/// <summary> /// Constructor from an manged buffer. /// </summary> /// <param name="sid">A buffer containing a valid SID.</param> /// <exception cref="NtException">Thrown if the buffer is not valid.</exception> public Sid(byte[] sid) { using (SafeHGlobalBuffer buffer = new SafeHGlobalBuffer(sid)) { InitializeFromPointer(buffer.DangerousGetHandle()).ToNtException(); } }
/// <summary> /// Constructor /// </summary> /// <param name="acl">Buffer containing an ACL in memory</param> /// <param name="defaulted">True if the ACL was defaulted</param> public Acl(byte[] acl, bool defaulted) { using (var buffer = new SafeHGlobalBuffer(acl)) { InitializeFromPointer(buffer.DangerousGetHandle(), defaulted); } }
private NtResult <IContext> GetAmd64Context(ContextFlags flags, bool throw_on_error) { var context = new ContextAmd64 { ContextFlags = flags }; // Buffer needs to be 16 bytes aligned, so allocate some extract space in case. using (var buffer = new SafeHGlobalBuffer(Marshal.SizeOf(context) + 16)) { int write_ofs = 0; long ptr = buffer.DangerousGetHandle().ToInt64(); // Almost certainly 16 byte aligned, but just in case. if ((ptr & 0xF) != 0) { write_ofs = (int)(0x10 - (ptr & 0xF)); } Marshal.StructureToPtr(context, buffer.DangerousGetHandle() + write_ofs, false); var sbuffer = buffer.GetStructAtOffset <ContextAmd64>(write_ofs); return(NtSystemCalls.NtGetContextThread(Handle, sbuffer).CreateResult(throw_on_error, () => sbuffer.Result).Cast <IContext>()); } }
private IContext GetAmd64Context(ContextFlags flags) { var context = new ContextAmd64(); context.ContextFlags = flags; // Buffer needs to be 16 bytes aligned, so allocate some extract space in case. using (var buffer = new SafeHGlobalBuffer(Marshal.SizeOf(context) + 16)) { int write_ofs = 0; long ptr = buffer.DangerousGetHandle().ToInt64(); // Almost certainly 8 byte aligned, but just in case. if ((ptr & 0xF) != 0) { write_ofs = (int)(0x10 - (ptr & 0xF)); } Marshal.StructureToPtr(context, buffer.DangerousGetHandle() + write_ofs, false); var sbuffer = buffer.GetStructAtOffset <ContextAmd64>(write_ofs); NtSystemCalls.NtGetContextThread(Handle, sbuffer).ToNtException(); return(sbuffer.Result); } }
/// <summary> /// Read structured memory array from a process. /// </summary> /// <param name="process">The process to read from.</param> /// <param name="base_address">The base address in the process.</param> /// <param name="count">The number of elements in the array to read.</param> /// <returns>The read structure.</returns> /// <exception cref="NtException">Thrown on error.</exception> /// <typeparam name="T">Type of structure to read.</typeparam> public static T[] ReadMemoryArray <T>(SafeKernelObjectHandle process, long base_address, int count) where T : new() { int element_size = Marshal.SizeOf(typeof(T)); using (var buffer = new SafeHGlobalBuffer(element_size * count)) { NtSystemCalls.NtReadVirtualMemory(process, new IntPtr(base_address), buffer, buffer.Length, out int return_length).ToNtException(); if (return_length != buffer.Length) { throw new NtException(NtStatus.STATUS_PARTIAL_COPY); } T[] result = new T[count]; for (int i = 0; i < count; ++i) { int offset = i * element_size; result[i] = (T)Marshal.PtrToStructure(buffer.DangerousGetHandle() + offset, typeof(T)); } return(result); } }
/// <summary> /// Get a list of handles /// </summary> /// <param name="pid">A process ID to filter on. If -1 will get all handles</param> /// <param name="allow_query">True to allow the handles returned to query for certain properties</param> /// <returns>The list of handles</returns> public static IEnumerable <NtHandle> GetHandles(int pid, bool allow_query) { SafeHGlobalBuffer handleInfo = new SafeHGlobalBuffer(0x10000); try { NtStatus status = 0; int return_length = 0; while ((status = NtSystemCalls.NtQuerySystemInformation(SystemInformationClass.SystemHandleInformation, handleInfo.DangerousGetHandle(), handleInfo.Length, out return_length)) == NtStatus.STATUS_INFO_LENGTH_MISMATCH) { int length = handleInfo.Length * 2; handleInfo.Close(); handleInfo = new SafeHGlobalBuffer(length); } status.ToNtException(); IntPtr handleInfoBuf = handleInfo.DangerousGetHandle(); int handle_count = Marshal.ReadInt32(handleInfoBuf); List <NtHandle> ret = new List <NtHandle>(); handleInfoBuf += IntPtr.Size; for (int i = 0; i < handle_count; ++i) { SystemHandleTableInfoEntry entry = (SystemHandleTableInfoEntry)Marshal.PtrToStructure(handleInfoBuf, typeof(SystemHandleTableInfoEntry)); if (pid == -1 || entry.UniqueProcessId == pid) { ret.Add(new NtHandle(entry, allow_query)); } handleInfoBuf += Marshal.SizeOf(typeof(SystemHandleTableInfoEntry)); } return(ret); } finally { handleInfo.Close(); } }