
Commit 01a59a9

Updated some doc and samples
1 parent e2ff50e commit 01a59a9

13 files changed

Lines changed: 4311 additions & 2070 deletions

docs/generate_samples.py

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -93,6 +93,8 @@ def generate_output_result(target, output):
9393

9494
generate_output_result(r"device_manager\device_manager.py", "device_manager_device_manager.txt")
9595

96+
generate_output_result(r"etw\etw_enumeration.py", "etw_etw_enumeration.txt")
97+
generate_output_result(r"etw\uac_trace.py", "etw_uac_trace.txt")
9698

9799
# Require ADMIN / NotAdmin run
98100
# generate_output_result(r"security\query_sacl.py", "security_query_sacl.txt")
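Review bot: the two new generate_output_result calls for etw\etw_enumeration.py and etw\uac_trace.py sit above the "# Require ADMIN / NotAdmin run" block, yet uac_trace.py starts its own ETW session (its output reports recording to <uac.trace> under a session named <MY_UAC_MONITOR>), and starting a trace session normally requires an elevated account or membership in Performance Log Users. Consider moving that call under the admin-only block, or extending the comment to say that sample generation must be run elevated, so a non-admin run of generate_samples.py fails at a documented point rather than on this line.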

docs/source/etw.rst

Lines changed: 48 additions & 0 deletions
@@ -0,0 +1,48 @@
1+
ETW -- Event Tracing for Windows
2+
================================
3+
4+
.. module:: windows.winobject.event_trace
5+
6+
The :class:`EtwManager` instance is accessible via :py:attr:`windows.system.etw
7+
<windows.winobject.system.System.etw>`
8+
9+
.. note::
10+
11+
This code is the result of my research on ``ETW`` that lead to this presentation `ETW for the lazy reverser (FR) <https://www.rump.beer/2019/slides/etw_lazy_reverser.pdf>`_
12+
13+
14+
.. note::
15+
16+
See sample :ref:`sample_etw`
17+
18+
19+
EtwManager
20+
""""""""""
21+
22+
23+
.. autoclass:: EtwManager
24+
:members:
25+
26+
27+
Tracing Events
28+
""""""""""""""
29+
30+
EtwTrace
31+
''''''''
32+
33+
.. autoclass:: EtwTrace
34+
:members:
35+
36+
37+
EventTraceProperties
38+
''''''''''''''''''''
39+
40+
.. autoclass:: EventTraceProperties
41+
:members:
42+
43+
EventRecord
44+
'''''''''''
45+
46+
.. autoclass:: EventRecord
47+
:members:
48+
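Review bot: typo in the first note (line 11): "that lead to this presentation" should read "that led to this presentation", and the sentence introducing :class:`EtwManager` (lines 6-7) has no terminating period after the closing backtick of the :py:attr: reference. The heading hierarchy otherwise matches sample.rst (= for the page title, " for EtwManager and Tracing Events, ' for the per-class subsections), so no change needed there.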

docs/source/evtlog.rst

Lines changed: 3 additions & 0 deletions
@@ -10,6 +10,9 @@ I have tried to offer some abstraction without completly hidding the some underl
1010

1111
The current API may need some works to provide simpler/highter level API in the future.
1212

13+
The :class:`EvtlogManager` instance is accessible via :py:attr:`windows.system.event_log
14+
<windows.winobject.system.System.event_log>`
15+
1316
For now, the best thing to do is look at the sample:
1417

1518
.. note::
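Review bot: the added sentence (lines 13-14) ends without a period after the :py:attr: reference; the identical sentence in etw.rst has the same omission, so fix both together. Since this paragraph is being edited anyway, the pre-existing typos in the surrounding context, "completly hidding the some" in the hunk header and "some works" / "highter" on line 11, could be corrected in the same commit ("completely hiding some", "some work", "higher").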

docs/source/index.rst

Lines changed: 8 additions & 4 deletions
@@ -34,15 +34,19 @@ You can install PythonForWindows using the ``setup.py`` at the root of the proje
3434

3535
python setup.py install
3636

37-
In its current state the project only support Python2 and
38-
``setup.py`` will raise an :class:`NotImplementedError` if launched from python3.
39-
40-
4137
.. warning::
4238

4339
PythonForWindows is not available on Pypi for now and thus cannot be directly installed using ``pip``.
4440

4541

42+
Python3
43+
^^^^^^^
44+
45+
python3 support is still in beta.
46+
All the tests pass on master, but I did not test it heavily on real case.
47+
Do not hesitate report bugs and issues.
48+
49+
4650
Documentation
4751
"""""""""""""
4852

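Review bot: grammar in the new Python3 section: "Do not hesitate report bugs and issues." is missing "to" ("Do not hesitate to report bugs and issues."), "python3 support" should be capitalised at the start of the sentence, and "on real case" reads better as "on real cases". Separately, removing lines 37-38 drops the statement that ``setup.py`` raises :class:`NotImplementedError` under Python 3; this commit touches only docs and samples (per its message), so confirm that setup.py no longer raises before publishing, otherwise the install section contradicts what the installer actually does.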
docs/source/sample.rst

Lines changed: 24 additions & 0 deletions
@@ -669,3 +669,27 @@ Query SACL
669669
Output
670670

671671
.. literalinclude:: samples_output\security_query_sacl.txt
672+
673+
674+
.. _sample_etw:
675+
676+
ETW (Event Tracing for Windows)
677+
"""""""""""""""""""""""""""""""
678+
679+
Trace processing
680+
''''''''''''''''
681+
682+
.. literalinclude:: ..\..\samples\etw\uac_trace.py
683+
684+
Output
685+
686+
.. literalinclude:: samples_output\etw_uac_trace.txt
687+
688+
Enumeration
689+
'''''''''''
690+
691+
.. literalinclude:: ..\..\samples\etw\etw_enumeration.py
692+
693+
Output
694+
695+
.. literalinclude:: samples_output\etw_etw_enumeration.txt
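Review bot: the new literalinclude paths (lines 682, 686, 691, 695) use backslashes (..\..\samples\etw\uac_trace.py, samples_output\etw_uac_trace.txt). Sphinx resolves these relative to the source file, and only Windows treats a backslash as a path separator, so a docs build on Linux (a ReadTheDocs or CI job, for example) will not find the files. The pre-existing line 671 has the same problem, but the lines added here should use forward slashes (../../samples/etw/uac_trace.py, samples_output/etw_uac_trace.txt), which resolve on both platforms.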
Lines changed: 28 additions & 0 deletions
@@ -0,0 +1,28 @@
1+
(cmd) python etw\etw_enumeration.py
2+
ETW Manager is: <windows.winobject.event_trace.EtwManager object at 0x03AFBF70>
3+
4+
Listing some ETW sessions:
5+
* <EventTraceProperties name="AppModel" guid=A922A8BE-2450-438E-9520-FBCDFB46B0BD>
6+
* name: AppModel
7+
* guid: A922A8BE-2450-438E-9520-FBCDFB46B0BD
8+
* id: 4
9+
* logfile:
10+
* <EventTraceProperties name="LwtNetLog" guid=603BA31E-EC5A-4CDE-BE87-ED0A16C3B170>
11+
* name: LwtNetLog
12+
* guid: 603BA31E-EC5A-4CDE-BE87-ED0A16C3B170
13+
* id: 14
14+
* logfile: C:\WINDOWS\System32\LogFiles\WMI\LwtNetLog.etl
15+
16+
Looking for providers for: <EventTraceProperties name="LwtNetLog" guid=603BA31E-EC5A-4CDE-BE87-ED0A16C3B170>
17+
Found a provider/session for target:
18+
* Provider: <TraceProvider for "43D1A55C-76D6-4F7E-995C-64C711E5CAFE">
19+
* Instance: <TraceProviderInstanceInfo Pid=5256 EnableCount=1>
20+
* Process: <WinProcess "RuntimeBroker.exe" pid 5256 at 0x54c39d0>
21+
Found a provider/session for target:
22+
* Provider: <TraceProvider for "43D1A55C-76D6-4F7E-995C-64C711E5CAFE">
23+
* Instance: <TraceProviderInstanceInfo Pid=10768 EnableCount=1>
24+
* Process: <WinProcess "chrome.exe" pid 10768 at 0x54c3930>
25+
Found a provider/session for target:
26+
* Provider: <TraceProvider for "43D1A55C-76D6-4F7E-995C-64C711E5CAFE">
27+
* Instance: <TraceProviderInstanceInfo Pid=10236 EnableCount=1>
28+
* Process: <WinProcess "YourPhone.exe" pid 10236 at 0x54c37d0>
Lines changed: 53 additions & 0 deletions
@@ -0,0 +1,53 @@
1+
(cmd) python etw\uac_trace.py
2+
Recording UAC event in file <uac.trace> using session named <MY_UAC_MONITOR>
3+
0x1d65bb1febaceea: <EventRecord provider="68FDD900-4A3E-11D1-84F4-0000F80464E3" id=0>
4+
guid: 68FDD900-4A3E-11D1-84F4-0000F80464E3
5+
id: 0
6+
opcode: 0
7+
level: 0
8+
data: '\x01\n\x01\x05\xbbG\x04-D\xd5\xff\xb1[\xd6\x01Zb\x02\t\x01\x04\xf0\x0c\t\x06\xc4\xff\xff\xff@tzres.dll,-302\n\x05\x03@tzres.dll,-301\x03\x05\x02\xc4\xff\xff\xff\xc0\x92\x1c\xd2D[\xd6\x01\x80\x96\x98\xea\xce\xba\xfe\xb1[\xd6\x01\x01MY_UAC_MONITORC:\\Users\\hakril\\Documents\\projets\\PythonForWindows\\samples\\uac.trace'
9+
[...]
10+
0x1d65bb1fec4c011: <EventRecord provider="DEB74A23-5444-3F3B-924B-0E653973F55A" id=11>
11+
guid: DEB74A23-5444-3F3B-924B-0E653973F55A
12+
id: 11
13+
opcode: 0
14+
level: 0
15+
data: '\x9e\x06\x04\x19\x14\x04\x08\x04\xff\xff\xff\xffWinSta0\\DefaultC:\\Windows\\System32\\mmc.exe"C:\\Windows\\System32\\mmc.exe" BAD_MMC_FILENAMEC:\\Users\\hakril\\Documents\\projets\\PythonForWindows\\samples'
16+
0x1d65bb1fec4e48b: <EventRecord provider="C0B508D3-5459-339F-A213-889C238CA5B1" id=10>
17+
guid: C0B508D3-5459-339F-A213-889C238CA5B1
18+
id: 10
19+
opcode: 0
20+
level: 0
21+
data: 'C:\\WINDOWS\\SysWOW64\\mmc.exe"C:\\WINDOWS\\SysWOW64\\mmc.exe" BAD_MMC_FILENAME` '
22+
0x1d65bb1fec7c8eb: <EventRecord provider="C0B508D3-5459-339F-A213-889C238CA5B1" id=13>
23+
guid: C0B508D3-5459-339F-A213-889C238CA5B1
24+
id: 13
25+
opcode: 0
26+
level: 0
27+
data: 'C:\\WINDOWS\\SysWOW64\\mmc.exe'
28+
0x1d65bb1fec7c8f0: <EventRecord provider="C0B508D3-5459-339F-A213-889C238CA5B1" id=14>
29+
guid: C0B508D3-5459-339F-A213-889C238CA5B1
30+
id: 14
31+
opcode: 0
32+
level: 0
33+
data: '"C:\\WINDOWS\\SysWOW64\\mmc.exe" BAD_MMC_FILENAME'
34+
[...]
35+
0x1d65bb1feca018d: <EventRecord provider="172FF31C-2D80-31A6-FCA8-EB000D380666" id=11>
36+
guid: 172FF31C-2D80-31A6-FCA8-EB000D380666
37+
id: 11
38+
opcode: 0
39+
level: 0
40+
data: 'C:\\WINDOWS\\SysWOW64\\mmc.exe'
41+
0x1d65bb1feca030d: <EventRecord provider="172FF31C-2D80-31A6-FCA8-EB000D380666" id=25>
42+
guid: 172FF31C-2D80-31A6-FCA8-EB000D380666
43+
id: 25
44+
opcode: 0
45+
level: 0
46+
data: 'C:\\WINDOWS\\SysWOW64\\mmc.exe\x08\x02TRUEFALSE\x10'
47+
0x1d65bb1fecfcdc0: <EventRecord provider="172FF31C-2D80-31A6-FCA8-EB000D380666" id=27>
48+
guid: 172FF31C-2D80-31A6-FCA8-EB000D380666
49+
id: 27
50+
opcode: 0
51+
level: 0
52+
data: '\x05TRUETRUE'
53+
[...]
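Review bot: the committed output embeds the author's local username and checkout path in the first record's data ('C:\\Users\\hakril\\Documents\\projets\\PythonForWindows\\samples\\uac.trace', and again in the id=11 record from provider DEB74A23-5444-3F3B-924B-0E653973F55A). Because this file ships with the published docs, consider regenerating it from a neutral directory or trimming those data fields. It would also help readers to point out, in the sample or its docs, that the first record (provider 68FDD900-4A3E-11D1-84F4-0000F80464E3, id 0) is the trace's own header event, which is why its payload carries the session name MY_UAC_MONITOR and the log file path rather than UAC activity, and that the remaining data fields are raw, undecoded event payloads.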
