public static void LoadProcessWow64Modules(this SymbolProvider symbols, int pid)
{
using (var buffer = new ProcessHacker.Native.Debugging.DebugBuffer())
{
buffer.Query(pid, ProcessHacker.Native.Api.RtlQueryProcessDebugFlags.Modules32);
foreach (var module in buffer.GetModules())
{
try
{
symbols.LoadModule(module.FileName, module.BaseAddress, module.Size);
}
catch (Exception ex)
{
Logging.Log(ex);
}
}
}
}
public static void LoadProcessWow64Modules(this SymbolProvider symbols, int pid)
{
using (var buffer = new ProcessHacker.Native.Debugging.DebugBuffer())
{
buffer.Query(
pid,
ProcessHacker.Native.Api.RtlQueryProcessDebugFlags.Modules32 |
ProcessHacker.Native.Api.RtlQueryProcessDebugFlags.NonInvasive
);
foreach (var module in buffer.GetModules())
{
try
{
symbols.LoadModule(module.FileName, module.BaseAddress, module.Size);
}
catch (Exception ex)
{
Logging.Log(ex);
}
}
}
}
private static void DumpProcessModules(MemoryObject processMo, int pid)
{
if (pid <= 0)
{
return;
}
using (var modules = processMo.CreateChild("Modules"))
{
if (pid != 4)
{
var baseAddressList = new Dictionary <IntPtr, object>();
bool isWow64 = false;
using (var phandle = new ProcessHandle(pid, Program.MinProcessQueryRights | ProcessAccess.VmRead))
{
if (OSVersion.Architecture == OSArch.Amd64)
{
isWow64 = phandle.IsWow64();
}
phandle.EnumModules((module) =>
{
if (!baseAddressList.ContainsKey(module.BaseAddress))
{
DumpProcessModule(modules, module);
baseAddressList.Add(module.BaseAddress, null);
}
return(true);
});
}
try
{
using (var phandle = new ProcessHandle(pid, ProcessAccess.QueryInformation | ProcessAccess.VmRead))
{
phandle.EnumMemory((memory) =>
{
if (memory.Type == MemoryType.Mapped)
{
if (!baseAddressList.ContainsKey(memory.BaseAddress))
{
string fileName = phandle.GetMappedFileName(memory.BaseAddress);
if (fileName != null)
{
fileName = FileUtils.GetFileName(fileName);
DumpProcessModule(modules, new ProcessModule(
memory.BaseAddress,
memory.RegionSize.ToInt32(),
IntPtr.Zero,
0,
Path.GetFileName(fileName),
fileName
));
baseAddressList.Add(memory.BaseAddress, null);
}
}
}
return(true);
});
}
}
catch
{ }
if (isWow64)
{
try
{
using (var buffer = new ProcessHacker.Native.Debugging.DebugBuffer())
{
buffer.Query(
pid,
RtlQueryProcessDebugFlags.Modules32 |
RtlQueryProcessDebugFlags.NonInvasive
);
buffer.EnumModules((module) =>
{
if (!baseAddressList.ContainsKey(module.BaseAddress))
{
DumpProcessModule(modules, module);
baseAddressList.Add(module.BaseAddress, null);
}
return(true);
});
}
}
catch
{ }
}
}
else
{
foreach (var module in Windows.GetKernelModules())
{
DumpProcessModule(modules, module);
}
}
}
}
