Hello everyone, I'm trying to create a small ETW event consumer, but when calling the StartTraceA function, it returns error 161, which means "The specified path is not valid." Any ideas? Thank you all very much.
I use Easy Code by Ramon Salas as my IDE and compiler.
ProcessEventsCallback Proto :DWord, :DWord, :DWord, :DWord
AsigText Macro Name, Text:VarArg
Local lbl
Jmp lbl
Name DB Text, 0
lbl:
EndM
.Const
WNODE_FLAG_TRACED_GUID Equ 20000H ; Constante para indicar que el GUID del proveedor está incluido en el nodo
EVENT_TRACE_REAL_TIME_MODE Equ 100H
EVENT_TRACE_USE_PAGED_MEMORY Equ 4000H
.Data?
pProcessTrace DWord ?
pProcessTraceCallback DWord ?
.Data
WNODE_HEADER Struct
BufferSize DWord 0
ProviderId DWord 0
Version DWord 0
Linkage DWord 0
KernelHandle DWord 0
TimeStamp LARGE_INTEGER <>
Guid GUID <>
ClientContext DWord 0
Flags DWord 0
WNODE_HEADER EndS
EVENT_TRACE_PROPERTIES Struct
Wnode WNODE_HEADER <>
BufferSize DWord 0
MinimumBuffers DWord 0
MaximumBuffers DWord 0
MaximumFileSize DWord 0
LogFileMode DWord 0
FlushTimer DWord 0
EnableFlags DWord 0
AgeLimit DWord 0
FlushThreshold DWord 0
NumberOfBuffers DWord 0
FreeBuffers DWord 0
EventsLost DWord 0
BuffersWritten DWord 0
LogBuffersLost DWord 0
RealTimeBuffersLost DWord 0
LoggerThreadId HANDLE 0
LogFileNameOffset DWord 0
LoggerNameOffset DWord 0
EVENT_TRACE_PROPERTIES EndS
EventTracePropertyData Struct
Props EVENT_TRACE_PROPERTIES <>
LoggerName DB "MyETWSession", 0
LogFileName DB 1024 Dup(0)
EventTracePropertyData EndS
HandleConsola DD 0
TraceProperties EventTracePropertyData <>
TraceSessionHandle HANDLE ?
sessionHandle DD 0
tempbuffer DB 10 Dup(NULL) ; Buffer temporal para la rutina de paso a numeros decimales.
; Definir la estructura de GUID para el proveedor de eventos
generatedGuid GUID <>
BufferSize DD 0
.Code
start:
Invoke GetStdHandle, STD_OUTPUT_HANDLE
Mov HandleConsola, Eax ; edx ahora contiene el identificador de la consola
; Cargar la biblioteca dinámica wnetapi32.dll
Invoke LoadLibrary, TextStr("Advapi32.dll")
.If Eax
Mov Edi, Eax
; Obtener el puntero a la función StartTraceA
; Crear una sesión de ETW
Invoke GetProcAddress, Edi, TextStr("StartTraceA")
Mov Esi, Eax
Push Esi
; Llama a CoInitialize para inicializar la biblioteca COM
; invoke CoInitialize, NULL
; Llama a CoCreateGuid para generar un GUID
; invoke CoCreateGuid, ADDR generatedGuid
;
; ; Copia el GUID generado a la estructura WNODE_HEADER
; Lea Esi, generatedGuid
; Lea Edi, TraceProperties.Props.Wnode.Guid
; Mov Ecx, SizeOf GUID
; Rep Movsb
;
; ; Llama a CoUninitialize para finalizar la biblioteca COM
; Invoke CoUninitialize
Invoke LocalAlloc, LPTR, SizeOf EventTracePropertyData
Mov BufferSize, Eax
Pop Esi
; Inicializar las propiedades de traza
Mov TraceProperties.Props.Wnode.BufferSize, SizeOf EventTracePropertyData
Mov TraceProperties.Props.Wnode.ClientContext, 2
Mov TraceProperties.Props.Wnode.Flags, WNODE_FLAG_TRACED_GUID
Mov TraceProperties.Props.LogFileMode, EVENT_TRACE_REAL_TIME_MODE + EVENT_TRACE_USE_PAGED_MEMORY
Mov TraceProperties.Props.LoggerNameOffset, SizeOf EventTracePropertyData
Mov TraceProperties.Props.LogFileNameOffset, 0
Lea Eax, TraceProperties
Push Eax
Lea Eax, TraceProperties.LoggerName
Push Eax
Lea Eax, sessionHandle
Push Eax
Call Esi
Test Eax, Eax
Jnz error_exit
Invoke PasarADecimal, sessionHandle
Invoke WriteConsoleA, HandleConsola, Addr tempbuffer, 4, 0, 0
AsigText Error5, "Pasa."
Invoke WriteConsoleA, HandleConsola, Addr Error5, 5, 0, 0
Jmp exit
; Habilitar los proveedores de eventos relevantes para el seguimiento
; Por ejemplo, podrías habilitar el proveedor de seguridad de Windows
; Invoke GetProcAddress, Edi, TextStr("EnableTrace")
; Mov Esi, Eax
;
; Lea Eax, FilterDesc
; Push Eax
; Lea Eax, EnableTraceParams
; Push Eax
; Push 0
; Push 0
; Lea Eax, MyEventProvider
; Push Eax
; Push 0
;
; Call Esi
; Test Eax, Eax
; Jz error_exitDos
;
; Invoke GetProcAddress, Edi, TextStr("ProcessTrace")
; Test Eax, Eax
; Jz error_exitCuatro
;
; Mov pProcessTrace, Eax
;
; Lea Eax, pProcessTraceCallback
; Mov Process.HandleArray, Eax
; Mov Process.HandleCount, 1
; Mov Process.StartTime, 0
; Mov Process.EndTime, 0
;
;
;
;capture_loop:
;
; Lea Eax, sessionHandle
; Push Eax
; Push 1
; Push 0
; Push 0
; Call Esi
; Cmp Eax, ERROR_SUCCESS
; Jne SalirProces
;
;
; Jmp capture_loop
;
;SalirProces:
;
; Invoke PasarADecimal, Eax
; Invoke WriteConsoleA, HandleConsola, Addr tempbuffer, 4, 0, 0
;
; AsigText FinCapture, "Captura interrumpida."
; Invoke WriteConsoleA, HandleConsola, Addr FinCapture, 21, 0, 0
.EndIf
; ; Terminar la sesión de ETW y liberar los recursos
; invoke ControlTrace, NULL, ADDR ETW_SESSION_NAME, ADDR sessionHandle, 2
jmp exit
error_exit:
; Manejar errores aquí
; Por ejemplo, imprimir un mensaje de error y salir
Invoke PasarADecimal, Eax
Invoke WriteConsoleA, HandleConsola, Addr tempbuffer, 4, 0, 0
AsigText Error1, "Error al iniciar StartTraceA."
Invoke WriteConsoleA, HandleConsola, Addr Error1, 29, 0, 0
Jmp exit
error_exitDos:
; Manejar errores aquí
; Por ejemplo, imprimir un mensaje de error y salir
AsigText Error2, "Error al iniciar EnableTrace."
Invoke WriteConsoleA, HandleConsola, Addr Error2, 29, 0, 0
Jmp exit
error_exitTres:
; Manejar errores aquí
; Por ejemplo, imprimir un mensaje de error y salir
AsigText Error3, "Error al iniciar el procesador de eventos."
Invoke WriteConsoleA, HandleConsola, Addr Error3, 42, 0, 0
Jmp exit
error_exitCuatro:
AsigText Error4, "Error en captura de fundion de proceso de evento."
Invoke WriteConsoleA, HandleConsola, Addr Error4, 49, 0, 0
Jmp exit
exit:
invoke ExitProcess, 0
ProcessEventsCallback proc traceHandle:DWORD, headerPtr:DWORD, context:DWORD, event:DWORD
; LOCAL eventInfo: EVENT_TRACE
; LOCAL buffer[512]:BYTE
;
; Mov Ebx, [event] ; Cargar el puntero al evento en ebx
; Mov Eax, [Ebx] ; Acceder a la estructura del evento
;
;; Copiar los campos relevantes de la estructura del evento a eventInfo
; Lea Edi, eventInfo ; Dirección de inicio de eventInfo
; Mov [Edi].EVENT_TRACE_HEADER.SizeA, Eax
; mov [edi].EVENT_TRACE_HEADER.HeaderType, ah ; Suponiendo que ah contiene HeaderType
; mov [edi].EVENT_TRACE_HEADER.MarkerFlags, al ; Suponiendo que al contiene MarkerFlags
;
; ;Imprimir detalles del evento en la consola
; Invoke FormatMessage, FORMAT_MESSAGE_FROM_SYSTEM, NULL, eventInfo.EventHeader.EventDescriptor.Id, 0, Addr buffer, SizeOf buffer, NULL
; Invoke StdOut, Addr buffer
ret
ProcessEventsCallback EndP
PasarADecimal Proc Valor:DWord
Push Esi
Push Edi
Mov Esi, Valor
Mov Edi, Offset tempbuffer
Invoke dwtoa, Esi, Edi
Pop Edi
Pop Esi
Ret
PasarADecimal EndP
End start
Your structures seem to be wrong wherever a
union is.
From the MASM reference
QuoteWhereas each field in a structure has an offset relative to the first byte of the structure, all the fields in
a union start at the same offset. The size of a structure is the sum of its components; the size of a
union is the length of the longest field.
Do you know where I can get the structures for MASM32?
I have taken them from the Microsoft website, but they are in C++, the conversion is what might be wrong.
Try these
WNODE_HEADER Struct
BufferSize DWord 0
ProviderId DWord 0
HistoricalContext QWord 0
TimeStamp LARGE_INTEGER <>
Guid GUID <>
ClientContext DWord 0
Flags DWord 0
WNODE_HEADER EndS
EVENT_TRACE_PROPERTIES Struct
Wnode WNODE_HEADER <>
BufferSize DWord 0
MinimumBuffers DWord 0
MaximumBuffers DWord 0
MaximumFileSize DWord 0
LogFileMode DWord 0
FlushTimer DWord 0
EnableFlags DWord 0
FlushThreshold DWord 0
NumberOfBuffers DWord 0
FreeBuffers DWord 0
EventsLost DWord 0
BuffersWritten DWord 0
LogBuffersLost DWord 0
RealTimeBuffersLost DWord 0
LoggerThreadId HANDLE 0
LogFileNameOffset DWord 0
LoggerNameOffset DWord 0
EVENT_TRACE_PROPERTIES EndS
Hi Fraile,
Here is the WNODE_HEADER structure converted with h2incX :
https://www.terraspace.co.uk/uasm.html#p3 (https://www.terraspace.co.uk/uasm.html#p3)
WNODE_HEADER struct
BufferSize DWORD ?
ProviderId DWORD ?
union
HistoricalContext ULONG64 ?
struct
Version DWORD ?
Linkage DWORD ?
ends
ends
union
KernelHandle HANDLE ?
TimeStamp LARGE_INTEGER <>
ends
Guid GUID <>
ClientContext DWORD ?
Flags DWORD ?
WNODE_HEADER ends
PWNODE_HEADER typedef ptr WNODE_HEADER
Thank you very much for the help, the "union" thing had me puzzled. Many thanks to everyone. :greenclp:
Hello,
Thanks Vortex! :thumbsup: :greenclp:
Excuse me, now the EnableTraceEx2 function is giving me trouble, I think the issue lies in the step or assignment of the GUID. Any ideas?
.....
.Data
generatedGuid GUID <>
.Code
Invoke CoInitialize, NULL
;
; Llama a CoCreateGuid para generar un GUID
Invoke CoCreateGuid, Addr generatedGuid
Test Eax, Eax
Jnz Error_ExitSiete
; Llama a CoUninitialize para finalizar la biblioteca COM
Invoke CoUninitialize
Invoke LoadLibrary, TextStr("Advapi32.dll")
.If Eax
Mov Edi, Eax
; Registramos un proveedor para registro de eventos.
Invoke GetProcAddress, Edi, TextStr("EventRegister")
Mov Esi, Eax
Lea Eax, ProviderHandle
Push Eax
Push NULL
Push NULL
Lea Eax, generatedGuid
Push Eax
Call Esi
Test Eax, Eax
Jnz error_exitCinco
.......... Here is the error. Code Error: 87
Invoke GetProcAddress, Edi, TextStr("EnableTraceEx2")
Mov Esi, Eax
Lea Eax, sessionHandle
Push Eax
Lea Eax, generatedGuid
Push Eax
Push 1
Push 4
Push 0
Push 0
Push 0
Push NULL
Call Esi
Test Eax, Eax
Jnz Error_ExitSeis
.EndIf
Might have to update your advapi32.inc for using Invoke for the Event Tracing functions.
I took a version of advapi32.lib from a Win10 SDK v10.0.20348.0 and ran lib2inc utility on it to generate the inc file.
I visited the ms page about the event tracing here: https://learn.microsoft.com/en-us/windows/win32/api/_etw/ (https://learn.microsoft.com/en-us/windows/win32/api/_etw/)
I sourced the following files from the SDK as well:
- evntcons.h
- evntprov.h
- evntrace.h
- relogger.h
- securitybaseapi.h
- tdh.h
Then ran the h2incx utility on each of them and put them together in an EventTracing.inc file
I havent done any testing on it, so it may require editing to add in missing stuff, or take out duplicates or other conflicts, but should make a good starting point for use with Event Tracing api usage.
Thank you very much, fearless, I'll give it a try.
Hello everyone, thanks to your help, I have managed to make StartTraceA work. Reviewing Microsoft's API information, I have built the following:
AsigText Macro Name, Text:VarArg
Local lbl
Jmp lbl
Name DB Text, 0
lbl:
EndM
ZeroMemory Macro lpAddress:Req, dwSize:Req
Local zero_loop
Mov Edi, lpAddress
Mov Ecx, dwSize
Xor Eax, Eax
Rep Stosb
EndM
.Const
WNODE_FLAG_TRACED_GUID Equ 00020000H ; Constante para indicar que el GUID del proveedor está incluido en el nodo
EVENT_TRACE_REAL_TIME_MODE Equ 00000100H
EVENT_TRACE_USE_PAGED_MEMORY Equ 01000000H
PROCESS_TRACE_MODE_EVENT_RECORD Equ 1000H
EVENT_TRACE_NO_PER_PROCESSOR_BUFFERING Equ 10000000H
EVENT_TRACE_FLAG_SECURITY Equ 00000800H
EVENT_TRACE_INDEPENDENT_SESSION_MODE Equ 08000000H
EVENT_TRACE_FILE_MODE_SEQUENTIAL Equ 00000001H
EVENT_CONTROL_CODE_DISABLE_PROVIDER Equ 0
EVENT_CONTROL_CODE_ENABLE_PROVIDER Equ 1
EVENT_CONTROL_CODE_CAPTURE_STATE Equ 2
EVENT_TRACE_CONTROL_QUERY Equ 0
EVENT_TRACE_CONTROL_STOP Equ 1
MiGuidProviderGuid TextEqu <{054849625H, 05478H, 04994H, {0A5H, 0BAH, 03EH, 03BH, 003H, 028H, 0C3H, 00DH}}>
.Data?
.Data
WNODE_HEADER Struct
BufferSize DWord ?
ProviderId DWord ?
Union
HistoricalContext QWord ?
Struc
Version DWord ?
Linkage DWord ?
EndS
EndS
Union
KernelHandle HANDLE ?
TimeStamp LARGE_INTEGER <>
EndS
Guidx GUID <>
ClientContext DWord ?
Flags DWord ?
WNODE_HEADER EndS
EVENT_TRACE_PROPERTIES Struct
Wnode WNODE_HEADER <>
BufferSize DWord ?
MinimumBuffers DWord ?
MaximumBuffers DWord ?
MaximumFileSize DWord ?
LogFileMode DWord ?
FlushTimer DWord ?
EnableFlags DWord ?
Union dummy
AgeLimit DWord ?
FlushThreshold DWord ?
EndS
NumberOfBuffers DWord ?
FreeBuffers DWord ?
EventsLost DWord ?
BuffersWritten DWord ?
LogBuffersLost DWord ?
RealTimeBuffersLost DWord ?
LoggerThreadId HANDLE ?
LogFileNameOffset DWord ?
LoggerNameOffset DWord ?
EVENT_TRACE_PROPERTIES EndS
EventTracePropertyData Struct
Props EVENT_TRACE_PROPERTIES <>
Padding DB 4 Dup(0) ; Cuadramos alineacion.
LoggerName DB 1024 Dup (0)
LogFileName DB 'Frailog.etl', 0
EventTracePropertyData EndS
HandleConsola DD 0
CarroDeRetorno DB 13 ; Código ASCII para retorno de carro
NuevaLinea DB 10 ; Código ASCII para nueva línea
LoggerNameAux DB 'frailepatito', 0
TraceProperties EventTracePropertyData <> ;EVENT_TRACE_PROPERTIES <> ;EVENT_TRACE_PROPERTIES <>
sessionHandle DWord 0
ProviderHandle HANDLE 0
tempbuffer DB 10 Dup(NULL) ; Buffer temporal para la rutina de paso a numeros decimales.
; Definir la estructura de GUID para el proveedor de eventos
generatedGuid GUID <>
ProviderId GUID < 05484962H, 0548H, 0499H, < 0A5H, 0BAH, 03EH, 03BH, 003H, 028H, 0C3H, 00DH>> ;MiGuidProviderGuid
guidText Byte 40 Dup(0) ; Buffer para almacenar el GUID formateado
formatGUID1 Byte "%08X-", 0 ; Formato para formatear el GUID
formatGUID2 Byte "%04X-", 0 ; Formato para formatear el GUID
formatGUID3 Byte "%02X", 0 ; Formato para formatear el GUID
BufferSize DD 0
HandleLibrary DD 0
.Code
start:
Invoke GetStdHandle, STD_OUTPUT_HANDLE
Mov HandleConsola, Eax ; edx ahora contiene el identificador de la consola
;=====================
; Llama a CoInitialize para inicializar la biblioteca COM
Invoke CoInitialize, NULL
;
; Llama a CoCreateGuid para generar un GUID
Invoke CoCreateGuid, Addr generatedGuid
Test Eax, Eax
Jnz Error_ExitSiete
; Llama a CoUninitialize para finalizar la biblioteca COM
Invoke CoUninitialize
Invoke RtlZeroMemory, Addr TraceProperties.Props, SizeOf EVENT_TRACE_PROPERTIES
; Cargar la biblioteca dinámica wnetapi32.dll
Invoke LoadLibrary, TextStr("Advapi32.dll")
.If Eax
Mov Edi, Eax
Mov HandleLibrary, Eax
; Crear una sesión de ETW
Invoke GetProcAddress, Edi, TextStr("StartTraceA")
Mov Esi, Eax
; Inicializar las propiedades de traza
Mov TraceProperties.Props.Wnode.BufferSize, SizeOf EventTracePropertyData
Mov TraceProperties.Props.Wnode.ClientContext, 2
Mov TraceProperties.Props.Wnode.Flags, WNODE_FLAG_TRACED_GUID
Push Esi
Push Edi
; Copia el GUID generado a la estructura WNODE_HEADER
Mov Eax, generatedGuid.Data1
Mov TraceProperties.Props.Wnode.Guidx.Data1, Eax
Mov Ax, generatedGuid.Data2
Mov TraceProperties.Props.Wnode.Guidx.Data2, Ax
Mov Ax, generatedGuid.Data3
Mov TraceProperties.Props.Wnode.Guidx.Data3, Ax
; Copia el GUID generado a la estructura WNODE_HEADER
Lea Esi, generatedGuid.Data4
Lea Edi, TraceProperties.Props.Wnode.Guidx.Data4
Mov Ecx, 8
Rep Movsb
Pop Edi
Pop Esi
Mov TraceProperties.Props.LogFileMode, EVENT_TRACE_FILE_MODE_SEQUENTIAL + EVENT_TRACE_INDEPENDENT_SESSION_MODE ;+ EVENT_TRACE_NO_PER_PROCESSOR_BUFFERING + EVENT_TRACE_INDEPENDENT_SESSION_MODE
Mov TraceProperties.Props.MinimumBuffers, 64
Mov TraceProperties.Props.MaximumBuffers, 320
Mov TraceProperties.Props.LoggerNameOffset, SizeOf TraceProperties - 1036 ;1152
Mov TraceProperties.Props.LogFileNameOffset, SizeOf TraceProperties - 12; SizeOf TraceProperties - 11
Lea Eax, TraceProperties ;.Props
Push Eax
Lea Eax, LoggerNameAux
Push Eax
Lea Eax, sessionHandle
Push Eax
Call Esi
Test Eax, Eax
Jnz error_exit
.EndIf
Jmp exit
error_exit:
; Manejar errores aquí
; Por ejemplo, imprimir un mensaje de error y salir
Invoke PasarADecimal, Eax
Invoke WriteConsoleA, HandleConsola, Addr tempbuffer, 4, 0, 0
AsigText Error1, "Error al iniciar StartTraceA."
Invoke WriteConsoleA, HandleConsola, Addr Error1, 29, 0, 0
Jmp exit
error_exitDos:
; Manejar errores aquí
; Por ejemplo, imprimir un mensaje de error y salir
AsigText Error2, "Error al iniciar EnableTrace."
Invoke WriteConsoleA, HandleConsola, Addr Error2, 29, 0, 0
Jmp exit
error_exitTres:
; Manejar errores aquí
; Por ejemplo, imprimir un mensaje de error y salir
AsigText Error3, "Error al iniciar el procesador de eventos."
Invoke WriteConsoleA, HandleConsola, Addr Error3, 42, 0, 0
Jmp exit
error_exitCuatro:
AsigText Error4, "Error en captura de fundion de proceso de evento."
Invoke WriteConsoleA, HandleConsola, Addr Error4, 49, 0, 0
Jmp exit
error_exitCinco:
Invoke PasarADecimal, Eax
Invoke WriteConsoleA, HandleConsola, Addr tempbuffer, 4, 0, 0
AsigText Error8, "Erron al iniciar EventRegister."
Invoke WriteConsoleA, HandleConsola, Addr Error8, 31, 0, 0
Jmp exit
Error_ExitSeis:
Invoke PasarADecimal, Eax
Invoke WriteConsoleA, HandleConsola, Addr tempbuffer, 4, 0, 0
AsigText Error6, "Erron al iniciar EnableTraceEx2."
Invoke WriteConsoleA, HandleConsola, Addr Error6, 32, 0, 0
Jmp exit
Error_ExitSiete:
Invoke PasarADecimal, Eax
Invoke WriteConsoleA, HandleConsola, Addr tempbuffer, 4, 0, 0
AsigText Error9, "Erron al iniciar CreandoGUID."
Invoke WriteConsoleA, HandleConsola, Addr Error9, 29, 0, 0
Jmp exit
guid_invalido:
AsigText Error10, "Erron validar GUID."
Invoke WriteConsoleA, HandleConsola, Addr Error10, 19, 0, 0
Jmp exit
Error_HandleSesion:
AsigText Error11, "Erron validar Handle Sesion."
Invoke WriteConsoleA, HandleConsola, Addr Error11, 28, 0, 0
Jmp exit
Error_ExitOcho:
Invoke GetLastError
Invoke PasarADecimal, Eax
Invoke WriteConsoleA, HandleConsola, Addr tempbuffer, 4, 0, 0
AsigText Error13, "Error en OpenTraceA."
Invoke WriteConsoleA, HandleConsola, Addr Error13, 20, 0, 0
Jmp exit
Error_ExitNueve:
Invoke PasarADecimal, Eax
Invoke WriteConsoleA, HandleConsola, Addr tempbuffer, 4, 0, 0
AsigText Error14, "Error en ProcessTrace."
Invoke WriteConsoleA, HandleConsola, Addr Error14, 22, 0, 0
Jmp exit
exit:
.
.
.
.
So far so good, I know it creates it properly, because I check it with: "D:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit>xperf -loggers" and the following information appears, attached photo:
(https://i.postimg.cc/2qN0WQmw/masm32-1.png) (https://postimg.cc/2qN0WQmw)
What I've detected is an alignment issue, so in the main structure that I use to control the properties passed to StartTraceA, I include: "Padding DB 4 Dup(0)". For some reason, MASM32 (in my case), I have the feeling that it doesn't work well with structures that use "union". So by aligning with "Padding DB 4 Dup(0)", the StartTraceA function works fine; if I remove that line, the StartTraceA function returns error 87.
EventTracePropertyData Struct
Props EVENT_TRACE_PROPERTIES <>
Padding DB 4 Dup(0) ; Cuadramos alineacion.
LoggerName DB 1024 Dup (0)
LogFileName DB 'Frailog.etl', 0
EventTracePropertyData EndS
The problem now is when I call EnableTraceEx or EnableTraceEx2, it gives me error 87. However, EnableTrace does work, but this function is obsolete. And in other functions that I have to call for controlling the events, like ControlTraceA, I still encounter the issue, error 87. Here I put the code for calling ControlTraceA:
Mov Edi, HandleLibrary
Mov TraceProperties.Props.LogFileNameOffset, 0
Invoke GetProcAddress, Edi, TextStr("ControlTraceA")
Test Eax, Eax
Jz exitFinal
Mov Esi, Eax
Push EVENT_TRACE_CONTROL_QUERY ;EVENT_TRACE_CONTROL_STOP
Lea Eax, TraceProperties.Props
Push Eax
Lea Eax, LoggerNameAux
Push Eax
Push 0
Call Esi
I would greatly appreciate any help; this is overwhelming me. I have a feeling that the problem is due to the "union" within the structures. It causes misalignment. Any ideas?
Thank you very much for your time.
Quote from: Fraile on March 06, 2024, 11:07:52 PMI would greatly appreciate any help; this is overwhelming me. I have a feeling that the problem is due to the "union" within the structures. It causes misalignment. Any ideas?
The very first thing to try in such cases is assembler switch -Zp8. That will set default struct alignment to a QWORD - yes, that's the correct setting for both Win64
and Win32.
Thank you very much, _japheth. I've tried it, I've also tried putting the ALIGN in the code. But nothing.
Quote from: Fraile on March 07, 2024, 10:41:42 PM... But nothing.
If you want more than wild guesses - I'm afraid you'll have to post the whole source then...
Sure, no problem, this is something personal, hehehe. I'm really into it. I really appreciate your help. And the project, it could turn out really well, the idea is to create an article explaining how a SIEM works.
AsigText Macro Name, Text:VarArg
Local lbl
Jmp lbl
Name DB Text, 0
lbl:
EndM
ZeroMemory Macro lpAddress:Req, dwSize:Req
Local zero_loop
Mov Edi, lpAddress
Mov Ecx, dwSize
Xor Eax, Eax
Rep Stosb
EndM
.Const
WNODE_FLAG_TRACED_GUID Equ 00020000H ; Constante para indicar que el GUID del proveedor está incluido en el nodo
EVENT_TRACE_REAL_TIME_MODE Equ 00000100H
EVENT_TRACE_USE_PAGED_MEMORY Equ 01000000H
PROCESS_TRACE_MODE_EVENT_RECORD Equ 1000H
EVENT_TRACE_NO_PER_PROCESSOR_BUFFERING Equ 10000000H
EVENT_TRACE_FLAG_SECURITY Equ 00000800H
EVENT_TRACE_INDEPENDENT_SESSION_MODE Equ 08000000H
EVENT_TRACE_FILE_MODE_SEQUENTIAL Equ 00000001H
EVENT_CONTROL_CODE_DISABLE_PROVIDER Equ 0
EVENT_CONTROL_CODE_ENABLE_PROVIDER Equ 1
EVENT_CONTROL_CODE_CAPTURE_STATE Equ 2
EVENT_TRACE_CONTROL_QUERY Equ 0
EVENT_TRACE_CONTROL_STOP Equ 1
MiGuidProviderGuid TextEqu <{054849625H, 05478H, 04994H, {0A5H, 0BAH, 03EH, 03BH, 003H, 028H, 0C3H, 00DH}}>
.Data?
.Data
WNODE_HEADER Struct
BufferSize DWord ?
ProviderId DWord ?
Union
HistoricalContext QWord ?
Struc
Version DWord ?
Linkage DWord ?
EndS
EndS
Union
KernelHandle HANDLE ?
TimeStamp LARGE_INTEGER <>
EndS
Guidx GUID <>
ClientContext DWord ?
Flags DWord ?
WNODE_HEADER EndS
EVENT_TRACE_PROPERTIES Struct
Wnode WNODE_HEADER <>
BufferSize DWord ?
MinimumBuffers DWord ?
MaximumBuffers DWord ?
MaximumFileSize DWord ?
LogFileMode DWord ?
FlushTimer DWord ?
EnableFlags DWord ?
Union DUMMYUNIONNAME
AgeLimit DWord ?
FlushThreshold DWord ?
EndS
NumberOfBuffers DWord ?
FreeBuffers DWord ?
EventsLost DWord ?
BuffersWritten DWord ?
LogBuffersLost DWord ?
RealTimeBuffersLost DWord ?
LoggerThreadId HANDLE ?
LogFileNameOffset DWord ?
LoggerNameOffset DWord ?
EVENT_TRACE_PROPERTIES EndS
EventTracePropertyData Struct
Props EVENT_TRACE_PROPERTIES <>
Padding DB 4 Dup(0) ; Cuadramos alineacion.
LoggerName DB 1024 Dup (0)
LogFileName DB 'Frailog.etl', 0
EventTracePropertyData EndS
HandleConsola DD 0
CarroDeRetorno DB 13 ; Código ASCII para retorno de carro
NuevaLinea DB 10 ; Código ASCII para nueva línea
LoggerNameAux DB 'frailepatito', 0
TraceProperties EventTracePropertyData <>
sessionHandle DWord 0
ProviderHandle HANDLE 0
tempbuffer DB 10 Dup(NULL) ; Buffer temporal para la rutina de paso a numeros decimales.
; Definir la estructura de GUID para el proveedor de eventos
generatedGuid GUID <>
ProviderId GUID < 05484962H, 0548H, 0499H, < 0A5H, 0BAH, 03EH, 03BH, 003H, 028H, 0C3H, 00DH>> ;MiGuidProviderGuid
guidText Byte 40 Dup(0) ; Buffer para almacenar el GUID formateado
formatGUID1 Byte "%08X-", 0 ; Formato para formatear el GUID
formatGUID2 Byte "%04X-", 0 ; Formato para formatear el GUID
formatGUID3 Byte "%02X", 0 ; Formato para formatear el GUID
BufferSize DD 0
HandleLibrary DD 0
.Code
start:
Invoke GetStdHandle, STD_OUTPUT_HANDLE
Mov HandleConsola, Eax ; edx ahora contiene el identificador de la consola
;=====================
AsigText Cabecera0, "----------------------------------"
Invoke WriteConsoleA, HandleConsola, Addr Cabecera0, 25, 0, 0
Invoke ImprimirSaltoDeLinea
AsigText Cabecera1, "FraiETW by Fraile - 2024."
Invoke WriteConsoleA, HandleConsola, Addr Cabecera1, 25, 0, 0
Invoke ImprimirSaltoDeLinea
AsigText Cabecera2, "----------------------------------"
Invoke WriteConsoleA, HandleConsola, Addr Cabecera2, 25, 0, 0
Invoke ImprimirSaltoDeLinea
Invoke ImprimirSaltoDeLinea
;=====================
; Llama a CoInitialize para inicializar la biblioteca COM
Invoke CoInitialize, NULL
;
; Llama a CoCreateGuid para generar un GUID
Invoke CoCreateGuid, Addr generatedGuid
Test Eax, Eax
Jnz Error_ExitSiete
; Formatear el GUID como una cadena
AsigText CreateGUID, "[+] Obtenemos GUID de session: "
Invoke WriteConsoleA, HandleConsola, Addr CreateGUID, 31, 0, 0
Invoke wsprintf, Addr guidText, Addr formatGUID1, generatedGuid.Data1
Invoke WriteConsoleA, HandleConsola, Addr guidText, 9, NULL, NULL
Invoke wsprintf, Addr guidText, Addr formatGUID2, generatedGuid.Data2
Invoke WriteConsoleA, HandleConsola, Addr guidText, 5, NULL, NULL
Invoke wsprintf, Addr guidText, Addr formatGUID2, generatedGuid.Data3
Invoke WriteConsoleA, HandleConsola, Addr guidText, 5, NULL, NULL
Invoke wsprintf, Addr guidText, Addr formatGUID3, generatedGuid.Data4 [0]
Invoke WriteConsoleA, HandleConsola, Addr guidText, 2, NULL, NULL
Invoke wsprintf, Addr guidText, Addr formatGUID3, generatedGuid.Data4 [1]
Invoke WriteConsoleA, HandleConsola, Addr guidText, 2, NULL, NULL
Invoke wsprintf, Addr guidText, Addr formatGUID3, generatedGuid.Data4 [2]
Invoke WriteConsoleA, HandleConsola, Addr guidText, 2, NULL, NULL
Invoke wsprintf, Addr guidText, Addr formatGUID3, generatedGuid.Data4 [3]
Invoke WriteConsoleA, HandleConsola, Addr guidText, 2, NULL, NULL
Invoke wsprintf, Addr guidText, Addr formatGUID3, generatedGuid.Data4 [4]
Invoke WriteConsoleA, HandleConsola, Addr guidText, 2, NULL, NULL
Invoke wsprintf, Addr guidText, Addr formatGUID3, generatedGuid.Data4 [5]
Invoke WriteConsoleA, HandleConsola, Addr guidText, 2, NULL, NULL
Invoke wsprintf, Addr guidText, Addr formatGUID3, generatedGuid.Data4 [6]
Invoke WriteConsoleA, HandleConsola, Addr guidText, 2, NULL, NULL
Invoke wsprintf, Addr guidText, Addr formatGUID3, generatedGuid.Data4 [7]
Invoke WriteConsoleA, HandleConsola, Addr guidText, 2, NULL, NULL
Invoke ImprimirSaltoDeLinea
;
; Llama a CoUninitialize para finalizar la biblioteca COM
Invoke CoUninitialize
AsigText CreateGUIDProveedor, "[+] GUID de Proveedor: "
Invoke WriteConsoleA, HandleConsola, Addr CreateGUIDProveedor, 23, 0, 0
Invoke wsprintf, Addr guidText, Addr formatGUID1, ProviderId.Data1
Invoke WriteConsoleA, HandleConsola, Addr guidText, 9, NULL, NULL
Invoke wsprintf, Addr guidText, Addr formatGUID2, ProviderId.Data2
Invoke WriteConsoleA, HandleConsola, Addr guidText, 5, NULL, NULL
Invoke wsprintf, Addr guidText, Addr formatGUID2, ProviderId.Data3
Invoke WriteConsoleA, HandleConsola, Addr guidText, 5, NULL, NULL
Invoke wsprintf, Addr guidText, Addr formatGUID3, ProviderId.Data4 [0]
Invoke WriteConsoleA, HandleConsola, Addr guidText, 2, NULL, NULL
Invoke wsprintf, Addr guidText, Addr formatGUID3, ProviderId.Data4 [1]
Invoke WriteConsoleA, HandleConsola, Addr guidText, 2, NULL, NULL
Invoke wsprintf, Addr guidText, Addr formatGUID3, ProviderId.Data4 [2]
Invoke WriteConsoleA, HandleConsola, Addr guidText, 2, NULL, NULL
Invoke wsprintf, Addr guidText, Addr formatGUID3, ProviderId.Data4 [3]
Invoke WriteConsoleA, HandleConsola, Addr guidText, 2, NULL, NULL
Invoke wsprintf, Addr guidText, Addr formatGUID3, ProviderId.Data4 [4]
Invoke WriteConsoleA, HandleConsola, Addr guidText, 2, NULL, NULL
Invoke wsprintf, Addr guidText, Addr formatGUID3, ProviderId.Data4 [5]
Invoke WriteConsoleA, HandleConsola, Addr guidText, 2, NULL, NULL
Invoke wsprintf, Addr guidText, Addr formatGUID3, ProviderId.Data4 [6]
Invoke WriteConsoleA, HandleConsola, Addr guidText, 2, NULL, NULL
Invoke wsprintf, Addr guidText, Addr formatGUID3, ProviderId.Data4 [7]
Invoke WriteConsoleA, HandleConsola, Addr guidText, 2, NULL, NULL
Invoke ImprimirSaltoDeLinea
Invoke ImprimirSaltoDeLinea
Invoke RtlZeroMemory, Addr TraceProperties, SizeOf EVENT_TRACE_PROPERTIES
; Cargar la biblioteca dinámica wnetapi32.dll
Invoke LoadLibrary, TextStr("Advapi32.dll")
.If Eax
Mov Edi, Eax
Mov HandleLibrary, Eax
; Registramos un proveedor para registro de eventos.
; Invoke GetProcAddress, Edi, TextStr("EventRegister")
; Mov Esi, Eax
;
; Lea Eax, ProviderHandle
; Push Eax
; Push NULL
; Push NULL
; Lea Eax, generatedGuid
; Push Eax
;
; Call Esi
;
; Test Eax, Eax
; Jnz error_exitCinco
; Push Edi
;
; Invoke PasarADecimal, ProviderHandle
; Invoke WriteConsoleA, HandleConsola, Addr tempbuffer, 4, 0, 0
;
; Pop Edi
; Obtener el puntero a la función StartTraceA
; Crear una sesión de ETW
Invoke GetProcAddress, Edi, TextStr("StartTraceA")
Mov Esi, Eax
; Inicializar las propiedades de traza
Mov TraceProperties.Props.Wnode.BufferSize, SizeOf EventTracePropertyData
Mov TraceProperties.Props.Wnode.ClientContext, 2
Mov TraceProperties.Props.Wnode.Flags, WNODE_FLAG_TRACED_GUID
Push Esi
Push Edi
; Copia el GUID generado a la estructura WNODE_HEADER
Mov Eax, generatedGuid.Data1
Mov TraceProperties.Props.Wnode.Guidx.Data1, Eax
Mov Ax, generatedGuid.Data2
Mov TraceProperties.Props.Wnode.Guidx.Data2, Ax
Mov Ax, generatedGuid.Data3
Mov TraceProperties.Props.Wnode.Guidx.Data3, Ax
; Copia el GUID generado a la estructura WNODE_HEADER
Lea Esi, generatedGuid.Data4
Lea Edi, TraceProperties.Props.Wnode.Guidx.Data4
Mov Ecx, 8
Rep Movsb
Pop Edi
Pop Esi
Mov TraceProperties.Props.LogFileMode, EVENT_TRACE_FILE_MODE_SEQUENTIAL + EVENT_TRACE_INDEPENDENT_SESSION_MODE ;+ EVENT_TRACE_NO_PER_PROCESSOR_BUFFERING + EVENT_TRACE_INDEPENDENT_SESSION_MODE
Mov TraceProperties.Props.MinimumBuffers, 64
Mov TraceProperties.Props.MaximumBuffers, 320
Mov TraceProperties.Props.LoggerNameOffset, SizeOf TraceProperties - 1036
Mov TraceProperties.Props.LogFileNameOffset, SizeOf TraceProperties - 12
Lea Eax, TraceProperties.Props ;.Props
Push Eax
Lea Eax, LoggerNameAux
Push Eax
Lea Eax, sessionHandle
Push Eax
Call Esi
Test Eax, Eax
Jnz error_exit
Push Esi
Push Edi
; Comprobamos que el handle de sesion es correcto.
Xor Eax, Eax
Mov Eax, sessionHandle
Test Eax, Eax
Jz Error_HandleSesion
AsigText StartTraceA, "[+] StartTraceA Correcto."
Invoke WriteConsoleA, HandleConsola, Addr StartTraceA, 25, 0, 0
Invoke ImprimirSaltoDeLinea
AsigText StartTraceAHandle, " Handle:"
Invoke WriteConsoleA, HandleConsola, Addr StartTraceAHandle, 11, 0, 0
Invoke PasarADecimal, sessionHandle
Invoke WriteConsoleA, HandleConsola, Addr tempbuffer, 4, 0, 0
Invoke ImprimirSaltoDeLinea
AsigText WnodeGUID, " GUID:"
Invoke WriteConsoleA, HandleConsola, Addr WnodeGUID, 9, 0, 0
Invoke wsprintf, Addr guidText, Addr formatGUID1, TraceProperties.Props.Wnode.Guidx.Data1
Invoke WriteConsoleA, HandleConsola, Addr guidText, 9, NULL, NULL
Invoke wsprintf, Addr guidText, Addr formatGUID2, TraceProperties.Props.Wnode.Guidx.Data2
Invoke WriteConsoleA, HandleConsola, Addr guidText, 5, NULL, NULL
Invoke wsprintf, Addr guidText, Addr formatGUID2, TraceProperties.Props.Wnode.Guidx.Data3
Invoke WriteConsoleA, HandleConsola, Addr guidText, 5, NULL, NULL
Invoke wsprintf, Addr guidText, Addr formatGUID3, TraceProperties.Props.Wnode.Guidx.Data4 [0]
Invoke WriteConsoleA, HandleConsola, Addr guidText, 2, NULL, NULL
Invoke wsprintf, Addr guidText, Addr formatGUID3, TraceProperties.Props.Wnode.Guidx.Data4 [1]
Invoke WriteConsoleA, HandleConsola, Addr guidText, 2, NULL, NULL
Invoke wsprintf, Addr guidText, Addr formatGUID3, TraceProperties.Props.Wnode.Guidx.Data4 [2]
Invoke WriteConsoleA, HandleConsola, Addr guidText, 2, NULL, NULL
Invoke wsprintf, Addr guidText, Addr formatGUID3, TraceProperties.Props.Wnode.Guidx.Data4 [3]
Invoke WriteConsoleA, HandleConsola, Addr guidText, 2, NULL, NULL
Invoke wsprintf, Addr guidText, Addr formatGUID3, TraceProperties.Props.Wnode.Guidx.Data4 [4]
Invoke WriteConsoleA, HandleConsola, Addr guidText, 2, NULL, NULL
Invoke wsprintf, Addr guidText, Addr formatGUID3, TraceProperties.Props.Wnode.Guidx.Data4 [5]
Invoke WriteConsoleA, HandleConsola, Addr guidText, 2, NULL, NULL
Invoke wsprintf, Addr guidText, Addr formatGUID3, TraceProperties.Props.Wnode.Guidx.Data4 [6]
Invoke WriteConsoleA, HandleConsola, Addr guidText, 2, NULL, NULL
Invoke wsprintf, Addr guidText, Addr formatGUID3, TraceProperties.Props.Wnode.Guidx.Data4 [7]
Invoke WriteConsoleA, HandleConsola, Addr guidText, 2, NULL, NULL
Invoke ImprimirSaltoDeLinea
AsigText WnodeBufferSize, " BufferSize:"
Invoke WriteConsoleA, HandleConsola, Addr WnodeBufferSize, 15, 0, 0
Invoke PasarADecimal, TraceProperties.Props.BufferSize
Invoke WriteConsoleA, HandleConsola, Addr tempbuffer, 2, 0, 0
Invoke ImprimirSaltoDeLinea
AsigText WnodeName, " Name:"
Invoke WriteConsoleA, HandleConsola, Addr WnodeName, 9, 0, 0
Invoke WriteConsoleA, HandleConsola, Addr TraceProperties.LoggerName, 12, 0, 0
Invoke ImprimirSaltoDeLinea
; Invoke WriteConsoleA, HandleConsola, Addr TraceProperties.LogFileName, SizeOf TraceProperties.LogFileName, 0, 0
; Invoke ImprimirSaltoDeLinea
Pop Edi
Pop Esi
Jmp exit
; *******************************************************
; Habilitamos el traceo de eventos.
; *******************************************************
; WINEVENT_KEYWORD_PROCESS = 0x10,
; WINEVENT_KEYWORD_THREAD = 0x20,
; WINEVENT_KEYWORD_IMAGE = 0x40,
; WINEVENT_KEYWORD_CPU_PRIORITY = 0x80,
; WINEVENT_KEYWORD_OTHER_PRIORITY = 0x100,
; WINEVENT_KEYWORD_PROCESS_FREEZE = 0x200,
Mov Edi, HandleLibrary
Invoke GetProcAddress, Edi, TextStr("EnableTrace")
Mov Esi, Eax
Push sessionHandle
Lea Eax, ProviderId
Push Eax
Push 4
Push 0
Push 1
; Invoke GetProcAddress, Edi, TextStr("EnableTraceEx2")
; Mov Esi, Eax
;
; Push 0
; Push 0
; Push 0
; Push 0
; Push 5
; Push 1
; Lea Eax, ProviderId
; Push Eax
; Push sessionHandle
Call Esi
Test Eax, Eax
Jnz Error_ExitSeis
Push Edi
Invoke PasarADecimal, 1
Invoke WriteConsoleA, HandleConsola, Addr tempbuffer, 4, 0, 0
Pop Edi
; ******************************************************************
; Armamos el identificador de seguimiento ETW para consumir eventos.
; ******************************************************************
.EndIf
; ; Terminar la sesión de ETW y liberar los recursos
; invoke ControlTrace, NULL, ADDR ETW_SESSION_NAME, ADDR sessionHandle, 2
Jmp exit
error_exit:
; Manejar errores aquí
; Por ejemplo, imprimir un mensaje de error y salir
Invoke PasarADecimal, Eax
Invoke WriteConsoleA, HandleConsola, Addr tempbuffer, 4, 0, 0
AsigText Error1, "Error al iniciar StartTraceA."
Invoke WriteConsoleA, HandleConsola, Addr Error1, 29, 0, 0
Jmp exit
error_exitDos:
; Manejar errores aquí
; Por ejemplo, imprimir un mensaje de error y salir
AsigText Error2, "Error al iniciar EnableTrace."
Invoke WriteConsoleA, HandleConsola, Addr Error2, 29, 0, 0
Jmp exit
error_exitTres:
; Manejar errores aquí
; Por ejemplo, imprimir un mensaje de error y salir
AsigText Error3, "Error al iniciar el procesador de eventos."
Invoke WriteConsoleA, HandleConsola, Addr Error3, 42, 0, 0
Jmp exit
error_exitCuatro:
AsigText Error4, "Error en captura de fundion de proceso de evento."
Invoke WriteConsoleA, HandleConsola, Addr Error4, 49, 0, 0
Jmp exit
error_exitCinco:
Invoke PasarADecimal, Eax
Invoke WriteConsoleA, HandleConsola, Addr tempbuffer, 4, 0, 0
AsigText Error8, "Erron al iniciar EventRegister."
Invoke WriteConsoleA, HandleConsola, Addr Error8, 31, 0, 0
Jmp exit
Error_ExitSeis:
Invoke PasarADecimal, Eax
Invoke WriteConsoleA, HandleConsola, Addr tempbuffer, 4, 0, 0
AsigText Error6, "Erron al iniciar EnableTraceEx2."
Invoke WriteConsoleA, HandleConsola, Addr Error6, 32, 0, 0
Jmp exit
Error_ExitSiete:
Invoke PasarADecimal, Eax
Invoke WriteConsoleA, HandleConsola, Addr tempbuffer, 4, 0, 0
AsigText Error9, "Erron al iniciar CreandoGUID."
Invoke WriteConsoleA, HandleConsola, Addr Error9, 29, 0, 0
Jmp exit
guid_invalido:
AsigText Error10, "Erron validar GUID."
Invoke WriteConsoleA, HandleConsola, Addr Error10, 19, 0, 0
Jmp exit
Error_HandleSesion:
AsigText Error11, "Erron validar Handle Sesion."
Invoke WriteConsoleA, HandleConsola, Addr Error11, 28, 0, 0
Jmp exit
Error_ExitOcho:
Invoke GetLastError
Invoke PasarADecimal, Eax
Invoke WriteConsoleA, HandleConsola, Addr tempbuffer, 4, 0, 0
AsigText Error13, "Error en OpenTraceA."
Invoke WriteConsoleA, HandleConsola, Addr Error13, 20, 0, 0
Jmp exit
Error_ExitNueve:
Invoke PasarADecimal, Eax
Invoke WriteConsoleA, HandleConsola, Addr tempbuffer, 4, 0, 0
AsigText Error14, "Error en ProcessTrace."
Invoke WriteConsoleA, HandleConsola, Addr Error14, 22, 0, 0
Jmp exit
Error_ExitDiez:
Invoke PasarADecimal, Eax
Invoke WriteConsoleA, HandleConsola, Addr tempbuffer, 4, 0, 0
AsigText Error15, "Error en ControlTraceA."
Invoke WriteConsoleA, HandleConsola, Addr Error15, 23, 0, 0
Jmp exitFinal
exit:
;Invoke Sleep, 30000
Mov Edi, HandleLibrary
; Invoke GetProcAddress, Edi, TextStr("StopTrace")
; Test Eax, Eax
; Jz exitFinal
;
; Mov Esi, Eax
;
; Push NULL
; Push sessionHandle
Mov TraceProperties.Props.LogFileNameOffset, 0
Invoke GetProcAddress, Edi, TextStr("ControlTraceA")
Test Eax, Eax
Jz exitFinal
Mov Esi, Eax
Push EVENT_TRACE_CONTROL_QUERY ;EVENT_TRACE_CONTROL_STOP
Lea Eax, TraceProperties
Push Eax
;Lea Eax, LoggerNameAux
Push NULL
Push sessionHandle
Call Esi
Test Eax, Eax
Jnz Error_ExitDiez
exitFinal:
AsigText SalidaPrograma, "Fin programa."
Invoke WriteConsoleA, HandleConsola, Addr SalidaPrograma, 13, 0, 0
Invoke ExitProcess, 0
ProcessEvent Proc Uses Ebx Esi Edi, pEvent:Ptr EVENT_RECORD
AsigText Error12, "Entra captura."
Invoke WriteConsoleA, HandleConsola, Addr Error12, 14, 0, 0
Ret
ProcessEvent EndP
PasarADecimal Proc Valor:DWord
Push Esi
Push Edi
Mov Esi, Valor
Mov Edi, Offset tempbuffer
Invoke dwtoa, Esi, Edi
Pop Edi
Pop Esi
Ret
PasarADecimal EndP
ImprimirSaltoDeLinea Proc
; Imprime un retorno de carro (CR) y una nueva línea (LF) en la consola
Invoke WriteConsole, HandleConsola, Addr CarroDeRetorno, 1, 0, 0
Invoke WriteConsole, HandleConsola, Addr NuevaLinea, 1, 0, 0
Ret
ImprimirSaltoDeLinea EndP
End start
I haven't tried your code yet ( it's still not complete, btw ), but caught 2 things
a) is LARGE_INTEGER indeed defined as a qword?
b) this calculations
Mov TraceProperties.Props.LoggerNameOffset, SizeOf TraceProperties - 1036
Mov TraceProperties.Props.LogFileNameOffset, SizeOf TraceProperties - 12
are correct (I guess), but the proper way to do this is:
Mov TraceProperties.Props.LoggerNameOffset, EventTracePropertyData.LoggerName
Mov TraceProperties.Props.LogFileNameOffset, EventTracePropertyData.LogFileName
Well, it's a small example, I haven't completed it because I can't get past 'controltraceA', as you can see. Regarding the calculation question, according to Microsoft, you have to provide the starting offset of the buffer where 'starttraceA' will store the name of the event logger and the buffer for the event file name.
EventTracePropertyData Struct
Props EVENT_TRACE_PROPERTIES <>
Padding DB 4 Dup(0) ; Cuadramos alineacion.
LoggerName DB 1024 Dup (0)
LogFileName DB 'Frailog.etl', 0
EventTracePropertyData EndS
1024 buffer to store the session name and 12 for the event file name, making 1036 the start of the first buffer. That's why the calculation.
EventTracePropertyData Struct
Props EVENT_TRACE_PROPERTIES <>
Padding DB 4 Dup(0) ; Cuadramos alineacion.
LoggerName DB 1024 Dup (0)
LogFileName DB 'Frailog.etl', 0
EventTracePropertyData EndS
.
.
.
Mov TraceProperties.Props.LoggerNameOffset, SizeOf TraceProperties - 1036
Mov TraceProperties.Props.LogFileNameOffset, SizeOf TraceProperties - 12
Padding db 4 dup(0), it's because of the alignment issue, it doesn't allow the session name to start at the beginning of the LoggerName buffer.
(https://i.postimg.cc/Lh3m5j1k/2.png) (https://postimg.cc/Lh3m5j1k)
Quote from: Fraile on March 09, 2024, 07:02:06 AM1024 buffer to store the session name and 12 for the event file name, making 1036 the start of the first buffer. That's why the calculation.
I understand the calculation. I proposed the "proper way", because it does the same thing WITHOUT having to do calculations - because expression STRUCTNAME.MEMBERNAME actually returns the offset of the member within the struct.
Ah!! Right, you're correct. But the reason why I can't use EnableTraceEx, or EnableTraceEx, ControlTraceA to stop the session initiated with StartTraceA... I just can't seem to figure out the error. I've realized that a possible issue might be the size of the buffer defined in "Mov TraceProperties.Props.Wnode.BufferSize, SizeOf EventTracePropertyData". Playing with the code and altering the buffer, the function that used to work, EnableTrace (obsolete), fails if it's not given the correct configuration. This could possibly be what's causing the other mentioned functions to fail...
Which version of Windows are you using? Different functions are in different DLLs, are you looking in the right place?
Quote from: EnableTraceEx2 functionSechost.dll on Windows 8.1 and Windows Server 2012 R2; Advapi32.dll on Windows 8, Windows Server 2012, Windows 7 and Windows Server 2008 R2
Quote from: Fraile on March 09, 2024, 10:50:19 PMAh!! Right, you're correct. But the reason why I can't use EnableTraceEx, or EnableTraceEx, ControlTraceA to stop the session initiated with StartTraceA... I just can't seem to figure out the error. I've realized that a possible issue might be the size of the buffer defined in "Mov TraceProperties.Props.Wnode.BufferSize, SizeOf EventTracePropertyData".
The simple fact that you have to add "padding bytes" to your structure is a sign that there's something wrong with the struct's definition.
Try to create and post a listing file...
Yes, that's correct, but the thing is that the structures seem to be fine, both in C and in masm32 they have the same number of bits. I'm at a loss...
It's just that we're only talking about two structures... it's got me really puzzled
Sinsi, I'm working with Windows 10.
OK, so EnableTraceEx2 would be found in sechost.dll but I think you're looking in advapi32.
In Microsoft documentation:
Library Sechost.lib on Windows 8.1 and Windows Server 2012 R2; Advapi32.lib on Windows 8, Windows Server 2012, Windows 7, and Windows Server 2008 R2
DLL Sechost.dll on Windows 8.1 and Windows Server 2012 R2; Advapi32.dll on Windows 8, Windows Server 2012, Windows 7, and Windows Server 2008 R2
My idea is simply to open a session with StartTraceA, which seems to be working fine (apparently), and close it with ControlTraceA. This way, I'll know I'm on the right track. Right now, opening it seems to be working, as I confirm with "D:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit>xperf -loggers". Or, I could use EnableTraceEx...
Example in C
// ETW CLR Tracker, by aaaddress1@chroot.org
// rewrite from post "Hiding your .NET - ETW"
// URL: https://blog.xpnsec.com/hiding-your-dotnet-etw/
#define AssemblyDCStart_V1 155
#define AssemblyLoad_V1 154
#define MethodLoadVerbose_V1 143
#include <windows.h>
#include <stdio.h>
#include <wbemidl.h>
#include <wmistr.h>
#include <evntrace.h>
#include <Evntcons.h>
static GUID ClrRuntimeProviderGuid = { 0xe13c0d23, 0xccbc, 0x4e12, { 0x93, 0x1b, 0xd9, 0xcc, 0x2e, 0xee, 0x27, 0xe4 } };
// Can be stopped with 'logman stop "dotnet trace" -ets'
const char name[] = "dotnet trace\0";
#pragma pack(1)
typedef struct _AssemblyLoadUnloadRundown_V1
{
ULONG64 AssemblyID;
ULONG64 AppDomainID;
ULONG64 BindingID;
ULONG AssemblyFlags;
WCHAR FullyQualifiedAssemblyName[1];
} AssemblyLoadUnloadRundown_V1, * PAssemblyLoadUnloadRundown_V1;
typedef struct _MethodLoadVerbose_V1
{
ULONG64 MethodID;
ULONG64 ModuleID;
ULONG64 MethodStartAddress;
DWORD MethodSize;
DWORD MethodToken;
DWORD MethodFlags;
WCHAR MethodNameSpace[1];
} MethodLoadUnloadVerbose_V1, * PMethodLoadUnloadVerbose_V1;
#pragma pack()
static void NTAPI ProcessEvent(PEVENT_RECORD EventRecord) {
PEVENT_HEADER eventHeader = &EventRecord->EventHeader;
PEVENT_DESCRIPTOR eventDescriptor = &eventHeader->EventDescriptor;
AssemblyLoadUnloadRundown_V1* assemblyUserData;
MethodLoadUnloadVerbose_V1* methodUserData;
switch (eventDescriptor->Id) {
case AssemblyLoad_V1:
assemblyUserData = (AssemblyLoadUnloadRundown_V1*)EventRecord->UserData;
wprintf(L"[%d] - Assembly: %s\n", eventHeader->ProcessId, assemblyUserData->FullyQualifiedAssemblyName);
break;
/*case MethodLoadVerbose_V1:
methodUserData = (struct _MethodLoadVerbose_V1*)EventRecord->UserData;
WCHAR* MethodNameSpace = methodUserData->MethodNameSpace;
WCHAR* MethodName = (WCHAR*)(((char*)methodUserData->MethodNameSpace) + (lstrlenW(methodUserData->MethodNameSpace) * 2) + 2);
WCHAR* MethodSignature = (WCHAR*)(((char*)MethodName) + (lstrlenW(MethodName) * 2) + 2);
wprintf(L"[%d] - MethodNameSpace: %s\n", eventHeader->ProcessId, methodUserData->MethodNameSpace);
wprintf(L"[%d] - MethodName: %s\n", eventHeader->ProcessId, MethodName);
wprintf(L"[%d] - MethodSignature: %s\n", eventHeader->ProcessId, MethodSignature);
break;*/
}
}
int main(void)
{
TRACEHANDLE hTrace = 0;
ULONG result, bufferSize;
EVENT_TRACE_LOGFILEA trace;
EVENT_TRACE_PROPERTIES* traceProp;
printf("ETW .NET Trace example - @_xpn_\n\n");
memset(&trace, 0, sizeof(EVENT_TRACE_LOGFILEA));
trace.ProcessTraceMode = PROCESS_TRACE_MODE_REAL_TIME | PROCESS_TRACE_MODE_EVENT_RECORD;
trace.LoggerName = (LPSTR)name;
trace.EventRecordCallback = (PEVENT_RECORD_CALLBACK)ProcessEvent;
bufferSize = sizeof(EVENT_TRACE_PROPERTIES) + sizeof(name) + sizeof(WCHAR);
traceProp = (EVENT_TRACE_PROPERTIES*)LocalAlloc(LPTR, bufferSize);
traceProp->Wnode.BufferSize = bufferSize;
traceProp->Wnode.ClientContext = 2;
traceProp->Wnode.Flags = WNODE_FLAG_TRACED_GUID;
traceProp->LogFileMode = EVENT_TRACE_REAL_TIME_MODE | EVENT_TRACE_USE_PAGED_MEMORY;
traceProp->LogFileNameOffset = 0;
traceProp->LoggerNameOffset = sizeof(EVENT_TRACE_PROPERTIES);
if ((result = StartTraceA(&hTrace, (LPCSTR)name, traceProp)) != ERROR_SUCCESS) {
printf("[!] Error starting trace: %d\n", result);
return 1;
}
if ((result = EnableTraceEx(
&ClrRuntimeProviderGuid,
NULL,
hTrace,
1,
TRACE_LEVEL_VERBOSE,
0x8 | 0x10, // LoaderKeyword | JITKeyword
0,
0,
NULL
)) != ERROR_SUCCESS) {
printf("[!] Error EnableTraceEx\n");
return 2;
}
hTrace = OpenTraceA(&trace);
if (hTrace == INVALID_PROCESSTRACE_HANDLE) {
printf("[!] Error OpenTrace\n");
return 3;
}
result = ProcessTrace(&hTrace, 1, NULL, NULL);
if (result != ERROR_SUCCESS) {
printf("[!] Error ProcessTrace\n");
return 4;
}
return 0;
}
I think I've got it now. I can create a session with StartTraceA and close it with ControlTraceA. One of the issues is the alignment, as I've already mentioned. The other problem is the variable passed to StartTraceA, 'sessionHandle.' This variable has to be of type Qword and needs to be moved onto the stack in the following way:
:eusa_boohoo: :eusa_dance:
..
Invoke GetProcAddress, Edi, TextStr("EnableTraceEx2")
Mov Esi, Eax
Push 0
Push 0
Push 0
Push 0
Push 4
Push 1
Lea Eax, ProviderId
Push Eax
Push DWord Ptr [sessionHandle + 4]
Push DWord Ptr [sessionHandle]
Call Esi
..
I'm still working on the project. The idea is to capture Windows security events, such as connection attempts...
hi,Fraile
this translated from your c codes.
win64,No errors happened. but i don't know whether it works.
option casemap:none
option win64:7
include \UASM64\include\windows.inc
includelib \UASM64\Lib\user32.lib
includelib \UASM64\Lib\kernel32.lib
includelib \UASM64\Lib\Advapi32.lib
AssemblyLoadUnloadRundown_V1 STRUCT
AssemblyID ULONG64 ?
AppDomainID ULONG64 ?
BindingID ULONG64 ?
AssemblyFlags DWORD ?
FullyQualifiedAssemblyName WCHAR 1 dup(?)
AssemblyLoadUnloadRundown_V1 ENDS
PAssemblyLoadUnloadRundown_V1 typedef ptr AssemblyLoadUnloadRundown_V1
_MethodLoadVerbose_V1 STRUCT
MethodID ULONG64 ?
ModuleID ULONG64 ?
MethodStartAddress ULONG64 ?
MethodSize DWORD ?
MethodToken DWORD ?
MethodFlags DWORD ?
MethodNameSpace WCHAR 1 dup(?)
_MethodLoadVerbose_V1 ENDS
PMethodLoadUnloadVerbose_V1 typedef ptr _MethodLoadVerbose_V1
ETW_BUFFER_CONTEXT STRUCT
union DUMMYUNIONNAME
STRUCT DUMMYSTRUCTNAME
ProcessorNumber BYTE ?
Alignment BYTE ?
ENDS
ProcessorIndex WORD ?
ENDS
LoggerId WORD ?
ETW_BUFFER_CONTEXT ENDS
PETW_BUFFER_CONTEXT typedef ptr ETW_BUFFER_CONTEXT
EVENT_DESCRIPTOR STRUCT
Id WORD ?
Version BYTE ?
Channel BYTE ?
Level BYTE ?
Opcode BYTE ?
Task WORD ?
Keyword REAL8 ?
EVENT_DESCRIPTOR ENDS
PEVENT_DESCRIPTOR typedef ptr EVENT_DESCRIPTOR
EVENT_HEADER STRUCT
size1 WORD ? ; Event Size
HeaderType WORD ? ; Header Type
Flags WORD ? ; Flags
EventProperty WORD ? ; User given event property
ThreadId DWORD ? ; Thread Id
ProcessId DWORD ? ; Process Id
TimeStamp LARGE_INTEGER <> ; Event Timestamp
ProviderId GUID <> ; Provider Id
EventDescriptor EVENT_DESCRIPTOR <> ; Event Descriptor
union DUMMYUNIONNAME
STRUCT DUMMYSTRUCTNAME
KernelTime DWORD ? ; Kernel Mode CPU ticks
UserTime DWORD ? ; User mode CPU ticks
ENDS
ProcessorTime QWORD ? ; Processor Clock
ENDS
ActivityId GUID <> ; Activity Id
EVENT_HEADER ENDS
PEVENT_HEADER typedef ptr EVENT_HEADER
EVENT_RECORD STRUCT
EventHeader EVENT_HEADER <> ; Event header
BufferContext ETW_BUFFER_CONTEXT <> ; Buffer context
ExtendedDataCount WORD ? ; Number of extended
UserDataLength WORD ? ; User data length
ExtendedData QWORD ? ; extended data items
UserData QWORD ? ; Pointer to user data
UserContext QWORD ? ; Context from OpenTrace
EVENT_RECORD ENDS
PEVENT_RECORD typedef ptr EVENT_RECORD
EVENT_TRACE_HEADER STRUCT
size1 WORD ? ; Size of entire record
union DUMMYUNIONNAME
FieldTypeFlags WORD ? ; Indicates valid fields
STRUCT DUMMYSTRUCTNAME
HeaderType BYTE ? ; Header type - internal use only
MarkerFlags BYTE ? ; Marker - internal use only
ENDS
ENDS
union DUMMYUNIONNAME2
Version DWORD ?
STRUCT Class
type1 BYTE ? ; event type
Level BYTE ? ; trace instrumentation level
Version WORD ? ; version of trace record
ENDS
ENDS
ThreadId DWORD ? ; Thread Id
ProcessId DWORD ? ; Process Id
TimeStamp LARGE_INTEGER <> ; time when event happens
union DUMMYUNIONNAME3
Guid GUID <> ; Guid that identifies event
GuidPtr ULONGLONG ? ; use with WNODE_FLAG_USE_GUID_PTR
ENDS
union DUMMYUNIONNAME4
STRUCT DUMMYSTRUCTNAME5
KernelTime DWORD ? ; Kernel Mode CPU ticks
UserTime DWORD ? ; User mode CPU ticks
ENDS
ProcessorTime QWORD ? ; Processor Clock
STRUCT DUMMYSTRUCTNAME6
ClientContext DWORD ? ; Reserved
_Flags DWORD ? ; Event Flags
ENDS
ENDS
EVENT_TRACE_HEADER ENDS
PEVENT_TRACE_HEADER typedef ptr EVENT_TRACE_HEADER
EVENT_TRACE STRUCT
Header EVENT_TRACE_HEADER <> ; Event trace header
InstanceId DWORD ? ; Instance Id of this event
ParentInstanceId DWORD ? ; Parent Instance Id.
ParentGuid GUID <> ; Parent Guid;
MofData QWORD ? ; Pointer to Variable Data
MofLength DWORD ? ; Variable Datablock Length
union DUMMYUNIONNAME
ClientContext DWORD ?
BufferContext ETW_BUFFER_CONTEXT <>
ENDS
EVENT_TRACE ENDS
PEVENT_TRACE typedef ptr EVENT_TRACE
TRACE_LOGFILE_HEADER STRUCT
BufferSize DWORD ? ; Logger buffer size in Kbytes
union DUMMYUNIONNAME
Version DWORD ? ; Logger version
STRUCT VersionDetail
MajorVersion BYTE ?
MinorVersion BYTE ?
SubVersion BYTE ?
SubMinorVersion BYTE ?
ENDS
ENDS
ProviderVersion DWORD ? ; defaults to NT version
NumberOfProcessors DWORD ? ; Number of Processors
EndTime LARGE_INTEGER <> ; Time when logger stops
TimerResolution DWORD ? ; assumes timer is constant!!!
MaximumFileSize DWORD ? ; Maximum in Mbytes
LogFileMode DWORD ? ; specify logfile mode
BuffersWritten DWORD ? ; used to file start of Circular File
union DUMMYUNIONNAME2
LogInstanceGuid GUID <> ; For RealTime Buffer Delivery
STRUCT DUMMYSTRUCTNAME
StartBuffers DWORD ? ; Count of buffers written at start.
PointerSize DWORD ? ; Size of pointer type in bits
EventsLost DWORD ? ; Events losts during log session
CpuSpeedInMHz DWORD ? ; Cpu Speed in MHz
ENDS
ENDS
;IF DEFINED(_WMIKM_) ;ring0
;LoggerName QWORD ?
;LogFileName QWORD ?
;TimeZone RTL_TIME_ZONE_INFORMATION ?
;ELSE ;ring3
LoggerName QWORD ?
LogFileName QWORD ?
TimeZone TIME_ZONE_INFORMATION <>
;ENDIF
BootTime LARGE_INTEGER <>
PerfFreq LARGE_INTEGER <> ; Reserved
StartTime LARGE_INTEGER <> ; Reserved
ReservedFlags DWORD ? ; ClockType
BuffersLost DWORD ?
TRACE_LOGFILE_HEADER ENDS
PTRACE_LOGFILE_HEADER typedef ptr TRACE_LOGFILE_HEADER
EVENT_TRACE_LOGFILEA STRUCT
LogFileName QWORD ? ; Logfile Name
LoggerName QWORD ? ; LoggerName
CurrentTime LONGLONG ? ; timestamp of last event
BuffersRead ULONG ? ; buffers read to date
union DUMMYUNIONNAME
LogFileMode DWORD ? ; Mode of the logfile
ProcessTraceMode DWORD ? ; Processing flags
ENDS
CurrentEvent EVENT_TRACE <> ; Current Event from this stream
LogfileHeader TRACE_LOGFILE_HEADER <> ; logfile header structure
BufferCallback QWORD ? ; is read
BufferSize DWORD ?
Filled DWORD ?
EventsLost DWORD ?
union DUMMYUNIONNAME2
EventCallback QWORD ? ; callback for every event
EventRecordCallback QWORD ?
ENDS
IsKernelTrace DWORD ? ; TRUE for kernel logfile
Context QWORD ? ; reserved for internal use
EVENT_TRACE_LOGFILEA ENDS
PEVENT_TRACE_LOGFILEA typedef ptr EVENT_TRACE_LOGFILEA
WNODE_HEADER STRUCT
BufferSize DWORD ? ; Size of entire buffer inclusive of this ULONG
ProviderId DWORD ? ; Provider Id of driver returning this buffer
union DUMMYUNIONNAME
HistoricalContext QWORD ? ; Logger use
STRUCT DUMMYSTRUCTNAME
Version DWORD ? ; Reserved
Linkage DWORD ? ; Linkage field reserved for WMI
ENDS
ENDS
union DUMMYUNIONNAME2
CountLost DWORD ? ; Reserved
KernelHandle HANDLE ? ; Kernel handle for data block
TimeStamp LARGE_INTEGER <> ; Timestamp as returned in units of 100ns
ENDS
Guid GUID <> ; Guid for data block returned with results
ClientContext DWORD ?
Flags DWORD ? ; Flags, see below
WNODE_HEADER ENDS
EVENT_TRACE_PROPERTIES STRUCT
Wnode WNODE_HEADER <>
BufferSize DWORD ? ; buffer size for logging (kbytes)
MinimumBuffers DWORD ? ; minimum to preallocate
MaximumBuffers DWORD ? ; maximum buffers allowed
MaximumFileSize DWORD ? ; maximum logfile size (in MBytes)
LogFileMode DWORD ? ; sequential, circular
FlushTimer DWORD ? ; buffer flush timer, in seconds
EnableFlags DWORD ? ; trace enable flags
union DUMMYUNIONNAME
AgeLimit DWORD ? ; unused
FlushThreshold DWORD ? ; Number of buffers to fill before flushing
ENDS
NumberOfBuffers DWORD ? ; no of buffers in use
FreeBuffers DWORD ? ; no of buffers free
EventsLost DWORD ? ; event records lost
BuffersWritten DWORD ? ; no of buffers written to file
LogBuffersLost DWORD ? ; no of logfile write failures
RealTimeBuffersLost DWORD ? ; no of rt delivery failures
LoggerThreadId HANDLE ? ; thread id of Logger
LogFileNameOffset DWORD ? ; Offset to LogFileName
LoggerNameOffset DWORD ? ; Offset to LoggerName
EVENT_TRACE_PROPERTIES ENDS
PEVENT_TRACE_PROPERTIES typedef ptr EVENT_TRACE_PROPERTIES
_StartTraceA typedef PROTO TraceHandle:QWORD,InstanceName:QWORD,Properties:QWORD
@StartTraceA typedef ptr _StartTraceA
_EnableTraceEx typedef PROTO ProviderId:QWORD,SourceId:QWORD,TraceHandle:QWORD,IsEnabled:DWORD,Level:DWORD,MatchAnyKeyword:DWORD,MatchAllKeyword:DWORD,EnableProperty:DWORD,EnableFilterDesc:QWORD
@EnableTraceEx typedef ptr _EnableTraceEx
_OpenTraceA typedef PROTO Logfile:QWORD
@OpenTraceA typedef ptr _OpenTraceA
_ProcessTrace typedef PROTO HandleArray:QWORD,HandleCount:DWORD,StartTime:QWORD,EndTime:QWORD
@ProcessTrace typedef ptr _ProcessTrace
.const
IDD_DIALOG equ 100
IDI_ICON equ 200
IDC_TEST equ 3002
IDC_EXIT equ 3003
IDC_OUTPUT equ 3004
AssemblyDCStart_V1 equ 155
AssemblyLoad_V1 equ 154
MethodLoadVerbose_V1 equ 143
PROCESS_TRACE_MODE_REAL_TIME equ < 000000100h>
PROCESS_TRACE_MODE_EVENT_RECORD equ < 010000000h>
WNODE_FLAG_TRACED_GUID equ < 000020000h>
EVENT_TRACE_REAL_TIME_MODE equ < 000000100h>
EVENT_TRACE_USE_PAGED_MEMORY equ < 001000000h>
TRACE_LEVEL_VERBOSE equ < 5>
.data
Name db "dotnet trace",0
;GUID { 0xe13c0d23, 0xccbc, 0x4e12, { 0x93, 0x1b, 0xd9, 0xcc, 0x2e, 0xee, 0x27, 0xe4 } }
ClrRuntimeProviderGuid \
dd 0e13c0d23h
dw 0ccbch
dw 04e12h
db 093h, 01bh, 0d9h, 0cch, 02eh, 0eeh, 027h, 0e4h
.data?
hUserDll dq ?
hInstance HINSTANCE ?
hMain dq ?
hHeap dq ?
pStartTraceA @StartTraceA ?
pEnableTraceEx @EnableTraceEx ?
pOpenTraceA @OpenTraceA ?
pProcessTrace @ProcessTrace ?
.code
ErrorMessage Proc uses rbx lpCaption:qword
Local lpErrorMessage:QWORD
call GetLastError
lea rbx,lpErrorMessage
invoke FormatMessage, FORMAT_MESSAGE_ALLOCATE_BUFFER or FORMAT_MESSAGE_FROM_SYSTEM, NULL, eax, LANG_NEUTRAL,rbx,0,NULL
invoke MessageBox, 0, lpErrorMessage, lpCaption, MB_OK or MB_ICONINFORMATION
invoke LocalFree, lpErrorMessage
ret
ErrorMessage EndP
GetTraceApiFunctions proc
invoke LoadLibrary,CStr("Advapi32.dll")
.if rax
mov hUserDll,rax
invoke GetProcAddress,hUserDll,CStr("StartTraceA")
mov pStartTraceA,rax
.if rax == NULL
invoke ErrorMessage,CStr("StartTraceA")
jmp @Err
.endif
invoke GetProcAddress,hUserDll,CStr("EnableTraceEx")
mov pEnableTraceEx,rax
.if rax == NULL
invoke ErrorMessage,CStr("EnableTraceEx")
jmp @Err
.endif
invoke GetProcAddress,hUserDll,CStr("OpenTraceA")
mov pOpenTraceA,rax
.if rax == NULL
invoke ErrorMessage,CStr("OpenTraceA")
jmp @Err
.endif
invoke GetProcAddress,hUserDll,CStr("ProcessTrace")
mov pProcessTrace,rax
.if rax == NULL
invoke ErrorMessage,CStr("ProcessTrace")
jmp @Err
.endif
.else
invoke MessageBox,NULL,CStr("Advapi32.dll load Failed"),CStr("GetModuleHandle"),MB_OK
jmp @Err
.endif
mov rax,0
ret
@Err:
mov rax,1
ret
GetTraceApiFunctions endp
AddLog proc pStr:QWORD
invoke SendDlgItemMessage, hMain,IDC_OUTPUT,EM_GETLINECOUNT,0,0
dec rax
invoke SendDlgItemMessage, hMain,IDC_OUTPUT,EM_LINEINDEX,rax,0
invoke SendDlgItemMessage, hMain,IDC_OUTPUT,EM_SETSEL,rax,rax
invoke SendDlgItemMessage, hMain,IDC_OUTPUT,EM_REPLACESEL,FALSE,pStr
invoke SendDlgItemMessage, hMain,IDC_OUTPUT, EM_SCROLLCARET, 0, 0
ret
AddLog endp
ProcessEvent proc uses rbx rsi rdi EventRecord:PEVENT_RECORD
Local eventHeader:PEVENT_HEADER
Local eventDescriptor:PEVENT_DESCRIPTOR
Local assemblyUserData:AssemblyLoadUnloadRundown_V1
Local methodUserData:_MethodLoadVerbose_V1
Local MethodNameSpace:QWORD
Local MethodName:QWORD
Local MethodSignature:QWORD
Local szTmpBuf[1024]:BYTE
Local szTmpBuf1[128]:BYTE
invoke RtlZeroMemory,ADDR szTmpBuf,sizeof szTmpBuf
mov rbx,EventRecord
mov rax,(EVENT_RECORD PTR [rbx]).EventHeader
mov eventHeader,rax
mov rsi,eventHeader
lea rax,(EVENT_HEADER PTR [rsi]).EventDescriptor
mov eventDescriptor,rax
mov rdi,eventDescriptor
mov cx,(EVENT_DESCRIPTOR PTR [rdi]).Id
.if cx == AssemblyLoad_V1
mov rax,(EVENT_RECORD PTR [rbx]).UserData
mov assemblyUserData,rax
invoke wsprintf,addr szTmpBuf,CStr("[%d] - Assembly: %s",13,10),(EVENT_HEADER PTR [rsi]).ProcessId,(AssemblyLoadUnloadRundown_V1 PTR [rax]).FullyQualifiedAssemblyName
invoke AddLog,addr szTmpBuf
;.elseif cx == MethodLoadVerbose_V1 ;/*case MethodLoadVerbose_V1:
; mov rax,(EVENT_RECORD PTR [rbx]).UserData
; mov methodUserData,rax
;
; ;MethodNameSpace = methodUserData->MethodNameSpace
; lea rcx,(_MethodLoadVerbose_V1 PTR [rax]).MethodNameSpace
; mov MethodNameSpace,rcx
;
; lea rsi,methodUserData
; ;MethodName = (WCHAR*)(((char*)methodUserData->MethodNameSpace) + (lstrlenW(methodUserData->MethodNameSpace) * 2) + 2)
; invoke lstrlenW,addr (_MethodLoadVerbose_V1 PTR [rsi]).MethodNameSpace
; shl rax,1 ;*2
; lea rcx,(_MethodLoadVerbose_V1 PTR [rsi]).MethodNameSpace
; add rcx,rax
; add rcx,2
; mov MethodName,rcx
;
; ;MethodSignature = (WCHAR*)(((char*)MethodName) + (lstrlenW(MethodName) * 2) + 2);
; invoke lstrlenW,MethodName
; shl rax,1 ;*2
; mov rcx,MethodName
; add rcx,rax
; add rcx,2
; mov MethodSignature,rcx
;
; mov rbx,eventHeader
; invoke wsprintf,addr szTmpBuf,CStr("[%d] - MethodNameSpace: %s",13,10),(EVENT_HEADER PTR [rbx]).ProcessId,(_MethodLoadVerbose_V1 PTR [rsi]).MethodNameSpace
;
; invoke RtlZeroMemory,ADDR szTmpBuf1,sizeof szTmpBuf1
; invoke wsprintf,addr szTmpBuf1,CStr("[%d] - MethodName: %s",13,10),(EVENT_HEADER PTR [rbx]).ProcessId,MethodName
; invoke lstrcat,addr szTmpBuf,addr szTmpBuf1
;
; invoke RtlZeroMemory,ADDR szTmpBuf1,sizeof szTmpBuf1
; invoke wsprintf,addr szTmpBuf1,CStr("[%d] - MethodSignature: %s",13,10),(EVENT_HEADER PTR [rbx]).ProcessId,MethodSignature
; invoke lstrcat,addr szTmpBuf,addr szTmpBuf1
; invoke AddLog,addr szTmpBuf
.endif
ret
ProcessEvent endp
WorkerThread proc uses rbx szpBuf:QWORD ;int main(void)
Local szTmp[1024]:BYTE
Local hTrace:QWORD
Local result:ULONG
Local bufferSize:ULONG
Local trace:EVENT_TRACE_LOGFILEA
Local traceProp:PEVENT_TRACE_PROPERTIES
invoke AddLog,CStr("ETW .NET Trace example - @_xpn_",13,10)
invoke RtlZeroMemory,ADDR trace,sizeof trace
mov trace.ProcessTraceMode,PROCESS_TRACE_MODE_REAL_TIME or PROCESS_TRACE_MODE_EVENT_RECORD
lea rax,Name
mov trace.LoggerName,rax
lea rax,ProcessEvent
mov trace.EventRecordCallback,rax
mov eax,sizeof Name
add eax,sizeof EVENT_TRACE_PROPERTIES
add eax,sizeof WCHAR
mov bufferSize,eax
invoke HeapAlloc,hHeap,HEAP_ZERO_MEMORY, bufferSize
mov traceProp,rax
mov rbx,traceProp
mov eax,bufferSize
mov (EVENT_TRACE_PROPERTIES PTR [rbx]).Wnode.BufferSize,eax
mov (EVENT_TRACE_PROPERTIES PTR [rbx]).Wnode.ClientContext,2
mov (EVENT_TRACE_PROPERTIES PTR [rbx]).Wnode.Flags,WNODE_FLAG_TRACED_GUID
mov (EVENT_TRACE_PROPERTIES PTR [rbx]).LogFileMode,EVENT_TRACE_REAL_TIME_MODE or EVENT_TRACE_USE_PAGED_MEMORY
mov (EVENT_TRACE_PROPERTIES PTR [rbx]).LogFileNameOffset,0
mov (EVENT_TRACE_PROPERTIES PTR [rbx]).LoggerNameOffset,sizeof EVENT_TRACE_PROPERTIES
invoke pStartTraceA,addr hTrace,addr Name, traceProp
.if rax != ERROR_SUCCESS
invoke ErrorMessage,CStr("StartTraceA")
mov rax,1
ret
.endif
invoke pEnableTraceEx,addr ClrRuntimeProviderGuid,NULL,hTrace,1,\
TRACE_LEVEL_VERBOSE,08h or 010h,0,0,NULL
.if rax != ERROR_SUCCESS
invoke ErrorMessage,CStr("EnableTraceEx")
mov rax,2
ret
.endif
invoke pOpenTraceA,addr trace
.if rax == 0
invoke ErrorMessage,CStr("OpenTraceA")
mov rax,3
ret
.endif
mov hTrace,rax
invoke pProcessTrace,addr hTrace,1,NULL,NULL
.if rax != ERROR_SUCCESS
invoke ErrorMessage,CStr("ProcessTrace")
mov rax,4
ret
.endif
invoke HeapFree,hHeap,HEAP_ZERO_MEMORY,traceProp
mov rax,0
ret
WorkerThread endp
DlgProc proc hWnd:HWND,uMsg:UINT,wParam:WPARAM,lParam:LPARAM
mov eax,uMsg
.if eax==WM_INITDIALOG
invoke LoadIcon,hInstance,IDI_ICON
invoke SendMessage,hWnd,WM_SETICON,ICON_BIG,rax
mov rax,hWnd
mov hMain,rax
invoke GetTraceApiFunctions
invoke GetProcessHeap
mov hHeap, rax
.elseif eax==WM_COMMAND
mov rax,wParam
mov rdx,rax
shr edx,16
.if edx == BN_CLICKED
.if ax==IDC_EXIT
invoke SendMessage,hWnd,WM_CLOSE,0, 0
.elseif ax==IDC_TEST
invoke CreateThread,NULL,NULL,offset WorkerThread,NULL,NULL,NULL
invoke CloseHandle,rax
.endif
.endif
.elseif eax==WM_CLOSE
invoke FreeLibrary,hUserDll
invoke EndDialog,hWnd,0
.endif
xor rax,rax
ret
DlgProc endp
WinMainCRTStartup Proc
invoke GetModuleHandle,NULL
mov hInstance,rax
invoke DialogBoxParam,hInstance,IDD_DIALOG,0,addr DlgProc,0
invoke ExitProcess,NULL
WinMainCRTStartup Endp
end
#include <\UASM64\include\resource.h>
#define IDC_TEST 3002
#define IDC_EXIT 3003
#define IDC_OUTPUT 3004
//>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
100 DIALOGEX 0,0,290,140, 0
STYLE DS_MODALFRAME | DS_CENTER | WS_POPUP | WS_VISIBLE | WS_CAPTION | WS_SYSMENU
CAPTION "Process trace demo"
FONT 9, "Consolas", 700, 0
BEGIN
EDITTEXT IDC_OUTPUT, 2, 2,285, 120,ES_MULTILINE | ES_AUTOVSCROLL | ES_READONLY | WS_BORDER | WS_TABSTOP | WS_VSCROLL
PUSHBUTTON "Test", IDC_TEST, 2,124,30,14,WS_VISIBLE | WS_TABSTOP | BS_PUSHBUTTON
PUSHBUTTON "Exit", IDC_EXIT, 264,124,25,14,WS_VISIBLE | WS_TABSTOP | BS_PUSHBUTTON
END
//>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
200 ICON MOVEABLE PURE LOADONCALL DISCARDABLE "Amain.ICO"
Hello! Thank you very much, "six_L", for your effort. Let me share my idea: I aim to consume ETW events from the "Microsoft-Windows-Security-Auditing" provider with the GUID "{54849625-5478-4994-a5ba-3e3b0328c30d}". I've managed to make StartTraceA work, as well as EnableTraceEx2, and OpenTraceA. In OpenTraceA, I load the "EventRecordCallback" to point to a procedure that will handle the captured events. When calling ProcessTrace, which is responsible for processing and capturing the events, the application waits as expected, as it blocks the thread to collect all possible events. However, in my program, the procedure pointed to by "EventRecordCallback" never gets triggered. I know I'm on the right track because using the "xperf -loggers" utility, I can see that the session is created correctly, and the provider from which I want to consume events is also set up correctly. But I can't get ProcessTrace to trigger the event capture procedure.
In this photo, you can see how the program remains in a waiting state:
foto1.png
Here you can see that everything is properly configured with the "xperf -loggers" utility.
foto2.png
I'm very close to getting it but I'm lost again... Any ideas?
(https://i.postimg.cc/zyJKcyxs/foto2.png) (https://postimg.cc/zyJKcyxs)
Included code, you can open it with Easy Code by Ramon Sala.
FraiETWCap.zip
I'm almost certain that the issue is that the association is not being done correctly:
Lea Eax, ProcessEvent
Mov TraEvent.DUMMYUNIONNAME2.EventRecordCallback, Eax
.
.
.
.
ProcessEvent Proc Uses Ebx Esi Edi, pEvent:EVENT_RECORD
AsigText Error12, "Entra captura."
Invoke WriteConsoleA, HandleConsola, Addr Error12, 14, 0, 0
Ret
ProcessEvent EndP
I think the solution might involve creating a thread and executing ProcessTrace within it. What do you think?
Hi,Fraile
if you'll use the EVENT_RECORD STRUCT,do that:
EVENT_RECORD STRUCT
EventHeader EVENT_HEADER <> ; Event header
BufferContext ETW_BUFFER_CONTEXT <> ; Buffer context
ExtendedDataCount WORD ? ; Number of extended
UserDataLength WORD ? ; User data length
ExtendedData QWORD ? ; extended data items
UserData QWORD ? ; Pointer to user data
UserContext QWORD ? ; Context from OpenTrace
EVENT_RECORD ENDS
PEVENT_RECORD typedef ptr EVENT_RECORD
ProcessEvent Proc Uses Ebx Esi Edi, pEvent:PEVENT_RECORD ; ==> Not pEvent:EVENT_RECORD
mov ebx,pEvent
mov ax,(EVENT_RECORD PTR [ebx]).ExtendedDataCount
the global STRUCT variable transferre the into the specified Local STRUCT variable while you invoke the "ProcessEvent" proc.
Lea Eax, ProcessEvent
Mov TraEvent.DUMMYUNIONNAME2.EventRecordCallback, Eax ; ==>Mov TraEvent.EventRecordCallback, Eax
Can't edit the post here, so add another.
Wow!! I hadn't realized that! Thank you so much, six_L. I'm going to try it out and I'll let you know. Thanks a million.
Nothing six_L, I don't know why the events are not being processed in the procedure designated for that purpose.
.....
EVENT_RECORD Struct
EventHeader EVENT_HEADER <>
BufferContext ETW_BUFFER_CONTEXT <>
ExtendedDataCount WORD ?
UserDataLength WORD ?
ExtendedData EVENT_HEADER_EXTENDED_DATA_ITEM <>
UserData DWord ?
UserContext DWord ?
EVENT_RECORD EndS
EVENT_TRACE_LOGFILEA Struct
LogFileName DWord ?
LoggerName DWord ?
CurrentTime QWord ?
BuffersRead DWord ?
Union DUMMYUNIONNAME16
LogFileMode DWord ?
ProcessTraceMode DWord ?
EndS
CurrentEvent EVENT_TRACE <>
LogfileHeader TRACE_LOGFILE_HEADER <>
BufferCallback DWord ?
BufferSize DWord ?
Filled DWord ?
EventsLost DWord ?
Union DUMMYUNIONNAME2
EventCallback DWord ?
EventRecordCallback DWord ?
EndS
IsKernelTrace DWord ?
Context DWord ?
EVENT_TRACE_LOGFILEA EndS
PEVENT_RECORD TypeDef Ptr EVENT_RECORD
....
Invoke GetProcAddress, Edi, TextStr("OpenTraceA")
Mov Esi, Eax
Mov TraEvent.LoggerName, Offset LoggerNameAux
Mov TraEvent.DUMMYUNIONNAME16.ProcessTraceMode, PROCESS_TRACE_MODE_EVENT_RECORD + PROCESS_TRACE_MODE_REAL_TIME
Lea Eax, ProcessEvent
Mov TraEvent.DUMMYUNIONNAME2.EventRecordCallback, Eax
Push Offset TraEvent
Call Esi
.....
ProcessEvent Proc Uses Ebx Esi Edi, pEvent:PEVENT_RECORD
Local HConsole:DWord
Invoke GetStdHandle, STD_OUTPUT_HANDLE
Mov HConsole, Eax ; edx ahora contiene el identificador de la consola
AsigText Error12, "Entra captura."
Invoke WriteConsoleA, HConsole, Addr Error12, 14, 0, 0
Invoke Sleep, 5000
Ret
ProcessEvent EndP
I'm leaving all the code in case you want to have it and review it. I would greatly appreciate the help.
Capturing events does capture them, as indicated by the 'xperf' utility, but my procedure does not process them.
(https://i.postimg.cc/9DMBsNRZ/foto1.png) (https://postimg.cc/9DMBsNRZ)
When I force the stop with 'xperft', it tells me:
(https://i.postimg.cc/9rq9T57x/foto2.png) (https://postimg.cc/9rq9T57x)
FraiETWCapRes.zip
Hi, Fraile
This is an interesting question. It's my first time encountering this class of API. i also need to learn. let's figure out the problem together in the following time.
Thank you very much, six_L. This is also my first time using it. It's leaving me puzzled. Let's see if we can solve it together. Again, thank you very much.
Hi,Fraile
1)
a bit progress about "dotnet trace" has been gotten.
how are running in your os?
option casemap:none
option win64:7
include \UASM64\include\windows.inc
includelib \UASM64\Lib\user32.lib
includelib \UASM64\Lib\kernel32.lib
includelib \UASM64\Lib\Advapi32.lib
AssemblyLoadUnloadRundown_V1 STRUCT
AssemblyID ULONG64 ?
AppDomainID ULONG64 ?
BindingID ULONG64 ?
AssemblyFlags DWORD ?
FullyQualifiedAssemblyName WCHAR 1 dup(?)
AssemblyLoadUnloadRundown_V1 ENDS
PAssemblyLoadUnloadRundown_V1 typedef ptr AssemblyLoadUnloadRundown_V1
_MethodLoadVerbose_V1 STRUCT
MethodID ULONG64 ?
ModuleID ULONG64 ?
MethodStartAddress ULONG64 ?
MethodSize DWORD ?
MethodToken DWORD ?
MethodFlags DWORD ?
MethodNameSpace WCHAR 1 dup(?)
_MethodLoadVerbose_V1 ENDS
PMethodLoadUnloadVerbose_V1 typedef ptr _MethodLoadVerbose_V1
ETW_BUFFER_CONTEXT STRUCT
union DUMMYUNIONNAME
STRUCT DUMMYSTRUCTNAME
ProcessorNumber BYTE ?
Alignment BYTE ?
ENDS
ProcessorIndex WORD ?
ENDS
LoggerId WORD ?
ETW_BUFFER_CONTEXT ENDS
PETW_BUFFER_CONTEXT typedef ptr ETW_BUFFER_CONTEXT
EVENT_DESCRIPTOR STRUCT
Id WORD ?
Version BYTE ?
Channel BYTE ?
Level BYTE ?
Opcode BYTE ?
Task WORD ?
Keyword QWORD ?
EVENT_DESCRIPTOR ENDS
PEVENT_DESCRIPTOR typedef ptr EVENT_DESCRIPTOR
EVENT_HEADER STRUCT
size1 WORD ? ; Event Size
HeaderType WORD ? ; Header Type
Flags WORD ? ; Flags
EventProperty WORD ? ; User given event property
ThreadId DWORD ? ; Thread Id
ProcessId DWORD ? ; Process Id
TimeStamp LARGE_INTEGER <> ; Event Timestamp
ProviderId GUID <> ; Provider Id
EventDescriptor EVENT_DESCRIPTOR <> ; Event Descriptor
union DUMMYUNIONNAME
STRUCT DUMMYSTRUCTNAME
KernelTime DWORD ? ; Kernel Mode CPU ticks
UserTime DWORD ? ; User mode CPU ticks
ENDS
ProcessorTime QWORD ? ; Processor Clock
ENDS
ActivityId GUID <> ; Activity Id
EVENT_HEADER ENDS
PEVENT_HEADER typedef ptr EVENT_HEADER
EVENT_RECORD STRUCT
EventHeader EVENT_HEADER <> ; Event header
BufferContext ETW_BUFFER_CONTEXT <> ; Buffer context
ExtendedDataCount WORD ? ; Number of extended
UserDataLength WORD ? ; User data length
ExtendedData QWORD ? ; extended data items
UserData QWORD ? ; Pointer to user data
UserContext QWORD ? ; Context from OpenTrace
EVENT_RECORD ENDS
PEVENT_RECORD typedef ptr EVENT_RECORD
EVENT_TRACE_HEADER STRUCT
size1 WORD ? ; Size of entire record
union DUMMYUNIONNAME
FieldTypeFlags WORD ? ; Indicates valid fields
STRUCT DUMMYSTRUCTNAME
HeaderType BYTE ? ; Header type - internal use only
MarkerFlags BYTE ? ; Marker - internal use only
ENDS
ENDS
union DUMMYUNIONNAME2
Version DWORD ?
STRUCT Class
type1 BYTE ? ; event type
Level BYTE ? ; trace instrumentation level
Version WORD ? ; version of trace record
ENDS
ENDS
ThreadId DWORD ? ; Thread Id
ProcessId DWORD ? ; Process Id
TimeStamp LARGE_INTEGER <> ; time when event happens
union DUMMYUNIONNAME3
Guid GUID <> ; Guid that identifies event
GuidPtr ULONGLONG ? ; use with WNODE_FLAG_USE_GUID_PTR
ENDS
union DUMMYUNIONNAME4
STRUCT DUMMYSTRUCTNAME5
KernelTime DWORD ? ; Kernel Mode CPU ticks
UserTime DWORD ? ; User mode CPU ticks
ENDS
ProcessorTime QWORD ? ; Processor Clock
STRUCT DUMMYSTRUCTNAME6
ClientContext DWORD ? ; Reserved
_Flags DWORD ? ; Event Flags
ENDS
ENDS
EVENT_TRACE_HEADER ENDS
PEVENT_TRACE_HEADER typedef ptr EVENT_TRACE_HEADER
EVENT_TRACE STRUCT
Header EVENT_TRACE_HEADER <> ; Event trace header
InstanceId DWORD ? ; Instance Id of this event
ParentInstanceId DWORD ? ; Parent Instance Id.
ParentGuid GUID <> ; Parent Guid;
MofData QWORD ? ; Pointer to Variable Data
MofLength DWORD ? ; Variable Datablock Length
union DUMMYUNIONNAME
ClientContext DWORD ?
BufferContext ETW_BUFFER_CONTEXT <>
ENDS
EVENT_TRACE ENDS
PEVENT_TRACE typedef ptr EVENT_TRACE
TRACE_LOGFILE_HEADER STRUCT
BufferSize DWORD ? ; Logger buffer size in Kbytes
union DUMMYUNIONNAME
Version DWORD ? ; Logger version
STRUCT VersionDetail
MajorVersion BYTE ?
MinorVersion BYTE ?
SubVersion BYTE ?
SubMinorVersion BYTE ?
ENDS
ENDS
ProviderVersion DWORD ? ; defaults to NT version
NumberOfProcessors DWORD ? ; Number of Processors
EndTime LARGE_INTEGER <> ; Time when logger stops
TimerResolution DWORD ? ; assumes timer is constant!!!
MaximumFileSize DWORD ? ; Maximum in Mbytes
LogFileMode DWORD ? ; specify logfile mode
BuffersWritten DWORD ? ; used to file start of Circular File
union DUMMYUNIONNAME2
LogInstanceGuid GUID <> ; For RealTime Buffer Delivery
STRUCT DUMMYSTRUCTNAME
StartBuffers DWORD ? ; Count of buffers written at start.
PointerSize DWORD ? ; Size of pointer type in bits
EventsLost DWORD ? ; Events losts during log session
CpuSpeedInMHz DWORD ? ; Cpu Speed in MHz
ENDS
ENDS
;IF DEFINED(_WMIKM_) ;ring0
;LoggerName QWORD ?
;LogFileName QWORD ?
;TimeZone RTL_TIME_ZONE_INFORMATION ?
;ELSE ;ring3
LoggerName QWORD ?
LogFileName QWORD ?
TimeZone TIME_ZONE_INFORMATION <>
;ENDIF
BootTime LARGE_INTEGER <>
PerfFreq LARGE_INTEGER <> ; Reserved
StartTime LARGE_INTEGER <> ; Reserved
ReservedFlags DWORD ? ; ClockType
BuffersLost DWORD ?
TRACE_LOGFILE_HEADER ENDS
PTRACE_LOGFILE_HEADER typedef ptr TRACE_LOGFILE_HEADER
EVENT_TRACE_LOGFILEA STRUCT
LogFileName QWORD ? ; Logfile Name
LoggerName QWORD ? ; LoggerName
CurrentTime LONGLONG ? ; timestamp of last event
BuffersRead ULONG ? ; buffers read to date
union DUMMYUNIONNAME
LogFileMode DWORD ? ; Mode of the logfile
ProcessTraceMode DWORD ? ; Processing flags
ENDS
CurrentEvent EVENT_TRACE <> ; Current Event from this stream
LogfileHeader TRACE_LOGFILE_HEADER <> ; logfile header structure
BufferCallback QWORD ? ; is read
BufferSize DWORD ?
Filled DWORD ?
EventsLost DWORD ?
union DUMMYUNIONNAME2
EventCallback QWORD ? ; callback for every event
EventRecordCallback QWORD ?
ENDS
IsKernelTrace DWORD ? ; TRUE for kernel logfile
Context QWORD ? ; reserved for internal use
EVENT_TRACE_LOGFILEA ENDS
PEVENT_TRACE_LOGFILEA typedef ptr EVENT_TRACE_LOGFILEA
WNODE_HEADER STRUCT
BufferSize DWORD ? ; Size of entire buffer inclusive of this ULONG
ProviderId DWORD ? ; Provider Id of driver returning this buffer
union DUMMYUNIONNAME
HistoricalContext QWORD ? ; Logger use
STRUCT DUMMYSTRUCTNAME
Version DWORD ? ; Reserved
Linkage DWORD ? ; Linkage field reserved for WMI
ENDS
ENDS
union DUMMYUNIONNAME2
KernelHandle HANDLE ? ; Kernel handle for data block
TimeStamp LARGE_INTEGER <> ; Timestamp as returned in units of 100ns
ENDS
Guid GUID <> ; Guid for data block returned with results
ClientContext DWORD ?
Flags DWORD ? ; Flags, see below
WNODE_HEADER ENDS
EVENT_TRACE_PROPERTIES STRUCT
Wnode WNODE_HEADER <>
BufferSize DWORD ? ; buffer size for logging (kbytes)
MinimumBuffers DWORD ? ; minimum to preallocate
MaximumBuffers DWORD ? ; maximum buffers allowed
MaximumFileSize DWORD ? ; maximum logfile size (in MBytes)
LogFileMode DWORD ? ; sequential, circular
FlushTimer DWORD ? ; buffer flush timer, in seconds
EnableFlags DWORD ? ; trace enable flags
union DUMMYUNIONNAME
AgeLimit DWORD ? ; unused
FlushThreshold DWORD ? ; Number of buffers to fill before flushing
ENDS
NumberOfBuffers DWORD ? ; no of buffers in use
FreeBuffers DWORD ? ; no of buffers free
EventsLost DWORD ? ; event records lost
BuffersWritten DWORD ? ; no of buffers written to file
LogBuffersLost DWORD ? ; no of logfile write failures
RealTimeBuffersLost DWORD ? ; no of rt delivery failures
LoggerThreadId HANDLE ? ; thread id of Logger
LogFileNameOffset DWORD ? ; Offset to LogFileName
LoggerNameOffset DWORD ? ; Offset to LoggerName
EVENT_TRACE_PROPERTIES ENDS
PEVENT_TRACE_PROPERTIES typedef ptr EVENT_TRACE_PROPERTIES
_StartTraceA typedef PROTO TraceHandle:QWORD,InstanceName:QWORD,Properties:QWORD
@StartTraceA typedef ptr _StartTraceA
_EnableTraceEx typedef PROTO ProviderId:QWORD,SourceId:QWORD,TraceHandle:QWORD,IsEnabled:DWORD,Level:DWORD,MatchAnyKeyword:DWORD,MatchAllKeyword:DWORD,EnableProperty:DWORD,EnableFilterDesc:QWORD
@EnableTraceEx typedef ptr _EnableTraceEx
_OpenTraceA typedef PROTO Logfile:QWORD
@OpenTraceA typedef ptr _OpenTraceA
_ProcessTrace typedef PROTO HandleArray:QWORD,HandleCount:DWORD,StartTime:QWORD,EndTime:QWORD
@ProcessTrace typedef ptr _ProcessTrace
.const
IDD_DIALOG equ 100
IDI_ICON equ 200
IDC_TEST equ 3002
IDC_EXIT equ 3003
IDC_OUTPUT equ 3004
AssemblyDCStart_V1 equ 155
AssemblyLoad_V1 equ 154
MethodLoadVerbose_V1 equ 143
PROCESS_TRACE_MODE_REAL_TIME equ < 000000100h>
PROCESS_TRACE_MODE_EVENT_RECORD equ < 010000000h>
WNODE_FLAG_TRACED_GUID equ < 000020000h>
EVENT_TRACE_REAL_TIME_MODE equ < 000000100h>
EVENT_TRACE_USE_PAGED_MEMORY equ < 001000000h>
TRACE_LEVEL_VERBOSE equ < 5>
.data
trace EVENT_TRACE_LOGFILEA <0>
traceProp PEVENT_TRACE_PROPERTIES 0
hTrace QWORD 0
dqIndex QWORD 0
Name db "dotnet trace",0
;GUID { 0xe13c0d23, 0xccbc, 0x4e12, { 0x93, 0x1b, 0xd9, 0xcc, 0x2e, 0xee, 0x27, 0xe4 } }
ClrRuntimeProviderGuid \
dd 0e13c0d23h
dw 0ccbch
dw 04e12h
db 093h, 01bh, 0d9h, 0cch, 02eh, 0eeh, 027h, 0e4h
.data?
hUserDll dq ?
hInstance HINSTANCE ?
hMain dq ?
hHeap dq ?
pStartTraceA @StartTraceA ?
pEnableTraceEx @EnableTraceEx ?
pOpenTraceA @OpenTraceA ?
pProcessTrace @ProcessTrace ?
.code
ErrorMessage Proc uses rbx lpCaption:qword
Local lpErrorMessage:QWORD
call GetLastError
lea rbx,lpErrorMessage
invoke FormatMessage, FORMAT_MESSAGE_ALLOCATE_BUFFER or FORMAT_MESSAGE_FROM_SYSTEM, NULL, eax, LANG_NEUTRAL,rbx,0,NULL
invoke MessageBox, 0, lpErrorMessage, lpCaption, MB_OK or MB_ICONINFORMATION
invoke LocalFree, lpErrorMessage
ret
ErrorMessage EndP
GetTraceApiFunctions proc
invoke LoadLibrary,CStr("Advapi32.dll")
.if rax
mov hUserDll,rax
invoke GetProcAddress,hUserDll,CStr("StartTraceA")
mov pStartTraceA,rax
.if rax == NULL
invoke ErrorMessage,CStr("StartTraceA")
jmp @Err
.endif
invoke GetProcAddress,hUserDll,CStr("EnableTraceEx")
mov pEnableTraceEx,rax
.if rax == NULL
invoke ErrorMessage,CStr("EnableTraceEx")
jmp @Err
.endif
invoke GetProcAddress,hUserDll,CStr("OpenTraceA")
mov pOpenTraceA,rax
.if rax == NULL
invoke ErrorMessage,CStr("OpenTraceA")
jmp @Err
.endif
invoke GetProcAddress,hUserDll,CStr("ProcessTrace")
mov pProcessTrace,rax
.if rax == NULL
invoke ErrorMessage,CStr("ProcessTrace")
jmp @Err
.endif
.else
invoke MessageBox,NULL,CStr("Advapi32.dll load Failed"),CStr("LoadLibrary"),MB_OK
jmp @Err
.endif
mov rax,0
ret
@Err:
mov rax,1
ret
GetTraceApiFunctions endp
AddLog proc pStr:QWORD
invoke SendDlgItemMessage, hMain,IDC_OUTPUT,EM_GETLINECOUNT,0,0
dec rax
invoke SendDlgItemMessage, hMain,IDC_OUTPUT,EM_LINEINDEX,rax,0
invoke SendDlgItemMessage, hMain,IDC_OUTPUT,EM_SETSEL,rax,rax
invoke SendDlgItemMessage, hMain,IDC_OUTPUT,EM_REPLACESEL,FALSE,pStr
invoke SendDlgItemMessage, hMain,IDC_OUTPUT, EM_SCROLLCARET, 0, 0
ret
AddLog endp
ProcessEvent proc uses rbx rsi rdi EventRecord:PEVENT_RECORD
Local eventHeader:PEVENT_HEADER
Local eventDescriptor:PEVENT_DESCRIPTOR
Local assemblyUserData:AssemblyLoadUnloadRundown_V1
Local methodUserData:_MethodLoadVerbose_V1
Local MethodNameSpace:QWORD
Local MethodName:QWORD
Local MethodSignature:QWORD
Local szTmp[512]:BYTE
Local szTmp1[128]:BYTE
Local cxId:WORD
invoke RtlZeroMemory,ADDR szTmp,sizeof szTmp
inc dqIndex
mov rbx,EventRecord
lea rax,(EVENT_RECORD PTR [rbx]).EventHeader
mov eventHeader,rax
mov rsi,eventHeader
lea rax,(EVENT_HEADER PTR [rsi]).EventDescriptor
mov eventDescriptor,rax
mov rdi,eventDescriptor
mov cx,(EVENT_DESCRIPTOR PTR [rdi]).Id
mov cxId,cx
.if cx == AssemblyLoad_V1
invoke wsprintf,addr szTmp,CStr("(%d) AssemblyLoad_V1: Id of EVENT_DESCRIPTOR = %i",13,10),dqIndex,cxId
invoke AddLog,addr szTmp
.elseif cx == MethodLoadVerbose_V1 ;/*case MethodLoadVerbose_V1:
invoke wsprintf,addr szTmp,CStr("(%d) MethodLoadVerbose_V1: Id of EVENT_DESCRIPTOR = %i",13,10),dqIndex,cxId
invoke AddLog,addr szTmp
.elseif cx == AssemblyDCStart_V1 ;/*case MethodLoadVerbose_V1:
invoke wsprintf,addr szTmp,CStr("(%d) AssemblyDCStart_V1: Id of EVENT_DESCRIPTOR = %d",13,10),dqIndex,cxId
invoke AddLog,addr szTmp
.else
invoke wsprintf,addr szTmp,CStr("(%d) Unknow: Id of EVENT_DESCRIPTOR = %d",13,10),dqIndex,cxId
invoke AddLog,addr szTmp
.endif
ret
ProcessEvent endp
WorkerThread proc uses rbx szpBuf:QWORD ;int main(void)
Local result:ULONG
Local bufferSize:ULONG
invoke AddLog,CStr("ETW .NET Trace example - @_xpn_",13,10)
invoke RtlZeroMemory,ADDR trace,sizeof trace
mov trace.ProcessTraceMode,PROCESS_TRACE_MODE_REAL_TIME or PROCESS_TRACE_MODE_EVENT_RECORD
lea rax,Name
mov trace.LoggerName,rax
lea rax,ProcessEvent
mov trace.EventRecordCallback,rax
mov eax,sizeof Name
add eax,sizeof EVENT_TRACE_PROPERTIES
add eax,sizeof WCHAR
mov bufferSize,eax
invoke HeapAlloc,hHeap,HEAP_ZERO_MEMORY, bufferSize
mov traceProp,rax
mov rbx,traceProp
mov eax,bufferSize
mov (EVENT_TRACE_PROPERTIES PTR [rbx]).Wnode.BufferSize,eax
mov (EVENT_TRACE_PROPERTIES PTR [rbx]).Wnode.ClientContext,2
mov (EVENT_TRACE_PROPERTIES PTR [rbx]).Wnode.Flags,WNODE_FLAG_TRACED_GUID
mov (EVENT_TRACE_PROPERTIES PTR [rbx]).LogFileMode,EVENT_TRACE_REAL_TIME_MODE or EVENT_TRACE_USE_PAGED_MEMORY
mov (EVENT_TRACE_PROPERTIES PTR [rbx]).LogFileNameOffset,0
mov (EVENT_TRACE_PROPERTIES PTR [rbx]).LoggerNameOffset,sizeof EVENT_TRACE_PROPERTIES
invoke pStartTraceA,addr hTrace,addr Name, traceProp
.if rax != ERROR_SUCCESS
invoke ErrorMessage,CStr("StartTraceA")
mov rax,1
ret
.endif
invoke pEnableTraceEx,addr ClrRuntimeProviderGuid,NULL,hTrace,1,\
TRACE_LEVEL_VERBOSE,08h or 010h,0,0,NULL
.if rax != ERROR_SUCCESS
invoke ErrorMessage,CStr("EnableTraceEx")
mov rax,2
ret
.endif
invoke pOpenTraceA,addr trace
.if rax == 0
invoke ErrorMessage,CStr("OpenTraceA")
mov rax,3
ret
.endif
mov hTrace,rax
invoke pProcessTrace,addr hTrace,1,NULL,NULL
.if rax != ERROR_SUCCESS
invoke ErrorMessage,CStr("ProcessTrace")
mov rax,4
ret
.endif
mov rax,0
ret
WorkerThread endp
DlgProc proc uses rdi rsi hWnd:HWND,uMsg:UINT,wParam:WPARAM,lParam:LPARAM
mov eax,uMsg
.if eax==WM_INITDIALOG
invoke LoadIcon,hInstance,IDI_ICON
invoke SendMessage,hWnd,WM_SETICON,ICON_BIG,rax
mov rax,hWnd
mov hMain,rax
invoke GetTraceApiFunctions
invoke GetProcessHeap
mov hHeap, rax
mov dqIndex,0
.elseif eax==WM_COMMAND
mov rax,wParam
mov rdx,rax
shr edx,16
.if edx == BN_CLICKED
.if ax==IDC_EXIT
invoke SendMessage,hWnd,WM_CLOSE,0, 0
.elseif ax==IDC_TEST
invoke CreateThread,NULL,NULL,offset WorkerThread,NULL,NULL,NULL
invoke CloseHandle,rax
.endif
.endif
.elseif eax==WM_CLOSE
invoke FreeLibrary,hUserDll
invoke HeapFree,hHeap,HEAP_ZERO_MEMORY,traceProp
invoke EndDialog,hWnd,0
.endif
xor rax,rax
ret
DlgProc endp
WinMainCRTStartup Proc
invoke GetModuleHandle,NULL
mov hInstance,rax
invoke DialogBoxParam,hInstance,IDD_DIALOG,0,addr DlgProc,0
invoke ExitProcess,NULL
WinMainCRTStartup Endp
end
2) if we can create a provider codes as the M$ demo, maybe a consumer codes has been changed to uncomplicate.
but i can't get "TraceLoggingRegister" API. How are you doing there?
Hello six_L, GREAT!!!!!, I was doing it in 32 bits, do you think I could switch it to 64 bits?. Congratulations!!!, this project is very important to me.
My idea was to capture events from already existing providers. More specifically, security events, to detect, for example, session logins on Windows.... I check all the providers available on the system with "D:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit>xperf -providers". The idea of my project is to create a basic SIEM. The system has a maximum number of event controllers.
Could you please compress and upload the example again? The file 111.zip is giving me an error. Thank you very much.
Hi, 'SixL' was merely following Hutch's Old recommendations regarding uploading images to the Server, by changing the File Extension to .zip
The file is actually the Image file below the 'code' tags in his post :smiley:
If you have downloaded it, you can simply change the .zip extension to .jpg and you will see the image from the post. :smiley:
cheers,
Stewart
"you take the blonde I'll take the one with the turban" !!! :joking:
Haha, I thought it was the source code! :joking:
Hi Six_l, I'm trying to convert your code to 32 bits, just out of stubbornness, hehe. One question, do you allocate memory with this part of your code:
invoke HeapAlloc,hHeap,HEAP_ZERO_MEMORY, bufferSize
mov traceProp,rax
mov rbx,traceProp
mov eax,bufferSize
mov (EVENT_TRACE_PROPERTIES PTR [rbx]).Wnode.BufferSize,eax
mov (EVENT_TRACE_PROPERTIES PTR [rbx]).Wnode.ClientContext,2
mov (EVENT_TRACE_PROPERTIES PTR [rbx]).Wnode.Flags,WNODE_FLAG_TRACED_GUID
mov (EVENT_TRACE_PROPERTIES PTR [rbx]).LogFileMode,EVENT_TRACE_REAL_TIME_MODE or EVENT_TRACE_USE_PAGED_MEMORY
mov (EVENT_TRACE_PROPERTIES PTR [rbx]).LogFileNameOffset,0
mov (EVENT_TRACE_PROPERTIES PTR [rbx]).LoggerNameOffset,sizeof EVENT_TRACE_PROPERTIES
This would be mandatory, or can I pass the structure directly without going through the memory allocation definition? I have it like this:
Invoke RtlZeroMemory, Addr TraceProperties, SizeOf EVENT_TRACE_PROPERTIES
Mov TraceProperties.Props.Wnode.BufferSize, SizeOf EventTracePropertyData
Mov TraceProperties.Props.Wnode.ClientContext, 2
Mov TraceProperties.Props.Wnode.Flags, WNODE_FLAG_TRACED_GUID
Mov TraceProperties.Props.LogFileMode, EVENT_TRACE_REAL_TIME_MODE + EVENT_TRACE_USE_PAGED_MEMORY
Mov TraceProperties.Props.LoggerNameOffset, SizeOf TraceProperties.Props + 4
Mov TraceProperties.Props.LogFileNameOffset, 0
Thank you very much for your help.
Please Six_L, could you execute "D:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit>xperf -loggers" and send me a screenshot to see the difference in capture between your application and mine. Thank you very much.
Hi, Fraile
Quotecould you execute "D:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit>xperf -loggers" and send me a screenshot to see the difference in capture between your application and mine.
I didn't download the Windows Performance Toolkit.
i'm transfering your codes. If your codes come from C codes, please post the C codes here.
about the memory allocation, you do which you'r liking mode. due to the "dotnet trace: traceProp = (EVENT_TRACE_PROPERTIES*)LocalAlloc(LPTR, bufferSize) ", i did that.
You have provided a new idea that i never run into. i'll learn a lot knowledge about the process event trace. the dotnet trace codes works fine. he can capture a lot of the ID of .net event(143,144,145,146). i'v only understood the 143.
regard.
Hello Six_L, a question, in theory, do the structures you have put in your code work for both 64-bit and 32-bit systems?
Hello Six_L, another question. In your 64-bit code, I notice that you are calling elements of the EVENT_TRACE_LOGFILEA structure, which are within a "union," but you are not referencing the name of the "union":
invoke RtlZeroMemory, ADDR trace, sizeof trace
mov trace.ProcessTraceMode, PROCESS_TRACE_MODE_REAL_TIME or PROCESS_TRACE_MODE_EVENT_RECORD
lea rax, Name
mov trace.LoggerName, rax
lea rax, ProcessEvent
mov trace.EventRecordCallback, rax
But in the structure, for example "EventRecordCallback," it's inside a "union.
EVENT_TRACE_LOGFILEA STRUCT
LogFileName QWORD ? ; Logfile Name
LoggerName QWORD ? ; LoggerName
CurrentTime LONGLONG ? ; timestamp of last event
BuffersRead ULONG ? ; buffers read to date
union DUMMYUNIONNAME
LogFileMode DWORD ? ; Mode of the logfile
ProcessTraceMode DWORD ? ; Processing flags
ENDS
CurrentEvent EVENT_TRACE <> ; Current Event from this stream
LogfileHeader TRACE_LOGFILE_HEADER <> ; logfile header structure
BufferCallback QWORD ? ; is read
BufferSize DWORD ?
Filled DWORD ?
EventsLost DWORD ?
union DUMMYUNIONNAME2
EventCallback QWORD ? ; callback for every event
EventRecordCallback QWORD ?
ENDS
IsKernelTrace DWORD ? ; TRUE for kernel logfile
Context QWORD ? ; reserved for internal use
EVENT_TRACE_LOGFILEA ENDS
Hi,Fraile
Quotea question, in theory, do the structures you have put in your code work for both 64-bit and 32-bit systems?
1) The address is DWORD in 32bit os. The address is QWORD in 64bit os.
about the structure, you need to edit some variables to DWORD.
for example:
MS:
;============================================
typedef struct _EVENT_TRACE_LOGFILEA {
LPSTR LogFileName;
LPSTR LoggerName;
LONGLONG CurrentTime;
ULONG BuffersRead;
union {
ULONG LogFileMode;
ULONG ProcessTraceMode;
} DUMMYUNIONNAME;
EVENT_TRACE CurrentEvent;
TRACE_LOGFILE_HEADER LogfileHeader;
PEVENT_TRACE_BUFFER_CALLBACKA BufferCallback;
ULONG BufferSize;
ULONG Filled;
ULONG EventsLost;
union {
PEVENT_CALLBACK EventCallback;
PEVENT_RECORD_CALLBACK EventRecordCallback;
} DUMMYUNIONNAME2;
ULONG IsKernelTrace;
PVOID Context;
} EVENT_TRACE_LOGFILEA, *PEVENT_TRACE_LOGFILEA;
;============================================
64bit os:
;============================================
EVENT_TRACE_LOGFILEA STRUCT
LogFileName QWORD ? ; Logfile Name
LoggerName QWORD ? ; LoggerName
CurrentTime LONGLONG ? ; timestamp of last event
BuffersRead ULONG ? ; buffers read to date
union DUMMYUNIONNAME
LogFileMode DWORD ? ; Mode of the logfile
ProcessTraceMode DWORD ? ; Processing flags
ENDS
CurrentEvent EVENT_TRACE <> ; Current Event from this stream
LogfileHeader TRACE_LOGFILE_HEADER <> ; logfile header structure
BufferCallback QWORD ? ; is read
BufferSize DWORD ?
Filled DWORD ?
EventsLost DWORD ?
union DUMMYUNIONNAME2
EventCallback QWORD ? ; callback for every event
EventRecordCallback QWORD ?
ENDS
IsKernelTrace DWORD ? ; TRUE for kernel logfile
Context QWORD ? ; reserved for internal use
EVENT_TRACE_LOGFILEA ENDS
PEVENT_TRACE_LOGFILEA typedef ptr EVENT_TRACE_LOGFILEA
;============================================
32bit os:
;============================================
EVENT_TRACE_LOGFILEA STRUCT
LogFileName DWORD ? ; Logfile Name
LoggerName DWORD ? ; LoggerName
CurrentTime LONGLONG ? ; timestamp of last event
BuffersRead ULONG ? ; buffers read to date
union DUMMYUNIONNAME
LogFileMode DWORD ? ; Mode of the logfile
ProcessTraceMode DWORD ? ; Processing flags
ENDS
CurrentEvent EVENT_TRACE <> ; Current Event from this stream
LogfileHeader TRACE_LOGFILE_HEADER <> ; logfile header structure
BufferCallback DWORD ? ; is read
BufferSize DWORD ?
Filled DWORD ?
EventsLost DWORD ?
union DUMMYUNIONNAME2
EventCallback DWORD ? ; callback for every event
EventRecordCallback DWORD ?
ENDS
IsKernelTrace DWORD ? ; TRUE for kernel logfile
Context DWORD ? ; reserved for internal use
EVENT_TRACE_LOGFILEA ENDS
PEVENT_TRACE_LOGFILEA typedef ptr EVENT_TRACE_LOGFILEA
2) about union in the structures, you can use directly, don't care it. if you want to understand UNION, JJ2007 done an articulate explain. search the forum.
regard.
With C-compiler, it's possible to check aligments
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <stddef.h>
// http://www.catb.org/esr/structure-packing/
// http://stackoverflow.com/questions/1208954/c-struct-grabbing-data-by-offset
#ifndef offsetof
#define offsetof(ty,m) ((size_t)&(((ty*)0)->m))
#endif
#define GET_FIELD_OFFSET(type, field) ((size_t)&(((type *)0)->field))
#define GET_FIELD_SIZE(type, field) (sizeof(((type *)0)->field))
#define PRINTSIZE(x) printf("\n%-16s %d %Xh bytes\n",#x,sizeof(x),sizeof(x));
#define PRINTOFSSIZE(type,field) printf("%-16s +%Xh %Xh\n",#field,(LONG)&(((type *)0)->field),sizeof(((type *)0)->field));
int main(void)
{
PRINTSIZE(PSINJECTDATA);
PRINTOFSSIZE(PSINJECTDATA,DataBytes);
PRINTOFSSIZE(PSINJECTDATA,InjectionPoint);
PRINTOFSSIZE(PSINJECTDATA,PageNumber);
return 0;
}
Hello Six_l and TimoVjl, I've done it!!! The event capturer is finally working. It was an alignment issue, after reviewing all the structures and adapting them to 32 bits, as Six_L suggested. Then, I checked the sizes of the structures in bytes, an idea I got from TimoVjl. After all this, I forced alignment to 8, and for now, it's capturing events from the .NET provider. However, my goal is to capture events from the "Microsoft Windows security auditing" provider, whose GUID is "{54849625-5478-4994-a5ba-3e3b0328c30d}". But it seems that it's not working with this provider... I tried to force a connection from the console using net use \\192.168.168.10\admin$ /user:fraile Entrada2020. This triggers a login error event, which is reflected in the event viewer, but the program doesn't CAPTURE it... frustrating.
Thank you for all the collaboration. Truly, thank you very much. If anyone feels like continuing with the project... I'll keep pursuing my goal, which is to capture login session events.
Six_L, do you feel like continuing?
Hello Six_L, can you read the "UserData" field from the "Event_Record" structure?
ProcessEvent Proc Uses Ebx Esi Edi pEvent:PEVENT_RECORD
Local eventHeader:PEVENT_HEADER
Local eventDescriptor:PEVENT_DESCRIPTOR
Local assemblyUserData:PAssemblyLoadUnloadRundown_V1
Local szTmp[512]:Byte
Local IDEvent:Word
Push Esi
Push Edi
Push Ebx
Invoke RtlZeroMemory, Addr szTmp, SizeOf szTmp
Invoke RtlZeroMemory, Addr tempbuffer, SizeOf tempbuffer
Mov Ebx, pEvent
Lea Eax, (EVENT_RECORD Ptr [Ebx]).EventHeader
Mov eventHeader, Eax
Lea Eax, (EVENT_RECORD Ptr [Ebx]).UserData
Mov assemblyUserData, Eax
Mov Esi, eventHeader
Lea Eax, (EVENT_HEADER Ptr [Esi]).EventDescriptor
Mov eventDescriptor, Eax
Mov Edi, eventDescriptor
Mov Cx, (EVENT_DESCRIPTOR Ptr [Edi]).Id
Mov IDEvent, Cx
.If IDEvent != 0
; Mostramos el ID.
; ****************
Invoke PasarADecimal, DWord Ptr IDEvent
Invoke WriteConsoleA, HandleConsola, Addr tempbuffer, 4, 0, 0
; Mostramos la descripción.
; ************************
Mov Edi, assemblyUserData
Lea Eax, (AssemblyLoadUnloadRundown_V1 Ptr [Edi]).FullyQualifiedAssemblyName
Invoke wsprintf, Addr szTmp, Eax
Invoke WriteConsoleA, HandleConsola, Addr szTmp, SizeOf szTmp, 0, 0
; AsigText Error12, "Entra captura."
; Invoke WriteConsoleA, HandleConsola, Addr Error12, 14, 0, 0
Invoke ImprimirSaltoDeLinea
.EndIf
Pop Ebx
Pop Edi
Pop Esi
Xor Eax, Eax
Ret
ProcessEvent EndP
If I can capture with your code, the ID, it works perfectly, but I want to try reading the .NET-specific events from the "AssemblyLoadUnloadRundown_V1" structure, where the event's identification is supposed to be more customized.
Hi,Fraile
1)
Quotecan you read the "UserData" field from the "Event_Record" structure?
Only 143 MethodLoadVerbose_V1 Event id(143,144,145,146) happens in my system. the author of dotnet trace gave the means of data.
.elseif cx == MethodLoadVerbose_V1 ;/*case MethodLoadVerbose_V1:
invoke wsprintf,addr szTmp,CStr("(%d) MethodLoadVerbose_V1: Id of EVENT_DESCRIPTOR = %i",13,10),dqIndex,cxId
invoke AddLog,addr szTmp
mov rax,(EVENT_RECORD PTR [rbx]).UserData
mov methodUserData,rax
;MethodNameSpace = methodUserData->MethodNameSpace
lea rcx,(_MethodLoadVerbose_V1 PTR [rax]).MethodNameSpace
mov MethodNameSpace,rcx
lea rsi,methodUserData
;MethodName = (WCHAR*)(((char*)methodUserData->MethodNameSpace) + (lstrlenW(methodUserData->MethodNameSpace) * 2) + 2)
;invoke lstrlenW,addr (_MethodLoadVerbose_V1 PTR [rsi]).MethodNameSpace
invoke lstrlenW,MethodNameSpace
shl rax,1 ;*2
;lea rcx,(_MethodLoadVerbose_V1 PTR [rsi]).MethodNameSpace
mov rcx,MethodNameSpace
add rcx,rax
add rcx,2
mov MethodName,rcx
;MethodSignature = (WCHAR*)(((char*)MethodName) + (lstrlenW(MethodName) * 2) + 2);
invoke lstrlenW,MethodName
shl rax,1 ;*2
mov rcx,MethodName
add rcx,rax
add rcx,2
mov MethodSignature,rcx
invoke RtlZeroMemory,ADDR szTmp,sizeof szTmp
mov rbx,eventHeader
invoke wsprintf,addr szTmp,CStr(" ProcessId(%d), MethodNameSpace: %S, MethodName: %S, MethodSignature: %S",13,10),(EVENT_HEADER PTR [rbx]).ProcessId, MethodNameSpace,MethodName,MethodSignature
invoke AddLog,addr szTmp
2)
how do you know the guid of {54849625-5478-4994-a5ba-3e3b0328c30d} is the Microsoft Windows security auditing?
regard.
Hi Six_L, you can see it in different ways, one with the xperf utility using "-providers". Another way is through the Event Viewer; when you go into Security, it shows you the provider you need to capture. I'll send you a picture.
(https://i.postimg.cc/6T8Gbs5m/proveedores.png) (https://postimg.cc/6T8Gbs5m)
Quote from: Fraile on March 22, 2024, 10:01:02 PM
ProcessEvent Proc Uses Ebx Esi Edi pEvent:PEVENT_RECORD
. . .
Push Esi
Push Edi
Push Ebx
. . .
Just a small meta-note: if you use
USES <reg>, <reg> ...
in your code, all those pushes and pops are redundant and totally unnecessary, as that's what the assembler codes for you.
Hi NoCforMe,
I don't fully agree with you, the procedure you are showing is a child procedure, which uses the same registers as the parent procedure. The child procedure should preserve the registers used by the parent procedure. If it doesn't, I would appreciate clarification. Thank you very much for your comment.
I'm just saying that you have two things in that code that do exactly the same thing, which is redundant. When you put in USES <reg> <reg> ..., the assembler generates PUSHes and POPs for those registers for you, so your explicitly coding them is superflous and redundant. Not a show-stopper, no harm, but unnecessary.
Thank you, really, I don't take it as a bad thing, quite the opposite. It might be old programmer habits, possibly.
Well, it is redundant, and clutters up your code.
Sorry I can't help you with your substantive issues here.
You're right. Thank you very much.
I rushed to reply to you, I didn't pay close attention to the procedure definition. You are absolutely right.
Hi six_L, I've made progress with the documentation, please take a look at this URL when you can:
https://learn.microsoft.com/en-us/dotnet/framework/performance/loader-etw-events (https://learn.microsoft.com/en-us/dotnet/framework/performance/loader-etw-events)
Hi,Fraile.
1)
Quotehttps://learn.microsoft.com/en-us/dotnet/framework/performance/loader-etw-events
This is a helpful infomation about dotnet trace. Thanks.
2)
i'v recently searched the www world with M$ bing and GitHub. Nothing about Microsoft Windows Security Auditing trace has been found. if we'll get a worked c codes, That's a good beginning.
Regard.
Hi six-L, I've also made some progress on that. Let me explain how I think it works: Microsoft doesn't allow gathering security events as we're currently doing it. We need to "subscribe" to Microsoft's own security provider. Here's some documentation I found.
https://stackoverflow.com/questions/75682202/how-to-capture-events-from-etw-provider-microsoft-windows-security-auditing-in (https://stackoverflow.com/questions/75682202/how-to-capture-events-from-etw-provider-microsoft-windows-security-auditing-in)
Hi six_L, don't you find it odd that in this guy's example, he can see information about loading in the .NET CLR and we can't?
https://gist.github.com/aaaddress1/4add6b873ae6ed70cb125a7587d2e1bc (https://gist.github.com/aaaddress1/4add6b873ae6ed70cb125a7587d2e1bc)
Hi,Fraile
1)
The Microsoft Windows Security Auditing trace relates to Ring0. it's not easy.
2)
I can't access the web link. post it here.
regard.
Hi six_L, I've managed to do it. The problem was the format; it works fine with the 'wsprintf' function, using the format value '%S'. I'll pass along all the code; everything is working up to this point. Thank you very much for your help and advice. Now I'm going to try capturing security login events.
(https://i.postimg.cc/TKtpkN7T/etwok.png) (https://postimg.cc/TKtpkN7T)
Hello six_L, I have already managed to consume "security" events, you just need to make a small modification in the code, leaving only the "opentraceA" and "ProcessTrace" functions. You just have to open the system's own session, in this case "Eventlog-Security"
.Data
LoggerNameAux DB 'Eventlog-Security'
.....
.Code
.....
Invoke RtlZeroMemory, Addr TraEvent, SizeOf EVENT_TRACE_LOGFILEA
; Cargar la biblioteca dinámica wnetapi32.dll
Invoke LoadLibrary, TextStr("Advapi32.dll")
.If Eax
Mov Edi, Eax
Mov HandleLibrary, Eax
; ******************************************************************
; Armamos el identificador de seguimiento ETW para consumir eventos.
; ******************************************************************
Invoke GetProcAddress, Edi, TextStr("OpenTraceA")
Mov Esi, Eax
Lea Eax, LoggerNameAux
Mov TraEvent.LoggerName, Eax
Mov TraEvent.DUMMYUNIONNAME.ProcessTraceMode, PROCESS_TRACE_MODE_REAL_TIME + PROCESS_TRACE_MODE_EVENT_RECORD
Lea Eax, ProcessEvent
Mov TraEvent.DUMMYUNIONNAME2.EventRecordCallback, Eax
Push Offset TraEvent
Call Esi
Cmp Eax, INVALID_PROCESSTRACE_HANDLE
Je Error_ExitOnce
Mov DWord Ptr TraceHandle, Eax
; ******************************************************************
; Procesamos ProcessTrace.
; ******************************************************************
Mov Edi, HandleLibrary
Invoke GetProcAddress, Edi, TextStr("ProcessTrace")
Mov Esi, Eax
Push NULL
Push NULL
Push 1
Push Offset TraceHandle
Call Esi
To be able to see the names of the sessions already open, you can use the command "xperf -providers"
I'm leaving two articles explaining a little about what I've learned and the purpose of the project. I recommend the book 'Windows Internals Part 2'; the topic of ETW is covered very well there. I'm going to keep working on this event capture project, and I would greatly appreciate your feedback. Thank you very much, everyone, especially 'six_L'.
https://www.linkedin.com/feed/update/urn:li:activity:7178122925810606082 (https://www.linkedin.com/feed/update/urn:li:activity:7178122925810606082)
https://www.linkedin.com/feed/update/urn:li:activity:7180514064782004224 (https://www.linkedin.com/feed/update/urn:li:activity:7180514064782004224)
Hi Fraile
It's great to see you using MASM for a real application.
Keep up the good work! :thumbsup:
Biterider
Thank you very much, Biterider. :greenclp:
Hi, Fraile
The Microsoft Windows Security Auditing trace is an important area. our forum never talk about. you are the First.
Keep up the good work!
regard
Thank you very much, six_L. I will keep you informed and I will share the code through this chat. :greenclp:
Came across this today, which might be useful: https://github.com/jsecurity101/ETWInspector (https://github.com/jsecurity101/ETWInspector)