private void ThreadProvider_Disposed(IProvider provider)
{
if (_symbols != null)
{
_symbols.Dispose();
}
if (_processHandle != null)
{
_processHandle.Dispose();
}
_symbols = null;
lock (_moduleLoadCompletedEvent)
_moduleLoadCompletedEvent.Close();
foreach (int tid in this.Dictionary.Keys)
{
ThreadItem item = this.Dictionary[tid];
if (item.ThreadQueryLimitedHandle != null)
{
item.ThreadQueryLimitedHandle.Dispose();
}
}
}
private unsafe KVars GetKVars()
{
SymbolProvider symbols = new SymbolProvider();
symbols.LoadModule(Windows.KernelFileName, Windows.KernelBase);
KVars vars = new KVars();
vars.NonPagedPoolStartAddress = symbols.GetSymbolFromName("MmNonPagedPoolStart").Address.ToIntPtr();
vars.NonPagedPoolSizeAddress = symbols.GetSymbolFromName("MmMaximumNonPagedPoolInBytes").Address.ToIntPtr();
vars.PsProcessTypeAddress = symbols.GetSymbolFromName("PsProcessType").Address.ToIntPtr();
vars.PsThreadTypeAddress = symbols.GetSymbolFromName("PsThreadType").Address.ToIntPtr();
int bytesRead;
KProcessHacker.Instance.KphReadVirtualMemoryUnsafe(
ProcessHandle.Current,
vars.NonPagedPoolStartAddress.ToInt32(),
&vars.NonPagedPoolStart,
IntPtr.Size,
out bytesRead
);
KProcessHacker.Instance.KphReadVirtualMemoryUnsafe(
ProcessHandle.Current,
vars.NonPagedPoolSizeAddress.ToInt32(),
&vars.NonPagedPoolSize,
sizeof(uint),
out bytesRead
);
KProcessHacker.Instance.KphReadVirtualMemoryUnsafe(
ProcessHandle.Current,
vars.PsProcessTypeAddress.ToInt32(),
&vars.PsProcessType,
IntPtr.Size,
out bytesRead
);
KProcessHacker.Instance.KphReadVirtualMemoryUnsafe(
ProcessHandle.Current,
vars.PsThreadTypeAddress.ToInt32(),
&vars.PsThreadType,
IntPtr.Size,
out bytesRead
);
symbols.Dispose();
return(vars);
}
private void buttonSnapshot_Click(object sender, EventArgs e)
{
try
{
using (var phandle = new ProcessHandle(_pid, ProcessAccess.QueryInformation | ProcessAccess.VmRead))
{
_currentHtCollection = phandle.GetHandleTraces();
if (_symbols != null)
{
_symbols.Dispose();
}
SymbolProvider.Options |= SymbolOptions.DeferredLoads;
_symbols = new SymbolProvider(phandle);
WorkQueue.GlobalQueueWorkItem(new Action(() =>
{
var symbols = _symbols;
_symbols.PreloadModules = true;
try
{
foreach (var module in phandle.GetModules())
{
try
{
symbols.LoadModule(module.FileName, module.BaseAddress);
}
catch
{ }
}
}
catch
{ }
try
{
foreach (var module in Windows.GetKernelModules())
{
try
{
symbols.LoadModule(module.FileName, module.BaseAddress);
}
catch
{ }
}
}
catch
{ }
}));
}
this.PopulateHandleTraceList();
}
catch (Exception ex)
{
this.ShowException("Error getting the handle trace snapshot", ex);
}
}
public MainWindow()
{
InitializeComponent();
Win32.LoadLibrary("C:\\Program Files\\Debugging Tools for Windows (x86)\\dbghelp.dll");
SymbolProvider symbols = new SymbolProvider(ProcessHandle.Current);
SymbolProvider.Options |= SymbolOptions.PublicsOnly;
IntPtr ntdllBase = Loader.GetDllHandle("ntdll.dll");
FileHandle ntdllFileHandle = null;
Section section = null;
ProcessHandle.Current.EnumModules((module) =>
{
if (module.BaseName.Equals("ntdll.dll", StringComparison.InvariantCultureIgnoreCase))
{
section = new Section(
ntdllFileHandle = new FileHandle(@"\??\" + module.FileName,
FileShareMode.ReadWrite,
FileAccess.GenericExecute | FileAccess.GenericRead
),
true,
MemoryProtection.ExecuteRead
);
symbols.LoadModule(module.FileName, module.BaseAddress, module.Size);
return(false);
}
return(true);
});
SectionView view = section.MapView((int)ntdllFileHandle.GetSize());
ntdllFileHandle.Dispose();
symbols.EnumSymbols("ntdll!Zw*", (symbol) =>
{
int number = Marshal.ReadInt32(
(symbol.Address.ToIntPtr().Decrement(ntdllBase)).Increment(view.Memory).Increment(1));
_sysCallNames.Add(
number,
"Nt" + symbol.Name.Substring(2)
);
_reverseSysCallNames.Add(
"Nt" + symbol.Name.Substring(2),
number
);
return(true);
});
view.Dispose();
section.Dispose();
symbols.Dispose();
KProcessHacker.Instance = new KProcessHacker();
_logger = new SsLogger(4096, false);
_logger.EventBlockReceived += new EventBlockReceivedDelegate(logger_EventBlockReceived);
_logger.ArgumentBlockReceived += new ArgumentBlockReceivedDelegate(logger_ArgumentBlockReceived);
_logger.AddProcessIdRule(FilterType.Exclude, ProcessHandle.GetCurrentId());
_logger.AddPreviousModeRule(FilterType.Include, KProcessorMode.UserMode);
//_logger.Start();
listEvents.SetDoubleBuffered(true);
}
