Constants ¶
// Canonical kernel event parameter (field) names. Each constant is the string
// that identifies a parameter on a kernel event; consumers are presumably keyed
// on these strings, so changing a value is a compatibility change for anything
// that references the old name — confirm against callers before renaming.
//
// Several names are reused across event families (FileName/ImageFilename both
// map to "file_name", FileType/RegValueType both map to "type"); a consumer
// that dispatches on the field name alone therefore needs the event type as
// well to disambiguate.
const (
	// NTStatus is the parameter that identifies the NTSTATUS value.
	NTStatus = "status"
	// ProcessID represents the process identifier.
	ProcessID = "pid"
	// ProcessObject field represents the address of the process object in the kernel.
	ProcessObject = "proc"
	// ThreadID field represents the thread identifier.
	ThreadID = "tid"
	// ProcessParentID field represents the parent process identifier.
	ProcessParentID = "ppid"
	// SessionID field represents the session identifier.
	SessionID = "session_id"
	// UserSID field is the security identifier associated to the process token under which it is run.
	UserSID = "sid"
	// ProcessName field denotes the process image name.
	ProcessName = "name"
	// Exe field denotes the full path of the executable.
	Exe = "exe"
	// Comm field represents the process command line.
	Comm = "command"
	// DTB field denotes the address of the process directory table.
	DTB = "directory_table_base"
	// ExitStatus is the field that represents the process exit status.
	ExitStatus = "exit_status"
	// StartTime field denotes the process start time.
	StartTime = "start_time"
	// BasePrio field is the thread base priority assigned by the scheduler.
	BasePrio = "base_prio"
	// IOPrio is the field that indicates the thread I/O priority.
	IOPrio = "io_prio"
	// PagePrio field denotes page priority.
	PagePrio = "page_prio"
	// KstackBase field is the start address of the kernel space stack.
	KstackBase = "kstack"
	// KstackLimit field is the end address of the kernel space stack.
	KstackLimit = "kstack_limit"
	// UstackBase field is the start address of the user space stack.
	UstackBase = "ustack"
	// UstackLimit field is the end address of the user space stack.
	UstackLimit = "ustack_limit"
	// ThreadEntrypoint field is the address of the thread main function.
	ThreadEntrypoint = "entrypoint"
	// FileObject determines the field name for the file object pointer.
	FileObject = "file_object"
	// FileName represents the field that designates the absolute path of the file.
	// Shares the "file_name" value with ImageFilename.
	FileName = "file_name"
	// FileCreateOptions is the field that represents the values passed in the CreateDispositions parameter to the NtCreateFile function.
	FileCreateOptions = "options"
	// FileOperation is the field that represents the values passed in the CreateOptions parameter to the NtCreateFile function.
	// NOTE(review): the two comments above map "options" to CreateDispositions and
	// "operation" to CreateOptions; confirm this pairing is not swapped.
	FileOperation = "operation"
	// FileCreated represents the name for the file creation field.
	FileCreated = "created"
	// FileAccessed represents the name for the file access field.
	FileAccessed = "accessed"
	// FileModified represents the name for the file modification field.
	FileModified = "modified"
	// FileShareMask is the field name for the file share mask.
	FileShareMask = "share_mask"
	// FileType represents the field name that indicates the file type.
	// Shares the "type" value with RegValueType.
	FileType = "type"
	// FileAttributes is the field that represents file attribute values.
	FileAttributes = "attributes"
	// FileIoSize is the field that represents the number of bytes in file read/write operations.
	FileIoSize = "io_size"
	// FileOffset is the field for the file offset in read/write operations.
	FileOffset = "offset"
	// FileInfoClass represents the file information class.
	FileInfoClass = "class"
	// FileKey represents the directory key identifier in EnumDirectory events.
	FileKey = "file_key"
	// FileDirectory represents the field for the directory name in EnumDirectory events.
	FileDirectory = "dir"
	// FileIrpPtr represents the I/O request packet id.
	FileIrpPtr = "irp"
	// FileExtraInfo is the parameter that represents extra information returned by the file system
	// for the operation. For example, for a read request, the actual number of bytes that were read.
	FileExtraInfo = "extra_info"
	// RegKeyHandle identifies the parameter name for the registry key handle.
	RegKeyHandle = "key_handle"
	// RegKeyName represents the parameter name for the fully qualified key name.
	RegKeyName = "key_name"
	// RegValue identifies the parameter name that contains the value.
	RegValue = "value"
	// RegValueType identifies the parameter that represents the registry value type, e.g. DWORD, BINARY.
	// Shares the "type" value with FileType.
	RegValueType = "type"
	// ImageBase identifies the parameter name for the base address of the process in which the image is loaded.
	ImageBase = "base_address"
	// ImageSize represents the parameter name for the size of the image in bytes.
	ImageSize = "image_size"
	// ImageCheckSum is the parameter name for the image checksum.
	ImageCheckSum = "checksum"
	// ImageDefaultBase is the parameter name that represents the image's base address.
	ImageDefaultBase = "default_address"
	// ImageFilename is the parameter name that denotes the file name and extension of the DLL/executable image.
	// Shares the "file_name" value with FileName.
	ImageFilename = "file_name"
	// NetSize identifies the parameter name that represents the packet size.
	NetSize = "size"
	// NetDIP is the parameter name that denotes the destination IP address.
	NetDIP = "dip"
	// NetSIP is the parameter name that denotes the source IP address.
	NetSIP = "sip"
	// NetDport identifies the parameter name that represents the destination port number.
	NetDport = "dport"
	// NetSport identifies the parameter name that represents the source port number.
	NetSport = "sport"
	// NetMSS is the parameter name that represents the maximum TCP segment size.
	NetMSS = "mss"
	// NetRcvWin is the parameter name that represents the TCP segment's receive window size.
	NetRcvWin = "rcvwin"
	// NetSAckopt is the parameter name that represents the Selective Acknowledgment option in the TCP header.
	NetSAckopt = "sack_opt"
	// NetTsopt is the parameter name that represents the timestamp option in the TCP header.
	NetTsopt = "timestamp_opt"
	// NetWsopt is the parameter name that represents the window scale option in the TCP header.
	NetWsopt = "window_scale_opt"
	// NetRcvWinScale is the parameter name that represents the TCP receive window scaling factor.
	NetRcvWinScale = "recv_winscale"
	// NetSendWinScale is the parameter name that represents the TCP send window scaling factor.
	NetSendWinScale = "send_winscale"
	// NetSeqNum is the parameter name that represents the TCP sequence number.
	NetSeqNum = "seqnum"
	// NetConnID is the parameter name that represents a unique connection identifier.
	NetConnID = "connid"
	// NetL4Proto is the parameter name that identifies the Layer 4 protocol name.
	NetL4Proto = "l4_proto"
	// NetDportName is the field that denotes the destination port name.
	NetDportName = "dport_name"
	// NetSportName is the field that denotes the source port name.
	NetSportName = "sport_name"
	// NetSIPNames is the field that denotes the source IP address names.
	NetSIPNames = "sip_names"
	// NetDIPNames is the field that denotes the destination IP address names.
	NetDIPNames = "dip_names"
	// HandleID identifies the parameter that specifies the handle identifier.
	HandleID = "handle_id"
	// HandleObject identifies the parameter that represents the kernel object to which the handle is associated.
	HandleObject = "handle_object"
	// HandleObjectName identifies the parameter that represents the kernel object name.
	HandleObjectName = "handle_name"
	// HandleObjectTypeID identifies the parameter that represents the kernel object type identifier.
	HandleObjectTypeID = "type_id"
	// HandleObjectTypeName identifies the parameter that represents the kernel object type name.
	HandleObjectTypeName = "handle_type"
)
const (
	// NA is the sentinel string "na"; presumably used as the value of a
	// parameter that is not available — confirm against callers.
	NA = "na"
)
Variables ¶
// Kernel event provider GUIDs and the packed identifiers of the event types
// this package recognizes. Pack is defined elsewhere in the package; from its
// use below the second argument appears to be the event opcode within the
// provider — confirm against its definition.
var (
	// Provider GUIDs. These match the well-known ETW kernel logger event
	// classes (Process, Thread, Image, FileIo, Registry, ...); verify each
	// against the Windows ETW documentation before relying on that mapping.
	ProcessGuid          = syscall.GUID{Data1: 0x3d6fa8d0, Data2: 0xfe05, Data3: 0x11d0, Data4: [8]byte{0x9d, 0xda, 0x00, 0xc0, 0x4f, 0xd7, 0xba, 0x7c}}
	ThreadGuid           = syscall.GUID{Data1: 0x3d6fa8d1, Data2: 0xfe05, Data3: 0x11d0, Data4: [8]byte{0x9d, 0xda, 0x00, 0xc0, 0x4f, 0xd7, 0xba, 0x7c}}
	ImageGuid            = syscall.GUID{Data1: 0x2cb15d1d, Data2: 0x5fc1, Data3: 0x11d2, Data4: [8]byte{0xab, 0xe1, 0x00, 0xa0, 0xc9, 0x11, 0xf5, 0x18}}
	FileIOGuid           = syscall.GUID{Data1: 0x90cbdc39, Data2: 0x4a3e, Data3: 0x11d1, Data4: [8]byte{0x84, 0xf4, 0x00, 0x00, 0xf8, 0x04, 0x64, 0xe3}}
	RegistryGuid         = syscall.GUID{Data1: 0xae53722e, Data2: 0xc863, Data3: 0x11d2, Data4: [8]byte{0x86, 0x59, 0x0, 0xc0, 0x4f, 0xa3, 0x21, 0xa1}}
	ALPCGuid             = syscall.GUID{Data1: 0x45d8cccd, Data2: 0x539f, Data3: 0x4b72, Data4: [8]byte{0xa8, 0xb7, 0x5c, 0x68, 0x31, 0x42, 0x60, 0x9a}}
	DiskIoGuid           = syscall.GUID{Data1: 0x3d6fa8d4, Data2: 0xfe05, Data3: 0x11d0, Data4: [8]byte{0x9d, 0xda, 0x00, 0xc0, 0x4f, 0xd7, 0xba, 0x7c}}
	EventTraceConfigGuid = syscall.GUID{Data1: 0x01853a65, Data2: 0x418f, Data3: 0x4f36, Data4: [8]byte{0xae, 0xfc, 0xdc, 0x0f, 0x1d, 0x2f, 0xd2, 0x35}}
	ObTraceGuid          = syscall.GUID{Data1: 0x89497f50, Data2: 0xeffe, Data3: 0x4440, Data4: [8]byte{0x8c, 0xf2, 0xce, 0x6b, 0x1c, 0xdc, 0xac, 0xa7}}
	PageFaultGuid        = syscall.GUID{Data1: 0x3d6fa8d3, Data2: 0xfe05, Data3: 0x11d0, Data4: [8]byte{0x9d, 0xda, 0x00, 0xc0, 0x4f, 0xd7, 0xba, 0x7c}}
	PerfInfoGuid         = syscall.GUID{Data1: 0xce1dbfb4, Data2: 0x137e, Data3: 0x4da6, Data4: [8]byte{0x87, 0xb0, 0x3f, 0x59, 0xaa, 0x10, 0x2c, 0xbc}}
	SplitIoGuid          = syscall.GUID{Data1: 0xd837ca92, Data2: 0x12b9, Data3: 0x44a5, Data4: [8]byte{0xad, 0x6a, 0x3a, 0x65, 0xb3, 0x57, 0x8a, 0xa8}}
	TcpIpGuid            = syscall.GUID{Data1: 0x9a280ac0, Data2: 0xc8e0, Data3: 0x11d1, Data4: [8]byte{0x84, 0xe2, 0x00, 0xc0, 0x4f, 0xb9, 0x98, 0xa2}}
	UdpIpGuid            = syscall.GUID{Data1: 0xbf3a50c5, Data2: 0xa9c9, Data3: 0x4988, Data4: [8]byte{0xa0, 0x05, 0x2d, 0xf0, 0xb7, 0xc8, 0x0f, 0x80}}

	// Process events
	OpProcessCreate    = Pack(ProcessGuid, 1)
	OpProcessTerminate = Pack(ProcessGuid, 2)
	OpProcessEnum      = Pack(ProcessGuid, 3)

	// Thread events
	OpThreadCreate    = Pack(ThreadGuid, 1)
	OpThreadTerminate = Pack(ThreadGuid, 2)
	OpThreadEnum      = Pack(ThreadGuid, 3)

	// Image load events. Note that the load opcode (10) is not contiguous
	// with unload (2) and enum (3).
	OpImageUnload = Pack(ImageGuid, 2)
	OpImageEnum   = Pack(ImageGuid, 3)
	OpImageLoad   = Pack(ImageGuid, 10)

	// File events
	OpFileCreate    = Pack(FileIOGuid, 64)
	OpFileCleanup   = Pack(FileIOGuid, 65)
	OpFileClose     = Pack(FileIOGuid, 66)
	OpFileRead      = Pack(FileIOGuid, 67)
	OpFileWrite     = Pack(FileIOGuid, 68)
	OpSetFileInfo   = Pack(FileIOGuid, 69)
	OpFileDelete    = Pack(FileIOGuid, 70)
	OpFileRename    = Pack(FileIOGuid, 71)
	OpEnumDirectory = Pack(FileIOGuid, 72)
	OpFileFlush     = Pack(FileIOGuid, 73)
	OpQueryFileInfo = Pack(FileIOGuid, 74)
	OpFSControl     = Pack(FileIOGuid, 75)
	OpFileOpEnd     = Pack(FileIOGuid, 76)

	// Registry events
	OpRegCreateKey      = Pack(RegistryGuid, 10)
	OpRegOpenKey        = Pack(RegistryGuid, 11)
	OpRegDeleteKey      = Pack(RegistryGuid, 12)
	OpRegQueryKey       = Pack(RegistryGuid, 13)
	OpRegSetValue       = Pack(RegistryGuid, 14)
	OpRegDeleteValue    = Pack(RegistryGuid, 15)
	OpRegQueryValue     = Pack(RegistryGuid, 16)
	OpRegEnumKey        = Pack(RegistryGuid, 17)
	OpRegEnumValueKey   = Pack(RegistryGuid, 18)
	OpRegSetInformation = Pack(RegistryGuid, 20)
	OpRegCreateKCB      = Pack(RegistryGuid, 22)
	OpRegDeleteKCB      = Pack(RegistryGuid, 23)
	OpRegKCBRundown     = Pack(RegistryGuid, 25)
	OpRegOpenKeyV1      = Pack(RegistryGuid, 27)

	// Network/TCP events. IPv4 and IPv6 variants of the same operation use
	// distinct opcodes, so both must be handled to cover a given operation.
	OpSendTCPv4       = Pack(TcpIpGuid, 10)
	OpRecvTCPv4       = Pack(TcpIpGuid, 11)
	OpConnectTCPv4    = Pack(TcpIpGuid, 12)
	OpDisconnectTCPv4 = Pack(TcpIpGuid, 13)
	OpAcceptTCPv4     = Pack(TcpIpGuid, 15)
	OpReconnectTCPv4  = Pack(TcpIpGuid, 16)
	OpSendTCPv6       = Pack(TcpIpGuid, 26)
	OpRecvTCPv6       = Pack(TcpIpGuid, 27)
	OpConnectTCPv6    = Pack(TcpIpGuid, 28)
	OpDisconnectTCPv6 = Pack(TcpIpGuid, 29)
	OpAcceptTCPv6     = Pack(TcpIpGuid, 31)
	OpReconnectTCPv6  = Pack(TcpIpGuid, 32)

	// Network/UDP events.
	// NOTE(review): OpRecvUDPV4/OpRecvUDPV6 use a different casing from
	// OpSendUDPv4/OpSendUDPv6; renaming them would break existing callers.
	OpSendUDPv4 = Pack(UdpIpGuid, 10)
	OpRecvUDPV4 = Pack(UdpIpGuid, 11)
	OpSendUDPv6 = Pack(UdpIpGuid, 26)
	OpRecvUDPV6 = Pack(UdpIpGuid, 27)

	// Object manager (handle) events
	OpCreateHandle = Pack(ObTraceGuid, 32)
	OpCloseHandle  = Pack(ObTraceGuid, 33)

	// ALPC events
	OpALPCSendMessage       = Pack(ALPCGuid, 33)
	OpALPCReceiveMessage    = Pack(ALPCGuid, 34)
	OpALPCWaitForReply      = Pack(ALPCGuid, 35)
	OpALPCWaitForNewMessage = Pack(ALPCGuid, 36)
	OpALPCUnwait            = Pack(ALPCGuid, 37)

	// Disk I/O and driver events (both share DiskIoGuid)
	OpDiskIORead                  = Pack(DiskIoGuid, 10)
	OpDiskIOWrite                 = Pack(DiskIoGuid, 11)
	OpDiskIOReadInit              = Pack(DiskIoGuid, 12)
	OpDiskIOWriteInit             = Pack(DiskIoGuid, 13)
	OpDiskIOFlush                 = Pack(DiskIoGuid, 14)
	OpDiskIOFlushInit             = Pack(DiskIoGuid, 15)
	OpDiskIORedirectedInit        = Pack(DiskIoGuid, 16)
	OpDriverMajorFunctionCall     = Pack(DiskIoGuid, 34)
	OpDriverMajorFunctionReturn   = Pack(DiskIoGuid, 35)
	OpDriverCompletionRoutine     = Pack(DiskIoGuid, 37)
	OpDriverCompleteRequest       = Pack(DiskIoGuid, 52)
	OpDriverCompleteRequestReturn = Pack(DiskIoGuid, 53)
)
Functions ¶
func Canonicalize ¶
Canonicalize takes an original kernel event property name and normalizes it to the canonical parameter name.
Types ¶
type Hex ¶
// Hex is the string type used for hexadecimal values. It is a defined type
// (not an alias), so a plain string must be converted explicitly to Hex.
type Hex string
Hex is the string type used for hexadecimal values.
type Param ¶
func Parse ¶
func Parse(etype EType, evt *tdh.EventRecord, info *tdh.TraceEventInfo) []Param
type Type ¶
// Type defines the kernel event parameter type. Its values are the Type
// constants declared below, assigned sequentially via iota.
type Type uint16
Type defines the kernel event parameter type.
// Kernel event parameter types. Values are assigned by iota, so the
// declaration order fixes each type's numeric value: inserting a new type in
// the middle shifts every value after it. If these numbers are ever persisted
// or compared against external data, that is a compatibility concern.
const (
	// Null is a null parameter type.
	Null Type = iota
	// UnicodeString is a string of 16-bit characters. By default, assumed to have been encoded using UTF-16LE.
	UnicodeString
	// AnsiString is a string of 8-bit characters.
	AnsiString
	// Int8 is a signed 8-bit integer.
	Int8
	// Uint8 is an unsigned 8-bit integer.
	Uint8
	// Int16 is a signed 16-bit integer.
	Int16
	// Uint16 is an unsigned 16-bit integer.
	Uint16
	// Int32 is a signed 32-bit integer.
	Int32
	// Uint32 is an unsigned 32-bit integer.
	Uint32
	// Int64 is a signed 64-bit integer.
	Int64
	// Uint64 is an unsigned 64-bit integer.
	Uint64
	// Float is an IEEE 4-byte floating-point number.
	Float
	// Double is an IEEE 8-byte floating-point number.
	Double
	// Bool is a 32-bit value where 0 is false and 1 is true.
	Bool
	// Binary is binary data of variable size. The size must be specified in the data definition
	// as a constant or a reference to another (integer) data item. For an IPv6 address, the data
	// should be an IN6_ADDR structure. For a socket address, the data should be a SOCKADDR_STORAGE
	// structure. The AF_INET, AF_INET6, and AF_LINK address families are supported.
	Binary
	// GUID is a GUID structure. On output, the GUID is rendered in the registry string form,
	// {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}.
	GUID
	// Pointer is an unsigned 32-bit or 64-bit pointer value. The size depends on the architecture
	// of the computer logging the event.
	Pointer
	// SID is a security identifier (SID) structure that uniquely identifies a user or group.
	SID
	// PID is the process identifier.
	PID
	// TID is the thread identifier.
	TID
	// WbemSID is the Web-Based Enterprise Management security identifier.
	WbemSID
	// HexInt8 is the hexadecimal representation of an 8-bit integer.
	HexInt8
	// HexInt16 is the hexadecimal representation of a 16-bit integer.
	HexInt16
	// HexInt32 is the hexadecimal representation of a 32-bit integer.
	HexInt32
	// HexInt64 is the hexadecimal representation of a 64-bit integer.
	HexInt64
	// Port represents the endpoint port number.
	Port
	// IP is the IP address.
	IP
	// IPv4 is the IPv4 address.
	IPv4
	// IPv6 is the IPv6 address.
	IPv6
	// Time represents the timestamp.
	Time
	// Slice represents a collection of items.
	Slice
	// Enum represents an enumeration.
	Enum
	// Map represents a map.
	Map
	// Object is the generic object.
	Object
	// Unknown represents an unknown parameter type.
	Unknown
)