Esempio n. 1
        /// <summary>
        /// Enumerates the modules loaded by the kernel.
        /// </summary>
        /// <param name="enumCallback">A callback for the enumeration.</param>
        /// <summary>
        /// Enumerates the modules loaded by the kernel.
        /// </summary>
        /// <param name="enumCallback">
        /// Invoked once per kernel module; returning false stops the enumeration early.
        /// </param>
        /// <remarks>
        /// The module list is queried via NtQuerySystemInformation(SystemModuleInformation)
        /// into the shared <c>_kernelModulesBuffer</c>, which is created lazily and grown
        /// once if the first query reports an info-length mismatch. NOTE(review): the shared
        /// buffer is not guarded against concurrent callers.
        /// </remarks>
        public static void EnumKernelModules(EnumKernelModulesDelegate enumCallback)
        {
            if (_kernelModulesBuffer == null)
            {
                _kernelModulesBuffer = new MemoryAlloc(0x1000);
            }

            MemoryAlloc buffer = _kernelModulesBuffer;
            int requiredLength;

            NtStatus queryStatus = Win32.NtQuerySystemInformation(
                SystemInformationClass.SystemModuleInformation,
                buffer,
                buffer.Size,
                out requiredLength
                );

            // A single resize-and-retry, using the length reported by the first call.
            if (queryStatus == NtStatus.InfoLengthMismatch)
            {
                buffer.Resize(requiredLength);

                queryStatus = Win32.NtQuerySystemInformation(
                    SystemInformationClass.SystemModuleInformation,
                    buffer,
                    buffer.Size,
                    out requiredLength
                    );
            }

            // Any remaining error status (including a second length mismatch) is fatal.
            if (queryStatus >= NtStatus.Error)
            {
                Win32.ThrowLastError(queryStatus);
            }

            RtlProcessModules header = buffer.ReadStruct<RtlProcessModules>();
            int moduleCount = header.NumberOfModules;
            bool keepGoing = true;

            for (int index = 0; keepGoing && index < moduleCount; index++)
            {
                RtlProcessModuleInformation rawModule =
                    buffer.ReadStruct<RtlProcessModuleInformation>(RtlProcessModules.ModulesOffset, index);
                var info = new Debugging.ModuleInformation(rawModule);

                KernelModule kernelModule = new KernelModule(
                    info.BaseAddress,
                    info.Size,
                    info.Flags,
                    info.BaseName,
                    FileUtils.GetFileName(info.FileName)
                    );

                // The callback's return value decides whether enumeration continues.
                keepGoing = enumCallback(kernelModule);
            }
        }
Esempio n. 2
        /// <summary>
        /// Gets the page files currently active.
        /// </summary>
        /// <returns>A collection of page file information structures.</returns>
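        /// <summary>
        /// Gets the page files currently active.
        /// </summary>
        /// <returns>A collection of page file information structures.</returns>
        /// <exception cref="OutOfMemoryException">
        /// Thrown if the query buffer would have to grow beyond 16 MB.
        /// </exception>
        public static SystemPagefile[] GetPagefiles()
        {
            int retLength;
            NtStatus status;
            // A small initial capacity is enough for the usual one or two page files;
            // the list grows on demand. (Allocated once, not twice as before.)
            List <SystemPagefile> pagefiles = new List <SystemPagefile>(2);

            using (MemoryAlloc data = new MemoryAlloc(0x200))
            {
                // The length reported by the kernel is not used here; the buffer is
                // simply doubled until the query fits.
                while ((status = Win32.NtQuerySystemInformation(
                            SystemInformationClass.SystemPageFileInformation,
                            data,
                            data.Size,
                            out retLength)
                        ) == NtStatus.InfoLengthMismatch)
                {
                    data.Resize(data.Size * 2);

                    // Fail if we've resized it to over 16MB - protect from infinite resizing
                    if (data.Size > 16 * 1024 * 1024)
                    {
                        throw new OutOfMemoryException();
                    }
                }

                if (status >= NtStatus.Error)
                {
                    Win32.ThrowLastError(status);
                }

                // NOTE(review): the loop below reads the first entry unconditionally. If the
                // kernel can return success with no entries (retLength == 0), that read would
                // come from uninitialized buffer memory - confirm before relying on it.
                int offset = 0;
                SystemPagefileInformation currentPagefile;

                do
                {
                    currentPagefile = data.ReadStruct <SystemPagefileInformation>(offset, 0);

                    pagefiles.Add(new SystemPagefile(
                                      currentPagefile.TotalSize,
                                      currentPagefile.TotalInUse,
                                      currentPagefile.PeakUsage,
                                      FileUtils.GetFileName(currentPagefile.PageFileName.Read())
                                      ));

                    // Entries are chained by relative offset; 0 marks the last one.
                    offset += currentPagefile.NextEntryOffset;
                } while (currentPagefile.NextEntryOffset != 0);

                return pagefiles.ToArray();
            }
        }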
Esempio n. 3
        /// <summary>
        /// Enumerates the handles opened by every running process.
        /// </summary>
        /// <returns>An array containing information about the handles.</returns>
        /// <summary>
        /// Enumerates the handles opened by every running process.
        /// </summary>
        /// <returns>An array containing information about the handles.</returns>
        /// <exception cref="OutOfMemoryException">
        /// Thrown if the query buffer would have to grow beyond 16 MB.
        /// </exception>
        public static SystemHandleEntry[] GetHandles()
        {
            if (_handlesBuffer == null)
            {
                _handlesBuffer = new MemoryAlloc(0x1000);
            }

            // Shared, lazily-created buffer; resizing it here grows the shared instance.
            MemoryAlloc buffer = _handlesBuffer;
            NtStatus queryStatus;
            int reportedLength;

            // NtQuerySystemInformation with SystemHandleInformation doesn't give a real
            // return length when called with an insufficient buffer, so the reported
            // length cannot be used: keep doubling the buffer until the query succeeds.
            for (;;)
            {
                queryStatus = Win32.NtQuerySystemInformation(
                    SystemInformationClass.SystemHandleInformation,
                    buffer,
                    buffer.Size,
                    out reportedLength);

                if (queryStatus != NtStatus.InfoLengthMismatch)
                {
                    break;
                }

                buffer.Resize(buffer.Size * 2);

                // Cap at 16MB to protect from infinite resizing.
                if (buffer.Size > 16 * 1024 * 1024)
                {
                    throw new OutOfMemoryException();
                }
            }

            if (queryStatus >= NtStatus.Error)
            {
                Win32.ThrowLastError(queryStatus);
            }

            // The buffer holds the handle count (SYSTEM_HANDLE_INFORMATION header)
            // followed by an array of handle entries.
            int handleCount = buffer.ReadStruct<SystemHandleInformation>().NumberOfHandles;
            var handles = new SystemHandleEntry[handleCount];

            for (int index = 0; index < handles.Length; index++)
            {
                handles[index] = buffer.ReadStruct<SystemHandleEntry>(SystemHandleInformation.HandlesOffset, index);
            }

            return handles;
        }
Esempio n. 4
        /// <summary>
        /// Gets a dictionary containing the services on the system.
        /// </summary>
        /// <returns>A dictionary, indexed by service name.</returns>
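        /// <summary>
        /// Gets a dictionary containing the services on the system.
        /// </summary>
        /// <returns>A dictionary, indexed by service name.</returns>
        /// <remarks>
        /// Both Win32 services and drivers are enumerated, in every state. Results are
        /// read into the shared <c>_servicesBuffer</c>, which is created lazily and grown
        /// once if the first call cannot return the whole list.
        /// </remarks>
        public static Dictionary <string, EnumServiceStatusProcess> GetServices()
        {
            using (ServiceManagerHandle manager =
                       new ServiceManagerHandle(ScManagerAccess.EnumerateService))
            {
                int requiredSize;
                int servicesReturned;
                int resume = 0;

                if (_servicesBuffer == null)
                {
                    _servicesBuffer = new MemoryAlloc(0x10000);
                }

                MemoryAlloc data = _servicesBuffer;

                if (!Win32.EnumServicesStatusEx(manager, IntPtr.Zero, ServiceQueryType.Win32 | ServiceQueryType.Driver,
                                                ServiceQueryState.All, data,
                                                data.Size, out requiredSize, out servicesReturned,
                                                ref resume, null))
                {
                    // When the buffer is too small, EnumServicesStatusEx copies the entries
                    // that fit, advances the resume handle past them, and reports the byte
                    // count for the *remaining* entries only. Retrying from the advanced
                    // resume handle would silently drop that first batch, so restart from
                    // the beginning with a buffer sized for what already fit plus what is
                    // still needed.
                    data.Resize(data.Size + requiredSize);
                    resume = 0;

                    // NOTE(review): failures other than ERROR_MORE_DATA (e.g. access denied)
                    // also take this path; the retry then surfaces them via ThrowLastError.
                    if (!Win32.EnumServicesStatusEx(manager, IntPtr.Zero, ServiceQueryType.Win32 | ServiceQueryType.Driver,
                                                    ServiceQueryState.All, data,
                                                    data.Size, out requiredSize, out servicesReturned,
                                                    ref resume, null))
                    {
                        Win32.ThrowLastError();
                    }
                }

                var dictionary = new Dictionary <string, EnumServiceStatusProcess>(servicesReturned);

                for (int i = 0; i < servicesReturned; i++)
                {
                    var service = data.ReadStruct <EnumServiceStatusProcess>(i);

                    // Service names are unique on a system, so Add is safe here.
                    dictionary.Add(service.ServiceName, service);
                }

                return dictionary;
            }
        }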
Esempio n. 5
        /// <summary>
        /// Gets the page files currently active.
        /// </summary>
        /// <returns>A collection of page file information structures.</returns>
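        /// <summary>
        /// Gets the page files currently active.
        /// </summary>
        /// <returns>A collection of page file information structures.</returns>
        /// <exception cref="OutOfMemoryException">
        /// Thrown if the query buffer would have to grow beyond 16 MB.
        /// </exception>
        public static SystemPagefile[] GetPagefiles()
        {
            int retLength;
            NtStatus status;
            // A small initial capacity is enough for the usual one or two page files;
            // the list grows on demand. (Allocated once, not twice as before.)
            List<SystemPagefile> pagefiles = new List<SystemPagefile>(2);

            using (MemoryAlloc data = new MemoryAlloc(0x200))
            {
                // The length reported by the kernel is not used here; the buffer is
                // simply doubled until the query fits.
                while ((status = Win32.NtQuerySystemInformation(
                    SystemInformationClass.SystemPageFileInformation,
                    data,
                    data.Size,
                    out retLength)
                    ) == NtStatus.InfoLengthMismatch)
                {
                    data.Resize(data.Size * 2);

                    // Fail if we've resized it to over 16MB - protect from infinite resizing
                    if (data.Size > 16 * 1024 * 1024)
                    {
                        throw new OutOfMemoryException();
                    }
                }

                if (status >= NtStatus.Error)
                {
                    Win32.ThrowLastError(status);
                }

                // NOTE(review): the loop below reads the first entry unconditionally. If the
                // kernel can return success with no entries (retLength == 0), that read would
                // come from uninitialized buffer memory - confirm before relying on it.
                int offset = 0;
                SystemPagefileInformation currentPagefile;

                do
                {
                    currentPagefile = data.ReadStruct<SystemPagefileInformation>(offset, 0);

                    pagefiles.Add(new SystemPagefile(
                        currentPagefile.TotalSize,
                        currentPagefile.TotalInUse,
                        currentPagefile.PeakUsage,
                        FileUtils.GetFileName(currentPagefile.PageFileName.Read())
                        ));

                    // Entries are chained by relative offset; 0 marks the last one.
                    offset += currentPagefile.NextEntryOffset;
                } while (currentPagefile.NextEntryOffset != 0);

                return pagefiles.ToArray();
            }
        }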
Esempio n. 6
        /// <summary>
        /// Gets a dictionary containing the threads owned by the specified process.
        /// </summary>
        /// <param name="pid">A process ID.</param>
        /// <returns>A dictionary, indexed by thread ID.</returns>
        /// <summary>
        /// Gets a dictionary containing the threads owned by the specified process.
        /// </summary>
        /// <param name="pid">A process ID.</param>
        /// <returns>
        /// A dictionary, indexed by thread ID, or null if no process with
        /// <paramref name="pid"/> appears in the snapshot.
        /// </returns>
        public static Dictionary <int, SystemThreadInformation> GetProcessThreads(int pid)
        {
            if (_processesBuffer == null)
            {
                _processesBuffer = new MemoryAlloc(0x10000);
            }

            // Shared, lazily-created buffer; resizing it here grows the shared instance.
            MemoryAlloc buffer = _processesBuffer;
            NtStatus queryStatus;
            int requiredLength;

            // Up to three resize-and-retry rounds. Any error status (not only an
            // info-length mismatch) triggers a resize to the reported length; the
            // fourth failure is thrown.
            for (int attempt = 1; ; attempt++)
            {
                queryStatus = Win32.NtQuerySystemInformation(SystemInformationClass.SystemProcessInformation, buffer.Memory,
                                                             buffer.Size, out requiredLength);

                if (queryStatus < NtStatus.Error)
                {
                    break;
                }

                if (attempt > 3)
                {
                    Win32.ThrowLastError(queryStatus);
                }

                buffer.Resize(requiredLength);
            }

            // Walk the process list; entries are chained by NextEntryOffset, 0 marks the end.
            int offset = 0;

            for (;;)
            {
                SystemProcessInformation process = buffer.ReadStruct <SystemProcessInformation>(offset, 0);

                if (process.ProcessId == pid)
                {
                    var threads = new Dictionary <int, SystemThreadInformation>();
                    // Thread entries are read starting right after the process header.
                    int threadsOffset = offset + Marshal.SizeOf(typeof(SystemProcessInformation));

                    for (int threadIndex = 0; threadIndex < process.NumberOfThreads; threadIndex++)
                    {
                        SystemThreadInformation thread =
                            buffer.ReadStruct <SystemThreadInformation>(threadsOffset, threadIndex);

                        threads.Add(thread.ClientId.ThreadId, thread);
                    }

                    return threads;
                }

                if (process.NextEntryOffset == 0)
                {
                    return null;
                }

                offset += process.NextEntryOffset;
            }
        }
Esempio n. 7
        /// <summary>
        /// Gets a dictionary containing the currently running processes.
        /// </summary>
        /// <param name="getThreads">Whether to get thread information.</param>
        /// <returns>A dictionary, indexed by process ID.</returns>
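        /// <summary>
        /// Gets a dictionary containing the currently running processes.
        /// </summary>
        /// <param name="getThreads">Whether to get thread information.</param>
        /// <returns>A dictionary, indexed by process ID.</returns>
        /// <remarks>
        /// The snapshot is read into the shared <c>_processesBuffer</c>, which is created
        /// lazily and resized up to three times before an error is thrown.
        /// </remarks>
        public static Dictionary <int, SystemProcess> GetProcesses(bool getThreads)
        {
            int retLength;

            if (_processesBuffer == null)
            {
                _processesBuffer = new MemoryAlloc(0x10000);
            }

            MemoryAlloc data = _processesBuffer;

            NtStatus status;
            int      attempts = 0;

            // Any error status (not only an info-length mismatch) triggers a resize to the
            // reported length; the fourth consecutive failure is thrown.
            while (true)
            {
                attempts++;

                if ((status = Win32.NtQuerySystemInformation(
                         SystemInformationClass.SystemProcessInformation,
                         data,
                         data.Size,
                         out retLength
                         )) >= NtStatus.Error)
                {
                    if (attempts > 3)
                    {
                        Win32.ThrowLastError(status);
                    }

                    data.Resize(retLength);
                }
                else
                {
                    break;
                }
            }

            // Initial capacity is only a guess; the dictionary grows as needed.
            var returnProcesses = new Dictionary <int, SystemProcess>(32);

            // Thread entries are read starting right after each process header, so the
            // header size is needed on every iteration; compute it once.
            int processHeaderSize = Marshal.SizeOf(typeof(SystemProcessInformation));

            int i = 0;
            SystemProcessInformation processInfo;

            do
            {
                // One fresh SystemProcess per entry: each dictionary value is then independent
                // whether SystemProcess is a reference or a value type, and no Threads
                // dictionary is carried over from the previous entry.
                SystemProcess currentProcess = new SystemProcess();

                processInfo = data.ReadStruct <SystemProcessInformation>(i, 0);
                currentProcess.Process = processInfo;
                currentProcess.Name    = processInfo.ImageName.Read();

                // Thread information is not collected for PID 0.
                if (getThreads &&
                    processInfo.ProcessId != 0)
                {
                    currentProcess.Threads = new Dictionary <int, SystemThreadInformation>();

                    for (int j = 0; j < processInfo.NumberOfThreads; j++)
                    {
                        var thread = data.ReadStruct <SystemThreadInformation>(i + processHeaderSize, j);

                        currentProcess.Threads.Add(thread.ClientId.ThreadId, thread);
                    }
                }

                returnProcesses.Add(processInfo.ProcessId, currentProcess);

                // Entries are chained by relative offset; 0 marks the last one.
                i += processInfo.NextEntryOffset;
            } while (processInfo.NextEntryOffset != 0);

            return returnProcesses;
        }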