Sysinternals
Advanced system utilities to manage, troubleshoot, and diagnose Windows and Linux systems and applications.
CLR profiling: Trying to understand how to fetch variables.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 28.000000000000004%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVS%3C/text%3E%3C/svg%3E)
Vivek Saini
0
Reputation points
I have been experimenting with a .NET CLR profiler for the purposes of building a powershell monitoring AV tool. I wanted to intercept powershell code (IL) using the profiler right before it is JIT compiled using API functions like JITCompilationStarted, GetFunctionInfo, GetMethodName, GetILFunctionBody.
For testing purpose i have used the following simple commands from my cmd (where i have set the environment variables for profiling) for testing.
- powershell.exe -c "Write-Host 'HelloWorld'"
- powershell.exe -c "(New-Object Net.WebClient).DownloadString('http://example.com')"
My intent is to intercept the strings "HelloWorld" and "example.com" before they are actually executed by powershell.
I am using the IMetaDataImport::GetUserString and IMetaDataImport::GetMethodsProps to resolve the string literals (like ldstr "HelloWorld") and function names (for example callvirt Runspace.InvokeCommand)
But I am still unable to locate the strings.
Kindly tell me how to profile powershell in such a way as too retrive IL code corresponding to the entered command?
Sysinternals
{count} votes
-
Vivek Saini 0 Reputation points
2025-10-21T06:39:00.4533333+00:00 Following is a small snippet of code
STDMETHODIMP JITCompilationStarted(FunctionID functionId, BOOL fIsSafeToBlock) { if (!profilerInfo) return S_OK; ClassID classId = 0; ModuleID moduleId = 0; mdToken methodToken = 0; HRESULT hr = profilerInfo->GetFunctionInfo(functionId, &classId, &moduleId, &methodToken); if (FAILED(hr)) return S_OK; WCHAR className[512] = { 0 }; WCHAR methodName[512] = { 0 }; GetMethodName(functionId, className, methodName, 512); std::wstring classNameStr(className); bool isPowerShellRelated = ( classNameStr.find(L"PowerShell") != std::wstring::npos || classNameStr.find(L"System.Management.Automation") != std::wstring::npos || classNameStr.find(L"PSCommand") != std::wstring::npos || classNameStr.find(L"Runspace") != std::wstring::npos || classNameStr.find(L"ScriptBlock") != std::wstring::npos || wcsstr(methodName, L"Write") != NULL || wcsstr(methodName, L"Invoke") != NULL ); // Skip non-PowerShell methods to reduce noise if (!isPowerShellRelated) { return S_OK; } LPCBYTE pMethodHeader = NULL; ULONG ilSize = 0; hr = profilerInfo->GetILFunctionBody(moduleId, methodToken, &pMethodHeader, &ilSize); if (SUCCEEDED(hr) && pMethodHeader != NULL && ilSize > 0) { printf("\n================================================================================\n"); printf("JIT COMPILATION STARTED\n"); printf("================================================================================\n"); printf("Method: %ws.%ws\n", className, methodName); printf("FunctionID: %p\n", (void*)functionId); printf("MethodToken: 0x%08X\n", methodToken); printf("IL Code Size: %lu bytes\n", ilSize); printf("================================================================================\n\n"); PrintHexDump(pMethodHeader, ilSize); DisassembleIL(pMethodHeader, ilSize, className, methodName, moduleId); } return S_OK; }
Sign in to comment
Sign in to answer