Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

2958 lines
85 KiB

  1. /*++
  2. Copyright (c) 1989 Microsoft Corporation
  3. Module Name:
  4. vadump.c
  5. Abstract:
  6. This module contains the routines to dump the virtual address space
  7. of a process.
  8. Author:
  9. Lou Perazzoli (loup) 22-May-1989
  10. Landy Wang (landyw) 02-June-1997
  11. Revision History:
  12. --*/
  13. #include <assert.h>
  14. #include <stdlib.h>
  15. #include <stdio.h>
  16. #include <string.h>
  17. #include <memory.h>
  18. #include <search.h>
  19. #include <ntos.h>
  20. #include <nturtl.h>
  21. #include <windows.h>
  22. #include <heap.h>
  23. #include <dbghelp.h>
  24. #include "psapi.h"
  25. #define SYM_HANDLE INVALID_HANDLE_VALUE
  26. #define DEFAULT_INCR (64*1024)
  27. #define P2KB(x) (((x) * SystemInfo.dwPageSize) / 1024)
  28. #define MAX_SYMNAME_SIZE 1024
  29. CHAR symBuffer[sizeof(IMAGEHLP_SYMBOL)+MAX_SYMNAME_SIZE];
  30. PIMAGEHLP_SYMBOL ThisSymbol;
  31. ULONG_PTR SystemRangeStart;
  32. LIST_ENTRY VaList;
  33. ULONG_PTR ProcessId;
  34. PCHAR ExeName;
  35. ULONG_PTR IsSystemWithShareCount = 0;
  36. ULONG_PTR PageSize;
  37. ULONG_PTR PtesPerPage;
  38. ULONG_PTR PteWidth;
  39. PVOID PteBase;
  40. PVOID UserPteMax;
  41. ULONG_PTR VaMappedByPageTable;
  42. #define IS_USER_PAGE_TABLE_PAGE(Va) (((PVOID)(Va) >= PteBase) && ((PVOID)(Va) < UserPteMax))
  43. SYSTEM_INFO SystemInfo;
  44. typedef struct _VAINFO {
  45. LIST_ENTRY Links;
  46. LIST_ENTRY AllocationBaseHead;
  47. MEMORY_BASIC_INFORMATION BasicInfo;
  48. } VAINFO, *PVAINFO;
  49. PVAINFO LastAllocationBase;
  50. SIZE_T ReservedBytes;
  51. SIZE_T FreeBytes;
  52. SIZE_T ImageReservedBytes;
  53. SIZE_T ImageFreeBytes;
  54. SIZE_T Displacement;
  55. #define OPTIONS_CODE_TOO 0x1
  56. #define OPTIONS_RAW_SYMBOLS 0x2
  57. #define OPTIONS_VERBOSE 0x4
  58. #define OPTIONS_WORKING_SET 0x8
  59. #define OPTIONS_WORKING_SET_OLD 0x10
  60. #define OPTIONS_PAGE_TABLES 0x20
  61. ULONG Options;
  62. BOOLEAN fSummary = FALSE;
  63. BOOLEAN fFast = FALSE;
  64. BOOLEAN fRunning = FALSE;
  65. #define NOACCESS 0
  66. #define READONLY 1
  67. #define READWRITE 2
  68. #define WRITECOPY 3
  69. #define EXECUTE 4
  70. #define EXECUTEREAD 5
  71. #define EXECUTEREADWRITE 6
  72. #define EXECUTEWRITECOPY 7
  73. #define MAXPROTECT 8
  74. ULONG_PTR ImageCommit[MAXPROTECT];
  75. ULONG_PTR MappedCommit[MAXPROTECT];
  76. ULONG_PTR PrivateCommit[MAXPROTECT];
  77. CHAR LogFileName[256];
  78. FILE *LogFile;
  79. BOOL InCtrlc = FALSE;
  80. typedef struct _WSINFOCOUNTS {
  81. ULONG_PTR FaultingPc;
  82. ULONG Faults;
  83. } WSINFOCOUNTS, *PWSINFOCOUNTS;
  84. typedef struct _MODINFO {
  85. PVOID BaseAddress;
  86. ULONG VirtualSize;
  87. LPSTR Name;
  88. ULONG_PTR CommitVector[MAXPROTECT];
  89. ULONG WsHits;
  90. ULONG WsSharedHits;
  91. ULONG WsPrivateHits;
  92. BOOL SymbolsLoaded;
  93. } MODINFO, *PMODINFO;
  94. #define MODINFO_SIZE 100
  95. ULONG ModInfoMax;
  96. MODINFO ModInfo[MODINFO_SIZE];
  97. BOOLEAN bHitModuleMax = FALSE;
  98. typedef struct _SYSTEM_PAGE {
  99. ULONG_PTR Va;
  100. PVOID BaseAddress;
  101. ULONG ResidentPages;
  102. } SYSTEM_PAGE, *PSYSTEM_PAGE;
  103. //
  104. // room for 4 million pagefaults
  105. //
  106. #define MAX_RUNNING_WORKING_SET_BUFFER (4*1024*1024)
  107. ULONG_PTR RunningWorkingSetBuffer[MAX_RUNNING_WORKING_SET_BUFFER];
  108. LONG CurrentWsIndex;
  109. #define INITIAL_WORKING_SET_BLOCK_ENTRYS 4000
  110. PMEMORY_WORKING_SET_INFORMATION WorkingSetInfo;
  111. #define WORKING_SET_BUFFER_ENTRYS 64*1024
  112. PROCESS_WS_WATCH_INFORMATION NewWorkingSetBuffer[WORKING_SET_BUFFER_ENTRYS];
  113. const PCHAR ProtectTable[] = {
  114. "NoAccess",
  115. "ReadOnly",
  116. "Execute",
  117. "ExecuteRead",
  118. "ReadWrite",
  119. "WriteCopy",
  120. "ExecuteReadWrite",
  121. "ExecuteWriteCopy",
  122. "NoAccess",
  123. "ReadOnly Nocache",
  124. "Execute Nocache",
  125. "ExecuteRead Nocache",
  126. "ReadWrite Nocache",
  127. "WriteCopy Nocache",
  128. "ExecuteReadWrite Nocache",
  129. "ExecuteWriteCopy Nocache",
  130. "NoAccess",
  131. "ReadOnly Guard",
  132. "Execute Guard",
  133. "ExecuteRead Guard",
  134. "ReadWrite Guard",
  135. "WriteCopy Guard",
  136. "ExecuteReadWrite Guard",
  137. "ExecuteWriteCopy Guard",
  138. "NoAccess",
  139. "ReadOnly Nocache Guard",
  140. "Execute Nocache Guard",
  141. "ExecuteRead Nocache Guard",
  142. "ReadWrite Nocache Guard",
  143. "WriteCopy Nocache Guard",
  144. "ExecuteReadWrite Nocache Guard",
  145. "ExecuteWriteCopy Nocache Guard"
  146. };
  147. const PCHAR SharedTable[] = {
  148. " ",
  149. "Shared" };
  150. LIST_ENTRY LoadedHeapList;
  151. int UnknownHeapCount = 0;
  152. typedef struct _LOADED_HEAP_SEGMENT {
  153. PVOID BaseVa;
  154. ULONG Length;
  155. ULONG HitsFromThisSegment;
  156. } LOADED_HEAP_SEGMENT, *PLOADED_HEAP_SEGMENT;
  157. typedef struct _LOADED_HEAP {
  158. LIST_ENTRY HeapsList;
  159. LPSTR HeapName;
  160. ULONG HitsFromThisHeap;
  161. PVOID HeapAddress;
  162. ULONG HeapClass;
  163. LOADED_HEAP_SEGMENT Segments[ HEAP_MAXIMUM_SEGMENTS ];
  164. } LOADED_HEAP, *PLOADED_HEAP;
  165. typedef struct _LOADED_THREAD {
  166. HANDLE ThreadID;
  167. PBYTE ThreadTEB;
  168. PBYTE StackBase;
  169. PBYTE StackEnd;
  170. ULONG HitsFromThisStack;
  171. } LOADED_THREAD, *PLOADED_THREAD;
  172. ULONG NumberOfThreads = 0;
  173. PLOADED_THREAD TheThreads;
  174. LOGICAL
  175. SetCurrentPrivilege(
  176. IN LPCTSTR Privilege, // Privilege to enable/disable
  177. IN OUT BOOL *bEnablePrivilege // to enable or disable privilege
  178. );
  179. VOID
  180. Usage(
  181. VOID
  182. );
  183. void
  184. ConvertAppToOem (
  185. IN unsigned argc,
  186. IN char* argv[]
  187. )
  188. /*++
  189. Routine Description:
  190. Converts the command line from ANSI to OEM, and force the app
  191. to use OEM APIs.
  192. Arguments:
  193. argc - Standard C argument count.
  194. argv - Standard C argument strings.
  195. Return Value:
  196. None.
  197. --*/
  198. {
  199. ULONG i;
  200. LPSTR pSrc;
  201. LPSTR pDst;
  202. WCHAR Wide;
  203. for (i = 0; i < argc; i += 1) {
  204. pSrc = argv[i];
  205. pDst = argv[i];
  206. do {
  207. //
  208. // Convert Ansi to Unicode and then to OEM.
  209. //
  210. MultiByteToWideChar (CP_ACP,
  211. MB_PRECOMPOSED,
  212. pSrc++,
  213. 1,
  214. &Wide,
  215. 1);
  216. WideCharToMultiByte (CP_OEMCP,
  217. 0,
  218. &Wide,
  219. 1,
  220. pDst++,
  221. 1,
  222. "_",
  223. NULL);
  224. } while (*pSrc);
  225. }
  226. SetFileApisToOEM ();
  227. }
  228. BOOLEAN
  229. FindAndIncHeapContainingThisVa (
  230. IN PVOID Va,
  231. IN ULONG ShareCount
  232. )
  233. {
  234. PLIST_ENTRY Next;
  235. PLOADED_HEAP pHeap;
  236. PLOADED_HEAP_SEGMENT Segment;
  237. PLOADED_HEAP_SEGMENT LastSegment;
  238. Next = LoadedHeapList.Flink;
  239. while (Next != &LoadedHeapList) {
  240. pHeap = CONTAINING_RECORD(Next, LOADED_HEAP, HeapsList);
  241. Segment = pHeap->Segments;
  242. LastSegment = Segment + HEAP_MAXIMUM_SEGMENTS;
  243. Next = Next->Flink;
  244. while (Segment < LastSegment) {
  245. if (Segment->BaseVa == NULL) {
  246. break;
  247. }
  248. if ((Va > Segment->BaseVa) &&
  249. (Va < (PVOID)((ULONG_PTR)Segment->BaseVa + Segment->Length))) {
  250. pHeap->HitsFromThisHeap += 1;
  251. Segment->HitsFromThisSegment += 1;
  252. if (ShareCount > 1) {
  253. fprintf(stderr, "Error: Heap ShareCount > 1, 0x%p\n", Va);
  254. }
  255. if (!fSummary) {
  256. printf("0x%p ", Va);
  257. if (IsSystemWithShareCount) {
  258. printf("(%d) ", ShareCount);
  259. }
  260. printf("%s\n", pHeap->HeapName);
  261. }
  262. return TRUE;
  263. }
  264. Segment += 1;
  265. }
  266. }
  267. return FALSE;
  268. }
  269. VOID
  270. DumpLoadedHeap (
  271. IN PLOADED_HEAP LoadedHeap
  272. )
  273. {
  274. PLOADED_HEAP_SEGMENT Segment;
  275. PLOADED_HEAP_SEGMENT LastSegment;
  276. printf ("%4d pages from %s (class 0x%08x)\n",
  277. LoadedHeap->HitsFromThisHeap,
  278. LoadedHeap->HeapName,
  279. LoadedHeap->HeapClass);
  280. Segment = LoadedHeap->Segments;
  281. LastSegment = Segment + HEAP_MAXIMUM_SEGMENTS;
  282. while (Segment < LastSegment) {
  283. if (Segment->BaseVa == NULL) {
  284. break;
  285. }
  286. printf("\t0x%p - 0x%p %d pages\n",
  287. Segment->BaseVa,
  288. (ULONG_PTR)Segment->BaseVa + Segment->Length,
  289. Segment->HitsFromThisSegment);
  290. Segment += 1;
  291. }
  292. }
  293. VOID
  294. LoadTheHeaps (
  295. IN HANDLE Process
  296. )
  297. {
  298. HEAP TheHeap;
  299. PLOADED_HEAP LoadedHeap;
  300. PHEAP *ProcessHeaps;
  301. HEAP_SEGMENT TheSegment;
  302. BOOL b;
  303. ULONG cb, i, j;
  304. NTSTATUS Status;
  305. PROCESS_BASIC_INFORMATION ProcessInformation;
  306. PEB ThePeb;
  307. InitializeListHead (&LoadedHeapList);
  308. Status = NtQueryInformationProcess (Process,
  309. ProcessBasicInformation,
  310. &ProcessInformation,
  311. sizeof( ProcessInformation ),
  312. NULL);
  313. if (!NT_SUCCESS (Status)) {
  314. fprintf(stderr, "NtQueryInformationProcess for ProcessBasicInformation"
  315. " failed %lx\n", GetLastError());
  316. return;
  317. }
  318. //
  319. // Read the process's PEB.
  320. //
  321. b = ReadProcessMemory (Process,
  322. ProcessInformation.PebBaseAddress,
  323. &ThePeb,sizeof(ThePeb),
  324. NULL);
  325. if (!b) {
  326. return;
  327. }
  328. //
  329. // Allocate space for and read the array of process heap pointers.
  330. //
  331. cb = ThePeb.NumberOfHeaps * sizeof( PHEAP );
  332. ProcessHeaps = LocalAlloc(LMEM_ZEROINIT,cb);
  333. if (ProcessHeaps == NULL) {
  334. return;
  335. }
  336. b = ReadProcessMemory (Process,
  337. ThePeb.ProcessHeaps,
  338. ProcessHeaps,
  339. cb,
  340. NULL);
  341. if (b) {
  342. for (i = 0; i < ThePeb.NumberOfHeaps; i += 1) {
  343. //
  344. // Read the heap.
  345. //
  346. b = ReadProcessMemory (Process,
  347. ProcessHeaps[i],
  348. &TheHeap,
  349. sizeof(TheHeap),
  350. NULL);
  351. if (!b) {
  352. break;
  353. }
  354. //
  355. // We got the heap, now initialize our heap structure
  356. //
  357. LoadedHeap = LocalAlloc (LMEM_ZEROINIT, sizeof(*LoadedHeap));
  358. if (!LoadedHeap) {
  359. break;
  360. }
  361. LoadedHeap->HeapAddress = ProcessHeaps[i];
  362. LoadedHeap->HeapClass = TheHeap.Flags & HEAP_CLASS_MASK;
  363. switch ( LoadedHeap->HeapClass ) {
  364. case HEAP_CLASS_0:
  365. LoadedHeap->HeapName = "Process Heap";
  366. break;
  367. case HEAP_CLASS_1:
  368. LoadedHeap->HeapName = HeapAlloc(GetProcessHeap(),
  369. HEAP_ZERO_MEMORY,
  370. 16);
  371. if (LoadedHeap->HeapName) {
  372. sprintf(LoadedHeap->HeapName,
  373. "Private Heap %d",
  374. UnknownHeapCount++);
  375. } else {
  376. LoadedHeap->HeapName = "Private Heap";
  377. }
  378. break;
  379. case HEAP_CLASS_2:
  380. LoadedHeap->HeapName = "Kernel Heap";
  381. break;
  382. case HEAP_CLASS_3:
  383. LoadedHeap->HeapName = "GDI Heap";
  384. break;
  385. case HEAP_CLASS_4:
  386. LoadedHeap->HeapName = "User Heap";
  387. break;
  388. case HEAP_CLASS_5:
  389. LoadedHeap->HeapName = "Console Heap";
  390. break;
  391. case HEAP_CLASS_6:
  392. LoadedHeap->HeapName = "User Desktop Heap";
  393. break;
  394. case HEAP_CLASS_7:
  395. LoadedHeap->HeapName = "Csrss Shared Heap";
  396. break;
  397. default:
  398. LoadedHeap->HeapName = HeapAlloc(GetProcessHeap(),
  399. HEAP_ZERO_MEMORY,
  400. 16);
  401. if (LoadedHeap->HeapName) {
  402. sprintf(LoadedHeap->HeapName,
  403. "UNKNOWN Heap %d",
  404. UnknownHeapCount++);
  405. } else {
  406. LoadedHeap->HeapName = "UNKNOWN Heap";
  407. }
  408. break;
  409. }
  410. //
  411. // Now go through the heap segments to compute the
  412. // area covered by the heap.
  413. //
  414. for (j = 0; j < HEAP_MAXIMUM_SEGMENTS; j += 1) {
  415. if (!TheHeap.Segments[j]) {
  416. break;
  417. }
  418. b = ReadProcessMemory (Process,
  419. TheHeap.Segments[j],
  420. &TheSegment,
  421. sizeof(TheSegment),
  422. NULL);
  423. if (!b) {
  424. break;
  425. }
  426. LoadedHeap->Segments[j].BaseVa = TheSegment.BaseAddress;
  427. LoadedHeap->Segments[j].Length = TheSegment.NumberOfPages *
  428. SystemInfo.dwPageSize;
  429. }
  430. InsertTailList (&LoadedHeapList,&LoadedHeap->HeapsList);
  431. }
  432. }
  433. LocalFree (ProcessHeaps);
  434. return;
  435. }
  436. BOOLEAN
  437. FindAndIncStackContainingThisVa (
  438. IN PBYTE Va,
  439. IN ULONG ShareCount
  440. )
  441. {
  442. ULONG i;
  443. for (i = 0 ; i < NumberOfThreads ; i++) {
  444. if ((Va > TheThreads[i].StackBase) &&
  445. (Va < TheThreads[i].StackEnd)) {
  446. TheThreads[i].HitsFromThisStack++;
  447. if (ShareCount > 1) {
  448. fprintf(stderr, "Error: Stack ShareCount > 1, 0x%p\n", Va);
  449. }
  450. if (!fSummary) {
  451. printf("0x%p ", Va);
  452. if (IsSystemWithShareCount) {
  453. printf("(%d) ", ShareCount);
  454. }
  455. printf("Stack for ThreadID %p\n", TheThreads[i].ThreadID);
  456. }
  457. return TRUE;
  458. }
  459. }
  460. return FALSE;
  461. }
  462. VOID
  463. DumpLoadedStacks (
  464. VOID
  465. )
  466. {
  467. ULONG i;
  468. for (i = 0 ; i < NumberOfThreads ; i++) {
  469. printf("%4d pages from stack for thread %p\n",
  470. TheThreads[i].HitsFromThisStack,
  471. TheThreads[i].ThreadID);
  472. }
  473. return;
  474. }
  475. VOID
  476. LoadTheThreads (
  477. IN HANDLE Process,
  478. IN ULONG_PTR ProcessID
  479. )
  480. {
  481. BOOL b;
  482. ULONG i;
  483. NTSTATUS Status;
  484. PSYSTEM_PROCESS_INFORMATION ProcessInfo;
  485. PSYSTEM_THREAD_INFORMATION ThreadInfo;
  486. THREAD_BASIC_INFORMATION ThreadBasicInfo;
  487. TEB TheTeb;
  488. HANDLE Thread;
  489. OBJECT_ATTRIBUTES Obja;
  490. //
  491. // To get the thread IDs of the process, load the system process info
  492. // and look for the matching process. For each thread in it, open the
  493. // thread to get the Teb address, then, read the stack information from
  494. // the Teb in the processes memory.
  495. //
  496. Status = NtQuerySystemInformation(
  497. SystemProcessInformation,
  498. &RunningWorkingSetBuffer, // not in use yet for WS
  499. 512*1024, // don't give the whole thing
  500. // or it will be probed
  501. NULL
  502. );
  503. if (!NT_SUCCESS(Status)) {
  504. fprintf(stderr, "NtQuerySystemInformation for SystemProcessInformation"
  505. " failed %lx\n", GetLastError());
  506. return;
  507. }
  508. ProcessInfo = (PSYSTEM_PROCESS_INFORMATION) &RunningWorkingSetBuffer;
  509. while (ProcessInfo) {
  510. if (ProcessInfo->UniqueProcessId == (HANDLE)ProcessID) {
  511. break;
  512. }
  513. if (ProcessInfo->NextEntryOffset == 0) {
  514. ProcessInfo = NULL;
  515. break;
  516. }
  517. ProcessInfo = (PSYSTEM_PROCESS_INFORMATION) ((PBYTE)ProcessInfo +
  518. ProcessInfo->NextEntryOffset);
  519. }
  520. if (ProcessInfo == NULL) {
  521. fprintf(stderr, "Error: Failed to find process for Stack lookup\n");
  522. return;
  523. }
  524. ThreadInfo = (PSYSTEM_THREAD_INFORMATION) (ProcessInfo + 1);
  525. NumberOfThreads = ProcessInfo->NumberOfThreads;
  526. TheThreads = (PLOADED_THREAD) LocalAlloc(LMEM_ZEROINIT,
  527. sizeof(LOADED_THREAD) * NumberOfThreads);
  528. if (TheThreads == NULL) {
  529. printf("FAILURE: Couldn't allocate memory for thread database\n");
  530. ExitProcess(0);
  531. }
  532. InitializeObjectAttributes(&Obja, NULL, 0, NULL, NULL);
  533. for (i = 0; i < NumberOfThreads; i += 1, ThreadInfo += 1) {
  534. Status = NtOpenThread (&Thread,
  535. MAXIMUM_ALLOWED,
  536. &Obja,
  537. &ThreadInfo->ClientId);
  538. if (!NT_SUCCESS( Status )) {
  539. fprintf(stderr, "NtOpenThread %p failed %lx\n",
  540. ThreadInfo->ClientId.UniqueThread,
  541. GetLastError());
  542. return;
  543. }
  544. Status = NtQueryInformationThread (Thread,
  545. ThreadBasicInformation,
  546. &ThreadBasicInfo,
  547. sizeof( ThreadBasicInfo ),
  548. NULL);
  549. if (!NT_SUCCESS( Status )) {
  550. fprintf(stderr, "NtQueryInformationThread for"
  551. " ThreadBasicInformation failed %lx\n",
  552. GetLastError());
  553. CloseHandle (Thread);
  554. return;
  555. }
  556. //
  557. // Read the threads's TEB.
  558. //
  559. b = ReadProcessMemory (Process,
  560. ThreadBasicInfo.TebBaseAddress,
  561. &TheTeb,
  562. sizeof(TheTeb),
  563. NULL);
  564. if (!b) {
  565. fprintf(stderr, "ReadProcessMemory for"
  566. " TEB %d failed %lx\n",
  567. i,
  568. GetLastError());
  569. CloseHandle (Thread);
  570. return;
  571. }
  572. TheThreads[i].ThreadID = TheTeb.ClientId.UniqueThread;
  573. TheThreads[i].ThreadTEB = (PBYTE)ThreadBasicInfo.TebBaseAddress;
  574. TheThreads[i].StackBase = TheTeb.DeallocationStack;
  575. TheThreads[i].StackEnd = TheTeb.NtTib.StackBase;
  576. CloseHandle(Thread);
  577. }
  578. }
  579. PMODINFO
  580. LocateModInfo(
  581. PVOID Address
  582. )
  583. {
  584. ULONG i;
  585. for (i=0;i<ModInfoMax;i++){
  586. if ( Address >= ModInfo[i].BaseAddress &&
  587. Address <= (PVOID)((ULONG_PTR)ModInfo[i].BaseAddress+ModInfo[i].VirtualSize) ) {
  588. return &ModInfo[i];
  589. }
  590. }
  591. return NULL;
  592. }
  593. VOID
  594. CaptureWorkingSet(
  595. HANDLE Process
  596. )
  597. {
  598. ULONG_PTR NumEntries = INITIAL_WORKING_SET_BLOCK_ENTRYS;
  599. BOOLEAN Done;
  600. SIZE_T Size;
  601. DWORD Error;
  602. Done = FALSE;
  603. while (!Done) {
  604. Size = FIELD_OFFSET(MEMORY_WORKING_SET_INFORMATION, WorkingSetInfo) +
  605. NumEntries * sizeof(MEMORY_WORKING_SET_BLOCK);
  606. WorkingSetInfo = HeapAlloc(GetProcessHeap(), 0, Size);
  607. if (WorkingSetInfo == NULL) {
  608. printf("FAILURE Couldn't allocate working set info buffer\n");
  609. exit(0);
  610. }
  611. if (!QueryWorkingSet(Process, WorkingSetInfo, (DWORD) Size)) {
  612. Error = GetLastError();
  613. if (Error != ERROR_BAD_LENGTH) {
  614. printf("FAILURE query working set %lu\n", Error);
  615. exit(0);
  616. }
  617. }
  618. if (WorkingSetInfo->NumberOfEntries > NumEntries) {
  619. //
  620. // Not big enough so increase the number of entries and
  621. // free the old one.
  622. //
  623. NumEntries = WorkingSetInfo->NumberOfEntries + 100; // Add in some fudge for growth
  624. HeapFree(GetProcessHeap(), 0, WorkingSetInfo);
  625. } else {
  626. Done = TRUE;
  627. }
  628. }
  629. }
  630. int
  631. __cdecl
  632. ulcomp(
  633. const void *e1,
  634. const void *e2
  635. )
  636. {
  637. PULONG p1;
  638. PULONG p2;
  639. p1 = (PULONG)e1;
  640. p2 = (PULONG)e2;
  641. if (*p1 > *p2) {
  642. return 1;
  643. }
  644. if (*p1 < *p2) {
  645. return -1;
  646. }
  647. return 0;
  648. }
  649. int
  650. __cdecl
  651. WSBlockComp(
  652. const void *e1,
  653. const void *e2
  654. )
  655. {
  656. PMEMORY_WORKING_SET_BLOCK p1;
  657. PMEMORY_WORKING_SET_BLOCK p2;
  658. p1 = (PMEMORY_WORKING_SET_BLOCK)e1;
  659. p2 = (PMEMORY_WORKING_SET_BLOCK)e2;
  660. if (p1->VirtualPage > p2->VirtualPage) {
  661. return 1;
  662. }
  663. if (p1->VirtualPage < p2->VirtualPage) {
  664. return -1;
  665. }
  666. return 0;
  667. }
  668. int
  669. __cdecl
  670. wsinfocomp(
  671. const void *e1,
  672. const void *e2
  673. )
  674. {
  675. PWSINFOCOUNTS p1;
  676. PWSINFOCOUNTS p2;
  677. p1 = (PWSINFOCOUNTS)e1;
  678. p2 = (PWSINFOCOUNTS)e2;
  679. return (p1->Faults - p2->Faults);
  680. }
  681. BOOL
  682. CtrlcH (
  683. IN DWORD dwCtrlType
  684. )
  685. {
  686. PWSINFOCOUNTS WsInfoCount;
  687. LONG RunIndex;
  688. LONG CountIndex;
  689. IMAGEHLP_MODULE Mi;
  690. ULONG_PTR Offset;
  691. CHAR Line[256];
  692. if ( dwCtrlType != CTRL_C_EVENT ) {
  693. return FALSE;
  694. }
  695. if ((Options & (OPTIONS_WORKING_SET | OPTIONS_WORKING_SET_OLD)) == OPTIONS_WORKING_SET) {
  696. ;
  697. }
  698. else {
  699. return FALSE;
  700. }
  701. Mi.SizeOfStruct = sizeof(IMAGEHLP_MODULE);
  702. InCtrlc = TRUE;
  703. //
  704. // Sort the running working set buffer
  705. //
  706. qsort((void *)RunningWorkingSetBuffer,(size_t)CurrentWsIndex,(size_t)sizeof(ULONG),ulcomp);
  707. WsInfoCount = LocalAlloc(LMEM_ZEROINIT,CurrentWsIndex*sizeof(*WsInfoCount));
  708. if ( !WsInfoCount ) {
  709. ExitProcess(0);
  710. }
  711. //
  712. // Sum unique PC values
  713. //
  714. CountIndex = 0;
  715. RunIndex = 0;
  716. WsInfoCount[CountIndex].FaultingPc = RunningWorkingSetBuffer[RunIndex];
  717. WsInfoCount[CountIndex].Faults++;
  718. for(RunIndex = 1; RunIndex < CurrentWsIndex; RunIndex++){
  719. if ( WsInfoCount[CountIndex].FaultingPc == RunningWorkingSetBuffer[RunIndex] ) {
  720. WsInfoCount[CountIndex].Faults++;
  721. }
  722. else {
  723. CountIndex++;
  724. WsInfoCount[CountIndex].FaultingPc = RunningWorkingSetBuffer[RunIndex];
  725. WsInfoCount[CountIndex].Faults++;
  726. }
  727. }
  728. //
  729. // Now sort the counted pc/fault count pairs
  730. //
  731. qsort(WsInfoCount,CountIndex,sizeof(*WsInfoCount),wsinfocomp);
  732. //
  733. // Now print the sorted pc/fault count pairs
  734. //
  735. for ( RunIndex = CountIndex-1; RunIndex >= 0 ; RunIndex-- ) {
  736. if (!SymGetModuleInfo((HANDLE)ProcessId, WsInfoCount[RunIndex].FaultingPc, &Mi )) {
  737. printf("%8d, 0x%p\n",WsInfoCount[RunIndex].Faults,WsInfoCount[RunIndex].FaultingPc);
  738. if ( LogFile ) {
  739. fprintf(LogFile,"%8d, 0x%p\n",WsInfoCount[RunIndex].Faults,WsInfoCount[RunIndex].FaultingPc);
  740. }
  741. } else {
  742. if (SymGetSymFromAddr((HANDLE)ProcessId, WsInfoCount[RunIndex].FaultingPc, &Displacement, ThisSymbol )) {
  743. Offset = (ULONG_PTR)WsInfoCount[RunIndex].FaultingPc - ThisSymbol->Address;
  744. if ( Offset ) {
  745. sprintf(Line,"%8d, %s+%x\n",WsInfoCount[RunIndex].Faults,ThisSymbol->Name,Offset);
  746. } else {
  747. sprintf(Line,"%8d, %s\n",WsInfoCount[RunIndex].Faults, ThisSymbol->Name);
  748. }
  749. printf("%s",Line);
  750. if ( LogFile ) {
  751. fprintf(LogFile,"%s",Line);
  752. }
  753. } else {
  754. printf("%8d, 0x%p\n",WsInfoCount[RunIndex].Faults,WsInfoCount[RunIndex].FaultingPc);
  755. if ( LogFile ) {
  756. fprintf(LogFile,"%8d, 0x%p\n",WsInfoCount[RunIndex].Faults,WsInfoCount[RunIndex].FaultingPc);
  757. }
  758. }
  759. }
  760. }
  761. exit(1);
  762. return FALSE;
  763. }
  764. VOID
  765. DumpWorkingSetSnapshot (
  766. IN HANDLE Process
  767. )
  768. {
  769. LOGICAL NewLine;
  770. PSYSTEM_PAGE SystemPageBase;
  771. ULONG i;
  772. ULONG_PTR BaseVa = 0;
  773. ULONG_PTR Va = 0;
  774. ULONG_PTR PteIndex;
  775. ULONG_PTR BaseAddress;
  776. ULONG SystemPages = 0;
  777. ULONG HeapPages = 0;
  778. ULONG StackPages = 0;
  779. ULONG MappedPages = 0;
  780. ULONG SharedMappedPages = 0;
  781. ULONG PrivateMappedPages = 0;
  782. ULONG DataPages = 0;
  783. ULONG SharedDataPages = 0;
  784. ULONG PrivateDataPages = 0;
  785. ULONG ErrorPages = 0;
  786. ULONG QuickPages = 0;
  787. ULONG LpcPages = 0;
  788. ULONG CsrSharedPages = 0;
  789. ULONG SharedCsrSharedPages = 0;
  790. ULONG TebPages = 0;
  791. ULONG TotalStaticCodeData = 0;
  792. ULONG TotalStaticCodeDataShared = 0;
  793. ULONG TotalStaticCodeDataPrivate = 0;
  794. ULONG TotalDynamicData = 0;
  795. ULONG TotalDynamicDataShared = 0;
  796. ULONG TotalDynamicDataPrivate = 0;
  797. ULONG TotalSystem = 0;
  798. ULONG Total, Shareable, Private, Shared;
  799. PMODINFO Mi;
  800. PLOADED_HEAP pHeap;
  801. PLIST_ENTRY Next;
  802. MEMORY_BASIC_INFORMATION BasicInfo;
  803. BOOL b;
  804. ULONG Mstack[7];
  805. WCHAR FileName[MAX_PATH+1];
  806. PWCHAR pwch;
  807. ULONG ShareCount;
  808. BOOLEAN IsShareable;
  809. PMEMORY_WORKING_SET_BLOCK WorkingSetBlock;
  810. PMEMORY_WORKING_SET_BLOCK LastWorkingSetBlock;
  811. ULONG PageTablePageCount;
  812. ULONG PageTablePageMax;
  813. ULONG_PTR SPBase;
  814. ULONG_PTR MIBase;
  815. ULONG_PTR MIEnd;
  816. ULONG_PTR HSBase;
  817. ULONG_PTR HSEnd;
  818. ULONG_PTR SSBase;
  819. ULONG_PTR SSEnd;
  820. NewLine = FALSE;
  821. if (Options & OPTIONS_RAW_SYMBOLS) {
  822. fSummary = FALSE;
  823. }
  824. qsort (&WorkingSetInfo->WorkingSetInfo[0],
  825. WorkingSetInfo->NumberOfEntries,
  826. sizeof(MEMORY_WORKING_SET_BLOCK),
  827. WSBlockComp);
  828. //
  829. // Count the number of user page table page references that faulted.
  830. //
  831. PageTablePageCount = 0;
  832. WorkingSetBlock = &WorkingSetInfo->WorkingSetInfo[0];
  833. LastWorkingSetBlock = WorkingSetBlock + WorkingSetInfo->NumberOfEntries;
  834. while (WorkingSetBlock < LastWorkingSetBlock) {
  835. Va = WorkingSetBlock->VirtualPage << 12;
  836. if (IS_USER_PAGE_TABLE_PAGE(Va)) {
  837. PageTablePageCount += 1;
  838. }
  839. WorkingSetBlock += 1;
  840. }
  841. //
  842. // Allocate memory to hold the user page table page references.
  843. //
  844. SystemPageBase = NULL;
  845. PageTablePageMax = PageTablePageCount;
  846. if (PageTablePageMax != 0) {
  847. SystemPageBase = LocalAlloc (LMEM_ZEROINIT,
  848. PageTablePageMax * sizeof(SYSTEM_PAGE));
  849. if (SystemPageBase == NULL) {
  850. return;
  851. }
  852. }
  853. PageTablePageCount = 0;
  854. WorkingSetBlock = &WorkingSetInfo->WorkingSetInfo[0];
  855. while (WorkingSetBlock < LastWorkingSetBlock) {
  856. Va = WorkingSetBlock->VirtualPage << 12;
  857. IsSystemWithShareCount |= (ULONG_PTR)WorkingSetBlock->ShareCount;
  858. if (IS_USER_PAGE_TABLE_PAGE(Va)) {
  859. SystemPageBase[PageTablePageCount].Va = Va;
  860. PteIndex = (Va - (ULONG_PTR)PteBase) / PteWidth;
  861. BaseAddress = (PteIndex / PtesPerPage) * VaMappedByPageTable;
  862. SystemPageBase[PageTablePageCount].BaseAddress = (PVOID)BaseAddress;
  863. PageTablePageCount += 1;
  864. }
  865. WorkingSetBlock += 1;
  866. }
  867. //
  868. // Attribute each user space page into the system page that backs it.
  869. //
  870. WorkingSetBlock = &WorkingSetInfo->WorkingSetInfo[0];
  871. LastWorkingSetBlock = WorkingSetBlock + WorkingSetInfo->NumberOfEntries;
  872. while (WorkingSetBlock < LastWorkingSetBlock) {
  873. Va = WorkingSetBlock->VirtualPage << 12;
  874. if (Va < SystemRangeStart) {
  875. for (i = 0; i < PageTablePageCount; i += 1) {
  876. if ((Va >= (ULONG_PTR)SystemPageBase[i].BaseAddress) &&
  877. (Va < ((ULONG_PTR)SystemPageBase[i].BaseAddress + VaMappedByPageTable))) {
  878. SystemPageBase[i].ResidentPages += 1;
  879. break;
  880. }
  881. }
  882. }
  883. WorkingSetBlock += 1;
  884. }
  885. WorkingSetBlock = &WorkingSetInfo->WorkingSetInfo[0];
  886. for ( ; WorkingSetBlock < LastWorkingSetBlock; WorkingSetBlock += 1) {
  887. Va = WorkingSetBlock->VirtualPage << 12;
  888. IsShareable = (BOOLEAN) (WorkingSetBlock->Shared == 1);
  889. ShareCount = (ULONG) WorkingSetBlock->ShareCount;
  890. if (Va >= SystemRangeStart) {
  891. if ((!fSummary || (Options & OPTIONS_PAGE_TABLES)) &&
  892. (IS_USER_PAGE_TABLE_PAGE(Va))) {
  893. //
  894. // For each system page, dump the range spanned, number of
  895. // resident pages, and the modules and heaps covered.
  896. //
  897. for (i = 0; Va != SystemPageBase[i].Va; i += 1) {
  898. ;
  899. }
  900. SPBase = (ULONG_PTR) SystemPageBase[i].BaseAddress;
  901. if (NewLine) {
  902. printf("\n");
  903. NewLine = FALSE;
  904. }
  905. printf("0x%p -> (0x%p : 0x%p) %4d "
  906. "Resident Pages\n",
  907. Va,
  908. SPBase,
  909. SPBase + VaMappedByPageTable - 1,
  910. SystemPageBase[i].ResidentPages);
  911. //
  912. // Figure out which modules are covered by this
  913. // page table page. If the base of the module is
  914. // within the page, or the base+size of the
  915. // module is covered, then it is in the page
  916. //
  917. for (i = 0 ; i < ModInfoMax ; i += 1) {
  918. MIBase = (ULONG_PTR) ModInfo[i].BaseAddress;
  919. MIEnd = MIBase + (ULONG_PTR)ModInfo[i].VirtualSize;
  920. if ((MIEnd >= SPBase) &&
  921. (MIBase < SPBase + VaMappedByPageTable)) {
  922. printf(" (0x%p : 0x%p) "
  923. "-> %s\n",
  924. MIBase,
  925. MIEnd,
  926. ModInfo[i].Name
  927. );
  928. NewLine = TRUE;
  929. }
  930. }
  931. //
  932. // Figure out which heaps are covered by this
  933. // page table page.
  934. //
  935. Next = LoadedHeapList.Flink;
  936. while (Next != &LoadedHeapList) {
  937. pHeap = CONTAINING_RECORD (Next,
  938. LOADED_HEAP,
  939. HeapsList);
  940. Next = Next->Flink;
  941. for (i = 0 ; i < HEAP_MAXIMUM_SEGMENTS ; i += 1) {
  942. if (pHeap->Segments[i].BaseVa == NULL) {
  943. break;
  944. }
  945. HSBase = (ULONG_PTR) pHeap->Segments[i].BaseVa;
  946. HSEnd = HSBase +
  947. (ULONG_PTR)pHeap->Segments[i].Length;
  948. if ((HSEnd >= SPBase) &&
  949. (HSBase < (SPBase + VaMappedByPageTable))) {
  950. printf(" (0x%p : 0x%p) "
  951. "-> %s segment %d\n",
  952. HSBase,
  953. HSEnd,
  954. pHeap->HeapName,
  955. i);
  956. NewLine = TRUE;
  957. }
  958. }
  959. }
  960. //
  961. // Figure out which stacks are covered by this
  962. // page table page.
  963. //
  964. for (i = 0 ; i < NumberOfThreads ; i += 1) {
  965. SSBase = (ULONG_PTR)TheThreads[i].StackBase;
  966. SSEnd = (ULONG_PTR)TheThreads[i].StackEnd;
  967. if ((SSEnd >= SPBase) &&
  968. (SSBase < (SPBase + VaMappedByPageTable))) {
  969. printf(" (0x%p : 0x%p) "
  970. "-> Stack for thread %d\n",
  971. SSBase,
  972. SSEnd,
  973. i);
  974. NewLine = TRUE;
  975. }
  976. }
  977. }
  978. SystemPages += 1;
  979. TotalSystem += 1;
  980. continue;
  981. }
  982. Mi = LocateModInfo ((PVOID)Va);
  983. if (Mi == NULL) {
  984. if (FindAndIncHeapContainingThisVa ((PVOID)Va, ShareCount)) {
  985. HeapPages += 1;
  986. TotalDynamicData += 1;
  987. TotalDynamicDataPrivate += 1;
  988. continue;
  989. }
  990. if (FindAndIncStackContainingThisVa ((PVOID)Va, ShareCount)) {
  991. StackPages += 1;
  992. TotalDynamicData += 1;
  993. TotalDynamicDataPrivate += 1;
  994. continue;
  995. }
  996. if (VirtualQueryEx (Process,
  997. (LPVOID) Va,
  998. &BasicInfo,
  999. sizeof(BasicInfo)) ) {
  1000. if (BasicInfo.Type == MEM_MAPPED) {
  1001. if (ProcessId == 0xffffffff) {
  1002. //
  1003. // Look to see if this is a quick thread message
  1004. // stack window
  1005. //
  1006. b = ReadProcessMemory(
  1007. Process,
  1008. BasicInfo.AllocationBase,
  1009. &Mstack,
  1010. sizeof(Mstack),
  1011. NULL);
  1012. if (!b) {
  1013. goto unknownmapped;
  1014. }
  1015. if ((Mstack[0] >= Mstack[1]) &&
  1016. (Mstack[2] == 0x10000)) {
  1017. if (!fSummary) {
  1018. printf("0x%p ", Va);
  1019. if (IsSystemWithShareCount) {
  1020. printf("(%d) ", ShareCount);
  1021. }
  1022. printf("CSRQUICK Base 0x%p\n", BasicInfo.AllocationBase);
  1023. }
  1024. QuickPages += 1;
  1025. TotalDynamicData += 1;
  1026. TotalDynamicDataPrivate += 1;
  1027. if (ShareCount > 1) {
  1028. fprintf(stderr, "Error: QuickPage ShareCount > 1, "
  1029. " 0x%x\n", Va);
  1030. }
  1031. continue;
  1032. }
  1033. if ((BasicInfo.AllocationBase == NtCurrentPeb()->ReadOnlySharedMemoryBase) ||
  1034. (Va == (ULONG_PTR)NtCurrentPeb()->ReadOnlySharedMemoryBase)) {
  1035. if (!fSummary) {
  1036. printf("0x%p", Va);
  1037. if (IsSystemWithShareCount) {
  1038. printf("(%d) ", ShareCount);
  1039. }
  1040. printf("CSRSHARED Base 0x%p", BasicInfo.AllocationBase);
  1041. }
  1042. TotalDynamicData++;
  1043. CsrSharedPages++;
  1044. if (IsShareable) {
  1045. if (ShareCount > 1) {
  1046. TotalDynamicDataShared++;
  1047. SharedCsrSharedPages++;
  1048. }
  1049. } else {
  1050. fprintf(stderr, "Error: CsrShared not "
  1051. " sharable, 0x%x\n", Va);
  1052. }
  1053. continue;
  1054. }
  1055. // Fall Through if not found
  1056. }
  1057. //
  1058. // It's mapped but wasn't CSRSS special page.
  1059. //
  1060. unknownmapped:
  1061. if ( !fSummary ) {
  1062. DWORD cch;
  1063. //
  1064. // See if we can figure out the name associated with
  1065. // this mapped region
  1066. //
  1067. cch = GetMappedFileNameW(Process,
  1068. (LPVOID) Va,
  1069. FileName,
  1070. sizeof(FileName));
  1071. if (cch != 0) {
  1072. //
  1073. // Now go back through the string to
  1074. // find the seperator
  1075. //
  1076. pwch = FileName + cch;
  1077. while ( *pwch != (WCHAR)'\\' ) {
  1078. pwch--;
  1079. }
  1080. pwch++;
  1081. printf("0x%p ", Va);
  1082. if (IsSystemWithShareCount) {
  1083. printf("(%d) ", ShareCount);
  1084. }
  1085. printf("DATAFILE_MAPPED Base 0x%p %ws\n",
  1086. BasicInfo.AllocationBase,
  1087. pwch
  1088. );
  1089. } else {
  1090. printf("0x%p ", Va);
  1091. if (IsSystemWithShareCount) {
  1092. printf("(%d) ", ShareCount);
  1093. }
  1094. printf("UNKNOWN_MAPPED Base 0x%p\n", BasicInfo.AllocationBase);
  1095. }
  1096. }
  1097. TotalDynamicData++;
  1098. MappedPages++;
  1099. if (IsShareable) {
  1100. if (ShareCount > 1) {
  1101. TotalDynamicDataShared++;
  1102. SharedMappedPages++;
  1103. }
  1104. } else {
  1105. TotalDynamicDataPrivate++;
  1106. PrivateMappedPages++;
  1107. }
  1108. continue;
  1109. }
  1110. //
  1111. // Not Mapped section
  1112. //
  1113. for (i = 0 ; i < NumberOfThreads; i += 1) {
  1114. if ((ULONG_PTR) TheThreads[i].ThreadTEB == Va) {
  1115. if (!fSummary) {
  1116. printf("0x%p ", Va);
  1117. if (IsSystemWithShareCount) {
  1118. printf("(%d) ", ShareCount);
  1119. }
  1120. printf("TEB Base 0x%p\n",
  1121. BasicInfo.AllocationBase);
  1122. }
  1123. TotalDynamicData++;
  1124. TebPages++;
  1125. if (ShareCount > 1) {
  1126. fprintf(stderr, "Error: TEB ShareCount > 1, "
  1127. " 0x%x\n", Va);
  1128. }
  1129. TotalDynamicDataPrivate++;
  1130. continue;
  1131. }
  1132. }
  1133. //
  1134. // Wasn't a TEB either it must have been VirtualAlloc'd.
  1135. //
  1136. if (!fSummary) {
  1137. printf("0x%p ", Va);
  1138. if (IsSystemWithShareCount) {
  1139. printf("(%d) ", ShareCount);
  1140. }
  1141. printf("PRIVATE Base 0x%p\n", BasicInfo.AllocationBase );
  1142. }
  1143. TotalDynamicData += 1;
  1144. DataPages += 1;
  1145. if (Va != MM_SHARED_USER_DATA_VA) {
  1146. if (ShareCount > 1) {
  1147. fprintf(stderr, "Error: Private ShareCount > 1, "
  1148. " 0x%x %x\n", Va, ShareCount);
  1149. }
  1150. TotalDynamicDataPrivate += 1;
  1151. PrivateDataPages += 1;
  1152. }
  1153. continue;
  1154. }
  1155. //
  1156. // Hmm, couldn't find out about the page. Say it's data.
  1157. //
  1158. if (!fSummary) {
  1159. printf("0x%p ", Va);
  1160. if (IsSystemWithShareCount) {
  1161. printf("(%d) ", ShareCount);
  1162. }
  1163. printf("UNKOWN\n");
  1164. }
  1165. TotalDynamicData++;
  1166. DataPages++;
  1167. if (IsShareable) {
  1168. if (ShareCount > 1) {
  1169. TotalDynamicDataShared++;
  1170. SharedDataPages++;
  1171. }
  1172. }
  1173. else {
  1174. TotalDynamicDataPrivate++;
  1175. PrivateDataPages++;
  1176. }
  1177. continue;
  1178. }
  1179. //
  1180. // It's from a module.
  1181. //
  1182. Mi->WsHits += 1;
  1183. TotalStaticCodeData += 1;
  1184. if (IsShareable) {
  1185. if (ShareCount > 1) {
  1186. TotalStaticCodeDataShared += 1;
  1187. Mi->WsSharedHits += 1;
  1188. }
  1189. }
  1190. else {
  1191. Mi->WsPrivateHits += 1;
  1192. TotalStaticCodeDataPrivate += 1;
  1193. }
  1194. if ( !fSummary ) {
  1195. printf("0x%p ", Va);
  1196. if (IsSystemWithShareCount) {
  1197. printf("(%d) ", ShareCount);
  1198. }
  1199. printf("%s\n",Mi->Name);
  1200. if (Options & OPTIONS_RAW_SYMBOLS) {
  1201. if (SymGetSymFromAddr((HANDLE)ProcessId,
  1202. Va,
  1203. &Displacement,
  1204. ThisSymbol )) {
  1205. BaseVa = Va;
  1206. if (ThisSymbol->Size) {
  1207. printf("\t(%4x) %s\n",
  1208. ThisSymbol->Size,
  1209. ThisSymbol->Name
  1210. );
  1211. Va += ThisSymbol->Size;
  1212. while ((Va < BaseVa + 4096) &&
  1213. ThisSymbol->Size) {
  1214. if (SymGetSymFromAddr((HANDLE)ProcessId,
  1215. Va,
  1216. &Displacement,
  1217. ThisSymbol)) {
  1218. printf("\t(%4x) %s\n",
  1219. ThisSymbol->Size,
  1220. ThisSymbol->Name
  1221. );
  1222. Va += ThisSymbol->Size;
  1223. }
  1224. else {
  1225. break;
  1226. }
  1227. }
  1228. }
  1229. }
  1230. else {
  1231. ErrorPages++;
  1232. }
  1233. }
  1234. }
  1235. }
  1236. if (!fSummary || (Options & OPTIONS_PAGE_TABLES)) {
  1237. printf("\n");
  1238. }
  1239. if (IsSystemWithShareCount) {
  1240. printf("Category Total Private Shareable Shared\n");
  1241. printf(" Pages KBytes KBytes KBytes KBytes\n");
  1242. } else {
  1243. printf("Category Total Private Shareable\n");
  1244. printf(" Pages KBytes KBytes KBytes\n");
  1245. }
  1246. Total = PageTablePageCount;
  1247. Private = Total;
  1248. Shared = 0;
  1249. Shareable = 0;
  1250. printf(IsSystemWithShareCount ?
  1251. " Page Table Pages %5d %9d %9d %9d %9d\n" :
  1252. " Page Table Pages %5d %9d %9d %9d\n",
  1253. Total,
  1254. P2KB(Total),
  1255. P2KB(Private),
  1256. P2KB(Shareable),
  1257. P2KB(Shared)
  1258. );
  1259. Total = SystemPages - PageTablePageCount;
  1260. Private = Total;
  1261. Shared = 0;
  1262. Shareable = 0;
  1263. printf(IsSystemWithShareCount ?
  1264. " Other System %5d %9d %9d %9d %9d\n" :
  1265. " Other System %5d %9d %9d %9d\n",
  1266. Total,
  1267. P2KB(Total),
  1268. P2KB(Private),
  1269. P2KB(Shareable),
  1270. P2KB(Shared)
  1271. );
  1272. Total = TotalStaticCodeData;
  1273. Private = TotalStaticCodeDataPrivate;
  1274. Shared = TotalStaticCodeDataShared;
  1275. Shareable = Total - Shared - Private;
  1276. printf(IsSystemWithShareCount ?
  1277. " Code/StaticData %5d %9d %9d %9d %9d\n" :
  1278. " Code/StaticData %5d %9d %9d %9d\n",
  1279. Total,
  1280. P2KB(Total),
  1281. P2KB(Private),
  1282. P2KB(Shareable),
  1283. P2KB(Shared)
  1284. );
  1285. Total = HeapPages;
  1286. Private = Total;
  1287. Shared = 0;
  1288. Shareable = 0;
  1289. printf(IsSystemWithShareCount ?
  1290. " Heap %5d %9d %9d %9d %9d\n" :
  1291. " Heap %5d %9d %9d %9d\n",
  1292. Total,
  1293. P2KB(Total),
  1294. P2KB(Private),
  1295. P2KB(Shareable),
  1296. P2KB(Shared)
  1297. );
  1298. Total = StackPages;
  1299. Private = Total;
  1300. Shared = 0;
  1301. Shareable = 0;
  1302. printf(IsSystemWithShareCount ?
  1303. " Stack %5d %9d %9d %9d %9d\n" :
  1304. " Stack %5d %9d %9d %9d\n",
  1305. Total,
  1306. P2KB(Total),
  1307. P2KB(Private),
  1308. P2KB(Shareable),
  1309. P2KB(Shared)
  1310. );
  1311. if ( ProcessId == 0xffffffff ) {
  1312. Total = QuickPages;
  1313. Private = Total;
  1314. Shared = 0;
  1315. Shareable = 0;
  1316. printf(IsSystemWithShareCount ?
  1317. " Quick Thread Stack %5d %9d %9d %9d %9d\n" :
  1318. " Quick Thread Stack %5d %9d %9d %9d\n",
  1319. Total,
  1320. P2KB(Total),
  1321. P2KB(Private),
  1322. P2KB(Shareable),
  1323. P2KB(Shared)
  1324. );
  1325. Total = LpcPages;
  1326. Private = 0;
  1327. Shareable = 0;
  1328. Shared = 0;
  1329. printf(IsSystemWithShareCount ?
  1330. " Lpc Message Windows %5d %9d %9d %9d %9d\n" :
  1331. " Lpc Message Windows %5d %9d %9d %9d\n",
  1332. Total,
  1333. P2KB(Total),
  1334. P2KB(Private),
  1335. P2KB(Shareable),
  1336. P2KB(Shared)
  1337. );
  1338. Total = CsrSharedPages;
  1339. Private = 0;
  1340. Shared = SharedCsrSharedPages;
  1341. Shareable = Total - Shared - Private;
  1342. printf(IsSystemWithShareCount ?
  1343. " Csr Shared Memory %5d %9d %9d %9d %9d\n" :
  1344. " Csr Shared Memory %5d %9d %9d %9d\n",
  1345. Total,
  1346. P2KB(Total),
  1347. P2KB(Private),
  1348. P2KB(Shareable),
  1349. P2KB(Shared)
  1350. );
  1351. }
  1352. Total = TebPages;
  1353. Private = Total;
  1354. Shared = 0;
  1355. Shareable = 0;
  1356. printf(IsSystemWithShareCount ?
  1357. " Teb %5d %9d %9d %9d %9d\n" :
  1358. " Teb %5d %9d %9d %9d\n",
  1359. Total,
  1360. P2KB(Total),
  1361. P2KB(Private),
  1362. P2KB(Shareable),
  1363. P2KB(Shared)
  1364. );
  1365. Total = MappedPages;
  1366. Private = PrivateMappedPages;
  1367. Shared = SharedMappedPages;
  1368. Shareable = Total - Shared - Private;
  1369. printf(IsSystemWithShareCount ?
  1370. " Mapped Data %5d %9d %9d %9d %9d\n" :
  1371. " Mapped Data %5d %9d %9d %9d\n",
  1372. Total,
  1373. P2KB(Total),
  1374. P2KB(Private),
  1375. P2KB(Shareable),
  1376. P2KB(Shared)
  1377. );
  1378. Total = DataPages;
  1379. Private = PrivateDataPages;
  1380. Shared = SharedDataPages;
  1381. Shareable = Total - Shared - Private;
  1382. printf(IsSystemWithShareCount ?
  1383. " Other Data %5d %9d %9d %9d %9d\n" :
  1384. " Other Data %5d %9d %9d %9d\n",
  1385. Total,
  1386. P2KB(Total),
  1387. P2KB(Private),
  1388. P2KB(Shareable),
  1389. P2KB(Shared)
  1390. );
  1391. printf("\n");
  1392. Total = TotalStaticCodeData;
  1393. Private = TotalStaticCodeDataPrivate;
  1394. Shared = TotalStaticCodeDataShared;
  1395. Shareable = Total - Shared - Private;
  1396. printf(IsSystemWithShareCount ?
  1397. " Total Modules %5d %9d %9d %9d %9d\n" :
  1398. " Total Modules %5d %9d %9d %9d\n",
  1399. Total,
  1400. P2KB(Total),
  1401. P2KB(Private),
  1402. P2KB(Shareable),
  1403. P2KB(Shared)
  1404. );
  1405. Total = TotalDynamicData;
  1406. Private = TotalDynamicDataPrivate;
  1407. Shared = TotalDynamicDataShared;
  1408. Shareable = Total - Shared - Private;
  1409. printf(IsSystemWithShareCount ?
  1410. " Total Dynamic Data %5d %9d %9d %9d %9d\n" :
  1411. " Total Dynamic Data %5d %9d %9d %9d\n",
  1412. Total,
  1413. P2KB(Total),
  1414. P2KB(Private),
  1415. P2KB(Shareable),
  1416. P2KB(Shared)
  1417. );
  1418. Total = TotalSystem;
  1419. Private = Total;
  1420. Shared = 0;
  1421. Shareable = 0;
  1422. printf(IsSystemWithShareCount ?
  1423. " Total System %5d %9d %9d %9d %9d\n" :
  1424. " Total System %5d %9d %9d %9d\n",
  1425. Total,
  1426. P2KB(Total),
  1427. P2KB(Private),
  1428. P2KB(Shareable),
  1429. P2KB(Shared)
  1430. );
  1431. Total = TotalSystem + TotalDynamicData + TotalStaticCodeData;
  1432. Private = TotalSystem + TotalDynamicDataPrivate +
  1433. TotalStaticCodeDataPrivate;
  1434. Shared = TotalDynamicDataShared + TotalStaticCodeDataShared;
  1435. Shareable = Total - Shared - Private;
  1436. printf(IsSystemWithShareCount ?
  1437. "Grand Total Working Set %5d %9d %9d %9d %9d\n" :
  1438. "Grand Total Working Set %5d %9d %9d %9d\n",
  1439. Total,
  1440. P2KB(Total),
  1441. P2KB(Private),
  1442. P2KB(Shareable),
  1443. P2KB(Shared)
  1444. );
  1445. printf("\nModule Working Set Contributions in pages\n");
  1446. printf(IsSystemWithShareCount ?
  1447. " Total Private Shareable Shared Module\n" :
  1448. " Total Private Shareable Module\n"
  1449. );
  1450. for (i=0 ; i < ModInfoMax ; i++){
  1451. if ( ModInfo[i].WsHits ) {
  1452. if (IsSystemWithShareCount) {
  1453. printf("%9d %9d %9d %9d %s\n",
  1454. ModInfo[i].WsHits,
  1455. ModInfo[i].WsPrivateHits,
  1456. ModInfo[i].WsHits -
  1457. ModInfo[i].WsSharedHits -
  1458. ModInfo[i].WsPrivateHits,
  1459. ModInfo[i].WsSharedHits,
  1460. ModInfo[i].Name
  1461. );
  1462. }
  1463. else {
  1464. printf("%9d %9d %9d %s\n",
  1465. ModInfo[i].WsHits,
  1466. ModInfo[i].WsPrivateHits,
  1467. ModInfo[i].WsHits -
  1468. ModInfo[i].WsSharedHits -
  1469. ModInfo[i].WsPrivateHits,
  1470. ModInfo[i].Name
  1471. );
  1472. }
  1473. }
  1474. }
  1475. printf("\nHeap Working Set Contributions\n");
  1476. Next = LoadedHeapList.Flink;
  1477. while ( Next != &LoadedHeapList ) {
  1478. pHeap = CONTAINING_RECORD(Next, LOADED_HEAP, HeapsList);
  1479. Next = Next->Flink;
  1480. DumpLoadedHeap(pHeap);
  1481. }
  1482. printf("\nStack Working Set Contributions\n");
  1483. DumpLoadedStacks();
  1484. #if 0
  1485. if ( Options & OPTIONS_VERBOSE ) {
  1486. printf("Raw Working Set Blocks\n\n");
  1487. for (i = 0; i < WorkingSetInfo->NumberOfEntries ; i++) {
  1488. printf("%d %p\n", i, (ULONG_PTR) WorkingSetInfo->WorkingSetInfo[i]);
  1489. i++;
  1490. }
  1491. }
  1492. #endif
  1493. if (SystemPageBase != NULL) {
  1494. LocalFree (SystemPageBase);
  1495. }
  1496. }
  1497. VOID
  1498. DumpWorkingSet (
  1499. IN HANDLE Process
  1500. )
  1501. {
  1502. ULONG i;
  1503. PMODINFO Mi,Mi2;
  1504. NTSTATUS Status;
  1505. ULONG_PTR Offset;
  1506. CHAR Line[256];
  1507. BOOLEAN didone;
  1508. HANDLE ScreenHandle;
  1509. INPUT_RECORD InputRecord;
  1510. DWORD NumRead;
  1511. ScreenHandle = GetStdHandle (STD_INPUT_HANDLE);
  1512. if (ScreenHandle == NULL) {
  1513. printf("Error obtaining screen handle, error was: 0x%lx\n",
  1514. GetLastError());
  1515. ExitProcess(1);
  1516. }
  1517. Status = NtSetInformationProcess (Process, ProcessWorkingSetWatch, NULL, 0);
  1518. if (!NT_SUCCESS(Status) &&
  1519. !(Status == STATUS_PORT_ALREADY_SET) &&
  1520. !(Status == STATUS_ACCESS_DENIED)) {
  1521. return;
  1522. }
  1523. SetConsoleCtrlHandler(CtrlcH,TRUE);
  1524. EmptyWorkingSet(Process);
  1525. while (TRUE) {
  1526. Status = NtQueryInformationProcess (Process,
  1527. ProcessWorkingSetWatch,
  1528. (PVOID *)&NewWorkingSetBuffer,
  1529. sizeof (NewWorkingSetBuffer),
  1530. NULL);
  1531. if (fFast) {
  1532. fFast = FALSE;
  1533. Status = STATUS_NO_MORE_ENTRIES;
  1534. }
  1535. if ( NT_SUCCESS(Status) ) {
  1536. //
  1537. // For each PC/VA pair, print the pc and referenced VA
  1538. // symbolically
  1539. //
  1540. didone = FALSE;
  1541. i = 0;
  1542. while (NewWorkingSetBuffer[i].FaultingPc) {
  1543. if ( NewWorkingSetBuffer[i].FaultingVa ) {
  1544. if ( InCtrlc ) {
  1545. ExitThread(0);
  1546. }
  1547. Mi2 = LocateModInfo((PVOID)NewWorkingSetBuffer[i].FaultingVa);
  1548. if ( !Mi2 || (Mi2 && (Options & OPTIONS_CODE_TOO))) {
  1549. //
  1550. // Add the pc to the running working set
  1551. // watch buffer
  1552. //
  1553. RunningWorkingSetBuffer[CurrentWsIndex++] = (ULONG_PTR)NewWorkingSetBuffer[i].FaultingPc;
  1554. if ( CurrentWsIndex >= MAX_RUNNING_WORKING_SET_BUFFER ) {
  1555. CtrlcH(CTRL_C_EVENT);
  1556. }
  1557. if ( fRunning ) {
  1558. //
  1559. // Print the PC symbolically.
  1560. //
  1561. didone = TRUE;
  1562. Mi = LocateModInfo((PVOID)NewWorkingSetBuffer[i].FaultingPc);
  1563. if ( !Mi ) {
  1564. printf("0x%p",NewWorkingSetBuffer[i].FaultingPc);
  1565. if ( LogFile ) {
  1566. fprintf(LogFile,"0x%p",NewWorkingSetBuffer[i].FaultingPc);
  1567. }
  1568. }
  1569. else {
  1570. if (SymGetSymFromAddr((HANDLE)ProcessId, (DWORD_PTR)NewWorkingSetBuffer[i].FaultingPc, &Displacement, ThisSymbol )) {
  1571. Offset = (ULONG_PTR)NewWorkingSetBuffer[i].FaultingPc - ThisSymbol->Address;
  1572. if ( Offset ) {
  1573. sprintf(Line,"%s+%x",ThisSymbol->Name,Offset);
  1574. }
  1575. else {
  1576. sprintf(Line,"%s",ThisSymbol->Name);
  1577. }
  1578. printf("%s",Line);
  1579. if ( LogFile ) {
  1580. fprintf(LogFile,"%s",Line);
  1581. }
  1582. }
  1583. else {
  1584. printf("0x%p",NewWorkingSetBuffer[i].FaultingPc);
  1585. if ( LogFile ) {
  1586. fprintf(LogFile,"0x%p",NewWorkingSetBuffer[i].FaultingPc);
  1587. }
  1588. }
  1589. }
  1590. //
  1591. // Print the VA Symbolically
  1592. //
  1593. Mi = LocateModInfo((PVOID)NewWorkingSetBuffer[i].FaultingVa);
  1594. if ( !Mi ) {
  1595. printf(" : 0x%p",NewWorkingSetBuffer[i].FaultingVa);
  1596. if ( LogFile ) {
  1597. fprintf(LogFile," : 0x%p",NewWorkingSetBuffer[i].FaultingVa);
  1598. }
  1599. }
  1600. else {
  1601. if (SymGetSymFromAddr((HANDLE)ProcessId, (DWORD_PTR)NewWorkingSetBuffer[i].FaultingVa, &Displacement, ThisSymbol )) {
  1602. Offset = (ULONG_PTR)NewWorkingSetBuffer[i].FaultingVa - ThisSymbol->Address;
  1603. if ( Offset ) {
  1604. sprintf(Line," : %s+%x",ThisSymbol->Name,Offset);
  1605. }
  1606. else {
  1607. sprintf(Line," : %s",ThisSymbol->Name);
  1608. }
  1609. printf("%s",Line);
  1610. if ( LogFile ) {
  1611. fprintf(LogFile,"%s",Line);
  1612. }
  1613. }
  1614. else {
  1615. printf(" : 0x%p",NewWorkingSetBuffer[i].FaultingVa);
  1616. if ( LogFile ) {
  1617. fprintf(LogFile," : 0x%p",NewWorkingSetBuffer[i].FaultingVa);
  1618. }
  1619. }
  1620. }
  1621. printf("\n");
  1622. if ( LogFile ) {
  1623. fprintf(LogFile,"\n");
  1624. }
  1625. }
  1626. }
  1627. }
  1628. i++;
  1629. }
  1630. if ( didone ) {
  1631. printf("\n");
  1632. if ( LogFile ) {
  1633. fprintf(LogFile,"\n");
  1634. }
  1635. }
  1636. }
  1637. Sleep(1000);
  1638. while (PeekConsoleInput (ScreenHandle, &InputRecord, 1, &NumRead) && NumRead != 0) {
  1639. if (!ReadConsoleInput (ScreenHandle, &InputRecord, 1, &NumRead)) {
  1640. break;
  1641. }
  1642. if (InputRecord.EventType == KEY_EVENT) {
  1643. //
  1644. // Ignore control characters.
  1645. //
  1646. if (InputRecord.Event.KeyEvent.uChar.AsciiChar >= ' ') {
  1647. switch (InputRecord.Event.KeyEvent.uChar.AsciiChar) {
  1648. case 'F':
  1649. case 'f':
  1650. EmptyWorkingSet(Process);
  1651. printf("\n*** Working Set Flushed ***\n\n");
  1652. if ( LogFile ) {
  1653. fprintf(LogFile,"\n*** Working Set Flushed ***\n\n");
  1654. }
  1655. break;
  1656. default:
  1657. break;
  1658. }
  1659. }
  1660. }
  1661. }
  1662. }
  1663. }
  1664. VOID
  1665. ComputeModInfo(
  1666. HANDLE Process,
  1667. DWORD_PTR ProcessId
  1668. )
  1669. {
  1670. HMODULE rghModule[MODINFO_SIZE];
  1671. DWORD cbNeeded;
  1672. ULONG ModInfoNext;
  1673. PVOID BaseAddress;
  1674. IMAGEHLP_MODULE ModuleInfo;
  1675. MODULEINFO PsapiModuleInfo;
  1676. ULONG i;
  1677. ModuleInfo.SizeOfStruct = sizeof(IMAGEHLP_MODULE);
  1678. SymInitialize((HANDLE)ProcessId, NULL, FALSE );
  1679. SymSetOptions(SYMOPT_DEFERRED_LOADS | SYMOPT_UNDNAME);
  1680. for (i=0 ; i < ModInfoMax ; i++){
  1681. if ( ModInfo[i].BaseAddress &&
  1682. ModInfo[i].BaseAddress != (PVOID)-1 &&
  1683. ModInfo[i].Name
  1684. ) {
  1685. LocalFree(ModInfo[i].Name);
  1686. }
  1687. }
  1688. RtlZeroMemory(ModInfo, sizeof(ModInfo));
  1689. if (!EnumProcessModules(Process, rghModule, sizeof(rghModule), &cbNeeded)) {
  1690. return;
  1691. }
  1692. if (cbNeeded > sizeof(rghModule)) {
  1693. cbNeeded = sizeof(rghModule);
  1694. }
  1695. ModInfoMax = cbNeeded / sizeof(HMODULE);
  1696. for (ModInfoNext = 0; ModInfoNext < ModInfoMax; ModInfoNext++) {
  1697. HMODULE hModule;
  1698. DWORD cch;
  1699. CHAR DllName[MAX_PATH];
  1700. hModule = rghModule[ModInfoNext];
  1701. ModInfo[ModInfoNext].BaseAddress = (PVOID) hModule;
  1702. //
  1703. // Get the base name of the module
  1704. //
  1705. cch = GetModuleBaseName(Process, hModule, DllName, sizeof(DllName));
  1706. if (cch == 0) {
  1707. return;
  1708. }
  1709. ModInfo[ModInfoNext].Name = LocalAlloc(LMEM_ZEROINIT, cch+1);
  1710. if ( !ModInfo[ModInfoNext].Name) {
  1711. return;
  1712. }
  1713. memcpy(ModInfo[ModInfoNext].Name, DllName, cch);
  1714. //
  1715. // Get the full path to the module.
  1716. //
  1717. cch = GetModuleFileNameEx (Process, hModule, DllName, sizeof(DllName));
  1718. if (cch == 0) {
  1719. return;
  1720. }
  1721. GetModuleInformation (Process,
  1722. hModule,
  1723. &PsapiModuleInfo,
  1724. sizeof(MODULEINFO));
  1725. ModInfo[ModInfoNext].VirtualSize = PsapiModuleInfo.SizeOfImage;
  1726. BaseAddress = (PVOID)SymLoadModule ((HANDLE)ProcessId,
  1727. NULL,
  1728. DllName,
  1729. NULL,
  1730. (DWORD_PTR)hModule,
  1731. PsapiModuleInfo.SizeOfImage);
  1732. if ((ModInfo[ModInfoNext].BaseAddress) &&
  1733. (ModInfo[ModInfoNext].BaseAddress == BaseAddress)) {
  1734. SymGetModuleInfo(
  1735. (HANDLE)ProcessId,
  1736. (DWORD_PTR)ModInfo[ModInfoNext].BaseAddress,
  1737. &ModuleInfo
  1738. );
  1739. if (ModuleInfo.SymType == SymNone) {
  1740. ModInfo[ModInfoNext].SymbolsLoaded = FALSE;
  1741. if (Options & OPTIONS_VERBOSE) {
  1742. fprintf(stderr, "Could not load symbols: %p : %p %s\n",
  1743. (DWORD_PTR)ModInfo[ModInfoNext].BaseAddress,
  1744. (DWORD_PTR)ModInfo[ModInfoNext].BaseAddress +
  1745. ModInfo[ModInfoNext].VirtualSize,
  1746. ModInfo[ModInfoNext].Name
  1747. );
  1748. }
  1749. } else {
  1750. ModInfo[ModInfoNext].SymbolsLoaded = TRUE;
  1751. if (Options & OPTIONS_VERBOSE) {
  1752. fprintf(stderr, "Symbols loaded: %p : %p %s\n",
  1753. (DWORD_PTR)ModInfo[ModInfoNext].BaseAddress,
  1754. (DWORD_PTR)ModInfo[ModInfoNext].BaseAddress +
  1755. ModInfo[ModInfoNext].VirtualSize,
  1756. ModInfo[ModInfoNext].Name
  1757. );
  1758. }
  1759. }
  1760. } else {
  1761. ModInfo[ModInfoNext].SymbolsLoaded = FALSE;
  1762. if (Options & OPTIONS_VERBOSE) {
  1763. fprintf(stderr, "Symbols not loaded and conflicting Base: %p (%p) : %p %s\n",
  1764. (DWORD_PTR)ModInfo[ModInfoNext].BaseAddress,
  1765. BaseAddress,
  1766. (DWORD_PTR)ModInfo[ModInfoNext].BaseAddress +
  1767. ModInfo[ModInfoNext].VirtualSize,
  1768. ModInfo[ModInfoNext].Name
  1769. );
  1770. }
  1771. }
  1772. }
  1773. if (bHitModuleMax) {
  1774. fprintf(stderr, "\nERROR: The number of modules in the process more than the buffer size\n");
  1775. }
  1776. }
  1777. ProtectionToIndex(
  1778. ULONG Protection
  1779. )
  1780. {
  1781. Protection &= ~PAGE_GUARD;
  1782. switch ( Protection ) {
  1783. case PAGE_NOACCESS:
  1784. return NOACCESS;
  1785. case PAGE_READONLY:
  1786. return READONLY;
  1787. case PAGE_READWRITE:
  1788. return READWRITE;
  1789. case PAGE_WRITECOPY:
  1790. return WRITECOPY;
  1791. case PAGE_EXECUTE:
  1792. return EXECUTE;
  1793. case PAGE_EXECUTE_READ:
  1794. return EXECUTEREAD;
  1795. case PAGE_EXECUTE_READWRITE:
  1796. return EXECUTEREADWRITE;
  1797. case PAGE_EXECUTE_WRITECOPY:
  1798. return EXECUTEWRITECOPY;
  1799. default:
  1800. return 0;
  1801. }
  1802. }
  1803. VOID
  1804. DumpCommit (
  1805. PSZ Header,
  1806. ULONG_PTR *CommitVector
  1807. )
  1808. {
  1809. ULONG_PTR TotalCommitCount;
  1810. ULONG i;
  1811. TotalCommitCount = 0;
  1812. for ( i=0;i<MAXPROTECT;i++){
  1813. TotalCommitCount += CommitVector[i];
  1814. }
  1815. printf("\nTotal %s Commitment %8ld\n",Header,TotalCommitCount);
  1816. if ( CommitVector[NOACCESS] ) {
  1817. printf(" NOACCESS: %9ld\n",CommitVector[NOACCESS]);
  1818. }
  1819. if ( CommitVector[READONLY] ) {
  1820. printf(" READONLY: %9ld\n",CommitVector[READONLY]);
  1821. }
  1822. if ( CommitVector[READWRITE] ) {
  1823. printf(" READWRITE: %9ld\n",CommitVector[READWRITE]);
  1824. }
  1825. if ( CommitVector[WRITECOPY] ) {
  1826. printf(" WRITECOPY: %9ld\n",CommitVector[WRITECOPY]);
  1827. }
  1828. if ( CommitVector[EXECUTE] ) {
  1829. printf(" EXECUTE: %9ld\n",CommitVector[EXECUTE]);
  1830. }
  1831. if ( CommitVector[EXECUTEREAD] ) {
  1832. printf(" EXECUTEREAD: %9ld\n",CommitVector[EXECUTEREAD]);
  1833. }
  1834. if ( CommitVector[EXECUTEREADWRITE] ) {
  1835. printf(" EXECUTEREADWRITE: %9ld\n",CommitVector[EXECUTEREADWRITE]);
  1836. }
  1837. if ( CommitVector[EXECUTEWRITECOPY] ) {
  1838. printf(" EXECUTEWRITECOPY: %9ld\n",CommitVector[EXECUTEWRITECOPY]);
  1839. }
  1840. }
  1841. VOID
  1842. DumpModInfo (
  1843. )
  1844. {
  1845. ULONG i;
  1846. for (i=0 ; i < ModInfoMax ; i++){
  1847. DumpCommit(ModInfo[i].Name, &ModInfo[i].CommitVector[0]);
  1848. }
  1849. }
  1850. VOID
  1851. CaptureVaSpace (
  1852. IN HANDLE Process
  1853. )
  1854. {
  1855. PVOID BaseAddress;
  1856. PVAINFO VaInfo;
  1857. PMODINFO Mod;
  1858. BaseAddress = NULL;
  1859. LastAllocationBase = NULL;
  1860. InitializeListHead(&VaList);
  1861. while ( (ULONG_PTR)BaseAddress < SystemRangeStart ) {
  1862. VaInfo = LocalAlloc(LMEM_ZEROINIT, sizeof(*VaInfo));
  1863. if (!VaInfo) {
  1864. return;
  1865. }
  1866. if ( !VirtualQueryEx(Process,
  1867. BaseAddress,
  1868. &VaInfo->BasicInfo,
  1869. sizeof(VaInfo->BasicInfo)) ) {
  1870. LocalFree (VaInfo);
  1871. return;
  1872. }
  1873. switch (VaInfo->BasicInfo.State ) {
  1874. case MEM_COMMIT :
  1875. if ( VaInfo->BasicInfo.Type == MEM_IMAGE ) {
  1876. ImageCommit[ProtectionToIndex(VaInfo->BasicInfo.Protect)] += VaInfo->BasicInfo.RegionSize;
  1877. Mod = LocateModInfo(BaseAddress);
  1878. if ( Mod ) {
  1879. Mod->CommitVector[ProtectionToIndex(VaInfo->BasicInfo.Protect)] += VaInfo->BasicInfo.RegionSize;
  1880. }
  1881. }
  1882. else {
  1883. if ( VaInfo->BasicInfo.Type == MEM_MAPPED ) {
  1884. MappedCommit[ProtectionToIndex(VaInfo->BasicInfo.Protect)] += VaInfo->BasicInfo.RegionSize;
  1885. }
  1886. else {
  1887. PrivateCommit[ProtectionToIndex(VaInfo->BasicInfo.Protect)] += VaInfo->BasicInfo.RegionSize;
  1888. }
  1889. }
  1890. break;
  1891. case MEM_RESERVE :
  1892. if ( VaInfo->BasicInfo.Type == MEM_IMAGE ) {
  1893. ImageReservedBytes += VaInfo->BasicInfo.RegionSize;
  1894. }
  1895. else {
  1896. ReservedBytes += VaInfo->BasicInfo.RegionSize;
  1897. }
  1898. break;
  1899. case MEM_FREE :
  1900. if ( VaInfo->BasicInfo.Type == MEM_IMAGE ) {
  1901. ImageFreeBytes += VaInfo->BasicInfo.RegionSize;
  1902. }
  1903. else {
  1904. FreeBytes += VaInfo->BasicInfo.RegionSize;
  1905. }
  1906. break;
  1907. }
  1908. if ( LastAllocationBase ) {
  1909. //
  1910. // Normal case
  1911. //
  1912. //
  1913. // See if last one is 0, or if this one doesn't match the
  1914. // last one.
  1915. //
  1916. if ( LastAllocationBase->BasicInfo.AllocationBase == NULL ||
  1917. LastAllocationBase->BasicInfo.AllocationBase != VaInfo->BasicInfo.AllocationBase ) {
  1918. LastAllocationBase = VaInfo;
  1919. InsertTailList(&VaList,&VaInfo->Links);
  1920. InitializeListHead(&VaInfo->AllocationBaseHead);
  1921. }
  1922. else {
  1923. //
  1924. // Current Entry Matches
  1925. //
  1926. InsertTailList(&LastAllocationBase->AllocationBaseHead,&VaInfo->Links);
  1927. }
  1928. }
  1929. else {
  1930. LastAllocationBase = VaInfo;
  1931. InsertTailList(&VaList,&VaInfo->Links);
  1932. InitializeListHead(&VaInfo->AllocationBaseHead);
  1933. }
  1934. BaseAddress = (PVOID)((ULONG_PTR)BaseAddress + VaInfo->BasicInfo.RegionSize);
  1935. }
  1936. }
  1937. PSZ
  1938. MemProtect(
  1939. IN ULONG Protection
  1940. )
  1941. {
  1942. switch ( Protection ) {
  1943. case PAGE_NOACCESS:
  1944. return "No Access";
  1945. case PAGE_READONLY:
  1946. return "Read Only";
  1947. case PAGE_READWRITE:
  1948. return "Read/Write";
  1949. case PAGE_WRITECOPY:
  1950. return "Write Copy";
  1951. case PAGE_EXECUTE:
  1952. return "Execute";
  1953. case PAGE_EXECUTE_READ:
  1954. return "Execute Read";
  1955. case PAGE_EXECUTE_READWRITE:
  1956. return "Execute Read/Write";
  1957. case PAGE_EXECUTE_WRITECOPY:
  1958. return "Execute Write Copy";
  1959. default :
  1960. if ( Protection & PAGE_GUARD ) {
  1961. switch ( Protection & 0xff ) {
  1962. case PAGE_NOACCESS:
  1963. return "-- GUARD -- No Access";
  1964. case PAGE_READONLY:
  1965. return "-- GUARD -- Read Only";
  1966. case PAGE_READWRITE:
  1967. return "-- GUARD -- Read/Write";
  1968. case PAGE_WRITECOPY:
  1969. return "-- GUARD -- Write Copy";
  1970. case PAGE_EXECUTE:
  1971. return "-- GUARD -- Execute";
  1972. case PAGE_EXECUTE_READ:
  1973. return "-- GUARD -- Execute Read";
  1974. case PAGE_EXECUTE_READWRITE:
  1975. return "-- GUARD -- Execute Read/Write";
  1976. case PAGE_EXECUTE_WRITECOPY:
  1977. return "-- GUARD -- Execute Write Copy";
  1978. default:
  1979. return "-- GUARD -- Unknown";
  1980. }
  1981. }
  1982. return "Unknown";
  1983. }
  1984. }
  1985. PSZ
  1986. MemState(
  1987. IN ULONG State
  1988. )
  1989. {
  1990. switch ( State ) {
  1991. case MEM_COMMIT :
  1992. return "Committed";
  1993. case MEM_RESERVE :
  1994. return "Reserved";
  1995. case MEM_FREE :
  1996. return "Free";
  1997. default:
  1998. return "Unknown State";
  1999. }
  2000. }
  2001. PSZ
  2002. MemType(
  2003. IN ULONG Type
  2004. )
  2005. {
  2006. switch ( Type ) {
  2007. case MEM_PRIVATE :
  2008. return "Private";
  2009. case MEM_MAPPED :
  2010. return "Mapped";
  2011. case MEM_IMAGE :
  2012. return "Image";
  2013. default:
  2014. return "Unknown Type";
  2015. }
  2016. }
  2017. VOID
  2018. DumpVaSpace(
  2019. VOID
  2020. )
  2021. {
  2022. PLIST_ENTRY Next;
  2023. PVAINFO VaInfo;
  2024. ULONG_PTR VirtualSize;
  2025. Next = VaList.Flink;
  2026. while ( Next != &VaList) {
  2027. VaInfo = (PVAINFO)(CONTAINING_RECORD(Next,VAINFO,Links));
  2028. printf("\n");
  2029. if ( !IsListEmpty(&VaInfo->AllocationBaseHead) ) {
  2030. PLIST_ENTRY xNext;
  2031. PVAINFO xVaInfo;
  2032. VirtualSize = VaInfo->BasicInfo.RegionSize;
  2033. xNext = VaInfo->AllocationBaseHead.Flink;
  2034. while ( xNext != &VaInfo->AllocationBaseHead) {
  2035. xVaInfo = (PVAINFO)(CONTAINING_RECORD(xNext,VAINFO,Links));
  2036. VirtualSize += xVaInfo->BasicInfo.RegionSize;
  2037. xNext = xNext->Flink;
  2038. }
  2039. }
  2040. else {
  2041. VirtualSize = 0;
  2042. }
  2043. printf("Address: %p Size: %p",
  2044. VaInfo->BasicInfo.BaseAddress,
  2045. VaInfo->BasicInfo.RegionSize);
  2046. if ( VirtualSize ) {
  2047. printf(" RegionSize: %lx\n",VirtualSize);
  2048. }
  2049. else {
  2050. printf("\n");
  2051. }
  2052. printf(" State %s\n",MemState(VaInfo->BasicInfo.State));
  2053. if ( VaInfo->BasicInfo.State == MEM_COMMIT ) {
  2054. printf(" Protect %s\n",MemProtect(VaInfo->BasicInfo.Protect));
  2055. }
  2056. if ( VaInfo->BasicInfo.State == MEM_COMMIT ||
  2057. VaInfo->BasicInfo.State == MEM_RESERVE ) {
  2058. printf(" Type %s\n",MemType(VaInfo->BasicInfo.Type));
  2059. }
  2060. if ( Options & OPTIONS_VERBOSE ) {
  2061. if ( !IsListEmpty(&VaInfo->AllocationBaseHead) ) {
  2062. PLIST_ENTRY xNext;
  2063. PVAINFO xVaInfo;
  2064. xNext = VaInfo->AllocationBaseHead.Flink;
  2065. while ( xNext != &VaInfo->AllocationBaseHead) {
  2066. xVaInfo = (PVAINFO)(CONTAINING_RECORD(xNext,VAINFO,Links));
  2067. printf("\n");
  2068. printf(" Address: %p Size: %p\n",
  2069. xVaInfo->BasicInfo.BaseAddress,
  2070. xVaInfo->BasicInfo.RegionSize
  2071. );
  2072. printf(" RegionSize %p\n",xVaInfo->BasicInfo.RegionSize);
  2073. printf(" State %s\n",MemState(xVaInfo->BasicInfo.State));
  2074. if ( xVaInfo->BasicInfo.State == MEM_COMMIT ) {
  2075. printf(" Protect %s\n",MemProtect(xVaInfo->BasicInfo.Protect));
  2076. }
  2077. if ( xVaInfo->BasicInfo.State == MEM_COMMIT ||
  2078. xVaInfo->BasicInfo.State == MEM_RESERVE ) {
  2079. printf(" Type %s\n",MemType(xVaInfo->BasicInfo.Type));
  2080. }
  2081. xNext = xNext->Flink;
  2082. }
  2083. }
  2084. }
  2085. Next = Next->Flink;
  2086. }
  2087. }
  2088. int
  2089. __cdecl
  2090. main(
  2091. int argc,
  2092. char *argv[],
  2093. char *envp[]
  2094. )
  2095. {
  2096. HANDLE Process;
  2097. OBJECT_ATTRIBUTES Obja;
  2098. UNICODE_STRING Unicode;
  2099. NTSTATUS Status;
  2100. LPSTR lpstrCmd;
  2101. CHAR ch;
  2102. ULONG_PTR Temp;
  2103. VM_COUNTERS VmCounters;
  2104. LPSTR p;
  2105. SYSTEM_BASIC_INFORMATION SystemInformation;
  2106. BOOL bEnabledDebugPriv;
  2107. UNREFERENCED_PARAMETER (envp);
  2108. ExeName = argv[0];
  2109. if (argc == 1) {
  2110. Usage();
  2111. }
  2112. if (!NT_SUCCESS(NtQuerySystemInformation(SystemBasicInformation,
  2113. &SystemInformation,
  2114. sizeof(SystemInformation),
  2115. NULL))) {
  2116. fprintf(stderr, "Failed to get system basic information\n");
  2117. return 1;
  2118. }
  2119. PageSize = SystemInformation.PageSize;
  2120. if (!NT_SUCCESS(NtQuerySystemInformation(SystemRangeStartInformation,
  2121. &SystemRangeStart,
  2122. sizeof(SystemRangeStart),
  2123. NULL))) {
  2124. // assume usermode is the low half of the address space
  2125. SystemRangeStart = (ULONG_PTR)MAXLONG_PTR;
  2126. }
  2127. #if defined (_X86_)
  2128. PteWidth = 4;
  2129. PteBase = (PVOID)0xC0000000;
  2130. #else
  2131. PteWidth = 8;
  2132. PteBase = (PVOID)0x1FFFFF0000000000;
  2133. #endif
  2134. if ((USER_SHARED_DATA) && (USER_SHARED_DATA->ProcessorFeatures[PF_PAE_ENABLED])) {
  2135. PteWidth = 8;
  2136. }
  2137. PtesPerPage = PageSize / PteWidth;
  2138. VaMappedByPageTable = PtesPerPage * PageSize;
  2139. UserPteMax = (PVOID)((ULONG_PTR)PteBase + (SystemRangeStart / PageSize) * PteWidth);
  2140. ThisSymbol = (PIMAGEHLP_SYMBOL) symBuffer;
  2141. ThisSymbol->MaxNameLength = MAX_SYMNAME_SIZE;
  2142. ProcessId = 0;
  2143. GetSystemInfo(&SystemInfo);
  2144. ConvertAppToOem( argc, argv );
  2145. lpstrCmd = GetCommandLine();
  2146. if( lpstrCmd != NULL ) {
  2147. CharToOem( lpstrCmd, lpstrCmd );
  2148. }
  2149. do {
  2150. ch = *lpstrCmd++;
  2151. } while (ch != ' ' && ch != '\t' && ch != '\0');
  2152. while (ch == ' ' || ch == '\t') {
  2153. ch = *lpstrCmd++;
  2154. }
  2155. while (ch == '-') {
  2156. ch = *lpstrCmd++;
  2157. // process multiple switch characters as needed
  2158. do {
  2159. switch (ch) {
  2160. case '?':
  2161. Usage();
  2162. case 'C':
  2163. case 'c':
  2164. Options |= OPTIONS_CODE_TOO;
  2165. ch = *lpstrCmd++;
  2166. break;
  2167. case 'F':
  2168. case 'f':
  2169. fFast = TRUE;
  2170. ch = *lpstrCmd++;
  2171. break;
  2172. case 'L':
  2173. case 'l':
  2174. //
  2175. // l takes log-file-name as argument.
  2176. //
  2177. do
  2178. ch = *lpstrCmd++;
  2179. while (ch == ' ' || ch == '\t');
  2180. p = LogFileName;
  2181. while (ch && (ch != ' ' && ch != '\t')) {
  2182. *p++ = ch;
  2183. ch = *lpstrCmd++;
  2184. }
  2185. LogFile = fopen(LogFileName,"wt");
  2186. break;
  2187. case 'M':
  2188. case 'm':
  2189. Options |= OPTIONS_RAW_SYMBOLS;
  2190. ch = *lpstrCmd++;
  2191. break;
  2192. case 'P':
  2193. case 'p':
  2194. //
  2195. // pid takes a decimal argument.
  2196. //
  2197. do {
  2198. ch = *lpstrCmd++;
  2199. } while (ch == ' ' || ch == '\t');
  2200. if (ch == '-') {
  2201. ch = *lpstrCmd++;
  2202. if (ch == '1') {
  2203. ProcessId = 0xffffffff;
  2204. ch = *lpstrCmd++;
  2205. }
  2206. }
  2207. else {
  2208. while (ch >= '0' && ch <= '9') {
  2209. Temp = ProcessId * 10 + ch - '0';
  2210. if (Temp < ProcessId) {
  2211. fprintf(stderr, "pid number overflow\n");
  2212. ExitProcess(1);
  2213. }
  2214. ProcessId = Temp;
  2215. ch = *lpstrCmd++;
  2216. }
  2217. }
  2218. if (!ProcessId) {
  2219. fprintf(stderr, "bad pid '%ld'\n", ProcessId);
  2220. ExitProcess(1);
  2221. }
  2222. break;
  2223. case 'R':
  2224. case 'r':
  2225. fRunning = TRUE;
  2226. ch = *lpstrCmd++;
  2227. break;
  2228. case 'S':
  2229. case 's':
  2230. fSummary = TRUE;
  2231. ch = *lpstrCmd++;
  2232. break;
  2233. case 'T':
  2234. case 't':
  2235. Options |= OPTIONS_PAGE_TABLES;
  2236. ch = *lpstrCmd++;
  2237. break;
  2238. case 'O':
  2239. case 'o':
  2240. Options |= OPTIONS_WORKING_SET_OLD;
  2241. //
  2242. // Fall through ...
  2243. //
  2244. case 'W':
  2245. case 'w':
  2246. Options |= OPTIONS_WORKING_SET;
  2247. ch = *lpstrCmd++;
  2248. break;
  2249. case 'V':
  2250. case 'v':
  2251. Options |= OPTIONS_VERBOSE;
  2252. ch = *lpstrCmd++;
  2253. break;
  2254. default:
  2255. Usage();
  2256. }
  2257. } while (ch != ' ' && ch != '\t' && ch != '\0');
  2258. // skip over any following white space
  2259. while (ch == ' ' || ch == '\t') {
  2260. ch = *lpstrCmd++;
  2261. }
  2262. }
  2263. //
  2264. // try to enable SeDebugPrivilege to allow opening any process
  2265. //
  2266. bEnabledDebugPriv = TRUE;
  2267. if (!SetCurrentPrivilege(SE_DEBUG_NAME, &bEnabledDebugPriv)) {
  2268. fprintf(stderr, "Failed to set debug privilege\n");
  2269. return 1;
  2270. }
  2271. if ( ProcessId == 0 || ProcessId == 0xffffffff ) {
  2272. ProcessId = 0xffffffff;
  2273. RtlInitUnicodeString(&Unicode,L"\\WindowsSS");
  2274. InitializeObjectAttributes(
  2275. &Obja,
  2276. &Unicode,
  2277. 0,
  2278. NULL,
  2279. NULL
  2280. );
  2281. Status = NtOpenProcess(
  2282. &Process,
  2283. MAXIMUM_ALLOWED, //PROCESS_VM_READ | PROCESS_VM_OPERATION | PROCESS_SET_INFORMATION | PROCESS_QUERY_INFORMATION,
  2284. &Obja,
  2285. NULL
  2286. );
  2287. if ( !NT_SUCCESS(Status) ) {
  2288. fprintf(stderr, "OpenProcess Failed %lx\n",Status);
  2289. return 1;
  2290. }
  2291. }
  2292. else {
  2293. Process = OpenProcess (PROCESS_ALL_ACCESS,FALSE, (ULONG)ProcessId);
  2294. if ( !Process ) {
  2295. fprintf(stderr, "OpenProcess %ld failed %lx\n",ProcessId,GetLastError());
  2296. return 1;
  2297. }
  2298. }
  2299. if (Options & OPTIONS_WORKING_SET_OLD) {
  2300. CaptureWorkingSet (Process);
  2301. LoadTheHeaps (Process);
  2302. LoadTheThreads (Process, ProcessId);
  2303. }
  2304. ComputeModInfo (Process, ProcessId);
  2305. CaptureVaSpace (Process);
  2306. //
  2307. // disable the SeDebugPrivilege if we enabled it above
  2308. //
  2309. if(bEnabledDebugPriv) {
  2310. bEnabledDebugPriv = FALSE;
  2311. SetCurrentPrivilege (SE_DEBUG_NAME, &bEnabledDebugPriv);
  2312. }
  2313. if (Options & OPTIONS_WORKING_SET) {
  2314. if (Options & OPTIONS_WORKING_SET_OLD) {
  2315. DumpWorkingSetSnapshot (Process);
  2316. }
  2317. else {
  2318. DumpWorkingSet (Process);
  2319. }
  2320. return 1;
  2321. }
  2322. if ( !fSummary ) {
  2323. DumpVaSpace();
  2324. }
  2325. DumpCommit(" Image",ImageCommit);
  2326. DumpModInfo();
  2327. DumpCommit("Mapped",MappedCommit);
  2328. DumpCommit(" Priv",PrivateCommit);
  2329. printf("\n");
  2330. printf("Dynamic Reserved Memory %ld\n",
  2331. ReservedBytes
  2332. );
  2333. Status = NtQueryInformationProcess(
  2334. Process,
  2335. ProcessVmCounters,
  2336. (PVOID)&VmCounters,
  2337. sizeof(VmCounters),
  2338. NULL
  2339. );
  2340. if ( !NT_SUCCESS(Status) ) {
  2341. return 1;
  2342. }
  2343. printf("\n");
  2344. printf("PageFaults: %9ld\n",VmCounters.PageFaultCount);
  2345. printf("PeakWorkingSetSize %9ld\n",VmCounters.PeakWorkingSetSize);
  2346. printf("WorkingSetSize %9ld\n",VmCounters.WorkingSetSize);
  2347. printf("PeakPagedPoolUsage %9ld\n",VmCounters.QuotaPeakPagedPoolUsage);
  2348. printf("PagedPoolUsage %9ld\n",VmCounters.QuotaPagedPoolUsage);
  2349. printf("PeakNonPagedPoolUsage %9ld\n",VmCounters.QuotaPeakNonPagedPoolUsage);
  2350. printf("NonPagedPoolUsage %9ld\n",VmCounters.QuotaNonPagedPoolUsage);
  2351. printf("PagefileUsage %9ld\n",VmCounters.PagefileUsage);
  2352. printf("PeakPagefileUsage %9ld\n",VmCounters.PeakPagefileUsage);
  2353. return 0;
  2354. }
  2355. VOID
  2356. Usage (
  2357. VOID
  2358. )
  2359. {
  2360. fprintf(stderr, "Usage:\n"
  2361. " Dump the address space:\n"
  2362. " %s [-sv] -p decimal_process_id\n"
  2363. "\n"
  2364. " Dump the current workingset:\n"
  2365. " %s -o [-mpsv] [-l logfile] -p decimal_process_id\n"
  2366. "\n"
  2367. " Dump new additions to the workingset (Stop with ^C):\n"
  2368. " %s -w [-crv] [-l logfile] -p decimal_process_id\n"
  2369. "\n"
  2370. " -c Include code faults faulting PC summary\n"
  2371. " -m Show all code symbols on page\n"
  2372. " -o Workingset snapshot w/ summary\n"
  2373. " -r Print info on individual faults\n"
  2374. " -s Summary info only\n"
  2375. " -t Include pagetable info in summary\n"
  2376. " -w Track new working set additions\n"
  2377. " -v Verbose\n",
  2378. ExeName,
  2379. ExeName,
  2380. ExeName);
  2381. ExitProcess(1);
  2382. }
  2383. LOGICAL
  2384. SetCurrentPrivilege (
  2385. IN LPCTSTR Privilege, // Privilege to enable/disable
  2386. IN OUT BOOL *bEnablePrivilege // to enable or disable privilege
  2387. )
  2388. /*
  2389. If successful, *bEnablePrivlege is set to the new state.
  2390. If NOT successful, bEnablePrivlege is invalid
  2391. Returns:
  2392. TRUE - success
  2393. FALSE - failure
  2394. */
  2395. {
  2396. HANDLE hToken;
  2397. TOKEN_PRIVILEGES tp;
  2398. LUID luid;
  2399. TOKEN_PRIVILEGES tpPrevious;
  2400. DWORD cbPrevious = sizeof(TOKEN_PRIVILEGES);
  2401. LOGICAL bSuccess;
  2402. BOOL bEnableIt;
  2403. bEnableIt = *bEnablePrivilege;
  2404. if (!LookupPrivilegeValue(NULL, Privilege, &luid)) {
  2405. return FALSE;
  2406. }
  2407. if(!OpenProcessToken(
  2408. GetCurrentProcess(),
  2409. TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES,
  2410. &hToken
  2411. )) {
  2412. return FALSE;
  2413. }
  2414. //
  2415. // first pass. get current privilege setting
  2416. //
  2417. tp.PrivilegeCount = 1;
  2418. tp.Privileges[0].Luid = luid;
  2419. tp.Privileges[0].Attributes = 0;
  2420. AdjustTokenPrivileges(
  2421. hToken,
  2422. FALSE,
  2423. &tp,
  2424. sizeof(TOKEN_PRIVILEGES),
  2425. &tpPrevious,
  2426. &cbPrevious
  2427. );
  2428. bSuccess = FALSE;
  2429. if(GetLastError() == ERROR_SUCCESS) {
  2430. //
  2431. // second pass. set privilege based on previous setting
  2432. //
  2433. tpPrevious.PrivilegeCount = 1;
  2434. tpPrevious.Privileges[0].Luid = luid;
  2435. *bEnablePrivilege = tpPrevious.Privileges[0].Attributes | (SE_PRIVILEGE_ENABLED);
  2436. if(bEnableIt) {
  2437. tpPrevious.Privileges[0].Attributes |= (SE_PRIVILEGE_ENABLED);
  2438. }
  2439. else {
  2440. tpPrevious.Privileges[0].Attributes ^= (SE_PRIVILEGE_ENABLED &
  2441. tpPrevious.Privileges[0].Attributes);
  2442. }
  2443. AdjustTokenPrivileges(
  2444. hToken,
  2445. FALSE,
  2446. &tpPrevious,
  2447. cbPrevious,
  2448. NULL,
  2449. NULL
  2450. );
  2451. if (GetLastError() == ERROR_SUCCESS) {
  2452. bSuccess=TRUE;
  2453. }
  2454. }
  2455. CloseHandle(hToken);
  2456. return bSuccess;
  2457. }