
ETW Consumer in kernel-mode

Mauro_Leggieri Member Posts: 90

Hi, is there any API to create an event consumer from kernel-mode? Couldn't find any counterpart of the OpenTrace API or similar.

Regards,
Mauro.

Comments

  • Tim_Roberts Member - All Emails Posts: 13,158

    Why? I'm not trying to be snarky (well, maybe I am). I just cannot imagine a case where this would be useful. ETW events are intended for human consumption, or for automated analysis tools producing reports for human consumption. The details, the string handling, the I/O -- all of that is just more difficult in the kernel.

    Tim's first general rule of Windows programming: Never do anything in the kernel that can be done just as well in user mode.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • Mauro_Leggieri Member Posts: 90
    Hi @Tim_Roberts, I want to detect processes being launched spoofing the parent for an AV style app. Something used more frequently in malware.

    One method is capturing a kernel trace.

    Of course I can add the code in my service and notify the driver when an event reaches but would like to know if a more direct approach is possible.

    Regards,
    Mauro.
  • Mauro_Leggieri Member Posts: 90
    edited November 21

    Realized I can get that info in the PsSetCreateProcessNotifyRoutine callback because it is executed in the context of the process creator :p
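    The check Mauro describes, written out as an added example (not code from the thread or from any of the posters): in a PsSetCreateProcessNotifyRoutineEx callback the real creator is the current process context (equivalently CreateInfo->CreatingThreadId.UniqueProcess), while CreateInfo->ParentProcessId is the parent the caller declared, possibly via PROC_THREAD_ATTRIBUTE_PARENT_PROCESS. The kernel-only parts are guarded by _KERNEL_MODE; the stand-in typedefs and the ClassifyParent helper are assumptions so the classification logic can be built and run in user mode.

```c
/* Parent-PID spoofing check for a process-creation notify callback.
 * Kernel pieces compile only under _KERNEL_MODE (defined by WDK driver builds);
 * otherwise minimal stand-in types mirror the PS_CREATE_NOTIFY_INFO fields used. */
#ifdef _KERNEL_MODE
#include <ntddk.h>
#else
#include <stddef.h>
#include <stdint.h>
typedef void *HANDLE;
typedef struct { HANDLE UniqueProcess; HANDLE UniqueThread; } CLIENT_ID;
/* Constructed stand-in: only the two fields the check needs. */
typedef struct { HANDLE ParentProcessId; CLIENT_ID CreatingThreadId; } PS_CREATE_NOTIFY_INFO;
#endif

typedef enum { PARENT_OK, PARENT_SPOOFED } PARENT_VERDICT;

/* Hypothetical helper: the declared parent differs from the process that actually
 * issued the create call. Legitimate code also sets a custom parent (UAC elevation
 * is the classic case), so a mismatch is a signal to correlate, not a verdict. */
static PARENT_VERDICT ClassifyParent(HANDLE ActualCreatorPid,
                                     const PS_CREATE_NOTIFY_INFO *CreateInfo)
{
    if (CreateInfo == NULL)          /* NULL CreateInfo means process exit, not create */
        return PARENT_OK;
    return (CreateInfo->ParentProcessId == ActualCreatorPid) ? PARENT_OK : PARENT_SPOOFED;
}

#ifdef _KERNEL_MODE
/* Register with PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyEx, FALSE)
 * from DriverEntry and remove it with Remove = TRUE on unload. */
VOID CreateProcessNotifyEx(PEPROCESS Process, HANDLE ProcessId,
                           PPS_CREATE_NOTIFY_INFO CreateInfo)
{
    UNREFERENCED_PARAMETER(Process);
    if (CreateInfo == NULL)
        return;
    /* The callback runs in the creator's context, so PsGetCurrentProcessId() and
     * CreatingThreadId.UniqueProcess both name the real creator. */
    HANDLE creator = CreateInfo->CreatingThreadId.UniqueProcess;
    if (ClassifyParent(creator, CreateInfo) == PARENT_SPOOFED) {
        DbgPrint("PID %p: declared parent %p, actual creator %p\n",
                 ProcessId, CreateInfo->ParentProcessId, creator);
        /* A product would hand this record to its user-mode service here. */
    }
}
#endif
```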

  • Peter_Viscarola_(OSR) Administrator Posts: 7,505

    Much better idea.

    Peter Viscarola
    OSR
    @OSRDrivers
