Skip to main content

windows_erg/etw/decode/
events.rs

1#![allow(missing_docs)]
2
3use crate::types::ProcessId;
4use std::net::IpAddr;
5
6/// A decoded ETW event with typed fields.
7#[derive(Debug, Clone)]
8pub enum DecodedEvent {
9    /// Process start event (opcode 1).
10    ProcessStart(ProcessStartEvent),
11    /// Process end event (opcode 2).
12    ProcessEnd(ProcessEndEvent),
13    /// Image load event (opcode 10).
14    ImageLoad(ImageLoadEvent),
15    /// Image unload event (opcode 2).
16    ImageUnload(ImageUnloadEvent),
17    /// TCP/IP kernel event.
18    Tcp(TcpEvent),
19    /// Registry kernel event.
20    Registry(RegistryEvent),
21    /// File I/O kernel event.
22    FileIo(FileIoEvent),
23    /// Generic schema-decoded fields (typically from TDH parsing).
24    Generic(Vec<EventField>),
25    /// Event was not recognized by the direct decoders.
26    Unknown,
27}
28
29/// A named field decoded from ETW payload data.
30#[derive(Debug, Clone)]
31pub struct EventField {
32    pub name: String,
33    pub value: EventFieldValue,
34}
35
36/// Typed value for a schema-decoded ETW field.
37#[derive(Debug, Clone)]
38pub enum EventFieldValue {
39    /// UTF-8 string value.
40    String(String),
41    /// IP address value (IPv4 or IPv6).
42    IpAddr(IpAddr),
43    /// Unsigned 8-bit integer.
44    U8(u8),
45    /// Unsigned 16-bit integer.
46    U16(u16),
47    /// Unsigned 32-bit integer.
48    U32(u32),
49    /// Unsigned 64-bit integer.
50    U64(u64),
51    /// Signed 32-bit integer.
52    I32(i32),
53    /// Signed 64-bit integer.
54    I64(i64),
55    /// Boolean value.
56    Bool(bool),
57    /// GUID value.
58    Guid(windows::core::GUID),
59    /// Opaque binary payload.
60    Binary(Vec<u8>),
61    /// Pointer-sized address represented as u64.
62    Pointer(u64),
63}
64
65/// Decoded operation kind for TCP kernel provider events.
66#[derive(Debug, Clone, Copy, PartialEq, Eq)]
67pub enum TcpOperation {
68    /// Outbound data send.
69    Send,
70    /// Inbound data receive.
71    Receive,
72    /// Connection establishment.
73    Connect,
74    /// Connection teardown.
75    Disconnect,
76    /// Retransmitted segment.
77    Retransmit,
78    /// Accepted incoming connection.
79    Accept,
80    /// Reconnect attempt or completion.
81    Reconnect,
82    /// Data copy operation.
83    Copy,
84    /// Opcode did not match a known TCP operation.
85    Unknown,
86}
87
88/// Typed representation of a decoded TCP event.
89#[derive(Debug, Clone)]
90pub struct TcpEvent {
91    pub operation: TcpOperation,
92    pub process_id: Option<ProcessId>,
93    pub source_ip: Option<IpAddr>,
94    pub source_port: Option<u16>,
95    pub destination_ip: Option<IpAddr>,
96    pub destination_port: Option<u16>,
97    pub size: Option<u32>,
98    pub sequence_number: Option<u32>,
99}
100
101/// Decoded operation kind for Registry kernel provider events.
102#[derive(Debug, Clone, Copy, PartialEq, Eq)]
103pub enum RegistryOperation {
104    /// Create key operation.
105    Create,
106    /// Open key operation.
107    Open,
108    /// Delete key operation.
109    DeleteKey,
110    /// Query key metadata.
111    QueryKey,
112    /// Set value data.
113    SetValue,
114    /// Delete value data.
115    DeleteValue,
116    /// Query value data.
117    QueryValue,
118    /// Enumerate subkeys.
119    EnumerateKey,
120    /// Enumerate values.
121    EnumerateValue,
122    /// Set key information metadata.
123    SetInformation,
124    /// Opcode did not match a known registry operation.
125    Unknown,
126}
127
128/// Typed representation of a decoded Registry event.
129#[derive(Debug, Clone)]
130pub struct RegistryEvent {
131    pub operation: RegistryOperation,
132    pub process_id: Option<ProcessId>,
133    pub key_name: Option<String>,
134    pub relative_name: Option<String>,
135    pub value_name: Option<String>,
136    pub status: Option<u32>,
137    pub key_handle: Option<u64>,
138}
139
140/// Decoded operation kind for File I/O kernel provider events.
141#[derive(Debug, Clone, Copy, PartialEq, Eq)]
142pub enum FileIoOperation {
143    /// File name event (type 0).
144    Name,
145    /// File create/open event (types 32, 64).
146    Create,
147    /// File rundown event (type 36).
148    Rundown,
149    /// Cleanup when the last handle is released (type 65).
150    Cleanup,
151    /// Close when file object is freed (type 66).
152    Close,
153    /// Set file information (type 69).
154    SetInformation,
155    /// Directory enumeration (type 72).
156    DirectoryEnumeration,
157    /// File buffer flush (type 73).
158    Flush,
159    /// Query file information (type 74).
160    QueryInformation,
161    /// File system control operation (type 75).
162    FileSystemControl,
163    /// End-of-operation event (type 76).
164    OperationEnd,
165    /// Directory change notification (type 77).
166    DirectoryNotification,
167    /// File read operation (type 67).
168    Read,
169    /// File write operation (type 68).
170    Write,
171    /// File delete operation (types 35, 70).
172    Delete,
173    /// File rename operation (type 71).
174    Rename,
175    /// Opcode did not match a known File I/O operation.
176    Unknown,
177}
178
179/// Typed representation of a decoded File I/O event.
180#[derive(Debug, Clone)]
181pub struct FileIoEvent {
182    pub operation: FileIoOperation,
183    pub process_id: Option<ProcessId>,
184    pub file_object: Option<u64>,
185    pub irp_ptr: Option<u64>,
186    pub file_key: Option<u64>,
187    pub open_path: Option<String>,
188    pub create_options: Option<u32>,
189    pub file_attributes: Option<u32>,
190    pub share_access: Option<u32>,
191}
192
193/// Typed representation of a decoded process start event.
194#[derive(Debug, Clone)]
195pub struct ProcessStartEvent {
196    pub process_id: ProcessId,
197    pub parent_process_id: ProcessId,
198    pub session_id: Option<u32>,
199    pub exit_status: Option<u32>,
200    pub unique_process_key: Option<u64>,
201    pub directory_table_base: Option<u64>,
202    pub image_file_name: String,
203    pub command_line: Option<String>,
204    pub user_sid: Option<String>,
205    pub version: u8,
206}
207
208/// Typed representation of a decoded process end event.
209#[derive(Debug, Clone)]
210pub struct ProcessEndEvent {
211    pub process_id: ProcessId,
212    pub parent_process_id: ProcessId,
213    pub session_id: Option<u32>,
214    pub exit_status: Option<u32>,
215    pub unique_process_key: Option<u64>,
216    pub directory_table_base: Option<u64>,
217    pub image_file_name: String,
218    pub command_line: Option<String>,
219    pub user_sid: Option<String>,
220    pub version: u8,
221}
222
223/// Typed representation of a decoded image load event.
224#[derive(Debug, Clone)]
225pub struct ImageLoadEvent {
226    pub process_id: ProcessId,
227    pub image_base: u64,
228    pub image_size: u64,
229    pub checksum: u32,
230    pub timestamp: u32,
231    pub default_base: u64,
232    pub file_name: String,
233    pub version: u8,
234}
235
236/// Typed representation of a decoded image unload event.
237#[derive(Debug, Clone)]
238pub struct ImageUnloadEvent {
239    pub process_id: ProcessId,
240    pub image_base: u64,
241    pub image_size: u64,
242    pub checksum: u32,
243    pub timestamp: u32,
244    pub default_base: u64,
245    pub file_name: String,
246    pub version: u8,
247}