ps-like command for Windows
cl /Zi -D_UNICODE ps2.cpp Psapi.lib
#include <windows.h>
#include <stdio.h>
#include <tchar.h>
#include <psapi.h>
#include <TlHelp32.h>
#include <winternl.h>
#include <locale.h>
#include <new>
#define NPROCS 30000
// Does CreateToolhelp32Snapshot help ??
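// Print the system description of the calling thread's last error.
// The error code is captured first, because FormatMessage() itself can
// overwrite it; if no message text is available the numeric code is
// printed instead, so an unset buffer pointer never reaches printf/LocalFree.
// NOTE(review): LPTSTR follows UNICODE while _T() follows _UNICODE; with the
// `-D_UNICODE`-only build line above these may differ, in which case the
// `%s` conversion does not match the buffer's character width — confirm.
void reportError()
{
    const DWORD err = GetLastError();
    LPVOID lpMessageBuffer = NULL;
    // IGNORE_INSERTS: system messages may contain %1-style inserts that
    // would otherwise be expanded from a missing argument list.
    const DWORD len = FormatMessage(
        FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS, NULL,
        err,
        MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
        (LPTSTR)&lpMessageBuffer, 0, NULL);
    if (len == 0 || lpMessageBuffer == NULL) {
        _tprintf(_T("Error: %u\r\n"), err);
        return;
    }
    _tprintf(_T("Error: %s\r\n"), (LPTSTR)lpMessageBuffer);
    LocalFree(lpMessageBuffer);
}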
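// Print "<main module path> (PID: n)" for one process id.
// Processes that cannot be opened or queried (e.g. protected or
// other-session processes) are printed as "<unknown>", not treated as errors.
// NOTE(review): szProcessName/TEXT() follow UNICODE while the _T() format
// follows _UNICODE; with the `-D_UNICODE`-only build line above they differ,
// so `%s` may not render the name correctly — confirm the intended build.
void PrintProcessNameAndID(DWORD processID)
{
    TCHAR szProcessName[MAX_PATH];
    const TCHAR *name = TEXT("<unknown>");
    // PROCESS_VM_READ is needed by EnumProcessModules / GetModuleFileNameEx.
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, processID);
    if (NULL != hProcess) {
        HMODULE hMod;
        DWORD cbNeeded;
        // Only a single module handle is requested (the first one, the image).
        if (EnumProcessModules(hProcess, &hMod, sizeof(hMod), &cbNeeded)) {
            // Size is in characters, not bytes; a 0 return leaves "<unknown>".
            if (GetModuleFileNameEx(hProcess, hMod, szProcessName,
                                    sizeof(szProcessName) / sizeof(TCHAR)) != 0) {
                name = szProcessName;
            }
        }
        // Only close a handle that was actually opened.
        CloseHandle(hProcess);
    }
    _tprintf(_T("%s (PID: %u)\n"), name, processID);
}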
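/*
 * Convert a NUL-terminated char string (thread ANSI code page) to a newly
 * allocated wide string.
 * Returns NULL for a NULL input, when the conversion fails, or when the
 * allocation fails. The caller owns a non-NULL result and must release it
 * with delete[] (it is allocated with new[]).
 */
WCHAR* chara2wchara(char *pszChar)
{
    if (pszChar == NULL) return NULL;
    // Length -1: the input is NUL-terminated, so the returned count already
    // includes the terminator. 0 means the conversion itself failed.
    const int nLen = ::MultiByteToWideChar(CP_THREAD_ACP, 0, pszChar, -1, NULL, 0);
    if (nLen <= 0) return NULL;
    // nothrow keeps the documented "NULL on failure" contract; plain new[]
    // would throw std::bad_alloc instead of returning NULL.
    WCHAR *pszWchar = new (std::nothrow) WCHAR[nLen];
    if (pszWchar == NULL) return NULL;
    if (::MultiByteToWideChar(CP_THREAD_ACP, 0, pszChar, -1, pszWchar, nLen) == 0) {
        delete[] pszWchar;   // array form, matching new[]
        return NULL;
    }
    return pszWchar;
}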
// method found at www.codeproject.com/KB/threads/GetNtProcessInfo.aspx
// Function-pointer type matching ntdll!NtQueryInformationProcess. The build
// line links only Psapi.lib, so GetPEB() resolves this export at runtime
// with GetProcAddress rather than calling it directly.
typedef NTSTATUS (NTAPI *pfnNtQueryInformationProcess) (
IN HANDLE ProcessHandle,
IN PROCESSINFOCLASS ProcessInformationClass,
OUT PVOID ProcessInformation,
IN ULONG ProcessInformationLength,
OUT PULONG ReturnLength OPTIONAL
);
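// Return the PEB base address of hProcess, or NULL when ntdll.dll or its
// NtQueryInformationProcess export cannot be resolved or the query fails.
// Callers must check for NULL: on failure the PROCESS_BASIC_INFORMATION
// block is not filled in, so its PebBaseAddress field must not be used.
BYTE *GetPEB(HANDLE hProcess)
{
    HMODULE hNtdll = GetModuleHandle(TEXT("ntdll.dll"));
    if (hNtdll == NULL) return NULL;
    pfnNtQueryInformationProcess gNtQueryInformationProcess =
        (pfnNtQueryInformationProcess)GetProcAddress(hNtdll, "NtQueryInformationProcess");
    if (gNtQueryInformationProcess == NULL) return NULL;
    PROCESS_BASIC_INFORMATION info;
    ZeroMemory(&info, sizeof(info));
    ULONG returned = 0;
    const NTSTATUS status = gNtQueryInformationProcess(hProcess, ProcessBasicInformation,
                                                       &info, sizeof(info), &returned);
    // NTSTATUS success and informational codes are non-negative (NT_SUCCESS).
    if (status < 0) return NULL;
    return (BYTE*)info.PebBaseAddress;
}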
#if 0
BYTE *GetPEB(HANDLE hProcess)
{
NtQueryInformationProcess* NtQip = (NtQueryInformationProcess*)
GetProcAddress(GetModuleHandle(_T("ntdll.dll")), "NtQueryInformationProcess");
PROCESS_BASIC_INFORMATION info;
NtQip(hProcess, ProcessBasicInformation, &info, sizeof(info), NULL);
return info.PebBaseAddress;
}
#endif
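// Read at most count-1 wide characters from a remote address into buf and
// always leave buf NUL-terminated, so a failed or partial read can never be
// printed as an unterminated string. Returns FALSE when the read fails.
static BOOL ReadRemoteWString(HANDLE hProcess, DWORD addr, wchar_t *buf, size_t count)
{
    SIZE_T bytesRead = 0;
    buf[0] = L'\0';
    // DWORD -> pointer via ULONG_PTR avoids the int-to-pointer size warning
    // on 64-bit builds; the remote address itself is still a 32-bit value.
    if (!ReadProcessMemory(hProcess, (PVOID)(ULONG_PTR)addr, buf,
                           (count - 1) * sizeof(wchar_t), &bytesRead)) {
        return FALSE;
    }
    buf[bytesRead / sizeof(wchar_t)] = L'\0';
    return TRUE;
}

// Print the remote process's command line ("(2)") and a second
// RTL_USER_PROCESS_PARAMETERS string ("(3)") by following
// PEB -> ProcessParameters -> UNICODE_STRING.Buffer. Every read is checked;
// on any failure the corresponding line is simply not printed.
// NOTE(review): the 0x10 / 0x44 offsets and the DWORD-sized remote pointers
// assume the 32-bit PEB / RTL_USER_PROCESS_PARAMETERS layout — confirm for
// the target architecture; on a mismatch the reads fail or return nonsense.
static void PrintRemoteParams(HANDLE hProcess, DWORD pid)
{
    BYTE *peb = GetPEB(hProcess);
    if (peb == NULL) return;

    DWORD paramsAddr = 0;
    SIZE_T bytesRead = 0;
    // PEB + 0x10 -> ProcessParameters
    if (!ReadProcessMemory(hProcess, peb + 0x10, &paramsAddr, sizeof(paramsAddr), &bytesRead)
        || paramsAddr == 0) {
        return;
    }

    wchar_t params[0x200];
    const size_t paramsCount = sizeof(params) / sizeof(params[0]);
    DWORD strAddr = 0;

    // ProcessParameters + 0x44 -> command-line buffer
    if (ReadProcessMemory(hProcess, (PVOID)(ULONG_PTR)(paramsAddr + 0x44), &strAddr, sizeof(strAddr), &bytesRead)
        && strAddr != 0
        && ReadRemoteWString(hProcess, strAddr, params, paramsCount)) {
        wprintf(L" (2) PID %08x: %s\n", pid, params);
    }

    // Three UNICODE_STRINGs and one HANDLE before the command line.
    const DWORD offset3 = (DWORD)(0x44 - sizeof(UNICODE_STRING) * 3 - sizeof(HANDLE));
    if (ReadProcessMemory(hProcess, (PVOID)(ULONG_PTR)(paramsAddr + offset3), &strAddr, sizeof(strAddr), &bytesRead)
        && strAddr != 0
        && ReadRemoteWString(hProcess, strAddr, params, paramsCount)) {
        wprintf(L" (3) PID %08x: %s\n", pid, params);
    }
}

// Print one Toolhelp snapshot entry (name, PID, thread count) and, when the
// process can be opened, its main-module path ("(1)") and the strings
// reachable from its PEB. The process handle is closed on every path.
// NOTE(review): szProcessName is TCHAR but is passed to chara2wchara(char*);
// this only compiles when TCHAR is char (UNICODE undefined) — confirm.
static void PrintSnapshotEntry(PROCESSENTRY32 *pe)
{
    WCHAR *wszExeFile = chara2wchara(pe->szExeFile);
    // A failed conversion yields NULL, which must not reach %s.
    _tprintf(_T("%-16s %4u %u \n"), wszExeFile ? wszExeFile : L"<unknown>",
             pe->th32ProcessID, pe->cntThreads);
    delete[] wszExeFile;   // array form; delete[] of NULL is a no-op

    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
                                  FALSE, pe->th32ProcessID);
    if (NULL == hProcess) return;   // not openable (e.g. protected process)

    HMODULE hMod;
    DWORD cbNeeded;
    if (EnumProcessModules(hProcess, &hMod, sizeof(hMod), &cbNeeded)) {
        TCHAR szProcessName[MAX_PATH];
        // Size in characters, not bytes; a 0 return means no name available.
        if (GetModuleFileNameEx(hProcess, hMod, szProcessName,
                                sizeof(szProcessName) / sizeof(TCHAR)) != 0) {
            WCHAR *wszProcessName = chara2wchara(szProcessName);
            _tprintf(_T(" (1) %s\n"), wszProcessName ? wszProcessName : L"<unknown>");
            delete[] wszProcessName;
        }
        PrintRemoteParams(hProcess, pe->th32ProcessID);
    }
    // Reached whether or not EnumProcessModules succeeded: no handle leak.
    CloseHandle(hProcess);
}

// List every process in a Toolhelp snapshot, one entry per line, followed by
// the extra per-process details printed by PrintSnapshotEntry(). On snapshot
// failure a diagnostic with the Win32 error code is printed and nothing else.
void dops2()
{
    HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (INVALID_HANDLE_VALUE == hProcessSnap) {
        _tprintf(_T("CreateToolhelp32Snapshot failed with %u.\n"), GetLastError());
        return;
    }
    _tprintf(_T("PID Name Number of threads\n"));

    PROCESSENTRY32 pe32;
    ZeroMemory(&pe32, sizeof(pe32));
    // dwSize must be set before Process32First or the call fails.
    pe32.dwSize = sizeof(PROCESSENTRY32);
    if (Process32First(hProcessSnap, &pe32)) {
        do {
            PrintSnapshotEntry(&pe32);
        } while (Process32Next(hProcessSnap, &pe32));
    }
    CloseHandle(hProcessSnap);
}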
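// Enumerate all process ids with EnumProcesses() and print each one's
// main-module path via PrintProcessNameAndID(). On enumeration failure a
// diagnostic is printed and the function returns without listing anything.
void dops()
{
    DWORD processIds[NPROCS];
    DWORD cbReturned = 0;
    // EnumProcesses takes the buffer size and reports the used size in
    // BYTES, not in entries. If cbReturned == sizeof(processIds) the array
    // may have been too small; the API gives no other indication.
    if (EnumProcesses(processIds, sizeof(processIds), &cbReturned) == 0) {
        _tprintf(_T("EnumProcesses failed.\n"));
        reportError();
        return;
    }
    const DWORD count = cbReturned / sizeof(DWORD);
    printf("Returned %u process ids\n", count);
    for (DWORD i = 0; i < count; i++) {
        PrintProcessNameAndID(processIds[i]);
    }
}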
// Entry point: set the C runtime locale from the environment, then run the
// Toolhelp-based listing (dops2). Command-line arguments are not used.
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;
    _tsetlocale(LC_ALL, _T(""));
    dops2();
    return 0;
}