more ALPC event types

zodiacon · Jan 20, 2018 · d743432 · d743432
1 parent 85524dd
commit d743432
Show file tree

Hide file tree

Showing 9 changed files with 59 additions and 10 deletions.
diff --git a/ProcMonX/Icons/Events/AlpcWaitForNewMessage.ico b/ProcMonX/Icons/Events/AlpcWaitForNewMessage.ico
diff --git a/ProcMonX/Icons/Events/AlpcWaitForReply.ico b/ProcMonX/Icons/Events/AlpcWaitForReply.ico
diff --git a/ProcMonX/Models/Events.cs b/ProcMonX/Models/Events.cs
@@ -10,7 +10,7 @@ public enum EventType {
         None,
         ProcessStart = 100, ProcessStop, ProcessDCStart, ProcessDCStop,
         ThreadStart = 200, ThreadStop, ThreadDCStart, ThreadDCStop,
-        MemoryAlloc = 300, MemoryFree,
+        MemoryAlloc = 300, MemoryFree, HeapRangeCreate, HeapRangeDestory, HeapRangeReserve,
         RegistryOpenKey = 400, RegistryQueryValue, RegistrySetValue, RegistryCreateKey,
         RegistryCloseKey, RegistryEnumerateKey, RegistryEnumerateValues, RegistryFlush,
         RegistryDeleteKey, RegistryDeleteValue, RegistryQueryMultipleValues,
@@ -185,6 +185,18 @@ class EventInfo {
                     Keyword = KernelTraceEventParser.Keywords.AdvancedLocalProcedureCalls,
                     Category = EventCategory.ALPC
                 },
+                new EventInfo {
+                    EventType = EventType.ALPCWaitForNewMessage,
+                    AsString = "ALPC Wait for New Message",
+                    Keyword = KernelTraceEventParser.Keywords.AdvancedLocalProcedureCalls,
+                    Category = EventCategory.ALPC
+                },
+                new EventInfo {
+                    EventType = EventType.AlpcWaitForReply,
+                    AsString = "ALPC Wait for Reply",
+                    Keyword = KernelTraceEventParser.Keywords.AdvancedLocalProcedureCalls,
+                    Category = EventCategory.ALPC
+                },
                 new EventInfo {
                     EventType = EventType.FileRead,
                     AsString = "File Read",
@@ -305,12 +317,12 @@ class EventInfo {
                     Keyword = KernelTraceEventParser.Keywords.VAMap,
                     Category = EventCategory.Files
                 },
-                new EventInfo {
-                    EventType = EventType.DriverMajorFunctionCall,
-                    AsString = "Driver Major Function Call",
-                    Keyword = KernelTraceEventParser.Keywords.Driver,
-                    Category = EventCategory.Driver
-                },
+                //new EventInfo {
+                //    EventType = EventType.DriverMajorFunctionCall,
+                //    AsString = "Driver Major Function Call",
+                //    Keyword = KernelTraceEventParser.Keywords.Driver,
+                //    Category = EventCategory.Driver
+                //},
             }.OrderBy(evt => evt.AsString).ToList();
 
         public static readonly IDictionary<EventType, EventInfo> AllEventsByType = AllEvents.ToDictionary(evt => evt.EventType);

diff --git a/ProcMonX/ProcMonX.csproj b/ProcMonX/ProcMonX.csproj
@@ -141,6 +141,7 @@
     <Compile Include="ViewModels\EventTypeViewModel.cs" />
     <Compile Include="ViewModels\FilterRuleViewModel.cs" />
     <Compile Include="ViewModels\FilterDialogViewModelBase.cs" />
+    <Compile Include="ViewModels\Filters\ProcessIdsFilterViewModel.cs" />
     <Compile Include="ViewModels\Filters\ProcessNamesFilterViewModel.cs" />
     <Compile Include="ViewModels\FilterTypeViewModel.cs" />
     <Compile Include="ViewModels\MainViewModel.cs" />
@@ -406,6 +407,12 @@
     <Resource Include="Icons\Events\DriverMajorFunctionCall.ico" />
     <Resource Include="Icons\Events\hardware-ok.ico" />
   </ItemGroup>
+  <ItemGroup>
+    <Resource Include="Icons\Events\AlpcWaitForReply.ico" />
+  </ItemGroup>
+  <ItemGroup>
+    <Resource Include="Icons\Events\AlpcWaitForNewMessage.ico" />
+  </ItemGroup>
   <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
   <Target Name="EnsureNuGetPackageBuildImports" BeforeTargets="PrepareForBuild">
     <PropertyGroup>

diff --git a/ProcMonX/Tracing/TraceEventFilter.cs b/ProcMonX/Tracing/TraceEventFilter.cs
@@ -41,7 +41,7 @@ public FilterAttribute(string name) {
     class TraceEventFilter {
         ObservableCollection<IFilterRule> _filterRules = new ObservableCollection<IFilterRule>();
 
-        public FilterRuleResult DefaultResult { get; set; } = FilterRuleResult.Include;
+        public FilterRuleResult DefaultResult { get; set; } = FilterRuleResult.Exclude;
 
         public IList<IFilterRule> FilterRules => _filterRules;
 

diff --git a/ProcMonX/Tracing/TraceManager.cs b/ProcMonX/Tracing/TraceManager.cs
@@ -152,6 +152,14 @@ void SetupCallback(EventType type) {
                     _kernelParser.ALPCReceiveMessage += obj => HandleEvent(obj, EventType.AlpcReceiveMessage);
                     break;
 
+                case EventType.ALPCWaitForNewMessage:
+                    _kernelParser.ALPCWaitForNewMessage += obj => HandleEvent(obj, EventType.ALPCWaitForNewMessage);
+                    break;
+
+                case EventType.AlpcWaitForReply:
+                    _kernelParser.ALPCWaitForReply += obj => HandleEvent(obj, EventType.AlpcWaitForReply);
+                    break;
+
                 case EventType.FileRead:
                     _kernelParser.FileIORead += obj => HandleEvent(obj, EventType.FileRead);
                     break;

diff --git a/ProcMonX/ViewModels/Filters/ProcessIdsFilterViewModel.cs b/ProcMonX/ViewModels/Filters/ProcessIdsFilterViewModel.cs
@@ -0,0 +1,16 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+using System.Windows;
+
+namespace ProcMonX.ViewModels.Filters {
+    sealed class ProcessIdsFilterViewModel : FilterDialogViewModelBase {
+        public ProcessIdsFilterViewModel(Window dialog) : base(dialog) {
+        }
+
+        public string Title => "Process IDs Filter";
+
+    }
+}
diff --git a/ProcMonX/ViewModels/MainViewModel.cs b/ProcMonX/ViewModels/MainViewModel.cs
@@ -102,6 +102,12 @@ private string GetDetails(TraceEvent evt) {
                 case ALPCReceiveMessageTraceData alpc:
                     return $"Message ID: {alpc.MessageID}";
 
+                case ALPCWaitForReplyTraceData data:
+                    return $"Message ID:;; {data.MessageID}";
+
+                case ALPCWaitForNewMessageTraceData data:
+                    return $"Server:;; {Convert.ToBoolean(data.IsServerPort)};; Port Name:;; {data.PortName}";
+
                 case FileIOReadWriteTraceData data:
                     return $"Filename:;; {data.FileName};; Offset:;; {data.Offset:X};; Size:;; 0x{data.IoSize:X};; IRP:;; 0x{data.IrpPtr:X}";
 
@@ -251,7 +257,7 @@ void Update() {
             _updateTimer.Start();
         }
 
-        public string Title => $"{App.Title} v0.1 (C)2017-2018 by Pavel Yosifovich";
+        public string Title => $"{App.Title} v0.2 Beta (C)2017-2018 by Pavel Yosifovich";
 
         public ICommand ExitCommand => new DelegateCommand(() => Application.Current.Shutdown());
 

diff --git a/ProcMonX/Views/Tabs/CaptureFilterView.xaml b/ProcMonX/Views/Tabs/CaptureFilterView.xaml
@@ -58,7 +58,7 @@
         </ToolBar>
 
         <sf:SfDataGrid Grid.Row="2" ItemsSource="{Binding Filters}" Style="{StaticResource SfDataGridStyle}" SelectionMode="Extended" 
-                       SelectedItems="{Binding SelectedItems, Mode=OneWayToSource}" SelectedItem="{Binding SelectedItem, Mode=TwoWay}">
+                       SelectedItems="{Binding SelectedItems, Mode=OneWayToSource}" SelectedItem="{Binding SelectedItem, Mode=TwoWay}" AllowDraggingRows="True">
             <sf:SfDataGrid.Columns>
                 <sf:GridTextColumn MappingName="Name" HeaderText="Type" MinimumWidth="60" Width="100" />
                 <sf:GridCheckBoxColumn MappingName="IsActive" HeaderText="Active?" ColumnSizer="SizeToHeader" AllowEditing="True" />