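/// <summary>
/// Resolves four kernel symbols (MmNonPagedPoolStart, MmMaximumNonPagedPoolInBytes,
/// PsProcessType, PsThreadType) and reads the value stored at each address through
/// the KProcessHacker driver.
/// </summary>
/// <returns>
/// A <c>KVars</c> holding the resolved symbol addresses and the values read from them.
/// </returns>
private unsafe KVars GetKVars()
{
    SymbolProvider symbols = new SymbolProvider();

    try
    {
        symbols.LoadModule(Windows.KernelFileName, Windows.KernelBase);

        KVars vars = new KVars();

        vars.NonPagedPoolStartAddress = symbols.GetSymbolFromName("MmNonPagedPoolStart").Address.ToIntPtr();
        vars.NonPagedPoolSizeAddress = symbols.GetSymbolFromName("MmMaximumNonPagedPoolInBytes").Address.ToIntPtr();
        vars.PsProcessTypeAddress = symbols.GetSymbolFromName("PsProcessType").Address.ToIntPtr();
        vars.PsThreadTypeAddress = symbols.GetSymbolFromName("PsThreadType").Address.ToIntPtr();

        // NOTE(review): bytesRead is overwritten by every call and never compared with the
        // requested length, so a short read would leave a field partly filled - confirm
        // whether the driver call throws on failure before trusting these values.
        // NOTE(review): ToInt32() narrows each address to 32 bits; this looks like it
        // assumes a 32-bit kernel - confirm.
        int bytesRead;

        KProcessHacker.Instance.KphReadVirtualMemoryUnsafe(
            ProcessHandle.Current,
            vars.NonPagedPoolStartAddress.ToInt32(),
            &vars.NonPagedPoolStart,
            IntPtr.Size,
            out bytesRead
            );
        KProcessHacker.Instance.KphReadVirtualMemoryUnsafe(
            ProcessHandle.Current,
            vars.NonPagedPoolSizeAddress.ToInt32(),
            &vars.NonPagedPoolSize,
            sizeof(uint),
            out bytesRead
            );
        KProcessHacker.Instance.KphReadVirtualMemoryUnsafe(
            ProcessHandle.Current,
            vars.PsProcessTypeAddress.ToInt32(),
            &vars.PsProcessType,
            IntPtr.Size,
            out bytesRead
            );
        KProcessHacker.Instance.KphReadVirtualMemoryUnsafe(
            ProcessHandle.Current,
            vars.PsThreadTypeAddress.ToInt32(),
            &vars.PsThreadType,
            IntPtr.Size,
            out bytesRead
            );

        return vars;
    }
    finally
    {
        // Release the symbol provider even when a symbol lookup or a kernel read throws;
        // the original only disposed it on the success path.
        symbols.Dispose();
    }
}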
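/// <summary>
/// Unfinished scan of the non-paged pool for hidden objects. The feature is disabled:
/// the method always throws before doing any work.
/// </summary>
/// <exception cref="NotSupportedException">Always thrown.</exception>
private unsafe void ScanHiddenObjects()
{
    // The scan is disabled. Fail first, so that a disabled feature does not load kernel
    // symbols or issue driver-backed kernel memory reads (GetKVars) before bailing out.
    throw new NotSupportedException();

    // Everything below is unreachable; it is kept as the skeleton of the unfinished scan.
    KVars vars = this.GetKVars();
    int bytesRead;

    listHiddenObjects.Items.Clear();

    using (var currentPage = new MemoryAlloc(Windows.PageSize))
    {
        // Walk the range [NonPagedPoolStart, NonPagedPoolStart + NonPagedPoolSize) one page at a time.
        for (
            IntPtr address = vars.NonPagedPoolStart;
            address.CompareTo(vars.NonPagedPoolStart.Increment(vars.NonPagedPoolSize)) == -1;
            address = address.Increment(Windows.PageSize)
            )
        {
            try
            {
                KProcessHacker.Instance.KphReadVirtualMemoryUnsafe(
                    ProcessHandle.Current,
                    address.ToInt32(),
                    (IntPtr)currentPage,
                    Windows.PageSize,
                    out bytesRead
                    );
            }
            catch
            {
                // A page that cannot be read is skipped.
                // NOTE(review): the bare catch hides every other failure as well, and
                // bytesRead is never checked; narrow this before the scan is enabled.
                continue;
            }

            // Steps through the page in 8-byte increments; the per-slot check is not implemented.
            for (
                IntPtr inner = address;
                inner.CompareTo(address.Increment(Windows.PageSize)) == -1;
                inner = inner.Increment(8)
                )
            {
            }

            labelObjectsScanProgress.Text = string.Format("Scanned 0x{0:x8}", address.ToInt32());
            // Pumps the message loop so the progress label repaints during the scan.
            Application.DoEvents();
        }
    }

    labelObjectsScanProgress.Text = "Finished.";
}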
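/// <summary>
/// Looks up the addresses of MmNonPagedPoolStart, MmMaximumNonPagedPoolInBytes,
/// PsProcessType and PsThreadType in the kernel module's symbols, then reads the
/// value at each address via KProcessHacker.
/// </summary>
/// <returns>
/// A <c>KVars</c> with the four symbol addresses and the four values read from them.
/// </returns>
private unsafe KVars GetKVars()
{
    SymbolProvider symbols = new SymbolProvider();

    try
    {
        symbols.LoadModule(Windows.KernelFileName, Windows.KernelBase);

        KVars vars = new KVars();

        vars.NonPagedPoolStartAddress = symbols.GetSymbolFromName("MmNonPagedPoolStart").Address.ToIntPtr();
        vars.NonPagedPoolSizeAddress = symbols.GetSymbolFromName("MmMaximumNonPagedPoolInBytes").Address.ToIntPtr();
        vars.PsProcessTypeAddress = symbols.GetSymbolFromName("PsProcessType").Address.ToIntPtr();
        vars.PsThreadTypeAddress = symbols.GetSymbolFromName("PsThreadType").Address.ToIntPtr();

        // NOTE(review): the out value is discarded after each read; nothing here verifies
        // that the full IntPtr.Size / sizeof(uint) bytes arrived - confirm the driver call
        // reports failure by throwing.
        // NOTE(review): addresses are narrowed with ToInt32(), which presumably targets a
        // 32-bit kernel - confirm.
        int bytesRead;

        KProcessHacker.Instance.KphReadVirtualMemoryUnsafe(
            ProcessHandle.Current,
            vars.NonPagedPoolStartAddress.ToInt32(),
            &vars.NonPagedPoolStart,
            IntPtr.Size,
            out bytesRead
            );
        KProcessHacker.Instance.KphReadVirtualMemoryUnsafe(
            ProcessHandle.Current,
            vars.NonPagedPoolSizeAddress.ToInt32(),
            &vars.NonPagedPoolSize,
            sizeof(uint),
            out bytesRead
            );
        KProcessHacker.Instance.KphReadVirtualMemoryUnsafe(
            ProcessHandle.Current,
            vars.PsProcessTypeAddress.ToInt32(),
            &vars.PsProcessType,
            IntPtr.Size,
            out bytesRead
            );
        KProcessHacker.Instance.KphReadVirtualMemoryUnsafe(
            ProcessHandle.Current,
            vars.PsThreadTypeAddress.ToInt32(),
            &vars.PsThreadType,
            IntPtr.Size,
            out bytesRead
            );

        return vars;
    }
    finally
    {
        // Dispose on every exit path; previously an exception from a lookup or a read
        // skipped the Dispose call and left the symbol provider open.
        symbols.Dispose();
    }
}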