Exemplo n.º 1
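        /// <summary>
        /// Refreshes the cached thread context and rebuilds the cached call stack by
        /// following the saved-EBP chain in the debuggee's memory.
        /// </summary>
        /// <remarks>
        /// Every value read inside the loop comes from the debugged process and must be
        /// treated as untrusted: a corrupted or deliberately crafted frame chain can hold
        /// arbitrary 32-bit values. The walk stops when a read fails, when the saved frame
        /// pointer is zero, when the return address equals the frame pointer, or when
        /// <c>CallstackCache.CanCollect</c> becomes false.
        /// NOTE(review): a chain that loops back on itself is bounded only by
        /// <c>CanCollect</c>; confirm that it enforces a frame limit.
        /// </remarks>
        public void UpdateContext()
        {
            bool Result = NativeMethods.GetThreadContext(Handle, ref ContextCache);

            if (!Result)
            {
                // Context could not be read; keep whatever was cached before.
                return;
            }

            uint ebp = ContextCache.ebp;

            CallstackCache = new DebuggerCallstack();
            CallstackCache.AddFrame(new DebuggerStackFrame(
                AddressToIntPtr(ContextCache.eip),
                AddressToIntPtr(ebp),
                AddressToIntPtr(ContextCache.esp)));

            uint ReturnAddr = 0;

            do
            {
                // [ebp + 4] holds the return address; stop instead of wrapping around
                // the 32-bit address space when ebp is within 4 bytes of the top.
                if (ebp > uint.MaxValue - 4)
                {
                    break;
                }

                if (!OwningProcess.ReadMemory(AddressToIntPtr(ebp + 4), ref ReturnAddr))
                {
                    break;
                }
                // [ebp] holds the caller's saved frame pointer.
                if (!OwningProcess.ReadMemory(AddressToIntPtr(ebp), ref ebp))
                {
                    break;
                }

                if (ebp == 0 || ReturnAddr == ebp)
                {
                    break;
                }

                CallstackCache.AddFrame(new DebuggerStackFrame(AddressToIntPtr(ReturnAddr), AddressToIntPtr(ebp)));
            }while (CallstackCache.CanCollect);
        }

        /// <summary>
        /// Converts a 32-bit debuggee address to an <see cref="IntPtr"/> without throwing.
        /// </summary>
        /// <remarks>
        /// <c>new IntPtr(long)</c> throws <see cref="OverflowException"/> in a 32-bit process
        /// for values above <c>int.MaxValue</c>. Addresses read from the debuggee can be any
        /// 32-bit value, so the bit pattern is reinterpreted instead of range-checked.
        /// </remarks>
        private static IntPtr AddressToIntPtr(long address)
        {
            return IntPtr.Size == 4
                ? new IntPtr(unchecked((int)address))
                : new IntPtr(address);
        }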
        /// <summary>
        /// Re-reads the thread context and rebuilds the cached call stack from the
        /// EBP frame chain stored in the debuggee's memory.
        /// </summary>
        /// <remarks>
        /// The frame chain is read from the debugged process, so its contents are untrusted.
        /// The walk is best effort: any failed read, a zero frame pointer, a return address
        /// equal to the frame pointer, or any exception ends it with the frames collected so far.
        /// </remarks>
        public void UpdateContext()
        {
            if (!NativeMethods.GetThreadContext(Handle, ref ContextCache))
            {
                return;
            }

            uint framePointer = ContextCache.ebp;

            CallstackCache = new DebuggerCallstack();
            CallstackCache.AddFrame(new DebuggerStackFrame(ContextCache));

            // Follow saved frame pointers to recover each caller's return address.
            // Only valid for code that keeps a conventional EBP frame.
            uint returnAddress = 0;

            while (true)
            {
                try
                {
                    // [ebp + 4] is the return address, [ebp] the caller's frame pointer;
                    // the second read runs only if the first succeeded.
                    bool readOk = OwningProcess.ReadMemory(new IntPtr(framePointer + 4), ref returnAddress)
                               && OwningProcess.ReadMemory(new IntPtr(framePointer), ref framePointer);

                    if (!readOk || framePointer == 0 || returnAddress == framePointer)
                    {
                        break;
                    }

                    CallstackCache.AddFrame(new DebuggerStackFrame(returnAddress, framePointer));
                }
                catch
                {
                    // Deliberately broad: a bad address taken from the debuggee ends the walk.
                    break;
                }

                if (!CallstackCache.CanCollect)
                {
                    break;
                }
            }
        }
Exemplo n.º 3
        /// <summary>
        /// Polls the system's IP sessions about once per second and synchronises the
        /// process tree (treeView1) and the session list (listView1) with the result,
        /// until cancellation is requested on <c>cts</c>.
        /// </summary>
        /// <remarks>
        /// List columns, as built when a row is added: 0 process label "name (pid)",
        /// 1 local address, 2 local port, 3 remote address, 4 remote port, 5 protocol,
        /// 6 state, 7 bytes received, 8 bytes sent.
        /// NOTE(review): the try/catch wraps the whole while loop, so any exception
        /// (for example from icon extraction or from parsing the selected node text)
        /// is logged and then ends the refresh permanently, leaving BeginUpdate()
        /// without a matching EndUpdate().
        /// </remarks>
        async void UpdateIPSessions()
        {
            try
            {
                while (!cts.IsCancellationRequested)
                {
                    Kernel32.GetDeviceNameMap();
                    listView1.BeginUpdate();
                    sessions = Iphlpapi.GetIPSessions();
                    IPAddress ipAddress;
                    // add/update items
                    foreach (Iphlpapi.IPSession session in sessions)
                    {
                        // get process info
                        // The image path is queried fresh for every session; the icon index is cached per PID.
                        string filePath = Psapi.GetProcessFileName(session.OwningPid);
                        int imageIndex = 0;
                        // NOTE(review): the cache is keyed by PID only. PIDs can be reused by the OS, so a
                        // new process may be shown with the previous owner's icon until the entry is evicted.
                        if (processList.ContainsKey(session.OwningPid))
                        {
                            imageIndex = processList[session.OwningPid].ImageListIndex;
                        }
                        // Another PID with the same image path already has an icon: share that entry.
                        else if (processList.Where(i => i.Value.Path == filePath).Count() > 0)
                        {
                            OwningProcess owningProcess = processList.Where(i => i.Value.Path == filePath).First().Value;
                            processList.TryAdd(session.OwningPid, owningProcess);
                            imageIndex = owningProcess.ImageListIndex;
                        }
                        else
                        {
                            System.Drawing.Icon icon = null;
                            // NOTE(review): ExtractAssociatedIcon throws if the file cannot be found or the
                            // path is not accepted; that exception would reach the outer catch and stop the loop.
                            if (filePath != "")
                                icon = System.Drawing.Icon.ExtractAssociatedIcon(filePath);
                            if (icon != null)
                            {
                                imageList1.Images.Add(icon);
                                imageIndex = imageList1.Images.Count - 1;
                                OwningProcess owningProcess = new OwningProcess();
                                owningProcess.Path = filePath;
                                owningProcess.ImageListIndex = imageIndex;
                                processList.TryAdd(session.OwningPid, owningProcess);
                            }
                        }
                        // add process in TV
                        // Node key and text are both "fileName (pid)". The file name is chosen by whoever
                        // started the process, so it is a display label, not a trustworthy identity.
                        if (!treeView1.Nodes[0].Nodes.ContainsKey(Path.GetFileName(filePath) + " (" + session.OwningPid + ")"))
                            treeView1.Nodes[0].Nodes.Add(Path.GetFileName(filePath) + " (" + session.OwningPid + ")",
                                Path.GetFileName(filePath) + " (" + session.OwningPid + ")", imageIndex, imageIndex).Parent.Expand();
                        
                        // filter
                        // comboBox1 index 1 skips IPv4 sessions, index 0 skips IPv6 sessions.
                        if (session.SocketID.LocalEP.AddressFamily == System.Net.Sockets.AddressFamily.InterNetwork && comboBox1.SelectedIndex == 1 ||
                            session.SocketID.LocalEP.AddressFamily == System.Net.Sockets.AddressFamily.InterNetworkV6 && comboBox1.SelectedIndex == 0)
                            continue;
                        // A selected child node restricts the list to that PID. The PID is parsed back out
                        // of the trailing "(digits)" of the node text; if the text does not end that way,
                        // Regex.Replace returns it unchanged and uint.Parse throws.
                        if (treeView1.SelectedNode != null &&
                            treeView1.SelectedNode.Parent != null)
                            if (session.OwningPid != uint.Parse(Regex.Replace(treeView1.SelectedNode.Text, @"^.*\((\d+)\)$", "$1")))
                                continue;
                        // filterProtocol index 0 keeps only TCP, index 1 keeps only UDP.
                        if (filterProtocol.SelectedIndex == 0 && session.SocketID.Protocol != IP.ProtocolFamily.TCP ||
                            filterProtocol.SelectedIndex == 1 && session.SocketID.Protocol != IP.ProtocolFamily.UDP)
                            continue;

                        // update existing items
                        bool found = false;
                        foreach (ListViewItem item in listView1.Items)
                        {
                            // find item
                            // Rows are matched to sessions through the SocketID stored in item.Tag.
                            if (session.SocketID.Equals(item.Tag))
                            {
                                found = true;
                                item.SubItems[6].Text = session.State;
                                IPEndPoint remoteEP;
                                // resolve IP
                                // With resolution enabled the remote-address column shows the cached name
                                // instead of the address. NOTE(review): if these names come from reverse DNS
                                // they are controlled by the remote side and should be read as a hint only.
                                if (resolveIP.Checked)
                                {
                                    if (((IP.SocketID)item.Tag).Protocol == IP.ProtocolFamily.UDP)
                                    {
                                        // UDP has no remote endpoint in the session itself; use the detector's table.
                                        if ((remoteEP = UdpDetector.Table.GetRemoteEP(((IP.SocketID)item.Tag).LocalEP)) != null)
                                            if (!DnsRescords.ContainsKey(remoteEP.Address))
                                                ResolveIP(remoteEP.Address);
                                            else if (DnsRescords[remoteEP.Address] != "")
                                                item.SubItems[3].Text = DnsRescords[remoteEP.Address];
                                    }
                                    else if (((IP.SocketID)item.Tag).Protocol == IP.ProtocolFamily.TCP)
                                    {
                                        if (!DnsRescords.ContainsKey(((IP.SocketID)item.Tag).RemoteEP.Address))
                                            ResolveIP(((IP.SocketID)item.Tag).RemoteEP.Address);
                                        else if (DnsRescords[((IP.SocketID)item.Tag).RemoteEP.Address] != "")
                                            item.SubItems[3].Text = DnsRescords[((IP.SocketID)item.Tag).RemoteEP.Address];
                                    }
                                }
                                else
                                {
                                    // Resolution is off: if the column holds something that is not an IP
                                    // address (a previously resolved name), restore the raw address.
                                    if (!IPAddress.TryParse(item.SubItems[3].Text, out ipAddress))
                                        item.SubItems[3].Text = ((IP.SocketID)item.Tag).RemoteEP.Address.ToString();
                                }
                                // update remote UDP EP
                                // Fill in a still-unknown UDP remote endpoint once the detector has one.
                                if (((IP.SocketID)item.Tag).Protocol == IP.ProtocolFamily.UDP &&
                                    (item.SubItems[3].Text == "0.0.0.0" || item.SubItems[3].Text == "::" ||
                                    item.SubItems[4].Text == "0") &&
                                    (remoteEP = UdpDetector.Table.GetRemoteEP(((IP.SocketID)item.Tag).LocalEP)) != null)
                                {
                                    item.SubItems[3].Text = remoteEP.Address.ToString();
                                    item.SubItems[4].Text = remoteEP.Port.ToString();
                                }
                                // update bytes
                                if (getBytes.Checked == true)
                                {
                                    ByteCounter.ByteTable.Bytes bytes = ByteCounter.Table.GetBytes((IP.SocketID)item.Tag);
                                    if (bytes.Received > 0 || bytes.Sent > 0)
                                    {
                                        item.SubItems[7].Text = Unit.AutoScale(bytes.Received, "B");
                                        item.SubItems[8].Text = Unit.AutoScale(bytes.Sent, "B");
                                    }
                                    else
                                    {
                                        item.SubItems[7].Text = "";
                                        item.SubItems[8].Text = "";
                                    }
                                }
                            }
                        }

                        // No existing row for this socket: add one, tagged with its SocketID.
                        if (!found)
                            listView1.Items.Add(new ListViewItem(new string[] { 
                                Path.GetFileName(filePath) + " (" + session.OwningPid + ")",
                                session.SocketID.LocalEP.Address.ToString(),
                                session.SocketID.LocalEP.Port.ToString(),
                                session.SocketID.RemoteEP.Address.ToString(),
                                session.SocketID.RemoteEP.Port.ToString(),
                                session.SocketID.Protocol.ToString(),
                                session.State,
                                "", "" }, imageIndex)).Tag = session.SocketID;
                            
                    }
                    // delete items
                    // Remove rows whose session is gone or that no longer pass the address-family,
                    // protocol or selected-process filters. The address family is inferred from a
                    // ':' in the local-address text.
                    foreach (ListViewItem item in listView1.Items)
                    {
                        if (!sessions.Any((i) => i.SocketID.Equals(item.Tag)) ||
                            item.SubItems[1].Text.Contains(':') && comboBox1.SelectedIndex == 0 ||
                            !item.SubItems[1].Text.Contains(':') && comboBox1.SelectedIndex == 1 ||
                            filterProtocol.SelectedIndex == 0 && item.SubItems[5].Text != "TCP" ||
                            filterProtocol.SelectedIndex == 1 && item.SubItems[5].Text != "UDP")
                        {
                            item.Remove();
                        }
                        else if (treeView1.SelectedNode != null &&
                            treeView1.SelectedNode.Parent != null)
                            if (item.SubItems[0].Text != treeView1.SelectedNode.Text)
                                item.Remove();
                    }
                        
                    // Evict cached processes (and their tree nodes) that no longer own any session.
                    foreach (KeyValuePair<uint, OwningProcess> process in processList)
                        if (sessions.Find(i => i.OwningPid == process.Key) == null)
                        {
                            treeView1.Nodes[0].Nodes.RemoveByKey(Path.GetFileName(process.Value.Path) + " (" + process.Key + ")");
                            OwningProcess value;
                            processList.TryRemove(process.Key, out value);
                        }
                            
                    // A width of -2 asks the ListView to auto-size the column.
                    foreach (ColumnHeader column in listView1.Columns)
                        column.Width = -2;
                    listView1.Sort();
                    listView1.EndUpdate();
                    //Unit.Compare("10.5 KB", "10.5 B");
                    // Wait one second before the next poll.
                    await TaskEx.Delay(1000);
                }
            }
            // async void: nothing can observe a failure, so everything is caught and logged here.
            catch (Exception e) { Global.WriteLog(e.ToString()); }
        }
Exemplo n.º 4
        /// <summary>
        /// Polls the system's IP sessions about once per second and synchronises the
        /// process tree (treeView1) and the session list (listView1) with the result,
        /// until cancellation is requested on <c>cts</c>.
        /// </summary>
        /// <remarks>
        /// List columns, as built when a row is added: 0 process label "name (pid)",
        /// 1 local address, 2 local port, 3 remote address, 4 remote port, 5 protocol,
        /// 6 state, 7 bytes received, 8 bytes sent.
        /// NOTE(review): the try/catch wraps the whole while loop, so any exception
        /// (for example from icon extraction or from parsing the selected node text)
        /// is logged and then ends the refresh permanently, leaving BeginUpdate()
        /// without a matching EndUpdate().
        /// </remarks>
        async void UpdateIPSessions()
        {
            try
            {
                while (!cts.IsCancellationRequested)
                {
                    Kernel32.GetDeviceNameMap();
                    listView1.BeginUpdate();
                    sessions = Iphlpapi.GetIPSessions();
                    IPAddress ipAddress;
                    // add/update items
                    foreach (Iphlpapi.IPSession session in sessions)
                    {
                        // get process info
                        string filePath   = "";
                        int    imageIndex = 0;
                        // NOTE(review): both the icon and the path come from a cache keyed by PID only.
                        // PIDs can be reused by the OS, so a new process may be shown under the previous
                        // owner's name and icon until the entry is evicted.
                        if (processList.ContainsKey(session.OwningPid))
                        {
                            imageIndex = processList[session.OwningPid].ImageListIndex;
                            filePath   = processList[session.OwningPid].Path;
                        }
                        // NOTE(review): filePath is still "" when this condition is evaluated, so it only
                        // matches cache entries with an empty path; entries are added below only for a
                        // non-empty path, so this branch looks unreachable in practice.
                        else if (processList.Where(i => i.Value.Path == filePath).Count() > 0)
                        {
                            OwningProcess owningProcess = processList.Where(i => i.Value.Path == filePath).First().Value;
                            processList.TryAdd(session.OwningPid, owningProcess);
                            imageIndex = owningProcess.ImageListIndex;
                            filePath   = owningProcess.Path;
                        }
                        else
                        {
                            System.Drawing.Icon icon = null;
                            filePath = Psapi.GetProcessFileName(session.OwningPid);
                            // NOTE(review): ExtractAssociatedIcon throws if the file cannot be found or the
                            // path is not accepted; that exception would reach the outer catch and stop the loop.
                            if (filePath != "")
                            {
                                icon = System.Drawing.Icon.ExtractAssociatedIcon(filePath);
                            }
                            if (icon != null)
                            {
                                imageList1.Images.Add(icon);
                                imageIndex = imageList1.Images.Count - 1;
                                OwningProcess owningProcess = new OwningProcess();
                                owningProcess.Path           = filePath;
                                owningProcess.ImageListIndex = imageIndex;
                                processList.TryAdd(session.OwningPid, owningProcess);
                            }
                        }
                        // add process in TV
                        // Node key and text are both "fileName (pid)". The file name is chosen by whoever
                        // started the process, so it is a display label, not a trustworthy identity.
                        if (!treeView1.Nodes[0].Nodes.ContainsKey(Path.GetFileName(filePath) + " (" + session.OwningPid + ")"))
                        {
                            treeView1.Nodes[0].Nodes.Add(Path.GetFileName(filePath) + " (" + session.OwningPid + ")",
                                                         Path.GetFileName(filePath) + " (" + session.OwningPid + ")", imageIndex, imageIndex).Parent.Expand();
                        }

                        // filter
                        // comboBox1 index 1 skips IPv4 sessions, index 0 skips IPv6 sessions.
                        if (session.SocketID.LocalEP.AddressFamily == System.Net.Sockets.AddressFamily.InterNetwork && comboBox1.SelectedIndex == 1 ||
                            session.SocketID.LocalEP.AddressFamily == System.Net.Sockets.AddressFamily.InterNetworkV6 && comboBox1.SelectedIndex == 0)
                        {
                            continue;
                        }
                        // A selected child node restricts the list to that PID. The PID is parsed back out
                        // of the trailing "(digits)" of the node text; if the text does not end that way,
                        // Regex.Replace returns it unchanged and uint.Parse throws.
                        if (treeView1.SelectedNode != null &&
                            treeView1.SelectedNode.Parent != null)
                        {
                            if (session.OwningPid != uint.Parse(Regex.Replace(treeView1.SelectedNode.Text, @"^.*\((\d+)\)$", "$1")))
                            {
                                continue;
                            }
                        }
                        // filterProtocol index 0 keeps only TCP, index 1 keeps only UDP.
                        if (filterProtocol.SelectedIndex == 0 && session.SocketID.Protocol != IP.ProtocolFamily.TCP ||
                            filterProtocol.SelectedIndex == 1 && session.SocketID.Protocol != IP.ProtocolFamily.UDP)
                        {
                            continue;
                        }

                        // update existing items
                        bool found = false;
                        foreach (ListViewItem item in listView1.Items)
                        {
                            // find item
                            // Rows are matched to sessions through the SocketID stored in item.Tag.
                            if (session.SocketID.Equals(item.Tag))
                            {
                                found = true;
                                item.SubItems[6].Text = session.State;
                                IPEndPoint remoteEP;
                                // resolve IP
                                // With resolution enabled the remote-address column shows the cached name
                                // instead of the address. NOTE(review): if these names come from reverse DNS
                                // they are controlled by the remote side and should be read as a hint only.
                                if (resolveIP.Checked)
                                {
                                    if (((IP.SocketID)item.Tag).Protocol == IP.ProtocolFamily.UDP)
                                    {
                                        // UDP has no remote endpoint in the session itself; use the detector's table.
                                        if ((remoteEP = UdpDetector.Table.GetRemoteEP(((IP.SocketID)item.Tag).LocalEP)) != null)
                                        {
                                            if (!DnsRescords.ContainsKey(remoteEP.Address))
                                            {
                                                ResolveIP(remoteEP.Address);
                                            }
                                            else if (DnsRescords[remoteEP.Address] != "")
                                            {
                                                item.SubItems[3].Text = DnsRescords[remoteEP.Address];
                                            }
                                        }
                                    }
                                    else if (((IP.SocketID)item.Tag).Protocol == IP.ProtocolFamily.TCP)
                                    {
                                        if (!DnsRescords.ContainsKey(((IP.SocketID)item.Tag).RemoteEP.Address))
                                        {
                                            ResolveIP(((IP.SocketID)item.Tag).RemoteEP.Address);
                                        }
                                        else if (DnsRescords[((IP.SocketID)item.Tag).RemoteEP.Address] != "")
                                        {
                                            item.SubItems[3].Text = DnsRescords[((IP.SocketID)item.Tag).RemoteEP.Address];
                                        }
                                    }
                                }
                                else
                                {
                                    // Resolution is off: if the column holds something that is not an IP
                                    // address (a previously resolved name), restore the raw address.
                                    if (!IPAddress.TryParse(item.SubItems[3].Text, out ipAddress))
                                    {
                                        item.SubItems[3].Text = ((IP.SocketID)item.Tag).RemoteEP.Address.ToString();
                                    }
                                }
                                // update remote UDP EP
                                // Fill in a still-unknown UDP remote endpoint once the detector has one.
                                if (((IP.SocketID)item.Tag).Protocol == IP.ProtocolFamily.UDP &&
                                    (item.SubItems[3].Text == "0.0.0.0" || item.SubItems[3].Text == "::" ||
                                     item.SubItems[4].Text == "0") &&
                                    (remoteEP = UdpDetector.Table.GetRemoteEP(((IP.SocketID)item.Tag).LocalEP)) != null)
                                {
                                    item.SubItems[3].Text = remoteEP.Address.ToString();
                                    item.SubItems[4].Text = remoteEP.Port.ToString();
                                }
                                // update bytes
                                if (getBytes.Checked == true)
                                {
                                    ByteCounter.ByteTable.Bytes bytes = ByteCounter.Table.GetBytes((IP.SocketID)item.Tag);
                                    if (bytes.Received > 0 || bytes.Sent > 0)
                                    {
                                        item.SubItems[7].Text = Unit.AutoScale(bytes.Received, "B");
                                        item.SubItems[8].Text = Unit.AutoScale(bytes.Sent, "B");
                                    }
                                    else
                                    {
                                        item.SubItems[7].Text = "";
                                        item.SubItems[8].Text = "";
                                    }
                                }
                            }
                        }

                        // No existing row for this socket: add one, tagged with its SocketID.
                        if (!found)
                        {
                            listView1.Items.Add(new ListViewItem(new string[] {
                                Path.GetFileName(filePath) + " (" + session.OwningPid + ")",
                                session.SocketID.LocalEP.Address.ToString(),
                                session.SocketID.LocalEP.Port.ToString(),
                                session.SocketID.RemoteEP.Address.ToString(),
                                session.SocketID.RemoteEP.Port.ToString(),
                                session.SocketID.Protocol.ToString(),
                                session.State,
                                "", ""
                            }, imageIndex)).Tag = session.SocketID;
                        }
                    }
                    // delete items
                    // Remove rows whose session is gone or that no longer pass the address-family,
                    // protocol or selected-process filters. The address family is inferred from a
                    // ':' in the local-address text.
                    foreach (ListViewItem item in listView1.Items)
                    {
                        if (!sessions.Any((i) => i.SocketID.Equals(item.Tag)) ||
                            item.SubItems[1].Text.Contains(':') && comboBox1.SelectedIndex == 0 ||
                            !item.SubItems[1].Text.Contains(':') && comboBox1.SelectedIndex == 1 ||
                            filterProtocol.SelectedIndex == 0 && item.SubItems[5].Text != "TCP" ||
                            filterProtocol.SelectedIndex == 1 && item.SubItems[5].Text != "UDP")
                        {
                            item.Remove();
                        }
                        else if (treeView1.SelectedNode != null &&
                                 treeView1.SelectedNode.Parent != null)
                        {
                            if (item.SubItems[0].Text != treeView1.SelectedNode.Text)
                            {
                                item.Remove();
                            }
                        }
                    }

                    // Evict cached processes (and their tree nodes) that no longer own any session.
                    foreach (KeyValuePair <uint, OwningProcess> process in processList)
                    {
                        if (sessions.Find(i => i.OwningPid == process.Key) == null)
                        {
                            treeView1.Nodes[0].Nodes.RemoveByKey(Path.GetFileName(process.Value.Path) + " (" + process.Key + ")");
                            OwningProcess value;
                            processList.TryRemove(process.Key, out value);
                        }
                    }

                    // A width of -2 asks the ListView to auto-size the column.
                    foreach (ColumnHeader column in listView1.Columns)
                    {
                        column.Width = -2;
                    }
                    listView1.Sort();
                    listView1.EndUpdate();
                    //Unit.Compare("10.5 KB", "10.5 B");
                    // Wait one second before the next poll.
                    await TaskEx.Delay(1000);
                }
            }
            // async void: nothing can observe a failure, so everything is caught and logged here.
            catch (Exception e) { Global.WriteLog(e.ToString()); }
        }