public COMDualStringArray(IntPtr ptr, NtProcess process, bool direct_string) : this() { int num_entries = process.ReadMemory <ushort>(ptr.ToInt64()); int sec_offset = process.ReadMemory <ushort>(ptr.ToInt64() + 2); if (num_entries > 0) { MemoryStream stm = new MemoryStream(process.ReadMemory(ptr.ToInt64() + 4, num_entries * 2)); ReadEntries(new BinaryReader(stm), sec_offset, direct_string); } }
static List <COMIPIDEntry> ParseIPIDEntries <T>(NtProcess process, IntPtr ipid_table, ISymbolResolver resolver) where T : struct, IPIDEntryNativeInterface { List <COMIPIDEntry> entries = new List <COMIPIDEntry>(); PageAllocator palloc = new PageAllocator(process, ipid_table); if (palloc.Pages.Length == 0 || palloc.EntrySize < Marshal.SizeOf(typeof(T))) { return(entries); } foreach (IntPtr page in palloc.Pages) { int total_size = palloc.EntriesPerPage * palloc.EntrySize; var data = process.ReadMemory(page.ToInt64(), palloc.EntriesPerPage * palloc.EntrySize); if (data.Length < total_size) { continue; } using (var buf = new SafeHGlobalBuffer(data)) { for (int entry_index = 0; entry_index < palloc.EntriesPerPage; ++entry_index) { IPIDEntryNativeInterface ipid_entry = buf.Read <T>((ulong)(entry_index * palloc.EntrySize)); if ((ipid_entry.Flags != 0xF1EEF1EE) && (ipid_entry.Flags != 0)) { entries.Add(new COMIPIDEntry(ipid_entry, process, resolver)); } } } } return(entries); }
public static ActivationContext FromProcess(NtProcess process, bool default_actctx) { try { bool is_64bit = process.Is64Bit || Environment.Is64BitOperatingSystem; int offset; if (default_actctx) { offset = is_64bit ? DEFAULT_ACTCTX_PEB_OFFSET_64 : DEFAULT_ACTCTX_PEB_OFFSET_32; } else { offset = is_64bit ? ACTCTX_PEB_OFFSET_64 : ACTCTX_PEB_OFFSET_32; } long peb_base = process.PebAddress.ToInt64(); long actctx_base; if (is_64bit) { actctx_base = process.ReadMemory <long>(peb_base + offset); } else { actctx_base = process.ReadMemory <uint>(peb_base + offset); } if (actctx_base == 0) { return(null); } return(FromProcess(process, actctx_base)); } catch (NtException) { return(null); } catch (ArgumentException) { return(null); } }
private static T ReadStruct <T>(this NtProcess process, long address) where T : new() { try { return(process.ReadMemory <T>(address)); } catch (NtException) { System.Diagnostics.Debug.WriteLine(string.Format("Error reading address {0:X}", address)); return(new T()); } }
public static ActivationContext FromProcess(NtProcess process, long actctx_base) { try { var header = process.ReadMemory <ACTIVATION_CONTEXT_DATA>(actctx_base); if (header.Magic != ACTCTX_MAGIC && header.FormatVersion != ACTCTX_VERSION) { return(null); } return(new ActivationContext(process.ReadMemory(actctx_base, header.TotalSize))); } catch (NtException) { return(null); } catch (ArgumentException) { return(null); } }
private static string ReadUnicodeString(NtProcess process, IntPtr ptr) { StringBuilder builder = new StringBuilder(); int pos = 0; do { byte[] data = process.ReadMemory(ptr.ToInt64() + pos, 2); if (data.Length < 2) { break; } char c = BitConverter.ToChar(data, 0); if (c == 0) { break; } builder.Append(c); pos += 2; }while (true); return(builder.ToString()); }
public byte ReadByte(IntPtr address) { return(_process.ReadMemory <byte>(address.ToInt64())); }