ETW Event Consumer, StartTraceA API

Started by Fraile, February 11, 2024, 07:54:00 AM


Fraile

Thank you, really, I don't take it as a bad thing, quite the opposite. It might be old programmer habits, possibly.

NoCforMe

Well, it is redundant, and clutters up your code.

Sorry I can't help you with your substantive issues here.
Assembly language programming should be fun. That's why I do it.

Fraile

I rushed to reply to you, I didn't pay close attention to the procedure definition. You are absolutely right.

Fraile

Hi six_L, I've made progress with the documentation, please take a look at this URL when you can:

https://learn.microsoft.com/en-us/dotnet/framework/performance/loader-etw-events

six_L

Hi, Fraile.
1)
Quote: https://learn.microsoft.com/en-us/dotnet/framework/performance/loader-etw-events
This is helpful information about dotnet tracing. Thanks.
2)
I've recently searched the web with M$ Bing and GitHub. Nothing about Microsoft Windows Security Auditing tracing has been found. If we get working C code, that's a good beginning.

Regards.
Say you, Say me, Say the codes together for ever.

Fraile

Hi six_L, I've also made some progress on that. Let me explain how I think it works: Microsoft doesn't allow gathering security events the way we're currently doing it. We need to "subscribe" to Microsoft's own security provider. Here's some documentation I found:

https://stackoverflow.com/questions/75682202/how-to-capture-events-from-etw-provider-microsoft-windows-security-auditing-in

Fraile

Hi six_L, don't you find it odd that in this guy's example, he can see information about loading in the .NET CLR and we can't?

https://gist.github.com/aaaddress1/4add6b873ae6ed70cb125a7587d2e1bc

six_L

Hi, Fraile.
1)
The Microsoft Windows Security Auditing trace relates to Ring0. It's not easy.
2)
I can't access the web link. Post it here.

Regards.
Say you, Say me, Say the codes together for ever.

Fraile

Hi six_L, I've managed to do it. The problem was the format; it works fine with the 'wsprintf' function, using the format value '%S'. I'll pass along all the code; everything is working up to this point. Thank you very much for your help and advice. Now I'm going to try capturing security login events.





Fraile

Hello six_L, I have already managed to consume "Security" events. You just need to make a small modification in the code, leaving only the "OpenTraceA" and "ProcessTrace" functions, and open the system's own session, in this case "Eventlog-Security":


.Data

LoggerNameAux      DB 'Eventlog-Security', 0    ; session name must be NUL-terminated

.....
.Code

.....

    Invoke RtlZeroMemory, Addr TraEvent, SizeOf EVENT_TRACE_LOGFILEA

    ; Load Advapi32.dll, which exports OpenTraceA and ProcessTrace
    Invoke LoadLibrary, TextStr("Advapi32.dll")

    .If Eax

        Mov Edi, Eax
        Mov HandleLibrary, Eax

        ; ******************************************************************
        ; Build the ETW trace handle used to consume events.
        ; ******************************************************************

        Invoke GetProcAddress, Edi, TextStr("OpenTraceA")
        Mov Esi, Eax

        ; Attach to the already-running system session instead of starting our own
        Lea Eax, LoggerNameAux
        Mov TraEvent.LoggerName, Eax

        ; Real-time consumption, events delivered as EVENT_RECORD to the callback
        Mov TraEvent.DUMMYUNIONNAME.ProcessTraceMode, PROCESS_TRACE_MODE_REAL_TIME Or PROCESS_TRACE_MODE_EVENT_RECORD

        Lea Eax, ProcessEvent
        Mov TraEvent.DUMMYUNIONNAME2.EventRecordCallback, Eax

        Push Offset TraEvent
        Call Esi                                ; OpenTraceA(&TraEvent)

        ; OpenTraceA returns a 64-bit TRACEHANDLE in EDX:EAX; on failure both halves are -1
        Cmp Eax, INVALID_PROCESSTRACE_HANDLE
        Je Error_ExitOnce

        Mov DWord Ptr TraceHandle, Eax          ; TraceHandle must be declared as a QWORD,
        Mov DWord Ptr TraceHandle + 4, Edx      ; ProcessTrace reads a 64-bit handle array

        ; ******************************************************************
        ; Call ProcessTrace; it blocks and delivers events to ProcessEvent.
        ; ******************************************************************

        Mov Edi, HandleLibrary

        Invoke GetProcAddress, Edi, TextStr("ProcessTrace")
        Mov Esi, Eax

        ; ProcessTrace(&TraceHandle, 1, NULL, NULL): arguments pushed right to left
        Push NULL                               ; EndTime
        Push NULL                               ; StartTime
        Push 1                                  ; HandleCount
        Push Offset TraceHandle                 ; HandleArray
        Call Esi

    .EndIf
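The same consumer as an added example in Python/ctypes (not code from this thread or from Fraile): it follows the two-call pattern described above, "subscribing" to the system's own "Eventlog-Security" session with OpenTraceA and then blocking in ProcessTrace, and tallies Security events by Event ID. The structure layouts are transcribed from the Windows SDK evntrace.h/evntcons.h headers, with the parts the consumer never reads kept as opaque, correctly aligned blobs; the helper names (layout_check, logfile_for_session, consume_security_events) are my own. It assumes the Eventlog-Security session is running, as the thread states, and that the process is elevated; the advapi32 calls need Windows, while the layout helpers run anywhere.

```python
import ctypes as C
import sys

PROCESS_TRACE_MODE_REAL_TIME = 0x00000100
PROCESS_TRACE_MODE_EVENT_RECORD = 0x10000000
INVALID_PROCESSTRACE_HANDLE = 0xFFFFFFFFFFFFFFFF
ERROR_CANCELLED = 1223                       # ProcessTrace stopped by BufferCallback
SECURITY_SESSION = b"Eventlog-Security"      # the system session named in the thread
# stdcall callback type exists only on Windows; on x64 cdecl is identical anyway
CBTYPE = getattr(C, "WINFUNCTYPE", C.CFUNCTYPE)

class GUID(C.Structure):
    _fields_ = [("Data1", C.c_uint32), ("Data2", C.c_uint16),
                ("Data3", C.c_uint16), ("Data4", C.c_uint8 * 8)]

class EVENT_DESCRIPTOR(C.Structure):          # 16 bytes
    _fields_ = [("Id", C.c_uint16), ("Version", C.c_uint8), ("Channel", C.c_uint8),
                ("Level", C.c_uint8), ("Opcode", C.c_uint8), ("Task", C.c_uint16),
                ("Keyword", C.c_uint64)]

class EVENT_HEADER(C.Structure):              # 80 bytes
    _fields_ = [("Size", C.c_uint16), ("HeaderType", C.c_uint16),
                ("Flags", C.c_uint16), ("EventProperty", C.c_uint16),
                ("ThreadId", C.c_uint32), ("ProcessId", C.c_uint32),
                ("TimeStamp", C.c_int64), ("ProviderId", GUID),
                ("EventDescriptor", EVENT_DESCRIPTOR),
                ("ProcessorTime", C.c_uint64), ("ActivityId", GUID)]

class EVENT_RECORD(C.Structure):              # what EventRecordCallback receives
    _fields_ = [("EventHeader", EVENT_HEADER), ("BufferContext", C.c_uint32),
                ("ExtendedDataCount", C.c_uint16), ("UserDataLength", C.c_uint16),
                ("ExtendedData", C.c_void_p), ("UserData", C.c_void_p),
                ("UserContext", C.c_void_p)]

class TRACE_LOGFILE_HEADER(C.Structure):
    # The consumer never reads this; only size and alignment matter, so the first
    # 56 bytes (ULONGs, EndTime, LogInstanceGuid) are kept as an opaque blob.
    _fields_ = [("_fixed", C.c_uint64 * 7),
                ("LoggerName", C.c_void_p), ("LogFileName", C.c_void_p),
                ("TimeZone", C.c_uint8 * 172),  # TIME_ZONE_INFORMATION
                ("BootTime", C.c_int64), ("PerfFreq", C.c_int64),
                ("StartTime", C.c_int64),
                ("ReservedFlags", C.c_uint32), ("BuffersLost", C.c_uint32)]

EVENT_RECORD_CALLBACK = CBTYPE(None, C.POINTER(EVENT_RECORD))
BUFFER_CALLBACK = CBTYPE(C.c_uint32, C.c_void_p)   # return 0 (FALSE) to stop

class EVENT_TRACE_LOGFILEA(C.Structure):
    _fields_ = [("LogFileName", C.c_char_p), ("LoggerName", C.c_char_p),
                ("CurrentTime", C.c_int64), ("BuffersRead", C.c_uint32),
                ("ProcessTraceMode", C.c_uint32),    # union with LogFileMode
                ("CurrentEvent", C.c_uint64 * 11),   # EVENT_TRACE (88 bytes), opaque
                ("LogfileHeader", TRACE_LOGFILE_HEADER),
                ("BufferCallback", BUFFER_CALLBACK),
                ("BufferSize", C.c_uint32), ("Filled", C.c_uint32),
                ("EventsLost", C.c_uint32),
                ("EventRecordCallback", EVENT_RECORD_CALLBACK),
                ("IsKernelTrace", C.c_uint32), ("Context", C.c_void_p)]

def layout_check():
    """Pointer-size-independent sizes to compare against the SDK headers before
    trusting the layout: EVENT_DESCRIPTOR, EVENT_HEADER, EVENT_RECORD minus its
    three pointers, TRACE_LOGFILE_HEADER minus its two pointers."""
    p = C.sizeof(C.c_void_p)
    return (C.sizeof(EVENT_DESCRIPTOR), C.sizeof(EVENT_HEADER),
            C.sizeof(EVENT_RECORD) - 3 * p, C.sizeof(TRACE_LOGFILE_HEADER) - 2 * p)

def logfile_for_session(session=SECURITY_SESSION):
    """Same setup as the MASM code: zeroed EVENT_TRACE_LOGFILEA, LoggerName set
    to an already-running session, real-time mode with EVENT_RECORD delivery."""
    lf = EVENT_TRACE_LOGFILEA()                # ctypes zero-fills, like RtlZeroMemory
    lf.LoggerName = session
    lf.ProcessTraceMode = PROCESS_TRACE_MODE_REAL_TIME | PROCESS_TRACE_MODE_EVENT_RECORD
    return lf

def consume_security_events(max_events=20, session=SECURITY_SESSION):
    """Attach to the session and return {event_id: count} after max_events records
    (4624 = logon, 4625 = failed logon, 4688 = process creation). Windows only;
    the process must be elevated to open Eventlog-Security."""
    adv = C.WinDLL("advapi32", use_last_error=True)
    adv.OpenTraceA.restype = C.c_uint64        # TRACEHANDLE is 64-bit even on x86
    adv.OpenTraceA.argtypes = [C.POINTER(EVENT_TRACE_LOGFILEA)]
    adv.ProcessTrace.restype = C.c_uint32
    adv.ProcessTrace.argtypes = [C.POINTER(C.c_uint64), C.c_uint32, C.c_void_p, C.c_void_p]
    adv.CloseTrace.argtypes = [C.c_uint64]
    counts = {}

    @EVENT_RECORD_CALLBACK
    def on_event(rec):
        hdr = rec.contents.EventHeader
        eid = hdr.EventDescriptor.Id
        counts[eid] = counts.get(eid, 0) + 1
        print(f"pid={hdr.ProcessId} event_id={eid}")

    @BUFFER_CALLBACK
    def on_buffer(_logfile):                   # called after each delivered buffer
        return 0 if sum(counts.values()) >= max_events else 1

    lf = logfile_for_session(session)
    lf.EventRecordCallback, lf.BufferCallback = on_event, on_buffer
    handle = C.c_uint64(adv.OpenTraceA(C.byref(lf)))
    if handle.value == INVALID_PROCESSTRACE_HANDLE:
        raise OSError(C.get_last_error(), "OpenTraceA failed: run elevated, session must exist")
    try:                                       # ProcessTrace(&handle, 1, NULL, NULL) blocks here
        status = adv.ProcessTrace(C.byref(handle), 1, None, None)
        if status not in (0, ERROR_CANCELLED):
            raise OSError(status, "ProcessTrace failed")
    finally:
        adv.CloseTrace(handle)
    return counts

if __name__ == "__main__" and sys.platform == "win32":
    print(consume_security_events())
```

Two points the MASM listing glosses over are made explicit here: the TRACEHANDLE is a 64-bit value even in a 32-bit process, so it is stored in a c_uint64 and passed by address as a one-element array, and ProcessTrace is stopped cleanly by returning FALSE from BufferCallback (ProcessTrace then returns ERROR_CANCELLED) rather than by killing the process. Counting by EventDescriptor.Id is enough to see logon activity (4624/4625); decoding UserData into named fields needs TdhGetEventInformation, which is left out of this example.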




Fraile

To be able to see the names of the sessions already open, you can use the command "xperf -providers".

Fraile

I'm leaving two articles explaining a little about what I've learned and the purpose of the project. I recommend the book 'Windows Internals Part 2'; the topic of ETW is covered very well there. I'm going to keep working on this event capture project, and I would greatly appreciate your feedback. Thank you very much, everyone, especially 'six_L'.



https://www.linkedin.com/feed/update/urn:li:activity:7178122925810606082

https://www.linkedin.com/feed/update/urn:li:activity:7180514064782004224



Biterider

Hi Fraile,
It's great to see you using MASM for a real application.
Keep up the good work!  :thumbsup:

Biterider
