ETW Consumer in kernel-mode

Mauro_Leggieri Member Posts: 107

Hi, is there any api to create an event consumer from kernel-mode? Couldn't find any counterpart of the OpenTrace api or similar.

Regards,
Mauro.

Comments

  • Tim_Roberts Member - All Emails Posts: 13,451

    Why? I'm not trying to be snarky (well, maybe I am). I just cannot imagine a case where this would be useful. ETW events are intended for human consumption, or for automated analysis tools producing reports for human consumption. The details, the string handling, the I/O -- all of that is just more difficult in the kernel.

    Tim's first general rule of Windows programming: Never do anything in the kernel that can be done just as well in user mode.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • Mauro_Leggieri Member Posts: 107
    Hi @Tim_Roberts, I want to detect processes being launched spoofing the parent for an AV style app. Something used more frequently in malware.

    One method is capturing a kernel trace.

    Of course I can add the code in my service and notify the driver when an event arrives, but I would like to know if a more direct approach is possible.

    Regards,
    Mauro.
  • Mauro_Leggieri Member Posts: 107
    edited November 2019

    Realized I can get that info in the PsSetCreateProcessNotifyRoutine callback because it is executed in the context of the process creator :p

  • Peter_Viscarola_(OSR) Administrator Posts: 7,855

    Much better idea.

    Peter Viscarola
    OSR
    @OSRDrivers
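
The check Mauro arrived at, as an added example that is not part of the thread and not OSR's or any poster's code. The Ex form of the callback, PsSetCreateProcessNotifyRoutineEx, receives a PS_CREATE_NOTIFY_INFO whose ParentProcessId is the parent recorded for the new process while CreatingThreadId identifies the process and thread that actually issued the create call; when the two process IDs differ, the parent was supplied explicitly. The DDK types below are user-mode stand-ins constructed for this example so it builds and runs outside a driver (in a real driver they come from ntddk.h and must not be redefined), the extra `out` parameter on the callback is an addition so the result can be checked, and every PID is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* User-mode stand-ins for the DDK types (constructed for this example;
 * the real definitions live in ntddk.h and must not be redefined in a driver). */
typedef void *HANDLE;
typedef struct { HANDLE UniqueProcess; HANDLE UniqueThread; } CLIENT_ID;
typedef struct {
    HANDLE    ParentProcessId;   /* parent recorded for the new process */
    CLIENT_ID CreatingThreadId;  /* process and thread that actually issued the create call */
} PS_CREATE_NOTIFY_INFO;

#define PID(n) ((HANDLE)(uintptr_t)(n))

/* The check itself: the recorded parent is not the creating process.
 * The create-process callback runs in the creator's context, so in a driver
 * CreatingThreadId.UniqueProcess equals PsGetCurrentProcessId() here. */
bool parent_is_spoofed(const PS_CREATE_NOTIFY_INFO *info)
{
    return info->ParentProcessId != info->CreatingThreadId.UniqueProcess;
}

/* Small detection record a driver would hand to its user-mode service. */
typedef struct {
    uintptr_t new_pid;
    uintptr_t claimed_parent;
    uintptr_t real_creator;
} spoof_event;

/* Same shape as a PCREATE_PROCESS_NOTIFY_ROUTINE_EX callback plus an out
 * parameter. Process is the opaque EPROCESS pointer; CreateInfo is NULL when
 * the notification is for process exit. Returns true if the create was
 * flagged, in which case *out is filled in. */
bool create_process_notify_ex(void *Process, HANDLE ProcessId,
                              PS_CREATE_NOTIFY_INFO *CreateInfo, spoof_event *out)
{
    (void)Process;
    if (CreateInfo == NULL) {
        return false;               /* exit notification: nothing to check */
    }
    if (!parent_is_spoofed(CreateInfo)) {
        return false;               /* creator and recorded parent agree */
    }
    out->new_pid        = (uintptr_t)ProcessId;
    out->claimed_parent = (uintptr_t)CreateInfo->ParentProcessId;
    out->real_creator   = (uintptr_t)CreateInfo->CreatingThreadId.UniqueProcess;
    return true;
}

/* Drives the callback with constructed events: a normal create by PID 4000,
 * a create by PID 4000 that claims PID 700 as its parent, and an exit.
 * Returns the number of flagged creates. */
size_t run_demo(void)
{
    PS_CREATE_NOTIFY_INFO normal  = { PID(4000), { PID(4000), PID(4001) } };
    PS_CREATE_NOTIFY_INFO spoofed = { PID(700),  { PID(4000), PID(4001) } };
    spoof_event ev;
    size_t flagged = 0;

    if (create_process_notify_ex(NULL, PID(5000), &normal, &ev)) {
        flagged++;
    }
    if (create_process_notify_ex(NULL, PID(5001), &spoofed, &ev)) {
        flagged++;
        printf("pid %lu claims parent %lu but was created by %lu\n",
               (unsigned long)ev.new_pid, (unsigned long)ev.claimed_parent,
               (unsigned long)ev.real_creator);
    }
    if (create_process_notify_ex(NULL, PID(5001), NULL, &ev)) {
        flagged++;                  /* never taken: exit notifications are skipped */
    }
    return flagged;
}

int main(void)
{
    return run_demo() == 1 ? 0 : 1;
}
```

With the older PsSetCreateProcessNotifyRoutine callback only ParentId is passed, so the comparison there is against PsGetCurrentProcessId(), which is what Mauro's remark about running in the creator's context relies on. Some legitimate launchers set an explicit parent too, so a mismatch is a signal to enrich with image path and creator identity in the service rather than a verdict to block on.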
