none
P/Invoke to get INFOBLOCK structure and Command line

    Domanda

  • Hi, I've been working on this for several days straight and I can't seem to get it to work correctly... I honestly don't even know that it's getting the correct addresses and don't know how to check for validity:/ But this is what I have so far:

    public partial class Form1 : Form
        {
            IntPtr handle;
            int pebAddress;
            int procInfoAddress;
            string cmdLine;
    
            public Form1()
            {
                InitializeComponent();
    
                if (NativeFunctions.Privileges.EnableDebuggingPrivileges())
                {
                    MessageBox.Show("Successfully got SeDebugPrivilege.");
                    if ((handle = Open(NativeFunctions.Privileges.PROCESS_ALL_ACCESS, true, 3396)) == IntPtr.Zero)
                    {
                        MessageBox.Show("Failed to open process!");
                    }
    
                    else
                    {
                        MessageBox.Show("Successfully opened process.");
                        pebAddress = GetPEBAddress(handle);
                        if (pebAddress == 0 || pebAddress == -1)
                        {
                            MessageBox.Show("Failed to get PEB Address!");
                        }
    
                        else
                        {
                            MessageBox.Show("PEB Address: " + pebAddress.ToString());
                            procInfoAddress = GetProcInfoAddress(handle);
                            if (procInfoAddress == 0)
                            {
                                MessageBox.Show("Failed to get INFOBLOCK Address!");
                            }
    
                            else
                            {
                                MessageBox.Show("INFOBLOCK Address: " + procInfoAddress.ToString());
                                cmdLine = GetCommandLine(handle);
                                MessageBox.Show(cmdLine);
                            }
                        }
                    }
                    Close(handle);
                }
    
                else
                {
                    Application.Exit();
                }
            }
    
            public unsafe int GetPEBAddress(IntPtr handle)
            {
                int address;
                if (handle != null && handle != IntPtr.Zero)
                {
                    NativeFunctions.ProcessInformation.PROCESS_BASIC_INFORMATION pbi = new NativeFunctions.ProcessInformation.PROCESS_BASIC_INFORMATION();
                    uint size = (uint)sizeof(NativeFunctions.ProcessInformation.PROCESS_BASIC_INFORMATION);
                    int returnLength = 0;
                    if (NativeFunctions.ProcessInformation.NtQueryInformationProcess(handle, NativeFunctions.ProcessInformation.PROCESSINFOCLASS.ProcessBasicInformation, ref pbi, size, ref returnLength) == 0)
                    {
                        address = pbi.PebBaseAddress;
                    }
    
                    else
                    {
                        address = 0;
                    }
                }
    
                else
                {
                    address = -1;
                }
                return address;
            }
    
            public unsafe int GetProcInfoAddress(IntPtr handle)
            {
                IntPtr address;
                uint size = (uint)sizeof(IntPtr);
                uint returnLength = 0;
                int offset = (int)0x10;
                int x = pebAddress;
                int y = x + offset;
                MessageBox.Show("Size: " + y);
                if (!NativeFunctions.ProcessInformation.ReadProcessMemory(handle, (IntPtr)y, out address, size, out returnLength)) //(IntPtr)pebAddress + 0x10
                {
                    return 0;
                }
    
                else
                {
                    return address.ToInt32();
                }
            }
    
            public unsafe string GetCommandLine(IntPtr handle)
            {
                IntPtr str;
                uint size = (uint)sizeof(IntPtr);
                uint returnLength = 0;
                int offset = (int)0x40;
                MessageBox.Show(offset.ToString());
                int x = procInfoAddress;
                int y = x + offset;
                MessageBox.Show("Size: " + y);
                if (!NativeFunctions.ProcessInformation.ReadProcessMemory(handle, (IntPtr)y, out str, size, out returnLength))
                {
                    return "FAIL!";
                }
    
                else
                {
                    return Marshal.PtrToStringAuto(str);
                }
            }
    
            public IntPtr Open(int access, bool inherit, int pid)
            {
                return NativeFunctions.Kernel32.OpenProcess(access, inherit, pid);
            }
    
            public void Close(IntPtr handle)
            {
                NativeFunctions.Kernel32.CloseHandle(handle);
            }
        }

    Please help me!

    Aaron Chapman

    martedì 10 aprile 2012 17:32

Risposte

Tutte le risposte