/// <summary>
/// Returns the byte offset of a member inside the target's RTL_USER_PROCESS_PARAMETERS
/// for the given bitness.
/// </summary>
/// <param name="offsetType">Which process-parameters member is wanted.</param>
/// <param name="isTargetProc64Bit"><c>true</c> for the 64-bit structure layout, <c>false</c> for the 32-bit one.</param>
/// <returns>Offset of the member from the start of the structure, in bytes.</returns>
/// <exception cref="ArgumentException">Thrown when <paramref name="offsetType"/> is not a known member.</exception>
private static int GetProcessParametersMemberOffset(PebProcessParametersMember offsetType, bool isTargetProc64Bit)
{
    if (offsetType == PebProcessParametersMember.CurrentDirectory)
    {
        return isTargetProc64Bit ? 0x38 : 0x24;
    }

    if (offsetType == PebProcessParametersMember.CommandLine)
    {
        return isTargetProc64Bit ? 0x70 : 0x40;
    }

    throw new ArgumentException("unknown PebProcessParametersMember offset type");
}
/// <summary>
/// Looks up where a member lives inside RTL_USER_PROCESS_PARAMETERS, picking the
/// 32-bit or 64-bit layout of the target.
/// </summary>
/// <param name="offsetType">The process-parameters member to locate.</param>
/// <param name="isTargetProc64Bit">Whether the target process uses the 64-bit layout.</param>
/// <returns>Byte offset of the member within the structure.</returns>
/// <exception cref="ArgumentException">Thrown for an unrecognised <paramref name="offsetType"/>.</exception>
private static int GetProcessParametersMemberOffset(PebProcessParametersMember offsetType, bool isTargetProc64Bit)
{
    int offset32;
    int offset64;

    switch (offsetType)
    {
        case PebProcessParametersMember.CurrentDirectory:
            offset32 = 0x24;
            offset64 = 0x38;
            break;

        case PebProcessParametersMember.CommandLine:
            offset32 = 0x40;
            offset64 = 0x70;
            break;

        default:
            throw new ArgumentException("unknown PebProcessParametersMember offset type");
    }

    return isTargetProc64Bit ? offset64 : offset32;
}
/// <summary>
/// Opens the process identified by <paramref name="processId"/> with the minimal rights
/// needed for a PEB walk and delegates to the handle-based overload.
/// </summary>
/// <param name="processId">Id of the process to inspect.</param>
/// <param name="offsetType">Which process-parameters member to read.</param>
/// <returns>Whatever the handle-based overload returns for that member.</returns>
/// <exception cref="Win32Exception">Thrown when the process cannot be opened.</exception>
private static string GetProcessParametersString(int processId, PebProcessParametersMember offsetType)
{
    // Query + VM-read is the least-privilege mask for reading the PEB; no control rights are requested.
    var access = ProcessAccessFlags.QueryInformation | ProcessAccessFlags.VirtualMemoryRead;
    IntPtr handle = OpenProcess(access, false, processId);
    if (handle == IntPtr.Zero)
    {
        int error = Marshal.GetLastWin32Error();
        throw new Win32Exception(error);
    }

    try
    {
        return GetProcessParametersString(handle, offsetType);
    }
    finally
    {
        // The handle is owned here, so it is always released, even when the read throws.
        CloseHandle(handle);
    }
}
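/// <summary>
/// Reads a string member of the target process's RTL_USER_PROCESS_PARAMETERS
/// (current directory or command line) by walking its PEB.
/// </summary>
/// <param name="processId">Id of the process to inspect.</param>
/// <param name="offsetType">Which process-parameters member to read.</param>
/// <returns>
/// The member's contents, or <c>null</c> when the target's UNICODE_STRING has a
/// null buffer or a zero length.
/// </returns>
/// <exception cref="Win32Exception">
/// Thrown when the process cannot be opened, when NtQueryInformationProcess fails,
/// or when any ReadProcessMemory call fails.
/// </exception>
private static string GetProcessParametersString(int processId, PebProcessParametersMember offsetType)
{
    // Only the rights the PEB walk needs: query for the PEB address, VM read for the contents.
    IntPtr handle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, false, processId);
    if (handle == IntPtr.Zero)
    {
        throw new Win32Exception(Marshal.GetLastWin32Error());
    }

    try
    {
        bool isTargetWow64Process = Is64BitChecker.IsWow64Process(handle);
        // A non-WOW64 process on a 64-bit OS is a native 64-bit process.
        bool isTarget64BitProcess = Environment.Is64BitOperatingSystem && !isTargetWow64Process;
        long processParametersOffset = GetProcessParametersOffset(isTarget64BitProcess);
        long offset = GetProcessParametersMemberOffset(offsetType, isTarget64BitProcess);

        // NOTE(review): pointers below are read with IntPtr.Size bytes and UNICODE_STRING
        // with this process's own layout, so a 32-bit caller inspecting a 64-bit target
        // would read truncated values. Presumably callers run as 64-bit on a 64-bit OS — confirm.
        if (isTargetWow64Process)
        {
            // The 32-bit PEB of a WOW64 target is exposed via ProcessWow64Information.
            IntPtr peb32 = new IntPtr();
            int hr = NtQueryInformationProcess(handle, (int)PROCESSINFOCLASS.ProcessWow64Information, ref peb32, IntPtr.Size, IntPtr.Zero);
            if (hr != 0)
            {
                // hr is an NTSTATUS; Win32Exception formats it as a Win32 code, so the message
                // text may be misleading, but the raw status value is preserved for callers.
                throw new Win32Exception(hr);
            }

            long pebAddress = peb32.ToInt64();
            IntPtr pp = new IntPtr();
            if (!ReadProcessMemory(handle, new IntPtr(pebAddress + processParametersOffset), ref pp, new IntPtr(Marshal.SizeOf(pp)), IntPtr.Zero))
            {
                throw new Win32Exception(Marshal.GetLastWin32Error());
            }

            // The 32-bit PEB holds a 4-byte ProcessParameters pointer. In a 64-bit caller the
            // read above pulls in 8 bytes, so the high half is whatever follows the pointer in
            // the target's PEB; keep only the low 32 bits so that data cannot corrupt the address.
            long processParameters32 = pp.ToInt64() & 0xFFFFFFFFL;

            UNICODE_STRING_32 us = new UNICODE_STRING_32();
            if (!ReadProcessMemory(handle, new IntPtr(processParameters32 + offset), ref us, new IntPtr(Marshal.SizeOf(us)), IntPtr.Zero))
            {
                throw new Win32Exception(Marshal.GetLastWin32Error());
            }

            if (us.Buffer == 0 || us.Length == 0)
            {
                return null;
            }

            // Length counts bytes of UTF-16 data; read exactly the bytes that back the allocated
            // chars so an odd Length (the target controls this field) cannot spill past the last char.
            int charCount = us.Length / 2;
            string s = new string('\0', charCount);
            if (!ReadProcessMemory(handle, new IntPtr(us.Buffer), s, new IntPtr(charCount * 2), IntPtr.Zero))
            {
                throw new Win32Exception(Marshal.GetLastWin32Error());
            }

            return s;
        }
        else
        {
            PROCESS_BASIC_INFORMATION pbi = new PROCESS_BASIC_INFORMATION();
            int hr = NtQueryInformationProcess(handle, (int)PROCESSINFOCLASS.ProcessBasicInformation, ref pbi, Marshal.SizeOf(pbi), IntPtr.Zero);
            if (hr != 0)
            {
                // NTSTATUS passed through as above.
                throw new Win32Exception(hr);
            }

            long pebAddress = pbi.PebBaseAddress.ToInt64();
            IntPtr pp = new IntPtr();
            if (!ReadProcessMemory(handle, new IntPtr(pebAddress + processParametersOffset), ref pp, new IntPtr(Marshal.SizeOf(pp)), IntPtr.Zero))
            {
                throw new Win32Exception(Marshal.GetLastWin32Error());
            }

            UNICODE_STRING us = new UNICODE_STRING();
            if (!ReadProcessMemory(handle, new IntPtr(pp.ToInt64() + offset), ref us, new IntPtr(Marshal.SizeOf(us)), IntPtr.Zero))
            {
                throw new Win32Exception(Marshal.GetLastWin32Error());
            }

            if (us.Buffer == IntPtr.Zero || us.Length == 0)
            {
                return null;
            }

            // Same byte-count discipline as the WOW64 branch.
            int charCount = us.Length / 2;
            string s = new string('\0', charCount);
            if (!ReadProcessMemory(handle, us.Buffer, s, new IntPtr(charCount * 2), IntPtr.Zero))
            {
                throw new Win32Exception(Marshal.GetLastWin32Error());
            }

            return s;
        }
    }
    finally
    {
        // The handle is owned here; release it on every path.
        CloseHandle(handle);
    }
}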
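/// <summary>
/// Reads a string member of the target process's RTL_USER_PROCESS_PARAMETERS
/// (current directory or command line) by walking its PEB through an already-open handle.
/// </summary>
/// <param name="processHandle">
/// Handle to the process to inspect; presumably opened with query and VM-read access
/// (see the processId overload). The caller keeps ownership and closes it.
/// </param>
/// <param name="offsetType">Which process-parameters member to read.</param>
/// <returns>
/// The member's contents; <c>null</c> when the target's UNICODE_STRING has a null buffer
/// or zero length; <see cref="String.Empty"/> when any native call fails (best-effort read).
/// </returns>
/// <exception cref="Win32Exception">Thrown when <paramref name="processHandle"/> is zero.</exception>
private static string GetProcessParametersString(IntPtr processHandle, PebProcessParametersMember offsetType)
{
    if (processHandle == IntPtr.Zero)
    {
        // NOTE(review): the last Win32 error here belongs to whatever P/Invoke the caller ran
        // last, not to this handle; the exception type is kept so existing catch clauses still match.
        throw new Win32Exception(Marshal.GetLastWin32Error());
    }

    try
    {
        bool isTargetWow64Process = NativeMethods.Is64BitChecker.IsWow64Process(processHandle);
        // A non-WOW64 process on a 64-bit OS is a native 64-bit process.
        bool isTarget64BitProcess = Environment.Is64BitOperatingSystem && !isTargetWow64Process;
        long processParametersOffset = GetProcessParametersOffset(isTarget64BitProcess);
        long offset = GetProcessParametersMemberOffset(offsetType, isTarget64BitProcess);

        // NOTE(review): pointers below are read with IntPtr.Size bytes and UNICODE_STRING
        // with this process's own layout, so a 32-bit caller inspecting a 64-bit target
        // would read truncated values. Presumably callers run as 64-bit on a 64-bit OS — confirm.
        if (isTargetWow64Process)
        {
            // The 32-bit PEB of a WOW64 target is exposed via ProcessWow64Information.
            IntPtr peb32 = new IntPtr();
            int hr = NtQueryInformationProcess(processHandle, (int)PROCESSINFOCLASS.ProcessWow64Information, ref peb32, IntPtr.Size, IntPtr.Zero);
            if (hr != 0)
            {
                // hr is an NTSTATUS; Win32Exception formats it as a Win32 code, so the message
                // text may be misleading, but the raw status value is preserved.
                throw new Win32Exception(hr);
            }

            long pebAddress = peb32.ToInt64();
            IntPtr pp = new IntPtr();
            if (!ReadProcessMemory(processHandle, new IntPtr(pebAddress + processParametersOffset), ref pp, new IntPtr(Marshal.SizeOf(pp)), IntPtr.Zero))
            {
                throw new Win32Exception(Marshal.GetLastWin32Error());
            }

            // The 32-bit PEB holds a 4-byte ProcessParameters pointer. In a 64-bit caller the
            // read above pulls in 8 bytes, so the high half is whatever follows the pointer in
            // the target's PEB; keep only the low 32 bits so that data cannot corrupt the address.
            long processParameters32 = pp.ToInt64() & 0xFFFFFFFFL;

            UNICODE_STRING_32 us = new UNICODE_STRING_32();
            if (!ReadProcessMemory(processHandle, new IntPtr(processParameters32 + offset), ref us, new IntPtr(Marshal.SizeOf(us)), IntPtr.Zero))
            {
                throw new Win32Exception(Marshal.GetLastWin32Error());
            }

            if (us.Buffer == 0 || us.Length == 0)
            {
                return null;
            }

            // Length counts bytes of UTF-16 data; read exactly the bytes that back the allocated
            // chars so an odd Length (the target controls this field) cannot spill past the last char.
            int charCount = us.Length / 2;
            string s = new string('\0', charCount);
            if (!ReadProcessMemory(processHandle, new IntPtr(us.Buffer), s, new IntPtr(charCount * 2), IntPtr.Zero))
            {
                throw new Win32Exception(Marshal.GetLastWin32Error());
            }

            return s;
        }
        else
        {
            PROCESS_BASIC_INFORMATION pbi = new PROCESS_BASIC_INFORMATION();
            int hr = NtQueryInformationProcess(processHandle, (int)PROCESSINFOCLASS.ProcessBasicInformation, ref pbi, Marshal.SizeOf(pbi), IntPtr.Zero);
            if (hr != 0)
            {
                // NTSTATUS passed through as above.
                throw new Win32Exception(hr);
            }

            long pebAddress = pbi.PebBaseAddress.ToInt64();
            IntPtr pp = new IntPtr();
            if (!ReadProcessMemory(processHandle, new IntPtr(pebAddress + processParametersOffset), ref pp, new IntPtr(Marshal.SizeOf(pp)), IntPtr.Zero))
            {
                throw new Win32Exception(Marshal.GetLastWin32Error());
            }

            UNICODE_STRING us = new UNICODE_STRING();
            if (!ReadProcessMemory(processHandle, new IntPtr(pp.ToInt64() + offset), ref us, new IntPtr(Marshal.SizeOf(us)), IntPtr.Zero))
            {
                throw new Win32Exception(Marshal.GetLastWin32Error());
            }

            if (us.Buffer == IntPtr.Zero || us.Length == 0)
            {
                return null;
            }

            // Same byte-count discipline as the WOW64 branch.
            int charCount = us.Length / 2;
            string s = new string('\0', charCount);
            if (!ReadProcessMemory(processHandle, us.Buffer, s, new IntPtr(charCount * 2), IntPtr.Zero))
            {
                throw new Win32Exception(Marshal.GetLastWin32Error());
            }

            return s;
        }
    }
    catch (Win32Exception)
    {
        // Deliberate best-effort behaviour: a target whose PEB cannot be read (access denied,
        // exited mid-walk) yields an empty string rather than failing the caller.
        return String.Empty;
    }
}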