C# Signature:
[DllImport("ntdll.dll", SetLastError=true)]
static extern int NtQueryInformationProcess(IntPtr processHandle,
int processInformationClass, IntPtr processInformation, uint processInformationLength,
IntPtr returnLength);
or:
[DllImport("NTDLL.DLL", SetLastError=true)]
static extern int NtQueryInformationProcess(IntPtr hProcess, PROCESSINFOCLASS pic,
ref PROCESS_BASIC_INFORMATION pbi, int cb, out int pSize);
VB Signature:
Declare Function NtQueryInformationProcess Lib "ntdll.dll" ( _
processHandle As IntPtr, processInformationClass As Integer, _
processInformation As IntPtr, processInformationLength As Integer, _
returnLength As IntPtr) As Integer
User-Defined Types:
None.
Notes:
None.
Tips & Tricks:
Please add some!
Sample Code:
public static IntPtr GetPEBAddress()
{
//Get a handle to our own process
IntPtr hProc = OpenProcess(0x001F0FFF, false, Process.GetCurrentProcess().Id);
//Allocate memory for a new PROCESS_BASIC_INFORMATION structure
IntPtr pbi = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(PROCESS_BASIC_INFORMATION)));
//Allocate memory for a long
IntPtr outLong = Marshal.AllocHGlobal(sizeof(long));
IntPtr outPtr = IntPtr.Zero;
bool querySuccess = false;
//Store API call success in a boolean
querySuccess = Convert.ToBoolean(NtQueryInformationProcess(hProc, 0, pbi, (uint)Marshal.SizeOf(typeof(PROCESS_BASIC_INFORMATION)), outLong));
//Close handle and free allocated memory
CloseHandle(hProc);
Marshal.FreeHGlobal(outLong);
//STATUS_SUCCESS = 0, so if API call was successfull querySuccess should contain 0 ergo we reverse the check.
if(!querySuccess)
outPtr = PtrToStructure<PROCESS_BASIC_INFORMATION>(pbi, typeof(PROCESS_BASIC_INFORMATION)).PebBaseAddress;
//Free allocated space
Marshal.FreeHGlobal(pbi);
//Return pointer to PEB base address
return outPtr;
}
Alternative Managed API:
Do you know one? Please contribute it!
