A ghidra script to find all ETW write metadata for each API in a PE file, including any associated public symbols.
See [BSides Brisbane] Kernel ETW is the best ETW for more details.
Many ETW events are extremely useful for cyber security, but are not (well) documented. 😞
For example, the `Kernel-Audit-API-Calls` provider sounds interesting, but all of the events are called `task_nn`.
Previously, this was a manual reversing process. Now you can run this Ghidra script on `ntoskrnl.exe` and grep the results. 😃
| Function | EVENT_DESCRIPTOR Symbol | Id | CallPath |
|---|---|---|---|
| PsSetLoadImageNotifyRoutine | KERNEL_AUDIT_API_PSSETLOADIMAGENOTIFYROUTINE | 1 | PsSetLoadImageNotifyRoutine->PsSetLoadImageNotifyRoutineEx |
| PsSetLoadImageNotifyRoutineEx | KERNEL_AUDIT_API_PSSETLOADIMAGENOTIFYROUTINE | 1 | PsSetLoadImageNotifyRoutineEx |
| NtTerminateProcess | KERNEL_AUDIT_API_TERMINATEPROCESS | 2 | NtTerminateProcess->PspLogAuditTerminateRemoteProcessEvent |
| NtCreateSymbolicLinkObject | KERNEL_AUDIT_API_CREATESYMBOLICLINKOBJECT | 3 | NtCreateSymbolicLinkObjec |
| IoCreateSymbolicLink | KERNEL_AUDIT_API_CREATESYMBOLICLINKOBJECT | 3 | IoCreateSymbolicLink->IoCreateSymbolicLink2->ObCreateSymbolicLink |
| NtSetContextThread | KERNEL_AUDIT_API_SETCONTEXTTHREAD | 4 | NtSetContextThread |
| NtOpenProcess | KERNEL_AUDIT_API_OPENPROCESS | 5 | NtOpenProcess->PsOpenProcess |
| NtAlpcOpenSenderProcess | KERNEL_AUDIT_API_OPENPROCESS | 5 | NtAlpcOpenSenderProcess->PsOpenProcess |
| NtOpenThread | KERNEL_AUDIT_API_OPENTHREAD | 6 | NtOpenThread->PsOpenThread |
| NtAlpcOpenSenderThread | KERNEL_AUDIT_API_OPENTHREAD | 6 | NtAlpcOpenSenderThread->PsOpenThread |
| IoRegisterLastChanceShutdownNotification | KERNEL_AUDIT_API_IOREGISTERLASTCHANCESHUTDOWNNOTIFICATION | 7 | IoRegisterLastChanceShutdownNotification->IopLogAuditIoRegisterNotificationEvent |
| IoRegisterShutdownNotification | KERNEL_AUDIT_API_IOREGISTERSHUTDOWNNOTIFICATION | 8 | IoRegisterShutdownNotification->IopLogAuditIoRegisterNotificationEvent |
There are also trace providers (TraceLogging and WPP) which are not documented by design. This level of debug tracing is intended for the developer only, but might also prove useful for security. For example, the `Microsoft.Windows.Kernel.SysEnv` TraceLogging provider includes a `SetVariable` event which might be useful.
- A full dump of all kernel ETW events is much, much longer.
- By default I also only emit the shallowest events in the call graph. The deeper ones are usually error handling.
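To make the table above and the "shallowest only" rule concrete, here is an added, stand-alone illustration of that logic (not code from DumpEtwWrites.java): it decodes the 16-byte EVENT_DESCRIPTOR that sits at each descriptor symbol, walks a call graph breadth-first from each API, and emits the same Function / Symbol / Id / CallPath rows, keeping only the shallowest write per API by default. The call graph, descriptor bytes, `ObpSampleLogFailure` and `SAMPLE_ERROR_EVENT` are constructed sample data modelled on the ntoskrnl rows, not values taken from a real binary.

```python
import struct
from collections import deque

def parse_event_descriptor(raw):
    """Decode the 16-byte little-endian EVENT_DESCRIPTOR (evntprov.h) at a symbol."""
    fields = ("Id", "Version", "Channel", "Level", "Opcode", "Task", "Keyword")
    return dict(zip(fields, struct.unpack("<HBBBBHQ", raw[:16])))

def shallowest_event_writes(call_graph, writers, descriptors, roots, shallowest_only=True):
    """Per root API, BFS the call graph and record the first (shortest) path to each
    EVENT_DESCRIPTOR written below it, returning (Function, Symbol, Id, CallPath) rows.
    shallowest_only keeps only minimum-depth descriptors; deeper ones are usually error handling."""
    rows = []
    for root in roots:
        seen, queue, found = {root}, deque([(root, [root])]), {}
        while queue:
            func, path = queue.popleft()
            for sym in writers.get(func, ()):
                found.setdefault(sym, path)  # BFS order: first hit is the shallowest path
            for callee in call_graph.get(func, ()):
                if callee not in seen:
                    seen.add(callee)
                    queue.append((callee, path + [callee]))
        if not found:
            continue
        min_depth = min(len(p) for p in found.values())
        for sym, path in found.items():
            if not shallowest_only or len(path) == min_depth:
                rows.append((root, sym, parse_event_descriptor(descriptors[sym])["Id"], "->".join(path)))
    return rows

# Constructed sample modelled on the ntoskrnl table above. The descriptor bytes,
# ObpSampleLogFailure and SAMPLE_ERROR_EVENT are made up for illustration only.
def sample_descriptor(event_id, level=4):
    return struct.pack("<HBBBBHQ", event_id, 0, 0, level, 0, event_id, 0)

DESCRIPTORS = {"KERNEL_AUDIT_API_OPENPROCESS": sample_descriptor(5),
               "KERNEL_AUDIT_API_CREATESYMBOLICLINKOBJECT": sample_descriptor(3),
               "SAMPLE_ERROR_EVENT": sample_descriptor(99, level=2)}
CALL_GRAPH = {"NtOpenProcess": ["PsOpenProcess"], "NtAlpcOpenSenderProcess": ["PsOpenProcess"],
              "IoCreateSymbolicLink": ["IoCreateSymbolicLink2"],
              "IoCreateSymbolicLink2": ["ObCreateSymbolicLink"],
              "ObCreateSymbolicLink": ["ObpSampleLogFailure"]}
WRITERS = {"PsOpenProcess": ["KERNEL_AUDIT_API_OPENPROCESS"],
           "ObCreateSymbolicLink": ["KERNEL_AUDIT_API_CREATESYMBOLICLINKOBJECT"],
           "ObpSampleLogFailure": ["SAMPLE_ERROR_EVENT"]}
ROOTS = ["NtOpenProcess", "NtAlpcOpenSenderProcess", "IoCreateSymbolicLink"]
if __name__ == "__main__":
    for row in shallowest_event_writes(CALL_GRAPH, WRITERS, DESCRIPTORS, ROOTS):
        print(" | ".join(map(str, row)))
```

Passing `shallowest_only=False` also surfaces the deeper `SAMPLE_ERROR_EVENT` write under `IoCreateSymbolicLink`, which is the kind of error-path event the default output suppresses.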
The quality of the output depends on the quality of the decompilation. With the help of public symbols, Ghidra is pretty good out of the box for Windows binaries. But if you're not getting the results you want, some manual reversing might help.
Sometimes you'll encounter a novel design pattern not supported by the script. For example, `lsasrv.dll` stores provider handles in a generic table using Adelson-Velsky/Landis (AVL) trees. So, in order to automatically extract the provider GUIDs, the script would need to be updated to understand the GenericTableAvl APIs.
I'm still missing support for some event write edge cases, but I've tried to flag these in the script output.
- Import the file to analyse - such as `ntoskrnl.exe`
- Open the Code Browser - but don't autoanalyze just yet. We want types and symbols available.
- Add relevant type archives first. I've provided a minimal ETW header, but I use ntddk64.gdt (or winapi64.gdt for usermode binaries).
- Load the PDB. This will trigger autoanalyze - so go make a ☕...
- Add the local path to this repo to Script Manager's directories and refresh the list.
- Run `DumpEtwWrites.java`