ETW Event Consumer, StartTraceA API

Started by Fraile, February 11, 2024, 07:54:00 AM


Fraile

Hello! Thank you very much, "six_L", for your effort. Let me share my idea: I aim to consume ETW events from the "Microsoft-Windows-Security-Auditing" provider with the GUID "{54849625-5478-4994-a5ba-3e3b0328c30d}". I've managed to make StartTraceA work, as well as EnableTraceEx2, and OpenTraceA. In OpenTraceA, I load the "EventRecordCallback" to point to a procedure that will handle the captured events. When calling ProcessTrace, which is responsible for processing and capturing the events, the application waits as expected, as it blocks the thread to collect all possible events. However, in my program, the procedure pointed to by "EventRecordCallback" never gets triggered. I know I'm on the right track because using the "xperf -loggers" utility, I can see that the session is created correctly, and the provider from which I want to consume events is also set up correctly. But I can't get ProcessTrace to trigger the event capture procedure.



In this photo, you can see how the program remains in a waiting state:



Here you can see that everything is properly configured with the "xperf -loggers" utility.


I'm very close to getting it but I'm lost again... Any ideas?





The code is included; you can open it with Easy Code by Ramon Sala.




Fraile

I'm almost certain that the issue is that the association is not being done correctly:

Lea Eax, ProcessEvent
Mov TraEvent.DUMMYUNIONNAME2.EventRecordCallback, Eax

.
.
.
.

ProcessEvent Proc Uses Ebx Esi Edi, pEvent:EVENT_RECORD

    AsigText Error12, "Entra captura."
    Invoke WriteConsoleA, HandleConsola, Addr Error12, 14, 0, 0

    Ret
ProcessEvent EndP



Fraile

I think the solution might involve creating a thread and executing ProcessTrace within it. What do you think?

six_L

Hi, Fraile
If you use the EVENT_RECORD STRUCT, do this:
EVENT_RECORD STRUCT
    EventHeader        EVENT_HEADER <>        ; Event header
    BufferContext        ETW_BUFFER_CONTEXT <>  ; Buffer context
    ExtendedDataCount    WORD ?            ; Number of extended
    UserDataLength        WORD ?            ; User data length
    ExtendedData        QWORD ?            ; extended data items                                               
    UserData        QWORD ?            ; Pointer to user data
    UserContext        QWORD ?            ; Context from OpenTrace
EVENT_RECORD ENDS
PEVENT_RECORD typedef ptr EVENT_RECORD
ProcessEvent Proc Uses Ebx Esi Edi, pEvent:PEVENT_RECORD  ; ==> Not pEvent:EVENT_RECORD
    mov ebx,pEvent
    mov ax,(EVENT_RECORD PTR [ebx]).ExtendedDataCount
The global STRUCT variable is transferred into the specified local STRUCT variable when you invoke the "ProcessEvent" proc.

Say you, Say me, Say the codes together for ever.

six_L

Lea Eax, ProcessEvent
Mov TraEvent.DUMMYUNIONNAME2.EventRecordCallback, Eax   ; ==>Mov TraEvent.EventRecordCallback, Eax
Can't edit the post here, so I'm adding another.

Fraile

Wow!! I hadn't realized that! Thank you so much, six_L. I'm going to try it out and I'll let you know. Thanks a million.

Fraile

Nothing, six_L. I don't know why the events are not being processed in the procedure designated for that purpose.

.....

EVENT_RECORD Struct
    EventHeader            EVENT_HEADER <>
    BufferContext          ETW_BUFFER_CONTEXT <>
    ExtendedDataCount      WORD ?
    UserDataLength        WORD ?
    ExtendedData          DWord ?            ; pointer (PEVENT_HEADER_EXTENDED_DATA_ITEM) to the extended-data items, not the item itself
    UserData              DWord ?
    UserContext            DWord ?
EVENT_RECORD EndS

EVENT_TRACE_LOGFILEA Struct
    LogFileName DWord ?
    LoggerName DWord ?
    CurrentTime QWord ?
    BuffersRead DWord ?
    Union DUMMYUNIONNAME16
        LogFileMode DWord ?
        ProcessTraceMode DWord ?
    EndS
    CurrentEvent EVENT_TRACE <>
    LogfileHeader TRACE_LOGFILE_HEADER <>
    BufferCallback DWord  ?
    BufferSize DWord ?
    Filled DWord ?
    EventsLost DWord ?
    Union DUMMYUNIONNAME2
        EventCallback DWord  ?
        EventRecordCallback DWord  ?
    EndS
    IsKernelTrace DWord ?
    Context DWord ?
EVENT_TRACE_LOGFILEA EndS

PEVENT_RECORD TypeDef Ptr EVENT_RECORD


....
        Invoke GetProcAddress, Edi, TextStr("OpenTraceA")
        Mov Esi, Eax

        Mov TraEvent.LoggerName, Offset LoggerNameAux

        Mov TraEvent.DUMMYUNIONNAME16.ProcessTraceMode, PROCESS_TRACE_MODE_EVENT_RECORD + PROCESS_TRACE_MODE_REAL_TIME

        Lea Eax, ProcessEvent
        Mov TraEvent.DUMMYUNIONNAME2.EventRecordCallback, Eax

        Push Offset TraEvent

        Call Esi
.....

ProcessEvent Proc Uses Ebx Esi Edi, pEvent:PEVENT_RECORD

    Local HConsole:DWord

    Invoke GetStdHandle, STD_OUTPUT_HANDLE
    Mov HConsole, Eax  ; Eax now holds the console handle

    AsigText Error12, "Entra captura."
    Invoke WriteConsoleA, HConsole, Addr Error12, 14, 0, 0

    Invoke Sleep, 5000

    Ret
ProcessEvent EndP


I'm leaving all the code in case you want to have it and review it. I would greatly appreciate the help.

The session does capture events, as the 'xperf' utility shows, but my procedure does not process them.




When I force the stop with 'xperf', it tells me:





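As an added example (not code from this thread), the Python script below recomputes the EVENT_RECORD layout with ctypes for 32- and 64-bit consumers, which makes six_L's point above concrete: the callback receives a pointer to a 104-byte (x86) or 112-byte (x64) record, and ExtendedData, UserData and UserContext are pointer-sized, so a STRUCT that declares any of them as an embedded structure, or as a DWORD on x64, misplaces every member after it. It also parses a constructed record the way the callback reads fields; the event id 4624, pid 4660 and payload address are made-up sample values, and the script assumes a host whose ctypes aligns 64-bit integers to 8 bytes, as MSVC does.

```python
import ctypes as ct


class GUID(ct.Structure):
    _fields_ = [("Data1", ct.c_uint32), ("Data2", ct.c_uint16),
                ("Data3", ct.c_uint16), ("Data4", ct.c_ubyte * 8)]


class EVENT_DESCRIPTOR(ct.Structure):
    _fields_ = [("Id", ct.c_uint16), ("Version", ct.c_uint8),
                ("Channel", ct.c_uint8), ("Level", ct.c_uint8),
                ("Opcode", ct.c_uint8), ("Task", ct.c_uint16),
                ("Keyword", ct.c_uint64)]


class EVENT_HEADER(ct.Structure):
    # 80 bytes on both x86 and x64.  The 8-byte TimeStamp/Keyword members give
    # the whole record 8-byte alignment (assumes the host's ctypes aligns
    # 64-bit integers to 8, as MSVC does on both architectures).
    _fields_ = [("Size", ct.c_uint16), ("HeaderType", ct.c_uint16),
                ("Flags", ct.c_uint16), ("EventProperty", ct.c_uint16),
                ("ThreadId", ct.c_uint32), ("ProcessId", ct.c_uint32),
                ("TimeStamp", ct.c_int64), ("ProviderId", GUID),
                ("EventDescriptor", EVENT_DESCRIPTOR),
                ("ProcessorTime", ct.c_uint64),  # union with KernelTime/UserTime
                ("ActivityId", GUID)]


class ETW_BUFFER_CONTEXT(ct.Structure):
    _fields_ = [("ProcessorIndex", ct.c_uint16), ("LoggerId", ct.c_uint16)]


def make_event_record(ptr_bits):
    """EVENT_RECORD for a 32- or 64-bit consumer.  Only the three trailing
    members are pointers; everything before them has a fixed size."""
    ptr = {32: ct.c_uint32, 64: ct.c_uint64}[ptr_bits]

    class EVENT_RECORD(ct.Structure):
        _fields_ = [("EventHeader", EVENT_HEADER),
                    ("BufferContext", ETW_BUFFER_CONTEXT),
                    ("ExtendedDataCount", ct.c_uint16),
                    ("UserDataLength", ct.c_uint16),
                    ("ExtendedData", ptr),  # PEVENT_HEADER_EXTENDED_DATA_ITEM
                    ("UserData", ptr),      # PVOID, the event payload
                    ("UserContext", ptr)]   # PVOID, Context given to OpenTrace
    return EVENT_RECORD


def layout(ptr_bits):
    """Offsets the assembler STRUCT must reproduce, plus the total size."""
    rec = make_event_record(ptr_bits)
    offs = {name: getattr(rec, name).offset for name, _ in rec._fields_}
    offs["EventHeader.ProcessId"] = EVENT_HEADER.ProcessId.offset
    offs["EventHeader.EventDescriptor.Id"] = (
        EVENT_HEADER.EventDescriptor.offset + EVENT_DESCRIPTOR.Id.offset)
    offs["sizeof"] = ct.sizeof(rec)
    return offs


def sample_record(ptr_bits):
    """Constructed sample: a logon-style record (event id 4624) from pid 4660,
    serialised to the raw bytes a callback receives through its pointer."""
    rec = make_event_record(ptr_bits)()
    rec.EventHeader.Size = ct.sizeof(rec)
    rec.EventHeader.ProcessId = 4660
    rec.EventHeader.EventDescriptor.Id = 4624
    rec.UserDataLength = 8
    rec.UserData = 0x1000  # made-up payload address
    return bytes(rec)


def parse_event_record(blob, ptr_bits):
    """What the asm callback does with 'mov ax,(EVENT_RECORD PTR [ebx]).Field':
    dereference the pointer and read each member at its offset."""
    rec = make_event_record(ptr_bits).from_buffer_copy(blob)
    return {"ProcessId": rec.EventHeader.ProcessId,
            "EventId": rec.EventHeader.EventDescriptor.Id,
            "UserDataLength": rec.UserDataLength,
            "UserData": rec.UserData}
```

Comparing `layout(32)` and `layout(64)` against the offsets an assembler reports for its own STRUCT is a quick way to catch a member of the wrong width before a consumer is run.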

six_L

Hi, Fraile
This is an interesting question. It's my first time encountering this class of API; I also need to learn it. Let's figure out the problem together in the time ahead.

Fraile


Thank you very much, six_L. This is also my first time using it. It's leaving me puzzled. Let's see if we can solve it together. Again, thank you very much.

six_L

Hi, Fraile
1)
A bit of progress on "dotnet trace" has been made.
How does it run on your OS?
option casemap:none
option win64:7

include    \UASM64\include\windows.inc

includelib \UASM64\Lib\user32.lib
includelib \UASM64\Lib\kernel32.lib
includelib \UASM64\Lib\Advapi32.lib

AssemblyLoadUnloadRundown_V1 STRUCT
    AssemblyID    ULONG64 ?
    AppDomainID    ULONG64 ?
    BindingID    ULONG64 ?
    AssemblyFlags    DWORD ?
    FullyQualifiedAssemblyName WCHAR 1 dup(?)
AssemblyLoadUnloadRundown_V1 ENDS
PAssemblyLoadUnloadRundown_V1 typedef ptr AssemblyLoadUnloadRundown_V1

_MethodLoadVerbose_V1 STRUCT
    MethodID        ULONG64 ?
    ModuleID        ULONG64 ?
    MethodStartAddress    ULONG64 ?
    MethodSize        DWORD ?
    MethodToken        DWORD ?
    MethodFlags        DWORD ?
    MethodNameSpace        WCHAR 1 dup(?)
_MethodLoadVerbose_V1 ENDS
PMethodLoadUnloadVerbose_V1 typedef ptr _MethodLoadVerbose_V1

ETW_BUFFER_CONTEXT STRUCT
    union    DUMMYUNIONNAME
        STRUCT    DUMMYSTRUCTNAME
            ProcessorNumber BYTE ?
            Alignment    BYTE ?
        ENDS
        ProcessorIndex WORD ?
    ENDS
    LoggerId WORD ?
ETW_BUFFER_CONTEXT ENDS
PETW_BUFFER_CONTEXT typedef ptr ETW_BUFFER_CONTEXT

EVENT_DESCRIPTOR STRUCT
    Id    WORD ?
    Version BYTE ?
    Channel BYTE ?
    Level    BYTE ?
    Opcode    BYTE ?
    Task    WORD ?
    Keyword QWORD ?
EVENT_DESCRIPTOR ENDS
PEVENT_DESCRIPTOR typedef ptr EVENT_DESCRIPTOR

EVENT_HEADER STRUCT
    size1        WORD ?            ; Event Size
    HeaderType    WORD ?            ; Header Type
    Flags        WORD ?            ; Flags
    EventProperty    WORD ?            ; User given event property
    ThreadId    DWORD ?            ; Thread Id
    ProcessId    DWORD ?            ; Process Id
    TimeStamp    LARGE_INTEGER <>    ; Event Timestamp
    ProviderId    GUID <>            ; Provider Id
    EventDescriptor EVENT_DESCRIPTOR <>    ; Event Descriptor
    union    DUMMYUNIONNAME
        STRUCT    DUMMYSTRUCTNAME
            KernelTime DWORD ?    ; Kernel Mode CPU ticks
            UserTime DWORD ?    ; User mode CPU ticks
        ENDS
        ProcessorTime QWORD ?        ; Processor Clock
    ENDS
    ActivityId GUID <>            ; Activity Id
EVENT_HEADER ENDS
PEVENT_HEADER typedef ptr EVENT_HEADER

EVENT_RECORD STRUCT
    EventHeader        EVENT_HEADER <>        ; Event header
    BufferContext        ETW_BUFFER_CONTEXT <>  ; Buffer context
    ExtendedDataCount    WORD ?            ; Number of extended
    UserDataLength        WORD ?            ; User data length
    ExtendedData        QWORD ?            ; extended data items                                               
    UserData        QWORD ?            ; Pointer to user data
    UserContext        QWORD ?            ; Context from OpenTrace
EVENT_RECORD ENDS
PEVENT_RECORD typedef ptr EVENT_RECORD

EVENT_TRACE_HEADER STRUCT
    size1    WORD ?                    ; Size of entire record
    union    DUMMYUNIONNAME
        FieldTypeFlags WORD ?            ; Indicates valid fields
        STRUCT    DUMMYSTRUCTNAME
            HeaderType BYTE ?        ; Header type - internal use only
            MarkerFlags BYTE ?        ; Marker - internal use only
        ENDS
    ENDS
    union    DUMMYUNIONNAME2
        Version DWORD ?
        STRUCT    Class
            type1    BYTE ?            ; event type
            Level    BYTE ?            ; trace instrumentation level
            Version WORD ?            ; version of trace record
        ENDS
    ENDS
    ThreadId    DWORD ?                ; Thread Id
    ProcessId    DWORD ?                ; Process Id
    TimeStamp    LARGE_INTEGER <>        ; time when event happens
    union    DUMMYUNIONNAME3
        Guid    GUID <>                ; Guid that identifies event
        GuidPtr ULONGLONG ?            ; use with WNODE_FLAG_USE_GUID_PTR
    ENDS
    union    DUMMYUNIONNAME4
        STRUCT    DUMMYSTRUCTNAME5
            KernelTime    DWORD ?        ; Kernel Mode CPU ticks
            UserTime    DWORD ?        ; User mode CPU ticks
        ENDS
        ProcessorTime        QWORD ?        ; Processor Clock
        STRUCT    DUMMYSTRUCTNAME6
            ClientContext    DWORD ?        ; Reserved
            _Flags        DWORD ?        ; Event Flags
        ENDS
    ENDS
EVENT_TRACE_HEADER ENDS
PEVENT_TRACE_HEADER typedef ptr EVENT_TRACE_HEADER

EVENT_TRACE STRUCT
    Header            EVENT_TRACE_HEADER <>    ; Event trace header
    InstanceId        DWORD ?            ; Instance Id of this event
    ParentInstanceId    DWORD ?            ; Parent Instance Id.
    ParentGuid        GUID <>            ; Parent Guid;
    MofData            QWORD ?            ; Pointer to Variable Data
    MofLength        DWORD ?            ; Variable Datablock Length
    union    DUMMYUNIONNAME
        ClientContext    DWORD ?
        BufferContext    ETW_BUFFER_CONTEXT <>
    ENDS
EVENT_TRACE ENDS
PEVENT_TRACE typedef ptr EVENT_TRACE

TRACE_LOGFILE_HEADER STRUCT
    BufferSize    DWORD ?                ; Logger buffer size in Kbytes
    union    DUMMYUNIONNAME
        Version DWORD ?                ; Logger version
        STRUCT    VersionDetail
            MajorVersion    BYTE ?
            MinorVersion    BYTE ?
            SubVersion    BYTE ?
            SubMinorVersion BYTE ?
        ENDS
    ENDS
    ProviderVersion        DWORD ?            ; defaults to NT version
    NumberOfProcessors    DWORD ?            ; Number of Processors
    EndTime            LARGE_INTEGER <>    ; Time when logger stops
    TimerResolution        DWORD ?            ; assumes timer is constant!!!
    MaximumFileSize        DWORD ?            ; Maximum in Mbytes
    LogFileMode        DWORD ?            ; specify logfile mode
    BuffersWritten        DWORD ?            ; used to file start of Circular File
    union    DUMMYUNIONNAME2
        LogInstanceGuid GUID <>            ; For RealTime Buffer Delivery
        STRUCT    DUMMYSTRUCTNAME
            StartBuffers    DWORD ?        ; Count of buffers written at start.
            PointerSize    DWORD ?        ; Size of pointer type in bits
            EventsLost    DWORD ?        ; Events losts during log session
            CpuSpeedInMHz    DWORD ?        ; Cpu Speed in MHz
        ENDS
    ENDS
;IF DEFINED(_WMIKM_)    ;ring0
    ;LoggerName    QWORD ?
    ;LogFileName    QWORD ?
    ;TimeZone    RTL_TIME_ZONE_INFORMATION ?
;ELSE            ;ring3
    LoggerName    QWORD ?
    LogFileName    QWORD ?
    TimeZone    TIME_ZONE_INFORMATION <>
;ENDIF
    BootTime    LARGE_INTEGER <>
    PerfFreq    LARGE_INTEGER <>        ; Reserved
    StartTime    LARGE_INTEGER <>        ; Reserved
    ReservedFlags    DWORD ?                ; ClockType
    BuffersLost    DWORD ?
TRACE_LOGFILE_HEADER ENDS
PTRACE_LOGFILE_HEADER typedef ptr TRACE_LOGFILE_HEADER

EVENT_TRACE_LOGFILEA STRUCT
    LogFileName    QWORD ?                ; Logfile Name
    LoggerName    QWORD ?                ; LoggerName
    CurrentTime    LONGLONG ?            ; timestamp of last event
    BuffersRead    ULONG ?                ; buffers read to date
    union    DUMMYUNIONNAME
        LogFileMode        DWORD ?        ; Mode of the logfile
        ProcessTraceMode    DWORD ?        ; Processing flags
    ENDS
    CurrentEvent    EVENT_TRACE <>            ; Current Event from this stream
    LogfileHeader    TRACE_LOGFILE_HEADER <>        ; logfile header structure
    BufferCallback    QWORD ?                ; is read
    BufferSize    DWORD ?
    Filled        DWORD ?
    EventsLost    DWORD ?
    union    DUMMYUNIONNAME2
        EventCallback        QWORD ?        ; callback for every event
        EventRecordCallback    QWORD ?
    ENDS
    IsKernelTrace    DWORD ?                ; TRUE for kernel logfile
    Context        QWORD ?                ; reserved for internal use
EVENT_TRACE_LOGFILEA ENDS
PEVENT_TRACE_LOGFILEA typedef ptr EVENT_TRACE_LOGFILEA

WNODE_HEADER STRUCT
    BufferSize    DWORD ?            ; Size of entire buffer inclusive of this ULONG
    ProviderId    DWORD ?            ; Provider Id of driver returning this buffer
    union    DUMMYUNIONNAME
        HistoricalContext QWORD ?    ; Logger use
        STRUCT    DUMMYSTRUCTNAME
            Version DWORD ?        ; Reserved
            Linkage DWORD ?        ; Linkage field reserved for WMI
        ENDS
    ENDS
    union    DUMMYUNIONNAME2
        KernelHandle    HANDLE ?    ; Kernel handle for data block
        TimeStamp    LARGE_INTEGER <>  ; Timestamp as returned in units of 100ns
    ENDS
    Guid        GUID <>            ; Guid for data block returned with results
    ClientContext    DWORD ?
    Flags        DWORD ?            ; Flags, see below
WNODE_HEADER ENDS

EVENT_TRACE_PROPERTIES STRUCT
    Wnode            WNODE_HEADER <>
    BufferSize        DWORD ?        ; buffer size for logging (kbytes)
    MinimumBuffers        DWORD ?        ; minimum to preallocate
    MaximumBuffers        DWORD ?        ; maximum buffers allowed
    MaximumFileSize        DWORD ?        ; maximum logfile size (in MBytes)
    LogFileMode        DWORD ?        ; sequential, circular
    FlushTimer        DWORD ?        ; buffer flush timer, in seconds
    EnableFlags        DWORD ?        ; trace enable flags
    union    DUMMYUNIONNAME
        AgeLimit    DWORD ?        ; unused
        FlushThreshold    DWORD ?        ; Number of buffers to fill before flushing
    ENDS
    NumberOfBuffers        DWORD ?        ; no of buffers in use
    FreeBuffers        DWORD ?        ; no of buffers free
    EventsLost        DWORD ?        ; event records lost
    BuffersWritten        DWORD ?        ; no of buffers written to file
    LogBuffersLost        DWORD ?        ; no of logfile write failures
    RealTimeBuffersLost    DWORD ?        ; no of rt delivery failures
    LoggerThreadId        HANDLE ?    ; thread id of Logger
    LogFileNameOffset    DWORD ?        ; Offset to LogFileName
    LoggerNameOffset    DWORD ?        ; Offset to LoggerName
EVENT_TRACE_PROPERTIES ENDS
PEVENT_TRACE_PROPERTIES typedef ptr EVENT_TRACE_PROPERTIES

_StartTraceA typedef PROTO TraceHandle:QWORD,InstanceName:QWORD,Properties:QWORD
@StartTraceA typedef ptr _StartTraceA
_EnableTraceEx typedef PROTO ProviderId:QWORD,SourceId:QWORD,TraceHandle:QWORD,IsEnabled:DWORD,Level:DWORD,MatchAnyKeyword:QWORD,MatchAllKeyword:QWORD,EnableProperty:DWORD,EnableFilterDesc:QWORD    ; MatchAnyKeyword/MatchAllKeyword are ULONGLONG, so the stack slots must be filled as QWORDs
@EnableTraceEx typedef ptr _EnableTraceEx
_OpenTraceA typedef PROTO Logfile:QWORD
@OpenTraceA typedef ptr _OpenTraceA
_ProcessTrace typedef PROTO HandleArray:QWORD,HandleCount:DWORD,StartTime:QWORD,EndTime:QWORD
@ProcessTrace typedef ptr _ProcessTrace

.const
    IDD_DIALOG    equ    100
    IDI_ICON    equ    200
   
    IDC_TEST    equ    3002
    IDC_EXIT    equ    3003
    IDC_OUTPUT    equ    3004

    AssemblyDCStart_V1        equ 155
    AssemblyLoad_V1            equ 154
    MethodLoadVerbose_V1        equ 143
   
    PROCESS_TRACE_MODE_REAL_TIME    equ < 000000100h>
    PROCESS_TRACE_MODE_EVENT_RECORD    equ < 010000000h>
    WNODE_FLAG_TRACED_GUID        equ < 000020000h>
    EVENT_TRACE_REAL_TIME_MODE    equ < 000000100h>
    EVENT_TRACE_USE_PAGED_MEMORY    equ < 001000000h>
    TRACE_LEVEL_VERBOSE        equ < 5>


.data
    trace        EVENT_TRACE_LOGFILEA <0>
    traceProp    PEVENT_TRACE_PROPERTIES 0
    hTrace        QWORD 0
    dqIndex        QWORD 0



    Name        db "dotnet trace",0
    ;GUID { 0xe13c0d23, 0xccbc, 0x4e12, { 0x93, 0x1b, 0xd9, 0xcc, 0x2e, 0xee, 0x27, 0xe4 } }
    ClrRuntimeProviderGuid \
            dd 0e13c0d23h
            dw 0ccbch
            dw 04e12h
            db 093h, 01bh, 0d9h, 0cch, 02eh, 0eeh, 027h, 0e4h

.data?
    hUserDll    dq ?
    hInstance    HINSTANCE ?
    hMain        dq ?
    hHeap        dq ?
    pStartTraceA    @StartTraceA ?
    pEnableTraceEx    @EnableTraceEx ?
    pOpenTraceA    @OpenTraceA ?
    pProcessTrace    @ProcessTrace ?

.code

ErrorMessage Proc uses rbx lpCaption:qword
    Local lpErrorMessage:QWORD

    call    GetLastError
    lea    rbx,lpErrorMessage
    invoke    FormatMessage, FORMAT_MESSAGE_ALLOCATE_BUFFER or FORMAT_MESSAGE_FROM_SYSTEM, NULL, eax, LANG_NEUTRAL,rbx,0,NULL

    invoke    MessageBox, 0, lpErrorMessage, lpCaption, MB_OK or MB_ICONINFORMATION
    invoke    LocalFree, lpErrorMessage
    ret   

ErrorMessage EndP

GetTraceApiFunctions proc
       
    invoke    LoadLibrary,CStr("Advapi32.dll")
    .if rax
        mov    hUserDll,rax
        invoke    GetProcAddress,hUserDll,CStr("StartTraceA")
        mov    pStartTraceA,rax
        .if    rax == NULL
            invoke    ErrorMessage,CStr("StartTraceA")
            jmp    @Err
        .endif
       
        invoke    GetProcAddress,hUserDll,CStr("EnableTraceEx")
        mov    pEnableTraceEx,rax
        .if    rax == NULL
            invoke    ErrorMessage,CStr("EnableTraceEx")
            jmp    @Err
        .endif
       
        invoke    GetProcAddress,hUserDll,CStr("OpenTraceA")
        mov    pOpenTraceA,rax
        .if    rax == NULL
            invoke    ErrorMessage,CStr("OpenTraceA")
            jmp    @Err
        .endif
       
        invoke    GetProcAddress,hUserDll,CStr("ProcessTrace")
        mov    pProcessTrace,rax
        .if    rax == NULL
            invoke    ErrorMessage,CStr("ProcessTrace")
            jmp    @Err
        .endif
    .else
        invoke    MessageBox,NULL,CStr("Advapi32.dll load Failed"),CStr("LoadLibrary"),MB_OK
        jmp    @Err
    .endif
    mov    rax,0
    ret
@Err:   
    mov    rax,1
    ret

GetTraceApiFunctions endp

AddLog proc pStr:QWORD

        invoke  SendDlgItemMessage, hMain,IDC_OUTPUT,EM_GETLINECOUNT,0,0
        dec     rax
        invoke  SendDlgItemMessage, hMain,IDC_OUTPUT,EM_LINEINDEX,rax,0
        invoke  SendDlgItemMessage, hMain,IDC_OUTPUT,EM_SETSEL,rax,rax
        invoke  SendDlgItemMessage, hMain,IDC_OUTPUT,EM_REPLACESEL,FALSE,pStr
    invoke    SendDlgItemMessage, hMain,IDC_OUTPUT, EM_SCROLLCARET, 0, 0
        ret

AddLog endp

ProcessEvent proc uses rbx rsi rdi EventRecord:PEVENT_RECORD
    Local eventHeader:PEVENT_HEADER
    Local eventDescriptor:PEVENT_DESCRIPTOR
    Local assemblyUserData:AssemblyLoadUnloadRundown_V1
    Local methodUserData:_MethodLoadVerbose_V1
    Local MethodNameSpace:QWORD
    Local MethodName:QWORD
    Local MethodSignature:QWORD
    Local szTmp[512]:BYTE
    Local szTmp1[128]:BYTE
    Local cxId:WORD

     invoke    RtlZeroMemory,ADDR szTmp,sizeof szTmp
    inc    dqIndex
   
    mov    rbx,EventRecord
    lea    rax,(EVENT_RECORD PTR [rbx]).EventHeader
    mov    eventHeader,rax
   
    mov    rsi,eventHeader
    lea    rax,(EVENT_HEADER PTR [rsi]).EventDescriptor
    mov    eventDescriptor,rax

    mov    rdi,eventDescriptor
    mov    cx,(EVENT_DESCRIPTOR PTR [rdi]).Id
    mov    cxId,cx

    .if    cx == AssemblyLoad_V1
        invoke  wsprintf,addr szTmp,CStr("(%d) AssemblyLoad_V1: Id of EVENT_DESCRIPTOR = %i",13,10),dqIndex,cxId
        invoke  AddLog,addr szTmp

    .elseif cx == MethodLoadVerbose_V1    ;/*case MethodLoadVerbose_V1:
        invoke  wsprintf,addr szTmp,CStr("(%d) MethodLoadVerbose_V1: Id of EVENT_DESCRIPTOR = %i",13,10),dqIndex,cxId
        invoke  AddLog,addr szTmp
    .elseif cx == AssemblyDCStart_V1    ;/*case MethodLoadVerbose_V1:
        invoke  wsprintf,addr szTmp,CStr("(%d) AssemblyDCStart_V1: Id of EVENT_DESCRIPTOR = %d",13,10),dqIndex,cxId
        invoke  AddLog,addr szTmp
    .else
        invoke  wsprintf,addr szTmp,CStr("(%d) Unknow: Id of EVENT_DESCRIPTOR = %d",13,10),dqIndex,cxId
        invoke  AddLog,addr szTmp
    .endif

    ret

ProcessEvent endp

WorkerThread proc uses rbx szpBuf:QWORD        ;int main(void)
    Local result:ULONG
    Local bufferSize:ULONG

    invoke  AddLog,CStr("ETW .NET Trace example - @_xpn_",13,10)
   
    invoke    RtlZeroMemory,ADDR trace,sizeof trace
    mov    trace.ProcessTraceMode,PROCESS_TRACE_MODE_REAL_TIME or PROCESS_TRACE_MODE_EVENT_RECORD
    lea    rax,Name
    mov    trace.LoggerName,rax
    lea    rax,ProcessEvent
    mov    trace.EventRecordCallback,rax

    mov    eax,sizeof Name
    add    eax,sizeof EVENT_TRACE_PROPERTIES
    add    eax,sizeof WCHAR
    mov    bufferSize,eax

    invoke    HeapAlloc,hHeap,HEAP_ZERO_MEMORY, bufferSize
    mov    traceProp,rax
   
    mov    rbx,traceProp
    mov    eax,bufferSize
    mov    (EVENT_TRACE_PROPERTIES PTR [rbx]).Wnode.BufferSize,eax
    mov    (EVENT_TRACE_PROPERTIES PTR [rbx]).Wnode.ClientContext,2
    mov    (EVENT_TRACE_PROPERTIES PTR [rbx]).Wnode.Flags,WNODE_FLAG_TRACED_GUID
    mov    (EVENT_TRACE_PROPERTIES PTR [rbx]).LogFileMode,EVENT_TRACE_REAL_TIME_MODE or EVENT_TRACE_USE_PAGED_MEMORY
    mov    (EVENT_TRACE_PROPERTIES PTR [rbx]).LogFileNameOffset,0
    mov    (EVENT_TRACE_PROPERTIES PTR [rbx]).LoggerNameOffset,sizeof EVENT_TRACE_PROPERTIES
   
    invoke    pStartTraceA,addr hTrace,addr Name, traceProp
    .if eax != ERROR_SUCCESS            ; ULONG result: compare eax, the upper half of rax is undefined
        invoke    ErrorMessage,CStr("StartTraceA")
        mov    rax,1
        ret
    .endif
    invoke    pEnableTraceEx,addr ClrRuntimeProviderGuid,NULL,hTrace,1,\
        TRACE_LEVEL_VERBOSE,08h or 010h,0,0,NULL
    .if eax != ERROR_SUCCESS
        invoke    ErrorMessage,CStr("EnableTraceEx")
        mov    rax,2
        ret
    .endif
    invoke    pOpenTraceA,addr trace
    .if rax == -1                    ; OpenTraceA returns INVALID_PROCESSTRACE_HANDLE (all bits set) on failure, not 0
        invoke    ErrorMessage,CStr("OpenTraceA")
        mov    rax,3
        ret
    .endif
    mov    hTrace,rax                ; consumer handle; the session handle from StartTraceA is overwritten here
    invoke    pProcessTrace,addr hTrace,1,NULL,NULL    ; blocks this worker thread until the session ends
    .if eax != ERROR_SUCCESS
        invoke    ErrorMessage,CStr("ProcessTrace")
        mov    rax,4
        ret
    .endif

    mov    rax,0
    ret

WorkerThread endp

DlgProc proc uses rdi rsi hWnd:HWND,uMsg:UINT,wParam:WPARAM,lParam:LPARAM

    mov eax,uMsg
    .if eax==WM_INITDIALOG
        invoke    LoadIcon,hInstance,IDI_ICON
        invoke    SendMessage,hWnd,WM_SETICON,ICON_BIG,rax
       
        mov    rax,hWnd
        mov    hMain,rax

        invoke    GetTraceApiFunctions

        invoke    GetProcessHeap
        mov    hHeap, rax

        mov    dqIndex,0

    .elseif eax==WM_COMMAND
        mov    rax,wParam
        mov    rdx,rax
        shr    edx,16
        .if edx == BN_CLICKED
            .if ax==IDC_EXIT
                invoke    SendMessage,hWnd,WM_CLOSE,0, 0
            .elseif ax==IDC_TEST
                invoke    CreateThread,NULL,NULL,offset WorkerThread,NULL,NULL,NULL
                invoke    CloseHandle,rax
            .endif
        .endif
    .elseif eax==WM_CLOSE
        invoke  FreeLibrary,hUserDll
         invoke    HeapFree,hHeap,HEAP_ZERO_MEMORY,traceProp
        invoke    EndDialog,hWnd,0
    .endif
    xor rax,rax
    ret

DlgProc endp

WinMainCRTStartup Proc
    invoke    GetModuleHandle,NULL
    mov    hInstance,rax
    invoke    DialogBoxParam,hInstance,IDD_DIALOG,0,addr DlgProc,0
    invoke    ExitProcess,NULL
WinMainCRTStartup Endp

end

2) If we can create provider code like the M$ demo, maybe the consumer code can be simplified.
But I can't get the "TraceLoggingRegister" API. How are you doing there?

Fraile

Hello six_L, GREAT!!!!! I was doing it in 32 bits; do you think I could switch it to 64 bits? Congratulations!!! This project is very important to me.

Fraile

My idea was to capture events from already existing providers. More specifically, security events, to detect, for example, session logins on Windows. I check all the providers available on the system with "D:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit>xperf -providers". The idea of my project is to create a basic SIEM. The system has a maximum number of event controllers.

Fraile


Could you please compress and upload the example again? The file 111.zip is giving me an error. Thank you very much.

stoo23

Hi, 'SixL' was merely following Hutch's old recommendations regarding uploading images to the server, by changing the file extension to .zip.

The file is actually the image file below the 'code' tags in his post. :smiley:
If you have downloaded it, you can simply change the .zip extension to .jpg and you will see the image from the post. :smiley:

cheers,
Stewart

"you take the blonde I'll take the one with the turban" !!!  :joking:

Fraile

Haha, I thought it was the source code!  :joking: