/// <summary>
/// Dumps the PE image located at <paramref name="address"/> in <paramref name="process"/>,
/// converts it to file layout, and returns the bytes only when the image looks like a
/// .NET module.
/// </summary>
/// <param name="process">Process to read the image from.</param>
/// <param name="address">Base address of the image inside the target process.</param>
/// <param name="imageLayout">Layout the image is assumed to have in memory; passed by ref to the dumper, which may adjust it.</param>
/// <param name="fileName">
/// Receives the name reported by <c>GetOriginalFilename()</c>, or the address formatted as
/// hex (16 digits above <c>uint.MaxValue</c>, otherwise 8) when no name is available.
/// Set to <c>null</c> when dumping fails.
/// </param>
/// <returns>The file-layout image bytes, or <c>null</c> if the image is not a loadable .NET module or any step throws.</returns>
/// <remarks>
/// The returned name is read out of the dumped image itself, so it is controlled by whatever
/// produced that image. Callers should strip directory separators and invalid characters
/// before combining it into a filesystem path.
/// Every exception is swallowed on purpose: this is a best-effort probe, so the caller cannot
/// tell "not a .NET module" apart from "read failed".
/// </remarks>
private static byte[] DumpDotNetModule(NativeProcess process, void* address, ImageLayout imageLayout, out string fileName)
{
    try
    {
        byte[] rawImage = PEImageDumper.Dump(process, address, ref imageLayout);
        byte[] fileImage = PEImageDumper.ConvertImageLayout(rawImage, imageLayout, ImageLayout.File);
        bool hasLoadableMetadata;

        // Constructing PEImage is the first validity gate; per the original comment the
        // 'true' argument is there to ensure the bytes form a valid PE file.
        using (var pe = new PEImage(fileImage, true))
        {
            string originalName = pe.GetOriginalFilename();
            if (originalName == null)
            {
                // No embedded name: fall back to the base address, padded to pointer width.
                string hexFormat = (ulong)address > uint.MaxValue ? "X16" : "X8";
                originalName = ((IntPtr)address).ToString(hexFormat);
            }
            fileName = originalName;

            // Data directory 14 is the CLR runtime header (COM descriptor) entry;
            // a zero RVA means the image carries no .NET metadata.
            if (pe.ImageNTHeaders.OptionalHeader.DataDirectories[14].VirtualAddress == 0)
            {
                hasLoadableMetadata = false;
            }
            else
            {
                hasLoadableMetadata = true;
                try
                {
                    // Second check: the metadata must actually load as a module.
                    using (var moduleDef = ModuleDefMD.Load(pe))
                    {
                    }
                }
                catch
                {
                    hasLoadableMetadata = false;
                }
            }
        }

        if (!hasLoadableMetadata)
        {
            return null;
        }
        return fileImage;
    }
    catch
    {
        fileName = default;
        return null;
    }
}
/// <summary>
/// Guesses whether a PE image is mapped in memory layout or file layout, based only on
/// its first page.
/// </summary>
/// <param name="firstPage">The first page of the image as read from the target process.</param>
/// <returns>
/// <c>ImageLayout.Memory</c> when the size computed for file layout is at least the page
/// length, otherwise <c>ImageLayout.File</c>. Falls back to <c>ImageLayout.Memory</c> if
/// the size cannot be computed.
/// </returns>
/// <remarks>
/// This is a heuristic and the original author notes it is inaccurate: an image whose file
/// size is smaller than the minimum page size will be classified incorrectly.
/// </remarks>
private static ImageLayout GetProbableImageLayout(byte[] firstPage)
{
    try
    {
        // Size the image would have if the headers are interpreted as file layout.
        uint sizeAsFile = PEImageDumper.GetImageSize(firstPage, ImageLayout.File);

        // A file-layout size that reaches or exceeds the page is taken to mean the image
        // is laid out as in memory; a smaller one is taken to mean file layout.
        if (sizeAsFile >= (uint)firstPage.Length)
        {
            return ImageLayout.Memory;
        }
        return ImageLayout.File;
    }
    catch
    {
        // Unparseable headers: assume memory layout.
        return ImageLayout.Memory;
    }
}
/// <summary>
/// Dumps the module at <paramref name="moduleHandle"/> from the process held in
/// <c>_process</c>, converts it to file layout, and writes it to <paramref name="filePath"/>.
/// </summary>
/// <param name="moduleHandle">Base address of the module in the target process.</param>
/// <param name="imageLayout">Layout the module is assumed to have in memory; passed by ref to the dumper.</param>
/// <param name="filePath">Destination path; an existing file is overwritten by <c>File.WriteAllBytes</c>.</param>
/// <remarks>
/// Unlike <c>DumpDotNetModule</c>, nothing is caught here: dumper and I/O exceptions reach the caller.
/// The written file is a byte-for-byte image taken from another process and is not validated
/// by this method, so treat the output as untrusted executable content.
/// </remarks>
public void DumpModule(IntPtr moduleHandle, ImageLayout imageLayout, string filePath)
{
    void* moduleBase = (void*)moduleHandle;
    byte[] dumpedImage = PEImageDumper.Dump(_process, moduleBase, ref imageLayout);
    byte[] fileImage = PEImageDumper.ConvertImageLayout(dumpedImage, imageLayout, ImageLayout.File);
    File.WriteAllBytes(filePath, fileImage);
}