/*
* returns a Python list representing the arguments for the process
* with given pid or NULL on error.
*/
PyObject *
psutil_get_arg_list(long pid)
{
int nArgs, i;
LPWSTR *szArglist = NULL;
HANDLE hProcess = NULL;
PVOID pebAddress;
PVOID rtlUserProcParamsAddress;
UNICODE_STRING commandLine;
WCHAR *commandLineContents = NULL;
PyObject *arg = NULL;
PyObject *arg_from_wchar = NULL;
PyObject *argList = NULL;
hProcess = psutil_handle_from_pid(pid);
if (hProcess == NULL) {
return NULL;
}
pebAddress = psutil_get_peb_address(hProcess);
// get the address of ProcessParameters
#ifdef _WIN64
if (!ReadProcessMemory(hProcess, (PCHAR)pebAddress + 32,
&rtlUserProcParamsAddress, sizeof(PVOID), NULL))
#else
if (!ReadProcessMemory(hProcess, (PCHAR)pebAddress + 0x10,
&rtlUserProcParamsAddress, sizeof(PVOID), NULL))
#endif
{
////printf("Could not read the address of ProcessParameters!\n");
PyErr_SetFromWindowsErr(0);
goto error;
}
// read the CommandLine UNICODE_STRING structure
#ifdef _WIN64
if (!ReadProcessMemory(hProcess, (PCHAR)rtlUserProcParamsAddress + 112,
&commandLine, sizeof(commandLine), NULL))
#else
if (!ReadProcessMemory(hProcess, (PCHAR)rtlUserProcParamsAddress + 0x40,
&commandLine, sizeof(commandLine), NULL))
#endif
{
PyErr_SetFromWindowsErr(0);
goto error;
}
// allocate memory to hold the command line
commandLineContents = (WCHAR *)malloc(commandLine.Length + 1);
if (commandLineContents == NULL) {
PyErr_NoMemory();
goto error;
}
// read the command line
if (!ReadProcessMemory(hProcess, commandLine.Buffer,
commandLineContents, commandLine.Length, NULL))
{
PyErr_SetFromWindowsErr(0);
goto error;
}
// Null-terminate the string to prevent wcslen from returning
// incorrect length the length specifier is in characters, but
// commandLine.Length is in bytes.
commandLineContents[(commandLine.Length / sizeof(WCHAR))] = '\0';
// attempt tp parse the command line using Win32 API, fall back
// on string cmdline version otherwise
szArglist = CommandLineToArgvW(commandLineContents, &nArgs);
if (NULL == szArglist) {
// failed to parse arglist
// encode as a UTF8 Python string object from WCHAR string
arg_from_wchar = PyUnicode_FromWideChar(commandLineContents,
commandLine.Length / 2);
if (arg_from_wchar == NULL)
goto error;
#if PY_MAJOR_VERSION >= 3
argList = Py_BuildValue("N", PyUnicode_AsUTF8String(arg_from_wchar));
#else
argList = Py_BuildValue("N", PyUnicode_FromObject(arg_from_wchar));
#endif
if (!argList)
goto error;
}
else {
// arglist parsed as array of UNICODE_STRING, so convert each to
// Python string object and add to arg list
argList = Py_BuildValue("[]");
if (argList == NULL)
goto error;
for (i = 0; i < nArgs; i++) {
arg_from_wchar = NULL;
arg = NULL;
arg_from_wchar = PyUnicode_FromWideChar(szArglist[i],
wcslen(szArglist[i]));
if (arg_from_wchar == NULL)
goto error;
#if PY_MAJOR_VERSION >= 3
arg = PyUnicode_FromObject(arg_from_wchar);
#else
arg = PyUnicode_AsUTF8String(arg_from_wchar);
#endif
if (arg == NULL)
goto error;
Py_XDECREF(arg_from_wchar);
if (PyList_Append(argList, arg))
goto error;
Py_XDECREF(arg);
}
}
if (szArglist != NULL)
LocalFree(szArglist);
free(commandLineContents);
CloseHandle(hProcess);
return argList;
error:
Py_XDECREF(arg);
Py_XDECREF(arg_from_wchar);
Py_XDECREF(argList);
if (hProcess != NULL)
CloseHandle(hProcess);
if (commandLineContents != NULL)
free(commandLineContents);
if (szArglist != NULL)
LocalFree(szArglist);
return NULL;
}
/* Get data from the process with the given pid. The data is returned in the
pdata output member as a nul terminated string which must be freed on
success.
On success 0 is returned. On error the output parameter is not touched, -1
is returned, and an appropriate Python exception is set. */
static int psutil_get_process_data(long pid,
enum psutil_process_data_kind kind,
WCHAR **pdata,
SIZE_T *psize) {
/* This function is quite complex because there are several cases to be
considered:
Two cases are really simple: we (i.e. the python interpreter) and the
target process are both 32 bit or both 64 bit. In that case the memory
layout of the structures matches up and all is well.
When we are 64 bit and the target process is 32 bit we need to use
custom 32 bit versions of the structures.
When we are 32 bit and the target process is 64 bit we need to use
custom 64 bit version of the structures. Also we need to use separate
Wow64 functions to get the information.
A few helper structs are defined above so that the compiler can handle
calculating the correct offsets.
Additional help also came from the following sources:
https://github.com/kohsuke/winp and
http://wj32.org/wp/2009/01/24/howto-get-the-command-line-of-processes/
http://stackoverflow.com/a/14012919
http://www.drdobbs.com/embracing-64-bit-windows/184401966
*/
static _NtQueryInformationProcess NtQueryInformationProcess = NULL;
#ifndef _WIN64
static _NtQueryInformationProcess NtWow64QueryInformationProcess64 = NULL;
static _NtWow64ReadVirtualMemory64 NtWow64ReadVirtualMemory64 = NULL;
#endif
HANDLE hProcess = NULL;
LPCVOID src;
SIZE_T size;
WCHAR *buffer = NULL;
#ifdef _WIN64
LPVOID ppeb32 = NULL;
#else
PVOID64 src64;
BOOL weAreWow64;
BOOL theyAreWow64;
#endif
hProcess = psutil_handle_from_pid(pid);
if (hProcess == NULL)
return -1;
if (NtQueryInformationProcess == NULL) {
NtQueryInformationProcess = (_NtQueryInformationProcess)GetProcAddress(
GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess");
}
#ifdef _WIN64
/* 64 bit case. Check if the target is a 32 bit process running in WoW64
* mode. */
if (!NT_SUCCESS(NtQueryInformationProcess(hProcess,
ProcessWow64Information,
&ppeb32,
sizeof(LPVOID),
NULL))) {
PyErr_SetFromWindowsErr(0);
goto error;
}
if (ppeb32 != NULL) {
/* We are 64 bit. Target process is 32 bit running in WoW64 mode. */
PEB32 peb32;
RTL_USER_PROCESS_PARAMETERS32 procParameters32;
// read PEB
if (!ReadProcessMemory(hProcess, ppeb32, &peb32, sizeof(peb32), NULL)) {
PyErr_SetFromWindowsErr(0);
goto error;
}
// read process parameters
if (!ReadProcessMemory(hProcess,
UlongToPtr(peb32.ProcessParameters),
&procParameters32,
sizeof(procParameters32),
NULL)) {
PyErr_SetFromWindowsErr(0);
goto error;
}
switch (kind) {
case KIND_CMDLINE:
src = UlongToPtr(procParameters32.CommandLine.Buffer),
size = procParameters32.CommandLine.Length;
break;
case KIND_CWD:
src = UlongToPtr(procParameters32.CurrentDirectoryPath.Buffer);
size = procParameters32.CurrentDirectoryPath.Length;
break;
case KIND_ENVIRON:
src = UlongToPtr(procParameters32.env);
break;
}
} else
#else
/* 32 bit case. Check if the target is also 32 bit. */
if (!IsWow64Process(GetCurrentProcess(), &weAreWow64) ||
!IsWow64Process(hProcess, &theyAreWow64)) {
PyErr_SetFromWindowsErr(0);
goto error;
}
if (weAreWow64 && !theyAreWow64) {
/* We are 32 bit running in WoW64 mode. Target process is 64 bit. */
PROCESS_BASIC_INFORMATION64 pbi64;
PEB64 peb64;
RTL_USER_PROCESS_PARAMETERS64 procParameters64;
if (NtWow64QueryInformationProcess64 == NULL) {
NtWow64QueryInformationProcess64 =
(_NtQueryInformationProcess)GetProcAddress(
GetModuleHandleA("ntdll.dll"),
"NtWow64QueryInformationProcess64");
if (NtWow64QueryInformationProcess64 == NULL) {
PyErr_SetString(PyExc_NotImplementedError,
"NtWow64QueryInformationProcess64 missing");
goto error;
}
}
if (!NT_SUCCESS(NtWow64QueryInformationProcess64(
hProcess,
ProcessBasicInformation,
&pbi64,
sizeof(pbi64),
NULL))) {
PyErr_SetFromWindowsErr(0);
goto error;
}
// read peb
if (NtWow64ReadVirtualMemory64 == NULL) {
NtWow64ReadVirtualMemory64 =
(_NtWow64ReadVirtualMemory64)GetProcAddress(
GetModuleHandleA("ntdll.dll"),
"NtWow64ReadVirtualMemory64");
if (NtWow64ReadVirtualMemory64 == NULL) {
PyErr_SetString(PyExc_NotImplementedError,
"NtWow64ReadVirtualMemory64 missing");
goto error;
}
}
if (!NT_SUCCESS(NtWow64ReadVirtualMemory64(hProcess,
pbi64.PebBaseAddress,
&peb64,
sizeof(peb64),
NULL))) {
PyErr_SetFromWindowsErr(0);
goto error;
}
// read process parameters
if (!NT_SUCCESS(NtWow64ReadVirtualMemory64(hProcess,
peb64.ProcessParameters,
&procParameters64,
sizeof(procParameters64),
NULL))) {
PyErr_SetFromWindowsErr(0);
goto error;
}
switch (kind) {
case KIND_CMDLINE:
src64 = procParameters64.CommandLine.Buffer;
size = procParameters64.CommandLine.Length;
break;
case KIND_CWD:
src64 = procParameters64.CurrentDirectoryPath.Buffer,
size = procParameters64.CurrentDirectoryPath.Length;
break;
case KIND_ENVIRON:
src64 = procParameters64.env;
break;
}
} else
#endif
/* Target process is of the same bitness as us. */
{
PROCESS_BASIC_INFORMATION pbi;
PEB_ peb;
RTL_USER_PROCESS_PARAMETERS_ procParameters;
if (!NT_SUCCESS(NtQueryInformationProcess(hProcess,
ProcessBasicInformation,
&pbi,
sizeof(pbi),
NULL))) {
PyErr_SetFromWindowsErr(0);
goto error;
}
// read peb
if (!ReadProcessMemory(hProcess,
pbi.PebBaseAddress,
&peb,
sizeof(peb),
NULL)) {
PyErr_SetFromWindowsErr(0);
goto error;
}
// read process parameters
if (!ReadProcessMemory(hProcess,
peb.ProcessParameters,
&procParameters,
sizeof(procParameters),
NULL)) {
PyErr_SetFromWindowsErr(0);
goto error;
}
switch (kind) {
case KIND_CMDLINE:
src = procParameters.CommandLine.Buffer;
size = procParameters.CommandLine.Length;
break;
case KIND_CWD:
src = procParameters.CurrentDirectoryPath.Buffer;
size = procParameters.CurrentDirectoryPath.Length;
break;
case KIND_ENVIRON:
src = procParameters.env;
break;
}
}
if (kind == KIND_ENVIRON) {
#ifndef _WIN64
if (weAreWow64 && !theyAreWow64) {
ULONG64 size64;
if (psutil_get_process_region_size64(hProcess, src64, &size64) != 0)
goto error;
size = (SIZE_T)size64;
}
else
#endif
if (psutil_get_process_region_size(hProcess, src, &size) != 0)
goto error;
}
buffer = calloc(size + 2, 1);
if (buffer == NULL) {
PyErr_NoMemory();
goto error;
}
#ifndef _WIN64
if (weAreWow64 && !theyAreWow64) {
if (!NT_SUCCESS(NtWow64ReadVirtualMemory64(hProcess,
src64,
buffer,
size,
NULL))) {
PyErr_SetFromWindowsErr(0);
goto error;
}
} else
#endif
if (!ReadProcessMemory(hProcess, src, buffer, size, NULL)) {
PyErr_SetFromWindowsErr(0);
goto error;
}
CloseHandle(hProcess);
*pdata = buffer;
*psize = size;
return 0;
error:
if (hProcess != NULL)
CloseHandle(hProcess);
if (buffer != NULL)
free(buffer);
return -1;
}