views: 43
answers: 2
I couldn't find a suitable title for this. I'm going to express my query with examples.

Consider the following software:

  1. Process Explorer from Sysinternals (an advanced task manager)
  2. Resource Manager: resmon.exe (lists each and every fine detail about the resource usage of each process).

To me this software seems like a miracle. I wonder how it is even made. C'mon, how can a user process know such fine details about other processes? Who tells this software what processes are running and what resources are utilized? Which DLLs are used? etc.

Does the Windows operating system give this software that information? I mean through (obviously the lowest-level API) the WIN32API. Are there some functions which, on calling, return these values?

Abstractly, say:

  • GetAllRunningProcesses()
  • GetMemoryUsedByProcess(Process* proc)

etc.

Other similar applications are

  • Network packet capture software. How does it get information about all those packets? It clearly sits just in front of the NIC card. How is it possible?
  • Anti-virus: it scans memory for viruses, intercepts other processes, acts like a sandbox for the user application space. How? How??

If it's the WIN32API, I swear I'm going to master it.

I don't want to create a multi-threaded application; I want to get information about other multithreaded applications. I don't want to create a program which communicates using sockets; I want to learn how to capture all communication packets.

I actually want to work at a lower level, but I don't know what I should learn. Please guide me in the proper direction.

+1  A: 

This is really a pretty open-ended question. For things like a list of running processes, look up "PSAPI" or "Toolhelp32". For memory information about a particular process, you can use VirtualQuery.

Capturing network packets is normally done by installing a device driver. If you look, you should be able to find a fair amount about how to write device drivers, though don't expect to create wonders overnight, and do expect to crash your machine a few times in the process (device drivers run in kernel mode, so it's easy for a mistake to crash the machine hard).

I can't say as much with any certainty about anti-virus, because I've never tried to write one. My immediate guess would be that their primary technique is API hooking. There's probably more to it than that, but offhand I've never spent enough time looking at them to know what.

Jerry Coffin
Definitely open-ended; sometimes it's hard to know where to start, though. You can't Google if you don't know the right words.
Vertis
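To make the names in the answer above concrete, here is an added example (not code from the answer, from Sysinternals, or from the original post) that calls exactly those Win32 APIs through PowerShell's Add-Type P/Invoke: Toolhelp32 (CreateToolhelp32Snapshot / Process32First / Process32Next) to list processes, PSAPI (GetProcessMemoryInfo) for the kernel's per-process memory counters, and VirtualQueryEx to walk another process's address space region by region. It assumes 64-bit Windows and PowerShell 5.1 or later; the struct layouts are transcribed from the SDK headers, and the function names and output fields are mine.

```powershell
# Added example, not from the original post: list processes with Toolhelp32 and
# read per-process memory figures with PSAPI and VirtualQueryEx.
# Assumes 64-bit Windows, PowerShell 5.1+; struct layouts match the Win32 SDK headers.
$win32 = @"
using System;
using System.Runtime.InteropServices;
public static class Win32 {
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct PROCESSENTRY32W {
        public uint dwSize, cntUsage, th32ProcessID;
        public IntPtr th32DefaultHeapID;                 // ULONG_PTR in the SDK
        public uint th32ModuleID, cntThreads, th32ParentProcessID;
        public int pcPriClassBase;
        public uint dwFlags;
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 260)] public string szExeFile;
    }
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_MEMORY_COUNTERS {
        public uint cb, PageFaultCount;
        public UIntPtr PeakWorkingSetSize, WorkingSetSize, QuotaPeakPagedPoolUsage, QuotaPagedPoolUsage,
                       QuotaPeakNonPagedPoolUsage, QuotaNonPagedPoolUsage, PagefileUsage, PeakPagefileUsage;
    }
    [StructLayout(LayoutKind.Sequential)]
    public struct MEMORY_BASIC_INFORMATION {
        public IntPtr BaseAddress, AllocationBase;
        public uint AllocationProtect;
        public UIntPtr RegionSize;
        public uint State, Protect, Type;
    }
    public const uint TH32CS_SNAPPROCESS = 0x2, PROCESS_QUERY_INFORMATION = 0x400, PROCESS_VM_READ = 0x10, MEM_COMMIT = 0x1000;
    [DllImport("kernel32.dll", SetLastError = true)] public static extern IntPtr CreateToolhelp32Snapshot(uint dwFlags, uint th32ProcessID);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool Process32FirstW(IntPtr hSnapshot, ref PROCESSENTRY32W lppe);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool Process32NextW(IntPtr hSnapshot, ref PROCESSENTRY32W lppe);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool CloseHandle(IntPtr hObject);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern UIntPtr VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress, out MEMORY_BASIC_INFORMATION lpBuffer, UIntPtr dwLength);
    [DllImport("psapi.dll", SetLastError = true)]    public static extern bool GetProcessMemoryInfo(IntPtr hProcess, out PROCESS_MEMORY_COUNTERS ppsmemCounters, uint cb);
}
"@
Add-Type -TypeDefinition $win32

function Get-ProcessList {
    # Toolhelp32: the kernel hands back a snapshot of the process list; walk it entry by entry.
    $snap = [Win32]::CreateToolhelp32Snapshot([Win32]::TH32CS_SNAPPROCESS, 0)
    if ($snap -eq [IntPtr]::new(-1)) { throw "CreateToolhelp32Snapshot failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
    try {
        $pe = New-Object Win32+PROCESSENTRY32W
        # dwSize must be filled in first, otherwise the call fails with ERROR_INVALID_PARAMETER
        $pe.dwSize = [Runtime.InteropServices.Marshal]::SizeOf([type][Win32+PROCESSENTRY32W])
        $more = [Win32]::Process32FirstW($snap, [ref]$pe)
        while ($more) {
            [pscustomobject]@{ Pid = $pe.th32ProcessID; ParentPid = $pe.th32ParentProcessID; Threads = $pe.cntThreads; Name = $pe.szExeFile }
            $more = [Win32]::Process32NextW($snap, [ref]$pe)
        }
    } finally { [void][Win32]::CloseHandle($snap) }
}

function Get-ProcessMemoryUsage([uint32]$ProcessId) {
    # The access check lives here: OpenProcess returns NULL with error 5 (ACCESS_DENIED) for
    # protected processes or other users' processes unless the caller holds SeDebugPrivilege.
    $h = [Win32]::OpenProcess([Win32]::PROCESS_QUERY_INFORMATION -bor [Win32]::PROCESS_VM_READ, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { throw "OpenProcess($ProcessId) failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
    try {
        # PSAPI: counters the memory manager already keeps for the process.
        $pmc = New-Object Win32+PROCESS_MEMORY_COUNTERS
        $cb  = [Runtime.InteropServices.Marshal]::SizeOf([type][Win32+PROCESS_MEMORY_COUNTERS])
        if (-not [Win32]::GetProcessMemoryInfo($h, [ref]$pmc, $cb)) { throw "GetProcessMemoryInfo failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
        # VirtualQueryEx: step through the target's address space one region at a time and add up what is committed.
        $mbi     = New-Object Win32+MEMORY_BASIC_INFORMATION
        $mbiSize = [UIntPtr]::new([uint64][Runtime.InteropServices.Marshal]::SizeOf([type][Win32+MEMORY_BASIC_INFORMATION]))
        $addr = [IntPtr]::Zero; $regions = 0; $committed = [int64]0
        while ([Win32]::VirtualQueryEx($h, $addr, [ref]$mbi, $mbiSize).ToUInt64() -ne 0) {
            $regions++
            if ($mbi.State -eq [Win32]::MEM_COMMIT) { $committed += [int64]$mbi.RegionSize.ToUInt64() }
            $next = $mbi.BaseAddress.ToInt64() + [int64]$mbi.RegionSize.ToUInt64()
            if ($next -le $addr.ToInt64()) { break }      # no forward progress: stop rather than spin
            $addr = [IntPtr]::new($next)                  # the loop ends when the query runs past the user-mode range
        }
        [pscustomobject]@{
            Pid          = $ProcessId
            WorkingSetKB = [int64]($pmc.WorkingSetSize.ToUInt64() / 1KB)
            PrivateKB    = [int64]($pmc.PagefileUsage.ToUInt64() / 1KB)
            CommittedKB  = [int64]($committed / 1KB)
            Regions      = $regions
        }
    } finally { [void][Win32]::CloseHandle($h) }
}

Get-ProcessList | Sort-Object Pid | Format-Table -AutoSize
Get-ProcessMemoryUsage -ProcessId $PID    # this PowerShell host; try another PID to see the access check bite
```

The point worth taking from this is that none of it is magic: the kernel keeps the process list and the memory counters and exposes them through documented calls, and the only thing standing between your process and someone else's is the access check in OpenProcess. Tools like Process Explorer run elevated and enable SeDebugPrivilege precisely so that check succeeds for more targets; it still fails for protected processes, which is by design.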
+1  A: 

Mark Russinovich's classic, Windows Internals, is the go-to book if you want to get deep in this kind of stuff. I notice that the just-released 5th edition includes Vista. Here's a sample chapter to peek at.

If you like Process Explorer, this is the guy who wrote that, and there are lots of examples using it in the book.

Plus, at 1232 hardcover pages, you can use it to press your clothes.

Michael Petrotta