mirror of
https://github.com/mastercodeon314/KsDumper-11.git
synced 2024-11-24 06:50:10 +01:00
156 lines
5.1 KiB
C#
156 lines
5.1 KiB
C#
using System;
|
|
using System.IO;
|
|
using System.Runtime.InteropServices;
|
|
using KsDumper11.Utility;
|
|
|
|
namespace KsDumper11.Driver
|
|
{
|
|
public class KsDumperDriverInterface
|
|
{
|
|
public static KsDumperDriverInterface OpenKsDumperDriver()
|
|
{
|
|
return new KsDumperDriverInterface("\\\\.\\KsDumper");
|
|
}
|
|
public static bool IsDriverOpen(string driverPath)
|
|
{
|
|
IntPtr handle = WinApi.CreateFileA(driverPath, FileAccess.ReadWrite, FileShare.ReadWrite, IntPtr.Zero, FileMode.Open, (FileAttributes)0, IntPtr.Zero);
|
|
bool result = handle != WinApi.INVALID_HANDLE_VALUE;
|
|
WinApi.CloseHandle(handle);
|
|
return result;
|
|
}
|
|
|
|
public KsDumperDriverInterface(string registryPath)
|
|
{
|
|
this.driverHandle = WinApi.CreateFileA(registryPath, FileAccess.ReadWrite, FileShare.ReadWrite, IntPtr.Zero, FileMode.Open, (FileAttributes)0, IntPtr.Zero);
|
|
}
|
|
|
|
public bool HasValidHandle()
|
|
{
|
|
return this.driverHandle != WinApi.INVALID_HANDLE_VALUE;
|
|
}
|
|
|
|
public bool GetProcessSummaryList(out ProcessSummary[] result)
|
|
{
|
|
result = new ProcessSummary[0];
|
|
bool flag = this.driverHandle != WinApi.INVALID_HANDLE_VALUE;
|
|
if (flag)
|
|
{
|
|
int requiredBufferSize = this.GetProcessListRequiredBufferSize();
|
|
bool flag2 = requiredBufferSize > 0;
|
|
if (flag2)
|
|
{
|
|
IntPtr bufferPointer = MarshalUtility.AllocZeroFilled(requiredBufferSize);
|
|
Operations.KERNEL_PROCESS_LIST_OPERATION operation = new Operations.KERNEL_PROCESS_LIST_OPERATION
|
|
{
|
|
bufferAddress = (ulong)bufferPointer.ToInt64(),
|
|
bufferSize = requiredBufferSize
|
|
};
|
|
IntPtr operationPointer = MarshalUtility.CopyStructToMemory<Operations.KERNEL_PROCESS_LIST_OPERATION>(operation);
|
|
int operationSize = Marshal.SizeOf<Operations.KERNEL_PROCESS_LIST_OPERATION>();
|
|
bool flag3 = WinApi.DeviceIoControl(this.driverHandle, Operations.IO_GET_PROCESS_LIST, operationPointer, operationSize, operationPointer, operationSize, IntPtr.Zero, IntPtr.Zero);
|
|
if (flag3)
|
|
{
|
|
operation = MarshalUtility.GetStructFromMemory<Operations.KERNEL_PROCESS_LIST_OPERATION>(operationPointer, true);
|
|
bool flag4 = operation.processCount > 0;
|
|
if (flag4)
|
|
{
|
|
byte[] managedBuffer = new byte[requiredBufferSize];
|
|
Marshal.Copy(bufferPointer, managedBuffer, 0, requiredBufferSize);
|
|
Marshal.FreeHGlobal(bufferPointer);
|
|
result = new ProcessSummary[operation.processCount];
|
|
using (BinaryReader reader = new BinaryReader(new MemoryStream(managedBuffer)))
|
|
{
|
|
for (int i = 0; i < result.Length; i++)
|
|
{
|
|
result[i] = ProcessSummary.FromStream(reader);
|
|
}
|
|
}
|
|
return true;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
return false;
|
|
}
|
|
|
|
private int GetProcessListRequiredBufferSize()
|
|
{
|
|
IntPtr operationPointer = MarshalUtility.AllocEmptyStruct<Operations.KERNEL_PROCESS_LIST_OPERATION>();
|
|
int operationSize = Marshal.SizeOf<Operations.KERNEL_PROCESS_LIST_OPERATION>();
|
|
bool flag = WinApi.DeviceIoControl(this.driverHandle, Operations.IO_GET_PROCESS_LIST, operationPointer, operationSize, operationPointer, operationSize, IntPtr.Zero, IntPtr.Zero);
|
|
if (flag)
|
|
{
|
|
Operations.KERNEL_PROCESS_LIST_OPERATION operation = MarshalUtility.GetStructFromMemory<Operations.KERNEL_PROCESS_LIST_OPERATION>(operationPointer, true);
|
|
bool flag2 = operation.processCount == 0 && operation.bufferSize > 0;
|
|
if (flag2)
|
|
{
|
|
return operation.bufferSize;
|
|
}
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
public bool CopyVirtualMemory(int targetProcessId, IntPtr targetAddress, IntPtr bufferAddress, int bufferSize)
|
|
{
|
|
bool flag = this.driverHandle != WinApi.INVALID_HANDLE_VALUE;
|
|
bool flag2;
|
|
if (flag)
|
|
{
|
|
Operations.KERNEL_COPY_MEMORY_OPERATION operation = new Operations.KERNEL_COPY_MEMORY_OPERATION
|
|
{
|
|
targetProcessId = targetProcessId,
|
|
targetAddress = (ulong)targetAddress.ToInt64(),
|
|
bufferAddress = (ulong)bufferAddress.ToInt64(),
|
|
bufferSize = bufferSize
|
|
};
|
|
IntPtr operationPointer = MarshalUtility.CopyStructToMemory<Operations.KERNEL_COPY_MEMORY_OPERATION>(operation);
|
|
bool result = WinApi.DeviceIoControl(this.driverHandle, Operations.IO_COPY_MEMORY, operationPointer, Marshal.SizeOf<Operations.KERNEL_COPY_MEMORY_OPERATION>(), IntPtr.Zero, 0, IntPtr.Zero, IntPtr.Zero);
|
|
Marshal.FreeHGlobal(operationPointer);
|
|
flag2 = result;
|
|
}
|
|
else
|
|
{
|
|
flag2 = false;
|
|
}
|
|
return flag2;
|
|
}
|
|
|
|
public bool UnloadDriver()
|
|
{
|
|
if (driverHandle != WinApi.INVALID_HANDLE_VALUE)
|
|
{
|
|
bool result = WinApi.DeviceIoControl(driverHandle, Operations.IO_UNLOAD_DRIVER, IntPtr.Zero, 0, IntPtr.Zero, 0, IntPtr.Zero, IntPtr.Zero);
|
|
this.Dispose();
|
|
return result;
|
|
}
|
|
return false;
|
|
}
|
|
|
|
private readonly IntPtr driverHandle;
|
|
|
|
public void Dispose()
|
|
{
|
|
try
|
|
{
|
|
WinApi.CloseHandle(driverHandle);
|
|
}
|
|
catch (Exception ex)
|
|
{
|
|
return;
|
|
}
|
|
}
|
|
|
|
~KsDumperDriverInterface()
|
|
{
|
|
try
|
|
{
|
|
WinApi.CloseHandle(driverHandle);
|
|
}
|
|
catch (Exception ex)
|
|
{
|
|
return;
|
|
}
|
|
}
|
|
}
|
|
}
|