You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Step 1: Fetch 64-bit process modules using WMI, open modules as files
Step 2: Create separate 64-bit process using ClrMD to fetch modules
Step 3: Make separate process fetch all information (dynamic methods, threads)
Fetching modules using WMI
string[] GetProcessModules(int id)
{
List<string> res = new List<string>();
string query = "references of {win32_process.Handle="+id.ToString()+
"} WHERE ResultClass = CIM_ProcessExecutable";
using (ManagementObjectSearcher searcher = new ManagementObjectSearcher(query))
using (ManagementObjectCollection results = searcher.Get())
{
foreach (ManagementObject x in results)
{
var antecedent = new ManagementObject((string)x["Antecedent"]);
if (antecedent["Name"] == null) continue;
string name = antecedent["Name"].ToString();
res.Add(name);
}
}
return res.ToArray();
}
In .NET 3.5, every managed module has corresponding .ni.dll native module loaded via LoadLibrary. In .NET 4.0 and newer, some modules might be memory-mapped rather then loaded from native image file.
Fetching modules using ClrMD
Version 1.1.142101+
StringBuilder sb = new StringBuilder(1000);
using (DataTarget dt = DataTarget.AttachToProcess(8036, false))
{
ClrInfo ci = dt.ClrVersions[0];
ClrRuntime clr = ci.CreateRuntime();
foreach (ClrModule module in clr.EnumerateModules())
{
if (module.IsPEFile) sb.AppendLine(module.Name);
}
}
The text was updated successfully, but these errors were encountered:
Fetching modules using WMI
In .NET 3.5, every managed module has corresponding .ni.dll native module loaded via LoadLibrary. In .NET 4.0 and newer, some modules might be memory-mapped rather then loaded from native image file.
Fetching modules using ClrMD
Version 1.1.142101+
The text was updated successfully, but these errors were encountered: