예제 #1
0
    def test_etw_multi_providers_bitmask(self):
        """
        Tests the etw capture class using multiple providers

        :return: None
        """

        # Instantiate an ETW object
        capture = etw.ETW(
            {'Microsoft-Windows-PowerShell': GUID("{A0C1853B-5C40-4B15-8766-3CF1C58F985A}")},
            any_keywords=['Runspace'],
            all_keywords=['Pipeline'])

        assert(capture.guids['Microsoft-Windows-PowerShell'][1] == 0x0000000000000001)
        assert(capture.guids['Microsoft-Windows-PowerShell'][2] == 0x0000000000000002)

        # add provider
        capture.add_provider(
            {'Microsoft-Windows-WMI-Activity': GUID("{1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}")},
            any_keywords=['Microsoft-Windows-WMI-Activity/Trace'],
            all_keywords=['Microsoft-Windows-WMI-Activity/Operational'])

        assert(capture.guids['Microsoft-Windows-WMI-Activity'][1] == 0x8000000000000000)
        assert(capture.guids['Microsoft-Windows-WMI-Activity'][2] == 0x4000000000000000)

        return
예제 #2
0
    def test_etw_multi_providers_bitmask(self):
        """
        Tests the etw capture class using multiple providers

        :return: None
        """

        # Instantiate an ProviderInfo object
        provider = ProviderInfo('Microsoft-Windows-Kernel-Process',
                                GUID("{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}"),
                                any_keywords=['WINEVENT_KEYWORD_PROCESS'],
                                all_keywords=['WINEVENT_KEYWORD_THREAD'])

        assert (provider.any_bitmask == 0x0000000000000010)
        assert (provider.all_bitmask == 0x0000000000000020)

        # add provider
        provider = ProviderInfo('Microsoft-Windows-WinINet',
                                GUID("{43D1A55C-76D6-4F7E-995C-64C711E5CAFE}"),
                                any_keywords=['WININET_KEYWORD_HANDLES'],
                                all_keywords=['WININET_KEYWORD_HTTP'])

        assert (provider.any_bitmask == 0x0000000000000001)
        assert (provider.all_bitmask == 0x0000000000000002)

        return
예제 #3
0
    def test_etw_capture_multi_providers(self):
        """
        Tests the etw capture class using multiple providers

        :return: None
        """

        if self.skip_tests:
            self.skipTest('PowerShell version must be greater than 2')

        # Instantiate an ETW object
        capture = etw.ETW({'Microsoft-Windows-PowerShell': GUID("{A0C1853B-5C40-4B15-8766-3CF1C58F985A}")})

        # add provider
        capture.add_provider({'Microsoft-Windows-WMI-Activity': GUID("{1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}")})

        capture.start(lambda event_tufo: self.event_tufo_list.append(event_tufo), None)

        # start powershell
        args = ['powershell']
        p = sp.Popen(args, stdout=sp.DEVNULL, stderr=sp.DEVNULL)
        time.sleep(5)
        p.kill()

        # do wmi query
        w = wmi.WMI()
        w.init()
        w.connect('root\\cimv2')
        enum = w.do_query('SELECT * FROM Win32_Process')
        enum.vtbl.Release(enum.this)
        w.fini()

        # Stop the ETW instance
        capture.stop()

        # check for powershell capture
        event = self.find_event('POWERSHELL CONSOLE STARTUP')
        self.assertTrue(event)
        event = self.trim_fields(event)

        # This event should have 1 field
        self.assertEqual(len(event), 1)

        # check capture
        events = self.find_all_events('MICROSOFT-WINDOWS-WMI-ACTIVITY')
        found = False
        for event in events:
            try:
                if 'SELECT * FROM Win32_Process' in str(event['Operation']):
                    found = True
                    break
            except:
                pass

        self.assertTrue(found)
        self.event_tufo = []

        return
예제 #4
0
    def __init__(self,
                 ring_buf_size=1024,
                 max_str_len=1024,
                 min_buffers=0,
                 max_buffers=0,
                 level=et.TRACE_LEVEL_INFORMATION,
                 any_keywords=None,
                 all_keywords=None,
                 filters=None,
                 event_callback=None,
                 logfile=None,
                 no_conout=False):
        """
        Initializes an instance of RDPETW. The default parameters represent a very typical use case and should not be
        overridden unless the user knows what they are doing.

        :param ring_buf_size: The size of the ring buffer used for capturing events.
        :param max_str_len: The maximum length of the strings the proceed the structure.
                            Unless you know what you are doing, do not modify this value.
        :param min_buffers: The minimum number of buffers for an event tracing session.
                            Unless you know what you are doing, do not modify this value.
        :param max_buffers: The maximum number of buffers for an event tracing session.
                            Unless you know what you are doing, do not modify this value.
        :param level: Logging level
        :param any_keywords: List of keywords to match
        :param all_keywords: List of keywords that all must match
        :param filters: List of filters to apply to capture.
        :param event_callback: Callback for processing events
        :param logfile: Path to logfile.
        :param no_conout: If true does not output live capture to console.
        """

        self.logfile = logfile
        self.no_conout = no_conout
        if event_callback:
            self.event_callback = event_callback
        else:
            self.event_callback = self.on_event

        providers = [
            ProviderInfo(
                'Microsoft-Windows-TerminalServices-RemoteConnectionManager',
                GUID("{C76BAA63-AE81-421C-B425-340B4B24157F}"), level,
                any_keywords, all_keywords),
            ProviderInfo(
                'Microsoft-Windows-TerminalServices-LocalSessionManager',
                GUID("{5D896912-022D-40AA-A3A8-4FA5515C76D7}"), level,
                any_keywords, all_keywords)
        ]

        super().__init__(ring_buf_size=ring_buf_size,
                         max_str_len=max_str_len,
                         min_buffers=min_buffers,
                         max_buffers=max_buffers,
                         event_callback=self.event_callback,
                         task_name_filters=filters,
                         providers=providers)
예제 #5
0
    def __init__(self,
                 ring_buf_size=1024,
                 max_str_len=1024,
                 min_buffers=0,
                 max_buffers=0,
                 level=et.TRACE_LEVEL_INFORMATION,
                 any_keywords=None,
                 all_keywords=None,
                 filters=None,
                 event_callback=None,
                 logfile=None,
                 no_conout=False):
        """
        Initializes an instance of INETETW. The default parameters represent a very typical use case and should not be
        overridden unless the user knows what they are doing.

        :param ring_buf_size: The size of the ring buffer used for capturing events.
        :param max_str_len: The maximum length of the strings the proceed the structure.
                            Unless you know what you are doing, do not modify this value.
        :param min_buffers: The minimum number of buffers for an event tracing session.
                            Unless you know what you are doing, do not modify this value.
        :param max_buffers: The maximum number of buffers for an event tracing session.
                            Unless you know what you are doing, do not modify this value.
        :param level: Logging level
        :param any_keywords: List of keywords to match
        :param all_keywords: List of keywords that all must match
        :param filters: List of filters to apply to capture.
        :param event_callback: Callback for processing events
        :param logfile: Path to logfile.
        :param no_conout: If true does not output live capture to console.
        """

        self.logfile = logfile
        self.no_conout = no_conout
        if event_callback:
            self.event_callback = event_callback
        else:
            self.event_callback = self.on_event

        providers = [
            ProviderInfo('Microsoft-Windows-WinINet',
                         GUID("{43D1A55C-76D6-4F7E-995C-64C711E5CAFE}"), level,
                         any_keywords, all_keywords),
            ProviderInfo('Microsoft-Windows-WinINet-Capture',
                         GUID("{A70FF94F-570B-4979-BA5C-E59C9FEAB61B}"), level,
                         any_keywords, all_keywords)
        ]

        super().__init__(ring_buf_size=ring_buf_size,
                         max_str_len=max_str_len,
                         min_buffers=min_buffers,
                         max_buffers=max_buffers,
                         event_callback=self.event_callback,
                         task_name_filters=filters,
                         providers=providers)
예제 #6
0
파일: com.py 프로젝트: jymcheong/pywintrace
    def create_instance(self, clsid, type, iid):

        if self.initialized is False:
            raise ComException('COM must be initialized before calling CoCreateInstance()')

        ptr = ct.c_void_p(0)
        error = ct.windll.ole32.CoCreateInstance(ct.byref(GUID(clsid)),
                                                 None,
                                                 type,
                                                 ct.byref(GUID(iid)),
                                                 ct.byref(ptr))
        if error != tdh.ERROR_SUCCESS:
            raise ct.WinError()
        return ptr
예제 #7
0
    def test_etw_eq(self):
        """
        Test container classes comparision

        :return: None
        """

        params = et.ENABLE_TRACE_PARAMETERS()
        params.Version = 1
        other_params = et.ENABLE_TRACE_PARAMETERS()
        other_params.Version = 1

        provider = ProviderInfo('Microsoft-Windows-Kernel-Process',
                                GUID("{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}"),
                                any_keywords=['WINEVENT_KEYWORD_PROCESS'],
                                params=ct.pointer(params))

        other_provider = ProviderInfo(
            'Microsoft-Windows-Kernel-Process',
            GUID("{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}"),
            any_keywords=['WINEVENT_KEYWORD_PROCESS'],
            params=ct.pointer(other_params))
        self.assertEqual(provider, other_provider)
        other_params.Version = 2
        self.assertNotEqual(provider, other_provider)
        event_id_list = [54]
        event_filter = ep.EVENT_FILTER_EVENT_ID(common.TRUE,
                                                event_id_list).get()
        event_filters = [
            ep.EVENT_FILTER_DESCRIPTOR(
                ct.addressof(event_filter.contents),
                ct.sizeof(event_filter.contents) +
                ct.sizeof(wt.USHORT) * len(event_id_list),
                ep.EVENT_FILTER_TYPE_EVENT_ID)
        ]
        properties = ProviderParameters(0, event_filters)
        other_properties = ProviderParameters(0, event_filters)
        self.assertEqual(properties, other_properties)

        other_properties.get().contents.Version = 1
        self.assertNotEqual(properties, other_properties)

        params = TraceProperties(1024, 1024, 0, 10)
        other_params = TraceProperties(1024, 1024, 0, 10)
        self.assertEqual(params, other_params)
        other_params.get().contents.BufferSize = 1025

        self.assertNotEqual(params, other_params)

        return
예제 #8
0
    def test_etw_capture_multi_providers(self):
        """
        Tests the etw capture class using multiple providers

        :return: None
        """

        # Instantiate an ETW object
        providers = [
            ProviderInfo('Microsoft-Windows-WinINet',
                         GUID("{43D1A55C-76D6-4F7E-995C-64C711E5CAFE}")),
            ProviderInfo('Microsoft-Windows-Kernel-Process',
                         GUID("{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}"))
        ]

        capture = ETW(providers=providers,
                      event_callback=lambda event_tufo: self.event_tufo_list.
                      append(event_tufo))

        capture.start()

        # start ping
        args = ['ping.exe']
        p = sp.Popen(args, stdout=sp.DEVNULL, stderr=sp.DEVNULL)
        time.sleep(5)
        p.kill()

        self.makeRequest()

        # Stop the ETW instance
        capture.stop()

        # check for process start
        event = self.find_event('PROCESSSTART')
        self.assertTrue(event)
        event = self.trim_fields(event)

        # This event should have 6 fields
        self.assertEqual(len(event), 6)

        event = self.find_event('WININET_READDATA')
        self.assertTrue(event)
        event = self.trim_fields(event)

        # This event should have 3 fields
        self.assertEqual(len(event), 3)

        self.event_tufo = []

        return
예제 #9
0
    def test_etw_nt_logger(self):
        """
        Tests to ensure nt kernel logger capture works properly

        :return: None
        """

        capture = ETW(
            session_name='NT Kernel Logger',
            providers=[
                ProviderInfo('Windows Kernel Trace',
                             GUID("{9E814AAD-3204-11D2-9A82-006008A86939}"),
                             any_keywords=['process'])
            ],
            event_callback=lambda event_tufo: self.event_tufo_list.append(
                event_tufo))
        capture.start()

        # start ping.exe
        args = ['ping.exe']
        p = sp.Popen(args, stdout=sp.DEVNULL, stderr=sp.DEVNULL)
        time.sleep(2)
        p.kill()
        capture.stop()

        event = self.find_event('PROCESS')
        self.assertTrue(event)
        event = self.trim_fields(event)

        # This event should have 10 fields
        self.assertEqual(len(event), 10)
        self.event_tufo = []
        return
예제 #10
0
    def test_etw_capture(self):
        """
        Tests the etw capture

        :return: None
        """

        # Instantiate an ETW object
        capture = ETW(providers=[
            ProviderInfo('Microsoft-Windows-WinINet',
                         GUID("{43D1A55C-76D6-4F7E-995C-64C711E5CAFE}"))
        ],
                      event_callback=lambda event_tufo: self.event_tufo_list.
                      append(event_tufo))
        capture.start()

        self.makeRequest()

        # Ensure that we have a chance for all the events to come back
        time.sleep(5)

        # Stop the ETW instance
        capture.stop()
        event = self.find_event('WININET_READDATA')
        self.assertTrue(event)
        event = self.trim_fields(event)

        # This event should have 3 fields
        self.assertEqual(len(event), 3)
        self.event_tufo = []

        return
예제 #11
0
    def __init__(self,
                 ring_buf_size=1024,
                 max_str_len=1024,
                 min_buffers=0,
                 max_buffers=0,
                 level=et.TRACE_LEVEL_INFORMATION,
                 any_keywords=None,
                 all_keywords=None):
        """
        Initializes an instance of PROCETW. The default parameters represent a very typical use case and should not be
        overridden unless the user knows what they are doing.

        :param ring_buf_size: The size of the ring buffer used for capturing events.
        :param max_str_len: The maximum length of the strings the proceed the structure.
                            Unless you know what you are doing, do not modify this value.
        :param min_buffers: The minimum number of buffers for an event tracing session.
                            Unless you know what you are doing, do not modify this value.
        :param max_buffers: The maximum number of buffers for an event tracing session.
                            Unless you know what you are doing, do not modify this value.
        :param level: Logging level
        :param any_keywords: List of keywords to match
        :param all_keywords: List of keywords that all must match
        """
        guid = {
            'Microsoft-Windows-Kernel-Process':
            GUID("{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}")
        }

        super().__init__(guid, ring_buf_size, max_str_len, min_buffers,
                         max_buffers, level, any_keywords, all_keywords)
예제 #12
0
    def test_etw_capture(self):
        """
        Tests the etw capture

        :return: None
        """

        if self.skip_tests:
            self.skipTest('PowerShell version must be greater than 2')

        # Instantiate an ETW object
        capture = etw.ETW({'Microsoft-Windows-PowerShell': GUID("{A0C1853B-5C40-4B15-8766-3CF1C58F985A}")})
        capture.start(lambda event_tufo: self.event_tufo_list.append(event_tufo), None)

        # start powershell
        args = ['powershell']
        p = sp.Popen(args, stdout=sp.DEVNULL, stderr=sp.DEVNULL)
        time.sleep(5)
        p.kill()

        # Stop the ETW instance
        capture.stop()
        event = self.find_event('POWERSHELL CONSOLE STARTUP')
        self.assertTrue(event)
        event = self.trim_fields(event)

        # This event should have 1 field
        self.assertEqual(len(event), 1)
        self.event_tufo = []

        return
예제 #13
0
    def test_etw_callback_wait(self):
        """
        Tests the etw capture wait time

        :return: None
        """

        # Instantiate an ETW object
        capture = ETW(providers=[
            ProviderInfo('Microsoft-Windows-Kernel-Process',
                         GUID("{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}"))
        ],
                      event_callback=lambda event_tufo: self.event_tufo_list.
                      append(event_tufo),
                      callback_wait_time=0.0025)
        capture.start()
        # start ping
        args = ['ping.exe']
        p = sp.Popen(args, stdout=sp.DEVNULL, stderr=sp.DEVNULL)
        time.sleep(5)
        p.kill()

        # Stop the ETW instance
        capture.stop()

        # check for process start
        event = self.find_event('PROCESSSTART')
        self.assertTrue(event)
        event = self.trim_fields(event)

        # This event should have 6 fields
        self.assertEqual(len(event), 6)
        self.event_tufo = []

        return
예제 #14
0
    def test_etw_get_keywords_bitmask(self):
        """
        Tests to ensure the correct bitmask is found for the provider (Windows Kernel Trace)

        :return: None
        """

        assert(etw.get_keywords_bitmask(
            GUID('{9E814AAD-3204-11D2-9A82-006008A86939}'),
            ['process']) == 0x0000000000000001)

        return
예제 #15
0
    def __init__(
            self,
            ring_buf_size=1024,
            max_str_len=1024,
            min_buffers=0,
            max_buffers=0,
            level=et.TRACE_LEVEL_INFORMATION,
            any_keywords=None,
            all_keywords=None):
        """
        Initializes an instance of INETETW. The default parameters represent a very typical use case and should not be
        overridden unless the user knows what they are doing.

        :param ring_buf_size: The size of the ring buffer used for capturing events.
        :param max_str_len: The maximum length of the strings the proceed the structure.
                            Unless you know what you are doing, do not modify this value.
        :param min_buffers: The minimum number of buffers for an event tracing session.
                            Unless you know what you are doing, do not modify this value.
        :param max_buffers: The maximum number of buffers for an event tracing session.
                            Unless you know what you are doing, do not modify this value.
        :param level: Logging level
        :param any_keywords: List of keywords to match
        :param all_keywords: List of keywords that all must match
        """
        guid = {'Microsoft-Windows-WinINet': GUID("{43D1A55C-76D6-4F7E-995C-64C711E5CAFE}")}

        super().__init__(
            guid,
            ring_buf_size,
            max_str_len,
            min_buffers,
            max_buffers,
            level,
            any_keywords,
            all_keywords)

        self.add_provider(
            {'Microsoft-Windows-WinINet-Capture': GUID("{A70FF94F-570B-4979-BA5C-E59C9FEAB61B}")},
            any_keywords,
            all_keywords)
예제 #16
0
    def __init__(self,
                 ring_buf_size=1024,
                 max_str_len=1024,
                 min_buffers=0,
                 max_buffers=0,
                 level=et.TRACE_LEVEL_INFORMATION,
                 any_keywords=None,
                 all_keywords=None):
        """
        Initializes an instance of RDPETW. The default parameters represent a very typical use case and should not be
        overridden unless the user knows what they are doing.

        :param ring_buf_size: The size of the ring buffer used for capturing events.
        :param max_str_len: The maximum length of the strings the proceed the structure.
                            Unless you know what you are doing, do not modify this value.
        :param min_buffers: The minimum number of buffers for an event tracing session.
                            Unless you know what you are doing, do not modify this value.
        :param max_buffers: The maximum number of buffers for an event tracing session.
                            Unless you know what you are doing, do not modify this value.
        :param level: Logging level
        :param any_keywords: List of keywords to match
        :param all_keywords: List of keywords that all must match
        """

        guid = {
            'Microsoft-Windows-TerminalServices-RemoteConnectionManager':
            GUID("{C76BAA63-AE81-421C-B425-340B4B24157F}")
        }

        super().__init__(guid, ring_buf_size, max_str_len, min_buffers,
                         max_buffers, level, any_keywords, all_keywords)

        self.add_provider(
            {
                'Microsoft-Windows-TerminalServices-LocalSessionManager':
                GUID("{5D896912-022D-40AA-A3A8-4FA5515C76D7}")
            }, any_keywords, all_keywords)
예제 #17
0
파일: wmi.py 프로젝트: jymcheong/pywintrace
WBEM_FLAG_NO_ERROR_OBJECT = 0x40
WBEM_FLAG_RETURN_ERROR_OBJECT = 0
WBEM_FLAG_SEND_STATUS = 0x80
WBEM_FLAG_DONT_SEND_STATUS = 0
WBEM_FLAG_ENSURE_LOCATABLE = 0x100
WBEM_FLAG_DIRECT_READ = 0x200
WBEM_FLAG_SEND_ONLY_SELECTED = 0
WBEM_RETURN_WHEN_COMPLETE = 0
WBEM_RETURN_IMMEDIATELY = 0x10
WBEM_MASK_RESERVED_FLAGS = 0x1f000
WBEM_FLAG_USE_AMENDED_QUALIFIERS = 0x20000
WBEM_FLAG_STRONG_VALIDATION = 0x10000

HRESULT = wt.LONG

CLSID_WbemLocator = GUID("{4590f811-1d3a-11d0-891f-00aa004b2e24}")
IID_IWbemLocator = GUID("{dc12a687-737f-11cf-884d-00aa004b2e24}")

# generic prototype
Generic_Proto = ct.WINFUNCTYPE(HRESULT, wt.LPVOID)

#            virtual HRESULT STDMETHODCALLTYPE QueryInterface(
#                /* [in] */ REFIID riid,
#                /* [iid_is][out] */ _COM_Outptr_ void __RPC_FAR *__RPC_FAR *ppvObject) = 0;
#
#            virtual ULONG STDMETHODCALLTYPE AddRef( void) = 0;
#
#            virtual ULONG STDMETHODCALLTYPE Release( void) = 0;

# IUnknown method prototypes
IUnknown_QueryInterface_Proto = ct.WINFUNCTYPE(HRESULT, wt.LPVOID,
예제 #18
0
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
########################################################################

import ctypes as ct
import ctypes.wintypes as wt

from etw.GUID import GUID

# This GUID allow us to enable and disable file share auditing
audit_objectaccess_share = GUID("{0cce9224-69ae-11d9-bed3-505054503030}")

POLICY_AUDIT_EVENT_SUCCESS = 0x1
POLICY_AUDIT_EVENT_FAILURE = 0x2
POLICY_AUDIT_EVENT_NONE = 0x4


class AUDIT_POLICY_INFORMATION(ct.Structure):
    _fields_ = [('AuditSubCategoryGuid', GUID),
                ('AuditingInformation', wt.ULONG), ('AuditCategoryGuid', GUID)]


# Function Definitions
AuditSetSystemPolicy = ct.windll.advapi32.AuditSetSystemPolicy
AuditSetSystemPolicy.argtypes = [
    ct.POINTER(AUDIT_POLICY_INFORMATION), wt.ULONG