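        /// <summary>
        /// Resolves the kernel variables the hidden-object scan depends on and
        /// reads their current values through the KProcessHacker driver.
        /// </summary>
        /// <returns>
        /// A <see cref="KVars"/> whose <c>*Address</c> fields hold the symbol
        /// addresses resolved from the loaded kernel image and whose value fields
        /// hold the bytes read from those addresses.
        /// </returns>
        /// <exception cref="InvalidOperationException">
        /// Thrown when the driver returns fewer bytes than requested for any of
        /// the four variables, so a partially filled structure is never handed
        /// to the caller.
        /// </exception>
        private unsafe KVars GetKVars()
        {
            KVars vars = new KVars();

            // The provider owns native symbol state and was disposed explicitly;
            // a using block guarantees the release even when a symbol lookup
            // throws (e.g. a missing or mismatched kernel symbol).
            using (SymbolProvider symbols = new SymbolProvider())
            {
                symbols.LoadModule(Windows.KernelFileName, Windows.KernelBase);

                vars.NonPagedPoolStartAddress = symbols.GetSymbolFromName("MmNonPagedPoolStart").Address.ToIntPtr();
                vars.NonPagedPoolSizeAddress  = symbols.GetSymbolFromName("MmMaximumNonPagedPoolInBytes").Address.ToIntPtr();
                vars.PsProcessTypeAddress     = symbols.GetSymbolFromName("PsProcessType").Address.ToIntPtr();
                vars.PsThreadTypeAddress      = symbols.GetSymbolFromName("PsThreadType").Address.ToIntPtr();
            }

            // Destination sizes mirror the original reads: pointer-sized for the
            // three pointer values, sizeof(uint) for the pool size in bytes.
            ReadKernelValue("MmNonPagedPoolStart", vars.NonPagedPoolStartAddress, &vars.NonPagedPoolStart, IntPtr.Size);
            ReadKernelValue("MmMaximumNonPagedPoolInBytes", vars.NonPagedPoolSizeAddress, &vars.NonPagedPoolSize, sizeof(uint));
            ReadKernelValue("PsProcessType", vars.PsProcessTypeAddress, &vars.PsProcessType, IntPtr.Size);
            ReadKernelValue("PsThreadType", vars.PsThreadTypeAddress, &vars.PsThreadType, IntPtr.Size);

            return vars;
        }

        /// <summary>
        /// Reads exactly <paramref name="length"/> bytes of kernel memory at
        /// <paramref name="address"/> into <paramref name="buffer"/> through the
        /// KProcessHacker driver.
        /// </summary>
        /// <param name="name">Symbol name, used only in the error message.</param>
        /// <param name="address">Kernel virtual address to read from.</param>
        /// <param name="buffer">Destination; must have room for <paramref name="length"/> bytes.</param>
        /// <param name="length">Number of bytes that must be read.</param>
        /// <exception cref="InvalidOperationException">
        /// Thrown when the driver reports a byte count other than <paramref name="length"/>.
        /// </exception>
        private static unsafe void ReadKernelValue(string name, IntPtr address, void* buffer, int length)
        {
            int bytesRead;

            // The driver entry point takes a 32-bit address, as in the original
            // calls; IntPtr.ToInt32 throws OverflowException for a value that
            // does not fit, which is preferable to silently truncating it.
            KProcessHacker.Instance.KphReadVirtualMemoryUnsafe(
                ProcessHandle.Current,
                address.ToInt32(),
                buffer,
                length,
                out bytesRead
                );

            // A short read leaves part of the destination at its default value,
            // which the caller cannot tell apart from real data.
            if (bytesRead != length)
            {
                throw new InvalidOperationException(
                    string.Format("Short read of kernel variable {0}: expected {1} bytes, got {2}.", name, length, bytesRead));
            }
        }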
        /// <summary>
        /// Walks the kernel non-paged pool one page at a time; judging by the
        /// name and the PsProcessType/PsThreadType variables it is presumably
        /// meant to find object headers not reachable through the normal lists.
        /// Currently disabled: the <see cref="NotSupportedException"/> thrown
        /// right after <see cref="GetKVars"/> makes everything below it
        /// unreachable, so the scan loop is an unfinished sketch.
        /// </summary>
        /// <exception cref="NotSupportedException">Always thrown while the scan is disabled.</exception>
        private unsafe void ScanHiddenObjects()
        {
            // The kernel variables are resolved before the guard, so the symbol
            // load and driver reads still run even though the result is unused.
            KVars vars = this.GetKVars();
            // Assigned by the read below but never examined, so short reads go
            // unnoticed.
            int   bytesRead;

            // Feature switch: every statement after this line is dead code
            // (compiler warning CS0162) until the throw is removed.
            throw new NotSupportedException();

            listHiddenObjects.Items.Clear();

            // One scratch page reused for every read; released when the scan ends.
            using (var currentPage = new MemoryAlloc(Windows.PageSize))
            {
                // CompareTo/Increment are presumably project IntPtr helpers (not
                // visible here); the loop runs while address < start + size and
                // relies on CompareTo returning exactly -1 for "less than".
                for (
                    IntPtr address = vars.NonPagedPoolStart;
                    address.CompareTo(vars.NonPagedPoolStart.Increment(vars.NonPagedPoolSize)) == -1;
                    address = address.Increment(Windows.PageSize)
                    )
                {
                    // Pages that cannot be read are skipped. The bare catch also
                    // hides every other failure (driver errors included), which
                    // is silently folded into "skip this page".
                    try
                    {
                        KProcessHacker.Instance.KphReadVirtualMemoryUnsafe(
                            ProcessHandle.Current,
                            address.ToInt32(),
                            (IntPtr)currentPage,
                            Windows.PageSize,
                            out bytesRead
                            );
                    }
                    catch
                    {
                        continue;
                    }

                    // Intended per-object walk across the page in 8-byte steps;
                    // the body was never written, so nothing is inspected and
                    // nothing is ever added to listHiddenObjects.
                    for (
                        IntPtr inner = address;
                        inner.CompareTo(address.Increment(Windows.PageSize)) == -1;
                        inner = inner.Increment(8)
                        )
                    {
                    }

                    // Progress is reported per page. DoEvents pumps the UI
                    // message loop so the label repaints, at the cost of
                    // re-entrancy into other handlers while the scan runs.
                    labelObjectsScanProgress.Text = string.Format("Scanned 0x{0:x8}", address.ToInt32());
                    Application.DoEvents();
                }
            }

            labelObjectsScanProgress.Text = "Finished.";
        }
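        /// <summary>
        /// Looks up the kernel variables used by the hidden-object scan in the
        /// kernel's symbols and reads their current values via the
        /// KProcessHacker driver.
        /// </summary>
        /// <returns>
        /// A <see cref="KVars"/> with the resolved symbol addresses in its
        /// <c>*Address</c> fields and the values read from kernel memory in the
        /// corresponding value fields.
        /// </returns>
        /// <exception cref="InvalidOperationException">
        /// Thrown when any driver read returns fewer bytes than the size of the
        /// destination field, so the caller never receives partial data.
        /// </exception>
        private unsafe KVars GetKVars()
        {
            KVars vars = new KVars();

            // Scope the symbol provider so it is released even if LoadModule or
            // a symbol lookup throws; the original only disposed on the happy path.
            using (SymbolProvider symbols = new SymbolProvider())
            {
                symbols.LoadModule(Windows.KernelFileName, Windows.KernelBase);

                vars.NonPagedPoolStartAddress = symbols.GetSymbolFromName("MmNonPagedPoolStart").Address.ToIntPtr();
                vars.NonPagedPoolSizeAddress = symbols.GetSymbolFromName("MmMaximumNonPagedPoolInBytes").Address.ToIntPtr();
                vars.PsProcessTypeAddress = symbols.GetSymbolFromName("PsProcessType").Address.ToIntPtr();
                vars.PsThreadTypeAddress = symbols.GetSymbolFromName("PsThreadType").Address.ToIntPtr();
            }

            int bytesRead;

            // Every read is checked against the requested length: a short read
            // would leave the rest of the field at its default value and the
            // caller could not distinguish that from a genuine kernel value.
            // The driver takes 32-bit addresses; ToInt32 throws on overflow
            // rather than truncating.
            KProcessHacker.Instance.KphReadVirtualMemoryUnsafe(
                ProcessHandle.Current,
                vars.NonPagedPoolStartAddress.ToInt32(),
                &vars.NonPagedPoolStart,
                IntPtr.Size,
                out bytesRead
                );
            if (bytesRead != IntPtr.Size)
            {
                throw new InvalidOperationException("Short read of MmNonPagedPoolStart.");
            }

            KProcessHacker.Instance.KphReadVirtualMemoryUnsafe(
                ProcessHandle.Current,
                vars.NonPagedPoolSizeAddress.ToInt32(),
                &vars.NonPagedPoolSize,
                sizeof(uint),
                out bytesRead
                );
            if (bytesRead != sizeof(uint))
            {
                throw new InvalidOperationException("Short read of MmMaximumNonPagedPoolInBytes.");
            }

            KProcessHacker.Instance.KphReadVirtualMemoryUnsafe(
                ProcessHandle.Current,
                vars.PsProcessTypeAddress.ToInt32(),
                &vars.PsProcessType,
                IntPtr.Size,
                out bytesRead
                );
            if (bytesRead != IntPtr.Size)
            {
                throw new InvalidOperationException("Short read of PsProcessType.");
            }

            KProcessHacker.Instance.KphReadVirtualMemoryUnsafe(
                ProcessHandle.Current,
                vars.PsThreadTypeAddress.ToInt32(),
                &vars.PsThreadType,
                IntPtr.Size,
                out bytesRead
                );
            if (bytesRead != IntPtr.Size)
            {
                throw new InvalidOperationException("Short read of PsThreadType.");
            }

            return vars;
        }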