public SysInfoWindow() { InitializeComponent(); this.AddEscapeToClose(); this.Size = Properties.Settings.Default.SysInfoWindowSize; this.Location = Utils.FitRectangle(new Rectangle( Properties.Settings.Default.SysInfoWindowLocation, this.Size), this).Location; // Load the pool limit addresses. if ( _mmSizeOfPagedPoolInBytes == IntPtr.Zero && KProcessHacker.Instance != null ) { WorkQueue.GlobalQueueWorkItemTag(new Action(() => { try { SymbolProvider symbols = new SymbolProvider(); symbols.LoadModule(Windows.KernelFileName, Windows.KernelBase); _mmSizeOfPagedPoolInBytes = symbols.GetSymbolFromName("MmSizeOfPagedPoolInBytes").Address.ToIntPtr(); _mmMaximumNonPagedPoolInBytes = symbols.GetSymbolFromName("MmMaximumNonPagedPoolInBytes").Address.ToIntPtr(); } catch { } }), "load-mm-addresses"); } }
private void LoadKernelSymbols() { _kernelSymbols = new SymbolProvider(new ProcessHandle(4, ProcessAccess.QueryInformation)); _kernelSymbols.PreloadModules = true; foreach (var module in Windows.GetKernelModules()) { try { _kernelSymbols.LoadModule(module.FileName, module.BaseAddress); } catch { } } }
private unsafe KVars GetKVars() { SymbolProvider symbols = new SymbolProvider(); symbols.LoadModule(Windows.KernelFileName, Windows.KernelBase); KVars vars = new KVars(); vars.NonPagedPoolStartAddress = symbols.GetSymbolFromName("MmNonPagedPoolStart").Address.ToIntPtr(); vars.NonPagedPoolSizeAddress = symbols.GetSymbolFromName("MmMaximumNonPagedPoolInBytes").Address.ToIntPtr(); vars.PsProcessTypeAddress = symbols.GetSymbolFromName("PsProcessType").Address.ToIntPtr(); vars.PsThreadTypeAddress = symbols.GetSymbolFromName("PsThreadType").Address.ToIntPtr(); int bytesRead; KProcessHacker.Instance.KphReadVirtualMemoryUnsafe( ProcessHandle.Current, vars.NonPagedPoolStartAddress.ToInt32(), &vars.NonPagedPoolStart, IntPtr.Size, out bytesRead ); KProcessHacker.Instance.KphReadVirtualMemoryUnsafe( ProcessHandle.Current, vars.NonPagedPoolSizeAddress.ToInt32(), &vars.NonPagedPoolSize, sizeof(uint), out bytesRead ); KProcessHacker.Instance.KphReadVirtualMemoryUnsafe( ProcessHandle.Current, vars.PsProcessTypeAddress.ToInt32(), &vars.PsProcessType, IntPtr.Size, out bytesRead ); KProcessHacker.Instance.KphReadVirtualMemoryUnsafe( ProcessHandle.Current, vars.PsThreadTypeAddress.ToInt32(), &vars.PsThreadType, IntPtr.Size, out bytesRead ); symbols.Dispose(); return(vars); }
public EventProperties(LogEvent even) { InitializeComponent(); _event = even; textSystemCall.Text = MainWindow.SysCallNames.ContainsKey(even.Event.CallNumber) ? MainWindow.SysCallNames[even.Event.CallNumber] : "(unknown)"; textTime.Text = _event.Event.Time.ToString(); textMode.Text = _event.Event.Mode == KProcessorMode.UserMode ? "User-mode" : "Kernel-mode"; for (int i = 0; i < _event.Event.Arguments.Length; i++) { ListViewItem item = new ListViewItem(); item.Text = i.ToString(); item.SubItems.Add(new ListViewItem.ListViewSubItem(item, "0x" + _event.Event.Arguments[i].ToString("x"))); if (_event.Arguments[i] != null) { string text = ""; SsData data = _event.Arguments[i]; if (data is SsSimple) { text = (data as SsSimple).Argument.ToString(); } else if (data is SsHandle) { SsHandle handle = data as SsHandle; if (!string.IsNullOrEmpty(handle.Name)) { text = handle.TypeName + ": " + handle.Name; } else { text = handle.TypeName + ": PID: " + handle.ProcessId.ToString() + ", TID: " + handle.ThreadId.ToString(); } } else if (data is SsUnicodeString) { text = (data as SsUnicodeString).String; } else if (data is SsObjectAttributes) { SsObjectAttributes oa = data as SsObjectAttributes; text = ""; if (oa.RootDirectory != null) { text = oa.RootDirectory.Name; } if (oa.ObjectName != null) { if (!string.IsNullOrEmpty(text)) { text = text + "\\" + oa.ObjectName.String; } else { text = oa.ObjectName.String; } } } else if (data is SsClientId) { text = "PID: " + (data as SsClientId).Original.ProcessId.ToString() + ", TID: " + (data as SsClientId).Original.ThreadId.ToString(); } item.SubItems.Add(new ListViewItem.ListViewSubItem(item, text)); item.SubItems.Add(new ListViewItem.ListViewSubItem(item, _event.Arguments[i].GetType().Name.Remove(0, 2))); } else { item.SubItems.Add(new ListViewItem.ListViewSubItem(item, "")); item.SubItems.Add(new ListViewItem.ListViewSubItem(item, "")); } listArguments.Items.Add(item); } SymbolProvider.Options = SymbolOptions.DeferredLoads | SymbolOptions.UndName; try { using (var phandle = new ProcessHandle(_event.Event.ProcessId, ProcessAccess.QueryInformation | ProcessAccess.VmRead)) { _symbols = new SymbolProvider(phandle); phandle.EnumModules((module) => { _symbols.LoadModule(module.FileName, module.BaseAddress, module.Size); return(true); }); Windows.EnumKernelModules((module) => { _symbols.LoadModule(module.FileName, module.BaseAddress); return(true); }); _symbols.PreloadModules = true; for (int i = 0; i < _event.Event.StackTrace.Length; i++) { var address = _event.Event.StackTrace[i]; string fileName; IntPtr baseAddress; fileName = _symbols.GetModuleFromAddress(address, out baseAddress); listStackTrace.Items.Add(new ListViewItem(new string[] { "0x" + address.ToString("x"), (new System.IO.FileInfo(fileName)).Name + "+0x" + address.Decrement(baseAddress).ToString("x") })); WorkQueue.GlobalQueueWorkItemTag(new Action <int, IntPtr>((i_, address_) => { string symbol = _symbols.GetSymbolFromAddress(address_.ToUInt64()); if (this.IsHandleCreated) { this.BeginInvoke(new Action(() => listStackTrace.Items[i_].SubItems[1].Text = symbol)); } }), "resolve-symbol", i, address); } } } catch { } listArguments.SetDoubleBuffered(true); listStackTrace.SetDoubleBuffered(true); }
public SysInfoWindow() { this.InitializeComponent(); //if (!Settings.Instance.SysInfoWindowBounds.IsEmpty) //this.DesktopBounds = Utils.FitRectangle(Settings.Instance.SysInfoWindowBounds, this); // Load the pool limit addresses. if (_mmSizeOfPagedPoolInBytes == IntPtr.Zero) { WorkQueue.GlobalQueueWorkItemTag(new Action(() => { try { using (SymbolProvider symbols = new SymbolProvider()) { symbols.LoadModule(Windows.KernelFileName, Windows.KernelBase); _mmSizeOfPagedPoolInBytes = (IntPtr)symbols.GetSymbolFromName("MmSizeOfPagedPoolInBytes").Address; _mmMaximumNonPagedPoolInBytes = (IntPtr)symbols.GetSymbolFromName("MmMaximumNonPagedPoolInBytes").Address; } } catch (Exception) { } }), "load-mm-addresses"); } this.trackerMemory.values = Program.ProcessProvider.PhysicalMemoryHistory; this.trackerMemory.DrawColor = Settings.Instance.PlotterMemoryPrivateColor; this.trackerCommit.Maximum = (int)Program.ProcessProvider.Performance.CommitLimit; this.trackerCommit.values = Program.ProcessProvider.CommitHistory; this.trackerCommit.DrawColor = Settings.Instance.PlotterMemoryWSColor; // Set indicators color this.indicatorCpu.Color1 = Settings.Instance.PlotterCPUUserColor; this.indicatorCpu.Color2 = Settings.Instance.PlotterCPUKernelColor; this.indicatorIO.Color1 = Settings.Instance.PlotterIOROColor; this.indicatorPhysical.Color1 = Settings.Instance.PlotterMemoryPrivateColor; this.plotterCPU.LineColor2 = Settings.Instance.PlotterCPUKernelColor; this.plotterCPU.LineColor1 = Settings.Instance.PlotterCPUUserColor; this.plotterIO.LineColor1 = Settings.Instance.PlotterIOROColor; this.plotterIO.LineColor2 = Settings.Instance.PlotterIOWColor; // Maximum physical memory. this.indicatorPhysical.Maximum = _pages; // Set up the plotter controls. plotterCPU.Data1 = Program.ProcessProvider.CpuKernelHistory; plotterCPU.Data2 = Program.ProcessProvider.CpuUserHistory; plotterCPU.GetToolTip = i => Program.ProcessProvider.MostCpuHistory[i] + "\n" + ((plotterCPU.Data1[i] + plotterCPU.Data2[i]) * 100).ToString("N2") + "% (K " + (plotterCPU.Data1[i] * 100).ToString("N2") + "%, U " + (plotterCPU.Data2[i] * 100).ToString("N2") + "%)" + "\n" + Program.ProcessProvider.TimeHistory[i].ToString(); plotterIO.LongData1 = Program.ProcessProvider.IoReadOtherHistory; plotterIO.LongData2 = Program.ProcessProvider.IoWriteHistory; plotterIO.GetToolTip = i => Program.ProcessProvider.MostIoHistory[i] + "\n" + "R+O: " + Utils.FormatSize(plotterIO.LongData1[i]) + "\n" + "W: " + Utils.FormatSize(plotterIO.LongData2[i]) + "\n" + Program.ProcessProvider.TimeHistory[i].ToString(); //plotterMemory.Data1 = Program.ProcessProvider.CommitHistory; //plotterMemory.Data2 = Program.ProcessProvider.PhysicalMemoryHistory; //plotterMemory.GetToolTip = i => "Commit: " + plotterMemory.Data1[i] + "\n" + // "Phys. Memory: " + plotterMemory.Data2[i] + "\n" + Program.ProcessProvider.TimeHistory[i].ToString(); // Create a plotter per CPU. _cpuPlotters = new Plotter[_noOfCPUs]; tableCPUs.ColumnCount = (int)_noOfCPUs; tableCPUs.ColumnStyles.Clear(); tableCPUs.Dock = DockStyle.Fill; for (int i = 0; i < _cpuPlotters.Length; i++) { Plotter plotter; tableCPUs.ColumnStyles.Add(new ColumnStyle(SizeType.Percent, 1.0f / _noOfCPUs)); _cpuPlotters[i] = plotter = new Plotter(); plotter.BackColor = Color.Black; plotter.Dock = DockStyle.Fill; plotter.Margin = new Padding(i == 0 ? 0 : 3, 0, 0, 0); // nice spacing plotter.UseSecondLine = true; plotter.Data1 = Program.ProcessProvider.CpusKernelHistory[i]; plotter.Data2 = Program.ProcessProvider.CpusUserHistory[i]; plotter.GetToolTip = j => Program.ProcessProvider.MostCpuHistory[j] + "\n" + ((plotter.Data1[j] + plotter.Data2[j]) * 100).ToString("N2") + "% (K " + (plotter.Data1[j] * 100).ToString("N2") + "%, U " + (plotter.Data2[j] * 100).ToString("N2") + "%)" + "\n" + Program.ProcessProvider.TimeHistory[j].ToString(); this.tableCPUs.Controls.Add(plotter, i, 0); } this.checkShowOneGraphPerCPU.Checked = Settings.Instance.ShowOneGraphPerCPU; if (_noOfCPUs == 1) { checkShowOneGraphPerCPU.Enabled = false; } Program.ProcessProvider.Updated += ProcessProvider_Updated; //We need to do this here or TopMost property gets over-rided by AlwaysOnTopCheckbox this.TopMost = Settings.Instance.AlwaysOnTop; this.UpdateGraphs(); this.UpdateInfo(); }
private void LoadSymbols() { // Ensure we only load symbols once. if (Interlocked.CompareExchange(ref _symbolsStartedLoading, 1, 0) == 1) { return; } // Start loading symbols; avoid the UI blocking on the dbghelp call lock. _symbolsWorkQueue.QueueWorkItemTag(new Action(() => { try { // Needed (maybe) to display the EULA Win32.SymbolServerSetOptions(SymbolServerOption.Unattended, 0); } catch (Exception ex) { Logging.Log(ex); } try { // Use the process handle if we have one, otherwise use the default ID generator. if (_processHandle != null) { _symbols = new SymbolProvider(_processHandle); } else { _symbols = new SymbolProvider(); } SymbolProvider.Options = SymbolOptions.DeferredLoads | (Settings.Instance.DbgHelpUndecorate ? SymbolOptions.UndName : 0); if (!string.IsNullOrEmpty(Settings.Instance.DbgHelpSearchPath)) { _symbols.SearchPath = Settings.Instance.DbgHelpSearchPath; } try { if (_pid > 4) { using (var phandle = new ProcessHandle(_pid, Program.MinProcessQueryRights | Program.MinProcessReadMemoryRights)) { if (OSVersion.Architecture == OSArch.I386 || !phandle.IsWow64) { // Load the process' modules. try { _symbols.LoadProcessModules(phandle); } catch { } } else { // Load the process' WOW64 modules. try { _symbols.LoadProcessWow64Modules(_pid); } catch { } } // If the process is CSRSS we should load kernel modules // due to the presence of kernel-mode threads. if (phandle.KnownProcessType == KnownProcess.WindowsSubsystem) { this.LoadKernelSymbols(true); } } } else { this.LoadKernelSymbols(true); } } catch (WindowsException ex) { // Did we get Access Denied? At least load // kernel32.dll and ntdll.dll. try { ProcessHandle.Current.EnumModules(module => { if ( module.BaseName.Equals("kernel32.dll", StringComparison.OrdinalIgnoreCase) || module.BaseName.Equals("ntdll.dll", StringComparison.OrdinalIgnoreCase) ) { _symbols.LoadModule(module.FileName, module.BaseAddress, module.Size); } return(true); }); } catch (Exception ex2) { Logging.Log(ex2); } Logging.Log(ex); } catch (Exception ex) { Logging.Log(ex); } } finally { _moduleLoadCompletedEvent.Set(); } }), "symbols-load"); }
public MainWindow() { InitializeComponent(); Win32.LoadLibrary("C:\\Program Files\\Debugging Tools for Windows (x86)\\dbghelp.dll"); SymbolProvider symbols = new SymbolProvider(ProcessHandle.Current); SymbolProvider.Options |= SymbolOptions.PublicsOnly; IntPtr ntdllBase = Loader.GetDllHandle("ntdll.dll"); FileHandle ntdllFileHandle = null; Section section = null; ProcessHandle.Current.EnumModules((module) => { if (module.BaseName.Equals("ntdll.dll", StringComparison.InvariantCultureIgnoreCase)) { section = new Section( ntdllFileHandle = new FileHandle(@"\??\" + module.FileName, FileShareMode.ReadWrite, FileAccess.GenericExecute | FileAccess.GenericRead ), true, MemoryProtection.ExecuteRead ); symbols.LoadModule(module.FileName, module.BaseAddress, module.Size); return(false); } return(true); }); SectionView view = section.MapView((int)ntdllFileHandle.GetSize()); ntdllFileHandle.Dispose(); symbols.EnumSymbols("ntdll!Zw*", (symbol) => { int number = Marshal.ReadInt32( (symbol.Address.ToIntPtr().Decrement(ntdllBase)).Increment(view.Memory).Increment(1)); _sysCallNames.Add( number, "Nt" + symbol.Name.Substring(2) ); _reverseSysCallNames.Add( "Nt" + symbol.Name.Substring(2), number ); return(true); }); view.Dispose(); section.Dispose(); symbols.Dispose(); KProcessHacker.Instance = new KProcessHacker(); _logger = new SsLogger(4096, false); _logger.EventBlockReceived += new EventBlockReceivedDelegate(logger_EventBlockReceived); _logger.ArgumentBlockReceived += new ArgumentBlockReceivedDelegate(logger_ArgumentBlockReceived); _logger.AddProcessIdRule(FilterType.Exclude, ProcessHandle.GetCurrentId()); _logger.AddPreviousModeRule(FilterType.Include, KProcessorMode.UserMode); //_logger.Start(); listEvents.SetDoubleBuffered(true); }
public ThreadProvider(int pid) : base() { this.Name = this.GetType().Name; _pid = pid; _messageQueue.AddListener( new MessageQueueListener <ResolveMessage>((message) => { if (message.Symbol != null) { this.Dictionary[message.Tid].StartAddress = message.Symbol; this.Dictionary[message.Tid].FileName = message.FileName; this.Dictionary[message.Tid].StartAddressLevel = message.ResolveLevel; this.Dictionary[message.Tid].JustResolved = true; } })); this.ProviderUpdate += new ProviderUpdateOnce(UpdateOnce); this.Disposed += ThreadProvider_Disposed; try { // Try to get a good process handle we can use the same handle for stack walking. try { _processAccess = ProcessAccess.QueryInformation | ProcessAccess.VmRead; _processHandle = new ProcessHandle(_pid, _processAccess); } catch { try { if (KProcessHacker.Instance != null) { _processAccess = Program.MinProcessReadMemoryRights; _processHandle = new ProcessHandle(_pid, _processAccess); } else { _processAccess = Program.MinProcessQueryRights; _processHandle = new ProcessHandle(_pid, _processAccess); } } catch (WindowsException ex) { Logging.Log(ex); } } // Start loading symbols; avoid the UI blocking on the dbghelp call lock. _symbolsWorkQueue.QueueWorkItemTag(new Action(() => { try { // Needed (maybe) to display the EULA Win32.SymbolServerSetOptions(SymbolServerOption.Unattended, 0); } catch (Exception ex) { Logging.Log(ex); } try { // Use the process handle if we have one, otherwise use the default ID generator. if (_processHandle != null) { _symbols = new SymbolProvider(_processHandle); } else { _symbols = new SymbolProvider(); } SymbolProvider.Options = SymbolOptions.DeferredLoads | (Properties.Settings.Default.DbgHelpUndecorate ? SymbolOptions.UndName : 0); if (Properties.Settings.Default.DbgHelpSearchPath != "") { _symbols.SearchPath = Properties.Settings.Default.DbgHelpSearchPath; } try { if (_pid != 4) { using (var phandle = new ProcessHandle(_pid, Program.MinProcessQueryRights | Program.MinProcessReadMemoryRights)) { if (IntPtr.Size == 4 || !phandle.IsWow64()) { // Load the process' modules. try { _symbols.LoadProcessModules(phandle); } catch { } } else { // Load the process' WOW64 modules. try { _symbols.LoadProcessWow64Modules(_pid); } catch { } } // If the process is CSRSS we should load kernel modules // due to the presence of kernel-mode threads. if (phandle.GetKnownProcessType() == KnownProcess.WindowsSubsystem) { this.LoadKernelSymbols(true); } } } else { this.LoadKernelSymbols(true); } } catch (WindowsException ex) { // Did we get Access Denied? At least load // kernel32.dll and ntdll.dll. try { ProcessHandle.Current.EnumModules((module) => { if (module.BaseName == "kernel32.dll" || module.BaseName == "ntdll.dll") { _symbols.LoadModule(module.FileName, module.BaseAddress, module.Size); } return(true); }); } catch (Exception ex2) { Logging.Log(ex2); } Logging.Log(ex); } catch (Exception ex) { Logging.Log(ex); } } finally { lock (_moduleLoadCompletedEvent) { if (!_moduleLoadCompletedEvent.SafeWaitHandle.IsClosed) { _moduleLoadCompletedEvent.Set(); } } } }), "symbols-load"); } catch (Exception ex) { Logging.Log(ex); } }