
Getting list of .NET DLL loaded by particular process in C#

Please note that this user is banned
Well, it is kinda complicated. Dotnet assemblies are not like regular DLLs; tools like Process Hacker use ETW to list them (never really looked into how it is done, but I think they just search for particular events in the ETW and filter them by process). However, if the malware bypasses the ETW logging before loading dotnet assemblies, there will be no records in the ETW. In this case the only thing I can think of is to list all the allocated virtual memory pages and search for some artifacts like PE headers. Bear in mind that dotnet assemblies that do not have native code in them (most of them don't) can be run on pages with only read or read-write rights (no page execute rights are needed to run a dotnet assembly).
 
Exactly, it's a bit tricky.
Found the Sysinternals tool "ListDLLs" (a utility that reports the DLLs loaded into processes); however, it's also not showing .NET DLLs, and again there are access denied errors.
Anyway, are there any other ways we can look up virtual memory pages or PE headers of DLL modules loaded by a process, within C#?
 
Please note that this user is banned
You can either look for a ready-to-use library on NuGet (I don't know one, but I think it might exist), or P/Invoke some native WinAPIs. Here is an example of how to do so: https://www.codeproject.com/Articles/716227/Csharp-How-to-Scan-a-Process-Memory - look for a continuous allocated region of memory that starts with PE headers. Also, this code seems to be written for x86 (using ints for addresses); if you want it to work reliably on x64, compile your dotnet assembly for x64 or AnyCPU without "prefer x86", and use IntPtr or long/ulong for storing addresses. Look on pinvoke.net for the correct struct and extern method definitions.
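
The region scan suggested in the reply above, as an added C# example that is not code from the thread or from the linked CodeProject article: it walks a process's committed regions with VirtualQueryEx and reports those whose first page is a PE header with a populated CLR data directory (entry 14), which is how a managed image can be spotted when ETW shows nothing. The class name `ClrImageScanner` is made up here; the code assumes an x64 build and only inspects the start of each region, so it is a triage listing rather than a complete one.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;
static class ClrImageScanner   // hypothetical name, not from the thread
{
    [StructLayout(LayoutKind.Sequential)]
    struct MEMORY_BASIC_INFORMATION   // IntPtr fields keep the layout correct on x86 and x64
    {
        public IntPtr BaseAddress, AllocationBase;
        public uint AllocationProtect;
        public IntPtr RegionSize;
        public uint State, Protect, Type;
    }
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);
    [DllImport("kernel32.dll")]
    static extern IntPtr VirtualQueryEx(IntPtr h, IntPtr addr, out MEMORY_BASIC_INFORMATION mbi, IntPtr len);
    [DllImport("kernel32.dll")]
    static extern bool ReadProcessMemory(IntPtr h, IntPtr addr, byte[] buf, IntPtr size, out IntPtr read);
    // True when buf starts with a PE header whose CLR data directory (entry 14) is populated.
    static bool HasClrHeader(byte[] buf)
    {
        if (buf[0] != 'M' || buf[1] != 'Z') return false;
        int pe = BitConverter.ToInt32(buf, 0x3C);                          // e_lfanew
        if (pe < 0 || pe > buf.Length - 0x100 || BitConverter.ToUInt32(buf, pe) != 0x00004550)
            return false;                                                  // no "PE\0\0" within the page
        int opt = pe + 24;                                                 // signature + IMAGE_FILE_HEADER
        int dirs = opt + (BitConverter.ToUInt16(buf, opt) == 0x20B ? 112 : 96);   // PE32+ : PE32
        if (BitConverter.ToUInt32(buf, dirs - 4) <= 14) return false;      // NumberOfRvaAndSizes
        return BitConverter.ToUInt32(buf, dirs + 112) != 0 && BitConverter.ToUInt32(buf, dirs + 116) != 0;
    }
    static void Main(string[] args)
    {
        int pid = args.Length > 0 ? int.Parse(args[0]) : Process.GetCurrentProcess().Id;  // default: self
        IntPtr h = OpenProcess(0x0400 | 0x0010, false, pid);   // PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
        if (h == IntPtr.Zero) throw new Win32Exception();       // e.g. access denied
        var buf = new byte[0x1000]; long addr = 0;
        var len = (IntPtr)Marshal.SizeOf<MEMORY_BASIC_INFORMATION>();
        while (VirtualQueryEx(h, (IntPtr)addr, out var mbi, len) != IntPtr.Zero)
        {
            bool readable = mbi.State == 0x1000 && (mbi.Protect & 0x101) == 0;  // MEM_COMMIT, not NOACCESS/GUARD
            if (readable && ReadProcessMemory(h, mbi.BaseAddress, buf, (IntPtr)buf.Length, out _) && HasClrHeader(buf))
                Console.WriteLine($"0x{(long)mbi.BaseAddress:X} type=0x{mbi.Type:X} protect=0x{mbi.Protect:X}");
            addr = (long)mbi.BaseAddress + (long)mbi.RegionSize;   // next region
        }
        CloseHandle(h);
    }
}
```

Run with no argument it scans its own process, which should list at least the executable and the core library. Hits whose type is not 0x1000000 (MEM_IMAGE) are the ones worth a closer look, since file-backed module listings do not cover them.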
 
How can we get a list of all .NET-based DLL modules loaded by a particular process in C#?

Don't have to use third-party binaries or executables. o_o
Take a look at the megadumper/extremedumper source code.

Those programs have this capability.
 

