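/// <summary>
/// Wraps a <see cref="TraceEvent"/>, capturing its name, formatted message and every
/// payload field both as a flat summary string (<c>infoStr</c>) and as a
/// name/value map (<c>properties</c>).
/// </summary>
/// <param name="data">The event to snapshot; also stored as <c>evnt</c>.</param>
public EventData(TraceEvent data)
{
    evnt = data;
    properties = new Dictionary<string, string>();

    // Build the summary with a StringBuilder instead of repeated string concatenation,
    // and read each payload value only once (the original called PayloadStringByName
    // twice per field).
    var sb = new StringBuilder();
    sb.Append("Event Name: ").Append(data.EventName).Append("\r\n");
    sb.Append("Event Message: ").Append(data.FormattedMessage).Append("\r\n");
    foreach (var name in data.PayloadNames)
    {
        // NOTE(review): payload values (command lines, paths, ...) are stored verbatim;
        // nothing here sanitises them, so consumers must not treat them as trusted text.
        var value = data.PayloadStringByName(name);
        sb.Append(name).Append(" - ").Append(value).Append("\r\n");
        // A repeated payload name overwrites the earlier entry, as before.
        properties[name] = value;
    }
    infoStr = sb.ToString();
}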
/// <summary>
/// Yields a curated subset of the event's payload as (name, value) pairs.
/// String-valued identity fields (command line, package name, image path) are passed
/// through <c>escape</c>; numeric ID/status fields are yielded raw; every other
/// payload field is dropped.
/// </summary>
/// <param name="data">Event whose payload is filtered.</param>
/// <returns>Lazily evaluated (key, value) tuples in payload order.</returns>
private IEnumerable<(string, string)> buildArgs(TraceEvent data)
{
    foreach (var key in data.PayloadNames)
    {
        if (key == "CommandLine" || key == "PackageFullName" || key == "ImageFileName")
        {
            // Free-text fields that can carry arbitrary characters are escaped.
            yield return (key, escape(data.PayloadStringByName(key)));
        }
        else if (key == "ParentID" || key == "ProcessID" || key == "SessionID" || key == "ExitStatus")
        {
            // Numeric fields are emitted as-is.
            yield return (key, data.PayloadStringByName(key));
        }
        // Any other payload field is intentionally not emitted.
        //yield return(key, data.PayloadStringByName(key));
    }
}
/// <summary>
/// Console sink for ILogger-style events: prints "FormattedMessage" and "Message"
/// events as one line each and ignores everything else.
/// </summary>
/// <param name="data">The incoming event.</param>
static void ParserDelegate(TraceEvent data)
{
    // Only the two message-carrying event types are printed. Other ILogger events
    // (ActivityStart, ActivityEnd, etc.) are irrelevant, and "MessageJson" is just a
    // JSON-formatted duplicate of "Message". Extend the chain below as needed.
    var eventName = data.EventName;
    if (eventName == "FormattedMessage")
    {
        var logger = data.PayloadStringByName("LoggerName");
        var message = data.PayloadStringByName("FormattedMessage");
        Console.WriteLine($"[FormattedMessage] {logger} : {message}");
    }
    else if (eventName == "Message")
    {
        var logger = data.PayloadStringByName("LoggerName");
        var name = data.PayloadStringByName("EventName");
        Console.WriteLine($"[Message] {logger} : {name}");
    }
    // NOTE(review): payload text is echoed verbatim; embedded newlines or control
    // characters are not stripped, so anything consuming this output should not
    // rely on one event per line.
}
/// <summary>
/// Reads the "ParentID" payload field as an integer.
/// </summary>
/// <param name="data">Event to inspect.</param>
/// <returns>The parsed ID, or <c>null</c> when the field is missing, blank or not an integer.</returns>
private int? getParentID(TraceEvent data)
{
    // int.TryParse already returns false for null, empty and whitespace-only input,
    // so a separate emptiness check is unnecessary.
    return int.TryParse(data.PayloadStringByName("ParentID"), out var parsed) ? parsed : (int?)null;
}
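/// <summary>
/// Renders a per-event-type detail string. Fields are laid out as
/// <c>Label:;; value;; Label:;; value</c>, with <c>;;</c> acting as the field delimiter.
/// Types without a dedicated case fall back to dumping every payload field.
/// </summary>
/// <param name="evt">The event to describe.</param>
/// <returns>A single delimited line of details.</returns>
/// <remarks>
/// NOTE(review): values such as CommandLine, FileName, KeyName and PortName are inserted
/// verbatim. A value containing ";;" would corrupt whatever splits on that delimiter —
/// confirm the consumer tolerates this or escape those fields.
/// Fixes relative to the previous version: the ThreadTraceData line was missing the ";;"
/// before "User Stack Base"; several addresses were printed with a "0x" prefix but no
/// hex format (FileIOCreate IRP, page-fault VirtualAddress/ProgramCounter); a few hex
/// values lacked the "0x" prefix; and ALPCSendMessage / MemorySystemMemInfo used a
/// malformed delimiter.
/// </remarks>
private string GetDetails(TraceEvent evt)
{
    switch (evt)
    {
        case ProcessTraceData data:
            return $"Parent PID:;; {data.ParentID};; Flags:;; {data.Flags};; Image Path:;; {data.ImageFileName};; Command Line:;; {data.CommandLine}";
        case ThreadTraceData data:
            return $"Win32 Start Address:;; 0x{data.Win32StartAddr:X};; Kernel Stack Base:;; 0x{data.StackBase:X};;" +
                   $" User Stack Base:;; 0x{data.UserStackBase:X};; TEB:;; 0x{data.TebBase:X};; Parent PID:;; {data.ParentProcessID}";
        case RegistryTraceData data:
            return $"Key:;; {data.KeyName};; Value Name:;; {data.ValueName};; Status:;; 0x{data.Status:X};; Handle:;; 0x{data.KeyHandle:X}";
        case ImageLoadTraceData data:
            return $"Name:;; {data.FileName};; Address:;; 0x{data.ImageBase:X};; Base:;; 0x{data.DefaultBase:X};; size:;; 0x{data.ImageSize:X}";
        case ALPCSendMessageTraceData data:
            return $"Message ID:;; {data.MessageID}";
        case ALPCReceiveMessageTraceData data:
            return $"Message ID:;; {data.MessageID}";
        case ALPCWaitForReplyTraceData data:
            return $"Message ID:;; {data.MessageID}";
        case ALPCWaitForNewMessageTraceData data:
            return $"Server:;; {Convert.ToBoolean(data.IsServerPort)};; Port Name:;; {data.PortName}";
        case FileIOReadWriteTraceData data:
            return $"Filename:;; {data.FileName};; Offset:;; 0x{data.Offset:X};; Size:;; 0x{data.IoSize:X};; IRP:;; 0x{data.IrpPtr:X}";
        case FileIOSimpleOpTraceData data:
            return $"Filename:;; {data.FileName};; File Object:;; 0x{data.FileObject:X};; IRP:;; 0x{data.IrpPtr:X}";
        case FileIOCreateTraceData data:
            return $"Attributes:;; {data.FileAttributes};; Options:;; {data.CreateOptions};; Sharing:;; {data.ShareAccess};; File Object:;; 0x{data.FileObject:X};; IRP:;; 0x{data.IrpPtr:X}";
        case VirtualAllocTraceData data:
            // Raw flag bits are shown through the enum so the names, not the number, appear.
            return $"Address:;; 0x{data.BaseAddr:X};; Size:;; 0x{data.Length:X};; Flags:;; {(VirtualAllocFlags)(data.Flags)}";
        case TcpIpConnectTraceData data:
            return $"Src Address:;; {data.saddr.ToString()};; Dst Address:;; {data.daddr};; Dst Port:;; {data.dport};; Src Port:;; {data.sport};; Connection ID:;; {data.connid}";
        case TcpIpTraceData data:
            return $"Src Address:;; {data.saddr.ToString()};; Dst Address:;; {data.daddr};; Dst Port:;; {data.dport};; Src Port:;; {data.sport};; Size:;; {data.size};; Connection ID:;; {data.connid}";
        case TcpIpV6TraceData data:
            return $"Src Address:;; {data.saddr.ToString()};; Dst Address:;; {data.daddr};; Dst Port:;; {data.dport};; Src Port:;; {data.sport};; Size:;; {data.size};; Connection ID:;; {data.connid}";
        case TcpIpSendTraceData data:
            return $"Src Address:;; {data.saddr.ToString()};; Dst Address:;; {data.daddr};; Dst Port:;; {data.dport};; Src Port:;; {data.sport};;" +
                   $" Size:;; {data.size};; Seq:;; {data.seqnum};; Start:;; {data.startime};; End:;; {data.endtime};; Connection ID:;; {data.connid}";
        case TcpIpV6SendTraceData data:
            return $"Src Address:;; {data.saddr.ToString()};; Dst Address:;; {data.daddr};; Dst Port:;; {data.dport};; Src Port:;; {data.sport};;" +
                   $" Size:;; {data.size};; Seq:;; {data.seqnum};; Start:;; {data.startime};; End:;; {data.endtime};; Connection ID:;; {data.connid}";
        case DiskIOTraceData data:
            return $"Disk:;; {data.DiskNumber};; Offset:;; {data.ByteOffset};; Size:;; {data.TransferSize};; Priority:;; {data.Priority};; IRP:;;" +
                   $" 0x{data.Irp:X};; IRP Flags:;; {data.IrpFlags};; File Key:;; 0x{data.FileKey:X};; Filename:;; {data.FileName}";
        case MapFileTraceData data:
            return $"Filename:;; {data.FileName};; View Base:;; 0x{data.ViewBase:X};; Offset:;; 0x{data.ByteOffset:X};; Size:;; 0x{data.ViewSize:X}";
        case FileIONameTraceData data:
            return $"Filename:;; {data.FileName};; File Key:;; 0x{data.FileKey:X}";
        case DriverMajorFunctionCallTraceData data:
            return $"Major:;; {data.MajorFunction};; Minor:;; {data.MinorFunction};; IRP:;; 0x{data.Irp:X};; Routine:;; 0x{data.RoutineAddr:X};; Unique ID:;; 0x{data.UniqMatchID:X}";
        case MemInfoTraceData data:
            return $"Zero Pages:;; {data.ZeroPageCount};; Free Pages:;; {data.FreePageCount};; Modified Pages:;; {data.ModifiedPageCount};; Modified No Write Pages:;; {data.ModifiedNoWritePageCount};; Bad Pages:;; {data.BadPageCount}";
        case MemoryPageAccessTraceData data:
            return $"Page Kind:;; {data.PageKind};; Page List:;; {data.PageList};; PFN:;; {data.PageFrameIndex};; Virtual Address:;; 0x{data.VirtualAddress:X};; File Key:;; 0x{data.FileKey:X};; Filename:;; {data.FileName}";
        case MemorySystemMemInfoTraceData data:
            return $"Free Pages:;; {data.FreePages}";
        case MemoryPageFaultTraceData data:
            return $"Virtual Address:;; 0x{data.VirtualAddress:X};; Program Counter:;; 0x{data.ProgramCounter:X}";
    }

    // Generic fallback: dump every payload field with the same delimiter convention.
    var sb = new StringBuilder(128);
    foreach (var name in evt.PayloadNames)
    {
        sb.Append(name).Append(":;; ").Append(evt.PayloadStringByName(name)).Append(";; ");
    }
    return sb.ToString();
}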
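/// <summary>
/// Dumps every payload field of an event as <c>name[index]='value' </c> tokens,
/// separated by single spaces (a trailing space follows the last token).
/// </summary>
/// <param name="data">Event whose payload is rendered.</param>
/// <returns>The concatenated payload dump; empty when the event has no payload fields.</returns>
public string GetAllPayloads(TraceEvent data)
{
    // StringBuilder instead of repeated string concatenation in the loop; the
    // output format is unchanged. Consistent with the fallback path in GetDetails.
    var sb = new StringBuilder();
    foreach (string name in data.PayloadNames)
    {
        sb.Append(name)
          .Append('[')
          .Append(data.PayloadIndex(name))
          .Append("]='")
          .Append(data.PayloadStringByName(name))
          .Append("' ");
    }
    return sb.ToString();
}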