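def some_func(name, guid):
    """Trace one ETW provider until a local control service says to stop.

    Starts a capture for the provider identified by ``name`` and ``guid``
    (the GUID text *without* surrounding braces; they are added here),
    prints every event to stdout, and every 10 seconds POSTs
    ``[{"Provider": guid}]`` to ``http://127.0.0.1:8093/query``.  A reply
    whose body is exactly ``"no"`` ends the capture; a failed request also
    ends it (``"dead"`` is printed, followed by the reason).

    The session is stopped in a ``finally`` block so the trace is torn down
    on every exit path, including KeyboardInterrupt.  NOTE(review): an ETW
    session that is not stopped can outlive this process and keep running
    until stopped by hand, so never leave ``stop()`` on a conditional path.
    Starting a trace session typically needs elevated privileges; nothing
    here checks for them.

    Args:
        name: Friendly provider name passed to ``etw.ProviderInfo``.
        guid: Provider GUID without braces, e.g.
            ``"11111111-1111-1111-1111-111111111111"``.

    Returns:
        None.
    """
    # define capture provider info "{11111111-1111-1111-1111-111111111111}"
    providers = [etw.ProviderInfo(name, etw.GUID("{" + guid + "}"))]
    # create instance of ETW class; the callback prints each event with
    # single quotes swapped for double quotes so the output reads as JSON-ish
    job = etw.ETW(providers=providers,
                  event_callback=lambda x: print(str(x).replace("'", "\"")))

    url = "http://127.0.0.1:8093/query"
    # The payload never changes, so serialize it once outside the loop.
    payload = json.dumps([{"Provider": guid}])

    # start capture
    job.start()
    try:
        while True:
            try:
                # A bounded timeout keeps an unresponsive control service from
                # blocking this loop -- and the session teardown -- forever.
                r = requests.post(url, data=payload, timeout=30)
                response = r.text
            except Exception as e:
                print("dead")
                print("request failed:", repr(e))
                break

            if response == "no":
                break
            time.sleep(10)
    finally:
        # stop capture on every exit path (normal, error, Ctrl-C)
        job.stop()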
def some_func():
    """Capture events from one provider with ``etw.ETW`` used as a context manager.

    Events go to ``etw.on_event_callback``.  The ``with`` statement is
    presumably what starts the session on entry and stops it on exit
    (defined by the ``etw`` module, not here); ``etw.run('etw')`` is invoked
    while the session is open.
    """
    provider_guid = etw.GUID("{11111111-1111-1111-1111-111111111111}")
    provider = etw.ProviderInfo('Some Provider', provider_guid)

    session = etw.ETW(providers=[provider],
                      event_callback=etw.on_event_callback)
    with session:
        # run capture for the lifetime of the context
        etw.run('etw')
def some_fuc():
    """Run a capture for one provider and hand ``etw.run`` an output path.

    Builds a name -> GUID mapping, wraps it in an ``etw.ETW`` session and
    passes the session plus ``'./etwlog'`` to ``etw.run``.  What ``etw.run``
    does with the path (presumably where the capture is written) is defined
    by the ``etw`` module -- confirm there before relying on it.
    """
    provider_map = {
        'Some provider': etw.GUID("{8E598056-8993-11D2-819E-0000F875A064}"),
    }
    session = etw.ETW(provider_map)
    output_path = './etwlog'

    # third argument selects where the capture output goes
    etw.run('etw', session, output_path)
def some_func():
    """Run a capture for one provider via ``etw.run``.

    The provider is given as a name -> GUID mapping passed positionally to
    ``etw.ETW``; the resulting session is then handed to ``etw.run`` with
    no output path.
    """
    provider_map = {
        'Some Provider': etw.GUID("{11111111-1111-1111-1111-111111111111}"),
    }

    session = etw.ETW(provider_map)

    # run capture; session lifetime is managed by etw.run
    etw.run('etw', session)
 def __init__(self):
     """Load the RPC server config and prepare (not start) an ETW session for Microsoft-Windows-RPC.

     The provider is enabled at ``TRACE_LEVEL_VERBOSE`` with every keyword
     bit set (``any_keywords=0xffffffffffffffff``), i.e. the broadest
     capture this provider offers -- expect a high event rate on a busy
     host.  Events are delivered to ``self.etw_callback``, which is expected
     to be defined elsewhere on the class; ``self.events`` and
     ``self.lock`` are set up here for it to use.
     """
     self.config = RpcServersConfig.load('rpc_servers.json')
     self.events = []
     self.lock = threading.Lock()

     rpc_provider = etw.ProviderInfo(
         name='Microsoft-Windows-RPC',
         guid=etw.GUID("{6ad52b32-d609-4be9-ae07-ce8dae937e39}"),
         level=etw.evntrace.TRACE_LEVEL_VERBOSE,
         any_keywords=0xffffffffffffffff,
     )
     self.session = etw.ETW(providers=[rpc_provider],
                            event_callback=self.etw_callback)
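def some_func():
    """Capture five seconds of events from one provider, printing each one.

    The session is stopped in a ``finally`` block: in the original shape
    (``start``; ``sleep``; ``stop``) a KeyboardInterrupt or any error
    during the sleep skipped ``stop()`` and left the ETW session running.
    NOTE(review): an unstopped ETW session can outlive this process and
    keep consuming resources until it is stopped by hand, so ``stop()``
    must not sit on a conditional path.
    """
    # define capture GUID
    guid = {
        'Some Provider': etw.GUID("{11111111-1111-1111-1111-111111111111}")
    }
    # create instance of ETW class
    job = etw.ETW(guid)

    # start capture; every event is handed to the print callback
    job.start(lambda x: print(x))
    try:
        # wait some time
        time.sleep(5)
    finally:
        # stop capture on every exit path (normal, error, Ctrl-C)
        job.stop()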
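def some_func():
    """Capture five seconds of events from one provider, printing each one.

    Uses the ``providers=`` / ``event_callback=`` form of ``etw.ETW``.  The
    session is stopped in a ``finally`` block: with a plain
    ``start``/``sleep``/``stop`` sequence a KeyboardInterrupt during the
    sleep skipped ``stop()`` and left the ETW session running.
    NOTE(review): an unstopped ETW session can outlive this process and
    keep consuming resources until it is stopped by hand.
    """
    # define capture provider info
    providers = [
        etw.ProviderInfo('Some Provider',
                         etw.GUID("{11111111-1111-1111-1111-111111111111}"))
    ]
    # create instance of ETW class
    job = etw.ETW(providers=providers, event_callback=lambda x: print(x))

    # start capture
    job.start()
    try:
        # wait some time
        time.sleep(5)
    finally:
        # stop capture on every exit path (normal, error, Ctrl-C)
        job.stop()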
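def main_function():
    """Trace process-start events from Microsoft-Windows-Kernel-Process until Ctrl-C.

    Events passing the ``"PROCESSSTART"`` task-name filter are handed to
    ``get_me_my_parent`` (defined elsewhere in this file).  Two fixes over
    the plain ``while True: pass`` / ``except KeyboardInterrupt`` shape:

    * the wait loop sleeps instead of spinning, so it no longer pins a CPU
      core while idle;
    * ``job.stop()`` runs in ``finally``, so any exception -- not only
      KeyboardInterrupt -- tears the session down.  NOTE(review): an
      unstopped ETW session can outlive this process and keep running
      until stopped by hand.

    Starting a kernel-provider trace typically needs elevated privileges;
    nothing here checks for them.
    """
    # define capture provider info
    providers = [etw.ProviderInfo('Microsoft-Windows-Kernel-Process',
                                  etw.GUID("{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}"))]

    # create instance of ETW class; only PROCESSSTART tasks reach the callback
    job = etw.ETW(providers=providers,
                  event_callback=lambda x: get_me_my_parent(x),
                  task_name_filters="PROCESSSTART")

    # start capture
    job.start()
    try:
        # Events arrive on the ETW callback; this thread only has to stay
        # alive until the user interrupts.
        while True:
            time.sleep(1)
    except KeyboardInterrupt:
        pass
    finally:
        # stop capture on every exit path, then report
        job.stop()
        print("ETW monitoring stopped.")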