public static void Start()
{
var trace = new KernelTrace("KernelTrace002");
// Some kernel providers can't be enabled via EnableFlags and you need to call
// TraceSetInformation with an extended PERFINFO_GROUPMASK instead.
// e.g. https://docs.microsoft.com/en-us/windows/win32/etw/obtrace
// Lobster has convenience providers for some of these, but otherwise the same
// thing could be done with:
// var provider = new KernelProvider(SOME_GUID, SOME_MASK_VALUE);
var objectManagerProvider = new Kernel.ObjectManagerProvider();
objectManagerProvider.OnEvent += (record) =>
{
if (record.Opcode == 33)
{
var name = record.GetUnicodeString("ObjectName", string.Empty);
if (name.EndsWith(".dll"))
{
Console.WriteLine($"Handle closed for object with name {name}");
}
}
};
trace.Enable(objectManagerProvider);
// You can also set a default callback to handle any events that don't
// have a corresponding provider registered.
// This is helpful if you're not yet sure which provider GUID is required for a
// given EnableFlags or PERFINFO_GROUPMASK. In particualar, the PERFINFO_GROUPMASKs
// aren't documented by Microsoft so it's useful to have a way to receive those events.
// So we enable them with any placeholder guid for now. For example -
uint PERF_REG_HIVE = 0x41000000; // from perfinfo_groupmask.hpp
var hiveProvider = new KernelProvider(Guid.Empty, PERF_REG_HIVE);
// In this case, the correct provider GUID (unsurprisingly) turns out to be krabs::guids::registry :-)
// Though the HiveInit/HiveLink/HiveDirty/Counters events enabled aren't documented.
//
// You'll also likely receive the EventTrace_Header and any HWConfig events here.
// * https://docs.microsoft.com/en-us/windows/win32/etw/eventtrace-header
// * https://docs.microsoft.com/en-us/windows/win32/etw/hwconfig
trace.SetDefaultEventCallback((record) =>
{
Console.WriteLine($"{record.ProviderId} provider={record.ProviderName} task_name={record.TaskName} opcode={record.Opcode} opcode_name={record.OpcodeName}");
});
trace.Enable(hiveProvider);
trace.Start();
}
public void it_should_raise_OnEvent_for_kernel_trace()
{
var called = false;
var trace = new KernelTrace();
var proxy = new Proxy(trace);
var provider = new ImageLoadProvider();
provider.OnEvent += e => { called = true; };
trace.Enable(provider);
proxy.PushEvent(ImageLoadEvent.CreateRecord(123, "file.exe"));
Assert.IsTrue(called, "proxy call raised on event");
}
public MainViewModel(IUIServices ui)
{
UI = ui;
_trace = new KernelTrace("DebugPrintTrace");
var provider = new DebugPrintProvider();
provider.OnEvent += OnEvent;
_trace.Enable(provider);
_bufferReadyEvent = new EventWaitHandle(false, EventResetMode.AutoReset, "DBWIN_BUFFER_READY");
_dataReadyEvent = new EventWaitHandle(false, EventResetMode.AutoReset, "DBWIN_DATA_READY");
_stopEvent = new AutoResetEvent(false);
_mmf = MemoryMappedFile.CreateOrOpen("DBWIN_BUFFER", _bufferSize);
_stm = _mmf.CreateViewStream();
}
public void it_should_parse_unicode_strings()
{
var data = "file.exe";
var prop = ImageLoadEvent.FileName;
var provider = new ImageLoadProvider();
provider.OnEvent += e =>
{
Assert.AreEqual(data, e.GetUnicodeString(prop));
Assert.AreEqual(data, e.GetUnicodeString(prop, String.Empty));
string result;
Assert.IsTrue(e.TryGetUnicodeString(prop, out result));
Assert.AreEqual(data, result);
};
trace.Enable(provider);
proxy.PushEvent(PowerShellEvent.CreateRecord(
data, String.Empty, String.Empty));
}
public static void Start()
{
// Kernel traces use the KernelTrace class, which looks and acts
// a lot like the UserTrace class. A strange quirk about kernel
// ETW traces is that prior to Win8, the trace was required to
// have a specific name. On machines where this is the case, this
// name we provide is ignored and the required one is used.
var trace = new KernelTrace("My trace name");
// Lobster provides a bunch of convenience providers for kernel
// traces. The set of providers that are allowed by kernel traces
// is hardcoded by Windows, and Lobster provides simple objects to
// represent these. If other providers were enabled without an
// update to Lobster, the same thing could be achieved with:
// var provider = new KernelProvider(SOME_BITMASK_VALUE, SOME_GUID);
var processProvider = new Kernel.ProcessProvider();
// Kernel providers accept callbacks and event filters, as user
// providers do.
processProvider.OnEvent += (record) =>
{
// We consult against the opcode for kernel providers.
// The opcodes are documented here:
// https://msdn.microsoft.com/en-us/library/windows/desktop/aa364083(v=vs.85).aspx
if (record.Opcode == 0x01)
{
var image = record.GetAnsiString("ImageFileName", "Unknown");
var pid = record.GetUInt32("ProcessId", 0);
Console.WriteLine($"{image} started with PID {pid}");
}
};
// From here, a KernelTrace is indistinguishable from a UserTrace
// in how it's used.
trace.Enable(processProvider);
// Another quirk here is that kernel traces can only be done by
// administrators. :( :( :(
trace.Start();
}
static void Main(string[] args)
{
// Kernel traces use the KernelTrace class, which looks and acts
// a lot like the UserTrace class. A strange quirk about kernel
// ETW traces is that prior to Win8, the trace was required to
// have a specific name. On machines where this is the case, this
// name we provide is ignored and the required one is used.
var trace = new KernelTrace("My trace name");
// Lobster provides a bunch of convenience providers for kernel
// traces. The set of providers that are allowed by kernel traces
// is hardcoded by Windows, and Lobster provides simple objects to
// represent these. If other providers were enabled without an
// update to Lobster, the same thing could be achieved with:
// var provider = new KernelProvider(SOME_BITMASK_VALUE, SOME_GUID);
var imageProvider = new Kernel.ImageLoadProvider();
// Kernel providers accept callbacks and event filters, as user
// providers do.
imageProvider.OnEvent += (EventRecord record) =>
{
var schema = new Schema(record);
if (schema.Name == "Load")
{
var parser = new Parser(schema);
Console.WriteLine(parser.ParseWStringWithDefault("FileName", "Unknown"));
}
};
// From here, a KernelTrace is indistinguishable from a UserTrace
// in how it's used.
trace.Enable(imageProvider);
// Another quirk here is that kernel traces can only be done by
// administrators. :( :( :(
trace.Start();
}
public static void Start()
{
// Kernel traces use the KernelTrace class, which looks and acts
// a lot like the UserTrace class. A strange quirk about kernel
// ETW traces is that prior to Win8, the trace was required to
// have a specific name. On machines where this is the case, this
// name we provide is ignored and the required one is used.
var trace = new KernelTrace("My trace name");
// Lobster provides a bunch of convenience providers for kernel
// traces. The set of providers that are allowed by kernel traces
// is hardcoded by Windows, and Lobster provides simple objects to
// represent these. If other providers were enabled without an
// update to Lobster, the same thing could be achieved with:
// var provider = new KernelProvider(SOME_FLAGS_VALUE, SOME_GUID);
var processProvider = new Kernel.ProcessProvider();
// Kernel providers accept callbacks and event filters, as user
// providers do.
processProvider.OnEvent += (record) =>
{
// We consult against the opcode for kernel providers.
// The opcodes are documented here:
// https://msdn.microsoft.com/en-us/library/windows/desktop/aa364083(v=vs.85).aspx
if (record.Opcode == 0x01)
{
var image = record.GetAnsiString("ImageFileName", "Unknown");
var pid = record.GetUInt32("ProcessId", 0);
Console.WriteLine($"{image} started with PID {pid}");
}
};
// Some kernel providers can't be enabled via EnableFlags and you need to call
// TraceSetInformation with an extended PERFINFO_GROUPMASK instead.
// e.g. https://docs.microsoft.com/en-us/windows/win32/etw/obtrace
// Lobster has convenience providers for some of these, but otherwise the same
// thing could be done with:
// var provider = new KernelProvider(SOME_GUID, SOME_MASK_VALUE);
var objectManagerProvider = new Kernel.ObjectManagerProvider();
objectManagerProvider.OnEvent += (record) =>
{
if (record.Opcode == 33)
{
var name = record.GetUnicodeString("ObjectName", string.Empty);
if (!string.IsNullOrEmpty(name))
{
Console.WriteLine($"Handle closed for object with name {name}");
}
}
};
// From here, a KernelTrace is indistinguishable from a UserTrace
// in how it's used.
trace.Enable(processProvider);
trace.Enable(objectManagerProvider);
// Another quirk here is that kernel traces can only be done by
// administrators. :( :( :(
trace.Start();
}