|
|
/*++
Copyright (c) 1994-1998 Microsoft Corporation
Module Name:
tlist.c
Abstract:
This module implements a task list application.
Author:
Wesley Witt (wesw) 20-May-1994 Mike Sartain (mikesart) 28-Oct-1994 Added detailed task information Julian Jiggins (julianj) 19-Mar-1998 Added list processes using specific module feature Shaun Cox (shaunco) 9-Jul-1998 Display services running in processes
Environment:
User Mode
--*/
#include "pch.h"
#pragma hdrstop
#include <dbghelp.h>
#include "psapi.h"
#include <tchar.h>
#define BAD_PID ((DWORD)-1)
DWORD numTasks;TASK_LIST tlist[MAX_TASKS];BOOL fShowServices;BOOL fShowMtsPackages;BOOL fShowSessionIds;BOOL fShowCommandLines;
const char *Blanks = " ";
VOID Usage(VOID);VOID PrintThreadInfo(PTASK_LIST pTaskList);BOOL FMatchTaskName(LPTSTR szPN, LPTSTR szWindowTitle, LPTSTR szProcessName);VOID GetFirstPidWithName(LPTSTR szTask);
VOIDPrintTask( DWORD i ){ BOOL NameShown = FALSE;
if (fShowSessionIds) { printf("%2d ", tlist[i].SessionId); } printf( "%4d %-15s ", tlist[i].dwProcessId, tlist[i].ProcessName );
if (fShowServices && tlist[i].ServiceNames[0]) { printf( "Svcs: %s", tlist[i].ServiceNames); NameShown = TRUE; }
if (fShowMtsPackages && tlist[i].MtsPackageNames[0]) { printf( "%sMts: %s", NameShown ? " " : "", tlist[i].MtsPackageNames); NameShown = TRUE; }
if (!NameShown && tlist[i].hwnd) { if (fShowServices || fShowMtsPackages) { printf( "Title: %s", tlist[i].WindowTitle ); } else { printf( " %s", tlist[i].WindowTitle ); } }
printf( "\n" );
if (fShowCommandLines) { printf(" Command Line: %s\n", tlist[i].CommandLine); }}
VOIDPrintTaskTree( DWORD level, DWORD id ){ DWORD i;
DetectOrphans( tlist, numTasks ); for (i=0; i<numTasks; i++) { if (tlist[i].flags) { continue; }
// NOTE: The format of the output below should stay fixed forever. There are tools
// at MS that depend on it.
if (level == 0 || tlist[i].dwInheritedFromProcessId == id) { printf( "%.*s", level*2, Blanks ); printf( "%s (%d)", tlist[i].ProcessName, tlist[i].dwProcessId ); if (tlist[i].hwnd) { printf( " %s", tlist[i].WindowTitle ); } printf( "\n" ); tlist[i].flags = TRUE; if (tlist[i].dwProcessId != 0) { PrintTaskTree( level+1, tlist[i].dwProcessId ); } } }}
int __cdeclmain( int argc, char *argv[] )
/*++
Routine Description:
Main entrypoint for the TLIST application. This app prints a task list to stdout. The task list include the process id, task name, ant the window title.
Arguments:
argc - argument count argv - array of pointers to arguments
Return Value:
0 - success
--*/
{ DWORD i; TASK_LIST_ENUM te; BOOL fTree; BOOL fFindTasksUsingModule; BOOL fPidOnly = FALSE; DWORD cchPN = 0; LPSTR szPN = NULL; DWORD dwPID = BAD_PID; DWORD dwNumServices = 0; LPENUM_SERVICE_STATUS_PROCESS pServiceInfo = NULL;
if (argc > 1 && (argv[1][0] == '-' || argv[1][0] == '/') && argv[1][1] == '?') { Usage(); }
fTree = FALSE; fFindTasksUsingModule = FALSE; if (argc > 1) { if ((argv[1][0] == '-' || argv[1][0] == '/') && (argv[1][1] == 't' || argv[1][1] == 'T')) { fTree = TRUE; } else if ((argv[1][0] == '-' || argv[1][0] == '/') && (argv[1][1] == 's' || argv[1][1] == 'S')) { fShowServices = TRUE; } else if ((argv[1][0] == '-' || argv[1][0] == '/') && (argv[1][1] == 'k' || argv[1][1] == 'K')) { fShowMtsPackages = TRUE; } else if ((argv[1][0] == '-' || argv[1][0] == '/') && (argv[1][1] == 'e' || argv[1][1] == 'E')) { fShowSessionIds = TRUE; } else if ((argv[1][0] == '-' || argv[1][0] == '/') && (argv[1][1] == 'c' || argv[1][1] == 'C')) { fShowCommandLines = TRUE; } else if ((argv[1][0] == '-' || argv[1][0] == '/') && (argv[1][1] == 'v' || argv[1][1] == 'V')) { fShowServices = TRUE; fShowMtsPackages = TRUE; fShowSessionIds = TRUE; fShowCommandLines = TRUE; } else if ((argv[1][0] == '-' || argv[1][0] == '/') && (argv[1][1] == 'p' || argv[1][1] == 'P') && argc == 3) { _strlwr(argv[2]); if (!strcmp(argv[2], "system process")) { printf("0\n"); return 0; } fPidOnly = TRUE; } else if ((argv[1][0] == '-' || argv[1][0] == '/') && (argv[1][1] == 'p' || argv[1][1] == 'P') && argc == 4) { _strlwr(argv[2]); if (!strcmp(argv[2], "system")) { _strlwr(argv[3]); if (!strcmp(argv[3], "process")) { printf("0\n"); return 0; } } Usage(); } else if ((argv[1][0] == '-' || argv[1][0] == '/') && (argv[1][1] == 'm' || argv[1][1] == 'M') && argc == 3) { fFindTasksUsingModule = TRUE; } else { szPN = argv[1]; if (!(dwPID = atol(szPN)) && szPN[0] != '0' && szPN[1] != 0) { dwPID = BAD_PID; cchPN = strlen(szPN); _strupr(szPN); } } }
//
// lets be god
//
EnableDebugPriv();
//
// Include 32bit modules in enumeration
//
{ DWORD SymOpt = SymGetOptions(); SymOpt |= SYMOPT_INCLUDE_32BIT_MODULES; SymSetOptions(SYMOPT_INCLUDE_32BIT_MODULES); }
//
// get the task list for the system
//
//
// Get the process information for all active Win32 services.
// This allows us to print the service names next to the processes
// that host them.
//
dwNumServices = GetServiceProcessInfo( &pServiceInfo );
numTasks = GetTaskListEx( tlist, MAX_TASKS, cchPN || (dwPID != BAD_PID), dwNumServices, pServiceInfo);
free( pServiceInfo );
if (fShowMtsPackages) { AddMtsPackageNames(tlist, numTasks); } if (fShowCommandLines) { AddCommandLines(tlist, numTasks); } //
// enumerate all windows and try to get the window
// titles for each task
//
te.tlist = tlist; te.numtasks = numTasks; GetWindowTitles( &te );
//
// print the task list
//
if (fTree) { PrintTaskTree( 0, 0 ); } else if (fFindTasksUsingModule) { PrintTasksUsingModule(argv[2]); } else if (fPidOnly) { GetFirstPidWithName(argv[2]); } else { for (i=0; i<numTasks; i++) { if ((dwPID == BAD_PID) && (!cchPN)) { PrintTask( i ); } else if ((dwPID == tlist[i].dwProcessId) || (cchPN && FMatchTaskName(szPN, tlist[i].WindowTitle, tlist[i].ProcessName))) { PrintTask( i ); PrintThreadInfo(tlist + i); }
if (tlist[i].pThreadInfo) { free(tlist[i].pThreadInfo); } } }
//
// end of program
//
return 0;}
VOIDGetFirstPidWithName( LPTSTR szTask )/*++
Routine Description:
Returns the PID of the first task with a Name matching the specified Name. IF no task is found -1 is returnedArguments:
szTask - module name to search for
--*/{ DWORD i; TCHAR szPName[PROCESS_SIZE + 1]; TCHAR szNameWExe[PROCESS_SIZE + 1] = {0};
_tcsncat(szNameWExe, szTask, (sizeof(szNameWExe)/sizeof(szNameWExe[0]))-1); _tcsncat(szNameWExe, ".exe", (sizeof(szNameWExe)/sizeof(szNameWExe[0]))-_tcslen(szNameWExe)-1);
for (i=0; i<numTasks; i++) { ZeroMemory(szPName, sizeof(szPName)); _tcsncat(szPName, tlist[i].ProcessName, (sizeof(szPName)/sizeof(szPName[0]))-1); _tcslwr(szPName);
if ((!_tcscmp(szPName, szTask))||(!_tcscmp(szPName, szNameWExe))) { if (tlist[i].dwProcessId != 0) { printf("%d\n", tlist[i].dwProcessId); return; } } } printf("-1\n");}
VOIDUsage( VOID )
/*++
Routine Description:
Prints usage text for this tool.
Arguments:
None.
Return Value:
None.
--*/
{ fprintf( stderr, "Microsoft (R) Windows NT (TM) Version 5.1 TLIST\n" VER_LEGALCOPYRIGHT_STR "\n\n" "usage: TLIST" " <<-m <pattern>> | <-t> | <pid> | <pattern> | <-p <processname>>> | <-k> | <-s>\n" " [options]:\n" " -t\n" " Print Task Tree\n\n" " <pid>\n" " List module information for this task.\n\n" " <pattern>\n" " The pattern can be a complete task\n" " name or a regular expression pattern\n" " to use as a match. Tlist matches the\n" " supplied pattern against the task names\n" " and the window titles.\n\n" " -c\n" " Show command lines for each process\n\n" " -e\n" " Show session IDs for each process\n\n" " -k\n" " Show MTS packages active in each process.\n\n" " -m <pattern>\n" " Lists all tasks that have DLL modules loaded\n" " in them that match the given pattern name\n\n" " -s\n" " Show services active in each process.\n\n" " -p <processname>\n" " Returns the PID of the process specified or -1\n" " if the specified process doesn't exist. If there\n" " are multiple instances of the process running only\n" " the instance with the first PID value is returned.\n\n" " -v\n" " Show all process information\n\n" ); ExitProcess(0);}
//
// Routines used to list all processes that have a specific module in use
//
BOOLFindSpecificModuleCallback( LPSTR Name, DWORD_PTR Base, DWORD Size, PVOID Context )
/*++
Routine Description:
Callback function for module enumeration to find a specific module
Arguments:
Name - Module name Base - Base address Size - Size of image Context - User context pointer
Return Value:
TRUE - Continue enumeration FALSE - Stop enumeration
--*/
{ PFIND_MODULE_INFO pFindModuleInfo;
pFindModuleInfo = (PFIND_MODULE_INFO)Context;
if (MatchPattern(Name, pFindModuleInfo->szModuleToFind)) { pFindModuleInfo->fFound = TRUE; strcpy(pFindModuleInfo->szMatchingModuleName, Name); return FALSE; // Found Module so stop enumerating
}
return TRUE;}
BOOLIsTaskUsingModule( PTASK_LIST pTask, LPTSTR szModuleName, LPTSTR szMatchingModuleName )
/*++
Routine Description:
Checks if the given task has the given module loaded
Arguments:
pTaskList - task to search for module szModule - module name to search for
Return Value:
TRUE - if the module is loaded in the task FALSE - if the module is not loaded in the task
--*/
{ FIND_MODULE_INFO FindModuleInfo;
FindModuleInfo.fFound = FALSE; FindModuleInfo.szModuleToFind = szModuleName; FindModuleInfo.szMatchingModuleName = szMatchingModuleName;
EnumerateLoadedModules( (HANDLE) UlongToPtr(pTask->dwProcessId), FindSpecificModuleCallback, &FindModuleInfo );
return FindModuleInfo.fFound;}
voidPrintTasksUsingModule( LPTSTR szModuleName )
/*++
Routine Description:
Enumerates through all the tasks in the system looking for those that have loaded modules of the given name.
Arguments:
szModule - module name to search for
Return Value:
None
--*/
{ BOOL fUsed = FALSE; DWORD i; CHAR szMatchingModuleName[64];
_strupr(szModuleName); // Needed for wildcarding
for (i=0; i<numTasks; i++) { if (IsTaskUsingModule(tlist + i, szModuleName, szMatchingModuleName)) { printf("%s - ", szMatchingModuleName); PrintTask( i ); fUsed = TRUE; } } if (!fUsed) { printf( "No tasks found using %s\n", szModuleName ); }}
BOOLGetVersionStuff( LPTSTR szFileName, VS_FIXEDFILEINFO *pvsRet )
/*++
Routine Description:
Get fixedfileinfo for szFileName.
Arguments:
szFileName - name of file pvsRet - fixedfileinfo return struct
Return Value:
TRUE - success FALSE - failure
--*/
{ DWORD dwHandle; DWORD dwLength; BOOL fRet = FALSE; LPVOID lpvData = NULL;
if (!(dwLength = GetFileVersionInfoSize(szFileName, &dwHandle))) { goto err; }
if (lpvData = malloc(dwLength)) { if (GetFileVersionInfo(szFileName, 0, dwLength, lpvData)) {
UINT uLen; VS_FIXEDFILEINFO *pvs; DWORD *pdwTranslation; DWORD dwDefLang = 0x409;
if (!VerQueryValue(lpvData, "\\VarFileInfo\\Translation", &pdwTranslation, &uLen)) { // if we can't get the langid, default to usa
pdwTranslation = &dwDefLang; uLen = sizeof(DWORD); }
if (VerQueryValue(lpvData, "\\", (LPVOID *)&pvs, &uLen)) { *pvsRet = *pvs; fRet = TRUE; } } }
err: if (lpvData) free(lpvData); return fRet;}
BOOLEnumLoadedModulesCallback( LPSTR Name, DWORD_PTR Base, DWORD Size, PVOID Context )
/*++
Routine Description:
Callback function for module enumeration
Arguments:
Name - Module name Base - Base address Size - Size of image Context - User context pointer
Return Value:
TRUE - Continue enumeration FALSE - Stop enumeration
--*/
{ VS_FIXEDFILEINFO vs; CHAR szBuffer[100];
szBuffer[0] = 0; if (GetVersionStuff( Name, &vs )) { sprintf( szBuffer, "%u.%u.%u.%u %s", HIWORD(vs.dwFileVersionMS), LOWORD(vs.dwFileVersionMS), HIWORD(vs.dwFileVersionLS), LOWORD(vs.dwFileVersionLS), vs.dwFileFlags & VS_FF_DEBUG ? "dbg" : "shp" ); } printf( " %18.18s 0x%p %s\n", szBuffer, (void *)Base, Name ); return TRUE;}
BOOLPrintModuleList( ULONG ProcessId )
/*++
Routine Description:
Prints list of modules in ProcessId
Arguments:
ProcessID - process id
Return Value:
TRUE - success FALSE - failure
--*/
{ EnumerateLoadedModules( (HANDLE) UlongToPtr(ProcessId), EnumLoadedModulesCallback, NULL ); return TRUE;}
DWORDGetWin32StartAddress( HANDLE hThread )
/*++
Routine Description:
Get starting address for thread
Arguments:
hThread
Return Value:
Starting Thread address or 0
--*/
{ NTSTATUS Status; DWORD ThreadInformation;
// make sure we have a handle
if (!hThread) return 0;
// get the threadinfo
Status = NtQueryInformationThread(hThread, ThreadQuerySetWin32StartAddress, &ThreadInformation, sizeof(ThreadInformation), NULL); if (!NT_SUCCESS(Status)) return 0;
return ThreadInformation;}
ULONGGetLastThreadErr( HANDLE hThread )
/*++
Routine Description:
Get Last Error for a Thread
Arguments:
hThread
Return Value:
LastError or 0
--*/
{ TEB Teb; NTSTATUS Status; HANDLE hProcess; ULONG LastErrorValue; THREAD_BASIC_INFORMATION ThreadInformation;
// make sure we have a handle
if (!hThread) return 0;
// query for basic thread info
Status = NtQueryInformationThread(hThread, ThreadBasicInformation, &ThreadInformation, sizeof(ThreadInformation), NULL); if (!NT_SUCCESS(Status)) return 0;
// get handle to process
if (!(hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, (DWORD)(DWORD_PTR)ThreadInformation.ClientId.UniqueProcess))) { return 0; }
__try { // read the TEB from the process and get the last error value
if (ReadProcessMemory(hProcess, ThreadInformation.TebBaseAddress, &Teb, sizeof(TEB), NULL)) { LastErrorValue = Teb.LastErrorValue; } } __except(EXCEPTION_EXECUTE_HANDLER) { }
// close the hProcess
CloseHandle(hProcess);
return LastErrorValue;}
BOOLFPrintPEBInfo( HANDLE hProcess )
/*++
Routine Description:
Prints cmdline and cwd of hProcess
Arguments:
hProcess.
Return Value:
TRUE - success FALSE - failure
--*/
{ PEB Peb; NTSTATUS Status; PROCESS_BASIC_INFORMATION BasicInfo; BOOL fRet = FALSE; WCHAR szT[MAX_PATH * 2]; RTL_USER_PROCESS_PARAMETERS ProcessParameters;
Status = NtQueryInformationProcess(hProcess, ProcessBasicInformation, &BasicInfo, sizeof(BasicInfo), NULL); if (!NT_SUCCESS(Status)) { SetLastError(RtlNtStatusToDosError(Status)); return fRet; }
__try { // get the PEB
if (ReadProcessMemory(hProcess, BasicInfo.PebBaseAddress, &Peb, sizeof(PEB), NULL)) { // get the processparameters
if (ReadProcessMemory(hProcess, Peb.ProcessParameters, &ProcessParameters, sizeof(ProcessParameters), NULL)) { // get the CWD
if (ReadProcessMemory(hProcess, ProcessParameters.CurrentDirectory.DosPath.Buffer, szT, sizeof(szT), NULL)) { wprintf(L" CWD: %s\n", szT); }
// get cmdline
if (ReadProcessMemory(hProcess, ProcessParameters.CommandLine.Buffer, szT, sizeof(szT), NULL)) { wprintf(L" CmdLine: %s\n", szT); }
fRet = TRUE; } } } __except(EXCEPTION_EXECUTE_HANDLER) { }
return fRet;}
// copied from the win32 API code since we need to run on NT 4 and this is a
// new API to NT 5
HANDLETlistOpenThread( DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwThreadId )
/*++
Routine Description:
A handle to a thread object may be created using OpenThread.
Opening a thread creates a handle to the specified thread. Associated with the thread handle is a set of access rights that may be performed using the thread handle. The caller specifies the desired access to the thread using the DesiredAccess parameter.
Arguments:
mDesiredAccess - Supplies the desired access to the thread object. For NT/Win32, this access is checked against any security descriptor on the target thread. The following object type specific access flags can be specified in addition to the STANDARD_RIGHTS_REQUIRED access flags.
DesiredAccess Flags:
THREAD_TERMINATE - This access is required to terminate the thread using TerminateThread.
THREAD_SUSPEND_RESUME - This access is required to suspend and resume the thread using SuspendThread and ResumeThread.
THREAD_GET_CONTEXT - This access is required to use the GetThreadContext API on a thread object.
THREAD_SET_CONTEXT - This access is required to use the SetThreadContext API on a thread object.
THREAD_SET_INFORMATION - This access is required to set certain information in the thread object.
THREAD_SET_THREAD_TOKEN - This access is required to set the thread token using SetTokenInformation.
THREAD_QUERY_INFORMATION - This access is required to read certain information from the thread object.
SYNCHRONIZE - This access is required to wait on a thread object.
THREAD_ALL_ACCESS - This set of access flags specifies all of the possible access flags for a thread object.
bInheritHandle - Supplies a flag that indicates whether or not the returned handle is to be inherited by a new process during process creation. A value of TRUE indicates that the new process will inherit the handle.
dwThreadId - Supplies the thread id of the thread to open.
Return Value:
NON-NULL - Returns an open handle to the specified thread. The handle may be used by the calling process in any API that requires a handle to a thread. If the open is successful, the handle is granted access to the thread object only to the extent that it requested access through the DesiredAccess parameter.
NULL - The operation failed. Extended error status is available using GetLastError.
--*/
{ NTSTATUS Status; OBJECT_ATTRIBUTES Obja; HANDLE Handle; CLIENT_ID ClientId;
ClientId.UniqueThread = (HANDLE)LongToHandle(dwThreadId); ClientId.UniqueProcess = (HANDLE)NULL;
InitializeObjectAttributes( &Obja, NULL, (bInheritHandle ? OBJ_INHERIT : 0), NULL, NULL ); Status = NtOpenThread( &Handle, (ACCESS_MASK)dwDesiredAccess, &Obja, &ClientId ); if ( NT_SUCCESS(Status) ) { return Handle; } else { return NULL; }}
VOIDPrintThreadInfo( PTASK_LIST pTaskList )
/*++
Routine Description:
Prints all kinds of info about a task
Arguments:
PTASK_LIST of task to print
Return Value:
None.
--*/
{ UINT nThread; HANDLE hProcess;
// from \\kernel\razzle2\src\ntos\inc\ke.h
#define MAX_THREADSTATE (sizeof(szThreadState) / sizeof(TCHAR *))
static const TCHAR *szThreadState[] = { "Initialized", "Ready ", "Running ", "Standby ", "Terminated", "Waiting ", "Transition", "??? " };
// get a handle to the process
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pTaskList->dwProcessId); if (!hProcess) return;
// print the CWD and CmdLine
FPrintPEBInfo(hProcess);
printf( " VirtualSize: %6ld KB" " PeakVirtualSize: %6ld KB\n", pTaskList->VirtualSize / 1024, pTaskList->PeakVirtualSize / 1024);
printf( " WorkingSetSize:%6ld KB" " PeakWorkingSetSize:%6ld KB\n", pTaskList->WorkingSetSize / 1024, pTaskList->PeakWorkingSetSize / 1024);
printf( " NumberOfThreads: %ld\n", pTaskList->NumberOfThreads);
// if we got any threadinfo, spit it out
if (pTaskList->pThreadInfo) { for (nThread = 0; nThread < pTaskList->NumberOfThreads; nThread++) {
PTHREAD_INFO pThreadInfo = &pTaskList->pThreadInfo[nThread]; HANDLE hThread = TlistOpenThread(THREAD_QUERY_INFORMATION, FALSE, (DWORD)(DWORD_PTR)pThreadInfo->UniqueThread);
printf(" %4d Win32StartAddr:0x%08x LastErr:0x%08x State:%s\n", HandleToUlong(pThreadInfo->UniqueThread), GetWin32StartAddress(hThread), GetLastThreadErr(hThread), szThreadState[min(pThreadInfo->ThreadState, MAX_THREADSTATE - 1)]);
if (hThread) NtClose(hThread); } }
// print the modules
PrintModuleList( pTaskList->dwProcessId );
// close the hProcess
CloseHandle(hProcess);}
BOOLFMatchTaskName( LPTSTR szPN, LPTSTR szWindowTitle, LPTSTR szProcessName ){ LPTSTR szT; TCHAR szTName[PROCESS_SIZE]= {0};
_tcsncat( szTName, szProcessName, (sizeof(szTName)/sizeof(szTName[0]))-1 ); if (szT = _tcschr( szTName, _T('.') )) szT[0] = _T('\0');
if (MatchPattern( szTName, szPN ) || MatchPattern( szProcessName, szPN ) || MatchPattern( szWindowTitle, szPN )) { return TRUE; }
return FALSE;}
|
