Class ProcessInfo
Contains information needed for the associated functions relating to the process.
Inherited Members
Namespace: ERC
Assembly: ERC.Net.dll
Syntax
public class ProcessInfo : ErcCoreConstructors
ProcessInfo(ErcCore, Process)
Constructor for the Process_Info object, requires an ERC_Core object and a Process.
Declaration
public ProcessInfo(ErcCore core, Process process)Parameters
| Type | Name | Description |
|---|---|---|
| ErcCore | core | An ErcCore object |
| System.Diagnostics.Process | process | The process to gather information from |
ProcessInfo(ErcCore, IntPtr)
Constructor for the Process_Info object, requires an ERC_Core object and a Process.
Declaration
public ProcessInfo(ErcCore core, IntPtr handle)Parameters
| Type | Name | Description |
|---|---|---|
| ErcCore | core | An ErcCore object |
| System.IntPtr | handle | The handle for the process to gather information from |
ProcessInfo(ProcessInfo)
Constructor to use when inheriting from ProcessInfo.
Declaration
protected ProcessInfo(ProcessInfo parent)Parameters
| Type | Name | Description |
|---|---|---|
| ProcessInfo | parent | The object to inherit from |
Fields
ModulesInfo
A list containing ModuleInfo objects associuted with the process. ///
Declaration
public List<ModuleInfo> ModulesInfoField Value
| Type | Description |
|---|---|
| System.Collections.Generic.List<ModuleInfo> |
ThreadsInfo
A list containing ThreadInfo objects associuted with the process. ///
Declaration
public List<ThreadInfo> ThreadsInfoField Value
| Type | Description |
|---|---|
| System.Collections.Generic.List<ThreadInfo> |
Properties
ProcessCurrent
.Net Process object for this process
Declaration
public Process ProcessCurrent { get; }Property Value
| Type | Description |
|---|---|
| System.Diagnostics.Process |
ProcessDescription
Process description.
Declaration
public string ProcessDescription { get; }Property Value
| Type | Description |
|---|---|
| System.String |
ProcessHandle
Handle for the process.
Declaration
public IntPtr ProcessHandle { get; }Property Value
| Type | Description |
|---|---|
| System.IntPtr |
ProcessID
Process ID.
Declaration
public int ProcessID { get; }Property Value
| Type | Description |
|---|---|
| System.Int32 |
ProcessMachineType
The machine type the process runs on. Eg. x86 or x64
Declaration
public MachineType ProcessMachineType { get; }Property Value
| Type | Description |
|---|---|
| MachineType |
ProcessName
Name of the process.
Declaration
public string ProcessName { get; }Property Value
| Type | Description |
|---|---|
| System.String |
ProcessPath
Path for the projects main module.
Declaration
public string ProcessPath { get; }Property Value
| Type | Description |
|---|---|
| System.String |
Methods
CreateExcludesList(Boolean, Boolean, Boolean, Boolean, Boolean)
Creates a list of modules to exclude from a search of memory.
Declaration
public List<string> CreateExcludesList(bool aslr = false, bool safeseh = false, bool rebase = false, bool nxcompat = false, bool osdll = false)Parameters
| Type | Name | Description |
|---|---|---|
| System.Boolean | aslr | |
| System.Boolean | safeseh | |
| System.Boolean | rebase | |
| System.Boolean | nxcompat | |
| System.Boolean | osdll |
Returns
| Type | Description |
|---|---|
| System.Collections.Generic.List<System.String> | Returns an ErcResult containing a list of stringss |
DumpMemoryRegion(IntPtr, Int32)
Reads process memory from a specific address for a set number of bytes.
Declaration
public ErcResult<byte[]> DumpMemoryRegion(IntPtr startAddress, int length)Parameters
| Type | Name | Description |
|---|---|---|
| System.IntPtr | startAddress | The address to start reading from. |
| System.Int32 | length | Number of bytes to read. |
Returns
| Type | Description |
|---|---|
| ErcResult<System.Byte[]> | Returns a bytes array containing the specified contents of process memory. |
FindNRP(Int32, Boolean)
Searches process registers and identifies pointers to buffers in memory containing a non repeating pattern. Functionality to identify SEH overwrites not yet implements.
Declaration
public ErcResult<List<RegisterInfo>> FindNRP(int searchType = 0, bool extended = false)Parameters
| Type | Name | Description |
|---|---|---|
| System.Int32 | searchType | (Optional) 0 = search term is system default\n1 = search term is in unicode\n2 = search term is in ASCII\n3 = Search term is in UTF8\n4 = Search term is in UTF7\n5 = Search term is in UTF32 |
| System.Boolean | extended | (Optional) Include additional characters in the pattern (!#$%^ etc) in the to be searched |
Returns
| Type | Description |
|---|---|
| ErcResult<System.Collections.Generic.List<RegisterInfo>> | Returns a ERC_Result containing a List of RegisterOffset |
GetModuleHandles()
Returns a list of module handles associated with the process.
Declaration
public ErcResult<Dictionary<string, IntPtr>> GetModuleHandles()Returns
| Type | Description |
|---|---|
| ErcResult<System.Collections.Generic.Dictionary<System.String, System.IntPtr>> | Returns a dictionary containing the handle and path of each module |
GetProcessModuleInformation()
Gets the list of ModuleInfo objects associated with the current process.
Declaration
public ErcResult<List<ModuleInfo>> GetProcessModuleInformation()Returns
| Type | Description |
|---|---|
| ErcResult<System.Collections.Generic.List<ModuleInfo>> | Returns an ErcResult containing a list of ModuleInfo objects |
GetProcessModules()
Returns a list of files loaded by the current process as List String
Declaration
public ErcResult<Dictionary<string, IntPtr>> GetProcessModules()Returns
| Type | Description |
|---|---|
| ErcResult<System.Collections.Generic.Dictionary<System.String, System.IntPtr>> | Returns an ErcResult containing a Dictionary of module names and the associated handles |
GetProcessThreadInformation()
Gets the list of ThreadInfo objects associated with the current process.
Declaration
public ErcResult<List<ThreadInfo>> GetProcessThreadInformation()Returns
| Type | Description |
|---|---|
| ErcResult<System.Collections.Generic.List<ThreadInfo>> | Returns an ErcResult containing a list of ThreadInfo objects |
Is64Bit(Process)
Identifies if a process is 64bit or 32 bit, returns true for 64bit and false for 32bit.
Declaration
public static bool Is64Bit(Process process)Parameters
| Type | Name | Description |
|---|---|---|
| System.Diagnostics.Process | process | The process to be used |
Returns
| Type | Description |
|---|---|
| System.Boolean | Returns true if the process is 64bit and false if it is not. |
ListLocalProcesses(ErcCore)
Gets a list of running processes on the host and removes unusable processes (such as system processes etc)
Declaration
public static ErcResult<Process[]> ListLocalProcesses(ErcCore core)Parameters
| Type | Name | Description |
|---|---|---|
| ErcCore | core | An ErcCore object |
Returns
| Type | Description |
|---|---|
| ErcResult<System.Diagnostics.Process[]> | Returns an ErcResult containing a list of all supported processes |
ListRemoteProcesses(ErcCore, String)
Gets a list of running processes on the host and removes unusable processes.
Declaration
public static ErcResult<Process[]> ListRemoteProcesses(ErcCore core, string machineName)Parameters
| Type | Name | Description |
|---|---|---|
| ErcCore | core | An ErcCore object |
| System.String | machineName | The computer from which to read the list of processes. Can be either the hostname or IP address. |
Returns
| Type | Description |
|---|---|
| ErcResult<System.Diagnostics.Process[]> | Returns an ErcResult containing a list of all supported processes |
SearchAllMemoryPPR(Byte[], List<String>)
Searches all memory associated with a given process and associated modules for POP X POP X RET instructions. Passing a list of module paths or names will exclude those modules from the search.
Declaration
public ErcResult<Dictionary<IntPtr, string>> SearchAllMemoryPPR(byte[] ptrsToExclude, List<string> excludes = null)Parameters
| Type | Name | Description |
|---|---|---|
| System.Byte[] | ptrsToExclude | Takes a byte array of values used to disqualify pointers |
| System.Collections.Generic.List<System.String> | excludes | Takes a list of module names to be excluded from the search |
Returns
| Type | Description |
|---|---|
| ErcResult<System.Collections.Generic.Dictionary<System.IntPtr, System.String>> | Returns an ERC_Result containing a dictionary of pointers and the main module in which they were found |
SearchAllMemoryPPR(List<String>)
Searches all memory associated with a given process and associated modules for POP X POP X RET instructions. Passing a list of module paths or names will exclude those modules from the search.
Declaration
public ErcResult<Dictionary<IntPtr, string>> SearchAllMemoryPPR(List<string> excludes = null)Parameters
| Type | Name | Description |
|---|---|---|
| System.Collections.Generic.List<System.String> | excludes | Takes a list of module names to be excluded from the search |
Returns
| Type | Description |
|---|---|
| ErcResult<System.Collections.Generic.Dictionary<System.IntPtr, System.String>> | Returns an ERC_Result containing a dictionary of pointers and the main module in which they were found |
SearchMemory(Int32, Byte[], Byte[], String, List<String>)
Searches all memory (the process and associated DLLs) for a specific string or byte array. Strings can be passed as ASCII, Unicode, UTF7 or UTF8. Specific modules can be exclude through passing a Listof strings containing module names or paths.
Declaration
public ErcResult<Dictionary<IntPtr, string>> SearchMemory(int searchType, byte[] ptrsToExclude, byte[] searchBytes = null, string searchString = null, List<string> excludes = null)Parameters
| Type | Name | Description |
|---|---|---|
| System.Int32 | searchType | 0 = search term is in bytes\n1 = search term is in unicode\n2 = search term is in ASCII\n3 = Search term is in UTF8\n4 = Search term is in UTF7\n5 = Search term is in UTF32 |
| System.Byte[] | ptrsToExclude | Takes a byte array of values used to disqualify pointers |
| System.Byte[] | searchBytes | Byte array to be searched for (optional) |
| System.String | searchString | String to be searched for (optional) |
| System.Collections.Generic.List<System.String> | excludes | Modules to be excluded from the search (optional) |
Returns
| Type | Description |
|---|---|
| ErcResult<System.Collections.Generic.Dictionary<System.IntPtr, System.String>> | Returns an ERC_Result containing pointers to all instances of the search query. |
SearchMemory(Int32, Byte[], String, List<String>)
Searches all memory (the process and associated DLLs) for a specific string or byte array. Strings can be passed as ASCII, Unicode, UTF7 or UTF8. Specific modules can be exclude through passing a Listof strings containing module names or paths.
Declaration
public ErcResult<Dictionary<IntPtr, string>> SearchMemory(int searchType, byte[] searchBytes = null, string searchString = null, List<string> excludes = null)Parameters
| Type | Name | Description |
|---|---|---|
| System.Int32 | searchType | 0 = search term is in bytes\n1 = search term is in unicode\n2 = search term is in ASCII\n3 = Search term is in UTF8\n4 = Search term is in UTF7\n5 = Search term is in UTF32 |
| System.Byte[] | searchBytes | Byte array to be searched for (optional) |
| System.String | searchString | String to be searched for (optional) |
| System.Collections.Generic.List<System.String> | excludes | Modules to be excluded from the search (optional) |
Returns
| Type | Description |
|---|---|
| ErcResult<System.Collections.Generic.Dictionary<System.IntPtr, System.String>> | Returns an ERC_Result containing pointers to all instances of the search query. |
ToString()
Override of the ToString method. Returns information about the process in a pleasantly formatted string
Declaration
public override string ToString()Returns
| Type | Description |
|---|---|
| System.String | A string |