public when_calling_publish()
{
this.partitionKey = Guid.NewGuid().ToString();
this.version = "0001";
string rowKey = "Unpublished_" + version;
this.testEvent = Mock.Of<IEventRecord>(x =>
x.PartitionKey == partitionKey
&& x.RowKey == rowKey
&& x.TypeName == "TestEventType"
&& x.SourceId == "TestId"
&& x.SourceType == "TestSourceType"
&& x.Payload == "serialized event"
&& x.CorrelationId == "correlation"
&& x.AssemblyName == "Assembly"
&& x.Namespace == "Namespace"
&& x.FullName == "Namespace.TestEventType");
this.queue = new Mock<IPendingEventsQueue>();
queue.Setup(x => x.GetPendingAsync(partitionKey, It.IsAny<Action<IEnumerable<IEventRecord>, bool>>(), It.IsAny<Action<Exception>>()))
.Callback<string, Action<IEnumerable<IEventRecord>, bool>, Action<Exception>>((key, success, error) => success(new[] { testEvent }, false));
this.sender = new MessageSenderMock();
var sut = new EventStoreBusPublisher(sender, queue.Object, new MockEventStoreBusPublisherInstrumentation());
var cancellationTokenSource = new CancellationTokenSource();
sut.Start(cancellationTokenSource.Token);
sut.SendAsync(partitionKey, 0);
Assert.True(sender.SendSignal.WaitOne(3000));
cancellationTokenSource.Cancel();
}
/// <summary>
/// Core forward function
/// Init eventdata with common data for all record:
/// ProviderName
/// ProviderGuid
/// EventID
///
/// Call the inner parser
/// Then check filter on eventdata
/// If a field match and value does not match event is filtering
/// If field is not present event is NOT filtered
/// </summary>
/// <param name="record">Event Record</param>
/// <param name="writer">Writer destination</param>
/// <returns></returns>
public async Task Forward(IEventRecord record, IETWWriter writer)
{
Dictionary <String, object> eventData = new Dictionary <string, dynamic>();
eventData["ProviderName"] = record.ProviderName;
eventData["ProviderGuid"] = record.ProviderId.ToString();
eventData["EventID"] = record.Id;
eventData["ProcessId"] = record.ProcessId;
eventData["ThreadId"] = record.ThreadId;
eventData["Timestamp"] = record.Timestamp.ToString();
this.Parser.Parse(record, eventData);
foreach (var filter in this.Filters)
{
if (!eventData.ContainsKey(filter.Item1))
{
return;
}
if (eventData[filter.Item1].ToString() != filter.Item2)
{
return;
}
}
await writer.write(eventData);
}
public when_calling_publish()
{
partitionKey = Guid.NewGuid().ToString();
version = "0001";
var rowKey = "Unpublished_" + version;
testEvent = Mock.Of <IEventRecord>(x =>
x.PartitionKey == partitionKey &&
x.RowKey == rowKey &&
x.TypeName == "TestEventType" &&
x.SourceId == "TestId" &&
x.SourceType == "TestSourceType" &&
x.Payload == "serialized event" &&
x.CorrelationId == "correlation" &&
x.AssemblyName == "Assembly" &&
x.Namespace == "Namespace" &&
x.FullName == "Namespace.TestEventType");
queue = new Mock <IPendingEventsQueue>();
queue.Setup(x => x.GetPendingAsync(partitionKey, It.IsAny <Action <IEnumerable <IEventRecord>, bool> >(), It.IsAny <Action <Exception> >()))
.Callback <string, Action <IEnumerable <IEventRecord>, bool>, Action <Exception> >((key, success, error) => success(new[] { testEvent }, false));
sender = new MessageSenderMock();
var sut = new EventStoreBusPublisher(sender, queue.Object, new MockEventStoreBusPublisherInstrumentation());
var cancellationTokenSource = new CancellationTokenSource();
sut.Start(cancellationTokenSource.Token);
sut.SendAsync(partitionKey, 0);
Assert.True(sender.SendSignal.WaitOne(3000));
cancellationTokenSource.Cancel();
}
public void UpdateEvent(IEventRecord eventData)
{
var reventRecord = eventData as Event;
if (reventRecord == null) throw new ArgumentException("Invalid Event Type.");
EventsTable.Update(reventRecord);
}
public when_calling_publish()
{
this.partitionKey = Guid.NewGuid().ToString();
this.version = "0001";
string rowKey = "Unpublished_" + version;
this.testEvent = Mock.Of<IEventRecord>(x =>
x.PartitionKey == partitionKey
&& x.RowKey == rowKey
&& x.TypeName == "TestEventType"
&& x.SourceId == "TestId"
&& x.SourceType == "TestSourceType"
&& x.Payload == "serialized event"
&& x.AssemblyName == "Assembly"
&& x.Namespace == "Namespace"
&& x.FullName == "Namespace.TestEventType");
this.queue = new Mock<IPendingEventsQueue>();
queue.Setup(x => x.GetPending(partitionKey)).Returns(new[] { testEvent });
this.sender = new MessageSenderMock();
var sut = new EventStoreBusPublisher(sender, queue.Object);
var cancellationTokenSource = new CancellationTokenSource();
sut.Start(cancellationTokenSource.Token);
sut.SendAsync(partitionKey);
Assert.True(sender.ResetEvent.WaitOne(3000));
cancellationTokenSource.Cancel();
}
public void PublishEventRecord(IEventRecord eventRecord)
{
_logger.LogDebug("Publishing message to: " + _options.ConnectionString);
_logger.LogDebug("Echange Name: " + _options.Exchange ?? "<null>");
var routingKey = string.Format("{0}.{1}", eventRecord.EventType, eventRecord.ModelId.ToString("N"));
var message = JsonConvert.SerializeObject(eventRecord);
_logger.LogDebug("Message: " + message);
var body = Encoding.UTF8.GetBytes(message);
var factory = new ConnectionFactory()
{
Uri = new Uri(_options.ConnectionString)
};
using (var connection = factory.CreateConnection())
using (var channel = connection.CreateModel())
{
channel.ExchangeDeclare(_options.Exchange, ExchangeType.Topic);
channel.BasicPublish(exchange: _options.Exchange,
routingKey: routingKey,
basicProperties: null,
body: body);
}
_logger.LogDebug(string.Format("{0} on {1} published", eventRecord.EventType, eventRecord.ModelId));
}
private static void ProcessEventHandler(IEventRecord record)
{
var pid = record.GetUInt32("ProcessID");
var imageName = record.GetUnicodeString("ImageName");
Console.WriteLine($"{record.TaskName} pid={pid} ImageName={imageName}");
}
private static BrokeredMessage BuildMessage(IEventRecord record)
{
string version = record.RowKey.Substring(RowKeyPrefixIndex);
var stream = new MemoryStream(Encoding.UTF8.GetBytes(record.Payload));
try
{
return(new BrokeredMessage(stream, true)
{
MessageId = record.PartitionKey + "_" + version,
SessionId = record.SourceId,
CorrelationId = record.CorrelationId,
Properties =
{
{ "Version", version },
{ StandardMetadata.SourceType, record.SourceType },
{ StandardMetadata.Kind, StandardMetadata.EventKind },
{ StandardMetadata.AssemblyName, record.AssemblyName },
{ StandardMetadata.FullName, record.FullName },
{ StandardMetadata.Namespace, record.Namespace },
{ StandardMetadata.SourceId, record.SourceId },
{ StandardMetadata.TypeName, record.TypeName },
}
});
}
catch
{
stream.Dispose();
throw;
}
}
private static Message BuildMessage(IEventRecord record)
{
string version = record.RowKey.Substring(RowKeyPrefixIndex);
var bytes = Encoding.UTF8.GetBytes(record.Payload);
try
{
return(new Message(bytes)
{
MessageId = record.PartitionKey + "_" + version,
SessionId = record.SourceId,
CorrelationId = record.CorrelationId,
UserProperties =
{
{ "Version", version },
{ StandardMetadata.SourceType, record.SourceType },
{ StandardMetadata.Kind, StandardMetadata.EventKind },
{ StandardMetadata.AssemblyName, record.AssemblyName },
{ StandardMetadata.FullName, record.FullName },
{ StandardMetadata.Namespace, record.Namespace },
{ StandardMetadata.SourceId, record.SourceId },
{ StandardMetadata.TypeName, record.TypeName },
}
});
}
catch
{
throw;
}
}
internal void HandleRecord(IEventRecord record)
{
if (record.Id == 3018 || record.Id == 3020)
{
if (!record.TryGetUnicodeString("QueryName", out string domainName))
{
return;
}
if (!record.TryGetUnicodeString("QueryResults", out string queryResult))
{
return;
}
if (string.IsNullOrWhiteSpace(queryResult))
{
return;
}
var tokens = queryResult.Trim().Split(';');
var parsed = tokens
.Where(s => !string.IsNullOrEmpty(s))
.Select(s => s.Trim())
.Distinct()
.Select(ParsedDnsRecord.Parse)
.Where(r => r != null);
var dnsRecords = parsed.ToArray();
foreach (var dnsRecord in dnsRecords)
{
ReverseDnsCache.AddOrUpdate(dnsRecord.Address, domainName);
}
}
}
public string CreateEvent(IEventRecord eventData)
{
var reventRecord = eventData as Event;
if (reventRecord == null) throw new ArgumentException("Invalid Event Type.");
reventRecord.Id = Guid.NewGuid().ToString();
EventsTable.Insert(reventRecord);
return reventRecord.Id;
}
void DefaultEventHandler(IEventRecord r)
{
try
{
var obj = _propertyExtractor.Extract(r);
lock (_lock) { _records.Add(obj.ToPSObject()); }
}
catch
{
// TODO: log bad record parse
}
}
private void OnEvent(IEventRecord record)
{
var item = new DebugItem {
Time = record.Timestamp,
ProcessId = (int)record.ProcessId,
ProcessName = TryGetProcessName(record.ProcessId),
ThreadId = (int)record.ThreadId,
Text = record.GetAnsiString("Message").TrimEnd('\n', '\r'),
Component = record.GetUInt32("Component", 0),
IsKernel = true
};
AddDebugItem(item);
}
internal IDictionary <string, object> Extract(IEventRecord record)
{
var dict = new Dictionary <string, object>();
dict.Add("EtwEventId", record.Id);
dict.Add("Etw" + nameof(record.Timestamp), record.Timestamp);
dict.Add("Etw" + nameof(record.ProcessId), record.ProcessId);
dict.Add("Etw" + nameof(record.ThreadId), record.ThreadId);
dict.Add("Etw" + nameof(record.ProviderName), record.ProviderName);
if (_includeVerboseProperties)
{
dict.Add("EtwEventName", record.Name);
dict.Add("Etw" + nameof(record.ProviderId), record.ProviderId);
dict.Add("Etw" + nameof(record.Version), record.Version);
dict.Add("Etw" + nameof(record.Level), record.Level);
}
IPropertyParser parser = null;
if (providerDictionary.Contains(record.ProviderId))
{
parser = providerDictionary.GetByProviderGuid(record.ProviderId);
}
foreach (var p in record.Properties)
{
var parsed = parser?.ParseProperty(p.Name, record);
if (parsed != null && parsed.Any())
{
foreach (var parsedProp in parsed)
{
dict.Add(parsedProp.Key, parsedProp.Value);
}
}
else
{
dict.Add(p.Name, ParseBasicProperty(p, record));
}
}
return(dict);
}
private IEnumerable <KeyValuePair <string, object> > ParseContextInfo(IEventRecord record)
{
const string HostAppKey = "Host Application = ";
const string CmdNameKey = "Command Name = ";
const string CmdTypeKey = "Command Type = ";
const string UsrNameKey = "User = "******"HostProcess", host));
index = data.IndexOf(CmdNameKey, startIndex);
var name = index != -1
? data.ReadToNewline(index + CmdNameKey.Length, out startIndex)
: string.Empty;
ret.Add(new KeyValuePair <string, object>("CommandName", name));
index = data.IndexOf(CmdTypeKey, startIndex);
var type = index != -1
? data.ReadToNewline(index + CmdTypeKey.Length, out startIndex)
: string.Empty;
ret.Add(new KeyValuePair <string, object>("CommandType", type));
index = data.IndexOf(UsrNameKey, startIndex);
var user = index != -1
? data.ReadToNewline(index + UsrNameKey.Length, out startIndex)
: string.Empty;
ret.Add(new KeyValuePair <string, object>("UserName", user));
return(ret);
}
return(Enumerable.Empty <KeyValuePair <string, object> >());
}
/// <summary>
/// Event 7937's payload is basically a big well-formatted string.
/// We have to parse it by hand, breaking out the interesting bits.
/// Fortunately, interesting bits are separated by \n\r so we can break
/// up the parsing by line.
/// </summary>
/// <param name="record"></param>
static void OnEvent(IEventRecord record)
{
string data = string.Empty;
if (!record.TryGetUnicodeString("ContextInfo", out data))
{
Console.WriteLine("Could not parse 'ContextInfo' from PowerShell event");
return;
}
var startIndex = 0;
// The order these keys are parsed in is static. There is no
// guarantee, however, that future Windows versions won't change
// the order. This is confirmed to work in:
// - Windows 10
// - Windows Server 2016
// - Windows 8.1
// - Windows Server 2012 R2
var index = data.IndexOf(HostAppKey, startIndex);
var host = index != -1
? ReadToNewline(data, index + HostAppKey.Length, out startIndex)
: string.Empty;
index = data.IndexOf(CmdNameKey, startIndex);
var name = index != -1
? ReadToNewline(data, index + CmdNameKey.Length, out startIndex)
: string.Empty;
index = data.IndexOf(CmdTypeKey, startIndex);
var type = index != -1
? ReadToNewline(data, index + CmdTypeKey.Length, out startIndex)
: string.Empty;
index = data.IndexOf(UserNameKey, startIndex);
var user = index != -1
? ReadToNewline(data, index + UserNameKey.Length, out startIndex)
: string.Empty;
Console.WriteLine($"user: {user} - {host} invoked PowerShell method '{name}' (type: {type})");
}
public void Parse(IEventRecord record, Dictionary <String, dynamic> eventData)
{
// This function do nothing actually
}
public List <IEventRecord> GetByTimeFilter(DateTime fromTime, DateTime toTime, int maxRows, int timeOutSec)
{
var eventRecordList = new List <IEventRecord>();
ManagementObject vmi = null;
// ManagementObject vmi = A.Fake<ManagementObject>();
var er1 = new EventRecord(vmi)
{
Category = "0",
ComputerName = "Herkules",
EventCode = "2264",
EventType = "2",
InsertionStrings =
@"C:\Users\Patrik\AppData\Local\Temp\iisexpress\IIS Temporary Compressed Files\Clr4IntegratedAppPoo",
Logfile = "Application",
Message =
@"The directory jabberjowitch specified for caching compressed content C:\Users\Patrik\AppData\Local\Temp\iisexpress\IIS Temporary Compressed Files\Clr4IntegratedAppPool is invalid. Static compression is being disabled.",
RecordNumber = "460172",
SourceName = "IIS Express",
TimeGenerated = DateTime.Now, //"20130619182551.000000-000",
// TimeWritten = "20130619182551.000000-000",
Type = "Varning"
};
eventRecordList.Add(er1);
ManagementObject vmi2 = null;
var er2 = new EventRecord(vmi2)
{
Category = "0",
ComputerName = "Herkules",
EventCode = "0",
EventType = "3",
InsertionStrings = @"The EventTestWriter was initilized. Go DTD. Do not fail me. jabberjowitch",
Logfile = "Application",
Message = String.Empty,
RecordNumber = "460171",
SourceName = "application",
TimeGenerated = DateTime.Now, //"20130619182521.000000-000",
// TimeWritten = "20130619182521.000000-000",
Type = "Information"
};
eventRecordList.Add(er2);
// https://github.com/FakeItEasy/FakeItEasy
ManagementObject vmi3 = null;
// var er3 = A.Fake<EventRecord>(() => new EventRecord(vmi3));
// var foo = A.Fake<Foo>(() => new Foo("string passed to constructor"));
IEventRecord er3 = A.Fake <IEventRecord>();
// A.CallTo(er3).WithReturnType<string>().Returns("hello world");
eventRecordList.Add(er3);
Random rnd = new Random();
for (int i = 4; i <= 20; i++)
{
var erN = A.Fake <IEventRecord>();
A.CallTo(erN).WithReturnType <string>().Returns("Default Mockstring: " + i.ToString());
A.CallTo(() => erN.ComputerName).Returns("Herkules");
A.CallTo(() => erN.EventCode).Returns(rnd.Next(0, 2000).ToString());
A.CallTo(() => erN.EventType).Returns(rnd.Next(0, 5).ToString());
A.CallTo(() => erN.RecordNumber).Returns((460175 + rnd.Next(1, 200)).ToString());
A.CallTo(() => erN.SourceName).Returns("application");
A.CallTo(() => erN.Message).Returns("jabberjowitch is not a project");
A.CallTo(() => erN.TimeGenerated).Returns(DateTime.Now);// + rnd.Next(111,999).ToString());
eventRecordList.Add(erN);
}
return(eventRecordList);
}
public void StoreEvent(IEventRecord eventRecord)
{
_eventCollection.InsertOne(eventRecord);
}
private IPAddress ParseSaddr(IEventRecord record) => record.GetIPAddress(nameof(PropertyNames.saddr));
public IEnumerable <KeyValuePair <string, object> > ParseProperty(string propertyName, IEventRecord record)
{
switch (propertyName)
{
case nameof(PropertyNames.daddr):
return(new List <KeyValuePair <string, object> >()
{
new KeyValuePair <string, object>(propertyName, ParseDaddr(record))
});
case nameof(PropertyNames.saddr):
return(new List <KeyValuePair <string, object> >()
{
new KeyValuePair <string, object>(propertyName, ParseSaddr(record))
});
default:
return(Enumerable.Empty <KeyValuePair <string, object> >());
}
}
/// <summary>
/// Try to parse an event record base on the manifest
/// </summary>
/// <param name="record">ETW event record</param>
/// <param name="eventData">eventdata that will be filled by the parser</param>
public void Parse(IEventRecord record, Dictionary <String, dynamic> eventData)
{
foreach (var eventDefinition in this.Scheme.instrumentation.events.provider.events)
{
if (Int16.Parse(eventDefinition.value) != record.Id)
{
continue;
}
var template = this.Scheme.instrumentation.events.provider.templates.Where(x => x.tid == eventDefinition.template).Single();
foreach (var data in template.datas)
{
try
{
switch (data.inType)
{
case Manifest.Data.InType.UnicodeString:
eventData[data.name] = record.GetUnicodeString(data.name);
break;
case Manifest.Data.InType.AnsiString:
eventData[data.name] = record.GetAnsiString(data.name);
break;
case Manifest.Data.InType.GUID:
eventData[data.name] = record.GetBinary(data.name);
break;
case Manifest.Data.InType.UInt32:
eventData[data.name] = record.GetUInt32(data.name);
break;
case Manifest.Data.InType.HexInt32:
eventData[data.name] = record.GetInt32(data.name);
break;
case Manifest.Data.InType.HexInt64:
eventData[data.name] = record.GetInt64(data.name);
break;
case Manifest.Data.InType.Boolean:
eventData[data.name] = record.GetUInt32(data.name);
break;
case Manifest.Data.InType.UInt16:
eventData[data.name] = record.GetUInt16(data.name);
break;
case Manifest.Data.InType.Binary:
eventData[data.name] = record.GetBinary(data.name);
break;
case Manifest.Data.InType.UInt64:
eventData[data.name] = record.GetUInt64(data.name);
break;
case Manifest.Data.InType.Double:
eventData[data.name] = record.GetUInt64(data.name);
break;
case Manifest.Data.InType.UInt8:
eventData[data.name] = record.GetUInt8(data.name);
break;
case Manifest.Data.InType.Int8:
eventData[data.name] = record.GetInt64(data.name);
break;
case Manifest.Data.InType.Int16:
eventData[data.name] = record.GetInt16(data.name);
break;
case Manifest.Data.InType.Int32:
eventData[data.name] = record.GetInt32(data.name);
break;
case Manifest.Data.InType.Int64:
eventData[data.name] = record.GetInt64(data.name);
break;
case Manifest.Data.InType.FILETIME:
eventData[data.name] = record.GetBinary(data.name);
break;
case Manifest.Data.InType.Pointer:
eventData[data.name] = record.GetBinary(data.name);
break;
case Manifest.Data.InType.SYSTEMTIME:
eventData[data.name] = record.GetDateTime(data.name);
break;
case Manifest.Data.InType.SID:
eventData[data.name] = record.GetBinary(data.name);
break;
case Manifest.Data.InType.Float:
eventData[data.name] = record.GetUInt32(data.name);
break;
}
}
catch (Exception)
{
eventData[data.name] = ERROR_PARSING_FIELD;
}
}
break;
}
}
private static BrokeredMessage BuildMessage(IEventRecord record)
{
string version = record.RowKey.Substring(RowKeyPrefixIndex);
// TODO: should add SessionID to guarantee ordering.
// Receiver must be prepared to accept sessions.
return new BrokeredMessage(new MemoryStream(Encoding.UTF8.GetBytes(record.Payload)), true)
{
MessageId = record.PartitionKey + "_" + version,
//SessionId = record.PartitionKey,
Properties =
{
{ "Version", version },
{ "SourceId", record.SourceId },
{ "SourceType", record.SourceType },
{ "EventType", record.EventType }
}
};
}
private static void ETWEventsFilter_OnEvent(IEventRecord ETWRecord)
{
/// Injector_Pid is Injector Process <ETWRecord.ProcessId>
uint Injector_Pid = ETWRecord.ProcessId;
uint Target_pid = ETWRecord.GetUInt32("ProcessID");
uint Target_tid = ETWRecord.GetUInt32("ThreadID");
/// This LastTID injected to LastPID by Injector_Pid
LastTID = Convert.ToInt32(Target_tid);
LastPID = Convert.ToInt32(Target_pid);
ProcessName = "Process Exited";
TargetProcessName = "Process Exited";
try
{
if (!Process.GetProcessById(Convert.ToInt32(Target_pid)).HasExited)
{
TargetProcessName = Process.GetProcessById(Convert.ToInt32(Target_pid)).ProcessName;
}
if (!Process.GetProcessById(Convert.ToInt32(Injector_Pid)).HasExited)
{
ProcessName = Process.GetProcessById(Convert.ToInt32(Injector_Pid)).ProcessName;
}
}
catch (Exception)
{
}
/// Detecting Thread Injection :
/// if this was True then Thread was Injected to New Process (Target_pid)
if (Injector_Pid != Target_pid)
{
try
{
/// adding "PID" and "TID" also "Injector PID" to list
if ((!Process.GetProcessById(Convert.ToInt32(Target_pid)).HasExited))
{
Injected_Processes_IDsList.Add(LastPID.ToString() + ":" + LastTID.ToString() + ":" + Convert.ToInt32(Injector_Pid));
}
}
catch (Exception)
{
}
Console.ForegroundColor = ConsoleColor.DarkGreen;
Console.Write("[{0}] ", DateTime.Now.ToString());
Console.ForegroundColor = ConsoleColor.Red;
Console.Write("Tid {0}", Target_tid.ToString());
Console.ForegroundColor = ConsoleColor.DarkGreen;
Console.Write(" injected to Process ");
Console.ForegroundColor = ConsoleColor.Green;
Console.Write("\"{0}:{1}\"", TargetProcessName, Target_pid.ToString());
Console.ForegroundColor = ConsoleColor.DarkGreen;
Console.Write(" by this Process ");
Console.ForegroundColor = ConsoleColor.Green;
Console.WriteLine("\"{0}:{1}\" ", ProcessName, Injector_Pid.ToString());
Console.ForegroundColor = ConsoleColor.Gray;
if (Convert.ToInt32(Target_pid) != 4 && Convert.ToInt32(Target_pid) != 0 && Is_DebugMode)
{
DebugMode_ThreadsDetailShow(Convert.ToInt32(Target_pid), Convert.ToInt32(Target_tid));
}
if (IPS_IDS)
{
if (Injected_Processes_IDsList.Count > 2)
{
try
{
if (!Process.GetProcessById(Convert.ToInt32(Injected_Processes_IDsList[Injected_Processes_IDsList.Count - 1].Split(':')[0])).HasExited)
{
DoSomething(Convert.ToInt32(Injected_Processes_IDsList[Injected_Processes_IDsList.Count - 1].Split(':')[0]), Convert.ToInt32(Injected_Processes_IDsList[Injected_Processes_IDsList.Count - 1].Split(':')[1]));
//Console.ForegroundColor = ConsoleColor.Cyan;
//Console.WriteLine = ("[{0}] Process:Thread {1} Scanned", DateTime.Now.ToString(), Injected_Processes_IDsList[Injected_Processes_IDsList.Count - 1]);
Console.Title = "[ " + DateTime.Now.ToString() + " ] Process:Thread " + Injected_Processes_IDsList[Injected_Processes_IDsList.Count - 1].Split(':')[0] + ":" + Injected_Processes_IDsList[Injected_Processes_IDsList.Count - 1].Split(':')[1] + " Scanned";
}
else if (!Process.GetProcessById(Convert.ToInt32(Injected_Processes_IDsList[Injected_Processes_IDsList.Count - 2].Split(':')[0])).HasExited)
{
DoSomething(Convert.ToInt32(Injected_Processes_IDsList[Injected_Processes_IDsList.Count - 2].Split(':')[0]), Convert.ToInt32(Injected_Processes_IDsList[Injected_Processes_IDsList.Count - 2].Split(':')[1]));
//Console.ForegroundColor = ConsoleColor.Cyan;
//Console.WriteLine = ("[{0}] Process:Thread {1} Scanned", DateTime.Now.ToString(), Injected_Processes_IDsList[Injected_Processes_IDsList.Count - 2]);
Console.Title = "[ " + DateTime.Now.ToString() + " ] Process:Thread " + Injected_Processes_IDsList[Injected_Processes_IDsList.Count - 2].Split(':')[0] + ":" + Injected_Processes_IDsList[Injected_Processes_IDsList.Count - 2].Split(':')[1] + " Scanned";
}
Console.ForegroundColor = ConsoleColor.Gray;
}
catch (Exception)
{
}
}
}
}
else
{
try
{
if (IsShowAllRecrds)
{
Console.ForegroundColor = ConsoleColor.DarkGreen;
Console.Write("[{0}] ", DateTime.Now.ToString());
Console.ForegroundColor = ConsoleColor.Green;
Console.Write("Tid {0}", Target_tid.ToString());
Console.ForegroundColor = ConsoleColor.DarkGreen;
Console.Write(" Created in Process ");
Console.ForegroundColor = ConsoleColor.Green;
Console.Write("\"{0}:{1}\"", TargetProcessName, Target_pid.ToString());
Console.ForegroundColor = ConsoleColor.DarkGreen;
Console.Write(" by this Process ");
Console.ForegroundColor = ConsoleColor.Green;
Console.WriteLine("\"{0}:{1}\" ", ProcessName, Injector_Pid.ToString());
Console.ForegroundColor = ConsoleColor.Gray;
if (Convert.ToInt32(Target_pid) != 4 && Convert.ToInt32(Target_pid) != 0 && Is_DebugMode)
{
DebugMode_ThreadsDetailShow(Convert.ToInt32(Target_pid), Convert.ToInt32(Target_tid));
}
}
}
catch (Exception)
{
}
}
}
internal void DefaultEventRecordHandler(IEventRecord record)
{
var obj = _propertyExtractor.Extract(record);
_callback.Invoke(obj.ToPSObject());
}
private static BrokeredMessage BuildMessage(IEventRecord record)
{
string version = record.RowKey.Substring(RowKeyPrefixIndex);
return new BrokeredMessage(new MemoryStream(Encoding.UTF8.GetBytes(record.Payload)), true)
{
MessageId = record.PartitionKey + "_" + version,
SessionId = record.SourceId,
Properties =
{
{ "Version", version },
{ StandardMetadata.SourceType, record.SourceType },
{ StandardMetadata.Kind, StandardMetadata.EventKind },
{ StandardMetadata.AssemblyName, record.AssemblyName },
{ StandardMetadata.FullName, record.FullName },
{ StandardMetadata.Namespace, record.Namespace },
{ StandardMetadata.SourceId, record.SourceId },
{ StandardMetadata.TypeName, record.TypeName },
}
};
}
public IEnumerable <KeyValuePair <string, object> > ParseProperty(string propertyName, IEventRecord record)
{
switch (propertyName)
{
case nameof(PropertyNames.ContextInfo):
return(ParseContextInfo(record));
default:
return(Enumerable.Empty <KeyValuePair <string, object> >());
}
}
private object ParseBasicProperty(Property prop, IEventRecord record)
{
object propertyValue = null;
switch (prop.Type)
{
case (int)TDH_IN_TYPE.TDH_INTYPE_ANSISTRING:
propertyValue = record.GetAnsiString(prop.Name);
break;
case (int)TDH_IN_TYPE.TDH_INTYPE_BINARY:
propertyValue = record.GetBinary(prop.Name);
break;
case (int)TDH_IN_TYPE.TDH_INTYPE_COUNTEDSTRING:
propertyValue = record.GetCountedString(prop.Name);
break;
case (int)TDH_IN_TYPE.TDH_INTYPE_INT8:
propertyValue = record.GetInt8(prop.Name);
break;
case (int)TDH_IN_TYPE.TDH_INTYPE_INT16:
propertyValue = record.GetInt16(prop.Name);
break;
case (int)TDH_IN_TYPE.TDH_INTYPE_INT32:
propertyValue = record.GetInt32(prop.Name);
break;
case (int)TDH_IN_TYPE.TDH_INTYPE_INT64:
propertyValue = record.GetInt64(prop.Name);
break;
case (int)TDH_IN_TYPE.TDH_INTYPE_UINT8:
propertyValue = record.GetUInt8(prop.Name);
break;
case (int)TDH_IN_TYPE.TDH_INTYPE_UINT16:
propertyValue = record.GetUInt16(prop.Name);
break;
case (int)TDH_IN_TYPE.TDH_INTYPE_UINT32:
propertyValue = record.GetUInt32(prop.Name);
break;
case (int)TDH_IN_TYPE.TDH_INTYPE_UINT64:
propertyValue = record.GetUInt64(prop.Name);
break;
case (int)TDH_IN_TYPE.TDH_INTYPE_UNICODESTRING:
propertyValue = record.GetUnicodeString(prop.Name);
break;
case (int)TDH_IN_TYPE.TDH_INTYPE_FILETIME:
propertyValue = record.GetDateTime(prop.Name);
break;
case (int)TDH_IN_TYPE.TDH_INTYPE_POINTER:
propertyValue = record.GetUInt64(prop.Name);
break;
default:
propertyValue = "<Unknown type>";
break;
}
return(propertyValue);
}
/// <summary>
/// Parse an event log base on tracelogging
/// </summary>
/// <param name="record">ETW event record</param>
/// <param name="eventData">dict will be filled with event data</param>
public void Parse(IEventRecord record, Dictionary <String, dynamic> eventData)
{
foreach (var property in record.Properties)
{
try
{
switch (property.Type)
{
case 1:
eventData[property.Name] = record.GetUnicodeString(property.Name);
break;
case 2:
eventData[property.Name] = record.GetAnsiString(property.Name);
break;
case 3:
eventData[property.Name] = record.GetInt8(property.Name);
break;
case 4:
eventData[property.Name] = record.GetUInt8(property.Name);
break;
case 5:
eventData[property.Name] = record.GetInt16(property.Name);
break;
case 6:
eventData[property.Name] = record.GetUInt16(property.Name);
break;
case 7:
eventData[property.Name] = record.GetInt32(property.Name);
break;
case 8:
eventData[property.Name] = record.GetUInt32(property.Name);
break;
case 9:
eventData[property.Name] = record.GetInt64(property.Name);
break;
case 10:
eventData[property.Name] = record.GetUInt64(property.Name);
break;
case 13:
eventData[property.Name] = record.GetUInt32(property.Name);
break;
case 14:
eventData[property.Name] = record.GetBinary(property.Name);
break;
case 15:
eventData[property.Name] = record.GetBinary(property.Name);
break;
case 20:
eventData[property.Name] = record.GetUInt32(property.Name);
break;
case 21:
eventData[property.Name] = record.GetUInt64(property.Name);
break;
}
}
catch (Exception)
{
eventData[property.Name] = ERROR_PARSING_FIELD;
}
}
}
public static Dictionary <String, dynamic> ProcessEventRecord(EtwTrace etwtrace, IEventRecord r)
{
Dictionary <String, dynamic> rawEvent = new Dictionary <String, dynamic>();
foreach (EtwEvent etwevent in etwtrace.Events)
{
dynamic value;
if (etwevent.Id == r.Id)
{
Boolean skip = false;
foreach (EtwField etwfield in etwevent.Fields)
{
// Order of processing
// Timestamps and literals
// Property value extraction
// Filtering
// Enumerations
// Transformations
// Translations
// Output
// Check for timestamp and literal fields in the config
if (etwfield.IsTimestamp)
{
value = DateTime.UtcNow.ToString("o");
}
else if (etwfield.IsLiteral)
{
value = etwfield.LiteralValue;
}
// Check if the config field is not a field of the ETW event and instead is a property of it
// This is useful for getting the Event's Id
else if (!etwfield.IsField)
{
value = r.GetType().GetProperty(etwfield.Name).GetValue(r, null);
value = Convert.ToString(value);
}
else
{
switch (etwfield.ExtractionMethod)
{
// Take the extraction method provided in the config and try to use it
case FieldExtractionMethod.GetBinary:
// I haven't actually had a reason to use GetBinary myself.
// This should return a string of hexadecimal values
// For example if binaryretvalue = byte[] { 0x00, 0x01, 0x02, 0x03, 0xaa, 0xab }
// valuestr will be: 00 01 02 03 AA AB
if (r.TryGetBinary(etwfield.Name, out byte[] binaryretvalue))
