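        /// <summary>
        /// Renders an ETW record as one debug line: the event id and opcode, every payload property with its
        /// value (for the string and integer input types handled below) and its numeric type, and the id of the
        /// process that emitted the event.
        /// </summary>
        /// <param name="record">The ETW record delivered by the trace session.</param>
        /// <param name="name">Short label of the handler/provider the record came from (e.g. "proc").</param>
        /// <remarks>
        /// Called on the ETW worker thread, so it must not block. Property values are copied verbatim, so
        /// whatever a process places in its command line or other payload strings ends up in the line — keep that
        /// in mind wherever the output is persisted. Within this listing the assembled line is not emitted
        /// anywhere; presumably it is handed to the logger right after this point — confirm against the full source.
        /// </remarks>
        public static void OnEtwEvent(Microsoft.O365.Security.ETW.IEventRecord record, string name)
        {
            // WARNING: this function is called from the worker thread

            // A StringBuilder instead of repeated string concatenation: the original re-copied the whole line
            // for every property of every event.
            var line = new System.Text.StringBuilder();
            line.Append("ETW ").Append(name)
                .Append(" id: ").Append(record.Id).Append("; ")
                .Append(" opcode: ").Append(record.Opcode).Append("; ");

            foreach (var property in record.Properties)
            {
                line.Append(property.Name).Append(": ");

                // NOTE(review): property.Type is the input type of the payload field as reported by the trace;
                // the cast relies on the EVT_VARIANT_TYPE values coinciding with it for the cases below — confirm
                // before adding further cases.
                switch ((EVT_VARIANT_TYPE)property.Type)
                {
                    case EVT_VARIANT_TYPE.EvtVarTypeString:     line.Append(record.GetUnicodeString(property.Name)); break;
                    case EVT_VARIANT_TYPE.EvtVarTypeAnsiString: line.Append(record.GetAnsiString(property.Name)); break;
                    case EVT_VARIANT_TYPE.EvtVarTypeByte:       line.Append(record.GetUInt8(property.Name)); break;
                    case EVT_VARIANT_TYPE.EvtVarTypeUInt16:     line.Append(record.GetUInt16(property.Name)); break;
                    case EVT_VARIANT_TYPE.EvtVarTypeUInt32:     line.Append(record.GetUInt32(property.Name)); break;
                    case EVT_VARIANT_TYPE.EvtVarTypeUInt64:     line.Append(record.GetUInt64(property.Name)); break;
                    case EVT_VARIANT_TYPE.EvtVarTypeSByte:      line.Append(record.GetInt8(property.Name)); break;
                    case EVT_VARIANT_TYPE.EvtVarTypeInt16:      line.Append(record.GetInt16(property.Name)); break;
                    case EVT_VARIANT_TYPE.EvtVarTypeInt32:      line.Append(record.GetInt32(property.Name)); break;
                    case EVT_VARIANT_TYPE.EvtVarTypeInt64:      line.Append(record.GetInt64(property.Name)); break;
                    case EVT_VARIANT_TYPE.EvtVarTypeGuid:
                        // No reader for GUID payloads is used here; the "(Type N)" suffix below still identifies the field.
                        break;
                    default:
                        // Any other input type (binary, SID, pointer, ...) is listed by name and type only.
                        break;
                }

                line.Append(" (Type ").Append(property.Type).Append(")");
                line.Append("; ");
            }

            line.Append(" proc (").Append(record.ProcessId).Append(")");
        }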

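        /// <summary>
        /// Handles a DNS-client ETW event (only ids 1001 and 1004 are processed), records the addresses the
        /// query resolved to for the querying process in <c>dnsQueryCache</c>, and raises <c>DnsQueryEvent</c>.
        /// </summary>
        /// <param name="record">The ETW record delivered by the trace session.</param>
        /// <remarks>
        /// Called on the ETW worker thread. Everything needed from <paramref name="record"/> is copied out here,
        /// before the work is handed to the engine thread; the record itself is only touched during the callback.
        /// Events emitted by this process are ignored, as they stem from its own reverse lookups.
        /// NOTE(review): no eviction of <c>dnsQueryCache</c> is visible here — a process issuing many distinct
        /// queries grows it without bound unless expiry happens elsewhere; confirm.
        /// </remarks>
        private void OnDnsQueryEvent(Microsoft.O365.Security.ETW.IEventRecord record)
        {
            // WARNING: this function is called from the worker thread

            if (record.Id != 1001 && record.Id != 1004)
                return;

            DateTime timeStamp = record.Timestamp;
            int      processId = (int)record.ProcessId;
            string   hostName  = record.GetUnicodeString("NodeName", null);
            string   results   = record.GetUnicodeString("Result", null);

            if (processId == ProcFunc.CurID)
                return; // ignore these events as they are the result of reverse dns queries

            // Both payload fields are optional (defaulted to null above). Without them there is nothing to split
            // or cache, and a null host name would throw inside the dictionary lookup on the engine thread.
            if (hostName == null || results == null)
                return;

            /* Observed "NodeName" / "Result" pairs:
             * "" ";"
             * "localhost" "[::1]:8307;;" <- note the ":port" suffix on the address
             * "DESKTOP" "fe80::189a:f1c3:3e87:be81%12;;"
             * "" ";;;;;;"
             * "" ";"
             */

            AppLog.Debug("Etw dns_query {0} => {1} for {2}", hostName, results, processId);

            App.engine?.RunInEngineThread(() =>
            {
                // Note: this happens in the engine thread

                List<IPAddress> remoteAddresses = new List<IPAddress>();
                Dictionary<IPAddress, Dictionary<string, HostNameEntry>> dnsCache = null;

                foreach (string result in results.Split(new char[] { ';' }, StringSplitOptions.RemoveEmptyEntries))
                {
                    // Some results carry a ":port" suffix (see the samples above); retry on the part before it.
                    IPAddress address;
                    if (!IPAddress.TryParse(result, out address)
                     && !IPAddress.TryParse(TextHelpers.Split2(result, ":", true).Item1, out address))
                        continue;

                    // The listing as extracted never shows the list being filled; collecting each parsed address
                    // is the only use consistent with passing it to DnsEvent below — confirm against the original.
                    remoteAddresses.Add(address);

                    // Fetched lazily, as in the original: a query with no parsable address leaves the
                    // per-process cache untouched.
                    if (dnsCache == null)
                        dnsCache = dnsQueryCache.GetOrCreate(processId);

                    Dictionary<string, HostNameEntry> cacheEntries = dnsCache.GetOrCreate(address);

                    HostNameEntry cacheEntry;
                    if (!cacheEntries.TryGetValue(hostName, out cacheEntry))
                    {
                        cacheEntry = new HostNameEntry() { HostName = hostName };
                        cacheEntries.Add(hostName, cacheEntry);
                    }

                    cacheEntry.TimeStamp = timeStamp;
                }

                DnsQueryEvent?.Invoke(this, new DnsEvent()
                {
                    ProcessId = processId, HostName = hostName, RemoteAddresses = remoteAddresses, TimeStamp = timeStamp
                });
            });
        }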
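        /// <summary>
        /// Handles a kernel process ETW event: opcode 1 (start) registers the new process in <c>Processes</c>,
        /// opcode 2 (stop) stamps its <c>StopTime</c>. Records with a non-zero id are dropped.
        /// </summary>
        /// <param name="record">The ETW record delivered by the trace session.</param>
        /// <remarks>
        /// Called on the ETW worker thread. The fields needed later — including the timestamp — are copied out of
        /// <paramref name="record"/> here, and only the copies are used on the engine thread; the DNS handler
        /// follows the same rule, whereas this one previously read <c>record.Timestamp</c> inside the deferred lambda.
        /// NOTE(review): "CommandLine" is presumably the command line as supplied by the process itself and
        /// "ImageFileName" only a base name, so the path attributed to the pid derives from data the process
        /// controls — keep that in mind wherever <c>filePath</c> feeds policy decisions.
        /// </remarks>
        private void OnProcessEvent(Microsoft.O365.Security.ETW.IEventRecord record)
        {
            // WARNING: this function is called from the worker thread

            if (record.Id != 0)
                return;

            if (record.Opcode == 1) // start
            {
                //EtwAbstractLogger.OnEtwEvent(record, "proc");

                /* Payload as dumped by OnEtwEvent:
                 * UniqueProcessKey:  (Type 16)
                 * ProcessId: 27204 (Type 8)
                 * ParentId: 8540 (Type 8)
                 * SessionId: 1 (Type 8)
                 * ExitStatus: 259 (Type 7)
                 * DirectoryTableBase:  (Type 16)
                 * Flags: 0 (Type 8)
                 * UserSID:  (Type 310)
                 * ImageFileName: calc1.exe (Type 2)
                 * CommandLine: calc1 (Type 1)
                 * PackageFullName:  (Type 1)
                 * ApplicationId:  (Type 1)
                 */

                int      processId   = (int)record.GetUInt32("ProcessId", 0);
                string   commandLine = record.GetUnicodeString("CommandLine", null); // Note: the command line may contain a relative path (!)
                string   fileName    = record.GetAnsiString("ImageFileName", null);
                int      parentId    = (int)record.GetUInt32("ParentId", 0);
                DateTime startTime   = record.Timestamp; // copied on the worker thread, see remarks

                string filePath = GetPathFromCmd(commandLine, processId, fileName /*, record.Timestamp*/, parentId);

                if (filePath == null)
                    AppLog.Debug("Process Monitor could not resolve path for prosess ({0}) : {1}", processId, commandLine);

                //AppLog.Debug("Process Started: {0}", filePath);

                App.engine?.RunInEngineThread(() =>
                {
                    // Note: this happens in the engine thread

                    if (Processes.ContainsKey(processId))
                    {
                        AppLog.Debug("Possible PID conflict (pid {0} reused): {1}", processId, filePath);
                        // The stale entry must go first: Add throws on a duplicate key, which would take the
                        // engine thread down on every pid reuse.
                        Processes.Remove(processId);
                    }

                    Processes.Add(processId, new ProcInfo() { filePath = filePath, StartTime = startTime });
                });
            }
            else if (record.Opcode == 2) // stop
            {
                int      processId = (int)record.GetUInt32("ProcessId", 0);
                DateTime stopTime  = record.Timestamp; // copied on the worker thread, see remarks

                App.engine?.RunInEngineThread(() =>
                {
                    // Note: this happens in the engine thread

                    ProcInfo info;
                    if (Processes.TryGetValue(processId, out info))
                        info.StopTime = stopTime;
                });
            }
        }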