/// <summary>
/// Queries driver information of the given class and reads the result as a string.
/// </summary>
/// <param name="infoClass">The information class passed to the driver query.</param>
/// <returns>The string read from the UnicodeString found at the start of the returned data.</returns>
private string GetInformationUnicodeString(DriverInformationClass infoClass)
{
    using (var buffer = new MemoryAlloc(0x1000))
    {
        int returnLength = 0;

        try
        {
            KProcessHacker.Instance.KphQueryInformationDriver(
                this,
                infoClass,
                buffer,
                buffer.Size,
                out returnLength
                );
        }
        catch (WindowsException)
        {
            // Every WindowsException is handled as if the buffer was too small:
            // the buffer is resized to the reported length and the query is
            // issued once more. A failure of the second call propagates.
            // NOTE(review): if the first call failed for another reason,
            // returnLength may still be 0 here - confirm what Resize(0) does.
            buffer.Resize(returnLength);
            KProcessHacker.Instance.KphQueryInformationDriver(
                this,
                infoClass,
                buffer,
                buffer.Size,
                out returnLength
                );
        }

        UnicodeString text = buffer.ReadStruct<UnicodeString>();

        return text.Read();
    }
}
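/// <summary>
/// Queries the target string of this symbolic link object.
/// </summary>
/// <returns>The string read from the UnicodeString filled in by the query.</returns>
public string GetTarget()
{
    NtStatus status;
    int retLength;
    UnicodeString str = new UnicodeString();

    using (var buffer = new MemoryAlloc(0x200))
    {
        str.Length = 0;
        str.MaximumLength = (ushort)buffer.Size;
        str.Buffer = buffer;

        status = Win32.NtQuerySymbolicLinkObject(this, ref str, out retLength);

        // Retry only when the call reported a too-small buffer and the
        // reported length fits the 16-bit MaximumLength field. The query is
        // not repeated after a success, and the buffer is not resized from a
        // length reported alongside an unrelated error.
        if (status == NtStatus.BufferTooSmall && retLength > 0 && retLength <= ushort.MaxValue)
        {
            buffer.Resize(retLength);
            str.MaximumLength = (ushort)retLength;
            // Re-assign the pointer; Resize may have moved the allocation.
            str.Buffer = buffer;

            status = Win32.NtQuerySymbolicLinkObject(this, ref str, out retLength);
        }

        if (status >= NtStatus.Error)
        {
            Win32.ThrowLastError(status);
        }

        // str.Buffer points into 'buffer', so the string must be read
        // before the using block releases the allocation.
        return str.Read();
    }
}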
/// <summary>
/// Retrieves a string-valued piece of driver information.
/// </summary>
/// <param name="infoClass">Which information class to query.</param>
/// <returns>The result of reading the UnicodeString located at offset 0 of the query buffer.</returns>
private string GetInformationUnicodeString(DriverInformationClass infoClass)
{
    using (var mem = new MemoryAlloc(0x1000))
    {
        int needed = 0;

        try
        {
            // First attempt with the initial 0x1000-byte allocation.
            KProcessHacker.Instance.KphQueryInformationDriver(this, infoClass, mem, mem.Size, out needed);
        }
        catch (WindowsException)
        {
            // Second and last attempt, using the length reported by the
            // first call as the new buffer size.
            // NOTE(review): the exception is not inspected, so 'needed' is
            // trusted even when the failure was not size related - confirm
            // the wrapper always sets it before throwing.
            mem.Resize(needed);
            KProcessHacker.Instance.KphQueryInformationDriver(this, infoClass, mem, mem.Size, out needed);
        }

        return mem.ReadStruct<UnicodeString>().Read();
    }
}
/// <summary>
/// Looks up the value of a variable in this environment block.
/// </summary>
/// <param name="name">The name of the variable to query.</param>
/// <returns>The value string read from the query result.</returns>
public string GetVariable(string name)
{
    UnicodeString nameStr = new UnicodeString(name);

    try
    {
        using (var buffer = new MemoryAlloc(100))
        {
            UnicodeString valueStr = new UnicodeString();

            valueStr.Buffer = buffer;
            valueStr.MaximumLength = (ushort)buffer.Size;

            NtStatus result = Win32.RtlQueryEnvironmentVariable_U(this, ref nameStr, ref valueStr);

            if (result == NtStatus.BufferTooSmall)
            {
                // Resize and try again (+2 for the null terminator).
                // NOTE(review): the sum is narrowed to ushort below, so a
                // reported Length of 0xFFFE or more would wrap - presumably
                // not reachable for environment values; confirm.
                int required = valueStr.Length + 2;

                buffer.Resize(required);
                valueStr.Buffer = buffer;
                valueStr.MaximumLength = (ushort)required;

                result = Win32.RtlQueryEnvironmentVariable_U(this, ref nameStr, ref valueStr);
            }

            if (result >= NtStatus.Error)
            {
                Win32.ThrowLastError(result);
            }

            // valueStr.Buffer refers to 'buffer'; read before it is disposed.
            return valueStr.Read();
        }
    }
    finally
    {
        // The name string was created by this method and is released on every path.
        nameStr.Dispose();
    }
}
/// <summary>
/// Queries job object information and returns it as a structure of type T.
/// </summary>
/// <typeparam name="T">The structure type to read from the query buffer.</typeparam>
/// <param name="informationClass">The information class to query.</param>
/// <returns>The structure read from the start of the query buffer.</returns>
private T QueryStruct<T>(JobObjectInformationClass informationClass)
    where T : struct
{
    using (var buffer = new MemoryAlloc(Marshal.SizeOf(typeof(T))))
    {
        int returnLength;
        bool succeeded = Win32.QueryInformationJobObject(this, informationClass, buffer, buffer.Size, out returnLength);

        if (!succeeded)
        {
            // Any failure triggers one retry with the buffer resized to the
            // length the first call reported.
            // NOTE(review): the error code is not checked, and the buffer
            // could end up smaller than sizeof(T) if returnLength is small
            // or 0 - confirm ReadStruct cannot read past the allocation.
            buffer.Resize(returnLength);
            succeeded = Win32.QueryInformationJobObject(this, informationClass, buffer, buffer.Size, out returnLength);

            if (!succeeded)
            {
                Win32.ThrowLastError();
            }
        }

        return buffer.ReadStruct<T>();
    }
}
/// <summary>
/// Queries the log path information of this transaction manager.
/// </summary>
/// <returns>The log path string read from the query result.</returns>
public string GetLogFileName()
{
    using (var buffer = new MemoryAlloc(0x1000))
    {
        int returnLength;
        NtStatus result = Win32.NtQueryInformationTransactionManager(
            this,
            TmInformationClass.TransactionManagerLogPathInformation,
            buffer,
            buffer.Size,
            out returnLength
            );

        if (result == NtStatus.BufferTooSmall)
        {
            // Grow to the reported length and query a second time.
            buffer.Resize(returnLength);
            result = Win32.NtQueryInformationTransactionManager(
                this,
                TmInformationClass.TransactionManagerLogPathInformation,
                buffer,
                buffer.Size,
                out returnLength
                );
        }

        if (result >= NtStatus.Error)
        {
            Win32.ThrowLastError(result);
        }

        TmLogPathInformation header = buffer.ReadStruct<TmLogPathInformation>();

        // NOTE(review): LogPathLength is taken from the returned data and is
        // not compared with buffer.Size here - confirm ReadUnicodeString
        // bounds the read.
        return buffer.ReadUnicodeString(TmLogPathInformation.LogPathOffset, header.LogPathLength);
    }
}
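/// <summary>
/// Queries the properties information of this transaction into a new allocation.
/// </summary>
/// <returns>
/// The allocation holding the query result. Ownership passes to the caller,
/// who is responsible for disposing it.
/// </returns>
private MemoryAlloc GetPropertiesInformation()
{
    NtStatus status;
    int retLength;
    var data = new MemoryAlloc(0x1000);

    try
    {
        status = Win32.NtQueryInformationTransaction(
            this,
            TransactionInformationClass.TransactionPropertiesInformation,
            data,
            data.Size,
            out retLength
            );

        if (status == NtStatus.BufferTooSmall)
        {
            // Resize the buffer and try again.
            data.Resize(retLength);
            status = Win32.NtQueryInformationTransaction(
                this,
                TransactionInformationClass.TransactionPropertiesInformation,
                data,
                data.Size,
                out retLength
                );
        }

        if (status >= NtStatus.Error)
        {
            Win32.ThrowLastError(status);
        }

        return data;
    }
    catch
    {
        // The allocation is not wrapped in a using block because it is
        // returned on success, so it has to be released here on every
        // failure path, including an exception thrown by Resize.
        data.Dispose();
        throw;
    }
}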
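/// <summary>
/// Queries the basic information of this resource manager into a new allocation.
/// </summary>
/// <returns>
/// The allocation holding the query result. Ownership passes to the caller,
/// who is responsible for disposing it.
/// </returns>
private MemoryAlloc GetBasicInformation()
{
    NtStatus status;
    int retLength;
    var data = new MemoryAlloc(0x1000);

    try
    {
        status = Win32.NtQueryInformationResourceManager(
            this,
            ResourceManagerInformationClass.ResourceManagerBasicInformation,
            data,
            data.Size,
            out retLength
            );

        if (status == NtStatus.BufferTooSmall)
        {
            // Resize the buffer and try again.
            data.Resize(retLength);
            status = Win32.NtQueryInformationResourceManager(
                this,
                ResourceManagerInformationClass.ResourceManagerBasicInformation,
                data,
                data.Size,
                out retLength
                );
        }

        if (status >= NtStatus.Error)
        {
            Win32.ThrowLastError(status);
        }

        return data;
    }
    catch
    {
        // Release the allocation on every failure path (error status or an
        // exception from Resize); on success the caller owns it.
        data.Dispose();
        throw;
    }
}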
/// <summary>
/// Creates a copy of the security descriptor in self-relative form.
/// </summary>
/// <returns>A new self-relative security descriptor.</returns>
public SecurityDescriptor ToSelfRelative()
{
    using (var buffer = new MemoryAlloc(Win32.SecurityDescriptorMinLength))
    {
        // The length is passed by reference: it carries the buffer size in,
        // and the value written back is used as the new size on a retry.
        int length = buffer.Size;
        NtStatus result = Win32.RtlMakeSelfRelativeSD(this, buffer, ref length);

        if (result == NtStatus.BufferTooSmall)
        {
            buffer.Resize(length);
            result = Win32.RtlMakeSelfRelativeSD(this, buffer, ref length);
        }

        if (result >= NtStatus.Error)
        {
            Win32.ThrowLastError(result);
        }

        // NOTE(review): 'buffer' is disposed when this using block exits, so
        // the returned object is only valid if the SecurityDescriptor
        // constructor copies the data or takes its own reference - confirm.
        return new SecurityDescriptor(buffer);
    }
}
/// <summary>
/// Gets the security descriptor of a kernel object.
/// </summary>
/// <param name="handle">A handle to a kernel object.</param>
/// <param name="securityInformation">The information to retrieve.</param>
/// <returns>A security descriptor.</returns>
public static SecurityDescriptor GetSecurity(IntPtr handle, SecurityInformation securityInformation)
{
    using (var buffer = new MemoryAlloc(0x100))
    {
        int returnLength;
        NtStatus result = Win32.NtQuerySecurityObject(
            handle,
            securityInformation,
            buffer,
            buffer.Size,
            out returnLength
            );

        if (result == NtStatus.BufferTooSmall)
        {
            // One retry with the buffer grown to the reported length.
            buffer.Resize(returnLength);
            result = Win32.NtQuerySecurityObject(
                handle,
                securityInformation,
                buffer,
                buffer.Size,
                out returnLength
                );
        }

        if (result >= NtStatus.Error)
        {
            Win32.ThrowLastError(result);
        }

        // NOTE(review): the allocation is released when the using block
        // exits; this relies on the SecurityDescriptor constructor copying
        // the data or holding its own reference - confirm.
        return new SecurityDescriptor(buffer);
    }
}
/// <summary>
/// Converts this security descriptor to self-relative form in a new object.
/// </summary>
/// <returns>A security descriptor constructed from the converted data.</returns>
public SecurityDescriptor ToSelfRelative()
{
    using (var mem = new MemoryAlloc(Win32.SecurityDescriptorMinLength))
    {
        int size = mem.Size;
        NtStatus outcome = Win32.RtlMakeSelfRelativeSD(this, mem, ref size);

        // Only a too-small buffer is retried, and only once, with the size
        // that the first call wrote back.
        if (outcome == NtStatus.BufferTooSmall)
        {
            mem.Resize(size);
            outcome = Win32.RtlMakeSelfRelativeSD(this, mem, ref size);
        }

        if (outcome >= NtStatus.Error)
        {
            Win32.ThrowLastError(outcome);
        }

        // NOTE(review): 'mem' is disposed on leaving the using block; verify
        // that SecurityDescriptor does not keep a pointer to memory it does
        // not own or reference.
        return new SecurityDescriptor(mem);
    }
}
/// <summary>
/// Queries the value of the named variable from this environment block.
/// </summary>
/// <param name="name">The variable name.</param>
/// <returns>The string read from the value UnicodeString after a successful query.</returns>
public string GetVariable(string name)
{
    UnicodeString nameStr = new UnicodeString(name);

    try
    {
        using (var mem = new MemoryAlloc(100))
        {
            UnicodeString valueStr = new UnicodeString();
            NtStatus outcome;

            valueStr.Buffer = mem;
            valueStr.MaximumLength = (ushort)mem.Size;

            outcome = Win32.RtlQueryEnvironmentVariable_U(this, ref nameStr, ref valueStr);

            if (outcome == NtStatus.BufferTooSmall)
            {
                // The retry size is the Length left in valueStr by the first
                // call plus two bytes.
                // NOTE(review): the (ushort) narrowing would wrap for a
                // Length of 0xFFFE or more - confirm this cannot occur.
                int grownSize = valueStr.Length + 2;

                mem.Resize(grownSize);
                // Re-assign the pointer; Resize may have moved the allocation.
                valueStr.Buffer = mem;
                valueStr.MaximumLength = (ushort)grownSize;

                outcome = Win32.RtlQueryEnvironmentVariable_U(this, ref nameStr, ref valueStr);
            }

            if (outcome >= NtStatus.Error)
            {
                Win32.ThrowLastError(outcome);
            }

            return valueStr.Read();
        }
    }
    finally
    {
        nameStr.Dispose();
    }
}
/// <summary>
/// Enumerates the entries of this directory object, invoking a callback for each one.
/// </summary>
/// <param name="callback">
/// Called with the name and type name of each entry. Returning false stops
/// the enumeration immediately.
/// </param>
public void EnumObjects(EnumObjectsDelegate callback)
{
    NtStatus status;
    // Enumeration position; passed by reference and updated by each query.
    int context = 0;
    // True only for the first successful batch; passed as the fifth argument
    // (presumably "restart scan" - confirm against the Win32 declaration).
    bool firstTime = true;
    int retLength;

    using (var data = new MemoryAlloc(0x200))
    {
        // Outer loop: one iteration per batch of entries.
        while (true)
        {
            // Inner loop: repeat the query while it reports MoreEntries and
            // the buffer could not hold even a single entry.
            while ((status = Win32.NtQueryDirectoryObject(
                this,
                data,
                data.Size,
                false,
                firstTime,
                ref context,
                out retLength
                )) == NtStatus.MoreEntries)
            {
                // Check if we have at least one entry. If not,
                // we need to double the buffer size and try again.
                if (data.ReadStruct <ObjectDirectoryInformation>(0).Name.Buffer != IntPtr.Zero)
                {
                    break;
                }

                // Cap the growth so the doubling below cannot run away.
                // NOTE(review): status is MoreEntries at this point, so the
                // thrown error carries that status rather than a size error.
                if (data.Size > 16 * 1024 * 1024)
                {
                    Win32.ThrowLastError(status);
                }

                data.Resize(data.Size * 2);
            }

            if (status >= NtStatus.Error)
            {
                Win32.ThrowLastError(status);
            }

            int i = 0;

            // Walk the returned array until an entry with a null name buffer.
            // NOTE(review): the index is never checked against data.Size;
            // this relies on the query always writing a terminating entry
            // inside the buffer - confirm.
            while (true)
            {
                ObjectDirectoryInformation info = data.ReadStruct <ObjectDirectoryInformation>(i);

                if (info.Name.Buffer == IntPtr.Zero)
                {
                    break;
                }

                if (!callback(new ObjectEntry(info.Name.Read(), info.TypeName.Read())))
                {
                    return;
                }

                i++;
            }

            // Any status other than MoreEntries means the last batch was processed.
            if (status != NtStatus.MoreEntries)
            {
                break;
            }

            firstTime = false;
        }
    }
}
/// <summary>
/// Gets the security descriptor of a kernel object.
/// </summary>
/// <param name="handle">A handle to a kernel object.</param>
/// <param name="securityInformation">The information to retrieve.</param>
/// <returns>A security descriptor.</returns>
public static SecurityDescriptor GetSecurity(IntPtr handle, SecurityInformation securityInformation)
{
    using (var mem = new MemoryAlloc(0x100))
    {
        int needed;
        NtStatus outcome = Win32.NtQuerySecurityObject(handle, securityInformation, mem, mem.Size, out needed);

        // A too-small buffer is the only condition that is retried; the new
        // size is the length reported by the first call.
        if (outcome == NtStatus.BufferTooSmall)
        {
            mem.Resize(needed);
            outcome = Win32.NtQuerySecurityObject(handle, securityInformation, mem, mem.Size, out needed);
        }

        if (outcome >= NtStatus.Error)
        {
            Win32.ThrowLastError(outcome);
        }

        // NOTE(review): 'mem' is disposed as soon as this method returns;
        // confirm that the SecurityDescriptor constructor copies the
        // descriptor or references the allocation itself.
        return new SecurityDescriptor(mem);
    }
}