private void ParseDelayImports(bool is_64bit) { try { IntPtr imports = Win32NativeMethods.ImageDirectoryEntryToData(handle, MappedAsImage, IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT, out int size); if (imports == IntPtr.Zero) { return; } SafeHGlobalBuffer buffer = new SafeHGlobalBuffer(imports, size, false); ulong ofs = 0; ImageDelayImportDescriptor import_desc = buffer.Read <ImageDelayImportDescriptor>(ofs); while (import_desc.szName != 0) { _imports.Add(ParseSingleImport(import_desc.szName, import_desc.pINT, import_desc.pIAT, is_64bit, true)); ofs += (ulong)Marshal.SizeOf(typeof(ImageDelayImportDescriptor)); import_desc = buffer.Read <ImageDelayImportDescriptor>(ofs); } } catch { } }
internal DllDebugData(SafeHGlobalBuffer buffer) : this() { Magic = buffer.Read <uint>(0); if (Magic == CV_RSDS_MAGIC) { Id = new Guid(buffer.ReadBytes(4, 16)); Age = buffer.Read <int>(20); PdbPath = buffer.ReadNulTerminatedAnsiString(24, Encoding.UTF8); IdentiferPath = $"{Id:N}{Age:X}".ToUpper(); } }
private static IEnumerable <UsnJournalRecord> ReadJournal(NtFile volume, ulong start_usn, ulong end_usn, UsnJournalReasonFlags reason_mask, bool unprivileged) { if (volume is null) { throw new ArgumentNullException(nameof(volume)); } NtIoControlCode ioctl = unprivileged ? NtWellKnownIoControlCodes.FSCTL_READ_UNPRIVILEGED_USN_JOURNAL : NtWellKnownIoControlCodes.FSCTL_READ_USN_JOURNAL; Dictionary <long, Tuple <string, string> > ref_paths = new Dictionary <long, Tuple <string, string> >(); var data = QueryUsnJournalData(volume); end_usn = Math.Min(end_usn, data.NextUsn); using (var buffer = new SafeHGlobalBuffer(64 * 1024)) { while (start_usn < end_usn) { READ_USN_JOURNAL_DATA_V0 read_journal = new READ_USN_JOURNAL_DATA_V0 { ReasonMask = reason_mask, StartUsn = start_usn, UsnJournalID = data.UsnJournalID }; using (var in_buffer = read_journal.ToBuffer()) { int length = volume.FsControl(ioctl, in_buffer, buffer); int offset = 8; if (length < 8) { yield break; } start_usn = buffer.Read <ulong>(0); while (offset < length) { var header = buffer.Read <USN_RECORD_COMMON_HEADER>((ulong)offset); if (header.MajorVersion == 2 && header.MinorVersion == 0) { var entry = new UsnJournalRecord(buffer.GetStructAtOffset <USN_RECORD_V2>(offset), volume, ref_paths); if (entry.Usn >= end_usn) { break; } yield return(entry); } offset += header.RecordLength; } } } } }
private static IEnumerable <string> GetServiceRequiredPrivileges(SafeServiceHandle service) { using (var buf = new SafeHGlobalBuffer(8192)) { if (!Win32NativeMethods.QueryServiceConfig2(service, SERVICE_CONFIG_REQUIRED_PRIVILEGES_INFO, buf, buf.Length, out int needed)) { return(new string[0]); } IntPtr str_pointer = buf.Read <IntPtr>(0); if (str_pointer == IntPtr.Zero) { return(new string[0]); } SafeHGlobalBuffer str_buffer = new SafeHGlobalBuffer(str_pointer, 8192 - 8, false); ulong offset = 0; List <string> privs = new List <string>(); while (offset < str_buffer.ByteLength) { string s = str_buffer.ReadNulTerminatedUnicodeString(offset); if (s.Length == 0) { break; } privs.Add(s); offset += (ulong)(s.Length + 1) * 2; } return(privs.AsReadOnly()); } }
private static IEnumerable <string> GetServiceRequiredPrivileges(SafeServiceHandle service) { using (var buf = new SafeHGlobalBuffer(8192)) { if (!Win32NativeMethods.QueryServiceConfig2(service, SERVICE_CONFIG_REQUIRED_PRIVILEGES_INFO, buf, buf.Length, out int needed)) { return(new string[0]); } return(buf.Read <IntPtr>(0).GetMultiString()); } }
private static void CheckForFault(SafeHGlobalBuffer buffer, LRPC_MESSAGE_TYPE message_type) { var header = buffer.Read <LRPC_HEADER>(0); if (header.MessageType != LRPC_MESSAGE_TYPE.lmtFault && header.MessageType != message_type) { throw new ArgumentException($"Invalid response message type {header.MessageType}"); } if (header.MessageType == LRPC_MESSAGE_TYPE.lmtFault) { var fault = buffer.GetStructAtOffset <LRPC_FAULT_MESSAGE>(0); throw new RpcFaultException(fault); } }
private void ParseExports() { _exports = new List <DllExport>(); try { IntPtr exports = Win32NativeMethods.ImageDirectoryEntryToDataEx(handle, MappedAsImage, IMAGE_DIRECTORY_ENTRY_EXPORT, out int size, out IntPtr header_ptr); if (exports == IntPtr.Zero) { return; } SafeHGlobalBuffer buffer = new SafeHGlobalBuffer(exports, size, false); ImageExportDirectory export_directory = buffer.Read <ImageExportDirectory>(0); if (export_directory.NumberOfFunctions == 0) { return; } IntPtr funcs = RvaToVA(export_directory.AddressOfFunctions); IntPtr names = RvaToVA(export_directory.AddressOfNames); IntPtr name_ordinals = RvaToVA(export_directory.AddressOfNameOrdinals); long export_base = buffer.DangerousGetHandle().ToInt64(); long export_top = export_base + buffer.Length; int[] func_rvas = new int[export_directory.NumberOfFunctions]; Marshal.Copy(funcs, func_rvas, 0, func_rvas.Length); IntPtr[] func_vas = func_rvas.Select(r => r != 0 ? RvaToVA(r) : IntPtr.Zero).ToArray(); int[] name_rvas = new int[export_directory.NumberOfNames]; Marshal.Copy(names, name_rvas, 0, name_rvas.Length); IntPtr[] name_vas = name_rvas.Select(r => r != 0 ? RvaToVA(r) : IntPtr.Zero).ToArray(); short[] ordinals = new short[export_directory.NumberOfNames]; Marshal.Copy(name_ordinals, ordinals, 0, ordinals.Length); Dictionary <int, string> ordinal_to_names = new Dictionary <int, string>(); for (int i = 0; i < name_vas.Length; ++i) { string name = Marshal.PtrToStringAnsi(name_vas[i]); int ordinal = ordinals[i]; ordinal_to_names[ordinal] = name; } for (int i = 0; i < func_vas.Length; ++i) { string forwarder = string.Empty; long func_va = func_vas[i].ToInt64(); if (func_va >= export_base && func_va < export_top) { forwarder = Marshal.PtrToStringAnsi(func_vas[i]); func_va = 0; } _exports.Add(new DllExport(ordinal_to_names.ContainsKey(i) ? ordinal_to_names[i] : null, i + export_directory.Base, func_va, forwarder)); } } catch { } }