/// <summary>
/// Locates the entry point of the main module of another process by reading
/// that process's memory.
/// </summary>
/// <remarks>
/// Sequence performed, in order:
/// 1. Query process information class 0 (ProcessBasicInformation) to obtain the PEB address.
/// 2. Read one pointer-sized value at PEB + 8 (32-bit) or PEB + 16 (64-bit); these offsets
///    match the documented position of the PEB's ImageBaseAddress field.
/// 3. Store that value in <c>pModBase_</c> and read <c>inner_.Length</c> bytes from it into <c>inner_</c>.
/// 4. Pass the buffer to <c>GetEntryFromBuffer</c> and return its result.
///
/// Analyst note: a query of ProcessBasicInformation followed by cross-process reads of the
/// PEB and the image header is a recognisable sequence; it needs a handle with query and
/// VM-read access to the target, which is an observable point for handle-access and
/// cross-process-read telemetry. What the caller does with the returned address is not
/// visible in this excerpt.
/// </remarks>
/// <param name="hProc">Handle to the process whose memory is inspected.</param>
/// <returns>The value produced by <c>GetEntryFromBuffer</c> for the bytes read at the module base.</returns>
/// <exception cref="SystemException">
/// Thrown when the information query fails or when either memory read fails or reports zero bytes read.
/// </exception>
public IntPtr FindEntry(IntPtr hProc)
{
    // NOTE(review): IntPtr.Size is the bitness of the *calling* process, not of the target.
    // The offsets below are only right when both processes have the same pointer size.
    bool is32Bit = IntPtr.Size == 4;

    Loader.PROCESS_BASIC_INFORMATION basicInfo = default(Loader.PROCESS_BASIC_INFORMATION);
    uint returnedLength = 0u;

    // Information class 0 with a buffer of six pointer-sized fields.
    long status = (long)Loader.ZwQueryInformationProcess(
        hProc,
        0,
        ref basicInfo,
        (uint)(IntPtr.Size * 6),
        ref returnedLength);
    if (!this.nt_success(status))
    {
        throw new SystemException("[x] Failed to get process information!");
    }

    // Address inside the remote PEB that holds the image base pointer.
    IntPtr imageBaseField = is32Bit
        ? (IntPtr)((int)basicInfo.PebAddress + 8)
        : (IntPtr)((long)basicInfo.PebAddress + 16L);

    byte[] pointerBytes = new byte[IntPtr.Size];
    IntPtr bytesRead = IntPtr.Zero;

    bool pointerReadOk = Loader.ReadProcessMemory(hProc, imageBaseField, pointerBytes, pointerBytes.Length, out bytesRead);
    if (!pointerReadOk || bytesRead == IntPtr.Zero)
    {
        throw new SystemException("[x] Failed to read process memory!");
    }

    // Decode the pointer that was just read; this is the remote module base.
    IntPtr moduleBase = is32Bit
        ? (IntPtr)BitConverter.ToInt32(pointerBytes, 0)
        : (IntPtr)BitConverter.ToInt64(pointerBytes, 0);
    this.pModBase_ = moduleBase;

    // Pull the start of the module into the instance buffer for header parsing.
    bool headerReadOk = Loader.ReadProcessMemory(hProc, moduleBase, this.inner_, this.inner_.Length, out bytesRead);
    if (!headerReadOk || bytesRead == IntPtr.Zero)
    {
        throw new SystemException("[x] Failed to read module start!");
    }

    return this.GetEntryFromBuffer(this.inner_);
}
/// <summary>
/// P/Invoke declaration for the native <c>ZwQueryInformationProcess</c> routine.
/// The <c>DllImport</c> attribute is not visible in this excerpt (presumably ntdll.dll; confirm).
/// </summary>
/// <param name="hProcess">Handle to the process being queried.</param>
/// <param name="procInformationClass">Information class selector; <c>FindEntry</c> passes 0.</param>
/// <param name="procInformation">Structure that receives the result, passed by reference.</param>
/// <param name="ProcInfoLen">Size in bytes of the receiving structure; <c>FindEntry</c> passes <c>IntPtr.Size * 6</c>.</param>
/// <param name="retlen">Receives the length reported back by the call.</param>
/// <returns>Status code as an <c>int</c>; <c>FindEntry</c> widens it to <c>long</c> and passes it to <c>nt_success</c>.</returns>
private static extern int ZwQueryInformationProcess(IntPtr hProcess, int procInformationClass, ref Loader.PROCESS_BASIC_INFORMATION procInformation, uint ProcInfoLen, ref uint retlen);