/// <summary>
/// Creates a detail record for the process identified by <paramref name="pid"/>.
/// Every cached field starts out empty so that a failure while opening the handle
/// leaves the object in a well-defined "nothing loaded" state.
/// </summary>
/// <param name="pid">Process id whose handle is opened and cached.</param>
public ProcessDetail(int pid) {
    processId = pid;

    // Nothing has been queried yet: no handle, no access rights, no cached structures.
    processHandle = IntPtr.Zero;
    processHandleFlags = LowLevelTypes.ProcessAccessFlags.NONE;
    cachedProcessBasicInfo = null;
    cachedPeb = null;
    cachedProcessParams = null;
    cachedCommandLine = null;

    // Machine type is resolved lazily; mark it as not yet loaded.
    machineType = LowLevelTypes.MachineType.UNKNOWN;
    machineTypeIsLoaded = false;

    // Acquire the handle last, once all defaults are in place.
    OpenAndCacheProcessHandle();
}
/// <summary>
/// Creates a view item with no known classification: the category is
/// <c>Other</c> and the machine type is <c>UNKNOWN</c> until filled in by the caller.
/// </summary>
public ProcessViewItem() {
    this.MachineType = LowLevelTypes.MachineType.UNKNOWN;
    this.Category = ProcessCategory.Other;
}
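/// <summary>
/// Reads the PE/COFF machine field from this process's image file and caches it in
/// <c>machineType</c>, setting <c>machineTypeIsLoaded</c> on success.
/// </summary>
/// <remarks>
/// Requires a process handle that permits querying (asserted on entry). The image is
/// opened via its native device path so that 32-bit file-system redirection does not
/// substitute a SysWOW64 copy for the real 64-bit binary.
/// </remarks>
/// <exception cref="InvalidOperationException">The image path could not be queried.</exception>
/// <exception cref="IOException">The image file could not be opened.</exception>
/// <exception cref="InvalidDataException">The file does not carry a usable PE header.</exception>
private void CacheMachineType() {
    System.Diagnostics.Debug.Assert(CanQueryProcessInformation);

    StringBuilder moduleBuffer = new StringBuilder(1024);
    int size = moduleBuffer.Capacity;

    // If our extension is running in a 32-bit process (which it is), then attempts to access
    // files in C:\windows\system (and a few other files) will redirect to C:\Windows\SysWOW64
    // and we will mistakenly think that the image file is a 32-bit image. The way around this
    // is to use a native system format path, of the form:
    //   \\?\GLOBALROOT\Device\HarddiskVolume0\Windows\System\foo.dat
    // By using the NATIVE_SYSTEM_FORMAT flag to QueryFullProcessImageName, we can get the path
    // in this format.
    NativeMethods.QueryFullProcessImageName(
        processHandle,
        LowLevelTypes.ProcessQueryImageNameMode.NATIVE_SYSTEM_FORMAT,
        moduleBuffer,
        ref size);

    // If the query wrote nothing into the buffer, the path below would be just the
    // "\\?\GLOBALROOT" prefix and CreateFile would fail with a misleading error; report
    // the real cause instead.
    if (moduleBuffer.Length == 0) {
        throw new InvalidOperationException("Unable to query the process image path.");
    }

    moduleBuffer.Insert(0, "\\\\?\\GLOBALROOT");
    string module = moduleBuffer.ToString();

    // Open the PE File as a binary file, and parse just enough information to determine the
    // machine type.
    // http://www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx
    using (SafeFileHandle safeHandle = NativeMethods.CreateFile(
        module,
        LowLevelTypes.FileAccessFlags.GENERIC_READ,
        LowLevelTypes.FileShareFlags.SHARE_READ,
        IntPtr.Zero,
        LowLevelTypes.FileCreationDisposition.OPEN_EXISTING,
        LowLevelTypes.FileFlagsAndAttributes.NORMAL,
        IntPtr.Zero)) {
        // Fail early with the path in the message rather than letting FileStream reject
        // the handle with a generic "invalid handle" error.
        if (safeHandle.IsInvalid) {
            throw new IOException("Unable to open process image file: " + module);
        }

        using (FileStream fs = new FileStream(safeHandle, FileAccess.Read))
        using (BinaryReader br = new BinaryReader(fs)) {
            // e_lfanew (DOS header offset 0x3c) holds the file offset of the PE signature.
            fs.Seek(0x3c, SeekOrigin.Begin);
            int peOffset = br.ReadInt32();

            // The offset comes from the file itself, so bound it before seeking: we need
            // the 4-byte signature plus the 2-byte Machine field to fit within the file.
            if (peOffset < 0 || (long)peOffset + 6 > fs.Length) {
                throw new InvalidDataException("PE header offset out of range: " + peOffset);
            }

            fs.Seek(peOffset, SeekOrigin.Begin);
            uint peHead = br.ReadUInt32();
            if (peHead != 0x00004550) { // "PE\0\0", little-endian
                throw new InvalidDataException("Can't find PE header");
            }

            // The Machine field immediately follows the signature in the COFF header.
            machineType = (LowLevelTypes.MachineType)br.ReadUInt16();
            machineTypeIsLoaded = true;
        }
    }
}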