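public static void OnEtwEvent(Microsoft.O365.Security.ETW.IEventRecord record, string name)
{
    // WARNING: this function is called from the worker thread
    //
    // Debug dump of a single ETW event to the console, one line per event:
    //   ETW <name> id: <Id>;  opcode: <Opcode>; <Prop>: <value> (Type <n>); ... proc (<ProcessId>)
    // Each property value is read through the IEventRecord getter that matches its EVT_VARIANT_TYPE.
    // Types with no getter mapped below (Guid, and anything else such as SID or binary payloads) are
    // printed with an empty value but keep their "(Type n)" tag, so the gap stays visible in the output.
    // A StringBuilder is used so the line is not re-copied for every property appended.
    var line = new System.Text.StringBuilder();
    line.Append("ETW ").Append(name)
        .Append(" id: ").Append(record.Id).Append("; ")
        .Append(" opcode: ").Append(record.Opcode).Append("; ");

    foreach (var property in record.Properties)
    {
        string value;
        switch ((EVT_VARIANT_TYPE)property.Type)
        {
            case EVT_VARIANT_TYPE.EvtVarTypeString:
                value = record.GetUnicodeString(property.Name);
                break;
            case EVT_VARIANT_TYPE.EvtVarTypeAnsiString:
                value = record.GetAnsiString(property.Name);
                break;
            case EVT_VARIANT_TYPE.EvtVarTypeByte:
                value = record.GetUInt8(property.Name).ToString();
                break;
            case EVT_VARIANT_TYPE.EvtVarTypeUInt16:
                value = record.GetUInt16(property.Name).ToString();
                break;
            case EVT_VARIANT_TYPE.EvtVarTypeUInt32:
                value = record.GetUInt32(property.Name).ToString();
                break;
            case EVT_VARIANT_TYPE.EvtVarTypeUInt64:
                value = record.GetUInt64(property.Name).ToString();
                break;
            case EVT_VARIANT_TYPE.EvtVarTypeSByte:
                value = record.GetInt8(property.Name).ToString();
                break;
            case EVT_VARIANT_TYPE.EvtVarTypeInt16:
                value = record.GetInt16(property.Name).ToString();
                break;
            case EVT_VARIANT_TYPE.EvtVarTypeInt32:
                value = record.GetInt32(property.Name).ToString();
                break;
            case EVT_VARIANT_TYPE.EvtVarTypeInt64:
                value = record.GetInt64(property.Name).ToString();
                break;
            case EVT_VARIANT_TYPE.EvtVarTypeGuid:
                // Not decoded: no Guid accessor is used here, so the value stays empty.
                // TODO(review): add a getter for it once the right IEventRecord accessor is confirmed.
            default:
                value = string.Empty;
                break;
        }

        line.Append(property.Name).Append(": ").Append(value)
            .Append(" (Type ").Append(property.Type).Append(")")
            .Append("; ");
    }

    line.Append(" proc (").Append(record.ProcessId).Append(")");
    Console.WriteLine(line.ToString());
}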
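private void OnProcessEvent(Microsoft.O365.Security.ETW.IEventRecord record)
{
    // WARNING: this function is called from the worker thread
    //
    // Handles event id 0 of the process provider: opcode 1 = process start, opcode 2 = process stop.
    // Everything that touches the shared Processes table is handed to the engine thread through
    // App.engine.RunInEngineThread. Only plain values copied out of the record are captured by those
    // lambdas: the record belongs to the ETW callback, and the lambda runs later on another thread.
    // NOTE(review): confirm whether IEventRecord stays valid after the callback returns; copying the
    // timestamp up front removes the dependency on that either way.
    if (record.Id != 0)
    {
        return;
    }

    if (record.Opcode == 1) // start
    {
        // For a raw dump of every property of this event use OnEtwEvent(record, "proc").
        // Observed layout of a start event (the "Type" numbers are EVT_VARIANT_TYPE values):
        /*
         * UniqueProcessKey: (Type 16)
         * ProcessId: 27204 (Type 8)
         * ParentId: 8540 (Type 8)
         * SessionId: 1 (Type 8)
         * ExitStatus: 259 (Type 7)
         * DirectoryTableBase: (Type 16)
         * Flags: 0 (Type 8)
         * UserSID: (Type 310)
         * ImageFileName: calc1.exe (Type 2)
         * CommandLine: calc1 (Type 1)
         * PackageFullName: (Type 1)
         * ApplicationId: (Type 1)
         */
        int processId = (int)record.GetUInt32("ProcessId", 0);
        string commandLine = record.GetUnicodeString("CommandLine", null); // Note: the command line may contain a relative path (!)
        string fileName = record.GetAnsiString("ImageFileName", null);
        int parentId = (int)record.GetUInt32("ParentId", 0);
        var startTime = record.Timestamp; // copied here so the engine-thread lambda does not touch the record

        // GetPathFromCmd turns the (possibly relative) command line plus the image name into a full path;
        // it returns null when the path cannot be resolved, in which case the process is not tracked.
        string filePath = GetPathFromCmd(commandLine, processId, fileName /*, record.Timestamp*/, parentId);
        if (filePath == null)
        {
            AppLog.Debug("Process Monitor could not resolve path for prosess ({0}) : {1}", processId, commandLine);
            return;
        }

        //AppLog.Debug("Process Started: {0}", filePath);

        App.engine?.RunInEngineThread(() =>
        {
            // Note: this happens in the engine thread
            // A stale entry for the same PID means the stop event was missed or the PID was reused;
            // the old entry is dropped in favour of the fresh start.
            if (Processes.ContainsKey(processId))
            {
                AppLog.Debug("Possible PID conflict (pid {0} reused): {1}", processId, filePath);
                Processes.Remove(processId);
            }
            Processes.Add(processId, new ProcInfo() { filePath = filePath, StartTime = startTime });
        });
    }
    else if (record.Opcode == 2) // stop
    {
        int processId = (int)record.GetUInt32("ProcessId", 0);
        var stopTime = record.Timestamp; // copied here for the same reason as in the start branch

        App.engine?.RunInEngineThread(() =>
        {
            // Note: this happens in the engine thread
            // Processes that started before monitoring began have no entry and are silently ignored.
            ProcInfo info;
            if (Processes.TryGetValue(processId, out info))
            {
                // Assumes ProcInfo is a reference type so this updates the stored entry;
                // if it were a struct this would only modify a local copy. TODO(review): confirm.
                info.StopTime = stopTime;
            }
        });
    }
}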