
In the previous post I said that an event session is something like a queue into which ETW stacks up events one after another.

In other words, it is like a manager.

So this event session needs to be configured, and the structure through which you can optionally pass information about the session is

EVENT_TRACE_PROPERTIES.

 

https://docs.microsoft.com/en-us/windows/win32/api/evntrace/ns-evntrace-event_trace_properties

EVENT_TRACE_PROPERTIES (evntrace.h) - Win32 apps
The EVENT_TRACE_PROPERTIES structure contains information about an event tracing session and is used with APIs such as StartTrace and ControlTrace.

The structure is disgustingly complicated, but honestly most of it doesn't look important, so let's look only at what matters.

The rest is just there for backward/forward compatibility and formal settings anyway.

Settings-only fields, out you go.

typedef struct _EVENT_TRACE_PROPERTIES {
  WNODE_HEADER Wnode;
  ULONG        BufferSize;
  ULONG        MinimumBuffers;
  ULONG        MaximumBuffers;
  ULONG        MaximumFileSize;
  ULONG        LogFileMode;
  ULONG        FlushTimer;
  ULONG        EnableFlags;
  union {
    LONG AgeLimit;
    LONG FlushThreshold;
  } DUMMYUNIONNAME;
  ULONG        NumberOfBuffers;
  ULONG        FreeBuffers;
  ULONG        EventsLost;
  ULONG        BuffersWritten;
  ULONG        LogBuffersLost;
  ULONG        RealTimeBuffersLost;
  HANDLE       LoggerThreadId;
  ULONG        LogFileNameOffset;
  ULONG        LoggerNameOffset;
} EVENT_TRACE_PROPERTIES, *PEVENT_TRACE_PROPERTIES;

Let's pick out what we need from the above.
Throw the rest away (is there anything important left?):

typedef struct _EVENT_TRACE_PROPERTIES {
  WNODE_HEADER Wnode;

  ULONG        LogFileMode;
  ULONG        EnableFlags;

  union {
    LONG AgeLimit;
    LONG FlushThreshold;
  } DUMMYUNIONNAME;

} EVENT_TRACE_PROPERTIES, *PEVENT_TRACE_PROPERTIES;
   
LogFileMode: the logging flags for the session. They decide whether events are kept in memory buffers, written to a log file, or delivered to a real-time consumer (via callback).
https://docs.microsoft.com/en-us/windows/win32/etw/logging-mode-constants

EnableFlags: decides which system providers (kinds of I/O) are collected.
Why isn't this organized on a separate page..

I'll summarize it below.
 
  • EVENT_TRACE_FLAG_ALPC (0x00100000)
    Enables the ALPC event types.
    This value is supported on Windows Vista and later.
  • EVENT_TRACE_FLAG_CSWITCH (0x00000010)
    Enables the following Thread event type:
    This value is supported on Windows Vista and later.
  • EVENT_TRACE_FLAG_DBGPRINT (0x00040000)
    Enables the DbgPrint and DbgPrintEx calls to be converted to ETW events.
  • EVENT_TRACE_FLAG_DISK_FILE_IO (0x00000200)
    Enables the following FileIo event type (you must also enable EVENT_TRACE_FLAG_DISK_IO):
  • EVENT_TRACE_FLAG_DISK_IO (0x00000100)
    Enables the following DiskIo event types:
  • EVENT_TRACE_FLAG_DISK_IO_INIT (0x00000400)
    Enables the following DiskIo event type:
    This value is supported on Windows Vista and later.
  • EVENT_TRACE_FLAG_DISPATCHER (0x00000800)
    Enables the following Thread event type:
    This value is supported on Windows 7, Windows Server 2008 R2, and later.
  • EVENT_TRACE_FLAG_DPC (0x00000020)
    Enables the following PerfInfo event type:
    This value is supported on Windows Vista and later.
  • EVENT_TRACE_FLAG_DRIVER (0x00800000)
    Enables the following DiskIo event types:
    This value is supported on Windows Vista and later.
  • EVENT_TRACE_FLAG_FILE_IO (0x02000000)
    Enables the following FileIo event types:
    This value is supported on Windows Vista and later.
  • EVENT_TRACE_FLAG_FILE_IO_INIT (0x04000000)
    Enables the following FileIo event type:
    This value is supported on Windows Vista and later.
  • EVENT_TRACE_FLAG_IMAGE_LOAD (0x00000004)
    Enables the following Image event type:
  • EVENT_TRACE_FLAG_INTERRUPT (0x00000040)
    Enables the following PerfInfo event type:
    This value is supported on Windows Vista and later.
  • EVENT_TRACE_FLAG_JOB (0x00080000)
    This value is supported on Windows 10 and later.
  • EVENT_TRACE_FLAG_MEMORY_HARD_FAULTS (0x00002000)
    Enables the following PageFault_V2 event type:
  • EVENT_TRACE_FLAG_MEMORY_PAGE_FAULTS (0x00001000)
    Enables the following PageFault_V2 event type:
  • EVENT_TRACE_FLAG_NETWORK_TCPIP (0x00010000)
    Enables the TcpIp and UdpIp event types.
  • EVENT_TRACE_FLAG_NO_SYSCONFIG (0x10000000)
    Do not do a system configuration rundown.
    This value is supported on Windows 8, Windows Server 2012, and later.
  • EVENT_TRACE_FLAG_PROCESS (0x00000001)
    Enables the following Process event type:
  • EVENT_TRACE_FLAG_PROCESS_COUNTERS (0x00000008)
    Enables the following Process_V2 event type:
    This value is supported on Windows Vista and later.
  • EVENT_TRACE_FLAG_PROFILE (0x01000000)
    Enables the following PerfInfo event type:
    This value is supported on Windows Vista and later.
  • EVENT_TRACE_FLAG_REGISTRY (0x00020000)
    Enables the Registry event types.
  • EVENT_TRACE_FLAG_SPLIT_IO (0x00200000)
    Enables the SplitIo event types.
    This value is supported on Windows Vista and later.
  • EVENT_TRACE_FLAG_SYSTEMCALL (0x00000080)
    Enables the following PerfInfo event type:
    This value is supported on Windows Vista and later.
  • EVENT_TRACE_FLAG_THREAD (0x00000002)
    Enables the following Thread event type:
  • EVENT_TRACE_FLAG_VAMAP (0x00008000)
    Enables the map and unmap (excluding image files) event type.
    This value is supported on Windows 8, Windows Server 2012, and later.
  • EVENT_TRACE_FLAG_VIRTUAL_ALLOC (0x00004000)
    Enables the following PageFault_V2 event type:
    This value is supported on Windows 7, Windows Server 2008 R2, and later.

So then, wouldn't it be good to study each of the EnableFlags above!

To be continued
