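/// <summary>
/// Builds the syscall-name table from ntdll's Zw* stubs, then wires up the
/// kernel-side system service logger.
/// </summary>
/// <remarks>
/// The Zw* stubs are read from a freshly mapped view of the ntdll image file
/// rather than from the copy already loaded in this process — presumably so
/// that in-process hooks on the loaded image cannot influence the numbers
/// (confirm against the Section constructor's semantics).
/// </remarks>
/// <exception cref="InvalidOperationException">ntdll.dll was not found among the current process's modules.</exception>
public MainWindow()
{
    InitializeComponent();

    // dbghelp.dll is loaded from a hard-coded absolute path so SymbolProvider
    // uses this copy. The return value is not checked; if the load fails,
    // symbol resolution below presumably fails as well — TODO(review): surface
    // that failure explicitly and make the path configurable.
    Win32.LoadLibrary("C:\\Program Files\\Debugging Tools for Windows (x86)\\dbghelp.dll");

    SymbolProvider symbols = new SymbolProvider(ProcessHandle.Current);
    FileHandle ntdllFileHandle = null;
    Section section = null;
    SectionView view = null;

    try
    {
        SymbolProvider.Options |= SymbolOptions.PublicsOnly;

        IntPtr ntdllBase = Loader.GetDllHandle("ntdll.dll");

        ProcessHandle.Current.EnumModules((module) =>
        {
            if (!module.BaseName.Equals("ntdll.dll", StringComparison.InvariantCultureIgnoreCase))
            {
                return true; // keep enumerating
            }

            ntdllFileHandle = new FileHandle(
                @"\??\" + module.FileName,
                FileShareMode.ReadWrite,
                FileAccess.GenericExecute | FileAccess.GenericRead
                );
            section = new Section(ntdllFileHandle, true, MemoryProtection.ExecuteRead);

            // Symbols are resolved against the loaded image so that
            // symbol.Address is relative to ntdllBase below.
            symbols.LoadModule(module.FileName, module.BaseAddress, module.Size);

            return false; // found it, stop enumerating
        });

        // The original code dereferenced these unconditionally and would have
        // failed with a NullReferenceException; fail with a clear message instead.
        if (section == null || ntdllFileHandle == null)
        {
            throw new InvalidOperationException("ntdll.dll was not found in the current process's module list.");
        }

        view = section.MapView((int)ntdllFileHandle.GetSize());

        // The mapped view no longer needs the file handle.
        ntdllFileHandle.Dispose();
        ntdllFileHandle = null;

        symbols.EnumSymbols("ntdll!Zw*", (symbol) =>
        {
            // Translate the stub's address in the loaded ntdll to the same
            // offset inside the mapped view, then read the 32-bit value one
            // byte past the stub's start. On x86 this skips the "mov eax"
            // opcode and yields the service number immediate — TODO(review):
            // confirm this stub layout holds for every ntdll build targeted.
            IntPtr stubInView = symbol.Address.ToIntPtr().Decrement(ntdllBase).Increment(view.Memory);
            int number = Marshal.ReadInt32(stubInView.Increment(1));

            // Note: Add throws if two Zw* symbols resolve to the same number.
            _sysCallNames.Add(number, "Nt" + symbol.Name.Substring(2));

            return true;
        });
    }
    finally
    {
        // Release everything even if enumeration or symbol lookup throws;
        // the original code leaked these handles on the error path.
        if (view != null)
        {
            view.Dispose();
        }

        if (section != null)
        {
            section.Dispose();
        }

        if (ntdllFileHandle != null)
        {
            ntdllFileHandle.Dispose();
        }

        symbols.Dispose();
    }

    KProcessHacker.Instance = new KProcessHacker();

    _logger = new SsLogger(4096, false);
    _logger.EventBlockReceived += new EventBlockReceivedDelegate(logger_EventBlockReceived);
    _logger.ArgumentBlockReceived += new ArgumentBlockReceivedDelegate(logger_ArgumentBlockReceived);

    // Only log user-mode callers, and keep this process's own system calls
    // out of the trace so the logger does not feed back into itself.
    _logger.AddPreviousModeRule(FilterType.Include, KProcessorMode.UserMode);
    _logger.AddProcessIdRule(FilterType.Exclude, ProcessHandle.GetCurrentId());

    listEvents.SetDoubleBuffered(true);
}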
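/// <summary>
/// Resolves the kernel variables the logger needs (non-paged pool start and
/// size, and the process/thread object types) from kernel symbols and reads
/// their current values through the KProcessHacker driver.
/// </summary>
/// <returns>
/// A <see cref="KVars"/> holding both the symbol addresses and the values
/// read from kernel memory at those addresses.
/// </returns>
/// <exception cref="InvalidOperationException">A kernel read returned fewer bytes than requested.</exception>
private unsafe KVars GetKVars()
{
    SymbolProvider symbols = new SymbolProvider();
    KVars vars = new KVars();

    try
    {
        symbols.LoadModule(Windows.KernelFileName, Windows.KernelBase);

        vars.NonPagedPoolStartAddress = symbols.GetSymbolFromName("MmNonPagedPoolStart").Address.ToIntPtr();
        vars.NonPagedPoolSizeAddress = symbols.GetSymbolFromName("MmMaximumNonPagedPoolInBytes").Address.ToIntPtr();
        vars.PsProcessTypeAddress = symbols.GetSymbolFromName("PsProcessType").Address.ToIntPtr();
        vars.PsThreadTypeAddress = symbols.GetSymbolFromName("PsThreadType").Address.ToIntPtr();
    }
    finally
    {
        // The original code leaked the symbol provider when a lookup threw.
        symbols.Dispose();
    }

    // Addresses are handed to the driver as 32-bit integers, so this path
    // only works against a 32-bit kernel (IntPtr.ToInt32 throws
    // OverflowException for 64-bit addresses) — TODO(review): confirm x86-only
    // is intended.
    ReadKernelVariable(vars.NonPagedPoolStartAddress, &vars.NonPagedPoolStart, IntPtr.Size);
    ReadKernelVariable(vars.NonPagedPoolSizeAddress, &vars.NonPagedPoolSize, sizeof(uint));
    ReadKernelVariable(vars.PsProcessTypeAddress, &vars.PsProcessType, IntPtr.Size);
    ReadKernelVariable(vars.PsThreadTypeAddress, &vars.PsThreadType, IntPtr.Size);

    return vars;
}

/// <summary>
/// Reads <paramref name="size"/> bytes of kernel memory at
/// <paramref name="address"/> into <paramref name="buffer"/> via the driver.
/// </summary>
/// <param name="address">Kernel virtual address to read from.</param>
/// <param name="buffer">Destination; must have room for <paramref name="size"/> bytes.</param>
/// <param name="size">Number of bytes to read.</param>
/// <exception cref="InvalidOperationException">Fewer than <paramref name="size"/> bytes were read.</exception>
private static unsafe void ReadKernelVariable(IntPtr address, void* buffer, int size)
{
    int bytesRead;

    KProcessHacker.Instance.KphReadVirtualMemoryUnsafe(
        ProcessHandle.Current,
        address.ToInt32(),
        buffer,
        size,
        out bytesRead
        );

    // A partial read would leave the destination half-initialized and hand
    // back a bogus kernel address; the original code ignored bytesRead.
    if (bytesRead != size)
    {
        throw new InvalidOperationException(
            "Short kernel read at 0x" + address.ToInt32().ToString("x") +
            ": expected " + size + " bytes, got " + bytesRead + "."
            );
    }
}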