public T FdReadProcessMemory <T>(IntPtr pid, IntPtr address, ulong size) { KERNEL_READ_MEMORY_REQUEST krmr = new KERNEL_READ_MEMORY_REQUEST { ProcessId = pid, Address = address, Size = size }; IntPtr krmrPointer = MarshalUtility.CopyStructToMemory(krmr); int krmrSize = Marshal.SizeOf <KERNEL_READ_MEMORY_REQUEST>(); if (DeviceIoControl(hDriver, IO_READ_MEMORY_REQUEST, krmrPointer, krmrSize, krmrPointer, krmrSize, IntPtr.Zero, IntPtr.Zero)) { try { krmr = MarshalUtility.GetStructFromMemory <KERNEL_READ_MEMORY_REQUEST>(krmrPointer); return((T)Convert.ChangeType((ulong)krmr.Response.ToInt64(), typeof(T))); } catch (Exception) { Console.WriteLine(@"Exception in NµReadProcessMemory!"); return((T)Convert.ChangeType(false, typeof(T))); } } return((T)Convert.ChangeType(false, typeof(T))); }
private ulong FdGetProcessListSize() { IntPtr operationPointer = MarshalUtility.AllocEmptyStruct <KERNEL_PROCESS_LIST_REQUEST>(); int operationSize = Marshal.SizeOf <KERNEL_PROCESS_LIST_REQUEST>(); if (DeviceIoControl(hDriver, IO_PROCESS_LIST_REQUEST, operationPointer, operationSize, operationPointer, operationSize, IntPtr.Zero, IntPtr.Zero)) { KERNEL_PROCESS_LIST_REQUEST operation = MarshalUtility.GetStructFromMemory <KERNEL_PROCESS_LIST_REQUEST>(operationPointer); return(operation.ProcessListSize); } return(0); }
public bool FdWriteProcessMemory(IntPtr pid, IntPtr address, IntPtr value, ulong size) { KERNEL_WRITE_MEMORY_REQUEST kwmr = new KERNEL_WRITE_MEMORY_REQUEST { ProcessId = pid, Address = address, Value = value, Size = size }; IntPtr kwmrPointer = MarshalUtility.CopyStructToMemory(kwmr); int kwmrSize = Marshal.SizeOf <KERNEL_WRITE_MEMORY_REQUEST>(); return(DeviceIoControl(hDriver, IO_WRITE_MEMORY_REQUEST, kwmrPointer, kwmrSize, IntPtr.Zero, 0, IntPtr.Zero, IntPtr.Zero)); }
public bool FdGetModuleList(IntPtr pid, out ModuleListItem[] result) { result = Array.Empty <ModuleListItem>(); ulong moduleListSize = FdGetModuleListSize(pid); if (moduleListSize <= 0) { return(false); } IntPtr moduleListPtr = MarshalUtility.AllocZeroFilled((int)moduleListSize); KERNEL_MODULE_LIST_REQUEST kmlr = new KERNEL_MODULE_LIST_REQUEST { ProcessId = pid, ModuleListPtr = (ulong)moduleListPtr.ToInt64(), ModuleListSize = moduleListSize }; IntPtr kmlrPointer = MarshalUtility.CopyStructToMemory(kmlr); int kmlrSize = Marshal.SizeOf <KERNEL_MODULE_LIST_REQUEST>(); if (DeviceIoControl(hDriver, IO_MODULE_LIST_REQUEST, kmlrPointer, kmlrSize, kmlrPointer, kmlrSize, IntPtr.Zero, IntPtr.Zero)) { kmlr = MarshalUtility.GetStructFromMemory <KERNEL_MODULE_LIST_REQUEST>(kmlrPointer); if (kmlr.ModuleListCount > 0) { byte[] managedBuffer = new byte[moduleListSize]; Marshal.Copy(moduleListPtr, managedBuffer, 0, (int)moduleListSize); Marshal.FreeHGlobal(moduleListPtr); result = new ModuleListItem[kmlr.ModuleListCount]; using (BinaryReader reader = new BinaryReader(new MemoryStream(managedBuffer))) { for (int i = 0; i < result.Length; i++) { result[i] = ModuleListItem.FromByteStream(reader); } } return(true); } } return(false); }
public bool FdGetProcessList(out ProcessListItem[] result) { result = Array.Empty <ProcessListItem>(); ulong processListSize = FdGetProcessListSize(); if (processListSize <= 0) { return(false); } IntPtr processListPtr = MarshalUtility.AllocZeroFilled((int)processListSize); KERNEL_PROCESS_LIST_REQUEST kplr = new KERNEL_PROCESS_LIST_REQUEST { ProcessListPtr = (ulong)processListPtr.ToInt64(), ProcessListSize = processListSize }; IntPtr kplrPointer = MarshalUtility.CopyStructToMemory(kplr); int klprSize = Marshal.SizeOf <KERNEL_PROCESS_LIST_REQUEST>(); if (DeviceIoControl(hDriver, IO_PROCESS_LIST_REQUEST, kplrPointer, klprSize, kplrPointer, klprSize, IntPtr.Zero, IntPtr.Zero)) { kplr = MarshalUtility.GetStructFromMemory <KERNEL_PROCESS_LIST_REQUEST>(kplrPointer); if (kplr.ProcessListCount > 0) { byte[] managedBuffer = new byte[processListSize]; Marshal.Copy(processListPtr, managedBuffer, 0, (int)processListSize); Marshal.FreeHGlobal(processListPtr); result = new ProcessListItem[kplr.ProcessListCount]; using (BinaryReader reader = new BinaryReader(new MemoryStream(managedBuffer))) { for (int i = 0; i < result.Length; i++) { result[i] = ProcessListItem.FromByteStream(reader); } } return(true); } } return(false); }
private ulong FdGetModuleListSize(IntPtr pid) { KERNEL_MODULE_LIST_REQUEST kmlr = new KERNEL_MODULE_LIST_REQUEST { ProcessId = pid, }; IntPtr kmlrPointer = MarshalUtility.CopyStructToMemory(kmlr); int kmlrSize = Marshal.SizeOf <KERNEL_MODULE_LIST_REQUEST>(); if (DeviceIoControl(hDriver, IO_MODULE_LIST_REQUEST, kmlrPointer, kmlrSize, kmlrPointer, kmlrSize, IntPtr.Zero, IntPtr.Zero)) { kmlr = MarshalUtility.GetStructFromMemory <KERNEL_MODULE_LIST_REQUEST>(kmlrPointer); return(kmlr.ModuleListSize); } return(0); }
public bool FdCopyVirtualMemory(IntPtr pid, IntPtr address, IntPtr buffer, ulong bufferSize) { if (hDriver != INVALID_HANDLE_VALUE) { KERNEL_COPY_MEMORY_REQUEST kcmr = new KERNEL_COPY_MEMORY_REQUEST { ProcessId = pid, targetAddress = (ulong)address.ToInt64(), bufferAddress = (ulong)buffer.ToInt64(), bufferSize = bufferSize }; IntPtr kcmrPointer = MarshalUtility.CopyStructToMemory(kcmr); int krmrSize = Marshal.SizeOf <KERNEL_COPY_MEMORY_REQUEST>(); bool result = DeviceIoControl(hDriver, IO_COPY_MEMORY_REQUEST, kcmrPointer, krmrSize, IntPtr.Zero, 0, IntPtr.Zero, IntPtr.Zero); Marshal.FreeHGlobal(kcmrPointer); return(result); } return(false); }