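/// <summary>
/// Merges every "*.log" file in <paramref name="captureDirPath"/> into one BZip2-compressed
/// XML document, "capture.osd", written to the same directory.
/// Pass 1 walks each log and indexes its records (header: uint id, uint size, then
/// <c>size</c> payload bytes) by id; pass 2 revisits the records in ascending id order and
/// lets UnserializeNode write each one as XML.
/// </summary>
/// <param name="captureDirPath">Directory containing the agent-written .log files; the result is written here too.</param>
/// <param name="numEvents">Expected record count; only scales the progress percentage and presizes the index.</param>
/// <param name="progress">Progress sink, updated once per record in each pass.</param>
/// <exception cref="InvalidDataException">
/// A record header is truncated, a record's declared size runs past the end of its file, or
/// the same id occurs twice (the original SortedList.Add would have thrown an unhelpful
/// ArgumentException for that case).
/// </exception>
public void ConvertAll(string captureDirPath, int numEvents, IProgressFeedback progress)
{
    List<BinaryReader> readers = new List<BinaryReader>(1);
    SortedList<uint, KeyValuePair<BinaryReader, long>> ids =
        new SortedList<uint, KeyValuePair<BinaryReader, long>>(Math.Max(numEvents, 0));

    try
    {
        // Pass 1: index every record by id.
        uint i = 0;
        foreach (string filePath in Directory.GetFiles(captureDirPath, "*.log", SearchOption.TopDirectoryOnly))
        {
            FileStream fs = new FileStream(filePath, FileMode.Open, FileAccess.Read);
            BinaryReader r = new BinaryReader(fs);
            readers.Add(r);

            while (fs.Position < fs.Length)
            {
                i++;
                progress.ProgressUpdate("Indexing", IndexingPercent(i, numEvents));

                // The logs are produced by the injected agent; validate the framing instead of
                // trusting it, so a truncated or corrupt file fails with a clear error rather
                // than an EndOfStreamException or a seek past end-of-file.
                long remaining = fs.Length - fs.Position;
                if (remaining < 8)
                {
                    throw new InvalidDataException(String.Format("Truncated record header in {0}", filePath));
                }
                uint id = r.ReadUInt32();
                uint size = r.ReadUInt32();
                remaining -= 8;
                if (size > remaining)
                {
                    throw new InvalidDataException(String.Format(
                        "Record {0} in {1} declares {2} bytes but only {3} remain", id, filePath, size, remaining));
                }
                if (ids.ContainsKey(id))
                {
                    throw new InvalidDataException(String.Format("Duplicate event id {0} in {1}", id, filePath));
                }

                // Remember where the payload starts (long: file offsets are not limited to 32 bits).
                ids.Add(id, new KeyValuePair<BinaryReader, long>(r, fs.Position));
                fs.Seek(size, SeekOrigin.Current);
            }
        }

        // Pass 2: emit the records in id order.
        string resultPath = String.Format("{0}\\capture.osd", captureDirPath);
        XmlTextWriter xtw = new XmlTextWriter(
            new BZip2OutputStream(new FileStream(resultPath, FileMode.Create)), System.Text.Encoding.UTF8);
        try
        {
            xtw.Formatting = Formatting.Indented;
            xtw.Indentation = 4;
            xtw.IndentChar = ' ';
            xtw.WriteStartDocument(true);
            xtw.WriteStartElement("events");

            i = 0;
            foreach (KeyValuePair<BinaryReader, long> pair in ids.Values)
            {
                i++;
                progress.ProgressUpdate(String.Format("Converting event {0} of {1}", i, numEvents), IndexingPercent(i, numEvents));

                BinaryReader r = pair.Key;
                r.BaseStream.Seek(pair.Value, SeekOrigin.Begin);
                UnserializeNode(r, xtw);
            }

            xtw.WriteEndElement();
            xtw.WriteEndDocument();
        }
        finally
        {
            // Also closes the compressed stream and the underlying output file.
            xtw.Close();
        }
    }
    finally
    {
        // Release every log file even if indexing or conversion threw.
        foreach (BinaryReader r in readers)
        {
            r.Close();
        }
    }
}

/// <summary>
/// Progress percentage for <paramref name="done"/> of <paramref name="total"/>; returns 0
/// when the total is unknown (non-positive) instead of dividing by zero. Not capped at
/// 100, matching the original arithmetic when more records than expected are found.
/// </summary>
private static int IndexingPercent(uint done, int total)
{
    if (total <= 0)
    {
        return 0;
    }
    return (int)(((float)done / (float)total) * 100.0f);
}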
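/// <summary>
/// Prepares the shared-memory configuration block that the injected agent reads: creates
/// the named file mapping "oSpyCapture", maps it, publishes a fresh temporary log
/// directory, zeroes LogIndex/LogSize, installs an empty softwall rule set and copies
/// config.xml into the log directory.
/// </summary>
/// <param name="processes">Not used by this method.</param>
/// <exception cref="Error">
/// The mapping already exists (another oSpy instance or a previously monitored process is
/// still alive), or creating/mapping it failed; the message carries the Win32 error code.
/// </exception>
private void PrepareCapture(Process[] processes)
{
    progress.ProgressUpdate("Preparing capture", 100);

    uint captureSize = (uint)Marshal.SizeOf(typeof(Capture));

    // NOTE(review): the mapping is created with a null security descriptor, so it gets the
    // caller's default DACL; any process running as the same user can open "oSpyCapture"
    // by name and rewrite LogPath or the softwall rules before the agent reads them. The
    // ERROR_ALREADY_EXISTS check below only detects a pre-existing object, it does not
    // authenticate the peer.
    fileMapping = CreateFileMapping(0xFFFFFFFFu, IntPtr.Zero, enumProtect.PAGE_READWRITE, 0, captureSize, "oSpyCapture");
    // Read the error code immediately, before any other call can overwrite it. (Only
    // meaningful if the CreateFileMapping DllImport is declared with SetLastError = true.)
    int createError = Marshal.GetLastWin32Error();
    if (fileMapping == IntPtr.Zero)
    {
        throw new Error("CreateFileMapping failed: 0x{0:x8}", createError);
    }
    if (createError == ERROR_ALREADY_EXISTS)
    {
        throw new Error("Is another instance of oSpy or one or more processes previously monitored still alive?");
    }

    cfgPtr = MapViewOfFile(fileMapping, enumFileMap.FILE_MAP_WRITE, 0, 0, captureSize);
    if (cfgPtr == IntPtr.Zero)
    {
        // Without this check every Marshal write below would target a near-null address.
        throw new Error("MapViewOfFile failed: 0x{0:x8}", Marshal.GetLastWin32Error());
    }

    // Create a temporary directory for the capture (random name under the user's temp path).
    do
    {
        tmpDir = String.Format("{0}{1}", Path.GetTempPath(), Path.GetRandomFileName());
    } while (Directory.Exists(tmpDir));
    Directory.CreateDirectory(tmpDir);

    // Publish the directory to the agent as a NUL-terminated UTF-16 string in LogPath.
    // NOTE(review): LogPath's capacity is fixed by the Capture struct (not visible here) and
    // nothing bounds tmpDir against it, so an unusually long temp path would overrun the
    // field - confirm against the struct's SizeConst and add a length check.
    char[] tmpDirChars = tmpDir.ToCharArray();
    IntPtr ptr = FieldAddress("LogPath");
    Marshal.Copy(tmpDirChars, 0, ptr, tmpDirChars.Length);
    Marshal.WriteInt16(ptr, tmpDirChars.Length * Marshal.SizeOf(typeof(UInt16)), 0);

    // Initialize LogIndex and LogSize
    logIndexPtr = FieldAddress("LogIndex");
    logSizePtr = FieldAddress("LogSize");
    Marshal.WriteInt32(logIndexPtr, 0);
    Marshal.WriteInt32(logSizePtr, 0);

    // Initialize softwall rules (none are configured here; the loop is kept for when they are)
    SoftwallRule[] rules = new SoftwallRule[0];
    Marshal.WriteInt32(cfgPtr, Marshal.OffsetOf(typeof(Capture), "NumSoftwallRules").ToInt32(), rules.Length);
    ptr = FieldAddress("SoftwallRules");
    foreach (SoftwallRule rule in rules)
    {
        Marshal.StructureToPtr(rule, ptr, false);
        ptr = (IntPtr)(ptr.ToInt64() + Marshal.SizeOf(typeof(SoftwallRule)));
    }

    // Copy configuration XML next to the logs
    string configPath = Path.Combine(Path.GetDirectoryName(Process.GetCurrentProcess().MainModule.FileName), "config.xml");
    File.Copy(configPath, Path.Combine(tmpDir, "config.xml"));
}

/// <summary>Address of the named Capture field inside the mapped view (cfgPtr + field offset).</summary>
private IntPtr FieldAddress(string fieldName)
{
    return (IntPtr)(cfgPtr.ToInt64() + Marshal.OffsetOf(typeof(Capture), fieldName).ToInt64());
}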
/// <summary>
/// Completes a stop request on the worker side: reports the stop through the progress
/// sink, tears down the capture state, clears the stop signal and drops the references
/// that belong to this capture run. Statement order matters: the sink is used twice
/// before it is nulled.
/// </summary>
private void DoStopCapture() { progress.ProgressUpdate("Stopping capture", 100); /* true: argument semantics are defined by UnprepareCapture (not visible here) */ UnprepareCapture(true); /* clear the signal that triggered this stop so the next capture starts clean */ stopRequest.Reset(); progress.OperationComplete(); /* forget the sink and the worker so a stale one cannot be reused */ progress = null; stopWorkerThread = null; }
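/// <summary>
/// Blocks until the USB agent service reports SERVICE_STOPPED, polling every 250 ms.
/// The user is prompted (via <c>progress</c>) to unplug the monitored device, which is
/// what lets the service wind down.
/// </summary>
/// <exception cref="Error">
/// The SCM or the service could not be opened, or a status query failed; the message
/// carries the Win32 error code (meaningful only if the WinApi DllImports set SetLastError).
/// </exception>
private void WaitForUsbAgentServiceToStop()
{
    // NOTE(review): this method only calls QueryServiceStatus, so SC_MANAGER_CONNECT and
    // SERVICE_QUERY_STATUS would be sufficient and would not require an elevated caller.
    // The ALL_ACCESS masks are kept because it is not visible here whether WinApi declares
    // the narrower constants.
    IntPtr manager = WinApi.OpenSCManager(null, null, WinApi.SC_MANAGER_ALL_ACCESS);
    if (manager == IntPtr.Zero)
    {
        throw new Error("OpenSCManager failed: 0x{0:x8}", Marshal.GetLastWin32Error());
    }

    IntPtr service = IntPtr.Zero;
    try
    {
        service = WinApi.OpenService(manager, Constants.UsbAgentName, WinApi.SERVICE_ALL_ACCESS);
        if (service == IntPtr.Zero)
        {
            throw new Error("OpenService failed: 0x{0:x8}", Marshal.GetLastWin32Error());
        }

        progress.ProgressUpdate("Unplug any USB device being monitored now", 100);

        // NOTE(review): there is no timeout or cancellation here; if the service never
        // stops this loop spins forever. Consider honouring the stop request used elsewhere.
        WinApi.SERVICE_STATUS status = new WinApi.SERVICE_STATUS();
        while (true)
        {
            if (!WinApi.QueryServiceStatus(service, ref status))
            {
                throw new Error("Failed to query for service status: 0x{0:x8}", Marshal.GetLastWin32Error());
            }
            if (status.dwCurrentState == WinApi.SERVICE_STOPPED)
            {
                break;
            }
            Thread.Sleep(250);
        }
    }
    finally
    {
        if (service != IntPtr.Zero)
        {
            WinApi.CloseServiceHandle(service);
        }
        WinApi.CloseServiceHandle(manager);
    }
}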
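/// <summary>
/// Loads a BZip2-compressed ".osd" capture. The XML is streamed once: the body of every
/// &lt;event&gt; element is appended to a temporary file, and a DumpEvent carrying the
/// element's attributes plus the body's offset/length in that file is stored in
/// <c>events</c> by id, so bodies can be read back lazily through <c>tmpReader</c>.
/// </summary>
/// <param name="path">Capture file to read.</param>
/// <param name="progress">Progress sink; updated each time the percentage changes.</param>
/// <exception cref="InvalidDataException">An &lt;event&gt; element lacks a required attribute.</exception>
public void Load(string path, IProgressFeedback progress)
{
    using (BZip2InputStream inStream = new BZip2InputStream(new FileStream(path, FileMode.Open)))
    using (XmlTextReader xtr = new XmlTextReader(inStream))
    {
        // The capture file is untrusted input: forbid DTDs and external resolution so a
        // crafted .osd cannot trigger entity expansion ("billion laughs") or XXE file reads.
        xtr.DtdProcessing = DtdProcessing.Prohibit;
        xtr.XmlResolver = null;

        tmpPath = Path.GetTempFileName();
        FileStream tmpFileStream = new FileStream(tmpPath, FileMode.Create, FileAccess.ReadWrite);
        tmpReader = new StreamReader(tmpFileStream);
        StreamWriter tmpFileWriter = new StreamWriter(tmpFileStream, Encoding.UTF8);
        events = new SortedDictionary<uint, DumpEvent>();

        int prevPct = -1;
        while (xtr.Read())
        {
            int pct = (int)(((float)inStream.Position / (float)inStream.Length) * 100.0f);
            if (pct != prevPct)
            {
                prevPct = pct;
                progress.ProgressUpdate("Loading", pct);
            }

            if (xtr.NodeType != XmlNodeType.Element || xtr.Name != "event")
            {
                continue;
            }

            // Push buffered text to disk so Position is the true start of this body.
            tmpFileWriter.Flush();
            long startOffset = tmpFileStream.Position;

            XmlDocument doc = new XmlDocument();
            doc.XmlResolver = null;
            doc.Load(xtr.ReadSubtree());
            XmlAttributeCollection attrs = doc.DocumentElement.Attributes;

            uint id = Convert.ToUInt32(RequiredAttribute(attrs, "id"));
            DumpEventType type = (DumpEventType)Enum.Parse(typeof(DumpEventType), RequiredAttribute(attrs, "type"));
            DateTime timestamp = DateTime.FromFileTimeUtc(Convert.ToInt64(RequiredAttribute(attrs, "timestamp")));
            string processName = RequiredAttribute(attrs, "processName");
            uint processId = Convert.ToUInt32(RequiredAttribute(attrs, "processId"));
            uint threadId = Convert.ToUInt32(RequiredAttribute(attrs, "threadId"));

            string eventStr = doc.DocumentElement.InnerXml;
            tmpFileWriter.Write(eventStr);
            // NOTE(review): startOffset is a byte offset while eventStr.Length is a char count;
            // they agree only for ASCII bodies. StreamWriter with Encoding.UTF8 also emits a BOM
            // on its first write, so the first offset may point at the preamble - confirm
            // against how DumpEvent reads the body back.
            events[id] = new DumpEvent(this, id, type, timestamp, processName, processId, threadId, startOffset, eventStr.Length);
        }

        // Flush the last event before repositioning: otherwise the text still buffered in the
        // writer would be written at offset 0 later and clobber the start of the file.
        tmpFileWriter.Flush();
        tmpFileStream.Seek(0, SeekOrigin.Begin);
    }
}

/// <summary>Value of a mandatory attribute, or InvalidDataException naming the missing one.</summary>
private static string RequiredAttribute(XmlAttributeCollection attrs, string name)
{
    XmlAttribute attr = attrs[name];
    if (attr == null)
    {
        throw new InvalidDataException(String.Format("<event> is missing the '{0}' attribute", name));
    }
    return attr.Value;
}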
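/// <summary>
/// Reads a BZip2-compressed ".osd" capture in a single streaming pass. Each
/// &lt;event&gt; element's inner XML is appended to a temporary file; a DumpEvent holding
/// the element's attributes and the body's location in that file is registered in
/// <c>events</c> under its id, so <c>tmpReader</c> can fetch bodies on demand.
/// </summary>
/// <param name="path">Capture file to read.</param>
/// <param name="progress">Progress sink; told the percentage whenever it changes.</param>
/// <exception cref="InvalidDataException">An &lt;event&gt; element lacks a required attribute.</exception>
public void Load(string path, IProgressFeedback progress)
{
    BZip2InputStream inStream = new BZip2InputStream(new FileStream(path, FileMode.Open));
    XmlTextReader xtr = new XmlTextReader(inStream);
    try
    {
        // Untrusted input: no DTD processing and no external resolver, so a crafted capture
        // cannot cause entity-expansion blowup or XXE reads.
        xtr.DtdProcessing = DtdProcessing.Prohibit;
        xtr.XmlResolver = null;

        tmpPath = Path.GetTempFileName();
        FileStream tmpFileStream = new FileStream(tmpPath, FileMode.Create, FileAccess.ReadWrite);
        tmpReader = new StreamReader(tmpFileStream);
        StreamWriter tmpFileWriter = new StreamWriter(tmpFileStream, Encoding.UTF8);
        events = new SortedDictionary<uint, DumpEvent>();

        int lastReported = -1;
        while (xtr.Read())
        {
            int pct = (int)(((float)inStream.Position / (float)inStream.Length) * 100.0f);
            if (pct != lastReported)
            {
                lastReported = pct;
                progress.ProgressUpdate("Loading", pct);
            }

            bool isEvent = xtr.NodeType == XmlNodeType.Element && xtr.Name == "event";
            if (!isEvent)
            {
                continue;
            }

            // Everything written so far must be on disk for Position to be accurate.
            tmpFileWriter.Flush();
            long startOffset = tmpFileStream.Position;

            XmlDocument doc = new XmlDocument();
            doc.XmlResolver = null;
            doc.Load(xtr.ReadSubtree());
            XmlAttributeCollection attrs = doc.DocumentElement.Attributes;

            uint id = Convert.ToUInt32(AttributeOrThrow(attrs, "id"));
            DumpEventType type = (DumpEventType)Enum.Parse(typeof(DumpEventType), AttributeOrThrow(attrs, "type"));
            DateTime timestamp = DateTime.FromFileTimeUtc(Convert.ToInt64(AttributeOrThrow(attrs, "timestamp")));
            string processName = AttributeOrThrow(attrs, "processName");
            uint processId = Convert.ToUInt32(AttributeOrThrow(attrs, "processId"));
            uint threadId = Convert.ToUInt32(AttributeOrThrow(attrs, "threadId"));

            string eventStr = doc.DocumentElement.InnerXml;
            tmpFileWriter.Write(eventStr);
            // NOTE(review): the stored length is a char count but startOffset is a byte offset
            // (they only match for ASCII), and Encoding.UTF8 writes a BOM on the first write so
            // the first offset may land on the preamble - verify against DumpEvent's reader.
            events[id] = new DumpEvent(this, id, type, timestamp, processName, processId, threadId, startOffset, eventStr.Length);
        }

        // Flush the final event before seeking; a later flush at offset 0 would corrupt the file.
        tmpFileWriter.Flush();
        tmpFileStream.Seek(0, SeekOrigin.Begin);
    }
    finally
    {
        // Closing the reader also closes inStream and the capture file.
        xtr.Close();
    }
}

/// <summary>Returns the named attribute's value; throws InvalidDataException if it is absent.</summary>
private static string AttributeOrThrow(XmlAttributeCollection attrs, string name)
{
    XmlAttribute attr = attrs[name];
    if (attr == null)
    {
        throw new InvalidDataException(String.Format("<event> is missing the '{0}' attribute", name));
    }
    return attr.Value;
}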
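/// <summary>
/// Groups packets into sessions keyed by ResourceId (preserving first-seen order), then
/// attaches each TCP event to the session with the same ResourceId, in sorted order.
/// </summary>
/// <param name="packets">Captured packets, processed in array order.</param>
/// <param name="events">TCP events; sorted in place with Array.Sort, so the caller's array is reordered.</param>
/// <param name="progress">Progress sink, updated per packet.</param>
/// <returns>The sessions, ordered by the position of each session's first packet.</returns>
public static IPSession[] ExtractAllFrom(IPPacket[] packets, TCPEvent[] events, IProgressFeedback progress)
{
    progress.ProgressUpdate("Identifying sessions", 0);

    Dictionary<UInt32, IPSession> sessionById = new Dictionary<UInt32, IPSession>();
    List<IPSession> ordered = new List<IPSession>();   // first-seen order, one entry per id

    int done = 0;
    foreach (IPPacket p in packets)
    {
        IPSession session;
        if (!sessionById.TryGetValue(p.ResourceId, out session))
        {
            session = new IPSession();
            sessionById.Add(p.ResourceId, session);
            ordered.Add(session);
        }
        session.AddPacket(p);

        done++;
        progress.ProgressUpdate("Identifying sessions", (int)((done / (float)packets.Length) * 100.0f));
    }

    // Array.Sort uses TCPEvent's own comparer (by timestamp, per the original comment);
    // it sorts in place, so events is reordered for the caller as well.
    Array.Sort(events);
    foreach (TCPEvent ev in events)
    {
        IPSession session;
        if (sessionById.TryGetValue(ev.ResourceId, out session))
        {
            session.AddEvent(ev);
        }
        // Events without a matching session are dropped, as before.
    }

    return ordered.ToArray();
}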
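/// <summary>
/// Combines all "*.log" files in <paramref name="captureDirPath"/> into a single
/// BZip2-compressed XML document, "capture.osd", placed in the same directory.
/// First pass: index each record (uint id, uint size, then <c>size</c> payload bytes) by
/// id. Second pass: visit the records in ascending id order and have UnserializeNode
/// write each as XML.
/// </summary>
/// <param name="captureDirPath">Directory holding the agent-written .log files.</param>
/// <param name="numEvents">Expected number of records; used only for progress scaling and presizing.</param>
/// <param name="progress">Progress sink, updated once per record in each pass.</param>
/// <exception cref="InvalidDataException">
/// A record header is truncated, a record's size exceeds what is left of its file, or an
/// id is seen twice (previously a bare ArgumentException from SortedList.Add).
/// </exception>
public void ConvertAll(string captureDirPath, int numEvents, IProgressFeedback progress)
{
    List<BinaryReader> readers = new List<BinaryReader>(1);
    SortedList<uint, KeyValuePair<BinaryReader, long>> ids =
        new SortedList<uint, KeyValuePair<BinaryReader, long>>(numEvents > 0 ? numEvents : 0);

    try
    {
        uint count = 0;
        foreach (string filePath in Directory.GetFiles(captureDirPath, "*.log", SearchOption.TopDirectoryOnly))
        {
            FileStream fs = new FileStream(filePath, FileMode.Open, FileAccess.Read);
            BinaryReader reader = new BinaryReader(fs);
            readers.Add(reader);

            while (fs.Position < fs.Length)
            {
                count++;
                // Guard against numEvents == 0 (float division by zero, then an unspecified int cast).
                int pct = numEvents > 0 ? (int)(((float)count / (float)numEvents) * 100.0f) : 0;
                progress.ProgressUpdate("Indexing", pct);

                // Agent-written data: check the framing before acting on it.
                long left = fs.Length - fs.Position;
                if (left < 8)
                {
                    throw new InvalidDataException(String.Format("Truncated record header in {0}", filePath));
                }
                uint id = reader.ReadUInt32();
                uint size = reader.ReadUInt32();
                left -= 8;
                if (size > left)
                {
                    throw new InvalidDataException(String.Format(
                        "Record {0} in {1} declares {2} bytes but only {3} remain", id, filePath, size, left));
                }
                if (ids.ContainsKey(id))
                {
                    throw new InvalidDataException(String.Format("Duplicate event id {0} in {1}", id, filePath));
                }

                ids.Add(id, new KeyValuePair<BinaryReader, long>(reader, fs.Position));
                fs.Seek(size, SeekOrigin.Current);
            }
        }

        string resultPath = String.Format("{0}\\capture.osd", captureDirPath);
        BZip2OutputStream outStream = new BZip2OutputStream(new FileStream(resultPath, FileMode.Create));
        XmlTextWriter xtw = new XmlTextWriter(outStream, System.Text.Encoding.UTF8);
        try
        {
            xtw.Formatting = Formatting.Indented;
            xtw.Indentation = 4;
            xtw.IndentChar = ' ';
            xtw.WriteStartDocument(true);
            xtw.WriteStartElement("events");

            count = 0;
            foreach (KeyValuePair<BinaryReader, long> entry in ids.Values)
            {
                count++;
                int pct = numEvents > 0 ? (int)(((float)count / (float)numEvents) * 100.0f) : 0;
                progress.ProgressUpdate(String.Format("Converting event {0} of {1}", count, numEvents), pct);

                entry.Key.BaseStream.Seek(entry.Value, SeekOrigin.Begin);
                UnserializeNode(entry.Key, xtw);
            }

            xtw.WriteEndElement();
            xtw.WriteEndDocument();
        }
        finally
        {
            // Closing the writer also closes outStream and its file.
            xtw.Close();
        }
    }
    finally
    {
        foreach (BinaryReader reader in readers)
        {
            reader.Close();
        }
    }
}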
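/// <summary>
/// Appends every capture event as a row of the "messages" table. Data binding on the grid
/// is suspended for the duration (and restored in a finally) so the grid is not refreshed
/// per row and is not left detached if a row fails to load.
/// </summary>
/// <param name="events">Events to load; progress is reported once per event.</param>
/// <param name="progress">Progress sink.</param>
private void AddEventsToDataSet(Capture.Event[] events, IProgressFeedback progress)
{
    object source = dataGridView.DataSource;
    dataGridView.DataSource = null;
    dataSet.Tables[0].BeginLoadData();
    try
    {
        DataTable tbl = dataSet.Tables["messages"];
        int i = 0;
        foreach (Capture.Event ev in events)
        {
            i++;
            progress.ProgressUpdate("Loading events", (int)(((float)i / (float)events.Length) * 100.0f));

            DataRow row = tbl.NewRow();
            row.BeginEdit();

            /* Common stuff */
            row["Timestamp"] = ev.Timestamp;
            row["ProcessName"] = ev.ProcessName;
            row["ProcessId"] = ev.ProcessId;
            row["ThreadId"] = ev.ThreadId;
            row["FunctionName"] = ev.FunctionName;
            row["Backtrace"] = ev.Backtrace;

            uint returnAddress;
            string callerModName;
            ParseTopFrame(ev.Backtrace, out returnAddress, out callerModName);
            row["ReturnAddress"] = returnAddress;
            row["CallerModuleName"] = callerModName;

            row["ResourceId"] = ev.ResourceId;

            if (ev is Capture.MessageEvent)
            {
                row["MsgType"] = MessageType.MESSAGE_TYPE_MESSAGE;
                row["MsgContext"] = ((Capture.MessageEvent)ev).Context;
            }
            else
            {
                // Anything that is not a MessageEvent is recorded as a packet, as before.
                row["MsgType"] = MessageType.MESSAGE_TYPE_PACKET;
            }

            row["Message"] = ev.Message;
            row["Direction"] = ev.Direction;

            if (ev.LocalEndpoint != null)
            {
                row["LocalAddress"] = ev.LocalEndpoint.Address.ToString();
                row["LocalPort"] = ev.LocalEndpoint.Port;
            }
            if (ev.PeerEndpoint != null)
            {
                row["PeerAddress"] = ev.PeerEndpoint.Address.ToString();
                row["PeerPort"] = ev.PeerEndpoint.Port;
            }

            row["Data"] = ev.Data;
            row.EndEdit();
            tbl.Rows.Add(row);
        }
    }
    finally
    {
        dataSet.Tables[0].EndLoadData();
        dataGridView.DataSource = source;
    }
}

/// <summary>
/// Pulls the caller module name and return address out of the first backtrace line, which
/// is expected as "module::PPxxxx" where the two-character prefix (presumably "0x") is
/// skipped and the rest parsed as hex, exactly as the original code did. The backtrace
/// comes from the monitored process, so malformed input yields 0 / "" for the address and
/// module (respectively) instead of throwing and aborting the whole load.
/// </summary>
/// <param name="backtrace">Raw backtrace text, or null.</param>
/// <param name="returnAddress">Parsed address, or 0 when absent or unparsable.</param>
/// <param name="callerModName">Module name before "::", or "" when absent.</param>
private static void ParseTopFrame(string backtrace, out uint returnAddress, out string callerModName)
{
    returnAddress = 0;
    callerModName = "";
    if (backtrace == null)
    {
        return;
    }

    // Split always yields at least one element, so [0] is safe.
    string line = backtrace.Split(new char[] { '\n' }, 2)[0];
    string[] lineTokens = line.Split(new string[] { "::" }, 2, StringSplitOptions.None);
    if (lineTokens.Length != 2)
    {
        return;
    }

    callerModName = lineTokens[0];
    string hex = lineTokens[1];
    if (hex.Length <= 2)
    {
        return;
    }
    uint parsed;
    if (UInt32.TryParse(hex.Substring(2),
                        System.Globalization.NumberStyles.HexNumber,
                        System.Globalization.CultureInfo.InvariantCulture,
                        out parsed))
    {
        returnAddress = parsed;
    }
}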
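/// <summary>
/// Builds one IPSession per distinct packet ResourceId (in the order ids are first seen),
/// adds each packet to its session, then sorts the TCP events and hands each one to the
/// session whose ResourceId matches.
/// </summary>
/// <param name="packets">Captured packets, walked in array order.</param>
/// <param name="events">TCP events; Array.Sort reorders this array in place for the caller too.</param>
/// <param name="progress">Progress sink, updated per packet.</param>
/// <returns>Sessions ordered by first appearance of their ResourceId.</returns>
public static IPSession[] ExtractAllFrom(IPPacket[] packets, TCPEvent[] events, IProgressFeedback progress)
{
    progress.ProgressUpdate("Identifying sessions", 0);

    Dictionary<UInt32, IPSession> sessionById = new Dictionary<UInt32, IPSession>();
    List<IPSession> result = new List<IPSession>();

    int processed = 0;
    foreach (IPPacket packet in packets)
    {
        UInt32 id = packet.ResourceId;
        IPSession session;
        // Single lookup instead of ContainsKey followed by the indexer.
        if (!sessionById.TryGetValue(id, out session))
        {
            session = new IPSession();
            sessionById[id] = session;
            result.Add(session);
        }
        session.AddPacket(packet);

        processed++;
        progress.ProgressUpdate("Identifying sessions", (int)((processed / (float)packets.Length) * 100.0f));
    }

    // Sort first (by timestamp, per the original comment; TCPEvent's comparer decides),
    // then attach; events with no matching session are ignored, as before.
    Array.Sort(events);
    foreach (TCPEvent ev in events)
    {
        IPSession target;
        if (sessionById.TryGetValue(ev.ResourceId, out target))
        {
            target.AddEvent(ev);
        }
    }

    return result.ToArray();
}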