/// <summary>
/// Opens a handle to <paramref name="p"/> and starts a thread inside that process at
/// <paramref name="address"/>, choosing the creation routine by OS major version.
/// </summary>
/// <param name="p">Process in which the thread is created.</param>
/// <param name="address">Start address handed to the thread-creation routine.</param>
/// <param name="param">Argument handed to the thread-creation routine.</param>
/// <param name="flags">Creation flags; only forwarded on the pre-version-6 path.</param>
/// <returns>The value returned by the selected thread-creation routine.</returns>
/// <remarks>
/// The process handle is closed before this method returns, whether or not thread creation succeeded.
/// NOTE(review): the handle is requested with VMOperation, VMRead and VMWrite in addition to
/// CreateThread and QueryInformation. Whether the two creation routines need all of these is not
/// visible from here; trim the mask to the minimum they require.
/// </remarks>
public static IntPtr CreateRemoteThread(Process p, IntPtr address, IntPtr param, CreateThreadFlags flags)
{
    ProcessAccessFlags desiredAccess =
        ProcessAccessFlags.CreateThread
        | ProcessAccessFlags.QueryInformation
        | ProcessAccessFlags.VMOperation
        | ProcessAccessFlags.VMRead
        | ProcessAccessFlags.VMWrite;

    IntPtr processHandle = GetProcessHandle(p, desiredAccess);
    try
    {
        // Versions below 6 use the overload that takes the creation flags.
        if (Environment.OSVersion.Version.Major < 6)
        {
            return CreateRemoteThread(address, param, flags, processHandle);
        }

        // Version 6 and later go through the NTDll wrapper; 'flags' is not used on this path.
        return NTDll.CreateRemoteThread(address, param, processHandle);
    }
    finally
    {
        CloseProcessHandle(processHandle);
    }
}
/// <summary>
/// Reports whether the parent process id recorded for <paramref name="child"/> equals the id of
/// <paramref name="parent"/>.
/// </summary>
/// <param name="parent">Candidate parent process.</param>
/// <param name="child">Process whose basic information is queried.</param>
/// <returns>
/// <c>true</c> when the ids match; <c>false</c> when they differ or when any exception is thrown
/// while querying or comparing.
/// </returns>
/// <remarks>
/// NOTE(review): the return value of NtQueryInformationProcess is discarded, so a failed query is
/// compared as if it had filled the structure; confirm the declaration and check the status.
/// NOTE(review): this is an id comparison only. Process ids are reused by the OS and the recorded
/// parent id is fixed at creation time, so a match does not by itself prove that
/// <paramref name="parent"/> created <paramref name="child"/>. Callers that make a trust decision
/// on this result should also compare process start times.
/// </remarks>
public static bool ProcessIsChildOf(Process parent, Process child)
{
    PROCESS_BASIC_INFORMATION basicInfo = new PROCESS_BASIC_INFORMATION();
    try
    {
        uint bytesReturned;

        // Information class 0 is passed as in the original call; the out length is not used afterwards.
        NTDll.NtQueryInformationProcess(
            child.Handle,
            0,
            ref basicInfo,
            (uint)Marshal.SizeOf((object)basicInfo),
            out bytesReturned);

        return (long)basicInfo.InheritedFromUniqueProcessId == (long)parent.Id;
    }
    catch
    {
        // Best-effort check: any failure (e.g. an inaccessible or exited process) counts as "not a child".
        return false;
    }
}
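/// <summary>
/// Creates a thread in the process identified by <paramref name="handle"/> by calling
/// <c>NTDll.NtCreateThreadEx</c> with a populated <c>NtCreateThreadExBuffer</c>.
/// </summary>
/// <param name="address">Start address passed to NtCreateThreadEx.</param>
/// <param name="param">Argument passed to NtCreateThreadEx.</param>
/// <param name="handle">Process handle passed to NtCreateThreadEx; not closed by this method.</param>
/// <returns>The thread handle written by NtCreateThreadEx. It is not closed here.</returns>
/// <exception cref="Win32Exception">Thrown when no thread handle is returned.</exception>
/// <remarks>
/// The two unmanaged scratch buffers referenced by the structure are now released before returning;
/// previously both <c>Marshal.AllocHGlobal</c> allocations leaked on every call.
/// NOTE(review): 2097151 is 0x1FFFFF, presumably a full-access thread mask; confirm, and request
/// only the rights the caller needs.
/// NOTE(review): Unknown2 (8) and Unknown6 (4) look like byte counts for the buffers in Unknown3
/// and Unknown7, yet both buffers are 4 bytes. Confirm against the structure definition that the
/// callee cannot write past the allocations.
/// NOTE(review): the return value of NtCreateThreadEx is discarded and the failure path reads
/// Marshal.GetLastWin32Error(). That value is only meaningful if the P/Invoke declaration (not
/// visible here) records it, so the exception may carry an unrelated error code.
/// </remarks>
public static IntPtr CreateRemoteThread(IntPtr address, IntPtr param, IntPtr handle)
{
    IntPtr scratchA = IntPtr.Zero;
    IntPtr scratchB = IntPtr.Zero;
    try
    {
        // Keep our own copies of the pointers: the structure is passed as 'out', so its fields
        // cannot be relied on to still hold the original allocations after the call.
        scratchA = Marshal.AllocHGlobal(4);
        scratchB = Marshal.AllocHGlobal(4);

        NTDll.NtCreateThreadExBuffer outlpvBytesBuffer = new NTDll.NtCreateThreadExBuffer();
        outlpvBytesBuffer.Size = Marshal.SizeOf((object)outlpvBytesBuffer);
        outlpvBytesBuffer.Unknown1 = 65539UL;
        outlpvBytesBuffer.Unknown2 = 8UL;
        outlpvBytesBuffer.Unknown3 = scratchA;
        outlpvBytesBuffer.Unknown4 = 0UL;
        outlpvBytesBuffer.Unknown5 = 65540UL;
        outlpvBytesBuffer.Unknown6 = 4UL;
        outlpvBytesBuffer.Unknown7 = scratchB;
        outlpvBytesBuffer.Unknown8 = 0UL;

        IntPtr outhThread = IntPtr.Zero;
        NTDll.NtCreateThreadEx(out outhThread, 2097151, IntPtr.Zero, handle, address, param, false, 0UL, 0UL, 0UL, out outlpvBytesBuffer);

        if (outhThread == IntPtr.Zero)
        {
            // The error code is read here, before the finally block frees the buffers.
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }

        return outhThread;
    }
    finally
    {
        if (scratchB != IntPtr.Zero)
        {
            Marshal.FreeHGlobal(scratchB);
        }

        if (scratchA != IntPtr.Zero)
        {
            Marshal.FreeHGlobal(scratchA);
        }
    }
}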