/// <summary>
/// Disabled overload of the module dumper: the first statement returns <c>false</c>,
/// so none of the code after it runs.
/// </summary>
/// <param name="moduleHandle">Handle of the module in the target process.</param>
/// <param name="filePath">Intended output path. This overload never reads it.</param>
/// <returns>Always <c>false</c> while the leading return is in place.</returns>
/// <remarks>
/// NOTE(review): even with the leading return removed, the dumped image is assigned to a
/// local and never written to <paramref name="filePath"/>, so this body looks unfinished.
/// Confirm whether it should be completed or deleted.
/// </remarks>
public bool DumpModule(IntPtr moduleHandle, string filePath)
{
    // Unconditional exit: everything below is unreachable and kept only as reference.
    return false;

    // Fresh GUIDs name the IPC port and the remoted object for this one dump.
    var injectionOptions = new Injection.Options
    {
        PortName = Guid.NewGuid().ToString(),
        ObjectName = Guid.NewGuid().ToString()
    };

    // Load the assembly containing MetadataService into the target process and run Injection.Main.
    using (NativeProcess targetProcess = NativeProcess.Open(_processId))
    {
        bool injected = targetProcess.InjectManaged(
            typeof(MetadataService).Assembly.Location,
            typeof(Injection).FullName,
            "Main",
            injectionOptions.Serialize(),
            out int result);
        if (!injected || result != 0)
        {
            return false;
        }
    }

    // Activator.GetObject with an Ipc:// URL yields a .NET Remoting proxy to the service
    // hosted by the injected code.
    // NOTE(review): Remoting is a legacy .NET Framework mechanism; confirm the server side
    // restricts which callers may connect to this channel.
    string serviceUrl = $"Ipc://{injectionOptions.PortName}/{injectionOptions.ObjectName}";
    var remoteService = (MetadataService)Activator.GetObject(typeof(MetadataService), serviceUrl);

    MetadataInfo streams = remoteService.GetMetadataInfo(moduleHandle);
    PrintStreamInfo("#~ or #-", streams.TableStream);
    PrintStreamInfo("#Strings", streams.StringHeap);
    PrintStreamInfo("#US", streams.UserStringHeap);
    PrintStreamInfo("#GUID", streams.GuidHeap);
    PrintStreamInfo("#Blob", streams.BlobHeap);

    // The image is read but not persisted anywhere in this overload.
    byte[] dumpedImage = DumpMemoryModule(moduleHandle);
    return true;
}
/// <summary>
/// Dumps the module at <paramref name="moduleHandle"/> from the process identified by
/// <c>_processId</c> and writes it to <paramref name="filePath"/> in file layout, using
/// information returned by an injected <c>AntiAntiDumpService</c> to fix the PE header.
/// </summary>
/// <param name="moduleHandle">Handle (base address) of the module in the target process.</param>
/// <param name="imageLayout">
/// Caller-supplied layout. It is overwritten with the layout reported by the injected service
/// before any memory is copied, so the incoming value is not used.
/// </param>
/// <param name="filePath">
/// Output path handed to <see cref="File.WriteAllBytes(string, byte[])"/>, which overwrites an
/// existing file. The path is not validated here and is first touched after injection has run.
/// </param>
/// <returns>
/// <c>true</c> once the file has been written. <c>false</c> when no DAC module is found, the CLR
/// major version is neither 2 nor 4, injection fails or reports a non-zero result, or the service
/// reports that anti-anti-dump is not possible.
/// </returns>
/// <remarks>
/// NOTE(review): the bytes written come from the target process's memory and from data returned
/// by code running inside it. Treat the output file as untrusted input for later tooling.
/// </remarks>
public bool DumpModule(IntPtr moduleHandle, ImageLayout imageLayout, string filePath)
{
    ClrModule dacModule = TryGetDacModule(moduleHandle);
    if (dacModule == null)
    {
        return false;
    }

    // Determine the CLR version of the module to dump; only v2 and v4 are supported.
    var clrMajor = dacModule.Runtime.ClrInfo.Version.Major;
    InjectionClrVersion clrVersion;
    if (clrMajor == 2)
    {
        clrVersion = InjectionClrVersion.V2;
    }
    else if (clrMajor == 4)
    {
        clrVersion = InjectionClrVersion.V4;
    }
    else
    {
        return false;
    }

    // Fresh GUIDs name the IPC port and the remoted object for this one dump.
    var injectionOptions = new Injection.Options
    {
        PortName = Guid.NewGuid().ToString(),
        ObjectName = Guid.NewGuid().ToString()
    };

    // Inject the DLL into the target process; the handle is released as soon as injection returns.
    using (NativeProcess targetProcess = NativeProcess.Open(_processId))
    {
        bool injected = targetProcess.InjectManaged(
            typeof(AntiAntiDumpService).Assembly.Location,
            typeof(Injection).FullName,
            "Main",
            injectionOptions.Serialize(),
            clrVersion,
            out int result);
        if (!injected || result != 0)
        {
            return false;
        }
    }

    // Obtain the AntiAntiDumpService instance through .NET Remoting over the IPC channel.
    // NOTE(review): Remoting is a legacy .NET Framework mechanism; confirm the server side
    // restricts which callers may connect to this channel.
    string serviceUrl = $"Ipc://{injectionOptions.PortName}/{injectionOptions.ObjectName}";
    var remoteService = (AntiAntiDumpService)Activator.GetObject(typeof(AntiAntiDumpService), serviceUrl);

    AntiAntiDumpInfo dumpInfo = remoteService.GetAntiAntiDumpInfo(moduleHandle);
    if (!dumpInfo.CanAntiAntiDump)
    {
        return false;
    }

    // Override the layout obtained through the DAC: it is unclear whether the DAC value is
    // accurate, since the DAC has quite a few bugs.
    imageLayout = (ImageLayout)dumpInfo.ImageLayout;

    MetadataInfo streams = dumpInfo.MetadataInfo;
    PrintStreamInfo("#~ or #-", streams.TableStream);
    PrintStreamInfo("#Strings", streams.StringHeap);
    PrintStreamInfo("#US", streams.UserStringHeap);
    PrintStreamInfo("#GUID", streams.GuidHeap);
    PrintStreamInfo("#Blob", streams.BlobHeap);

    // Copy the image out of the target process, fix the header from the service's data,
    // then convert from the in-memory layout to file layout before writing it out.
    byte[] rawImage = PEImageHelper.DirectCopy(_processId, (void *)moduleHandle, imageLayout);
    FixHeader(rawImage, dumpInfo);
    byte[] fileImage = PEImageHelper.ConvertImageLayout(rawImage, imageLayout, ImageLayout.File);
    File.WriteAllBytes(filePath, fileImage);
    return true;
}