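def some_func(name, guid):
    """Capture events from one ETW provider until a local control endpoint says stop.

    Args:
        name: Display name of the provider, passed straight to ``etw.ProviderInfo``.
        guid: Provider GUID *without* braces; the braces are added here. The same
            string is echoed back to the control endpoint as ``{"Provider": guid}``.

    The loop polls ``POST http://127.0.0.1:8093/query`` every ten seconds and
    ends when the body is exactly ``"no"`` or the request raises. ``job.stop()``
    sits in a ``finally`` so the kernel-side trace session is also torn down on
    exits the original code did not cover (KeyboardInterrupt, SystemExit), and
    the failure reason is printed instead of being swallowed behind ``"dead"``.
    """
    # define capture provider info (guid is bare, e.g. "11111111-1111-1111-1111-111111111111")
    providers = [etw.ProviderInfo(name, etw.GUID("{" + guid + "}"))]
    # The callback prints a repr with single quotes swapped for double quotes.
    # This is a best-effort JSON-ish dump: any field value containing a quote
    # will produce malformed output, so do not feed it to a strict JSON parser.
    job = etw.ETW(
        providers=providers,
        event_callback=lambda x: print(str(x).replace("'", "\"")),
    )
    # Control channel: plain HTTP on loopback only; the body is sent as raw data
    # (no Content-Type header), matching what the endpoint already accepts.
    url = "http://127.0.0.1:8093/query"
    payload = json.dumps([{"Provider": guid}])
    # start capture
    job.start()
    try:
        while True:
            try:
                response = requests.post(url, payload).text
            except Exception as e:
                # Endpoint unreachable or bad reply: say why, then stop via finally.
                print("dead", repr(e))
                break
            if response == "no":
                break
            time.sleep(10)
    finally:
        # stop capture: runs on "no", on request failure and on interrupt alike
        job.stop()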
def some_func():
    """Run a capture for a single placeholder provider using ETW as a context manager.

    The ``with`` block owns the session; ``etw.run('etw')`` is invoked inside it
    with the library's own ``on_event_callback`` as the event sink.
    """
    # define capture provider info
    provider_guid = etw.GUID("{11111111-1111-1111-1111-111111111111}")
    provider = etw.ProviderInfo('Some Provider', provider_guid)
    # create instance of ETW and start capture
    with etw.ETW(providers=[provider], event_callback=etw.on_event_callback):
        # run capture
        etw.run('etw')
def __init__(self):
    """Load the RPC server config and build (but not start) an ETW session.

    Attributes set here:
        config: ``RpcServersConfig`` loaded from ``'rpc_servers.json'``.
        events: Empty list for captured events.
        lock: ``threading.Lock`` guarding shared state (presumably ``events``;
            confirm in the methods that append).
        session: ``etw.ETW`` subscribed to Microsoft-Windows-RPC at
            TRACE_LEVEL_VERBOSE with every keyword bit set (``0xffff...``), so
            the event volume is presumably high once started. Nothing in this
            method calls ``start()``.
    """
    self.config = RpcServersConfig.load('rpc_servers.json')
    self.events = []
    self.lock = threading.Lock()
    rpc_provider = etw.ProviderInfo(
        name='Microsoft-Windows-RPC',
        guid=etw.GUID("{6ad52b32-d609-4be9-ae07-ce8dae937e39}"),
        level=etw.evntrace.TRACE_LEVEL_VERBOSE,
        any_keywords=0xffffffffffffffff,
    )
    self.session = etw.ETW(providers=[rpc_provider], event_callback=self.etw_callback)
def __init__(self, event_callback, session_name='PSRP_monitor', include_pids=None):
    """Subscribe to Microsoft-Windows-PowerShell and defer the rest to the base class.

    Args:
        event_callback: Forwarded unchanged as the base class's first positional argument.
        session_name: ETW session name, default ``'PSRP_monitor'``.
        include_pids: Forwarded unchanged; presumably a PID allow-list (base class not shown).

    The provider is registered at level 5 with ``any_keywords`` set to
    ``0x4000000000000008 | 0x4000000000000100``; the meaning of those bits is
    not documented here, so check the provider manifest before changing them.
    NOTE(review): the WinRM monitor in this listing uses the same default
    session name; starting both with defaults would presumably collide — confirm.
    """
    ps_keywords = 0x4000000000000008 | 0x4000000000000100
    ps_provider = etw.ProviderInfo(
        'Microsoft-Windows-PowerShell',
        etw.GUID('{A0C1853B-5C40-4B15-8766-3CF1C58F985A}'),
        level=5,
        any_keywords=ps_keywords,
    )
    super().__init__(
        event_callback,
        [ps_provider],
        session_name=session_name,
        include_pids=include_pids,
    )
def __init__(self, event_callback, session_name='PSRP_monitor', include_pids=None):
    """Subscribe to Microsoft-Windows-WinRM and defer the rest to the base class.

    Args:
        event_callback: Forwarded unchanged as the base class's first positional argument.
        session_name: ETW session name, default ``'PSRP_monitor'``.
        include_pids: Forwarded unchanged; presumably a PID allow-list (base class not shown).

    The provider is registered at level 4 with ``all_keywords=0x2000000000000005``
    (every listed bit must match, unlike ``any_keywords``); the bit meanings are
    not documented here, so check the provider manifest before changing them.
    NOTE(review): the PowerShell monitor in this listing uses the same default
    session name; starting both with defaults would presumably collide — confirm.
    """
    winrm_provider = etw.ProviderInfo(
        'Microsoft-Windows-WinRM',
        etw.GUID('{A7975C8F-AC13-49F1-87DA-5A984A4AB417}'),
        level=4,
        all_keywords=0x2000000000000005,
    )
    super().__init__(
        event_callback,
        [winrm_provider],
        session_name=session_name,
        include_pids=include_pids,
    )
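def some_func():
    """Capture events from one placeholder provider for five seconds, then stop.

    ``job.stop()`` runs in a ``finally`` so the trace session is torn down even
    when the wait is interrupted (e.g. Ctrl-C during ``time.sleep``); the
    original start/sleep/stop sequence left the session running in that case,
    and an ETW session that is not stopped can outlive the Python process.
    """
    # define capture provider info
    providers = [
        etw.ProviderInfo('Some Provider', etw.GUID("{11111111-1111-1111-1111-111111111111}"))
    ]
    # create instance of ETW class
    job = etw.ETW(providers=providers, event_callback=lambda x: print(x))
    # start capture
    job.start()
    try:
        # wait some time
        time.sleep(5)
    finally:
        # stop capture, also on interrupt
        job.stop()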
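def main_function():
    """Monitor process-start events from Microsoft-Windows-Kernel-Process until Ctrl-C.

    Every event passing the ``PROCESSSTART`` task filter is handed to
    ``get_me_my_parent``. The wait loop sleeps instead of spinning — the
    original ``while True: pass`` pinned a CPU core for the whole run — and
    ``job.stop()`` is in a ``finally`` so the session is stopped on any exit,
    not only on KeyboardInterrupt.
    """
    import time  # function-scope: keeps this snippet self-contained

    # define capture provider info
    providers = [etw.ProviderInfo('Microsoft-Windows-Kernel-Process',
                                  etw.GUID("{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}"))]
    # create instance of ETW class; the callback is passed directly, no lambda needed
    job = etw.ETW(providers=providers,
                  event_callback=get_me_my_parent,
                  task_name_filters="PROCESSSTART")
    # start capture
    job.start()
    try:
        while True:
            time.sleep(1)  # idle wait; events arrive via the callback
    except KeyboardInterrupt:
        pass
    finally:
        job.stop()
        print("ETW monitoring stopped.")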
def __init__(self, event_callback):
    """Register one fixed placeholder provider and delegate to the base class.

    Args:
        event_callback: Forwarded unchanged to the base ``__init__`` as ``event_callback``.
    """
    # define capture provider info
    provider_guid = etw.GUID("{11111111-1111-1111-1111-111111111111}")
    provider_list = [etw.ProviderInfo('Some Provider', provider_guid)]
    super().__init__(providers=provider_list, event_callback=event_callback)