EVENT_HEADER_FLAG_CLASSIC_HEADER=0x0100, EVENT_HEADER_FLAG_PROCESSOR_INDEX=0x0200)

# EVENT_HEADER.EventProperty bits, decoded as a 16-bit little-endian flags word.
EventHeaderPropertyFlag = FlagsEnum(
    Int16ul,
    EVENT_HEADER_PROPERTY_XML=0x0001,
    EVENT_HEADER_PROPERTY_FORWARDED_XML=0x0002,
    EVENT_HEADER_PROPERTY_LEGACY_EVENTLOG=0x0004,
    EVENT_HEADER_PROPERTY_RELOGGABLE=0x0008)

# Follows the layout of the Windows EVENT_DESCRIPTOR structure (field names keep
# the SDK's casing, unlike the snake_case used by the other structs in this
# file): which event of a provider this is (Id/Version) and how it was
# classified when logged (Channel/Level/Opcode/Task/Keyword).
EventDescriptor = Struct(
    "Id" / Int16ul,
    "Version" / Int8ul,
    "Channel" / Int8ul,
    "Level" / Int8ul,
    "Opcode" / Int8ul,
    "Task" / Int16ul,
    "Keyword" / Int64ul)

# Header of a full event record, matching the Windows EVENT_HEADER layout after
# the size/header-type words.  `marker` is decoded by wmi_trace_marker (defined
# in etl.wmi, outside this block) — presumably it consumes those leading words;
# confirm there.
EventHeader = Struct(
    "marker" / wmi_trace_marker(EventHeaderType),
    "flags" / EventHeaderFlag,
    "event_property" / EventHeaderPropertyFlag,
    "thread_id" / Int32ul,
    "process_id" / Int32ul,
    "timestamp" / Int64ul,
    "provider_id" / Guid,
    "event_descriptor" / EventDescriptor,
    "processor_time" / Int64ul,
    "activity_id" / Guid)

# One extended-data item attached to an event record.  `data_item` is sized by
# the record's own `data_size` field, i.e. a length taken straight from the
# input (attacker-controlled for an untrusted .etl).  The 16-bit field bounds
# the read to 64 KiB, and construct raises on a short stream instead of
# returning a truncated buffer.
EventHeaderExtendedDataItem = Struct(
    "reserved1" / Int16ul,
    "ext_type" / Int16ul,
    "reserved2" / Int16ul,
    "data_size" / Int16ul,
    "data_item" / Bytes(lambda this: this.data_size))

# Full event record; AlignedStruct pads each field to an 8-byte boundary.
# `mark1` captures the stream offset at which the record starts, and
# `extended_data` is only present when the header's EXTENDED_INFO flag is set.
# The definition continues past the end of this view.
EventRecord = AlignedStruct(
    8,
    "mark1" / Computed(lambda this: this._io.tell()),
    "event_header" / EventHeader,
    "extended_data" / If(
        lambda this: this.event_header.flags.EVENT_HEADER_FLAG_EXTENDED_INFO,
"""
Basic trace-level metadata: an event type and level byte plus a 16-bit version word.
"""
TraceClass = Struct(
    "type" / Int8ul,
    "level" / Int8ul,
    "version" / Int16ul
)

"""
Header of an event trace.

Carries the sender information that makes a record useful — process id,
thread id and the provider GUID — and is the base of every ETW trace record.
`marker` is decoded by wmi_trace_marker, defined in etl.wmi outside this block.
"""
TraceHeader = Struct(
    "marker" / wmi_trace_marker(TraceHeaderType),
    "class" / TraceClass,
    "thread_id" / Int32ul,
    "process_id" / Int32ul,
    "timestamp" / Int64ul,
    "guid" / Guid,
    "processor_time" / Int64ul
)

"""
A trace record: header followed by body, each field padded to an 8-byte
boundary by AlignedStruct.  `mark1` captures the stream offset where the
record starts.

Per the original author, the header's `version` field is what actually records
the trace size (the consumer of that size is outside this view).
This definition continues past the end of this view.
"""
TraceRecord = AlignedStruct(8,
    "mark1" / Computed(lambda this: this._io.tell()),
    "event_header" / TraceHeader,
It is used by the kernel logger to send events in a form more concise than the
system trace format, but with the event timestamp added.  It is an event-driven
log that omits some of the metadata the other formats carry.
"""
from construct import Struct, Enum, Int64ul, Bytes, Int8ul, Container
from etl.parsers.kernel.core import Mof, build_mof
from etl.wmi import WmiTracePacket, wmi_trace_marker

# Marker byte identifying a PerfInfo record and the pointer width it was logged with.
PerfInfoTraceMarker = Enum(Int8ul, PERFINFO_TRACE_MARKER_32=0x10, PERFINFO_TRACE_MARKER_64=0x11)

# Layout of one PerfInfo record.  `mof_data` is sized from the record's own
# `header.size`, i.e. a length read from the input; the constant 16 presumably
# accounts for the bytes preceding mof_data (WmiTracePacket is defined in
# etl.wmi — confirm its size there).  A size below 16, from a truncated or
# hostile file, yields a negative length, which construct should reject
# rather than read.
PerfInfoTraceRecord = Struct(
    "marker" / wmi_trace_marker(PerfInfoTraceMarker),
    "header" / WmiTracePacket,
    "timestamp" / Int64ul,
    "mof_data" / Bytes(lambda this: this.header.size - 16))


class PerfInfo:
    """
    A PerfInfo log record from the Windows kernel.

    Wraps the parsed record container; the accessors read from it.
    The class body continues past the end of this view.
    """

    def __init__(self, source: Container):
        # presumably the Container produced by PerfInfoTraceRecord.parse —
        # the caller is outside this view, confirm there
        self.source = source

    def get_timestamp(self) -> int:
        """
        :return: Timestamp associated with this event
        """
from etl.wmi import wmi_trace_marker, WmiTracePacket

# Marker byte the parser uses to decide that the current trace is a system
# trace.  The 32/64 suffix gives the pointer width; the COMPACT variants
# describe a shorter header without the kernel/user time fields.
SystemTraceMarker = Enum(
    Int8ul,
    SYSTEM_TRACE_MARKER_32=0x01,
    SYSTEM_TRACE_MARKER_64=0x02,
    COMPACT_TRACE_MARKER_32=0x03,
    COMPACT_TRACE_MARKER_64=0x04,
)


def _has_cpu_times(this) -> bool:
    """Return True when the decoded marker selects the full (non-compact) header.

    Only the full header layout carries the kernel/user time words.  Reads the
    marker decoded by wmi_trace_marker (defined in etl.wmi) and assumes it
    exposes ``.type.enum``.
    """
    full_header_markers = (
        SystemTraceMarker.SYSTEM_TRACE_MARKER_32,
        SystemTraceMarker.SYSTEM_TRACE_MARKER_64,
    )
    return this.marker.type.enum in full_header_markers


# Header of a system trace record.  `start_mark` captures the stream offset at
# entry and `sizeof` the number of header bytes consumed, so the record body
# can be sized from the packet's size field below.
SystemTraceHeader = Struct(
    "start_mark" / Computed(lambda this: this._io.tell()),
    "marker" / wmi_trace_marker(SystemTraceMarker),
    "header" / WmiTracePacket,
    "thread_id" / Int32ul,
    "process_id" / Int32ul,
    "system_time" / Int64ul,
    # Present only for the non-compact markers; LazyBound kept as in the
    # original definition.
    "kernel_time" / If(_has_cpu_times, LazyBound(lambda: Int32ul)),
    "user_time" / If(_has_cpu_times, LazyBound(lambda: Int32ul)),
    "sizeof" / Computed(lambda this: this._io.tell() - this.start_mark),
)

# A system trace record: header plus its MOF payload.  The payload length is
# the packet's own size field minus the header bytes consumed, i.e. a length
# taken from the input; a size field smaller than the header (truncated or
# hostile file) gives a negative length, which construct should reject rather
# than read.
SystemTraceRecord = Struct(
    "system_header" / SystemTraceHeader,
    "mof_data" / Bytes(
        lambda this: this.system_header.header.size - this.system_header.sizeof
    ),
)