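/// <summary>
/// Returns the PEB base address of the process identified by <paramref name="ProcessId"/>,
/// as reported by NtQueryInformationProcess(ProcessBasicInformation).
/// </summary>
/// <param name="ProcessId">Process id to open with <c>Kernel32.OpenProcess</c>.</param>
/// <returns>
/// The <c>PebBaseAddress</c> field of the queried PROCESS_BASIC_INFORMATION, or
/// <see cref="IntPtr.Zero"/> when the process could not be opened or the query did not
/// return STATUS_SUCCESS (previously an uninitialised buffer was read in both cases).
/// </returns>
public static IntPtr GetPEBAddress(uint ProcessId)
{
    // NOTE(review): ProcessAccess.All is far more than a ProcessBasicInformation query
    // needs; a query-only right would be the least-privilege choice if the enum exposes one.
    IntPtr hProc = Kernel32.OpenProcess(ProcessAccess.All, false, ProcessId);
    if (hProc == IntPtr.Zero)
    {
        // OpenProcess failed (no such process, or access denied) - nothing to query.
        return IntPtr.Zero;
    }

    int pbiSize = Marshal.SizeOf(typeof(PROCESS_BASIC_INFORMATION));
    IntPtr pbi = IntPtr.Zero;
    IntPtr returnLength = IntPtr.Zero;
    try
    {
        pbi = Marshal.AllocHGlobal(pbiSize);
        // The API writes a ULONG here; a long-sized buffer is simply a safe over-allocation.
        returnLength = Marshal.AllocHGlobal(sizeof(long));

        NtStatus queryStatus = NtDll.NtQueryInformationProcess(
            hProc,
            ProcessInfo.ProcessBasicInformation,
            pbi,
            (uint)pbiSize,
            returnLength);

        // STATUS_SUCCESS is 0; on any other status the buffer was never populated,
        // so marshalling it would return garbage rather than a PEB pointer.
        if (queryStatus != 0)
        {
            return IntPtr.Zero;
        }

        PROCESS_BASIC_INFORMATION info =
            (PROCESS_BASIC_INFORMATION)Marshal.PtrToStructure(pbi, typeof(PROCESS_BASIC_INFORMATION));
        return info.PebBaseAddress;
    }
    finally
    {
        // Release the handle and both native buffers on every path, including exceptions.
        Kernel32.CloseHandle(hProc);
        if (returnLength != IntPtr.Zero)
        {
            Marshal.FreeHGlobal(returnLength);
        }
        if (pbi != IntPtr.Zero)
        {
            Marshal.FreeHGlobal(pbi);
        }
    }
}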
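/// <summary>
/// Retrieves information about the specified process, using NtQueryInformationProcess when
/// <typeparamref name="T"/> is mapped to a <see cref="NtDll.PROCESSINFOCLASS"/> and
/// GetProcessInformation otherwise.
/// </summary>
/// <typeparam name="T">The type of information to retrieve.</typeparam>
/// <param name="process">
/// The process to query. This is a read-only call, so its handle needs a query right
/// (PROCESS_QUERY_INFORMATION, or PROCESS_QUERY_LIMITED_INFORMATION for the classes that
/// permit it - see Process Security and Access Rights); PROCESS_SET_INFORMATION is a write
/// right and is not required.
/// </param>
/// <returns>An object containing the requested type of information.</returns>
/// <exception cref="ArgumentNullException"><paramref name="process"/> is <c>null</c>.</exception>
/// <exception cref="ArgumentException">Type mismatch.</exception>
public static T GetInformation<T>(this Process process) where T : struct
{
    if (process is null)
    {
        throw new ArgumentNullException(nameof(process));
    }

    // Prefer the native information class when T carries a corresponding-type mapping;
    // otherwise fall back to the documented Win32 API.
    return CorrespondingTypeAttribute.CanGet<T, NtDll.PROCESSINFOCLASS>(out var pic)
        ? NtDll.NtQueryInformationProcess<T>(process, pic)
        : GetProcessInformation<T>(process);
}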
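/// <summary>
/// Returns the parent of <paramref name="P"/> as recorded in its PROCESS_BASIC_INFORMATION,
/// or <c>null</c> when no process with that id exists any more.
/// </summary>
/// <param name="P">The process whose parent is wanted; its handle is passed to NtQueryInformationProcess.</param>
/// <returns>
/// The parent <see cref="Process"/>, or <c>null</c> when <see cref="Process.GetProcessById(int)"/>
/// cannot find the recorded id.
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="P"/> is <c>null</c>.</exception>
/// <exception cref="Win32Exception">
/// NtQueryInformationProcess did not return STATUS_SUCCESS; the raw NTSTATUS is available in
/// <see cref="Win32Exception.NativeErrorCode"/>.
/// </exception>
public static Process GetParentProcess(this Process P)
{
    if (P is null)
    {
        throw new ArgumentNullException(nameof(P));
    }

    PROCESS_BASIC_INFORMATION PBI = new PROCESS_BASIC_INFORMATION();
    int RetLen;
    int Status = NtDll.NtQueryInformationProcess(
        P.Handle,
        ProcessInformationClasss.ProcessBasicInformation,
        new IntPtr(&PBI),
        Marshal.SizeOf(PBI),
        out RetLen);
    if (Status != 0)
    {
        // Status is an NTSTATUS, not a Win32 error code. Win32Exception's default message
        // is looked up in the Win32 error table, so it would describe the wrong error;
        // supply our own text and keep the raw value in NativeErrorCode for callers.
        throw new Win32Exception(Status,
            $"NtQueryInformationProcess(ProcessBasicInformation) failed with NTSTATUS 0x{Status:X8}");
    }

    // Reserved3 is the slot where the Win32 PROCESS_BASIC_INFORMATION layout keeps
    // InheritedFromUniqueProcessId - TODO confirm against this project's struct definition.
    int parentPid = PBI.Reserved3.ToInt32();

    // NOTE(review): process ids are recycled. If the real parent has already exited, this id
    // may now belong to an unrelated process; callers that need certainty should additionally
    // check that the candidate's StartTime precedes P's.
    try
    {
        return Process.GetProcessById(parentPid);
    }
    catch (ArgumentException)
    {
        // GetProcessById throws when no running process has that id.
        return null;
    }
}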