public static IntPtr GetPEBAddress(uint ProcessId) { //Get a handle to our own process IntPtr hProc = Kernel32.OpenProcess(ProcessAccess.All, false, ProcessId); //Allocate memory for a new PROCESS_BASIC_INFORMATION structure IntPtr pbi = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(PROCESS_BASIC_INFORMATION))); //Allocate memory for a long IntPtr outLong = Marshal.AllocHGlobal(sizeof(long)); IntPtr outPtr = IntPtr.Zero; NtStatus queryStatus = 0; //Store API call success in a boolean queryStatus = NtDll.NtQueryInformationProcess(hProc, ProcessInfo.ProcessBasicInformation, pbi, (uint)Marshal.SizeOf(typeof(PROCESS_BASIC_INFORMATION)), outLong); //Close handle and free allocated memory Kernel32.CloseHandle(hProc); Marshal.FreeHGlobal(outLong); //STATUS_SUCCESS = 0, so if API call was successful querySuccess should contain 0 ergo we reverse the check. outPtr = ((PROCESS_BASIC_INFORMATION)Marshal.PtrToStructure(pbi, typeof(PROCESS_BASIC_INFORMATION))).PebBaseAddress; //Free allocated space Marshal.FreeHGlobal(pbi); //Return pointer to PEB base address return(outPtr); }
public static unsafe void VisitProcesses(ResizeableBuffer resizeableBuffer, SystemProcInfoVisitor visit) { var size = 100 * 1024; while (true) { var buffer = resizeableBuffer.Get(ref size, false); fixed(byte *ptr = buffer) { var status = NtDll.NtQuerySystemInformation( SYSTEM_INFORMATION_CLASS.SystemProcessInformation, (IntPtr)ptr, buffer.Length, out size); if (status == NtStatus.STATUS_INFO_LENGTH_MISMATCH) { continue; } if (!status.IsSuccessful()) { throw new InvalidOperationException($"Can't query SystemProcessInformation. NtStatus: 0x{status:X}"); } VisitProcesses(ptr, buffer, visit); return; } } }
public static IEnumerable <ProcessInfo> GetLockingProcessInfos(string[] paths, LockManagerFeatures features = default) { if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows)) { if ((features & LockManagerFeatures.UseLowLevelApi) != 0) { return(NtDll.GetLockingProcessInfos(paths)); } return(RestartManager.GetLockingProcessInfos(paths)); } else if (RuntimeInformation.IsOSPlatform(OSPlatform.Linux)) { return(ProcFileSystem.GetLockingProcessInfos(paths)); } else { if ((features & LockManagerFeatures.ThrowIfNotSupported) != 0) { throw new NotSupportedException("Current OS platform is not supported"); } return(Enumerable.Empty <ProcessInfo>()); } }
public NhaamaHandle(IntPtr handle, NhaamaProcess process) { _handle = handle; _process = process; IntPtr dupHandle = IntPtr.Zero; var status = NtDll.NtDuplicateObject(process.BaseProcess.Handle, handle, Process.GetCurrentProcess().Handle, out dupHandle, 0, false, DuplicateOptions.DUPLICATE_SAME_ACCESS); if (status != NtStatus.Success) { throw new Exception($"Could not duplicate handle. (NtStatus:{status.ToString()})"); } var objectNameInformationPtr = NtDll.NtQueryObject(dupHandle, OBJECT_INFORMATION_CLASS.ObjectNameInformation); if (objectNameInformationPtr == IntPtr.Zero) { return; } var objInfo = Marshal.PtrToStructure <Native.Structs.OBJECT_NAME_INFORMATION>(objectNameInformationPtr); if (objInfo.Name.ToString() != null) { Name = objInfo.Name.ToString(); } Marshal.FreeHGlobal(objectNameInformationPtr); NtDll.NtClose(dupHandle); }
private static bool IsWindowsVersionOrGreater(uint majorVersion, uint minorVersion, ushort servicePackMajor) { var osvi = new NativeStructs.RTL_OSVERSIONINFOEXW(0); ulong conditionMask = Kernel32.VerSetConditionMask ( Kernel32.VerSetConditionMask ( Kernel32.VerSetConditionMask ( 0, NativeConstants.VER_MAJORVERSION, NativeConstants.VER_GREATER_EQUAL ), NativeConstants.VER_MINORVERSION, NativeConstants.VER_GREATER_EQUAL ), NativeConstants.VER_SERVICEPACKMAJOR, NativeConstants.VER_GREATER_EQUAL ); osvi.dwMajorVersion = majorVersion; osvi.dwMinorVersion = minorVersion; osvi.wServicePackMajor = servicePackMajor; return(NtDll.RtlVerifyVersionInfo(ref osvi, NativeConstants.VER_MAJORVERSION | NativeConstants.VER_MINORVERSION | NativeConstants.VER_SERVICEPACKMAJOR, conditionMask) == NativeConstants.STATUS_SUCCESS); }
public override byte[] ReadMemory(long address, int size) { byte[] buffer = new byte[size]; UIntPtr numBytes; int error = 0; if (IsWow64() && !IsWow64Process(processHandle)) { int status = NtDll.NtWow64ReadVirtualMemory64(processHandle, (long)address, buffer, size, out numBytes); error = NtDll.RtlNtStatusToDosError(status); } else { bool success = Kernel32.ReadProcessMemory(processHandle, checked ((IntPtr)address), buffer, size, out numBytes); if (!success) { error = Marshal.GetLastWin32Error(); } } if (error != 0 && error != 299 || (error == 299 && size > 0 && numBytes == UIntPtr.Zero)) { throw new Win32Exception(error); } if (numBytes != (UIntPtr)size) { Array.Resize(ref buffer, (int)numBytes); } return(buffer); }
public unsafe int BufferCB(double sampleTime, IntPtr buffer, int bufferLen) { if (_parent.NewFrame != null) { if (_bitmap == null || _bitmap.Width != Width || _bitmap.Height != Height) { _bitmap?.Dispose(); _bitmap = new Bitmap(Width, Height, PixelFormat.Format24bppRgb); } var bitmapData = _bitmap.LockBits(new Rectangle(0, 0, Width, Height), ImageLockMode.ReadWrite, PixelFormat.Format24bppRgb); var stride1 = bitmapData.Stride; var stride2 = bitmapData.Stride; var dst = (byte *)((IntPtr)bitmapData.Scan0.ToPointer() + stride2 * (Height - 1)); var pointer = (byte *)buffer.ToPointer(); for (var index = 0; index < Height; ++index) { NtDll.memcpy(dst, pointer, stride1); dst -= stride2; pointer += stride1; } _bitmap.UnlockBits(bitmapData); _parent.OnNewFrame(_bitmap); } return(0); }
/// <summary> /// Returns a collection of handles that are currently active within the system /// </summary> /// <returns>A collection of active handles</returns> public static ICollection <HandleInfo> GetHandles() { byte[] buffer; NtStatus status; int size = 1024; uint actualSize = 0; do { buffer = new byte[size]; status = NtDll.NtQuerySystemInformation(SystemInformationType.HandleInformation, buffer, Convert.ToUInt32(size), ref actualSize); if (status != NtStatus.Success && status != NtStatus.BufferTooSmall && status != NtStatus.InfoLengthMismatch) { throw new Win32Exception("Could not retrieve system handle information"); } size = Convert.ToInt32(actualSize); } while (status != NtStatus.Success); int count = Seriz.Parse <int>(buffer); NtDll.SystemHandle[] systemHandles = Seriz.Parse <NtDll.SystemHandle>(buffer.Skip(4).ToArray(), count); List <HandleInfo> results = new List <HandleInfo>(); foreach (var handle in systemHandles) { results.Add(new HandleInfo(Convert.ToInt32(handle.ProcessId), handle.Type, new IntPtr(handle.Handle), handle.AccessMask)); } return(results); }
/// <summary>Retrieves information about the specified process using either NtQueryInformationProcess or GetProcessInformation.</summary> /// <typeparam name="T">The type of information to retrieve.</typeparam> /// <param name="process"> /// A handle to the process. This handle must have the <c>PROCESS_SET_INFORMATION</c> access right. For more information, see Process /// Security and Access Rights. /// </param> /// <returns>An object containing the requested type of information.</returns> /// <exception cref="ArgumentException">Type mismatch.</exception> public static T GetInformation <T>(this Process process) where T : struct { if (CorrespondingTypeAttribute.CanGet <T, NtDll.PROCESSINFOCLASS>(out var pic)) { return(NtDll.NtQueryInformationProcess <T>(process, pic)); } return(GetProcessInformation <T>(process)); }
/// <summary> /// Gets the friendly name, as shown in Windows' control panel. /// </summary> /// <returns>System.String.</returns> private string GetFriendlyName() { var lpVersionInformation = new NtDll.OSVERSIONINFOEX(); lpVersionInformation.dwOSVersionInfoSize = (uint)Marshal.SizeOf(lpVersionInformation); NtDll.RtlGetVersion(ref lpVersionInformation); return(ConvertAdapterName(NameBytes, 0, lpVersionInformation.dwPlatformId, lpVersionInformation.dwMajorVersion)); }
/// <summary> /// Gets the version. /// </summary> /// <returns><see cref="NtDll.OSVERSIONINFOEX" />.</returns> private static NtDll.OSVERSIONINFOEX GetVersion() { var osversioninfoex = new NtDll.OSVERSIONINFOEX(); osversioninfoex.dwOSVersionInfoSize = (uint)Marshal.SizeOf(osversioninfoex); NtDll.RtlGetVersion(ref osversioninfoex); return(osversioninfoex); }
public static bool IsWindowsServer() { var osvi = new NativeStructs.RTL_OSVERSIONINFOEXW(0); osvi.wProductType = NativeConstants.VER_NT_WORKSTATION; ulong conditionMask = Kernel32.VerSetConditionMask(0, NativeConstants.VER_PRODUCT_TYPE, NativeConstants.VER_EQUAL); var result = NtDll.RtlVerifyVersionInfo(ref osvi, NativeConstants.VER_PRODUCT_TYPE, conditionMask); bool clientOS = (result == NativeConstants.STATUS_SUCCESS); return(!clientOS); }
public void Close() { //IntPtr hProcess = OpenProcess(ProcessAccessFlags.DupHandle, false, pid); IntPtr dupHandle = IntPtr.Zero; var status = NtDll.NtDuplicateObject(_process.BaseProcess.Handle, _handle, IntPtr.Zero, out dupHandle, 0, false, DuplicateOptions.DUPLICATE_CLOSE_SOURCE); NtDll.NtClose(dupHandle); if (status != NtStatus.Success) { throw new Exception($"Could not close handle. (NtStatus:{status.ToString()})"); } }
private static bool IsWindows10OrHigher() { var version = NtDll.RtlGetVersion(); if (default(Version) == version) { // Snippet from Koopakiller https://dotnet-snippets.de/snippet/os-version-name-mit-wmi/4929 using (var mos = new ManagementObjectSearcher("SELECT Caption, Version FROM Win32_OperatingSystem")) { var attribs = mos.Get().OfType <ManagementObject>(); //caption = attribs.FirstOrDefault().GetPropertyValue("Caption").ToString() ?? "Unknown"; version = new Version((attribs.FirstOrDefault()?.GetPropertyValue("Version") ?? "0.0.0.0").ToString()); } } return(version >= new Version(10, 0)); }
public int ExecThread(IntPtr Func, IntPtr Param, bool Wait = false) { int Ret = 0; IntPtr Thread; NtDll.RtlCreateUserThread(Proc, Func, Param, out Thread); if (Wait) { Ret = Kernel32.WaitForSingleObject(Thread, uint.MaxValue); } if (!Kernel32.CloseHandle(Thread)) { throw new Win32Exception(); } return(Ret); }
private static bool IsWindows10BuildOrGreaterWin32(int build) { var osVer = new NtDll.OsVersionInfoEXW { DwMajorVersion = 10, DwMinorVersion = 0, DwBuildNumber = (uint)build }; const NtDll.TypeMask mask = NtDll.TypeMask.VerMajorVersion | NtDll.TypeMask.VerMinorVersion | NtDll.TypeMask.VerBuildNumber; ulong cond = NtDll.VerSetConditionMask(0, NtDll.TypeMask.VerMajorVersion, NtDll.Condition.VerGreaterEqual); cond = NtDll.VerSetConditionMask(cond, NtDll.TypeMask.VerMinorVersion, NtDll.Condition.VerGreaterEqual); cond = NtDll.VerSetConditionMask(cond, NtDll.TypeMask.VerBuildNumber, NtDll.Condition.VerGreaterEqual); // HACK: Use RtlVerifyVersionInfo instead of VerifyVersionInfoW as the // latter lies unless the user knew to embed a non-default manifest // announcing support for Windows 10 via supportedOS GUID return(NtDll.RtlVerifyVersionInfo(ref osVer, mask, cond) == 0); }
public static Process GetParentProcess(this Process P) { PROCESS_BASIC_INFORMATION PBI = new PROCESS_BASIC_INFORMATION(); int RetLen; int Status = 0; Status = NtDll.NtQueryInformationProcess(P.Handle, ProcessInformationClasss.ProcessBasicInformation, new IntPtr(&PBI), Marshal.SizeOf(PBI), out RetLen); if (Status != 0) { throw new Win32Exception(Status); } try { return(Process.GetProcessById(PBI.Reserved3.ToInt32())); } catch (ArgumentException) { return(null); } }
/// <summary> /// Returns whether the windows version running on is at least the specified one. /// </summary> private static unsafe bool IsWindowsVersionOrGreaterWin32(int major, int minor, int sp) { var osVer = new NtDll.OsVersionInfoEXW { DwMajorVersion = (uint)major, DwMinorVersion = (uint)minor, DwBuildNumber = 0, DwPlatformId = 0, WServicePackMajor = (ushort)sp }; osVer.DwOSVersionInfoSize = (uint)Marshal.SizeOf(osVer); osVer.SzCsdVersion[0] = (char)0; const NtDll.TypeMask mask = NtDll.TypeMask.VerMajorVersion | NtDll.TypeMask.VerMinorVersion | NtDll.TypeMask.VerServicePackMajor; ulong cond = NtDll.VerSetConditionMask(0, NtDll.TypeMask.VerMajorVersion, NtDll.Condition.VerGreaterEqual); cond = NtDll.VerSetConditionMask(cond, NtDll.TypeMask.VerMinorVersion, NtDll.Condition.VerGreaterEqual); cond = NtDll.VerSetConditionMask(cond, NtDll.TypeMask.VerServicePackMajor, NtDll.Condition.VerGreaterEqual); // HACK: Use RtlVerifyVersionInfo instead of VerifyVersionInfoW as the // latter lies unless the user knew to embed a non-default manifest // announcing support for Windows 10 via supportedOS GUID return(NtDll.RtlVerifyVersionInfo(ref osVer, mask, cond) == 0); }
public static void spoon(out int Res) { Res = -1; ProcessInfo *PInf = (ProcessInfo *)Marshal.AllocHGlobal(sizeof(ProcessInfo)); if (NtDll.RtlCloneUserProcess(CloneProcessFlags.CreateSuspended | CloneProcessFlags.InheritHandles, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, PInf) == CloneStatus.Parent) { Res = Kernel32.GetProcessId(PInf->ProcInfo.Process); Kernel32.ResumeThread(PInf->ProcInfo.Thread); Kernel32.CloseHandle(PInf->ProcInfo.Process); Kernel32.CloseHandle(PInf->ProcInfo.Thread); Marshal.FreeHGlobal(new IntPtr(PInf)); } else { Res = 0; if (Kernel32.FreeConsole()) { Kernel32.AllocConsole(); StreamWriter OutWriter = new StreamWriter(Console.OpenStandardOutput()); OutWriter.AutoFlush = true; Console.SetOut(OutWriter); StreamWriter ErrWriter = new StreamWriter(Console.OpenStandardError()); ErrWriter.AutoFlush = true; Console.SetError(ErrWriter); StreamReader InReader = new StreamReader(Console.OpenStandardInput()); Console.SetIn(InReader); } } }
internal static unsafe bool CryptProtectData(SafeBSTRHandle uncryptedBuffer, out SafeBSTRHandle cryptedBuffer) { byte *uncryptedBufferPtr = null; DATA_BLOB pDataOut = default(DATA_BLOB); try { uncryptedBuffer.AcquirePointer(ref uncryptedBufferPtr); DATA_BLOB pDataIn = new DATA_BLOB((IntPtr)uncryptedBufferPtr, uncryptedBuffer.Length * 2); if (CryptProtectData(new IntPtr(&pDataIn), String.Empty, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, CRYPTPROTECTMEMORY_SAME_PROCESS, new IntPtr(&pDataOut))) { SafeBSTRHandle newHandle = SafeBSTRHandle.Allocate(pDataOut.pbData, pDataOut.cbData); cryptedBuffer = newHandle; return(true); } else { cryptedBuffer = SafeBSTRHandle.Allocate(null, 0); return(false); } } finally { if (uncryptedBufferPtr != null) { uncryptedBuffer.ReleasePointer(); } if (pDataOut.pbData != IntPtr.Zero) { NtDll.ZeroMemory(pDataOut.pbData, (UIntPtr)pDataOut.cbData); Marshal.FreeHGlobal(pDataOut.pbData); } } }
public override int WriteMemory(long address, byte[] data) { UIntPtr numBytes; int error = 0; if (IsWow64() && !IsWow64Process(processHandle)) { int status = NtDll.NtWow64WriteVirtualMemory64(processHandle, address, data, data.Length, out numBytes); error = NtDll.RtlNtStatusToDosError(status); } else { bool success = Kernel32.WriteProcessMemory(processHandle, checked ((IntPtr)address), data, data.Length, out numBytes); if (!success) { error = Marshal.GetLastWin32Error(); } } if (error != 0 && error != 299 || (error == 299 && data.Length > 0 && numBytes == UIntPtr.Zero)) { throw new Win32Exception(error); } return((int)numBytes); }
public NhaamaHandle[] GetHandles() { var handles = new List <NhaamaHandle>(); var nHandleInfoSize = 0x10000; var ipHandlePointer = Marshal.AllocHGlobal(nHandleInfoSize); var nLength = 0; IntPtr ipHandle; while ((NtDll.NtQuerySystemInformation(SYSTEM_INFORMATION_CLASS.SystemHandleInformation, ipHandlePointer, nHandleInfoSize, ref nLength)) == NtStatus.InfoLengthMismatch) { nHandleInfoSize = nLength; Marshal.FreeHGlobal(ipHandlePointer); ipHandlePointer = Marshal.AllocHGlobal(nLength); } byte[] baTemp = new byte[nLength]; Marshal.Copy(ipHandlePointer, baTemp, 0, nLength); long lHandleCount; if (Is64BitProcess()) { lHandleCount = Marshal.ReadInt64(ipHandlePointer); ipHandle = new IntPtr(ipHandlePointer.ToInt64() + 8); } else { lHandleCount = Marshal.ReadInt32(ipHandlePointer); ipHandle = new IntPtr(ipHandlePointer.ToInt32() + 4); } SYSTEM_HANDLE_INFORMATION shHandle; List <SYSTEM_HANDLE_INFORMATION> test = new List <SYSTEM_HANDLE_INFORMATION>(); for (long lIndex = 0; lIndex < lHandleCount; lIndex++) { shHandle = new SYSTEM_HANDLE_INFORMATION(); if (Is64BitProcess()) { shHandle = (SYSTEM_HANDLE_INFORMATION)Marshal.PtrToStructure(ipHandle, shHandle.GetType()); ipHandle = new IntPtr(ipHandle.ToInt64() + Marshal.SizeOf(shHandle) + 8); } else { ipHandle = new IntPtr(ipHandle.ToInt64() + Marshal.SizeOf(shHandle)); shHandle = (SYSTEM_HANDLE_INFORMATION)Marshal.PtrToStructure(ipHandle, shHandle.GetType()); } if (shHandle.ProcessID != BaseProcess.Id) { continue; } try { test.Add(shHandle); } catch { // ignored } } foreach (var systemHandleInformation in test) { try { handles.Add(new NhaamaHandle(new IntPtr(systemHandleInformation.Handle), this)); } catch { //ignored } } return(handles.ToArray()); }