/// <summary>
/// Reads the Thread Basic Information (TBI) struct of a process.
/// </summary>
/// <param name="process">The process to read.</param>
/// <returns>Returns a 32 bit Thread Basic Information (TBI) struct equivalent.</returns>
public static PInvokeStuff.THREAD_BASIC_INFORMATION GetTBI(Process process)
{
IntPtr hThread = PInvokeStuff.OpenThread(PInvokeStuff.ThreadAccess.QueryInformation, false, (uint)process.Threads.OfType <ProcessThread>().First().Id);
if (hThread == null) // Some implementations on StackExchange compare against IntPtr.zero - but MSDN says it returns null, not null pointer
{
throw new Exceptions.PInvokeException(nameof(GetTBI), nameof(PInvokeStuff.OpenThread), Marshal.GetLastWin32Error());
}
try
{
PInvokeStuff.THREAD_BASIC_INFORMATION tbi = new PInvokeStuff.THREAD_BASIC_INFORMATION();
int result = PInvokeStuff.NtQueryInformationThread(hThread, PInvokeStuff.ThreadInfoClass.ThreadBasicInformation, out tbi, (uint)Marshal.SizeOf(tbi));
// NtQueryInformationThread returns nonzero (NTSTATUS) if failed
if (result != 0)
{
throw new Exceptions.PInvokeException(nameof(GetTBI), nameof(PInvokeStuff.NtQueryInformationThread), result);
}
return(tbi);
}
finally
{
PInvokeStuff.CloseHandle(hThread);
}
}
/// <summary>
/// Checks if process handle is associated to a 32 bit process.
/// </summary>
/// <param name="processHandle">The handle of the process to check.</param>
/// <returns>Returns true if process is 32 bit, false if it is 64bit.</returns>
public static bool Is32BitProcess(IntPtr processHandle)
{
bool Is32Bit = false;
try { PInvokeStuff.IsWow64Process(processHandle, out Is32Bit); }
catch { throw new Exceptions.PInvokeException(nameof(Is32BitProcess), nameof(PInvokeStuff.IsWow64Process), Marshal.GetLastWin32Error()); }
return(Is32Bit);
}
/// <summary>
/// Reads the specified memory area of a process into a byte array.
/// </summary>
/// <param name="processHandle">The handle of the target process</param>
/// <param name="memoryAddress">The private memory address of the process to read from. Effectively a pointer.</param>
/// <param name="numberOfBytes"></param>
/// <returns>Returns target memory area as a byte array</returns>
public static byte[] ReadToByteArray(IntPtr processHandle, uint memoryAddress, uint numberOfBytes)
{
byte[] bytes = new byte[numberOfBytes];
var result = PInvokeStuff.ReadProcessMemory(processHandle, memoryAddress, bytes, (uint)bytes.Length, IntPtr.Zero);
// ReadProcessMemory returns 0 if failed
if (!result)
{
throw new Exceptions.PInvokeException(nameof(ReadToByteArray), nameof(PInvokeStuff.ReadProcessMemory), Marshal.GetLastWin32Error());
}
return(bytes);
}
/// <summary>
/// Reads the MODULEINFO struct of a process.
/// </summary>
/// <param name="process">The process to read.</param>
/// <returns>Returns a 32 bit representation of the MODULEINFO struct.</returns>
public static PInvokeStuff.MODULEINFO GetKernel32ModuleInfo(Process process)
{
// GetModuleHandle returns NULL when failed
IntPtr moduleHandle = PInvokeStuff.GetModuleHandle("kernel32.dll");
if (moduleHandle == null)
{
throw new Exceptions.PInvokeException(nameof(GetKernel32ModuleInfo), nameof(PInvokeStuff.GetModuleHandle), Marshal.GetLastWin32Error());
}
PInvokeStuff.MODULEINFO mi = new PInvokeStuff.MODULEINFO();
// GetModuleInformation returns 0 when failed
var result = PInvokeStuff.GetModuleInformation(process.Handle, moduleHandle, out mi, (uint)Marshal.SizeOf(mi));
if (!result)
{
throw new Exceptions.PInvokeException(nameof(GetKernel32ModuleInfo), nameof(PInvokeStuff.GetModuleInformation), Marshal.GetLastWin32Error());
}
return(mi);
}
