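        /// <summary>
        /// Walks the by-name export table of a module loaded in another process and invokes
        /// <paramref name="callback"/> once per named export until the callback returns <c>false</c>.
        /// </summary>
        /// <param name="processHandle">Handle to the target process; must permit memory reads.</param>
        /// <param name="moduleHandle">Base address of the module inside the target process.</param>
        /// <param name="callback">Receives (function address, export name, name ordinal); return <c>false</c> to stop early.</param>
        /// <returns>
        /// <c>true</c> when the table was walked to the end, when the module exports nothing by name, or when the
        /// callback asked to stop; <c>false</c> when any read from the target process failed.
        /// </returns>
        internal static bool EnumFunctionsInternal(IntPtr processHandle, IntPtr moduleHandle, EnumFunctionsCallback callback)
        {
            int  ntHeaderOffset;
            bool is64;
            int  exportDirOffset;
            int  iedRVA;
            IMAGE_EXPORT_DIRECTORY ied;

            int[]  nameOffsets;
            string functionName;
            short  ordinal;
            int    functionIndex;
            int    addressOffset;

            // e_lfanew at DOS header offset 0x3C: distance from the module base to the NT headers.
            if (!MemoryIO.ReadInt32Internal(processHandle, moduleHandle + 0x3C, out ntHeaderOffset))
            {
                return false;
            }
            if (!Process32.Is64BitProcessInternal(processHandle, out is64))
            {
                return false;
            }
            // The export data directory entry sits at a different offset from the NT headers for
            // PE32+ (0x88) and PE32 (0x78) images because the optional header layouts differ.
            exportDirOffset = is64 ? 0x88 : 0x78;
            if (!MemoryIO.ReadInt32Internal(processHandle, moduleHandle + ntHeaderOffset + exportDirOffset, out iedRVA))
            {
                return false;
            }
            // 40 bytes is the size of IMAGE_EXPORT_DIRECTORY.
            if (!ReadProcessMemory(processHandle, moduleHandle + iedRVA, &ied, (size_t)40, null))
            {
                return false;
            }
            if (ied.NumberOfNames == 0)
            {
                // Nothing is exported by name; also prevents indexing an empty array below.
                return true;
            }
            // NOTE(review): NumberOfNames is taken verbatim from the target image and is not bounded here,
            // so a corrupted or hostile header can drive a very large allocation — confirm whether a cap is wanted.
            nameOffsets = new int[ied.NumberOfNames];
            fixed (void* p = &nameOffsets[0])
            {
                if (!ReadProcessMemory(processHandle, moduleHandle + (int)ied.AddressOfNames, p, (size_t)(ied.NumberOfNames * 4), null))
                {
                    return false;
                }
            }

            for (int i = 0; i < ied.NumberOfNames; i++)
            {
                if (!MemoryIO.ReadStringInternal(processHandle, moduleHandle + nameOffsets[i], out functionName, 40, false, Encoding.ASCII))
                {
                    return false;
                }
                if (!MemoryIO.ReadInt16Internal(processHandle, moduleHandle + ((int)ied.AddressOfNameOrdinals + i * 2), out ordinal))
                {
                    return false;
                }
                // AddressOfNameOrdinals holds unsigned 16-bit indices; widen through ushort so an ordinal
                // >= 0x8000 does not turn into a negative offset into AddressOfFunctions.
                functionIndex = (ushort)ordinal;
                if (!MemoryIO.ReadInt32Internal(processHandle, moduleHandle + ((int)ied.AddressOfFunctions + functionIndex * 4), out addressOffset))
                {
                    return false;
                }
                // The callback keeps the original signed ordinal to preserve the existing delegate contract.
                if (!callback(moduleHandle + addressOffset, functionName, ordinal))
                {
                    // Caller asked to stop; this is not a failure.
                    return true;
                }
            }

            return true;
        }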
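        /// <summary>
        /// Resolves the address of a named export inside a module loaded in another process by
        /// parsing that module's export table from the target process's memory.
        /// </summary>
        /// <param name="processHandle">Handle to the target process; must permit memory reads.</param>
        /// <param name="moduleName">Name of the module to look up via <see cref="GetHandleInternal"/>.</param>
        /// <param name="functionName">Exact (ordinal, case-sensitive) name of the export to find.</param>
        /// <returns>
        /// The function's address in the target process, or <see cref="IntPtr.Zero"/> when the module is not
        /// found, the name is not exported, or any read from the target process fails.
        /// </returns>
        internal static IntPtr GetProcAddressInternal(IntPtr processHandle, string moduleName, string functionName)
        {
            IntPtr moduleHandle;
            int    ntHeaderOffset;
            bool   is64;
            int    exportDirOffset;
            int    iedRVA;
            IMAGE_EXPORT_DIRECTORY ied;

            int[]  nameOffsets;
            string name;
            short  ordinal;
            int    functionIndex;
            int    addressOffset;

            moduleHandle = GetHandleInternal(processHandle, false, moduleName);
            if (moduleHandle == IntPtr.Zero)
            {
                return IntPtr.Zero;
            }
            // e_lfanew at DOS header offset 0x3C: distance from the module base to the NT headers.
            if (!MemoryIO.ReadInt32Internal(processHandle, moduleHandle + 0x3C, out ntHeaderOffset))
            {
                return IntPtr.Zero;
            }
            if (!Process32.Is64BitProcessInternal(processHandle, out is64))
            {
                return IntPtr.Zero;
            }
            // The export data directory entry sits at a different offset from the NT headers for
            // PE32+ (0x88) and PE32 (0x78) images because the optional header layouts differ.
            exportDirOffset = is64 ? 0x88 : 0x78;
            if (!MemoryIO.ReadInt32Internal(processHandle, moduleHandle + ntHeaderOffset + exportDirOffset, out iedRVA))
            {
                return IntPtr.Zero;
            }
            // 40 bytes is the size of IMAGE_EXPORT_DIRECTORY.
            if (!ReadProcessMemory(processHandle, moduleHandle + iedRVA, &ied, (size_t)40, null))
            {
                return IntPtr.Zero;
            }
            if (ied.NumberOfNames == 0)
            {
                // No exports by name, so nothing can match; this guard also keeps &nameOffsets[0]
                // below from throwing on an empty array.
                return IntPtr.Zero;
            }
            // NOTE(review): NumberOfNames is taken verbatim from the target image and is not bounded here,
            // so a corrupted or hostile header can drive a very large allocation — confirm whether a cap is wanted.
            nameOffsets = new int[ied.NumberOfNames];
            fixed (void* p = &nameOffsets[0])
            {
                if (!ReadProcessMemory(processHandle, moduleHandle + (int)ied.AddressOfNames, p, (size_t)(ied.NumberOfNames * 4), null))
                {
                    return IntPtr.Zero;
                }
            }

            for (int i = 0; i < ied.NumberOfNames; i++)
            {
                if (!MemoryIO.ReadStringInternal(processHandle, moduleHandle + nameOffsets[i], out name, 40, false, Encoding.ASCII))
                {
                    return IntPtr.Zero;
                }
                // string == is an ordinal comparison, which is what export names need.
                if (name != functionName)
                {
                    continue;
                }
                if (!MemoryIO.ReadInt16Internal(processHandle, moduleHandle + (int)ied.AddressOfNameOrdinals + i * 2, out ordinal))
                {
                    return IntPtr.Zero;
                }
                // AddressOfNameOrdinals holds unsigned 16-bit indices; widen through ushort so an ordinal
                // >= 0x8000 does not turn into a negative offset into AddressOfFunctions.
                functionIndex = (ushort)ordinal;
                if (!MemoryIO.ReadInt32Internal(processHandle, moduleHandle + (int)ied.AddressOfFunctions + functionIndex * 4, out addressOffset))
                {
                    return IntPtr.Zero;
                }
                return moduleHandle + addressOffset;
            }

            return IntPtr.Zero;
        }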