ProcessHacker Study Notes
Process Hacker is an open-source Windows task manager. Studying its source teaches a lot about Windows system mechanisms in many areas, and about how performance statistics are designed and gathered.
1. Getting a process's memory usage
On every version of Windows the Task Manager shows a per-process memory figure, but what that figure measures depends on the version.
On XP and Server 2003 it is the process's working set, i.e. WorkingSetSize in the PROCESS_MEMORY_COUNTERS structure returned by GetProcessMemoryInfo.
On Vista and Windows 7 it is the private working set instead (the "Memory (Private Working Set)" column). That value is the WorkingSetPrivateSize field of SYSTEM_PROCESS_INFORMATION, but the structure is only partially documented (the SDK's winternl.h hides this field inside a Reserved block), so no public API hands it out directly. Process Hacker's approach is to define struct _SYSTEM_PROCESS_INFORMATION itself (the layout presumably obtained by reverse engineering or from other public sources):
typedef struct _SYSTEM_PROCESS_INFORMATION
{
ULONG NextEntryOffset;
ULONG NumberOfThreads;
LARGE_INTEGER WorkingSetPrivateSize; // since VISTA
ULONG HardFaultCount; // since WIN7
ULONG NumberOfThreadsHighWatermark; // since WIN7
ULONGLONG CycleTime; // since WIN7
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ImageName;
KPRIORITY BasePriority;
HANDLE UniqueProcessId;
HANDLE InheritedFromUniqueProcessId;
ULONG HandleCount;
ULONG SessionId;
ULONG_PTR UniqueProcessKey; // since VISTA (requires SystemExtendedProcessInformation)
SIZE_T PeakVirtualSize;
SIZE_T VirtualSize;
ULONG PageFaultCount;
SIZE_T PeakWorkingSetSize;
SIZE_T WorkingSetSize;
SIZE_T QuotaPeakPagedPoolUsage;
SIZE_T QuotaPagedPoolUsage;
SIZE_T QuotaPeakNonPagedPoolUsage;
SIZE_T QuotaNonPagedPoolUsage;
SIZE_T PagefileUsage;
SIZE_T PeakPagefileUsage;
SIZE_T PrivatePageCount;
LARGE_INTEGER ReadOperationCount;
LARGE_INTEGER WriteOperationCount;
LARGE_INTEGER OtherOperationCount;
LARGE_INTEGER ReadTransferCount;
LARGE_INTEGER WriteTransferCount;
LARGE_INTEGER OtherTransferCount;
SYSTEM_THREAD_INFORMATION Threads[1];
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;
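As an added example (my own code, not Process Hacker's): the structure above re-declared in fixed-width types, plus a bounds-checked walk of the NextEntryOffset chain that a buffer of these records has to be read with. The walk and the constructed two-record sample build anywhere; the main() under _WIN32 takes a live snapshot through NtQuerySystemInformation (information class 5, SystemProcessInformation) resolved from ntdll.dll and retries on STATUS_INFO_LENGTH_MISMATCH. The PH_* names, the 80-byte placeholder thread records and the PIDs and sizes in the sample are made up; the layout assumes 64-bit Windows.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Our own declaration of the SYSTEM_PROCESS_INFORMATION layout in fixed-width types so the walk
 * builds on and off Windows; offsets assume the 64-bit Windows layout (8-byte LARGE_INTEGER). */
typedef struct { uint16_t Length, MaximumLength; void *Buffer; } PH_UNICODE_STRING; /* UTF-16, no NUL */
typedef struct {
    uint32_t  NextEntryOffset, NumberOfThreads;
    int64_t   WorkingSetPrivateSize;              /* Vista+: Task Manager's "Private Working Set" */
    uint32_t  HardFaultCount, NumberOfThreadsHighWatermark;
    uint64_t  CycleTime;
    int64_t   CreateTime, UserTime, KernelTime;
    PH_UNICODE_STRING ImageName;
    int32_t   BasePriority;                       /* KPRIORITY is a 32-bit LONG; padded to 8 */
    void     *UniqueProcessId, *InheritedFromUniqueProcessId;
    uint32_t  HandleCount, SessionId;
    uintptr_t UniqueProcessKey;
    size_t    PeakVirtualSize, VirtualSize;
    uint32_t  PageFaultCount;
    size_t    PeakWorkingSetSize, WorkingSetSize; /* WorkingSetSize: what XP/2003 Task Manager shows */
    size_t    QuotaPeakPagedPoolUsage, QuotaPagedPoolUsage, QuotaPeakNonPagedPoolUsage, QuotaNonPagedPoolUsage;
    size_t    PagefileUsage, PeakPagefileUsage, PrivatePageCount;
    int64_t   ReadOperationCount, WriteOperationCount, OtherOperationCount;
    int64_t   ReadTransferCount, WriteTransferCount, OtherTransferCount;
} PH_PROCESS_ENTRY;                               /* SYSTEM_THREAD_INFORMATION Threads[] follows in the buffer */

typedef void (*PH_ENTRY_CALLBACK)(const PH_PROCESS_ENTRY *entry, void *ctx);

/* Follow the NextEntryOffset chain. Returns the number of records visited, or -1 for a malformed
 * buffer (a record that does not fit, or an offset that does not advance): never over-reads buf. */
int ph_walk_process_list(const uint8_t *buf, size_t len, PH_ENTRY_CALLBACK cb, void *ctx)
{
    size_t off = 0; int count = 0;
    for (;;) {
        PH_PROCESS_ENTRY e;
        if (len - off < sizeof e) return -1;          /* fixed part must fit */
        memcpy(&e, buf + off, sizeof e);              /* copy out: no unaligned access into buf */
        if (cb) cb(&e, ctx);
        count++;
        if (e.NextEntryOffset == 0) return count;     /* 0 marks the last record */
        if (e.NextEntryOffset < sizeof e || e.NextEntryOffset > len - off) return -1;
        off += e.NextEntryOffset;
    }
}

/* Callback capturing PID and private working set; used by the self-check. */
typedef struct { int n; uintptr_t pid[8]; int64_t private_ws[8]; } PH_COLLECT;
void ph_collect(const PH_PROCESS_ENTRY *e, void *ctx)
{
    PH_COLLECT *c = ctx;
    if (c->n < 8) { c->pid[c->n] = (uintptr_t)e->UniqueProcessId; c->private_ws[c->n++] = e->WorkingSetPrivateSize; }
}

/* Constructed sample (not a real snapshot): two records, the first trailed by three zero-filled
 * 80-byte placeholder thread records so that NextEntryOffset != sizeof(record). PIDs/sizes are made up. */
size_t ph_build_sample(uint8_t *buf, size_t cap)
{
    PH_PROCESS_ENTRY a = {0}, b = {0};
    a.NumberOfThreads = 3;  a.NextEntryOffset = (uint32_t)(sizeof a + 3 * 80);
    a.UniqueProcessId = (void *)(uintptr_t)4;     a.WorkingSetSize = 16u << 20;  a.WorkingSetPrivateSize = 6 << 20;
    b.NumberOfThreads = 1;  /* b.NextEntryOffset stays 0: last record */
    b.UniqueProcessId = (void *)(uintptr_t)1234;  b.WorkingSetSize = 48u << 20;  b.WorkingSetPrivateSize = 30 << 20;
    size_t total = a.NextEntryOffset + sizeof b;
    if (cap < total) return 0;
    memset(buf, 0, total);
    memcpy(buf, &a, sizeof a);
    memcpy(buf + a.NextEntryOffset, &b, sizeof b);
    return total;
}

#ifdef _WIN32   /* live snapshot: NtQuerySystemInformation(SystemProcessInformation) from ntdll.dll */
#include <windows.h>
typedef LONG (WINAPI *NtQuerySystemInformation_t)(ULONG, PVOID, ULONG, PULONG);
static void ph_print(const PH_PROCESS_ENTRY *e, void *ctx)   /* ImageName is UTF-16 without NUL */
{
    (void)ctx;
    printf("%6llu %10.1f MB %10.1f MB  %.*ls\n", (unsigned long long)(uintptr_t)e->UniqueProcessId,
           e->WorkingSetSize / 1048576.0, e->WorkingSetPrivateSize / 1048576.0,
           e->ImageName.Buffer ? e->ImageName.Length / 2 : 6,
           e->ImageName.Buffer ? (const wchar_t *)e->ImageName.Buffer : L"(idle)");
}
int main(void)
{
    NtQuerySystemInformation_t query = (NtQuerySystemInformation_t)
        GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtQuerySystemInformation");
    ULONG size = 0x10000, ret = 0; uint8_t *buf = NULL; LONG st;
    if (!query) return 1;
    do {                                              /* grow the buffer until the whole list fits */
        free(buf); buf = malloc(size);
        st = query(5 /* SystemProcessInformation */, buf, size, &ret);
        if (st == (LONG)0xC0000004L) size = ret + 0x4000;   /* STATUS_INFO_LENGTH_MISMATCH: retry with slack */
    } while (st == (LONG)0xC0000004L);
    if (st != 0) { fprintf(stderr, "NtQuerySystemInformation failed: 0x%08lX\n", (unsigned long)st); return 1; }
    printf("   PID   Working set     Private WS  Image\n");
    ph_walk_process_list(buf, ret ? ret : size, ph_print, NULL);
    free(buf);
    return 0;
}
#endif
```

The walker copies each record out of the buffer before touching it and rejects any NextEntryOffset that does not advance or that points past the end, which is what keeps a truncated snapshot (the process list can change between the sizing call and the real one) from turning into an out-of-bounds read.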
How this structure is used to obtain memory usage can be seen in Process Hacker's PhEnumProcesses function.
That function calls NtQuerySystemInformation with the SystemProcessInformation class, then walks the returned buffer as a chain of SYSTEM_PROCESS_INFORMATION records, following each record's NextEntryOffset (0 marks the last record), to obtain every process's information and memory usage.
For network connections Process Hacker resolves the iphlpapi.dll functions at run time rather than importing them statically, keeping the resolved pointers in statics:
static _GetExtendedTcpTable GetExtendedTcpTable_I;
static _GetExtendedUdpTable GetExtendedUdpTable_I;
Enumeration functions: the pointer types mirror the documented GetExtendedTcpTable and GetExtendedUdpTable signatures:
typedef DWORD (WINAPI *_GetExtendedTcpTable)(
__out_bcount_opt(*pdwSize) PVOID pTcpTable,
__inout PDWORD pdwSize,
__in BOOL bOrder,
__in ULONG ulAf,
__in TCP_TABLE_CLASS TableClass,
__in ULONG Reserved
);
typedef DWORD (WINAPI *_GetExtendedUdpTable)(
__out_bcount_opt(*pdwSize) PVOID pUdpTable,
__inout PDWORD pdwSize,
__in BOOL bOrder,
__in ULONG ulAf,
__in UDP_TABLE_CLASS TableClass,
__in ULONG Reserved
);
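An added example of what the GetExtendedTcpTable pointer above is used for (my own code, not Process Hacker's). The parser for the TCP_TABLE_OWNER_PID_ALL table (MIB_TCPTABLE_OWNER_PID: a DWORD row count followed by MIB_TCPROW_OWNER_PID rows) builds anywhere and runs over a constructed three-row sample; the main() under _WIN32 resolves GetExtendedTcpTable from iphlpapi.dll at run time, as the typedef intends, and prints the live table with owning PIDs. The names TCPROW_PID and tcp_* are my own, the addresses and PIDs in the sample are made up, and the byte-order helpers assume a little-endian host.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* MIB_TCPROW_OWNER_PID, the row type of the TCP_TABLE_OWNER_PID_* classes, in fixed-width types so the
 * parser builds anywhere. Addresses and ports are stored in network byte order (as in_addr / htons). */
typedef struct { uint32_t dwState, dwLocalAddr, dwLocalPort, dwRemoteAddr, dwRemotePort, dwOwningPid; } TCPROW_PID;
/* The table (MIB_TCPTABLE_OWNER_PID) is a DWORD dwNumEntries followed by that many rows. */

enum { TCP_CLOSED = 1, TCP_LISTEN, TCP_SYN_SENT, TCP_SYN_RCVD, TCP_ESTAB, TCP_FIN_WAIT1, TCP_FIN_WAIT2,
       TCP_CLOSE_WAIT, TCP_CLOSING, TCP_LAST_ACK, TCP_TIME_WAIT, TCP_DELETE_TCB };   /* MIB_TCP_STATE values */
static const char *const tcp_state_name[] = { "?", "CLOSED", "LISTEN", "SYN_SENT", "SYN_RCVD", "ESTABLISHED",
    "FIN_WAIT1", "FIN_WAIT2", "CLOSE_WAIT", "CLOSING", "LAST_ACK", "TIME_WAIT", "DELETE_TCB" };

/* dwLocalPort carries a 16-bit port in network byte order in its low two bytes; on a little-endian host
 * the port's high byte sits in the low byte of the DWORD, so ntohs() reduces to this swap. */
static uint16_t tcp_port(uint32_t dw) { return (uint16_t)(((dw & 0xff) << 8) | ((dw >> 8) & 0xff)); }

/* Render one row as "local -> remote STATE pid=N". Returns 0 for a state outside MIB_TCP_STATE so an
 * unexpected value can never index past the name table. */
int tcp_format_row(const TCPROW_PID *r, char *out, size_t cap)
{
    const uint8_t *l = (const uint8_t *)&r->dwLocalAddr, *m = (const uint8_t *)&r->dwRemoteAddr;
    if (r->dwState < TCP_CLOSED || r->dwState > TCP_DELETE_TCB) return 0;
    snprintf(out, cap, "%u.%u.%u.%u:%u -> %u.%u.%u.%u:%u %s pid=%u",
             l[0], l[1], l[2], l[3], tcp_port(r->dwLocalPort),
             m[0], m[1], m[2], m[3], tcp_port(r->dwRemotePort),
             tcp_state_name[r->dwState], r->dwOwningPid);
    return 1;
}

/* Bounds-checked row access: dwNumEntries is only trusted after it is checked against the buffer length. */
int tcp_get_row(const uint8_t *buf, size_t len, uint32_t i, TCPROW_PID *out)
{
    uint32_t n;
    if (len < sizeof n) return 0;
    memcpy(&n, buf, sizeof n);
    if (n > (len - sizeof n) / sizeof *out || i >= n) return 0;
    memcpy(out, buf + sizeof n + (size_t)i * sizeof *out, sizeof *out);
    return 1;
}

/* Count rows in one state (e.g. listeners); -1 if the header claims more rows than the buffer holds. */
int tcp_count_state(const uint8_t *buf, size_t len, uint32_t state)
{
    uint32_t n; TCPROW_PID r; int count = 0;
    if (len < sizeof n) return -1;
    memcpy(&n, buf, sizeof n);
    if (n > (len - sizeof n) / sizeof r) return -1;
    for (uint32_t i = 0; tcp_get_row(buf, len, i, &r); i++) if (r.dwState == state) count++;
    return count;
}

/* Helpers for building the constructed sample: network-order address/port as stored in a DWORD on x86. */
static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d) { return a | b << 8 | c << 16 | d << 24; }
static uint32_t nport(unsigned p) { return ((p & 0xff) << 8) | (p >> 8); }

/* Constructed sample table (not captured from a live system): a listener, an established connection
 * and a TIME_WAIT leftover; addresses and PIDs are made up. */
size_t tcp_build_sample(uint8_t *buf, size_t cap)
{
    TCPROW_PID rows[3] = {
        { TCP_LISTEN,    ip4(0, 0, 0, 0),      nport(445),   ip4(0, 0, 0, 0),       0,          4    },
        { TCP_ESTAB,     ip4(192, 168, 1, 10), nport(51234), ip4(93, 184, 216, 34), nport(443), 2040 },
        { TCP_TIME_WAIT, ip4(192, 168, 1, 10), nport(51200), ip4(93, 184, 216, 34), nport(443), 0    },
    };
    uint32_t n = 3;
    if (cap < sizeof n + sizeof rows) return 0;
    memcpy(buf, &n, sizeof n);
    memcpy(buf + sizeof n, rows, sizeof rows);
    return sizeof n + sizeof rows;
}

#ifdef _WIN32
#include <winsock2.h>
#include <windows.h>
#include <iphlpapi.h>
/* Same pointer type as Process Hacker's _GetExtendedTcpTable, resolved at run time from iphlpapi.dll. */
typedef DWORD (WINAPI *GetExtendedTcpTable_t)(PVOID, PDWORD, BOOL, ULONG, TCP_TABLE_CLASS, ULONG);
int main(void)
{
    HMODULE iphlp = LoadLibraryW(L"iphlpapi.dll");
    GetExtendedTcpTable_t fn = iphlp ? (GetExtendedTcpTable_t)GetProcAddress(iphlp, "GetExtendedTcpTable") : NULL;
    if (!fn) { fputs("GetExtendedTcpTable not available\n", stderr); return 1; }
    DWORD size = 0, rc; uint8_t *buf = NULL;
    do {                                   /* sizing call first; retry if the table grew in between */
        free(buf); buf = size ? malloc(size) : NULL;
        if (size && !buf) return 1;
        rc = fn(buf, &size, TRUE, AF_INET, TCP_TABLE_OWNER_PID_ALL, 0);
    } while (rc == ERROR_INSUFFICIENT_BUFFER);
    if (rc != NO_ERROR) { fprintf(stderr, "GetExtendedTcpTable: %lu\n", rc); free(buf); return 1; }
    TCPROW_PID r; char line[128];
    for (uint32_t i = 0; tcp_get_row(buf, size, i, &r); i++)
        if (tcp_format_row(&r, line, sizeof line)) puts(line);
    printf("%d listening sockets\n", tcp_count_state(buf, size, TCP_LISTEN));
    free(buf);
    return 0;
}
#endif
```

Two details worth keeping in mind when reading the real table: the port fields are DWORDs but hold a 16-bit port in network byte order (hence tcp_port), and the dwNumEntries header is taken from a buffer whose size was negotiated in a separate call, so it is checked against the buffer length before any row is read.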
Well, that is basically all of it. I spent half a day stepping through it, but the key points really come down to these few. As the saying goes, the great Way takes no more than a couple of sentences; once spoken, it isn't worth half a penny.
