// Reads native process info from a 64/32-bit process in the case where the target architecture
// of this process is the same as that of the target process.
private bool LoadProcessInfoNative(SafeProcessHandle handle, ProcessAccessFlags flags)
{
ProcessBasicInformation basicInfo = new ProcessBasicInformation();
int size;
int status = NativeMethods.NtQueryInformationProcess(
handle,
ProcessInfoClass.BasicInformation,
ref basicInfo,
MarshalUtility.UnmanagedStructSize <ProcessBasicInformation>(),
out size);
_parentProcessId = basicInfo.ParentProcessId.ToInt32();
// If we can't load the ProcessBasicInfo, then we can't really do anything.
if (status != NtStatus.Success || basicInfo.PebBaseAddress == IntPtr.Zero)
{
return(false);
}
if (flags.HasFlag(ProcessAccessFlags.VmRead))
{
// Follows a pointer from the PROCESS_BASIC_INFORMATION structure in the target process's
// address space to read the PEB.
Peb peb = MarshalUtility.ReadUnmanagedStructFromProcess <Peb>(
handle,
basicInfo.PebBaseAddress);
_isBeingDebugged = peb.IsBeingDebugged;
if (peb.ProcessParameters != IntPtr.Zero)
{
// Follows a pointer from the PEB structure in the target process's address space to read
// the RTL_USER_PROCESS_PARAMS.
RtlUserProcessParameters processParameters = new RtlUserProcessParameters();
processParameters = MarshalUtility.ReadUnmanagedStructFromProcess <RtlUserProcessParameters>(
handle,
peb.ProcessParameters);
_commandLine = MarshalUtility.ReadStringUniFromProcess(
handle,
processParameters.CommandLine.Buffer,
processParameters.CommandLine.Length / 2);
}
}
return(true);
}
// Reads native process info from a 64/32-bit process in the case where the target architecture
// of this process is the same as that of the target process.
private bool LoadProcessInfoNative(SafeProcessHandle handle, ProcessAccessFlags flags) {
ProcessBasicInformation basicInfo = new ProcessBasicInformation();
int size;
int status = NativeMethods.NtQueryInformationProcess(
handle,
ProcessInfoClass.BasicInformation,
ref basicInfo,
MarshalUtility.UnmanagedStructSize<ProcessBasicInformation>(),
out size);
_parentProcessId = basicInfo.ParentProcessId.ToInt32();
// If we can't load the ProcessBasicInfo, then we can't really do anything.
if (status != NtStatus.Success || basicInfo.PebBaseAddress == IntPtr.Zero)
return false;
if (flags.HasFlag(ProcessAccessFlags.VmRead)) {
// Follows a pointer from the PROCESS_BASIC_INFORMATION structure in the target process's
// address space to read the PEB.
Peb peb = MarshalUtility.ReadUnmanagedStructFromProcess<Peb>(
handle,
basicInfo.PebBaseAddress);
_isBeingDebugged = peb.IsBeingDebugged;
if (peb.ProcessParameters != IntPtr.Zero) {
// Follows a pointer from the PEB structure in the target process's address space to read
// the RTL_USER_PROCESS_PARAMS.
RtlUserProcessParameters processParameters = new RtlUserProcessParameters();
processParameters = MarshalUtility.ReadUnmanagedStructFromProcess<RtlUserProcessParameters>(
handle,
peb.ProcessParameters);
_commandLine = MarshalUtility.ReadStringUniFromProcess(
handle,
processParameters.CommandLine.Buffer,
processParameters.CommandLine.Length / 2);
}
}
return true;
}
// Reads native process info from a 64-bit process in the case where this function is executing
// in a 32-bit process.
private bool LoadProcessInfoWow64(SafeProcessHandle handle, ProcessAccessFlags flags)
{
ulong pebSize = (ulong)MarshalUtility.UnmanagedStructSize<PebWow64>();
ulong processParamsSize =
(ulong)MarshalUtility.UnmanagedStructSize<RtlUserProcessParametersWow64>();
// Read PROCESS_BASIC_INFORMATION up to and including the pointer to PEB structure.
int processInfoSize =
MarshalUtility.UnmanagedStructSize<ProcessBasicInformationWow64>();
ProcessBasicInformationWow64 pbi = new ProcessBasicInformationWow64();
int result = NativeMethods.NtWow64QueryInformationProcess64(
handle,
ProcessInfoClass.BasicInformation,
ref pbi,
processInfoSize,
out processInfoSize);
if (result != 0)
return false;
_parentProcessId = (int)pbi.ParentProcessId;
Debug.Assert((int)pbi.UniqueProcessId == _processId);
if (flags.HasFlag(ProcessAccessFlags.VmRead)) {
IntPtr pebBuffer = IntPtr.Zero;
IntPtr processParametersBuffer = IntPtr.Zero;
IntPtr commandLineBuffer = IntPtr.Zero;
try {
pebBuffer = Marshal.AllocHGlobal((int)pebSize);
// Read PEB up to and including the pointer to RTL_USER_PROCESS_PARAMETERS
// structure.
result = NativeMethods.NtWow64ReadVirtualMemory64(
handle,
pbi.PebBaseAddress,
pebBuffer,
pebSize,
out pebSize);
if (result != 0)
return false;
PebWow64 peb = (PebWow64)Marshal.PtrToStructure(pebBuffer, typeof(PebWow64));
_isBeingDebugged = peb.IsBeingDebugged;
processParametersBuffer = Marshal.AllocHGlobal((int)processParamsSize);
result = NativeMethods.NtWow64ReadVirtualMemory64(
handle,
peb.ProcessParameters,
processParametersBuffer,
processParamsSize,
out processParamsSize);
if (result != 0)
return false;
RtlUserProcessParametersWow64 processParameters = (RtlUserProcessParametersWow64)
Marshal.PtrToStructure(
processParametersBuffer,
typeof(RtlUserProcessParametersWow64));
ulong commandLineBufferSize = (ulong)processParameters.CommandLine.MaximumLength;
commandLineBuffer = Marshal.AllocHGlobal((int)commandLineBufferSize);
result = NativeMethods.NtWow64ReadVirtualMemory64(
handle,
processParameters.CommandLine.Buffer,
commandLineBuffer,
commandLineBufferSize,
out commandLineBufferSize);
if (result != 0)
return false;
_commandLine = Marshal.PtrToStringUni(commandLineBuffer);
} finally {
if (pebBuffer != IntPtr.Zero)
Marshal.FreeHGlobal(pebBuffer);
if (commandLineBuffer != IntPtr.Zero)
Marshal.FreeHGlobal(commandLineBuffer);
if (processParametersBuffer != IntPtr.Zero)
Marshal.FreeHGlobal(processParametersBuffer);
}
}
return true;
}
// Reads native process info from a 64-bit process in the case where this function is executing
// in a 32-bit process.
private bool LoadProcessInfoWow64(SafeProcessHandle handle, ProcessAccessFlags flags)
{
ulong pebSize = (ulong)MarshalUtility.UnmanagedStructSize <PebWow64>();
ulong processParamsSize =
(ulong)MarshalUtility.UnmanagedStructSize <RtlUserProcessParametersWow64>();
// Read PROCESS_BASIC_INFORMATION up to and including the pointer to PEB structure.
int processInfoSize =
MarshalUtility.UnmanagedStructSize <ProcessBasicInformationWow64>();
ProcessBasicInformationWow64 pbi = new ProcessBasicInformationWow64();
int result = NativeMethods.NtWow64QueryInformationProcess64(
handle,
ProcessInfoClass.BasicInformation,
ref pbi,
processInfoSize,
out processInfoSize);
if (result != 0)
{
return(false);
}
_parentProcessId = (int)pbi.ParentProcessId;
Debug.Assert((int)pbi.UniqueProcessId == _processId);
if (flags.HasFlag(ProcessAccessFlags.VmRead))
{
IntPtr pebBuffer = IntPtr.Zero;
IntPtr processParametersBuffer = IntPtr.Zero;
IntPtr commandLineBuffer = IntPtr.Zero;
try {
pebBuffer = Marshal.AllocHGlobal((int)pebSize);
// Read PEB up to and including the pointer to RTL_USER_PROCESS_PARAMETERS
// structure.
result = NativeMethods.NtWow64ReadVirtualMemory64(
handle,
pbi.PebBaseAddress,
pebBuffer,
pebSize,
out pebSize);
if (result != 0)
{
return(false);
}
PebWow64 peb = (PebWow64)Marshal.PtrToStructure(pebBuffer, typeof(PebWow64));
_isBeingDebugged = peb.IsBeingDebugged;
processParametersBuffer = Marshal.AllocHGlobal((int)processParamsSize);
result = NativeMethods.NtWow64ReadVirtualMemory64(
handle,
peb.ProcessParameters,
processParametersBuffer,
processParamsSize,
out processParamsSize);
if (result != 0)
{
return(false);
}
RtlUserProcessParametersWow64 processParameters = (RtlUserProcessParametersWow64)
Marshal.PtrToStructure(
processParametersBuffer,
typeof(RtlUserProcessParametersWow64));
ulong commandLineBufferSize = (ulong)processParameters.CommandLine.MaximumLength;
commandLineBuffer = Marshal.AllocHGlobal((int)commandLineBufferSize);
result = NativeMethods.NtWow64ReadVirtualMemory64(
handle,
processParameters.CommandLine.Buffer,
commandLineBuffer,
commandLineBufferSize,
out commandLineBufferSize);
if (result != 0)
{
return(false);
}
_commandLine = Marshal.PtrToStringUni(commandLineBuffer);
} finally {
if (pebBuffer != IntPtr.Zero)
{
Marshal.FreeHGlobal(pebBuffer);
}
if (commandLineBuffer != IntPtr.Zero)
{
Marshal.FreeHGlobal(commandLineBuffer);
}
if (processParametersBuffer != IntPtr.Zero)
{
Marshal.FreeHGlobal(processParametersBuffer);
}
}
}
return(true);
}
