internal NtProcessCreateResult(NtStatus status,
ProcessCreateInfoData create_info, ProcessCreateState create_state) : this(status) {
switch (create_state)
{
case ProcessCreateState.FailOnSectionCreate:
if (create_info.FileHandle != IntPtr.Zero)
{
ImageFile = NtFile.FromHandle(create_info.FileHandle).Duplicate();
}
break;
case ProcessCreateState.FailExeName:
if (create_info.IFEOKey != IntPtr.Zero)
{
IFEOKeyHandle = NtKey.FromHandle(create_info.IFEOKey).Duplicate();
}
break;
case ProcessCreateState.FailExeFormat:
DllCharacteristics = (DllCharacteristics)create_info.DllCharacteristics;
break;
}
Status = status;
CreateState = create_state;
Process = null;
Thread = null;
SectionHandle = null;
}
/// <summary>
/// Get registered notifications.
/// </summary>
/// <returns>The list of registered notifications.</returns>
public static IEnumerable <NtWnf> GetRegisteredNotifications()
{
foreach (string key_name in _root_keys)
{
using (ObjectAttributes obj_attr = new ObjectAttributes(key_name, AttributeFlags.CaseInsensitive))
{
using (var key = NtKey.Open(obj_attr, KeyAccessRights.QueryValue, KeyCreateOptions.NonVolatile, false))
{
if (!key.IsSuccess)
{
continue;
}
foreach (var value in key.Result.QueryValues())
{
if (!ulong.TryParse(value.Name, System.Globalization.NumberStyles.HexNumber, null, out ulong state_name))
{
continue;
}
NtWnf result = new NtWnf(state_name);
result.ReadStateData(value);
result._read_state_data = true;
yield return(result);
}
}
}
}
}
private static string ReadMoniker(NtKey rootkey, Sid sid)
{
PackageSidType sid_type = GetPackageSidType(sid);
Sid child_sid = null;
if (sid_type == PackageSidType.Child)
{
child_sid = sid;
sid = GetPackageSidParent(sid);
}
string path = $@"Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\{sid}";
if (child_sid != null)
{
path = $@"{path}\Children\{child_sid}";
}
using (ObjectAttributes obj_attr = new ObjectAttributes(path, AttributeFlags.CaseInsensitive, rootkey))
{
using (var key = NtKey.Open(obj_attr, KeyAccessRights.QueryValue, KeyCreateOptions.NonVolatile, false))
{
if (key.IsSuccess)
{
var moniker = key.Result.QueryValue("Moniker", false);
if (!moniker.IsSuccess)
{
return(null);
}
if (child_sid == null)
{
return(moniker.Result.ToString().TrimEnd('\0'));
}
var parent_moniker = key.Result.QueryValue("ParentMoniker", false);
string parent_moniker_string;
if (parent_moniker.IsSuccess)
{
parent_moniker_string = parent_moniker.Result.ToString();
}
else
{
parent_moniker_string = ReadMoniker(rootkey, sid) ?? String.Empty;
}
return($"{parent_moniker_string.TrimEnd('\0')}/{moniker.Result.ToString().TrimEnd('\0')}");
}
}
}
return(null);
}
/// <summary>
/// Open an NT object with a specified type.
/// </summary>
/// <param name="typename">The name of the type to open (e.g. Event). If null the method will try and lookup the appropriate type.</param>
/// <param name="path">The path to the object to open.</param>
/// <param name="root">A root directory to open from.</param>
/// <param name="access">Generic access rights to the object.</param>
/// <returns>The opened object.</returns>
/// <exception cref="NtException">Thrown if an error occurred opening the object.</exception>
/// <exception cref="ArgumentException">Thrown if type of resource couldn't be found.</exception>
public static NtObject OpenWithType(string typename, string path, NtObject root, GenericAccessRights access)
{
if (typename == null)
{
typename = NtDirectory.GetDirectoryEntryType(path, root);
if (typename == null)
{
throw new ArgumentException(String.Format("Can't find type for path {0}", path));
}
}
switch (typename.ToLower())
{
case "device":
return(NtFile.Open(path, root, (FileAccessRights)access, FileShareMode.None, FileOpenOptions.None));
case "file":
return(NtFile.Open(path, root, (FileAccessRights)access, FileShareMode.Read | FileShareMode.Write | FileShareMode.Delete, FileOpenOptions.None));
case "event":
return(NtEvent.Open(path, root, (EventAccessRights)access));
case "directory":
return(NtDirectory.Open(path, root, (DirectoryAccessRights)access));
case "symboliclink":
return(NtSymbolicLink.Open(path, root, (SymbolicLinkAccessRights)access));
case "mutant":
return(NtMutant.Open(path, root, (MutantAccessRights)access));
case "semaphore":
return(NtSemaphore.Open(path, root, (SemaphoreAccessRights)access));
case "section":
return(NtSection.Open(path, root, (SectionAccessRights)access));
case "job":
return(NtJob.Open(path, root, (JobAccessRights)access));
case "key":
return(NtKey.Open(path, root, (KeyAccessRights)access));
default:
throw new ArgumentException(String.Format("Can't open type {0}", typename));
}
}
/// <summary>
/// Query list of loaded hives from the Registry.
/// </summary>
/// <param name="convert_file_to_dos">Convert the file path to a DOS path.</param>
/// <returns>The list of loaded hives.</returns>
public static IReadOnlyList <NtKeyHive> GetHiveList(bool convert_file_to_dos)
{
List <NtKeyHive> hives = new List <NtKeyHive>();
using (var key = NtKey.Open(@"\registry\machine\system\currentcontrolset\control\hivelist", null, KeyAccessRights.QueryValue)) {
foreach (var value in key.QueryValues())
{
if (value.Name != "")
{
string file_path = value.ToString();
if (convert_file_to_dos)
{
file_path = NtFileUtils.NtFileNameToDos(file_path);
}
hives.Add(new NtKeyHive(value.Name, file_path));
}
}
}
return(hives.AsReadOnly());
}
private static Dictionary <Sid, string> GetDeviceCapabilities()
{
if (_device_capabilities != null)
{
return(_device_capabilities);
}
var device_capabilities = new Dictionary <Sid, string>();
try
{
using (var base_key = NtKey.Open(@"\Registry\Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\CapabilityMappings", null, KeyAccessRights.EnumerateSubKeys))
{
using (var key_list = base_key.QueryAccessibleKeys(KeyAccessRights.EnumerateSubKeys).ToDisposableList())
{
foreach (var key in key_list)
{
foreach (var guid in key.QueryKeys())
{
if (Guid.TryParse(guid, out Guid g))
{
Sid sid = GuidToCapabilitySid(g);
if (!device_capabilities.ContainsKey(sid))
{
device_capabilities[sid] = key.Name;
}
}
}
}
}
}
}
catch (NtException)
{
}
_device_capabilities = device_capabilities;
return(_device_capabilities);
}
private void ReadStateData()
{
if (_read_state_data)
{
return;
}
_read_state_data = true;
using (ObjectAttributes obj_attr = new ObjectAttributes(_root_keys[(int)Lifetime], AttributeFlags.CaseInsensitive)) {
using (var key = NtKey.Open(obj_attr, KeyAccessRights.QueryValue, KeyCreateOptions.NonVolatile, false)) {
if (!key.IsSuccess)
{
return;
}
var value = key.Result.QueryValue(StateName.ToString("X016"), false);
if (value.IsSuccess)
{
ReadStateData(value.Result);
}
}
}
}
/// <summary>
/// Try and lookup the moniker associated with a package sid.
/// </summary>
/// <param name="sid">The package sid.</param>
/// <returns>Returns the moniker name. If not found returns null.</returns>
/// <exception cref="ArgumentException">Thrown if SID is not a package sid.</exception>
public static string LookupPackageName(Sid sid)
{
if (!IsPackageSid(sid))
{
throw new ArgumentException("Sid not a package sid", "sid");
}
string ret = null;
try
{
using (NtKey key = NtKey.GetCurrentUserKey())
{
ret = ReadMoniker(key, sid);
}
}
catch (NtException)
{
}
if (ret == null)
{
try
{
using (NtKey key = NtKey.GetMachineKey())
{
ret = ReadMoniker(key, sid);
}
}
catch (NtException)
{
}
}
return(ret);
}
