private static byte[] DumpDotNetModule(NativeModule module, ImageLayout imageLayout, out string fileName)
        {
            // Copies the module out of the target process, normalises it to file layout and keeps the bytes only
            // when the image looks managed: a CLR header is present AND dnlib can parse it. Returns null otherwise.
            // fileName: the image's original filename from its version resource, or the module handle in hex.
            // NOTE(review): fileName is taken straight from the dumped image; if callers use it as an output path
            // it may need sanitising (e.g. Path.GetFileName) — confirm what callers do with it.
            try {
                byte[] rawImage = PEImageHelper.DirectCopy(module, imageLayout);
                byte[] fileLayoutImage = PEImageHelper.ConvertImageLayout(rawImage, imageLayout, ImageLayout.File);
                bool looksManaged;
                // The second constructor argument presumably asks dnlib to verify the PE structure — TODO confirm.
                using (PEImage parsedImage = new PEImage(fileLayoutImage, true)) {
                    string originalName = parsedImage.GetOriginalFilename();
                    if (originalName is null) {
                        // Handle width decides the hex padding: handles above uint range get 16 digits, otherwise 8.
                        originalName = ((IntPtr)module.Handle).ToString((ulong)module.Handle > uint.MaxValue ? "X16" : "X8");
                    }
                    fileName = originalName;
                    // Data directory 14 is IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, i.e. the CLR header.
                    looksManaged = parsedImage.ImageNTHeaders.OptionalHeader.DataDirectories[14].VirtualAddress != 0;
                    if (looksManaged) {
                        looksManaged = CanParseAsManagedModule(parsedImage);
                    }
                }
                return looksManaged ? fileLayoutImage : null;
            }
            catch {
                // Best-effort: any failure reading or parsing the image yields "not a module" instead of an exception.
                fileName = default;
                return null;
            }

            // Second, stricter check: the image counts as managed only if dnlib accepts it as a module.
            bool CanParseAsManagedModule(PEImage image)
            {
                try {
                    using (ModuleDefMD.Load(image)) {
                    }
                    return true;
                }
                catch {
                    return false;
                }
            }
        }
        public bool DumpModule(IntPtr moduleHandle, ImageLayout imageLayout, string filePath)
        {
            // Copies the module identified by moduleHandle out of _process, converts it to file layout and writes
            // it to filePath. Returns false on any failure; the exception is deliberately not surfaced to the caller.
            try {
                var targetModule = _process.UnsafeGetModule((void *)moduleHandle);
                byte[] memoryImage = PEImageHelper.DirectCopy(targetModule, imageLayout);
                byte[] fileImage = PEImageHelper.ConvertImageLayout(memoryImage, imageLayout, ImageLayout.File);
                File.WriteAllBytes(filePath, fileImage);
                return true;
            }
            catch {
                return false;
            }
        }
        private static byte[] DumpModule(NativeModule module, ImageLayout imageLayout, MetadataInfo metadataInfo, string imagePath)
        {
            // Copies the module, repairs its .NET headers from metadataInfo and returns the image in file layout.
            // imagePath, when non-null, is forwarded to DirectCopy (presumably an on-disk copy used as reference — confirm).
            bool hasImagePath = imagePath != null;
            byte[] image = PEImageHelper.DirectCopy(module, imageLayout, hasImagePath, imagePath);
            // The fix-up routine works on memory layout, so a file-layout copy is converted first.
            if (imageLayout == ImageLayout.File)
            {
                FileLayoutToMemoryLayout(ref image, metadataInfo);
            }
            // Repair the .NET headers.
            FixDotNetHeaders(image, metadataInfo);
            // Convert back to file layout for saving.
            return PEImageHelper.ConvertImageLayout(image, ImageLayout.Memory, ImageLayout.File);
        }
        public bool DumpModule(IntPtr moduleHandle, ImageLayout imageLayout, string filePath)
        {
            // Dumps a module whose headers may have been tampered with: resolves the CLR version via the DAC,
            // injects this assembly's AntiAntiDumpService into the target, asks it for the real layout and metadata
            // locations, then copies, repairs and writes the image. Returns false at every unsupported or failed step.
            ClrModule dacModule = TryGetDacModule(moduleHandle);
            if (dacModule is null)
            {
                return false;
            }
            // Only CLR v2 and v4 hosts are supported by the injection stub.
            InjectionClrVersion clrVersion;
            int clrMajor = dacModule.Runtime.ClrInfo.Version.Major;
            if (clrMajor == 2)
            {
                clrVersion = InjectionClrVersion.V2;
            }
            else if (clrMajor == 4)
            {
                clrVersion = InjectionClrVersion.V4;
            }
            else
            {
                return false;
            }
            // Fresh GUIDs per call so each dump gets its own Remoting channel name.
            Injection.Options options = new Injection.Options {
                PortName   = Guid.NewGuid().ToString(),
                ObjectName = Guid.NewGuid().ToString()
            };
            using (NativeProcess process = NativeProcess.Open(_processId))
            {
                bool injected = process.InjectManaged(typeof(AntiAntiDumpService).Assembly.Location, typeof(Injection).FullName, "Main", options.Serialize(), clrVersion, out int injectionResult);
                if (!injected || injectionResult != 0)
                {
                    return false;
                }
            }
            // Obtain the injected service through .NET Remoting over IPC.
            // NOTE(review): Remoting IPC exchanges binary-serialised payloads and the random channel name is the only
            // thing gating who can talk to it — confirm this is acceptable for the environments the tool runs in.
            string remotingUrl = $"Ipc://{options.PortName}/{options.ObjectName}";
            AntiAntiDumpService antiAntiDumpService = (AntiAntiDumpService)Activator.GetObject(typeof(AntiAntiDumpService), remotingUrl);
            AntiAntiDumpInfo antiAntiDumpInfo = antiAntiDumpService.GetAntiAntiDumpInfo(moduleHandle);
            if (!antiAntiDumpInfo.CanAntiAntiDump)
            {
                return false;
            }
            // The layout reported from inside the process overrides the DAC-derived one; the original author
            // considers the DAC result unreliable here.
            ImageLayout effectiveLayout = (ImageLayout)antiAntiDumpInfo.ImageLayout;
            MetadataInfo metadataInfo = antiAntiDumpInfo.MetadataInfo;
            PrintStreamInfo("#~ or #-", metadataInfo.TableStream);
            PrintStreamInfo("#Strings", metadataInfo.StringHeap);
            PrintStreamInfo("#US", metadataInfo.UserStringHeap);
            PrintStreamInfo("#GUID", metadataInfo.GuidHeap);
            PrintStreamInfo("#Blob", metadataInfo.BlobHeap);
            byte[] peImageData = PEImageHelper.DirectCopy(_processId, (void *)moduleHandle, effectiveLayout);
            FixHeader(peImageData, antiAntiDumpInfo);
            peImageData = PEImageHelper.ConvertImageLayout(peImageData, effectiveLayout, ImageLayout.File);
            File.WriteAllBytes(filePath, peImageData);
            return true;
        }