
I would like to use the UpdateProcThreadAttribute() API call in a C# program, but I can't find the hex value of PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON. I was only able to find (0x00000001ui64 << 44) on Microsoft's website, but I don't know how I can implement this into my code and use it as an IntPtr, according to PInvoke.net.

Remy Lebeau
Anonymous-User
  • Does this answer your question? [Where can I find a list of windows API constants](https://stackoverflow.com/questions/718975/where-can-i-find-a-list-of-windows-api-constants) – Sinatr Apr 27 '21 at 14:50
  • `ui64` is a C++ suffix equivalent to C#'s `UL` suffix (for `ulong`), so it's `(0x1UL << 44)`, or `0x1000_0000_0000UL`, in C#. – madreflection Apr 27 '21 at 14:59

1 Answer


In C/C++, `0x00000001ui64` is an unsigned 64-bit integer with a value of 1, and `<< 44` is left-shifting that value by 44 bits. A left-shift is equivalent to multiplying by 2, so the result of multiplying 1 by 2 44 times is 17592186044416, which in hex is `0x100000000000UL`, or `0x1000_0000_0000UL` for readability.

FYI, C# has the same bit-shift operators that C/C++ has.

LPPROC_THREAD_ATTRIBUTE_LIST is a pointer to a PROC_THREAD_ATTRIBUTE_LIST structure. Call InitializeProcThreadAttributeList() 1 time to determine how large that list needs to be, then allocate memory of that size, and call InitializeProcThreadAttributeList() again to initialize the list.

For example (also see .NET : How to PInvoke UpdateProcThreadAttribute):

```csharp
using System;
using System.Runtime.InteropServices;

const int PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY = 0x20007;
const long PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON = 0x100000000000L;

[DllImport("kernel32.dll", SetLastError=true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool InitializeProcThreadAttributeList(
     IntPtr lpAttributeList,
     int dwAttributeCount,
     int dwFlags,
     ref IntPtr lpSize);

// DeleteProcThreadAttributeList() returns VOID in the Win32 API
[DllImport("kernel32.dll")]
public static extern void DeleteProcThreadAttributeList(IntPtr lpAttributeList);

[DllImport("kernel32.dll", SetLastError=true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool UpdateProcThreadAttribute(
     IntPtr lpAttributeList,
     uint dwFlags,
     IntPtr Attribute,
     IntPtr lpValue,
     IntPtr cbSize,
     IntPtr lpPreviousValue,
     IntPtr lpReturnSize);

...

// first call only reports the required size in attrListSize
// (it returns false with ERROR_INSUFFICIENT_BUFFER, which is expected)
IntPtr attrListSize = IntPtr.Zero;
InitializeProcThreadAttributeList(
    IntPtr.Zero,
    1,
    0,
    ref attrListSize);

// second call initializes the list in the allocated buffer
IntPtr attrList = Marshal.AllocHGlobal(attrListSize);
InitializeProcThreadAttributeList(
    attrList,
    1,
    0,
    ref attrListSize);

// the attribute value is a 64-bit policy mask stored in unmanaged memory;
// it must stay allocated until the attribute list is deleted
IntPtr lpValue = Marshal.AllocHGlobal(sizeof(long));
Marshal.WriteInt64(lpValue, PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON);

UpdateProcThreadAttribute(
    attrList,
    0,
    (IntPtr)PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY,
    lpValue,
    (IntPtr)sizeof(long),
    IntPtr.Zero,
    IntPtr.Zero
);

// use attrList as needed, ie in STARTUPINFOEX.lpAttributeList ...

DeleteProcThreadAttributeList(attrList);

Marshal.FreeHGlobal(lpValue);
Marshal.FreeHGlobal(attrList);
```
Remy Lebeau
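One way to confirm that the mitigation policy set through the attribute list actually took effect in the created process, shown as an added example that is not part of the answer above. It assumes Windows 8 or later, where `GetProcessMitigationPolicy()` is available; the class name `SignaturePolicyCheck`, the optional PID argument and the exit codes are choices made for this illustration.

```csharp
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

static class SignaturePolicyCheck // hypothetical name, for illustration only
{
    // PROCESS_MITIGATION_POLICY enum value for the binary-signature policy (winnt.h).
    const int ProcessSignaturePolicy = 8;

    // Bit flags of PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY.Flags (winnt.h).
    [Flags]
    enum SignatureFlags : uint
    {
        MicrosoftSignedOnly = 0x1,
        StoreSignedOnly = 0x2,
        MitigationOptIn = 0x4,
    }

    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool GetProcessMitigationPolicy(
        IntPtr hProcess, int mitigationPolicy, out uint lpBuffer, UIntPtr dwLength);

    static int Main(string[] args)
    {
        // No argument: inspect this process. Otherwise inspect the given PID.
        using (Process target = args.Length > 0
            ? Process.GetProcessById(int.Parse(args[0]))
            : Process.GetCurrentProcess())
        {
            if (!GetProcessMitigationPolicy(target.Handle, ProcessSignaturePolicy,
                    out uint raw, new UIntPtr(sizeof(uint))))
            {
                Console.Error.WriteLine(
                    "GetProcessMitigationPolicy failed: error " + Marshal.GetLastWin32Error());
                return 2;
            }

            var flags = (SignatureFlags)raw;
            Console.WriteLine("PID {0}: signature policy flags = {1} (0x{2:X})",
                target.Id, flags, raw);

            // MicrosoftSignedOnly is the bit the BLOCK_NON_MICROSOFT_BINARIES policy sets.
            bool enforced = flags.HasFlag(SignatureFlags.MicrosoftSignedOnly);
            Console.WriteLine(enforced
                ? "Non-Microsoft binaries are blocked."
                : "Policy is NOT enforced.");
            return enforced ? 0 : 1;
        }
    }
}
```

Run it as the child process itself, or pass the child's PID from a process that is allowed to open it with query access.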