From b1b1ea7163fdc75f63ebbbd0c52c0d881d56944a Mon Sep 17 00:00:00 2001
From: Dominik Phillips
Date: Fri, 2 Aug 2024 14:59:16 +0200
Subject: [PATCH] new feature: switch active session from file to realtime session

---
 .../ITrace.hpp | 5 ++
 .../KernelTrace.hpp | 7 ++
 .../UserTrace.hpp | 10 +++
 bluekrabs/bluekrabs/etw.hpp | 21 ++++++
 .../bluekrabs/filtering/event_filter.hpp | 2 +-
 bluekrabs/bluekrabs/trace.hpp | 8 ++-
 examples/NativeExamples/main.cpp | 4 +-
 .../user_trace_012_open_trace.cpp | 67 +++++++++++++++++--
 8 files changed, 111 insertions(+), 13 deletions(-)

diff --git a/Threathunters.BlueKrabsetw.Native.ETW/ITrace.hpp b/Threathunters.BlueKrabsetw.Native.ETW/ITrace.hpp
index d2b3783..a94f02f 100644
--- a/Threathunters.BlueKrabsetw.Native.ETW/ITrace.hpp
+++ b/Threathunters.BlueKrabsetw.Native.ETW/ITrace.hpp
@@ -53,6 +53,11 @@ namespace Microsoft { namespace O365 { namespace Security { namespace ETW { /// void Update(); + /// + /// Stops listening for events. + /// + void TransitionToRealtime(); + /// /// Get stats about events handled by this trace. ///
diff --git a/Threathunters.BlueKrabsetw.Native.ETW/KernelTrace.hpp b/Threathunters.BlueKrabsetw.Native.ETW/KernelTrace.hpp
index f97c296..ab784f3 100644
--- a/Threathunters.BlueKrabsetw.Native.ETW/KernelTrace.hpp
+++ b/Threathunters.BlueKrabsetw.Native.ETW/KernelTrace.hpp
@@ -180,6 +180,8 @@ namespace Microsoft { namespace O365 { namespace Security { namespace ETW { /// virtual void Update(); + virtual void TransitionToRealtime(); + /// /// Get stats about events handled by this trace ///
@@ -294,6 +296,11 @@ namespace Microsoft { namespace O365 { namespace Security { namespace ETW { ExecuteAndConvertExceptions(return trace_->update()); } + inline void KernelTrace::TransitionToRealtime() + { + ExecuteAndConvertExceptions(return trace_->transition_to_realtime()); + } + inline TraceStats KernelTrace::QueryStats() { ExecuteAndConvertExceptions(return TraceStats(trace_->query_stats()));
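Review bot: The doc comment added above `TransitionToRealtime()` in ITrace.hpp reads `/// Stops listening for events.`, which describes the stop operation rather than this method, and it is the text consumers of the ITrace interface will see. Suggest `/// Converts the underlying file-mode session to a real-time session.` here. The same defect appears in the other declaration hunks of this commit: the `///` block on the UserTrace.hpp declaration and on `transition_to_realtime()` in etw.hpp is empty, and the KernelTrace.hpp declaration has no comment at all; the same one-line sentence fits all three.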
diff --git a/Threathunters.BlueKrabsetw.Native.ETW/UserTrace.hpp b/Threathunters.BlueKrabsetw.Native.ETW/UserTrace.hpp
index 213b747..21593a1 100644
--- a/Threathunters.BlueKrabsetw.Native.ETW/UserTrace.hpp
+++ b/Threathunters.BlueKrabsetw.Native.ETW/UserTrace.hpp
@@ -212,6 +212,11 @@ namespace Microsoft { namespace O365 { namespace Security { namespace ETW { /// virtual void Update(); + /// + /// + /// + virtual void TransitionToRealtime(); + /// /// Get stats about events handled by this trace ///
@@ -315,6 +320,11 @@ namespace Microsoft { namespace O365 { namespace Security { namespace ETW { ExecuteAndConvertExceptions(return trace_->update()); } + inline void UserTrace::TransitionToRealtime() + { + ExecuteAndConvertExceptions(return trace_->transition_to_realtime()); + } + inline TraceStats UserTrace::QueryStats() { ExecuteAndConvertExceptions(return TraceStats(trace_->query_stats()));
diff --git a/bluekrabs/bluekrabs/etw.hpp b/bluekrabs/bluekrabs/etw.hpp
index 46960d4..269d341 100644
--- a/bluekrabs/bluekrabs/etw.hpp
+++ b/bluekrabs/bluekrabs/etw.hpp
@@ -143,6 +143,11 @@ namespace krabs { namespace details { PVOID trace_information, ULONG information_length); + /// + /// + /// + void transition_to_realtime(); + /** * * Notifies the underlying trace of the buffers that were processed.
@@ -325,6 +330,22 @@ namespace krabs { namespace details { close_trace(); } + template + void trace_manager::transition_to_realtime() + { + auto info = query_trace(); + + ULONG status = ControlTrace( + NULL, + trace_.name_.c_str(), + &info.properties, + EVENT_TRACE_CONTROL_CONVERT_TO_REALTIME); + + if (status != ERROR_WMI_INSTANCE_NOT_FOUND) { + error_check_common_conditions(status); + } + } + template void trace_manager::set_buffers_processed(size_t processed) {
diff --git a/bluekrabs/bluekrabs/filtering/event_filter.hpp b/bluekrabs/bluekrabs/filtering/event_filter.hpp
index e24c505..317314c 100644
--- a/bluekrabs/bluekrabs/filtering/event_filter.hpp
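Review bot: `trace_manager::transition_to_realtime()` in the second etw.hpp hunk swallows ERROR_WMI_INSTANCE_NOT_FOUND from ControlTrace, so when no session named `trace_.name_` is running the call returns as if the conversion had happened and the caller has no way to tell that the session was never converted; that filter presumably mirrors the stop/close path above it, but a conversion the caller is about to rely on should not be a silent no-op, so either pass every status to `error_check_common_conditions(status)` or state the no-op behaviour in the (currently empty) `///` comment on the declaration. The properties are handed back exactly as `query_trace()` returned them; if EVENT_TRACE_CONTROL_CONVERT_TO_REALTIME expects the real-time flag to be set in `info.properties.LogFileMode` (worth checking against the ControlTrace documentation), that field needs to be updated before the call. Minor: `NULL` should be `nullptr`.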
+++ b/bluekrabs/bluekrabs/filtering/event_filter.hpp
@@ -71,7 +71,7 @@ namespace krabs { * Given optional predicate will be applied to ETW API filtered results * */ - event_filter(std::vector event_ids, filter_predicate predicate = nullptr); + event_filter(std::vector event_ids, filter_predicate predicate=nullptr); /** *
diff --git a/bluekrabs/bluekrabs/trace.hpp b/bluekrabs/bluekrabs/trace.hpp
index 4dc42bd..cc89236 100644
--- a/bluekrabs/bluekrabs/trace.hpp
+++ b/bluekrabs/bluekrabs/trace.hpp
@@ -292,7 +292,7 @@ namespace krabs { * Transition the ETW trace from real-time to file or vice versa. * */ - void transition(); + void transition_to_realtime(); /** *
@@ -559,9 +559,11 @@ namespace krabs { } template - void trace::transition() + void trace::transition_to_realtime() { - return; + //EVENT_TRACE_CONTROL_CONVERT_TO_REALTIME + details::trace_manager manager(*this); + manager.transition_to_realtime(); } template
diff --git a/examples/NativeExamples/main.cpp b/examples/NativeExamples/main.cpp
index a1e165a..fc06868 100644
--- a/examples/NativeExamples/main.cpp
+++ b/examples/NativeExamples/main.cpp
@@ -25,8 +25,8 @@ int main(void) //user_trace_009_from_file::start2(); //user_trace_010_direct_filter::start(); //user_trace_011_search_wevt::start(); - //user_trace_012_open_trace::start(); + user_trace_012_open_trace::start(); //user_trace_013_pktmon::start(); //user_trace_014_transition_trace::start(); - user_trace_015_update_trace::start(); + //user_trace_015_update_trace::start(); } \ No newline at end of file
diff --git a/examples/NativeExamples/user_trace_012_open_trace.cpp b/examples/NativeExamples/user_trace_012_open_trace.cpp
index 4fe3b73..fdf317c 100644
--- a/examples/NativeExamples/user_trace_012_open_trace.cpp
+++ b/examples/NativeExamples/user_trace_012_open_trace.cpp
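Review bot: In the first trace.hpp hunk the declaration is renamed to `transition_to_realtime()` while the comment directly above it still says `Transition the ETW trace from real-time to file or vice versa.`, which no longer matches a one-directional operation; suggest `* Converts this trace's session from file mode to real-time mode (EVENT_TRACE_CONTROL_CONVERT_TO_REALTIME).` In the second trace.hpp hunk the bare `//EVENT_TRACE_CONTROL_CONVERT_TO_REALTIME` line left in the new body is a leftover and should either be dropped or turned into that same sentence. Renaming a public method of `trace` is a source-breaking change for any caller of the old `transition()`; main.cpp still references a `user_trace_014_transition_trace` example (commented out), and if that file calls the old name it will no longer compile, so it should be checked or the old name kept as a forwarder marked `[[deprecated("use transition_to_realtime")]]`.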
@@ -72,16 +72,16 @@ //} - /// /// Note: For existing sessions, pre-filtering capabilities cannot be used. /// void user_trace_012_open_trace::start() { - krabs::user_trace trace(L"DefenderApiLogger"); - krabs::provider<> provider(krabs::guid(L"{f4e1897c-bb5d-5668-f1d8-040f4d8dd344}")); + krabs::user_trace trace(L"SecSense"); + krabs::provider<> sec_provider(krabs::guid(L"{16c6501a-ff2d-46ea-868d-8f96cb0cb52d}")); + krabs::provider<> file_provider(L"Microsoft-Windows-Kernel-File"); - provider.add_on_event_callback([](const EVENT_RECORD& record, const krabs::trace_context& trace_context) { + auto on_event = [](const EVENT_RECORD& record, const krabs::trace_context& trace_context) { // Once an event is received, if we want krabs to help us analyze it, we need // to snap in a schema to ask it for information.
@@ -89,9 +89,30 @@ void user_trace_012_open_trace::start() // We then have the ability to ask a few questions of the event. std::wcout << L"ProviderName " << schema.provider_name() << std::endl; std::wcout << L"EventId" << schema.event_id() << std::endl; - }); + }; + sec_provider.add_on_event_callback(on_event); + file_provider.add_on_event_callback(on_event); + //sec_provider.add_on_event_callback([](const EVENT_RECORD& record, const krabs::trace_context& trace_context) { + + // // Once an event is received, if we want krabs to help us analyze it, we need + // // to snap in a schema to ask it for information. + // krabs::schema schema(record, trace_context.schema_locator); + // // We then have the ability to ask a few questions of the event. + // std::wcout << L"ProviderName " << schema.provider_name() << std::endl; + // std::wcout << L"EventId" << schema.event_id() << std::endl; + // }); + + + + trace.enable(sec_provider); + trace.enable(file_provider); + + auto stats = trace.query_stats(); + + if ((stats.log_file_mode & 0x100) == 0) { + trace.transition_to_realtime(); + } - trace.enable(provider); trace.open(); std::thread workerThread([&]() {
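Review bot: In the second hunk `if ((stats.log_file_mode & 0x100) == 0)` tests the real-time bit with a magic number; the named flag is `EVENT_TRACE_REAL_TIME_MODE`, so this should read `if ((stats.log_file_mode & EVENT_TRACE_REAL_TIME_MODE) == 0) {`. Nothing re-checks the mode after `trace.transition_to_realtime()`, and the etw.hpp implementation in this same commit returns silently when the named session does not exist, so a second `query_stats()` (or a log line) after the call would make it visible whether the session actually switched before `trace.open()` is reached. The commented-out copy of the old callback between `file_provider.add_on_event_callback(on_event);` and `trace.enable(sec_provider);` duplicates `on_event` line for line and should be removed rather than kept as dead code. The enclosing `start()` continues past the end of the hunk.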
@@ -102,4 +123,36 @@ void user_trace_012_open_trace::start() std::this_thread::sleep_for(std::chrono::seconds(durationInSeconds)); trace.close(); workerThread.join(); -} \ No newline at end of file +} + + +///// +///// Note: For existing sessions, pre-filtering capabilities cannot be used. +///// +//void user_trace_012_open_trace::start() +//{ +// krabs::user_trace trace(L"DefenderApiLogger"); +// krabs::provider<> provider(krabs::guid(L"{f4e1897c-bb5d-5668-f1d8-040f4d8dd344}")); +// +// provider.add_on_event_callback([](const EVENT_RECORD& record, const krabs::trace_context& trace_context) { +// +// // Once an event is received, if we want krabs to help us analyze it, we need +// // to snap in a schema to ask it for information. +// krabs::schema schema(record, trace_context.schema_locator); +// // We then have the ability to ask a few questions of the event. +// std::wcout << L"ProviderName " << schema.provider_name() << std::endl; +// std::wcout << L"EventId" << schema.event_id() << std::endl; +// }); +// +// trace.enable(provider); +// trace.open(); +// +// std::thread workerThread([&]() { +// trace.process(); +// }); +// +// const int durationInSeconds = 30; +// std::this_thread::sleep_for(std::chrono::seconds(durationInSeconds)); +// trace.close(); +// workerThread.join(); +//} \ No newline at end of file
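Review bot: The hunk appends a roughly thirty-line commented-out copy of the previous `start()` body (from `///// Note: For existing sessions` down to `//}`) after the function; version control already preserves the old implementation, and a second copy of the `DefenderApiLogger` setup kept in comments will only drift from the live code, so it should be deleted. The first line turns `-}` without a trailing newline into `+}`, but the new file still ends with `//}` and `\ No newline at end of file`, so the missing final newline is moved rather than fixed. The enclosing `start()` begins outside the hunk.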