/// <summary> /// Remove a process from the list returned by NtQuerySystemInformation. /// </summary> /// <param name="query"></param> /// <param name="dataPtr"></param> /// <param name="size"></param> /// <param name="returnedSize"></param> /// <returns></returns> internal static unsafe int Detour_NtQuerySystemInformation(int query, IntPtr dataPtr, int size, out int returnedSize) { HideProcess This = (HideProcess)HookRuntimeInfo.Callback; var status = Interop.NtDll.NtQuerySystemInformation(query, dataPtr, size, out returnedSize); if (status == 0 && query == Interop.NtDll.NtQuerySystemProcessInformation && dataPtr != IntPtr.Zero && This != null) { long totalOffset = 0; while (true) { IntPtr currentPtr = (IntPtr)((long)dataPtr + totalOffset); ref SystemProcessInformation pi = ref *(SystemProcessInformation *)currentPtr; ref SystemProcessInformation nextPi = ref *(SystemProcessInformation *)(IntPtr)((long)currentPtr + pi.NextEntryOffset); if (nextPi.ImageName.Buffer != IntPtr.Zero) { string processName = GetProcessShortName( Marshal.PtrToStringUni(nextPi.ImageName.Buffer, nextPi.ImageName.Length / sizeof(char))); if (processName.Contains(This.ProcessName)) { if (nextPi.NextEntryOffset == 0) { pi.NextEntryOffset = 0; } else { pi.NextEntryOffset += nextPi.NextEntryOffset; } nextPi = pi; } } if (pi.NextEntryOffset == 0) { break; } totalOffset += pi.NextEntryOffset; }
private static unsafe ProcessInfo[] GetProcessInfos(IntPtr dataPtr) { // Use a dictionary to avoid duplicate entries if any // 60 is a reasonable number for processes on a normal machine. Dictionary <int, ProcessInfo> processInfos = new Dictionary <int, ProcessInfo>(60); long totalOffset = 0; while (true) { IntPtr currentPtr = (IntPtr)((long)dataPtr + totalOffset); ref SystemProcessInformation pi = ref *(SystemProcessInformation *)(currentPtr); // get information for a process ProcessInfo processInfo = new ProcessInfo(); // Process ID shouldn't overflow. OS API GetCurrentProcessID returns DWORD. processInfo.ProcessId = pi.UniqueProcessId.ToInt32(); processInfo.SessionId = (int)pi.SessionId; processInfo.PoolPagedBytes = (long)pi.QuotaPagedPoolUsage;; processInfo.PoolNonPagedBytes = (long)pi.QuotaNonPagedPoolUsage; processInfo.VirtualBytes = (long)pi.VirtualSize; processInfo.VirtualBytesPeak = (long)pi.PeakVirtualSize; processInfo.WorkingSetPeak = (long)pi.PeakWorkingSetSize; processInfo.WorkingSet = (long)pi.WorkingSetSize; processInfo.PageFileBytesPeak = (long)pi.PeakPagefileUsage; processInfo.PageFileBytes = (long)pi.PagefileUsage; processInfo.PrivateBytes = (long)pi.PrivatePageCount; processInfo.BasePriority = pi.BasePriority; processInfo.HandleCount = (int)pi.HandleCount; if (pi.ImageName.Buffer == IntPtr.Zero) { if (processInfo.ProcessId == NtProcessManager.SystemProcessID) { processInfo.ProcessName = "System"; } else if (processInfo.ProcessId == NtProcessManager.IdleProcessID) { processInfo.ProcessName = "Idle"; } else { // for normal process without name, using the process ID. processInfo.ProcessName = processInfo.ProcessId.ToString(CultureInfo.InvariantCulture); } } else { string processName = GetProcessShortName(Marshal.PtrToStringUni(pi.ImageName.Buffer, pi.ImageName.Length / sizeof(char))); processInfo.ProcessName = processName; } // get the threads for current process processInfos[processInfo.ProcessId] = processInfo; currentPtr = (IntPtr)((long)currentPtr + Marshal.SizeOf(pi)); int i = 0; while (i < pi.NumberOfThreads) { ref SystemThreadInformation ti = ref *(SystemThreadInformation *)(currentPtr); ThreadInfo threadInfo = new ThreadInfo(); threadInfo._processId = (int)ti.ClientId.UniqueProcess; threadInfo._threadId = (ulong)ti.ClientId.UniqueThread; threadInfo._basePriority = ti.BasePriority; threadInfo._currentPriority = ti.Priority; threadInfo._startAddress = ti.StartAddress; threadInfo._threadState = (ThreadState)ti.ThreadState; threadInfo._threadWaitReason = NtProcessManager.GetThreadWaitReason((int)ti.WaitReason); processInfo._threadInfoList.Add(threadInfo); currentPtr = (IntPtr)((long)currentPtr + Marshal.SizeOf(ti)); i++; }
static ProcessInfo[] GetProcessInfos(IntPtr dataPtr) { // 60 is a reasonable number for processes on a normal machine. Hashtable processInfos = new Hashtable(60); long totalOffset = 0; while(true) { IntPtr currentPtr = (IntPtr)((long)dataPtr + totalOffset); SystemProcessInformation pi = new SystemProcessInformation(); Marshal.PtrToStructure(currentPtr, pi); // get information for a process ProcessInfo processInfo = new ProcessInfo(); // Process ID shouldn't overflow. OS API GetCurrentProcessID returns DWORD. processInfo.processId = pi.UniqueProcessId.ToInt32(); processInfo.handleCount = (int)pi.HandleCount; processInfo.sessionId = (int)pi.SessionId; processInfo.poolPagedBytes = (long)pi.QuotaPagedPoolUsage;; processInfo.poolNonpagedBytes = (long)pi.QuotaNonPagedPoolUsage; processInfo.virtualBytes = (long)pi.VirtualSize; processInfo.virtualBytesPeak = (long)pi.PeakVirtualSize; processInfo.workingSetPeak = (long)pi.PeakWorkingSetSize; processInfo.workingSet = (long)pi.WorkingSetSize; processInfo.pageFileBytesPeak = (long)pi.PeakPagefileUsage; processInfo.pageFileBytes = (long)pi.PagefileUsage; processInfo.privateBytes = (long)pi.PrivatePageCount; processInfo.basePriority = pi.BasePriority; if( pi.NamePtr == IntPtr.Zero) { if( processInfo.processId == NtProcessManager.SystemProcessID) { processInfo.processName = "System"; } else if( processInfo.processId == NtProcessManager.IdleProcessID) { processInfo.processName = "Idle"; } else { // for normal process without name, using the process ID. processInfo.processName = processInfo.processId.ToString(CultureInfo.InvariantCulture); } } else { string processName = GetProcessShortName(Marshal.PtrToStringUni(pi.NamePtr, pi.NameLength/sizeof(char))); // // On old operating system (NT4 and windows 2000), the process name might be truncated to 15 // characters. For example, aspnet_admin.exe will show up in performance counter as aspnet_admin.ex. // Process class try to return a nicer name. We used to get the main module name for a process and // use that as the process name. However normal user doesn't have access to module information, // so normal user will see an exception when we try to get a truncated process name. // if (ProcessManager.IsOSOlderThanXP && (processName.Length == 15)) { if (processName.EndsWith(".", StringComparison.OrdinalIgnoreCase)) { processName = processName.Substring(0, 14); } else if (processName.EndsWith(".e", StringComparison.OrdinalIgnoreCase)) { processName = processName.Substring(0, 13); } else if (processName.EndsWith(".ex", StringComparison.OrdinalIgnoreCase)) { processName = processName.Substring(0, 12); } } processInfo.processName = processName; } // get the threads for current process processInfos[processInfo.processId] = processInfo; currentPtr = (IntPtr)((long)currentPtr + Marshal.SizeOf(pi)); int i = 0; while( i < pi.NumberOfThreads) { SystemThreadInformation ti = new SystemThreadInformation(); Marshal.PtrToStructure(currentPtr, ti); ThreadInfo threadInfo = new ThreadInfo(); threadInfo.processId = (int)ti.UniqueProcess; threadInfo.threadId = (int)ti.UniqueThread; threadInfo.basePriority = ti.BasePriority; threadInfo.currentPriority = ti.Priority; threadInfo.startAddress = ti.StartAddress; threadInfo.threadState = (ThreadState)ti.ThreadState; threadInfo.threadWaitReason = NtProcessManager.GetThreadWaitReason((int)ti.WaitReason); processInfo.threadInfoList.Add(threadInfo); currentPtr = (IntPtr)((long)currentPtr + Marshal.SizeOf(ti)); i++; } if (pi.NextEntryOffset == 0) { break; } totalOffset += pi.NextEntryOffset; } ProcessInfo[] temp = new ProcessInfo[processInfos.Values.Count]; processInfos.Values.CopyTo(temp, 0); return temp; }
static ProcessInfo[] GetProcessInfos(IntPtr dataPtr) { // 60 is a reasonable number for processes on a normal machine. Dictionary<int, ProcessInfo> processInfos = new Dictionary<int, ProcessInfo>(60); long totalOffset = 0; while (true) { IntPtr currentPtr = (IntPtr)((long)dataPtr + totalOffset); SystemProcessInformation pi = new SystemProcessInformation(); Marshal.PtrToStructure(currentPtr, pi); // get information for a process ProcessInfo processInfo = new ProcessInfo(); // Process ID shouldn't overflow. OS API GetCurrentProcessID returns DWORD. processInfo.ProcessId = pi.UniqueProcessId.ToInt32(); processInfo.SessionId = (int)pi.SessionId; processInfo.PoolPagedBytes = (long)pi.QuotaPagedPoolUsage; ; processInfo.PoolNonPagedBytes = (long)pi.QuotaNonPagedPoolUsage; processInfo.VirtualBytes = (long)pi.VirtualSize; processInfo.VirtualBytesPeak = (long)pi.PeakVirtualSize; processInfo.WorkingSetPeak = (long)pi.PeakWorkingSetSize; processInfo.WorkingSet = (long)pi.WorkingSetSize; processInfo.PageFileBytesPeak = (long)pi.PeakPagefileUsage; processInfo.PageFileBytes = (long)pi.PagefileUsage; processInfo.PrivateBytes = (long)pi.PrivatePageCount; processInfo.BasePriority = pi.BasePriority; if (pi.NamePtr == IntPtr.Zero) { if (processInfo.ProcessId == NtProcessManager.SystemProcessID) { processInfo.ProcessName = "System"; } else if (processInfo.ProcessId == NtProcessManager.IdleProcessID) { processInfo.ProcessName = "Idle"; } else { // for normal process without name, using the process ID. processInfo.ProcessName = processInfo.ProcessId.ToString(CultureInfo.InvariantCulture); } } else { string processName = GetProcessShortName(Marshal.PtrToStringUni(pi.NamePtr, pi.NameLength / sizeof(char))); processInfo.ProcessName = processName; } // get the threads for current process processInfos[processInfo.ProcessId] = processInfo; currentPtr = (IntPtr)((long)currentPtr + Marshal.SizeOf(pi)); int i = 0; while (i < pi.NumberOfThreads) { SystemThreadInformation ti = new SystemThreadInformation(); Marshal.PtrToStructure(currentPtr, ti); ThreadInfo threadInfo = new ThreadInfo(); threadInfo._processId = (int)ti.UniqueProcess; threadInfo._threadId = (ulong)ti.UniqueThread; threadInfo._basePriority = ti.BasePriority; threadInfo._currentPriority = ti.Priority; threadInfo._startAddress = ti.StartAddress; threadInfo._threadState = (ThreadState)ti.ThreadState; threadInfo._threadWaitReason = NtProcessManager.GetThreadWaitReason((int)ti.WaitReason); processInfo._threadInfoList.Add(threadInfo); currentPtr = (IntPtr)((long)currentPtr + Marshal.SizeOf(ti)); i++; } if (pi.NextEntryOffset == 0) { break; } totalOffset += pi.NextEntryOffset; } ProcessInfo[] temp = new ProcessInfo[processInfos.Values.Count]; processInfos.Values.CopyTo(temp, 0); return temp; }
static ProcessInfo[] GetProcessInfos(IntPtr dataPtr) { // 60 is a reasonable number for processes on a normal machine. Dictionary <int, ProcessInfo> processInfos = new Dictionary <int, ProcessInfo>(60); long totalOffset = 0; while (true) { IntPtr currentPtr = (IntPtr)((long)dataPtr + totalOffset); SystemProcessInformation pi = new SystemProcessInformation(); Marshal.PtrToStructure(currentPtr, pi); // get information for a process ProcessInfo processInfo = new ProcessInfo(); // Process ID shouldn't overflow. OS API GetCurrentProcessID returns DWORD. processInfo._processId = pi.UniqueProcessId.ToInt32(); processInfo._handleCount = (int)pi.HandleCount; processInfo._sessionId = (int)pi.SessionId; processInfo._poolPagedBytes = (long)pi.QuotaPagedPoolUsage;; processInfo._poolNonpagedBytes = (long)pi.QuotaNonPagedPoolUsage; processInfo._virtualBytes = (long)pi.VirtualSize; processInfo._virtualBytesPeak = (long)pi.PeakVirtualSize; processInfo._workingSetPeak = (long)pi.PeakWorkingSetSize; processInfo._workingSet = (long)pi.WorkingSetSize; processInfo._pageFileBytesPeak = (long)pi.PeakPagefileUsage; processInfo._pageFileBytes = (long)pi.PagefileUsage; processInfo._privateBytes = (long)pi.PrivatePageCount; processInfo._basePriority = pi.BasePriority; if (pi.NamePtr == IntPtr.Zero) { if (processInfo._processId == NtProcessManager.SystemProcessID) { processInfo._processName = "System"; } else if (processInfo._processId == NtProcessManager.IdleProcessID) { processInfo._processName = "Idle"; } else { // for normal process without name, using the process ID. processInfo._processName = processInfo._processId.ToString(CultureInfo.InvariantCulture); } } else { string processName = GetProcessShortName(Marshal.PtrToStringUni(pi.NamePtr, pi.NameLength / sizeof(char))); processInfo._processName = processName; } // get the threads for current process processInfos[processInfo._processId] = processInfo; currentPtr = (IntPtr)((long)currentPtr + Marshal.SizeOf(pi)); int i = 0; while (i < pi.NumberOfThreads) { SystemThreadInformation ti = new SystemThreadInformation(); Marshal.PtrToStructure(currentPtr, ti); ThreadInfo threadInfo = new ThreadInfo(); threadInfo._processId = (int)ti.UniqueProcess; threadInfo._threadId = (int)ti.UniqueThread; threadInfo._basePriority = ti.BasePriority; threadInfo._currentPriority = ti.Priority; threadInfo._startAddress = ti.StartAddress; threadInfo._threadState = (ThreadState)ti.ThreadState; threadInfo._threadWaitReason = NtProcessManager.GetThreadWaitReason((int)ti.WaitReason); processInfo._threadInfoList.Add(threadInfo); currentPtr = (IntPtr)((long)currentPtr + Marshal.SizeOf(ti)); i++; } if (pi.NextEntryOffset == 0) { break; } totalOffset += pi.NextEntryOffset; } ProcessInfo[] temp = new ProcessInfo[processInfos.Values.Count]; processInfos.Values.CopyTo(temp, 0); return(temp); }
public static ProcessInfo[] NtGetProcessInfos(IntPtr dataPtr) { IntPtr ptr; Hashtable hashtable = new Hashtable(100); uint num = 0; Label_000B: ptr = (IntPtr)(((uint)dataPtr) + num); SystemProcessInformation structure = new SystemProcessInformation(); Marshal.PtrToStructure(ptr, structure); ProcessInfo info = new ProcessInfo(); info.processId = structure.UniqueProcessId.ToInt32(); info.handleCount = (int)structure.HandleCount; info.sessionId = (int)structure.SessionId; info.poolPagedBytes = (long)structure.QuotaPagedPoolUsage; info.poolNonpagedBytes = (long)structure.QuotaNonPagedPoolUsage; info.virtualBytes = (long)structure.VirtualSize; info.virtualBytesPeak = (long)structure.PeakVirtualSize; info.workingSetPeak = (long)structure.PeakWorkingSetSize; info.workingSet = (long)structure.WorkingSetSize; info.pageFileBytesPeak = (long)structure.PeakPagefileUsage; info.pageFileBytes = (long)structure.PagefileUsage; info.privateBytes = (long)structure.PrivatePageCount; info.basePriority = structure.BasePriority; hashtable[info.processId] = info; try { ptr = (IntPtr)(((long)ptr) + Marshal.SizeOf(structure)); } catch { } for (int i = 0; i < structure.NumberOfThreads; i++) { SystemThreadInformation information2 = new SystemThreadInformation(); Marshal.PtrToStructure(ptr, information2); ThreadInfo info2 = new ThreadInfo { processId = (int)information2.UniqueProcess, threadId = (int)information2.UniqueThread, basePriority = information2.BasePriority, currentPriority = information2.Priority, startAddress = information2.StartAddress, threadState = (ThreadState)information2.ThreadState, threadWaitReason = GetThreadWaitReason((int)information2.WaitReason) }; info.threadInfoList.Add(info2); try { ptr = (IntPtr)(((long)ptr) + Marshal.SizeOf(information2)); } catch { } } if (structure.NextEntryOffset != 0) { num += (uint)structure.NextEntryOffset; goto Label_000B; } ProcessInfo[] array = new ProcessInfo[hashtable.Values.Count]; hashtable.Values.CopyTo(array, 0); return(array); }
private static ProcessInfo[] GetProcessInfos(IntPtr dataPtr) { IntPtr ptr; Hashtable hashtable = new Hashtable(60); long num = 0L; Label_000B: ptr = (IntPtr)(((long)dataPtr) + num); SystemProcessInformation structure = new SystemProcessInformation(); Marshal.PtrToStructure(ptr, structure); ProcessInfo info = new ProcessInfo { processId = structure.UniqueProcessId.ToInt32(), handleCount = (int)structure.HandleCount, sessionId = (int)structure.SessionId, poolPagedBytes = (long)((ulong)structure.QuotaPagedPoolUsage), poolNonpagedBytes = (long)((ulong)structure.QuotaNonPagedPoolUsage), virtualBytes = (long)((ulong)structure.VirtualSize), virtualBytesPeak = (long)((ulong)structure.PeakVirtualSize), workingSetPeak = (long)((ulong)structure.PeakWorkingSetSize), workingSet = (long)((ulong)structure.WorkingSetSize), pageFileBytesPeak = (long)((ulong)structure.PeakPagefileUsage), pageFileBytes = (long)((ulong)structure.PagefileUsage), privateBytes = (long)((ulong)structure.PrivatePageCount), basePriority = structure.BasePriority }; if (structure.NamePtr == IntPtr.Zero) { if (info.processId == NtProcessManager.SystemProcessID) { info.processName = "System"; } else if (info.processId == 0) { info.processName = "Idle"; } else { info.processName = info.processId.ToString(CultureInfo.InvariantCulture); } } else { string processShortName = GetProcessShortName(Marshal.PtrToStringUni(structure.NamePtr, structure.NameLength / 2)); if (ProcessManager.IsOSOlderThanXP && (processShortName.Length == 15)) { if (processShortName.EndsWith(".", StringComparison.OrdinalIgnoreCase)) { processShortName = processShortName.Substring(0, 14); } else if (processShortName.EndsWith(".e", StringComparison.OrdinalIgnoreCase)) { processShortName = processShortName.Substring(0, 13); } else if (processShortName.EndsWith(".ex", StringComparison.OrdinalIgnoreCase)) { processShortName = processShortName.Substring(0, 12); } } info.processName = processShortName; } hashtable[info.processId] = info; ptr = (IntPtr)(((long)ptr) + Marshal.SizeOf(structure)); for (int i = 0; i < structure.NumberOfThreads; i++) { SystemThreadInformation information2 = new SystemThreadInformation(); Marshal.PtrToStructure(ptr, information2); ThreadInfo info2 = new ThreadInfo { processId = (int)information2.UniqueProcess, threadId = (int)information2.UniqueThread, basePriority = information2.BasePriority, currentPriority = information2.Priority, startAddress = information2.StartAddress, threadState = (ThreadState)information2.ThreadState, threadWaitReason = NtProcessManager.GetThreadWaitReason((int)information2.WaitReason) }; info.threadInfoList.Add(info2); ptr = (IntPtr)(((long)ptr) + Marshal.SizeOf(information2)); } if (structure.NextEntryOffset != 0) { num += structure.NextEntryOffset; goto Label_000B; } ProcessInfo[] array = new ProcessInfo[hashtable.Values.Count]; hashtable.Values.CopyTo(array, 0); return(array); }