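/// <summary>
/// Queries the PROCESS_BASIC_INFORMATION block for a process handle via
/// NtQueryInformationProcess and marshals it into a managed struct.
/// </summary>
/// <param name="hProcess">Handle to the process being queried.</param>
/// <returns>The marshaled PROCESS_BASIC_INFORMATION for the process.</returns>
/// <exception cref="UnauthorizedAccessException">Thrown when the query does not return NTSTATUS.Success.</exception>
public static Execute.Native.PROCESS_BASIC_INFORMATION NtQueryInformationProcessBasicInformation(IntPtr hProcess)
{
    // NtQueryInformationProcess allocates the output buffer with Marshal.AllocHGlobal and
    // hands it back through pProcInfo; this method owns that buffer from here on.
    Execute.Native.NTSTATUS retValue = NtQueryInformationProcess(hProcess, Execute.Native.PROCESSINFOCLASS.ProcessBasicInformation, out IntPtr pProcInfo);
    try
    {
        if (retValue != Execute.Native.NTSTATUS.Success)
        {
            throw new UnauthorizedAccessException("Access is denied.");
        }
        return (Execute.Native.PROCESS_BASIC_INFORMATION)Marshal.PtrToStructure(pProcInfo, typeof(Execute.Native.PROCESS_BASIC_INFORMATION));
    }
    finally
    {
        // Release the unmanaged buffer on every path; the original version never freed it,
        // leaking one allocation per call.
        if (pProcInfo != IntPtr.Zero)
        {
            Marshal.FreeHGlobal(pProcInfo);
        }
    }
}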
/// <summary>
/// Loads a module from the given path through LdrLoadDll.
/// </summary>
/// <param name="DLLPath">Path of the module to load; wrapped into a UNICODE_STRING via RtlInitUnicodeString.</param>
/// <returns>
/// The module handle, or IntPtr.Zero when LdrLoadDll reports a status other than Success
/// or yields a null handle.
/// </returns>
public static IntPtr LoadModuleFromDisk(string DLLPath)
{
    var moduleName = new SPEx.Native.UNICODE_STRING();
    Native.RtlInitUnicodeString(ref moduleName, DLLPath);

    var handle = IntPtr.Zero;
    SPEx.Native.NTSTATUS status = Native.LdrLoadDll(IntPtr.Zero, 0, ref moduleName, ref handle);

    // Both a non-success status and a null handle collapse to IntPtr.Zero for the caller.
    bool loaded = status == SPEx.Native.NTSTATUS.Success && handle != IntPtr.Zero;
    return loaded ? handle : IntPtr.Zero;
}
/// <summary>
/// Invokes ntdll!LdrLoadDll through Generic.DynamicAPIInvoke using the DELEGATES.LdrLoadDll signature.
/// </summary>
/// <param name="PathToFile">Passed through as the first native argument.</param>
/// <param name="dwFlags">Passed through as the second native argument.</param>
/// <param name="ModuleFileName">Module name as a UNICODE_STRING; not written back after the call.</param>
/// <param name="ModuleHandle">Receives the value left in argument slot 3 by the invoker.</param>
/// <returns>The NTSTATUS returned by the native call.</returns>
public static Execute.Native.NTSTATUS LdrLoadDll(IntPtr PathToFile, UInt32 dwFlags, ref Execute.Native.UNICODE_STRING ModuleFileName, ref IntPtr ModuleHandle)
{
    // The array is passed by ref so the invoker can replace elements it treats as ref/out.
    var arguments = new object[] { PathToFile, dwFlags, ModuleFileName, ModuleHandle };
    var status = (Execute.Native.NTSTATUS)Generic.DynamicAPIInvoke(@"ntdll.dll", @"LdrLoadDll", typeof(DELEGATES.LdrLoadDll), ref arguments);

    // Only the handle slot is copied back to the caller.
    ModuleHandle = (IntPtr)arguments[3];
    return status;
}
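/// <summary>
/// Invokes ntdll!NtQueryInformationProcess for the given information class, allocating the
/// unmanaged output buffer that the caller receives in <paramref name="pProcInfo"/>.
/// </summary>
/// <param name="hProcess">Handle to the process being queried.</param>
/// <param name="processInfoClass">Information class; only ProcessWow64Information and ProcessBasicInformation are supported.</param>
/// <param name="pProcInfo">
/// On success, an HGlobal buffer holding the query result. The caller owns it and must
/// release it with Marshal.FreeHGlobal.
/// </param>
/// <returns>NTSTATUS.Success; any other status is reported by throwing instead of returning.</returns>
/// <exception cref="InvalidOperationException">Thrown for an unsupported information class.</exception>
/// <exception cref="UnauthorizedAccessException">
/// Thrown when the native call returns a status other than Success. The output buffer is
/// released before throwing, so the caller must not free it on this path.
/// </exception>
public static Execute.Native.NTSTATUS NtQueryInformationProcess(IntPtr hProcess, Execute.Native.PROCESSINFOCLASS processInfoClass, out IntPtr pProcInfo)
{
    int processInformationLength;
    UInt32 RetLen = 0;

    switch (processInfoClass)
    {
        case Execute.Native.PROCESSINFOCLASS.ProcessWow64Information:
            // The result is a single pointer-sized value.
            processInformationLength = IntPtr.Size;
            pProcInfo = Marshal.AllocHGlobal(processInformationLength);
            RtlZeroMemory(pProcInfo, processInformationLength);
            break;
        case Execute.Native.PROCESSINFOCLASS.ProcessBasicInformation:
            // A zero-filled buffer is equivalent to a default PROCESS_BASIC_INFORMATION, so the
            // StructureToPtr(..., fDeleteOld: true) the original performed on the fresh buffer
            // is unnecessary (fDeleteOld expects a previously marshaled structure there).
            processInformationLength = Marshal.SizeOf(typeof(Execute.Native.PROCESS_BASIC_INFORMATION));
            pProcInfo = Marshal.AllocHGlobal(processInformationLength);
            RtlZeroMemory(pProcInfo, processInformationLength);
            break;
        default:
            throw new InvalidOperationException($"Invalid ProcessInfoClass: {processInfoClass}");
    }

    // Passed by ref so the invoker can rewrite ref/out slots (the buffer pointer in slot 2).
    object[] funcargs = { hProcess, processInfoClass, pProcInfo, processInformationLength, RetLen };
    Execute.Native.NTSTATUS retValue;
    try
    {
        retValue = (Execute.Native.NTSTATUS)Generic.DynamicAPIInvoke(@"ntdll.dll", @"NtQueryInformationProcess", typeof(DELEGATES.NtQueryInformationProcess), ref funcargs);
    }
    catch
    {
        // The invoker failed before producing a status; do not leak the buffer.
        Marshal.FreeHGlobal(pProcInfo);
        throw;
    }

    if (retValue != Execute.Native.NTSTATUS.Success)
    {
        // Release the buffer before failing; the original leaked it on every non-success status.
        // The message now carries the actual NTSTATUS rather than a fixed "Access is denied.",
        // which was misleading for every other failure code.
        Marshal.FreeHGlobal(pProcInfo);
        throw new UnauthorizedAccessException($"NtQueryInformationProcess returned {retValue}.");
    }

    pProcInfo = (IntPtr)funcargs[2];
    return retValue;
}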