// Reads native process info from a 64/32-bit process in the case where the target architecture // of this process is the same as that of the target process. private bool LoadProcessInfoNative(SafeProcessHandle handle, ProcessAccessFlags flags) { ProcessBasicInformation basicInfo = new ProcessBasicInformation(); int size; int status = NativeMethods.NtQueryInformationProcess( handle, ProcessInfoClass.BasicInformation, ref basicInfo, MarshalUtility.UnmanagedStructSize <ProcessBasicInformation>(), out size); _parentProcessId = basicInfo.ParentProcessId.ToInt32(); // If we can't load the ProcessBasicInfo, then we can't really do anything. if (status != NtStatus.Success || basicInfo.PebBaseAddress == IntPtr.Zero) { return(false); } if (flags.HasFlag(ProcessAccessFlags.VmRead)) { // Follows a pointer from the PROCESS_BASIC_INFORMATION structure in the target process's // address space to read the PEB. Peb peb = MarshalUtility.ReadUnmanagedStructFromProcess <Peb>( handle, basicInfo.PebBaseAddress); _isBeingDebugged = peb.IsBeingDebugged; if (peb.ProcessParameters != IntPtr.Zero) { // Follows a pointer from the PEB structure in the target process's address space to read // the RTL_USER_PROCESS_PARAMS. RtlUserProcessParameters processParameters = new RtlUserProcessParameters(); processParameters = MarshalUtility.ReadUnmanagedStructFromProcess <RtlUserProcessParameters>( handle, peb.ProcessParameters); _commandLine = MarshalUtility.ReadStringUniFromProcess( handle, processParameters.CommandLine.Buffer, processParameters.CommandLine.Length / 2); } } return(true); }
// Reads native process info from a 64/32-bit process in the case where the target architecture // of this process is the same as that of the target process. private bool LoadProcessInfoNative(SafeProcessHandle handle, ProcessAccessFlags flags) { ProcessBasicInformation basicInfo = new ProcessBasicInformation(); int size; int status = NativeMethods.NtQueryInformationProcess( handle, ProcessInfoClass.BasicInformation, ref basicInfo, MarshalUtility.UnmanagedStructSize<ProcessBasicInformation>(), out size); _parentProcessId = basicInfo.ParentProcessId.ToInt32(); // If we can't load the ProcessBasicInfo, then we can't really do anything. if (status != NtStatus.Success || basicInfo.PebBaseAddress == IntPtr.Zero) return false; if (flags.HasFlag(ProcessAccessFlags.VmRead)) { // Follows a pointer from the PROCESS_BASIC_INFORMATION structure in the target process's // address space to read the PEB. Peb peb = MarshalUtility.ReadUnmanagedStructFromProcess<Peb>( handle, basicInfo.PebBaseAddress); _isBeingDebugged = peb.IsBeingDebugged; if (peb.ProcessParameters != IntPtr.Zero) { // Follows a pointer from the PEB structure in the target process's address space to read // the RTL_USER_PROCESS_PARAMS. RtlUserProcessParameters processParameters = new RtlUserProcessParameters(); processParameters = MarshalUtility.ReadUnmanagedStructFromProcess<RtlUserProcessParameters>( handle, peb.ProcessParameters); _commandLine = MarshalUtility.ReadStringUniFromProcess( handle, processParameters.CommandLine.Buffer, processParameters.CommandLine.Length / 2); } } return true; }
// Reads native process info from a 64-bit process in the case where this function is executing // in a 32-bit process. private bool LoadProcessInfoWow64(SafeProcessHandle handle, ProcessAccessFlags flags) { ulong pebSize = (ulong)MarshalUtility.UnmanagedStructSize<PebWow64>(); ulong processParamsSize = (ulong)MarshalUtility.UnmanagedStructSize<RtlUserProcessParametersWow64>(); // Read PROCESS_BASIC_INFORMATION up to and including the pointer to PEB structure. int processInfoSize = MarshalUtility.UnmanagedStructSize<ProcessBasicInformationWow64>(); ProcessBasicInformationWow64 pbi = new ProcessBasicInformationWow64(); int result = NativeMethods.NtWow64QueryInformationProcess64( handle, ProcessInfoClass.BasicInformation, ref pbi, processInfoSize, out processInfoSize); if (result != 0) return false; _parentProcessId = (int)pbi.ParentProcessId; Debug.Assert((int)pbi.UniqueProcessId == _processId); if (flags.HasFlag(ProcessAccessFlags.VmRead)) { IntPtr pebBuffer = IntPtr.Zero; IntPtr processParametersBuffer = IntPtr.Zero; IntPtr commandLineBuffer = IntPtr.Zero; try { pebBuffer = Marshal.AllocHGlobal((int)pebSize); // Read PEB up to and including the pointer to RTL_USER_PROCESS_PARAMETERS // structure. result = NativeMethods.NtWow64ReadVirtualMemory64( handle, pbi.PebBaseAddress, pebBuffer, pebSize, out pebSize); if (result != 0) return false; PebWow64 peb = (PebWow64)Marshal.PtrToStructure(pebBuffer, typeof(PebWow64)); _isBeingDebugged = peb.IsBeingDebugged; processParametersBuffer = Marshal.AllocHGlobal((int)processParamsSize); result = NativeMethods.NtWow64ReadVirtualMemory64( handle, peb.ProcessParameters, processParametersBuffer, processParamsSize, out processParamsSize); if (result != 0) return false; RtlUserProcessParametersWow64 processParameters = (RtlUserProcessParametersWow64) Marshal.PtrToStructure( processParametersBuffer, typeof(RtlUserProcessParametersWow64)); ulong commandLineBufferSize = (ulong)processParameters.CommandLine.MaximumLength; commandLineBuffer = Marshal.AllocHGlobal((int)commandLineBufferSize); result = NativeMethods.NtWow64ReadVirtualMemory64( handle, processParameters.CommandLine.Buffer, commandLineBuffer, commandLineBufferSize, out commandLineBufferSize); if (result != 0) return false; _commandLine = Marshal.PtrToStringUni(commandLineBuffer); } finally { if (pebBuffer != IntPtr.Zero) Marshal.FreeHGlobal(pebBuffer); if (commandLineBuffer != IntPtr.Zero) Marshal.FreeHGlobal(commandLineBuffer); if (processParametersBuffer != IntPtr.Zero) Marshal.FreeHGlobal(processParametersBuffer); } } return true; }
// Reads native process info from a 64-bit process in the case where this function is executing // in a 32-bit process. private bool LoadProcessInfoWow64(SafeProcessHandle handle, ProcessAccessFlags flags) { ulong pebSize = (ulong)MarshalUtility.UnmanagedStructSize <PebWow64>(); ulong processParamsSize = (ulong)MarshalUtility.UnmanagedStructSize <RtlUserProcessParametersWow64>(); // Read PROCESS_BASIC_INFORMATION up to and including the pointer to PEB structure. int processInfoSize = MarshalUtility.UnmanagedStructSize <ProcessBasicInformationWow64>(); ProcessBasicInformationWow64 pbi = new ProcessBasicInformationWow64(); int result = NativeMethods.NtWow64QueryInformationProcess64( handle, ProcessInfoClass.BasicInformation, ref pbi, processInfoSize, out processInfoSize); if (result != 0) { return(false); } _parentProcessId = (int)pbi.ParentProcessId; Debug.Assert((int)pbi.UniqueProcessId == _processId); if (flags.HasFlag(ProcessAccessFlags.VmRead)) { IntPtr pebBuffer = IntPtr.Zero; IntPtr processParametersBuffer = IntPtr.Zero; IntPtr commandLineBuffer = IntPtr.Zero; try { pebBuffer = Marshal.AllocHGlobal((int)pebSize); // Read PEB up to and including the pointer to RTL_USER_PROCESS_PARAMETERS // structure. result = NativeMethods.NtWow64ReadVirtualMemory64( handle, pbi.PebBaseAddress, pebBuffer, pebSize, out pebSize); if (result != 0) { return(false); } PebWow64 peb = (PebWow64)Marshal.PtrToStructure(pebBuffer, typeof(PebWow64)); _isBeingDebugged = peb.IsBeingDebugged; processParametersBuffer = Marshal.AllocHGlobal((int)processParamsSize); result = NativeMethods.NtWow64ReadVirtualMemory64( handle, peb.ProcessParameters, processParametersBuffer, processParamsSize, out processParamsSize); if (result != 0) { return(false); } RtlUserProcessParametersWow64 processParameters = (RtlUserProcessParametersWow64) Marshal.PtrToStructure( processParametersBuffer, typeof(RtlUserProcessParametersWow64)); ulong commandLineBufferSize = (ulong)processParameters.CommandLine.MaximumLength; commandLineBuffer = Marshal.AllocHGlobal((int)commandLineBufferSize); result = NativeMethods.NtWow64ReadVirtualMemory64( handle, processParameters.CommandLine.Buffer, commandLineBuffer, commandLineBufferSize, out commandLineBufferSize); if (result != 0) { return(false); } _commandLine = Marshal.PtrToStringUni(commandLineBuffer); } finally { if (pebBuffer != IntPtr.Zero) { Marshal.FreeHGlobal(pebBuffer); } if (commandLineBuffer != IntPtr.Zero) { Marshal.FreeHGlobal(commandLineBuffer); } if (processParametersBuffer != IntPtr.Zero) { Marshal.FreeHGlobal(processParametersBuffer); } } } return(true); }