Documentation
¶
Index ¶
Constants ¶
const ( // Include in the ExtendedEventInfo the security identifier (SID) of the user. EVENT_ENABLE_PROPERTY_SID = EnableProperty(0x001) // Include in the ExtendedEventInfo the terminal session identifier. EVENT_ENABLE_PROPERTY_TS_ID = EnableProperty(0x002) // Include in the ExtendedEventInfo a call stack trace for events written // using EventWrite. EVENT_ENABLE_PROPERTY_STACK_TRACE = EnableProperty(0x004) // Filters out all events that do not have a non-zero keyword specified. // By default events with 0 keywords are accepted. EVENT_ENABLE_PROPERTY_IGNORE_KEYWORD_0 = EnableProperty(0x010) // Filters out all events that are either marked as an InPrivate event or // come from a process that is marked as InPrivate. InPrivate implies that // the event or process contains some data that would be considered private // or personal. It is up to the process or event to designate itself as // InPrivate for this to work. EVENT_ENABLE_PROPERTY_EXCLUDE_INPRIVATE = EnableProperty(0x200) )
const ( TRACE_LEVEL_CRITICAL = traceLevel(1) TRACE_LEVEL_ERROR = traceLevel(2) TRACE_LEVEL_WARNING = traceLevel(3) TRACE_LEVEL_INFORMATION = traceLevel(4) TRACE_LEVEL_VERBOSE = traceLevel(5) )
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type EnableProperty ¶
EnableProperty enables a property of a provider session is subscribing for.
For more info about available properties check original API reference: https://docs.microsoft.com/en-us/windows/win32/api/evntrace/ns-evntrace-enable_trace_parameters
type EtwSession ¶
type EtwSession struct {
// contains filtered or unexported fields
}
EtwSession implements ETW consumer session.
func New ¶
func New(providerName string, traceLevel string, kernelArgs []string) (*EtwSession, error)
New creates new session with specified params.
func (*EtwSession) Process ¶
func (s *EtwSession) Process(cb func([]byte)) error
Process starts processing of ETW events. Events will be passed to @cb synchronously and sequentially. Take a look to EventCallback documentation for more info about events processing.
N.B. Process blocks until `.Close` being called!
type Event ¶
type Event struct {
Header EventHeader `json:"header"`
Info interface{} `json:"info"`
Ext interface{} `json:"ext"`
}
Event is a single event record received from ETW provider. The only thing that is parsed implicitly is an EventHeader (which just translated from C structures mostly 1:1), all other data are parsed on-demand.
Event will be passed to the user EventCallback. It's invalid to use Event methods outside of an EventCallback.
type EventDescriptor ¶
type EventDescriptor struct {
ID uint16 `json:"id"`
Version uint8 `json:"version"`
Channel uint8 `json:"channel"`
Level uint8 `json:"level"`
OpCode uint8 `json:"op_code"`
Task uint16 `json:"task"`
Keyword uint64 `json:"keyword"`
}
EventDescriptor contains low-level metadata that defines received event. Most of fields could be used to refine events filtration.
For detailed information about fields values refer to EVENT_DESCRIPTOR docs: https://docs.microsoft.com/ru-ru/windows/win32/api/evntprov/ns-evntprov-event_descriptor
type EventHeader ¶
type EventHeader struct {
Descriptor EventDescriptor `json:"descriptor"`
ThreadID uint32 `json:"thread_id"`
ProcessID uint32 `json:"process_id"`
TimeStamp time.Time `json:"ts"`
ProviderID provider.GUID `json:"provider_guid"`
ActivityID provider.GUID `json:"activity_guid"`
Flags uint16 `json:"flags"`
KernelTime uint32 `json:"kernel_time"`
UserTime uint32 `json:"user_time"`
ProcessorTime uint64 `json:"processor_time"`
}
EventHeader contains an information that is common for every ETW event record.
EventHeader fields is self-descriptive. If you need more info refer to the original struct docs: https://docs.microsoft.com/en-us/windows/win32/api/evntcons/ns-evntcons-event_header
type EventInstanceInfo ¶
type EventInstanceInfo struct {
InstanceID uint32 `json:"id"`
ParentInstanceID uint32 `json:"parent_id"`
ParentGUID provider.GUID `json:"parent_guid"`
}
EventInstanceInfo defines the relationship between events if its provided.
type EventStackTrace ¶
type EventStackTrace struct {
MatchedID uint64 `json:"matched_id"`
Addresses []uint64 `json:"addresses"`
}
EventStackTrace describes a call trace of the event occurred.
type ExistsError ¶
type ExistsError struct{ SessionName string }
ExistsError is returned by NewSession if the session name is already taken.
Having ExistsError you have an option to force kill the session:
var exists etw.ExistsError
s, err = etw.NewSession(s.guid, etw.WithName(sessionName))
if errors.As(err, &exists) {
err = etw.KillSession(exists.SessionName)
}
func (ExistsError) Error ¶
func (e ExistsError) Error() string
type ExtendedEventInfo ¶
type ExtendedEventInfo struct {
SessionID *uint32 `json:"session_id"`
ActivityID *provider.GUID `json:"activity_id"`
UserSID *windows.SID `json:"user_sid"`
InstanceInfo *EventInstanceInfo `json:"instance_info"`
StackTrace *EventStackTrace `json:"stacktrace"`
}
ExtendedEventInfo contains additional information about received event. All ExtendedEventInfo fields are optional and are nils being not set by provider.
Presence of concrete fields is controlled by WithProperty option and an ability of event provider to set the required fields.
More info about fields is available at EVENT_HEADER_EXTENDED_DATA_ITEM.ExtType documentation: https://docs.microsoft.com/en-us/windows/win32/api/evntcons/ns-evntcons-event_header_extended_data_item
Source Files