Ejemplo n.º 1
0
    /// <summary>
    /// Reads the Thread Basic Information (TBI) struct of a process.
    /// </summary>
    /// <param name="process">The process to read.</param>
    /// <returns>Returns a 32 bit Thread Basic Information (TBI) struct equivalent.</returns>
    public static PInvokeStuff.THREAD_BASIC_INFORMATION GetTBI(Process process)
    {
        IntPtr hThread = PInvokeStuff.OpenThread(PInvokeStuff.ThreadAccess.QueryInformation, false, (uint)process.Threads.OfType <ProcessThread>().First().Id);

        if (hThread == null) // Some implementations on StackExchange compare against IntPtr.zero - but MSDN says it returns null, not null pointer
        {
            throw new Exceptions.PInvokeException(nameof(GetTBI), nameof(PInvokeStuff.OpenThread), Marshal.GetLastWin32Error());
        }

        try
        {
            PInvokeStuff.THREAD_BASIC_INFORMATION tbi = new PInvokeStuff.THREAD_BASIC_INFORMATION();
            int result = PInvokeStuff.NtQueryInformationThread(hThread, PInvokeStuff.ThreadInfoClass.ThreadBasicInformation, out tbi, (uint)Marshal.SizeOf(tbi));
            // NtQueryInformationThread returns nonzero (NTSTATUS) if failed
            if (result != 0)
            {
                throw new Exceptions.PInvokeException(nameof(GetTBI), nameof(PInvokeStuff.NtQueryInformationThread), result);
            }

            return(tbi);
        }
        finally
        {
            PInvokeStuff.CloseHandle(hThread);
        }
    }
Ejemplo n.º 2
0
    /// <summary>
    /// Reads the NT_TIB area of a process, into an incomplete 32 bit representation of the original struct.
    /// </summary>
    /// <param name="process">The process to read.</param>
    /// <returns>Returns an incomplete 32 bit representation of NT_TIB.</returns>
    public static PInvokeStuff.NT_TIB GetTIB(Process process)
    {
        // Read TBI - prerequise for TIB
        PInvokeStuff.THREAD_BASIC_INFORMATION tbi = GetTBI(process);

        // Read NT_TIB equivalent memory area of the process directly into our NT_TIB struct
        PInvokeStuff.NT_TIB tib = ReadToType <PInvokeStuff.NT_TIB>(process.Handle, tbi.TebBaseAddress);

        return(tib);
    }