private bool EnableProvider()
{
var processProviderGuid = TraceEventSession.GetProviderByName(_provider);
if (processProviderGuid == Guid.Empty)
{
Console.WriteLine("Error could not find {0} etw provider.", _provider);
return(false);
}
_session.EnableProvider(processProviderGuid, TraceEventLevel.Verbose, _keywords);
return(true);
}
public void FetchEvents()
{
var sessionName = "ETWEventSession";
Action <TraceEvent> logAction = delegate(TraceEvent data)
{
string logToMonitor = data.ToString();
string lg = logToMonitor.ToLower();
if (WmiPreId != "0" && (logToMonitor.Contains(WmiPreId) || logToMonitor.Contains("wmiprvse")))
{
return;
}
if (Operation == 4)
{
if (PathToWatchList.PathToWatches.Count > 0)
{
if (PathToWatchList.PathToWatches.FirstOrDefault(x => lg.Contains(x.Path)) != null)
{
Console.WriteLine(logToMonitor);
_xml.LoadXml(logToMonitor.Replace("/>", " Time=\"" + data.TimeStamp + "\" />"));
var xdFile = JsonConvert.SerializeXmlNode(_xml);
ConqueEvent.Enqueue(xdFile);
}
}
}
else if (Operation == 2)
{
if (KeyToWatchList.KeyToWatches.Count > 0)
{
if (KeyToWatchList.KeyToWatches.FirstOrDefault(x => lg.Contains(x.Key)) != null)
{
Console.WriteLine(logToMonitor);
_xml.LoadXml(logToMonitor.Replace("/>", " Time=\"" + data.TimeStamp + "\" />"));
var xdFile = JsonConvert.SerializeXmlNode(_xml);
ConqueEvent.Enqueue(xdFile);
}
}
}
else if (Operation == 3)
{
if (NetConfigList.IpToWatches.Count > 0 || NetConfigList.PortToWatches.Count > 0)
{
var firstIndex = logToMonitor.IndexOf("daddr=\"");
var lastIndex = logToMonitor.Substring(firstIndex + 7).IndexOf("\"");// 7 is length daddr="
var ipAddr = Utility.LongToIpAddress(logToMonitor.Substring(firstIndex + 7, lastIndex));
var firstIndexp = logToMonitor.IndexOf("sport=\"");
var lastIndexp = logToMonitor.Substring(firstIndexp + 7).IndexOf("\"");// 7 is length sport="
var sport = logToMonitor.Substring(firstIndexp + 7, lastIndexp).Replace("-", "");
if (NetConfigList.IpToWatches.FirstOrDefault(x => ipAddr.Contains(x.IpAddress)) != null || NetConfigList.PortToWatches.FirstOrDefault(x => sport.Contains(x.Port)) != null)
{
Console.WriteLine(logToMonitor);
_xml.LoadXml(logToMonitor.Replace("/>", " Time=\"" + data.TimeStamp + "\" />"));
var xdFile = JsonConvert.SerializeXmlNode(_xml);
ConqueEvent.Enqueue(xdFile);
}
}
}
else
{
var log = new StringBuilder(logToMonitor);
Console.WriteLine(logToMonitor);
int i = lg.IndexOf("PID", StringComparison.Ordinal);
int j = lg.LastIndexOf("PID", StringComparison.Ordinal);
if (i != j)
{
log = log.Remove(j, 3).Insert(j, "PIDD");
}
_xml.LoadXml(log.ToString().Replace("/>", " Time=\"" + data.TimeStamp + "\" />"));
var xd = JsonConvert.SerializeXmlNode(_xml);
ConqueEvent.Enqueue(xd);
}
};
if (Operation == 4)//if user choose file event use different session
{
//session.EnableProvider(fileProviderGuid, TraceEventLevel.Informational, 0x100);
using (var kernelSession = new TraceEventSession(KernelTraceEventParser.KernelSessionName, null))
{
using (var kernelSource = new ETWTraceEventSource(KernelTraceEventParser.KernelSessionName, TraceEventSourceType.Session))
{
var kernelParser = new KernelTraceEventParser(kernelSource);
kernelSession.StopOnDispose = true;
kernelSession.EnableKernelProvider(
//KernelTraceEventParser.Keywords.NetworkTCPIP
// KernelTraceEventParser.Keywords.Process |
//KernelTraceEventParser.Keywords.Registry
KernelTraceEventParser.Keywords.DiskFileIO |
KernelTraceEventParser.Keywords.FileIOInit |
KernelTraceEventParser.Keywords.Thread |
KernelTraceEventParser.Keywords.FileIO
);
kernelParser.All += logAction;
kernelSource.Process();
}
}
}
else
{
using (var session = new TraceEventSession(sessionName, null))
{
session.StopOnDispose = true;
using (var source = new ETWTraceEventSource(sessionName, TraceEventSourceType.Session))
{
var registerParser = new RegisteredTraceEventParser(source);
registerParser.All += logAction;
var processProviderGuid = TraceEventSession.GetProviderByName("Microsoft-Windows-Kernel-Process");
var registryProviderGuid = TraceEventSession.GetProviderByName("Microsoft-Windows-Kernel-Registry");
var networkProviderGuid = TraceEventSession.GetProviderByName("Microsoft-Windows-Kernel-Network");
var fileProviderGuid = TraceEventSession.GetProviderByName("Microsoft-Windows-Kernel-File");
if (processProviderGuid == Guid.Empty)
{
Console.WriteLine("Error could not find Microsoft-Windows-Kernel-Process etw provider.");
}
switch (Operation)
{
case 1:
{
session.EnableProvider(processProviderGuid, TraceEventLevel.Informational, 0x10);
source.Process();
break;
}
case 2:
{
session.EnableProvider(registryProviderGuid, TraceEventLevel.Informational, 0x02100);
source.Process();
break;
}
case 3:
{
session.EnableProvider(networkProviderGuid, TraceEventLevel.Informational, 0x10);
source.Process();
break;
}
}
//session.EnableProvider(registryProviderGuid, TraceEventLevel.Informational, 0x02100);
// session.EnableProvider(networkProviderGuid, TraceEventLevel.Informational, 0x10);
// session.EnableProvider(fileProviderGuid, TraceEventLevel.Informational, 0x0200);
}
}
}
}
public CWatcherGC()
{
// Today you have to be Admin to turn on ETW events (anyone can write ETW events).
if (!(TraceEventSession.IsElevated() ?? false))
{
Console.WriteLine("To turn on ETW events you need to be Administrator, please run from an Admin process.");
return;//-1;
}
Process[] pr = null;
while (pr == null)
{
pr = Process.GetProcessesByName(/*"TradeSystem"*/ "P2ConnectorNativeImp");
Thread.Sleep(1000);
}
_procId = pr[0].Id;
// As mentioned below, sessions can outlive the process that created them. Thus you need a way of
// naming the session so that you can 'reconnect' to it from another process. This is what the name
// is for. It can be anything, but it should be descriptive and unique. If you expect mulitple versions
// of your program to run simultaneously, you need to generate unique names (e.g. add a process ID suffix)
var sessionName = "ProessMonitorSession";
using (var session = new TraceEventSession(sessionName, null)) // the null second parameter means 'real time session'
{
// Note that sessions create a OS object (a session) that lives beyond the lifetime of the process
// that created it (like Filles), thus you have to be more careful about always cleaning them up.
// An importanty way you can do this is to set the 'StopOnDispose' property which will cause the session to
// stop (and thus the OS object will die) when the TraceEventSession dies. Because we used a 'using'
// statement, this means that any exception in the code below will clean up the OS object.
session.StopOnDispose = true;
// By default, if you hit Ctrl-C your .NET objects may not be disposed, so force it to. It is OK if dispose is called twice.
Console.CancelKeyPress += delegate(object sender, ConsoleCancelEventArgs e) { session.Dispose(); };
// prepare to read from the session, connect the ETWTraceEventSource to the session
using (var source = new ETWTraceEventSource(sessionName, TraceEventSourceType.Session))
{
Action <TraceEvent> action = delegate(TraceEvent data)
{
if (data.ProcessID == _procId)
{
// if (data.EventName == "GC/SuspendEEStart" || data.EventName == "GC/SuspendEEStop")
//Console.WriteLine("GOT EVENT: " + data.ToString());
_logger.Log(data.ToString());
}
// _logger.Log(" MSec=" + data.TimeStampRelativeMSec + " Tid=" + data.ThreadID + " " + data.EventName+
// " preocessorN=" + data.ProcessorNumber);
/* var taskName = data.TaskName;
* if (taskName == "ProcessStart" || taskName == "ProcessStop")
* {
* string exe = (string) data.PayloadByName("ImageName");
* string exeName = Path.GetFileNameWithoutExtension(exe);
*
* int processId = (int) data.PayloadByName("ProcessID");
* if (taskName == "ProcessStart")
* {
* int parentProcessId = (int)data.PayloadByName("ParentProcessID");
* Console.WriteLine("{0:HH:mm:ss.fff}: {1,-12}: {2} ID: {3} ParentID: {4}",
* data.TimeStamp, taskName, exeName, processId, parentProcessId);
* }
* else
* {
* int exitCode = (int) data.PayloadByName("ExitCode");
* long cpuCycles = (long) data.PayloadByName("CPUCycleCount");
* Console.WriteLine("{0:HH:mm:ss.fff}: {1,-12}: {2} ID: {3} EXIT: {4} CPU Cycles: {5:n0}",
* data.TimeStamp, taskName, exeName, processId, exitCode, cpuCycles);
* }
* }
*/
};
// Hook up the parser that knows about Any EventSources regsitered with windows. (e.g. the OS ones.
var registeredParser = new RegisteredTraceEventParser(source);
registeredParser.All += action;
// You can also simply use 'logman query providers' to find out the GUID yourself and wire it in.
//var processProviderGuid = TraceEventSession.GetProviderByName("Microsoft-Windows-Kernel-Process");
var processProviderGuid = TraceEventSession.GetProviderByName("Microsoft-Windows-DotNETRuntime");
if (processProviderGuid == Guid.Empty)
{
Console.WriteLine("Error could not find Microsoft-Windows-Kernel-Process etw provider.");
return;//-1;
}
// Using logman query providers Microsoft-Windows-Kernel-Process I get
// 0x0000000000000010 WINEVENT_KEYWORD_PROCESS
// 0x0000000000000020 WINEVENT_KEYWORD_THREAD
// 0x0000000000000040 WINEVENT_KEYWORD_IMAGE
// 0x0000000000000080 WINEVENT_KEYWORD_CPU_PRIORITY
// 0x0000000000000100 WINEVENT_KEYWORD_OTHER_PRIORITY
// 0x0000000000000200 WINEVENT_KEYWORD_PROCESS_FREEZE
// 0x8000000000000000 Microsoft-Windows-Kernel-Process/Analytic
// So 0x10 is WINEVENT_KEYWORD_PROCESS
session.EnableProvider(processProviderGuid, TraceEventLevel.Informational, 0x10);
//session.EnableProvider(processProviderGuid, TraceEventLevel.Always, 0x0000000000000001); ;
session.EnableProvider(processProviderGuid, TraceEventLevel.Always, 0x0000000000000000);;
Console.WriteLine("Starting Listening for events");
// go into a loop processing events can calling the callbacks. Because this is live data (not from a file)
// processing never completes by itself, but only because someone called 'source.Close()'.
source.Process();
Console.WriteLine();
Console.WriteLine("Stopping Listening for events");
}
}
}
static int Main(string[] args)
{
bool bNetConnect = false, bNetTransfer = false, bProcess = false, bThread = false, bImageLoad = false;
bool bDns = false, bSysmon = false, bRegistry = false, bFile = false;
if (args.Length == 0)
{
Console.WriteLine("\nUsage: ETWMonitor [net_connect | net_transfer | process | thread | imageload | memory | registry | dns | sysmon]\n");
Console.WriteLine("net_connect : Show new TCP connections");
Console.WriteLine("net_transfer : Show network transfers");
Console.WriteLine("process : Show process creations and exits");
Console.WriteLine("thread : Show suspicious thread creation (cross-process)");
Console.WriteLine("imageload : Show image loading");
Console.WriteLine("file : Show file activity");
Console.WriteLine("registry : Show registry details");
Console.WriteLine("dns : Show DNS requests");
Console.WriteLine("sysmon : Show entries from Sysmon");
return(1);
}
if (args[0] == "net_connect")
{
Console.WriteLine("\nShowing new network connections");
bNetConnect = true;
}
else if (args[0] == "net_transfer")
{
Console.WriteLine("\nShowing network transfers");
bNetTransfer = true;
}
else if (args[0] == "process")
{
Console.WriteLine("\nShowing process creation and exits");
bProcess = true;
}
else if (args[0] == "thread")
{
Console.WriteLine("\nShowing suspicious thread creations (cross-process)");
bThread = true;
}
else if (args[0] == "imageload")
{
Console.WriteLine("\nShowing image loads");
bImageLoad = true;
}
else if (args[0] == "file")
{
Console.WriteLine("\nShowing file system activity");
bFile = true;
}
else if (args[0] == "registry")
{
Console.WriteLine("\nShowing registry details");
bRegistry = true;
}
else if (args[0] == "dns")
{
Console.WriteLine("\nShowing DNS requests");
bDns = true;
}
else if (args[0] == "sysmon")
{
Console.WriteLine("\nShowing Sysmon entries");
bSysmon = true;
}
else
{
Console.WriteLine("\nInvalid option");
return(1);
}
// Today you have to be Admin to turn on ETW events (anyone can write ETW events).
if (!(TraceEventSession.IsElevated() ?? false))
{
Console.WriteLine("To turn on ETW events you need to be Administrator, please run from an Admin process.");
return(-1);
}
var sessionName = "";
if (bNetConnect)
{
sessionName = "NetConnectSession";
}
else if (bNetTransfer)
{
sessionName = "NetTransferSession";
}
else if (bProcess)
{
sessionName = "ProcessSession";
}
else if (bThread)
{
sessionName = "ThreadSession";
}
else if (bImageLoad)
{
sessionName = "ImageLoadSession";
}
else if (bFile)
{
sessionName = "FileSession";
}
else if (bRegistry)
{
sessionName = "RegistrySession";
}
else if (bDns)
{
sessionName = "DnsSession";
}
else if (bSysmon)
{
sessionName = "SysmonSession";
}
else
{
Console.WriteLine("Error");
return(-1);
}
using (var session = new TraceEventSession(sessionName, null)) // the null second parameter means 'real time session'
{
session.StopOnDispose = true;
Console.CancelKeyPress += delegate(object sender, ConsoleCancelEventArgs e) { session.Dispose(); };
// prepare to read from the session, connect the ETWTraceEventSource to the session
using (var source = new ETWTraceEventSource(sessionName, TraceEventSourceType.Session))
{
Action <TraceEvent> action = delegate(TraceEvent data)
{
var taskName = data.TaskName;
var EventName = data.EventName;
if (bProcess)
{
if (EventName == "Process/DCStart" || EventName == "Process/Start")
{
ProcessTraceData startprocdata = (ProcessTraceData)data;
string exe = (string)data.PayloadByName("ImageFileName");
Console.Write(DateTime.Now.ToString("yyyy-MM-dd HH:mm:ss ") + EventName);
Console.Write(" PPID: " + startprocdata.ParentID.ToString() + " PID: " + startprocdata.ProcessID.ToString());
Console.Write(" Name: " + exe);
Process PName = GetProcByID2(startprocdata.ParentID);
if (PName != null)
{
Console.Write(" ParentName: " + PName.ProcessName);
}
Console.WriteLine(" CommandLine: " + startprocdata.CommandLine);
}
else if (EventName == "Process/End")
{
ProcessTraceData exitprocdata = (ProcessTraceData)data;
string exe = (string)data.PayloadByName("ImageFileName");
Console.Write(DateTime.Now.ToString("yyyy-MM-dd HH:mm:ss ") + EventName);
Console.WriteLine(" PPID: " + exitprocdata.ParentID.ToString() + " PID: " + exitprocdata.ProcessID.ToString() + " " + exe);
}
}
else if (bNetConnect)
{
if (taskName == "TcpRequestConnect")
{
int threadID = data.ThreadID;
int processID = data.ProcessID;
byte[] local_addr = (byte[])data.PayloadByName("LocalAddress");
byte[] remote_addr = (byte[])data.PayloadByName("RemoteAddress");
if (local_addr == null || remote_addr == null)
{
Console.WriteLine("Null addr!");
}
// First two bytes are address family: 2 for ipv4, 10 for ipv6
// Next two bytes are the port
var family = new byte[2];
family[0] = local_addr[0];
family[1] = local_addr[1];
ushort family_nr = BitConverter.ToUInt16(family, 0);
if (family_nr == 2)
{
var local_port = new byte[2];
var remote_port = new byte[2];
local_port[0] = local_addr[2];
local_port[1] = local_addr[3];
Array.Reverse(local_port); // Need to reverse port
remote_port[0] = remote_addr[2];
remote_port[1] = remote_addr[3];
Array.Reverse(remote_port); // Need to reverse port
ushort local_port_nr = BitConverter.ToUInt16(local_port, 0);
ushort remote_port_nr = BitConverter.ToUInt16(remote_port, 0);
Process proc;
string processname = "<not found>";
if (processID > 0)
{
proc = GetProcByID(processID);
if (proc != null)
{
processname = proc.MainModule.ModuleName;
}
}
Console.Write(data.TimeStamp.ToString("yyyy-MM-dd HH:mm:ss") + " " + taskName + " PID: " + processID);
int parentid = GetParentProcessID(processID);
if (parentid != 0)
{
Console.Write(" PPID: " + parentid);
}
else
{
Console.Write(" PPID: (null)");
}
Console.Write(" TID: " + threadID + " Name: " + processname);
proc = GetProcByID(parentid);
if (proc != null)
{
Console.Write(" Parent Name: " + proc.ProcessName);
}
else
{
Console.Write(" Parent Name: (null)");
}
string local_ip = local_addr[4] + "." + local_addr[5] + "." + local_addr[6] + "." + local_addr[7];
string remote_ip = remote_addr[4] + "." + remote_addr[5] + "." + remote_addr[6] + "." + remote_addr[7];
Console.Write(" " + local_ip + ":" + local_port_nr + "->");
Console.WriteLine(remote_ip + ":" + remote_port_nr + " ");
}
else if (family_nr == 0x10)
{
Console.WriteLine("IPV6");
}
}
}
else if (bNetTransfer)
{
if (EventName == "TcpIp/Send" || EventName == "TcpIp/Recv")
{
Console.Write(data.TimeStamp.ToString("yyyy-MM-dd HH:mm:ss") + " " + EventName + " PID: " + data.ProcessID);
Process processname;
processname = GetProcByID(data.ProcessID);
if (processname != null)
{
Console.Write(" Name: " + processname.ProcessName);
}
else
{
Console.Write(" Name: (null)");
}
IPAddress saddr = (IPAddress)data.PayloadByName("saddr");
IPAddress daddr = (IPAddress)data.PayloadByName("daddr");
int sport = (int)data.PayloadByName("sport");
int dport = (int)data.PayloadByName("dport");
int size = (int)data.PayloadByName("size");
Console.Write(" Src: " + saddr.ToString() + ":" + sport + " Dst: " + daddr.ToString() + ":" + dport);
Console.WriteLine(" Size: " + size);
}
}
else if (bThread) // try to catch remote thread injections only
{
if (taskName == "ThreadStart")
{
int destProcessID = (int)data.PayloadByName("ProcessID");
int parentid;
Process processname;
if (data.ProcessID != destProcessID && data.ProcessID != 4)
{
// check if destpid is not a child of srcpid, otherwise we have a problem!
// check the parentpid of srcpid
int destThreadID = (int)data.PayloadByName("ThreadID");
int srcThreadID = data.ThreadID;
parentid = GetParentProcessID(destProcessID);
if (parentid != 0 && parentid != data.ProcessID)
{
Console.Write(data.TimeStamp.ToString("yyyy-MM-dd HH:mm:ss") + " POSSIBLE THREAD INJECTION: ");
Console.Write(taskName + " TID: " + destThreadID + " SrcTID: " + srcThreadID + " SrcPID: " + data.ProcessID);
Console.Write(" DestPID: " + destProcessID);
processname = GetProcByID(data.ProcessID);
if (processname != null)
{
Console.Write(" SrcName: " + processname.ProcessName);
}
else
{
Console.Write(" SrcName: (null)");
}
processname = GetProcByID(destProcessID);
if (processname != null)
{
Console.WriteLine(" DestName: " + processname.ProcessName);
}
else
{
Console.WriteLine(" DestName: (null)");
}
Console.WriteLine("\nDetailed information:\n" + data.ToString());
}
}
}
}
else if (bImageLoad)
{
if (EventName == "Image/DCStart" || EventName == "Image/Load" || EventName == "Image/Unload")
{
int pid = (int)data.ProcessID;
Console.Write(data.TimeStamp.ToString("yyyy-MM-dd HH:mm:ss ") + EventName);
Console.Write(" PID: " + pid);
Process processname;
processname = GetProcByID(pid);
if (processname != null)
{
Console.Write(" Name: " + processname.ProcessName);
}
else
{
Console.Write(" Name: (null)");
}
string filename = (string)data.PayloadByName("FileName");
Console.WriteLine(" FileName: " + filename);
}
}
else if (bFile)
{
if (EventName == "CreateNewFile" || EventName == "DeletePath" || EventName == "NameDelete")
{
int pid = (int)data.ProcessID;
Console.Write(data.TimeStamp.ToString("yyyy-MM-dd HH:mm:ss ") + EventName);
Console.Write(" PID: " + pid);
Process processname;
processname = GetProcByID(pid);
if (processname != null)
{
Console.Write(" Name: " + processname.ProcessName);
}
else
{
Console.Write(" Name: (null)");
}
string filename = "";
if (EventName == "DeletePath")
{
filename = (string)data.PayloadByName("FilePath");
}
else
{
filename = (string)data.PayloadByName("FileName");
}
Console.WriteLine(" File: " + filename);
}
}
else if (bRegistry)
{
if (EventName == "EventID(1)/CreateKey" || EventName == "EventID(5)/SetValueKey" || EventName == "EventID(3)/DeleteKey" || EventName == "EventID(6)/DeleteValueKey")
{
int pid = (int)data.ProcessID;
Console.Write(data.TimeStamp.ToString("yyyy-MM-dd HH:mm:ss ") + EventName);
Console.Write(" PID: " + pid);
Process processname;
processname = GetProcByID(pid);
if (processname != null)
{
Console.Write(" Name: " + processname.ProcessName);
}
else
{
Console.Write(" Name: (null)");
}
if (EventName == "EventID(1)/CreateKey")
{
string RelativeName = (string)data.PayloadByName("RelativeName");
int status = (int)data.PayloadByName("Status");
Console.WriteLine(" Status: " + status + " RelativeName: " + RelativeName);
}
else if (EventName == "EventID(3)/DeleteKey")
{
int status = (int)data.PayloadByName("Status");
Console.WriteLine(" Status: " + status);
}
else if (EventName == "EventID(5)/SetValueKey")
{
string ValueName = (string)data.PayloadByName("ValueName");
int status = (int)data.PayloadByName("Status");
Console.WriteLine(" Status: " + status + " ValueName: " + ValueName);
}
else if (EventName == "EventID(6)/DeleteValueKey")
{
string ValueName = (string)data.PayloadByName("ValueName");
int status = (int)data.PayloadByName("Status");
Console.WriteLine(" Status: " + status + " ValueName: " + ValueName);
}
}
}
else if (bDns)
{
int pid = (int)data.ProcessID;
Console.Write(data.TimeStamp.ToString("yyyy-MM-dd HH:mm:ss ") + EventName);
Console.Write(" PID: " + pid);
Process processname;
processname = GetProcByID(pid);
if (processname != null)
{
Console.Write(" Name: " + processname.ProcessName);
}
else
{
Console.Write(" Name: (null)");
}
string QueryName = (string)data.PayloadByName("QueryName");
Console.WriteLine(" QueryName: " + QueryName);
}
else if (bSysmon)
{
Console.WriteLine(data.ToString());
}
};
// You can also simply use 'logman query providers' to find out the GUID yourself and wire it in.
Guid processProviderGuid;
if (bProcess)
{
session.EnableKernelProvider(KernelTraceEventParser.Keywords.Process);
}
else if (bNetConnect)
{
processProviderGuid = TraceEventSession.GetProviderByName("Microsoft-Windows-TCPIP");
session.EnableProvider(processProviderGuid, TraceEventLevel.Informational, 0x80); // ut:TcpipDiagnosis seems to do the job
}
else if (bNetTransfer)
{
session.EnableKernelProvider(KernelTraceEventParser.Keywords.NetworkTCPIP);
}
else if (bThread)
{
processProviderGuid = TraceEventSession.GetProviderByName("Microsoft-Windows-Kernel-Process");
session.EnableProvider(processProviderGuid, TraceEventLevel.Informational, 0x20); // WINEVENT_KEYWORD_THREAD
}
else if (bImageLoad)
{
session.EnableKernelProvider(KernelTraceEventParser.Keywords.ImageLoad);
}
else if (bFile)
{
processProviderGuid = TraceEventSession.GetProviderByName("Microsoft-Windows-Kernel-File");
session.EnableProvider(processProviderGuid, TraceEventLevel.Informational, 0x0000000000001410); // KERNEL_FILE_KEYWORD_CREATE_NEW_FILE, KERNEL_FILE_KEYWORD_DELETE_PATH, KERNEL_FILE_KEYWORD_FILENAME
}
else if (bRegistry)
{
processProviderGuid = TraceEventSession.GetProviderByName("Microsoft-Windows-Kernel-Registry");
session.EnableProvider(processProviderGuid, TraceEventLevel.Informational, 0x0000000000005300); // SetValueKey, CreateKey, DeleteKey, DeleteValueKey
}
else if (bDns)
{
processProviderGuid = TraceEventSession.GetProviderByName("Microsoft-Windows-DNS-Client");
session.EnableProvider(processProviderGuid, TraceEventLevel.Informational, 0x8000000000000000); //
}
else if (bSysmon)
{
processProviderGuid = TraceEventSession.GetProviderByName("Microsoft-Windows-Sysmon");
session.EnableProvider(processProviderGuid, TraceEventLevel.Informational, 0x8000000000000000); // KERNEL_MEM_KEYWORD_MEMINFO
}
else
{
Console.WriteLine("Error");
return(-1);
}
// We use different parsers depending on the events. For TCP/IP stuff we need to
// use another since we want to register not only ProcessID but also ThreadID for each event
if (bNetConnect || bThread || bFile || bRegistry || bDns || bSysmon)
{
// Hook up the parser that knows about Any EventSources regsitered with windows. (e.g. the OS ones).
var registeredParser = new RegisteredTraceEventParser(source);
registeredParser.All += action;
}
else
{
// Hook up the parser that knows about kernel traces
var KernelParser = new KernelTraceEventParser(source);
KernelParser.All += action;
}
Console.WriteLine("Starting Listening for events");
// go into a loop processing events can calling the callbacks. Because this is live data (not from a file)
// processing never completes by itself, but only because someone called 'source.Close()'.
source.Process();
Console.WriteLine();
Console.WriteLine("Stopping Listening for events");
}
}
return(0);
}