Example #1
0
        public TreePath RefreshTreePath()
        {
            ProcessNode currentNode = this;
            int         i           = _processNodeTreePathMaxDepth;

            if (_processNodeTreePathBuffer == null)
            {
                _processNodeTreePathBuffer = new ProcessNode[_processNodeTreePathMaxDepth];
            }

            while (i > 0 && currentNode != null)
            {
                _processNodeTreePathBuffer[--i] = currentNode;
                currentNode = currentNode.Parent;
            }

            ProcessNode[] path;

            path = new ProcessNode[_processNodeTreePathMaxDepth - i];
            Array.Copy(_processNodeTreePathBuffer, i, path, 0, _processNodeTreePathMaxDepth - i);

            _treePath = new TreePath(path);

            return(_treePath);
        }
Example #2
0
        public void RefreshItems()
        {
            lock (_listLock)
            {
                foreach (TreeNodeAdv node in treeProcesses.AllNodes)
                {
                    try
                    {
                        ProcessNode pNode = this.FindNode(node);

                        // May not be in the dictionary if the process has terminated but
                        // the node is still being highlighted.
                        if (_provider.Dictionary.ContainsKey(pNode.Pid))
                        {
                            ProcessItem item = _provider.Dictionary[pNode.Pid];

                            node.BackColor = this.GetProcessColor(item);
                        }
                    }
                    catch (Exception ex)
                    {
                        Logging.Log(ex);
                    }
                }
            }
        }
Example #3
0
        public void Modify(ProcessItem oldItem, ProcessItem newItem)
        {
            ProcessNode node = _processes[newItem.Pid];

            node.ProcessItem = newItem;

            //if (node.ProcessItem.HasParent && node.PPID != -1)
            //    this.NodesChanged(this, new TreeModelEventArgs(this.GetPath(
            //        _processes.ContainsKey(node.PPID) ? _processes[node.PPID] : null),
            //        new object[] { node }));
        }
Example #4
0
        public void MoveChildrenToRoot(ProcessNode node)
        {
            ProcessNode[] children = node.Children.ToArray();

            foreach (ProcessNode child in children)
            {
                child.Parent = null;
                child.RefreshTreePathRecursive();
            }

            _roots.AddRange(children);
        }
Example #5
0
        public void Remove(ProcessItem item)
        {
            ProcessNode itemNode = _processes[item.Pid];

            ProcessNode[] itemChildren = null;

            // Dispose of the process node we're removing.
            itemNode.Dispose();

            itemChildren = itemNode.Children.ToArray();

            // Check if the node has a parent.
            if (itemNode.Parent == null)
            {
                if (_roots.Contains(itemNode))
                {
                    // Remove the process from the roots and make its children root nodes.
                    _roots.Remove(itemNode);
                    this.MoveChildrenToRoot(itemNode);
                }
            }
            else
            {
                if (itemNode.Parent.Children.Contains(itemNode))
                {
                    // Remove the node from its parent and make its children root nodes.
                    itemNode.Parent.Children.Remove(itemNode);
                    this.MoveChildrenToRoot(itemNode);
                }
            }

            // Remove the process from the process dictionary.
            _processes.Remove(item.Pid);
            this.StructureChanged(this, new TreePathEventArgs(new TreePath()));

            // Expand the children because TreeViewAdv collapses them by default.
            if (itemChildren != null)
            {
                foreach (ProcessNode n in itemChildren)
                {
                    try
                    {
                        _tree.FindTreeNode(n).ExpandAll();
                    }
                    catch (Exception ex)
                    {
                        Logging.Log(ex);
                    }
                }
            }

            _tree.Invalidate();
        }
Example #6
0
        public TreePath GetPath(ProcessNode node)
        {
            if (node == null)
            {
                return(TreePath.Empty);
            }

            if (this.GetSortColumn() != string.Empty)
            {
                return(new TreePath(node));
            }

            return(node.TreePath);
        }
Example #7
0
        public TreePath RefreshTreePath()
        {
            ProcessNode         currentNode = this;
            Stack <ProcessNode> stack       = new Stack <ProcessNode>();

            while (currentNode != null)
            {
                stack.Push(currentNode);
                currentNode = currentNode.Parent;
            }

            _treePath = new TreePath(stack.ToArray());

            return(_treePath);
        }
Example #8
0
        public void Add(ProcessItem item)
        {
            ProcessNode itemNode = new ProcessNode(item);

            // Add the process to the list of all processes.
            _processes.Add(item.Pid, itemNode);

            // Find the process' parent and add the process to it if we found it.
            if (item.HasParent && _processes.ContainsKey(item.ParentPid))
            {
                ProcessNode parent = _processes[item.ParentPid];

                parent.Children.Add(itemNode);
                itemNode.Parent = parent;
            }
            else
            {
                // The process doesn't have a parent, so add it to the root nodes.
                _roots.Add(itemNode);
            }

            itemNode.RefreshTreePath();

            // Find this process' children and fix them up.

            // We need to create a copy of the array because we may need
            // to modify the roots list.
            ProcessNode[] roots = _roots.ToArray();

            foreach (ProcessNode node in roots)
            {
                // Notice that we don't replace a node's parent if it
                // already has one. This is to break potential cyclic
                // references.
                if (node.Parent == null && node.ProcessItem.HasParent && node.PPid == item.Pid)
                {
                    // Remove the node from the root list and add it to our
                    // process' child list.
                    _roots.Remove(node);
                    itemNode.Children.Add(node);
                    node.Parent = itemNode;
                    node.RefreshTreePathRecursive();
                }
            }

            this.StructureChanged(this, new TreePathEventArgs(new TreePath()));
        }
        public void Add(ProcessItem item)
        {
            ProcessNode itemNode = new ProcessNode(item);

            // Add the process to the list of all processes.
            _processes.Add(item.Pid, itemNode);

            // Find the process' parent and add the process to it if we found it.
            if (item.HasParent && _processes.ContainsKey(item.ParentPid))
            {
                ProcessNode parent = _processes[item.ParentPid];

                parent.Children.Add(itemNode);
                itemNode.Parent = parent;
            }
            else
            {
                // The process doesn't have a parent, so add it to the root nodes.
                _roots.Add(itemNode);
            }

            itemNode.RefreshTreePath();

            // Find this process' children and fix them up.

            // We need to create a copy of the array because we may need 
            // to modify the roots list.
            ProcessNode[] roots = _roots.ToArray();

            foreach (ProcessNode node in roots)
            {
                // Notice that we don't replace a node's parent if it 
                // already has one. This is to break potential cyclic 
                // references.
                if (node.Parent == null && node.ProcessItem.HasParent && node.PPid == item.Pid)
                {
                    // Remove the node from the root list and add it to our 
                    // process' child list.
                    _roots.Remove(node);
                    itemNode.Children.Add(node);
                    node.Parent = itemNode;
                    node.RefreshTreePathRecursive();
                }
            }

            this.StructureChanged(this, new TreePathEventArgs(new TreePath()));
        }
Example #10
0
        public void Add(ProcessItem item)
        {
            ProcessNode itemNode = new ProcessNode(item);

            _processes.Add(item.Pid, itemNode);

            if (item.HasParent && _processes.ContainsKey(item.ParentPid))
            {
                ProcessNode parent = _processes[item.ParentPid];

                parent.Children.Add(itemNode);
                itemNode.Parent = parent;
            }
            else
            {

                _roots.Add(itemNode);
            }

            itemNode.RefreshTreePath();

            ProcessNode[] roots = _roots.ToArray();

            foreach (ProcessNode node in roots)
            {

                if (node.Parent == null && node.ProcessItem.HasParent && node.PPid == item.Pid)
                {

                    _roots.Remove(node);
                    itemNode.Children.Add(node);
                    node.Parent = itemNode;
                    node.RefreshTreePathRecursive();
                }
            }

            this.StructureChanged(this, new TreePathEventArgs(new TreePath()));
        }
Example #11
0
        public TreePath RefreshTreePath()
        {
            ProcessNode currentNode = this;
            int i = _processNodeTreePathMaxDepth;

            if (_processNodeTreePathBuffer == null)
                _processNodeTreePathBuffer = new ProcessNode[_processNodeTreePathMaxDepth];

            while (i > 0 && currentNode != null)
            {
                _processNodeTreePathBuffer[--i] = currentNode;
                currentNode = currentNode.Parent;
            }

            ProcessNode[] path;

            path = new ProcessNode[_processNodeTreePathMaxDepth - i];
            Array.Copy(_processNodeTreePathBuffer, i, path, 0, _processNodeTreePathMaxDepth - i);

            _treePath = new TreePath(path);

            return _treePath;
        }
        public void MoveChildrenToRoot(ProcessNode node)
        {
            ProcessNode[] children = node.Children.ToArray();

            foreach (ProcessNode child in children)
            {
                child.Parent = null;
                child.RefreshTreePathRecursive();
            }

            _roots.AddRange(children);
        }
        public TreePath GetPath(ProcessNode node)
        {
            if (node == null)
                return TreePath.Empty;

            if (this.GetSortColumn() != "")
            {
                return new TreePath(node);
            }
            else
            {
                return node.TreePath;
            }
        }
Example #14
0
 public TreeNodeAdv FindTreeNode(ProcessNode node)
 {
     return(this.FindTreeNode(node.Pid));
 }
Example #15
0
 public TreeNodeAdv FindTreeNode(ProcessNode node)
 {
     return this.FindTreeNode(node.Pid);
 }
        public string GetToolTip(ProcessNode pNode)
        {
            try
            {
                string cmdText = (!string.IsNullOrEmpty(pNode.ProcessItem.CmdLine) ?
                        (Utils.CreateEllipsis(pNode.ProcessItem.CmdLine.Replace("\0", string.Empty), 100) + "\n") : string.Empty);

                string fileText = string.Empty;

                try
                {
                    if (pNode.ProcessItem.VersionInfo != null)
                    {
                        var info = pNode.ProcessItem.VersionInfo;

                        fileText = "File:\n" + PhUtils.FormatFileInfo(info.FileName, info.FileDescription, info.CompanyName, info.FileVersion, 4);
                    }
                }
                catch
                {
                    if (!string.IsNullOrEmpty(pNode.ProcessItem.FileName))
                        fileText = "File:\n    " + pNode.ProcessItem.FileName;
                }

                string runDllText = string.Empty;

                if (!string.IsNullOrEmpty(pNode.ProcessItem.FileName) &&
                    pNode.ProcessItem.FileName.EndsWith("\\rundll32.exe",
                    StringComparison.InvariantCultureIgnoreCase) &&
                    !string.IsNullOrEmpty(pNode.ProcessItem.CmdLine))
                {
                    try
                    {
                        // TODO: fix crappy method
                        string targetFile = pNode.ProcessItem.CmdLine.Split(new char[] { ' ' }, 2)[1].Split(',')[0];

                        // if it doesn't specify an absolute path, assume it's in system32.
                        if (!targetFile.Contains(":", StringComparison.OrdinalIgnoreCase))
                            targetFile = Environment.SystemDirectory + "\\" + targetFile;

                        FileVersionInfo info = FileVersionInfo.GetVersionInfo(targetFile);

                        runDllText = "\nRunDLL target:\n    " + info.FileName + "\n    " +
                            info.FileDescription + " " + info.FileVersion + "\n    " +
                            info.CompanyName;
                    }
                    catch (Exception ex)
                    {
                        Logging.Log(ex);
                    }
                }

                string dllhostText = string.Empty;

                if (!string.IsNullOrEmpty(pNode.ProcessItem.FileName) &&
                    pNode.ProcessItem.FileName.EndsWith("\\dllhost.exe", StringComparison.InvariantCultureIgnoreCase) &&
                    !string.IsNullOrEmpty(pNode.ProcessItem.CmdLine))
                {
                    try
                    {
                        string clsid = pNode.ProcessItem.CmdLine.ToLowerInvariant().Split(new[]
                        {
                            "/processid:"
                        }, StringSplitOptions.None)[1].Split(' ')[0];

                        using (RegistryKey key = Registry.ClassesRoot.OpenSubKey("CLSID\\" + clsid))
                        using (RegistryKey inprocServer32 = key.OpenSubKey("InprocServer32"))
                        {
                            string name = key.GetValue(string.Empty) as string;
                            string fileName = inprocServer32.GetValue(string.Empty) as string;

                            FileVersionInfo info = FileVersionInfo.GetVersionInfo(Environment.ExpandEnvironmentVariables(fileName));

                            dllhostText = "\nCOM Target:\n    " + name + " (" + clsid.ToUpper() + ")\n    " +
                                          info.FileName + "\n    " +
                                          info.FileDescription + " " + info.FileVersion + "\n    " + info.CompanyName;
                        }

                    }
                    catch (Exception ex)
                    {
                        Logging.Log(ex);
                    }
                }

                string servicesText = string.Empty;

                try
                {
                    IDictionary<int, List<string>> processServices;
                    IDictionary<string, ServiceItem> services;

                    if (!_tree.DumpMode)
                    {
                        processServices = Program.HackerWindow.ProcessServices;
                        services = Program.ServiceProvider.Dictionary;
                    }
                    else
                    {
                        processServices = _tree.DumpProcessServices;
                        services = _tree.DumpServices;
                    }

                    if (processServices.ContainsKey(pNode.Pid))
                    {
                        foreach (string service in processServices[pNode.Pid])
                        {
                            if (services.ContainsKey(service))
                            {
                                if (string.IsNullOrEmpty(services[service].Status.DisplayName))
                                    servicesText += "    " + service + " (" + services[service].Status.DisplayName + ")\n";
                                else
                                    servicesText += "    " + service + "\n";
                            }
                            else
                            {
                                servicesText += "    " + service + "\n";
                            }
                        }

                        servicesText = "\nServices:\n" + servicesText.TrimEnd('\n');
                    }
                }
                catch (Exception ex)
                {
                    Logging.Log(ex);
                }

                string otherNotes = string.Empty;

                try
                {
                    if (pNode.ProcessItem.IsPacked && pNode.ProcessItem.ImportModules > 0)
                        otherNotes += "\n    Image is probably packed - has " +
                            pNode.ProcessItem.ImportFunctions.ToString() + " imports over " +
                            pNode.ProcessItem.ImportModules.ToString() + " modules.";
                    else if (pNode.ProcessItem.IsPacked)
                        otherNotes += "\n    Image is probably packed - error reading PE file.";

                    if (pNode.ProcessItem.FileName != null)
                    {
                        if (pNode.ProcessItem.VerifyResult == VerifyResult.Trusted)
                        {
                            if (!string.IsNullOrEmpty(pNode.ProcessItem.VerifySignerName))
                                otherNotes += "\n    Signer: " + pNode.ProcessItem.VerifySignerName;
                            else
                                otherNotes += "\n    Signed.";
                        }
                        else if (pNode.ProcessItem.VerifyResult == VerifyResult.Unknown &&
                            !Settings.Instance.VerifySignatures)
                        {
                            otherNotes += string.Empty;
                        }
                        else if (pNode.ProcessItem.VerifyResult == VerifyResult.Unknown &&
                            Settings.Instance.VerifySignatures && !_tree.DumpMode)
                        {
                            otherNotes += "\n    File has not been processed yet. Please wait..."; 
                        }
                        else if (pNode.ProcessItem.VerifyResult != VerifyResult.NoSignature)
                        {
                            otherNotes += "\n    Signature invalid.";
                        }

                        if (Program.ImposterNames.Contains(pNode.Name.ToLowerInvariant()) &&
                            pNode.ProcessItem.VerifyResult != VerifyResult.Trusted &&
                            pNode.ProcessItem.VerifyResult != VerifyResult.Unknown)
                            otherNotes += "\n    Process is using the name of a known process but its signature could not be verified.";
                    }

                    if (pNode.ProcessItem.IsInJob)
                        otherNotes += "\n    Process is in a job.";
                    if (pNode.ProcessItem.ElevationType == TokenElevationType.Full)
                        otherNotes += "\n    Process is elevated.";
                    if (pNode.ProcessItem.IsDotNet)
                        otherNotes += "\n    Process is managed (.NET).";
                    if (pNode.ProcessItem.IsPosix)
                        otherNotes += "\n    Process is POSIX.";
                    if (pNode.ProcessItem.IsWow64)
                        otherNotes += "\n    Process is 32-bit (running under WOW64).";

                    if (otherNotes != string.Empty)
                        otherNotes = "\nNotes:" + otherNotes;
                }
                catch (Exception ex)
                {
                    Logging.Log(ex);
                }

                return (cmdText + fileText + otherNotes + runDllText + dllhostText + servicesText).Trim(' ', '\n', '\r');
            }
            catch (Exception ex)
            {
                Logging.Log(ex);
            }

            return string.Empty;
        }
        public string GetToolTip(ProcessNode pNode)
        {
            try
            {
                string cmdText = (pNode.ProcessItem.CmdLine != null ?
                        (Utils.CreateEllipsis(pNode.ProcessItem.CmdLine.Replace("\0", ""), 100) + "\n") : "");

                string fileText = "";

                try
                {
                    string filename = "";

                    if (pNode.Pid == 4)
                    {
                        filename = FileUtils.GetFileName(Windows.KernelFileName);
                    }
                    else
                    {
                        filename = pNode.ProcessItem.FileName;
                    }

                    FileVersionInfo info = FileVersionInfo.GetVersionInfo(filename);

                    fileText = "File:\n    " + info.FileName + "\n    " +
                        info.FileDescription + " " + info.FileVersion + "\n    " +
                        info.CompanyName;
                }
                catch
                {
                    if (pNode.ProcessItem.FileName != null)
                        fileText = "File:\n    " + pNode.ProcessItem.FileName;
                }

                string runDllText = "";

                if (pNode.ProcessItem.FileName != null &&
                    pNode.ProcessItem.FileName.Equals(Environment.SystemDirectory + "\\rundll32.exe",
                    StringComparison.InvariantCultureIgnoreCase) &&
                    pNode.ProcessItem.CmdLine != null)
                {
                    try
                    {
                        // TODO: fix crappy method
                        string targetFile = pNode.ProcessItem.CmdLine.Split(new char[] { ' ' }, 2)[1].Split(',')[0];

                        // if it doesn't specify an absolute path, assume it's in system32.
                        if (!targetFile.Contains(":"))
                            targetFile = Environment.SystemDirectory + "\\" + targetFile;

                        FileVersionInfo info = FileVersionInfo.GetVersionInfo(targetFile);

                        runDllText = "\nRunDLL target:\n    " + info.FileName + "\n    " +
                            info.FileDescription + " " + info.FileVersion + "\n    " +
                            info.CompanyName;
                    }
                    catch (Exception ex)
                    {
                        Logging.Log(ex);
                    }
                }

                string dllhostText = "";

                if (pNode.ProcessItem.FileName != null &&
                    pNode.ProcessItem.FileName.Equals(Environment.SystemDirectory + "\\dllhost.exe",
                    StringComparison.InvariantCultureIgnoreCase) &&
                    pNode.ProcessItem.CmdLine != null)
                {
                    try
                    {
                        string clsid = pNode.ProcessItem.CmdLine.ToLowerInvariant().Split(
                            new string[] { "/processid:" }, StringSplitOptions.None)[1].Split(' ')[0];
                        var key = Microsoft.Win32.Registry.ClassesRoot.OpenSubKey("CLSID\\" + clsid);
                        var inprocServer32 = key.OpenSubKey("InprocServer32");
                        string name = key.GetValue("") as string;
                        string fileName = inprocServer32.GetValue("") as string;

                        FileVersionInfo info = FileVersionInfo.GetVersionInfo(Environment.ExpandEnvironmentVariables(fileName));

                        dllhostText = "\nCOM Target:\n    " + name + " (" + clsid.ToUpper() + ")\n    " +
                            info.FileName + "\n    " +
                            info.FileDescription + " " + info.FileVersion + "\n    " + info.CompanyName;
                    }
                    catch (Exception ex)
                    {
                        Logging.Log(ex);
                    }
                }

                string servicesText = "";

                try
                {
                    if (Program.HackerWindow.ProcessServices.ContainsKey(pNode.Pid))
                    {
                        foreach (string service in Program.HackerWindow.ProcessServices[pNode.Pid])
                        {
                            if (Program.ServiceProvider.Dictionary.ContainsKey(service))
                            {
                                if (Program.ServiceProvider.Dictionary[service].Status.DisplayName != "")
                                    servicesText += "    " + service + " (" +
                                    Program.ServiceProvider.Dictionary[service].Status.DisplayName + ")\n";
                                else
                                    servicesText += "    " + service + "\n";
                            }
                            else
                            {
                                servicesText += "    " + service + "\n";
                            }
                        }

                        servicesText = "\nServices:\n" + servicesText.TrimEnd('\n');
                    }
                }
                catch (Exception ex)
                {
                    Logging.Log(ex);
                }

                string otherNotes = "";

                try
                {
                    if (pNode.ProcessItem.IsPacked && pNode.ProcessItem.ImportModules > 0)
                        otherNotes += "\n    Image is probably packed - has " +
                            pNode.ProcessItem.ImportFunctions.ToString() + " imports over " +
                            pNode.ProcessItem.ImportModules.ToString() + " modules.";
                    else if (pNode.ProcessItem.IsPacked)
                        otherNotes += "\n    Image is probably packed - error reading PE file.";

                    if (pNode.ProcessItem.FileName != null)
                    {
                        if (pNode.ProcessItem.VerifyResult == VerifyResult.Trusted)
                            otherNotes += "\n    Signature present and verified.";
                        else if (pNode.ProcessItem.VerifyResult == VerifyResult.TrustedInstaller)
                            otherNotes += "\n    Verified Windows component.";
                        else if (pNode.ProcessItem.VerifyResult == VerifyResult.Unknown &&
                            !Properties.Settings.Default.VerifySignatures)
                            otherNotes += "";
                        else if (pNode.ProcessItem.VerifyResult == VerifyResult.Unknown &&
                            Properties.Settings.Default.VerifySignatures)
                            otherNotes += "\n    File has not been processed yet. Please wait...";
                        else if (pNode.ProcessItem.VerifyResult != VerifyResult.NoSignature)
                            otherNotes += "\n    Signature present but invalid.";

                        if (Program.ImposterNames.Contains(pNode.Name.ToLower()) &&
                            pNode.ProcessItem.VerifyResult != VerifyResult.Trusted &&
                            pNode.ProcessItem.VerifyResult != VerifyResult.TrustedInstaller &&
                            pNode.ProcessItem.VerifyResult != VerifyResult.Unknown)
                            otherNotes += "\n    Process is using the name of a known process but its signature could not be verified.";
                    }

                    if (pNode.ProcessItem.IsInJob)
                        otherNotes += "\n    Process is in a job.";
                    if (pNode.ProcessItem.ElevationType == TokenElevationType.Full)
                        otherNotes += "\n    Process is elevated.";
                    if (pNode.ProcessItem.IsDotNet)
                        otherNotes += "\n    Process is managed (.NET).";
                    if (pNode.ProcessItem.IsPosix)
                        otherNotes += "\n    Process is POSIX.";
                    if (pNode.ProcessItem.IsWow64)
                        otherNotes += "\n    Process is 32-bit (running under WOW64).";

                    if (otherNotes != "")
                        otherNotes = "\nNotes:" + otherNotes;
                }
                catch (Exception ex)
                {
                    Logging.Log(ex);
                }

                return (cmdText + fileText + otherNotes + runDllText + dllhostText + servicesText).Trim(' ', '\n', '\r');
            }
            catch (Exception ex)
            {
                Logging.Log(ex);
            }

            return string.Empty;
        }
Example #18
0
        public string GetToolTip(ProcessNode pNode)
        {
            try
            {
                string cmdText = (!string.IsNullOrEmpty(pNode.ProcessItem.CmdLine) ?
                                  (Utils.CreateEllipsis(pNode.ProcessItem.CmdLine.Replace("\0", string.Empty), 100) + "\n") : string.Empty);

                string fileText = string.Empty;

                try
                {
                    if (pNode.ProcessItem.VersionInfo != null)
                    {
                        var info = pNode.ProcessItem.VersionInfo;

                        fileText = "File:\n" + PhUtils.FormatFileInfo(info.FileName, info.FileDescription, info.CompanyName, info.FileVersion, 4);
                    }
                }
                catch
                {
                    if (!string.IsNullOrEmpty(pNode.ProcessItem.FileName))
                    {
                        fileText = "File:\n    " + pNode.ProcessItem.FileName;
                    }
                }

                string runDllText = string.Empty;

                if (!string.IsNullOrEmpty(pNode.ProcessItem.FileName) &&
                    pNode.ProcessItem.FileName.EndsWith("\\rundll32.exe",
                                                        StringComparison.InvariantCultureIgnoreCase) &&
                    !string.IsNullOrEmpty(pNode.ProcessItem.CmdLine))
                {
                    try
                    {
                        // TODO: fix crappy method
                        string targetFile = pNode.ProcessItem.CmdLine.Split(new char[] { ' ' }, 2)[1].Split(',')[0];

                        // if it doesn't specify an absolute path, assume it's in system32.
                        if (!targetFile.Contains(":", StringComparison.OrdinalIgnoreCase))
                        {
                            targetFile = Environment.SystemDirectory + "\\" + targetFile;
                        }

                        FileVersionInfo info = FileVersionInfo.GetVersionInfo(targetFile);

                        runDllText = "\nRunDLL target:\n    " + info.FileName + "\n    " +
                                     info.FileDescription + " " + info.FileVersion + "\n    " +
                                     info.CompanyName;
                    }
                    catch (Exception ex)
                    {
                        Logging.Log(ex);
                    }
                }

                string dllhostText = string.Empty;

                if (!string.IsNullOrEmpty(pNode.ProcessItem.FileName) &&
                    pNode.ProcessItem.FileName.EndsWith("\\dllhost.exe", StringComparison.InvariantCultureIgnoreCase) &&
                    !string.IsNullOrEmpty(pNode.ProcessItem.CmdLine))
                {
                    try
                    {
                        string clsid = pNode.ProcessItem.CmdLine.ToLowerInvariant().Split(new[]
                        {
                            "/processid:"
                        }, StringSplitOptions.None)[1].Split(' ')[0];

                        using (RegistryKey key = Registry.ClassesRoot.OpenSubKey("CLSID\\" + clsid))
                            using (RegistryKey inprocServer32 = key.OpenSubKey("InprocServer32"))
                            {
                                string name     = key.GetValue(string.Empty) as string;
                                string fileName = inprocServer32.GetValue(string.Empty) as string;

                                FileVersionInfo info = FileVersionInfo.GetVersionInfo(Environment.ExpandEnvironmentVariables(fileName));

                                dllhostText = "\nCOM Target:\n    " + name + " (" + clsid.ToUpper() + ")\n    " +
                                              info.FileName + "\n    " +
                                              info.FileDescription + " " + info.FileVersion + "\n    " + info.CompanyName;
                            }
                    }
                    catch (Exception ex)
                    {
                        Logging.Log(ex);
                    }
                }

                string servicesText = string.Empty;

                try
                {
                    IDictionary <int, List <string> > processServices;
                    IDictionary <string, ServiceItem> services;

                    if (!_tree.DumpMode)
                    {
                        processServices = Program.HackerWindow.ProcessServices;
                        services        = Program.ServiceProvider.Dictionary;
                    }
                    else
                    {
                        processServices = _tree.DumpProcessServices;
                        services        = _tree.DumpServices;
                    }

                    if (processServices.ContainsKey(pNode.Pid))
                    {
                        foreach (string service in processServices[pNode.Pid])
                        {
                            if (services.ContainsKey(service))
                            {
                                if (string.IsNullOrEmpty(services[service].Status.DisplayName))
                                {
                                    servicesText += "    " + service + " (" + services[service].Status.DisplayName + ")\n";
                                }
                                else
                                {
                                    servicesText += "    " + service + "\n";
                                }
                            }
                            else
                            {
                                servicesText += "    " + service + "\n";
                            }
                        }

                        servicesText = "\nServices:\n" + servicesText.TrimEnd('\n');
                    }
                }
                catch (Exception ex)
                {
                    Logging.Log(ex);
                }

                string otherNotes = string.Empty;

                try
                {
                    if (pNode.ProcessItem.IsPacked && pNode.ProcessItem.ImportModules > 0)
                    {
                        otherNotes += "\n    Image is probably packed - has " +
                                      pNode.ProcessItem.ImportFunctions.ToString() + " imports over " +
                                      pNode.ProcessItem.ImportModules.ToString() + " modules.";
                    }
                    else if (pNode.ProcessItem.IsPacked)
                    {
                        otherNotes += "\n    Image is probably packed - error reading PE file.";
                    }

                    if (pNode.ProcessItem.FileName != null)
                    {
                        if (pNode.ProcessItem.VerifyResult == VerifyResult.Trusted)
                        {
                            if (!string.IsNullOrEmpty(pNode.ProcessItem.VerifySignerName))
                            {
                                otherNotes += "\n    Signer: " + pNode.ProcessItem.VerifySignerName;
                            }
                            else
                            {
                                otherNotes += "\n    Signed.";
                            }
                        }
                        else if (pNode.ProcessItem.VerifyResult == VerifyResult.Unknown &&
                                 !Settings.Instance.VerifySignatures)
                        {
                            otherNotes += string.Empty;
                        }
                        else if (pNode.ProcessItem.VerifyResult == VerifyResult.Unknown &&
                                 Settings.Instance.VerifySignatures && !_tree.DumpMode)
                        {
                            otherNotes += "\n    File has not been processed yet. Please wait...";
                        }
                        else if (pNode.ProcessItem.VerifyResult != VerifyResult.NoSignature)
                        {
                            otherNotes += "\n    Signature invalid.";
                        }

                        if (Program.ImposterNames.Contains(pNode.Name.ToLowerInvariant()) &&
                            pNode.ProcessItem.VerifyResult != VerifyResult.Trusted &&
                            pNode.ProcessItem.VerifyResult != VerifyResult.Unknown)
                        {
                            otherNotes += "\n    Process is using the name of a known process but its signature could not be verified.";
                        }
                    }

                    if (pNode.ProcessItem.IsInJob)
                    {
                        otherNotes += "\n    Process is in a job.";
                    }
                    if (pNode.ProcessItem.ElevationType == TokenElevationType.Full)
                    {
                        otherNotes += "\n    Process is elevated.";
                    }
                    if (pNode.ProcessItem.IsDotNet)
                    {
                        otherNotes += "\n    Process is managed (.NET).";
                    }
                    if (pNode.ProcessItem.IsPosix)
                    {
                        otherNotes += "\n    Process is POSIX.";
                    }
                    if (pNode.ProcessItem.IsWow64)
                    {
                        otherNotes += "\n    Process is 32-bit (running under WOW64).";
                    }

                    if (otherNotes != string.Empty)
                    {
                        otherNotes = "\nNotes:" + otherNotes;
                    }
                }
                catch (Exception ex)
                {
                    Logging.Log(ex);
                }

                return((cmdText + fileText + otherNotes + runDllText + dllhostText + servicesText).Trim(' ', '\n', '\r'));
            }
            catch (Exception ex)
            {
                Logging.Log(ex);
            }

            return(string.Empty);
        }