Ejemplo n.º 1
0
        public SysInfoWindow()
        {
            InitializeComponent();
            this.AddEscapeToClose();

            this.Size     = Properties.Settings.Default.SysInfoWindowSize;
            this.Location = Utils.FitRectangle(new Rectangle(
                                                   Properties.Settings.Default.SysInfoWindowLocation, this.Size), this).Location;

            // Load the pool limit addresses.
            if (
                _mmSizeOfPagedPoolInBytes == IntPtr.Zero &&
                KProcessHacker.Instance != null
                )
            {
                WorkQueue.GlobalQueueWorkItemTag(new Action(() =>
                {
                    try
                    {
                        SymbolProvider symbols = new SymbolProvider();

                        symbols.LoadModule(Windows.KernelFileName, Windows.KernelBase);
                        _mmSizeOfPagedPoolInBytes =
                            symbols.GetSymbolFromName("MmSizeOfPagedPoolInBytes").Address.ToIntPtr();
                        _mmMaximumNonPagedPoolInBytes =
                            symbols.GetSymbolFromName("MmMaximumNonPagedPoolInBytes").Address.ToIntPtr();
                    }
                    catch
                    { }
                }), "load-mm-addresses");
            }
        }
Ejemplo n.º 2
0
        private void LoadKernelSymbols()
        {
            _kernelSymbols = new SymbolProvider(new ProcessHandle(4, ProcessAccess.QueryInformation));
            _kernelSymbols.PreloadModules = true;

            foreach (var module in Windows.GetKernelModules())
            {
                try
                {
                    _kernelSymbols.LoadModule(module.FileName, module.BaseAddress);
                }
                catch
                { }
            }
        }
Ejemplo n.º 3
0
        private unsafe KVars GetKVars()
        {
            SymbolProvider symbols = new SymbolProvider();

            symbols.LoadModule(Windows.KernelFileName, Windows.KernelBase);

            KVars vars = new KVars();

            vars.NonPagedPoolStartAddress = symbols.GetSymbolFromName("MmNonPagedPoolStart").Address.ToIntPtr();
            vars.NonPagedPoolSizeAddress  = symbols.GetSymbolFromName("MmMaximumNonPagedPoolInBytes").Address.ToIntPtr();
            vars.PsProcessTypeAddress     = symbols.GetSymbolFromName("PsProcessType").Address.ToIntPtr();
            vars.PsThreadTypeAddress      = symbols.GetSymbolFromName("PsThreadType").Address.ToIntPtr();

            int bytesRead;

            KProcessHacker.Instance.KphReadVirtualMemoryUnsafe(
                ProcessHandle.Current,
                vars.NonPagedPoolStartAddress.ToInt32(),
                &vars.NonPagedPoolStart,
                IntPtr.Size,
                out bytesRead
                );
            KProcessHacker.Instance.KphReadVirtualMemoryUnsafe(
                ProcessHandle.Current,
                vars.NonPagedPoolSizeAddress.ToInt32(),
                &vars.NonPagedPoolSize,
                sizeof(uint),
                out bytesRead
                );
            KProcessHacker.Instance.KphReadVirtualMemoryUnsafe(
                ProcessHandle.Current,
                vars.PsProcessTypeAddress.ToInt32(),
                &vars.PsProcessType,
                IntPtr.Size,
                out bytesRead
                );
            KProcessHacker.Instance.KphReadVirtualMemoryUnsafe(
                ProcessHandle.Current,
                vars.PsThreadTypeAddress.ToInt32(),
                &vars.PsThreadType,
                IntPtr.Size,
                out bytesRead
                );

            symbols.Dispose();

            return(vars);
        }
Ejemplo n.º 4
0
        public EventProperties(LogEvent even)
        {
            InitializeComponent();

            _event = even;

            textSystemCall.Text = MainWindow.SysCallNames.ContainsKey(even.Event.CallNumber) ? MainWindow.SysCallNames[even.Event.CallNumber] : "(unknown)";
            textTime.Text       = _event.Event.Time.ToString();
            textMode.Text       = _event.Event.Mode == KProcessorMode.UserMode ? "User-mode" : "Kernel-mode";

            for (int i = 0; i < _event.Event.Arguments.Length; i++)
            {
                ListViewItem item = new ListViewItem();

                item.Text = i.ToString();
                item.SubItems.Add(new ListViewItem.ListViewSubItem(item, "0x" + _event.Event.Arguments[i].ToString("x")));

                if (_event.Arguments[i] != null)
                {
                    string text = "";
                    SsData data = _event.Arguments[i];

                    if (data is SsSimple)
                    {
                        text = (data as SsSimple).Argument.ToString();
                    }
                    else if (data is SsHandle)
                    {
                        SsHandle handle = data as SsHandle;

                        if (!string.IsNullOrEmpty(handle.Name))
                        {
                            text = handle.TypeName + ": " + handle.Name;
                        }
                        else
                        {
                            text = handle.TypeName + ": PID: " + handle.ProcessId.ToString() +
                                   ", TID: " + handle.ThreadId.ToString();
                        }
                    }
                    else if (data is SsUnicodeString)
                    {
                        text = (data as SsUnicodeString).String;
                    }
                    else if (data is SsObjectAttributes)
                    {
                        SsObjectAttributes oa = data as SsObjectAttributes;
                        text = "";

                        if (oa.RootDirectory != null)
                        {
                            text = oa.RootDirectory.Name;
                        }

                        if (oa.ObjectName != null)
                        {
                            if (!string.IsNullOrEmpty(text))
                            {
                                text = text + "\\" + oa.ObjectName.String;
                            }
                            else
                            {
                                text = oa.ObjectName.String;
                            }
                        }
                    }
                    else if (data is SsClientId)
                    {
                        text = "PID: " + (data as SsClientId).Original.ProcessId.ToString() +
                               ", TID: " + (data as SsClientId).Original.ThreadId.ToString();
                    }

                    item.SubItems.Add(new ListViewItem.ListViewSubItem(item, text));
                    item.SubItems.Add(new ListViewItem.ListViewSubItem(item, _event.Arguments[i].GetType().Name.Remove(0, 2)));
                }
                else
                {
                    item.SubItems.Add(new ListViewItem.ListViewSubItem(item, ""));
                    item.SubItems.Add(new ListViewItem.ListViewSubItem(item, ""));
                }

                listArguments.Items.Add(item);
            }

            SymbolProvider.Options = SymbolOptions.DeferredLoads | SymbolOptions.UndName;

            try
            {
                using (var phandle = new ProcessHandle(_event.Event.ProcessId,
                                                       ProcessAccess.QueryInformation | ProcessAccess.VmRead))
                {
                    _symbols = new SymbolProvider(phandle);

                    phandle.EnumModules((module) =>
                    {
                        _symbols.LoadModule(module.FileName, module.BaseAddress, module.Size);
                        return(true);
                    });
                    Windows.EnumKernelModules((module) =>
                    {
                        _symbols.LoadModule(module.FileName, module.BaseAddress);
                        return(true);
                    });
                    _symbols.PreloadModules = true;

                    for (int i = 0; i < _event.Event.StackTrace.Length; i++)
                    {
                        var    address = _event.Event.StackTrace[i];
                        string fileName;
                        IntPtr baseAddress;

                        fileName = _symbols.GetModuleFromAddress(address, out baseAddress);

                        listStackTrace.Items.Add(new ListViewItem(new string[]
                        {
                            "0x" + address.ToString("x"),
                            (new System.IO.FileInfo(fileName)).Name + "+0x" + address.Decrement(baseAddress).ToString("x")
                        }));

                        WorkQueue.GlobalQueueWorkItemTag(new Action <int, IntPtr>((i_, address_) =>
                        {
                            string symbol = _symbols.GetSymbolFromAddress(address_.ToUInt64());

                            if (this.IsHandleCreated)
                            {
                                this.BeginInvoke(new Action(() => listStackTrace.Items[i_].SubItems[1].Text = symbol));
                            }
                        }), "resolve-symbol", i, address);
                    }
                }
            }
            catch
            { }

            listArguments.SetDoubleBuffered(true);
            listStackTrace.SetDoubleBuffered(true);
        }
Ejemplo n.º 5
0
        public SysInfoWindow()
        {
            this.InitializeComponent();

            //if (!Settings.Instance.SysInfoWindowBounds.IsEmpty)
            //this.DesktopBounds = Utils.FitRectangle(Settings.Instance.SysInfoWindowBounds, this);

            // Load the pool limit addresses.
            if (_mmSizeOfPagedPoolInBytes == IntPtr.Zero)
            {
                WorkQueue.GlobalQueueWorkItemTag(new Action(() =>
                {
                    try
                    {
                        using (SymbolProvider symbols = new SymbolProvider())
                        {
                            symbols.LoadModule(Windows.KernelFileName, Windows.KernelBase);

                            _mmSizeOfPagedPoolInBytes     = (IntPtr)symbols.GetSymbolFromName("MmSizeOfPagedPoolInBytes").Address;
                            _mmMaximumNonPagedPoolInBytes = (IntPtr)symbols.GetSymbolFromName("MmMaximumNonPagedPoolInBytes").Address;
                        }
                    }
                    catch (Exception) { }
                }), "load-mm-addresses");
            }

            this.trackerMemory.values    = Program.ProcessProvider.PhysicalMemoryHistory;
            this.trackerMemory.DrawColor = Settings.Instance.PlotterMemoryPrivateColor;

            this.trackerCommit.Maximum   = (int)Program.ProcessProvider.Performance.CommitLimit;
            this.trackerCommit.values    = Program.ProcessProvider.CommitHistory;
            this.trackerCommit.DrawColor = Settings.Instance.PlotterMemoryWSColor;

            // Set indicators color
            this.indicatorCpu.Color1 = Settings.Instance.PlotterCPUUserColor;
            this.indicatorCpu.Color2 = Settings.Instance.PlotterCPUKernelColor;

            this.indicatorIO.Color1       = Settings.Instance.PlotterIOROColor;
            this.indicatorPhysical.Color1 = Settings.Instance.PlotterMemoryPrivateColor;

            this.plotterCPU.LineColor2 = Settings.Instance.PlotterCPUKernelColor;
            this.plotterCPU.LineColor1 = Settings.Instance.PlotterCPUUserColor;

            this.plotterIO.LineColor1 = Settings.Instance.PlotterIOROColor;
            this.plotterIO.LineColor2 = Settings.Instance.PlotterIOWColor;

            // Maximum physical memory.
            this.indicatorPhysical.Maximum = _pages;

            // Set up the plotter controls.
            plotterCPU.Data1      = Program.ProcessProvider.CpuKernelHistory;
            plotterCPU.Data2      = Program.ProcessProvider.CpuUserHistory;
            plotterCPU.GetToolTip = i =>
                                    Program.ProcessProvider.MostCpuHistory[i] + "\n" +
                                    ((plotterCPU.Data1[i] + plotterCPU.Data2[i]) * 100).ToString("N2") +
                                    "% (K " + (plotterCPU.Data1[i] * 100).ToString("N2") +
                                    "%, U " + (plotterCPU.Data2[i] * 100).ToString("N2") + "%)" + "\n" +
                                    Program.ProcessProvider.TimeHistory[i].ToString();

            plotterIO.LongData1  = Program.ProcessProvider.IoReadOtherHistory;
            plotterIO.LongData2  = Program.ProcessProvider.IoWriteHistory;
            plotterIO.GetToolTip = i =>
                                   Program.ProcessProvider.MostIoHistory[i] + "\n" +
                                   "R+O: " + Utils.FormatSize(plotterIO.LongData1[i]) + "\n" +
                                   "W: " + Utils.FormatSize(plotterIO.LongData2[i]) + "\n" +
                                   Program.ProcessProvider.TimeHistory[i].ToString();

            //plotterMemory.Data1 = Program.ProcessProvider.CommitHistory;
            //plotterMemory.Data2 = Program.ProcessProvider.PhysicalMemoryHistory;
            //plotterMemory.GetToolTip = i => "Commit: " + plotterMemory.Data1[i] + "\n" +
            //    "Phys. Memory: " + plotterMemory.Data2[i] + "\n" + Program.ProcessProvider.TimeHistory[i].ToString();

            // Create a plotter per CPU.
            _cpuPlotters          = new Plotter[_noOfCPUs];
            tableCPUs.ColumnCount = (int)_noOfCPUs;
            tableCPUs.ColumnStyles.Clear();
            tableCPUs.Dock = DockStyle.Fill;

            for (int i = 0; i < _cpuPlotters.Length; i++)
            {
                Plotter plotter;

                tableCPUs.ColumnStyles.Add(new ColumnStyle(SizeType.Percent, 1.0f / _noOfCPUs));
                _cpuPlotters[i] = plotter = new Plotter();

                plotter.BackColor     = Color.Black;
                plotter.Dock          = DockStyle.Fill;
                plotter.Margin        = new Padding(i == 0 ? 0 : 3, 0, 0, 0); // nice spacing
                plotter.UseSecondLine = true;
                plotter.Data1         = Program.ProcessProvider.CpusKernelHistory[i];
                plotter.Data2         = Program.ProcessProvider.CpusUserHistory[i];
                plotter.GetToolTip    = j =>
                                        Program.ProcessProvider.MostCpuHistory[j] + "\n" +
                                        ((plotter.Data1[j] + plotter.Data2[j]) * 100).ToString("N2") +
                                        "% (K " + (plotter.Data1[j] * 100).ToString("N2") +
                                        "%, U " + (plotter.Data2[j] * 100).ToString("N2") + "%)" + "\n" +
                                        Program.ProcessProvider.TimeHistory[j].ToString();

                this.tableCPUs.Controls.Add(plotter, i, 0);
            }

            this.checkShowOneGraphPerCPU.Checked = Settings.Instance.ShowOneGraphPerCPU;

            if (_noOfCPUs == 1)
            {
                checkShowOneGraphPerCPU.Enabled = false;
            }

            Program.ProcessProvider.Updated += ProcessProvider_Updated;

            //We need to do this here or TopMost property gets over-rided by AlwaysOnTopCheckbox
            this.TopMost = Settings.Instance.AlwaysOnTop;

            this.UpdateGraphs();
            this.UpdateInfo();
        }
Ejemplo n.º 6
0
        private void LoadSymbols()
        {
            // Ensure we only load symbols once.
            if (Interlocked.CompareExchange(ref _symbolsStartedLoading, 1, 0) == 1)
            {
                return;
            }

            // Start loading symbols; avoid the UI blocking on the dbghelp call lock.
            _symbolsWorkQueue.QueueWorkItemTag(new Action(() =>
            {
                try
                {
                    // Needed (maybe) to display the EULA
                    Win32.SymbolServerSetOptions(SymbolServerOption.Unattended, 0);
                }
                catch (Exception ex)
                {
                    Logging.Log(ex);
                }

                try
                {
                    // Use the process handle if we have one, otherwise use the default ID generator.
                    if (_processHandle != null)
                    {
                        _symbols = new SymbolProvider(_processHandle);
                    }
                    else
                    {
                        _symbols = new SymbolProvider();
                    }

                    SymbolProvider.Options = SymbolOptions.DeferredLoads |
                                             (Settings.Instance.DbgHelpUndecorate ? SymbolOptions.UndName : 0);

                    if (!string.IsNullOrEmpty(Settings.Instance.DbgHelpSearchPath))
                    {
                        _symbols.SearchPath = Settings.Instance.DbgHelpSearchPath;
                    }

                    try
                    {
                        if (_pid > 4)
                        {
                            using (var phandle = new ProcessHandle(_pid, Program.MinProcessQueryRights | Program.MinProcessReadMemoryRights))
                            {
                                if (OSVersion.Architecture == OSArch.I386 || !phandle.IsWow64)
                                {
                                    // Load the process' modules.
                                    try { _symbols.LoadProcessModules(phandle); }
                                    catch { }
                                }
                                else
                                {
                                    // Load the process' WOW64 modules.
                                    try { _symbols.LoadProcessWow64Modules(_pid); }
                                    catch { }
                                }

                                // If the process is CSRSS we should load kernel modules
                                // due to the presence of kernel-mode threads.
                                if (phandle.KnownProcessType == KnownProcess.WindowsSubsystem)
                                {
                                    this.LoadKernelSymbols(true);
                                }
                            }
                        }
                        else
                        {
                            this.LoadKernelSymbols(true);
                        }
                    }
                    catch (WindowsException ex)
                    {
                        // Did we get Access Denied? At least load
                        // kernel32.dll and ntdll.dll.
                        try
                        {
                            ProcessHandle.Current.EnumModules(module =>
                            {
                                if (
                                    module.BaseName.Equals("kernel32.dll", StringComparison.OrdinalIgnoreCase) ||
                                    module.BaseName.Equals("ntdll.dll", StringComparison.OrdinalIgnoreCase)
                                    )
                                {
                                    _symbols.LoadModule(module.FileName, module.BaseAddress, module.Size);
                                }

                                return(true);
                            });
                        }
                        catch (Exception ex2)
                        {
                            Logging.Log(ex2);
                        }

                        Logging.Log(ex);
                    }
                    catch (Exception ex)
                    {
                        Logging.Log(ex);
                    }
                }
                finally
                {
                    _moduleLoadCompletedEvent.Set();
                }
            }), "symbols-load");
        }
Ejemplo n.º 7
0
        public MainWindow()
        {
            InitializeComponent();

            Win32.LoadLibrary("C:\\Program Files\\Debugging Tools for Windows (x86)\\dbghelp.dll");

            SymbolProvider symbols = new SymbolProvider(ProcessHandle.Current);

            SymbolProvider.Options |= SymbolOptions.PublicsOnly;

            IntPtr     ntdllBase       = Loader.GetDllHandle("ntdll.dll");
            FileHandle ntdllFileHandle = null;
            Section    section         = null;

            ProcessHandle.Current.EnumModules((module) =>
            {
                if (module.BaseName.Equals("ntdll.dll", StringComparison.InvariantCultureIgnoreCase))
                {
                    section             = new Section(
                        ntdllFileHandle = new FileHandle(@"\??\" + module.FileName,
                                                         FileShareMode.ReadWrite,
                                                         FileAccess.GenericExecute | FileAccess.GenericRead
                                                         ),
                        true,
                        MemoryProtection.ExecuteRead
                        );

                    symbols.LoadModule(module.FileName, module.BaseAddress, module.Size);
                    return(false);
                }

                return(true);
            });

            SectionView view = section.MapView((int)ntdllFileHandle.GetSize());

            ntdllFileHandle.Dispose();

            symbols.EnumSymbols("ntdll!Zw*", (symbol) =>
            {
                int number = Marshal.ReadInt32(
                    (symbol.Address.ToIntPtr().Decrement(ntdllBase)).Increment(view.Memory).Increment(1));

                _sysCallNames.Add(
                    number,
                    "Nt" + symbol.Name.Substring(2)
                    );
                _reverseSysCallNames.Add(
                    "Nt" + symbol.Name.Substring(2),
                    number
                    );

                return(true);
            });

            view.Dispose();
            section.Dispose();

            symbols.Dispose();

            KProcessHacker.Instance = new KProcessHacker();

            _logger = new SsLogger(4096, false);
            _logger.EventBlockReceived    += new EventBlockReceivedDelegate(logger_EventBlockReceived);
            _logger.ArgumentBlockReceived += new ArgumentBlockReceivedDelegate(logger_ArgumentBlockReceived);
            _logger.AddProcessIdRule(FilterType.Exclude, ProcessHandle.GetCurrentId());
            _logger.AddPreviousModeRule(FilterType.Include, KProcessorMode.UserMode);
            //_logger.Start();

            listEvents.SetDoubleBuffered(true);
        }
Ejemplo n.º 8
0
        public ThreadProvider(int pid)
            : base()
        {
            this.Name = this.GetType().Name;
            _pid      = pid;

            _messageQueue.AddListener(
                new MessageQueueListener <ResolveMessage>((message) =>
            {
                if (message.Symbol != null)
                {
                    this.Dictionary[message.Tid].StartAddress      = message.Symbol;
                    this.Dictionary[message.Tid].FileName          = message.FileName;
                    this.Dictionary[message.Tid].StartAddressLevel = message.ResolveLevel;
                    this.Dictionary[message.Tid].JustResolved      = true;
                }
            }));

            this.ProviderUpdate += new ProviderUpdateOnce(UpdateOnce);
            this.Disposed       += ThreadProvider_Disposed;

            try
            {
                // Try to get a good process handle we can use the same handle for stack walking.
                try
                {
                    _processAccess = ProcessAccess.QueryInformation | ProcessAccess.VmRead;
                    _processHandle = new ProcessHandle(_pid, _processAccess);
                }
                catch
                {
                    try
                    {
                        if (KProcessHacker.Instance != null)
                        {
                            _processAccess = Program.MinProcessReadMemoryRights;
                            _processHandle = new ProcessHandle(_pid, _processAccess);
                        }
                        else
                        {
                            _processAccess = Program.MinProcessQueryRights;
                            _processHandle = new ProcessHandle(_pid, _processAccess);
                        }
                    }
                    catch (WindowsException ex)
                    {
                        Logging.Log(ex);
                    }
                }

                // Start loading symbols; avoid the UI blocking on the dbghelp call lock.
                _symbolsWorkQueue.QueueWorkItemTag(new Action(() =>
                {
                    try
                    {
                        // Needed (maybe) to display the EULA
                        Win32.SymbolServerSetOptions(SymbolServerOption.Unattended, 0);
                    }
                    catch (Exception ex)
                    {
                        Logging.Log(ex);
                    }

                    try
                    {
                        // Use the process handle if we have one, otherwise use the default ID generator.
                        if (_processHandle != null)
                        {
                            _symbols = new SymbolProvider(_processHandle);
                        }
                        else
                        {
                            _symbols = new SymbolProvider();
                        }

                        SymbolProvider.Options = SymbolOptions.DeferredLoads |
                                                 (Properties.Settings.Default.DbgHelpUndecorate ? SymbolOptions.UndName : 0);

                        if (Properties.Settings.Default.DbgHelpSearchPath != "")
                        {
                            _symbols.SearchPath = Properties.Settings.Default.DbgHelpSearchPath;
                        }

                        try
                        {
                            if (_pid != 4)
                            {
                                using (var phandle =
                                           new ProcessHandle(_pid, Program.MinProcessQueryRights | Program.MinProcessReadMemoryRights))
                                {
                                    if (IntPtr.Size == 4 || !phandle.IsWow64())
                                    {
                                        // Load the process' modules.
                                        try { _symbols.LoadProcessModules(phandle); }
                                        catch { }
                                    }
                                    else
                                    {
                                        // Load the process' WOW64 modules.
                                        try { _symbols.LoadProcessWow64Modules(_pid); }
                                        catch { }
                                    }

                                    // If the process is CSRSS we should load kernel modules
                                    // due to the presence of kernel-mode threads.
                                    if (phandle.GetKnownProcessType() == KnownProcess.WindowsSubsystem)
                                    {
                                        this.LoadKernelSymbols(true);
                                    }
                                }
                            }
                            else
                            {
                                this.LoadKernelSymbols(true);
                            }
                        }
                        catch (WindowsException ex)
                        {
                            // Did we get Access Denied? At least load
                            // kernel32.dll and ntdll.dll.
                            try
                            {
                                ProcessHandle.Current.EnumModules((module) =>
                                {
                                    if (module.BaseName == "kernel32.dll" || module.BaseName == "ntdll.dll")
                                    {
                                        _symbols.LoadModule(module.FileName, module.BaseAddress, module.Size);
                                    }

                                    return(true);
                                });
                            }
                            catch (Exception ex2)
                            {
                                Logging.Log(ex2);
                            }

                            Logging.Log(ex);
                        }
                        catch (Exception ex)
                        {
                            Logging.Log(ex);
                        }
                    }
                    finally
                    {
                        lock (_moduleLoadCompletedEvent)
                        {
                            if (!_moduleLoadCompletedEvent.SafeWaitHandle.IsClosed)
                            {
                                _moduleLoadCompletedEvent.Set();
                            }
                        }
                    }
                }), "symbols-load");
            }
            catch (Exception ex)
            {
                Logging.Log(ex);
            }
        }