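        /// <summary>
        /// Builds the system-call number/name lookup tables from the Zw* exports of
        /// ntdll.dll and prepares the kernel-mode logger (which is not started here).
        /// </summary>
        /// <exception cref="InvalidOperationException">
        /// ntdll.dll was not found in the module list of the current process, so the
        /// lookup tables could not be built.
        /// </exception>
        public MainWindow()
        {
            InitializeComponent();

            // dbghelp.dll from the Debugging Tools is needed by SymbolProvider; the path is
            // hard-coded and the result of the load is not checked (symbol calls below fail
            // instead if it is missing).
            Win32.LoadLibrary("C:\\Program Files\\Debugging Tools for Windows (x86)\\dbghelp.dll");

            IntPtr      ntdllBase       = Loader.GetDllHandle("ntdll.dll");
            FileHandle  ntdllFileHandle = null;
            Section     section         = null;
            SectionView view            = null;

            using (SymbolProvider symbols = new SymbolProvider(ProcessHandle.Current))
            {
                SymbolProvider.Options |= SymbolOptions.PublicsOnly;

                // Every native handle opened below is released in the finally block, so an
                // exception from the symbol engine no longer leaks the file/section/view.
                try
                {
                    ProcessHandle.Current.EnumModules((module) =>
                    {
                        if (!module.BaseName.Equals("ntdll.dll", StringComparison.InvariantCultureIgnoreCase))
                            return true;

                        // The syscall numbers are read from a fresh file-backed mapping of
                        // ntdll rather than from the copy already loaded in this process.
                        ntdllFileHandle = new FileHandle(@"\??\" + module.FileName,
                                                         FileShareMode.ReadWrite,
                                                         FileAccess.GenericExecute | FileAccess.GenericRead);
                        section = new Section(ntdllFileHandle, true, MemoryProtection.ExecuteRead);

                        symbols.LoadModule(module.FileName, module.BaseAddress, module.Size);
                        return false;
                    });

                    // The original code dereferenced a null section here when ntdll was not
                    // enumerated; report that case explicitly instead.
                    if (section == null || ntdllFileHandle == null)
                        throw new InvalidOperationException("ntdll.dll was not found in the module list of the current process.");

                    view = section.MapView((int)ntdllFileHandle.GetSize());

                    symbols.EnumSymbols("ntdll!Zw*", (symbol) =>
                    {
                        // Offset of the symbol within the image, rebased onto the mapped view.
                        // Reads the 32-bit value one byte past the stub start; this assumes
                        // the stub layout of the x86 ntdll — TODO confirm for other targets.
                        IntPtr stubInView = symbol.Address.ToIntPtr().Decrement(ntdllBase).Increment(view.Memory);
                        int    number     = Marshal.ReadInt32(stubInView.Increment(1));
                        string ntName     = "Nt" + symbol.Name.Substring(2);

                        _sysCallNames.Add(number, ntName);
                        _reverseSysCallNames.Add(ntName, number);

                        return true;
                    });
                }
                finally
                {
                    if (view != null)
                        view.Dispose();
                    if (section != null)
                        section.Dispose();
                    if (ntdllFileHandle != null)
                        ntdllFileHandle.Dispose();
                }
            }

            KProcessHacker.Instance = new KProcessHacker();

            _logger = new SsLogger(4096, false);
            _logger.EventBlockReceived    += new EventBlockReceivedDelegate(logger_EventBlockReceived);
            _logger.ArgumentBlockReceived += new ArgumentBlockReceivedDelegate(logger_ArgumentBlockReceived);
            // Events from this process are excluded; only user-mode callers are logged by default.
            _logger.AddProcessIdRule(FilterType.Exclude, ProcessHandle.GetCurrentId());
            _logger.AddPreviousModeRule(FilterType.Include, KProcessorMode.UserMode);
            //_logger.Start();

            listEvents.SetDoubleBuffered(true);
        }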
 /// <summary>
 /// Menu handler: adds a logger rule that includes kernel-mode callers and keeps the
 /// returned rule alongside the others in <c>_rules</c>.
 /// </summary>
 /// <param name="sender">The menu item that raised the event (unused).</param>
 /// <param name="e">Event data (unused).</param>
 private void addKernelModeFiltersMenuItem_Click(object sender, EventArgs e)
 {
     var kernelModeRule = _logger.AddPreviousModeRule(FilterType.Include, KProcessorMode.KernelMode);
     _rules.Add(kernelModeRule);
 }