protected override void Update()
{
if (_pid != 4 && _processHandle == null)
{
Logging.Log(Logging.Importance.Warning, "ModuleProvider: Process Handle is null, exiting...");
return;
}
var modules = new Dictionary <IntPtr, ILoadedModule>();
var newdictionary = new Dictionary <IntPtr, ModuleItem>(this.Dictionary);
if (_pid != 4)
{
// Is this a WOW64 process? If it is, get the 32-bit modules.
if (!_isWow64)
{
_processHandle.EnumModules((module) =>
{
if (!modules.ContainsKey(module.BaseAddress))
{
modules.Add(module.BaseAddress, module);
}
return(true);
});
}
else
{
using (DebugBuffer buffer = new DebugBuffer())
{
buffer.Query(
_pid,
RtlQueryProcessDebugFlags.Modules32 |
RtlQueryProcessDebugFlags.NonInvasive
);
var processModules = buffer.GetModules();
foreach (var m in processModules)
{
// Most of the time we will get a duplicate entry -
// the main executable image. Guard against that.
if (!modules.ContainsKey(m.BaseAddress))
{
modules.Add(
m.BaseAddress,
new ProcessModule(
m.BaseAddress,
m.Size,
IntPtr.Zero,
m.Flags,
System.IO.Path.GetFileName(m.FileName),
m.FileName
)
);
}
}
}
}
// add mapped files
_processHandle.EnumMemory((info) =>
{
if (info.Type == MemoryType.Mapped)
{
try
{
string fileName = _processHandle.GetMappedFileName(info.BaseAddress);
if (fileName != null)
{
var fi = new System.IO.FileInfo(fileName);
modules.Add(info.BaseAddress,
new ProcessModule(
info.BaseAddress,
info.RegionSize.ToInt32(),
IntPtr.Zero,
0,
fi.Name, fi.FullName));
}
}
catch
{ }
}
return(true);
});
}
else
{
// Add loaded kernel modules.
Windows.EnumKernelModules((module) =>
{
if (!modules.ContainsKey(module.BaseAddress))
{
modules.Add(module.BaseAddress, module);
}
return(true);
});
}
// look for unloaded modules
foreach (IntPtr b in Dictionary.Keys)
{
if (!modules.ContainsKey(b))
{
this.OnDictionaryRemoved(this.Dictionary[b]);
newdictionary.Remove(b);
}
}
// look for new modules
foreach (IntPtr b in modules.Keys)
{
if (!Dictionary.ContainsKey(b))
{
var m = modules[b];
ModuleItem item = new ModuleItem();
item.RunId = this.RunCount;
item.Name = m.BaseName;
try
{
item.FileName = FileUtils.GetFileName(m.FileName);
}
catch
{ }
item.BaseAddress = b.ToUInt64();
item.Size = m.Size;
item.Flags = m.Flags;
try
{
var info = System.Diagnostics.FileVersionInfo.GetVersionInfo(item.FileName);
item.FileDescription = info.FileDescription;
item.FileCompanyName = info.CompanyName;
item.FileVersion = info.FileVersion;
}
catch
{ }
newdictionary.Add(b, item);
this.OnDictionaryAdded(item);
}
}
this.Dictionary = newdictionary;
}
private void DoFilter()
{
// Stop if cancel
if (!CancelRequested)
{
var handles = Windows.GetHandles();
Dictionary <int, ProcessHandle> processHandles = new Dictionary <int, ProcessHandle>();
// Find handles
for (int i = 0; i < handles.Length; i++)
{
// Check for cancellation here too,
// otherwise the user might have to wait for much time
if (CancelRequested)
{
return;
}
if (i % 20 == 0)
{
OnMatchProgress(i, handles.Length);
}
var handle = handles[i];
CompareHandleBestNameWithFilter(processHandles, handle);
// test Exception
//if (i > 2000) throw new Exception("test");
}
foreach (ProcessHandle phandle in processHandles.Values)
{
phandle.Dispose();
}
// Find DLLs and mapped files
var processes = Windows.GetProcesses();
foreach (var process in processes)
{
try
{
// Modules
using (var phandle = new ProcessHandle(process.Key,
Program.MinProcessQueryRights | Program.MinProcessReadMemoryRights))
{
phandle.EnumModules((module) =>
{
if (module.FileName.ToLowerInvariant().Contains(strFilterLower))
{
this.CallDllMatchListView(process.Key, module);
}
return(true);
});
}
// Memory
using (var phandle = new ProcessHandle(process.Key,
ProcessAccess.QueryInformation | Program.MinProcessReadMemoryRights))
{
phandle.EnumMemory((region) =>
{
if (region.Type != MemoryType.Mapped)
{
return(true);
}
string name = phandle.GetMappedFileName(region.BaseAddress);
if (name != null && name.ToLowerInvariant().Contains(strFilterLower))
{
this.CallMappedFileMatchListView(process.Key, region.BaseAddress, name);
}
return(true);
});
}
// WOW64 Modules
if (OSVersion.Architecture == OSArch.Amd64)
{
using (DebugBuffer buffer = new DebugBuffer())
{
buffer.Query(
process.Key,
RtlQueryProcessDebugFlags.Modules32 |
RtlQueryProcessDebugFlags.NonInvasive
);
buffer.EnumModules((module) =>
{
if (module.FileName.ToLowerInvariant().Contains(strFilterLower))
{
this.CallDllMatchListView(process.Key, module);
}
return(true);
});
}
}
}
catch (Exception ex)
{
Logging.Log(ex);
}
}
OnMatchListView(null);
}
}
