repnz/etw-providers-docs

Stars
203
Rank 192,890 (Top 4 %)
Language
C
Created over 5 years ago
Updated over 4 years ago

repnz/etw-providers-docs

repnz

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Document ETW providers

ETW Providers Docs

Windows 7 - /Manifests-Win7-7600

Windows 10 - /Manifests-Win10-17134

Windows provides the ETW framework for event tracing. The ETW framework comes with many built-in ETW providers, but most of them are not documented very well.

Using tdh.h API provider information can be dumped. For manifest based providers, a manifest can be recreated using the same method perfview uses: (https://github.com/Kae7in/perfview/blob/444fd391db9b8275846e2a5bbb8ec1d6e73a5dad/src/PerfView/Extensibility.cs#L2523) (this is not the original manifest, because manifests are compiled) For non-manifest based providers, currently only keywords are dumped. But theoretically you can register to the provider and just cache all the results from all the events (in this case the event must be raised for it to be documented)

Moreover, in a quest to find more interesting ETW providers, I started reversing specific ETW providers and document the manifests. Some manifests were found in open source Microsoft repositories:

https://github.com/microsoft/Tx/tree/master/Manifests

Currently reverse engineered providers:

/Manifests-Win10-17134/Microsoft-Windows-Kernel-Audit-API-Calls - reverse engineered from ntoskrnl symbols
/Manifests-Win10-17134/Microsoft-Windows-Kernel-General - found in microsoft open source repo

windbg-cheat-sheet

My personal cheat sheet for using WinDbg for kernel debugging

autochk-rootkit

Reverse engineered source code of the autochk rootkit

apc-research

APC Internals Research Code

ida-plugins

A collection of my IDA plugins

ReversingMinesweeper

Reverse Engineering Minesweeper: Reconstruct Minesweeper Source Code

shellcode2exe

Batch script to compile a binary shellcode blob into an exe file

windows-inspector

A driver to intercept low level windows events

windows-imports-searcher

Support Windows OS Reversing by searching easily for references to functions across many DLLs

snax86

A snake game written in x86 Assembly language for windows console

rpcmon

RPC Monitor based on The ETW Microsoft-Windows-Rpc provider

practical-reverse-engineering

Code for the solutions of practical reverse engineering

autoit-analysis

AutoIt Analysis Library: Parser & Emulator For Malware Researchers

simple-os

Simple Protected Mode Kernel for i386

auto-makefile

Generic Makefile Template with Automatic Dependency Generation

PE

PE.Parser, PE.Dumper, PE.Loader

checkpoint-ctf-2018

Solutions to the challenges of the checkpoint CSA CTF

set-critical-thread

Use NtSetInformationThread(ThreadBreakOnTermination) for anti-debugging

real-kernel

16 bit Real mode operating system kernel

tracelogging-providers

A dump of all the trace logging providers from system32

simple-etw-provider

hello world ETW provider

repnz.github.io

The deployed version of my blog

gamekid

Gameboy Emulation Library

supple

Supple way to load dynamic XML configuration files

bluehat-il-2019-slotd

BlueHat IL 2019 vulnerable debugging interface

nc8-reversing-ctf

Solution to the NC8 CTF & nc8 instruction set emulation API

pytreecli

A command line library that allows to build a tree structures command line easily

c-streams

Wrapper for custom streams in the C language

dotflow

DotNet Actor Model POC library

calculator-driver

Simple calculator windows driver