        // Fills listViewCallStack with the thread's captured kernel-mode frames.
        // Each row shows the formatted address and its symbol; the raw address is
        // kept in Tag. Failures are logged, never propagated to the UI thread.
        private void WalkKernelStack()
        {
            try
            {
                // CaptureKernelStack(1): frame 0 is the KPH capture routine itself, so it is dropped.
                IntPtr[] frames = _thandle.CaptureKernelStack(1);

                for (int i = 0; i < frames.Length; i++)
                {
                    ulong frameAddress = frames[i].ToUInt64();

                    try
                    {
                        string[] columns = new string[]
                        {
                            Utils.FormatAddress(frameAddress),
                            _symbols.GetSymbolFromAddress(frameAddress)
                        };
                        ListViewItem frameItem = new ListViewItem(columns);

                        // Keep the numeric address so the row can be mapped back to its frame later.
                        frameItem.Tag = frameAddress;
                        listViewCallStack.Items.Add(frameItem);
                    }
                    catch (Exception frameEx)
                    {
                        // One unresolvable frame must not abort the rest of the walk.
                        Logging.Log(frameEx);
                    }
                }
            }
            catch (Exception ex)
            {
                // Capturing the stack itself failed (e.g. driver unavailable); leave the list as is.
                Logging.Log(ex);
            }
        }
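        // Resolves a thread's start address to a symbol and queues the result as a
        // ResolveMessage for the UI. Runs on a worker thread: it waits for module
        // loading to complete first and tracks itself in the shared _loading counter
        // so LoadingStateChanged subscribers can show a busy indicator.
        //
        // tid:          thread id stamped on the queued message.
        // startAddress: the thread's start address to look up.
        private void ResolveThreadStartAddress(int tid, ulong startAddress)
        {
            ResolveMessage result = new ResolveMessage();

            result.Tid = tid;

            // Symbols are only meaningful once module loading has finished. If the
            // event has already been closed there is nothing left to wait for.
            if (!_moduleLoadCompletedEvent.SafeWaitHandle.IsClosed)
            {
                try
                {
                    _moduleLoadCompletedEvent.WaitOne();
                }
                catch
                {
                    // Best-effort: the event can be closed between the IsClosed check
                    // and WaitOne (ObjectDisposedException). Fall through and try anyway.
                }
            }

            if (_symbols == null)
            {
                return;
            }

            try
            {
                Interlocked.Increment(ref _loading);

                // Copy the delegate before the null check: a subscriber removing itself on
                // another thread between the check and the call would otherwise throw.
                var loadingStarted = this.LoadingStateChanged;

                if (loadingStarted != null)
                {
                    loadingStarted(Thread.VolatileRead(ref _loading) > 0);
                }

                try
                {
                    SymbolFlags flags;
                    string      fileName;

                    result.Symbol = _symbols.GetSymbolFromAddress(
                        startAddress,
                        out result.ResolveLevel,
                        out flags,
                        out fileName
                        );
                    result.FileName = fileName;
                    _messageQueue.Enqueue(result);
                }
                catch
                {
                    // Best-effort: an address with no usable symbol simply produces no message.
                }
            }
            finally
            {
                Interlocked.Decrement(ref _loading);

                // Same copy-then-check pattern as above; _loading is re-read so the
                // reported state reflects other in-flight resolutions too.
                var loadingFinished = this.LoadingStateChanged;

                if (loadingFinished != null)
                {
                    loadingFinished(Thread.VolatileRead(ref _loading) > 0);
                }
            }
        }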
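        // Collects the current profile counters, attributes each non-zero bucket that
        // falls inside moduleBase to a kernel symbol, and lists the per-symbol totals
        // in listFunctions.
        //
        // moduleBase: base address of the kernel module whose functions are shown;
        //             buckets resolving to any other module are ignored.
        private void LoadProfileFunctions(IntPtr moduleBase)
        {
            int[] counters = _profileHandle.Collect();
            Dictionary<string, int> functions = new Dictionary<string, int>();

            for (int i = 0; i < counters.Length; i++)
            {
                if (counters[i] == 0)
                {
                    continue;
                }

                IntPtr realAddress = this.GetAddress(i);
                IntPtr baseAddress;

                _kernelSymbols.GetModuleFromAddress(realAddress, out baseAddress);

                if (baseAddress != moduleBase)
                {
                    continue;
                }

                string fileName;
                ulong  displacement;
                string symbolName = _kernelSymbols.GetSymbolFromAddress(realAddress.ToUInt64(), out fileName, out displacement);

                if (symbolName == null)
                {
                    continue;
                }

                // Single lookup instead of ContainsKey + Add + indexer; hits is 0 when absent.
                // NOTE(review): this counts buckets per symbol, not counters[i] samples —
                // confirm that is the intended figure for the "N0" column.
                int hits;

                functions.TryGetValue(symbolName, out hits);
                functions[symbolName] = hits + 1;
            }

            // Batch the repaint, matching the BeginUpdate/EndUpdate pattern used by the
            // other list views; EndUpdate runs even if item creation throws.
            listFunctions.BeginUpdate();

            try
            {
                listFunctions.Items.Clear();

                foreach (KeyValuePair<string, int> function in functions)
                {
                    listFunctions.Items.Add(new ListViewItem(new string[]
                    {
                        function.Key,
                        function.Value.ToString("N0")
                    }));
                }
            }
            finally
            {
                listFunctions.EndUpdate();
            }
        }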
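        // Shows the captured stack of the single selected handle trace in
        // listHandleStack, one row per frame: hex address plus resolved symbol.
        private void listHandleTraces_SelectedIndexChanged(object sender, EventArgs e)
        {
            if (_currentHtCollection == null || listHandleTraces.SelectedItems.Count != 1)
            {
                return;
            }

            var trace = _currentHtCollection[(int)listHandleTraces.SelectedItems[0].Tag];

            listHandleStack.BeginUpdate();

            try
            {
                listHandleStack.Items.Clear();

                foreach (var address in trace.Stack)
                {
                    ListViewItem item = new ListViewItem();

                    // IntPtr.ToInt32() throws OverflowException on a 64-bit process for any
                    // address above 0x7FFFFFFF (every kernel address), so widen to long there.
                    // The 32-bit path is unchanged, keeping the 8-digit two's-complement form.
                    string hexAddress = IntPtr.Size == 4
                        ? address.ToInt32().ToString("x8")
                        : address.ToInt64().ToString("x8");

                    item.Text = "0x" + hexAddress;
                    item.SubItems.Add(new ListViewItem.ListViewSubItem(item, _symbols.GetSymbolFromAddress(address.ToUInt64())));
                    listHandleStack.Items.Add(item);
                }
            }
            finally
            {
                // Always re-enable drawing, even if a symbol lookup throws mid-loop.
                listHandleStack.EndUpdate();
            }
        }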
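        /// <summary>
        /// Builds the properties window for a logged system call: fills the header
        /// fields and the argument list synchronously, lists the stack trace as
        /// module+offset, and queues symbol resolution so opening does not block.
        /// </summary>
        /// <param name="even">The logged event to display.</param>
        public EventProperties(LogEvent even)
        {
            InitializeComponent();

            _event = even;

            string sysCallName;

            // Single lookup instead of ContainsKey + indexer.
            textSystemCall.Text = MainWindow.SysCallNames.TryGetValue(even.Event.CallNumber, out sysCallName)
                ? sysCallName
                : "(unknown)";
            textTime.Text       = _event.Event.Time.ToString();
            textMode.Text       = _event.Event.Mode == KProcessorMode.UserMode ? "User-mode" : "Kernel-mode";

            this.PopulateArguments();
            this.PopulateStackTrace();

            listArguments.SetDoubleBuffered(true);
            listStackTrace.SetDoubleBuffered(true);
        }

        // Adds one row per raw argument: index, raw hex value, and — when a decoded
        // SsData exists for it — a description plus the decoded type name.
        private void PopulateArguments()
        {
            // NOTE(review): _event.Arguments is indexed with the length of
            // _event.Event.Arguments; confirm both arrays are always the same size.
            for (int i = 0; i < _event.Event.Arguments.Length; i++)
            {
                ListViewItem item = new ListViewItem();

                item.Text = i.ToString();
                item.SubItems.Add(new ListViewItem.ListViewSubItem(item, "0x" + _event.Event.Arguments[i].ToString("x")));

                SsData data = _event.Arguments[i];

                if (data != null)
                {
                    item.SubItems.Add(new ListViewItem.ListViewSubItem(item, FormatArgument(data)));
                    // Drop the "Ss" prefix of the decoded type name for display.
                    item.SubItems.Add(new ListViewItem.ListViewSubItem(item, data.GetType().Name.Remove(0, 2)));
                }
                else
                {
                    item.SubItems.Add(new ListViewItem.ListViewSubItem(item, ""));
                    item.SubItems.Add(new ListViewItem.ListViewSubItem(item, ""));
                }

                listArguments.Items.Add(item);
            }
        }

        // Renders a decoded argument as display text. The checks keep the original
        // order so a type matching several cases is handled the same way as before;
        // unknown kinds yield "".
        private static string FormatArgument(SsData data)
        {
            SsSimple simple = data as SsSimple;

            if (simple != null)
            {
                return simple.Argument.ToString();
            }

            SsHandle handle = data as SsHandle;

            if (handle != null)
            {
                if (!string.IsNullOrEmpty(handle.Name))
                {
                    return handle.TypeName + ": " + handle.Name;
                }

                return handle.TypeName + ": PID: " + handle.ProcessId.ToString() +
                       ", TID: " + handle.ThreadId.ToString();
            }

            SsUnicodeString unicodeString = data as SsUnicodeString;

            if (unicodeString != null)
            {
                return unicodeString.String;
            }

            SsObjectAttributes oa = data as SsObjectAttributes;

            if (oa != null)
            {
                string text = "";

                if (oa.RootDirectory != null)
                {
                    text = oa.RootDirectory.Name;
                }

                if (oa.ObjectName != null)
                {
                    // Join root directory and object name as a path when both are present.
                    text = string.IsNullOrEmpty(text)
                        ? oa.ObjectName.String
                        : text + "\\" + oa.ObjectName.String;
                }

                return text;
            }

            SsClientId clientId = data as SsClientId;

            if (clientId != null)
            {
                return "PID: " + clientId.Original.ProcessId.ToString() +
                       ", TID: " + clientId.Original.ThreadId.ToString();
            }

            return "";
        }

        // Loads symbols for the event's process and the kernel, lists every frame as
        // module+offset immediately, and queues per-frame symbol-name resolution on
        // the global work queue.
        private void PopulateStackTrace()
        {
            SymbolProvider.Options = SymbolOptions.DeferredLoads | SymbolOptions.UndName;

            try
            {
                // Only the rights needed to enumerate modules and read their headers are requested.
                using (var phandle = new ProcessHandle(_event.Event.ProcessId,
                                                       ProcessAccess.QueryInformation | ProcessAccess.VmRead))
                {
                    _symbols = new SymbolProvider(phandle);

                    phandle.EnumModules((module) =>
                    {
                        _symbols.LoadModule(module.FileName, module.BaseAddress, module.Size);
                        return true;
                    });
                    Windows.EnumKernelModules((module) =>
                    {
                        _symbols.LoadModule(module.FileName, module.BaseAddress);
                        return true;
                    });
                    _symbols.PreloadModules = true;

                    for (int i = 0; i < _event.Event.StackTrace.Length; i++)
                    {
                        var    address = _event.Event.StackTrace[i];
                        IntPtr baseAddress;
                        string fileName = _symbols.GetModuleFromAddress(address, out baseAddress);

                        listStackTrace.Items.Add(new ListViewItem(new string[]
                        {
                            "0x" + address.ToString("x"),
                            (new System.IO.FileInfo(fileName)).Name + "+0x" + address.Decrement(baseAddress).ToString("x")
                        }));

                        // i and address are passed as work-item tags rather than captured, so each
                        // queued resolution sees its own index/address instead of the loop's last.
                        WorkQueue.GlobalQueueWorkItemTag(new Action<int, IntPtr>((i_, address_) =>
                        {
                            string symbol = _symbols.GetSymbolFromAddress(address_.ToUInt64());

                            // NOTE(review): the handle can still be destroyed between this check and
                            // BeginInvoke; confirm the work queue tolerates the resulting exception.
                            if (this.IsHandleCreated)
                            {
                                this.BeginInvoke(new Action(() => listStackTrace.Items[i_].SubItems[1].Text = symbol));
                            }
                        }), "resolve-symbol", i, address);
                    }
                }
            }
            catch
            {
                // Best-effort: the process may have exited or be inaccessible, or a module
                // path may be missing. The window still opens, just without a stack trace.
            }
        }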