#windows
thor

08/24/2018, 6:33 AM
I have one for process events that's coming along alright, missing quite a bit of data from the normal table schema though 😞 Also haven't sorted out the best trace provider for network events
Mike Myers

08/24/2018, 4:21 PM
At a previous job I worked on this problem, here are the providers we used: https://github.com/DigitalOperatives/PAINT/blob/6412814c0a61d8e0a785801970eaf37d3f835b38/PAINT/PAINT.h
thor

08/24/2018, 5:31 PM
Any chance you knew how to get command line information for the process events?
5:32 PM
Were you using anything for process events? That looks like just networking stuff. Still very useful, thank you very much ❤️
Mike Myers

08/24/2018, 6:56 PM
In that project, we were using some network-related ETW providers which carried PID metadata for every packet. So we were not capturing process events per se, but I thought maybe the list of network event providers might be of interest to you.
6:59 PM
I noticed that you're using the TDH API directly and if it works that's fine but Microsoft does have a less-known modern C++ wrapper called krabsetw that I really like: https://github.com/Microsoft/krabsetw
😄 1
7:22 PM
Regarding the getting of command line information: I dunno where to get that from an ETW provider. The way that ProcessHacker gets it is NtQueryInformationProcess
thor

08/24/2018, 8:28 PM
Hah, yeah, I've been talking with @zacbrown who's one of (the?) authors of Krabs, and his response to my question was "why don't you just use krabs?" 😄
😄 1
zacbrown

08/24/2018, 9:53 PM
Heh. Weird hearing people talk about krabs
9:54 PM
@thor and actually, I'm one of three main authors. The other two still work for MSFT but both are on the C++ compiler team now. We all worked on O365 Security tho when it was written
👍 2