private void ParseDelayImports(bool is_64bit)
{
try
{
IntPtr imports = Win32NativeMethods.ImageDirectoryEntryToData(handle, MappedAsImage,
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT, out int size);
if (imports == IntPtr.Zero)
{
return;
}
SafeHGlobalBuffer buffer = new SafeHGlobalBuffer(imports, size, false);
ulong ofs = 0;
ImageDelayImportDescriptor import_desc = buffer.Read <ImageDelayImportDescriptor>(ofs);
while (import_desc.szName != 0)
{
_imports.Add(ParseSingleImport(import_desc.szName, import_desc.pINT, import_desc.pIAT, is_64bit, true));
ofs += (ulong)Marshal.SizeOf(typeof(ImageDelayImportDescriptor));
import_desc = buffer.Read <ImageDelayImportDescriptor>(ofs);
}
}
catch
{
}
}
internal DllDebugData(SafeHGlobalBuffer buffer) : this()
{
Magic = buffer.Read <uint>(0);
if (Magic == CV_RSDS_MAGIC)
{
Id = new Guid(buffer.ReadBytes(4, 16));
Age = buffer.Read <int>(20);
PdbPath = buffer.ReadNulTerminatedAnsiString(24, Encoding.UTF8);
IdentiferPath = $"{Id:N}{Age:X}".ToUpper();
}
}
private static IEnumerable <UsnJournalRecord> ReadJournal(NtFile volume, ulong start_usn, ulong end_usn, UsnJournalReasonFlags reason_mask, bool unprivileged)
{
if (volume is null)
{
throw new ArgumentNullException(nameof(volume));
}
NtIoControlCode ioctl = unprivileged ? NtWellKnownIoControlCodes.FSCTL_READ_UNPRIVILEGED_USN_JOURNAL : NtWellKnownIoControlCodes.FSCTL_READ_USN_JOURNAL;
Dictionary <long, Tuple <string, string> > ref_paths = new Dictionary <long, Tuple <string, string> >();
var data = QueryUsnJournalData(volume);
end_usn = Math.Min(end_usn, data.NextUsn);
using (var buffer = new SafeHGlobalBuffer(64 * 1024))
{
while (start_usn < end_usn)
{
READ_USN_JOURNAL_DATA_V0 read_journal = new READ_USN_JOURNAL_DATA_V0
{
ReasonMask = reason_mask,
StartUsn = start_usn,
UsnJournalID = data.UsnJournalID
};
using (var in_buffer = read_journal.ToBuffer())
{
int length = volume.FsControl(ioctl, in_buffer, buffer);
int offset = 8;
if (length < 8)
{
yield break;
}
start_usn = buffer.Read <ulong>(0);
while (offset < length)
{
var header = buffer.Read <USN_RECORD_COMMON_HEADER>((ulong)offset);
if (header.MajorVersion == 2 && header.MinorVersion == 0)
{
var entry = new UsnJournalRecord(buffer.GetStructAtOffset <USN_RECORD_V2>(offset), volume, ref_paths);
if (entry.Usn >= end_usn)
{
break;
}
yield return(entry);
}
offset += header.RecordLength;
}
}
}
}
}
private static IEnumerable <string> GetServiceRequiredPrivileges(SafeServiceHandle service)
{
using (var buf = new SafeHGlobalBuffer(8192))
{
if (!Win32NativeMethods.QueryServiceConfig2(service, SERVICE_CONFIG_REQUIRED_PRIVILEGES_INFO,
buf, buf.Length, out int needed))
{
return(new string[0]);
}
IntPtr str_pointer = buf.Read <IntPtr>(0);
if (str_pointer == IntPtr.Zero)
{
return(new string[0]);
}
SafeHGlobalBuffer str_buffer = new SafeHGlobalBuffer(str_pointer, 8192 - 8, false);
ulong offset = 0;
List <string> privs = new List <string>();
while (offset < str_buffer.ByteLength)
{
string s = str_buffer.ReadNulTerminatedUnicodeString(offset);
if (s.Length == 0)
{
break;
}
privs.Add(s);
offset += (ulong)(s.Length + 1) * 2;
}
return(privs.AsReadOnly());
}
}
private static IEnumerable <string> GetServiceRequiredPrivileges(SafeServiceHandle service)
{
using (var buf = new SafeHGlobalBuffer(8192)) {
if (!Win32NativeMethods.QueryServiceConfig2(service, SERVICE_CONFIG_REQUIRED_PRIVILEGES_INFO,
buf, buf.Length, out int needed))
{
return(new string[0]);
}
return(buf.Read <IntPtr>(0).GetMultiString());
}
}
private static void CheckForFault(SafeHGlobalBuffer buffer, LRPC_MESSAGE_TYPE message_type)
{
var header = buffer.Read <LRPC_HEADER>(0);
if (header.MessageType != LRPC_MESSAGE_TYPE.lmtFault && header.MessageType != message_type)
{
throw new ArgumentException($"Invalid response message type {header.MessageType}");
}
if (header.MessageType == LRPC_MESSAGE_TYPE.lmtFault)
{
var fault = buffer.GetStructAtOffset <LRPC_FAULT_MESSAGE>(0);
throw new RpcFaultException(fault);
}
}
private void ParseExports()
{
_exports = new List <DllExport>();
try
{
IntPtr exports = Win32NativeMethods.ImageDirectoryEntryToDataEx(handle, MappedAsImage,
IMAGE_DIRECTORY_ENTRY_EXPORT, out int size, out IntPtr header_ptr);
if (exports == IntPtr.Zero)
{
return;
}
SafeHGlobalBuffer buffer = new SafeHGlobalBuffer(exports, size, false);
ImageExportDirectory export_directory = buffer.Read <ImageExportDirectory>(0);
if (export_directory.NumberOfFunctions == 0)
{
return;
}
IntPtr funcs = RvaToVA(export_directory.AddressOfFunctions);
IntPtr names = RvaToVA(export_directory.AddressOfNames);
IntPtr name_ordinals = RvaToVA(export_directory.AddressOfNameOrdinals);
long export_base = buffer.DangerousGetHandle().ToInt64();
long export_top = export_base + buffer.Length;
int[] func_rvas = new int[export_directory.NumberOfFunctions];
Marshal.Copy(funcs, func_rvas, 0, func_rvas.Length);
IntPtr[] func_vas = func_rvas.Select(r => r != 0 ? RvaToVA(r) : IntPtr.Zero).ToArray();
int[] name_rvas = new int[export_directory.NumberOfNames];
Marshal.Copy(names, name_rvas, 0, name_rvas.Length);
IntPtr[] name_vas = name_rvas.Select(r => r != 0 ? RvaToVA(r) : IntPtr.Zero).ToArray();
short[] ordinals = new short[export_directory.NumberOfNames];
Marshal.Copy(name_ordinals, ordinals, 0, ordinals.Length);
Dictionary <int, string> ordinal_to_names = new Dictionary <int, string>();
for (int i = 0; i < name_vas.Length; ++i)
{
string name = Marshal.PtrToStringAnsi(name_vas[i]);
int ordinal = ordinals[i];
ordinal_to_names[ordinal] = name;
}
for (int i = 0; i < func_vas.Length; ++i)
{
string forwarder = string.Empty;
long func_va = func_vas[i].ToInt64();
if (func_va >= export_base && func_va < export_top)
{
forwarder = Marshal.PtrToStringAnsi(func_vas[i]);
func_va = 0;
}
_exports.Add(new DllExport(ordinal_to_names.ContainsKey(i) ? ordinal_to_names[i] : null,
i + export_directory.Base, func_va, forwarder));
}
}
catch
{
}
}
