Hi, is there any api to create an event consumer from kernel-mode? Couldn’t find any counterpart of the OpenTrace api or similar.
Regards,
Mauro.
Why? I’m not trying to be snarky (well, maybe I am). I just cannot imagine a case where this would be useful. ETW events are intended for human consumption, or for automated analysis tools producing reports for human consumption. The details, the string handling, the I/O – all of that is just more difficult in the kernel.
Tim’s first general rule of Windows programming: Never do anything in the kernel that can be done just as well in user mode.
Hi @Tim_Roberts, I want to detect processes being launched with a spoofed parent, for an AV-style app. It is something used more frequently in malware. One method is capturing a kernel trace. Of course I can add the code in my service and notify the driver when an event arrives, but I would like to know if a more direct approach is possible. Regards, Mauro.
I realized I can get that info in the PsSetCreateProcessNotifyRoutine callback, because it is executed in the context of the process creator.
Much better idea.
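For readers arriving at this thread: the check Mauro settled on works because the process-creation notify callback runs in the context of the thread that called NtCreateUserProcess, so PsGetCurrentProcessId() (or CreateInfo->CreatingThreadId.UniqueProcess) is the real creator, while CreateInfo->ParentProcessId is whatever parent the caller asked for via PROC_THREAD_ATTRIBUTE_PARENT_PROCESS. The block below is an added example, not code from the thread's participants or from Microsoft's samples. The decision logic is kept in portable C so it can be compiled and exercised in user mode; the driver callback that feeds it real data is guarded with _KERNEL_MODE and only compiles with the WDK. CREATE_EVENT, ClassifyCreateEvent, CountSpoofed, the allowlist and the sample events are hypothetical names and constructed data.

```c
/* Added example, not the original poster's code: parent-vs-creator comparison
 * for a PsSetCreateProcessNotifyRoutineEx callback, with the decision logic
 * kept portable so it can be compiled and tested in user mode. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical struct: the two PS_CREATE_NOTIFY_INFO facts the check needs. */
typedef struct _CREATE_EVENT {
    uint32_t NewPid;      /* ProcessId argument: the process being created      */
    uint32_t ParentPid;   /* CreateInfo->ParentProcessId: the claimed parent     */
    uint32_t CreatorPid;  /* PsGetCurrentProcessId(): who actually called        */
                          /* NtCreateUserProcess (callback runs in its context)  */
} CREATE_EVENT;

typedef enum _PPID_VERDICT {
    PPID_OK = 0,          /* parent and creator agree                            */
    PPID_SPOOFED = 1,     /* parent supplied via PROC_THREAD_ATTRIBUTE_PARENT_   */
                          /* PROCESS by a process that is not that parent        */
    PPID_ALLOWLISTED = 2  /* mismatch, but the creator is known to re-parent     */
} PPID_VERDICT;

/* Hypothetical allowlist: PIDs of creators that legitimately re-parent (an
 * elevation broker, for instance). A real driver would key this on image path
 * and signer rather than on PIDs, which the system reuses. */
static const uint32_t kAllowlistedCreators[] = { 900 };

static bool IsAllowlistedCreator(uint32_t pid)
{
    size_t n = sizeof(kAllowlistedCreators) / sizeof(kAllowlistedCreators[0]);
    for (size_t i = 0; i < n; i++)
        if (kAllowlistedCreators[i] == pid) return true;
    return false;
}

PPID_VERDICT ClassifyCreateEvent(const CREATE_EVENT *ev)
{
    if (ev->ParentPid == ev->CreatorPid) return PPID_OK;
    if (IsAllowlistedCreator(ev->CreatorPid)) return PPID_ALLOWLISTED;
    return PPID_SPOOFED;
}

/* Batch helper: how many events in a captured set look spoofed. */
size_t CountSpoofed(const CREATE_EVENT *evs, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (ClassifyCreateEvent(&evs[i]) == PPID_SPOOFED) hits++;
    return hits;
}

/* Constructed sample: PID 50 spawns a child normally; PID 777 spawns a child
 * claiming 50 as parent; the allowlisted broker 900 does the same legitimately. */
const CREATE_EVENT kSampleEvents[] = {
    { 100, 50, 50 },
    { 101, 50, 777 },
    { 102, 50, 900 },
};
const size_t kSampleEventCount = sizeof(kSampleEvents) / sizeof(kSampleEvents[0]);

#if defined(_KERNEL_MODE)
/* Driver side (compiles only with the WDK). Register from DriverEntry with
 * PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyEx, FALSE); the driver
 * image must be linked with /INTEGRITYCHECK or the registration fails. */
#include <ntddk.h>

VOID CreateProcessNotifyEx(PEPROCESS Process, HANDLE ProcessId,
                           PPS_CREATE_NOTIFY_INFO CreateInfo)
{
    UNREFERENCED_PARAMETER(Process);
    if (CreateInfo == NULL) return;   /* NULL means process exit, not creation */

    CREATE_EVENT ev;
    ev.NewPid     = (uint32_t)(ULONG_PTR)ProcessId;
    ev.ParentPid  = (uint32_t)(ULONG_PTR)CreateInfo->ParentProcessId;
    ev.CreatorPid = (uint32_t)(ULONG_PTR)PsGetCurrentProcessId();
    /* CreateInfo->CreatingThreadId.UniqueProcess carries the same creator PID. */

    if (ClassifyCreateEvent(&ev) == PPID_SPOOFED) {
        DbgPrint("ppid spoof: new=%u claimed parent=%u real creator=%u\n",
                 ev.NewPid, ev.ParentPid, ev.CreatorPid);
        /* To block instead of log: CreateInfo->CreationStatus = STATUS_ACCESS_DENIED; */
    }
}
#else
#include <stdio.h>

int main(void)
{
    for (size_t i = 0; i < kSampleEventCount; i++)
        printf("new=%u parent=%u creator=%u -> verdict %d\n",
               kSampleEvents[i].NewPid, kSampleEvents[i].ParentPid,
               kSampleEvents[i].CreatorPid,
               (int)ClassifyCreateEvent(&kSampleEvents[i]));
    printf("%zu of %zu events look spoofed\n",
           CountSpoofed(kSampleEvents, kSampleEventCount), kSampleEventCount);
    return 0;
}
#endif
```

Two caveats for anyone turning this into a product: legitimate components (UAC elevation brokers, sandboxed browsers) use PROC_THREAD_ATTRIBUTE_PARENT_PROCESS too, so a bare mismatch is a signal rather than a verdict, and PIDs are recycled, so any allowlist should be keyed on the creator's image and signature rather than its PID. The same parent/creator pair is what a user-mode consumer of the kernel process-provider ETW events would compare; the callback simply gets it synchronously, before the new process runs.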