public static FProcessInfo[] Fetch()
{
IntPtr hSnap = RKernel32.CreateToolhelp32Snapshot(ETh32cs.SnapProcess, 0);
if (!RApi.IsValidHandle(hSnap))
{
return(null);
}
FObjects <FProcessInfo> process = new FObjects <FProcessInfo>();
SProcessEntry32 pe32 = new SProcessEntry32();
pe32.dwSize = (uint)Marshal.SizeOf(pe32);
bool next = RKernel32.Process32First(hSnap, ref pe32);
while (next)
{
FProcessInfo info = new FProcessInfo();
info.Id = pe32.th32ProcessID;
info.Threads = (int)pe32.cntThreads;
info.FileName = pe32.szExeFile;
process.Push(info);
next = RKernel32.Process32Next(hSnap, ref pe32);
}
RKernel32.CloseHandle(hSnap);
return(process.ToArray());
}
public static bool ListThread(FThreadInfoCollection threads, int processId)
{
threads.Clear();
IntPtr hSnap = RKernel32.CreateToolhelp32Snapshot(ETh32cs.SnapThread, processId);
if (RApi.IsValidHandle(hSnap))
{
SThreadEntry32 te32 = new SThreadEntry32();
te32.dwSize = Marshal.SizeOf(te32);
bool next = RKernel32.Thread32First(hSnap, ref te32);
while (next)
{
if (te32.th32OwnerProcessID == processId)
{
FThreadInfo thread = new FThreadInfo();
thread.ProcessID = te32.th32OwnerProcessID;
thread.Id = te32.th32ThreadID;
thread.Flags = te32.dwFlags;
thread.BasePri = te32.tpBasePri;
thread.DeltaPri = te32.tpDeltaPri;
thread.Usage = te32.cntUsage;
threads.Push(thread);
}
next = RKernel32.Thread32Next(hSnap, ref te32);
}
RKernel32.CloseHandle(hSnap);
return(true);
}
return(false);
}
public int Read(uint address, byte[] buffer, int size)
{
int readed = 0;
RKernel32.ReadProcessMemory(_handle, address, buffer, size, out readed);
return(readed);
}
public static bool ListMemory(FMemoryInfos memories, int processId)
{
memories.Clear();
// List modules
FModuleInfoCollection modules = RModule.ListProcess(processId);
// List memory
uint address = 0;
SMemoryBasicInformation mbi = new SMemoryBasicInformation();
int size = Marshal.SizeOf(mbi);
IntPtr process = RKernel32.OpenProcess(EProcessAccess.QueryInformation, true, processId);
if (!RApi.IsValidHandle(process))
{
return(false);
}
while (RKernel32.VirtualQueryEx(process, address, ref mbi, size) > 0)
{
FMemoryInfo memory = new FMemoryInfo();
memory.AllocationBase = mbi.AllocationBase;
memory.AllocationProtect = mbi.AllocationProtect;
memory.BaseAddress = mbi.BaseAddress;
memory.Protect = mbi.Protect;
memory.RegionSize = mbi.RegionSize;
memory.State = mbi.State;
memory.Type = mbi.Type;
memory.Module = modules.FindByAddress(mbi.AllocationBase);
memories.Push(memory);
address = mbi.BaseAddress + mbi.RegionSize;
}
;
RKernel32.CloseHandle(process);
return(true);
}
public static bool List(FModuleInfoCollection modules, int processId)
{
modules.Clear();
IntPtr hSnap = RKernel32.CreateToolhelp32Snapshot(ETh32cs.SnapModule, processId);
if (!RApi.IsValidHandle(hSnap))
{
return(false);
}
SModuleEntry32 me32 = new SModuleEntry32();
me32.dwSize = Marshal.SizeOf(me32);
bool next = RKernel32.Module32First(hSnap, ref me32);
while (next)
{
FModuleInfo module = new FModuleInfo();
module.Handle = me32.hModule;
module.Name = me32.szModule;
module.Location = me32.szExePath;
module.BaseAddress = me32.modBaseAddr;
module.BaseSize = me32.modBaseSize;
module.ModuleID = me32.th32ModuleID;
module.GlblcntUsage = me32.GlblcntUsage;
module.ProccntUsage = me32.ProccntUsage;
modules.Push(module);
next = RKernel32.Module32Next(hSnap, ref me32);
}
RKernel32.CloseHandle(hSnap);
return(true);
}
public static Nullable <SModuleEntry32> Find(string name)
{
IntPtr hSnap = RKernel32.CreateToolhelp32Snapshot(ETh32cs.SnapModule, 0);
if (!RApi.IsValidHandle(hSnap))
{
return(null);
}
Nullable <SModuleEntry32> module = null;
SModuleEntry32 me32 = new SModuleEntry32();
me32.dwSize = Marshal.SizeOf(me32);
bool next = RKernel32.Module32First(hSnap, ref me32);
while (next)
{
if (me32.szModule == name)
{
module = me32;
break;
}
next = RKernel32.Module32Next(hSnap, ref me32);
}
RKernel32.CloseHandle(hSnap);
return(module);
}
public static bool EnablePrivilege(IntPtr hProcess, string seName, bool enable)
{
IntPtr hToken = IntPtr.Zero;
if (!RAdvapi32.OpenProcessToken(hProcess, EProcessToken.Query | EProcessToken.AdjustPrivileges, ref hToken))
{
int error = RKernel32.GetLastError();
return(false);
}
// Check
STokenPrivileges tokenPrivileges;
tokenPrivileges.PrivilegeCount = 1;
if (!RAdvapi32.LookupPrivilegeValueW(null, seName, out tokenPrivileges.Privileges))
{
return(true);
}
// Adjust
tokenPrivileges.Privileges.Attributes = enable ? ESePrivilege.Enabled : ESePrivilege.None;
if (!RAdvapi32.AdjustTokenPrivileges(hToken, false, ref tokenPrivileges, Marshal.SizeOf(tokenPrivileges), IntPtr.Zero, IntPtr.Zero))
{
int error = RKernel32.GetLastError();
return(false);
}
RKernel32.CloseHandle(hToken);
// Result
int lastError = RKernel32.GetLastError();
return(lastError == RApi.ErrorSuccess);
}
public static int ReadMemory(IntPtr process, uint address, byte[] memory, int length)
{
int read = 0;
RKernel32.ReadProcessMemory(process, address, memory, length, out read);
return(read);
}
public static bool List(FProcessInfoCollection processes)
{
processes.Clear();
IntPtr hSnap = RKernel32.CreateToolhelp32Snapshot(ETh32cs.SnapProcess, 0);
if (RApi.IsValidHandle(hSnap))
{
SProcessEntry32 pe32 = new SProcessEntry32();
pe32.dwSize = (uint)Marshal.SizeOf(pe32);
bool next = RKernel32.Process32First(hSnap, ref pe32);
while (next)
{
FProcessInfo process = new FProcessInfo();
process.Id = pe32.th32ProcessID;
process.Threads = (int)pe32.cntThreads;
process.FileName = pe32.szExeFile;
process.PriClassBase = pe32.pcPriClassBase;
processes.Push(process);
next = RKernel32.Process32Next(hSnap, ref pe32);
}
RKernel32.CloseHandle(hSnap);
return(true);
}
return(false);
}
public bool Install()
{
if (_installed)
{
return(false);
}
// Process
if (_process == null)
{
_process = new RUser32.HWindowsHook(HookProcess);
}
// Scope
if (_scope == EHookScope.Thread)
{
_nextHookPtr = RUser32.SetWindowsHookEx((int)_type, _process, IntPtr.Zero, RKernel32.GetCurrentThreadId());
}
if (_scope == EHookScope.Global)
{
//IntPtr ptr = Marshal.GetHINSTANCE(Assembly.GetExecutingAssembly().GetModules()[0]);
string modulename = global::System.Diagnostics.Process.GetCurrentProcess().MainModule.ModuleName;
IntPtr ptr = RKernel32.GetModuleHandle(modulename);
_nextHookPtr = RUser32.SetWindowsHookEx((int)_type, _process, ptr, 0);
}
_installed = true;
return(true);
}
public void Close()
{
if (_handle != IntPtr.Zero)
{
RKernel32.CloseHandle(_handle);
}
}
public int Write(uint address, byte[] buffer, int size)
{
int writed = 0;
RKernel32.WriteProcessMemory(_handle, address, buffer, size, out writed);
return(writed);
}
public void Open(int id, EProcessAccess access)
{
_id = id;
_handle = RKernel32.OpenProcess(access, false, _id);
if (_handle == IntPtr.Zero)
{
throw new FFatalException("Open process error. (id={0})", _id);
}
}
public static T PtrToStructure <T>(IntPtr hProcess, IntPtr hAddress)
{
Type type = typeof(T);
int size = Marshal.SizeOf(type);
byte[] buffer = new byte[size];
int readed = 0;
RKernel32.ReadProcessMemory(hProcess, (uint)hAddress.ToInt32(), buffer, size, out readed);
if (readed != size)
{
throw new FFatalException("Read process memory error. (size={0} readed={1})", size, readed);
}
IntPtr ptr = Marshal.AllocHGlobal(size);
try {
Marshal.Copy(buffer, 0, ptr, size);
return((T)Marshal.PtrToStructure(ptr, type));
} finally {
Marshal.FreeHGlobal(ptr);
}
}
public static SModuleEntry32[] ListAll(int processId)
{
IntPtr hSnap = RKernel32.CreateToolhelp32Snapshot(ETh32cs.SnapModule, processId);
if (!RApi.IsValidHandle(hSnap))
{
return(null);
}
FObjects <SModuleEntry32> modules = new FObjects <SModuleEntry32>();
SModuleEntry32 me32 = new SModuleEntry32();
me32.dwSize = Marshal.SizeOf(me32);
bool next = RKernel32.Module32First(hSnap, ref me32);
while (next)
{
SModuleEntry32 module = new SModuleEntry32();
module = me32;
modules.Push(module);
next = RKernel32.Module32Next(hSnap, ref me32);
}
RKernel32.CloseHandle(hSnap);
return(modules.ToArray());
}
public static FTrunkInfo[] FetchTrunks(IntPtr hModule)
{
Nullable <SImageNtHeaders> ntHeaders = GetNtHeaders(hModule);
SImageDataDirectory idd = ntHeaders.Value.OptionalHeader.DataDirectory[(int)EImageDirectoryEntry.Import];
if (idd.VirtualAddress == 0)
{
return(null);
}
// Import
uint maddress = (uint)hModule.ToInt32();
IntPtr pIdHeader = (IntPtr)(maddress + idd.VirtualAddress);
SImageImportDescriptor impDesc = (SImageImportDescriptor)Marshal.PtrToStructure(pIdHeader, typeof(SImageImportDescriptor));
if (impDesc.Name == 0)
{
return(null);
}
// Get module Name
// IntPtr moduleNamePtr = (IntPtr)(maddress + impDesc.Name);
// Trunk
IntPtr pOrgFt = (IntPtr)(maddress + impDesc.OriginalFirstThunk);
IntPtr pFt = (IntPtr)(maddress + impDesc.FirstThunk);
int ftSize = Marshal.SizeOf(typeof(SImageThunkData32));
int miSize = Marshal.SizeOf(typeof(SMemoryBasicInformation));
FObjects <FTrunkInfo> infos = new FObjects <FTrunkInfo>();
while (true)
{
SImageThunkData32 origThunk = (SImageThunkData32)Marshal.PtrToStructure(pOrgFt, typeof(SImageThunkData32));
SImageThunkData32 realThunk = (SImageThunkData32)Marshal.PtrToStructure(pFt, typeof(SImageThunkData32));
if (origThunk.Function == 0)
{
break;
}
if ((origThunk.Ordinal & 0x80000000) == 0x80000000)
{
break;
}
/*uint arrd = (uint)(maddress + origThunk.AddressOfData);
* if ((arrd & 0x80000000) == 0x80000000) {
* break;
* }*/
// Read name
IntPtr pName = (IntPtr)(maddress + origThunk.AddressOfData);
SImageImportByName byName = (SImageImportByName)Marshal.PtrToStructure(pName, typeof(SImageImportByName));
if (byName.Name[0] == 0)
{
break;
}
// Read memory state
SMemoryBasicInformation mbi = new SMemoryBasicInformation();
//RKernel32.VirtualQuery((uint)pFt.ToInt32(), ref mbi, miSize);
RKernel32.VirtualQuery(realThunk.Function, ref mbi, miSize);
// TrunkInfo
FTrunkInfo info = new FTrunkInfo();
info.Name = RAscii.GetString(byName.Name);
info.Address = origThunk.Function;
//info.Entry = (IntPtr)(maddress + origThunk.Function);
info.Entry = (IntPtr)realThunk.Function;
info.Hint = byName.Hint;
info.MemAllocationBase = mbi.AllocationBase;
info.MemAllocationProtect = mbi.AllocationProtect;
info.MemBaseAddress = mbi.BaseAddress;
info.MemProtect = mbi.Protect;
info.MemRegionSize = mbi.RegionSize;
info.MemState = mbi.State;
info.MemType = mbi.Type;
infos.Push(info);
// Loop
pOrgFt = (IntPtr)(pOrgFt.ToInt32() + ftSize);
pFt = (IntPtr)(pFt.ToInt32() + ftSize);
}
return(infos.ToArray());
}
public bool Open()
{
// Dos header
SImageDosHeader dosHeader = _process.ReadStructure <SImageDosHeader>(_handle);
if (dosHeader.e_magic != (uint)EImageSignature.Dos)
{
return(false);
}
_dosHeader = dosHeader;
// Nt header
IntPtr pNtHeader = (IntPtr)(_handle.ToInt32() + dosHeader.e_lfanew);
SImageNtHeaders ntHeaders = _process.ReadStructure <SImageNtHeaders>(pNtHeader);
if (ntHeaders.Signature != (uint)EImageSignature.Nt)
{
return(false);
}
_ntHeaders = ntHeaders;
// Fetch trunks
SImageDataDirectory idd = ntHeaders.OptionalHeader.DataDirectory[(int)EImageDirectoryEntry.Import];
if (idd.VirtualAddress == 0)
{
return(false);
}
// Import
uint maddress = (uint)_handle.ToInt32();
IntPtr pIdHeader = (IntPtr)(maddress + idd.VirtualAddress);
SImageImportDescriptor impDesc = _process.ReadStructure <SImageImportDescriptor>(pIdHeader);
if (impDesc.Name == 0)
{
return(false);
}
// Get module Name
// IntPtr moduleNamePtr = (IntPtr)(maddress + impDesc.Name);
// Trunk
IntPtr pOrgFt = (IntPtr)(maddress + impDesc.OriginalFirstThunk);
IntPtr pFt = (IntPtr)(maddress + impDesc.FirstThunk);
int ftSize = Marshal.SizeOf(typeof(SImageThunkData32));
int miSize = Marshal.SizeOf(typeof(SMemoryBasicInformation));
_trunks = new FTrunkInfoCollection();
while (true)
{
SImageThunkData32 origThunk = _process.ReadStructure <SImageThunkData32>(pOrgFt);
SImageThunkData32 realThunk = _process.ReadStructure <SImageThunkData32>(pFt);
if (origThunk.Function == 0)
{
break;
}
if ((origThunk.Ordinal & 0x80000000) == 0x80000000)
{
break;
}
// Read name
IntPtr pName = (IntPtr)(maddress + origThunk.AddressOfData);
SImageImportByName byName = _process.ReadStructure <SImageImportByName>(pName);
if (byName.Name[0] == 0)
{
break;
}
// Read memory state
SMemoryBasicInformation mbi = new SMemoryBasicInformation();
//RKernel32.VirtualQuery((uint)pFt.ToInt32(), ref mbi, miSize);
RKernel32.VirtualQueryEx(_process.Handle, realThunk.Function, ref mbi, miSize);
// TrunkInfo
FTrunkInfo trunk = new FTrunkInfo();
trunk.Name = RAscii.GetString(byName.Name);
trunk.Address = origThunk.Function;
//info.Entry = (IntPtr)(maddress + origThunk.Function);
trunk.Entry = (IntPtr)realThunk.Function;
trunk.EntryPtr = pFt;
trunk.Hint = byName.Hint;
trunk.MemAllocationBase = mbi.AllocationBase;
trunk.MemAllocationProtect = mbi.AllocationProtect;
trunk.MemBaseAddress = mbi.BaseAddress;
trunk.MemProtect = mbi.Protect;
trunk.MemRegionSize = mbi.RegionSize;
trunk.MemState = mbi.State;
trunk.MemType = mbi.Type;
_trunks.Push(trunk);
// Loop
pOrgFt = (IntPtr)(pOrgFt.ToInt32() + ftSize);
pFt = (IntPtr)(pFt.ToInt32() + ftSize);
}
return(true);
}
