/// <summary>
/// Resolves <paramref name="symbol"/> in the inspected process, dereferences the
/// pointer stored at that location and returns the security descriptor found there
/// as produced by <c>ReadSecurityDescriptorFromAddress</c>.
/// </summary>
/// <param name="process">Process whose memory is read.</param>
/// <param name="resolver">Symbol resolver passed to <c>AddressFromSymbol</c>.</param>
/// <param name="symbol">Symbol name; passed through <c>GetSymbolName</c> before lookup.</param>
/// <returns>
/// <see cref="String.Empty"/> when the symbol does not resolve;
/// <c>"D:NO_ACCESS_CONTROL"</c> when the stored pointer is null; otherwise the result
/// of <c>ReadSecurityDescriptorFromAddress</c>.
/// </returns>
/// <remarks>
/// The two failure results mean different things to a reviewer: an empty string is
/// "could not look it up", whereas <c>D:NO_ACCESS_CONTROL</c> is the SDDL form of a
/// NULL DACL. Callers should not treat the empty string as "no restrictions".
/// </remarks>
private static string ReadSecurityDescriptor(NtProcess process, ISymbolResolver resolver, string symbol)
{
    IntPtr symbolAddress = AddressFromSymbol(resolver, process.Is64Bit, GetSymbolName(symbol));
    if (symbolAddress == IntPtr.Zero)
    {
        // Symbol lookup failed: nothing to read.
        return String.Empty;
    }

    // The symbol holds a pointer to the descriptor; its width follows the target's bitness.
    // NOTE(review): new IntPtr(int) sign-extends on a 64-bit host, so a 32-bit target
    // pointer with the high bit set becomes a negative address - confirm this is acceptable.
    IntPtr descriptorAddress = process.Is64Bit
        ? process.ReadStruct<IntPtr>(symbolAddress.ToInt64())
        : new IntPtr(process.ReadStruct<int>(symbolAddress.ToInt64()));

    if (descriptorAddress != IntPtr.Zero)
    {
        return ReadSecurityDescriptorFromAddress(process, descriptorAddress);
    }

    // Null descriptor pointer in the target is reported as a NULL DACL.
    return "D:NO_ACCESS_CONTROL";
}
/// <summary>
/// Reads one pointer-sized value from the inspected process at address <paramref name="p"/>.
/// </summary>
/// <param name="process">Process whose memory is read; not touched when <paramref name="p"/> is zero.</param>
/// <param name="p">Address in the target process to read from.</param>
/// <returns>
/// <see cref="IntPtr.Zero"/> when <paramref name="p"/> is zero; otherwise the value read,
/// taken as an <see cref="IntPtr"/> for a 64-bit target or widened from an <c>int</c> for a 32-bit one.
/// </returns>
/// <remarks>
/// The returned value comes from another process's memory and is not validated here.
/// NOTE(review): new IntPtr(int) sign-extends on a 64-bit host, so a 32-bit target pointer
/// at or above 0x80000000 yields a negative address - confirm callers tolerate this.
/// </remarks>
public static IntPtr ReadPointer(NtProcess process, IntPtr p)
{
    if (p == IntPtr.Zero)
    {
        // Nothing to dereference.
        return IntPtr.Zero;
    }

    if (!process.Is64Bit)
    {
        // 32-bit target: pointers are four bytes wide.
        int narrowPointer = process.ReadStruct<int>(p.ToInt64());
        return new IntPtr(narrowPointer);
    }

    return process.ReadStruct<IntPtr>(p.ToInt64());
}
/// <summary>
/// Reads a page-allocator structure of type <typeparamref name="T"/> from the inspected
/// process at <paramref name="ipid_table"/> and copies its page list and sizing fields
/// into <c>Pages</c>, <c>EntrySize</c> and <c>EntriesPerPage</c>.
/// </summary>
/// <typeparam name="T">Allocator layout to read; must implement <c>IPageAllocator</c>.</typeparam>
/// <param name="process">Process whose memory is read.</param>
/// <param name="ipid_table">Address of the allocator structure in the target process.</param>
/// <remarks>
/// NOTE(review): every value stored here originates in the target process's memory.
/// This method applies no range checks, so consumers that multiply or index with
/// <c>EntrySize</c> / <c>EntriesPerPage</c> should bound them first - confirm they do.
/// </remarks>
void Init<T>(NtProcess process, IntPtr ipid_table) where T : IPageAllocator, new()
{
    long tableAddress = ipid_table.ToInt64();
    IPageAllocator allocator = process.ReadStruct<T>(tableAddress);

    // Page list first, then the per-entry sizing, in the same order as before.
    Pages = allocator.ReadPages(process);
    EntrySize = allocator.EntrySize;
    EntriesPerPage = allocator.EntriesPerPage;
}
/// <summary>
/// Resolves <paramref name="symbol"/> in the inspected process and reads the 32-bit
/// integer stored at that address.
/// </summary>
/// <param name="process">Process whose memory is read.</param>
/// <param name="resolver">Symbol resolver passed to <c>AddressFromSymbol</c>.</param>
/// <param name="symbol">Symbol name; passed through <c>GetSymbolName</c> before lookup.</param>
/// <returns>The value read, or 0 when the symbol does not resolve.</returns>
/// <remarks>
/// A result of 0 is ambiguous: it is returned both for an unresolved symbol and for a
/// stored value of zero. Callers that base a security conclusion on the value should
/// keep that in mind.
/// </remarks>
public static int ReadInt(NtProcess process, ISymbolResolver resolver, string symbol)
{
    IntPtr valueAddress = AddressFromSymbol(resolver, process.Is64Bit, GetSymbolName(symbol));
    if (valueAddress == IntPtr.Zero)
    {
        // Symbol lookup failed.
        return 0;
    }

    return process.ReadStruct<int>(valueAddress.ToInt64());
}
/// <summary>
/// Reads the GUID stored at the <c>g_AppId</c> symbol in the inspected process.
/// </summary>
/// <param name="process">Process whose memory is read.</param>
/// <param name="resolver">Symbol resolver passed to <c>AddressFromSymbol</c>.</param>
/// <returns>The GUID read, or <see cref="Guid.Empty"/> when the symbol does not resolve.</returns>
private static Guid GetProcessAppId(NtProcess process, ISymbolResolver resolver)
{
    IntPtr appIdAddress = AddressFromSymbol(resolver, process.Is64Bit, GetSymbolName("g_AppId"));
    if (appIdAddress != IntPtr.Zero)
    {
        return process.ReadStruct<Guid>(appIdAddress.ToInt64());
    }

    // Symbol lookup failed: report "no AppID".
    return Guid.Empty;
}
/// <summary>
/// Explicit <c>IPIDEntryNativeInterface</c> implementation: reads the OXID entry that
/// this IPID entry points to from the inspected process.
/// </summary>
/// <param name="process">Process whose memory is read.</param>
/// <returns>The structure read at <c>pOXIDEntry</c>, exposed as <c>IOXIDEntry</c>.</returns>
/// <remarks>
/// <c>pOXIDEntry</c> is a member declared outside this view and is used as the read
/// address without a null check here.
/// NOTE(review): the value is itself taken from target memory (presumably a 32-bit
/// pointer, given the <c>OXIDEntryNative32</c> layout) - confirm a failed read is handled by the caller.
/// </remarks>
IOXIDEntry IPIDEntryNativeInterface.GetOxidEntry(NtProcess process)
{
    IOXIDEntry oxidEntry = process.ReadStruct<OXIDEntryNative32>(pOXIDEntry);
    return oxidEntry;
}