public COMDualStringArray(IntPtr ptr, NtProcess process, bool direct_string) : this()
{
int num_entries = process.ReadMemory <ushort>(ptr.ToInt64());
int sec_offset = process.ReadMemory <ushort>(ptr.ToInt64() + 2);
if (num_entries > 0)
{
MemoryStream stm = new MemoryStream(process.ReadMemory(ptr.ToInt64() + 4, num_entries * 2));
ReadEntries(new BinaryReader(stm), sec_offset, direct_string);
}
}
static List <COMIPIDEntry> ParseIPIDEntries <T>(NtProcess process, IntPtr ipid_table, ISymbolResolver resolver)
where T : struct, IPIDEntryNativeInterface
{
List <COMIPIDEntry> entries = new List <COMIPIDEntry>();
PageAllocator palloc = new PageAllocator(process, ipid_table);
if (palloc.Pages.Length == 0 || palloc.EntrySize < Marshal.SizeOf(typeof(T)))
{
return(entries);
}
foreach (IntPtr page in palloc.Pages)
{
int total_size = palloc.EntriesPerPage * palloc.EntrySize;
var data = process.ReadMemory(page.ToInt64(), palloc.EntriesPerPage * palloc.EntrySize);
if (data.Length < total_size)
{
continue;
}
using (var buf = new SafeHGlobalBuffer(data))
{
for (int entry_index = 0; entry_index < palloc.EntriesPerPage; ++entry_index)
{
IPIDEntryNativeInterface ipid_entry = buf.Read <T>((ulong)(entry_index * palloc.EntrySize));
if ((ipid_entry.Flags != 0xF1EEF1EE) && (ipid_entry.Flags != 0))
{
entries.Add(new COMIPIDEntry(ipid_entry, process, resolver));
}
}
}
}
return(entries);
}
public static ActivationContext FromProcess(NtProcess process, bool default_actctx)
{
try
{
bool is_64bit = process.Is64Bit || Environment.Is64BitOperatingSystem;
int offset;
if (default_actctx)
{
offset = is_64bit ? DEFAULT_ACTCTX_PEB_OFFSET_64 : DEFAULT_ACTCTX_PEB_OFFSET_32;
}
else
{
offset = is_64bit ? ACTCTX_PEB_OFFSET_64 : ACTCTX_PEB_OFFSET_32;
}
long peb_base = process.PebAddress.ToInt64();
long actctx_base;
if (is_64bit)
{
actctx_base = process.ReadMemory <long>(peb_base + offset);
}
else
{
actctx_base = process.ReadMemory <uint>(peb_base + offset);
}
if (actctx_base == 0)
{
return(null);
}
return(FromProcess(process, actctx_base));
}
catch (NtException)
{
return(null);
}
catch (ArgumentException)
{
return(null);
}
}
private static T ReadStruct <T>(this NtProcess process, long address) where T : new()
{
try
{
return(process.ReadMemory <T>(address));
}
catch (NtException)
{
System.Diagnostics.Debug.WriteLine(string.Format("Error reading address {0:X}", address));
return(new T());
}
}
public static ActivationContext FromProcess(NtProcess process, long actctx_base)
{
try
{
var header = process.ReadMemory <ACTIVATION_CONTEXT_DATA>(actctx_base);
if (header.Magic != ACTCTX_MAGIC && header.FormatVersion != ACTCTX_VERSION)
{
return(null);
}
return(new ActivationContext(process.ReadMemory(actctx_base, header.TotalSize)));
}
catch (NtException)
{
return(null);
}
catch (ArgumentException)
{
return(null);
}
}
private static string ReadUnicodeString(NtProcess process, IntPtr ptr)
{
StringBuilder builder = new StringBuilder();
int pos = 0;
do
{
byte[] data = process.ReadMemory(ptr.ToInt64() + pos, 2);
if (data.Length < 2)
{
break;
}
char c = BitConverter.ToChar(data, 0);
if (c == 0)
{
break;
}
builder.Append(c);
pos += 2;
}while (true);
return(builder.ToString());
}
public byte ReadByte(IntPtr address)
{
return(_process.ReadMemory <byte>(address.ToInt64()));
}
