Addition of Tracing hooks #78


Open: wants to merge 8 commits into base branch capemon

Conversation

cccs-mog
Contributor

No description provided.

@cccs-kevin

👀

@kevoreilly
Owner

It would be great to get these hooks tested and merged - are you able to provide something to test them, either a sample or compiled test code?

@cccs-mog
Contributor Author

@kevoreilly
Owner

Thanks for the info - I just set about compiling the PR in order to start testing. Unfortunately the code seems to be generating a large number of warnings relating to string types.

For example, looking at the first warning:

1>d:\work\cape\capemon\hook_trace.c(31): warning C4133: 'function': incompatible types - from 'LPWSTR' to 'char *const '

It relates to the line:

sprintf( str, fmt, pSid->Revision,

Here the type definition is LPWSTR str which is a wide string, but sprintf takes type char*. The rest of the warnings are similar making me wonder how you are compiling at your end. But ultimately it needs to compile in VS2017, would you be able to address these warnings?
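The wide/narrow mismatch behind warning C4133 is worth seeing in code. The following is an added example, not code from the capemon PR: it defines a stand-in `LPWSTR` typedef (an assumption, since the Windows header is not available here), pairs a wide buffer with `swprintf` and a narrow buffer with `snprintf` for the same SID-style fields, and shows why casting the warning away would silently produce the wrong string.

```c
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Hypothetical stand-in for the Windows LPWSTR typedef: a pointer to a wide string. */
typedef wchar_t *LPWSTR;

/* Correct pairing: a wide buffer is filled with swprintf and a wide (L"...") format.
 * The field names mirror the SID revision field mentioned in the warning; the
 * sub-authority count is an assumed second field for illustration. */
int format_sid_revision_w(LPWSTR str, size_t count,
                          unsigned char revision, unsigned char subauth_count)
{
    return swprintf(str, count, L"S-%u (sub-authorities: %u)",
                    revision, subauth_count);
}

/* Correct pairing: a narrow buffer is filled with snprintf and a narrow format. */
int format_sid_revision_a(char *str, size_t count,
                          unsigned char revision, unsigned char subauth_count)
{
    return snprintf(str, count, "S-%u (sub-authorities: %u)",
                    revision, subauth_count);
}

/* Self-check for the wide path: returns 1 when the buffer holds the expected text. */
int wide_format_is_correct(void)
{
    wchar_t buf[64];
    int n = format_sid_revision_w(buf, 64, 1, 5);
    return n > 0 && wcscmp(buf, L"S-1 (sub-authorities: 5)") == 0;
}

/* Self-check for the narrow path: 24 characters written and the text matches. */
int narrow_format_is_correct(void)
{
    char buf[64];
    int n = format_sid_revision_a(buf, sizeof buf, 1, 5);
    return n == 24 && strcmp(buf, "S-1 (sub-authorities: 5)") == 0;
}

/* What C4133 protects against: if narrow output is forced into a wide buffer
 * through a cast, the first wchar_t receives the first sizeof(wchar_t) bytes of
 * the narrow text, so reading the buffer as a wide string gives garbage.
 * Returns 1 when the result differs from the intended L"S-1". */
int narrow_into_wide_mismatches(void)
{
    wchar_t wide[32] = {0};
    /* Equivalent of the cast a developer might add just to silence the warning. */
    snprintf((char *)wide, sizeof(wide), "S-1");
    return wcscmp(wide, L"S-1") != 0;
}

int main(void)
{
    printf("wide ok: %d, narrow ok: %d, cast mismatch: %d\n",
           wide_format_is_correct(), narrow_format_is_correct(),
           narrow_into_wide_mismatches());
    return 0;
}
```

The practical rule the warning enforces: the buffer type, the formatting function and the format-string literal must all agree (wide with wide, narrow with narrow); a cast makes the compiler quiet but leaves the bytes wrong.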

@cccs-mog
Contributor Author

Fixed the warning, haven't had a chance to test the change yet. Will comment back/commit after being able to test the recent change. Thanks

@kevoreilly
Owner

I have these compiled now without warning. Unfortunately only hollows_hunter of the above links has release exes to test and I haven't been able to see these apis in the logs but they are very noisy with hundreds of pages of behaviour. If I could therefore ask if you would please share the exes you are using to test so I don't have to start compiling other projects in order to test this PR.

@cccs-mog
Contributor Author

Sorry for the interminable delay, must have forgotten to do the review here. Anyways, here is a zip with a bunch of workable samples that I have used for the tests:
ETW.zip
This is obviously going to be noisy with those samples because most of them if not all of them are tools that leverage ETW a lot.
