        /// <summary>
        /// Minimal process-event callback: prints the record's task name together with
        /// the "ProcessID" and "ImageName" payload fields on a single console line.
        /// </summary>
        /// <param name="record">ETW record carrying a "ProcessID" (uint32) and an "ImageName" (Unicode string) field.</param>
        private static void ProcessEventHandler(IEventRecord record)
        {
            uint processId = record.GetUInt32("ProcessID");
            string image   = record.GetUnicodeString("ImageName");

            // ImageName is provider-supplied text echoed verbatim; acceptable for a console demo.
            Console.WriteLine("{0} pid={1} ImageName={2}", record.TaskName, processId, image);
        }
        /// <summary>
        /// Kernel debug-print callback: turns one ETW record into a <c>DebugItem</c>
        /// and hands it to <c>AddDebugItem</c>.
        /// </summary>
        /// <param name="record">ETW record with a "Message" ANSI-string field and an optional "Component" field.</param>
        private void OnEvent(IEventRecord record)
        {
            uint pid = record.ProcessId;

            // The debug print normally ends in a newline; strip only the trailing CR/LF and keep the rest as-is.
            string message = record.GetAnsiString("Message").TrimEnd('\n', '\r');

            // "Component" falls back to 0 via the defaulted overload — presumably when the field is absent; verify against the library.
            uint component = record.GetUInt32("Component", 0);

            var entry = new DebugItem {
                Time        = record.Timestamp,
                ProcessId   = (int)pid,
                ProcessName = TryGetProcessName(pid),
                ThreadId    = (int)record.ThreadId,
                Text        = message,
                Component   = component,
                IsKernel    = true
            };

            AddDebugItem(entry);
        }
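        /// <summary>
        /// ETW thread-start callback used as the injection detector.
        /// The event header's <c>ProcessId</c> is the process that created the thread;
        /// the payload's <c>ProcessID</c>/<c>ThreadID</c> identify the thread's owner.
        /// When the two differ, the thread was created from another process, which is
        /// what CreateRemoteThread-style injection looks like.
        /// NOTE(review): a parent creating a child's initial thread also yields header
        /// pid != payload pid — confirm such events are filtered before every hit is
        /// treated as an injection.
        /// </summary>
        /// <param name="ETWRecord">Thread-start record delivered by the ETW session.</param>
        private static void ETWEventsFilter_OnEvent(IEventRecord ETWRecord)
        {
            uint Injector_Pid = ETWRecord.ProcessId;
            uint Target_pid   = ETWRecord.GetUInt32("ProcessID");
            uint Target_tid   = ETWRecord.GetUInt32("ThreadID");

            // Shared state read elsewhere in the tool: the most recent thread/process seen.
            LastTID = Convert.ToInt32(Target_tid);
            LastPID = Convert.ToInt32(Target_pid);

            // Resolve the two names independently. Previously one try block covered both
            // lookups, so a target that had already exited also left the injector unnamed.
            // Names come from the live process table rather than from the event, so a reused
            // PID can mislabel a short-lived process — treat them as display hints only.
            TargetProcessName = ResolveProcessNameOrExited(Target_pid);
            ProcessName       = ResolveProcessNameOrExited(Injector_Pid);

            if (Injector_Pid != Target_pid)
            {
                ReportRemoteThread(Injector_Pid, Target_pid, Target_tid);
            }
            else if (IsShowAllRecrds)
            {
                ReportLocalThread(Injector_Pid, Target_pid, Target_tid);
            }
        }

        /// <summary>
        /// Returns the name of the process <paramref name="pid"/>, or "Process Exited"
        /// when the PID is gone, has exited, or cannot be inspected.
        /// </summary>
        private static string ResolveProcessNameOrExited(uint pid)
        {
            try
            {
                using (var process = Process.GetProcessById(Convert.ToInt32(pid)))
                {
                    return process.HasExited ? "Process Exited" : process.ProcessName;
                }
            }
            catch (Exception)
            {
                // GetProcessById throws once the PID is gone, and HasExited/ProcessName can
                // throw for protected processes (access denied). Both are routine in a live
                // monitor and must not escape the ETW callback, so they share the exited label.
                return "Process Exited";
            }
        }

        /// <summary>True when <paramref name="pid"/> names a process that is still running and readable.</summary>
        private static bool IsProcessRunning(int pid)
        {
            try
            {
                using (var process = Process.GetProcessById(pid))
                {
                    return !process.HasExited;
                }
            }
            catch (Exception)
            {
                return false; // not found or not accessible: treat as gone
            }
        }

        /// <summary>
        /// Writes one colourised "[time] Tid N <verb> "target:pid" by this Process "injector:pid""
        /// line and resets the foreground colour afterwards.
        /// </summary>
        private static void WriteThreadLine(ConsoleColor tidColor, string verb, uint tid, string targetName, uint targetPid, string creatorName, uint creatorPid)
        {
            Console.ForegroundColor = ConsoleColor.DarkGreen;
            Console.Write("[{0}] ", DateTime.Now.ToString());
            Console.ForegroundColor = tidColor;
            Console.Write("Tid {0}", tid.ToString());
            Console.ForegroundColor = ConsoleColor.DarkGreen;
            Console.Write(verb);
            Console.ForegroundColor = ConsoleColor.Green;
            Console.Write("\"{0}:{1}\"", targetName, targetPid.ToString());
            Console.ForegroundColor = ConsoleColor.DarkGreen;
            Console.Write(" by this Process ");
            Console.ForegroundColor = ConsoleColor.Green;
            Console.WriteLine("\"{0}:{1}\" ", creatorName, creatorPid.ToString());
            Console.ForegroundColor = ConsoleColor.Gray;
        }

        /// <summary>
        /// In debug mode, shows per-thread detail for the target, skipping the
        /// Idle (0) and System (4) pseudo-processes.
        /// </summary>
        private static void ShowThreadDetailIfDebugging(uint targetPid, uint targetTid)
        {
            int pid = Convert.ToInt32(targetPid);
            if (pid != 4 && pid != 0 && Is_DebugMode)
            {
                DebugMode_ThreadsDetailShow(pid, Convert.ToInt32(targetTid));
            }
        }

        /// <summary>
        /// Handles a thread created from another process: records it, prints the
        /// detection line, optionally shows debug detail, and in IPS/IDS mode scans it.
        /// </summary>
        private static void ReportRemoteThread(uint injectorPid, uint targetPid, uint targetTid)
        {
            // Record "pid:tid:injector" only while the target is alive; a dead target cannot be scanned.
            if (IsProcessRunning(Convert.ToInt32(targetPid)))
            {
                Injected_Processes_IDsList.Add(string.Format("{0}:{1}:{2}", targetPid, targetTid, injectorPid));
            }
            // NOTE(review): the list is never trimmed, so a long-running session grows it
            // without bound — confirm whether a cap or rotation is wanted.

            WriteThreadLine(ConsoleColor.Red, " injected to Process ", targetTid, TargetProcessName, targetPid, ProcessName, injectorPid);
            ShowThreadDetailIfDebugging(targetPid, targetTid);

            if (IPS_IDS)
            {
                ScanMostRecentInjectedThread();
            }
        }

        /// <summary>
        /// IPS/IDS mode: scans the newest recorded injected thread whose process is still
        /// running, falling back to the entry before it. Scanning only starts once more
        /// than two entries exist; that threshold is kept from the original (presumably
        /// to skip start-up noise — confirm).
        /// </summary>
        private static void ScanMostRecentInjectedThread()
        {
            int count = Injected_Processes_IDsList.Count;
            if (count <= 2)
            {
                return;
            }

            // Newest first, then the previous one; the first still-running candidate wins.
            // Previously a vanished newest PID threw inside the check and the fallback was skipped.
            for (int i = count - 1; i >= count - 2; i--)
            {
                string[] parts = Injected_Processes_IDsList[i].Split(':');
                int pid = Convert.ToInt32(parts[0]);
                int tid = Convert.ToInt32(parts[1]);
                if (!IsProcessRunning(pid))
                {
                    continue;
                }

                try
                {
                    DoSomething(pid, tid);
                    Console.Title = "[ " + DateTime.Now.ToString() + " ] Process:Thread " + parts[0] + ":" + parts[1] + " Scanned";
                }
                catch (Exception ex)
                {
                    // The scan is best-effort and must not tear down the ETW callback,
                    // but a failure should be visible rather than silently swallowed.
                    Console.Error.WriteLine("[{0}] scan of {1}:{2} failed: {3}", DateTime.Now.ToString(), parts[0], parts[1], ex.Message);
                }
                break;
            }
            Console.ForegroundColor = ConsoleColor.Gray;
        }

        /// <summary>
        /// Handles a thread created inside its own process (shown only when
        /// <c>IsShowAllRecrds</c> is set): prints the creation line and optional debug detail.
        /// </summary>
        private static void ReportLocalThread(uint creatorPid, uint targetPid, uint targetTid)
        {
            try
            {
                WriteThreadLine(ConsoleColor.Green, " Created in Process ", targetTid, TargetProcessName, targetPid, ProcessName, creatorPid);
                ShowThreadDetailIfDebugging(targetPid, targetTid);
            }
            catch (Exception ex)
            {
                // Display is best-effort; report instead of swallowing so failures are not invisible.
                Console.Error.WriteLine("[{0}] display of thread {1} failed: {2}", DateTime.Now.ToString(), targetTid, ex.Message);
            }
        }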
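        /// <summary>
        /// Parse a TraceLogging event into <paramref name="eventData"/>, one entry per
        /// property keyed by property name. <c>property.Type</c> is the numeric
        /// TDH_IN_TYPE code (1 = UNICODESTRING … 21 = HEXINT64); a later property with
        /// the same name overwrites an earlier one.
        /// </summary>
        /// <param name="record">ETW event record</param>
        /// <param name="eventData">dict that will be filled with event data</param>
        public void Parse(IEventRecord record, Dictionary <String, dynamic> eventData)
        {
            foreach (var property in record.Properties)
            {
                try
                {
                    switch (property.Type)
                    {
                    case 1:  // TDH_INTYPE_UNICODESTRING
                        eventData[property.Name] = record.GetUnicodeString(property.Name);
                        break;

                    case 2:  // TDH_INTYPE_ANSISTRING
                        eventData[property.Name] = record.GetAnsiString(property.Name);
                        break;

                    case 3:  // TDH_INTYPE_INT8
                        eventData[property.Name] = record.GetInt8(property.Name);
                        break;

                    case 4:  // TDH_INTYPE_UINT8
                        eventData[property.Name] = record.GetUInt8(property.Name);
                        break;

                    case 5:  // TDH_INTYPE_INT16
                        eventData[property.Name] = record.GetInt16(property.Name);
                        break;

                    case 6:  // TDH_INTYPE_UINT16
                        eventData[property.Name] = record.GetUInt16(property.Name);
                        break;

                    case 7:  // TDH_INTYPE_INT32
                        eventData[property.Name] = record.GetInt32(property.Name);
                        break;

                    case 8:  // TDH_INTYPE_UINT32
                        eventData[property.Name] = record.GetUInt32(property.Name);
                        break;

                    case 9:  // TDH_INTYPE_INT64
                        eventData[property.Name] = record.GetInt64(property.Name);
                        break;

                    case 10: // TDH_INTYPE_UINT64
                        eventData[property.Name] = record.GetUInt64(property.Name);
                        break;

                    case 13: // TDH_INTYPE_BOOLEAN — a 4-byte BOOL, surfaced as its raw uint32
                        eventData[property.Name] = record.GetUInt32(property.Name);
                        break;

                    case 14: // TDH_INTYPE_BINARY
                    case 15: // TDH_INTYPE_GUID — raw 16 bytes, not converted to a Guid
                        eventData[property.Name] = record.GetBinary(property.Name);
                        break;

                    case 20: // TDH_INTYPE_HEXINT32
                        eventData[property.Name] = record.GetUInt32(property.Name);
                        break;

                    case 21: // TDH_INTYPE_HEXINT64
                        eventData[property.Name] = record.GetUInt64(property.Name);
                        break;

                    default:
                        // Previously any other in-type (FLOAT, DOUBLE, POINTER, FILETIME,
                        // SYSTEMTIME, SID, …) was silently dropped, so a consumer could not
                        // tell "field absent" from "field not decoded". Leave a marker instead.
                        eventData[property.Name] = "<Unknown type>";
                        break;
                    }
                }
                catch (Exception)
                {
                    // A decode failure is recorded per field rather than aborting the whole event.
                    eventData[property.Name] = ERROR_PARSING_FIELD;
                }
            }
        }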
        /// <summary>
        /// Decodes one property of <paramref name="record"/> according to its TDH in-type.
        /// Strings, fixed-width integers, binary blobs, FILETIME and pointer-sized values
        /// are supported; any other in-type yields the literal "&lt;Unknown type&gt;".
        /// </summary>
        /// <param name="prop">Property descriptor: <c>Type</c> is a TDH_IN_TYPE code, <c>Name</c> selects the field.</param>
        /// <param name="record">ETW record the field is read from.</param>
        /// <returns>The decoded value boxed as <see cref="object"/>, or the unknown-type marker.</returns>
        private object ParseBasicProperty(Property prop, IEventRecord record)
        {
            string field = prop.Name;

            switch (prop.Type)
            {
            // Text
            case (int)TDH_IN_TYPE.TDH_INTYPE_UNICODESTRING:
                return record.GetUnicodeString(field);
            case (int)TDH_IN_TYPE.TDH_INTYPE_ANSISTRING:
                return record.GetAnsiString(field);
            case (int)TDH_IN_TYPE.TDH_INTYPE_COUNTEDSTRING:
                return record.GetCountedString(field);

            // Signed integers
            case (int)TDH_IN_TYPE.TDH_INTYPE_INT8:
                return record.GetInt8(field);
            case (int)TDH_IN_TYPE.TDH_INTYPE_INT16:
                return record.GetInt16(field);
            case (int)TDH_IN_TYPE.TDH_INTYPE_INT32:
                return record.GetInt32(field);
            case (int)TDH_IN_TYPE.TDH_INTYPE_INT64:
                return record.GetInt64(field);

            // Unsigned integers
            case (int)TDH_IN_TYPE.TDH_INTYPE_UINT8:
                return record.GetUInt8(field);
            case (int)TDH_IN_TYPE.TDH_INTYPE_UINT16:
                return record.GetUInt16(field);
            case (int)TDH_IN_TYPE.TDH_INTYPE_UINT32:
                return record.GetUInt32(field);
            case (int)TDH_IN_TYPE.TDH_INTYPE_UINT64:
                return record.GetUInt64(field);

            // Everything else that has a dedicated reader
            case (int)TDH_IN_TYPE.TDH_INTYPE_BINARY:
                return record.GetBinary(field);
            case (int)TDH_IN_TYPE.TDH_INTYPE_FILETIME:
                return record.GetDateTime(field);
            case (int)TDH_IN_TYPE.TDH_INTYPE_POINTER:
                // Always read at 64-bit width. NOTE(review): confirm the library widens
                // pointers from 32-bit traces rather than over-reading the payload.
                return record.GetUInt64(field);

            default:
                return "<Unknown type>";
            }
        }
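        /// <summary>
        /// Try to parse an event record based on the manifest: locate the event
        /// definition whose value equals <c>record.Id</c>, then decode each field of
        /// its template into <paramref name="eventData"/> keyed by field name. Only the
        /// first matching definition is used.
        /// </summary>
        /// <param name="record">ETW event record</param>
        /// <param name="eventData">eventdata that will be filled by the parser</param>
        public void Parse(IEventRecord record, Dictionary <String, dynamic> eventData)
        {
            foreach (var eventDefinition in this.Scheme.instrumentation.events.provider.events)
            {
                // Event IDs are 16-bit unsigned; Int16.Parse overflowed on manifests with IDs above 32767.
                if (UInt16.Parse(eventDefinition.value) != record.Id)
                {
                    continue;
                }

                // Single(): a manifest with a missing or duplicated template is a schema bug, not a field error.
                var template = this.Scheme.instrumentation.events.provider.templates.Single(x => x.tid == eventDefinition.template);
                foreach (var data in template.datas)
                {
                    try
                    {
                        switch (data.inType)
                        {
                        case Manifest.Data.InType.UnicodeString:
                            eventData[data.name] = record.GetUnicodeString(data.name);
                            break;

                        case Manifest.Data.InType.AnsiString:
                            eventData[data.name] = record.GetAnsiString(data.name);
                            break;

                        case Manifest.Data.InType.GUID:
                            // Raw 16 bytes; not converted to a Guid.
                            eventData[data.name] = record.GetBinary(data.name);
                            break;

                        case Manifest.Data.InType.UInt32:
                            eventData[data.name] = record.GetUInt32(data.name);
                            break;

                        case Manifest.Data.InType.HexInt32:
                            eventData[data.name] = record.GetInt32(data.name);
                            break;

                        case Manifest.Data.InType.HexInt64:
                            eventData[data.name] = record.GetInt64(data.name);
                            break;

                        case Manifest.Data.InType.Boolean:
                            // 4-byte BOOL surfaced as its raw uint32.
                            eventData[data.name] = record.GetUInt32(data.name);
                            break;

                        case Manifest.Data.InType.UInt16:
                            eventData[data.name] = record.GetUInt16(data.name);
                            break;

                        case Manifest.Data.InType.Binary:
                            eventData[data.name] = record.GetBinary(data.name);
                            break;

                        case Manifest.Data.InType.UInt64:
                            eventData[data.name] = record.GetUInt64(data.name);
                            break;

                        case Manifest.Data.InType.Double:
                            // The 8 payload bytes are an IEEE-754 double; previously they were
                            // surfaced as an integer bit pattern. Assumes the library returns the
                            // raw field bytes for the integer read (same failure path as before if not).
                            eventData[data.name] = BitConverter.Int64BitsToDouble(unchecked((long)record.GetUInt64(data.name)));
                            break;

                        case Manifest.Data.InType.UInt8:
                            eventData[data.name] = record.GetUInt8(data.name);
                            break;

                        case Manifest.Data.InType.Int8:
                            // Was GetInt64: a 1-byte field read at 8-byte width.
                            eventData[data.name] = record.GetInt8(data.name);
                            break;

                        case Manifest.Data.InType.Int16:
                            eventData[data.name] = record.GetInt16(data.name);
                            break;

                        case Manifest.Data.InType.Int32:
                            eventData[data.name] = record.GetInt32(data.name);
                            break;

                        case Manifest.Data.InType.Int64:
                            eventData[data.name] = record.GetInt64(data.name);
                            break;

                        case Manifest.Data.InType.FILETIME:
                            // Raw 8 bytes; GetDateTime is not used here, so consumers get the blob.
                            eventData[data.name] = record.GetBinary(data.name);
                            break;

                        case Manifest.Data.InType.Pointer:
                            // Raw pointer-sized bytes; width follows the trace's architecture.
                            eventData[data.name] = record.GetBinary(data.name);
                            break;

                        case Manifest.Data.InType.SYSTEMTIME:
                            eventData[data.name] = record.GetDateTime(data.name);
                            break;

                        case Manifest.Data.InType.SID:
                            // Raw variable-length SID bytes; not converted to a SecurityIdentifier.
                            eventData[data.name] = record.GetBinary(data.name);
                            break;

                        case Manifest.Data.InType.Float:
                            // The 4 payload bytes are an IEEE-754 single; previously surfaced as a uint32 bit pattern.
                            eventData[data.name] = BitConverter.ToSingle(BitConverter.GetBytes(record.GetUInt32(data.name)), 0);
                            break;

                        default:
                            // Unknown in-types used to be skipped silently; leave a marker so
                            // "absent" and "not decoded" can be told apart.
                            eventData[data.name] = "<Unknown type>";
                            break;
                        }
                    }
                    catch (Exception)
                    {
                        // A decode failure is recorded per field rather than aborting the whole event.
                        eventData[data.name] = ERROR_PARSING_FIELD;
                    }
                }

                break;
            }
        }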