Repository: jsecurity101/JonMon
Branch: main
Commit: ce5de1c7c647
Files: 87
Total size: 1.4 MB
Directory structure:
gitextract_k5_9flv0/
├── .github/
│   └── ISSUE_TEMPLATE/
│       ├── bug_report.md
│       └── feature_request.md
├── .gitignore
├── Extensions/
│   └── Extension1/
│       └── JonMon-Ext1/
│           ├── JonMon-Ext1.vcxproj
│           ├── dllmain.cpp
│           ├── dllmain.h
│           ├── framework.h
│           ├── pch.cpp
│           └── pch.h
├── JonMon/
│   ├── JonMon.sln
│   ├── JonMon.vcxproj
│   ├── callbacks.cpp
│   ├── callbacks.h
│   ├── driver.cpp
│   ├── driver.h
│   ├── jtime.h
│   ├── minifilter.cpp
│   ├── minifilter.h
│   ├── process.cpp
│   ├── process.h
│   ├── registry.cpp
│   ├── registry.h
│   └── shared.h
├── JonMon-Service/
│   ├── JonMon-Service.vcxproj
│   ├── JonMonService.cpp
│   ├── config.cpp
│   ├── config.h
│   ├── context.cpp
│   ├── context.h
│   ├── etwMain.cpp
│   ├── etwMain.h
│   ├── global.h
│   ├── service.cpp
│   └── service.h
├── JonMonConfig.json
├── JonMonProvider/
│   ├── jonmon.h
│   ├── jonmon.man
│   ├── jonmon.rc
│   └── jonmon.res
├── LICENSE
├── Libs/
│   └── nlohmann/
│       ├── adl_serializer.hpp
│       ├── byte_container_with_subtype.hpp
│       ├── detail/
│       │   ├── abi_macros.hpp
│       │   ├── conversions/
│       │   │   ├── from_json.hpp
│       │   │   ├── to_chars.hpp
│       │   │   └── to_json.hpp
│       │   ├── exceptions.hpp
│       │   ├── hash.hpp
│       │   ├── input/
│       │   │   ├── binary_reader.hpp
│       │   │   ├── input_adapters.hpp
│       │   │   ├── json_sax.hpp
│       │   │   ├── lexer.hpp
│       │   │   ├── parser.hpp
│       │   │   └── position_t.hpp
│       │   ├── iterators/
│       │   │   ├── internal_iterator.hpp
│       │   │   ├── iter_impl.hpp
│       │   │   ├── iteration_proxy.hpp
│       │   │   ├── iterator_traits.hpp
│       │   │   ├── json_reverse_iterator.hpp
│       │   │   └── primitive_iterator.hpp
│       │   ├── json_custom_base_class.hpp
│       │   ├── json_pointer.hpp
│       │   ├── json_ref.hpp
│       │   ├── macro_scope.hpp
│       │   ├── macro_unscope.hpp
│       │   ├── meta/
│       │   │   ├── call_std/
│       │   │   │   ├── begin.hpp
│       │   │   │   └── end.hpp
│       │   │   ├── cpp_future.hpp
│       │   │   ├── detected.hpp
│       │   │   ├── identity_tag.hpp
│       │   │   ├── is_sax.hpp
│       │   │   ├── std_fs.hpp
│       │   │   ├── type_traits.hpp
│       │   │   └── void_t.hpp
│       │   ├── output/
│       │   │   ├── binary_writer.hpp
│       │   │   ├── output_adapters.hpp
│       │   │   └── serializer.hpp
│       │   ├── string_concat.hpp
│       │   ├── string_escape.hpp
│       │   └── value_t.hpp
│       ├── json.hpp
│       ├── json_fwd.hpp
│       ├── ordered_map.hpp
│       └── thirdparty/
│           └── hedley/
│               ├── hedley.hpp
│               └── hedley_undef.hpp
├── README.md
└── deployment/
    └── Azure/
        └── README.md
================================================
FILE CONTENTS
================================================
================================================
FILE: .github/ISSUE_TEMPLATE/bug_report.md
================================================
---
name: Bug report
about: Report an issue within the JonMon code
title: ''
labels: bug
assignees: jsecurity101
---
**Describe the bug**
A clear and concise description of what the bug is.
**To Reproduce**
Steps to reproduce the behavior:
1. Go to '...'
2. Click on '....'
3. Scroll down to '....'
4. See error
**Expected behavior**
A clear and concise description of what you expected to happen.
**Screenshots**
If applicable, add screenshots to help explain your problem.
**Desktop (please complete the following information):**
- OS Build [e.g. 22621.2283]
**Additional context**
Add any other context about the problem here.
## Please include a dump file if applicable
================================================
FILE: .github/ISSUE_TEMPLATE/feature_request.md
================================================
---
name: Feature request
about: Suggest an idea for this project
title: ''
labels: enhancement
assignees: jsecurity101
---
**Is your feature request related to a problem? Please describe.**
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
**Describe the solution you'd like**
A clear and concise description of what you want to happen.
**Describe alternatives you've considered**
A clear and concise description of any alternative solutions or features you've considered.
**Additional context**
Add any other context or screenshots about the feature request here.
================================================
FILE: .gitignore
================================================
# Created by https://www.toptal.com/developers/gitignore/api/visualstudio
# Edit at https://www.toptal.com/developers/gitignore?templates=visualstudio
### VisualStudio ###
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
##
## Get latest from https://github.com/github/gitignore/blob/main/VisualStudio.gitignore
# User-specific files
*.rsuser
*.suo
*.user
*.userosscache
*.sln.docstates
# User-specific files (MonoDevelop/Xamarin Studio)
*.userprefs
# Mono auto generated files
mono_crash.*
# Build results
[Dd]ebug/
[Dd]ebugPublic/
[Rr]elease/
[Rr]eleases/
x64/
x86/
[Ww][Ii][Nn]32/
[Aa][Rr][Mm]/
[Aa][Rr][Mm]64/
bld/
[Bb]in/
[Oo]bj/
[Ll]og/
[Ll]ogs/
# Visual Studio 2015/2017 cache/options directory
.vs/
# Uncomment if you have tasks that create the project's static files in wwwroot
#wwwroot/
# Visual Studio 2017 auto generated files
Generated\ Files/
# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*
# NUnit
*.VisualState.xml
TestResult.xml
nunit-*.xml
# Build Results of an ATL Project
[Dd]ebugPS/
[Rr]eleasePS/
dlldata.c
# Benchmark Results
BenchmarkDotNet.Artifacts/
# .NET Core
project.lock.json
project.fragment.lock.json
artifacts/
# ASP.NET Scaffolding
ScaffoldingReadMe.txt
# StyleCop
StyleCopReport.xml
# Files built by Visual Studio
*_i.c
*_p.c
*_h.h
*.ilk
*.meta
*.obj
*.iobj
*.pch
*.pdb
*.ipdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*_wpftmp.csproj
*.log
*.tlog
*.vspscc
*.vssscc
.builds
*.pidb
*.svclog
*.scc
# Chutzpah Test files
_Chutzpah*
# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opendb
*.opensdf
*.sdf
*.cachefile
*.VC.db
*.VC.VC.opendb
# Visual Studio profiler
*.psess
*.vsp
*.vspx
*.sap
# Visual Studio Trace Files
*.e2e
# TFS 2012 Local Workspace
$tf/
# Guidance Automation Toolkit
*.gpState
# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
*.DotSettings.user
# TeamCity is a build add-in
_TeamCity*
# DotCover is a Code Coverage Tool
*.dotCover
# AxoCover is a Code Coverage Tool
.axoCover/*
!.axoCover/settings.json
# Coverlet is a free, cross platform Code Coverage Tool
coverage*.json
coverage*.xml
coverage*.info
# Visual Studio code coverage results
*.coverage
*.coveragexml
# NCrunch
_NCrunch_*
.*crunch*.local.xml
nCrunchTemp_*
# MightyMoose
*.mm.*
AutoTest.Net/
# Web workbench (sass)
.sass-cache/
# Installshield output folder
[Ee]xpress/
# DocProject is a documentation generator add-in
DocProject/buildhelp/
DocProject/Help/*.HxT
DocProject/Help/*.HxC
DocProject/Help/*.hhc
DocProject/Help/*.hhk
DocProject/Help/*.hhp
DocProject/Help/Html2
DocProject/Help/html
# Click-Once directory
publish/
# Publish Web Output
*.[Pp]ublish.xml
*.azurePubxml
# Note: Comment the next line if you want to checkin your web deploy settings,
# but database connection strings (with potential passwords) will be unencrypted
*.pubxml
*.publishproj
# Microsoft Azure Web App publish settings. Comment the next line if you want to
# checkin your Azure Web App publish settings, but sensitive information contained
# in these scripts will be unencrypted
PublishScripts/
# NuGet Packages
*.nupkg
# NuGet Symbol Packages
*.snupkg
# The packages folder can be ignored because of Package Restore
**/[Pp]ackages/*
# except build/, which is used as an MSBuild target.
!**/[Pp]ackages/build/
# Uncomment if necessary however generally it will be regenerated when needed
#!**/[Pp]ackages/repositories.config
# NuGet v3's project.json files produces more ignorable files
*.nuget.props
*.nuget.targets
# Microsoft Azure Build Output
csx/
*.build.csdef
# Microsoft Azure Emulator
ecf/
rcf/
# Windows Store app package directories and files
AppPackages/
BundleArtifacts/
Package.StoreAssociation.xml
_pkginfo.txt
*.appx
*.appxbundle
*.appxupload
# Visual Studio cache files
# files ending in .cache can be ignored
*.[Cc]ache
# but keep track of directories ending in .cache
!?*.[Cc]ache/
# Others
ClientBin/
~$*
*~
*.dbmdl
*.dbproj.schemaview
*.jfm
*.pfx
*.publishsettings
orleans.codegen.cs
# Including strong name files can present a security risk
# (https://github.com/github/gitignore/pull/2483#issue-259490424)
#*.snk
# Since there are multiple workflows, uncomment next line to ignore bower_components
# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
#bower_components/
# RIA/Silverlight projects
Generated_Code/
# Backup & report files from converting an old project file
# to a newer Visual Studio version. Backup files are not needed,
# because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm
ServiceFabricBackup/
*.rptproj.bak
# SQL Server files
*.mdf
*.ldf
*.ndf
# Business Intelligence projects
*.rdl.data
*.bim.layout
*.bim_*.settings
*.rptproj.rsuser
*- [Bb]ackup.rdl
*- [Bb]ackup ([0-9]).rdl
*- [Bb]ackup ([0-9][0-9]).rdl
# Microsoft Fakes
FakesAssemblies/
# GhostDoc plugin setting file
*.GhostDoc.xml
# Node.js Tools for Visual Studio
.ntvs_analysis.dat
node_modules/
# Visual Studio 6 build log
*.plg
# Visual Studio 6 workspace options file
*.opt
# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
*.vbw
# Visual Studio 6 auto-generated project file (contains which files were open etc.)
*.vbp
# Visual Studio 6 workspace and project file (working project files containing files to include in project)
*.dsw
*.dsp
# Visual Studio 6 technical files
# Visual Studio LightSwitch build output
**/*.HTMLClient/GeneratedArtifacts
**/*.DesktopClient/GeneratedArtifacts
**/*.DesktopClient/ModelManifest.xml
**/*.Server/GeneratedArtifacts
**/*.Server/ModelManifest.xml
_Pvt_Extensions
# Paket dependency manager
.paket/paket.exe
paket-files/
# FAKE - F# Make
.fake/
# CodeRush personal settings
.cr/personal
# Python Tools for Visual Studio (PTVS)
__pycache__/
*.pyc
# Cake - Uncomment if you are using it
# tools/**
# !tools/packages.config
# Tabs Studio
*.tss
# Telerik's JustMock configuration file
*.jmconfig
# BizTalk build output
*.btp.cs
*.btm.cs
*.odx.cs
*.xsd.cs
# OpenCover UI analysis results
OpenCover/
# Azure Stream Analytics local run output
ASALocalRun/
# MSBuild Binary and Structured Log
*.binlog
# NVidia Nsight GPU debugger configuration file
*.nvuser
# MFractors (Xamarin productivity tool) working folder
.mfractor/
# Local History for Visual Studio
.localhistory/
# Visual Studio History (VSHistory) files
.vshistory/
# BeatPulse healthcheck temp database
healthchecksdb
# Backup folder for Package Reference Convert tool in Visual Studio 2017
MigrationBackup/
# Ionide (cross platform F# VS Code tools) working folder
.ionide/
# Fody - auto-generated XML schema
FodyWeavers.xsd
# VS Code files for those working on multiple tools
.vscode/*
!.vscode/settings.json
!.vscode/tasks.json
!.vscode/launch.json
!.vscode/extensions.json
*.code-workspace
# Local History for Visual Studio Code
.history/
# Windows Installer files from build outputs
*.cab
*.msi
*.msix
*.msm
*.msp
# JetBrains Rider
*.sln.iml
### VisualStudio Patch ###
# Additional files built by Visual Studio
*.vcxproj.*
# End of https://www.toptal.com/developers/gitignore/api/visualstudio
================================================
FILE: Extensions/Extension1/JonMon-Ext1/JonMon-Ext1.vcxproj
================================================
[MSBuild project XML; only element values survived extraction. Settings recoverable from them:]
Configurations: Debug and Release for each of ARM, Win32 and x64
VCProjectVersion 16.0, Keyword Win32Proj, WindowsTargetPlatformVersion 10.0
ProjectGuid {bd72f0c3-dbd8-4ba2-8ff9-7f357f9232b1}, RootNamespace JonMonExt1
All configurations: ConfigurationType DynamicLibrary, PlatformToolset v143, CharacterSet Unicode
Compiler: WarningLevel Level3, precompiled header in Use mode with pch.h (pch.cpp set to Create)
Linker: SubSystem Windows
PreprocessorDefinitions, Win32 Debug: WIN32;_DEBUG;JONMONEXT1_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
PreprocessorDefinitions, Win32 Release: WIN32;NDEBUG;JONMONEXT1_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
PreprocessorDefinitions, ARM and x64: the same Debug/Release sets without WIN32
================================================
FILE: Extensions/Extension1/JonMon-Ext1/dllmain.cpp
================================================
//
// Author: Jonathan Johnson (@jsecurity101)
// JonMon-Ext1.dll. This is the DLL that will be loaded by JonMon-Service.dll and will query threads to see if they are impersonating a token.
//
#include "pch.h"
#include <windows.h>
#include <stdio.h>
#include <TraceLoggingProvider.h>
#include "tlhelp32.h"
#include "sddl.h"
#include "dllmain.h"
#include "../../../JonMonProvider/jonmon.h"
//
// JonMon TraceLogging Provider Information
//
TRACELOGGING_DECLARE_PROVIDER(g_hJonMon);
TRACELOGGING_DEFINE_PROVIDER(g_hJonMon, "JonMon",
    (0xdd82bf6f, 0x5295, 0x4541, 0x96, 0x8d, 0x8c, 0xac, 0x58, 0xe5, 0x72, 0xe4));

BOOL APIENTRY DllMain(HMODULE hModule,
    DWORD ul_reason_for_call,
    LPVOID lpReserved
)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

//
// Returns the integrity level RID of a token (e.g. 0x4000 for System) through
// IntegrityLevel. The value is copied out so it stays valid after the
// TOKEN_MANDATORY_LABEL buffer is released at Exit.
//
DWORD IntegritySID(HANDLE hToken, PDWORD IntegrityLevel) {
    PSID pIntegritySid = NULL;
    PTOKEN_MANDATORY_LABEL pIntegrityLabel = NULL;
    DWORD retValue = 0;
    DWORD dwTokenInfoSize = 0;
    //
    // First call only sizes the buffer
    //
    GetTokenInformation(hToken, TokenIntegrityLevel, NULL, 0, &dwTokenInfoSize);
    if (dwTokenInfoSize == 0)
    {
        printf("GetTokenInformation failed (%lu)\n", GetLastError());
        retValue = 1;
        goto Exit;
    }
    //
    // Allocate memory for the TOKEN_MANDATORY_LABEL structure
    //
    pIntegrityLabel = (PTOKEN_MANDATORY_LABEL)LocalAlloc(LPTR, dwTokenInfoSize);
    if (!pIntegrityLabel)
    {
        printf("Memory allocation failed\n");
        retValue = 1;
        goto Exit;
    }
    //
    // Get the TOKEN_MANDATORY_LABEL structure
    //
    if (!GetTokenInformation(hToken, TokenIntegrityLevel, pIntegrityLabel, dwTokenInfoSize, &dwTokenInfoSize))
    {
        printf("GetTokenInformation failed (%lu)\n", GetLastError());
        retValue = 1;
        goto Exit;
    }
    //
    // The integrity level is the last sub-authority of the label SID
    //
    pIntegritySid = pIntegrityLabel->Label.Sid;
    *IntegrityLevel = *GetSidSubAuthority(pIntegritySid, (DWORD)(UCHAR)(*GetSidSubAuthorityCount(pIntegritySid) - 1));
Exit:
    //
    // Free resources
    //
    if (pIntegrityLabel != NULL)
    {
        LocalFree(pIntegrityLabel);
    }
    return retValue;
}

//
// Resolves the token's user SID to "DOMAIN\user". The caller owns the
// returned string and releases it with LocalFree.
//
DWORD TokenUserName(HANDLE hToken, LPWSTR* pStringSid)
{
    DWORD retValue = 0;
    PTOKEN_USER processTokenUser = NULL;
    DWORD dwTokenInfoSize = 0;
    LPWSTR lpName = NULL;
    LPWSTR lpDomain = NULL;
    DWORD dwNameSize = 0;
    DWORD dwDomainSize = 0;
    SID_NAME_USE eSidType;
    PSID pUserSid = NULL;
    DWORD dwSize = 0;
    GetTokenInformation(hToken, TokenUser, NULL, 0, &dwTokenInfoSize);
    if (dwTokenInfoSize == 0)
    {
        printf("GetTokenInformation failed (%lu)\n", GetLastError());
        retValue = 1;
        goto Exit;
    }
    // Allocate memory for the TOKEN_USER structure
    processTokenUser = (PTOKEN_USER)LocalAlloc(LPTR, dwTokenInfoSize);
    if (processTokenUser == NULL)
    {
        printf("Memory allocation failed\n");
        retValue = 1;
        goto Exit;
    }
    // Get the TOKEN_USER structure
    if (!GetTokenInformation(hToken, TokenUser, processTokenUser, dwTokenInfoSize, &dwTokenInfoSize))
    {
        printf("GetTokenInformation failed (%lu)\n", GetLastError());
        retValue = 1;
        goto Exit;
    }
    // Extract the user SID from the TOKEN_USER structure
    pUserSid = processTokenUser->User.Sid;
    // First call to LookupAccountSid to get the buffer sizes
    LookupAccountSidW(NULL, pUserSid, NULL, &dwNameSize, NULL, &dwDomainSize, &eSidType);
    if (dwNameSize == 0 || dwDomainSize == 0)
    {
        printf("LookupAccountSidW failed (%lu)\n", GetLastError());
        retValue = 1;
        goto Exit;
    }
    // Allocate memory for name and domain
    lpName = (LPWSTR)LocalAlloc(LPTR, dwNameSize * sizeof(WCHAR));
    lpDomain = (LPWSTR)LocalAlloc(LPTR, dwDomainSize * sizeof(WCHAR));
    if (!lpName || !lpDomain)
    {
        printf("Memory allocation failed\n");
        retValue = 1;
        goto Exit;
    }
    // Second call to LookupAccountSid to get the account name
    if (!LookupAccountSidW(NULL, pUserSid, lpName, &dwNameSize, lpDomain, &dwDomainSize, &eSidType))
    {
        printf("LookupAccountSidW failed (%lu)\n", GetLastError());
        retValue = 1;
        goto Exit;
    }
    //
    // Size the "DOMAIN\user" string: both parts, the backslash and the terminator
    //
    dwSize = (DWORD)(wcslen(lpName) + wcslen(lpDomain) + 2);
    *pStringSid = (LPWSTR)LocalAlloc(LPTR, dwSize * sizeof(WCHAR));
    if (*pStringSid == NULL)
    {
        printf("Memory allocation failed\n");
        retValue = 1;
        goto Exit;
    }
    wsprintfW(*pStringSid, L"%s\\%s", lpDomain, lpName);
Exit:
    if (processTokenUser != NULL)
    {
        LocalFree(processTokenUser);
    }
    if (lpName != NULL)
    {
        LocalFree(lpName);
    }
    if (lpDomain != NULL)
    {
        LocalFree(lpDomain);
    }
    return retValue;
}

extern "C" void TokenImpersonationCheck()
{
    TraceLoggingRegister(g_hJonMon);
    //
    // Walk every thread on the system, sleep five seconds, repeat
    //
    while (true)
    {
        //
        // Get snapshot of all threads
        //
        HANDLE hThreadSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
        if (hThreadSnap == INVALID_HANDLE_VALUE)
        {
            printf("CreateToolhelp32Snapshot failed (%lu)\n", GetLastError());
            return;
        }
        //
        // For each thread, attempt to open its token and compare it with the owning process token
        //
        THREADENTRY32 te32;
        te32.dwSize = sizeof(THREADENTRY32);
        if (!Thread32First(hThreadSnap, &te32))
        {
            printf("Thread32First failed (%lu)\n", GetLastError());
            CloseHandle(hThreadSnap);
            return;
        }
        do
        {
            HANDLE hThread = NULL;
            HANDLE hToken = NULL;
            HANDLE processToken = NULL;
            HANDLE pHandle = NULL;
            DWORD retValue = 0;
            TOKEN_STATISTICS tokenStats;
            DWORD dwReturnLength = 0;
            LPWSTR threadTokenUser = NULL;
            LPWSTR processTokenUser = NULL;
            DWORD threadIntegrityLevel = 0;
            DWORD processIntegrityLevel = 0;
            SYSTEMTIME st;
            //
            // OpenThread with THREAD_QUERY_INFORMATION access right
            //
            hThread = OpenThread(THREAD_QUERY_INFORMATION, FALSE, te32.th32ThreadID);
            if (hThread == NULL)
            {
                goto Exit;
            }
            //
            // A thread only has a token of its own while it is impersonating;
            // OpenThreadToken fails for every other thread, so those are skipped
            //
            if (!OpenThreadToken(hThread, TOKEN_QUERY, FALSE, &hToken))
            {
                goto Exit;
            }
            retValue = IntegritySID(hToken, &threadIntegrityLevel);
            if (retValue != 0)
            {
                goto Exit;
            }
            if (!GetTokenInformation(hToken, TokenStatistics, &tokenStats, sizeof(TOKEN_STATISTICS), &dwReturnLength))
            {
                printf("GetTokenInformation failed (%lu)\n", GetLastError());
                goto Exit;
            }
            retValue = TokenUserName(hToken, &threadTokenUser);
            if (retValue != 0 || threadTokenUser == NULL)
            {
                goto Exit;
            }
            //
            // Only Impersonation and Delegation level tokens let the thread act as the user;
            // Anonymous and Identification tokens are ignored
            //
            if (tokenStats.ImpersonationLevel != SecurityImpersonation && tokenStats.ImpersonationLevel != SecurityDelegation)
            {
                goto Exit;
            }
            pHandle = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, te32.th32OwnerProcessID);
            if (pHandle == NULL) {
                printf("OpenProcess failed (%lu), ProcessID: %lu\n", GetLastError(), te32.th32OwnerProcessID);
                goto Exit;
            }
            if (!OpenProcessToken(pHandle, TOKEN_QUERY, &processToken)) {
                printf("OpenProcessToken failed (%lu) ProcessId: %lu\n", GetLastError(), te32.th32OwnerProcessID);
                goto Exit;
            }
            retValue = IntegritySID(processToken, &processIntegrityLevel);
            if (retValue != 0)
            {
                printf("IntegritySID failed (%lu)\n", GetLastError());
                goto Exit;
            }
            retValue = TokenUserName(processToken, &processTokenUser);
            if (retValue != 0 || processTokenUser == NULL)
            {
                goto Exit;
            }
            //
            // Report when a process that is not System integrity (SECURITY_MANDATORY_SYSTEM_RID,
            // 0x4000 = 16384) has a thread running as a different user than the process itself
            //
            if ((processIntegrityLevel != SECURITY_MANDATORY_SYSTEM_RID) && (wcscmp(processTokenUser, threadTokenUser) != 0))
            {
                GetSystemTime(&st);
                TraceLoggingWrite(
                    g_hJonMon,
                    "16",
                    TraceLoggingInt32(16, "EventID"),
                    TraceLoggingUInt32(te32.th32ThreadID, "ThreadID"),
                    TraceLoggingUInt32(te32.th32OwnerProcessID, "ProcessID"),
                    TraceLoggingUInt32(threadIntegrityLevel, "ThreadIntegrityLevel"),
                    TraceLoggingSystemTime(st, "EventTime"),
                    TraceLoggingWideString(threadTokenUser, "ImpersonatedUser")
                );
            }
        Exit:
            if (threadTokenUser != NULL)
            {
                LocalFree(threadTokenUser);
                threadTokenUser = NULL;
            }
            if (processTokenUser != NULL)
            {
                LocalFree(processTokenUser);
                processTokenUser = NULL;
            }
            if (hThread != NULL)
            {
                CloseHandle(hThread);
                hThread = NULL;
            }
            if (hToken != NULL)
            {
                CloseHandle(hToken);
                hToken = NULL;
            }
            if (pHandle != NULL)
            {
                CloseHandle(pHandle);
                pHandle = NULL;
            }
            if (processToken != NULL)
            {
                CloseHandle(processToken);
                processToken = NULL;
            }
        } while (Thread32Next(hThreadSnap, &te32));
        CloseHandle(hThreadSnap);
        Sleep(5000);
    }
}
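The decision the extension makes for each thread, separated from the Windows API calls so it can be read and exercised on its own. This is an added example, not code from the JonMon project: the `ThreadTokenSample` struct, `ShouldReport`, `IntegrityName`, `ReportedThreads` and the sample records are constructed for illustration; the integrity RIDs and impersonation levels are the well-known winnt.h values the extension relies on (0x4000 is the 16384 it compares against).

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Well-known integrity level RIDs: the last sub-authority of a mandatory label SID
// (winnt.h SECURITY_MANDATORY_*_RID). 0x4000 is the 16384 the extension tests for.
constexpr uint32_t kLowRid    = 0x1000;
constexpr uint32_t kMediumRid = 0x2000;
constexpr uint32_t kHighRid   = 0x3000;
constexpr uint32_t kSystemRid = 0x4000;

// Mirrors SECURITY_IMPERSONATION_LEVEL so the example builds without Windows headers.
enum class ImpersonationLevel { Anonymous = 0, Identification = 1, Impersonation = 2, Delegation = 3 };

// Translate an integrity RID into the label name shown by most tooling.
std::string IntegrityName(uint32_t rid) {
    if (rid >= kSystemRid) return "System";
    if (rid >= kHighRid)   return "High";
    if (rid >= kMediumRid) return "Medium";
    if (rid >= kLowRid)    return "Low";
    return "Untrusted";
}

// One thread's token placed next to its owning process's primary token: the facts
// the extension gathers per thread (hypothetical struct, not a project type).
struct ThreadTokenSample {
    uint32_t threadId;
    uint32_t processId;
    ImpersonationLevel level;      // TOKEN_STATISTICS.ImpersonationLevel of the thread token
    uint32_t processIntegrityRid;  // integrity RID of the process primary token
    std::string threadUser;        // DOMAIN\user behind the thread token
    std::string processUser;       // DOMAIN\user behind the process token
};

// The extension's reporting rule: report only when the thread token can be used to
// act as another principal (Impersonation or Delegation), the owning process is not a
// System-integrity process (services routinely impersonate their clients, so those
// are filtered out and never reported), and the thread token's user differs from the
// user the process itself runs as.
bool ShouldReport(const ThreadTokenSample& s) {
    const bool usable = s.level == ImpersonationLevel::Impersonation ||
                        s.level == ImpersonationLevel::Delegation;
    if (!usable) return false;
    if (s.processIntegrityRid == kSystemRid) return false;
    return s.threadUser != s.processUser;
}

// Run the rule over a batch of samples and return the thread IDs that would be reported.
std::vector<uint32_t> ReportedThreads(const std::vector<ThreadTokenSample>& samples) {
    std::vector<uint32_t> hits;
    for (const auto& s : samples) {
        if (ShouldReport(s)) hits.push_back(s.threadId);
    }
    return hits;
}

// Constructed samples (not real telemetry) covering each branch of the rule.
std::vector<ThreadTokenSample> SampleThreads() {
    return {
        // Medium-integrity process whose thread holds another user's impersonation token: reported.
        {1001, 4242, ImpersonationLevel::Impersonation, kMediumRid, "CORP\\alice", "CORP\\bob"},
        // Identification-level token cannot be used to act as the user: not reported.
        {1002, 4242, ImpersonationLevel::Identification, kMediumRid, "CORP\\alice", "CORP\\bob"},
        // Thread impersonates the same user the process already runs as: not reported.
        {1003, 4242, ImpersonationLevel::Impersonation, kMediumRid, "CORP\\bob", "CORP\\bob"},
        // System-integrity service impersonating a client, the expected RPC pattern: filtered out.
        {1004, 808, ImpersonationLevel::Impersonation, kSystemRid, "CORP\\alice", "NT AUTHORITY\\SYSTEM"},
        // High-integrity process with a delegation-level token for another user: reported.
        {1005, 5150, ImpersonationLevel::Delegation, kHighRid, "CORP\\svc-backup", "CORP\\admin"},
    };
}

int main() {
    for (const auto& s : SampleThreads()) {
        std::printf("thread %u in pid %u (%s): %s\n", s.threadId, s.processId,
                    IntegrityName(s.processIntegrityRid).c_str(),
                    ShouldReport(s) ? "REPORT" : "ignore");
    }
    return 0;
}
```

The System-integrity exclusion is what keeps event 16 quiet on a normal host, since every RPC and named-pipe server running as SYSTEM impersonates its callers; it is also the rule's blind spot, because a thread inside a SYSTEM process that picks up some other user's token is never reported.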
================================================
FILE: Extensions/Extension1/JonMon-Ext1/dllmain.h
================================================
//
// The DLL build defines JONMONEXT1_EXPORTS (see JonMon-Ext1.vcxproj), so the export
// macro must test that symbol rather than its own name; otherwise the function is
// declared dllimport inside the DLL itself and is never exported.
//
#ifdef JONMONEXT1_EXPORTS
#define JONMON_EXPORTS __declspec(dllexport)
#else
#define JONMON_EXPORTS __declspec(dllimport)
#endif
#include "Windows.h"
#include "evntprov.h"
#include "stdio.h"
#include <TraceLoggingProvider.h>
//
// Exported function that walks thread tokens looking for impersonation
//
extern "C" JONMON_EXPORTS void TokenImpersonationCheck();
================================================
FILE: Extensions/Extension1/JonMon-Ext1/framework.h
================================================
#pragma once
#define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers
// Windows Header Files
#include <windows.h>
================================================
FILE: Extensions/Extension1/JonMon-Ext1/pch.cpp
================================================
// pch.cpp: source file corresponding to the pre-compiled header
#include "pch.h"
// When you are using pre-compiled headers, this source file is necessary for compilation to succeed.
================================================
FILE: Extensions/Extension1/JonMon-Ext1/pch.h
================================================
// pch.h: This is a precompiled header file.
// Files listed below are compiled only once, improving build performance for future builds.
// This also affects IntelliSense performance, including code completion and many code browsing features.
// However, files listed here are ALL re-compiled if any one of them is updated between builds.
// Do not add files here that you will be updating frequently as this negates the performance advantage.
#ifndef PCH_H
#define PCH_H
// add headers that you want to pre-compile here
#include "framework.h"
#endif //PCH_H
================================================
FILE: JonMon/JonMon.sln
================================================
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 17
VisualStudioVersion = 17.4.33205.214
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "JonMon", "JonMon.vcxproj", "{27DCE7FD-EC60-49F7-9245-A39DE05E7056}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "JonMon-Service", "..\JonMon-Service\JonMon-Service.vcxproj", "{BF810292-3774-41A4-B51E-CEF92E26894A}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "JonMon-Ext1", "..\Extensions\Extension1\JonMon-Ext1\JonMon-Ext1.vcxproj", "{BD72F0C3-DBD8-4BA2-8FF9-7F357F9232B1}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|ARM64 = Debug|ARM64
Debug|x64 = Debug|x64
Debug|x86 = Debug|x86
Release|ARM64 = Release|ARM64
Release|x64 = Release|x64
Release|x86 = Release|x86
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{27DCE7FD-EC60-49F7-9245-A39DE05E7056}.Debug|ARM64.ActiveCfg = Debug|ARM64
{27DCE7FD-EC60-49F7-9245-A39DE05E7056}.Debug|ARM64.Build.0 = Debug|ARM64
{27DCE7FD-EC60-49F7-9245-A39DE05E7056}.Debug|ARM64.Deploy.0 = Debug|ARM64
{27DCE7FD-EC60-49F7-9245-A39DE05E7056}.Debug|x64.ActiveCfg = Debug|x64
{27DCE7FD-EC60-49F7-9245-A39DE05E7056}.Debug|x64.Build.0 = Debug|x64
{27DCE7FD-EC60-49F7-9245-A39DE05E7056}.Debug|x64.Deploy.0 = Debug|x64
{27DCE7FD-EC60-49F7-9245-A39DE05E7056}.Debug|x86.ActiveCfg = Debug|x64
{27DCE7FD-EC60-49F7-9245-A39DE05E7056}.Debug|x86.Build.0 = Debug|x64
{27DCE7FD-EC60-49F7-9245-A39DE05E7056}.Debug|x86.Deploy.0 = Debug|x64
{27DCE7FD-EC60-49F7-9245-A39DE05E7056}.Release|ARM64.ActiveCfg = Release|ARM64
{27DCE7FD-EC60-49F7-9245-A39DE05E7056}.Release|ARM64.Build.0 = Release|ARM64
{27DCE7FD-EC60-49F7-9245-A39DE05E7056}.Release|x64.ActiveCfg = Release|x64
{27DCE7FD-EC60-49F7-9245-A39DE05E7056}.Release|x64.Build.0 = Release|x64
{27DCE7FD-EC60-49F7-9245-A39DE05E7056}.Release|x64.Deploy.0 = Release|x64
{27DCE7FD-EC60-49F7-9245-A39DE05E7056}.Release|x86.ActiveCfg = Release|x64
{27DCE7FD-EC60-49F7-9245-A39DE05E7056}.Release|x86.Build.0 = Release|x64
{27DCE7FD-EC60-49F7-9245-A39DE05E7056}.Release|x86.Deploy.0 = Release|x64
{BF810292-3774-41A4-B51E-CEF92E26894A}.Debug|ARM64.ActiveCfg = Debug|x64
{BF810292-3774-41A4-B51E-CEF92E26894A}.Debug|ARM64.Build.0 = Debug|x64
{BF810292-3774-41A4-B51E-CEF92E26894A}.Debug|x64.ActiveCfg = Debug|x64
{BF810292-3774-41A4-B51E-CEF92E26894A}.Debug|x64.Build.0 = Debug|x64
{BF810292-3774-41A4-B51E-CEF92E26894A}.Debug|x86.ActiveCfg = Debug|Win32
{BF810292-3774-41A4-B51E-CEF92E26894A}.Debug|x86.Build.0 = Debug|Win32
{BF810292-3774-41A4-B51E-CEF92E26894A}.Release|ARM64.ActiveCfg = Release|x64
{BF810292-3774-41A4-B51E-CEF92E26894A}.Release|ARM64.Build.0 = Release|x64
{BF810292-3774-41A4-B51E-CEF92E26894A}.Release|x64.ActiveCfg = Release|x64
{BF810292-3774-41A4-B51E-CEF92E26894A}.Release|x64.Build.0 = Release|x64
{BF810292-3774-41A4-B51E-CEF92E26894A}.Release|x86.ActiveCfg = Release|Win32
{BF810292-3774-41A4-B51E-CEF92E26894A}.Release|x86.Build.0 = Release|Win32
{BD72F0C3-DBD8-4BA2-8FF9-7F357F9232B1}.Debug|ARM64.ActiveCfg = Debug|x64
{BD72F0C3-DBD8-4BA2-8FF9-7F357F9232B1}.Debug|ARM64.Build.0 = Debug|x64
{BD72F0C3-DBD8-4BA2-8FF9-7F357F9232B1}.Debug|x64.ActiveCfg = Debug|x64
{BD72F0C3-DBD8-4BA2-8FF9-7F357F9232B1}.Debug|x64.Build.0 = Debug|x64
{BD72F0C3-DBD8-4BA2-8FF9-7F357F9232B1}.Debug|x86.ActiveCfg = Debug|Win32
{BD72F0C3-DBD8-4BA2-8FF9-7F357F9232B1}.Debug|x86.Build.0 = Debug|Win32
{BD72F0C3-DBD8-4BA2-8FF9-7F357F9232B1}.Release|ARM64.ActiveCfg = Release|x64
{BD72F0C3-DBD8-4BA2-8FF9-7F357F9232B1}.Release|ARM64.Build.0 = Release|x64
{BD72F0C3-DBD8-4BA2-8FF9-7F357F9232B1}.Release|x64.ActiveCfg = Release|x64
{BD72F0C3-DBD8-4BA2-8FF9-7F357F9232B1}.Release|x64.Build.0 = Release|x64
{BD72F0C3-DBD8-4BA2-8FF9-7F357F9232B1}.Release|x86.ActiveCfg = Release|Win32
{BD72F0C3-DBD8-4BA2-8FF9-7F357F9232B1}.Release|x86.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {EA991FDB-4D7B-4F75-B564-463A826AC12F}
EndGlobalSection
EndGlobal
================================================
FILE: JonMon/JonMon.vcxproj
================================================
[MSBuild kernel-mode driver project XML; only element values survived extraction. Settings recoverable from them:]
Configurations: Debug and Release for each of ARM, x64 and ARM64; default Configuration Debug, Platform x64
ProjectGuid {27DCE7FD-EC60-49F7-9245-A39DE05E7056}, TemplateGuid {dd38f7fc-d7bd-488b-9242-7d8754cde80d}
TargetFrameworkVersion v4.5, MinimumVisualStudioVersion 12.0, RootNamespace JonMon
WindowsTargetPlatformVersion 10.0.26100.0, TargetVersion Windows10
All configurations: PlatformToolset WindowsKernelModeDriver10.0, ConfigurationType Driver, DriverType WDM
Debugger: DbgengKernelDebugger
Driver signing file digest algorithm: sha256
Linker AdditionalDependencies: Ksecdd.lib;FltMgr.lib;Setupapi.lib;%(AdditionalDependencies) (x64); Ksecdd.lib;FltMgr.lib;%(AdditionalDependencies) and FltMgr.lib;%(AdditionalDependencies) in the other configurations
Linker AdditionalOptions: /INTEGRITYCHECK %(AdditionalOptions)
================================================
FILE: JonMon/callbacks.cpp
================================================
#include "callbacks.h"
#include "process.h"
#include "registry.h"
#include "minifilter.h"
PAGED_FILE();
#define MAX_PATH_LENGTH 100
PVOID ProcessRegistrationHandle = NULL;
PVOID ThreadRegistrationHandle = NULL;
LARGE_INTEGER Cookie;
ULONG g_ServicePID = 0;
PDRIVER_OBJECT g_DriverObject = NULL;
EventSchema g_EventSchema = {
FALSE,
FALSE,
FALSE,
FALSE,
FALSE,
FALSE,
FALSE,
FALSE,
FALSE,
0,
0
};
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSTATUS RegisterCallbacks(
) {
PAGED_CODE();
NTSTATUS status = STATUS_SUCCESS;
UNICODE_STRING Altitude;
RtlInitUnicodeString(&Altitude, L"385202");
//
// Wait until the event configuration has been delivered (g_EventSchema.ConfigSet
// becomes TRUE), polling once per second
//
while (g_EventSchema.ConfigSet == FALSE) {
LARGE_INTEGER interval;
interval.QuadPart = -10000000; // relative time in 100ns units: 1 second
KeDelayExecutionThread(KernelMode, FALSE, &interval);
}
if(g_EventSchema.ProcessCreation == TRUE)
{
status = PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyRoutineEx, FALSE);
if (!NT_SUCCESS(status))
{
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "Failed to load PsSetCreateProcessNotifyRoutineEx : 0x%X\n", status);
return status;
}
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "PsSetCreateProcessNotifyRoutineEx Loaded\n");
}
if(g_EventSchema.ProcessTermination == TRUE)
{
status = PsSetCreateProcessNotifyRoutine(TerminateProcessNotifyRoutine, FALSE);
if (!NT_SUCCESS(status))
{
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "Failed to load PsSetCreateProcessNotifyRoutine : 0x%X\n", status);
return status;
}
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "PsSetCreateProcessNotifyRoutine Loaded\n");
}
if(g_EventSchema.RemoteThreadCreation == TRUE)
{
status = PsSetCreateThreadNotifyRoutine(PsCreateThreadNotifyRoutine);
if (!NT_SUCCESS(status)) {
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "Failed to load PsSetCreateThreadNotifyRoutine : 0x%X\n", status);
return status;
}
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "PsSetCreateThreadNotifyRoutine Loaded\n");
}
if(g_EventSchema.ImageLoad == TRUE)
{
status = PsSetLoadImageNotifyRoutine(LoadImageRoutine);
if (!NT_SUCCESS(status))
{
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "Failed to load PsSetLoadImageNotifyRoutine : 0x%X\n", status);
return status;
}
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "PsSetLoadImageNotifyRoutine Loaded\n");
}
if(g_EventSchema.ProcessHandleCreation == TRUE || g_EventSchema.ProcessHandleDuplication == TRUE)
{
//
//Setting up callback for PsProcessType
//
OB_CALLBACK_REGISTRATION CallbackRegistration;
OB_OPERATION_REGISTRATION OperationRegistration;
OperationRegistration.ObjectType = PsProcessType;
if(g_EventSchema.ProcessHandleDuplication == TRUE && g_EventSchema.ProcessHandleCreation == TRUE)
{
OperationRegistration.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
}
else if(g_EventSchema.ProcessHandleCreation == TRUE && g_EventSchema.ProcessHandleDuplication == FALSE)
{
OperationRegistration.Operations = OB_OPERATION_HANDLE_CREATE;
}
else if(g_EventSchema.ProcessHandleDuplication == TRUE && g_EventSchema.ProcessHandleCreation == FALSE)
{
OperationRegistration.Operations = OB_OPERATION_HANDLE_DUPLICATE;
}
OperationRegistration.PreOperation = NULL;
OperationRegistration.PostOperation = PostProcessHandleCallback;
//
// Setting members
//
CallbackRegistration.Version = OB_FLT_REGISTRATION_VERSION;
CallbackRegistration.OperationRegistrationCount = 1;
CallbackRegistration.Altitude = Altitude;
CallbackRegistration.RegistrationContext = NULL;
CallbackRegistration.OperationRegistration = &OperationRegistration;
status = ObRegisterCallbacks(&CallbackRegistration, &ProcessRegistrationHandle);
if (!NT_SUCCESS(status))
{
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "Failed to load ObRegisterCallbacks : 0x%X\n", status);
return status;
}
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "ObRegisterCallbacks Loaded\n");
}
if(g_EventSchema.File == TRUE)
{
status = FltCallbackStart(g_DriverObject);
if (!NT_SUCCESS(status))
{
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "Failed to load FltCallbackStart : 0x%X\n", status);
return status;
}
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "FltCallbackStart Loaded\n");
}
if (g_EventSchema.Registry == TRUE)
{
status = CmRegisterCallbackEx(RegistryCallback, &Altitude, g_DriverObject, NULL, &Cookie, NULL);
if (!NT_SUCCESS(status))
{
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "Failed to load CmRegisterCallbackEx : 0x%X\n", status);
return status;
}
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "CmRegisterCallbackEx Loaded\n");
}
PsTerminateSystemThread(STATUS_SUCCESS);
return status;
}
_IRQL_requires_max_(PASSIVE_LEVEL)
VOID
LoadImageRoutine(
_In_ PUNICODE_STRING FullImageName,
_In_ HANDLE ProcessId,
_In_ PIMAGE_INFO ImageInfo
) {
FILETIME fileTime;
KeQuerySystemTime(&fileTime);
PAGED_CODE();
ULONGLONG ProcessStartKey = PsGetProcessStartKey(PsGetCurrentProcess());
TraceLoggingWrite(
g_hJonMon,
"ImageLoad",
TraceLoggingInt32(4, "EventID"),
TraceLoggingValue(ProcessId, "ProcessId"),
TraceLoggingValue(ProcessStartKey, "ProcessStartKey"),
TraceLoggingValue(PsGetCurrentThreadId(), "ThreadId"),
TraceLoggingValue(ImageInfo->SystemModeImage, "SystemModeImage"),
TraceLoggingWideString(FullImageName->Buffer, "ImagePath"),
TraceLoggingFileTime(fileTime, "FileTime")
);
}
BOOLEAN ContainsSubstring(PCWSTR keyPath, PCWSTR substring) {
size_t keyPathLen = wcslen(keyPath);
size_t substringLen = wcslen(substring);
if (keyPathLen < substringLen) {
return FALSE;
}
for (PCWSTR p = keyPath; *p != L'\0'; p++) {
if (wcsncmp(p, substring, substringLen) == 0) {
return TRUE;
}
}
return FALSE;
}
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSTATUS RegistryCallback(
_In_ PVOID CallbackContext,
_In_ PVOID RegNotifyClass,
_In_ PVOID RegObject
) {
//
//IRQL less == Passive, if not exit
//
if (KeGetCurrentIrql() > PASSIVE_LEVEL) {
return STATUS_UNSUCCESSFUL;
}
PCWSTR keyPath = NULL;
FILETIME fileTime;
REG_NOTIFY_CLASS notifyClass = (REG_NOTIFY_CLASS)(ULONG_PTR)RegNotifyClass;
NTSTATUS status = STATUS_SUCCESS;
PAGED_CODE();
UNREFERENCED_PARAMETER(CallbackContext);
if (RegObject == NULL)
{
DbgPrint("Callback RegObject is NULL. \n");
status = STATUS_UNSUCCESSFUL;
goto Exit;
}
KeQuerySystemTime(&fileTime);
ULONGLONG sourceProcessId = HandleToULong(PsGetCurrentProcessId());
ULONGLONG sourceThreadId = HandleToULong(PsGetCurrentThreadId());
switch (notifyClass) {
case RegNtPostCreateKeyEx:
{
PREG_POST_OPERATION_INFORMATION object = (PREG_POST_OPERATION_INFORMATION)RegObject;
if (object->Status != STATUS_SUCCESS) {
DbgPrint("[RegNtPostCreateKeyEx] - Status is not success. Status 0x%x\n", object->Status);
goto Exit;
}
PREG_CREATE_KEY_INFORMATION_V1 info = (PREG_CREATE_KEY_INFORMATION_V1)object->PreInformation;
if (*info->Disposition != REG_CREATED_NEW_KEY ) {
DbgPrint("[RegNtPostCreateKeyEx] - Disposition is not REG_CREATED_NEW_KEY. Disposition 0x%x\n", *info->Disposition);
goto Exit;
}
status = GetRegistryKeyPath(object->Object, REGISTRY_TAG, &keyPath);
if (status != STATUS_SUCCESS || keyPath == NULL) {
DbgPrint("[RegNtPostCreateKeyEx] - GetRegistryKeyPath failed. Status 0x%x\n", status);
goto Exit;
}
TraceLoggingWrite(
g_hJonMon,
"RegCreateKey",
TraceLoggingInt32(9, "EventID"),
TraceLoggingValue(sourceThreadId, "SourceThreadId"),
TraceLoggingValue(sourceProcessId, "SourceProcessId"),
TraceLoggingValue(PsGetProcessStartKey(PsGetCurrentProcess()), "SourceProcessStartKey"),
TraceLoggingWideString(keyPath, "KeyPath"),
TraceLoggingValue(info->DesiredAccess, "DesiredAccess"),
TraceLoggingFileTime(fileTime, "FileTime")
);
break;
}
case RegNtPostSaveKey:
{
PREG_POST_OPERATION_INFORMATION object = (PREG_POST_OPERATION_INFORMATION)RegObject;
if (object->Status == STATUS_SUCCESS) {
status = GetRegistryKeyPath(object->Object, REGISTRY_TAG, &keyPath);
if (keyPath == NULL) {
goto Exit;
}
TraceLoggingWrite(
g_hJonMon,
"RegSaveKey",
TraceLoggingInt32(6, "EventID"),
TraceLoggingValue(sourceThreadId, "SourceThreadId"),
TraceLoggingValue(sourceProcessId, "SourceProcessId"),
TraceLoggingValue(PsGetProcessStartKey(PsGetCurrentProcess()), "SourceProcessStartKey"),
TraceLoggingWideString(keyPath, "KeyPath"),
TraceLoggingFileTime(fileTime, "FileTime")
);
}
break;
}
case RegNtPreDeleteKey:
{
PREG_DELETE_KEY_INFORMATION object = (PREG_DELETE_KEY_INFORMATION)RegObject;
if (object->Object == NULL)
{
goto Exit;
}
status = GetRegistryKeyPath(object->Object, REGISTRY_TAG, &keyPath);
if (keyPath == NULL) {
goto Exit;
}
TraceLoggingWrite(
g_hJonMon,
"RegDeleteKey",
TraceLoggingInt32(7, "EventID"),
TraceLoggingValue(sourceThreadId, "SourceThreadId"),
TraceLoggingValue(sourceProcessId, "SourceProcessId"),
TraceLoggingValue(PsGetProcessStartKey(PsGetCurrentProcess()), "SourceProcessStartKey"),
TraceLoggingWideString(keyPath, "KeyPath"),
TraceLoggingFileTime(fileTime, "FileTime")
);
break;
}
case RegNtPostSetValueKey:
{
UNICODE_STRING valueData;
PREG_POST_OPERATION_INFORMATION postObject = (PREG_POST_OPERATION_INFORMATION)RegObject;
if (postObject->Status != STATUS_SUCCESS) {
goto Exit;
}
PREG_SET_VALUE_KEY_INFORMATION info = (PREG_SET_VALUE_KEY_INFORMATION)postObject->PreInformation;
if (info->ValueName == NULL || info->ValueName->Length == 0) {
goto Exit;
}
status = GetRegistryKeyPath(info->Object, REGISTRY_TAG, &keyPath);
if (status != STATUS_SUCCESS || keyPath == NULL) {
DbgPrint("[RegNtPostSetValueKey] - GetRegistryKeyPath failed. Status 0x%x", status);
goto Exit;
}
if (info->DataSize <= 0) {
goto Exit;
}
if(info->Data == NULL)
{
goto Exit;
}
//
// Reducing noise
//
if (ContainsSubstring(keyPath, L"DeliveryOptimization\\Usage")) {
goto Exit;
}
if (ContainsSubstring(keyPath, L"\\DeliveryOptimization\\Config")) {
goto Exit;
}
if (ContainsSubstring(keyPath, L"\\Microsoft\\Input\\TypingInsights")) {
goto Exit;
}
if (ContainsSubstring(keyPath, L"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\W32Time")) {
goto Exit;
}
if (ContainsSubstring(keyPath, L"\\REGISTRY\\A\\")) {
goto Exit;
}
//
// Fixing valueName buffer
//
UNICODE_STRING valueName;
valueName.Length = info->ValueName->Length;
valueName.MaximumLength = info->ValueName->Length + sizeof(UNICODE_NULL);
valueName.Buffer = (PWSTR)ExAllocatePool2(POOL_FLAG_PAGED, valueName.MaximumLength, SYSTEM_THREAD_TAG); // MaximumLength includes room for the null terminator added below
if (valueName.Buffer == NULL || valueName.Length == 0) {
goto Exit;
}
RtlZeroMemory(valueName.Buffer, valueName.MaximumLength);
RtlCopyMemory(valueName.Buffer, info->ValueName->Buffer, info->ValueName->Length);
//
// adding null terminator
//
valueName.Buffer[valueName.Length / sizeof(WCHAR)] = UNICODE_NULL;
//
// Creating a UNICODE_STRING to hold the data information.
// DataSize is clamped so the USHORT Length cannot wrap, and the buffer is sized
// for whichever is larger: the raw data plus a double null terminator
// (needed by REG_MULTI_SZ) or a printed 64-bit integer (REG_QWORD).
//
if (info->DataSize > (MAXUSHORT - 2 * sizeof(WCHAR))) {
ExFreePoolWithTag(valueName.Buffer, SYSTEM_THREAD_TAG);
goto Exit;
}
valueData.Length = (USHORT)info->DataSize;
valueData.MaximumLength = (USHORT)(valueData.Length + 2 * sizeof(WCHAR));
if (valueData.MaximumLength < 24 * sizeof(WCHAR)) {
valueData.MaximumLength = (USHORT)(24 * sizeof(WCHAR));
}
valueData.Buffer = (PWSTR)ExAllocatePool2(POOL_FLAG_PAGED, valueData.MaximumLength, SYSTEM_THREAD_TAG);
if (valueData.Buffer == NULL) {
//
// valueName.Buffer was allocated above; release it before leaving so it does not leak
//
ExFreePoolWithTag(valueName.Buffer, SYSTEM_THREAD_TAG);
goto Exit;
}
RtlZeroMemory(valueData.Buffer, valueData.MaximumLength);
//
// To do: Update REG_MULTI_SZ and REG_BINARY
//
switch (info->Type)
{
case REG_SZ:
{
RtlCopyMemory(valueData.Buffer, info->Data, valueData.Length);
valueData.Buffer[valueData.Length / sizeof(WCHAR)] = UNICODE_NULL; // Set null terminator
break;
}
case REG_EXPAND_SZ:
{
RtlCopyMemory(valueData.Buffer, info->Data, valueData.Length);
valueData.Buffer[valueData.Length / sizeof(WCHAR)] = UNICODE_NULL; // Set null terminator
break;
}
case REG_MULTI_SZ:
{
RtlCopyMemory(valueData.Buffer, info->Data, valueData.Length);
// Ensure the data is properly double-null terminated
if (valueData.Length >= sizeof(WCHAR) && valueData.Buffer[(valueData.Length / sizeof(WCHAR)) - 1] != UNICODE_NULL)
{
// Add an additional null terminator if the last character isn't already a null terminator
valueData.Buffer[valueData.Length / sizeof(WCHAR)] = UNICODE_NULL; // First null terminator
valueData.Buffer[(valueData.Length / sizeof(WCHAR)) + 1] = UNICODE_NULL; // Second null terminator
}
else
{
// If the data already ends with a null, just add another
valueData.Buffer[valueData.Length / sizeof(WCHAR)] = UNICODE_NULL;
}
break;
}
case REG_DWORD:
{
//
// Guard the read: a REG_DWORD shorter than 4 bytes would be read past its end
//
if (info->DataSize >= sizeof(DWORD)) {
RtlStringCchPrintfW(valueData.Buffer, valueData.MaximumLength / sizeof(WCHAR), L"%u", *(DWORD*)info->Data);
}
break;
}
case REG_QWORD:
{
if (info->DataSize >= sizeof(ULONGLONG)) {
RtlStringCchPrintfW(valueData.Buffer, valueData.MaximumLength / sizeof(WCHAR), L"%llu", *(ULONGLONG*)info->Data);
}
break;
}
case REG_BINARY:
{
//
// Only the leading DWORD of binary data is logged (see the to-do above)
//
if (info->DataSize >= sizeof(DWORD)) {
RtlStringCchPrintfW(valueData.Buffer, valueData.MaximumLength / sizeof(WCHAR), L"%u", *(DWORD*)info->Data);
}
break;
}
default:
{
break;
}
}
//
// Defensive checks: every field logged below should be populated by now
//
if (keyPath == NULL)
{
DbgPrint("keyPath is NULL\n");
}
if (valueName.Buffer == NULL)
{
DbgPrint("valueName.Buffer is NULL\n");
}
if (valueData.Buffer == NULL)
{
DbgPrint("valueData.Buffer is NULL\n");
}
if (info->Type == 0)
{
DbgPrint("info->Type is 0 (REG_NONE)\n");
}
if (info->DataSize == 0)
{
DbgPrint("info->DataSize is 0\n");
}
TraceLoggingWrite(
g_hJonMon,
"RegSetValueKey",
TraceLoggingInt32(8, "EventID"),
TraceLoggingValue(sourceThreadId, "SourceThreadId"),
TraceLoggingValue(sourceProcessId, "SourceProcessId"),
TraceLoggingValue(PsGetProcessStartKey(PsGetCurrentProcess()), "SourceProcessStartKey"),
TraceLoggingWideString(keyPath, "KeyPath"),
TraceLoggingWideString(valueName.Buffer, "ValueName"),
TraceLoggingValue(valueData.Buffer, "Data"),
TraceLoggingValue(info->Type, "Type"),
TraceLoggingValue(info->DataSize, "DataSize"),
TraceLoggingFileTime(fileTime, "FileTime")
);
if(valueName.Buffer != NULL)
{
ExFreePoolWithTag(valueName.Buffer, SYSTEM_THREAD_TAG);
}
if(valueData.Buffer != NULL)
{
ExFreePoolWithTag(valueData.Buffer, SYSTEM_THREAD_TAG);
}
break;
}
default:
{
break;
}
}
Exit:
if (keyPath != NULL) {
ExFreePoolWithTag((PVOID)keyPath, REGISTRY_TAG);
}
return status;
}
_IRQL_requires_max_(PASSIVE_LEVEL)
void PsCreateThreadNotifyRoutine(
_In_ HANDLE ProcessId,
_In_ HANDLE ThreadId,
_In_ BOOLEAN Create
) {
NTSTATUS status;
PEPROCESS sourceProcess;
PEPROCESS targetProcess;
FILETIME filetime;
KeQuerySystemTime(&filetime);
PAGED_CODE();
//
// Check if the thread is being created or deleted
//
if (Create != TRUE) {
goto Exit;
}
HANDLE CurrentPID = PsGetCurrentProcessId();
if (CurrentPID == ProcessId) {
goto Exit;
}
if (CurrentPID == (HANDLE)0x4) {
goto Exit;
}
if (ProcessId == (HANDLE)0x4) {
goto Exit;
}
HANDLE sourceThreadId = PsGetCurrentThreadId();
status = PsLookupProcessByProcessId(ProcessId, &targetProcess);
if (status != STATUS_SUCCESS) {
DbgPrint("Failed to get target process, status: 0x%X\n", status);
goto Exit;
}
status = PsLookupProcessByProcessId(CurrentPID, &sourceProcess);
if (status != STATUS_SUCCESS) {
DbgPrint("Failed to get source process, status: 0x%X\n", status);
ObDereferenceObject(targetProcess);
goto Exit;
}
ULONGLONG sourceProcStartKey = PsGetProcessStartKey(sourceProcess);
ULONGLONG targetProcStartKey = PsGetProcessStartKey(targetProcess);
//
// PsLookupProcessByProcessId returns referenced EPROCESS pointers; release
// them once the start keys are captured, otherwise the objects leak
//
ObDereferenceObject(sourceProcess);
ObDereferenceObject(targetProcess);
TraceLoggingWrite(
g_hJonMon,
"RemoteThreadCreation",
TraceLoggingInt32(3, "EventID"),
TraceLoggingValue(sourceThreadId, "SourceThreadId"),
TraceLoggingValue(CurrentPID, "SourceProcessId"),
TraceLoggingValue(sourceProcStartKey, "SourceProcessStartKey"),
TraceLoggingValue(ThreadId, "NewThreadId"),
TraceLoggingValue(ProcessId, "TargetProcessId"),
TraceLoggingValue(targetProcStartKey, "TargetProcessStartKey"),
TraceLoggingFileTime(filetime, "FileTime")
);
Exit:
return;
}
_IRQL_requires_max_(PASSIVE_LEVEL)
void CreateProcessNotifyRoutineEx(
_In_ PEPROCESS Process,
_In_ HANDLE ProcessId,
_In_ PPS_CREATE_NOTIFY_INFO CreateInfo
)
{
FILETIME fileTime;
UNICODE_STRING commandLine{ 0 };
PAGED_CODE();
if (CreateInfo == NULL)
{
goto Exit;
}
KeQuerySystemTime(&fileTime);
ULONGLONG ProcessStartKey = PsGetProcessStartKey(Process);
ULONGLONG parentProcessStartKey = PsGetProcessStartKey(PsGetCurrentProcess());
//
//Checking to see if CommandLine is NULL and if it isn't, creating a buffer
//
if (CreateInfo->CommandLine != NULL) {
//
//create buffer
//
commandLine.Buffer = (PWSTR)ExAllocatePool2(POOL_FLAG_PAGED, CreateInfo->CommandLine->Length + sizeof(UNICODE_NULL), SYSTEM_THREAD_TAG);
if (commandLine.Buffer == NULL)
{
goto Exit;
}
commandLine.Length = CreateInfo->CommandLine->Length;
commandLine.MaximumLength = (USHORT)(CreateInfo->CommandLine->Length + sizeof(UNICODE_NULL));
//
//Zero out the buffer
//
RtlZeroMemory(commandLine.Buffer, commandLine.MaximumLength);
//
//Copy the CommandLine into the buffer
//
RtlCopyMemory(commandLine.Buffer, CreateInfo->CommandLine->Buffer, commandLine.Length);
//
//Null terminate the buffer
//
commandLine.Buffer[commandLine.Length / sizeof(WCHAR)] = UNICODE_NULL;
}
//
// When no command line is available, commandLine.Buffer stays NULL and the
// literal "NULL" is logged instead. The literal is never stored in the
// UNICODE_STRING, so the pool free at Exit only ever sees pool memory.
//
//
// TraceLogging Event
//
TraceLoggingWrite(
g_hJonMon,
"ProcessCreation",
TraceLoggingInt32(1, "EventID"),
TraceLoggingValue(ProcessId, "ProcessId"),
TraceLoggingValue(ProcessStartKey, "ProcessStartKey"),
TraceLoggingValue(CreateInfo->ParentProcessId, "ParentProcessId"),
TraceLoggingValue(parentProcessStartKey, "ParentProcessStartKey"),
TraceLoggingValue(CreateInfo->CreatingThreadId.UniqueProcess, "CreatorProcessId"),
TraceLoggingValue(CreateInfo->CreatingThreadId.UniqueThread, "CreatorThreadId"),
TraceLoggingWideString(commandLine.Buffer != NULL ? commandLine.Buffer : L"NULL", "CommandLine"),
TraceLoggingFileTime(fileTime, "FileTime")
);
Exit:
if (commandLine.Buffer != NULL) {
ExFreePoolWithTag(commandLine.Buffer, SYSTEM_THREAD_TAG);
}
}
_IRQL_requires_max_(PASSIVE_LEVEL)
void PostProcessHandleCallback(
_In_ PVOID RegistrationContext,
_In_ POB_POST_OPERATION_INFORMATION OperationInformation
) {
UNREFERENCED_PARAMETER(RegistrationContext);
FILETIME filetime;
DWORD OperationType;
ACCESS_MASK DesiredAccess;
PAGED_CODE();
KeQuerySystemTime(&filetime);
PEPROCESS targetProcess = (PEPROCESS)OperationInformation->Object;
HANDLE TargetProcessId = PsGetProcessId(targetProcess);
HANDLE SourceProcessId = PsGetCurrentProcessId();
DesiredAccess = OperationInformation->Parameters->CreateHandleInformation.GrantedAccess;
if ((HANDLE)g_ServicePID == SourceProcessId) {
goto Exit;
}
if (DesiredAccess == 0x0) {
goto Exit;
}
if (SourceProcessId == TargetProcessId) {
goto Exit;
}
if (SourceProcessId == (HANDLE)0x4 || TargetProcessId == (HANDLE)0x4) {
goto Exit;
}
switch (OperationInformation->Operation)
{
case OB_OPERATION_HANDLE_CREATE:
{
OperationType = 1;
break;
}
case OB_OPERATION_HANDLE_DUPLICATE:
{
//
// Only duplications whose granted access includes PROCESS_DUP_HANDLE (0x40) are logged
//
if ((DesiredAccess & 0x40) != 0x40) {
goto Exit;
}
DesiredAccess = OperationInformation->Parameters->DuplicateHandleInformation.GrantedAccess;
OperationType = 2;
break;
}
default:
{
//
// Only create and duplicate operations are registered; anything else is
// ignored rather than logged with an uninitialized OperationType
//
goto Exit;
}
}
TraceLoggingWrite(
g_hJonMon,
"ProcessHandle",
TraceLoggingInt32(5, "EventID"),
TraceLoggingValue(PsGetCurrentThreadId(), "SourceThreadId"),
TraceLoggingValue(SourceProcessId, "SourceProcessId"),
TraceLoggingValue(PsGetProcessStartKey(PsGetCurrentProcess()), "SourceProcessStartKey"),
TraceLoggingValue(TargetProcessId, "TargetProcessId"),
TraceLoggingValue(PsGetProcessStartKey(targetProcess), "TargetProcessStartKey"),
TraceLoggingValue(OperationType, "OperationType"),
TraceLoggingValue(DesiredAccess, "DesiredAccess"),
TraceLoggingFileTime(filetime, "FileTime")
);
Exit:
return;
}
_IRQL_requires_max_(PASSIVE_LEVEL)
void TerminateProcessNotifyRoutine(
_In_ HANDLE ParentProcessId,
_In_ HANDLE ProcessId,
_In_ BOOLEAN Create
)
{
FILETIME fileTime;
PAGED_CODE();
if (!Create)
{
KeQuerySystemTime(&fileTime);
//
// The termination notification runs in the context of the exiting process,
// so the current process is the one being terminated
//
ULONGLONG targetProcessStartKey = PsGetProcessStartKey(PsGetCurrentProcess());
//
// The parent is a different process: look it up by id and release the
// reference once its start key has been read (0 if it no longer exists)
//
ULONGLONG parentProcessStartKey = 0;
PEPROCESS parentProcess = NULL;
if (NT_SUCCESS(PsLookupProcessByProcessId(ParentProcessId, &parentProcess)))
{
parentProcessStartKey = PsGetProcessStartKey(parentProcess);
ObDereferenceObject(parentProcess);
}
TraceLoggingWrite(
g_hJonMon,
"ProcessTermination",
TraceLoggingInt32(2, "EventID"),
TraceLoggingValue(ProcessId, "ProcessId"),
TraceLoggingValue(targetProcessStartKey, "ProcessStartKey"),
TraceLoggingValue(ParentProcessId, "ParentProcessId"),
TraceLoggingValue(parentProcessStartKey, "ParentProcessStartKey"),
TraceLoggingFileTime(fileTime, "FileTime")
);
goto Exit;
}
Exit:
return;
}
================================================
FILE: JonMon/callbacks.h
================================================
#ifndef _CALLBACK_
#define _CALLBACK_
#include "shared.h"
extern ULONG g_ServicePID;
extern PVOID ProcessRegistrationHandle;
extern PVOID ThreadRegistrationHandle;
extern PDRIVER_OBJECT g_DriverObject;
typedef struct _EventSchema {
BOOLEAN ConfigSet;
BOOLEAN ProcessCreation;
BOOLEAN ProcessTermination;
BOOLEAN ProcessHandleCreation;
BOOLEAN ProcessHandleDuplication;
BOOLEAN RemoteThreadCreation;
BOOLEAN ImageLoad;
BOOLEAN File;
BOOLEAN Registry;
INT ConfigVersion;
INT JonMonVersion;
} EventSchema, * PEventSchema;
typedef struct _HANDLE_CREATION_CALLBACK_INFO {
ULONGLONG SourceProcessStartKey;
HANDLE SourceProcessId;
HANDLE SourceThreadId;
HANDLE TargetProcessId;
PETHREAD SourceThread;
ULONGLONG TargetProcessStartKey;
ACCESS_MASK DesiredAccess;
FILETIME FileTime;
DWORD OperationType;
} HANDLE_CREATION_CALLBACK_INFO, * PHANDLE_CREATION_CALLBACK_INFO;
typedef struct _LOAD_IMAGE_CALLBACK_INFO {
HANDLE SourceProcessId;
HANDLE SourceThread;
PETHREAD SourceEThread;
FILETIME FileTime;
UNICODE_STRING ModuleName;
ULONG SystemModeImage;
} LOAD_IMAGE_CALLBACK_INFO, * PLOAD_IMAGE_CALLBACK_INFO;
typedef struct _PROCESS_CREATE_CALLBACK_INFO {
PEPROCESS Process;
HANDLE ProcessId;
FILETIME FileTime;
HANDLE ParentProcessId;
CLIENT_ID CreatorId;
UNICODE_STRING CommandLine;
} PROCESS_CREATE_CALLBACK_INFO, * PPROCESS_CREATE_CALLBACK_INFO;
typedef struct _THREAD_CREATE_CALLBACK_INFO {
HANDLE SourceProcessId;
HANDLE TargetProcessId;
HANDLE TargetThreadId;
FILETIME FileTime;
} THREAD_CREATE_CALLBACK_INFO, * PTHREAD_CREATE_CALLBACK_INFO;
typedef struct _PROCESS_TERMINATE_CALLBACK_INFO {
FILETIME FileTime;
HANDLE SourceProcessId;
HANDLE TargetProcessId;
} PROCESS_TERMINATE_CALLBACK_INFO, * PPROCESS_TERMINATE_CALLBACK_INFO;
//
// global variable to store the schema
//
extern EventSchema g_EventSchema;
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSTATUS RegisterCallbacks(
);
_IRQL_requires_max_(PASSIVE_LEVEL)
VOID CreateProcessNotifyRoutineEx(
_In_ PEPROCESS Process,
_In_ HANDLE ProcessId,
_In_ PPS_CREATE_NOTIFY_INFO CreateInfo
);
_IRQL_requires_max_(PASSIVE_LEVEL)
VOID PsCreateThreadNotifyRoutine(
_In_ HANDLE ProcessId,
_In_ HANDLE ThreadId,
_In_ BOOLEAN Create
);
_IRQL_requires_max_(PASSIVE_LEVEL)
VOID TerminateProcessNotifyRoutine(
_In_ HANDLE ParentProcessId,
_In_ HANDLE ProcessId,
_In_ BOOLEAN Create
);
_IRQL_requires_max_(PASSIVE_LEVEL)
VOID
LoadImageWorkerThread(
_In_ PVOID StartContext
);
_IRQL_requires_max_(PASSIVE_LEVEL)
VOID
LoadImageRoutine(
_In_ PUNICODE_STRING FullImageName,
_In_ HANDLE ProcessId,
_In_ PIMAGE_INFO ImageInfo
);
_IRQL_requires_max_(PASSIVE_LEVEL)
void PostProcessHandleCallback(
_In_ PVOID RegistrationContext,
_In_ POB_POST_OPERATION_INFORMATION OperationInformation
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSTATUS RegistryCallback(
_In_ PVOID CallbackContext,
_In_ PVOID RegNotifyClass,
_In_ PVOID RegObject
);
#endif // !_CALLBACK_
================================================
FILE: JonMon/driver.cpp
================================================
#include "driver.h"
#include "callbacks.h"
#include "process.h"
TRACELOGGING_DEFINE_PROVIDER(g_hJonMon, "JonMon",
(0xdd82bf6f, 0x5295, 0x4541, 0x96, 0x8d, 0x8c, 0xac, 0x58, 0xe5, 0x72, 0xe4));
extern "C"
NTSTATUS DriverEntry(
_In_ PDRIVER_OBJECT DriverObject,
_In_ PUNICODE_STRING RegistryPath
)
{
TraceLoggingRegister(g_hJonMon);
TraceLoggingWrite(
g_hJonMon,
"100",
TraceLoggingInt32(100, "EventID"),
TraceLoggingBool(TRUE, "TraceLogging Provider Registered")
);
g_RegPath.Buffer = (PWSTR)ExAllocatePool2(POOL_FLAG_PAGED,
RegistryPath->Length, DRIVER_TAG);
if (g_RegPath.Buffer == NULL) {
DbgPrint("Failed allocation\n");
return STATUS_INSUFFICIENT_RESOURCES;
}
//
//Copy DriverObject to global variable
//
g_DriverObject = DriverObject;
g_RegPath.Length = g_RegPath.MaximumLength = RegistryPath->Length;
memcpy(g_RegPath.Buffer, RegistryPath->Buffer, g_RegPath.Length);
DriverObject->DriverUnload = JonMonUnload;
DriverObject->MajorFunction[IRP_MJ_CREATE] = JonMonCreateClose;
DriverObject->MajorFunction[IRP_MJ_CLOSE] = JonMonCreateClose;
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = JonMonDeviceControl;
UNICODE_STRING name;
RtlInitUnicodeString(&name, L"\\Device\\JonMon");
PDEVICE_OBJECT DeviceObject;
NTSTATUS status = IoCreateDevice(DriverObject, 0, &name, FILE_DEVICE_UNKNOWN, 0, FALSE, &DeviceObject);
if (!NT_SUCCESS(status)) {
DbgPrint("Error creating device: 0x%X\n", status);
ExFreePool(g_RegPath.Buffer);
return status;
}
DriverObject->DeviceObject = DeviceObject;
DeviceObject->Flags |= DO_DIRECT_IO;
UNICODE_STRING symlink;
RtlInitUnicodeString(&symlink, L"\\??\\JonMon");
status = IoCreateSymbolicLink(&symlink, &name);
if (!NT_SUCCESS(status)) {
DbgPrint("Error creating symbolic link: 0x%X\n", status);
ExFreePool(g_RegPath.Buffer);
IoDeleteDevice(DeviceObject);
return status;
}
ExFreePool(g_RegPath.Buffer);
return status;
}
NTSTATUS JonMonDeviceControl(
_In_ PDEVICE_OBJECT,
_In_ PIRP Irp
) {
auto irpSp = IoGetCurrentIrpStackLocation(Irp);
auto status = STATUS_INVALID_DEVICE_REQUEST;
auto& dic = irpSp->Parameters.DeviceIoControl;
auto len = 0;
switch (dic.IoControlCode) {
case IOCTL_CHANGE_PROTECTION_LEVEL_PROCESS:
{
ChangePPL();
//
// Complete this request on its own instead of falling through into the
// configuration handler, which expects an EventSchema input buffer
//
status = STATUS_SUCCESS;
break;
}
case IOCTL_EVENT_CONFIGURATION:
{
if (dic.InputBufferLength < sizeof(EventSchema)) {
status = STATUS_BUFFER_TOO_SMALL;
break;
}
auto schema = (EventSchema*)Irp->AssociatedIrp.SystemBuffer;
if (schema == nullptr) {
status = STATUS_INVALID_PARAMETER;
break;
}
g_EventSchema.ConfigSet = true;
g_EventSchema.ConfigVersion = schema->ConfigVersion;
g_EventSchema.JonMonVersion = schema->JonMonVersion;
g_EventSchema.ProcessCreation = schema->ProcessCreation;
g_EventSchema.ProcessTermination = schema->ProcessTermination;
g_EventSchema.Registry = schema->Registry;
g_EventSchema.ProcessHandleCreation = schema->ProcessHandleCreation;
g_EventSchema.ProcessHandleDuplication = schema->ProcessHandleDuplication;
g_EventSchema.RemoteThreadCreation = schema->RemoteThreadCreation;
g_EventSchema.ImageLoad = schema->ImageLoad;
g_EventSchema.File = schema->File;
//
// TraceLogging Event
//
TraceLoggingWrite(
g_hJonMon,
"101",
TraceLoggingInt32(101, "EventID"),
TraceLoggingBool(schema->ProcessCreation, "ProcessCreation"),
TraceLoggingBool(schema->ProcessTermination, "ProcessTermination"),
TraceLoggingBool(schema->Registry, "RegistryEvents"),
TraceLoggingBool(schema->ProcessHandleCreation, "ProcessHandleCreation"),
TraceLoggingBool(schema->ProcessHandleDuplication, "ProcessHandleDuplication"),
TraceLoggingBool(schema->RemoteThreadCreation, "RemoteThreadCreation"),
TraceLoggingBool(schema->ImageLoad, "ImageLoad"),
TraceLoggingBool(schema->File, "FileEvents")
);
HANDLE hRegisterCallbackThread = NULL;
OBJECT_ATTRIBUTES objectAttributes;
InitializeObjectAttributes(&objectAttributes, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
status = PsCreateSystemThread(&hRegisterCallbackThread, THREAD_ALL_ACCESS, &objectAttributes, NULL, NULL, (PKSTART_ROUTINE)RegisterCallbacks, NULL);
if (!NT_SUCCESS(status)) {
DbgPrint("PsCreateSystemThread - RegisterCallback failed: %x\n", status);
}
if (hRegisterCallbackThread != NULL)
{
ZwClose(hRegisterCallbackThread);
}
status = STATUS_SUCCESS;
break;
}
default:
break;
}
return CompleteRequest(Irp, status, len);
}
VOID AlterPPL(
_In_ ULONG PID,
_In_ ULONG value
) {
ULONG offset = 0x0;
RTL_OSVERSIONINFOEXW osInfo = { 0 };
osInfo.dwOSVersionInfoSize = sizeof(osInfo);
RtlGetVersion((POSVERSIONINFOW)&osInfo);
#ifdef _M_ARM64
if (osInfo.dwBuildNumber < 19045 || osInfo.dwBuildNumber > 26100) {
DbgPrint("OS Version is not supported\n");
return;
}
if (osInfo.dwBuildNumber >= 19045 && osInfo.dwBuildNumber <= 22631) {
offset = 0x939;
}
if (osInfo.dwBuildNumber == 26100) {
offset = 0x6b8;
}
#endif
#ifdef _M_X64
if (osInfo.dwBuildNumber < 19045 || osInfo.dwBuildNumber > 26100) {
DbgPrint("OS Version is not supported\n");
return;
}
if (osInfo.dwBuildNumber >= 19045 && osInfo.dwBuildNumber <= 22631) {
offset = 0x878;
}
if (osInfo.dwBuildNumber == 26100) {
offset = 0x5f8;
}
#endif
//
// Builds inside the supported range but outside the listed ranges leave
// offset at 0; never write to an unknown location in the EPROCESS
//
if (offset == 0) {
DbgPrint("No EPROCESS offset known for build %u\n", osInfo.dwBuildNumber);
return;
}
PEPROCESS pProcess = NULL;
PPROCESS_SIGNATURE_PROTECTION pSignatureProtect = NULL;
ULONG pid = PID;
NTSTATUS status = PsLookupProcessByProcessId((HANDLE)pid, &pProcess);
if (NT_SUCCESS(status)) {
DbgPrint("Changing PPL value for target PROCESS ID: %d\n", PID);
pSignatureProtect = (PPROCESS_SIGNATURE_PROTECTION)(((ULONG_PTR)pProcess) + offset);
if (value == 1) {
pSignatureProtect->SignatureLevel = 0x11;
pSignatureProtect->SectionSignatureLevel = 0x11;
pSignatureProtect->Protection = { 1,0,3 };
}
if (value == 0)
{
pSignatureProtect->SignatureLevel = 0x0;
pSignatureProtect->SectionSignatureLevel = 0x0;
pSignatureProtect->Protection = { 0,0,0 };
}
DbgPrint("Process ID %d 's protection level has changed\n", PID);
ObDereferenceObject(pProcess);
}
}
VOID ChangePPL()
{
UNICODE_STRING functionName;
RtlInitUnicodeString(&functionName, L"ZwQuerySystemInformation");
ZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)MmGetSystemRoutineAddress(&functionName);
if (ZwQuerySystemInformation == NULL) {
DbgPrint("ZwQuerySystemInformation not found\n");
return;
}
NTSTATUS status;
ULONG bufferSize = 0;
UNICODE_STRING processName, processPath;
RtlInitUnicodeString(&processName, L"JonMon-Service.exe");
RtlInitUnicodeString(&processPath, L"\\Windows\\JonMon-Service.exe");
status = ZwQuerySystemInformation(SystemProcessInformation, NULL, 0, &bufferSize);
if (status != STATUS_INFO_LENGTH_MISMATCH) {
return;
}
if (bufferSize) {
PVOID info = ExAllocatePool2(POOL_FLAG_PAGED, bufferSize, DRIVER_TAG);
if (info) {
status = ZwQuerySystemInformation(SystemProcessInformation, info, bufferSize, &bufferSize);
if (NT_SUCCESS(status)) {
PSYSTEM_PROCESSES processInfo = (PSYSTEM_PROCESSES)info;
UNICODE_STRING imagePath;
imagePath.MaximumLength = 1024;
imagePath.Buffer = (PWSTR)ExAllocatePool2(POOL_FLAG_PAGED, 1024, DRIVER_TAG);
if (imagePath.Buffer == NULL) {
DbgPrint("Failed allocation\n");
ExFreePoolWithTag(info, DRIVER_TAG);
return;
}
//
// Single pass over the process list: stop when the service is found or when
// the last entry (NextEntryDelta == 0) has been examined, so an absent
// service cannot spin this loop forever
//
for (;;) {
if (RtlEqualUnicodeString(&processName, &processInfo->ProcessName, TRUE)) {
status = GetProcessImageName((HANDLE)processInfo->ProcessId, &imagePath);
if (NT_SUCCESS(status) && imagePath.Buffer != NULL &&
wcsstr(imagePath.Buffer, processPath.Buffer) != NULL) {
g_ServicePID = (ULONG)processInfo->ProcessId;
AlterPPL(g_ServicePID, 1);
DbgPrint("Found JonMon-Service.exe\n");
break;
}
}
if (processInfo->NextEntryDelta == 0) {
break;
}
processInfo = (PSYSTEM_PROCESSES)((unsigned char*)processInfo + processInfo->NextEntryDelta);
}
ExFreePoolWithTag(imagePath.Buffer, DRIVER_TAG);
}
ExFreePoolWithTag(info, DRIVER_TAG);
}
}
}
//
//Function unloads the driver
//
VOID JonMonUnload(
_In_ PDRIVER_OBJECT DriverObject
) {
PAGED_CODE();
TraceLoggingWrite(
g_hJonMon,
"100",
TraceLoggingUInt32(100, "EventID"),
TraceLoggingValue(FALSE, "TraceLogging Provider Registered")
);
TraceLoggingUnregister(g_hJonMon);
AlterPPL(g_ServicePID, 0);
if (g_EventSchema.Registry == TRUE)
{
CmUnRegisterCallback(Cookie);
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "CmUnRegisterCallback Unloaded\n");
}
if(g_EventSchema.ProcessCreation == TRUE)
{
PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyRoutineEx, TRUE);
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "PsSetCreateProcessNotifyRoutineEx Unloaded\n");
}
if (g_EventSchema.ProcessHandleCreation == TRUE || g_EventSchema.ProcessHandleDuplication == TRUE)
{
ObUnRegisterCallbacks(ProcessRegistrationHandle);
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "ObUnRegisterCallbacks Unloaded\n");
}
if (g_EventSchema.ImageLoad == TRUE)
{
PsRemoveLoadImageNotifyRoutine(LoadImageRoutine);
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "PsRemoveLoadImageNotifyRoutine Unloaded\n");
}
if (g_EventSchema.RemoteThreadCreation == TRUE)
{
PsRemoveCreateThreadNotifyRoutine(PsCreateThreadNotifyRoutine);
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "PsRemoveCreateThreadNotifyRoutine Unloaded\n");
}
if (g_EventSchema.ProcessTermination == TRUE)
{
PsSetCreateProcessNotifyRoutine(TerminateProcessNotifyRoutine, TRUE);
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "PsSetCreateProcessNotifyRoutine Unloaded\n");
}
//
// Sleep for 3 seconds (relative time, 100ns units) to allow in-flight callbacks and worker threads to finish
//
LARGE_INTEGER interval;
interval.QuadPart = -(3 * 10000000);
KeDelayExecutionThread(KernelMode, FALSE, &interval);
UNICODE_STRING symlink;
RtlInitUnicodeString(&symlink, L"\\??\\JonMon");
IoDeleteSymbolicLink(&symlink);
IoDeleteDevice(DriverObject->DeviceObject);
DbgPrint("JonMon Driver Unloaded\n");
}
//Function completes the driver requests
NTSTATUS CompleteRequest(
PIRP Irp,
NTSTATUS status,
ULONG_PTR info
) {
PAGED_CODE();
Irp->IoStatus.Status = status;
Irp->IoStatus.Information = info;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return status;
}
//Function handles the create and close requests. Function just points to CompleteRequest.
NTSTATUS JonMonCreateClose(
_In_ PDEVICE_OBJECT,
_In_ PIRP Irp
) {
PAGED_CODE();
return CompleteRequest(Irp);
}
================================================
FILE: JonMon/driver.h
================================================
#ifndef _DRIVER_
#define _DRIVER_
#include "shared.h"
/*
* Device type and IOCTL codes
*/
#define JonMon_DEVICE 0x8010
#define IOCTL_CHANGE_PROTECTION_LEVEL_PROCESS CTL_CODE(JonMon_DEVICE, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_EVENT_CONFIGURATION CTL_CODE(JonMon_DEVICE, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS)
/*
* Global variable to store the registry path
*/
UNICODE_STRING g_RegPath;
typedef struct _SYSTEM_THREADS {
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientId;
KPRIORITY Priority;
KPRIORITY BasePriority;
ULONG ContextSwitchCount;
LONG State;
LONG WaitReason;
} SYSTEM_THREADS, * PSYSTEM_THREADS;
typedef struct _SYSTEM_PROCESSES {
ULONG NextEntryDelta;
ULONG ThreadCount;
ULONG Reserved1[6];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ProcessName;
KPRIORITY BasePriority;
SIZE_T ProcessId;
SIZE_T InheritedFromProcessId;
ULONG HandleCount;
ULONG Reserved2[2];
VM_COUNTERS VmCounters;
IO_COUNTERS IoCounters;
SYSTEM_THREADS Threads[1];
} SYSTEM_PROCESSES, * PSYSTEM_PROCESSES;
typedef struct _PS_PROTECTION {
UCHAR Type : 3;
UCHAR Audit : 1;
UCHAR Signer : 4;
} PS_PROTECTION, * PPS_PROTECTION;
typedef struct _PROCESS_SIGNATURE_PROTECTION {
UCHAR SignatureLevel;
UCHAR SectionSignatureLevel;
PS_PROTECTION Protection;
} PROCESS_SIGNATURE_PROTECTION, * PPROCESS_SIGNATURE_PROTECTION;
typedef NTSTATUS(NTAPI* ZWQUERYSYSTEMINFORMATION)(
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength
);
ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation;
/*
* Driver Function Prototypes
*/
NTSTATUS JonMonCreateClose(
_In_ PDEVICE_OBJECT DeviceObject,
_In_ PIRP Irp
);
NTSTATUS CompleteRequest(
PIRP Irp,
NTSTATUS status = STATUS_SUCCESS,
ULONG_PTR info = 0
);
NTSTATUS JonMonDeviceControl(
_In_ PDEVICE_OBJECT,
_In_ PIRP Irp
);
VOID JonMonUnload(
_In_ PDRIVER_OBJECT DriverObject
);
VOID AlterPPL(
_In_ ULONG PID,
_In_ ULONG value
);
VOID ChangePPL();
#endif // !_DRIVER_
================================================
FILE: JonMon/jtime.h
================================================
#ifndef _JTIME_
#define _JTIME_
typedef unsigned short WORD;
typedef unsigned long DWORD;
typedef struct _SYSTEMTIME {
WORD wYear;
WORD wMonth;
WORD wDayOfWeek;
WORD wDay;
WORD wHour;
WORD wMinute;
WORD wSecond;
WORD wMilliseconds;
} SYSTEMTIME, * PSYSTEMTIME, * LPSYSTEMTIME;
typedef struct _FILETIME {
DWORD dwLowDateTime;
DWORD dwHighDateTime;
} FILETIME, * PFILETIME, * LPFILETIME;
#endif // !_JTIME_
================================================
FILE: JonMon/minifilter.cpp
================================================
#include "minifilter.h"
#include "process.h"
PAGED_FILE();
PFLT_FILTER gFilterHandle;
NTSTATUS
JonMonFilterUnload
(
_In_ FLT_FILTER_UNLOAD_FLAGS Flags
)
{
PAGED_CODE();
NTSTATUS status;
DbgPrint("In JonMonFilterUnload\n");
if (Flags == FLTFL_FILTER_UNLOAD_MANDATORY) {
FltUnregisterFilter(gFilterHandle);
status = STATUS_SUCCESS;
}
else {
status = STATUS_FLT_DO_NOT_DETACH;
}
return status;
}
_IRQL_requires_max_(PASSIVE_LEVEL)
FLT_POSTOP_CALLBACK_STATUS
FLTAPI
FilterPostCallback
(
_In_ PFLT_CALLBACK_DATA Data,
_In_ PCFLT_RELATED_OBJECTS FltObjects,
_In_ PVOID CompletionContext,
_In_ FLT_POST_OPERATION_FLAGS Flags
) {
UNREFERENCED_PARAMETER(Flags);
UNREFERENCED_PARAMETER(FltObjects);
UNREFERENCED_PARAMETER(CompletionContext);
HANDLE sourceThreadId = PsGetThreadId(Data->Thread);
ULONG currentProcessId = FltGetRequestorProcessId(Data);
ULONGLONG sourceProcStartKey = PsGetProcessStartKey(PsGetCurrentProcess());
FILETIME filetime;
NTSTATUS status;
PFLT_FILE_NAME_INFORMATION fileNameInfo = NULL;
if (Data->RequestorMode != UserMode) {
goto Exit;
}
if (currentProcessId == 4) {
goto Exit;
}
//
//go to exit if filename is null
//
if (Data->Iopb->TargetFileObject->FileName.Length == 0) {
goto Exit;
}
KeQuerySystemTime(&filetime);
switch (Data->Iopb->MajorFunction) {
case IRP_MJ_CREATE:
{
switch (Data->IoStatus.Information) {
case FILE_CREATED:
{
status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_ALWAYS_ALLOW_CACHE_LOOKUP, &fileNameInfo);
if (!NT_SUCCESS(status)) {
goto Exit;
}
TraceLoggingWrite(
g_hJonMon,
"FileCreate",
TraceLoggingInt32(10, "EventID"),
TraceLoggingValue(sourceThreadId, "SourceThreadId"),
TraceLoggingValue(currentProcessId, "SourceProcessId"),
TraceLoggingValue(sourceProcStartKey, "SourceProcStartKey"),
TraceLoggingWideString(fileNameInfo->Name.Buffer, "FileName"),
TraceLoggingFileTime(filetime, "EventTime")
);
break;
}
case FILE_OPENED:
{
if (FltObjects->FileObject->Flags & FO_MAILSLOT)
{
DWORD RequestedRights = Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess;
status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_ALWAYS_ALLOW_CACHE_LOOKUP, &fileNameInfo);
if (!NT_SUCCESS(status)) {
goto Exit;
}
TraceLoggingWrite(
g_hJonMon,
"MailslotOpen",
TraceLoggingInt32(14, "EventID"),
TraceLoggingValue(sourceThreadId, "SourceThreadId"),
TraceLoggingValue(currentProcessId, "SourceProcessId"),
TraceLoggingValue(sourceProcStartKey, "SourceProcStartKey"),
TraceLoggingWideString(fileNameInfo->Name.Buffer, "FileName"),
TraceLoggingValue(RequestedRights, "RequestedRights"),
TraceLoggingFileTime(filetime, "EventTime")
);
break;
}
if (FltObjects->FileObject->Flags & FO_NAMED_PIPE)
{
DWORD RequestedRights = Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess;
status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_ALWAYS_ALLOW_CACHE_LOOKUP, &fileNameInfo);
if (!NT_SUCCESS(status)) {
goto Exit;
}
TraceLoggingWrite(
g_hJonMon,
"NamedPipeConnection",
TraceLoggingInt32(12, "EventID"),
TraceLoggingValue(sourceThreadId, "SourceThreadId"),
TraceLoggingValue(currentProcessId, "SourceProcessId"),
TraceLoggingValue(sourceProcStartKey, "SourceProcStartKey"),
TraceLoggingWideString(fileNameInfo->Name.Buffer, "FileName"),
TraceLoggingValue(RequestedRights, "RequestedRights"),
TraceLoggingFileTime(filetime, "EventTime")
);
break;
}
break;
}
case FILE_SUPERSEDED:
{
if (Data->Iopb->TargetFileObject->FileName.Length == 0)
{
break;
}
status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_ALWAYS_ALLOW_CACHE_LOOKUP, &fileNameInfo);
if (!NT_SUCCESS(status)) {
DbgPrint("[IRP_MJ_CREATE] Failed to get file info for superseded file\n");
goto Exit;
}
//
// only report supersede requests flagged as remote origin
//
if (Data->Iopb->Parameters.Create.Options & FO_REMOTE_ORIGIN)
{
//
// only print if fileNameInfo->Name.Buffer contains pipe
//
if (wcsstr(fileNameInfo->Name.Buffer, L"\\pipe\\") != NULL) {
TraceLoggingWrite(
g_hJonMon,
"RemoteNamedPipeConnection",
TraceLoggingInt32(15, "EventID"),
TraceLoggingFileTime(filetime, "EventTime"),
TraceLoggingWideString(fileNameInfo->Name.Buffer, "FileName"),
TraceLoggingValue(currentProcessId, "SourceProcessId"),
TraceLoggingValue(sourceProcStartKey, "SourceProcStartKey"),
TraceLoggingValue(sourceThreadId, "SourceThreadId")
);
break;
}
}
if (Data->Iopb->Parameters.Create.Options == (FO_REMOTE_ORIGIN | FO_SEQUENTIAL_ONLY | FO_CACHE_SUPPORTED)) {
//
// only print if fileNameInfo->Name.Buffer contains mailslot
//
if (wcsstr(fileNameInfo->Name.Buffer, L"mailslot") != NULL) {
TraceLoggingWrite(
g_hJonMon,
"RemoteMailslotConnection",
TraceLoggingInt32(15, "EventID"),
TraceLoggingFileTime(filetime, "EventTime"),
TraceLoggingWideString(Data->Iopb->TargetFileObject->FileName.Buffer, "FileName"),
TraceLoggingValue(currentProcessId, "SourceProcessId"),
TraceLoggingValue(sourceProcStartKey, "SourceProcStartKey"),
TraceLoggingValue(sourceThreadId, "SourceThreadId")
);
break;
}
}
break;
}
default:
{
break;
}
}
break;
}
case IRP_MJ_CREATE_NAMED_PIPE:
{
DWORD RequestedRights = Data->Iopb->Parameters.CreatePipe.SecurityContext->DesiredAccess;
DWORD GrantedRights = Data->Iopb->Parameters.CreatePipe.SecurityContext->AccessState->PreviouslyGrantedAccess;
if (Data->IoStatus.Information == FILE_CREATED || Data->IoStatus.Information == FILE_OPENED)
{
status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_ALWAYS_ALLOW_CACHE_LOOKUP, &fileNameInfo);
if (!NT_SUCCESS(status)) {
DbgPrint("[IRP_MJ_CREATE_NAMED_PIPE] Failed to get file info\n");
goto Exit;
}
switch (Data->IoStatus.Information) {
case FILE_CREATED:
{
bool RemoteCreation = FALSE;
if (FltObjects->FileObject->Flags & FO_REMOTE_ORIGIN) {
DbgPrint(" Creation request came from remote machine\n");
RemoteCreation = TRUE;
}
TraceLoggingWrite(
g_hJonMon,
"NamedPipeCreate",
TraceLoggingInt32(11, "EventID"),
TraceLoggingValue(sourceThreadId, "SourceThreadId"),
TraceLoggingValue(currentProcessId, "SourceProcessId"),
TraceLoggingValue(sourceProcStartKey, "SourceProcStartKey"),
TraceLoggingWideString(fileNameInfo->Name.Buffer, "FileName"),
TraceLoggingValue(RequestedRights, "RequestedRights"),
TraceLoggingValue(GrantedRights, "GrantedRights"),
TraceLoggingFileTime(filetime, "EventTime")
);
break;
}
default:
{
break;
}
}
}
break;
}
case IRP_MJ_CREATE_MAILSLOT:
{
if (Data->IoStatus.Information == FILE_CREATED || Data->IoStatus.Information == FILE_OPENED) {
DWORD RequestedRights = Data->Iopb->Parameters.CreateMailslot.SecurityContext->DesiredAccess;
status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_ALWAYS_ALLOW_CACHE_LOOKUP, &fileNameInfo);
if (!NT_SUCCESS(status)) {
DbgPrint("[IRP_MJ_CREATE_MAILSLOT] Failed to get file info\n");
goto Exit;
}
switch (Data->IoStatus.Information)
{
case FILE_CREATED:
{
TraceLoggingWrite(
g_hJonMon,
"MailslotCreate",
TraceLoggingInt32(13, "EventID"),
TraceLoggingValue(sourceThreadId, "SourceThreadId"),
TraceLoggingValue(currentProcessId, "SourceProcessId"),
TraceLoggingValue(sourceProcStartKey, "SourceProcStartKey"),
TraceLoggingWideString(fileNameInfo->Name.Buffer, "FileName"),
TraceLoggingValue(RequestedRights, "RequestedRights"),
TraceLoggingFileTime(filetime, "EventTime")
);
break;
}
default:
{
break;
}
}
}
break;
}
default:
{
break;
}
}
Exit:
if(fileNameInfo != NULL)
{
FltReleaseFileNameInformation(fileNameInfo);
}
return FLT_POSTOP_FINISHED_PROCESSING;
}
//
// FilterPreCallback placeholder
//
_IRQL_requires_max_(APC_LEVEL)
FLT_PREOP_CALLBACK_STATUS
FLTAPI
FilterPreCallback
(
_In_ PFLT_CALLBACK_DATA Data,
_In_ PCFLT_RELATED_OBJECTS FltObjects,
_In_ PVOID* CompletionContext
) {
UNREFERENCED_PARAMETER(Data);
UNREFERENCED_PARAMETER(FltObjects);
UNREFERENCED_PARAMETER(CompletionContext);
PAGED_CODE();
return FLT_PREOP_SUCCESS_WITH_CALLBACK;
}
NTSTATUS
FltCallbackStart
(
_In_ PDRIVER_OBJECT DriverObject
)
{
PAGED_CODE();
NTSTATUS status;
CONST FLT_OPERATION_REGISTRATION FileSystemOperationCallbacks[] = {
{
IRP_MJ_CREATE,
0,
NULL,
FilterPostCallback
},
{
IRP_MJ_CREATE_NAMED_PIPE,
0,
NULL,
FilterPostCallback
},
{
IRP_MJ_CREATE_MAILSLOT,
0,
NULL,
FilterPostCallback
},
{
IRP_MJ_OPERATION_END
}
};
CONST FLT_REGISTRATION FilterRegistration = {
sizeof(FLT_REGISTRATION),
FLT_REGISTRATION_VERSION,
FLTFL_REGISTRATION_SUPPORT_NPFS_MSFS,
NULL,
FileSystemOperationCallbacks,
JonMonFilterUnload,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
};
status = FltRegisterFilter(
DriverObject,
&FilterRegistration,
&gFilterHandle
);
if (!NT_SUCCESS(status)) {
DbgPrint("Failed FltRegisterFilter\n");
return status;
}
status = FltStartFiltering(gFilterHandle);
if (!NT_SUCCESS(status)) {
DbgPrint("Failed FltStartFiltering\n");
FltUnregisterFilter(gFilterHandle);
gFilterHandle = nullptr;
}
return status;
}
================================================
FILE: JonMon/minifilter.h
================================================
#ifndef _MINIFILTER_
#define _MINIFILTER_
#include "shared.h"
extern PFLT_FILTER gFilterHandle;
NTSTATUS
JonMonFilterUnload
(
_In_ FLT_FILTER_UNLOAD_FLAGS Flags
);
_IRQL_requires_max_(PASSIVE_LEVEL)
FLT_POSTOP_CALLBACK_STATUS
FLTAPI
FilterPostCallback
(
_In_ PFLT_CALLBACK_DATA Data,
_In_ PCFLT_RELATED_OBJECTS FltObjects,
_In_ PVOID CompletionContext,
_In_ FLT_POST_OPERATION_FLAGS Flags
);
_IRQL_requires_max_(APC_LEVEL)
FLT_PREOP_CALLBACK_STATUS
FLTAPI
FilterPreCallback
(
_In_ PFLT_CALLBACK_DATA Data,
_In_ PCFLT_RELATED_OBJECTS FltObjects,
_In_ PVOID* CompletionContext
);
NTSTATUS
FltCallbackStart
(
_In_ PDRIVER_OBJECT DriverObject
);
#endif // !_MINIFILTER_
================================================
FILE: JonMon/process.cpp
================================================
#include "process.h"
PAGED_FILE();
ZWQUERYINFORMATIONPROCESS ZwQueryInformationProcess;
NTSTATUS GetProcessImageName(HANDLE processId, PUNICODE_STRING ProcessImageName)
{
PAGED_CODE();
NTSTATUS status;
ULONG returnedLength;
ULONG bufferLength;
HANDLE hProcess = NULL;
PVOID buffer{};
PEPROCESS eProcess;
UNICODE_STRING routineName;
status = PsLookupProcessByProcessId(processId, &eProcess);
if (!NT_SUCCESS(status))
{
goto Exit;
}
status = ObOpenObjectByPointer(
eProcess,
OBJ_KERNEL_HANDLE, NULL,
0,
0,
KernelMode,
&hProcess);
//
// The EPROCESS reference taken by PsLookupProcessByProcessId must be
// released whether or not the handle open succeeded; the handle (if any)
// holds its own reference from here on
//
ObDereferenceObject(eProcess);
if (!NT_SUCCESS(status))
{
goto Exit;
}
if (!ZwQueryInformationProcess) {
RtlInitUnicodeString(&routineName, L"ZwQueryInformationProcess");
ZwQueryInformationProcess = (ZWQUERYINFORMATIONPROCESS)MmGetSystemRoutineAddress(&routineName);
if (ZwQueryInformationProcess == NULL) {
DbgPrint("Cannot resolve ZwQueryInformationProcess\n");
status = STATUS_NOT_FOUND;
goto Exit;
}
}
//
// First call with a zero-length buffer only to learn the required size
//
status = ZwQueryInformationProcess(hProcess, ProcessImageFileName, NULL, 0, &returnedLength);
if (status != STATUS_INFO_LENGTH_MISMATCH)
{
goto Exit;
}
bufferLength = returnedLength;
if (ProcessImageName->MaximumLength < bufferLength)
{
ProcessImageName->MaximumLength = (USHORT)bufferLength;
status = STATUS_BUFFER_OVERFLOW;
goto Exit;
}
buffer = ExAllocatePool2(POOL_FLAG_PAGED, bufferLength, PROCESS_TAG);
if (buffer == NULL)
{
status = STATUS_INSUFFICIENT_RESOURCES;
goto Exit;
}
status = ZwQueryInformationProcess(hProcess, ProcessImageFileName, buffer, bufferLength, &bufferLength);
if (!NT_SUCCESS(status))
{
goto Exit;
}
RtlCopyUnicodeString(ProcessImageName, (PUNICODE_STRING)buffer);
//Adding null terminator
ProcessImageName->Buffer[ProcessImageName->Length / sizeof(UNICODE_NULL)] = UNICODE_NULL;
Exit:
if(hProcess != NULL)
{
ZwClose(hProcess);
}
if (buffer != NULL)
{
ExFreePoolWithTag(buffer, PROCESS_TAG);
}
return status;
}
================================================
FILE: JonMon/process.h
================================================
#ifndef _PROCESS_
#define _PROCESS_
#include "shared.h"
typedef NTSTATUS(*ZWQUERYINFORMATIONPROCESS) (
__in HANDLE ProcessHandle,
__in PROCESSINFOCLASS ProcessInformationClass,
__out_bcount(ProcessInformationLength) PVOID ProcessInformation,
__in ULONG ProcessInformationLength,
__out_opt PULONG ReturnLength
);
NTSTATUS GetProcessImageName(HANDLE processId, PUNICODE_STRING ProcessImageName);
NTSTATUS GetProcessToken(HANDLE processId, PHANDLE hToken);
#endif // !_PROCESS_
================================================
FILE: JonMon/registry.cpp
================================================
#include "registry.h"
#include "shared.h"
#include "process.h"
#include
PAGED_FILE();
NTSTATUS
GetRegistryKeyPath(
_In_ PVOID object,
_In_ ULONG tag,
_Out_ PCWSTR* keyPath
) {
PCUNICODE_STRING registryPath = NULL;
NTSTATUS status;
PWCHAR buffer = NULL;
ULONG bufferSize;
PAGED_CODE();
*keyPath = NULL;
status = CmCallbackGetKeyObjectIDEx(&Cookie, object, NULL, &registryPath, 0);
if (!NT_SUCCESS(status)) {
DbgPrint("CmCallbackGetKeyObjectIDEx failed. Status 0x%x\n", status);
goto Exit;
}
if (registryPath == NULL) {
status = STATUS_UNSUCCESSFUL;
goto Exit;
}
// Allocate a buffer large enough for the registry path plus a terminating null (sizes in WCHARs)
bufferSize = (registryPath->Length / sizeof(WCHAR)) + 1;
buffer = (PWCHAR)ExAllocatePool2(POOL_FLAG_PAGED, bufferSize * sizeof(WCHAR), tag);
if (buffer == NULL) {
status = STATUS_INSUFFICIENT_RESOURCES;
DbgPrint("GetRegistryKeyPath - ExAllocatePool2 failed. Status 0x%x\n", status);
goto Exit;
}
// Zero the whole allocation (byte count, not WCHAR count), copy the path and add the null terminator
RtlZeroMemory(buffer, bufferSize * sizeof(WCHAR));
RtlCopyMemory(buffer, registryPath->Buffer, registryPath->Length);
buffer[bufferSize - 1] = UNICODE_NULL;
*keyPath = buffer;
status = STATUS_SUCCESS;
Exit:
if (registryPath != NULL) {
CmCallbackReleaseKeyObjectIDEx(registryPath);
}
return status;
}
================================================
FILE: JonMon/registry.h
================================================
#ifndef _REGISTRY_
#define _REGISTRY_
#include
//
// Structure to hold registry callback info
//
typedef struct _REG_SET_VALUE_CALLBACK_INFO
{
PEPROCESS SourceProcess;
HANDLE SourceProcessId;
HANDLE SourceThreadId;
PETHREAD SourceThread;
ULONG Type;
PCWSTR KeyPath;
PVOID Data;
ULONG DataSize;
UNICODE_STRING ValueName;
} REG_SET_VALUE_CALLBACK_INFO, * PREG_SET_VALUE_CALLBACK_INFO;
typedef struct _REG_CREATE_KEY_CALLBACK_INFO
{
HANDLE SourceProcessId;
ULONGLONG ProcStartKey;
PETHREAD SourceThread;
HANDLE SourceThreadId;
ACCESS_MASK DesiredAccess;
UNICODE_STRING KeyPath;
} REG_CREATE_KEY_CALLBACK_INFO, * PREG_CREATE_KEY_CALLBACK_INFO;
typedef struct _REG_DELETE_KEY_CALLBACK_INFO
{
PEPROCESS SourceProcess;
HANDLE SourceProcessId;
HANDLE SourceThreadId;
PCWSTR KeyPath;
} REG_DELETE_KEY_CALLBACK_INFO, * PREG_DELETE_KEY_CALLBACK_INFO;
NTSTATUS
GetRegistryKeyPath(
_In_ PVOID object,
_In_ ULONG tag,
_Out_ PCWSTR* keyPath
);
VOID
SendSetValueRegistryInfo(
_In_ PVOID StartContext
);
VOID
DeleteKey(
_In_ PVOID context,
_In_ PREG_DELETE_KEY_INFORMATION info
);
VOID
CreateKey(
_In_ PVOID StartContext
);
VOID
SaveKey(
_In_ PVOID context,
_In_ PREG_SAVE_KEY_INFORMATION info
);
#endif // !_REGISTRY_
================================================
FILE: JonMon/shared.h
================================================
#ifndef _SHARED_
#define _SHARED_
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define INVALID_HANDLE_VALUE ((HANDLE)(LONG_PTR)-1)
TRACELOGGING_DECLARE_PROVIDER(g_hJonMon);
/*
TraceLogging Event Schema:
---- Security Events ----
EID 1 - Process Creation
EID 2 - Process Termination
EID 3 - Remote Thread Creation
EID 4 - Load Image
EID 5 - ProcessHandle (OpenProcess/DuplicateHandle)
EID 6 - RegistrySaveKey
EID 7 - RegistryDeleteKey
EID 8 - RegistrySetValue
EID 9 - RegistryCreateKey
EID 10 - FileOperation (CreateFile)
EID 11 - NamedPipeCreation
EID 12 - NamedPipeConnection
EID 13 - MailslotCreation
EID 14 - MailslotConnection
EID 15 - RemoteFileConnection (Named Pipes/Mailslots)
---- Debug/Informational Events ----
EID 100 - TraceLogging Provider Registered (True or False)
EID 101 - Event Schema Configuration
EID 102 - Protection Level Changed
*/
//
// https://github.com/winsiderss/systeminformer/blob/0e3d514e23cf4813ba5895c74b6d596c8966e1b3/KSystemInformer/include/kph.h#L31
//
#define PAGED_PASSIVE()\
PAGED_CODE()\
NT_ASSERT(KeGetCurrentIrql() == PASSIVE_LEVEL)
//
// https://github.com/winsiderss/systeminformer/blob/0e3d514e23cf4813ba5895c74b6d596c8966e1b3/KSystemInformer/include/kph.h#L31
//
#define PAGED_FILE() \
__pragma(bss_seg("PAGEBBS"))\
__pragma(code_seg("PAGE"))\
__pragma(data_seg("PAGEDATA"))\
__pragma(const_seg("PAGERO"))
/*
* Pool tags used in the different memory allocation scenarios
*/
#define DRIVER_TAG 'monj'
#define REGISTRY_TAG 'regj'
#define PROCESS_TAG 'prcj'
#define THREAD_TAG 'thrj'
#define TOKEN_TAG 'tknj'
#define FILE_TAG 'flj'
#define CALBACK_TAG 'clkj'
#define SYSTEM_THREAD_TAG 'rhsj'
#define MAX_ALLOC 260
extern LARGE_INTEGER Cookie;
typedef struct _SYSTEM_PROCESS_INFORMATION {
ULONG NextEntryOffset;
ULONG NumberOfThreads;
LARGE_INTEGER Reserved[3];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ImageName;
KPRIORITY BasePriority;
HANDLE ProcessId;
HANDLE InheritedFromProcessId;
} SYSTEM_PROCESS_INFORMATION, * PSYSTEM_PROCESS_INFORMATION;
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemProcessInformation = 5,
} SYSTEM_INFORMATION_CLASS;
typedef struct _LIST_ENTRY* PLIST_ENTRY;
typedef struct _THREAD_LIST_ENTRY* PTHREAD_LIST_ENTRY;
typedef struct _THREAD_LIST_ENTRY {
PLIST_ENTRY PrevThread;
PLIST_ENTRY NextThread;
PETHREAD Thread;
} THREAD_LIST_ENTRY, * PTHREAD_LIST_ENTRY;
#endif // !_SHARED_
================================================
FILE: JonMon-Service/JonMon-Service.vcxproj
================================================
(MSBuild project XML; the element tags were lost in extraction and only the property values survived. Recoverable settings: configurations Debug and Release for the ARM, Win32 and x64 platforms; project version 16.0; keyword Win32Proj; project GUID {bf810292-3774-41a4-b51e-cef92e26894a}; root namespace JonMonService; target platform version 10.0; configuration type Application; platform toolset v143; character set Unicode; warning level Level3; preprocessor definition sets WIN32;_DEBUG;_CONSOLE, WIN32;NDEBUG;_CONSOLE, _DEBUG;_CONSOLE and NDEBUG;_CONSOLE; additional include directory ..\Libs; runtime libraries MultiThreadedDebug and MultiThreaded; subsystem Console; UseLinkTimeCodeGeneration.)
================================================
FILE: JonMon-Service/JonMonService.cpp
================================================
#include
#include
#include
#include "etwMain.h"
#include "service.h"
#include "config.h"
#pragma comment(lib, "setupapi.lib")
int wmain(int argc, wchar_t* argv[])
{
if (argc < 2) {
printf("Usage: JonMon-Service.exe <-etw|-i|-s|-u|-c|-h> [ConfigPath]\n");
return 1;
}
std::wstring VariantString(argv[1]);
std::wstring ConfigPath = L"JonMonConfig.json";
EventSchema_Full eventSchema = { 0 };
if (argc == 3) {
ConfigPath = argv[2];
}
BOOL FileCopy = CopyFileW(ConfigPath.c_str(), L"C:\\Windows\\JonMonConfig.json", FALSE);
if (FileCopy != TRUE) {
printf("[-] JonMonConfig.json did not copy to C:\\Windows\\JonMonConfig.json\n");
}
int result = ConfigFile(L"C:\\Windows\\JonMonConfig.json", &eventSchema);
if (result != 0) {
printf("[-] Failed to read C:\\Windows\\JonMonConfig.json; all event types default to disabled\n");
}
if (VariantString == L"-etw") {
//Copying resource file to C:\Windows and installing manifest
FileCopy = CopyFileW(L"JonMon.dll", L"C:\\Windows\\JonMon.dll", FALSE);
if (FileCopy != TRUE) {
printf("[-] JonMon.dll did not copy to C:\\Windows\\JonMon.dll\n");
}
else {
printf("[*] JonMon.dll copied\n");
}
DWORD status = InstallManifest();
if (status != 0) {
printf("[-] InstallManifest Failed\n");
}
TraceEvent(L"JonMonDebug", JonMonDebugGuid, &eventSchema);
}
if (VariantString == L"-c")
{
std::wcout << L"JonMon EventSchema: " << std::endl;
std::wcout << L"ProcessCreationEvents: " << (eventSchema.ProcessCreation_Events ? L"True" : L"False") << std::endl;
std::wcout << L"FileEvents: " << (eventSchema.File_Events ? L"True" : L"False") << std::endl;
std::wcout << L"ProcessTerminationEvents: " << (eventSchema.ProcessTermination_Events ? L"True" : L"False") << std::endl;
std::wcout << L"RegistryEvents: " << (eventSchema.Registry_Events ? L"True" : L"False") << std::endl;
std::wcout << L"ProcessHandleCreationEvents: " << (eventSchema.ProcessHandleCreation_Events ? L"True" : L"False") << std::endl;
std::wcout << L"ProcessHandleDuplicationEvents: " << (eventSchema.ProcessHandleDuplication_Events ? L"True" : L"False") << std::endl;
std::wcout << L"RemoteThreadCreationEvents: " << (eventSchema.RemoteThreadCreation_Events ? L"True" : L"False") << std::endl;
std::wcout << L"ImageLoadEvents: " << (eventSchema.ImageLoad_Events ? L"True" : L"False") << std::endl;
std::wcout << L"RPCEvents: " << (eventSchema.RPC_Events ? L"True" : L"False") << std::endl;
std::wcout << L"NetworkEvents: " << (eventSchema.Network_Events ? L"True" : L"False") << std::endl;
std::wcout << L"DotNetLoadEvents: " << (eventSchema.DotNetLoad_Events ? L"True" : L"False") << std::endl;
std::wcout << L"AMSIEvents: " << (eventSchema.AMSI_Events ? L"True" : L"False") << std::endl;
std::wcout << L"SchedTaskEvents: " << (eventSchema.SchedTask_Events ? L"True" : L"False") << std::endl;
std::wcout << L"WMIEventSubscriptionEvents: " << (eventSchema.WMIEventSubscription_Events ? L"True" : L"False") << std::endl;
std::wcout << L"CryptUnprotectEvents: " << (eventSchema.CryptUnprotect_Events ? L"True" : L"False") << std::endl;
std::wcout << L"ThreatIntelligenceEvents: " << (eventSchema.ThreatIntelligence_Events ? L"True" : L"False") << std::endl;
std::wcout << L"ThreatIntelligenceEvents RemoteReadProcessMemory: " << (eventSchema.ThreatIntelligence_Events_RemoteReadProcessMemory ? L"True" : L"False") << std::endl;
std::wcout << L"ThreatIntelligenceEvents RemoteWriteProcessMemory: " << (eventSchema.ThreatIntelligence_Events_RemoteWriteProcessMemory ? L"True" : L"False") << std::endl;
std::wcout << L"ThreatIntelligenceEvents RemoteVirtualAllocation: " << (eventSchema.ThreatIntelligence_Events_RemoteVirtualAllocation ? L"True" : L"False") << std::endl;
std::wcout << L"ThreatIntelligenceEvents RemoteQueueUserAPC: " << (eventSchema.ThreatIntelligence_Events_RemoteQueueUserAPC ? L"True" : L"False") << std::endl;
std::wcout << L"TokenImpersonationEvents: " << (eventSchema.TokenImpersonation_Events ? L"True" : L"False") << std::endl;
std::wcout << L"ConfigVersion: " << eventSchema.ConfigVersion << std::endl;
std::wcout << L"JonMonVersion: " << eventSchema.JonMonVersion << std::endl;
EventSchema_KM eventSchemaKM = { 0 };
eventSchemaKM.ConfigSet = eventSchema.ConfigSet;
eventSchemaKM.ProcessCreation = eventSchema.ProcessCreation_Events;
eventSchemaKM.ProcessTermination = eventSchema.ProcessTermination_Events;
eventSchemaKM.ProcessHandleCreation = eventSchema.ProcessHandleCreation_Events;
eventSchemaKM.ProcessHandleDuplication = eventSchema.ProcessHandleDuplication_Events;
eventSchemaKM.RemoteThreadCreation = eventSchema.RemoteThreadCreation_Events;
eventSchemaKM.ImageLoad = eventSchema.ImageLoad_Events;
eventSchemaKM.File = eventSchema.File_Events;
eventSchemaKM.Registry = eventSchema.Registry_Events;
eventSchemaKM.ConfigVersion = eventSchema.ConfigVersion;
eventSchemaKM.JonMonVersion = eventSchema.JonMonVersion;
}
if (VariantString == L"-i") {
//Copying resource file to C:\Windows and installing manifest
printf("[*] Starting JonMon Installation Process....\n");
FileCopy = CopyFileW(L"JonMon.dll", L"C:\\Windows\\JonMon.dll", FALSE);
if (FileCopy != TRUE) {
printf("[-] JonMon.dll did not copy to C:\\Windows\\JonMon.dll\n");
}
DWORD status = InstallManifest();
if (status != 0) {
printf("[-] InstallManifest Failed\n");
}
FileCopy = CopyFileW(L"JonMon.sys", L"C:\\Windows\\JonMon.sys", FALSE);
if (FileCopy != TRUE) {
printf("[-] JonMon.sys did not copy to C:\\Windows\\JonMon.sys\n");
}
FileCopy = CopyFileW(L"JonMon-Service.exe", L"C:\\Windows\\JonMon-Service.exe", FALSE);
if (FileCopy != TRUE) {
printf("[-] JonMon-Service.exe did not copy to C:\\Windows\\JonMon-Service.exe\n");
}
FileCopy = CopyFileW(L".\\Extensions\\JonMon-Ext1.dll", L"C:\\Windows\\JonMon-Ext1.dll", FALSE);
if (FileCopy != TRUE) {
printf("[-] JonMon-Ext1.dll did not copy to C:\\Windows\\JonMon-Ext1.dll\n");
}
else {
printf("[*] JonMon-Ext1.dll copied\n");
}
printf("[*] Installing JonMonDrv Service....\n");
status = CreateCustomService(L"JonMonDrv", L"C:\\Windows\\JonMon.sys", SERVICE_KERNEL_DRIVER);
printf("[*] JonMonDrv Service Installed\n");
//
// --- Start Minifilter Settings ---
//
printf("[*] Adding Minifilter registry values....\n");
HKEY hKey = NULL;
DWORD value = 3;
status = RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SYSTEM\\CurrentControlSet\\Services\\JonMonDrv", 0, KEY_SET_VALUE, &hKey);
if (status != ERROR_SUCCESS || hKey == NULL) {
printf("[-] Failed to open registry key to JonMonDrv\n");
}
else {
status = RegSetKeyValueW(hKey, NULL, L"SupportedFeatures", REG_DWORD, &value, sizeof(value));
if (status != ERROR_SUCCESS) {
printf("[-] Failed to set registry value for SupportedFeatures\n");
}
RegCloseKey(hKey);
hKey = NULL;
}
LONG lRes = RegCreateKeyExW(HKEY_LOCAL_MACHINE, L"SYSTEM\\CurrentControlSet\\Services\\JonMonDrv\\Instances", 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hKey, NULL);
if (lRes != ERROR_SUCCESS) {
printf("[-] Failed to create registry key for Instances\n");
}
else {
lRes = RegSetValueExW(hKey, L"DefaultInstance", 0, REG_SZ, (const BYTE*)L"JonMon Instance", sizeof(L"JonMon Instance"));
if (lRes != ERROR_SUCCESS) {
printf("[-] Failed to set registry value for DefaultInstance\n");
}
RegCloseKey(hKey);
hKey = NULL;
}
lRes = RegCreateKeyExW(HKEY_LOCAL_MACHINE, L"SYSTEM\\CurrentControlSet\\Services\\JonMonDrv\\Instances\\JonMon Instance", 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hKey, NULL);
if (lRes != ERROR_SUCCESS) {
printf("[-] Failed to create registry key for JonMon Instance\n");
}
else {
lRes = RegSetValueExW(hKey, L"Altitude", 0, REG_SZ, (const BYTE*)L"385202", sizeof(L"385202"));
if (lRes != ERROR_SUCCESS) {
printf("[-] Failed to set registry value for Altitude\n");
}
value = 0;
status = RegSetKeyValueW(hKey, NULL, L"Flags", REG_DWORD, &value, sizeof(value));
if (status != ERROR_SUCCESS) {
printf("[-] Failed to set registry value for Flags\n");
}
RegCloseKey(hKey);
hKey = NULL;
}
printf("[*] Minifilter registry values added\n");
//
// --- Stop Minifilter Settings ---
//
status = CreateCustomService(L"JonMon", L"C:\\Windows\\JonMon-Service.exe -s", SERVICE_WIN32_OWN_PROCESS);
if (status != 0) {
printf("[-] InstallService Failed\n");
}
status = StartCustomService(L"JonMon");
if (status != 0) {
printf("[-] Failed to start JonMon\n");
}
EventSchema_KM eventSchemaKM = { 0 };
eventSchemaKM.ConfigSet = eventSchema.ConfigSet;
eventSchemaKM.ProcessCreation = eventSchema.ProcessCreation_Events;
eventSchemaKM.ProcessTermination = eventSchema.ProcessTermination_Events;
eventSchemaKM.ProcessHandleCreation = eventSchema.ProcessHandleCreation_Events;
eventSchemaKM.ProcessHandleDuplication = eventSchema.ProcessHandleDuplication_Events;
eventSchemaKM.RemoteThreadCreation = eventSchema.RemoteThreadCreation_Events;
eventSchemaKM.ImageLoad = eventSchema.ImageLoad_Events;
eventSchemaKM.File = eventSchema.File_Events;
eventSchemaKM.Registry = eventSchema.Registry_Events;
eventSchemaKM.ConfigVersion = eventSchema.ConfigVersion;
eventSchemaKM.JonMonVersion = eventSchema.JonMonVersion;
HANDLE hDevice = CreateFileW(L"\\\\.\\JonMon", GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
if (hDevice == INVALID_HANDLE_VALUE) {
printf("[-] Failed to open \\\\.\\JonMon. Error %u\n", GetLastError());
goto Exit;
}
// lpBytesReturned must not be NULL for a synchronous DeviceIoControl call
DWORD bytesReturned = 0;
if (!DeviceIoControl(hDevice, IOCTL_EVENT_CONFIGURATION, &eventSchemaKM, sizeof(eventSchemaKM), NULL, 0, &bytesReturned, NULL)) {
printf("[-] Failed to send event configuration to the driver. Error %u\n", GetLastError());
}
CloseHandle(hDevice);
}
if (VariantString == L"-s") {
DWORD status = StartCustomService(L"JonMonDrv");
if (status != 0) {
printf("[-] Failed to start JonMonDrv\n");
}
//Starting service for JonMon-Service.exe
SERVICE_TABLE_ENTRYW serviceTable[] =
{
{ const_cast<LPWSTR>(L""), (LPSERVICE_MAIN_FUNCTIONW)ServiceMain },
{ NULL, NULL }
};
if (!StartServiceCtrlDispatcherW(serviceTable))
{
// Failed to start service control dispatcher
return GetLastError();
}
}
if (VariantString == L"-u") {
printf("[*] Starting JonMon Uninstallation Process....\n");
DWORD status = StopCustomService(L"JonMonDrv");
if (status != 0) {
printf("[-] Failed to stop JonMonDrv\n");
}
status = DeleteCustomService(L"JonMonDrv");
if (status != 0) {
printf("[-] Failed to delete JonMonDrv\n");
}
status = StopCustomService(L"JonMon");
if (status != 0) {
printf("[-] Failed to stop JonMon\n");
}
status = DeleteCustomService(L"JonMon");
if (status != 0) {
printf("[-] Failed to delete JonMon\n");
}
printf("[*] Deregistering JonMon Provider\n");
status = StopETWTrace();
printf("[*] Removing Files....\n");
DeleteFileW(L"C:\\Windows\\JonMon.sys");
DeleteFileW(L"C:\\Windows\\JonMon-Service.exe");
DeleteFileW(L"C:\\Windows\\JonMon-Ext1.dll");
DeleteFileW(L"C:\\Windows\\JonMon.dll");
DeleteFileW(L"C:\\Windows\\JonMonConfig.json");
printf("[*] JonMon Uninstallation Complete\n");
}
if (VariantString == L"-h") {
printf("Usage: 'JonMon-Service.exe -etw' will start an ETW trace called JonMon to collect events from various providers\n");
printf("Usage: 'JonMon-Service.exe -i' will install the JonMon Services and Driver\n");
printf("Usage: 'JonMon-Service.exe -s' will start the JonMon Services and Driver\n");
printf("Usage: 'JonMon-Service.exe -u' will stop/uninstall all the JonMon Services\n");
printf("Usage: 'JonMon-Service.exe -c' will read the configuration file\n");
}
Exit:
return 0;
}
================================================
FILE: JonMon-Service/config.cpp
================================================
#include "config.h"
#include
#include
#include "nlohmann/json.hpp"
using json = nlohmann::json;
int ConfigFile(
_In_ std::wstring ConfigFile,
_Out_ EventSchema_Full* EventSchemaStruct
)
{
//
// Initialize the EventSchema structure
//
EventSchemaStruct->ConfigSet = true;
EventSchemaStruct->ProcessCreation_Events = false;
EventSchemaStruct->ProcessTermination_Events = false;
EventSchemaStruct->File_Events = false;
EventSchemaStruct->Registry_Events = false;
EventSchemaStruct->ProcessHandleCreation_Events = false;
EventSchemaStruct->ProcessHandleDuplication_Events = false;
EventSchemaStruct->RemoteThreadCreation_Events = false;
EventSchemaStruct->ImageLoad_Events = false;
EventSchemaStruct->RPC_Events = false;
EventSchemaStruct->Network_Events = false;
EventSchemaStruct->DotNetLoad_Events = false;
EventSchemaStruct->AMSI_Events = false;
EventSchemaStruct->SchedTask_Events = false;
EventSchemaStruct->WMIEventSubscription_Events = false;
EventSchemaStruct->CryptUnprotect_Events = false;
EventSchemaStruct->ThreatIntelligence_Events = false;
EventSchemaStruct->ThreatIntelligence_Events_RemoteReadProcessMemory = false;
EventSchemaStruct->ThreatIntelligence_Events_RemoteWriteProcessMemory = false;
EventSchemaStruct->ThreatIntelligence_Events_RemoteVirtualAllocation = false;
EventSchemaStruct->ThreatIntelligence_Events_RemoteQueueUserAPC = false;
EventSchemaStruct->TokenImpersonation_Events = false;
EventSchemaStruct->ConfigVersion = 0;
EventSchemaStruct->JonMonVersion = 0;
//
// Open the JSON configuration file
//
std::ifstream jsonFile(ConfigFile);
if (!jsonFile.is_open()) {
std::wcerr << "Failed to open file: " << ConfigFile << std::endl;
return 1;
}
json jsonData;
try {
jsonData = json::parse(jsonFile);
}
catch (const json::exception& e) {
// a malformed configuration file must not bring the installer/service down
std::wcerr << "Failed to parse configuration file: " << e.what() << std::endl;
return 1;
}
if (jsonData.contains("ConfigVersion")) {
std::string ConfigVersion = jsonData["ConfigVersion"];
EventSchemaStruct->ConfigVersion = std::stoi(ConfigVersion);
}
if (jsonData.contains("JonMonVersion")) {
std::string JonMonVersion = jsonData["JonMonVersion"];
EventSchemaStruct->JonMonVersion = std::stoi(JonMonVersion);
}
if (jsonData.contains("ProcessCreation_Events")) {
EventSchemaStruct->ProcessCreation_Events = jsonData["ProcessCreation_Events"];
}
if (jsonData.contains("File_Events")) {
EventSchemaStruct->File_Events = jsonData["File_Events"];
}
if (jsonData.contains("Registry_Events")) {
EventSchemaStruct->Registry_Events = jsonData["Registry_Events"];
}
if (jsonData.contains("ProcessTermination_Events")) {
EventSchemaStruct->ProcessTermination_Events = jsonData["ProcessTermination_Events"];
}
if (jsonData.contains("ProcessHandleCreation_Events")) {
EventSchemaStruct->ProcessHandleCreation_Events = jsonData["ProcessHandleCreation_Events"];
}
if (jsonData.contains("ProcessHandleDuplication_Events")) {
EventSchemaStruct->ProcessHandleDuplication_Events = jsonData["ProcessHandleDuplication_Events"];
}
if (jsonData.contains("RemoteThreadCreation_Events")) {
EventSchemaStruct->RemoteThreadCreation_Events = jsonData["RemoteThreadCreation_Events"];
}
if (jsonData.contains("ImageLoad_Events")) {
EventSchemaStruct->ImageLoad_Events = jsonData["ImageLoad_Events"];
}
if(jsonData.contains("RPC_Events")) {
EventSchemaStruct->RPC_Events = jsonData["RPC_Events"];
}
if(jsonData.contains("Network_Events")) {
EventSchemaStruct->Network_Events = jsonData["Network_Events"];
}
if(jsonData.contains("DotNetLoad_Events")) {
EventSchemaStruct->DotNetLoad_Events = jsonData["DotNetLoad_Events"];
}
if(jsonData.contains("AMSI_Events")) {
EventSchemaStruct->AMSI_Events = jsonData["AMSI_Events"];
}
if(jsonData.contains("SchedTask_Events")) {
EventSchemaStruct->SchedTask_Events = jsonData["SchedTask_Events"];
}
if (jsonData.contains("WMIEventSubscription_Events")) {
EventSchemaStruct->WMIEventSubscription_Events = jsonData["WMIEventSubscription_Events"];
}
if (jsonData.contains("CryptUnprotect_Events")) {
EventSchemaStruct->CryptUnprotect_Events = jsonData["CryptUnprotect_Events"];
}
if (jsonData.contains("ThreatIntelligence_Events") && jsonData["ThreatIntelligence_Events"].is_object()) {
//
// value() with a default reads a missing sub-key as false; operator[] on a
// missing key would insert a null and then throw on the conversion to bool.
//
const json& ti = jsonData["ThreatIntelligence_Events"];
EventSchemaStruct->ThreatIntelligence_Events_RemoteReadProcessMemory = ti.value("RemoteReadProcessMemory", false);
EventSchemaStruct->ThreatIntelligence_Events_RemoteWriteProcessMemory = ti.value("RemoteWriteProcessMemory", false);
EventSchemaStruct->ThreatIntelligence_Events_RemoteVirtualAllocation = ti.value("RemoteVirtualAllocation", false);
EventSchemaStruct->ThreatIntelligence_Events_RemoteQueueUserAPC = ti.value("RemoteQueueUserAPC", false);
//
// The parent flag is derived: the provider is enabled if any sub-event is on.
//
if (EventSchemaStruct->ThreatIntelligence_Events_RemoteReadProcessMemory || EventSchemaStruct->ThreatIntelligence_Events_RemoteWriteProcessMemory || EventSchemaStruct->ThreatIntelligence_Events_RemoteVirtualAllocation || EventSchemaStruct->ThreatIntelligence_Events_RemoteQueueUserAPC) {
EventSchemaStruct->ThreatIntelligence_Events = true;
}
}
if (jsonData.contains("TokenImpersonation_Events")) {
EventSchemaStruct->TokenImpersonation_Events = jsonData["TokenImpersonation_Events"];
}
return 0;
}
================================================
FILE: JonMon-Service/config.h
================================================
#pragma once
#include <string>
struct EventSchema_KM {
bool ConfigSet;
bool ProcessCreation;
bool ProcessTermination;
bool ProcessHandleCreation;
bool ProcessHandleDuplication;
bool RemoteThreadCreation;
bool ImageLoad;
bool File;
bool Registry;
int ConfigVersion;
int JonMonVersion;
};
struct EventSchema_Full {
bool ConfigSet;
bool ProcessCreation_Events; // KM Event
bool ProcessTermination_Events; // KM Event
bool ProcessHandleCreation_Events; // KM Event
bool ProcessHandleDuplication_Events; // KM Event
bool RemoteThreadCreation_Events; // KM Event
bool ImageLoad_Events; // KM Event
bool File_Events; // KM Event
bool Registry_Events; // KM Event
bool RPC_Events; // UM Event
bool Network_Events; // UM Event
bool DotNetLoad_Events; // UM Event
bool AMSI_Events; // UM Event
bool SchedTask_Events; // UM Event
bool WMIEventSubscription_Events; // UM Event
bool CryptUnprotect_Events; // UM Event
bool ThreatIntelligence_Events; // UM Event
bool ThreatIntelligence_Events_RemoteReadProcessMemory; // UM Event
bool ThreatIntelligence_Events_RemoteWriteProcessMemory; // UM Event
bool ThreatIntelligence_Events_RemoteVirtualAllocation; // UM Event
bool ThreatIntelligence_Events_RemoteQueueUserAPC; // UM Event
bool TokenImpersonation_Events; // UM Event
int ConfigVersion;
int JonMonVersion;
};
int ConfigFile(
_In_ std::wstring ConfigFile,
_Out_ EventSchema_Full* EventSchemaStruct
);
================================================
FILE: JonMon-Service/context.cpp
================================================
#include <Windows.h>
#include <iostream>
#include "context.h"
#include <mutex>
#include <thread>
#include <chrono>
#include <vector>
std::vector<ProcessInformation> processList;
std::vector<ProcessInformation> initialProcessList;
//
// Mutexes to protect access to the process lists
//
std::mutex processListMutex; // Mutex to protect access to processList
std::mutex initialProcessListMutex; // Mutex to protect access to initialProcessList
//
// Function to enumerate the processes running at start-up and store them in
// initialProcessList. The list holds copies, so the per-iteration records
// live on the stack and nothing has to be freed on the early-continue paths.
//
void InitialProcesses()
{
HANDLE hProcessSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hProcessSnapshot == INVALID_HANDLE_VALUE) {
return;
}
PROCESSENTRY32 pe32;
pe32.dwSize = sizeof(PROCESSENTRY32);
// Retrieve information about the first process
if (!Process32First(hProcessSnapshot, &pe32)) {
goto Exit;
}
// Loop through the processes in the snapshot
do {
// Get the process ID
DWORD processID = pe32.th32ProcessID;
//
// Skip PID 4 (System); it has no user-mode image or token to query
//
if (processID == 4)
{
continue;
}
WCHAR processName[MAX_PATH] = L"";
// Open the process with the least access that still allows the image path query
HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, processID);
if (hProcess == NULL) {
continue;
}
//
// Get token information
//
TokenInformation tokenInformation{};
DWORD status = GetUserInformation(processID, &tokenInformation);
if (status != 0) {
std::wcout << L"GetUserInformation failed: " << status << std::endl;
CloseHandle(hProcess);
continue;
}
ProcessInformation processInformation{};
processInformation.processId = processID;
processInformation.authenticationId = tokenInformation.authenticationId;
processInformation.integrityLevel = tokenInformation.integrityLevel;
processInformation.sessionId = tokenInformation.sessionId;
processInformation.tokenType = tokenInformation.tokenType;
processInformation.userName = tokenInformation.userName;
processInformation.linkedAuthenticationId = tokenInformation.linkedAuthenticationId;
// Get the full process image name as an NT device path (\Device\HarddiskVolumeN\...)
DWORD size = MAX_PATH; // in: buffer size in characters; out: characters written
if (QueryFullProcessImageName(hProcess, PROCESS_NAME_NATIVE, processName, &size)) {
processInformation.processName = processName;
std::lock_guard<std::mutex> lock(initialProcessListMutex);
initialProcessList.push_back(processInformation);
}
CloseHandle(hProcess); // Close handle to process
} while (Process32Next(hProcessSnapshot, &pe32)); // Continue with the next process
// Clean up the snapshot object
Exit:
CloseHandle(hProcessSnapshot);
return;
}
DWORD GetUserInformation(
_In_ DWORD processId,
_Out_ PTokenInformation tokenInformation
)
{
DWORD status = 0;
HANDLE hToken = NULL;
HANDLE hProcess = NULL;
DWORD dwLengthNeeded;
PTOKEN_LINKED_TOKEN pTokenLinkedToken = NULL;
hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, processId);
if (hProcess == NULL)
{
std::wcout << L"OpenProcess failed: " << GetLastError() << std::endl;
return 1;
}
if (!OpenProcessToken(hProcess, TOKEN_QUERY, &hToken))
{
std::wcout << L"OpenProcessToken failed: " << GetLastError() << std::endl;
CloseHandle(hProcess);
return 1;
}
status = GetTokenUserInfo(hToken, tokenInformation->userName);
if (status != 0)
{
std::wcout << L"GetTokenUserInfo failed: " << status << std::endl;
goto Exit;
}
// Get Token Type
dwLengthNeeded = 0;
if (!GetTokenInformation(hToken, TokenType, &tokenInformation->tokenType, sizeof(DWORD), &dwLengthNeeded))
{
status = GetLastError();
std::wcout << L"GetTokenInformation (TokenType) failed: " << status << std::endl;
goto Exit;
}
// Get Authentication ID
status = GetAuthenticationId(hToken, &tokenInformation->authenticationId);
if (status != 0)
{
std::wcout << L"GetAuthenticationId failed: " << status << std::endl;
goto Exit;
}
// Get Session ID
dwLengthNeeded = 0;
if (!GetTokenInformation(hToken, TokenSessionId, &tokenInformation->sessionId, sizeof(DWORD), &dwLengthNeeded))
{
status = GetLastError();
std::wcout << L"GetTokenInformation (SessionId) failed: " << status << std::endl;
goto Exit;
}
// Get Linked Authentication ID
pTokenLinkedToken = (PTOKEN_LINKED_TOKEN)LocalAlloc(LPTR, sizeof(TOKEN_LINKED_TOKEN));
if (pTokenLinkedToken == NULL)
{
status = GetLastError();
std::wcout << L"LocalAlloc for pTokenLinkedToken failed: " << status << std::endl;
goto Exit;
}
if (!GetTokenInformation(hToken, TokenLinkedToken, pTokenLinkedToken, sizeof(TOKEN_LINKED_TOKEN), &dwLengthNeeded))
{
status = GetLastError();
if (status == ERROR_NO_SUCH_LOGON_SESSION)
{
//
// No linked token (SYSTEM, or a logon that is not UAC-split): record a
// zero LUID and clear status so this is not reported as a failure.
//
tokenInformation->linkedAuthenticationId.LowPart = 0;
tokenInformation->linkedAuthenticationId.HighPart = 0;
status = 0;
}
else
{
std::wcout << L"GetTokenInformation (LinkedToken) failed: " << status << std::endl;
goto Exit;
}
}
else if (pTokenLinkedToken->LinkedToken != NULL)
{
status = GetAuthenticationId(pTokenLinkedToken->LinkedToken, &tokenInformation->linkedAuthenticationId);
if (status != 0)
{
std::wcout << L"GetAuthenticationId (LinkedToken) failed: " << status << std::endl;
goto Exit;
}
}
else
{
tokenInformation->linkedAuthenticationId.LowPart = 0;
tokenInformation->linkedAuthenticationId.HighPart = 0;
}
// Get Integrity Level
status = GetMandatoryLabel(hToken, tokenInformation->integrityLevel);
if (status != 0)
{
std::wcout << L"GetMandatoryLabel failed: " << status << std::endl;
goto Exit;
}
Exit:
if (pTokenLinkedToken != NULL)
{
if (pTokenLinkedToken->LinkedToken != NULL)
{
CloseHandle(pTokenLinkedToken->LinkedToken);
}
LocalFree(pTokenLinkedToken);
}
if (hToken != NULL)
{
CloseHandle(hToken);
}
if (hProcess != NULL)
{
CloseHandle(hProcess);
}
return status;
}
//
// Query the process lists for the record of a given process id.
//
// Caveat: the returned pointer refers to an element inside initialProcessList
// or processList. It is only valid until the next push_back() (which may
// reallocate) or ClearProcessList() on that vector, and both happen on other
// threads, so callers must consume it immediately and must not cache it.
// Copying the record out while the lock is held is the safer design.
//
PProcessInformation GetProcessName(
_In_ DWORD processId) {
{
std::lock_guard lock(initialProcessListMutex);
for (auto& process : initialProcessList) {
if (process.processId == processId) {
return &process;
}
}
}
{
std::lock_guard lock(processListMutex);
for (auto& process : processList) {
if (process.processId == processId) {
return &process;
}
}
}
return nullptr;
}
void ClearProcessList() {
//
// lock the process list using a mutex
//
std::lock_guard lock(processListMutex); // Locks the mutex
//
// Clear the existing processList to avoid duplication
//
processList.clear();
}
void GetProcessList() {
// Take a snapshot of all processes in the system
HANDLE hProcessSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hProcessSnapshot == INVALID_HANDLE_VALUE) {
return;
}
PROCESSENTRY32 pe32;
pe32.dwSize = sizeof(PROCESSENTRY32);
// Retrieve information about the first process
if (!Process32First(hProcessSnapshot, &pe32)) {
goto Exit;
}
// Loop through the processes in the snapshot
do {
DWORD processID = pe32.th32ProcessID;
if (processID == 4) // Skip PID 4 (System)
continue;
//
// Skip processes that are already known. Both lists are written from other
// threads (InitialProcesses, ClearListPeriodically), so hold the matching
// mutex for each scan.
//
bool exists = false;
{
std::lock_guard<std::mutex> lock(initialProcessListMutex);
for (const auto& process : initialProcessList) {
if (process.processId == processID) {
exists = true;
break;
}
}
}
if (!exists) {
std::lock_guard<std::mutex> lock(processListMutex);
for (const auto& process : processList) {
if (process.processId == processID) {
exists = true;
break;
}
}
}
if (exists)
{
continue;
}
WCHAR processName[MAX_PATH] = L"";
HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, processID);
if (hProcess == NULL) {
continue;
}
// Token information for this iteration (stack record; the list stores a copy)
TokenInformation tokenInformation{};
DWORD status = GetUserInformation(processID, &tokenInformation);
if (status != 0) {
std::wcout << L"GetUserInformation failed: " << status << std::endl;
CloseHandle(hProcess);
continue;
}
// Populate processInformation
ProcessInformation processInformation{};
processInformation.processId = processID;
processInformation.authenticationId = tokenInformation.authenticationId;
processInformation.integrityLevel = tokenInformation.integrityLevel;
processInformation.sessionId = tokenInformation.sessionId;
processInformation.tokenType = tokenInformation.tokenType;
processInformation.userName = tokenInformation.userName;
processInformation.linkedAuthenticationId = tokenInformation.linkedAuthenticationId;
// Get the process name as an NT device path
DWORD size = MAX_PATH;
if (QueryFullProcessImageName(hProcess, PROCESS_NAME_NATIVE, processName, &size)) {
processInformation.processName = processName;
std::lock_guard<std::mutex> lock(processListMutex);
processList.push_back(processInformation);
}
CloseHandle(hProcess); // Close handle to process
} while (Process32Next(hProcessSnapshot, &pe32)); // Continue with the next process
// Clean up and exit
Exit:
CloseHandle(hProcessSnapshot);
}
//
// Function to periodically refresh the process list. The interval is short
// (100 ms) so that short-lived "sacrificial" processes are captured before
// they exit.
//
void UpdateProcessListPeriodically() {
while (true) {
GetProcessList();
std::this_thread::sleep_for(std::chrono::milliseconds(100));
}
}
void ClearListPeriodically() {
while (true) {
ClearProcessList();
//
// Pause for 5 seconds to allow the process list to be updated
//
std::this_thread::sleep_for(std::chrono::seconds(5));
}
}
DWORD GetTokenUserInfo(
_In_ HANDLE hToken,
_Out_ std::wstring& fullUserName
)
{
PTOKEN_USER pTokenUser = NULL;
DWORD status = 0;
DWORD dwLengthNeeded = 0;
DWORD dwSizeName;
DWORD dwSizeDomain;
WCHAR szName[256];
WCHAR szDomain[256];
WCHAR userName[514];
SID_NAME_USE eUse;
//
// The first call only sizes the buffer, so ERROR_INSUFFICIENT_BUFFER is the
// expected result. Capture GetLastError() before any other call can overwrite it.
//
if (!GetTokenInformation(hToken, TokenUser, NULL, 0, &dwLengthNeeded))
{
status = GetLastError();
if (status != ERROR_INSUFFICIENT_BUFFER)
{
std::wcout << L"GetTokenInformation failed: " << status << std::endl;
goto Exit;
}
status = 0;
}
pTokenUser = (PTOKEN_USER)LocalAlloc(LPTR, dwLengthNeeded);
if (pTokenUser == NULL)
{
status = GetLastError();
std::wcout << L"LocalAlloc failed: " << status << std::endl;
goto Exit;
}
if (!GetTokenInformation(hToken, TokenUser, pTokenUser, dwLengthNeeded, &dwLengthNeeded))
{
status = GetLastError();
std::wcout << L"GetTokenInformation failed: " << status << std::endl;
goto Exit;
}
//
// Resolve the SID to DOMAIN\user. Note that for domain SIDs this can go to a
// domain controller and block, which matters on the 100 ms refresh thread.
//
dwSizeName = 256;
dwSizeDomain = 256;
if (!LookupAccountSid(NULL, pTokenUser->User.Sid, szName, &dwSizeName, szDomain, &dwSizeDomain, &eUse))
{
status = GetLastError();
std::wcout << L"LookupAccountSid failed: " << status << std::endl;
goto Exit;
}
//
// Combine the domain and user name; 255 + 1 + 255 characters fit in 514 and
// the _s variants guarantee termination.
//
wcscpy_s(userName, szDomain);
wcscat_s(userName, L"\\");
wcscat_s(userName, szName);
fullUserName.assign(userName);
Exit:
if (pTokenUser != NULL)
{
LocalFree(pTokenUser);
}
return status;
}
DWORD GetAuthenticationId(
_In_ HANDLE hToken,
_Out_ PLUID authId
)
{
DWORD status = 0;
DWORD dwLengthNeeded = 0;
PTOKEN_STATISTICS pTokenStatistics = NULL;
*authId = { 0 };
if (!GetTokenInformation(hToken, TokenStatistics, NULL, 0, &dwLengthNeeded))
{
if (GetLastError() != ERROR_INSUFFICIENT_BUFFER)
{
std::wcout << L"GetTokenInformation failed: " << GetLastError() << std::endl;
status = GetLastError();
goto Exit;
}
}
pTokenStatistics = (PTOKEN_STATISTICS)LocalAlloc(LPTR, dwLengthNeeded);
if (pTokenStatistics == NULL)
{
std::wcout << L"LocalAlloc failed: " << GetLastError() << std::endl;
status = GetLastError();
goto Exit;
}
if (!GetTokenInformation(hToken, TokenStatistics, pTokenStatistics, dwLengthNeeded, &dwLengthNeeded))
{
status = GetLastError();
if (status != ERROR_NO_SUCH_LOGON_SESSION)
{
std::wcout << L"GetTokenInformation failed: " << status << std::endl;
}
goto Exit;
}
// Successfully retrieved token statistics; assign AuthenticationId
*authId = pTokenStatistics->AuthenticationId;
Exit:
if (pTokenStatistics != NULL)
{
LocalFree(pTokenStatistics);
}
return status;
}
DWORD GetMandatoryLabel(
_In_ HANDLE hToken,
_In_ std::wstring& integrityLevel
)
{
DWORD status = 0;
DWORD dwLengthNeeded = 0;
PTOKEN_MANDATORY_LABEL pTokenMandatoryLabel = NULL;
DWORD dwIntegrityLevel = 0;
WCHAR szIntegrityLevel[1024] = L"Unknown"; // Default value for unknown levels
if (!GetTokenInformation(hToken, TokenIntegrityLevel, NULL, 0, &dwLengthNeeded))
{
if (GetLastError() != ERROR_INSUFFICIENT_BUFFER)
{
std::wcout << L"GetTokenInformation failed: " << GetLastError() << std::endl;
status = GetLastError();
goto Exit;
}
}
pTokenMandatoryLabel = (PTOKEN_MANDATORY_LABEL)LocalAlloc(LPTR, dwLengthNeeded);
if (pTokenMandatoryLabel == NULL)
{
std::wcout << L"LocalAlloc failed: " << GetLastError() << std::endl;
status = GetLastError();
goto Exit;
}
if (!GetTokenInformation(hToken, TokenIntegrityLevel, pTokenMandatoryLabel, dwLengthNeeded, &dwLengthNeeded))
{
std::wcout << L"GetTokenInformation failed: " << GetLastError() << std::endl;
status = GetLastError();
goto Exit;
}
// Get the integrity level RID from the label SID (S-1-16-<RID>): the level is
// the last sub-authority. Label SIDs have exactly one, so index 0 also works,
// but the count-based form is the documented idiom.
dwIntegrityLevel = *GetSidSubAuthority(pTokenMandatoryLabel->Label.Sid, *GetSidSubAuthorityCount(pTokenMandatoryLabel->Label.Sid) - 1);
// Determine the integrity level description. Mandatory access checks compare
// the RID numerically, so a label that falls between two named levels (a
// custom 0x2010, for example) behaves as the lower named level; classify by
// range rather than exact match, and cover Untrusted and ProtectedProcess too.
if (dwIntegrityLevel < SECURITY_MANDATORY_LOW_RID)
{
wcscpy_s(szIntegrityLevel, L"Untrusted");
}
else if (dwIntegrityLevel < SECURITY_MANDATORY_MEDIUM_RID)
{
wcscpy_s(szIntegrityLevel, L"Low");
}
else if (dwIntegrityLevel < SECURITY_MANDATORY_MEDIUM_PLUS_RID)
{
wcscpy_s(szIntegrityLevel, L"Medium");
}
else if (dwIntegrityLevel < SECURITY_MANDATORY_HIGH_RID)
{
wcscpy_s(szIntegrityLevel, L"MediumPlus");
}
else if (dwIntegrityLevel < SECURITY_MANDATORY_SYSTEM_RID)
{
wcscpy_s(szIntegrityLevel, L"High");
}
else if (dwIntegrityLevel < SECURITY_MANDATORY_PROTECTED_PROCESS_RID)
{
wcscpy_s(szIntegrityLevel, L"System");
}
else
{
wcscpy_s(szIntegrityLevel, L"ProtectedProcess");
}
// Assign the integrity level to the output parameter
integrityLevel.assign(szIntegrityLevel);
Exit:
if (pTokenMandatoryLabel != NULL)
{
LocalFree(pTokenMandatoryLabel);
}
return status;
}
================================================
FILE: JonMon-Service/context.h
================================================
#pragma once
#include <Windows.h>
#include "tlhelp32.h"
#include <string>
#include <vector>
#pragma comment(lib, "tdh.lib")
typedef struct _TokenInformation {
std::wstring userName;
DWORD tokenType;
LUID authenticationId;
LUID linkedAuthenticationId;
std::wstring integrityLevel;
DWORD sessionId;
} TokenInformation, * PTokenInformation;
typedef struct _ProcessInformation {
DWORD processId;
std::wstring processName;
std::wstring userName;
DWORD tokenType;
LUID authenticationId;
LUID linkedAuthenticationId;
std::wstring integrityLevel;
DWORD sessionId;
} ProcessInformation, * PProcessInformation;
//
// global variables that hold process ids and process names of every process currently running
//
extern std::vector<ProcessInformation> processList;
extern std::vector<ProcessInformation> initialProcessList;
DWORD GetUserInformation(
_In_ DWORD processId,
_Out_ PTokenInformation tokenInformation
);
DWORD GetMandatoryLabel(
_In_ HANDLE hToken,
_In_ std::wstring& integrityLevel
);
DWORD GetAuthenticationId(
_In_ HANDLE hToken,
_In_ PLUID authId
);
DWORD GetTokenUserInfo(
_In_ HANDLE hToken,
_In_ std::wstring& fullUserName
);
void UpdateProcessListPeriodically();
void ClearListPeriodically();
PProcessInformation GetProcessName(
_In_ DWORD processId
);
void InitialProcesses();
================================================
FILE: JonMon-Service/etwMain.cpp
================================================
//
// The header names were lost when this file was extracted; the set below is
// reconstructed from what the file uses (Winsock must precede Windows.h).
//
#include <winsock2.h>
#include <ws2tcpip.h>
#include <Windows.h>
#include <evntrace.h>
#include <evntcons.h>
#include <tdh.h>
#include <dbghelp.h>
#include <thread>
#include <string>
#include <cstdio>
#include "global.h"
#include "context.h"
#include "etwMain.h"
#include "service.h"
#pragma comment(lib, "Ws2_32.lib")
#pragma comment(lib, "dbghelp.lib")
DWORD lsassPID = 0;
SYSTEMTIME lastEventTime;
DWORD StopETWTrace() {
ULONG status, bufferSize;
wchar_t traceName[] = L"JonMon";
EVENT_TRACE_PROPERTIES* traceProp;
//
// StopTrace needs room for the session name after the fixed-size structure
//
bufferSize = sizeof(EVENT_TRACE_PROPERTIES) + sizeof(traceName) + sizeof(WCHAR);
traceProp = (EVENT_TRACE_PROPERTIES*)LocalAlloc(LPTR, bufferSize);
if (traceProp == NULL) {
return ERROR_OUTOFMEMORY;
}
traceProp->Wnode.BufferSize = bufferSize;
traceProp->Wnode.Guid = JonMonGuid;
traceProp->LogFileNameOffset = 0;
traceProp->LoggerNameOffset = sizeof(EVENT_TRACE_PROPERTIES);
//
// A zero handle plus the session name stops the session by name, which also
// works when this instance is not the one that started it
//
status = StopTrace(0, traceName, traceProp);
if (status != ERROR_SUCCESS) {
OutputDebugStringW(L"StopTrace Failed");
}
else {
OutputDebugStringW(L"StopTrace Success");
}
LocalFree(traceProp);
return status;
}
//
// initialProcessListMutex is defined in context.cpp but not exported by
// context.h; declare it here so the scan below can take it.
//
#include <mutex>
extern std::mutex initialProcessListMutex;
DWORD CheckLSASSPID() {
//
// Enumerate initialProcessList to find the LSASS PID. InitialProcesses()
// runs on a detached thread, so give it time to populate the list first.
//
Sleep(2000);
//
// processName is an NT device path (PROCESS_NAME_NATIVE), e.g.
// \Device\HarddiskVolume3\Windows\System32\lsass.exe. Require the
// \Windows\System32\lsass.exe suffix (case-insensitive) rather than a bare
// "lsass.exe" substring, so a same-named binary in a user-writable directory
// is not mistaken for LSASS. Assumes SystemRoot is \Windows.
//
const wchar_t lsassSuffix[] = L"\\Windows\\System32\\lsass.exe";
const size_t suffixLength = wcslen(lsassSuffix);
std::lock_guard<std::mutex> lock(initialProcessListMutex);
for (auto& process : initialProcessList) {
const std::wstring& name = process.processName;
if (name.size() >= suffixLength && _wcsicmp(name.c_str() + (name.size() - suffixLength), lsassSuffix) == 0) {
return process.processId;
}
}
//
// Not found: return 0 rather than falling off the end of the function
//
return 0;
}
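Two places in this service hand out process identity in a way a practitioner would tighten: GetProcessName() in context.cpp returns a pointer into a std::vector that UpdateProcessListPeriodically() may reallocate and ClearListPeriodically() clears from other threads, and CheckLSASSPID() above picks LSASS by matching the image name. The block below is an added example, not JonMon's code, of both done the safer way: a cache whose lookups copy the record out while the mutex is held, and an LSASS check that accepts only \Device\<volume>\Windows\System32\lsass.exe. It is portable C++ (std::mutex, no Win32 calls) so it runs anywhere; ProcessRecord, ProcessCache, the sample NT paths and PIDs are constructed for illustration, and the check assumes SystemRoot is \Windows.

```cpp
#include <cstdint>
#include <cwctype>
#include <mutex>
#include <string>
#include <vector>

// Hypothetical stand-in for JonMon's ProcessInformation (illustration only).
struct ProcessRecord {
    uint32_t processId;
    std::wstring nativePath;   // NT device path, as PROCESS_NAME_NATIVE returns it
    std::wstring userName;
};

// Process cache that is safe to read while another thread inserts or clears:
// every lookup copies the record out while the mutex is held, so no caller
// ever holds a pointer into the vector's storage (which push_back may move
// and Clear() destroys).
class ProcessCache {
public:
    void Insert(const ProcessRecord& rec) {
        std::lock_guard<std::mutex> lock(mutex_);
        for (const auto& r : records_) {
            if (r.processId == rec.processId) return;  // already cached
        }
        records_.push_back(rec);
    }

    // Copies the record for pid into out; false if pid is not cached.
    bool Lookup(uint32_t pid, ProcessRecord& out) const {
        std::lock_guard<std::mutex> lock(mutex_);
        for (const auto& r : records_) {
            if (r.processId == pid) { out = r; return true; }
        }
        return false;
    }

    void Clear() {
        std::lock_guard<std::mutex> lock(mutex_);
        records_.clear();
    }

    size_t Size() const {
        std::lock_guard<std::mutex> lock(mutex_);
        return records_.size();
    }

    // PID of the LSASS whose image lives in System32, or 0 if none is cached.
    uint32_t FindLsassPid() const {
        std::lock_guard<std::mutex> lock(mutex_);
        for (const auto& r : records_) {
            if (IsSystem32Lsass(r.nativePath)) return r.processId;
        }
        return 0;
    }

    // True only for \Device\<volume>\Windows\System32\lsass.exe, any case.
    // A substring test for "lsass.exe" would also accept a copy dropped in a
    // user-writable directory, and a suffix-only test would accept
    // \Device\...\Users\bob\Windows\System32\lsass.exe, so the prefix must be
    // exactly one volume component. Assumes SystemRoot is \Windows.
    static bool IsSystem32Lsass(const std::wstring& nativePath) {
        static const std::wstring suffix = L"\\windows\\system32\\lsass.exe";
        static const std::wstring device = L"\\device\\";
        std::wstring lower = nativePath;
        for (auto& ch : lower) ch = static_cast<wchar_t>(std::towlower(ch));
        if (lower.size() <= suffix.size()) return false;
        if (lower.compare(lower.size() - suffix.size(), suffix.size(), suffix) != 0) return false;
        std::wstring prefix = lower.substr(0, lower.size() - suffix.size());  // e.g. \device\harddiskvolume3
        if (prefix.size() <= device.size()) return false;
        if (prefix.compare(0, device.size(), device) != 0) return false;
        return prefix.find(L'\\', device.size()) == std::wstring::npos;
    }

private:
    mutable std::mutex mutex_;
    std::vector<ProcessRecord> records_;
};

// Fills a cache with constructed sample entries (not real system data): the
// genuine LSASS is PID 712, the impostor in a Downloads folder is PID 4242,
// and the second insert of PID 712 is ignored as a duplicate.
void FillSampleCache(ProcessCache& cache) {
    cache.Insert({4242, L"\\Device\\HarddiskVolume3\\Users\\bob\\Downloads\\lsass.exe", L"DESKTOP\\bob"});
    cache.Insert({712, L"\\Device\\HarddiskVolume3\\Windows\\System32\\LSASS.EXE", L"NT AUTHORITY\\SYSTEM"});
    cache.Insert({712, L"\\Device\\HarddiskVolume3\\duplicate-ignored.exe", L""});
}

// Shows why copy-out matters: the copy stays valid across a Clear() that
// would have invalidated a pointer into the vector, which is what a
// GetProcessName()-style return value becomes once the reaper thread runs.
std::wstring LookupThenClear(ProcessCache& cache, uint32_t pid) {
    ProcessRecord rec{};
    bool found = cache.Lookup(pid, rec);
    cache.Clear();
    return found ? rec.nativePath : std::wstring();
}
```

In the service this shape would replace the raw-pointer GetProcessName() with a copy-out lookup, so the EventWrite* calls in etwMain.cpp never read a record that ClearListPeriodically() has already destroyed; the LSASS check likewise belongs wherever the PID is later compared against handle and memory events.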
DWORD TraceEvent(
_In_ LPCWSTR Name,
_In_ GUID TraceGuid,
_In_ EventSchema_Full* EventSchemaStruct
) {
std::thread initialProcesses(InitialProcesses);
std::thread updateThread(UpdateProcessListPeriodically);
std::thread clearThread(ClearListPeriodically);
//
// Detach threads
//
initialProcesses.detach();
updateThread.detach();
clearThread.detach();
printf("[+] Starting ETW Trace\n");
TRACEHANDLE hTrace = 0;
ULONG result, bufferSize;
EVENT_TRACE_LOGFILEW trace;
EVENT_TRACE_PROPERTIES* traceProp = nullptr;
lsassPID = CheckLSASSPID();
memset(&trace, 0, sizeof(EVENT_TRACE_LOGFILEW));
trace.ProcessTraceMode = PROCESS_TRACE_MODE_REAL_TIME | PROCESS_TRACE_MODE_EVENT_RECORD;
trace.LoggerName = (LPWSTR)Name;
trace.EventRecordCallback = (PEVENT_RECORD_CALLBACK)ProcessEvent;
//
// Calculate buffer size
//
ULONG nameLength = (ULONG)(wcslen(Name) + 1);
bufferSize = sizeof(EVENT_TRACE_PROPERTIES) + nameLength * sizeof(WCHAR);
//
// Allocate memory for EVENT_TRACE_PROPERTIES and logger name
//
traceProp = (EVENT_TRACE_PROPERTIES*)LocalAlloc(LPTR, bufferSize);
if (traceProp == nullptr) {
printf("Failed to allocate memory for trace properties\n");
return ERROR_OUTOFMEMORY;
}
//
// Initialize EVENT_TRACE_PROPERTIES
//
traceProp->Wnode.BufferSize = bufferSize;
traceProp->Wnode.ClientContext = 2;
traceProp->Wnode.Guid = TraceGuid;
traceProp->Wnode.Flags = WNODE_FLAG_TRACED_GUID;
traceProp->LogFileMode = EVENT_TRACE_REAL_TIME_MODE | EVENT_TRACE_SYSTEM_LOGGER_MODE;
traceProp->LogFileNameOffset = 0;
traceProp->LoggerNameOffset = sizeof(EVENT_TRACE_PROPERTIES);
//
// Set logger name (nameLength includes the terminator and matches the space
// reserved in bufferSize above)
//
LPWSTR loggerNamePtr = (LPWSTR)((BYTE*)traceProp + traceProp->LoggerNameOffset);
wcscpy_s(loggerNamePtr, nameLength, Name);
//
// Start the trace. ERROR_ALREADY_EXISTS (183) here means a session with this
// name is still running from a previous instance; StopETWTrace() clears it.
//
if ((result = StartTraceW(&hTrace, Name, traceProp)) != ERROR_SUCCESS) {
OutputDebugStringW(L"Error starting trace\n");
printf("Error: %lu\n", result);
LocalFree(traceProp);
return result;
}
//
// Set up and enable trace parameters
//
ENABLE_TRACE_PARAMETERS enableTraceParameters;
ZeroMemory(&enableTraceParameters, sizeof(ENABLE_TRACE_PARAMETERS));
enableTraceParameters.Version = ENABLE_TRACE_PARAMETERS_VERSION_2;
enableTraceParameters.EnableProperty = EVENT_ENABLE_PROPERTY_STACK_TRACE;
printf("[+] JonMon Trace started\n");
if ((result = EnableTraceEx2(
hTrace,
&JonMonTraceLogging,
EVENT_CONTROL_CODE_ENABLE_PROVIDER,
TRACE_LEVEL_VERBOSE,
0,
0,
0,
0
)) != ERROR_SUCCESS) {
OutputDebugStringW(L"Error enabling trace\n");
printf("Error: %lu\n", result);
LocalFree(traceProp); // Ensure traceProp is freed
CloseTrace(hTrace); // Ensure hTrace is closed
return result;
}
//
//DotNet Events
//
if (EventSchemaStruct->DotNetLoad_Events)
{
if ((result = EnableTraceEx2(
hTrace,
&DotNet_Provider,
EVENT_CONTROL_CODE_ENABLE_PROVIDER,
TRACE_LEVEL_INFORMATION,
0x8,
0,
0,
NULL
)) != ERROR_SUCCESS) {
OutputDebugString(L"[!] Error EnableTraceEx - DotNet\n");
}
}
//
// WMI Events
//
if (EventSchemaStruct->WMIEventSubscription_Events)
{
if ((result = EnableTraceEx2(
hTrace,
&WMIActivty_Provider,
EVENT_CONTROL_CODE_ENABLE_PROVIDER,
TRACE_LEVEL_INFORMATION,
0,
0,
0,
&enableTraceParameters
)) != ERROR_SUCCESS) {
OutputDebugString(L"[!] Error EnableTraceEx - WMI\n");
}
}
//
// RPC Events
//
if (EventSchemaStruct->RPC_Events)
{
if ((result = EnableTraceEx2(
hTrace,
&RPC_Provider,
EVENT_CONTROL_CODE_ENABLE_PROVIDER,
TRACE_LEVEL_INFORMATION,
0,
0,
0,
&enableTraceParameters
)) != ERROR_SUCCESS) {
OutputDebugString(L"[!] Error EnableTraceEx - RPC\n");
}
}
//
// AMSI
//
if (EventSchemaStruct->AMSI_Events)
{
if ((result = EnableTraceEx2(
hTrace,
&AMSI_Provider,
EVENT_CONTROL_CODE_ENABLE_PROVIDER,
TRACE_LEVEL_INFORMATION,
0,
0,
0,
&enableTraceParameters
)) != ERROR_SUCCESS) {
OutputDebugString(L"[!] Error EnableTraceEx - AMSI\n");
}
}
//
// Network Events
//
// Note: EnableTraceEx2 consults MatchAllKeyword (0x10 here) only when
// MatchAnyKeyword is non-zero; with MatchAnyKeyword = 0 the provider writes
// all of its events and the 0x10 has no filtering effect.
//
if (EventSchemaStruct->Network_Events)
{
if ((result = EnableTraceEx2(
hTrace,
&Network_Provider,
EVENT_CONTROL_CODE_ENABLE_PROVIDER,
TRACE_LEVEL_INFORMATION,
0,
0x10,
0,
&enableTraceParameters
)) != ERROR_SUCCESS) {
OutputDebugString(L"[!] Error EnableTraceEx - Network\n");
}
}
//
// Threat Intelligence Events
//
// Microsoft-Windows-Threat-Intelligence can only be enabled from a process
// running as anti-malware PPL (an ELAM-signed service). From an ordinary
// service EnableTraceEx2 fails with ERROR_ACCESS_DENIED; that is logged
// below and the rest of the trace continues without these events.
//
if (EventSchemaStruct->ThreatIntelligence_Events)
{
OutputDebugStringW(L"Threat Intelligence Events Enabled\n");
//
// Keyword bits of the Threat-Intelligence provider. The allocation and APC
// keywords come in user-mode-caller / kernel-mode-caller pairs.
//
ULONGLONG matchAnyKeyword = 0x0;
if (EventSchemaStruct->ThreatIntelligence_Events_RemoteReadProcessMemory)
{
OutputDebugStringW(L"RemoteReadProcessMemory Enabled\n");
matchAnyKeyword |= 0x20000; // KERNEL_THREATINT_KEYWORD_READVM_REMOTE
}
if (EventSchemaStruct->ThreatIntelligence_Events_RemoteWriteProcessMemory)
{
OutputDebugStringW(L"RemoteWriteProcessMemory Enabled\n");
matchAnyKeyword |= 0x80000; // KERNEL_THREATINT_KEYWORD_WRITEVM_REMOTE
}
if (EventSchemaStruct->ThreatIntelligence_Events_RemoteVirtualAllocation)
{
OutputDebugStringW(L"RemoteVirtualAllocation Enabled\n");
matchAnyKeyword |= (0x4 | 0x8); // ALLOCVM_REMOTE | ALLOCVM_REMOTE_KERNEL_CALLER
}
if (EventSchemaStruct->ThreatIntelligence_Events_RemoteQueueUserAPC)
{
OutputDebugStringW(L"RemoteQueueUserAPC Enabled\n");
matchAnyKeyword |= (0x1000 | 0x2000); // QUEUEUSERAPC_REMOTE | QUEUEUSERAPC_REMOTE_KERNEL_CALLER
}
if ((result = EnableTraceEx2(
hTrace,
&ThreatIntel_Provider,
EVENT_CONTROL_CODE_ENABLE_PROVIDER,
TRACE_LEVEL_INFORMATION,
matchAnyKeyword,
0,
0,
&enableTraceParameters
)) != ERROR_SUCCESS) {
OutputDebugString(L"[!] Error EnableTraceEx - ThreatIntelligence\n");
printf("Error: %lu\n", result);
}
}
//
// Free traceProp after trace is successfully started
//
LocalFree(traceProp);
hTrace = OpenTraceW(&trace);
if (hTrace == INVALID_PROCESSTRACE_HANDLE) {
OutputDebugString(L"[!] Error OpenTrace\n");
return 1;
}
//
// Process the trace
//
result = ProcessTrace(&hTrace, 1, NULL, NULL);
if (result != ERROR_SUCCESS) {
printf("[!] Error ProcessTrace\n");
CloseTrace(hTrace); // Ensure hTrace is closed
return result;
}
//
// Close trace handle after processing is complete
//
CloseTrace(hTrace);
return 0;
}
void ProcessEvent(
_In_ PEVENT_RECORD EventRecord
) {
PEVENT_HEADER eventHeader = &EventRecord->EventHeader;
PEVENT_DESCRIPTOR eventDescriptor = &eventHeader->EventDescriptor;
NTSTATUS status;
if (eventHeader->ProviderId == JonMonTraceLogging) {
status = WriteJonMonTraceLoggingEvents(EventRecord, eventHeader);
if (status != ERROR_SUCCESS) {
OutputDebugString(L"Error writing JonMon Trace Logging Events\n");
}
}
if (eventHeader->ProviderId == DotNet_Provider) {
switch (eventDescriptor->Id) {
case 154: {
status = WriteDotNetEvents(EventRecord, eventHeader);
if (status != ERROR_SUCCESS) {
OutputDebugString(L"Error writing DotNet Events\n");
}
break;
}
default: {
break;
}
}
}
if (eventHeader->ProviderId == Network_Provider)
{
status = WriteNetworkEvents(EventRecord, eventHeader);
if (status != ERROR_SUCCESS) {
OutputDebugString(L"Error writing Network Events\n");
}
}
if (eventHeader->ProviderId == DPAPI_Provider)
{
switch (eventDescriptor->Id) {
case 16385: {
status = WriteDpapiEvents(EventRecord, eventHeader);
if (status != ERROR_SUCCESS) {
OutputDebugString(L"Error writing DPAPI Events\n");
}
break;
}
default: {
break;
}
}
}
if (eventHeader->ProviderId == WMIActivty_Provider) {
switch (eventDescriptor->Id) {
case 5861:
{
status = WriteWMIEvents(EventRecord, eventHeader);
if (status != ERROR_SUCCESS) {
OutputDebugString(L"Error writing WMI Events\n");
}
break;
}
default:
{
break;
}
}
}
if (eventHeader->ProviderId == RPC_Provider) {
switch (eventDescriptor->Id) {
case 5:
{
status = WriteRpcEvents(EventRecord, eventHeader, 0); // 0 == CLIENT
if (status != ERROR_SUCCESS) {
OutputDebugString(L"Error writing RPC Events\n");
}
break;
}
case 6:
{
status = WriteRpcEvents(EventRecord, eventHeader, 1); // 1 == SERVER
if (status != ERROR_SUCCESS) {
OutputDebugString(L"Error writing RPC Events\n");
}
break;
}
default: {
break;
}
}
}
if (eventHeader->ProviderId == AMSI_Provider) {
switch (eventDescriptor->Id) {
case 1101:
{
status = WriteAMSIEvents(EventRecord, eventHeader);
if (status != ERROR_SUCCESS) {
OutputDebugString(L"Error writing AMSI Events\n");
}
break;
}
default:
{
break;
}
}
}
if (eventHeader->ProviderId == ThreatIntel_Provider) {
status = WriteThreatIntelEvents(EventRecord, eventHeader);
if (status != ERROR_SUCCESS) {
OutputDebugString(L"Error writing Threat Intelligence Events\n");
}
}
}
NTSTATUS WriteJonMonTraceLoggingEvents(
_In_ PEVENT_RECORD EventRecord,
_In_ PEVENT_HEADER EventHeader
) {
NTSTATUS status = ERROR_SUCCESS;
DWORD bufferSize = 0;
PTRACE_EVENT_INFO pInfo = nullptr;
BYTE** propertyDataVector = nullptr;
int vectorCapacity = 10;
int vectorSize = 0;
SYSTEMTIME systemTime;
// Fetch initial event information size
status = TdhGetEventInformation(EventRecord, 0, NULL, NULL, &bufferSize);
if (status == ERROR_INSUFFICIENT_BUFFER) {
pInfo = (PTRACE_EVENT_INFO)malloc(bufferSize);
if (!pInfo) {
OutputDebugString(L"Error allocating memory for event info\n");
status = ERROR_NOT_ENOUGH_MEMORY;
goto Exit;
}
status = TdhGetEventInformation(EventRecord, 0, NULL, pInfo, &bufferSize);
}
if (status != ERROR_SUCCESS) {
OutputDebugString(L"Error fetching event info\n");
goto Exit;
}
// Allocate memory for property data vector
propertyDataVector = (BYTE**)malloc(vectorCapacity * sizeof(BYTE*));
if (!propertyDataVector) {
OutputDebugString(L"Error allocating memory for propertyDataVector\n");
status = ERROR_NOT_ENOUGH_MEMORY;
goto Exit;
}
// Process each property in the event
for (ULONG i = 0; i < pInfo->TopLevelPropertyCount; i++) {
PROPERTY_DATA_DESCRIPTOR dataDescriptor;
DWORD propertySize = 0;
WCHAR* propertyName = (WCHAR*)((BYTE*)pInfo + pInfo->EventPropertyInfoArray[i].NameOffset);
dataDescriptor.PropertyName = (ULONGLONG)propertyName;
dataDescriptor.ArrayIndex = ULONG_MAX;
// Determine the size of the property
status = TdhGetPropertySize(EventRecord, 0, NULL, 1, &dataDescriptor, &propertySize);
if (status != ERROR_SUCCESS) {
wprintf(L"Error getting size for property %ls\n", propertyName);
goto Exit;
}
BYTE* propertyData = (BYTE*)malloc(propertySize);
if (!propertyData) {
wprintf(L"Error allocating memory for property %ls\n", propertyName);
goto Exit;
}
// Get the actual property data
status = TdhGetProperty(EventRecord, 0, NULL, 1, &dataDescriptor, propertySize, propertyData);
if (status != ERROR_SUCCESS) {
wprintf(L"Error getting data for property %ls\n", propertyName);
goto Exit;
}
// Check if we need to resize the vector
if (vectorSize == vectorCapacity) {
BYTE** resizedVector = (BYTE**)realloc(propertyDataVector, 2 * vectorCapacity * sizeof(BYTE*));
if (!resizedVector) {
OutputDebugString(L"Error resizing propertyDataVector\n");
free(propertyData);
status = ERROR_NOT_ENOUGH_MEMORY;
goto Exit;
}
propertyDataVector = resizedVector;
vectorCapacity *= 2;
}
// Add the data to the vector
propertyDataVector[vectorSize++] = propertyData;
}
switch (*(INT32*)propertyDataVector[0])
{
case 1:
{
BOOL ProcessReParented = FALSE;
printf("Process Creation Event\n");
PProcessCreationEvent processCreationEvent = (PProcessCreationEvent)malloc(sizeof(ProcessCreationEvent));
if (processCreationEvent == nullptr) {
OutputDebugString(L"Error allocating memory for processCreationEvent\n");
status = ERROR_NOT_ENOUGH_MEMORY;
goto Exit;
}
processCreationEvent->EventId = *(INT32*)propertyDataVector[0];
processCreationEvent->ProcessId = *(INT64*)propertyDataVector[1];
processCreationEvent->ProcessStartKey = *(UINT64*)propertyDataVector[2];
processCreationEvent->ParentProcessId = *(INT64*)propertyDataVector[3];
processCreationEvent->ParentProcessStartKey = *(UINT64*)propertyDataVector[4];
processCreationEvent->CreatorProcessId = *(INT64*)propertyDataVector[5];
processCreationEvent->CreatorThreadId = *(INT64*)propertyDataVector[6];
processCreationEvent->CommandLine = (WCHAR*)propertyDataVector[7];
processCreationEvent->EventTime = *(FILETIME*)propertyDataVector[8];
if (processCreationEvent->ParentProcessId != processCreationEvent->CreatorProcessId) {
ProcessReParented = TRUE;
}
PProcessInformation processInformation = GetProcessName(processCreationEvent->ProcessId);
// Check if processInformation is not nullptr before dereferencing it; free the event on the early exit
if (processInformation == nullptr) {
printf("Process not found\n");
free(processCreationEvent);
break;
}
PProcessInformation parentProcessInformation;
parentProcessInformation = GetProcessName(processCreationEvent->ParentProcessId);
// Check if parentProcessInformation is not nullptr before dereferencing it; free the event on the early exit
if (parentProcessInformation == nullptr) {
printf("Parent Process not found\n");
free(processCreationEvent);
break;
}
FileTimeToSystemTime(&processCreationEvent->EventTime, &systemTime);
EventWriteProcessCreation(
&systemTime,
processCreationEvent->CreatorThreadId,
processCreationEvent->CreatorProcessId,
processCreationEvent->ParentProcessId,
processCreationEvent->ParentProcessStartKey,
parentProcessInformation->processName.c_str(),
parentProcessInformation->userName.c_str(),
parentProcessInformation->authenticationId.LowPart,
parentProcessInformation->integrityLevel.c_str(),
parentProcessInformation->sessionId,
parentProcessInformation->tokenType,
processInformation->processName.c_str(),
processCreationEvent->CommandLine,
processCreationEvent->ProcessId,
processCreationEvent->ProcessStartKey,
processInformation->userName.c_str(),
processInformation->authenticationId.LowPart,
processInformation->linkedAuthenticationId.LowPart,
processInformation->integrityLevel.c_str(),
processInformation->sessionId,
processInformation->tokenType,
ProcessReParented
);
free(processCreationEvent);
break;
}
case 2:
{
printf("Process Termination Event\n");
PProcessTerminationEvent processTerminationEvent = (PProcessTerminationEvent)malloc(sizeof(ProcessTerminationEvent));
if (processTerminationEvent == nullptr) {
OutputDebugString(L"Error allocating memory for processTerminationEvent\n");
status = ERROR_NOT_ENOUGH_MEMORY;
goto Exit;
}
processTerminationEvent->EventId = *(INT32*)propertyDataVector[0];
processTerminationEvent->ProcessId = *(INT64*)propertyDataVector[1];
processTerminationEvent->ProcessStartKey = *(UINT64*)propertyDataVector[2];
processTerminationEvent->ParentProcessId = *(INT64*)propertyDataVector[3];
processTerminationEvent->ParentProcessStartKey = *(UINT64*)propertyDataVector[4];
processTerminationEvent->EventTime = *(FILETIME*)propertyDataVector[5];
PProcessInformation processInformation = GetProcessName(processTerminationEvent->ProcessId);
// Check if processInformation is not nullptr before dereferencing it; free the event on the early exit
if (processInformation == nullptr) {
printf("Process not found\n");
free(processTerminationEvent);
break;
}
FileTimeToSystemTime(&processTerminationEvent->EventTime, &systemTime);
EventWriteProcessTerminate(
&systemTime,
processTerminationEvent->ParentProcessId,
processTerminationEvent->ParentProcessStartKey,
processInformation->processName.c_str(),
processTerminationEvent->ProcessId
);
free(processTerminationEvent);
break;
}
case 3:
{
printf("Remote Thread Creation Event\n");
PRemoteThreadCreationEvent remoteThreadCreationEvent = (PRemoteThreadCreationEvent)malloc(sizeof(RemoteThreadCreationEvent));
if (remoteThreadCreationEvent == nullptr) {
OutputDebugString(L"Error allocating memory for remoteThreadCreationEvent\n");
status = ERROR_NOT_ENOUGH_MEMORY;
goto Exit;
}
remoteThreadCreationEvent->EventId = *(INT32*)propertyDataVector[0];
remoteThreadCreationEvent->SourceThreadId = *(INT64*)propertyDataVector[1];
remoteThreadCreationEvent->SourceProcessId = *(INT64*)propertyDataVector[2];
remoteThreadCreationEvent->SourceProcessStartKey = *(UINT64*)propertyDataVector[3];
remoteThreadCreationEvent->NewThreadId = *(INT64*)propertyDataVector[4];
remoteThreadCreationEvent->TargetProcessId = *(INT64*)propertyDataVector[5];
remoteThreadCreationEvent->TargetProcessStartKey = *(UINT64*)propertyDataVector[6];
remoteThreadCreationEvent->EventTime = *(FILETIME*)propertyDataVector[7];
PProcessInformation processInformation = GetProcessName(remoteThreadCreationEvent->TargetProcessId);
// Check if processInformation is not nullptr before dereferencing it; free the event on the early exit
if (processInformation == nullptr) {
printf("Process not found\n");
free(remoteThreadCreationEvent);
break;
}
PProcessInformation sourceProcessInformation;
sourceProcessInformation = GetProcessName(remoteThreadCreationEvent->SourceProcessId);
// Check if sourceProcessInformation is not nullptr before dereferencing it; free the event on the early exit
if (sourceProcessInformation == nullptr) {
printf("Source Process not found\n");
free(remoteThreadCreationEvent);
break;
}
FileTimeToSystemTime(&remoteThreadCreationEvent->EventTime, &systemTime);
EventWriteRemoteThreadCreation(
&systemTime,
remoteThreadCreationEvent->SourceProcessId,
remoteThreadCreationEvent->SourceProcessStartKey,
remoteThreadCreationEvent->SourceThreadId,
sourceProcessInformation->processName.c_str(),
sourceProcessInformation->userName.c_str(),
sourceProcessInformation->authenticationId.LowPart,
sourceProcessInformation->integrityLevel.c_str(),
sourceProcessInformation->sessionId,
sourceProcessInformation->tokenType,
processInformation->processName.c_str(),
remoteThreadCreationEvent->TargetProcessId,
remoteThreadCreationEvent->TargetProcessStartKey,
remoteThreadCreationEvent->NewThreadId,
processInformation->userName.c_str(),
processInformation->authenticationId.LowPart,
processInformation->linkedAuthenticationId.LowPart,
processInformation->integrityLevel.c_str(),
processInformation->sessionId
);
//
// Free the memory allocated for the event data
//
free(remoteThreadCreationEvent);
break;
}
case 4:
{
printf("Load Image Event\n");
PLoadImageEvent loadImageEvent = (PLoadImageEvent)malloc(sizeof(LoadImageEvent));
if (loadImageEvent == nullptr) {
OutputDebugString(L"Error allocating memory for loadImageEvent\n");
status = ERROR_NOT_ENOUGH_MEMORY;
goto Exit;
}
loadImageEvent->EventId = *(INT32*)propertyDataVector[0];
loadImageEvent->ProcessId = *(INT64*)propertyDataVector[1];
loadImageEvent->ProcessStartKey = *(UINT64*)propertyDataVector[2];
loadImageEvent->ThreadId = *(INT64*)propertyDataVector[3];
loadImageEvent->SystemModeImage = *(ULONG*)propertyDataVector[4];
loadImageEvent->ImageName = (WCHAR*)propertyDataVector[5];
loadImageEvent->EventTime = *(FILETIME*)propertyDataVector[6];
FileTimeToSystemTime(&loadImageEvent->EventTime, &systemTime);
if (loadImageEvent->SystemModeImage == 1) {
printf("System Mode Image\n");
EventWriteImageLoaded(
&systemTime,
NULL,
loadImageEvent->ProcessId,
loadImageEvent->ThreadId,
loadImageEvent->ProcessStartKey,
NULL,
0,
0,
NULL,
0,
0,
loadImageEvent->ImageName,
loadImageEvent->SystemModeImage
);
free(loadImageEvent);
break;
}
PProcessInformation processInformation;
processInformation = GetProcessName(loadImageEvent->ProcessId);
// Check if processInformation is not nullptr before dereferencing it; free the event on the early exit
if (processInformation == nullptr) {
printf("Process not found\n");
free(loadImageEvent);
break;
}
EventWriteImageLoaded(
&systemTime,
processInformation->processName.c_str(),
loadImageEvent->ProcessId,
loadImageEvent->ThreadId,
loadImageEvent->ProcessStartKey,
processInformation->userName.c_str(),
processInformation->authenticationId.LowPart,
processInformation->linkedAuthenticationId.LowPart,
processInformation->integrityLevel.c_str(),
processInformation->sessionId,
processInformation->tokenType,
loadImageEvent->ImageName,
loadImageEvent->SystemModeImage
);
//
// Free the memory allocated for the event data
//
free(loadImageEvent);
break;
}
case 5:
{
printf("Process Handle Event\n");
PProcessHandleEvent processHandleEvent = (PProcessHandleEvent)malloc(sizeof(ProcessHandleEvent));
if (processHandleEvent == nullptr) {
OutputDebugString(L"Error allocating memory for processHandleEvent\n");
status = ERROR_NOT_ENOUGH_MEMORY;
goto Exit;
}
processHandleEvent->EventId = *(INT32*)propertyDataVector[0];
processHandleEvent->SourceThreadId = *(INT64*)propertyDataVector[1];
processHandleEvent->SourceProcessId = *(INT64*)propertyDataVector[2];
processHandleEvent->SourceProcessStartKey = *(UINT64*)propertyDataVector[3];
processHandleEvent->TargetProcessId = *(INT64*)propertyDataVector[4];
processHandleEvent->TargetProcessStartKey = *(UINT64*)propertyDataVector[5];
processHandleEvent->OperationType = *(INT32*)propertyDataVector[6];
processHandleEvent->DesiredAccess = *(INT32*)propertyDataVector[7];
processHandleEvent->EventTime = *(FILETIME*)propertyDataVector[8];
FileTimeToSystemTime(&processHandleEvent->EventTime, &systemTime);
PProcessInformation sourceProcessInformation;
sourceProcessInformation = GetProcessName(processHandleEvent->SourceProcessId);
// Check if sourceProcessInformation is not nullptr before dereferencing it; free the event on the early exit
if (sourceProcessInformation == nullptr) {
printf("Source Process not found\n");
free(processHandleEvent);
break;
}
//
// Check to see if source process contains JonMon-Service.exe
// (processName is a std::wstring, so compare against std::wstring::npos)
//
if (sourceProcessInformation->processName.find(L"Windows\\JonMon-Service.exe") != std::wstring::npos) {
printf("Exiting because JonMon-Service is the source process\n");
free(processHandleEvent);
break;
}
PProcessInformation targetProcessInformation;
targetProcessInformation = GetProcessName(processHandleEvent->TargetProcessId);
// Check if targetProcessInformation is not nullptr before dereferencing it; free the event on the early exit
if (targetProcessInformation == nullptr) {
printf("Target Process not found\n");
free(processHandleEvent);
break;
}
EventWriteProcessAccess(
&systemTime,
processHandleEvent->SourceProcessId,
processHandleEvent->SourceThreadId,
processHandleEvent->SourceProcessStartKey,
sourceProcessInformation->processName.c_str(),
sourceProcessInformation->userName.c_str(),
sourceProcessInformation->authenticationId.LowPart,
sourceProcessInformation->integrityLevel.c_str(),
sourceProcessInformation->sessionId,
sourceProcessInformation->tokenType,
processHandleEvent->TargetProcessId,
processHandleEvent->TargetProcessStartKey,
targetProcessInformation->processName.c_str(),
targetProcessInformation->userName.c_str(),
targetProcessInformation->authenticationId.LowPart,
targetProcessInformation->linkedAuthenticationId.LowPart,
targetProcessInformation->integrityLevel.c_str(),
targetProcessInformation->sessionId,
targetProcessInformation->tokenType,
processHandleEvent->DesiredAccess,
processHandleEvent->OperationType
);
//
// Free the memory allocated for the event data
//
free(processHandleEvent);
break;
}
case 6:
{
printf("Registry Save Key Event\n");
PRegistrySaveKeyEvent registrySaveKeyEvent = (PRegistrySaveKeyEvent)malloc(sizeof(RegistrySaveKeyEvent));
if (registrySaveKeyEvent == nullptr) {
OutputDebugString(L"Error allocating memory for registrySaveKeyEvent\n");
status = ERROR_NOT_ENOUGH_MEMORY;
goto Exit;
}
registrySaveKeyEvent->EventId = *(INT32*)propertyDataVector[0];
registrySaveKeyEvent->SourceThreadId = *(INT64*)propertyDataVector[1];
registrySaveKeyEvent->SourceProcessId = *(INT64*)propertyDataVector[2];
registrySaveKeyEvent->SourceProcessStartKey = *(UINT64*)propertyDataVector[3];
registrySaveKeyEvent->KeyPath = (WCHAR*)propertyDataVector[4];
registrySaveKeyEvent->EventTime = *(FILETIME*)propertyDataVector[5];
FileTimeToSystemTime(&registrySaveKeyEvent->EventTime, &systemTime);
PProcessInformation processInformation;
processInformation = GetProcessName(registrySaveKeyEvent->SourceProcessId);
// Check if processInformation is not nullptr before dereferencing it; free the event on the early exit
if (processInformation == nullptr) {
printf("Process not found\n");
free(registrySaveKeyEvent);
break;
}
EventWriteRegistrySaveKey(
&systemTime,
processInformation->processName.c_str(),
registrySaveKeyEvent->SourceProcessId,
registrySaveKeyEvent->SourceThreadId,
registrySaveKeyEvent->SourceProcessStartKey,
processInformation->userName.c_str(),
processInformation->authenticationId.LowPart,
processInformation->integrityLevel.c_str(),
processInformation->sessionId,
registrySaveKeyEvent->KeyPath
);
//
// Free the memory allocated for the event data
//
free(registrySaveKeyEvent);
break;
}
case 8:
{
printf("Registry Set Value Key Event\n");
PRegistrySetValueKeyEvent registrySetValueKeyEvent = (PRegistrySetValueKeyEvent)malloc(sizeof(RegistrySetValueKeyEvent));
if (registrySetValueKeyEvent == nullptr) {
OutputDebugString(L"Error allocating memory for registrySetValueKeyEvent\n");
status = ERROR_NOT_ENOUGH_MEMORY;
goto Exit;
}
registrySetValueKeyEvent->EventId = *(INT32*)propertyDataVector[0];
registrySetValueKeyEvent->SourceThreadId = *(INT64*)propertyDataVector[1];
registrySetValueKeyEvent->SourceProcessId = *(INT64*)propertyDataVector[2];
registrySetValueKeyEvent->SourceProcessStartKey = *(UINT64*)propertyDataVector[3];
registrySetValueKeyEvent->KeyPath = (WCHAR*)propertyDataVector[4];
registrySetValueKeyEvent->ValueName = (WCHAR*)propertyDataVector[5];
registrySetValueKeyEvent->Data = (WCHAR*)propertyDataVector[6];
registrySetValueKeyEvent->Type = *(INT32*)propertyDataVector[7];
registrySetValueKeyEvent->DataSize = *(INT32*)propertyDataVector[8];
registrySetValueKeyEvent->EventTime = *(FILETIME*)propertyDataVector[9];
FileTimeToSystemTime(&registrySetValueKeyEvent->EventTime, &systemTime);
PProcessInformation processInformation;
processInformation = GetProcessName(registrySetValueKeyEvent->SourceProcessId);
// Check if processInformation is not nullptr before dereferencing it; free the event on the early exit
if (processInformation == nullptr) {
printf("Process not found\n");
free(registrySetValueKeyEvent);
break;
}
EventWriteRegistrySetValueKey(
&systemTime,
processInformation->processName.c_str(),
registrySetValueKeyEvent->SourceProcessId,
registrySetValueKeyEvent->SourceThreadId,
registrySetValueKeyEvent->SourceProcessStartKey,
processInformation->userName.c_str(),
processInformation->authenticationId.LowPart,
processInformation->integrityLevel.c_str(),
processInformation->sessionId,
registrySetValueKeyEvent->KeyPath,
registrySetValueKeyEvent->Type,
registrySetValueKeyEvent->Data,
registrySetValueKeyEvent->ValueName
);
//
// Free the memory allocated for the event data
//
free(registrySetValueKeyEvent);
break;
}
case 9:
{
printf("Registry Create Key Event\n");
PRegistryCreateKeyEvent registryCreateKeyEvent = (PRegistryCreateKeyEvent)malloc(sizeof(RegistryCreateKeyEvent));
if (registryCreateKeyEvent == nullptr) {
OutputDebugString(L"Error allocating memory for registryCreateKeyEvent\n");
status = ERROR_NOT_ENOUGH_MEMORY;
goto Exit;
}
registryCreateKeyEvent->EventId = *(INT32*)propertyDataVector[0];
registryCreateKeyEvent->SourceThreadId = *(INT64*)propertyDataVector[1];
registryCreateKeyEvent->SourceProcessId = *(INT64*)propertyDataVector[2];
registryCreateKeyEvent->SourceProcessStartKey = *(UINT64*)propertyDataVector[3];
registryCreateKeyEvent->KeyPath = (WCHAR*)propertyDataVector[4];
registryCreateKeyEvent->DesiredAccess = *(INT32*)propertyDataVector[5];
registryCreateKeyEvent->EventTime = *(FILETIME*)propertyDataVector[6];
FileTimeToSystemTime(&registryCreateKeyEvent->EventTime, &systemTime);
PProcessInformation processInformation;
processInformation = GetProcessName(registryCreateKeyEvent->SourceProcessId);
// Check if processInformation is not nullptr before dereferencing it; free the event on the early exit
if (processInformation == nullptr) {
printf("Process not found\n");
free(registryCreateKeyEvent);
break;
}
EventWriteRegistryCreateKey(
&systemTime,
processInformation->processName.c_str(),
registryCreateKeyEvent->SourceProcessId,
registryCreateKeyEvent->SourceThreadId,
registryCreateKeyEvent->SourceProcessStartKey,
processInformation->userName.c_str(),
processInformation->authenticationId.LowPart,
processInformation->integrityLevel.c_str(),
processInformation->sessionId,
registryCreateKeyEvent->KeyPath
);
//
// Free the memory allocated for the event data
//
free(registryCreateKeyEvent);
break;
}
case 10:
{
printf("File Operation Event\n");
PFileCreationEvent fileCreationEvent = (PFileCreationEvent)malloc(sizeof(FileCreationEvent));
if (fileCreationEvent == nullptr) {
OutputDebugString(L"Error allocating memory for fileCreationEvent\n");
status = ERROR_NOT_ENOUGH_MEMORY;
goto Exit;
}
fileCreationEvent->EventId = *(INT32*)propertyDataVector[0];
fileCreationEvent->SourceThreadId = *(INT64*)propertyDataVector[1];
fileCreationEvent->SourceProcessId = *(INT64*)propertyDataVector[2];
fileCreationEvent->SourceProcessStartKey = *(UINT64*)propertyDataVector[3];
fileCreationEvent->FileName = (WCHAR*)propertyDataVector[4];
fileCreationEvent->EventTime = *(FILETIME*)propertyDataVector[5];
FileTimeToSystemTime(&fileCreationEvent->EventTime, &systemTime);
//
// Filter: Check to see if ending of the file is .exe, .sys, .dll, .js, .vbs, .ps1, .bat, .cmd, .hta, .msi. Set all fileNames to lowercase before checking
//
std::wstring fileName = fileCreationEvent->FileName;
std::transform(fileName.begin(), fileName.end(), fileName.begin(), ::tolower);
std::wregex validExtensions(LR"((\.exe|\.sys|\.dll|\.js|\.vbs|\.ps1|\.bat|\.cmd|\.hta|\.msi)$)");
bool hasValidExtension = std::regex_search(fileName, validExtensions);
if (!hasValidExtension) {
free(fileCreationEvent);
break;
}
PProcessInformation processInformation;
processInformation = GetProcessName(fileCreationEvent->SourceProcessId);
// Check if processInformation is not nullptr before dereferencing it; free the event on the early exit
if (processInformation == nullptr) {
printf("Process not found\n");
free(fileCreationEvent);
break;
}
EventWriteFileCreation(
&systemTime,
processInformation->processName.c_str(),
fileCreationEvent->SourceProcessId,
fileCreationEvent->SourceThreadId,
fileCreationEvent->SourceProcessStartKey,
processInformation->userName.c_str(),
processInformation->authenticationId.LowPart,
processInformation->integrityLevel.c_str(),
processInformation->sessionId,
fileCreationEvent->FileName
);
//
// Free the memory allocated for the event data
//
free(fileCreationEvent);
break;
}
case 11:
{
printf("Named Pipe Creation Event\n");
PNamedPipeCreateEvent namedPipeCreationEvent = (PNamedPipeCreateEvent)malloc(sizeof(NamedPipeCreateEvent));
if (namedPipeCreationEvent == nullptr) {
OutputDebugString(L"Error allocating memory for namedPipeCreationEvent\n");
status = ERROR_NOT_ENOUGH_MEMORY;
goto Exit;
}
namedPipeCreationEvent->EventId = *(INT32*)propertyDataVector[0];
namedPipeCreationEvent->SourceThreadId = *(INT64*)propertyDataVector[1];
namedPipeCreationEvent->SourceProcessId = *(INT64*)propertyDataVector[2];
namedPipeCreationEvent->SourceProcessStartKey = *(UINT64*)propertyDataVector[3];
namedPipeCreationEvent->FileName = (WCHAR*)propertyDataVector[4];
namedPipeCreationEvent->RequestedRights = *(INT32*)propertyDataVector[5];
namedPipeCreationEvent->GrantedRights = *(INT32*)propertyDataVector[6];
namedPipeCreationEvent->EventTime = *(FILETIME*)propertyDataVector[7];
FileTimeToSystemTime(&namedPipeCreationEvent->EventTime, &systemTime);
PProcessInformation processInformation;
processInformation = GetProcessName(namedPipeCreationEvent->SourceProcessId);
// Check if processInformation is not nullptr before dereferencing it; free the event on the early exit
if (processInformation == nullptr) {
printf("Process not found\n");
free(namedPipeCreationEvent);
break;
}
EventWriteNamedPipeCreation(
&systemTime,
processInformation->processName.c_str(),
namedPipeCreationEvent->SourceProcessId,
namedPipeCreationEvent->SourceThreadId,
namedPipeCreationEvent->SourceProcessStartKey,
processInformation->userName.c_str(),
processInformation->authenticationId.LowPart,
processInformation->integrityLevel.c_str(),
processInformation->sessionId,
namedPipeCreationEvent->FileName,
namedPipeCreationEvent->RequestedRights
);
//
// Free the memory allocated for the event data
//
free(namedPipeCreationEvent);
break;
}
case 12:
{
printf("Named Pipe Connection Event\n");
PNamedPipeConnectionEvent namedPipeConnectionEvent = (PNamedPipeConnectionEvent)malloc(sizeof(NamedPipeConnectionEvent));
if (namedPipeConnectionEvent == nullptr) {
OutputDebugString(L"Error allocating memory for namedPipeConnectionEvent\n");
status = ERROR_NOT_ENOUGH_MEMORY;
goto Exit;
}
namedPipeConnectionEvent->EventId = *(INT32*)propertyDataVector[0];
namedPipeConnectionEvent->SourceThreadId = *(INT64*)propertyDataVector[1];
namedPipeConnectionEvent->SourceProcessId = *(INT64*)propertyDataVector[2];
namedPipeConnectionEvent->SourceProcessStartKey = *(UINT64*)propertyDataVector[3];
namedPipeConnectionEvent->FileName = (WCHAR*)propertyDataVector[4];
namedPipeConnectionEvent->RequestedRights = *(INT32*)propertyDataVector[5];
namedPipeConnectionEvent->EventTime = *(FILETIME*)propertyDataVector[6];
FileTimeToSystemTime(&namedPipeConnectionEvent->EventTime, &systemTime);
PProcessInformation processInformation;
processInformation = GetProcessName(namedPipeConnectionEvent->SourceProcessId);
// Check if processInformation is not nullptr before dereferencing it; free the event on the early exit
if (processInformation == nullptr) {
printf("Process not found\n");
free(namedPipeConnectionEvent);
break;
}
EventWriteNamedPipeConnection(
&systemTime,
processInformation->processName.c_str(),
namedPipeConnectionEvent->SourceProcessId,
namedPipeConnectionEvent->SourceThreadId,
namedPipeConnectionEvent->SourceProcessStartKey,
processInformation->userName.c_str(),
processInformation->authenticationId.LowPart,
processInformation->integrityLevel.c_str(),
processInformation->sessionId,
namedPipeConnectionEvent->FileName,
namedPipeConnectionEvent->RequestedRights
);
//
// Free the memory allocated for the event data
//
free(namedPipeConnectionEvent);
break;
}
case 13:
{
printf("Mailslot Creation Event\n");
PMailslotCreateEvent mailslotCreationEvent = (PMailslotCreateEvent)malloc(sizeof(MailslotCreateEvent));
if (mailslotCreationEvent == nullptr) {
OutputDebugString(L"Error allocating memory for mailslotCreationEvent\n");
status = ERROR_NOT_ENOUGH_MEMORY;
goto Exit;
}
mailslotCreationEvent->EventId = *(INT32*)propertyDataVector[0];
mailslotCreationEvent->SourceThreadId = *(INT64*)propertyDataVector[1];
mailslotCreationEvent->SourceProcessId = *(INT64*)propertyDataVector[2];
mailslotCreationEvent->SourceProcessStartKey = *(UINT64*)propertyDataVector[3];
mailslotCreationEvent->FileName = (WCHAR*)propertyDataVector[4];
mailslotCreationEvent->RequestedRights = *(INT32*)propertyDataVector[5];
mailslotCreationEvent->EventTime = *(FILETIME*)propertyDataVector[6];
FileTimeToSystemTime(&mailslotCreationEvent->EventTime, &systemTime);
PProcessInformation processInformation;
processInformation = GetProcessName(mailslotCreationEvent->SourceProcessId);
// Check if processInformation is not nullptr before dereferencing it; free the event on the early exit
if (processInformation == nullptr) {
printf("Process not found\n");
free(mailslotCreationEvent);
break;
}
EventWriteMailslotCreation(
&systemTime,
processInformation->processName.c_str(),
mailslotCreationEvent->SourceProcessId,
mailslotCreationEvent->SourceThreadId,
mailslotCreationEvent->SourceProcessStartKey,
processInformation->userName.c_str(),
processInformation->authenticationId.LowPart,
processInformation->integrityLevel.c_str(),
processInformation->sessionId,
mailslotCreationEvent->FileName,
mailslotCreationEvent->RequestedRights
);
//
// Free the memory allocated for the event data
//
free(mailslotCreationEvent);
// break is required here: without it execution falls through into case 14 and emits a spurious Mailslot Connection event
break;
}
case 14:
{
printf("Mailslot Connection Event\n");
PMailslotConnectionEvent mailslotConnectionEvent = (PMailslotConnectionEvent)malloc(sizeof(MailslotConnectionEvent));
if (mailslotConnectionEvent == nullptr) {
OutputDebugString(L"Error allocating memory for mailslotConnectionEvent\n");
status = ERROR_NOT_ENOUGH_MEMORY;
goto Exit;
}
mailslotConnectionEvent->EventId = *(INT32*)propertyDataVector[0];
mailslotConnectionEvent->SourceThreadId = *(INT64*)propertyDataVector[1];
mailslotConnectionEvent->SourceProcessId = *(INT64*)propertyDataVector[2];
mailslotConnectionEvent->SourceProcessStartKey = *(UINT64*)propertyDataVector[3];
mailslotConnectionEvent->FileName = (WCHAR*)propertyDataVector[4];
mailslotConnectionEvent->RequestedRights = *(INT32*)propertyDataVector[5];
mailslotConnectionEvent->EventTime = *(FILETIME*)propertyDataVector[6];
FileTimeToSystemTime(&mailslotConnectionEvent->EventTime, &systemTime);
PProcessInformation processInformation;
processInformation = GetProcessName(mailslotConnectionEvent->SourceProcessId);
// Check if processInformation is not nullptr before dereferencing it; free the event on the early exit
if (processInformation == nullptr) {
printf("Process not found\n");
free(mailslotConnectionEvent);
break;
}
EventWriteMailslotConnection(
&systemTime,
processInformation->processName.c_str(),
mailslotConnectionEvent->SourceProcessId,
mailslotConnectionEvent->SourceThreadId,
mailslotConnectionEvent->SourceProcessStartKey,
processInformation->userName.c_str(),
processInformation->authenticationId.LowPart,
processInformation->integrityLevel.c_str(),
processInformation->sessionId,
mailslotConnectionEvent->FileName,
mailslotConnectionEvent->RequestedRights
);
//
// Free the memory allocated for the event data
//
free(mailslotConnectionEvent);
break;
}
case 15:
{
printf("Remote File Connection Event\n");
PRemoteFileConnectionEvent remoteFileConnectionEvent = (PRemoteFileConnectionEvent)malloc(sizeof(RemoteFileConnectionEvent));
if (remoteFileConnectionEvent == nullptr) {
OutputDebugString(L"Error allocating memory for remoteFileConnectionEvent\n");
status = ERROR_NOT_ENOUGH_MEMORY;
goto Exit;
}
remoteFileConnectionEvent->EventId = *(INT32*)propertyDataVector[0];
remoteFileConnectionEvent->SourceThreadId = *(INT64*)propertyDataVector[1];
remoteFileConnectionEvent->SourceProcessId = *(INT64*)propertyDataVector[2];
remoteFileConnectionEvent->SourceProcessStartKey = *(UINT64*)propertyDataVector[3];
remoteFileConnectionEvent->FileName = (WCHAR*)propertyDataVector[4];
remoteFileConnectionEvent->EventTime = *(FILETIME*)propertyDataVector[5];
FileTimeToSystemTime(&remoteFileConnectionEvent->EventTime, &systemTime);
PProcessInformation processInformation;
processInformation = GetProcessName(remoteFileConnectionEvent->SourceProcessId);
// Check if processInformation is not nullptr before dereferencing it; free the event on the early exit
if (processInformation == nullptr) {
printf("Process not found\n");
free(remoteFileConnectionEvent);
break;
}
EventWriteRemoteFileConnection(
&systemTime,
processInformation->processName.c_str(),
remoteFileConnectionEvent->SourceProcessId,
remoteFileConnectionEvent->SourceThreadId,
remoteFileConnectionEvent->SourceProcessStartKey,
processInformation->userName.c_str(),
processInformation->authenticationId.LowPart,
processInformation->integrityLevel.c_str(),
processInformation->sessionId,
remoteFileConnectionEvent->FileName
);
//
// Free the memory allocated for the event data
//
free(remoteFileConnectionEvent);
break;
}
case 16:
{
std::wstring integrityLevelString;
OutputDebugStringW(L"Query - Thread Token Impersonation Event\n");
PThreadImpersonationEvent threadImpersonationEvent = (PThreadImpersonationEvent)malloc(sizeof(ThreadImpersonationEvent));
if (threadImpersonationEvent == nullptr) {
OutputDebugString(L"Error allocating memory for threadImpersonationEvent\n");
status = ERROR_NOT_ENOUGH_MEMORY;
goto Exit;
}
threadImpersonationEvent->EventId = *(INT32*)propertyDataVector[0];
threadImpersonationEvent->ThreadId = *(UINT32*)propertyDataVector[1];
threadImpersonationEvent->ProcessId = *(UINT32*)propertyDataVector[2];
threadImpersonationEvent->threadIntegrityLevel = *(UINT32*)propertyDataVector[3];
threadImpersonationEvent->EventTime = *(SYSTEMTIME*)propertyDataVector[4];
threadImpersonationEvent->ImpersonatedUser = (WCHAR*)propertyDataVector[5];
// Only High (0x3000) and System (0x4000) integrity impersonation tokens are reported; anything else is dropped
switch(threadImpersonationEvent->threadIntegrityLevel) {
case 12288:
integrityLevelString = L"High";
break;
case 16384:
integrityLevelString = L"System";
break;
default:
free(threadImpersonationEvent);
goto Exit;
}
PProcessInformation processInformation;
processInformation = GetProcessName(threadImpersonationEvent->ProcessId);
// Check if processInformation is not nullptr before dereferencing it; free the event on the early exit
if (processInformation == nullptr) {
OutputDebugStringW(L"Query - Thread Token Impersonation Event Process Information Not Found\n");
free(threadImpersonationEvent);
break;
}
EventWriteQueryTokenImpersonation(
&threadImpersonationEvent->EventTime,
processInformation->processName.c_str(),
threadImpersonationEvent->ProcessId,
processInformation->userName.c_str(),
processInformation->authenticationId.LowPart,
processInformation->integrityLevel.c_str(),
threadImpersonationEvent->ThreadId,
integrityLevelString.c_str(),
threadImpersonationEvent->ImpersonatedUser
);
//
// Free the memory allocated for the event data
//
free(threadImpersonationEvent);
break;
}
case 100:
{
printf("TraceLogging Provider Registered Event\n");
PTraceLoggingProviderRegistered traceLoggingProviderRegistered = (PTraceLoggingProviderRegistered)malloc(sizeof(TraceLoggingProviderRegistered));
if (traceLoggingProviderRegistered == nullptr) {
OutputDebugString(L"Error allocating memory for traceLoggingProviderRegistered\n");
status = ERROR_NOT_ENOUGH_MEMORY;
goto Exit;
}
traceLoggingProviderRegistered->EventId = *(INT32*)propertyDataVector[0];
traceLoggingProviderRegistered->IsRegistered = *(BOOL*)propertyDataVector[1];
printf(" EventId %d\n", traceLoggingProviderRegistered->EventId);
printf(" IsRegistered: %s\n", traceLoggingProviderRegistered->IsRegistered ? "true" : "false");
printf("\n");
//
// Free the memory allocated for the event data
//
free(traceLoggingProviderRegistered);
break;
}
case 101:
{
printf("Event Schema Configuration Event\n");
PEventSchemaConfiguration eventSchemaConfiguration = (PEventSchemaConfiguration)malloc(sizeof(EventSchemaConfiguration));
if (eventSchemaConfiguration == nullptr) {
OutputDebugString(L"Error allocating memory for eventSchemaConfiguration\n");
status = ERROR_NOT_ENOUGH_MEMORY;
goto Exit;
}
eventSchemaConfiguration->EventId = *(INT32*)propertyDataVector[0];
eventSchemaConfiguration->ProcessCreation = *(BOOL*)propertyDataVector[1];
eventSchemaConfiguration->ProcessTermination = *(BOOL*)propertyDataVector[2];
eventSchemaConfiguration->RegistryEvents = *(BOOL*)propertyDataVector[3];
eventSchemaConfiguration->ProcessHandleCreation = *(BOOL*)propertyDataVector[4];
eventSchemaConfiguration->ProcessHandleDuplication = *(BOOL*)propertyDataVector[5];
eventSchemaConfiguration->RemoteThreadCreation = *(BOOL*)propertyDataVector[6];
eventSchemaConfiguration->ImageLoad = *(BOOL*)propertyDataVector[7];
eventSchemaConfiguration->ThreadImpersonationEvents_KM = *(BOOL*)propertyDataVector[8];
eventSchemaConfiguration->FileEvents = *(BOOL*)propertyDataVector[9];
printf(" EventId %d\n", eventSchemaConfiguration->EventId);
printf(" ProcessCreation %s\n", eventSchemaConfiguration->ProcessCreation ? "true" : "false");
printf(" ProcessTermination %s\n", eventSchemaConfiguration->ProcessTermination ? "true" : "false");
printf(" RegistryEvents %s\n", eventSchemaConfiguration->RegistryEvents ? "true" : "false");
printf(" ProcessHandleCreation %s\n", eventSchemaConfiguration->ProcessHandleCreation ? "true" : "false");
printf(" ProcessHandleDuplication %s\n", eventSchemaConfiguration->ProcessHandleDuplication ? "true" : "false");
printf(" RemoteThreadCreation %s\n", eventSchemaConfiguration->RemoteThreadCreation ? "true" : "false");
printf(" ImageLoad %s\n", eventSchemaConfiguration->ImageLoad ? "true" : "false");
printf(" ThreadImpersonationEvents_KM %s\n", eventSchemaConfiguration->ThreadImpersonationEvents_KM ? "true" : "false");
printf(" FileEvents %s\n", eventSchemaConfiguration->FileEvents ? "true" : "false");
printf("\n");
//
// Free the memory allocated for the event data
//
free(eventSchemaConfiguration);
break;
}
case 102:
{
PDebugLog debugLog = (PDebugLog)malloc(sizeof(DebugLog));
if (debugLog == nullptr) {
OutputDebugString(L"Error allocating memory for debugLog\n");
status = ERROR_NOT_ENOUGH_MEMORY;
goto Exit;
}
debugLog->EventId = *(INT32*)propertyDataVector[0];
debugLog->ProcessProtection = *(BOOL*)propertyDataVector[1];
OutputDebugString(L"Debug Log Event\n");
OutputDebugString(L" EventId: ");
OutputDebugString(std::to_wstring(debugLog->EventId).c_str());
OutputDebugString(L"\n");
OutputDebugString(L" ProcessProtection: ");
OutputDebugString(debugLog->ProcessProtection ? L"true" : L"false");
EventWriteDebugLog102(
debugLog->EventId,
debugLog->ProcessProtection
);
free(debugLog);
break;
}
default:
{
break;
}
}
Exit:
if (pInfo != nullptr) {
free(pInfo);
}
// Free each element in propertyDataVector and the vector itself
if (propertyDataVector != nullptr) {
for (int i = 0; i < vectorSize; i++) {
if (propertyDataVector[i] != nullptr) {
free(propertyDataVector[i]);
}
}
free(propertyDataVector);
}
return status;
}
NTSTATUS WriteThreatIntelEvents(
_In_ PEVENT_RECORD EventRecord,
_In_ PEVENT_HEADER EventHeader
) {
NTSTATUS status = ERROR_SUCCESS;
DWORD bufferSize = 0;
PTRACE_EVENT_INFO pInfo = NULL;
SYSTEMTIME systemTime;
BYTE** propertyDataVector = NULL;
PProcessInformation callingProcessInformation;
PProcessInformation targetProcessInformation;
GetSystemTime(&systemTime);
switch (EventHeader->EventDescriptor.Id) {
case 1:
{
UINT32 CallingProcessId, CallingThreadId, TargetProcessId, OriginalProcessId, AllocationType, ProtectionMask;
UINT64 CallingProcessStartKey, TargetProcessStartKey, OriginalProcessStartKey, BaseAddress, RegionSize;
FILETIME CallingProcessCreationTime, CallingThreadCreationTime, TargetProcessCreateTime, OriginalProcessCreateTime;
UINT8 CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, TargetProcessSignatureLevel, TargetProcessSectionSignatureLevel, TargetProcessProtection, OriginalProcessSignatureLevel, OriginalProcessProtection, OriginalProcessSectionSignatureLevel;
status = TdhGetEventInformation(EventRecord, 0, NULL, NULL, &bufferSize);
if (status == ERROR_INSUFFICIENT_BUFFER) {
pInfo = (PTRACE_EVENT_INFO)malloc(bufferSize);
if (!pInfo) {
OutputDebugString(L"Error allocating memory for event info\n");
status = ERROR_NOT_ENOUGH_MEMORY;
goto Exit;
}
status = TdhGetEventInformation(EventRecord, 0, NULL, pInfo, &bufferSize);
}
        if (status != ERROR_SUCCESS || pInfo == NULL) {
            OutputDebugString(L"Error fetching event info\n");
            if (status == ERROR_SUCCESS) {
                status = ERROR_INVALID_DATA;
            }
            // goto Exit (not return) so a pInfo allocated before the second
            // TdhGetEventInformation call failed is released
            goto Exit;
        }
        //
        // Allocate memory for property data vector (zeroed so every unused
        // slot is nullptr and the free loop at Exit is safe on any path)
        //
        propertyDataVector = (BYTE**)calloc(pInfo->TopLevelPropertyCount, sizeof(BYTE*));
        if (!propertyDataVector) {
            OutputDebugString(L"Error allocating memory for propertyDataVector\n");
            status = ERROR_NOT_ENOUGH_MEMORY;
            goto Exit;
        }
status = ProcessEtwEvent(EventRecord, pInfo, propertyDataVector);
if (status != ERROR_SUCCESS) {
OutputDebugString(L"Error processing ETW event\n");
goto Exit;
}
CallingProcessId = *(UINT32*)propertyDataVector[0];
CallingProcessCreationTime = *(FILETIME*)propertyDataVector[1];
CallingProcessStartKey = *(UINT64*)propertyDataVector[2];
CallingProcessSignatureLevel = *(UINT8*)propertyDataVector[3];
CallingProcessSectionSignatureLevel = *(UINT8*)propertyDataVector[4];
CallingProcessProtection = *(UINT8*)propertyDataVector[5];
CallingThreadId = *(UINT32*)propertyDataVector[6];
CallingThreadCreationTime = *(FILETIME*)propertyDataVector[7];
TargetProcessId = *(UINT32*)propertyDataVector[8];
TargetProcessCreateTime = *(FILETIME*)propertyDataVector[9];
TargetProcessStartKey = *(UINT64*)propertyDataVector[10];
TargetProcessSignatureLevel = *(UINT8*)propertyDataVector[11];
TargetProcessSectionSignatureLevel = *(UINT8*)propertyDataVector[12];
TargetProcessProtection = *(UINT8*)propertyDataVector[13];
OriginalProcessId = *(UINT32*)propertyDataVector[14];
OriginalProcessCreateTime = *(FILETIME*)propertyDataVector[15];
OriginalProcessStartKey = *(UINT64*)propertyDataVector[16];
OriginalProcessSignatureLevel = *(UINT8*)propertyDataVector[17];
OriginalProcessSectionSignatureLevel = *(UINT8*)propertyDataVector[18];
OriginalProcessProtection = *(UINT8*)propertyDataVector[19];
BaseAddress = *(UINT64*)propertyDataVector[20];
RegionSize = *(UINT64*)propertyDataVector[21];
AllocationType = *(UINT32*)propertyDataVector[22];
ProtectionMask = *(UINT32*)propertyDataVector[23];
if (CallingProcessId == TargetProcessId)
{
goto Exit;
}
callingProcessInformation = GetProcessName(CallingProcessId);
if (callingProcessInformation == nullptr) {
OutputDebugString(L"ThreatIntel ETW - Error getting process name\n");
goto Exit;
}
targetProcessInformation = GetProcessName(TargetProcessId);
if (targetProcessInformation == nullptr) {
OutputDebugString(L"ThreatIntel ETW - Error getting process name\n");
goto Exit;
}
EventWriteRemoteVirtualAllocation(
&systemTime,
callingProcessInformation->processName.c_str(),
callingProcessInformation->processId,
callingProcessInformation->userName.c_str(),
callingProcessInformation->authenticationId.LowPart,
callingProcessInformation->integrityLevel.c_str(),
callingProcessInformation->sessionId,
CallingThreadId,
targetProcessInformation->processName.c_str(),
targetProcessInformation->processId,
targetProcessInformation->userName.c_str(),
targetProcessInformation->authenticationId.LowPart,
targetProcessInformation->integrityLevel.c_str(),
targetProcessInformation->sessionId,
CallingProcessStartKey,
TargetProcessStartKey,
BaseAddress
);
goto Exit;
}
case 4:
{
UINT32 CallingProcessId, CallingThreadId, TargetProcessId, OriginalProcessId, TargetThreadId;
UINT64 CallingProcessStartKey, TargetProcessStartKey, OriginalProcessStartKey, ApcRoutine, ApcArgument1, ApcArgument2, ApcArgument3;
FILETIME CallingProcessCreationTime, CallingThreadCreationTime, TargetProcessCreateTime, OriginalProcessCreateTime, RealEventTime, TargetThreadCreateTime;
UINT8 CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, TargetProcessSignatureLevel, TargetProcessSectionSignatureLevel, TargetProcessProtection, OriginalProcessSignatureLevel, OriginalProcessProtection, OriginalProcessSectionSignatureLevel, TargetThreadAlertable;
status = TdhGetEventInformation(EventRecord, 0, NULL, NULL, &bufferSize);
if (status == ERROR_INSUFFICIENT_BUFFER) {
pInfo = (PTRACE_EVENT_INFO)malloc(bufferSize);
if (!pInfo) {
OutputDebugString(L"Error allocating memory for event info\n");
status = ERROR_NOT_ENOUGH_MEMORY;
goto Exit;
}
status = TdhGetEventInformation(EventRecord, 0, NULL, pInfo, &bufferSize);
}
        if (status != ERROR_SUCCESS || pInfo == NULL) {
            OutputDebugString(L"Error fetching event info\n");
            if (status == ERROR_SUCCESS) {
                status = ERROR_INVALID_DATA;
            }
            // goto Exit (not return) so a pInfo allocated before the second
            // TdhGetEventInformation call failed is released
            goto Exit;
        }
        //
        // Allocate memory for property data vector (zeroed so every unused
        // slot is nullptr and the free loop at Exit is safe on any path)
        //
        propertyDataVector = (BYTE**)calloc(pInfo->TopLevelPropertyCount, sizeof(BYTE*));
        if (!propertyDataVector) {
            OutputDebugString(L"Error allocating memory for propertyDataVector\n");
            status = ERROR_NOT_ENOUGH_MEMORY;
            goto Exit;
        }
status = ProcessEtwEvent(EventRecord, pInfo, propertyDataVector);
if (status != ERROR_SUCCESS) {
OutputDebugString(L"Error processing ETW event\n");
goto Exit;
}
CallingProcessId = *(UINT32*)propertyDataVector[0];
CallingProcessCreationTime = *(FILETIME*)propertyDataVector[1];
CallingProcessStartKey = *(UINT64*)propertyDataVector[2];
CallingProcessSignatureLevel = *(UINT8*)propertyDataVector[3];
CallingProcessSectionSignatureLevel = *(UINT8*)propertyDataVector[4];
CallingProcessProtection = *(UINT8*)propertyDataVector[5];
CallingThreadId = *(UINT32*)propertyDataVector[6];
CallingThreadCreationTime = *(FILETIME*)propertyDataVector[7];
TargetProcessId = *(UINT32*)propertyDataVector[8];
TargetProcessCreateTime = *(FILETIME*)propertyDataVector[9];
TargetProcessStartKey = *(UINT64*)propertyDataVector[10];
TargetProcessSignatureLevel = *(UINT8*)propertyDataVector[11];
TargetProcessSectionSignatureLevel = *(UINT8*)propertyDataVector[12];
TargetProcessProtection = *(UINT8*)propertyDataVector[13];
TargetThreadId = *(UINT32*)propertyDataVector[14];
TargetThreadCreateTime = *(FILETIME*)propertyDataVector[15];
OriginalProcessId = *(UINT32*)propertyDataVector[16];
OriginalProcessCreateTime = *(FILETIME*)propertyDataVector[17];
OriginalProcessStartKey = *(UINT64*)propertyDataVector[18];
OriginalProcessSignatureLevel = *(UINT8*)propertyDataVector[19];
OriginalProcessSectionSignatureLevel = *(UINT8*)propertyDataVector[20];
OriginalProcessProtection = *(UINT8*)propertyDataVector[21];
TargetThreadAlertable = *(UINT8*)propertyDataVector[22];
ApcRoutine = *(UINT64*)propertyDataVector[23];
ApcArgument1 = *(UINT64*)propertyDataVector[24];
ApcArgument2 = *(UINT64*)propertyDataVector[25];
ApcArgument3 = *(UINT64*)propertyDataVector[26];
RealEventTime = *(FILETIME*)propertyDataVector[27];
callingProcessInformation = GetProcessName(CallingProcessId);
if (callingProcessInformation == nullptr) {
OutputDebugString(L"ThreatIntel ETW - Error getting process name\n");
goto Exit;
}
targetProcessInformation = GetProcessName(TargetProcessId);
if (targetProcessInformation == nullptr) {
OutputDebugString(L"ThreatIntel ETW - Error getting process name\n");
goto Exit;
}
EventWriteRemoteQueueUserAPC(
&systemTime,
callingProcessInformation->processName.c_str(),
callingProcessInformation->processId,
callingProcessInformation->userName.c_str(),
callingProcessInformation->authenticationId.LowPart,
callingProcessInformation->integrityLevel.c_str(),
callingProcessInformation->sessionId,
CallingThreadId,
targetProcessInformation->processName.c_str(),
targetProcessInformation->processId,
targetProcessInformation->userName.c_str(),
targetProcessInformation->authenticationId.LowPart,
targetProcessInformation->integrityLevel.c_str(),
targetProcessInformation->sessionId,
CallingProcessStartKey,
TargetProcessStartKey,
ApcRoutine,
ApcArgument1,
ApcArgument2,
ApcArgument3
);
goto Exit;
}
case 13:
{
        //
        // check to see if there is a second between lastEventTime and systemTime.
        // wSecond is an unsigned WORD, so subtracting across a minute rollover
        // (e.g. 05 - 59) gives a negative delta that is always "< 1" and would
        // suppress events; compare as FILETIME ticks instead.
        //
        FILETIME nowFileTime = {};
        FILETIME lastFileTime = {};
        ULARGE_INTEGER nowTicks = {};
        ULARGE_INTEGER lastTicks = {};
        if (SystemTimeToFileTime(&systemTime, &nowFileTime) &&
            SystemTimeToFileTime(&lastEventTime, &lastFileTime)) {
            nowTicks.LowPart = nowFileTime.dwLowDateTime;
            nowTicks.HighPart = nowFileTime.dwHighDateTime;
            lastTicks.LowPart = lastFileTime.dwLowDateTime;
            lastTicks.HighPart = lastFileTime.dwHighDateTime;
            // FILETIME is in 100-nanosecond units: 10,000,000 ticks == 1 second.
            // A zero-initialised lastEventTime fails SystemTimeToFileTime and
            // therefore never suppresses the first event.
            if (nowTicks.QuadPart >= lastTicks.QuadPart &&
                nowTicks.QuadPart - lastTicks.QuadPart < 10000000ULL) {
                goto Exit;
            }
        }
        lastEventTime = systemTime;
UINT32 OperationStatus, CallingProcessId, CallingThreadId, TargetProcessId;
FILETIME CallingProcessCreateTime, CallingThreadCreateTime, TargetProcessCreateTime;
UINT64 CallingProcessStartKey, TargetProcessStartKey, BaseAddress, BytesCopied;
UINT8 CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, TargetProcessSignatureLevel, TargetProcessSectionSignatureLevel, TargetProcessProtection;
status = TdhGetEventInformation(EventRecord, 0, NULL, NULL, &bufferSize);
if (status == ERROR_INSUFFICIENT_BUFFER) {
pInfo = (PTRACE_EVENT_INFO)malloc(bufferSize);
if (!pInfo) {
OutputDebugString(L"Error allocating memory for event info\n");
status = ERROR_NOT_ENOUGH_MEMORY;
goto Exit;
}
status = TdhGetEventInformation(EventRecord, 0, NULL, pInfo, &bufferSize);
}
        if (status != ERROR_SUCCESS || pInfo == NULL) {
            OutputDebugString(L"Error fetching event info\n");
            if (status == ERROR_SUCCESS) {
                status = ERROR_INVALID_DATA;
            }
            // goto Exit (not return) so a pInfo allocated before the second
            // TdhGetEventInformation call failed is released
            goto Exit;
        }
        //
        // Allocate memory for property data vector (zeroed so every unused
        // slot is nullptr and the free loop at Exit is safe on any path)
        //
        propertyDataVector = (BYTE**)calloc(pInfo->TopLevelPropertyCount, sizeof(BYTE*));
        if (!propertyDataVector) {
            OutputDebugString(L"Error allocating memory for propertyDataVector\n");
            status = ERROR_NOT_ENOUGH_MEMORY;
            goto Exit;
        }
status = ProcessEtwEvent(EventRecord, pInfo, propertyDataVector);
if (status != ERROR_SUCCESS) {
OutputDebugString(L"Error processing ETW event\n");
goto Exit;
}
OperationStatus = *(UINT32*)propertyDataVector[0];
CallingProcessId = *(UINT32*)propertyDataVector[1];
CallingProcessCreateTime = *(FILETIME*)propertyDataVector[2];
CallingProcessStartKey = *(UINT64*)propertyDataVector[3];
CallingProcessSignatureLevel = *(UINT8*)propertyDataVector[4];
CallingProcessSectionSignatureLevel = *(UINT8*)propertyDataVector[5];
CallingProcessProtection = *(UINT8*)propertyDataVector[6];
CallingThreadId = *(UINT32*)propertyDataVector[7];
CallingThreadCreateTime = *(FILETIME*)propertyDataVector[8];
TargetProcessId = *(UINT32*)propertyDataVector[9];
TargetProcessCreateTime = *(FILETIME*)propertyDataVector[10];
TargetProcessStartKey = *(UINT64*)propertyDataVector[11];
TargetProcessSignatureLevel = *(UINT8*)propertyDataVector[12];
TargetProcessSectionSignatureLevel = *(UINT8*)propertyDataVector[13];
TargetProcessProtection = *(UINT8*)propertyDataVector[14];
BaseAddress = *(UINT64*)propertyDataVector[15];
BytesCopied = *(UINT64*)propertyDataVector[16];
if (TargetProcessId != lsassPID)
{
goto Exit;
}
callingProcessInformation = GetProcessName(CallingProcessId);
if (callingProcessInformation == nullptr) {
OutputDebugString(L"ThreatIntel ETW - Error getting process name\n");
goto Exit;
}
targetProcessInformation = GetProcessName(TargetProcessId);
if (targetProcessInformation == nullptr) {
OutputDebugString(L"ThreatIntel ETW - Error getting process name\n");
goto Exit;
}
EventWriteRemoteReadProcessMemory(
&systemTime,
callingProcessInformation->processName.c_str(),
callingProcessInformation->processId,
callingProcessInformation->userName.c_str(),
callingProcessInformation->authenticationId.LowPart,
callingProcessInformation->integrityLevel.c_str(),
callingProcessInformation->sessionId,
CallingThreadId,
targetProcessInformation->processName.c_str(),
targetProcessInformation->processId,
targetProcessInformation->userName.c_str(),
targetProcessInformation->authenticationId.LowPart,
targetProcessInformation->integrityLevel.c_str(),
targetProcessInformation->sessionId,
CallingProcessStartKey,
TargetProcessStartKey
);
goto Exit;
}
case 14:
{
UINT32 OperationStatus, CallingProcessId, CallingThreadId, TargetProcessId;
FILETIME CallingProcessCreateTime, CallingThreadCreateTime, TargetProcessCreateTime;
UINT64 CallingProcessStartKey, TargetProcessStartKey, BaseAddress, BytesCopied;
UINT8 CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, TargetProcessSignatureLevel, TargetProcessSectionSignatureLevel, TargetProcessProtection;
status = TdhGetEventInformation(EventRecord, 0, NULL, NULL, &bufferSize);
if (status == ERROR_INSUFFICIENT_BUFFER) {
pInfo = (PTRACE_EVENT_INFO)malloc(bufferSize);
if (!pInfo) {
OutputDebugString(L"Error allocating memory for event info\n");
status = ERROR_NOT_ENOUGH_MEMORY;
goto Exit;
}
status = TdhGetEventInformation(EventRecord, 0, NULL, pInfo, &bufferSize);
}
        if (status != ERROR_SUCCESS || pInfo == NULL) {
            OutputDebugString(L"Error fetching event info\n");
            if (status == ERROR_SUCCESS) {
                status = ERROR_INVALID_DATA;
            }
            // goto Exit (not return) so a pInfo allocated before the second
            // TdhGetEventInformation call failed is released
            goto Exit;
        }
        //
        // Allocate memory for property data vector (zeroed so every unused
        // slot is nullptr and the free loop at Exit is safe on any path)
        //
        propertyDataVector = (BYTE**)calloc(pInfo->TopLevelPropertyCount, sizeof(BYTE*));
        if (!propertyDataVector) {
            OutputDebugString(L"Error allocating memory for propertyDataVector\n");
            status = ERROR_NOT_ENOUGH_MEMORY;
            goto Exit;
        }
status = ProcessEtwEvent(EventRecord, pInfo, propertyDataVector);
if (status != ERROR_SUCCESS) {
OutputDebugString(L"Error processing ETW event\n");
goto Exit;
}
OperationStatus = *(UINT32*)propertyDataVector[0];
CallingProcessId = *(UINT32*)propertyDataVector[1];
CallingProcessCreateTime = *(FILETIME*)propertyDataVector[2];
CallingProcessStartKey = *(UINT64*)propertyDataVector[3];
CallingProcessSignatureLevel = *(UINT8*)propertyDataVector[4];
CallingProcessSectionSignatureLevel = *(UINT8*)propertyDataVector[5];
CallingProcessProtection = *(UINT8*)propertyDataVector[6];
CallingThreadId = *(UINT32*)propertyDataVector[7];
CallingThreadCreateTime = *(FILETIME*)propertyDataVector[8];
TargetProcessId = *(UINT32*)propertyDataVector[9];
TargetProcessCreateTime = *(FILETIME*)propertyDataVector[10];
TargetProcessStartKey = *(UINT64*)propertyDataVector[11];
TargetProcessSignatureLevel = *(UINT8*)propertyDataVector[12];
TargetProcessSectionSignatureLevel = *(UINT8*)propertyDataVector[13];
TargetProcessProtection = *(UINT8*)propertyDataVector[14];
BaseAddress = *(UINT64*)propertyDataVector[15];
BytesCopied = *(UINT64*)propertyDataVector[16];
callingProcessInformation = GetProcessName(CallingProcessId);
if (callingProcessInformation == nullptr) {
OutputDebugString(L"ThreatIntel ETW - Error getting process name\n");
goto Exit;
}
targetProcessInformation = GetProcessName(TargetProcessId);
if (targetProcessInformation == nullptr) {
OutputDebugString(L"ThreatIntel ETW - Error getting process name\n");
goto Exit;
}
EventWriteRemoteWriteProcessMemory(
&systemTime,
callingProcessInformation->processName.c_str(),
callingProcessInformation->processId,
callingProcessInformation->userName.c_str(),
callingProcessInformation->authenticationId.LowPart,
callingProcessInformation->integrityLevel.c_str(),
callingProcessInformation->sessionId,
CallingThreadId,
targetProcessInformation->processName.c_str(),
targetProcessInformation->processId,
targetProcessInformation->userName.c_str(),
targetProcessInformation->authenticationId.LowPart,
targetProcessInformation->integrityLevel.c_str(),
targetProcessInformation->sessionId,
CallingProcessStartKey,
TargetProcessStartKey
);
goto Exit;
}
case 21:
{
UINT32 CallingProcessId, CallingThreadId, TargetProcessId, OriginalProcessId, AllocationType, ProtectionMask;
UINT64 CallingProcessStartKey, TargetProcessStartKey, OriginalProcessStartKey, BaseAddress, RegionSize;
FILETIME CallingProcessCreationTime, CallingThreadCreationTime, TargetProcessCreateTime, OriginalProcessCreateTime;
UINT8 CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, TargetProcessSignatureLevel, TargetProcessSectionSignatureLevel, TargetProcessProtection, OriginalProcessSignatureLevel, OriginalProcessProtection, OriginalProcessSectionSignatureLevel;
status = TdhGetEventInformation(EventRecord, 0, NULL, NULL, &bufferSize);
if (status == ERROR_INSUFFICIENT_BUFFER) {
pInfo = (PTRACE_EVENT_INFO)malloc(bufferSize);
if (!pInfo) {
OutputDebugString(L"Error allocating memory for event info\n");
status = ERROR_NOT_ENOUGH_MEMORY;
goto Exit;
}
status = TdhGetEventInformation(EventRecord, 0, NULL, pInfo, &bufferSize);
}
        if (status != ERROR_SUCCESS || pInfo == NULL) {
            OutputDebugString(L"Error fetching event info\n");
            if (status == ERROR_SUCCESS) {
                status = ERROR_INVALID_DATA;
            }
            // goto Exit (not return) so a pInfo allocated before the second
            // TdhGetEventInformation call failed is released
            goto Exit;
        }
        //
        // Allocate memory for property data vector (zeroed so every unused
        // slot is nullptr and the free loop at Exit is safe on any path)
        //
        propertyDataVector = (BYTE**)calloc(pInfo->TopLevelPropertyCount, sizeof(BYTE*));
        if (!propertyDataVector) {
            OutputDebugString(L"Error allocating memory for propertyDataVector\n");
            status = ERROR_NOT_ENOUGH_MEMORY;
            goto Exit;
        }
status = ProcessEtwEvent(EventRecord, pInfo, propertyDataVector);
if (status != ERROR_SUCCESS) {
OutputDebugString(L"Error processing ETW event\n");
goto Exit;
}
CallingProcessId = *(UINT32*)propertyDataVector[0];
CallingProcessCreationTime = *(FILETIME*)propertyDataVector[1];
CallingProcessStartKey = *(UINT64*)propertyDataVector[2];
CallingProcessSignatureLevel = *(UINT8*)propertyDataVector[3];
CallingProcessSectionSignatureLevel = *(UINT8*)propertyDataVector[4];
CallingProcessProtection = *(UINT8*)propertyDataVector[5];
CallingThreadId = *(UINT32*)propertyDataVector[6];
CallingThreadCreationTime = *(FILETIME*)propertyDataVector[7];
TargetProcessId = *(UINT32*)propertyDataVector[8];
TargetProcessCreateTime = *(FILETIME*)propertyDataVector[9];
TargetProcessStartKey = *(UINT64*)propertyDataVector[10];
TargetProcessSignatureLevel = *(UINT8*)propertyDataVector[11];
TargetProcessSectionSignatureLevel = *(UINT8*)propertyDataVector[12];
TargetProcessProtection = *(UINT8*)propertyDataVector[13];
OriginalProcessId = *(UINT32*)propertyDataVector[14];
OriginalProcessCreateTime = *(FILETIME*)propertyDataVector[15];
OriginalProcessStartKey = *(UINT64*)propertyDataVector[16];
OriginalProcessSignatureLevel = *(UINT8*)propertyDataVector[17];
OriginalProcessSectionSignatureLevel = *(UINT8*)propertyDataVector[18];
OriginalProcessProtection = *(UINT8*)propertyDataVector[19];
BaseAddress = *(UINT64*)propertyDataVector[20];
RegionSize = *(UINT64*)propertyDataVector[21];
AllocationType = *(UINT32*)propertyDataVector[22];
ProtectionMask = *(UINT32*)propertyDataVector[23];
if (CallingProcessId == TargetProcessId)
{
goto Exit;
}
callingProcessInformation = GetProcessName(CallingProcessId);
if (callingProcessInformation == nullptr) {
OutputDebugString(L"ThreatIntel ETW - Error getting process name\n");
goto Exit;
}
targetProcessInformation = GetProcessName(TargetProcessId);
if (targetProcessInformation == nullptr) {
OutputDebugString(L"ThreatIntel ETW - Error getting process name\n");
goto Exit;
}
EventWriteRemoteReadProcessMemory(
&systemTime,
callingProcessInformation->processName.c_str(),
callingProcessInformation->processId,
callingProcessInformation->userName.c_str(),
callingProcessInformation->authenticationId.LowPart,
callingProcessInformation->integrityLevel.c_str(),
callingProcessInformation->sessionId,
CallingThreadId,
targetProcessInformation->processName.c_str(),
targetProcessInformation->processId,
targetProcessInformation->userName.c_str(),
targetProcessInformation->authenticationId.LowPart,
targetProcessInformation->integrityLevel.c_str(),
targetProcessInformation->sessionId,
CallingProcessStartKey,
TargetProcessStartKey
);
goto Exit;
}
case 24:
{
UINT32 CallingProcessId, CallingThreadId, TargetProcessId, OriginalProcessId, TargetThreadId;
UINT64 CallingProcessStartKey, TargetProcessStartKey, OriginalProcessStartKey, ApcRoutine, ApcArgument1, ApcArgument2, ApcArgument3;
FILETIME CallingProcessCreationTime, CallingThreadCreationTime, TargetProcessCreateTime, OriginalProcessCreateTime, RealEventTime, TargetThreadCreateTime;
UINT8 CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, TargetProcessSignatureLevel, TargetProcessSectionSignatureLevel, TargetProcessProtection, OriginalProcessSignatureLevel, OriginalProcessProtection, OriginalProcessSectionSignatureLevel, TargetThreadAlertable;
status = TdhGetEventInformation(EventRecord, 0, NULL, NULL, &bufferSize);
if (status == ERROR_INSUFFICIENT_BUFFER) {
pInfo = (PTRACE_EVENT_INFO)malloc(bufferSize);
if (!pInfo) {
OutputDebugString(L"Error allocating memory for event info\n");
status = ERROR_NOT_ENOUGH_MEMORY;
goto Exit;
}
status = TdhGetEventInformation(EventRecord, 0, NULL, pInfo, &bufferSize);
}
        if (status != ERROR_SUCCESS || pInfo == NULL) {
            OutputDebugString(L"Error fetching event info\n");
            if (status == ERROR_SUCCESS) {
                status = ERROR_INVALID_DATA;
            }
            // goto Exit (not return) so a pInfo allocated before the second
            // TdhGetEventInformation call failed is released
            goto Exit;
        }
        //
        // Allocate memory for property data vector (zeroed so every unused
        // slot is nullptr and the free loop at Exit is safe on any path)
        //
        propertyDataVector = (BYTE**)calloc(pInfo->TopLevelPropertyCount, sizeof(BYTE*));
        if (!propertyDataVector) {
            OutputDebugString(L"Error allocating memory for propertyDataVector\n");
            status = ERROR_NOT_ENOUGH_MEMORY;
            goto Exit;
        }
status = ProcessEtwEvent(EventRecord, pInfo, propertyDataVector);
if (status != ERROR_SUCCESS) {
OutputDebugString(L"Error processing ETW event\n");
goto Exit;
}
CallingProcessId = *(UINT32*)propertyDataVector[0];
CallingProcessCreationTime = *(FILETIME*)propertyDataVector[1];
CallingProcessStartKey = *(UINT64*)propertyDataVector[2];
CallingProcessSignatureLevel = *(UINT8*)propertyDataVector[3];
CallingProcessSectionSignatureLevel = *(UINT8*)propertyDataVector[4];
CallingProcessProtection = *(UINT8*)propertyDataVector[5];
CallingThreadId = *(UINT32*)propertyDataVector[6];
CallingThreadCreationTime = *(FILETIME*)propertyDataVector[7];
TargetProcessId = *(UINT32*)propertyDataVector[8];
TargetProcessCreateTime = *(FILETIME*)propertyDataVector[9];
TargetProcessStartKey = *(UINT64*)propertyDataVector[10];
TargetProcessSignatureLevel = *(UINT8*)propertyDataVector[11];
TargetProcessSectionSignatureLevel = *(UINT8*)propertyDataVector[12];
TargetProcessProtection = *(UINT8*)propertyDataVector[13];
TargetThreadId = *(UINT32*)propertyDataVector[14];
TargetThreadCreateTime = *(FILETIME*)propertyDataVector[15];
OriginalProcessId = *(UINT32*)propertyDataVector[16];
OriginalProcessCreateTime = *(FILETIME*)propertyDataVector[17];
OriginalProcessStartKey = *(UINT64*)propertyDataVector[18];
OriginalProcessSignatureLevel = *(UINT8*)propertyDataVector[19];
OriginalProcessSectionSignatureLevel = *(UINT8*)propertyDataVector[20];
OriginalProcessProtection = *(UINT8*)propertyDataVector[21];
TargetThreadAlertable = *(UINT8*)propertyDataVector[22];
ApcRoutine = *(UINT64*)propertyDataVector[23];
ApcArgument1 = *(UINT64*)propertyDataVector[24];
ApcArgument2 = *(UINT64*)propertyDataVector[25];
ApcArgument3 = *(UINT64*)propertyDataVector[26];
RealEventTime = *(FILETIME*)propertyDataVector[27];
callingProcessInformation = GetProcessName(CallingProcessId);
if (callingProcessInformation == nullptr) {
OutputDebugString(L"ThreatIntel ETW - Error getting process name\n");
goto Exit;
}
targetProcessInformation = GetProcessName(TargetProcessId);
if (targetProcessInformation == nullptr) {
OutputDebugString(L"ThreatIntel ETW - Error getting process name\n");
goto Exit;
}
EventWriteRemoteQueueUserAPC(
&systemTime,
callingProcessInformation->processName.c_str(),
callingProcessInformation->processId,
callingProcessInformation->userName.c_str(),
callingProcessInformation->authenticationId.LowPart,
callingProcessInformation->integrityLevel.c_str(),
callingProcessInformation->sessionId,
CallingThreadId,
targetProcessInformation->processName.c_str(),
targetProcessInformation->processId,
targetProcessInformation->userName.c_str(),
targetProcessInformation->authenticationId.LowPart,
targetProcessInformation->integrityLevel.c_str(),
targetProcessInformation->sessionId,
CallingProcessStartKey,
TargetProcessStartKey,
ApcRoutine,
ApcArgument1,
ApcArgument2,
ApcArgument3
);
goto Exit;
}
default:
{
goto Exit;
}
}
Exit:
    // Free each element in propertyDataVector and the vector itself.
    // The vector is sized from pInfo->TopLevelPropertyCount, so pInfo is
    // always valid whenever the vector was allocated; the extra check keeps
    // the loop from dereferencing a NULL pInfo on any future path.
    if (propertyDataVector != nullptr && pInfo != nullptr) {
        for (ULONG i = 0; i < pInfo->TopLevelPropertyCount; i++) {
            if (propertyDataVector[i] != nullptr) {
                free(propertyDataVector[i]);
            }
        }
        free(propertyDataVector);
    }
    if (pInfo != nullptr) {
        free(pInfo);
    }
    // Propagate the real status instead of always reporting success
    return status;
}
BOOL WriteNetworkEvents(
_In_ PEVENT_RECORD EventRecord,
_In_ PEVENT_HEADER EventHeader
) {
NTSTATUS status = ERROR_SUCCESS;
DWORD bufferSize = 0;
PTRACE_EVENT_INFO pInfo = nullptr;
BYTE** propertyDataVector = nullptr;
int vectorCapacity = 10;
int vectorSize = 0;
SYSTEMTIME systemTime;
UINT32 processId, size, sourceAddress, destinationAddress;
UINT16 sourcePort, destinationPort;
PProcessInformation processInformation;
WCHAR wide_deststring_ip[INET_ADDRSTRLEN];
WCHAR wide_sourcestring_ip[INET_ADDRSTRLEN];
struct in_addr srceaddr = {};
struct in_addr destaddr = {};
BOOL isInitiated = false;
switch (EventHeader->EventDescriptor.Id) {
case 10:
{
isInitiated = true;
//
// Get System Time
//
GetSystemTime(&systemTime);
// Fetch initial event information size
status = TdhGetEventInformation(EventRecord, 0, NULL, NULL, &bufferSize);
if (status == ERROR_INSUFFICIENT_BUFFER) {
pInfo = (PTRACE_EVENT_INFO)malloc(bufferSize);
if (!pInfo) {
OutputDebugString(L"Error allocating memory for event info\n");
status = ERROR_NOT_ENOUGH_MEMORY;
goto Exit;
}
status = TdhGetEventInformation(EventRecord, 0, NULL, pInfo, &bufferSize);
}
        if (status != ERROR_SUCCESS || pInfo == nullptr) {
            OutputDebugString(L"Error fetching event info\n");
            if (status == ERROR_SUCCESS) {
                status = ERROR_INVALID_DATA;
            }
            // goto Exit (not return) so a pInfo allocated before the second
            // TdhGetEventInformation call failed is released
            goto Exit;
        }
        // Allocate memory for property data vector
        propertyDataVector = (BYTE**)malloc(vectorCapacity * sizeof(BYTE*));
        if (!propertyDataVector) {
            OutputDebugString(L"Error allocating memory for propertyDataVector\n");
            status = ERROR_NOT_ENOUGH_MEMORY;
            goto Exit;
        }
// Process each property in the event
for (ULONG i = 0; i < pInfo->TopLevelPropertyCount; i++) {
PROPERTY_DATA_DESCRIPTOR dataDescriptor;
DWORD propertySize = 0;
WCHAR* propertyName = (WCHAR*)((BYTE*)pInfo + pInfo->EventPropertyInfoArray[i].NameOffset);
dataDescriptor.PropertyName = (ULONGLONG)propertyName;
dataDescriptor.ArrayIndex = ULONG_MAX;
// Determine the size of the property
status = TdhGetPropertySize(EventRecord, 0, NULL, 1, &dataDescriptor, &propertySize);
if (status != ERROR_SUCCESS) {
wprintf(L"Error getting size for property %ls\n", propertyName);
goto Exit;
}
            BYTE* propertyData = (BYTE*)malloc(propertySize);
            if (!propertyData) {
                wprintf(L"Error allocating memory for property %ls\n", propertyName);
                status = ERROR_NOT_ENOUGH_MEMORY;
                goto Exit;
            }
            // Get the actual property data
            status = TdhGetProperty(EventRecord, 0, NULL, 1, &dataDescriptor, propertySize, propertyData);
            if (status != ERROR_SUCCESS) {
                wprintf(L"Error getting data for property %ls\n", propertyName);
                // Not yet owned by the vector, so Exit would not free it
                free(propertyData);
                goto Exit;
            }
            // Check if we need to resize the vector
            if (vectorSize == vectorCapacity) {
                BYTE** resizedVector = (BYTE**)realloc(propertyDataVector, 2 * vectorCapacity * sizeof(BYTE*));
                if (!resizedVector) {
                    OutputDebugString(L"Error resizing propertyDataVector\n");
                    // realloc failure leaves the old vector valid; only this property is dropped
                    free(propertyData);
                    status = ERROR_NOT_ENOUGH_MEMORY;
                    goto Exit;
                }
                propertyDataVector = resizedVector;
                vectorCapacity *= 2;
            }
            // Add the data to the vector
            propertyDataVector[vectorSize++] = propertyData;
}
processId = *(UINT32*)propertyDataVector[0];
if (processId == 4)
{
goto Exit;
}
size = *(UINT32*)propertyDataVector[1];
destinationAddress = *(UINT32*)propertyDataVector[2];
sourceAddress = *(UINT32*)propertyDataVector[3];
sourcePort = *(UINT16*)propertyDataVector[4];
destinationPort = *(UINT16*)propertyDataVector[5];
destaddr.s_addr = destinationAddress;
srceaddr.s_addr = sourceAddress;
InetNtop(AF_INET, &srceaddr, wide_sourcestring_ip, INET_ADDRSTRLEN);
InetNtop(AF_INET, &destaddr, wide_deststring_ip, INET_ADDRSTRLEN);
        processInformation = GetProcessName(processId);
        if (processInformation == nullptr) {
            OutputDebugString(L"Network ETW - Error getting process name\n");
            goto Exit;
        }
if (processInformation->integrityLevel == L"Low")
{
goto Exit;
}
EventWriteNetworkConnection(
&systemTime,
processId,
processInformation->processName.c_str(),
wide_sourcestring_ip,
wide_deststring_ip,
sourcePort,
destinationPort,
isInitiated,
processInformation->userName.c_str(),
processInformation->authenticationId.LowPart,
processInformation->integrityLevel.c_str(),
processInformation->sessionId
);
break;
}
case 11:
{
//
// Get System Time
//
GetSystemTime(&systemTime);
// Fetch initial event information size
status = TdhGetEventInformation(EventRecord, 0, NULL, NULL, &bufferSize);
if (status == ERROR_INSUFFICIENT_BUFFER) {
pInfo = (PTRACE_EVENT_INFO)malloc(bufferSize);
if (!pInfo) {
OutputDebugString(L"Error allocating memory for event info\n");
status = ERROR_NOT_ENOUGH_MEMORY;
goto Exit;
}
status = TdhGetEventInformation(EventRecord, 0, NULL, pInfo, &bufferSize);
}
        if (status != ERROR_SUCCESS || pInfo == nullptr) {
            OutputDebugString(L"Error fetching event info\n");
            if (status == ERROR_SUCCESS) {
                status = ERROR_INVALID_DATA;
            }
            // goto Exit (not return) so a pInfo allocated before the second
            // TdhGetEventInformation call failed is released
            goto Exit;
        }
        // Allocate memory for property data vector
        propertyDataVector = (BYTE**)malloc(vectorCapacity * sizeof(BYTE*));
        if (!propertyDataVector) {
            OutputDebugString(L"Error allocating memory for propertyDataVector\n");
            status = ERROR_NOT_ENOUGH_MEMORY;
            goto Exit;
        }
// Process each property in the event
for (ULONG i = 0; i < pInfo->TopLevelPropertyCount; i++) {
PROPERTY_DATA_DESCRIPTOR dataDescriptor;
DWORD propertySize = 0;
WCHAR* propertyName = (WCHAR*)((BYTE*)pInfo + pInfo->EventPropertyInfoArray[i].NameOffset);
dataDescriptor.PropertyName = (ULONGLONG)propertyName;
dataDescriptor.ArrayIndex = ULONG_MAX;
// Determine the size of the property
status = TdhGetPropertySize(EventRecord, 0, NULL, 1, &dataDescriptor, &propertySize);
if (status != ERROR_SUCCESS) {
wprintf(L"Error getting size for property %ls\n", propertyName);
goto Exit;
}
            BYTE* propertyData = (BYTE*)malloc(propertySize);
            if (!propertyData) {
                wprintf(L"Error allocating memory for property %ls\n", propertyName);
                status = ERROR_NOT_ENOUGH_MEMORY;
                goto Exit;
            }
            // Get the actual property data
            status = TdhGetProperty(EventRecord, 0, NULL, 1, &dataDescriptor, propertySize, propertyData);
            if (status != ERROR_SUCCESS) {
                wprintf(L"Error getting data for property %ls\n", propertyName);
                // Not yet owned by the vector, so Exit would not free it
                free(propertyData);
                goto Exit;
            }
            // Check if we need to resize the vector
            if (vectorSize == vectorCapacity) {
                BYTE** resizedVector = (BYTE**)realloc(propertyDataVector, 2 * vectorCapacity * sizeof(BYTE*));
                if (!resizedVector) {
                    OutputDebugString(L"Error resizing propertyDataVector\n");
                    // realloc failure leaves the old vector valid; only this property is dropped
                    free(propertyData);
                    status = ERROR_NOT_ENOUGH_MEMORY;
                    goto Exit;
                }
                propertyDataVector = resizedVector;
                vectorCapacity *= 2;
            }
            // Add the data to the vector
            propertyDataVector[vectorSize++] = propertyData;
}
processId = *(UINT32*)propertyDataVector[0];
if (processId == 4)
{
goto Exit;
}
size = *(UINT32*)propertyDataVector[1];
destinationAddress = *(UINT32*)propertyDataVector[2];
sourceAddress = *(UINT32*)propertyDataVector[3];
sourcePort = *(UINT16*)propertyDataVector[4];
destinationPort = *(UINT16*)propertyDataVector[5];
destaddr.s_addr = sourceAddress;
srceaddr.s_addr = destinationAddress;
InetNtop(AF_INET, &srceaddr, wide_sourcestring_ip, INET_ADDRSTRLEN);
InetNtop(AF_INET, &destaddr, wide_deststring_ip, INET_ADDRSTRLEN);
        processInformation = GetProcessName(processId);
        if (processInformation == nullptr) {
            OutputDebugString(L"Network ETW - Error getting process name\n");
            goto Exit;
        }
if (processInformation->integrityLevel == L"Low")
{
goto Exit;
}
EventWriteNetworkConnection(
&systemTime,
processId,
processInformation->processName.c_str(),
wide_sourcestring_ip,
wide_deststring_ip,
sourcePort,
destinationPort,
isInitiated,
processInformation->userName.c_str(),
processInformation->authenticationId.LowPart,
processInformation->integrityLevel.c_str(),
processInformation->sessionId
);
break;
}
default:
{
break;
}
}
Exit:
if (pInfo != nullptr) {
free(pInfo);
}
// Free each element in propertyDataVector and the vector itself
if (propertyDataVector != nullptr) {
for (int i = 0; i < vectorSize; i++) {
if (propertyDataVector[i] != nullptr) {
free(propertyDataVector[i]);
}
}
free(propertyDataVector);
}
return status;
}
//
// Fetches every top-level property of an ETW event into the caller-supplied
// EventData array (one malloc'd buffer per property, indexed by property
// position). EventData must hold PropertyInfo->TopLevelPropertyCount slots.
// Ownership: the caller owns the EventData array itself and frees it at its
// own Exit label; this routine only owns the per-property buffers until they
// are handed over, and on failure releases the ones it fetched and leaves
// every slot set to nullptr so the caller's free loop is safe.
//
NTSTATUS ProcessEtwEvent(
    _In_ PEVENT_RECORD EventRecord,
    _In_ PTRACE_EVENT_INFO PropertyInfo,
    _In_ BYTE** EventData
) {
    NTSTATUS status = ERROR_SUCCESS;
    ULONG vectorSize = 0;
    ULONG propertyCount = PropertyInfo->TopLevelPropertyCount;
    //
    // Callers allocate EventData with malloc, so clear it first; otherwise a
    // partial failure would leave uninitialised pointers that the caller frees.
    //
    for (ULONG i = 0; i < propertyCount; i++) {
        EventData[i] = nullptr;
    }
    // Process each property in the event
    for (ULONG i = 0; i < propertyCount; i++) {
        PROPERTY_DATA_DESCRIPTOR dataDescriptor;
        DWORD propertySize = 0;
        WCHAR* propertyName = (WCHAR*)((BYTE*)PropertyInfo + PropertyInfo->EventPropertyInfoArray[i].NameOffset);
        dataDescriptor.PropertyName = (ULONGLONG)propertyName;
        dataDescriptor.ArrayIndex = ULONG_MAX;
        // Determine the size of the property
        status = TdhGetPropertySize(EventRecord, 0, NULL, 1, &dataDescriptor, &propertySize);
        if (status != ERROR_SUCCESS) {
            OutputDebugString(L"Error getting size for property\n");
            goto Exit;
        }
        BYTE* propertyData = (BYTE*)malloc(propertySize);
        if (!propertyData) {
            OutputDebugString(L" Error allocating memory for propertyData\n");
            // Without this the function returned ERROR_SUCCESS with a half-filled vector
            status = ERROR_NOT_ENOUGH_MEMORY;
            goto Exit;
        }
        // Get the actual property data
        status = TdhGetProperty(EventRecord, 0, NULL, 1, &dataDescriptor, propertySize, propertyData);
        if (status != ERROR_SUCCESS) {
            OutputDebugString(L"Error getting data for property\n");
            // Not yet stored in EventData, so the cleanup below would not free it
            free(propertyData);
            goto Exit;
        }
        //
        // Add the data to the vector, guarding the bound before the write
        //
        if (vectorSize >= propertyCount) {
            OutputDebugString(L"Error: vectorSize exceeded allocated EventData size\n");
            free(propertyData);
            status = ERROR_BUFFER_OVERFLOW;
            goto Exit;
        }
        EventData[vectorSize++] = propertyData;
    }
Exit:
    if (status != ERROR_SUCCESS) {
        // Release the properties fetched so far and null the slots. The
        // EventData array is NOT freed here: the caller frees it at its own
        // Exit label, and freeing it twice was a double free.
        for (ULONG i = 0; i < vectorSize; i++) {
            if (EventData[i] != nullptr) {
                free(EventData[i]);
                EventData[i] = nullptr;
            }
        }
    }
    return status;
}
BOOL WriteAMSIEvents(
_In_ PEVENT_RECORD EventRecord,
_In_ PEVENT_HEADER EventHeader
) {
ULONG64 Session;
UINT8 ScanStatus;
UINT32 ScanResult, ContentSize, OriginalSize;
std::wstring AppName, ContentName, decodedString;
BYTE* Content;
NTSTATUS status = ERROR_SUCCESS;
DWORD bufferSize = 0;
PTRACE_EVENT_INFO pInfo = NULL;
SYSTEMTIME systemTime;
BYTE** propertyDataVector = NULL;
PProcessInformation processInformation;
GetSystemTime(&systemTime);
//
// Fetch initial event information size
//
status = TdhGetEventInformation(EventRecord, 0, NULL, NULL, &bufferSize);
if (status == ERROR_INSUFFICIENT_BUFFER) {
pInfo = (PTRACE_EVENT_INFO)malloc(bufferSize);
if (!pInfo) {
OutputDebugString(L"Error allocating memory for event info\n");
status = ERROR_NOT_ENOUGH_MEMORY;
goto Exit;
}
status = TdhGetEventInformation(EventRecord, 0, NULL, pInfo, &bufferSize);
}
if (status != ERROR_SUCCESS) {
OutputDebugString(L"Error fetching event info\n");
goto Exit; // releases pInfo if the second TdhGetEventInformation call failed
}
//
// Allocate memory for property data vector
//
propertyDataVector = (BYTE**)malloc(sizeof(BYTE*) * pInfo->TopLevelPropertyCount);
if (!propertyDataVector) {
OutputDebugString(L"Error allocating memory for propertyDataVector\n");
status = ERROR_NOT_ENOUGH_MEMORY;
goto Exit;
}
status = ProcessEtwEvent(EventRecord, pInfo, propertyDataVector);
if (status != ERROR_SUCCESS) {
OutputDebugString(L"Error processing ETW event\n");
goto Exit;
}
// The AMSI event schema consumed below has eight top-level properties; do not index past a shorter one
if (pInfo->TopLevelPropertyCount < 8) {
OutputDebugString(L"AMSI - unexpected property count\n");
goto Exit;
}
Session = *(ULONG64*)propertyDataVector[0];
ScanStatus = *(UINT8*)propertyDataVector[1];
ScanResult = *(UINT32*)propertyDataVector[2];
AppName = (WCHAR*)propertyDataVector[3];
if (AppName != L"VBScript" && AppName != L"JScript" && AppName != L"OFFICE_VBA" && AppName != L"Excel" && AppName != L"Excel.exe")
{
goto Exit;
}
ContentName = (WCHAR*)propertyDataVector[4];
ContentSize = *(UINT32*)propertyDataVector[5];
OriginalSize = *(UINT32*)propertyDataVector[6];
Content = (BYTE*)propertyDataVector[7];
if (ScanResult != (UINT32)1 && ScanResult != (UINT32)32768) {
goto Exit;
}
processInformation = GetProcessName(EventHeader->ProcessId);
if (processInformation == nullptr) {
OutputDebugString(L"AMSI - Error getting process name\n");
goto Exit;
}
// Content is UTF-16 script text; ContentSize is in bytes, so convert to a character count
decodedString = std::wstring(reinterpret_cast<const wchar_t*>(Content), ContentSize / sizeof(wchar_t));
EventWriteAMSI(
&systemTime,
processInformation->processName.c_str(),
processInformation->processId,
processInformation->userName.c_str(),
processInformation->authenticationId.LowPart,
processInformation->integrityLevel.c_str(),
processInformation->sessionId,
AppName.c_str(),
ContentName.c_str(),
ScanStatus,
ScanResult,
ContentSize,
Content,
decodedString.c_str()
);
Exit:
// Free each element in propertyDataVector and the vector itself
if (propertyDataVector != nullptr) {
for (int i = 0; i < pInfo->TopLevelPropertyCount; i++) {
if (propertyDataVector[i] != nullptr) {
free(propertyDataVector[i]);
}
}
free(propertyDataVector);
}
if (pInfo != nullptr) {
free(pInfo);
}
return TRUE;
}
NTSTATUS WriteDotNetEvents(
_In_ PEVENT_RECORD EventRecord,
_In_ PEVENT_HEADER EventHeader
) {
UINT64 AssemblyID, AppDomainID, BindingID;
UINT32 AssemblyFlags;
UINT16 ClrInstanceID;
std::wstring FQAN;
NTSTATUS status = ERROR_SUCCESS;
DWORD bufferSize = 0;
PTRACE_EVENT_INFO pInfo = NULL;
SYSTEMTIME systemTime;
BYTE** propertyDataVector = NULL;
PProcessInformation processInformation;
GetSystemTime(&systemTime);
//
// Fetch initial event information size
//
status = TdhGetEventInformation(EventRecord, 0, NULL, NULL, &bufferSize);
if (status == ERROR_INSUFFICIENT_BUFFER) {
pInfo = (PTRACE_EVENT_INFO)malloc(bufferSize);
if (!pInfo) {
OutputDebugString(L"Error allocating memory for event info\n");
status = ERROR_NOT_ENOUGH_MEMORY;
goto Exit;
}
status = TdhGetEventInformation(EventRecord, 0, NULL, pInfo, &bufferSize);
}
if (status != ERROR_SUCCESS) {
OutputDebugString(L"Error fetching event info\n");
goto Exit; // releases pInfo if the second TdhGetEventInformation call failed
}
//
// Allocate memory for property data vector
//
propertyDataVector = (BYTE**)malloc(sizeof(BYTE*) * pInfo->TopLevelPropertyCount);
if (!propertyDataVector) {
OutputDebugString(L"Error allocating memory for propertyDataVector\n");
status = ERROR_NOT_ENOUGH_MEMORY;
goto Exit;
}
status = ProcessEtwEvent(EventRecord, pInfo, propertyDataVector);
if (status != ERROR_SUCCESS) {
OutputDebugString(L"Error processing ETW event\n");
goto Exit;
}
// The assembly-load event consumed below has six top-level properties; do not index past a shorter one
if (pInfo->TopLevelPropertyCount < 6) {
OutputDebugString(L"DotNet ETW - unexpected property count\n");
goto Exit;
}
AssemblyID = *(UINT64*)propertyDataVector[0];
AppDomainID = *(UINT64*)propertyDataVector[1];
BindingID = *(UINT64*)propertyDataVector[2];
AssemblyFlags = *(UINT32*)propertyDataVector[3];
FQAN = (WCHAR*)propertyDataVector[4];
ClrInstanceID = *(UINT16*)propertyDataVector[5];
processInformation = GetProcessName(EventHeader->ProcessId);
if (processInformation == nullptr) {
OutputDebugString(L"DotNet ETW - Error getting process name\n");
goto Exit;
}
EventWriteDotNetLoad(
&systemTime,
processInformation->processName.c_str(),
processInformation->processId,
processInformation->userName.c_str(),
processInformation->authenticationId.LowPart,
processInformation->integrityLevel.c_str(),
processInformation->sessionId,
FQAN.c_str(),
ClrInstanceID
);
Exit:
// Free each element in propertyDataVector and the vector itself
if (propertyDataVector != nullptr) {
for (int i = 0; i < pInfo->TopLevelPropertyCount; i++) {
if (propertyDataVector[i] != nullptr) {
free(propertyDataVector[i]);
}
}
free(propertyDataVector);
}
if (pInfo != nullptr) {
free(pInfo);
}
return status;
}
NTSTATUS WriteWMIEvents(
_In_ PEVENT_RECORD EventRecord,
_In_ PEVENT_HEADER EventHeader
) {
std::wstring Namespace, ESS, Consumer, PossibleCause;
NTSTATUS status = ERROR_SUCCESS;
DWORD bufferSize = 0;
PTRACE_EVENT_INFO pInfo = NULL;
SYSTEMTIME systemTime;
BYTE** propertyDataVector = NULL;
PProcessInformation processInformation;
GetSystemTime(&systemTime);
//
// Fetch initial event information size
//
status = TdhGetEventInformation(EventRecord, 0, NULL, NULL, &bufferSize);
if (status == ERROR_INSUFFICIENT_BUFFER) {
pInfo = (PTRACE_EVENT_INFO)malloc(bufferSize);
if (!pInfo) {
OutputDebugString(L"Error allocating memory for event info\n");
status = ERROR_NOT_ENOUGH_MEMORY;
goto Exit;
}
status = TdhGetEventInformation(EventRecord, 0, NULL, pInfo, &bufferSize);
}
if (status != ERROR_SUCCESS) {
OutputDebugString(L"Error fetching event info\n");
goto Exit; // releases pInfo if the second TdhGetEventInformation call failed
}
//
// Allocate memory for property data vector
//
propertyDataVector = (BYTE**)malloc(sizeof(BYTE*) * pInfo->TopLevelPropertyCount);
if (!propertyDataVector) {
OutputDebugString(L"Error allocating memory for propertyDataVector\n");
status = ERROR_NOT_ENOUGH_MEMORY;
goto Exit;
}
status = ProcessEtwEvent(EventRecord, pInfo, propertyDataVector);
if (status != ERROR_SUCCESS) {
OutputDebugString(L"Error processing ETW event\n");
goto Exit;
}
processInformation = GetProcessName(EventHeader->ProcessId);
if (processInformation == nullptr) {
OutputDebugString(L"WMI ETW - Error getting process name\n");
goto Exit;
}
// The WMI event-filter event consumed below has four top-level properties; do not index past a shorter one
if (pInfo->TopLevelPropertyCount < 4) {
OutputDebugString(L"WMI ETW - unexpected property count\n");
goto Exit;
}
Namespace = (WCHAR*)propertyDataVector[0];
ESS = (WCHAR*)propertyDataVector[1];
Consumer = (WCHAR*)propertyDataVector[2];
PossibleCause = (WCHAR*)propertyDataVector[3];
EventWriteWMIEventFilter(
&systemTime,
processInformation->processName.c_str(),
processInformation->processId,
processInformation->userName.c_str(),
processInformation->authenticationId.LowPart,
processInformation->integrityLevel.c_str(),
processInformation->sessionId,
Namespace.c_str(),
ESS.c_str(),
Consumer.c_str(),
PossibleCause.c_str()
);
Exit:
// Free each element in propertyDataVector and the vector itself
if (propertyDataVector != nullptr) {
for (int i = 0; i < pInfo->TopLevelPropertyCount; i++) {
if (propertyDataVector[i] != nullptr) {
free(propertyDataVector[i]);
}
}
free(propertyDataVector);
}
if (pInfo != nullptr) {
free(pInfo);
}
return status;
}
wchar_t* GetCallStack(
_In_ PEVENT_RECORD EventRecord,
_In_ PEVENT_HEADER_EXTENDED_DATA_ITEM extendedData,
_In_ HANDLE hProcess
) {
const int MAX_SYM_NAME_LEN = 1024;
std::wstring wtext;
BOOL symInitialized = FALSE;
const char* szSymSearchPath = "srv*http://msdl.microsoft.com/download/symbols";
SymSetOptions(SYMOPT_UNDNAME | SYMOPT_DEFERRED_LOADS | SYMOPT_INCLUDE_32BIT_MODULES | SYMOPT_CASE_INSENSITIVE | SYMOPT_ALLOW_ZERO_ADDRESS | SYMOPT_ALLOW_ABSOLUTE_SYMBOLS);
symInitialized = SymInitialize(hProcess, szSymSearchPath, TRUE);
if (!symInitialized) {
printf("[!] SymInitialize failed: %lu\n", GetLastError());
return nullptr;
}
if (EventRecord->ExtendedDataCount == 0) {
SymCleanup(hProcess);
return nullptr;
}
for (USHORT i = 0; i < EventRecord->ExtendedDataCount; i++) {
if (extendedData[i].ExtType == EVENT_HEADER_EXT_TYPE_STACK_TRACE64) {
if (extendedData[i].DataSize < sizeof(ULONG64)) {
continue; // malformed item: no room for the MatchId header
}
auto stacktrace = reinterpret_cast<PEVENT_EXTENDED_ITEM_STACK_TRACE64>(extendedData[i].DataPtr);
// DataSize covers the leading MatchId field as well as the Address[] array,
// so subtract it before computing the frame count.
int stack_length = (int)((extendedData[i].DataSize - sizeof(ULONG64)) / sizeof(ULONG64));
for (int j = 0; j < stack_length; j++) {
DWORD64 dwDisplacement = 0;
DWORD64 dwAddress = stacktrace->Address[j];
// SYMBOL_INFOW is followed by a wide-character name buffer of MaxNameLen characters
char buffer[sizeof(SYMBOL_INFOW) + MAX_SYM_NAME_LEN * sizeof(WCHAR)];
PSYMBOL_INFOW pSymbol = (PSYMBOL_INFOW)buffer;
pSymbol->SizeOfStruct = sizeof(SYMBOL_INFOW);
pSymbol->MaxNameLen = MAX_SYM_NAME_LEN;
if (SymFromAddrW(hProcess, dwAddress, &dwDisplacement, pSymbol)) {
wtext += pSymbol->Name;
}
// Unresolved frames are left empty; every frame is followed by a separator
wtext += L" ";
}
}
}
SymCleanup(hProcess);
if (!wtext.empty()) {
wtext.pop_back(); // Remove trailing space
size_t wtext_len = wtext.length() + 1;
wchar_t* result = new wchar_t[wtext_len];
wcscpy_s(result, wtext_len, wtext.c_str());
return result;
}
return nullptr;
}
NTSTATUS WriteRpcEvents(
_In_ PEVENT_RECORD EventRecord,
_In_ PEVENT_HEADER EventHeader,
_In_ INT32 EventType
) {
PEVENT_HEADER_EXTENDED_DATA_ITEM extendedData = EventRecord->ExtendedData;
wchar_t szInterfaceUUID[64] = { 0 };
GUID interfaceUUID;
UINT32 procNum, protocol, authenticationLevel, authenticationService, impersonationLevel;
std::wstring networkAddress, endpoint, options, methodString, interfaceString;
HANDLE hProcess = GetCurrentProcess();
wchar_t* CallStack;
int result;
NTSTATUS status = ERROR_SUCCESS;
DWORD bufferSize = 0;
PTRACE_EVENT_INFO pInfo = NULL;
SYSTEMTIME systemTime;
BYTE** propertyDataVector = NULL;
PProcessInformation processInformation;
GetSystemTime(&systemTime);
//
// Fetch initial event information size
//
status = TdhGetEventInformation(EventRecord, 0, NULL, NULL, &bufferSize);
if (status == ERROR_INSUFFICIENT_BUFFER) {
pInfo = (PTRACE_EVENT_INFO)malloc(bufferSize);
if (!pInfo) {
OutputDebugString(L"Error allocating memory for event info\n");
status = ERROR_NOT_ENOUGH_MEMORY;
goto Exit;
}
status = TdhGetEventInformation(EventRecord, 0, NULL, pInfo, &bufferSize);
}
if (status != ERROR_SUCCESS) {
OutputDebugString(L"Error fetching event info\n");
goto Exit; // releases pInfo if the second TdhGetEventInformation call failed
}
//
// Allocate memory for property data vector
//
propertyDataVector = (BYTE**)malloc(sizeof(BYTE*) * pInfo->TopLevelPropertyCount);
if (!propertyDataVector) {
OutputDebugString(L"Error allocating memory for propertyDataVector\n");
status = ERROR_NOT_ENOUGH_MEMORY;
goto Exit;
}
status = ProcessEtwEvent(EventRecord, pInfo, propertyDataVector);
if (status != ERROR_SUCCESS) {
OutputDebugString(L"Error processing ETW event\n");
goto Exit;
}
// The RPC event consumed below has nine top-level properties; do not index past a shorter one
if (pInfo->TopLevelPropertyCount < 9) {
OutputDebugString(L"RPC ETW - unexpected property count\n");
goto Exit;
}
interfaceUUID = *(GUID*)propertyDataVector[0];
procNum = *(UINT32*)propertyDataVector[1];
protocol = *(UINT32*)propertyDataVector[2];
networkAddress = (WCHAR*)propertyDataVector[3];
endpoint = (WCHAR*)propertyDataVector[4];
options = (WCHAR*)propertyDataVector[5];
authenticationLevel = *(UINT32*)propertyDataVector[6];
authenticationService = *(UINT32*)propertyDataVector[7];
impersonationLevel = *(UINT32*)propertyDataVector[8];
//
// convert GUID to string
//
result = StringFromGUID2(interfaceUUID, szInterfaceUUID, 64);
if (result == 0) {
OutputDebugString(L"Error converting GUID to string\n");
goto Exit;
}
//MS-SCMR {367ABB81-9844-35F1-AD32-98F038001003}
if (wcscmp(szInterfaceUUID, L"{367ABB81-9844-35F1-AD32-98F038001003}") == 0) {
interfaceString = L"MS-SCMR";
switch (procNum)
{
case 12:
{
methodString = L"RCreateServiceW";
processInformation = GetProcessName(EventHeader->ProcessId);
if (processInformation == nullptr) {
OutputDebugString(L"RPC ETW - Error getting process name\n");
goto Exit;
}
CallStack = GetCallStack(EventRecord, extendedData, hProcess);
switch (EventType)
{
case 0:
{
EventWriteRPCClient(
&systemTime,
processInformation->processName.c_str(),
processInformation->processId,
processInformation->userName.c_str(),
processInformation->authenticationId.LowPart,
processInformation->integrityLevel.c_str(),
processInformation->sessionId,
szInterfaceUUID,
procNum,
protocol,
networkAddress.c_str(),
endpoint.c_str(),
interfaceString.c_str(),
methodString.c_str(),
CallStack
);
break;
}
case 1:
{
EventWriteRPCServer(
&systemTime,
processInformation->processName.c_str(),
processInformation->processId,
processInformation->userName.c_str(),
processInformation->authenticationId.LowPart,
processInformation->integrityLevel.c_str(),
processInformation->sessionId,
szInterfaceUUID,
procNum,
protocol,
networkAddress.c_str(),
endpoint.c_str(),
interfaceString.c_str(),
methodString.c_str(),
CallStack
);
break;
}
}
if (CallStack != nullptr)
{
delete[] CallStack;
}
goto Exit;
}
default:
{
goto Exit;
}
}
goto Exit;
}
//MS-DRSR {E3514235-4B06-11D1-AB04-00C04FC2DCD2}
if (wcscmp(szInterfaceUUID, L"{E3514235-4B06-11D1-AB04-00C04FC2DCD2}") == 0) {
interfaceString = L"MS-DRSR";
switch (procNum) {
case 3:
{
methodString = L"GetNCChanges";
processInformation = GetProcessName(EventHeader->ProcessId);
if (processInformation == nullptr) {
OutputDebugString(L"RPC ETW - Error getting process name\n");
goto Exit;
}
CallStack = GetCallStack(EventRecord, extendedData, hProcess);
switch (EventType)
{
case 0:
{
EventWriteRPCClient(
&systemTime,
processInformation->processName.c_str(),
processInformation->processId,
processInformation->userName.c_str(),
processInformation->authenticationId.LowPart,
processInformation->integrityLevel.c_str(),
processInformation->sessionId,
szInterfaceUUID,
procNum,
protocol,
networkAddress.c_str(),
endpoint.c_str(),
interfaceString.c_str(),
methodString.c_str(),
CallStack
);
break;
}
case 1:
{
EventWriteRPCServer(
&systemTime,
processInformation->processName.c_str(),
processInformation->processId,
processInformation->userName.c_str(),
processInformation->authenticationId.LowPart,
processInformation->integrityLevel.c_str(),
processInformation->sessionId,
szInterfaceUUID,
procNum,
protocol,
networkAddress.c_str(),
endpoint.c_str(),
interfaceString.c_str(),
methodString.c_str(),
CallStack
);
break;
}
}
if (CallStack != nullptr)
{
delete[] CallStack;
}
goto Exit;
}
default: {
goto Exit;
}
}
goto Exit;
}
//MS-RRP {338CD001-2244-31F1-AAAA-900038001003}
if (wcscmp(szInterfaceUUID, L"{338CD001-2244-31F1-AAAA-900038001003}") == 0) {
interfaceString = L"MS-RRP";
switch (procNum) {
case 6:
{
methodString = L"BaseRegCreateKey";
processInformation = GetProcessName(EventHeader->ProcessId);
if (processInformation == nullptr) {
OutputDebugString(L"RPC ETW - Error getting process name\n");
goto Exit;
}
CallStack = GetCallStack(EventRecord, extendedData, hProcess);
switch (EventType)
{
case 0:
{
EventWriteRPCClient(
&systemTime,
processInformation->processName.c_str(),
processInformation->processId,
processInformation->userName.c_str(),
processInformation->authenticationId.LowPart,
processInformation->integrityLevel.c_str(),
processInformation->sessionId,
szInterfaceUUID,
procNum,
protocol,
networkAddress.c_str(),
endpoint.c_str(),
interfaceString.c_str(),
methodString.c_str(),
CallStack
);
break;
}
case 1:
{
EventWriteRPCServer(
&systemTime,
processInformation->processName.c_str(),
processInformation->processId,
processInformation->userName.c_str(),
processInformation->authenticationId.LowPart,
processInformation->integrityLevel.c_str(),
processInformation->sessionId,
szInterfaceUUID,
procNum,
protocol,
networkAddress.c_str(),
endpoint.c_str(),
interfaceString.c_str(),
methodString.c_str(),
CallStack
);
break;
}
}
if (CallStack != nullptr)
{
delete[] CallStack;
}
goto Exit;
}
case 22:
{
methodString = L"BaseRegSetValue";
processInformation = GetProcessName(EventHeader->ProcessId);
if (processInformation == nullptr) {
OutputDebugString(L"RPC ETW - Error getting process name\n");
goto Exit;
}
CallStack = GetCallStack(EventRecord, extendedData, hProcess);
switch (EventType)
{
case 0:
{
EventWriteRPCClient(
&systemTime,
processInformation->processName.c_str(),
processInformation->processId,
processInformation->userName.c_str(),
processInformation->authenticationId.LowPart,
processInformation->integrityLevel.c_str(),
processInformation->sessionId,
szInterfaceUUID,
procNum,
protocol,
networkAddress.c_str(),
endpoint.c_str(),
interfaceString.c_str(),
methodString.c_str(),
CallStack
);
break;
}
case 1:
{
EventWriteRPCServer(
&systemTime,
processInformation->processName.c_str(),
processInformation->processId,
processInformation->userName.c_str(),
processInformation->authenticationId.LowPart,
processInformation->integrityLevel.c_str(),
processInformation->sessionId,
szInterfaceUUID,
procNum,
protocol,
networkAddress.c_str(),
endpoint.c_str(),
interfaceString.c_str(),
methodString.c_str(),
CallStack
);
break;
}
}
if (CallStack != nullptr)
{
delete[] CallStack;
}
goto Exit;
}
default:
{
goto Exit;
}
}
goto Exit;
}
//MS-SRVS {4B324FC8-1670-01D3-1278-5A47BF6EE188}
if (wcscmp(szInterfaceUUID, L"{4B324FC8-1670-01D3-1278-5A47BF6EE188}") == 0) {
interfaceString = L"MS-SRVS";
switch (procNum) {
case 12:
{
methodString = L"NetrSessionEnum";
processInformation = GetProcessName(EventHeader->ProcessId);
if (processInformation == nullptr) {
OutputDebugString(L"RPC ETW - Error getting process name\n");
goto Exit;
}
CallStack = GetCallStack(EventRecord, extendedData, hProcess);
switch (EventType)
{
case 0:
{
EventWriteRPCClient(
&systemTime,
processInformation->processName.c_str(),
processInformation->processId,
processInformation->userName.c_str(),
processInformation->authenticationId.LowPart,
processInformation->integrityLevel.c_str(),
processInformation->sessionId,
szInterfaceUUID,
procNum,
protocol,
networkAddress.c_str(),
endpoint.c_str(),
interfaceString.c_str(),
methodString.c_str(),
CallStack
);
break;
}
case 1:
{
EventWriteRPCServer(
&systemTime,
processInformation->processName.c_str(),
processInformation->processId,
processInformation->userName.c_str(),
processInformation->authenticationId.LowPart,
processInformation->integrityLevel.c_str(),
processInformation->sessionId,
szInterfaceUUID,
procNum,
protocol,
networkAddress.c_str(),
endpoint.c_str(),
interfaceString.c_str(),
methodString.c_str(),
CallStack
);
break;
}
}
if (CallStack != nullptr)
{
delete[] CallStack;
}
goto Exit;
}
default:
{
goto Exit;
}
}
goto Exit;
}
//MS-RPRN {12345678-1234-ABCD-EF00-0123456789AB}
if (wcscmp(szInterfaceUUID, L"{12345678-1234-ABCD-EF00-0123456789AB}") == 0) {
interfaceString = L"MS-RPRN";
switch (procNum) {
case 89:
{
methodString = L"RpcAddPrinterDriverEx";
processInformation = GetProcessName(EventHeader->ProcessId);
if (processInformation == nullptr) {
OutputDebugString(L"RPC ETW - Error getting process name\n");
goto Exit;
}
CallStack = GetCallStack(EventRecord, extendedData, hProcess);
switch (EventType)
{
case 0:
{
EventWriteRPCClient(
&systemTime,
processInformation->processName.c_str(),
processInformation->processId,
processInformation->userName.c_str(),
processInformation->authenticationId.LowPart,
processInformation->integrityLevel.c_str(),
processInformation->sessionId,
szInterfaceUUID,
procNum,
protocol,
networkAddress.c_str(),
endpoint.c_str(),
interfaceString.c_str(),
methodString.c_str(),
CallStack
);
break;
}
case 1:
{
EventWriteRPCServer(
&systemTime,
processInformation->processName.c_str(),
processInformation->processId,
processInformation->userName.c_str(),
processInformation->authenticationId.LowPart,
processInformation->integrityLevel.c_str(),
processInformation->sessionId,
szInterfaceUUID,
procNum,
protocol,
networkAddress.c_str(),
endpoint.c_str(),
interfaceString.c_str(),
methodString.c_str(),
CallStack
);
break;
}
}
if (CallStack != nullptr)
{
delete[] CallStack;
}
goto Exit;
}
default:
{
goto Exit;
}
}
goto Exit;
}
//MS-PAR 76F03F96-CDFD-44FC-A22C-64950A001209
if (wcscmp(szInterfaceUUID, L"{76F03F96-CDFD-44FC-A22C-64950A001209}") == 0) {
interfaceString = L"MS-PAR";
switch (procNum) {
case 39:
{
methodString = L"RpcAsyncAddPrinterDriver";
processInformation = GetProcessName(EventHeader->ProcessId);
if (processInformation == nullptr) {
OutputDebugString(L"RPC ETW - Error getting process name\n");
goto Exit;
}
CallStack = GetCallStack(EventRecord, extendedData, hProcess);
switch (EventType)
{
case 0:
{
EventWriteRPCClient(
&systemTime,
processInformation->processName.c_str(),
processInformation->processId,
processInformation->userName.c_str(),
processInformation->authenticationId.LowPart,
processInformation->integrityLevel.c_str(),
processInformation->sessionId,
szInterfaceUUID,
procNum,
protocol,
networkAddress.c_str(),
endpoint.c_str(),
interfaceString.c_str(),
methodString.c_str(),
CallStack
);
break;
}
case 1:
{
EventWriteRPCServer(
&systemTime,
processInformation->processName.c_str(),
processInformation->processId,
processInformation->userName.c_str(),
processInformation->authenticationId.LowPart,
processInformation->integrityLevel.c_str(),
processInformation->sessionId,
szInterfaceUUID,
procNum,
protocol,
networkAddress.c_str(),
endpoint.c_str(),
interfaceString.c_str(),
methodString.c_str(),
CallStack
);
break;
}
}
if (CallStack != nullptr)
{
delete[] CallStack;
}
goto Exit;
}
default:
{
goto Exit;
}
}
goto Exit;
}
// MS-EFSR {C681D488-D850-11D0-8C52-00C04FD90F7E} || {DF1941C5-FE89-4E79-BF10-463657ACF44D}
if ((wcscmp(szInterfaceUUID, L"{C681D488-D850-11D0-8C52-00C04FD90F7E}") == 0) || (wcscmp(szInterfaceUUID, L"{DF1941C5-FE89-4E79-BF10-463657ACF44D}") == 0)) {
interfaceString = L"MS-EFSR";
switch (procNum) {
case 0:
{
methodString = L"EfsRpcOpenFileRaw";
processInformation = GetProcessName(EventHeader->ProcessId);
if (processInformation == nullptr) {
OutputDebugString(L"RPC ETW - Error getting process name\n");
goto Exit;
}
CallStack = GetCallStack(EventRecord, extendedData, hProcess);
switch (EventType)
{
case 0:
{
EventWriteRPCClient(
&systemTime,
processInformation->processName.c_str(),
processInformation->processId,
processInformation->userName.c_str(),
processInformation->authenticationId.LowPart,
processInformation->integrityLevel.c_str(),
processInformation->sessionId,
szInterfaceUUID,
procNum,
protocol,
networkAddress.c_str(),
endpoint.c_str(),
interfaceString.c_str(),
methodString.c_str(),
CallStack
);
break;
}
case 1:
{
EventWriteRPCServer(
&systemTime,
processInformation->processName.c_str(),
processInformation->processId,
processInformation->userName.c_str(),
processInformation->authenticationId.LowPart,
processInformation->integrityLevel.c_str(),
processInformation->sessionId,
szInterfaceUUID,
procNum,
protocol,
networkAddress.c_str(),
endpoint.c_str(),
interfaceString.c_str(),
methodString.c_str(),
CallStack
);
break;
}
}
if (CallStack != nullptr)
{
delete[] CallStack;
}
goto Exit;
}
case 4:
{
methodString = L"EfsRpcEncryptFileSrv";
processInformation = GetProcessName(EventHeader->ProcessId);
if (processInformation == nullptr) {
OutputDebugString(L"RPC ETW - Error getting process name\n");
goto Exit;
}
CallStack = GetCallStack(EventRecord, extendedData, hProcess);
switch (EventType)
{
case 0:
{
EventWriteRPCClient(
&systemTime,
processInformation->processName.c_str(),
processInformation->processId,
processInformation->userName.c_str(),
processInformation->authenticationId.LowPart,
processInformation->integrityLevel.c_str(),
processInformation->sessionId,
szInterfaceUUID,
procNum,
protocol,
networkAddress.c_str(),
endpoint.c_str(),
interfaceString.c_str(),
methodString.c_str(),
CallStack
);
break;
}
case 1:
{
EventWriteRPCServer(
&systemTime,
processInformation->processName.c_str(),
processInformation->processId,
processInformation->userName.c_str(),
processInformation->authenticationId.LowPart,
processInformation->integrityLevel.c_str(),
processInformation->sessionId,
szInterfaceUUID,
procNum,
protocol,
networkAddress.c_str(),
endpoint.c_str(),
interfaceString.c_str(),
methodString.c_str(),
CallStack
);
break;
}
}
if (CallStack != nullptr)
{
delete[] CallStack;
}
goto Exit;
}
case 5:
{
methodString = L"EfsRpcDecryptFileSrv";
processInformation = GetProcessName(EventHeader->ProcessId);
if (processInformation == nullptr) {
OutputDebugString(L"RPC ETW - Error getting process name\n");
goto Exit;
}
CallStack = GetCallStack(EventRecord, extendedData, hProcess);
switch (EventType)
{
case 0:
{
EventWriteRPCClient(
&systemTime,
processInformation->processName.c_str(),
processInformation->processId,
processInformation->userName.c_str(),
processInformation->authenticationId.LowPart,
processInformation->integrityLevel.c_str(),
processInformation->sessionId,
szInterfaceUUID,
procNum,
protocol,
networkAddress.c_str(),
endpoint.c_str(),
interfaceString.c_str(),
methodString.c_str(),
CallStack
);
break;
}
case 1:
{
EventWriteRPCServer(
&systemTime,
processInformation->processName.c_str(),
processInformation->processId,
processInformation->userName.c_str(),
processInformation->authenticationId.LowPart,
processInformation->integrityLevel.c_str(),
processInformation->sessionId,
szInterfaceUUID,
procNum,
protocol,
networkAddress.c_str(),
endpoint.c_str(),
interfaceString.c_str(),
methodString.c_str(),
CallStack
);
break;
}
}
if (CallStack != nullptr)
{
delete[] CallStack;
}
goto Exit;
}
default:
{
goto Exit;
}
}
goto Exit;
}
Exit:
// Free each element in propertyDataVector and the vector itself
if (propertyDataVector != nullptr) {
for (int i = 0; i < pInfo->TopLevelPropertyCount; i++) {
if (propertyDataVector[i] != nullptr) {
free(propertyDataVector[i]);
}
}
free(propertyDataVector);
}
if (pInfo != nullptr) {
free(pInfo);
}
return status;
}
NTSTATUS WriteDpapiEvents(
_In_ PEVENT_RECORD EventRecord,
_In_ PEVENT_HEADER EventHeader
) {
UINT32 Flags, ProtectionFlags, ReturnValue, CallerProcessID, PlainTextDataSize;
std::wstring OperationType, DataDescription;
GUID MasterKeyGUID;
UINT64 CallerProcessStartKey, CallerProcessCreationTime;
NTSTATUS status = ERROR_SUCCESS;
DWORD bufferSize = 0;
PTRACE_EVENT_INFO pInfo = NULL;
SYSTEMTIME systemTime;
BYTE** propertyDataVector = NULL;
PProcessInformation processInformation;
GetSystemTime(&systemTime);
//
// Fetch initial event information size
//
status = TdhGetEventInformation(EventRecord, 0, NULL, NULL, &bufferSize);
if (status == ERROR_INSUFFICIENT_BUFFER) {
pInfo = (PTRACE_EVENT_INFO)malloc(bufferSize);
if (!pInfo) {
OutputDebugString(L"Error allocating memory for event info\n");
status = ERROR_NOT_ENOUGH_MEMORY;
goto Exit;
}
status = TdhGetEventInformation(EventRecord, 0, NULL, pInfo, &bufferSize);
}
if (status != ERROR_SUCCESS) {
OutputDebugString(L"Error fetching event info\n");
goto Exit; // releases pInfo if the second TdhGetEventInformation call failed
}
//
// Allocate memory for property data vector
//
propertyDataVector = (BYTE**)malloc(sizeof(BYTE*) * pInfo->TopLevelPropertyCount);
if (!propertyDataVector) {
OutputDebugString(L"Error allocating memory for propertyDataVector\n");
status = ERROR_NOT_ENOUGH_MEMORY;
goto Exit;
}
status = ProcessEtwEvent(EventRecord, pInfo, propertyDataVector);
if (status != ERROR_SUCCESS) {
OutputDebugString(L"Error processing ETW event\n");
goto Exit;
}
// The DPAPI event consumed below has ten top-level properties; do not index past a shorter one
if (pInfo->TopLevelPropertyCount < 10) {
OutputDebugString(L"DPAPI ETW - unexpected property count\n");
goto Exit;
}
OperationType = (WCHAR*)propertyDataVector[0];
DataDescription = (WCHAR*)propertyDataVector[1];
MasterKeyGUID = *(GUID*)propertyDataVector[2];
Flags = *(UINT32*)propertyDataVector[3];
ProtectionFlags = *(UINT32*)propertyDataVector[4];
ReturnValue = *(UINT32*)propertyDataVector[5];
CallerProcessStartKey = *(UINT64*)propertyDataVector[6];
CallerProcessID = *(UINT32*)propertyDataVector[7];
CallerProcessCreationTime = *(UINT64*)propertyDataVector[8];
PlainTextDataSize = *(UINT32*)propertyDataVector[9];
//
//Seeing if OperationType == SPCryptUnprotect
//
if (OperationType == L"SPCryptUnprotect")
{
processInformation = GetProcessName(CallerProcessID);
if (processInformation == nullptr) {
OutputDebugString(L"DPAPI ETW - Error getting process name\n");
goto Exit;
}
EventWriteDPAPIUnprotect(
&systemTime,
processInformation->processName.c_str(),
CallerProcessID,
processInformation->userName.c_str(),
processInformation->authenticationId.LowPart,
processInformation->integrityLevel.c_str(),
processInformation->sessionId,
OperationType.c_str(),
DataDescription.c_str(),
Flags,
ProtectionFlags
);
}
Exit:
// Free each element in propertyDataVector and the vector itself
if (propertyDataVector != nullptr) {
for (int i = 0; i < pInfo->TopLevelPropertyCount; i++) {
if (propertyDataVector[i] != nullptr) {
free(propertyDataVector[i]);
}
}
free(propertyDataVector);
}
if (pInfo != nullptr) {
free(pInfo);
}
return status;
}
================================================
FILE: JonMon-Service/etwMain.h
================================================
#pragma once
// Windows, ETW and TDH headers the declarations below depend on (header names assumed)
#include <windows.h>
#include <winternl.h>
#include <evntrace.h>
#include <tdh.h>
#include "../JonMonProvider/jonmon.h"
#include "config.h"
static GUID JonMonGuid = { 0xd8909c24, 0x5be9, 0x4502, { 0x98, 0xca, 0xab, 0x7b, 0xdc, 0x24, 0x89, 0x9d } };
static GUID JonMonDebugGuid = { 0xc5d8e634, 0x9614, 0x45ac, { 0x93, 0x0c, 0xda, 0x88, 0xcd, 0x77, 0xbb, 0x39 } };
struct ProcessData {
ULONG ProcessId;
ULONG ValueOption;
};
NTSTATUS ProcessEtwEvent(
_In_ PEVENT_RECORD EventRecord,
_In_ PTRACE_EVENT_INFO PropertyInfo,
_In_ BYTE** EventData
);
void NTAPI ProcessEvent(
_In_ PEVENT_RECORD EventRecord
);
DWORD StopETWTrace();
DWORD TraceEvent(
_In_ LPCWSTR Name,
_In_ GUID TraceGuid,
_In_ EventSchema_Full* EventSchemaStruct
);
NTSTATUS WriteJonMonTraceLoggingEvents(
_In_ PEVENT_RECORD EventRecord,
_In_ PEVENT_HEADER EventHeader
);
NTSTATUS WriteDotNetEvents(
_In_ PEVENT_RECORD EventRecord,
_In_ PEVENT_HEADER EventHeader
);
BOOL WriteAMSIEvents(
_In_ PEVENT_RECORD EventRecord,
_In_ PEVENT_HEADER EventHeader
);
NTSTATUS WriteWMIEvents(
_In_ PEVENT_RECORD EventRecord,
_In_ PEVENT_HEADER EventHeader
);
BOOL WriteNetworkEvents(
_In_ PEVENT_RECORD EventRecord,
_In_ PEVENT_HEADER EventHeader
);
NTSTATUS WriteThreatIntelEvents(
_In_ PEVENT_RECORD EventRecord,
_In_ PEVENT_HEADER EventHeader
);
#pragma warning(disable: 4996)
wchar_t* GetCallStack(
_In_ PEVENT_RECORD EventRecord,
_In_ PEVENT_HEADER_EXTENDED_DATA_ITEM extendedData,
_In_ HANDLE hProcess
);
NTSTATUS WriteRpcEvents(
_In_ PEVENT_RECORD EventRecord,
_In_ PEVENT_HEADER EventHeader,
_In_ INT32 EventType
);
NTSTATUS WriteDpapiEvents(
_In_ PEVENT_RECORD EventRecord,
_In_ PEVENT_HEADER EventHeader
);
//
// Event ID 100
//
typedef struct _TraceLoggingProviderRegistered {
INT32 EventId;
BOOL IsRegistered;
} TraceLoggingProviderRegistered, * PTraceLoggingProviderRegistered;
//
// Event ID 101
//
typedef struct _EventSchemaConfiguration {
INT32 EventId;
BOOL ProcessCreation;
BOOL ProcessTermination;
BOOL RegistryEvents;
BOOL ProcessHandleCreation;
BOOL ProcessHandleDuplication;
BOOL RemoteThreadCreation;
BOOL ImageLoad;
BOOL ThreadImpersonationEvents_KM;
BOOL FileEvents;
} EventSchemaConfiguration, * PEventSchemaConfiguration;
//
// Event ID 102
//
typedef struct _DebugLog {
INT32 EventId;
BOOL ProcessProtection;
} DebugLog, * PDebugLog;
//
//Event ID 1 - Process Creation
//
typedef struct _ProcessCreationEvent {
INT32 EventId;
INT64 ProcessId;
UINT64 ProcessStartKey;
INT64 ParentProcessId;
UINT64 ParentProcessStartKey;
INT64 CreatorProcessId;
INT64 CreatorThreadId;
WCHAR* CommandLine;
FILETIME EventTime;
} ProcessCreationEvent, * PProcessCreationEvent;
//
// Event ID 2 - Process Termination
//
typedef struct _ProcessTerminationEvent {
INT32 EventId;
INT64 ProcessId;
UINT64 ProcessStartKey;
INT64 ParentProcessId;
UINT64 ParentProcessStartKey;
FILETIME EventTime;
} ProcessTerminationEvent, * PProcessTerminationEvent;
//
// Event ID 3 - Remote Thread Creation
//
typedef struct _RemoteThreadCreationEvent {
INT32 EventId;
INT64 SourceThreadId;
INT64 SourceProcessId;
UINT64 SourceProcessStartKey;
INT64 NewThreadId;
INT64 TargetProcessId;
UINT64 TargetProcessStartKey;
FILETIME EventTime;
} RemoteThreadCreationEvent, * PRemoteThreadCreationEvent;
//
// Event ID 4 - Load Image
//
typedef struct _LoadImageEvent {
INT32 EventId;
INT64 ProcessId;
UINT64 ProcessStartKey;
INT64 ThreadId;
ULONG SystemModeImage;
WCHAR* ImageName;
FILETIME EventTime;
} LoadImageEvent, * PLoadImageEvent;
//
// Event ID 5 - ProcessHandle (OpenProcess/DuplicateHandle)
//
typedef struct _ProcessHandleEvent {
INT32 EventId;
INT64 SourceThreadId;
INT64 SourceProcessId;
UINT64 SourceProcessStartKey;
INT64 TargetProcessId;
UINT64 TargetProcessStartKey;
INT32 OperationType;
INT32 DesiredAccess;
FILETIME EventTime;
} ProcessHandleEvent, * PProcessHandleEvent;
//
// Event ID 6 - RegistrySaveKey
//
typedef struct _RegistrySaveKeyEvent {
INT32 EventId;
INT64 SourceThreadId;
INT64 SourceProcessId;
UINT64 SourceProcessStartKey;
WCHAR* KeyPath;
FILETIME EventTime;
} RegistrySaveKeyEvent, * PRegistrySaveKeyEvent;
//
// Event ID 7 - RegistryDeleteKey
//
typedef struct _RegistryDeleteKeyEvent {
INT32 EventId;
INT64 SourceThreadId;
INT64 SourceProcessId;
UINT64 SourceProcessStartKey;
WCHAR* KeyPath;
FILETIME EventTime;
} RegistryDeleteKeyEvent, * PRegistryDeleteKeyEvent;
//
// Event ID 8 - RegistrySetValue
//
typedef struct _RegistrySetValueKeyEvent {
INT32 EventId;
INT64 SourceThreadId;
INT64 SourceProcessId;
UINT64 SourceProcessStartKey;
WCHAR* KeyPath;
WCHAR* ValueName;
WCHAR* Data;
ULONG Type;
ULONG DataSize;
FILETIME EventTime;
} RegistrySetValueKeyEvent, * PRegistrySetValueKeyEvent;
//
// Event ID 9 - RegistryCreateKey
//
typedef struct _RegistryCreateKeyEvent {
INT32 EventId;
INT64 SourceThreadId;
INT64 SourceProcessId;
UINT64 SourceProcessStartKey;
WCHAR* KeyPath;
INT32 DesiredAccess;
FILETIME EventTime;
} RegistryCreateKeyEvent, * PRegistryCreateKeyEvent;
//
// Event ID 10 - File Creation
//
typedef struct _FileCreationEvent {
INT32 EventId;
INT64 SourceThreadId;
INT64 SourceProcessId;
UINT64 SourceProcessStartKey;
WCHAR* FileName;
FILETIME EventTime;
} FileCreationEvent, * PFileCreationEvent;
//
// Event ID 11 - NamedPipeCreation
//
typedef struct _NamedPipeCreateEvent {
INT32 EventId;
INT64 SourceThreadId;
INT64 SourceProcessId;
UINT64 SourceProcessStartKey;
WCHAR* FileName;
ULONG RequestedRights;
ULONG GrantedRights;
FILETIME EventTime;
} NamedPipeCreateEvent, * PNamedPipeCreateEvent;
//
// Event ID 12 - NamedPipeConnection
//
typedef struct _NamedPipeConnectionEvent {
INT32 EventId;
INT64 SourceThreadId;
INT64 SourceProcessId;
UINT64 SourceProcessStartKey;
WCHAR* FileName;
ULONG RequestedRights;
FILETIME EventTime;
} NamedPipeConnectionEvent, * PNamedPipeConnectionEvent;
//
// Event ID 13 - MailslotCreation
//
typedef struct _MailslotCreateEvent {
INT32 EventId;
INT64 SourceThreadId;
INT64 SourceProcessId;
UINT64 SourceProcessStartKey;
WCHAR* FileName;
ULONG RequestedRights;
FILETIME EventTime;
} MailslotCreateEvent, * PMailslotCreateEvent;
//
// Event ID 14 - MailslotConnection
//
typedef struct _MailslotConnectionEvent {
INT32 EventId;
INT64 SourceThreadId;
INT64 SourceProcessId;
UINT64 SourceProcessStartKey;
WCHAR* FileName;
ULONG RequestedRights;
FILETIME EventTime;
} MailslotConnectionEvent, * PMailslotConnectionEvent;
//
// Event ID 15 - RemoteFileConnection (Named Pipes/Mailslots)
//
typedef struct _RemoteFileConnectionEvent {
INT32 EventId;
INT64 SourceThreadId;
INT64 SourceProcessId;
UINT64 SourceProcessStartKey;
WCHAR* FileName;
FILETIME EventTime;
} RemoteFileConnectionEvent, * PRemoteFileConnectionEvent;
//
// Event ID 16 - ThreadImpersonation
//
typedef struct _ThreadImpersonationEvent {
INT32 EventId;
UINT32 ThreadId;
UINT32 ProcessId;
UINT32 threadIntegrityLevel;
SYSTEMTIME EventTime;
WCHAR* ImpersonatedUser;
} ThreadImpersonationEvent, * PThreadImpersonationEvent;
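The Event ID 5 schema above (ProcessHandleEvent) carries the raw DesiredAccess mask of the process handle that was opened or duplicated. The following is an added example, not code from the JonMon project, showing how a consumer of these events can decode that mask into the PROCESS_* rights it names and sort cross-process requests into triage tiers. The access-right values are the documented winnt.h constants; HandleEventLite (a trimmed copy of the page's struct), the tier enum and the tiering heuristic are this example's own, and the fixed-width typedefs stand in for the Windows SDK so the block builds on any platform.

```c
/* Added example, not JonMon project code: decode the DesiredAccess mask of a
 * JonMon Event ID 5 (ProcessHandleEvent) and rank the request for triage. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: stand-ins for the SDK typedefs so this builds without Windows.h */
typedef int32_t INT32;
typedef int64_t INT64;

/* Process access rights, values as documented for winnt.h */
#define PROCESS_TERMINATE                 0x0001u
#define PROCESS_CREATE_THREAD             0x0002u
#define PROCESS_VM_OPERATION              0x0008u
#define PROCESS_VM_READ                   0x0010u
#define PROCESS_VM_WRITE                  0x0020u
#define PROCESS_DUP_HANDLE                0x0040u
#define PROCESS_CREATE_PROCESS            0x0080u
#define PROCESS_SET_QUOTA                 0x0100u
#define PROCESS_SET_INFORMATION           0x0200u
#define PROCESS_QUERY_INFORMATION         0x0400u
#define PROCESS_SUSPEND_RESUME            0x0800u
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000u
#define SYNCHRONIZE                       0x00100000u
#define PROCESS_ALL_ACCESS                0x001FFFFFu

/* Hypothetical trimmed copy of the page's ProcessHandleEvent: only the fields triage needs */
typedef struct {
    INT32 EventId;
    INT64 SourceProcessId;
    INT64 TargetProcessId;
    INT32 DesiredAccess;
} HandleEventLite;

typedef enum {
    ACCESS_TIER_QUERY   = 0, /* query or synchronize only */
    ACCESS_TIER_READ    = 1, /* can read target memory or duplicate its handles */
    ACCESS_TIER_ALTER   = 2, /* can change target memory, threads or lifetime */
    ACCESS_TIER_EXECUTE = 3  /* can write target memory and start a thread in it */
} AccessTier;

static const struct { uint32_t bit; const char *name; } kRights[] = {
    { PROCESS_TERMINATE, "TERMINATE" },         { PROCESS_CREATE_THREAD, "CREATE_THREAD" },
    { PROCESS_VM_OPERATION, "VM_OPERATION" },   { PROCESS_VM_READ, "VM_READ" },
    { PROCESS_VM_WRITE, "VM_WRITE" },           { PROCESS_DUP_HANDLE, "DUP_HANDLE" },
    { PROCESS_CREATE_PROCESS, "CREATE_PROCESS" }, { PROCESS_SET_QUOTA, "SET_QUOTA" },
    { PROCESS_SET_INFORMATION, "SET_INFORMATION" }, { PROCESS_QUERY_INFORMATION, "QUERY_INFORMATION" },
    { PROCESS_SUSPEND_RESUME, "SUSPEND_RESUME" },
    { PROCESS_QUERY_LIMITED_INFORMATION, "QUERY_LIMITED_INFORMATION" },
    { SYNCHRONIZE, "SYNCHRONIZE" },
};

/* Writes the named rights as "A|B|C" (unnamed bits appended as hex) into out
 * and returns how many named rights the mask contains. */
int DescribeAccess(uint32_t mask, char *out, size_t cap)
{
    size_t used = 0, i;
    int named = 0;
    uint32_t leftover = mask;
    if (cap == 0) return 0;
    out[0] = '\0';
    for (i = 0; i < sizeof kRights / sizeof kRights[0]; i++) {
        if (!(mask & kRights[i].bit)) continue;
        int n = snprintf(out + used, cap - used, "%s%s", named ? "|" : "", kRights[i].name);
        if (n < 0 || (size_t)n >= cap - used) return named; /* buffer full, stop here */
        used += (size_t)n;
        named++;
        leftover &= ~kRights[i].bit;
    }
    if (leftover)
        snprintf(out + used, cap - used, "%s0x%X", named ? "|" : "", (unsigned)leftover);
    return named;
}

/* Heuristic tiering by what the requested rights let the holder do to the target */
AccessTier ClassifyAccess(uint32_t mask)
{
    const uint32_t alter = PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD |
                           PROCESS_SUSPEND_RESUME | PROCESS_TERMINATE | PROCESS_SET_INFORMATION;
    const uint32_t read = PROCESS_VM_READ | PROCESS_DUP_HANDLE;
    if ((mask & PROCESS_VM_WRITE) && (mask & PROCESS_CREATE_THREAD)) return ACCESS_TIER_EXECUTE;
    if (mask & alter) return ACCESS_TIER_ALTER;
    if (mask & read) return ACCESS_TIER_READ;
    return ACCESS_TIER_QUERY;
}

/* A process opening a handle to itself is routine and is rated QUERY whatever it
 * asked for; cross-process requests are rated by their rights. */
AccessTier TriageHandleEvent(const HandleEventLite *ev)
{
    if (ev->SourceProcessId == ev->TargetProcessId) return ACCESS_TIER_QUERY;
    return ClassifyAccess((uint32_t)ev->DesiredAccess);
}
```

A consumer would call TriageHandleEvent on each Event ID 5 record and DescribeAccess when rendering it; a constructed record such as `{ 5, 1200, 6500, 0x043A }` (VM_WRITE, VM_OPERATION, VM_READ, CREATE_THREAD and QUERY_INFORMATION) lands in the EXECUTE tier, while a self-handle with PROCESS_ALL_ACCESS stays at QUERY. The tiers are a starting point for review, not a verdict: legitimate debuggers, backup agents and security products request the same rights.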
================================================
FILE: JonMon-Service/global.h
================================================
#pragma once
#include
//
//ETW GUIDS
//
static GUID RPC_Provider = { 0x6ad52b32, 0xd609, 0x4be9, { 0xae, 0x07, 0xce, 0x8d, 0xae, 0x93, 0x7e, 0x39 } };
static GUID Network_Provider = { 0x7DD42A49,0x5329,0x4832,{0x8D, 0xFD, 0x43, 0xD9, 0x79, 0x15, 0x3A, 0x88} };
static GUID DotNet_Provider = { 0xe13c0d23, 0xccbc, 0x4e12, { 0x93, 0x1b, 0xd9, 0xcc, 0x2e, 0xee, 0x27, 0xe4 } };
static GUID AMSI_Provider = { 0x2a576b87, 0x09a7, 0x520e, { 0xc2, 0x1a, 0x49, 0x42, 0xf0, 0x27, 0x1d, 0x67 } };
static GUID WMIActivty_Provider = { 0x1418ef04, 0xb0b4, 0x4623, { 0xbf, 0x7e, 0xd7, 0x4a, 0xb4, 0x7b, 0xbd, 0xaa } };
static GUID ThreatIntel_Provider = { 0xf4e1897c, 0xbb5d, 0x5668, { 0xf1, 0xd8, 0x04, 0x0f, 0x4d, 0x8d, 0xd3, 0x44 } };
static GUID DPAPI_Provider = { 0x89fe8f40, 0xcdce, 0x464e, { 0x82, 0x17, 0x15, 0xef, 0x97, 0xd4, 0xc7, 0xc3 } };
static GUID JonMonTraceLogging = { 0xdd82bf6f, 0x5295, 0x4541, { 0x96, 0x8d, 0x8c, 0xac, 0x58, 0xe5, 0x72, 0xe4 } };
//
// EVENT DESCRIPTORS
//
const EVENT_DESCRIPTOR AMSIEvents = { 0x10, 0x0, 0x10, 0x4, 0x0, 0x0, 0x8000000000000000 };
const EVENT_DESCRIPTOR DPAPIEvent = { 0x1c, 0x0, 0x10, 0x4, 0x0, 0x0, 0x8000000000000000 };
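global.h keeps the provider GUIDs as struct initialisers and the two event descriptors as raw field lists, which is not the form an analyst sees in logman, wevtutil or an ETW session configuration. The following is an added example, not JonMon project code: it formats a GUID initialiser as the canonical string, names the fields of the AMSI and DPAPI descriptors, and computes the session enable parameters (Level, MatchAnyKeyword, MatchAllKeyword) needed for those events to be emitted, using the same level/keyword rule that the MC-generated McGenLevelKeywordEnabled in jonmon.h applies on the provider side. The GUID and descriptor values are copied from the page; GuidLite, EventDescriptorLite, SessionEnable, MinimalSessionFor and CountEnabled are this example's own names, and the Lite structs mirror the SDK layouts so the block builds without the Windows headers.

```c
/* Added example, not JonMon project code: render global.h's GUID and
 * EVENT_DESCRIPTOR initialisers and derive the session enable that admits them. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: field-for-field mirrors of the SDK's GUID and EVENT_DESCRIPTOR */
typedef struct { uint32_t Data1; uint16_t Data2; uint16_t Data3; uint8_t Data4[8]; } GuidLite;
typedef struct {
    uint16_t Id; uint8_t Version; uint8_t Channel; uint8_t Level;
    uint8_t Opcode; uint16_t Task; uint64_t Keyword;
} EventDescriptorLite;

/* Values taken from global.h on this page (not constructed) */
static const GuidLite kRpcProvider =
    { 0x6ad52b32, 0xd609, 0x4be9, { 0xae, 0x07, 0xce, 0x8d, 0xae, 0x93, 0x7e, 0x39 } };
static const EventDescriptorLite kPageDescriptors[] = {
    { 0x10, 0x0, 0x10, 0x4, 0x0, 0x0, 0x8000000000000000ull }, /* AMSIEvents */
    { 0x1c, 0x0, 0x10, 0x4, 0x0, 0x0, 0x8000000000000000ull }, /* DPAPIEvent */
};
#define kPageDescriptorCount (sizeof kPageDescriptors / sizeof kPageDescriptors[0])

/* Formats a GUID the way logman/wevtutil print it (lowercase, no braces).
 * out must hold at least 37 bytes. */
void GuidToString(const GuidLite *g, char *out, size_t cap)
{
    snprintf(out, cap, "%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
             (unsigned)g->Data1, (unsigned)g->Data2, (unsigned)g->Data3,
             g->Data4[0], g->Data4[1], g->Data4[2], g->Data4[3],
             g->Data4[4], g->Data4[5], g->Data4[6], g->Data4[7]);
}

/* ETW trace levels: 0 = always, 1 critical ... 5 verbose */
const char *LevelName(uint8_t level)
{
    static const char *names[] = { "LogAlways", "Critical", "Error", "Warning", "Informational", "Verbose" };
    return level < sizeof names / sizeof names[0] ? names[level] : "Unknown";
}

/* Session enable parameters as passed to EnableTraceEx2 and handed to the
 * provider's enable callback (Level, MatchAnyKeyword, MatchAllKeyword) */
typedef struct { uint8_t Level; uint64_t MatchAny; uint64_t MatchAll; } SessionEnable;

/* Provider-side rule, equivalent to McGenLevelKeywordEnabled in jonmon.h:
 * level must be admitted (session level 0 admits all), and an event with a
 * non-zero keyword needs any MatchAny bit and every MatchAll bit. */
int EventEnabled(const SessionEnable *s, const EventDescriptorLite *d)
{
    if (d->Level > s->Level && s->Level != 0) return 0;
    if (d->Keyword == 0) return 1;
    return (d->Keyword & s->MatchAny) != 0 && (d->Keyword & s->MatchAll) == s->MatchAll;
}

/* Smallest enable that admits every descriptor: highest level, union of
 * keywords, MatchAll left at 0 so no single keyword is demanded of all events. */
SessionEnable MinimalSessionFor(const EventDescriptorLite *descs, size_t n)
{
    SessionEnable s = { 0, 0, 0 };
    size_t i;
    for (i = 0; i < n; i++) {
        if (descs[i].Level > s.Level) s.Level = descs[i].Level;
        s.MatchAny |= descs[i].Keyword;
    }
    return s;
}

size_t CountEnabled(const SessionEnable *s, const EventDescriptorLite *descs, size_t n)
{
    size_t i, count = 0;
    for (i = 0; i < n; i++) count += EventEnabled(s, &descs[i]) ? 1 : 0;
    return count;
}

int main(void)
{
    char guid[40];
    SessionEnable s = MinimalSessionFor(kPageDescriptors, kPageDescriptorCount);
    SessionEnable tooLow = { 3, s.MatchAny, 0 }; /* Warning: drops Informational events */
    GuidToString(&kRpcProvider, guid, sizeof guid);
    printf("RPC_Provider = %s\n", guid);
    printf("AMSIEvents: id=%u level=%s keyword=0x%016llx\n", (unsigned)kPageDescriptors[0].Id,
           LevelName(kPageDescriptors[0].Level), (unsigned long long)kPageDescriptors[0].Keyword);
    printf("session level=%u any=0x%016llx -> %zu of %zu enabled\n", (unsigned)s.Level,
           (unsigned long long)s.MatchAny, CountEnabled(&s, kPageDescriptors, kPageDescriptorCount),
           (size_t)kPageDescriptorCount);
    printf("session level=3 -> %zu enabled\n", CountEnabled(&tooLow, kPageDescriptors, kPageDescriptorCount));
    return 0;
}
```

The practical point for whoever configures the consumer side: both page descriptors are Level 4 (Informational) with keyword 0x8000000000000000, so a session that enables the provider at Warning, or with a MatchAnyKeyword that does not include that bit, silently receives nothing, and the enable callback in jonmon.h will clear the corresponding enable bits for the same reason.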
================================================
FILE: JonMon-Service/service.cpp
================================================
#include
#include
#include <string.h> // wcscmp, used when matching service names in StartCustomService
#include "service.h"
#include "config.h"
#include "etwMain.h"
SERVICE_STATUS_HANDLE g_hServiceStatus = NULL;
SERVICE_STATUS g_ServiceStatus = { 0 };
//
// JonMon TraceLogging Provider Information
//
TRACELOGGING_DECLARE_PROVIDER(g_hJonMon);
TRACELOGGING_DEFINE_PROVIDER(g_hJonMon, "JonMon",
(0xdd82bf6f, 0x5295, 0x4541, 0x96, 0x8d, 0x8c, 0xac, 0x58, 0xe5, 0x72, 0xe4));
VOID WINAPI ServiceCtrlHandler(
_In_ DWORD dwCtrl
)
{
switch (dwCtrl)
{
case SERVICE_CONTROL_STOP:
// Update the service status
g_ServiceStatus.dwControlsAccepted = 0;
g_ServiceStatus.dwCurrentState = SERVICE_STOP_PENDING;
g_ServiceStatus.dwWin32ExitCode = 0;
g_ServiceStatus.dwCheckPoint = 0;
g_ServiceStatus.dwWaitHint = 0;
SetServiceStatus(g_hServiceStatus, &g_ServiceStatus);
// Perform service-specific cleanup here
// Update the service status
g_ServiceStatus.dwCurrentState = SERVICE_STOPPED;
g_ServiceStatus.dwWin32ExitCode = 0;
g_ServiceStatus.dwCheckPoint = 0;
g_ServiceStatus.dwWaitHint = 0;
SetServiceStatus(g_hServiceStatus, &g_ServiceStatus);
EventUnregisterJonMon();
break;
case SERVICE_CONTROL_PAUSE:
// Update the service status
g_ServiceStatus.dwCurrentState = SERVICE_PAUSE_PENDING;
g_ServiceStatus.dwWin32ExitCode = 0;
g_ServiceStatus.dwCheckPoint = 0;
g_ServiceStatus.dwWaitHint = 0;
SetServiceStatus(g_hServiceStatus, &g_ServiceStatus);
// Perform service-specific pause here
// Update the service status
g_ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP;
g_ServiceStatus.dwCurrentState = SERVICE_PAUSED;
g_ServiceStatus.dwWin32ExitCode = 0;
g_ServiceStatus.dwCheckPoint = 0;
g_ServiceStatus.dwWaitHint = 0;
SetServiceStatus(g_hServiceStatus, &g_ServiceStatus);
break;
case SERVICE_CONTROL_CONTINUE:
// Update the service status
g_ServiceStatus.dwCurrentState = SERVICE_CONTINUE_PENDING;
g_ServiceStatus.dwWin32ExitCode = 0;
g_ServiceStatus.dwCheckPoint = 0;
g_ServiceStatus.dwWaitHint = 0;
SetServiceStatus(g_hServiceStatus, &g_ServiceStatus);
// Perform service-specific continue here
// Update the service status
g_ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP;
g_ServiceStatus.dwCurrentState = SERVICE_RUNNING;
g_ServiceStatus.dwWin32ExitCode = 0;
g_ServiceStatus.dwCheckPoint = 0;
g_ServiceStatus.dwWaitHint = 0;
SetServiceStatus(g_hServiceStatus, &g_ServiceStatus);
break;
case SERVICE_CONTROL_SHUTDOWN:
// Perform service-specific shutdown here
g_ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_SHUTDOWN;
g_ServiceStatus.dwCurrentState = SERVICE_STOP_PENDING;
g_ServiceStatus.dwWin32ExitCode = 0;
g_ServiceStatus.dwCheckPoint = 0;
g_ServiceStatus.dwWaitHint = 0;
SetServiceStatus(g_hServiceStatus, &g_ServiceStatus);
break;
default:
// Update the service status
g_ServiceStatus.dwWin32ExitCode = ERROR_CALL_NOT_IMPLEMENTED;
g_ServiceStatus.dwCheckPoint = 0;
g_ServiceStatus.dwWaitHint = 0;
SetServiceStatus(g_hServiceStatus, &g_ServiceStatus);
break;
}
}
VOID WINAPI ServiceMain(
_In_ DWORD argc,
_In_ LPTSTR* argv
) {
DWORD protectionLevel = 0;
// ServiceCtrlHandler has the LPHANDLER_FUNCTION signature (a single DWORD), so
// register it with the non-Ex API rather than casting it to LPHANDLER_FUNCTION_EX
g_hServiceStatus = RegisterServiceCtrlHandlerA("JonMon", ServiceCtrlHandler);
if (g_hServiceStatus == NULL) {
return;
}
g_ServiceStatus.dwCurrentState = SERVICE_RUNNING;
g_ServiceStatus.dwCheckPoint = 0;
g_ServiceStatus.dwWaitHint = 0;
g_ServiceStatus.dwServiceType = SERVICE_WIN32_OWN_PROCESS;
g_ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN;
g_ServiceStatus.dwWin32ExitCode = 0;
g_ServiceStatus.dwServiceSpecificExitCode = 0;
if (!SetServiceStatus(g_hServiceStatus, &g_ServiceStatus)) {
return;
}
//
// Register JonMon Providers
//
EventRegisterJonMon();
TraceLoggingRegister(g_hJonMon);
EventSchema_Full eventSchema = { 0 };
// The configuration path arrives as the first start argument (see StartCustomService)
if (argc < 2 || argv[1] == NULL) {
printf("No configuration file path was supplied\n");
return;
}
int result = ConfigFile(argv[1], &eventSchema);
if (result != 0) {
printf("Failed to read configuration file\n");
return;
}
if (eventSchema.TokenImpersonation_Events)
{
LoadExtensions();
}
protectionLevel = ProtectionCheck();
if (protectionLevel != 31) {
ChangePPL();
}
std::thread protectionCheck(ProtectionCheck);
protectionCheck.detach();
TraceEvent(L"JonMon", JonMonGuid, &eventSchema);
}
DWORD ProtectionCheck()
{
DWORD protectionLevel = 0;
do {
// Poll every five seconds. Sleeping inside the loop keeps the detached
// watchdog thread from spinning at full CPU while the protection level is intact.
Sleep(5000);
PROCESS_PROTECTION_LEVEL_INFORMATION protectionInfo = { 0 };
if (GetProcessInformation(GetCurrentProcess(), ProcessProtectionLevelInfo, &protectionInfo, sizeof(protectionInfo))) {
if (protectionInfo.ProtectionLevel != 5) {
protectionLevel = 1;
TraceLoggingWrite(
g_hJonMon,
"102",
TraceLoggingInt32(102, "EventID"),
TraceLoggingBool(TRUE, "JonMon Protection Level Changed")
);
}
}
else {
printf("Failed to retrieve PPL. Error code: %lu\n", GetLastError());
TraceLoggingWrite(
g_hJonMon,
"102",
TraceLoggingInt32(102, "EventID"),
TraceLoggingBool(FALSE, "JonMon Protection Level Changed")
);
return 1;
}
} while (protectionLevel == 0);
return 0;
}
VOID ChangePPL() {
HANDLE hDevice = CreateFile(L"\\\\.\\JonMon", GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
if (hDevice == INVALID_HANDLE_VALUE) {
printf("Error %u\n", GetLastError());
return;
}
DWORD bytes = 0;
// lpBytesReturned is mandatory for a synchronous (lpOverlapped == NULL) call
if (DeviceIoControl(hDevice, IOCTL_CHANGE_PROTECTION_LEVEL_PROCESS, NULL, 0, NULL, 0, &bytes, NULL)) {
OutputDebugStringW(L"Protection Level Changed\n");
}
else {
printf("Error: %u\n", GetLastError());
}
CloseHandle(hDevice);
}
VOID LoadExtensions()
{
//
// Loading JonMon-Ext1.dll to capture token impersonation events
//
typedef VOID(__stdcall* TokenImpersonationCheck)();
HMODULE hModule = LoadLibrary(L"JonMon-Ext1.dll");
if (hModule == NULL) {
OutputDebugString(L"Failed to load JonMon-Ext1.dll");
return;
}
//
// Execute the TokenImpersonationCheck function
//
TokenImpersonationCheck TokenImpersonationCheckFunc = (TokenImpersonationCheck)GetProcAddress(hModule, "TokenImpersonationCheck");
if (TokenImpersonationCheckFunc == NULL)
{
OutputDebugString(L"Failed to get TokenImpersonationCheck function address");
return;
}
//
// Call the TokenImpersonationCheck function and give it a thread
//
std::thread tokenImpersonationCheckThread(TokenImpersonationCheckFunc);
tokenImpersonationCheckThread.detach();
}
DWORD CreateCustomService(
_In_ LPCWSTR ServiceName,
_In_ LPCWSTR ImagePath,
_In_ DWORD dwServiceType
) {
SC_HANDLE hSCManager = nullptr;
SC_HANDLE hService = nullptr;
DWORD dwError = 0;
printf("[*] Creating Service %ws....\n", ServiceName);
hSCManager = OpenSCManager(nullptr, nullptr, SC_MANAGER_CONNECT | SC_MANAGER_CREATE_SERVICE);
if (hSCManager == nullptr) {
printf("[-] Service creation failed on OpenSCManager\n");
dwError = GetLastError();
goto Exit;
}
// dwDesiredAccess here is a service access right, not an SCM right
hService = CreateService(hSCManager, ServiceName, ServiceName, SERVICE_ALL_ACCESS, dwServiceType, SERVICE_DEMAND_START, SERVICE_ERROR_IGNORE, ImagePath, nullptr, nullptr, nullptr, nullptr, nullptr);
if (hService == nullptr) {
printf("[-] Service creation failed on CreateService\n");
dwError = GetLastError();
goto Exit;
}
printf("[*] Service %ws created successfully\n", ServiceName);
Exit:
if(hSCManager != nullptr)
{
CloseServiceHandle(hSCManager);
}
if(hService != nullptr)
{
CloseServiceHandle(hService);
}
return dwError;
}
DWORD StartCustomService(
_In_ LPCWSTR ServiceName
) {
SC_HANDLE hSCManager = nullptr;
SC_HANDLE hService = nullptr;
DWORD dwError = 0;
printf("[*] Starting Service %ws....\n", ServiceName);
// SC_MANAGER_CONNECT is the SCM right needed to open a service; SERVICE_START applies to the service handle below
hSCManager = OpenSCManager(nullptr, nullptr, SC_MANAGER_CONNECT);
if (hSCManager == nullptr) {
printf("[-] Start service failed on OpenSCManager\n");
dwError = GetLastError();
goto Exit;
}
hService = OpenService(hSCManager, ServiceName, SERVICE_START);
if (hService == nullptr) {
printf("[-] Start service failed on OpenService\n");
dwError = GetLastError();
goto Exit;
}
// Compare string contents; == on LPCWSTR compares pointers and only works by accident
if (wcscmp(ServiceName, L"JonMon") == 0)
{
LPCWSTR serviceArgs[] = { L"C:\\Windows\\JonMonConfig.json"};
if (!StartService(hService, 1, serviceArgs)) {
printf("[-] Start service failed on %ws\n", ServiceName);
dwError = GetLastError();
goto Exit;
}
printf("[*] Service %ws started successfully\n", ServiceName);
}
else if (wcscmp(ServiceName, L"JonMonDrv") == 0)
{
if (!StartService(hService, 0, nullptr)) {
printf("[-] Start service failed on %ws\n", ServiceName);
dwError = GetLastError();
goto Exit;
}
printf("[*] Service %ws started successfully\n", ServiceName);
}
Exit:
if (hSCManager != nullptr)
{
CloseServiceHandle(hSCManager);
}
if (hService != nullptr)
{
CloseServiceHandle(hService);
}
return dwError;
}
DWORD StopCustomService(
_In_ LPCWSTR ServiceName
) {
printf("[*] Stopping Service %ws....\n", ServiceName);
SC_HANDLE hSCManager = nullptr;
// SC_MANAGER_CONNECT is the SCM right needed here; SERVICE_STOP applies to the service handle below
hSCManager = OpenSCManager(nullptr, nullptr, SC_MANAGER_CONNECT);
if (hSCManager == nullptr) {
printf("[-] OpenSCManager Failed");
return GetLastError();
}
SC_HANDLE hService = OpenService(hSCManager, ServiceName, SERVICE_STOP);
if (hService == nullptr) {
printf("[-] OpenService Failed\n");
CloseServiceHandle(hSCManager);
return GetLastError();
}
SERVICE_STATUS status;
if (!ControlService(hService, SERVICE_CONTROL_STOP, &status)) {
printf("[-] ControlService Failed\n");
CloseServiceHandle(hSCManager);
CloseServiceHandle(hService);
return GetLastError();
}
CloseServiceHandle(hSCManager);
CloseServiceHandle(hService);
if (g_hJonMon != NULL)
{
TraceLoggingUnregister(g_hJonMon);
}
printf("[*] Service %ws stopped successfully\n", ServiceName);
return 0;
}
DWORD DeleteCustomService(
_In_ LPCWSTR ServiceName
) {
printf("[*] Deleting Service %ws....\n", ServiceName);
SC_HANDLE hSCManager = nullptr;
hSCManager = OpenSCManager(nullptr, nullptr, SC_MANAGER_CONNECT | SC_MANAGER_CREATE_SERVICE);
if (hSCManager == nullptr) {
printf("[-] OpenSCManager Failed\n");
return GetLastError();
}
SC_HANDLE hService = OpenService(hSCManager, ServiceName, DELETE);
if (hService == nullptr) {
printf("[-] OpenService Failed\n");
CloseServiceHandle(hSCManager);
return GetLastError();
}
if (!DeleteService(hService)) {
printf("[-] DeleteService Failed\n");
CloseServiceHandle(hSCManager);
CloseServiceHandle(hService);
return GetLastError();
}
CloseServiceHandle(hSCManager);
CloseServiceHandle(hService);
printf("[*] Service %ws deleted successfully\n", ServiceName);
return 0;
}
DWORD UninstallManifest() {
printf("[*] Uninstalling Manifest....\n");
STARTUPINFOW si;
PROCESS_INFORMATION pi;
ZeroMemory(&si, sizeof(si));
si.cb = sizeof(si);
ZeroMemory(&pi, sizeof(pi));
wchar_t cmdLine[] = L"C:\\Windows\\System32\\wevtutil.exe um JonMon.man";
if (!CreateProcessW(NULL, cmdLine, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi)) {
printf("CreateProcess Failed");
return GetLastError();
}
WaitForSingleObject(pi.hProcess, INFINITE);
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
printf("[*] Manifest Uninstalled....\n");
return 0;
}
DWORD InstallManifest() {
printf("[*] Installing Manifest....\n");
DWORD dwRet = UninstallManifest();
STARTUPINFOW si;
PROCESS_INFORMATION pi;
ZeroMemory(&si, sizeof(si));
si.cb = sizeof(si);
ZeroMemory(&pi, sizeof(pi));
wchar_t cmdLine[] = L"C:\\Windows\\System32\\wevtutil.exe im JonMon.man";
if (!CreateProcessW(NULL, cmdLine, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi)) {
printf("[-] CreateProcess Failed");
return GetLastError();
}
WaitForSingleObject(pi.hProcess, INFINITE);
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
printf("[*] Manifest Installed....\n");
return 0;
}
================================================
FILE: JonMon-Service/service.h
================================================
#pragma once
#include
#define JonMon_DEVICE 0x8010
#define IOCTL_CHANGE_PROTECTION_LEVEL_PROCESS CTL_CODE(JonMon_DEVICE, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_EVENT_CONFIGURATION CTL_CODE(JonMon_DEVICE, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS)
VOID WINAPI ServiceCtrlHandler(
_In_ DWORD dwCtrl
);
VOID WINAPI ServiceMain(
_In_ DWORD argc,
_In_ LPTSTR* argv
);
DWORD CreateCustomService(
_In_ LPCWSTR ServiceName,
_In_ LPCWSTR ImagePath,
_In_ DWORD dwServiceType
);
DWORD StartCustomService(
_In_ LPCWSTR ServiceName
);
DWORD StopCustomService(
_In_ LPCWSTR ServiceName
);
DWORD DeleteCustomService(
_In_ LPCWSTR ServiceName
);
DWORD UninstallManifest();
DWORD InstallManifest();
VOID ChangePPL();
DWORD ProtectionCheck();
VOID LoadExtensions();
================================================
FILE: JonMonConfig.json
================================================
{
"ConfigVersion": "1.0",
"JonMonVersion": "2.0",
"ProcessCreation_Events": false,
"File_Events": false,
"ProcessHandleCreation_Events": false,
"ProcessHandleDuplication_Events": false,
"Registry_Events": false,
"RemoteThreadCreation_Events": false,
"ImageLoad_Events": false,
"ProcessTermination_Events": false,
"RPC_Events": false,
"Network_Events": false,
"DotNetLoad_Events": false,
"AMSI_Events": false,
"SchedTask_Events": false,
"WMIEventSubscription_Events": false,
"CryptUnprotect_Events": false,
"ThreatIntelligence_Events":
{
"RemoteReadProcessMemory": false,
"RemoteWriteProcessMemory": false,
"RemoteVirtualAllocation": false,
"RemoteQueueUserAPC": false
},
"TokenImpersonation_Events": false
}
================================================
FILE: JonMonProvider/jonmon.h
================================================
//**********************************************************************
//* This is an include file generated by Message Compiler. *
//* *
//* Copyright (c) Microsoft Corporation. All Rights Reserved. *
//**********************************************************************
#pragma once
//*****************************************************************************
//
// Notes on the ETW event code generated by MC:
//
// - Structures and arrays of structures are treated as an opaque binary blob.
// The caller is responsible for packing the data for the structure into a
// single region of memory, with no padding between values. The macro will
// have an extra parameter for the length of the blob.
// - Arrays of nul-terminated strings must be packed by the caller into a
// single binary blob containing the correct number of strings, with a nul
// after each string. The size of the blob is specified in characters, and
// includes the final nul.
// - Arrays of SID are treated as a single binary blob. The caller is
// responsible for packing the SID values into a single region of memory with
// no padding.
// - The length attribute on the data element in the manifest is significant
// for values with intype win:UnicodeString, win:AnsiString, or win:Binary.
// The length attribute must be specified for win:Binary, and is optional for
// win:UnicodeString and win:AnsiString (if no length is given, the strings
// are assumed to be nul-terminated). For win:UnicodeString, the length is
// measured in characters, not bytes.
// - For an array of win:UnicodeString, win:AnsiString, or win:Binary, the
// length attribute applies to every value in the array, so every value in
// the array must have the same length. The values in the array are provided
// to the macro via a single pointer -- the caller is responsible for packing
// all of the values into a single region of memory with no padding between
// values.
// - Values of type win:CountedUnicodeString, win:CountedAnsiString, and
// win:CountedBinary can be generated and collected on Vista or later.
// However, they may not decode properly without the Windows 10 2018 Fall
// Update.
// - Arrays of type win:CountedUnicodeString, win:CountedAnsiString, and
// win:CountedBinary must be packed by the caller into a single region of
// memory. The format for each item is a UINT16 byte-count followed by that
// many bytes of data. When providing the array to the generated macro, you
// must provide the total size of the packed array data, including the UINT16
// sizes for each item. In the case of win:CountedUnicodeString, the data
// size is specified in WCHAR (16-bit) units. In the case of
// win:CountedAnsiString and win:CountedBinary, the data size is specified in
// bytes.
//
//*****************************************************************************
#include
#include
#include
#ifndef ETW_INLINE
#ifdef _ETW_KM_
// In kernel mode, save stack space by never inlining templates.
#define ETW_INLINE DECLSPEC_NOINLINE __inline
#else
// In user mode, save code size by inlining templates as appropriate.
#define ETW_INLINE __inline
#endif
#endif // ETW_INLINE
#if defined(__cplusplus)
extern "C" {
#endif
//
// MCGEN_DISABLE_PROVIDER_CODE_GENERATION macro:
// Define this macro to have the compiler skip the generated functions in this
// header.
//
#ifndef MCGEN_DISABLE_PROVIDER_CODE_GENERATION
//
// MCGEN_USE_KERNEL_MODE_APIS macro:
// Controls whether the generated code uses kernel-mode or user-mode APIs.
// - Set to 0 to use Windows user-mode APIs such as EventRegister.
// - Set to 1 to use Windows kernel-mode APIs such as EtwRegister.
// Default is based on whether the _ETW_KM_ macro is defined (i.e. by wdm.h).
// Note that the APIs can also be overridden directly, e.g. by setting the
// MCGEN_EVENTWRITETRANSFER or MCGEN_EVENTREGISTER macros.
//
#ifndef MCGEN_USE_KERNEL_MODE_APIS
#ifdef _ETW_KM_
#define MCGEN_USE_KERNEL_MODE_APIS 1
#else
#define MCGEN_USE_KERNEL_MODE_APIS 0
#endif
#endif // MCGEN_USE_KERNEL_MODE_APIS
//
// MCGEN_HAVE_EVENTSETINFORMATION macro:
// Controls how McGenEventSetInformation uses the EventSetInformation API.
// - Set to 0 to disable the use of EventSetInformation
// (McGenEventSetInformation will always return an error).
// - Set to 1 to directly invoke MCGEN_EVENTSETINFORMATION.
// - Set to 2 to to locate EventSetInformation at runtime via GetProcAddress
// (user-mode) or MmGetSystemRoutineAddress (kernel-mode).
// Default is determined as follows:
// - If MCGEN_EVENTSETINFORMATION has been customized, set to 1
// (i.e. use MCGEN_EVENTSETINFORMATION).
// - Else if the target OS version has EventSetInformation, set to 1
// (i.e. use MCGEN_EVENTSETINFORMATION).
// - Else set to 2 (i.e. try to dynamically locate EventSetInformation).
// Note that an McGenEventSetInformation function will only be generated if one
// or more provider in a manifest has provider traits.
//
#ifndef MCGEN_HAVE_EVENTSETINFORMATION
#ifdef MCGEN_EVENTSETINFORMATION // if MCGEN_EVENTSETINFORMATION has been customized,
#define MCGEN_HAVE_EVENTSETINFORMATION 1 // directly invoke MCGEN_EVENTSETINFORMATION(...).
#elif MCGEN_USE_KERNEL_MODE_APIS // else if using kernel-mode APIs,
#if NTDDI_VERSION >= 0x06040000 // if target OS is Windows 10 or later,
#define MCGEN_HAVE_EVENTSETINFORMATION 1 // directly invoke MCGEN_EVENTSETINFORMATION(...).
#else // else
#define MCGEN_HAVE_EVENTSETINFORMATION 2 // find "EtwSetInformation" via MmGetSystemRoutineAddress.
#endif // else (using user-mode APIs)
#else // if target OS and SDK is Windows 8 or later,
#if WINVER >= 0x0602 && defined(EVENT_FILTER_TYPE_SCHEMATIZED)
#define MCGEN_HAVE_EVENTSETINFORMATION 1 // directly invoke MCGEN_EVENTSETINFORMATION(...).
#else // else
#define MCGEN_HAVE_EVENTSETINFORMATION 2 // find "EventSetInformation" via GetModuleHandleExW/GetProcAddress.
#endif
#endif
#endif // MCGEN_HAVE_EVENTSETINFORMATION
//
// MCGEN Override Macros
//
// The following override macros may be defined before including this header
// to control the APIs used by this header:
//
// - MCGEN_EVENTREGISTER
// - MCGEN_EVENTUNREGISTER
// - MCGEN_EVENTSETINFORMATION
// - MCGEN_EVENTWRITETRANSFER
//
// If the the macro is undefined, the MC implementation will default to the
// corresponding ETW APIs. For example, if the MCGEN_EVENTREGISTER macro is
// undefined, the EventRegister[MyProviderName] macro will use EventRegister
// in user mode and will use EtwRegister in kernel mode.
//
// To prevent issues from conflicting definitions of these macros, the value
// of the override macro will be used as a suffix in certain internal function
// names. Because of this, the override macros must follow certain rules:
//
// - The macro must be defined before any MC-generated header is included and
// must not be undefined or redefined after any MC-generated header is
// included. Different translation units (i.e. different .c or .cpp files)
// may set the macros to different values, but within a translation unit
// (within a single .c or .cpp file), the macro must be set once and not
// changed.
// - The override must be an object-like macro, not a function-like macro
// (i.e. the override macro must not have a parameter list).
// - The override macro's value must be a simple identifier, i.e. must be
// something that starts with a letter or '_' and contains only letters,
// numbers, and '_' characters.
// - If the override macro's value is the name of a second object-like macro,
// the second object-like macro must follow the same rules. (The override
// macro's value can also be the name of a function-like macro, in which
// case the function-like macro does not need to follow the same rules.)
//
// For example, the following will cause compile errors:
//
// #define MCGEN_EVENTWRITETRANSFER MyNamespace::MyClass::MyFunction // Value has non-identifier characters (colon).
// #define MCGEN_EVENTWRITETRANSFER GetEventWriteFunctionPointer(7) // Value has non-identifier characters (parentheses).
// #define MCGEN_EVENTWRITETRANSFER(h,e,a,r,c,d) EventWrite(h,e,c,d) // Override is defined as a function-like macro.
// #define MY_OBJECT_LIKE_MACRO MyNamespace::MyClass::MyEventWriteFunction
// #define MCGEN_EVENTWRITETRANSFER MY_OBJECT_LIKE_MACRO // Evaluates to something with non-identifier characters (colon).
//
// The following would be ok:
//
// #define MCGEN_EVENTWRITETRANSFER MyEventWriteFunction1 // OK, suffix will be "MyEventWriteFunction1".
// #define MY_OBJECT_LIKE_MACRO MyEventWriteFunction2
// #define MCGEN_EVENTWRITETRANSFER MY_OBJECT_LIKE_MACRO // OK, suffix will be "MyEventWriteFunction2".
// #define MY_FUNCTION_LIKE_MACRO(h,e,a,r,c,d) MyNamespace::MyClass::MyEventWriteFunction3(h,e,c,d)
// #define MCGEN_EVENTWRITETRANSFER MY_FUNCTION_LIKE_MACRO // OK, suffix will be "MY_FUNCTION_LIKE_MACRO".
//
#ifndef MCGEN_EVENTREGISTER
#if MCGEN_USE_KERNEL_MODE_APIS
#define MCGEN_EVENTREGISTER EtwRegister
#else
#define MCGEN_EVENTREGISTER EventRegister
#endif
#endif // MCGEN_EVENTREGISTER
#ifndef MCGEN_EVENTUNREGISTER
#if MCGEN_USE_KERNEL_MODE_APIS
#define MCGEN_EVENTUNREGISTER EtwUnregister
#else
#define MCGEN_EVENTUNREGISTER EventUnregister
#endif
#endif // MCGEN_EVENTUNREGISTER
#ifndef MCGEN_EVENTSETINFORMATION
#if MCGEN_USE_KERNEL_MODE_APIS
#define MCGEN_EVENTSETINFORMATION EtwSetInformation
#else
#define MCGEN_EVENTSETINFORMATION EventSetInformation
#endif
#endif // MCGEN_EVENTSETINFORMATION
#ifndef MCGEN_EVENTWRITETRANSFER
#if MCGEN_USE_KERNEL_MODE_APIS
#define MCGEN_EVENTWRITETRANSFER EtwWriteTransfer
#else
#define MCGEN_EVENTWRITETRANSFER EventWriteTransfer
#endif
#endif // MCGEN_EVENTWRITETRANSFER
//
// MCGEN_EVENT_ENABLED macro:
// Override to control how the EventWrite[EventName] macros determine whether
// an event is enabled. The default behavior is for EventWrite[EventName] to
// use the EventEnabled[EventName] macros.
//
#ifndef MCGEN_EVENT_ENABLED
#define MCGEN_EVENT_ENABLED(EventName) EventEnabled##EventName()
#endif
//
// MCGEN_EVENT_ENABLED_FORCONTEXT macro:
// Override to control how the EventWrite[EventName]_ForContext macros
// determine whether an event is enabled. The default behavior is for
// EventWrite[EventName]_ForContext to use the
// EventEnabled[EventName]_ForContext macros.
//
#ifndef MCGEN_EVENT_ENABLED_FORCONTEXT
#define MCGEN_EVENT_ENABLED_FORCONTEXT(pContext, EventName) EventEnabled##EventName##_ForContext(pContext)
#endif
//
// MCGEN_ENABLE_CHECK macro:
// Determines whether the specified event would be considered as enabled
// based on the state of the specified context. Slightly faster than calling
// McGenEventEnabled directly.
//
#ifndef MCGEN_ENABLE_CHECK
#define MCGEN_ENABLE_CHECK(Context, Descriptor) (Context.IsEnabled && McGenEventEnabled(&Context, &Descriptor))
#endif
#if !defined(MCGEN_TRACE_CONTEXT_DEF)
#define MCGEN_TRACE_CONTEXT_DEF
// This structure is for use by MC-generated code and should not be used directly.
typedef struct _MCGEN_TRACE_CONTEXT
{
TRACEHANDLE RegistrationHandle;
TRACEHANDLE Logger; // Used as pointer to provider traits.
ULONGLONG MatchAnyKeyword;
ULONGLONG MatchAllKeyword;
ULONG Flags;
ULONG IsEnabled;
UCHAR Level;
UCHAR Reserve;
USHORT EnableBitsCount;
PULONG EnableBitMask;
const ULONGLONG* EnableKeyWords;
const UCHAR* EnableLevel;
} MCGEN_TRACE_CONTEXT, *PMCGEN_TRACE_CONTEXT;
#endif // MCGEN_TRACE_CONTEXT_DEF
#if !defined(MCGEN_LEVEL_KEYWORD_ENABLED_DEF)
#define MCGEN_LEVEL_KEYWORD_ENABLED_DEF
//
// Determines whether an event with a given Level and Keyword would be
// considered as enabled based on the state of the specified context.
// Note that you may want to use MCGEN_ENABLE_CHECK instead of calling this
// function directly.
//
FORCEINLINE
BOOLEAN
McGenLevelKeywordEnabled(
_In_ PMCGEN_TRACE_CONTEXT EnableInfo,
_In_ UCHAR Level,
_In_ ULONGLONG Keyword
)
{
//
// Check if the event Level is lower than the level at which
// the channel is enabled.
// If the event Level is 0 or the channel is enabled at level 0,
// all levels are enabled.
//
if ((Level <= EnableInfo->Level) || // This also covers the case of Level == 0.
(EnableInfo->Level == 0)) {
//
// Check if Keyword is enabled
//
if ((Keyword == (ULONGLONG)0) ||
((Keyword & EnableInfo->MatchAnyKeyword) &&
((Keyword & EnableInfo->MatchAllKeyword) == EnableInfo->MatchAllKeyword))) {
return TRUE;
}
}
return FALSE;
}
#endif // MCGEN_LEVEL_KEYWORD_ENABLED_DEF
#if !defined(MCGEN_EVENT_ENABLED_DEF)
#define MCGEN_EVENT_ENABLED_DEF
//
// Determines whether the specified event would be considered as enabled based
// on the state of the specified context. Note that you may want to use
// MCGEN_ENABLE_CHECK instead of calling this function directly.
//
FORCEINLINE
BOOLEAN
McGenEventEnabled(
_In_ PMCGEN_TRACE_CONTEXT EnableInfo,
_In_ PCEVENT_DESCRIPTOR EventDescriptor
)
{
return McGenLevelKeywordEnabled(EnableInfo, EventDescriptor->Level, EventDescriptor->Keyword);
}
#endif // MCGEN_EVENT_ENABLED_DEF
#if !defined(MCGEN_CONTROL_CALLBACK)
#define MCGEN_CONTROL_CALLBACK
// This function is for use by MC-generated code and should not be used directly.
DECLSPEC_NOINLINE __inline
VOID
__stdcall
McGenControlCallbackV2(
_In_ LPCGUID SourceId,
_In_ ULONG ControlCode,
_In_ UCHAR Level,
_In_ ULONGLONG MatchAnyKeyword,
_In_ ULONGLONG MatchAllKeyword,
_In_opt_ PEVENT_FILTER_DESCRIPTOR FilterData,
_Inout_opt_ PVOID CallbackContext
)
/*++
Routine Description:
This is the notification callback for Windows Vista and later.
Arguments:
SourceId - The GUID that identifies the session that enabled the provider.
ControlCode - The parameter indicates whether the provider
is being enabled or disabled.
Level - The level at which the event is enabled.
MatchAnyKeyword - The bitmask of keywords that the provider uses to
determine the category of events that it writes.
MatchAllKeyword - This bitmask additionally restricts the category
of events that the provider writes.
FilterData - The provider-defined data.
CallbackContext - The context of the callback that is defined when the provider
called EtwRegister to register itself.
Remarks:
ETW calls this function to notify the provider that a session has enabled or disabled it.
--*/
{
PMCGEN_TRACE_CONTEXT Ctx = (PMCGEN_TRACE_CONTEXT)CallbackContext;
ULONG Ix;
#ifndef MCGEN_PRIVATE_ENABLE_CALLBACK_V2
UNREFERENCED_PARAMETER(SourceId);
UNREFERENCED_PARAMETER(FilterData);
#endif
if (Ctx == NULL) {
return;
}
switch (ControlCode) {
case EVENT_CONTROL_CODE_ENABLE_PROVIDER:
Ctx->Level = Level;
Ctx->MatchAnyKeyword = MatchAnyKeyword;
Ctx->MatchAllKeyword = MatchAllKeyword;
Ctx->IsEnabled = EVENT_CONTROL_CODE_ENABLE_PROVIDER;
for (Ix = 0; Ix < Ctx->EnableBitsCount; Ix += 1) {
if (McGenLevelKeywordEnabled(Ctx, Ctx->EnableLevel[Ix], Ctx->EnableKeyWords[Ix]) != FALSE) {
Ctx->EnableBitMask[Ix >> 5] |= (1 << (Ix % 32));
} else {
Ctx->EnableBitMask[Ix >> 5] &= ~(1 << (Ix % 32));
}
}
break;
case EVENT_CONTROL_CODE_DISABLE_PROVIDER:
Ctx->IsEnabled = EVENT_CONTROL_CODE_DISABLE_PROVIDER;
Ctx->Level = 0;
Ctx->MatchAnyKeyword = 0;
Ctx->MatchAllKeyword = 0;
if (Ctx->EnableBitsCount > 0) {
#pragma warning(suppress: 26451) // Arithmetic overflow cannot occur, no matter the value of EnableBitsCount
RtlZeroMemory(Ctx->EnableBitMask, (((Ctx->EnableBitsCount - 1) / 32) + 1) * sizeof(ULONG));
}
break;
default:
break;
}
#ifdef MCGEN_PRIVATE_ENABLE_CALLBACK_V2
//
// Call user defined callback
//
MCGEN_PRIVATE_ENABLE_CALLBACK_V2(
SourceId,
ControlCode,
Level,
MatchAnyKeyword,
MatchAllKeyword,
FilterData,
CallbackContext
);
#endif // MCGEN_PRIVATE_ENABLE_CALLBACK_V2
return;
}
#endif // MCGEN_CONTROL_CALLBACK
#ifndef _mcgen_PENABLECALLBACK
#if MCGEN_USE_KERNEL_MODE_APIS
#define _mcgen_PENABLECALLBACK PETWENABLECALLBACK
#else
#define _mcgen_PENABLECALLBACK PENABLECALLBACK
#endif
#endif // _mcgen_PENABLECALLBACK
#if !defined(_mcgen_PASTE2)
// This macro is for use by MC-generated code and should not be used directly.
#define _mcgen_PASTE2(a, b) _mcgen_PASTE2_imp(a, b)
#define _mcgen_PASTE2_imp(a, b) a##b
#endif // _mcgen_PASTE2
#if !defined(_mcgen_PASTE3)
// This macro is for use by MC-generated code and should not be used directly.
#define _mcgen_PASTE3(a, b, c) _mcgen_PASTE3_imp(a, b, c)
#define _mcgen_PASTE3_imp(a, b, c) a##b##_##c
#endif // _mcgen_PASTE3
//
// Macro validation
//
// Validate MCGEN_EVENTREGISTER:
// Trigger an error if MCGEN_EVENTREGISTER is not an unqualified (simple) identifier:
struct _mcgen_PASTE2(MCGEN_EVENTREGISTER_definition_must_be_an_unqualified_identifier_, MCGEN_EVENTREGISTER);
// Trigger an error if MCGEN_EVENTREGISTER is redefined:
typedef struct _mcgen_PASTE2(MCGEN_EVENTREGISTER_definition_must_be_an_unqualified_identifier_, MCGEN_EVENTREGISTER)
MCGEN_EVENTREGISTER_must_not_be_redefined_between_headers;
// Trigger an error if MCGEN_EVENTREGISTER is defined as a function-like macro:
typedef void MCGEN_EVENTREGISTER_must_not_be_a_functionLike_macro_MCGEN_EVENTREGISTER;
typedef int _mcgen_PASTE2(MCGEN_EVENTREGISTER_must_not_be_a_functionLike_macro_, MCGEN_EVENTREGISTER);
// Validate MCGEN_EVENTUNREGISTER:
// Trigger an error if MCGEN_EVENTUNREGISTER is not an unqualified (simple) identifier:
struct _mcgen_PASTE2(MCGEN_EVENTUNREGISTER_definition_must_be_an_unqualified_identifier_, MCGEN_EVENTUNREGISTER);
// Trigger an error if MCGEN_EVENTUNREGISTER is redefined:
typedef struct _mcgen_PASTE2(MCGEN_EVENTUNREGISTER_definition_must_be_an_unqualified_identifier_, MCGEN_EVENTUNREGISTER)
MCGEN_EVENTUNREGISTER_must_not_be_redefined_between_headers;
// Trigger an error if MCGEN_EVENTUNREGISTER is defined as a function-like macro:
typedef void MCGEN_EVENTUNREGISTER_must_not_be_a_functionLike_macro_MCGEN_EVENTUNREGISTER;
typedef int _mcgen_PASTE2(MCGEN_EVENTUNREGISTER_must_not_be_a_functionLike_macro_, MCGEN_EVENTUNREGISTER);
// Validate MCGEN_EVENTSETINFORMATION:
// Trigger an error if MCGEN_EVENTSETINFORMATION is not an unqualified (simple) identifier:
struct _mcgen_PASTE2(MCGEN_EVENTSETINFORMATION_definition_must_be_an_unqualified_identifier_, MCGEN_EVENTSETINFORMATION);
// Trigger an error if MCGEN_EVENTSETINFORMATION is redefined:
typedef struct _mcgen_PASTE2(MCGEN_EVENTSETINFORMATION_definition_must_be_an_unqualified_identifier_, MCGEN_EVENTSETINFORMATION)
MCGEN_EVENTSETINFORMATION_must_not_be_redefined_between_headers;
// Trigger an error if MCGEN_EVENTSETINFORMATION is defined as a function-like macro:
typedef void MCGEN_EVENTSETINFORMATION_must_not_be_a_functionLike_macro_MCGEN_EVENTSETINFORMATION;
typedef int _mcgen_PASTE2(MCGEN_EVENTSETINFORMATION_must_not_be_a_functionLike_macro_, MCGEN_EVENTSETINFORMATION);
// Validate MCGEN_EVENTWRITETRANSFER:
// Trigger an error if MCGEN_EVENTWRITETRANSFER is not an unqualified (simple) identifier:
struct _mcgen_PASTE2(MCGEN_EVENTWRITETRANSFER_definition_must_be_an_unqualified_identifier_, MCGEN_EVENTWRITETRANSFER);
// Trigger an error if MCGEN_EVENTWRITETRANSFER is redefined:
typedef struct _mcgen_PASTE2(MCGEN_EVENTWRITETRANSFER_definition_must_be_an_unqualified_identifier_, MCGEN_EVENTWRITETRANSFER)
MCGEN_EVENTWRITETRANSFER_must_not_be_redefined_between_headers;
// Trigger an error if MCGEN_EVENTWRITETRANSFER is defined as a function-like macro:
typedef void MCGEN_EVENTWRITETRANSFER_must_not_be_a_functionLike_macro_MCGEN_EVENTWRITETRANSFER;
typedef int _mcgen_PASTE2(MCGEN_EVENTWRITETRANSFER_must_not_be_a_functionLike_macro_, MCGEN_EVENTWRITETRANSFER);
#ifndef McGenEventWrite_def
#define McGenEventWrite_def
// This macro is for use by MC-generated code and should not be used directly.
#define McGenEventWrite _mcgen_PASTE2(McGenEventWrite_, MCGEN_EVENTWRITETRANSFER)
// This function is for use by MC-generated code and should not be used directly.
DECLSPEC_NOINLINE __inline
ULONG __stdcall
McGenEventWrite(
_In_ PMCGEN_TRACE_CONTEXT Context,
_In_ PCEVENT_DESCRIPTOR Descriptor,
_In_opt_ LPCGUID ActivityId,
_In_range_(1, 128) ULONG EventDataCount,
_Pre_cap_(EventDataCount) EVENT_DATA_DESCRIPTOR* EventData
)
{
const USHORT UNALIGNED* Traits;
// Some customized MCGEN_EVENTWRITETRANSFER macros might ignore ActivityId.
UNREFERENCED_PARAMETER(ActivityId);
Traits = (const USHORT UNALIGNED*)(UINT_PTR)Context->Logger;
if (Traits == NULL) {
EventData[0].Ptr = 0;
EventData[0].Size = 0;
EventData[0].Reserved = 0;
} else {
EventData[0].Ptr = (ULONG_PTR)Traits;
EventData[0].Size = *Traits;
EventData[0].Reserved = 2; // EVENT_DATA_DESCRIPTOR_TYPE_PROVIDER_METADATA
}
return MCGEN_EVENTWRITETRANSFER(
Context->RegistrationHandle,
Descriptor,
ActivityId,
NULL,
EventDataCount,
EventData);
}
#endif // McGenEventWrite_def
#if !defined(McGenEventRegisterUnregister)
#define McGenEventRegisterUnregister
// This macro is for use by MC-generated code and should not be used directly.
#define McGenEventRegister _mcgen_PASTE2(McGenEventRegister_, MCGEN_EVENTREGISTER)
#pragma warning(push)
#pragma warning(disable:6103)
// This function is for use by MC-generated code and should not be used directly.
DECLSPEC_NOINLINE __inline
ULONG __stdcall
McGenEventRegister(
_In_ LPCGUID ProviderId,
_In_opt_ _mcgen_PENABLECALLBACK EnableCallback,
_In_opt_ PVOID CallbackContext,
_Inout_ PREGHANDLE RegHandle
)
/*++
Routine Description:
This function registers the provider with ETW.
Arguments:
ProviderId - Provider ID to register with ETW.
EnableCallback - Callback to be used.
CallbackContext - Context for the callback.
RegHandle - Pointer to registration handle.
Remarks:
Should not be called if the provider is already registered (i.e. should not
be called if *RegHandle != 0). Repeatedly registering a provider is a bug
and may indicate a race condition. However, for compatibility with previous
behavior, this function will return SUCCESS in this case.
--*/
{
ULONG Error;
if (*RegHandle != 0)
{
Error = 0; // ERROR_SUCCESS
}
else
{
Error = MCGEN_EVENTREGISTER(ProviderId, EnableCallback, CallbackContext, RegHandle);
}
return Error;
}
#pragma warning(pop)
// This macro is for use by MC-generated code and should not be used directly.
#define McGenEventUnregister _mcgen_PASTE2(McGenEventUnregister_, MCGEN_EVENTUNREGISTER)
// This function is for use by MC-generated code and should not be used directly.
DECLSPEC_NOINLINE __inline
ULONG __stdcall
McGenEventUnregister(_Inout_ PREGHANDLE RegHandle)
/*++
Routine Description:
Unregister from ETW and set *RegHandle = 0.
Arguments:
RegHandle - the pointer to the provider registration handle
Remarks:
If provider has not been registered (i.e. if *RegHandle == 0),
return SUCCESS. It is safe to call McGenEventUnregister even if the
call to McGenEventRegister returned an error.
--*/
{
ULONG Error;
if(*RegHandle == 0)
{
Error = 0; // ERROR_SUCCESS
}
else
{
Error = MCGEN_EVENTUNREGISTER(*RegHandle);
*RegHandle = (REGHANDLE)0;
}
return Error;
}
#endif // McGenEventRegisterUnregister
#ifndef _mcgen_EVENT_BIT_SET
#if defined(_M_IX86) || defined(_M_X64)
// This macro is for use by MC-generated code and should not be used directly.
#define _mcgen_EVENT_BIT_SET(EnableBits, BitPosition) ((((const unsigned char*)EnableBits)[BitPosition >> 3] & (1u << (BitPosition & 7))) != 0)
#else // CPU type
// This macro is for use by MC-generated code and should not be used directly.
#define _mcgen_EVENT_BIT_SET(EnableBits, BitPosition) ((EnableBits[BitPosition >> 5] & (1u << (BitPosition & 31))) != 0)
#endif // CPU type
#endif // _mcgen_EVENT_BIT_SET
#endif // MCGEN_DISABLE_PROVIDER_CODE_GENERATION
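The level/keyword gate in McGenLevelKeywordEnabled, the enable-bit update in McGenControlCallbackV2 and the _mcgen_EVENT_BIT_SET read above are what decide whether any EventWrite* macro later in this header does anything at all. The block below is an added example, not code from jonmon.h or the JonMon project: it re-implements that logic in portable C under its own ex_-prefixed names and type definitions (assumptions standing in for the SDK's MCGEN_TRACE_CONTEXT and ULONG bit array), wires it to the values this header declares for JonMon (one enable bit, level 4, keyword 0x8000000000000000), and feeds it constructed session parameters to show which sessions actually turn the provider's events on.

```c
/* Added example, not code from jonmon.h or the JonMon project: a portable model
 * of the enablement logic above (McGenLevelKeywordEnabled, the enable-bit update
 * in McGenControlCallbackV2, _mcgen_EVENT_BIT_SET) in plain C types, so it builds
 * without the Windows SDK. Provider-side values (one enable bit, level 4, keyword
 * 0x8000000000000000) are what this header declares for JonMon; every session
 * value passed in below is constructed for the example. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define EX_ENABLE_BITS 1   /* JonMonEnableBits[1]: all 27 JonMon events share bit 0 */
typedef struct {
    uint8_t  level;                  /* session Level */
    uint64_t match_any;              /* session MatchAnyKeyword */
    uint64_t match_all;              /* session MatchAllKeyword */
    uint32_t enable_bits_count;
    uint32_t enable_bit_mask[(EX_ENABLE_BITS + 31) / 32];
    const uint64_t *enable_keywords; /* per-bit keyword, JonMonKeywords */
    const uint8_t  *enable_levels;   /* per-bit level, JonMonLevels */
} ex_trace_context;

static const uint64_t ex_jonmon_keywords[EX_ENABLE_BITS] = { 0x8000000000000000ULL };
static const uint8_t  ex_jonmon_levels[EX_ENABLE_BITS]   = { 4 };

/* Same rule as McGenLevelKeywordEnabled: level gate, then keyword gate. Level 0
 * on either side means every level; keyword 0 on the event always passes, else
 * MatchAny must intersect the event keyword and MatchAll must be covered by it. */
static bool ex_level_keyword_enabled(const ex_trace_context *ctx,
                                     uint8_t level, uint64_t keyword)
{
    if (level <= ctx->level || ctx->level == 0) {
        if (keyword == 0 ||
            ((keyword & ctx->match_any) != 0 &&
             (keyword & ctx->match_all) == ctx->match_all))
            return true;
    }
    return false;
}

/* ENABLE_PROVIDER branch of McGenControlCallbackV2: cache, then recompute bits. */
static void ex_enable_provider(ex_trace_context *ctx, uint8_t level,
                               uint64_t match_any, uint64_t match_all)
{
    ctx->level = level;
    ctx->match_any = match_any;
    ctx->match_all = match_all;
    for (uint32_t ix = 0; ix < ctx->enable_bits_count; ix++) {
        if (ex_level_keyword_enabled(ctx, ctx->enable_levels[ix], ctx->enable_keywords[ix]))
            ctx->enable_bit_mask[ix >> 5] |= (1u << (ix % 32));
        else
            ctx->enable_bit_mask[ix >> 5] &= ~(1u << (ix % 32));
    }
}

/* DISABLE_PROVIDER branch: forget the session and clear every bit. */
static void ex_disable_provider(ex_trace_context *ctx)
{
    ctx->level = 0; ctx->match_any = 0; ctx->match_all = 0;
    memset(ctx->enable_bit_mask, 0, sizeof(ctx->enable_bit_mask));
}

/* Generic _mcgen_EVENT_BIT_SET; the x86/x64 byte-wise form agrees only on little-endian. */
static bool ex_event_bit_set(const uint32_t *bits, uint32_t pos)
{
    return (bits[pos >> 5] & (1u << (pos & 31))) != 0;
}

/* Context wired like JonMonProvider_Context, then one enable callback from a session. */
static ex_trace_context ex_make_session(uint8_t level, uint64_t any, uint64_t all)
{
    ex_trace_context ctx;
    memset(&ctx, 0, sizeof ctx);
    ctx.enable_bits_count = EX_ENABLE_BITS;
    ctx.enable_keywords = ex_jonmon_keywords;
    ctx.enable_levels = ex_jonmon_levels;
    ex_enable_provider(&ctx, level, any, all);
    return ctx;
}

/* What EventEnabledProcessCreation() reports after that callback. */
static bool ex_process_creation_enabled_after(uint8_t level, uint64_t any, uint64_t all)
{
    ex_trace_context ctx = ex_make_session(level, any, all);
    return ex_event_bit_set(ctx.enable_bit_mask, 0);
}

/* A level-4 event with Keyword 0 ignores the session keyword masks entirely. */
static bool ex_keyword_zero_event_enabled(uint8_t session_level, uint64_t any)
{
    ex_trace_context ctx = ex_make_session(session_level, any, 0);
    return ex_level_keyword_enabled(&ctx, 4, 0);
}

/* Disable must clear what enable set; the EventWrite macros then become no-ops. */
static bool ex_disable_clears_bit(void)
{
    ex_trace_context ctx = ex_make_session(4, 0x8000000000000000ULL, 0);
    bool before = ex_event_bit_set(ctx.enable_bit_mask, 0);
    ex_disable_provider(&ctx);
    return before && !ex_event_bit_set(ctx.enable_bit_mask, 0);
}
```

The practical consequence for anyone building a JonMon consumer follows directly from this logic: the session must enable the provider at level 4 (Informational) or higher, or at level 0, and its MatchAnyKeyword must include 0x8000000000000000 while MatchAllKeyword is either 0 or a subset of that keyword. Any other combination leaves bit 0 clear, so every EventWrite* macro in this header evaluates to 0 without ever reaching EventWriteTransfer, and the events silently never appear in the trace.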
//+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
// Provider "JonMon" event count 27
//+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
// Provider GUID = d8909c24-5be9-4502-98ca-ab7bdc24899d
EXTERN_C __declspec(selectany) const GUID JonMonProvider = {0xd8909c24, 0x5be9, 0x4502, {0x98, 0xca, 0xab, 0x7b, 0xdc, 0x24, 0x89, 0x9d}};
#ifndef JonMonProvider_Traits
#define JonMonProvider_Traits NULL
#endif // JonMonProvider_Traits
//
// Channel
//
#define JonMonProvider_CHANNEL_JonMon 0x10
#define JonMonProvider_CHANNEL_JonMon_KEYWORD 0x8000000000000000
//
// Event Descriptors
//
EXTERN_C __declspec(selectany) const EVENT_DESCRIPTOR ProcessCreation = {0x1, 0x0, 0x10, 0x4, 0x0, 0x0, 0x8000000000000000};
#define ProcessCreation_value 0x1
EXTERN_C __declspec(selectany) const EVENT_DESCRIPTOR ProcessTerminate = {0x2, 0x0, 0x10, 0x4, 0x0, 0x0, 0x8000000000000000};
#define ProcessTerminate_value 0x2
EXTERN_C __declspec(selectany) const EVENT_DESCRIPTOR RemoteThreadCreation = {0x3, 0x0, 0x10, 0x4, 0x0, 0x0, 0x8000000000000000};
#define RemoteThreadCreation_value 0x3
EXTERN_C __declspec(selectany) const EVENT_DESCRIPTOR ImageLoaded = {0x4, 0x0, 0x10, 0x4, 0x0, 0x0, 0x8000000000000000};
#define ImageLoaded_value 0x4
EXTERN_C __declspec(selectany) const EVENT_DESCRIPTOR ProcessAccess = {0x5, 0x0, 0x10, 0x4, 0x0, 0x0, 0x8000000000000000};
#define ProcessAccess_value 0x5
EXTERN_C __declspec(selectany) const EVENT_DESCRIPTOR RegistrySaveKey = {0x6, 0x0, 0x10, 0x4, 0x0, 0x0, 0x8000000000000000};
#define RegistrySaveKey_value 0x6
EXTERN_C __declspec(selectany) const EVENT_DESCRIPTOR RegistrySetValueKey = {0x8, 0x0, 0x10, 0x4, 0x0, 0x0, 0x8000000000000000};
#define RegistrySetValueKey_value 0x8
EXTERN_C __declspec(selectany) const EVENT_DESCRIPTOR RegistryCreateKey = {0x9, 0x0, 0x10, 0x4, 0x0, 0x0, 0x8000000000000000};
#define RegistryCreateKey_value 0x9
EXTERN_C __declspec(selectany) const EVENT_DESCRIPTOR FileCreation = {0xa, 0x0, 0x10, 0x4, 0x0, 0x0, 0x8000000000000000};
#define FileCreation_value 0xa
EXTERN_C __declspec(selectany) const EVENT_DESCRIPTOR NamedPipeCreation = {0xb, 0x0, 0x10, 0x4, 0x0, 0x0, 0x8000000000000000};
#define NamedPipeCreation_value 0xb
EXTERN_C __declspec(selectany) const EVENT_DESCRIPTOR NamedPipeConnection = {0xc, 0x0, 0x10, 0x4, 0x0, 0x0, 0x8000000000000000};
#define NamedPipeConnection_value 0xc
EXTERN_C __declspec(selectany) const EVENT_DESCRIPTOR MailslotCreation = {0xd, 0x0, 0x10, 0x4, 0x0, 0x0, 0x8000000000000000};
#define MailslotCreation_value 0xd
EXTERN_C __declspec(selectany) const EVENT_DESCRIPTOR MailslotConnection = {0xe, 0x0, 0x10, 0x4, 0x0, 0x0, 0x8000000000000000};
#define MailslotConnection_value 0xe
EXTERN_C __declspec(selectany) const EVENT_DESCRIPTOR RemoteFileConnection = {0xf, 0x0, 0x10, 0x4, 0x0, 0x0, 0x8000000000000000};
#define RemoteFileConnection_value 0xf
EXTERN_C __declspec(selectany) const EVENT_DESCRIPTOR DotNetLoad = {0x10, 0x0, 0x10, 0x4, 0x0, 0x0, 0x8000000000000000};
#define DotNetLoad_value 0x10
EXTERN_C __declspec(selectany) const EVENT_DESCRIPTOR WMIEventFilter = {0x11, 0x0, 0x10, 0x4, 0x0, 0x0, 0x8000000000000000};
#define WMIEventFilter_value 0x11
EXTERN_C __declspec(selectany) const EVENT_DESCRIPTOR RPCClient = {0x12, 0x0, 0x10, 0x4, 0x0, 0x0, 0x8000000000000000};
#define RPCClient_value 0x12
EXTERN_C __declspec(selectany) const EVENT_DESCRIPTOR RPCServer = {0x13, 0x0, 0x10, 0x4, 0x0, 0x0, 0x8000000000000000};
#define RPCServer_value 0x13
EXTERN_C __declspec(selectany) const EVENT_DESCRIPTOR DPAPIUnprotect = {0x14, 0x0, 0x10, 0x4, 0x0, 0x0, 0x8000000000000000};
#define DPAPIUnprotect_value 0x14
EXTERN_C __declspec(selectany) const EVENT_DESCRIPTOR NetworkConnection = {0x15, 0x0, 0x10, 0x4, 0x0, 0x0, 0x8000000000000000};
#define NetworkConnection_value 0x15
EXTERN_C __declspec(selectany) const EVENT_DESCRIPTOR AMSI = {0x16, 0x0, 0x10, 0x4, 0x0, 0x0, 0x8000000000000000};
#define AMSI_value 0x16
EXTERN_C __declspec(selectany) const EVENT_DESCRIPTOR RemoteReadProcessMemory = {0x17, 0x0, 0x10, 0x4, 0x0, 0x0, 0x8000000000000000};
#define RemoteReadProcessMemory_value 0x17
EXTERN_C __declspec(selectany) const EVENT_DESCRIPTOR RemoteWriteProcessMemory = {0x18, 0x0, 0x10, 0x4, 0x0, 0x0, 0x8000000000000000};
#define RemoteWriteProcessMemory_value 0x18
EXTERN_C __declspec(selectany) const EVENT_DESCRIPTOR RemoteVirtualAllocation = {0x19, 0x0, 0x10, 0x4, 0x0, 0x0, 0x8000000000000000};
#define RemoteVirtualAllocation_value 0x19
EXTERN_C __declspec(selectany) const EVENT_DESCRIPTOR RemoteQueueUserAPC = {0x1a, 0x0, 0x10, 0x4, 0x0, 0x0, 0x8000000000000000};
#define RemoteQueueUserAPC_value 0x1a
EXTERN_C __declspec(selectany) const EVENT_DESCRIPTOR QueryTokenImpersonation = {0x1b, 0x0, 0x10, 0x4, 0x0, 0x0, 0x8000000000000000};
#define QueryTokenImpersonation_value 0x1b
EXTERN_C __declspec(selectany) const EVENT_DESCRIPTOR DebugLog102 = {0x66, 0x0, 0x10, 0x4, 0x0, 0x0, 0x8000000000000000};
#define DebugLog102_value 0x66
//
// MCGEN_DISABLE_PROVIDER_CODE_GENERATION macro:
// Define this macro to have the compiler skip the generated functions in this
// header.
//
#ifndef MCGEN_DISABLE_PROVIDER_CODE_GENERATION
//
// Event Enablement Bits
// These variables are for use by MC-generated code and should not be used directly.
//
EXTERN_C __declspec(selectany) DECLSPEC_CACHEALIGN ULONG JonMonEnableBits[1];
EXTERN_C __declspec(selectany) const ULONGLONG JonMonKeywords[1] = {0x8000000000000000};
EXTERN_C __declspec(selectany) const unsigned char JonMonLevels[1] = {4};
//
// Provider context
//
EXTERN_C __declspec(selectany) MCGEN_TRACE_CONTEXT JonMonProvider_Context = {0, (ULONG_PTR)JonMonProvider_Traits, 0, 0, 0, 0, 0, 0, 1, JonMonEnableBits, JonMonKeywords, JonMonLevels};
//
// Provider REGHANDLE
//
#define JonMonHandle (JonMonProvider_Context.RegistrationHandle)
//
// This macro is set to 0, indicating that the EventWrite[Name] macros do not
// have an Activity parameter. This is controlled by the -km and -um options.
//
#define JonMonProvider_EventWriteActivity 0
//
// Register with ETW using the control GUID specified in the manifest.
// Invoke this macro during module initialization (i.e. program startup,
// DLL process attach, or driver load) to initialize the provider.
// Note that if this function returns an error, the error means that event
// logging will not work, but no action needs to be taken -- even if EventRegister
// returns an error, it is generally safe to use the EventWrite and
// EventUnregister macros (they will be no-ops if EventRegister failed).
//
#ifndef EventRegisterJonMon
#define EventRegisterJonMon() McGenEventRegister(&JonMonProvider, McGenControlCallbackV2, &JonMonProvider_Context, &JonMonHandle)
#endif
//
// Register with ETW using a specific control GUID (i.e. a GUID other than what
// is specified in the manifest). Advanced scenarios only.
//
#ifndef EventRegisterByGuidJonMon
#define EventRegisterByGuidJonMon(Guid) McGenEventRegister(&(Guid), McGenControlCallbackV2, &JonMonProvider_Context, &JonMonHandle)
#endif
//
// Unregister with ETW and close the provider.
// Invoke this macro during module shutdown (i.e. program exit, DLL process
// detach, or driver unload) to unregister the provider.
// Note that you MUST call EventUnregister before DLL or driver unload
// (not optional): failure to unregister a provider before DLL or driver unload
// will result in crashes.
//
#ifndef EventUnregisterJonMon
#define EventUnregisterJonMon() McGenEventUnregister(&JonMonHandle)
#endif
//
// MCGEN_ENABLE_FORCONTEXT_CODE_GENERATION macro:
// Define this macro to enable support for caller-allocated provider context.
//
#ifdef MCGEN_ENABLE_FORCONTEXT_CODE_GENERATION
//
// Advanced scenarios: Caller-allocated provider context.
// Use when multiple differently-configured provider handles are needed,
// e.g. for container-aware drivers, one context per container.
//
// Usage:
//
// - Caller enables the feature before including this header, e.g.
// #define MCGEN_ENABLE_FORCONTEXT_CODE_GENERATION 1
// - Caller allocates memory, e.g. pContext = malloc(sizeof(McGenContext_JonMon));
// - Caller registers the provider, e.g. EventRegisterJonMon_ForContext(pContext);
// - Caller writes events, e.g. EventWriteMyEvent_ForContext(pContext, ...);
// - Caller unregisters, e.g. EventUnregisterJonMon_ForContext(pContext);
// - Caller frees memory, e.g. free(pContext);
//
typedef struct tagMcGenContext_JonMon {
// The fields of this structure are subject to change and should
// not be accessed directly. To access the provider's REGHANDLE,
// use JonMonHandle_ForContext(pContext).
MCGEN_TRACE_CONTEXT Context;
ULONG EnableBits[1];
} McGenContext_JonMon;
#define EventRegisterJonMon_ForContext(pContext) _mcgen_PASTE2(_mcgen_RegisterForContext_JonMon_, MCGEN_EVENTREGISTER)(&JonMonProvider, pContext)
#define EventRegisterByGuidJonMon_ForContext(Guid, pContext) _mcgen_PASTE2(_mcgen_RegisterForContext_JonMon_, MCGEN_EVENTREGISTER)(&(Guid), pContext)
#define EventUnregisterJonMon_ForContext(pContext) McGenEventUnregister(&(pContext)->Context.RegistrationHandle)
//
// Provider REGHANDLE for caller-allocated context.
//
#define JonMonHandle_ForContext(pContext) ((pContext)->Context.RegistrationHandle)
// This function is for use by MC-generated code and should not be used directly.
// Initialize and register the caller-allocated context.
__inline
ULONG __stdcall
_mcgen_PASTE2(_mcgen_RegisterForContext_JonMon_, MCGEN_EVENTREGISTER)(
_In_ LPCGUID pProviderId,
_Out_ McGenContext_JonMon* pContext)
{
RtlZeroMemory(pContext, sizeof(*pContext));
pContext->Context.Logger = (ULONG_PTR)JonMonProvider_Traits;
pContext->Context.EnableBitsCount = 1;
pContext->Context.EnableBitMask = pContext->EnableBits;
pContext->Context.EnableKeyWords = JonMonKeywords;
pContext->Context.EnableLevel = JonMonLevels;
return McGenEventRegister(
pProviderId,
McGenControlCallbackV2,
&pContext->Context,
&pContext->Context.RegistrationHandle);
}
// This function is for use by MC-generated code and should not be used directly.
// Trigger a compile error if called with the wrong parameter type.
FORCEINLINE
_Ret_ McGenContext_JonMon*
_mcgen_CheckContextType_JonMon(_In_ McGenContext_JonMon* pContext)
{
return pContext;
}
#endif // MCGEN_ENABLE_FORCONTEXT_CODE_GENERATION
//
// Enablement check macro for event "ProcessCreation"
//
#define EventEnabledProcessCreation() _mcgen_EVENT_BIT_SET(JonMonEnableBits, 0)
#define EventEnabledProcessCreation_ForContext(pContext) _mcgen_EVENT_BIT_SET(_mcgen_CheckContextType_JonMon(pContext)->EnableBits, 0)
//
// Event write macros for event "ProcessCreation"
//
#define EventWriteProcessCreation(EventTime, CreatorThreadId, CreatorProcessId, ParentProcessId, ParentProcessStartKey, ParentProcessFilePath, ParentProcessUser, ParentProcessUserLogonId, ParentProcessIntegrityLevel, ParentProcessSessionId, ParentProcessTokenType, ProcessFilePath, ProcessCommandLine, ProcessId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessUserLinkedLogonId, ProcessIntegrityLevel, ProcessSessionId, ProcessTokenType, ProcessReparented) \
MCGEN_EVENT_ENABLED(ProcessCreation) \
? _mcgen_TEMPLATE_FOR_ProcessCreation(&JonMonProvider_Context, &ProcessCreation, EventTime, CreatorThreadId, CreatorProcessId, ParentProcessId, ParentProcessStartKey, ParentProcessFilePath, ParentProcessUser, ParentProcessUserLogonId, ParentProcessIntegrityLevel, ParentProcessSessionId, ParentProcessTokenType, ProcessFilePath, ProcessCommandLine, ProcessId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessUserLinkedLogonId, ProcessIntegrityLevel, ProcessSessionId, ProcessTokenType, ProcessReparented) : 0
#define EventWriteProcessCreation_AssumeEnabled(EventTime, CreatorThreadId, CreatorProcessId, ParentProcessId, ParentProcessStartKey, ParentProcessFilePath, ParentProcessUser, ParentProcessUserLogonId, ParentProcessIntegrityLevel, ParentProcessSessionId, ParentProcessTokenType, ProcessFilePath, ProcessCommandLine, ProcessId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessUserLinkedLogonId, ProcessIntegrityLevel, ProcessSessionId, ProcessTokenType, ProcessReparented) \
_mcgen_TEMPLATE_FOR_ProcessCreation(&JonMonProvider_Context, &ProcessCreation, EventTime, CreatorThreadId, CreatorProcessId, ParentProcessId, ParentProcessStartKey, ParentProcessFilePath, ParentProcessUser, ParentProcessUserLogonId, ParentProcessIntegrityLevel, ParentProcessSessionId, ParentProcessTokenType, ProcessFilePath, ProcessCommandLine, ProcessId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessUserLinkedLogonId, ProcessIntegrityLevel, ProcessSessionId, ProcessTokenType, ProcessReparented)
#define EventWriteProcessCreation_ForContext(pContext, EventTime, CreatorThreadId, CreatorProcessId, ParentProcessId, ParentProcessStartKey, ParentProcessFilePath, ParentProcessUser, ParentProcessUserLogonId, ParentProcessIntegrityLevel, ParentProcessSessionId, ParentProcessTokenType, ProcessFilePath, ProcessCommandLine, ProcessId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessUserLinkedLogonId, ProcessIntegrityLevel, ProcessSessionId, ProcessTokenType, ProcessReparented) \
MCGEN_EVENT_ENABLED_FORCONTEXT(pContext, ProcessCreation) \
? _mcgen_TEMPLATE_FOR_ProcessCreation(&(pContext)->Context, &ProcessCreation, EventTime, CreatorThreadId, CreatorProcessId, ParentProcessId, ParentProcessStartKey, ParentProcessFilePath, ParentProcessUser, ParentProcessUserLogonId, ParentProcessIntegrityLevel, ParentProcessSessionId, ParentProcessTokenType, ProcessFilePath, ProcessCommandLine, ProcessId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessUserLinkedLogonId, ProcessIntegrityLevel, ProcessSessionId, ProcessTokenType, ProcessReparented) : 0
#define EventWriteProcessCreation_ForContextAssumeEnabled(pContext, EventTime, CreatorThreadId, CreatorProcessId, ParentProcessId, ParentProcessStartKey, ParentProcessFilePath, ParentProcessUser, ParentProcessUserLogonId, ParentProcessIntegrityLevel, ParentProcessSessionId, ParentProcessTokenType, ProcessFilePath, ProcessCommandLine, ProcessId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessUserLinkedLogonId, ProcessIntegrityLevel, ProcessSessionId, ProcessTokenType, ProcessReparented) \
_mcgen_TEMPLATE_FOR_ProcessCreation(&_mcgen_CheckContextType_JonMon(pContext)->Context, &ProcessCreation, EventTime, CreatorThreadId, CreatorProcessId, ParentProcessId, ParentProcessStartKey, ParentProcessFilePath, ParentProcessUser, ParentProcessUserLogonId, ParentProcessIntegrityLevel, ParentProcessSessionId, ParentProcessTokenType, ProcessFilePath, ProcessCommandLine, ProcessId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessUserLinkedLogonId, ProcessIntegrityLevel, ProcessSessionId, ProcessTokenType, ProcessReparented)
// This macro is for use by MC-generated code and should not be used directly.
#define _mcgen_TEMPLATE_FOR_ProcessCreation _mcgen_PASTE2(McTemplateU0yiiiizzqzqqzziizqqzqqt_, MCGEN_EVENTWRITETRANSFER)
//
// Enablement check macro for event "ProcessTerminate"
//
#define EventEnabledProcessTerminate() _mcgen_EVENT_BIT_SET(JonMonEnableBits, 0)
#define EventEnabledProcessTerminate_ForContext(pContext) _mcgen_EVENT_BIT_SET(_mcgen_CheckContextType_JonMon(pContext)->EnableBits, 0)
//
// Event write macros for event "ProcessTerminate"
//
#define EventWriteProcessTerminate(EventTime, SourceProcessId, SourceProcessStartKey, TargetProcessFilePath, TargetProcessId) \
MCGEN_EVENT_ENABLED(ProcessTerminate) \
? _mcgen_TEMPLATE_FOR_ProcessTerminate(&JonMonProvider_Context, &ProcessTerminate, EventTime, SourceProcessId, SourceProcessStartKey, TargetProcessFilePath, TargetProcessId) : 0
#define EventWriteProcessTerminate_AssumeEnabled(EventTime, SourceProcessId, SourceProcessStartKey, TargetProcessFilePath, TargetProcessId) \
_mcgen_TEMPLATE_FOR_ProcessTerminate(&JonMonProvider_Context, &ProcessTerminate, EventTime, SourceProcessId, SourceProcessStartKey, TargetProcessFilePath, TargetProcessId)
#define EventWriteProcessTerminate_ForContext(pContext, EventTime, SourceProcessId, SourceProcessStartKey, TargetProcessFilePath, TargetProcessId) \
MCGEN_EVENT_ENABLED_FORCONTEXT(pContext, ProcessTerminate) \
? _mcgen_TEMPLATE_FOR_ProcessTerminate(&(pContext)->Context, &ProcessTerminate, EventTime, SourceProcessId, SourceProcessStartKey, TargetProcessFilePath, TargetProcessId) : 0
#define EventWriteProcessTerminate_ForContextAssumeEnabled(pContext, EventTime, SourceProcessId, SourceProcessStartKey, TargetProcessFilePath, TargetProcessId) \
_mcgen_TEMPLATE_FOR_ProcessTerminate(&_mcgen_CheckContextType_JonMon(pContext)->Context, &ProcessTerminate, EventTime, SourceProcessId, SourceProcessStartKey, TargetProcessFilePath, TargetProcessId)
// This macro is for use by MC-generated code and should not be used directly.
#define _mcgen_TEMPLATE_FOR_ProcessTerminate _mcgen_PASTE2(McTemplateU0yiizi_, MCGEN_EVENTWRITETRANSFER)
//
// Enablement check macro for event "RemoteThreadCreation"
//
#define EventEnabledRemoteThreadCreation() _mcgen_EVENT_BIT_SET(JonMonEnableBits, 0)
#define EventEnabledRemoteThreadCreation_ForContext(pContext) _mcgen_EVENT_BIT_SET(_mcgen_CheckContextType_JonMon(pContext)->EnableBits, 0)
//
// Event write macros for event "RemoteThreadCreation"
//
#define EventWriteRemoteThreadCreation(EventTime, SourceProcessId, SourceProcessStartKey, SourceThreadId, SourceProcessFilePath, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceProcessTokenType, TargetProcessFilePath, TargetProcessId, TargetProcessStartKey, TargetThreadId, TargetProcessUser, TargetProcessUserLogonId, TargetProcessUserLinkedLogonId, TargetProcessIntegrityLevel, TargetProcessSessionId) \
MCGEN_EVENT_ENABLED(RemoteThreadCreation) \
? _mcgen_TEMPLATE_FOR_RemoteThreadCreation(&JonMonProvider_Context, &RemoteThreadCreation, EventTime, SourceProcessId, SourceProcessStartKey, SourceThreadId, SourceProcessFilePath, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceProcessTokenType, TargetProcessFilePath, TargetProcessId, TargetProcessStartKey, TargetThreadId, TargetProcessUser, TargetProcessUserLogonId, TargetProcessUserLinkedLogonId, TargetProcessIntegrityLevel, TargetProcessSessionId) : 0
#define EventWriteRemoteThreadCreation_AssumeEnabled(EventTime, SourceProcessId, SourceProcessStartKey, SourceThreadId, SourceProcessFilePath, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceProcessTokenType, TargetProcessFilePath, TargetProcessId, TargetProcessStartKey, TargetThreadId, TargetProcessUser, TargetProcessUserLogonId, TargetProcessUserLinkedLogonId, TargetProcessIntegrityLevel, TargetProcessSessionId) \
_mcgen_TEMPLATE_FOR_RemoteThreadCreation(&JonMonProvider_Context, &RemoteThreadCreation, EventTime, SourceProcessId, SourceProcessStartKey, SourceThreadId, SourceProcessFilePath, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceProcessTokenType, TargetProcessFilePath, TargetProcessId, TargetProcessStartKey, TargetThreadId, TargetProcessUser, TargetProcessUserLogonId, TargetProcessUserLinkedLogonId, TargetProcessIntegrityLevel, TargetProcessSessionId)
#define EventWriteRemoteThreadCreation_ForContext(pContext, EventTime, SourceProcessId, SourceProcessStartKey, SourceThreadId, SourceProcessFilePath, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceProcessTokenType, TargetProcessFilePath, TargetProcessId, TargetProcessStartKey, TargetThreadId, TargetProcessUser, TargetProcessUserLogonId, TargetProcessUserLinkedLogonId, TargetProcessIntegrityLevel, TargetProcessSessionId) \
MCGEN_EVENT_ENABLED_FORCONTEXT(pContext, RemoteThreadCreation) \
? _mcgen_TEMPLATE_FOR_RemoteThreadCreation(&(pContext)->Context, &RemoteThreadCreation, EventTime, SourceProcessId, SourceProcessStartKey, SourceThreadId, SourceProcessFilePath, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceProcessTokenType, TargetProcessFilePath, TargetProcessId, TargetProcessStartKey, TargetThreadId, TargetProcessUser, TargetProcessUserLogonId, TargetProcessUserLinkedLogonId, TargetProcessIntegrityLevel, TargetProcessSessionId) : 0
#define EventWriteRemoteThreadCreation_ForContextAssumeEnabled(pContext, EventTime, SourceProcessId, SourceProcessStartKey, SourceThreadId, SourceProcessFilePath, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceProcessTokenType, TargetProcessFilePath, TargetProcessId, TargetProcessStartKey, TargetThreadId, TargetProcessUser, TargetProcessUserLogonId, TargetProcessUserLinkedLogonId, TargetProcessIntegrityLevel, TargetProcessSessionId) \
_mcgen_TEMPLATE_FOR_RemoteThreadCreation(&_mcgen_CheckContextType_JonMon(pContext)->Context, &RemoteThreadCreation, EventTime, SourceProcessId, SourceProcessStartKey, SourceThreadId, SourceProcessFilePath, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceProcessTokenType, TargetProcessFilePath, TargetProcessId, TargetProcessStartKey, TargetThreadId, TargetProcessUser, TargetProcessUserLogonId, TargetProcessUserLinkedLogonId, TargetProcessIntegrityLevel, TargetProcessSessionId)
// This macro is for use by MC-generated code and should not be used directly.
#define _mcgen_TEMPLATE_FOR_RemoteThreadCreation _mcgen_PASTE2(McTemplateU0yiiizzqzqqziiizqqzq_, MCGEN_EVENTWRITETRANSFER)
//
// Enablement check macro for event "ImageLoaded"
//
#define EventEnabledImageLoaded() _mcgen_EVENT_BIT_SET(JonMonEnableBits, 0)
#define EventEnabledImageLoaded_ForContext(pContext) _mcgen_EVENT_BIT_SET(_mcgen_CheckContextType_JonMon(pContext)->EnableBits, 0)
//
// Event write macros for event "ImageLoaded"
//
#define EventWriteImageLoaded(EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessUserLinkedLogonId, ProcessIntegrityLevel, ProcessSessionId, ProcessTokenType, ModulePath, SystemModeImage) \
MCGEN_EVENT_ENABLED(ImageLoaded) \
? _mcgen_TEMPLATE_FOR_ImageLoaded(&JonMonProvider_Context, &ImageLoaded, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessUserLinkedLogonId, ProcessIntegrityLevel, ProcessSessionId, ProcessTokenType, ModulePath, SystemModeImage) : 0
#define EventWriteImageLoaded_AssumeEnabled(EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessUserLinkedLogonId, ProcessIntegrityLevel, ProcessSessionId, ProcessTokenType, ModulePath, SystemModeImage) \
_mcgen_TEMPLATE_FOR_ImageLoaded(&JonMonProvider_Context, &ImageLoaded, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessUserLinkedLogonId, ProcessIntegrityLevel, ProcessSessionId, ProcessTokenType, ModulePath, SystemModeImage)
#define EventWriteImageLoaded_ForContext(pContext, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessUserLinkedLogonId, ProcessIntegrityLevel, ProcessSessionId, ProcessTokenType, ModulePath, SystemModeImage) \
MCGEN_EVENT_ENABLED_FORCONTEXT(pContext, ImageLoaded) \
? _mcgen_TEMPLATE_FOR_ImageLoaded(&(pContext)->Context, &ImageLoaded, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessUserLinkedLogonId, ProcessIntegrityLevel, ProcessSessionId, ProcessTokenType, ModulePath, SystemModeImage) : 0
#define EventWriteImageLoaded_ForContextAssumeEnabled(pContext, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessUserLinkedLogonId, ProcessIntegrityLevel, ProcessSessionId, ProcessTokenType, ModulePath, SystemModeImage) \
_mcgen_TEMPLATE_FOR_ImageLoaded(&_mcgen_CheckContextType_JonMon(pContext)->Context, &ImageLoaded, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessUserLinkedLogonId, ProcessIntegrityLevel, ProcessSessionId, ProcessTokenType, ModulePath, SystemModeImage)
// This macro is for use by MC-generated code and should not be used directly.
#define _mcgen_TEMPLATE_FOR_ImageLoaded _mcgen_PASTE2(McTemplateU0yziiizqqzqqzi_, MCGEN_EVENTWRITETRANSFER)
//
// Enablement check macro for event "ProcessAccess"
//
#define EventEnabledProcessAccess() _mcgen_EVENT_BIT_SET(JonMonEnableBits, 0)
#define EventEnabledProcessAccess_ForContext(pContext) _mcgen_EVENT_BIT_SET(_mcgen_CheckContextType_JonMon(pContext)->EnableBits, 0)
//
// Event write macros for event "ProcessAccess"
//
#define EventWriteProcessAccess(EventTime, SourceProcessId, SourceThreadId, SourceProcessStartKey, SourceProcessFilePath, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceProcessTokenType, ProcessId, ProcessStartKey, ProcessFilePath, ProcessUser, ProcessUserLogonId, ProcessUserLinkedLogonId, ProcessIntegrityLevel, ProcessSessionId, ProcessTokenType, DesiredAccess, OperationType) \
MCGEN_EVENT_ENABLED(ProcessAccess) \
? _mcgen_TEMPLATE_FOR_ProcessAccess(&JonMonProvider_Context, &ProcessAccess, EventTime, SourceProcessId, SourceThreadId, SourceProcessStartKey, SourceProcessFilePath, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceProcessTokenType, ProcessId, ProcessStartKey, ProcessFilePath, ProcessUser, ProcessUserLogonId, ProcessUserLinkedLogonId, ProcessIntegrityLevel, ProcessSessionId, ProcessTokenType, DesiredAccess, OperationType) : 0
#define EventWriteProcessAccess_AssumeEnabled(EventTime, SourceProcessId, SourceThreadId, SourceProcessStartKey, SourceProcessFilePath, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceProcessTokenType, ProcessId, ProcessStartKey, ProcessFilePath, ProcessUser, ProcessUserLogonId, ProcessUserLinkedLogonId, ProcessIntegrityLevel, ProcessSessionId, ProcessTokenType, DesiredAccess, OperationType) \
_mcgen_TEMPLATE_FOR_ProcessAccess(&JonMonProvider_Context, &ProcessAccess, EventTime, SourceProcessId, SourceThreadId, SourceProcessStartKey, SourceProcessFilePath, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceProcessTokenType, ProcessId, ProcessStartKey, ProcessFilePath, ProcessUser, ProcessUserLogonId, ProcessUserLinkedLogonId, ProcessIntegrityLevel, ProcessSessionId, ProcessTokenType, DesiredAccess, OperationType)
#define EventWriteProcessAccess_ForContext(pContext, EventTime, SourceProcessId, SourceThreadId, SourceProcessStartKey, SourceProcessFilePath, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceProcessTokenType, ProcessId, ProcessStartKey, ProcessFilePath, ProcessUser, ProcessUserLogonId, ProcessUserLinkedLogonId, ProcessIntegrityLevel, ProcessSessionId, ProcessTokenType, DesiredAccess, OperationType) \
MCGEN_EVENT_ENABLED_FORCONTEXT(pContext, ProcessAccess) \
? _mcgen_TEMPLATE_FOR_ProcessAccess(&(pContext)->Context, &ProcessAccess, EventTime, SourceProcessId, SourceThreadId, SourceProcessStartKey, SourceProcessFilePath, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceProcessTokenType, ProcessId, ProcessStartKey, ProcessFilePath, ProcessUser, ProcessUserLogonId, ProcessUserLinkedLogonId, ProcessIntegrityLevel, ProcessSessionId, ProcessTokenType, DesiredAccess, OperationType) : 0
#define EventWriteProcessAccess_ForContextAssumeEnabled(pContext, EventTime, SourceProcessId, SourceThreadId, SourceProcessStartKey, SourceProcessFilePath, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceProcessTokenType, ProcessId, ProcessStartKey, ProcessFilePath, ProcessUser, ProcessUserLogonId, ProcessUserLinkedLogonId, ProcessIntegrityLevel, ProcessSessionId, ProcessTokenType, DesiredAccess, OperationType) \
_mcgen_TEMPLATE_FOR_ProcessAccess(&_mcgen_CheckContextType_JonMon(pContext)->Context, &ProcessAccess, EventTime, SourceProcessId, SourceThreadId, SourceProcessStartKey, SourceProcessFilePath, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceProcessTokenType, ProcessId, ProcessStartKey, ProcessFilePath, ProcessUser, ProcessUserLogonId, ProcessUserLinkedLogonId, ProcessIntegrityLevel, ProcessSessionId, ProcessTokenType, DesiredAccess, OperationType)
// This macro is for use by MC-generated code and should not be used directly.
#define _mcgen_TEMPLATE_FOR_ProcessAccess _mcgen_PASTE2(McTemplateU0yiiizzqzqqiizzqqzqqdd_, MCGEN_EVENTWRITETRANSFER)
//
// Enablement check macro for event "RegistrySaveKey"
//
#define EventEnabledRegistrySaveKey() _mcgen_EVENT_BIT_SET(JonMonEnableBits, 0)
#define EventEnabledRegistrySaveKey_ForContext(pContext) _mcgen_EVENT_BIT_SET(_mcgen_CheckContextType_JonMon(pContext)->EnableBits, 0)
//
// Event write macros for event "RegistrySaveKey"
//
#define EventWriteRegistrySaveKey(EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, RegKeyPath) \
MCGEN_EVENT_ENABLED(RegistrySaveKey) \
? _mcgen_TEMPLATE_FOR_RegistrySaveKey(&JonMonProvider_Context, &RegistrySaveKey, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, RegKeyPath) : 0
#define EventWriteRegistrySaveKey_AssumeEnabled(EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, RegKeyPath) \
_mcgen_TEMPLATE_FOR_RegistrySaveKey(&JonMonProvider_Context, &RegistrySaveKey, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, RegKeyPath)
#define EventWriteRegistrySaveKey_ForContext(pContext, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, RegKeyPath) \
MCGEN_EVENT_ENABLED_FORCONTEXT(pContext, RegistrySaveKey) \
? _mcgen_TEMPLATE_FOR_RegistrySaveKey(&(pContext)->Context, &RegistrySaveKey, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, RegKeyPath) : 0
#define EventWriteRegistrySaveKey_ForContextAssumeEnabled(pContext, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, RegKeyPath) \
_mcgen_TEMPLATE_FOR_RegistrySaveKey(&_mcgen_CheckContextType_JonMon(pContext)->Context, &RegistrySaveKey, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, RegKeyPath)
// This macro is for use by MC-generated code and should not be used directly.
#define _mcgen_TEMPLATE_FOR_RegistrySaveKey _mcgen_PASTE2(McTemplateU0yziiizqzqz_, MCGEN_EVENTWRITETRANSFER)
//
// Enablement check macro for event "RegistrySetValueKey"
//
#define EventEnabledRegistrySetValueKey() _mcgen_EVENT_BIT_SET(JonMonEnableBits, 0)
#define EventEnabledRegistrySetValueKey_ForContext(pContext) _mcgen_EVENT_BIT_SET(_mcgen_CheckContextType_JonMon(pContext)->EnableBits, 0)
//
// Event write macros for event "RegistrySetValueKey"
//
#define EventWriteRegistrySetValueKey(EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, RegKeyPath, DataType, Data, ValueName) \
MCGEN_EVENT_ENABLED(RegistrySetValueKey) \
? _mcgen_TEMPLATE_FOR_RegistrySetValueKey(&JonMonProvider_Context, &RegistrySetValueKey, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, RegKeyPath, DataType, Data, ValueName) : 0
#define EventWriteRegistrySetValueKey_AssumeEnabled(EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, RegKeyPath, DataType, Data, ValueName) \
_mcgen_TEMPLATE_FOR_RegistrySetValueKey(&JonMonProvider_Context, &RegistrySetValueKey, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, RegKeyPath, DataType, Data, ValueName)
#define EventWriteRegistrySetValueKey_ForContext(pContext, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, RegKeyPath, DataType, Data, ValueName) \
MCGEN_EVENT_ENABLED_FORCONTEXT(pContext, RegistrySetValueKey) \
? _mcgen_TEMPLATE_FOR_RegistrySetValueKey(&(pContext)->Context, &RegistrySetValueKey, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, RegKeyPath, DataType, Data, ValueName) : 0
#define EventWriteRegistrySetValueKey_ForContextAssumeEnabled(pContext, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, RegKeyPath, DataType, Data, ValueName) \
_mcgen_TEMPLATE_FOR_RegistrySetValueKey(&_mcgen_CheckContextType_JonMon(pContext)->Context, &RegistrySetValueKey, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, RegKeyPath, DataType, Data, ValueName)
// This macro is for use by MC-generated code and should not be used directly.
#define _mcgen_TEMPLATE_FOR_RegistrySetValueKey _mcgen_PASTE2(McTemplateU0yziiizqzqzdzz_, MCGEN_EVENTWRITETRANSFER)
//
// Enablement check macro for event "RegistryCreateKey"
//
#define EventEnabledRegistryCreateKey() _mcgen_EVENT_BIT_SET(JonMonEnableBits, 0)
#define EventEnabledRegistryCreateKey_ForContext(pContext) _mcgen_EVENT_BIT_SET(_mcgen_CheckContextType_JonMon(pContext)->EnableBits, 0)
//
// Event write macros for event "RegistryCreateKey"
//
#define EventWriteRegistryCreateKey(EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, RegKeyPath) \
MCGEN_EVENT_ENABLED(RegistryCreateKey) \
? _mcgen_TEMPLATE_FOR_RegistryCreateKey(&JonMonProvider_Context, &RegistryCreateKey, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, RegKeyPath) : 0
#define EventWriteRegistryCreateKey_AssumeEnabled(EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, RegKeyPath) \
_mcgen_TEMPLATE_FOR_RegistryCreateKey(&JonMonProvider_Context, &RegistryCreateKey, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, RegKeyPath)
#define EventWriteRegistryCreateKey_ForContext(pContext, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, RegKeyPath) \
MCGEN_EVENT_ENABLED_FORCONTEXT(pContext, RegistryCreateKey) \
? _mcgen_TEMPLATE_FOR_RegistryCreateKey(&(pContext)->Context, &RegistryCreateKey, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, RegKeyPath) : 0
#define EventWriteRegistryCreateKey_ForContextAssumeEnabled(pContext, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, RegKeyPath) \
_mcgen_TEMPLATE_FOR_RegistryCreateKey(&_mcgen_CheckContextType_JonMon(pContext)->Context, &RegistryCreateKey, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, RegKeyPath)
// This macro is for use by MC-generated code and should not be used directly.
#define _mcgen_TEMPLATE_FOR_RegistryCreateKey _mcgen_PASTE2(McTemplateU0yziiizqzqz_, MCGEN_EVENTWRITETRANSFER)
//
// Enablement check macro for event "FileCreation"
//
#define EventEnabledFileCreation() _mcgen_EVENT_BIT_SET(JonMonEnableBits, 0)
#define EventEnabledFileCreation_ForContext(pContext) _mcgen_EVENT_BIT_SET(_mcgen_CheckContextType_JonMon(pContext)->EnableBits, 0)
//
// Event write macros for event "FileCreation"
//
#define EventWriteFileCreation(EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName) \
MCGEN_EVENT_ENABLED(FileCreation) \
? _mcgen_TEMPLATE_FOR_FileCreation(&JonMonProvider_Context, &FileCreation, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName) : 0
#define EventWriteFileCreation_AssumeEnabled(EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName) \
_mcgen_TEMPLATE_FOR_FileCreation(&JonMonProvider_Context, &FileCreation, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName)
#define EventWriteFileCreation_ForContext(pContext, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName) \
MCGEN_EVENT_ENABLED_FORCONTEXT(pContext, FileCreation) \
? _mcgen_TEMPLATE_FOR_FileCreation(&(pContext)->Context, &FileCreation, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName) : 0
#define EventWriteFileCreation_ForContextAssumeEnabled(pContext, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName) \
_mcgen_TEMPLATE_FOR_FileCreation(&_mcgen_CheckContextType_JonMon(pContext)->Context, &FileCreation, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName)
// This macro is for use by MC-generated code and should not be used directly.
#define _mcgen_TEMPLATE_FOR_FileCreation _mcgen_PASTE2(McTemplateU0yziiizqzqz_, MCGEN_EVENTWRITETRANSFER)
//
// Enablement check macro for event "NamedPipeCreation"
//
#define EventEnabledNamedPipeCreation() _mcgen_EVENT_BIT_SET(JonMonEnableBits, 0)
#define EventEnabledNamedPipeCreation_ForContext(pContext) _mcgen_EVENT_BIT_SET(_mcgen_CheckContextType_JonMon(pContext)->EnableBits, 0)
//
// Event write macros for event "NamedPipeCreation"
//
#define EventWriteNamedPipeCreation(EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName, RequestedRights) \
MCGEN_EVENT_ENABLED(NamedPipeCreation) \
? _mcgen_TEMPLATE_FOR_NamedPipeCreation(&JonMonProvider_Context, &NamedPipeCreation, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName, RequestedRights) : 0
#define EventWriteNamedPipeCreation_AssumeEnabled(EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName, RequestedRights) \
_mcgen_TEMPLATE_FOR_NamedPipeCreation(&JonMonProvider_Context, &NamedPipeCreation, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName, RequestedRights)
#define EventWriteNamedPipeCreation_ForContext(pContext, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName, RequestedRights) \
MCGEN_EVENT_ENABLED_FORCONTEXT(pContext, NamedPipeCreation) \
? _mcgen_TEMPLATE_FOR_NamedPipeCreation(&(pContext)->Context, &NamedPipeCreation, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName, RequestedRights) : 0
#define EventWriteNamedPipeCreation_ForContextAssumeEnabled(pContext, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName, RequestedRights) \
_mcgen_TEMPLATE_FOR_NamedPipeCreation(&_mcgen_CheckContextType_JonMon(pContext)->Context, &NamedPipeCreation, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName, RequestedRights)
// This macro is for use by MC-generated code and should not be used directly.
#define _mcgen_TEMPLATE_FOR_NamedPipeCreation _mcgen_PASTE2(McTemplateU0yziiizqzqzd_, MCGEN_EVENTWRITETRANSFER)
//
// Enablement check macro for event "NamedPipeConnection"
//
#define EventEnabledNamedPipeConnection() _mcgen_EVENT_BIT_SET(JonMonEnableBits, 0)
#define EventEnabledNamedPipeConnection_ForContext(pContext) _mcgen_EVENT_BIT_SET(_mcgen_CheckContextType_JonMon(pContext)->EnableBits, 0)
//
// Event write macros for event "NamedPipeConnection"
//
#define EventWriteNamedPipeConnection(EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName, RequestedRights) \
MCGEN_EVENT_ENABLED(NamedPipeConnection) \
? _mcgen_TEMPLATE_FOR_NamedPipeConnection(&JonMonProvider_Context, &NamedPipeConnection, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName, RequestedRights) : 0
#define EventWriteNamedPipeConnection_AssumeEnabled(EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName, RequestedRights) \
_mcgen_TEMPLATE_FOR_NamedPipeConnection(&JonMonProvider_Context, &NamedPipeConnection, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName, RequestedRights)
#define EventWriteNamedPipeConnection_ForContext(pContext, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName, RequestedRights) \
MCGEN_EVENT_ENABLED_FORCONTEXT(pContext, NamedPipeConnection) \
? _mcgen_TEMPLATE_FOR_NamedPipeConnection(&(pContext)->Context, &NamedPipeConnection, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName, RequestedRights) : 0
#define EventWriteNamedPipeConnection_ForContextAssumeEnabled(pContext, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName, RequestedRights) \
_mcgen_TEMPLATE_FOR_NamedPipeConnection(&_mcgen_CheckContextType_JonMon(pContext)->Context, &NamedPipeConnection, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName, RequestedRights)
// This macro is for use by MC-generated code and should not be used directly.
#define _mcgen_TEMPLATE_FOR_NamedPipeConnection _mcgen_PASTE2(McTemplateU0yziiizqzqzd_, MCGEN_EVENTWRITETRANSFER)
//
// Enablement check macro for event "MailslotCreation"
//
#define EventEnabledMailslotCreation() _mcgen_EVENT_BIT_SET(JonMonEnableBits, 0)
#define EventEnabledMailslotCreation_ForContext(pContext) _mcgen_EVENT_BIT_SET(_mcgen_CheckContextType_JonMon(pContext)->EnableBits, 0)
//
// Event write macros for event "MailslotCreation"
//
#define EventWriteMailslotCreation(EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName, RequestedRights) \
MCGEN_EVENT_ENABLED(MailslotCreation) \
? _mcgen_TEMPLATE_FOR_MailslotCreation(&JonMonProvider_Context, &MailslotCreation, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName, RequestedRights) : 0
#define EventWriteMailslotCreation_AssumeEnabled(EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName, RequestedRights) \
_mcgen_TEMPLATE_FOR_MailslotCreation(&JonMonProvider_Context, &MailslotCreation, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName, RequestedRights)
#define EventWriteMailslotCreation_ForContext(pContext, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName, RequestedRights) \
MCGEN_EVENT_ENABLED_FORCONTEXT(pContext, MailslotCreation) \
? _mcgen_TEMPLATE_FOR_MailslotCreation(&(pContext)->Context, &MailslotCreation, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName, RequestedRights) : 0
#define EventWriteMailslotCreation_ForContextAssumeEnabled(pContext, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName, RequestedRights) \
_mcgen_TEMPLATE_FOR_MailslotCreation(&_mcgen_CheckContextType_JonMon(pContext)->Context, &MailslotCreation, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName, RequestedRights)
// This macro is for use by MC-generated code and should not be used directly.
#define _mcgen_TEMPLATE_FOR_MailslotCreation _mcgen_PASTE2(McTemplateU0yziiizqzqzd_, MCGEN_EVENTWRITETRANSFER)
//
// Enablement check macro for event "MailslotConnection"
//
#define EventEnabledMailslotConnection() _mcgen_EVENT_BIT_SET(JonMonEnableBits, 0)
#define EventEnabledMailslotConnection_ForContext(pContext) _mcgen_EVENT_BIT_SET(_mcgen_CheckContextType_JonMon(pContext)->EnableBits, 0)
//
// Event write macros for event "MailslotConnection"
//
#define EventWriteMailslotConnection(EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName, RequestedRights) \
MCGEN_EVENT_ENABLED(MailslotConnection) \
? _mcgen_TEMPLATE_FOR_MailslotConnection(&JonMonProvider_Context, &MailslotConnection, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName, RequestedRights) : 0
#define EventWriteMailslotConnection_AssumeEnabled(EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName, RequestedRights) \
_mcgen_TEMPLATE_FOR_MailslotConnection(&JonMonProvider_Context, &MailslotConnection, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName, RequestedRights)
#define EventWriteMailslotConnection_ForContext(pContext, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName, RequestedRights) \
MCGEN_EVENT_ENABLED_FORCONTEXT(pContext, MailslotConnection) \
? _mcgen_TEMPLATE_FOR_MailslotConnection(&(pContext)->Context, &MailslotConnection, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName, RequestedRights) : 0
#define EventWriteMailslotConnection_ForContextAssumeEnabled(pContext, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName, RequestedRights) \
_mcgen_TEMPLATE_FOR_MailslotConnection(&_mcgen_CheckContextType_JonMon(pContext)->Context, &MailslotConnection, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName, RequestedRights)
// This macro is for use by MC-generated code and should not be used directly.
#define _mcgen_TEMPLATE_FOR_MailslotConnection _mcgen_PASTE2(McTemplateU0yziiizqzqzd_, MCGEN_EVENTWRITETRANSFER)
//
// Enablement check macro for event "RemoteFileConnection"
//
#define EventEnabledRemoteFileConnection() _mcgen_EVENT_BIT_SET(JonMonEnableBits, 0)
#define EventEnabledRemoteFileConnection_ForContext(pContext) _mcgen_EVENT_BIT_SET(_mcgen_CheckContextType_JonMon(pContext)->EnableBits, 0)
//
// Event write macros for event "RemoteFileConnection"
//
#define EventWriteRemoteFileConnection(EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName) \
MCGEN_EVENT_ENABLED(RemoteFileConnection) \
? _mcgen_TEMPLATE_FOR_RemoteFileConnection(&JonMonProvider_Context, &RemoteFileConnection, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName) : 0
#define EventWriteRemoteFileConnection_AssumeEnabled(EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName) \
_mcgen_TEMPLATE_FOR_RemoteFileConnection(&JonMonProvider_Context, &RemoteFileConnection, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName)
#define EventWriteRemoteFileConnection_ForContext(pContext, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName) \
MCGEN_EVENT_ENABLED_FORCONTEXT(pContext, RemoteFileConnection) \
? _mcgen_TEMPLATE_FOR_RemoteFileConnection(&(pContext)->Context, &RemoteFileConnection, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName) : 0
#define EventWriteRemoteFileConnection_ForContextAssumeEnabled(pContext, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName) \
_mcgen_TEMPLATE_FOR_RemoteFileConnection(&_mcgen_CheckContextType_JonMon(pContext)->Context, &RemoteFileConnection, EventTime, ProcessFilePath, ProcessId, ProcessThreadId, ProcessStartKey, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, FileName)
// This macro is for use by MC-generated code and should not be used directly.
#define _mcgen_TEMPLATE_FOR_RemoteFileConnection _mcgen_PASTE2(McTemplateU0yziiizqzqz_, MCGEN_EVENTWRITETRANSFER)
//
// Enablement check macro for event "DotNetLoad"
//
#define EventEnabledDotNetLoad() _mcgen_EVENT_BIT_SET(JonMonEnableBits, 0)
#define EventEnabledDotNetLoad_ForContext(pContext) _mcgen_EVENT_BIT_SET(_mcgen_CheckContextType_JonMon(pContext)->EnableBits, 0)
//
// Event write macros for event "DotNetLoad"
//
#define EventWriteDotNetLoad(EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, AssemblyName, ClrInstanceID) \
MCGEN_EVENT_ENABLED(DotNetLoad) \
? _mcgen_TEMPLATE_FOR_DotNetLoad(&JonMonProvider_Context, &DotNetLoad, EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, AssemblyName, ClrInstanceID) : 0
#define EventWriteDotNetLoad_AssumeEnabled(EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, AssemblyName, ClrInstanceID) \
_mcgen_TEMPLATE_FOR_DotNetLoad(&JonMonProvider_Context, &DotNetLoad, EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, AssemblyName, ClrInstanceID)
#define EventWriteDotNetLoad_ForContext(pContext, EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, AssemblyName, ClrInstanceID) \
MCGEN_EVENT_ENABLED_FORCONTEXT(pContext, DotNetLoad) \
? _mcgen_TEMPLATE_FOR_DotNetLoad(&(pContext)->Context, &DotNetLoad, EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, AssemblyName, ClrInstanceID) : 0
#define EventWriteDotNetLoad_ForContextAssumeEnabled(pContext, EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, AssemblyName, ClrInstanceID) \
_mcgen_TEMPLATE_FOR_DotNetLoad(&_mcgen_CheckContextType_JonMon(pContext)->Context, &DotNetLoad, EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, AssemblyName, ClrInstanceID)
// This macro is for use by MC-generated code and should not be used directly.
#define _mcgen_TEMPLATE_FOR_DotNetLoad _mcgen_PASTE2(McTemplateU0yzizqzqzh_, MCGEN_EVENTWRITETRANSFER)
//
// Enablement check macro for event "WMIEventFilter"
//
#define EventEnabledWMIEventFilter() _mcgen_EVENT_BIT_SET(JonMonEnableBits, 0)
#define EventEnabledWMIEventFilter_ForContext(pContext) _mcgen_EVENT_BIT_SET(_mcgen_CheckContextType_JonMon(pContext)->EnableBits, 0)
//
// Event write macros for event "WMIEventFilter"
//
#define EventWriteWMIEventFilter(EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, Namespace, ESS, Consumer, PossibleCause) \
MCGEN_EVENT_ENABLED(WMIEventFilter) \
? _mcgen_TEMPLATE_FOR_WMIEventFilter(&JonMonProvider_Context, &WMIEventFilter, EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, Namespace, ESS, Consumer, PossibleCause) : 0
#define EventWriteWMIEventFilter_AssumeEnabled(EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, Namespace, ESS, Consumer, PossibleCause) \
_mcgen_TEMPLATE_FOR_WMIEventFilter(&JonMonProvider_Context, &WMIEventFilter, EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, Namespace, ESS, Consumer, PossibleCause)
#define EventWriteWMIEventFilter_ForContext(pContext, EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, Namespace, ESS, Consumer, PossibleCause) \
MCGEN_EVENT_ENABLED_FORCONTEXT(pContext, WMIEventFilter) \
? _mcgen_TEMPLATE_FOR_WMIEventFilter(&(pContext)->Context, &WMIEventFilter, EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, Namespace, ESS, Consumer, PossibleCause) : 0
#define EventWriteWMIEventFilter_ForContextAssumeEnabled(pContext, EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, Namespace, ESS, Consumer, PossibleCause) \
_mcgen_TEMPLATE_FOR_WMIEventFilter(&_mcgen_CheckContextType_JonMon(pContext)->Context, &WMIEventFilter, EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, Namespace, ESS, Consumer, PossibleCause)
// This macro is for use by MC-generated code and should not be used directly.
#define _mcgen_TEMPLATE_FOR_WMIEventFilter _mcgen_PASTE2(McTemplateU0yzizqzqzzzz_, MCGEN_EVENTWRITETRANSFER)
//
// Enablement check macro for event "RPCClient"
//
#define EventEnabledRPCClient() _mcgen_EVENT_BIT_SET(JonMonEnableBits, 0)
#define EventEnabledRPCClient_ForContext(pContext) _mcgen_EVENT_BIT_SET(_mcgen_CheckContextType_JonMon(pContext)->EnableBits, 0)
//
// Event write macros for event "RPCClient"
//
#define EventWriteRPCClient(EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, InterfaceUUID, ProcNum, Protocol, NetworkAddress, Endpoint, InterfaceString, MethodString, CallStack) \
MCGEN_EVENT_ENABLED(RPCClient) \
? _mcgen_TEMPLATE_FOR_RPCClient(&JonMonProvider_Context, &RPCClient, EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, InterfaceUUID, ProcNum, Protocol, NetworkAddress, Endpoint, InterfaceString, MethodString, CallStack) : 0
#define EventWriteRPCClient_AssumeEnabled(EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, InterfaceUUID, ProcNum, Protocol, NetworkAddress, Endpoint, InterfaceString, MethodString, CallStack) \
_mcgen_TEMPLATE_FOR_RPCClient(&JonMonProvider_Context, &RPCClient, EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, InterfaceUUID, ProcNum, Protocol, NetworkAddress, Endpoint, InterfaceString, MethodString, CallStack)
#define EventWriteRPCClient_ForContext(pContext, EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, InterfaceUUID, ProcNum, Protocol, NetworkAddress, Endpoint, InterfaceString, MethodString, CallStack) \
MCGEN_EVENT_ENABLED_FORCONTEXT(pContext, RPCClient) \
? _mcgen_TEMPLATE_FOR_RPCClient(&(pContext)->Context, &RPCClient, EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, InterfaceUUID, ProcNum, Protocol, NetworkAddress, Endpoint, InterfaceString, MethodString, CallStack) : 0
#define EventWriteRPCClient_ForContextAssumeEnabled(pContext, EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, InterfaceUUID, ProcNum, Protocol, NetworkAddress, Endpoint, InterfaceString, MethodString, CallStack) \
_mcgen_TEMPLATE_FOR_RPCClient(&_mcgen_CheckContextType_JonMon(pContext)->Context, &RPCClient, EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, InterfaceUUID, ProcNum, Protocol, NetworkAddress, Endpoint, InterfaceString, MethodString, CallStack)
// This macro is for use by MC-generated code and should not be used directly.
#define _mcgen_TEMPLATE_FOR_RPCClient _mcgen_PASTE2(McTemplateU0yzizqzqzqqzzzzz_, MCGEN_EVENTWRITETRANSFER)
//
// Enablement check macro for event "RPCServer"
//
#define EventEnabledRPCServer() _mcgen_EVENT_BIT_SET(JonMonEnableBits, 0)
#define EventEnabledRPCServer_ForContext(pContext) _mcgen_EVENT_BIT_SET(_mcgen_CheckContextType_JonMon(pContext)->EnableBits, 0)
//
// Event write macros for event "RPCServer"
//
#define EventWriteRPCServer(EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, InterfaceUUID, ProcNum, Protocol, NetworkAddress, Endpoint, InterfaceString, MethodString, CallStack) \
MCGEN_EVENT_ENABLED(RPCServer) \
? _mcgen_TEMPLATE_FOR_RPCServer(&JonMonProvider_Context, &RPCServer, EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, InterfaceUUID, ProcNum, Protocol, NetworkAddress, Endpoint, InterfaceString, MethodString, CallStack) : 0
#define EventWriteRPCServer_AssumeEnabled(EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, InterfaceUUID, ProcNum, Protocol, NetworkAddress, Endpoint, InterfaceString, MethodString, CallStack) \
_mcgen_TEMPLATE_FOR_RPCServer(&JonMonProvider_Context, &RPCServer, EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, InterfaceUUID, ProcNum, Protocol, NetworkAddress, Endpoint, InterfaceString, MethodString, CallStack)
#define EventWriteRPCServer_ForContext(pContext, EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, InterfaceUUID, ProcNum, Protocol, NetworkAddress, Endpoint, InterfaceString, MethodString, CallStack) \
MCGEN_EVENT_ENABLED_FORCONTEXT(pContext, RPCServer) \
? _mcgen_TEMPLATE_FOR_RPCServer(&(pContext)->Context, &RPCServer, EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, InterfaceUUID, ProcNum, Protocol, NetworkAddress, Endpoint, InterfaceString, MethodString, CallStack) : 0
#define EventWriteRPCServer_ForContextAssumeEnabled(pContext, EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, InterfaceUUID, ProcNum, Protocol, NetworkAddress, Endpoint, InterfaceString, MethodString, CallStack) \
_mcgen_TEMPLATE_FOR_RPCServer(&_mcgen_CheckContextType_JonMon(pContext)->Context, &RPCServer, EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, InterfaceUUID, ProcNum, Protocol, NetworkAddress, Endpoint, InterfaceString, MethodString, CallStack)
// This macro is for use by MC-generated code and should not be used directly.
#define _mcgen_TEMPLATE_FOR_RPCServer _mcgen_PASTE2(McTemplateU0yzizqzqzqqzzzzz_, MCGEN_EVENTWRITETRANSFER)
//
// Enablement check macro for event "DPAPIUnprotect"
//
#define EventEnabledDPAPIUnprotect() _mcgen_EVENT_BIT_SET(JonMonEnableBits, 0)
#define EventEnabledDPAPIUnprotect_ForContext(pContext) _mcgen_EVENT_BIT_SET(_mcgen_CheckContextType_JonMon(pContext)->EnableBits, 0)
//
// Event write macros for event "DPAPIUnprotect"
//
#define EventWriteDPAPIUnprotect(EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, OperationType, DataDescription, Flags, ProtectionFlags) \
MCGEN_EVENT_ENABLED(DPAPIUnprotect) \
? _mcgen_TEMPLATE_FOR_DPAPIUnprotect(&JonMonProvider_Context, &DPAPIUnprotect, EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, OperationType, DataDescription, Flags, ProtectionFlags) : 0
#define EventWriteDPAPIUnprotect_AssumeEnabled(EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, OperationType, DataDescription, Flags, ProtectionFlags) \
_mcgen_TEMPLATE_FOR_DPAPIUnprotect(&JonMonProvider_Context, &DPAPIUnprotect, EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, OperationType, DataDescription, Flags, ProtectionFlags)
#define EventWriteDPAPIUnprotect_ForContext(pContext, EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, OperationType, DataDescription, Flags, ProtectionFlags) \
MCGEN_EVENT_ENABLED_FORCONTEXT(pContext, DPAPIUnprotect) \
? _mcgen_TEMPLATE_FOR_DPAPIUnprotect(&(pContext)->Context, &DPAPIUnprotect, EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, OperationType, DataDescription, Flags, ProtectionFlags) : 0
#define EventWriteDPAPIUnprotect_ForContextAssumeEnabled(pContext, EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, OperationType, DataDescription, Flags, ProtectionFlags) \
_mcgen_TEMPLATE_FOR_DPAPIUnprotect(&_mcgen_CheckContextType_JonMon(pContext)->Context, &DPAPIUnprotect, EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, OperationType, DataDescription, Flags, ProtectionFlags)
// This macro is for use by MC-generated code and should not be used directly.
#define _mcgen_TEMPLATE_FOR_DPAPIUnprotect _mcgen_PASTE2(McTemplateU0yzizqzqzzqq_, MCGEN_EVENTWRITETRANSFER)
//
// Enablement check macro for event "NetworkConnection"
//
#define EventEnabledNetworkConnection() _mcgen_EVENT_BIT_SET(JonMonEnableBits, 0)
#define EventEnabledNetworkConnection_ForContext(pContext) _mcgen_EVENT_BIT_SET(_mcgen_CheckContextType_JonMon(pContext)->EnableBits, 0)
//
// Event write macros for event "NetworkConnection"
//
#define EventWriteNetworkConnection(EventTime, ProcessId, ProcessFilePath, SrcIpAddressIpv4, DestIpAddressIpv4, SrcPort, DestPort, Initiated, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId) \
MCGEN_EVENT_ENABLED(NetworkConnection) \
? _mcgen_TEMPLATE_FOR_NetworkConnection(&JonMonProvider_Context, &NetworkConnection, EventTime, ProcessId, ProcessFilePath, SrcIpAddressIpv4, DestIpAddressIpv4, SrcPort, DestPort, Initiated, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId) : 0
#define EventWriteNetworkConnection_AssumeEnabled(EventTime, ProcessId, ProcessFilePath, SrcIpAddressIpv4, DestIpAddressIpv4, SrcPort, DestPort, Initiated, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId) \
_mcgen_TEMPLATE_FOR_NetworkConnection(&JonMonProvider_Context, &NetworkConnection, EventTime, ProcessId, ProcessFilePath, SrcIpAddressIpv4, DestIpAddressIpv4, SrcPort, DestPort, Initiated, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId)
#define EventWriteNetworkConnection_ForContext(pContext, EventTime, ProcessId, ProcessFilePath, SrcIpAddressIpv4, DestIpAddressIpv4, SrcPort, DestPort, Initiated, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId) \
MCGEN_EVENT_ENABLED_FORCONTEXT(pContext, NetworkConnection) \
? _mcgen_TEMPLATE_FOR_NetworkConnection(&(pContext)->Context, &NetworkConnection, EventTime, ProcessId, ProcessFilePath, SrcIpAddressIpv4, DestIpAddressIpv4, SrcPort, DestPort, Initiated, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId) : 0
#define EventWriteNetworkConnection_ForContextAssumeEnabled(pContext, EventTime, ProcessId, ProcessFilePath, SrcIpAddressIpv4, DestIpAddressIpv4, SrcPort, DestPort, Initiated, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId) \
_mcgen_TEMPLATE_FOR_NetworkConnection(&_mcgen_CheckContextType_JonMon(pContext)->Context, &NetworkConnection, EventTime, ProcessId, ProcessFilePath, SrcIpAddressIpv4, DestIpAddressIpv4, SrcPort, DestPort, Initiated, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId)
// This macro is for use by MC-generated code and should not be used directly.
#define _mcgen_TEMPLATE_FOR_NetworkConnection _mcgen_PASTE2(McTemplateU0yqzzzhhtzqzq_, MCGEN_EVENTWRITETRANSFER)
//
// Enablement check macro for event "AMSI"
//
#define EventEnabledAMSI() _mcgen_EVENT_BIT_SET(JonMonEnableBits, 0)
#define EventEnabledAMSI_ForContext(pContext) _mcgen_EVENT_BIT_SET(_mcgen_CheckContextType_JonMon(pContext)->EnableBits, 0)
//
// Event write macros for event "AMSI"
//
#define EventWriteAMSI(EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, AppName, ContentName, ScanStatus, ScanResult, ContentSize, Content, DecodedContent) \
MCGEN_EVENT_ENABLED(AMSI) \
? _mcgen_TEMPLATE_FOR_AMSI(&JonMonProvider_Context, &AMSI, EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, AppName, ContentName, ScanStatus, ScanResult, ContentSize, Content, DecodedContent) : 0
#define EventWriteAMSI_AssumeEnabled(EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, AppName, ContentName, ScanStatus, ScanResult, ContentSize, Content, DecodedContent) \
_mcgen_TEMPLATE_FOR_AMSI(&JonMonProvider_Context, &AMSI, EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, AppName, ContentName, ScanStatus, ScanResult, ContentSize, Content, DecodedContent)
#define EventWriteAMSI_ForContext(pContext, EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, AppName, ContentName, ScanStatus, ScanResult, ContentSize, Content, DecodedContent) \
MCGEN_EVENT_ENABLED_FORCONTEXT(pContext, AMSI) \
? _mcgen_TEMPLATE_FOR_AMSI(&(pContext)->Context, &AMSI, EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, AppName, ContentName, ScanStatus, ScanResult, ContentSize, Content, DecodedContent) : 0
#define EventWriteAMSI_ForContextAssumeEnabled(pContext, EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, AppName, ContentName, ScanStatus, ScanResult, ContentSize, Content, DecodedContent) \
_mcgen_TEMPLATE_FOR_AMSI(&_mcgen_CheckContextType_JonMon(pContext)->Context, &AMSI, EventTime, ProcessFilePath, ProcessId, ProcessUser, ProcessUserLogonId, ProcessIntegrityLevel, ProcessSessionId, AppName, ContentName, ScanStatus, ScanResult, ContentSize, Content, DecodedContent)
// This macro is for use by MC-generated code and should not be used directly.
#define _mcgen_TEMPLATE_FOR_AMSI _mcgen_PASTE2(McTemplateU0yzizqzqzzuqqbr11z_, MCGEN_EVENTWRITETRANSFER)
//
// Enablement check macro for event "RemoteReadProcessMemory"
//
#define EventEnabledRemoteReadProcessMemory() _mcgen_EVENT_BIT_SET(JonMonEnableBits, 0)
#define EventEnabledRemoteReadProcessMemory_ForContext(pContext) _mcgen_EVENT_BIT_SET(_mcgen_CheckContextType_JonMon(pContext)->EnableBits, 0)
//
// Event write macros for event "RemoteReadProcessMemory"
//
#define EventWriteRemoteReadProcessMemory(EventTime_, SourceProcessFilePath, SourceProcessId, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceThreadId, TargetProcessFilePath, TargetProcessId, TargetProcessUser, TargetProcessUserLogonId, TargetProcessIntegrityLevel, TargetProcessSessionId, SourceProcessStartKey, TargetProcessStartKey) \
MCGEN_EVENT_ENABLED(RemoteReadProcessMemory) \
? _mcgen_TEMPLATE_FOR_RemoteReadProcessMemory(&JonMonProvider_Context, &RemoteReadProcessMemory, EventTime_, SourceProcessFilePath, SourceProcessId, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceThreadId, TargetProcessFilePath, TargetProcessId, TargetProcessUser, TargetProcessUserLogonId, TargetProcessIntegrityLevel, TargetProcessSessionId, SourceProcessStartKey, TargetProcessStartKey) : 0
#define EventWriteRemoteReadProcessMemory_AssumeEnabled(EventTime_, SourceProcessFilePath, SourceProcessId, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceThreadId, TargetProcessFilePath, TargetProcessId, TargetProcessUser, TargetProcessUserLogonId, TargetProcessIntegrityLevel, TargetProcessSessionId, SourceProcessStartKey, TargetProcessStartKey) \
_mcgen_TEMPLATE_FOR_RemoteReadProcessMemory(&JonMonProvider_Context, &RemoteReadProcessMemory, EventTime_, SourceProcessFilePath, SourceProcessId, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceThreadId, TargetProcessFilePath, TargetProcessId, TargetProcessUser, TargetProcessUserLogonId, TargetProcessIntegrityLevel, TargetProcessSessionId, SourceProcessStartKey, TargetProcessStartKey)
#define EventWriteRemoteReadProcessMemory_ForContext(pContext, EventTime_, SourceProcessFilePath, SourceProcessId, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceThreadId, TargetProcessFilePath, TargetProcessId, TargetProcessUser, TargetProcessUserLogonId, TargetProcessIntegrityLevel, TargetProcessSessionId, SourceProcessStartKey, TargetProcessStartKey) \
MCGEN_EVENT_ENABLED_FORCONTEXT(pContext, RemoteReadProcessMemory) \
? _mcgen_TEMPLATE_FOR_RemoteReadProcessMemory(&(pContext)->Context, &RemoteReadProcessMemory, EventTime_, SourceProcessFilePath, SourceProcessId, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceThreadId, TargetProcessFilePath, TargetProcessId, TargetProcessUser, TargetProcessUserLogonId, TargetProcessIntegrityLevel, TargetProcessSessionId, SourceProcessStartKey, TargetProcessStartKey) : 0
#define EventWriteRemoteReadProcessMemory_ForContextAssumeEnabled(pContext, EventTime_, SourceProcessFilePath, SourceProcessId, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceThreadId, TargetProcessFilePath, TargetProcessId, TargetProcessUser, TargetProcessUserLogonId, TargetProcessIntegrityLevel, TargetProcessSessionId, SourceProcessStartKey, TargetProcessStartKey) \
_mcgen_TEMPLATE_FOR_RemoteReadProcessMemory(&_mcgen_CheckContextType_JonMon(pContext)->Context, &RemoteReadProcessMemory, EventTime_, SourceProcessFilePath, SourceProcessId, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceThreadId, TargetProcessFilePath, TargetProcessId, TargetProcessUser, TargetProcessUserLogonId, TargetProcessIntegrityLevel, TargetProcessSessionId, SourceProcessStartKey, TargetProcessStartKey)
// This macro is for use by MC-generated code and should not be used directly.
#define _mcgen_TEMPLATE_FOR_RemoteReadProcessMemory _mcgen_PASTE2(McTemplateU0yzizqzqqzizqzqxx_, MCGEN_EVENTWRITETRANSFER)
//
// Enablement check macro for event "RemoteWriteProcessMemory"
//
#define EventEnabledRemoteWriteProcessMemory() _mcgen_EVENT_BIT_SET(JonMonEnableBits, 0)
#define EventEnabledRemoteWriteProcessMemory_ForContext(pContext) _mcgen_EVENT_BIT_SET(_mcgen_CheckContextType_JonMon(pContext)->EnableBits, 0)
//
// Event write macros for event "RemoteWriteProcessMemory"
//
#define EventWriteRemoteWriteProcessMemory(EventTime_, SourceProcessFilePath, SourceProcessId, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceThreadId, TargetProcessFilePath, TargetProcessId, TargetProcessUser, TargetProcessUserLogonId, TargetProcessIntegrityLevel, TargetProcessSessionId, SourceProcessStartKey, TargetProcessStartKey) \
MCGEN_EVENT_ENABLED(RemoteWriteProcessMemory) \
? _mcgen_TEMPLATE_FOR_RemoteWriteProcessMemory(&JonMonProvider_Context, &RemoteWriteProcessMemory, EventTime_, SourceProcessFilePath, SourceProcessId, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceThreadId, TargetProcessFilePath, TargetProcessId, TargetProcessUser, TargetProcessUserLogonId, TargetProcessIntegrityLevel, TargetProcessSessionId, SourceProcessStartKey, TargetProcessStartKey) : 0
#define EventWriteRemoteWriteProcessMemory_AssumeEnabled(EventTime_, SourceProcessFilePath, SourceProcessId, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceThreadId, TargetProcessFilePath, TargetProcessId, TargetProcessUser, TargetProcessUserLogonId, TargetProcessIntegrityLevel, TargetProcessSessionId, SourceProcessStartKey, TargetProcessStartKey) \
_mcgen_TEMPLATE_FOR_RemoteWriteProcessMemory(&JonMonProvider_Context, &RemoteWriteProcessMemory, EventTime_, SourceProcessFilePath, SourceProcessId, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceThreadId, TargetProcessFilePath, TargetProcessId, TargetProcessUser, TargetProcessUserLogonId, TargetProcessIntegrityLevel, TargetProcessSessionId, SourceProcessStartKey, TargetProcessStartKey)
#define EventWriteRemoteWriteProcessMemory_ForContext(pContext, EventTime_, SourceProcessFilePath, SourceProcessId, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceThreadId, TargetProcessFilePath, TargetProcessId, TargetProcessUser, TargetProcessUserLogonId, TargetProcessIntegrityLevel, TargetProcessSessionId, SourceProcessStartKey, TargetProcessStartKey) \
MCGEN_EVENT_ENABLED_FORCONTEXT(pContext, RemoteWriteProcessMemory) \
? _mcgen_TEMPLATE_FOR_RemoteWriteProcessMemory(&(pContext)->Context, &RemoteWriteProcessMemory, EventTime_, SourceProcessFilePath, SourceProcessId, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceThreadId, TargetProcessFilePath, TargetProcessId, TargetProcessUser, TargetProcessUserLogonId, TargetProcessIntegrityLevel, TargetProcessSessionId, SourceProcessStartKey, TargetProcessStartKey) : 0
#define EventWriteRemoteWriteProcessMemory_ForContextAssumeEnabled(pContext, EventTime_, SourceProcessFilePath, SourceProcessId, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceThreadId, TargetProcessFilePath, TargetProcessId, TargetProcessUser, TargetProcessUserLogonId, TargetProcessIntegrityLevel, TargetProcessSessionId, SourceProcessStartKey, TargetProcessStartKey) \
_mcgen_TEMPLATE_FOR_RemoteWriteProcessMemory(&_mcgen_CheckContextType_JonMon(pContext)->Context, &RemoteWriteProcessMemory, EventTime_, SourceProcessFilePath, SourceProcessId, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceThreadId, TargetProcessFilePath, TargetProcessId, TargetProcessUser, TargetProcessUserLogonId, TargetProcessIntegrityLevel, TargetProcessSessionId, SourceProcessStartKey, TargetProcessStartKey)
// This macro is for use by MC-generated code and should not be used directly.
#define _mcgen_TEMPLATE_FOR_RemoteWriteProcessMemory _mcgen_PASTE2(McTemplateU0yzizqzqqzizqzqxx_, MCGEN_EVENTWRITETRANSFER)
//
// Enablement check macro for event "RemoteVirtualAllocation"
//
#define EventEnabledRemoteVirtualAllocation() _mcgen_EVENT_BIT_SET(JonMonEnableBits, 0)
#define EventEnabledRemoteVirtualAllocation_ForContext(pContext) _mcgen_EVENT_BIT_SET(_mcgen_CheckContextType_JonMon(pContext)->EnableBits, 0)
//
// Event write macros for event "RemoteVirtualAllocation"
//
#define EventWriteRemoteVirtualAllocation(EventTime_, SourceProcessFilePath, SourceProcessId, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceThreadId, TargetProcessFilePath, TargetProcessId, TargetProcessUser, TargetProcessUserLogonId, TargetProcessIntegrityLevel, TargetProcessSessionId, SourceProcessStartKey, TargetProcessStartKey, BaseAddress) \
MCGEN_EVENT_ENABLED(RemoteVirtualAllocation) \
? _mcgen_TEMPLATE_FOR_RemoteVirtualAllocation(&JonMonProvider_Context, &RemoteVirtualAllocation, EventTime_, SourceProcessFilePath, SourceProcessId, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceThreadId, TargetProcessFilePath, TargetProcessId, TargetProcessUser, TargetProcessUserLogonId, TargetProcessIntegrityLevel, TargetProcessSessionId, SourceProcessStartKey, TargetProcessStartKey, BaseAddress) : 0
#define EventWriteRemoteVirtualAllocation_AssumeEnabled(EventTime_, SourceProcessFilePath, SourceProcessId, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceThreadId, TargetProcessFilePath, TargetProcessId, TargetProcessUser, TargetProcessUserLogonId, TargetProcessIntegrityLevel, TargetProcessSessionId, SourceProcessStartKey, TargetProcessStartKey, BaseAddress) \
_mcgen_TEMPLATE_FOR_RemoteVirtualAllocation(&JonMonProvider_Context, &RemoteVirtualAllocation, EventTime_, SourceProcessFilePath, SourceProcessId, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceThreadId, TargetProcessFilePath, TargetProcessId, TargetProcessUser, TargetProcessUserLogonId, TargetProcessIntegrityLevel, TargetProcessSessionId, SourceProcessStartKey, TargetProcessStartKey, BaseAddress)
#define EventWriteRemoteVirtualAllocation_ForContext(pContext, EventTime_, SourceProcessFilePath, SourceProcessId, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceThreadId, TargetProcessFilePath, TargetProcessId, TargetProcessUser, TargetProcessUserLogonId, TargetProcessIntegrityLevel, TargetProcessSessionId, SourceProcessStartKey, TargetProcessStartKey, BaseAddress) \
MCGEN_EVENT_ENABLED_FORCONTEXT(pContext, RemoteVirtualAllocation) \
? _mcgen_TEMPLATE_FOR_RemoteVirtualAllocation(&(pContext)->Context, &RemoteVirtualAllocation, EventTime_, SourceProcessFilePath, SourceProcessId, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceThreadId, TargetProcessFilePath, TargetProcessId, TargetProcessUser, TargetProcessUserLogonId, TargetProcessIntegrityLevel, TargetProcessSessionId, SourceProcessStartKey, TargetProcessStartKey, BaseAddress) : 0
#define EventWriteRemoteVirtualAllocation_ForContextAssumeEnabled(pContext, EventTime_, SourceProcessFilePath, SourceProcessId, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceThreadId, TargetProcessFilePath, TargetProcessId, TargetProcessUser, TargetProcessUserLogonId, TargetProcessIntegrityLevel, TargetProcessSessionId, SourceProcessStartKey, TargetProcessStartKey, BaseAddress) \
_mcgen_TEMPLATE_FOR_RemoteVirtualAllocation(&_mcgen_CheckContextType_JonMon(pContext)->Context, &RemoteVirtualAllocation, EventTime_, SourceProcessFilePath, SourceProcessId, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceThreadId, TargetProcessFilePath, TargetProcessId, TargetProcessUser, TargetProcessUserLogonId, TargetProcessIntegrityLevel, TargetProcessSessionId, SourceProcessStartKey, TargetProcessStartKey, BaseAddress)
// This macro is for use by MC-generated code and should not be used directly.
#define _mcgen_TEMPLATE_FOR_RemoteVirtualAllocation _mcgen_PASTE2(McTemplateU0yzizqzqqzizqzqxxx_, MCGEN_EVENTWRITETRANSFER)
//
// Enablement check macro for event "RemoteQueueUserAPC"
//
#define EventEnabledRemoteQueueUserAPC() _mcgen_EVENT_BIT_SET(JonMonEnableBits, 0)
#define EventEnabledRemoteQueueUserAPC_ForContext(pContext) _mcgen_EVENT_BIT_SET(_mcgen_CheckContextType_JonMon(pContext)->EnableBits, 0)
//
// Event write macros for event "RemoteQueueUserAPC"
//
#define EventWriteRemoteQueueUserAPC(EventTime_, SourceProcessFilePath, SourceProcessId, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceThreadId, TargetProcessFilePath, TargetProcessId, TargetProcessUser, TargetProcessUserLogonId, TargetProcessIntegrityLevel, TargetProcessSessionId, SourceProcessStartKey, TargetProcessStartKey, ApcRoutine, ApcArgument1, ApcArgument2, ApcArgument3) \
MCGEN_EVENT_ENABLED(RemoteQueueUserAPC) \
? _mcgen_TEMPLATE_FOR_RemoteQueueUserAPC(&JonMonProvider_Context, &RemoteQueueUserAPC, EventTime_, SourceProcessFilePath, SourceProcessId, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceThreadId, TargetProcessFilePath, TargetProcessId, TargetProcessUser, TargetProcessUserLogonId, TargetProcessIntegrityLevel, TargetProcessSessionId, SourceProcessStartKey, TargetProcessStartKey, ApcRoutine, ApcArgument1, ApcArgument2, ApcArgument3) : 0
#define EventWriteRemoteQueueUserAPC_AssumeEnabled(EventTime_, SourceProcessFilePath, SourceProcessId, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceThreadId, TargetProcessFilePath, TargetProcessId, TargetProcessUser, TargetProcessUserLogonId, TargetProcessIntegrityLevel, TargetProcessSessionId, SourceProcessStartKey, TargetProcessStartKey, ApcRoutine, ApcArgument1, ApcArgument2, ApcArgument3) \
_mcgen_TEMPLATE_FOR_RemoteQueueUserAPC(&JonMonProvider_Context, &RemoteQueueUserAPC, EventTime_, SourceProcessFilePath, SourceProcessId, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceThreadId, TargetProcessFilePath, TargetProcessId, TargetProcessUser, TargetProcessUserLogonId, TargetProcessIntegrityLevel, TargetProcessSessionId, SourceProcessStartKey, TargetProcessStartKey, ApcRoutine, ApcArgument1, ApcArgument2, ApcArgument3)
#define EventWriteRemoteQueueUserAPC_ForContext(pContext, EventTime_, SourceProcessFilePath, SourceProcessId, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceThreadId, TargetProcessFilePath, TargetProcessId, TargetProcessUser, TargetProcessUserLogonId, TargetProcessIntegrityLevel, TargetProcessSessionId, SourceProcessStartKey, TargetProcessStartKey, ApcRoutine, ApcArgument1, ApcArgument2, ApcArgument3) \
MCGEN_EVENT_ENABLED_FORCONTEXT(pContext, RemoteQueueUserAPC) \
? _mcgen_TEMPLATE_FOR_RemoteQueueUserAPC(&(pContext)->Context, &RemoteQueueUserAPC, EventTime_, SourceProcessFilePath, SourceProcessId, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceThreadId, TargetProcessFilePath, TargetProcessId, TargetProcessUser, TargetProcessUserLogonId, TargetProcessIntegrityLevel, TargetProcessSessionId, SourceProcessStartKey, TargetProcessStartKey, ApcRoutine, ApcArgument1, ApcArgument2, ApcArgument3) : 0
#define EventWriteRemoteQueueUserAPC_ForContextAssumeEnabled(pContext, EventTime_, SourceProcessFilePath, SourceProcessId, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceThreadId, TargetProcessFilePath, TargetProcessId, TargetProcessUser, TargetProcessUserLogonId, TargetProcessIntegrityLevel, TargetProcessSessionId, SourceProcessStartKey, TargetProcessStartKey, ApcRoutine, ApcArgument1, ApcArgument2, ApcArgument3) \
_mcgen_TEMPLATE_FOR_RemoteQueueUserAPC(&_mcgen_CheckContextType_JonMon(pContext)->Context, &RemoteQueueUserAPC, EventTime_, SourceProcessFilePath, SourceProcessId, SourceProcessUser, SourceProcessUserLogonId, SourceProcessIntegrityLevel, SourceProcessSessionId, SourceThreadId, TargetProcessFilePath, TargetProcessId, TargetProcessUser, TargetProcessUserLogonId, TargetProcessIntegrityLevel, TargetProcessSessionId, SourceProcessStartKey, TargetProcessStartKey, ApcRoutine, ApcArgument1, ApcArgument2, ApcArgument3)
// This macro is for use by MC-generated code and should not be used directly.
#define _mcgen_TEMPLATE_FOR_RemoteQueueUserAPC _mcgen_PASTE2(McTemplateU0yzizqzqqzizqzqxxxxxx_, MCGEN_EVENTWRITETRANSFER)
//
// Enablement check macro for event "QueryTokenImpersonation"
//
#define EventEnabledQueryTokenImpersonation() _mcgen_EVENT_BIT_SET(JonMonEnableBits, 0)
#define EventEnabledQueryTokenImpersonation_ForContext(pContext) _mcgen_EVENT_BIT_SET(_mcgen_CheckContextType_JonMon(pContext)->EnableBits, 0)
//
// Event write macros for event "QueryTokenImpersonation"
//
#define EventWriteQueryTokenImpersonation(EventTime_, ProcessFilePath, ProcessId, ProcessUserName, ProcessUserLogonId, ProcessIntegrityLevel, TargetThreadId, TargetThreadIntegrityLevel, TargetThreadUserName) \
MCGEN_EVENT_ENABLED(QueryTokenImpersonation) \
? _mcgen_TEMPLATE_FOR_QueryTokenImpersonation(&JonMonProvider_Context, &QueryTokenImpersonation, EventTime_, ProcessFilePath, ProcessId, ProcessUserName, ProcessUserLogonId, ProcessIntegrityLevel, TargetThreadId, TargetThreadIntegrityLevel, TargetThreadUserName) : 0
#define EventWriteQueryTokenImpersonation_AssumeEnabled(EventTime_, ProcessFilePath, ProcessId, ProcessUserName, ProcessUserLogonId, ProcessIntegrityLevel, TargetThreadId, TargetThreadIntegrityLevel, TargetThreadUserName) \
_mcgen_TEMPLATE_FOR_QueryTokenImpersonation(&JonMonProvider_Context, &QueryTokenImpersonation, EventTime_, ProcessFilePath, ProcessId, ProcessUserName, ProcessUserLogonId, ProcessIntegrityLevel, TargetThreadId, TargetThreadIntegrityLevel, TargetThreadUserName)
#define EventWriteQueryTokenImpersonation_ForContext(pContext, EventTime_, ProcessFilePath, ProcessId, ProcessUserName, ProcessUserLogonId, ProcessIntegrityLevel, TargetThreadId, TargetThreadIntegrityLevel, TargetThreadUserName) \
MCGEN_EVENT_ENABLED_FORCONTEXT(pContext, QueryTokenImpersonation) \
? _mcgen_TEMPLATE_FOR_QueryTokenImpersonation(&(pContext)->Context, &QueryTokenImpersonation, EventTime_, ProcessFilePath, ProcessId, ProcessUserName, ProcessUserLogonId, ProcessIntegrityLevel, TargetThreadId, TargetThreadIntegrityLevel, TargetThreadUserName) : 0
#define EventWriteQueryTokenImpersonation_ForContextAssumeEnabled(pContext, EventTime_, ProcessFilePath, ProcessId, ProcessUserName, ProcessUserLogonId, ProcessIntegrityLevel, TargetThreadId, TargetThreadIntegrityLevel, TargetThreadUserName) \
_mcgen_TEMPLATE_FOR_QueryTokenImpersonation(&_mcgen_CheckContextType_JonMon(pContext)->Context, &QueryTokenImpersonation, EventTime_, ProcessFilePath, ProcessId, ProcessUserName, ProcessUserLogonId, ProcessIntegrityLevel, TargetThreadId, TargetThreadIntegrityLevel, TargetThreadUserName)
// This macro is for use by MC-generated code and should not be used directly.
#define _mcgen_TEMPLATE_FOR_QueryTokenImpersonation _mcgen_PASTE2(McTemplateU0yzqzqzqzz_, MCGEN_EVENTWRITETRANSFER)
//
// Enablement check macro for event "DebugLog102"
//
#define EventEnabledDebugLog102() _mcgen_EVENT_BIT_SET(JonMonEnableBits, 0)
#define EventEnabledDebugLog102_ForContext(pContext) _mcgen_EVENT_BIT_SET(_mcgen_CheckContextType_JonMon(pContext)->EnableBits, 0)
//
// Event write macros for event "DebugLog102"
//
#define EventWriteDebugLog102(EventId, ProtectionLevel) \
MCGEN_EVENT_ENABLED(DebugLog102) \
? _mcgen_TEMPLATE_FOR_DebugLog102(&JonMonProvider_Context, &DebugLog102, EventId, ProtectionLevel) : 0
#define EventWriteDebugLog102_AssumeEnabled(EventId, ProtectionLevel) \
_mcgen_TEMPLATE_FOR_DebugLog102(&JonMonProvider_Context, &DebugLog102, EventId, ProtectionLevel)
#define EventWriteDebugLog102_ForContext(pContext, EventId, ProtectionLevel) \
MCGEN_EVENT_ENABLED_FORCONTEXT(pContext, DebugLog102) \
? _mcgen_TEMPLATE_FOR_DebugLog102(&(pContext)->Context, &DebugLog102, EventId, ProtectionLevel) : 0
#define EventWriteDebugLog102_ForContextAssumeEnabled(pContext, EventId, ProtectionLevel) \
_mcgen_TEMPLATE_FOR_DebugLog102(&_mcgen_CheckContextType_JonMon(pContext)->Context, &DebugLog102, EventId, ProtectionLevel)
// This macro is for use by MC-generated code and should not be used directly.
#define _mcgen_TEMPLATE_FOR_DebugLog102 _mcgen_PASTE2(McTemplateU0dt_, MCGEN_EVENTWRITETRANSFER)
#endif // MCGEN_DISABLE_PROVIDER_CODE_GENERATION
//
// MCGEN_DISABLE_PROVIDER_CODE_GENERATION macro:
// Define this macro to have the compiler skip the generated functions in this
// header.
//
#ifndef MCGEN_DISABLE_PROVIDER_CODE_GENERATION
//
// Template Functions
//
//
// Function for template "EID102" (and possibly others).
// This function is for use by MC-generated code and should not be used directly.
//
#ifndef McTemplateU0dt_def
#define McTemplateU0dt_def
ETW_INLINE
ULONG
_mcgen_PASTE2(McTemplateU0dt_, MCGEN_EVENTWRITETRANSFER)(
_In_ PMCGEN_TRACE_CONTEXT Context,
_In_ PCEVENT_DESCRIPTOR Descriptor,
_In_ const signed int _Arg0,
_In_ const signed int _Arg1
)
{
#define McTemplateU0dt_ARGCOUNT 2
EVENT_DATA_DESCRIPTOR EventData[McTemplateU0dt_ARGCOUNT + 1];
EventDataDescCreate(&EventData[1],&_Arg0, sizeof(const signed int) );
EventDataDescCreate(&EventData[2],&_Arg1, sizeof(const signed int) );
return McGenEventWrite(Context, Descriptor, NULL, McTemplateU0dt_ARGCOUNT + 1, EventData);
}
#endif // McTemplateU0dt_def
//
// Function for template "EID1" (and possibly others).
// This function is for use by MC-generated code and should not be used directly.
//
#ifndef McTemplateU0yiiiizzqzqqzziizqqzqqt_def
#define McTemplateU0yiiiizzqzqqzziizqqzqqt_def
ETW_INLINE
ULONG
_mcgen_PASTE2(McTemplateU0yiiiizzqzqqzziizqqzqqt_, MCGEN_EVENTWRITETRANSFER)(
_In_ PMCGEN_TRACE_CONTEXT Context,
_In_ PCEVENT_DESCRIPTOR Descriptor,
_In_ const SYSTEMTIME* _Arg0,
_In_ const signed __int64 _Arg1,
_In_ const signed __int64 _Arg2,
_In_ const signed __int64 _Arg3,
_In_ const signed __int64 _Arg4,
_In_opt_ PCWSTR _Arg5,
_In_opt_ PCWSTR _Arg6,
_In_ const unsigned int _Arg7,
_In_opt_ PCWSTR _Arg8,
_In_ const unsigned int _Arg9,
_In_ const unsigned int _Arg10,
_In_opt_ PCWSTR _Arg11,
_In_opt_ PCWSTR _Arg12,
_In_ const signed __int64 _Arg13,
_In_ const signed __int64 _Arg14,
_In_opt_ PCWSTR _Arg15,
_In_ const unsigned int _Arg16,
_In_ const unsigned int _Arg17,
_In_opt_ PCWSTR _Arg18,
_In_ const unsigned int _Arg19,
_In_ const unsigned int _Arg20,
_In_ const signed int _Arg21
)
{
#define McTemplateU0yiiiizzqzqqzziizqqzqqt_ARGCOUNT 22
EVENT_DATA_DESCRIPTOR EventData[McTemplateU0yiiiizzqzqqzziizqqzqqt_ARGCOUNT + 1];
EventDataDescCreate(&EventData[1],_Arg0, sizeof(SYSTEMTIME) );
EventDataDescCreate(&EventData[2],&_Arg1, sizeof(const signed __int64) );
EventDataDescCreate(&EventData[3],&_Arg2, sizeof(const signed __int64) );
EventDataDescCreate(&EventData[4],&_Arg3, sizeof(const signed __int64) );
EventDataDescCreate(&EventData[5],&_Arg4, sizeof(const signed __int64) );
EventDataDescCreate(&EventData[6],
(_Arg5 != NULL) ? _Arg5 : L"NULL",
(_Arg5 != NULL) ? (ULONG)((wcslen(_Arg5) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[7],
(_Arg6 != NULL) ? _Arg6 : L"NULL",
(_Arg6 != NULL) ? (ULONG)((wcslen(_Arg6) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[8],&_Arg7, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[9],
(_Arg8 != NULL) ? _Arg8 : L"NULL",
(_Arg8 != NULL) ? (ULONG)((wcslen(_Arg8) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[10],&_Arg9, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[11],&_Arg10, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[12],
(_Arg11 != NULL) ? _Arg11 : L"NULL",
(_Arg11 != NULL) ? (ULONG)((wcslen(_Arg11) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[13],
(_Arg12 != NULL) ? _Arg12 : L"NULL",
(_Arg12 != NULL) ? (ULONG)((wcslen(_Arg12) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[14],&_Arg13, sizeof(const signed __int64) );
EventDataDescCreate(&EventData[15],&_Arg14, sizeof(const signed __int64) );
EventDataDescCreate(&EventData[16],
(_Arg15 != NULL) ? _Arg15 : L"NULL",
(_Arg15 != NULL) ? (ULONG)((wcslen(_Arg15) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[17],&_Arg16, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[18],&_Arg17, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[19],
(_Arg18 != NULL) ? _Arg18 : L"NULL",
(_Arg18 != NULL) ? (ULONG)((wcslen(_Arg18) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[20],&_Arg19, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[21],&_Arg20, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[22],&_Arg21, sizeof(const signed int) );
return McGenEventWrite(Context, Descriptor, NULL, McTemplateU0yiiiizzqzqqzziizqqzqqt_ARGCOUNT + 1, EventData);
}
#endif // McTemplateU0yiiiizzqzqqzziizqqzqqt_def
//
// Function for template "EID5" (and possibly others).
// This function is for use by MC-generated code and should not be used directly.
//
#ifndef McTemplateU0yiiizzqzqqiizzqqzqqdd_def
#define McTemplateU0yiiizzqzqqiizzqqzqqdd_def
ETW_INLINE
ULONG
_mcgen_PASTE2(McTemplateU0yiiizzqzqqiizzqqzqqdd_, MCGEN_EVENTWRITETRANSFER)(
_In_ PMCGEN_TRACE_CONTEXT Context,
_In_ PCEVENT_DESCRIPTOR Descriptor,
_In_ const SYSTEMTIME* _Arg0,
_In_ const signed __int64 _Arg1,
_In_ const signed __int64 _Arg2,
_In_ const signed __int64 _Arg3,
_In_opt_ PCWSTR _Arg4,
_In_opt_ PCWSTR _Arg5,
_In_ const unsigned int _Arg6,
_In_opt_ PCWSTR _Arg7,
_In_ const unsigned int _Arg8,
_In_ const unsigned int _Arg9,
_In_ const signed __int64 _Arg10,
_In_ const signed __int64 _Arg11,
_In_opt_ PCWSTR _Arg12,
_In_opt_ PCWSTR _Arg13,
_In_ const unsigned int _Arg14,
_In_ const unsigned int _Arg15,
_In_opt_ PCWSTR _Arg16,
_In_ const unsigned int _Arg17,
_In_ const unsigned int _Arg18,
_In_ const signed int _Arg19,
_In_ const signed int _Arg20
)
{
#define McTemplateU0yiiizzqzqqiizzqqzqqdd_ARGCOUNT 21
EVENT_DATA_DESCRIPTOR EventData[McTemplateU0yiiizzqzqqiizzqqzqqdd_ARGCOUNT + 1];
EventDataDescCreate(&EventData[1],_Arg0, sizeof(SYSTEMTIME) );
EventDataDescCreate(&EventData[2],&_Arg1, sizeof(const signed __int64) );
EventDataDescCreate(&EventData[3],&_Arg2, sizeof(const signed __int64) );
EventDataDescCreate(&EventData[4],&_Arg3, sizeof(const signed __int64) );
EventDataDescCreate(&EventData[5],
(_Arg4 != NULL) ? _Arg4 : L"NULL",
(_Arg4 != NULL) ? (ULONG)((wcslen(_Arg4) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[6],
(_Arg5 != NULL) ? _Arg5 : L"NULL",
(_Arg5 != NULL) ? (ULONG)((wcslen(_Arg5) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[7],&_Arg6, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[8],
(_Arg7 != NULL) ? _Arg7 : L"NULL",
(_Arg7 != NULL) ? (ULONG)((wcslen(_Arg7) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[9],&_Arg8, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[10],&_Arg9, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[11],&_Arg10, sizeof(const signed __int64) );
EventDataDescCreate(&EventData[12],&_Arg11, sizeof(const signed __int64) );
EventDataDescCreate(&EventData[13],
(_Arg12 != NULL) ? _Arg12 : L"NULL",
(_Arg12 != NULL) ? (ULONG)((wcslen(_Arg12) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[14],
(_Arg13 != NULL) ? _Arg13 : L"NULL",
(_Arg13 != NULL) ? (ULONG)((wcslen(_Arg13) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[15],&_Arg14, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[16],&_Arg15, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[17],
(_Arg16 != NULL) ? _Arg16 : L"NULL",
(_Arg16 != NULL) ? (ULONG)((wcslen(_Arg16) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[18],&_Arg17, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[19],&_Arg18, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[20],&_Arg19, sizeof(const signed int) );
EventDataDescCreate(&EventData[21],&_Arg20, sizeof(const signed int) );
return McGenEventWrite(Context, Descriptor, NULL, McTemplateU0yiiizzqzqqiizzqqzqqdd_ARGCOUNT + 1, EventData);
}
#endif // McTemplateU0yiiizzqzqqiizzqqzqqdd_def
//
// Function for template "EID3" (and possibly others).
// This function is for use by MC-generated code and should not be used directly.
//
#ifndef McTemplateU0yiiizzqzqqziiizqqzq_def
#define McTemplateU0yiiizzqzqqziiizqqzq_def
ETW_INLINE
ULONG
_mcgen_PASTE2(McTemplateU0yiiizzqzqqziiizqqzq_, MCGEN_EVENTWRITETRANSFER)(
_In_ PMCGEN_TRACE_CONTEXT Context,
_In_ PCEVENT_DESCRIPTOR Descriptor,
_In_ const SYSTEMTIME* _Arg0,
_In_ const signed __int64 _Arg1,
_In_ const signed __int64 _Arg2,
_In_ const signed __int64 _Arg3,
_In_opt_ PCWSTR _Arg4,
_In_opt_ PCWSTR _Arg5,
_In_ const unsigned int _Arg6,
_In_opt_ PCWSTR _Arg7,
_In_ const unsigned int _Arg8,
_In_ const unsigned int _Arg9,
_In_opt_ PCWSTR _Arg10,
_In_ const signed __int64 _Arg11,
_In_ const signed __int64 _Arg12,
_In_ const signed __int64 _Arg13,
_In_opt_ PCWSTR _Arg14,
_In_ const unsigned int _Arg15,
_In_ const unsigned int _Arg16,
_In_opt_ PCWSTR _Arg17,
_In_ const unsigned int _Arg18
)
{
#define McTemplateU0yiiizzqzqqziiizqqzq_ARGCOUNT 19
EVENT_DATA_DESCRIPTOR EventData[McTemplateU0yiiizzqzqqziiizqqzq_ARGCOUNT + 1];
EventDataDescCreate(&EventData[1],_Arg0, sizeof(SYSTEMTIME) );
EventDataDescCreate(&EventData[2],&_Arg1, sizeof(const signed __int64) );
EventDataDescCreate(&EventData[3],&_Arg2, sizeof(const signed __int64) );
EventDataDescCreate(&EventData[4],&_Arg3, sizeof(const signed __int64) );
EventDataDescCreate(&EventData[5],
(_Arg4 != NULL) ? _Arg4 : L"NULL",
(_Arg4 != NULL) ? (ULONG)((wcslen(_Arg4) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[6],
(_Arg5 != NULL) ? _Arg5 : L"NULL",
(_Arg5 != NULL) ? (ULONG)((wcslen(_Arg5) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[7],&_Arg6, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[8],
(_Arg7 != NULL) ? _Arg7 : L"NULL",
(_Arg7 != NULL) ? (ULONG)((wcslen(_Arg7) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[9],&_Arg8, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[10],&_Arg9, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[11],
(_Arg10 != NULL) ? _Arg10 : L"NULL",
(_Arg10 != NULL) ? (ULONG)((wcslen(_Arg10) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[12],&_Arg11, sizeof(const signed __int64) );
EventDataDescCreate(&EventData[13],&_Arg12, sizeof(const signed __int64) );
EventDataDescCreate(&EventData[14],&_Arg13, sizeof(const signed __int64) );
EventDataDescCreate(&EventData[15],
(_Arg14 != NULL) ? _Arg14 : L"NULL",
(_Arg14 != NULL) ? (ULONG)((wcslen(_Arg14) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[16],&_Arg15, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[17],&_Arg16, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[18],
(_Arg17 != NULL) ? _Arg17 : L"NULL",
(_Arg17 != NULL) ? (ULONG)((wcslen(_Arg17) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[19],&_Arg18, sizeof(const unsigned int) );
return McGenEventWrite(Context, Descriptor, NULL, McTemplateU0yiiizzqzqqziiizqqzq_ARGCOUNT + 1, EventData);
}
#endif // McTemplateU0yiiizzqzqqziiizqqzq_def
//
// Function for template "EID2" (and possibly others).
// This function is for use by MC-generated code and should not be used directly.
//
#ifndef McTemplateU0yiizi_def
#define McTemplateU0yiizi_def
ETW_INLINE
ULONG
_mcgen_PASTE2(McTemplateU0yiizi_, MCGEN_EVENTWRITETRANSFER)(
_In_ PMCGEN_TRACE_CONTEXT Context,
_In_ PCEVENT_DESCRIPTOR Descriptor,
_In_ const SYSTEMTIME* _Arg0,
_In_ const signed __int64 _Arg1,
_In_ const signed __int64 _Arg2,
_In_opt_ PCWSTR _Arg3,
_In_ const signed __int64 _Arg4
)
{
#define McTemplateU0yiizi_ARGCOUNT 5
EVENT_DATA_DESCRIPTOR EventData[McTemplateU0yiizi_ARGCOUNT + 1];
EventDataDescCreate(&EventData[1],_Arg0, sizeof(SYSTEMTIME) );
EventDataDescCreate(&EventData[2],&_Arg1, sizeof(const signed __int64) );
EventDataDescCreate(&EventData[3],&_Arg2, sizeof(const signed __int64) );
EventDataDescCreate(&EventData[4],
(_Arg3 != NULL) ? _Arg3 : L"NULL",
(_Arg3 != NULL) ? (ULONG)((wcslen(_Arg3) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[5],&_Arg4, sizeof(const signed __int64) );
return McGenEventWrite(Context, Descriptor, NULL, McTemplateU0yiizi_ARGCOUNT + 1, EventData);
}
#endif // McTemplateU0yiizi_def
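//
// Added example (not MC-generated code and not part of JonMon): a portable C model of
// what a template function such as McTemplateU0yiizi_ above actually produces on the
// wire, and of how a consumer that reads the raw UserData of a JonMon event (for example
// a detection pipeline without the manifest) has to walk the fields back out. The type
// sequence SYSTEMTIME, int64, int64, wide string, int64 is taken from the EID2 template;
// the field names a1/a2/s3/a4 are placeholders, the SYSTEMTIME struct is redeclared and
// WCHAR is modelled as uint16_t so the file builds on non-Windows hosts. It reproduces
// the generated NULL -> L"NULL" substitution and adds the bounds checks a consumer needs.
//

```c
/* Portable model of an MC-generated template function and its consumer-side decoder.
 * Added example, not JonMon code. WCHAR is modelled as uint16_t (always 2 bytes). */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {                      /* same layout as the Win32 SYSTEMTIME: 8 x WORD */
    uint16_t wYear, wMonth, wDayOfWeek, wDay, wHour, wMinute, wSecond, wMilliseconds;
} SYSTEMTIME;

typedef struct { const void *ptr; uint32_t size; } DATA_DESC; /* stands in for EVENT_DATA_DESCRIPTOR */

static const uint16_t NULL_STR[] = { 'N', 'U', 'L', 'L', 0 };

static size_t u16len(const uint16_t *s) { size_t n = 0; while (s[n]) n++; return n; }

/* Mirrors the _In_opt_ PCWSTR handling in the generated code: a NULL pointer is
 * emitted as the literal string "NULL" (with terminator), never as an empty field. */
static void desc_wstr(DATA_DESC *d, const uint16_t *s)
{
    d->ptr  = s ? s : NULL_STR;
    d->size = (uint32_t)((s ? u16len(s) + 1 : 5) * sizeof(uint16_t));
}

/* Template "U0yiizi": SYSTEMTIME, int64, int64, wide string, int64.
 * Returns the number of UserData bytes written, 0 if the buffer is too small. */
#define EID2_ARGCOUNT 5
static size_t pack_eid2(uint8_t *out, size_t cap, const SYSTEMTIME *t,
                        int64_t a1, int64_t a2, const uint16_t *s3, int64_t a4)
{
    DATA_DESC d[EID2_ARGCOUNT];
    d[0].ptr = t;   d[0].size = sizeof *t;
    d[1].ptr = &a1; d[1].size = sizeof a1;
    d[2].ptr = &a2; d[2].size = sizeof a2;
    desc_wstr(&d[3], s3);
    d[4].ptr = &a4; d[4].size = sizeof a4;

    /* EventWrite copies the descriptor payloads into the event in order, with no
     * padding; that contiguous blob is what a consumer sees as UserData. */
    size_t off = 0;
    for (int i = 0; i < EID2_ARGCOUNT; i++) {
        if (off + d[i].size > cap) return 0;
        memcpy(out + off, d[i].ptr, d[i].size);
        off += d[i].size;
    }
    return off;
}

typedef struct { SYSTEMTIME t; int64_t a1, a2, a4; uint16_t s3[64]; } EID2;

/* Consumer side: walk UserData by the same type sequence. Returns 1 on success and
 * 0 for a truncated record, an unterminated string, or trailing bytes, instead of
 * reading past the buffer or silently misparsing a record of another template. */
static int unpack_eid2(const uint8_t *buf, size_t len, EID2 *e)
{
    size_t off = 0, i = 0;
    if (len < sizeof e->t + 2 * sizeof(int64_t)) return 0;
    memcpy(&e->t,  buf + off, sizeof e->t);  off += sizeof e->t;
    memcpy(&e->a1, buf + off, sizeof e->a1); off += sizeof e->a1;
    memcpy(&e->a2, buf + off, sizeof e->a2); off += sizeof e->a2;
    for (;;) {                           /* UTF-16 string: read up to the terminator, in bounds */
        uint16_t ch;
        if (off + sizeof ch > len || i >= sizeof e->s3 / sizeof e->s3[0]) return 0;
        memcpy(&ch, buf + off, sizeof ch); off += sizeof ch;
        e->s3[i++] = ch;
        if (ch == 0) break;
    }
    if (off + sizeof e->a4 > len) return 0;
    memcpy(&e->a4, buf + off, sizeof e->a4); off += sizeof e->a4;
    return off == len;
}

/* Round-trips a constructed record, the NULL-string case and a truncated record.
 * Returns the number of checks that passed (6 when everything behaves as described). */
static int self_check(void)
{
    SYSTEMTIME t = { 2024, 1, 0, 15, 12, 30, 45, 0 };       /* constructed sample time */
    const uint16_t image[] = { 'c', 'm', 'd', '.', 'e', 'x', 'e', 0 };
    uint8_t buf[128];
    EID2 e;
    int passed = 0;

    size_t n = pack_eid2(buf, sizeof buf, &t, 4711, 1234, image, 77);
    if (n == 16 + 8 + 8 + 16 + 8) passed++;                 /* "cmd.exe\0" = 16 bytes */
    if (unpack_eid2(buf, n, &e) && e.a1 == 4711 && e.a2 == 1234 && e.a4 == 77) passed++;
    if (memcmp(e.s3, image, sizeof image) == 0 && e.t.wYear == 2024) passed++;

    n = pack_eid2(buf, sizeof buf, &t, 1, 2, NULL, 3);
    if (n == 16 + 8 + 8 + 10 + 8) passed++;                 /* "NULL\0" = 10 bytes */
    if (unpack_eid2(buf, n, &e) && memcmp(e.s3, NULL_STR, sizeof NULL_STR) == 0) passed++;

    if (unpack_eid2(buf, n - 1, &e) == 0) passed++;         /* truncated record rejected */
    return passed;
}

int main(void)
{
    printf("checks passed: %d of 6\n", self_check());
    return self_check() == 6 ? 0 : 1;
}
```

// The decoder is deliberately strict: a length mismatch means the record was not written
// by this template (or the manifest changed), which is the failure a consumer should surface
// rather than paper over, since JonMon's string fields (process paths, user names) sit before
// the trailing integers and would otherwise shift them.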
//
// Function for template "EID21" (and possibly others).
// This function is for use by MC-generated code and should not be used directly.
//
#ifndef McTemplateU0yqzzzhhtzqzq_def
#define McTemplateU0yqzzzhhtzqzq_def
ETW_INLINE
ULONG
_mcgen_PASTE2(McTemplateU0yqzzzhhtzqzq_, MCGEN_EVENTWRITETRANSFER)(
_In_ PMCGEN_TRACE_CONTEXT Context,
_In_ PCEVENT_DESCRIPTOR Descriptor,
_In_ const SYSTEMTIME* _Arg0,
_In_ const unsigned int _Arg1,
_In_opt_ PCWSTR _Arg2,
_In_opt_ PCWSTR _Arg3,
_In_opt_ PCWSTR _Arg4,
_In_ const unsigned short _Arg5,
_In_ const unsigned short _Arg6,
_In_ const signed int _Arg7,
_In_opt_ PCWSTR _Arg8,
_In_ const unsigned int _Arg9,
_In_opt_ PCWSTR _Arg10,
_In_ const unsigned int _Arg11
)
{
#define McTemplateU0yqzzzhhtzqzq_ARGCOUNT 12
EVENT_DATA_DESCRIPTOR EventData[McTemplateU0yqzzzhhtzqzq_ARGCOUNT + 1];
EventDataDescCreate(&EventData[1],_Arg0, sizeof(SYSTEMTIME) );
EventDataDescCreate(&EventData[2],&_Arg1, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[3],
(_Arg2 != NULL) ? _Arg2 : L"NULL",
(_Arg2 != NULL) ? (ULONG)((wcslen(_Arg2) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[4],
(_Arg3 != NULL) ? _Arg3 : L"NULL",
(_Arg3 != NULL) ? (ULONG)((wcslen(_Arg3) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[5],
(_Arg4 != NULL) ? _Arg4 : L"NULL",
(_Arg4 != NULL) ? (ULONG)((wcslen(_Arg4) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[6],&_Arg5, sizeof(const unsigned short) );
EventDataDescCreate(&EventData[7],&_Arg6, sizeof(const unsigned short) );
EventDataDescCreate(&EventData[8],&_Arg7, sizeof(const signed int) );
EventDataDescCreate(&EventData[9],
(_Arg8 != NULL) ? _Arg8 : L"NULL",
(_Arg8 != NULL) ? (ULONG)((wcslen(_Arg8) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[10],&_Arg9, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[11],
(_Arg10 != NULL) ? _Arg10 : L"NULL",
(_Arg10 != NULL) ? (ULONG)((wcslen(_Arg10) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[12],&_Arg11, sizeof(const unsigned int) );
return McGenEventWrite(Context, Descriptor, NULL, McTemplateU0yqzzzhhtzqzq_ARGCOUNT + 1, EventData);
}
#endif // McTemplateU0yqzzzhhtzqzq_def
//
// Function for template "EID4" (and possibly others).
// This function is for use by MC-generated code and should not be used directly.
//
#ifndef McTemplateU0yziiizqqzqqzi_def
#define McTemplateU0yziiizqqzqqzi_def
ETW_INLINE
ULONG
_mcgen_PASTE2(McTemplateU0yziiizqqzqqzi_, MCGEN_EVENTWRITETRANSFER)(
_In_ PMCGEN_TRACE_CONTEXT Context,
_In_ PCEVENT_DESCRIPTOR Descriptor,
_In_ const SYSTEMTIME* _Arg0,
_In_opt_ PCWSTR _Arg1,
_In_ const signed __int64 _Arg2,
_In_ const signed __int64 _Arg3,
_In_ const signed __int64 _Arg4,
_In_opt_ PCWSTR _Arg5,
_In_ const unsigned int _Arg6,
_In_ const unsigned int _Arg7,
_In_opt_ PCWSTR _Arg8,
_In_ const unsigned int _Arg9,
_In_ const unsigned int _Arg10,
_In_opt_ PCWSTR _Arg11,
_In_ const signed __int64 _Arg12
)
{
#define McTemplateU0yziiizqqzqqzi_ARGCOUNT 13
EVENT_DATA_DESCRIPTOR EventData[McTemplateU0yziiizqqzqqzi_ARGCOUNT + 1];
EventDataDescCreate(&EventData[1],_Arg0, sizeof(SYSTEMTIME) );
EventDataDescCreate(&EventData[2],
(_Arg1 != NULL) ? _Arg1 : L"NULL",
(_Arg1 != NULL) ? (ULONG)((wcslen(_Arg1) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[3],&_Arg2, sizeof(const signed __int64) );
EventDataDescCreate(&EventData[4],&_Arg3, sizeof(const signed __int64) );
EventDataDescCreate(&EventData[5],&_Arg4, sizeof(const signed __int64) );
EventDataDescCreate(&EventData[6],
(_Arg5 != NULL) ? _Arg5 : L"NULL",
(_Arg5 != NULL) ? (ULONG)((wcslen(_Arg5) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[7],&_Arg6, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[8],&_Arg7, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[9],
(_Arg8 != NULL) ? _Arg8 : L"NULL",
(_Arg8 != NULL) ? (ULONG)((wcslen(_Arg8) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[10],&_Arg9, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[11],&_Arg10, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[12],
(_Arg11 != NULL) ? _Arg11 : L"NULL",
(_Arg11 != NULL) ? (ULONG)((wcslen(_Arg11) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[13],&_Arg12, sizeof(const signed __int64) );
return McGenEventWrite(Context, Descriptor, NULL, McTemplateU0yziiizqqzqqzi_ARGCOUNT + 1, EventData);
}
#endif // McTemplateU0yziiizqqzqqzi_def
//
// Function for template "EID6" (and possibly others).
// This function is for use by MC-generated code and should not be used directly.
//
#ifndef McTemplateU0yziiizqzqz_def
#define McTemplateU0yziiizqzqz_def
ETW_INLINE
ULONG
_mcgen_PASTE2(McTemplateU0yziiizqzqz_, MCGEN_EVENTWRITETRANSFER)(
_In_ PMCGEN_TRACE_CONTEXT Context,
_In_ PCEVENT_DESCRIPTOR Descriptor,
_In_ const SYSTEMTIME* _Arg0,
_In_opt_ PCWSTR _Arg1,
_In_ const signed __int64 _Arg2,
_In_ const signed __int64 _Arg3,
_In_ const signed __int64 _Arg4,
_In_opt_ PCWSTR _Arg5,
_In_ const unsigned int _Arg6,
_In_opt_ PCWSTR _Arg7,
_In_ const unsigned int _Arg8,
_In_opt_ PCWSTR _Arg9
)
{
#define McTemplateU0yziiizqzqz_ARGCOUNT 10
EVENT_DATA_DESCRIPTOR EventData[McTemplateU0yziiizqzqz_ARGCOUNT + 1];
EventDataDescCreate(&EventData[1],_Arg0, sizeof(SYSTEMTIME) );
EventDataDescCreate(&EventData[2],
(_Arg1 != NULL) ? _Arg1 : L"NULL",
(_Arg1 != NULL) ? (ULONG)((wcslen(_Arg1) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[3],&_Arg2, sizeof(const signed __int64) );
EventDataDescCreate(&EventData[4],&_Arg3, sizeof(const signed __int64) );
EventDataDescCreate(&EventData[5],&_Arg4, sizeof(const signed __int64) );
EventDataDescCreate(&EventData[6],
(_Arg5 != NULL) ? _Arg5 : L"NULL",
(_Arg5 != NULL) ? (ULONG)((wcslen(_Arg5) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[7],&_Arg6, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[8],
(_Arg7 != NULL) ? _Arg7 : L"NULL",
(_Arg7 != NULL) ? (ULONG)((wcslen(_Arg7) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[9],&_Arg8, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[10],
(_Arg9 != NULL) ? _Arg9 : L"NULL",
(_Arg9 != NULL) ? (ULONG)((wcslen(_Arg9) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
return McGenEventWrite(Context, Descriptor, NULL, McTemplateU0yziiizqzqz_ARGCOUNT + 1, EventData);
}
#endif // McTemplateU0yziiizqzqz_def
//
// Function for template "EID11" (and possibly others).
// This function is for use by MC-generated code and should not be used directly.
//
#ifndef McTemplateU0yziiizqzqzd_def
#define McTemplateU0yziiizqzqzd_def
ETW_INLINE
ULONG
_mcgen_PASTE2(McTemplateU0yziiizqzqzd_, MCGEN_EVENTWRITETRANSFER)(
_In_ PMCGEN_TRACE_CONTEXT Context,
_In_ PCEVENT_DESCRIPTOR Descriptor,
_In_ const SYSTEMTIME* _Arg0,
_In_opt_ PCWSTR _Arg1,
_In_ const signed __int64 _Arg2,
_In_ const signed __int64 _Arg3,
_In_ const signed __int64 _Arg4,
_In_opt_ PCWSTR _Arg5,
_In_ const unsigned int _Arg6,
_In_opt_ PCWSTR _Arg7,
_In_ const unsigned int _Arg8,
_In_opt_ PCWSTR _Arg9,
_In_ const signed int _Arg10
)
{
#define McTemplateU0yziiizqzqzd_ARGCOUNT 11
EVENT_DATA_DESCRIPTOR EventData[McTemplateU0yziiizqzqzd_ARGCOUNT + 1];
EventDataDescCreate(&EventData[1],_Arg0, sizeof(SYSTEMTIME) );
EventDataDescCreate(&EventData[2],
(_Arg1 != NULL) ? _Arg1 : L"NULL",
(_Arg1 != NULL) ? (ULONG)((wcslen(_Arg1) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[3],&_Arg2, sizeof(const signed __int64) );
EventDataDescCreate(&EventData[4],&_Arg3, sizeof(const signed __int64) );
EventDataDescCreate(&EventData[5],&_Arg4, sizeof(const signed __int64) );
EventDataDescCreate(&EventData[6],
(_Arg5 != NULL) ? _Arg5 : L"NULL",
(_Arg5 != NULL) ? (ULONG)((wcslen(_Arg5) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[7],&_Arg6, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[8],
(_Arg7 != NULL) ? _Arg7 : L"NULL",
(_Arg7 != NULL) ? (ULONG)((wcslen(_Arg7) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[9],&_Arg8, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[10],
(_Arg9 != NULL) ? _Arg9 : L"NULL",
(_Arg9 != NULL) ? (ULONG)((wcslen(_Arg9) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[11],&_Arg10, sizeof(const signed int) );
return McGenEventWrite(Context, Descriptor, NULL, McTemplateU0yziiizqzqzd_ARGCOUNT + 1, EventData);
}
#endif // McTemplateU0yziiizqzqzd_def
//
// Function for template "EID8" (and possibly others).
// This function is for use by MC-generated code and should not be used directly.
//
#ifndef McTemplateU0yziiizqzqzdzz_def
#define McTemplateU0yziiizqzqzdzz_def
ETW_INLINE
ULONG
_mcgen_PASTE2(McTemplateU0yziiizqzqzdzz_, MCGEN_EVENTWRITETRANSFER)(
_In_ PMCGEN_TRACE_CONTEXT Context,
_In_ PCEVENT_DESCRIPTOR Descriptor,
_In_ const SYSTEMTIME* _Arg0,
_In_opt_ PCWSTR _Arg1,
_In_ const signed __int64 _Arg2,
_In_ const signed __int64 _Arg3,
_In_ const signed __int64 _Arg4,
_In_opt_ PCWSTR _Arg5,
_In_ const unsigned int _Arg6,
_In_opt_ PCWSTR _Arg7,
_In_ const unsigned int _Arg8,
_In_opt_ PCWSTR _Arg9,
_In_ const signed int _Arg10,
_In_opt_ PCWSTR _Arg11,
_In_opt_ PCWSTR _Arg12
)
{
#define McTemplateU0yziiizqzqzdzz_ARGCOUNT 13
EVENT_DATA_DESCRIPTOR EventData[McTemplateU0yziiizqzqzdzz_ARGCOUNT + 1];
EventDataDescCreate(&EventData[1],_Arg0, sizeof(SYSTEMTIME) );
EventDataDescCreate(&EventData[2],
(_Arg1 != NULL) ? _Arg1 : L"NULL",
(_Arg1 != NULL) ? (ULONG)((wcslen(_Arg1) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[3],&_Arg2, sizeof(const signed __int64) );
EventDataDescCreate(&EventData[4],&_Arg3, sizeof(const signed __int64) );
EventDataDescCreate(&EventData[5],&_Arg4, sizeof(const signed __int64) );
EventDataDescCreate(&EventData[6],
(_Arg5 != NULL) ? _Arg5 : L"NULL",
(_Arg5 != NULL) ? (ULONG)((wcslen(_Arg5) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[7],&_Arg6, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[8],
(_Arg7 != NULL) ? _Arg7 : L"NULL",
(_Arg7 != NULL) ? (ULONG)((wcslen(_Arg7) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[9],&_Arg8, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[10],
(_Arg9 != NULL) ? _Arg9 : L"NULL",
(_Arg9 != NULL) ? (ULONG)((wcslen(_Arg9) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[11],&_Arg10, sizeof(const signed int) );
EventDataDescCreate(&EventData[12],
(_Arg11 != NULL) ? _Arg11 : L"NULL",
(_Arg11 != NULL) ? (ULONG)((wcslen(_Arg11) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[13],
(_Arg12 != NULL) ? _Arg12 : L"NULL",
(_Arg12 != NULL) ? (ULONG)((wcslen(_Arg12) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
return McGenEventWrite(Context, Descriptor, NULL, McTemplateU0yziiizqzqzdzz_ARGCOUNT + 1, EventData);
}
#endif // McTemplateU0yziiizqzqzdzz_def
//
// Function for template "EID23" (and possibly others).
// This function is for use by MC-generated code and should not be used directly.
//
#ifndef McTemplateU0yzizqzqqzizqzqxx_def
#define McTemplateU0yzizqzqqzizqzqxx_def
ETW_INLINE
ULONG
_mcgen_PASTE2(McTemplateU0yzizqzqqzizqzqxx_, MCGEN_EVENTWRITETRANSFER)(
_In_ PMCGEN_TRACE_CONTEXT Context,
_In_ PCEVENT_DESCRIPTOR Descriptor,
_In_ const SYSTEMTIME* _Arg0,
_In_opt_ PCWSTR _Arg1,
_In_ const signed __int64 _Arg2,
_In_opt_ PCWSTR _Arg3,
_In_ const unsigned int _Arg4,
_In_opt_ PCWSTR _Arg5,
_In_ const unsigned int _Arg6,
_In_ const unsigned int _Arg7,
_In_opt_ PCWSTR _Arg8,
_In_ const signed __int64 _Arg9,
_In_opt_ PCWSTR _Arg10,
_In_ const unsigned int _Arg11,
_In_opt_ PCWSTR _Arg12,
_In_ const unsigned int _Arg13,
_In_ const unsigned __int64 _Arg14,
_In_ const unsigned __int64 _Arg15
)
{
#define McTemplateU0yzizqzqqzizqzqxx_ARGCOUNT 16
EVENT_DATA_DESCRIPTOR EventData[McTemplateU0yzizqzqqzizqzqxx_ARGCOUNT + 1];
EventDataDescCreate(&EventData[1],_Arg0, sizeof(SYSTEMTIME) );
EventDataDescCreate(&EventData[2],
(_Arg1 != NULL) ? _Arg1 : L"NULL",
(_Arg1 != NULL) ? (ULONG)((wcslen(_Arg1) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[3],&_Arg2, sizeof(const signed __int64) );
EventDataDescCreate(&EventData[4],
(_Arg3 != NULL) ? _Arg3 : L"NULL",
(_Arg3 != NULL) ? (ULONG)((wcslen(_Arg3) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[5],&_Arg4, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[6],
(_Arg5 != NULL) ? _Arg5 : L"NULL",
(_Arg5 != NULL) ? (ULONG)((wcslen(_Arg5) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[7],&_Arg6, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[8],&_Arg7, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[9],
(_Arg8 != NULL) ? _Arg8 : L"NULL",
(_Arg8 != NULL) ? (ULONG)((wcslen(_Arg8) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[10],&_Arg9, sizeof(const signed __int64) );
EventDataDescCreate(&EventData[11],
(_Arg10 != NULL) ? _Arg10 : L"NULL",
(_Arg10 != NULL) ? (ULONG)((wcslen(_Arg10) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[12],&_Arg11, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[13],
(_Arg12 != NULL) ? _Arg12 : L"NULL",
(_Arg12 != NULL) ? (ULONG)((wcslen(_Arg12) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[14],&_Arg13, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[15],&_Arg14, sizeof(const unsigned __int64) );
EventDataDescCreate(&EventData[16],&_Arg15, sizeof(const unsigned __int64) );
return McGenEventWrite(Context, Descriptor, NULL, McTemplateU0yzizqzqqzizqzqxx_ARGCOUNT + 1, EventData);
}
#endif // McTemplateU0yzizqzqqzizqzqxx_def
//
// Function for template "EID25" (and possibly others).
// This function is for use by MC-generated code and should not be used directly.
//
#ifndef McTemplateU0yzizqzqqzizqzqxxx_def
#define McTemplateU0yzizqzqqzizqzqxxx_def
ETW_INLINE
ULONG
_mcgen_PASTE2(McTemplateU0yzizqzqqzizqzqxxx_, MCGEN_EVENTWRITETRANSFER)(
_In_ PMCGEN_TRACE_CONTEXT Context,
_In_ PCEVENT_DESCRIPTOR Descriptor,
_In_ const SYSTEMTIME* _Arg0,
_In_opt_ PCWSTR _Arg1,
_In_ const signed __int64 _Arg2,
_In_opt_ PCWSTR _Arg3,
_In_ const unsigned int _Arg4,
_In_opt_ PCWSTR _Arg5,
_In_ const unsigned int _Arg6,
_In_ const unsigned int _Arg7,
_In_opt_ PCWSTR _Arg8,
_In_ const signed __int64 _Arg9,
_In_opt_ PCWSTR _Arg10,
_In_ const unsigned int _Arg11,
_In_opt_ PCWSTR _Arg12,
_In_ const unsigned int _Arg13,
_In_ const unsigned __int64 _Arg14,
_In_ const unsigned __int64 _Arg15,
_In_ const unsigned __int64 _Arg16
)
{
#define McTemplateU0yzizqzqqzizqzqxxx_ARGCOUNT 17
EVENT_DATA_DESCRIPTOR EventData[McTemplateU0yzizqzqqzizqzqxxx_ARGCOUNT + 1];
EventDataDescCreate(&EventData[1],_Arg0, sizeof(SYSTEMTIME) );
EventDataDescCreate(&EventData[2],
(_Arg1 != NULL) ? _Arg1 : L"NULL",
(_Arg1 != NULL) ? (ULONG)((wcslen(_Arg1) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[3],&_Arg2, sizeof(const signed __int64) );
EventDataDescCreate(&EventData[4],
(_Arg3 != NULL) ? _Arg3 : L"NULL",
(_Arg3 != NULL) ? (ULONG)((wcslen(_Arg3) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[5],&_Arg4, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[6],
(_Arg5 != NULL) ? _Arg5 : L"NULL",
(_Arg5 != NULL) ? (ULONG)((wcslen(_Arg5) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[7],&_Arg6, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[8],&_Arg7, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[9],
(_Arg8 != NULL) ? _Arg8 : L"NULL",
(_Arg8 != NULL) ? (ULONG)((wcslen(_Arg8) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[10],&_Arg9, sizeof(const signed __int64) );
EventDataDescCreate(&EventData[11],
(_Arg10 != NULL) ? _Arg10 : L"NULL",
(_Arg10 != NULL) ? (ULONG)((wcslen(_Arg10) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[12],&_Arg11, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[13],
(_Arg12 != NULL) ? _Arg12 : L"NULL",
(_Arg12 != NULL) ? (ULONG)((wcslen(_Arg12) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[14],&_Arg13, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[15],&_Arg14, sizeof(const unsigned __int64) );
EventDataDescCreate(&EventData[16],&_Arg15, sizeof(const unsigned __int64) );
EventDataDescCreate(&EventData[17],&_Arg16, sizeof(const unsigned __int64) );
return McGenEventWrite(Context, Descriptor, NULL, McTemplateU0yzizqzqqzizqzqxxx_ARGCOUNT + 1, EventData);
}
#endif // McTemplateU0yzizqzqqzizqzqxxx_def
//
// Function for template "EID26" (and possibly others).
// This function is for use by MC-generated code and should not be used directly.
//
#ifndef McTemplateU0yzizqzqqzizqzqxxxxxx_def
#define McTemplateU0yzizqzqqzizqzqxxxxxx_def
ETW_INLINE
ULONG
_mcgen_PASTE2(McTemplateU0yzizqzqqzizqzqxxxxxx_, MCGEN_EVENTWRITETRANSFER)(
_In_ PMCGEN_TRACE_CONTEXT Context,
_In_ PCEVENT_DESCRIPTOR Descriptor,
_In_ const SYSTEMTIME* _Arg0,
_In_opt_ PCWSTR _Arg1,
_In_ const signed __int64 _Arg2,
_In_opt_ PCWSTR _Arg3,
_In_ const unsigned int _Arg4,
_In_opt_ PCWSTR _Arg5,
_In_ const unsigned int _Arg6,
_In_ const unsigned int _Arg7,
_In_opt_ PCWSTR _Arg8,
_In_ const signed __int64 _Arg9,
_In_opt_ PCWSTR _Arg10,
_In_ const unsigned int _Arg11,
_In_opt_ PCWSTR _Arg12,
_In_ const unsigned int _Arg13,
_In_ const unsigned __int64 _Arg14,
_In_ const unsigned __int64 _Arg15,
_In_ const unsigned __int64 _Arg16,
_In_ const unsigned __int64 _Arg17,
_In_ const unsigned __int64 _Arg18,
_In_ const unsigned __int64 _Arg19
)
{
#define McTemplateU0yzizqzqqzizqzqxxxxxx_ARGCOUNT 20
EVENT_DATA_DESCRIPTOR EventData[McTemplateU0yzizqzqqzizqzqxxxxxx_ARGCOUNT + 1];
EventDataDescCreate(&EventData[1],_Arg0, sizeof(SYSTEMTIME) );
EventDataDescCreate(&EventData[2],
(_Arg1 != NULL) ? _Arg1 : L"NULL",
(_Arg1 != NULL) ? (ULONG)((wcslen(_Arg1) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[3],&_Arg2, sizeof(const signed __int64) );
EventDataDescCreate(&EventData[4],
(_Arg3 != NULL) ? _Arg3 : L"NULL",
(_Arg3 != NULL) ? (ULONG)((wcslen(_Arg3) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[5],&_Arg4, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[6],
(_Arg5 != NULL) ? _Arg5 : L"NULL",
(_Arg5 != NULL) ? (ULONG)((wcslen(_Arg5) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[7],&_Arg6, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[8],&_Arg7, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[9],
(_Arg8 != NULL) ? _Arg8 : L"NULL",
(_Arg8 != NULL) ? (ULONG)((wcslen(_Arg8) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[10],&_Arg9, sizeof(const signed __int64) );
EventDataDescCreate(&EventData[11],
(_Arg10 != NULL) ? _Arg10 : L"NULL",
(_Arg10 != NULL) ? (ULONG)((wcslen(_Arg10) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[12],&_Arg11, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[13],
(_Arg12 != NULL) ? _Arg12 : L"NULL",
(_Arg12 != NULL) ? (ULONG)((wcslen(_Arg12) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[14],&_Arg13, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[15],&_Arg14, sizeof(const unsigned __int64) );
EventDataDescCreate(&EventData[16],&_Arg15, sizeof(const unsigned __int64) );
EventDataDescCreate(&EventData[17],&_Arg16, sizeof(const unsigned __int64) );
EventDataDescCreate(&EventData[18],&_Arg17, sizeof(const unsigned __int64) );
EventDataDescCreate(&EventData[19],&_Arg18, sizeof(const unsigned __int64) );
EventDataDescCreate(&EventData[20],&_Arg19, sizeof(const unsigned __int64) );
return McGenEventWrite(Context, Descriptor, NULL, McTemplateU0yzizqzqqzizqzqxxxxxx_ARGCOUNT + 1, EventData);
}
#endif // McTemplateU0yzizqzqqzizqzqxxxxxx_def
//
// Function for template "EID16" (and possibly others).
// This function is for use by MC-generated code and should not be used directly.
//
#ifndef McTemplateU0yzizqzqzh_def
#define McTemplateU0yzizqzqzh_def
ETW_INLINE
ULONG
_mcgen_PASTE2(McTemplateU0yzizqzqzh_, MCGEN_EVENTWRITETRANSFER)(
_In_ PMCGEN_TRACE_CONTEXT Context,
_In_ PCEVENT_DESCRIPTOR Descriptor,
_In_ const SYSTEMTIME* _Arg0,
_In_opt_ PCWSTR _Arg1,
_In_ const signed __int64 _Arg2,
_In_opt_ PCWSTR _Arg3,
_In_ const unsigned int _Arg4,
_In_opt_ PCWSTR _Arg5,
_In_ const unsigned int _Arg6,
_In_opt_ PCWSTR _Arg7,
_In_ const unsigned short _Arg8
)
{
#define McTemplateU0yzizqzqzh_ARGCOUNT 9
EVENT_DATA_DESCRIPTOR EventData[McTemplateU0yzizqzqzh_ARGCOUNT + 1];
EventDataDescCreate(&EventData[1],_Arg0, sizeof(SYSTEMTIME) );
EventDataDescCreate(&EventData[2],
(_Arg1 != NULL) ? _Arg1 : L"NULL",
(_Arg1 != NULL) ? (ULONG)((wcslen(_Arg1) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[3],&_Arg2, sizeof(const signed __int64) );
EventDataDescCreate(&EventData[4],
(_Arg3 != NULL) ? _Arg3 : L"NULL",
(_Arg3 != NULL) ? (ULONG)((wcslen(_Arg3) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[5],&_Arg4, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[6],
(_Arg5 != NULL) ? _Arg5 : L"NULL",
(_Arg5 != NULL) ? (ULONG)((wcslen(_Arg5) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[7],&_Arg6, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[8],
(_Arg7 != NULL) ? _Arg7 : L"NULL",
(_Arg7 != NULL) ? (ULONG)((wcslen(_Arg7) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[9],&_Arg8, sizeof(const unsigned short) );
return McGenEventWrite(Context, Descriptor, NULL, McTemplateU0yzizqzqzh_ARGCOUNT + 1, EventData);
}
#endif // McTemplateU0yzizqzqzh_def
//
// Function for template "EID18" (and possibly others).
// This function is for use by MC-generated code and should not be used directly.
//
#ifndef McTemplateU0yzizqzqzqqzzzzz_def
#define McTemplateU0yzizqzqzqqzzzzz_def
ETW_INLINE
ULONG
_mcgen_PASTE2(McTemplateU0yzizqzqzqqzzzzz_, MCGEN_EVENTWRITETRANSFER)(
_In_ PMCGEN_TRACE_CONTEXT Context,
_In_ PCEVENT_DESCRIPTOR Descriptor,
_In_ const SYSTEMTIME* _Arg0,
_In_opt_ PCWSTR _Arg1,
_In_ const signed __int64 _Arg2,
_In_opt_ PCWSTR _Arg3,
_In_ const unsigned int _Arg4,
_In_opt_ PCWSTR _Arg5,
_In_ const unsigned int _Arg6,
_In_opt_ PCWSTR _Arg7,
_In_ const unsigned int _Arg8,
_In_ const unsigned int _Arg9,
_In_opt_ PCWSTR _Arg10,
_In_opt_ PCWSTR _Arg11,
_In_opt_ PCWSTR _Arg12,
_In_opt_ PCWSTR _Arg13,
_In_opt_ PCWSTR _Arg14
)
{
#define McTemplateU0yzizqzqzqqzzzzz_ARGCOUNT 15
EVENT_DATA_DESCRIPTOR EventData[McTemplateU0yzizqzqzqqzzzzz_ARGCOUNT + 1];
EventDataDescCreate(&EventData[1],_Arg0, sizeof(SYSTEMTIME) );
EventDataDescCreate(&EventData[2],
(_Arg1 != NULL) ? _Arg1 : L"NULL",
(_Arg1 != NULL) ? (ULONG)((wcslen(_Arg1) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[3],&_Arg2, sizeof(const signed __int64) );
EventDataDescCreate(&EventData[4],
(_Arg3 != NULL) ? _Arg3 : L"NULL",
(_Arg3 != NULL) ? (ULONG)((wcslen(_Arg3) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[5],&_Arg4, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[6],
(_Arg5 != NULL) ? _Arg5 : L"NULL",
(_Arg5 != NULL) ? (ULONG)((wcslen(_Arg5) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[7],&_Arg6, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[8],
(_Arg7 != NULL) ? _Arg7 : L"NULL",
(_Arg7 != NULL) ? (ULONG)((wcslen(_Arg7) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[9],&_Arg8, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[10],&_Arg9, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[11],
(_Arg10 != NULL) ? _Arg10 : L"NULL",
(_Arg10 != NULL) ? (ULONG)((wcslen(_Arg10) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[12],
(_Arg11 != NULL) ? _Arg11 : L"NULL",
(_Arg11 != NULL) ? (ULONG)((wcslen(_Arg11) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[13],
(_Arg12 != NULL) ? _Arg12 : L"NULL",
(_Arg12 != NULL) ? (ULONG)((wcslen(_Arg12) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[14],
(_Arg13 != NULL) ? _Arg13 : L"NULL",
(_Arg13 != NULL) ? (ULONG)((wcslen(_Arg13) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[15],
(_Arg14 != NULL) ? _Arg14 : L"NULL",
(_Arg14 != NULL) ? (ULONG)((wcslen(_Arg14) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
return McGenEventWrite(Context, Descriptor, NULL, McTemplateU0yzizqzqzqqzzzzz_ARGCOUNT + 1, EventData);
}
#endif // McTemplateU0yzizqzqzqqzzzzz_def
//
// Function for template "EID20" (and possibly others).
// This function is for use by MC-generated code and should not be used directly.
//
#ifndef McTemplateU0yzizqzqzzqq_def
#define McTemplateU0yzizqzqzzqq_def
ETW_INLINE
ULONG
_mcgen_PASTE2(McTemplateU0yzizqzqzzqq_, MCGEN_EVENTWRITETRANSFER)(
_In_ PMCGEN_TRACE_CONTEXT Context,
_In_ PCEVENT_DESCRIPTOR Descriptor,
_In_ const SYSTEMTIME* _Arg0,
_In_opt_ PCWSTR _Arg1,
_In_ const signed __int64 _Arg2,
_In_opt_ PCWSTR _Arg3,
_In_ const unsigned int _Arg4,
_In_opt_ PCWSTR _Arg5,
_In_ const unsigned int _Arg6,
_In_opt_ PCWSTR _Arg7,
_In_opt_ PCWSTR _Arg8,
_In_ const unsigned int _Arg9,
_In_ const unsigned int _Arg10
)
{
#define McTemplateU0yzizqzqzzqq_ARGCOUNT 11
EVENT_DATA_DESCRIPTOR EventData[McTemplateU0yzizqzqzzqq_ARGCOUNT + 1];
EventDataDescCreate(&EventData[1],_Arg0, sizeof(SYSTEMTIME) );
EventDataDescCreate(&EventData[2],
(_Arg1 != NULL) ? _Arg1 : L"NULL",
(_Arg1 != NULL) ? (ULONG)((wcslen(_Arg1) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[3],&_Arg2, sizeof(const signed __int64) );
EventDataDescCreate(&EventData[4],
(_Arg3 != NULL) ? _Arg3 : L"NULL",
(_Arg3 != NULL) ? (ULONG)((wcslen(_Arg3) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[5],&_Arg4, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[6],
(_Arg5 != NULL) ? _Arg5 : L"NULL",
(_Arg5 != NULL) ? (ULONG)((wcslen(_Arg5) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[7],&_Arg6, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[8],
(_Arg7 != NULL) ? _Arg7 : L"NULL",
(_Arg7 != NULL) ? (ULONG)((wcslen(_Arg7) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[9],
(_Arg8 != NULL) ? _Arg8 : L"NULL",
(_Arg8 != NULL) ? (ULONG)((wcslen(_Arg8) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[10],&_Arg9, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[11],&_Arg10, sizeof(const unsigned int) );
return McGenEventWrite(Context, Descriptor, NULL, McTemplateU0yzizqzqzzqq_ARGCOUNT + 1, EventData);
}
#endif // McTemplateU0yzizqzqzzqq_def
//
// Function for template "EID22" (and possibly others).
// This function is for use by MC-generated code and should not be used directly.
//
#ifndef McTemplateU0yzizqzqzzuqqbr11z_def
#define McTemplateU0yzizqzqzzuqqbr11z_def
ETW_INLINE
ULONG
_mcgen_PASTE2(McTemplateU0yzizqzqzzuqqbr11z_, MCGEN_EVENTWRITETRANSFER)(
_In_ PMCGEN_TRACE_CONTEXT Context,
_In_ PCEVENT_DESCRIPTOR Descriptor,
_In_ const SYSTEMTIME* _Arg0,
_In_opt_ PCWSTR _Arg1,
_In_ const signed __int64 _Arg2,
_In_opt_ PCWSTR _Arg3,
_In_ const unsigned int _Arg4,
_In_opt_ PCWSTR _Arg5,
_In_ const unsigned int _Arg6,
_In_opt_ PCWSTR _Arg7,
_In_opt_ PCWSTR _Arg8,
_In_ const unsigned char _Arg9,
_In_ const unsigned int _Arg10,
_In_ const unsigned int _Arg11,
_In_reads_(_Arg11) const unsigned char* _Arg12,
_In_opt_ PCWSTR _Arg13
)
{
#define McTemplateU0yzizqzqzzuqqbr11z_ARGCOUNT 14
EVENT_DATA_DESCRIPTOR EventData[McTemplateU0yzizqzqzzuqqbr11z_ARGCOUNT + 1];
EventDataDescCreate(&EventData[1],_Arg0, sizeof(SYSTEMTIME) );
EventDataDescCreate(&EventData[2],
(_Arg1 != NULL) ? _Arg1 : L"NULL",
(_Arg1 != NULL) ? (ULONG)((wcslen(_Arg1) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[3],&_Arg2, sizeof(const signed __int64) );
EventDataDescCreate(&EventData[4],
(_Arg3 != NULL) ? _Arg3 : L"NULL",
(_Arg3 != NULL) ? (ULONG)((wcslen(_Arg3) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[5],&_Arg4, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[6],
(_Arg5 != NULL) ? _Arg5 : L"NULL",
(_Arg5 != NULL) ? (ULONG)((wcslen(_Arg5) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[7],&_Arg6, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[8],
(_Arg7 != NULL) ? _Arg7 : L"NULL",
(_Arg7 != NULL) ? (ULONG)((wcslen(_Arg7) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[9],
(_Arg8 != NULL) ? _Arg8 : L"NULL",
(_Arg8 != NULL) ? (ULONG)((wcslen(_Arg8) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[10],&_Arg9, sizeof(const unsigned char) );
EventDataDescCreate(&EventData[11],&_Arg10, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[12],&_Arg11, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[13],_Arg12, (ULONG)sizeof(char)*_Arg11);
EventDataDescCreate(&EventData[14],
(_Arg13 != NULL) ? _Arg13 : L"NULL",
(_Arg13 != NULL) ? (ULONG)((wcslen(_Arg13) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
return McGenEventWrite(Context, Descriptor, NULL, McTemplateU0yzizqzqzzuqqbr11z_ARGCOUNT + 1, EventData);
}
#endif // McTemplateU0yzizqzqzzuqqbr11z_def
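The MC-generated template functions above (for example McTemplateU0yzizqzqzh for "EID16" and McTemplateU0yzizqzqzzuqqbr11z for "EID22") do not frame the event's user data beyond concatenating one EVENT_DATA_DESCRIPTOR per field: a SYSTEMTIME, NUL-terminated UTF-16 strings, fixed-size integers, and in EID22 a byte array whose length is an earlier field. A consumer that reads raw ETW payloads must therefore walk the fields in template order. The decoder below is an added example, not JonMon code; the letter-to-type mapping (y = SYSTEMTIME, z = UTF-16LE string, i = int64, q = uint32, h = uint16, x = uint64, u = uint8, b = counted bytes) is inferred from the parameter lists of the generated functions on this page, and the encoder exists only to construct sample input. Two caveats it makes visible: a NULL string pointer is written as the literal text "NULL" (so a consumer cannot tell an absent value from a field that genuinely contains "NULL"), and a truncated payload must be rejected rather than read past its end.

```python
"""Decode the flat user-data layout produced by MC-generated ETW template
functions such as McTemplateU0yzizqzqzh ("EID16") and
McTemplateU0yzizqzqzzuqqbr11z ("EID22") in jonmon.h.
Added example, not JonMon code. Type letters are inferred from the generated
parameter lists: y = SYSTEMTIME, z = NUL-terminated UTF-16LE string,
i = int64, q = uint32, h = uint16, x = uint64, u = uint8;
("b", n) = raw bytes whose length is the already-decoded field n."""
import struct
from datetime import datetime

# Layouts transcribed from the two template functions' parameter lists.
EID16_LAYOUT = list("yzizqzqzh")
EID22_LAYOUT = list("yzizqzqzzuqq") + [("b", 11), "z"]   # _Arg12 is _Arg11 bytes long

SCALAR_FMT = {"i": "<q", "q": "<I", "h": "<H", "x": "<Q", "u": "<B"}   # little-endian, unpadded


def encode_payload(layout, values):
    """Concatenate fields exactly as the EVENT_DATA_DESCRIPTORs would be written.
    Used here only to construct sample input for the decoder."""
    out = bytearray()
    for spec, value in zip(layout, values):
        if spec == "y":
            out += struct.pack("<8H", *value)    # wYear .. wMilliseconds
        elif spec == "z":
            # The generated code substitutes L"NULL" for a NULL pointer and
            # always writes the terminating NUL (wcslen + 1 characters).
            text = "NULL" if value is None else value
            out += text.encode("utf-16-le") + b"\x00\x00"
        elif isinstance(spec, tuple):
            out += bytes(value)                  # caller keeps values[n] == len(value)
        else:
            out += struct.pack(SCALAR_FMT[spec], value)
    return bytes(out)


def decode_payload(layout, data):
    """Walk the payload in template order; the field order is the only framing."""
    fields, off = [], 0
    for spec in layout:
        if spec == "y":
            year, month, _dow, day, hh, mm, ss, ms = struct.unpack_from("<8H", data, off)
            off += 16
            # an all-zero SYSTEMTIME is not a valid date; surface it as None
            fields.append(datetime(year, month, day, hh, mm, ss, ms * 1000) if year else None)
        elif spec == "z":
            end = off
            while data[end:end + 2] != b"\x00\x00":
                end += 2
                if end + 2 > len(data):
                    raise ValueError("unterminated UTF-16 string at offset %d" % off)
            fields.append(data[off:end].decode("utf-16-le"))
            off = end + 2
        elif isinstance(spec, tuple):
            count = fields[spec[1]]              # length lives in an earlier field
            if off + count > len(data):
                raise ValueError("counted binary field runs past end of payload")
            fields.append(bytes(data[off:off + count]))
            off += count
        else:
            fmt = SCALAR_FMT[spec]
            if off + struct.calcsize(fmt) > len(data):
                raise ValueError("payload truncated inside scalar field")
            (value,) = struct.unpack_from(fmt, data, off)
            off += struct.calcsize(fmt)
            fields.append(value)
    if off != len(data):
        raise ValueError("%d trailing bytes after the last template field" % (len(data) - off))
    return fields


if __name__ == "__main__":
    # constructed sample, not a captured JonMon event
    sample = [(2024, 1, 2, 3, 4, 5, 6, 7), "C:\\tools\\a.exe", -5, None, 4, "user", 7, "x", 0x1234]
    print(decode_payload(EID16_LAYOUT, encode_payload(EID16_LAYOUT, sample)))
```

In practice a manifest-aware consumer (TDH, or a library that reads the registered manifest) does this walk for you; the point of the hand-rolled version is that the template string is the whole schema, so any detection logic keyed on a string field should treat the value "NULL" as "not supplied" rather than as a path or user name.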
//
// Function for template "EID17" (and possibly others).
// This function is for use by MC-generated code and should not be used directly.
//
#ifndef McTemplateU0yzizqzqzzzz_def
#define McTemplateU0yzizqzqzzzz_def
ETW_INLINE
ULONG
_mcgen_PASTE2(McTemplateU0yzizqzqzzzz_, MCGEN_EVENTWRITETRANSFER)(
_In_ PMCGEN_TRACE_CONTEXT Context,
_In_ PCEVENT_DESCRIPTOR Descriptor,
_In_ const SYSTEMTIME* _Arg0,
_In_opt_ PCWSTR _Arg1,
_In_ const signed __int64 _Arg2,
_In_opt_ PCWSTR _Arg3,
_In_ const unsigned int _Arg4,
_In_opt_ PCWSTR _Arg5,
_In_ const unsigned int _Arg6,
_In_opt_ PCWSTR _Arg7,
_In_opt_ PCWSTR _Arg8,
_In_opt_ PCWSTR _Arg9,
_In_opt_ PCWSTR _Arg10
)
{
#define McTemplateU0yzizqzqzzzz_ARGCOUNT 11
EVENT_DATA_DESCRIPTOR EventData[McTemplateU0yzizqzqzzzz_ARGCOUNT + 1];
EventDataDescCreate(&EventData[1],_Arg0, sizeof(SYSTEMTIME) );
EventDataDescCreate(&EventData[2],
(_Arg1 != NULL) ? _Arg1 : L"NULL",
(_Arg1 != NULL) ? (ULONG)((wcslen(_Arg1) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[3],&_Arg2, sizeof(const signed __int64) );
EventDataDescCreate(&EventData[4],
(_Arg3 != NULL) ? _Arg3 : L"NULL",
(_Arg3 != NULL) ? (ULONG)((wcslen(_Arg3) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[5],&_Arg4, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[6],
(_Arg5 != NULL) ? _Arg5 : L"NULL",
(_Arg5 != NULL) ? (ULONG)((wcslen(_Arg5) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[7],&_Arg6, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[8],
(_Arg7 != NULL) ? _Arg7 : L"NULL",
(_Arg7 != NULL) ? (ULONG)((wcslen(_Arg7) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[9],
(_Arg8 != NULL) ? _Arg8 : L"NULL",
(_Arg8 != NULL) ? (ULONG)((wcslen(_Arg8) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[10],
(_Arg9 != NULL) ? _Arg9 : L"NULL",
(_Arg9 != NULL) ? (ULONG)((wcslen(_Arg9) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[11],
(_Arg10 != NULL) ? _Arg10 : L"NULL",
(_Arg10 != NULL) ? (ULONG)((wcslen(_Arg10) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
return McGenEventWrite(Context, Descriptor, NULL, McTemplateU0yzizqzqzzzz_ARGCOUNT + 1, EventData);
}
#endif // McTemplateU0yzizqzqzzzz_def
//
// Function for template "EID27" (and possibly others).
// This function is for use by MC-generated code and should not be used directly.
//
#ifndef McTemplateU0yzqzqzqzz_def
#define McTemplateU0yzqzqzqzz_def
ETW_INLINE
ULONG
_mcgen_PASTE2(McTemplateU0yzqzqzqzz_, MCGEN_EVENTWRITETRANSFER)(
_In_ PMCGEN_TRACE_CONTEXT Context,
_In_ PCEVENT_DESCRIPTOR Descriptor,
_In_ const SYSTEMTIME* _Arg0,
_In_opt_ PCWSTR _Arg1,
_In_ const unsigned int _Arg2,
_In_opt_ PCWSTR _Arg3,
_In_ const unsigned int _Arg4,
_In_opt_ PCWSTR _Arg5,
_In_ const unsigned int _Arg6,
_In_opt_ PCWSTR _Arg7,
_In_opt_ PCWSTR _Arg8
)
{
#define McTemplateU0yzqzqzqzz_ARGCOUNT 9
EVENT_DATA_DESCRIPTOR EventData[McTemplateU0yzqzqzqzz_ARGCOUNT + 1];
EventDataDescCreate(&EventData[1],_Arg0, sizeof(SYSTEMTIME) );
EventDataDescCreate(&EventData[2],
(_Arg1 != NULL) ? _Arg1 : L"NULL",
(_Arg1 != NULL) ? (ULONG)((wcslen(_Arg1) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[3],&_Arg2, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[4],
(_Arg3 != NULL) ? _Arg3 : L"NULL",
(_Arg3 != NULL) ? (ULONG)((wcslen(_Arg3) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[5],&_Arg4, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[6],
(_Arg5 != NULL) ? _Arg5 : L"NULL",
(_Arg5 != NULL) ? (ULONG)((wcslen(_Arg5) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[7],&_Arg6, sizeof(const unsigned int) );
EventDataDescCreate(&EventData[8],
(_Arg7 != NULL) ? _Arg7 : L"NULL",
(_Arg7 != NULL) ? (ULONG)((wcslen(_Arg7) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
EventDataDescCreate(&EventData[9],
(_Arg8 != NULL) ? _Arg8 : L"NULL",
(_Arg8 != NULL) ? (ULONG)((wcslen(_Arg8) + 1) * sizeof(WCHAR)) : (ULONG)sizeof(L"NULL"));
return McGenEventWrite(Context, Descriptor, NULL, McTemplateU0yzqzqzqzz_ARGCOUNT + 1, EventData);
}
#endif // McTemplateU0yzqzqzqzz_def
#endif // MCGEN_DISABLE_PROVIDER_CODE_GENERATION
#if defined(__cplusplus)
}
#endif
#define MSG_ProcessCreation_EventMessage 0xB0000001L
#define MSG_ProcessTerminate_EventMessage 0xB0000002L
#define MSG_RemoteThreadCreation_EventMessage 0xB0000003L
#define MSG_ImageLoaded_EventMessage 0xB0000004L
#define MSG_ProcessAccess_EventMessage 0xB0000005L
#define MSG_RegistrySaveKey_EventMessage 0xB0000006L
#define MSG_RegistrySetValueKey_EventMessage 0xB0000008L
#define MSG_RegistryCreateKey_EventMessage 0xB0000009L
#define MSG_FileCreation_EventMessage 0xB000000AL
#define MSG_NamedPipeCreation_EventMessage 0xB000000BL
#define MSG_NamedPipeConnection_EventMessage 0xB000000CL
#define MSG_MailslotCreation_EventMessage 0xB000000DL
#define MSG_MailslotConnection_EventMessage 0xB000000EL
#define MSG_RemoteFileConnection_EventMessage 0xB000000FL
#define MSG_DotNetLoad_EventMessage 0xB0000010L
#define MSG_WMIEventFilter_EventMessage 0xB0000011L
#define MSG_RPCClient_EventMessage 0xB0000012L
#define MSG_RPCServer_EventMessage 0xB0000013L
#define MSG_DPAPIUnprotect_EventMessage 0xB0000014L
#define MSG_NetworkConnection_EventMessage 0xB0000015L
#define MSG_AMSI_EventMessage 0xB0000016L
#define MSG_RemoteReadProcessMemory_EventMessage 0xB0000017L
#define MSG_RemoteWriteProcessMemory_EventMessage 0xB0000018L
#define MSG_RemoteVirtualAllocation_EventMessage 0xB0000019L
#define MSG_RemoteQueueUserAPC_EventMessage 0xB000001AL
#define MSG_QueryTokenImpersonation_EventMessage 0xB000001BL
#define MSG_DebugLog102_EventMessage 0xB0000066L
================================================
FILE: JonMonProvider/jonmon.man
================================================
67112660
================================================
FILE: JonMonProvider/jonmon.rc
================================================
LANGUAGE 0x9,0x1
1 11 "MSG00001.bin"
1 WEVT_TEMPLATE "jonmonTEMP.BIN"
================================================
FILE: LICENSE
================================================
MIT License
Copyright (c) 2023 Jonathan Johnson
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
================================================
FILE: Libs/nlohmann/adl_serializer.hpp
================================================
// __ _____ _____ _____
// __| | __| | | | JSON for Modern C++
// | | |__ | | | | | | version 3.11.3
// |_____|_____|_____|_|___| https://github.com/nlohmann/json
//
// SPDX-FileCopyrightText: 2013-2023 Niels Lohmann
// SPDX-License-Identifier: MIT
#pragma once
#include <utility>
#include <nlohmann/detail/abi_macros.hpp>
#include <nlohmann/detail/conversions/from_json.hpp>
#include <nlohmann/detail/conversions/to_json.hpp>
#include <nlohmann/detail/meta/identity_tag.hpp>
NLOHMANN_JSON_NAMESPACE_BEGIN
/// @sa https://json.nlohmann.me/api/adl_serializer/
template<typename ValueType, typename>
struct adl_serializer
{
/// @brief convert a JSON value to any value type
/// @sa https://json.nlohmann.me/api/adl_serializer/from_json/
template<typename BasicJsonType, typename TargetType = ValueType>
static auto from_json(BasicJsonType && j, TargetType& val) noexcept(
noexcept(::nlohmann::from_json(std::forward<BasicJsonType>(j), val)))
-> decltype(::nlohmann::from_json(std::forward<BasicJsonType>(j), val), void())
{
::nlohmann::from_json(std::forward<BasicJsonType>(j), val);
}
/// @brief convert a JSON value to any value type
/// @sa https://json.nlohmann.me/api/adl_serializer/from_json/
template<typename BasicJsonType, typename TargetType = ValueType>
static auto from_json(BasicJsonType && j) noexcept(
noexcept(::nlohmann::from_json(std::forward<BasicJsonType>(j), detail::identity_tag<TargetType> {})))
-> decltype(::nlohmann::from_json(std::forward<BasicJsonType>(j), detail::identity_tag<TargetType> {}))
{
return ::nlohmann::from_json(std::forward<BasicJsonType>(j), detail::identity_tag<TargetType> {});
}
/// @brief convert any value type to a JSON value
/// @sa https://json.nlohmann.me/api/adl_serializer/to_json/
template<typename BasicJsonType, typename TargetType = ValueType>
static auto to_json(BasicJsonType& j, TargetType && val) noexcept(
noexcept(::nlohmann::to_json(j, std::forward<TargetType>(val))))
-> decltype(::nlohmann::to_json(j, std::forward<TargetType>(val)), void())
{
::nlohmann::to_json(j, std::forward<TargetType>(val));
}
};
NLOHMANN_JSON_NAMESPACE_END
================================================
FILE: Libs/nlohmann/byte_container_with_subtype.hpp
================================================
// __ _____ _____ _____
// __| | __| | | | JSON for Modern C++
// | | |__ | | | | | | version 3.11.3
// |_____|_____|_____|_|___| https://github.com/nlohmann/json
//
// SPDX-FileCopyrightText: 2013-2023 Niels Lohmann
// SPDX-License-Identifier: MIT
#pragma once
#include <cstdint> // uint8_t, uint64_t
#include <tuple> // tie
#include <utility> // move
#include <nlohmann/detail/abi_macros.hpp>
NLOHMANN_JSON_NAMESPACE_BEGIN
/// @brief an internal type for a backed binary type
/// @sa https://json.nlohmann.me/api/byte_container_with_subtype/
template<typename BinaryType>
class byte_container_with_subtype : public BinaryType
{
public:
using container_type = BinaryType;
using subtype_type = std::uint64_t;
/// @sa https://json.nlohmann.me/api/byte_container_with_subtype/byte_container_with_subtype/
byte_container_with_subtype() noexcept(noexcept(container_type()))
: container_type()
{}
/// @sa https://json.nlohmann.me/api/byte_container_with_subtype/byte_container_with_subtype/
byte_container_with_subtype(const container_type& b) noexcept(noexcept(container_type(b)))
: container_type(b)
{}
/// @sa https://json.nlohmann.me/api/byte_container_with_subtype/byte_container_with_subtype/
byte_container_with_subtype(container_type&& b) noexcept(noexcept(container_type(std::move(b))))
: container_type(std::move(b))
{}
/// @sa https://json.nlohmann.me/api/byte_container_with_subtype/byte_container_with_subtype/
byte_container_with_subtype(const container_type& b, subtype_type subtype_) noexcept(noexcept(container_type(b)))
: container_type(b)
, m_subtype(subtype_)
, m_has_subtype(true)
{}
/// @sa https://json.nlohmann.me/api/byte_container_with_subtype/byte_container_with_subtype/
byte_container_with_subtype(container_type&& b, subtype_type subtype_) noexcept(noexcept(container_type(std::move(b))))
: container_type(std::move(b))
, m_subtype(subtype_)
, m_has_subtype(true)
{}
bool operator==(const byte_container_with_subtype& rhs) const
{
return std::tie(static_cast<const BinaryType&>(*this), m_subtype, m_has_subtype) ==
std::tie(static_cast<const BinaryType&>(rhs), rhs.m_subtype, rhs.m_has_subtype);
}
bool operator!=(const byte_container_with_subtype& rhs) const
{
return !(rhs == *this);
}
/// @brief sets the binary subtype
/// @sa https://json.nlohmann.me/api/byte_container_with_subtype/set_subtype/
void set_subtype(subtype_type subtype_) noexcept
{
m_subtype = subtype_;
m_has_subtype = true;
}
/// @brief return the binary subtype
/// @sa https://json.nlohmann.me/api/byte_container_with_subtype/subtype/
constexpr subtype_type subtype() const noexcept
{
return m_has_subtype ? m_subtype : static_cast<subtype_type>(-1);
}
/// @brief return whether the value has a subtype
/// @sa https://json.nlohmann.me/api/byte_container_with_subtype/has_subtype/
constexpr bool has_subtype() const noexcept
{
return m_has_subtype;
}
/// @brief clears the binary subtype
/// @sa https://json.nlohmann.me/api/byte_container_with_subtype/clear_subtype/
void clear_subtype() noexcept
{
m_subtype = 0;
m_has_subtype = false;
}
private:
subtype_type m_subtype = 0;
bool m_has_subtype = false;
};
NLOHMANN_JSON_NAMESPACE_END
================================================
FILE: Libs/nlohmann/detail/abi_macros.hpp
================================================
// __ _____ _____ _____
// __| | __| | | | JSON for Modern C++
// | | |__ | | | | | | version 3.11.3
// |_____|_____|_____|_|___| https://github.com/nlohmann/json
//
// SPDX-FileCopyrightText: 2013-2023 Niels Lohmann
// SPDX-License-Identifier: MIT
#pragma once
// This file contains all macro definitions affecting or depending on the ABI
#ifndef JSON_SKIP_LIBRARY_VERSION_CHECK
#if defined(NLOHMANN_JSON_VERSION_MAJOR) && defined(NLOHMANN_JSON_VERSION_MINOR) && defined(NLOHMANN_JSON_VERSION_PATCH)
#if NLOHMANN_JSON_VERSION_MAJOR != 3 || NLOHMANN_JSON_VERSION_MINOR != 11 || NLOHMANN_JSON_VERSION_PATCH != 3
#warning "Already included a different version of the library!"
#endif
#endif
#endif
#define NLOHMANN_JSON_VERSION_MAJOR 3 // NOLINT(modernize-macro-to-enum)
#define NLOHMANN_JSON_VERSION_MINOR 11 // NOLINT(modernize-macro-to-enum)
#define NLOHMANN_JSON_VERSION_PATCH 3 // NOLINT(modernize-macro-to-enum)
#ifndef JSON_DIAGNOSTICS
#define JSON_DIAGNOSTICS 0
#endif
#ifndef JSON_USE_LEGACY_DISCARDED_VALUE_COMPARISON
#define JSON_USE_LEGACY_DISCARDED_VALUE_COMPARISON 0
#endif
#if JSON_DIAGNOSTICS
#define NLOHMANN_JSON_ABI_TAG_DIAGNOSTICS _diag
#else
#define NLOHMANN_JSON_ABI_TAG_DIAGNOSTICS
#endif
#if JSON_USE_LEGACY_DISCARDED_VALUE_COMPARISON
#define NLOHMANN_JSON_ABI_TAG_LEGACY_DISCARDED_VALUE_COMPARISON _ldvcmp
#else
#define NLOHMANN_JSON_ABI_TAG_LEGACY_DISCARDED_VALUE_COMPARISON
#endif
#ifndef NLOHMANN_JSON_NAMESPACE_NO_VERSION
#define NLOHMANN_JSON_NAMESPACE_NO_VERSION 0
#endif
// Construct the namespace ABI tags component
#define NLOHMANN_JSON_ABI_TAGS_CONCAT_EX(a, b) json_abi ## a ## b
#define NLOHMANN_JSON_ABI_TAGS_CONCAT(a, b) \
NLOHMANN_JSON_ABI_TAGS_CONCAT_EX(a, b)
#define NLOHMANN_JSON_ABI_TAGS \
NLOHMANN_JSON_ABI_TAGS_CONCAT( \
NLOHMANN_JSON_ABI_TAG_DIAGNOSTICS, \
NLOHMANN_JSON_ABI_TAG_LEGACY_DISCARDED_VALUE_COMPARISON)
// Construct the namespace version component
#define NLOHMANN_JSON_NAMESPACE_VERSION_CONCAT_EX(major, minor, patch) \
_v ## major ## _ ## minor ## _ ## patch
#define NLOHMANN_JSON_NAMESPACE_VERSION_CONCAT(major, minor, patch) \
NLOHMANN_JSON_NAMESPACE_VERSION_CONCAT_EX(major, minor, patch)
#if NLOHMANN_JSON_NAMESPACE_NO_VERSION
#define NLOHMANN_JSON_NAMESPACE_VERSION
#else
#define NLOHMANN_JSON_NAMESPACE_VERSION \
NLOHMANN_JSON_NAMESPACE_VERSION_CONCAT(NLOHMANN_JSON_VERSION_MAJOR, \
NLOHMANN_JSON_VERSION_MINOR, \
NLOHMANN_JSON_VERSION_PATCH)
#endif
// Combine namespace components
#define NLOHMANN_JSON_NAMESPACE_CONCAT_EX(a, b) a ## b
#define NLOHMANN_JSON_NAMESPACE_CONCAT(a, b) \
NLOHMANN_JSON_NAMESPACE_CONCAT_EX(a, b)
#ifndef NLOHMANN_JSON_NAMESPACE
#define NLOHMANN_JSON_NAMESPACE \
nlohmann::NLOHMANN_JSON_NAMESPACE_CONCAT( \
NLOHMANN_JSON_ABI_TAGS, \
NLOHMANN_JSON_NAMESPACE_VERSION)
#endif
#ifndef NLOHMANN_JSON_NAMESPACE_BEGIN
#define NLOHMANN_JSON_NAMESPACE_BEGIN \
namespace nlohmann \
{ \
inline namespace NLOHMANN_JSON_NAMESPACE_CONCAT( \
NLOHMANN_JSON_ABI_TAGS, \
NLOHMANN_JSON_NAMESPACE_VERSION) \
{
#endif
#ifndef NLOHMANN_JSON_NAMESPACE_END
#define NLOHMANN_JSON_NAMESPACE_END \
} /* namespace (inline namespace) NOLINT(readability/namespace) */ \
} // namespace nlohmann
#endif
================================================
FILE: Libs/nlohmann/detail/conversions/from_json.hpp
================================================
// __ _____ _____ _____
// __| | __| | | | JSON for Modern C++
// | | |__ | | | | | | version 3.11.3
// |_____|_____|_____|_|___| https://github.com/nlohmann/json
//
// SPDX-FileCopyrightText: 2013-2023 Niels Lohmann
// SPDX-License-Identifier: MIT
#pragma once
#include <algorithm> // transform
#include <array> // array
#include <forward_list> // forward_list
#include <iterator> // inserter, front_inserter, end
#include