Added some additional object queries.

Author: tyranid

NtApiDotNet/NtEvent.cs

@@ -246,6 +246,23 @@ public override NtStatus QueryInformation(EventInformationClass info_class, Safe
             return NtSystemCalls.NtQueryEvent(Handle, info_class, buffer, buffer.GetLength(), out return_length);
         }
 
+        /// <summary>
+        /// Query the information class as an object.
+        /// </summary>
+        /// <param name="info_class">The information class.</param>
+        /// <param name="throw_on_error">True to throw on error.</param>
+        /// <returns>The information class as an object.</returns>
+        public override NtResult<object> QueryObject(EventInformationClass info_class, bool throw_on_error)
+        {
+            switch (info_class)
+            {
+                case EventInformationClass.EventBasicInformation:
+                    return Query<EventBasicInformation>(info_class, default, throw_on_error).Cast<object>();
+            }
+
+            return base.QueryObject(info_class, throw_on_error);
+        }
+
         #endregion
 
         #region Public Properties

NtApiDotNet/NtFile.cs

@@ -4829,6 +4829,32 @@ public override NtStatus SetInformation(FileInformationClass info_class, SafeBuf
             return NtSystemCalls.NtSetInformationFile(Handle, io_status, buffer, buffer.GetLength(), info_class);
         }
 
+        /// <summary>
+        /// Query the information class as an object.
+        /// </summary>
+        /// <param name="info_class">The information class.</param>
+        /// <param name="throw_on_error">True to throw on error.</param>
+        /// <returns>The information class as an object.</returns>
+        public override NtResult<object> QueryObject(FileInformationClass info_class, bool throw_on_error)
+        {
+            switch (info_class)
+            {
+                case FileInformationClass.FileBasicInformation:
+                    return Query<FileBasicInformation>(info_class, default, throw_on_error).Cast<object>();
+                case FileInformationClass.FileEndOfFileInformation:
+                    return Query<FileEndOfFileInformation>(info_class, default, throw_on_error).Cast<object>();
+                case FileInformationClass.FileStandardInformation:
+                    return Query<FileStandardInformation>(info_class, default, throw_on_error).Cast<object>();
+                case FileInformationClass.FileNetworkOpenInformation:
+                    return Query<FileNetworkOpenInformation>(info_class, default, throw_on_error).Cast<object>();
+                case FileInformationClass.FileInternalInformation:
+                    return Query<FileInternalInformation>(info_class, default, throw_on_error).Cast<object>();
+                case FileInformationClass.FileRemoteProtocolInformation:
+                    return Query<FileRemoteProtocolInformation>(info_class, default, throw_on_error).Cast<object>();
+            }
+            return base.QueryObject(info_class, throw_on_error);
+        }
+
         #endregion
 
         #region Public Properties

NtApiDotNet/NtFileNative.cs

@@ -952,6 +952,13 @@ public struct FilePipeLocalInformation
         public NamedPipeEnd NamedPipeEnd;
     }
 
+    [StructLayout(LayoutKind.Sequential)]
+    public struct FilePipeRemoteInformation
+    {
+        public LargeIntegerStruct CollectDataTime;
+        public int MaximumCollectionCount;
+    }
+
     [StructLayout(LayoutKind.Sequential)]
     public struct FileMailslotQueryInformation
     {

NtApiDotNet/NtNamedPipeFile.cs

@@ -301,6 +301,27 @@ public string GetAttributeString(PipeAttributeType attribute_type, string name)
         {
             return GetAttributeString(attribute_type, name, true).Result;
         }
+
+        /// <summary>
+        /// Query the information class as an object.
+        /// </summary>
+        /// <param name="info_class">The information class.</param>
+        /// <param name="throw_on_error">True to throw on error.</param>
+        /// <returns>The information class as an object.</returns>
+        public override NtResult<object> QueryObject(FileInformationClass info_class, bool throw_on_error)
+        {
+            switch (info_class)
+            {
+                case FileInformationClass.FilePipeInformation:
+                    return Query<FilePipeInformation>(info_class, default, throw_on_error).Cast<object>();
+                case FileInformationClass.FilePipeLocalInformation:
+                    return Query<FilePipeLocalInformation>(info_class, default, throw_on_error).Cast<object>();
+                case FileInformationClass.FilePipeRemoteInformation:
+                    return Query<FilePipeRemoteInformation>(info_class, default, throw_on_error).Cast<object>();
+            }
+            return base.QueryObject(info_class, throw_on_error);
+        }
+
         #endregion
 
         #region Public Properties

NtApiDotNet/NtProcess.cs

@@ -2201,6 +2201,14 @@ public override NtResult<object> QueryObject(ProcessInformationClass info_class,
                     return Query<IoCounters>(info_class, default, throw_on_error).Cast<object>();
                 case ProcessInformationClass.ProcessTimes:
                     return Query<KernelUserTimes>(info_class, default, throw_on_error).Cast<object>();
+                case ProcessInformationClass.ProcessQuotaLimits:
+                    return Query<QuotaLimitsEx>(info_class, default, throw_on_error).Cast<object>();
+                case ProcessInformationClass.ProcessVmCounters:
+                    return Query<VmCountersEx>(info_class, default, throw_on_error).Cast<object>();
+                case ProcessInformationClass.ProcessCycleTime:
+                    return Query<ProcessCycleTimeInformation>(info_class, default, throw_on_error).Cast<object>();
+                case ProcessInformationClass.ProcessProtectionInformation:
+                    return Query<PsProtection>(info_class, default, throw_on_error).Cast<object>();
             }
             return base.QueryObject(info_class, throw_on_error);
         }
@@ -2491,10 +2499,8 @@ public int HardErrorMode
 
 
         /// <summary>
-        /// Get the process handle table and try and get them as objects.
+        /// Does the process has a child process restriction?
         /// </summary>
-        /// <returns>The list of handles as objects.</returns>
-        /// <remarks>This function will drop handles it can't duplicate.</remarks>
         public bool IsChildProcessRestricted
         {
             get
@@ -2631,7 +2637,6 @@ public bool VirtualizationEnabled
         /// Get the time spent in user mode.
         /// </summary>
         public double UserTimeSeconds => new TimeSpan(UserTime).TotalSeconds;
-
         /// <summary>
         /// Get the process IO counters.
         /// </summary>

NtApiDotNet/NtProcessNative.cs

@@ -446,6 +446,13 @@ public struct ProcessCombineSecurityDomainInformation
         public IntPtr ProcessHandle;
     }
 
+    [StructLayout(LayoutKind.Sequential)]
+    public struct ProcessCycleTimeInformation
+    {
+        public long AccumulatedCycles;
+        public long CurrentCycleCount;
+    }
+
     public enum ProcessInformationClass
     {
         ProcessBasicInformation, 
@@ -547,7 +554,9 @@ public enum ProcessInformationClass
         ProcessEnableLogging,
         ProcessLeapSecondInformation,
         ProcessFiberShadowStackAllocation,
-        ProcessFreeFiberShadowStackAllocation
+        ProcessFreeFiberShadowStackAllocation,
+        ProcessAltSystemCallInformation,
+        ProcessDynamicEHContinuationTargets,
     }
 
     public enum ProcessMitigationPolicy
@@ -701,6 +710,63 @@ public struct ProcessRevokeFileHandlesInformation
         public UnicodeString TargetDevicePath;
     }
 
+    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
+    public struct RateQuotaLimit
+    {
+        public int RateData;
+        public int RatePercent => RateData & 0x7F;
+
+        public override string ToString()
+        {
+            return $"{RatePercent}%";
+        }
+    }
+
+    [Flags]
+    public enum QuotaLimitsExFlags
+    {
+        None = 0,
+        MinEnable = 1,
+        MinDisable = 2,
+        MaxEnable = 4,
+        MaxDisable = 8,
+        UseDefaultLimits = 0x10
+    }
+
+    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
+    public struct QuotaLimitsEx
+    {
+        public IntPtr PagedPoolLimit;
+        public IntPtr NonPagedPoolLimit;
+        public IntPtr MinimumWorkingSetSize;
+        public IntPtr MaximumWorkingSetSize;
+        public IntPtr PagefileLimit;
+        public LargeIntegerStruct TimeLimit;
+        public IntPtr WorkingSetLimit;
+        public IntPtr Reserved2;
+        public IntPtr Reserved3;
+        public IntPtr Reserved4;
+        public QuotaLimitsExFlags Flags;
+        public RateQuotaLimit CpuRateLimit;
+    }
+
+    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
+    public struct VmCountersEx
+    {
+        public IntPtr PeakVirtualSize;
+        public IntPtr VirtualSize;
+        public int PageFaultCount;
+        public IntPtr PeakWorkingSetSize;
+        public IntPtr WorkingSetSize;
+        public IntPtr QuotaPeakPagedPoolUsage;
+        public IntPtr QuotaPagedPoolUsage;
+        public IntPtr QuotaPeakNonPagedPoolUsage;
+        public IntPtr QuotaNonPagedPoolUsage;
+        public IntPtr PagefileUsage;
+        public IntPtr PeakPagefileUsage;
+        public IntPtr PrivateUsage;
+    }
+
     public static partial class NtSystemCalls
     {
         [DllImport("ntdll.dll")]