/// <summary>
/// Tears down everything this provider owns once it is disposed: the symbol
/// provider, the process handle, the module-load-completed event and the
/// per-thread query handles kept in <c>Dictionary</c>.
/// </summary>
/// <param name="provider">The provider being disposed; not used here.</param>
private void ThreadProvider_Disposed(IProvider provider)
{
    // Release the symbol provider first, then the process handle. Only _symbols
    // is cleared afterwards; _processHandle keeps its (now disposed) reference.
    if (_symbols != null)
    {
        _symbols.Dispose();
    }

    if (_processHandle != null)
    {
        _processHandle.Dispose();
    }

    _symbols = null;

    // The event is closed under its own monitor; other users of it are
    // presumably synchronising on the same object (not visible in this block).
    lock (_moduleLoadCompletedEvent)
    {
        _moduleLoadCompletedEvent.Close();
    }

    // Each ThreadItem may hold a limited-query handle to its thread; close them all.
    foreach (int threadId in this.Dictionary.Keys)
    {
        ThreadItem entry = this.Dictionary[threadId];

        if (entry.ThreadQueryLimitedHandle != null)
        {
            entry.ThreadQueryLimitedHandle.Dispose();
        }
    }
}
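/// <summary>
/// Resolves the kernel variables KProcessHacker needs: looks each symbol up in
/// the kernel image, then reads the variable's current value out of kernel
/// memory through the driver.
/// </summary>
/// <returns>
/// A <see cref="KVars"/> holding both the symbol addresses and the values read
/// from them.
/// </returns>
/// <exception cref="InvalidOperationException">
/// A kernel read returned fewer bytes than requested; the value would otherwise
/// be used as a kernel pointer/size while holding garbage.
/// </exception>
private unsafe KVars GetKVars()
{
    KVars vars = new KVars();

    // Dispose the symbol provider on every path; the original only did so when
    // all lookups and reads succeeded.
    using (SymbolProvider symbols = new SymbolProvider())
    {
        symbols.LoadModule(Windows.KernelFileName, Windows.KernelBase);

        vars.NonPagedPoolStartAddress = symbols.GetSymbolFromName("MmNonPagedPoolStart").Address.ToIntPtr();
        vars.NonPagedPoolSizeAddress = symbols.GetSymbolFromName("MmMaximumNonPagedPoolInBytes").Address.ToIntPtr();
        vars.PsProcessTypeAddress = symbols.GetSymbolFromName("PsProcessType").Address.ToIntPtr();
        vars.PsThreadTypeAddress = symbols.GetSymbolFromName("PsThreadType").Address.ToIntPtr();
    }

    // The pool start and the two object-type pointers are pointer-sized; the
    // pool size is a 32-bit byte count. Every read is checked for a short
    // result instead of silently trusting whatever was left in the field.
    ReadKernelVariable(vars.NonPagedPoolStartAddress, &vars.NonPagedPoolStart, IntPtr.Size, "MmNonPagedPoolStart");
    ReadKernelVariable(vars.NonPagedPoolSizeAddress, &vars.NonPagedPoolSize, sizeof(uint), "MmMaximumNonPagedPoolInBytes");
    ReadKernelVariable(vars.PsProcessTypeAddress, &vars.PsProcessType, IntPtr.Size, "PsProcessType");
    ReadKernelVariable(vars.PsThreadTypeAddress, &vars.PsThreadType, IntPtr.Size, "PsThreadType");

    return vars;
}

/// <summary>
/// Reads <paramref name="size"/> bytes of kernel memory at
/// <paramref name="address"/> into <paramref name="buffer"/> via the
/// KProcessHacker driver, failing loudly on a short read.
/// </summary>
/// <param name="address">Kernel virtual address of the variable.</param>
/// <param name="buffer">Destination; must be at least <paramref name="size"/> bytes.</param>
/// <param name="size">Number of bytes to read.</param>
/// <param name="name">Symbol name, used only for the error message.</param>
/// <exception cref="InvalidOperationException">Fewer than <paramref name="size"/> bytes were read.</exception>
private static unsafe void ReadKernelVariable(IntPtr address, void* buffer, int size, string name)
{
    int bytesRead;

    // The driver call takes the address as a 32-bit integer. IntPtr.ToInt32
    // throws (rather than truncating) when the value does not fit, so this is
    // effectively an x86-only path — consistent with the rest of this tool,
    // which also hard-codes the x86 Debugging Tools location.
    KProcessHacker.Instance.KphReadVirtualMemoryUnsafe(
        ProcessHandle.Current,
        address.ToInt32(),
        buffer,
        size,
        out bytesRead
        );

    if (bytesRead != size)
    {
        throw new InvalidOperationException(string.Format(
            "Short kernel read of {0}: expected {1} bytes, got {2}.",
            name, size, bytesRead));
    }
}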
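/// <summary>
/// Takes a fresh handle-trace snapshot of the target process and rebuilds the
/// symbol provider used to resolve the trace's stack frames. Module symbol
/// loading is pushed to the global work queue so the UI stays responsive;
/// any failure there is best-effort and simply leaves frames unresolved.
/// </summary>
/// <param name="sender">The snapshot button (unused).</param>
/// <param name="e">Event arguments (unused).</param>
private void buttonSnapshot_Click(object sender, EventArgs e)
{
    try
    {
        using (var phandle = new ProcessHandle(_pid, ProcessAccess.QueryInformation | ProcessAccess.VmRead))
        {
            _currentHtCollection = phandle.GetHandleTraces();

            if (_symbols != null)
            {
                _symbols.Dispose();
            }

            SymbolProvider.Options |= SymbolOptions.DeferredLoads;
            _symbols = new SymbolProvider(phandle);

            // Configure the instance we just created, synchronously. The original
            // wrote _symbols.PreloadModules inside the queued work item, which
            // could hit a newer provider if another snapshot replaced the field
            // before the worker ran.
            _symbols.PreloadModules = true;

            var symbols = _symbols;

            // Enumerate the target's modules now, while phandle is still open.
            // The original called phandle.GetModules() inside the work item,
            // i.e. after this using block had already closed the handle, so the
            // worker raced the dispose and could silently load no user-mode
            // symbols. Enumeration failure stays best-effort, as before.
            Action loadUserModules = null;

            try
            {
                var userModules = phandle.GetModules();

                loadUserModules = () =>
                {
                    foreach (var module in userModules)
                    {
                        // Best-effort: a module whose symbols cannot be loaded is skipped.
                        try
                        {
                            symbols.LoadModule(module.FileName, module.BaseAddress);
                        }
                        catch
                        { }
                    }
                };
            }
            catch
            { }

            WorkQueue.GlobalQueueWorkItem(new Action(() =>
            {
                if (loadUserModules != null)
                {
                    loadUserModules();
                }

                // Kernel modules are loaded as well so kernel-mode frames resolve.
                try
                {
                    foreach (var module in Windows.GetKernelModules())
                    {
                        try
                        {
                            symbols.LoadModule(module.FileName, module.BaseAddress);
                        }
                        catch
                        { }
                    }
                }
                catch
                { }
            }));
        }

        this.PopulateHandleTraceList();
    }
    catch (Exception ex)
    {
        this.ShowException("Error getting the handle trace snapshot", ex);
    }
}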
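/// <summary>
/// Builds the main window: resolves the Nt* system-call numbers from ntdll,
/// connects to the KProcessHacker driver and prepares (but does not start)
/// the system-service logger.
/// </summary>
/// <exception cref="InvalidOperationException">
/// ntdll.dll could not be found among the current process's modules.
/// </exception>
public MainWindow()
{
    InitializeComponent();

    // Prefer the Debugging Tools dbghelp over the system copy. The path is a
    // fixed, admin-writable-only location rather than a user-writable one. The
    // return value is not checked (as in the original), so a missing file
    // leaves symbol loading on whichever dbghelp gets loaded by default.
    Win32.LoadLibrary("C:\\Program Files\\Debugging Tools for Windows (x86)\\dbghelp.dll");

    this.LoadSysCallNumbers();

    KProcessHacker.Instance = new KProcessHacker();

    _logger = new SsLogger(4096, false);
    _logger.EventBlockReceived += new EventBlockReceivedDelegate(logger_EventBlockReceived);
    _logger.ArgumentBlockReceived += new ArgumentBlockReceivedDelegate(logger_ArgumentBlockReceived);

    // Never log this process's own calls, and only calls that originate in user mode.
    _logger.AddProcessIdRule(FilterType.Exclude, ProcessHandle.GetCurrentId());
    _logger.AddPreviousModeRule(FilterType.Include, KProcessorMode.UserMode);
    //_logger.Start();

    listEvents.SetDoubleBuffered(true);
}

/// <summary>
/// Fills <c>_sysCallNames</c> and <c>_reverseSysCallNames</c> by enumerating
/// ntdll's public Zw* symbols and reading each stub's system-call number out
/// of a private mapping of the ntdll file (not the loaded, possibly hooked,
/// in-process image).
/// </summary>
/// <exception cref="InvalidOperationException">
/// ntdll.dll was not found among the current process's modules.
/// </exception>
private void LoadSysCallNumbers()
{
    IntPtr ntdllBase = Loader.GetDllHandle("ntdll.dll");

    SymbolProvider symbols = null;
    FileHandle ntdllFileHandle = null;
    Section section = null;
    SectionView view = null;

    // Everything below is released in the finally block; the original only
    // disposed on the success path.
    try
    {
        symbols = new SymbolProvider(ProcessHandle.Current);
        SymbolProvider.Options |= SymbolOptions.PublicsOnly;

        ProcessHandle.Current.EnumModules((module) =>
        {
            if (!module.BaseName.Equals("ntdll.dll", StringComparison.InvariantCultureIgnoreCase))
            {
                return true;
            }

            // Open the on-disk ntdll and map it as a section of our own, so the
            // bytes we read are the file's, not the live (patchable) image's.
            ntdllFileHandle = new FileHandle(
                @"\??\" + module.FileName,
                FileShareMode.ReadWrite,
                FileAccess.GenericExecute | FileAccess.GenericRead
                );
            section = new Section(ntdllFileHandle, true, MemoryProtection.ExecuteRead);

            symbols.LoadModule(module.FileName, module.BaseAddress, module.Size);

            return false;
        });

        // Without ntdll there is nothing to map; the original dereferenced a
        // null section here.
        if (section == null || ntdllFileHandle == null)
        {
            throw new InvalidOperationException("ntdll.dll was not found in the current process.");
        }

        view = section.MapView((int)ntdllFileHandle.GetSize());

        symbols.EnumSymbols("ntdll!Zw*", (symbol) =>
        {
            // Rebase the symbol's in-process address onto our private view.
            // NOTE(review): this assumes the view is laid out like the loaded
            // image (the Section's second argument is presumably "image");
            // confirm against the Section constructor.
            IntPtr stub = symbol.Address.ToIntPtr().Decrement(ntdllBase).Increment(view.Memory);

            // The +1 offset the original used only makes sense if the stub
            // starts with "mov eax, imm32" (opcode 0xB8), the x86 form of an
            // ntdll Zw stub. Skip anything else rather than record a bogus
            // number for it.
            if (Marshal.ReadByte(stub) != 0xB8)
            {
                return true;
            }

            int number = Marshal.ReadInt32(stub.Increment(1));
            string ntName = "Nt" + symbol.Name.Substring(2);

            _sysCallNames.Add(number, ntName);
            _reverseSysCallNames.Add(ntName, number);

            return true;
        });
    }
    finally
    {
        if (view != null)
        {
            view.Dispose();
        }

        if (section != null)
        {
            section.Dispose();
        }

        if (ntdllFileHandle != null)
        {
            ntdllFileHandle.Dispose();
        }

        if (symbols != null)
        {
            symbols.Dispose();
        }
    }
}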