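        /// <summary>
        /// Initializes the window: builds the system-service-number → name table from a
        /// file-backed mapping of ntdll.dll, then configures the KProcessHacker-backed
        /// <c>SsLogger</c> that feeds the event list.
        /// </summary>
        /// <remarks>
        /// The number for each <c>ntdll!Zw*</c> export is read as a 32-bit value at offset 1
        /// of the stub in the mapped file (the offset of the symbol from the loaded ntdll base,
        /// rebased onto the view). NOTE(review): that offset presumes the x86 stub layout, and
        /// the x86 dbghelp path plus the <c>int</c>-sized view suggest a 32-bit-only build — confirm.
        /// Compared with the original, every native handle is now released on the error path and
        /// a missing ntdll module fails with an explicit exception instead of a null dereference.
        /// </remarks>
        /// <exception cref="InvalidOperationException">
        /// ntdll.dll was not found among the current process's modules.
        /// </exception>
        public MainWindow()
        {
            InitializeComponent();

            // Prefer the Debugging Tools dbghelp.dll over the system copy. The path is fixed and
            // the return value is not checked, so when that install is absent SymbolProvider
            // silently ends up with whichever dbghelp.dll it loads on its own.
            Win32.LoadLibrary("C:\\Program Files\\Debugging Tools for Windows (x86)\\dbghelp.dll");

            SymbolProvider symbols = new SymbolProvider(ProcessHandle.Current);

            try
            {
                SymbolProvider.Options |= SymbolOptions.PublicsOnly;

                IntPtr ntdllBase = Loader.GetDllHandle("ntdll.dll");
                FileHandle ntdllFileHandle = null;
                Section section = null;
                SectionView view = null;

                try
                {
                    ProcessHandle.Current.EnumModules((module) =>
                        {
                            if (module.BaseName.Equals("ntdll.dll", StringComparison.InvariantCultureIgnoreCase))
                            {
                                // Map the on-disk file rather than the already-loaded image.
                                // NOTE(review): the "\??\" prefix presumes module.FileName is a Win32 path — confirm.
                                ntdllFileHandle = new FileHandle(@"\??\" + module.FileName,
                                    FileShareMode.ReadWrite,
                                    FileAccess.GenericExecute | FileAccess.GenericRead
                                    );
                                section = new Section(ntdllFileHandle, true, MemoryProtection.ExecuteRead);

                                symbols.LoadModule(module.FileName, module.BaseAddress, module.Size);
                                return false;
                            }

                            return true;
                        });

                    // Previously these were dereferenced unconditionally; give a clear failure instead.
                    if (section == null || ntdllFileHandle == null)
                        throw new InvalidOperationException("ntdll.dll was not found in the current process's module list.");

                    view = section.MapView((int)ntdllFileHandle.GetSize());

                    symbols.EnumSymbols("ntdll!Zw*", (symbol) =>
                        {
                            // RVA of the stub (symbol address minus loaded base), rebased onto the
                            // file view, plus one byte past the leading opcode.
                            int number = Marshal.ReadInt32(
                                (symbol.Address.ToIntPtr().Decrement(ntdllBase)).Increment(view.Memory).Increment(1));

                            // Record the Nt* spelling; the enumerated names all start with "Zw".
                            _sysCallNames.Add(
                                number,
                                "Nt" + symbol.Name.Substring(2)
                                );

                            return true;
                        });
                }
                finally
                {
                    // Release in reverse order of creation; each may be null if we failed early.
                    if (view != null)
                        view.Dispose();
                    if (section != null)
                        section.Dispose();
                    if (ntdllFileHandle != null)
                        ntdllFileHandle.Dispose();
                }
            }
            finally
            {
                symbols.Dispose();
            }

            KProcessHacker.Instance = new KProcessHacker();

            _logger = new SsLogger(4096, false);
            _logger.EventBlockReceived += new EventBlockReceivedDelegate(logger_EventBlockReceived);
            _logger.ArgumentBlockReceived += new ArgumentBlockReceivedDelegate(logger_ArgumentBlockReceived);
            // Restrict capture to user-mode callers and exclude this process — presumably so the
            // logger does not record its own activity.
            _logger.AddPreviousModeRule(FilterType.Include, KProcessorMode.UserMode);
            _logger.AddProcessIdRule(FilterType.Exclude, ProcessHandle.GetCurrentId());

            listEvents.SetDoubleBuffered(true);
        }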
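        /// <summary>
        /// Resolves a small set of kernel variables by symbol name and reads their current
        /// values through KProcessHacker.
        /// </summary>
        /// <returns>
        /// A <see cref="KVars"/> holding both the resolved addresses and the values read from them.
        /// </returns>
        /// <exception cref="InvalidOperationException">
        /// A kernel read returned fewer bytes than the variable's size.
        /// </exception>
        /// <remarks>
        /// NOTE(review): each address is narrowed with <c>ToInt32()</c> before being handed to the
        /// driver, which throws <see cref="OverflowException"/> for 64-bit kernel addresses — this
        /// presumes a 32-bit build; confirm. Compared with the original, the symbol provider is
        /// disposed on the error path and short reads are no longer silently ignored.
        /// </remarks>
        private unsafe KVars GetKVars()
        {
            KVars vars = new KVars();

            // Dispose the provider even if a symbol lookup throws.
            using (SymbolProvider symbols = new SymbolProvider())
            {
                symbols.LoadModule(Windows.KernelFileName, Windows.KernelBase);

                vars.NonPagedPoolStartAddress = symbols.GetSymbolFromName("MmNonPagedPoolStart").Address.ToIntPtr();
                vars.NonPagedPoolSizeAddress = symbols.GetSymbolFromName("MmMaximumNonPagedPoolInBytes").Address.ToIntPtr();
                vars.PsProcessTypeAddress = symbols.GetSymbolFromName("PsProcessType").Address.ToIntPtr();
                vars.PsThreadTypeAddress = symbols.GetSymbolFromName("PsThreadType").Address.ToIntPtr();
            }

            // Sizes mirror the original reads: pointer-sized except the pool size, which is a uint.
            ReadKernelVariable(vars.NonPagedPoolStartAddress, &vars.NonPagedPoolStart, IntPtr.Size);
            ReadKernelVariable(vars.NonPagedPoolSizeAddress, &vars.NonPagedPoolSize, sizeof(uint));
            ReadKernelVariable(vars.PsProcessTypeAddress, &vars.PsProcessType, IntPtr.Size);
            ReadKernelVariable(vars.PsThreadTypeAddress, &vars.PsThreadType, IntPtr.Size);

            return vars;
        }

        /// <summary>
        /// Reads <paramref name="size"/> bytes from kernel <paramref name="address"/> into
        /// <paramref name="buffer"/> via KProcessHacker, rejecting short reads.
        /// </summary>
        /// <param name="address">Kernel virtual address to read from.</param>
        /// <param name="buffer">Destination; must have room for <paramref name="size"/> bytes.</param>
        /// <param name="size">Number of bytes expected.</param>
        /// <exception cref="InvalidOperationException">Fewer than <paramref name="size"/> bytes were read.</exception>
        private static unsafe void ReadKernelVariable(IntPtr address, void* buffer, int size)
        {
            int bytesRead;

            KProcessHacker.Instance.KphReadVirtualMemoryUnsafe(
                ProcessHandle.Current,
                address.ToInt32(),
                buffer,
                size,
                out bytesRead
                );

            // A partial read would leave the caller with a half-written, misleading value.
            if (bytesRead != size)
                throw new InvalidOperationException(
                    "Short read of kernel variable at 0x" + address.ToString("x") + ": expected " +
                    size + " bytes, got " + bytesRead + ".");
        }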