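/// <summary>
/// Returns the base address of the first enumerated module whose name
/// matches <paramref name="library"/>, ignoring case.
/// </summary>
/// <param name="library">Module name, compared against PROCESS_MODULE.Name.</param>
/// <returns>The matching module's base address, cast to a signed 64-bit value.</returns>
/// <exception cref="Exception">No enumerated module has that name.</exception>
public Int64 GetModuleBase(string library)
{
    List<MemoryFunctions.PROCESS_MODULE> modules = MemoryFunctions.EnumurateProcessModules(ProcessDotNet, !IsWin64);

    foreach (MemoryFunctions.PROCESS_MODULE module in modules)
    {
        // Ordinal comparison: module names are identifiers, not linguistic text.
        // ToLower() on both sides is culture-sensitive and mis-compares names
        // containing 'I' under cultures such as tr-TR.
        // The match is on Name only and the first hit wins; presumably Name is the
        // short file name (PROCESS_MODULE also has FullPath), so two modules that
        // share a file name but load from different paths are not told apart here.
        if (string.Equals(module.Name, library, StringComparison.OrdinalIgnoreCase))
        {
            return (Int64)module.BaseAddress;
        }
    }

    throw new Exception("ERROR: Unable to find library base for name '" + library + "'.");
}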
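/// <summary>
/// Searches the in-memory image of the named module for <paramref name="pattern"/>
/// by delegating to MemoryFunctions.MemoryFindAll.
/// </summary>
/// <param name="library">Module name, compared case-insensitively against PROCESS_MODULE.Name.</param>
/// <param name="pattern">Pattern elements; passed on as an object array.</param>
/// <returns>
/// Whatever MemoryFunctions.MemoryFindAll returns for the module's image range,
/// or null when no module with that name is loaded.
/// </returns>
// NOTE(review): the parameter type is shown as a bare "List" on this page; the type
// argument may have been lost in extraction - confirm against the project source.
public List<UInt64> MemoryFindAll(string library, List pattern)
{
    // Find the module
    List<MemoryFunctions.PROCESS_MODULE> modules = MemoryFunctions.EnumurateProcessModules(ProcessDotNet, !IsWin64);

    foreach (MemoryFunctions.PROCESS_MODULE module in modules)
    {
        // Ordinal comparison instead of culture-sensitive ToLower() on both sides,
        // which mis-compares names containing 'I' under cultures such as tr-TR.
        if (!string.Equals(module.Name, library, StringComparison.OrdinalIgnoreCase))
        {
            continue;
        }

        HeaderReader header = new HeaderReader(ProcessDotNet, (UInt64)module.BaseAddress);

        // The scan length is SizeOfImage as parsed by HeaderReader from the module's
        // base address in the inspected process, i.e. a value that process can modify.
        // NOTE(review): confirm MemoryFunctions.MemoryFindAll copes with a length that
        // does not match the real mapping (unreadable pages, oversized value).
        return MemoryFunctions.MemoryFindAll(
            ProcessDotNet,
            (IntPtr)module.BaseAddress,
            header.optHeader.SizeOfImage,
            pattern.ToArray<object>());
    }

    return null; // No results - callers must null-check
}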
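/// <summary>
/// Builds a HeaderReader for the first enumerated module whose name matches
/// <paramref name="library"/>, ignoring case.
/// </summary>
/// <param name="library">Module name, compared against PROCESS_MODULE.Name.</param>
/// <returns>The HeaderReader for the module, or null when no module matches.</returns>
public HeaderReader GetModuleHeader(string library)
{
    // Find the module
    List<MemoryFunctions.PROCESS_MODULE> modules = MemoryFunctions.EnumurateProcessModules(ProcessDotNet, !IsWin64);

    foreach (MemoryFunctions.PROCESS_MODULE module in modules)
    {
        // Ordinal comparison instead of culture-sensitive ToLower() on both sides,
        // which mis-compares names containing 'I' under cultures such as tr-TR.
        if (string.Equals(module.Name, library, StringComparison.OrdinalIgnoreCase))
        {
            // Found the module; its PE header is parsed from the process's memory,
            // so the fields reflect what is currently mapped there rather than the
            // file on disk.
            return new HeaderReader(ProcessDotNet, (ulong)module.BaseAddress);
        }
    }

    return null; // No results - callers must null-check
}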
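/// <summary>
/// Resolves export names of the named module to addresses using the export
/// table that HeaderReader parses from the module in memory.
/// </summary>
/// <param name="library">Module name, compared case-insensitively against PROCESS_MODULE.Name.</param>
/// <param name="procedures">An IEnumerable of procedure-name strings.</param>
/// <returns>
/// One entry per requested name, in request order; 0 marks a name that is not
/// exported. An empty array when no module with that name is loaded.
/// </returns>
public UInt64[] GetProcedureAddresses(string library, object procedures)
{
    // Find the module
    List<MemoryFunctions.PROCESS_MODULE> modules = MemoryFunctions.EnumurateProcessModules(ProcessDotNet, !IsWin64);

    foreach (MemoryFunctions.PROCESS_MODULE module in modules)
    {
        // Ordinal comparison instead of culture-sensitive ToLower() on both sides,
        // which mis-compares names containing 'I' under cultures such as tr-TR.
        if (!string.Equals(module.Name, library, StringComparison.OrdinalIgnoreCase))
        {
            continue;
        }

        // Found the module, parse its PE header in-memory
        HeaderReader header = new HeaderReader(ProcessDotNet, (ulong)module.BaseAddress);

        // Case-insensitive name -> address map. The comparer replaces the lower-cased
        // keys of the earlier code; the first export seen for a given name still wins.
        Hashtable namesToAddresses = new Hashtable(header.exports.Count, StringComparer.OrdinalIgnoreCase);
        foreach (export function in header.exports.Values)
        {
            if (!namesToAddresses.Contains(function.Name))
            {
                namesToAddresses.Add(function.Name, function.Address);
            }
        }

        // Resolve the requested names. The addresses come from the export table as
        // found in the inspected process's memory; callers must treat 0 as
        // "not resolved" and never as a usable address.
        List<UInt64> result = new List<UInt64>(10);
        foreach (string procedure in (IEnumerable)procedures)
        {
            if (namesToAddresses.Contains(procedure))
            {
                result.Add((UInt64)namesToAddresses[procedure]);
            }
            else
            {
                result.Add(0);
            }
        }

        return result.ToArray();
    }

    return new UInt64[0];
}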
/// <summary>
/// Lists the FullPath of every module that
/// MemoryFunctions.EnumurateProcessModules reports for ProcessDotNet.
/// </summary>
/// <returns>One path per module, in enumeration order.</returns>
public string[] GetLoadedModules()
{
    // An earlier version iterated ProcessDotNet.Modules (ProcessModule.FileName)
    // instead. The author's note says that approach does not work for WOW64
    // processes: it only enumerates the 64-bit modules of a WOW64 process.
    List<MemoryFunctions.PROCESS_MODULE> loaded = MemoryFunctions.EnumurateProcessModules(ProcessDotNet, !IsWin64);

    string[] paths = new string[loaded.Count];
    for (int i = 0; i < paths.Length; i++)
    {
        paths[i] = loaded[i].FullPath;
    }

    return paths;
}
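/// <summary>
/// Returns the names of the exports that HeaderReader finds in the named
/// module's in-memory PE header.
/// </summary>
/// <param name="library">Module name, compared case-insensitively against PROCESS_MODULE.Name.</param>
/// <returns>
/// One name per entry in header.exports, or an empty array when no module with
/// that name is loaded.
/// </returns>
public string[] GetExportedFunctions(string library)
{
    // Find the module
    List<MemoryFunctions.PROCESS_MODULE> modules = MemoryFunctions.EnumurateProcessModules(ProcessDotNet, !IsWin64);

    foreach (MemoryFunctions.PROCESS_MODULE module in modules)
    {
        // Ordinal comparison instead of culture-sensitive ToLower() on both sides,
        // which mis-compares names containing 'I' under cultures such as tr-TR.
        if (!string.Equals(module.Name, library, StringComparison.OrdinalIgnoreCase))
        {
            continue;
        }

        // Found the module, parse its PE header in-memory. The names are read
        // from the inspected process, so treat them as untrusted text when
        // displaying or logging them.
        HeaderReader header = new HeaderReader(ProcessDotNet, (UInt64)module.BaseAddress);

        List<string> result = new List<string>(header.exports.Count);
        foreach (export function in header.exports.Values)
        {
            result.Add(function.Name);
        }

        return result.ToArray();
    }

    return new string[0]; // No results
}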
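/// <summary>
/// Builds a HeaderReader for the first enumerated module whose name matches
/// <paramref name="library"/>, ignoring case.
/// </summary>
/// <param name="library">Module name, compared against PROCESS_MODULE.Name.</param>
/// <returns>
/// The HeaderReader for the module; null (after writing an error line to the
/// console) when no module matches.
/// </returns>
/// <exception cref="Exception">
/// Module enumeration or header parsing threw; the original exception is
/// included in the message text and attached as InnerException.
/// </exception>
public HeaderReader GetLibraryHeader(string library)
{
    try
    {
        // Find the module
        List<MemoryFunctions.PROCESS_MODULE> modules = MemoryFunctions.EnumurateProcessModules(ProcessDotNet, !IsWin64);

        foreach (MemoryFunctions.PROCESS_MODULE module in modules)
        {
            // Ordinal comparison instead of culture-sensitive ToLower() on both
            // sides, which mis-compares names containing 'I' under cultures such
            // as tr-TR.
            if (string.Equals(module.Name, library, StringComparison.OrdinalIgnoreCase))
            {
                // Found the module, parse its PE header in-memory
                return new HeaderReader(ProcessDotNet, (ulong)module.BaseAddress);
            }
        }
    }
    catch (Exception e)
    {
        // Same message as before; passing e as the inner exception keeps the
        // original type and stack trace available to callers and loggers.
        throw new Exception("Unknown failure in Engine.GetLibraryHeader():\n" + e.ToString(), e);
    }

    // No module matched. The failure is only reported on the console, so
    // callers still have to null-check the result.
    Console.WriteLine("ERROR: Failed to call 'Engine.GetLibraryHeader()'.");
    return null;
}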