Example #1
0
        private static bool ShouldTrackStep(this TrackingProfile profile, WorkflowTraceStep workflowTraceStep)
        {
            if (workflowTraceStep is TraceGroup)
            {
                // Don't filter out a nested TraceGroup.
                return(true);
            }

            ActivityTrace activityTrace = workflowTraceStep as ActivityTrace;

            if (activityTrace != null)
            {
                //check the activity track queries
                foreach (ActivityStateQuery activityQuery in profile.Queries.OfType <ActivityStateQuery>())
                {
                    //either all activities are tracked or only this specific one.
                    if (TrackingFilter.IsActivityLocationTracked(activityQuery, activityTrace.ActivityName, activityTrace.ActivityStatus))
                    {
                        return(true);
                    }
                }

                //check the ActivityScheduledQuery
                foreach (ActivityScheduledQuery activityScheduledQuery in profile.Queries.OfType <ActivityScheduledQuery>())
                {
                    //either all activities are tracked or only this specific one.
                    if (TrackingFilter.IsActivityScheduledTracked(activityScheduledQuery, activityTrace.ActivityName))
                    {
                        return(true);
                    }
                }
            }

            WorkflowInstanceTrace workflowInstanceTrace = workflowTraceStep as WorkflowInstanceTrace;

            if (workflowInstanceTrace != null)
            {
                foreach (WorkflowInstanceQuery workflowInstanceTrackingQuery in profile.Queries.OfType <WorkflowInstanceQuery>())
                {
                    if (workflowInstanceTrackingQuery.States.Contains(workflowInstanceTrace.InstanceStatus.ToString()))
                    {
                        return(true);
                    }
                }
            }

            UserTrace userTrace = workflowTraceStep as UserTrace;

            if (userTrace != null)
            {
                //presently we (trackign team) do not track any userTrace values through profile om.
                return(true);
            }
            return(false);
        }
Example #2
0
        private static void TrackStateMachineRecord(StateMachineStateRecord stateMachineRecord)
        {
            UserTrace userTrace = new UserTrace(
                stateMachineRecord.InstanceId,
                stateMachineRecord.Activity.Id + ":" + stateMachineRecord.Activity.InstanceId,
                string.Format("StateMachineTrackingRecord: '{0}' State: '{1}'",
                              stateMachineRecord.StateMachineName,
                              stateMachineRecord.StateName));

            TraceSource ts = new TraceSource("Microsoft.CoreWf.Tracking", SourceLevels.Information);
            //PartialTrustTrace.TraceData(ts, TraceEventType.Information, 1, userTrace);
        }
Example #3
0
        static void Main(string[] args)
        {
            // UserTrace instances should be used for any non-kernel traces that are defined
            // by components or programs in Windows. They can optionally take a name -- if none
            // is provided, a random GUID is assigned as the name.
            var trace = new UserTrace("Silly Gooby");

            // A trace can have any number of providers, which are identified by GUID. These
            // GUIDs are defined by the components that emit events, and their GUIDs can
            // usually be found with various ETW tools (like wevutil).
            var powershellProvider = new Provider(Guid.Parse("{A0C1853B-5C40-4B15-8766-3CF1C58F985A}"));

            // UserTrace providers typically have any and all flags, whose meanings are
            // unique to the specific providers that are being invoked. To understand these
            // flags, you'll need to look to the ETW event producer.
            powershellProvider.Any = Provider.AllBitsSet;

            // In user_trace_001.cs, we manually filter events by checking the information
            // in our callback functions. In this example, we're going to use a provider
            // filter to do this for us.

            // We instantiate an EventFilter first. An EventFilter is created with a predicate --
            // literally just a function that does some check on an EventRecord and returns a boolean
            // (true when the even should be passed on to callbacks, false otherwise).

            // EventFilters are more than just convenient -- Lobster provides combinators for
            // expressing simple but powerful filters that actually execute in the underlying C++
            // krabs library. This means that events can be filtered before ever running in the
            // CLR (saving us a ton of cost in spinning up objects on event firing).

            // The combinators cannot express everything a filter must do, so for complicated
            // filters, it's recommended to write the filters in a managed C++/CLI project and
            // use those to keep the perf benefits. The filters that Lobster provides are on
            // the Filter object (and can be combined with &&, ||, !)
            var filter = new EventFilter(Filter.EventIdIs(7937));

            // EventFilters have attached callbacks, just like a regular provider.
            filter.OnEvent += (EventRecord record) =>
            {
                var schema = new Schema(record);
                System.Diagnostics.Debug.Assert(schema.Id == 7937);
                Console.WriteLine("Event 7937 received");
            };

            // EventFilters are attached to providers. Events that are attached to the filter
            // will only be called when the filter allows the event through. Any events attached
            // to the provider directly will be called for all events that are fired by the ETW
            // producer.
            powershellProvider.AddFilter(filter);
            trace.Enable(powershellProvider);
            trace.Start();
        }
        // Permet d'afficher l'inscription avec plusieurs données
        public async Task <IActionResult> SignUp()
        {
            string accessToken = await HttpContext.GetTokenAsync("access_token");

            client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
            string sexes = await client.GetStringAsync(Configuration["URLAPI"] + "api/Data/Sex");

            string corpulences = await client.GetStringAsync(Configuration["URLAPI"] + "api/Data/corpulences");

            string hairSize = await client.GetStringAsync(Configuration["URLAPI"] + "api/Data/hairSize");

            string hairColor = await client.GetStringAsync(Configuration["URLAPI"] + "api/Data/hairColor");

            string sexuality = await client.GetStringAsync(Configuration["URLAPI"] + "api/Data/sexuality");

            string styles = await client.GetStringAsync(Configuration["URLAPI"] + "api/Data/styles");

            string religions = await client.GetStringAsync(Configuration["URLAPI"] + "api/Data/religions");

            List <Religion>   resultReligion    = JsonConvert.DeserializeObject <List <Religion> >(religions);
            List <Sex>        resultSexes       = JsonConvert.DeserializeObject <List <Sex> >(sexes);
            List <Corpulence> resultCorpulences = JsonConvert.DeserializeObject <List <Corpulence> >(corpulences);
            List <HairColor>  resultHairColors  = JsonConvert.DeserializeObject <List <HairColor> >(hairColor);
            List <HairSize>   resultHairSizes   = JsonConvert.DeserializeObject <List <HairSize> >(hairSize);
            List <Sexuality>  resultSexualities = JsonConvert.DeserializeObject <List <Sexuality> >(sexuality);
            List <Style>      resultStyle       = JsonConvert.DeserializeObject <List <Style> >(styles);

            ViewData["sexes"]       = resultSexes;
            ViewData["corpulences"] = resultCorpulences;
            ViewData["hairColors"]  = resultHairColors;
            ViewData["hairSizes"]   = resultHairSizes;
            ViewData["sexualities"] = resultSexualities;
            ViewData["styles"]      = resultStyle;
            ViewData["religions"]   = resultReligion;

            string ip = _accessor.ActionContext.HttpContext.Connection.RemoteIpAddress.ToString();

            _logger.LogInformation("A User is trying to sign up with ip : " + ip);
            UserTrace trace = new UserTrace
            {
                Logdate     = DateTime.Now,
                Ipadress    = ip,
                Pagevisited = "SignUp : A User is trying to sign up"
            };

            _context.UserTraces.Add(trace);
            _context.SaveChanges();

            return(View());
        }
Example #5
0
        protected override void Execute(NativeActivityContext context)
        {
            TestTraceListenerExtension listenerExtension = context.GetExtension <TestTraceListenerExtension>();
            NoPersistHandle            handle            = _noPersistHandle.Get(context);

            handle.Enter(context);

            UserTrace.Trace(listenerExtension, context.WorkflowInstanceId, NoPersistenceBlockEntered);

            // Schedule all of the Sequence's Activities
            base.Execute(context);

            UserTrace.Trace(listenerExtension, context.WorkflowInstanceId, NoPersistenceBlockExited);
        }
Example #6
0
        static void Main(string[] args)
        {
            // UserTrace instances should be used for any non-kernel traces that are defined
            // by components or programs in Windows.
            var trace = new UserTrace();

            // A trace can have any number of providers, which are identified by GUID. These
            // GUIDs are defined by the components that emit events, and their GUIDs can
            // usually be found with various ETW tools (like wevutil).
            var powershellProvider = new Provider(Guid.Parse("{A0C1853B-5C40-4B15-8766-3CF1C58F985A}"));

            // UserTrace providers typically have any and all flags, whose meanings are
            // unique to the specific providers that are being invoked. To understand these
            // flags, you'll need to look to the ETW event producer.
            powershellProvider.Any = Provider.AllBitsSet;

            // Providers should be wired up to functions that are called when
            // events from that provider are fired.
            powershellProvider.OnEvent += (EventRecord record) =>
            {
                // Once an event is received, if we want krabs to help us analyze it, we need
                // to snap in a schema to ask it for information.
                var schema = new Schema(record);

                // We then have the ability to ask a few questions of the event.
                Console.WriteLine("Event " + schema.Id + " (" + schema.Name + ") received.");

                if (schema.Id == 7937)
                {
                    // The event we're interested in has a field that contains a bunch of
                    // info about what it's doing. We can snap in a parser to help us get
                    // the property information out.
                    var parser = new Parser(schema);

                    // We need to call the specific method to parse the type we expect.
                    // If we don't want to deal with the possibility of failure, we can
                    // provide a default if parsing fails.
                    var context = parser.ParseWStringWithDefault("ContextInfo", "None.");
                    Console.WriteLine("Context: " + context);
                }
            };

            // The UserTrace needs to know about the provider that we've set up.
            trace.Enable(powershellProvider);

            // Begin listening for events. This call blocks, so if you want to do other things
            // while this runs, you'll need to call this on another thread.
            trace.Start();
        }
        protected override IAsyncResult BeginExecute(AsyncCodeActivityContext context, AsyncCallback callback, object state)
        {
            TestTraceListenerExtension listenerExtension = context.GetExtension <TestTraceListenerExtension>();

            UserTrace.Trace(listenerExtension, context.WorkflowInstanceId, AsyncOperationBlockEntered);

            AsyncWorkState asyncWorkState = new AsyncWorkState()
            {
                InstanceID        = context.WorkflowInstanceId,
                Duration          = this.Duration.Get(context),
                ListenerExtension = listenerExtension
            };

            return(new AsyncOperationBlockActivityAsyncResult(asyncWorkState, callback, state));
        }
Example #8
0
        protected override void Execute(CodeActivityContext executionContext)
        {
            UserTrace userTrace = new UserTrace(executionContext.WorkflowInstanceId,
                                                this.Id + ":" + executionContext.ActivityInstanceId, this.Message.Get(executionContext));
            //TraceSource ts = new TraceSource("Microsoft.CoreWf.Tracking", SourceLevels.Information);
            //ts.TraceData(TraceEventType.Information, 1, userTrace);
            // PartialTrustTrace.TraceData(ts, TraceEventType.Information, 1, userTrace);

            TestTraceListenerExtension traceExtension = executionContext.GetExtension <TestTraceListenerExtension>();

            if (traceExtension != null)
            {
                traceExtension.TraceData(userTrace);
            }
        }
Example #9
0
        protected void OnResumeBookmark(NativeActivityContext context, Bookmark bookmark, object obj)
        {
            TestTraceListenerExtension listenerExtension = context.GetExtension <TestTraceListenerExtension>();
            Guid instanceId = context.WorkflowInstanceId;

            UserTrace.Trace(listenerExtension, instanceId, BeforeWait);
            Thread.CurrentThread.Join((int)WaitTime.TotalMilliseconds);
            if (!(obj is T))
            {
                throw new Exception("Resume Bookmark with object of type " + typeof(T).FullName);
            }

            BookmarkValue.Set(context, (T)obj);
            UserTrace.Trace(listenerExtension, instanceId, AfterWait);
        }
Example #10
0
        public void it_should_raise_OnEvent_for_raw_provider_on_user_trace()
        {
            var called = false;

            var trace = new UserTrace();
            var proxy = new Proxy(trace);

            var provider = new RawProvider(PowerShellEvent.ProviderId);

            provider.OnEvent += e => { called = true; };

            trace.Enable(provider);
            proxy.PushEvent(PowerShellEvent.CreateRecord("user data", "context info", "payload"));

            Assert.IsTrue(called, "proxy call raised on event");
        }
Example #11
0
        static void Main(string[] args)
        {
            var count = 0;
            var cts   = new CancellationTokenSource();
            var trace = new UserTrace("MY AWESOME TEST THING");
            //var provider = new RawProvider(EventSource.GetGuid(typeof(TestEventSource)));

            var provider = new Provider(Guid.Parse("{A0C1853B-5C40-4B15-8766-3CF1C58F985A}"));

            // Only pull in method invocations
            var powershellFilter = new EventFilter(Filter.EventIdIs(7937)
                                                   .And(UnicodeString.Contains("Payload", "Started")));

            powershellFilter.OnEvent += e =>
            {
                Console.WriteLine($"{e.ProviderName} - {e.Id}: {count++}");
            };

            provider.AddFilter(powershellFilter);

            Console.CancelKeyPress += (s, e) =>
            {
                cts.Cancel();
                trace.Stop();
            };

            trace.Enable(provider);

            var statsLoop = Task.Run(() => PrintStats(trace, cts.Token));

            Task.Run(() => trace.Start())
            .ContinueWith(t => Console.WriteLine($"Task ended with status {t.Status}"));

            Console.WriteLine("Enter to restart trace");
            Console.ReadKey();

            Task.Run(() => trace.Start())
            .ContinueWith(t => Console.WriteLine($"Task ended with status {t.Status}"));

            Console.WriteLine("Ctrl+C to quit");
            statsLoop.Wait();

            Console.WriteLine("Done");
        }
Example #12
0
        public static void Start()
        {
            // UserTrace instances should be used for any non-kernel traces that are defined
            // by components or programs in Windows.
            var trace = new UserTrace();

            // A trace can have any number of providers, which are identified by GUID. These
            // GUIDs are defined by the components that emit events, and their GUIDs can
            // usually be found with various ETW tools (like wevutil).
            var powershellProvider = new Provider(Guid.Parse("{A0C1853B-5C40-4B15-8766-3CF1C58F985A}"));

            // UserTrace providers typically have any and all flags, whose meanings are
            // unique to the specific providers that are being invoked. To understand these
            // flags, you'll need to look to the ETW event producer.
            powershellProvider.Any = Provider.AllBitsSet;

            // Providers should be wired up to functions that are called when
            // events from that provider are fired.
            powershellProvider.OnEvent += (record) =>
            {
                // Records have general properties that are applicable to every ETW
                // record regardless of schema. They give us general information.
                Console.WriteLine("Event " + record.Id + " (" + record.Name + ") received.");

                if (record.Id == 7937)
                {
                    // We need to call the specific method to parse the type we expect.
                    // If we don't want to deal with the possibility of failure, we can
                    // provide a default if parsing fails.
                    var context = record.GetUnicodeString("ContextInfo", "None.");
                    Console.WriteLine("Context: " + context);
                }
            };

            // The UserTrace needs to know about the provider that we've set up.
            trace.Enable(powershellProvider);

            // Begin listening for events. This call blocks, so if you want to do other things
            // while this runs, you'll need to call this on another thread.
            trace.Start();
        }
        static void Main(string[] args)
        {
            var filter = new EventFilter(Filter
                                         .EventIdIs(3018)
                                         .Or(Filter.EventIdIs(3020)));

            filter.OnEvent += (IEventRecord r) => {
                var query  = r.GetUnicodeString("QueryName");
                var result = r.GetUnicodeString("QueryResults");
                Console.WriteLine($"DNS query ({r.Id}): {query} - {result}");
            };

            var provider = new Provider("Microsoft-Windows-DNS-Client");

            provider.AddFilter(filter);

            var trace = new UserTrace();

            trace.Enable(provider);
            trace.Start();
        }
Example #14
0
        public static void Start()
        {
            // While Adminstrator is sufficent to view the Security EventLog,
            // SYSTEM is required for the Microsoft-Windows-Security-Auditing provider.
            if (!WindowsIdentity.GetCurrent().IsSystem)
            {
                Console.WriteLine("Microsoft-Windows-Security-Auditing can only be traced by SYSTEM");
                return;
            }

            // Further, only one trace session is allowed for this provider.
            // This session is created by the OS and is called 'EventLog-Security'.
            // We can't Stop this session, but we can Open a handle to it.
            var trace    = new UserTrace("EventLog-Security");
            var provider = new Provider("Microsoft-Windows-Security-Auditing");

            // We also can't modify the flags of the trace session.
            // This will silently fail.
            provider.Any = Provider.AllBitsSet;

            // But we can receive events - but only those configured by the audit policy.
            // e.g. to enable event 4703 run -> auditpol /set /subcategory:"Token Right Adjusted Events"
            provider.OnEvent += (record) =>
            {
                Console.WriteLine($"Event {record.Id}({record.Name}) received.");

                if (record.Id == 4703) // "A user right was adjusted."
                {
                    var enabledPrivilegeList  = record.GetUnicodeString("EnabledPrivilegeList", "");
                    var disabledPrivilegeList = record.GetUnicodeString("DisabledPrivilegeList", "");

                    Console.WriteLine($"\tEnabledPrivilegeList={enabledPrivilegeList}");
                    Console.WriteLine($"\tDisabledPrivilegeList={disabledPrivilegeList}");
                }
            };

            trace.Enable(provider);

            trace.Start();
        }
Example #15
0
        static void Main(string[] args)
        {
            var filter = new EventFilter(
                Filter.EventIdIs(5)
                //.Or(Filter.EventIdIs(6))
                );

            // Microsoft-Windows-RPC EventID 5 - Client RPC call started
            // EventID 6 - Server RPC call started.

            filter.OnEvent += (IEventRecord r) =>
            {
                var endpoint = r.GetUnicodeString("Endpoint");
                var opNum    = r.GetUInt32("ProcNum");
                var protocol = r.GetUInt32("Protocol");
                Console.WriteLine($"RPC Event {r.Id}");
                Console.WriteLine($"Endpoint: {endpoint}");
                Console.WriteLine($"Protocol {protocol,0:X}");
                Console.WriteLine($"OpNum: {opNum}");
            };

            var provider = new Provider("Microsoft-Windows-RPC");

            provider.AddFilter(filter);

            var trace = new UserTrace();

            trace.Enable(provider);

            Console.CancelKeyPress += (sender, eventArg) =>
            {
                if (trace != null)
                {
                    trace.Stop();
                }
            };

            trace.Start();
        }
Example #16
0
        public static void Start()
        {
            // UserTrace instances should be used for any non-kernel traces that are defined
            // by components or programs in Windows. They can optionally take a name -- if none
            // is provided, a random GUID is assigned as the name.
            var trace = new UserTrace();

            // A trace can have any number of providers, which are identified by GUID. These
            // GUIDs are defined by the components that emit events, and their GUIDs can
            // usually be found with various ETW tools (like wevutil).
            var powershellProvider = new Provider(Guid.Parse("{A0C1853B-5C40-4B15-8766-3CF1C58F985A}"));

            // UserTrace providers typically have any and all flags, whose meanings are
            // unique to the specific providers that are being invoked. To understand these
            // flags, you'll need to look to the ETW event producer.
            powershellProvider.Any = Provider.AllBitsSet;

            // In UserTrace003.cs, we use ETW-based filtering to select a specific event ID.
            //
            // We can combine ETW-based filtering with predicate filters to filter on specific
            // event properties without impacting performance.
            var filter = new EventFilter(7937, UnicodeString.Contains("ContextInfo", "Write-Host"));

            // EventFilters have attached callbacks, just like a regular provider.
            filter.OnEvent += (record) =>
            {
                System.Diagnostics.Debug.Assert(record.Id == 7937);
                Console.WriteLine(record.GetUnicodeString("ContextInfo"));
            };

            // EventFilters are attached to providers. Events that are attached to the filter
            // will only be called when the filter allows the event through. Any events attached
            // to the provider directly will be called for all events that are fired by the ETW
            // producer.
            powershellProvider.AddFilter(filter);
            trace.Enable(powershellProvider);
            trace.Start();
        }
Example #17
0
        static void Main(string[] args)
        {
            var trace = new UserTrace();

            // The name of the PowerShell provider that gives us with detailed
            // method execution logging is "Microsoft-Windows-PowerShell".
            //
            // If you want to explore all the events in this provider,
            // you'll need to use Message Analyzer to load the trace and explore
            // the events.
            //
            // Download: https://www.microsoft.com/en-us/download/details.aspx?id=44226
            var powershellProvider = new Provider("Microsoft-Windows-PowerShell");

            var powershellFilter = new EventFilter(
                Filter.EventIdIs(7937)
                .And(UnicodeString.Contains("Payload", "Started")));

            powershellFilter.OnEvent += OnEvent;

            // The "Any" and "All" flags can be sussed out using Microsoft Message Analyzer.
            powershellProvider.Any = 0x20;
            powershellProvider.AddFilter(powershellFilter);

            trace.Enable(powershellProvider);

            Console.CancelKeyPress += (sender, eventArg) =>
            {
                if (trace != null)
                {
                    trace.Stop();
                }
            };

            // This is a blocking call. Ctrl-C to stop.
            trace.Start();
        }
Example #18
0
        public void schema_not_found_should_raise_onerror_on_user_trace()
        {
            var onEventCalled = false;
            var onErrorCalled = false;

            var trace = new UserTrace();
            var proxy = new Proxy(trace);

            var provider = new Provider(PowerShellEvent.ProviderId);

            provider.OnEvent += e => { onEventCalled = true; };
            provider.OnError += e => { onErrorCalled = true; };

            var record = PowerShellEvent.CreateRecord("user data", "context info", "payload");

            // munge the event so the schema can't be found
            record.Id = (ushort)1234;

            trace.Enable(provider);
            proxy.PushEvent(record);

            Assert.IsFalse(onEventCalled, "schema not found raised OnEvent");
            Assert.IsTrue(onErrorCalled, "schema not found raised OnError");
        }
Example #19
0
        public static void Start()
        {
            var trace = new UserTrace("WPP_OLE32");

            // WPP providers are basically legacy providers without a registered MOF.
            // They are intended for (internal) debugging purposes only.
            // Note - WPP software tracing has been superceded by TraceLogging.
            //
            // Instead of a manifest or MOF, a separate trace message format (TMF)
            // file is required to interpret the WPP event data.
            // https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/trace-message-format-file
            //
            // In some cases, the TMF is included in the PDB.
            // https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/tracepdb
            //
            // Otherwise, you can attempt to reconstruct the TMF by hand.
            // https://posts.specterops.io/data-source-analysis-and-dynamic-windows-re-using-wpp-and-tracelogging-e465f8b653f7
            //
            // Luckily, WPP tracing is usually added using Microsoft's convenience macros.
            // And, when you have symbols available, WPP metadata is then fairly straightfoward to extract.
            // https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/adding-wpp-software-tracing-to-a-windows-driver

            // Each WPP trace provider defines a control GUID that uniquely identifies that provider.
            // https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/control-guid
            //
            // The WPP macros generate control GUID globals named "WPP_ThisDir_CTLGUID_<name>"
            //
            // For example, this control GUID is in the symbols for combase.dll
            // WPP_ThisDir_CTLGUID_OLE32 = bda92ae8-9f11-4d49-ba1d-a4c2abca692e
            var ole32WppProvider = new Provider(Guid.Parse("{bda92ae8-9f11-4d49-ba1d-a4c2abca692e}"));

            // In evntrace.h there are ten defined trace levels -
            // TRACE_LEVEL_NONE        0   // Tracing is not on
            // TRACE_LEVEL_CRITICAL    1   // Abnormal exit or termination
            // TRACE_LEVEL_ERROR       2   // Severe errors that need logging
            // TRACE_LEVEL_WARNING     3   // Warnings such as allocation failure
            // TRACE_LEVEL_INFORMATION 4   // Includes non-error cases(e.g.,Entry-Exit)
            // TRACE_LEVEL_VERBOSE     5   // Detailed traces from intermediate steps
            // TRACE_LEVEL_RESERVED6   6
            // TRACE_LEVEL_RESERVED7   7
            // TRACE_LEVEL_RESERVED8   8
            // TRACE_LEVEL_RESERVED9   9
            //
            // Microsoft WPP providers are known to use the reserved levels.
            // Internally, these levels have names like CHATTY, GARRULOUS and LOQUACIOUS.
            //
            // Everything at or below the configured level will be traced.
            // Technically 9 means trace everything, but the field is a UCHAR
            // so 0xFF means definitely trace everything.
            ole32WppProvider.Level = 0xFF;  // 'TRACE_LEVEL_ALL'

            // Flags is a user-defined bitmask field the developer can use to group
            // related messages.
            // Again, it is a UCHAR for WPP providers so 0xFF means trace everything.
            ole32WppProvider.Any = 0xFF;  // 'TRACE_FLAGS_ALL'

            // We need to enable this provider in order for krabs to correctly enable the OLE32 WPP events.
            trace.Enable(ole32WppProvider);

            // But we can't add any callbacks directly to krabs WPP providers though. Without the TMF
            // information, krabs cannot determine which provider the event belongs to.
            //
            // WPP providers, like MOF providers, return the message GUID in the ProviderId field.
            // So firstly krabs checks if the message GUID matches a provider GUID.
            // If you know the message GUIDs then you can create individual dummy providers for those.
            //
            // Secondly krabs queries TDH to see if it knows the provider GUID for the message GUID.
            // https://docs.microsoft.com/en-us/windows/win32/etw/retrieving-event-data-using-tdh
            // This works for registered MOF providers - but not for WPP providers. In this case, TDH returns
            // an all zero GUID - so we can create a dummy provider for that and add our callbacks there instead.
            // If you subscribe to multiple WPP providers, the events from *all* of them will be delivered to this dummy provider.
            var allWppDummyProvider = new Provider(Guid.Empty);

            allWppDummyProvider.OnEvent += (record) =>
            {
                // Here be dragons.
                //
                // krabs does not currently support TMF files for parsing WPP messages.
                // Instead you need to manually parse the UserData.
                //
                // The WPP macros generate message GUID globals named "WPP_<guid>_Traceguids"
                // They also generate logging staging functions named "WPP_SF_<format specifiers>"
                //
                // There seems to be a one-to-one mapping between message GUIDs and staging functions.
                // WPP events are a slightly different format to the modern ETW events. In particular,
                // they include this message GUID rather than the provider's control GUID.
                //
                // So message GUIDs would be a good candidate for filtering...
                // ... but my experience is that they may change between builds.
                // So I've subscribed to the zero GUID instead.
                //
                // Event ids seem more stable, but they are only unique per message GUID.
                //
                // In this case, combase.dll only has two logging staging functions.
                // WPP_SF_S(...) - which tells us that the event contains a single unicode string.
                // WPP_SF_ssdDsS(...) - which tells us that there are 3 ansi strings, a unicode string and dword.
                //
                // So we can brute force the format...

                var message  = $"Message:{record.ProviderId} Id:{record.Id} ";
                var userData = record.UserData;
                var string_1 = Marshal.PtrToStringAnsi(record.UserData);
                if (string_1.Length != 1)  // definitely an ansi string...
                {
                    // WPP_SF_ssdDsS(...)
                    userData += string_1.Length + 1;
                    var string_2 = Marshal.PtrToStringAnsi(userData);
                    userData += string_2.Length + 1;
                    var int32_3 = Marshal.ReadInt32(userData);
                    userData += sizeof(Int32);
                    var uint32_4 = (UInt32)Marshal.ReadInt32(userData);
                    userData += sizeof(UInt32);
                    var string_5 = Marshal.PtrToStringAnsi(userData);
                    userData += string_5.Length + 1;
                    var string_6 = Marshal.PtrToStringUni(userData);
                    message += $"WPP_SF_ssdDsS({string_1}, {string_2}, {int32_3}, {uint32_4}, {string_5}, {string_6})";
                }
                else // probably a unicode string... (but possibly a single character ansi string)
                {
                    // WPP_SF_S(...)
                    string_1 = Marshal.PtrToStringUni(record.UserData);
                    message += $"WPP_SF_S({string_1})";
                }

                // In this example we only print messages that contain COM class ids.
                if (message.Contains(" clsid"))
                {
                    Console.WriteLine(message);
                }
            };
            trace.Enable(allWppDummyProvider);

            // Side note - if you want to turn up the verbosity of your COM WPP diagnostic tracing, then enable
            // OLE32 tracing via the registry following the instruction here -
            // https://support.microsoft.com/en-us/help/926098/how-to-enable-com-and-com-diagnostic-tracing
            //
            // Alternatively call _ControlTracing (4) via combase's 18f70770-8e64-11cf-9af1-0020af6e72f4 RPC interface.

            trace.Start();
        }
Example #20
0
        public async Task <IActionResult> Login(LoginInputModel model, string button)
        {
            // check if we are in the context of an authorization request
            var context = await _interaction.GetAuthorizationContextAsync(model.ReturnUrl);

            // the user clicked the "cancel" button
            if (button != "login")
            {
                if (context != null)
                {
                    // if the user cancels, send a result back into IdentityServer as if they
                    // denied the consent (even if this client does not require consent).
                    // this will send back an access denied OIDC error response to the client.
                    await _interaction.GrantConsentAsync(context, ConsentResponse.Denied);

                    // we can trust model.ReturnUrl since GetAuthorizationContextAsync returned non-null
                    if (await _clientStore.IsPkceClientAsync(context.ClientId))
                    {
                        // if the client is PKCE then we assume it's native, so this change in how to
                        // return the response is for better UX for the end user.
                        return(this.LoadingPage("Redirect", model.ReturnUrl));
                    }

                    return(Redirect(model.ReturnUrl));
                }
                else
                {
                    // since we don't have a valid context, then we just go back to the home page
                    return(Redirect("~/"));
                }
            }

            if (ModelState.IsValid)
            {
                var result = await _signInManager.PasswordSignInAsync(model.Username, model.Password, model.RememberLogin, lockoutOnFailure : true);


                if (result.Succeeded)
                {
                    string ip = _accessor.ActionContext.HttpContext.Connection.RemoteIpAddress.ToString();
                    _logger.LogInformation("A User signs in with ip : " + ip);

                    string    userId = _LMcontext.AspNetUsers.Where(u => u.UserName == model.Username).Select(u => u.Id).SingleOrDefault();
                    UserTrace trace  = new UserTrace
                    {
                        Logdate     = DateTime.Now,
                        Ipadress    = ip,
                        Pagevisited = "Login : A User signs in ",
                        Id          = userId
                    };
                    _LMcontext.UserTraces.Add(trace);
                    _LMcontext.SaveChanges();

                    var user = await _userManager.FindByNameAsync(model.Username);

                    var resultEmailConfirmed = await _userManager.IsEmailConfirmedAsync(user);

                    if (!resultEmailConfirmed)
                    {
                        throw new Exception("Le mail doit être validé");
                    }

                    var resultPhoneConfirmed = await _userManager.IsPhoneNumberConfirmedAsync(user);

                    if (!resultPhoneConfirmed)
                    {
                        return(Redirect("~/Account/VerifyPhone"));
                    }

                    await _events.RaiseAsync(new UserLoginSuccessEvent(user.UserName, user.Id, user.UserName, clientId : context?.ClientId));

                    if (context != null)
                    {
                        if (await _clientStore.IsPkceClientAsync(context.ClientId))
                        {
                            // if the client is PKCE then we assume it's native, so this change in how to
                            // return the response is for better UX for the end user.
                            return(this.LoadingPage("Redirect", model.ReturnUrl));
                        }

                        // we can trust model.ReturnUrl since GetAuthorizationContextAsync returned non-null
                        return(Redirect(model.ReturnUrl));
                    }

                    // request for a local page
                    if (Url.IsLocalUrl(model.ReturnUrl))
                    {
                        return(Redirect(model.ReturnUrl));
                    }
                    else if (string.IsNullOrEmpty(model.ReturnUrl))
                    {
                        return(Redirect("~/"));
                    }
                    else
                    {
                        // user might have clicked on a malicious link - should be logged
                        throw new Exception("invalid return URL");
                    }
                }

                if (result.IsLockedOut)
                {
                    ApplicationUser user = await _userManager.FindByNameAsync(model.Username);

                    ViewData["Lockout"] = await _userManager.GetLockoutEndDateAsync(user);

                    return(View("Banned"));
                }

                await _events.RaiseAsync(new UserLoginFailureEvent(model.Username, "invalid credentials", clientId : context?.ClientId));

                ModelState.AddModelError(string.Empty, AccountOptions.InvalidCredentialsErrorMessage);
            }

            // something went wrong, show form with error
            var vm = await BuildLoginViewModelAsync(model);

            return(View(vm));
        }
Example #21
0
 public void before_each()
 {
     trace = new UserTrace();
     proxy = new Proxy(trace);
 }
Example #22
0
        /// <summary>
        /// This function build an ETW usertrace from
        /// a configuration INI file and a selected IETWWriter
        /// </summary>
        /// <param name="config">configuration that come from an ini file</param>
        /// <param name="writer">how to writer etw</param>
        /// <returns></returns>
        public static UserTrace BuildFromConfig(IniData config, IETWWriter writer)
        {
            var providers = new Dictionary <Guid, Provider>();

            foreach (var providerConfig in config.Sections)
            {
                // try to parse filtering provider
                var providerDeclaration = providerConfig.SectionName.Split(new string[] { "://" }, StringSplitOptions.RemoveEmptyEntries);
                if (providerDeclaration.Length > 2)
                {
                    continue;
                }

                string providerName = providerDeclaration[0];

                // Try to parse provider name
                ProviderGuid providerGuid = null;
                if (!ProviderGuid.TryParse(providerName, out providerGuid))
                {
                    continue;
                }

                Forwarder forwarder = null;
                if (!Forwarder.TryBuild(providerGuid, out forwarder))
                {
                    continue;
                }

                UInt16?eventId = null;
                if (providerDeclaration.Length == 2)
                {
                    UInt16 tmp = 0;
                    if (!UInt16.TryParse(providerDeclaration[1], out tmp))
                    {
                        continue;
                    }
                    eventId = tmp;
                }

                if (!providers.ContainsKey(providerGuid.Guid))
                {
                    providers.Add(providerGuid.Guid, new Provider(providerGuid.Guid));
                }

                var provider = providers[providerGuid.Guid];

                var predicate = Filter.AnyEvent();

                if (eventId != null)
                {
                    predicate = Filter.EventIdIs(eventId.Value);
                }

                var filter = new EventFilter(predicate);
                foreach (var keyValue in providerConfig.Keys)
                {
                    forwarder.AddFilter(keyValue.KeyName, keyValue.Value);
                }

                filter.OnEvent += (IEventRecord record) =>
                {
                    try
                    {
                        forwarder.Forward(record, writer).Wait();
                    }
                    catch (System.AggregateException) { } // Some event ae not documented even for Microsoft
                };

                provider.AddFilter(filter);
            }

            if (providers.Count == 0)
            {
                throw new Exception("Unable to create a trace without provider");
            }

            UserTrace trace = new UserTrace(String.Format("Splunk-ETW-{0}", Guid.NewGuid().ToString()));

            foreach (var provider in providers.Values)
            {
                trace.Enable(provider);
            }

            return(trace);
        }
Example #23
0
        public static void Start()
        {
            var trace = new UserTrace();

            // WPP providers are basically legacy providers without a registered MOF.
            // They are intended for (internal) debugging purposes only.
            // Note - WPP software tracing has been superceded by TraceLogging.
            //
            // Instead of a manifest or MOF, a separate trace message format (TMF)
            // file is required to interpret the WPP event data.
            // https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/trace-message-format-file
            //
            // In some cases, the TMF is included in the PDB.
            // https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/tracepdb
            //
            // Otherwise, you can attempt to reconstruct the TMF by hand.
            // https://posts.specterops.io/data-source-analysis-and-dynamic-windows-re-using-wpp-and-tracelogging-e465f8b653f7
            //
            // Luckily, WPP tracing is usually added using Microsoft's convenience macros.
            // And, when you have symbols available, WPP metadata is then fairly straightfoward to extract.
            // https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/adding-wpp-software-tracing-to-a-windows-driver

            // Each WPP trace provider defines a control GUID that uniquely identifies that provider.
            // https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/control-guid
            //
            // The WPP macros generate control GUID globals named "WPP_ThisDir_CTLGUID_<name>"
            //
            // For example, this control GUID in the symbols for combase.dll
            // WPP_ThisDir_CTLGUID_OLE32 = bda92ae8-9f11-4d49-ba1d-a4c2abca692e
            var ole32WppProvider = new Provider(Guid.Parse("{bda92ae8-9f11-4d49-ba1d-a4c2abca692e}"));

            // We use the control GUID to enable WPP tracing for the provider, and to set
            // the filtering level and flags.
            //
            // In evntrace.h there are ten defined trace levels -
            // TRACE_LEVEL_NONE        0   // Tracing is not on
            // TRACE_LEVEL_CRITICAL    1   // Abnormal exit or termination
            // TRACE_LEVEL_ERROR       2   // Severe errors that need logging
            // TRACE_LEVEL_WARNING     3   // Warnings such as allocation failure
            // TRACE_LEVEL_INFORMATION 4   // Includes non-error cases(e.g.,Entry-Exit)
            // TRACE_LEVEL_VERBOSE     5   // Detailed traces from intermediate steps
            // TRACE_LEVEL_RESERVED6   6
            // TRACE_LEVEL_RESERVED7   7
            // TRACE_LEVEL_RESERVED8   8
            // TRACE_LEVEL_RESERVED9   9
            //
            // Microsoft WPP providers are known to use the reserved levels.
            // Internally, these levels have names like CHATTY, GARRULOUS and LOQUACIOUS.
            //
            // Everything at or below the configured level will be traced.
            // Technically 9 means trace everything, but the field is a UCHAR
            // so 0xFF means definitely trace everything.
            ole32WppProvider.Level = 0xFF;  // 'TRACE_LEVEL_ALL'

            // Flags is a user-defined bitmask field the developer can use to group
            // related messages.
            // Again, it is a UCHAR for WPP providers so 0xFF means trace everything.
            ole32WppProvider.Any = 0xFF;    // 'TRACE_FLAGS_ALL'

            // WPP events are also a slightly different format to the modern ETW events. In particular,
            // they include a message GUID rather than the control GUID. In order to convince krabs to
            // forward events to us, we need to register an extra 'provider' using the message GUID.
            //
            // The WPP macros generate message GUID globals named "WPP_<guid>_Traceguids"
            //
            // For example, these message GUIDs in the symbols for combase.dll
            // WPP_c0e4dd87b1523146a49921a43cd25160_Traceguids = c0e4dd87-b152-3146-a499-21a43cd25160
            // WPP_c1647dce9b833d97edb9721fff5f0606_Traceguids = c1647dce-9b83-3d97-edb9-721fff5f0606
            var messageGuid_S = new Provider(Guid.Parse("{c0e4dd87-b152-3146-a499-21a43cd25160}"));

            messageGuid_S.OnEvent += (record) =>
            {
                // krabs does not currently support TMF files for parsing WPP messages.
                // Instead you need to manually parse the UserData.
                //
                // The WPP macros generate logging staging functions named "WPP_SF_<format specifiers>"
                // In this case this message GUID is always associate with a WPP_SF_S(...) call.
                // This tells us that the event contains a single unicode string.
                var message = Marshal.PtrToStringUni(record.UserData);
                Console.WriteLine($"Id:{record.Id} WPP_SF_S({message})");
            };

            var messageGuid_ssdDsS = new Provider(Guid.Parse("{c1647dce-9b83-3d97-edb9-721fff5f0606}"));

            messageGuid_ssdDsS.OnEvent += (record) =>
            {
                // WPP_SF_ssdDsS(...)
                var userData = record.UserData;
                var string_1 = Marshal.PtrToStringAnsi(userData);
                userData += string_1.Length + 1;
                var string_2 = Marshal.PtrToStringAnsi(userData);
                userData += string_2.Length + 1;
                var int32_3 = Marshal.ReadInt32(userData);
                userData += sizeof(Int32);
                var uint32_4 = (UInt32)Marshal.ReadInt32(userData);
                userData += sizeof(UInt32);
                var string_5 = Marshal.PtrToStringAnsi(userData);
                userData += string_5.Length + 1;
                var string_6 = Marshal.PtrToStringUni(userData);
                Console.WriteLine($"Id:{record.Id} WPP_SF_ssdDsS({string_1}, {string_2}, {int32_3}, {uint32_4}, {string_5}, {string_6})");
            };

            // Side note - if you want to turn up the verbosity of your COM WPP diagnostic tracing, then enable
            // OLE32 tracing via the registry following the instruction here -
            // https://support.microsoft.com/en-us/help/926098/how-to-enable-com-and-com-diagnostic-tracing
            //
            // Alternatively call _ControlTracing (4) via combase's 18f70770-8e64-11cf-9af1-0020af6e72f4 RPC interface.

            trace.Enable(ole32WppProvider);
            trace.Enable(messageGuid_S);
            trace.Enable(messageGuid_ssdDsS);
            trace.Start();
        }
        public async Task <IActionResult> SignUpSend(RegisterInput input)
        {
            ApplicationUser user = new ApplicationUser();

            try
            {
                string connectionString = Startup.Configuration.GetConnectionString("DefaultConnection");
                var    services         = new ServiceCollection();
                services.AddLogging();
                services.AddDbContext <ApplicationDbContext>(options =>
                                                             options.UseSqlServer(connectionString));

                services.AddIdentity <ApplicationUser, IdentityRole>()
                .AddEntityFrameworkStores <ApplicationDbContext>()
                .AddDefaultTokenProviders();

                using (var serviceProvider = services.BuildServiceProvider())
                {
                    using (var scope = serviceProvider.GetRequiredService <IServiceScopeFactory>().CreateScope())
                    {
                        var context = scope.ServiceProvider.GetService <ApplicationDbContext>();

                        var userMgr = scope.ServiceProvider.GetRequiredService <UserManager <ApplicationUser> >();

                        var checkUser = _userManager.FindByNameAsync(input.UserName).Result;
                        if (checkUser == null)
                        {
                            if (input.ConfirmPassword != input.PasswordHash)
                            {
                                throw new Exception("Votre formulaire comporte des erreurs");
                            }
                            else
                            {
                                user = input;
                            }

                            var checkEmail = _userManager.FindByEmailAsync(input.Email).Result;

                            if (checkEmail != null)
                            {
                                throw new Exception("Email déjà utilisé");
                            }

                            int now = int.Parse(DateTime.Now.ToString("yyyyMMdd"));
                            int dob = int.Parse(input.Birthday.ToString("yyyyMMdd"));
                            int age = (now - dob) / 10000;

                            if (age < 18)
                            {
                                throw new Exception("Vous devez avoir 18 ans pour vous inscrire");
                            }

                            // Vérification du numéro de téléphone - Sébastien Berger
                            PhoneNumber phoneNumber = _phoneUtil.Parse(input.PhoneNumber, input.countryCode);

                            if (!_phoneUtil.IsValidNumberForRegion(phoneNumber, input.countryCode) && !phoneNumber.HasExtension)
                            {
                                throw new Exception("Numéro invalide");
                            }
                            else
                            {
                                input.PhoneNumber = "+" + phoneNumber.CountryCode.ToString() + phoneNumber.NationalNumber.ToString();
                            }

                            user.CorpulenceId     = input.CorpulenceId;
                            user.SexualityId      = input.SexualityId;
                            user.Sexeid           = input.Sexeid;
                            user.HairColorId      = input.HairColorId;
                            user.HairSizeId       = input.HairSizeId;
                            user.QuizCompleted    = false;
                            user.ReligionId       = input.ReligionId;
                            user.AccountCompleted = true;
                            checkUser             = user;

                            var result = userMgr.CreateAsync(checkUser, user.PasswordHash).Result;
                            if (!result.Succeeded)
                            {
                                throw new Exception(result.Errors.First().Description);
                            }
                            else
                            {
                                AspNetUserRole userRole = new AspNetUserRole();
                                userRole.UserId = checkUser.Id;
                                userRole.RoleId = "Utilisateur";

                                _context.AspNetUserRoles.Add(userRole);
                                string ip = _accessor.ActionContext.HttpContext.Connection.RemoteIpAddress.ToString();
                                _logger.LogInformation("User created a new account with password with ip: " + ip);

                                string    userId = _context.AspNetUsers.Where(u => u.UserName == input.UserName).Select(u => u.Id).SingleOrDefault();
                                UserTrace trace  = new UserTrace
                                {
                                    Logdate     = DateTime.Now,
                                    Ipadress    = ip,
                                    Pagevisited = "SignUp : User created a new account",
                                    Id          = userId
                                };
                                UserStyle us = new UserStyle();
                                us.Id      = user.Id;
                                us.StyleId = input.StyleId;

                                _context.UserStyles.Add(us);
                                _context.UserTraces.Add(trace);
                                _context.SaveChanges();

                                var code = await _userManager.GenerateEmailConfirmationTokenAsync(user);

                                code = WebEncoders.Base64UrlEncode(Encoding.UTF8.GetBytes(code));
                                var callbackUrl = Url.Action("ConfirmEmail", "Account", new { userId = user.Id, code = code }, Request.Scheme);

                                string message = "Salut mon pote comment ca va ? si tu veux confirmer ton inscription c'est par <a href='" + callbackUrl + "'>ici</a>";
                                await _emailSender.SendEmailAsync(user.Email, "Confirmer votre Email", message);
                            }

                            Log.Debug($"{checkUser.UserName} created");
                        }
                        else
                        {
                            throw new Exception("Votre nom d'utilisateur est déjà pris");
                        }
                    }
                }

                return(View("SignUpSuccess", user));
            }
            catch (Exception e)
            {
                Log.Debug($"{e.Message} error");
                ViewData["error"] = e.Message;

                await SignUp();

                return(View("SignUp"));
            }
        }