dissect.etl.utils#

Module Contents#

Functions#

lookup_guid

bytes_left

Get number of bytes left in the buffer.

Attributes#

dissect.etl.utils.c_global_def = Multiline-String#
"""
// EVENT_TRACE_GROUP_*: event group identifiers. Every value has a zero low
// byte and they advance in 0x0100 steps, so the group is carried in the high
// byte. Presumably these are the keys of GROUP_GUID_MAP consulted by
// lookup_guid(); the *Guid attributes of this module follow the same order
// (NullGuid for HEADER, EventTraceGuid for IO, ...) — confirm against the map.
#define EVENT_TRACE_GROUP_HEADER            0x0000
#define EVENT_TRACE_GROUP_IO                0x0100
#define EVENT_TRACE_GROUP_MEMORY            0x0200
#define EVENT_TRACE_GROUP_PROCESS           0x0300
#define EVENT_TRACE_GROUP_FILE              0x0400
#define EVENT_TRACE_GROUP_THREAD            0x0500
#define EVENT_TRACE_GROUP_TCPIP             0x0600
#define EVENT_TRACE_GROUP_JOB               0x0700
#define EVENT_TRACE_GROUP_UDPIP             0x0800
#define EVENT_TRACE_GROUP_REGISTRY          0x0900
#define EVENT_TRACE_GROUP_DBGPRINT          0x0A00
#define EVENT_TRACE_GROUP_CONFIG            0x0B00
#define EVENT_TRACE_GROUP_SPARE1            0x0C00
#define EVENT_TRACE_GROUP_WNF               0x0D00
#define EVENT_TRACE_GROUP_POOL              0x0E00
#define EVENT_TRACE_GROUP_PERFINFO          0x0F00
#define EVENT_TRACE_GROUP_HEAP              0x1000
#define EVENT_TRACE_GROUP_OBJECT            0x1100
#define EVENT_TRACE_GROUP_POWER             0x1200
#define EVENT_TRACE_GROUP_MODBOUND          0x1300
#define EVENT_TRACE_GROUP_IMAGE             0x1400
#define EVENT_TRACE_GROUP_DPC               0x1500
#define EVENT_TRACE_GROUP_CC                0x1600
#define EVENT_TRACE_GROUP_CRITSEC           0x1700
#define EVENT_TRACE_GROUP_STACKWALK         0x1800
#define EVENT_TRACE_GROUP_UMS               0x1900
#define EVENT_TRACE_GROUP_ALPC              0x1A00
#define EVENT_TRACE_GROUP_SPLITIO           0x1B00
#define EVENT_TRACE_GROUP_THREAD_POOL       0x1C00
#define EVENT_TRACE_GROUP_HYPERVISOR        0x1D00
#define EVENT_TRACE_GROUP_HYPERVISORX       0x1E00

// EVENT_TRACE_TYPE_*: event opcode values. Note the shared values: END/STOP
// (0x02), DEQUEUE/RESUME (0x07) and CHECKPOINT/SUSPEND (0x08) are aliases,
// so a reverse lookup from opcode to name is ambiguous for those three.
#define EVENT_TRACE_TYPE_INFO               0x00  // Info or point event
#define EVENT_TRACE_TYPE_START              0x01  // Start event
#define EVENT_TRACE_TYPE_END                0x02  // End event
#define EVENT_TRACE_TYPE_STOP               0x02  // Stop event (WinEvent compatible); alias of END
#define EVENT_TRACE_TYPE_DC_START           0x03  // Collection start marker
#define EVENT_TRACE_TYPE_DC_END             0x04  // Collection end marker
#define EVENT_TRACE_TYPE_EXTENSION          0x05  // Extension/continuation
#define EVENT_TRACE_TYPE_REPLY              0x06  // Reply event
#define EVENT_TRACE_TYPE_DEQUEUE            0x07  // De-queue event
#define EVENT_TRACE_TYPE_RESUME             0x07  // Resume event (WinEvent compatible); alias of DEQUEUE
#define EVENT_TRACE_TYPE_CHECKPOINT         0x08  // Generic checkpoint event
#define EVENT_TRACE_TYPE_SUSPEND            0x08  // Suspend event (WinEvent compatible); alias of CHECKPOINT
#define EVENT_TRACE_TYPE_WINEVT_SEND        0x09  // Send Event (WinEvent compatible)
#define EVENT_TRACE_TYPE_WINEVT_RECEIVE     0xF0  // Receive Event (WinEvent compatible); not contiguous with the others
"""
dissect.etl.utils.c_etl_global#
dissect.etl.utils.c_etl_definitions = Multiline-String#
"""
// TRACE_HEADER_TYPE_*: header-type discriminator. The value selects which of
// the header structs defined below describes a record (see the comment above
// each struct). Values 0x05-0x09 are not assigned here; a parser should treat
// an unknown type as an error rather than guess a layout.
#define TRACE_HEADER_TYPE_SYSTEM32          0x01
#define TRACE_HEADER_TYPE_SYSTEM64          0x02
#define TRACE_HEADER_TYPE_COMPACT32         0x03
#define TRACE_HEADER_TYPE_COMPACT64         0x04
#define TRACE_HEADER_TYPE_FULL_HEADER32     0x0A
#define TRACE_HEADER_TYPE_INSTANCE32        0x0B
#define TRACE_HEADER_TYPE_TIMED             0x0C
#define TRACE_HEADER_TYPE_ERROR             0x0D
#define TRACE_HEADER_TYPE_WNODE_HEADER      0x0E
#define TRACE_HEADER_TYPE_MESSAGE           0x0F
#define TRACE_HEADER_TYPE_PERFINFO32        0x10
#define TRACE_HEADER_TYPE_PERFINFO64        0x11
#define TRACE_HEADER_TYPE_EVENT_HEADER32    0x12
#define TRACE_HEADER_TYPE_EVENT_HEADER64    0x13
#define TRACE_HEADER_TYPE_FULL_HEADER64     0x14
#define TRACE_HEADER_TYPE_INSTANCE64        0x15

/* Win32 SYSTEMTIME layout: eight WORD (16-bit) fields, 16 bytes total. */
struct SYSTEMTIME {
    WORD    wYear;              /* 0x00 */
    WORD    wMonth;             /* 0x02 */
    WORD    wDayOfWeek;         /* 0x04 */
    WORD    wDay;               /* 0x06 */
    WORD    wHour;              /* 0x08 */
    WORD    wMinute;            /* 0x0A */
    WORD    wSecond;            /* 0x0C */
    WORD    wMilliseconds;      /* 0x0E */
};

/* Mirrors the Win32 TIME_ZONE_INFORMATION layout. The three Bias fields are
 * presumably UTC offsets in minutes as in the Win32 API — confirm before
 * using them for timestamp conversion. Each name is 32 wchar (64 bytes) and
 * is not guaranteed to be NUL-terminated within the field. */
struct TimeZoneInformation {
    LONG        Bias;                   /* 0x00 */
    wchar       StandardName[32];       /* 0x04 */
    SYSTEMTIME  StandardDate;           /* 0x44 */
    LONG        StandardBias;           /* 0x54 */
    wchar       DaylightName[32];       /* 0x58 */
    SYSTEMTIME  DaylightDate;           /* 0x98 */
    LONG        DaylightBias;           /* 0xA8 */
};

/* Bit flags stored in BufferHeader.BufferFlag (uint16); several may be set
 * at once. The names EVENTS_LOST, BUFFER_LOST and RTBACKUP_CORRUPT suggest
 * the buffer content is incomplete or damaged — a consumer should surface
 * these to the caller rather than silently continue. */
flag ETW_BUFFER_FLAG: uint16 {
    NORMAL           = 0x0000
    FLUSH_MARKER     = 0x0001
    EVENTS_LOST      = 0x0002
    BUFFER_LOST      = 0x0004
    RTBACKUP_CORRUPT = 0x0008
    RTBACKUP         = 0x0010
    PROC_INDEX       = 0x0020
    COMPRESSED  = 0x0040
};

/* Value stored in BufferHeader.BufferType (uint16). MAXIMUM (0x0008) looks
 * like an end-of-range sentinel rather than a real buffer type — confirm;
 * a parser should reject values >= MAXIMUM. */
enum ETW_BUFFER_TYPE: uint16 {
    GENERIC      = 0x0000
    RUNDOWN      = 0x0001
    CTX_SWAP     = 0x0002
    REFTIME      = 0x0003
    HEADER       = 0x0004
    BATCHED      = 0x0005
    EMPTY_MARKER = 0x0006
    DBG_INFO     = 0x0007
    MAXIMUM      = 0x0008
};

/* WMI_BUFFER_HEADER (latest); 0x48 bytes.
 * BufferSize, SavedOffset, CurrentOffset and FilledBytes are lengths/offsets
 * read straight from the input file. Before using any of them to slice or
 * seek, validate them against the real buffer length and against each other
 * (e.g. FilledBytes <= BufferSize), so a corrupt or crafted header cannot
 * drive an out-of-bounds read. */
struct BufferHeader {
    uint32           BufferSize;       /* 0x00 */
    uint32           SavedOffset;      /* 0x04 */
    uint32           CurrentOffset;    /* 0x08 */
    uint32           ReferenceCounter; /* 0x0C */
    uint64           TimeDelta;        /* 0x10 */
    int64            SequenceNumber;   /* 0x18 */
    uint64           Defined_1;        /* 0x20 meaning not documented here */
    uint16           ProcessorIndex;   /* 0x28 ETW_BUFFER_CONTEXT */
    uint16           LoggerId;         /* 0x2A ETW_BUFFER_CONTEXT */
    uint32           ETW_BUFFER_STATE; /* 0x2C */
    uint32           FilledBytes;      /* 0x30, Filled bytes inside the buffer. */
    ETW_BUFFER_FLAG  BufferFlag;       /* 0x34 see ETW_BUFFER_FLAG */
    ETW_BUFFER_TYPE  BufferType;       /* 0x36 see ETW_BUFFER_TYPE */
    uint32           unk17;            /* 0x38 different for multiple iterations*/
    uint32           unk18;            /* 0x3C different for multiple iterations*/
    uint32           unk19;            /* 0x40 different for multiple iterations*/
    uint32           unk20;            /* 0x44 different for multiple iterations*/
};

/* TRACE_HEADER_TYPE_SYSTEM32, TRACE_HEADER_TYPE_SYSTEM64; 0x20 bytes.
 * Size is the record length as stored in the input; bound it by the bytes
 * remaining in the buffer before consuming the event payload. */
struct SystemHeader {
    uint16  Version;            /* 0x00 */
    uint16  Marker;             /* 0x02 */
    uint16  Size;               /* 0x04 */
    uint8   OpCode;             /* 0x06 EVENT_TRACE_TYPE_* */
    uint8   Group;              /* 0x07 EVENT_TRACE_GROUP_* high byte, presumably — confirm */
    uint32  ThreadId;           /* 0x08 */
    uint32  ProcessId;          /* 0x0c */
    uint64  TimeDelta;          /* 0x10 */
    uint64  ProcessorTime;      /* 0x18 */
};

/* TRACE_HEADER_TYPE_COMPACT32, TRACE_HEADER_TYPE_COMPACT64; 0x18 bytes.
 * Identical to SystemHeader minus the trailing ProcessorTime field. */
struct CompactSystemHeader {
    uint16  Version;            /* 0x00 */
    uint16  Marker;             /* 0x02 */
    uint16  Size;               /* 0x04 record length from the input; bounds-check it */
    uint8   OpCode;             /* 0x06 */
    uint8   Group;              /* 0x07 */
    uint32  ThreadId;           /* 0x08 */
    uint32  ProcessId;          /* 0x0c */
    uint64  TimeDelta;          /* 0x10 */
};

/* TRACE_HEADER_TYPE_PERFINFO32, TRACE_HEADER_TYPE_PERFINFO64 */
struct PerformanceInfoHeader {
    uint16  Version;            /* 0x00 */
    uint16  Marker;             /* 0x02 */
    uint16  Size;               /* 0x04 */
    uint8   OpCode;             /* 0x06 */
    uint8   Group;              /* 0x07 */
    uint64  TimeDelta;          /* 0x10 per the original annotation. NOTE(review):
                                   with a packed layout this field directly follows
                                   Group and sits at 0x08 (struct is 0x10 bytes);
                                   the 0x10 offset looks wrong — confirm against
                                   a real PERFINFO record. */
};


/* TRACE_HEADER_TYPE_MESSAGE; 8 bytes. Size is taken from the input and
 * presumably covers the message payload that follows — bounds-check it. */
struct MessageHeader {
    uint16  Size;               /* 0x00 */
    uint16  Marker;             /* 0x02 */
    uint16  Id;                 /* 0x04 */
    uint16  EventProperty;      /* 0x06 */
};

/* TRACE_HEADER_TYPE_EVENT_HEADER32, TRACE_HEADER_TYPE_EVENT_HEADER64; 0x50 bytes.
 * ProviderId and ActivityId are 16 raw bytes each (GUID-sized); Size is the
 * record length read from the input and must be bounded by the bytes left. */
struct EventHeader {
    uint16  Size;               /* 0x00 */
    uint16  Marker;             /* 0x02 */
    uint16  Flags;              /* 0x04 */
    uint16  EventProperty;      /* 0x06 */
    uint32  ThreadId;           /* 0x08 */
    uint32  ProcessId;          /* 0x0c */
    uint64  TimeDelta;          /* 0x10 */
    char    ProviderId[16];     /* 0x18 raw GUID bytes */
    uint16  Id;                 /* 0x28 */
    uint8   Version;            /* 0x2a */
    uint8   Channel;            /* 0x2b */
    uint8   Level;              /* 0x2c */
    uint8   OpCode;             /* 0x2d */
    uint16  Task;               /* 0x2e */
    uint64  Keywords;           /* 0x30 */
    uint64  ProcessorTime;      /* 0x38 */
    char    ActivityId[16];     /* 0x40 raw GUID bytes */
};

/* EVENT_TRACE_HEADER-style record; 0x30 bytes. Version is 32-bit here,
 * unlike the 16-bit Version in the system headers above. */
struct EventTraceHeader {
    uint16  Size;               /* 0x00 */
    uint16  Marker;             /* 0x02 */
    uint32  Version;            /* 0x04 */
    uint32  ThreadId;           /* 0x08 */
    uint32  ProcessId;          /* 0x0C */
    uint64  TimeDelta;          /* 0x10 */
    char    ProviderId[16];     /* 0x18 raw GUID bytes */
    uint32  KernelTime;         /* 0x28 */
    uint32  UserTime;           /* 0x2C (KernelTime is 4 bytes at 0x28; the earlier 0x2B annotation was off by one) */
};

// An older header not used anymore; 0x38 bytes.
// NOTE(review): this is the only definition here without a trailing ';' after
// the closing brace. The module evidently loads, so the cstruct parser seems
// to accept it, but add one if these definitions are ever fed to another tool.
struct EventInstanceHeader {
    uint16  Size;                       /* 0x00 */
    uint16  Marker;                     /* 0x02 */
    uint32  Version;                    /* 0x04 */
    union {                             /* 0x08, 8 bytes */
        uint64  ThreadId;               /* 64-bit view ... */
        struct {
            uint32 ThreadId;            /* ... or split into thread id */
            uint32 ProcessId;           /* and process id */
        } information;
    } ids;
    uint64  TimeDelta;                  /* 0x10 */
    uint64  RegHandle;                  /* 0x18 */
    uint32  InstanceId;                 /* 0x20 */
    uint32  ParentInstanceId;           /* 0x24 */
    union {                             /* 0x28, 8 bytes; which view applies is not stated here */
        struct {
            uint32  KernelTime;
            uint32  UserTime;
        };
        uint64  ProcessorTime;
        struct {
            uint32  EventId;
            uint32  Flags;
        };
    };
    uint64  ParentRegHandle;            /* 0x30 */
}

/* Instance header carrying a provider GUID; 0x48 bytes. Which view of
 * event_metadata applies (cpu_time / ProcessorTime / event_info) is not
 * stated in this definition — presumably selected by the header type or
 * flags of the enclosing record; confirm in the caller. */
struct EventInstanceGUIDHeader {
    uint16  Size;                       /* 0x00 */
    uint16  Marker;                     /* 0x02 */
    uint32  Version;                    /* 0x04 */
    uint32  ThreadId;                   /* 0x08 */
    uint32  ProcessId;                  /* 0x0C */
    uint64  TimeDelta;                  /* 0x10 */
    char    ProviderId[16];             /* 0x18 raw GUID bytes */
    union {                             /* 0x28, 8 bytes */
        struct {
            uint32  KernelTime;
            uint32  UserTime;
        } cpu_time;
        uint64  ProcessorTime;
        struct {
            uint32  EventId;
            uint32  Flags;
        } event_info;
    } event_metadata;
    uint32  InstanceId;                 /* 0x30 */
    uint32  ParentInstanceId;           /* 0x34 */
    char    ParentGuid[16];             /* 0x38 raw GUID bytes */
};


/* One extended-data item following an EventHeader. DataSize comes from the
 * input and directly sizes Data[], so check it against the bytes actually
 * remaining (bytes_left() in this module) before parsing; a corrupt or
 * hostile length must fail cleanly instead of reading past the buffer.
 * How Size relates to DataSize is not stated here — presumably Size covers
 * the 8-byte header plus Data; confirm. ExtType selects the payload layout
 * (see the EVENT_HEADER_EXT_TYPE_* structs below). */
struct EventHeaderExtendedDataItemHeader {
    uint16  Size;                       /* 0x00 */
    uint16  ExtType;                    /* 0x02 */
    uint16  Reserved1;                  /* 0x04 */
    uint16  DataSize;                   /* 0x06 length of Data, untrusted */
    char    Data[DataSize];             /* 0x08 */
};

/* Extended item: activity instance info; fixed 24 bytes. */
struct EVENT_HEADER_EXT_TYPE_ITEM_INSTANCE {
    uint32 InstanceId;                  /* 0x00 */
    uint32 ParentInstanceId;            /* 0x04 */
    char ParentGuid[16];                /* 0x08 raw GUID bytes */
};


/* Extended item: 32-bit stack trace. Address[] declares no length; the
 * frame count has to come from the enclosing item's DataSize (presumably
 * (DataSize - 8) / 4) — the caller must supply that bound rather than read
 * to end of stream. */
struct EVENT_HEADER_EXT_TYPE_STACK_TRACE32 {
    uint64 MatchId;                     /* 0x00 */
    uint32 Address[];                   /* 0x08 frames, count supplied by caller */
};

/* Extended item: 64-bit stack trace. Same shape as STACK_TRACE32 with 8-byte
 * frames; the frame count is presumably (DataSize - 8) / 8 and must be
 * bounded by the caller. */
struct EVENT_HEADER_EXT_TYPE_STACK_TRACE64 {
    uint64 MatchId;                     /* 0x00 */
    uint64 Address[];                   /* 0x08 frames, count supplied by caller */
};

/* A single provider trait. The Data length is TraitSize minus the 3 bytes
 * already consumed by TraitSize (uint16) and Type (uint8). A TraitSize below
 * 3 yields a negative length, so validate TraitSize >= 3 — and that
 * TraitSize does not exceed the bytes remaining — before parsing a trait
 * from untrusted input. */
struct TRAIT {
    uint16 TraitSize;           // Size of this individual trait including this field
    uint8  Type;                // ETW_PROVIDER_TRAIT_TYPE
    char   Data[TraitSize-3];   // Trait data; length is untrusted, see note above
};

/* Extended item: provider traits. ProviderName[] declares no length; its
 * extent is presumably bounded by TraitSize, and NUL termination is not
 * guaranteed by this definition — the caller should bound the read by
 * TraitSize and the bytes remaining, not by a terminator. */
struct EVENT_HEADER_EXT_TYPE_PROVIDER_TRAIT {
    uint16 TraitSize;                   /* 0x00 untrusted length from the input */
    char   ProviderName[];              /* 0x02 */
};


"""
dissect.etl.utils.c_etl_headers#
dissect.etl.utils.BufferType#
dissect.etl.utils.BufferFlag#
dissect.etl.utils.NullGuid#
dissect.etl.utils.EventTraceGuid#
dissect.etl.utils.DiskIoGuid#
dissect.etl.utils.PageFaultGuid#
dissect.etl.utils.ProcessGuid#
dissect.etl.utils.FileIoGuid#
dissect.etl.utils.ThreadGuid#
dissect.etl.utils.TcpIpGuid#
dissect.etl.utils.JobGuid#
dissect.etl.utils.UdpIpGuid#
dissect.etl.utils.RegistryGuid#
dissect.etl.utils.DbgPrintGuid#
dissect.etl.utils.EventTraceConfigGuid#
dissect.etl.utils.EventTraceSpare1#
dissect.etl.utils.WnfGuid#
dissect.etl.utils.PoolGuid#
dissect.etl.utils.PerfinfoGuid#
dissect.etl.utils.HeapGuid#
dissect.etl.utils.ObjectGuid#
dissect.etl.utils.PowerGuid#
dissect.etl.utils.ModBoundGuid#
dissect.etl.utils.ImageLoadGuid#
dissect.etl.utils.DpcGuid#
dissect.etl.utils.CcGuid#
dissect.etl.utils.CritSecGuid#
dissect.etl.utils.StackWalkGuid#
dissect.etl.utils.UmsEventGuid#
dissect.etl.utils.ALPCGuid#
dissect.etl.utils.SplitIoGuid#
dissect.etl.utils.ThreadPoolGuid#
dissect.etl.utils.HypervisorTraceGuid#
dissect.etl.utils.HypervisorXTraceGuid#
dissect.etl.utils.GROUP_GUID_MAP#
dissect.etl.utils.lookup_guid(group, opcode)#
dissect.etl.utils.bytes_left(stream: io.BytesIO)#

Get number of bytes left in the buffer.