/// <summary>
/// Turn a raw reparse data blob into the matching typed reparse buffer.
/// </summary>
/// <param name="ba">The raw bytes, beginning with the reparse tag.</param>
/// <returns>
/// The parsed reparse buffer. When the length declared in the header does not match
/// the bytes actually present, an opaque buffer wrapping the remaining bytes is returned instead.
/// </returns>
/// <remarks>
/// A blob too short to hold the 8-byte header makes the BinaryReader reads throw
/// rather than producing an opaque buffer.
/// </remarks>
public static ReparseBuffer FromByteArray(byte[] ba)
{
    BinaryReader reader = new BinaryReader(new MemoryStream(ba), Encoding.Unicode);

    // Fixed header: 32-bit tag, 16-bit payload length, 16-bit reserved field (read and discarded).
    ReparseTag tag = (ReparseTag)reader.ReadUInt32();
    int data_length = reader.ReadUInt16();
    reader.ReadUInt16();

    long available = reader.RemainingLength();

    // Non-Microsoft tags carry 16 more bytes than the declared payload length
    // (presumably the vendor GUID - confirm against the buffer layout).
    long wanted = NtFileUtils.IsReparseTagMicrosoft(tag) ? data_length : data_length + 16L;

    // NOTE(review): reparse data should be treated as untrusted input. This length comparison is
    // the only validation visible here; field-level bounds checks are presumably the job of each
    // ParseBuffer implementation - confirm.
    if (available != wanted)
    {
        // Length mismatch means a corrupted buffer: keep everything up to the end as opaque data.
        return new OpaqueReparseBuffer(tag, reader.ReadToEnd());
    }

    ReparseBuffer parsed;
    switch (tag)
    {
        case ReparseTag.MOUNT_POINT:
            parsed = new MountPointReparseBuffer();
            break;
        case ReparseTag.SYMLINK:
            parsed = new SymlinkReparseBuffer(false);
            break;
        case ReparseTag.GLOBAL_REPARSE:
            parsed = new SymlinkReparseBuffer(true);
            break;
        case ReparseTag.APPEXECLINK:
            parsed = new ExecutionAliasReparseBuffer();
            break;
        default:
            // Tags without a dedicated parser: opaque for Microsoft tags, generic otherwise.
            parsed = NtFileUtils.IsReparseTagMicrosoft(tag)
                ? (ReparseBuffer)new OpaqueReparseBuffer(tag)
                : new GenericReparseBuffer(tag);
            break;
    }

    parsed.ParseBuffer(data_length, reader);
    return parsed;
}
/// <summary>
/// Enumerate the hives recorded under the system hivelist registry key.
/// </summary>
/// <param name="convert_file_to_dos">True to convert each hive's file path to a DOS path.</param>
/// <returns>A read-only list with one entry per named value in the hivelist key.</returns>
public static IReadOnlyList<NtKeyHive> GetHiveList(bool convert_file_to_dos)
{
    var result = new List<NtKeyHive>();

    // The key is opened with QueryValue access only; nothing more is needed to read the list.
    using (var hivelist = NtKey.Open(@"\registry\machine\system\currentcontrolset\control\hivelist",
        null, KeyAccessRights.QueryValue))
    {
        foreach (var entry in hivelist.QueryValues())
        {
            // Values with an empty name are not hive entries (presumably the key's default value).
            if (entry.Name == "")
            {
                continue;
            }

            string path = entry.ToString();
            result.Add(new NtKeyHive(entry.Name,
                convert_file_to_dos ? NtFileUtils.NtFileNameToDos(path) : path));
        }
    }

    return result.AsReadOnly();
}
/// <summary>
/// Create a Window Station by name, using a keyboard layout DLL.
/// </summary>
/// <param name="object_attributes">Object attributes for the Window Station.</param>
/// <param name="desired_access">Desired access for the Window Station.</param>
/// <param name="kbd_dll_path">Path to the keyboard DLL, e.g. kbusa.dll.</param>
/// <param name="language_id">Language ID, e.g. 0x409. Passed to the system call as an 8-digit upper-case hex string.</param>
/// <param name="keyboard_locale">Locale ID, e.g. 0x4090409.</param>
/// <param name="throw_on_error">True to throw on error.</param>
/// <returns>The Window Station, or the failure result from the step that failed.</returns>
public static NtResult<NtWindowStation> Create(ObjectAttributes object_attributes, WindowStationAccessRights desired_access,
    string kbd_dll_path, int language_id, int keyboard_locale, bool throw_on_error)
{
    string resolved_path;
    IntPtr layout_off;
    IntPtr nls_off;

    // NOTE(review): the DLL is loaded with LoadLibraryFlags.None. If that is a regular image load,
    // a bare file name is resolved through the normal DLL search order and the module's entry point
    // runs in this process, so callers should pass a trusted, fully qualified path - confirm.
    using (var library = SafeLoadLibraryHandle.LoadLibrary(kbd_dll_path, LoadLibraryFlags.None, throw_on_error))
    {
        if (!library.IsSuccess)
        {
            return library.Cast<NtWindowStation>();
        }

        var module = library.Result;
        resolved_path = module.FullPath;
        layout_off = GetKdbLayoutOffset(module, 1);
        nls_off = GetKdbLayoutOffset(module, 2);
    }

    // Zero-filled scratch buffer handed to the system call; the 0x318 size is hard-coded
    // and its meaning is not visible from this method.
    using (var scratch = new SafeHGlobalBuffer(0x318))
    {
        BufferUtils.FillBuffer(scratch, 0);

        var access = FileAccessRights.GenericRead | FileAccessRights.Synchronize;
        var share = FileShareMode.Read | FileShareMode.Delete;
        var options = FileOpenOptions.NonDirectoryFile | FileOpenOptions.SynchronousIoNonAlert;

        // NOTE(review): the offsets above came from the module loaded (and since released) earlier;
        // the file is reopened by path here, so they only hold if the file on disk is unchanged.
        using (var dll_file = NtFile.Open(NtFileUtils.DosFileNameToNt(resolved_path), null,
            access, share, options, throw_on_error))
        {
            if (!dll_file.IsSuccess)
            {
                return dll_file.Cast<NtWindowStation>();
            }

            var station = NtSystemCalls.NtUserCreateWindowStation(object_attributes, desired_access,
                dll_file.Result.Handle, layout_off, nls_off, scratch,
                new UnicodeString($"{language_id:X08}"), keyboard_locale);

            if (!station.IsInvalid)
            {
                return new NtWindowStation(station).CreateResult();
            }

            return NtObjectUtils.CreateResultFromDosError<NtWindowStation>(throw_on_error);
        }
    }
}