private static bool ShouldTrackStep(this TrackingProfile profile, WorkflowTraceStep workflowTraceStep)
{
if (workflowTraceStep is TraceGroup)
{
// Don't filter out a nested TraceGroup.
return(true);
}
ActivityTrace activityTrace = workflowTraceStep as ActivityTrace;
if (activityTrace != null)
{
//check the activity track queries
foreach (ActivityStateQuery activityQuery in profile.Queries.OfType <ActivityStateQuery>())
{
//either all activities are tracked or only this specific one.
if (TrackingFilter.IsActivityLocationTracked(activityQuery, activityTrace.ActivityName, activityTrace.ActivityStatus))
{
return(true);
}
}
//check the ActivityScheduledQuery
foreach (ActivityScheduledQuery activityScheduledQuery in profile.Queries.OfType <ActivityScheduledQuery>())
{
//either all activities are tracked or only this specific one.
if (TrackingFilter.IsActivityScheduledTracked(activityScheduledQuery, activityTrace.ActivityName))
{
return(true);
}
}
}
WorkflowInstanceTrace workflowInstanceTrace = workflowTraceStep as WorkflowInstanceTrace;
if (workflowInstanceTrace != null)
{
foreach (WorkflowInstanceQuery workflowInstanceTrackingQuery in profile.Queries.OfType <WorkflowInstanceQuery>())
{
if (workflowInstanceTrackingQuery.States.Contains(workflowInstanceTrace.InstanceStatus.ToString()))
{
return(true);
}
}
}
UserTrace userTrace = workflowTraceStep as UserTrace;
if (userTrace != null)
{
//presently we (trackign team) do not track any userTrace values through profile om.
return(true);
}
return(false);
}
private static void TrackStateMachineRecord(StateMachineStateRecord stateMachineRecord)
{
UserTrace userTrace = new UserTrace(
stateMachineRecord.InstanceId,
stateMachineRecord.Activity.Id + ":" + stateMachineRecord.Activity.InstanceId,
string.Format("StateMachineTrackingRecord: '{0}' State: '{1}'",
stateMachineRecord.StateMachineName,
stateMachineRecord.StateName));
TraceSource ts = new TraceSource("Microsoft.CoreWf.Tracking", SourceLevels.Information);
//PartialTrustTrace.TraceData(ts, TraceEventType.Information, 1, userTrace);
}
static void Main(string[] args)
{
// UserTrace instances should be used for any non-kernel traces that are defined
// by components or programs in Windows. They can optionally take a name -- if none
// is provided, a random GUID is assigned as the name.
var trace = new UserTrace("Silly Gooby");
// A trace can have any number of providers, which are identified by GUID. These
// GUIDs are defined by the components that emit events, and their GUIDs can
// usually be found with various ETW tools (like wevutil).
var powershellProvider = new Provider(Guid.Parse("{A0C1853B-5C40-4B15-8766-3CF1C58F985A}"));
// UserTrace providers typically have any and all flags, whose meanings are
// unique to the specific providers that are being invoked. To understand these
// flags, you'll need to look to the ETW event producer.
powershellProvider.Any = Provider.AllBitsSet;
// In user_trace_001.cs, we manually filter events by checking the information
// in our callback functions. In this example, we're going to use a provider
// filter to do this for us.
// We instantiate an EventFilter first. An EventFilter is created with a predicate --
// literally just a function that does some check on an EventRecord and returns a boolean
// (true when the even should be passed on to callbacks, false otherwise).
// EventFilters are more than just convenient -- Lobster provides combinators for
// expressing simple but powerful filters that actually execute in the underlying C++
// krabs library. This means that events can be filtered before ever running in the
// CLR (saving us a ton of cost in spinning up objects on event firing).
// The combinators cannot express everything a filter must do, so for complicated
// filters, it's recommended to write the filters in a managed C++/CLI project and
// use those to keep the perf benefits. The filters that Lobster provides are on
// the Filter object (and can be combined with &&, ||, !)
var filter = new EventFilter(Filter.EventIdIs(7937));
// EventFilters have attached callbacks, just like a regular provider.
filter.OnEvent += (EventRecord record) =>
{
var schema = new Schema(record);
System.Diagnostics.Debug.Assert(schema.Id == 7937);
Console.WriteLine("Event 7937 received");
};
// EventFilters are attached to providers. Events that are attached to the filter
// will only be called when the filter allows the event through. Any events attached
// to the provider directly will be called for all events that are fired by the ETW
// producer.
powershellProvider.AddFilter(filter);
trace.Enable(powershellProvider);
trace.Start();
}
// Permet d'afficher l'inscription avec plusieurs données
public async Task <IActionResult> SignUp()
{
string accessToken = await HttpContext.GetTokenAsync("access_token");
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
string sexes = await client.GetStringAsync(Configuration["URLAPI"] + "api/Data/Sex");
string corpulences = await client.GetStringAsync(Configuration["URLAPI"] + "api/Data/corpulences");
string hairSize = await client.GetStringAsync(Configuration["URLAPI"] + "api/Data/hairSize");
string hairColor = await client.GetStringAsync(Configuration["URLAPI"] + "api/Data/hairColor");
string sexuality = await client.GetStringAsync(Configuration["URLAPI"] + "api/Data/sexuality");
string styles = await client.GetStringAsync(Configuration["URLAPI"] + "api/Data/styles");
string religions = await client.GetStringAsync(Configuration["URLAPI"] + "api/Data/religions");
List <Religion> resultReligion = JsonConvert.DeserializeObject <List <Religion> >(religions);
List <Sex> resultSexes = JsonConvert.DeserializeObject <List <Sex> >(sexes);
List <Corpulence> resultCorpulences = JsonConvert.DeserializeObject <List <Corpulence> >(corpulences);
List <HairColor> resultHairColors = JsonConvert.DeserializeObject <List <HairColor> >(hairColor);
List <HairSize> resultHairSizes = JsonConvert.DeserializeObject <List <HairSize> >(hairSize);
List <Sexuality> resultSexualities = JsonConvert.DeserializeObject <List <Sexuality> >(sexuality);
List <Style> resultStyle = JsonConvert.DeserializeObject <List <Style> >(styles);
ViewData["sexes"] = resultSexes;
ViewData["corpulences"] = resultCorpulences;
ViewData["hairColors"] = resultHairColors;
ViewData["hairSizes"] = resultHairSizes;
ViewData["sexualities"] = resultSexualities;
ViewData["styles"] = resultStyle;
ViewData["religions"] = resultReligion;
string ip = _accessor.ActionContext.HttpContext.Connection.RemoteIpAddress.ToString();
_logger.LogInformation("A User is trying to sign up with ip : " + ip);
UserTrace trace = new UserTrace
{
Logdate = DateTime.Now,
Ipadress = ip,
Pagevisited = "SignUp : A User is trying to sign up"
};
_context.UserTraces.Add(trace);
_context.SaveChanges();
return(View());
}
protected override void Execute(NativeActivityContext context)
{
TestTraceListenerExtension listenerExtension = context.GetExtension <TestTraceListenerExtension>();
NoPersistHandle handle = _noPersistHandle.Get(context);
handle.Enter(context);
UserTrace.Trace(listenerExtension, context.WorkflowInstanceId, NoPersistenceBlockEntered);
// Schedule all of the Sequence's Activities
base.Execute(context);
UserTrace.Trace(listenerExtension, context.WorkflowInstanceId, NoPersistenceBlockExited);
}
static void Main(string[] args)
{
// UserTrace instances should be used for any non-kernel traces that are defined
// by components or programs in Windows.
var trace = new UserTrace();
// A trace can have any number of providers, which are identified by GUID. These
// GUIDs are defined by the components that emit events, and their GUIDs can
// usually be found with various ETW tools (like wevutil).
var powershellProvider = new Provider(Guid.Parse("{A0C1853B-5C40-4B15-8766-3CF1C58F985A}"));
// UserTrace providers typically have any and all flags, whose meanings are
// unique to the specific providers that are being invoked. To understand these
// flags, you'll need to look to the ETW event producer.
powershellProvider.Any = Provider.AllBitsSet;
// Providers should be wired up to functions that are called when
// events from that provider are fired.
powershellProvider.OnEvent += (EventRecord record) =>
{
// Once an event is received, if we want krabs to help us analyze it, we need
// to snap in a schema to ask it for information.
var schema = new Schema(record);
// We then have the ability to ask a few questions of the event.
Console.WriteLine("Event " + schema.Id + " (" + schema.Name + ") received.");
if (schema.Id == 7937)
{
// The event we're interested in has a field that contains a bunch of
// info about what it's doing. We can snap in a parser to help us get
// the property information out.
var parser = new Parser(schema);
// We need to call the specific method to parse the type we expect.
// If we don't want to deal with the possibility of failure, we can
// provide a default if parsing fails.
var context = parser.ParseWStringWithDefault("ContextInfo", "None.");
Console.WriteLine("Context: " + context);
}
};
// The UserTrace needs to know about the provider that we've set up.
trace.Enable(powershellProvider);
// Begin listening for events. This call blocks, so if you want to do other things
// while this runs, you'll need to call this on another thread.
trace.Start();
}
protected override IAsyncResult BeginExecute(AsyncCodeActivityContext context, AsyncCallback callback, object state)
{
TestTraceListenerExtension listenerExtension = context.GetExtension <TestTraceListenerExtension>();
UserTrace.Trace(listenerExtension, context.WorkflowInstanceId, AsyncOperationBlockEntered);
AsyncWorkState asyncWorkState = new AsyncWorkState()
{
InstanceID = context.WorkflowInstanceId,
Duration = this.Duration.Get(context),
ListenerExtension = listenerExtension
};
return(new AsyncOperationBlockActivityAsyncResult(asyncWorkState, callback, state));
}
protected override void Execute(CodeActivityContext executionContext)
{
UserTrace userTrace = new UserTrace(executionContext.WorkflowInstanceId,
this.Id + ":" + executionContext.ActivityInstanceId, this.Message.Get(executionContext));
//TraceSource ts = new TraceSource("Microsoft.CoreWf.Tracking", SourceLevels.Information);
//ts.TraceData(TraceEventType.Information, 1, userTrace);
// PartialTrustTrace.TraceData(ts, TraceEventType.Information, 1, userTrace);
TestTraceListenerExtension traceExtension = executionContext.GetExtension <TestTraceListenerExtension>();
if (traceExtension != null)
{
traceExtension.TraceData(userTrace);
}
}
protected void OnResumeBookmark(NativeActivityContext context, Bookmark bookmark, object obj)
{
TestTraceListenerExtension listenerExtension = context.GetExtension <TestTraceListenerExtension>();
Guid instanceId = context.WorkflowInstanceId;
UserTrace.Trace(listenerExtension, instanceId, BeforeWait);
Thread.CurrentThread.Join((int)WaitTime.TotalMilliseconds);
if (!(obj is T))
{
throw new Exception("Resume Bookmark with object of type " + typeof(T).FullName);
}
BookmarkValue.Set(context, (T)obj);
UserTrace.Trace(listenerExtension, instanceId, AfterWait);
}
public void it_should_raise_OnEvent_for_raw_provider_on_user_trace()
{
var called = false;
var trace = new UserTrace();
var proxy = new Proxy(trace);
var provider = new RawProvider(PowerShellEvent.ProviderId);
provider.OnEvent += e => { called = true; };
trace.Enable(provider);
proxy.PushEvent(PowerShellEvent.CreateRecord("user data", "context info", "payload"));
Assert.IsTrue(called, "proxy call raised on event");
}
static void Main(string[] args)
{
var count = 0;
var cts = new CancellationTokenSource();
var trace = new UserTrace("MY AWESOME TEST THING");
//var provider = new RawProvider(EventSource.GetGuid(typeof(TestEventSource)));
var provider = new Provider(Guid.Parse("{A0C1853B-5C40-4B15-8766-3CF1C58F985A}"));
// Only pull in method invocations
var powershellFilter = new EventFilter(Filter.EventIdIs(7937)
.And(UnicodeString.Contains("Payload", "Started")));
powershellFilter.OnEvent += e =>
{
Console.WriteLine($"{e.ProviderName} - {e.Id}: {count++}");
};
provider.AddFilter(powershellFilter);
Console.CancelKeyPress += (s, e) =>
{
cts.Cancel();
trace.Stop();
};
trace.Enable(provider);
var statsLoop = Task.Run(() => PrintStats(trace, cts.Token));
Task.Run(() => trace.Start())
.ContinueWith(t => Console.WriteLine($"Task ended with status {t.Status}"));
Console.WriteLine("Enter to restart trace");
Console.ReadKey();
Task.Run(() => trace.Start())
.ContinueWith(t => Console.WriteLine($"Task ended with status {t.Status}"));
Console.WriteLine("Ctrl+C to quit");
statsLoop.Wait();
Console.WriteLine("Done");
}
public static void Start()
{
// UserTrace instances should be used for any non-kernel traces that are defined
// by components or programs in Windows.
var trace = new UserTrace();
// A trace can have any number of providers, which are identified by GUID. These
// GUIDs are defined by the components that emit events, and their GUIDs can
// usually be found with various ETW tools (like wevutil).
var powershellProvider = new Provider(Guid.Parse("{A0C1853B-5C40-4B15-8766-3CF1C58F985A}"));
// UserTrace providers typically have any and all flags, whose meanings are
// unique to the specific providers that are being invoked. To understand these
// flags, you'll need to look to the ETW event producer.
powershellProvider.Any = Provider.AllBitsSet;
// Providers should be wired up to functions that are called when
// events from that provider are fired.
powershellProvider.OnEvent += (record) =>
{
// Records have general properties that are applicable to every ETW
// record regardless of schema. They give us general information.
Console.WriteLine("Event " + record.Id + " (" + record.Name + ") received.");
if (record.Id == 7937)
{
// We need to call the specific method to parse the type we expect.
// If we don't want to deal with the possibility of failure, we can
// provide a default if parsing fails.
var context = record.GetUnicodeString("ContextInfo", "None.");
Console.WriteLine("Context: " + context);
}
};
// The UserTrace needs to know about the provider that we've set up.
trace.Enable(powershellProvider);
// Begin listening for events. This call blocks, so if you want to do other things
// while this runs, you'll need to call this on another thread.
trace.Start();
}
static void Main(string[] args)
{
var filter = new EventFilter(Filter
.EventIdIs(3018)
.Or(Filter.EventIdIs(3020)));
filter.OnEvent += (IEventRecord r) => {
var query = r.GetUnicodeString("QueryName");
var result = r.GetUnicodeString("QueryResults");
Console.WriteLine($"DNS query ({r.Id}): {query} - {result}");
};
var provider = new Provider("Microsoft-Windows-DNS-Client");
provider.AddFilter(filter);
var trace = new UserTrace();
trace.Enable(provider);
trace.Start();
}
public static void Start()
{
// While Adminstrator is sufficent to view the Security EventLog,
// SYSTEM is required for the Microsoft-Windows-Security-Auditing provider.
if (!WindowsIdentity.GetCurrent().IsSystem)
{
Console.WriteLine("Microsoft-Windows-Security-Auditing can only be traced by SYSTEM");
return;
}
// Further, only one trace session is allowed for this provider.
// This session is created by the OS and is called 'EventLog-Security'.
// We can't Stop this session, but we can Open a handle to it.
var trace = new UserTrace("EventLog-Security");
var provider = new Provider("Microsoft-Windows-Security-Auditing");
// We also can't modify the flags of the trace session.
// This will silently fail.
provider.Any = Provider.AllBitsSet;
// But we can receive events - but only those configured by the audit policy.
// e.g. to enable event 4703 run -> auditpol /set /subcategory:"Token Right Adjusted Events"
provider.OnEvent += (record) =>
{
Console.WriteLine($"Event {record.Id}({record.Name}) received.");
if (record.Id == 4703) // "A user right was adjusted."
{
var enabledPrivilegeList = record.GetUnicodeString("EnabledPrivilegeList", "");
var disabledPrivilegeList = record.GetUnicodeString("DisabledPrivilegeList", "");
Console.WriteLine($"\tEnabledPrivilegeList={enabledPrivilegeList}");
Console.WriteLine($"\tDisabledPrivilegeList={disabledPrivilegeList}");
}
};
trace.Enable(provider);
trace.Start();
}
static void Main(string[] args)
{
var filter = new EventFilter(
Filter.EventIdIs(5)
//.Or(Filter.EventIdIs(6))
);
// Microsoft-Windows-RPC EventID 5 - Client RPC call started
// EventID 6 - Server RPC call started.
filter.OnEvent += (IEventRecord r) =>
{
var endpoint = r.GetUnicodeString("Endpoint");
var opNum = r.GetUInt32("ProcNum");
var protocol = r.GetUInt32("Protocol");
Console.WriteLine($"RPC Event {r.Id}");
Console.WriteLine($"Endpoint: {endpoint}");
Console.WriteLine($"Protocol {protocol,0:X}");
Console.WriteLine($"OpNum: {opNum}");
};
var provider = new Provider("Microsoft-Windows-RPC");
provider.AddFilter(filter);
var trace = new UserTrace();
trace.Enable(provider);
Console.CancelKeyPress += (sender, eventArg) =>
{
if (trace != null)
{
trace.Stop();
}
};
trace.Start();
}
public static void Start()
{
// UserTrace instances should be used for any non-kernel traces that are defined
// by components or programs in Windows. They can optionally take a name -- if none
// is provided, a random GUID is assigned as the name.
var trace = new UserTrace();
// A trace can have any number of providers, which are identified by GUID. These
// GUIDs are defined by the components that emit events, and their GUIDs can
// usually be found with various ETW tools (like wevutil).
var powershellProvider = new Provider(Guid.Parse("{A0C1853B-5C40-4B15-8766-3CF1C58F985A}"));
// UserTrace providers typically have any and all flags, whose meanings are
// unique to the specific providers that are being invoked. To understand these
// flags, you'll need to look to the ETW event producer.
powershellProvider.Any = Provider.AllBitsSet;
// In UserTrace003.cs, we use ETW-based filtering to select a specific event ID.
//
// We can combine ETW-based filtering with predicate filters to filter on specific
// event properties without impacting performance.
var filter = new EventFilter(7937, UnicodeString.Contains("ContextInfo", "Write-Host"));
// EventFilters have attached callbacks, just like a regular provider.
filter.OnEvent += (record) =>
{
System.Diagnostics.Debug.Assert(record.Id == 7937);
Console.WriteLine(record.GetUnicodeString("ContextInfo"));
};
// EventFilters are attached to providers. Events that are attached to the filter
// will only be called when the filter allows the event through. Any events attached
// to the provider directly will be called for all events that are fired by the ETW
// producer.
powershellProvider.AddFilter(filter);
trace.Enable(powershellProvider);
trace.Start();
}
static void Main(string[] args)
{
var trace = new UserTrace();
// The name of the PowerShell provider that gives us with detailed
// method execution logging is "Microsoft-Windows-PowerShell".
//
// If you want to explore all the events in this provider,
// you'll need to use Message Analyzer to load the trace and explore
// the events.
//
// Download: https://www.microsoft.com/en-us/download/details.aspx?id=44226
var powershellProvider = new Provider("Microsoft-Windows-PowerShell");
var powershellFilter = new EventFilter(
Filter.EventIdIs(7937)
.And(UnicodeString.Contains("Payload", "Started")));
powershellFilter.OnEvent += OnEvent;
// The "Any" and "All" flags can be sussed out using Microsoft Message Analyzer.
powershellProvider.Any = 0x20;
powershellProvider.AddFilter(powershellFilter);
trace.Enable(powershellProvider);
Console.CancelKeyPress += (sender, eventArg) =>
{
if (trace != null)
{
trace.Stop();
}
};
// This is a blocking call. Ctrl-C to stop.
trace.Start();
}
public void schema_not_found_should_raise_onerror_on_user_trace()
{
var onEventCalled = false;
var onErrorCalled = false;
var trace = new UserTrace();
var proxy = new Proxy(trace);
var provider = new Provider(PowerShellEvent.ProviderId);
provider.OnEvent += e => { onEventCalled = true; };
provider.OnError += e => { onErrorCalled = true; };
var record = PowerShellEvent.CreateRecord("user data", "context info", "payload");
// munge the event so the schema can't be found
record.Id = (ushort)1234;
trace.Enable(provider);
proxy.PushEvent(record);
Assert.IsFalse(onEventCalled, "schema not found raised OnEvent");
Assert.IsTrue(onErrorCalled, "schema not found raised OnError");
}
public static void Start()
{
var trace = new UserTrace("WPP_OLE32");
// WPP providers are basically legacy providers without a registered MOF.
// They are intended for (internal) debugging purposes only.
// Note - WPP software tracing has been superceded by TraceLogging.
//
// Instead of a manifest or MOF, a separate trace message format (TMF)
// file is required to interpret the WPP event data.
// https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/trace-message-format-file
//
// In some cases, the TMF is included in the PDB.
// https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/tracepdb
//
// Otherwise, you can attempt to reconstruct the TMF by hand.
// https://posts.specterops.io/data-source-analysis-and-dynamic-windows-re-using-wpp-and-tracelogging-e465f8b653f7
//
// Luckily, WPP tracing is usually added using Microsoft's convenience macros.
// And, when you have symbols available, WPP metadata is then fairly straightfoward to extract.
// https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/adding-wpp-software-tracing-to-a-windows-driver
// Each WPP trace provider defines a control GUID that uniquely identifies that provider.
// https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/control-guid
//
// The WPP macros generate control GUID globals named "WPP_ThisDir_CTLGUID_<name>"
//
// For example, this control GUID is in the symbols for combase.dll
// WPP_ThisDir_CTLGUID_OLE32 = bda92ae8-9f11-4d49-ba1d-a4c2abca692e
var ole32WppProvider = new Provider(Guid.Parse("{bda92ae8-9f11-4d49-ba1d-a4c2abca692e}"));
// In evntrace.h there are ten defined trace levels -
// TRACE_LEVEL_NONE 0 // Tracing is not on
// TRACE_LEVEL_CRITICAL 1 // Abnormal exit or termination
// TRACE_LEVEL_ERROR 2 // Severe errors that need logging
// TRACE_LEVEL_WARNING 3 // Warnings such as allocation failure
// TRACE_LEVEL_INFORMATION 4 // Includes non-error cases(e.g.,Entry-Exit)
// TRACE_LEVEL_VERBOSE 5 // Detailed traces from intermediate steps
// TRACE_LEVEL_RESERVED6 6
// TRACE_LEVEL_RESERVED7 7
// TRACE_LEVEL_RESERVED8 8
// TRACE_LEVEL_RESERVED9 9
//
// Microsoft WPP providers are known to use the reserved levels.
// Internally, these levels have names like CHATTY, GARRULOUS and LOQUACIOUS.
//
// Everything at or below the configured level will be traced.
// Technically 9 means trace everything, but the field is a UCHAR
// so 0xFF means definitely trace everything.
ole32WppProvider.Level = 0xFF; // 'TRACE_LEVEL_ALL'
// Flags is a user-defined bitmask field the developer can use to group
// related messages.
// Again, it is a UCHAR for WPP providers so 0xFF means trace everything.
ole32WppProvider.Any = 0xFF; // 'TRACE_FLAGS_ALL'
// We need to enable this provider in order for krabs to correctly enable the OLE32 WPP events.
trace.Enable(ole32WppProvider);
// But we can't add any callbacks directly to krabs WPP providers though. Without the TMF
// information, krabs cannot determine which provider the event belongs to.
//
// WPP providers, like MOF providers, return the message GUID in the ProviderId field.
// So firstly krabs checks if the message GUID matches a provider GUID.
// If you know the message GUIDs then you can create individual dummy providers for those.
//
// Secondly krabs queries TDH to see if it knows the provider GUID for the message GUID.
// https://docs.microsoft.com/en-us/windows/win32/etw/retrieving-event-data-using-tdh
// This works for registered MOF providers - but not for WPP providers. In this case, TDH returns
// an all zero GUID - so we can create a dummy provider for that and add our callbacks there instead.
// If you subscribe to multiple WPP providers, the events from *all* of them will be delivered to this dummy provider.
var allWppDummyProvider = new Provider(Guid.Empty);
allWppDummyProvider.OnEvent += (record) =>
{
// Here be dragons.
//
// krabs does not currently support TMF files for parsing WPP messages.
// Instead you need to manually parse the UserData.
//
// The WPP macros generate message GUID globals named "WPP_<guid>_Traceguids"
// They also generate logging staging functions named "WPP_SF_<format specifiers>"
//
// There seems to be a one-to-one mapping between message GUIDs and staging functions.
// WPP events are a slightly different format to the modern ETW events. In particular,
// they include this message GUID rather than the provider's control GUID.
//
// So message GUIDs would be a good candidate for filtering...
// ... but my experience is that they may change between builds.
// So I've subscribed to the zero GUID instead.
//
// Event ids seem more stable, but they are only unique per message GUID.
//
// In this case, combase.dll only has two logging staging functions.
// WPP_SF_S(...) - which tells us that the event contains a single unicode string.
// WPP_SF_ssdDsS(...) - which tells us that there are 3 ansi strings, a unicode string and dword.
//
// So we can brute force the format...
var message = $"Message:{record.ProviderId} Id:{record.Id} ";
var userData = record.UserData;
var string_1 = Marshal.PtrToStringAnsi(record.UserData);
if (string_1.Length != 1) // definitely an ansi string...
{
// WPP_SF_ssdDsS(...)
userData += string_1.Length + 1;
var string_2 = Marshal.PtrToStringAnsi(userData);
userData += string_2.Length + 1;
var int32_3 = Marshal.ReadInt32(userData);
userData += sizeof(Int32);
var uint32_4 = (UInt32)Marshal.ReadInt32(userData);
userData += sizeof(UInt32);
var string_5 = Marshal.PtrToStringAnsi(userData);
userData += string_5.Length + 1;
var string_6 = Marshal.PtrToStringUni(userData);
message += $"WPP_SF_ssdDsS({string_1}, {string_2}, {int32_3}, {uint32_4}, {string_5}, {string_6})";
}
else // probably a unicode string... (but possibly a single character ansi string)
{
// WPP_SF_S(...)
string_1 = Marshal.PtrToStringUni(record.UserData);
message += $"WPP_SF_S({string_1})";
}
// In this example we only print messages that contain COM class ids.
if (message.Contains(" clsid"))
{
Console.WriteLine(message);
}
};
trace.Enable(allWppDummyProvider);
// Side note - if you want to turn up the verbosity of your COM WPP diagnostic tracing, then enable
// OLE32 tracing via the registry following the instruction here -
// https://support.microsoft.com/en-us/help/926098/how-to-enable-com-and-com-diagnostic-tracing
//
// Alternatively call _ControlTracing (4) via combase's 18f70770-8e64-11cf-9af1-0020af6e72f4 RPC interface.
trace.Start();
}
public async Task <IActionResult> Login(LoginInputModel model, string button)
{
// check if we are in the context of an authorization request
var context = await _interaction.GetAuthorizationContextAsync(model.ReturnUrl);
// the user clicked the "cancel" button
if (button != "login")
{
if (context != null)
{
// if the user cancels, send a result back into IdentityServer as if they
// denied the consent (even if this client does not require consent).
// this will send back an access denied OIDC error response to the client.
await _interaction.GrantConsentAsync(context, ConsentResponse.Denied);
// we can trust model.ReturnUrl since GetAuthorizationContextAsync returned non-null
if (await _clientStore.IsPkceClientAsync(context.ClientId))
{
// if the client is PKCE then we assume it's native, so this change in how to
// return the response is for better UX for the end user.
return(this.LoadingPage("Redirect", model.ReturnUrl));
}
return(Redirect(model.ReturnUrl));
}
else
{
// since we don't have a valid context, then we just go back to the home page
return(Redirect("~/"));
}
}
if (ModelState.IsValid)
{
var result = await _signInManager.PasswordSignInAsync(model.Username, model.Password, model.RememberLogin, lockoutOnFailure : true);
if (result.Succeeded)
{
string ip = _accessor.ActionContext.HttpContext.Connection.RemoteIpAddress.ToString();
_logger.LogInformation("A User signs in with ip : " + ip);
string userId = _LMcontext.AspNetUsers.Where(u => u.UserName == model.Username).Select(u => u.Id).SingleOrDefault();
UserTrace trace = new UserTrace
{
Logdate = DateTime.Now,
Ipadress = ip,
Pagevisited = "Login : A User signs in ",
Id = userId
};
_LMcontext.UserTraces.Add(trace);
_LMcontext.SaveChanges();
var user = await _userManager.FindByNameAsync(model.Username);
var resultEmailConfirmed = await _userManager.IsEmailConfirmedAsync(user);
if (!resultEmailConfirmed)
{
throw new Exception("Le mail doit être validé");
}
var resultPhoneConfirmed = await _userManager.IsPhoneNumberConfirmedAsync(user);
if (!resultPhoneConfirmed)
{
return(Redirect("~/Account/VerifyPhone"));
}
await _events.RaiseAsync(new UserLoginSuccessEvent(user.UserName, user.Id, user.UserName, clientId : context?.ClientId));
if (context != null)
{
if (await _clientStore.IsPkceClientAsync(context.ClientId))
{
// if the client is PKCE then we assume it's native, so this change in how to
// return the response is for better UX for the end user.
return(this.LoadingPage("Redirect", model.ReturnUrl));
}
// we can trust model.ReturnUrl since GetAuthorizationContextAsync returned non-null
return(Redirect(model.ReturnUrl));
}
// request for a local page
if (Url.IsLocalUrl(model.ReturnUrl))
{
return(Redirect(model.ReturnUrl));
}
else if (string.IsNullOrEmpty(model.ReturnUrl))
{
return(Redirect("~/"));
}
else
{
// user might have clicked on a malicious link - should be logged
throw new Exception("invalid return URL");
}
}
if (result.IsLockedOut)
{
ApplicationUser user = await _userManager.FindByNameAsync(model.Username);
ViewData["Lockout"] = await _userManager.GetLockoutEndDateAsync(user);
return(View("Banned"));
}
await _events.RaiseAsync(new UserLoginFailureEvent(model.Username, "invalid credentials", clientId : context?.ClientId));
ModelState.AddModelError(string.Empty, AccountOptions.InvalidCredentialsErrorMessage);
}
// something went wrong, show form with error
var vm = await BuildLoginViewModelAsync(model);
return(View(vm));
}
public void before_each()
{
trace = new UserTrace();
proxy = new Proxy(trace);
}
/// <summary>
/// This function build an ETW usertrace from
/// a configuration INI file and a selected IETWWriter
/// </summary>
/// <param name="config">configuration that come from an ini file</param>
/// <param name="writer">how to writer etw</param>
/// <returns></returns>
public static UserTrace BuildFromConfig(IniData config, IETWWriter writer)
{
var providers = new Dictionary <Guid, Provider>();
foreach (var providerConfig in config.Sections)
{
// try to parse filtering provider
var providerDeclaration = providerConfig.SectionName.Split(new string[] { "://" }, StringSplitOptions.RemoveEmptyEntries);
if (providerDeclaration.Length > 2)
{
continue;
}
string providerName = providerDeclaration[0];
// Try to parse provider name
ProviderGuid providerGuid = null;
if (!ProviderGuid.TryParse(providerName, out providerGuid))
{
continue;
}
Forwarder forwarder = null;
if (!Forwarder.TryBuild(providerGuid, out forwarder))
{
continue;
}
UInt16?eventId = null;
if (providerDeclaration.Length == 2)
{
UInt16 tmp = 0;
if (!UInt16.TryParse(providerDeclaration[1], out tmp))
{
continue;
}
eventId = tmp;
}
if (!providers.ContainsKey(providerGuid.Guid))
{
providers.Add(providerGuid.Guid, new Provider(providerGuid.Guid));
}
var provider = providers[providerGuid.Guid];
var predicate = Filter.AnyEvent();
if (eventId != null)
{
predicate = Filter.EventIdIs(eventId.Value);
}
var filter = new EventFilter(predicate);
foreach (var keyValue in providerConfig.Keys)
{
forwarder.AddFilter(keyValue.KeyName, keyValue.Value);
}
filter.OnEvent += (IEventRecord record) =>
{
try
{
forwarder.Forward(record, writer).Wait();
}
catch (System.AggregateException) { } // Some event ae not documented even for Microsoft
};
provider.AddFilter(filter);
}
if (providers.Count == 0)
{
throw new Exception("Unable to create a trace without provider");
}
UserTrace trace = new UserTrace(String.Format("Splunk-ETW-{0}", Guid.NewGuid().ToString()));
foreach (var provider in providers.Values)
{
trace.Enable(provider);
}
return(trace);
}
public static void Start()
{
var trace = new UserTrace();
// WPP providers are basically legacy providers without a registered MOF.
// They are intended for (internal) debugging purposes only.
// Note - WPP software tracing has been superceded by TraceLogging.
//
// Instead of a manifest or MOF, a separate trace message format (TMF)
// file is required to interpret the WPP event data.
// https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/trace-message-format-file
//
// In some cases, the TMF is included in the PDB.
// https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/tracepdb
//
// Otherwise, you can attempt to reconstruct the TMF by hand.
// https://posts.specterops.io/data-source-analysis-and-dynamic-windows-re-using-wpp-and-tracelogging-e465f8b653f7
//
// Luckily, WPP tracing is usually added using Microsoft's convenience macros.
// And, when you have symbols available, WPP metadata is then fairly straightfoward to extract.
// https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/adding-wpp-software-tracing-to-a-windows-driver
// Each WPP trace provider defines a control GUID that uniquely identifies that provider.
// https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/control-guid
//
// The WPP macros generate control GUID globals named "WPP_ThisDir_CTLGUID_<name>"
//
// For example, this control GUID in the symbols for combase.dll
// WPP_ThisDir_CTLGUID_OLE32 = bda92ae8-9f11-4d49-ba1d-a4c2abca692e
var ole32WppProvider = new Provider(Guid.Parse("{bda92ae8-9f11-4d49-ba1d-a4c2abca692e}"));
// We use the control GUID to enable WPP tracing for the provider, and to set
// the filtering level and flags.
//
// In evntrace.h there are ten defined trace levels -
// TRACE_LEVEL_NONE 0 // Tracing is not on
// TRACE_LEVEL_CRITICAL 1 // Abnormal exit or termination
// TRACE_LEVEL_ERROR 2 // Severe errors that need logging
// TRACE_LEVEL_WARNING 3 // Warnings such as allocation failure
// TRACE_LEVEL_INFORMATION 4 // Includes non-error cases(e.g.,Entry-Exit)
// TRACE_LEVEL_VERBOSE 5 // Detailed traces from intermediate steps
// TRACE_LEVEL_RESERVED6 6
// TRACE_LEVEL_RESERVED7 7
// TRACE_LEVEL_RESERVED8 8
// TRACE_LEVEL_RESERVED9 9
//
// Microsoft WPP providers are known to use the reserved levels.
// Internally, these levels have names like CHATTY, GARRULOUS and LOQUACIOUS.
//
// Everything at or below the configured level will be traced.
// Technically 9 means trace everything, but the field is a UCHAR
// so 0xFF means definitely trace everything.
ole32WppProvider.Level = 0xFF; // 'TRACE_LEVEL_ALL'
// Flags is a user-defined bitmask field the developer can use to group
// related messages.
// Again, it is a UCHAR for WPP providers so 0xFF means trace everything.
ole32WppProvider.Any = 0xFF; // 'TRACE_FLAGS_ALL'
// WPP events are also a slightly different format to the modern ETW events. In particular,
// they include a message GUID rather than the control GUID. In order to convince krabs to
// forward events to us, we need to register an extra 'provider' using the message GUID.
//
// The WPP macros generate message GUID globals named "WPP_<guid>_Traceguids"
//
// For example, these message GUIDs in the symbols for combase.dll
// WPP_c0e4dd87b1523146a49921a43cd25160_Traceguids = c0e4dd87-b152-3146-a499-21a43cd25160
// WPP_c1647dce9b833d97edb9721fff5f0606_Traceguids = c1647dce-9b83-3d97-edb9-721fff5f0606
var messageGuid_S = new Provider(Guid.Parse("{c0e4dd87-b152-3146-a499-21a43cd25160}"));
messageGuid_S.OnEvent += (record) =>
{
// krabs does not currently support TMF files for parsing WPP messages.
// Instead you need to manually parse the UserData.
//
// The WPP macros generate logging staging functions named "WPP_SF_<format specifiers>"
// In this case this message GUID is always associate with a WPP_SF_S(...) call.
// This tells us that the event contains a single unicode string.
var message = Marshal.PtrToStringUni(record.UserData);
Console.WriteLine($"Id:{record.Id} WPP_SF_S({message})");
};
var messageGuid_ssdDsS = new Provider(Guid.Parse("{c1647dce-9b83-3d97-edb9-721fff5f0606}"));
messageGuid_ssdDsS.OnEvent += (record) =>
{
// WPP_SF_ssdDsS(...)
var userData = record.UserData;
var string_1 = Marshal.PtrToStringAnsi(userData);
userData += string_1.Length + 1;
var string_2 = Marshal.PtrToStringAnsi(userData);
userData += string_2.Length + 1;
var int32_3 = Marshal.ReadInt32(userData);
userData += sizeof(Int32);
var uint32_4 = (UInt32)Marshal.ReadInt32(userData);
userData += sizeof(UInt32);
var string_5 = Marshal.PtrToStringAnsi(userData);
userData += string_5.Length + 1;
var string_6 = Marshal.PtrToStringUni(userData);
Console.WriteLine($"Id:{record.Id} WPP_SF_ssdDsS({string_1}, {string_2}, {int32_3}, {uint32_4}, {string_5}, {string_6})");
};
// Side note - if you want to turn up the verbosity of your COM WPP diagnostic tracing, then enable
// OLE32 tracing via the registry following the instruction here -
// https://support.microsoft.com/en-us/help/926098/how-to-enable-com-and-com-diagnostic-tracing
//
// Alternatively call _ControlTracing (4) via combase's 18f70770-8e64-11cf-9af1-0020af6e72f4 RPC interface.
trace.Enable(ole32WppProvider);
trace.Enable(messageGuid_S);
trace.Enable(messageGuid_ssdDsS);
trace.Start();
}
public async Task <IActionResult> SignUpSend(RegisterInput input)
{
ApplicationUser user = new ApplicationUser();
try
{
string connectionString = Startup.Configuration.GetConnectionString("DefaultConnection");
var services = new ServiceCollection();
services.AddLogging();
services.AddDbContext <ApplicationDbContext>(options =>
options.UseSqlServer(connectionString));
services.AddIdentity <ApplicationUser, IdentityRole>()
.AddEntityFrameworkStores <ApplicationDbContext>()
.AddDefaultTokenProviders();
using (var serviceProvider = services.BuildServiceProvider())
{
using (var scope = serviceProvider.GetRequiredService <IServiceScopeFactory>().CreateScope())
{
var context = scope.ServiceProvider.GetService <ApplicationDbContext>();
var userMgr = scope.ServiceProvider.GetRequiredService <UserManager <ApplicationUser> >();
var checkUser = _userManager.FindByNameAsync(input.UserName).Result;
if (checkUser == null)
{
if (input.ConfirmPassword != input.PasswordHash)
{
throw new Exception("Votre formulaire comporte des erreurs");
}
else
{
user = input;
}
var checkEmail = _userManager.FindByEmailAsync(input.Email).Result;
if (checkEmail != null)
{
throw new Exception("Email déjà utilisé");
}
int now = int.Parse(DateTime.Now.ToString("yyyyMMdd"));
int dob = int.Parse(input.Birthday.ToString("yyyyMMdd"));
int age = (now - dob) / 10000;
if (age < 18)
{
throw new Exception("Vous devez avoir 18 ans pour vous inscrire");
}
// Vérification du numéro de téléphone - Sébastien Berger
PhoneNumber phoneNumber = _phoneUtil.Parse(input.PhoneNumber, input.countryCode);
if (!_phoneUtil.IsValidNumberForRegion(phoneNumber, input.countryCode) && !phoneNumber.HasExtension)
{
throw new Exception("Numéro invalide");
}
else
{
input.PhoneNumber = "+" + phoneNumber.CountryCode.ToString() + phoneNumber.NationalNumber.ToString();
}
user.CorpulenceId = input.CorpulenceId;
user.SexualityId = input.SexualityId;
user.Sexeid = input.Sexeid;
user.HairColorId = input.HairColorId;
user.HairSizeId = input.HairSizeId;
user.QuizCompleted = false;
user.ReligionId = input.ReligionId;
user.AccountCompleted = true;
checkUser = user;
var result = userMgr.CreateAsync(checkUser, user.PasswordHash).Result;
if (!result.Succeeded)
{
throw new Exception(result.Errors.First().Description);
}
else
{
AspNetUserRole userRole = new AspNetUserRole();
userRole.UserId = checkUser.Id;
userRole.RoleId = "Utilisateur";
_context.AspNetUserRoles.Add(userRole);
string ip = _accessor.ActionContext.HttpContext.Connection.RemoteIpAddress.ToString();
_logger.LogInformation("User created a new account with password with ip: " + ip);
string userId = _context.AspNetUsers.Where(u => u.UserName == input.UserName).Select(u => u.Id).SingleOrDefault();
UserTrace trace = new UserTrace
{
Logdate = DateTime.Now,
Ipadress = ip,
Pagevisited = "SignUp : User created a new account",
Id = userId
};
UserStyle us = new UserStyle();
us.Id = user.Id;
us.StyleId = input.StyleId;
_context.UserStyles.Add(us);
_context.UserTraces.Add(trace);
_context.SaveChanges();
var code = await _userManager.GenerateEmailConfirmationTokenAsync(user);
code = WebEncoders.Base64UrlEncode(Encoding.UTF8.GetBytes(code));
var callbackUrl = Url.Action("ConfirmEmail", "Account", new { userId = user.Id, code = code }, Request.Scheme);
string message = "Salut mon pote comment ca va ? si tu veux confirmer ton inscription c'est par <a href='" + callbackUrl + "'>ici</a>";
await _emailSender.SendEmailAsync(user.Email, "Confirmer votre Email", message);
}
Log.Debug($"{checkUser.UserName} created");
}
else
{
throw new Exception("Votre nom d'utilisateur est déjà pris");
}
}
}
return(View("SignUpSuccess", user));
}
catch (Exception e)
{
Log.Debug($"{e.Message} error");
ViewData["error"] = e.Message;
await SignUp();
return(View("SignUp"));
}
}