Add ETW probe support #3
Comments
Hi, I saw your talk and thought this was a really cool idea. I've made a start on the ETW probes over at https://github.com/kirbyUK/STrace, though I haven't managed to get a callback yet. I'm looking at it when I have time.
That's really awesome! Thanks for taking that on. In addition to the ETW probes, there's support in dtrace to have log events published via ETW; evaluating if the current log system in strace should be switched to an ETW based one would be really neat. There is quite a bit of overhead from writing to the output file in the current design. There's an example dtrace script that shows this functionality in the dtrace repo.
Sorry for being slow to update on this, I've been very busy recently. I just wanted to let you know that as of my just-pushed commit, my branch can now load ETW plugin DLLs and get callbacks from them, so it effectively works end-to-end!
That's amazing, great work, thank you! Do you feel comfortable opening a PR with where it's at right now, or do you plan to keep working on it? Also, have you played with the generation of events too? https://github.com/microsoft/DTrace-on-Windows/blob/6eddceb71a3214620e4438ed94be47620b12616f/samples/windows/etw/AddNewETWEvent.d#L34
Reopened so that any additional work to access event data, or publish events, as mentioned in the closing PR, can be tracked!
TODO:
Hi, I wanna contribute to this feature. I need some guidance though, as I don't know where to begin.
@ArkaprabhaChakraborty porting the log implementation (https://github.com/mandiant/STrace/blob/main/C/STrace/Logger.cpp) to produce ETW events would be the most useful change at this time. After you have the driver producing ETW events through macros like LOG_INFO, write a usermode process to consume the ETW events continuously and write them to a file on disk. https://github.com/mandiant/STrace/tree/main/C/AddNewEtwEventPlugin gives an example of how to produce ETW events; do this within the driver instead of using a plugin though.
The PID and FBT probe types can't be supported until the signing requirements of the dtrace system/kernel extensions are changed by Microsoft, as they use the Windows hypervisor, which doesn't boot when SB and DSE are set to off. The ETW probe type however doesn't rely on the hypervisor and should be implementable. If someone wants to perform that research, let's chat here.