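        /// <summary>
        /// Handler for dynamically-parsed provider events. Intentionally a no-op: the body used to
        /// hold a commented-out console dump of the event name, payload names and dynamic member
        /// names, which was removed as dead code. The event is not inspected or stored here.
        /// </summary>
        /// <param name="e">The event delivered by the trace source; currently unused.</param>
        public void SubscribeDynamicEvents(Microsoft.Diagnostics.Tracing.TraceEvent e)
        {
        }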
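        /// <summary>
        /// Builds an item from a received kernel event, copying the identifying fields from
        /// <paramref name="data"/> together with the caller-supplied description strings.
        /// Start and end are both initialised to the event's relative timestamp, truncated to
        /// whole milliseconds by the int cast.
        /// </summary>
        /// <param name="data">The trace event to describe. Must not be null.</param>
        /// <param name="inputs">Formatted inputs, or null to leave the field at its default.</param>
        /// <param name="result">Formatted result, or null to leave the field at its default.</param>
        /// <param name="outputs">Formatted outputs, or null to leave the field at its default.</param>
        /// <param name="caller">Caller description, or null to leave the field at its default.</param>
        /// <exception cref="ArgumentNullException"><paramref name="data"/> is null.</exception>
        public EventItem(Microsoft.Diagnostics.Tracing.TraceEvent data, string inputs, string result, string outputs, string caller)
        {
            // CTOR Used for received kernel events
            if (data is null)
            {
                throw new ArgumentNullException(nameof(data));
            }

            _Index = (int)data.EventIndex;
            _Start = (int)data.TimeStampRelativeMSec;
            _End   = (int)data.TimeStampRelativeMSec;

            // TraceEvent.TimeStamp is a non-nullable DateTime: the original "!= null" test could
            // never fail, so its DateTime.Now fallback was unreachable and has been dropped.
            _Timestamp = data.TimeStamp;

            // The process id is an identifier, not user-facing text, so it is formatted
            // culture-invariantly.
            _ProcessName = string.IsNullOrEmpty(data.ProcessName)
                ? "unknown(" + data.ProcessID.ToString(System.Globalization.CultureInfo.InvariantCulture) + ")"
                : data.ProcessName;

            _ProcessID = data.ProcessID;
            _ThreadID  = data.ThreadID;

            // A null value leaves the corresponding field at its declared default.
            if (data.ProviderName != null)
            {
                _EventSource = data.ProviderName;
            }
            if (data.EventName != null)
            {
                _Event = data.EventName;
            }
            if (inputs != null)
            {
                _Inputs = inputs;
            }
            if (result != null)
            {
                _Result = result;
            }
            if (outputs != null)
            {
                _Outputs = outputs;
            }
            if (caller != null)
            {
                _Caller = caller;
            }
        }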
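        /// <summary>
        /// Dispatches kernel heap events to the aggregation helpers.
        /// Events handled here:
        ///   Heap/Alloc   - aggregates the allocation and remembers its result per thread
        ///   Heap/ReAlloc - forwards old/new size and address
        ///   Heap/Free    - forwards the free together with the last allocation seen on the same thread
        /// StackWalk/Stack (associated with the preceding event) is not handled in this switch.
        /// </summary>
        /// <param name="obj">The raw trace event; only its name, process/thread ids and named payloads are read.</param>
        private void Source_AllEvents(Microsoft.Diagnostics.Tracing.TraceEvent obj)
        {
            switch (obj.EventName)
            {
            case "Heap/Alloc":
                _lastAllocationDataByThread[obj.ThreadID] = AggregateAlloc(
                    (ulong)obj.PayloadByName("AllocSize"),
                    (ulong)obj.PayloadByName("AllocAddress"));
                break;

            case "Heap/ReAlloc":
                AggregateRealloc(
                    (ulong)obj.PayloadByName("NewAllocSize"),
                    (ulong)obj.PayloadByName("OldAllocSize"),
                    (ulong)obj.PayloadByName("NewAllocAddress"),
                    (ulong)obj.PayloadByName("OldAllocAddress"));
                break;

            case "Heap/Free":
                // A free on a thread with no Alloc seen since tracing started has no allocation
                // to be matched against; the original indexer threw KeyNotFoundException here.
                // NOTE(review): such frees are now skipped — confirm AggregateFree has nothing
                // meaningful to do without a preceding allocation record.
                if (_lastAllocationDataByThread.TryGetValue(obj.ThreadID, out var lastAllocationData))
                {
                    AggregateFree(obj.ProcessID, lastAllocationData, (ulong)obj.PayloadByName("FreeAddress"));
                }
                break;
            }
        }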
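        /// <summary>
        /// Handler for dynamically-parsed events: watches for the kernel "ProcessStart" task and,
        /// when the new process has an elevated token, records it in <c>elevatedProcessList</c>.
        /// Whether it is recorded depends on <c>Settings.LogElevatedProcesses</c>: <c>Always</c>
        /// records every elevated process; <c>OnlyWhenAdmin</c> first asks the named-pipe
        /// admin-group service whether the process's session belongs to a listed user.
        /// A failure of that service call propagates out of this callback and the process is not
        /// recorded (unchanged from the original). NOTE(review): confirm that dropping the event,
        /// rather than recording it, is the intended outcome when the service is unreachable.
        /// </summary>
        /// <param name="obj">The trace event; only ProcessStart events with the Start opcode are examined.</param>
        private void Dynamic_All(Microsoft.Diagnostics.Tracing.TraceEvent obj)
        {
            // Ordinal comparison: the task name is a provider identifier, not linguistic text.
            if (obj.Opcode != Microsoft.Diagnostics.Tracing.TraceEventOpcode.Start
                || !string.Equals(obj.TaskName, "ProcessStart", StringComparison.OrdinalIgnoreCase))
            {
                return;
            }

            // A missing ProcessTokenIsElevated payload counts as "not elevated".
            if (!TryGetPayload(obj, "ProcessTokenIsElevated", out int processIsElevated) || processIsElevated != 1)
            {
                return;
            }

            // int.MinValue marks a ProcessID payload that was not present on the event.
            var elevatedProcess = new ElevatedProcessInformation
            {
                ProcessID = TryGetPayload(obj, "ProcessID", out int processId) ? processId : int.MinValue
            };

            // Each optional payload only overrides the property when it is present on the event.
            if (TryGetPayload(obj, "ProcessTokenElevationType", out int elevationType))
            {
                elevatedProcess.ElevationType = (TokenElevationType)elevationType;
            }
            if (TryGetPayload(obj, "SessionID", out int sessionId))
            {
                elevatedProcess.SessionID = sessionId;
            }
            if (TryGetPayload(obj, "CreateTime", out DateTime createTime))
            {
                elevatedProcess.CreateTime = createTime;
            }

            if (ShouldLogElevatedProcess(elevatedProcess))
            {
                elevatedProcessList.Enqueue(elevatedProcess);
            }
        }

        /// <summary>
        /// Decides whether an elevated process is recorded: always when the setting is
        /// <c>Always</c>; only when its session is on the admin-group service's list when the
        /// setting is <c>OnlyWhenAdmin</c>; never otherwise.
        /// NOTE(review): when the SessionID payload was absent the query is made with the
        /// property's default value — confirm that is acceptable for the service.
        /// </summary>
        /// <param name="elevatedProcess">The process information assembled from the event.</param>
        /// <returns>True when the process should be enqueued.</returns>
        private bool ShouldLogElevatedProcess(ElevatedProcessInformation elevatedProcess)
        {
            switch (Settings.LogElevatedProcesses)
            {
            case ElevatedProcessLogging.Always:
                return true;
            case ElevatedProcessLogging.OnlyWhenAdmin:
                return UserSessionIsInAdminList(elevatedProcess.SessionID);
            default:
                return false;
            }
        }

        /// <summary>
        /// Asks the named-pipe admin-group service whether <paramref name="sessionId"/> belongs to
        /// a listed user. The channel factory is closed on success and aborted on failure, so a
        /// faulted WCF channel is never left open or asked for a graceful close; any exception
        /// from the call is rethrown unchanged.
        /// </summary>
        /// <param name="sessionId">The Windows session id of the new process.</param>
        /// <returns>The service's answer.</returns>
        private bool UserSessionIsInAdminList(int sessionId)
        {
            var binding = new NetNamedPipeBinding(NetNamedPipeSecurityMode.Transport);
            var namedPipeFactory = new ChannelFactory<IAdminGroup>(binding, Settings.NamedPipeServiceBaseAddress);
            try
            {
                IAdminGroup channel = namedPipeFactory.CreateChannel();
                bool isListed = channel.UserSessionIsInList(sessionId);
                namedPipeFactory.Close();
                return isListed;
            }
            catch
            {
                // Close() on a faulted channel throws (and can wait for the close timeout);
                // Abort() releases the pipe immediately. "throw;" keeps the original stack trace.
                namedPipeFactory.Abort();
                throw;
            }
        }

        /// <summary>
        /// Reads the named payload of <paramref name="e"/> into <paramref name="value"/>.
        /// </summary>
        /// <param name="e">The event to read from.</param>
        /// <param name="name">The payload field name.</param>
        /// <param name="value">The payload value, or default(T) when the field is absent.</param>
        /// <returns>False when the event has no payload of that name.</returns>
        /// <exception cref="InvalidCastException">The payload is boxed as a type other than <typeparamref name="T"/>, exactly as the original per-field casts behaved.</exception>
        private static bool TryGetPayload<T>(Microsoft.Diagnostics.Tracing.TraceEvent e, string name, out T value)
        {
            int index = e.PayloadIndex(name);
            if (index >= 0)
            {
                value = (T)e.PayloadValue(index);
                return true;
            }

            value = default(T);
            return false;
        }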