Thursday, July 25, 2019

Identify process mode and check .NET process

1 Identify the mode of a process:

1.1 Identify the mode of one executable or DLL from its PE header (the "machine" field):
dumpbin /headers cv210.dll

1.2 Identify the modes of all processes on the current computer:

using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;

namespace WinProcessModeChecker {
    internal class Program {
        private static void Main() {
            if (Is64OsVersion()) {
                PrintProcessMode();
            } else {
                Console.WriteLine("Your OS version is not 64 bit!");
            }
                
            Console.ReadLine();
        }

        private static void PrintProcessMode() {
            foreach (var process in Process.GetProcesses()) {
                var isWow64Process = IsWow64Process(process);

                if (isWow64Process == null) {
                    Console.WriteLine(process.ProcessName + " is denied to access");
                } else if (isWow64Process == true) {
                    Console.WriteLine(process.ProcessName + " is 32-bit (wow mode)");
                } else {
                    Console.WriteLine(process.ProcessName + " is 64-bit");
                }
            }
        }

        /// <summary>
        /// Identify whether the OS version is 64 bit
        /// </summary>
        /// <returns></returns>
        private static bool Is64OsVersion() {
            if ((Environment.OSVersion.Version.Major > 5)
                || ((Environment.OSVersion.Version.Major == 5) && (Environment.OSVersion.Version.Minor >= 1))) {
                return true;
            }

            return false;
        }

        /// <summary>
        /// Identify whether the process is running in wow 64 mode 
        /// </summary>
        /// <remarks>
        /// WOW64 is the x86 emulator that allows 32-bit Windows-based applications to run seamlessly on 64-bit Windows
        /// </remarks>
        /// <param name="process"></param>
        /// <returns></returns>
        private static bool? IsWow64Process(Process process) {
            IntPtr processHandle;
            bool retVal;

            try {
                processHandle = Process.GetProcessById(process.Id).Handle;
            } catch {
                return null; // access is denied to the process
            }

            return NativeMethods.IsWow64Process(processHandle, out retVal) && retVal;
        }
    }

    internal static class NativeMethods {
        /// <summary>
        /// P/Invoke declaration for kernel32!IsWow64Process.
        /// </summary>
        /// <param name="process">Handle of the process to query.</param>
        /// <param name="wow64Process">Receives true when the process runs under WOW64 (a 32-bit process on 64-bit Windows).</param>
        /// <returns>
        /// true when the call succeeded; false on failure, in which case the Win32 error code is
        /// available through Marshal.GetLastWin32Error because SetLastError is set.
        /// </returns>
        [DllImport("kernel32.dll", SetLastError = true, CallingConvention = CallingConvention.Winapi)]
        [return : MarshalAs(UnmanagedType.Bool)]
        internal static extern bool IsWow64Process([In] IntPtr process, [Out] out bool wow64Process);
    }
}

2 Check for .NET processes:

2.1 A .NET application loads mscoree.dll, so the following code can be used:

  foreach (var process in Process.GetProcesses())
        {
            if (process.Modules.OfType<ProcessModule>().Any(m => m.ModuleName == "mscoree.dll"))
            {
                Console.WriteLine("{0} is a .NET process", process.ProcessName);
            }
        }
2.2 Process Explorer highlights .NET applications in yellow by default.
