public bool DumpProcess(ModuleListItem moduleListItem, IntPtr processId, out PEFile outputFile) { IntPtr basePointer = (IntPtr)moduleListItem.ModuleBase; IMAGE_DOS_HEADER dosHeader = ReadProcessStruct <IMAGE_DOS_HEADER>(processId, basePointer); outputFile = default; if (dosHeader.IsValid) { IntPtr peHeaderPointer = basePointer + dosHeader.e_lfanew; IntPtr dosStubPointer = basePointer + Marshal.SizeOf <IMAGE_DOS_HEADER>(); byte[] dosStub = ReadProcessBytes(processId, dosStubPointer, dosHeader.e_lfanew - Marshal.SizeOf <IMAGE_DOS_HEADER>()); var peFile = !moduleListItem.ModuleType ? Dump64BitPE(processId, dosHeader, dosStub, peHeaderPointer) : Dump32BitPE(processId, dosHeader, dosStub, peHeaderPointer); if (peFile != default(PEFile)) { IntPtr sectionHeaderPointer = peHeaderPointer + peFile.GetFirstSectionHeaderOffset(); for (int i = 0; i < peFile.Sections.Length; i++) { IMAGE_SECTION_HEADER sectionHeader = ReadProcessStruct <IMAGE_SECTION_HEADER>(processId, sectionHeaderPointer); peFile.Sections[i] = new PESection { Header = PESection.PESectionHeader.FromNativeStruct(sectionHeader), InitialSize = (int)sectionHeader.VirtualSize }; ReadSectionContent(processId, new IntPtr(basePointer.ToInt64() + sectionHeader.VirtualAddress), peFile.Sections[i]); sectionHeaderPointer += Marshal.SizeOf <IMAGE_SECTION_HEADER>(); } //Logger.Log("Aligning Sections..."); peFile.AlignSectionHeaders(); //Logger.Log("Fixing PE Header..."); peFile.FixPEHeader(); //Logger.Log("Dump Completed !"); outputFile = peFile; return(true); } } return(false); }
public bool FdGetModuleList(IntPtr pid, out ModuleListItem[] result) { result = Array.Empty <ModuleListItem>(); ulong moduleListSize = FdGetModuleListSize(pid); if (moduleListSize <= 0) { return(false); } IntPtr moduleListPtr = MarshalUtility.AllocZeroFilled((int)moduleListSize); KERNEL_MODULE_LIST_REQUEST kmlr = new KERNEL_MODULE_LIST_REQUEST { ProcessId = pid, ModuleListPtr = (ulong)moduleListPtr.ToInt64(), ModuleListSize = moduleListSize }; IntPtr kmlrPointer = MarshalUtility.CopyStructToMemory(kmlr); int kmlrSize = Marshal.SizeOf <KERNEL_MODULE_LIST_REQUEST>(); if (DeviceIoControl(hDriver, IO_MODULE_LIST_REQUEST, kmlrPointer, kmlrSize, kmlrPointer, kmlrSize, IntPtr.Zero, IntPtr.Zero)) { kmlr = MarshalUtility.GetStructFromMemory <KERNEL_MODULE_LIST_REQUEST>(kmlrPointer); if (kmlr.ModuleListCount > 0) { byte[] managedBuffer = new byte[moduleListSize]; Marshal.Copy(moduleListPtr, managedBuffer, 0, (int)moduleListSize); Marshal.FreeHGlobal(moduleListPtr); result = new ModuleListItem[kmlr.ModuleListCount]; using (BinaryReader reader = new BinaryReader(new MemoryStream(managedBuffer))) { for (int i = 0; i < result.Length; i++) { result[i] = ModuleListItem.FromByteStream(reader); } } return(true); } } return(false); }
/// <summary> /// Dumps the specified module. /// </summary> /// <param name="module">The module of a process</param> private void DumpModule(ModuleListItem module) { // // Get the destination path // string path; var saveFile = new SaveFileDialog { FileName = $@"{Path.GetFileName(module.ModuleName)}", Filter = @"Executable File (.dll)|*.dll" }; // // Show the dialog // if (saveFile.ShowDialog() == DialogResult.OK) { path = saveFile.FileName; } else { return; } // // Dump module // if (!NemesisApi.DumpModule(_processId, (IntPtr)module.ImageBase, path)) { MessageBox.Show("Failed to dump module."); } else { MessageBox.Show("Successfully dumped the module."); } }
private void DumpModule() { FireDumper.logsTextBox.AppendText(@"[*] Dumping module..." + Environment.NewLine); if (FireDumper.c.HasValidHandle()) { ModuleListItem targetModule = ModuleList.SelectedItems[0].Tag as ModuleListItem; if (targetModule == null) { FireDumper.logsTextBox.AppendText(@"[-] Dumping module aborted! (No module selected)" + Environment.NewLine); return; } Task.Run(() => { if (new Dumper(FireDumper.c).DumpProcess(targetModule, targetProcess.ProcessId, out PEFile peFile)) { Invoke(new Action(() => { using (SaveFileDialog sfd = new SaveFileDialog()) { string fileEnding = targetModule.ModuleName.Split('.').Last(); switch (fileEnding) { case "dll": sfd.FileName = targetModule.ModuleName.Replace(".dll", "_dump.dll"); sfd.Filter = @"Dynamic Link Library (.dll)|*.dll"; break; case "exe": sfd.FileName = targetProcess.ProcessName.Replace(".exe", "_dump.exe"); sfd.Filter = @"Executable File (.exe)|*.exe"; break; default: sfd.FileName = targetProcess.ProcessName.Replace($".{fileEnding}", $"_dump.{fileEnding}"); sfd.Filter = $@"Custom PE File (.{fileEnding})|*.{fileEnding}"; break; } if (sfd.ShowDialog() == DialogResult.OK) { peFile.SaveToDisk(sfd.FileName); FireDumper.logsTextBox.AppendText(@"[+] Saved dump to disk!" + Environment.NewLine); FireDumper.logsTextBox.AppendText(@"[+] Successfully dumped " + targetModule.ModuleName + "!" + Environment.NewLine); } else { FireDumper.logsTextBox.AppendText(@"[!] Dumping aborted!" + Environment.NewLine); } } })); } else { Invoke(new Action(() => { FireDumper.logsTextBox.AppendText(@"[-] Unknown error with Dumper!" + Environment.NewLine); MessageBox.Show(@"Unable to dump target module!", @"Error", MessageBoxButtons.OK, MessageBoxIcon.Error); })); } }); } }