private ProcessInformation CreateProcessWithStartInfo(SimpleProcessStartupInfo simpleProcessStartupInfo, CreateProcessOptions options) { Logger.LogInfo("CreateProcessWithStartInfo: Entry point."); var stringBuilder = BuildCommandLine(simpleProcessStartupInfo.FileName, simpleProcessStartupInfo.Arguments); Logger.LogInfo("CreateProcessWithStartInfo: command line is {0}.", stringBuilder); using (var startupInfo = new STARTUPINFO()) { Logger.LogInfo("CreateProcessWithStartInfo: Creation flags."); ProcessCreationFlags processCreationFlags = 0; if (simpleProcessStartupInfo.CreateNoWindow) { processCreationFlags |= ProcessCreationFlags.CREATE_NO_WINDOW; } if ((options & CreateProcessOptions.BreakAwayFromJob) != 0) { processCreationFlags |= ProcessCreationFlags.CREATE_BREAKAWAY_FROM_JOB; } var workingDirectory = simpleProcessStartupInfo.WorkingDirectory; if (workingDirectory == string.Empty) { workingDirectory = Environment.CurrentDirectory; } Logger.LogInfo("CreateProcessWithStartInfo: Working directory: {0}.", workingDirectory); if ((options & CreateProcessOptions.AttachDebugger) != 0) { Logger.LogInfo("CreateProcessWithStartInfo: Setting DEBUG_PROCESS flag."); processCreationFlags |= ProcessCreationFlags.DEBUG_PROCESS; processCreationFlags |= ProcessCreationFlags.DEBUG_ONLY_THIS_PROCESS; } Logger.LogInfo("CreateProcessWithStartInfo: Calling Win32 CreateProcess."); var processInformation = new PROCESS_INFORMATION(); var environmentPtr = IntPtr.Zero; var lastError = 0; var success = NativeMethods.CreateProcess(null, stringBuilder, null, null, true, processCreationFlags, environmentPtr, workingDirectory, startupInfo, processInformation); Logger.LogInfo("CreateProcessWithStartInfo: CreateProcess result: Success={0}-LastError={1}.", success, Marshal.GetLastWin32Error()); if (!success) { lastError = Marshal.GetLastWin32Error(); } // Assign safe handles as quickly as possible to avoid leaks. var safeProcessHandle = new SafeProcessHandle(processInformation.hProcess); var safeThreadHandle = new SafeProcessHandle(processInformation.hThread); if (!success) { throw new LastWin32ErrorException(lastError, string.Format("Error creating process from file \"{0}\"", simpleProcessStartupInfo.FileName)); } if (safeProcessHandle.IsInvalid || safeThreadHandle.IsInvalid) { Logger.LogInfo("CreateProcessWithStartInfo: Invalid process handle."); throw new Exception(string.Format("Error creating process from file \"{0}\" (invalid process handle)", simpleProcessStartupInfo.FileName)); } Logger.LogInfo("CreateProcessWithStartInfo: Creating ProcessResult instance."); var processResult = new ProcessInformation { ProcessHandle = safeProcessHandle, ProcessId = processInformation.dwProcessId }; safeThreadHandle.Close(); Logger.LogInfo("CreateProcessWithStartInfo: Success!"); return processResult; } }
public int StartProcess(IList <string> procargs) { var pi = new WinProcesses.PROCESS_INFORMATION(); var si = new WinProcesses.STARTUPINFO(); var processCreationFlags = WinProcesses.ProcessCreationFlags.CREATE_UNICODE_ENVIRONMENT | WinProcesses.ProcessCreationFlags.CREATE_SUSPENDED; if (spawnNewConsoleWindow) { processCreationFlags |= WinProcesses.ProcessCreationFlags.CREATE_NEW_CONSOLE; } CheckResult(WinProcesses.NativeMethods.CreateProcess(null, new StringBuilder(string.Join(" ", procargs)), null, null, false, processCreationFlags, GetEnvironmentString(), null, si, pi)); hProcess = new WinProcesses.SafeProcessHandle(pi.hProcess); AssignProcessToJobObject(); // resume process main thread CheckResult(WinProcesses.NativeMethods.ResumeThread(pi.hThread)); // and we can close the thread handle CloseHandle(pi.hThread); return(WaitForTheJobToComplete()); }
public int StartProcessUnderDebuggerAndDetach(IList <string> procargs) { var pi = new WinProcesses.PROCESS_INFORMATION(); var si = new WinProcesses.STARTUPINFO(); var processCreationFlags = WinProcesses.ProcessCreationFlags.CREATE_UNICODE_ENVIRONMENT | WinProcesses.ProcessCreationFlags.DEBUG_ONLY_THIS_PROCESS; if (spawnNewConsoleWindow) { processCreationFlags |= WinProcesses.ProcessCreationFlags.CREATE_NEW_CONSOLE; } CheckResult(WinProcesses.NativeMethods.CreateProcess(null, new StringBuilder(string.Join(" ", procargs)), null, null, false, processCreationFlags, GetEnvironmentString(), null, si, pi)); hProcess = new WinProcesses.SafeProcessHandle(pi.hProcess); CheckResult(WinDebug.NativeMethods.DebugSetProcessKillOnExit(false)); AssignProcessToJobObject(); // resume process main thread by detaching from the debuggee CheckResult(WinDebug.NativeMethods.DebugActiveProcessStop(pi.dwProcessId)); // and we can close the thread handle CloseHandle(pi.hThread); return(WaitForTheJobToComplete()); }
public void AttachToProcess(int pid) { hProcess = CheckResult(WinProcesses.NativeMethods.OpenProcess(WinProcesses.ProcessAccessFlags.All, false, pid)); AssignProcessToJobObject(); WaitForTheJobToComplete(); }
public int AttachToProcess(int pid) { using (new DebugPrivilege(logger)) { hProcess = CheckResult(WinProcesses.NativeMethods.OpenProcess( WinProcesses.ProcessAccessFlags.ProcessSetQuota | WinProcesses.ProcessAccessFlags.ProcessTerminate | WinProcesses.ProcessAccessFlags.QueryInformation, false, pid)); } AssignProcessToJobObject(); return(WaitForTheJobToComplete()); }
public bool Launch() { if (CanLaunch() == false) { throw new Exception("Unable to launch in this state"); } if (args.Length == 0) { return(false); } var DebugCreationFlags = WinProcesses.ProcessCreationFlags.DEBUG_ONLY_THIS_PROCESS | WinProcesses.ProcessCreationFlags.CREATE_NEW_CONSOLE; var launchArgs = new StringBuilder(string.Join(" ", args)); bool bRet = WinProcesses.NativeMethods.CreateProcess ( null, launchArgs, null, null, false, DebugCreationFlags, null, null, stStartInfo, stProcessInfo ); if (bRet == true) { // Store so they can be marshalled and closed correctly hProcess = new WinProcesses.SafeProcessHandle(stProcessInfo.hProcess); hThread = new WinProcesses.SafeThreadHandle(stProcessInfo.hThread); bContinue = true; State = RunState.Running; } else { throw new Exception($"Failed to launch loader '{launchArgs}'"); } return(bRet); }
public void StartSuspended() { var pi = new WinProcesses.PROCESS_INFORMATION(); var si = new WinProcesses.STARTUPINFO(); var processCreationFlags = WinProcesses.ProcessCreationFlags.CREATE_SUSPENDED; if (SpawnNewConsoleWindow) { processCreationFlags |= WinProcesses.ProcessCreationFlags.CREATE_NEW_CONSOLE; } if (!WinProcesses.NativeMethods.CreateProcess(null, new StringBuilder(string.Join(" ", args)), null, null, false, processCreationFlags, null, null, si, pi)) { throw new Win32Exception("Error while creating a new process."); } hProcess = new WinProcesses.SafeProcessHandle(pi.hProcess); pid = pi.dwProcessId; hThread = new WinProcesses.SafeThreadHandle(pi.hThread); }
// Reads native process info from a 64/32-bit process in the case where the target architecture // of this process is the same as that of the target process. private bool LoadProcessInfoNative(SafeProcessHandle handle, ProcessAccessFlags flags) { ProcessBasicInformation basicInfo = new ProcessBasicInformation(); int size; int status = NativeMethods.NtQueryInformationProcess( handle, ProcessInfoClass.BasicInformation, ref basicInfo, MarshalUtility.UnmanagedStructSize<ProcessBasicInformation>(), out size); _parentProcessId = basicInfo.ParentProcessId.ToInt32(); // If we can't load the ProcessBasicInfo, then we can't really do anything. if (status != NtStatus.Success || basicInfo.PebBaseAddress == IntPtr.Zero) return false; if (flags.HasFlag(ProcessAccessFlags.VmRead)) { // Follows a pointer from the PROCESS_BASIC_INFORMATION structure in the target process's // address space to read the PEB. Peb peb = MarshalUtility.ReadUnmanagedStructFromProcess<Peb>( handle, basicInfo.PebBaseAddress); _isBeingDebugged = peb.IsBeingDebugged; if (peb.ProcessParameters != IntPtr.Zero) { // Follows a pointer from the PEB structure in the target process's address space to read // the RTL_USER_PROCESS_PARAMS. RtlUserProcessParameters processParameters = new RtlUserProcessParameters(); processParameters = MarshalUtility.ReadUnmanagedStructFromProcess<RtlUserProcessParameters>( handle, peb.ProcessParameters); _commandLine = MarshalUtility.ReadStringUniFromProcess( handle, processParameters.CommandLine.Buffer, processParameters.CommandLine.Length / 2); } } return true; }
public static extern bool GetExitCodeProcess(SafeProcessHandle hProcess, out int lpExitCode);
// Reads native process info from a 64-bit process in the case where this function is executing // in a 32-bit process. private bool LoadProcessInfoWow64(SafeProcessHandle handle, ProcessAccessFlags flags) { ulong pebSize = (ulong)MarshalUtility.UnmanagedStructSize<PebWow64>(); ulong processParamsSize = (ulong)MarshalUtility.UnmanagedStructSize<RtlUserProcessParametersWow64>(); // Read PROCESS_BASIC_INFORMATION up to and including the pointer to PEB structure. int processInfoSize = MarshalUtility.UnmanagedStructSize<ProcessBasicInformationWow64>(); ProcessBasicInformationWow64 pbi = new ProcessBasicInformationWow64(); int result = NativeMethods.NtWow64QueryInformationProcess64( handle, ProcessInfoClass.BasicInformation, ref pbi, processInfoSize, out processInfoSize); if (result != 0) return false; _parentProcessId = (int)pbi.ParentProcessId; Debug.Assert((int)pbi.UniqueProcessId == _processId); if (flags.HasFlag(ProcessAccessFlags.VmRead)) { IntPtr pebBuffer = IntPtr.Zero; IntPtr processParametersBuffer = IntPtr.Zero; IntPtr commandLineBuffer = IntPtr.Zero; try { pebBuffer = Marshal.AllocHGlobal((int)pebSize); // Read PEB up to and including the pointer to RTL_USER_PROCESS_PARAMETERS // structure. result = NativeMethods.NtWow64ReadVirtualMemory64( handle, pbi.PebBaseAddress, pebBuffer, pebSize, out pebSize); if (result != 0) return false; PebWow64 peb = (PebWow64)Marshal.PtrToStructure(pebBuffer, typeof(PebWow64)); _isBeingDebugged = peb.IsBeingDebugged; processParametersBuffer = Marshal.AllocHGlobal((int)processParamsSize); result = NativeMethods.NtWow64ReadVirtualMemory64( handle, peb.ProcessParameters, processParametersBuffer, processParamsSize, out processParamsSize); if (result != 0) return false; RtlUserProcessParametersWow64 processParameters = (RtlUserProcessParametersWow64) Marshal.PtrToStructure( processParametersBuffer, typeof(RtlUserProcessParametersWow64)); ulong commandLineBufferSize = (ulong)processParameters.CommandLine.MaximumLength; commandLineBuffer = Marshal.AllocHGlobal((int)commandLineBufferSize); result = NativeMethods.NtWow64ReadVirtualMemory64( handle, processParameters.CommandLine.Buffer, commandLineBuffer, commandLineBufferSize, out commandLineBufferSize); if (result != 0) return false; _commandLine = Marshal.PtrToStringUni(commandLineBuffer); } finally { if (pebBuffer != IntPtr.Zero) Marshal.FreeHGlobal(pebBuffer); if (commandLineBuffer != IntPtr.Zero) Marshal.FreeHGlobal(commandLineBuffer); if (processParametersBuffer != IntPtr.Zero) Marshal.FreeHGlobal(processParametersBuffer); } } return true; }
public static extern bool TerminateProcess(SafeProcessHandle hProcess, uint uExitCode);
public static extern bool GetProcessAffinityMask(SafeProcessHandle hProcess, out long lpProcessAffinityMask, out long lpSystemAffinityMask);
public static extern bool ReadProcessMemory(SafeProcessHandle hProcess, IntPtr lpBaseAddress, [Out] byte[] buffer, uint size, out UInt32 lpNumberOfBytesRead);
public static extern int NtReadVirtualMemory( SafeProcessHandle hProcess, IntPtr baseAddress, [Out] byte[] buffer, uint size, out uint lpNumberOfBytesRead);
public static extern int NtWow64ReadVirtualMemory64( SafeProcessHandle hProcess, ulong baseAddress, IntPtr buffer, ulong bufferSize, out ulong lpNumberOfBytesRead);
public static extern uint QueryFullProcessImageName( SafeProcessHandle hProcess, [MarshalAs(UnmanagedType.U4)] ProcessQueryImageNameMode flags, [Out] StringBuilder lpImageName, ref int size);
public static extern int NtReadVirtualMemory( SafeProcessHandle hProcess, IntPtr baseAddress, [Out] byte[] buffer, uint size, out uint lpNumberOfBytesRead);
public static extern int NtWow64QueryInformationProcess64(SafeProcessHandle hProcess, ProcessInfoClass pic, ref ProcessBasicInformationWow64 pbi, int cb, out int pSize);
private string QueryProcessImageName(SafeProcessHandle handle, ProcessQueryImageNameMode mode) { StringBuilder moduleBuffer = new StringBuilder(1024); int size = moduleBuffer.Capacity; NativeMethods.QueryFullProcessImageName( handle, mode, moduleBuffer, ref size); if (mode == ProcessQueryImageNameMode.NativeSystemFormat) moduleBuffer.Insert(0, "\\\\?\\GLOBALROOT"); return moduleBuffer.ToString(); }
public static extern int NtWow64ReadVirtualMemory64( SafeProcessHandle hProcess, ulong baseAddress, IntPtr buffer, ulong bufferSize, out ulong lpNumberOfBytesRead);
public static extern uint QueryFullProcessImageName( SafeProcessHandle hProcess, [MarshalAs(UnmanagedType.U4)] ProcessQueryImageNameMode flags, [Out] StringBuilder lpImageName, ref int size);
public static extern int NtWow64QueryInformationProcess64(SafeProcessHandle hProcess, ProcessInfoClass pic, ref ProcessBasicInformationWow64 pbi, int cb, out int pSize);
public static extern bool ReadProcessMemory(SafeProcessHandle hProcess, IntPtr lpBaseAddress, [Out] byte[] buffer, uint size, out UInt32 lpNumberOfBytesRead);