C# (CSharp) UNICODE_STRING.ToString Beispiele

Beispiel #1

        public Result <string> GetLinkTarget()
        {
            var type = NtdllHelper.GetObjectType(Name);

            if (type != "SymbolicLink")
            {
                return(Result <string> .Failed("Not a symbolic link"));
            }

            var objectAttributes = new OBJECT_ATTRIBUTES(Name, 0);
            var status           = Ntdll.NtOpenSymbolicLinkObject(
                out var linkHandle,
                ACCESS_MASK.GENERIC_READ,
                ref objectAttributes);

            if (status < 0)
            {
                return(Result <string> .Failed("Open file failed with status " + status));
            }

            using (linkHandle)
            {
                var targetBuffer = new UNICODE_STRING(new string(' ', 512));
                status = Ntdll.NtQuerySymbolicLinkObject(
                    linkHandle,
                    ref targetBuffer,
                    out var len);
                return(status < 0
                                        ? Result <string> .Failed("Query link failed with status " + status)
                                        : Result <string> .Succeeded(targetBuffer.ToString()));
            }
        }

Beispiel #2

 public unsafe void ToUpperInvariant(string value, string expected)
 {
     using (var buffer = new StringBuffer(value))
     {
         UNICODE_STRING s = buffer.ToUnicodeString();
         StringMethods.ToUpperInvariant(ref s);
         s.ToString().Should().Be(expected);
     }
 }

Beispiel #3

        public static IEnumerable <ObjectInformation> GetDirectoryEntries(SafeDirectoryObjectHandle directoryHandle)
        {
            List <ObjectInformation> infos = new List <ObjectInformation>();

            BufferHelper.CachedInvoke((StringBuffer buffer) =>
            {
                buffer.EnsureCharCapacity(1024);

                uint context = 0;
                uint returnLength;
                NTSTATUS status;

                do
                {
                    status = Direct.NtQueryDirectoryObject(
                        DirectoryHandle: directoryHandle,
                        Buffer: buffer,
                        Length: (uint)buffer.ByteCapacity,
                        ReturnSingleEntry: false,
                        RestartScan: false,
                        Context: ref context,
                        ReturnLength: out returnLength);

                    if (status != NTSTATUS.STATUS_SUCCESS && status != NTSTATUS.STATUS_MORE_ENTRIES)
                    {
                        break;
                    }

                    CheckedReader reader = new CheckedReader(buffer);

                    do
                    {
                        UNICODE_STRING name = reader.ReadStruct <UNICODE_STRING>();
                        if (name.Length == 0)
                        {
                            break;
                        }
                        UNICODE_STRING type = reader.ReadStruct <UNICODE_STRING>();

                        infos.Add(new ObjectInformation
                        {
                            Name     = name.ToString(),
                            TypeName = type.ToString()
                        });
                    } while (true);
                } while (status == NTSTATUS.STATUS_MORE_ENTRIES);

                if (status != NTSTATUS.STATUS_SUCCESS)
                {
                    throw ErrorHelper.GetIoExceptionForNTStatus(status);
                }
            });

            return(infos.OrderBy(i => i.Name));;
        }

Beispiel #4

        public bool TryGetSymbolicLinkTarget(out string result, out NtStatus returnCode)
        {
            if (Type != WellKnownType.SymbolicLink)
            {
                throw new InvalidOperationException($"Not a symbolic link, was {Type}");
            }

            OBJECT_ATTRIBUTES attrib = new OBJECT_ATTRIBUTES(FullName, 0);

            returnCode = Win32.NtOpenSymbolicLinkObject(out SafeFileHandle handle, DirectoryAccessEnum.DIRECTORY_QUERY, ref attrib);

            using (handle)
            {
                UNICODE_STRING target = new UNICODE_STRING();
                returnCode = Win32.NtQuerySymbolicLinkObject(handle, ref target, out int retLength);

                if (returnCode == NtStatus.STATUS_SUCCESS)
                {
                    result = target.ToString();
                    return(returnCode == NtStatus.STATUS_SUCCESS);
                }

                if (returnCode != NtStatus.STATUS_BUFFER_TOO_SMALL)
                {
                    result = null;
                    return(false);
                }

                target     = new UNICODE_STRING((ushort)retLength);
                returnCode = Win32.NtQuerySymbolicLinkObject(handle, ref target, out retLength);

                if (returnCode != NtStatus.STATUS_SUCCESS)
                {
                    result = null;
                    return(false);
                }

                result = target.ToString();

                if (result.Contains(";"))
                {
                    result = result.Substring(0, result.IndexOf(';'));
                }

                if (result.EndsWith("\\"))
                {
                    result = result.Substring(0, result.Length - 1);
                }

                return(true);
            }
        }

Beispiel #5

Datei: p0wnedMasq.cs Projekt: yuanxiangyua/p0wnedShell

        public static bool RtlInitUnicodeString(IntPtr procHandle, IntPtr lpDestAddress, string pebParam, string masqBinary)
        {
            // Create new UNICODE_STRING Structure
            UNICODE_STRING masq = new UNICODE_STRING(masqBinary);

            // Create a pointer to a unmanaged Structure
            IntPtr masqPtr = StructureToPtr(masq);

            // Change access protection of a memory region to -> PAGE_EXECUTE_READWRITE
            IntPtr lpflOldProtect         = IntPtr.Zero;
            uint   PAGE_EXECUTE_READWRITE = 0x40;

            if (!VirtualProtectEx(procHandle, lpDestAddress, (uint)Marshal.SizeOf(typeof(UNICODE_STRING)), PAGE_EXECUTE_READWRITE, ref lpflOldProtect))
            {
                return(false);
            }

            // Overwrite PEB UNICODE_STRING Structure
            IntPtr lpNumberOfBytesWritten = IntPtr.Zero;

            if (!WriteProcessMemory(procHandle, lpDestAddress, masqPtr, (uint)Marshal.SizeOf(typeof(UNICODE_STRING)), ref lpNumberOfBytesWritten))
            {
                return(false);
            }

            // Read new Masq into UNICODE_STRING Structure
            UNICODE_STRING NewMasq    = new UNICODE_STRING();
            IntPtr         NewMasqPtr = StructureToPtr(NewMasq);

            IntPtr lpNumberOfBytesRead = IntPtr.Zero;

            if (!ReadProcessMemory(procHandle, lpDestAddress, NewMasqPtr, Marshal.SizeOf(typeof(UNICODE_STRING)), out lpNumberOfBytesRead))
            {
                return(false);
            }
            NewMasq = PtrToStructure <UNICODE_STRING>(NewMasqPtr);

            // Free Unmanged Memory
            FreeHandle(masqPtr);

            if (NewMasq.ToString() != masqBinary)
            {
                return(false);
            }

            return(true);
        }

Beispiel #6

Datei: PasswordPolicySamServer.cs Projekt: solind/modSIC

        public IEnumerable <string> EnumerateDomains()
        {
            int cookie = 0;

            while (true)
            {
                IntPtr info;
                int    count;
                var    status = SamEnumerateDomainsInSamServer(_handle, ref cookie, out info, 1, out count);
                if (status != NTSTATUS.STATUS_SUCCESS && status != NTSTATUS.STATUS_MORE_ENTRIES)
                {
                    Check(status);
                }

                if (count == 0)
                {
                    break;
                }

                UNICODE_STRING us = (UNICODE_STRING)Marshal.PtrToStructure(info + 8, typeof(UNICODE_STRING));
                SamFreeMemory(info);
                yield return(us.ToString());
            }
        }

Beispiel #7

Datei: ProcessHelper.cs Projekt: MetalMynds/FlatGlass

        public static String GetProcessCommand(IntPtr Handle)
        {
            var objStr = new UNICODE_STRING(new string(' ', 512));

            //var objStr = new UNICODE_STRING();
            //IntPtr ipStr = IntPtr.Zero;
            String result = String.Empty;

            int pSize = 0;

            try
            {

                //IntPtr ipTemp = IntPtr.Zero;

                //String s = String.Empty;
                //s = s.PadLeft(512, ' ');

                //objStr.Length = (ushort)(s.Length * 2);
                //objStr.MaximumLength = (ushort)(objStr.Length + 2);
                //objStr.Buffer = Marshal.StringToHGlobalUni(s);

                //ipStr = Marshal.AllocHGlobal(Marshal.SizeOf(objStr));
                if (-1 != NtQueryInformationProcess(Handle, PROCESSINFOCLASS.ProcessImageFileName, ref objStr, Marshal.SizeOf(objStr), ref pSize))
                {
                    //objStr = (UNICODE_STRING)Marshal.PtrToStructure(ipStr, objStr.GetType());

                    //if (Is64Bits())
                    //{
                    //    ipTemp = new IntPtr(Convert.ToInt64(objStr.Buffer.ToString(), 10) >> 32);
                    //}
                    //else
                    //{
                    //    ipTemp = objStr.Buffer;
                    //}

                    //result = Marshal.PtrToStringUni(ipTemp, objStr.Length >> 1);
                    result = objStr.ToString();
                    objStr.Dispose();
                    //str.Dispose();

                    return result;
                    //return String.Empty;
                }
                else
                {
                    return String.Empty;
                }
            }
            catch
            {
                return String.Empty;
            }
            finally
            {
                //Marshal.FreeHGlobal(ipStr);
            }
        }