Created
March 23, 2013 05:04
ps-like command for Windows
cl /Zi -D_UNICODE ps2.cpp Psapi.lib |
#include <windows.h> | |
#include <stdio.h> | |
#include <tchar.h> | |
#include <psapi.h> | |
#include <TlHelp32.h> | |
#include <winternl.h> | |
#include <locale.h> | |
// Capacity (in DWORDs) of the process-ID array used by dops().
const int NPROCS = 30000;
// Does CreateToolhelp32Snapshot help ??
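// Print the system text for GetLastError() to stdout, prefixed with "Error: ".
//
// FORMAT_MESSAGE_IGNORE_INSERTS is needed because no argument array is
// supplied: system messages may contain %1-style insert sequences and
// without the flag FormatMessage would try to read arguments that do not
// exist. The buffer is only valid (and only needs LocalFree) when
// FormatMessage returns a non-zero length; the original printed and freed
// an uninitialized pointer on that path.
void reportError()
{
    // Capture first: any later call could overwrite the thread's last error.
    const DWORD lastError = GetLastError();
    LPTSTR lpMessageBuffer = NULL;
    const DWORD len = FormatMessage(
        FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM |
            FORMAT_MESSAGE_IGNORE_INSERTS,
        NULL,
        lastError,
        MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
        (LPTSTR)&lpMessageBuffer, 0, NULL);
    if (len == 0 || lpMessageBuffer == NULL) {
        // No description available; at least report the numeric code.
        _tprintf(_T("Error: code %u\r\n"), lastError);
        return;
    }
    _tprintf(_T("Error: %s\r\n"), lpMessageBuffer);
    LocalFree(lpMessageBuffer);
}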
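// Print "<module file name> (PID: <id>)" for one process.
//
// The name is the full path of the first module returned by
// EnumProcessModules (the main executable). Processes that cannot be opened
// with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ — typically other users'
// or protected processes — are printed as "<unknown>". The handle is
// released only when OpenProcess succeeded; the original called
// CloseHandle(NULL) on the failure path.
void PrintProcessNameAndID(DWORD processID)
{
    TCHAR szProcessName[MAX_PATH] = TEXT("<unknown>");

    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
                                  FALSE, processID);
    if (hProcess != NULL) {
        HMODULE hMod = NULL;
        DWORD cbNeeded = 0;
        // Only the first module is requested (sizeof(hMod)); cbNeeded reports
        // how large the full list would be and is not used here.
        if (EnumProcessModules(hProcess, &hMod, sizeof(hMod), &cbNeeded)) {
            // nSize is a character count, not a byte count.
            GetModuleFileNameEx(hProcess, hMod, szProcessName,
                                sizeof(szProcessName) / sizeof(TCHAR));
        }
        CloseHandle(hProcess);
    }

    _tprintf(_T("%s (PID: %u)\n"), szProcessName, processID);
}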
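/*
 * Convert a NUL-terminated char string (thread ANSI code page) into a
 * newly allocated wide string.
 *
 * Returns NULL when pszChar is NULL or MultiByteToWideChar cannot convert
 * it (reports a zero length). The result is allocated with new[] and the
 * caller must release it with delete[] when it is not NULL; the original
 * used plain delete, which is undefined for an array allocation.
 */
WCHAR* chara2wchara(char *pszChar)
{
    if (pszChar == NULL) {
        return NULL;
    }
    // First pass (cchWideChar == 0) only measures; -1 means the source is
    // NUL-terminated, so the returned count includes the terminator.
    int nLen = ::MultiByteToWideChar(CP_THREAD_ACP, 0, pszChar, -1, NULL, 0);
    if (nLen <= 0) {
        return NULL;
    }
    WCHAR *pszWchar = new WCHAR[nLen];
    // Second pass converts into the buffer sized by the first pass.
    if (::MultiByteToWideChar(CP_THREAD_ACP, 0, pszChar, -1, pszWchar, nLen) == 0) {
        delete[] pszWchar;
        pszWchar = NULL;
    }
    return pszWchar;
}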
// Pointer type for ntdll!NtQueryInformationProcess, which is resolved at
// run time with GetProcAddress (approach taken from
// www.codeproject.com/KB/threads/GetNtProcessInfo.aspx).
typedef NTSTATUS (NTAPI *pfnNtQueryInformationProcess)(
    HANDLE ProcessHandle,
    PROCESSINFOCLASS ProcessInformationClass,
    PVOID ProcessInformation,
    ULONG ProcessInformationLength,
    PULONG ReturnLength);
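// Return the address of hProcess's PEB in the target's address space (it
// must be read with ReadProcessMemory), or NULL when it cannot be obtained.
//
// NtQueryInformationProcess has no import library, so it is looked up in
// ntdll.dll at run time; the original called the looked-up pointer and read
// the result without checking either step. Callers in this file open the
// process with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ.
BYTE *GetPEB(HANDLE hProcess)
{
    HMODULE hNtdll = GetModuleHandle(TEXT("ntdll.dll"));
    if (hNtdll == NULL) {
        return NULL;
    }
    pfnNtQueryInformationProcess pNtQueryInformationProcess =
        (pfnNtQueryInformationProcess)GetProcAddress(hNtdll, "NtQueryInformationProcess");
    if (pNtQueryInformationProcess == NULL) {
        return NULL;
    }

    PROCESS_BASIC_INFORMATION info;
    ZeroMemory(&info, sizeof(info));
    ULONG returned = 0;
    NTSTATUS status = pNtQueryInformationProcess(hProcess, ProcessBasicInformation,
                                                 &info, sizeof(info), &returned);
    // NTSTATUS values below zero are errors; info is only meaningful on success.
    if (status < 0) {
        return NULL;
    }
    return (BYTE*)info.PebBaseAddress;
}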
#if 0
// Earlier variant of GetPEB, disabled by the #if 0 above and kept for
// reference. Unlike the active version it casts the GetProcAddress result
// to a pointer to the NtQueryInformationProcess declaration itself instead
// of the pfnNtQueryInformationProcess typedef, and returns PebBaseAddress
// without the BYTE* cast.
BYTE *GetPEB(HANDLE hProcess)
{
NtQueryInformationProcess* NtQip = (NtQueryInformationProcess*)
GetProcAddress(GetModuleHandle(_T("ntdll.dll")), "NtQueryInformationProcess");
PROCESS_BASIC_INFORMATION info;
NtQip(hProcess, ProcessBasicInformation, &info, sizeof(info), NULL);
return info.PebBaseAddress;
}
#endif
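// Read and print the command line of hProcess via its PEB.
//
// Walks PEB -> ProcessParameters -> CommandLine using the structure layouts
// from winternl.h instead of the hard-coded 0x10/0x44 offsets, so the field
// positions match the bitness this program is built for. Every
// ReadProcessMemory result is checked; on any failure nothing is printed.
// The command line is copied into a bounded local buffer and explicitly
// NUL-terminated, because UNICODE_STRING buffers carry a byte length rather
// than a terminator (the original printed an unterminated buffer and an
// uninitialized PID table entry).
// NOTE(review): a build whose bitness differs from the target process sees
// a PEB with the other layout — confirm that the build matches the
// processes being listed.
static void PrintCommandLine(HANDLE hProcess, DWORD processID)
{
    BYTE *pebAddress = GetPEB(hProcess);
    if (pebAddress == NULL) {
        return;
    }

    PEB peb;
    SIZE_T read = 0;
    if (!ReadProcessMemory(hProcess, pebAddress, &peb, sizeof(peb), &read)
        || read != sizeof(peb) || peb.ProcessParameters == NULL) {
        return;
    }

    RTL_USER_PROCESS_PARAMETERS params;
    if (!ReadProcessMemory(hProcess, peb.ProcessParameters, &params, sizeof(params), &read)
        || read != sizeof(params) || params.CommandLine.Buffer == NULL) {
        return;
    }

    // CommandLine.Length is a byte count without the terminator; keep one
    // wchar_t free for the terminator written below.
    wchar_t cmdline[0x200];
    SIZE_T cb = params.CommandLine.Length;
    if (cb > sizeof(cmdline) - sizeof(wchar_t)) {
        cb = sizeof(cmdline) - sizeof(wchar_t);
    }
    if (cb == 0) {
        return;
    }
    if (!ReadProcessMemory(hProcess, params.CommandLine.Buffer, cmdline, cb, &read)) {
        return;
    }
    cmdline[read / sizeof(wchar_t)] = L'\0';
    wprintf(L" (2) PID %08lx: %s\n", processID, cmdline);
}

// List every process from a Toolhelp snapshot: one line per process with the
// image name, PID and thread count, then the full module path and the
// command line for processes this program is allowed to open.
//
// Processes that cannot be opened (other users', protected) get only the
// snapshot line. The process handle is closed on every path; the original
// `continue`d past CloseHandle when EnumProcessModules failed and leaked it.
void dops2()
{
    HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE) {
        _tprintf(_T("CreateToolhelp32Snapshot failed with %u.\n"), GetLastError());
        return;
    }

    // Column order matches the rows printed in the loop below.
    _tprintf(_T("%-16s %4s %s\n"), _T("Name"), _T("PID"), _T("Threads"));

    PROCESSENTRY32 pe32;
    ZeroMemory(&pe32, sizeof(pe32));
    pe32.dwSize = sizeof(PROCESSENTRY32);   // must be set before Process32First

    if (Process32First(hProcessSnap, &pe32)) {
        do {
            // chara2wchara takes a char string, so this assumes PROCESSENTRY32
            // is the ANSI variant (UNICODE not defined), as the original did.
            WCHAR *wszExeFile = chara2wchara(pe32.szExeFile);
            _tprintf(_T("%-16s %4u %u \n"), wszExeFile, pe32.th32ProcessID, pe32.cntThreads);
            delete[] wszExeFile;   // delete[] of NULL is a no-op

            HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
                                          FALSE, pe32.th32ProcessID);
            if (hProcess == NULL) {
                continue;
            }

            HMODULE hMod = NULL;
            DWORD cbNeeded = 0;
            if (EnumProcessModules(hProcess, &hMod, sizeof(hMod), &cbNeeded)) {
                // nSize is a character count; a TCHAR string prints directly
                // with _tprintf and needs no conversion.
                TCHAR szProcessName[MAX_PATH] = TEXT("<unknown>");
                GetModuleFileNameEx(hProcess, hMod, szProcessName,
                                    sizeof(szProcessName) / sizeof(TCHAR));
                _tprintf(_T(" (1) %s\n"), szProcessName);
                PrintCommandLine(hProcess, pe32.th32ProcessID);
            }
            CloseHandle(hProcess);
        } while (Process32Next(hProcessSnap, &pe32));
    }
    CloseHandle(hProcessSnap);
}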
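// Enumerate process IDs with EnumProcesses and print name/PID for each.
//
// EnumProcesses takes and returns BYTE counts: cb is sizeof(processIds) and
// nret is the number of bytes written, so the PID count is
// nret / sizeof(DWORD). The original passed NPROCS as the byte count and
// looped up to nret as if it were an element count, printing uninitialized
// array slots. If the array is too small the list is silently truncated;
// enlarging NPROCS is the only remedy with this API.
void dops()
{
    DWORD processIds[NPROCS];
    DWORD nret = 0;
    if (!EnumProcesses(processIds, sizeof(processIds), &nret)) {
        _tprintf(_T("EnumProcesses failed.\n"));
        reportError();
        return;
    }
    const DWORD count = nret / sizeof(DWORD);
    printf("Returned %lu process ids\n", count);
    for (DWORD i = 0; i < count; i++) {
        PrintProcessNameAndID(processIds[i]);
    }
}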
// Entry point: switch the C runtime to the user's locale so _tprintf can
// render non-ASCII names, then run the Toolhelp-based listing.
int main(int argc, char *argv[])
{
    (void)argc;   // no command-line options are supported
    (void)argv;
    _tsetlocale(LC_ALL, _T(""));
    dops2();
    return 0;
}