/// <summary>
/// Lazily yields the entries of the <c>ProcessHeaps</c> pointer array referenced by the
/// <c>_PEB</c> located at <paramref name="pebAddress"/>.
/// </summary>
/// <param name="pebAddress">Address of the <c>_PEB</c> structure to inspect.</param>
/// <returns>
/// One pointer per array slot, <c>NumberOfHeaps</c> slots in total. The sequence is empty when
/// <c>ProcessHeaps</c> is null or when <c>NumberOfHeaps</c> cannot be read.
/// </returns>
public static IEnumerable<IntPtr> EnumerateHeaps(IntPtr pebAddress)
{
    // Field locations are looked up by name through the "_PEB" layout description rather than
    // hard-coded, so the routine follows whatever layout DbgOffset reports.
    DbgOffset pebLayout = DbgOffset.Get("_PEB");

    // ProcessHeaps holds the address of an array of pointers; dereference the field once.
    IntPtr heapArrayBase = pebLayout.GetPointer(pebAddress, "ProcessHeaps").ReadPtr();
    if (heapArrayBase == IntPtr.Zero)
    {
        yield break;
    }

    if (!pebLayout.TryRead<int>(pebAddress, "NumberOfHeaps", out int heapCount))
    {
        yield break;
    }

    // NOTE(review): heapCount is taken straight from the inspected memory and is the only loop
    // bound. A wrong pebAddress or a corrupted PEB makes this loop dereference addresses well
    // past the real array; consider clamping it (for example against _PEB.MaximumNumberOfHeaps)
    // before trusting it.
    int slotIndex = 0;
    while (slotIndex < heapCount)
    {
        // Each slot is pointer-sized, so the stride is IntPtr.Size bytes.
        IntPtr slotAddress = heapArrayBase + (IntPtr.Size * slotIndex);
        yield return slotAddress.ReadPtr();
        slotIndex++;
    }
}
/// <summary>
/// Console demo that locates this process's own <c>_EPROCESS</c> through a kernel memory
/// device, unlinks its <c>ActiveProcessLinks</c> entry while the user watches Task Manager,
/// and then restores the link.
/// </summary>
/// <remarks>
/// Defender's view: unlinking removes the process only from enumeration that walks
/// <c>ActiveProcessLinks</c>; the process object itself stays alive and keeps running.
/// Cross-view comparison (the list walk against other kernel bookkeeping such as thread or
/// handle tables) and alerting on the loading of drivers that expose arbitrary kernel
/// read/write are the usual detection points for this class of tampering.
/// </remarks>
static void Main(string[] _)
{
    int ownPid = Process.GetCurrentProcess().Id;
    Console.WriteLine($"ThisPID: {ownPid}");

    IntPtr ethreadAddress = GetEThread(ownPid);
    if (ethreadAddress == IntPtr.Zero)
    {
        Console.WriteLine("THREAD handle not found");
        return;
    }

    Console.WriteLine($"_ETHREAD address: {ethreadAddress.ToInt64():x}");
    Console.WriteLine();

    // KernelMemoryIO is disposed on every exit path below, including the early returns.
    // The failure message suggests it wraps a driver device handle (not visible here).
    using (KernelMemoryIO kernelIO = new KernelMemoryIO())
    {
        if (!kernelIO.IsInitialized)
        {
            Console.WriteLine("Failed to open device");
            return;
        }

        // Sanity check: read the thread's _CLIENT_ID and stop unless it names this process.
        // +0x648 Cid : _CLIENT_ID   (offset from the author's dump; the code resolves the
        // field by name, so the number is informational only)
        IntPtr cidAddress = _ethreadOffset.GetPointer(ethreadAddress, "Cid");
        _CLIENT_ID clientId = kernelIO.ReadMemory<_CLIENT_ID>(cidAddress);

        Console.WriteLine($"PID: {clientId.Pid} ({clientId.Pid:x})");
        Console.WriteLine($"TID: {clientId.Tid} ({clientId.Tid:x})");

        if (clientId.Pid != ownPid)
        {
            // NOTE(review): exits silently; a mismatch here means the _ETHREAD address does
            // not belong to this process and nothing further is touched.
            return;
        }

        // +0x220 Process : Ptr64 _KPROCESS   (same caveat on the offset as above)
        // The _KTHREAD layout is applied to the _ETHREAD address; presumably this relies on
        // _KTHREAD being the leading member of _ETHREAD - confirm against the symbols in use.
        IntPtr processFieldAddress = _kthreadOffset.GetPointer(ethreadAddress, "Process");
        IntPtr eprocessAddress = kernelIO.ReadMemory<IntPtr>(processFieldAddress);
        IntPtr linksAddress = _eprocessOffset.GetPointer(eprocessAddress, "ActiveProcessLinks");

        // The prompts say "any key", but Console.ReadLine() waits for Enter.
        Console.WriteLine("Press any key to hide this process from Task Manager");
        Console.ReadLine();

        IntPtr removedEntry = IntPtr.Zero;
        try
        {
            removedEntry = Unlink(kernelIO, linksAddress);

            Console.WriteLine();
            Console.WriteLine("Press any key to unhide this process");
            Console.ReadLine();
        }
        finally
        {
            // Runs even when Unlink throws, so the list is not left modified on an error path.
            // NOTE(review): in that case removedEntry is still IntPtr.Zero - confirm that
            // RestoreLink treats a zero entry as a no-op rather than writing through it.
            RestoreLink(kernelIO, removedEntry);
        }

        Console.WriteLine("Check this process appeared again in Task Manager");
        Console.WriteLine("Press any key to exit");
        Console.ReadLine();
    }
}