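        /// <summary>
        /// Collects basic facts about a running process: its name, a handle obtained via
        /// <c>GetProcessHandle</c>, the base address of its loaded ntdll.dll module and
        /// whether it runs under WoW64 (queried through a resolved syscall stub for
        /// <c>NtQueryInformationProcess</c>).
        /// </summary>
        /// <param name="ProcId">Id of the process to inspect.</param>
        /// <returns>
        /// A <c>PROC_VALIDATION</c> whose <c>isvalid</c> is true when every step ran without
        /// throwing, or false when any step threw (process gone, access denied, stub resolution
        /// failed); in the latter case the remaining fields are only partially filled.
        /// </returns>
        public static PROC_VALIDATION ValidateProc(Int32 ProcId)
        {
            PROC_VALIDATION Pv = new PROC_VALIDATION();

            try
            {
                // Process is IDisposable and acquires its own handle when Modules is read;
                // release it once the data is copied out. Pv.hProc is a separate handle
                // obtained below, so disposing Proc does not affect it.
                using (Process Proc = Process.GetProcessById(ProcId))
                {
                    // Keep the first module whose path ends with ntdll.dll. Module paths are
                    // file-system paths, so compare ordinally and ignore case rather than
                    // relying on the culture-sensitive, case-sensitive default.
                    foreach (ProcessModule Module in Proc.Modules)
                    {
                        if (Module.FileName.EndsWith("ntdll.dll", StringComparison.OrdinalIgnoreCase))
                        {
                            Pv.pNtllBase = Module.BaseAddress;
                            break;
                        }
                    }

                    Pv.isvalid = true;
                    Pv.sName   = Proc.ProcessName;
                }

                Pv.hProc = GetProcessHandle(ProcId);

                // Information class 26 is ProcessWow64Information; the kernel writes a
                // pointer-sized value. Using a ulong buffer assumes a 64-bit caller —
                // TODO confirm if this is ever built for x86.
                ulong isWow64 = 0;
                uint  RetLen  = 0;

                IntPtr pSysCall = Generic.GetSyscallStub("NtQueryInformationProcess");
                NtQueryInformationProcess fSyscallNtQueryInformationProcess =
                    (NtQueryInformationProcess)Marshal.GetDelegateForFunctionPointer(pSysCall, typeof(NtQueryInformationProcess));

                // NOTE(review): the call's status is not checked. A failed query leaves
                // isWow64 at 0 and is reported as "not WoW64" while isvalid stays true.
                // Checking it needs the delegate's return type, which is declared elsewhere.
                fSyscallNtQueryInformationProcess(Pv.hProc, 26, ref isWow64, sizeof(ulong), ref RetLen);

                Pv.isWow64 = isWow64 != 0;
            }
            catch
            {
                // Deliberately best-effort: any failure marks the result invalid instead
                // of propagating, so callers only need to test isvalid.
                Pv.isvalid = false;
            }

            return Pv;
        }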
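        /// <summary>
        /// Collects basic facts about a running process: its name, a handle obtained via
        /// <c>GetProcessHandle</c>, the base address of its loaded ntdll.dll module and
        /// whether it runs under WoW64 (queried through the <c>NtQueryInformationProcess</c>
        /// declaration found elsewhere in this file).
        /// </summary>
        /// <param name="ProcId">Id of the process to inspect.</param>
        /// <returns>
        /// A <c>PROC_VALIDATION</c> whose <c>isvalid</c> is true when every step ran without
        /// throwing, or false when any step threw (process gone, access denied); in the
        /// latter case the remaining fields are only partially filled.
        /// </returns>
        public static PROC_VALIDATION ValidateProc(Int32 ProcId)
        {
            PROC_VALIDATION Pv = new PROC_VALIDATION();

            try
            {
                // Process is IDisposable and acquires its own handle when Modules is read;
                // release it once the data is copied out. Pv.hProc is a separate handle
                // obtained below, so disposing Proc does not affect it.
                using (Process Proc = Process.GetProcessById(ProcId))
                {
                    // No break here, so the LAST module whose path ends with ntdll.dll wins
                    // (this differs from variants that stop at the first match). Module paths
                    // are file-system paths, so compare ordinally and ignore case rather than
                    // relying on the culture-sensitive, case-sensitive default.
                    foreach (ProcessModule Module in Proc.Modules)
                    {
                        if (Module.FileName.EndsWith("ntdll.dll", StringComparison.OrdinalIgnoreCase))
                        {
                            Pv.pNtllBase = Module.BaseAddress;
                        }
                    }

                    Pv.isvalid = true;
                    Pv.sName   = Proc.ProcessName;
                }

                Pv.hProc = GetProcessHandle(ProcId);

                // Information class 26 is ProcessWow64Information; the kernel writes a
                // pointer-sized value. Using a ulong buffer assumes a 64-bit caller —
                // TODO confirm if this is ever built for x86.
                ulong isWow64 = 0;
                uint  RetLen  = 0;

                // NOTE(review): the call's status is not checked. A failed query leaves
                // isWow64 at 0 and is reported as "not WoW64" while isvalid stays true.
                // Checking it needs the declaration's return type, which is not visible here.
                NtQueryInformationProcess(Pv.hProc, 26, ref isWow64, sizeof(ulong), ref RetLen);

                Pv.isWow64 = isWow64 != 0;
            }
            catch
            {
                // Deliberately best-effort: any failure marks the result invalid instead
                // of propagating, so callers only need to test isvalid.
                Pv.isvalid = false;
            }

            return Pv;
        }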