Showing posts with label performance testing with ps.

Friday, January 2, 2009

Searching for malware with Powershell

hmmm.....
The script below gives me output like:
1/3/2009 11:09 AM,19:9:16:859,100,csrss,1124,16388096,40923136,104357888,15458304,39809024,87851008
that is: local date, UTC time, interval in seconds, process name, PID, then WorkingSet, PrivateMemorySize and VirtualMemorySize, followed by the change in each of the three over the measurement interval (now minus then, so a positive number means growth).
## Use ps to measure Application Memory Deltas
## Run '.\ws_diff.ps1 [Interval in Seconds] [Process Name]' (omit the name to measure every process), or
## to log one process (here cmd) continually every 10 seconds -- 'while (1) {.\WS_diff.ps1 10 cmd >> ps_out.txt }'

# Create args as Variables or Objects
$sleep_time = [int]$args[0]
$proc_name  = $args[1]          # $NULL when ps is called without a name

# Take one snapshot of Name, ID and the three memory counters. A Process object
# caches its counters the first time they are read, so each snapshot re-runs ps
# instead of re-reading the objects from the previous snapshot (ps -inputobject
# hands back the same objects, and every delta would then come out 0).
function Get-Snapshot {
    $procs = if ($proc_name -eq $NULL) { ps } else { ps -name $proc_name }
    $procs | Select Name,ID,WorkingSet,PrivateMemorySize,VirtualMemorySize
}

# Then take measurements $then and $now
$then = Get-Snapshot
sleep -seconds $sleep_time
$now  = Get-Snapshot

# Index the first snapshot by PID. Pairing the two snapshots by array position
# pairs the wrong processes as soon as one starts or exits during the interval.
$then_by_id = @{}
$then | %{ $then_by_id[$_.ID] = $_ }

# Declare Time Measurements (local date, UTC time of day)
$date = (get-date -format g)
$ts   = [DateTime]::UtcNow.TimeOfDay
$time = "" + $ts.Hours + ":" + $ts.Minutes + ":" + $ts.Seconds + ":" + $ts.Milliseconds

# Write output and find diffs: now minus then, so a positive delta is growth
$array_out = $now | %{
    $old = $then_by_id[$_.ID]
    if ($old -eq $NULL) { return }   # started during the interval; nothing to diff against
    $date + "," + $time + "," + $sleep_time + "," + $_.Name + "," + $_.ID + "," +
    $_.WorkingSet + "," + $_.PrivateMemorySize + "," + $_.VirtualMemorySize + "," +
    ($_.WorkingSet - $old.WorkingSet) + "," +
    ($_.PrivateMemorySize - $old.PrivateMemorySize) + "," +
    ($_.VirtualMemorySize - $old.VirtualMemorySize)
}

write $array_out
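As an added example (not code from the original post), here is a script that reads a ps_out.txt log written by the loop in the header comment and flags processes whose working set grew in every interval that was logged. The log lines are constructed for the example, the column names are my own (the log has no header row), and grouping is by PID so that several instances of one name are judged separately. Steady growth across many intervals is also what an ordinary memory leak looks like, so treat a hit as something to go and look at, not as a verdict.

```powershell
# Added example, not part of the original post: scan a ps_out.txt log written by
# 'while (1) {.\WS_diff.ps1 10 cmd >> ps_out.txt }' for processes whose working
# set grew in every interval that was logged.

# Constructed sample log in the 11-column format the script above writes.
$sample_log = @'
1/3/2009 11:09 AM,19:9:16:859,10,csrss,1124,16388096,40923136,104357888,0,0,0
1/3/2009 11:09 AM,19:9:16:859,10,cmd,2044,3080192,1540096,33554432,4096,0,0
1/3/2009 11:09 AM,19:9:26:871,10,csrss,1124,16388096,40923136,104357888,0,0,0
1/3/2009 11:09 AM,19:9:26:871,10,cmd,2044,3346432,1806336,33554432,266240,266240,0
1/3/2009 11:09 AM,19:9:36:882,10,csrss,1124,16392192,40923136,104357888,4096,0,0
1/3/2009 11:09 AM,19:9:36:882,10,cmd,2044,3612672,2072576,33554432,266240,266240,0
'@

# Column names are assumed here; the log itself carries no header row.
$header = 'Date','Time','Interval','Name','PID','WorkingSet','PrivateMemorySize',
          'VirtualMemorySize','dWorkingSet','dPrivateMemorySize','dVirtualMemorySize'

# To scan a real log, replace the here-string with: $lines = Get-Content .\ps_out.txt
$lines = $sample_log -split "`r?`n" | ?{ $_ -ne '' }
$rows  = $lines | ConvertFrom-Csv -Header $header

# Group by PID rather than by name, so the several chrome or svchost instances
# are judged separately, and only report PIDs with at least $min_samples rows.
$min_samples = 3
$rows | Group-Object PID | %{
    $deltas       = @($_.Group | %{ [long]$_.dWorkingSet })
    $flat_or_down = @($deltas | ?{ $_ -le 0 }).Count
    if ($deltas.Count -ge $min_samples -and $flat_or_down -eq 0) {
        New-Object PSObject -Property @{
            Name    = $_.Group[0].Name
            PID     = $_.Name
            Samples = $deltas.Count
            Growth  = ($deltas | Measure-Object -Sum).Sum
        } | Select Name,PID,Samples,Growth
    }
} | Sort-Object Growth -Descending | Format-Table -AutoSize
```

On the constructed log this reports only cmd (PID 2044, three samples, 536576 bytes of growth); csrss is skipped because two of its three intervals show no change. Raising $min_samples, or requiring growth in most rather than all intervals, is the knob to turn against a noisy log.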

Tuesday, December 30, 2008

Measuring Working Set difference over time

Something performance-oriented that I spent way too much time on...

## Use ps to measure WS difference
## Run '.\ws_diff.ps1 [Measure Interval in Seconds]' or
## to log to text continually every 10 seconds -- 
## 'while (1) {.\WS_diff.ps1 10 >> ps_out.txt }'

# Take Measurements $then and $now. Each is a fresh ps call: a Process object
# caches WorkingSet when first read, so re-reading old objects would give 0.
$interval = [int]$args[0]
$then = ps | Select Name,ID,WorkingSet
sleep -seconds $interval
$now  = ps | Select Name,ID,WorkingSet

# Index $then by PID so the two snapshots line up even if a process started or
# exited during the interval (pairing by array position would mismatch them)
$then_by_id = @{}
$then | %{ $then_by_id[$_.ID] = $_ }

# Declare Time Measurement (local date, UTC time of day)
$date = (get-date -format g)
$ts   = [DateTime]::UtcNow.TimeOfDay
$time = "" + $ts.Hours + ":" + $ts.Minutes + ":" + $ts.Seconds + ":" + $ts.Milliseconds

## write output and find difference (then minus now: a negative number means the working set grew)
$text_out = $now | %{
    $old = $then_by_id[$_.ID]
    if ($old -eq $NULL) { return }   # started during the interval; no baseline
    $date + "," + $time + "," + $interval + "," + $_.Name + "," + $_.ID + "," +
    ($old.WorkingSet - $_.WorkingSet)
}

write $text_out

Produces CSV output like this (local date, UTC time, interval, name, PID, working set difference in bytes):

12/30/2008 12:53 PM,20:53:58:953,10,AcroRd32,2204,0
12/30/2008 12:53 PM,20:53:58:953,10,alg,1648,0
12/30/2008 12:53 PM,20:53:58:953,10,CepstralLicSrv,476,0
12/30/2008 12:53 PM,20:53:58:953,10,chrome,336,-4096
12/30/2008 12:53 PM,20:53:58:953,10,chrome,2416,0
12/30/2008 12:53 PM,20:53:58:953,10,chrome,2580,0
12/30/2008 12:53 PM,20:53:58:953,10,chrome,2660,-77824
...