/// <summary>
/// Captures the thread's kernel-mode stack and appends one row per frame
/// (formatted address, resolved symbol) to listViewCallStack. Every row's
/// Tag holds the raw frame address. Failures are logged, never propagated:
/// a failed capture ends the walk, a failed row is skipped.
/// </summary>
private void WalkKernelStack()
{
    try
    {
        // Skip the first frame: it belongs to the KPH capture routine itself.
        foreach (IntPtr kernelFrame in _thandle.CaptureKernelStack(1))
        {
            ulong frameAddress = kernelFrame.ToUInt64();

            try
            {
                string[] columns = new[]
                {
                    Utils.FormatAddress(frameAddress),
                    _symbols.GetSymbolFromAddress(frameAddress)
                };
                ListViewItem row = listViewCallStack.Items.Add(new ListViewItem(columns));

                row.Tag = frameAddress;
            }
            catch (Exception rowError)
            {
                // One unresolvable frame should not hide the rest of the stack.
                Logging.Log(rowError);
            }
        }
    }
    catch (Exception captureError)
    {
        Logging.Log(captureError);
    }
}
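/// <summary>
/// Resolves the symbol for a thread's start address and queues a
/// <c>ResolveMessage</c> for the UI. Waits for module loading to finish
/// first and raises <c>LoadingStateChanged</c> around the lookup so the
/// caller can show a busy indicator.
/// </summary>
/// <param name="tid">Thread ID the result belongs to.</param>
/// <param name="startAddress">Start address to resolve.</param>
private void ResolveThreadStartAddress(int tid, ulong startAddress)
{
    ResolveMessage result = new ResolveMessage();

    result.Tid = tid;

    // Symbols are only usable once module loading has completed. The event can
    // be closed (e.g. on shutdown) between the IsClosed check and the wait; that
    // is logged rather than swallowed, and resolution still proceeds.
    if (!_moduleLoadCompletedEvent.SafeWaitHandle.IsClosed)
    {
        try
        {
            _moduleLoadCompletedEvent.WaitOne();
        }
        catch (Exception waitError)
        {
            Logging.Log(waitError);
        }
    }

    if (_symbols == null)
    {
        return;
    }

    try
    {
        Interlocked.Increment(ref _loading);

        if (this.LoadingStateChanged != null)
        {
            this.LoadingStateChanged(Thread.VolatileRead(ref _loading) > 0);
        }

        try
        {
            SymbolFlags flags;
            string fileName;

            result.Symbol = _symbols.GetSymbolFromAddress(
                startAddress,
                out result.ResolveLevel,
                out flags,
                out fileName
                );
            result.FileName = fileName;

            _messageQueue.Enqueue(result);
        }
        catch (Exception resolveError)
        {
            // Previously silent: a failed lookup left the thread unresolved with no
            // trace. Log it; the message is deliberately not queued for a failed lookup.
            Logging.Log(resolveError);
        }
    }
    finally
    {
        Interlocked.Decrement(ref _loading);

        if (this.LoadingStateChanged != null)
        {
            this.LoadingStateChanged(Thread.VolatileRead(ref _loading) > 0);
        }
    }
}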
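/// <summary>
/// Rebuilds listFunctions with a count for every function of the kernel
/// module at <paramref name="moduleBase"/> that appears in the collected
/// profile counters. Samples that fall in another module, or whose address
/// cannot be resolved to a symbol, are ignored.
/// </summary>
/// <param name="moduleBase">Base address of the kernel module to summarise.</param>
private void LoadProfileFunctions(IntPtr moduleBase)
{
    int[] counters = _profileHandle.Collect();
    Dictionary<string, int> hitsPerFunction = new Dictionary<string, int>();

    for (int bucket = 0; bucket < counters.Length; bucket++)
    {
        if (counters[bucket] == 0)
        {
            continue;
        }

        IntPtr realAddress = this.GetAddress(bucket);
        IntPtr baseAddress;

        _kernelSymbols.GetModuleFromAddress(realAddress, out baseAddress);

        if (baseAddress != moduleBase)
        {
            continue;
        }

        string fileName;
        ulong displacement;
        string symbolName = _kernelSymbols.GetSymbolFromAddress(realAddress.ToUInt64(), out fileName, out displacement);

        if (symbolName == null)
        {
            continue;
        }

        // NOTE(review): each non-zero bucket contributes 1, not counters[bucket]
        // (kept as in the original); confirm the column is meant to count buckets
        // rather than samples.
        int hits;

        hitsPerFunction.TryGetValue(symbolName, out hits);
        hitsPerFunction[symbolName] = hits + 1;
    }

    listFunctions.BeginUpdate();

    try
    {
        listFunctions.Items.Clear();

        foreach (KeyValuePair<string, int> entry in hitsPerFunction)
        {
            listFunctions.Items.Add(new ListViewItem(
                new string[] { entry.Key, entry.Value.ToString("N0") }));
        }
    }
    finally
    {
        listFunctions.EndUpdate();
    }
}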
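/// <summary>
/// Shows the captured stack of the single selected handle trace in
/// listHandleStack, one row per frame (hex address, resolved symbol).
/// Does nothing when no trace collection is loaded or the selection is
/// not exactly one item.
/// </summary>
private void listHandleTraces_SelectedIndexChanged(object sender, EventArgs e)
{
    if (_currentHtCollection == null || listHandleTraces.SelectedItems.Count != 1)
    {
        return;
    }

    var trace = _currentHtCollection[(int)listHandleTraces.SelectedItems[0].Tag];

    listHandleStack.BeginUpdate();

    try
    {
        listHandleStack.Items.Clear();

        foreach (var address in trace.Stack)
        {
            ListViewItem item = new ListViewItem();

            // Format the pointer-sized value directly: ToInt32() throws
            // OverflowException for addresses above 2^31 in a 64-bit process.
            // On 32-bit this is the same 8-digit two's-complement output as before.
            item.Text = "0x" + address.ToString("x8");
            item.SubItems.Add(new ListViewItem.ListViewSubItem(item, _symbols.GetSymbolFromAddress(address.ToUInt64())));
            listHandleStack.Items.Add(item);
        }
    }
    finally
    {
        // Re-enable painting even if symbol resolution throws; otherwise the
        // list stays frozen in its BeginUpdate state.
        listHandleStack.EndUpdate();
    }
}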
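/// <summary>
/// Builds the property window for a logged system call event: the call
/// name, time, processor mode, the decoded argument list, and a stack trace
/// whose symbols are resolved on the global work queue after the window opens.
/// </summary>
/// <param name="even">The logged event to display.</param>
public EventProperties(LogEvent even)
{
    InitializeComponent();

    _event = even;

    string sysCallName;

    textSystemCall.Text = MainWindow.SysCallNames.TryGetValue(even.Event.CallNumber, out sysCallName)
        ? sysCallName
        : "(unknown)";
    textTime.Text = _event.Event.Time.ToString();
    textMode.Text = _event.Event.Mode == KProcessorMode.UserMode ? "User-mode" : "Kernel-mode";

    for (int i = 0; i < _event.Event.Arguments.Length; i++)
    {
        ListViewItem item = new ListViewItem();
        SsData data = _event.Arguments[i];

        item.Text = i.ToString();
        item.SubItems.Add(new ListViewItem.ListViewSubItem(item, "0x" + _event.Event.Arguments[i].ToString("x")));

        if (data != null)
        {
            item.SubItems.Add(new ListViewItem.ListViewSubItem(item, FormatArgumentText(data)));
            // Decoded argument types are named "Ss..." (SsHandle, SsClientId, ...);
            // strip the two-character prefix for the type column.
            item.SubItems.Add(new ListViewItem.ListViewSubItem(item, data.GetType().Name.Remove(0, 2)));
        }
        else
        {
            item.SubItems.Add(new ListViewItem.ListViewSubItem(item, ""));
            item.SubItems.Add(new ListViewItem.ListViewSubItem(item, ""));
        }

        listArguments.Items.Add(item);
    }

    // Static, so this applies to every SymbolProvider in the process, not only ours.
    SymbolProvider.Options = SymbolOptions.DeferredLoads | SymbolOptions.UndName;

    try
    {
        using (var phandle = new ProcessHandle(_event.Event.ProcessId, ProcessAccess.QueryInformation | ProcessAccess.VmRead))
        {
            _symbols = new SymbolProvider(phandle);

            phandle.EnumModules((module) =>
            {
                _symbols.LoadModule(module.FileName, module.BaseAddress, module.Size);
                return true;
            });
            Windows.EnumKernelModules((module) =>
            {
                _symbols.LoadModule(module.FileName, module.BaseAddress);
                return true;
            });

            _symbols.PreloadModules = true;

            for (int i = 0; i < _event.Event.StackTrace.Length; i++)
            {
                var address = _event.Event.StackTrace[i];
                string fileName;
                IntPtr baseAddress;

                fileName = _symbols.GetModuleFromAddress(address, out baseAddress);

                // Module+offset is shown immediately; the symbol column is filled in
                // asynchronously below.
                listStackTrace.Items.Add(new ListViewItem(new string[]
                {
                    "0x" + address.ToString("x"),
                    (new System.IO.FileInfo(fileName)).Name + "+0x" + address.Decrement(baseAddress).ToString("x")
                }));

                // Symbol lookup can be slow, so it runs on the work queue. Index and
                // address are passed as tags rather than captured so each work item
                // keeps its own values.
                WorkQueue.GlobalQueueWorkItemTag(new Action<int, IntPtr>((i_, address_) =>
                {
                    string symbol = _symbols.GetSymbolFromAddress(address_.ToUInt64());

                    if (this.IsHandleCreated)
                    {
                        this.BeginInvoke(new Action(() => listStackTrace.Items[i_].SubItems[1].Text = symbol));
                    }
                }), "resolve-symbol", i, address);
            }
        }
    }
    catch (Exception ex)
    {
        // Opening the process or loading its modules can fail (e.g. access denied).
        // The window still opens with whatever stack rows were filled in; previously
        // the failure was swallowed without a trace.
        Logging.Log(ex);
    }

    listArguments.SetDoubleBuffered(true);
    listStackTrace.SetDoubleBuffered(true);
}

/// <summary>
/// Produces the display text for one decoded system call argument.
/// </summary>
/// <param name="data">Decoded argument; must not be null.</param>
/// <returns>Human-readable text, or "" for argument kinds without a textual form.</returns>
private static string FormatArgumentText(SsData data)
{
    SsSimple simple = data as SsSimple;

    if (simple != null)
    {
        return simple.Argument.ToString();
    }

    SsHandle handle = data as SsHandle;

    if (handle != null)
    {
        if (!string.IsNullOrEmpty(handle.Name))
        {
            return handle.TypeName + ": " + handle.Name;
        }

        return handle.TypeName + ": PID: " + handle.ProcessId.ToString() + ", TID: " + handle.ThreadId.ToString();
    }

    SsUnicodeString unicodeString = data as SsUnicodeString;

    if (unicodeString != null)
    {
        return unicodeString.String;
    }

    SsObjectAttributes oa = data as SsObjectAttributes;

    if (oa != null)
    {
        string text = "";

        if (oa.RootDirectory != null)
        {
            text = oa.RootDirectory.Name;
        }

        if (oa.ObjectName != null)
        {
            // Join root directory and object name with a backslash when both exist.
            text = string.IsNullOrEmpty(text) ? oa.ObjectName.String : text + "\\" + oa.ObjectName.String;
        }

        return text;
    }

    SsClientId clientId = data as SsClientId;

    if (clientId != null)
    {
        return "PID: " + clientId.Original.ProcessId.ToString() + ", TID: " + clientId.Original.ThreadId.ToString();
    }

    return "";
}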