ferrisetw 1.1.0

Basically a KrabsETW rip-off written in Rust
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74

use ferrisetw::EventRecord;
use ferrisetw::parser::{Parser, Pointer};
use ferrisetw::provider::*;
use ferrisetw::schema_locator::SchemaLocator;
use ferrisetw::trace::*;
use std::net::{IpAddr, Ipv4Addr};
use std::time::Duration;

fn registry_callback(record: &EventRecord, schema_locator: &SchemaLocator) {
    match schema_locator.event_schema(record) {
        Ok(schema) => {
            if record.event_id() == 7 {
                let parser = Parser::create(record, &schema);
                let pid = record.process_id();
                let key_obj: Pointer = parser.try_parse("KeyObject").unwrap_or(Pointer::default());
                let status: u32 = parser.try_parse("Status").unwrap_or(0);
                let value_name: String = parser.try_parse("ValueName").unwrap_or(String::from(""));
                println!(
                    "QueryValueKey (PID: {}) -> KeyObj: {:#08x}, ValueName: {}, Status: {:#04X}",
                    pid, key_obj, value_name, status,
                );
            }
        }
        Err(err) => println!("Error {:?}", err),
    };
}

fn tcpip_callback(record: &EventRecord, schema_locator: &SchemaLocator) {
    match schema_locator.event_schema(record) {
        Ok(schema) => {
            if record.event_id() == 11 {
                let parser = Parser::create(record, &schema);
                let size: u32 = parser.try_parse("size").unwrap_or(0);
                let daddr: IpAddr = parser
                    .try_parse("daddr")
                    .unwrap_or(IpAddr::V4(Ipv4Addr::new(0, 0, 0, 0)));
                let dport: u16 = parser.try_parse("dport").unwrap_or(0);
                let saddr: IpAddr = parser
                    .try_parse("saddr")
                    .unwrap_or(IpAddr::V4(Ipv4Addr::new(0, 0, 0, 0)));
                let sport: u16 = parser.try_parse("sport").unwrap_or(0);
                println!(
                    "{} bytes received from {}:{} to {}:{}",
                    size, saddr, sport, daddr, dport
                );
            }
        }
        Err(err) => println!("Error {:?}", err),
    };
}

fn main() {
    env_logger::init(); // this is optional. This makes the (rare) error logs of ferrisetw to be printed to stderr

    let tcpip_provider = Provider
        ::by_guid("7dd42a49-5329-4832-8dfd-43d979153a88") // Microsoft-Windows-Kernel-Network
        .add_callback(tcpip_callback)
        .build();

    let process_provider = Provider
        ::by_guid("70eb4f03-c1de-4f73-a051-33d13d5413bd") // Microsoft-Windows-Kernel-Registry
        .add_callback(registry_callback)
        .build();

    let user_trace = UserTrace::new()
        .enable(process_provider)
        .enable(tcpip_provider)
        .start_and_process()
        .unwrap();

    std::thread::sleep(Duration::new(10, 0));

    user_trace.stop().unwrap(); // optional. Simply dropping user_trace has the same effect
}