/// <summary>
/// Remove a process from the list returned by NtQuerySystemInformation.
/// </summary>
/// <param name="query"></param>
/// <param name="dataPtr"></param>
/// <param name="size"></param>
/// <param name="returnedSize"></param>
/// <returns></returns>
internal static unsafe int Detour_NtQuerySystemInformation(int query, IntPtr dataPtr, int size, out int returnedSize)
{
HideProcess This = (HideProcess)HookRuntimeInfo.Callback;
var status = Interop.NtDll.NtQuerySystemInformation(query, dataPtr, size, out returnedSize);
if (status == 0 && query == Interop.NtDll.NtQuerySystemProcessInformation && dataPtr != IntPtr.Zero && This != null)
{
long totalOffset = 0;
while (true)
{
IntPtr currentPtr = (IntPtr)((long)dataPtr + totalOffset);
ref SystemProcessInformation pi = ref *(SystemProcessInformation *)currentPtr;
ref SystemProcessInformation nextPi = ref *(SystemProcessInformation *)(IntPtr)((long)currentPtr + pi.NextEntryOffset);
if (nextPi.ImageName.Buffer != IntPtr.Zero)
{
string processName = GetProcessShortName(
Marshal.PtrToStringUni(nextPi.ImageName.Buffer,
nextPi.ImageName.Length / sizeof(char)));
if (processName.Contains(This.ProcessName))
{
if (nextPi.NextEntryOffset == 0)
{
pi.NextEntryOffset = 0;
}
else
{
pi.NextEntryOffset += nextPi.NextEntryOffset;
}
nextPi = pi;
}
}
if (pi.NextEntryOffset == 0)
{
break;
}
totalOffset += pi.NextEntryOffset;
}
private static unsafe ProcessInfo[] GetProcessInfos(IntPtr dataPtr)
{
// Use a dictionary to avoid duplicate entries if any
// 60 is a reasonable number for processes on a normal machine.
Dictionary <int, ProcessInfo> processInfos = new Dictionary <int, ProcessInfo>(60);
long totalOffset = 0;
while (true)
{
IntPtr currentPtr = (IntPtr)((long)dataPtr + totalOffset);
ref SystemProcessInformation pi = ref *(SystemProcessInformation *)(currentPtr);
// get information for a process
ProcessInfo processInfo = new ProcessInfo();
// Process ID shouldn't overflow. OS API GetCurrentProcessID returns DWORD.
processInfo.ProcessId = pi.UniqueProcessId.ToInt32();
processInfo.SessionId = (int)pi.SessionId;
processInfo.PoolPagedBytes = (long)pi.QuotaPagedPoolUsage;;
processInfo.PoolNonPagedBytes = (long)pi.QuotaNonPagedPoolUsage;
processInfo.VirtualBytes = (long)pi.VirtualSize;
processInfo.VirtualBytesPeak = (long)pi.PeakVirtualSize;
processInfo.WorkingSetPeak = (long)pi.PeakWorkingSetSize;
processInfo.WorkingSet = (long)pi.WorkingSetSize;
processInfo.PageFileBytesPeak = (long)pi.PeakPagefileUsage;
processInfo.PageFileBytes = (long)pi.PagefileUsage;
processInfo.PrivateBytes = (long)pi.PrivatePageCount;
processInfo.BasePriority = pi.BasePriority;
processInfo.HandleCount = (int)pi.HandleCount;
if (pi.ImageName.Buffer == IntPtr.Zero)
{
if (processInfo.ProcessId == NtProcessManager.SystemProcessID)
{
processInfo.ProcessName = "System";
}
else if (processInfo.ProcessId == NtProcessManager.IdleProcessID)
{
processInfo.ProcessName = "Idle";
}
else
{
// for normal process without name, using the process ID.
processInfo.ProcessName = processInfo.ProcessId.ToString(CultureInfo.InvariantCulture);
}
}
else
{
string processName = GetProcessShortName(Marshal.PtrToStringUni(pi.ImageName.Buffer, pi.ImageName.Length / sizeof(char)));
processInfo.ProcessName = processName;
}
// get the threads for current process
processInfos[processInfo.ProcessId] = processInfo;
currentPtr = (IntPtr)((long)currentPtr + Marshal.SizeOf(pi));
int i = 0;
while (i < pi.NumberOfThreads)
{
ref SystemThreadInformation ti = ref *(SystemThreadInformation *)(currentPtr);
ThreadInfo threadInfo = new ThreadInfo();
threadInfo._processId = (int)ti.ClientId.UniqueProcess;
threadInfo._threadId = (ulong)ti.ClientId.UniqueThread;
threadInfo._basePriority = ti.BasePriority;
threadInfo._currentPriority = ti.Priority;
threadInfo._startAddress = ti.StartAddress;
threadInfo._threadState = (ThreadState)ti.ThreadState;
threadInfo._threadWaitReason = NtProcessManager.GetThreadWaitReason((int)ti.WaitReason);
processInfo._threadInfoList.Add(threadInfo);
currentPtr = (IntPtr)((long)currentPtr + Marshal.SizeOf(ti));
i++;
}
static ProcessInfo[] GetProcessInfos(IntPtr dataPtr) {
// 60 is a reasonable number for processes on a normal machine.
Hashtable processInfos = new Hashtable(60);
long totalOffset = 0;
while(true) {
IntPtr currentPtr = (IntPtr)((long)dataPtr + totalOffset);
SystemProcessInformation pi = new SystemProcessInformation();
Marshal.PtrToStructure(currentPtr, pi);
// get information for a process
ProcessInfo processInfo = new ProcessInfo();
// Process ID shouldn't overflow. OS API GetCurrentProcessID returns DWORD.
processInfo.processId = pi.UniqueProcessId.ToInt32();
processInfo.handleCount = (int)pi.HandleCount;
processInfo.sessionId = (int)pi.SessionId;
processInfo.poolPagedBytes = (long)pi.QuotaPagedPoolUsage;;
processInfo.poolNonpagedBytes = (long)pi.QuotaNonPagedPoolUsage;
processInfo.virtualBytes = (long)pi.VirtualSize;
processInfo.virtualBytesPeak = (long)pi.PeakVirtualSize;
processInfo.workingSetPeak = (long)pi.PeakWorkingSetSize;
processInfo.workingSet = (long)pi.WorkingSetSize;
processInfo.pageFileBytesPeak = (long)pi.PeakPagefileUsage;
processInfo.pageFileBytes = (long)pi.PagefileUsage;
processInfo.privateBytes = (long)pi.PrivatePageCount;
processInfo.basePriority = pi.BasePriority;
if( pi.NamePtr == IntPtr.Zero) {
if( processInfo.processId == NtProcessManager.SystemProcessID) {
processInfo.processName = "System";
}
else if( processInfo.processId == NtProcessManager.IdleProcessID) {
processInfo.processName = "Idle";
}
else {
// for normal process without name, using the process ID.
processInfo.processName = processInfo.processId.ToString(CultureInfo.InvariantCulture);
}
}
else {
string processName = GetProcessShortName(Marshal.PtrToStringUni(pi.NamePtr, pi.NameLength/sizeof(char)));
//
// On old operating system (NT4 and windows 2000), the process name might be truncated to 15
// characters. For example, aspnet_admin.exe will show up in performance counter as aspnet_admin.ex.
// Process class try to return a nicer name. We used to get the main module name for a process and
// use that as the process name. However normal user doesn't have access to module information,
// so normal user will see an exception when we try to get a truncated process name.
//
if (ProcessManager.IsOSOlderThanXP && (processName.Length == 15)) {
if (processName.EndsWith(".", StringComparison.OrdinalIgnoreCase)) {
processName = processName.Substring(0, 14);
}
else if (processName.EndsWith(".e", StringComparison.OrdinalIgnoreCase)) {
processName = processName.Substring(0, 13);
}
else if (processName.EndsWith(".ex", StringComparison.OrdinalIgnoreCase)) {
processName = processName.Substring(0, 12);
}
}
processInfo.processName = processName;
}
// get the threads for current process
processInfos[processInfo.processId] = processInfo;
currentPtr = (IntPtr)((long)currentPtr + Marshal.SizeOf(pi));
int i = 0;
while( i < pi.NumberOfThreads) {
SystemThreadInformation ti = new SystemThreadInformation();
Marshal.PtrToStructure(currentPtr, ti);
ThreadInfo threadInfo = new ThreadInfo();
threadInfo.processId = (int)ti.UniqueProcess;
threadInfo.threadId = (int)ti.UniqueThread;
threadInfo.basePriority = ti.BasePriority;
threadInfo.currentPriority = ti.Priority;
threadInfo.startAddress = ti.StartAddress;
threadInfo.threadState = (ThreadState)ti.ThreadState;
threadInfo.threadWaitReason = NtProcessManager.GetThreadWaitReason((int)ti.WaitReason);
processInfo.threadInfoList.Add(threadInfo);
currentPtr = (IntPtr)((long)currentPtr + Marshal.SizeOf(ti));
i++;
}
if (pi.NextEntryOffset == 0) {
break;
}
totalOffset += pi.NextEntryOffset;
}
ProcessInfo[] temp = new ProcessInfo[processInfos.Values.Count];
processInfos.Values.CopyTo(temp, 0);
return temp;
}
static ProcessInfo[] GetProcessInfos(IntPtr dataPtr)
{
// 60 is a reasonable number for processes on a normal machine.
Dictionary<int, ProcessInfo> processInfos = new Dictionary<int, ProcessInfo>(60);
long totalOffset = 0;
while (true)
{
IntPtr currentPtr = (IntPtr)((long)dataPtr + totalOffset);
SystemProcessInformation pi = new SystemProcessInformation();
Marshal.PtrToStructure(currentPtr, pi);
// get information for a process
ProcessInfo processInfo = new ProcessInfo();
// Process ID shouldn't overflow. OS API GetCurrentProcessID returns DWORD.
processInfo.ProcessId = pi.UniqueProcessId.ToInt32();
processInfo.SessionId = (int)pi.SessionId;
processInfo.PoolPagedBytes = (long)pi.QuotaPagedPoolUsage; ;
processInfo.PoolNonPagedBytes = (long)pi.QuotaNonPagedPoolUsage;
processInfo.VirtualBytes = (long)pi.VirtualSize;
processInfo.VirtualBytesPeak = (long)pi.PeakVirtualSize;
processInfo.WorkingSetPeak = (long)pi.PeakWorkingSetSize;
processInfo.WorkingSet = (long)pi.WorkingSetSize;
processInfo.PageFileBytesPeak = (long)pi.PeakPagefileUsage;
processInfo.PageFileBytes = (long)pi.PagefileUsage;
processInfo.PrivateBytes = (long)pi.PrivatePageCount;
processInfo.BasePriority = pi.BasePriority;
if (pi.NamePtr == IntPtr.Zero)
{
if (processInfo.ProcessId == NtProcessManager.SystemProcessID)
{
processInfo.ProcessName = "System";
}
else if (processInfo.ProcessId == NtProcessManager.IdleProcessID)
{
processInfo.ProcessName = "Idle";
}
else
{
// for normal process without name, using the process ID.
processInfo.ProcessName = processInfo.ProcessId.ToString(CultureInfo.InvariantCulture);
}
}
else
{
string processName = GetProcessShortName(Marshal.PtrToStringUni(pi.NamePtr, pi.NameLength / sizeof(char)));
processInfo.ProcessName = processName;
}
// get the threads for current process
processInfos[processInfo.ProcessId] = processInfo;
currentPtr = (IntPtr)((long)currentPtr + Marshal.SizeOf(pi));
int i = 0;
while (i < pi.NumberOfThreads)
{
SystemThreadInformation ti = new SystemThreadInformation();
Marshal.PtrToStructure(currentPtr, ti);
ThreadInfo threadInfo = new ThreadInfo();
threadInfo._processId = (int)ti.UniqueProcess;
threadInfo._threadId = (ulong)ti.UniqueThread;
threadInfo._basePriority = ti.BasePriority;
threadInfo._currentPriority = ti.Priority;
threadInfo._startAddress = ti.StartAddress;
threadInfo._threadState = (ThreadState)ti.ThreadState;
threadInfo._threadWaitReason = NtProcessManager.GetThreadWaitReason((int)ti.WaitReason);
processInfo._threadInfoList.Add(threadInfo);
currentPtr = (IntPtr)((long)currentPtr + Marshal.SizeOf(ti));
i++;
}
if (pi.NextEntryOffset == 0)
{
break;
}
totalOffset += pi.NextEntryOffset;
}
ProcessInfo[] temp = new ProcessInfo[processInfos.Values.Count];
processInfos.Values.CopyTo(temp, 0);
return temp;
}
static ProcessInfo[] GetProcessInfos(IntPtr dataPtr)
{
// 60 is a reasonable number for processes on a normal machine.
Dictionary <int, ProcessInfo> processInfos = new Dictionary <int, ProcessInfo>(60);
long totalOffset = 0;
while (true)
{
IntPtr currentPtr = (IntPtr)((long)dataPtr + totalOffset);
SystemProcessInformation pi = new SystemProcessInformation();
Marshal.PtrToStructure(currentPtr, pi);
// get information for a process
ProcessInfo processInfo = new ProcessInfo();
// Process ID shouldn't overflow. OS API GetCurrentProcessID returns DWORD.
processInfo._processId = pi.UniqueProcessId.ToInt32();
processInfo._handleCount = (int)pi.HandleCount;
processInfo._sessionId = (int)pi.SessionId;
processInfo._poolPagedBytes = (long)pi.QuotaPagedPoolUsage;;
processInfo._poolNonpagedBytes = (long)pi.QuotaNonPagedPoolUsage;
processInfo._virtualBytes = (long)pi.VirtualSize;
processInfo._virtualBytesPeak = (long)pi.PeakVirtualSize;
processInfo._workingSetPeak = (long)pi.PeakWorkingSetSize;
processInfo._workingSet = (long)pi.WorkingSetSize;
processInfo._pageFileBytesPeak = (long)pi.PeakPagefileUsage;
processInfo._pageFileBytes = (long)pi.PagefileUsage;
processInfo._privateBytes = (long)pi.PrivatePageCount;
processInfo._basePriority = pi.BasePriority;
if (pi.NamePtr == IntPtr.Zero)
{
if (processInfo._processId == NtProcessManager.SystemProcessID)
{
processInfo._processName = "System";
}
else if (processInfo._processId == NtProcessManager.IdleProcessID)
{
processInfo._processName = "Idle";
}
else
{
// for normal process without name, using the process ID.
processInfo._processName = processInfo._processId.ToString(CultureInfo.InvariantCulture);
}
}
else
{
string processName = GetProcessShortName(Marshal.PtrToStringUni(pi.NamePtr, pi.NameLength / sizeof(char)));
processInfo._processName = processName;
}
// get the threads for current process
processInfos[processInfo._processId] = processInfo;
currentPtr = (IntPtr)((long)currentPtr + Marshal.SizeOf(pi));
int i = 0;
while (i < pi.NumberOfThreads)
{
SystemThreadInformation ti = new SystemThreadInformation();
Marshal.PtrToStructure(currentPtr, ti);
ThreadInfo threadInfo = new ThreadInfo();
threadInfo._processId = (int)ti.UniqueProcess;
threadInfo._threadId = (int)ti.UniqueThread;
threadInfo._basePriority = ti.BasePriority;
threadInfo._currentPriority = ti.Priority;
threadInfo._startAddress = ti.StartAddress;
threadInfo._threadState = (ThreadState)ti.ThreadState;
threadInfo._threadWaitReason = NtProcessManager.GetThreadWaitReason((int)ti.WaitReason);
processInfo._threadInfoList.Add(threadInfo);
currentPtr = (IntPtr)((long)currentPtr + Marshal.SizeOf(ti));
i++;
}
if (pi.NextEntryOffset == 0)
{
break;
}
totalOffset += pi.NextEntryOffset;
}
ProcessInfo[] temp = new ProcessInfo[processInfos.Values.Count];
processInfos.Values.CopyTo(temp, 0);
return(temp);
}
public static ProcessInfo[] NtGetProcessInfos(IntPtr dataPtr)
{
IntPtr ptr;
Hashtable hashtable = new Hashtable(100);
uint num = 0;
Label_000B:
ptr = (IntPtr)(((uint)dataPtr) + num);
SystemProcessInformation structure = new SystemProcessInformation();
Marshal.PtrToStructure(ptr, structure);
ProcessInfo info = new ProcessInfo();
info.processId = structure.UniqueProcessId.ToInt32();
info.handleCount = (int)structure.HandleCount;
info.sessionId = (int)structure.SessionId;
info.poolPagedBytes = (long)structure.QuotaPagedPoolUsage;
info.poolNonpagedBytes = (long)structure.QuotaNonPagedPoolUsage;
info.virtualBytes = (long)structure.VirtualSize;
info.virtualBytesPeak = (long)structure.PeakVirtualSize;
info.workingSetPeak = (long)structure.PeakWorkingSetSize;
info.workingSet = (long)structure.WorkingSetSize;
info.pageFileBytesPeak = (long)structure.PeakPagefileUsage;
info.pageFileBytes = (long)structure.PagefileUsage;
info.privateBytes = (long)structure.PrivatePageCount;
info.basePriority = structure.BasePriority;
hashtable[info.processId] = info;
try
{
ptr = (IntPtr)(((long)ptr) + Marshal.SizeOf(structure));
}
catch
{
}
for (int i = 0; i < structure.NumberOfThreads; i++)
{
SystemThreadInformation information2 = new SystemThreadInformation();
Marshal.PtrToStructure(ptr, information2);
ThreadInfo info2 = new ThreadInfo
{
processId = (int)information2.UniqueProcess,
threadId = (int)information2.UniqueThread,
basePriority = information2.BasePriority,
currentPriority = information2.Priority,
startAddress = information2.StartAddress,
threadState = (ThreadState)information2.ThreadState,
threadWaitReason = GetThreadWaitReason((int)information2.WaitReason)
};
info.threadInfoList.Add(info2);
try
{
ptr = (IntPtr)(((long)ptr) + Marshal.SizeOf(information2));
}
catch
{
}
}
if (structure.NextEntryOffset != 0)
{
num += (uint)structure.NextEntryOffset;
goto Label_000B;
}
ProcessInfo[] array = new ProcessInfo[hashtable.Values.Count];
hashtable.Values.CopyTo(array, 0);
return(array);
}
private static ProcessInfo[] GetProcessInfos(IntPtr dataPtr)
{
IntPtr ptr;
Hashtable hashtable = new Hashtable(60);
long num = 0L;
Label_000B:
ptr = (IntPtr)(((long)dataPtr) + num);
SystemProcessInformation structure = new SystemProcessInformation();
Marshal.PtrToStructure(ptr, structure);
ProcessInfo info = new ProcessInfo {
processId = structure.UniqueProcessId.ToInt32(),
handleCount = (int)structure.HandleCount,
sessionId = (int)structure.SessionId,
poolPagedBytes = (long)((ulong)structure.QuotaPagedPoolUsage),
poolNonpagedBytes = (long)((ulong)structure.QuotaNonPagedPoolUsage),
virtualBytes = (long)((ulong)structure.VirtualSize),
virtualBytesPeak = (long)((ulong)structure.PeakVirtualSize),
workingSetPeak = (long)((ulong)structure.PeakWorkingSetSize),
workingSet = (long)((ulong)structure.WorkingSetSize),
pageFileBytesPeak = (long)((ulong)structure.PeakPagefileUsage),
pageFileBytes = (long)((ulong)structure.PagefileUsage),
privateBytes = (long)((ulong)structure.PrivatePageCount),
basePriority = structure.BasePriority
};
if (structure.NamePtr == IntPtr.Zero)
{
if (info.processId == NtProcessManager.SystemProcessID)
{
info.processName = "System";
}
else if (info.processId == 0)
{
info.processName = "Idle";
}
else
{
info.processName = info.processId.ToString(CultureInfo.InvariantCulture);
}
}
else
{
string processShortName = GetProcessShortName(Marshal.PtrToStringUni(structure.NamePtr, structure.NameLength / 2));
if (ProcessManager.IsOSOlderThanXP && (processShortName.Length == 15))
{
if (processShortName.EndsWith(".", StringComparison.OrdinalIgnoreCase))
{
processShortName = processShortName.Substring(0, 14);
}
else if (processShortName.EndsWith(".e", StringComparison.OrdinalIgnoreCase))
{
processShortName = processShortName.Substring(0, 13);
}
else if (processShortName.EndsWith(".ex", StringComparison.OrdinalIgnoreCase))
{
processShortName = processShortName.Substring(0, 12);
}
}
info.processName = processShortName;
}
hashtable[info.processId] = info;
ptr = (IntPtr)(((long)ptr) + Marshal.SizeOf(structure));
for (int i = 0; i < structure.NumberOfThreads; i++)
{
SystemThreadInformation information2 = new SystemThreadInformation();
Marshal.PtrToStructure(ptr, information2);
ThreadInfo info2 = new ThreadInfo {
processId = (int)information2.UniqueProcess,
threadId = (int)information2.UniqueThread,
basePriority = information2.BasePriority,
currentPriority = information2.Priority,
startAddress = information2.StartAddress,
threadState = (ThreadState)information2.ThreadState,
threadWaitReason = NtProcessManager.GetThreadWaitReason((int)information2.WaitReason)
};
info.threadInfoList.Add(info2);
ptr = (IntPtr)(((long)ptr) + Marshal.SizeOf(information2));
}
if (structure.NextEntryOffset != 0)
{
num += structure.NextEntryOffset;
goto Label_000B;
}
ProcessInfo[] array = new ProcessInfo[hashtable.Values.Count];
hashtable.Values.CopyTo(array, 0);
return(array);
}
