public ModuleListViewItem(int procID, IntPtr _handle)
{
ModuleInfomation = PELoader.Load(procID, _handle);
Handle = _handle;
ProcessHandle = ModuleInfomation.GetProcessHandle();
StringBuilder sb = new StringBuilder(255);
NativeMethods.GetModuleFileNameEx(ProcessHandle, Handle, sb, 255);
ModulePath = sb.ToString();
Text = Path.GetFileName(ModulePath);
SubItems.Add(string.Format("0x{0:x2}", IntPtr.Size == 4 ? _handle.ToInt32() : _handle.ToInt64()));
SubItems.Add(ModuleInfomation.Overview.SizeOfImage.ToString());
if (!string.IsNullOrEmpty(Text))
{
SubItems.Add(ModulePath);
}
else
{
SubItems.Add("Byte loaded");
}
}
void DumpModule(PEInfomation procPE, string path)
{
byte[] buffer = new byte[procPE.Overview.SizeOfImage];
IntPtr procHandle = procPE.GetProcessHandle();
NativeMethods.ReadProcessMemory(procHandle, procPE.ModuleBaseAddress, buffer, Convert.ToInt32(procPE.Overview.SizeOfHeaders), 0);
foreach (IMAGE_SECTION_HEADER section in procPE.Sections)
{
if (section.SizeOfRawData == 0)
{
continue;
}
byte[] sData = new byte[section.SizeOfRawData];
NativeMethods.ReadProcessMemory(procHandle, new IntPtr(procPE.Overview.ImageBase + section.VirtualAddress), sData, sData.Length, 0);
Buffer.BlockCopy(sData, 0, buffer, Convert.ToInt32(section.PointerToRawData), sData.Length);
}
File.WriteAllBytes(path, buffer);
procPE.CloseProcessHandle();
}
