-
Notifications
You must be signed in to change notification settings - Fork 6
/
Copy pathModule.cs
132 lines (105 loc) · 3.06 KB
/
Module.cs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
/*
* 由SharpDevelop创建。
* 用户: Administrator
* 日期: 2010-12-22
* 时间: 12:43
*
* 要改变这种模板请点击 工具|选项|代码编写|编辑标准头文件
*/
using System;
using System.Collections.Generic;
using System.Text;
using System.Runtime.InteropServices;
namespace eflayMH_WPF
{
/// <summary>
/// Description of Module.
/// </summary>
public class Module
{
public Module()
{
}
string fullName;
public string FullName
{
get { return fullName; }
set { fullName = value; }
}
int baseAddress;
public int BaseAddress
{
get { return baseAddress; }
set { baseAddress = value; }
}
public unsafe static Module[] GetModules(IntPtr ProcessHandle)
{
int tmpbaseaddr = 0;
List<Module> ModuleList = new List<Module>();
win32.MemoryBasicInformation mbi = new win32.MemoryBasicInformation();
//win32.UNICODE_STRING usSectionName = new win32.UNICODE_STRING("");
win32.MEMORY_SECTION_NAME usSectionName = new win32.MEMORY_SECTION_NAME();
int dwStartAddr = 0x00000000;
do
{
int rt1 = 0;
if (win32.ZwQueryVirtualMemory(ProcessHandle, dwStartAddr, win32.MemoryInformationClass.MemoryBasicInformation,
&mbi, Marshal.SizeOf(mbi), out rt1) >= 0)
{
//if ((int)mbi.AllocationBase == 0)
// goto JMPNEXT;
if (mbi.lType == (int)win32.MbiType.MEM_IMAGE)
{
byte[] bt = new byte[260 * 2];
int rt = 0;
int result = win32.ZwQueryVirtualMemory(ProcessHandle, dwStartAddr,
win32.MemoryInformationClass.MemorySectionName,
out usSectionName, bt.Length,
//out usSectionName,
//Marshal.SizeOf(usSectionName),
out rt);
if (result >= 0
&& tmpbaseaddr!=(int)mbi.AllocationBase )
{
UnicodeEncoding une = new UnicodeEncoding();
string path = une.GetString(usSectionName.bt).TrimEnd('\0');
Module md = new Module();
md.baseAddress = (int)mbi.AllocationBase;
tmpbaseaddr = (int)mbi.AllocationBase;
md.fullName = win32.DeviceName2Path(path);
ModuleList.Add(md);
}
dwStartAddr += (int)mbi.RegionSize;
dwStartAddr -= ((int)mbi.RegionSize % 0x10000);
}//end of if Type == MEM_IMAGE
//JMPNEXT:
// dwStartAddr += (int)mbi.RegionSize;
// dwStartAddr -= ((int)mbi.RegionSize % 0x10000);
} // end of getmbi
dwStartAddr += 0x10000;
} while (dwStartAddr < 0x7ffeffff);
//去除重复
// int tmpbase = -1;
// Module mod;
// for (int i = 0; i < ModuleList.Count; i++)
// {
// mod = ModuleList[i];
// try
// {
// while (tmpbase == mod.baseAddress)
// {
// ModuleList.RemoveAt(i);
//
// mod = ModuleList[i];
//
// }
// }
// catch (ArgumentOutOfRangeException)
// { break; }
// tmpbase = mod.baseAddress;
//
// }
return ModuleList.ToArray();
}
}
}