ProSysLib: Dissecting the Process

Vitaly Tomilov

Rate me:

4.84/5 (69 votes)

22 Nov 2010CPOL12 min read

128.1K

2.6K

174

Access detailed information about the current process the easiest way.

processinfo_bin.zip
- Interop.ProSysLib.dll
- ProcessInfo.exe
- PSL32v0.9.dll
- PSL64v0.9.dll
prosyslib_v0.9.zip
- ProSysLib_v0.9
  - Bin
    - PSL32v0.9.dll
    - PSL64v0.9.dll
    - Register.bat
  - Help
    - ReadMe.txt
  - Samples
    - C#2008
      - ProcessInfo
        
        app.config
        
        MainForm.cs
        
        MainForm.Designer.cs
        
        MainForm.resx
        
        ProcessInfo.csproj
        
        ProcessInfo.sln
        
        Program.cs
        
        Properties
        
        AssemblyInfo.cs
        
        Resources.Designer.cs
        
        Resources.resx
        
        Settings.Designer.cs
        
        Settings.settings
      - ProcessViewer
        
        MainForm.cs
        
        MainForm.Designer.cs
        
        MainForm.resx
        
        ProcessViewer.csproj
        
        ProcessViewer.sln
        
        Program.cs
        
        Properties
        
        AssemblyInfo.cs
        
        Resources.Designer.cs
        
        Resources.resx
        
        Settings.Designer.cs
        
        Settings.settings
    - VB6
      - CPUInfo.exe
      - CPUInfo.frm
      - CPUInfo.frx
      - CPUInfo.vbp
      - CPUInfo.vbw
    - VC2008
      - Deployment
        
        Deployment.cpp
        
        Deployment.sln
        
        Deployment.vcproj
        
        stdafx.cpp
        
        stdafx.h
      - PSLDeploy.h
  - Src
    - AutoObject.h
    - CopyAdaptors.h
    - dlldatax.c
    - dlldatax.h
    - GUIDs.h
    - mssccprj.scc
    - ProcessorUsage.cpp
    - ProcessorUsage.h
    - ProSysLib.cpp
    - ProSysLib.def
    - ProSysLib.idl
    - ProSysLib.rc
    - ProSysLib.rgs
    - ProSysLib.sln
    - ProSysLib.vcproj
    - ProSysLib.vcproj.vspscc
    - ProSysLib.vssscc
    - ProSysModule.cpp
    - ProSysModule.h
    - PSLAccount.cpp
    - PSLAccount.h
    - PSLAccounts.cpp
    - PSLAccounts.h
    - PSLCmdParam.cpp
    - PSLCmdParam.h
    - PSLCmdParams.cpp
    - PSLCmdParams.h
    - PSLCore.cpp
    - PSLCore.h
    - PSLCores.cpp
    - PSLCores.h
    - PSLCurrentProcess.cpp
    - PSLCurrentProcess.h
    - PSLDriver.cpp
    - PSLDriver.h
    - PSLDrivers.cpp
    - PSLDrivers.h
    - PSLEnvironmentVar.cpp
    - PSLEnvironmentVar.h
    - PSLEnvironmentVars.cpp
    - PSLEnvironmentVars.h
    - PSLExceptions.cpp
    - PSLExceptions.h
    - PSLHardware.cpp
    - PSLHardware.h
    - PSLIPv4.cpp
    - PSLIPv4.h
    - PSLIPv6.cpp
    - PSLIPv6.h
    - PSLMemory.cpp
    - PSLMemory.h
    - PSLModule.cpp
    - PSLModule.h
    - PSLModules.cpp
    - PSLModules.h
    - PSLModuleVersion.cpp
    - PSLModuleVersion.h
    - PSLMonitor.cpp
    - PSLMonitor.h
    - PSLMonitors.cpp
    - PSLMonitors.h
    - PSLNetwork.cpp
    - PSLNetwork.h
    - PSLOS.cpp
    - PSLOS.h
    - PSLOSVersion.cpp
    - PSLOSVersion.h
    - PSLPrivilege.cpp
    - PSLPrivilege.h
    - PSLPrivileges.cpp
    - PSLPrivileges.h
    - PSLProcess.cpp
    - PSLProcess.h
    - PSLProcesses.cpp
    - PSLProcesses.h
    - PSLProcessIO.cpp
    - PSLProcessIO.h
    - PSLProcessMemory.cpp
    - PSLProcessMemory.h
    - PSLProcessor.cpp
    - PSLProcessor.h
    - PSLRect.cpp
    - PSLRect.h
    - PSLSecurity.cpp
    - PSLSecurity.h
    - PSLService.cpp
    - PSLService.h
    - PSLServices.cpp
    - PSLServices.h
    - PSLSize.cpp
    - PSLSize.h
    - PSLSoftware.cpp
    - PSLSoftware.h
    - PSLSystem.cpp
    - PSLSystem.h
    - PSLSystem.rgs
    - PSLTable.cpp
    - PSLTable.h
    - PSLThread.cpp
    - PSLThread.h
    - PSLThreads.cpp
    - PSLThreads.h
    - PSLTools.cpp
    - PSLTools.h
    - PSLUser.cpp
    - PSLUser.h
    - PSLUtilities.cpp
    - PSLUtilities.h
    - PSLVersionNumber.cpp
    - PSLVersionNumber.h
    - PSLWindow.cpp
    - PSLWindow.h
    - PSLWindows.cpp
    - PSLWindows.h
    - PSLWindowsFilter.cpp
    - PSLWindowsFilter.h
    - PSLWMI.cpp
    - PSLWMI.h
    - resource.h
    - ServiceInfo.cpp
    - ServiceInfo.h
    - stdafx.cpp
    - stdafx.h
    - SystemInfoAccessor.cpp
    - SystemInfoAccessor.h
    - SysUtil.cpp
    - targetver.h
    - tstring.cpp
    - tstring.h
processinfo32_bin.zip
- Interop.ProSysLib.dll
- ProcessInfo.exe
- ProSysLib.dll
processinfo64_bin.zip
- Interop.ProSysLib.dll
- ProcessInfo.exe
- ProSysLib.dll
pslv0.5setup.zip
- PSLv0.5Setup.exe
PSLv0.7Setup.zip
- PSLv0.7Setup.exe

#pragma once

typedef LONG NTSTATUS;
typedef LONG KPRIORITY;

#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)

#define STATUS_INFO_LENGTH_MISMATCH      ((NTSTATUS)0xC0000004L)

typedef enum _SYSTEM_INFORMATION_CLASS
{ 
	SystemBasicInformation				 = 0,
	SystemProcessorInformation			 = 1,
	SystemPerformanceInformation		 = 2,
	SystemTimeOfDayInformation			 = 3,
	SystemNotImplemented1				 = 4,
	SystemProcessesAndThreadsInformation = 5,
	SystemCallCounts					 = 6,
	SystemConfigurationInformation		 = 7,
	SystemProcessorTimes				 = 8,
	SystemGlobalFlag					 = 9,
	SystemNotImplemented2				 = 10,
	SystemModuleInformation				 = 11,
	SystemLockInformation				 = 12,
	SystemNotImplemented3				 = 13,
	SystemNotImplemented4				 = 14,
	SystemNotImplemented5				 = 15,
	SystemHandleInformation				 = 16,
	SystemObjectInformation				 = 17,
	SystemPagefileInformation			 = 18,
	SystemInstructionEmulationCounts	 = 19,
	SystemInvalidInfoClass1				 = 20,
	SystemCacheInformation				 = 21,
	SystemPoolTagInformation			 = 22,
	SystemProcessorStatistics			 = 23,
	SystemDpcInformation				 = 24,
	SystemNotImplemented6				 = 25,
	SystemLoadImage						 = 26,
	SystemUnloadImage					 = 27,
	SystemTimeAdjustment				 = 28,
	SystemNotImplemented7				 = 29,
	SystemNotImplemented8				 = 30,
	SystemNotImplemented9				 = 31,
	SystemCrashDumpInformation			 = 32,
	SystemExceptionInformation			 = 33,
	SystemCrashDumpStateInformation		 = 34,
	SystemKernelDebuggerInformation		 = 35,
	SystemContextSwitchInformation		 = 36,
	SystemRegistryQuotaInformation		 = 37,
	SystemLoadAndCallImage				 = 38,
	SystemPrioritySeparation			 = 39,
	SystemNotImplemented10				 = 40,
	SystemNotImplemented11				 = 41,
	SystemInvalidInfoClass2				 = 42,
	SystemInvalidInfoClass3				 = 43,
	SystemTimeZoneInformation			 = 44,
	SystemLookasideInformation			 = 45,
	SystemSetTimeSlipEvent				 = 46,
	SystemCreateSession					 = 47,
	SystemDeleteSession					 = 48,
	SystemInvalidInfoClass4				 = 49,
	SystemRangeStartInformation			 = 50,
	SystemVerifierInformation			 = 51,
	SystemAddVerifier					 = 52,
	SystemSessionProcessesInformation	 = 53
} SYSTEM_INFORMATION_CLASS;

typedef enum _PROCESSINFOCLASS
{
	ProcessBasicInformation = 0,
	ProcessQuotaLimits = 1,
	ProcessIoCounters = 2,
	ProcessVmCounters = 3,
	ProcessTimes = 4,
	ProcessBasePriority = 5,
	ProcessRaisePriority = 6,
	ProcessDebugPort = 7,
	ProcessHandleCount = 20
}PROCESSINFOCLASS;

typedef struct _CLIENT_ID
{
    DWORD         UniqueProcess;
    DWORD         UniqueThread;
}CLIENT_ID;

typedef struct _UNICODE_STRING
{
    USHORT        Length;
    USHORT        MaximumLength;
    PWSTR         Buffer;
} UNICODE_STRING;

typedef struct _VM_COUNTERS
{
    SIZE_T        PeakVirtualSize;
    SIZE_T        VirtualSize;
    ULONG         PageFaultCount;
    SIZE_T        PeakWorkingSetSize;
    SIZE_T        WorkingSetSize;
    SIZE_T        QuotaPeakPagedPoolUsage;
    SIZE_T        QuotaPagedPoolUsage;
    SIZE_T        QuotaPeakNonPagedPoolUsage;
    SIZE_T        QuotaNonPagedPoolUsage;
    SIZE_T        PagefileUsage;
    SIZE_T        PeakPagefileUsage;
} VM_COUNTERS;

typedef struct _SYSTEM_THREAD_INFORMATION
{
	LARGE_INTEGER KernelTime;
	LARGE_INTEGER UserTime;
	LARGE_INTEGER CreateTime;
	ULONG WaitTime;
	PVOID StartAddress;
	CLIENT_ID ClientId;
	KPRIORITY Priority;
	KPRIORITY BasePriority;
	ULONG ContextSwitchCount;
	LONG State;
	LONG WaitReason;
} SYSTEM_THREAD_INFORMATION, * PSYSTEM_THREAD_INFORMATION;

typedef ABIG CProcessID;

typedef struct _SYSTEM_PROCESS_INFORMATION
{
    ULONG             NextEntryDelta;
    ULONG             ThreadCount;
    ULONG             Reserved1[6];
    LARGE_INTEGER     CreateTime;
    LARGE_INTEGER     UserTime;
    LARGE_INTEGER     KernelTime;
    UNICODE_STRING    ProcessName;
    KPRIORITY         BasePriority;
    CProcessID        ProcessId;
    CProcessID        InheritedFromProcessId;
    ULONG             HandleCount;
    ULONG             Reserved2[2];
    VM_COUNTERS       VmCounters;
    IO_COUNTERS       IoCounters;
    SYSTEM_THREAD_INFORMATION Threads[1];
} SYSTEM_PROCESS_INFORMATION, * PSYSTEM_PROCESS_INFORMATION;

typedef struct _RTL_USER_PROCESS_PARAMETERS
{
	ULONG AllocationSize;
	ULONG Size;
	ULONG Flags;
	ULONG DebugFlags;
	HANDLE hConsole;
	ULONG ProcessGroup;
	HANDLE hStdInput;
	HANDLE hStdOutput;
	HANDLE hStdError;
	UNICODE_STRING CurrentDirectoryName;
	HANDLE CurrentDirectoryHandle;
	UNICODE_STRING DllPath;
	UNICODE_STRING ImagePathName;
	UNICODE_STRING CommandLine;
	PWSTR Environment;
	ULONG dwX;
	ULONG dwY;
	ULONG dwXSize;
	ULONG dwYSize;
	ULONG dwXCountChars;
	ULONG dwYCountChars;
	ULONG dwFillAttribute;
	ULONG dwFlags;
	ULONG wShowWindow;
	UNICODE_STRING WindowTitle;
	UNICODE_STRING DesktopInfo;
	UNICODE_STRING ShellInfo;
	UNICODE_STRING RuntimeInfo;
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;

typedef struct _PEB_LDR_DATA
{
	ULONG Length;
	BOOLEAN Initialized;
	PVOID SsHandle;
	LIST_ENTRY InLoadOrderModuleList;
	LIST_ENTRY InMemoryOrderModuleList;
	LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;

typedef struct _PEB
{
	UCHAR InheritedAddressSpace;
	UCHAR ReadImageFileExecOptions;
	UCHAR BeingDebugged;
	UCHAR Spare;
	PVOID Mutant;
	PVOID ImageBaseAddress;
	PPEB_LDR_DATA Ldr;
	PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
} PEB, *PPEB;

typedef struct _PROCESS_BASIC_INFORMATION
{
	NTSTATUS ExitStatus;
	PPEB PebBaseAddress;
	ULONG_PTR AffinityMask;
	LONG BasePriority;
	ULONG_PTR UniqueProcessId;
	ULONG_PTR InheritedFromUniqueProcessId;
} PBI;

class CSystemInfoAccessor
{
	typedef LONG (WINAPI * ZwQuerySystemInformationType)(ULONG, PVOID, ULONG, PULONG);
	typedef LONG (WINAPI * ZwReadVirtualMemoryType)(HANDLE, PVOID, PVOID, ULONG, PULONG);
	typedef NTSTATUS (WINAPI * NtQueryInformationProcessType)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);
	typedef BOOL (WINAPI * GetProcessHandleCountType)(HANDLE, PDWORD);
	typedef BOOL (WINAPI * CheckRemoteDebuggerPresentType)(HANDLE, PBOOL);

public:

	CSystemInfoAccessor();

	static LONG ZwQuerySystemInformation(ULONG SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength = NULL);
	static LONG ZwReadVirtualMemory(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG BufferLength, PULONG ReturnLength);
	static LONG NtQueryInformationProcess(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength);
	static BOOL GetProcessHandleCount(HANDLE hProcess, PDWORD pdwHandleCount);
	static BOOL CheckRemoteDebuggerPresent(HANDLE hProcess, PBOOL pbDebuggerPresent);

private:

	ZwQuerySystemInformationType m_pZwQuerySystemInformation;
	ZwReadVirtualMemoryType m_pZwReadVirtualMemory;
	NtQueryInformationProcessType m_pNtQueryInformationProcess;
	GetProcessHandleCountType m_pGetProcessHandleCount;
	CheckRemoteDebuggerPresentType m_pCheckRemoteDebuggerPresent;
};

extern CSystemInfoAccessor g_SIA;

By viewing downloads associated with this article you agree to the Terms of Service and the article's licence.

If a file you wish to view isn't highlighted, and is a text file (not binary), please let us know and we'll add colourisation support for it.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Written By

Vitaly Tomilov

Software Developer (Senior) Sibedge IT

Ireland

My online CV: cv.vitalytomilov.com

ProSysLib: Dissecting the Process

License

Comments and Discussions