/// <summary>
/// Attaches entry and exit tracing to one exported function of a native module.
/// </summary>
/// <param name="module">Native module instance in which the export is looked up.</param>
/// <param name="export">Export name handed to <c>FindExportName</c>.</param>
/// <param name="frameAnalyzer">Stack frame analyzer given to the new <c>FunctionTracer</c>.</param>
/// <remarks>
/// On success the enabled tracer is appended to <c>_functionTracers</c>. If any step throws
/// a <c>DkmException</c>, nothing is appended and the method returns normally, so calls to
/// this export are not observed.
/// </remarks>
private void HookCreateProcess(
    DkmNativeModuleInstance module,
    string export,
    StackFrameAnalyzer frameAnalyzer)
{
    try
    {
        // Resolve the export before building the tracer; this lookup is the call
        // reported to fail in sandboxed processes (see the catch block).
        var exportAddress = module.FindExportName(export, true);
        var createProcessTracer = new FunctionTracer(exportAddress, frameAnalyzer);

        createProcessTracer.OnFunctionEntered += createProcessTracer_OnFunctionEntered;
        createProcessTracer.OnFunctionExited += createProcessTracer_OnFunctionExited;
        createProcessTracer.Enable();

        // Registered only after Enable() succeeded.
        _functionTracers.Add(createProcessTracer);
    }
    catch (DkmException)
    {
        // Known case: in sandboxed processes FindExportName has been seen to throw with
        // E_FAIL, for reasons that are not understood. Those processes cannot create
        // child processes anyway, so leaving them unhooked is treated as harmless.
        // NOTE(review): the filter is every DkmException, not only that case, so an
        // unrelated failure also leaves this export untraced and produces no diagnostic.
    }
}
/// <summary>
/// Hooks a single export of <paramref name="module"/> with a <c>FunctionTracer</c> that
/// reports function entry and exit to this class's handlers.
/// </summary>
/// <param name="module">Module instance that is asked to resolve the export.</param>
/// <param name="export">Name of the exported function to trace.</param>
/// <param name="frameAnalyzer">Analyzer passed through to the tracer's constructor.</param>
/// <remarks>
/// A <c>DkmException</c> from any step is swallowed. In that case the tracer is not added
/// to <c>_functionTracers</c> and the export stays unhooked.
/// </remarks>
private void HookCreateProcess(
    DkmNativeModuleInstance module,
    string export,
    StackFrameAnalyzer frameAnalyzer)
{
    try
    {
        var hook = new FunctionTracer(module.FindExportName(export, true), frameAnalyzer);

        // Subscribe both handlers before enabling the tracer, as the original order does.
        hook.OnFunctionEntered += createProcessTracer_OnFunctionEntered;
        hook.OnFunctionExited += createProcessTracer_OnFunctionExited;

        hook.Enable();
        _functionTracers.Add(hook);
    }
    catch (DkmException)
    {
        // Sandboxed processes behave oddly here: FindExportName, for example, throws an
        // exception carrying E_FAIL. The cause is unknown, but such processes are unable
        // to create child processes, so the failure is tolerated rather than propagated.
        // NOTE(review): nothing is logged on this path, so a hook that failed for some
        // other reason cannot be told apart from the sandbox case afterwards.
    }
}