# windows
t
I have one for process events that's coming along alright, missing quite a bit of data from the normal table schema though 😞 Also haven't sorted out the best trace provider for network events
m
At a previous job I worked on this problem, here are the providers we used: https://github.com/DigitalOperatives/PAINT/blob/6412814c0a61d8e0a785801970eaf37d3f835b38/PAINT/PAINT.h
t
Any chance you knew how to get command line information for the process events?
Were you using anything for process events? That looks like just networking stuff. Still very useful, thank you very much ❤️
m
In that project, we were using some network-related ETW providers which carried PID metadata for every packet. So we were not capturing process events per se, but I thought maybe the list of network event providers might be of interest to you.
I noticed that you're using the TDH API directly and if it works that's fine but Microsoft does have a less-known modern C++ wrapper called krabsetw that I really like: https://github.com/Microsoft/krabsetw
Regarding the getting of command line information: I dunno where to get that from an ETW provider. The way that ProcessHacker gets it is `NtQueryInformationProcess`
t
Hah, yeah, I've been talking with @zacbrown who's one of (the?) authors of Krabs, and his response to my question was "why don't you just use krabs?" 😄
z
Heh. Weird hearing people talk about krabs
@thor and actually, I'm one of three main authors. The other two still work for MSFT but both are on the C++ compiler team now. We all worked on O365 Security though when it was written
šŸ‘ 2