Can we check if a running application or a program uses .Net framework to execute itself?
There's a trick I once learned from Scott Hanselman's list of interview questions. You can easily list all programs running .NET in command prompt by using:
tasklist /m "mscor*"
It will list all processes that have mscor*
amongst their loaded modules.
We can apply the same method in code:
public static bool IsDotNetProcess(this Process process)
{
var modules = process.Modules.Cast<ProcessModule>().Where(
m => m.ModuleName.StartsWith("mscor", StringComparison.InvariantCultureIgnoreCase));
return modules.Any();
}
Use the CLR COM interfaces ICorPublish and ICorPublishProcess. The easiest way to do this from C# is to borrow some code from SharpDevelop's debugger, and do the following:
ICorPublish publish = new ICorPublish();
ICorPublishProcess process;
process = publish.GetProcess(PidToCheck);
if (process == null || !process.IsManaged)
{
// Not managed.
}
else
{
// Managed.
}
Use System.Reflection.Assembly.LoadFrom
function to load the .exe file. This function will throw exception if you try to load binary file that is not .NET assembly.
I know this is about a million years too late, but in case it helps - my favourite method to figure out if an exe is using .net is to run MSIL disassembler against it which comes with .net SDK. If a .net exe you indeed have, you'll get a nice graphical breakdown of its contents; if a plain old win32 exe it be, you'll get a message telling you so.
Programmatically you'd get the starting image name using Win32 API like NtQueryInformationProcess
, or in .Net use System.Diagnostics.Process.GetProcesses()
and read Process.StartInfo.FileName
.
Then open and decode the PE headers of that image using details prescribed in the MSDN article below:
http://msdn.microsoft.com/en-us/magazine/cc301808.aspx
Caveats: will only detect .NET built assemblies e.g. won't detect Win32 EXEs dynamically hosting CLR using CorHost APIs.
I suggest downloading the Redgate's DotNetReflector and checking if it can open the application.
A list of running .NET processes is available in Performance Monitor
. Just run perfmon
and in the Monitoring Tools >> Performance Monitor click + Icon or press Ctrl+N. In the list of available counters, at the beginning of the list find .NET CLR Jit and select a sub item. You will see a list of .NET process in Instances of selected object list.
If you want a method in C# without running your app in Administrator mode, there is solution introduced by Process Hacker tool.
According to Process Hacker / .NET Tools / native.c :
Most .NET processes have a handle open to a section named \BaseNamedObjects\Cor_Private_IPCBlock(v4)<ProcessId>. This is the same object used by the ICorPublish::GetProcess function. Instead of calling that function, we simply check for the existence of that section object. This means: * Better performance. * No need for admin rights to get .NET status of processes owned by other users.
Getting a list of Process handles in C# is a bit of hard work. Instead you can download the DotNetTools.dll from Process Hacker plugins
folder and create an extern
method to use PhGetProcessIsDotNet
function.
精彩评论