游戏安全的学习(3)—— SDK dump。

学这个的终极目标肯定是去搞原嘛,但是虽然⚪的保护比上不足但是比下有余啊。所以还是先从无保护的游戏入手,是之前很火的一个 3d 恐怖解谜游戏 Granny。

Unity引擎

Unity 引擎是个很火的支持跨平台的游戏引擎,它的脚本运行时主要由 il2cpp 和 mono 两个工具来实现。

因此它生成的游戏中,就会隐含这两个工具其中一个的接口,通过这些接口,我们可以 dump 出所有这些基类的派生类,方法名,属性名,属性类型以及它们的偏移等等。

获取了这些东西之后,我们要对游戏 hook 就非常容易了。

dump mono 平台的符号

这里 CE 的源码其实已经实现了这些功能,对于一些基本的没有保护的游戏,我们可以一键 dump 符号。但是出于学习的目的还是选择自己写一遍,复刻它 dump 的方法。

dump准备

这里选择 dll 注入然后获取模块列表,得到之后直接去寻找关键的函数。对于 Mono 平台来说,关键函数是 mono_thread_attach,而 il2cpp 的关键函数是 il2cpp_thread_attach

先写一个注入器去注入 dll。

#include<windows.h>
#include<iostream>
#include<time.h>
#include<stdlib.h>
#include<TlHelp32.h>
DWORD FindProcess() {
HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
PROCESSENTRY32 pe32;
pe32 = { sizeof(pe32) };
BOOL ret = Process32First(hSnap, &pe32);
while (ret)
{
//wprintf(L"%s\n", pe32.szExeFile);
if (!wcsncmp(pe32.szExeFile, L"Granny.exe", 11)) {
printf("Find Granny.exe Process %d\n", pe32.th32ProcessID);
return pe32.th32ProcessID;
}
ret = Process32Next(hSnap, &pe32);
}
return 0;
}
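// Loads the DLL at szPath into the process ProcessId by copying the path into
// the target and running LoadLibraryA on a remote thread. Every handle and the
// remote buffer are released on all paths; when a step fails the function
// returns early instead of handing a NULL handle to the next call.
void InjectModule(DWORD ProcessId, const char* szPath)
{
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessId);
    printf("进程句柄:%p\n", hProcess);
    if (hProcess == NULL) {
        return;
    }
    // Copy the terminator as well, and size the buffer from the path instead
    // of a fixed 0x100 bytes so longer paths are not truncated.
    const SIZE_T cbPath = strlen(szPath) + 1;
    LPVOID lpAddress = VirtualAllocEx(hProcess, NULL, cbPath, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (lpAddress != NULL) {
        SIZE_T dwWriteLength = 0;
        if (WriteProcessMemory(hProcess, lpAddress, szPath, cbPath, &dwWriteLength) && dwWriteLength == cbPath) {
            HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibraryA, lpAddress, 0, NULL);
            if (hThread != NULL) {
                // INFINITE spelled out rather than -1.
                WaitForSingleObject(hThread, INFINITE);
                CloseHandle(hThread);
            }
        }
        VirtualFreeEx(hProcess, lpAddress, 0, MEM_RELEASE);
    }
    CloseHandle(hProcess);
}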

// Entry point: polls until Granny.exe is running, then injects the console DLL.
int main() {
    DWORD ProcessId;
    // Retry every two seconds until the target process shows up.
    for (;;) {
        ProcessId = FindProcess();
        if (ProcessId) {
            break;
        }
        printf("未找到Granny程序,等待两秒中再试\n");
        Sleep(2000);
    }
    printf("开始注入进程...\n");
    InjectModule(ProcessId, "C:\\Users\\xia0ji233\\source\\repos\\Game3\\x64\\Debug\\GrannyConsole.dll");
    printf("注入完毕\n");
}

然后就是创建一个普通的 dll 去搞。

这里有一些小技巧,因为有些程序运行不带命令行,调试信息打印十分不方便,在 PROCESS ATTACH 的时候就可以使用以下代码创建一个终端。

// Run on DLL_PROCESS_ATTACH: give the host process a console and point
// stdout at it so printf/cout output becomes visible.
AllocConsole();
freopen("CONOUT$", "w", stdout);

然后就能用 printf 或者是 cout 去打印调试信息了。

先创建一个进程快照,然后遍历进程里的模块,找到指定函数之后获取该模块的模块句柄。

HANDLE ths = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId());
if (ths != INVALID_HANDLE_VALUE)
{
MODULEENTRY32 me;
me.dwSize = sizeof(me);

if (Module32First(ths, &me))
{
do
{
if (GetProcAddress(me.hModule, "mono_thread_attach"))
{
wprintf(L"DLL:%s\n", me.szExePath);
hMono = me.hModule;
break;
}

} while (Module32Next(ths, &me));

}
CloseHandle(ths);
}

找到模块之后就可以初始化 Mono 平台的那些 api 了。

这里给出一下这些 api 的定义和获取:

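// Resolves one export from the Mono runtime module located earlier (hMono)
// and casts it to the requested function-pointer type. Returns NULL when the
// export is absent; callers must tolerate that for optional APIs.
template <typename Fn>
static Fn ResolveMono(const char* name) {
    return reinterpret_cast<Fn>(GetProcAddress(hMono, name));
}

// Fills every mono_* function pointer from hMono. Must run after the module
// scan has set hMono. Pointers stay NULL when an export is missing; only
// g_free has a fallback (mono_unity_g_free, the name used by Unity's Mono).
// Fixes against the original: mono_class_from_name was cast to
// MONO_CLASS_FROM_NAME_CASE (same signature, but misleading), and the three
// mono_method_desc_* lines carried a stray double semicolon.
void InitAPI() {
    g_free = ResolveMono<G_FREE>("g_free");
    if (!g_free)
        g_free = ResolveMono<G_FREE>("mono_unity_g_free");

    mono_free = ResolveMono<MONO_FREE>("mono_free");

    mono_get_root_domain = ResolveMono<MONO_GET_ROOT_DOMAIN>("mono_get_root_domain");
    mono_thread_attach = ResolveMono<MONO_THREAD_ATTACH>("mono_thread_attach");
    mono_thread_detach = ResolveMono<MONO_THREAD_DETACH>("mono_thread_detach");
    mono_thread_cleanup = ResolveMono<MONO_THREAD_CLEANUP>("mono_thread_cleanup");

    mono_object_get_class = ResolveMono<MONO_OBJECT_GET_CLASS>("mono_object_get_class");

    mono_domain_foreach = ResolveMono<MONO_DOMAIN_FOREACH>("mono_domain_foreach");
    mono_domain_set = ResolveMono<MONO_DOMAIN_SET>("mono_domain_set");
    mono_domain_get = ResolveMono<MONO_DOMAIN_GET>("mono_domain_get");
    mono_assembly_foreach = ResolveMono<MONO_ASSEMBLY_FOREACH>("mono_assembly_foreach");
    mono_assembly_get_image = ResolveMono<MONO_ASSEMBLY_GET_IMAGE>("mono_assembly_get_image");
    mono_image_get_assembly = ResolveMono<MONO_IMAGE_GET_ASSEMBLY>("mono_image_get_assembly");

    mono_image_get_name = ResolveMono<MONO_IMAGE_GET_NAME>("mono_image_get_name");
    mono_image_get_filename = ResolveMono<MONO_IMAGE_GET_FILENAME>("mono_image_get_filename");

    mono_image_get_table_info = ResolveMono<MONO_IMAGE_GET_TABLE_INFO>("mono_image_get_table_info");
    mono_image_rva_map = ResolveMono<MONO_IMAGE_RVA_MAP>("mono_image_rva_map");

    mono_table_info_get_rows = ResolveMono<MONO_TABLE_INFO_GET_ROWS>("mono_table_info_get_rows");
    mono_metadata_decode_row_col = ResolveMono<MONO_METADATA_DECODE_ROW_COL>("mono_metadata_decode_row_col");
    mono_metadata_string_heap = ResolveMono<MONO_METADATA_STRING_HEAP>("mono_metadata_string_heap");

    mono_class_get = ResolveMono<MONO_CLASS_GET>("mono_class_get");
    mono_class_from_typeref = ResolveMono<MONO_CLASS_FROM_TYPEREF>("mono_class_from_typeref");
    mono_class_name_from_token = ResolveMono<MONO_CLASS_NAME_FROM_TOKEN>("mono_class_name_from_token");
    mono_class_from_name_case = ResolveMono<MONO_CLASS_FROM_NAME_CASE>("mono_class_from_name_case");
    mono_class_from_name = ResolveMono<MONO_CLASS_FROM_NAME>("mono_class_from_name");
    mono_class_get_name = ResolveMono<MONO_CLASS_GET_NAME>("mono_class_get_name");
    mono_class_get_namespace = ResolveMono<MONO_CLASS_GET_NAMESPACE>("mono_class_get_namespace");
    mono_class_get_methods = ResolveMono<MONO_CLASS_GET_METHODS>("mono_class_get_methods");
    mono_class_get_method_from_name = ResolveMono<MONO_CLASS_GET_METHOD_FROM_NAME>("mono_class_get_method_from_name");
    mono_class_get_fields = ResolveMono<MONO_CLASS_GET_FIELDS>("mono_class_get_fields");
    mono_class_get_parent = ResolveMono<MONO_CLASS_GET_PARENT>("mono_class_get_parent");
    mono_class_get_image = ResolveMono<MONO_CLASS_GET_IMAGE>("mono_class_get_image");
    mono_class_is_generic = ResolveMono<MONO_CLASS_IS_GENERIC>("mono_class_is_generic");
    mono_class_vtable = ResolveMono<MONO_CLASS_VTABLE>("mono_class_vtable");
    mono_class_from_mono_type = ResolveMono<MONO_CLASS_FROM_MONO_TYPE>("mono_class_from_mono_type");
    mono_class_get_element_class = ResolveMono<MONO_CLASS_GET_ELEMENT_CLASS>("mono_class_get_element_class");
    mono_class_instance_size = ResolveMono<MONO_CLASS_INSTANCE_SIZE>("mono_class_instance_size");

    mono_class_num_fields = ResolveMono<MONO_CLASS_NUM_FIELDS>("mono_class_num_fields");
    mono_class_num_methods = ResolveMono<MONO_CLASS_NUM_METHODS>("mono_class_num_methods");

    mono_field_get_name = ResolveMono<MONO_FIELD_GET_NAME>("mono_field_get_name");
    mono_field_get_type = ResolveMono<MONO_FIELD_GET_TYPE>("mono_field_get_type");
    mono_field_get_parent = ResolveMono<MONO_FIELD_GET_PARENT>("mono_field_get_parent");
    mono_field_get_offset = ResolveMono<MONO_FIELD_GET_OFFSET>("mono_field_get_offset");
    mono_field_get_flags = ResolveMono<MONO_FIELD_GET_FLAGS>("mono_field_get_flags");

    mono_type_get_name = ResolveMono<MONO_TYPE_GET_NAME>("mono_type_get_name");
    mono_type_get_type = ResolveMono<MONO_TYPE_GET_TYPE>("mono_type_get_type");
    mono_type_get_name_full = ResolveMono<MONO_TYPE_GET_NAME_FULL>("mono_type_get_name_full");

    mono_method_get_name = ResolveMono<MONO_METHOD_GET_NAME>("mono_method_get_name");
    mono_method_get_class = ResolveMono<MONO_METHOD_GET_CLASS>("mono_method_get_class");
    mono_method_get_header = ResolveMono<MONO_METHOD_GET_HEADER>("mono_method_get_header");
    mono_method_get_flags = ResolveMono<MONO_METHOD_GET_FLAGS>("mono_method_get_flags");
    mono_method_signature = ResolveMono<MONO_METHOD_SIG>("mono_method_signature");
    mono_method_get_param_names = ResolveMono<MONO_METHOD_GET_PARAM_NAMES>("mono_method_get_param_names");

    mono_signature_get_desc = ResolveMono<MONO_SIGNATURE_GET_DESC>("mono_signature_get_desc");
    mono_signature_get_params = ResolveMono<MONO_SIGNATURE_GET_PARAMS>("mono_signature_get_params");
    mono_signature_get_param_count = ResolveMono<MONO_SIGNATURE_GET_PARAM_COUNT>("mono_signature_get_param_count");
    mono_signature_get_return_type = ResolveMono<MONO_SIGNATURE_GET_RETURN_TYPE>("mono_signature_get_return_type");

    mono_compile_method = ResolveMono<MONO_COMPILE_METHOD>("mono_compile_method");
    mono_free_method = ResolveMono<MONO_FREE_METHOD>("mono_free_method");
    mono_jit_info_table_find = ResolveMono<MONO_JIT_INFO_TABLE_FIND>("mono_jit_info_table_find");
    mono_jit_info_get_method = ResolveMono<MONO_JIT_INFO_GET_METHOD>("mono_jit_info_get_method");
    mono_jit_info_get_code_start = ResolveMono<MONO_JIT_INFO_GET_CODE_START>("mono_jit_info_get_code_start");
    mono_jit_info_get_code_size = ResolveMono<MONO_JIT_INFO_GET_CODE_SIZE>("mono_jit_info_get_code_size");
    mono_jit_exec = ResolveMono<MONO_JIT_EXEC>("mono_jit_exec");

    mono_method_header_get_code = ResolveMono<MONO_METHOD_HEADER_GET_CODE>("mono_method_header_get_code");
    mono_disasm_code = ResolveMono<MONO_DISASM_CODE>("mono_disasm_code");

    mono_vtable_get_static_field_data = ResolveMono<MONO_VTABLE_GET_STATIC_FIELD_DATA>("mono_vtable_get_static_field_data");

    mono_method_desc_new = ResolveMono<MONO_METHOD_DESC_NEW>("mono_method_desc_new");
    mono_method_desc_from_method = ResolveMono<MONO_METHOD_DESC_FROM_METHOD>("mono_method_desc_from_method");
    mono_method_desc_free = ResolveMono<MONO_METHOD_DESC_FREE>("mono_method_desc_free");

    mono_string_new = ResolveMono<MONO_STRING_NEW>("mono_string_new");
    mono_string_to_utf8 = ResolveMono<MONO_STRING_TO_UTF8>("mono_string_to_utf8");
    mono_array_new = ResolveMono<MONO_ARRAY_NEW>("mono_array_new");
    mono_value_box = ResolveMono<MONO_VALUE_BOX>("mono_value_box");
    mono_object_unbox = ResolveMono<MONO_OBJECT_UNBOX>("mono_object_unbox");
    mono_object_new = ResolveMono<MONO_OBJECT_NEW>("mono_object_new");

    mono_class_get_type = ResolveMono<MONO_CLASS_GET_TYPE>("mono_class_get_type");
    mono_class_get_nesting_type = ResolveMono<MONO_CLASS_GET_NESTING_TYPE>("mono_class_get_nesting_type");

    mono_method_desc_search_in_image = ResolveMono<MONO_METHOD_DESC_SEARCH_IN_IMAGE>("mono_method_desc_search_in_image");
    mono_runtime_invoke = ResolveMono<MONO_RUNTIME_INVOKE>("mono_runtime_invoke");
    mono_runtime_object_init = ResolveMono<MONO_RUNTIME_OBJECT_INIT>("mono_runtime_object_init");
    mono_assembly_name_new = ResolveMono<MONO_ASSEMBLY_NAME_NEW>("mono_assembly_name_new");
    mono_assembly_loaded = ResolveMono<MONO_ASSEMBLY_LOADED>("mono_assembly_loaded");
    mono_assembly_open = ResolveMono<MONO_ASSEMBLY_OPEN>("mono_assembly_open");
    mono_image_open = ResolveMono<MONO_IMAGE_OPEN>("mono_image_open");
    mono_field_static_get_value = ResolveMono<MONO_FIELD_STATIC_GET_VALUE>("mono_field_static_get_value");
    mono_field_static_set_value = ResolveMono<MONO_FIELD_STATIC_SET_VALUE>("mono_field_static_set_value");
    mono_runtime_is_shutting_down = ResolveMono<MONO_RUNTIME_IS_SHUTTING_DOWN>("mono_runtime_is_shutting_down");
}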

然后最好再新建一个头文件,把下面的定义放到里面,在 dllmain 中包含上这个头文件。

#pragma once
#include <windows.h>
#include<stdint.h>
// MONOCMD_* command ids. They appear to be carried over from the Cheat Engine
// MonoDataCollector source this post says it copies; nothing on this page
// dispatches on them, so treat them as reference-only here.
#define MONOCMD_INITMONO 0
#define MONOCMD_OBJECT_GETCLASS 1
#define MONOCMD_ENUMDOMAINS 2
#define MONOCMD_SETCURRENTDOMAIN 3
#define MONOCMD_ENUMASSEMBLIES 4
#define MONOCMD_GETIMAGEFROMASSEMBLY 5
#define MONOCMD_GETIMAGENAME 6
#define MONOCMD_ENUMCLASSESINIMAGE 7
#define MONOCMD_ENUMFIELDSINCLASS 8
#define MONOCMD_ENUMMETHODSINCLASS 9
#define MONOCMD_COMPILEMETHOD 10

#define MONOCMD_GETMETHODHEADER 11
#define MONOCMD_GETMETHODHEADER_CODE 12
#define MONOCMD_LOOKUPRVA 13
#define MONOCMD_GETJITINFO 14
#define MONOCMD_FINDCLASS 15
#define MONOCMD_FINDMETHOD 16
#define MONOCMD_GETMETHODNAME 17
#define MONOCMD_GETMETHODCLASS 18
#define MONOCMD_GETCLASSNAME 19
#define MONOCMD_GETCLASSNAMESPACE 20
#define MONOCMD_FREEMETHOD 21
#define MONOCMD_TERMINATE 22
#define MONOCMD_DISASSEMBLE 23
#define MONOCMD_GETMETHODSIGNATURE 24
#define MONOCMD_GETPARENTCLASS 25
#define MONOCMD_GETSTATICFIELDADDRESSFROMCLASS 26
#define MONOCMD_GETTYPECLASS 27
#define MONOCMD_GETARRAYELEMENTCLASS 28
#define MONOCMD_FINDMETHODBYDESC 29
#define MONOCMD_INVOKEMETHOD 30
#define MONOCMD_LOADASSEMBLY 31
#define MONOCMD_GETFULLTYPENAME 32
#define MONOCMD_OBJECT_NEW 33
#define MONOCMD_OBJECT_INIT 34
#define MONOCMD_GETVTABLEFROMCLASS 35
#define MONOCMD_GETMETHODPARAMETERS 36
#define MONOCMD_ISCLASSGENERIC 37
#define MONOCMD_ISIL2CPP 38
#define MONOCMD_FILLOPTIONALFUNCTIONLIST 39
#define MONOCMD_GETSTATICFIELDVALUE 40
#define MONOCMD_SETSTATICFIELDVALUE 41
#define MONOCMD_GETCLASSIMAGE 42
#define MONOCMD_FREE 43
#define MONOCMD_GETIMAGEFILENAME 44
#define MONOCMD_GETCLASSNESTINGTYPE 45

// Function-pointer typedefs for the Mono (and a few il2cpp) C exports that
// InitAPI() resolves with GetProcAddress. Runtime structures are opaque to
// this code, so nearly every parameter is a bare void*; all exports use the
// __cdecl convention. Return types of char* are owned by the runtime and are
// released with g_free / mono_free where the runtime requires it.

// Empty placeholders used only for pointer typing; never dereferenced here.
typedef struct {} MonoType;
typedef struct {} MonoMethodSignature;
typedef void* gpointer;

// Callback shapes for mono_domain_foreach / mono_assembly_foreach.
typedef void(__cdecl* MonoDomainFunc) (void* domain, void* user_data);
typedef void(__cdecl* GFunc) (void* data, void* user_data);

typedef void(__cdecl* G_FREE)(void* ptr);

typedef void* (__cdecl* MONO_GET_ROOT_DOMAIN)(void);
typedef void* (__cdecl* MONO_THREAD_ATTACH)(void* domain);
typedef void(__cdecl* MONO_THREAD_DETACH)(void* monothread);
typedef void(__cdecl* MONO_THREAD_CLEANUP)(void);
typedef void* (__cdecl* MONO_OBJECT_GET_CLASS)(void* object);

typedef void(__cdecl* MONO_DOMAIN_FOREACH)(MonoDomainFunc func, void* user_data);

typedef int(__cdecl* MONO_DOMAIN_SET)(void* domain, BOOL force);
typedef void* (__cdecl* MONO_DOMAIN_GET)();
typedef int(__cdecl* MONO_ASSEMBLY_FOREACH)(GFunc func, void* user_data);
typedef void* (__cdecl* MONO_ASSEMBLY_GET_IMAGE)(void* assembly);
typedef void* (__cdecl* MONO_ASSEMBLY_OPEN)(void* fname, int* status);
typedef void* (__cdecl* MONO_IMAGE_GET_ASSEMBLY)(void* image);
typedef char* (__cdecl* MONO_IMAGE_GET_NAME)(void* image);
typedef void* (__cdecl* MONO_IMAGE_OPEN)(const char* fname, int* status);
typedef char* (__cdecl* MONO_IMAGE_GET_FILENAME)(void* image);


// Raw metadata access: table_id is a MonoMetaTableEnum value and the column
// index comes from the anonymous MONO_TYPEDEF_* / MONO_METHOD_* enums below.
typedef void* (__cdecl* MONO_IMAGE_GET_TABLE_INFO)(void* image, int table_id);
typedef int(__cdecl* MONO_TABLE_INFO_GET_ROWS)(void* tableinfo);
typedef int(__cdecl* MONO_METADATA_DECODE_ROW_COL)(void* tableinfo, int idx, unsigned int col);
typedef char* (__cdecl* MONO_METADATA_STRING_HEAP)(void* image, UINT32 index);

// The two lookups below share one signature; the _CASE variant is the
// case-insensitive export.
typedef void* (__cdecl* MONO_CLASS_FROM_NAME_CASE)(void* image, char* name_space, char* name);
typedef void* (__cdecl* MONO_CLASS_FROM_NAME)(void* image, char* name_space, char* name);
typedef char* (__cdecl* MONO_CLASS_GET_NAME)(void* klass);
typedef char* (__cdecl* MONO_CLASS_GET_NAMESPACE)(void* klass);
typedef void* (__cdecl* MONO_CLASS_GET)(void* image, UINT32 tokenindex);
typedef void* (__cdecl* MONO_CLASS_FROM_TYPEREF)(void* image, UINT32 type_token);
typedef char* (__cdecl* MONO_CLASS_NAME_FROM_TOKEN)(void* image, UINT32 token);


// Iterators: `iter` is an in/out cursor that must start as NULL and be a
// distinct variable per enumeration (see the pitfalls section of the post).
typedef void* (__cdecl* MONO_CLASS_GET_PROPERTIES)(void* klass, void* iter);
typedef void* (__cdecl* MONO_CLASS_GET_METHODS)(void* klass, void* iter);
typedef void* (__cdecl* MONO_CLASS_GET_METHOD_FROM_NAME)(void* klass, char* methodname, int paramcount);
typedef void* (__cdecl* MONO_CLASS_GET_FIELDS)(void* klass, void* iter);
typedef void* (__cdecl* MONO_CLASS_GET_PARENT)(void* klass);
typedef void* (__cdecl* MONO_CLASS_GET_IMAGE)(void* klass);
typedef void* (__cdecl* MONO_CLASS_VTABLE)(void* domain, void* klass);
typedef int(__cdecl* MONO_CLASS_INSTANCE_SIZE)(void* klass);
typedef void* (__cdecl* MONO_CLASS_FROM_MONO_TYPE)(void* type);
typedef void* (__cdecl* MONO_CLASS_GET_ELEMENT_CLASS)(void* klass);
typedef int(__cdecl* MONO_CLASS_IS_GENERIC)(void* klass);



typedef int(__cdecl* MONO_CLASS_NUM_FIELDS)(void* klass);
typedef int(__cdecl* MONO_CLASS_NUM_METHODS)(void* klass);

typedef char* (__cdecl* MONO_FIELD_GET_NAME)(void* field);
typedef void* (__cdecl* MONO_FIELD_GET_TYPE)(void* field);
typedef void* (__cdecl* MONO_FIELD_GET_PARENT)(void* field);
typedef int(__cdecl* MONO_FIELD_GET_OFFSET)(void* field);

typedef char* (__cdecl* MONO_TYPE_GET_NAME)(void* type);
typedef int(__cdecl* MONO_TYPE_GET_TYPE)(void* type);
typedef char* (__cdecl* MONO_TYPE_GET_NAME_FULL)(void* type, int format);
typedef int(__cdecl* MONO_FIELD_GET_FLAGS)(void* type);




typedef char* (__cdecl* MONO_METHOD_GET_NAME)(void* method);
typedef void* (__cdecl* MONO_COMPILE_METHOD)(void* method);
typedef void(__cdecl* MONO_FREE_METHOD)(void* method);

typedef void* (__cdecl* MONO_JIT_INFO_TABLE_FIND)(void* domain, void* addr);

typedef void* (__cdecl* MONO_JIT_INFO_GET_METHOD)(void* jitinfo);
typedef void* (__cdecl* MONO_JIT_INFO_GET_CODE_START)(void* jitinfo);
typedef int(__cdecl* MONO_JIT_INFO_GET_CODE_SIZE)(void* jitinfo);

typedef int(__cdecl* MONO_JIT_EXEC)(void* domain, void* assembly, int argc, char* argv[]);



typedef void* (__cdecl* MONO_METHOD_GET_HEADER)(void* method);
typedef void* (__cdecl* MONO_METHOD_GET_CLASS)(void* method);
typedef void* (__cdecl* MONO_METHOD_SIG)(void* method);
// `names` must point at an array with at least as many slots as the method
// has parameters (mono_signature_get_param_count); the runtime fills it in.
typedef void* (__cdecl* MONO_METHOD_GET_PARAM_NAMES)(void* method, const char** names);

typedef void* (__cdecl* MONO_METHOD_HEADER_GET_CODE)(void* methodheader, UINT32* code_size, UINT32* max_stack);
typedef char* (__cdecl* MONO_DISASM_CODE)(void* dishelper, void* method, void* ip, void* end);

typedef char* (__cdecl* MONO_SIGNATURE_GET_DESC)(void* signature, int include_namespace);
typedef MonoType* (__cdecl* MONO_SIGNATURE_GET_PARAMS)(MonoMethodSignature* sig, gpointer* iter);
typedef int(__cdecl* MONO_SIGNATURE_GET_PARAM_COUNT)(void* signature);
typedef MonoType* (__cdecl* MONO_SIGNATURE_GET_RETURN_TYPE)(void* signature);


typedef void* (__cdecl* MONO_IMAGE_RVA_MAP)(void* image, UINT32 addr);
typedef void* (__cdecl* MONO_VTABLE_GET_STATIC_FIELD_DATA)(void* vtable);


typedef void* (__cdecl* MONO_METHOD_DESC_NEW)(const char* name, int include_namespace);
typedef void* (__cdecl* MONO_METHOD_DESC_FROM_METHOD)(void* method);
typedef void(__cdecl* MONO_METHOD_DESC_FREE)(void* desc);

typedef void* (__cdecl* MONO_ASSEMBLY_NAME_NEW)(const char* name);
typedef void* (__cdecl* MONO_ASSEMBLY_LOADED)(void* aname);
typedef void* (__cdecl* MONO_IMAGE_LOADED)(void* aname);

typedef void* (__cdecl* MONO_STRING_NEW)(void* domain, const char* text);
typedef char* (__cdecl* MONO_STRING_TO_UTF8)(void*);
typedef void* (__cdecl* MONO_ARRAY_NEW)(void* domain, void* eclass, uintptr_t n);
typedef void* (__cdecl* MONO_OBJECT_TO_STRING)(void* object, void** exc);
typedef void* (__cdecl* MONO_OBJECT_NEW)(void* domain, void* klass);


typedef void(__cdecl* MONO_FREE)(void*);

typedef void* (__cdecl* MONO_METHOD_DESC_SEARCH_IN_IMAGE)(void* desc, void* image);
typedef void* (__cdecl* MONO_RUNTIME_INVOKE)(void* method, void* obj, void** params, void** exc);
typedef void* (__cdecl* MONO_RUNTIME_INVOKE_ARRAY)(void* method, void* obj, void* params, void** exc);
typedef void* (__cdecl* MONO_RUNTIME_OBJECT_INIT)(void* object);

typedef void* (__cdecl* MONO_FIELD_STATIC_GET_VALUE)(void* vtable, void* field, void* output);
typedef void* (__cdecl* MONO_FIELD_STATIC_SET_VALUE)(void* vtable, void* field, void* input);

// il2cpp takes no vtable argument for static field access.
typedef void* (__cdecl* IL2CPP_FIELD_STATIC_GET_VALUE)(void* field, void* output);
typedef void* (__cdecl* IL2CPP_FIELD_STATIC_SET_VALUE)(void* field, void* input);

typedef void* (__cdecl* MONO_VALUE_BOX)(void* domain, void* klass, void* val);
typedef void* (__cdecl* MONO_OBJECT_UNBOX)(void* obj);
typedef void* (__cdecl* MONO_CLASS_GET_TYPE)(void* klass);
typedef void* (__cdecl* MONO_CLASS_GET_NESTING_TYPE)(void* klass);



//il2cpp:
typedef UINT_PTR* (__cdecl* IL2CPP_DOMAIN_GET_ASSEMBLIES)(void* domain, SIZE_T* size);

typedef int(__cdecl* IL2CPP_IMAGE_GET_CLASS_COUNT)(void* image);
typedef void* (__cdecl* IL2CPP_IMAGE_GET_CLASS)(void* image, int index);

typedef char* (__cdecl* IL2CPP_TYPE_GET_NAME)(void* ptype);
typedef char* (__cdecl* IL2CPP_TYPE_GET_ASSEMBLY_QUALIFIED_NAME)(void* ptype);

typedef int(__cdecl* IL2CPP_METHOD_GET_PARAM_COUNT)(void* method);
typedef char* (__cdecl* IL2CPP_METHOD_GET_PARAM_NAME)(void* method, int index);
typedef void* (__cdecl* IL2CPP_METHOD_GET_PARAM)(void* method, int index);
typedef void* (__cdecl* IL2CPP_METHOD_GET_RETURN_TYPE)(void* method);
typedef void* (__cdecl* IL2CPP_CLASS_FROM_TYPE)(void* type);
typedef wchar_t* (__cdecl* IL2CPP_STRING_CHARS)(void* stringobject);

// Mono again (placed after the il2cpp group in the original header).
// iflags receives the implementation flags; the return value is the method
// attribute flags.
typedef uint32_t(__cdecl* MONO_METHOD_GET_FLAGS)(void* method, uint32_t* iflags);
typedef int(__cdecl* MONO_RUNTIME_IS_SHUTTING_DOWN)(void);




// Global function-pointer slots populated by InitAPI(); hMono is set by the
// module scan in DllMain before InitAPI() runs. These are plain (non-inline)
// definitions inside a header, so the header may be included from exactly
// one translation unit (the post includes it from dllmain only); a second
// include would produce duplicate-symbol link errors.
//
// NOTE(review): mono_class_get_properties, mono_image_loaded,
// mono_object_to_string and every il2cpp_* slot are declared here but never
// assigned by the InitAPI() shown on this page, so they stay NULL.
G_FREE g_free;
MONO_GET_ROOT_DOMAIN mono_get_root_domain;
MONO_THREAD_ATTACH mono_thread_attach;
MONO_THREAD_DETACH mono_thread_detach;
MONO_THREAD_CLEANUP mono_thread_cleanup;
MONO_OBJECT_GET_CLASS mono_object_get_class;
MONO_CLASS_GET_NAME mono_class_get_name;
MONO_CLASS_GET_NAMESPACE mono_class_get_namespace;
MONO_CLASS_GET_PROPERTIES mono_class_get_properties;
MONO_CLASS_GET_PARENT mono_class_get_parent;
MONO_CLASS_GET_IMAGE mono_class_get_image;
MONO_CLASS_VTABLE mono_class_vtable;
MONO_CLASS_INSTANCE_SIZE mono_class_instance_size;
MONO_CLASS_FROM_MONO_TYPE mono_class_from_mono_type;
MONO_CLASS_IS_GENERIC mono_class_is_generic;

MONO_DOMAIN_FOREACH mono_domain_foreach;
MONO_DOMAIN_SET mono_domain_set;
MONO_DOMAIN_GET mono_domain_get;
MONO_ASSEMBLY_FOREACH mono_assembly_foreach;
MONO_ASSEMBLY_GET_IMAGE mono_assembly_get_image;
MONO_IMAGE_GET_ASSEMBLY mono_image_get_assembly;
MONO_ASSEMBLY_OPEN mono_assembly_open;

MONO_IMAGE_GET_NAME mono_image_get_name;
MONO_IMAGE_GET_TABLE_INFO mono_image_get_table_info;
MONO_IMAGE_GET_FILENAME mono_image_get_filename;
MONO_IMAGE_RVA_MAP mono_image_rva_map;
MONO_IMAGE_OPEN mono_image_open;
MONO_IMAGE_LOADED mono_image_loaded;

MONO_TABLE_INFO_GET_ROWS mono_table_info_get_rows;
MONO_METADATA_DECODE_ROW_COL mono_metadata_decode_row_col;
MONO_METADATA_STRING_HEAP mono_metadata_string_heap;
MONO_CLASS_GET mono_class_get;
MONO_CLASS_FROM_TYPEREF mono_class_from_typeref;
MONO_CLASS_NAME_FROM_TOKEN mono_class_name_from_token;

MONO_CLASS_FROM_NAME_CASE mono_class_from_name_case;
MONO_CLASS_FROM_NAME mono_class_from_name;

MONO_CLASS_NUM_FIELDS mono_class_num_fields;
MONO_CLASS_GET_FIELDS mono_class_get_fields;

MONO_CLASS_NUM_METHODS mono_class_num_methods;
MONO_CLASS_GET_METHODS mono_class_get_methods;

MONO_CLASS_GET_METHOD_FROM_NAME mono_class_get_method_from_name;
MONO_CLASS_GET_ELEMENT_CLASS mono_class_get_element_class;


MONO_FIELD_GET_NAME mono_field_get_name;
MONO_FIELD_GET_TYPE mono_field_get_type;
MONO_FIELD_GET_PARENT mono_field_get_parent;
MONO_FIELD_GET_OFFSET mono_field_get_offset;

MONO_TYPE_GET_NAME mono_type_get_name;
MONO_TYPE_GET_TYPE mono_type_get_type;
MONO_TYPE_GET_NAME_FULL mono_type_get_name_full;
MONO_FIELD_GET_FLAGS mono_field_get_flags;

MONO_METHOD_GET_NAME mono_method_get_name;
MONO_METHOD_GET_HEADER mono_method_get_header;
MONO_METHOD_GET_CLASS mono_method_get_class;
MONO_METHOD_SIG mono_method_signature;
MONO_METHOD_GET_PARAM_NAMES mono_method_get_param_names;

MONO_SIGNATURE_GET_DESC mono_signature_get_desc;
MONO_SIGNATURE_GET_PARAMS mono_signature_get_params;
MONO_SIGNATURE_GET_PARAM_COUNT mono_signature_get_param_count;
MONO_SIGNATURE_GET_RETURN_TYPE mono_signature_get_return_type;


MONO_COMPILE_METHOD mono_compile_method;
MONO_FREE_METHOD mono_free_method;

MONO_JIT_INFO_TABLE_FIND mono_jit_info_table_find;
MONO_JIT_INFO_GET_METHOD mono_jit_info_get_method;
MONO_JIT_INFO_GET_CODE_START mono_jit_info_get_code_start;
MONO_JIT_INFO_GET_CODE_SIZE mono_jit_info_get_code_size;
MONO_JIT_EXEC mono_jit_exec;

MONO_METHOD_HEADER_GET_CODE mono_method_header_get_code;
MONO_DISASM_CODE mono_disasm_code;

MONO_VTABLE_GET_STATIC_FIELD_DATA mono_vtable_get_static_field_data;

MONO_METHOD_DESC_NEW mono_method_desc_new;
MONO_METHOD_DESC_FROM_METHOD mono_method_desc_from_method;
MONO_METHOD_DESC_FREE mono_method_desc_free;
MONO_ASSEMBLY_NAME_NEW mono_assembly_name_new;
MONO_ASSEMBLY_LOADED mono_assembly_loaded;

MONO_STRING_NEW mono_string_new;
MONO_STRING_TO_UTF8 mono_string_to_utf8;
MONO_ARRAY_NEW mono_array_new;
MONO_OBJECT_TO_STRING mono_object_to_string;
MONO_OBJECT_NEW mono_object_new;
MONO_FREE mono_free;
MONO_VALUE_BOX mono_value_box;
MONO_OBJECT_UNBOX mono_object_unbox;
MONO_CLASS_GET_TYPE mono_class_get_type;
MONO_CLASS_GET_NESTING_TYPE mono_class_get_nesting_type;


MONO_METHOD_DESC_SEARCH_IN_IMAGE mono_method_desc_search_in_image;
MONO_RUNTIME_INVOKE mono_runtime_invoke;
MONO_RUNTIME_OBJECT_INIT mono_runtime_object_init;

MONO_FIELD_STATIC_GET_VALUE mono_field_static_get_value;
MONO_FIELD_STATIC_SET_VALUE mono_field_static_set_value;

//il2cpp
IL2CPP_FIELD_STATIC_GET_VALUE il2cpp_field_static_get_value;
IL2CPP_FIELD_STATIC_SET_VALUE il2cpp_field_static_set_value;

IL2CPP_DOMAIN_GET_ASSEMBLIES il2cpp_domain_get_assemblies;

IL2CPP_IMAGE_GET_CLASS_COUNT il2cpp_image_get_class_count;
IL2CPP_IMAGE_GET_CLASS il2cpp_image_get_class;

IL2CPP_TYPE_GET_NAME il2cpp_type_get_name;
IL2CPP_TYPE_GET_ASSEMBLY_QUALIFIED_NAME il2cpp_type_get_assembly_qualified_name;

IL2CPP_METHOD_GET_PARAM_COUNT il2cpp_method_get_param_count;
IL2CPP_METHOD_GET_PARAM_NAME il2cpp_method_get_param_name;
IL2CPP_METHOD_GET_PARAM il2cpp_method_get_param;
IL2CPP_METHOD_GET_RETURN_TYPE il2cpp_method_get_return_type;
IL2CPP_CLASS_FROM_TYPE il2cpp_class_from_type;
IL2CPP_STRING_CHARS il2cpp_string_chars;
MONO_METHOD_GET_FLAGS mono_method_get_flags;
MONO_RUNTIME_IS_SHUTTING_DOWN mono_runtime_is_shutting_down;


// Module handle of the Mono runtime DLL; NULL until the module scan finds the
// module that exports mono_thread_attach.
HMODULE hMono = NULL;
// Element type codes returned by mono_type_get_type(). The values follow the
// ECMA-335 ELEMENT_TYPE_* encoding; the trailing comments are Mono's own
// notes on what follows each code in a signature blob.
typedef enum {
MONO_TYPE_END = 0x00, /* End of List */
MONO_TYPE_VOID = 0x01,
MONO_TYPE_BOOLEAN = 0x02,
MONO_TYPE_CHAR = 0x03,
MONO_TYPE_I1 = 0x04,
MONO_TYPE_U1 = 0x05,
MONO_TYPE_I2 = 0x06,
MONO_TYPE_U2 = 0x07,
MONO_TYPE_I4 = 0x08,
MONO_TYPE_U4 = 0x09,
MONO_TYPE_I8 = 0x0a,
MONO_TYPE_U8 = 0x0b,
MONO_TYPE_R4 = 0x0c,
MONO_TYPE_R8 = 0x0d,
MONO_TYPE_STRING = 0x0e,
MONO_TYPE_PTR = 0x0f, /* arg: <type> token */
MONO_TYPE_BYREF = 0x10, /* arg: <type> token */
MONO_TYPE_VALUETYPE = 0x11, /* arg: <type> token */
MONO_TYPE_CLASS = 0x12, /* arg: <type> token */
MONO_TYPE_VAR = 0x13, /* number */
MONO_TYPE_ARRAY = 0x14, /* type, rank, boundsCount, bound1, loCount, lo1 */
MONO_TYPE_GENERICINST = 0x15, /* <type> <type-arg-count> <type-1> ... <type-n> */
MONO_TYPE_TYPEDBYREF = 0x16,
MONO_TYPE_I = 0x18,
MONO_TYPE_U = 0x19,
MONO_TYPE_FNPTR = 0x1b, /* arg: full method signature */
MONO_TYPE_OBJECT = 0x1c,
MONO_TYPE_SZARRAY = 0x1d, /* 0-based one-dim-array */
MONO_TYPE_MVAR = 0x1e, /* number */
MONO_TYPE_CMOD_REQD = 0x1f, /* arg: typedef or typeref token */
MONO_TYPE_CMOD_OPT = 0x20, /* optional arg: typedef or typref token */
MONO_TYPE_INTERNAL = 0x21, /* CLR internal type */

MONO_TYPE_MODIFIER = 0x40, /* Or with the following types */
MONO_TYPE_SENTINEL = 0x41, /* Sentinel for varargs method signature */
MONO_TYPE_PINNED = 0x45, /* Local var that points to pinned object */

MONO_TYPE_ENUM = 0x55 /* an enumeration */
} MonoTypeEnum;

// Metadata table ids, passed as table_id to mono_image_get_table_info().
// Sequential from 0; the hex comments mark where the numbering reaches a
// round value.
typedef enum {
MONO_TABLE_MODULE,
MONO_TABLE_TYPEREF,
MONO_TABLE_TYPEDEF,
MONO_TABLE_FIELD_POINTER,
MONO_TABLE_FIELD,
MONO_TABLE_METHOD_POINTER,
MONO_TABLE_METHOD,
MONO_TABLE_PARAM_POINTER,
MONO_TABLE_PARAM,
MONO_TABLE_INTERFACEIMPL,
MONO_TABLE_MEMBERREF, /* 0xa */
MONO_TABLE_CONSTANT,
MONO_TABLE_CUSTOMATTRIBUTE,
MONO_TABLE_FIELDMARSHAL,
MONO_TABLE_DECLSECURITY,
MONO_TABLE_CLASSLAYOUT,
MONO_TABLE_FIELDLAYOUT, /* 0x10 */
MONO_TABLE_STANDALONESIG,
MONO_TABLE_EVENTMAP,
MONO_TABLE_EVENT_POINTER,
MONO_TABLE_EVENT,
MONO_TABLE_PROPERTYMAP,
MONO_TABLE_PROPERTY_POINTER,
MONO_TABLE_PROPERTY,
MONO_TABLE_METHODSEMANTICS,
MONO_TABLE_METHODIMPL,
MONO_TABLE_MODULEREF, /* 0x1a */
MONO_TABLE_TYPESPEC,
MONO_TABLE_IMPLMAP,
MONO_TABLE_FIELDRVA,
MONO_TABLE_UNUSED6,
MONO_TABLE_UNUSED7,
MONO_TABLE_ASSEMBLY, /* 0x20 */
MONO_TABLE_ASSEMBLYPROCESSOR,
MONO_TABLE_ASSEMBLYOS,
MONO_TABLE_ASSEMBLYREF,
MONO_TABLE_ASSEMBLYREFPROCESSOR,
MONO_TABLE_ASSEMBLYREFOS,
MONO_TABLE_FILE,
MONO_TABLE_EXPORTEDTYPE,
MONO_TABLE_MANIFESTRESOURCE,
MONO_TABLE_NESTEDCLASS,
MONO_TABLE_GENERICPARAM, /* 0x2a */
MONO_TABLE_METHODSPEC,
MONO_TABLE_GENERICPARAMCONSTRAINT
} MonoMetaTableEnum;


// Column indices of the TypeDef table for mono_metadata_decode_row_col();
// MONO_TYPEDEF_SIZE is the column count, not a column.
enum {
MONO_TYPEDEF_FLAGS,
MONO_TYPEDEF_NAME,
MONO_TYPEDEF_NAMESPACE,
MONO_TYPEDEF_EXTENDS,
MONO_TYPEDEF_FIELD_LIST,
MONO_TYPEDEF_METHOD_LIST,
MONO_TYPEDEF_SIZE
};

/*
 * Column indices of one row of the Method table (same layout convention as the
 * TypeDef columns above). MONO_METHOD_SIZE is the column count, not a column.
 */
enum {
    MONO_METHOD_RVA = 0,
    MONO_METHOD_IMPLFLAGS = 1,
    MONO_METHOD_FLAGS = 2,
    MONO_METHOD_NAME = 3,
    MONO_METHOD_SIGNATURE = 4,
    MONO_METHOD_PARAMLIST = 5,
    MONO_METHOD_SIZE = 6
};


/*
 * Metadata token constants. The top byte of a token is the MonoMetaTableEnum
 * index of the table it refers to (MONO_TOKEN_TYPE_DEF >> 24 == MONO_TABLE_TYPEDEF,
 * MONO_TOKEN_METHOD_DEF >> 24 == MONO_TABLE_METHOD, and so on for every entry
 * above MONO_TOKEN_METHOD_SPEC); the low 24 bits carry the 1-based row index.
 * That is why dumpsdk() builds a class token as MONO_TOKEN_TYPE_DEF | (i + 1).
 */
typedef enum {
MONO_TOKEN_MODULE = 0x00000000,
MONO_TOKEN_TYPE_REF = 0x01000000,
MONO_TOKEN_TYPE_DEF = 0x02000000,
MONO_TOKEN_FIELD_DEF = 0x04000000,
MONO_TOKEN_METHOD_DEF = 0x06000000,
MONO_TOKEN_PARAM_DEF = 0x08000000,
MONO_TOKEN_INTERFACE_IMPL = 0x09000000,
MONO_TOKEN_MEMBER_REF = 0x0a000000,
MONO_TOKEN_CUSTOM_ATTRIBUTE = 0x0c000000,
MONO_TOKEN_PERMISSION = 0x0e000000,
MONO_TOKEN_SIGNATURE = 0x11000000,
MONO_TOKEN_EVENT = 0x14000000,
MONO_TOKEN_PROPERTY = 0x17000000,
MONO_TOKEN_MODULE_REF = 0x1a000000,
MONO_TOKEN_TYPE_SPEC = 0x1b000000,
MONO_TOKEN_ASSEMBLY = 0x20000000,
MONO_TOKEN_ASSEMBLY_REF = 0x23000000,
MONO_TOKEN_FILE = 0x26000000,
MONO_TOKEN_EXPORTED_TYPE = 0x27000000,
MONO_TOKEN_MANIFEST_RESOURCE = 0x28000000,
MONO_TOKEN_GENERIC_PARAM = 0x2a000000,
MONO_TOKEN_METHOD_SPEC = 0x2b000000,

/*
* These do not match metadata tables directly (0x70+ is above the last table index)
*/
MONO_TOKEN_STRING = 0x70000000,
MONO_TOKEN_NAME = 0x71000000,
MONO_TOKEN_BASE_TYPE = 0x72000000
} MonoTokenType;

然后就是通过 API 去获取了,中间踩了很多坑。

第一,在通过 mono_get_root_domain 拿到根域之后,必须调用 mono_thread_attach 把当前线程附加到该域,否则每个 image 只能获取到第一个类,后面的类都获取不到。

第二,如果整合 CE 的代码,一定要注意循环变量不要重复定义:这里就是内外层循环写错了循环变量,导致获取到的指针一直是错的,后来通过调试才发现问题。

这里是我写了names[i],此时正在获取第一个参数,而我此时发现这行代码获取的下标竟然是 8(rax)的值。于是才明白是循环变量写错了。

第三,在遍历方法和属性时一定要记得把第二个参数(迭代器指针)重新置空,否则会出现很难理解的问题;照抄 CE 的代码时的表现就是属性可以获取,而方法获取很容易出错。

dllmain代码

以下是 mono 平台 dumpsdk的完整代码:

/// Callback handed to mono_assembly_foreach(): records the pointer it is given
/// (despite the parameter name, dumpsdk() later passes each entry to
/// mono_assembly_get_image(), i.e. treats it as an assembly) into the vector
/// supplied as user data.
void _cdecl AssemblyEnumerator(void* domain, vector<UINT64>* v)
{
    const UINT_PTR entry = reinterpret_cast<UINT_PTR>(domain);
    v->push_back(entry);
}
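/// Returns the first UTF-16 code unit of a UTF-8 string, or 0 for a null, empty
/// or malformed input. dumpsdk() uses it to print identifiers whose first byte
/// is 0xEE (the UTF-8 lead byte of U+E000..U+EFFF) as "\uXXXX".
///
/// Both toolchain branches now share one try/catch: wstring_convert::from_bytes()
/// throws std::range_error on invalid UTF-8, and previously only the MSVC branch
/// caught it. The value is read with a static_cast instead of reinterpreting the
/// buffer as a WORD, which gives the same code unit without type punning.
WORD UTF8TOUTF16(char* szUtf8) {
    if (szUtf8 == nullptr || *szUtf8 == '\0') {
        return 0;
    }
    try {
#if (_WINDOWS && (_MSC_VER <= 1916))
        // Older MSVC takes the wchar_t route (the author's choice for _MSC_VER <= 1916;
        // on Windows wchar_t is a 16-bit unit, so front() is the first code unit).
        std::wstring_convert<std::codecvt_utf8<wchar_t>, wchar_t> convert;
        const std::wstring dest = convert.from_bytes(szUtf8);
        return dest.empty() ? 0 : static_cast<WORD>(dest.front());
#else
        std::wstring_convert<std::codecvt_utf8_utf16<char16_t>, char16_t> convert;
        const std::u16string dest = convert.from_bytes(szUtf8);
        return dest.empty() ? 0 : static_cast<WORD>(dest.front());
#endif
    }
    catch (const std::range_error&) {
        // Malformed UTF-8: report "no code unit" rather than propagating out of the dump loop.
        return 0;
    }
}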
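// Formats a Mono identifier for the dump. A name whose first byte is 0xEE (the
// UTF-8 lead byte of U+E000..U+EFFF) is written as "\uXXXX" so the dump stays
// plain ASCII; any other name is copied through unchanged. A null name yields
// an empty string instead of undefined behaviour.
static std::string DisplayName(char* name) {
    if (name == nullptr) {
        return std::string();
    }
    if (static_cast<unsigned char>(name[0]) == 0xEE) {
        char szUeName[32];
        snprintf(szUeName, sizeof(szUeName), "\\u%04X", static_cast<unsigned>(UTF8TOUTF16(name)));
        return std::string(szUeName);
    }
    return std::string(name);
}

// Finds the module in this process that exports mono_thread_attach (the Mono
// runtime) and stores its handle in the global hMono (presumably consumed by
// InitAPI()). Returns false when no module matched; hMono is left untouched.
static bool FindMonoModule() {
    HANDLE ths = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId());
    if (ths == INVALID_HANDLE_VALUE) {
        return false;
    }
    bool found = false;
    MODULEENTRY32 me;
    me.dwSize = sizeof(me);
    if (Module32First(ths, &me)) {
        do {
            if (GetProcAddress(me.hModule, "mono_thread_attach")) {
                wprintf(L"MODULE:%s\n", me.szExePath);
                hMono = me.hModule;
                found = true;
                break;
            }
        } while (Module32Next(ths, &me));
    }
    CloseHandle(ths);  // released on every path, matched or not
    return found;
}

// Prints every field of class c as "<type> <name>;".
static void DumpFields(void* c) {
    std::cout << "\t\t\t" << "field List" << std::endl;
    void* iter = NULL;  // enumeration state for mono_class_get_fields(); must start as NULL
    while (void* field = mono_class_get_fields(c, &iter)) {
        void* fieldtype = mono_field_get_type(field);
        const std::string sType = DisplayName(mono_type_get_name(fieldtype));
        const std::string sName = DisplayName(mono_field_get_name(field));
        std::cout << "\t\t\t\t" << sType << " " << sName << ";" << std::endl;
    }
}

// Prints one method signature: "<return type> <name>(<param type> <param name>,...);".
// The parameter-type iterator is declared once per signature, outside the loop:
// re-initialising it on every iteration restarts the enumeration and makes
// mono_signature_get_params() hand back the first parameter's type every time
// (pitfall 2).
static void DumpMethodSignature(void* method, const std::string& sName, void* methodsignature) {
    MonoType* returntype = mono_signature_get_return_type(methodsignature);
    const std::string sReturn = DisplayName(mono_type_get_name(returntype));
    const int paramcount = mono_signature_get_param_count(methodsignature);
    std::cout << "\t\t\t\t" << sReturn << " " << sName << "(";
    if (paramcount > 0) {
        // Parameter names are written into a caller-supplied array; a vector owns
        // the storage so it is released when the signature has been printed.
        std::vector<const char*> names(static_cast<size_t>(paramcount), nullptr);
        mono_method_get_param_names(method, names.data());
        gpointer ITER = NULL;
        for (int j = 0; j < paramcount; j++) {
            MonoType* paramtype = mono_signature_get_params(static_cast<MonoMethodSignature*>(methodsignature), &ITER);
            if (!paramtype) {
                break;
            }
            void* type = mono_class_from_mono_type(paramtype);
            // A null name is printed as "" rather than passed to a %s conversion.
            std::cout << DisplayName(mono_class_get_name(type)) << " " << (names[j] ? names[j] : "");
            if (j != paramcount - 1) {
                std::cout << ",";
            }
        }
    }
    std::cout << ");" << std::endl;
}

// Prints every method of class c, one per line, prefixed with its MonoMethod address.
static void DumpMethods(void* c) {
    std::cout << "\t\t\t" << "method:" << std::endl;
    void* iter = NULL;  // fresh enumeration state, independent of the field walk (pitfall 3)
    while (void* method = mono_class_get_methods(c, &iter)) {
        printf("0x%p: ", method);
        const std::string sName = DisplayName(mono_method_get_name(method));
        void* methodsignature = mono_method_signature(method);
        if (methodsignature) {
            DumpMethodSignature(method, sName, methodsignature);
        } else {
            // Still terminate the line so the next method does not append to this one.
            std::cout << sName << std::endl;
        }
    }
}

// Dumps the Mono metadata of the current process to stdout: for every loaded
// assembly, the class name, fields and method signatures of each TypeDef row.
// Expects the Mono runtime to already be loaded in this process (it is located
// by its mono_thread_attach export). Prints a message and returns early when
// the API could not be bound or the root domain is not available.
void dumpsdk() {
    FindMonoModule();
    InitAPI();
    std::cout << "API init down" << std::endl;
    if (!mono_get_root_domain) {
        printf("API init error\n");
        return;
    }
    void* domain = (void*)mono_get_root_domain();
    if (!domain) {
        // mono_thread_attach(NULL) would crash; bail out instead.
        printf("root domain not available\n");
        return;
    }
    // Pitfall 1: the calling thread must be attached to the domain first;
    // without this only the first class of every image is returned.
    mono_thread_attach(domain);
    std::vector<UINT64> v;
    mono_assembly_foreach((GFunc)AssemblyEnumerator, &v);
    printf("module count:%zu\n", v.size());  // %zu: v.size() is a size_t
    for (const UINT64 assembly : v) {
        void* image = mono_assembly_get_image(reinterpret_cast<void*>(assembly));
        printf("module name: %s\n", mono_image_get_name(image));
        void* tdef = mono_image_get_table_info(image, MONO_TABLE_TYPEDEF);
        if (!tdef) {
            continue;
        }
        const int tdefcount = mono_table_info_get_rows(tdef);
        printf("\tclass count:%d\n", tdefcount);
        printf("\tclass list:\n");
        for (int i = 0; i < tdefcount; i++) {
            // TypeDef rows are 1-based; the token is the table id in the top byte plus the row.
            void* c = mono_class_get(image, MONO_TOKEN_TYPE_DEF | (i + 1));
            if (!c) {
                continue;
            }
            printf("c:%p\n", c);
            std::cout << "\t\t\tclass name: " << DisplayName(mono_class_get_name(c)) << std::endl;
            DumpFields(c);
            DumpMethods(c);
        }
    }
}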

dump结果

END

感谢 Q 师傅给我的方向上很大的一个建议,那第一就是学东西不能求多,得求精。

所以目标上就先放一放别的,专注游戏安全,以及基础的巩固,windowsCOS 这些基础确实还是差了很多,所以有时间可以去多学学这些。