/// <summary>
/// Queries the kernel for the Kernel VA Shadow flags and stores them in <c>SystemInfo</c>.
/// </summary>
/// <remarks>
/// The flags are only reachable through the native NtQuerySystemInformation call. Microsoft
/// documents the information class; 18 bits of the 32-bit bit field are currently unused.
/// </remarks>
/// <exception cref="NotImplementedException">
/// The kernel answered STATUS_INVALID_INFO_CLASS or STATUS_NOT_IMPLEMENTED, i.e. it does not
/// expose this information class.
/// </exception>
/// <exception cref="Win32Exception">
/// Any other non-zero NTSTATUS was returned.
/// </exception>
private void RetrieveFlags()
{
    // NTSTATUS values written in their usual hexadecimal form; the casts yield the same
    // signed values the native call returns (-1073741821 and -1073741822).
    const int statusSuccess = 0;
    const int statusInvalidInfoClass = unchecked((int)0xC0000003);
    const int statusNotImplemented = unchecked((int)0xC0000002);

    WriteConsoleVerbose($"Retrieving {Name} info ...");

    // The length handed to the kernel is derived from the same type that receives the
    // output, so the two cannot drift apart.
    const int flagsSize = sizeof(KernelVaShadowFlags);
    WriteConsoleDebug($"Size of {nameof(KernelVaShadowFlags)} bit field: {flagsSize} bytes");

    var status = NtQuerySystemInformation(SYSTEM_INFORMATION_CLASS.SystemKernelVaShadowInformation,
                                          out var flags,
                                          flagsSize,
                                          IntPtr.Zero);

    if (status == statusSuccess)
    {
        SystemInfo = flags;
        return;
    }

    if (status == statusInvalidInfoClass || status == statusNotImplemented)
    {
        // NOTE(review): SystemInfo is left unassigned on this path. Callers should report the
        // mitigation state as unavailable rather than reading a default value as "all flags
        // clear" - confirm against the callers.
        throw new NotImplementedException($"System support for querying {Name} information not present.");
    }

    WriteConsoleVerbose($"Error requesting {Name} information: {status}");

    // NOTE(review): GetSymbolicNtStatus is defined elsewhere. If it returns an int, Win32Exception
    // would interpret it as a Win32 error code rather than an NTSTATUS - confirm it returns the
    // symbolic name as a string.
    var statusName = GetSymbolicNtStatus(status);
    throw new Win32Exception(statusName);
}
/// <summary>
/// Native NtQuerySystemInformation entry point, declared with a <c>KernelVaShadowFlags</c>
/// output so it can be used for the Kernel VA Shadow query made by <c>RetrieveFlags</c>.
/// </summary>
/// <param name="systemInformationClass">
/// Information class to query; <c>RetrieveFlags</c> passes <c>SystemKernelVaShadowInformation</c>.
/// </param>
/// <param name="systemInformation">Receives the flags bit field written by the call.</param>
/// <param name="systemInformationLength">
/// Size in bytes of the output value. <c>RetrieveFlags</c> passes <c>sizeof(KernelVaShadowFlags)</c>;
/// keep the two in sync, because this declaration hard-wires the output type.
/// </param>
/// <param name="returnLength">
/// Pointer-sized argument for the returned length; <c>RetrieveFlags</c> passes <c>IntPtr.Zero</c>.
/// </param>
/// <returns>
/// The NTSTATUS as a signed 32-bit integer; <c>RetrieveFlags</c> treats 0 as success.
/// </returns>
// NOTE(review): no [DllImport] attribute is visible on this declaration in the listing. The
// export normally lives in ntdll.dll - confirm the attribute is present in the file.
private static extern int NtQuerySystemInformation(SYSTEM_INFORMATION_CLASS systemInformationClass, out KernelVaShadowFlags systemInformation, uint systemInformationLength, IntPtr returnLength);