/// <summary>
/// Attaches ETW tracing to an already running process and blocks until that process exits
/// (or until <c>stopEvent</c> is signalled by another path).
/// </summary>
/// <param name="pid">Identifier of the process to trace.</param>
/// <param name="traceChildProcesses">Passed to <c>InitializeProcessHandlers</c>; whether processes spawned by <paramref name="pid"/> are traced too.</param>
/// <param name="collectDriverStats">Passed to <c>InitializeSystemHandlers</c>; whether driver statistics are gathered from the kernel session.</param>
public void TraceRunningProcess(int pid, bool traceChildProcesses, bool collectDriverStats)
{
    // Only SYNCHRONIZE is requested: that is the minimum right needed to wait on the
    // process handle, so no read/write/inject access to the target is held while tracing.
    using (var hProcess = Kernel32.OpenProcess(Kernel32.ACCESS_MASK.StandardRight.SYNCHRONIZE, false, pid))
    {
        if (hProcess.IsInvalid)
        {
            // Either the PID does not exist or the caller lacks the right to open it;
            // the underlying Win32 error code is not surfaced here.
            Console.Error.WriteLine("ERROR: the process with a given PID was not found or you don't have access to it.");
            return;
        }
        // Two sessions: the kernel provider session (a well-known, system-wide session name;
        // presumably only one instance may exist at a time) and the tool's own user session.
        using (TraceCollector kernelTraceCollector = new TraceCollector(KernelTraceEventParser.KernelSessionName),
               customTraceCollector = new TraceCollector(WinTraceUserTraceSessionName))
        {
            InitializeSystemHandlers(kernelTraceCollector, collectDriverStats);
            InitializeProcessHandlers(kernelTraceCollector, customTraceCollector, pid, traceChildProcesses);
            // Wait for the traced process to exit on a pool thread, then tear down both
            // sessions and release the blocking WaitOne at the end of this method.
            ThreadPool.QueueUserWorkItem((o) =>
            {
                Kernel32.WaitForSingleObject(hProcess, Constants.INFINITE);
                StopCollectors(kernelTraceCollector, customTraceCollector);
                stopEvent.Set();
            });
            // External stop path (e.g. a console break handler) stopping the same two
            // collectors. NOTE(review): this delegate does not set stopEvent; confirm the
            // caller of stopTraceCollectors also signals it, otherwise WaitOne below only
            // returns once the traced process exits.
            stopTraceCollectors = () =>
            {
                StopCollectors(kernelTraceCollector, customTraceCollector);
            };
            // Each Start() is queued on its own pool thread — presumably it blocks for the
            // lifetime of the session; confirm against TraceCollector.
            ThreadPool.QueueUserWorkItem((o) => { kernelTraceCollector.Start(); });
            ThreadPool.QueueUserWorkItem((o) => { customTraceCollector.Start(); });
            // NOTE(review): hProcess is disposed when the outer using ends. If stopEvent is
            // signalled by another path before the process exits, the wait worker above may
            // still be blocked on a handle that is then closed — confirm.
            stopEvent.WaitOne();
        }
    }
}
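/// <summary>
/// Traces only the kernel (system-wide) providers with no process filter and blocks
/// until <c>stopEvent</c> is signalled. Driver statistics are collected, matching the
/// original behaviour of this method.
/// </summary>
public void TraceSystemOnly()
{
    TraceSystemOnly(true);
}

/// <summary>
/// Traces only the kernel (system-wide) providers with no process filter and blocks
/// until <c>stopEvent</c> is signalled.
/// </summary>
/// <param name="collectDriverStats">Passed to <c>InitializeSystemHandlers</c>; whether driver
/// statistics are gathered from the kernel session (the parameterless overload passes <c>true</c>).</param>
public void TraceSystemOnly(bool collectDriverStats)
{
    using (TraceCollector kernelTraceCollector = new TraceCollector(KernelTraceEventParser.KernelSessionName))
    {
        InitializeSystemHandlers(kernelTraceCollector, collectDriverStats);
        // External stop path (e.g. a console break handler). Unlike the per-process trace
        // methods there is no process-exit worker here, so this delegate is the only way the
        // session is stopped. NOTE(review): it does not set stopEvent; confirm the caller
        // of stopTraceCollectors signals it, otherwise WaitOne below never returns.
        stopTraceCollectors = () => { StopCollector(kernelTraceCollector); };
        // Start() runs on its own pool thread — presumably it blocks for the lifetime of
        // the session; confirm against TraceCollector.
        ThreadPool.QueueUserWorkItem((o) => { kernelTraceCollector.Start(); });
        stopEvent.WaitOne();
    }
}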
/// <summary>
/// Launches a new process from <paramref name="procargs"/> in a suspended state, wires up
/// tracing before the process runs any of its own code, resumes it and blocks until it exits
/// (or until <c>stopEvent</c> is signalled by another path).
/// </summary>
/// <param name="procargs">Command line of the process to launch (executable followed by its arguments — confirm against ProcessCreator).</param>
/// <param name="spawnNewConsoleWindow">Forwarded to <c>ProcessCreator.SpawnNewConsoleWindow</c>.</param>
/// <param name="traceChildProcesses">Passed to <c>InitializeProcessHandlers</c>; whether processes spawned by the new process are traced too.</param>
/// <param name="collectDriverStats">Passed to <c>InitializeSystemHandlers</c>; whether driver statistics are gathered from the kernel session.</param>
public void TraceNewProcess(IEnumerable<string> procargs, bool spawnNewConsoleWindow, bool traceChildProcesses, bool collectDriverStats)
{
    using (var process = new ProcessCreator(procargs) { SpawnNewConsoleWindow = spawnNewConsoleWindow })
    {
        // Created suspended so that the handlers below are registered before the target
        // executes anything — its earliest activity is then visible to the trace.
        process.StartSuspended();
        // Two sessions: the kernel provider session (a well-known, system-wide session name;
        // presumably only one instance may exist at a time) and the tool's own user session.
        using (TraceCollector kernelTraceCollector = new TraceCollector(KernelTraceEventParser.KernelSessionName),
               customTraceCollector = new TraceCollector(WinTraceUserTraceSessionName))
        {
            InitializeSystemHandlers(kernelTraceCollector, collectDriverStats);
            InitializeProcessHandlers(kernelTraceCollector, customTraceCollector, process.ProcessId, traceChildProcesses);
            // Wait for the new process to finish on a pool thread (Join presumably blocks
            // until exit), then tear down both sessions and release the WaitOne below.
            ThreadPool.QueueUserWorkItem((o) =>
            {
                process.Join();
                StopCollectors(kernelTraceCollector, customTraceCollector);
                stopEvent.Set();
            });
            // External stop path (e.g. a console break handler) stopping the same two
            // collectors. NOTE(review): this delegate does not set stopEvent; confirm the
            // caller of stopTraceCollectors also signals it.
            stopTraceCollectors = () =>
            {
                StopCollectors(kernelTraceCollector, customTraceCollector);
            };
            // Each Start() is queued on its own pool thread — presumably it blocks for the
            // lifetime of the session; confirm against TraceCollector.
            ThreadPool.QueueUserWorkItem((o) => { kernelTraceCollector.Start(); });
            ThreadPool.QueueUserWorkItem((o) => { customTraceCollector.Start(); });
            // Fixed grace period before resuming, presumably so the sessions are up before the
            // target starts emitting events. NOTE(review): a one-second sleep is a timing
            // assumption, not a readiness signal — on a loaded machine the process may resume
            // before the sessions are active and its first events would be missed. A
            // "started" signal from TraceCollector would make this deterministic.
            Thread.Sleep(1000);
            // resume thread
            process.Resume();
            stopEvent.WaitOne();
        }
    }
}