                            EVENT_HEADER_FLAG_CLASSIC_HEADER=0x0100,
                            EVENT_HEADER_FLAG_PROCESSOR_INDEX=0x0200)

# Property bits of an event header (EventHeader.event_property), stored as a
# 16-bit little-endian mask. Member names are kept identical to the
# EVENT_HEADER_PROPERTY_* constants so callers can test them by name.
EventHeaderPropertyFlag = FlagsEnum(
    Int16ul,
    EVENT_HEADER_PROPERTY_XML=0x0001,              # bit 0
    EVENT_HEADER_PROPERTY_FORWARDED_XML=0x0002,    # bit 1
    EVENT_HEADER_PROPERTY_LEGACY_EVENTLOG=0x0004,  # bit 2
    EVENT_HEADER_PROPERTY_RELOGGABLE=0x0008,       # bit 3
)

# Event descriptor embedded in EventHeader: 16 bytes of fixed-width fields
# (2 + 1 + 1 + 1 + 1 + 2 + 8), no padding in the on-disk layout.
EventDescriptor = Struct(
    "Id" / Int16ul,       # 2 bytes
    "Version" / Int8ul,   # 1 byte
    "Channel" / Int8ul,   # 1 byte
    "Level" / Int8ul,     # 1 byte
    "Opcode" / Int8ul,    # 1 byte
    "Task" / Int16ul,     # 2 bytes
    "Keyword" / Int64ul,  # 8 bytes
)

# Header of a single event record. `flags` is what EventRecord consults
# (EVENT_HEADER_FLAG_EXTENDED_INFO) to decide whether extended data items
# follow the header, so it is the field that steers further parsing of
# file-controlled input.
EventHeader = Struct(
    "marker" / wmi_trace_marker(EventHeaderType),  # trace marker typed by EventHeaderType
    "flags" / EventHeaderFlag,                      # EVENT_HEADER_FLAG_* bit mask
    "event_property" / EventHeaderPropertyFlag,     # EVENT_HEADER_PROPERTY_* bit mask
    "thread_id" / Int32ul,                          # emitting thread
    "process_id" / Int32ul,                         # emitting process
    "timestamp" / Int64ul,                          # units not established here
    "provider_id" / Guid,                           # provider GUID
    "event_descriptor" / EventDescriptor,           # 16-byte descriptor
    "processor_time" / Int64ul,                     # units not established here
    "activity_id" / Guid,                           # activity GUID
)

# One item of the extended-data area that may follow an EventHeader.
# `data_size` is read from the file and bounds `data_item`; as a 16-bit field
# it can never request more than 65535 bytes, and construct's Bytes is
# expected to raise on a short stream rather than hand back a truncated
# buffer, so a crafted length fails loudly instead of silently.
EventHeaderExtendedDataItem = Struct(
    "reserved1" / Int16ul,
    "ext_type" / Int16ul,   # extended-data type tag; not interpreted by this struct
    "reserved2" / Int16ul,
    "data_size" / Int16ul,  # length of data_item, in bytes
    "data_item" / Bytes(lambda this: this.data_size),
)

EventRecord = AlignedStruct(
    8, "mark1" / Computed(lambda this: this._io.tell()),
    "event_header" / EventHeader, "extended_data" / If(
        lambda this: this.event_header.flags.EVENT_HEADER_FLAG_EXTENDED_INFO,
"""
Trace-level metadata: type, level and version.
"""
# Class prefix of a trace header: type, level and version, 4 bytes in total.
# Per the TraceRecord note below, `version` is repurposed to carry the trace size.
TraceClass = Struct(
    "type" / Int8ul,      # 1 byte
    "level" / Int8ul,     # 1 byte
    "version" / Int16ul,  # 2 bytes, little-endian
)

"""
Header of an event trace.
Carries sender information — process id, thread id and the GUID — and is
the base of every ETW trace.
"""
# Header shared by the trace records of this format. After the marker and the
# class prefix it records who emitted the trace (thread/process id, GUID),
# a timestamp and a processor_time counter (units not established here).
TraceHeader = Struct(
    "marker" / wmi_trace_marker(TraceHeaderType),  # trace marker typed by TraceHeaderType
    "class" / TraceClass,                          # type / level / version prefix
    "thread_id" / Int32ul,                         # 4 bytes
    "process_id" / Int32ul,                        # 4 bytes
    "timestamp" / Int64ul,                         # 8 bytes
    "guid" / Guid,                                 # sender GUID
    "processor_time" / Int64ul,                    # 8 bytes
)

"""
A trace record: a header followed by a body.
Note that the header's version field is actually used to record the trace size.
"""
TraceRecord = AlignedStruct(8,
    "mark1" / Computed(lambda this: this._io.tell()),
    "event_header" / TraceHeader,
It is used by the kernel logger to send events in a more concise form than the
system trace format, but with the event's timestamp added.
It is an event-driven log that omits some of the metadata.
"""

from construct import Bytes, Check, Container, Enum, Int64ul, Int8ul, Struct

from etl.parsers.kernel.core import Mof, build_mof
from etl.wmi import WmiTracePacket, wmi_trace_marker

# Marker type values (8-bit) identifying a PerfInfo record; the _32/_64
# suffix presumably distinguishes pointer width of the logging host — not
# established here.
PerfInfoTraceMarker = Enum(
    Int8ul,
    PERFINFO_TRACE_MARKER_32=0x10,  # 32-bit variant
    PERFINFO_TRACE_MARKER_64=0x11,  # 64-bit variant
)

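# Number of bytes consumed by the fixed fields that precede mof_data
# (marker, header, timestamp). The value is the original hard-coded 16.
# NOTE(review): confirm it against the marker / WmiTracePacket layouts in etl.wmi.
_PERFINFO_PREFIX_SIZE = 16

# One PerfInfo record: the fixed prefix plus a MOF payload whose length is
# derived from header.size, i.e. from the file being parsed.
PerfInfoTraceRecord = Struct(
    "marker" / wmi_trace_marker(PerfInfoTraceMarker),
    "header" / WmiTracePacket,
    "timestamp" / Int64ul,
    # header.size is untrusted input. Reject a value smaller than the fixed
    # prefix before it can turn into a negative Bytes length; failure surfaces
    # as CheckError. The subcon is unnamed so the parsed Container is unchanged.
    Check(lambda this: this.header.size >= _PERFINFO_PREFIX_SIZE),
    "mof_data" / Bytes(lambda this: this.header.size - _PERFINFO_PREFIX_SIZE),
)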


class PerfInfo:
    """
    A PerfInfo log from Windows Kernel
    """
    def __init__(self, source: Container) -> None:
        """
        Wrap a parsed PerfInfo record.

        :param source: construct Container produced by parsing a record; it is
            stored as-is and presumably read by the accessors (e.g. get_timestamp).
        """
        self.source = source

    def get_timestamp(self) -> int:
        """
        :return: Timestamp associated with this event
        """
from etl.wmi import wmi_trace_marker, WmiTracePacket

"""
Marker used by the parser to determine whether the current trace is a system trace.
"""
# Marker type values (8-bit) identifying a system trace record. The SYSTEM_*
# layouts carry kernel/user CPU times in the header, the COMPACT_* layouts
# omit them (see SystemTraceHeader). The _32/_64 suffix presumably
# distinguishes pointer width of the logging host — not established here.
SystemTraceMarker = Enum(
    Int8ul,
    SYSTEM_TRACE_MARKER_32=0x01,   # full header, 32-bit
    SYSTEM_TRACE_MARKER_64=0x02,   # full header, 64-bit
    COMPACT_TRACE_MARKER_32=0x03,  # compact header, 32-bit
    COMPACT_TRACE_MARKER_64=0x04,  # compact header, 64-bit
)

def _is_full_system_marker(this) -> bool:
    """
    Return True when the record uses the non-compact system trace layout,
    which carries the kernel_time/user_time pair after system_time.
    """
    full_layouts = [
        SystemTraceMarker.SYSTEM_TRACE_MARKER_32,
        SystemTraceMarker.SYSTEM_TRACE_MARKER_64,
    ]
    return this.marker.type.enum in full_layouts


# Header common to every system trace record. `sizeof` is measured from the
# stream position rather than hard-coded because the two optional CPU-time
# fields make the header length depend on the marker type; SystemTraceRecord
# relies on it to size the payload.
SystemTraceHeader = Struct(
    "start_mark" / Computed(lambda this: this._io.tell()),
    "marker" / wmi_trace_marker(SystemTraceMarker),
    "header" / WmiTracePacket,
    "thread_id" / Int32ul,
    "process_id" / Int32ul,
    "system_time" / Int64ul,
    # LazyBound is kept from the original; it only defers the Int32ul
    # reference and is not needed for recursion here.
    "kernel_time" / If(_is_full_system_marker, LazyBound(lambda: Int32ul)),
    "user_time" / If(_is_full_system_marker, LazyBound(lambda: Int32ul)),
    "sizeof" / Computed(lambda this: this._io.tell() - this.start_mark),
)


# A complete system trace record: the variable-length header followed by the
# MOF payload. The payload length is whatever `header.size` (read from the
# file) leaves after the bytes the header actually consumed.
# NOTE(review): header.size is attacker-controlled; a value smaller than the
# measured header size yields a negative Bytes length. Recent construct
# releases are expected to reject that with StreamError, but an explicit
# Check in front of mof_data would make the failure unambiguous — confirm
# against the pinned construct version.
SystemTraceRecord = Struct(
    "system_header" / SystemTraceHeader,
    "mof_data" / Bytes(
        lambda this: this.system_header.header.size - this.system_header.sizeof
    ),
)