Add GetProcessesWithCurrentDirectory()

Author: KirillOsenkov

LockCheck/Windows/NativeMethods.cs

@@ -1,6 +1,7 @@
 using System;
 using System.IO;
 using System.Runtime.InteropServices;
+using System.Runtime.Versioning;
 using System.Security.Principal;
 using System.Text;
 using Microsoft.Win32.SafeHandles;
@@ -10,6 +11,10 @@ namespace LockCheck.Windows
     internal static class NativeMethods
     {
         private const string NtDll = "ntdll.dll";
+        private const string RestartManagerDll = "rstrtmgr.dll";
+        private const string AdvApi32Dll = "advapi32.dll";
+        private const string KernelDll = "kernel32.dll";
+        private const string PsApiDll = "psapi.dll";
 
         [StructLayout(LayoutKind.Sequential, Pack = 0)]
         internal struct IO_STATUS_BLOCK
@@ -34,17 +39,31 @@ internal static extern uint NtQueryInformationFile(SafeFileHandle fileHandle, re
         [DllImport(NtDll)]
         internal static extern int RtlNtStatusToDosError(uint status);
 
+        [DllImport(NtDll)]
+        internal static extern int NtQueryInformationProcess(SafeProcessHandle ProcessHandle, int ProcessInformationClass, ref PROCESS_BASIC_INFORMATION ProcessInformation, int ProcessInformationLength, IntPtr ReturnLength);
+
+        [DllImport(NtDll)]
+        internal static extern int NtQueryInformationProcess(SafeProcessHandle ProcessHandle, int ProcessInformationClass, ref IntPtr ProcessInformation, int ProcessInformationLength, IntPtr ReturnLength);
+
+        [DllImport(NtDll)]
+        internal static extern int NtWow64QueryInformationProcess64(SafeProcessHandle ProcessHandle, int ProcessInformationClass, ref PROCESS_BASIC_INFORMATION_WOW64 ProcessInformation, int ProcessInformationLength, IntPtr ReturnLength);
+
+        [DllImport(NtDll)]
+        internal static extern int NtWow64ReadVirtualMemory64(SafeProcessHandle hProcess, long lpBaseAddress, ref long lpBuffer, long dwSize, IntPtr lpNumberOfBytesRead);
+
+        [DllImport(NtDll)]
+        internal static extern int NtWow64ReadVirtualMemory64(SafeProcessHandle hProcess, long lpBaseAddress, ref UNICODE_STRING_WOW64 lpBuffer, long dwSize, IntPtr lpNumberOfBytesRead);
+
+        [DllImport(NtDll)]
+        internal static extern int NtWow64ReadVirtualMemory64(SafeProcessHandle hProcess, long lpBaseAddress, [MarshalAs(UnmanagedType.LPWStr)] string lpBuffer, long dwSize, IntPtr lpNumberOfBytesRead);
+
         internal const int ERROR_MR_MID_NOT_FOUND = 317;
 
         internal const uint STATUS_SUCCESS = 0;
         internal const uint STATUS_INFO_LENGTH_MISMATCH = 0xC0000004;
 
         // ----------------------------------------------------------------------------------------------
 
-        private const string RestartManagerDll = "rstrtmgr.dll";
-        private const string AdvApi32Dll = "advapi32.dll";
-        private const string KernelDll = "kernel32.dll";
-
         [DllImport(RestartManagerDll, CharSet = CharSet.Unicode)]
         internal static extern int RmRegisterResources(uint pSessionHandle,
             uint nFiles,
@@ -174,7 +193,7 @@ internal static extern bool OpenProcessToken(SafeProcessHandle processHandle,
         internal const int PROCESS_VM_WRITE = 0x20;
 
         [DllImport(KernelDll, SetLastError = true)]
-        private static extern SafeProcessHandle OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
+        internal static extern SafeProcessHandle OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
 
         internal static SafeProcessHandle OpenProcessLimited(int pid)
         {
@@ -211,6 +230,22 @@ internal static DateTime GetProcessStartTime(SafeProcessHandle handle)
         [DllImport(KernelDll, SetLastError = true)]
         private static extern bool ProcessIdToSessionId(int dwProcessId, out int sessionId);
 
+        [DllImport(KernelDll, SetLastError = true)]
+        internal static extern bool ReadProcessMemory(SafeProcessHandle hProcess, IntPtr lpBaseAddress, ref IntPtr lpBuffer, IntPtr dwSize, IntPtr lpNumberOfBytesRead);
+
+        [DllImport(KernelDll, SetLastError = true)]
+        internal static extern bool ReadProcessMemory(SafeProcessHandle hProcess, IntPtr lpBaseAddress, ref UNICODE_STRING lpBuffer, IntPtr dwSize, IntPtr lpNumberOfBytesRead);
+
+        [DllImport(KernelDll, SetLastError = true)]
+        internal static extern bool ReadProcessMemory(SafeProcessHandle hProcess, IntPtr lpBaseAddress, ref UNICODE_STRING_32 lpBuffer, IntPtr dwSize, IntPtr lpNumberOfBytesRead);
+
+        [DllImport(KernelDll, SetLastError = true)]
+        internal static extern bool ReadProcessMemory(SafeProcessHandle hProcess, IntPtr lpBaseAddress, [MarshalAs(UnmanagedType.LPWStr)] string lpBuffer, IntPtr dwSize, IntPtr lpNumberOfBytesRead);
+
+        [DllImport(KernelDll, SetLastError = true, CallingConvention = CallingConvention.Winapi)]
+        [return: MarshalAs(UnmanagedType.Bool)]
+        internal static extern bool IsWow64Process([In] SafeProcessHandle processHandle, [Out, MarshalAs(UnmanagedType.Bool)] out bool wow64Process);
+
         internal static int GetProcessSessionId(int dwProcessId)
         {
             if (ProcessIdToSessionId(dwProcessId, out int sessionId))
@@ -308,5 +343,111 @@ internal static SafeFileHandle GetFileHandle(string name)
                 (int)FileAttributes.Normal,
                 IntPtr.Zero);
         }
+
+        [DllImport(PsApiDll, CharSet = CharSet.Auto, SetLastError = true)]
+        [ResourceExposure(ResourceScope.Machine)]
+        public static extern bool EnumProcesses(int[] processIds, int size, out int needed);
+
+        internal static int[] GetProcessIds()
+        {
+            int[] processIds = new int[256];
+            int size;
+
+            for (; ; )
+            {
+                if (!EnumProcesses(processIds, processIds.Length * 4, out size))
+                {
+                    return Array.Empty<int>();
+                }
+
+                if (size == processIds.Length * 4)
+                {
+                    processIds = new int[processIds.Length * 2];
+                    continue;
+                }
+
+                break;
+            }
+
+            int[] ids = new int[size / 4];
+            Array.Copy(processIds, ids, ids.Length);
+
+            return ids;
+        }
+
+        [StructLayout(LayoutKind.Sequential)]
+        internal struct UNICODE_STRING_32
+        {
+            public short Length;
+            public short MaximumLength;
+            public int Buffer;
+        }
+
+        [StructLayout(LayoutKind.Sequential)]
+        internal struct UNICODE_STRING
+        {
+            public short Length;
+            public short MaximumLength;
+            public IntPtr Buffer;
+        }
+
+        // for 32-bit process
+        [StructLayout(LayoutKind.Sequential)]
+        internal struct UNICODE_STRING_WOW64
+        {
+            public short Length;
+            public short MaximumLength;
+            public long Buffer;
+        }
+
+        internal enum PROCESSINFOCLASS : int
+        {
+            ProcessBasicInformation = 0, // 0, q: PROCESS_BASIC_INFORMATION, PROCESS_EXTENDED_BASIC_INFORMATION
+            ProcessWow64Information = 26, // q: ULONG_PTR
+        }
+
+        [StructLayout(LayoutKind.Sequential)]
+        internal struct PROCESS_BASIC_INFORMATION
+        {
+            public IntPtr Reserved1;
+            public IntPtr PebBaseAddress;
+            public IntPtr Reserved2_0;
+            public IntPtr Reserved2_1;
+            public IntPtr UniqueProcessId;
+            public IntPtr Reserved3;
+        }
+
+        // for 32-bit process in a 64-bit OS only
+        [StructLayout(LayoutKind.Sequential)]
+        internal struct PROCESS_BASIC_INFORMATION_WOW64
+        {
+            public long Reserved1;
+            public long PebBaseAddress;
+            public long Reserved2_0;
+            public long Reserved2_1;
+            public long UniqueProcessId;
+            public long Reserved3;
+        }
+
+        internal static bool GetProcessIsWow64(SafeProcessHandle hProcess)
+        {
+            if ((OSVersion.Major == 5 && OSVersion.Minor >= 1) || OSVersion.Major >= 6)
+            {
+                if (!IsWow64Process(hProcess, out bool retVal))
+                {
+                    return false;
+                }
+
+                return retVal;
+            }
+            else
+            {
+                return false;
+            }
+        }
+
+        internal static readonly Version OSVersion = Environment.OSVersion.Version;
+        internal static readonly bool Is64BitOperatingSystem = Environment.Is64BitOperatingSystem;
+        internal static readonly bool IsCurrentProcessWOW64 = Environment.Is64BitOperatingSystem && !Environment.Is64BitProcess;
     }
 }

LockCheck/Windows/NtDll.cs

@@ -2,6 +2,7 @@
 using System.Collections.Generic;
 using System.ComponentModel;
 using System.Runtime.InteropServices;
+using static LockCheck.Windows.NativeMethods;
 
 namespace LockCheck.Windows
 {
@@ -99,6 +100,175 @@ private static Exception GetException(uint status, string apiName, string messag
 
             return new NtException(res, status, $"{message} ({apiName}() status {status} (0x{status:8X})");
         }
+
+        /// <summary>
+        /// Gets the processes for which the current directory is the given directory, or a[n indirect] parent directory.
+        /// If the resulting list is not empty, the given directory cannot be deleted, as it is locked by the processes
+        /// returned.
+        /// </summary>
+        public static IEnumerable<int> GetProcessesWithCurrentDirectory(string directory)
+        {
+            if (string.IsNullOrWhiteSpace(directory))
+            {
+                return Array.Empty<int>();
+            }
+
+            var list = new List<int>();
+
+            var processes = GetProcessIds();
+            foreach (var id in processes)
+            {
+                string currentDirectory = GetCurrentDirectory(id);
+                if (currentDirectory != null && currentDirectory.StartsWith(directory, StringComparison.OrdinalIgnoreCase))
+                {
+                    list.Add(id);
+                }
+            }
+
+            return list;
+        }
+
+        public static string GetCurrentDirectory(int processId)
+        {
+            try
+            {
+                return GetProcessParametersString(processId);
+            }
+            catch
+            {
+                return null;
+            }
+        }
+
+        private static string GetProcessParametersString(int processId)
+        {
+            using var handle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, bInheritHandle: false, processId);
+            if (handle.IsInvalid)
+            {
+                return null;
+            }
+
+            bool IsTargetWow64Process = GetProcessIsWow64(handle);
+            bool IsTarget64BitProcess = Is64BitOperatingSystem && !IsTargetWow64Process;
+
+            long offset = IsTarget64BitProcess ? 0x38 : 0x24;
+            long processParametersOffset = IsTarget64BitProcess ? 0x20 : 0x10;
+
+            long pebAddress = 0;
+            if (IsTargetWow64Process) // OS: 64Bit, Current: 32 or 64, Target: 32bit
+            {
+                IntPtr peb32 = new IntPtr();
+
+                int hr = NtQueryInformationProcess(handle, (int)PROCESSINFOCLASS.ProcessWow64Information, ref peb32, IntPtr.Size, IntPtr.Zero);
+                if (hr != 0)
+                {
+                    return null;
+                }
+
+                pebAddress = peb32.ToInt64();
+
+                IntPtr pp = new IntPtr();
+                if (!ReadProcessMemory(handle, new IntPtr(pebAddress + processParametersOffset), ref pp, new IntPtr(Marshal.SizeOf(pp)), IntPtr.Zero))
+                {
+                    return null;
+                }
+
+                UNICODE_STRING_32 us = new UNICODE_STRING_32();
+                if (!ReadProcessMemory(handle, new IntPtr(pp.ToInt64() + offset), ref us, new IntPtr(Marshal.SizeOf(us)), IntPtr.Zero))
+                {
+                    return null;
+                }
+
+                if ((us.Buffer == 0) || (us.Length == 0))
+                {
+                    return null;
+                }
+
+                string s = new string('\0', us.Length / 2);
+                if (!ReadProcessMemory(handle, new IntPtr(us.Buffer), s, new IntPtr(us.Length), IntPtr.Zero))
+                {
+                    return null;
+                }
+
+                return s;
+            }
+            else if (IsCurrentProcessWOW64) // OS: 64Bit, Current: 32, Target: 64
+            {
+                // NtWow64QueryInformationProcess64 is an "undocumented API", see issue 1702
+                PROCESS_BASIC_INFORMATION_WOW64 pbi = new PROCESS_BASIC_INFORMATION_WOW64();
+                int hr = NtWow64QueryInformationProcess64(handle, (int)PROCESSINFOCLASS.ProcessBasicInformation, ref pbi, Marshal.SizeOf(pbi), IntPtr.Zero);
+                if (hr != 0)
+                {
+                    return null;
+                }
+
+                pebAddress = pbi.PebBaseAddress;
+
+                long pp = 0;
+                hr = NtWow64ReadVirtualMemory64(handle, pebAddress + processParametersOffset, ref pp, Marshal.SizeOf(pp), IntPtr.Zero);
+                if (hr != 0)
+                {
+                    return null;
+                }
+
+                UNICODE_STRING_WOW64 us = new UNICODE_STRING_WOW64();
+                hr = NtWow64ReadVirtualMemory64(handle, pp + offset, ref us, Marshal.SizeOf(us), IntPtr.Zero);
+                if (hr != 0)
+                {
+                    return null;
+                }
+
+                if ((us.Buffer == 0) || (us.Length == 0))
+                {
+                    return null;
+                }
+
+                string s = new string('\0', us.Length / 2);
+                hr = NtWow64ReadVirtualMemory64(handle, us.Buffer, s, us.Length, IntPtr.Zero);
+                if (hr != 0)
+                {
+                    return null;
+                }
+
+                return s;
+            }
+            else // OS, Current, Target: 64 or 32
+            {
+                PROCESS_BASIC_INFORMATION pbi = new PROCESS_BASIC_INFORMATION();
+                int hr = NtQueryInformationProcess(handle, (int)PROCESSINFOCLASS.ProcessBasicInformation, ref pbi, Marshal.SizeOf(pbi), IntPtr.Zero);
+                if (hr != 0)
+                {
+                    return null;
+                }
+
+                pebAddress = pbi.PebBaseAddress.ToInt64();
+
+                IntPtr pp = new IntPtr();
+                if (!ReadProcessMemory(handle, new IntPtr(pebAddress + processParametersOffset), ref pp, new IntPtr(Marshal.SizeOf(pp)), IntPtr.Zero))
+                {
+                    return null;
+                }
+
+                UNICODE_STRING us = new UNICODE_STRING();
+                if (!ReadProcessMemory(handle, new IntPtr((long)pp + offset), ref us, new IntPtr(Marshal.SizeOf(us)), IntPtr.Zero))
+                {
+                    return null;
+                }
+
+                if (us.Buffer == IntPtr.Zero || us.Length == 0)
+                {
+                    return null;
+                }
+
+                string s = new string('\0', us.Length / 2);
+                if (!ReadProcessMemory(handle, us.Buffer, s, new IntPtr(us.Length), IntPtr.Zero))
+                {
+                    return null;
+                }
+
+                return s;
+            }
+        }
     }
 
     public class NtException : Win32Exception