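        /// <summary>
        /// Converts the raw per-process "*.log" files in <paramref name="captureDirPath"/> into one
        /// BZip2-compressed XML document, "capture.osd", written to the same directory. All logs are
        /// first indexed by event id, then the events are emitted in ascending id order.
        /// </summary>
        /// <param name="captureDirPath">Directory containing the raw capture logs.</param>
        /// <param name="numEvents">Expected number of events; drives the progress percentages and the index capacity. Values below 1 yield 0% updates.</param>
        /// <param name="progress">Receives "Indexing" and "Converting event N of M" updates.</param>
        /// <exception cref="ArgumentException">Two records share the same event id.</exception>
        /// <exception cref="InvalidDataException">A record's size field runs past the end of its log file.</exception>
        public void ConvertAll(string captureDirPath, int numEvents, IProgressFeedback progress)
        {
            List<BinaryReader> readers = new List<BinaryReader>(1);
            // Event id -> (reader, offset of the record body just past the id/size header). A SortedList
            // keeps ids ordered so the second pass emits events in id order regardless of source log.
            SortedList<uint, KeyValuePair<BinaryReader, uint>> ids =
                new SortedList<uint, KeyValuePair<BinaryReader, uint>>(Math.Max(numEvents, 0));

            try
            {
                uint i = 0;
                foreach (string filePath in Directory.GetFiles(captureDirPath, "*.log", SearchOption.TopDirectoryOnly))
                {
                    FileStream fs = new FileStream(filePath, FileMode.Open, FileAccess.Read);
                    BinaryReader r = new BinaryReader(fs);
                    readers.Add(r);

                    while (fs.Position < fs.Length)
                    {
                        i++;
                        progress.ProgressUpdate("Indexing", ProgressPercent(i, numEvents));

                        // Record layout: uint32 id, uint32 body size, then `size` bytes of body.
                        uint id = r.ReadUInt32();
                        uint size = r.ReadUInt32();

                        // The size field comes from the log on disk. If it points past EOF the log is
                        // truncated or corrupt; fail now with a clear message instead of later with an
                        // EndOfStreamException out of UnserializeNode.
                        if (size > fs.Length - fs.Position)
                        {
                            throw new InvalidDataException(String.Format("Record {0} in {1} is truncated", id, filePath));
                        }

                        // Offsets are stored as uint, so logs of 4 GiB or more are not supported here.
                        ids.Add(id, new KeyValuePair<BinaryReader, uint>(r, (uint)fs.Position));
                        fs.Seek(size, SeekOrigin.Current);
                    }
                }

                string resultPath = Path.Combine(captureDirPath, "capture.osd");
                XmlTextWriter xtw = new XmlTextWriter(new BZip2OutputStream(new FileStream(resultPath, FileMode.Create)),
                                                      System.Text.Encoding.UTF8);
                try
                {
                    xtw.Formatting = Formatting.Indented;
                    xtw.Indentation = 4;
                    xtw.IndentChar = ' ';
                    xtw.WriteStartDocument(true);
                    xtw.WriteStartElement("events");

                    i = 0;
                    foreach (KeyValuePair<BinaryReader, uint> pair in ids.Values)
                    {
                        i++;
                        progress.ProgressUpdate(String.Format("Converting event {0} of {1}", i, numEvents),
                                                ProgressPercent(i, numEvents));

                        BinaryReader r = pair.Key;
                        r.BaseStream.Seek(pair.Value, SeekOrigin.Begin);
                        UnserializeNode(r, xtw);
                    }

                    xtw.WriteEndElement();
                    xtw.WriteEndDocument();
                }
                finally
                {
                    // Closing the writer also flushes and closes the BZip2 stream and the file beneath it.
                    xtw.Close();
                }
            }
            finally
            {
                // Release every log file even when indexing or conversion failed part-way.
                foreach (BinaryReader r in readers)
                {
                    r.Close();
                }
            }
        }

        /// <summary>
        /// Percentage of <paramref name="done"/> over <paramref name="total"/>, or 0 when <paramref name="total"/>
        /// is not positive (a float division by zero followed by an int cast has no defined result).
        /// </summary>
        private static int ProgressPercent(uint done, int total)
        {
            if (total <= 0)
            {
                return 0;
            }

            return (int)(((float)done / (float)total) * 100.0f);
        }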
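        /// <summary>
        /// Creates the named shared-memory block ("oSpyCapture") that carries the capture configuration,
        /// allocates a fresh temporary log directory, publishes its path plus zeroed LogIndex/LogSize and
        /// an (empty) softwall rule set into that block, and copies config.xml next to the logs.
        /// </summary>
        /// <param name="processes">Not used by this method; kept for signature compatibility with its caller.</param>
        /// <exception cref="Error">The mapping already exists (another oSpy instance or a previously monitored process is still alive), a Win32 call failed, or the temporary path does not fit in the configuration block.</exception>
        private void PrepareCapture(Process[] processes)
        {
            progress.ProgressUpdate("Preparing capture", 100);

            uint captureSize = (uint)Marshal.SizeOf(typeof(Capture));

            // 0xFFFFFFFF is INVALID_HANDLE_VALUE: the mapping is backed by the pagefile, not by a file.
            // NOTE(review): the mapping is created with default security (IntPtr.Zero attributes) and a
            // well-known name, so any process running as the same user can open and rewrite it; the
            // injected agent trusts whatever it finds there.
            fileMapping = CreateFileMapping(0xFFFFFFFFu, IntPtr.Zero,
                                            enumProtect.PAGE_READWRITE,
                                            0, captureSize,
                                            "oSpyCapture");
            // Capture the error code immediately, before any other P/Invoke can overwrite it.
            // (Only meaningful if the CreateFileMapping import declares SetLastError = true — confirm.)
            int mappingError = Marshal.GetLastWin32Error();
            if (mappingError == ERROR_ALREADY_EXISTS)
            {
                throw new Error("Is another instance of oSpy or one or more processes previously monitored still alive?");
            }
            if (fileMapping == IntPtr.Zero)
            {
                throw new Error(String.Format("CreateFileMapping failed: 0x{0:x8}", mappingError));
            }

            cfgPtr = MapViewOfFile(fileMapping, enumFileMap.FILE_MAP_WRITE, 0, 0, captureSize);
            if (cfgPtr == IntPtr.Zero)
            {
                throw new Error(String.Format("MapViewOfFile failed: 0x{0:x8}", Marshal.GetLastWin32Error()));
            }

            // Create a temporary directory for the capture
            do
            {
                tmpDir = Path.Combine(Path.GetTempPath(), Path.GetRandomFileName());
            } while (Directory.Exists(tmpDir));

            Directory.CreateDirectory(tmpDir);

            // Write the temporary directory to shared memory as a NUL-terminated UTF-16 string.
            char[] tmpDirChars = tmpDir.ToCharArray();
            long   logPathOffset = Marshal.OffsetOf(typeof(Capture), "LogPath").ToInt64();
            IntPtr ptr           = (IntPtr)(cfgPtr.ToInt64() + logPathOffset);

            // Never write past the end of the mapped block. This bounds the copy by the struct size;
            // the exact capacity of the LogPath field itself is not visible from here — confirm it
            // against the Capture declaration so a long temp path cannot spill into the next field.
            long bytesNeeded = (long)(tmpDirChars.Length + 1) * sizeof(char);
            if (bytesNeeded > captureSize - logPathOffset)
            {
                throw new Error(String.Format("Temporary directory path is too long for the capture configuration block: {0}", tmpDir));
            }

            Marshal.Copy(tmpDirChars, 0, ptr, tmpDirChars.Length);

            // And make it NUL-terminated
            Marshal.WriteInt16(ptr, tmpDirChars.Length * sizeof(char), 0);

            // Initialize LogIndex and LogSize
            logIndexPtr = (IntPtr)(cfgPtr.ToInt64() + Marshal.OffsetOf(typeof(Capture), "LogIndex").ToInt64());
            logSizePtr  = (IntPtr)(cfgPtr.ToInt64() + Marshal.OffsetOf(typeof(Capture), "LogSize").ToInt64());

            Marshal.WriteInt32(logIndexPtr, 0);
            Marshal.WriteInt32(logSizePtr, 0);

            // Initialize softwall rules (none yet; the loop is kept so a rule set can be plugged in later)
            SoftwallRule[] rules = new SoftwallRule[0];

            Marshal.WriteInt32(cfgPtr, Marshal.OffsetOf(typeof(Capture), "NumSoftwallRules").ToInt32(), rules.Length);

            ptr = (IntPtr)(cfgPtr.ToInt64() + Marshal.OffsetOf(typeof(Capture), "SoftwallRules").ToInt64());
            foreach (SoftwallRule rule in rules)
            {
                Marshal.StructureToPtr(rule, ptr, false);

                ptr = (IntPtr)(ptr.ToInt64() + Marshal.SizeOf(typeof(SoftwallRule)));
            }

            // Copy configuration XML from the application directory into the capture directory
            string configPath = Path.Combine(Path.GetDirectoryName(Process.GetCurrentProcess().MainModule.FileName), "config.xml");

            File.Copy(configPath, Path.Combine(tmpDir, "config.xml"));
        }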
        /// <summary>
        /// Tears down an active capture: reports progress, runs <c>UnprepareCapture(true)</c>, clears the
        /// stop request, signals completion to the progress sink and then drops the per-operation
        /// references. Presumably the body run on <c>stopWorkerThread</c> — confirm against the caller.
        /// </summary>
        private void DoStopCapture()
        {
            progress.ProgressUpdate("Stopping capture", 100);

            UnprepareCapture(true);

            // Reset() suggests a manual-reset event: clear it so the next capture does not observe a stale
            // stop signal — confirm the field's type.
            stopRequest.Reset();

            progress.OperationComplete();
            // Released last: both are only valid for the duration of one stop operation.
            progress         = null;
            stopWorkerThread = null;
        }
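        /// <summary>
        /// Blocks until the USB agent service (<c>Constants.UsbAgentName</c>) reports SERVICE_STOPPED,
        /// polling its status every 250 ms. There is no timeout: if the service never stops, this method
        /// never returns, so it must only run on a thread the caller can abandon.
        /// </summary>
        /// <exception cref="Error">The service control manager or the service could not be opened, or a status query failed; the message carries the Win32 error code.</exception>
        private void WaitForUsbAgentServiceToStop()
        {
            // NOTE(review): polling status only needs SC_MANAGER_CONNECT / SERVICE_QUERY_STATUS rather than
            // *_ALL_ACCESS; switch once the WinApi wrapper exposes those constants (not visible here).
            IntPtr manager = WinApi.OpenSCManager(null, null, WinApi.SC_MANAGER_ALL_ACCESS);

            if (manager == IntPtr.Zero)
            {
                throw new Error(String.Format("OpenSCManager failed: 0x{0:x8}", Marshal.GetLastWin32Error()));
            }

            IntPtr service = IntPtr.Zero;

            try
            {
                service = WinApi.OpenService(manager, Constants.UsbAgentName, WinApi.SERVICE_ALL_ACCESS);
                if (service == IntPtr.Zero)
                {
                    throw new Error(String.Format("OpenService failed: 0x{0:x8}", Marshal.GetLastWin32Error()));
                }

                WinApi.SERVICE_STATUS status = new WinApi.SERVICE_STATUS();

                progress.ProgressUpdate("Unplug any USB device being monitored now", 100);

                bool stopped = false;

                while (!stopped)
                {
                    if (!WinApi.QueryServiceStatus(service, ref status))
                    {
                        throw new Error(String.Format("Failed to query for service status: 0x{0:x8}", Marshal.GetLastWin32Error()));
                    }

                    stopped = status.dwCurrentState == WinApi.SERVICE_STOPPED;
                    if (!stopped)
                    {
                        // Cheap poll interval; the SCM offers no wait handle for state changes.
                        Thread.Sleep(250);
                    }
                }
            }
            finally
            {
                // Both handles are closed on every path, including the throw paths above.
                if (service != IntPtr.Zero)
                {
                    WinApi.CloseServiceHandle(service);
                }

                WinApi.CloseServiceHandle(manager);
            }
        }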
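        /// <summary>
        /// Loads a BZip2-compressed capture document. The inner XML of every &lt;event&gt; element is appended
        /// to a temporary scratch file and indexed by event id in <c>events</c>, so single events can later be
        /// re-read through <c>tmpReader</c> without holding the whole document in memory.
        /// </summary>
        /// <param name="path">Path of the compressed capture file.</param>
        /// <param name="progress">Receives a "Loading" update whenever the percentage changes.</param>
        /// <exception cref="XmlException">The document is malformed or contains a DTD (rejected because capture files are untrusted input).</exception>
        /// <exception cref="InvalidDataException">An &lt;event&gt; element lacks a required attribute.</exception>
        public void Load(string path, IProgressFeedback progress)
        {
            BZip2InputStream inStream = new BZip2InputStream(new FileStream(path, FileMode.Open));
            XmlTextReader    xtr      = new XmlTextReader(inStream);

            // A capture file is untrusted input: refuse DTDs so neither entity expansion nor external
            // resource fetches can be triggered by the document.
            xtr.DtdProcessing = DtdProcessing.Prohibit;
            xtr.XmlResolver   = null;

            try
            {
                tmpPath = Path.GetTempFileName();
                FileStream tmpFileStream = new FileStream(tmpPath, FileMode.Create, FileAccess.ReadWrite);

                // Reader and writer share one stream. The writer must therefore never be disposed here:
                // that would close the stream tmpReader keeps using after Load returns.
                tmpReader = new StreamReader(tmpFileStream);
                StreamWriter tmpFileWriter = new StreamWriter(tmpFileStream, Encoding.UTF8);

                events = new SortedDictionary <uint, DumpEvent>();

                int prevPct = -1, pct;

                while (xtr.Read())
                {
                    pct = (int)(((float)inStream.Position / (float)inStream.Length) * 100.0f);
                    if (pct != prevPct)
                    {
                        prevPct = pct;
                        progress.ProgressUpdate("Loading", pct);
                    }

                    if (xtr.NodeType == XmlNodeType.Element && xtr.Name == "event")
                    {
                        // Flush first so startOffset reflects everything written so far (including the BOM
                        // the writer emits on its first flush).
                        tmpFileWriter.Flush();
                        long startOffset = tmpFileStream.Position;

                        XmlReader   rdr = xtr.ReadSubtree();
                        XmlDocument doc = new XmlDocument();
                        doc.Load(rdr);

                        XmlAttributeCollection attrs = doc.DocumentElement.Attributes;
                        uint          id             = Convert.ToUInt32(RequireAttribute(attrs, "id"));
                        DumpEventType type           = (DumpEventType)Enum.Parse(typeof(DumpEventType), RequireAttribute(attrs, "type"));
                        DateTime      timestamp      = DateTime.FromFileTimeUtc(Convert.ToInt64(RequireAttribute(attrs, "timestamp")));
                        string        processName    = RequireAttribute(attrs, "processName");
                        uint          processId      = Convert.ToUInt32(RequireAttribute(attrs, "processId"));
                        uint          threadId       = Convert.ToUInt32(RequireAttribute(attrs, "threadId"));

                        string eventStr = doc.DocumentElement.InnerXml;
                        tmpFileWriter.Write(eventStr);

                        // NOTE(review): startOffset is a byte offset but eventStr.Length counts UTF-16 chars;
                        // they only agree for ASCII content — confirm how DumpEvent reads the scratch file.
                        // A repeated id silently replaces the earlier entry.
                        events[id] = new DumpEvent(this, id, type, timestamp, processName, processId, threadId, startOffset, eventStr.Length);
                    }
                }

                // Push the last event's text to disk before rewinding; otherwise it would stay in the
                // writer's buffer and be lost (or land at offset 0 on a later flush).
                tmpFileWriter.Flush();
                tmpFileStream.Seek(0, SeekOrigin.Begin);
            }
            finally
            {
                // Also closes inStream and the file beneath it, on success and on failure.
                xtr.Close();
            }
        }

        /// <summary>
        /// Returns the value of a required attribute of an &lt;event&gt; element.
        /// </summary>
        /// <exception cref="InvalidDataException">The attribute is absent.</exception>
        private static string RequireAttribute(XmlAttributeCollection attrs, string name)
        {
            XmlAttribute attr = attrs[name];
            if (attr == null)
            {
                throw new InvalidDataException(String.Format("<event> element is missing the '{0}' attribute", name));
            }

            return attr.Value;
        }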
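        /// <summary>
        /// Loads a BZip2-compressed capture document: each &lt;event&gt; element's inner XML is appended to a
        /// temporary scratch file and indexed by event id in <c>events</c>, so events can later be re-read
        /// individually through <c>tmpReader</c>.
        /// </summary>
        /// <param name="path">Path of the compressed capture file.</param>
        /// <param name="progress">Receives a "Loading" update whenever the percentage changes.</param>
        /// <exception cref="XmlException">The document is malformed or contains a DTD (rejected: capture files are untrusted input).</exception>
        /// <exception cref="InvalidDataException">An &lt;event&gt; element lacks a required attribute.</exception>
        public void Load(string path, IProgressFeedback progress)
        {
            BZip2InputStream inStream = new BZip2InputStream(new FileStream(path, FileMode.Open));
            XmlTextReader xtr = new XmlTextReader(inStream);

            // Untrusted input: no DTD processing, no external resolution (entity expansion / resource fetch).
            xtr.DtdProcessing = DtdProcessing.Prohibit;
            xtr.XmlResolver = null;

            try
            {
                tmpPath = Path.GetTempFileName();
                FileStream tmpFileStream = new FileStream(tmpPath, FileMode.Create, FileAccess.ReadWrite);

                // tmpReader and tmpFileWriter share this stream; do not dispose the writer here or the
                // reader (used after Load returns) loses its stream.
                tmpReader = new StreamReader(tmpFileStream);
                StreamWriter tmpFileWriter = new StreamWriter(tmpFileStream, Encoding.UTF8);

                events = new SortedDictionary<uint, DumpEvent>();

                int prevPct = -1, pct;
                while (xtr.Read())
                {
                    pct = (int)(((float)inStream.Position / (float)inStream.Length) * 100.0f);
                    if (pct != prevPct)
                    {
                        prevPct = pct;
                        progress.ProgressUpdate("Loading", pct);
                    }

                    if (xtr.NodeType == XmlNodeType.Element && xtr.Name == "event")
                    {
                        // Flush so startOffset accounts for everything written so far.
                        tmpFileWriter.Flush();
                        long startOffset = tmpFileStream.Position;

                        XmlReader rdr = xtr.ReadSubtree();
                        XmlDocument doc = new XmlDocument();
                        doc.Load(rdr);

                        XmlAttributeCollection attrs = doc.DocumentElement.Attributes;
                        uint id = Convert.ToUInt32(GetRequiredAttribute(attrs, "id"));
                        DumpEventType type = (DumpEventType) Enum.Parse(typeof(DumpEventType), GetRequiredAttribute(attrs, "type"));
                        DateTime timestamp = DateTime.FromFileTimeUtc(Convert.ToInt64(GetRequiredAttribute(attrs, "timestamp")));
                        string processName = GetRequiredAttribute(attrs, "processName");
                        uint processId = Convert.ToUInt32(GetRequiredAttribute(attrs, "processId"));
                        uint threadId = Convert.ToUInt32(GetRequiredAttribute(attrs, "threadId"));

                        string eventStr = doc.DocumentElement.InnerXml;
                        tmpFileWriter.Write(eventStr);

                        // NOTE(review): startOffset is in bytes while eventStr.Length is in UTF-16 chars — these
                        // match only for ASCII content; confirm against DumpEvent's read path.
                        // A duplicate id replaces the earlier entry.
                        events[id] = new DumpEvent(this, id, type, timestamp, processName, processId, threadId, startOffset, eventStr.Length);
                    }
                }

                // Without this flush the last event's text stays in the writer's buffer and never reaches
                // the file at the recorded offset.
                tmpFileWriter.Flush();
                tmpFileStream.Seek(0, SeekOrigin.Begin);
            }
            finally
            {
                // Closes inStream (and its FileStream) on every path.
                xtr.Close();
            }
        }

        /// <summary>
        /// Value of a required &lt;event&gt; attribute.
        /// </summary>
        /// <exception cref="InvalidDataException">The attribute is absent.</exception>
        private static string GetRequiredAttribute(XmlAttributeCollection attrs, string name)
        {
            XmlAttribute attr = attrs[name];
            if (attr == null)
            {
                throw new InvalidDataException(String.Format("<event> element is missing the '{0}' attribute", name));
            }

            return attr.Value;
        }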
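        /// <summary>
        /// Groups <paramref name="packets"/> into sessions keyed by resource id, in the order each id is
        /// first seen, then attaches every event whose resource id matches a session.
        /// </summary>
        /// <param name="packets">Packets to group; each is added to exactly one session.</param>
        /// <param name="events">Events to attach. Sorted in place, so the caller's array is reordered. Events with no matching session are dropped.</param>
        /// <param name="progress">Receives "Identifying sessions" updates from 0 to 100.</param>
        /// <returns>The sessions in first-seen order of their resource id.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="packets"/> or <paramref name="events"/> is null.</exception>
        public static IPSession[] ExtractAllFrom(IPPacket[] packets, TCPEvent[] events, IProgressFeedback progress)
        {
            if (packets == null)
            {
                throw new ArgumentNullException("packets");
            }
            if (events == null)
            {
                throw new ArgumentNullException("events");
            }

            //
            // Find sessions
            //
            progress.ProgressUpdate("Identifying sessions", 0);

            Dictionary <UInt32, IPSession> sessionById = new Dictionary <UInt32, IPSession>();
            // Dictionary enumeration order is unspecified, so first-seen order is tracked separately.
            List <UInt32> sessionIds = new List <UInt32>();

            int i = 0;

            foreach (IPPacket p in packets)
            {
                UInt32 id = p.ResourceId;

                IPSession session;
                if (!sessionById.TryGetValue(id, out session))
                {
                    session         = new IPSession();
                    sessionById[id] = session;
                    sessionIds.Add(id);
                }

                session.AddPacket(p);
                i++;

                progress.ProgressUpdate("Identifying sessions",
                                        (int)((i / (float)packets.Length) * 100.0f));
            }

            //
            // Add the events to the appropriate sessions
            //

            // First off, sort them (in place) — the ordering is whatever TCPEvent's comparer defines,
            // presumably timestamp; not visible from here.
            Array.Sort(events);

            // Then match them with the sessions
            foreach (TCPEvent ev in events)
            {
                IPSession session;
                if (sessionById.TryGetValue(ev.ResourceId, out session))
                {
                    session.AddEvent(ev);
                }
            }

            //
            // Build an ordered list of sessions
            //
            IPSession[] result = new IPSession[sessionIds.Count];

            for (int n = 0; n < result.Length; n++)
            {
                result[n] = sessionById[sessionIds[n]];
            }

            return(result);
        }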
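        /// <summary>
        /// Converts the raw per-process "*.log" files in <paramref name="captureDirPath"/> into a single
        /// BZip2-compressed XML document "capture.osd" in the same directory: all logs are indexed by
        /// event id first, then the events are written in ascending id order.
        /// </summary>
        /// <param name="captureDirPath">Directory holding the raw capture logs.</param>
        /// <param name="numEvents">Expected number of events; used for progress percentages (0% when not positive) and the index capacity.</param>
        /// <param name="progress">Receives "Indexing" and "Converting event N of M" updates.</param>
        /// <exception cref="ArgumentException">Two records share the same event id.</exception>
        /// <exception cref="InvalidDataException">A record's size field runs past the end of its log file.</exception>
        public void ConvertAll(string captureDirPath, int numEvents, IProgressFeedback progress)
        {
            List <BinaryReader> readers = new List <BinaryReader>(1);
            // Event id -> (reader, offset of the record body just past the id/size header), kept sorted so
            // the output pass runs in id order across all logs.
            SortedList <uint, KeyValuePair <BinaryReader, uint> > ids =
                new SortedList <uint, KeyValuePair <BinaryReader, uint> >(Math.Max(numEvents, 0));

            // A non-positive numEvents would make the percentage a float division by zero whose int cast
            // is undefined, so such calls just report 0%.
            bool haveTotal = numEvents > 0;

            try
            {
                uint i = 0;

                foreach (string filePath in Directory.GetFiles(captureDirPath, "*.log", SearchOption.TopDirectoryOnly))
                {
                    FileStream   fs = new FileStream(filePath, FileMode.Open, FileAccess.Read);
                    BinaryReader r  = new BinaryReader(fs);

                    readers.Add(r);

                    while (fs.Position < fs.Length)
                    {
                        i++;
                        progress.ProgressUpdate("Indexing", haveTotal ? (int)(((float)i / (float)numEvents) * 100.0f) : 0);

                        // Record layout: uint32 id, uint32 body size, `size` bytes of body.
                        uint id   = r.ReadUInt32();
                        uint size = r.ReadUInt32();

                        // The size comes from the file; if it points past EOF the log is truncated or corrupt.
                        // Fail here with a clear message rather than from UnserializeNode later on.
                        if (size > fs.Length - fs.Position)
                        {
                            throw new InvalidDataException(String.Format("Record {0} in {1} is truncated", id, filePath));
                        }

                        // Offsets are stored as uint: logs of 4 GiB or more are not supported here.
                        ids.Add(id, new KeyValuePair <BinaryReader, uint>(r, (uint)fs.Position));

                        fs.Seek(size, SeekOrigin.Current);
                    }
                }

                string        resultPath = Path.Combine(captureDirPath, "capture.osd");
                XmlTextWriter xtw        = new XmlTextWriter(new BZip2OutputStream(new FileStream(resultPath, FileMode.Create)),
                                                             System.Text.Encoding.UTF8);
                try
                {
                    xtw.Formatting  = Formatting.Indented;
                    xtw.Indentation = 4;
                    xtw.IndentChar  = ' ';
                    xtw.WriteStartDocument(true);
                    xtw.WriteStartElement("events");

                    i = 0;
                    foreach (KeyValuePair <BinaryReader, uint> pair in ids.Values)
                    {
                        i++;
                        progress.ProgressUpdate(String.Format("Converting event {0} of {1}", i, numEvents),
                                                haveTotal ? (int)(((float)i / (float)numEvents) * 100.0f) : 0);

                        BinaryReader r = pair.Key;
                        r.BaseStream.Seek(pair.Value, SeekOrigin.Begin);
                        UnserializeNode(r, xtw);
                    }

                    xtw.WriteEndElement();
                    xtw.WriteEndDocument();
                }
                finally
                {
                    // Flushes and closes the BZip2 stream and the output file as well.
                    xtw.Close();
                }
            }
            finally
            {
                // Release the log files on every path, including a failure part-way through.
                foreach (BinaryReader r in readers)
                {
                    r.Close();
                }
            }
        }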
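        /// <summary>
        /// Appends <paramref name="events"/> as rows of the "messages" table. The grid's data source is
        /// detached during the bulk load and restored afterwards, also when a row fails to load.
        /// </summary>
        /// <param name="events">Captured events to add; message events additionally fill "MsgContext".</param>
        /// <param name="progress">Receives one "Loading events" update per event.</param>
        private void AddEventsToDataSet(Capture.Event[] events, IProgressFeedback progress)
        {
            object source = dataGridView.DataSource;
            dataGridView.DataSource = null;
            dataSet.Tables[0].BeginLoadData();

            try
            {
                DataTable tbl = dataSet.Tables["messages"];

                int i = 0;
                foreach (Capture.Event ev in events)
                {
                    i++;
                    progress.ProgressUpdate("Loading events", (int) (((float) i / (float) events.Length) * 100.0f));

                    DataRow row = tbl.NewRow();
                    row.BeginEdit();

                    /* Common stuff */
                    row["Timestamp"] = ev.Timestamp;

                    row["ProcessName"] = ev.ProcessName;
                    row["ProcessId"] = ev.ProcessId;
                    row["ThreadId"] = ev.ThreadId;

                    row["FunctionName"] = ev.FunctionName;
                    row["Backtrace"] = ev.Backtrace;

                    // The innermost frame (first backtrace line) identifies the caller.
                    string callerModName;
                    UInt32 returnAddress;
                    ParseCallerFrame(ev.Backtrace, out callerModName, out returnAddress);

                    row["ReturnAddress"] = returnAddress;
                    row["CallerModuleName"] = callerModName;

                    row["ResourceId"] = ev.ResourceId;

                    Capture.MessageEvent msgEvent = ev as Capture.MessageEvent;
                    if (msgEvent != null)
                    {
                        row["MsgType"] = MessageType.MESSAGE_TYPE_MESSAGE;

                        row["MsgContext"] = msgEvent.Context;
                    }
                    else
                    {
                        // Every non-message event is recorded as a packet.
                        row["MsgType"] = MessageType.MESSAGE_TYPE_PACKET;
                    }

                    row["Message"] = ev.Message;

                    row["Direction"] = ev.Direction;

                    if (ev.LocalEndpoint != null)
                    {
                        row["LocalAddress"] = ev.LocalEndpoint.Address.ToString();
                        row["LocalPort"] = ev.LocalEndpoint.Port;
                    }

                    if (ev.PeerEndpoint != null)
                    {
                        row["PeerAddress"] = ev.PeerEndpoint.Address.ToString();
                        row["PeerPort"] = ev.PeerEndpoint.Port;
                    }

                    row["Data"] = ev.Data;

                    row.EndEdit();

                    tbl.Rows.Add(row);
                }
            }
            finally
            {
                // Leave the table and the grid usable even if a row failed to load.
                dataSet.Tables[0].EndLoadData();
                dataGridView.DataSource = source;
            }
        }

        /// <summary>
        /// Extracts the caller module name and return address from the first line of a backtrace,
        /// expected as "module::0xADDR" (the "0x" prefix is optional). Missing or malformed input yields
        /// "" and 0 instead of throwing, so one odd frame string cannot abort loading a whole capture.
        /// </summary>
        /// <param name="backtrace">Raw backtrace text, lines separated by '\n'; may be null.</param>
        /// <param name="callerModName">Module name before "::", or "" when unavailable.</param>
        /// <param name="returnAddress">Hex address after "::", or 0 when absent or unparsable.</param>
        private static void ParseCallerFrame(string backtrace, out string callerModName, out UInt32 returnAddress)
        {
            callerModName = "";
            returnAddress = 0;

            if (String.IsNullOrEmpty(backtrace))
            {
                return;
            }

            string firstLine = backtrace.Split(new char[] { '\n' }, 2)[0];
            string[] lineTokens = firstLine.Split(new string[] { "::" }, 2, StringSplitOptions.None);
            if (lineTokens.Length != 2)
            {
                return;
            }

            callerModName = lineTokens[0];

            // Trim so a trailing '\r' from CRLF line endings does not break the hex parse.
            string hex = lineTokens[1].Trim();
            if (hex.StartsWith("0x", StringComparison.OrdinalIgnoreCase))
            {
                hex = hex.Substring(2);
            }

            if (!UInt32.TryParse(hex, System.Globalization.NumberStyles.HexNumber,
                                 System.Globalization.CultureInfo.InvariantCulture, out returnAddress))
            {
                returnAddress = 0;
            }
        }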
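        /// <summary>
        /// Groups <paramref name="packets"/> into sessions keyed by resource id (first-seen order) and
        /// attaches each event to the session with the same resource id.
        /// </summary>
        /// <param name="packets">Packets to group; each goes into exactly one session.</param>
        /// <param name="events">Events to attach. Sorted in place, i.e. the caller's array is reordered. Events without a matching session are dropped.</param>
        /// <param name="progress">Receives "Identifying sessions" updates from 0 to 100.</param>
        /// <returns>Sessions in the order their resource id was first encountered.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="packets"/> or <paramref name="events"/> is null.</exception>
        public static IPSession[] ExtractAllFrom(IPPacket[] packets, TCPEvent[] events, IProgressFeedback progress)
        {
            if (packets == null)
            {
                throw new ArgumentNullException("packets");
            }
            if (events == null)
            {
                throw new ArgumentNullException("events");
            }

            //
            // Find sessions
            //
            progress.ProgressUpdate("Identifying sessions", 0);

            Dictionary<UInt32, IPSession> sessionById = new Dictionary<UInt32, IPSession>();
            // Enumeration order of a Dictionary is unspecified; first-seen order is kept here.
            List<UInt32> sessionIds = new List<UInt32>();

            int i = 0;
            foreach (IPPacket p in packets)
            {
                UInt32 id = p.ResourceId;

                IPSession session;
                if (!sessionById.TryGetValue(id, out session))
                {
                    session = new IPSession();
                    sessionById[id] = session;
                    sessionIds.Add(id);
                }

                session.AddPacket(p);
                i++;

                progress.ProgressUpdate("Identifying sessions",
                    (int) ((i / (float) packets.Length) * 100.0f));
            }

            //
            // Add the events to the appropriate sessions
            //

            // First off, sort them in place (ordering as defined by TCPEvent's comparer — presumably
            // timestamp; not visible from here)
            Array.Sort(events);

            // Then match them with the sessions
            foreach (TCPEvent ev in events)
            {
                IPSession session;
                if (sessionById.TryGetValue(ev.ResourceId, out session))
                {
                    session.AddEvent(ev);
                }
            }

            //
            // Build an ordered list of sessions
            //
            IPSession[] result = new IPSession[sessionIds.Count];
            for (int n = 0; n < result.Length; n++)
            {
                result[n] = sessionById[sessionIds[n]];
            }

            return result;
        }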