Author: DavidXanatos

CHANGELOG.md

@@ -3,6 +3,30 @@ All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
 
+
+
+## [1.1.0] - 2020-23-01
+
+### Added
+- added Dark Theme Support
+- added ETW monitoring of the processProvider
+-- allows to capture all process cration events henc elisting of very short lived processes
+-- using ETW data to set image path and command line when the process closed before we could inspect it
+- added option to keep processes listed indefinetly as long as thay have still running children.
+- added functionality to find some types of hidden processes, also usefull to find some already terminated processes
+- added tool bar button to switch between the tree view and a list view more convinient as the last choose list sort column is remembered
+
+### Changed
+- the handle tab is now present twice once as it was and once providing only an open file list
+
+### Fixed
+- handle types are now sorted properly i.e. "[All]" is first
+- fixed bug where in the unifyed list view switching to tree view was not possible
+- fixed issue with some values not being initialized in CWinMainModule
+- fixed High DPI scaling issues
+
+
+
 ## [1.0.2] - 2019-12-24
 
 ### Added

TaskExplorer/API/Windows/Monitors/Etw/krabs.hpp

@@ -46,12 +46,12 @@
 #include "krabs/tdh_helpers.hpp"
 #include "krabs/kernel_providers.hpp"
 
-#include "krabs/testing/proxy.hpp"
+/*#include "krabs/testing/proxy.hpp"
 #include "krabs/testing/filler.hpp"
 #include "krabs/testing/synth_record.hpp"
 #include "krabs/testing/record_builder.hpp"
 #include "krabs/testing/event_filter_proxy.hpp"
-#include "krabs/testing/record_property_thunk.hpp"
+#include "krabs/testing/record_property_thunk.hpp"*/
 
 #include "krabs/filtering/view_adapters.hpp"
 #include "krabs/filtering/comparers.hpp"

TaskExplorer/API/Windows/Monitors/EtwEventMonitor.cpp

@@ -105,6 +105,37 @@ struct SEtwEventMonitor
 		});
 		kernel_trace.enable(file_provider);*/
 
+		proc_provider.add_on_event_callback([This](const EVENT_RECORD &record) {
+			//qDebug() << "process event";
+			krabs::schema schema(record);
+
+			if (schema.event_id() != 0)
+				return;
+
+			int Type = EventTypeUnknow;
+			switch (schema.event_opcode())
+			{
+				case 1: Type = EtwProcessStarted; break;
+				case 2: Type = EtwProcessStopped; break;
+				default: // we dont care for other event types
+					return;
+			}
+
+			krabs::parser parser(schema);
+
+			quint32 ProcessId = parser.parse<uint32_t>(L"ProcessId");
+			QString CommandLine = QString::fromStdWString(parser.parse<wstring>(L"CommandLine"));
+			QString FileName = QString::fromStdString(parser.parse<string>(L"ImageFileName"));
+			quint32 ParentId = parser.parse<uint32_t>(L"ParentId");
+
+			//qDebug() << FILETIME2time(schema.timestamp().QuadPart) << GetTime();
+
+			emit This->ProcessEvent(Type, ProcessId, CommandLine, FileName, ParentId, schema.timestamp().QuadPart);
+
+		});
+		kernel_trace.enable(proc_provider);
+
+
 		auto net_callback = [](CEtwEventMonitor* This, const EVENT_RECORD &record) {
 			//qDebug() << "net event";
 
@@ -267,6 +298,7 @@ struct SEtwEventMonitor
 
 	krabs::kernel::disk_io_provider disk_provider;
 	//krabs::kernel::file_io_provider file_provider;
+	krabs::kernel::process_provider proc_provider;
 	krabs::kernel::network_tcpip_provider tcp_provider;
 	krabs::kernel::network_udpip_provider udp_provider;
 

TaskExplorer/API/Windows/Monitors/EtwEventMonitor.h

@@ -16,6 +16,7 @@ class CEtwEventMonitor : public QObject
 	void		DnsResEvent(quint64 ProcessId, quint64 ThreadId, const QString& HostName, const QStringList& Results);
 	void		FileEvent(int Type, quint64 FileId, quint64 ProcessId, quint64 ThreadId, const QString& FileName);
 	void		DiskEvent(int Type, quint64 FileId, quint64 ProcessId, quint64 ThreadId, quint32 IrpFlags, quint32 TransferSize, quint64 HighResResponseTime);
+	void		ProcessEvent(int Type, quint32 ProcessId, QString CommandLine, QString FileName, quint32 ParentId, quint64 TimeStamp);
 
 protected:
 

TaskExplorer/API/Windows/ProcessHacker.cpp

@@ -29,7 +29,6 @@ extern "C" {
 #include <kphuserp.h>
 }
 
-
 QString CastPhString(PPH_STRING phString, bool bDeRef)
 {
 	QString qString;
@@ -50,20 +49,6 @@ PPH_STRING CastQString(const QString& qString)
 	return PhCreateStringFromUnicodeString(&ustr);
 }
 
-// MSDN: FILETIME Contains a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC).
-
-quint64 FILETIME2ms(quint64 fileTime)
-{
-	if (fileTime < 116444736000000000ULL)
-		return 0;
-	return (fileTime - 116444736000000000ULL) / 10000ULL;
-}
-
-time_t FILETIME2time(quint64 fileTime)
-{
-	return FILETIME2ms(fileTime) / 1000ULL;
-}
-
 /*
 BOOLEAN PhInitializeNamespacePolicy(
 	VOID

TaskExplorer/API/Windows/ProcessHacker.h

@@ -70,9 +70,6 @@
 QString CastPhString(PPH_STRING phString, bool bDeRef = true);
 PPH_STRING CastQString(const QString& qString);
 
-quint64 FILETIME2ms(quint64 fileTime);
-time_t FILETIME2time(quint64 fileTime);
-
 // Missing phlib definitions
 extern "C" {
 	VERIFY_RESULT NTAPI PhVerifyFileCached(_In_ PPH_STRING FileName, _In_opt_ PPH_STRING PackageFullName, _Out_opt_ PPH_STRING *SignerName, _In_ BOOLEAN CachedOnly);
@@ -86,6 +83,3 @@ int InitPH(bool bSvc = false);
 STATUS InitKPH(QString DeviceName, QString FileName, int SecurityLevel);
 
 void PhShowAbout(QWidget* parent);
-
-
-

TaskExplorer/API/Windows/WinModule.cpp

@@ -553,6 +553,14 @@ STATUS CWinModule::Unload(bool bForce)
 //////////////////////////////////////////////////////////////////////////////////////////////////////
 // CWinMainModule 
 
+CWinMainModule::CWinMainModule(QObject *parent) 
+	: CWinModule(-1, false, parent) 
+{
+	m_ImageSubsystem = 0;
+	m_PebBaseAddress = 0;
+	m_PebBaseAddress32 = 0;
+}
+
 bool CWinMainModule::InitStaticData(quint64 ProcessId, const QString& FileName, bool IsSubsystemProcess, bool IsWow64)
 {
 	QWriteLocker Locker(&m_Mutex);

TaskExplorer/API/Windows/WinModule.h

@@ -103,7 +103,7 @@ class CWinMainModule : public CWinModule
 {
 	Q_OBJECT
 public:
-	CWinMainModule(QObject *parent = nullptr) : CWinModule(-1, false, parent) {}
+	CWinMainModule(QObject *parent = nullptr);
 	virtual ~CWinMainModule() {}
 
 	virtual quint16 GetImageSubsystem() const 				{ QReadLocker Locker(&m_Mutex); return m_ImageSubsystem; }