2025-01-17 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
This article explains how to reverse-engineer the way the Windows kernel implements registry monitoring inside the ETW framework. The editor found it very practical and shares it here; I hope you get something out of it. Let's take a look.
On Windows 7 and later, ETW ships with a built-in provider for registry activity; it can be viewed, enabled and disabled in Windows Event Viewer under Microsoft-Windows-Kernel-Registry/Analytic. The monitored operations are CreateKey_Opt, OpenKey_Opt, DeleteKey_Opt, QueryKey_Opt, SetValueKey_Opt, DeleteValueKey_Opt and QueryValueKey_Opt, and the data each one emits differs per operation, for example:
CreateKey_Opt
    MName = 0x000001e0ca423d30 L"BaseObject"    ulongptr
    MName = 0x000001e0ca423d30 L"KeyObject"     ulongptr
    MName = 0x000001e0ca423da8 L"Status"        ULONG32
    MName = 0x000001e0ca423e20 L"Disposition"   ULONG32
    MName = 0x000001e0ca423e98 L"BaseName"      2
    MName = 0x000001e0ca423f10 L"RelativeName"  0x82
SetValueKey_Opt
    MName = 0x0000025ea4054208 L"KeyObject"                 ulongptr
    MName = 0x0000025ea4054280 L"Status"                    ULONG32
    MName = 0x0000025ea40542f8 L"Type"                      ULONG32
    MName = 0x0000025ea4054370 L"DataSize"                  ULONG32
    MName = 0x0000025ea40543e8 L"KeyName"                   2
    MName = 0x0000025ea4054460 L"ValueName"                 char*
    MName = 0x0000025ea40544d8 L"CapturedDataSize"          2
    MName = 0x0000025ea4054550 L"CapturedData"              0
    MName = 0x0000025ea40545c8 L"PreviousDataType"          ULONG32
    MName = 0x0000025ea4054640 L"PreviousDataSize"          ULONG32
    MName = 0x0000025ea40546b8 L"PreviousDataCapturedSize"  2
    MName = 0x0000025ea4054730 L"PreviousData"              0
DeleteValueKey_Opt
    MName = 0x000001f3275e5c28 L"KeyObject"  ulongptr
    MName = 0x0000025ea4054280 L"Status"     ULONG32
    MName = 0x0000025ea40543e8 L"KeyName"    2
    MName = 0x000001f3275e5d90 L"ValueName"
DeleteKey_Opt
    MName = 0x000001f3275e5c28 L"KeyObject"  ulongptr
    MName = 0x0000025ea4054280 L"Status"     ULONG32
    MName = 0x0000025ea40543e8 L"KeyName"    2
Readers can study the remaining fields themselves; today's topic is not how to use this log, but how the Windows kernel produces the data.
Ntoskrnl.exe, the Windows kernel, initializes a great deal of state at startup, and starting the ETW component is one of those steps. Near the bottom of void __fastcall EtwInitialize(unsigned int Phase) there are several calls to EtwRegister that register ETW providers, as follows:
We can see providers such as EventTracingProvGuid, KernelProvGuid, NetProvGuid and DiskProvGuid. Among these registrations is a function EtwpInitializeRegTracing(), which initializes the registry events. Following it, the implementation turns out to be very simple:
int __cdecl EtwpInitializeRegTracing()
{
    // Register the registry provider with its enable callback; the handle is kept
    // in the global EtwpRegTraceHandle and later used by EtwWrite.
    return EtwRegister(
        (_GUID *)&RegistryProvGuid,
        (void (__cdecl *)(_GUID *, unsigned int, char, unsigned __int64, unsigned __int64, _EVENT_FILTER_DESCRIPTOR *, void *))EtwpRegTraceEnableCallback,
        0i64,
        &EtwpRegTraceHandle);
}
RegistryProvGuid is the GUID of the registry provider:
{70eb4f03-c1de-4f73-a051-33d13d5413bd}
The registered callback is EtwpRegTraceEnableCallback and the registered handle is EtwpRegTraceHandle. Finally, the kernel writes the log through EtwWrite using this same handle, EtwpRegTraceHandle.
Points to note:
From the MSDN documentation, EtwRegister is defined as follows:
NTSTATUS EtwRegister(
    LPCGUID            ProviderId,
    PETWENABLECALLBACK EnableCallback,
    PVOID              CallbackContext,
    PREGHANDLE         RegHandle
);
EnableCallback is the callback the kernel invokes after a user-mode consumer calls EnableTrace; the CallbackContext passed to EtwRegister is handed back to EnableCallback. PETWENABLECALLBACK is defined as follows:
VOID EtwEnableCallback(
    LPCGUID                  SourceId,
    ULONG                    ControlCode,
    UCHAR                    Level,
    ULONGLONG                MatchAnyKeyword,
    ULONGLONG                MatchAllKeyword,
    PEVENT_FILTER_DESCRIPTOR FilterData,
    PVOID                    CallbackContext
);
ControlCode is the on/off switch (enable or disable the provider).
Level is the log level.
MatchAnyKeyword and MatchAllKeyword are the two keyword masks used for filtering.
FilterData is only available on Windows 7 and later, and is passed from user mode through EnableTraceEx or EnableTraceEx2.
Let's move on to the implementation of the EtwpRegTraceEnableCallback callback function.
When user mode enables the log, that is, when ControlCode is true, the callback registers the registry filter callback EtwpRegTraceCallback through CmRegisterCallbackEx; once registration succeeds, the global variable EtwpRegTracingEnabled is set to TRUE. When the log is disabled (ControlCode is false), CmUnRegisterCallback is called to remove the registration.
Note the following two lines:
if (FilterData && FilterData->Size == 4)
    EtwpRegTraceOptions = *(unsigned int *)FilterData->Ptr;
This is an undocumented, implicit "trick". When filter data is supplied, the global EtwpRegTraceOptions is set, and different values cause different data to be output. The default is 0; with EtwpRegTraceOptions equal to 0 the kernel only outputs basic key, value and type information and does not output the more detailed CapturedData.
Next, let's look at the EtwpRegTraceCallback function.
Here the data for QueryValueKey_Opt is assembled. Note the test EtwpRegTraceOptions & 2: as mentioned earlier, if EtwpRegTraceOptions has the flag bit 2 set, the value data read from the registry is copied into the event as well. Note that this copy is capped at 2048 bytes.
if (EtwpRegTraceOptions & 4)
    EtwpCapturePreviousRegistryData((_REG_SET_VALUE_KEY_INFORMATION *)Argument2);
If EtwpRegTraceOptions contains 4, the ValueData as it was before the set operation is also output (oddly, no maximum size is enforced here).
The other operation types work the same way and are not covered one by one; the kernel defines them as follows:
The trailing string 80000000000010000000200410000001 is the current MatchKeyword. As mentioned earlier, user mode selects which data is output through the keyword parameters of EnableTrace/EnableTraceEx/EnableTraceEx2.
Finally, the assembled data is written through the handle EtwpRegTraceHandle with EtwWrite, and ETW delivers it to whichever session enabled this provider's event IDs.
Let's write a program that shows how to obtain this log output (creating the ETW session itself is not covered again):
ULONG64 KeyWord = (ULONG64)((CreateKey_Keyword |
                             DeleteKey_Keyword |
                             SetValueKey_Keyword |
                             DeleteValueKey_Keyword) & 0xFFFF);
EVENT_FILTER_DESCRIPTOR EnableFilterDesc = {0};
ULONG dwVal = 0x02;                                    // copied by the kernel into EtwpRegTraceOptions
ULONG IsEnabled = EVENT_CONTROL_CODE_ENABLE_PROVIDER;  // 4th argument of EnableTraceEx
EnableFilterDesc.Ptr = (ULONGLONG)&dwVal;
EnableFilterDesc.Size = 4;                             // must be exactly 4, see the check in EtwpRegTraceEnableCallback
EnableTraceEx(
    &RegistryProvGuid,
    0,                    // SourceId
    M_Session,            // session handle obtained from StartTrace
    IsEnabled,
    TRACE_LEVEL_VERBOSE,
    KeyWord,              // MatchAnyKeyword
    0,                    // MatchAllKeyword
    0,                    // EnableProperty
    &EnableFilterDesc
);
Note that I fill in EnableFilterDesc with Size = 4 and dwVal = 2; this is what makes the registry code in the kernel set EtwpRegTraceOptions.
After running, the log output from the kernel can be seen:
KeyName:
ValueName:
The current operation is SetValueKey, together with the data being set.
CapturedData is output with size 1460; the data is as follows:
The data as it was before the set operation is output here as well.
At this point, the explanation and example of how the kernel implements registry ETW logging are complete. The whole design is very simple: you do not need to write a dedicated registry driver to monitor the registry, since Microsoft already provides a complete solution, though more undocumented details remain to be discovered.
That is how to reverse-engineer the way the Windows kernel implements registry monitoring in the ETW framework. The editor believes it covers knowledge points you may see or use in daily work; I hope you learned something from this article.