/// <summary>
/// Creates a uniquely named ETW user-mode trace session and enables the process,
/// PowerShell, network, DNS, WMI-activity, registry and file providers on it.
/// The session is returned un-started; the caller is responsible for
/// <c>Start</c>/<c>Stop</c>.
/// </summary>
/// <returns>The configured <see cref="PSEtwUserTrace"/> session.</returns>
private PSEtwUserTrace SetupEtwTrace()
{
    // ETW session names are machine-wide; the GUID suffix keeps concurrent
    // invocations of this cmdlet from colliding on the same session name.
    // The second constructor argument is the same slot that elsewhere receives
    // IncludeVerboseProperties, so verbose properties are presumably off here — confirm.
    var session = new PSEtwUserTrace($"Trace-ProcessWithEtw-{Guid.NewGuid()}", false);

    // Enable each provider directly on the session, in the same order as before.
    session.EnableProvider(CreateProcessProvider());
    session.EnableProvider(CreatePowerShellProvider());
    session.EnableProvider(CreateNetworkProvider());
    session.EnableProvider(CreateDnsProvider());
    session.EnableProvider(CreateWmiActivityProvider());
    session.EnableProvider(CreateRegistryProvider());
    session.EnableProvider(CreateFileProvider());

    return session;
}
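/// <summary>
/// Launches the target process suspended, starts an ETW trace session, resumes the
/// process, and then periodically drains <c>_records</c> to the pipeline until the
/// cmdlet is stopped or <c>_cts</c> is cancelled.
/// </summary>
/// <remarks>
/// Any exception is surfaced via <c>WriteError</c> instead of propagating, and the
/// trace session (when one was created) is stopped in <c>finally</c>.
/// </remarks>
protected override void BeginProcessing()
{
    PSEtwUserTrace trace = null;
    try
    {
        _processHandle = ProcessHelper.LaunchProcessSuspended(ProcessName, ProcessArguments, out _processId, out _fullProcessPath);
        WriteVerbose($"{ProcessName} started suspended with PID {_processId}...");
        WriteProgress(new ProgressRecord(0, "Trace-EtwProcess", "Step 1 (launch process suspended)") { PercentComplete = 25 });

        WriteVerbose("Setting up trace...");
        trace = SetupEtwTrace();

        // BUGBUG: At times, it seemed this was necessary to deal with PSReadline messing with stuff?
        //while (Host.UI.RawUI.KeyAvailable) Host.UI.RawUI.ReadKey();

        // The callback only counts events; _records is populated elsewhere
        // (presumably by the provider handlers, not visible here — confirm).
        // NOTE(review): if SetupEtwTrace or Start throws after the launch above, the
        // suspended child is neither resumed nor terminated here, and ProcessHelper
        // exposes no visible teardown call — confirm how it should be cleaned up.
        trace.Start((obj) => { Interlocked.Increment(ref _eventCounts); });
        WriteVerbose($"ETW trace setup, resuming {ProcessName} (PID {_processId})...");
        WriteProgress(new ProgressRecord(0, "Trace-EtwProcess", "Step 2 (trace setup)") { PercentComplete = 50 });

        ProcessHelper.ResumeProcess(_processHandle);
        WriteProgress(new ProgressRecord(0, "Trace-EtwProcess", "Step 3 (resume process)") { PercentComplete = 75 });

        // Block until the session delivers its first event (or the user stops the cmdlet).
        while (_eventCounts == 0 && !Stopping)
        {
            WriteVerbose("Waiting for trace to start...");
            Thread.Sleep(TimeSpan.FromSeconds(1));
        }

        var sleepTimeSpan = TimeSpan.FromSeconds(2);
        while (!Stopping && !_cts.IsCancellationRequested)
        {
            // Exchange resets the counter so each report covers only the last interval.
            WriteVerbose($"Processed {Interlocked.Exchange(ref _eventCounts, 0)} events in last {sleepTimeSpan.Seconds} seconds...");

            // Snapshot and clear under the lock; emit outside it so WriteObject
            // never runs while the trace thread is blocked on _lock.
            object[] records;
            lock (_lock)
            {
                records = _records.ToArray();
                _records.Clear();
            }

            foreach (var record in records)
            {
                WriteObject(record);
            }

            Thread.Sleep(sleepTimeSpan);
        }
    }
    catch (Exception ex)
    {
        var error = new ErrorRecord(ex, ex.GetType().ToString(), ErrorCategory.InvalidOperation, null);
        WriteError(error);
    }
    finally
    {
        WriteVerbose($"{ProcessName} exited. Stopping trace.");

        // trace is still null when LaunchProcessSuspended or SetupEtwTrace threw;
        // guard so this block does not replace the reported error with a
        // NullReferenceException.
        if (trace != null && trace.IsRunning)
        {
            trace.Stop();
        }

        WriteProgress(new ProgressRecord(0, "Trace-EtwProcess", "Step 4 (stop trace)") { PercentComplete = 100 });
    }
}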
/// <summary>
/// Constructs a <see cref="PSEtwUserTrace"/> from the <c>Name</c> and
/// <c>IncludeVerboseProperties</c> parameters and emits it to the pipeline.
/// The session is not started here.
/// </summary>
protected override void BeginProcessing()
    => WriteObject(new PSEtwUserTrace(Name, IncludeVerboseProperties));