示例#1
0
        public unsafe UIntPtr[] EnumJobs()
        {
            if (_PspGetNextJob == UIntPtr.Zero)
            {
                var symbol = new SymbolInfo();
                symbol.Init();
                if (_symbolHandler.GetSymbolFromName("PspGetNextJob", ref symbol))
                {
                    var offset = symbol.Address - _ntoskrnlBase;
                    Debug.Assert(_kernelAddress != UIntPtr.Zero);
                    _PspGetNextJob = new UIntPtr(_kernelAddress.ToUInt64() + offset);
                }
            }

            if (_PspGetNextJob == UIntPtr.Zero)
            {
                return(null);
            }

            var addresses = new UIntPtr[2048];                   // unlikely to be more... (famous last words)
            int returned;

            if (DeviceIoControl(_hDevice, KExploreEnumJobs,
                                ref _PspGetNextJob, UIntPtr.Size,
                                addresses, addresses.Length * IntPtr.Size,
                                out returned))
            {
                Array.Resize(ref addresses, returned / IntPtr.Size);
                return(addresses);
            }

            return(null);
        }
示例#2
0
文件: DbgHelper.cs 项目: lzz42/ZHello 
        public static SymbolInfo Create()
        {
            var symbol = new SymbolInfo();

            symbol.Init();
            return(symbol);
        }
示例#3
0
文件: DbgHelper.cs 项目: lzz42/ZHello 
        public SymbolInfo GetSymbolFromAddress(ulong address, out ulong displacement)
        {
            var info = new SymbolInfo();

            info.Init();
            Win32.SymFromAddr(_hProcess, address, out displacement, ref info).ThrowIfWin32Failed();
            return(info);
        }
示例#4
0
        public unsafe KernelObjectData[] EnumJobs()
        {
            int returned;

            if (!_initialized)
            {
                var symbol = new SymbolInfo();
                symbol.Init();
                if (_symbolHandler.GetSymbolFromName("PspGetNextJob", ref symbol))
                {
                    var offset = symbol.Address - _ntoskrnlBase;
                    Debug.Assert(_kernelAddress != UIntPtr.Zero);

                    var functions = new KernelFunctions {
                        PspGetNextJob = new UIntPtr(_kernelAddress.ToUInt64() + offset)
                    };
                    _initialized = DeviceIoControl(_hDevice, KExploreInitFunctions, ref functions, Marshal.SizeOf <KernelFunctions>(),
                                                   IntPtr.Zero, 0, out returned);
                }
            }
            if (!_initialized)
            {
                throw new InvalidOperationException("Failed to locate symbols");
            }

            var jobs   = new KernelObjectData[2048];                 // unlikely to be more... (famous last words)
            var access = (int)JobAccessMask.Query;

            if (DeviceIoControl(_hDevice, KExploreEnumJobs,
                                ref access, sizeof(int),
                                ref jobs[0], jobs.Length * Marshal.SizeOf <KernelObjectData>(), out returned))
            {
                Array.Resize(ref jobs, returned / Marshal.SizeOf <KernelObjectData>());
                return(jobs);
            }

            return(null);
        }
示例#5
0
文件: DbgHelper.cs 项目: lzz42/ZHello 
 public bool TryGetSymbolFromAddress(ulong address, ref SymbolInfo symbol, out ulong displacement)
 {
     symbol.Init();
     return(Win32.SymFromAddr(_hProcess, address, out displacement, ref symbol));
 }