public Int64 GetModuleBase(string library)
{
List <MemoryFunctions.PROCESS_MODULE> modules = MemoryFunctions.EnumurateProcessModules(ProcessDotNet, !IsWin64);
foreach (MemoryFunctions.PROCESS_MODULE module in modules)
{
if (module.Name.ToLower() == library.ToLower())
{
return((Int64)module.BaseAddress);
}
}
throw new Exception("ERROR: Unable to find library base for name '" + library + "'.");
}
public List <UInt64> MemoryFindAll(string library, List pattern)
{
// Find the module
List <MemoryFunctions.PROCESS_MODULE> modules = MemoryFunctions.EnumurateProcessModules(ProcessDotNet, !IsWin64);
foreach (MemoryFunctions.PROCESS_MODULE module in modules)
{
if (module.Name.ToLower() == library.ToLower())
{
HeaderReader header = new HeaderReader(ProcessDotNet, (UInt64)module.BaseAddress);
return(MemoryFunctions.MemoryFindAll(ProcessDotNet, (IntPtr)module.BaseAddress, header.optHeader.SizeOfImage, pattern.ToArray <object>()));
}
}
return(null); // No results
}
public HeaderReader GetModuleHeader(string library)
{
// Find the module
List <MemoryFunctions.PROCESS_MODULE> modules = MemoryFunctions.EnumurateProcessModules(ProcessDotNet, !IsWin64);
foreach (MemoryFunctions.PROCESS_MODULE module in modules)
{
if (module.Name.ToLower() == library.ToLower())
{
// Found the module, parse it's pe header in-memory
HeaderReader header = new HeaderReader(ProcessDotNet, (ulong)module.BaseAddress);
return(header);
}
}
return(null); // No results
}
public UInt64[] GetProcedureAddresses(string library, object procedures)
{
// Find the module
List <MemoryFunctions.PROCESS_MODULE> modules = MemoryFunctions.EnumurateProcessModules(ProcessDotNet, !IsWin64);
foreach (MemoryFunctions.PROCESS_MODULE module in modules)
{
if (module.Name.ToLower() == library.ToLower())
{
// Found the module, parse it's pe header in-memory
HeaderReader header = new HeaderReader(ProcessDotNet, (ulong)module.BaseAddress);
Hashtable namesToAddresses = new Hashtable(header.exports.Count);
foreach (export function in header.exports.Values)
{
if (!namesToAddresses.Contains(function.Name.ToLower()))
{
namesToAddresses.Add(function.Name.ToLower(), function.Address);
}
}
// Resolve the provided imports
List <UInt64> result;
result = new List <UInt64>(10);
foreach (string procedure in (IEnumerable)procedures)
{
if (namesToAddresses.Contains(procedure.ToLower()))
{
result.Add((UInt64)namesToAddresses[procedure.ToLower()]);
}
else
{
result.Add(0);
}
}
return(result.ToArray());
}
}
return(new UInt64[0]);
}
public string[] GetLoadedModules()
{
List <MemoryFunctions.PROCESS_MODULE> modules = MemoryFunctions.EnumurateProcessModules(ProcessDotNet, !IsWin64);
List <string> modulePaths = new List <string>(modules.Count);
foreach (MemoryFunctions.PROCESS_MODULE module in modules)
{
modulePaths.Add(module.FullPath);
}
return(modulePaths.ToArray());
// This algorithm doesn't work for WOW64 processes - it only enumerates the 64 bit modules in WOW64 processses.
/*
* List<string> modules = new List<string>(ProcessDotNet.Modules.Count);
*
* foreach( System.Diagnostics.ProcessModule module in ProcessDotNet.Modules)
* modules.Add( module.FileName );
*
* return modules.ToArray();
* */
}
public string[] GetExportedFunctions(string library)
{
// Find the module
List <MemoryFunctions.PROCESS_MODULE> modules = MemoryFunctions.EnumurateProcessModules(ProcessDotNet, !IsWin64);
foreach (MemoryFunctions.PROCESS_MODULE module in modules)
{
if (module.Name.ToLower() == library.ToLower())
{
// Found the module, parse it's pe header in-memory
HeaderReader header = new HeaderReader(ProcessDotNet, (UInt64)module.BaseAddress);
List <string> result = new List <string>(header.exports.Count);
foreach (export function in header.exports.Values)
{
result.Add(function.Name);
}
return(result.ToArray());
}
}
return(new string[0]); // No results
}
public HeaderReader GetLibraryHeader(string library)
{
// Found the module, parse it's pe header in-memory
try
{
// Find the module
List <MemoryFunctions.PROCESS_MODULE> modules = MemoryFunctions.EnumurateProcessModules(ProcessDotNet, !IsWin64);
foreach (MemoryFunctions.PROCESS_MODULE module in modules)
{
if (module.Name.ToLower() == library.ToLower())
{
// Found the module, parse it's pe header in-memory
return(new HeaderReader(ProcessDotNet, (ulong)module.BaseAddress));
}
}
}
catch (Exception e)
{
throw new Exception("Unknown failure in Engine.GetLibraryHeader():\n" + e.ToString());
}
Console.WriteLine(string.Format("ERROR: Failed to call 'Engine.GetLibraryHeader()'."));
return(null);
}