public bool DumpProcess(ModuleListItem moduleListItem, IntPtr processId, out PEFile outputFile)
{
IntPtr basePointer = (IntPtr)moduleListItem.ModuleBase;
IMAGE_DOS_HEADER dosHeader = ReadProcessStruct <IMAGE_DOS_HEADER>(processId, basePointer);
outputFile = default;
if (dosHeader.IsValid)
{
IntPtr peHeaderPointer = basePointer + dosHeader.e_lfanew;
IntPtr dosStubPointer = basePointer + Marshal.SizeOf <IMAGE_DOS_HEADER>();
byte[] dosStub = ReadProcessBytes(processId, dosStubPointer, dosHeader.e_lfanew - Marshal.SizeOf <IMAGE_DOS_HEADER>());
var peFile = !moduleListItem.ModuleType ?
Dump64BitPE(processId, dosHeader, dosStub, peHeaderPointer) :
Dump32BitPE(processId, dosHeader, dosStub, peHeaderPointer);
if (peFile != default(PEFile))
{
IntPtr sectionHeaderPointer = peHeaderPointer + peFile.GetFirstSectionHeaderOffset();
for (int i = 0; i < peFile.Sections.Length; i++)
{
IMAGE_SECTION_HEADER sectionHeader = ReadProcessStruct <IMAGE_SECTION_HEADER>(processId, sectionHeaderPointer);
peFile.Sections[i] = new PESection
{
Header = PESection.PESectionHeader.FromNativeStruct(sectionHeader),
InitialSize = (int)sectionHeader.VirtualSize
};
ReadSectionContent(processId, new IntPtr(basePointer.ToInt64() + sectionHeader.VirtualAddress), peFile.Sections[i]);
sectionHeaderPointer += Marshal.SizeOf <IMAGE_SECTION_HEADER>();
}
//Logger.Log("Aligning Sections...");
peFile.AlignSectionHeaders();
//Logger.Log("Fixing PE Header...");
peFile.FixPEHeader();
//Logger.Log("Dump Completed !");
outputFile = peFile;
return(true);
}
}
return(false);
}
public bool FdGetModuleList(IntPtr pid, out ModuleListItem[] result)
{
result = Array.Empty <ModuleListItem>();
ulong moduleListSize = FdGetModuleListSize(pid);
if (moduleListSize <= 0)
{
return(false);
}
IntPtr moduleListPtr = MarshalUtility.AllocZeroFilled((int)moduleListSize);
KERNEL_MODULE_LIST_REQUEST kmlr = new KERNEL_MODULE_LIST_REQUEST
{
ProcessId = pid,
ModuleListPtr = (ulong)moduleListPtr.ToInt64(),
ModuleListSize = moduleListSize
};
IntPtr kmlrPointer = MarshalUtility.CopyStructToMemory(kmlr);
int kmlrSize = Marshal.SizeOf <KERNEL_MODULE_LIST_REQUEST>();
if (DeviceIoControl(hDriver, IO_MODULE_LIST_REQUEST, kmlrPointer, kmlrSize, kmlrPointer, kmlrSize, IntPtr.Zero, IntPtr.Zero))
{
kmlr = MarshalUtility.GetStructFromMemory <KERNEL_MODULE_LIST_REQUEST>(kmlrPointer);
if (kmlr.ModuleListCount > 0)
{
byte[] managedBuffer = new byte[moduleListSize];
Marshal.Copy(moduleListPtr, managedBuffer, 0, (int)moduleListSize);
Marshal.FreeHGlobal(moduleListPtr);
result = new ModuleListItem[kmlr.ModuleListCount];
using (BinaryReader reader = new BinaryReader(new MemoryStream(managedBuffer)))
{
for (int i = 0; i < result.Length; i++)
{
result[i] = ModuleListItem.FromByteStream(reader);
}
}
return(true);
}
}
return(false);
}
/// <summary>
/// Dumps the specified module.
/// </summary>
/// <param name="module">The module of a process</param>
private void DumpModule(ModuleListItem module)
{
//
// Get the destination path
//
string path;
var saveFile = new SaveFileDialog
{
FileName = $@"{Path.GetFileName(module.ModuleName)}",
Filter = @"Executable File (.dll)|*.dll"
};
//
// Show the dialog
//
if (saveFile.ShowDialog() == DialogResult.OK)
{
path = saveFile.FileName;
}
else
{
return;
}
//
// Dump module
//
if (!NemesisApi.DumpModule(_processId, (IntPtr)module.ImageBase, path))
{
MessageBox.Show("Failed to dump module.");
}
else
{
MessageBox.Show("Successfully dumped the module.");
}
}
private void DumpModule()
{
FireDumper.logsTextBox.AppendText(@"[*] Dumping module..." + Environment.NewLine);
if (FireDumper.c.HasValidHandle())
{
ModuleListItem targetModule = ModuleList.SelectedItems[0].Tag as ModuleListItem;
if (targetModule == null)
{
FireDumper.logsTextBox.AppendText(@"[-] Dumping module aborted! (No module selected)" + Environment.NewLine);
return;
}
Task.Run(() =>
{
if (new Dumper(FireDumper.c).DumpProcess(targetModule, targetProcess.ProcessId, out PEFile peFile))
{
Invoke(new Action(() =>
{
using (SaveFileDialog sfd = new SaveFileDialog())
{
string fileEnding = targetModule.ModuleName.Split('.').Last();
switch (fileEnding)
{
case "dll":
sfd.FileName = targetModule.ModuleName.Replace(".dll", "_dump.dll");
sfd.Filter = @"Dynamic Link Library (.dll)|*.dll";
break;
case "exe":
sfd.FileName = targetProcess.ProcessName.Replace(".exe", "_dump.exe");
sfd.Filter = @"Executable File (.exe)|*.exe";
break;
default:
sfd.FileName = targetProcess.ProcessName.Replace($".{fileEnding}", $"_dump.{fileEnding}");
sfd.Filter = $@"Custom PE File (.{fileEnding})|*.{fileEnding}";
break;
}
if (sfd.ShowDialog() == DialogResult.OK)
{
peFile.SaveToDisk(sfd.FileName);
FireDumper.logsTextBox.AppendText(@"[+] Saved dump to disk!" + Environment.NewLine);
FireDumper.logsTextBox.AppendText(@"[+] Successfully dumped " + targetModule.ModuleName + "!" + Environment.NewLine);
}
else
{
FireDumper.logsTextBox.AppendText(@"[!] Dumping aborted!" + Environment.NewLine);
}
}
}));
}
else
{
Invoke(new Action(() =>
{
FireDumper.logsTextBox.AppendText(@"[-] Unknown error with Dumper!" + Environment.NewLine);
MessageBox.Show(@"Unable to dump target module!", @"Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
}));
}
});
}
}
