        /// <summary>
        /// Sample ETW event callback: reads the <c>ProcessID</c> and <c>ImageName</c>
        /// properties of <paramref name="record"/> and echoes them, together with the
        /// task name, to standard output.
        /// </summary>
        /// <param name="record">ETW event record delivered to the consumer.</param>
        private static void ProcessEventHandler(IEventRecord record)
        {
            var processId = record.GetUInt32("ProcessID");
            var image = record.GetUnicodeString("ImageName");

            var line = $"{record.TaskName} pid={processId} ImageName={image}";
            Console.WriteLine(line);
        }
        /// <summary>
        /// Decodes a single event property by dispatching on its TDH input type to the
        /// matching typed accessor of <paramref name="record"/>.
        /// </summary>
        /// <param name="prop">
        /// Property descriptor; <c>Type</c> carries the <c>TDH_IN_TYPE</c> value as an int
        /// and <c>Name</c> is the key passed to the accessor.
        /// </param>
        /// <param name="record">ETW event record the value is read from.</param>
        /// <returns>
        /// The decoded value, boxed, or the literal string "&lt;Unknown type&gt;" when the
        /// input type has no accessor mapped here.
        /// </returns>
        private object ParseBasicProperty(Property prop, IEventRecord record)
        {
            var name = prop.Name;
            var inType = (TDH_IN_TYPE)prop.Type;

            // The cast on the first arm gives the switch expression a common type of
            // object, so arms of differing accessor types all fit.
            return inType switch
            {
                TDH_IN_TYPE.TDH_INTYPE_ANSISTRING    => (object)record.GetAnsiString(name),
                TDH_IN_TYPE.TDH_INTYPE_BINARY        => record.GetBinary(name),
                TDH_IN_TYPE.TDH_INTYPE_COUNTEDSTRING => record.GetCountedString(name),
                TDH_IN_TYPE.TDH_INTYPE_INT8          => record.GetInt8(name),
                TDH_IN_TYPE.TDH_INTYPE_INT16         => record.GetInt16(name),
                TDH_IN_TYPE.TDH_INTYPE_INT32         => record.GetInt32(name),
                TDH_IN_TYPE.TDH_INTYPE_INT64         => record.GetInt64(name),
                TDH_IN_TYPE.TDH_INTYPE_UINT8         => record.GetUInt8(name),
                TDH_IN_TYPE.TDH_INTYPE_UINT16        => record.GetUInt16(name),
                TDH_IN_TYPE.TDH_INTYPE_UINT32        => record.GetUInt32(name),
                TDH_IN_TYPE.TDH_INTYPE_UINT64        => record.GetUInt64(name),
                TDH_IN_TYPE.TDH_INTYPE_UNICODESTRING => record.GetUnicodeString(name),
                TDH_IN_TYPE.TDH_INTYPE_FILETIME      => record.GetDateTime(name),
                // Pointer-sized fields are read through the 64-bit unsigned accessor.
                TDH_IN_TYPE.TDH_INTYPE_POINTER       => record.GetUInt64(name),
                _                                    => "<Unknown type>",
            };
        }
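        /// <summary>
        /// Parses a TraceLogging event into <paramref name="eventData"/>, one entry per
        /// property exposed by <paramref name="record"/>, keyed by property name.
        /// </summary>
        /// <remarks>
        /// The numeric cases below appear to follow the TDH_IN_TYPE numbering of the
        /// Windows TDH API (1 = UNICODESTRING ... 21 = HEXINT64); the mapping is the one
        /// the original code used and should be confirmed against the provider's schema.
        /// A property whose type has no case here is recorded as "&lt;Unknown type&gt;"
        /// instead of being silently omitted, so a consumer can tell "field absent" from
        /// "field not decoded" — a detection rule keyed on a field that never appears
        /// would otherwise fail quietly. A property whose accessor throws is recorded as
        /// <c>ERROR_PARSING_FIELD</c>.
        /// </remarks>
        /// <param name="record">ETW event record to decode.</param>
        /// <param name="eventData">
        /// Dictionary filled with the decoded values; an existing key with the same
        /// property name is overwritten.
        /// </param>
        public void Parse(IEventRecord record, Dictionary<String, dynamic> eventData)
        {
            foreach (var property in record.Properties)
            {
                var name = property.Name;

                try
                {
                    switch (property.Type)
                    {
                    case 1:  // UNICODESTRING
                        eventData[name] = record.GetUnicodeString(name);
                        break;

                    case 2:  // ANSISTRING
                        eventData[name] = record.GetAnsiString(name);
                        break;

                    case 3:  // INT8
                        eventData[name] = record.GetInt8(name);
                        break;

                    case 4:  // UINT8
                        eventData[name] = record.GetUInt8(name);
                        break;

                    case 5:  // INT16
                        eventData[name] = record.GetInt16(name);
                        break;

                    case 6:  // UINT16
                        eventData[name] = record.GetUInt16(name);
                        break;

                    case 7:  // INT32
                        eventData[name] = record.GetInt32(name);
                        break;

                    case 8:  // UINT32
                    case 13: // BOOLEAN — read as a 32-bit value
                    case 20: // HEXINT32
                        eventData[name] = record.GetUInt32(name);
                        break;

                    case 9:  // INT64
                        eventData[name] = record.GetInt64(name);
                        break;

                    case 10: // UINT64
                    case 21: // HEXINT64
                        eventData[name] = record.GetUInt64(name);
                        break;

                    case 14: // BINARY
                    case 15: // GUID — kept as raw bytes, no Guid conversion is done here
                        eventData[name] = record.GetBinary(name);
                        break;

                    default:
                        // FLOAT, DOUBLE, POINTER, FILETIME, SYSTEMTIME, SID and any other
                        // type have no accessor mapped here; surface that rather than
                        // dropping the field from the output.
                        eventData[name] = "<Unknown type>";
                        break;
                    }
                }
                catch (Exception)
                {
                    // Deliberate best-effort: one malformed field must not abort the
                    // whole event, so the failure is recorded in-band.
                    eventData[name] = ERROR_PARSING_FIELD;
                }
            }
        }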
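        /// <summary>
        /// Decodes a manifest-based event: finds the event definition whose id matches
        /// <paramref name="record"/>, resolves its template and reads every template
        /// field into <paramref name="eventData"/> keyed by field name.
        /// </summary>
        /// <remarks>
        /// Accessors are chosen by the manifest <c>inType</c>. Where <c>IEventRecord</c>
        /// exposes no dedicated accessor (Double, Float, Pointer, FILETIME, SID, GUID)
        /// the raw integer or byte[] is stored unconverted, so a Double is NOT a usable
        /// floating-point value here — callers must convert it. A field whose accessor
        /// throws is recorded as <c>ERROR_PARSING_FIELD</c>; a field with an unmapped
        /// <c>inType</c> is recorded as "&lt;Unknown type&gt;" so it is not silently
        /// dropped. Only the first event definition matching the record id is used.
        /// </remarks>
        /// <param name="record">ETW event record to decode.</param>
        /// <param name="eventData">
        /// Dictionary filled with the decoded values; an existing key with the same
        /// field name is overwritten.
        /// </param>
        /// <exception cref="FormatException">
        /// An event definition's <c>value</c> is not a valid unsigned 16-bit id.
        /// </exception>
        /// <exception cref="InvalidOperationException">
        /// The matching event references a template id that is missing or not unique.
        /// </exception>
        public void Parse(IEventRecord record, Dictionary<String, dynamic> eventData)
        {
            var provider = this.Scheme.instrumentation.events.provider;

            foreach (var eventDefinition in provider.events)
            {
                // ETW event ids are unsigned 16-bit (EVENT_DESCRIPTOR.Id). Int16.Parse
                // overflowed on any id above 32767, so parse as ushort instead.
                if (ushort.Parse(eventDefinition.value) != record.Id)
                {
                    continue;
                }

                // Single() on purpose: a missing or duplicated template is a manifest
                // error, not a per-field parse failure, so it propagates to the caller.
                var template = provider.templates.Single(x => x.tid == eventDefinition.template);

                foreach (var data in template.datas)
                {
                    var name = data.name;

                    try
                    {
                        switch (data.inType)
                        {
                        case Manifest.Data.InType.UnicodeString:
                            eventData[name] = record.GetUnicodeString(name);
                            break;

                        case Manifest.Data.InType.AnsiString:
                            eventData[name] = record.GetAnsiString(name);
                            break;

                        // Raw-bytes types: no conversion to Guid/SecurityIdentifier/pointer
                        // is attempted; the byte[] is stored as-is.
                        case Manifest.Data.InType.GUID:
                        case Manifest.Data.InType.Binary:
                        case Manifest.Data.InType.FILETIME:
                        case Manifest.Data.InType.Pointer:
                        case Manifest.Data.InType.SID:
                            eventData[name] = record.GetBinary(name);
                            break;

                        // BOOLEAN is stored as a 32-bit value; Float is read as its raw
                        // 32-bit pattern because no float accessor is available.
                        case Manifest.Data.InType.UInt32:
                        case Manifest.Data.InType.Boolean:
                        case Manifest.Data.InType.Float:
                            eventData[name] = record.GetUInt32(name);
                            break;

                        // HexInt32 is read through the signed accessor; values with the
                        // top bit set come back negative.
                        case Manifest.Data.InType.HexInt32:
                        case Manifest.Data.InType.Int32:
                            eventData[name] = record.GetInt32(name);
                            break;

                        case Manifest.Data.InType.HexInt64:
                        case Manifest.Data.InType.Int64:
                            eventData[name] = record.GetInt64(name);
                            break;

                        case Manifest.Data.InType.UInt16:
                            eventData[name] = record.GetUInt16(name);
                            break;

                        // Double is read as its raw 64-bit pattern (no double accessor).
                        case Manifest.Data.InType.UInt64:
                        case Manifest.Data.InType.Double:
                            eventData[name] = record.GetUInt64(name);
                            break;

                        case Manifest.Data.InType.UInt8:
                            eventData[name] = record.GetUInt8(name);
                            break;

                        // Was GetInt64: an 8-byte read for a 1-byte field, inconsistent
                        // with UInt8 above and with the TDH INT8 mapping elsewhere.
                        case Manifest.Data.InType.Int8:
                            eventData[name] = record.GetInt8(name);
                            break;

                        case Manifest.Data.InType.Int16:
                            eventData[name] = record.GetInt16(name);
                            break;

                        case Manifest.Data.InType.SYSTEMTIME:
                            eventData[name] = record.GetDateTime(name);
                            break;

                        default:
                            // Unmapped inType: surface it instead of dropping the field.
                            eventData[name] = "<Unknown type>";
                            break;
                        }
                    }
                    catch (Exception)
                    {
                        // Deliberate best-effort: one malformed field must not abort the
                        // whole event, so the failure is recorded in-band.
                        eventData[name] = ERROR_PARSING_FIELD;
                    }
                }

                break;
            }
        }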