Ejemplo n.º 1
        /// <summary>
        /// Opens a handle to <paramref name="p"/>, starts a thread in that process and
        /// returns the new thread's handle. The process handle is closed before returning.
        /// </summary>
        /// <param name="p">Process in which the thread is created.</param>
        /// <param name="address">Start address forwarded to the thread-creation helper.</param>
        /// <param name="param">Argument forwarded to the thread-creation helper.</param>
        /// <param name="flags">Creation flags; only forwarded on the pre-version-6 path.</param>
        /// <returns>The value returned by the selected thread-creation helper.</returns>
        /// <remarks>
        /// NOTE(review): the handle is requested with CreateThread, QueryInformation,
        /// VMOperation, VMRead and VMWrite rights. Nothing in this method reads or writes
        /// target memory, so confirm which rights the helpers need and narrow the mask
        /// accordingly (least privilege).
        /// NOTE(review): the returned handle is presumably owned by the caller and must be
        /// closed by it; only the process handle is released here.
        /// </remarks>
        public static IntPtr CreateRemoteThread(Process p, IntPtr address, IntPtr param, CreateThreadFlags flags)
        {
            var desiredAccess = ProcessAccessFlags.CreateThread
                                | ProcessAccessFlags.QueryInformation
                                | ProcessAccessFlags.VMOperation
                                | ProcessAccessFlags.VMRead
                                | ProcessAccessFlags.VMWrite;
            IntPtr processHandle = GetProcessHandle(p, desiredAccess);

            try
            {
                // OS major version 6 and later takes the NTDll helper; older systems
                // fall back to the overload that accepts creation flags.
                bool useNtDllPath = Environment.OSVersion.Version.Major >= 6;
                return useNtDllPath
                    ? NTDll.CreateRemoteThread(address, param, processHandle)
                    : CreateRemoteThread(address, param, flags, processHandle);
            }
            finally
            {
                // Runs on both the success and the exception path.
                CloseProcessHandle(processHandle);
            }
        }
Ejemplo n.º 2
        /// <summary>
        /// Reports whether the parent process id recorded for <paramref name="child"/>
        /// equals the id of <paramref name="parent"/>.
        /// </summary>
        /// <param name="parent">Candidate parent process.</param>
        /// <param name="child">Process whose recorded parent id is queried.</param>
        /// <returns>
        /// <c>true</c> when the ids match; <c>false</c> when they differ or when any
        /// exception is thrown while querying.
        /// </returns>
        /// <remarks>
        /// NOTE(review): the value returned by NtQueryInformationProcess is discarded, so a
        /// failed query is compared as a zero-initialised structure. Confirm the declared
        /// return type and check it.
        /// NOTE(review): this compares a recorded parent id only. Process ids can be reused
        /// once the original parent has exited, so a match does not prove parentage and
        /// should not be the sole input to a trust decision; comparing process start times
        /// as well is the usual hardening.
        /// </remarks>
        public static bool ProcessIsChildOf(Process parent, Process child)
        {
            PROCESS_BASIC_INFORMATION basicInfo = new PROCESS_BASIC_INFORMATION();

            try
            {
                uint bytesReturned;
                uint structSize = (uint)Marshal.SizeOf((object)basicInfo);

                // Information class 0 is presumably ProcessBasicInformation; verify against the NTDll declaration.
                NTDll.NtQueryInformationProcess(child.Handle, 0, ref basicInfo, structSize, out bytesReturned);

                return (long)basicInfo.InheritedFromUniqueProcessId == (long)parent.Id;
            }
            catch
            {
                // Any failure (for example an inaccessible or exited process) is reported as "not a child".
                return false;
            }
        }
Ejemplo n.º 3
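        /// <summary>
        /// Creates a thread in the process identified by <paramref name="handle"/> through
        /// <c>NTDll.NtCreateThreadEx</c> and returns the handle of the new thread.
        /// </summary>
        /// <param name="address">Start address passed to NtCreateThreadEx.</param>
        /// <param name="param">Argument passed to NtCreateThreadEx.</param>
        /// <param name="handle">Process handle passed to NtCreateThreadEx; it is not closed here.</param>
        /// <returns>The thread handle written by NtCreateThreadEx.</returns>
        /// <exception cref="Win32Exception">Thrown when no thread handle is returned.</exception>
        /// <remarks>
        /// The two unmanaged scratch buffers referenced by the attribute structure are now
        /// released on every path; previously they were allocated on each call and never freed.
        /// NOTE(review): the returned thread handle is presumably owned by the caller and must
        /// be closed by it.
        /// </remarks>
        public static IntPtr CreateRemoteThread(IntPtr address, IntPtr param, IntPtr handle)
        {
            // Kept in locals so they can be freed even if the callee rewrites the out structure.
            IntPtr firstScratch = IntPtr.Zero;
            IntPtr secondScratch = IntPtr.Zero;

            try
            {
                firstScratch = Marshal.AllocHGlobal(4);
                secondScratch = Marshal.AllocHGlobal(4);

                NTDll.NtCreateThreadExBuffer outlpvBytesBuffer = new NTDll.NtCreateThreadExBuffer();
                outlpvBytesBuffer.Size     = Marshal.SizeOf((object)outlpvBytesBuffer);
                outlpvBytesBuffer.Unknown1 = 65539UL;
                // NOTE(review): Unknown2 is 8 while the buffer stored in Unknown3 is 4 bytes.
                // If Unknown2 is that buffer's length, the allocation is too small - confirm
                // against the structure definition before relying on this.
                outlpvBytesBuffer.Unknown2 = 8UL;
                outlpvBytesBuffer.Unknown3 = firstScratch;
                outlpvBytesBuffer.Unknown4 = 0UL;
                outlpvBytesBuffer.Unknown5 = 65540UL;
                outlpvBytesBuffer.Unknown6 = 4UL;
                outlpvBytesBuffer.Unknown7 = secondScratch;
                outlpvBytesBuffer.Unknown8 = 0UL;
                IntPtr outhThread = IntPtr.Zero;

                // 2097151 == 0x1FFFFF, presumably an all-access mask for the new thread handle;
                // a narrower mask would follow least privilege if callers need less.
                NTDll.NtCreateThreadEx(out outhThread, 2097151, IntPtr.Zero, handle, address, param, false, 0UL, 0UL, 0UL, out outlpvBytesBuffer);
                if (outhThread == IntPtr.Zero)
                {
                    // NOTE(review): the call's own return value is not inspected here; whether
                    // GetLastWin32Error is meaningful depends on the P/Invoke declaration - confirm.
                    throw new Win32Exception(Marshal.GetLastWin32Error());
                }
                return(outhThread);
            }
            finally
            {
                if (firstScratch != IntPtr.Zero)
                {
                    Marshal.FreeHGlobal(firstScratch);
                }
                if (secondScratch != IntPtr.Zero)
                {
                    Marshal.FreeHGlobal(secondScratch);
                }
            }
        }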