/// <summary>
/// Returns the object type name that NtQueryObject reports for <paramref name="handle"/>.
/// </summary>
/// <param name="handle">Handle to query; it is passed unchanged to NtQueryObject.</param>
/// <returns>The TypeName field of the returned OBJECT_TYPE_INFORMATION, converted to a string.</returns>
/// <remarks>
/// A final status that is not a success code is converted with
/// ErrorHelper.GetIoExceptionForNTStatus and thrown.
/// </remarks>
public static string GetObjectType(SafeHandle handle)
{
    using (HeapBuffer scratch = new HeapBuffer())
    {
        // First guess: the fixed structure plus room for a 50 character type name.
        uint requiredBytes = (uint)Marshal.SizeOf<OBJECT_TYPE_INFORMATION>() + 50 * sizeof(char);
        NTSTATUS result;

        // Query at least once, then retry for as long as the call reports that the
        // buffer was too small. Each pass resizes to the length the previous call returned.
        // NOTE(review): termination relies on the returned length exceeding the current
        // capacity whenever one of these statuses comes back - confirm, or cap the retries.
        do
        {
            scratch.EnsureByteCapacity(requiredBytes);

            // The raw pointer is only used inside the using block, while the buffer is alive.
            result = Direct.NtQueryObject(
                Handle: handle,
                ObjectInformationClass: OBJECT_INFORMATION_CLASS.ObjectTypeInformation,
                ObjectInformation: scratch.DangerousGetHandle(),
                ObjectInformationLength: checked((uint)scratch.ByteCapacity),
                ReturnLength: out requiredBytes);
        }
        while (result == NTSTATUS.STATUS_BUFFER_OVERFLOW
            || result == NTSTATUS.STATUS_BUFFER_TOO_SMALL
            || result == NTSTATUS.STATUS_INFO_LENGTH_MISMATCH);

        if (!ErrorMacros.NT_SUCCESS(result))
        {
            throw ErrorHelper.GetIoExceptionForNTStatus(result);
        }

        CheckedReader reader = new CheckedReader(scratch);
        return reader.ReadStruct<OBJECT_TYPE_INFORMATION>().TypeName.ToString();
    }
}
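/// <summary>
/// Upper-cases <paramref name="value"/> in place by calling RtlUpcaseUnicodeString with the
/// same UNICODE_STRING as both destination and source.
/// </summary>
/// <param name="value">The string to convert; its contents are overwritten.</param>
/// <remarks>
/// On a non-success status the exception built by ErrorMethods.GetIoExceptionForNTStatus is
/// thrown. Previously that exception was created and discarded, so a failed conversion
/// returned silently and the caller kept using a string that had not been upper-cased.
/// </remarks>
public static unsafe void ToUpperInvariant(ref UNICODE_STRING value)
{
    // NOTE(review): the address is taken without a visible `fixed` statement; confirm that
    // callers only pass stack or otherwise pinned storage so it cannot move during the call.
    UNICODE_STRING* target = (UNICODE_STRING*)Structs.AddressOf(ref value);

    // The final argument is false; in the native API this position is
    // AllocateDestinationString, so the existing buffer is reused - TODO confirm the
    // wrapper keeps the native parameter order.
    NTSTATUS status = Imports.RtlUpcaseUnicodeString(target, target, false);

    if (!ErrorMacros.NT_SUCCESS(status))
    {
        // The helper only builds the exception; it must be thrown here to surface the failure.
        throw ErrorMethods.GetIoExceptionForNTStatus(status);
    }
}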
/// <summary>
/// Get the name of the given handle. This is typically the NT path of the object.
/// </summary>
/// <param name="handle">Handle to query; it is passed unchanged to NtQueryObject.</param>
/// <returns>The UNICODE_STRING at the start of the returned data, converted to a string.</returns>
/// <remarks>
/// A final status that is not a success code is converted with
/// ErrorHelper.GetIoExceptionForNTStatus and thrown.
/// </remarks>
public static string GetObjectName(SafeHandle handle)
{
    // IoQueryFileDosDeviceName wraps this for file handles, but it requires calling
    // ExFreePool to free the memory it allocates.
    // https://msdn.microsoft.com/en-us/library/windows/hardware/ff548474.aspx
    //
    // http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FNT%20Objects%2FType%20independed%2FOBJECT_NAME_INFORMATION.html
    //
    //  typedef struct _OBJECT_NAME_INFORMATION
    //  {
    //       UNICODE_STRING Name;
    //       WCHAR NameBuffer[0];
    //  } OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION;
    //
    // Given that layout, the API wants one buffer: the UNICODE_STRING header first, with
    // the character data immediately after it.
    //
    // NOTE(review): ObjectNameInformation queries are reported to block on some handles
    // (for example synchronous pipe handles with an outstanding operation); confirm that
    // callers can tolerate the wait or only pass handles they control.
    using (HeapBuffer scratch = new HeapBuffer())
    {
        // First guess: 260 characters' worth of bytes.
        uint requiredBytes = 260 * sizeof(char);
        NTSTATUS result;

        // Query at least once, then retry while the call reports that the buffer was too
        // small. Each pass resizes to the length the previous call returned.
        // NOTE(review): STATUS_INFO_LENGTH_MISMATCH is not retried here - confirm that is intended.
        do
        {
            scratch.EnsureByteCapacity(requiredBytes);

            // The raw pointer is only used inside the using block, while the buffer is alive.
            result = Direct.NtQueryObject(
                Handle: handle,
                ObjectInformationClass: OBJECT_INFORMATION_CLASS.ObjectNameInformation,
                ObjectInformation: scratch.DangerousGetHandle(),
                ObjectInformationLength: checked((uint)scratch.ByteCapacity),
                ReturnLength: out requiredBytes);
        }
        while (result == NTSTATUS.STATUS_BUFFER_OVERFLOW
            || result == NTSTATUS.STATUS_BUFFER_TOO_SMALL);

        if (!ErrorMacros.NT_SUCCESS(result))
        {
            throw ErrorHelper.GetIoExceptionForNTStatus(result);
        }

        CheckedReader reader = new CheckedReader(scratch);
        return reader.ReadStruct<UNICODE_STRING>().ToString();
    }
}