#include "stdafx.h"
#include "..\sys\strace.h"
#include "StraceGui.h"
#include "StraceGuiDoc.h"
#include "ListCtrlEx.h"
#include "ListVwEx.h"
#include "ProcFilterDlg.h"
#include "StraceGuiView.h"
#include "MainFrm.h"
#include "FilterDlg.h"
#ifdef _DEBUG
#define new DEBUG_NEW
#undef THIS_FILE
static char THIS_FILE[] = __FILE__;
#endif
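// Number of report columns: 9 fixed columns followed by one "ParaNN" column
// per traced parameter. Parenthesized so the macro is safe inside larger
// expressions (the constructor uses NUM_COLUMNS-MaxParaNumbers).
#define NUM_COLUMNS (9+MaxParaNumbers)
// Index of the "Function" column in gStraceColumnLabel.
#define SERVICENAME_COLUMN 5
// PSAPI.DLL module handle: loaded by the view constructor, released by the
// destructor, and used by OnSpyingStart to resolve EnumProcesses.
HINSTANCE hPSAPI;
// Filter block handed to the driver by IOCTL_STRACE_STARTSPY; its fields are
// initialized in the view constructor and StracePID is set at start time.
STRACE_FILTER strace_filter;
// Column captions. Only the 9 fixed captions are listed; the ParaNN captions
// are written at runtime by the constructor with sprintf, so this file assumes
// a non-UNICODE build in which _TCHAR is char.
_TCHAR gStraceColumnLabel[NUM_COLUMNS][20] =
{
    _T("#"), _T("PID"), _T("TID"), _T("Process Name"), _T("Service ID"), _T("Function"),
    _T("ParaBase"), _T("ParaNum"), _T("Time")
};
// Column alignment, parallel to gStraceColumnLabel. The "Time" entry is now
// listed explicitly; it was previously left to zero-initialization, which
// happens to equal LVCFMT_LEFT, so the rendered result is unchanged.
int gStraceColumnFormat[NUM_COLUMNS] =
{
    LVCFMT_LEFT, LVCFMT_LEFT, LVCFMT_LEFT, LVCFMT_LEFT, LVCFMT_LEFT, LVCFMT_LEFT, LVCFMT_LEFT, LVCFMT_LEFT,
    LVCFMT_LEFT
};
// Column widths in pixels, parallel to gStraceColumnLabel; the ParaNN widths
// are filled in by the constructor.
int gSraceColumnWidth[NUM_COLUMNS] =
{
    30, 40, 40, 100, 40, 150, 80, 28, 80
};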
/////////////////////////////////////////////////////////////////////////////
// CStraceGuiView
// Runtime-class and message-map registration for the trace list view.
// NOTE(review): both macros name CListView as the base, while OnInitialUpdate
// calls CListViewEx::OnInitialUpdate() and SetFullRowSel(); if the class
// really derives from CListViewEx (header not visible here), the base named
// here should match it so CListViewEx's own handlers take part in routing.
IMPLEMENT_DYNCREATE(CStraceGuiView, CListView)
BEGIN_MESSAGE_MAP(CStraceGuiView, CListView)
//{{AFX_MSG_MAP(CStraceGuiView)
// Capture control: start/stop spying and enable state of those commands.
ON_COMMAND(ID_SPYING_START, OnSpyingStart)
ON_COMMAND(ID_SPYING_STOP, OnSpyingStop)
ON_UPDATE_COMMAND_UI(ID_SPYING_START, OnUpdateSpyingStart)
ON_UPDATE_COMMAND_UI(ID_SPYING_STOP, OnUpdateSpyingStop)
ON_COMMAND(ID_CLEARLOG, OnClearlog)
// View options.
ON_COMMAND(ID_VIEW_AUTOSCROLL, OnViewAutoscroll)
ON_UPDATE_COMMAND_UI(ID_VIEW_AUTOSCROLL, OnUpdateViewAutoscroll)
ON_WM_DESTROY()
// Filtering: process filter dialog, kernel/user capture toggles, name filter.
ON_COMMAND(IDM_FILTER, OnFilter)
ON_COMMAND(ID_CAPKERNEL, OnCapkernel)
ON_UPDATE_COMMAND_UI(ID_CAPKERNEL, OnUpdateCapkernel)
ON_UPDATE_COMMAND_UI(ID_CAPUSER, OnUpdateCapuser)
ON_COMMAND(ID_CAPUSER, OnCapuser)
ON_COMMAND(IDM_VISITHOMEPAGE, OnVisithomepage)
// Clipboard / context-menu commands.
ON_COMMAND(ID_EDIT_COPY, OnEditCopy)
ON_COMMAND(IDM_COPYPROCFILTER, OnCopyprocfilter)
ON_COMMAND(ID_SETFILTER, OnSetfilter)
ON_COMMAND(IDM_COPYFUNC, OnCopyfunc)
//}}AFX_MSG_MAP
END_MESSAGE_MAP()
/////////////////////////////////////////////////////////////////////////////
// CStraceGuiView construction/destruction
CStraceGuiView::CStraceGuiView()
{
// Default to auto-scrolling the list as rows arrive (read by TracingThreadFunc).
bAutoScroll = TRUE;
// Generate the captions/format/width for the MaxParaNumbers parameter columns
// that follow the 9 fixed columns ("Para01", "Para02", ...).
int j=1;
for(int i=NUM_COLUMNS-MaxParaNumbers;i<NUM_COLUMNS;i++,j++){
sprintf(gStraceColumnLabel[i],"Para%02d",j);
gStraceColumnFormat[i]=LVCFMT_LEFT;
gSraceColumnWidth[i]=80;
}
// NOTE(review): loaded by bare module name, so it is resolved through the
// loader's search order rather than pinned to the system directory; the
// returned handle is not checked here (OnSpyingStart resolves EnumProcesses
// from it). Released by the destructor.
hPSAPI=LoadLibrary("PSAPI.DLL");
// Requests SeDebugPrivilege for this process; presumably needed for process
// enumeration / device access — confirm against AdjustPrivileges.
AdjustPrivileges(SE_DEBUG_NAME);
// Three auto-reset, initially non-signaled events used to talk to the
// tracing thread: stop request, "clear the list" request, and completion ack.
// Creation results are not checked; handles are closed in the destructor.
StopEvent = CreateEvent(0,FALSE,FALSE,0);
ListClearEvent = CreateEvent(0,FALSE,FALSE,0);
OpCompletedEvent = CreateEvent(0,FALSE,FALSE,0);
// Default driver filter: full service-ID range, calls from everywhere, no
// thread/function/process name restrictions. StracePID is filled in by
// OnSpyingStart just before IOCTL_STRACE_STARTSPY.
strace_filter.ServiceIDFrom=SERVICEIDFROM;
strace_filter.ServiceIDTo=SERVICEIDTO;
strace_filter.CallFrom = CALLFROMALL;
strace_filter.Thrd1=0;
strace_filter.Thrd2=0;
strace_filter.Thrd3=0;
memset(strace_filter.FuncName1,'\0',sizeof(strace_filter.FuncName1));
memset(strace_filter.FuncName2,'\0',sizeof(strace_filter.FuncName2));
memset(strace_filter.FuncName3,'\0',sizeof(strace_filter.FuncName3));
memset(strace_filter.ProcName1,'\0',sizeof(strace_filter.ProcName1));
memset(strace_filter.ProcName2,'\0',sizeof(strace_filter.ProcName2));
// Builds the call-number -> service-name tables from the driver and ntoskrnl
// symbols; its -1 failure result is ignored here, so the tables may stay empty.
GetSymNameFromSymFile();
}
CStraceGuiView::~CStraceGuiView()
{
    // Release the three event handles created in the constructor (in the same
    // order), then unload PSAPI.DLL. Return values are not examined, which
    // mirrors the constructor not checking the creations.
    HANDLE owned[] = { StopEvent, ListClearEvent, OpCompletedEvent };
    const int kOwnedCount = sizeof(owned) / sizeof(owned[0]);
    for (int k = 0; k < kOwnedCount; ++k)
        CloseHandle(owned[k]);
    FreeLibrary(hPSAPI);
}
BOOL CStraceGuiView::PreCreateWindow(CREATESTRUCT& cs)
{
    // Force report mode with a selection that stays visible when the control
    // loses focus, and make sure the control does not sort rows itself
    // (presumably so trace rows keep their arrival order).
    const DWORD wanted = LVS_SHOWSELALWAYS | LVS_REPORT;
    const DWORD unwanted = LVS_SORTASCENDING;
    cs.style = (cs.style | wanted) & ~unwanted;
    return CListView::PreCreateWindow(cs);
}
/////////////////////////////////////////////////////////////////////////////
// CStraceGuiView drawing
void CStraceGuiView::OnDraw(CDC* pDC)
{
    // Nothing is painted here: the list control renders itself. The document
    // pointer is only validated (debug builds) to catch a detached view early.
    CStraceGuiDoc* const doc = GetDocument();
    ASSERT_VALID(doc);
}
void CStraceGuiView::OnInitialUpdate()
{
    CListViewEx::OnInitialUpdate();
    // Highlight the whole row of the selected item, not just the first column.
    SetFullRowSel(TRUE);
    // Create the report columns from the three parallel global tables
    // (caption, width, alignment), one column per table entry.
    CListCtrl& list = GetListCtrl();
    LV_COLUMN column;
    column.mask = LVCF_FMT | LVCF_WIDTH | LVCF_TEXT | LVCF_SUBITEM;
    for (int col = 0; col < NUM_COLUMNS; ++col)
    {
        column.iSubItem = col;
        column.pszText = gStraceColumnLabel[col];
        column.cx = gSraceColumnWidth[col];
        column.fmt = gStraceColumnFormat[col];
        list.InsertColumn(col, &column);
    }
}
/////////////////////////////////////////////////////////////////////////////
// CStraceGuiView diagnostics
#ifdef _DEBUG
// Debug-only validity check; nothing view-specific to verify, so defer to the base.
void CStraceGuiView::AssertValid() const
{
CListView::AssertValid();
}
// Debug-only diagnostic dump; the base class output is all that is emitted.
void CStraceGuiView::Dump(CDumpContext& dc) const
{
CListView::Dump(dc);
}
// Debug build accessor for the attached document: asserts that m_pDocument
// really is a CStraceGuiDoc before casting (the release build uses an inline
// version, per the original comment; that header is not visible here).
CStraceGuiDoc* CStraceGuiView::GetDocument() // non-debug version is inline
{
ASSERT(m_pDocument->IsKindOf(RUNTIME_CLASS(CStraceGuiDoc)));
return (CStraceGuiDoc*)m_pDocument;
}
#endif //_DEBUG
BOOL CStraceGuiView::SetViewType(DWORD dwViewType)
{
    // Replace only the LVS_TYPEMASK bits (icon / small icon / list / report);
    // every other window style bit is preserved. Returns ModifyStyle's result.
    const DWORD newType = dwViewType & LVS_TYPEMASK;
    return ModifyStyle(LVS_TYPEMASK, newType);
}
DWORD CStraceGuiView::GetViewType()
{
    // Current list-view mode: the LVS_TYPEMASK bits of the window style.
    const DWORD style = GetStyle();
    return style & LVS_TYPEMASK;
}
/////////////////////////////////////////////////////////////////////////////
// CStraceGuiView message handlers
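void CStraceGuiView::OnSpyingStart()
{
    // Starts a capture session:
    //   1. if a process filter (PidSelected) is set: drop PIDs that no longer
    //      exist, hand the filter to the driver, and clear its trace buffer;
    //   2. hand strace_filter (service-ID range, origin, thread/name filters)
    //      to the driver and start spying;
    //   3. spawn TracingThreadFunc, which drains the driver buffer into the list.
    // Every driver error is reported in a message box and aborts the start.
    BOOL result;
    DWORD BytesReturned;
    if (PidSelected.GetSize())
    {
        // ---- 1a. prune PIDs that are no longer running ------------------
        typedef DWORD (__stdcall *EnumProcessesProc)(DWORD* ProcessesId,
                                                     DWORD SizeofProcessesIds,
                                                     DWORD* done);
        // Reuse the PSAPI module loaded in the constructor instead of loading
        // a second, never-released copy. GetProcAddress on a NULL module
        // yields NULL, which is handled below by skipping the prune step.
        EnumProcessesProc pEnumProcesses =
            (EnumProcessesProc)GetProcAddress(hPSAPI, "EnumProcesses");
        DWORD ProcessesId[1024];
        DWORD done = 0;
        // EnumProcesses succeeds with a completely filled buffer when more
        // processes exist than fit; that snapshot is incomplete, so pruning is
        // skipped in that case rather than dropping live PIDs from the filter.
        if (pEnumProcesses
            && pEnumProcesses(ProcessesId, sizeof(ProcessesId), &done)
            && done < sizeof(ProcessesId))
        {
            const DWORD size = done / sizeof(DWORD);
            // CString grows as needed; the previous fixed 200-byte buffer could
            // overflow once enough stale PIDs were appended (and was never freed).
            CString msg = "进程筛选队列存在已退出的进程,系统将自动将其从\n队列中剔除,下面是其原有进程ID列表:\n";
            int sizeNone = 0;
            // The index is advanced only when the entry is kept: RemoveAt(i)
            // slides the next entry into slot i, and an unconditional i++
            // would skip it (the previous loop had exactly that defect).
            for (int i = 0; i < PidSelected.GetSize(); )
            {
                BOOL found = FALSE;
                for (DWORD j = 0; j < size && !found; j++)
                    found = (PidSelected.GetAt(i) == ProcessesId[j]);
                if (found)
                {
                    i++;
                    continue;
                }
                CString pid;
                pid.Format("%d ", PidSelected.GetAt(i));
                msg += pid;
                sizeNone++;
                PidSelected.RemoveAt(i);
            }
            if (sizeNone > 0)
                AfxMessageBox(msg);
        }
        // ---- 1b. hand the PID list to the driver -------------------------
        // Wire format (from the memcpy below): a WORD entry count followed by
        // the PIDs as WORDs. The block is allocated as a WORD array and must be
        // released with delete[] on every path (it previously leaked on the
        // error returns and was freed with a mismatched plain delete).
        const int count = PidSelected.GetSize();
        const DWORD filterBytes = sizeof(WORD) * (count + 1);
        WORD* raw = new WORD[count + 1];
        PROCESS_FILTER* pfilter = (PROCESS_FILTER*)raw;
        pfilter->EntriesCount = count;
        PWORD data = PidSelected.GetData();
        memcpy(pfilter->ProcessIdArray, data, count * sizeof(WORD));
        result = DeviceIoControl(
            GetDevice(),
            IOCTL_STRACE_SETPROCESSFILER,
            pfilter,
            filterBytes,
            0,
            0,
            &BytesReturned,
            0
        );
        if (!result)
        {
            CString error;
            GetLastErrorText(error);   // read the error before anything else can clobber it
            delete[] raw;
            AfxMessageBox(CString("进程筛选错误:") + error);
            return;
        }
        delete[] raw;                  // the driver has its copy now
        // ---- 1c. discard whatever the driver buffered before this session --
        result = DeviceIoControl(
            GetDevice(),
            IOCTL_STRACE_CLEARBUF,
            0,
            0,
            0,
            0,
            &BytesReturned,
            0
        );
        if (!result)
        {
            CString error;
            GetLastErrorText(error);
            AfxMessageBox(CString("缓冲清除失败: ") + error);
            return;
        }
    }
    // ---- 2. global filter + start ---------------------------------------
    // Our own PID goes into the filter, presumably so the driver can exclude
    // this GUI's calls from the trace — confirm against ..\sys\strace.h.
    strace_filter.StracePID = GetCurrentProcessId();
    // NOTE(review): the input length is a hand-computed layout (4 DWORDs +
    // 3 WORDs) rather than sizeof(strace_filter); it must be kept in sync
    // with STRACE_FILTER in ..\sys\strace.h and with what the driver checks.
    result = DeviceIoControl(
        GetDevice(),
        IOCTL_STRACE_STARTSPY,
        (LPVOID)&strace_filter,
        sizeof(DWORD) * 4 + sizeof(WORD) * 3,
        NULL,
        0,
        &BytesReturned,
        0
    );
    if (!result)
    {
        CString error;
        GetLastErrorText(error);
        AfxMessageBox(CString("启动失败:") + error);
        return;
    }
    // ---- 3. reader thread ------------------------------------------------
    unsigned ThreadId;
    hThread = (HANDLE)_beginthreadex(0, 0, TracingThreadFunc, this, 0, &ThreadId);
    if (!hThread)
    {
        // The driver is already spying; without a reader nothing is drained.
        TRACE("OnSpyingStart: _beginthreadex failed\n");
    }
}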
HANDLE CStraceGuiView::GetDevice()
{
    // The driver handle is owned by the application object; the view only
    // borrows it for its DeviceIoControl calls.
    CStraceGuiApp* const app = static_cast<CStraceGuiApp*>(AfxGetApp());
    return app->GetDevice();
}
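unsigned WINAPI CStraceGuiView::TracingThreadFunc(void * arg)
{
    // Worker thread started by OnSpyingStart. Until StopEvent is signaled it
    // repeatedly waits for the driver to report data, fetches the trace
    // buffer and appends one row per entry to the list control, applying the
    // function-name and process-name filters. arg is the owning view.
    // Returns 0 when StopEvent ends the loop.
    //
    // The driver fills a raw byte block that is reinterpreted as STRACE_RESULT;
    // kTraceBufBytes is the capacity passed to IOCTL_STRACE_GETBUF.
    const DWORD kTraceBufBytes = 150000;
    const int kMaxEntries = 1024;   // above this the batch is treated as overflow and dropped
    BYTE* rawBuf = new BYTE[kTraceBufBytes];   // released with delete[] below
    STRACE_RESULT* strace_result = (STRACE_RESULT*)rawBuf;
    DWORD Timeout = 500; // msec, handed to IOCTL_STRACE_WAITFOR_TRACEOVERFLOW
    BOOL result;
    CStraceGuiView* pThis = (CStraceGuiView*)arg;
    HANDLE hDevice = pThis->GetDevice();
    DWORD BytesReturned;
    // NOTE(review): the list control is driven from this worker thread. MFC
    // CWnd wrappers are not meant to be shared across threads; this works only
    // insofar as the calls below reduce to SendMessage to the UI thread.
    CListCtrl& ListCtrl = pThis->GetListCtrl();
    LV_ITEM lvi;
    char buf[64];
    int ItemNum = ListCtrl.GetItemCount();
    SYSTEMTIME time;
    FILETIME file_time;
    CString func_name, proc_name;
    DWORD func_ptr;
    // Poll StopEvent every 100 ms; between polls block (up to Timeout) in the driver.
    while (WaitForSingleObject(pThis->StopEvent, 100) == WAIT_TIMEOUT)
    {
        // The wait ioctl's result is deliberately ignored: a timeout only
        // means "nothing yet", and GETBUF below then reports no entries.
        DeviceIoControl(
            hDevice,
            IOCTL_STRACE_WAITFOR_TRACEOVERFLOW,
            &Timeout,
            sizeof(DWORD),
            0,
            0,
            &BytesReturned,
            0
        );
        result = DeviceIoControl(
            hDevice,
            IOCTL_STRACE_GETBUF,
            0,
            0,
            strace_result,
            kTraceBufBytes,
            &BytesReturned,
            0
        );
        TRACE("BR:%d,EC:%d\n", BytesReturned, strace_result->EntriesCount);
        // Only trust the buffer when GETBUF succeeded; a failed call used to
        // re-render whatever the previous iteration had left in the block.
        BOOL haveEntries = result;
        if (haveEntries && strace_result->EntriesCount > kMaxEntries)
        {
            // Overflow: drop the driver's backlog rather than render it.
            DeviceIoControl(
                hDevice,
                IOCTL_STRACE_CLEARBUF,
                0,
                0,
                0,
                0,
                &BytesReturned,
                0
            );
            haveEntries = FALSE;
        }
        if (haveEntries)
        {
            ItemNum = ListCtrl.GetItemCount();
            for (int i = 0; i < strace_result->EntriesCount; i++, ItemNum++)
            {
                // Resolve the call number to a service name: the native table
                // below SERVICEIDUSERFROM, the win32k table at or above it.
                // NOTE(review): CallNumber is driver-supplied and used as a
                // lookup key without a range check; fine if these members are
                // CMaps (a miss yields an empty name), not if they are arrays.
                if (strace_result->trace[i].CallNumber < SERVICEIDUSERFROM) {
                    func_ptr = pThis->CallNum2ServicePtr[strace_result->trace[i].CallNumber];
                    func_name = pThis->ServicePtr2ServiceName[(DWORD)func_ptr];
                } else {
                    func_ptr = pThis->CallNum2ServicePtrWin32k[strace_result->trace[i].CallNumber - SERVICEIDUSERFROM];
                    func_name = pThis->ServicePtr2ServiceNameWin32k[(DWORD)func_ptr];
                }
                if (!ApplyFuncNameFilter(func_name)) {
                    ItemNum--;      // no row inserted: undo the loop's increment
                    continue;
                }
                // ProcessName is assumed to be NUL-terminated by the driver — TODO confirm in strace.h
                proc_name = strace_result->trace[i].ProcessName;
                if (!ApplyProcNameFilter(proc_name)) {
                    ItemNum--;
                    continue;
                }
                // Column 0: running row number. Only LVIF_TEXT is in the mask,
                // so the state fields below appear to be ignored by the control;
                // they are kept as they were.
                itoa(ItemNum, buf, 10);
                lvi.mask = LVIF_TEXT;
                lvi.iItem = ItemNum;
                lvi.iSubItem = 0;
                lvi.pszText = buf;
                lvi.stateMask = LVIS_STATEIMAGEMASK;
                lvi.state = INDEXTOSTATEIMAGEMASK(1);
                ListCtrl.InsertItem(&lvi);
                sprintf(buf, "%4X", strace_result->trace[i].ProcessId);
                ListCtrl.SetItemText(ItemNum, 1, buf);
                sprintf(buf, "%4X", strace_result->trace[i].ThreadId);
                ListCtrl.SetItemText(ItemNum, 2, buf);
                ListCtrl.SetItemText(ItemNum, 3, proc_name);
                sprintf(buf, "%4X", strace_result->trace[i].CallNumber);
                ListCtrl.SetItemText(ItemNum, 4, buf);
                ListCtrl.SetItemText(ItemNum, 5, func_name);
                sprintf(buf, "0x%08X", strace_result->trace[i].ParameterTable);
                ListCtrl.SetItemText(ItemNum, 6, buf);
                sprintf(buf, "%02X", strace_result->trace[i].ParameterNumbers);
                ListCtrl.SetItemText(ItemNum, 7, buf);
                // Capture time, converted from UTC FILETIME to local wall clock.
                FileTimeToLocalFileTime((FILETIME*)&strace_result->trace[i].Time, &file_time);
                FileTimeToSystemTime(&file_time, &time);
                sprintf(buf, "%d:%d.%d'%3d", time.wHour, time.wMinute, time.wSecond, time.wMilliseconds);
                ListCtrl.SetItemText(ItemNum, 8, buf);
                // ParameterNumbers is driver-supplied: clamp it to the number of
                // parameter columns that exist so a bad count can neither address
                // columns that were never created nor read past the entry
                // (assumes Parameter[] has MaxParaNumbers slots — confirm in strace.h).
                int paraCount = strace_result->trace[i].ParameterNumbers;
                if (paraCount > MaxParaNumbers)
                    paraCount = MaxParaNumbers;
                for (int j = 0; j < paraCount; j++) {
                    sprintf(buf, "0x%08X", strace_result->trace[i].Parameter[j]);
                    ListCtrl.SetItemText(ItemNum, 9 + j, buf);
                }
                // Auto-scroll once per page of new rows when the option is on.
                const int perPage = ListCtrl.GetCountPerPage();
                if (perPage && !(ItemNum % perPage) && pThis->bAutoScroll)
                    ListCtrl.EnsureVisible(ItemNum, FALSE);
            }
        }
        // Clear requests from the UI are honored on every iteration, including
        // overflow ones (which previously skipped this check), so a caller
        // waiting on OpCompletedEvent is not left hanging.
        if (WaitForSingleObject(pThis->ListClearEvent, 0) == WAIT_OBJECT_0) {
            ListCtrl.DeleteAllItems();
            SetEvent(pThis->OpCompletedEvent);
        }
    }
    delete[] rawBuf;   // matches new BYTE[] above (was a plain delete)
    return 0;
}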
int CStraceGuiView::GetSymNameFromSymFile()
{
HANDLE hDevice = GetDevice();
DWORD BytesReturned;
BOOL result;
int i;
NTSDT *nt_sdt = (NTSDT * )new BYTE[sizeof(NTSDT)];
result = DeviceIoControl(
hDevice,
IOCTL_STRACE_GETNTSDT,
0,
0,
nt_sdt,
sizeof(NTSDT),
&BytesReturned,
0
);
if(!result) return -1;
for(i=0;i < nt_sdt->keSDTCount;i++)
{
CallNum2ServicePtr[(WORD)i] = nt_sdt->keSDTAddress[i];
}
for(i=0;i < nt_sdt->w32SDTCount;i++)
CallNum2ServicePtrWin32k[(WORD)i]=nt_sdt->w32SDTAddress[i];
delete nt_sdt;
char file_path[MAX_PATH];
GetSystemDirectory(file_path,sizeof(file_path));
strcat(file_path,"\\ntoskrnl.exe");
ServicePtr2ServiceName.RemoveAll();
ServicePtr2ServiceNameWin32k.RemoveAll();
DWORD BaseOfDll;
POSITION iterator;
WORD CallNum;
DWORD FuncPtr;
DWORD Displacement;
PIMAGEHLP_SYMBOL Symbol = (PIMAGEHLP_SYMBOL )new BYTE[1024];
Symbol->SizeOfStruct = sizeof(IMAGEHLP_SYMBOL );
Symbol->MaxNameLength = 1024;
IMAGEHLP_MODULE ModuleInfo;
ModuleInfo.SizeOfStruct = sizeof(IMAGEHLP_MODULE );
result = SymInitialize(GetCurrentProcess(),0,FALSE);
if(!result) return -1;
BaseOfDll = SymLoadModule(
GetCurrentProcess(),
0,
file_path,
0,
0x80400000,
0);
if(! BOOL(BaseOfDll) ) return -1;