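/// <summary>
/// Context-menu handler: dumps the main module of the selected process and lets the user
/// choose where to save it. The dump itself runs on the thread pool; every piece of UI work
/// (save dialog, message boxes) is marshalled back to the UI thread with <c>Invoke</c>.
/// </summary>
/// <param name="sender">Menu item that raised the event (unused).</param>
/// <param name="e">Event data (unused).</param>
private void dumpMainModuleToolStripMenuItem_Click(object sender, EventArgs e)
{
    if (!driver.HasValidHandle())
    {
        MessageBox.Show("Unable to communicate with driver ! Make sure it is loaded.", "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
        return;
    }

    // An empty selection, or a row whose Tag is not a ProcessSummary, would otherwise throw
    // from inside the event handler; there is nothing to dump in that case.
    if (processList.SelectedItems.Count == 0)
    {
        return;
    }
    ProcessSummary targetProcess = processList.SelectedItems[0].Tag as ProcessSummary;
    if (targetProcess == null)
    {
        return;
    }

    // "<name>.exe" -> "<name>_dump.exe"; the extension is matched case-insensitively so
    // names such as "FOO.EXE" are renamed as well. Other names are kept unchanged.
    string BuildDumpFileName(string processName)
    {
        const string exeExtension = ".exe";
        if (processName != null && processName.EndsWith(exeExtension, StringComparison.OrdinalIgnoreCase))
        {
            return processName.Substring(0, processName.Length - exeExtension.Length) + "_dump.exe";
        }
        return processName;
    }

    Task.Run(() =>
    {
        PEFile peFile;
        bool dumped;
        try
        {
            dumped = dumper.DumpProcess(targetProcess, out peFile);
        }
        catch (Exception ex)
        {
            // Nothing awaits this task, so a faulted Task.Run would go unobserved;
            // log the failure and fall through to the same error box as a false result.
            Logger.Log("Dump failed: {0}", ex.Message);
            dumped = false;
            peFile = default(PEFile);
        }

        if (!dumped)
        {
            Invoke(new Action(() =>
            {
                MessageBox.Show("Unable to dump target process !", "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
            }));
            return;
        }

        Invoke(new Action(() =>
        {
            using (SaveFileDialog sfd = new SaveFileDialog())
            {
                sfd.FileName = BuildDumpFileName(targetProcess.ProcessName);
                sfd.Filter = "Executable File (.exe)|*.exe";
                if (sfd.ShowDialog() == DialogResult.OK)
                {
                    peFile.SaveToDisk(sfd.FileName);
                    Logger.Log("Saved at '{0}' !", sfd.FileName);
                }
            }
        }));
    });
}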
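/// <summary>
/// Context-menu handler: opens an Explorer window on the directory that contains the
/// selected process' main module.
/// </summary>
/// <param name="sender">Menu item that raised the event (unused).</param>
/// <param name="e">Event data (unused).</param>
private void openInExplorerToolStripMenuItem_Click(object sender, EventArgs e)
{
    // Without a selection the indexer below would throw from inside the event handler.
    if (processList.SelectedItems.Count == 0)
    {
        return;
    }
    ProcessSummary targetProcess = processList.SelectedItems[0].Tag as ProcessSummary;
    if (targetProcess == null || string.IsNullOrEmpty(targetProcess.MainModuleFileName))
    {
        return;
    }

    // The module path is reported by the target process, so treat it as untrusted:
    // GetDirectoryName returns null for a root path and may throw on invalid characters.
    string directory;
    try
    {
        directory = Path.GetDirectoryName(targetProcess.MainModuleFileName);
    }
    catch (ArgumentException)
    {
        directory = null;
    }
    if (string.IsNullOrEmpty(directory))
    {
        Logger.Log("Unable to locate the main module directory of '{0}'", targetProcess.MainModuleFileName);
        return;
    }

    // Quote the argument so a directory containing spaces reaches explorer.exe as a single token.
    Process.Start("explorer.exe", "\"" + directory + "\"");
}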
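/// <summary>
/// Reads the main module of <paramref name="processSummary"/> from the target process' memory,
/// rebuilds its headers and sections, and returns the result through <paramref name="outputFile"/>.
/// </summary>
/// <param name="processSummary">Target process; its ProcessId, MainModuleBase, ProcessName and IsWOW64 are used.</param>
/// <param name="outputFile">The reconstructed image on success; <c>default(PEFile)</c> on failure.</param>
/// <returns><c>true</c> when the DOS and PE headers were accepted and every section was read; otherwise <c>false</c>.</returns>
public bool DumpProcess(ProcessSummary processSummary, out PEFile outputFile)
{
    IntPtr basePointer = (IntPtr)processSummary.MainModuleBase;
    IMAGE_DOS_HEADER dosHeader = ReadProcessStruct<IMAGE_DOS_HEADER>(processSummary.ProcessId, basePointer);
    outputFile = default(PEFile);

    Logger.SkipLine();
    Logger.Log("Targeting Process: {0} ({1})", processSummary.ProcessName, processSummary.ProcessId);

    int dosHeaderSize = Marshal.SizeOf<IMAGE_DOS_HEADER>();

    // e_lfanew is read straight out of the target's memory and is untrusted. A value smaller
    // than the DOS header would make the stub length below negative and put the PE header
    // inside the DOS header, so reject it together with an invalid DOS signature.
    if (!dosHeader.IsValid || dosHeader.e_lfanew < dosHeaderSize)
    {
        Logger.Log("Bad PE Header !");
        return false;
    }

    IntPtr peHeaderPointer = basePointer + dosHeader.e_lfanew;
    Logger.Log("PE Header Found: 0x{0:x8}", peHeaderPointer.ToInt64());

    // The DOS stub occupies the bytes between the DOS header and the PE header.
    IntPtr dosStubPointer = basePointer + dosHeaderSize;
    byte[] dosStub = ReadProcessBytes(processSummary.ProcessId, dosStubPointer, dosHeader.e_lfanew - dosHeaderSize);

    // A WOW64 process carries a 32-bit image; anything else is dumped as 64-bit.
    PEFile peFile = processSummary.IsWOW64
        ? Dump32BitPE(processSummary.ProcessId, dosHeader, dosStub, peHeaderPointer)
        : Dump64BitPE(processSummary.ProcessId, dosHeader, dosStub, peHeaderPointer);

    if (peFile == default(PEFile))
    {
        Logger.Log("Bad PE Header !");
        return false;
    }

    IntPtr sectionHeaderPointer = peHeaderPointer + peFile.GetFirstSectionHeaderOffset();
    int sectionHeaderSize = Marshal.SizeOf<IMAGE_SECTION_HEADER>();
    Logger.Log("Header is valid ({0}) !", peFile.Type);
    Logger.Log("Parsing {0} Sections...", peFile.Sections.Length);

    for (int i = 0; i < peFile.Sections.Length; i++)
    {
        IMAGE_SECTION_HEADER sectionHeader = ReadProcessStruct<IMAGE_SECTION_HEADER>(processSummary.ProcessId, sectionHeaderPointer);
        // NOTE(review): VirtualSize comes from the target unchecked; a value above int.MaxValue
        // wraps negative here — confirm ReadSectionContent tolerates that.
        peFile.Sections[i] = new PESection
        {
            Header = PESection.PESectionHeader.FromNativeStruct(sectionHeader),
            InitialSize = (int)sectionHeader.VirtualSize
        };
        // Section bytes are read from their in-memory (virtual) location, not a file offset.
        ReadSectionContent(processSummary.ProcessId, new IntPtr(basePointer.ToInt64() + sectionHeader.VirtualAddress), peFile.Sections[i]);
        sectionHeaderPointer += sectionHeaderSize;
    }

    Logger.Log("Aligning Sections...");
    peFile.AlignSectionHeaders();
    Logger.Log("Fixing PE Header...");
    peFile.FixPEHeader();
    Logger.Log("Dump Completed !");

    outputFile = peFile;
    return true;
}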