private static byte[] DumpDotNetModule(NativeProcess process, void *address, ImageLayout imageLayout, out string fileName) { try { byte[] data = PEImageDumper.Dump(process, address, ref imageLayout); data = PEImageDumper.ConvertImageLayout(data, imageLayout, ImageLayout.File); bool isDotNet; using (var peImage = new PEImage(data, true)) { // 确保为有效PE文件 fileName = peImage.GetOriginalFilename() ?? ((IntPtr)address).ToString((ulong)address > uint.MaxValue ? "X16" : "X8"); isDotNet = peImage.ImageNTHeaders.OptionalHeader.DataDirectories[14].VirtualAddress != 0; if (isDotNet) { try { using (var moduleDef = ModuleDefMD.Load(peImage)) { } // 再次验证是否为.NET程序集 } catch { isDotNet = false; } } } return(isDotNet ? data : null); } catch { fileName = default; return(null); } }
public void DumpModule(IntPtr moduleHandle, ImageLayout imageLayout, string filePath) { byte[] peImage = PEImageDumper.Dump(_process, (void *)moduleHandle, ref imageLayout); peImage = PEImageDumper.ConvertImageLayout(peImage, imageLayout, ImageLayout.File); File.WriteAllBytes(filePath, peImage); }