FLARE-VM Thu 10/23/2025 0:23:30.90 C:\Users\demo\source\repos\self_profiler4>type Run.bat set COR_PROFILER={DF9EDC4B-25C1-4925-A3FB-6AAEB3E2FACD} set COR_PROFILER_PATH=C:\Users\demo\source\repos\self_profiler4\x64\Release\self_profiler4.dll set COR_ENABLE_PROFILING=1 powershell.exe -c "ping google.com" FLARE-VM Thu 10/23/2025 0:23:32.97 C:\Users\demo\source\repos\self_profiler4>Run.bat FLARE-VM Thu 10/23/2025 0:23:35.84 C:\Users\demo\source\repos\self_profiler4>set COR_PROFILER={DF9EDC4B-25C1-4925-A3FB-6AAEB3E2FACD} FLARE-VM Thu 10/23/2025 0:23:35.84 C:\Users\demo\source\repos\self_profiler4>set COR_PROFILER_PATH=C:\Users\demo\source\repos\self_profiler4\x64\Release\self_profiler4.dll FLARE-VM Thu 10/23/2025 0:23:35.84 C:\Users\demo\source\repos\self_profiler4>set COR_ENABLE_PROFILING=1 FLARE-VM Thu 10/23/2025 0:23:35.84 C:\Users\demo\source\repos\self_profiler4>powershell.exe -c "ping google.com" [*] Assembly loading started (ID: 0000021B3558BB40) [+] Assembly loaded: mscorlib (ID: 0000021B3558BB40) [*] Assembly loading started (ID: 0000021B355A6890) [*] Assembly loading started (ID: 0000021B355A73D0) [*] Assembly loading started (ID: 0000021B355A7190) ================================================================================ !!! POWERSHELL DETECTED !!! !!! You are about to execute PowerShell! Assembly: Microsoft.PowerShell.ConsoleHost Assembly ID: 0000021B355A7190 Module ID: 00007FFE351F1000 AppDomain ID: 00007FFE13FB0F80 ================================================================================ [+] Assembly loaded: System (ID: 0000021B355A6890) [+] Assembly loaded: System.Core (ID: 0000021B355A73D0) [*] Assembly loading started (ID: 0000021B355C5A90) ================================================================================ !!! POWERSHELL DETECTED !!! !!! You are about to execute PowerShell! 
Assembly: System.Management.Automation Assembly ID: 0000021B355C5A90 Module ID: 00007FFD90AA1000 AppDomain ID: 00007FFE13FB0F80 ================================================================================ [*] Assembly loading started (ID: 0000021B355C4AD0) [+] Assembly loaded: Microsoft.Management.Infrastructure (ID: 0000021B355C4AD0) [*] Assembly loading started (ID: 0000021B355C52B0) [+] Assembly loaded: System.Management (ID: 0000021B355C52B0) [*] Assembly loading started (ID: 0000021B355C3F90) [+] Assembly loaded: System.DirectoryServices (ID: 0000021B355C3F90) [*] Assembly loading started (ID: 0000021B355C5190) [+] Assembly loaded: System.Xml (ID: 0000021B355C5190) [*] Assembly loading started (ID: 0000021B355C42F0) [+] Assembly loaded: System.Numerics (ID: 0000021B355C42F0) [*] Assembly loading started (ID: 0000021B355C4530) [+] Assembly loaded: System.Data (ID: 0000021B355C4530) [*] Assembly loading started (ID: 0000021B355C5850) [+] Assembly loaded: System.Configuration (ID: 0000021B355C5850) [*] Assembly loading started (ID: 0000021B355A6E30) [+] Assembly loaded: Anonymously Hosted DynamicMethods Assembly (ID: 0000021B355A6E30) [*] Assembly loading started (ID: 0000021B375DD0F0) ================================================================================ !!! POWERSHELL DETECTED !!! !!! You are about to execute PowerShell! 
Assembly: Microsoft.PowerShell.Security Assembly ID: 0000021B375DD0F0 Module ID: 00007FFE045C1000 AppDomain ID: 00007FFE13FB0F80 ================================================================================ [*] Assembly loading started (ID: 0000021B375DBEF0) [+] Assembly loaded: System.Transactions (ID: 0000021B375DBEF0) ================================================================================ JIT COMPILATION STARTED ================================================================================ Method: System.Management.Automation.Interpreter.FuncCallInstruction`5..ctor FunctionID: 00007FFDB4234670 MethodToken: 0x06004709 IL Code Size: 35 bytes ================================================================================ Raw IL Bytecode (Hex Dump): Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F ASCII ------------------------------------------------------------------------- 00000000 8A 02 28 73 46 00 06 02 03 D0 03 07 00 1B 28 B9 ..(sF.........(. 00000010 00 00 0A 6F 78 0D 00 0A 74 03 07 00 1B 7D 79 18 ...ox...t....}y. 
00000020 00 0A 2A ..* +========+====================+=================================================================+ | IL DISASSEMBLY | +========+====================+=================================================================+ | Method: System.Management.Automation.Interpreter.FuncCallInstruction`5..ctor | IL Code Size: 35 bytes +========+====================+=================================================================+ | Offset | Hex Bytes | IL Instruction | +========+====================+=================================================================+ | 000000 | 8A | conv.ovf.i.un | | 000001 | 02 | ldarg.0 | | 000002 | 28 73 46 00 06 | call System.Management.Automation.Interpreter.CallInstruction..ctor | | 000007 | 02 | ldarg.0 | | 000008 | 03 | ldarg.1 | | 000009 | D0 | ldtoken | | 00000A | 03 | ldarg.1 | | 00000B | 07 | ldloc.1 | | 00000C | 00 | nop | | 00000D | 1B | ldc.i4.5 | | 00000E | 28 B9 00 00 0A | call System.Type.GetTypeFromHandle | | 000013 | 6F 78 0D 00 0A | callvirt System.Reflection.MethodInfo.CreateDelegate | | 000018 | 74 | castclass | | 000019 | 03 | ldarg.1 | | 00001A | 07 | ldloc.1 | | 00001B | 00 | nop | | 00001C | 1B | ldc.i4.5 | | 00001D | 7D 79 18 00 0A | stfld ._target | | 000022 | 2A | ret | +========+====================+=================================================================+ ================================================================================ JIT COMPILATION STARTED ================================================================================ Method: System.Management.Automation.Interpreter.FuncCallInstruction`5.get_ArgumentCount FunctionID: 00007FFDB4234660 MethodToken: 0x06004707 IL Code Size: 3 bytes ================================================================================ Raw IL Bytecode (Hex Dump): Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F ASCII ------------------------------------------------------------------------- 00000000 0A 1A 2A ..* 
+========+====================+=================================================================+ | IL DISASSEMBLY | +========+====================+=================================================================+ | Method: System.Management.Automation.Interpreter.FuncCallInstruction`5.get_ArgumentCount | IL Code Size: 3 bytes +========+====================+=================================================================+ | Offset | Hex Bytes | IL Instruction | +========+====================+=================================================================+ | 000000 | 0A | stloc.0 | | 000001 | 1A | ldc.i4.4 | | 000002 | 2A | ret | +========+====================+=================================================================+ ================================================================================ JIT COMPILATION STARTED ================================================================================ Method: System.Management.Automation.Interpreter.FuncCallInstruction`5.get_Info FunctionID: 00007FFDB4234658 MethodToken: 0x06004706 IL Code Size: 13 bytes ================================================================================ Raw IL Bytecode (Hex Dump): Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F ASCII ------------------------------------------------------------------------- 00000000 32 02 7B 79 18 00 0A 28 30 18 00 0A 2A 2.{y...(0...* +========+====================+=================================================================+ | IL DISASSEMBLY | +========+====================+=================================================================+ | Method: System.Management.Automation.Interpreter.FuncCallInstruction`5.get_Info | IL Code Size: 13 bytes +========+====================+=================================================================+ | Offset | Hex Bytes | IL Instruction | +========+====================+=================================================================+ | 000000 | 32 02 | blt.s IL_0004 | | 000002 | 7B 79 
18 00 0A | ldfld ._target | | 000007 | 28 30 18 00 0A | call System.Reflection.RuntimeReflectionExtensions.GetMethodInfo | | 00000C | 2A | ret | +========+====================+=================================================================+ ================================================================================ JIT COMPILATION STARTED ================================================================================ Method: System.Management.Automation.Interpreter.ActionCallInstruction`6..ctor FunctionID: 00007FFDB4235158 MethodToken: 0x060046D9 IL Code Size: 35 bytes ================================================================================ Raw IL Bytecode (Hex Dump): Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F ASCII ------------------------------------------------------------------------- 00000000 8A 02 28 73 46 00 06 02 03 D0 F3 06 00 1B 28 B9 ..(sF.........(. 00000010 00 00 0A 6F 78 0D 00 0A 74 F3 06 00 1B 7D 69 18 ...ox...t....}i. 00000020 00 0A 2A ..* +========+====================+=================================================================+ | IL DISASSEMBLY | +========+====================+=================================================================+ | Method: System.Management.Automation.Interpreter.ActionCallInstruction`6..ctor | IL Code Size: 35 bytes +========+====================+=================================================================+ | Offset | Hex Bytes | IL Instruction | +========+====================+=================================================================+ | 000000 | 8A | conv.ovf.i.un | | 000001 | 02 | ldarg.0 | | 000002 | 28 73 46 00 06 | call System.Management.Automation.Interpreter.CallInstruction..ctor | | 000007 | 02 | ldarg.0 | | 000008 | 03 | ldarg.1 | | 000009 | D0 | ldtoken | | 00000A | F3 | unknown | | 00000B | 06 | ldloc.0 | | 00000C | 00 | nop | | 00000D | 1B | ldc.i4.5 | | 00000E | 28 B9 00 00 0A | call System.Type.GetTypeFromHandle | | 000013 | 6F 78 0D 00 0A | callvirt 
System.Reflection.MethodInfo.CreateDelegate | | 000018 | 74 | castclass | | 000019 | F3 | unknown | | 00001A | 06 | ldloc.0 | | 00001B | 00 | nop | | 00001C | 1B | ldc.i4.5 | | 00001D | 7D 69 18 00 0A | stfld ._target | | 000022 | 2A | ret | +========+====================+=================================================================+ ================================================================================ JIT COMPILATION STARTED ================================================================================ Method: System.Management.Automation.Interpreter.ActionCallInstruction`6.get_ArgumentCount FunctionID: 00007FFDB4235148 MethodToken: 0x060046D7 IL Code Size: 3 bytes ================================================================================ Raw IL Bytecode (Hex Dump): Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F ASCII ------------------------------------------------------------------------- 00000000 0A 1C 2A ..* +========+====================+=================================================================+ | IL DISASSEMBLY | +========+====================+=================================================================+ | Method: System.Management.Automation.Interpreter.ActionCallInstruction`6.get_ArgumentCount | IL Code Size: 3 bytes +========+====================+=================================================================+ | Offset | Hex Bytes | IL Instruction | +========+====================+=================================================================+ | 000000 | 0A | stloc.0 | | 000001 | 1C | ldc.i4.6 | | 000002 | 2A | ret | +========+====================+=================================================================+ ================================================================================ JIT COMPILATION STARTED ================================================================================ Method: System.Management.Automation.Interpreter.ActionCallInstruction`6.get_Info FunctionID: 00007FFDB4235140 
MethodToken: 0x060046D6 IL Code Size: 13 bytes ================================================================================ Raw IL Bytecode (Hex Dump): Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F ASCII ------------------------------------------------------------------------- 00000000 32 02 7B 69 18 00 0A 28 30 18 00 0A 2A 2.{i...(0...* +========+====================+=================================================================+ | IL DISASSEMBLY | +========+====================+=================================================================+ | Method: System.Management.Automation.Interpreter.ActionCallInstruction`6.get_Info | IL Code Size: 13 bytes +========+====================+=================================================================+ | Offset | Hex Bytes | IL Instruction | +========+====================+=================================================================+ | 000000 | 32 02 | blt.s IL_0004 | | 000002 | 7B 69 18 00 0A | ldfld ._target | | 000007 | 28 30 18 00 0A | call System.Reflection.RuntimeReflectionExtensions.GetMethodInfo | | 00000C | 2A | ret | +========+====================+=================================================================+ ================================================================================ JIT COMPILATION STARTED ================================================================================ Method: System.Management.Automation.Interpreter.FuncCallInstruction`5.Run FunctionID: 00007FFDB4234680 MethodToken: 0x0600470B IL Code Size: 139 bytes ================================================================================ Raw IL Bytecode (Hex Dump): Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F ASCII ------------------------------------------------------------------------- 00000000 13 30 09 00 7F 00 00 00 00 00 00 00 03 7B F1 1B .0...........{.. 00000010 00 04 03 7B F3 1B 00 04 1A 59 02 7B 79 18 00 0A ...{.....Y.{y... 
00000020 03 7B F1 1B 00 04 03 7B F3 1B 00 04 1A 59 9A A5 .{.....{.....Y.. 00000030 B9 00 00 1B 03 7B F1 1B 00 04 03 7B F3 1B 00 04 .....{.....{.... 00000040 19 59 9A A5 BA 00 00 1B 03 7B F1 1B 00 04 03 7B .Y.......{.....{ 00000050 F3 1B 00 04 18 59 9A A5 51 05 00 1B 03 7B F1 1B .....Y..Q....{.. 00000060 00 04 03 7B F3 1B 00 04 17 59 9A A5 52 05 00 1B ...{.....Y..R... 00000070 6F 7A 18 00 0A 8C 53 05 00 1B A2 03 25 7B F3 1B oz....S.....%{.. 00000080 00 04 19 59 7D F3 1B 00 04 17 2A ...Y}.....* +========+====================+=================================================================+ | IL DISASSEMBLY | +========+====================+=================================================================+ | Method: System.Management.Automation.Interpreter.FuncCallInstruction`5.Run | IL Code Size: 139 bytes +========+====================+=================================================================+ | Offset | Hex Bytes | IL Instruction | +========+====================+=================================================================+ | 000000 | 13 30 | stloc.s 48 | | 000002 | 09 | ldloc.3 | | 000003 | 00 | nop | | 000004 | 7F | ldsflda | | 000005 | 00 | nop | | 000006 | 00 | nop | | 000007 | 00 | nop | | 000008 | 00 | nop | | 000009 | 00 | nop | | 00000A | 00 | nop | | 00000B | 00 | nop | | 00000C | 03 | ldarg.1 | | 00000D | 7B F1 1B 00 04 | ldfld System.Management.Automation.Interpreter.InterpretedFrame.Data | | 000012 | 03 | ldarg.1 | | 000013 | 7B F3 1B 00 04 | ldfld System.Management.Automation.Interpreter.InterpretedFrame.StackIndex | | 000018 | 1A | ldc.i4.4 | | 000019 | 59 | sub | | 00001A | 02 | ldarg.0 | | 00001B | 7B 79 18 00 0A | ldfld ._target | | 000020 | 03 | ldarg.1 | | 000021 | 7B F1 1B 00 04 | ldfld System.Management.Automation.Interpreter.InterpretedFrame.Data | | 000026 | 03 | ldarg.1 | | 000027 | 7B F3 1B 00 04 | ldfld System.Management.Automation.Interpreter.InterpretedFrame.StackIndex | | 00002C | 1A | ldc.i4.4 | | 00002D | 59 | sub | | 
00002E | 9A | ldelem.ref | | 00002F | A5 | unbox.any | | 000030 | B9 | conv.ovf.i8 | | 000031 | 00 | nop | | 000032 | 00 | nop | | 000033 | 1B | ldc.i4.5 | | 000034 | 03 | ldarg.1 | | 000035 | 7B F1 1B 00 04 | ldfld System.Management.Automation.Interpreter.InterpretedFrame.Data | | 00003A | 03 | ldarg.1 | | 00003B | 7B F3 1B 00 04 | ldfld System.Management.Automation.Interpreter.InterpretedFrame.StackIndex | | 000040 | 19 | ldc.i4.3 | | 000041 | 59 | sub | | 000042 | 9A | ldelem.ref | | 000043 | A5 | unbox.any | | 000044 | BA | conv.ovf.u8 | | 000045 | 00 | nop | | 000046 | 00 | nop | | 000047 | 1B | ldc.i4.5 | | 000048 | 03 | ldarg.1 | | 000049 | 7B F1 1B 00 04 | ldfld System.Management.Automation.Interpreter.InterpretedFrame.Data | | 00004E | 03 | ldarg.1 | | 00004F | 7B F3 1B 00 04 | ldfld System.Management.Automation.Interpreter.InterpretedFrame.StackIndex | | 000054 | 18 | ldc.i4.2 | | 000055 | 59 | sub | | 000056 | 9A | ldelem.ref | | 000057 | A5 | unbox.any | | 000058 | 51 | stind.ref | | 000059 | 05 | ldarg.3 | | 00005A | 00 | nop | | 00005B | 1B | ldc.i4.5 | | 00005C | 03 | ldarg.1 | | 00005D | 7B F1 1B 00 04 | ldfld System.Management.Automation.Interpreter.InterpretedFrame.Data | | 000062 | 03 | ldarg.1 | | 000063 | 7B F3 1B 00 04 | ldfld System.Management.Automation.Interpreter.InterpretedFrame.StackIndex | | 000068 | 17 | ldc.i4.1 | | 000069 | 59 | sub | | 00006A | 9A | ldelem.ref | | 00006B | A5 | unbox.any | | 00006C | 52 | stind.i1 | | 00006D | 05 | ldarg.3 | | 00006E | 00 | nop | | 00006F | 1B | ldc.i4.5 | | 000070 | 6F 7A 18 00 0A | callvirt .Invoke | | 000075 | 8C | box | | 000076 | 53 | stind.i2 | | 000077 | 05 | ldarg.3 | | 000078 | 00 | nop | | 000079 | 1B | ldc.i4.5 | | 00007A | A2 | stelem.ref | | 00007B | 03 | ldarg.1 | | 00007C | 25 | dup | | 00007D | 7B F3 1B 00 04 | ldfld System.Management.Automation.Interpreter.InterpretedFrame.StackIndex | | 000082 | 19 | ldc.i4.3 | | 000083 | 59 | sub | | 000084 | 7D F3 1B 00 04 | stfld 
System.Management.Automation.Interpreter.InterpretedFrame.StackIndex | | 000089 | 17 | ldc.i4.1 | | 00008A | 2A | ret | +========+====================+=================================================================+ ================================================================================ JIT COMPILATION STARTED ================================================================================ Method: System.Management.Automation.Interpreter.ActionCallInstruction`6.Run FunctionID: 00007FFDB4235168 MethodToken: 0x060046DB IL Code Size: 159 bytes ================================================================================ Raw IL Bytecode (Hex Dump): Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F ASCII ------------------------------------------------------------------------- 00000000 13 30 09 00 93 00 00 00 00 00 00 00 02 7B 69 18 .0...........{i. 00000010 00 0A 03 7B F1 1B 00 04 03 7B F3 1B 00 04 1C 59 ...{.....{.....Y 00000020 9A A5 B9 00 00 1B 03 7B F1 1B 00 04 03 7B F3 1B .......{.....{.. 00000030 00 04 1B 59 9A A5 BA 00 00 1B 03 7B F1 1B 00 04 ...Y.......{.... 00000040 03 7B F3 1B 00 04 1A 59 9A A5 51 05 00 1B 03 7B .{.....Y..Q....{ 00000050 F1 1B 00 04 03 7B F3 1B 00 04 19 59 9A A5 52 05 .....{.....Y..R. 00000060 00 1B 03 7B F1 1B 00 04 03 7B F3 1B 00 04 18 59 ...{.....{.....Y 00000070 9A A5 53 05 00 1B 03 7B F1 1B 00 04 03 7B F3 1B ..S....{.....{.. 00000080 00 04 17 59 9A A5 54 05 00 1B 6F 6A 18 00 0A 03 ...Y..T...oj.... 
00000090 25 7B F3 1B 00 04 1C 59 7D F3 1B 00 04 17 2A %{.....Y}.....* +========+====================+=================================================================+ | IL DISASSEMBLY | +========+====================+=================================================================+ | Method: System.Management.Automation.Interpreter.ActionCallInstruction`6.Run | IL Code Size: 159 bytes +========+====================+=================================================================+ | Offset | Hex Bytes | IL Instruction | +========+====================+=================================================================+ | 000000 | 13 30 | stloc.s 48 | | 000002 | 09 | ldloc.3 | | 000003 | 00 | nop | | 000004 | 93 | ldelem.u2 | | 000005 | 00 | nop | | 000006 | 00 | nop | | 000007 | 00 | nop | | 000008 | 00 | nop | | 000009 | 00 | nop | | 00000A | 00 | nop | | 00000B | 00 | nop | | 00000C | 02 | ldarg.0 | | 00000D | 7B 69 18 00 0A | ldfld ._target | | 000012 | 03 | ldarg.1 | | 000013 | 7B F1 1B 00 04 | ldfld System.Management.Automation.Interpreter.InterpretedFrame.Data | | 000018 | 03 | ldarg.1 | | 000019 | 7B F3 1B 00 04 | ldfld System.Management.Automation.Interpreter.InterpretedFrame.StackIndex | | 00001E | 1C | ldc.i4.6 | | 00001F | 59 | sub | | 000020 | 9A | ldelem.ref | | 000021 | A5 | unbox.any | | 000022 | B9 | conv.ovf.i8 | | 000023 | 00 | nop | | 000024 | 00 | nop | | 000025 | 1B | ldc.i4.5 | | 000026 | 03 | ldarg.1 | | 000027 | 7B F1 1B 00 04 | ldfld System.Management.Automation.Interpreter.InterpretedFrame.Data | | 00002C | 03 | ldarg.1 | | 00002D | 7B F3 1B 00 04 | ldfld System.Management.Automation.Interpreter.InterpretedFrame.StackIndex | | 000032 | 1B | ldc.i4.5 | | 000033 | 59 | sub | | 000034 | 9A | ldelem.ref | | 000035 | A5 | unbox.any | | 000036 | BA | conv.ovf.u8 | | 000037 | 00 | nop | | 000038 | 00 | nop | | 000039 | 1B | ldc.i4.5 | | 00003A | 03 | ldarg.1 | | 00003B | 7B F1 1B 00 04 | ldfld 
System.Management.Automation.Interpreter.InterpretedFrame.Data | | 000040 | 03 | ldarg.1 | | 000041 | 7B F3 1B 00 04 | ldfld System.Management.Automation.Interpreter.InterpretedFrame.StackIndex | | 000046 | 1A | ldc.i4.4 | | 000047 | 59 | sub | | 000048 | 9A | ldelem.ref | | 000049 | A5 | unbox.any | | 00004A | 51 | stind.ref | | 00004B | 05 | ldarg.3 | | 00004C | 00 | nop | | 00004D | 1B | ldc.i4.5 | | 00004E | 03 | ldarg.1 | | 00004F | 7B F1 1B 00 04 | ldfld System.Management.Automation.Interpreter.InterpretedFrame.Data | | 000054 | 03 | ldarg.1 | | 000055 | 7B F3 1B 00 04 | ldfld System.Management.Automation.Interpreter.InterpretedFrame.StackIndex | | 00005A | 19 | ldc.i4.3 | | 00005B | 59 | sub | | 00005C | 9A | ldelem.ref | | 00005D | A5 | unbox.any | | 00005E | 52 | stind.i1 | | 00005F | 05 | ldarg.3 | | 000060 | 00 | nop | | 000061 | 1B | ldc.i4.5 | | 000062 | 03 | ldarg.1 | | 000063 | 7B F1 1B 00 04 | ldfld System.Management.Automation.Interpreter.InterpretedFrame.Data | | 000068 | 03 | ldarg.1 | | 000069 | 7B F3 1B 00 04 | ldfld System.Management.Automation.Interpreter.InterpretedFrame.StackIndex | | 00006E | 18 | ldc.i4.2 | | 00006F | 59 | sub | | 000070 | 9A | ldelem.ref | | 000071 | A5 | unbox.any | | 000072 | 53 | stind.i2 | | 000073 | 05 | ldarg.3 | | 000074 | 00 | nop | | 000075 | 1B | ldc.i4.5 | | 000076 | 03 | ldarg.1 | | 000077 | 7B F1 1B 00 04 | ldfld System.Management.Automation.Interpreter.InterpretedFrame.Data | | 00007C | 03 | ldarg.1 | | 00007D | 7B F3 1B 00 04 | ldfld System.Management.Automation.Interpreter.InterpretedFrame.StackIndex | | 000082 | 17 | ldc.i4.1 | | 000083 | 59 | sub | | 000084 | 9A | ldelem.ref | | 000085 | A5 | unbox.any | | 000086 | 54 | stind.i4 | | 000087 | 05 | ldarg.3 | | 000088 | 00 | nop | | 000089 | 1B | ldc.i4.5 | | 00008A | 6F 6A 18 00 0A | callvirt .Invoke | | 00008F | 03 | ldarg.1 | | 000090 | 25 | dup | | 000091 | 7B F3 1B 00 04 | ldfld System.Management.Automation.Interpreter.InterpretedFrame.StackIndex | | 
000096 | 1C | ldc.i4.6 | | 000097 | 59 | sub | | 000098 | 7D F3 1B 00 04 | stfld System.Management.Automation.Interpreter.InterpretedFrame.StackIndex | | 00009D | 17 | ldc.i4.1 | | 00009E | 2A | ret | +========+====================+=================================================================+ Pinging google.com [172.217.26.110] with 32 bytes of data: Reply from 172.217.26.110: bytes=32 time=35ms TTL=128 Reply from 172.217.26.110: bytes=32 time=39ms TTL=128 Reply from 172.217.26.110: bytes=32 time=35ms TTL=128 Reply from 172.217.26.110: bytes=32 time=43ms TTL=128 Ping statistics for 172.217.26.110: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 35ms, Maximum = 43ms, Average = 38ms FLARE-VM Thu 10/23/2025 0:23:39.33 C:\Users\demo\source\repos\self_profiler4> ///////////////////////////////////////////////////////////////////////////////////////////////// Code ///////////////////////////////////////////////////////////////////////////////////////////////// #include #include #include #include #include #include #include #include class __declspec(uuid("{DF9EDC4B-25C1-4925-A3FB-6AAEB3E2FACD}")) ProfilerCLSID; class ExampleProfiler : public ICorProfilerCallback3 { private: LONG refCount = 0; ICorProfilerInfo3* profilerInfo = NULL; std::map ilOpcodes = { {0x00, "nop"}, {0x01, "break"}, {0x02, "ldarg.0"}, {0x03, "ldarg.1"}, {0x04, "ldarg.2"}, {0x05, "ldarg.3"}, {0x06, "ldloc.0"}, {0x07, "ldloc.1"}, {0x08, "ldloc.2"}, {0x09, "ldloc.3"}, {0x0A, "stloc.0"}, {0x0B, "stloc.1"}, {0x0C, "stloc.2"}, {0x0D, "stloc.3"}, {0x0E, "ldarg.s"}, {0x0F, "ldarga.s"}, {0x10, "starg.s"}, {0x11, "ldloc.s"}, {0x12, "ldloca.s"}, {0x13, "stloc.s"}, {0x14, "ldnull"}, {0x15, "ldc.i4.m1"}, {0x16, "ldc.i4.0"}, {0x17, "ldc.i4.1"}, {0x18, "ldc.i4.2"}, {0x19, "ldc.i4.3"}, {0x1A, "ldc.i4.4"}, {0x1B, "ldc.i4.5"}, {0x1C, "ldc.i4.6"}, {0x1D, "ldc.i4.7"}, {0x1E, "ldc.i4.8"}, {0x1F, "ldc.i4.s"}, {0x20, "ldc.i4"}, {0x21, "ldc.i8"}, {0x22, 
"ldc.r4"}, {0x23, "ldc.r8"}, {0x25, "dup"}, {0x26, "pop"}, {0x27, "jmp"}, {0x28, "call"}, {0x29, "calli"}, {0x2A, "ret"}, {0x2B, "br.s"}, {0x2C, "brfalse.s"}, {0x2D, "brtrue.s"}, {0x2E, "beq.s"}, {0x2F, "bge.s"}, {0x30, "bgt.s"}, {0x31, "ble.s"}, {0x32, "blt.s"}, {0x33, "bne.un.s"}, {0x34, "bge.un.s"}, {0x35, "bgt.un.s"}, {0x36, "ble.un.s"}, {0x37, "blt.un.s"}, {0x38, "br"}, {0x39, "brfalse"}, {0x3A, "brtrue"}, {0x3B, "beq"}, {0x3C, "bge"}, {0x3D, "bgt"}, {0x3E, "ble"}, {0x3F, "blt"}, {0x40, "bne.un"}, {0x41, "bge.un"}, {0x42, "bgt.un"}, {0x43, "ble.un"}, {0x44, "blt.un"}, {0x45, "switch"}, {0x46, "ldind.i1"}, {0x47, "ldind.u1"}, {0x48, "ldind.i2"}, {0x49, "ldind.u2"}, {0x4A, "ldind.i4"}, {0x4B, "ldind.u4"}, {0x4C, "ldind.i8"}, {0x4D, "ldind.i"}, {0x4E, "ldind.r4"}, {0x4F, "ldind.r8"}, {0x50, "ldind.ref"}, {0x51, "stind.ref"}, {0x52, "stind.i1"}, {0x53, "stind.i2"}, {0x54, "stind.i4"}, {0x55, "stind.i8"}, {0x56, "stind.r4"}, {0x57, "stind.r8"}, {0x58, "add"}, {0x59, "sub"}, {0x5A, "mul"}, {0x5B, "div"}, {0x5C, "div.un"}, {0x5D, "rem"}, {0x5E, "rem.un"}, {0x5F, "and"}, {0x60, "or"}, {0x61, "xor"}, {0x62, "shl"}, {0x63, "shr"}, {0x64, "shr.un"}, {0x65, "neg"}, {0x66, "not"}, {0x67, "conv.i1"}, {0x68, "conv.i2"}, {0x69, "conv.i4"}, {0x6A, "conv.i8"}, {0x6B, "conv.r4"}, {0x6C, "conv.r8"}, {0x6D, "conv.u4"}, {0x6E, "conv.u8"}, {0x6F, "callvirt"}, {0x70, "cpobj"}, {0x71, "ldobj"}, {0x72, "ldstr"}, {0x73, "newobj"}, {0x74, "castclass"}, {0x75, "isinst"}, {0x76, "conv.r.un"}, {0x79, "unbox"}, {0x7A, "throw"}, {0x7B, "ldfld"}, {0x7C, "ldflda"}, {0x7D, "stfld"}, {0x7E, "ldsfld"}, {0x7F, "ldsflda"}, {0x80, "stsfld"}, {0x81, "stobj"}, {0x82, "conv.ovf.i1.un"}, {0x83, "conv.ovf.i2.un"}, {0x84, "conv.ovf.i4.un"}, {0x85, "conv.ovf.i8.un"}, {0x86, "conv.ovf.u1.un"}, {0x87, "conv.ovf.u2.un"}, {0x88, "conv.ovf.u4.un"}, {0x89, "conv.ovf.u8.un"}, {0x8A, "conv.ovf.i.un"}, {0x8B, "conv.ovf.u.un"}, {0x8C, "box"}, {0x8D, "newarr"}, {0x8E, "ldlen"}, {0x8F, "ldelema"}, {0x90, "ldelem.i1"}, 
{0x91, "ldelem.u1"}, {0x92, "ldelem.i2"}, {0x93, "ldelem.u2"}, {0x94, "ldelem.i4"},
{0x95, "ldelem.u4"}, {0x96, "ldelem.i8"}, {0x97, "ldelem.i"}, {0x98, "ldelem.r4"},
{0x99, "ldelem.r8"}, {0x9A, "ldelem.ref"}, {0x9B, "stelem.i"}, {0x9C, "stelem.i1"},
{0x9D, "stelem.i2"}, {0x9E, "stelem.i4"}, {0x9F, "stelem.i8"}, {0xA0, "stelem.r4"},
{0xA1, "stelem.r8"}, {0xA2, "stelem.ref"}, {0xA3, "ldelem"}, {0xA4, "stelem"},
{0xA5, "unbox.any"}, {0xB3, "conv.ovf.i1"}, {0xB4, "conv.ovf.u1"}, {0xB5, "conv.ovf.i2"},
{0xB6, "conv.ovf.u2"}, {0xB7, "conv.ovf.i4"}, {0xB8, "conv.ovf.u4"}, {0xB9, "conv.ovf.i8"},
{0xBA, "conv.ovf.u8"}, {0xC2, "refanyval"}, {0xC3, "ckfinite"}, {0xC6, "mkrefany"},
{0xD0, "ldtoken"}, {0xD1, "conv.u2"}, {0xD2, "conv.u1"}, {0xD3, "conv.i"},
{0xD4, "conv.ovf.i"}, {0xD5, "conv.ovf.u"}, {0xD6, "add.ovf"}, {0xD7, "add.ovf.un"},
{0xD8, "mul.ovf"}, {0xD9, "mul.ovf.un"}, {0xDA, "sub.ovf"}, {0xDB, "sub.ovf.un"},
{0xDC, "endfinally"}, {0xDD, "leave"}, {0xDE, "leave.s"}, {0xDF, "stind.i"},
{0xE0, "conv.u"}, {0xFE, "prefix"}
}; // end of the single-byte opcode table (started above this excerpt)

// Two-byte opcodes (0xFE prefix): keyed by the byte that follows 0xFE.
// DisassembleIL consults this table only when the first byte is 0xFE.
std::map twoByteOpcodes = {
    {0x00, "arglist"}, {0x01, "ceq"}, {0x02, "cgt"}, {0x03, "cgt.un"},
    {0x04, "clt"}, {0x05, "clt.un"}, {0x06, "ldftn"}, {0x07, "ldvirtftn"},
    {0x09, "ldarg"}, {0x0A, "ldarga"}, {0x0B, "starg"}, {0x0C, "ldloc"},
    {0x0D, "ldloca"}, {0x0E, "stloc"}, {0x0F, "localloc"}, {0x11, "endfilter"},
    {0x12, "unaligned."}, {0x13, "volatile."}, {0x14, "tail."}, {0x15, "initobj"},
    {0x16, "constrained."}, {0x17, "cpblk"}, {0x18, "initblk"}, {0x1A, "rethrow"},
    {0x1C, "sizeof"}, {0x1D, "refanytype"}, {0x1E, "readonly."}
};

// Heuristic: does this assembly's display name look like part of PowerShell?
// Substring match on the four patterns below; the "powershell"/"PowerShell"
// pair is how the check covers two capitalisations (there is no
// case-insensitive compare, so e.g. "POWERSHELL" would not match).
// Matching by name only is a detection heuristic, not an integrity check: it
// says nothing about where the assembly was loaded from or whether it is the
// genuine one. Returns false for a null name.
bool IsPowerShellAssembly(const WCHAR* assemblyName)
{
    if (assemblyName == nullptr) return false;
    std::wstring name(assemblyName);
    return (name.find(L"System.Management.Automation") != std::wstring::npos ||
            name.find(L"Microsoft.PowerShell") != std::wstring::npos ||
            name.find(L"powershell") != std::wstring::npos ||
            name.find(L"PowerShell") != std::wstring::npos);
}

// Formats the "Class.Method" name behind a MethodDef or MemberRef token
// (call/callvirt/newobj operands) into fullName, which must hold bufferSize
// wide chars. Returns false for any other token kind, a null pMetaData, or a
// failed metadata call. Both scratch buffers are 512 wide chars and every
// metadata call is bounded by that size.
// For a MemberRef whose parent is neither a TypeRef nor a TypeDef (presumably
// a TypeSpec for a generic instantiation) className stays empty, which is why
// the log above prints operands such as "callvirt .Invoke".
bool ResolveMethodToken(IMetaDataImport* pMetaData, mdToken token, WCHAR* fullName, int bufferSize)
{
    if (!pMetaData) return false;

    WCHAR methodName[512] = { 0 };
    WCHAR className[512] = { 0 };
    mdTypeDef classToken = 0;
    ULONG nameLen = 0; // reused for every call; only the names matter here

    if (TypeFromToken(token) == mdtMethodDef)
    {
        // Method defined in this module: its parent is always a TypeDef.
        HRESULT hr = pMetaData->GetMethodProps(token, &classToken, methodName, 512, &nameLen, NULL, NULL, NULL, NULL, NULL);
        if (FAILED(hr)) return false;
        hr = pMetaData->GetTypeDefProps(classToken, className, 512, &nameLen, NULL, NULL);
        if (FAILED(hr)) return false;
    }
    else if (TypeFromToken(token) == mdtMemberRef)
    {
        // Reference to a member elsewhere: the parent may be a TypeRef or a TypeDef.
        HRESULT hr = pMetaData->GetMemberRefProps(token, &classToken, methodName, 512, &nameLen, NULL, NULL);
        if (FAILED(hr)) return false;
        if (TypeFromToken(classToken) == mdtTypeRef)
        {
            hr = pMetaData->GetTypeRefProps(classToken, NULL, className, 512, &nameLen);
            if (FAILED(hr)) return false;
        }
        else if (TypeFromToken(classToken) == mdtTypeDef)
        {
            hr = pMetaData->GetTypeDefProps(classToken, className, 512, &nameLen, NULL, NULL);
            if (FAILED(hr)) return false;
        }
        // Any other parent kind falls through with an empty className.
    }
    else
    {
        return false;
    }

    swprintf_s(fullName, bufferSize, L"%s.%s", className, methodName);
    return true;
}

// Resolves a user-string (#US heap) token, i.e. an ldstr operand, into
// strValue. Returns false when pMetaData is null or the lookup fails.
// NOTE(review): as far as I recall, IMetaDataImport::GetUserString copies at
// most bufferSize characters and does not NUL-terminate the output; the
// caller relies on its zero-initialised 512-char buffer, so a string of
// bufferSize or more characters would leave strValue unterminated before it
// reaches WideCharToMultiByte(..., -1, ...). Confirm against the docs and, if
// so, terminate at min(strLen, bufferSize - 1) here. The string content comes
// from the loaded assembly, so it should be treated as untrusted input.
bool ResolveStringToken(IMetaDataImport* pMetaData, mdToken token, WCHAR* strValue, int bufferSize)
{
    if (!pMetaData) return false;
    ULONG strLen = 0;
    HRESULT hr = pMetaData->GetUserString(token, strValue, bufferSize, &strLen);
    return SUCCEEDED(hr);
}

// Formats "Class.Field" for a FieldDef or MemberRef token (ldfld/stfld/
// ldsfld/stsfld operands) into fullName. Mirrors ResolveMethodToken except
// that the MemberRef branch only handles a TypeRef parent: a TypeDef (or any
// other) parent leaves className empty, which is what the "ldfld ._target"
// lines in the log above show. Adding the same TypeDef branch as
// ResolveMethodToken would fill in that case.
bool ResolveFieldToken(IMetaDataImport* pMetaData, mdToken token, WCHAR* fullName, int bufferSize)
{
    if (!pMetaData) return false;

    WCHAR fieldName[512] = { 0 };
    WCHAR className[512] = { 0 };
    mdTypeDef classToken = 0;
    ULONG nameLen = 0;

    if (TypeFromToken(token) == mdtFieldDef)
    {
        HRESULT hr = pMetaData->GetFieldProps(token, &classToken, fieldName, 512, &nameLen, NULL, NULL, NULL, NULL, NULL, NULL);
        if (FAILED(hr)) return false;
        hr = pMetaData->GetTypeDefProps(classToken, className, 512, &nameLen, NULL, NULL);
        if (FAILED(hr)) return false;
    }
    else if (TypeFromToken(token) == mdtMemberRef)
    {
        HRESULT hr = pMetaData->GetMemberRefProps(token, &classToken, fieldName, 512, &nameLen, NULL, NULL);
        if (FAILED(hr)) return false;
        if (TypeFromToken(classToken) == mdtTypeRef)
        {
            hr = pMetaData->GetTypeRefProps(classToken, NULL, className, 512, &nameLen);
            if (FAILED(hr)) return false;
        }
        // No TypeDef branch here (unlike ResolveMethodToken): className stays empty.
    }
    else
    {
        return false;
    }

    swprintf_s(fullName, bufferSize, L"%s.%s", className, fieldName);
    return true;
}

// Looks up the declaring class and the method name of a FunctionID through
// ICorProfilerInfo3 and writes them into className / methodName; each buffer
// must hold at least bufferSize wide chars. The metadata import is Released
// on every path after it has been acquired. classId is obtained from
// GetFunctionInfo but not used. Returns false when profilerInfo is unset or
// any lookup fails.
bool GetMethodName(FunctionID functionId, WCHAR* className, WCHAR* methodName, int bufferSize)
{
    if (!profilerInfo) return false;

    ClassID classId = 0;
    ModuleID moduleId = 0;
    mdToken token = 0;
    HRESULT hr = profilerInfo->GetFunctionInfo(functionId, &classId, &moduleId, &token);
    if (FAILED(hr)) return false;

    IMetaDataImport* pMetaDataImport = NULL;
    hr = profilerInfo->GetModuleMetaData(moduleId, ofRead, IID_IMetaDataImport, (IUnknown**)&pMetaDataImport);
    if (FAILED(hr)) return false;

    mdTypeDef classToken = 0;
    ULONG methodNameLen = 0;
    hr = pMetaDataImport->GetMethodProps(token, &classToken, methodName, bufferSize, &methodNameLen, NULL, NULL, NULL, NULL, NULL);
    if (FAILED(hr))
    {
        pMetaDataImport->Release(); // do not leak the import on the error path
        return false;
    }

    ULONG classNameLen = 0;
    hr = pMetaDataImport->GetTypeDefProps(classToken, className, bufferSize, &classNameLen, NULL, NULL);
    pMetaDataImport->Release();
    return SUCCEEDED(hr);
}

// Prints a table-formatted IL listing for a JIT-compiled method, resolving
// call/field/string tokens through the module's metadata. The function body
// continues past the end of this excerpt.
// hr from GetModuleMetaData is not checked here; the operand decoders further
// down guard on pMetaData being non-null instead, so a failed lookup degrades
// to printing raw tokens. Whether pMetaData is Released is outside this
// excerpt. The IL bytes come from whatever assembly the runtime loads, i.e.
// untrusted input from the profiler's point of view, so the operand reads
// visible below check offset + 4 < ilSize before dereferencing.
void DisassembleIL(const BYTE* pILCode, ULONG ilSize, const WCHAR* className, const WCHAR* methodName, ModuleID moduleId)
{
    // Get metadata interface for token resolution
    IMetaDataImport* pMetaData = NULL;
    HRESULT hr = profilerInfo->GetModuleMetaData(moduleId, ofRead, IID_IMetaDataImport, (IUnknown**)&pMetaData);

    printf("+========+====================+=================================================================+\n");
    printf("| IL DISASSEMBLY |\n");
    printf("+========+====================+=================================================================+\n");
    printf("| Method: %ws.%ws\n", className, methodName);
    printf("| IL Code Size: %lu bytes\n", ilSize);
printf("+========+====================+=================================================================+\n"); printf("| Offset | Hex Bytes | IL Instruction |\n"); printf("+========+====================+=================================================================+\n"); for (ULONG offset = 0; offset < ilSize;) { BYTE opcode = pILCode[offset]; std::string instruction = "unknown"; char operandStr[512] = { 0 }; int instructionLength = 1; // Handle two-byte opcodes if (opcode == 0xFE && offset + 1 < ilSize) { BYTE secondByte = pILCode[offset + 1]; if (twoByteOpcodes.find(secondByte) != twoByteOpcodes.end()) { instruction = twoByteOpcodes[secondByte]; } else { instruction = "unknown_2byte"; } instructionLength = 2; } else if (ilOpcodes.find(opcode) != ilOpcodes.end()) { instruction = ilOpcodes[opcode]; if ((opcode == 0x28 || opcode == 0x6F) && offset + 4 < ilSize) // call, callvirt { UINT32 token = *(UINT32*)(pILCode + offset + 1); WCHAR resolvedName[512] = { 0 }; if (pMetaData && ResolveMethodToken(pMetaData, token, resolvedName, 512)) { char utf8Name[1024] = { 0 }; WideCharToMultiByte(CP_UTF8, 0, resolvedName, -1, utf8Name, sizeof(utf8Name), NULL, NULL); sprintf_s(operandStr, " %s", utf8Name); } else { sprintf_s(operandStr, " 0x%08X", token); } instructionLength = 5; } else if (opcode == 0x72 && offset + 4 < ilSize) // ldstr { UINT32 token = *(UINT32*)(pILCode + offset + 1); WCHAR resolvedString[512] = { 0 }; if (pMetaData && ResolveStringToken(pMetaData, token, resolvedString, 512)) { char utf8String[1024] = { 0 }; char escapedString[1024] = { 0 }; WideCharToMultiByte(CP_UTF8, 0, resolvedString, -1, utf8String, sizeof(utf8String), NULL, NULL); int escapeIdx = 0; for (int i = 0; utf8String[i] != '\0' && escapeIdx < sizeof(escapedString) - 3; i++) { switch (utf8String[i]) { case '\n': escapedString[escapeIdx++] = '\\'; escapedString[escapeIdx++] = 'n'; break; case '\r': escapedString[escapeIdx++] = '\\'; escapedString[escapeIdx++] = 'r'; break; case '\t': 
escapedString[escapeIdx++] = '\\'; escapedString[escapeIdx++] = 't'; break; case '\\': escapedString[escapeIdx++] = '\\'; escapedString[escapeIdx++] = '\\'; break; case '"': escapedString[escapeIdx++] = '\\'; escapedString[escapeIdx++] = '"'; break; case '`': escapedString[escapeIdx++] = '\\'; escapedString[escapeIdx++] = '`'; break; default: // Only print printable ASCII characters if (utf8String[i] >= 32 && utf8String[i] <= 126) { escapedString[escapeIdx++] = utf8String[i]; } else { // Show as hex for non-printable characters escapeIdx += sprintf_s(&escapedString[escapeIdx], sizeof(escapedString) - escapeIdx, "\\x%02X", (unsigned char)utf8String[i]); } break; } } escapedString[escapeIdx] = '\0'; // Truncate if too long to fit in table if (strlen(escapedString) > 35) { escapedString[32] = '.'; escapedString[33] = '.'; escapedString[34] = '.'; escapedString[35] = '\0'; } sprintf_s(operandStr, " \"%s\"", escapedString); } else { sprintf_s(operandStr, " 0x%08X", token); } instructionLength = 5; } else if ((opcode == 0x7B || opcode == 0x7D || opcode == 0x7E || opcode == 0x80) && offset + 4 < ilSize) // ldfld, stfld, ldsfld, stsfld { UINT32 token = *(UINT32*)(pILCode + offset + 1); WCHAR resolvedName[512] = { 0 }; if (pMetaData && ResolveFieldToken(pMetaData, token, resolvedName, 512)) { char utf8Name[1024] = { 0 }; WideCharToMultiByte(CP_UTF8, 0, resolvedName, -1, utf8Name, sizeof(utf8Name), NULL, NULL); sprintf_s(operandStr, " %s", utf8Name); } else { sprintf_s(operandStr, " 0x%08X", token); } instructionLength = 5; } else if (opcode == 0x73 && offset + 4 < ilSize) // newobj { UINT32 token = *(UINT32*)(pILCode + offset + 1); WCHAR resolvedName[512] = { 0 }; if (pMetaData && ResolveMethodToken(pMetaData, token, resolvedName, 512)) { char utf8Name[1024] = { 0 }; WideCharToMultiByte(CP_UTF8, 0, resolvedName, -1, utf8Name, sizeof(utf8Name), NULL, NULL); sprintf_s(operandStr, " %s", utf8Name); } else { sprintf_s(operandStr, " 0x%08X", token); } instructionLength = 5; } 
else if (opcode == 0x20 && offset + 4 < ilSize) // ldc.i4 { INT32 value = *(INT32*)(pILCode + offset + 1); sprintf_s(operandStr, " %d", value); instructionLength = 5; } else if (opcode == 0x1F && offset + 1 < ilSize) // ldc.i4.s { INT8 value = *(INT8*)(pILCode + offset + 1); sprintf_s(operandStr, " %d", value); instructionLength = 2; } else if ((opcode >= 0x0E && opcode <= 0x13) && offset + 1 < ilSize) // ldarg.s, ldloc.s, etc (short form with 1-byte operand) { BYTE value = pILCode[offset + 1]; sprintf_s(operandStr, " %d", value); instructionLength = 2; } else if ((opcode >= 0x2B && opcode <= 0x37) && offset + 1 < ilSize) // branch instructions (short form) { INT8 branchOffset = *(INT8*)(pILCode + offset + 1); ULONG targetOffset = offset + 2 + branchOffset; sprintf_s(operandStr, " IL_%04X", targetOffset); instructionLength = 2; } else if ((opcode >= 0x38 && opcode <= 0x44) && offset + 4 < ilSize) // branch instructions (long form) { INT32 branchOffset = *(INT32*)(pILCode + offset + 1); ULONG targetOffset = offset + 5 + branchOffset; sprintf_s(operandStr, " IL_%04X", targetOffset); instructionLength = 5; } } char hexBytes[64] = { 0 }; for (int i = 0; i < instructionLength && i < 8; i++) { char temp[4]; sprintf_s(temp, "%02X ", pILCode[offset + i]); strcat_s(hexBytes, temp); } while (strlen(hexBytes) < 19) { strcat_s(hexBytes, " "); } char fullInstruction[600]; sprintf_s(fullInstruction, "%s%s", instruction.c_str(), operandStr); printf("| %06X | %-18s | %-63s |\n", offset, hexBytes, fullInstruction); offset += instructionLength; } printf("+========+====================+=================================================================+\n\n"); if (pMetaData) { pMetaData->Release(); } } void PrintHexDump(const BYTE* pILCode, ULONG ilSize) { printf("Raw IL Bytecode (Hex Dump):\n"); printf("Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F ASCII\n"); printf("-------------------------------------------------------------------------\n"); for (ULONG i = 0; i < 
ilSize; i += 16) { printf("%08X ", i); // Print hex bytes for (int j = 0; j < 16; j++) { if (i + j < ilSize) printf("%02X ", pILCode[i + j]); else printf(" "); } // Print ASCII representation printf(" "); for (int j = 0; j < 16 && i + j < ilSize; j++) { BYTE b = pILCode[i + j]; printf("%c", (b >= 32 && b <= 126) ? b : '.'); } printf("\n"); } printf("\n"); } public: ExampleProfiler() { refCount = 0; profilerInfo = NULL; } ~ExampleProfiler() { if (profilerInfo != NULL) profilerInfo->Release(); } STDMETHODIMP_(ULONG) AddRef() { return InterlockedIncrement(&refCount); } STDMETHODIMP_(ULONG) Release() { auto ret = InterlockedDecrement(&refCount); if (ret <= 0) delete(this); return ret; } HRESULT STDMETHODCALLTYPE QueryInterface(REFIID riid, void** ppvObject) override { if (riid == __uuidof(ICorProfilerCallback3) || riid == __uuidof(ICorProfilerCallback2) || riid == __uuidof(ICorProfilerCallback) || riid == IID_IUnknown) { *ppvObject = this; this->AddRef(); return S_OK; } *ppvObject = nullptr; return E_NOINTERFACE; } STDMETHODIMP Initialize(IUnknown* pICorProfilerInfoUnk) { return InitializeForAttach(pICorProfilerInfoUnk, NULL, -1); } STDMETHODIMP Shutdown() { if (profilerInfo != NULL) { profilerInfo->Release(); profilerInfo = NULL; } return S_OK; } HRESULT STDMETHODCALLTYPE InitializeForAttach(IUnknown* pICorProfilerInfoUnk, void* pvClientData, UINT cbClientData) { HRESULT hr = pICorProfilerInfoUnk->QueryInterface(__uuidof(ICorProfilerInfo3), (void**)&profilerInfo); if (FAILED(hr)) return hr; hr = profilerInfo->SetEventMask( COR_PRF_MONITOR_ASSEMBLY_LOADS | COR_PRF_MONITOR_GC | COR_PRF_MONITOR_JIT_COMPILATION ); return hr; } HRESULT STDMETHODCALLTYPE ProfilerAttachComplete(void) { return S_OK; } HRESULT STDMETHODCALLTYPE ProfilerDetachSucceeded(void) { return Shutdown(); } STDMETHODIMP AssemblyLoadStarted(AssemblyID assemblyId) { printf("[*] Assembly loading started (ID: %p)\n", (void*)assemblyId); return S_OK; } STDMETHODIMP AssemblyLoadFinished(AssemblyID assemblyId, 
HRESULT hrStatus) { if (SUCCEEDED(hrStatus) && profilerInfo != NULL) { LPCBYTE pbPublicKey; ULONG cchName; WCHAR assemblyName[512]; AppDomainID appDomainId; ModuleID moduleId; HRESULT hr = profilerInfo->GetAssemblyInfo( assemblyId, sizeof(assemblyName) / sizeof(WCHAR), &cchName, assemblyName, &appDomainId, &moduleId ); if (SUCCEEDED(hr)) { if (IsPowerShellAssembly(assemblyName)) { printf("================================================================================\n"); printf("!!! POWERSHELL DETECTED !!!\n"); printf("!!! You are about to execute PowerShell!\n"); printf("Assembly: %ws\n", assemblyName); printf("Assembly ID: %p\n", (void*)assemblyId); printf("Module ID: %p\n", (void*)moduleId); printf("AppDomain ID: %p\n", (void*)appDomainId); printf("================================================================================\n\n"); } else { printf("[+] Assembly loaded: %ws (ID: %p)\n", assemblyName, (void*)assemblyId); } } } return S_OK; } STDMETHODIMP JITCompilationStarted(FunctionID functionId, BOOL fIsSafeToBlock) { if (!profilerInfo) return S_OK; ClassID classId = 0; ModuleID moduleId = 0; mdToken methodToken = 0; HRESULT hr = profilerInfo->GetFunctionInfo(functionId, &classId, &moduleId, &methodToken); if (FAILED(hr)) return S_OK; WCHAR className[512] = { 0 }; WCHAR methodName[512] = { 0 }; GetMethodName(functionId, className, methodName, 512); std::wstring classNameStr(className); bool isPowerShellRelated = ( classNameStr.find(L"PowerShell") != std::wstring::npos || classNameStr.find(L"System.Management.Automation") != std::wstring::npos || classNameStr.find(L"PSCommand") != std::wstring::npos || classNameStr.find(L"Runspace") != std::wstring::npos || classNameStr.find(L"ScriptBlock") != std::wstring::npos || wcsstr(methodName, L"Write") != NULL || wcsstr(methodName, L"Invoke") != NULL ); if (!isPowerShellRelated) { return S_OK; } LPCBYTE pMethodHeader = NULL; ULONG ilSize = 0; hr = profilerInfo->GetILFunctionBody(moduleId, methodToken, 
&pMethodHeader, &ilSize); if (SUCCEEDED(hr) && pMethodHeader != NULL && ilSize > 0) { printf("\n================================================================================\n"); printf("JIT COMPILATION STARTED\n"); printf("================================================================================\n"); printf("Method: %ws.%ws\n", className, methodName); printf("FunctionID: %p\n", (void*)functionId); printf("MethodToken: 0x%08X\n", methodToken); printf("IL Code Size: %lu bytes\n", ilSize); printf("================================================================================\n\n"); PrintHexDump(pMethodHeader, ilSize); DisassembleIL(pMethodHeader, ilSize, className, methodName, moduleId); } return S_OK; } STDMETHODIMP GarbageCollectionFinished(void) { printf("[*] Garbage Collection completed\n"); return S_OK; } STDMETHODIMP AppDomainCreationStarted(AppDomainID appDomainId) { return S_OK; } STDMETHODIMP AppDomainCreationFinished(AppDomainID appDomainId, HRESULT hrStatus) { return S_OK; } STDMETHODIMP AppDomainShutdownStarted(AppDomainID appDomainId) { return S_OK; } STDMETHODIMP AppDomainShutdownFinished(AppDomainID appDomainId, HRESULT hrStatus) { return S_OK; } STDMETHODIMP AssemblyUnloadStarted(AssemblyID assemblyId) { return S_OK; } STDMETHODIMP AssemblyUnloadFinished(AssemblyID assemblyId, HRESULT hrStatus) { return S_OK; } STDMETHODIMP ModuleLoadStarted(ModuleID moduleId) { return S_OK; } STDMETHODIMP ModuleLoadFinished(ModuleID moduleId, HRESULT hrStatus) { return S_OK; } STDMETHODIMP ModuleUnloadStarted(ModuleID moduleId) { return S_OK; } STDMETHODIMP ModuleUnloadFinished(ModuleID moduleId, HRESULT hrStatus) { return S_OK; } STDMETHODIMP ModuleAttachedToAssembly(ModuleID moduleId, AssemblyID assemblyId) { return S_OK; } STDMETHODIMP ClassLoadStarted(ClassID classId) { return S_OK; } STDMETHODIMP ClassLoadFinished(ClassID classId, HRESULT hrStatus) { return S_OK; } STDMETHODIMP ClassUnloadStarted(ClassID classId) { return S_OK; } STDMETHODIMP 
ClassUnloadFinished(ClassID classId, HRESULT hrStatus) { return S_OK; } STDMETHODIMP FunctionUnloadStarted(FunctionID functionId) { return S_OK; } STDMETHODIMP JITCompilationFinished(FunctionID functionId, HRESULT hrStatus, BOOL fIsSafeToBlock) { return S_OK; } STDMETHODIMP JITCachedFunctionSearchStarted(FunctionID functionId, BOOL* pbUseCachedFunction) { return S_OK; } STDMETHODIMP JITCachedFunctionSearchFinished(FunctionID functionId, COR_PRF_JIT_CACHE result) { return S_OK; } STDMETHODIMP JITFunctionPitched(FunctionID functionId) { return S_OK; } STDMETHODIMP JITInlining(FunctionID callerId, FunctionID calleeId, BOOL* pfShouldInline) { return S_OK; } STDMETHODIMP ThreadCreated(ThreadID threadId) { return S_OK; } STDMETHODIMP ThreadDestroyed(ThreadID threadId) { return S_OK; } STDMETHODIMP ThreadAssignedToOSThread(ThreadID managedThreadId, ULONG osThreadId) { return S_OK; } STDMETHODIMP RemotingClientInvocationStarted() { return S_OK; } STDMETHODIMP RemotingClientSendingMessage(GUID* pCookie, BOOL fIsAsync) { return S_OK; } STDMETHODIMP RemotingClientReceivingReply(GUID* pCookie, BOOL fIsAsync) { return S_OK; } STDMETHODIMP RemotingClientInvocationFinished() { return S_OK; } STDMETHODIMP RemotingServerReceivingMessage(GUID* pCookie, BOOL fIsAsync) { return S_OK; } STDMETHODIMP RemotingServerInvocationStarted() { return S_OK; } STDMETHODIMP RemotingServerInvocationReturned() { return S_OK; } STDMETHODIMP RemotingServerSendingReply(GUID* pCookie, BOOL fIsAsync) { return S_OK; } STDMETHODIMP UnmanagedToManagedTransition(FunctionID functionId, COR_PRF_TRANSITION_REASON reason) { return S_OK; } STDMETHODIMP ManagedToUnmanagedTransition(FunctionID functionId, COR_PRF_TRANSITION_REASON reason) { return S_OK; } STDMETHODIMP RuntimeSuspendStarted(COR_PRF_SUSPEND_REASON suspendReason) { return S_OK; } STDMETHODIMP RuntimeSuspendFinished() { return S_OK; } STDMETHODIMP RuntimeSuspendAborted() { return S_OK; } STDMETHODIMP RuntimeResumeStarted() { return S_OK; } STDMETHODIMP 
RuntimeResumeFinished() { return S_OK; } STDMETHODIMP RuntimeThreadSuspended(ThreadID threadId) { return S_OK; } STDMETHODIMP RuntimeThreadResumed(ThreadID threadId) { return S_OK; } STDMETHODIMP MovedReferences(ULONG cMovedObjectIDRanges, ObjectID oldObjectIDRangeStart[], ObjectID newObjectIDRangeStart[], ULONG cObjectIDRangeLength[]) { return S_OK; } STDMETHODIMP ObjectAllocated(ObjectID objectId, ClassID classId) { return S_OK; } STDMETHODIMP ObjectsAllocatedByClass(ULONG cClassCount, ClassID classIds[], ULONG cObjects[]) { return S_OK; } STDMETHODIMP ObjectReferences(ObjectID objectId, ClassID classId, ULONG cObjectRefs, ObjectID objectRefIds[]) { return S_OK; } STDMETHODIMP RootReferences(ULONG cRootRefs, ObjectID rootRefIds[]) { return S_OK; } STDMETHODIMP ExceptionThrown(ObjectID thrownObjectId) { return S_OK; } STDMETHODIMP ExceptionSearchFunctionEnter(FunctionID functionId) { return S_OK; } STDMETHODIMP ExceptionSearchFunctionLeave() { return S_OK; } STDMETHODIMP ExceptionSearchFilterEnter(FunctionID functionId) { return S_OK; } STDMETHODIMP ExceptionSearchFilterLeave() { return S_OK; } STDMETHODIMP ExceptionSearchCatcherFound(FunctionID functionId) { return S_OK; } STDMETHODIMP ExceptionOSHandlerEnter(FunctionID functionId) { return S_OK; } STDMETHODIMP ExceptionOSHandlerLeave(FunctionID functionId) { return S_OK; } STDMETHODIMP ExceptionUnwindFunctionEnter(FunctionID functionId) { return S_OK; } STDMETHODIMP ExceptionUnwindFunctionLeave() { return S_OK; } STDMETHODIMP ExceptionUnwindFinallyEnter(FunctionID functionId) { return S_OK; } STDMETHODIMP ExceptionUnwindFinallyLeave() { return S_OK; } STDMETHODIMP ExceptionCatcherEnter(FunctionID functionId, ObjectID objectId) { return S_OK; } STDMETHODIMP ExceptionCatcherLeave() { return S_OK; } STDMETHODIMP COMClassicVTableCreated(ClassID wrappedClassId, REFGUID implementedIID, void* pVTable, ULONG cSlots) { return S_OK; } STDMETHODIMP COMClassicVTableDestroyed(ClassID wrappedClassId, REFGUID implementedIID, 
void* pVTable) { return S_OK; } STDMETHODIMP ExceptionCLRCatcherFound(void) { return S_OK; } STDMETHODIMP ExceptionCLRCatcherExecute(void) { return S_OK; } STDMETHODIMP ThreadNameChanged(ThreadID threadId, ULONG cchName, WCHAR* name) { return S_OK; } STDMETHODIMP GarbageCollectionStarted(int cGenerations, BOOL generationCollected[], COR_PRF_GC_REASON reason) { return S_OK; } STDMETHODIMP SurvivingReferences(ULONG cSurvivingObjectIDRanges, ObjectID objectIDRangeStart[], ULONG cObjectIDRangeLength[]) { return S_OK; } STDMETHODIMP FinalizeableObjectQueued(DWORD finalizerFlags, ObjectID objectID) { return S_OK; } STDMETHODIMP RootReferences2(ULONG cRootRefs, ObjectID rootRefIds[], COR_PRF_GC_ROOT_KIND rootKinds[], COR_PRF_GC_ROOT_FLAGS rootFlags[], UINT_PTR rootIds[]) { return S_OK; } STDMETHODIMP HandleCreated(GCHandleID handleId, ObjectID initialObjectId) { return S_OK; } STDMETHODIMP HandleDestroyed(GCHandleID handleId) { return S_OK; } }; class ExampleProfilerClassFactory : public IClassFactory { private: long refCount; public: ExampleProfilerClassFactory() { refCount = 0; } ULONG __stdcall AddRef() { return InterlockedIncrement(&refCount); } ULONG __stdcall Release() { auto ret = InterlockedDecrement(&refCount); if (ret <= 0) delete(this); return ret; } HRESULT __stdcall QueryInterface(REFIID riid, void** ppInterface) { if (IID_IUnknown == riid) *ppInterface = static_cast(this); else if (IID_IClassFactory == riid) *ppInterface = static_cast(this); else { *ppInterface = NULL; return (E_NOTIMPL); } reinterpret_cast(*ppInterface)->AddRef(); return (S_OK); } HRESULT __stdcall LockServer(BOOL bLock) { return S_OK; } HRESULT __stdcall CreateInstance(IUnknown* pUnkOuter, REFIID riid, void** ppInterface) { if (NULL != pUnkOuter) return (CLASS_E_NOAGGREGATION); auto* pProfilerCallback = new ExampleProfiler(); if (pProfilerCallback == NULL) return E_OUTOFMEMORY; return pProfilerCallback->QueryInterface(riid, ppInterface); } }; BOOL WINAPI DllMain(HINSTANCE hInstance, DWORD 
dwReason, LPVOID lpReserved) { return TRUE; } STDAPI DllGetClassObject(REFCLSID rclsid, REFIID riid, LPVOID FAR* ppv) { HRESULT hr = E_FAIL; if (rclsid == __uuidof(ProfilerCLSID)) { auto* pClassFactory = new ExampleProfilerClassFactory; if (pClassFactory == NULL) return E_OUTOFMEMORY; hr = pClassFactory->QueryInterface(riid, ppv); } return (hr); } STDAPI DllCanUnloadNow(void) { return S_OK; }