procmon

package
v0.0.0-...-17d25f2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jan 13, 2025 License: Apache-2.0 Imports: 5 Imported by: 0

Documentation

Rendered for windows/amd64

Index

Constants

View Source
const (

	// ProcmonDefaultReceiveSize is the default size of the receive buffer
	// 140k is the maximum size a notification can be, resulting in more memory usage traded off for
	// not missing notifications.
	ProcmonDefaultReceiveSize = (140 * 1024)

	// ProcmonDefaultNumBufs is the default number of overlapped receive buffers
	ProcmonDefaultNumBufs = 50
)
View Source
const (
	ProcmonStartIOCTL = 0x222006
	ProcmonStopIOCTL  = 0x22200a
	ProcmonStatsIOCTL = 0x22200e

	ProcmonSignature = 0xdd0100000005
)
View Source
const (
	ProcmonNotifyStop  = 0x0
	ProcmonNotifyStart = 0x1
)
View Source
const DDProcessNotificationSize = 0x78
View Source
const DDProcmonStatsSize = 0x30
View Source
const Signature = 0xdd0100000005

Variables

This section is empty.

Functions

This section is empty.

Types

type DDProcessNotification

type DDProcessNotification struct {
	Size              uint64
	SizeNeeded        uint64
	ProcessId         uint64
	NotifyType        uint64
	ParentProcessId   uint64
	CreatingProcessId uint64
	CreatingThreadId  uint64
	ImageFileLen      uint64
	ImageFileOffset   uint64
	CommandLineLen    uint64
	CommandLineOffset uint64
	SidLen            uint64
	SidOffset         uint64
	EnvBlockLen       uint64
	EnvOffset         uint64
}

type DDProcessNotifyType

type DDProcessNotifyType uint32

type DDProcmonStats

type DDProcmonStats struct {
	ProcessStartCount       uint64
	ProcessStopCount        uint64
	MissedNotifications     uint64
	AllocationFailures      uint64
	WorkItemFailures        uint64
	ReadBufferToSmallErrors uint64
}

type ProcessStartNotification

type ProcessStartNotification struct {
	Pid               uint64
	PPid              uint64
	CreatingProcessId uint64
	CreatingThreadId  uint64
	OwnerSidString    string
	ImageFile         string
	CmdLine           string
	EnvBlock          []string
	// if this is nonzero, functions as notification to
	// the probe that the buffer size isn't large enough
	RequiredSize uint32
}

type ProcessStopNotification

type ProcessStopNotification struct {
	Pid uint64
}

type WinProcmon

type WinProcmon struct {
	// contains filtered or unexported fields
}

func NewWinProcMon

func NewWinProcMon(onStart chan *ProcessStartNotification, onStop chan *ProcessStopNotification, onError chan bool, bufsize, numbufs int) (*WinProcmon, error)

NewWinProcMon creates a new WinProcmon

requires 3 channels for notification of data (one for start notifications, stop notifications, and error notifications)

the bufsize and numbufs params, respectively, can be used to override the defaults for those parameters (if 0 is provided then defaults are used) Allows caller to configure the number & size of the overlapped buffers used for receiving notifications from the driver

func (*WinProcmon) OnData

func (wp *WinProcmon) OnData(data []uint8)

func (*WinProcmon) OnError

func (wp *WinProcmon) OnError(err error)

func (*WinProcmon) Start

func (wp *WinProcmon) Start() error

func (*WinProcmon) Stop

func (wp *WinProcmon) Stop()

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL