public Result <string> GetLinkTarget()
{
var type = NtdllHelper.GetObjectType(Name);
if (type != "SymbolicLink")
{
return(Result <string> .Failed("Not a symbolic link"));
}
var objectAttributes = new OBJECT_ATTRIBUTES(Name, 0);
var status = Ntdll.NtOpenSymbolicLinkObject(
out var linkHandle,
ACCESS_MASK.GENERIC_READ,
ref objectAttributes);
if (status < 0)
{
return(Result <string> .Failed("Open file failed with status " + status));
}
using (linkHandle)
{
var targetBuffer = new UNICODE_STRING(new string(' ', 512));
status = Ntdll.NtQuerySymbolicLinkObject(
linkHandle,
ref targetBuffer,
out var len);
return(status < 0
? Result <string> .Failed("Query link failed with status " + status)
: Result <string> .Succeeded(targetBuffer.ToString()));
}
}
public unsafe void ToUpperInvariant(string value, string expected)
{
using (var buffer = new StringBuffer(value))
{
UNICODE_STRING s = buffer.ToUnicodeString();
StringMethods.ToUpperInvariant(ref s);
s.ToString().Should().Be(expected);
}
}
public static IEnumerable <ObjectInformation> GetDirectoryEntries(SafeDirectoryObjectHandle directoryHandle)
{
List <ObjectInformation> infos = new List <ObjectInformation>();
BufferHelper.CachedInvoke((StringBuffer buffer) =>
{
buffer.EnsureCharCapacity(1024);
uint context = 0;
uint returnLength;
NTSTATUS status;
do
{
status = Direct.NtQueryDirectoryObject(
DirectoryHandle: directoryHandle,
Buffer: buffer,
Length: (uint)buffer.ByteCapacity,
ReturnSingleEntry: false,
RestartScan: false,
Context: ref context,
ReturnLength: out returnLength);
if (status != NTSTATUS.STATUS_SUCCESS && status != NTSTATUS.STATUS_MORE_ENTRIES)
{
break;
}
CheckedReader reader = new CheckedReader(buffer);
do
{
UNICODE_STRING name = reader.ReadStruct <UNICODE_STRING>();
if (name.Length == 0)
{
break;
}
UNICODE_STRING type = reader.ReadStruct <UNICODE_STRING>();
infos.Add(new ObjectInformation
{
Name = name.ToString(),
TypeName = type.ToString()
});
} while (true);
} while (status == NTSTATUS.STATUS_MORE_ENTRIES);
if (status != NTSTATUS.STATUS_SUCCESS)
{
throw ErrorHelper.GetIoExceptionForNTStatus(status);
}
});
return(infos.OrderBy(i => i.Name));;
}
public bool TryGetSymbolicLinkTarget(out string result, out NtStatus returnCode)
{
if (Type != WellKnownType.SymbolicLink)
{
throw new InvalidOperationException($"Not a symbolic link, was {Type}");
}
OBJECT_ATTRIBUTES attrib = new OBJECT_ATTRIBUTES(FullName, 0);
returnCode = Win32.NtOpenSymbolicLinkObject(out SafeFileHandle handle, DirectoryAccessEnum.DIRECTORY_QUERY, ref attrib);
using (handle)
{
UNICODE_STRING target = new UNICODE_STRING();
returnCode = Win32.NtQuerySymbolicLinkObject(handle, ref target, out int retLength);
if (returnCode == NtStatus.STATUS_SUCCESS)
{
result = target.ToString();
return(returnCode == NtStatus.STATUS_SUCCESS);
}
if (returnCode != NtStatus.STATUS_BUFFER_TOO_SMALL)
{
result = null;
return(false);
}
target = new UNICODE_STRING((ushort)retLength);
returnCode = Win32.NtQuerySymbolicLinkObject(handle, ref target, out retLength);
if (returnCode != NtStatus.STATUS_SUCCESS)
{
result = null;
return(false);
}
result = target.ToString();
if (result.Contains(";"))
{
result = result.Substring(0, result.IndexOf(';'));
}
if (result.EndsWith("\\"))
{
result = result.Substring(0, result.Length - 1);
}
return(true);
}
}
public static bool RtlInitUnicodeString(IntPtr procHandle, IntPtr lpDestAddress, string pebParam, string masqBinary)
{
// Create new UNICODE_STRING Structure
UNICODE_STRING masq = new UNICODE_STRING(masqBinary);
// Create a pointer to a unmanaged Structure
IntPtr masqPtr = StructureToPtr(masq);
// Change access protection of a memory region to -> PAGE_EXECUTE_READWRITE
IntPtr lpflOldProtect = IntPtr.Zero;
uint PAGE_EXECUTE_READWRITE = 0x40;
if (!VirtualProtectEx(procHandle, lpDestAddress, (uint)Marshal.SizeOf(typeof(UNICODE_STRING)), PAGE_EXECUTE_READWRITE, ref lpflOldProtect))
{
return(false);
}
// Overwrite PEB UNICODE_STRING Structure
IntPtr lpNumberOfBytesWritten = IntPtr.Zero;
if (!WriteProcessMemory(procHandle, lpDestAddress, masqPtr, (uint)Marshal.SizeOf(typeof(UNICODE_STRING)), ref lpNumberOfBytesWritten))
{
return(false);
}
// Read new Masq into UNICODE_STRING Structure
UNICODE_STRING NewMasq = new UNICODE_STRING();
IntPtr NewMasqPtr = StructureToPtr(NewMasq);
IntPtr lpNumberOfBytesRead = IntPtr.Zero;
if (!ReadProcessMemory(procHandle, lpDestAddress, NewMasqPtr, Marshal.SizeOf(typeof(UNICODE_STRING)), out lpNumberOfBytesRead))
{
return(false);
}
NewMasq = PtrToStructure <UNICODE_STRING>(NewMasqPtr);
// Free Unmanged Memory
FreeHandle(masqPtr);
if (NewMasq.ToString() != masqBinary)
{
return(false);
}
return(true);
}
public IEnumerable <string> EnumerateDomains()
{
int cookie = 0;
while (true)
{
IntPtr info;
int count;
var status = SamEnumerateDomainsInSamServer(_handle, ref cookie, out info, 1, out count);
if (status != NTSTATUS.STATUS_SUCCESS && status != NTSTATUS.STATUS_MORE_ENTRIES)
{
Check(status);
}
if (count == 0)
{
break;
}
UNICODE_STRING us = (UNICODE_STRING)Marshal.PtrToStructure(info + 8, typeof(UNICODE_STRING));
SamFreeMemory(info);
yield return(us.ToString());
}
}
public static String GetProcessCommand(IntPtr Handle)
{
var objStr = new UNICODE_STRING(new string(' ', 512));
//var objStr = new UNICODE_STRING();
//IntPtr ipStr = IntPtr.Zero;
String result = String.Empty;
int pSize = 0;
try
{
//IntPtr ipTemp = IntPtr.Zero;
//String s = String.Empty;
//s = s.PadLeft(512, ' ');
//objStr.Length = (ushort)(s.Length * 2);
//objStr.MaximumLength = (ushort)(objStr.Length + 2);
//objStr.Buffer = Marshal.StringToHGlobalUni(s);
//ipStr = Marshal.AllocHGlobal(Marshal.SizeOf(objStr));
if (-1 != NtQueryInformationProcess(Handle, PROCESSINFOCLASS.ProcessImageFileName, ref objStr, Marshal.SizeOf(objStr), ref pSize))
{
//objStr = (UNICODE_STRING)Marshal.PtrToStructure(ipStr, objStr.GetType());
//if (Is64Bits())
//{
// ipTemp = new IntPtr(Convert.ToInt64(objStr.Buffer.ToString(), 10) >> 32);
//}
//else
//{
// ipTemp = objStr.Buffer;
//}
//result = Marshal.PtrToStringUni(ipTemp, objStr.Length >> 1);
result = objStr.ToString();
objStr.Dispose();
//str.Dispose();
return result;
//return String.Empty;
}
else
{
return String.Empty;
}
}
catch
{
return String.Empty;
}
finally
{
//Marshal.FreeHGlobal(ipStr);
}
}