
Dumpid

This is a simple program I wrote because the Task Manager of Windows NT/2000 doesn't really do what I want, and I wanted to experiment a bit with PSAPI.DLL.

Download the dumpid.h and the dumpid.cpp files. If you don't have a compiler, drop me a note, and I'll see what I can do.

If you don't have the psapi.h and/or Psapi.Lib files, it won't compile. Download those, change the <psapi.h> include statement in dumpid.h to "psapi.h", and add Psapi.Lib to your project. Everything will be OK. Promise.

Quick index

Options
Option -
Option K
Option D
Option E
Option M
Option C
Option V
Option U
Option S
Bugs
ToDo
PSAPI
PSAPI - Functions
PSAPI - Data structures
Option A

Features

This program is mainly useful for retrieving some information about your system, for instance to see which DLLs a program has loaded. It is also an alternative to the many "ps & kill" programs you can download that don't come with their source code.

Features include:

Bugs

Currently the only bug I'm aware of is that the program prints no module information on the SYSTEM process. This is mainly because this process is a special case in the code and hence skipped.

There are a few problems however:

Options

If you run the program with an incorrect option, it displays the usage text:

Example:

Unknow option
Usage:
dumpid -> prints all the processes and ID's
dumpid <option> [num]
<option> effect
   k     kills the process [num]
   d     prints details on all the modules of the process [num]
   e     prints details of the process [num]
   m     prints all the modules used by the process [num]
   c     counts all modules (dlls) used by all the processes
   v     prints all the device drivers
   u     prints deatils on driver [num]
   s     prints details on all the modules used by myself

Basic

The command `dumpid' without options prints all the current processes and their IDs. This is similar to the *NIX command `ps'.

Example:

38 processes
----------------------------
Nr	PID	Name
0	0	(this is not a real process)
1	8	SYSTEM
2	160	smss.exe
4	204	winlogon.exe
5	232	services.exe
6	244	lsass.exe
7	408	svchost.exe
8	436	spoolsv.exe
9	488	svchost.exe
10	512	mgabg.exe
11	532	navapsvc.exe
12	580	npssvc.exe
13	608	regsvc.exe
14	632	MSTask.exe
15	668	WinMgmt.exe
16	708	mspmspsv.exe
17	720	inetinfo.exe
18	932	alertsvc.exe
19	1188	Explorer.exe
20	1048	PDesk.exe
21	1020	RealPlay.exe
22	1268	Winampa.exe
23	1252	navapw32.exe
24	1548	Icq.exe
25	1748	mozilla.exe
26	1644	UEDIT32.EXE
27	1276	OUTLOOK.EXE
28	1472	MAPISP32.EXE
29	840	WINWORD.EXE
30	1704	mmc.exe
31	1468	mdm.exe
32	1788	psm.exe
33	1752	IEXPLORE.EXE
34	1200	ntvdm.exe
35	680	mspaint.exe
36	1892	cmd.exe
37	1628	dumpid.exe

K [pid]

This tries to kill a process, much like the *NIX command `kill'. It is, however, not possible to kill every process. The NULL process (System Idle Process) cannot be killed, because it's not a real process. The SYSTEM process, and perhaps some others, can't be killed either.

Example:

Sending SIGABRT to the process with ID 1020
It's gone man...

Note: It doesn't actually send SIGABRT to the process. This was an earlier approach which didn't quite work, since Windows doesn't handle signals very well.

D [pid]

This option prints a list of all the modules used by a process along with their details (DLL base, Image size, Entrypoint).

Example:

Dumping module details of process 1548
Modules in process 1548: 84
-------------------------------
0	C:\Program Files\ICQ\Icq.exe
		DLL base: 00400000
		Image size: 28672 bytes
		Entrypoint: 00401EDC
1	C:\WINNT\System32\ntdll.dll
		DLL base: 77F80000
		Image size: 499712 bytes
		Entrypoint: 00000000
2	C:\Program Files\ICQ\ICQCore.dll
		DLL base: 21880000
		Image size: 2408448 bytes
		Entrypoint: 219AF663
3	C:\WINNT\system32\VERSION.dll
		DLL base: 77820000
		Image size: 28672 bytes
		Entrypoint: 77821114
4	C:\WINNT\system32\KERNEL32.DLL
		DLL base: 77E80000
		Image size: 741376 bytes
		Entrypoint: 77E83709
5	C:\WINNT\system32\LZ32.DLL
		DLL base: 759B0000
		Image size: 24576 bytes
		Entrypoint: 759B1A3F
6	C:\WINNT\system32\USER32.dll
		DLL base: 77E10000
		Image size: 409600 bytes
		Entrypoint: 77E249C5
7	C:\WINNT\system32\GDI32.DLL
		DLL base: 77F40000
		Image size: 245760 bytes
		Entrypoint: 00000000
...

Note: this may result in a rather large amount of data; you might want to redirect the output to a file.
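
An added example, not part of dumpid itself: the listing printed by the -d and -s options can be fed into further processing. The C below parses that text into the three MODULEINFO values per module and checks that every entry point lies inside its own image (a quick plausibility check on a module listing); the sample input is constructed from the example above plus one made-up record.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* One module as dumpid prints it: the three MODULEINFO fields plus the path. */
typedef struct { char name[260]; unsigned long base, size, entry; } module_rec;

/* Parses the text printed by -d and -s into records; lines that are neither "<nr>\t<path>"
 * nor one of the three indented detail lines (header, dashes, "...") are skipped. */
int parse_dump(const char *text, module_rec *recs, int max)
{
    int n = 0;
    const char *line = text, *p;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (*line >= '0' && *line <= '9' && (p = memchr(line, '\t', len))) {
            size_t nl = len - (size_t)(p + 1 - line);      /* path length after the tab */
            if (n == max) break;
            if (nl >= sizeof recs[n].name) nl = sizeof recs[n].name - 1;
            memcpy(recs[n].name, p + 1, nl);
            recs[n].name[nl] = '\0';
            recs[n].base = recs[n].size = recs[n].entry = 0;
            n++;
        } else if (n && (p = strstr(line, "DLL base:")) && p < line + len) {
            recs[n - 1].base = strtoul(p + 9, NULL, 16);    /* printed as hex */
        } else if (n && (p = strstr(line, "Image size:")) && p < line + len) {
            recs[n - 1].size = strtoul(p + 11, NULL, 10);   /* decimal bytes */
        } else if (n && (p = strstr(line, "Entrypoint:")) && p < line + len) {
            recs[n - 1].entry = strtoul(p + 11, NULL, 16);
        }
        line = eol ? eol + 1 : line + len;
    }
    return n;
}

/* Plausibility check: a module's entry point should lie inside its own image
 * [base, base+size); 0 means "no entry point" (see ntdll.dll above) and passes. */
int entry_in_image(const module_rec *m)
{
    return m->entry == 0 || (m->entry >= m->base && m->entry < m->base + m->size);
}

/* Constructed sample: records 0 and 1 copied from the -d example; record 2 is made up so its entry point is outside its image. */
static const char SAMPLE[] =
    "0\tC:\\Program Files\\ICQ\\Icq.exe\n\t\tDLL base: 00400000\n\t\tImage size: 28672 bytes\n\t\tEntrypoint: 00401EDC\n"
    "1\tC:\\WINNT\\System32\\ntdll.dll\n\t\tDLL base: 77F80000\n\t\tImage size: 499712 bytes\n\t\tEntrypoint: 00000000\n"
    "2\tC:\\constructed\\odd.dll\n\t\tDLL base: 10000000\n\t\tImage size: 4096 bytes\n\t\tEntrypoint: 77E83709\n";

int main(void)
{
    module_rec m[64]; int i, n = parse_dump(SAMPLE, m, 64);
    for (i = 0; i < n; i++) printf("%s %s\n", entry_in_image(&m[i]) ? "ok " : "ODD", m[i].name);
    return 0;
}
```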

E [pid]

This option prints extended information on a process.

Example:

Process: Icq.exe(1548)
Details:
Pagefaults:            101668 bytes
Peak Workingset size:  13627392 bytes
Workingset size:       9867264 bytes
Peak paged pool:       97712 bytes
Current paged pool:    81540 bytes
Peak nonpaged pool:    19492 bytes
Current nonpaged pool: 16848 bytes
Pagefile usage:        5345280 bytes
Peak pagefile usage:   5984256 bytes

M [pid]

This option prints all the modules used by a process.

Example:

Dumping modules of process 1548
Modules in process 1548: 84
-------------------------------
0	C:\Program Files\ICQ\Icq.exe
1	C:\WINNT\System32\ntdll.dll
2	C:\Program Files\ICQ\ICQCore.dll
3	C:\WINNT\system32\VERSION.dll
4	C:\WINNT\system32\KERNEL32.DLL
5	C:\WINNT\system32\LZ32.DLL
6	C:\WINNT\system32\USER32.dll
7	C:\WINNT\system32\GDI32.DLL
8	C:\WINNT\System32\WINMM.dll
9	C:\WINNT\system32\ADVAPI32.DLL
10	C:\WINNT\system32\RPCRT4.DLL
11	C:\Program Files\ICQ\ICQPlug.dll
12	C:\Program Files\ICQ\ICQCPRT.dll
13	C:\WINNT\system32\MSVCRT.dll
14	C:\Program Files\ICQ\ICQWCOM.dll
15	C:\WINNT\system32\ole32.dll
16	C:\WINNT\system32\OLEAUT32.dll
17	C:\Program Files\ICQ\ICQWUtl.dll
18	C:\Program Files\ICQ\ICQCUtl.dll
19	C:\Program Files\ICQ\ICQMUtl.dll
20	C:\WINNT\System32\MFC42.DLL
...

C

This option counts all the modules used by all the processes.

Example:

PID	#Modules	Name
----------------------------
8	38	SYSTEM
160	3	smss.exe
204	68	winlogon.exe
232	69	services.exe
244	59	lsass.exe
408	44	svchost.exe
436	55	spoolsv.exe
488	74	svchost.exe
512	7	mgabg.exe
532	32	navapsvc.exe
580	22	npssvc.exe
608	6	regsvc.exe
632	43	MSTask.exe
668	12	WinMgmt.exe
708	22	mspmspsv.exe
...

V

This option lists all the device drivers currently loaded.

Example:

99 device drivers found
0	ntoskrnl.exe
1	hal.dll
2	BOOTVID.DLL
3	ACPI.sys
4	WMILIB.SYS
5	pci.sys
6	isapnp.sys
7	intelide.sys
8	PCIIDEX.SYS
9	MountMgr.sys
10	ftdisk.sys
11	Diskperf.sys
12	dmload.sys
13	dmio.sys
14	PartMgr.sys
...

U [num]

This option prints some details on a specific device driver.

Example:

Driver:       cwcwdm.sys
File:         \SystemRoot\system32\drivers\cwcwdm.sys
Load address: BFC8C000

S

This option prints all the details of all the modules used by the program itself. This is because you can't assume the program will have the same PID as last time.

Example:

Dumping module details of process 472
Modules in process 472: 4
-------------------------------
0	C:\CHRIS\C\DUMPID\dumpid.exe
		DLL base: 00400000
		Image size: 110592 bytes
		Entrypoint: 004075DE
1	C:\WINNT\System32\ntdll.dll
		DLL base: 77F80000
		Image size: 499712 bytes
		Entrypoint: 00000000
2	C:\WINNT\system32\KERNEL32.dll
		DLL base: 77E80000
		Image size: 741376 bytes
		Entrypoint: 77E83709
3	C:\CHRIS\C\DUMPID\PSAPI.DLL
		DLL base: 690A0000
		Image size: 45056 bytes
		Entrypoint: 690A10BC

To Do

Things I'd like to add or improve include:

(Not necessarily in that order)

I may or may not include any of those things at some unspecified later date.

PSAPI

Almost all functionality comes from the functions in PSAPI.DLL. I would include the psapi.h file here somewhere, were it not that I'm not allowed to distribute it (it's © Microsoft).

Update: It still is, but it's all over the net... just look for the link somewhere at the top.

Data types

Microsoft name   What it really means
BOOL             int
DWORD            unsigned long
HANDLE           int
HMODULE          int
LPCVOID          const void*
LPDWORD          unsigned long*
LPTSTR           unsigned int*
UINT             unsigned int
VOID             void

Functions

HANDLE OpenProcess(
  DWORD dwDesiredAccess,  // access flag
  BOOL bInheritHandle,    // handle inheritance option
  DWORD dwProcessId       // process identifier
);

BOOL TerminateProcess(
  HANDLE hProcess, // handle to the process
  UINT uExitCode   // exit code for the process
);

DWORD FormatMessage(
  DWORD dwFlags,      // source and processing options
  LPCVOID lpSource,   // message source
  DWORD dwMessageId,  // message identifier
  DWORD dwLanguageId, // language identifier
  LPTSTR lpBuffer,    // message buffer
  DWORD nSize,        // maximum size of message buffer
  va_list *Arguments  // array of message inserts
);

DWORD GetLastError(VOID);

BOOL CloseHandle(
  HANDLE hObject   // handle to object
);

BOOL GetModuleInformation(
  HANDLE hProcess,         // handle to process
  HMODULE hModule,         // handle to module
  LPMODULEINFO lpmodinfo,  // information buffer
  DWORD cb                 // size of buffer
);

BOOL EnumProcessModules(
  HANDLE hProcess,      // handle to process
  HMODULE *lphModule,   // array of module handles
  DWORD cb,             // size of array
  LPDWORD lpcbNeeded    // number of bytes required
);

DWORD GetModuleFileNameEx(
  HANDLE hProcess,    // handle to process
  HMODULE hModule,    // handle to module
  LPTSTR lpFilename,  // path buffer
  DWORD nSize         // maximum characters to retrieve
);

DWORD GetModuleBaseName(
  HANDLE hProcess,    // handle to process
  HMODULE hModule,    // handle to module
  LPTSTR lpBaseName,  // base name buffer
  DWORD nSize         // maximum characters to retrieve
);

BOOL EnumProcesses(
  DWORD *lpidProcess,  // array of process identifiers
  DWORD cb,            // size of array
  DWORD *cbNeeded      // number of bytes returned
);

int _getpid( void );

BOOL EnumDeviceDrivers(
  LPVOID *lpImageBase,  // array of load addresses
  DWORD cb,             // size of array
  LPDWORD lpcbNeeded    // number of bytes returned
);

DWORD GetDeviceDriverBaseName(
  LPVOID ImageBase,  // driver load address
  LPTSTR lpBaseName, // driver base name buffer
  DWORD nSize        // size of buffer
);

DWORD GetDeviceDriverFileName(
  LPVOID ImageBase,  // driver load address
  LPTSTR lpFilename, // path buffer
  DWORD nSize        // size of buffer
);

BOOL GetProcessMemoryInfo(
  HANDLE Process,                          // handle to process
  PPROCESS_MEMORY_COUNTERS ppsmemCounters, // buffer
  DWORD cb                                 // size of buffer
);
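
An added example, not taken from dumpid's source: EnumProcesses and EnumProcessModules above both take a caller-supplied array plus its size in bytes and report how many bytes were needed, so a caller has to retry with a bigger array when the first one may have been too small. The loop below does that against a function pointer of that shape, so it builds without windows.h (BOOL and DWORD are defined as in the table above); fake_enum_processes is a constructed stand-in for EnumProcesses, and on Windows the real function would be passed instead.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Types as the page's data-type table gives them, so this builds without
 * windows.h; on Windows the real headers provide the same definitions. */
typedef int BOOL;
typedef unsigned long DWORD;
/* Shape shared by EnumProcesses and EnumProcessModules: fill 'out' with at most
 * 'cb' bytes and report in *needed the bytes written (or, for modules, required). */
typedef BOOL (*enum_fn)(DWORD *out, DWORD cb, DWORD *needed);

/* Retries fn with a growing buffer until the result provably fits. Returns the
 * number of DWORDs and hands the buffer to the caller (free() it), or -1. */
long enum_all(enum_fn fn, DWORD **out)
{
    DWORD cb = 4 * sizeof(DWORD);   /* deliberately tiny to force the retry path */
    for (;;) {
        DWORD needed = 0;
        DWORD *buf = malloc(cb);
        if (!buf) return -1;
        if (!fn(buf, cb, &needed)) { free(buf); return -1; }
        /* EnumProcesses never reports more than cb, so needed == cb may mean a
         * truncated list; only needed < cb proves the array was large enough. */
        if (needed < cb) { *out = buf; return (long)(needed / sizeof(DWORD)); }
        free(buf);
        cb = needed > cb ? needed + sizeof(DWORD) : cb * 2;
    }
}

/* Constructed stand-in for EnumProcesses (PIDs taken from the listing above):
 * like the real call it truncates to cb and reports only the bytes it wrote. */
static BOOL fake_enum_processes(DWORD *out, DWORD cb, DWORD *needed)
{
    static const DWORD pids[] = {0, 8, 160, 204, 232, 244, 408, 436, 488, 512, 532};
    DWORD fit = cb / sizeof(DWORD);
    if (fit > sizeof pids / sizeof pids[0]) fit = sizeof pids / sizeof pids[0];
    memcpy(out, pids, fit * sizeof(DWORD));
    *needed = fit * sizeof(DWORD);
    return 1;
}

int main(void)
{
    DWORD *pids = NULL;
    long n = enum_all(fake_enum_processes, &pids), i;
    for (i = 0; i < n; i++) printf("%ld\t%lu\n", i, pids[i]);
    free(pids);
    return n < 0;
}
```

A process list that silently stops at the first buffer size is a missed process rather than an error, which is why the loop treats needed == cb as "retry" instead of "done".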

Data structures

typedef struct _PROCESS_MEMORY_COUNTERS {
    DWORD cb;
    DWORD PageFaultCount;
    SIZE_T PeakWorkingSetSize;
    SIZE_T WorkingSetSize;
    SIZE_T QuotaPeakPagedPoolUsage;
    SIZE_T QuotaPagedPoolUsage;
    SIZE_T QuotaPeakNonPagedPoolUsage;
    SIZE_T QuotaNonPagedPoolUsage;
    SIZE_T PagefileUsage;
    SIZE_T PeakPagefileUsage;
} PROCESS_MEMORY_COUNTERS;
typedef PROCESS_MEMORY_COUNTERS *PPROCESS_MEMORY_COUNTERS;


typedef struct _MODULEINFO {
    LPVOID lpBaseOfDll;
    DWORD SizeOfImage;
    LPVOID EntryPoint;
} MODULEINFO, *LPMODULEINFO;

typedef struct _PSAPI_WS_WATCH_INFORMATION {
    LPVOID FaultingPc;
    LPVOID FaultingVa;
} PSAPI_WS_WATCH_INFORMATION, *PPSAPI_WS_WATCH_INFORMATION;

Option a

This option does not show up in the usage text mainly because I'm not finished with it yet. Also, this is a test to see if the output data can be used for further processing.

The `A' option prints the details of all the modules of all the processes as XML. This may result in a rather vast amount of data. On the system I'm typing this on it's around 278KB.

Example:

<?xml version="1.0" ?>
<processtree count="34">
	<process pid="160">
		<basename>smss.exe</basename>
		<modules count="3">
			<module>
				<name>\SystemRoot\System32\smss.exe</name>
				<dllbase>48580000</dllbase>
				<imagesize>57344</imagesize>
				<entrypoint>48589586</entrypoint>
			</module>
			<module>
				<name>C:\WINNT\System32\ntdll.dll</name>
				<dllbase>77F80000</dllbase>
				<imagesize>499712</imagesize>
				<entrypoint>00000000</entrypoint>
			</module>
			<module>
				<name>C:\WINNT\System32\sfcfiles.dll</name>
				<dllbase>68010000</dllbase>
				<imagesize>1007616</imagesize>
				<entrypoint>68011080</entrypoint>
			</module>
		</modules>
	</process>