public static void ScanOffsets(MemUtils memUtils,ProcessModule client,ProcessModule engine)
{
clientDll = client;
engineDll = engine;
clientDllBase = clientDll.BaseAddress.ToInt32();
engineDllBase = engineDll.BaseAddress.ToInt32();
EntityOff(memUtils);
LocalPlayer(memUtils);
Jump(memUtils);
GameResources(memUtils);
ClientState(memUtils);
SetViewAngles(memUtils);
SignOnState(memUtils);
GlowManager(memUtils);
WeaponTable(memUtils);
EntityID(memUtils);
EntityHealth(memUtils);
EntityVecOrigin(memUtils);
PlayerTeamNum(memUtils);
PlayerBoneMatrix(memUtils);
PlayerWeaponHandle(memUtils);
vMatrix(memUtils);
clientDll = null;
engineDll = null;
clientDllBase = 0;
engineDllBase = 0;
}
public CacheInfo(ProcessModule module)
{
FileDescription = module.FileVersionInfo.FileDescription;
FileVersion = module.FileVersionInfo.FileVersion;
ProductName = module.FileVersionInfo.ProductName;
ProductVersion = module.FileVersionInfo.ProductVersion;
}
public ModuleDataObject(Process p, ProcessModule m, bool isDisabled)
: base(string.Format("{0}.{1}", p.Id, m.FileName))
{
ID = p.Id;
Refresh(p, m, isDisabled);
ConstructionIsFinished = true;
}
/// <summary>
/// Initializes a new instance of the <see cref="RemoteModule" /> class.
/// </summary>
/// <param name="memorySharp">The reference of the <see cref="MemorySharp" /> object.</param>
/// <param name="module">The native <see cref="ProcessModule" /> object corresponding to this module.</param>
internal RemoteModule(MemoryBase memorySharp, ProcessModule module) : base(memorySharp, module.BaseAddress)
{
// Save the parameter
Native = module;
LazyData =
new Lazy<byte[]>(
() => MemoryCore.ReadBytes(memorySharp.Handle, module.BaseAddress, module.ModuleMemorySize));
}
public HEAP_INFO(ulong heapAddress, ulong heapLength, string heapProtection, string extra, ProcessModule associatedModule)
{
this.heapAddress = heapAddress;
this.heapLength = heapLength;
this.heapProtection = heapProtection;
this.extra = extra;
this.associatedModule = associatedModule;
}
public uint FindPattern( ProcessModule pModule, string szPattern, string szMask, char Delimiter ) {
string[] saPattern = szPattern.Split( Delimiter );
byte[] bPattern = new byte[ saPattern.Length ];
for( int i = 0; i < bPattern.Length; i++ )
bPattern[ i ] = Convert.ToByte( saPattern[ i ], 0x10 );
return FindPattern( pModule, bPattern, szMask );
}
public virtual void Update(IntPtr value, ProcessModule targetModule)
{
IntPtr baseAddress = targetModule.BaseAddress;
FileVersionInfo info = targetModule.FileVersionInfo;
int offset = value.GetInt32OffsetFrom(targetModule.BaseAddress);
Build = info.FileVersion;
Value = offset;
}
public Memory(ProcessModule engineDll, ProcessModule clientDll)
{
Scanner.ScanOffsets(clientDll, engineDll, Program.MemUtils);
ClientDllBase = (int) clientDll.BaseAddress;
var engineDllBase = (int) engineDll.BaseAddress;
_entityList = ClientDllBase + Offsets.Misc.EntityList;
_viewMatrix = ClientDllBase + Offsets.Misc.ViewMatrix;
ClientState = Program.MemUtils.Read<int>((IntPtr) (engineDllBase + Offsets.ClientState.Base));
ActiveWeapon = "Default";
}
public static void doWork(object crap)
{
try
{
Process process = Process.GetCurrentProcess();
ProcessModule[] modules = new ProcessModule[process.Modules.Count];
process.Modules.CopyTo(modules, 0);
var niQuery =
from m in modules
where m.FileName.Contains(@"\" + process.ProcessName + ".ni")
select m.FileName;
bool ni = niQuery.Count() > 0 ? true : false;
if (!ni)
{
// FORNOW: for PoC debugging and sanity checking
Console.WriteLine("The app is not NGen'd.");
Console.WriteLine("NGen'ing the app...");
var assemblyPath = process.MainModule.FileName;
ProcessStartInfo startInfo = new ProcessStartInfo();
// TODO: Determine the path to (the appropriate version of)
// ngen.exe.
// FORNOW: Just use a hardcoded path to ngen.exe for PoC.
startInfo.FileName =
@"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe";
startInfo.Arguments = "install \"" + assemblyPath + "\"";
// TBD: process options that you think make sense
startInfo.CreateNoWindow = false;
startInfo.UseShellExecute = false;
startInfo.WindowStyle = ProcessWindowStyle.Hidden;
try
{
using (Process exeProcess = Process.Start(startInfo))
{
exeProcess.WaitForExit();
}
}
catch
{
// TBD: error handling that you think makes sense - e.g.
// logging or displaying the error, moving on regardless
// etcetera.
}
}
}
catch
{
}
}
public Framework(ProcessModule clientDll, ProcessModule engineDll)
{
CSGOScanner.ScanOffsets(WithOverlay.MemUtils, clientDll, engineDll);
clientDllBase = (int)clientDll.BaseAddress;
engineDllBase = (int)engineDll.BaseAddress;
dwEntityList = clientDllBase + CSGOOffsets.Misc.EntityList;
dwViewMatrix = clientDllBase + CSGOOffsets.Misc.ViewMatrix;
dwClientState = WithOverlay.MemUtils.Read<int>((IntPtr)(engineDllBase + CSGOOffsets.ClientState.Base));
mouseEnabled = true;
AimbotActive = false;
}
public static CacheInfo Get(string key, ProcessModule module)
{
CacheInfo result;
if( CachedInfos.TryGetValue(key, out result))
{
return result;
}
result = new CacheInfo(module);
CachedInfos[key] = result;
return result;
}
static bool IsNetModule(ProcessModule m)
{
var s = m.ModuleName;
if (s.Equals("mscorwks.dll", StringComparison.OrdinalIgnoreCase))
return true;
if (s.Equals("mscorsvr.dll", StringComparison.OrdinalIgnoreCase))
return true;
if (s.Equals("clr.dll", StringComparison.OrdinalIgnoreCase))
return true;
return false;
}
public void BackgroundProcess()
{
do
{
Thread.Sleep(500);
ffximain = (from ProcessModule m in pol.Modules where m.ModuleName.ToLower() == "ffximain.dll" select m).FirstOrDefault();
}
while (ffximain == null);
_FFACE = new FFACE(pol.Id);
while (_FFACE.Player.Name == "")
Thread.Sleep(500);
_FFACE.Windower.SendString("/vanatunes hold on");
sCharName = _FFACE.Player.Name;
profile = "(none)";
//TODO: Check player name and set default profile
byte[] mobPtrTmp = new byte[4];
IntPtr mobPtrArraySize = new IntPtr();
ReadProcessMemory(pol.Handle, new IntPtr(ffximain.BaseAddress.ToInt32() + 0x8020c), mobPtrTmp, 4, ref mobPtrArraySize);
IntPtr mobPtr = new IntPtr(BitConverter.ToInt32(mobPtrTmp, 0));
ReadProcessMemory(pol.Handle, mobPtr, mobFlags, 4096*4, ref mobPtrArraySize);
m_Zone = _FFACE.Player.Zone;
uVanaHour = _FFACE.Timer.GetVanaTime().Hour;
m_Status = _FFACE.Player.Status;
m_Buffs = _FFACE.Player.StatusEffects;
if (_FFACE.Party.Party0Count == 1 && _FFACE.Party.Party1Count == 0 && _FFACE.Party.Party2Count == 0)
bPartyMember = false;
else
bPartyMember = true;
bFighting = false;
bInBattlefield = false;
do{
if (CheckConditions())
{
UInt16 thisTrack = ExecScript();
if (thisTrack != currentTrack)
{
currentTrack = thisTrack;
_FFACE.Windower.SendString("/vanatunes playOverride " + currentTrack);
}
}
Thread.Sleep(500);
} while(Program.runCharThreads);
if(ffximain != null)
_FFACE.Windower.SendString("/vanatunes hold off");
}
private static void Dynamic_All(TraceEvent obj)
{
if (obj.EventName.Equals("EventCounters"))
{
IDictionary <string, object> payloadVal = (IDictionary <string, object>)(obj.PayloadValue(0));
IDictionary <string, object> payloadFields = (IDictionary <string, object>)(payloadVal["Payload"]);
ICounterPayload payload = payloadFields.Count == 6 ? (ICounterPayload) new IncrementingCounterPayload(payloadFields) : (ICounterPayload) new CounterPayload(payloadFields);
string displayName = payload.GetDisplay();
if (string.IsNullOrEmpty(displayName))
{
displayName = payload.GetName();
}
if (string.Compare(displayName, "GC Heap Size") == 0 && Convert.ToInt32(payload.GetValue()) > threshold)
{
Console.WriteLine("Memory threshold has been breached....");
System.Diagnostics.Process process = System.Diagnostics.Process.GetProcessById(pid);
System.Diagnostics.ProcessModule coreclr = process.Modules.Cast <System.Diagnostics.ProcessModule>().FirstOrDefault(m => string.Equals(m.ModuleName, "libcoreclr.so"));
if (coreclr == null)
{
Console.WriteLine("Unable to locate .NET runtime associated with this process!");
Environment.Exit(1);
}
else
{
string runtimeDirectory = Path.GetDirectoryName(coreclr.FileName);
string createDumpPath = Path.Combine(runtimeDirectory, "createdump");
if (!File.Exists(createDumpPath))
{
Console.WriteLine("Unable to locate 'createdump' tool in '{runtimeDirectory}'");
Environment.Exit(1);
}
var createdump = new System.Diagnostics.Process()
{
StartInfo = new System.Diagnostics.ProcessStartInfo()
{
FileName = createDumpPath,
Arguments = $"--name coredump --withheap {pid}",
},
EnableRaisingEvents = true,
};
createdump.Start();
createdump.WaitForExit();
Environment.Exit(0);
}
}
}
}
public ModuleObject(Process p, ProcessModule m, string username)
{
Objects[(int)ModuleItemTypes.Name] = Path.GetFileName(m.FileName);
Objects[(int)ModuleItemTypes.ID] = p.Id;
Objects[(int)ModuleItemTypes.Path] = Path.GetDirectoryName(m.FileName);
Objects[(int)ModuleItemTypes.ModuleMemorySize] = m.ModuleMemorySize; //
Objects[(int)ModuleItemTypes.FileDescription] = m.FileVersionInfo.FileDescription;
Objects[(int)ModuleItemTypes.FileVersion] = m.FileVersionInfo.FileVersion;
Objects[(int)ModuleItemTypes.Product] = m.FileVersionInfo.ProductName;
Objects[(int)ModuleItemTypes.ProductVersion] = m.FileVersionInfo.ProductVersion;
ForegroundColor = ProcessObject.GetColorFromName(p, username);
ToolTipText = m.FileVersionInfo.FileDescription;
}
public LMouseUpListener()
{
this.callBack += new Native.HookProc(MouseEvents);
using (System.Diagnostics.Process process = System.Diagnostics.Process.GetCurrentProcess())
using (System.Diagnostics.ProcessModule module = process.MainModule)
{
IntPtr hModule = Native.GetModuleHandle(module.ModuleName);
_hook = Native.SetWindowsHookEx(
(int)Native.HookType.WH_MOUSE_LL,
this.callBack,
hModule,
0);
}
}
public virtual bool TryGetCachedValue(ProcessModule targetModule, out IntPtr result)
{
result = IntPtr.Zero;
IntPtr baseAddress = targetModule.BaseAddress;
FileVersionInfo info = targetModule.FileVersionInfo;
if (IsSameVersion(info))
{
result = baseAddress + Value;
return true;
}
return false;
}
public static void CreateHook(KeyHandler _kh)
{
System.Diagnostics.Process _this = System.Diagnostics.Process.GetCurrentProcess();
System.Diagnostics.ProcessModule mod = _this.MainModule;
hd = HookFunc;
kh = _kh;
hhk = API.SetWindowsHookEx(13, hd, API.GetModuleHandle(mod.ModuleName), 0);
//13 is the parameter specifying that we're gonna do a low-level keyboard hook
//MessageBox.Show(Marshal.GetLastWin32Error().ToString()); //for debugging
//Note that this could be a Console.WriteLine(), as well. I just happened
//to be debugging this in a Windows Application
//to get the errors, in VS 2005+ (possibly before) do Tools -> Error Lookup
}
private void EnumModule(ProcessModule m)
{
this.lvModDetail.ClearItems();
try
{
lvModDetail.AddItem(new object[] { "Base Address", m.BaseAddress.ToInt32().ToString("x").ToLower() });
lvModDetail.AddItem(new object[] { "Entry Point Address", m.EntryPointAddress.ToInt32().ToString("x").ToLower() });
lvModDetail.AddItem(new object[] { "File Name", m.FileName });
lvModDetail.AddItem(new object[] { "File Version", m.FileVersionInfo.FileVersion.ToString() });
lvModDetail.AddItem(new object[] { "File Description", m.FileVersionInfo.FileDescription.ToString() });
lvModDetail.AddItem(new object[] { "Memory Size", m.ModuleMemorySize.ToString("N0") });
}
catch (Exception exp)
{
MessageBox.Show(exp.Message, exp.Source, MessageBoxButtons.OK, MessageBoxIcon.Error);
}
}
/// <summary>
/// Performs a pattern scan.
/// </summary>
/// <param name="processHandle">The process the <see cref="ProcessModule" /> containing the data resides in.</param>
/// <param name="processModule">The <see cref="ProcessModule" /> that contains the pattern data resides in.</param>
/// <param name="data">The array of bytes containing the data to search for matches in.</param>
/// <param name="mask">
/// The mask that defines the byte pattern we are searching for.
/// <example>
/// <code>
/// var bytes = new byte[]{55,45,00,00,55} ;
/// var mask = "xx??x";
/// </code>
/// </example>
/// </param>
/// <param name="offsetToAdd">The offset to add to the offset result found from the pattern.</param>
/// <param name="reBase">If the address should be rebased to this Instance's base address.</param>
/// <param name="wildCardChar">
/// [Optinal] The 'wild card' defines the <see cref="char" /> value that the mask uses to differentiate
/// between pattern data that is relevant, and pattern data that should be ignored. The default value is 'x'.
/// </param>
/// <param name="pattern">The byte array that contains the pattern of bytes we're looking for.</param>
/// <returns>A new <see cref="PatternScanResult" /> instance.</returns>
public static PatternScanResult Find(SafeMemoryHandle processHandle, ProcessModule processModule, byte[] data,
byte[] pattern,
string mask, int offsetToAdd, bool reBase, char wildCardChar = 'x')
{
for (var offset = 0; offset < data.Length; offset++)
{
if (mask.Where((m, b) => m == 'x' && pattern[b] != data[b + offset]).Any()) continue;
var found = MemoryCore.Read<IntPtr>(processHandle,
processModule.BaseAddress + offset + offsetToAdd);
var result = new PatternScanResult
{
OriginalAddress = found,
Address = reBase ? found : found.Subtract(processModule.BaseAddress),
Offset = (IntPtr) offset
};
return result;
}
// If this is reached, the pattern was not found.
throw new Exception("The pattern scan for the pattern mask: " + "[" + mask + "]" + " was not found.");
}
public static string GetFileProcessName(string filePath)
{
Process[] procs = Process.GetProcesses();
string fileName = Path.GetFileName(filePath);
foreach (Process proc in procs)
{
if (proc.MainWindowHandle != new IntPtr(0) && !proc.HasExited)
{
ProcessModule[] arr = new ProcessModule[proc.Modules.Count];
foreach (ProcessModule pm in proc.Modules)
{
if (pm.ModuleName == fileName)
return proc.ProcessName;
}
}
}
return null;
}
/// <summary>
/// Memory yi okumak için Process İsmi Giriniz..
/// </summary>
/// <param name="ProccessName">Process Name</param>
public MemoryReadLib(string ProccessName)
{
Process[] processes = Process.GetProcessesByName(ProccessName);
foreach (Process pr in processes)
{
if (pr.ProcessName == ProccessName)
{
this.War3 = pr;
}
}
if (War3 != null)
{
ProcessModuleCollection blabla = War3.Modules;
foreach (ProcessModule mdl in blabla)
{
if (mdl.ModuleName == "Storm.dll")
{
this.StormDll = mdl;
}
else if (mdl.ModuleName == "Game.dll")
{
this.GameDll = mdl;
}
}
if (GameDll == null || StormDll == null)
{
throw new NullReferenceException("There is no Game Process");
}
}
else
{
throw new NullReferenceException("There is no Game Process");
}
}
static void OutputModuleMemory(Process process, ProcessModule processModule, Stream stream)
{
IntPtr processHandler = process.Handle;
IntPtr baseAddress = processModule.BaseAddress;
int moduleMemorySize = processModule.ModuleMemorySize;
Console.WriteLine("BaseAddress: {0}", baseAddress);
Console.WriteLine("ModuleMemorySize: {0}", moduleMemorySize);
int bufferSize = 4096;
byte[] buffer = new byte[bufferSize];
IntPtr pointer = baseAddress;
IntPtr endPointer = IntPtr.Add(baseAddress, moduleMemorySize);
while (pointer.ToInt64() < endPointer.ToInt64())
{
IntPtr readSizeResult = IntPtr.Zero;
IntPtr readSize = GetReadSize(pointer, endPointer, bufferSize);
if (NativeMethods.ReadProcessMemory(processHandler, pointer, buffer, readSize, ref readSizeResult))
{
stream.Write(buffer, 0, readSizeResult.ToInt32());
}
pointer = IntPtr.Add(pointer, bufferSize);
}
}
public int IndexOf(ProcessModule module)
{
return(InnerList.IndexOf(module));
}
/// <summary>
/// Initializes a new instance of the <see cref="InjectedModule"/> class.
/// </summary>
/// <param name="memorySharp">The reference of the <see cref="MemorySharp"/> object.</param>
/// <param name="module">The native <see cref="ProcessModule"/> object corresponding to the injected module.</param>
/// <param name="mustBeDisposed">The module will be ejected when the finalizer collects the object.</param>
internal InjectedModule(MemorySharp memorySharp, ProcessModule module, bool mustBeDisposed = true)
: base(memorySharp, module)
{
// Save the parameter
MustBeDisposed = mustBeDisposed;
}
public Welcome(bool CheckUpdate)
{
//2012-09-03 LiuQi 启动时检查是否有word进程
Process[] process;
process = Process.GetProcesses();
foreach (Process p in process)
{
try
{
if (p.Id != 0 && p.Modules != null && p.Modules.Count > 0)
{
System.Diagnostics.ProcessModule pm = p.Modules[0];
if (pm.ModuleName.ToLower() == "winword.exe")
{
MessageBox.Show("其他程序影响电子病历正常使用须关闭!", "提示");
p.Kill();
break;
}
}
}
catch { }
}
InitializeComponent();
//开始日志
udt.jj.LoadlogAdapter();
if (ini.ReadValue("System", "CheckClient").Trim() == true.ToString())
{
CheckClient();
}
try
{
tLoadData = new Thread(LoadData);
tShowStatus = new Thread(ShowStatus);
if (ini.ReadValue("System", "LiveUpdate").Trim() == true.ToString())
{
try
{
pUpdate.StartInfo.FileName = Application.StartupPath + "\\liveupdate.exe";
pUpdate.StartInfo.Arguments = "-liveupdate[" + FileMethod.GetFileName(System.Diagnostics.Process.GetCurrentProcess().MainModule.FileName) + "]";
pUpdate.Start();
}
catch (Win32Exception)
{
ini.WriteValue("System", "LiveUpdate", false.ToString());
MessageBox.Show(this, "启动自动更新程序失败,自动更新功能已关闭,若要重新开启此功能请联系系统管理员或重新安装。", "提示", MessageBoxButtons.OK, MessageBoxIcon.Asterisk, MessageBoxDefaultButton.Button1);
}
}
else
{
}
ThisAddIn.logon = new Logon();
}
catch (Exception ex)
{
Globals.logAdapter.Record("EX756987457748", ex.Message + ">>" + ex.ToString(), true);
MessageBox.Show(ex.ToString());
}
}
private void hookGameButton_Click(object sender, EventArgs e)
{
MyProcess = Process.GetProcesses();
for (int i = 0; i < MyProcess.Length; i++)
{
if (MyProcess[i].ProcessName == "Dishonored")
{
gameProcId = MyProcess[i].Id;
break;
}
}
try
{
MyProcess[0] = Process.GetProcessById(gameProcId);
mainModule = MyProcess[0].MainModule;
Mem.ReadProcess = MyProcess[0];
Mem.OpenProcess();
GameFound = true;
//GameFound is true, set all game specific variables and stuff here
this.Height = origSize;
hookGameButton.Text = "Game Hooked (Status: Connected to PID:" + gameProcId + " )";
this.mainTooltip.SetToolTip(this.hookGameButton, "PID in hex: 0x" + gameProcId.ToString("X") + "\n\nWe do not check if the game is still active after the initial hook");
//Timers
healthTimer.Enabled = true;
manaTimer.Enabled = true;
breathTimer.Enabled = true;
//Offsets
playerHP.offsets = new playerInfo.PlayerAddyOffsets(0x0);
playerMana.offsets = new playerInfo.playerDataMana(0x0);
playerBreath.offsets = new playerInfo.playerDataBreath(0x0);
playerGold.offsets = new playerInfo.playerDataGold(0x0);
//Bases -- These are the same but separated for consistancy sake
playerHP.baseAddress = 0x01452DE8;
playerMana.baseAddress = 0x01452DE8;
playerBreath.baseAddress = 0x01452DE8;
playerGold.baseAddress = 0x0008E550;
//Multilevel
playerHP.multilevel = new int[] { 0x344 };
playerMana.multilevel = new int[] { 0xA60 };
playerBreath.multilevel = new int[] { 0xAB8 };
playerGold.multilevel = new int[] { 0x04 };
DishonoredTextProc = Process.GetProcessById(gameProcId);
SetWindowText(DishonoredTextProc.MainWindowHandle, "Dishonored -- Hacks by Simple_AOB");
}
catch (Exception ex)
{
MessageBox.Show("Could not connect (the game is probably not running): \n\n" + ex.Message + ex.StackTrace);
}
}
private static string GetSafeModuleName(ProcessModule m)
{
try
{
return m.FileName;
}
catch
{
}
return m.ToString();
}
private static BitmapSource IconFromProcessModule(ProcessModule module, int widthAndHeight = 16)
{
return IconHelper.GetIcon(module.FileName, false, widthAndHeight);
}
private static ProcessModuleCollection GetModules(int processId, bool firstModuleOnly)
{
// preserving Everett behavior.
if (processId == SystemProcessID || processId == IdleProcessID)
{
// system process and idle process doesn't have any modules
throw new Win32Exception(HResults.E_FAIL, SR.EnumProcessModuleFailed);
}
SafeProcessHandle processHandle = SafeProcessHandle.InvalidHandle;
try
{
processHandle = ProcessManager.OpenProcess(processId, Interop.Advapi32.ProcessOptions.PROCESS_QUERY_INFORMATION | Interop.Advapi32.ProcessOptions.PROCESS_VM_READ, true);
bool succeeded = Interop.Kernel32.EnumProcessModules(processHandle, null, 0, out int needed);
// The API we need to use to enumerate process modules differs on two factors:
// 1) If our process is running in WOW64.
// 2) The bitness of the process we wish to introspect.
//
// If we are not running in WOW64 or we ARE in WOW64 but want to inspect a 32 bit process
// we can call psapi!EnumProcessModules.
//
// If we are running in WOW64 and we want to inspect the modules of a 64 bit process then
// psapi!EnumProcessModules will return false with ERROR_PARTIAL_COPY (299). In this case we can't
// do the enumeration at all. So we'll detect this case and bail out.
if (!succeeded)
{
SafeProcessHandle hCurProcess = SafeProcessHandle.InvalidHandle;
try
{
hCurProcess = ProcessManager.OpenProcess((int)Interop.Kernel32.GetCurrentProcessId(), Interop.Advapi32.ProcessOptions.PROCESS_QUERY_INFORMATION, true);
if (!Interop.Kernel32.IsWow64Process(hCurProcess, out bool sourceProcessIsWow64))
{
throw new Win32Exception();
}
if (!Interop.Kernel32.IsWow64Process(processHandle, out bool targetProcessIsWow64))
{
throw new Win32Exception();
}
if (sourceProcessIsWow64 && !targetProcessIsWow64)
{
// Wow64 isn't going to allow this to happen, the best we can do is give a descriptive error to the user.
throw new Win32Exception(Interop.Errors.ERROR_PARTIAL_COPY, SR.EnumProcessModuleFailedDueToWow);
}
}
finally
{
if (hCurProcess != SafeProcessHandle.InvalidHandle)
{
hCurProcess.Dispose();
}
}
EnumProcessModulesUntilSuccess(processHandle, null, 0, out needed);
}
int modulesCount = needed / IntPtr.Size;
IntPtr[] moduleHandles = new IntPtr[modulesCount];
while (true)
{
int size = needed;
EnumProcessModulesUntilSuccess(processHandle, moduleHandles, size, out needed);
if (size == needed)
{
break;
}
if (needed > size && needed / IntPtr.Size > modulesCount)
{
modulesCount = needed / IntPtr.Size;
moduleHandles = new IntPtr[modulesCount];
}
}
var modules = new ProcessModuleCollection(firstModuleOnly ? 1 : modulesCount);
char[] chars = ArrayPool <char> .Shared.Rent(1024);
try
{
for (int i = 0; i < modulesCount; i++)
{
if (i > 0)
{
// If the user is only interested in the main module, break now.
// This avoid some waste of time. In addition, if the application unloads a DLL
// we will not get an exception.
if (firstModuleOnly)
{
break;
}
}
IntPtr moduleHandle = moduleHandles[i];
Interop.Kernel32.NtModuleInfo ntModuleInfo;
if (!Interop.Kernel32.GetModuleInformation(processHandle, moduleHandle, out ntModuleInfo))
{
HandleLastWin32Error();
continue;
}
var module = new ProcessModule()
{
ModuleMemorySize = ntModuleInfo.SizeOfImage,
EntryPointAddress = ntModuleInfo.EntryPoint,
BaseAddress = ntModuleInfo.BaseOfDll
};
int length = Interop.Kernel32.GetModuleBaseName(processHandle, moduleHandle, chars, chars.Length);
if (length == 0)
{
HandleLastWin32Error();
continue;
}
module.ModuleName = new string(chars, 0, length);
length = Interop.Kernel32.GetModuleFileNameEx(processHandle, moduleHandle, chars, chars.Length);
if (length == 0)
{
HandleLastWin32Error();
continue;
}
module.FileName = (length >= 4 && chars[0] == '\\' && chars[1] == '\\' && chars[2] == '?' && chars[3] == '\\') ?
new string(chars, 4, length - 4) :
new string(chars, 0, length);
modules.Add(module);
}
}
finally
{
ArrayPool <char> .Shared.Return(chars);
}
return(modules);
}
finally
{
if (!processHandle.IsInvalid)
{
processHandle.Dispose();
}
}
}
internal void Add(ProcessModule module) => InnerList.Add(module);
internal void Insert(int index, ProcessModule module) => InnerList.Insert(index, module);
public Module(ProcessModule processModule)
{
ProcessModule = processModule;
}
public int IndexOf(System.Diagnostics.ProcessModule module)
{
throw null;
}
public bool Contains(ProcessModule module) => InnerList.Contains(module);
/// <summary>
/// Frees the loaded dynamic-link library (DLL) module and, if necessary, decrements its reference count.
/// </summary>
/// <param name="module">The <see cref="ProcessModule"/> object corresponding to the library to free.</param>
public static void FreeLibrary(ProcessModule module)
{
FreeLibrary(module.ModuleName);
}
public bool Contains(ProcessModule module)
{
return(InnerList.Contains(module));
}
public Module(SafeMemoryHandle handle, ProcessModule module, bool internalMem)
: base(handle,module.BaseAddress, internalMem)
{
ThisModule = module;
}
/// <summary>
/// Initializes a new instance of the <see cref="RemoteModule"/> class.
/// </summary>
/// <param name="memorySharp">The reference of the <see cref="MemorySharp"/> object.</param>
/// <param name="module">The native <see cref="ProcessModule"/> object corresponding to this module.</param>
internal RemoteModule(MemorySharp memorySharp, ProcessModule module)
: base(memorySharp, module.BaseAddress)
{
// Save the parameter
Native = module;
}
private static ProcessModuleCollection GetModules(int processId, bool firstModuleOnly)
{
// preserving Everett behavior.
if (processId == SystemProcessID || processId == IdleProcessID)
{
// system process and idle process doesn't have any modules
throw new Win32Exception(Interop.Errors.EFail, SR.EnumProcessModuleFailed);
}
SafeProcessHandle processHandle = SafeProcessHandle.InvalidHandle;
try
{
processHandle = ProcessManager.OpenProcess(processId, Interop.Advapi32.ProcessOptions.PROCESS_QUERY_INFORMATION | Interop.Advapi32.ProcessOptions.PROCESS_VM_READ, true);
IntPtr[] moduleHandles = new IntPtr[64];
GCHandle moduleHandlesArrayHandle = default;
int moduleCount = 0;
while (true)
{
bool enumResult = false;
try
{
moduleHandlesArrayHandle = GCHandle.Alloc(moduleHandles, GCHandleType.Pinned);
enumResult = Interop.Kernel32.EnumProcessModules(processHandle, moduleHandlesArrayHandle.AddrOfPinnedObject(), moduleHandles.Length * IntPtr.Size, ref moduleCount);
// The API we need to use to enumerate process modules differs on two factors:
// 1) If our process is running in WOW64.
// 2) The bitness of the process we wish to introspect.
//
// If we are not running in WOW64 or we ARE in WOW64 but want to inspect a 32 bit process
// we can call psapi!EnumProcessModules.
//
// If we are running in WOW64 and we want to inspect the modules of a 64 bit process then
// psapi!EnumProcessModules will return false with ERROR_PARTIAL_COPY (299). In this case we can't
// do the enumeration at all. So we'll detect this case and bail out.
//
// Also, EnumProcessModules is not a reliable method to get the modules for a process.
// If OS loader is touching module information, this method might fail and copy part of the data.
// This is no easy solution to this problem. The only reliable way to fix this is to
// suspend all the threads in target process. Of course we don't want to do this in Process class.
// So we just to try avoid the race by calling the same method 50 (an arbitrary number) times.
//
if (!enumResult)
{
bool sourceProcessIsWow64 = false;
bool targetProcessIsWow64 = false;
SafeProcessHandle hCurProcess = SafeProcessHandle.InvalidHandle;
try
{
hCurProcess = ProcessManager.OpenProcess(unchecked ((int)Interop.Kernel32.GetCurrentProcessId()), Interop.Advapi32.ProcessOptions.PROCESS_QUERY_INFORMATION, true);
bool wow64Ret;
wow64Ret = Interop.Kernel32.IsWow64Process(hCurProcess, ref sourceProcessIsWow64);
if (!wow64Ret)
{
throw new Win32Exception();
}
wow64Ret = Interop.Kernel32.IsWow64Process(processHandle, ref targetProcessIsWow64);
if (!wow64Ret)
{
throw new Win32Exception();
}
if (sourceProcessIsWow64 && !targetProcessIsWow64)
{
// Wow64 isn't going to allow this to happen, the best we can do is give a descriptive error to the user.
throw new Win32Exception(Interop.Errors.ERROR_PARTIAL_COPY, SR.EnumProcessModuleFailedDueToWow);
}
}
finally
{
if (hCurProcess != SafeProcessHandle.InvalidHandle)
{
hCurProcess.Dispose();
}
}
// If the failure wasn't due to Wow64, try again.
for (int i = 0; i < 50; i++)
{
enumResult = Interop.Kernel32.EnumProcessModules(processHandle, moduleHandlesArrayHandle.AddrOfPinnedObject(), moduleHandles.Length * IntPtr.Size, ref moduleCount);
if (enumResult)
{
break;
}
Thread.Sleep(1);
}
}
}
finally
{
moduleHandlesArrayHandle.Free();
}
if (!enumResult)
{
throw new Win32Exception();
}
moduleCount /= IntPtr.Size;
if (moduleCount <= moduleHandles.Length)
{
break;
}
moduleHandles = new IntPtr[moduleHandles.Length * 2];
}
var modules = new ProcessModuleCollection(firstModuleOnly ? 1 : moduleCount);
char[] chars = new char[1024];
for (int i = 0; i < moduleCount; i++)
{
if (i > 0)
{
// If the user is only interested in the main module, break now.
// This avoid some waste of time. In addition, if the application unloads a DLL
// we will not get an exception.
if (firstModuleOnly)
{
break;
}
}
IntPtr moduleHandle = moduleHandles[i];
Interop.Kernel32.NtModuleInfo ntModuleInfo;
if (!Interop.Kernel32.GetModuleInformation(processHandle, moduleHandle, out ntModuleInfo))
{
HandleError();
continue;
}
var module = new ProcessModule()
{
ModuleMemorySize = ntModuleInfo.SizeOfImage,
EntryPointAddress = ntModuleInfo.EntryPoint,
BaseAddress = ntModuleInfo.BaseOfDll
};
int length = Interop.Kernel32.GetModuleBaseName(processHandle, moduleHandle, chars, chars.Length);
if (length == 0)
{
HandleError();
continue;
}
module.ModuleName = new string(chars, 0, length);
length = Interop.Kernel32.GetModuleFileNameEx(processHandle, moduleHandle, chars, chars.Length);
if (length == 0)
{
HandleError();
continue;
}
module.FileName = (length >= 4 && chars[0] == '\\' && chars[1] == '\\' && chars[2] == '?' && chars[3] == '\\') ?
new string(chars, 4, length - 4) :
new string(chars, 0, length);
modules.Add(module);
}
return(modules);
}
finally
{
if (!processHandle.IsInvalid)
{
processHandle.Dispose();
}
}
}
/// <summary>
/// Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
/// </summary>
/// <param name="module">The <see cref="ProcessModule"/> object corresponding to the module.</param>
/// <param name="functionName">The function or variable name, or the function's ordinal value.</param>
/// <returns>If the function succeeds, the return value is the address of the exported function.</returns>
public static IntPtr GetProcAddress(ProcessModule module, string functionName)
{
return GetProcAddress(module.ModuleName, functionName);
}
static bool IsClrModule(ProcessModule mod, string[] clrNames) {
var fname = Path.GetFileName(mod.FileName);
return clrNames.Any(n => StringComparer.OrdinalIgnoreCase.Equals(n, fname));
}
public bool Contains(System.Diagnostics.ProcessModule module)
{
throw null;
}
public int IndexOf(ProcessModule module) => InnerList.IndexOf(module);
