        /// <summary>
        /// Builds a user-mode ETW trace session with a unique name and enables the
        /// process, PowerShell, network, DNS, WMI-activity, registry and file providers on it.
        /// </summary>
        /// <returns>The configured, not-yet-started <see cref="PSEtwUserTrace"/>.</returns>
        private PSEtwUserTrace SetupEtwTrace()
        {
            // A GUID suffix keeps concurrent invocations from colliding on the session name.
            var sessionName = $"Trace-ProcessWithEtw-{Guid.NewGuid()}";
            var etwTrace = new PSEtwUserTrace(sessionName, false);

            // Phase 1: construct every provider definition before touching the session.
            var providerForProcess    = CreateProcessProvider();
            var providerForPowerShell = CreatePowerShellProvider();
            var providerForNetwork    = CreateNetworkProvider();
            var providerForDns        = CreateDnsProvider();
            var providerForWmi        = CreateWmiActivityProvider();
            var providerForRegistry   = CreateRegistryProvider();
            var providerForFile       = CreateFileProvider();

            // Phase 2: register them on the session in the same order they were created.
            etwTrace.EnableProvider(providerForProcess);
            etwTrace.EnableProvider(providerForPowerShell);
            etwTrace.EnableProvider(providerForNetwork);
            etwTrace.EnableProvider(providerForDns);
            etwTrace.EnableProvider(providerForWmi);
            etwTrace.EnableProvider(providerForRegistry);
            etwTrace.EnableProvider(providerForFile);

            return etwTrace;
        }
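        /// <summary>
        /// Launches the target process suspended, sets up the ETW trace, resumes the
        /// process and then drains collected records to the pipeline until the cmdlet
        /// is stopped or <c>_cts</c> is cancelled.
        /// </summary>
        /// <remarks>
        /// Any exception is reported via <see cref="WriteError"/> rather than propagated.
        /// The trace is stopped in <c>finally</c> whether or not setup completed.
        /// </remarks>
        protected override void BeginProcessing()
        {
            PSEtwUserTrace trace = null;

            try
            {
                _processHandle = ProcessHelper.LaunchProcessSuspended(ProcessName, ProcessArguments, out _processId, out _fullProcessPath);
                WriteVerbose($"{ProcessName} started suspended with PID {_processId}...");
                WriteProgress(new ProgressRecord(0, "Trace-EtwProcess", "Step 1 (launch process suspended)")
                {
                    PercentComplete = 25
                });

                WriteVerbose($"Setting up trace...");
                trace = SetupEtwTrace();

                // BUGBUG: At times, it seemed this was necessary to deal with PSReadline messing with stuff?
                //while (Host.UI.RawUI.KeyAvailable) Host.UI.RawUI.ReadKey();

                // The callback runs on the trace's thread; only a counter is touched here,
                // records themselves are queued elsewhere under _lock.
                trace.Start((obj) =>
                {
                    Interlocked.Increment(ref _eventCounts);
                });
                WriteVerbose($"ETW trace setup, resuming {ProcessName} (PID {_processId})...");
                WriteProgress(new ProgressRecord(0, "Trace-EtwProcess", "Step 2 (trace setup)")
                {
                    PercentComplete = 50
                });

                // Only resume once providers are enabled so the process's earliest
                // activity is captured rather than lost to a not-yet-running session.
                ProcessHelper.ResumeProcess(_processHandle);
                WriteProgress(new ProgressRecord(0, "Trace-EtwProcess", "Step 3 (resume process)")
                {
                    PercentComplete = 75
                });

                // Block until at least one event has been observed (or the user stops us).
                while (_eventCounts == 0 && !Stopping)
                {
                    WriteVerbose("Waiting for trace to start...");
                    Thread.Sleep(TimeSpan.FromSeconds(1));
                }

                var sleepTimeSpan = TimeSpan.FromSeconds(2);
                while (!Stopping && !_cts.IsCancellationRequested)
                {
                    WriteVerbose($"Processed {Interlocked.Exchange(ref _eventCounts, 0)} events in last {sleepTimeSpan.Seconds} seconds...");

                    // Swap the shared buffer out under the lock, then emit outside it so
                    // the trace callback is never blocked on pipeline output.
                    object[] records;
                    lock (_lock)
                    {
                        records = _records.ToArray();
                        _records.Clear();
                    }

                    foreach (var record in records)
                    {
                        WriteObject(record);
                    }

                    Thread.Sleep(sleepTimeSpan);
                }
            }
            catch (Exception ex)
            {
                var error = new ErrorRecord(ex, ex.GetType().ToString(), ErrorCategory.InvalidOperation, null);
                WriteError(error);
                // NOTE(review): if the failure occurred before ResumeProcess, the child is
                // left alive in a suspended state — confirm whether ProcessHelper offers a
                // way to terminate it here.
            }
            finally
            {
                WriteVerbose($"{ProcessName} exited. Stopping trace.");
                // trace is still null if LaunchProcessSuspended or SetupEtwTrace threw;
                // dereferencing it unconditionally would raise a NullReferenceException in
                // finally and mask the original error already written above.
                if (trace != null && trace.IsRunning)
                {
                    trace.Stop();
                }
                WriteProgress(new ProgressRecord(0, "Trace-EtwProcess", "Step 4 (stop trace)")
                {
                    PercentComplete = 100
                });
            }
        }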
        /// <summary>
        /// Creates a <see cref="PSEtwUserTrace"/> named from the <c>Name</c> parameter,
        /// honouring <c>IncludeVerboseProperties</c>, and emits it to the pipeline.
        /// </summary>
        protected override void BeginProcessing()
        {
            PSEtwUserTrace newTrace = new PSEtwUserTrace(Name, IncludeVerboseProperties);
            WriteObject(newTrace);
        }