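/// <summary>
/// Creates the system information window: restores the saved size/location and, when the
/// KProcessHacker driver is available, resolves the kernel pool-limit variable addresses on a
/// background work item.
/// </summary>
/// <remarks>
/// The two addresses come from kernel symbols and are later used to read kernel memory through
/// the driver, so a half-resolved pair (first set, second still zero because its lookup threw) is
/// worse than none. Both are resolved into locals and published together only once both lookups
/// succeed; the paged-pool field doubles as the "already loaded" flag that gates the work item.
/// Lookup failures are deliberately ignored — the window works without the pool-limit figures.
/// The SymbolProvider is disposed once the lookups are done.
/// </remarks>
public SysInfoWindow()
{
    InitializeComponent();
    this.AddEscapeToClose();

    this.Size = Properties.Settings.Default.SysInfoWindowSize;
    // Clamp the saved location so the window lands on a visible screen.
    this.Location = Utils.FitRectangle(
        new Rectangle(Properties.Settings.Default.SysInfoWindowLocation, this.Size),
        this
        ).Location;

    // Load the pool limit addresses (only useful when the driver can read kernel memory).
    if (_mmSizeOfPagedPoolInBytes == IntPtr.Zero && KProcessHacker.Instance != null)
    {
        WorkQueue.GlobalQueueWorkItemTag(new Action(() =>
        {
            try
            {
                IntPtr pagedPoolSizeAddress;
                IntPtr maxNonPagedPoolAddress;

                using (SymbolProvider symbols = new SymbolProvider())
                {
                    symbols.LoadModule(Windows.KernelFileName, Windows.KernelBase);
                    pagedPoolSizeAddress = symbols.GetSymbolFromName("MmSizeOfPagedPoolInBytes").Address.ToIntPtr();
                    maxNonPagedPoolAddress = symbols.GetSymbolFromName("MmMaximumNonPagedPoolInBytes").Address.ToIntPtr();
                }

                // Publish only after both resolved; the paged-pool field is written last because
                // it is the flag other code tests for "addresses available".
                _mmMaximumNonPagedPoolInBytes = maxNonPagedPoolAddress;
                _mmSizeOfPagedPoolInBytes = pagedPoolSizeAddress;
            }
            catch (Exception)
            {
                // Best effort: without symbols the pool limits simply stay unknown (IntPtr.Zero).
            }
        }), "load-mm-addresses");
    }
}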
/// <summary>
/// Creates the thread window for thread <paramref name="TID"/> of process <paramref name="PID"/>,
/// opening the process (unless a handle is supplied) and the thread with only the access the
/// call stack view needs.
/// </summary>
/// <param name="PID">Process ID; looked up in Program.ProcessProvider.Dictionary for the title.</param>
/// <param name="TID">Thread ID, opened with GetContext | SuspendResume.</param>
/// <param name="symbols">Symbol provider used for call stack resolution; stored, not owned here.</param>
/// <param name="processHandle">Optional caller-owned process handle. When supplied it is used as-is
/// and marked not owned; when null a handle with QueryInformation | VmRead is opened here.</param>
/// <remarks>
/// Either open failing shows the error to the user and closes the window. NOTE(review): on the
/// thread-open failure path a process handle opened by this constructor is not released in this
/// method — confirm the form's Dispose covers it.
/// </remarks>
public ThreadWindow(int PID, int TID, SymbolProvider symbols, ProcessHandle processHandle)
{
    InitializeComponent();
    this.AddEscapeToClose();
    this.SetTopMost();
    // Put the selection-dependent UI into its "nothing selected" state.
    listViewCallStack_SelectedIndexChanged(null, null);

    _pid = PID;
    _tid = TID;
    _symbols = symbols;

    string processName = Program.ProcessProvider.Dictionary[_pid].Name;
    this.Text = processName + " (PID " + _pid.ToString() + ") - Thread " + _tid.ToString();
    listViewCallStack.ContextMenu = listViewCallStack.GetCopyMenu();

    bool processOpened = false;

    try
    {
        if (processHandle == null)
        {
            // Least privilege: query + read is all that stack walking needs.
            _phandle = new ProcessHandle(_pid, ProcessAccess.QueryInformation | ProcessAccess.VmRead);
        }
        else
        {
            // Caller keeps ownership of the supplied handle.
            _phandle = processHandle;
            _processHandleOwned = false;
        }

        processOpened = true;
    }
    catch (Exception ex)
    {
        PhUtils.ShowException("Unable to open the process", ex);
    }

    if (!processOpened)
    {
        this.Close();
        return;
    }

    bool threadOpened = false;

    try
    {
        _thandle = new ThreadHandle(_tid, ThreadAccess.GetContext | ThreadAccess.SuspendResume);
        threadOpened = true;
    }
    catch (Exception ex)
    {
        PhUtils.ShowException("Unable to open the thread", ex);
    }

    if (!threadOpened)
    {
        this.Close();
        return;
    }
}
/// <summary>
/// Creates the kernel symbol provider on a QueryInformation handle to the System process
/// (PID 4) and loads symbols for every kernel module that can be loaded.
/// </summary>
/// <remarks>
/// Per-module failures are swallowed on purpose so one driver without symbols does not stop
/// the rest of the kernel from resolving. NOTE(review): the ProcessHandle created here is
/// passed to the SymbolProvider and never disposed in this method — confirm the provider
/// takes ownership of it.
/// </remarks>
private void LoadKernelSymbols()
{
    ProcessHandle systemProcess = new ProcessHandle(4, ProcessAccess.QueryInformation);
    SymbolProvider kernelSymbols = new SymbolProvider(systemProcess);

    _kernelSymbols = kernelSymbols;
    kernelSymbols.PreloadModules = true;

    foreach (var kernelModule in Windows.GetKernelModules())
    {
        try
        {
            kernelSymbols.LoadModule(kernelModule.FileName, kernelModule.BaseAddress);
        }
        catch
        {
            // Best effort per module: skip anything whose symbols cannot be loaded.
        }
    }
}
/// <summary>
/// Creates the thread window for thread <paramref name="TID"/> of process <paramref name="PID"/>.
/// Opens the process (unless a handle is supplied) and the thread, falling back to the reduced
/// rights sets in Program.Min*Rights when the normal open fails and the KProcessHacker driver
/// is loaded.
/// </summary>
/// <param name="PID">Process ID; looked up in Program.ProcessProvider.Dictionary for the title.</param>
/// <param name="TID">Thread ID to open.</param>
/// <param name="symbols">Symbol provider used for call stack resolution; stored, not owned here.</param>
/// <param name="processHandle">Optional caller-owned process handle; when null one is opened here.</param>
/// <remarks>
/// Without the driver the first open failure is rethrown and shown to the user; with the driver
/// the retry uses the reduced rights (presumably the driver supplies the missing access — confirm).
/// Either open failing closes the window. NOTE(review): on the thread-open failure path a process
/// handle opened by this constructor is not released in this method — confirm the form's Dispose
/// covers it.
/// </remarks>
public ThreadWindow(int PID, int TID, SymbolProvider symbols, ProcessHandle processHandle)
{
    InitializeComponent();
    this.AddEscapeToClose();
    this.SetTopMost();
    // Put the selection-dependent UI into its "nothing selected" state.
    listViewCallStack_SelectedIndexChanged(null, null);

    _pid = PID;
    _tid = TID;
    _symbols = symbols;

    string processName = Program.ProcessProvider.Dictionary[_pid].Name;
    this.Text = processName + " (PID " + _pid.ToString() + ") - Thread " + _tid.ToString();

    // DoubleBuffered is protected on Control; flip it through reflection to cut flicker.
    typeof(ListView)
        .GetProperty("DoubleBuffered", BindingFlags.NonPublic | BindingFlags.Instance)
        .SetValue(listViewCallStack, true, null);
    listViewCallStack.ContextMenu = listViewCallStack.GetCopyMenu();

    bool processOpened = false;

    try
    {
        if (processHandle != null)
        {
            // Caller keeps ownership of the supplied handle.
            _phandle = processHandle;
            _processHandleOwned = false;
        }
        else
        {
            try
            {
                _phandle = new ProcessHandle(_pid, ProcessAccess.QueryInformation | ProcessAccess.VmRead);
            }
            catch
            {
                // No driver: nothing to fall back to, surface the original failure.
                if (KProcessHacker.Instance == null)
                    throw;

                _phandle = new ProcessHandle(_pid, Program.MinProcessReadMemoryRights);
            }
        }

        processOpened = true;
    }
    catch (Exception ex)
    {
        PhUtils.ShowException("Unable to open the process", ex);
    }

    if (!processOpened)
    {
        this.Close();
        return;
    }

    bool threadOpened = false;

    try
    {
        try
        {
            _thandle = new ThreadHandle(_tid, ThreadAccess.GetContext | ThreadAccess.SuspendResume);
        }
        catch
        {
            if (KProcessHacker.Instance == null)
                throw;

            _thandle = new ThreadHandle(_tid, Program.MinThreadQueryRights | ThreadAccess.SuspendResume);
        }

        threadOpened = true;
    }
    catch (Exception ex)
    {
        PhUtils.ShowException("Unable to open the thread", ex);
    }

    if (!threadOpened)
    {
        this.Close();
        return;
    }
}
/// <summary>
/// Persists the window size and the call stack column layout when the window closes and drops
/// the symbol provider reference.
/// </summary>
/// <remarks>
/// The provider is only dereferenced, not disposed — presumably because it is supplied by the
/// caller of the constructor; confirm before adding a Dispose here.
/// </remarks>
private void ThreadWindow_FormClosing(object sender, FormClosingEventArgs e)
{
    var settings = Properties.Settings.Default;

    settings.ThreadWindowSize = this.Size;
    settings.CallStackColumns = ColumnSettings.SaveSettings(listViewCallStack);

    _symbols = null;
}
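/// <summary>
/// Initializes the system call logger window: builds the call-number → Nt* name table from a
/// private mapping of ntdll.dll, then connects the KProcessHacker driver and the SsLogger stream.
/// </summary>
/// <remarks>
/// The call numbers are read from a fresh section mapped over the on-disk ntdll rather than from
/// the ntdll image already loaded in this process, so hooks applied to the live stubs do not
/// affect the table. Each Zw* symbol's RVA (address minus the live ntdll base) is applied to the
/// mapped view and the 32-bit value at offset 1 is taken as the call number — this assumes the
/// stub starts with a one-byte opcode followed by the immediate (x86 <c>mov eax, imm32</c>);
/// TODO confirm, other architectures place the immediate elsewhere. The dbghelp LoadLibrary is a
/// fixed Debugging Tools path and is best effort: if absent the default dbghelp is used.
/// All native resources (view, section, file handle, symbol provider) are released in a
/// <c>finally</c> so a failure part-way through cannot leak them.
/// </remarks>
/// <exception cref="InvalidOperationException">ntdll.dll was not found among the loaded modules.</exception>
public MainWindow()
{
    InitializeComponent();

    // Prefer the Debugging Tools dbghelp; if the path does not exist this simply fails.
    Win32.LoadLibrary("C:\\Program Files\\Debugging Tools for Windows (x86)\\dbghelp.dll");

    SymbolProvider symbols = new SymbolProvider(ProcessHandle.Current);
    SymbolProvider.Options |= SymbolOptions.PublicsOnly;

    IntPtr ntdllBase = Loader.GetDllHandle("ntdll.dll");
    FileHandle ntdllFileHandle = null;
    Section section = null;
    SectionView view = null;

    try
    {
        ProcessHandle.Current.EnumModules((module) =>
        {
            if (module.BaseName.Equals("ntdll.dll", StringComparison.InvariantCultureIgnoreCase))
            {
                ntdllFileHandle = new FileHandle(
                    @"\??\" + module.FileName,
                    FileShareMode.ReadWrite,
                    FileAccess.GenericExecute | FileAccess.GenericRead
                    );
                section = new Section(ntdllFileHandle, true, MemoryProtection.ExecuteRead);
                symbols.LoadModule(module.FileName, module.BaseAddress, module.Size);
                return false;
            }

            return true;
        });

        // Without ntdll there is no table to build; fail with a message instead of a null dereference.
        if (section == null || ntdllFileHandle == null)
            throw new InvalidOperationException("ntdll.dll was not found in the current process.");

        view = section.MapView((int)ntdllFileHandle.GetSize());

        symbols.EnumSymbols("ntdll!Zw*", (symbol) =>
        {
            // Same RVA in the mapped file as in the live image; +1 skips the opcode byte.
            int number = Marshal.ReadInt32(
                (symbol.Address.ToIntPtr().Decrement(ntdllBase)).Increment(view.Memory).Increment(1));

            _sysCallNames.Add(number, "Nt" + symbol.Name.Substring(2));

            return true;
        });
    }
    finally
    {
        if (view != null)
            view.Dispose();
        if (section != null)
            section.Dispose();
        if (ntdllFileHandle != null)
            ntdllFileHandle.Dispose();
        symbols.Dispose();
    }

    KProcessHacker.Instance = new KProcessHacker();

    _logger = new SsLogger(4096, false);
    _logger.EventBlockReceived += new EventBlockReceivedDelegate(logger_EventBlockReceived);
    _logger.ArgumentBlockReceived += new ArgumentBlockReceivedDelegate(logger_ArgumentBlockReceived);
    // Record only calls that originated in user mode, and never our own process.
    _logger.AddPreviousModeRule(FilterType.Include, KProcessorMode.UserMode);
    _logger.AddProcessIdRule(FilterType.Exclude, ProcessHandle.GetCurrentId());

    listEvents.SetDoubleBuffered(true);
}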
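/// <summary>
/// Creates the system information window: starts the background lookup of the kernel
/// pool-limit variable addresses, then wires every tracker, indicator and plotter control to
/// the process provider's history buffers and the configured colours, one plotter per CPU.
/// </summary>
/// <remarks>
/// Pool-limit addresses come from kernel symbols; both are resolved into locals and published
/// together so a failed second lookup cannot leave one address set and the other zero (the
/// paged-pool field is also the flag that gates the lookup). Symbol failures are ignored — the
/// window works without the pool figures. The provider's Updated event is subscribed here; the
/// matching unsubscribe is expected on close (not in this method). TopMost is set last, after
/// the checkbox wiring, because the AlwaysOnTop checkbox would otherwise override it.
/// </remarks>
public SysInfoWindow()
{
    this.InitializeComponent();

    //if (!Settings.Instance.SysInfoWindowBounds.IsEmpty)
    //this.DesktopBounds = Utils.FitRectangle(Settings.Instance.SysInfoWindowBounds, this);

    // Load the pool limit addresses.
    if (_mmSizeOfPagedPoolInBytes == IntPtr.Zero)
    {
        WorkQueue.GlobalQueueWorkItemTag(new Action(() =>
        {
            try
            {
                IntPtr pagedPoolSizeAddress;
                IntPtr maxNonPagedPoolAddress;

                using (SymbolProvider symbols = new SymbolProvider())
                {
                    symbols.LoadModule(Windows.KernelFileName, Windows.KernelBase);
                    pagedPoolSizeAddress = (IntPtr)symbols.GetSymbolFromName("MmSizeOfPagedPoolInBytes").Address;
                    maxNonPagedPoolAddress = (IntPtr)symbols.GetSymbolFromName("MmMaximumNonPagedPoolInBytes").Address;
                }

                // Publish only when both resolved; the paged-pool field is written last
                // because it is the "addresses available" flag tested above.
                _mmMaximumNonPagedPoolInBytes = maxNonPagedPoolAddress;
                _mmSizeOfPagedPoolInBytes = pagedPoolSizeAddress;
            }
            catch (Exception)
            {
                // Best effort: without symbols the pool limits stay unknown.
            }
        }), "load-mm-addresses");
    }

    // Memory trackers.
    this.trackerMemory.values = Program.ProcessProvider.PhysicalMemoryHistory;
    this.trackerMemory.DrawColor = Settings.Instance.PlotterMemoryPrivateColor;
    this.trackerCommit.Maximum = (int)Program.ProcessProvider.Performance.CommitLimit;
    this.trackerCommit.values = Program.ProcessProvider.CommitHistory;
    this.trackerCommit.DrawColor = Settings.Instance.PlotterMemoryWSColor;

    // Set indicators color
    this.indicatorCpu.Color1 = Settings.Instance.PlotterCPUUserColor;
    this.indicatorCpu.Color2 = Settings.Instance.PlotterCPUKernelColor;
    this.indicatorIO.Color1 = Settings.Instance.PlotterIOROColor;
    this.indicatorPhysical.Color1 = Settings.Instance.PlotterMemoryPrivateColor;
    this.plotterCPU.LineColor2 = Settings.Instance.PlotterCPUKernelColor;
    this.plotterCPU.LineColor1 = Settings.Instance.PlotterCPUUserColor;
    this.plotterIO.LineColor1 = Settings.Instance.PlotterIOROColor;
    this.plotterIO.LineColor2 = Settings.Instance.PlotterIOWColor;

    // Maximum physical memory.
    this.indicatorPhysical.Maximum = _pages;

    // Set up the plotter controls.
    plotterCPU.Data1 = Program.ProcessProvider.CpuKernelHistory;
    plotterCPU.Data2 = Program.ProcessProvider.CpuUserHistory;
    plotterCPU.GetToolTip = i =>
        Program.ProcessProvider.MostCpuHistory[i] + "\n" +
        ((plotterCPU.Data1[i] + plotterCPU.Data2[i]) * 100).ToString("N2") +
        "% (K " + (plotterCPU.Data1[i] * 100).ToString("N2") +
        "%, U " + (plotterCPU.Data2[i] * 100).ToString("N2") + "%)" + "\n" +
        Program.ProcessProvider.TimeHistory[i].ToString();

    plotterIO.LongData1 = Program.ProcessProvider.IoReadOtherHistory;
    plotterIO.LongData2 = Program.ProcessProvider.IoWriteHistory;
    plotterIO.GetToolTip = i =>
        Program.ProcessProvider.MostIoHistory[i] + "\n" +
        "R+O: " + Utils.FormatSize(plotterIO.LongData1[i]) + "\n" +
        "W: " + Utils.FormatSize(plotterIO.LongData2[i]) + "\n" +
        Program.ProcessProvider.TimeHistory[i].ToString();

    //plotterMemory.Data1 = Program.ProcessProvider.CommitHistory;
    //plotterMemory.Data2 = Program.ProcessProvider.PhysicalMemoryHistory;
    //plotterMemory.GetToolTip = i => "Commit: " + plotterMemory.Data1[i] + "\n" +
    //    "Phys. Memory: " + plotterMemory.Data2[i] + "\n" + Program.ProcessProvider.TimeHistory[i].ToString();

    // Create a plotter per CPU.
    _cpuPlotters = new Plotter[_noOfCPUs];
    tableCPUs.ColumnCount = (int)_noOfCPUs;
    tableCPUs.ColumnStyles.Clear();
    tableCPUs.Dock = DockStyle.Fill;

    for (int i = 0; i < _cpuPlotters.Length; i++)
    {
        Plotter plotter;

        tableCPUs.ColumnStyles.Add(new ColumnStyle(SizeType.Percent, 1.0f / _noOfCPUs));
        _cpuPlotters[i] = plotter = new Plotter();
        plotter.BackColor = Color.Black;
        plotter.Dock = DockStyle.Fill;
        plotter.Margin = new Padding(i == 0 ? 0 : 3, 0, 0, 0); // nice spacing
        plotter.UseSecondLine = true;
        plotter.Data1 = Program.ProcessProvider.CpusKernelHistory[i];
        plotter.Data2 = Program.ProcessProvider.CpusUserHistory[i];
        // 'plotter' is declared inside the loop, so each tooltip closure captures its own plotter.
        plotter.GetToolTip = j =>
            Program.ProcessProvider.MostCpuHistory[j] + "\n" +
            ((plotter.Data1[j] + plotter.Data2[j]) * 100).ToString("N2") +
            "% (K " + (plotter.Data1[j] * 100).ToString("N2") +
            "%, U " + (plotter.Data2[j] * 100).ToString("N2") + "%)" + "\n" +
            Program.ProcessProvider.TimeHistory[j].ToString();
        this.tableCPUs.Controls.Add(plotter, i, 0);
    }

    this.checkShowOneGraphPerCPU.Checked = Settings.Instance.ShowOneGraphPerCPU;

    if (_noOfCPUs == 1)
        checkShowOneGraphPerCPU.Enabled = false;

    Program.ProcessProvider.Updated += ProcessProvider_Updated;

    //We need to do this here or TopMost property gets over-rided by AlwaysOnTopCheckbox
    this.TopMost = Settings.Instance.AlwaysOnTop;

    this.UpdateGraphs();
    this.UpdateInfo();
}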
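/// <summary>
/// Builds the event-properties dialog for one logged system call: the call name, time and
/// previous mode, one row per argument with its raw value and decoded form, and the captured
/// stack trace with symbols resolved on background work items.
/// </summary>
/// <param name="even">The logged event to display.</param>
/// <remarks>
/// Argument decoding depends on the SsData subtype: SsSimple prints the argument, SsHandle
/// prints type plus name (or PID/TID when it has no name), SsUnicodeString prints the string,
/// SsObjectAttributes prints root directory and object name joined by a backslash, SsClientId
/// prints PID/TID; the type column is the subtype name without its "Ss" prefix. Symbol
/// resolution opens the target process with QueryInformation | VmRead only; any failure there
/// (process gone, access denied) leaves the stack trace list as far as it got rather than
/// failing the dialog. The symbol provider is captured in a local for the background items so a
/// later reset of the field cannot pull it out from under them. NOTE(review): this method
/// assigns SymbolProvider.Options outright rather than OR-ing into it, discarding any option set
/// elsewhere — confirm that is intended.
/// </remarks>
public EventProperties(LogEvent even)
{
    InitializeComponent();

    _event = even;

    textSystemCall.Text = MainWindow.SysCallNames.ContainsKey(even.Event.CallNumber) ?
        MainWindow.SysCallNames[even.Event.CallNumber] : "(unknown)";
    textTime.Text = _event.Event.Time.ToString();
    textMode.Text = _event.Event.Mode == KProcessorMode.UserMode ? "User-mode" : "Kernel-mode";

    for (int i = 0; i < _event.Event.Arguments.Length; i++)
    {
        ListViewItem item = new ListViewItem();

        item.Text = i.ToString();
        item.SubItems.Add(new ListViewItem.ListViewSubItem(item, "0x" + _event.Event.Arguments[i].ToString("x")));

        if (_event.Arguments[i] != null)
        {
            string text = "";
            SsData data = _event.Arguments[i];

            if (data is SsSimple)
            {
                text = (data as SsSimple).Argument.ToString();
            }
            else if (data is SsHandle)
            {
                SsHandle handle = data as SsHandle;

                if (!string.IsNullOrEmpty(handle.Name))
                    text = handle.TypeName + ": " + handle.Name;
                else
                    text = handle.TypeName + ": PID: " + handle.ProcessId.ToString() + ", TID: " + handle.ThreadId.ToString();
            }
            else if (data is SsUnicodeString)
            {
                text = (data as SsUnicodeString).String;
            }
            else if (data is SsObjectAttributes)
            {
                SsObjectAttributes oa = data as SsObjectAttributes;

                text = "";

                if (oa.RootDirectory != null)
                    text = oa.RootDirectory.Name;

                if (oa.ObjectName != null)
                {
                    if (!string.IsNullOrEmpty(text))
                        text = text + "\\" + oa.ObjectName.String;
                    else
                        text = oa.ObjectName.String;
                }
            }
            else if (data is SsClientId)
            {
                text = "PID: " + (data as SsClientId).Original.ProcessId.ToString() +
                    ", TID: " + (data as SsClientId).Original.ThreadId.ToString();
            }

            item.SubItems.Add(new ListViewItem.ListViewSubItem(item, text));
            // Type column: the SsData subtype name without its "Ss" prefix.
            item.SubItems.Add(new ListViewItem.ListViewSubItem(item, _event.Arguments[i].GetType().Name.Remove(0, 2)));
        }
        else
        {
            item.SubItems.Add(new ListViewItem.ListViewSubItem(item, ""));
            item.SubItems.Add(new ListViewItem.ListViewSubItem(item, ""));
        }

        listArguments.Items.Add(item);
    }

    SymbolProvider.Options = SymbolOptions.DeferredLoads | SymbolOptions.UndName;

    try
    {
        using (var phandle = new ProcessHandle(_event.Event.ProcessId, ProcessAccess.QueryInformation | ProcessAccess.VmRead))
        {
            // Local reference for the background items; the field may be reset by other code.
            SymbolProvider provider = new SymbolProvider(phandle);

            _symbols = provider;

            phandle.EnumModules((module) =>
            {
                provider.LoadModule(module.FileName, module.BaseAddress, module.Size);
                return true;
            });
            Windows.EnumKernelModules((module) =>
            {
                provider.LoadModule(module.FileName, module.BaseAddress);
                return true;
            });
            provider.PreloadModules = true;

            for (int i = 0; i < _event.Event.StackTrace.Length; i++)
            {
                var address = _event.Event.StackTrace[i];
                string fileName;
                IntPtr baseAddress;
                string location;

                fileName = provider.GetModuleFromAddress(address, out baseAddress);

                // An address outside every known module may come back with no file name;
                // show the bare address rather than throwing, which would abort the whole list.
                if (string.IsNullOrEmpty(fileName))
                    location = "0x" + address.ToString("x");
                else
                    location = (new System.IO.FileInfo(fileName)).Name + "+0x" + address.Decrement(baseAddress).ToString("x");

                listStackTrace.Items.Add(new ListViewItem(new string[]
                {
                    "0x" + address.ToString("x"),
                    location
                }));

                WorkQueue.GlobalQueueWorkItemTag(new Action<int, IntPtr>((i_, address_) =>
                {
                    string symbol = provider.GetSymbolFromAddress(address_.ToUInt64());

                    // Marshal back to the UI thread; the update is dropped if there is no window handle yet.
                    if (this.IsHandleCreated)
                        this.BeginInvoke(new Action(() => listStackTrace.Items[i_].SubItems[1].Text = symbol));
                }), "resolve-symbol", i, address);
            }
        }
    }
    catch
    {
        // Best effort: the process may have exited or be inaccessible; keep whatever was listed.
    }

    listArguments.SetDoubleBuffered(true);
    listStackTrace.SetDoubleBuffered(true);
}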
/// <summary>
/// Persists the window size and the call stack column layout to the settings singleton when the
/// window closes and drops the symbol provider reference.
/// </summary>
/// <remarks>
/// The provider is only dereferenced, not disposed — presumably because it is supplied by the
/// caller of the constructor; confirm before adding a Dispose here.
/// </remarks>
private void ThreadWindow_FormClosing(object sender, FormClosingEventArgs e)
{
    var current = Settings.Instance;

    current.ThreadWindowSize = this.Size;
    current.CallStackColumns = ColumnSettings.SaveSettings(listViewCallStack);

    _symbols = null;
}
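/// <summary>
/// Resolves the kernel variables the driver needs (MmNonPagedPoolStart,
/// MmMaximumNonPagedPoolInBytes, PsProcessType, PsThreadType) from kernel symbols and reads
/// their current values out of kernel memory through KProcessHacker.
/// </summary>
/// <returns>A <c>KVars</c> holding both the symbol addresses and the values read at them.</returns>
/// <exception cref="InvalidOperationException">A kernel read returned fewer bytes than requested.</exception>
/// <remarks>
/// The values are later trusted as kernel pointers/sizes, so a short read is an error instead of
/// a silently zero or partial field. The symbol provider is disposed even when a lookup throws.
/// NOTE(review): addresses are truncated with ToInt32() and the pool size is read as a uint,
/// which appears to assume a 32-bit kernel — confirm before relying on this on x64.
/// </remarks>
private unsafe KVars GetKVars()
{
    KVars vars = new KVars();

    using (SymbolProvider symbols = new SymbolProvider())
    {
        symbols.LoadModule(Windows.KernelFileName, Windows.KernelBase);

        vars.NonPagedPoolStartAddress = symbols.GetSymbolFromName("MmNonPagedPoolStart").Address.ToIntPtr();
        vars.NonPagedPoolSizeAddress = symbols.GetSymbolFromName("MmMaximumNonPagedPoolInBytes").Address.ToIntPtr();
        vars.PsProcessTypeAddress = symbols.GetSymbolFromName("PsProcessType").Address.ToIntPtr();
        vars.PsThreadTypeAddress = symbols.GetSymbolFromName("PsThreadType").Address.ToIntPtr();
    }

    ReadKernelVariable(vars.NonPagedPoolStartAddress, &vars.NonPagedPoolStart, IntPtr.Size, "MmNonPagedPoolStart");
    ReadKernelVariable(vars.NonPagedPoolSizeAddress, &vars.NonPagedPoolSize, sizeof(uint), "MmMaximumNonPagedPoolInBytes");
    ReadKernelVariable(vars.PsProcessTypeAddress, &vars.PsProcessType, IntPtr.Size, "PsProcessType");
    ReadKernelVariable(vars.PsThreadTypeAddress, &vars.PsThreadType, IntPtr.Size, "PsThreadType");

    return vars;
}

/// <summary>
/// Reads <paramref name="length"/> bytes of kernel memory at <paramref name="address"/> into
/// <paramref name="buffer"/> through the driver and fails if the read came up short.
/// </summary>
/// <param name="address">Kernel address to read from (truncated to 32 bits by the driver call).</param>
/// <param name="buffer">Destination; must have room for <paramref name="length"/> bytes.</param>
/// <param name="length">Number of bytes expected.</param>
/// <param name="name">Variable name, used only in the error message.</param>
/// <exception cref="InvalidOperationException">Fewer than <paramref name="length"/> bytes were read.</exception>
private static unsafe void ReadKernelVariable(IntPtr address, void* buffer, int length, string name)
{
    int bytesRead;

    KProcessHacker.Instance.KphReadVirtualMemoryUnsafe(
        ProcessHandle.Current,
        address.ToInt32(),
        buffer,
        length,
        out bytesRead
        );

    // A partial value here would be handed to the driver as a kernel pointer; refuse it.
    if (bytesRead != length)
        throw new InvalidOperationException(
            "Short kernel read of " + name + ": expected " + length + " bytes, got " + bytesRead + ".");
}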
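/// <summary>
/// Takes a new handle-trace snapshot of the target process, rebuilds the symbol provider used
/// to resolve the trace stacks, and loads user and kernel module symbols on a background work
/// item before refreshing the list.
/// </summary>
/// <remarks>
/// The background item enumerates the target's modules through the process handle, so the
/// handle must outlive the item: it is handed to the work item, which disposes it in a
/// <c>finally</c> once loading is done (previously the handle was disposed when the enclosing
/// <c>using</c> exited, which can happen before the queued item runs). If anything fails before
/// the item is queued the handle is disposed here instead. Per-module symbol failures are
/// ignored. NOTE(review): the previous provider is disposed while an earlier background load may
/// still be using it — confirm SymbolProvider tolerates that, or serialize the loads.
/// </remarks>
private void buttonSnapshot_Click(object sender, EventArgs e)
{
    try
    {
        ProcessHandle phandle = new ProcessHandle(_pid, ProcessAccess.QueryInformation | ProcessAccess.VmRead);
        bool queued = false;

        try
        {
            _currentHtCollection = phandle.GetHandleTraces();

            if (_symbols != null)
                _symbols.Dispose();

            SymbolProvider.Options |= SymbolOptions.DeferredLoads;

            SymbolProvider symbols = new SymbolProvider(phandle);

            _symbols = symbols;

            // From here the work item owns phandle and releases it when finished.
            WorkQueue.GlobalQueueWorkItem(new Action(() =>
            {
                try
                {
                    symbols.PreloadModules = true;

                    try
                    {
                        foreach (var module in phandle.GetModules())
                        {
                            try
                            {
                                symbols.LoadModule(module.FileName, module.BaseAddress);
                            }
                            catch
                            {
                                // Best effort per module.
                            }
                        }
                    }
                    catch
                    {
                        // Module enumeration itself failed; kernel modules may still load.
                    }

                    try
                    {
                        foreach (var module in Windows.GetKernelModules())
                        {
                            try
                            {
                                symbols.LoadModule(module.FileName, module.BaseAddress);
                            }
                            catch
                            {
                                // Best effort per module.
                            }
                        }
                    }
                    catch
                    {
                        // Kernel module enumeration failed; nothing more to load.
                    }
                }
                finally
                {
                    phandle.Dispose();
                }
            }));

            queued = true;
        }
        finally
        {
            // Not handed off to the work item: release it here.
            if (!queued)
                phandle.Dispose();
        }

        this.PopulateHandleTraceList();
    }
    catch (Exception ex)
    {
        this.ShowException("Error getting the handle trace snapshot", ex);
    }
}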