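        /// <summary>
        /// Context-menu handler: dumps the main module of the selected process
        /// through <c>dumper</c> and lets the user choose where to save the rebuilt PE.
        /// The dump runs on a thread-pool task; every UI interaction (save dialog,
        /// message boxes) is marshalled back to the UI thread with <c>Invoke</c>.
        /// </summary>
        /// <param name="sender">Event source (unused).</param>
        /// <param name="e">Event data (unused).</param>
        private void dumpMainModuleToolStripMenuItem_Click(object sender, EventArgs e)
        {
            if (!driver.HasValidHandle())
            {
                MessageBox.Show("Unable to communicate with driver ! Make sure it is loaded.", "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
                return;
            }

            // The original indexed SelectedItems[0] unconditionally and cast with
            // "as" without a null check: an empty selection threw, and a row whose
            // Tag is not a ProcessSummary would have crashed inside the task.
            ProcessSummary targetProcess = processList.SelectedItems.Count > 0
                ? processList.SelectedItems[0].Tag as ProcessSummary
                : null;

            if (targetProcess == null)
            {
                return;
            }

            Task.Run(() =>
            {
                if (dumper.DumpProcess(targetProcess, out PEFile peFile))
                {
                    Invoke(new Action(() =>
                    {
                        using (SaveFileDialog sfd = new SaveFileDialog())
                        {
                            // Suggested name: "<process>_dump.exe".
                            sfd.FileName = targetProcess.ProcessName.Replace(".exe", "_dump.exe");
                            sfd.Filter   = "Executable File (.exe)|*.exe";

                            if (sfd.ShowDialog() == DialogResult.OK)
                            {
                                peFile.SaveToDisk(sfd.FileName);
                                Logger.Log("Saved at '{0}' !", sfd.FileName);
                            }
                        }
                    }));
                }
                else
                {
                    Invoke(new Action(() =>
                    {
                        MessageBox.Show("Unable to dump target process !", "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
                    }));
                }
            });
        }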
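        /// <summary>
        /// Context-menu handler: opens an Explorer window on the directory that
        /// contains the selected process' main module.
        /// </summary>
        /// <param name="sender">Event source (unused).</param>
        /// <param name="e">Event data (unused).</param>
        private void openInExplorerToolStripMenuItem_Click(object sender, EventArgs e)
        {
            // The original indexed SelectedItems[0] unconditionally and used the
            // "as" result without a null check; an empty selection threw.
            ProcessSummary targetProcess = processList.SelectedItems.Count > 0
                ? processList.SelectedItems[0].Tag as ProcessSummary
                : null;

            if (targetProcess == null || string.IsNullOrEmpty(targetProcess.MainModuleFileName))
            {
                return;
            }

            string directory;
            try
            {
                directory = Path.GetDirectoryName(targetProcess.MainModuleFileName);
            }
            catch (ArgumentException ex)
            {
                // The module path is reported by the target process and is not
                // under our control; a malformed one is logged rather than crashing the UI.
                Logger.Log("Cannot resolve module directory for '{0}': {1}", targetProcess.MainModuleFileName, ex.Message);
                return;
            }

            if (string.IsNullOrEmpty(directory))
            {
                return;
            }

            // Quote the path so a directory containing spaces reaches explorer.exe
            // as a single argument.
            Process.Start("explorer.exe", "\"" + directory + "\"");
        }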
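        /// <summary>
        /// Reads the main module of <paramref name="processSummary"/> out of the target's
        /// memory (DOS header, DOS stub, NT headers, section headers and section contents)
        /// and rebuilds it into a <see cref="PEFile"/>.
        /// </summary>
        /// <param name="processSummary">Target process; its MainModuleBase, ProcessId, ProcessName and IsWOW64 are used.</param>
        /// <param name="outputFile">The rebuilt image on success, otherwise <c>default(PEFile)</c>.</param>
        /// <returns><c>true</c> when the headers parsed and the sections were read; <c>false</c> otherwise.</returns>
        public bool DumpProcess(ProcessSummary processSummary, out PEFile outputFile)
        {
            outputFile = default(PEFile);

            int              dosHeaderSize = Marshal.SizeOf <IMAGE_DOS_HEADER>();
            IntPtr           basePointer   = (IntPtr)processSummary.MainModuleBase;
            IMAGE_DOS_HEADER dosHeader     = ReadProcessStruct <IMAGE_DOS_HEADER>(processSummary.ProcessId, basePointer);

            Logger.SkipLine();
            Logger.Log("Targeting Process: {0} ({1})", processSummary.ProcessName, processSummary.ProcessId);

            if (!dosHeader.IsValid)
            {
                Logger.Log("Bad DOS Header !");
                return false;
            }

            // e_lfanew is read from the target's memory and is not trusted. The original
            // computed the DOS stub length as e_lfanew - sizeof(IMAGE_DOS_HEADER) without
            // checking the sign, so a header pointing inside (or before) the DOS header
            // produced a negative read length. No upper bound is applied here —
            // TODO confirm what ReadProcessBytes does with very large lengths.
            if (dosHeader.e_lfanew < dosHeaderSize)
            {
                Logger.Log("Bad DOS Header (e_lfanew = 0x{0:x8}) !", dosHeader.e_lfanew);
                return false;
            }

            IntPtr peHeaderPointer = basePointer + dosHeader.e_lfanew;
            Logger.Log("PE Header Found: 0x{0:x8}", peHeaderPointer.ToInt64());

            // Everything between the DOS header and the NT headers is kept verbatim.
            IntPtr dosStubPointer = basePointer + dosHeaderSize;
            byte[] dosStub        = ReadProcessBytes(processSummary.ProcessId, dosStubPointer, dosHeader.e_lfanew - dosHeaderSize);

            // A WOW64 process carries a 32-bit image regardless of the host bitness.
            PEFile peFile = processSummary.IsWOW64
                ? Dump32BitPE(processSummary.ProcessId, dosHeader, dosStub, peHeaderPointer)
                : Dump64BitPE(processSummary.ProcessId, dosHeader, dosStub, peHeaderPointer);

            if (peFile == default(PEFile))
            {
                Logger.Log("Bad PE Header !");
                return false;
            }

            IntPtr sectionHeaderPointer = peHeaderPointer + peFile.GetFirstSectionHeaderOffset();
            int    sectionHeaderSize    = Marshal.SizeOf <IMAGE_SECTION_HEADER>();

            Logger.Log("Header is valid ({0}) !", peFile.Type);
            Logger.Log("Parsing {0} Sections...", peFile.Sections.Length);

            for (int i = 0; i < peFile.Sections.Length; i++)
            {
                IMAGE_SECTION_HEADER sectionHeader = ReadProcessStruct <IMAGE_SECTION_HEADER>(processSummary.ProcessId, sectionHeaderPointer);
                peFile.Sections[i] = new PESection
                {
                    Header      = PESection.PESectionHeader.FromNativeStruct(sectionHeader),
                    InitialSize = (int)sectionHeader.VirtualSize
                };

                // VirtualAddress/VirtualSize also come from the target's memory;
                // ReadSectionContent is relied on to bound the read — TODO confirm.
                ReadSectionContent(processSummary.ProcessId, new IntPtr(basePointer.ToInt64() + sectionHeader.VirtualAddress), peFile.Sections[i]);
                sectionHeaderPointer += sectionHeaderSize;
            }

            Logger.Log("Aligning Sections...");
            peFile.AlignSectionHeaders();

            Logger.Log("Fixing PE Header...");
            peFile.FixPEHeader();

            Logger.Log("Dump Completed !");
            outputFile = peFile;
            return true;
        }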