protected override void Update() { if (_pid != 4 && _processHandle == null) { Logging.Log(Logging.Importance.Warning, "ModuleProvider: Process Handle is null, exiting..."); return; } var modules = new Dictionary <IntPtr, ILoadedModule>(); var newdictionary = new Dictionary <IntPtr, ModuleItem>(this.Dictionary); if (_pid != 4) { // Is this a WOW64 process? If it is, get the 32-bit modules. if (!_isWow64) { _processHandle.EnumModules((module) => { if (!modules.ContainsKey(module.BaseAddress)) { modules.Add(module.BaseAddress, module); } return(true); }); } else { using (DebugBuffer buffer = new DebugBuffer()) { buffer.Query( _pid, RtlQueryProcessDebugFlags.Modules32 | RtlQueryProcessDebugFlags.NonInvasive ); var processModules = buffer.GetModules(); foreach (var m in processModules) { // Most of the time we will get a duplicate entry - // the main executable image. Guard against that. if (!modules.ContainsKey(m.BaseAddress)) { modules.Add( m.BaseAddress, new ProcessModule( m.BaseAddress, m.Size, IntPtr.Zero, m.Flags, System.IO.Path.GetFileName(m.FileName), m.FileName ) ); } } } } // add mapped files _processHandle.EnumMemory((info) => { if (info.Type == MemoryType.Mapped) { try { string fileName = _processHandle.GetMappedFileName(info.BaseAddress); if (fileName != null) { var fi = new System.IO.FileInfo(fileName); modules.Add(info.BaseAddress, new ProcessModule( info.BaseAddress, info.RegionSize.ToInt32(), IntPtr.Zero, 0, fi.Name, fi.FullName)); } } catch { } } return(true); }); } else { // Add loaded kernel modules. Windows.EnumKernelModules((module) => { if (!modules.ContainsKey(module.BaseAddress)) { modules.Add(module.BaseAddress, module); } return(true); }); } // look for unloaded modules foreach (IntPtr b in Dictionary.Keys) { if (!modules.ContainsKey(b)) { this.OnDictionaryRemoved(this.Dictionary[b]); newdictionary.Remove(b); } } // look for new modules foreach (IntPtr b in modules.Keys) { if (!Dictionary.ContainsKey(b)) { var m = modules[b]; ModuleItem item = new ModuleItem(); item.RunId = this.RunCount; item.Name = m.BaseName; try { item.FileName = FileUtils.GetFileName(m.FileName); } catch { } item.BaseAddress = b.ToUInt64(); item.Size = m.Size; item.Flags = m.Flags; try { var info = System.Diagnostics.FileVersionInfo.GetVersionInfo(item.FileName); item.FileDescription = info.FileDescription; item.FileCompanyName = info.CompanyName; item.FileVersion = info.FileVersion; } catch { } newdictionary.Add(b, item); this.OnDictionaryAdded(item); } } this.Dictionary = newdictionary; }
private void DoFilter() { // Stop if cancel if (!CancelRequested) { var handles = Windows.GetHandles(); Dictionary <int, ProcessHandle> processHandles = new Dictionary <int, ProcessHandle>(); // Find handles for (int i = 0; i < handles.Length; i++) { // Check for cancellation here too, // otherwise the user might have to wait for much time if (CancelRequested) { return; } if (i % 20 == 0) { OnMatchProgress(i, handles.Length); } var handle = handles[i]; CompareHandleBestNameWithFilter(processHandles, handle); // test Exception //if (i > 2000) throw new Exception("test"); } foreach (ProcessHandle phandle in processHandles.Values) { phandle.Dispose(); } // Find DLLs and mapped files var processes = Windows.GetProcesses(); foreach (var process in processes) { try { // Modules using (var phandle = new ProcessHandle(process.Key, Program.MinProcessQueryRights | Program.MinProcessReadMemoryRights)) { phandle.EnumModules((module) => { if (module.FileName.ToLowerInvariant().Contains(strFilterLower)) { this.CallDllMatchListView(process.Key, module); } return(true); }); } // Memory using (var phandle = new ProcessHandle(process.Key, ProcessAccess.QueryInformation | Program.MinProcessReadMemoryRights)) { phandle.EnumMemory((region) => { if (region.Type != MemoryType.Mapped) { return(true); } string name = phandle.GetMappedFileName(region.BaseAddress); if (name != null && name.ToLowerInvariant().Contains(strFilterLower)) { this.CallMappedFileMatchListView(process.Key, region.BaseAddress, name); } return(true); }); } // WOW64 Modules if (OSVersion.Architecture == OSArch.Amd64) { using (DebugBuffer buffer = new DebugBuffer()) { buffer.Query( process.Key, RtlQueryProcessDebugFlags.Modules32 | RtlQueryProcessDebugFlags.NonInvasive ); buffer.EnumModules((module) => { if (module.FileName.ToLowerInvariant().Contains(strFilterLower)) { this.CallDllMatchListView(process.Key, module); } return(true); }); } } } catch (Exception ex) { Logging.Log(ex); } } OnMatchListView(null); } }