/// <summary> /// Reads the Thread Basic Information (TBI) struct of a process. /// </summary> /// <param name="process">The process to read.</param> /// <returns>Returns a 32 bit Thread Basic Information (TBI) struct equivalent.</returns> public static PInvokeStuff.THREAD_BASIC_INFORMATION GetTBI(Process process) { IntPtr hThread = PInvokeStuff.OpenThread(PInvokeStuff.ThreadAccess.QueryInformation, false, (uint)process.Threads.OfType <ProcessThread>().First().Id); if (hThread == null) // Some implementations on StackExchange compare against IntPtr.zero - but MSDN says it returns null, not null pointer { throw new Exceptions.PInvokeException(nameof(GetTBI), nameof(PInvokeStuff.OpenThread), Marshal.GetLastWin32Error()); } try { PInvokeStuff.THREAD_BASIC_INFORMATION tbi = new PInvokeStuff.THREAD_BASIC_INFORMATION(); int result = PInvokeStuff.NtQueryInformationThread(hThread, PInvokeStuff.ThreadInfoClass.ThreadBasicInformation, out tbi, (uint)Marshal.SizeOf(tbi)); // NtQueryInformationThread returns nonzero (NTSTATUS) if failed if (result != 0) { throw new Exceptions.PInvokeException(nameof(GetTBI), nameof(PInvokeStuff.NtQueryInformationThread), result); } return(tbi); } finally { PInvokeStuff.CloseHandle(hThread); } }
/// <summary> /// Checks if process handle is associated to a 32 bit process. /// </summary> /// <param name="processHandle">The handle of the process to check.</param> /// <returns>Returns true if process is 32 bit, false if it is 64bit.</returns> public static bool Is32BitProcess(IntPtr processHandle) { bool Is32Bit = false; try { PInvokeStuff.IsWow64Process(processHandle, out Is32Bit); } catch { throw new Exceptions.PInvokeException(nameof(Is32BitProcess), nameof(PInvokeStuff.IsWow64Process), Marshal.GetLastWin32Error()); } return(Is32Bit); }
/// <summary> /// Reads the specified memory area of a process into a byte array. /// </summary> /// <param name="processHandle">The handle of the target process</param> /// <param name="memoryAddress">The private memory address of the process to read from. Effectively a pointer.</param> /// <param name="numberOfBytes"></param> /// <returns>Returns target memory area as a byte array</returns> public static byte[] ReadToByteArray(IntPtr processHandle, uint memoryAddress, uint numberOfBytes) { byte[] bytes = new byte[numberOfBytes]; var result = PInvokeStuff.ReadProcessMemory(processHandle, memoryAddress, bytes, (uint)bytes.Length, IntPtr.Zero); // ReadProcessMemory returns 0 if failed if (!result) { throw new Exceptions.PInvokeException(nameof(ReadToByteArray), nameof(PInvokeStuff.ReadProcessMemory), Marshal.GetLastWin32Error()); } return(bytes); }
/// <summary> /// Reads the MODULEINFO struct of a process. /// </summary> /// <param name="process">The process to read.</param> /// <returns>Returns a 32 bit representation of the MODULEINFO struct.</returns> public static PInvokeStuff.MODULEINFO GetKernel32ModuleInfo(Process process) { // GetModuleHandle returns NULL when failed IntPtr moduleHandle = PInvokeStuff.GetModuleHandle("kernel32.dll"); if (moduleHandle == null) { throw new Exceptions.PInvokeException(nameof(GetKernel32ModuleInfo), nameof(PInvokeStuff.GetModuleHandle), Marshal.GetLastWin32Error()); } PInvokeStuff.MODULEINFO mi = new PInvokeStuff.MODULEINFO(); // GetModuleInformation returns 0 when failed var result = PInvokeStuff.GetModuleInformation(process.Handle, moduleHandle, out mi, (uint)Marshal.SizeOf(mi)); if (!result) { throw new Exceptions.PInvokeException(nameof(GetKernel32ModuleInfo), nameof(PInvokeStuff.GetModuleInformation), Marshal.GetLastWin32Error()); } return(mi); }