
Add a way to read PE images loaded in memory.

Open KirillOsenkov opened this issue 4 years ago • 3 comments

It is useful when inspecting modules loaded into a live process or reading process dump files.

On disk, RVAs must be mapped to stream contents using section header mapping information. In memory, RVAs can be used as direct offsets into the stream.

KirillOsenkov avatar Apr 27 '20 02:04 KirillOsenkov
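
The mapping difference described in the issue above, as an added Python example (not Cecil code and not taken from the linked gist): the same RVA is resolved through the section table for a file-layout stream and used directly for a memory-layout stream. All function names and the one-section sample image are constructed for illustration, and RVAs that fall inside the headers are not resolved.

```python
import struct
from typing import List, Optional, Tuple

Section = Tuple[int, int, int, int]  # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData

def parse_sections(image: bytes) -> List[Section]:
    """Section table fields; the headers read the same in file and memory layout."""
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    (count,) = struct.unpack_from("<H", image, e_lfanew + 6)      # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", image, e_lfanew + 20)  # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size
    return [struct.unpack_from("<IIII", image, table + 40 * i + 8) for i in range(count)]

def rva_to_offset(rva: int, sections: List[Section], loaded: bool) -> Optional[int]:
    """Offset of `rva` in the stream, or None if no section backs it."""
    if loaded:
        return rva  # memory layout: the stream starts at the image base
    for vsize, vaddr, raw_size, raw_ptr in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            delta = rva - vaddr
            # Past SizeOfRawData the loader zero-fills; no file bytes exist there.
            return raw_ptr + delta if delta < raw_size else None
    return None  # header RVAs are not resolved in this example

def read_rva(image: bytes, rva: int, size: int, loaded: bool) -> bytes:
    """Read `size` bytes at `rva`, refusing reads the stream cannot back."""
    off = rva_to_offset(rva, parse_sections(image), loaded)
    if off is None or off + size > len(image):
        raise ValueError(f"RVA {rva:#x} is not backed by this stream")
    return image[off:off + size]

def build_sample(loaded: bool) -> bytes:
    """Constructed image: one section at RVA 0x1000 with raw data at file offset 0x200."""
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)            # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x46, 1)               # NumberOfSections
    struct.pack_into("<8sIIII", hdr, 0x58, b".text", 0x10, 0x1000, 0x200, 0x200)
    body = b"METADATA-BYTES!!".ljust(0x200, b"\0")
    gap = b"\0" * (0x1000 - 0x200) if loaded else b""
    return bytes(hdr) + gap + body

if __name__ == "__main__":
    for loaded in (False, True):
        print(loaded, read_rva(build_sample(loaded), 0x1000, 16, loaded))
```

Reading a file-layout stream with `loaded=True` fails the bounds check here; on a real image it would usually return bytes from the wrong place, which is why a reader has to know which layout it was handed.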

You could read modules from memory or dump files using this ReadVirtualStream.cs:

https://gist.github.com/KirillOsenkov/1b12d8cca60e6dc1c13f6859451a2aab

KirillOsenkov avatar Apr 27 '20 02:04 KirillOsenkov

I took the implementation from the DumpModules project by @ljcollins25. It is used to save all modules from a .dmp file using ClrMD: https://github.com/Ref12/DumpModules/blob/master/src/Ref12.Diagnostics.Extraction/ModuleDumper.cs

KirillOsenkov avatar Apr 27 '20 02:04 KirillOsenkov

This would be a very useful feature.

gdynamics avatar Oct 21 '20 05:10 gdynamics