Exemplo n.º 1
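        /// <summary>
        /// Handles an ALPC receive-message trace record: logs it as an <c>AlpcEvent</c> and, when a
        /// stored send record carries the same message ID, pairs both sides into an <c>AlpcMessage</c>.
        /// </summary>
        /// <param name="obj">The receive-side trace record.</param>
        private void Parser_ALPCReceiveMessage(ALPCReceiveMessageTraceData obj)
        {
            if (!IsRunning)
            {
                return;
            }

            // The raw receive event is always recorded, even if no matching send is found below.
            AddEvent(new AlpcEvent(obj)
            {
                Type      = AlpcEventType.ReceiveMessage,
                MessageId = obj.MessageID,
            });

            ALPCSendMessageTraceData source;

            // Find and claim the matching send inside one critical section. _sendMessages is
            // guarded by this lock for the lookup, so the removal must hold the same lock;
            // doing both together also keeps a second handler from pairing the same send.
            // NOTE(review): pairing relies on MessageID alone, and the first stored match wins.
            // If IDs can repeat within a session, confirm that this is the intended correlation.
            lock (_sendMessages)
            {
                source = _sendMessages.FirstOrDefault(msg => msg.MessageID == obj.MessageID);
                if (source != null)
                {
                    _sendMessages.Remove(source);
                }
            }

            if (source == null)
            {
                // No send was captured for this message ID, so there is nothing to pair.
                return;
            }

            // Sender fields come from the stored send record, receiver fields from this event.
            var message = new AlpcMessage
            {
                SourceProcess     = source.ProcessID,
                SourceProcessName = source.ProcessName,
                TargetProcess     = obj.ProcessID,
                TargetProcessName = obj.ProcessName,
                MessageId         = obj.MessageID,
                SourceThread      = source.ThreadID,
                TargetThread      = obj.ThreadID,
                SendTime          = source.TimeStamp,
                ReceiveTime       = obj.TimeStamp,
            };

            lock (_messages)
            {
                _messages.Add(message);
            }
        }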
Exemplo n.º 2
        /// <summary>
        /// Handles an ALPC receive-message trace record. When a sender was stored for the message ID
        /// and either endpoint is the monitored <c>pid</c>, records the peer process and writes one
        /// trace line showing the direction of the message.
        /// </summary>
        /// <param name="data">The receive-side trace record.</param>
        private void HandleALPCReceiveMessage(ALPCReceiveMessageTraceData data)
        {
            Tuple<int, string, int> sender;

            // Without a stored sender for this message ID there is nothing to report.
            if (!sentMessages.TryGetValue(data.MessageID, out sender))
            {
                return;
            }

            // Item1 is compared against pid and Item2 is printed as a name; Item3 is printed
            // after the process ID, presumably the sender's thread ID (TODO confirm).
            int senderPid = sender.Item1;
            string senderName = sender.Item2;
            int senderTid = sender.Item3;

            if (data.ProcessID == pid)
            {
                // The monitored process is the receiver: the peer is the sender.
                connectedProcesses.Add($"{senderName} ({senderPid})");

                string inbound = $"{data.TimeStampRelativeMSec:0.0000} ({data.ProcessID}.{data.ThreadID}) ALPC {data.ProcessName} " +
                                 $"<--(0x{data.MessageID:X})--- {senderName} ({senderPid}.{senderTid})";
                traceOutput.WriteLine(inbound);
                return;
            }

            if (senderPid == pid)
            {
                // The monitored process is the sender: the peer is the receiver.
                connectedProcesses.Add($"{data.ProcessName} ({data.ProcessID})");

                string outbound = $"{data.TimeStampRelativeMSec:0.0000} ({senderPid}.{senderTid}) ALPC {senderName} " +
                                  $"---(0x{data.MessageID:X})--> {data.ProcessName} ({data.ProcessID}.{data.ThreadID})";
                traceOutput.WriteLine(outbound);
            }
        }