コード例 #1
0
 public static extern int NtQueryInformationProcess(
     IntPtr hProcess,
     Execute.Native.PROCESSINFOCLASS pic,
     IntPtr pi,
     int cb,
     out int pSize
     );
コード例 #2
0
        public static Execute.Native.NTSTATUS NtQueryInformationProcess(IntPtr hProcess, Execute.Native.PROCESSINFOCLASS processInfoClass, out IntPtr pProcInfo)
        {
            int    processInformationLength;
            UInt32 RetLen = 0;

            switch (processInfoClass)
            {
            case Execute.Native.PROCESSINFOCLASS.ProcessWow64Information:
                pProcInfo = Marshal.AllocHGlobal(IntPtr.Size);
                RtlZeroMemory(pProcInfo, IntPtr.Size);
                processInformationLength = IntPtr.Size;
                break;

            case Execute.Native.PROCESSINFOCLASS.ProcessBasicInformation:
                Execute.Native.PROCESS_BASIC_INFORMATION PBI = new Execute.Native.PROCESS_BASIC_INFORMATION();
                pProcInfo = Marshal.AllocHGlobal(Marshal.SizeOf(PBI));
                RtlZeroMemory(pProcInfo, Marshal.SizeOf(PBI));
                Marshal.StructureToPtr(PBI, pProcInfo, true);
                processInformationLength = Marshal.SizeOf(PBI);
                break;

            default:
                throw new InvalidOperationException($"Invalid ProcessInfoClass: {processInfoClass}");
            }

            object[] funcargs =
            {
                hProcess, processInfoClass, pProcInfo, processInformationLength, RetLen
            };

            Execute.Native.NTSTATUS retValue = (Execute.Native.NTSTATUS)Generic.DynamicAPIInvoke(@"ntdll.dll", @"NtQueryInformationProcess", typeof(DELEGATES.NtQueryInformationProcess), ref funcargs);
            if (retValue != Execute.Native.NTSTATUS.Success)
            {
                throw new UnauthorizedAccessException("Access is denied.");
            }

            // Update the modified variables
            pProcInfo = (IntPtr)funcargs[2];

            return(retValue);
        }