I have one for process events that's coming along alright, missing quite a bit of data from the normal table schema though. Also haven't sorted out the best trace provider for network events
Any chance you knew how to get command line information for the process events?
Were you using anything for process events? That looks like just networking stuff. Still very useful, thank you very much ❤️
Mike Myers
08/24/2018, 6:56 PM
In that project, we were using some network-related ETW providers which carried PID metadata for every packet. So we were not capturing process events per se, but I thought maybe the list of network event providers might be of interest to you.
I noticed that you're using the TDH API directly and if it works that's fine but Microsoft does have a less-known modern C++ wrapper called krabsetw that I really like: https://github.com/Microsoft/krabsetw
Regarding the getting of command line information: I dunno where to get that from an ETW provider. The way that ProcessHacker gets it is NtQueryInformationProcess
thor
08/24/2018, 8:28 PM
Hah, yeah, I've been talking with @zacbrown who's one of (the?) authors of Krabs, and his response to my question was "why don't you just use krabs?"
zacbrown
08/24/2018, 9:53 PM
Heh. Weird hearing people talk about krabs
@thor and actually, I'm one of three main authors. The other two still work for MSFT but both are on the C++ compiler team now. We all worked on O365 Security tho when it was written