Process Hacker Discussion Forum

 
rammerlabs
Member
Posts: 4
Joined: 04 Jan 2019 17:22

Several feature suggestions

08 Jan 2019 22:10

Hello, dmex! Thanks for ProcessHacker!
I use it sometimes and want to suggest several features.

First, "system statistics": it shows data from NtQuerySystemInformation with the classes SystemProcessorPerformanceInformation, SystemPerformanceInformation, SystemFileCacheInformationEx, SystemLowPriorityIoInformation, SystemMemoryListInformation, SystemPagedPoolInformationEx and SystemSystemPtesInformationEx in a table view with many columns: actual value, delta between updates, average delta, minimum and maximum. Also, it colorizes rows when values are increasing or decreasing:
sys-stats.png
A similar view is used for process statistics:
proc-stats.png
Next, let's show a bit of the "internals" of \REGISTRY\A\* keys in the process handle properties via NtEnumerateKey and NtEnumerateValueKey:
key-props.png
Also, maybe it's useful to show some object properties in the handle properties dialog (for example, describing general-read, general-write, general-execute access rights, etc.):
obj-props.png
Next, the list of a process's VM allocations shows ActivationContext records with a detailed dump of that section (I show it later in the text) and colorizes allocation types and attributes (like VMMap does):
vm-list.png
Also, the process module properties can display Windows-version-specific LDR_DATA_TABLE_ENTRY.Flags, or show whether the module was loaded with an activation context:
module-props.png
Now about the Activation Context: there is data from the roster, general assembly info, redirections of DLLs, classes, COM servers, COM type libraries, application settings and compatibility info:
actctx.png
I think this information may be useful for finding "alien" modules in a process.

Another one is dumping the ApiSetMap section.
apiset.PNG
Finally, the last suggestion. It's about the PE structure. It is not very useful, but interesting. Maybe you know about the "Rich header" in PE files that are compiled and linked with MS VS?
It can be analysed; it contains information about every tool (and its version) that was used to create the PE file:
rich.png
I hope you will find some of the suggestions useful. As you can see, all of these features are implemented in my program (I wrote it "just for fun"), so I can share parts of my code to help you.

Bye!

PS: I tried to write a letter to you, but it seems it was lost.
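The Rich header the post above describes, as an added example (not code from the post's author or from Process Hacker): a parser that walks the XOR-masked DWORD pairs back from the "Rich" terminator to the "DanS" marker, decodes each (product id, build, use count) entry, and recomputes the XOR key as the checksum over the DOS header and entries so that a patched header is flagged. The layout and checksum algorithm follow the community's reverse-engineered description of this undocumented structure; the sample image, its entries and all helper names (`build_sample_pe`, `tamper`, `SAMPLE_ENTRIES`) are constructed for the demo, and a product-id-to-tool-name table is deliberately not included.

```python
import struct

DANS = 0x536E6144          # b"DanS" read as a little-endian DWORD
RICH = 0x68636952          # b"Rich"

# Constructed sample entries (prodid, build, count); not from any real build.
SAMPLE_ENTRIES = [(0x0104, 27508, 3), (0x0105, 27508, 12), (0x0102, 27508, 1)]


def rol32(value, count):
    count &= 31
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF


def rich_checksum(data, entries, dans_offset):
    """Recompute the XOR key: the DanS offset, plus every byte before DanS
    rotated left by its position (e_lfanew at 0x3C..0x3F is excluded because
    the linker patches it after the checksum), plus every compid rotated by
    its use count. Community-reconstructed algorithm, assumed here."""
    checksum = dans_offset
    for i in range(dans_offset):
        if 0x3C <= i < 0x40:
            continue
        checksum = (checksum + rol32(data[i], i)) & 0xFFFFFFFF
    for compid, count in entries:
        checksum = (checksum + rol32(compid, count)) & 0xFFFFFFFF
    return checksum


def parse_rich_header(data):
    """Return {"offset", "key", "checksum_ok", "entries"} with entries as
    (prodid, build, count) tuples, or None when no Rich header is found."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew < 0x40 or e_lfanew > len(data):
        return None
    # The terminator is the plain text "Rich" followed by the key; it must sit
    # between the DOS header and the PE header.
    rich_pos = data.rfind(b"Rich", 0x40, e_lfanew)
    if rich_pos < 0 or rich_pos + 8 > len(data):
        return None
    key = struct.unpack_from("<I", data, rich_pos + 4)[0]
    pairs = []
    pos = rich_pos - 8
    while pos >= 0x40:                       # walk back one DWORD pair at a time
        a, b = struct.unpack_from("<II", data, pos)
        if a ^ key == DANS:                  # reached the masked "DanS" marker
            break
        pairs.append((a ^ key, b ^ key))
        pos -= 8
    else:
        return None                          # no DanS marker: not a Rich header
    pairs.reverse()
    entries = pairs[1:]                      # pairs[0] is the (key, key) padding after DanS
    return {
        "offset": pos,
        "key": key,
        "checksum_ok": rich_checksum(data, entries, pos) == key,
        "entries": [(c >> 16, c & 0xFFFF, n) for c, n in entries],  # compid = prodid<<16 | build
    }


def build_sample_pe(entries):
    """Constructed sample (not a real binary): MZ header, stub text, a Rich
    header built from (prodid, build, count) entries, then a bare PE signature."""
    stub = bytearray(0x80)
    stub[:2] = b"MZ"
    stub[0x40:0x40 + 19] = b"This program cannot"    # stub text, makes the checksum non-trivial
    raw = [((prodid << 16) | build, count) for prodid, build, count in entries]
    key = rich_checksum(stub, raw, len(stub))
    words = [DANS ^ key, key, key, key]
    for compid, count in raw:
        words += [compid ^ key, count ^ key]
    words += [RICH, key]
    image = stub + struct.pack("<%dI" % len(words), *words)
    struct.pack_into("<I", image, 0x3C, len(image))  # e_lfanew -> PE header; outside the checksum
    return bytes(image + b"PE\0\0")


def tamper(image):
    """Flip the low byte of the first compid: entries still decode, but the
    stored key no longer matches the recomputed checksum."""
    info = parse_rich_header(image)
    patched = bytearray(image)
    patched[info["offset"] + 16] ^= 0xFF
    return bytes(patched)


if __name__ == "__main__":
    sample = build_sample_pe(SAMPLE_ENTRIES)
    info = parse_rich_header(sample)
    print("key=%08x checksum_ok=%s" % (info["key"], info["checksum_ok"]))
    for prodid, build, count in info["entries"]:
        print("  prodid=0x%04x build=%d count=%d" % (prodid, build, count))
    print("tampered checksum_ok=%s" % parse_rich_header(tamper(sample))["checksum_ok"])
```

On a real file, read the first few kilobytes of the executable and pass them to `parse_rich_header`; a `checksum_ok` of False on a file that otherwise looks linked by MSVC is worth a second look, since the key is what the linker wrote and nothing legitimately rewrites it afterwards.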
 
rammerlabs
Member
Posts: 4
Joined: 04 Jan 2019 17:22

Re: Several feature suggestions

18 Jan 2019 12:20

Sorry for disturbing you again, but I can't believe that none of the suggestions are interesting and that they are all worthless?
 
Ketch
Member
Posts: 9
Joined: 24 Aug 2018 13:08
OS: Windows 10

Re: Several feature suggestions

20 Jan 2019 20:09

<<<
E.M.A
 
David Xanatos
Member
Posts: 17
Joined: 25 May 2019 06:55

Re: Several feature suggestions

25 May 2019 07:17

rammerlabs wrote: 18 Jan 2019 12:20
Sorry for disturbing you again, but I can't believe that none of the suggestions are interesting and that they are all worthless?
I find the suggestions great;
could you share your program on GitHub, please?