/// <summary>
/// Resolves <paramref name="symbol"/> to an address, reads the pointer stored
/// there through <c>process.ReadStruct</c>, and returns the security
/// descriptor found at that pointer as text.
/// </summary>
/// <param name="process">Process whose memory is read; its <c>Is64Bit</c> flag selects the pointer width.</param>
/// <param name="resolver">Symbol resolver handed to <c>AddressFromSymbol</c>.</param>
/// <param name="symbol">Symbol name, passed through <c>GetSymbolName</c> before resolution.</param>
/// <returns>
/// <c>String.Empty</c> when the symbol resolves to <c>IntPtr.Zero</c>;
/// the literal <c>"D:NO_ACCESS_CONTROL"</c> when the stored pointer is zero;
/// otherwise the result of <c>ReadSecurityDescriptorFromAddress</c>.
/// </returns>
        {
            IntPtr symbolAddress = AddressFromSymbol(resolver, process.Is64Bit, GetSymbolName(symbol));

            // Unresolved symbol: nothing to read, which is distinct from "no descriptor set".
            if (symbolAddress == IntPtr.Zero)
            {
                return string.Empty;
            }

            long slot = symbolAddress.ToInt64();

            // The slot holds a pointer whose width follows the inspected process, not this one.
            // NOTE(review): new IntPtr(int) sign-extends on a 64-bit host, so a 32-bit
            // pointer with the high bit set would turn into a different 64-bit address.
            // Confirm whether large-address-aware 32-bit targets are in scope.
            // NOTE(review): the pointer value comes from the inspected process and is
            // followed without validation; treat what it leads to as untrusted input.
            IntPtr descriptorAddress = process.Is64Bit
                ? process.ReadStruct<IntPtr>(slot)
                : new IntPtr(process.ReadStruct<int>(slot));

            // In SDDL, NO_ACCESS_CONTROL denotes a NULL DACL (no access restriction).
            // NOTE(review): whether a null pointer here really means "unrestricted", or
            // that defaults apply instead, is not visible in this method. Confirm before
            // reporting it as a finding.
            return descriptorAddress == IntPtr.Zero
                ? "D:NO_ACCESS_CONTROL"
                : ReadSecurityDescriptorFromAddress(process, descriptorAddress);
        }
 /// <summary>
 /// Reads one pointer-sized value at <paramref name="p"/> through
 /// <c>process.ReadStruct</c>, using the pointer width given by <c>process.Is64Bit</c>.
 /// </summary>
 /// <param name="process">Process to read from.</param>
 /// <param name="p">Address of the pointer to read; <c>IntPtr.Zero</c> is not dereferenced.</param>
 /// <returns>The pointer read, or <c>IntPtr.Zero</c> when <paramref name="p"/> is zero.</returns>
 public static IntPtr ReadPointer(NtProcess process, IntPtr p)
 {
     // A null input is passed through instead of being read.
     if (p == IntPtr.Zero)
     {
         return IntPtr.Zero;
     }

     long address = p.ToInt64();

     // NOTE(review): new IntPtr(int) sign-extends on a 64-bit host, so a 32-bit value
     // with the high bit set does not round-trip as the same address. Confirm
     // whether callers can see such values.
     // NOTE(review): the returned pointer is data from the inspected process; callers
     // should not assume it refers to valid or well-formed memory.
     return process.Is64Bit
         ? process.ReadStruct<IntPtr>(address)
         : new IntPtr(process.ReadStruct<int>(address));
 }
            // Reads a T at ipid_table via process.ReadStruct and copies its page list,
            // entry size and entries-per-page into Pages, EntrySize and EntriesPerPage.
            // T selects the concrete IPageAllocator layout to read.
            void Init<T>(NtProcess process, IntPtr ipid_table) where T : IPageAllocator, new()
            {
                long tableAddress = ipid_table.ToInt64();

                // Held through the interface so the rest of the method does not depend on T.
                IPageAllocator allocator = process.ReadStruct<T>(tableAddress);

                // NOTE(review): these three values are taken as read, with no range checks
                // here. Presumably later code walks the pages using EntrySize and
                // EntriesPerPage; since they originate in the inspected process, confirm
                // the consumers bound them before sizing reads or loops.
                Pages = allocator.ReadPages(process);
                EntrySize = allocator.EntrySize;
                EntriesPerPage = allocator.EntriesPerPage;
            }
        /// <summary>
        /// Resolves <paramref name="symbol"/> to an address and reads a 32-bit integer
        /// from it through <c>process.ReadStruct</c>.
        /// </summary>
        /// <param name="process">Process to read from; its <c>Is64Bit</c> flag is passed to <c>AddressFromSymbol</c>.</param>
        /// <param name="resolver">Symbol resolver handed to <c>AddressFromSymbol</c>.</param>
        /// <param name="symbol">Symbol name, passed through <c>GetSymbolName</c> before resolution.</param>
        /// <returns>
        /// The value read, or 0 when the symbol resolves to <c>IntPtr.Zero</c>.
        /// A stored value of 0 and an unresolved symbol therefore look the same to the caller.
        /// </returns>
        public static int ReadInt(NtProcess process, ISymbolResolver resolver, string symbol)
        {
            IntPtr address = AddressFromSymbol(resolver, process.Is64Bit, GetSymbolName(symbol));

            // Unresolved symbol: fall back to 0 without attempting a read.
            if (address == IntPtr.Zero)
            {
                return 0;
            }

            return process.ReadStruct<int>(address.ToInt64());
        }
        /// <summary>
        /// Reads the GUID stored at the address that the <c>g_AppId</c> symbol resolves to.
        /// </summary>
        /// <param name="process">Process to read from; its <c>Is64Bit</c> flag is passed to <c>AddressFromSymbol</c>.</param>
        /// <param name="resolver">Symbol resolver handed to <c>AddressFromSymbol</c>.</param>
        /// <returns>
        /// The GUID read through <c>process.ReadStruct</c>, or <c>Guid.Empty</c> when
        /// the symbol resolves to <c>IntPtr.Zero</c>.
        /// </returns>
        private static Guid GetProcessAppId(NtProcess process, ISymbolResolver resolver)
        {
            IntPtr appIdAddress = AddressFromSymbol(resolver, process.Is64Bit, GetSymbolName("g_AppId"));

            // Guid.Empty covers the unresolved-symbol case; a stored all-zero GUID
            // would be indistinguishable from it.
            return appIdAddress == IntPtr.Zero
                ? Guid.Empty
                : process.ReadStruct<Guid>(appIdAddress.ToInt64());
        }
 /// <summary>
 /// Reads the <c>OXIDEntryNative32</c> that this entry's <c>pOXIDEntry</c> field points to
 /// and returns it as an <c>IOXIDEntry</c>.
 /// </summary>
 /// <param name="process">Process to read the structure from.</param>
 /// <returns>The structure read through <c>process.ReadStruct</c>.</returns>
 IOXIDEntry IPIDEntryNativeInterface.GetOxidEntry(NtProcess process)
 {
     // NOTE(review): pOXIDEntry is used as the address with no zero check, and it is a
     // value that itself came from the inspected process. Confirm how ReadStruct
     // behaves for a null or invalid address, and whether the field's declared type
     // preserves 32-bit addresses with the high bit set.
     IOXIDEntry oxidEntry = process.ReadStruct<OXIDEntryNative32>(pOXIDEntry);
     return oxidEntry;
 }