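        /// <summary>
        /// Queries the ProcessBasicInformation class for <paramref name="hProcess"/> and returns a managed copy
        /// of the resulting PROCESS_BASIC_INFORMATION structure.
        /// </summary>
        /// <param name="hProcess">Handle to the process being queried.</param>
        /// <returns>A managed copy of the PROCESS_BASIC_INFORMATION block written by ntdll.</returns>
        /// <exception cref="UnauthorizedAccessException">Thrown when the underlying query does not report NTSTATUS.Success.</exception>
        public static Execute.Native.PROCESS_BASIC_INFORMATION NtQueryInformationProcessBasicInformation(IntPtr hProcess)
        {
            // NtQueryInformationProcess hands back a buffer it allocated with Marshal.AllocHGlobal and leaves
            // ownership with the caller, so the buffer must be released here once the struct has been copied out.
            Execute.Native.NTSTATUS retValue = NtQueryInformationProcess(hProcess, Execute.Native.PROCESSINFOCLASS.ProcessBasicInformation, out IntPtr pProcInfo);
            try
            {
                if (retValue != Execute.Native.NTSTATUS.Success)
                {
                    throw new UnauthorizedAccessException("Access is denied.");
                }

                // Copy the unmanaged block into a managed struct before the buffer is freed below.
                return (Execute.Native.PROCESS_BASIC_INFORMATION)Marshal.PtrToStructure(pProcInfo, typeof(Execute.Native.PROCESS_BASIC_INFORMATION));
            }
            finally
            {
                if (pProcInfo != IntPtr.Zero)
                {
                    Marshal.FreeHGlobal(pProcInfo);
                }
            }
        }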
        /// <summary>
        /// Loads a module from disk via LdrLoadDll and returns its base address.
        /// </summary>
        /// <param name="DLLPath">Path of the DLL to load; it is wrapped in a UNICODE_STRING before the call.</param>
        /// <returns>The module handle, or <see cref="IntPtr.Zero"/> when LdrLoadDll does not report success or yields no handle.</returns>
        public static IntPtr LoadModuleFromDisk(string DLLPath)
        {
            // Build the counted string LdrLoadDll expects from the managed path.
            SPEx.Native.UNICODE_STRING moduleName = new SPEx.Native.UNICODE_STRING();
            Native.RtlInitUnicodeString(ref moduleName, DLLPath);
            // NOTE(review): moduleName.Buffer is filled in by RtlInitUnicodeString; whether that pointer is still
            // valid by the time LdrLoadDll runs depends on how the string argument is marshalled — confirm.

            IntPtr baseAddress = IntPtr.Zero;
            SPEx.Native.NTSTATUS status = Native.LdrLoadDll(IntPtr.Zero, 0, ref moduleName, ref baseAddress);

            // A non-success status and an empty handle are both reported to the caller as IntPtr.Zero.
            bool loaded = status == SPEx.Native.NTSTATUS.Success && baseAddress != IntPtr.Zero;
            return loaded ? baseAddress : IntPtr.Zero;
        }
        /// <summary>
        /// Invokes ntdll!LdrLoadDll through the dynamic API resolver rather than a static P/Invoke import.
        /// </summary>
        /// <param name="PathToFile">Optional search path, passed through to LdrLoadDll unchanged.</param>
        /// <param name="dwFlags">Load flags, passed through to LdrLoadDll unchanged.</param>
        /// <param name="ModuleFileName">Counted string naming the module to load; treated as input-only.</param>
        /// <param name="ModuleHandle">Receives the module handle the call writes back.</param>
        /// <returns>The NTSTATUS reported by LdrLoadDll.</returns>
        public static Execute.Native.NTSTATUS LdrLoadDll(IntPtr PathToFile, UInt32 dwFlags, ref Execute.Native.UNICODE_STRING ModuleFileName, ref IntPtr ModuleHandle)
        {
            // Arguments travel through an object[] so the resolver can marshal them; values the
            // callee writes through reference parameters are read back from the array afterwards.
            object[] args = new object[] { PathToFile, dwFlags, ModuleFileName, ModuleHandle };

            Execute.Native.NTSTATUS status = (Execute.Native.NTSTATUS)Generic.DynamicAPIInvoke(@"ntdll.dll", @"LdrLoadDll", typeof(DELEGATES.LdrLoadDll), ref args);

            // Only the handle slot is copied back; the UNICODE_STRING is not updated.
            ModuleHandle = (IntPtr)args[3];

            return status;
        }
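        /// <summary>
        /// Calls ntdll!NtQueryInformationProcess through the dynamic API resolver for the information
        /// classes this wrapper knows how to size.
        /// </summary>
        /// <param name="hProcess">Handle to the process being queried.</param>
        /// <param name="processInfoClass">Information class to query; only ProcessWow64Information and ProcessBasicInformation are supported.</param>
        /// <param name="pProcInfo">
        /// On success, an unmanaged buffer allocated with <see cref="Marshal.AllocHGlobal(int)"/> that holds the
        /// returned data. Ownership passes to the caller, who must release it with <see cref="Marshal.FreeHGlobal"/>.
        /// On failure the buffer is released here and <see cref="IntPtr.Zero"/> is written before throwing.
        /// </param>
        /// <returns>The NTSTATUS reported by the call; any status other than Success is turned into an exception instead.</returns>
        /// <exception cref="InvalidOperationException">Thrown for an information class this wrapper cannot size.</exception>
        /// <exception cref="UnauthorizedAccessException">
        /// Thrown for every non-success NTSTATUS, not only access-denied ones — the message is fixed and does not carry the status code.
        /// </exception>
        public static Execute.Native.NTSTATUS NtQueryInformationProcess(IntPtr hProcess, Execute.Native.PROCESSINFOCLASS processInfoClass, out IntPtr pProcInfo)
        {
            int    processInformationLength;
            UInt32 RetLen = 0;

            // Each supported class needs a differently sized, zero-initialised output buffer.
            switch (processInfoClass)
            {
                case Execute.Native.PROCESSINFOCLASS.ProcessWow64Information:
                    // This class returns a single pointer-sized value.
                    processInformationLength = IntPtr.Size;
                    pProcInfo = Marshal.AllocHGlobal(processInformationLength);
                    RtlZeroMemory(pProcInfo, processInformationLength);
                    break;

                case Execute.Native.PROCESSINFOCLASS.ProcessBasicInformation:
                    Execute.Native.PROCESS_BASIC_INFORMATION PBI = new Execute.Native.PROCESS_BASIC_INFORMATION();
                    processInformationLength = Marshal.SizeOf(PBI);
                    pProcInfo = Marshal.AllocHGlobal(processInformationLength);
                    RtlZeroMemory(pProcInfo, processInformationLength);
                    // fDeleteOld is false: the buffer was just allocated and holds no previously marshalled struct to tear down.
                    Marshal.StructureToPtr(PBI, pProcInfo, false);
                    break;

                default:
                    throw new InvalidOperationException($"Invalid ProcessInfoClass: {processInfoClass}");
            }

            object[] funcargs =
            {
                hProcess, processInfoClass, pProcInfo, processInformationLength, RetLen
            };

            Execute.Native.NTSTATUS retValue = (Execute.Native.NTSTATUS)Generic.DynamicAPIInvoke(@"ntdll.dll", @"NtQueryInformationProcess", typeof(DELEGATES.NtQueryInformationProcess), ref funcargs);
            if (retValue != Execute.Native.NTSTATUS.Success)
            {
                // The caller never receives the buffer on this path, so release it here rather than leaking it.
                Marshal.FreeHGlobal(pProcInfo);
                pProcInfo = IntPtr.Zero;
                throw new UnauthorizedAccessException("Access is denied.");
            }

            // Take whatever pointer the resolver wrote back into the argument array.
            pProcInfo = (IntPtr)funcargs[2];

            return(retValue);
        }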