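        /// <summary>
        /// Returns the PEB base address of the process with id <paramref name="ProcessId"/>, or
        /// <see cref="IntPtr.Zero"/> if the process could not be opened or queried.
        /// </summary>
        /// <param name="ProcessId">Id of the process to inspect.</param>
        /// <returns>
        /// <c>PROCESS_BASIC_INFORMATION.PebBaseAddress</c> as filled in by NtQueryInformationProcess, or
        /// <see cref="IntPtr.Zero"/> on failure. (Previously the status was never checked, so a failed query
        /// returned whatever uninitialised memory happened to be in the buffer.)
        /// </returns>
        public static IntPtr GetPEBAddress(uint ProcessId)
        {
            // NOTE(review): ProcessAccess.All asks for every right on the target. The ProcessBasicInformation
            // query only needs PROCESS_QUERY_INFORMATION (0x0400); narrow this if the enum exposes that member.
            IntPtr hProc = Kernel32.OpenProcess(ProcessAccess.All, false, ProcessId);
            if (hProc == IntPtr.Zero)
            {
                // OpenProcess failed (no such process, or access denied) — there is nothing to query.
                return IntPtr.Zero;
            }

            int pbiSize = Marshal.SizeOf(typeof(PROCESS_BASIC_INFORMATION));
            IntPtr pbi = IntPtr.Zero;
            IntPtr returnLength = IntPtr.Zero;
            try
            {
                pbi = Marshal.AllocHGlobal(pbiSize);
                returnLength = Marshal.AllocHGlobal(sizeof(long));

                NtStatus queryStatus = NtDll.NtQueryInformationProcess(
                    hProc, ProcessInfo.ProcessBasicInformation, pbi, (uint)pbiSize, returnLength);

                // STATUS_SUCCESS is 0. Any other value means the buffer was never populated, so reading
                // PebBaseAddress out of it would hand the caller garbage.
                if (queryStatus != 0)
                {
                    return IntPtr.Zero;
                }

                var info = (PROCESS_BASIC_INFORMATION)Marshal.PtrToStructure(pbi, typeof(PROCESS_BASIC_INFORMATION));
                return info.PebBaseAddress;
            }
            finally
            {
                // Release the handle and both buffers on every path, including a throw from the marshalling calls.
                if (returnLength != IntPtr.Zero)
                {
                    Marshal.FreeHGlobal(returnLength);
                }
                if (pbi != IntPtr.Zero)
                {
                    Marshal.FreeHGlobal(pbi);
                }
                Kernel32.CloseHandle(hProc);
            }
        }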
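 /// <summary>Retrieves information about the specified process using either NtQueryInformationProcess or GetProcessInformation.</summary>
 /// <typeparam name="T">The type of information to retrieve.</typeparam>
 /// <param name="process">
 /// A handle to the process. This handle must have the <c>PROCESS_QUERY_INFORMATION</c> access right
 /// (<c>PROCESS_QUERY_LIMITED_INFORMATION</c> suffices for some information classes); the previous text named
 /// <c>PROCESS_SET_INFORMATION</c>, which is the right required to set, not query, process information.
 /// For more information, see Process Security and Access Rights.
 /// </param>
 /// <returns>An object containing the requested type of information.</returns>
 /// <exception cref="ArgumentNullException"><paramref name="process"/> is <see langword="null"/>.</exception>
 /// <exception cref="ArgumentException">Type mismatch.</exception>
 public static T GetInformation <T>(this Process process) where T : struct
 {
     if (process == null)
     {
         throw new ArgumentNullException(nameof(process));
     }

     // Prefer the NtQueryInformationProcess path when T maps to a PROCESSINFOCLASS;
     // otherwise fall back to the documented GetProcessInformation API.
     return CorrespondingTypeAttribute.CanGet <T, NtDll.PROCESSINFOCLASS>(out var pic)
         ? NtDll.NtQueryInformationProcess <T>(process, pic)
         : GetProcessInformation <T>(process);
 }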
ファイル: ProcessUtils.cs プロジェクト: WildGenie/Libraria
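        /// <summary>
        /// Returns the parent of <paramref name="P"/> as reported by NtQueryInformationProcess
        /// (ProcessBasicInformation), or <see langword="null"/> if no running process has the parent's id.
        /// </summary>
        /// <param name="P">The process whose parent is wanted; <see cref="Process.Handle"/> must be obtainable.</param>
        /// <returns>The parent <see cref="Process"/>, or <see langword="null"/> when the parent has already exited.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="P"/> is <see langword="null"/>.</exception>
        /// <exception cref="Win32Exception">NtQueryInformationProcess returned a non-success NTSTATUS.</exception>
        /// <remarks>
        /// Windows records only the parent's process id, not its identity. If the parent has exited and its id has
        /// been reused, the returned process is unrelated to the real parent; callers that use the parent for trust
        /// decisions should additionally compare start times before relying on it.
        /// </remarks>
        public static Process GetParentProcess(this Process P)
        {
            if (P == null)
            {
                throw new ArgumentNullException(nameof(P));
            }

            PROCESS_BASIC_INFORMATION PBI = new PROCESS_BASIC_INFORMATION();
            int retLen;
            int status = NtDll.NtQueryInformationProcess(P.Handle, ProcessInformationClasss.ProcessBasicInformation, new IntPtr(&PBI),
                                                         Marshal.SizeOf(PBI), out retLen);

            if (status != 0)
            {
                // status is an NTSTATUS, not a Win32 error code, so Win32Exception(int) alone would look up a
                // misleading message; include the raw value so the failure is diagnosable.
                throw new Win32Exception(status, "NtQueryInformationProcess failed with NTSTATUS 0x" + status.ToString("X8"));
            }

            // Reserved3 is where this struct exposes the parent id (InheritedFromUniqueProcessId in the native layout).
            int parentId = PBI.Reserved3.ToInt32();
            try
            {
                return Process.GetProcessById(parentId);
            }
            catch (ArgumentException)
            {
                // No running process has that id: the parent has exited.
                return null;
            }
        }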