public static void ScanOffsets(MemUtils memUtils,ProcessModule client,ProcessModule engine) { clientDll = client; engineDll = engine; clientDllBase = clientDll.BaseAddress.ToInt32(); engineDllBase = engineDll.BaseAddress.ToInt32(); EntityOff(memUtils); LocalPlayer(memUtils); Jump(memUtils); GameResources(memUtils); ClientState(memUtils); SetViewAngles(memUtils); SignOnState(memUtils); GlowManager(memUtils); WeaponTable(memUtils); EntityID(memUtils); EntityHealth(memUtils); EntityVecOrigin(memUtils); PlayerTeamNum(memUtils); PlayerBoneMatrix(memUtils); PlayerWeaponHandle(memUtils); vMatrix(memUtils); clientDll = null; engineDll = null; clientDllBase = 0; engineDllBase = 0; }
public CacheInfo(ProcessModule module) { FileDescription = module.FileVersionInfo.FileDescription; FileVersion = module.FileVersionInfo.FileVersion; ProductName = module.FileVersionInfo.ProductName; ProductVersion = module.FileVersionInfo.ProductVersion; }
public ModuleDataObject(Process p, ProcessModule m, bool isDisabled) : base(string.Format("{0}.{1}", p.Id, m.FileName)) { ID = p.Id; Refresh(p, m, isDisabled); ConstructionIsFinished = true; }
/// <summary> /// Initializes a new instance of the <see cref="RemoteModule" /> class. /// </summary> /// <param name="memorySharp">The reference of the <see cref="MemorySharp" /> object.</param> /// <param name="module">The native <see cref="ProcessModule" /> object corresponding to this module.</param> internal RemoteModule(MemoryBase memorySharp, ProcessModule module) : base(memorySharp, module.BaseAddress) { // Save the parameter Native = module; LazyData = new Lazy<byte[]>( () => MemoryCore.ReadBytes(memorySharp.Handle, module.BaseAddress, module.ModuleMemorySize)); }
public HEAP_INFO(ulong heapAddress, ulong heapLength, string heapProtection, string extra, ProcessModule associatedModule) { this.heapAddress = heapAddress; this.heapLength = heapLength; this.heapProtection = heapProtection; this.extra = extra; this.associatedModule = associatedModule; }
public uint FindPattern( ProcessModule pModule, string szPattern, string szMask, char Delimiter ) { string[] saPattern = szPattern.Split( Delimiter ); byte[] bPattern = new byte[ saPattern.Length ]; for( int i = 0; i < bPattern.Length; i++ ) bPattern[ i ] = Convert.ToByte( saPattern[ i ], 0x10 ); return FindPattern( pModule, bPattern, szMask ); }
public virtual void Update(IntPtr value, ProcessModule targetModule) { IntPtr baseAddress = targetModule.BaseAddress; FileVersionInfo info = targetModule.FileVersionInfo; int offset = value.GetInt32OffsetFrom(targetModule.BaseAddress); Build = info.FileVersion; Value = offset; }
public Memory(ProcessModule engineDll, ProcessModule clientDll) { Scanner.ScanOffsets(clientDll, engineDll, Program.MemUtils); ClientDllBase = (int) clientDll.BaseAddress; var engineDllBase = (int) engineDll.BaseAddress; _entityList = ClientDllBase + Offsets.Misc.EntityList; _viewMatrix = ClientDllBase + Offsets.Misc.ViewMatrix; ClientState = Program.MemUtils.Read<int>((IntPtr) (engineDllBase + Offsets.ClientState.Base)); ActiveWeapon = "Default"; }
public static void doWork(object crap) { try { Process process = Process.GetCurrentProcess(); ProcessModule[] modules = new ProcessModule[process.Modules.Count]; process.Modules.CopyTo(modules, 0); var niQuery = from m in modules where m.FileName.Contains(@"\" + process.ProcessName + ".ni") select m.FileName; bool ni = niQuery.Count() > 0 ? true : false; if (!ni) { // FORNOW: for PoC debugging and sanity checking Console.WriteLine("The app is not NGen'd."); Console.WriteLine("NGen'ing the app..."); var assemblyPath = process.MainModule.FileName; ProcessStartInfo startInfo = new ProcessStartInfo(); // TODO: Determine the path to (the appropriate version of) // ngen.exe. // FORNOW: Just use a hardcoded path to ngen.exe for PoC. startInfo.FileName = @"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"; startInfo.Arguments = "install \"" + assemblyPath + "\""; // TBD: process options that you think make sense startInfo.CreateNoWindow = false; startInfo.UseShellExecute = false; startInfo.WindowStyle = ProcessWindowStyle.Hidden; try { using (Process exeProcess = Process.Start(startInfo)) { exeProcess.WaitForExit(); } } catch { // TBD: error handling that you think makes sense - e.g. // logging or displaying the error, moving on regardless // etcetera. } } } catch { } }
public Framework(ProcessModule clientDll, ProcessModule engineDll) { CSGOScanner.ScanOffsets(WithOverlay.MemUtils, clientDll, engineDll); clientDllBase = (int)clientDll.BaseAddress; engineDllBase = (int)engineDll.BaseAddress; dwEntityList = clientDllBase + CSGOOffsets.Misc.EntityList; dwViewMatrix = clientDllBase + CSGOOffsets.Misc.ViewMatrix; dwClientState = WithOverlay.MemUtils.Read<int>((IntPtr)(engineDllBase + CSGOOffsets.ClientState.Base)); mouseEnabled = true; AimbotActive = false; }
public static CacheInfo Get(string key, ProcessModule module) { CacheInfo result; if( CachedInfos.TryGetValue(key, out result)) { return result; } result = new CacheInfo(module); CachedInfos[key] = result; return result; }
static bool IsNetModule(ProcessModule m) { var s = m.ModuleName; if (s.Equals("mscorwks.dll", StringComparison.OrdinalIgnoreCase)) return true; if (s.Equals("mscorsvr.dll", StringComparison.OrdinalIgnoreCase)) return true; if (s.Equals("clr.dll", StringComparison.OrdinalIgnoreCase)) return true; return false; }
public void BackgroundProcess() { do { Thread.Sleep(500); ffximain = (from ProcessModule m in pol.Modules where m.ModuleName.ToLower() == "ffximain.dll" select m).FirstOrDefault(); } while (ffximain == null); _FFACE = new FFACE(pol.Id); while (_FFACE.Player.Name == "") Thread.Sleep(500); _FFACE.Windower.SendString("/vanatunes hold on"); sCharName = _FFACE.Player.Name; profile = "(none)"; //TODO: Check player name and set default profile byte[] mobPtrTmp = new byte[4]; IntPtr mobPtrArraySize = new IntPtr(); ReadProcessMemory(pol.Handle, new IntPtr(ffximain.BaseAddress.ToInt32() + 0x8020c), mobPtrTmp, 4, ref mobPtrArraySize); IntPtr mobPtr = new IntPtr(BitConverter.ToInt32(mobPtrTmp, 0)); ReadProcessMemory(pol.Handle, mobPtr, mobFlags, 4096*4, ref mobPtrArraySize); m_Zone = _FFACE.Player.Zone; uVanaHour = _FFACE.Timer.GetVanaTime().Hour; m_Status = _FFACE.Player.Status; m_Buffs = _FFACE.Player.StatusEffects; if (_FFACE.Party.Party0Count == 1 && _FFACE.Party.Party1Count == 0 && _FFACE.Party.Party2Count == 0) bPartyMember = false; else bPartyMember = true; bFighting = false; bInBattlefield = false; do{ if (CheckConditions()) { UInt16 thisTrack = ExecScript(); if (thisTrack != currentTrack) { currentTrack = thisTrack; _FFACE.Windower.SendString("/vanatunes playOverride " + currentTrack); } } Thread.Sleep(500); } while(Program.runCharThreads); if(ffximain != null) _FFACE.Windower.SendString("/vanatunes hold off"); }
private static void Dynamic_All(TraceEvent obj) { if (obj.EventName.Equals("EventCounters")) { IDictionary <string, object> payloadVal = (IDictionary <string, object>)(obj.PayloadValue(0)); IDictionary <string, object> payloadFields = (IDictionary <string, object>)(payloadVal["Payload"]); ICounterPayload payload = payloadFields.Count == 6 ? (ICounterPayload) new IncrementingCounterPayload(payloadFields) : (ICounterPayload) new CounterPayload(payloadFields); string displayName = payload.GetDisplay(); if (string.IsNullOrEmpty(displayName)) { displayName = payload.GetName(); } if (string.Compare(displayName, "GC Heap Size") == 0 && Convert.ToInt32(payload.GetValue()) > threshold) { Console.WriteLine("Memory threshold has been breached...."); System.Diagnostics.Process process = System.Diagnostics.Process.GetProcessById(pid); System.Diagnostics.ProcessModule coreclr = process.Modules.Cast <System.Diagnostics.ProcessModule>().FirstOrDefault(m => string.Equals(m.ModuleName, "libcoreclr.so")); if (coreclr == null) { Console.WriteLine("Unable to locate .NET runtime associated with this process!"); Environment.Exit(1); } else { string runtimeDirectory = Path.GetDirectoryName(coreclr.FileName); string createDumpPath = Path.Combine(runtimeDirectory, "createdump"); if (!File.Exists(createDumpPath)) { Console.WriteLine("Unable to locate 'createdump' tool in '{runtimeDirectory}'"); Environment.Exit(1); } var createdump = new System.Diagnostics.Process() { StartInfo = new System.Diagnostics.ProcessStartInfo() { FileName = createDumpPath, Arguments = $"--name coredump --withheap {pid}", }, EnableRaisingEvents = true, }; createdump.Start(); createdump.WaitForExit(); Environment.Exit(0); } } } }
public ModuleObject(Process p, ProcessModule m, string username) { Objects[(int)ModuleItemTypes.Name] = Path.GetFileName(m.FileName); Objects[(int)ModuleItemTypes.ID] = p.Id; Objects[(int)ModuleItemTypes.Path] = Path.GetDirectoryName(m.FileName); Objects[(int)ModuleItemTypes.ModuleMemorySize] = m.ModuleMemorySize; // Objects[(int)ModuleItemTypes.FileDescription] = m.FileVersionInfo.FileDescription; Objects[(int)ModuleItemTypes.FileVersion] = m.FileVersionInfo.FileVersion; Objects[(int)ModuleItemTypes.Product] = m.FileVersionInfo.ProductName; Objects[(int)ModuleItemTypes.ProductVersion] = m.FileVersionInfo.ProductVersion; ForegroundColor = ProcessObject.GetColorFromName(p, username); ToolTipText = m.FileVersionInfo.FileDescription; }
public LMouseUpListener() { this.callBack += new Native.HookProc(MouseEvents); using (System.Diagnostics.Process process = System.Diagnostics.Process.GetCurrentProcess()) using (System.Diagnostics.ProcessModule module = process.MainModule) { IntPtr hModule = Native.GetModuleHandle(module.ModuleName); _hook = Native.SetWindowsHookEx( (int)Native.HookType.WH_MOUSE_LL, this.callBack, hModule, 0); } }
public virtual bool TryGetCachedValue(ProcessModule targetModule, out IntPtr result) { result = IntPtr.Zero; IntPtr baseAddress = targetModule.BaseAddress; FileVersionInfo info = targetModule.FileVersionInfo; if (IsSameVersion(info)) { result = baseAddress + Value; return true; } return false; }
public static void CreateHook(KeyHandler _kh) { System.Diagnostics.Process _this = System.Diagnostics.Process.GetCurrentProcess(); System.Diagnostics.ProcessModule mod = _this.MainModule; hd = HookFunc; kh = _kh; hhk = API.SetWindowsHookEx(13, hd, API.GetModuleHandle(mod.ModuleName), 0); //13 is the parameter specifying that we're gonna do a low-level keyboard hook //MessageBox.Show(Marshal.GetLastWin32Error().ToString()); //for debugging //Note that this could be a Console.WriteLine(), as well. I just happened //to be debugging this in a Windows Application //to get the errors, in VS 2005+ (possibly before) do Tools -> Error Lookup }
private void EnumModule(ProcessModule m) { this.lvModDetail.ClearItems(); try { lvModDetail.AddItem(new object[] { "Base Address", m.BaseAddress.ToInt32().ToString("x").ToLower() }); lvModDetail.AddItem(new object[] { "Entry Point Address", m.EntryPointAddress.ToInt32().ToString("x").ToLower() }); lvModDetail.AddItem(new object[] { "File Name", m.FileName }); lvModDetail.AddItem(new object[] { "File Version", m.FileVersionInfo.FileVersion.ToString() }); lvModDetail.AddItem(new object[] { "File Description", m.FileVersionInfo.FileDescription.ToString() }); lvModDetail.AddItem(new object[] { "Memory Size", m.ModuleMemorySize.ToString("N0") }); } catch (Exception exp) { MessageBox.Show(exp.Message, exp.Source, MessageBoxButtons.OK, MessageBoxIcon.Error); } }
/// <summary> /// Performs a pattern scan. /// </summary> /// <param name="processHandle">The process the <see cref="ProcessModule" /> containing the data resides in.</param> /// <param name="processModule">The <see cref="ProcessModule" /> that contains the pattern data resides in.</param> /// <param name="data">The array of bytes containing the data to search for matches in.</param> /// <param name="mask"> /// The mask that defines the byte pattern we are searching for. /// <example> /// <code> /// var bytes = new byte[]{55,45,00,00,55} ; /// var mask = "xx??x"; /// </code> /// </example> /// </param> /// <param name="offsetToAdd">The offset to add to the offset result found from the pattern.</param> /// <param name="reBase">If the address should be rebased to this Instance's base address.</param> /// <param name="wildCardChar"> /// [Optinal] The 'wild card' defines the <see cref="char" /> value that the mask uses to differentiate /// between pattern data that is relevant, and pattern data that should be ignored. The default value is 'x'. /// </param> /// <param name="pattern">The byte array that contains the pattern of bytes we're looking for.</param> /// <returns>A new <see cref="PatternScanResult" /> instance.</returns> public static PatternScanResult Find(SafeMemoryHandle processHandle, ProcessModule processModule, byte[] data, byte[] pattern, string mask, int offsetToAdd, bool reBase, char wildCardChar = 'x') { for (var offset = 0; offset < data.Length; offset++) { if (mask.Where((m, b) => m == 'x' && pattern[b] != data[b + offset]).Any()) continue; var found = MemoryCore.Read<IntPtr>(processHandle, processModule.BaseAddress + offset + offsetToAdd); var result = new PatternScanResult { OriginalAddress = found, Address = reBase ? found : found.Subtract(processModule.BaseAddress), Offset = (IntPtr) offset }; return result; } // If this is reached, the pattern was not found. throw new Exception("The pattern scan for the pattern mask: " + "[" + mask + "]" + " was not found."); }
public static string GetFileProcessName(string filePath) { Process[] procs = Process.GetProcesses(); string fileName = Path.GetFileName(filePath); foreach (Process proc in procs) { if (proc.MainWindowHandle != new IntPtr(0) && !proc.HasExited) { ProcessModule[] arr = new ProcessModule[proc.Modules.Count]; foreach (ProcessModule pm in proc.Modules) { if (pm.ModuleName == fileName) return proc.ProcessName; } } } return null; }
/// <summary> /// Memory yi okumak için Process İsmi Giriniz.. /// </summary> /// <param name="ProccessName">Process Name</param> public MemoryReadLib(string ProccessName) { Process[] processes = Process.GetProcessesByName(ProccessName); foreach (Process pr in processes) { if (pr.ProcessName == ProccessName) { this.War3 = pr; } } if (War3 != null) { ProcessModuleCollection blabla = War3.Modules; foreach (ProcessModule mdl in blabla) { if (mdl.ModuleName == "Storm.dll") { this.StormDll = mdl; } else if (mdl.ModuleName == "Game.dll") { this.GameDll = mdl; } } if (GameDll == null || StormDll == null) { throw new NullReferenceException("There is no Game Process"); } } else { throw new NullReferenceException("There is no Game Process"); } }
static void OutputModuleMemory(Process process, ProcessModule processModule, Stream stream) { IntPtr processHandler = process.Handle; IntPtr baseAddress = processModule.BaseAddress; int moduleMemorySize = processModule.ModuleMemorySize; Console.WriteLine("BaseAddress: {0}", baseAddress); Console.WriteLine("ModuleMemorySize: {0}", moduleMemorySize); int bufferSize = 4096; byte[] buffer = new byte[bufferSize]; IntPtr pointer = baseAddress; IntPtr endPointer = IntPtr.Add(baseAddress, moduleMemorySize); while (pointer.ToInt64() < endPointer.ToInt64()) { IntPtr readSizeResult = IntPtr.Zero; IntPtr readSize = GetReadSize(pointer, endPointer, bufferSize); if (NativeMethods.ReadProcessMemory(processHandler, pointer, buffer, readSize, ref readSizeResult)) { stream.Write(buffer, 0, readSizeResult.ToInt32()); } pointer = IntPtr.Add(pointer, bufferSize); } }
public int IndexOf(ProcessModule module) { return(InnerList.IndexOf(module)); }
/// <summary> /// Initializes a new instance of the <see cref="InjectedModule"/> class. /// </summary> /// <param name="memorySharp">The reference of the <see cref="MemorySharp"/> object.</param> /// <param name="module">The native <see cref="ProcessModule"/> object corresponding to the injected module.</param> /// <param name="mustBeDisposed">The module will be ejected when the finalizer collects the object.</param> internal InjectedModule(MemorySharp memorySharp, ProcessModule module, bool mustBeDisposed = true) : base(memorySharp, module) { // Save the parameter MustBeDisposed = mustBeDisposed; }
public Welcome(bool CheckUpdate) { //2012-09-03 LiuQi 启动时检查是否有word进程 Process[] process; process = Process.GetProcesses(); foreach (Process p in process) { try { if (p.Id != 0 && p.Modules != null && p.Modules.Count > 0) { System.Diagnostics.ProcessModule pm = p.Modules[0]; if (pm.ModuleName.ToLower() == "winword.exe") { MessageBox.Show("其他程序影响电子病历正常使用须关闭!", "提示"); p.Kill(); break; } } } catch { } } InitializeComponent(); //开始日志 udt.jj.LoadlogAdapter(); if (ini.ReadValue("System", "CheckClient").Trim() == true.ToString()) { CheckClient(); } try { tLoadData = new Thread(LoadData); tShowStatus = new Thread(ShowStatus); if (ini.ReadValue("System", "LiveUpdate").Trim() == true.ToString()) { try { pUpdate.StartInfo.FileName = Application.StartupPath + "\\liveupdate.exe"; pUpdate.StartInfo.Arguments = "-liveupdate[" + FileMethod.GetFileName(System.Diagnostics.Process.GetCurrentProcess().MainModule.FileName) + "]"; pUpdate.Start(); } catch (Win32Exception) { ini.WriteValue("System", "LiveUpdate", false.ToString()); MessageBox.Show(this, "启动自动更新程序失败,自动更新功能已关闭,若要重新开启此功能请联系系统管理员或重新安装。", "提示", MessageBoxButtons.OK, MessageBoxIcon.Asterisk, MessageBoxDefaultButton.Button1); } } else { } ThisAddIn.logon = new Logon(); } catch (Exception ex) { Globals.logAdapter.Record("EX756987457748", ex.Message + ">>" + ex.ToString(), true); MessageBox.Show(ex.ToString()); } }
private void hookGameButton_Click(object sender, EventArgs e) { MyProcess = Process.GetProcesses(); for (int i = 0; i < MyProcess.Length; i++) { if (MyProcess[i].ProcessName == "Dishonored") { gameProcId = MyProcess[i].Id; break; } } try { MyProcess[0] = Process.GetProcessById(gameProcId); mainModule = MyProcess[0].MainModule; Mem.ReadProcess = MyProcess[0]; Mem.OpenProcess(); GameFound = true; //GameFound is true, set all game specific variables and stuff here this.Height = origSize; hookGameButton.Text = "Game Hooked (Status: Connected to PID:" + gameProcId + " )"; this.mainTooltip.SetToolTip(this.hookGameButton, "PID in hex: 0x" + gameProcId.ToString("X") + "\n\nWe do not check if the game is still active after the initial hook"); //Timers healthTimer.Enabled = true; manaTimer.Enabled = true; breathTimer.Enabled = true; //Offsets playerHP.offsets = new playerInfo.PlayerAddyOffsets(0x0); playerMana.offsets = new playerInfo.playerDataMana(0x0); playerBreath.offsets = new playerInfo.playerDataBreath(0x0); playerGold.offsets = new playerInfo.playerDataGold(0x0); //Bases -- These are the same but separated for consistancy sake playerHP.baseAddress = 0x01452DE8; playerMana.baseAddress = 0x01452DE8; playerBreath.baseAddress = 0x01452DE8; playerGold.baseAddress = 0x0008E550; //Multilevel playerHP.multilevel = new int[] { 0x344 }; playerMana.multilevel = new int[] { 0xA60 }; playerBreath.multilevel = new int[] { 0xAB8 }; playerGold.multilevel = new int[] { 0x04 }; DishonoredTextProc = Process.GetProcessById(gameProcId); SetWindowText(DishonoredTextProc.MainWindowHandle, "Dishonored -- Hacks by Simple_AOB"); } catch (Exception ex) { MessageBox.Show("Could not connect (the game is probably not running): \n\n" + ex.Message + ex.StackTrace); } }
private static string GetSafeModuleName(ProcessModule m) { try { return m.FileName; } catch { } return m.ToString(); }
private static BitmapSource IconFromProcessModule(ProcessModule module, int widthAndHeight = 16) { return IconHelper.GetIcon(module.FileName, false, widthAndHeight); }
private static ProcessModuleCollection GetModules(int processId, bool firstModuleOnly) { // preserving Everett behavior. if (processId == SystemProcessID || processId == IdleProcessID) { // system process and idle process doesn't have any modules throw new Win32Exception(HResults.E_FAIL, SR.EnumProcessModuleFailed); } SafeProcessHandle processHandle = SafeProcessHandle.InvalidHandle; try { processHandle = ProcessManager.OpenProcess(processId, Interop.Advapi32.ProcessOptions.PROCESS_QUERY_INFORMATION | Interop.Advapi32.ProcessOptions.PROCESS_VM_READ, true); bool succeeded = Interop.Kernel32.EnumProcessModules(processHandle, null, 0, out int needed); // The API we need to use to enumerate process modules differs on two factors: // 1) If our process is running in WOW64. // 2) The bitness of the process we wish to introspect. // // If we are not running in WOW64 or we ARE in WOW64 but want to inspect a 32 bit process // we can call psapi!EnumProcessModules. // // If we are running in WOW64 and we want to inspect the modules of a 64 bit process then // psapi!EnumProcessModules will return false with ERROR_PARTIAL_COPY (299). In this case we can't // do the enumeration at all. So we'll detect this case and bail out. if (!succeeded) { SafeProcessHandle hCurProcess = SafeProcessHandle.InvalidHandle; try { hCurProcess = ProcessManager.OpenProcess((int)Interop.Kernel32.GetCurrentProcessId(), Interop.Advapi32.ProcessOptions.PROCESS_QUERY_INFORMATION, true); if (!Interop.Kernel32.IsWow64Process(hCurProcess, out bool sourceProcessIsWow64)) { throw new Win32Exception(); } if (!Interop.Kernel32.IsWow64Process(processHandle, out bool targetProcessIsWow64)) { throw new Win32Exception(); } if (sourceProcessIsWow64 && !targetProcessIsWow64) { // Wow64 isn't going to allow this to happen, the best we can do is give a descriptive error to the user. throw new Win32Exception(Interop.Errors.ERROR_PARTIAL_COPY, SR.EnumProcessModuleFailedDueToWow); } } finally { if (hCurProcess != SafeProcessHandle.InvalidHandle) { hCurProcess.Dispose(); } } EnumProcessModulesUntilSuccess(processHandle, null, 0, out needed); } int modulesCount = needed / IntPtr.Size; IntPtr[] moduleHandles = new IntPtr[modulesCount]; while (true) { int size = needed; EnumProcessModulesUntilSuccess(processHandle, moduleHandles, size, out needed); if (size == needed) { break; } if (needed > size && needed / IntPtr.Size > modulesCount) { modulesCount = needed / IntPtr.Size; moduleHandles = new IntPtr[modulesCount]; } } var modules = new ProcessModuleCollection(firstModuleOnly ? 1 : modulesCount); char[] chars = ArrayPool <char> .Shared.Rent(1024); try { for (int i = 0; i < modulesCount; i++) { if (i > 0) { // If the user is only interested in the main module, break now. // This avoid some waste of time. In addition, if the application unloads a DLL // we will not get an exception. if (firstModuleOnly) { break; } } IntPtr moduleHandle = moduleHandles[i]; Interop.Kernel32.NtModuleInfo ntModuleInfo; if (!Interop.Kernel32.GetModuleInformation(processHandle, moduleHandle, out ntModuleInfo)) { HandleLastWin32Error(); continue; } var module = new ProcessModule() { ModuleMemorySize = ntModuleInfo.SizeOfImage, EntryPointAddress = ntModuleInfo.EntryPoint, BaseAddress = ntModuleInfo.BaseOfDll }; int length = Interop.Kernel32.GetModuleBaseName(processHandle, moduleHandle, chars, chars.Length); if (length == 0) { HandleLastWin32Error(); continue; } module.ModuleName = new string(chars, 0, length); length = Interop.Kernel32.GetModuleFileNameEx(processHandle, moduleHandle, chars, chars.Length); if (length == 0) { HandleLastWin32Error(); continue; } module.FileName = (length >= 4 && chars[0] == '\\' && chars[1] == '\\' && chars[2] == '?' && chars[3] == '\\') ? new string(chars, 4, length - 4) : new string(chars, 0, length); modules.Add(module); } } finally { ArrayPool <char> .Shared.Return(chars); } return(modules); } finally { if (!processHandle.IsInvalid) { processHandle.Dispose(); } } }
internal void Add(ProcessModule module) => InnerList.Add(module);
internal void Insert(int index, ProcessModule module) => InnerList.Insert(index, module);
public Module(ProcessModule processModule) { ProcessModule = processModule; }
public int IndexOf(System.Diagnostics.ProcessModule module) { throw null; }
public bool Contains(ProcessModule module) => InnerList.Contains(module);
/// <summary> /// Frees the loaded dynamic-link library (DLL) module and, if necessary, decrements its reference count. /// </summary> /// <param name="module">The <see cref="ProcessModule"/> object corresponding to the library to free.</param> public static void FreeLibrary(ProcessModule module) { FreeLibrary(module.ModuleName); }
public bool Contains(ProcessModule module) { return(InnerList.Contains(module)); }
public Module(SafeMemoryHandle handle, ProcessModule module, bool internalMem) : base(handle,module.BaseAddress, internalMem) { ThisModule = module; }
/// <summary> /// Initializes a new instance of the <see cref="RemoteModule"/> class. /// </summary> /// <param name="memorySharp">The reference of the <see cref="MemorySharp"/> object.</param> /// <param name="module">The native <see cref="ProcessModule"/> object corresponding to this module.</param> internal RemoteModule(MemorySharp memorySharp, ProcessModule module) : base(memorySharp, module.BaseAddress) { // Save the parameter Native = module; }
private static ProcessModuleCollection GetModules(int processId, bool firstModuleOnly) { // preserving Everett behavior. if (processId == SystemProcessID || processId == IdleProcessID) { // system process and idle process doesn't have any modules throw new Win32Exception(Interop.Errors.EFail, SR.EnumProcessModuleFailed); } SafeProcessHandle processHandle = SafeProcessHandle.InvalidHandle; try { processHandle = ProcessManager.OpenProcess(processId, Interop.Advapi32.ProcessOptions.PROCESS_QUERY_INFORMATION | Interop.Advapi32.ProcessOptions.PROCESS_VM_READ, true); IntPtr[] moduleHandles = new IntPtr[64]; GCHandle moduleHandlesArrayHandle = default; int moduleCount = 0; while (true) { bool enumResult = false; try { moduleHandlesArrayHandle = GCHandle.Alloc(moduleHandles, GCHandleType.Pinned); enumResult = Interop.Kernel32.EnumProcessModules(processHandle, moduleHandlesArrayHandle.AddrOfPinnedObject(), moduleHandles.Length * IntPtr.Size, ref moduleCount); // The API we need to use to enumerate process modules differs on two factors: // 1) If our process is running in WOW64. // 2) The bitness of the process we wish to introspect. // // If we are not running in WOW64 or we ARE in WOW64 but want to inspect a 32 bit process // we can call psapi!EnumProcessModules. // // If we are running in WOW64 and we want to inspect the modules of a 64 bit process then // psapi!EnumProcessModules will return false with ERROR_PARTIAL_COPY (299). In this case we can't // do the enumeration at all. So we'll detect this case and bail out. // // Also, EnumProcessModules is not a reliable method to get the modules for a process. // If OS loader is touching module information, this method might fail and copy part of the data. // This is no easy solution to this problem. The only reliable way to fix this is to // suspend all the threads in target process. Of course we don't want to do this in Process class. // So we just to try avoid the race by calling the same method 50 (an arbitrary number) times. // if (!enumResult) { bool sourceProcessIsWow64 = false; bool targetProcessIsWow64 = false; SafeProcessHandle hCurProcess = SafeProcessHandle.InvalidHandle; try { hCurProcess = ProcessManager.OpenProcess(unchecked ((int)Interop.Kernel32.GetCurrentProcessId()), Interop.Advapi32.ProcessOptions.PROCESS_QUERY_INFORMATION, true); bool wow64Ret; wow64Ret = Interop.Kernel32.IsWow64Process(hCurProcess, ref sourceProcessIsWow64); if (!wow64Ret) { throw new Win32Exception(); } wow64Ret = Interop.Kernel32.IsWow64Process(processHandle, ref targetProcessIsWow64); if (!wow64Ret) { throw new Win32Exception(); } if (sourceProcessIsWow64 && !targetProcessIsWow64) { // Wow64 isn't going to allow this to happen, the best we can do is give a descriptive error to the user. throw new Win32Exception(Interop.Errors.ERROR_PARTIAL_COPY, SR.EnumProcessModuleFailedDueToWow); } } finally { if (hCurProcess != SafeProcessHandle.InvalidHandle) { hCurProcess.Dispose(); } } // If the failure wasn't due to Wow64, try again. for (int i = 0; i < 50; i++) { enumResult = Interop.Kernel32.EnumProcessModules(processHandle, moduleHandlesArrayHandle.AddrOfPinnedObject(), moduleHandles.Length * IntPtr.Size, ref moduleCount); if (enumResult) { break; } Thread.Sleep(1); } } } finally { moduleHandlesArrayHandle.Free(); } if (!enumResult) { throw new Win32Exception(); } moduleCount /= IntPtr.Size; if (moduleCount <= moduleHandles.Length) { break; } moduleHandles = new IntPtr[moduleHandles.Length * 2]; } var modules = new ProcessModuleCollection(firstModuleOnly ? 1 : moduleCount); char[] chars = new char[1024]; for (int i = 0; i < moduleCount; i++) { if (i > 0) { // If the user is only interested in the main module, break now. // This avoid some waste of time. In addition, if the application unloads a DLL // we will not get an exception. if (firstModuleOnly) { break; } } IntPtr moduleHandle = moduleHandles[i]; Interop.Kernel32.NtModuleInfo ntModuleInfo; if (!Interop.Kernel32.GetModuleInformation(processHandle, moduleHandle, out ntModuleInfo)) { HandleError(); continue; } var module = new ProcessModule() { ModuleMemorySize = ntModuleInfo.SizeOfImage, EntryPointAddress = ntModuleInfo.EntryPoint, BaseAddress = ntModuleInfo.BaseOfDll }; int length = Interop.Kernel32.GetModuleBaseName(processHandle, moduleHandle, chars, chars.Length); if (length == 0) { HandleError(); continue; } module.ModuleName = new string(chars, 0, length); length = Interop.Kernel32.GetModuleFileNameEx(processHandle, moduleHandle, chars, chars.Length); if (length == 0) { HandleError(); continue; } module.FileName = (length >= 4 && chars[0] == '\\' && chars[1] == '\\' && chars[2] == '?' && chars[3] == '\\') ? new string(chars, 4, length - 4) : new string(chars, 0, length); modules.Add(module); } return(modules); } finally { if (!processHandle.IsInvalid) { processHandle.Dispose(); } } }
/// <summary> /// Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). /// </summary> /// <param name="module">The <see cref="ProcessModule"/> object corresponding to the module.</param> /// <param name="functionName">The function or variable name, or the function's ordinal value.</param> /// <returns>If the function succeeds, the return value is the address of the exported function.</returns> public static IntPtr GetProcAddress(ProcessModule module, string functionName) { return GetProcAddress(module.ModuleName, functionName); }
static bool IsClrModule(ProcessModule mod, string[] clrNames) { var fname = Path.GetFileName(mod.FileName); return clrNames.Any(n => StringComparer.OrdinalIgnoreCase.Equals(n, fname)); }
public bool Contains(System.Diagnostics.ProcessModule module) { throw null; }
public int IndexOf(ProcessModule module) => InnerList.IndexOf(module);