пятница, 1 сентября 2017 г.

ETW private loggers

as you know ordinary etw loggers can be checked in compmgmt.msc\performance\data collector sets\event trace sessions
But private etw sessions cannot be showed in compmgmt.msc
Actually all private sessions stored in ntdll!EtwpLoggerArray. This array has size of 0x40 items (see allocation in function EtwpGetNextAvailableLoggerId) and looks like:

EtwpLoggerArray: 000000000524D380
00000000  01 00 00 00-00 00 00 00|01 00 00 00-00 00 00 00  ................
00000010  01 00 00 00-00 00 00 00|01 00 00 00-00 00 00 00  ................
00000020  01 00 00 00-00 00 00 00|01 00 00 00-00 00 00 00  ................
00000030  01 00 00 00-00 00 00 00|01 00 00 00-00 00 00 00  ................
00000040  80 6D 2B 05-01 00 00 00|01 00 00 00-00 00 00 00  Ђm+.............
00000050  01 00 00 00-00 00 00 00|01 00 00 00-00 00 00 00  ................
00000060  01 00 00 00-00 00 00 00|01 00 00 00-00 00 00 00  ................
00000070  01 00 00 00-00 00 00 00|01 00 00 00-00 00 00 00  ................
00000080  01 00 00 00-00 00 00 00|01 00 00 00-00 00 00 00  ................
00000090  01 00 00 00-00 00 00 00|01 00 00 00-00 00 00 00  ................
000000A0  01 00 00 00-00 00 00 00|01 00 00 00-00 00 00 00  ................


We have one private logger context here at 0x52B6D80. Size of context is different:
  • 0x228 on w10
  • 0x220 on w8.1
  • 0x210 on w8
also struсt of context is different and can be partially recovered from function EtwpInitLoggerContext:

typedef struct _etw_private_logger_ctx
{
/*  x86   x64 offsets */
#ifdef _WIN64
      /* 0x0  */  DWORD head[14];
#else
/* 0x0  */        DWORD head[12];
#endif /* _WIN64 */
/* 0x30  0x38 */ IID trace_IID;
/* 0x40  0x48 */ PVOID unk1;
/* 0x44  0x50 */ PVOID unk2;
/* 0x48  0x58 */ RTL_CRITICAL_SECTION cs;
/* 0x60  0x80 */ HANDLE handle1;
/* 0x64  0x88 */ HANDLE handle2;
/* 0x68  0x90 */ PVOID unk;
/* 0x6c  0x98 */ UNICODE_STRING name;
/* 0x74  0xa8 */ UNICODE_STRING fname;

// other fields are emitted
} etw_private_logger_ctx, *petw_private_logger_ctx;


sample of output fromSkyDrive:
  logger context at 00000000052B6D80:
00000000  D3 4D 40 D1-36 23 D3 01|D3 4D 40 D1-36 23 D3 01  УM@С6#У.УM@С6#У.
00000010  02 00 00 00-08 00 00 00|C8 0C 00 00-CC 03 00 00  ........И...М...
00000020  00 00 00 00-00 00 12 C0|00 00 0D C0-FF FF 00 00  .......А...Аяя..
00000030  4A 62 0F 9C-76 D2 4D 40|86 7F D0 9F-D2 59 6B 53  Jb.њvТM@†РџТYkS
00000040  01 00 00 00-00 00 00 00|FF FF FF FF-FF FF FF FF  ........яяяяяяяя
00000050  00 00 00 00-00 00 00 00|00 00 00 00-00 00 00 00  ................
00000060  1C 04 00 00-20 04 00 00|24 04 00 00-40 00 42 00  .... ...$...@.B.
00000070  C0 A6 24 05-AE 00 B0 00|08 9D 29 05-00 00 00 00  А¦$.®.°..ќ).....
00000080  00 00 00 00-00 00 00 00|01 00 00 00-00 10 00 00  ................
00000090  B8 0F 00 00-18 00 00 00|02 00 00 00-02 00 00 00  ё...............
000000A0  01 00 00 00-38 00 01 05|38 10 01 05-34 6E 2B 05  ....8...8...4n+.
000000B0  20 10 01 05-20 10 01 05|40 6E 2B 05-40 6E 2B 05   ... ...@n+.@n+.
000000C0  00 00 00 00-4C 6E 2B 05|4C 6E 2B 05-00 00 00 00  ....Ln+.Ln+.....
000000D0  0A 00 00 00-02 08 02 00|01 00 00 00-10 00 00 00  ................
000000E0  01 00 00 00-00 00 00 00|00 00 00 00-00 00 00 00  ................
000000F0  00 10 00 00-00 00 00 00|00 10 00 00-00 00 00 00  ................
00000100  00 00 00 00-00 00 00 00|00 00 00 00-00 00 00 00  ................
00000110  00 00 00 00-00 00 00 00|01 00 00 00-00 00 00 00  ................
00000120  00 00 00 00-00 00 00 00|02 00 00 00-00 00 00 00  ................
00000130  00 00 01 05-00 00 00 00|00 00 00 00-00 00 00 00  ................
00000140  00 00 00 00-00 00 00 00|00 00 00 00-D8 CA 25 05  ............ШК%.
00000150  D8 CA 25 05-D4 6E 2B 05|D4 6E 2B 05-00 00 00 00  ШК%.Фn+.Фn+.....
00000160  00 00 00 00-00 00 00 00|F0 87 25 05-00 00 00 00  ........р‡%.....
00000170  00 00 00 00-00 00 01 05                          ........

   name: Microsoft SkyDrive Trace Session
   fname: C:\Users\redp\AppData\Local\Microsoft\OneDrive\logs\Personal\TraceCurrent.6982.0821.etl
   flags: 20802
   IID: {9C0F624A-D276-404D-867F-D09FD2596B53}

Комментариев нет:

Отправить комментарий