
Add ETW probe support #3

Open
stevemk14ebr opened this issue Aug 14, 2022 · 8 comments · Fixed by #8
Labels
enhancement New feature or request help wanted Extra attention is needed

Comments

@stevemk14ebr (Collaborator)

The PID and FBT probe types can't be supported until the signing requirements of the dtrace system/kernel extensions are changed by Microsoft, as they use the Windows hypervisor, which doesn't boot when SB and DSE are set to off. The ETW probe type, however, doesn't rely on the hypervisor and should be implementable. If someone wants to perform that research, let's chat here.

@stevemk14ebr added the "enhancement" (New feature or request) and "help wanted" (Extra attention is needed) labels on Aug 14, 2022.
@kirbyUK (Contributor) commented Aug 30, 2022

Hi, I saw your talk and thought this was a really cool idea. I've made a start on the ETW probes over at https://github.com/kirbyUK/STrace, though I haven't managed to get a callback yet. I'm looking at it when I have time.

@stevemk14ebr (Collaborator, Author) commented Aug 30, 2022

That's really awesome! Thanks for taking that on. In addition to the ETW probes, there's support in dtrace to have log events published via ETW; evaluating whether the current log system in STrace should be switched to an ETW-based one would be really neat. There is quite a bit of overhead from writing to the output file in the current design.

There's an example dtrace script that shows this functionality in the dtrace repo.

@kirbyUK (Contributor) commented Sep 19, 2022

Sorry for being slow to update on this, I've been very busy recently. I just wanted to let you know that as of my just-pushed commit, my branch can now load ETW plugin DLLs and get callbacks from them, so it effectively works end-to-end!

@stevemk14ebr (Collaborator, Author)

That's amazing, great work, thank you! Do you feel comfortable opening a PR with where it's at right now, or do you plan to keep working on it?

Also, have you played with the generation of events too? https://github.com/microsoft/DTrace-on-Windows/blob/6eddceb71a3214620e4438ed94be47620b12616f/samples/windows/etw/AddNewETWEvent.d#L34

@stevemk14ebr (Collaborator, Author)

Reopened so that any additional work to access event data, or publish events, as mentioned in the closing PR, can be tracked!

@stevemk14ebr (Collaborator, Author)

TODO:

@ArkaprabhaChakraborty

Hi, I want to contribute to this feature. I need some guidance, though, as I don't know where to begin.

@stevemk14ebr (Collaborator, Author)

@ArkaprabhaChakraborty porting the log implementation (https://github.com/mandiant/STrace/blob/main/C/STrace/Logger.cpp) to produce ETW events would be the most useful change at this time. After you have the driver producing ETW events through macros like LOG_INFO, write a usermode process to consume the ETW events continuously and write them to a file on disk. https://github.com/mandiant/STrace/tree/main/C/AddNewEtwEventPlugin gives an example of how to produce ETW events, but do this within the driver instead of using a plugin.
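For the consumer half of the task described above, here is an added example (not STrace project code, and not from any commenter) of a user-mode capture that attaches a file-backed trace session to a driver-registered ETW provider and later exports the recorded events. The provider GUID, session name and paths are placeholders; it assumes the EventTracingManagement cmdlets (Windows 10+) and an elevated shell.

```powershell
# Added example, not part of STrace. The driver side is assumed to register
# its provider with EtwRegister and emit events with EtwWrite; this script
# only consumes those events from user mode and persists them to disk.
$ProviderGuid = '{00000000-0000-0000-0000-000000000000}'   # PLACEHOLDER: the GUID the driver registers
$SessionName  = 'STraceEtwCapture'                         # hypothetical session name
$EtlPath      = 'C:\Traces\strace.etl'                     # hypothetical output path

function Start-STraceCapture {
    New-Item -ItemType Directory -Force -Path (Split-Path $EtlPath) | Out-Null
    # LogFileMode 0x1 = EVENT_TRACE_FILE_MODE_SEQUENTIAL: the kernel logger
    # thread appends buffers to the file continuously, so the user-mode side
    # never has to keep up with the driver's event rate itself.
    # MaximumFileSize (MB) bounds disk use if the driver logs heavily.
    New-EtwTraceSession -Name $SessionName -LocalFilePath $EtlPath `
        -LogFileMode 0x1 -MaximumFileSize 512 | Out-Null
    # The session's level/keyword filter must be at least as permissive as the
    # level and keyword the driver passes in its EVENT_DESCRIPTOR; otherwise
    # EtwEventEnabled() is false inside the driver and nothing is written.
    Add-EtwTraceProvider -SessionName $SessionName -Guid $ProviderGuid `
        -Level 5 -MatchAnyKeyword ([uint64]::MaxValue) | Out-Null
}

function Stop-STraceCapture {
    # Tearing down the session flushes outstanding buffers and closes the .etl
    Remove-EtwTraceSession -Name $SessionName
}

function Export-STraceEvents {
    param([string]$OutFile = 'C:\Traces\strace.jsonl')   # hypothetical path
    # Get-WinEvent reads .etl files directly (-Oldest is mandatory for .etl).
    # Keep only our provider's records and emit one JSON object per line.
    Get-WinEvent -Path $EtlPath -Oldest -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderId -eq [guid]$ProviderGuid } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated.ToString('o')
                EventId = $_.Id
                Level   = $_.Level
                Message = $_.Message
                Payload = @($_.Properties | ForEach-Object { $_.Value })
            } | ConvertTo-Json -Compress
        } | Set-Content -Path $OutFile
}

# Typical use: Start-STraceCapture; <exercise the driver>; Stop-STraceCapture; Export-STraceEvents
```

Without a manifest or TraceLogging metadata for the driver's provider, Get-WinEvent will return the raw payload values but no rendered Message, so the decode step should be checked against whatever event layout the driver ends up emitting.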


3 participants