/// <summary>
/// Constructor from an manged buffer.
/// </summary>
/// <param name="sid">A buffer containing a valid SID.</param>
/// <exception cref="NtException">Thrown if the buffer is not valid.</exception>
public Sid(byte[] sid)
{
using (SafeHGlobalBuffer buffer = new SafeHGlobalBuffer(sid))
{
InitializeFromPointer(buffer.DangerousGetHandle()).ToNtException();
}
}
/// <summary>
/// Constructor
/// </summary>
/// <param name="acl">Buffer containing an ACL in memory</param>
/// <param name="defaulted">True if the ACL was defaulted</param>
public Acl(byte[] acl, bool defaulted)
{
using (var buffer = new SafeHGlobalBuffer(acl))
{
InitializeFromPointer(buffer.DangerousGetHandle(), defaulted);
}
}
private NtResult <IContext> GetAmd64Context(ContextFlags flags, bool throw_on_error)
{
var context = new ContextAmd64
{
ContextFlags = flags
};
// Buffer needs to be 16 bytes aligned, so allocate some extract space in case.
using (var buffer = new SafeHGlobalBuffer(Marshal.SizeOf(context) + 16))
{
int write_ofs = 0;
long ptr = buffer.DangerousGetHandle().ToInt64();
// Almost certainly 16 byte aligned, but just in case.
if ((ptr & 0xF) != 0)
{
write_ofs = (int)(0x10 - (ptr & 0xF));
}
Marshal.StructureToPtr(context, buffer.DangerousGetHandle() + write_ofs, false);
var sbuffer = buffer.GetStructAtOffset <ContextAmd64>(write_ofs);
return(NtSystemCalls.NtGetContextThread(Handle, sbuffer).CreateResult(throw_on_error, () => sbuffer.Result).Cast <IContext>());
}
}
private IContext GetAmd64Context(ContextFlags flags)
{
var context = new ContextAmd64();
context.ContextFlags = flags;
// Buffer needs to be 16 bytes aligned, so allocate some extract space in case.
using (var buffer = new SafeHGlobalBuffer(Marshal.SizeOf(context) + 16))
{
int write_ofs = 0;
long ptr = buffer.DangerousGetHandle().ToInt64();
// Almost certainly 8 byte aligned, but just in case.
if ((ptr & 0xF) != 0)
{
write_ofs = (int)(0x10 - (ptr & 0xF));
}
Marshal.StructureToPtr(context, buffer.DangerousGetHandle() + write_ofs, false);
var sbuffer = buffer.GetStructAtOffset <ContextAmd64>(write_ofs);
NtSystemCalls.NtGetContextThread(Handle, sbuffer).ToNtException();
return(sbuffer.Result);
}
}
/// <summary>
/// Read structured memory array from a process.
/// </summary>
/// <param name="process">The process to read from.</param>
/// <param name="base_address">The base address in the process.</param>
/// <param name="count">The number of elements in the array to read.</param>
/// <returns>The read structure.</returns>
/// <exception cref="NtException">Thrown on error.</exception>
/// <typeparam name="T">Type of structure to read.</typeparam>
public static T[] ReadMemoryArray <T>(SafeKernelObjectHandle process, long base_address, int count) where T : new()
{
int element_size = Marshal.SizeOf(typeof(T));
using (var buffer = new SafeHGlobalBuffer(element_size * count))
{
NtSystemCalls.NtReadVirtualMemory(process,
new IntPtr(base_address), buffer, buffer.Length, out int return_length).ToNtException();
if (return_length != buffer.Length)
{
throw new NtException(NtStatus.STATUS_PARTIAL_COPY);
}
T[] result = new T[count];
for (int i = 0; i < count; ++i)
{
int offset = i * element_size;
result[i] = (T)Marshal.PtrToStructure(buffer.DangerousGetHandle() + offset, typeof(T));
}
return(result);
}
}
/// <summary>
/// Get a list of handles
/// </summary>
/// <param name="pid">A process ID to filter on. If -1 will get all handles</param>
/// <param name="allow_query">True to allow the handles returned to query for certain properties</param>
/// <returns>The list of handles</returns>
public static IEnumerable <NtHandle> GetHandles(int pid, bool allow_query)
{
SafeHGlobalBuffer handleInfo = new SafeHGlobalBuffer(0x10000);
try
{
NtStatus status = 0;
int return_length = 0;
while ((status = NtSystemCalls.NtQuerySystemInformation(SystemInformationClass.SystemHandleInformation,
handleInfo.DangerousGetHandle(),
handleInfo.Length,
out return_length)) == NtStatus.STATUS_INFO_LENGTH_MISMATCH)
{
int length = handleInfo.Length * 2;
handleInfo.Close();
handleInfo = new SafeHGlobalBuffer(length);
}
status.ToNtException();
IntPtr handleInfoBuf = handleInfo.DangerousGetHandle();
int handle_count = Marshal.ReadInt32(handleInfoBuf);
List <NtHandle> ret = new List <NtHandle>();
handleInfoBuf += IntPtr.Size;
for (int i = 0; i < handle_count; ++i)
{
SystemHandleTableInfoEntry entry = (SystemHandleTableInfoEntry)Marshal.PtrToStructure(handleInfoBuf, typeof(SystemHandleTableInfoEntry));
if (pid == -1 || entry.UniqueProcessId == pid)
{
ret.Add(new NtHandle(entry, allow_query));
}
handleInfoBuf += Marshal.SizeOf(typeof(SystemHandleTableInfoEntry));
}
return(ret);
}
finally
{
handleInfo.Close();
}
}
