private string GetInformationUnicodeString(DriverInformationClass infoClass)
        {
            using (MemoryAlloc data = new MemoryAlloc(0x1000))
            {
                int retLength = 0;

                try
                {
                    KProcessHacker.Instance.KphQueryInformationDriver(
                        this,
                        infoClass,
                        data,
                        data.Size,
                        out retLength
                        );
                }
                catch (WindowsException)
                {
                    data.Resize(retLength);

                    KProcessHacker.Instance.KphQueryInformationDriver(
                        this,
                        infoClass,
                        data,
                        data.Size,
                        out retLength
                        );
                }

                return(data.ReadStruct <UnicodeString>().Read());
            }
        }
Beispiel #2
0
        public string GetTarget()
        {
            NtStatus      status;
            int           retLength;
            UnicodeString str = new UnicodeString();

            using (var buffer = new MemoryAlloc(0x200))
            {
                str.Length        = 0;
                str.MaximumLength = (ushort)buffer.Size;
                str.Buffer        = buffer;

                if ((status = Win32.NtQuerySymbolicLinkObject(this, ref str, out retLength)) >= NtStatus.Error)
                {
                    buffer.Resize(retLength);
                    str.MaximumLength = (ushort)retLength;
                    str.Buffer        = buffer;
                }

                if ((status = Win32.NtQuerySymbolicLinkObject(this, ref str, out retLength)) >= NtStatus.Error)
                {
                    Win32.ThrowLastError(status);
                }

                return(str.Read());
            }
        }
Beispiel #3
0
        private string GetInformationUnicodeString(DriverInformationClass infoClass)
        {
            using (MemoryAlloc data = new MemoryAlloc(0x1000))
            {
                int retLength = 0;

                try
                {
                    KProcessHacker.Instance.KphQueryInformationDriver(
                        this,
                        infoClass,
                        data,
                        data.Size,
                        out retLength
                        );
                }
                catch (WindowsException)
                {
                    data.Resize(retLength);

                    KProcessHacker.Instance.KphQueryInformationDriver(
                        this,
                        infoClass,
                        data,
                        data.Size,
                        out retLength
                        );
                }

                return data.ReadStruct<UnicodeString>().Read();
            }
        }
        public string GetVariable(string name)
        {
            NtStatus      status;
            UnicodeString nameStr;
            UnicodeString valueStr;

            nameStr = new UnicodeString(name);

            try
            {
                using (var data = new MemoryAlloc(100))
                {
                    valueStr               = new UnicodeString();
                    valueStr.Buffer        = data;
                    valueStr.MaximumLength = (ushort)data.Size;

                    status = Win32.RtlQueryEnvironmentVariable_U(
                        this,
                        ref nameStr,
                        ref valueStr
                        );

                    if (status == NtStatus.BufferTooSmall)
                    {
                        // Resize and try again (+2 for the null terminator).
                        data.Resize(valueStr.Length + 2);
                        valueStr.Buffer        = data;
                        valueStr.MaximumLength = (ushort)(valueStr.Length + 2);

                        status = Win32.RtlQueryEnvironmentVariable_U(
                            this,
                            ref nameStr,
                            ref valueStr
                            );
                    }

                    if (status >= NtStatus.Error)
                    {
                        Win32.ThrowLastError(status);
                    }

                    return(valueStr.Read());
                }
            }
            finally
            {
                nameStr.Dispose();
            }
        }
Beispiel #5
0
        private T QueryStruct <T>(JobObjectInformationClass informationClass)
            where T : struct
        {
            int retLength;

            using (MemoryAlloc data = new MemoryAlloc(Marshal.SizeOf(typeof(T))))
            {
                if (!Win32.QueryInformationJobObject(this, informationClass, data, data.Size, out retLength))
                {
                    data.Resize(retLength);

                    if (!Win32.QueryInformationJobObject(this, informationClass, data, data.Size, out retLength))
                    {
                        Win32.ThrowLastError();
                    }
                }

                return(data.ReadStruct <T>());
            }
        }
Beispiel #6
0
        public string GetLogFileName()
        {
            NtStatus status;
            int      retLength;

            using (var data = new MemoryAlloc(0x1000))
            {
                status = Win32.NtQueryInformationTransactionManager(
                    this,
                    TmInformationClass.TransactionManagerLogPathInformation,
                    data,
                    data.Size,
                    out retLength
                    );

                if (status == NtStatus.BufferTooSmall)
                {
                    // Resize the buffer and try again.
                    data.Resize(retLength);

                    status = Win32.NtQueryInformationTransactionManager(
                        this,
                        TmInformationClass.TransactionManagerLogPathInformation,
                        data,
                        data.Size,
                        out retLength
                        );
                }

                if (status >= NtStatus.Error)
                {
                    Win32.ThrowLastError(status);
                }

                TmLogPathInformation logPathInfo = data.ReadStruct <TmLogPathInformation>();

                return(data.ReadUnicodeString(TmLogPathInformation.LogPathOffset, logPathInfo.LogPathLength));
            }
        }
        private MemoryAlloc GetPropertiesInformation()
        {
            NtStatus status;
            int      retLength;

            var data = new MemoryAlloc(0x1000);

            status = Win32.NtQueryInformationTransaction(
                this,
                TransactionInformationClass.TransactionPropertiesInformation,
                data,
                data.Size,
                out retLength
                );

            if (status == NtStatus.BufferTooSmall)
            {
                // Resize the buffer and try again.
                data.Resize(retLength);

                status = Win32.NtQueryInformationTransaction(
                    this,
                    TransactionInformationClass.TransactionPropertiesInformation,
                    data,
                    data.Size,
                    out retLength
                    );
            }

            if (status >= NtStatus.Error)
            {
                data.Dispose();
                Win32.ThrowLastError(status);
            }

            return(data);
        }
Beispiel #8
0
        private MemoryAlloc GetBasicInformation()
        {
            NtStatus status;
            int      retLength;

            var data = new MemoryAlloc(0x1000);

            status = Win32.NtQueryInformationResourceManager(
                this,
                ResourceManagerInformationClass.ResourceManagerBasicInformation,
                data,
                data.Size,
                out retLength
                );

            if (status == NtStatus.BufferTooSmall)
            {
                // Resize the buffer and try again.
                data.Resize(retLength);

                status = Win32.NtQueryInformationResourceManager(
                    this,
                    ResourceManagerInformationClass.ResourceManagerBasicInformation,
                    data,
                    data.Size,
                    out retLength
                    );
            }

            if (status >= NtStatus.Error)
            {
                data.Dispose();
                Win32.ThrowLastError(status);
            }

            return(data);
        }
Beispiel #9
0
        /// <summary>
        /// Creates a copy of the security descriptor in self-relative form.
        /// </summary>
        /// <returns>A new self-relative security descriptor.</returns>
        public SecurityDescriptor ToSelfRelative()
        {
            NtStatus status;
            int      retLength;

            using (var data = new MemoryAlloc(Win32.SecurityDescriptorMinLength))
            {
                retLength = data.Size;
                status    = Win32.RtlMakeSelfRelativeSD(this, data, ref retLength);

                if (status == NtStatus.BufferTooSmall)
                {
                    data.Resize(retLength);
                    status = Win32.RtlMakeSelfRelativeSD(this, data, ref retLength);
                }

                if (status >= NtStatus.Error)
                {
                    Win32.ThrowLastError(status);
                }

                return(new SecurityDescriptor(data));
            }
        }
Beispiel #10
0
        /// <summary>
        /// Gets the security descriptor of a kernel object.
        /// </summary>
        /// <param name="handle">A handle to a kernel object.</param>
        /// <param name="securityInformation">The information to retrieve.</param>
        /// <returns>A security descriptor.</returns>
        public static SecurityDescriptor GetSecurity(IntPtr handle, SecurityInformation securityInformation)
        {
            NtStatus status;
            int      retLength;

            using (var data = new MemoryAlloc(0x100))
            {
                status = Win32.NtQuerySecurityObject(
                    handle,
                    securityInformation,
                    data,
                    data.Size,
                    out retLength
                    );

                if (status == NtStatus.BufferTooSmall)
                {
                    data.Resize(retLength);

                    status = Win32.NtQuerySecurityObject(
                        handle,
                        securityInformation,
                        data,
                        data.Size,
                        out retLength
                        );
                }

                if (status >= NtStatus.Error)
                {
                    Win32.ThrowLastError(status);
                }

                return(new SecurityDescriptor(data));
            }
        }
 public SecurityDescriptor ToSelfRelative()
 {
     NtStatus status;
     int retLength;
     using (var data = new MemoryAlloc(Win32.SecurityDescriptorMinLength))
     {
         retLength = data.Size;
         status = Win32.RtlMakeSelfRelativeSD(this, data, ref retLength);
         if (status == NtStatus.BufferTooSmall)
         {
             data.Resize(retLength);
             status = Win32.RtlMakeSelfRelativeSD(this, data, ref retLength);
         }
         if (status >= NtStatus.Error)
             Win32.ThrowLastError(status);
         return new SecurityDescriptor(data);
     }
 }
        public string GetVariable(string name)
        {
            NtStatus status;
            UnicodeString nameStr;
            UnicodeString valueStr;

            nameStr = new UnicodeString(name);

            try
            {
                using (var data = new MemoryAlloc(100))
                {
                    valueStr = new UnicodeString();
                    valueStr.Buffer = data;
                    valueStr.MaximumLength = (ushort)data.Size;

                    status = Win32.RtlQueryEnvironmentVariable_U(
                        this,
                        ref nameStr,
                        ref valueStr
                        );

                    if (status == NtStatus.BufferTooSmall)
                    {

                        data.Resize(valueStr.Length + 2);
                        valueStr.Buffer = data;
                        valueStr.MaximumLength = (ushort)(valueStr.Length + 2);

                        status = Win32.RtlQueryEnvironmentVariable_U(
                            this,
                            ref nameStr,
                            ref valueStr
                            );
                    }

                    if (status >= NtStatus.Error)
                        Win32.ThrowLastError(status);

                    return valueStr.Read();
                }
            }
            finally
            {
                nameStr.Dispose();
            }
        }
        public void EnumObjects(EnumObjectsDelegate callback)
        {
            NtStatus status;
            int      context   = 0;
            bool     firstTime = true;
            int      retLength;

            using (var data = new MemoryAlloc(0x200))
            {
                while (true)
                {
                    while ((status = Win32.NtQueryDirectoryObject(
                                this,
                                data,
                                data.Size,
                                false,
                                firstTime,
                                ref context,
                                out retLength
                                )) == NtStatus.MoreEntries)
                    {
                        // Check if we have at least one entry. If not,
                        // we need to double the buffer size and try again.
                        if (data.ReadStruct <ObjectDirectoryInformation>(0).Name.Buffer != IntPtr.Zero)
                        {
                            break;
                        }

                        if (data.Size > 16 * 1024 * 1024)
                        {
                            Win32.ThrowLastError(status);
                        }

                        data.Resize(data.Size * 2);
                    }

                    if (status >= NtStatus.Error)
                    {
                        Win32.ThrowLastError(status);
                    }

                    int i = 0;

                    while (true)
                    {
                        ObjectDirectoryInformation info = data.ReadStruct <ObjectDirectoryInformation>(i);

                        if (info.Name.Buffer == IntPtr.Zero)
                        {
                            break;
                        }

                        if (!callback(new ObjectEntry(info.Name.Read(), info.TypeName.Read())))
                        {
                            return;
                        }

                        i++;
                    }

                    if (status != NtStatus.MoreEntries)
                    {
                        break;
                    }

                    firstTime = false;
                }
            }
        }
        /// <summary>
        /// Gets the security descriptor of a kernel object.
        /// </summary>
        /// <param name="handle">A handle to a kernel object.</param>
        /// <param name="securityInformation">The information to retrieve.</param>
        /// <returns>A security descriptor.</returns>
        public static SecurityDescriptor GetSecurity(IntPtr handle, SecurityInformation securityInformation)
        {
            NtStatus status;
            int retLength;

            using (var data = new MemoryAlloc(0x100))
            {
                status = Win32.NtQuerySecurityObject(
                    handle,
                    securityInformation,
                    data,
                    data.Size,
                    out retLength
                    );

                if (status == NtStatus.BufferTooSmall)
                {
                    data.Resize(retLength);

                    status = Win32.NtQuerySecurityObject(
                        handle,
                        securityInformation,
                        data,
                        data.Size,
                        out retLength
                        );
                }

                if (status >= NtStatus.Error)
                    Win32.ThrowLastError(status);

                return new SecurityDescriptor(data);
            }
        }