/// <summary>
/// Builds a handle record from a raw logger block: a <see cref="KphSsHandle"/> header
/// followed by optional wide-string payloads that the header locates by offset.
/// </summary>
/// <param name="data">Memory region positioned at the start of the handle record.</param>
internal SsHandle(MemoryRegion data)
{
    KphSsHandle header = data.ReadStruct<KphSsHandle>();

    // An offset of zero marks a string that was not captured; only read the ones present.
    bool hasTypeName = header.TypeNameOffset != 0;
    bool hasName = header.NameOffset != 0;

    ProcessId = header.ClientId.ProcessId;
    ThreadId = header.ClientId.ThreadId;

    if (hasTypeName)
    {
        TypeName = SsLogger.ReadWString(new MemoryRegion(data, header.TypeNameOffset));
    }

    if (hasName)
    {
        Name = SsLogger.ReadWString(new MemoryRegion(data, header.NameOffset));
    }
}
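/// <summary>
/// Initializes the window: loads dbghelp symbols for ntdll, derives the system call
/// number-to-name table from the on-disk Zw* stubs, then starts the KProcessHacker
/// system service logger with user-mode-only, not-this-process filtering.
/// </summary>
/// <exception cref="InvalidOperationException">
/// ntdll.dll was not found in the current process's module list.
/// </exception>
public MainWindow()
{
    InitializeComponent();

    // Symbol loading relies on the dbghelp.dll shipped with Debugging Tools. The path is
    // hard-coded and the LoadLibrary result is not checked, so a missing DLL only surfaces
    // later inside SymbolProvider. NOTE(review): consider validating the load here.
    Win32.LoadLibrary("C:\\Program Files\\Debugging Tools for Windows (x86)\\dbghelp.dll");

    SymbolProvider symbols = new SymbolProvider(ProcessHandle.Current);
    SymbolProvider.Options |= SymbolOptions.PublicsOnly;

    IntPtr ntdllBase = Loader.GetDllHandle("ntdll.dll");
    FileHandle ntdllFileHandle = null;
    Section section = null;
    SectionView view = null;

    try
    {
        // Find ntdll.dll in our own module list so its on-disk image can be mapped and
        // its symbols loaded at the in-memory base address.
        ProcessHandle.Current.EnumModules((module) =>
        {
            if (!module.BaseName.Equals("ntdll.dll", StringComparison.InvariantCultureIgnoreCase))
            {
                return true; // keep enumerating
            }

            ntdllFileHandle = new FileHandle(
                @"\??\" + module.FileName,
                FileShareMode.ReadWrite,
                FileAccess.GenericExecute | FileAccess.GenericRead
                );
            section = new Section(ntdllFileHandle, true, MemoryProtection.ExecuteRead);
            symbols.LoadModule(module.FileName, module.BaseAddress, module.Size);

            return false; // found it; stop
        });

        // Previously a missing ntdll entry turned into a NullReferenceException on the
        // MapView call; fail with a message that says what actually went wrong.
        if (section == null || ntdllFileHandle == null)
        {
            throw new InvalidOperationException("ntdll.dll was not found in the current process's module list.");
        }

        view = section.MapView((int)ntdllFileHandle.GetSize());

        // The file handle is only needed to create the section and size the view.
        ntdllFileHandle.Dispose();
        ntdllFileHandle = null;

        // Build the system call number -> "Nt*" name table from the mapped Zw* stubs.
        // The 32-bit value is read at offset 1 into each stub, i.e. the immediate of an
        // x86 "mov eax, imm32" prologue. NOTE(review): this layout assumption is x86-only
        // (consistent with the dbghelp path above); a different stub encoding would yield
        // bogus numbers, so confirm before reusing on another architecture.
        symbols.EnumSymbols("ntdll!Zw*", (symbol) =>
        {
            var stubInView = symbol.Address.ToIntPtr().Decrement(ntdllBase).Increment(view.Memory);
            int number = Marshal.ReadInt32(stubInView.Increment(1));

            // If _sysCallNames is a Dictionary, Add throws on a duplicate number, so two
            // Zw* exports sharing a number surface here rather than silently overwriting.
            _sysCallNames.Add(number, "Nt" + symbol.Name.Substring(2));

            return true;
        });
    }
    finally
    {
        // Release in reverse order of acquisition, whether or not mapping succeeded.
        if (view != null)
        {
            view.Dispose();
        }

        if (section != null)
        {
            section.Dispose();
        }

        if (ntdllFileHandle != null)
        {
            ntdllFileHandle.Dispose();
        }

        symbols.Dispose();
    }

    KProcessHacker.Instance = new KProcessHacker();

    _logger = new SsLogger(4096, false);
    _logger.EventBlockReceived += new EventBlockReceivedDelegate(logger_EventBlockReceived);
    _logger.ArgumentBlockReceived += new ArgumentBlockReceivedDelegate(logger_ArgumentBlockReceived);

    // Only record user-mode callers, and exclude our own process id.
    _logger.AddPreviousModeRule(FilterType.Include, KProcessorMode.UserMode);
    _logger.AddProcessIdRule(FilterType.Exclude, ProcessHandle.GetCurrentId());

    listEvents.SetDoubleBuffered(true);
}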