예제 #1
0
        public static void Start()
        {
            var trace = new KernelTrace("KernelTrace002");

            // Some kernel providers can't be enabled via EnableFlags and you need to call
            // TraceSetInformation with an extended PERFINFO_GROUPMASK instead.
            // e.g. https://docs.microsoft.com/en-us/windows/win32/etw/obtrace
            // Lobster has convenience providers for some of these, but otherwise the same
            // thing could be done with:
            //    var provider = new KernelProvider(SOME_GUID, SOME_MASK_VALUE);
            var objectManagerProvider = new Kernel.ObjectManagerProvider();

            objectManagerProvider.OnEvent += (record) =>
            {
                if (record.Opcode == 33)
                {
                    var name = record.GetUnicodeString("ObjectName", string.Empty);
                    if (name.EndsWith(".dll"))
                    {
                        Console.WriteLine($"Handle closed for object with name {name}");
                    }
                }
            };
            trace.Enable(objectManagerProvider);

            // You can also set a default callback to handle any events that don't
            // have a corresponding provider registered.
            // This is helpful if you're not yet sure which provider GUID is required for a
            // given EnableFlags or PERFINFO_GROUPMASK. In particualar, the PERFINFO_GROUPMASKs
            // aren't documented by Microsoft so it's useful to have a way to receive those events.
            // So we enable them with any placeholder guid for now. For example -
            uint PERF_REG_HIVE = 0x41000000;  // from perfinfo_groupmask.hpp
            var  hiveProvider  = new KernelProvider(Guid.Empty, PERF_REG_HIVE);

            // In this case, the correct provider GUID (unsurprisingly) turns out to be krabs::guids::registry :-)
            // Though the HiveInit/HiveLink/HiveDirty/Counters events enabled aren't documented.
            //
            // You'll also likely receive the EventTrace_Header and any HWConfig events here.
            //  * https://docs.microsoft.com/en-us/windows/win32/etw/eventtrace-header
            //  * https://docs.microsoft.com/en-us/windows/win32/etw/hwconfig
            trace.SetDefaultEventCallback((record) =>
            {
                Console.WriteLine($"{record.ProviderId} provider={record.ProviderName} task_name={record.TaskName} opcode={record.Opcode} opcode_name={record.OpcodeName}");
            });
            trace.Enable(hiveProvider);

            trace.Start();
        }
예제 #2
0
        public void it_should_raise_OnEvent_for_kernel_trace()
        {
            var called = false;

            var trace = new KernelTrace();
            var proxy = new Proxy(trace);

            var provider = new ImageLoadProvider();

            provider.OnEvent += e => { called = true; };

            trace.Enable(provider);
            proxy.PushEvent(ImageLoadEvent.CreateRecord(123, "file.exe"));

            Assert.IsTrue(called, "proxy call raised on event");
        }
예제 #3
0
        public MainViewModel(IUIServices ui)
        {
            UI     = ui;
            _trace = new KernelTrace("DebugPrintTrace");
            var provider = new DebugPrintProvider();

            provider.OnEvent += OnEvent;
            _trace.Enable(provider);

            _bufferReadyEvent = new EventWaitHandle(false, EventResetMode.AutoReset, "DBWIN_BUFFER_READY");
            _dataReadyEvent   = new EventWaitHandle(false, EventResetMode.AutoReset, "DBWIN_DATA_READY");
            _stopEvent        = new AutoResetEvent(false);

            _mmf = MemoryMappedFile.CreateOrOpen("DBWIN_BUFFER", _bufferSize);
            _stm = _mmf.CreateViewStream();
        }
예제 #4
0
            public void it_should_parse_unicode_strings()
            {
                var data = "file.exe";
                var prop = ImageLoadEvent.FileName;

                var provider = new ImageLoadProvider();

                provider.OnEvent += e =>
                {
                    Assert.AreEqual(data, e.GetUnicodeString(prop));
                    Assert.AreEqual(data, e.GetUnicodeString(prop, String.Empty));

                    string result;
                    Assert.IsTrue(e.TryGetUnicodeString(prop, out result));
                    Assert.AreEqual(data, result);
                };

                trace.Enable(provider);
                proxy.PushEvent(PowerShellEvent.CreateRecord(
                                    data, String.Empty, String.Empty));
            }
예제 #5
0
        public static void Start()
        {
            // Kernel traces use the KernelTrace class, which looks and acts
            // a lot like the UserTrace class. A strange quirk about kernel
            // ETW traces is that prior to Win8, the trace was required to
            // have a specific name. On machines where this is the case, this
            // name we provide is ignored and the required one is used.
            var trace = new KernelTrace("My trace name");

            // Lobster provides a bunch of convenience providers for kernel
            // traces. The set of providers that are allowed by kernel traces
            // is hardcoded by Windows, and Lobster provides simple objects to
            // represent these. If other providers were enabled without an
            // update to Lobster, the same thing could be achieved with:
            //    var provider = new KernelProvider(SOME_BITMASK_VALUE, SOME_GUID);
            var processProvider = new Kernel.ProcessProvider();

            // Kernel providers accept callbacks and event filters, as user
            // providers do.
            processProvider.OnEvent += (record) =>
            {
                // We consult against the opcode for kernel providers.
                // The opcodes are documented here:
                // https://msdn.microsoft.com/en-us/library/windows/desktop/aa364083(v=vs.85).aspx
                if (record.Opcode == 0x01)
                {
                    var image = record.GetAnsiString("ImageFileName", "Unknown");
                    var pid   = record.GetUInt32("ProcessId", 0);
                    Console.WriteLine($"{image} started with PID {pid}");
                }
            };

            // From here, a KernelTrace is indistinguishable from a UserTrace
            // in how it's used.
            trace.Enable(processProvider);

            // Another quirk here is that kernel traces can only be done by
            // administrators. :( :( :(
            trace.Start();
        }
예제 #6
0
        static void Main(string[] args)
        {
            // Kernel traces use the KernelTrace class, which looks and acts
            // a lot like the UserTrace class. A strange quirk about kernel
            // ETW traces is that prior to Win8, the trace was required to
            // have a specific name. On machines where this is the case, this
            // name we provide is ignored and the required one is used.
            var trace = new KernelTrace("My trace name");

            // Lobster provides a bunch of convenience providers for kernel
            // traces. The set of providers that are allowed by kernel traces
            // is hardcoded by Windows, and Lobster provides simple objects to
            // represent these. If other providers were enabled without an
            // update to Lobster, the same thing could be achieved with:
            //    var provider = new KernelProvider(SOME_BITMASK_VALUE, SOME_GUID);
            var imageProvider = new Kernel.ImageLoadProvider();

            // Kernel providers accept callbacks and event filters, as user
            // providers do.
            imageProvider.OnEvent += (EventRecord record) =>
            {
                var schema = new Schema(record);
                if (schema.Name == "Load")
                {
                    var parser = new Parser(schema);
                    Console.WriteLine(parser.ParseWStringWithDefault("FileName", "Unknown"));
                }
            };

            // From here, a KernelTrace is indistinguishable from a UserTrace
            // in how it's used.
            trace.Enable(imageProvider);

            // Another quirk here is that kernel traces can only be done by
            // administrators. :( :( :(
            trace.Start();
        }
예제 #7
0
        public static void Start()
        {
            // Kernel traces use the KernelTrace class, which looks and acts
            // a lot like the UserTrace class. A strange quirk about kernel
            // ETW traces is that prior to Win8, the trace was required to
            // have a specific name. On machines where this is the case, this
            // name we provide is ignored and the required one is used.
            var trace = new KernelTrace("My trace name");

            // Lobster provides a bunch of convenience providers for kernel
            // traces. The set of providers that are allowed by kernel traces
            // is hardcoded by Windows, and Lobster provides simple objects to
            // represent these. If other providers were enabled without an
            // update to Lobster, the same thing could be achieved with:
            //    var provider = new KernelProvider(SOME_FLAGS_VALUE, SOME_GUID);
            var processProvider = new Kernel.ProcessProvider();

            // Kernel providers accept callbacks and event filters, as user
            // providers do.
            processProvider.OnEvent += (record) =>
            {
                // We consult against the opcode for kernel providers.
                // The opcodes are documented here:
                // https://msdn.microsoft.com/en-us/library/windows/desktop/aa364083(v=vs.85).aspx
                if (record.Opcode == 0x01)
                {
                    var image = record.GetAnsiString("ImageFileName", "Unknown");
                    var pid   = record.GetUInt32("ProcessId", 0);
                    Console.WriteLine($"{image} started with PID {pid}");
                }
            };

            // Some kernel providers can't be enabled via EnableFlags and you need to call
            // TraceSetInformation with an extended PERFINFO_GROUPMASK instead.
            // e.g. https://docs.microsoft.com/en-us/windows/win32/etw/obtrace
            // Lobster has convenience providers for some of these, but otherwise the same
            // thing could be done with:
            //    var provider = new KernelProvider(SOME_GUID, SOME_MASK_VALUE);
            var objectManagerProvider = new Kernel.ObjectManagerProvider();

            objectManagerProvider.OnEvent += (record) =>
            {
                if (record.Opcode == 33)
                {
                    var name = record.GetUnicodeString("ObjectName", string.Empty);
                    if (!string.IsNullOrEmpty(name))
                    {
                        Console.WriteLine($"Handle closed for object with name {name}");
                    }
                }
            };

            // From here, a KernelTrace is indistinguishable from a UserTrace
            // in how it's used.
            trace.Enable(processProvider);
            trace.Enable(objectManagerProvider);

            // Another quirk here is that kernel traces can only be done by
            // administrators. :( :( :(
            trace.Start();
        }