using Microsoft.Win32.SafeHandles; using System; using System.ComponentModel; ///

/// Static core class providing tools for manipulating threads. ///

public static class ThreadCore { #region GetThreadContext ///

/// Retrieves the context of the specified thread. ///

/// The type of the context to dump. /// The type must be unmanaged, so it can be fixed while the native call is done. /// The performance is increased if the structure is blittable, which is the case for the structures /// provided with the library. /// A handle to the thread whose context is to be retrieved. /// An instance of the structure where the context is loaded into. /// The context cannot be retrieved from the thread. public static unsafe void GetThreadContext(SafeMemoryHandle threadHandle, ref TContext context) where TContext : unmanaged { // Check if the handle is valid HandleManipulator.ValidateAsArgument(threadHandle, "threadHandle"); // Get the pointer of the structure and pin it, so the GC does not move it fixed (void* contextPtr = &context) { // Get the thread context if (NativeMethods.GetThreadContext(threadHandle, contextPtr) == (void*)0) { throw new Win32Exception("The context cannot be retrieved from the thread."); } } } #endregion #region NtQueryInformationThread ///

/// Retrieves information about the specified thread. ///

/// A handle to the thread to query. /// A structure containing thread information. public static unsafe ThreadBasicInformation NtQueryInformationThread(SafeMemoryHandle threadHandle) { // Check if the handle is valid HandleManipulator.ValidateAsArgument(threadHandle, "threadHandle"); // Create a structure to store thread info var info = new ThreadBasicInformation(); // Get the thread info void* infoPtr = &info; // info is already fixed var ret = NativeMethods.NtQueryInformationThread(threadHandle, ThreadInformationClass.ThreadBasicInformation, infoPtr, MarshalType.SizeAsPointer, out var returnLength); // If the function succeeded if (ret == 0) { return info; } // Else, couldn't get the thread info, throws an exception throw new ApplicationException($"The thread information cannot be queried; error code '{ret}'."); } ///

/// Retrieves information about the specified thread. ///

/// A handle to the thread to query. /// The class of the thread to retrieve. /// The requested data as an unsigned integer. public static unsafe ulong NtQueryInformationThread(SafeMemoryHandle threadHandle, ThreadInformationClass threadInformationClass) { // Check if the handle is valid HandleManipulator.ValidateAsArgument(threadHandle, "threadHandle"); // Get the thread info ulong info = 0; var ret = NativeMethods.NtQueryInformationThread(threadHandle, ThreadInformationClass.ThreadBasicInformation, &info, new IntPtr(sizeof(ulong)), out var returnLength); // If the function succeeded if (ret == 0) { return info; } // Else, couldn't get the thread info, throws an exception throw new ApplicationException($"The thread information cannot be queried; error code '{ret}'."); } #endregion #region ResumeThread ///

/// Decrements a thread's suspend count. When the suspend count is decremented to zero, the execution of the thread is resumed. ///

/// A handle to the thread to be restarted. /// The thread's previous suspend count. public static uint ResumeThread(SafeMemoryHandle threadHandle) { // Check if the handle is valid HandleManipulator.ValidateAsArgument(threadHandle, "threadHandle"); // Resume the thread var ret = NativeMethods.ResumeThread(threadHandle); // If the function failed if (ret == uint.MaxValue) throw new Win32Exception("Couldn't resume the thread."); return ret; } #endregion #region SetThreadContext ///

/// Sets the context for the specified thread. ///

/// The type of the context to set. /// The type must be unmanaged, so it can be fixed while the native call is done. /// The performance is increased if the structure is blittable, which is the case for the structures /// provided with the library. /// A handle to the thread whose context is to be set. /// A pointer to a structure that contains the context to be set in the specified thread. /// The context cannot be set to the thread. public static unsafe void SetThreadContext(SafeMemoryHandle threadHandle, ref TContext context) where TContext : unmanaged { // Check if the handle is valid HandleManipulator.ValidateAsArgument(threadHandle, "threadHandle"); // Get the pointer of the structure and pin it, so the GC does not move it fixed (void* contextPtr = &context) { // Set the thread context if (NativeMethods.SetThreadContext(threadHandle, contextPtr) == 0) { throw new Win32Exception("The context cannot be set to the thread."); } } } #endregion #region SuspendThread ///

/// Suspends the specified thread. ///

/// A handle to the thread that is to be suspended. /// The thread's previous suspend count. public static uint SuspendThread(SafeMemoryHandle threadHandle) { // Check if the handle is valid HandleManipulator.ValidateAsArgument(threadHandle, "threadHandle"); // Suspend the thread var ret = NativeMethods.SuspendThread(threadHandle); // If the function failed if (ret == uint.MaxValue) throw new Win32Exception("Couldn't suspend the thread."); return ret; } #endregion #region TerminateThread ///

/// Terminates a thread. ///

/// A handle to the thread to be terminated. /// The exit code for the thread. public static void TerminateThread(SafeMemoryHandle threadHandle, int exitCode) { // Check if the handle is valid HandleManipulator.ValidateAsArgument(threadHandle, "threadHandle"); // Terminate the thread var ret = NativeMethods.TerminateThread(threadHandle, exitCode); // If the function failed if(!ret) throw new Win32Exception("Couldn't terminate the thread."); } #endregion #region ThreadContextFlags ///

/// Determines which registers are returned or set when using or . ///

[Flags] public enum ThreadContextFlags : uint { ///

/// The Intel 80386 microprocessor, also known as the i386. ///

Intel386 = 0x10000, ///

/// The Intel 80486 microprocessor, also known as the i486. ///

Intel486 = 0x10000, ///

/// SS:SP, CS:IP, FLAGS, BP ///

Control = Intel386 | 0x01, ///

/// AX, BX, CX, DX, SI, DI ///

Integer = Intel386 | 0x02, ///

/// DS, ES, FS, GS ///

Segments = Intel386 | 0x04, ///

/// 387 state ///

FloatingPoint = Intel386 | 0x08, ///

/// DB 0-3,6,7 ///

DebugRegisters = Intel386 | 0x10, ///

/// CPU specific extensions ///

ExtendedRegisters = Intel386 | 0x20, ///

/// All flags excepted FloatingPoint, DebugRegisters and ExtendedRegisters. ///

Full = Control | Integer | Segments, ///

/// All flags. ///

All = Control | Integer | Segments | FloatingPoint | DebugRegisters | ExtendedRegisters } #endregion #region ThreadInformationClass ///

///The numeration that corresponds to the classes of thread information. ///

public enum ThreadInformationClass : uint { ThreadBasicInformation = 0, ThreadTimes = 1, ThreadPriority = 2, ThreadBasePriority = 3, ThreadAffinityMask = 4, ThreadImpersonationToken = 5, ThreadDescriptorTableEntry = 6, ThreadEnableAlignmentFaultFixup = 7, ThreadEventPair_Reusable = 8, ThreadQuerySetWin32StartAddress = 9, ThreadZeroTlsCell = 10, ThreadPerformanceCount = 11, ThreadAmILastThread = 12, ThreadIdealProcessor = 13, ThreadPriorityBoost = 14, ThreadSetTlsArrayAddress = 15, ThreadIsIoPending = 16, ThreadHideFromDebugger = 17, ThreadBreakOnTermination = 18, ThreadSwitchLegacyState = 19, ThreadIsTerminated = 20, ThreadLastSystemCall = 21, ThreadIoPriority = 22, ThreadCycleTime = 23, ThreadPagePriority = 24, ThreadActualBasePriority = 25, ThreadTebInformation = 26, ThreadCSwitchMon = 27, ThreadCSwitchPmu = 28, ThreadWow64Context = 29, ThreadGroupInformation = 30, ThreadUmsInformation = 31, ThreadCounterProfiling = 32, ThreadIdealProcessorEx = 33, ThreadCpuAccountingInformation = 34, ThreadSuspendCount = 35, ThreadHeterogeneousCpuPolicy = 36, ThreadContainerId = 37, ThreadNameInformation = 38, ThreadSelectedCpuSets = 39, ThreadSystemThreadInformation = 40, ThreadActualGroupAffinity = 41, ThreadDynamicCodePolicyInfo = 42, ThreadExplicitCaseSensitivity = 43, ThreadWorkOnBehalfTicket = 44, ThreadSubsystemInformation = 45, ThreadDbgkWerReportActive = 46, ThreadAttachContainer = 47, ThreadManageWritesToExecutableMemory = 48, ThreadPowerThrottlingState = 49, ThreadWorkloadClass = 50, } #endregion #region ProcessBasicInformation ///

/// Structure containing basic information about a process. ///

[StructLayout(LayoutKind.Sequential)] public struct ProcessBasicInformation { ///

/// The exit status. ///

public IntPtr ExitStatus; ///

/// The base address of Process Environment Block. ///

public IntPtr PebBaseAddress; ///

/// The affinity mask. ///

public IntPtr AffinityMask; ///

/// The base priority. ///

public IntPtr BasePriority; ///

/// The process id. ///

public IntPtr ProcessId; ///

/// The process id of the parent process. ///

public IntPtr InheritedFromUniqueProcessId; } #endregion ProcessBasicInformation #region ThreadBasicInformation ///

/// Structure containing basic information about a thread. ///

[StructLayout(LayoutKind.Sequential)] public struct ThreadBasicInformation { ///

/// the exit status (NTSTATUS). ///

public uint ExitStatus; ///

/// The base address of Thread Environment Block. ///

public IntPtr TebBaseAddress; ///

/// The process and thread identifiers. ///

public ClientIdStruct ClientIdStruct; ///

/// The affinity mask. ///

public IntPtr AffinityMask; ///

/// The priority. ///

public int Priority; ///

/// The base priority. ///

public int BasePriority; } #endregion ThreadBasicInformation #region ThreadContext32 ///

/// Represents a thread context for 32-bit processes on Windows. Create a new instance using the constructor with the /// flags. ///

/// /// This structure is blittable and therefore, does not require any marshaling from Platform Invoke. /// Referenced on https://docs.microsoft.com/en-us/windows/desktop/api/winnt/ns-winnt-_wow64_context. /// Refer to the header file WinNT.h for definitions of this structure for each processor architecture. /// [StructLayout(LayoutKind.Explicit, Size = ThreadContext32Metadata.TotalSize)] public unsafe struct ThreadContext32 { ///

/// Initializes a new instance of the struct. ///

/// Determines which registers are returned or set during the context query. public ThreadContext32(ThreadContextFlags flags) : this() { ContextFlags = flags; } ///

/// Determines which registers are returned or set when using or /// . /// If the context record is used as an INPUT parameter, then for each portion of the context record controlled by a flag /// whose value is set, it is assumed that portion of the /// context record contains valid context. If the context record is being used to modify a threads context, then only that /// portion of the threads context will be modified. /// If the context record is used as an INPUT/OUTPUT parameter to capture the context of a thread, then only those portions /// of the thread's context corresponding to set flags will be returned. /// The context record is never used as an OUTPUT only parameter. ///

[FieldOffset(ThreadContext32Metadata.Offsets.ContextFlags)] public ThreadContextFlags ContextFlags; ///