Example #1
0
 public static extern NtStatus NtQueryInformationProcess(
     SafeKernelObjectHandle ProcessHandle,
     ProcessInformationClass ProcessInformationClass,
     SafeBuffer ProcessInformation,
     int ProcessInformationLength,
     out int ReturnLength
     );
Example #2
0
        public void KphQueryInformationProcess(
            ProcessHandle processHandle,
            ProcessInformationClass processInformationClass,
            IntPtr processInformation,
            int processInformationLength,
            out int returnLength
            )
        {
            byte *inData = stackalloc byte[0x14];
            int   returnLengthLocal;

            *(int *)inData          = processHandle;
            *(int *)(inData + 0x4)  = (int)processInformationClass;
            *(int *)(inData + 0x8)  = processInformation.ToInt32();
            *(int *)(inData + 0xc)  = processInformationLength;
            *(int *)(inData + 0x10) = (int)&returnLengthLocal;

            try
            {
                _fileHandle.IoControl(CtlCode(Control.KphQueryInformationProcess), inData, 0x14, null, 0);
            }
            finally
            {
                returnLength = returnLengthLocal;
            }
        }
Example #3
0
        private void WinApiIsProcessDebugPort()
        {
            ProcessInformationClass flag = ProcessInformationClass.ProcessDebugPort;
            bool check = Functions.WinApiNtQueryInformationProcess <IntPtr>(Process, flag) != IntPtr.Zero;

            LoggingService.Info($"{System.Reflection.MethodBase.GetCurrentMethod().Name}() => {check}.");
        }
Example #4
0
 internal unsafe T QueryInformationProcess <T>(ProcessInformationClass infoClass, ref T buff, out uint returnSize) where T : unmanaged
 {
     fixed(void *buffP = &buff)
     {
         PInvoke.NTSTATUS status = NtQueryInformationProcess(handle, infoClass, buffP, (uint)sizeof(T), out returnSize);
         if (status.Severity != PInvoke.NTSTATUS.SeverityCode.STATUS_SEVERITY_SUCCESS)
         {
             throw new PInvoke.NTStatusException(status);
         }
         return(buff);
     }
 }
Example #5
0
        public uint Call(IntPtr handle, ProcessInformationClass pic, out IMemoryPointer result, int resultLength, out IMemoryPointer bytesRead)
        {
            IMemoryPointer bytesReadInternal = GameSharpProcess.Instance.AllocateManagedMemory(resultLength);
            IMemoryPointer resultInternal    = GameSharpProcess.Instance.AllocateManagedMemory(resultLength);

            uint retval = Call <uint>(handle, pic, resultInternal.Address, (uint)resultLength, bytesReadInternal.Address);

            bytesRead = bytesReadInternal;
            result    = resultInternal;

            return(retval);
        }
Example #6
0
        internal static T QueryInformation <T>(this Process process, ProcessInformationClass informationClass) where T : unmanaged
        {
            Span <byte> informationBlock = stackalloc byte[Unsafe.SizeOf <T>()];

            var ntStatus = Ntdll.NtQueryInformationProcess(process.SafeHandle, informationClass, out informationBlock[0], informationBlock.Length, out _);

            if (ntStatus != NtStatus.Success)
            {
                throw new Win32Exception(Ntdll.RtlNtStatusToDosError(ntStatus));
            }

            return(MemoryMarshal.Read <T>(informationBlock));
        }
Example #7
0
        public void KphSetInformationProcess(
            ProcessHandle processHandle,
            ProcessInformationClass processInformationClass,
            IntPtr processInformation,
            int processInformationLength
            )
        {
            byte *inData = stackalloc byte[0x10];

            *(int *)inData         = processHandle;
            *(int *)(inData + 0x4) = (int)processInformationClass;
            *(int *)(inData + 0x8) = processInformation.ToInt32();
            *(int *)(inData + 0xc) = processInformationLength;

            _fileHandle.IoControl(CtlCode(Control.KphSetInformationProcess), inData, 0x10, null, 0);
        }
Example #8
0
        internal unsafe T[] QueryInformationProcessArrayInternal <T>(ProcessInformationClass infoClass, ref T[] buff, ref uint validItemCount) where T : unmanaged
        {
            uint returnSize = 0;

            fixed(void *buffP = buff)
            {
                try {
                    PInvoke.NTSTATUS status = NtQueryInformationProcess(handle, infoClass, buffP, (uint)sizeof(T) * validItemCount, out returnSize);
                    if (status.Severity != PInvoke.NTSTATUS.SeverityCode.STATUS_SEVERITY_SUCCESS)
                    {
                        throw new PInvoke.NTStatusException(status);
                    }
                    return(buff);
                } finally {
                    validItemCount = returnSize / ((uint)sizeof(T));
                }
            }
        }
Example #9
0
        internal IntPtr[] QueryInformationProcessArray <T>(ProcessInformationClass infoClass)
        {
            uint validItems = 1;

            IntPtr[] buff;
            for (; ;)
            {
                buff = new IntPtr[validItems];
                try {
                    QueryInformationProcessArrayInternal(infoClass, ref buff, ref validItems);
                } catch (PInvoke.NTStatusException err) when(err.NativeErrorCode == PInvoke.NTSTATUS.Code.STATUS_INFO_LENGTH_MISMATCH)
                {
                    continue;
                }
                break;
            }
            return(buff);
        }
Example #10
0
        /// <summary>
        /// Wrapper for the NtQueryInformationProcess delegate, this will make the code more readable.
        /// </summary>
        /// <typeparam name="T"></typeparam>
        /// <param name="process"></param>
        /// <param name="pic"></param>
        /// <returns></returns>
        public static T NtQueryInformationProcess <T>(GameSharpProcess process, ProcessInformationClass pic) where T : struct
        {
            T returnResult = default;

            uint ntResult = NtQueryInformationProcessWrapper.Call(process.NativeHandle, pic, out IMemoryPointer returnPtr, Marshal.SizeOf <T>(), out IMemoryPointer _);

            // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55
            if (ntResult == 0)
            {
                returnResult = returnPtr.Read <T>();
            }
            //else
            //{
            //    LoggingService.Error(
            //        $"Flag: {pic.ToString()}" +
            //        $", Couldn't query NtQueryInformationProcess, Error code: {Marshal.GetLastWin32Error().ToString("X")}" +
            //        $", Return value of NtQueryInformationProcess function is 0x{ntResult.ToString("X")}");
            //}

            return(returnResult);
        }
Example #11
0
        /// <summary>
        ///
        /// </summary>
        /// <param name="ProcessHandle"></param>
        /// <param name="InfoClass"></param>
        /// <param name="Info"></param>
        /// <param name="InfoLength"></param>
        /// <param name="ReturnLength"></param>
        /// <returns></returns>
        public static NTSTATUS NtQueryInformationProcess(IntPtr ProcessHandle, ProcessInformationClass InfoClass, IntPtr Info, uint InfoLength, out uint ReturnLength, [CallerMemberName] string callerName = "")
        {
            if (!PInvokeDebugger.LoggingEnabled)
            {
                return(PInvoke_NtQueryInformationProcess(ProcessHandle, InfoClass, Info, InfoLength, out ReturnLength));
            }

            NTSTATUS         returnValue = PInvoke_NtQueryInformationProcess(ProcessHandle, InfoClass, Info, InfoLength, out ReturnLength);
            PInvokeDebugInfo debugInfo   = PInvokeDebugInfo.TraceDebugInfo(
                ModuleName,
                nameof(NtQueryInformationProcess),
                callerName,
                returnValue,
                nameof(ProcessHandle), ProcessHandle,
                nameof(InfoClass), InfoClass,
                nameof(Info), Info,
                nameof(InfoLength), InfoLength,
                nameof(ReturnLength), ReturnLength
                );

            PInvokeDebugger.SafeCapture(debugInfo);
            return(returnValue);
        }
Example #12
0
 internal static extern NtStatus NtQueryInformationProcess(SafeProcessHandle processHandle, ProcessInformationClass processInformationClass, IntPtr processInformation, int bufferSize, IntPtr returnLength);
Example #13
0
 internal static extern NtStatus NtQueryInformationProcess(SafeProcessHandle processHandle, ProcessInformationClass processInformationClass, ref byte processInformation, int processInformationLength, out int returnLength);
Example #14
0
 public static unsafe extern int NtQueryInformationProcess(SafeHandle hProcess, ProcessInformationClass infoClass, void *buffer, int size, int *actualSize = null);
Example #15
0
 public static extern int NtQueryInformationProcess(SafeMemoryHandle processHandle,
                                                    ProcessInformationClass infoclass,
                                                    ref ProcessBasicInformation processinfo, int length, IntPtr bytesread);
Example #16
0
        public void KphSetInformationProcess(
            ProcessHandle processHandle,
            ProcessInformationClass processInformationClass,
            IntPtr processInformation,
            int processInformationLength
            )
        {
            byte* inData = stackalloc byte[0x10];

            *(int*)inData = processHandle;
            *(int*)(inData + 0x4) = (int)processInformationClass;
            *(int*)(inData + 0x8) = processInformation.ToInt32();
            *(int*)(inData + 0xc) = processInformationLength;

            _fileHandle.IoControl(CtlCode(Control.KphSetInformationProcess), inData, 0x10, null, 0);
        }
Example #17
0
 public static extern Int32 NtQueryInformationProcess(IntPtr processHandle, ProcessInformationClass processInformationClass, ref ProcessBasicInformation processInformation, Int32 processInformationLength, out Int32 returnLength);
Example #18
0
 public static extern uint NtQueryInformationProcess(SafeHandle handle, ProcessInformationClass processInformationClass,
                                                     IntPtr processInformation, uint processInformationLength, out uint returnLength);
Example #19
0
 internal static extern unsafe PInvoke.NTSTATUS NtQueryInformationProcess(SafeProcessHandle handle, ProcessInformationClass informationClass, void *buffer, uint bufferLength, out uint returnLength);
Example #20
0
        /// <summary>
        /// Wrapper for the defautl WinApi NtQueryInformationProcess, makes the code more readable.
        /// </summary>
        /// <typeparam name="T"></typeparam>
        /// <param name="process"></param>
        /// <param name="pic"></param>
        /// <returns></returns>
        public static T WinApiNtQueryInformationProcess <T>(GameSharpProcess process, ProcessInformationClass pic) where T : struct
        {
            T returnResult = default;

            IMemoryPointer ntResult = process.AllocateManagedMemory(Marshal.SizeOf <T>());

            uint result = Ntdll.NtQueryInformationProcess(process.NativeHandle, pic, ntResult.Address, Marshal.SizeOf <T>(), out int _);

            if (result == 0)
            {
                returnResult = ntResult.Read <T>();
            }
            else
            {
                LoggingService.Error(
                    $"Couldn't query NtQueryInformationProcess, Error code: {Marshal.GetLastWin32Error().ToString("X")}, " +
                    $"Return value of NtQueryInformationProcess function is 0x{result.ToString("X")}.");
            }

            return(returnResult);
        }
Example #21
0
 public static extern uint NtQueryInformationProcess(IntPtr processHandle, ProcessInformationClass processInformationClass, IntPtr processInformation, int bufferSize, out int returnLength);
Example #22
0
 public static extern NtStatus NtQueryInformationProcess(
     [In] IntPtr ProcessHandle, [In] ProcessInformationClass ProcessInformationClass, out int ProcessInformation, [In] int ProcessInformationLength, [Optional] out int ReturnLength);
Example #23
0
 internal static extern NTSTATUS PInvoke_NtQueryInformationProcess(IntPtr ProcessHandle, ProcessInformationClass InfoClass, IntPtr Info, uint InfoLength, out uint ReturnLength);
Example #24
0
 public static extern int NtQueryInformationProcess(SafeMemoryHandle processHandle,
     ProcessInformationClass infoclass,
     ref ProcessBasicInformation processinfo, int length, IntPtr bytesread);
Example #25
0
 public static extern int NtQueryInformationProcess(IntPtr hProcess, ProcessInformationClass infoClass, IntPtr buffer, uint size, out uint actualSize);
Example #26
0
        public void KphQueryInformationProcess(
            ProcessHandle processHandle,
            ProcessInformationClass processInformationClass,
            IntPtr processInformation,
            int processInformationLength,
            out int returnLength
            )
        {
            byte* inData = stackalloc byte[0x14];
            int returnLengthLocal;

            *(int*)inData = processHandle;
            *(int*)(inData + 0x4) = (int)processInformationClass;
            *(int*)(inData + 0x8) = processInformation.ToInt32();
            *(int*)(inData + 0xc) = processInformationLength;
            *(int*)(inData + 0x10) = (int)&returnLengthLocal;

            try
            {
                _fileHandle.IoControl(CtlCode(Control.KphQueryInformationProcess), inData, 0x14, null, 0);
            }
            finally
            {
                returnLength = returnLengthLocal;
            }
        }
Example #27
0
 public static extern unsafe Hresult QueryInformationProcess(
     [In] SafeProcessHandle processHandle,
     [In] ProcessInformationClass processInformationClass,
     [In, Out] ProcessBasicInformation *processInformation,
     [In, MarshalAs(UnmanagedType.I4)] int processInformationLength,
     [In, Out, Optional] long *returnLength);
Example #28
0
 public static extern int NtSetInformationProcess(IntPtr hProcss, ProcessInformationClass info, ref int memoryPriority, int size);