Пример #1
        /// <summary>
        /// Walks the target process's <c>_PEB.ProcessHeaps</c> array and yields the address of every
        /// heap recorded there, resolving field offsets through <c>DbgOffset.Get("_PEB")</c>.
        /// </summary>
        /// <param name="pebAddress">Address of the target process's <c>_PEB</c>.</param>
        /// <returns>
        /// The pointers stored in <c>ProcessHeaps[0..NumberOfHeaps)</c>; an empty sequence when the
        /// <c>ProcessHeaps</c> pointer is null or <c>NumberOfHeaps</c> cannot be read.
        /// </returns>
        public static IEnumerable<IntPtr> EnumerateHeaps(IntPtr pebAddress)
        {
            DbgOffset peb = DbgOffset.Get("_PEB");

            // ProcessHeaps points at an array of heap pointers; a null array means nothing to walk.
            IntPtr heapArray = peb.GetPointer(pebAddress, "ProcessHeaps").ReadPtr();
            if (heapArray == IntPtr.Zero)
            {
                yield break;
            }

            // A failed read of the count is treated as "no heaps" rather than an error.
            // NOTE(review): heapCount comes from the target process's memory and is not bounded here;
            // a corrupted PEB could make this loop read past the array - confirm callers tolerate that.
            if (!peb.TryRead<int>(pebAddress, "NumberOfHeaps", out int heapCount))
            {
                yield break;
            }

            // Each slot of the array is one native-sized pointer.
            for (int index = 0; index < heapCount; index++)
            {
                IntPtr slot = heapArray + IntPtr.Size * index;
                yield return slot.ReadPtr();
            }
        }
Пример #2
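        /// <summary>
        /// Demonstration entry point: resolves the current process's <c>_ETHREAD</c>, verifies it really
        /// belongs to this process, then temporarily unlinks the owning <c>_EPROCESS</c> from
        /// <c>ActiveProcessLinks</c> through the <c>KernelMemoryIO</c> device and relinks it before exiting.
        /// </summary>
        /// <remarks>
        /// Every write here lands in live kernel structures, so the unlink is always paired with a restore
        /// in a <c>finally</c>. From a detection standpoint, a process missing from <c>ActiveProcessLinks</c>
        /// while still present in other kernel views is the cross-view artifact this kind of write leaves behind.
        /// </remarks>
        /// <param name="_">Command-line arguments (unused).</param>
        static void Main(string[] _)
        {
            int processId = Process.GetCurrentProcess().Id;
            Console.WriteLine($"ThisPID: {processId}");

            IntPtr ethreadPtr = GetEThread(processId);
            if (ethreadPtr == IntPtr.Zero)
            {
                Console.WriteLine("THREAD handle not found");
                return;
            }

            Console.WriteLine($"_ETHREAD address: {ethreadPtr.ToInt64():x}");
            Console.WriteLine();

            using (KernelMemoryIO memoryIO = new KernelMemoryIO())
            {
                if (!memoryIO.IsInitialized)
                {
                    Console.WriteLine("Failed to open device");
                    return;
                }

                // +0x648 Cid : _CLIENT_ID
                // Sanity check before touching anything: the resolved ETHREAD must belong to this process.
                IntPtr clientIdPtr = _ethreadOffset.GetPointer(ethreadPtr, "Cid");
                _CLIENT_ID cid = memoryIO.ReadMemory<_CLIENT_ID>(clientIdPtr);

                Console.WriteLine($"PID: {cid.Pid} ({cid.Pid:x})");
                Console.WriteLine($"TID: {cid.Tid} ({cid.Tid:x})");

                if (cid.Pid != processId)
                {
                    return;
                }

                // +0x220 Process : Ptr64 _KPROCESS
                IntPtr processPtr = _kthreadOffset.GetPointer(ethreadPtr, "Process");
                IntPtr eprocessPtr = memoryIO.ReadMemory<IntPtr>(processPtr);
                IntPtr activeProcessLinksPtr = _eprocessOffset.GetPointer(eprocessPtr, "ActiveProcessLinks");

                // The prompts say "any key" but the demo actually waits for Enter (ReadLine).
                Console.WriteLine("Press any key to hide this process from Task Manager");
                Console.ReadLine();

                IntPtr deletedEntry = IntPtr.Zero;
                try
                {
                    deletedEntry = Unlink(memoryIO, activeProcessLinksPtr);

                    Console.WriteLine();
                    Console.WriteLine("Press any key to unhide this process");
                    Console.ReadLine();
                }
                finally
                {
                    // Only relink what was actually unlinked: if Unlink threw, deletedEntry is still
                    // IntPtr.Zero and there is nothing to restore.
                    if (deletedEntry != IntPtr.Zero)
                    {
                        RestoreLink(memoryIO, deletedEntry);
                    }
                }

                Console.WriteLine("Check this process appeared again in Task Manager");
                Console.WriteLine("Press any key to exit");
                Console.ReadLine();
            }
        }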