new feature: switch active session from file to realtime session

Threathunters.BlueKrabsetw.Native.ETW/ITrace.hpp

@@ -53,6 +53,11 @@ namespace Microsoft { namespace O365 { namespace Security { namespace ETW {
         /// </summary>
         void Update();
 
+        /// <summary>
+        /// Stops listening for events.
+        /// </summary>
+        void TransitionToRealtime();
+
         /// <summary>
         /// Get stats about events handled by this trace.
         /// </summary>

Threathunters.BlueKrabsetw.Native.ETW/KernelTrace.hpp

@@ -180,6 +180,8 @@ namespace Microsoft { namespace O365 { namespace Security { namespace ETW {
         /// </example>
         virtual void Update();
 
+        virtual void TransitionToRealtime();
+
         /// <summary>
         /// Get stats about events handled by this trace
         /// </summary>
@@ -294,6 +296,11 @@ namespace Microsoft { namespace O365 { namespace Security { namespace ETW {
         ExecuteAndConvertExceptions(return trace_->update());
     }
 
+    inline void KernelTrace::TransitionToRealtime()
+    {
+        ExecuteAndConvertExceptions(return trace_->transition_to_realtime());
+    }
+
     inline TraceStats KernelTrace::QueryStats()
     {
         ExecuteAndConvertExceptions(return TraceStats(trace_->query_stats()));

Threathunters.BlueKrabsetw.Native.ETW/UserTrace.hpp

@@ -212,6 +212,11 @@ namespace Microsoft { namespace O365 { namespace Security { namespace ETW {
         /// </example>
         virtual void Update();
 
+        /// <summary>
+        /// 
+        /// </summary>
+        virtual void TransitionToRealtime();
+
         /// <summary>
         /// Get stats about events handled by this trace
         /// </summary>
@@ -315,6 +320,11 @@ namespace Microsoft { namespace O365 { namespace Security { namespace ETW {
         ExecuteAndConvertExceptions(return trace_->update());
     }
 
+    inline void UserTrace::TransitionToRealtime()
+    {
+        ExecuteAndConvertExceptions(return trace_->transition_to_realtime());
+    }
+
     inline TraceStats UserTrace::QueryStats()
     {
         ExecuteAndConvertExceptions(return TraceStats(trace_->query_stats()));

bluekrabs/bluekrabs/etw.hpp

@@ -143,6 +143,11 @@ namespace krabs { namespace details {
             PVOID trace_information,
             ULONG information_length);
 
+        /// <summary>
+        /// 
+        /// </summary>
+        void transition_to_realtime();
+
         /**
          * <summary>
          * Notifies the underlying trace of the buffers that were processed.
@@ -325,6 +330,22 @@ namespace krabs { namespace details {
         close_trace();
     }
 
+    template <typename T>
+    void trace_manager<T>::transition_to_realtime()
+    {
+        auto info = query_trace();
+
+        ULONG status = ControlTrace(
+            NULL,
+            trace_.name_.c_str(),
+            &info.properties,
+            EVENT_TRACE_CONTROL_CONVERT_TO_REALTIME);
+
+        if (status != ERROR_WMI_INSTANCE_NOT_FOUND) {
+            error_check_common_conditions(status);
+        }
+    }
+
     template <typename T>
     void trace_manager<T>::set_buffers_processed(size_t processed)
     {

bluekrabs/bluekrabs/filtering/event_filter.hpp

@@ -71,7 +71,7 @@ namespace krabs {
          *   Given optional predicate will be applied to ETW API filtered results
          * </summary>
          */
-        event_filter(std::vector<unsigned short> event_ids, filter_predicate predicate = nullptr);
+        event_filter(std::vector<unsigned short> event_ids, filter_predicate predicate=nullptr);
 
         /**
          * <summary>

bluekrabs/bluekrabs/trace.hpp

@@ -292,7 +292,7 @@ namespace krabs {
          * Transition the ETW trace from real-time to file or vice versa.
          * </summary>
          */
-        void transition();
+        void transition_to_realtime();
 
         /**
         * <summary>
@@ -559,9 +559,11 @@ namespace krabs {
     }
 
     template <typename T>
-    void trace<T>::transition()
+    void trace<T>::transition_to_realtime()
     {
-        return;
+        //EVENT_TRACE_CONTROL_CONVERT_TO_REALTIME
+        details::trace_manager<trace> manager(*this);
+        manager.transition_to_realtime();
     }
 
     template <typename T>

examples/NativeExamples/main.cpp

@@ -25,8 +25,8 @@ int main(void)
     //user_trace_009_from_file::start2();
     //user_trace_010_direct_filter::start();
     //user_trace_011_search_wevt::start();
-    //user_trace_012_open_trace::start();
+    user_trace_012_open_trace::start();
     //user_trace_013_pktmon::start();
     //user_trace_014_transition_trace::start();
-    user_trace_015_update_trace::start();
+    //user_trace_015_update_trace::start();
 }

examples/NativeExamples/user_trace_012_open_trace.cpp

@@ -72,26 +72,47 @@
 //}
 
 
-
 /// <summary>
 /// Note: For existing sessions, pre-filtering capabilities cannot be used.
 /// </summary>
 void user_trace_012_open_trace::start()
 {
-    krabs::user_trace trace(L"DefenderApiLogger");
-    krabs::provider<> provider(krabs::guid(L"{f4e1897c-bb5d-5668-f1d8-040f4d8dd344}"));
+    krabs::user_trace trace(L"SecSense");
+    krabs::provider<> sec_provider(krabs::guid(L"{16c6501a-ff2d-46ea-868d-8f96cb0cb52d}"));
+    krabs::provider<> file_provider(L"Microsoft-Windows-Kernel-File");
 
-    provider.add_on_event_callback([](const EVENT_RECORD& record, const krabs::trace_context& trace_context) {
+    auto on_event = [](const EVENT_RECORD& record, const krabs::trace_context& trace_context) {
 
         // Once an event is received, if we want krabs to help us analyze it, we need
         // to snap in a schema to ask it for information.
         krabs::schema schema(record, trace_context.schema_locator);
         // We then have the ability to ask a few questions of the event.
         std::wcout << L"ProviderName " << schema.provider_name() << std::endl;
         std::wcout << L"EventId" << schema.event_id() << std::endl;
-        });
+        };
+    sec_provider.add_on_event_callback(on_event);
+    file_provider.add_on_event_callback(on_event);
+    //sec_provider.add_on_event_callback([](const EVENT_RECORD& record, const krabs::trace_context& trace_context) {
+
+    //    // Once an event is received, if we want krabs to help us analyze it, we need
+    //    // to snap in a schema to ask it for information.
+    //    krabs::schema schema(record, trace_context.schema_locator);
+    //    // We then have the ability to ask a few questions of the event.
+    //    std::wcout << L"ProviderName " << schema.provider_name() << std::endl;
+    //    std::wcout << L"EventId" << schema.event_id() << std::endl;
+    //    });
+
+
+
+    trace.enable(sec_provider);
+    trace.enable(file_provider);
+
+    auto stats = trace.query_stats();
+
+    if ((stats.log_file_mode & 0x100) == 0) {
+        trace.transition_to_realtime();
+    }
 
-    trace.enable(provider);
     trace.open();
 
     std::thread workerThread([&]() {
@@ -102,4 +123,36 @@ void user_trace_012_open_trace::start()
     std::this_thread::sleep_for(std::chrono::seconds(durationInSeconds));
     trace.close();
     workerThread.join();
-}
+}
+
+
+///// <summary>
+///// Note: For existing sessions, pre-filtering capabilities cannot be used.
+///// </summary>
+//void user_trace_012_open_trace::start()
+//{
+//    krabs::user_trace trace(L"DefenderApiLogger");
+//    krabs::provider<> provider(krabs::guid(L"{f4e1897c-bb5d-5668-f1d8-040f4d8dd344}"));
+//
+//    provider.add_on_event_callback([](const EVENT_RECORD& record, const krabs::trace_context& trace_context) {
+//
+//        // Once an event is received, if we want krabs to help us analyze it, we need
+//        // to snap in a schema to ask it for information.
+//        krabs::schema schema(record, trace_context.schema_locator);
+//        // We then have the ability to ask a few questions of the event.
+//        std::wcout << L"ProviderName " << schema.provider_name() << std::endl;
+//        std::wcout << L"EventId" << schema.event_id() << std::endl;
+//        });
+//
+//    trace.enable(provider);
+//    trace.open();
+//
+//    std::thread workerThread([&]() {
+//        trace.process();
+//        });
+//
+//    const int durationInSeconds = 30;
+//    std::this_thread::sleep_for(std::chrono::seconds(durationInSeconds));
+//    trace.close();
+//    workerThread.join();
+//}