+ SilkETW-SilkService v0.8
FuzzySecurity committed Sep 13, 2019
1 parent 74246ba commit f2f5c6c
Showing 6 changed files with 63 additions and 9 deletions.
5 changes: 5 additions & 0 deletions Changelog.txt
@@ -1,3 +1,8 @@
-= SilkETW & SilkService v0.8 =-

* Bug fix: https://github.com/fireeye/SilkETW/issues/4
* Bug fix: https://github.com/fireeye/SilkETW/issues/5

-= SilkETW & SilkService v0.7 =-

* SilkService released.
11 changes: 10 additions & 1 deletion SilkETW/ETWCollector.cs
Expand Up @@ -133,7 +133,16 @@ public static void StartTrace(CollectorType CollectorType, ulong TraceKeywords,
for (int AttribIndex = 0; AttribIndex < EventElementReader.AttributeCount; AttribIndex++)
{
EventElementReader.MoveToAttribute(AttribIndex);
EventProperties.Add(EventElementReader.Name, EventElementReader.Value);

// Cap maxlen for eventdata elements to 10k
if (EventElementReader.Value.Length > 10000)
{
String DataValue = EventElementReader.Value.Substring(0, Math.Min(EventElementReader.Value.Length, 10000));
EventProperties.Add(EventElementReader.Name, DataValue);
} else
{
EventProperties.Add(EventElementReader.Name, EventElementReader.Value);
}
}
}
}
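Review bot: Inside the `EventElementReader.Value.Length > 10000` branch the `Math.Min(EventElementReader.Value.Length, 10000)` on the `Substring` line always evaluates to 10000, so the guard and the slice length express the same limit in two different ways, and the literal is repeated in the guard, the call and the comment, then again in the identical block added to SilkService/ETWCollector.cs (which also formats the `else` differently: `} else` here, `}` / `else` there). Hoist the limit into one named constant and truncate in one place, as sketched below, in both files. The truncation is silent: a consumer of the emitted JSON cannot distinguish a value that was exactly 10000 characters from one that was cut, which matters for a telemetry collector whose output feeds detection logic, so if the downstream schema allows it consider recording that the field was capped (a fixed suffix or a separate property). The enclosing `StartTrace` begins and ends outside the hunk.
```csharp
// Upper bound on a single EventData attribute value; longer values are truncated to this length.
private const int MaxEventDataLength = 10000;

// … unchanged: StartTrace up to the attribute loop …
EventElementReader.MoveToAttribute(AttribIndex);
String DataValue = EventElementReader.Value;
if (DataValue.Length > MaxEventDataLength)
{
    DataValue = DataValue.Substring(0, MaxEventDataLength);
}
EventProperties.Add(EventElementReader.Name, DataValue);
```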
4 changes: 2 additions & 2 deletions SilkETW/Properties/AssemblyInfo.cs
Expand Up @@ -32,5 +32,5 @@
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("0.7.0.0")]
[assembly: AssemblyFileVersion("0.7.0.0")]
[assembly: AssemblyVersion("0.8.0.0")]
[assembly: AssemblyFileVersion("0.8.0.0")]
19 changes: 17 additions & 2 deletions SilkETW/h_SilkETW.cs
Expand Up @@ -287,7 +287,7 @@ public static void PrintLogo()
Console.WriteLine("███████║██║█████╗██║ ██╗███████╗ ██║ ╚███╔███╔╝ ");
Console.WriteLine("╚══════╝╚═╝╚════╝╚═╝ ╚═╝╚══════╝ ╚═╝ ╚══╝╚══╝ ");
Console.ResetColor();
Console.WriteLine(" [v0.7 - Ruben Boonen => @FuzzySec]\n");
Console.WriteLine(" [v0.8 - Ruben Boonen => @FuzzySec]\n");
}

// Print trivia ;)
Expand Down Expand Up @@ -414,6 +414,18 @@ public static bool DirectoryHasPermission(string DirectoryPath, FileSystemRights
return isInRoleWithAccess;
}

public static void RetargetEventSource(String LegacySource)
{
// This is a fix for: https://github.com/fireeye/SilkETW/issues/4
// When both SilkETW and SilkService are used on the same host
// eventlog logging would fail for one or the other as they had
// the same source. This function will retarget the source.
if (EventLog.SourceExists(LegacySource))
{
EventLog.DeleteEventSource(LegacySource);
}
}

public static Boolean WriteEventLogEntry(String Message, EventLogEntryType Type, EventIds EventId, String Path)
{
//--[Event ID's]
Expand All @@ -425,8 +437,11 @@ public static Boolean WriteEventLogEntry(String Message, EventLogEntryType Type,

try
{
// Fix legacy collector source
RetargetEventSource("ETW Collector");

// Event log properties
String Source = "ETW Collector";
String Source = "SilkETW Collector";

// If the source doesn't exist we have to create it first
if (!EventLog.SourceExists(Source))
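Review bot: `RetargetEventSource("ETW Collector")` at the top of the `try` in `WriteEventLogEntry` runs `EventLog.SourceExists` and possibly `EventLog.DeleteEventSource` on every entry written, and because it sits ahead of the `Source` setup any exception it raises is caught by the surrounding handler and the entry is never written; the same applies to the local-function copy added in SilkService/ETWCollector.cs. Removing the pre-0.8 source is a one-time migration, so guard it with a flag as sketched below (for the SilkService copy the flag would have to live on the class, since that helper is a local function inside `StartTrace`). The comment states the function "will retarget the source", but it only deletes the legacy registration and the replacement is created further down in `WriteEventLogEntry`, so I would summarise it as `/// Removes the pre-0.8 "ETW Collector" event source registration so that SilkETW and SilkService can register distinct sources (issue #4).`. Anything filtering the Application log on the old source name stops matching after this commit, which is worth a line in Changelog.txt next to the issue reference. `WriteEventLogEntry` continues past the end of the hunk.
```csharp
// Set once the legacy source has been checked so the registry lookup is not repeated per entry.
private static bool LegacySourceChecked = false;

public static void RetargetEventSource(String LegacySource)
{
    if (LegacySourceChecked)
    {
        return;
    }
    if (EventLog.SourceExists(LegacySource))
    {
        EventLog.DeleteEventSource(LegacySource);
    }
    LegacySourceChecked = true;
}
```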
29 changes: 27 additions & 2 deletions SilkService/ETWCollector.cs
Expand Up @@ -18,6 +18,18 @@ class ETWCollector
{
public static void StartTrace(CollectorParameters Collector)
{
void RetargetEventSource(String LegacySource)
{
// This is a fix for: https://github.com/fireeye/SilkETW/issues/4
// When both SilkETW and SilkService are used on the same host
// eventlog logging would fail for one or the other as they had
// the same source. This function will retarget the source.
if (EventLog.SourceExists(LegacySource))
{
EventLog.DeleteEventSource(LegacySource);
}
}

Boolean WriteEventLogEntry(String Message, EventLogEntryType Type, EventIds EventId, String Path)
{
//--[Event ID's]
Expand All @@ -29,8 +41,11 @@ Boolean WriteEventLogEntry(String Message, EventLogEntryType Type, EventIds Even

try
{
// Fix legacy collector source
RetargetEventSource("ETW Collector");

// Event log properties
String Source = "ETW Collector";
String Source = "SilkService Collector";

// If the source doesn't exist we have to create it first
if (!EventLog.SourceExists(Source))
Expand Down Expand Up @@ -275,7 +290,17 @@ int ProcessJSONEventData(String JSONData, OutputType OutputType, String Path, St
for (int AttribIndex = 0; AttribIndex < EventElementReader.AttributeCount; AttribIndex++)
{
EventElementReader.MoveToAttribute(AttribIndex);
EventProperties.Add(EventElementReader.Name, EventElementReader.Value);

// Cap maxlen for eventdata elements to 10k
if (EventElementReader.Value.Length > 10000)
{
String DataValue = EventElementReader.Value.Substring(0, Math.Min(EventElementReader.Value.Length, 10000));
EventProperties.Add(EventElementReader.Name, DataValue);
}
else
{
EventProperties.Add(EventElementReader.Name, EventElementReader.Value);
}
}
}
}
4 changes: 2 additions & 2 deletions SilkService/Properties/AssemblyInfo.cs
Expand Up @@ -32,5 +32,5 @@
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("0.7.0.0")]
[assembly: AssemblyFileVersion("0.7.0.0")]
[assembly: AssemblyVersion("0.8.0.0")]
[assembly: AssemblyFileVersion("0.8.0.0")]
