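 /// <summary>
 /// Dumps the PE image mapped at <paramref name="address"/> in <paramref name="process"/> and
 /// returns it in file layout when it is a loadable .NET module, otherwise <c>null</c>.
 /// </summary>
 /// <param name="process">Process whose memory is read.</param>
 /// <param name="address">Base address of the mapped image inside <paramref name="process"/>.</param>
 /// <param name="imageLayout">Layout the image is believed to have in memory; passed by reference to <see cref="PEImageDumper.Dump"/>, which may adjust it.</param>
 /// <param name="fileName">
 /// Suggested output name: the image's original file name reduced to a bare file name with invalid
 /// characters removed, or the hex base address when no usable name is available. <c>null</c> on failure.
 /// </param>
 /// <returns>The dumped image in file layout, or <c>null</c> when it is not a .NET module or dumping failed.</returns>
 private static byte[] DumpDotNetModule(NativeProcess process, void *address, ImageLayout imageLayout, out string fileName)
 {
     try
     {
         byte[] data = PEImageDumper.Dump(process, address, ref imageLayout);
         data = PEImageDumper.ConvertImageLayout(data, imageLayout, ImageLayout.File);
         bool isDotNet;
         // Constructing PEImage validates the headers; an invalid PE throws and lands in the outer catch.
         using (var peImage = new PEImage(data, true))
         {
             // The original file name is read from the target process's own PE resources, so it is
             // untrusted: keep only a bare file name so a crafted value cannot steer the caller's output path.
             fileName = ToSafeFileName(peImage.GetOriginalFilename()) ?? FormatAddress(address);
             // Data directory 14 is the CLR runtime header; a non-zero RVA marks a .NET image.
             isDotNet = peImage.ImageNTHeaders.OptionalHeader.DataDirectories[14].VirtualAddress != 0;
             if (isDotNet)
             {
                 // Second check: the image must actually load as a .NET module, not merely carry a CLR directory.
                 try
                 {
                     using (ModuleDefMD.Load(peImage))
                     {
                     }
                 }
                 catch
                 {
                     isDotNet = false;
                 }
             }
         }
         return isDotNet ? data : null;
     }
     catch
     {
         // Best effort by design: any read or parse failure means "not a dumpable .NET module".
         fileName = default;
         return null;
     }

     // Formats the base address as zero-padded hex, 16 digits when it does not fit in 32 bits.
     string FormatAddress(void* p) => ((IntPtr)p).ToString((ulong)p > uint.MaxValue ? "X16" : "X8");

     // Reduces an untrusted name to a bare file name; returns null when nothing usable remains.
     string ToSafeFileName(string name)
     {
         if (string.IsNullOrEmpty(name))
             return null;
         // Strip directory components on either separator, independent of the host platform.
         int cut = name.LastIndexOfAny(new[] { '\\', '/' });
         string baseName = cut >= 0 ? name.Substring(cut + 1) : name;
         char[] invalid = System.IO.Path.GetInvalidFileNameChars();
         var cleaned = new System.Text.StringBuilder(baseName.Length);
         foreach (char c in baseName)
         {
             if (Array.IndexOf(invalid, c) < 0)
                 cleaned.Append(c);
         }
         string result = cleaned.ToString().Trim();
         // "." and ".." are directory references, not file names.
         if (result.Length == 0 || result == "." || result == "..")
             return null;
         return result;
     }
 }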
 /// <summary>
 /// Guesses whether the image whose first page is <paramref name="firstPage"/> is laid out in
 /// memory layout or still in file layout.
 /// </summary>
 /// <param name="firstPage">The first page of the image as read from the target process.</param>
 /// <returns>
 /// <see cref="ImageLayout.Memory"/> when the file-layout size computed from the headers is at least
 /// the page length, otherwise <see cref="ImageLayout.File"/>. Also <see cref="ImageLayout.Memory"/>
 /// when the headers cannot be parsed.
 /// </returns>
 private static ImageLayout GetProbableImageLayout(byte[] firstPage)
 {
     try
     {
         // Size the image would occupy in file layout, derived from its headers.
         uint fileLayoutSize = PEImageDumper.GetImageSize(firstPage, ImageLayout.File);
         // Heuristic kept from the original author: a file-layout size reaching the page length is
         // taken to mean the image is mapped in memory layout, otherwise file layout. It misjudges
         // images whose file size is smaller than the smallest page size.
         bool looksMapped = fileLayoutSize >= (uint)firstPage.Length;
         return looksMapped ? ImageLayout.Memory : ImageLayout.File;
     }
     catch
     {
         // Unparseable headers: assume the memory-mapped layout.
         return ImageLayout.Memory;
     }
 }
 /// <summary>
 /// Dumps the module loaded at <paramref name="moduleHandle"/> in the attached process and writes
 /// it to <paramref name="filePath"/> in file layout.
 /// </summary>
 /// <param name="moduleHandle">Base address of the module inside the target process.</param>
 /// <param name="imageLayout">Layout the module is believed to have in memory; <see cref="PEImageDumper.Dump"/> may adjust it.</param>
 /// <param name="filePath">Destination path; an existing file is overwritten. Nothing here validates it, so callers must.</param>
 public void DumpModule(IntPtr moduleHandle, ImageLayout imageLayout, string filePath)
 {
     void* baseAddress = (void*)moduleHandle;
     byte[] rawImage = PEImageDumper.Dump(_process, baseAddress, ref imageLayout);
     // Always persist in file layout, whatever layout was found in memory.
     byte[] fileImage = PEImageDumper.ConvertImageLayout(rawImage, imageLayout, ImageLayout.File);
     File.WriteAllBytes(filePath, fileImage);
 }