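 /// <summary>
 /// Returns the byte offset of one string member inside the target's process-parameters
 /// block (the RTL_USER_PROCESS_PARAMETERS structure that PEB.ProcessParameters points to).
 /// </summary>
 /// <param name="offsetType">Which member's offset to return.</param>
 /// <param name="isTargetProc64Bit">
 /// True when the target is a native 64-bit process; the structure has a different layout
 /// for 32-bit (including WOW64) and 64-bit processes, so the caller must pass the target's
 /// bitness, not its own.
 /// </param>
 /// <returns>Offset in bytes from the start of the process-parameters block.</returns>
 /// <exception cref="ArgumentException">
 /// <paramref name="offsetType"/> is not a member this helper knows an offset for.
 /// </exception>
 private static int GetProcessParametersMemberOffset(PebProcessParametersMember offsetType, bool isTargetProc64Bit)
 {
     // Offsets into an undocumented structure; keep them in step with the UNICODE_STRING
     // readers that consume them.
     switch (offsetType)
     {
         case PebProcessParametersMember.CurrentDirectory:
             return isTargetProc64Bit ? 0x38 : 0x24;
         case PebProcessParametersMember.CommandLine:
             return isTargetProc64Bit ? 0x70 : 0x40;
         default:
             // Name the offending parameter so the failure is attributable from the exception alone.
             throw new ArgumentException("unknown PebProcessParametersMember offset type", "offsetType");
     }
 }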
        /// <summary>
        /// Maps a member of the target's process-parameters block to its byte offset, choosing the
        /// 32- or 64-bit structure layout from <paramref name="isTargetProc64Bit"/>.
        /// </summary>
        /// <param name="offsetType">Member whose offset is wanted.</param>
        /// <param name="isTargetProc64Bit">True for a native 64-bit target process (WOW64 targets count as 32-bit).</param>
        /// <returns>Byte offset of the member from the start of the block.</returns>
        /// <exception cref="ArgumentException">The member is not one this helper knows.</exception>
        private static int GetProcessParametersMemberOffset(PebProcessParametersMember offsetType, bool isTargetProc64Bit)
        {
            if (offsetType == PebProcessParametersMember.CurrentDirectory)
            {
                return isTargetProc64Bit ? 0x38 : 0x24;
            }

            if (offsetType == PebProcessParametersMember.CommandLine)
            {
                return isTargetProc64Bit ? 0x70 : 0x40;
            }

            // Layout offsets are only known for the members above; anything else is a caller error.
            throw new ArgumentException("unknown PebProcessParametersMember offset type");
        }
        /// <summary>
        /// Opens the process identified by <paramref name="processId"/> and reads the requested
        /// process-parameters string through the handle-based overload, closing the handle afterwards.
        /// </summary>
        /// <param name="processId">PID of the process to inspect.</param>
        /// <param name="offsetType">Which process-parameters member to read.</param>
        /// <returns>Whatever the handle-based overload returns for that member.</returns>
        /// <exception cref="Win32Exception">
        /// OpenProcess returned a null handle. The error code comes from the last Win32 error, which
        /// is only meaningful if the OpenProcess P/Invoke is declared with SetLastError = true (not visible here).
        /// </exception>
        private static string GetProcessParametersString(int processId, PebProcessParametersMember offsetType)
        {
            // Request only the rights the reader needs: querying basic information and reading memory.
            IntPtr processHandle = OpenProcess(ProcessAccessFlags.QueryInformation | ProcessAccessFlags.VirtualMemoryRead, false, processId);
            if (processHandle == IntPtr.Zero)
            {
                throw new Win32Exception(Marshal.GetLastWin32Error());
            }

            // The handle is owned here, so it is released on every path, including exceptions
            // thrown by the handle-based overload.
            try
            {
                string member = GetProcessParametersString(processHandle, offsetType);
                return member;
            }
            finally
            {
                CloseHandle(processHandle);
            }
        }
        /// <summary>
        /// Reads one string-valued member of another process's process-parameters block by walking
        /// PEB -> ProcessParameters -> UNICODE_STRING -> character buffer with ReadProcessMemory.
        /// </summary>
        /// <param name="processId">PID of the target process.</param>
        /// <param name="offsetType">Which member to read (offset resolved by GetProcessParametersMemberOffset).</param>
        /// <returns>
        /// The member's text, or null when the UNICODE_STRING has a null buffer or zero length.
        /// Every value used here (PEB pointer chain, lengths, text) is copied out of the target's own
        /// address space, so the result is data the target controls and must not be relied on for
        /// security decisions.
        /// </returns>
        /// <exception cref="Win32Exception">OpenProcess, NtQueryInformationProcess or ReadProcessMemory failed.</exception>
        private static string GetProcessParametersString(int processId, PebProcessParametersMember offsetType)
        {
            IntPtr handle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, false, processId);
            if (handle == IntPtr.Zero)
                throw new Win32Exception(Marshal.GetLastWin32Error());

            try
            {
                // A WOW64 target has a 32-bit PEB even on a 64-bit OS, so structure layouts and
                // offsets must follow the target's bitness rather than the caller's.
                // NOTE(review): the non-WOW64 branch below assumes the caller is 64-bit whenever the
                // target is 64-bit (a 32-bit caller cannot address a 64-bit PEB this way) — confirm.
                bool isTargetWow64Process = Is64BitChecker.IsWow64Process(handle);
                bool isTarget64BitProcess = Environment.Is64BitOperatingSystem && !isTargetWow64Process;

                long processParametersOffset = GetProcessParametersOffset(isTarget64BitProcess);
                long offset = GetProcessParametersMemberOffset(offsetType, isTarget64BitProcess);

                if (isTargetWow64Process)
                {
                    // ProcessWow64Information yields the address of the target's 32-bit PEB.
                    IntPtr peb32 = new IntPtr();

                    // NOTE(review): hr is an NTSTATUS, but Win32Exception(int) formats it as a Win32
                    // error code, so the exception message may be misleading on failure.
                    int hr = NtQueryInformationProcess(handle, (int)PROCESSINFOCLASS.ProcessWow64Information, ref peb32, IntPtr.Size, IntPtr.Zero);
                    if (hr != 0) throw new Win32Exception(hr);
                    long pebAddress = peb32.ToInt64();

                    // PEB.ProcessParameters for a 32-bit target is a 4-byte pointer, yet IntPtr.Size
                    // bytes are read here. NOTE(review): on a 64-bit caller this also pulls in the
                    // following PEB field as the high dword of pp — confirm it is always zero or
                    // read into a 32-bit variable instead.
                    IntPtr pp = new IntPtr();
                    if (!ReadProcessMemory(handle, new IntPtr(pebAddress + processParametersOffset), ref pp, new IntPtr(Marshal.SizeOf(pp)), IntPtr.Zero))
                        throw new Win32Exception(Marshal.GetLastWin32Error());

                    // 32-bit UNICODE_STRING layout (Length, MaximumLength, 32-bit Buffer).
                    UNICODE_STRING_32 us = new UNICODE_STRING_32();
                    if (!ReadProcessMemory(handle, new IntPtr(pp.ToInt64() + offset), ref us, new IntPtr(Marshal.SizeOf(us)), IntPtr.Zero))
                        throw new Win32Exception(Marshal.GetLastWin32Error());

                    // An unset or empty member yields null rather than an empty string.
                    if ((us.Buffer == 0) || (us.Length == 0))
                        return null;

                    // Length is a byte count of UTF-16 text, hence Length / 2 characters. Filling a
                    // managed string through ReadProcessMemory relies on the marshaler passing the
                    // pinned string buffer itself (Unicode charset) — assumption, verify against the
                    // ReadProcessMemory declaration; a char[] buffer would be the conventional choice.
                    string s = new string('\0', us.Length / 2);
                    if (!ReadProcessMemory(handle, new IntPtr(us.Buffer), s, new IntPtr(us.Length), IntPtr.Zero))
                        throw new Win32Exception(Marshal.GetLastWin32Error());

                    return s;
                }
                else
                {
                    // Native PEB address comes from ProcessBasicInformation.
                    PROCESS_BASIC_INFORMATION pbi = new PROCESS_BASIC_INFORMATION();
                    // NOTE(review): as above, hr is an NTSTATUS passed to Win32Exception(int).
                    int hr = NtQueryInformationProcess(handle, (int)PROCESSINFOCLASS.ProcessBasicInformation, ref pbi, Marshal.SizeOf(pbi), IntPtr.Zero);
                    if (hr != 0) throw new Win32Exception(hr);
                    long pebAddress = pbi.PebBaseAddress.ToInt64();

                    // PEB.ProcessParameters: pointer to the process-parameters block.
                    IntPtr pp = new IntPtr();
                    if (!ReadProcessMemory(handle, new IntPtr(pebAddress + processParametersOffset), ref pp, new IntPtr(Marshal.SizeOf(pp)), IntPtr.Zero))
                        throw new Win32Exception(Marshal.GetLastWin32Error());

                    // Native-size UNICODE_STRING (Buffer is a full pointer here).
                    UNICODE_STRING us = new UNICODE_STRING();
                    if (!ReadProcessMemory(handle, new IntPtr((long)pp + offset), ref us, new IntPtr(Marshal.SizeOf(us)), IntPtr.Zero))
                        throw new Win32Exception(Marshal.GetLastWin32Error());

                    // An unset or empty member yields null rather than an empty string.
                    if ((us.Buffer == IntPtr.Zero) || (us.Length == 0))
                        return null;

                    // Same byte-length / string-buffer caveat as in the WOW64 branch.
                    string s = new string('\0', us.Length / 2);
                    if (!ReadProcessMemory(handle, us.Buffer, s, new IntPtr(us.Length), IntPtr.Zero))
                        throw new Win32Exception(Marshal.GetLastWin32Error());

                    return s;
                }
            }
            finally
            {
                // The handle was opened here, so it is closed here on every path.
                CloseHandle(handle);
            }
        }
        /// <summary>
        /// Reads one string-valued member of another process's process-parameters block through an
        /// already-open handle: PEB -> ProcessParameters -> UNICODE_STRING -> character buffer.
        /// The handle stays owned by the caller; this overload never closes it.
        /// </summary>
        /// <param name="processHandle">
        /// Open handle to the target. NOTE(review): a zero handle is reported with
        /// Marshal.GetLastWin32Error(), but nothing in this method set that error — it reflects
        /// whatever the caller did last, so the message may be unrelated.
        /// </param>
        /// <param name="offsetType">Which member to read (offset resolved by GetProcessParametersMemberOffset).</param>
        /// <returns>
        /// The member's text; null when the UNICODE_STRING has a null buffer or zero length; and
        /// String.Empty when any query or read failed with a Win32Exception (the failure is swallowed,
        /// so callers cannot see why — e.g. access denied — only that nothing could be read).
        /// Everything returned is copied out of the target's own address space and is therefore
        /// target-controlled data; do not rely on it for security decisions.
        /// </returns>
        /// <exception cref="Win32Exception">Only for a zero <paramref name="processHandle"/>; read failures are swallowed.</exception>
        private static string GetProcessParametersString(IntPtr processHandle, PebProcessParametersMember offsetType)
        {
            if (processHandle == IntPtr.Zero)
            {
                throw new Win32Exception(Marshal.GetLastWin32Error());
            }

            try
            {
                // A WOW64 target has a 32-bit PEB even on a 64-bit OS, so structure layouts and
                // offsets must follow the target's bitness rather than the caller's.
                // NOTE(review): the non-WOW64 branch below assumes the caller is 64-bit whenever the
                // target is 64-bit (a 32-bit caller cannot address a 64-bit PEB this way) — confirm.
                bool isTargetWow64Process = NativeMethods.Is64BitChecker.IsWow64Process(processHandle);
                bool isTarget64BitProcess = Environment.Is64BitOperatingSystem && !isTargetWow64Process;

                long processParametersOffset = GetProcessParametersOffset(isTarget64BitProcess);
                long offset = GetProcessParametersMemberOffset(offsetType, isTarget64BitProcess);

                if (isTargetWow64Process)
                {
                    // ProcessWow64Information yields the address of the target's 32-bit PEB.
                    IntPtr peb32 = new IntPtr();

                    // NOTE(review): hr is an NTSTATUS, but Win32Exception(int) formats it as a Win32
                    // error code; since the exception is swallowed below this only affects diagnostics.
                    int hr = NtQueryInformationProcess(processHandle, (int)PROCESSINFOCLASS.ProcessWow64Information, ref peb32, IntPtr.Size, IntPtr.Zero);
                    if (hr != 0)
                    {
                        throw new Win32Exception(hr);
                    }

                    long pebAddress = peb32.ToInt64();

                    // PEB.ProcessParameters for a 32-bit target is a 4-byte pointer, yet IntPtr.Size
                    // bytes are read here. NOTE(review): on a 64-bit caller this also pulls in the
                    // following PEB field as the high dword of pp — confirm it is always zero or
                    // read into a 32-bit variable instead.
                    IntPtr pp = new IntPtr();
                    if (!ReadProcessMemory(processHandle, new IntPtr(pebAddress + processParametersOffset), ref pp, new IntPtr(Marshal.SizeOf(pp)), IntPtr.Zero))
                    {
                        throw new Win32Exception(Marshal.GetLastWin32Error());
                    }

                    // 32-bit UNICODE_STRING layout (Length, MaximumLength, 32-bit Buffer).
                    UNICODE_STRING_32 us = new UNICODE_STRING_32();
                    if (!ReadProcessMemory(processHandle, new IntPtr(pp.ToInt64() + offset), ref us, new IntPtr(Marshal.SizeOf(us)), IntPtr.Zero))
                    {
                        throw new Win32Exception(Marshal.GetLastWin32Error());
                    }

                    // An unset or empty member yields null; this is distinct from the String.Empty
                    // returned by the catch block on failure.
                    if (us.Buffer == 0 || us.Length == 0)
                    {
                        return(null);
                    }

                    // Length is a byte count of UTF-16 text, hence Length / 2 characters. Filling a
                    // managed string through ReadProcessMemory relies on the marshaler passing the
                    // pinned string buffer itself (Unicode charset) — assumption, verify against the
                    // ReadProcessMemory declaration; a char[] buffer would be the conventional choice.
                    string s = new string('\0', us.Length / 2);
                    if (!ReadProcessMemory(processHandle, new IntPtr(us.Buffer), s, new IntPtr(us.Length), IntPtr.Zero))
                    {
                        throw new Win32Exception(Marshal.GetLastWin32Error());
                    }

                    return(s);
                }
                else
                {
                    // Native PEB address comes from ProcessBasicInformation.
                    PROCESS_BASIC_INFORMATION pbi = new PROCESS_BASIC_INFORMATION();
                    // NOTE(review): as above, hr is an NTSTATUS passed to Win32Exception(int).
                    int hr = NtQueryInformationProcess(processHandle, (int)PROCESSINFOCLASS.ProcessBasicInformation, ref pbi, Marshal.SizeOf(pbi), IntPtr.Zero);
                    if (hr != 0)
                    {
                        throw new Win32Exception(hr);
                    }

                    long pebAddress = pbi.PebBaseAddress.ToInt64();

                    // PEB.ProcessParameters: pointer to the process-parameters block.
                    IntPtr pp = new IntPtr();
                    if (!ReadProcessMemory(processHandle, new IntPtr(pebAddress + processParametersOffset), ref pp, new IntPtr(Marshal.SizeOf(pp)), IntPtr.Zero))
                    {
                        throw new Win32Exception(Marshal.GetLastWin32Error());
                    }

                    // Native-size UNICODE_STRING (Buffer is a full pointer here).
                    UNICODE_STRING us = new UNICODE_STRING();
                    if (!ReadProcessMemory(processHandle, new IntPtr((long)pp + offset), ref us, new IntPtr(Marshal.SizeOf(us)), IntPtr.Zero))
                    {
                        throw new Win32Exception(Marshal.GetLastWin32Error());
                    }

                    // An unset or empty member yields null; failures below become String.Empty.
                    if (us.Buffer == IntPtr.Zero || us.Length == 0)
                    {
                        return(null);
                    }

                    // Same byte-length / string-buffer caveat as in the WOW64 branch.
                    string s = new string('\0', us.Length / 2);
                    if (!ReadProcessMemory(processHandle, us.Buffer, s, new IntPtr(us.Length), IntPtr.Zero))
                    {
                        throw new Win32Exception(Marshal.GetLastWin32Error());
                    }

                    return(s);
                }
            }
            catch (Win32Exception)
            {
                // Best-effort read: any query/read failure (e.g. insufficient access to a protected
                // process) is collapsed into an empty string and the error code is discarded.
                // NOTE(review): consider logging the error before returning so access-denied
                // conditions remain visible to operators.
                return(String.Empty);
            }
        }