        /// <summary>
        /// Attaches the kernel and the custom (user) trace sessions to an already-running process and
        /// blocks until that process exits or the session is stopped from outside via <c>stopTraceCollectors</c>.
        /// </summary>
        /// <param name="pid">Id of the process to trace.</param>
        /// <param name="traceChildProcesses">Passed through to <c>InitializeProcessHandlers</c>.</param>
        /// <param name="collectDriverStats">Passed through to <c>InitializeSystemHandlers</c>.</param>
        public void TraceRunningProcess(int pid, bool traceChildProcesses, bool collectDriverStats)
        {
            // The handle is only ever waited on, so SYNCHRONIZE is the only access right requested
            // (least privilege: no query/VM/terminate rights on the target).
            using (var hProcess = Kernel32.OpenProcess(Kernel32.ACCESS_MASK.StandardRight.SYNCHRONIZE, false, pid)) {
                if (hProcess.IsInvalid)
                {
                    // An invalid handle covers both "no such PID" and "access denied"; the Win32 error
                    // code is not surfaced here, so the two cases cannot be told apart from the message.
                    Console.Error.WriteLine("ERROR: the process with a given PID was not found or you don't have access to it.");
                    return;
                }
                using (TraceCollector kernelTraceCollector = new TraceCollector(KernelTraceEventParser.KernelSessionName),
                       customTraceCollector = new TraceCollector(WinTraceUserTraceSessionName)) {
                    InitializeSystemHandlers(kernelTraceCollector, collectDriverStats);
                    InitializeProcessHandlers(kernelTraceCollector, customTraceCollector,
                                              pid, traceChildProcesses);

                    // Waiter: a pool thread blocks on the process handle; once the process exits it
                    // stops both collectors and releases the WaitOne() at the bottom of this method.
                    // NOTE(review): if stopEvent is signalled by some other path before the process
                    // exits, the outer using disposes hProcess while this thread may still be inside
                    // WaitForSingleObject — confirm the handle lifetime against that path.
                    ThreadPool.QueueUserWorkItem((o) => {
                        Kernel32.WaitForSingleObject(hProcess, Constants.INFINITE);
                        StopCollectors(kernelTraceCollector, customTraceCollector);
                        stopEvent.Set();
                    });

                    // Published so code outside this method can stop the collectors early
                    // (presumably a cancellation / Ctrl+C handler — verify against the caller).
                    // It is assigned before the collectors are started so it is valid as soon as tracing runs.
                    stopTraceCollectors = () => {
                        StopCollectors(kernelTraceCollector, customTraceCollector);
                    };

                    // Each collector is started on its own pool thread; Start() presumably blocks for
                    // the lifetime of the session — TODO confirm against TraceCollector.
                    ThreadPool.QueueUserWorkItem((o) => {
                        kernelTraceCollector.Start();
                    });
                    ThreadPool.QueueUserWorkItem((o) => {
                        customTraceCollector.Start();
                    });

                    // Block the caller until the waiter above (or external code) signals stopEvent;
                    // the collectors and the process handle are disposed on the way out.
                    stopEvent.WaitOne();
                }
            }
        }
        /// <summary>
        /// Runs only the kernel trace session (system handlers installed with the second argument set
        /// to <c>true</c>, which corresponds to <c>collectDriverStats</c> in the sibling methods) and
        /// blocks until <c>stopEvent</c> is signalled.
        /// </summary>
        public void TraceSystemOnly()
        {
            using (var kernelCollector = new TraceCollector(KernelTraceEventParser.KernelSessionName))
            {
                InitializeSystemHandlers(kernelCollector, true);

                // Published so code outside this method can stop the session early;
                // assigned before Start() so it is valid as soon as tracing runs.
                stopTraceCollectors = () => StopCollector(kernelCollector);

                // Start() runs on a pool thread while this thread blocks on stopEvent below.
                ThreadPool.QueueUserWorkItem(_ => kernelCollector.Start());

                // The collector is disposed once the event is signalled.
                stopEvent.WaitOne();
            }
        }
        /// <summary>
        /// Launches a new process suspended, brings up the kernel and custom trace sessions, resumes the
        /// process and blocks until it exits or the session is stopped from outside via <c>stopTraceCollectors</c>.
        /// </summary>
        /// <param name="procargs">Command line of the process to launch (handed to <c>ProcessCreator</c>).</param>
        /// <param name="spawnNewConsoleWindow">Whether the child gets its own console window.</param>
        /// <param name="traceChildProcesses">Passed through to <c>InitializeProcessHandlers</c>.</param>
        /// <param name="collectDriverStats">Passed through to <c>InitializeSystemHandlers</c>.</param>
        public void TraceNewProcess(IEnumerable <string> procargs, bool spawnNewConsoleWindow,
                                    bool traceChildProcesses, bool collectDriverStats)
        {
            using (var process = new ProcessCreator(procargs)
            {
                SpawnNewConsoleWindow = spawnNewConsoleWindow
            }) {
                // Started suspended so the collectors are in place before the target executes
                // its first instruction; it is resumed only after both sessions have been started.
                process.StartSuspended();

                using (TraceCollector kernelTraceCollector = new TraceCollector(KernelTraceEventParser.KernelSessionName),
                       customTraceCollector = new TraceCollector(WinTraceUserTraceSessionName)) {
                    InitializeSystemHandlers(kernelTraceCollector, collectDriverStats);
                    InitializeProcessHandlers(kernelTraceCollector, customTraceCollector,
                                              process.ProcessId, traceChildProcesses);

                    // Waiter: a pool thread joins the child; once it exits it stops both collectors
                    // and releases the WaitOne() at the bottom of this method.
                    ThreadPool.QueueUserWorkItem((o) => {
                        process.Join();
                        StopCollectors(kernelTraceCollector, customTraceCollector);
                        stopEvent.Set();
                    });

                    // Published so code outside this method can stop the collectors early
                    // (presumably a cancellation / Ctrl+C handler — verify against the caller).
                    stopTraceCollectors = () => {
                        StopCollectors(kernelTraceCollector, customTraceCollector);
                    };

                    // Each collector is started on its own pool thread; Start() presumably blocks for
                    // the lifetime of the session — TODO confirm against TraceCollector.
                    ThreadPool.QueueUserWorkItem((o) => {
                        kernelTraceCollector.Start();
                    });
                    ThreadPool.QueueUserWorkItem((o) => {
                        customTraceCollector.Start();
                    });

                    // Fixed grace period for the sessions to come up. There is no readiness handshake
                    // with Start(), so on a loaded machine the child may run before the collectors are
                    // listening and its earliest events would be missed; a signal from TraceCollector
                    // once the session is active would make this deterministic.
                    Thread.Sleep(1000);

                    // Resume the suspended main thread of the child; tracing is active from here on.
                    process.Resume();

                    // Block the caller until the waiter above (or external code) signals stopEvent;
                    // the collectors and the process wrapper are disposed on the way out.
                    stopEvent.WaitOne();
                }
            }
        }