/// <summary>
/// Attaches the kernel and user-mode trace sessions to an already running process and
/// blocks until that process exits or <c>stopEvent</c> is signalled by another path.
/// </summary>
/// <param name="pid">ID of the process to trace.</param>
/// <param name="traceChildProcesses">When true, processes spawned by the target are traced too.</param>
/// <param name="collectDriverStats">When true, ISR/DPC handlers are added to the kernel session.</param>
public void TraceRunningProcess(int pid, bool traceChildProcesses, bool collectDriverStats)
{
    // SYNCHRONIZE is the only access right requested: the handle is used solely to wait for exit.
    using (var processHandle = Kernel32.OpenProcess(Kernel32.ACCESS_MASK.StandardRight.SYNCHRONIZE, false, pid))
    {
        if (processHandle.IsInvalid)
        {
            Console.Error.WriteLine("ERROR: the process with a given PID was not found or you don't have access to it.");
            return;
        }

        using (TraceCollector kernelCollector = new TraceCollector(KernelTraceEventParser.KernelSessionName),
               userCollector = new TraceCollector(WinTraceUserTraceSessionName))
        {
            InitializeSystemHandlers(kernelCollector, collectDriverStats);
            InitializeProcessHandlers(kernelCollector, userCollector, pid, traceChildProcesses);

            // Watcher thread: when the target exits, stop both sessions and release the main thread.
            ThreadPool.QueueUserWorkItem(_ =>
            {
                Kernel32.WaitForSingleObject(processHandle, Constants.INFINITE);
                StopCollectors(kernelCollector, userCollector);
                stopEvent.Set();
            });

            // Exposed so that an external stop request can shut down the same two sessions.
            stopTraceCollectors = () => StopCollectors(kernelCollector, userCollector);

            // Both sessions are started on pool threads; Start() is presumably blocking — TODO confirm.
            ThreadPool.QueueUserWorkItem(_ => kernelCollector.Start());
            ThreadPool.QueueUserWorkItem(_ => userCollector.Start());

            stopEvent.WaitOne();
        }
    }
}
/// <summary>
/// Registers the process-independent handlers on the kernel session: system configuration
/// always, ISR/DPC statistics only when requested.
/// </summary>
/// <param name="kernelCollector">Kernel trace session to add handlers to.</param>
/// <param name="collectDriverStats">Whether to add the ISR/DPC handler.</param>
private void InitializeSystemHandlers(TraceCollector kernelCollector, bool collectDriverStats)
{
    kernelCollector.AddHandler(new SystemConfigTraceEventHandler(traceOutput));
    if (!collectDriverStats)
    {
        return;
    }
    kernelCollector.AddHandler(new IsrDpcTraceEventHandler(traceOutput));
}
/// <summary>
/// Stops a single trace session and, if summaries are enabled, prints its summary.
/// </summary>
/// <param name="collector">Session to stop.</param>
private void StopCollector(TraceCollector collector)
{
    collector.Stop();
    if (!printSummary)
    {
        return;
    }
    collector.PrintSummary();
}
/// <summary>
/// Installs a Ctrl-C handler that stops both the kernel and the user-mode sessions and
/// signals <c>stopEvent</c>. Cancel is set so the process is not terminated by the console;
/// the main thread returns normally once it wakes from <c>stopEvent</c>.
/// Unlike <c>StopCollectors</c>, this path does not print session summaries.
/// </summary>
/// <param name="kernelCollector">Kernel trace session to stop on Ctrl-C.</param>
/// <param name="userCollector">User-mode trace session to stop on Ctrl-C.</param>
static void SetConsoleCtrlCHook(TraceCollector kernelCollector, TraceCollector userCollector)
{
    ConsoleCancelEventHandler onCancel = (sender, args) =>
    {
        args.Cancel = true;
        kernelCollector.Stop();
        userCollector.Stop();
        stopEvent.Set();
    };
    Console.CancelKeyPress += onCancel;
}
/// <summary>
/// Stops two trace sessions, then (if enabled) prints their summaries in the same order.
/// Both sessions are stopped before either summary is printed.
/// </summary>
/// <param name="collector1">First session to stop.</param>
/// <param name="collector2">Second session to stop.</param>
private void StopCollectors(TraceCollector collector1, TraceCollector collector2)
{
    TraceCollector[] collectors = { collector1, collector2 };
    foreach (var collector in collectors)
    {
        collector.Stop();
    }
    if (!printSummary)
    {
        return;
    }
    foreach (var collector in collectors)
    {
        collector.PrintSummary();
    }
}
/// <summary>
/// Registers the per-process handlers for <paramref name="pid"/> on both sessions.
/// With child tracing enabled, each process spawned by <paramref name="pid"/> re-enters this
/// method with the child's ID, and child tracing stays enabled for that child as well.
/// </summary>
/// <param name="kernelCollector">Kernel trace session (file I/O, ALPC, network, process/thread).</param>
/// <param name="customCollector">User-mode trace session (PowerShell, RPC).</param>
/// <param name="pid">Process ID the handlers filter on.</param>
/// <param name="traceChildProcesses">Whether new child processes should be traced too.</param>
private void InitializeProcessHandlers(TraceCollector kernelCollector, TraceCollector customCollector, int pid, bool traceChildProcesses)
{
    // Callback invoked by the process/thread handler for each child of pid.
    var onChildProcess = traceChildProcesses
        ? (int childPid) => { InitializeProcessHandlers(kernelCollector, customCollector, childPid, true); }
        : emptyAction;

    kernelCollector.AddHandler(new FileIOTraceEventHandler(pid, traceOutput));
    kernelCollector.AddHandler(new AlpcTraceEventHandler(pid, traceOutput));
    kernelCollector.AddHandler(new NetworkTraceEventHandler(pid, traceOutput));
    kernelCollector.AddHandler(new ProcessThreadsTraceEventHandler(pid, traceOutput, onChildProcess));

    // DISABLED ON PURPOSE:
    // kernelCollector.AddHandler(new RegistryTraceEventHandler(pid, traceOutput));
    // TODO: strange and sometimes missing key names

    customCollector.AddHandler(new EventHandlers.PowerShell.PowerShellTraceEventHandler(pid, traceOutput));
    customCollector.AddHandler(new EventHandlers.Rpc.RpcTraceEventHandler(pid, traceOutput));
}
/// <summary>
/// Runs only the kernel session with the system-wide handlers (driver statistics always on)
/// and blocks until <c>stopEvent</c> is signalled.
/// </summary>
public void TraceSystemOnly()
{
    using (var kernelCollector = new TraceCollector(KernelTraceEventParser.KernelSessionName))
    {
        InitializeSystemHandlers(kernelCollector, true);
        // Exposed so that an external stop request can shut down this session.
        stopTraceCollectors = () => StopCollector(kernelCollector);
        ThreadPool.QueueUserWorkItem(_ => kernelCollector.Start());
        stopEvent.WaitOne();
    }
}
/// <summary>
/// Starts a new process suspended, attaches the kernel and user-mode sessions to it, resumes it,
/// and blocks until it exits or <c>stopEvent</c> is signalled by another path.
/// </summary>
/// <param name="procargs">Command line (program and arguments) of the process to start.</param>
/// <param name="spawnNewConsoleWindow">Whether the new process gets its own console window.</param>
/// <param name="traceChildProcesses">When true, processes spawned by the target are traced too.</param>
/// <param name="collectDriverStats">When true, ISR/DPC handlers are added to the kernel session.</param>
public void TraceNewProcess(IEnumerable<string> procargs, bool spawnNewConsoleWindow, bool traceChildProcesses, bool collectDriverStats)
{
    using (var target = new ProcessCreator(procargs) { SpawnNewConsoleWindow = spawnNewConsoleWindow })
    {
        // Created suspended so handlers are registered before the target runs its first instruction.
        target.StartSuspended();

        using (TraceCollector kernelCollector = new TraceCollector(KernelTraceEventParser.KernelSessionName),
               userCollector = new TraceCollector(WinTraceUserTraceSessionName))
        {
            InitializeSystemHandlers(kernelCollector, collectDriverStats);
            InitializeProcessHandlers(kernelCollector, userCollector, target.ProcessId, traceChildProcesses);

            // Watcher thread: when the target exits, stop both sessions and release the main thread.
            ThreadPool.QueueUserWorkItem(_ =>
            {
                target.Join();
                StopCollectors(kernelCollector, userCollector);
                stopEvent.Set();
            });

            // Exposed so that an external stop request can shut down the same two sessions.
            stopTraceCollectors = () => StopCollectors(kernelCollector, userCollector);

            ThreadPool.QueueUserWorkItem(_ => kernelCollector.Start());
            ThreadPool.QueueUserWorkItem(_ => userCollector.Start());

            // Fixed one-second grace period before resuming the target. The Start() calls above
            // are queued asynchronously, so this is a timing assumption, not a guarantee that
            // both sessions are already receiving events — TODO confirm against TraceCollector.Start.
            Thread.Sleep(1000);
            target.Resume();

            stopEvent.WaitOne();
        }
    }
}