/// <summary>
/// Hook for dynamic (manifest-based) provider events. The body is intentionally
/// empty: the exploratory payload dump that once lived here is kept below as a
/// comment so the original intent is not lost, but nothing is executed.
/// </summary>
/// <param name="e">The parsed event; currently ignored.</param>
public void SubscribeDynamicEvents(Microsoft.Diagnostics.Tracing.TraceEvent e)
{
    // No-op. Earlier exploration (disabled) — it wrote raw event payloads to
    // the console, which is useful while reverse-engineering a provider's
    // schema but not something to leave enabled:
    //
    //   if (e.PayloadNames.Length > 0)
    //   {
    //       Console.WriteLine($"{e.EventName} {e.EventIndex} {e.FormattedMessage}");
    //       Console.WriteLine(string.Join(", ", e.GetDynamicMemberNames().Select(n => n.ToString())));
    //       foreach (var name in e.PayloadNames)
    //       {
    //           Console.WriteLine($"name: {name}");
    //       }
    //       // var payloadContainer = e.PayloadValue(0) as IDictionary<string, object>;
    //       // if (payloadContainer == null) return null;
    //       // if (payloadContainer["Payload"] is IDictionary<string, object> payload) return payload;
    //   }
    //   // Console.WriteLine(e.Dump(true, false));
}
/// <summary>
/// Builds an <see cref="EventItem"/> from a received kernel ETW event.
/// Index, timestamps, process/thread identity, provider and event name are
/// copied from <paramref name="data"/>; the text fields are only set when the
/// caller supplied a non-null value.
/// </summary>
/// <param name="data">The source event.</param>
/// <param name="inputs">Formatted input arguments, or null to leave the field untouched.</param>
/// <param name="result">Formatted result, or null to leave the field untouched.</param>
/// <param name="outputs">Formatted outputs, or null to leave the field untouched.</param>
/// <param name="caller">Caller description, or null to leave the field untouched.</param>
public EventItem(Microsoft.Diagnostics.Tracing.TraceEvent data, string inputs, string result, string outputs, string caller)
{
    // CTOR used for received kernel events.
    _Index = (int)data.EventIndex;

    // The relative timestamp is stored truncated to whole milliseconds; a
    // kernel event carries no duration of its own, so start and end coincide.
    int relativeMs = (int)data.TimeStampRelativeMSec;
    _Start = relativeMs;
    _End = relativeMs;

    // NOTE(review): the fallback is the machine's local time (DateTime.Now),
    // not the time the trace recorded. If TimeStamp is a non-nullable DateTime
    // this branch can never run — confirm against the TraceEvent API.
    _Timestamp = data.TimeStamp != null ? data.TimeStamp : DateTime.Now;

    // Events without a resolvable image name are labelled by PID instead.
    bool hasProcessName = !string.IsNullOrEmpty(data.ProcessName);
    _ProcessName = hasProcessName ? data.ProcessName : $"unknown({data.ProcessID})";

    _ProcessID = data.ProcessID;
    _ThreadID = data.ThreadID;

    // Optional values: a null keeps whatever the field already holds.
    _EventSource = data.ProviderName ?? _EventSource;
    _Event = data.EventName ?? _Event;
    _Inputs = inputs ?? _Inputs;
    _Result = result ?? _Result;
    _Outputs = outputs ?? _Outputs;
    _Caller = caller ?? _Caller;
}
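/// <summary>
/// Dispatches kernel heap events to the per-kind aggregators.
/// Handled: Heap/Alloc, Heap/ReAlloc, Heap/Free. Everything else — including
/// StackWalk/Stack, which is associated with the preceding event — is ignored here.
/// </summary>
/// <param name="obj">The kernel event to dispatch.</param>
private void Source_AllEvents(Microsoft.Diagnostics.Tracing.TraceEvent obj)
{
    // PayloadByName returns a boxed value whose width follows the provider's
    // manifest; a direct (ulong) unbox throws InvalidCastException when the
    // field is boxed as a narrower integer. Convert handles every integral width.
    ulong PayloadAsUInt64(string name) => Convert.ToUInt64(obj.PayloadByName(name));

    switch (obj.EventName)
    {
        case "Heap/Alloc":
            // Remember the allocation per thread so a later Heap/Free on the
            // same thread can be paired with it.
            var lastAllocationData = AggregateAlloc(
                PayloadAsUInt64("AllocSize"),
                PayloadAsUInt64("AllocAddress"));
            _lastAllocationDataByThread[obj.ThreadID] = lastAllocationData;
            break;

        case "Heap/ReAlloc":
            AggregateRealloc(
                PayloadAsUInt64("NewAllocSize"),
                PayloadAsUInt64("OldAllocSize"),
                PayloadAsUInt64("NewAllocAddress"),
                PayloadAsUInt64("OldAllocAddress"));
            break;

        case "Heap/Free":
            // A free can arrive on a thread with no recorded allocation (the
            // session started mid-stream, or the Alloc event was lost). The
            // dictionary indexer would throw KeyNotFoundException inside the
            // ETW callback and stop processing, so look the entry up safely and
            // skip frees that cannot be paired with an allocation.
            if (_lastAllocationDataByThread.TryGetValue(obj.ThreadID, out var lastAllocation))
            {
                AggregateFree(obj.ProcessID, lastAllocation, PayloadAsUInt64("FreeAddress"));
            }
            break;
    }
}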
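/// <summary>
/// Handles dynamic-provider events. For a process-start event (Opcode Start,
/// task "ProcessStart") whose token is elevated, builds an
/// <see cref="ElevatedProcessInformation"/> and enqueues it on
/// <c>elevatedProcessList</c> when <c>Settings.LogElevatedProcesses</c> says it
/// should be logged: always, or only when the named-pipe service reports the
/// session's user as a member of the admins group.
/// </summary>
/// <param name="obj">The event to inspect.</param>
/// <exception cref="System.ServiceModel.CommunicationException">
/// Propagated when the OnlyWhenAdmin lookup over the named pipe fails; the
/// channel factory is aborted first so it does not leak.
/// </exception>
private void Dynamic_All(Microsoft.Diagnostics.Tracing.TraceEvent obj)
{
    // Task names are identifiers, so compare them ordinally rather than with
    // the culture-sensitive string.Compare(..., ignoreCase: true).
    if (obj.Opcode != Microsoft.Diagnostics.Tracing.TraceEventOpcode.Start
        || !string.Equals(obj.TaskName, "ProcessStart", StringComparison.OrdinalIgnoreCase))
    {
        return;
    }

    // PayloadValue returns a boxed value whose width follows the provider's
    // manifest; a direct (int) unbox throws InvalidCastException if the field
    // is boxed as, e.g., a UInt32. Convert accepts any integral width.
    int ReadInt32Payload(string name, int fallback)
    {
        int i = obj.PayloadIndex(name);
        return i >= 0 ? Convert.ToInt32(obj.PayloadValue(i)) : fallback;
    }

    // Only processes started with an elevated token are of interest.
    if (ReadInt32Payload("ProcessTokenIsElevated", 0) != 1)
    {
        return;
    }

    var elevatedProcess = new ElevatedProcessInformation
    {
        // int.MinValue marks "payload absent", as before.
        ProcessID = ReadInt32Payload("ProcessID", int.MinValue),
    };

    int index = obj.PayloadIndex("ProcessTokenElevationType");
    if (index >= 0)
    {
        elevatedProcess.ElevationType = (TokenElevationType)ReadInt32Payload("ProcessTokenElevationType", 0);
    }

    index = obj.PayloadIndex("SessionID");
    if (index >= 0)
    {
        elevatedProcess.SessionID = ReadInt32Payload("SessionID", int.MinValue);
    }

    index = obj.PayloadIndex("CreateTime");
    if (index >= 0)
    {
        elevatedProcess.CreateTime = (DateTime)obj.PayloadValue(index);
    }

    // Determine whether the process should be logged. It should be logged if
    // 1. the process logging setting is Always, or
    // 2. it is OnlyWhenAdmin and the session's user is in the admins group.
    // Read the setting once so a single, consistent policy decides this event.
    ElevatedProcessLogging logging = Settings.LogElevatedProcesses;
    bool processShouldBeLogged = logging == ElevatedProcessLogging.Always;
    if (logging == ElevatedProcessLogging.OnlyWhenAdmin)
    {
        processShouldBeLogged = QuerySessionIsInAdminGroup(elevatedProcess.SessionID);
    }

    if (processShouldBeLogged)
    {
        elevatedProcessList.Enqueue(elevatedProcess);
    }

    // Asks the named-pipe service whether the given session's user is in the
    // admins group. Uses the standard WCF close/abort pattern: the original
    // code leaked the factory (and left a faulted channel open) whenever the
    // call threw. The exception still propagates, so a failed lookup does not
    // silently change which elevated processes get recorded.
    bool QuerySessionIsInAdminGroup(int sessionId)
    {
        var binding = new NetNamedPipeBinding(NetNamedPipeSecurityMode.Transport);
        var namedPipeFactory = new ChannelFactory<IAdminGroup>(binding, Settings.NamedPipeServiceBaseAddress);
        try
        {
            IAdminGroup channel = namedPipeFactory.CreateChannel();
            bool inList = channel.UserSessionIsInList(sessionId);
            namedPipeFactory.Close();
            return inList;
        }
        catch
        {
            // A faulted communication object must be aborted, not closed.
            namedPipeFactory.Abort();
            throw;
        }
    }
}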