static void DumpProcessEntry(NtProcess entry, HashSet<string> mitigation_filter, bool all_mitigations, bool print_command_line) { try { NtProcessMitigations mitigations = entry.Mitigations; Console.WriteLine("Process Mitigations: {0,8} - {1}", entry.ProcessId, entry.GetImageFilePath(false)); if (print_command_line) { Console.WriteLine("Command Line: {0}", GetCommandLine(entry)); } IEnumerable<PropertyInfo> props = _props.Values.Where(p => mitigation_filter.Count == 0 || mitigation_filter.Contains(p.Name)); foreach (PropertyInfo prop in props.OrderBy(p => p.Name)) { object value = prop.GetValue(mitigations); if (!all_mitigations && (value is bool)) { if (!(bool)value) { continue; } } FormatEntry(prop.Name, prop.GetValue(mitigations)); } Console.WriteLine(); } catch (NtException) { // Can end up here if the process is exiting. } }
private void AddThreads(NtProcess entry) { using (DisposableList<NtThread> threads = new DisposableList<NtThread>(entry.GetThreads(ThreadAccessRights.QueryInformation))) { foreach (NtThread thread in threads) { try { using (NtToken token = thread.OpenToken()) { if (token != null) { ListViewItem item = new ListViewItem(String.Format("{0} - {1}", entry.ProcessId, entry.Name)); item.SubItems.Add(thread.ThreadId.ToString()); item.SubItems.Add(token.User.ToString()); item.SubItems.Add(token.ImpersonationLevel.ToString()); item.Tag = thread.Duplicate(); listViewThreads.Items.Add(item); } } } catch (NtException) { } } } }
static string GetCommandLine(NtProcess process) { try { return process.CommandLine; } catch (NtException) { return String.Empty; } }
private static NtToken GetToken(NtProcess process) { try { return process.OpenToken(); } catch (NtException) { return null; } }
private void AddProcessNode(NtProcess entry) { try { using (NtToken token = entry.OpenToken()) { TreeNode node = new TreeNode(String.Format("Pid: {0} - Name: {1} (User:{2}, IL: {3}, R: {4}, AC: {5})", entry.ProcessId, entry.Name, token.User, token.IntegrityLevel, token.Restricted, token.AppContainer)); node.Tag = entry.Duplicate(); treeViewProcesses.Nodes.Add(node); } } catch { // Do nothing } }
public T ReadType <T>(NtProcess process, long base_address) where T : struct { IConvertToNative <T> converter = (IConvertToNative <T>)_base_method.Value.Invoke(process, new object[] { base_address }); return(converter.Convert()); }
private static bool FilterCommandLine(NtProcess proc, string cmdline) { try { return proc.CommandLine.ToLower().Contains(cmdline); } catch { } return false; }
internal ProcessMemoryReader(NtProcess process) { _process = process; PointerSize = _process.Is64Bit ? 8 : 4; }
private NtProcess OpenSpecificProcess(ProcessAccessRights desired_access) { return(Current ? GetCurrentProcess(desired_access) : NtProcess.Open(ProcessId, desired_access)); }
/// <summary> /// Constructor. /// </summary> /// <param name="process">Process to parse from.</param> public NdrParser(NtProcess process) : this(process, null) { }
/// <summary> /// Parse NDR complex type information from a pickling structure. Used to extract explicit Encode/Decode method information. /// </summary> /// <param name="process">The process to read from.</param> /// <param name="midl_type_pickling_info">Pointer to the MIDL_TYPE_PICKLING_INFO structure.</param> /// <param name="midl_stub_desc">The pointer to the MIDL_STUB_DESC structure.</param> /// <param name="start_offsets">Offsets into the format string to the start of the types.</param> /// <returns>The list of complex types.</returns> /// <remarks>This function is used to extract type information for calls to NdrMesTypeDecode2. MIDL_TYPE_PICKLING_INFO is the second parameter, /// MIDL_STUB_DESC is the third (minus the offset).</remarks> public static IEnumerable <NdrComplexTypeReference> ReadPicklingComplexTypes(NtProcess process, IntPtr midl_type_pickling_info, IntPtr midl_stub_desc, params int[] start_offsets) { return(ReadPicklingComplexTypes(process, midl_type_pickling_info, midl_stub_desc, start_offsets, NdrParserFlags.IgnoreUserMarshal)); }
/// <summary> /// Constructor. /// </summary> /// <param name="process">Process to parse from.</param> /// <param name="symbol_resolver">Specify a symbol resolver to use for looking up symbols.</param> /// <param name="parser_flags">Flags which affect the parsing operation.</param> public NdrParser(NtProcess process, ISymbolResolver symbol_resolver, NdrParserFlags parser_flags) : this(CreateReader(process), process, symbol_resolver, parser_flags) { }
private static IEnumerable <NdrComplexTypeReference> ReadPicklingComplexTypes(NdrParserFlags parser_flags, NtProcess process, IntPtr midl_type_pickling_info, IntPtr midl_stub_desc, bool deref_stub_desc, Func <IMemoryReader, IntPtr, IEnumerable <int> > get_offsets) { NdrParser parser = new NdrParser(process, null, parser_flags); RunWithAccessCatch(() => parser.ReadTypes(midl_type_pickling_info, midl_stub_desc, deref_stub_desc, get_offsets)); return(parser.ComplexTypes); }
private bool CheckSession(NtProcess p, int check_session_id) { var session_id = p.GetSessionId(false); return(session_id.IsSuccess && session_id.Result == check_session_id); }
/// <summary> /// Create a new instance of a symbol resolver. /// </summary> /// <param name="process">The process in which the symbols should be resolved.</param> /// <param name="dbghelp_path">The path to dbghelp.dll, ideally should use the one which comes with Debugging Tools for Windows.</param> /// <param name="symbol_path">The symbol path.</param> /// <returns>The instance of a symbol resolver. Should be disposed when finished.</returns> public static ISymbolResolver Create(NtProcess process, string dbghelp_path, string symbol_path) { return(new DbgHelpSymbolResolver(process, dbghelp_path, symbol_path)); }
public static void AttachToProcess(Process[] processes, ChildDebuggingMode mode) { List <VsDebugTargetInfo2> targetList = new List <VsDebugTargetInfo2>(); IntPtr targetsBuffer = IntPtr.Zero; int targetSize = Marshal.SizeOf(typeof(VsDebugTargetInfo2)); int guidSize = Marshal.SizeOf(typeof(Guid)); try { foreach (Process process in processes) { NtProcess ntproc = new NtProcess(process.Id); VsDebugTargetInfo2 target = new VsDebugTargetInfo2(); DebugProcessOptions options = new DebugProcessOptions { ChildDebuggingMode = mode }; target.dwDebugEngineCount = 1; target.dwProcessId = (uint)process.Id; target.dlo = (uint)DEBUG_LAUNCH_OPERATION.DLO_AlreadyRunning; if (process.Threads.Count == 1) { // If this is a suspended process, then using DLO_AttachToSuspendedLaunchProcess will // bypass the initial loader breakpoint, causing a seamless and transparent attach. // This is usually the desired behavior, as child processes frequently startup and // shutdown, and it is intrusive to be constantly breaking into the debugger. ProcessThread mainThread = process.Threads[0]; if (mainThread.ThreadState == ThreadState.Wait && mainThread.WaitReason == ThreadWaitReason.Suspended) { target.dlo |= (uint)_DEBUG_LAUNCH_OPERATION4.DLO_AttachToSuspendedLaunchProcess; } } target.bstrExe = ntproc.Win32ProcessImagePath; target.cbSize = (uint)targetSize; target.bstrCurDir = null; target.guidPortSupplier = DkmIntegration.Guids.PortSupplier.Default; target.LaunchFlags = (uint)(__VSDBGLAUNCHFLAGS.DBGLAUNCH_Silent | __VSDBGLAUNCHFLAGS.DBGLAUNCH_WaitForAttachComplete); target.bstrOptions = options.OptionsString; target.pDebugEngines = Marshal.AllocCoTaskMem(guidSize); Marshal.StructureToPtr(DkmEngineId.NativeEng, target.pDebugEngines, false); targetList.Add(target); } int elementSize = Marshal.SizeOf(typeof(VsDebugTargetInfo2)); targetsBuffer = Marshal.AllocCoTaskMem(targetList.Count * elementSize); for (int i = 0; i < targetList.Count; ++i) { IntPtr writeAddr = targetsBuffer + i * elementSize; Marshal.StructureToPtr(targetList[i], writeAddr, false); } IVsDebugger2 debugger = (IVsDebugger2)VsPackage.GetGlobalService(typeof(SVsShellDebugger)); Core.Logger.Log("Launching {0} debug targets", processes.Length); int hr = debugger.LaunchDebugTargets2((uint)processes.Length, targetsBuffer); if (hr != 0) { IVsUIShell shell = (IVsUIShell)VsPackage.GetGlobalService(typeof(SVsUIShell)); string error; shell.GetErrorInfo(out error); Core.Logger.LogError("An error occured while attaching to process (hr = 0x{0:x}). {1}", hr, error); } } finally { foreach (VsDebugTargetInfo2 target in targetList) { if (target.pDebugEngines != IntPtr.Zero) { Marshal.FreeCoTaskMem(target.pDebugEngines); } } if (targetsBuffer != IntPtr.Zero) { Marshal.FreeCoTaskMem(targetsBuffer); } } }
private static bool ArbitraryFilter(NtProcess proc, ScriptBlock filter) { try { ICollection<PSObject> os = filter.Invoke(proc); if (os.Count == 1) { return (bool)os.First().BaseObject; } } catch { } return false; }
internal CrossBitnessProcessMemoryReader(NtProcess process) : base(process) { }
/// <summary> /// Constructor. /// </summary> /// <param name="process">Process to parse from.</param> /// <param name="symbol_resolver">Specify a symbol resolver to use for looking up symbols.</param> public NdrParser(NtProcess process, ISymbolResolver symbol_resolver) : this(process, symbol_resolver, NdrParserFlags.None) { }
private void CheckHandles(IEnumerable <TokenEntry> tokens, HashSet <string> type_filter, HashSet <ulong> checked_objects, NtProcess process, IEnumerable <NtHandle> handles) { foreach (NtHandle handle in handles) { if (Stopping) { return; } using (var obj = NtGeneric.DuplicateFrom(process, new IntPtr(handle.Handle), 0, DuplicateObjectOptions.SameAccess, false)) { // We double check type here to ensure we've duplicated a similar handle. if (!obj.IsSuccess) { continue; } if (checked_objects.Add(handle.Object)) { if (CheckUnnamed || !String.IsNullOrEmpty(obj.Result.FullPath)) { DumpObject(tokens, type_filter, AccessRights, obj.Result); } } } } }
private static bool ArbitraryFilter(NtProcess proc, ScriptBlock filter) { return(filter.InvokeWithArg(false, proc)); }
private void btnOK_Click(object sender, EventArgs e) { try { if (radioCurrentProcess.Checked) { Token = OpenImpersonationToken(); } else if (radioSpecificProcess.Checked) { NtProcess process = selectProcessControl.SelectedProcess; if (process == null) { throw new InvalidOperationException("Please select a process from the list"); } using (var token = NtToken.OpenProcessToken(process, false, TokenAccessRights.Duplicate)) { Token = token.DuplicateToken(TokenType.Impersonation, SecurityImpersonationLevel.Impersonation, TokenAccessRights.GenericAll); } } else if (radioAnonymous.Checked) { Token = TokenUtils.GetAnonymousToken(); } if (checkBoxSetIL.Checked) { Token.SetIntegrityLevel((TokenIntegrityLevel)comboBoxIL.SelectedItem); } if (checkBoxLocalAccess.Checked) { AccessRights |= COMAccessRights.ExecuteLocal; } if (checkBoxRemoteAccess.Checked) { AccessRights |= COMAccessRights.ExecuteRemote; } if (!_process_security) { if (checkBoxLocalLaunch.Checked) { LaunchRights |= COMAccessRights.ExecuteLocal; } if (checkBoxRemoteLaunch.Checked) { LaunchRights |= COMAccessRights.ExecuteRemote; } if (checkBoxLocalActivate.Checked) { LaunchRights |= COMAccessRights.ActivateLocal; } if (checkBoxRemoteActivate.Checked) { LaunchRights |= COMAccessRights.ActivateRemote; } if (!_process_security) { Principal = COMSecurity.UserToSid(textBoxPrincipal.Text).ToString(); } } DialogResult = DialogResult.OK; Close(); } catch (Exception ex) { EntryPoint.ShowError(this, ex); } }
internal NtProcessMitigations(NtProcess process) { ProcessDepStatus dep_status = process.DepStatus; DisableAtlThunkEmulation = dep_status.DisableAtlThunkEmulation; DepEnabled = dep_status.Enabled; DepPermanent = dep_status.Permanent; int result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessASLRPolicy); EnableBottomUpRandomization = result.GetBit(0); EnableForceRelocateImages = result.GetBit(1); EnableHighEntropy = result.GetBit(2); DisallowStrippedImages = result.GetBit(3); DisallowWin32kSystemCalls = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessSystemCallDisablePolicy).GetBit(0); result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessStrictHandleCheckPolicy); RaiseExceptionOnInvalidHandleReference = result.GetBit(0); HandleExceptionsPermanentlyEnabled = result.GetBit(1); result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessFontDisablePolicy); DisableNonSystemFonts = result.GetBit(0); AuditNonSystemFontLoading = result.GetBit(1); result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessDynamicCodePolicy); ProhibitDynamicCode = result.GetBit(0); AllowThreadOptOut = result.GetBit(1); AllowRemoteDowngrade = result.GetBit(2); DisableExtensionPoints = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessExtensionPointDisablePolicy).GetBit(0); result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessControlFlowGuardPolicy); EnabledControlFlowGuard = result.GetBit(0); EnableExportSuppression = result.GetBit(1); ControlFlowGuardStrictMode = result.GetBit(2); result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessSignaturePolicy); MicrosoftSignedOnly = result.GetBit(0); StoreSignedOnly = result.GetBit(1); SignedMitigationOptIn = result.GetBit(2); result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessImageLoadPolicy); NoRemoteImages = result.GetBit(0); NoLowMandatoryLabelImages = result.GetBit(1); PreferSystem32Images = result.GetBit(2); result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessReturnFlowGuardPolicy); EnabledReturnFlowGuard = result.GetBit(0); ReturnFlowGuardStrictMode = result.GetBit(1); IsChildProcessRestricted = process.IsChildProcessRestricted; using (var token = NtToken.OpenProcessToken(process, TokenAccessRights.Query, false)) { IsRestricted = token.Result.Restricted; IsAppContainer = token.Result.AppContainer; IsLowPrivilegeAppContainer = token.Result.LowPrivilegeAppContainer; IntegrityLevel = token.Result.IntegrityLevel; } ProcessId = process.ProcessId; Name = process.Name; ImagePath = process.FullPath; CommandLine = process.CommandLine; }
public TokenEntry(NtToken token, NtProcess process) : this(token, token, process) { }
private void DoAccessCheck(IEnumerable <TokenEntry> tokens, IEnumerable <NtProcess> processes, AccessMask access_rights, AccessMask thread_access_rights) { foreach (NtProcess process in processes) { ProcessDetails proc_details = ProcessDetails.FromProcess(process); if (CheckProcess()) { var sd = process.GetSecurityDescriptor(SecurityInformation.AllBasic, false); if (sd.IsSuccess) { foreach (TokenEntry token in tokens) { CheckAccess(token, proc_details, null, _process_type, access_rights, sd.Result); } } else { // Try and open process when under impersonation. foreach (TokenEntry token in tokens) { using (var new_process = token.Token.RunUnderImpersonate(() => NtProcess.Open(process.ProcessId, ProcessAccessRights.MaximumAllowed, false))) { if (new_process.IsSuccess && IsAccessGranted(new_process.Result.GrantedAccessMask, access_rights)) { WriteAccessCheckResult(proc_details, null, new_process.Result.GrantedAccessMask, _process_type.GenericMapping, null, token.Information); } } } } } if (CheckThread()) { using (var threads = process.GetThreads(ThreadAccessRights.MaximumAllowed).ToDisposableList()) { foreach (var thread in threads) { DoAccessCheck(tokens, proc_details, thread, thread_access_rights); } } } } }
public static Win32Process CreateProcess(NtProcess parent, string application_name, string command_line, CreateProcessFlags flags, string desktop) { STARTUPINFOEX start_info = new STARTUPINFOEX(); start_info.StartupInfo.lpDesktop = desktop; PROCESS_INFORMATION proc_info = new PROCESS_INFORMATION(); using (SafeProcThreadAttributeListBuffer attr_list = new SafeProcThreadAttributeListBuffer(1)) { using (var handle_buffer = parent.Handle.DangerousGetHandle().ToBuffer()) { attr_list.AddAttribute(new IntPtr(0x00020000), handle_buffer); start_info.lpAttributeList = attr_list.DangerousGetHandle(); if (!CreateProcess(application_name, command_line, IntPtr.Zero, IntPtr.Zero, false, flags | CreateProcessFlags.EXTENDED_STARTUPINFO_PRESENT, IntPtr.Zero, null, start_info, out proc_info)) { throw new SafeWin32Exception(); } return new Win32Process(proc_info); } } }
public TokenEntry(NtToken token, NtToken imp_token, NtProcess process) { Information = new TokenInformation(token, process); Token = DuplicateToken(imp_token); }
private static bool FilterName(NtProcess proc, string name) { try { return proc.Name.Equals(name, System.StringComparison.OrdinalIgnoreCase); } catch { } return false; }
private static bool IsRestrictedToken(NtProcess process) { NtToken token = null; try { token = GetToken(process); if (token == null) { return false; } return token.Restricted|| token.AppContainer|| token.IntegrityLevel< TokenIntegrityLevel.Medium; } catch (NtException) { return false; } finally { if (token != null) { token.Close(); } } }
static void Main(string[] args) { bool show_help = false; _pid = Process.GetCurrentProcess().Id; try { PrintDeprecationWarning(); OptionSet opts = new OptionSet() { { "p|pid=", "Specify a PID of a process to impersonate when checking", v => _pid = int.Parse(v.Trim()) }, { "n", "Specifes the list of arguments represents names instead of pids", v => _named_process = v != null }, { "i", "Use an indentify level token when impersonating", v => _identify_only = v != null }, { "t", "Dump accessible threads for process", v => _dump_threads = v != null }, { "k", "Dump tokens for accessible objects", v => _dump_token = v != null }, { "a", "Start with all accessible threads instead of processes", v => _dump_threads = _all_threads = v != null }, { "g", "Map access mask to generic rights.", v => _map_to_generic = v != null }, { "sddl", "Dump SDDL strings for objects", v => _print_sddl = v != null }, { "h|help", "show this message and exit", v => show_help = v != null }, }; List <string> pids = opts.Parse(args).Select(s => s.ToLower()).ToList(); if (show_help) { ShowHelp(opts); } else { IEnumerable <ProcessEntry> processes = new ProcessEntry[0]; if (_all_threads) { NtThread[] all_threads = null; using (var imp = NtToken.Impersonate(_pid, _identify_only ? SecurityImpersonationLevel.Identification : SecurityImpersonationLevel.Impersonation)) { if (pids.Count > 0) { List <NtThread> ths = new List <NtThread>(); foreach (string pid_name in pids) { try { ths.Add(NtThread.Open(int.Parse(pid_name), ThreadAccessRights.MaximumAllowed)); } catch (NtException ex) { Console.WriteLine("Error opening tid {0} - {1}", pid_name, ex.Message); } } all_threads = ths.ToArray(); } else { all_threads = NtThread.GetThreads(ThreadAccessRights.MaximumAllowed).ToArray(); } List <ProcessEntry> procs = new List <ProcessEntry>(); foreach (var group in all_threads.GroupBy(t => t.ProcessId)) { ProcessEntry entry = null; NtThread[] threads = group.ToArray(); try { entry = new ProcessEntry(NtProcess.Open(group.Key, ProcessAccessRights.MaximumAllowed), threads); } catch (NtException) { entry = new ProcessEntry(group.Key, threads); } procs.Add(entry); } processes = procs; } } else { if (pids.Count > 0 && !_named_process) { List <ProcessEntry> procs = new List <ProcessEntry>(); using (var imp = NtToken.Impersonate(_pid, _identify_only ? SecurityImpersonationLevel.Identification : SecurityImpersonationLevel.Impersonation)) { foreach (string pid_name in pids) { try { procs.Add(new ProcessEntry(NtProcess.Open(int.Parse(pid_name), ProcessAccessRights.MaximumAllowed))); } catch (NtException ex) { Console.WriteLine("Error opening pid {0} - {1}", pid_name, ex.Message); } } } processes = procs; } else { try { HashSet <string> names = new HashSet <string>(pids, StringComparer.OrdinalIgnoreCase); using (var imp = NtToken.Impersonate(_pid, _identify_only ? SecurityImpersonationLevel.Identification : SecurityImpersonationLevel.Impersonation)) { processes = NtProcess.GetProcesses(ProcessAccessRights.MaximumAllowed).Select(h => new ProcessEntry(h)).ToArray(); } if (_named_process && names.Count > 0) { processes = processes.Where(p => names.Contains(p.Name)); } } catch (NtException ex) { Console.WriteLine(ex); } } } List <ProcessEntry> ps = processes.ToList(); ps.Sort((a, b) => a.Pid - b.Pid); processes = ps; foreach (ProcessEntry process in processes) { Console.WriteLine("{0}: {1} {2}", process.Pid, process.Name, process.GetGrantedAccessString(_map_to_generic)); if (_print_sddl && process.Handle.IsAccessGranted(ProcessAccessRights.ReadControl)) { Console.WriteLine("SDDL: {0}", process.Handle.GetSddl()); } if (_dump_token && process.Token != null) { Console.WriteLine("User: {0}", process.Token.User); if (_print_sddl && process.Token.IsAccessGranted(TokenAccessRights.ReadControl)) { Console.WriteLine("Token SDDL: {0}", process.Token.GetSddl()); } Console.WriteLine("Token Granted Access: {0}", process.Token.GrantedAccessAsString(_map_to_generic)); } if (_dump_threads) { foreach (ThreadEntry thread in process.Threads) { Console.WriteLine("-- Thread {0}: {1}", thread.Tid, thread.Handle.GrantedAccessAsString(_map_to_generic)); if (_print_sddl && thread.Handle.IsAccessGranted(ThreadAccessRights.ReadControl)) { Console.WriteLine("---- SDDL: {0}", thread.Handle.GetSddl()); } if (_dump_token && thread.Token != null) { Console.WriteLine("---- Impersonating {0}", thread.Token.User); if (_print_sddl && thread.Token.IsAccessGranted(TokenAccessRights.ReadControl)) { Console.WriteLine("---- Token SDDL: {0}", thread.Token.GetSddl()); } } } } } } } catch (Exception ex) { Console.WriteLine(ex); } }
public ProcessEntry(NtProcess handle) : this(handle, null) { }
public ProcessEntry(NtProcess handle, NtThread[] threads) { Handle = handle; if (handle.IsAccessGranted(ProcessAccessRights.QueryInformation) || handle.IsAccessGranted(ProcessAccessRights.QueryLimitedInformation)) { Pid = handle.ProcessId; } if (threads == null) { threads = handle.GetThreads(ThreadAccessRights.MaximumAllowed).ToArray(); } Threads = threads.Select(h => new ThreadEntry(h)).ToArray(); Array.Sort(Threads, (a, b) => a.Tid - b.Tid); ImagePath = String.Empty; Name = String.Empty; if (Pid == 0) { Name = "Idle"; } else if (Pid == 4) { Name = "System"; } else { if (Handle.IsAccessGranted(ProcessAccessRights.QueryLimitedInformation)) { try { ImagePath = Handle.GetImageFilePath(false); Name = Path.GetFileNameWithoutExtension(ImagePath); } catch (NtException) { } } } CommandLine = String.Empty; if (Handle.IsAccessGranted(ProcessAccessRights.QueryInformation) || Handle.IsAccessGranted(ProcessAccessRights.QueryLimitedInformation)) { try { Token = Handle.OpenToken(); } catch (NtException) { } try { CommandLine = Handle.CommandLine; } catch (NtException) { } } }
internal CreateUserProcessResult(SafeKernelObjectHandle process_handle, SafeKernelObjectHandle thread_handle, ProcessCreateInfoData create_info, SectionImageInformation image_info, ClientId client_id) { Process = new NtProcess(process_handle); Thread = new NtThread(thread_handle); ImageFile = new NtFile(new SafeKernelObjectHandle(create_info.Success.FileHandle, true)); SectionHandle = new NtSection(new SafeKernelObjectHandle(create_info.Success.SectionHandle, true)); ImageInfo = image_info; ClientId = client_id; CreateInfo = create_info; CreateState = ProcessCreateState.Success; }
internal ProcessMemoryStream(NtProcess process, IntPtr base_address) { _process = process; _base_address = base_address.ToInt64(); }