Created
August 19, 2019 12:47
-
-
Save tmyt/ea1e0c07f6a057bc5147dbb470a5931d to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Collections.Generic; | |
| using System.Linq; | |
| using System.Runtime.InteropServices; | |
| using System.Text; | |
| namespace detect_coreclr_dll | |
| { | |
| class Program | |
| { | |
| static void Main(string[] args) | |
| { | |
| var pids = new uint[2048]; | |
| Psapi.EnumProcesses(pids, 2048 * 4, out var cbNeeded); | |
| for (var i = 0; i < cbNeeded / 4; ++i) | |
| { | |
| var pid = pids[i]; | |
| Console.WriteLine($"{pid}"); | |
| var handle = Kernel32.OpenProcess(Kernel32.ProcessSecurity.ProcessVmRead | Kernel32.ProcessSecurity.ProcessQueryInformation, false, pid); | |
| if (handle == IntPtr.Zero) continue; | |
| var names = GetModuleFileNames(handle); | |
| if (HasCoreClr(names)) | |
| { | |
| Console.WriteLine(names[0]); | |
| } | |
| Kernel32.CloseHandle(handle); | |
| } | |
| } | |
| static string[] GetModuleFileNames(IntPtr hProcess) | |
| { | |
| var modules = new IntPtr[2048]; | |
| Psapi.EnumProcessModulesEx(hProcess, modules, IntPtr.Size * 2048, out var cbNeeded, Psapi.ListModules.ListModulesAll); | |
| var moduleNames = new List<string>(); | |
| for (var i = 0; i < cbNeeded / IntPtr.Size; ++i) | |
| { | |
| var sb = new StringBuilder(256); | |
| Psapi.GetModuleFileNameEx(hProcess, modules[i], sb, 256); | |
| moduleNames.Add(sb.ToString()); | |
| } | |
| return moduleNames.ToArray(); | |
| } | |
| static bool HasCoreClr(string[] modules) | |
| { | |
| return modules.Any(x => x.ToLower().Contains("coreclr.dll")); | |
| } | |
| } | |
| static class Kernel32 | |
| { | |
| [DllImport("kernel32.dll")] | |
| public static extern IntPtr OpenProcess([MarshalAs(UnmanagedType.I4)] ProcessSecurity dwDesiredAccess, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle, | |
| uint dwProcessId); | |
| [DllImport("kernel32.dll")] | |
| [return: MarshalAs(UnmanagedType.Bool)] | |
| public static extern bool CloseHandle(IntPtr hObject); | |
| [Flags] | |
| public enum ProcessSecurity : uint | |
| { | |
| ProcessVmRead = 0x0010, | |
| ProcessQueryInformation = 0x0400, | |
| } | |
| } | |
| static class Psapi | |
| { | |
| [DllImport("psapi.dll")] | |
| [return: MarshalAs(UnmanagedType.Bool)] | |
| public static extern bool EnumProcesses(uint[] lpidProcesses, uint cb, out uint lpcbNeeded); | |
| [DllImport("psapi.dll")] | |
| public static extern uint GetModuleFileNameEx(IntPtr hProcess, IntPtr hModule, StringBuilder lpFilename, | |
| uint nSize); | |
| [DllImport("psapi.dll")] | |
| [return: MarshalAs(UnmanagedType.Bool)] | |
| public static extern bool EnumProcessModulesEx(IntPtr hProcess, IntPtr[] lphModule, int cb, | |
| out uint lpcbNeeded, [MarshalAs(UnmanagedType.I4)] ListModules dwFilterFlag); | |
| public enum ListModules : int | |
| { | |
| ListModules32Bit = 0x01, | |
| ListModules64Bit = 0x02, | |
| ListModulesAll = 0x03, | |
| ListModulesDefault = 0x0, | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
結果