procmon

package
v0.0.0-...-daad6bc Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 29, 2024 License: Apache-2.0 Imports: 5 Imported by: 0

Documentation

Rendered for windows/amd64

Index

Constants

View Source 
const (

	// ProcmonDefaultReceiveSize is the default size of the receive buffer
	// 140k is the maximum size a notification can be, resulting in more memory usage traded off for
	// not missing notifications.
	ProcmonDefaultReceiveSize = (140 * 1024)

	// ProcmonDefaultNumBufs is the default number of overlapped receive buffers
	ProcmonDefaultNumBufs = 50
)
View Source 
const (
	ProcmonStartIOCTL = 0x222006
	ProcmonStopIOCTL  = 0x22200a
	ProcmonStatsIOCTL = 0x22200e

	ProcmonSignature = 0xdd0100000005
)
View Source 
const (
	ProcmonNotifyStop  = 0x0
	ProcmonNotifyStart = 0x1
)
View Source 
const DDProcessNotificationSize = 0x78
View Source 
const DDProcmonStatsSize = 0x30
View Source 
const Signature = 0xdd0100000005

Variables

This section is empty.

Functions

This section is empty.

Types

type DDProcessNotification 

type DDProcessNotification struct {
	Size              uint64
	SizeNeeded        uint64
	ProcessId         uint64
	NotifyType        uint64
	ParentProcessId   uint64
	CreatingProcessId uint64
	CreatingThreadId  uint64
	ImageFileLen      uint64
	ImageFileOffset   uint64
	CommandLineLen    uint64
	CommandLineOffset uint64
	SidLen            uint64
	SidOffset         uint64
	EnvBlockLen       uint64
	EnvOffset         uint64
}

type DDProcessNotifyType 

type DDProcessNotifyType uint32

type DDProcmonStats 

type DDProcmonStats struct {
	ProcessStartCount       uint64
	ProcessStopCount        uint64
	MissedNotifications     uint64
	AllocationFailures      uint64
	WorkItemFailures        uint64
	ReadBufferToSmallErrors uint64
}

type ProcessStartNotification 

type ProcessStartNotification struct {
	Pid               uint64
	PPid              uint64
	CreatingProcessId uint64
	CreatingThreadId  uint64
	OwnerSidString    string
	ImageFile         string
	CmdLine           string
	EnvBlock          []string
	// if this is nonzero, functions as notification to
	// the probe that the buffer size isn't large enough
	RequiredSize uint32
}

type ProcessStopNotification 

type ProcessStopNotification struct {
	Pid uint64
}

type WinProcmon 

type WinProcmon struct {
	// contains filtered or unexported fields
}

func NewWinProcMon 

func NewWinProcMon(onStart chan *ProcessStartNotification, onStop chan *ProcessStopNotification, onError chan bool, bufsize, numbufs int) (*WinProcmon, error)

NewWinProcMon creates a new WinProcmon

requires 3 channels for notification of data (one for start notifications, stop notifications, and error notifications)

the bufsize and numbufs params, respectively, can be used to override the defaults for those parameters (if 0 is provided then defaults are used) Allows caller to configure the number & size of the overlapped buffers used for receiving notifications from the driver

func (*WinProcmon) OnData 

func (wp *WinProcmon) OnData(data []uint8)

func (*WinProcmon) OnError 

func (wp *WinProcmon) OnError(err error)

func (*WinProcmon) Start 

func (wp *WinProcmon) Start() error

func (*WinProcmon) Stop 

func (wp *WinProcmon) Stop()

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.