Merge: core update into master

threathunters-io · Aug 1, 2024 · 5113413 · 5113413
2 parents f0bf6fb + 71bb91b
commit 5113413
Show file tree

Hide file tree

Showing 43 changed files with 2,445 additions and 759 deletions.
diff --git a/README.md b/README.md
@@ -1,16 +1,30 @@
 
 Overview
-========
-
+==============
 **bluekrabsetw** is a C++ library that simplifies interacting with ETW. It allows for any number of traces and providers to be enabled and for client code to register for event notifications from these traces. **bluekrabsetw** originates from the **krabsetw** c++ library and seeks to improve and include capabilities that have not yet been included in the former library.
 
 **bluekrabsetw** also provides code to simplify parsing generic event data into strongly typed data types. 
 
 **Threathunters.BlueKrabsetw.Native.ETW** is a C++ CLI (.NET) wrapper around **bluekrabsetw**. It provides the same functionality as bluekrabsetw to .NET applications.
 
-Examples & Documentation
-========
+> ### Additional Capabilities
+> The following capabilities have been integrated into the solution alongside the original krabsetw C++ library:
+> * **Provider Enhanced Runtime Capabilities**:
+>    * Supports enabling and disabling providers dynamically to adapt to changing requirements. This includes: Provider Addition, Removal, and Update Functionality
+>  
+> * **Session Enhanced Runtime Capabilities**:
+>    * todo
+>          
+> * **Decoupling of Functionality to Allow Better Control of Sessions**:
+>    * Provides improved modularity and flexibility, making it easier to manage and control Sessions.
+>
+> * **Improved Pre-Filtering Mechanisms**:
+>    * Optimizes data processing by allowing more efficient filtering before data is collected.
+>
+> These enhancements extend the core features of the original krabsetw C++ library, providing a more robust and flexible solution.
 
+Examples & Documentation
+==============
 * An [ETW Primer](docs/EtwPrimer.md).
 * Simple examples can be found in the `examples` folder.
 * Please refer to [KrabsExample.md](docs/KrabsExample.md) and [LobstersExample.md](docs/LobstersExample.md) for detailed examples.

diff --git a/...unters.BlueKrabsetw.Native.ETW.NetCore/Microsoft.O365.Security.Native.ETW.NetCore.vcxproj b/...unters.BlueKrabsetw.Native.ETW.NetCore/Microsoft.O365.Security.Native.ETW.NetCore.vcxproj
@@ -212,10 +212,10 @@
     <ClInclude Include="..\Threathunters.BlueKrabsetw.Native.ETW\EventTraceProperties.hpp" />
     <ClInclude Include="..\Threathunters.BlueKrabsetw.Native.ETW\Filtering\AnsiString.hpp" />
     <ClInclude Include="..\Threathunters.BlueKrabsetw.Native.ETW\Filtering\CountedString.hpp" />
-    <ClInclude Include="..\Threathunters.BlueKrabsetw.Native.ETW\Filtering\DirectEventFilter.hpp" />
     <ClInclude Include="..\Threathunters.BlueKrabsetw.Native.ETW\Filtering\EventFilter.hpp" />
     <ClInclude Include="..\Threathunters.BlueKrabsetw.Native.ETW\Filtering\Fluent.hpp" />
     <ClInclude Include="..\Threathunters.BlueKrabsetw.Native.ETW\Filtering\Predicate.hpp" />
+    <ClInclude Include="..\Threathunters.BlueKrabsetw.Native.ETW\Filtering\PreEventfilter.hpp" />
     <ClInclude Include="..\Threathunters.BlueKrabsetw.Native.ETW\Filtering\UnicodeString.hpp" />
     <ClInclude Include="..\Threathunters.BlueKrabsetw.Native.ETW\Guid.hpp" />
     <ClInclude Include="..\Threathunters.BlueKrabsetw.Native.ETW\IEventRecord.hpp" />

diff --git a/Threathunters.BlueKrabsetw.Native.ETW/Filtering/DirectEventFilter.hpp b/Threathunters.BlueKrabsetw.Native.ETW/Filtering/DirectEventFilter.hpp
diff --git a/Threathunters.BlueKrabsetw.Native.ETW/Filtering/PreEventfilter.hpp b/Threathunters.BlueKrabsetw.Native.ETW/Filtering/PreEventfilter.hpp
@@ -0,0 +1,171 @@
+#pragma once
+
+#include "../Conversions.hpp"
+#include "../EventRecordError.hpp"
+#include "../EventRecord.hpp"
+#include "../EventRecordMetadata.hpp"
+#include "../Guid.hpp"
+#include "../IEventRecord.hpp"
+#include "../IEventRecordError.hpp"
+#include "../NativePtr.hpp"
+#include "Predicate.hpp"
+
+using namespace System;
+using namespace System::Collections::Generic;
+using namespace System::Runtime::InteropServices;
+
+namespace Microsoft {
+    namespace O365 {
+        namespace Security {
+            namespace ETW {
+
+                public interface class IPrePredicate
+                {
+                public:
+                    virtual EVENT_FILTER_DESCRIPTOR operator()();
+                };
+
+                public ref class SystemFlags : public IPrePredicate
+                {
+                public:
+                    SystemFlags(unsigned long long a1, unsigned long a2)
+                        : data_(a1)
+                        , size_(a2)
+                    {}
+
+                    virtual EVENT_FILTER_DESCRIPTOR operator()()
+                    {
+                        auto native_filter = new krabs::system_flags(data_, size_);
+
+                        return native_filter->operator()();
+                    }
+
+                private:                  
+                    unsigned long long data_;
+                    unsigned long size_;
+                };
+
+                public ref class EventIds : IPrePredicate
+                {
+                public:
+                    EventIds(IEnumerable<int>^ a1)
+                        : data_(gcnew List<int>(a1))
+                        , filter_in_(true)
+                    {}
+
+                    /*EventIds(... array<int>^ a1)
+                        : data_(gcnew List<int>(a1))
+                        , filter_in_(true)
+                    {}*/
+
+                    virtual EVENT_FILTER_DESCRIPTOR operator()()
+                    {
+                        std::set<unsigned short> x;
+                        for each (auto y in data_)
+                        {
+                            x.insert(static_cast<unsigned short>(y));
+                        }
+
+                        auto native_filter = new krabs::event_ids(x, filter_in_);
+
+                        return native_filter->operator()();
+                    }
+
+                private:
+                    List<int>^ data_;
+                    bool filter_in_;
+                };
+
+                public ref class ProcessIds : IPrePredicate
+                {
+                public:
+                    ProcessIds(IEnumerable<int>^ a1)
+                        : data_(gcnew List<int>(a1))
+                    {}
+
+                    ProcessIds(... array<int>^ a1)
+                        : data_(gcnew List<int>(a1))
+                    {}
+
+                    virtual EVENT_FILTER_DESCRIPTOR operator()()
+                    {
+                        std::set<unsigned short> x;
+                        for each (auto y in data_)
+                        {
+                            x.insert(static_cast<unsigned short>(y));
+                        }
+
+                        auto native_filter = new krabs::event_ids(x, 0);
+
+                        return native_filter->operator()();
+                    }
+
+                private:
+                    List<int>^ data_;
+                };
+
+                public ref class EventNames : IPrePredicate
+                {
+                public:
+                    EventNames(bool a2, IEnumerable<String^>^ a1)
+                        : data_(gcnew List<String^>(a1))
+                        , filter_in_(a2)
+                    {}
+
+                    EventNames(bool a2, ... array<String^>^ a1)
+                        : data_(gcnew List<String^>(a1))
+                        , filter_in_(a2)
+                    {}
+
+                    virtual EVENT_FILTER_DESCRIPTOR operator()()
+                    {
+                        std::set<std::string> x;
+                        for each (auto y in data_)
+                        {
+                            x.insert(msclr::interop::marshal_as<std::string>(y));
+                        }
+
+                        auto native_filter = new krabs::event_names(x, filter_in_);
+
+                        return native_filter->operator()();
+                    }
+
+                private:
+                    List<String^>^ data_;
+                    bool filter_in_;
+                };
+
+                public ref class PreEventFilter
+                {
+                public:
+                    PreEventFilter(IEnumerable<IPrePredicate^>^ filters)
+                        : directFilterList_(gcnew List<IPrePredicate^>(filters)),
+                        filter_(new krabs::pre_event_filter())
+                    {}
+
+                    PreEventFilter(... array<IPrePredicate^>^ filters)
+                        : directFilterList_(gcnew List<IPrePredicate^>(filters)),
+                        filter_(new krabs::pre_event_filter())
+                    {}
+
+                internal:
+                    operator krabs::pre_event_filter& ()
+                    {
+                        auto count = 0;
+                        for each (auto filter in directFilterList_)
+                        {                                 
+                            filter_->descriptor_.descriptor[count++] = filter->operator()();
+                        }
+
+                        filter_->descriptor_.count = count;
+                        return *filter_;
+                    }
+
+                    NativePtr<krabs::pre_event_filter> filter_;
+                    List<IPrePredicate^>^ directFilterList_;
+                };
+            }
+        }
+    }
+}
+