# windows

thor

08/24/2018, 6:33 AM
I have one for process events that's coming along alright, missing quite a bit of data from the normal table schema though 😞 Also haven't sorted out the best trace provider for network events

Mike Myers

08/24/2018, 4:21 PM
At a previous job I worked on this problem, here are the providers we used: https://github.com/DigitalOperatives/PAINT/blob/6412814c0a61d8e0a785801970eaf37d3f835b38/PAINT/PAINT.h
thor

08/24/2018, 5:31 PM
Any chance you knew how to get command line information for the process events?
Were you using anything for process events? That looks like just networking stuff. Still very useful, thank you very much ❤️

Mike Myers

08/24/2018, 6:56 PM
In that project, we were using some network-related ETW providers which carried PID metadata for every packet. So we were not capturing process events per se, but I thought maybe the list of network event providers might be of interest to you.
I noticed that you're using the TDH API directly and if it works that's fine but Microsoft does have a less-known modern C++ wrapper called krabsetw that I really like: https://github.com/Microsoft/krabsetw
Regarding the getting of command line information: I dunno where to get that from an ETW provider. The way that ProcessHacker gets it is `NtQueryInformationProcess`

thor

08/24/2018, 8:28 PM
Hah, yeah, I've been talking with @zacbrown who's one of (the?) authors of Krabs, and his response to my question was "why don't you just use krabs?" 😄

zacbrown

08/24/2018, 9:53 PM
Heh. Weird hearing people talk about krabs
@thor and actually, I'm one of three main authors. The other two still work for MSFT but both are on the C++ compiler team now. We all worked on O365 Security tho when it was written