/// <summary>
/// Prints one process event to the console: the record's task name, the "ProcessID" property
/// and the "ImageName" property.
/// </summary>
/// <param name="record">ETW event record carrying a UInt32 "ProcessID" and a Unicode "ImageName" property.</param>
private static void ProcessEventHandler(IEventRecord record)
{
    uint processId = record.GetUInt32("ProcessID");
    string imagePath = record.GetUnicodeString("ImageName");
    string line = string.Format("{0} pid={1} ImageName={2}", record.TaskName, processId, imagePath);
    Console.WriteLine(line);
}
/// <summary>
/// Turns a kernel debug-print ETW record into a <c>DebugItem</c> and hands it to <c>AddDebugItem</c>.
/// </summary>
/// <param name="record">
/// ETW event record. The ANSI "Message" property becomes the item text with trailing line breaks
/// removed; the UInt32 "Component" property defaults to 0 when absent.
/// </param>
private void OnEvent(IEventRecord record)
{
    uint emitterPid = record.ProcessId;
    char[] lineBreaks = { '\n', '\r' };
    string messageText = record.GetAnsiString("Message").TrimEnd(lineBreaks);

    var item = new DebugItem
    {
        Time = record.Timestamp,
        ProcessId = (int)emitterPid,
        ProcessName = TryGetProcessName(emitterPid),
        ThreadId = (int)record.ThreadId,
        Text = messageText,
        Component = record.GetUInt32("Component", 0),
        // Every record handled here originates from the kernel debug-print provider.
        IsKernel = true
    };

    AddDebugItem(item);
}
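/// <summary>
/// Handles a thread-creation ETW record and reports (and, when IPS_IDS is set, scans) threads that
/// were created in a process other than the one that emitted the event, i.e. candidate remote
/// thread injection.
/// </summary>
/// <param name="ETWRecord">
/// Thread-creation record. <c>ETWRecord.ProcessId</c> is the emitting (creating) process; the
/// "ProcessID" and "ThreadID" properties identify the process and thread that were created.
/// </param>
/// <remarks>
/// Side effects: updates the static fields LastPID, LastTID, ProcessName and TargetProcessName,
/// appends "pid:tid:injectorPid" entries to Injected_Processes_IDsList, writes to the console and,
/// when IPS_IDS is enabled, invokes DoSomething on the newest list entry whose process is still alive.
/// The creator/target mismatch is a heuristic: any cross-process thread creation, including a
/// parent starting a child's initial thread, satisfies it, so entries are candidates, not verdicts.
/// Process lookups are best-effort because the process may already be gone by the time the event
/// is consumed.
/// </remarks>
private static void ETWEventsFilter_OnEvent(IEventRecord ETWRecord)
{
    uint injectorPid = ETWRecord.ProcessId;
    uint targetPid = ETWRecord.GetUInt32("ProcessID");
    uint targetTid = ETWRecord.GetUInt32("ThreadID");

    // Published for other parts of the tool: the most recent target thread/process seen.
    LastTID = Convert.ToInt32(targetTid);
    LastPID = Convert.ToInt32(targetPid);

    // One lookup per process, each independent, so a vanished target no longer hides the
    // injector's name (previously both lookups shared a single try block).
    string targetName;
    bool targetIsRunning = TryGetRunningProcessName(targetPid, out targetName);
    string injectorName;
    TryGetRunningProcessName(injectorPid, out injectorName);
    TargetProcessName = targetName;
    ProcessName = injectorName;

    if (injectorPid != targetPid)
    {
        ReportInjectedThread(injectorPid, targetPid, targetTid, targetIsRunning);
    }
    else if (IsShowAllRecrds)
    {
        ReportLocalThread(injectorPid, targetPid, targetTid);
    }
}

/// <summary>Name published when a process cannot be resolved (exited or not queryable).</summary>
private const string ProcessExitedLabel = "Process Exited";

/// <summary>Separator of the "pid:tid:injectorPid" entries in Injected_Processes_IDsList.</summary>
private const char ListEntrySeparator = ':';

/// <summary>
/// Cross-process path: remember live targets, print the event, show debug details and
/// optionally scan the newest live entry.
/// </summary>
/// <param name="injectorPid">Process that emitted the thread-creation event.</param>
/// <param name="targetPid">Process the thread was created in.</param>
/// <param name="targetTid">Id of the created thread.</param>
/// <param name="targetIsRunning">Whether the target was still alive when its name was resolved.</param>
private static void ReportInjectedThread(uint injectorPid, uint targetPid, uint targetTid, bool targetIsRunning)
{
    // Only live targets are worth remembering for scanning.
    if (targetIsRunning)
    {
        Injected_Processes_IDsList.Add(string.Format("{0}:{1}:{2}", LastPID, LastTID, Convert.ToInt32(injectorPid)));
    }

    WriteThreadLine(ConsoleColor.Red, " injected to Process ", targetTid, targetPid, injectorPid);
    ShowThreadDetailsIfDebugging(targetPid, targetTid);

    // NOTE(review): scanning only starts once more than two entries have accumulated; this
    // threshold is kept from the original code.
    if (IPS_IDS && Injected_Processes_IDsList.Count > 2)
    {
        ScanMostRecentLiveEntry();
    }
}

/// <summary>
/// Same-process thread creation, shown only when IsShowAllRecrds is set.
/// </summary>
/// <param name="injectorPid">Process that emitted the event (equal to <paramref name="targetPid"/>).</param>
/// <param name="targetPid">Process the thread was created in.</param>
/// <param name="targetTid">Id of the created thread.</param>
private static void ReportLocalThread(uint injectorPid, uint targetPid, uint targetTid)
{
    try
    {
        WriteThreadLine(ConsoleColor.Green, " Created in Process ", targetTid, targetPid, injectorPid);
        ShowThreadDetailsIfDebugging(targetPid, targetTid);
    }
    catch (Exception)
    {
        // Best-effort display path; an exception here must not surface in the ETW consumer callback.
    }
}

/// <summary>
/// Writes one coloured console line: "[time] Tid N <verb> "target:pid" by this Process "name:pid"".
/// Reads the static TargetProcessName and ProcessName fields for the two process names.
/// </summary>
/// <param name="tidColor">Colour used for the thread id (red for cross-process, green otherwise).</param>
/// <param name="verb">Text between the thread id and the target process, including surrounding spaces.</param>
/// <param name="targetTid">Id of the created thread.</param>
/// <param name="targetPid">Process the thread was created in.</param>
/// <param name="injectorPid">Process that emitted the event.</param>
private static void WriteThreadLine(ConsoleColor tidColor, string verb, uint targetTid, uint targetPid, uint injectorPid)
{
    Console.ForegroundColor = ConsoleColor.DarkGreen;
    Console.Write("[{0}] ", DateTime.Now.ToString());
    Console.ForegroundColor = tidColor;
    Console.Write("Tid {0}", targetTid.ToString());
    Console.ForegroundColor = ConsoleColor.DarkGreen;
    Console.Write(verb);
    Console.ForegroundColor = ConsoleColor.Green;
    Console.Write("\"{0}:{1}\"", TargetProcessName, targetPid.ToString());
    Console.ForegroundColor = ConsoleColor.DarkGreen;
    Console.Write(" by this Process ");
    Console.ForegroundColor = ConsoleColor.Green;
    Console.WriteLine("\"{0}:{1}\" ", ProcessName, injectorPid.ToString());
    Console.ForegroundColor = ConsoleColor.Gray;
}

/// <summary>
/// In debug mode, dumps thread details for the target; pid 0 (System Idle) and pid 4 (System)
/// are deliberately excluded.
/// </summary>
/// <param name="targetPid">Process the thread was created in.</param>
/// <param name="targetTid">Id of the created thread.</param>
private static void ShowThreadDetailsIfDebugging(uint targetPid, uint targetTid)
{
    int pid = Convert.ToInt32(targetPid);
    if (pid != 4 && pid != 0 && Is_DebugMode)
    {
        DebugMode_ThreadsDetailShow(pid, Convert.ToInt32(targetTid));
    }
}

/// <summary>
/// Scans the newest Injected_Processes_IDsList entry whose process is still alive, falling back
/// to the entry before it. Best-effort: the scanner and the process lookups may throw when the
/// process exits between checks, and such failures are not allowed to escape the ETW callback.
/// </summary>
private static void ScanMostRecentLiveEntry()
{
    try
    {
        int last = Injected_Processes_IDsList.Count - 1;
        if (!TryScanEntry(Injected_Processes_IDsList[last]))
        {
            TryScanEntry(Injected_Processes_IDsList[last - 1]);
        }
        Console.ForegroundColor = ConsoleColor.Gray;
    }
    catch (Exception)
    {
        // Deliberate best-effort: see summary.
    }
}

/// <summary>
/// Scans one "pid:tid:injectorPid" entry if its process is still running and reflects the scan
/// in the console title.
/// </summary>
/// <param name="entry">List entry in the "pid:tid:injectorPid" format built by ReportInjectedThread.</param>
/// <returns>true when the entry was scanned; false when its process had already exited.</returns>
private static bool TryScanEntry(string entry)
{
    string[] parts = entry.Split(ListEntrySeparator);
    int pid = Convert.ToInt32(parts[0]);
    int tid = Convert.ToInt32(parts[1]);

    // Dispose the Process so the handle opened for the liveness query is released.
    using (Process process = Process.GetProcessById(pid))
    {
        if (process.HasExited)
        {
            return false;
        }
    }

    DoSomething(pid, tid);
    Console.Title = "[ " + DateTime.Now.ToString() + " ] Process:Thread " + parts[0] + ":" + parts[1] + " Scanned";
    return true;
}

/// <summary>
/// Best-effort process-name lookup. The process may exit between event emission and this call,
/// and Process.GetProcessById throws for a pid that is no longer running.
/// </summary>
/// <param name="pid">Process id taken from the ETW record.</param>
/// <param name="name">The process name, or "Process Exited" when the process is gone or cannot be queried.</param>
/// <returns>true when the process was found and had not exited.</returns>
private static bool TryGetRunningProcessName(uint pid, out string name)
{
    name = ProcessExitedLabel;
    try
    {
        // Dispose the Process so the handle opened for the query is released on every event.
        using (Process process = Process.GetProcessById(Convert.ToInt32(pid)))
        {
            if (process.HasExited)
            {
                return false;
            }
            name = process.ProcessName;
            return true;
        }
    }
    catch (Exception)
    {
        // ArgumentException (pid not running), InvalidOperationException (exited mid-query) and
        // access-denied failures are all reported as "not available" rather than failing the callback.
        return false;
    }
}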
/// <summary>
/// Parses a TraceLogging event: every property listed in <c>record.Properties</c> is read with
/// the accessor matching its numeric in-type (TDH_IN_TYPE values) and stored under its name.
/// </summary>
/// <param name="record">ETW event record.</param>
/// <param name="eventData">
/// Filled with one entry per parsed property. A property whose read throws is stored as
/// <c>ERROR_PARSING_FIELD</c>; properties with an unlisted type are left out.
/// </param>
public void Parse(IEventRecord record, Dictionary<String, dynamic> eventData)
{
    foreach (var property in record.Properties)
    {
        string name = property.Name;
        try
        {
            switch (property.Type)
            {
                case 1:
                    eventData[name] = record.GetUnicodeString(name);
                    break;
                case 2:
                    eventData[name] = record.GetAnsiString(name);
                    break;
                case 3:
                    eventData[name] = record.GetInt8(name);
                    break;
                case 4:
                    eventData[name] = record.GetUInt8(name);
                    break;
                case 5:
                    eventData[name] = record.GetInt16(name);
                    break;
                case 6:
                    eventData[name] = record.GetUInt16(name);
                    break;
                case 7:
                    eventData[name] = record.GetInt32(name);
                    break;
                case 8:
                case 13:
                case 20:
                    // UINT32, BOOLEAN and HEXINT32 are all read as a 4-byte unsigned value.
                    eventData[name] = record.GetUInt32(name);
                    break;
                case 9:
                    eventData[name] = record.GetInt64(name);
                    break;
                case 10:
                case 21:
                    // UINT64 and HEXINT64.
                    eventData[name] = record.GetUInt64(name);
                    break;
                case 14:
                case 15:
                    // BINARY and GUID are kept as raw bytes.
                    eventData[name] = record.GetBinary(name);
                    break;
            }
        }
        catch (Exception)
        {
            eventData[name] = ERROR_PARSING_FIELD;
        }
    }
}
/// <summary>
/// Reads a single event property using the accessor that matches its TDH in-type.
/// </summary>
/// <param name="prop">Property descriptor supplying the name and the TDH in-type.</param>
/// <param name="record">ETW event record the value is read from.</param>
/// <returns>
/// The typed value, or the string "&lt;Unknown type&gt;" for an in-type this method does not handle.
/// </returns>
private object ParseBasicProperty(Property prop, IEventRecord record)
{
    string name = prop.Name;
    switch (prop.Type)
    {
        // String and blob types.
        case (int)TDH_IN_TYPE.TDH_INTYPE_ANSISTRING:
            return record.GetAnsiString(name);
        case (int)TDH_IN_TYPE.TDH_INTYPE_UNICODESTRING:
            return record.GetUnicodeString(name);
        case (int)TDH_IN_TYPE.TDH_INTYPE_COUNTEDSTRING:
            return record.GetCountedString(name);
        case (int)TDH_IN_TYPE.TDH_INTYPE_BINARY:
            return record.GetBinary(name);

        // Signed integers.
        case (int)TDH_IN_TYPE.TDH_INTYPE_INT8:
            return record.GetInt8(name);
        case (int)TDH_IN_TYPE.TDH_INTYPE_INT16:
            return record.GetInt16(name);
        case (int)TDH_IN_TYPE.TDH_INTYPE_INT32:
            return record.GetInt32(name);
        case (int)TDH_IN_TYPE.TDH_INTYPE_INT64:
            return record.GetInt64(name);

        // Unsigned integers; pointers are read as 64-bit unsigned values.
        case (int)TDH_IN_TYPE.TDH_INTYPE_UINT8:
            return record.GetUInt8(name);
        case (int)TDH_IN_TYPE.TDH_INTYPE_UINT16:
            return record.GetUInt16(name);
        case (int)TDH_IN_TYPE.TDH_INTYPE_UINT32:
            return record.GetUInt32(name);
        case (int)TDH_IN_TYPE.TDH_INTYPE_UINT64:
        case (int)TDH_IN_TYPE.TDH_INTYPE_POINTER:
            return record.GetUInt64(name);

        case (int)TDH_IN_TYPE.TDH_INTYPE_FILETIME:
            return record.GetDateTime(name);

        default:
            return "<Unknown type>";
    }
}
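/// <summary>
/// Parses an event record using the provider manifest: finds the event definition whose value
/// matches <c>record.Id</c>, then reads each field of the referenced template with the accessor
/// for its declared in-type.
/// </summary>
/// <param name="record">ETW event record.</param>
/// <param name="eventData">
/// Filled with one entry per template field. A field whose read throws is stored as
/// <c>ERROR_PARSING_FIELD</c>; fields with an unhandled in-type are left out.
/// </param>
/// <exception cref="InvalidOperationException">
/// The template referenced by the matching event definition is missing or defined more than once.
/// </exception>
/// <exception cref="FormatException">An event definition's value is not a decimal event id.</exception>
public void Parse(IEventRecord record, Dictionary<String, dynamic> eventData)
{
    var provider = this.Scheme.instrumentation.events.provider;
    foreach (var eventDefinition in provider.events)
    {
        // ETW event ids are unsigned 16-bit values; Int16.Parse rejected ids above 32767.
        // Invariant culture: the manifest is machine-written, not user-locale text.
        if (UInt16.Parse(eventDefinition.value, System.Globalization.CultureInfo.InvariantCulture) != record.Id)
        {
            continue;
        }

        var template = provider.templates.Single(x => x.tid == eventDefinition.template);
        foreach (var data in template.datas)
        {
            try
            {
                object value;
                if (TryReadManifestField(record, data.inType, data.name, out value))
                {
                    eventData[data.name] = value;
                }
            }
            catch (Exception)
            {
                eventData[data.name] = ERROR_PARSING_FIELD;
            }
        }

        // Only the first matching event definition is applied.
        break;
    }
}

/// <summary>
/// Reads one manifest field with the record accessor matching its declared in-type.
/// </summary>
/// <param name="record">ETW event record.</param>
/// <param name="inType">In-type of the field as declared in the manifest template.</param>
/// <param name="name">Field name as declared in the template.</param>
/// <param name="value">The parsed value when the in-type is handled; null otherwise.</param>
/// <returns>false when <paramref name="inType"/> is not handled, so the caller leaves the field unset.</returns>
private static bool TryReadManifestField(IEventRecord record, Manifest.Data.InType inType, string name, out object value)
{
    switch (inType)
    {
        case Manifest.Data.InType.UnicodeString:
            value = record.GetUnicodeString(name);
            return true;
        case Manifest.Data.InType.AnsiString:
            value = record.GetAnsiString(name);
            return true;

        case Manifest.Data.InType.GUID:
        case Manifest.Data.InType.Binary:
        case Manifest.Data.InType.FILETIME:
        case Manifest.Data.InType.Pointer:
        case Manifest.Data.InType.SID:
            // Opaque or structured fields are returned as read by GetBinary.
            value = record.GetBinary(name);
            return true;

        case Manifest.Data.InType.UInt32:
        case Manifest.Data.InType.Boolean:
        case Manifest.Data.InType.Float:
            // Boolean is a 4-byte value in ETW. NOTE(review): Float is read as UInt32 as in the
            // original code, so the stored value is the raw 32-bit pattern, not a converted number.
            value = record.GetUInt32(name);
            return true;
        case Manifest.Data.InType.HexInt32:
        case Manifest.Data.InType.Int32:
            value = record.GetInt32(name);
            return true;
        case Manifest.Data.InType.HexInt64:
        case Manifest.Data.InType.Int64:
            value = record.GetInt64(name);
            return true;
        case Manifest.Data.InType.UInt64:
        case Manifest.Data.InType.Double:
            // NOTE(review): Double is read as UInt64 as in the original code (raw 64-bit pattern).
            value = record.GetUInt64(name);
            return true;
        case Manifest.Data.InType.UInt16:
            value = record.GetUInt16(name);
            return true;
        case Manifest.Data.InType.UInt8:
            value = record.GetUInt8(name);
            return true;
        case Manifest.Data.InType.Int8:
            // Previously read with GetInt64, i.e. eight bytes for a one-byte field.
            value = record.GetInt8(name);
            return true;
        case Manifest.Data.InType.Int16:
            value = record.GetInt16(name);
            return true;

        case Manifest.Data.InType.SYSTEMTIME:
            value = record.GetDateTime(name);
            return true;

        default:
            value = null;
            return false;
    }
}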