private ProcessInformation CreateProcessWithStartInfo(SimpleProcessStartupInfo simpleProcessStartupInfo, CreateProcessOptions options) {
Logger.LogInfo("CreateProcessWithStartInfo: Entry point.");
var stringBuilder = BuildCommandLine(simpleProcessStartupInfo.FileName, simpleProcessStartupInfo.Arguments);
Logger.LogInfo("CreateProcessWithStartInfo: command line is {0}.", stringBuilder);
using (var startupInfo = new STARTUPINFO()) {
Logger.LogInfo("CreateProcessWithStartInfo: Creation flags.");
ProcessCreationFlags processCreationFlags = 0;
if (simpleProcessStartupInfo.CreateNoWindow) {
processCreationFlags |= ProcessCreationFlags.CREATE_NO_WINDOW;
}
if ((options & CreateProcessOptions.BreakAwayFromJob) != 0) {
processCreationFlags |= ProcessCreationFlags.CREATE_BREAKAWAY_FROM_JOB;
}
var workingDirectory = simpleProcessStartupInfo.WorkingDirectory;
if (workingDirectory == string.Empty) {
workingDirectory = Environment.CurrentDirectory;
}
Logger.LogInfo("CreateProcessWithStartInfo: Working directory: {0}.", workingDirectory);
if ((options & CreateProcessOptions.AttachDebugger) != 0) {
Logger.LogInfo("CreateProcessWithStartInfo: Setting DEBUG_PROCESS flag.");
processCreationFlags |= ProcessCreationFlags.DEBUG_PROCESS;
processCreationFlags |= ProcessCreationFlags.DEBUG_ONLY_THIS_PROCESS;
}
Logger.LogInfo("CreateProcessWithStartInfo: Calling Win32 CreateProcess.");
var processInformation = new PROCESS_INFORMATION();
var environmentPtr = IntPtr.Zero;
var lastError = 0;
var success = NativeMethods.CreateProcess(null, stringBuilder, null, null, true, processCreationFlags,
environmentPtr, workingDirectory, startupInfo, processInformation);
Logger.LogInfo("CreateProcessWithStartInfo: CreateProcess result: Success={0}-LastError={1}.", success, Marshal.GetLastWin32Error());
if (!success) {
lastError = Marshal.GetLastWin32Error();
}
// Assign safe handles as quickly as possible to avoid leaks.
var safeProcessHandle = new SafeProcessHandle(processInformation.hProcess);
var safeThreadHandle = new SafeProcessHandle(processInformation.hThread);
if (!success) {
throw new LastWin32ErrorException(lastError, string.Format("Error creating process from file \"{0}\"", simpleProcessStartupInfo.FileName));
}
if (safeProcessHandle.IsInvalid || safeThreadHandle.IsInvalid) {
Logger.LogInfo("CreateProcessWithStartInfo: Invalid process handle.");
throw new Exception(string.Format("Error creating process from file \"{0}\" (invalid process handle)", simpleProcessStartupInfo.FileName));
}
Logger.LogInfo("CreateProcessWithStartInfo: Creating ProcessResult instance.");
var processResult = new ProcessInformation {
ProcessHandle = safeProcessHandle,
ProcessId = processInformation.dwProcessId
};
safeThreadHandle.Close();
Logger.LogInfo("CreateProcessWithStartInfo: Success!");
return processResult;
}
}
public int StartProcess(IList <string> procargs)
{
var pi = new WinProcesses.PROCESS_INFORMATION();
var si = new WinProcesses.STARTUPINFO();
var processCreationFlags = WinProcesses.ProcessCreationFlags.CREATE_UNICODE_ENVIRONMENT | WinProcesses.ProcessCreationFlags.CREATE_SUSPENDED;
if (spawnNewConsoleWindow)
{
processCreationFlags |= WinProcesses.ProcessCreationFlags.CREATE_NEW_CONSOLE;
}
CheckResult(WinProcesses.NativeMethods.CreateProcess(null, new StringBuilder(string.Join(" ", procargs)), null, null, false,
processCreationFlags, GetEnvironmentString(), null, si, pi));
hProcess = new WinProcesses.SafeProcessHandle(pi.hProcess);
AssignProcessToJobObject();
// resume process main thread
CheckResult(WinProcesses.NativeMethods.ResumeThread(pi.hThread));
// and we can close the thread handle
CloseHandle(pi.hThread);
return(WaitForTheJobToComplete());
}
public int StartProcessUnderDebuggerAndDetach(IList <string> procargs)
{
var pi = new WinProcesses.PROCESS_INFORMATION();
var si = new WinProcesses.STARTUPINFO();
var processCreationFlags = WinProcesses.ProcessCreationFlags.CREATE_UNICODE_ENVIRONMENT | WinProcesses.ProcessCreationFlags.DEBUG_ONLY_THIS_PROCESS;
if (spawnNewConsoleWindow)
{
processCreationFlags |= WinProcesses.ProcessCreationFlags.CREATE_NEW_CONSOLE;
}
CheckResult(WinProcesses.NativeMethods.CreateProcess(null, new StringBuilder(string.Join(" ", procargs)), null, null, false,
processCreationFlags, GetEnvironmentString(), null, si, pi));
hProcess = new WinProcesses.SafeProcessHandle(pi.hProcess);
CheckResult(WinDebug.NativeMethods.DebugSetProcessKillOnExit(false));
AssignProcessToJobObject();
// resume process main thread by detaching from the debuggee
CheckResult(WinDebug.NativeMethods.DebugActiveProcessStop(pi.dwProcessId));
// and we can close the thread handle
CloseHandle(pi.hThread);
return(WaitForTheJobToComplete());
}
public void AttachToProcess(int pid)
{
hProcess = CheckResult(WinProcesses.NativeMethods.OpenProcess(WinProcesses.ProcessAccessFlags.All, false, pid));
AssignProcessToJobObject();
WaitForTheJobToComplete();
}
public int AttachToProcess(int pid)
{
using (new DebugPrivilege(logger)) {
hProcess = CheckResult(WinProcesses.NativeMethods.OpenProcess(
WinProcesses.ProcessAccessFlags.ProcessSetQuota | WinProcesses.ProcessAccessFlags.ProcessTerminate |
WinProcesses.ProcessAccessFlags.QueryInformation, false, pid));
}
AssignProcessToJobObject();
return(WaitForTheJobToComplete());
}
public bool Launch()
{
if (CanLaunch() == false)
{
throw new Exception("Unable to launch in this state");
}
if (args.Length == 0)
{
return(false);
}
var DebugCreationFlags =
WinProcesses.ProcessCreationFlags.DEBUG_ONLY_THIS_PROCESS |
WinProcesses.ProcessCreationFlags.CREATE_NEW_CONSOLE;
var launchArgs = new StringBuilder(string.Join(" ", args));
bool bRet = WinProcesses.NativeMethods.CreateProcess
(
null,
launchArgs,
null,
null,
false,
DebugCreationFlags,
null,
null,
stStartInfo,
stProcessInfo
);
if (bRet == true)
{
// Store so they can be marshalled and closed correctly
hProcess = new WinProcesses.SafeProcessHandle(stProcessInfo.hProcess);
hThread = new WinProcesses.SafeThreadHandle(stProcessInfo.hThread);
bContinue = true;
State = RunState.Running;
}
else
{
throw new Exception($"Failed to launch loader '{launchArgs}'");
}
return(bRet);
}
public void StartSuspended()
{
var pi = new WinProcesses.PROCESS_INFORMATION();
var si = new WinProcesses.STARTUPINFO();
var processCreationFlags = WinProcesses.ProcessCreationFlags.CREATE_SUSPENDED;
if (SpawnNewConsoleWindow)
{
processCreationFlags |= WinProcesses.ProcessCreationFlags.CREATE_NEW_CONSOLE;
}
if (!WinProcesses.NativeMethods.CreateProcess(null, new StringBuilder(string.Join(" ", args)), null, null, false,
processCreationFlags, null, null, si, pi))
{
throw new Win32Exception("Error while creating a new process.");
}
hProcess = new WinProcesses.SafeProcessHandle(pi.hProcess);
pid = pi.dwProcessId;
hThread = new WinProcesses.SafeThreadHandle(pi.hThread);
}
// Reads native process info from a 64/32-bit process in the case where the target architecture
// of this process is the same as that of the target process.
private bool LoadProcessInfoNative(SafeProcessHandle handle, ProcessAccessFlags flags) {
ProcessBasicInformation basicInfo = new ProcessBasicInformation();
int size;
int status = NativeMethods.NtQueryInformationProcess(
handle,
ProcessInfoClass.BasicInformation,
ref basicInfo,
MarshalUtility.UnmanagedStructSize<ProcessBasicInformation>(),
out size);
_parentProcessId = basicInfo.ParentProcessId.ToInt32();
// If we can't load the ProcessBasicInfo, then we can't really do anything.
if (status != NtStatus.Success || basicInfo.PebBaseAddress == IntPtr.Zero)
return false;
if (flags.HasFlag(ProcessAccessFlags.VmRead)) {
// Follows a pointer from the PROCESS_BASIC_INFORMATION structure in the target process's
// address space to read the PEB.
Peb peb = MarshalUtility.ReadUnmanagedStructFromProcess<Peb>(
handle,
basicInfo.PebBaseAddress);
_isBeingDebugged = peb.IsBeingDebugged;
if (peb.ProcessParameters != IntPtr.Zero) {
// Follows a pointer from the PEB structure in the target process's address space to read
// the RTL_USER_PROCESS_PARAMS.
RtlUserProcessParameters processParameters = new RtlUserProcessParameters();
processParameters = MarshalUtility.ReadUnmanagedStructFromProcess<RtlUserProcessParameters>(
handle,
peb.ProcessParameters);
_commandLine = MarshalUtility.ReadStringUniFromProcess(
handle,
processParameters.CommandLine.Buffer,
processParameters.CommandLine.Length / 2);
}
}
return true;
}
public static extern bool GetExitCodeProcess(SafeProcessHandle hProcess, out int lpExitCode);
// Reads native process info from a 64-bit process in the case where this function is executing
// in a 32-bit process.
private bool LoadProcessInfoWow64(SafeProcessHandle handle, ProcessAccessFlags flags)
{
ulong pebSize = (ulong)MarshalUtility.UnmanagedStructSize<PebWow64>();
ulong processParamsSize =
(ulong)MarshalUtility.UnmanagedStructSize<RtlUserProcessParametersWow64>();
// Read PROCESS_BASIC_INFORMATION up to and including the pointer to PEB structure.
int processInfoSize =
MarshalUtility.UnmanagedStructSize<ProcessBasicInformationWow64>();
ProcessBasicInformationWow64 pbi = new ProcessBasicInformationWow64();
int result = NativeMethods.NtWow64QueryInformationProcess64(
handle,
ProcessInfoClass.BasicInformation,
ref pbi,
processInfoSize,
out processInfoSize);
if (result != 0)
return false;
_parentProcessId = (int)pbi.ParentProcessId;
Debug.Assert((int)pbi.UniqueProcessId == _processId);
if (flags.HasFlag(ProcessAccessFlags.VmRead)) {
IntPtr pebBuffer = IntPtr.Zero;
IntPtr processParametersBuffer = IntPtr.Zero;
IntPtr commandLineBuffer = IntPtr.Zero;
try {
pebBuffer = Marshal.AllocHGlobal((int)pebSize);
// Read PEB up to and including the pointer to RTL_USER_PROCESS_PARAMETERS
// structure.
result = NativeMethods.NtWow64ReadVirtualMemory64(
handle,
pbi.PebBaseAddress,
pebBuffer,
pebSize,
out pebSize);
if (result != 0)
return false;
PebWow64 peb = (PebWow64)Marshal.PtrToStructure(pebBuffer, typeof(PebWow64));
_isBeingDebugged = peb.IsBeingDebugged;
processParametersBuffer = Marshal.AllocHGlobal((int)processParamsSize);
result = NativeMethods.NtWow64ReadVirtualMemory64(
handle,
peb.ProcessParameters,
processParametersBuffer,
processParamsSize,
out processParamsSize);
if (result != 0)
return false;
RtlUserProcessParametersWow64 processParameters = (RtlUserProcessParametersWow64)
Marshal.PtrToStructure(
processParametersBuffer,
typeof(RtlUserProcessParametersWow64));
ulong commandLineBufferSize = (ulong)processParameters.CommandLine.MaximumLength;
commandLineBuffer = Marshal.AllocHGlobal((int)commandLineBufferSize);
result = NativeMethods.NtWow64ReadVirtualMemory64(
handle,
processParameters.CommandLine.Buffer,
commandLineBuffer,
commandLineBufferSize,
out commandLineBufferSize);
if (result != 0)
return false;
_commandLine = Marshal.PtrToStringUni(commandLineBuffer);
} finally {
if (pebBuffer != IntPtr.Zero)
Marshal.FreeHGlobal(pebBuffer);
if (commandLineBuffer != IntPtr.Zero)
Marshal.FreeHGlobal(commandLineBuffer);
if (processParametersBuffer != IntPtr.Zero)
Marshal.FreeHGlobal(processParametersBuffer);
}
}
return true;
}
public static extern bool TerminateProcess(SafeProcessHandle hProcess, uint uExitCode);
public static extern bool GetProcessAffinityMask(SafeProcessHandle hProcess, out long lpProcessAffinityMask,
out long lpSystemAffinityMask);
public static extern bool ReadProcessMemory(SafeProcessHandle hProcess, IntPtr lpBaseAddress, [Out] byte[] buffer, uint size, out UInt32 lpNumberOfBytesRead);
public static extern int NtReadVirtualMemory(
SafeProcessHandle hProcess,
IntPtr baseAddress,
[Out] byte[] buffer,
uint size,
out uint lpNumberOfBytesRead);
public static extern int NtWow64ReadVirtualMemory64( SafeProcessHandle hProcess, ulong baseAddress, IntPtr buffer, ulong bufferSize, out ulong lpNumberOfBytesRead);
public static extern uint QueryFullProcessImageName( SafeProcessHandle hProcess, [MarshalAs(UnmanagedType.U4)] ProcessQueryImageNameMode flags, [Out] StringBuilder lpImageName, ref int size);
public static extern int NtReadVirtualMemory( SafeProcessHandle hProcess, IntPtr baseAddress, [Out] byte[] buffer, uint size, out uint lpNumberOfBytesRead);
public static extern int NtWow64QueryInformationProcess64(SafeProcessHandle hProcess, ProcessInfoClass pic, ref ProcessBasicInformationWow64 pbi, int cb, out int pSize);
private string QueryProcessImageName(SafeProcessHandle handle, ProcessQueryImageNameMode mode)
{
StringBuilder moduleBuffer = new StringBuilder(1024);
int size = moduleBuffer.Capacity;
NativeMethods.QueryFullProcessImageName(
handle, mode, moduleBuffer, ref size);
if (mode == ProcessQueryImageNameMode.NativeSystemFormat)
moduleBuffer.Insert(0, "\\\\?\\GLOBALROOT");
return moduleBuffer.ToString();
}
public static extern int NtWow64ReadVirtualMemory64(
SafeProcessHandle hProcess,
ulong baseAddress,
IntPtr buffer,
ulong bufferSize,
out ulong lpNumberOfBytesRead);
public static extern uint QueryFullProcessImageName(
SafeProcessHandle hProcess,
[MarshalAs(UnmanagedType.U4)] ProcessQueryImageNameMode flags,
[Out] StringBuilder lpImageName, ref int size);
public static extern int NtWow64QueryInformationProcess64(SafeProcessHandle hProcess, ProcessInfoClass pic, ref ProcessBasicInformationWow64 pbi, int cb, out int pSize);
public static extern bool ReadProcessMemory(SafeProcessHandle hProcess, IntPtr lpBaseAddress,
[Out] byte[] buffer, uint size, out UInt32 lpNumberOfBytesRead);
