public when_calling_publish() { this.partitionKey = Guid.NewGuid().ToString(); this.version = "0001"; string rowKey = "Unpublished_" + version; this.testEvent = Mock.Of<IEventRecord>(x => x.PartitionKey == partitionKey && x.RowKey == rowKey && x.TypeName == "TestEventType" && x.SourceId == "TestId" && x.SourceType == "TestSourceType" && x.Payload == "serialized event" && x.CorrelationId == "correlation" && x.AssemblyName == "Assembly" && x.Namespace == "Namespace" && x.FullName == "Namespace.TestEventType"); this.queue = new Mock<IPendingEventsQueue>(); queue.Setup(x => x.GetPendingAsync(partitionKey, It.IsAny<Action<IEnumerable<IEventRecord>, bool>>(), It.IsAny<Action<Exception>>())) .Callback<string, Action<IEnumerable<IEventRecord>, bool>, Action<Exception>>((key, success, error) => success(new[] { testEvent }, false)); this.sender = new MessageSenderMock(); var sut = new EventStoreBusPublisher(sender, queue.Object, new MockEventStoreBusPublisherInstrumentation()); var cancellationTokenSource = new CancellationTokenSource(); sut.Start(cancellationTokenSource.Token); sut.SendAsync(partitionKey, 0); Assert.True(sender.SendSignal.WaitOne(3000)); cancellationTokenSource.Cancel(); }
/// <summary> /// Core forward function /// Init eventdata with common data for all record: /// ProviderName /// ProviderGuid /// EventID /// /// Call the inner parser /// Then check filter on eventdata /// If a field match and value does not match event is filtering /// If field is not present event is NOT filtered /// </summary> /// <param name="record">Event Record</param> /// <param name="writer">Writer destination</param> /// <returns></returns> public async Task Forward(IEventRecord record, IETWWriter writer) { Dictionary <String, object> eventData = new Dictionary <string, dynamic>(); eventData["ProviderName"] = record.ProviderName; eventData["ProviderGuid"] = record.ProviderId.ToString(); eventData["EventID"] = record.Id; eventData["ProcessId"] = record.ProcessId; eventData["ThreadId"] = record.ThreadId; eventData["Timestamp"] = record.Timestamp.ToString(); this.Parser.Parse(record, eventData); foreach (var filter in this.Filters) { if (!eventData.ContainsKey(filter.Item1)) { return; } if (eventData[filter.Item1].ToString() != filter.Item2) { return; } } await writer.write(eventData); }
public when_calling_publish() { partitionKey = Guid.NewGuid().ToString(); version = "0001"; var rowKey = "Unpublished_" + version; testEvent = Mock.Of <IEventRecord>(x => x.PartitionKey == partitionKey && x.RowKey == rowKey && x.TypeName == "TestEventType" && x.SourceId == "TestId" && x.SourceType == "TestSourceType" && x.Payload == "serialized event" && x.CorrelationId == "correlation" && x.AssemblyName == "Assembly" && x.Namespace == "Namespace" && x.FullName == "Namespace.TestEventType"); queue = new Mock <IPendingEventsQueue>(); queue.Setup(x => x.GetPendingAsync(partitionKey, It.IsAny <Action <IEnumerable <IEventRecord>, bool> >(), It.IsAny <Action <Exception> >())) .Callback <string, Action <IEnumerable <IEventRecord>, bool>, Action <Exception> >((key, success, error) => success(new[] { testEvent }, false)); sender = new MessageSenderMock(); var sut = new EventStoreBusPublisher(sender, queue.Object, new MockEventStoreBusPublisherInstrumentation()); var cancellationTokenSource = new CancellationTokenSource(); sut.Start(cancellationTokenSource.Token); sut.SendAsync(partitionKey, 0); Assert.True(sender.SendSignal.WaitOne(3000)); cancellationTokenSource.Cancel(); }
public void UpdateEvent(IEventRecord eventData) { var reventRecord = eventData as Event; if (reventRecord == null) throw new ArgumentException("Invalid Event Type."); EventsTable.Update(reventRecord); }
public when_calling_publish() { this.partitionKey = Guid.NewGuid().ToString(); this.version = "0001"; string rowKey = "Unpublished_" + version; this.testEvent = Mock.Of<IEventRecord>(x => x.PartitionKey == partitionKey && x.RowKey == rowKey && x.TypeName == "TestEventType" && x.SourceId == "TestId" && x.SourceType == "TestSourceType" && x.Payload == "serialized event" && x.AssemblyName == "Assembly" && x.Namespace == "Namespace" && x.FullName == "Namespace.TestEventType"); this.queue = new Mock<IPendingEventsQueue>(); queue.Setup(x => x.GetPending(partitionKey)).Returns(new[] { testEvent }); this.sender = new MessageSenderMock(); var sut = new EventStoreBusPublisher(sender, queue.Object); var cancellationTokenSource = new CancellationTokenSource(); sut.Start(cancellationTokenSource.Token); sut.SendAsync(partitionKey); Assert.True(sender.ResetEvent.WaitOne(3000)); cancellationTokenSource.Cancel(); }
public void PublishEventRecord(IEventRecord eventRecord) { _logger.LogDebug("Publishing message to: " + _options.ConnectionString); _logger.LogDebug("Echange Name: " + _options.Exchange ?? "<null>"); var routingKey = string.Format("{0}.{1}", eventRecord.EventType, eventRecord.ModelId.ToString("N")); var message = JsonConvert.SerializeObject(eventRecord); _logger.LogDebug("Message: " + message); var body = Encoding.UTF8.GetBytes(message); var factory = new ConnectionFactory() { Uri = new Uri(_options.ConnectionString) }; using (var connection = factory.CreateConnection()) using (var channel = connection.CreateModel()) { channel.ExchangeDeclare(_options.Exchange, ExchangeType.Topic); channel.BasicPublish(exchange: _options.Exchange, routingKey: routingKey, basicProperties: null, body: body); } _logger.LogDebug(string.Format("{0} on {1} published", eventRecord.EventType, eventRecord.ModelId)); }
private static void ProcessEventHandler(IEventRecord record) { var pid = record.GetUInt32("ProcessID"); var imageName = record.GetUnicodeString("ImageName"); Console.WriteLine($"{record.TaskName} pid={pid} ImageName={imageName}"); }
private static BrokeredMessage BuildMessage(IEventRecord record) { string version = record.RowKey.Substring(RowKeyPrefixIndex); var stream = new MemoryStream(Encoding.UTF8.GetBytes(record.Payload)); try { return(new BrokeredMessage(stream, true) { MessageId = record.PartitionKey + "_" + version, SessionId = record.SourceId, CorrelationId = record.CorrelationId, Properties = { { "Version", version }, { StandardMetadata.SourceType, record.SourceType }, { StandardMetadata.Kind, StandardMetadata.EventKind }, { StandardMetadata.AssemblyName, record.AssemblyName }, { StandardMetadata.FullName, record.FullName }, { StandardMetadata.Namespace, record.Namespace }, { StandardMetadata.SourceId, record.SourceId }, { StandardMetadata.TypeName, record.TypeName }, } }); } catch { stream.Dispose(); throw; } }
private static Message BuildMessage(IEventRecord record) { string version = record.RowKey.Substring(RowKeyPrefixIndex); var bytes = Encoding.UTF8.GetBytes(record.Payload); try { return(new Message(bytes) { MessageId = record.PartitionKey + "_" + version, SessionId = record.SourceId, CorrelationId = record.CorrelationId, UserProperties = { { "Version", version }, { StandardMetadata.SourceType, record.SourceType }, { StandardMetadata.Kind, StandardMetadata.EventKind }, { StandardMetadata.AssemblyName, record.AssemblyName }, { StandardMetadata.FullName, record.FullName }, { StandardMetadata.Namespace, record.Namespace }, { StandardMetadata.SourceId, record.SourceId }, { StandardMetadata.TypeName, record.TypeName }, } }); } catch { throw; } }
internal void HandleRecord(IEventRecord record) { if (record.Id == 3018 || record.Id == 3020) { if (!record.TryGetUnicodeString("QueryName", out string domainName)) { return; } if (!record.TryGetUnicodeString("QueryResults", out string queryResult)) { return; } if (string.IsNullOrWhiteSpace(queryResult)) { return; } var tokens = queryResult.Trim().Split(';'); var parsed = tokens .Where(s => !string.IsNullOrEmpty(s)) .Select(s => s.Trim()) .Distinct() .Select(ParsedDnsRecord.Parse) .Where(r => r != null); var dnsRecords = parsed.ToArray(); foreach (var dnsRecord in dnsRecords) { ReverseDnsCache.AddOrUpdate(dnsRecord.Address, domainName); } } }
public string CreateEvent(IEventRecord eventData) { var reventRecord = eventData as Event; if (reventRecord == null) throw new ArgumentException("Invalid Event Type."); reventRecord.Id = Guid.NewGuid().ToString(); EventsTable.Insert(reventRecord); return reventRecord.Id; }
void DefaultEventHandler(IEventRecord r) { try { var obj = _propertyExtractor.Extract(r); lock (_lock) { _records.Add(obj.ToPSObject()); } } catch { // TODO: log bad record parse } }
private void OnEvent(IEventRecord record) { var item = new DebugItem { Time = record.Timestamp, ProcessId = (int)record.ProcessId, ProcessName = TryGetProcessName(record.ProcessId), ThreadId = (int)record.ThreadId, Text = record.GetAnsiString("Message").TrimEnd('\n', '\r'), Component = record.GetUInt32("Component", 0), IsKernel = true }; AddDebugItem(item); }
internal IDictionary <string, object> Extract(IEventRecord record) { var dict = new Dictionary <string, object>(); dict.Add("EtwEventId", record.Id); dict.Add("Etw" + nameof(record.Timestamp), record.Timestamp); dict.Add("Etw" + nameof(record.ProcessId), record.ProcessId); dict.Add("Etw" + nameof(record.ThreadId), record.ThreadId); dict.Add("Etw" + nameof(record.ProviderName), record.ProviderName); if (_includeVerboseProperties) { dict.Add("EtwEventName", record.Name); dict.Add("Etw" + nameof(record.ProviderId), record.ProviderId); dict.Add("Etw" + nameof(record.Version), record.Version); dict.Add("Etw" + nameof(record.Level), record.Level); } IPropertyParser parser = null; if (providerDictionary.Contains(record.ProviderId)) { parser = providerDictionary.GetByProviderGuid(record.ProviderId); } foreach (var p in record.Properties) { var parsed = parser?.ParseProperty(p.Name, record); if (parsed != null && parsed.Any()) { foreach (var parsedProp in parsed) { dict.Add(parsedProp.Key, parsedProp.Value); } } else { dict.Add(p.Name, ParseBasicProperty(p, record)); } } return(dict); }
private IEnumerable <KeyValuePair <string, object> > ParseContextInfo(IEventRecord record) { const string HostAppKey = "Host Application = "; const string CmdNameKey = "Command Name = "; const string CmdTypeKey = "Command Type = "; const string UsrNameKey = "User = "******"HostProcess", host)); index = data.IndexOf(CmdNameKey, startIndex); var name = index != -1 ? data.ReadToNewline(index + CmdNameKey.Length, out startIndex) : string.Empty; ret.Add(new KeyValuePair <string, object>("CommandName", name)); index = data.IndexOf(CmdTypeKey, startIndex); var type = index != -1 ? data.ReadToNewline(index + CmdTypeKey.Length, out startIndex) : string.Empty; ret.Add(new KeyValuePair <string, object>("CommandType", type)); index = data.IndexOf(UsrNameKey, startIndex); var user = index != -1 ? data.ReadToNewline(index + UsrNameKey.Length, out startIndex) : string.Empty; ret.Add(new KeyValuePair <string, object>("UserName", user)); return(ret); } return(Enumerable.Empty <KeyValuePair <string, object> >()); }
/// <summary> /// Event 7937's payload is basically a big well-formatted string. /// We have to parse it by hand, breaking out the interesting bits. /// Fortunately, interesting bits are separated by \n\r so we can break /// up the parsing by line. /// </summary> /// <param name="record"></param> static void OnEvent(IEventRecord record) { string data = string.Empty; if (!record.TryGetUnicodeString("ContextInfo", out data)) { Console.WriteLine("Could not parse 'ContextInfo' from PowerShell event"); return; } var startIndex = 0; // The order these keys are parsed in is static. There is no // guarantee, however, that future Windows versions won't change // the order. This is confirmed to work in: // - Windows 10 // - Windows Server 2016 // - Windows 8.1 // - Windows Server 2012 R2 var index = data.IndexOf(HostAppKey, startIndex); var host = index != -1 ? ReadToNewline(data, index + HostAppKey.Length, out startIndex) : string.Empty; index = data.IndexOf(CmdNameKey, startIndex); var name = index != -1 ? ReadToNewline(data, index + CmdNameKey.Length, out startIndex) : string.Empty; index = data.IndexOf(CmdTypeKey, startIndex); var type = index != -1 ? ReadToNewline(data, index + CmdTypeKey.Length, out startIndex) : string.Empty; index = data.IndexOf(UserNameKey, startIndex); var user = index != -1 ? ReadToNewline(data, index + UserNameKey.Length, out startIndex) : string.Empty; Console.WriteLine($"user: {user} - {host} invoked PowerShell method '{name}' (type: {type})"); }
public void Parse(IEventRecord record, Dictionary <String, dynamic> eventData) { // This function do nothing actually }
public List <IEventRecord> GetByTimeFilter(DateTime fromTime, DateTime toTime, int maxRows, int timeOutSec) { var eventRecordList = new List <IEventRecord>(); ManagementObject vmi = null; // ManagementObject vmi = A.Fake<ManagementObject>(); var er1 = new EventRecord(vmi) { Category = "0", ComputerName = "Herkules", EventCode = "2264", EventType = "2", InsertionStrings = @"C:\Users\Patrik\AppData\Local\Temp\iisexpress\IIS Temporary Compressed Files\Clr4IntegratedAppPoo", Logfile = "Application", Message = @"The directory jabberjowitch specified for caching compressed content C:\Users\Patrik\AppData\Local\Temp\iisexpress\IIS Temporary Compressed Files\Clr4IntegratedAppPool is invalid. Static compression is being disabled.", RecordNumber = "460172", SourceName = "IIS Express", TimeGenerated = DateTime.Now, //"20130619182551.000000-000", // TimeWritten = "20130619182551.000000-000", Type = "Varning" }; eventRecordList.Add(er1); ManagementObject vmi2 = null; var er2 = new EventRecord(vmi2) { Category = "0", ComputerName = "Herkules", EventCode = "0", EventType = "3", InsertionStrings = @"The EventTestWriter was initilized. Go DTD. Do not fail me. jabberjowitch", Logfile = "Application", Message = String.Empty, RecordNumber = "460171", SourceName = "application", TimeGenerated = DateTime.Now, //"20130619182521.000000-000", // TimeWritten = "20130619182521.000000-000", Type = "Information" }; eventRecordList.Add(er2); // https://github.com/FakeItEasy/FakeItEasy ManagementObject vmi3 = null; // var er3 = A.Fake<EventRecord>(() => new EventRecord(vmi3)); // var foo = A.Fake<Foo>(() => new Foo("string passed to constructor")); IEventRecord er3 = A.Fake <IEventRecord>(); // A.CallTo(er3).WithReturnType<string>().Returns("hello world"); eventRecordList.Add(er3); Random rnd = new Random(); for (int i = 4; i <= 20; i++) { var erN = A.Fake <IEventRecord>(); A.CallTo(erN).WithReturnType <string>().Returns("Default Mockstring: " + i.ToString()); A.CallTo(() => erN.ComputerName).Returns("Herkules"); A.CallTo(() => erN.EventCode).Returns(rnd.Next(0, 2000).ToString()); A.CallTo(() => erN.EventType).Returns(rnd.Next(0, 5).ToString()); A.CallTo(() => erN.RecordNumber).Returns((460175 + rnd.Next(1, 200)).ToString()); A.CallTo(() => erN.SourceName).Returns("application"); A.CallTo(() => erN.Message).Returns("jabberjowitch is not a project"); A.CallTo(() => erN.TimeGenerated).Returns(DateTime.Now);// + rnd.Next(111,999).ToString()); eventRecordList.Add(erN); } return(eventRecordList); }
public void StoreEvent(IEventRecord eventRecord) { _eventCollection.InsertOne(eventRecord); }
private IPAddress ParseSaddr(IEventRecord record) => record.GetIPAddress(nameof(PropertyNames.saddr));
public IEnumerable <KeyValuePair <string, object> > ParseProperty(string propertyName, IEventRecord record) { switch (propertyName) { case nameof(PropertyNames.daddr): return(new List <KeyValuePair <string, object> >() { new KeyValuePair <string, object>(propertyName, ParseDaddr(record)) }); case nameof(PropertyNames.saddr): return(new List <KeyValuePair <string, object> >() { new KeyValuePair <string, object>(propertyName, ParseSaddr(record)) }); default: return(Enumerable.Empty <KeyValuePair <string, object> >()); } }
/// <summary> /// Try to parse an event record base on the manifest /// </summary> /// <param name="record">ETW event record</param> /// <param name="eventData">eventdata that will be filled by the parser</param> public void Parse(IEventRecord record, Dictionary <String, dynamic> eventData) { foreach (var eventDefinition in this.Scheme.instrumentation.events.provider.events) { if (Int16.Parse(eventDefinition.value) != record.Id) { continue; } var template = this.Scheme.instrumentation.events.provider.templates.Where(x => x.tid == eventDefinition.template).Single(); foreach (var data in template.datas) { try { switch (data.inType) { case Manifest.Data.InType.UnicodeString: eventData[data.name] = record.GetUnicodeString(data.name); break; case Manifest.Data.InType.AnsiString: eventData[data.name] = record.GetAnsiString(data.name); break; case Manifest.Data.InType.GUID: eventData[data.name] = record.GetBinary(data.name); break; case Manifest.Data.InType.UInt32: eventData[data.name] = record.GetUInt32(data.name); break; case Manifest.Data.InType.HexInt32: eventData[data.name] = record.GetInt32(data.name); break; case Manifest.Data.InType.HexInt64: eventData[data.name] = record.GetInt64(data.name); break; case Manifest.Data.InType.Boolean: eventData[data.name] = record.GetUInt32(data.name); break; case Manifest.Data.InType.UInt16: eventData[data.name] = record.GetUInt16(data.name); break; case Manifest.Data.InType.Binary: eventData[data.name] = record.GetBinary(data.name); break; case Manifest.Data.InType.UInt64: eventData[data.name] = record.GetUInt64(data.name); break; case Manifest.Data.InType.Double: eventData[data.name] = record.GetUInt64(data.name); break; case Manifest.Data.InType.UInt8: eventData[data.name] = record.GetUInt8(data.name); break; case Manifest.Data.InType.Int8: eventData[data.name] = record.GetInt64(data.name); break; case Manifest.Data.InType.Int16: eventData[data.name] = record.GetInt16(data.name); break; case Manifest.Data.InType.Int32: eventData[data.name] = record.GetInt32(data.name); break; case Manifest.Data.InType.Int64: eventData[data.name] = record.GetInt64(data.name); break; case Manifest.Data.InType.FILETIME: eventData[data.name] = record.GetBinary(data.name); break; case Manifest.Data.InType.Pointer: eventData[data.name] = record.GetBinary(data.name); break; case Manifest.Data.InType.SYSTEMTIME: eventData[data.name] = record.GetDateTime(data.name); break; case Manifest.Data.InType.SID: eventData[data.name] = record.GetBinary(data.name); break; case Manifest.Data.InType.Float: eventData[data.name] = record.GetUInt32(data.name); break; } } catch (Exception) { eventData[data.name] = ERROR_PARSING_FIELD; } } break; } }
private static BrokeredMessage BuildMessage(IEventRecord record) { string version = record.RowKey.Substring(RowKeyPrefixIndex); // TODO: should add SessionID to guarantee ordering. // Receiver must be prepared to accept sessions. return new BrokeredMessage(new MemoryStream(Encoding.UTF8.GetBytes(record.Payload)), true) { MessageId = record.PartitionKey + "_" + version, //SessionId = record.PartitionKey, Properties = { { "Version", version }, { "SourceId", record.SourceId }, { "SourceType", record.SourceType }, { "EventType", record.EventType } } }; }
private static void ETWEventsFilter_OnEvent(IEventRecord ETWRecord) { /// Injector_Pid is Injector Process <ETWRecord.ProcessId> uint Injector_Pid = ETWRecord.ProcessId; uint Target_pid = ETWRecord.GetUInt32("ProcessID"); uint Target_tid = ETWRecord.GetUInt32("ThreadID"); /// This LastTID injected to LastPID by Injector_Pid LastTID = Convert.ToInt32(Target_tid); LastPID = Convert.ToInt32(Target_pid); ProcessName = "Process Exited"; TargetProcessName = "Process Exited"; try { if (!Process.GetProcessById(Convert.ToInt32(Target_pid)).HasExited) { TargetProcessName = Process.GetProcessById(Convert.ToInt32(Target_pid)).ProcessName; } if (!Process.GetProcessById(Convert.ToInt32(Injector_Pid)).HasExited) { ProcessName = Process.GetProcessById(Convert.ToInt32(Injector_Pid)).ProcessName; } } catch (Exception) { } /// Detecting Thread Injection : /// if this was True then Thread was Injected to New Process (Target_pid) if (Injector_Pid != Target_pid) { try { /// adding "PID" and "TID" also "Injector PID" to list if ((!Process.GetProcessById(Convert.ToInt32(Target_pid)).HasExited)) { Injected_Processes_IDsList.Add(LastPID.ToString() + ":" + LastTID.ToString() + ":" + Convert.ToInt32(Injector_Pid)); } } catch (Exception) { } Console.ForegroundColor = ConsoleColor.DarkGreen; Console.Write("[{0}] ", DateTime.Now.ToString()); Console.ForegroundColor = ConsoleColor.Red; Console.Write("Tid {0}", Target_tid.ToString()); Console.ForegroundColor = ConsoleColor.DarkGreen; Console.Write(" injected to Process "); Console.ForegroundColor = ConsoleColor.Green; Console.Write("\"{0}:{1}\"", TargetProcessName, Target_pid.ToString()); Console.ForegroundColor = ConsoleColor.DarkGreen; Console.Write(" by this Process "); Console.ForegroundColor = ConsoleColor.Green; Console.WriteLine("\"{0}:{1}\" ", ProcessName, Injector_Pid.ToString()); Console.ForegroundColor = ConsoleColor.Gray; if (Convert.ToInt32(Target_pid) != 4 && Convert.ToInt32(Target_pid) != 0 && Is_DebugMode) { DebugMode_ThreadsDetailShow(Convert.ToInt32(Target_pid), Convert.ToInt32(Target_tid)); } if (IPS_IDS) { if (Injected_Processes_IDsList.Count > 2) { try { if (!Process.GetProcessById(Convert.ToInt32(Injected_Processes_IDsList[Injected_Processes_IDsList.Count - 1].Split(':')[0])).HasExited) { DoSomething(Convert.ToInt32(Injected_Processes_IDsList[Injected_Processes_IDsList.Count - 1].Split(':')[0]), Convert.ToInt32(Injected_Processes_IDsList[Injected_Processes_IDsList.Count - 1].Split(':')[1])); //Console.ForegroundColor = ConsoleColor.Cyan; //Console.WriteLine = ("[{0}] Process:Thread {1} Scanned", DateTime.Now.ToString(), Injected_Processes_IDsList[Injected_Processes_IDsList.Count - 1]); Console.Title = "[ " + DateTime.Now.ToString() + " ] Process:Thread " + Injected_Processes_IDsList[Injected_Processes_IDsList.Count - 1].Split(':')[0] + ":" + Injected_Processes_IDsList[Injected_Processes_IDsList.Count - 1].Split(':')[1] + " Scanned"; } else if (!Process.GetProcessById(Convert.ToInt32(Injected_Processes_IDsList[Injected_Processes_IDsList.Count - 2].Split(':')[0])).HasExited) { DoSomething(Convert.ToInt32(Injected_Processes_IDsList[Injected_Processes_IDsList.Count - 2].Split(':')[0]), Convert.ToInt32(Injected_Processes_IDsList[Injected_Processes_IDsList.Count - 2].Split(':')[1])); //Console.ForegroundColor = ConsoleColor.Cyan; //Console.WriteLine = ("[{0}] Process:Thread {1} Scanned", DateTime.Now.ToString(), Injected_Processes_IDsList[Injected_Processes_IDsList.Count - 2]); Console.Title = "[ " + DateTime.Now.ToString() + " ] Process:Thread " + Injected_Processes_IDsList[Injected_Processes_IDsList.Count - 2].Split(':')[0] + ":" + Injected_Processes_IDsList[Injected_Processes_IDsList.Count - 2].Split(':')[1] + " Scanned"; } Console.ForegroundColor = ConsoleColor.Gray; } catch (Exception) { } } } } else { try { if (IsShowAllRecrds) { Console.ForegroundColor = ConsoleColor.DarkGreen; Console.Write("[{0}] ", DateTime.Now.ToString()); Console.ForegroundColor = ConsoleColor.Green; Console.Write("Tid {0}", Target_tid.ToString()); Console.ForegroundColor = ConsoleColor.DarkGreen; Console.Write(" Created in Process "); Console.ForegroundColor = ConsoleColor.Green; Console.Write("\"{0}:{1}\"", TargetProcessName, Target_pid.ToString()); Console.ForegroundColor = ConsoleColor.DarkGreen; Console.Write(" by this Process "); Console.ForegroundColor = ConsoleColor.Green; Console.WriteLine("\"{0}:{1}\" ", ProcessName, Injector_Pid.ToString()); Console.ForegroundColor = ConsoleColor.Gray; if (Convert.ToInt32(Target_pid) != 4 && Convert.ToInt32(Target_pid) != 0 && Is_DebugMode) { DebugMode_ThreadsDetailShow(Convert.ToInt32(Target_pid), Convert.ToInt32(Target_tid)); } } } catch (Exception) { } } }
internal void DefaultEventRecordHandler(IEventRecord record) { var obj = _propertyExtractor.Extract(record); _callback.Invoke(obj.ToPSObject()); }
private static BrokeredMessage BuildMessage(IEventRecord record) { string version = record.RowKey.Substring(RowKeyPrefixIndex); return new BrokeredMessage(new MemoryStream(Encoding.UTF8.GetBytes(record.Payload)), true) { MessageId = record.PartitionKey + "_" + version, SessionId = record.SourceId, Properties = { { "Version", version }, { StandardMetadata.SourceType, record.SourceType }, { StandardMetadata.Kind, StandardMetadata.EventKind }, { StandardMetadata.AssemblyName, record.AssemblyName }, { StandardMetadata.FullName, record.FullName }, { StandardMetadata.Namespace, record.Namespace }, { StandardMetadata.SourceId, record.SourceId }, { StandardMetadata.TypeName, record.TypeName }, } }; }
public IEnumerable <KeyValuePair <string, object> > ParseProperty(string propertyName, IEventRecord record) { switch (propertyName) { case nameof(PropertyNames.ContextInfo): return(ParseContextInfo(record)); default: return(Enumerable.Empty <KeyValuePair <string, object> >()); } }
private object ParseBasicProperty(Property prop, IEventRecord record) { object propertyValue = null; switch (prop.Type) { case (int)TDH_IN_TYPE.TDH_INTYPE_ANSISTRING: propertyValue = record.GetAnsiString(prop.Name); break; case (int)TDH_IN_TYPE.TDH_INTYPE_BINARY: propertyValue = record.GetBinary(prop.Name); break; case (int)TDH_IN_TYPE.TDH_INTYPE_COUNTEDSTRING: propertyValue = record.GetCountedString(prop.Name); break; case (int)TDH_IN_TYPE.TDH_INTYPE_INT8: propertyValue = record.GetInt8(prop.Name); break; case (int)TDH_IN_TYPE.TDH_INTYPE_INT16: propertyValue = record.GetInt16(prop.Name); break; case (int)TDH_IN_TYPE.TDH_INTYPE_INT32: propertyValue = record.GetInt32(prop.Name); break; case (int)TDH_IN_TYPE.TDH_INTYPE_INT64: propertyValue = record.GetInt64(prop.Name); break; case (int)TDH_IN_TYPE.TDH_INTYPE_UINT8: propertyValue = record.GetUInt8(prop.Name); break; case (int)TDH_IN_TYPE.TDH_INTYPE_UINT16: propertyValue = record.GetUInt16(prop.Name); break; case (int)TDH_IN_TYPE.TDH_INTYPE_UINT32: propertyValue = record.GetUInt32(prop.Name); break; case (int)TDH_IN_TYPE.TDH_INTYPE_UINT64: propertyValue = record.GetUInt64(prop.Name); break; case (int)TDH_IN_TYPE.TDH_INTYPE_UNICODESTRING: propertyValue = record.GetUnicodeString(prop.Name); break; case (int)TDH_IN_TYPE.TDH_INTYPE_FILETIME: propertyValue = record.GetDateTime(prop.Name); break; case (int)TDH_IN_TYPE.TDH_INTYPE_POINTER: propertyValue = record.GetUInt64(prop.Name); break; default: propertyValue = "<Unknown type>"; break; } return(propertyValue); }
/// <summary> /// Parse an event log base on tracelogging /// </summary> /// <param name="record">ETW event record</param> /// <param name="eventData">dict will be filled with event data</param> public void Parse(IEventRecord record, Dictionary <String, dynamic> eventData) { foreach (var property in record.Properties) { try { switch (property.Type) { case 1: eventData[property.Name] = record.GetUnicodeString(property.Name); break; case 2: eventData[property.Name] = record.GetAnsiString(property.Name); break; case 3: eventData[property.Name] = record.GetInt8(property.Name); break; case 4: eventData[property.Name] = record.GetUInt8(property.Name); break; case 5: eventData[property.Name] = record.GetInt16(property.Name); break; case 6: eventData[property.Name] = record.GetUInt16(property.Name); break; case 7: eventData[property.Name] = record.GetInt32(property.Name); break; case 8: eventData[property.Name] = record.GetUInt32(property.Name); break; case 9: eventData[property.Name] = record.GetInt64(property.Name); break; case 10: eventData[property.Name] = record.GetUInt64(property.Name); break; case 13: eventData[property.Name] = record.GetUInt32(property.Name); break; case 14: eventData[property.Name] = record.GetBinary(property.Name); break; case 15: eventData[property.Name] = record.GetBinary(property.Name); break; case 20: eventData[property.Name] = record.GetUInt32(property.Name); break; case 21: eventData[property.Name] = record.GetUInt64(property.Name); break; } } catch (Exception) { eventData[property.Name] = ERROR_PARSING_FIELD; } } }
public static Dictionary <String, dynamic> ProcessEventRecord(EtwTrace etwtrace, IEventRecord r) { Dictionary <String, dynamic> rawEvent = new Dictionary <String, dynamic>(); foreach (EtwEvent etwevent in etwtrace.Events) { dynamic value; if (etwevent.Id == r.Id) { Boolean skip = false; foreach (EtwField etwfield in etwevent.Fields) { // Order of processing // Timestamps and literals // Property value extraction // Filtering // Enumerations // Transformations // Translations // Output // Check for timestamp and literal fields in the config if (etwfield.IsTimestamp) { value = DateTime.UtcNow.ToString("o"); } else if (etwfield.IsLiteral) { value = etwfield.LiteralValue; } // Check if the config field is not a field of the ETW event and instead is a property of it // This is useful for getting the Event's Id else if (!etwfield.IsField) { value = r.GetType().GetProperty(etwfield.Name).GetValue(r, null); value = Convert.ToString(value); } else { switch (etwfield.ExtractionMethod) { // Take the extraction method provided in the config and try to use it case FieldExtractionMethod.GetBinary: // I haven't actually had a reason to use GetBinary myself. // This should return a string of hexadecimal values // For example if binaryretvalue = byte[] { 0x00, 0x01, 0x02, 0x03, 0xaa, 0xab } // valuestr will be: 00 01 02 03 AA AB if (r.TryGetBinary(etwfield.Name, out byte[] binaryretvalue))