using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.InteropServices;
using System.Text;
namespace detect_coreclr_dll
{
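/// <summary>
/// Lists every process ID on the machine and, for each process that can be opened,
/// prints the path of its first module when <c>coreclr.dll</c> is among its loaded modules.
/// </summary>
/// <remarks>
/// Coverage caveats for anyone using the output as a detection signal:
/// processes that cannot be opened with the requested rights are skipped without a path,
/// so a non-elevated run has blind spots; and module names are reported by PSAPI from the
/// target process (NOTE(review): PSAPI is documented as reading loader data out of the
/// target's memory - confirm), so "not listed" means "not observed", not "not loaded".
/// </remarks>
class Program
{
    // Starting capacity, in entries, for the PID and module-handle buffers.
    const int InitialEntryCount = 2048;

    // Upper bound on buffer growth so a bogus size report cannot trigger a huge allocation.
    const int MaxEntryCount = 1 << 20;

    // Size of one PID entry in the EnumProcesses buffer.
    const uint BytesPerPid = sizeof(uint);

    // Path buffer sizes in characters; the buffer doubles until the path fits or the maximum is hit.
    const int InitialPathChars = 512;
    const int MaxPathChars = 32768;

    // The module list can change between calls, so buffer regrowth is retried a bounded number of times.
    const int MaxEnumAttempts = 3;

    /// <summary>
    /// Entry point: prints each PID, followed by the first module path of any process that hosts CoreCLR.
    /// </summary>
    /// <param name="args">Command-line arguments (unused).</param>
    static void Main(string[] args)
    {
        foreach (var pid in GetProcessIds())
        {
            Console.WriteLine($"{pid}");

            var handle = Kernel32.OpenProcess(
                Kernel32.ProcessSecurity.ProcessVmRead | Kernel32.ProcessSecurity.ProcessQueryInformation,
                false,
                pid);

            // A zero handle means the process could not be opened with these rights
            // (for example it exited, or access was denied); it is skipped, not reported.
            if (handle == IntPtr.Zero)
            {
                continue;
            }

            try
            {
                var names = GetModuleFileNames(handle);
                if (HasCoreClr(names))
                {
                    // HasCoreClr returning true guarantees at least one entry.
                    Console.WriteLine(names[0]);
                }
            }
            finally
            {
                // Release the handle even if module enumeration throws.
                Kernel32.CloseHandle(handle);
            }
        }
    }

    /// <summary>
    /// Returns the process IDs reported by <c>EnumProcesses</c>, growing the buffer until the
    /// list is not cut off by the buffer size.
    /// </summary>
    /// <returns>The process IDs, or an empty array when the enumeration call fails.</returns>
    static uint[] GetProcessIds()
    {
        var capacity = InitialEntryCount;
        while (true)
        {
            var pids = new uint[capacity];
            var cb = (uint)capacity * BytesPerPid;
            if (!Psapi.EnumProcesses(pids, cb, out var cbNeeded))
            {
                Console.Error.WriteLine("EnumProcesses failed; no processes were scanned.");
                return Array.Empty<uint>();
            }

            var returned = (int)Math.Min((long)(cbNeeded / BytesPerPid), capacity);

            // EnumProcesses only reports the bytes it wrote, so a completely full buffer is
            // the sole sign that the list may be truncated: retry with a larger buffer.
            if (returned < capacity || capacity >= MaxEntryCount)
            {
                Array.Resize(ref pids, returned);
                return pids;
            }

            capacity *= 2;
        }
    }

    /// <summary>
    /// Collects the file names of the modules loaded in the given process.
    /// </summary>
    /// <param name="hProcess">Handle opened with VM-read and query-information rights.</param>
    /// <returns>
    /// One entry per enumerated module, in enumeration order; an entry is empty when its
    /// name could not be read. Empty array when the module list cannot be enumerated.
    /// </returns>
    static string[] GetModuleFileNames(IntPtr hProcess)
    {
        var modules = new IntPtr[InitialEntryCount];
        int count;

        for (var attempt = 1; ; ++attempt)
        {
            var cb = IntPtr.Size * modules.Length;
            if (!Psapi.EnumProcessModulesEx(hProcess, modules, cb, out var cbNeeded, Psapi.ListModules.ListModulesAll))
            {
                return Array.Empty<string>();
            }

            // cbNeeded is the size required for ALL handles and may exceed what was written,
            // so it must never be used as a loop bound without comparing it to the buffer.
            var reported = (long)(cbNeeded / (uint)IntPtr.Size);
            if (reported <= modules.Length)
            {
                count = (int)reported;
                break;
            }

            if (attempt >= MaxEnumAttempts || reported > MaxEntryCount)
            {
                // Give up growing: use only the entries that fit in the buffer.
                count = modules.Length;
                break;
            }

            modules = new IntPtr[(int)reported];
        }

        var moduleNames = new List<string>(count);
        for (var i = 0; i < count; ++i)
        {
            moduleNames.Add(GetModuleFileName(hProcess, modules[i]));
        }

        return moduleNames.ToArray();
    }

    /// <summary>
    /// Reads the full path of one module, enlarging the buffer while the result looks truncated.
    /// </summary>
    /// <returns>The module path, or an empty string when the call reports failure.</returns>
    static string GetModuleFileName(IntPtr hProcess, IntPtr hModule)
    {
        for (var capacity = InitialPathChars; ; capacity *= 2)
        {
            var sb = new StringBuilder(capacity);
            var copied = Psapi.GetModuleFileNameEx(hProcess, hModule, sb, (uint)capacity);
            if (copied == 0)
            {
                // Keep a placeholder so indexes still line up with the module list.
                return string.Empty;
            }

            // A result that fills the buffer may have been cut short, which could hide the
            // file name at the end of the path from the caller's check.
            if (copied < capacity - 1 || capacity >= MaxPathChars)
            {
                return sb.ToString();
            }
        }
    }

    /// <summary>
    /// Reports whether any module path names the file <c>coreclr.dll</c>.
    /// </summary>
    /// <param name="modules">Module paths as returned by <see cref="GetModuleFileNames"/>.</param>
    /// <returns><c>true</c> when at least one path's file name is <c>coreclr.dll</c>.</returns>
    static bool HasCoreClr(string[] modules)
    {
        return modules.Any(IsCoreClrPath);
    }

    /// <summary>
    /// Compares the file-name part of a path with <c>coreclr.dll</c>, ignoring case.
    /// </summary>
    /// <remarks>
    /// The whole file name is compared rather than searching for a substring, so paths such as
    /// <c>notcoreclr.dll</c> or a directory called <c>coreclr.dll.bak</c> do not match, and the
    /// ordinal comparison does not depend on the current culture.
    /// </remarks>
    static bool IsCoreClrPath(string path)
    {
        if (string.IsNullOrEmpty(path))
        {
            return false;
        }

        var separator = path.LastIndexOfAny(new[] { '\\', '/' });
        var fileName = path.Substring(separator + 1);
        return string.Equals(fileName, "coreclr.dll", StringComparison.OrdinalIgnoreCase);
    }
}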
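/// <summary>
/// P/Invoke declarations for the kernel32.dll functions used to open and close process handles.
/// </summary>
static class Kernel32
{
    /// <summary>
    /// Opens an existing process. Returns <see cref="IntPtr.Zero"/> on failure; the reason is
    /// available through <c>Marshal.GetLastWin32Error()</c> because SetLastError is enabled.
    /// </summary>
    /// <param name="dwDesiredAccess">Access rights requested on the process.</param>
    /// <param name="bInheritHandle">Whether child processes inherit the handle.</param>
    /// <param name="dwProcessId">Identifier of the process to open.</param>
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(
        [MarshalAs(UnmanagedType.I4)] ProcessSecurity dwDesiredAccess,
        [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle,
        uint dwProcessId);

    /// <summary>
    /// Closes a handle returned by <see cref="OpenProcess"/>. Every successful open must be
    /// paired with exactly one close.
    /// </summary>
    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    public static extern bool CloseHandle(IntPtr hObject);

    /// <summary>
    /// Process access rights. Only the two rights this program requests are declared, which
    /// keeps the handle read-only with respect to the target process.
    /// </summary>
    [Flags]
    public enum ProcessSecurity : uint
    {
        // PROCESS_VM_READ: read the target's memory.
        ProcessVmRead = 0x0010,

        // PROCESS_QUERY_INFORMATION: query information about the target.
        ProcessQueryInformation = 0x0400,
    }
}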
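/// <summary>
/// P/Invoke declarations for the psapi.dll process and module enumeration functions.
/// </summary>
/// <remarks>
/// SetLastError is enabled so callers can read the failure reason with
/// <c>Marshal.GetLastWin32Error()</c>. NOTE(review): the PSAPI documentation describes limits
/// on what a 32-bit caller can enumerate in a 64-bit process - confirm the build target.
/// </remarks>
static class Psapi
{
    /// <summary>
    /// Fills <paramref name="lpidProcesses"/> with process identifiers.
    /// </summary>
    /// <param name="lpidProcesses">Buffer that receives the identifiers.</param>
    /// <param name="cb">Size of the buffer in bytes.</param>
    /// <param name="lpcbNeeded">Number of bytes written to the buffer.</param>
    [DllImport("psapi.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    public static extern bool EnumProcesses(uint[] lpidProcesses, uint cb, out uint lpcbNeeded);

    /// <summary>
    /// Retrieves the path of a module loaded in another process.
    /// </summary>
    /// <remarks>
    /// Bound to the Unicode entry point: with the default ANSI marshalling, paths containing
    /// characters outside the system code page come back altered.
    /// </remarks>
    /// <param name="hProcess">Handle to the process that contains the module.</param>
    /// <param name="hModule">Handle to the module.</param>
    /// <param name="lpFilename">Buffer that receives the path.</param>
    /// <param name="nSize">Size of the buffer in characters.</param>
    /// <returns>Length of the copied string; zero on failure.</returns>
    [DllImport("psapi.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern uint GetModuleFileNameEx(
        IntPtr hProcess,
        IntPtr hModule,
        StringBuilder lpFilename,
        uint nSize);

    /// <summary>
    /// Retrieves handles for the modules of a process that match the filter.
    /// </summary>
    /// <param name="hProcess">Handle to the process.</param>
    /// <param name="lphModule">Buffer that receives the module handles.</param>
    /// <param name="cb">Size of the buffer in bytes.</param>
    /// <param name="lpcbNeeded">
    /// Bytes required to hold all handles; this can be larger than <paramref name="cb"/>,
    /// so callers must not index the buffer with it unchecked.
    /// </param>
    /// <param name="dwFilterFlag">Which modules to list.</param>
    [DllImport("psapi.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    public static extern bool EnumProcessModulesEx(
        IntPtr hProcess,
        IntPtr[] lphModule,
        int cb,
        out uint lpcbNeeded,
        [MarshalAs(UnmanagedType.I4)] ListModules dwFilterFlag);

    /// <summary>Filter values accepted by <see cref="EnumProcessModulesEx"/>.</summary>
    public enum ListModules : int
    {
        // 32-bit modules only.
        ListModules32Bit = 0x01,

        // 64-bit modules only.
        ListModules64Bit = 0x02,

        // Both 32-bit and 64-bit modules.
        ListModulesAll = 0x03,

        // Default behaviour of the API.
        ListModulesDefault = 0x0,
    }
}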
}

tmyt commented Aug 19, 2019

結果

49368
C:\Program Files\dotnet\dotnet.exe
41024
46872
34664
C:\Users\yutaka\source\repos\llvm_generator\bin\Release\netcoreapp2.1\win-x64\llvm_generator.exe
24392
43640
33892
41900
9040