/// <summary>
/// Ctrl+C handler that stops and disposes <c>T</c>, then disposes <c>P</c>.
/// A failure during teardown is printed to the console rather than
/// propagating out of the handler.
/// </summary>
/// <param name="sender">Source of the event (not used).</param>
/// <param name="e">Cancel-key event data (not used).</param>
private static void Console_CancelKeyPress(object sender, ConsoleCancelEventArgs e)
{
    try
    {
        // NOTE(review): T and P are declared outside this snippet; presumably
        // the trace session and its provider - confirm against the class.
        T.Stop();
        T.Dispose();
        P.Dispose();
    }
    catch (Exception teardownFailure)
    {
        // The three calls share one try block, so a throw from an earlier
        // call skips the remaining ones; only the message is reported.
        Console.WriteLine(teardownFailure.Message);
    }
}
Esempio n. 2
 /// <summary>
 /// Registers a Ctrl+C handler that stops <paramref name="trace"/> so the
 /// ETW session is not left open when the program is interrupted.
 /// </summary>
 /// <param name="trace">Trace to stop on Ctrl+C; a null value makes the handler a no-op.</param>
 public static void SetupCtrlC(UserTrace trace)
 {
     // Register the handler before the trace's Start() is called: Start()
     // blocks its thread, which is donated to ETW for event processing,
     // so nothing placed after it would run while the trace is live.
     Console.CancelKeyPress += (sender, eventArg) =>
     {
         if (trace == null)
         {
             return;
         }

         Console.WriteLine("Ctrl+C detected, killing trace.");

         // The OS permits only a limited number of trace sessions. Exiting
         // without Stop() leaves the session open until someone removes it
         // by hand: either stop and delete it under Computer Management >
         // Performance > "Event Trace Sessions", or restart the machine.
         trace.Stop();
     };
 }
Esempio n. 3
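        /// <summary>
        /// Prints events 3018 and 3020 from the Microsoft-Windows-DNS-Client
        /// provider as "timestamp | event id | query name | query results"
        /// lines until Ctrl+C stops the trace.
        /// </summary>
        /// <param name="args">Command-line arguments (not used).</param>
        static void Main(string[] args)
        {
            var filter = new EventFilter(Filter
                                         .EventIdIs(3018)
                                         .Or(Filter.EventIdIs(3020)));

            filter.OnEvent += (IEventRecord r) => {
                var query  = r.GetUnicodeString("QueryName");
                var result = r.GetUnicodeString("QueryResults");

                // Unix time as a 64-bit value; a 32-bit int cannot hold the
                // second count past January 2038.
                // NOTE(review): this is the wall-clock time at which the
                // callback runs, not the time recorded in the event itself.
                long secondsSinceEpoch = DateTimeOffset.UtcNow.ToUnixTimeSeconds();

                // NOTE(review): query and result are written verbatim. They
                // originate from whichever process issued the lookup, so a
                // consumer that splits this output on " | " should not rely
                // on the field boundaries without validating the values.
                Console.WriteLine($"{secondsSinceEpoch} | {r.Id} | {query} | {result}");
            };

            var provider = new Provider("Microsoft-Windows-DNS-Client");

            provider.AddFilter(filter);

            var trace = new UserTrace();

            trace.Enable(provider);

            // Hook Ctrl+C before Start(): Start() is a blocking call, and a
            // session that is never stopped stays open on the OS.
            Console.CancelKeyPress += (sender, eventArg) =>
            {
                if (trace != null)
                {
                    trace.Stop();
                }
            };
            trace.Start();
        }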
Esempio n. 4
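        /// <summary>
        /// Watches Microsoft-Windows-Kernel-Process image-load events (ID 5)
        /// and reports every process that loads a module whose path ends in
        /// "mscoree.dll", until Ctrl+C stops the trace.
        /// </summary>
        /// <param name="args">Command-line arguments (not used).</param>
        static void Main(string[] args)
        {
            var trace           = new UserTrace();
            var processProvider = new Provider("Microsoft-Windows-Kernel-Process");

            processProvider.All = 0x40; // Enable the WINEVENT_KEYWORD_IMAGE flag.
            var filter = new EventFilter(Filter.EventIdIs(5));

            filter.OnEvent += (record) =>
            {
                var dllName = record.GetUnicodeString("ImageName", "<UNKNOWN>");

                // Compare ordinally and case-insensitively: file names are
                // identifiers, so the match must not depend on the current
                // culture's casing rules.
                // NOTE(review): this is a suffix match on the full image
                // path. It does not check the directory, and any file whose
                // name merely ends in "mscoree.dll" also matches.
                if (!dllName.EndsWith("mscoree.dll", StringComparison.OrdinalIgnoreCase))
                {
                    return;
                }

                var pid         = record.GetUInt32("ProcessID", 0);
                var processName = string.Empty;

                // Best-effort lookup: the process may already have exited by
                // the time the event is handled, in which case the name stays
                // empty and only the PID is meaningful in the output.
                // NOTE(review): the name is resolved when the callback runs,
                // not when the image was loaded, so treat it as a hint.
                try { processName = System.Diagnostics.Process.GetProcessById((int)pid).ProcessName; }
                catch (Exception) { }
                Console.WriteLine($"{processName} (PID: {pid}) loaded .NET runtime ({dllName})");
            };

            processProvider.AddFilter(filter);
            trace.Enable(processProvider);

            // Hook Ctrl+C before the blocking Start() call so the session
            // is stopped rather than left open on the OS.
            Console.CancelKeyPress += (sender, eventArg) =>
            {
                if (trace != null)
                {
                    trace.Stop();
                }
            };

            trace.Start();
        }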
Esempio n. 5
        /// <summary>
        /// Stops the underlying trace if it is running; does nothing otherwise.
        /// The whole operation runs under the <c>_sync</c> lock.
        /// </summary>
        internal void Stop()
        {
            lock (_sync)
            {
                if (_isRunning)
                {
                    _trace.Stop();
                    Reset();

                    // Cleared last: if Stop() or Reset() throws, the flag
                    // stays set and a later call will try again.
                    _isRunning = false;
                }
            }
        }
Esempio n. 6
        /// <summary>
        /// Test driver: enables a filtered provider on a named user trace,
        /// starts the trace on a background task, starts it a second time
        /// after a key press, and prints statistics until cancelled.
        /// </summary>
        /// <param name="args">Command-line arguments (not used).</param>
        static void Main(string[] args)
        {
            // Incremented from the event callback below and printed with each event.
            var count = 0;
            var cts   = new CancellationTokenSource();
            var trace = new UserTrace("MY AWESOME TEST THING");
            //var provider = new RawProvider(EventSource.GetGuid(typeof(TestEventSource)));

            // NOTE(review): provider is selected by GUID; the filter name below
            // suggests this is the PowerShell provider - confirm.
            var provider = new Provider(Guid.Parse("{A0C1853B-5C40-4B15-8766-3CF1C58F985A}"));

            // Only pull in method invocations: event ID 7937 whose "Payload"
            // property contains "Started".
            var powershellFilter = new EventFilter(Filter.EventIdIs(7937)
                                                   .And(UnicodeString.Contains("Payload", "Started")));

            powershellFilter.OnEvent += e =>
            {
                Console.WriteLine($"{e.ProviderName} - {e.Id}: {count++}");
            };

            provider.AddFilter(powershellFilter);

            // On Ctrl+C: signal the stats loop to end, then stop the trace.
            // NOTE(review): e.Cancel is never set, so the runtime's default of
            // terminating the process once the handler returns still applies;
            // the code after statsLoop.Wait() may therefore never run.
            Console.CancelKeyPress += (s, e) =>
            {
                cts.Cancel();
                trace.Stop();
            };

            trace.Enable(provider);

            // PrintStats is defined outside this snippet; it receives the
            // cancellation token that the Ctrl+C handler cancels.
            var statsLoop = Task.Run(() => PrintStats(trace, cts.Token));

            // Start() is run on a pool thread so Main can continue; the
            // continuation reports how that task ended.
            Task.Run(() => trace.Start())
            .ContinueWith(t => Console.WriteLine($"Task ended with status {t.Status}"));

            // NOTE(review): the prompt says Enter, but ReadKey returns on any key.
            Console.WriteLine("Enter to restart trace");
            Console.ReadKey();

            // NOTE(review): nothing here stops the first Start() or waits for
            // it to finish before Start() is called again - presumably this
            // exercises how the trace handles a repeated Start(); confirm.
            Task.Run(() => trace.Start())
            .ContinueWith(t => Console.WriteLine($"Task ended with status {t.Status}"));

            Console.WriteLine("Ctrl+C to quit");
            statsLoop.Wait();

            Console.WriteLine("Done");
        }
Esempio n. 7
        /// <summary>
        /// Prints the endpoint, protocol and procedure number of every
        /// Microsoft-Windows-RPC event with ID 5 until Ctrl+C stops the trace.
        /// </summary>
        /// <param name="args">Command-line arguments (not used).</param>
        static void Main(string[] args)
        {
            // Microsoft-Windows-RPC event IDs:
            //   5 - client RPC call started
            //   6 - server RPC call started (not enabled here; it could be
            //       added with .Or(Filter.EventIdIs(6)))
            var rpcFilter = new EventFilter(Filter.EventIdIs(5));

            rpcFilter.OnEvent += (IEventRecord record) =>
            {
                var endpoint = record.GetUnicodeString("Endpoint");
                var procNum  = record.GetUInt32("ProcNum");
                var protocol = record.GetUInt32("Protocol");

                Console.WriteLine($"RPC Event {record.Id}");
                Console.WriteLine($"Endpoint: {endpoint}");
                Console.WriteLine($"Protocol {protocol,0:X}");
                Console.WriteLine($"OpNum: {procNum}");
            };

            var rpcProvider = new Provider("Microsoft-Windows-RPC");
            rpcProvider.AddFilter(rpcFilter);

            var session = new UserTrace();
            session.Enable(rpcProvider);

            // Registered before Start() so that Ctrl+C stops the session
            // instead of leaving it open.
            Console.CancelKeyPress += (sender, eventArg) =>
            {
                if (session == null)
                {
                    return;
                }

                session.Stop();
            };

            session.Start();
        }
Esempio n. 8
        /// <summary>
        /// Traces the Microsoft-Windows-PowerShell provider and forwards every
        /// event with ID 7937 whose "Payload" contains "Started" to
        /// <c>OnEvent</c>, until Ctrl+C stops the trace.
        /// </summary>
        /// <param name="args">Command-line arguments (not used).</param>
        static void Main(string[] args)
        {
            var session = new UserTrace();

            // "Microsoft-Windows-PowerShell" is the provider that gives us
            // detailed method execution logging.
            //
            // To explore all the events in this provider, load a trace into
            // Message Analyzer and browse them there.
            //
            // Download: https://www.microsoft.com/en-us/download/details.aspx?id=44226
            // NOTE(review): Microsoft has since retired Message Analyzer, so
            // this link may no longer resolve.
            var psProvider = new Provider("Microsoft-Windows-PowerShell");

            var methodStartFilter = new EventFilter(
                Filter.EventIdIs(7937)
                .And(UnicodeString.Contains("Payload", "Started")));

            // OnEvent is defined outside this snippet.
            methodStartFilter.OnEvent += OnEvent;

            // The "Any" and "All" keyword flags can be worked out with
            // Microsoft Message Analyzer.
            psProvider.Any = 0x20;
            psProvider.AddFilter(methodStartFilter);

            session.Enable(psProvider);

            // Registered before Start() so that Ctrl+C stops the session.
            Console.CancelKeyPress += (sender, eventArg) =>
            {
                if (session == null)
                {
                    return;
                }

                session.Stop();
            };

            // Blocks until the trace is stopped; press Ctrl+C to stop it.
            session.Start();
        }