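def some_func(name, guid):
    """Capture events from one ETW provider until a local control endpoint says stop.

    Each event is printed with single quotes swapped for double quotes (a crude
    attempt at JSON-looking output, not a real serializer). The loop posts the
    provider GUID to ``http://127.0.0.1:8093/query`` every 10 seconds and ends
    when the response body is exactly ``"no"``. Note that the stop decision is
    taken from an unauthenticated plain-HTTP endpoint on loopback.

    Args:
        name: Display name for the ETW provider.
        guid: Provider GUID without the surrounding braces.

    The trace session is always stopped on exit: after the endpoint says stop,
    after the HTTP call fails, or when any other exception propagates.
    """
    # ProviderInfo wants the brace-wrapped form "{11111111-1111-1111-1111-111111111111}"
    providers = [etw.ProviderInfo(name, etw.GUID("{" + guid + "}"))]
    job = etw.ETW(providers=providers,
                  event_callback=lambda x: print(str(x).replace("'", "\"")))
    job.start()

    # Loop-invariant request pieces: the control server only needs the GUID.
    url = "http://127.0.0.1:8093/query"
    payload = json.dumps([{"Provider": guid}])
    try:
        while True:
            r = requests.post(url, payload)
            if r.text == "no":
                break
            time.sleep(10)
    except requests.RequestException:
        # Control endpoint unreachable or errored: give up on polling.
        print("dead")
    finally:
        # Never leave the trace session running, even on KeyboardInterrupt.
        job.stop()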
def some_func():
    """Run a capture for one placeholder provider inside the ETW context manager.

    The session object is entered with ``with``, so the context manager owns
    start and teardown of the trace; ``etw.run('etw')`` drives the capture and
    events go to the module-supplied ``etw.on_event_callback``.
    """
    provider = etw.ProviderInfo(
        'Some Provider',
        etw.GUID("{11111111-1111-1111-1111-111111111111}"),
    )
    session = etw.ETW(providers=[provider], event_callback=etw.on_event_callback)
    with session:
        etw.run('etw')
 def __init__(self):
     """Set up an RPC-focused ETW session from ``rpc_servers.json``.

     Creates the shared event list and the lock that guards it, then builds a
     session on Microsoft-Windows-RPC at verbose level with every keyword bit
     enabled, dispatching to ``self.etw_callback``. The session is only
     constructed here; nothing in this method starts it.
     """
     self.config = RpcServersConfig.load('rpc_servers.json')
     self.lock = threading.Lock()
     self.events = []
     rpc_provider = etw.ProviderInfo(
         name='Microsoft-Windows-RPC',
         guid=etw.GUID("{6ad52b32-d609-4be9-ae07-ce8dae937e39}"),
         level=etw.evntrace.TRACE_LEVEL_VERBOSE,
         # all 64 keyword bits set: no keyword-level filtering at the provider
         any_keywords=0xffffffffffffffff,
     )
     self.session = etw.ETW(providers=[rpc_provider],
                            event_callback=self.etw_callback)
 def __init__(self,
              event_callback,
              session_name='PSRP_monitor',
              include_pids=None):
     """Subscribe to the Microsoft-Windows-PowerShell provider.

     Args:
         event_callback: Called for each captured event; forwarded to the base class.
         session_name: Name of the ETW session (default ``'PSRP_monitor'``).
         include_pids: Passed through to the base class unchanged (presumably a
             PID allow-list; confirm against the base class).
     """
     # Two keyword bits OR-ed together; what each bit selects is defined by the
     # provider manifest, not here.
     keyword_mask = 0x4000000000000008 | 0x4000000000000100
     powershell_provider = etw.ProviderInfo(
         name='Microsoft-Windows-PowerShell',
         guid=etw.GUID('{A0C1853B-5C40-4B15-8766-3CF1C58F985A}'),
         level=5,
         any_keywords=keyword_mask,
     )
     super().__init__(event_callback,
                      [powershell_provider],
                      session_name=session_name,
                      include_pids=include_pids)
 def __init__(self,
              event_callback,
              session_name='PSRP_monitor',
              include_pids=None):
     """Subscribe to the Microsoft-Windows-WinRM provider.

     Args:
         event_callback: Called for each captured event; forwarded to the base class.
         session_name: Name of the ETW session (default ``'PSRP_monitor'``).
         include_pids: Passed through to the base class unchanged (presumably a
             PID allow-list; confirm against the base class).
     """
     # ``all_keywords``: an event must match every set bit, unlike ``any_keywords``.
     keyword_mask = 0x2000000000000005
     winrm_provider = etw.ProviderInfo(
         name='Microsoft-Windows-WinRM',
         guid=etw.GUID('{A7975C8F-AC13-49F1-87DA-5A984A4AB417}'),
         level=4,
         all_keywords=keyword_mask,
     )
     super().__init__(event_callback,
                      [winrm_provider],
                      session_name=session_name,
                      include_pids=include_pids)
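def some_func():
    """Capture from one placeholder provider for five seconds, then stop.

    Each event is printed as-is. ``job.stop()`` runs in a ``finally`` so the
    trace session is torn down even if the wait is interrupted (for example by
    KeyboardInterrupt) rather than only on the happy path.
    """
    providers = [
        etw.ProviderInfo('Some Provider',
                         etw.GUID("{11111111-1111-1111-1111-111111111111}"))
    ]
    job = etw.ETW(providers=providers, event_callback=lambda x: print(x))
    job.start()
    try:
        # capture window
        time.sleep(5)
    finally:
        # a session left running can outlive this process; always stop it
        job.stop()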
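def main_function():
    """Trace process-start events from Microsoft-Windows-Kernel-Process until Ctrl-C.

    Each PROCESSSTART event is handed to ``get_me_my_parent``. The session is
    stopped in ``finally`` so it is torn down on KeyboardInterrupt and on any
    other exception alike; the completion message is printed only when the
    loop ended via Ctrl-C.
    """
    import time  # local: only needed for the idle wait below

    providers = [etw.ProviderInfo('Microsoft-Windows-Kernel-Process',
                                  etw.GUID("{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}"))]
    # task_name_filters restricts the callback to PROCESSSTART events
    job = etw.ETW(providers=providers,
                  event_callback=get_me_my_parent,
                  task_name_filters="PROCESSSTART")
    job.start()
    try:
        # Idle until interrupted; sleeping instead of `while True: pass` avoids
        # pinning a CPU core while the callback does the real work.
        while True:
            time.sleep(1)
    except KeyboardInterrupt:
        pass
    finally:
        job.stop()
    print("ETW monitoring stopped.")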
 def __init__(self, event_callback):
     """Register a single placeholder provider and delegate to the base class.

     Args:
         event_callback: Receives each captured event; forwarded unchanged.
     """
     placeholder = etw.ProviderInfo(
         'Some Provider',
         etw.GUID("{11111111-1111-1111-1111-111111111111}"),
     )
     super().__init__(providers=[placeholder], event_callback=event_callback)