/// <summary>
/// Gets all modules in the opened process.
/// </summary>
/// <returns>A collection of modules in the process.</returns>
public IEnumerable <NormalizedModule> GetModules(Process process)
{
// Query all modules in the target process
IntPtr[] modulePointers = new IntPtr[0];
Int32 bytesNeeded = 0;
List <NormalizedModule> modules = new List <NormalizedModule>();
if (process == null)
{
return(modules);
}
if (this.ModuleCache.Contains(process.Id) && this.ModuleCache.TryGetValue(process.Id, out modules))
{
return(modules);
}
try
{
// Determine number of modules
if (!NativeMethods.EnumProcessModulesEx(process.Handle, modulePointers, 0, out bytesNeeded, (UInt32)Enumerations.ModuleFilter.ListModulesAll))
{
// Failure, return our current empty list
return(modules);
}
Int32 totalNumberofModules = bytesNeeded / IntPtr.Size;
modulePointers = new IntPtr[totalNumberofModules];
if (NativeMethods.EnumProcessModulesEx(process.Handle, modulePointers, bytesNeeded, out bytesNeeded, (UInt32)Enumerations.ModuleFilter.ListModulesAll))
{
for (Int32 index = 0; index < totalNumberofModules; index++)
{
StringBuilder moduleFilePath = new StringBuilder(1024);
NativeMethods.GetModuleFileNameEx(process.Handle, modulePointers[index], moduleFilePath, (UInt32)moduleFilePath.Capacity);
ModuleInformation moduleInformation = new ModuleInformation();
NativeMethods.GetModuleInformation(process.Handle, modulePointers[index], out moduleInformation, (UInt32)(IntPtr.Size * modulePointers.Length));
// Ignore modules in 64-bit address space for WoW64 processes
if (process.Is32Bit() && moduleInformation.ModuleBase.ToUInt64() > Int32.MaxValue)
{
continue;
}
// Convert to a normalized module and add it to our list
NormalizedModule module = new NormalizedModule(moduleFilePath.ToString(), moduleInformation.ModuleBase.ToUInt64(), (Int32)moduleInformation.SizeOfImage);
modules.Add(module);
}
}
}
catch (Exception ex)
{
Logger.Log(LogLevel.Error, "Unable to fetch modules from selected process", ex);
}
this.ModuleCache.Add(process.Id, modules);
return(modules);
}
/// <summary>
/// Gets all modules in the opened process.
/// </summary>
/// <returns>A collection of modules in the process.</returns>
public IEnumerable <NormalizedModule> GetModules()
{
// Query all modules in the target process
IntPtr[] modulePointers = new IntPtr[0];
Int32 bytesNeeded = 0;
List <NormalizedModule> modules = new List <NormalizedModule>();
if (this.SystemProcess == null)
{
return(modules);
}
try
{
// Determine number of modules
if (!NativeMethods.EnumProcessModulesEx(this.SystemProcess.Handle, modulePointers, 0, out bytesNeeded, (UInt32)Enumerations.ModuleFilter.ListModulesAll))
{
return(modules);
}
Int32 totalNumberofModules = bytesNeeded / IntPtr.Size;
modulePointers = new IntPtr[totalNumberofModules];
if (NativeMethods.EnumProcessModulesEx(this.SystemProcess.Handle, modulePointers, bytesNeeded, out bytesNeeded, (UInt32)Enumerations.ModuleFilter.ListModulesAll))
{
for (Int32 index = 0; index < totalNumberofModules; index++)
{
StringBuilder moduleFilePath = new StringBuilder(1024);
NativeMethods.GetModuleFileNameEx(this.SystemProcess.Handle, modulePointers[index], moduleFilePath, (UInt32)moduleFilePath.Capacity);
String moduleName = Path.GetFileName(moduleFilePath.ToString());
ModuleInformation moduleInformation = new ModuleInformation();
NativeMethods.GetModuleInformation(this.SystemProcess.Handle, modulePointers[index], out moduleInformation, (UInt32)(IntPtr.Size * modulePointers.Length));
// Ignore modules in 64-bit address space for WoW64 processes
if (EngineCore.GetInstance().Processes.IsOpenedProcess32Bit() && moduleInformation.ModuleBase.ToUInt64() > Int32.MaxValue)
{
continue;
}
// Convert to a normalized module and add it to our list
NormalizedModule module = new NormalizedModule(moduleName, moduleInformation.ModuleBase, (Int32)moduleInformation.SizeOfImage);
modules.Add(module);
}
}
}
catch (Exception ex)
{
OutputViewModel.GetInstance().Log(OutputViewModel.LogLevel.Error, "Unable to fetch modules from selected process", ex);
AnalyticsService.GetInstance().SendEvent(AnalyticsService.AnalyticsAction.General, ex);
}
return(modules);
}
/// <summary>
/// Converts an address to a module and an address offset.
/// </summary>
/// <param name="address">The original address.</param>
/// <param name="moduleName">The module name containing this address, if there is one. Otherwise, empty string.</param>
/// <returns>The module name and address offset. If not contained by a module, the original address is returned.</returns>
public UInt64 AddressToModule(Process process, UInt64 address, out String moduleName)
{
NormalizedModule containingModule = this.GetModules(process)
.Select(module => module)
.Where(module => module.ContainsAddress(address))
.FirstOrDefault();
moduleName = containingModule?.Name ?? String.Empty;
return(containingModule == null ? address : address - containingModule.BaseAddress);
}
/// <summary>
/// Converts an address to a module and an address offset.
/// </summary>
/// <param name="address">The original address.</param>
/// <param name="moduleName">The module name containing this address, if there is one. Otherwise, empty string.</param>
/// <returns>The module name and address offset. If not contained by a module, the original address is returned.</returns>
public UInt64 AddressToModule(UInt64 address, out String moduleName)
{
NormalizedModule containingModule = EngineCore.GetInstance().VirtualMemory.GetModules()
.Select(module => module)
.Where(module => module.ContainsAddress(address))
.FirstOrDefault();
moduleName = containingModule?.Name ?? String.Empty;
return(containingModule == null ? address : address - containingModule.BaseAddress.ToUInt64());
}
/// <summary>
/// Gets all modules in the opened process
/// </summary>
/// <returns>A collection of modules in the process</returns>
public IEnumerable <NormalizedModule> GetModules()
{
List <NormalizedModule> normalizedModules = new List <NormalizedModule>();
if (this.SystemProcess == null)
{
return(normalizedModules);
}
// Query all modules in the target process
IntPtr[] modulePointers = new IntPtr[0];
Int32 bytesNeeded = 0;
try
{
// Determine number of modules
if (!Native.NativeMethods.EnumProcessModulesEx(this.SystemProcess.Handle, modulePointers, 0, out bytesNeeded, (UInt32)Enumerations.ModuleFilter.ListModulesAll))
{
return(normalizedModules);
}
Int32 totalNumberofModules = bytesNeeded / IntPtr.Size;
modulePointers = new IntPtr[totalNumberofModules];
if (Native.NativeMethods.EnumProcessModulesEx(this.SystemProcess.Handle, modulePointers, bytesNeeded, out bytesNeeded, (UInt32)Enumerations.ModuleFilter.ListModulesAll))
{
for (Int32 index = 0; index < totalNumberofModules; index++)
{
StringBuilder moduleFilePath = new StringBuilder(1024);
Native.NativeMethods.GetModuleFileNameEx(this.SystemProcess.Handle, modulePointers[index], moduleFilePath, (UInt32)moduleFilePath.Capacity);
String moduleName = Path.GetFileName(moduleFilePath.ToString());
ModuleInformation moduleInformation = new ModuleInformation();
Native.NativeMethods.GetModuleInformation(this.SystemProcess.Handle, modulePointers[index], out moduleInformation, (UInt32)(IntPtr.Size * modulePointers.Length));
// Convert to a normalized module and add it to our list
NormalizedModule module = new NormalizedModule(moduleName, moduleInformation.ModuleBase, unchecked ((Int32)moduleInformation.SizeOfImage));
normalizedModules.Add(module);
}
}
}
catch (Exception ex)
{
OutputViewModel.GetInstance().Log(OutputViewModel.LogLevel.Error, "Error fetching modules from selected process: " + ex.ToString());
}
return(normalizedModules);
}
