Пример #1
0
        private static NtResult <SafeStructureInOutBuffer <T> > QueryObject <T>(SafeKernelObjectHandle handle,
                                                                                ObjectInformationClass object_info, bool throw_on_error) where T : new()
        {
            SafeStructureInOutBuffer <T> ret = null;
            NtStatus status = NtStatus.STATUS_BUFFER_TOO_SMALL;

            try
            {
                status = NtSystemCalls.NtQueryObject(handle, object_info, SafeHGlobalBuffer.Null, 0, out int return_length);
                if ((status != NtStatus.STATUS_BUFFER_TOO_SMALL) && (status != NtStatus.STATUS_INFO_LENGTH_MISMATCH))
                {
                    return(status.CreateResultFromError <SafeStructureInOutBuffer <T> >(throw_on_error));
                }

                if (return_length == 0)
                {
                    ret = new SafeStructureInOutBuffer <T>();
                }
                else
                {
                    ret = new SafeStructureInOutBuffer <T>(return_length, false);
                }
                status = NtSystemCalls.NtQueryObject(handle, object_info, ret, ret.Length, out return_length);
                return(status.CreateResult(throw_on_error, () => ret));
            }
            finally
            {
                if (ret != null && !status.IsSuccess())
                {
                    ret.Close();
                    ret = null;
                }
            }
        }
Пример #2
0
        public NtStatus ZwQueryObject(
            ProcessHandle processHandle,
            IntPtr handle,
            ObjectInformationClass objectInformationClass,
            IntPtr buffer,
            int bufferLength,
            out int returnLength,
            out int baseAddress
            )
        {
            byte *inData = stackalloc byte[12];

            byte[] outData = new byte[bufferLength + 12];

            *(int *)inData       = processHandle;
            *(int *)(inData + 4) = handle.ToInt32();
            *(int *)(inData + 8) = (int)objectInformationClass;

            _fileHandle.IoControl(CtlCode(Control.ZwQueryObject), inData, 12, outData);

            NtStatus status;

            fixed(byte *outDataPtr = outData)
            {
                status       = *(NtStatus *)outDataPtr;
                returnLength = *(int *)(outDataPtr + 4);
                baseAddress  = *(int *)(outDataPtr + 8);
            }

            if (buffer != IntPtr.Zero)
                Marshal.Copy(outData, 12, buffer, bufferLength); }
Пример #3
0
 public static extern NtStatus NtQueryObject(
     SafeHandle ObjectHandle,
     ObjectInformationClass ObjectInformationClass,
     IntPtr ObjectInformation,
     int ObjectInformationLength,
     out int ReturnLength
     );
Пример #4
0
            public static IntPtr Query(IntPtr hObj, ObjectInformationClass infoClass, int estimatedSize)
            {
                int    size    = estimatedSize;
                IntPtr buf     = Marshal.AllocCoTaskMem(size);
                int    retsize = 0;

                while (true)
                {
                    var ret = NtQueryObject(hObj, infoClass, buf, size, out retsize);
                    if (NT_SUCCESS(ret))
                    {
                        return(buf);
                    }
                    if (ret == NT_STATUS.INFO_LENGTH_MISMATCH || ret == NT_STATUS.BUFFER_OVERFLOW)
                    {
                        buf  = Marshal.ReAllocCoTaskMem(buf, retsize);
                        size = retsize;
                    }
                    else
                    {
                        Marshal.FreeCoTaskMem(buf);
                        return(IntPtr.Zero);
                    }
                }
            }
Пример #5
0
 private static NtResult <T> QueryObjectFixed <T>(SafeKernelObjectHandle handle,
                                                  ObjectInformationClass object_info, bool throw_on_error) where T : new()
 {
     using (var buffer = new SafeStructureInOutBuffer <T>()) {
         return(NtSystemCalls.NtQueryObject(handle, object_info, buffer,
                                            buffer.Length, out int return_length).CreateResult(throw_on_error, () => buffer.Result));
     }
 }
Пример #6
0
 internal unsafe T QueryObjectInformation <T>(ObjectInformationClass infoClass, ref T buff) where T : unmanaged
 {
     fixed(void *buffP = &buff)
     {
         PInvoke.NTSTATUS status = NtQueryObject(handle, infoClass, buffP, (uint)sizeof(T), out _);
         if (status.Severity != PInvoke.NTSTATUS.SeverityCode.STATUS_SEVERITY_SUCCESS)
         {
             throw new PInvoke.NTStatusException(status);
         }
         return(buff);
     }
 }
Пример #7
0
        /// <summary>
        ///
        /// </summary>
        /// <param name="ObjectHandle"></param>
        /// <param name="ObjectInformationClass"></param>
        /// <param name="Info"></param>
        /// <param name="InfoLength"></param>
        /// <param name="ReturnLength"></param>
        /// <returns></returns>
        public static NTSTATUS NtQueryObject(IntPtr ObjectHandle, ObjectInformationClass ObjectInformationClass, IntPtr Info, uint InfoLength, out uint ReturnLength, [CallerMemberName] string callerName = "")
        {
            if (!PInvokeDebugger.LoggingEnabled)
            {
                return(PInvoke_NtQueryObject(ObjectHandle, ObjectInformationClass, Info, InfoLength, out ReturnLength));
            }

            NTSTATUS         returnValue = PInvoke_NtQueryObject(ObjectHandle, ObjectInformationClass, Info, InfoLength, out ReturnLength);
            PInvokeDebugInfo debugInfo   = PInvokeDebugInfo.TraceDebugInfo(
                ModuleName,
                nameof(NtQueryObject),
                callerName,
                returnValue,
                nameof(ObjectHandle), ObjectHandle,
                nameof(ObjectInformationClass), ObjectInformationClass,
                nameof(Info), Info,
                nameof(InfoLength), InfoLength,
                nameof(ReturnLength), ReturnLength
                );

            PInvokeDebugger.SafeCapture(debugInfo);
            return(returnValue);
        }
Пример #8
0
 public unsafe static extern int NtQueryObject(IntPtr hObject, ObjectInformationClass infoClass, UnicodeString *pString, int size, int *returnedSize = null);
Пример #9
0
 public static extern NtStatus NtSetInformationObject(
     SafeHandle ObjectHandle,
     ObjectInformationClass ObjectInformationClass,
     SafeBuffer ObjectInformation,
     int ObjectInformationLength
     );
Пример #10
0
 internal static extern unsafe PInvoke.NTSTATUS NtQueryObject(IntPtr handle, ObjectInformationClass informationClass, void *buffer, uint bufferLength, out uint returnLength);
Пример #11
0
 internal static extern NtStatus NtQueryObject(
     [In] IntPtr handle,
     [In] ObjectInformationClass objectInformationClass,
     [In] IntPtr objectInformation,
     [In] int objectInformationLength,
     [Out] out int returnLength);
Пример #12
0
 public static extern uint NtQueryObject(IntPtr handle, ObjectInformationClass objectInformationClass,
                                         IntPtr objectInformation, uint objectInformationLength, out uint returnLength);
Пример #13
0
 public NtObject(IntPtr hObj, ObjectInformationClass infoClass, Type type)
 {
     Init(hObj, infoClass, Marshal.SizeOf(type));
 }
Пример #14
0
 static extern NT_STATUS NtQueryObject(
     IntPtr ObjectHandle,
     ObjectInformationClass ObjectInformationClass,
     IntPtr ObjectInformation,
     int ObjectInformationLength,
     out int returnLength);
Пример #15
0
 internal unsafe static extern int NtQueryObject(IntPtr hObject, ObjectInformationClass infoClass, void *buffer, int size, int *actualSize = null);
Пример #16
0
        public NtStatus ZwQueryObject(
            ProcessHandle processHandle,
            IntPtr handle,
            ObjectInformationClass objectInformationClass,
            IntPtr buffer,
            int bufferLength,
            out int returnLength,
            out int baseAddress
            )
        {
            byte* inData = stackalloc byte[12];
            byte[] outData = new byte[bufferLength + 12];

            *(int*)inData = processHandle;
            *(int*)(inData + 4) = handle.ToInt32();
            *(int*)(inData + 8) = (int)objectInformationClass;

            _fileHandle.IoControl(CtlCode(Control.ZwQueryObject), inData, 12, outData);

            NtStatus status;

            fixed (byte* outDataPtr = outData)
            {
                status = *(NtStatus*)outDataPtr;
                returnLength = *(int*)(outDataPtr + 4);
                baseAddress = *(int*)(outDataPtr + 8);
            }

            if (buffer != IntPtr.Zero)
                Marshal.Copy(outData, 12, buffer, bufferLength);

            return status;
        }
Пример #17
0
 internal static extern NtStatus NtQueryObject(IntPtr ObjectHandle, ObjectInformationClass ObjectInformationClass, out OBJECT_BASIC_INFORMATION ObjectInformation, int ObjectInformationLength, ref int returnLength);
Пример #18
0
 internal static extern NtStatus NtQueryObject(IntPtr ObjectHandle, ObjectInformationClass ObjectInformationClass, IntPtr ObjectInformation, int ObjectInformationLength, ref int returnLength);
Пример #19
0
        private static SafeStructureInOutBuffer <T> QueryObject <T>(SafeKernelObjectHandle handle, ObjectInformationClass object_info) where T : new()
        {
            SafeStructureInOutBuffer <T> ret = null;
            NtStatus status = NtStatus.STATUS_BUFFER_TOO_SMALL;

            try
            {
                int return_length;
                status = NtSystemCalls.NtQueryObject(handle, object_info, IntPtr.Zero, 0, out return_length);
                if ((status != NtStatus.STATUS_BUFFER_TOO_SMALL) && (status != NtStatus.STATUS_INFO_LENGTH_MISMATCH))
                {
                    status.ToNtException();
                }
                if (return_length == 0)
                {
                    ret = new SafeStructureInOutBuffer <T>();
                }
                else
                {
                    ret = new SafeStructureInOutBuffer <T>(return_length, false);
                }
                status = NtSystemCalls.NtQueryObject(handle, object_info, ret.DangerousGetHandle(), ret.Length, out return_length);
                status.ToNtException();
            }
            finally
            {
                if (ret != null && !status.IsSuccess())
                {
                    ret.Close();
                    ret = null;
                }
            }
            return(ret);
        }
Пример #20
0
 public NtObject(IntPtr hObj, ObjectInformationClass infoClass, int estimatedSize)
 {
     Init(hObj, infoClass, estimatedSize);
 }
Пример #21
0
 internal static extern NTSTATUS PInvoke_NtQueryObject(IntPtr ObjectHandle, ObjectInformationClass ObjectInformationClass, IntPtr Info, uint InfoLength, out uint ReturnLength);
Пример #22
0
 internal static extern NtStatus NtQueryObject(
     [In] IntPtr Handle,
     [In] ObjectInformationClass ObjectInformationClass,
     [In] IntPtr ObjectInformation,
     [In] int ObjectInformationLength,
     [Out] out int ReturnLength);
Пример #23
0
 public void Init(IntPtr hObj, ObjectInformationClass infoClass, int estimatedSize)
 {
     Close();
     Buffer = Query(hObj, infoClass, estimatedSize);
 }
Пример #24
0
 public static extern NTSTATUS NtQueryObject(
     SafeHandle Handle,
     ObjectInformationClass ObjectInformationClass,
     IntPtr ObjectInformation,
     uint ObjectInformationLength,
     out uint ReturnLength);