        /// <summary>
        /// Queries the driver for a UNICODE_STRING-valued information class and
        /// returns its contents as a managed string.
        /// </summary>
        /// <param name="infoClass">The driver information class to query.</param>
        /// <returns>The string the returned UNICODE_STRING refers to.</returns>
        private string GetInformationUnicodeString(DriverInformationClass infoClass)
        {
            using (MemoryAlloc buffer = new MemoryAlloc(0x1000))
            {
                int requiredLength = 0;

                try
                {
                    // First attempt with a page-sized buffer.
                    KProcessHacker.Instance.KphQueryInformationDriver(this, infoClass, buffer, buffer.Size, out requiredLength);
                }
                catch (WindowsException)
                {
                    // Retry once with the length the first call reported.
                    // NOTE(review): every WindowsException triggers this retry, not only a
                    // buffer-too-small failure; if the callee threw before assigning the out
                    // parameter, requiredLength is still 0 and the retry's exception propagates.
                    buffer.ResizeNew(requiredLength);
                    KProcessHacker.Instance.KphQueryInformationDriver(this, infoClass, buffer, buffer.Size, out requiredLength);
                }

                UnicodeString result = buffer.ReadStruct <UnicodeString>();

                return(result.Read());
            }
        }
 /// <summary>
 /// Reads the referenced memory into a temporary allocation and marshals
 /// the bytes at its start as a <typeparamref name="T"/>.
 /// </summary>
 /// <typeparam name="T">The structure type to marshal.</typeparam>
 /// <returns>The structure found at the beginning of the read memory.</returns>
 public T Read <T>() where T : struct
 {
     T value;

     // The temporary copy is released as soon as the struct has been marshaled out.
     using (MemoryAlloc copy = this.Read())
     {
         value = copy.ReadStruct <T>();
     }

     return(value);
 }
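        /// <summary>
        /// Gets the device name behind the given handle via the mount device
        /// query IOCTL (IoCtlQueryDeviceName).
        /// </summary>
        /// <param name="fhandle">An open handle to the device.</param>
        /// <returns>The device name reported by the driver.</returns>
        public static string GetDeviceName(FileHandle fhandle)
        {
            using (MemoryAlloc data = new MemoryAlloc(600))
            {
                fhandle.IoControl(IoCtlQueryDeviceName, IntPtr.Zero, 0, data, data.Size);

                MountDevName name = data.ReadStruct <MountDevName>();

                // NameLength is a driver-supplied byte count and the output buffer is a
                // fixed 600 bytes. Bound the read by the memory we own instead of trusting
                // the reported length (whether IoControl surfaces STATUS_BUFFER_OVERFLOW as
                // an exception is not visible here - TODO confirm).
                if (MountDevName.NameOffset + name.NameLength > data.Size)
                {
                    Win32.Throw(NtStatus.BufferTooSmall);
                }

                // NameLength is in bytes; ReadUnicodeString takes a character count.
                return(data.ReadUnicodeString(MountDevName.NameOffset, name.NameLength / 2));
            }
        }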
        /// <summary>
        /// Gets the service's configuration.
        /// </summary>
        /// <summary>
        /// Gets the service's configuration.
        /// </summary>
        /// <returns>The marshaled QueryServiceConfig for this service.</returns>
        /// <remarks>
        /// Standard two-call pattern: a zero-length probe to learn the required size,
        /// then the real query into a buffer of exactly that size.
        /// </remarks>
        public QueryServiceConfig GetConfig()
        {
            int needed = 0;

            // Size probe; its failure is expected and only serves to set 'needed'.
            Win32.QueryServiceConfig(this, IntPtr.Zero, 0, out needed);

            using (MemoryAlloc buffer = new MemoryAlloc(needed))
            {
                bool ok = Win32.QueryServiceConfig(this, buffer, buffer.Size, out needed);

                if (!ok)
                {
                    Win32.ThrowLastError();
                }

                // NOTE(review): 'buffer' is freed on return; if QueryServiceConfig keeps raw
                // pointers into it rather than marshaled strings, they dangle - confirm
                // against the struct definition.
                return(buffer.ReadStruct <QueryServiceConfig>());
            }
        }
        /// <summary>
        /// Gets the service's description.
        /// </summary>
        /// <returns>A string.</returns>
        /// <summary>
        /// Gets the service's description.
        /// </summary>
        /// <returns>A string.</returns>
        public string GetDescription()
        {
            int needed;

            // Size probe: expected to fail and report the required buffer length.
            Win32.QueryServiceConfig2(this, ServiceInfoLevel.Description, IntPtr.Zero, 0, out needed);

            using (MemoryAlloc buffer = new MemoryAlloc(needed))
            {
                // The buffer was sized from the probe, so 'needed' equals buffer.Size here.
                bool ok = Win32.QueryServiceConfig2(this, ServiceInfoLevel.Description, buffer, needed, out needed);

                if (!ok)
                {
                    Win32.ThrowLastError();
                }

                ServiceDescription description = buffer.ReadStruct <ServiceDescription>();

                return(description.Description);
            }
        }
        /// <summary>
        /// Gets the token's user.
        /// </summary>
        /// <returns>A WindowsSID instance.</returns>
        /// <summary>
        /// Gets the token's user.
        /// </summary>
        /// <returns>A WindowsSID instance.</returns>
        public Sid GetUser()
        {
            int needed;

            // Probe for the required buffer size; this call is expected to fail.
            Win32.GetTokenInformation(this, TokenInformationClass.TokenUser, IntPtr.Zero, 0, out needed);

            using (MemoryAlloc buffer = new MemoryAlloc(needed))
            {
                bool ok = Win32.GetTokenInformation(
                    this.Handle,
                    TokenInformationClass.TokenUser,
                    buffer,
                    buffer.Size,
                    out needed
                    );

                if (!ok)
                {
                    Win32.Throw();
                }

                TokenUser tokenUser = buffer.ReadStruct <TokenUser>();

                // The SID pointer refers into 'buffer', which is freed on return;
                // assumes the Sid constructor copies it - TODO confirm.
                return(new Sid(tokenUser.User.Sid, tokenUser.User.Attributes));
            }
        }
        /// <summary>
        /// Queries a job object information class into a buffer sized for
        /// <typeparamref name="T"/> and marshals the result.
        /// </summary>
        /// <typeparam name="T">The structure to read back.</typeparam>
        /// <param name="informationClass">The information class to query.</param>
        /// <returns>The queried structure.</returns>
        private T QueryStruct <T>(JobObjectInformationClass informationClass)
            where T : struct
        {
            int needed;
            int initialSize = Marshal.SizeOf(typeof(T));

            using (MemoryAlloc buffer = new MemoryAlloc(initialSize))
            {
                bool ok = Win32.QueryInformationJobObject(this, informationClass, buffer, buffer.Size, out needed);

                if (!ok)
                {
                    // Grow to the reported length and try exactly once more.
                    buffer.Resize(needed);
                    ok = Win32.QueryInformationJobObject(this, informationClass, buffer, buffer.Size, out needed);

                    if (!ok)
                    {
                        Win32.ThrowLastError();
                    }
                }

                return(buffer.ReadStruct <T>());
            }
        }
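        /// <summary>
        /// Reads the substitute name (target) of a mount point reparse point
        /// through FsCtlGetReparsePoint.
        /// </summary>
        /// <param name="fhandle">A handle opened on the reparse point.</param>
        /// <returns>The substitute name stored in the reparse data.</returns>
        /// <remarks>
        /// Throws (via Win32.Throw) when the reparse tag is not a mount point or when
        /// the reparse data describes a name lying outside the returned buffer.
        /// </remarks>
        private static string GetReparsePointTarget(FileHandle fhandle)
        {
            using (MemoryAlloc data = new MemoryAlloc(FileSystem.MaximumReparseDataBufferSize))
            {
                fhandle.IoControl(FileSystem.FsCtlGetReparsePoint, IntPtr.Zero, 0, data, data.Size);

                FileSystem.ReparseDataBuffer buffer = data.ReadStruct <FileSystem.ReparseDataBuffer>();

                // Make sure it is in fact a mount point.
                if (buffer.ReparseTag != (uint)IoReparseTag.MountPoint)
                {
                    Win32.Throw(NtStatus.InvalidParameter);
                }

                int nameOffset = FileSystem.ReparseDataBuffer.MountPointPathBuffer + buffer.SubstituteNameOffset;

                // Offset and byte length come from the on-disk reparse data; bound them
                // by the buffer we actually own before dereferencing.
                if (nameOffset < 0 || nameOffset + buffer.SubstituteNameLength > data.Size)
                {
                    Win32.Throw(NtStatus.InvalidParameter);
                }

                // SubstituteNameLength is in bytes; ReadUnicodeString takes characters.
                return(data.ReadUnicodeString(nameOffset, buffer.SubstituteNameLength / 2));
            }
        }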
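        /// <summary>
        /// Gets the log file path of this transaction manager
        /// (TransactionManagerLogPathInformation).
        /// </summary>
        /// <returns>The log path as a managed string.</returns>
        public string GetLogFileName()
        {
            NtStatus status;
            int      retLength;

            using (var data = new MemoryAlloc(0x1000))
            {
                status = Win32.NtQueryInformationTransactionManager(
                    this,
                    TmInformationClass.TransactionManagerLogPathInformation,
                    data,
                    data.Size,
                    out retLength
                    );

                if (status == NtStatus.BufferTooSmall)
                {
                    // Resize the buffer to the length the kernel asked for and try again.
                    data.ResizeNew(retLength);

                    status = Win32.NtQueryInformationTransactionManager(
                        this,
                        TmInformationClass.TransactionManagerLogPathInformation,
                        data,
                        data.Size,
                        out retLength
                        );
                }

                if (status >= NtStatus.Error)
                {
                    Win32.Throw(status);
                }

                TmLogPathInformation logPathInfo = data.ReadStruct <TmLogPathInformation>();

                // LogPathLength is the byte length of the LogPath array in the native
                // TRANSACTIONMANAGER_LOGPATH_INFORMATION. Never read past the buffer we
                // own, whatever length is reported.
                if (TmLogPathInformation.LogPathOffset + logPathInfo.LogPathLength > data.Size)
                {
                    Win32.Throw(NtStatus.BufferTooSmall);
                }

                // ReadUnicodeString takes a character count, so halve the byte length as
                // the other UNICODE-name readers in this codebase do. Verify against the
                // managed struct definition if LogPathLength is declared differently there.
                return(data.ReadUnicodeString(TmLogPathInformation.LogPathOffset, logPathInfo.LogPathLength / 2));
            }
        }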
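        /// <summary>
        /// Queries a job object information class into a buffer of the given
        /// initial size and marshals the result as <typeparamref name="T"/>.
        /// </summary>
        /// <typeparam name="T">The structure type to read back.</typeparam>
        /// <param name="informationClass">The information class to query.</param>
        /// <param name="size">Initial buffer size in bytes; grown once to the length
        /// the API reports if the first query fails.</param>
        /// <returns>The queried structure.</returns>
        private T QueryStruct <T>(JobObjectInformationClass informationClass, int size) where T : struct
        {
            int retLength;

            using (MemoryAlloc data = new MemoryAlloc(size))
            {
                // One query only: a duplicated leading call whose result and
                // last-error were discarded has been removed.
                if (!Win32.QueryInformationJobObject(this, informationClass, data, data.Size, out retLength))
                {
                    // Retry once with the length reported by the failed call.
                    data.ResizeNew(retLength);

                    if (!Win32.QueryInformationJobObject(this, informationClass, data, data.Size, out retLength))
                    {
                        Win32.Throw();
                    }
                }

                return(data.ReadStruct <T>());
            }
        }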
        /// <summary>
        /// Peeks at the data waiting in the pipe (FsCtlPeek) without consuming it.
        /// </summary>
        /// <param name="buffer">Destination for the peeked bytes, or IntPtr.Zero to
        /// query only the counts.</param>
        /// <param name="length">Maximum number of data bytes to peek.</param>
        /// <param name="bytesAvailable">Receives the number of bytes available to read.</param>
        /// <param name="bytesLeftInMessage">Receives the bytes of the current message
        /// not returned by this call.</param>
        /// <returns>The number of data bytes returned by the peek.</returns>
        public int Peek(IntPtr buffer, int length, out int bytesAvailable, out int bytesLeftInMessage)
        {
            int headerSize = FilePipePeekBuffer.DataOffset;

            using (var peekBuffer = new MemoryAlloc(headerSize + length))
            {
                int returnLength;
                NtStatus status = this.FsControl(FsCtlPeek, IntPtr.Zero, 0, peekBuffer, peekBuffer.Size, out returnLength);

                // STATUS_BUFFER_OVERFLOW only signals that more data remains than fit
                // in 'length'; treat it as success.
                if (status == NtStatus.BufferOverflow)
                {
                    status = NtStatus.Success;
                }

                if (status >= NtStatus.Error)
                {
                    Win32.Throw(status);
                }

                FilePipePeekBuffer header = peekBuffer.ReadStruct <FilePipePeekBuffer>();
                int copied = returnLength - headerSize;

                bytesAvailable     = header.ReadDataAvailable;
                bytesLeftInMessage = header.MessageLength - copied;

                // NOTE(review): 'copied' goes negative if returnLength < DataOffset;
                // assumed not to happen on a successful peek - confirm.
                if (buffer != IntPtr.Zero)
                {
                    peekBuffer.ReadMemory(buffer, 0, headerSize, copied);
                }

                return(copied);
            }
        }
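        /// <summary>
        /// Gets the IDs of the processes currently assigned to this job
        /// (JobObjectBasicProcessIdList).
        /// </summary>
        /// <returns>The process IDs, in the order the kernel returned them.</returns>
        public int[] GetProcessIdList()
        {
            const int ErrorMoreData = 234;               // ERROR_MORE_DATA: the list did not fit
            const int MaxBufferSize = 16 * 1024 * 1024;  // growth ceiling
            const int ListOffset    = 8;                 // ProcessIdList follows two 32-bit counts

            List <int> processIds = new List <int>();
            int        retLength;

            using (MemoryAlloc data = new MemoryAlloc(0x1000))
            {
                // The list is variable-sized; grow the buffer while the API reports
                // ERROR_MORE_DATA instead of failing outright on large jobs.
                while (!Win32.QueryInformationJobObject(this, JobObjectInformationClass.JobObjectBasicProcessIdList,
                                                        data, data.Size, out retLength))
                {
                    int lastError = System.Runtime.InteropServices.Marshal.GetLastWin32Error();

                    if (lastError != ErrorMoreData || data.Size >= MaxBufferSize)
                    {
                        Win32.ThrowLastError();
                    }

                    data.ResizeNew(data.Size * 2);
                }

                JobObjectBasicProcessIdList listInfo = data.ReadStruct <JobObjectBasicProcessIdList>();
                int count = (int)listInfo.NumberOfProcessIdsInList;

                // The count is kernel-supplied; never read more entries than the buffer holds.
                if (count < 0 || ListOffset + (long)count * sizeof(int) > data.Size)
                {
                    Win32.Throw(NtStatus.BufferTooSmall);
                }

                // NOTE(review): entries are read as consecutive 32-bit values at offset 8.
                // The native ProcessIdList is an array of ULONG_PTR, so in a 64-bit process
                // this would interleave the high halves of each ID - confirm the target
                // bitness before trusting these values on x64.
                for (int i = 0; i < count; i++)
                {
                    processIds.Add(data.ReadInt32(ListOffset, i));
                }
            }

            return(processIds.ToArray());
        }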
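        /// <summary>
        /// Retrieves the IPv4 UDP endpoint table with owning process IDs
        /// (GetExtendedUdpTable with UdpTableClass.OwnerPid).
        /// </summary>
        /// <returns>The table with one row per UDP endpoint.</returns>
        /// <exception cref="System.ComponentModel.Win32Exception">
        /// Thrown when GetExtendedUdpTable fails for any reason other than a buffer
        /// that is too small, or when the returned entry count does not fit the buffer.
        /// </exception>
        public static MibUdpTableOwnerPid GetUdpTable()
        {
            const int NoError                 = 0;
            const int ErrorInsufficientBuffer = 122; // ERROR_INSUFFICIENT_BUFFER

            MibUdpTableOwnerPid table = new MibUdpTableOwnerPid();
            int length = 0;

            // Size probe. The table can grow between this call and the fill below,
            // so the fill retries rather than assuming the probed size is final.
            GetExtendedUdpTable(IntPtr.Zero, ref length, false, AiFamily.INet, UdpTableClass.OwnerPid, 0);

            using (MemoryAlloc mem = new MemoryAlloc(length))
            {
                // Assumes the binding returns the Win32 error code as an int - TODO confirm.
                int result;

                while ((result = GetExtendedUdpTable(mem, ref length, false, AiFamily.INet, UdpTableClass.OwnerPid, 0)) == ErrorInsufficientBuffer)
                {
                    // 'length' now holds the new required size.
                    mem.ResizeNew(length);
                }

                // Without this check a failed fill would leave the buffer unfilled and the
                // entry count below would be read from garbage.
                if (result != NoError)
                {
                    throw new System.ComponentModel.Win32Exception(result);
                }

                int count   = mem.ReadInt32(0);
                int rowSize = System.Runtime.InteropServices.Marshal.SizeOf(typeof(MibUdpRowOwnerPid));

                // dwNumEntries comes from the API; make sure the rows fit in what we own.
                if (count < 0 || sizeof(int) + (long)count * rowSize > mem.Size)
                {
                    throw new System.ComponentModel.Win32Exception(ErrorInsufficientBuffer);
                }

                table.NumEntries = count;
                table.Table      = new MibUdpRowOwnerPid[count];

                for (int i = 0; i < count; i++)
                {
                    table.Table[i] = mem.ReadStruct <MibUdpRowOwnerPid>(sizeof(int), i);
                }
            }

            return(table);
        }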
        /// <summary>
        /// Enumerates the entries of this object directory (NtQueryDirectoryObject),
        /// invoking <paramref name="callback"/> once per entry with its name and type name.
        /// </summary>
        /// <param name="callback">Receives each entry; return false to stop the enumeration early.</param>
        public void EnumObjects(EnumObjectsDelegate callback)
        {
            NtStatus status;
            int      context   = 0;      // enumeration cursor, updated by the kernel across calls
            bool     firstTime = true;   // presumably the restart-scan argument; true only for the first call
            int      retLength;

            using (var data = new MemoryAlloc(0x200))
            {
                // Outer loop: one NtQueryDirectoryObject batch per iteration.
                while (true)
                {
                    while ((status = Win32.NtQueryDirectoryObject(
                                this,
                                data,
                                data.Size,
                                false,
                                firstTime,
                                ref context,
                                out retLength
                                )) == NtStatus.MoreEntries)
                    {
                        // Check if we have at least one entry. If not,
                        // we need to double the buffer size and try again.
                        // (A null Name.Buffer in the first slot is taken to mean the
                        // buffer was too small for even a single entry.)
                        if (data.ReadStruct <ObjectDirectoryInformation>(0).Name.Buffer != IntPtr.Zero)
                        {
                            break;
                        }

                        // Cap the growth so a misbehaving directory cannot make us
                        // allocate without bound.
                        if (data.Size > 16 * 1024 * 1024)
                        {
                            Win32.ThrowLastError(status);
                        }

                        data.Resize(data.Size * 2);
                    }

                    if (status >= NtStatus.Error)
                    {
                        Win32.ThrowLastError(status);
                    }

                    int i = 0;

                    // Walk the returned batch; it ends at an entry whose Name.Buffer is null.
                    while (true)
                    {
                        ObjectDirectoryInformation info = data.ReadStruct <ObjectDirectoryInformation>(i);

                        if (info.Name.Buffer == IntPtr.Zero)
                        {
                            break;
                        }

                        // The callback's return value controls early termination.
                        if (!callback(new ObjectEntry(info.Name.Read(), info.TypeName.Read())))
                        {
                            return;
                        }

                        i++;
                    }

                    // MoreEntries means the kernel still has batches to hand back.
                    if (status != NtStatus.MoreEntries)
                    {
                        break;
                    }

                    // Subsequent calls continue from 'context' rather than restarting.
                    firstTime = false;
                }
            }
        }
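        /// <summary>
        /// Returns a UNICODE_STRING-valued driver information item as a string.
        /// </summary>
        /// <param name="infoClass">The driver information class requested.</param>
        /// <returns>The Text of the UNICODE_STRING at the start of a fresh 0x1000-byte
        /// allocation.</returns>
        /// <remarks>
        /// NOTE(review): the KPH driver query that would fill the buffer is disabled in
        /// this revision (it was left behind as commented-out code, now removed), so
        /// nothing writes to <c>data</c> before it is read and the result does not depend
        /// on <paramref name="infoClass"/>. Whether a fresh MemoryAlloc is zeroed (giving
        /// an empty/null Text) is not visible here - confirm this stub is intentional
        /// before relying on the return value.
        /// </remarks>
        private string GetInformationUnicodeString(DriverInformationClass infoClass)
        {
            using (MemoryAlloc data = new MemoryAlloc(0x1000))
            {
                return data.ReadStruct<UnicodeString>().Text;
            }
        }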
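        /// <summary>
        /// Asks the mount manager (IoCtlQueryPoints) for the mount points of the given
        /// device and returns the first symbolic link that looks like a volume name.
        /// </summary>
        /// <param name="deviceName">The device name to look up.</param>
        /// <returns>The volume name symbolic link, or null if none of the returned
        /// mount points is a volume path.</returns>
        public static string GetVolumeName(string deviceName)
        {
            int deviceNameBytes = deviceName.Length * 2;

            // DeviceNameLength is a 16-bit field; refuse names that would be silently truncated.
            if (deviceNameBytes > ushort.MaxValue)
            {
                throw new ArgumentException("Device name is too long.", "deviceName");
            }

            using (MemoryAlloc data = new MemoryAlloc(MountMgrMountPoint.SizeOf + deviceNameBytes))
            {
                MountMgrMountPoint mountPoint = new MountMgrMountPoint
                {
                    DeviceNameLength = (ushort)deviceNameBytes,
                    DeviceNameOffset = MountMgrMountPoint.SizeOf
                };

                data.WriteStruct(mountPoint);
                data.WriteUnicodeString(mountPoint.DeviceNameOffset, deviceName);

                using (var fhandle = OpenMountManager((FileAccess)StandardRights.Synchronize))
                {
                    NtStatus status;
                    int      retLength;

                    using (MemoryAlloc outData = new MemoryAlloc(0x100))
                    {
                        while (true)
                        {
                            status = fhandle.IoControl(
                                IoCtlQueryPoints,
                                data.Memory,
                                data.Size,
                                outData.Memory,
                                outData.Size,
                                out retLength
                                );

                            if (status != NtStatus.BufferOverflow)
                            {
                                break;
                            }

                            // On overflow the driver stores the required size in the leading
                            // Size field. A value that would not grow the buffer would spin
                            // this loop forever, so treat it as a failure instead.
                            int requiredSize = Marshal.ReadInt32(outData.Memory);

                            if (requiredSize <= outData.Size)
                            {
                                Win32.Throw(NtStatus.BufferTooSmall);
                            }

                            outData.ResizeNew(requiredSize);
                        }

                        status.ThrowIf();

                        MountMgrMountPoints mountPoints = outData.ReadStruct <MountMgrMountPoints>();

                        // Go through the mount points given and return the first symbolic link that seems
                        // to be a volume name.
                        for (int i = 0; i < mountPoints.NumberOfMountPoints; i++)
                        {
                            // Counts, offsets and lengths are driver-supplied; stay inside outData.
                            if (MountMgrMountPoints.MountPointsOffset + (i + 1) * MountMgrMountPoint.SizeOf > outData.Size)
                            {
                                Win32.Throw(NtStatus.BufferTooSmall);
                            }

                            MountMgrMountPoint mp = outData.ReadStruct <MountMgrMountPoint>(
                                MountMgrMountPoints.MountPointsOffset,
                                MountMgrMountPoint.SizeOf,
                                i
                                );

                            if (mp.SymbolicLinkNameOffset + mp.SymbolicLinkNameLength > outData.Size)
                            {
                                Win32.Throw(NtStatus.BufferTooSmall);
                            }

                            // SymbolicLinkNameLength is in bytes; PtrToStringUni wants characters.
                            string symLinkName = Marshal.PtrToStringUni(
                                outData.Memory.Increment(mp.SymbolicLinkNameOffset),
                                mp.SymbolicLinkNameLength / 2
                                );

                            if (IsVolumePath(symLinkName))
                            {
                                return(symLinkName);
                            }
                        }

                        return(null);
                    }
                }
            }
        }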
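        /// <summary>
        /// Retrieves the IPv4 UDP endpoint table with owning process IDs
        /// (GetExtendedUdpTable with UdpTableClass.OwnerPid).
        /// </summary>
        /// <returns>The table with one row per UDP endpoint.</returns>
        /// <exception cref="System.ComponentModel.Win32Exception">
        /// Thrown when GetExtendedUdpTable fails for any reason other than a buffer
        /// that is too small, or when the returned entry count does not fit the buffer.
        /// </exception>
        public static MibUdpTableOwnerPid GetUdpTable()
        {
            const int NoError                 = 0;
            const int ErrorInsufficientBuffer = 122; // ERROR_INSUFFICIENT_BUFFER

            MibUdpTableOwnerPid table = new MibUdpTableOwnerPid();
            int length = 0;

            // Size probe. The table can grow between this call and the fill below,
            // so the fill retries rather than assuming the probed size is final.
            GetExtendedUdpTable(IntPtr.Zero, ref length, false, AiFamily.INet, UdpTableClass.OwnerPid, 0);

            using (MemoryAlloc mem = new MemoryAlloc(length))
            {
                // Assumes the binding returns the Win32 error code as an int - TODO confirm.
                int result;

                while ((result = GetExtendedUdpTable(mem, ref length, false, AiFamily.INet, UdpTableClass.OwnerPid, 0)) == ErrorInsufficientBuffer)
                {
                    // 'length' now holds the new required size.
                    mem.ResizeNew(length);
                }

                // Without this check a failed fill would leave the buffer unfilled and the
                // entry count below would be read from garbage.
                if (result != NoError)
                {
                    throw new System.ComponentModel.Win32Exception(result);
                }

                int count   = mem.ReadInt32(0);
                int rowSize = System.Runtime.InteropServices.Marshal.SizeOf(typeof(MibUdpRowOwnerPid));

                // dwNumEntries comes from the API; make sure the rows fit in what we own.
                if (count < 0 || sizeof(int) + (long)count * rowSize > mem.Size)
                {
                    throw new System.ComponentModel.Win32Exception(ErrorInsufficientBuffer);
                }

                table.NumEntries = count;
                table.Table = new MibUdpRowOwnerPid[count];

                for (int i = 0; i < count; i++)
                    table.Table[i] = mem.ReadStruct<MibUdpRowOwnerPid>(sizeof(int), i);
            }

            return table;
        }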
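        /// <summary>
        /// Asks the mount manager (IoCtlQueryPoints) for the mount points of the given
        /// device and returns the first symbolic link that looks like a volume name.
        /// </summary>
        /// <param name="deviceName">The device name to look up.</param>
        /// <returns>The volume name symbolic link, or null if none of the returned
        /// mount points is a volume path.</returns>
        public static string GetVolumeName(string deviceName)
        {
            int deviceNameBytes = deviceName.Length * 2;

            // DeviceNameLength is a 16-bit field; refuse names that would be silently truncated.
            if (deviceNameBytes > ushort.MaxValue)
                throw new ArgumentException("Device name is too long.", "deviceName");

            using (MemoryAlloc data = new MemoryAlloc(MountMgrMountPoint.SizeOf + deviceNameBytes))
            {
                MountMgrMountPoint mountPoint = new MountMgrMountPoint
                {
                    DeviceNameLength = (ushort)deviceNameBytes,
                    DeviceNameOffset = MountMgrMountPoint.SizeOf
                };

                data.WriteStruct(mountPoint);
                data.WriteUnicodeString(mountPoint.DeviceNameOffset, deviceName);

                using (var fhandle = OpenMountManager((FileAccess)StandardRights.Synchronize))
                {
                    NtStatus status;
                    int retLength;

                    using (MemoryAlloc outData = new MemoryAlloc(0x100))
                    {
                        while (true)
                        {
                            status = fhandle.IoControl(
                                IoCtlQueryPoints,
                                data.Memory,
                                data.Size,
                                outData.Memory,
                                outData.Size,
                                out retLength
                                );

                            if (status != NtStatus.BufferOverflow)
                                break;

                            // On overflow the driver stores the required size in the leading
                            // Size field. A value that would not grow the buffer would spin
                            // this loop forever, so treat it as a failure instead.
                            int requiredSize = Marshal.ReadInt32(outData.Memory);

                            if (requiredSize <= outData.Size)
                                Win32.Throw(NtStatus.BufferTooSmall);

                            outData.ResizeNew(requiredSize);
                        }

                        status.ThrowIf();

                        MountMgrMountPoints mountPoints = outData.ReadStruct<MountMgrMountPoints>();

                        // Go through the mount points given and return the first symbolic link that seems 
                        // to be a volume name.
                        for (int i = 0; i < mountPoints.NumberOfMountPoints; i++)
                        {
                            // Counts, offsets and lengths are driver-supplied; stay inside outData.
                            if (MountMgrMountPoints.MountPointsOffset + (i + 1) * MountMgrMountPoint.SizeOf > outData.Size)
                                Win32.Throw(NtStatus.BufferTooSmall);

                            MountMgrMountPoint mp = outData.ReadStruct<MountMgrMountPoint>(
                                MountMgrMountPoints.MountPointsOffset,
                                MountMgrMountPoint.SizeOf,
                                i
                                );

                            if (mp.SymbolicLinkNameOffset + mp.SymbolicLinkNameLength > outData.Size)
                                Win32.Throw(NtStatus.BufferTooSmall);

                            // SymbolicLinkNameLength is in bytes; PtrToStringUni wants characters.
                            string symLinkName = Marshal.PtrToStringUni(
                                outData.Memory.Increment(mp.SymbolicLinkNameOffset),
                                mp.SymbolicLinkNameLength / 2
                                );

                            if (IsVolumePath(symLinkName))
                                return symLinkName;
                        }

                        return null;
                    }
                }
            }
        }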
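        /// <summary>
        /// Resolves an address to the best symbolic description available:
        /// "module!symbol+0xoffset", "module+0xoffset", or just the formatted address.
        /// </summary>
        /// <param name="address">The address to resolve.</param>
        /// <param name="level">Receives how far resolution got (Address, Module or Function).</param>
        /// <param name="flags">Receives the symbol flags, or 0 when no symbol was found.</param>
        /// <param name="fileName">Receives the module's file name (expanded to a full path
        /// when FileInfo can do so), or null when no module matched.</param>
        /// <param name="symbolName">Receives the bare symbol name, or null when none.</param>
        /// <param name="displacement">Receives the distance of <paramref name="address"/>
        /// from the symbol start, as reported by SymFromAddr.</param>
        /// <returns>The formatted description.</returns>
        public string GetSymbolFromAddress(ulong address, out SymbolResolveLevel level, out SymbolFlags flags, out string fileName, out string symbolName, out ulong displacement)
        {
            // Assume failure (and stop the compiler from complaining). Note this block
            // does not return; the outputs are always re-assigned below.
            if (address == 0)
            {
                level = SymbolResolveLevel.Invalid;
                flags = 0;
                fileName = null;
            }

            // Allocate some memory for the symbol information.
            using (var data = new MemoryAlloc(Marshal.SizeOf(typeof(SymbolInfo)) + _maxNameLen))
            {
                var info = new SymbolInfo();

                info.SizeOfStruct = Marshal.SizeOf(info);
                info.MaxNameLen = _maxNameLen - 1;

                Marshal.StructureToPtr(info, data, false);

                // Hack for drivers, since we don't get their module sizes.
                // Preloading modules will fix this.
                if (this.PreloadModules)
                {
                    ulong b;

                    this.GetModuleFromAddress(address, out b);

                    using (Win32.DbgHelpLock.AcquireContext())
                        Win32.SymFromAddr(_handle, b, out displacement, data);

                    // Restore the header the warm-up call may have overwritten.
                    Marshal.StructureToPtr(info, data, false);
                }

                // Get the symbol name.
                using (Win32.DbgHelpLock.AcquireContext())
                {
                    if (Win32.SymFromAddr(_handle, address, out displacement, data))
                    {
                        info = data.ReadStruct<SymbolInfo>();
                    }
                }

                string modFileName;
                ulong modBase;

                // Get the module name.
                if (info.ModBase == 0)
                {
                    modFileName = this.GetModuleFromAddress(address, out modBase);
                }
                else
                {
                    modBase = info.ModBase;

                    lock (_modules)
                        modFileName = _modules.Find(kvp => kvp.Key == info.ModBase).Value;
                }

                // If we don't have a module name, return an address.
                if (modFileName == null)
                {
                    level = SymbolResolveLevel.Address;
                    flags = 0;
                    fileName = null;
                    symbolName = null;

                    return Utils.FormatAddress(address);
                }

                fileName = modFileName;

                // Short module name used in the result. Computed once, with a fallback,
                // so that neither return path below dereferences a null FileInfo
                // (previously the "module!symbol" path did when the FileInfo
                // constructor had thrown).
                string moduleName = null;

                try
                {
                    FileInfo fi = new FileInfo(modFileName);

                    moduleName = fi.Name;
                    fileName = fi.FullName;
                }
                catch
                {
                    // Best effort: an unparsable module path keeps the raw name.
                }

                if (moduleName == null)
                {
                    var s = modFileName.Split('\\');

                    moduleName = s[s.Length - 1];
                }

                // If we have a module name but not a symbol name,
                // return a module plus an offset: module+offset.
                if (info.NameLen == 0)
                {
                    level = SymbolResolveLevel.Module;
                    flags = 0;
                    symbolName = null;

                    return moduleName + "+0x" + (address - modBase).ToString("x");
                }

                // If we have everything, return the full symbol name: module!symbol+offset.
                string name = data.ReadAnsiString(SymbolInfo.NameOffset, info.NameLen);

                level = SymbolResolveLevel.Function;
                flags = info.Flags;
                symbolName = name;

                if (displacement == 0)
                    return moduleName + "!" + name;
                else
                    return moduleName + "!" + name + "+0x" + displacement.ToString("x");
            }
        }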
        /// <summary>
        /// Peeks at the data waiting in the pipe (FsCtlPeek) without consuming it.
        /// </summary>
        /// <param name="buffer">Destination for the peeked bytes, or IntPtr.Zero to
        /// query only the counts.</param>
        /// <param name="length">Maximum number of data bytes to peek.</param>
        /// <param name="bytesAvailable">Receives the number of bytes available to read.</param>
        /// <param name="bytesLeftInMessage">Receives the bytes of the current message
        /// not returned by this call.</param>
        /// <returns>The number of data bytes returned by the peek.</returns>
        public int Peek(IntPtr buffer, int length, out int bytesAvailable, out int bytesLeftInMessage)
        {
            int headerSize = FilePipePeekBuffer.DataOffset;

            using (var peekBuffer = new MemoryAlloc(headerSize + length))
            {
                int returnLength;
                NtStatus status = this.FsControl(FsCtlPeek, IntPtr.Zero, 0, peekBuffer, peekBuffer.Size, out returnLength);

                // STATUS_BUFFER_OVERFLOW only signals that more data remains than fit
                // in 'length'; treat it as success.
                if (status == NtStatus.BufferOverflow)
                {
                    status = NtStatus.Success;
                }

                if (status >= NtStatus.Error)
                {
                    Win32.ThrowLastError(status);
                }

                FilePipePeekBuffer header = peekBuffer.ReadStruct<FilePipePeekBuffer>();
                int copied = returnLength - headerSize;

                bytesAvailable = header.ReadDataAvailable;
                bytesLeftInMessage = header.MessageLength - copied;

                // NOTE(review): 'copied' goes negative if returnLength < DataOffset;
                // assumed not to happen on a successful peek - confirm.
                if (buffer != IntPtr.Zero)
                {
                    peekBuffer.ReadMemory(buffer, 0, headerSize, copied);
                }

                return copied;
            }
        }
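        /// <summary>
        /// Gets the device name behind the given handle via the mount device
        /// query IOCTL (IoCtlQueryDeviceName).
        /// </summary>
        /// <param name="fhandle">An open handle to the device.</param>
        /// <returns>The device name reported by the driver.</returns>
        public static string GetDeviceName(FileHandle fhandle)
        {
            using (MemoryAlloc data = new MemoryAlloc(600))
            {
                fhandle.IoControl(IoCtlQueryDeviceName, IntPtr.Zero, 0, data, data.Size);

                MountDevName name = data.ReadStruct<MountDevName>();

                // NameLength is a driver-supplied byte count and the output buffer is a
                // fixed 600 bytes. Bound the read by the memory we own instead of trusting
                // the reported length (whether IoControl surfaces STATUS_BUFFER_OVERFLOW as
                // an exception is not visible here - TODO confirm).
                if (MountDevName.NameOffset + name.NameLength > data.Size)
                    Win32.Throw(NtStatus.BufferTooSmall);

                // NameLength is in bytes; ReadUnicodeString takes a character count.
                return data.ReadUnicodeString(MountDevName.NameOffset, name.NameLength / 2);
            }
        }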
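        /// <summary>
        /// Resolves an address to the best symbolic description available:
        /// "module!symbol+0xoffset", "module+0xoffset", or just the formatted address.
        /// </summary>
        /// <param name="address">The address to resolve.</param>
        /// <param name="level">Receives how far resolution got (Address, Module or Function).</param>
        /// <param name="flags">Receives the symbol flags, or 0 when no symbol was found.</param>
        /// <param name="fileName">Receives the module's file name (expanded to a full path
        /// when FileInfo can do so), or null when no module matched.</param>
        /// <param name="symbolName">Receives the bare symbol name, or null when none.</param>
        /// <param name="displacement">Receives the distance of <paramref name="address"/>
        /// from the symbol start, as reported by SymFromAddr.</param>
        /// <returns>The formatted description.</returns>
        public string GetSymbolFromAddress(ulong address, out SymbolResolveLevel level, out SymbolFlags flags, out string fileName, out string symbolName, out ulong displacement)
        {
            // Assume failure (and stop the compiler from complaining). Note this block
            // does not return; the outputs are always re-assigned below.
            if (address == 0)
            {
                level    = SymbolResolveLevel.Invalid;
                flags    = 0;
                fileName = null;
            }

            // Allocate some memory for the symbol information.
            using (var data = new MemoryAlloc(Marshal.SizeOf(typeof(SymbolInfo)) + _maxNameLen))
            {
                var info = new SymbolInfo();

                info.SizeOfStruct = Marshal.SizeOf(info);
                info.MaxNameLen   = _maxNameLen - 1;

                Marshal.StructureToPtr(info, data, false);

                // Hack for drivers, since we don't get their module sizes.
                // Preloading modules will fix this.
                if (this.PreloadModules)
                {
                    ulong b;

                    this.GetModuleFromAddress(address, out b);

                    using (Win32.DbgHelpLock.AcquireContext())
                        Win32.SymFromAddr(_handle, b, out displacement, data);

                    // Restore the header the warm-up call may have overwritten.
                    Marshal.StructureToPtr(info, data, false);
                }

                // Get the symbol name.
                using (Win32.DbgHelpLock.AcquireContext())
                {
                    if (Win32.SymFromAddr(_handle, address, out displacement, data))
                    {
                        info = data.ReadStruct <SymbolInfo>();
                    }
                }

                string modFileName;
                ulong  modBase;

                // Get the module name.
                if (info.ModBase == 0)
                {
                    modFileName = this.GetModuleFromAddress(address, out modBase);
                }
                else
                {
                    modBase = info.ModBase;

                    lock (_modules)
                        modFileName = _modules.Find(kvp => kvp.Key == info.ModBase).Value;
                }

                // If we don't have a module name, return an address.
                if (modFileName == null)
                {
                    level      = SymbolResolveLevel.Address;
                    flags      = 0;
                    fileName   = null;
                    symbolName = null;

                    return(Utils.FormatAddress(address));
                }

                fileName = modFileName;

                // Short module name used in the result. Computed once, with a fallback,
                // so that neither return path below dereferences a null FileInfo
                // (previously the "module!symbol" path did when the FileInfo
                // constructor had thrown).
                string moduleName = null;

                try
                {
                    FileInfo fi = new FileInfo(modFileName);

                    moduleName = fi.Name;
                    fileName   = fi.FullName;
                }
                catch
                {
                    // Best effort: an unparsable module path keeps the raw name.
                }

                if (moduleName == null)
                {
                    var s = modFileName.Split('\\');

                    moduleName = s[s.Length - 1];
                }

                // If we have a module name but not a symbol name,
                // return a module plus an offset: module+offset.
                if (info.NameLen == 0)
                {
                    level      = SymbolResolveLevel.Module;
                    flags      = 0;
                    symbolName = null;

                    return(moduleName + "+0x" + (address - modBase).ToString("x"));
                }

                // If we have everything, return the full symbol name: module!symbol+offset.
                string name = data.ReadAnsiString(SymbolInfo.NameOffset, info.NameLen);

                level      = SymbolResolveLevel.Function;
                flags      = info.Flags;
                symbolName = name;

                if (displacement == 0)
                {
                    return(moduleName + "!" + name);
                }
                else
                {
                    return(moduleName + "!" + name + "+0x" + displacement.ToString("x"));
                }
            }
        }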
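        /// <summary>
        /// Reads the substitute name (target) of a mount point reparse point
        /// through FsCtlGetReparsePoint.
        /// </summary>
        /// <param name="fhandle">A handle opened on the reparse point.</param>
        /// <returns>The substitute name stored in the reparse data.</returns>
        /// <remarks>
        /// Throws (via Win32.Throw) when the reparse tag is not a mount point or when
        /// the reparse data describes a name lying outside the returned buffer.
        /// </remarks>
        private static string GetReparsePointTarget(FileHandle fhandle)
        {
            using (MemoryAlloc data = new MemoryAlloc(FileSystem.MaximumReparseDataBufferSize))
            {
                fhandle.IoControl(FileSystem.FsCtlGetReparsePoint, IntPtr.Zero, 0, data, data.Size);

                FileSystem.ReparseDataBuffer buffer = data.ReadStruct<FileSystem.ReparseDataBuffer>();

                // Make sure it is in fact a mount point.
                if (buffer.ReparseTag != (uint)IoReparseTag.MountPoint)
                    Win32.Throw(NtStatus.InvalidParameter);

                int nameOffset = FileSystem.ReparseDataBuffer.MountPointPathBuffer + buffer.SubstituteNameOffset;

                // Offset and byte length come from the on-disk reparse data; bound them
                // by the buffer we actually own before dereferencing.
                if (nameOffset < 0 || nameOffset + buffer.SubstituteNameLength > data.Size)
                    Win32.Throw(NtStatus.InvalidParameter);

                // SubstituteNameLength is in bytes; ReadUnicodeString takes characters.
                return data.ReadUnicodeString(nameOffset, buffer.SubstituteNameLength / 2);
            }
        }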
        /// <summary>
        /// Queries the driver for a UNICODE_STRING-valued information class and
        /// returns its contents as a managed string.
        /// </summary>
        /// <param name="infoClass">The driver information class to query.</param>
        /// <returns>The string the returned UNICODE_STRING refers to.</returns>
        private string GetInformationUnicodeString(DriverInformationClass infoClass)
        {
            using (MemoryAlloc buffer = new MemoryAlloc(0x1000))
            {
                int requiredLength = 0;

                try
                {
                    // First attempt with a page-sized buffer.
                    KProcessHacker.Instance.KphQueryInformationDriver(this, infoClass, buffer, buffer.Size, out requiredLength);
                }
                catch (WindowsException)
                {
                    // Retry once with the length the first call reported.
                    // NOTE(review): every WindowsException triggers this retry, not only a
                    // buffer-too-small failure; if the callee threw before assigning the out
                    // parameter, requiredLength is still 0 and the retry's exception propagates.
                    buffer.ResizeNew(requiredLength);
                    KProcessHacker.Instance.KphQueryInformationDriver(this, infoClass, buffer, buffer.Size, out requiredLength);
                }

                UnicodeString result = buffer.ReadStruct<UnicodeString>();

                return result.Read();
            }
        }
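        /// <summary>
        /// Resolves an address to a symbolic name of the form
        /// <c>module!symbol+0xoffset</c>, falling back to <c>module+0xoffset</c>
        /// when only the containing module is known, and to the formatted address
        /// when nothing is known.
        /// </summary>
        /// <param name="address">The address to resolve.</param>
        /// <param name="level">How far the address could be resolved.</param>
        /// <param name="flags">The symbol flags reported by DbgHelp, or 0 when no
        /// symbol was found.</param>
        /// <param name="fileName">The path of the containing module (normalized via
        /// <see cref="FileInfo"/> when possible), or null when unknown.</param>
        /// <param name="symbolName">The bare symbol name, or null when none was found.</param>
        /// <param name="displacement">The address's offset from the start of the symbol.</param>
        /// <returns>The best name available for the address.</returns>
        public string GetSymbolFromAddress(ulong address, out SymbolResolveLevel level, out SymbolFlags flags, out string fileName, out string symbolName, out ulong displacement)
        {
            if (address == 0)
            {
                // A null address can never be resolved. This branch used to set the out
                // parameters and then fall through, so its assignments were dead and
                // overwritten below; return immediately instead.
                level = SymbolResolveLevel.Invalid;
                flags = 0;
                fileName = null;
                symbolName = null;
                displacement = 0;

                return Utils.FormatAddress(address);
            }

            using (var data = new MemoryAlloc(Marshal.SizeOf(typeof(SymbolInfo)) + _maxNameLen))
            {
                var info = new SymbolInfo();

                info.SizeOfStruct = Marshal.SizeOf(info);
                info.MaxNameLen = _maxNameLen - 1;

                Marshal.StructureToPtr(info, data, false);

                if (this.PreloadModules)
                {
                    // Query the module base first (presumably so DbgHelp loads that
                    // module's symbols); the result of this lookup is discarded and the
                    // SYMBOL_INFO header is rewritten before the real query.
                    ulong b;

                    this.GetModuleFromAddress(address, out b);

                    using (Win32.DbgHelpLock.AcquireContext())
                        Win32.SymFromAddr(_handle, b, out displacement, data);

                    Marshal.StructureToPtr(info, data, false);
                }

                using (Win32.DbgHelpLock.AcquireContext())
                {
                    if (Win32.SymFromAddr(_handle, address, out displacement, data))
                    {
                        info = data.ReadStruct<SymbolInfo>();
                    }
                }

                string modFileName;
                ulong modBase;

                if (info.ModBase == 0)
                {
                    // DbgHelp did not identify the module; fall back to our own module list.
                    modFileName = this.GetModuleFromAddress(address, out modBase);
                }
                else
                {
                    modBase = info.ModBase;

                    // Find yields the default pair (null Value) when the base is unknown;
                    // the null check below turns that into an address-only result.
                    lock (_modules)
                        modFileName = _modules.Find(kvp => kvp.Key == info.ModBase).Value;
                }

                if (modFileName == null)
                {
                    level = SymbolResolveLevel.Address;
                    flags = 0;
                    fileName = null;
                    symbolName = null;

                    return Utils.FormatAddress(address);
                }

                // Prefer FileInfo's normalized full path and short name, but fall back to
                // the raw module path when FileInfo rejects it (invalid characters, too
                // long, access denied). The short name must never be left null: both
                // result forms below use it, and the previous code dereferenced a null
                // FileInfo on the module!symbol path.
                fileName = modFileName;
                string moduleName = null;

                try
                {
                    FileInfo fi = new FileInfo(modFileName);
                    moduleName = fi.Name;
                    fileName = fi.FullName;
                }
                catch (ArgumentException) { }
                catch (IOException) { }
                catch (NotSupportedException) { }
                catch (UnauthorizedAccessException) { }
                catch (System.Security.SecurityException) { }

                if (moduleName == null)
                {
                    string[] parts = modFileName.Split('\\');
                    moduleName = parts[parts.Length - 1];
                }

                if (info.NameLen == 0)
                {
                    // Module known, symbol not: module+offset-from-module-base.
                    level = SymbolResolveLevel.Module;
                    flags = 0;
                    symbolName = null;

                    return moduleName + "+0x" + (address - modBase).ToString("x");
                }

                // Full resolution: module!symbol+offset-from-symbol.
                string name = Marshal.PtrToStringAnsi(data.Memory.Increment(Win32.SymbolInfoNameOffset), info.NameLen);

                level = SymbolResolveLevel.Function;
                flags = info.Flags;
                symbolName = name;

                if (displacement == 0)
                    return moduleName + "!" + name;

                return moduleName + "!" + name + "+0x" + displacement.ToString("x");
            }
        }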