我想获取系统进程加载的模块的文件名。
因此,我首先执行
System.Diagnostics.Process.EnterDebugMode();
进入调试模式并获得 SEDebugPrivilege。
但是 Module32First 函数总是失败......
我究竟做错了什么 ?
using System;
using System.Collections.Generic;
using System.Text;
using System.Runtime.InteropServices;
{
public static class Toolhelp32
{
public const uint TH32CS_SNAPHEAPLIST = 0x00000001;
public const uint TH32CS_SNAPPROCESS = 0x00000002;
public const uint TH32CS_SNAPTHREAD = 0x00000004;
public const uint TH32CS_SNAPMODULE = 0x00000008;
public const uint TH32CS_SNAPMODULE32 = 0x00000010;
public const uint TH32CS_SNAPALL = (TH32CS_SNAPHEAPLIST |
TH32CS_SNAPPROCESS |
TH32CS_SNAPTHREAD |
TH32CS_SNAPMODULE);
public const uint TH32CS_INHERIT = 0x80000000;
public const uint HF32_DEFAULT = 1;
public const uint HF32_SHARED = 2;
public const uint LF32_FIXED = 0x00000001;
public const uint LF32_FREE = 0x00000002;
public const uint LF32_MOVEABLE = 0x00000004;
public struct HEAPLIST32
{
public uint dwSize;
public uint th32ProcessID;
public uint th32HeapID;
public uint dwFlags;
}
public struct HEAPENTRY32
{
public uint dwSize;
public IntPtr hHandle;
public uint dwAddress;
public uint dwBlockSize;
public uint dwFlags;
public uint dwLockCount;
public uint dwResvd;
public uint th32ProcessID;
public uint th32HeapID;
}
public struct PROCESSENTRY32W
{
public uint dwSize;
public uint cntUsage;
public uint th32ProcessID;
public UIntPtr th32DefaultHeapID;
public uint th32ModuleID;
public uint cntThreads;
public uint th32ParentProcessID;
public int pcPriClassBase;
public uint dwFlags;
public string szExeFile;
}
public struct PROCESSENTRY32
{
public uint dwSize;
public uint cntUsage;
public uint th32ProcessID;
public uint th32DefaultHeapID;
public uint th32ModuleID;
public uint cntThreads;
public uint th32ParentProcessID;
public int pcPriClassBase;
public uint dwFlags;
public string szExeFile;
}
public struct THREADENTRY32
{
public uint dwSize;
public uint cntUsage;
public uint th32ThreadID;
public uint th32OwnerProcessID;
public int tpBasePri;
public int tpDeltaPri;
public uint dwFlags;
}
public struct MODULEENTRY32W
{
public uint dwSize;
public uint th32ModuleID;
public uint th32ProcessID;
public uint GlblcntUsage;
public uint ProccntUsage;
public IntPtr modBaseAddr;
public uint modBaseSize;
public IntPtr hModule;
[MarshalAs(UnmanagedType.ByValTStr, SizeConst = 256)]
public string szModule;
[MarshalAs(UnmanagedType.ByValTStr, SizeConst = 260)]
public string szExePath;
}
public struct MODULEENTRY32
{
public uint dwSize;
public uint th32ModuleID;
public uint th32ProcessID;
public uint GlblcntUsage;
public uint ProccntUsage;
public IntPtr modBaseAddr;
public uint modBaseSize;
public IntPtr hModule;
public string szModule;
public string szExePath;
}
[DllImport("kernel32.dll")]
public static extern IntPtr CreateToolhelp32Snapshot(uint dwFlags, uint th32ProcessID);
[DllImport("kernel32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
internal static extern bool CloseHandle(IntPtr hSnapshot);
[DllImport("kernel32.dll")]
public static extern bool Heap32ListFirst(IntPtr hSnapshot, ref HEAPLIST32 lphl);
[DllImport("kernel32.dll")]
public static extern bool Heap32ListNext(IntPtr hSnapshot, ref HEAPLIST32 lphl);
[DllImport("kernel32.dll")]
public static extern bool Heap32First(IntPtr hSnapshot, ref HEAPENTRY32 lphe,
uint th32ProcessID, uint th32HeapID);
[DllImport("kernel32.dll")]
public static extern bool Heap32Next(IntPtr hSnapshot, ref HEAPENTRY32 lphe);
[DllImport("kernel32.dll")]
public static extern bool Toolhelp32ReadProcessMemory(uint th32ProcessID,
IntPtr lpBaseAddress, IntPtr lpBuffer, uint cbRead, IntPtr lpNumberOfBytesRead);
[DllImport("kernel32.dll")]
public static extern bool Process32FirstW(IntPtr hSnapshot, ref PROCESSENTRY32W lppe);
[DllImport("kernel32.dll")]
public static extern bool Process32NextW(IntPtr hSnapshot, ref PROCESSENTRY32W lppe);
[DllImport("kernel32.dll")]
public static extern bool Process32First(IntPtr hSnapshot, ref PROCESSENTRY32 lppe);
[DllImport("kernel32.dll")]
public static extern bool Process32Next(IntPtr hSnapshot, ref PROCESSENTRY32 lppe);
[DllImport("kernel32.dll")]
public static extern bool Thread32First(IntPtr hSnapshot, ref THREADENTRY32 lpte);
[DllImport("kernel32.dll")]
public static extern bool Thread32Next(IntPtr hSnapshot, ref THREADENTRY32 lpte);
[DllImport("kernel32.dll")]
public static extern bool Module32FirstW(IntPtr hSnapshot, ref MODULEENTRY32W lpme);
[DllImport("kernel32.dll")]
public static extern bool Module32NextW(IntPtr hSnapshot, ref MODULEENTRY32W lpme);
[DllImport("kernel32.dll")]
public static extern bool Module32First(IntPtr hSnapshot, ref MODULEENTRY32W lpme);
[DllImport("kernel32.dll")]
public static extern bool Module32Next(IntPtr hSnapshot, ref MODULEENTRY32W lpme);
}
}
class GetProcessModuleFilenamesHelper
{
const int INVALID_HANDLE_VALUE = -1;
const int ERROR_BAD_LENGTH = 0x18;
[DllImport("kernel32.dll", CharSet = CharSet.Auto)]
public static extern int GetModuleFileName(HandleRef hModule, StringBuilder buffer, int length);
public static List<Toolhelp32.MODULEENTRY32W> GetProcessModuleFilenames(int ProcId)
{
List<Toolhelp32.MODULEENTRY32W> lst = new List<Toolhelp32.MODULEENTRY32W>();
IntPtr hModuleSnapshot = new IntPtr(ERROR_BAD_LENGTH);
while (hModuleSnapshot == new IntPtr(ERROR_BAD_LENGTH))
{
hModuleSnapshot = Toolhelp32.CreateToolhelp32Snapshot(Toolhelp32.TH32CS_SNAPMODULE32|Toolhelp32.TH32CS_SNAPMODULE, (uint)ProcId);
System.Windows.Forms.Application.DoEvents();
}
if (hModuleSnapshot != new IntPtr(INVALID_HANDLE_VALUE))
{
Toolhelp32.MODULEENTRY32W ModuleList = new Toolhelp32.MODULEENTRY32W();
ModuleList.dwSize = (uint)Marshal.SizeOf(ModuleList);
if (Toolhelp32.Module32First(hModuleSnapshot, ref ModuleList))
{
do
{
Toolhelp32.MODULEENTRY32W ModuleEntry = new Toolhelp32.MODULEENTRY32W();
ModuleEntry.dwSize = (uint)Marshal.SizeOf(ModuleEntry);
/*
if (Toolhelp32.Heap32First(hHeapSnapshot, ref HeapEntry, HeapList.th32ProcessID, HeapList.th32HeapID))
{
do
{
MemUsage += HeapEntry.dwBlockSize;
} while (Toolhelp32.Heap32Next(hHeapSnapshot, ref HeapEntry));
}
*/
/*
StringBuilder buffer = new StringBuilder(260);
GetModuleFileName(ModuleEntry.hModule, buffer, buffer.Capacity);
string str = Path.GetFullPath(buffer.ToString());
str=str.Substring(0, str.LastIndexOf('\\'));
*/
lst.Add(ModuleEntry);
} while (Toolhelp32.Module32Next(hModuleSnapshot, ref ModuleList));
}
int lasterr = Marshal.GetLastWin32Error();
//System.Windows.Forms.MessageBox.Show(Marshal.GetLastWin32Error().ToString());
Toolhelp32.CloseHandle(hModuleSnapshot);
}
return lst;
}
}