/// <summary>
/// Returns the base address of the target process's PEB by querying
/// <c>ProcessBasicInformation</c> through <c>NtQueryInformationProcess</c>.
/// </summary>
/// <param name="hProcess">Handle to the process to query; must carry whatever access the query requires.</param>
/// <returns>The <c>PebBaseAddress</c> field of the returned PROCESS_BASIC_INFORMATION.</returns>
/// <exception cref="Win32Exception">
/// Thrown when the returned length does not equal the size of PROCESS_BASIC_INFORMATION.
/// </exception>
private static IntPtr GetPebNative(IntPtr hProcess)
{
    var basicInfo = new NativeMethods.PROCESS_BASIC_INFORMATION();
    var expectedLength = Marshal.SizeOf(basicInfo);
    var returnedLength = 0;

    // NOTE(review): the NTSTATUS result of this call is discarded; failure is inferred
    // solely from the returned length not matching the structure size.
    NativeMethods.NtQueryInformationProcess(
        hProcess,
        NativeMethods.ProcessBasicInformation,
        ref basicInfo,
        expectedLength,
        ref returnedLength);

    if (returnedLength != expectedLength)
    {
        throw new Win32Exception("Unable to query process information.");
    }

    return basicInfo.PebBaseAddress;
}
/// <summary>
/// Resolves the parent of the process behind <paramref name="handle"/> from the
/// <c>InheritedFromUniqueProcessId</c> field of PROCESS_BASIC_INFORMATION.
/// </summary>
/// <param name="handle">Open handle to the child process.</param>
/// <returns>
/// The parent <see cref="Process"/>, or <c>null</c> when no running process has that id.
/// </returns>
/// <exception cref="Win32Exception">Thrown with the non-zero status when the query fails.</exception>
public static Process GetParentProcess(IntPtr handle)
{
    var basicInfo = new NativeMethods.PROCESS_BASIC_INFORMATION();
    var status = NativeMethods.NtQueryInformationProcess(
        handle,
        NativeMethods.PROCESSINFOCLASS.ProcessBasicInformation,
        ref basicInfo,
        Marshal.SizeOf(basicInfo),
        out _);

    if (status != 0)
    {
        throw new Win32Exception(status);
    }

    // NOTE(review): this is the parent id recorded when the child was created. If that
    // parent has exited, the id may since have been reused by an unrelated process, so
    // callers should not make trust decisions on the returned Process alone.
    var parentId = basicInfo.InheritedFromUniqueProcessId.ToInt32();
    try
    {
        return Process.GetProcessById(parentId);
    }
    catch (ArgumentException)
    {
        // No running process with that id.
        return null;
    }
}
/// <summary>
/// Looks up the parent process of the process identified by <paramref name="handle"/>.
/// </summary>
/// <param name="handle">Open handle to the process whose parent is wanted.</param>
/// <returns>
/// The parent <see cref="Process"/>, or <c>null</c> if the recorded parent id does not
/// belong to a running process.
/// </returns>
/// <exception cref="Win32Exception">Thrown when <c>NtQueryInformationProcess</c> returns a non-zero status.</exception>
public static Process GetParentProcess(IntPtr handle)
{
    NativeMethods.PROCESS_BASIC_INFORMATION info = default;
    int ntStatus = NativeMethods.NtQueryInformationProcess(
        handle,
        NativeMethods.PROCESSINFOCLASS.ProcessBasicInformation,
        ref info,
        Marshal.SizeOf(info),
        out int _);

    if (ntStatus != 0)
    {
        throw new Win32Exception(ntStatus);
    }

    Process parent;
    try
    {
        // NOTE(review): InheritedFromUniqueProcessId is the creator's id at creation time;
        // if that process has exited the id may now belong to an unrelated process.
        parent = Process.GetProcessById(info.InheritedFromUniqueProcessId.ToInt32());
    }
    catch (ArgumentException)
    {
        // Not found.
        parent = null;
    }

    return parent;
}
/// <summary>
/// Queries <c>ProcessBasicInformation</c> for <paramref name="hProcess"/> and returns the
/// PEB base address it reports.
/// </summary>
/// <param name="hProcess">Handle to the process being inspected.</param>
/// <returns>The <c>PebBaseAddress</c> of the target process.</returns>
/// <exception cref="Win32Exception">
/// Thrown when the number of bytes written back differs from the size of PROCESS_BASIC_INFORMATION.
/// </exception>
private static IntPtr GetPebNative(IntPtr hProcess)
{
    int structSize = Marshal.SizeOf(typeof(NativeMethods.PROCESS_BASIC_INFORMATION));
    int bytesWritten = 0;
    NativeMethods.PROCESS_BASIC_INFORMATION info = default;

    // NOTE(review): the status code returned by NtQueryInformationProcess is not checked;
    // a short or absent write-back is the only failure this method detects.
    NativeMethods.NtQueryInformationProcess(
        hProcess,
        NativeMethods.ProcessBasicInformation,
        ref info,
        structSize,
        ref bytesWritten);

    return bytesWritten == structSize
        ? info.PebBaseAddress
        : throw new Win32Exception("Unable to query process information.");
}
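/// <summary>
/// Reads the command line of another process by walking its PEB:
/// PEB -> ProcessParameters -> CommandLine (a UNICODE_STRING), then copying the string buffer.
/// </summary>
/// <param name="processId">Id of the process to inspect.</param>
/// <returns>
/// The decoded command line, or <c>""</c> when the process cannot be opened or any step of
/// the read fails.
/// </returns>
/// <remarks>
/// The process handle is released on every exit path (the original only closed it on the
/// fall-through path, leaking it whenever a read succeeded or an early return fired).
/// </remarks>
public static string GetCommandLineOfProcess(int processId)
{
    // Offsets of PEB.ProcessParameters and RTL_USER_PROCESS_PARAMETERS.CommandLine as used
    // by this routine. NOTE(review): these, and the 32-bit pointer arithmetic below, match
    // a 32-bit target layout; a 64-bit target is not expected to work — TODO confirm the
    // supported configurations.
    const int ProcessParametersOffset = 0x10;
    const int CommandLineOffset = 0x40;

    IntPtr proc = NativeMethods.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, false, processId);
    if (proc == IntPtr.Zero)
    {
        return "";
    }

    try
    {
        var pbi = new NativeMethods.PROCESS_BASIC_INFORMATION();
        if (NativeMethods.NtQueryInformationProcess(proc, 0, ref pbi, pbi.Size, IntPtr.Zero) != 0)
        {
            return "";
        }

        // Pointer-sized read of PEB.ProcessParameters.
        var pointerBytes = new byte[IntPtr.Size];
        if (!NativeMethods.ReadProcessMemory(
                proc,
                IntPtr.Add(pbi.PebBaseAddress, ProcessParametersOffset),
                pointerBytes,
                IntPtr.Size,
                out _))
        {
            return "";
        }

        // Decode the pointer at the caller's pointer width; the 32-bit branch is the
        // original's int arithmetic (unchecked), the 64-bit branch avoids truncation.
        IntPtr commandLineFieldAddress = IntPtr.Size == 8
            ? new IntPtr(BitConverter.ToInt64(pointerBytes, 0) + CommandLineOffset)
            : new IntPtr(BitConverter.ToInt32(pointerBytes, 0) + CommandLineOffset);

        int unicodeStringSize = Marshal.SizeOf(typeof(NativeMethods.UNICODE_STRING));
        var unicodeStringBytes = new byte[unicodeStringSize];
        if (!NativeMethods.ReadProcessMemory(
                proc,
                commandLineFieldAddress,
                unicodeStringBytes,
                unicodeStringSize,
                out _))
        {
            return "";
        }

        var commandLine = ByteArrayToStructure<NativeMethods.UNICODE_STRING>(unicodeStringBytes);

        // Length is treated as a byte count here (it sizes both the buffer and the read),
        // so the bytes decode directly as UTF-16.
        var stringBytes = new byte[commandLine.Length];
        if (!NativeMethods.ReadProcessMemory(proc, commandLine.buffer, stringBytes, commandLine.Length, out _))
        {
            return "";
        }

        return Encoding.Unicode.GetString(stringBytes);
    }
    finally
    {
        // Always release the handle, including on early returns and exceptions.
        NativeMethods.CloseHandle(proc);
    }
}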