Friday, April 21, 2017

etwex - IDA plugin for searching ETW trace IIDs

For example, you may need to find which ETW providers are located in some module. There are lots of functions that can be used to register a provider, and searching for them by hand is very boring.
So today I committed code for an IDA Pro plugin that searches for ETW trace IIDs. It currently supports only 32-bit PE files (results are much better if you load the appropriate PDB file) and processes the following functions:
  • TraceLoggingRegister
  • TraceLoggingRegisterEx
  • WPP_INIT_GUID_ARRAY
  • EtwRegister from import
  • EtwEventRegister from import
  • EventRegister from import
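The import-based cases above (EtwRegister, EtwEventRegister, EventRegister) all follow the same 32-bit stdcall pattern: the provider GUID pointer is the first argument, so it is the last `push` before the `call dword ptr [__imp_...]`. The script below is an added illustration of that idea and is not part of the etwex plugin or IDA; it builds a constructed mini "image" (code bytes, a data section holding two GUIDs copied from the sample output, and an IAT map) and then resolves each matching call to the GUID it registers. The image layout, the IAT slot addresses and the byte-pattern matcher (`FF 15 imm32` preceded by `68 imm32`) are assumptions for the demo; a real plugin would use IDA's xrefs and decoder instead of a linear byte scan.

```python
import struct
import uuid

# Constructed layout for a tiny 32-bit PE-like image (assumption, not a real module).
IMAGE_BASE = 0x10000000
TEXT_VA = IMAGE_BASE + 0x1000   # code section
DATA_VA = IMAGE_BASE + 0x2000   # data section holding provider GUIDs
IAT_VA = IMAGE_BASE + 0x3000    # import address table

# Names keyed by IAT slot address, i.e. what IDA would show as ds:__imp__EtwRegister@16 etc.
IAT = {
    IAT_VA + 0x0: "EtwRegister",
    IAT_VA + 0x4: "EventRegister",
    IAT_VA + 0x8: "SomeOtherImport",   # not a registration function, must be ignored
}

# Two GUIDs copied from the sample output in the post.
PROVIDER_GUID = uuid.UUID("FA386406-8E25-47F7-A03F-413635A55DC0")
TELEMETRY_GUID = uuid.UUID("C6998471-62CD-424D-A9A3-FE4C1FA378A4")
REGISTER_FUNCS = {"EtwRegister", "EtwEventRegister", "EventRegister"}


def build_image():
    """Build constructed code and data bytes that mimic two provider registrations."""
    data = bytearray(0x40)
    # GUIDs are stored on disk in little-endian (Data1..Data3 swapped) form.
    data[0x10:0x20] = PROVIDER_GUID.bytes_le
    data[0x20:0x30] = TELEMETRY_GUID.bytes_le

    code = bytearray()
    # EtwRegister(ProviderId, EnableCallback, CallbackContext, RegHandle), pushed right to left.
    code += b"\x8d\x45\xfc"                                    # lea eax, [ebp-4]   (RegHandle)
    code += b"\x50"                                            # push eax
    code += b"\x6a\x00"                                        # push 0             (CallbackContext)
    code += b"\x6a\x00"                                        # push 0             (EnableCallback)
    code += b"\x68" + struct.pack("<I", DATA_VA + 0x10)        # push offset guid   (ProviderId)
    code += b"\xff\x15" + struct.pack("<I", IAT_VA + 0x0)      # call ds:EtwRegister
    # EventRegister(ProviderId, EnableCallback, CallbackContext, RegHandle), same shape.
    code += b"\x50"                                            # push eax
    code += b"\x6a\x00"                                        # push 0
    code += b"\x6a\x00"                                        # push 0
    code += b"\x68" + struct.pack("<I", DATA_VA + 0x20)        # push offset guid
    code += b"\xff\x15" + struct.pack("<I", IAT_VA + 0x4)      # call ds:EventRegister
    # A call through an unrelated import with an immediate push before it: not a provider.
    code += b"\x68" + struct.pack("<I", DATA_VA + 0x00)        # push offset something
    code += b"\xff\x15" + struct.pack("<I", IAT_VA + 0x8)      # call ds:SomeOtherImport
    code += b"\xc3"                                            # ret
    return bytes(code), bytes(data)


def find_provider_guids(code, code_va, data, data_va, iat):
    """Return (call_va, import_name, guid_string) for each registration call found.

    Simplified matcher: looks for `FF 15 imm32` (call dword ptr [imm32]) whose slot is a
    known registration import, then requires the 5 bytes just before it to be `68 imm32`
    (push imm32), the first argument under stdcall. Resolves the pushed pointer into the
    data section and decodes the 16 bytes there as a little-endian GUID.
    """
    results = []
    i = 0
    while i + 6 <= len(code):
        if code[i] == 0xFF and code[i + 1] == 0x15:
            slot = struct.unpack_from("<I", code, i + 2)[0]
            name = iat.get(slot)
            if name in REGISTER_FUNCS and i >= 5 and code[i - 5] == 0x68:
                ptr = struct.unpack_from("<I", code, i - 4)[0]
                off = ptr - data_va
                if 0 <= off and off + 16 <= len(data):
                    guid = uuid.UUID(bytes_le=data[off:off + 16])
                    results.append((code_va + i, name, str(guid).upper()))
            i += 6          # skip over the call instruction
            continue
        i += 1
    return results


def main():
    code, data = build_image()
    for call_va, name, guid in find_provider_guids(code, TEXT_VA, data, DATA_VA, IAT):
        # Same "address: GUID name" shape as the plugin's sample output.
        print(f"{call_va:08X}: {guid} {name}")


if __name__ == "__main__":
    main()
```

The linear byte scan is the weak spot: x86 is variable-length, so on real code a `FF 15` pair inside another instruction's immediate can produce a false match, and the first argument may be loaded with `mov`/`lea` rather than `push imm32`. In IDA you would instead take the xrefs of the import and decode the instructions preceding each call.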
Sample output:

twinui.dll
10086A04: FA386406-8E25-47F7-A03F-413635A55DC0 TwinUITraceLoggingProvider
_WPP_INIT_GUID_ARRAY@4 at 10224CC3
10088A40: 922771A3-305B-4375-9285-F734E8381CE3 _WPP_ThisDir_CTLGUID_APPPOS
10089150: 7C4A90A3-5BF4-4185-82E0-C073AC7F7007 _WPP_ThisDir_CTLGUID_AUTOPLAYLIB
10088390: F9A92EFE-77C3-4D19-8B00-1EE9E7CBE8C1 _WPP_ThisDir_CTLGUID_SHAREANDDEVICESLIB
10087E00: B22CFA4C-B683-4B89-A0D1-295300055D84 _WPP_ThisDir_CTLGUID_MTCUILIB
10087FB0: A1B23CA8-75BC-48B1-9AA6-BAC320C2DE2E _WPP_ThisDir_CTLGUID_BACKSTACKMUSICPLAYLIB
10087F10: 0A6EAEEE-4B93-43B1-B7D7-4ED7F8403A24 _WPP_ThisDir_CTLGUID_NOWPLAYINGSESSIONMANAGER

dxgkrnl.sys
49336: 703FCC13-B66F-5868-DDD9-E2DB7F381FFB Microsoft.Windows.TlgAggregateInternal
492FF: C6998471-62CD-424D-A9A3-FE4C1FA378A4 DxgKrnlTelemetry
492AF: 221D444C-D07E-4FDE-B425-15B746CF535B Microsoft.Windows.Graphics.DxgDiagnostics
