/// <summary>
/// Queries the operating system for DMA Guard Policy information and stores the result in SystemInfo.
/// </summary>
/// <remarks>
/// No documented API exposes the enablement state of Kernel DMA Protection; the only documented way to check it
/// is the System Information (msinfo32.exe) utility. Reverse-engineering that utility shows it calls the native
/// NtQuerySystemInformation API with an information class dedicated to the Kernel DMA Protection state. The
/// returned data is a 1-byte structure with a single boolean field indicating whether the feature is enabled.
/// Because the information class is undocumented, a successful query reflects only what the running kernel
/// reports; older systems reject the class, which is surfaced as <see cref="NotImplementedException"/>.
/// </remarks>
/// <exception cref="NotImplementedException">
/// The call returned STATUS_INVALID_INFO_CLASS or STATUS_NOT_IMPLEMENTED.
/// </exception>
/// <exception cref="Win32Exception">
/// The call returned any other non-zero NTSTATUS value.
/// </exception>
private void RetrieveInfo()
{
    // NTSTATUS codes expressed as the signed 32-bit values the P/Invoke signature returns.
    const int StatusSuccess = 0;
    const int StatusNotImplemented = unchecked((int)0xC0000002);
    const int StatusInvalidInfoClass = unchecked((int)0xC0000003);

    WriteConsoleVerbose($"Retrieving {Name} info ...");

    // The length handed to the native call is the marshalled size of the output structure.
    var bufferSize = Marshal.SizeOf(typeof(DmaGuardPolicyInfo));
    WriteConsoleDebug($"Size of {nameof(DmaGuardPolicy)} structure: {bufferSize} bytes");

    // No return length is requested, so IntPtr.Zero is passed for the last argument.
    var status = NtQuerySystemInformation(
        SYSTEM_INFORMATION_CLASS.SystemDmaGuardPolicyInformation,
        out var policyInfo,
        (uint)bufferSize,
        IntPtr.Zero);

    if (status == StatusSuccess)
    {
        SystemInfo = policyInfo;
        return;
    }

    // Both codes are reported to the caller as "this system cannot answer the query".
    if (status == StatusInvalidInfoClass || status == StatusNotImplemented)
    {
        throw new NotImplementedException($"System support for querying {Name} information not present.");
    }

    WriteConsoleVerbose($"Error requesting {Name} information: {status}");
    throw new Win32Exception(GetSymbolicNtStatus(status));
}
/// <summary>
/// P/Invoke declaration of the native NtQuerySystemInformation API, typed for the DMA Guard Policy query.
/// </summary>
/// <param name="systemInformationClass">The system information class to query.</param>
/// <param name="systemInformation">Receives the <c>DmaGuardPolicyInfo</c> structure filled in by the call.</param>
/// <param name="systemInformationLength">
/// Size, in bytes, of the buffer behind <paramref name="systemInformation"/>. This declaration does not enforce
/// the value; callers should pass the marshalled size of <c>DmaGuardPolicyInfo</c> so that the length the native
/// call is told about matches the buffer the marshaller provides.
/// </param>
/// <param name="returnLength">
/// Optional pointer that receives the number of bytes written; <see cref="IntPtr.Zero"/> when it is not needed.
/// </param>
/// <returns>An NTSTATUS code as a signed 32-bit integer; zero indicates success.</returns>
// NOTE(review): no [DllImport] attribute is visible on this declaration here; an extern method needs one
// (NtQuerySystemInformation is exported by ntdll.dll) - confirm it is present in the full source.
private static extern int NtQuerySystemInformation(SYSTEM_INFORMATION_CLASS systemInformationClass, out DmaGuardPolicyInfo systemInformation, uint systemInformationLength, IntPtr returnLength);