etw

package module

v0.0.17 Latest Latest Go to latest Published: Jul 27, 2022 License: MIT Imports: 5 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

git.sr.ht/~umgeher/etw

Links

Open Source Insights

README ¶

etw

etw is a Go-package that allows you to receive Event Tracing for Windows (ETW) events in go code.

etw allows you to process events from new TraceLogging providers as well as from classic (aka EventLog) providers, so you could actually listen to anything you can see in Event Viewer window.

ETW API expects you to pass stdcall callback to process events, so etw requires CGO to be used. To use etw you need to have mingw-w64 installed and pass some environment to the Go compiler (take a look at build/vars.sh and examples/tracer/Makefile).

Docs

Package reference is available at https://pkg.go.dev/github.com/bi-zone/etw

Examples are located in examples folder.

Usage

package main

import (
	"log"
	"os"
	"os/signal"
	"sync"

	"github.com/bi-zone/etw"
	"golang.org/x/sys/windows"
)

func main() {
	// Subscribe to Microsoft-Windows-DNS-Client
	guid, _ := windows.GUIDFromString("{1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}")
	session, err := etw.NewSession(guid)
	if err != nil {
		log.Fatalf("Failed to create etw session: %s", err)
	}

	// Wait for "DNS query request" events to log outgoing DNS requests.
	cb := func(e *etw.Event) {
		if e.Header.ID != 3006 {
			return
		}
		if data, err := e.EventProperties(); err == nil && data["QueryType"] == "1" {
			log.Printf("PID %d just queried DNS for domain %v", e.Header.ProcessID, data["QueryName"])
		}
	}

	// `session.Process` blocks until `session.Close()`, so start it in routine.
	var wg sync.WaitGroup
	wg.Add(1)
	go func() {
		if err := session.Process(cb); err != nil {
			log.Printf("[ERR] Got error processing events: %s", err)
		}
		wg.Done()
	}()

	// Trap cancellation.
	sigCh := make(chan os.Signal, 1)
	signal.Notify(sigCh, os.Interrupt)
	<-sigCh

	if err := session.Close(); err != nil {
		log.Printf("[ERR] Got error closing the session: %s", err)
	}
	wg.Wait()
}

Note: to run the example you may need to pass CGO-specific variables to Go compiler, the easiest way to do it is:

bash -c 'source ./build/vars.sh && go run main.go'

More sophisticated examples can be found in examples folder.

Contributing

Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.

Please make sure to update tests as appropriate.

Documentation ¶

Rendered for

Index ¶

type PoolSession
- func NewPoolSession(options ...Option) (*PoolSession, error)
- func (s *PoolSession) Process(cb EventCallback) error
- func (s *PoolSession) SubscribeToProvider(guid windows.GUID, bmaskAll uint64, bmaskAny uint64) error

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type PoolSession ¶

type PoolSession struct {
	// contains filtered or unexported fields
}

func NewPoolSession ¶

func NewPoolSession(options ...Option) (*PoolSession, error)

func (*PoolSession) Process ¶ added in v0.0.5

func (s *PoolSession) Process(cb EventCallback) error

func (*PoolSession) SubscribeToProvider ¶ added in v0.0.5

func (s *PoolSession) SubscribeToProvider(guid windows.GUID, bmaskAll uint64, bmaskAny uint64) error

Source Files ¶

View all Source files

pool.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL