Inheritance: IDisposable
Example #1
 /// <summary>
 /// Stores the ETW provider and the transfer event descriptor this correlator is constructed with.
 /// </summary>
 /// <param name="transferProvider">Provider kept in <c>_transferProvider</c>; must not be null.</param>
 /// <param name="transferEvent">Descriptor kept in <c>_transferEvent</c>; it is not validated here.</param>
 /// <exception cref="ArgumentNullException"><paramref name="transferProvider"/> is null.</exception>
 public EtwEventCorrelator(EventProvider transferProvider, EventDescriptor transferEvent)
 {
     // Reject a missing provider before any state is stored.
     if (transferProvider == null)
     {
         throw new ArgumentNullException("transferProvider");
     }

     _transferEvent = transferEvent;
     _transferProvider = transferProvider;
 }
 /// <summary>
 /// Disposes the ETW provider held in <c>m_eventProvider</c> when <paramref name="disposing"/> is true,
 /// then forwards to the base implementation.
 /// </summary>
 /// <param name="disposing">The provider is only released when this is true.</param>
 protected override void Dispose(bool disposing)
 {
     if (disposing)
     {
         var heldProvider = this.m_eventProvider;
         if (heldProvider != null)
         {
             heldProvider.Dispose();
             // Clear the field so a repeated call finds nothing left to dispose.
             this.m_eventProvider = null;
         }
     }

     base.Dispose(disposing);
 }
Example #3
        /// <summary>
        /// Parses <paramref name="providerId"/> as a GUID and creates the ETW provider stored in <c>_provider</c>.
        /// </summary>
        /// <param name="providerId">Provider GUID in string form; <c>new Guid(string)</c> throws if it is null or malformed.</param>
        private void InitProvider(string providerId)
        {
            // Create the ETW trace provider. A provider already held in _provider is overwritten, not disposed.
            _provider = new EventProvider(new Guid(providerId));
        }
Example #4
        /// <summary>
        /// Runs the base initialization, then tries to create the ETW provider for <c>providerId</c>.
        /// </summary>
        protected override void InitializeTarget()
        {
            base.InitializeTarget();

            try
            {
                // Create the EventProvider used for ETW output.
                provider = new EventProvider(providerId);
            }
            catch (PlatformNotSupportedException)
            {
                // Deliberately ignored: nothing is assigned to provider and nothing is reported,
                // so every later use of provider has to cope with it not having been set here.
                // NOTE(review): ETW output is then lost without any diagnostic - confirm that is acceptable.
            }
        }
 /// <summary>
 /// Creates the ETW provider for this class's fixed provider GUID; <c>provider</c> is set to null
 /// when the platform does not support it.
 /// </summary>
 public DesignerPerfEventProvider()
 {
     EventProvider created;
     try
     {
         Guid providerGuid = new Guid("{B5697126-CBAF-4281-A983-7851DAF56454}");
         created = new EventProvider(providerGuid);
     }
     catch (PlatformNotSupportedException)
     {
         // ETW is unavailable: users of provider presumably treat null as "tracing off" - verify at call sites.
         created = null;
     }

     this.provider = created;
 }
 /// <summary>
 /// Creates the ETW provider for this class's fixed provider GUID; <c>provider</c> is set to null
 /// when the platform does not support it.
 /// </summary>
 public VSDesignerPerfEventProvider()
 {
     EventProvider created;
     try
     {
         Guid providerGuid = new Guid("{92C79DA3-CA7D-43d6-BF20-BBD15E7A4E49}");
         created = new EventProvider(providerGuid);
     }
     catch (PlatformNotSupportedException)
     {
         // ETW is unavailable: users of provider presumably treat null as "tracing off" - verify at call sites.
         created = null;
     }

     this.provider = created;
 }
 /// <summary>
 /// Appends the channel, task, opcode, keyword, event and template sections and the closing
 /// <c>&lt;/provider&gt;</c> tag to the manifest text held in <c>sb</c>, then returns that text as UTF-8 bytes.
 /// </summary>
 /// <returns>UTF-8 encoding of everything accumulated in <c>sb</c>.</returns>
 public byte[] CreateManifest()
 {
     // The builder is a field and is not reset here, so each call appends the sections again.
     // NOTE(review): names read from the tables go into attribute values without XML escaping;
     // that is only safe if they can never contain quotes or markup - confirm where they come from.
     var xml = this.sb;

     if (this.channelTab != null)
     {
         xml.Append(" <channels>").AppendLine();
         foreach (int channelValue in this.channelTab.Keys)
         {
             xml.Append("  <channel name=\"").Append(this.channelTab[channelValue]);
             xml.Append("\" value=\"").Append(channelValue).Append("\"/>").AppendLine();
         }
         xml.Append(" </channels>").AppendLine();
     }

     if (this.taskTab != null)
     {
         xml.Append(" <tasks>").AppendLine();
         foreach (int taskValue in this.taskTab.Keys)
         {
             // Each task gets a GUID derived from the provider GUID and the task number.
             Guid taskGuid = EventProvider.GenTaskGuidFromProviderGuid(this.providerGuid, (ushort)taskValue);
             xml.Append("  <task name=\"").Append(this.taskTab[taskValue]);
             xml.Append("\" eventGUID=\"{").Append(taskGuid.ToString()).Append("}");
             xml.Append("\" value=\"").Append(taskValue).Append("\"/>").AppendLine();
         }
         xml.Append(" </tasks>").AppendLine();
     }

     // Unlike the other tables, opcodeTab is used without a null check.
     xml.Append(" <opcodes>").AppendLine();
     foreach (int opcodeValue in this.opcodeTab.Keys)
     {
         xml.Append("  <opcode name=\"").Append(this.opcodeTab[opcodeValue]);
         xml.Append("\" value=\"").Append(opcodeValue).Append("\"/>").AppendLine();
     }
     xml.Append(" </opcodes>").AppendLine();

     if (this.keywordTab != null)
     {
         xml.Append(" <keywords>").AppendLine();
         foreach (ulong keywordMask in this.keywordTab.Keys)
         {
             // The mask is written as lower-case hex, independent of the current culture.
             xml.Append("  <keyword name=\"").Append(this.keywordTab[keywordMask]).Append("\" mask=\"");
             xml.Append(keywordMask.ToString("x", CultureInfo.InvariantCulture)).Append("\"/>").AppendLine();
         }
         xml.Append(" </keywords>").AppendLine();
     }

     xml.Append(" <events>").AppendLine();
     xml.Append(this.events);
     xml.Append(" </events>").AppendLine();

     // The templates section is emitted only when something was collected for it.
     if (this.templates.Length > 0)
     {
         xml.Append(" <templates>").AppendLine();
         xml.Append(this.templates);
         xml.Append(" </templates>").AppendLine();
     }

     xml.Append("</provider>").AppendLine();
     return Encoding.UTF8.GetBytes(xml.ToString());
 }
Example #8
 /// <summary>
 /// Runs <paramref name="command"/> as a script in an in-process PowerShell instance and returns the
 /// results joined with newlines.
 /// </summary>
 /// <remarks>
 /// Security note (defender view): before the script runs, this method tampers with PowerShell's ETW
 /// logging. It uses reflection to overwrite the private static field <c>etwProvider</c> of
 /// <c>System.Management.Automation.Tracing.PSEtwLogProvider</c> with a provider created for a random GUID.
 /// Presumably every event PowerShell writes through that field afterwards is emitted under an id no
 /// collector subscribes to, so ETW-based PowerShell logging for this process is lost - verify against
 /// the PowerShell version in use. Code with this pattern should be treated as log evasion in review,
 /// and monitoring should not depend on in-process PowerShell ETW events alone.
 /// </remarks>
 /// <param name="command">Script text passed to <c>AddScript</c> unchanged; whatever the caller supplies is executed.</param>
 /// <returns>The string form of each result object, one per line (declared as <c>object</c>).</returns>
 public object RunPowershell(string command) //Based off of SharpSploit. Look in to AMSI bypass research personally
 {
     using (PowerShell ps = PowerShell.Create())
     {
         // Look up the internal logging type by name in the assembly that defines PowerShell.
         var PSEtwLogProvider = ps.GetType().Assembly.GetType("System.Management.Automation.Tracing.PSEtwLogProvider");
         if (PSEtwLogProvider != null)
         {
             // Replace the static provider with one bound to a fresh random GUID (the logging tamper described above).
             var EtwProvider   = PSEtwLogProvider.GetField("etwProvider", BindingFlags.NonPublic | BindingFlags.Static);
             var EventProvider = new System.Diagnostics.Eventing.EventProvider(Guid.NewGuid());
             EtwProvider.SetValue(null, EventProvider);
         }
         // The script text is executed as given; no validation or constraint is applied here.
         ps.AddScript(command);
         var    results = ps.Invoke();
         string output  = String.Join(Environment.NewLine, results.Select(R => R.ToString()).ToArray());
         ps.Commands.Clear();
         return(output);
     }
 }
        /// <summary>
        /// Reads the ETW provider id from the diagnostics configuration section, creates the provider,
        /// and builds the error, warning and info event descriptors.
        /// </summary>
        public CalculatorServiceEventProvider()
        {
            // The same section is read through WebConfigurationManager when hosted and
            // through ConfigurationManager otherwise.
            bool hosted = HostingEnvironment.IsHosted;
            object rawSection = hosted
                ? WebConfigurationManager.GetSection(DiagnosticsConfigSectionName)
                : ConfigurationManager.GetSection(DiagnosticsConfigSectionName);
            DiagnosticSection section = (DiagnosticSection)rawSection;

            // NOTE(review): a missing section (null) or a malformed EtwProviderId throws here and aborts
            // construction; the value comes from configuration, so confirm that is the intended failure mode.
            Guid providerId = new Guid(section.EtwProviderId);

            // Outside a host the reference is already final (empty); when hosted it is marked incomplete.
            if (!hosted)
            {
                hostReference = string.Empty;
            }
            hostReferenceIsComplete = !hosted;

            innerEventProvider = new EventProvider(providerId);

            // The three descriptors differ only in event id and level.
            errorDescriptor = new EventDescriptor(ErrorEventId, Version, Channel, ErrorLevel, Opcode, Task, Keywords);
            warningDescriptor = new EventDescriptor(WarningEventId, Version, Channel, WarningLevel, Opcode, Task, Keywords);
            infoDescriptor = new EventDescriptor(InfoEventId, Version, Channel, InfoLevel, Opcode, Task, Keywords);
        }
Example #10
 /// <summary>
 /// Creates the static ETW provider and the start-request / end-request event descriptors.
 /// </summary>
 static WcfEvents()
 {
     // Both descriptors share every field except the event id (1 and 2).
     const byte version = 0, channel = 0, level = 4, opcode = 0;
     const int task = 0;
     const long keywords = 1;

     Guid providerGuid = new Guid("83093276-1f35-45a2-8b19-6964cc85c70f");
     _provider = new EventProvider(providerGuid);
     _startRequest = new EventDescriptor(1, version, channel, level, opcode, task, keywords);
     _endRequest = new EventDescriptor(2, version, channel, level, opcode, task, keywords);
 }
 /// <summary>
 /// Creates the ETW provider for the GUID given in string form and stores it in <c>m_eventProvider</c>.
 /// </summary>
 /// <param name="guid">Provider GUID as text; <c>new Guid(string)</c> throws if it is null or malformed.</param>
 public OrchestrationEtwListener(string guid)
 {
     // No validation beyond GUID parsing is applied to the caller-supplied id.
     this.m_eventProvider = new EventProvider(new Guid(guid));
 }
Example #12
 /// <summary>
 /// Returns the provider for <c>ProviderId</c>, creating it on first use and caching it on this
 /// instance and in the <c>providers</c> map.
 /// </summary>
 /// <returns>The cached or newly created provider.</returns>
 private EventProvider GetProvider()
 {
     // Fast path: already resolved, so the lock is skipped.
     if (this.currentProvider != null)
     {
         return this.currentProvider;
     }

     lock (syncLock)
     {
         // Re-check under the lock; another thread may have resolved it in the meantime.
         // NOTE(review): the unlocked read above relies on how currentProvider is declared - confirm.
         if (this.currentProvider == null)
         {
             if (!providers.ContainsKey(this.ProviderId))
             {
                 // First request for this id: create the provider and publish it in the map.
                 this.currentProvider = new EventProvider(this.ProviderId);
                 providers[this.ProviderId] = this.currentProvider;
             }
             else
             {
                 this.currentProvider = providers[this.ProviderId];
             }
         }
     }

     return this.currentProvider;
 }
 /// <summary>
 /// Creates the ETW provider for this generator's fixed GUID and an event descriptor whose id is the
 /// numeric value of <paramref name="size"/>.
 /// </summary>
 /// <param name="size">Event size; passed to the base constructor and cast to <c>ushort</c> for the event id.</param>
 public EventWriteInputGenerator(EventSize size)
     : base(size)
 {
     Guid providerGuid = new Guid("3838EF9A-CB6F-4A1C-9033-84C0E8EBF5A7");
     _provider = new EventProvider(providerGuid);

     // The event id is derived from the size value; the remaining descriptor fields are fixed.
     ushort eventId = (ushort)size;
     _descriptor = new EventDescriptor(eventId, 0, 0, 4, 0, 0, 1);
 }
Example #14
        /// <summary>
        /// Returns the provider for <c>ProviderId</c>, taking it from the <c>providers</c> map or creating
        /// and registering it on first use.
        /// </summary>
        /// <returns>The cached or newly created provider.</returns>
        private EventProvider GetProvider()
        {
            // Only take the lock while nothing has been resolved yet.
            if (currentProvider == null)
            {
                lock (syncLock)
                {
                    // Second check under the lock, then a single map lookup; on a miss the provider
                    // is created and published in the map.
                    if (currentProvider == null && !providers.TryGetValue(ProviderId, out currentProvider))
                    {
                        currentProvider = new EventProvider(ProviderId);
                        providers[ProviderId] = currentProvider;
                    }
                }
            }

            return currentProvider;
        }
Example #15
 /// <summary>
 /// Convenience constructor: wraps the provider and transfer event in an <c>EtwEventCorrelator</c>,
 /// wraps that in an <c>EtwActivityReverterMethodInvoker</c>, and delegates to the other constructor.
 /// </summary>
 /// <param name="transferProvider">Provider handed to the correlator; it is not validated here.</param>
 /// <param name="transferEvent">Transfer event descriptor handed to the correlator.</param>
 public BackgroundDispatcher(EventProvider transferProvider, EventDescriptor transferEvent)
     : this(new EtwActivityReverterMethodInvoker(
         new EtwEventCorrelator(transferProvider, transferEvent)))
 {
 }
 /// <summary>
 /// Parses <paramref name="providerId"/> as a GUID and creates the ETW provider stored in <c>m_provider</c>.
 /// </summary>
 /// <param name="providerId">Provider GUID in string form; <c>new Guid(string)</c> throws if it is null or malformed.</param>
 private void InitProvider(string providerId)
 {
     // A provider already held in m_provider is overwritten, not disposed.
     this.m_provider = new EventProvider(new Guid(providerId));
 }
Example #17
        /// <summary>
        /// Parses <paramref name="providerId"/> as a GUID and creates the ETW provider stored in <c>m_provider</c>.
        /// </summary>
        /// <param name="providerId">Provider GUID in string form; <c>new Guid(string)</c> throws if it is null or malformed.</param>
        private void InitProvider(string providerId)
        {
            // A provider already held in m_provider is overwritten, not disposed.
            this.m_provider = new EventProvider(new Guid(providerId));
        }
Example #18
 /// <summary>
 /// Static constructor: creates the ETW provider identified by <c>PowerShellEventProviderGuid</c>
 /// and stores it in the static <c>etwProvider</c> field.
 /// </summary>
 static PSEtwLogProvider()
 {
     // NOTE(review): the provider lives in one static field, so anything that can replace that field
     // redirects the logging that depends on it - confirm the field's declaration and who can reach it.
     Guid powerShellProviderId = new Guid(PowerShellEventProviderGuid);
     etwProvider = new EventProvider(powerShellProviderId);
 }
Example #19
        /// <summary>
        /// Writes one ETW event through a short-lived provider created for <c>_providerMetadata.Id</c>,
        /// then calls the base implementation.
        /// </summary>
        protected override void ProcessRecord()
        {
            using (EventProvider provider = new EventProvider(_providerMetadata.Id))
            {
                EventDescriptor ed = _eventDescriptor.Value;
                bool hasPayload = _payload != null && _payload.Length > 0;

                // NOTE(review): the result of WriteEvent is discarded in both branches, so a write
                // that fails is not surfaced to the caller - confirm that is intended.
                if (!hasPayload)
                {
                    provider.WriteEvent(ref ed);
                }
                else
                {
                    // Null entries are replaced in place with empty strings before the write.
                    for (int slot = 0; slot < _payload.Length; slot++)
                    {
                        if (_payload[slot] != null)
                        {
                            continue;
                        }
                        _payload[slot] = string.Empty;
                    }

                    provider.WriteEvent(ref ed, _payload);
                }
            }

            base.ProcessRecord();
        }
        /// <summary>
        /// Parses <paramref name="providerId"/> as a GUID and creates the ETW provider stored in <c>_provider</c>.
        /// </summary>
        /// <param name="providerId">Provider GUID in string form; <c>new Guid(string)</c> throws if it is null or malformed.</param>
        private void InitProvider(string providerId)
        {
            // Create the ETW trace provider. A provider already held in _provider is overwritten, not disposed.
            _provider = new EventProvider(new Guid(providerId));
        }
Example #21
 /// <summary>
 /// Writes one ETW event through a short-lived provider created for <c>providerMetadata.Id</c>,
 /// then calls the base implementation.
 /// </summary>
 protected override void ProcessRecord()
 {
     using (EventProvider provider = new EventProvider(this.providerMetadata.Id))
     {
         EventDescriptor eventDescriptor = this.eventDescriptor.Value;
         bool hasPayload = (this.payload != null) && (this.payload.Length > 0);

         // NOTE(review): the result of WriteEvent is discarded in both branches, so a write
         // that fails is not surfaced to the caller - confirm that is intended.
         if (!hasPayload)
         {
             // No payload: write the event with an explicitly empty argument array.
             provider.WriteEvent(ref eventDescriptor, new object[0]);
         }
         else
         {
             // Null entries are replaced in place with empty strings before the write.
             for (int slot = 0; slot < this.payload.Length; slot++)
             {
                 if (this.payload[slot] != null)
                 {
                     continue;
                 }
                 this.payload[slot] = string.Empty;
             }

             provider.WriteEvent(ref eventDescriptor, this.payload);
         }
     }

     base.ProcessRecord();
 }