diff --git a/Malwless-Modified-exe/Newtonsoft.Json.dll b/Malwless-Modified-exe/Newtonsoft.Json.dll
new file mode 100644
index 0000000..341d08f
Binary files /dev/null and b/Malwless-Modified-exe/Newtonsoft.Json.dll differ
diff --git a/Malwless-Modified-exe/conf/PowerShell.json b/Malwless-Modified-exe/conf/PowerShell.json
new file mode 100644
index 0000000..454fc3f
--- /dev/null
+++ b/Malwless-Modified-exe/conf/PowerShell.json
@@ -0,0 +1,10 @@
+{
+ "ContextInfo": "\tSeverity = Informational\n\tHost Name = ConsoleHost\n\tHost Version = 5.1.16299.431\n\tHost ID = ...\n\t...",
+ "UserData": "",
+ "Payload": "CommandInvocation(Get-ExecutionPolicy): \"Get-ExecutionPolicy\"",
+ "MessageNumber": 1,
+ "MessageTotal": 1,
+ "ScriptBlockText": "Write-Host \"Hello, World!\"",
+ "ScriptBlockId": "eee22606-aaaa-bbbb-cccc-ad5ae03adba7",
+ "Path": "",
+}
diff --git a/Malwless-Modified-exe/conf/Sysmon.json b/Malwless-Modified-exe/conf/Sysmon.json
new file mode 100644
index 0000000..2312bf2
--- /dev/null
+++ b/Malwless-Modified-exe/conf/Sysmon.json
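Review bot: The trailing comma after `"Path": "",` on the last property of conf/PowerShell.json makes the file invalid JSON under RFC 8259; Newtonsoft's reader, which this commit ships alongside it as Newtonsoft.Json.dll, tolerates it, but any stricter consumer or linter that touches the file will reject it. Drop the comma so the last property reads `"Path": ""`.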
@@ -0,0 +1,69 @@
+{
+ "Archived": "true",
+ "CallTrace": "C:\\WINDOWS\\SYSTEM32\\ntdll.dll+a0784|C:\\WINDOWS\\System32\\KERNELBASE.dll+3df6d",
+ "ClientInfo": "user:DESKTOP-ABCDEF\\user",
+ "CommandLine": "calc.exe",
+ "Company": "Microsoft Corporation",
+ "Configuration": "C:\\Windows\\sysmon.xml",
+ "ConfigurationFileHash": "SHA1=E45082AEE50F9E89D40E03F54F2B360ECA9493F6",
+ "Consumer": "\"ActiveScriptEventConsumer.Name=\\\"Backdoor\\\"\"",
+ "Contents": "[ZoneTransfer]",
+ "CurrentDirectory": "C:\\Windows\\System32\\",
+ "Description": "Windows Calculator",
+ "Destination": "\"MsgBox(\"Hello, World!\")\"",
+ "DestinationHostname": "",
+ "DestinationIsIpv6": "false",
+ "DestinationPort": "80",
+ "DestinationPortName": "",
+ "Details": "Binary Data",
+ "Device": "\\Device\\HarddiskVolume1",
+ "EventNamespace": "\"ROOT\\\\cimv2\"",
+ "FileVersion": "10.0.16299.15 (WinBuild.160101.0800)",
+ "Filter": "\"__EventFilter.Name=\\\"Trigger\\\"\"",
+ "GrantedAccess": "0x2000",
+ "Hash": "SHA1=8236636F8344D2DC4EFE3AB0B277202DF58EAE84",
+ "Hashes": "SHA1=8236636F8344D2DC4EFE3AB0B277202DF58EAE84",
+ "Image": "C:\\Windows\\System32\\calc.exe",
+ "ImageLoaded": "C:\\Windows\\System32\\crypt32.dll",
+ "Initiated": "true",
+ "IntegrityLevel": "High",
+ "LogonId": "0x3E7",
+ "Name": "Trigger",
+ "NewName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run2",
+ "NewThreadId": "5000",
+ "Operation": "Created",
+ "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"",
+ "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+ "ParentProcessId": "4000",
+ "PipeName": "\\LSM_API_service",
+ "ProcessId": "4750",
+ "Product": "Microsoft® Windows® Operating System",
+ "Protocol": "tcp",
+ "Query": "\"SELECT * from Win32_ComputerSystem\"",
+ "QueryName": "contoso.com",
+ "QueryResults": "172.217.10.68",
+ "QueryStatus": "0",
+ "Session": 1,
+ "SchemaVersion": "4.00",
+ "Signature": "Microsoft Windows",
+ "SignatureStatus": "Valid",
+ "Signed": "true",
+ "SourceHostname": "",
+ "SourceImage": "C:\\Windows\\System32\\cmd.exe",
+ "SourceIsIpv6": "false",
+ "SourcePort": "50000",
+ "SourcePortName": "",
+ "SourceProcessId": "4015",
+ "SourceThreadId": "4500",
+ "StartAddress": "0xFFFF11AAA1C48C21",
+ "StartFunction": "",
+ "StartModule": "",
+ "State": "Stopped",
+ "TargetFilename": "C:\\Windows\\Temp\\blah.tmp",
+ "TargetImage": "C:\\Windows\\System32\\lsass.exe",
+ "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
+ "TargetProcessId": "4500",
+ "TerminalSessionId": "1",
+ "Type": "Script",
+ "Version": "7.01"
+}
diff --git a/Malwless-Modified-exe/malwless.exe b/Malwless-Modified-exe/malwless.exe
new file mode 100755
index 0000000..24b2e53
Binary files /dev/null and b/Malwless-Modified-exe/malwless.exe differ
diff --git a/Malwless-Modified-exe/rule_test.json b/Malwless-Modified-exe/rule_test.json
new file mode 100644
index 0000000..ce8ca02
--- /dev/null
+++ b/Malwless-Modified-exe/rule_test.json
@@ -0,0 +1,39 @@
+{
+ "name": "MalwLess default",
+ "version": "0.3",
+ "author": "n0dec",
+ "description": "MalwLess default test pack.",
+ "rules": {
+ "vssadmin_delete_shadows": {
+ "enabled": true,
+ "source": "Sysmon",
+ "category": "Process Create",
+ "description": "Deleted shadows copies via vssadmin.",
+ "payload": {
+ "Image": "C:\\Windows\\System32\\vssadmin.exe",
+ "CommandLine": "vssadmin.exe delete shadows /all /quiet"
+ }
+ },
+ "certutil_network_activity": {
+ "enabled": true,
+ "source": "Sysmon",
+ "category": "Network connection detected",
+ "description": "Network activity from certutil tool.",
+ "payload": {
+ "Image": "C:\\Windows\\System32\\certutil.exe",
+ "DestinationIp": "151.101.132.133",
+ "DestinationPort": 443
+ }
+ },
+ "powershell_scriptblock": {
+ "enabled": true,
+ "source": "PowerShell",
+ "category": "4104",
+ "description": "Powershell 4104 event for Invoke-Mimikatz.",
+ "payload": {
+ "ScriptBlockText": "function Invoke-Mimikatz\n{\n<#\n.SYNOPSIS\n\nThis script leverages Mimikatz 2.0 and Invoke-ReflectivePEInjection to reflectively load Mimikatz...\nblablabla...",
+ "Path": ""
+ }
+ }
+ }
+}
diff --git a/README.md b/README.md
index 81085e1..42e10c2 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,15 @@
-# MalwLess Simulation Tool (MST)
+# Modified MalwLess Simulation Tool (MST)
+***************************************************************************************************************************************************************************************
+
+

+ +This is an altered version of Malwless software created by [n0dec](https://github.com/n0dec). It exists only because the main version is not supported any longer and doesn't work with the newest versions of Sysmon. + +This version implements a simple workaround to fix this issue, it doesn't however improve the functionality in any other way. +

+ +*************************************************************************************************************************************************************************************** + `MalwLess` is an open source tool that allows you to simulate system compromise or attack behaviours without running processes or PoCs. The tool is designed to test Blue Team detections and SIEM correlation rules. It provides a framework based on rules that anyone can write, so when a new technique or attack comes out you can write your own rules and share it a with the community. These rules can simulate [Sysmon](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon) or [PowerShell](https://docs.microsoft.com/en-us/powershell/scripting/getting-started/getting-started-with-windows-powershell) events. `MalwLess` can parse the rules and write them directly to the Windows EventLog, then you can foward it to your event collector. @@ -32,8 +43,9 @@ Site: https://github.com/n0dec/MalwLess ## Download You can download the latest release from website https://n0dec.github.io/#malwless +or from releases section https://github.com/n0dec/MalwLess/releases - This release is however incompatible with the newest Sysmon versions (from Sysmon 13 upwards). -or from releases section https://github.com/n0dec/MalwLess/releases +Executable version of Malwless working with the newest Sysmon versions can be found in 'Malwless-Modified-exe' directory, inside this repository. ## Usage #### Requirements diff --git a/src/Program.cs b/src/Program.cs index 2686882..a081434 100644 --- a/src/Program.cs +++ b/src/Program.cs 
@@ -113,7 +113,12 @@ public static void Main(string[] args)
 case "12":
 SysmonClass_v12.WriteSysmonEvent(properties["category"].ToString(), properties["payload"], sysmon_config);
 break;
- default:
+ default:
+ if (int.Parse(productMajorVersion) > 13)
+ {
+ SysmonClass_vInfinity.WriteSysmonEvent(properties["category"].ToString(), properties["payload"], sysmon_config);
+ break;
+ }
 Console.WriteLine("[!] Error: Sysmon version not supported.");
 break;
 }
diff --git a/src/SysmonClass_vInfinity.cs b/src/SysmonClass_vInfinity.cs
new file mode 100644
index 0000000..220ce98
--- /dev/null
+++ b/src/SysmonClass_vInfinity.cs
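Review bot: `int.Parse(productMajorVersion) > 13` in the new default branch sends only Sysmon 14 and later to SysmonClass_vInfinity, so version 13 still reaches "Sysmon version not supported" unless a `case "13":` exists above this hunk (the switch begins outside it), while the README change in this commit says the incompatibility starts at Sysmon 13, which suggests `>= 13` was intended. `int.Parse` also throws FormatException on a version string that is not a plain integer, where the surrounding branches print an error and continue; `if (int.TryParse(productMajorVersion, out int major) && major >= 13)` keeps the default branch non-throwing. Main continues outside the hunk.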
@@ -0,0 +1,512 @@
+using System;
+using System.Security.Cryptography;
+using Newtonsoft.Json.Linq;
+
+namespace MalwLess
+{
+
+ public static class SysmonClass_vInfinity
+ {
+ public static void WriteSysmonEvent(string category, JToken payload, JToken config)
+ {
+ switch (category)
+ {
+ case "Error report":
+ writeErrorReport(payload, config);
+ break;
+ case "Process Create":
+ writeProcessCreate(payload, config);
+ break;
+ case "File creation time changed":
+ writeFileCreateTime(payload, config);
+ break;
+ case "Network connection detected":
+ writeNetworkConnect(payload, config);
+ break;
+ case "Sysmon service state changed":
+ writeServiceStateChanged(payload, config);
+ break;
+ case "Process terminated":
+ writeProcessTerminate(payload, config);
+ break;
+ case "Driver loaded":
+ writeDriverLoad(payload, config);
+ break;
+ case "Image loaded":
+ writeImageLoad(payload, config);
+ break;
+ case "CreateRemoteThread detected":
+ writeCreateRemoteThread(payload, config);
+ break;
+ case "RawAccessRead detected":
+ writeRawAccessRead(payload, config);
+ break;
+ case "Process accessed":
+ writeProcessAccess(payload, config);
+ break;
+ case "File created":
+ writeFileCreate(payload, config);
+ break;
+ case "Registry object added or deleted":
+ writeRegistryEventRegKey(payload, config);
+ break;
+ case "Registry value set":
+ writeRegistryEventRegSetValue(payload, config);
+ break;
+ case "Registry object renamed":
+ writeRegistryEventRegName(payload, config);
+ break;
+ case "File stream created":
+ writeFileCreateStreamHash(payload, config);
+ break;
+ case "Sysmon config state changed":
+ writeServiceConfigurationChanged(payload, config);
+ break;
+ case "Pipe Created":
+ writePipeEventCreate(payload, config);
+ break;
+ case "Pipe Connected":
+ writePipeEventConnect(payload, config);
+ break;
+ case "WmiEventFilter activity detected":
+ writeWmiEventFilter(payload, config);
+ break;
+ case "WmiEventConsumer activity detected":
+ writeWmiEventConsumer(payload, config);
+ break;
+ case "WmiEventConsumerToFilter activity detected":
+ writeWmiEventBinding(payload, config);
+ break;
+ case "File Delete":
+ writeFileDelete(payload, config);
+ break;
+ case "Dns query":
+ writeDnsEvent(payload, config);
+ break;
+ case "Clipboard changed":
+ writeClipboardEvent(payload, config);
+ break;
+ default:
+ Console.WriteLine("Category not supported");
+ break;
+ }
+ }
+
+ static void writeErrorReport(JToken payload, JToken config)
+ {
+
+ string UtcTime = payload.Value("UtcTime") ?? Utils.getUtcTime(0);
+ string ID = payload.Value("ID") ?? "SysmonError";
+ string Description = payload.Value("Description") ?? "Failed";
+
+ if (!Sysmon_vInfinity.Namespace.SYSMON_PROVIDER_vInfinity.EventWriteSYSMON_ERROR_EVENT(UtcTime, ID, Description))
+ Console.WriteLine("Error: Writing event");
+
+ }
+
+ static void writeProcessCreate(JToken payload, JToken config)
+ {
+
+ string RuleName = payload.Value("RuleName") ?? "";
+ string UtcTime = payload.Value("UtcTime") ?? Utils.getUtcTime(0);
+ Guid ProcessGuid = Guid.Parse(payload.Value("ProcessGuid") ?? Guid.NewGuid().ToString());
+ uint ProcessId = payload.Value("ProcessId") ?? (uint)config["ProcessId"];
+ string Image = payload.Value("Image") ?? config["Image"].ToString();
+ string FileVersion = payload.Value("FileVersion") ?? config["FileVersion"].ToString();
+ string Description = payload.Value("Description") ?? config["Description"].ToString();
+ string Product = payload.Value("Product") ?? config["Product"].ToString();
+ string Company = payload.Value("Company") ?? config["Company"].ToString();
+ string OriginalFileName = payload.Value("OriginalFileName") ?? "Test.exe" ?? config["OriginalFileName"].ToString();
+ string CommandLine = payload.Value("CommandLine") ?? config["CommandLine"].ToString();
+ string CurrentDirectory = payload.Value("CurrentDirectory") ?? config["CurrentDirectory"].ToString();
+ string User = payload.Value("User") ?? Utils.getUser();
+ Guid LogonGuid = Guid.Parse(payload.Value("LogonGuid") ?? Guid.NewGuid().ToString());
+ long LogonId = Convert.ToInt64(payload.Value("LogonId") ?? config["LogonId"].ToString(), 16);
+ uint TerminalSessionId = payload.Value("TerminalSessionId") ?? (uint)config["TerminalSessionId"];
+ string IntegrityLevel = payload.Value("IntegrityLevel") ?? config["IntegrityLevel"].ToString();
+ string Hashes = payload.Value("Hashes") ?? config["Hashes"].ToString();
+ Guid ParentProcessGuid = Guid.Parse(payload.Value("ParentProcessGuid") ?? Guid.NewGuid().ToString());
+ uint ParentProcessId = payload.Value("ParentProcessId") ?? (uint)config["ParentProcessId"];
+ string ParentImage = payload.Value("ParentImage") ?? config["ParentImage"].ToString();
+ string ParentCommandLine = payload.Value("ParentCommandLine") ?? config["ParentCommandLine"].ToString();
+
+ if (!Sysmon_vInfinity.Namespace.SYSMON_PROVIDER_vInfinity.EventWriteSYSMON_CREATE_PROCESS_EVENT(RuleName, UtcTime, ProcessGuid, ProcessId, Image, FileVersion, Description, Product, Company, OriginalFileName, CommandLine, CurrentDirectory, User, LogonGuid, LogonId, TerminalSessionId, IntegrityLevel, Hashes, ParentProcessGuid, ParentProcessId, ParentImage, ParentCommandLine))
+ Console.WriteLine("Error: Writing event");
+ }
+
+ static void writeFileCreateTime(JToken payload, JToken config)
+ {
+
+ string RuleName = payload.Value("RuleName") ?? "";
+ string UtcTime = payload.Value("UtcTime") ?? Utils.getUtcTime(0);
+ Guid ProcessGuid = Guid.Parse(payload.Value("ProcessGuid") ?? Guid.NewGuid().ToString());
+ uint ProcessId = payload.Value("ProcessId") ?? (uint)config["ProcessId"];
+ string Image = payload.Value("Image") ?? config["Image"].ToString();
+ string TargetFilename = payload.Value("TargetFilename") ?? config["TargetFilename"].ToString();
+ string CreationUtcTime = payload.Value("CreationUtcTime") ?? Utils.getUtcTime(-600);
+ string PreviousCreationUtcTime = payload.Value("PreviousCreationUtcTime") ?? Utils.getUtcTime(-600);
+
+ if (!Sysmon_vInfinity.Namespace.SYSMON_PROVIDER_vInfinity.EventWriteSYSMON_FILE_TIME_EVENT(RuleName, UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, PreviousCreationUtcTime))
+ Console.WriteLine("Error: Writing event");
+
+ }
+
+ static void writeNetworkConnect(JToken payload, JToken config)
+ {
+
+ string RuleName = payload.Value("RuleName") ?? "";
+ string UtcTime = payload.Value("UtcTime") ?? Utils.getUtcTime(0);
+ Guid ProcessGuid = Guid.Parse(payload.Value("ProcessGuid") ?? Guid.NewGuid().ToString());
+ uint ProcessId = payload.Value("ProcessId") ?? (uint)config["ProcessId"];
+ string Image = payload.Value("Image") ?? config["Image"].ToString();
+ string User = payload.Value("User") ?? Utils.getUser();
+ string Protocol = payload.Value("Protocol") ?? config["Protocol"].ToString();
+ bool Initiated = payload.Value("Initiated") ?? (bool)config["Initiated"];
+ bool SourceIsIpv6 = payload.Value("SourceIsIpv6") ?? (bool)config["SourceIsIpv6"];
+ string SourceIp = payload.Value("SourceIp") ?? Utils.getSourceIp();
+ string SourceHostname = payload.Value("SourceHostname") ?? Utils.getSourceHostname();
+ ushort SourcePort = payload.Value("SourcePort") ?? (ushort)config["SourcePort"];
+ string SourcePortName = payload.Value("SourcePortName") ?? "";
+ bool DestinationIsIpv6 = payload.Value("DestinationIsIpv6") ?? (bool)config["DestinationIsIpv6"];
+ string DestinationIp = payload.Value("DestinationIp") ?? Utils.getSourceIp();
+ string DestinationHostname = payload.Value("DestinationHostname") ?? config["DestinationHostname"].ToString();
+ ushort DestinationPort = payload.Value("DestinationPort") ?? (ushort)config["DestinationPort"];
+ string DestinationPortName = payload.Value("DestinationPortName") ?? "";
+
+ if (!Sysmon_vInfinity.Namespace.SYSMON_PROVIDER_vInfinity.EventWriteSYSMON_NETWORK_CONNECT_EVENT(RuleName, UtcTime, ProcessGuid, ProcessId, Image, User, Protocol, Initiated, SourceIsIpv6, SourceIp, SourceHostname, SourcePort, SourcePortName, DestinationIsIpv6, DestinationIp, DestinationHostname, DestinationPort, DestinationPortName))
+ Console.WriteLine("Error: Writing event");
+ }
+
+ static void writeServiceStateChanged(JToken payload, JToken config)
+ {
+
+ string UtcTime = payload.Value("UtcTime") ?? Utils.getUtcTime(0);
+ string State = payload.Value("State") ?? config["State"].ToString();
+ string Version = payload.Value("Version") ?? config["Version"].ToString();
+ string SchemaVersion = payload.Value("SchemaVersion") ?? config["SchemaVersion"].ToString();
+
+ if (!Sysmon_vInfinity.Namespace.SYSMON_PROVIDER_vInfinity.EventWriteSYSMON_SERVICE_STATE_CHANGE_EVENT(UtcTime, State, Version, SchemaVersion))
+ Console.WriteLine("Error: Writing event");
+ }
+
+ static void writeProcessTerminate(JToken payload, JToken config)
+ {
+
+ string RuleName = payload.Value("RuleName") ?? "";
+ string UtcTime = payload.Value("UtcTime") ?? Utils.getUtcTime(0);
+ Guid ProcessGuid = Guid.Parse(payload.Value("ProcessGuid") ?? Guid.NewGuid().ToString());
+ uint ProcessId = payload.Value("ProcessId") ?? (uint)config["ProcessId"];
+ string Image = payload.Value("Image") ?? config["Image"].ToString();
+
+ if (!Sysmon_vInfinity.Namespace.SYSMON_PROVIDER_vInfinity.EventWriteSYSMON_PROCESS_TERMINATE_EVENT(RuleName, UtcTime, ProcessGuid, ProcessId, Image))
+ Console.WriteLine("Error: Writing event");
+ }
+
+ static void writeDriverLoad(JToken payload, JToken config)
+ {
+
+ string RuleName = payload.Value("RuleName") ?? "";
+ string UtcTime = payload.Value("UtcTime") ?? Utils.getUtcTime(0);
+ string ImageLoaded = payload.Value("ImageLoaded") ?? config["ImageLoaded"].ToString();
+ string Hashes = payload.Value("Hashes") ?? config["Hashes"].ToString();
+ string Signed = payload.Value("Signed") ?? config["Signed"].ToString();
+ string Signature = payload.Value("Signature") ?? config["Signature"].ToString();
+ string SignatureStatus = payload.Value("SignatureStatus") ?? config["SignatureStatus"].ToString();
+
+ if (!Sysmon_vInfinity.Namespace.SYSMON_PROVIDER_vInfinity.EventWriteSYSMON_DRIVER_LOAD_EVENT(RuleName, UtcTime, ImageLoaded, Hashes, Signed, Signature, SignatureStatus))
+ Console.WriteLine("Error: Writing event");
+ }
+
+ static void writeImageLoad(JToken payload, JToken config)
+ {
+
+ string RuleName = payload.Value("RuleName") ?? "";
+ string UtcTime = payload.Value("UtcTime") ?? Utils.getUtcTime(0);
+ Guid ProcessGuid = Guid.Parse(payload.Value("ProcessGuid") ?? Guid.NewGuid().ToString());
+ uint ProcessId = payload.Value("ProcessId") ?? (uint)config["ProcessId"];
+ string Image = payload.Value("Image") ?? config["Image"].ToString();
+ string ImageLoaded = payload.Value("ImageLoaded") ?? config["ImageLoaded"].ToString();
+ string FileVersion = payload.Value("FileVersion") ?? config["FileVersion"].ToString();
+ string Description = payload.Value("Description") ?? config["Description"].ToString();
+ string Product = payload.Value("Product") ?? config["Product"].ToString();
+ string Company = payload.Value("Company") ?? config["Company"].ToString();
+ string OriginalFileName = payload.Value("OriginalFileName") ?? config["OriginalFileName"].ToString();
+ string Hashes = payload.Value("Hashes") ?? config["Hashes"].ToString();
+ string Signed = payload.Value("Signed") ?? config["Signed"].ToString();
+ string Signature = payload.Value("Signature") ?? config["Signature"].ToString();
+ string SignatureStatus = payload.Value("SignatureStatus") ?? config["SignatureStatus"].ToString();
+
+ if (!Sysmon_vInfinity.Namespace.SYSMON_PROVIDER_vInfinity.EventWriteSYSMON_IMAGE_LOAD_EVENT(RuleName, UtcTime, ProcessGuid, ProcessId, Image, ImageLoaded, FileVersion, Description, Product, Company, OriginalFileName, Hashes, Signed, Signature, SignatureStatus))
+ Console.WriteLine("Error: Writing event");
+ }
+
+ static void writeCreateRemoteThread(JToken payload, JToken config)
+ {
+
+ string RuleName = payload.Value("RuleName") ?? "";
+ string UtcTime = payload.Value("UtcTime") ?? Utils.getUtcTime(0);
+ Guid SourceProcessGuid = Guid.Parse(payload.Value("SourceProcessGuid") ?? Guid.NewGuid().ToString());
+ uint SourceProcessId = payload.Value("SourceProcessId") ?? (uint)config["SourceProcessId"];
+ string SourceImage = payload.Value("SourceImage") ?? config["SourceImage"].ToString();
+ Guid TargetProcessGuid = Guid.Parse(payload.Value("TargetProcessGuid") ?? Guid.NewGuid().ToString());
+ uint TargetProcessId = payload.Value("TargetProcessId") ?? (uint)config["TargetProcessId"];
+ string TargetImage = payload.Value("TargetImage") ?? config["TargetImage"].ToString();
+ uint NewThreadId = payload.Value("NewThreadId") ?? (uint)config["NewThreadId"];
+ string StartAddress = payload.Value("StartAddress") ?? config["StartAddress"].ToString();
+ string StartModule = payload.Value("StartModule") ?? config["StartModule"].ToString();
+ string StartFunction = payload.Value("StartFunction") ?? config["StartFunction"].ToString();
+
+ if (!Sysmon_vInfinity.Namespace.SYSMON_PROVIDER_vInfinity.EventWriteSYSMON_CREATE_REMOTE_THREAD_EVENT(RuleName, UtcTime, SourceProcessGuid, SourceProcessId, SourceImage, TargetProcessGuid, TargetProcessId, TargetImage, NewThreadId, StartAddress, StartModule, StartFunction))
+ Console.WriteLine("Error: Writing event");
+ }
+
+ static void writeRawAccessRead(JToken payload, JToken config)
+ {
+
+ string RuleName = payload.Value("RuleName") ?? "";
+ string UtcTime = payload.Value("UtcTime") ?? Utils.getUtcTime(0);
+ Guid ProcessGuid = Guid.Parse(payload.Value("ProcessGuid") ?? Guid.NewGuid().ToString());
+ uint ProcessId = payload.Value("ProcessId") ?? (uint)config["ProcessId"];
+ string Image = payload.Value("Image") ?? config["Image"].ToString();
+ string Device = payload.Value("Device") ?? config["Device"].ToString();
+
+ if (!Sysmon_vInfinity.Namespace.SYSMON_PROVIDER_vInfinity.EventWriteSYSMON_RAWACCESS_READ_EVENT(RuleName, UtcTime, ProcessGuid, ProcessId, Image, Device))
+ Console.WriteLine("Error: Writing event");
+ }
+
+ static void writeProcessAccess(JToken payload, JToken config)
+ {
+
+ string RuleName = payload.Value("RuleName") ?? "";
+ string UtcTime = payload.Value("UtcTime") ?? Utils.getUtcTime(0);
+ Guid SourceProcessGUID = Guid.Parse(payload.Value("SourceProcessGUID") ?? Guid.NewGuid().ToString());
+ uint SourceProcessId = payload.Value("SourceProcessId") ?? (uint)config["SourceProcessId"];
+ uint SourceThreadId = payload.Value("SourceThreadId") ?? (uint)config["SourceThreadId"];
+ string SourceImage = payload.Value("SourceImage") ?? config["SourceImage"].ToString();
+ Guid TargetProcessGUID = Guid.Parse(payload.Value("TargetProcessGUID") ?? Guid.NewGuid().ToString());
+ uint TargetProcessId = payload.Value("TargetProcessId") ?? (uint)config["TargetProcessId"];
+ string TargetImage = payload.Value("TargetImage") ?? config["TargetImage"].ToString();
+ int GrantedAccess = Convert.ToInt32(payload.Value("GrantedAccess") ?? config["GrantedAccess"].ToString(), 16);
+ string CallTrace = payload.Value("CallTrace") ?? config["CallTrace"].ToString();
+
+ if (!Sysmon_vInfinity.Namespace.SYSMON_PROVIDER_vInfinity.EventWriteSYSMON_ACCESS_PROCESS_EVENT(RuleName, UtcTime, SourceProcessGUID, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGUID, TargetProcessId, TargetImage, GrantedAccess, CallTrace))
+ Console.WriteLine("Error: Writing event");
+ }
+
+ static void writeFileCreate(JToken payload, JToken config)
+ {
+
+ string RuleName = payload.Value("RuleName") ?? "";
+ string UtcTime = payload.Value("UtcTime") ?? Utils.getUtcTime(0);
+ Guid ProcessGuid = Guid.Parse(payload.Value("ProcessGuid") ?? Guid.NewGuid().ToString());
+ uint ProcessId = payload.Value("ProcessId") ?? (uint)config["ProcessId"];
+ string Image = payload.Value("Image") ?? config["Image"].ToString();
+ string TargetFilename = payload.Value("TargetFilename") ?? config["TargetFilename"].ToString();
+ string CreationUtcTime = payload.Value("CreationUtcTime") ?? Utils.getUtcTime(-600);
+
+ if (!Sysmon_vInfinity.Namespace.SYSMON_PROVIDER_vInfinity.EventWriteSYSMON_FILE_CREATE_EVENT(RuleName, UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime))
+ Console.WriteLine("Error: Writing event");
+ }
+
+ static void writeRegistryEventRegKey(JToken payload, JToken config)
+ {
+
+ string RuleName = payload.Value("RuleName") ?? "";
+ string EventType = payload.Value("EventType") ?? "CreateKey";
+ string UtcTime = payload.Value("UtcTime") ?? Utils.getUtcTime(0);
+ Guid ProcessGuid = Guid.Parse(payload.Value("ProcessGuid") ?? Guid.NewGuid().ToString());
+ uint ProcessId = payload.Value("ProcessId") ?? (uint)config["ProcessId"];
+ string Image = payload.Value("Image") ?? config["Image"].ToString();
+ string TargetObject = payload.Value("TargetObject") ?? config["TargetObject"].ToString();
+
+ if (!Sysmon_vInfinity.Namespace.SYSMON_PROVIDER_vInfinity.EventWriteSYSMON_REG_KEY_EVENT(RuleName, EventType, UtcTime, ProcessGuid, ProcessId, Image, TargetObject))
+ Console.WriteLine("Error: Writing event");
+ }
+
+ static void writeRegistryEventRegSetValue(JToken payload, JToken config)
+ {
+
+ string RuleName = payload.Value("RuleName") ?? "";
+ string EventType = payload.Value("EventType") ?? "SetValue";
+ string UtcTime = payload.Value("UtcTime") ?? Utils.getUtcTime(0);
+ Guid ProcessGuid = Guid.Parse(payload.Value("ProcessGuid") ?? Guid.NewGuid().ToString());
+ uint ProcessId = payload.Value("ProcessId") ?? (uint)config["ProcessId"];
+ string Image = payload.Value("Image") ?? config["Image"].ToString();
+ string TargetObject = payload.Value("TargetObject") ?? config["TargetObject"].ToString();
+ string Details = payload.Value("Details") ?? config["Details"].ToString();
+
+ if (!Sysmon_vInfinity.Namespace.SYSMON_PROVIDER_vInfinity.EventWriteSYSMON_REG_SETVALUE_EVENT(RuleName, EventType, UtcTime, ProcessGuid, ProcessId, Image, TargetObject, Details))
+ Console.WriteLine("Error: Writing event");
+ }
+
+ static void writeRegistryEventRegName(JToken payload, JToken config)
+ {
+
+ string RuleName = payload.Value("RuleName") ?? "";
+ string EventType = payload.Value("EventType") ?? "RenameKey";
+ string UtcTime = payload.Value("UtcTime") ?? Utils.getUtcTime(0);
+ Guid ProcessGuid = Guid.Parse(payload.Value("ProcessGuid") ?? Guid.NewGuid().ToString());
+ uint ProcessId = payload.Value("ProcessId") ?? (uint)config["ProcessId"];
+ string Image = payload.Value("Image") ?? config["Image"].ToString();
+ string TargetObject = payload.Value("TargetObject") ?? config["TargetObject"].ToString();
+ string NewName = payload.Value("NewName") ?? config["NewName"].ToString();
+
+ if (!Sysmon_vInfinity.Namespace.SYSMON_PROVIDER_vInfinity.EventWriteSYSMON_REG_NAME_EVENT(RuleName, EventType, UtcTime, ProcessGuid, ProcessId, Image, TargetObject, NewName))
+ Console.WriteLine("Error: Writing event");
+ }
+
+ static void writeFileCreateStreamHash(JToken payload, JToken config)
+ {
+
+ string RuleName = payload.Value("RuleName") ?? "";
+ string UtcTime = payload.Value("UtcTime") ?? Utils.getUtcTime(0);
+ Guid ProcessGuid = Guid.Parse(payload.Value("ProcessGuid") ?? Guid.NewGuid().ToString());
+ uint ProcessId = payload.Value("ProcessId") ?? (uint)config["ProcessId"];
+ string Image = payload.Value("Image") ?? config["Image"].ToString();
+ string TargetFilename = payload.Value("TargetFilename") ?? config["TargetFilename"].ToString();
+ string CreationUtcTime = payload.Value("CreationUtcTime") ?? Utils.getUtcTime(-600);
+ string Hash = payload.Value("Hash") ?? config["Hash"].ToString();
+ string Contents = payload.Value("Contents") ?? config["Contents"].ToString();
+
+ if (!Sysmon_vInfinity.Namespace.SYSMON_PROVIDER_vInfinity.EventWriteSYSMON_FILE_CREATE_STREAM_HASH_EVENT(RuleName, UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, Hash, Contents))
+ Console.WriteLine("Error: Writing event");
+ }
+
+ static void writeServiceConfigurationChanged(JToken payload, JToken config)
+ {
+
+ string UtcTime = payload.Value("UtcTime") ?? Utils.getUtcTime(0);
+ string Configuration = payload.Value("Configuration") ?? config["Configuration"].ToString();
+ string ConfigurationFileHash = payload.Value("ConfigurationFileHash") ?? config["ConfigurationFileHash"].ToString();
+
+ if (!Sysmon_vInfinity.Namespace.SYSMON_PROVIDER_vInfinity.EventWriteSYSMON_SERVICE_CONFIGURATION_CHANGE_EVENT(UtcTime, Configuration, ConfigurationFileHash))
+ Console.WriteLine("Error: Writing event");
+ }
+
+ static void writePipeEventCreate(JToken payload, JToken config)
+ {
+
+ string RuleName = payload.Value("RuleName") ?? "";
+ string EventType = payload.Value("EventType") ?? "CreatePipe";
+ string UtcTime = payload.Value("UtcTime") ?? Utils.getUtcTime(0);
+ Guid ProcessGuid = Guid.Parse(payload.Value("ProcessGuid") ?? Guid.NewGuid().ToString());
+ uint ProcessId = payload.Value("ProcessId") ?? (uint)config["ProcessId"];
+ string PipeName = payload.Value("PipeName") ?? config["PipeName"].ToString();
+ string Image = payload.Value("Image") ?? config["Image"].ToString();
+
+ if (!Sysmon_vInfinity.Namespace.SYSMON_PROVIDER_vInfinity.EventWriteSYSMON_CREATE_NAMEDPIPE_EVENT(RuleName, EventType, UtcTime, ProcessGuid, ProcessId, PipeName, Image))
+ Console.WriteLine("Error: Writing event");
+ }
+
+ static void writePipeEventConnect(JToken payload, JToken config)
+ {
+
+ string RuleName = payload.Value("RuleName") ?? "";
+ string EventType = payload.Value("EventType") ?? "ConnectPipe";
+ string UtcTime = payload.Value("UtcTime") ?? Utils.getUtcTime(0);
+ Guid ProcessGuid = Guid.Parse(payload.Value("ProcessGuid") ?? Guid.NewGuid().ToString());
+ uint ProcessId = payload.Value("ProcessId") ?? (uint)config["ProcessId"];
+ string PipeName = payload.Value("PipeName") ?? config["PipeName"].ToString();
+ string Image = payload.Value("Image") ?? config["Image"].ToString();
+
+ if (!Sysmon_vInfinity.Namespace.SYSMON_PROVIDER_vInfinity.EventWriteSYSMON_CONNECT_NAMEDPIPE_EVENT(RuleName, EventType, UtcTime, ProcessGuid, ProcessId, PipeName, Image))
+ Console.WriteLine("Error: Writing event");
+ }
+
+ static void writeWmiEventFilter(JToken payload, JToken config)
+ {
+
+ string RuleName = payload.Value("RuleName") ?? "";
+ string EventType = payload.Value("EventType") ?? "WmiFilterEvent";
+ string UtcTime = payload.Value("UtcTime") ?? Utils.getUtcTime(0);
+ string Operation = payload.Value("Operation") ?? config["Operation"].ToString();
+ string User = payload.Value("User") ?? Utils.getUser();
+ string EventNamespace = payload.Value("EventNamespace") ?? config["EventNamespace"].ToString();
+ string Name = payload.Value("Name") ?? config["Name"].ToString();
+ string Query = payload.Value("Query") ?? config["Query"].ToString();
+
+ if (!Sysmon_vInfinity.Namespace.SYSMON_PROVIDER_vInfinity.EventWriteSYSMON_WMI_FILTER_EVENT(RuleName, EventType, UtcTime, Operation, User, EventNamespace, Name, Query))
+ Console.WriteLine("Error: Writing event");
+ }
+
+ static void writeWmiEventConsumer(JToken payload, JToken config)
+ {
+
+ string RuleName = payload.Value("RuleName") ?? "";
+ string EventType = payload.Value("EventType") ?? "WmiConsumerEvent";
+ string UtcTime = payload.Value("UtcTime") ?? Utils.getUtcTime(0);
+ string Operation = payload.Value("Operation") ?? config["Operation"].ToString();
+ string User = payload.Value("User") ?? Utils.getUser();
+ string Name = payload.Value("Name") ?? config["Name"].ToString();
+ string Type = payload.Value("Type") ?? config["Type"].ToString();
+ string Destination = payload.Value("Destination") ?? config["Destination"].ToString();
+
+ if (!Sysmon_vInfinity.Namespace.SYSMON_PROVIDER_vInfinity.EventWriteSYSMON_WMI_CONSUMER_EVENT(RuleName, EventType, UtcTime, Operation, User, Name, Type, Destination))
+ Console.WriteLine("Error: Writing event");
+ }
+
+ static void writeWmiEventBinding(JToken payload, JToken config)
+ {
+
+ string RuleName = payload.Value("RuleName") ?? "";
+ string EventType = payload.Value("EventType") ?? "WmiBindingEvent";
+ string UtcTime = payload.Value("UtcTime") ?? Utils.getUtcTime(0);
+ string Operation = payload.Value("Operation") ?? config["Operation"].ToString();
+ string User = payload.Value("User") ?? Utils.getUser();
+ string Consumer = payload.Value("Consumer") ?? config["Consumer"].ToString();
+ string Filter = payload.Value("Filter") ?? config["Filter"].ToString();
+
+ if (!Sysmon_vInfinity.Namespace.SYSMON_PROVIDER_vInfinity.EventWriteSYSMON_WMI_BINDING_EVENT(RuleName, EventType, UtcTime, Operation, User, Consumer, Filter))
+ Console.WriteLine("Error: Writing event");
+ }
+
+ private static void writeFileDelete(JToken payload, JToken config)
+ {
+ string RuleName = payload.Value("RuleName") ?? "";
+ string UtcTime = payload.Value("UtcTime") ?? Utils.getUtcTime(0);
+ Guid ProcessGuid = Guid.Parse(payload.Value("ProcessGuid") ?? Guid.NewGuid().ToString());
+ uint ProcessId = payload.Value("ProcessId") ?? (uint)config["ProcessId"];
+ string User = payload.Value("User") ?? Utils.getUser();
+ string Image = payload.Value("Image") ?? config["Image"].ToString();
+ string TargetFilename = payload.Value("TargetFilename") ?? config["TargetFilename"].ToString();
+ string Hashes = payload.Value("Hashes") ?? config["Hashes"].ToString();
+ bool IsExecutable = payload.Value("IsExecutable") ?? (bool)config["IsExecutable"];
+ string Archived = payload.Value("Archived") ?? config["Archived"].ToString();
+
+ if (!Sysmon_vInfinity.Namespace.SYSMON_PROVIDER_vInfinity.EventWriteSYSMON_FILE_DELETE_EVENT(RuleName, UtcTime, ProcessGuid, ProcessId, User, Image, TargetFilename, Hashes, IsExecutable, Archived))
+ Console.WriteLine("Error: Writing event");
+ }
+
+ static void writeDnsEvent(JToken payload, JToken config)
+ {
+ string RuleName = payload.Value("RuleName") ?? "";
+ string UtcTime = payload.Value("UtcTime") ?? Utils.getUtcTime(0);
+ Guid ProcessGuid = Guid.Parse(payload.Value("ProcessGuid") ?? Guid.NewGuid().ToString());
+ uint ProcessId = payload.Value("ProcessId") ?? (uint)config["ProcessId"];
+ string QueryName = payload.Value("QueryName") ?? "";
+ string QueryStatus = payload.Value("QueryStatus") ?? "";
+ string QueryResults = payload.Value("QueryResults") ?? "";
+ string Image = payload.Value("Image") ?? config["Image"].ToString();
+
+ if (!Sysmon_vInfinity.Namespace.SYSMON_PROVIDER_vInfinity.EventWriteSYSMON_DNS_QUERY_EVENT(RuleName, UtcTime, ProcessGuid, ProcessId, QueryName, QueryStatus, QueryResults, Image))
+ Console.WriteLine("Error: Writing event");
+ }
+
+ static void writeClipboardEvent(JToken payload, JToken config)
+ {
+ string RuleName = payload.Value("RuleName") ?? "";
+ string UtcTime = payload.Value("UtcTime") ?? Utils.getUtcTime(0);
+ Guid ProcessGuid = Guid.Parse(payload.Value("ProcessGuid") ?? Guid.NewGuid().ToString());
+ uint ProcessId = payload.Value("ProcessId") ?? (uint)config["ProcessId"];
+ string Image = payload.Value("Image") ?? config["Image"].ToString();
+
+ uint Session = payload.Value("Session") ?? (uint)config["Session"];
+ string ClientInfo = payload.Value("ClientInfo") ?? config["ClientInfo"].ToString();
+ string Hashes = payload.Value("Hashes") ?? config["Hashes"].ToString();
+ string Archived = payload.Value("Archived") ?? config["Archived"].ToString();
+
+ if (!Sysmon_vInfinity.Namespace.SYSMON_PROVIDER_vInfinity.EventWriteSYSMON_CLIPBOARD_EVENT(RuleName, UtcTime, ProcessGuid, ProcessId, Image, Session, ClientInfo, Hashes, Archived))
+ Console.WriteLine("Error: Writing event");
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/SysmonProvider_vInfinity.cs b/src/SysmonProvider_vInfinity.cs
new file mode 100644
index 0000000..34e80e0
--- /dev/null
+++ b/src/SysmonProvider_vInfinity.cs
@@ -0,0 +1,2011 @@ +namespace Sysmon_vInfinity.Namespace +{ + using System; + using System.Collections.Generic; + using System.Text; + using System.Diagnostics; + using System.Diagnostics.Eventing; + using Microsoft.Win32; + using System.Runtime.InteropServices; + using System.Security.Principal; + + public static class SYSMON_PROVIDER_vInfinity + { + // + // Provider "Microsoft-Windows-Sysmon" event count = 25 + // + + internal static EventProviderVersionTwo m_provider = new EventProviderVersionTwo(new Guid("5770385f-c22a-43e0-bf4c-06f5698ffbd9")); + // + // Task : eventGUIDs + // + private static Guid SysmonTask_SYSMON_ERRORId = new Guid("c511ffb3-9fbf-45f5-a97b-9bee000000ff"); + private static Guid SysmonTask_SYSMON_CREATE_PROCESSId = new Guid("c511ffb3-9fbf-45f5-a97b-9bee00000001"); + private static Guid SysmonTask_SYSMON_FILE_TIMEId = new Guid("c511ffb3-9fbf-45f5-a97b-9bee00000002"); + private static Guid SysmonTask_SYSMON_NETWORK_CONNECTId = new Guid("c511ffb3-9fbf-45f5-a97b-9bee00000003"); + private static Guid SysmonTask_SYSMON_SERVICE_STATE_CHANGEId = new Guid("c511ffb3-9fbf-45f5-a97b-9bee00000004"); + private static Guid SysmonTask_SYSMON_PROCESS_TERMINATEId = new Guid("c511ffb3-9fbf-45f5-a97b-9bee00000005"); + private static Guid SysmonTask_SYSMON_DRIVER_LOADId = new Guid("c511ffb3-9fbf-45f5-a97b-9bee00000006"); + private static Guid SysmonTask_SYSMON_IMAGE_LOADId = new Guid("c511ffb3-9fbf-45f5-a97b-9bee00000007"); + private static Guid SysmonTask_SYSMON_CREATE_REMOTE_THREADId = new Guid("c511ffb3-9fbf-45f5-a97b-9bee00000008"); + private static Guid SysmonTask_SYSMON_RAWACCESS_READId = new Guid("c511ffb3-9fbf-45f5-a97b-9bee00000009"); + private static Guid SysmonTask_SYSMON_ACCESS_PROCESSId = new Guid("c511ffb3-9fbf-45f5-a97b-9bee0000000a"); + private static Guid SysmonTask_SYSMON_FILE_CREATEId = new Guid("c511ffb3-9fbf-45f5-a97b-9bee0000000b"); + private static Guid SysmonTask_SYSMON_REG_KEYId = new Guid("c511ffb3-9fbf-45f5-a97b-9bee0000000c"); + 
private static Guid SysmonTask_SYSMON_REG_SETVALUEId = new Guid("c511ffb3-9fbf-45f5-a97b-9bee0000000d"); + private static Guid SysmonTask_SYSMON_REG_NAMEId = new Guid("c511ffb3-9fbf-45f5-a97b-9bee0000000e"); + private static Guid SysmonTask_SYSMON_FILE_CREATE_STREAM_HASHId = new Guid("c511ffb3-9fbf-45f5-a97b-9bee0000000f"); + private static Guid SysmonTask_SYSMON_SERVICE_CONFIGURATION_CHANGEId = new Guid("c511ffb3-9fbf-45f5-a97b-9bee00000010"); + private static Guid SysmonTask_SYSMON_CREATE_NAMEDPIPEId = new Guid("c511ffb3-9fbf-45f5-a97b-9bee00000011"); + private static Guid SysmonTask_SYSMON_CONNECT_NAMEDPIPEId = new Guid("c511ffb3-9fbf-45f5-a97b-9bee00000012"); + private static Guid SysmonTask_SYSMON_WMI_FILTERId = new Guid("c511ffb3-9fbf-45f5-a97b-9bee00000013"); + private static Guid SysmonTask_SYSMON_WMI_CONSUMERId = new Guid("c511ffb3-9fbf-45f5-a97b-9bee00000014"); + private static Guid SysmonTask_SYSMON_WMI_BINDINGId = new Guid("c511ffb3-9fbf-45f5-a97b-9bee00000015"); + private static Guid SysmonTask_SYSMON_DNS_QUERYId = new Guid("c511ffb3-9fbf-45f5-a97b-9bee00000016"); + private static Guid SysmonTask_SYSMON_FILE_DELETEId = new Guid("c511ffb3-9fbf-45f5-a97b-9bee00000017"); + private static Guid SysmonTask_SYSMON_CLIPBOARDId = new Guid("c511ffb3-9fbf-45f5-a97b-9bee00000018"); + + // + // Event Descriptors + // + private static EventDescriptor SYSMON_ERROR_EVENT; + private static EventDescriptor SYSMON_CREATE_PROCESS_EVENT; + private static EventDescriptor SYSMON_FILE_TIME_EVENT; + private static EventDescriptor SYSMON_NETWORK_CONNECT_EVENT; + private static EventDescriptor SYSMON_SERVICE_STATE_CHANGE_EVENT; + private static EventDescriptor SYSMON_PROCESS_TERMINATE_EVENT; + private static EventDescriptor SYSMON_DRIVER_LOAD_EVENT; + private static EventDescriptor SYSMON_IMAGE_LOAD_EVENT; + private static EventDescriptor SYSMON_CREATE_REMOTE_THREAD_EVENT; + private static EventDescriptor SYSMON_RAWACCESS_READ_EVENT; + private static EventDescriptor 
SYSMON_ACCESS_PROCESS_EVENT; + private static EventDescriptor SYSMON_FILE_CREATE_EVENT; + private static EventDescriptor SYSMON_REG_KEY_EVENT; + private static EventDescriptor SYSMON_REG_SETVALUE_EVENT; + private static EventDescriptor SYSMON_REG_NAME_EVENT; + private static EventDescriptor SYSMON_FILE_CREATE_STREAM_HASH_EVENT; + private static EventDescriptor SYSMON_SERVICE_CONFIGURATION_CHANGE_EVENT; + private static EventDescriptor SYSMON_CREATE_NAMEDPIPE_EVENT; + private static EventDescriptor SYSMON_CONNECT_NAMEDPIPE_EVENT; + private static EventDescriptor SYSMON_WMI_FILTER_EVENT; + private static EventDescriptor SYSMON_WMI_CONSUMER_EVENT; + private static EventDescriptor SYSMON_WMI_BINDING_EVENT; + private static EventDescriptor SYSMON_DNS_QUERY_EVENT; + private static EventDescriptor SYSMON_FILE_DELETE_EVENT; + private static EventDescriptor SYSMON_CLIPBOARD_EVENT; + + static SYSMON_PROVIDER_vInfinity() + { + unchecked + { + SYSMON_ERROR_EVENT = new EventDescriptor(0xff, 0x3, 0x10, 0x2, 0x0, 0xff, (long)0x8000000000000000); + SYSMON_CREATE_PROCESS_EVENT = new EventDescriptor(0x1, 0x5, 0x10, 0x4, 0x0, 0x1, (long)0x8000000000000000); + SYSMON_FILE_TIME_EVENT = new EventDescriptor(0x2, 0x5, 0x10, 0x4, 0x0, 0x2, (long)0x8000000000000000); + SYSMON_NETWORK_CONNECT_EVENT = new EventDescriptor(0x3, 0x5, 0x10, 0x4, 0x0, 0x3, (long)0x8000000000000000); + SYSMON_SERVICE_STATE_CHANGE_EVENT = new EventDescriptor(0x4, 0x3, 0x10, 0x4, 0x0, 0x4, (long)0x8000000000000000); + SYSMON_PROCESS_TERMINATE_EVENT = new EventDescriptor(0x5, 0x3, 0x10, 0x4, 0x0, 0x5, (long)0x8000000000000000); + SYSMON_DRIVER_LOAD_EVENT = new EventDescriptor(0x6, 0x4, 0x10, 0x4, 0x0, 0x6, (long)0x8000000000000000); + SYSMON_IMAGE_LOAD_EVENT = new EventDescriptor(0x7, 0x3, 0x10, 0x4, 0x0, 0x7, (long)0x8000000000000000); + SYSMON_CREATE_REMOTE_THREAD_EVENT = new EventDescriptor(0x8, 0x2, 0x10, 0x4, 0x0, 0x8, (long)0x8000000000000000); + SYSMON_RAWACCESS_READ_EVENT = new EventDescriptor(0x9, 0x2, 0x10, 
0x4, 0x0, 0x9, (long)0x8000000000000000); + SYSMON_ACCESS_PROCESS_EVENT = new EventDescriptor(0xa, 0x3, 0x10, 0x4, 0x0, 0xa, (long)0x8000000000000000); + SYSMON_FILE_CREATE_EVENT = new EventDescriptor(0xb, 0x2, 0x10, 0x4, 0x0, 0xb, (long)0x8000000000000000); + SYSMON_REG_KEY_EVENT = new EventDescriptor(0xc, 0x2, 0x10, 0x4, 0x0, 0xc, (long)0x8000000000000000); + SYSMON_REG_SETVALUE_EVENT = new EventDescriptor(0xd, 0x2, 0x10, 0x4, 0x0, 0xd, (long)0x8000000000000000); + SYSMON_REG_NAME_EVENT = new EventDescriptor(0xe, 0x2, 0x10, 0x4, 0x0, 0xe, (long)0x8000000000000000); + SYSMON_FILE_CREATE_STREAM_HASH_EVENT = new EventDescriptor(0xf, 0x2, 0x10, 0x4, 0x0, 0xf, (long)0x8000000000000000); + SYSMON_SERVICE_CONFIGURATION_CHANGE_EVENT = new EventDescriptor(0x10, 0x3, 0x10, 0x4, 0x0, 0x10, (long)0x8000000000000000); + SYSMON_CREATE_NAMEDPIPE_EVENT = new EventDescriptor(0x11, 0x1, 0x10, 0x4, 0x0, 0x11, (long)0x8000000000000000); + SYSMON_CONNECT_NAMEDPIPE_EVENT = new EventDescriptor(0x12, 0x1, 0x10, 0x4, 0x0, 0x12, (long)0x8000000000000000); + SYSMON_WMI_FILTER_EVENT = new EventDescriptor(0x13, 0x3, 0x10, 0x4, 0x0, 0x13, (long)0x8000000000000000); + SYSMON_WMI_CONSUMER_EVENT = new EventDescriptor(0x14, 0x3, 0x10, 0x4, 0x0, 0x14, (long)0x8000000000000000); + SYSMON_WMI_BINDING_EVENT = new EventDescriptor(0x15, 0x3, 0x10, 0x4, 0x0, 0x15, (long)0x8000000000000000); + SYSMON_DNS_QUERY_EVENT = new EventDescriptor(0x16, 0x5, 0x10, 0x4, 0x0, 0x16, (long)0x8000000000000000); + SYSMON_FILE_DELETE_EVENT = new EventDescriptor(0x17, 0x5, 0x10, 0x4, 0x0, 0x17, (long)0x8000000000000000); + SYSMON_CLIPBOARD_EVENT = new EventDescriptor(0x18, 0x5, 0x10, 0x4, 0x0, 0x18, (long)0x8000000000000000); + } + } + + // + // Event method for SYSMON_ERROR_EVENT + // + public static bool EventWriteSYSMON_ERROR_EVENT(string UtcTime, string ID, string Description) + { + if (!m_provider.IsEnabled()) + { + return true; + } + + return m_provider.TemplateError_report(ref SYSMON_ERROR_EVENT, UtcTime, ID, 
Description); + } + + // + // Event method for SYSMON_CREATE_PROCESS_EVENT + // + public static bool EventWriteSYSMON_CREATE_PROCESS_EVENT(string RuleName, string UtcTime, Guid ProcessGuid, uint ProcessId, string Image, string FileVersion, string Description, string Product, string Company, string OriginalFileName, string CommandLine, string CurrentDirectory, string User, Guid LogonGuid, long LogonId, uint TerminalSessionId, string IntegrityLevel, string Hashes, Guid ParentProcessGuid, uint ParentProcessId, string ParentImage, string ParentCommandLine) + { + if (!m_provider.IsEnabled()) + { + return true; + } + + return m_provider.TemplateProcess_Create(ref SYSMON_CREATE_PROCESS_EVENT, RuleName, UtcTime, ProcessGuid, ProcessId, Image, FileVersion, Description, Product, Company, OriginalFileName, CommandLine, CurrentDirectory, User, LogonGuid, LogonId, TerminalSessionId, IntegrityLevel, Hashes, ParentProcessGuid, ParentProcessId, ParentImage, ParentCommandLine); + } + + // + // Event method for SYSMON_FILE_TIME_EVENT + // + public static bool EventWriteSYSMON_FILE_TIME_EVENT(string RuleName, string UtcTime, Guid ProcessGuid, uint ProcessId, string Image, string TargetFilename, string CreationUtcTime, string PreviousCreationUtcTime) + { + if (!m_provider.IsEnabled()) + { + return true; + } + + return m_provider.TemplateFile_creation_time_changed(ref SYSMON_FILE_TIME_EVENT, RuleName, UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, PreviousCreationUtcTime); + } + + // + // Event method for SYSMON_NETWORK_CONNECT_EVENT + // + public static bool EventWriteSYSMON_NETWORK_CONNECT_EVENT(string RuleName, string UtcTime, Guid ProcessGuid, uint ProcessId, string Image, string User, string Protocol, bool Initiated, bool SourceIsIpv6, string SourceIp, string SourceHostname, ushort SourcePort, string SourcePortName, bool DestinationIsIpv6, string DestinationIp, string DestinationHostname, ushort DestinationPort, string DestinationPortName) + { + if 
(!m_provider.IsEnabled()) + { + return true; + } + + return m_provider.TemplateNetwork_connection_detected(ref SYSMON_NETWORK_CONNECT_EVENT, RuleName, UtcTime, ProcessGuid, ProcessId, Image, User, Protocol, Initiated, SourceIsIpv6, SourceIp, SourceHostname, SourcePort, SourcePortName, DestinationIsIpv6, DestinationIp, DestinationHostname, DestinationPort, DestinationPortName); + } + + // + // Event method for SYSMON_SERVICE_STATE_CHANGE_EVENT + // + public static bool EventWriteSYSMON_SERVICE_STATE_CHANGE_EVENT(string UtcTime, string State, string Version, string SchemaVersion) + { + if (!m_provider.IsEnabled()) + { + return true; + } + + return m_provider.TemplateSysmon_service_state_changed(ref SYSMON_SERVICE_STATE_CHANGE_EVENT, UtcTime, State, Version, SchemaVersion); + } + + // + // Event method for SYSMON_PROCESS_TERMINATE_EVENT + // + public static bool EventWriteSYSMON_PROCESS_TERMINATE_EVENT(string RuleName, string UtcTime, Guid ProcessGuid, uint ProcessId, string Image) + { + if (!m_provider.IsEnabled()) + { + return true; + } + + return m_provider.TemplateProcess_terminated(ref SYSMON_PROCESS_TERMINATE_EVENT, RuleName, UtcTime, ProcessGuid, ProcessId, Image); + } + + // + // Event method for SYSMON_DRIVER_LOAD_EVENT + // + public static bool EventWriteSYSMON_DRIVER_LOAD_EVENT(string RuleName, string UtcTime, string ImageLoaded, string Hashes, string Signed, string Signature, string SignatureStatus) + { + if (!m_provider.IsEnabled()) + { + return true; + } + + return m_provider.TemplateDriver_loaded(ref SYSMON_DRIVER_LOAD_EVENT, RuleName, UtcTime, ImageLoaded, Hashes, Signed, Signature, SignatureStatus); + } + + // + // Event method for SYSMON_IMAGE_LOAD_EVENT + // + public static bool EventWriteSYSMON_IMAGE_LOAD_EVENT(string RuleName, string UtcTime, Guid ProcessGuid, uint ProcessId, string Image, string ImageLoaded, string FileVersion, string Description, string Product, string Company, string OriginalFileName, string Hashes, string Signed, string 
Signature, string SignatureStatus) + { + if (!m_provider.IsEnabled()) + { + return true; + } + + return m_provider.TemplateImage_loaded(ref SYSMON_IMAGE_LOAD_EVENT, RuleName, UtcTime, ProcessGuid, ProcessId, Image, ImageLoaded, FileVersion, Description, Product, Company, OriginalFileName, Hashes, Signed, Signature, SignatureStatus); + } + + // + // Event method for SYSMON_CREATE_REMOTE_THREAD_EVENT + // + public static bool EventWriteSYSMON_CREATE_REMOTE_THREAD_EVENT(string RuleName, string UtcTime, Guid SourceProcessGuid, uint SourceProcessId, string SourceImage, Guid TargetProcessGuid, uint TargetProcessId, string TargetImage, uint NewThreadId, string StartAddress, string StartModule, string StartFunction) + { + if (!m_provider.IsEnabled()) + { + return true; + } + + return m_provider.TemplateCreateRemoteThread_detected(ref SYSMON_CREATE_REMOTE_THREAD_EVENT, RuleName, UtcTime, SourceProcessGuid, SourceProcessId, SourceImage, TargetProcessGuid, TargetProcessId, TargetImage, NewThreadId, StartAddress, StartModule, StartFunction); + } + + // + // Event method for SYSMON_RAWACCESS_READ_EVENT + // + public static bool EventWriteSYSMON_RAWACCESS_READ_EVENT(string RuleName, string UtcTime, Guid ProcessGuid, uint ProcessId, string Image, string Device) + { + if (!m_provider.IsEnabled()) + { + return true; + } + + return m_provider.TemplateRawAccessRead_detected(ref SYSMON_RAWACCESS_READ_EVENT, RuleName, UtcTime, ProcessGuid, ProcessId, Image, Device); + } + + // + // Event method for SYSMON_ACCESS_PROCESS_EVENT + // + public static bool EventWriteSYSMON_ACCESS_PROCESS_EVENT(string RuleName, string UtcTime, Guid SourceProcessGUID, uint SourceProcessId, uint SourceThreadId, string SourceImage, Guid TargetProcessGUID, uint TargetProcessId, string TargetImage, int GrantedAccess, string CallTrace) + { + if (!m_provider.IsEnabled()) + { + return true; + } + + return m_provider.TemplateProcess_accessed(ref SYSMON_ACCESS_PROCESS_EVENT, RuleName, UtcTime, SourceProcessGUID, 
SourceProcessId, SourceThreadId, SourceImage, TargetProcessGUID, TargetProcessId, TargetImage, GrantedAccess, CallTrace); + } + + // + // Event method for SYSMON_FILE_CREATE_EVENT + // + public static bool EventWriteSYSMON_FILE_CREATE_EVENT(string RuleName, string UtcTime, Guid ProcessGuid, uint ProcessId, string Image, string TargetFilename, string CreationUtcTime) + { + if (!m_provider.IsEnabled()) + { + return true; + } + + return m_provider.TemplateFile_created(ref SYSMON_FILE_CREATE_EVENT, RuleName, UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime); + } + + // + // Event method for SYSMON_REG_KEY_EVENT + // + public static bool EventWriteSYSMON_REG_KEY_EVENT(string RuleName, string EventType, string UtcTime, Guid ProcessGuid, uint ProcessId, string Image, string TargetObject) + { + if (!m_provider.IsEnabled()) + { + return true; + } + + return m_provider.TemplateRegistry_object_added_or_deleted(ref SYSMON_REG_KEY_EVENT, RuleName, EventType, UtcTime, ProcessGuid, ProcessId, Image, TargetObject); + } + + // + // Event method for SYSMON_REG_SETVALUE_EVENT + // + public static bool EventWriteSYSMON_REG_SETVALUE_EVENT(string RuleName, string EventType, string UtcTime, Guid ProcessGuid, uint ProcessId, string Image, string TargetObject, string Details) + { + if (!m_provider.IsEnabled()) + { + return true; + } + + return m_provider.TemplateRegistry_value_set(ref SYSMON_REG_SETVALUE_EVENT, RuleName, EventType, UtcTime, ProcessGuid, ProcessId, Image, TargetObject, Details); + } + + // + // Event method for SYSMON_REG_NAME_EVENT + // + public static bool EventWriteSYSMON_REG_NAME_EVENT(string RuleName, string EventType, string UtcTime, Guid ProcessGuid, uint ProcessId, string Image, string TargetObject, string NewName) + { + if (!m_provider.IsEnabled()) + { + return true; + } + + return m_provider.TemplateRegistry_object_renamed(ref SYSMON_REG_NAME_EVENT, RuleName, EventType, UtcTime, ProcessGuid, ProcessId, Image, TargetObject, NewName); + } + + 
// + // Event method for SYSMON_FILE_CREATE_STREAM_HASH_EVENT + // + public static bool EventWriteSYSMON_FILE_CREATE_STREAM_HASH_EVENT(string RuleName, string UtcTime, Guid ProcessGuid, uint ProcessId, string Image, string TargetFilename, string CreationUtcTime, string Hash, string Contents) + { + if (!m_provider.IsEnabled()) + { + return true; + } + + return m_provider.TemplateFile_stream_created(ref SYSMON_FILE_CREATE_STREAM_HASH_EVENT, RuleName, UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, Hash, Contents); + } + + // + // Event method for SYSMON_SERVICE_CONFIGURATION_CHANGE_EVENT + // + public static bool EventWriteSYSMON_SERVICE_CONFIGURATION_CHANGE_EVENT(string UtcTime, string Configuration, string ConfigurationFileHash) + { + if (!m_provider.IsEnabled()) + { + return true; + } + + return m_provider.TemplateSysmon_config_state_changed(ref SYSMON_SERVICE_CONFIGURATION_CHANGE_EVENT, UtcTime, Configuration, ConfigurationFileHash); + } + + // + // Event method for SYSMON_CREATE_NAMEDPIPE_EVENT + // + public static bool EventWriteSYSMON_CREATE_NAMEDPIPE_EVENT(string RuleName, string EventType, string UtcTime, Guid ProcessGuid, uint ProcessId, string PipeName, string Image) + { + if (!m_provider.IsEnabled()) + { + return true; + } + + return m_provider.TemplatePipe_Created(ref SYSMON_CREATE_NAMEDPIPE_EVENT, RuleName, EventType, UtcTime, ProcessGuid, ProcessId, PipeName, Image); + } + + // + // Event method for SYSMON_CONNECT_NAMEDPIPE_EVENT + // + public static bool EventWriteSYSMON_CONNECT_NAMEDPIPE_EVENT(string RuleName, string EventType, string UtcTime, Guid ProcessGuid, uint ProcessId, string PipeName, string Image) + { + if (!m_provider.IsEnabled()) + { + return true; + } + + return m_provider.TemplatePipe_Connected(ref SYSMON_CONNECT_NAMEDPIPE_EVENT, RuleName, EventType, UtcTime, ProcessGuid, ProcessId, PipeName, Image); + } + + // + // Event method for SYSMON_WMI_FILTER_EVENT + // + public static bool 
EventWriteSYSMON_WMI_FILTER_EVENT(string RuleName, string EventType, string UtcTime, string Operation, string User, string EventNamespace, string Name, string Query) + { + if (!m_provider.IsEnabled()) + { + return true; + } + + return m_provider.TemplateWmiEventFilter_activity_detected(ref SYSMON_WMI_FILTER_EVENT, RuleName, EventType, UtcTime, Operation, User, EventNamespace, Name, Query); + } + + // + // Event method for SYSMON_WMI_CONSUMER_EVENT + // + public static bool EventWriteSYSMON_WMI_CONSUMER_EVENT(string RuleName, string EventType, string UtcTime, string Operation, string User, string Name, string Type, string Destination) + { + if (!m_provider.IsEnabled()) + { + return true; + } + + return m_provider.TemplateWmiEventConsumer_activity_detected(ref SYSMON_WMI_CONSUMER_EVENT, RuleName, EventType, UtcTime, Operation, User, Name, Type, Destination); + } + + // + // Event method for SYSMON_WMI_BINDING_EVENT + // + public static bool EventWriteSYSMON_WMI_BINDING_EVENT(string RuleName, string EventType, string UtcTime, string Operation, string User, string Consumer, string Filter) + { + if (!m_provider.IsEnabled()) + { + return true; + } + + return m_provider.TemplateWmiEventConsumerToFilter_activity_detected(ref SYSMON_WMI_BINDING_EVENT, RuleName, EventType, UtcTime, Operation, User, Consumer, Filter); + } + + // + // Event method for SYSMON_DNS_QUERY_EVENT + // + public static bool EventWriteSYSMON_DNS_QUERY_EVENT(string RuleName, string UtcTime, Guid ProcessGuid, uint ProcessId, string QueryName, string QueryStatus, string QueryResults, string Image) + { + if (!m_provider.IsEnabled()) + { + return true; + } + + return m_provider.TemplateDns_query(ref SYSMON_DNS_QUERY_EVENT, RuleName, UtcTime, ProcessGuid, ProcessId, QueryName, QueryStatus, QueryResults, Image); + } + + // + // Event method for SYSMON_FILE_DELETE_EVENT + // + public static bool EventWriteSYSMON_FILE_DELETE_EVENT(string RuleName, string UtcTime, Guid ProcessGuid, uint ProcessId, string User, 
string Image, string TargetFilename, string Hashes, bool IsExecutable, string Archived) + { + if (!m_provider.IsEnabled()) + { + return true; + } + + return m_provider.TemplateFile_Delete(ref SYSMON_FILE_DELETE_EVENT, RuleName, UtcTime, ProcessGuid, ProcessId, User, Image, TargetFilename, Hashes, IsExecutable, Archived); + } + + // + // Event method for SYSMON_CLIPBOARD_EVENT + // + public static bool EventWriteSYSMON_CLIPBOARD_EVENT(string RuleName, string UtcTime, Guid ProcessGuid, uint ProcessId, string Image, uint Session, string ClientInfo, string Hashes, string Archived) + { + if (!m_provider.IsEnabled()) + { + return true; + } + + return m_provider.TemplateClipboard_changed(ref SYSMON_CLIPBOARD_EVENT, RuleName, UtcTime, ProcessGuid, ProcessId, Image, Session, ClientInfo, Hashes, Archived); + } + } + + internal class EventProviderVersionTwo : EventProvider + { + internal EventProviderVersionTwo(Guid id) + : base(id) + { } + + [StructLayout(LayoutKind.Explicit, Size = 16)] + private struct EventData + { + [FieldOffset(0)] + internal UInt64 DataPointer; + [FieldOffset(8)] + internal uint Size; + [FieldOffset(12)] + internal int Reserved; + } + + internal unsafe bool TemplateClipboard_changed( + ref EventDescriptor eventDescriptor, + string RuleName, + string UtcTime, + Guid ProcessGuid, + uint ProcessId, + string Image, + uint Session, + string ClientInfo, + string Hashes, + string Archived + ) + { + int argumentCount = 9; + bool status = true; + + if (IsEnabled(eventDescriptor.Level, eventDescriptor.Keywords)) + { + byte* userData = stackalloc byte[sizeof(EventData) * argumentCount]; + EventData* userDataPtr = (EventData*)userData; + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[0].Size = (uint)(RuleName.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[1].Size = (uint)(UtcTime.Length + 1) * sizeof(char); + + userDataPtr[2].DataPointer = (UInt64)(&ProcessGuid); + 
userDataPtr[2].Size = (uint)(sizeof(Guid)); + + userDataPtr[3].DataPointer = (UInt64)(&ProcessId); + userDataPtr[3].Size = (uint)(sizeof(int)); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[4].Size = (uint)(Image.Length + 1) * sizeof(char); + + userDataPtr[5].DataPointer = (UInt64)(&Session); + userDataPtr[5].Size = (uint)(sizeof(int)); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[6].Size = (uint)(ClientInfo.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[7].Size = (uint)(Hashes.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[8].Size = (uint)(Archived.Length + 1) * sizeof(char); + + fixed (char* a0 = RuleName, a1 = UtcTime, a2 = Image, a3 = ClientInfo, a4 = Hashes, a5 = Archived) + { + userDataPtr[0].DataPointer = (ulong)a0; + userDataPtr[1].DataPointer = (ulong)a1; + userDataPtr[4].DataPointer = (ulong)a2; + userDataPtr[6].DataPointer = (ulong)a3; + userDataPtr[7].DataPointer = (ulong)a4; + userDataPtr[8].DataPointer = (ulong)a5; + status = WriteEvent(ref eventDescriptor, argumentCount, (IntPtr)(userData)); + } + } + + return status; + } + + internal unsafe bool TemplateCreateRemoteThread_detected( + ref EventDescriptor eventDescriptor, + string RuleName, + string UtcTime, + Guid SourceProcessGuid, + uint SourceProcessId, + string SourceImage, + Guid TargetProcessGuid, + uint TargetProcessId, + string TargetImage, + uint NewThreadId, + string StartAddress, + string StartModule, + string StartFunction + ) + { + int argumentCount = 12; + bool status = true; + + if (IsEnabled(eventDescriptor.Level, eventDescriptor.Keywords)) + { + byte* userData = stackalloc byte[sizeof(EventData) * argumentCount]; + EventData* userDataPtr = (EventData*)userData; + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[0].Size = (uint)(RuleName.Length + 1) * 
sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[1].Size = (uint)(UtcTime.Length + 1) * sizeof(char); + + userDataPtr[2].DataPointer = (UInt64)(&SourceProcessGuid); + userDataPtr[2].Size = (uint)(sizeof(Guid)); + + userDataPtr[3].DataPointer = (UInt64)(&SourceProcessId); + userDataPtr[3].Size = (uint)(sizeof(int)); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[4].Size = (uint)(SourceImage.Length + 1) * sizeof(char); + + userDataPtr[5].DataPointer = (UInt64)(&TargetProcessGuid); + userDataPtr[5].Size = (uint)(sizeof(Guid)); + + userDataPtr[6].DataPointer = (UInt64)(&TargetProcessId); + userDataPtr[6].Size = (uint)(sizeof(int)); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[7].Size = (uint)(TargetImage.Length + 1) * sizeof(char); + + userDataPtr[8].DataPointer = (UInt64)(&NewThreadId); + userDataPtr[8].Size = (uint)(sizeof(int)); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[9].Size = (uint)(StartAddress.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[10].Size = (uint)(StartModule.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[11].Size = (uint)(StartFunction.Length + 1) * sizeof(char); + + fixed (char* a0 = RuleName, a1 = UtcTime, a2 = SourceImage, a3 = TargetImage, a4 = StartAddress, a5 = StartModule, a6 = StartFunction) + { + userDataPtr[0].DataPointer = (ulong)a0; + userDataPtr[1].DataPointer = (ulong)a1; + userDataPtr[4].DataPointer = (ulong)a2; + userDataPtr[7].DataPointer = (ulong)a3; + userDataPtr[9].DataPointer = (ulong)a4; + userDataPtr[10].DataPointer = (ulong)a5; + userDataPtr[11].DataPointer = (ulong)a6; + status = WriteEvent(ref eventDescriptor, argumentCount, (IntPtr)(userData)); + } + } + + return status; + } + + internal unsafe bool TemplateDns_query( + ref EventDescriptor 
eventDescriptor, + string RuleName, + string UtcTime, + Guid ProcessGuid, + uint ProcessId, + string QueryName, + string QueryStatus, + string QueryResults, + string Image + ) + { + int argumentCount = 8; + bool status = true; + + if (IsEnabled(eventDescriptor.Level, eventDescriptor.Keywords)) + { + byte* userData = stackalloc byte[sizeof(EventData) * argumentCount]; + EventData* userDataPtr = (EventData*)userData; + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[0].Size = (uint)(RuleName.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[1].Size = (uint)(UtcTime.Length + 1) * sizeof(char); + + userDataPtr[2].DataPointer = (UInt64)(&ProcessGuid); + userDataPtr[2].Size = (uint)(sizeof(Guid)); + + userDataPtr[3].DataPointer = (UInt64)(&ProcessId); + userDataPtr[3].Size = (uint)(sizeof(int)); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[4].Size = (uint)(QueryName.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[5].Size = (uint)(QueryStatus.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[6].Size = (uint)(QueryResults.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[7].Size = (uint)(Image.Length + 1) * sizeof(char); + + fixed (char* a0 = RuleName, a1 = UtcTime, a2 = QueryName, a3 = QueryStatus, a4 = QueryResults, a5 = Image) + { + userDataPtr[0].DataPointer = (ulong)a0; + userDataPtr[1].DataPointer = (ulong)a1; + userDataPtr[4].DataPointer = (ulong)a2; + userDataPtr[5].DataPointer = (ulong)a3; + userDataPtr[6].DataPointer = (ulong)a4; + userDataPtr[7].DataPointer = (ulong)a5; + status = WriteEvent(ref eventDescriptor, argumentCount, (IntPtr)(userData)); + } + } + + return status; + } + + internal unsafe bool TemplateDriver_loaded( + ref EventDescriptor eventDescriptor, 
+ string RuleName, + string UtcTime, + string ImageLoaded, + string Hashes, + string Signed, + string Signature, + string SignatureStatus + ) + { + int argumentCount = 7; + bool status = true; + + if (IsEnabled(eventDescriptor.Level, eventDescriptor.Keywords)) + { + byte* userData = stackalloc byte[sizeof(EventData) * argumentCount]; + EventData* userDataPtr = (EventData*)userData; + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[0].Size = (uint)(RuleName.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[1].Size = (uint)(UtcTime.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[2].Size = (uint)(ImageLoaded.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[3].Size = (uint)(Hashes.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[4].Size = (uint)(Signed.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[5].Size = (uint)(Signature.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[6].Size = (uint)(SignatureStatus.Length + 1) * sizeof(char); + + fixed (char* a0 = RuleName, a1 = UtcTime, a2 = ImageLoaded, a3 = Hashes, a4 = Signed, a5 = Signature, a6 = SignatureStatus) + { + userDataPtr[0].DataPointer = (ulong)a0; + userDataPtr[1].DataPointer = (ulong)a1; + userDataPtr[2].DataPointer = (ulong)a2; + userDataPtr[3].DataPointer = (ulong)a3; + userDataPtr[4].DataPointer = (ulong)a4; + userDataPtr[5].DataPointer = (ulong)a5; + userDataPtr[6].DataPointer = (ulong)a6; + status = WriteEvent(ref eventDescriptor, argumentCount, (IntPtr)(userData)); + } + } + + return status; + } + + internal unsafe bool TemplateError_report( + ref EventDescriptor eventDescriptor, + string UtcTime, + string ID, + string 
Description + ) + { + int argumentCount = 3; + bool status = true; + + if (IsEnabled(eventDescriptor.Level, eventDescriptor.Keywords)) + { + byte* userData = stackalloc byte[sizeof(EventData) * argumentCount]; + EventData* userDataPtr = (EventData*)userData; + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[0].Size = (uint)(UtcTime.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[1].Size = (uint)(ID.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[2].Size = (uint)(Description.Length + 1) * sizeof(char); + + fixed (char* a0 = UtcTime, a1 = ID, a2 = Description) + { + userDataPtr[0].DataPointer = (ulong)a0; + userDataPtr[1].DataPointer = (ulong)a1; + userDataPtr[2].DataPointer = (ulong)a2; + status = WriteEvent(ref eventDescriptor, argumentCount, (IntPtr)(userData)); + } + } + + return status; + } + + internal unsafe bool TemplateFile_Delete( + ref EventDescriptor eventDescriptor, + string RuleName, + string UtcTime, + Guid ProcessGuid, + uint ProcessId, + string User, + string Image, + string TargetFilename, + string Hashes, + bool IsExecutable, + string Archived + ) + { + int argumentCount = 10; + bool status = true; + + if (IsEnabled(eventDescriptor.Level, eventDescriptor.Keywords)) + { + byte* userData = stackalloc byte[sizeof(EventData) * argumentCount]; + EventData* userDataPtr = (EventData*)userData; + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[0].Size = (uint)(RuleName.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[1].Size = (uint)(UtcTime.Length + 1) * sizeof(char); + + userDataPtr[2].DataPointer = (UInt64)(&ProcessGuid); + userDataPtr[2].Size = (uint)(sizeof(Guid)); + + userDataPtr[3].DataPointer = (UInt64)(&ProcessId); + userDataPtr[3].Size = (uint)(sizeof(int)); + + // Value is a nul-terminated string (assume 
no embedded nuls): + userDataPtr[4].Size = (uint)(User.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[5].Size = (uint)(Image.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[6].Size = (uint)(TargetFilename.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[7].Size = (uint)(Hashes.Length + 1) * sizeof(char); + + int IsExecutableInt = IsExecutable ? 1 : 0; + userDataPtr[8].DataPointer = (UInt64)(&IsExecutableInt); + userDataPtr[8].Size = (uint)(sizeof(int)); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[9].Size = (uint)(Archived.Length + 1) * sizeof(char); + + fixed (char* a0 = RuleName, a1 = UtcTime, a2 = User, a3 = Image, a4 = TargetFilename, a5 = Hashes, a6 = Archived) + { + userDataPtr[0].DataPointer = (ulong)a0; + userDataPtr[1].DataPointer = (ulong)a1; + userDataPtr[4].DataPointer = (ulong)a2; + userDataPtr[5].DataPointer = (ulong)a3; + userDataPtr[6].DataPointer = (ulong)a4; + userDataPtr[7].DataPointer = (ulong)a5; + userDataPtr[9].DataPointer = (ulong)a6; + status = WriteEvent(ref eventDescriptor, argumentCount, (IntPtr)(userData)); + } + } + + return status; + } + + internal unsafe bool TemplateFile_created( + ref EventDescriptor eventDescriptor, + string RuleName, + string UtcTime, + Guid ProcessGuid, + uint ProcessId, + string Image, + string TargetFilename, + string CreationUtcTime + ) + { + int argumentCount = 7; + bool status = true; + + if (IsEnabled(eventDescriptor.Level, eventDescriptor.Keywords)) + { + byte* userData = stackalloc byte[sizeof(EventData) * argumentCount]; + EventData* userDataPtr = (EventData*)userData; + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[0].Size = (uint)(RuleName.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[1].Size 
= (uint)(UtcTime.Length + 1) * sizeof(char); + + userDataPtr[2].DataPointer = (UInt64)(&ProcessGuid); + userDataPtr[2].Size = (uint)(sizeof(Guid)); + + userDataPtr[3].DataPointer = (UInt64)(&ProcessId); + userDataPtr[3].Size = (uint)(sizeof(int)); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[4].Size = (uint)(Image.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[5].Size = (uint)(TargetFilename.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[6].Size = (uint)(CreationUtcTime.Length + 1) * sizeof(char); + + fixed (char* a0 = RuleName, a1 = UtcTime, a2 = Image, a3 = TargetFilename, a4 = CreationUtcTime) + { + userDataPtr[0].DataPointer = (ulong)a0; + userDataPtr[1].DataPointer = (ulong)a1; + userDataPtr[4].DataPointer = (ulong)a2; + userDataPtr[5].DataPointer = (ulong)a3; + userDataPtr[6].DataPointer = (ulong)a4; + status = WriteEvent(ref eventDescriptor, argumentCount, (IntPtr)(userData)); + } + } + + return status; + } + + internal unsafe bool TemplateFile_creation_time_changed( + ref EventDescriptor eventDescriptor, + string RuleName, + string UtcTime, + Guid ProcessGuid, + uint ProcessId, + string Image, + string TargetFilename, + string CreationUtcTime, + string PreviousCreationUtcTime + ) + { + int argumentCount = 8; + bool status = true; + + if (IsEnabled(eventDescriptor.Level, eventDescriptor.Keywords)) + { + byte* userData = stackalloc byte[sizeof(EventData) * argumentCount]; + EventData* userDataPtr = (EventData*)userData; + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[0].Size = (uint)(RuleName.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[1].Size = (uint)(UtcTime.Length + 1) * sizeof(char); + + userDataPtr[2].DataPointer = (UInt64)(&ProcessGuid); + userDataPtr[2].Size = (uint)(sizeof(Guid)); + + 
userDataPtr[3].DataPointer = (UInt64)(&ProcessId); + userDataPtr[3].Size = (uint)(sizeof(int)); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[4].Size = (uint)(Image.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[5].Size = (uint)(TargetFilename.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[6].Size = (uint)(CreationUtcTime.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[7].Size = (uint)(PreviousCreationUtcTime.Length + 1) * sizeof(char); + + fixed (char* a0 = RuleName, a1 = UtcTime, a2 = Image, a3 = TargetFilename, a4 = CreationUtcTime, a5 = PreviousCreationUtcTime) + { + userDataPtr[0].DataPointer = (ulong)a0; + userDataPtr[1].DataPointer = (ulong)a1; + userDataPtr[4].DataPointer = (ulong)a2; + userDataPtr[5].DataPointer = (ulong)a3; + userDataPtr[6].DataPointer = (ulong)a4; + userDataPtr[7].DataPointer = (ulong)a5; + status = WriteEvent(ref eventDescriptor, argumentCount, (IntPtr)(userData)); + } + } + + return status; + } + + internal unsafe bool TemplateFile_stream_created( + ref EventDescriptor eventDescriptor, + string RuleName, + string UtcTime, + Guid ProcessGuid, + uint ProcessId, + string Image, + string TargetFilename, + string CreationUtcTime, + string Hash, + string Contents + ) + { + int argumentCount = 9; + bool status = true; + + if (IsEnabled(eventDescriptor.Level, eventDescriptor.Keywords)) + { + byte* userData = stackalloc byte[sizeof(EventData) * argumentCount]; + EventData* userDataPtr = (EventData*)userData; + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[0].Size = (uint)(RuleName.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[1].Size = (uint)(UtcTime.Length + 1) * sizeof(char); + + userDataPtr[2].DataPointer = (UInt64)(&ProcessGuid); 
+ userDataPtr[2].Size = (uint)(sizeof(Guid)); + + userDataPtr[3].DataPointer = (UInt64)(&ProcessId); + userDataPtr[3].Size = (uint)(sizeof(int)); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[4].Size = (uint)(Image.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[5].Size = (uint)(TargetFilename.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[6].Size = (uint)(CreationUtcTime.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[7].Size = (uint)(Hash.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[8].Size = (uint)(Contents.Length + 1) * sizeof(char); + + fixed (char* a0 = RuleName, a1 = UtcTime, a2 = Image, a3 = TargetFilename, a4 = CreationUtcTime, a5 = Hash, a6 = Contents) + { + userDataPtr[0].DataPointer = (ulong)a0; + userDataPtr[1].DataPointer = (ulong)a1; + userDataPtr[4].DataPointer = (ulong)a2; + userDataPtr[5].DataPointer = (ulong)a3; + userDataPtr[6].DataPointer = (ulong)a4; + userDataPtr[7].DataPointer = (ulong)a5; + userDataPtr[8].DataPointer = (ulong)a6; + status = WriteEvent(ref eventDescriptor, argumentCount, (IntPtr)(userData)); + } + } + + return status; + } + + internal unsafe bool TemplateImage_loaded( + ref EventDescriptor eventDescriptor, + string RuleName, + string UtcTime, + Guid ProcessGuid, + uint ProcessId, + string Image, + string ImageLoaded, + string FileVersion, + string Description, + string Product, + string Company, + string OriginalFileName, + string Hashes, + string Signed, + string Signature, + string SignatureStatus + ) + { + int argumentCount = 15; + bool status = true; + + if (IsEnabled(eventDescriptor.Level, eventDescriptor.Keywords)) + { + byte* userData = stackalloc byte[sizeof(EventData) * argumentCount]; + EventData* userDataPtr = (EventData*)userData; + + 
// Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[0].Size = (uint)(RuleName.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[1].Size = (uint)(UtcTime.Length + 1) * sizeof(char); + + userDataPtr[2].DataPointer = (UInt64)(&ProcessGuid); + userDataPtr[2].Size = (uint)(sizeof(Guid)); + + userDataPtr[3].DataPointer = (UInt64)(&ProcessId); + userDataPtr[3].Size = (uint)(sizeof(int)); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[4].Size = (uint)(Image.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[5].Size = (uint)(ImageLoaded.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[6].Size = (uint)(FileVersion.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[7].Size = (uint)(Description.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[8].Size = (uint)(Product.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[9].Size = (uint)(Company.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[10].Size = (uint)(OriginalFileName.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[11].Size = (uint)(Hashes.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[12].Size = (uint)(Signed.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[13].Size = (uint)(Signature.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[14].Size = (uint)(SignatureStatus.Length + 1) * sizeof(char); + + fixed (char* a0 = 
RuleName, a1 = UtcTime, a2 = Image, a3 = ImageLoaded, a4 = FileVersion, a5 = Description, a6 = Product, a7 = Company, a8 = OriginalFileName, a9 = Hashes, a10 = Signed, a11 = Signature, a12 = SignatureStatus) + { + userDataPtr[0].DataPointer = (ulong)a0; + userDataPtr[1].DataPointer = (ulong)a1; + userDataPtr[4].DataPointer = (ulong)a2; + userDataPtr[5].DataPointer = (ulong)a3; + userDataPtr[6].DataPointer = (ulong)a4; + userDataPtr[7].DataPointer = (ulong)a5; + userDataPtr[8].DataPointer = (ulong)a6; + userDataPtr[9].DataPointer = (ulong)a7; + userDataPtr[10].DataPointer = (ulong)a8; + userDataPtr[11].DataPointer = (ulong)a9; + userDataPtr[12].DataPointer = (ulong)a10; + userDataPtr[13].DataPointer = (ulong)a11; + userDataPtr[14].DataPointer = (ulong)a12; + status = WriteEvent(ref eventDescriptor, argumentCount, (IntPtr)(userData)); + } + } + + return status; + } + + internal unsafe bool TemplateNetwork_connection_detected( + ref EventDescriptor eventDescriptor, + string RuleName, + string UtcTime, + Guid ProcessGuid, + uint ProcessId, + string Image, + string User, + string Protocol, + bool Initiated, + bool SourceIsIpv6, + string SourceIp, + string SourceHostname, + ushort SourcePort, + string SourcePortName, + bool DestinationIsIpv6, + string DestinationIp, + string DestinationHostname, + ushort DestinationPort, + string DestinationPortName + ) + { + int argumentCount = 18; + bool status = true; + + if (IsEnabled(eventDescriptor.Level, eventDescriptor.Keywords)) + { + byte* userData = stackalloc byte[sizeof(EventData) * argumentCount]; + EventData* userDataPtr = (EventData*)userData; + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[0].Size = (uint)(RuleName.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[1].Size = (uint)(UtcTime.Length + 1) * sizeof(char); + + userDataPtr[2].DataPointer = (UInt64)(&ProcessGuid); + userDataPtr[2].Size = (uint)(sizeof(Guid)); + + 
userDataPtr[3].DataPointer = (UInt64)(&ProcessId); + userDataPtr[3].Size = (uint)(sizeof(int)); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[4].Size = (uint)(Image.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[5].Size = (uint)(User.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[6].Size = (uint)(Protocol.Length + 1) * sizeof(char); + + int InitiatedInt = Initiated ? 1 : 0; + userDataPtr[7].DataPointer = (UInt64)(&InitiatedInt); + userDataPtr[7].Size = (uint)(sizeof(int)); + + int SourceIsIpv6Int = SourceIsIpv6 ? 1 : 0; + userDataPtr[8].DataPointer = (UInt64)(&SourceIsIpv6Int); + userDataPtr[8].Size = (uint)(sizeof(int)); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[9].Size = (uint)(SourceIp.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[10].Size = (uint)(SourceHostname.Length + 1) * sizeof(char); + + userDataPtr[11].DataPointer = (UInt64)(&SourcePort); + userDataPtr[11].Size = (uint)(sizeof(short)); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[12].Size = (uint)(SourcePortName.Length + 1) * sizeof(char); + + int DestinationIsIpv6Int = DestinationIsIpv6 ? 
1 : 0; + userDataPtr[13].DataPointer = (UInt64)(&DestinationIsIpv6Int); + userDataPtr[13].Size = (uint)(sizeof(int)); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[14].Size = (uint)(DestinationIp.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[15].Size = (uint)(DestinationHostname.Length + 1) * sizeof(char); + + userDataPtr[16].DataPointer = (UInt64)(&DestinationPort); + userDataPtr[16].Size = (uint)(sizeof(short)); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[17].Size = (uint)(DestinationPortName.Length + 1) * sizeof(char); + + fixed (char* a0 = RuleName, a1 = UtcTime, a2 = Image, a3 = User, a4 = Protocol, a5 = SourceIp, a6 = SourceHostname, a7 = SourcePortName, a8 = DestinationIp, a9 = DestinationHostname, a10 = DestinationPortName) + { + userDataPtr[0].DataPointer = (ulong)a0; + userDataPtr[1].DataPointer = (ulong)a1; + userDataPtr[4].DataPointer = (ulong)a2; + userDataPtr[5].DataPointer = (ulong)a3; + userDataPtr[6].DataPointer = (ulong)a4; + userDataPtr[9].DataPointer = (ulong)a5; + userDataPtr[10].DataPointer = (ulong)a6; + userDataPtr[12].DataPointer = (ulong)a7; + userDataPtr[14].DataPointer = (ulong)a8; + userDataPtr[15].DataPointer = (ulong)a9; + userDataPtr[17].DataPointer = (ulong)a10; + status = WriteEvent(ref eventDescriptor, argumentCount, (IntPtr)(userData)); + } + } + + return status; + } + + internal unsafe bool TemplatePipe_Connected( + ref EventDescriptor eventDescriptor, + string RuleName, + string EventType, + string UtcTime, + Guid ProcessGuid, + uint ProcessId, + string PipeName, + string Image + ) + { + int argumentCount = 7; + bool status = true; + + if (IsEnabled(eventDescriptor.Level, eventDescriptor.Keywords)) + { + byte* userData = stackalloc byte[sizeof(EventData) * argumentCount]; + EventData* userDataPtr = (EventData*)userData; + + // Value is a nul-terminated string (assume no embedded nuls): + 
userDataPtr[0].Size = (uint)(RuleName.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[1].Size = (uint)(EventType.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[2].Size = (uint)(UtcTime.Length + 1) * sizeof(char); + + userDataPtr[3].DataPointer = (UInt64)(&ProcessGuid); + userDataPtr[3].Size = (uint)(sizeof(Guid)); + + userDataPtr[4].DataPointer = (UInt64)(&ProcessId); + userDataPtr[4].Size = (uint)(sizeof(int)); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[5].Size = (uint)(PipeName.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[6].Size = (uint)(Image.Length + 1) * sizeof(char); + + fixed (char* a0 = RuleName, a1 = EventType, a2 = UtcTime, a3 = PipeName, a4 = Image) + { + userDataPtr[0].DataPointer = (ulong)a0; + userDataPtr[1].DataPointer = (ulong)a1; + userDataPtr[2].DataPointer = (ulong)a2; + userDataPtr[5].DataPointer = (ulong)a3; + userDataPtr[6].DataPointer = (ulong)a4; + status = WriteEvent(ref eventDescriptor, argumentCount, (IntPtr)(userData)); + } + } + + return status; + } + + internal unsafe bool TemplatePipe_Created( + ref EventDescriptor eventDescriptor, + string RuleName, + string EventType, + string UtcTime, + Guid ProcessGuid, + uint ProcessId, + string PipeName, + string Image + ) + { + int argumentCount = 7; + bool status = true; + + if (IsEnabled(eventDescriptor.Level, eventDescriptor.Keywords)) + { + byte* userData = stackalloc byte[sizeof(EventData) * argumentCount]; + EventData* userDataPtr = (EventData*)userData; + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[0].Size = (uint)(RuleName.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[1].Size = (uint)(EventType.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume 
no embedded nuls): + userDataPtr[2].Size = (uint)(UtcTime.Length + 1) * sizeof(char); + + userDataPtr[3].DataPointer = (UInt64)(&ProcessGuid); + userDataPtr[3].Size = (uint)(sizeof(Guid)); + + userDataPtr[4].DataPointer = (UInt64)(&ProcessId); + userDataPtr[4].Size = (uint)(sizeof(int)); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[5].Size = (uint)(PipeName.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[6].Size = (uint)(Image.Length + 1) * sizeof(char); + + fixed (char* a0 = RuleName, a1 = EventType, a2 = UtcTime, a3 = PipeName, a4 = Image) + { + userDataPtr[0].DataPointer = (ulong)a0; + userDataPtr[1].DataPointer = (ulong)a1; + userDataPtr[2].DataPointer = (ulong)a2; + userDataPtr[5].DataPointer = (ulong)a3; + userDataPtr[6].DataPointer = (ulong)a4; + status = WriteEvent(ref eventDescriptor, argumentCount, (IntPtr)(userData)); + } + } + + return status; + } + + internal unsafe bool TemplateProcess_Create( + ref EventDescriptor eventDescriptor, + string RuleName, + string UtcTime, + Guid ProcessGuid, + uint ProcessId, + string Image, + string FileVersion, + string Description, + string Product, + string Company, + string OriginalFileName, + string CommandLine, + string CurrentDirectory, + string User, + Guid LogonGuid, + long LogonId, + uint TerminalSessionId, + string IntegrityLevel, + string Hashes, + Guid ParentProcessGuid, + uint ParentProcessId, + string ParentImage, + string ParentCommandLine + ) + { + int argumentCount = 22; + bool status = true; + + if (IsEnabled(eventDescriptor.Level, eventDescriptor.Keywords)) + { + byte* userData = stackalloc byte[sizeof(EventData) * argumentCount]; + EventData* userDataPtr = (EventData*)userData; + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[0].Size = (uint)(RuleName.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[1].Size = 
(uint)(UtcTime.Length + 1) * sizeof(char); + + userDataPtr[2].DataPointer = (UInt64)(&ProcessGuid); + userDataPtr[2].Size = (uint)(sizeof(Guid)); + + userDataPtr[3].DataPointer = (UInt64)(&ProcessId); + userDataPtr[3].Size = (uint)(sizeof(int)); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[4].Size = (uint)(Image.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[5].Size = (uint)(FileVersion.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[6].Size = (uint)(Description.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[7].Size = (uint)(Product.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[8].Size = (uint)(Company.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[9].Size = (uint)(OriginalFileName.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[10].Size = (uint)(CommandLine.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[11].Size = (uint)(CurrentDirectory.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[12].Size = (uint)(User.Length + 1) * sizeof(char); + + userDataPtr[13].DataPointer = (UInt64)(&LogonGuid); + userDataPtr[13].Size = (uint)(sizeof(Guid)); + + userDataPtr[14].DataPointer = (UInt64)(&LogonId); + userDataPtr[14].Size = (uint)(sizeof(long)); + + userDataPtr[15].DataPointer = (UInt64)(&TerminalSessionId); + userDataPtr[15].Size = (uint)(sizeof(int)); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[16].Size = (uint)(IntegrityLevel.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded 
nuls): + userDataPtr[17].Size = (uint)(Hashes.Length + 1) * sizeof(char); + + userDataPtr[18].DataPointer = (UInt64)(&ParentProcessGuid); + userDataPtr[18].Size = (uint)(sizeof(Guid)); + + userDataPtr[19].DataPointer = (UInt64)(&ParentProcessId); + userDataPtr[19].Size = (uint)(sizeof(int)); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[20].Size = (uint)(ParentImage.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[21].Size = (uint)(ParentCommandLine.Length + 1) * sizeof(char); + + fixed (char* a0 = RuleName, a1 = UtcTime, a2 = Image, a3 = FileVersion, a4 = Description, a5 = Product, a6 = Company, a7 = OriginalFileName, a8 = CommandLine, a9 = CurrentDirectory, a10 = User, a11 = IntegrityLevel, a12 = Hashes, a13 = ParentImage, a14 = ParentCommandLine) + { + userDataPtr[0].DataPointer = (ulong)a0; + userDataPtr[1].DataPointer = (ulong)a1; + userDataPtr[4].DataPointer = (ulong)a2; + userDataPtr[5].DataPointer = (ulong)a3; + userDataPtr[6].DataPointer = (ulong)a4; + userDataPtr[7].DataPointer = (ulong)a5; + userDataPtr[8].DataPointer = (ulong)a6; + userDataPtr[9].DataPointer = (ulong)a7; + userDataPtr[10].DataPointer = (ulong)a8; + userDataPtr[11].DataPointer = (ulong)a9; + userDataPtr[12].DataPointer = (ulong)a10; + userDataPtr[16].DataPointer = (ulong)a11; + userDataPtr[17].DataPointer = (ulong)a12; + userDataPtr[20].DataPointer = (ulong)a13; + userDataPtr[21].DataPointer = (ulong)a14; + status = WriteEvent(ref eventDescriptor, argumentCount, (IntPtr)(userData)); + } + } + + return status; + } + + internal unsafe bool TemplateProcess_accessed( + ref EventDescriptor eventDescriptor, + string RuleName, + string UtcTime, + Guid SourceProcessGUID, + uint SourceProcessId, + uint SourceThreadId, + string SourceImage, + Guid TargetProcessGUID, + uint TargetProcessId, + string TargetImage, + int GrantedAccess, + string CallTrace + ) + { + int argumentCount = 11; + bool status = 
true; + + if (IsEnabled(eventDescriptor.Level, eventDescriptor.Keywords)) + { + byte* userData = stackalloc byte[sizeof(EventData) * argumentCount]; + EventData* userDataPtr = (EventData*)userData; + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[0].Size = (uint)(RuleName.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[1].Size = (uint)(UtcTime.Length + 1) * sizeof(char); + + userDataPtr[2].DataPointer = (UInt64)(&SourceProcessGUID); + userDataPtr[2].Size = (uint)(sizeof(Guid)); + + userDataPtr[3].DataPointer = (UInt64)(&SourceProcessId); + userDataPtr[3].Size = (uint)(sizeof(int)); + + userDataPtr[4].DataPointer = (UInt64)(&SourceThreadId); + userDataPtr[4].Size = (uint)(sizeof(int)); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[5].Size = (uint)(SourceImage.Length + 1) * sizeof(char); + + userDataPtr[6].DataPointer = (UInt64)(&TargetProcessGUID); + userDataPtr[6].Size = (uint)(sizeof(Guid)); + + userDataPtr[7].DataPointer = (UInt64)(&TargetProcessId); + userDataPtr[7].Size = (uint)(sizeof(int)); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[8].Size = (uint)(TargetImage.Length + 1) * sizeof(char); + + userDataPtr[9].DataPointer = (UInt64)(&GrantedAccess); + userDataPtr[9].Size = (uint)(sizeof(int)); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[10].Size = (uint)(CallTrace.Length + 1) * sizeof(char); + + fixed (char* a0 = RuleName, a1 = UtcTime, a2 = SourceImage, a3 = TargetImage, a4 = CallTrace) + { + userDataPtr[0].DataPointer = (ulong)a0; + userDataPtr[1].DataPointer = (ulong)a1; + userDataPtr[5].DataPointer = (ulong)a2; + userDataPtr[8].DataPointer = (ulong)a3; + userDataPtr[10].DataPointer = (ulong)a4; + status = WriteEvent(ref eventDescriptor, argumentCount, (IntPtr)(userData)); + } + } + + return status; + } + + internal unsafe bool TemplateProcess_terminated( + 
ref EventDescriptor eventDescriptor, + string RuleName, + string UtcTime, + Guid ProcessGuid, + uint ProcessId, + string Image + ) + { + int argumentCount = 5; + bool status = true; + + if (IsEnabled(eventDescriptor.Level, eventDescriptor.Keywords)) + { + byte* userData = stackalloc byte[sizeof(EventData) * argumentCount]; + EventData* userDataPtr = (EventData*)userData; + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[0].Size = (uint)(RuleName.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[1].Size = (uint)(UtcTime.Length + 1) * sizeof(char); + + userDataPtr[2].DataPointer = (UInt64)(&ProcessGuid); + userDataPtr[2].Size = (uint)(sizeof(Guid)); + + userDataPtr[3].DataPointer = (UInt64)(&ProcessId); + userDataPtr[3].Size = (uint)(sizeof(int)); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[4].Size = (uint)(Image.Length + 1) * sizeof(char); + + fixed (char* a0 = RuleName, a1 = UtcTime, a2 = Image) + { + userDataPtr[0].DataPointer = (ulong)a0; + userDataPtr[1].DataPointer = (ulong)a1; + userDataPtr[4].DataPointer = (ulong)a2; + status = WriteEvent(ref eventDescriptor, argumentCount, (IntPtr)(userData)); + } + } + + return status; + } + + internal unsafe bool TemplateRawAccessRead_detected( + ref EventDescriptor eventDescriptor, + string RuleName, + string UtcTime, + Guid ProcessGuid, + uint ProcessId, + string Image, + string Device + ) + { + int argumentCount = 6; + bool status = true; + + if (IsEnabled(eventDescriptor.Level, eventDescriptor.Keywords)) + { + byte* userData = stackalloc byte[sizeof(EventData) * argumentCount]; + EventData* userDataPtr = (EventData*)userData; + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[0].Size = (uint)(RuleName.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[1].Size = (uint)(UtcTime.Length + 1) * sizeof(char); + + 
userDataPtr[2].DataPointer = (UInt64)(&ProcessGuid); + userDataPtr[2].Size = (uint)(sizeof(Guid)); + + userDataPtr[3].DataPointer = (UInt64)(&ProcessId); + userDataPtr[3].Size = (uint)(sizeof(int)); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[4].Size = (uint)(Image.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[5].Size = (uint)(Device.Length + 1) * sizeof(char); + + fixed (char* a0 = RuleName, a1 = UtcTime, a2 = Image, a3 = Device) + { + userDataPtr[0].DataPointer = (ulong)a0; + userDataPtr[1].DataPointer = (ulong)a1; + userDataPtr[4].DataPointer = (ulong)a2; + userDataPtr[5].DataPointer = (ulong)a3; + status = WriteEvent(ref eventDescriptor, argumentCount, (IntPtr)(userData)); + } + } + + return status; + } + + internal unsafe bool TemplateRegistry_object_added_or_deleted( + ref EventDescriptor eventDescriptor, + string RuleName, + string EventType, + string UtcTime, + Guid ProcessGuid, + uint ProcessId, + string Image, + string TargetObject + ) + { + int argumentCount = 7; + bool status = true; + + if (IsEnabled(eventDescriptor.Level, eventDescriptor.Keywords)) + { + byte* userData = stackalloc byte[sizeof(EventData) * argumentCount]; + EventData* userDataPtr = (EventData*)userData; + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[0].Size = (uint)(RuleName.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[1].Size = (uint)(EventType.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[2].Size = (uint)(UtcTime.Length + 1) * sizeof(char); + + userDataPtr[3].DataPointer = (UInt64)(&ProcessGuid); + userDataPtr[3].Size = (uint)(sizeof(Guid)); + + userDataPtr[4].DataPointer = (UInt64)(&ProcessId); + userDataPtr[4].Size = (uint)(sizeof(int)); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[5].Size 
= (uint)(Image.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[6].Size = (uint)(TargetObject.Length + 1) * sizeof(char); + + fixed (char* a0 = RuleName, a1 = EventType, a2 = UtcTime, a3 = Image, a4 = TargetObject) + { + userDataPtr[0].DataPointer = (ulong)a0; + userDataPtr[1].DataPointer = (ulong)a1; + userDataPtr[2].DataPointer = (ulong)a2; + userDataPtr[5].DataPointer = (ulong)a3; + userDataPtr[6].DataPointer = (ulong)a4; + status = WriteEvent(ref eventDescriptor, argumentCount, (IntPtr)(userData)); + } + } + + return status; + } + + internal unsafe bool TemplateRegistry_object_renamed( + ref EventDescriptor eventDescriptor, + string RuleName, + string EventType, + string UtcTime, + Guid ProcessGuid, + uint ProcessId, + string Image, + string TargetObject, + string NewName + ) + { + int argumentCount = 8; + bool status = true; + + if (IsEnabled(eventDescriptor.Level, eventDescriptor.Keywords)) + { + byte* userData = stackalloc byte[sizeof(EventData) * argumentCount]; + EventData* userDataPtr = (EventData*)userData; + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[0].Size = (uint)(RuleName.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[1].Size = (uint)(EventType.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[2].Size = (uint)(UtcTime.Length + 1) * sizeof(char); + + userDataPtr[3].DataPointer = (UInt64)(&ProcessGuid); + userDataPtr[3].Size = (uint)(sizeof(Guid)); + + userDataPtr[4].DataPointer = (UInt64)(&ProcessId); + userDataPtr[4].Size = (uint)(sizeof(int)); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[5].Size = (uint)(Image.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[6].Size = (uint)(TargetObject.Length + 1) * sizeof(char); + + // Value is a 
nul-terminated string (assume no embedded nuls): + userDataPtr[7].Size = (uint)(NewName.Length + 1) * sizeof(char); + + fixed (char* a0 = RuleName, a1 = EventType, a2 = UtcTime, a3 = Image, a4 = TargetObject, a5 = NewName) + { + userDataPtr[0].DataPointer = (ulong)a0; + userDataPtr[1].DataPointer = (ulong)a1; + userDataPtr[2].DataPointer = (ulong)a2; + userDataPtr[5].DataPointer = (ulong)a3; + userDataPtr[6].DataPointer = (ulong)a4; + userDataPtr[7].DataPointer = (ulong)a5; + status = WriteEvent(ref eventDescriptor, argumentCount, (IntPtr)(userData)); + } + } + + return status; + } + + internal unsafe bool TemplateRegistry_value_set( + ref EventDescriptor eventDescriptor, + string RuleName, + string EventType, + string UtcTime, + Guid ProcessGuid, + uint ProcessId, + string Image, + string TargetObject, + string Details + ) + { + int argumentCount = 8; + bool status = true; + + if (IsEnabled(eventDescriptor.Level, eventDescriptor.Keywords)) + { + byte* userData = stackalloc byte[sizeof(EventData) * argumentCount]; + EventData* userDataPtr = (EventData*)userData; + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[0].Size = (uint)(RuleName.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[1].Size = (uint)(EventType.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[2].Size = (uint)(UtcTime.Length + 1) * sizeof(char); + + userDataPtr[3].DataPointer = (UInt64)(&ProcessGuid); + userDataPtr[3].Size = (uint)(sizeof(Guid)); + + userDataPtr[4].DataPointer = (UInt64)(&ProcessId); + userDataPtr[4].Size = (uint)(sizeof(int)); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[5].Size = (uint)(Image.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[6].Size = (uint)(TargetObject.Length + 1) * sizeof(char); + + // Value is a nul-terminated string 
(assume no embedded nuls): + userDataPtr[7].Size = (uint)(Details.Length + 1) * sizeof(char); + + fixed (char* a0 = RuleName, a1 = EventType, a2 = UtcTime, a3 = Image, a4 = TargetObject, a5 = Details) + { + userDataPtr[0].DataPointer = (ulong)a0; + userDataPtr[1].DataPointer = (ulong)a1; + userDataPtr[2].DataPointer = (ulong)a2; + userDataPtr[5].DataPointer = (ulong)a3; + userDataPtr[6].DataPointer = (ulong)a4; + userDataPtr[7].DataPointer = (ulong)a5; + status = WriteEvent(ref eventDescriptor, argumentCount, (IntPtr)(userData)); + } + } + + return status; + } + + internal unsafe bool TemplateSysmon_config_state_changed( + ref EventDescriptor eventDescriptor, + string UtcTime, + string Configuration, + string ConfigurationFileHash + ) + { + int argumentCount = 3; + bool status = true; + + if (IsEnabled(eventDescriptor.Level, eventDescriptor.Keywords)) + { + byte* userData = stackalloc byte[sizeof(EventData) * argumentCount]; + EventData* userDataPtr = (EventData*)userData; + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[0].Size = (uint)(UtcTime.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[1].Size = (uint)(Configuration.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[2].Size = (uint)(ConfigurationFileHash.Length + 1) * sizeof(char); + + fixed (char* a0 = UtcTime, a1 = Configuration, a2 = ConfigurationFileHash) + { + userDataPtr[0].DataPointer = (ulong)a0; + userDataPtr[1].DataPointer = (ulong)a1; + userDataPtr[2].DataPointer = (ulong)a2; + status = WriteEvent(ref eventDescriptor, argumentCount, (IntPtr)(userData)); + } + } + + return status; + } + + internal unsafe bool TemplateSysmon_service_state_changed( + ref EventDescriptor eventDescriptor, + string UtcTime, + string State, + string Version, + string SchemaVersion + ) + { + int argumentCount = 4; + bool status = true; + + if 
(IsEnabled(eventDescriptor.Level, eventDescriptor.Keywords)) + { + byte* userData = stackalloc byte[sizeof(EventData) * argumentCount]; + EventData* userDataPtr = (EventData*)userData; + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[0].Size = (uint)(UtcTime.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[1].Size = (uint)(State.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[2].Size = (uint)(Version.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[3].Size = (uint)(SchemaVersion.Length + 1) * sizeof(char); + + fixed (char* a0 = UtcTime, a1 = State, a2 = Version, a3 = SchemaVersion) + { + userDataPtr[0].DataPointer = (ulong)a0; + userDataPtr[1].DataPointer = (ulong)a1; + userDataPtr[2].DataPointer = (ulong)a2; + userDataPtr[3].DataPointer = (ulong)a3; + status = WriteEvent(ref eventDescriptor, argumentCount, (IntPtr)(userData)); + } + } + + return status; + } + + internal unsafe bool TemplateWmiEventConsumerToFilter_activity_detected( + ref EventDescriptor eventDescriptor, + string RuleName, + string EventType, + string UtcTime, + string Operation, + string User, + string Consumer, + string Filter + ) + { + int argumentCount = 7; + bool status = true; + + if (IsEnabled(eventDescriptor.Level, eventDescriptor.Keywords)) + { + byte* userData = stackalloc byte[sizeof(EventData) * argumentCount]; + EventData* userDataPtr = (EventData*)userData; + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[0].Size = (uint)(RuleName.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[1].Size = (uint)(EventType.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[2].Size = (uint)(UtcTime.Length + 1) * sizeof(char); + + // Value is a 
nul-terminated string (assume no embedded nuls): + userDataPtr[3].Size = (uint)(Operation.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[4].Size = (uint)(User.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[5].Size = (uint)(Consumer.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[6].Size = (uint)(Filter.Length + 1) * sizeof(char); + + fixed (char* a0 = RuleName, a1 = EventType, a2 = UtcTime, a3 = Operation, a4 = User, a5 = Consumer, a6 = Filter) + { + userDataPtr[0].DataPointer = (ulong)a0; + userDataPtr[1].DataPointer = (ulong)a1; + userDataPtr[2].DataPointer = (ulong)a2; + userDataPtr[3].DataPointer = (ulong)a3; + userDataPtr[4].DataPointer = (ulong)a4; + userDataPtr[5].DataPointer = (ulong)a5; + userDataPtr[6].DataPointer = (ulong)a6; + status = WriteEvent(ref eventDescriptor, argumentCount, (IntPtr)(userData)); + } + } + + return status; + } + + internal unsafe bool TemplateWmiEventConsumer_activity_detected( + ref EventDescriptor eventDescriptor, + string RuleName, + string EventType, + string UtcTime, + string Operation, + string User, + string Name, + string Type, + string Destination + ) + { + int argumentCount = 8; + bool status = true; + + if (IsEnabled(eventDescriptor.Level, eventDescriptor.Keywords)) + { + byte* userData = stackalloc byte[sizeof(EventData) * argumentCount]; + EventData* userDataPtr = (EventData*)userData; + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[0].Size = (uint)(RuleName.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[1].Size = (uint)(EventType.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[2].Size = (uint)(UtcTime.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no 
embedded nuls): + userDataPtr[3].Size = (uint)(Operation.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[4].Size = (uint)(User.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[5].Size = (uint)(Name.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[6].Size = (uint)(Type.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[7].Size = (uint)(Destination.Length + 1) * sizeof(char); + + fixed (char* a0 = RuleName, a1 = EventType, a2 = UtcTime, a3 = Operation, a4 = User, a5 = Name, a6 = Type, a7 = Destination) + { + userDataPtr[0].DataPointer = (ulong)a0; + userDataPtr[1].DataPointer = (ulong)a1; + userDataPtr[2].DataPointer = (ulong)a2; + userDataPtr[3].DataPointer = (ulong)a3; + userDataPtr[4].DataPointer = (ulong)a4; + userDataPtr[5].DataPointer = (ulong)a5; + userDataPtr[6].DataPointer = (ulong)a6; + userDataPtr[7].DataPointer = (ulong)a7; + status = WriteEvent(ref eventDescriptor, argumentCount, (IntPtr)(userData)); + } + } + + return status; + } + + internal unsafe bool TemplateWmiEventFilter_activity_detected( + ref EventDescriptor eventDescriptor, + string RuleName, + string EventType, + string UtcTime, + string Operation, + string User, + string EventNamespace, + string Name, + string Query + ) + { + int argumentCount = 8; + bool status = true; + + if (IsEnabled(eventDescriptor.Level, eventDescriptor.Keywords)) + { + byte* userData = stackalloc byte[sizeof(EventData) * argumentCount]; + EventData* userDataPtr = (EventData*)userData; + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[0].Size = (uint)(RuleName.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[1].Size = (uint)(EventType.Length + 1) * sizeof(char); + + // Value is a nul-terminated 
string (assume no embedded nuls): + userDataPtr[2].Size = (uint)(UtcTime.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[3].Size = (uint)(Operation.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[4].Size = (uint)(User.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[5].Size = (uint)(EventNamespace.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[6].Size = (uint)(Name.Length + 1) * sizeof(char); + + // Value is a nul-terminated string (assume no embedded nuls): + userDataPtr[7].Size = (uint)(Query.Length + 1) * sizeof(char); + + fixed (char* a0 = RuleName, a1 = EventType, a2 = UtcTime, a3 = Operation, a4 = User, a5 = EventNamespace, a6 = Name, a7 = Query) + { + userDataPtr[0].DataPointer = (ulong)a0; + userDataPtr[1].DataPointer = (ulong)a1; + userDataPtr[2].DataPointer = (ulong)a2; + userDataPtr[3].DataPointer = (ulong)a3; + userDataPtr[4].DataPointer = (ulong)a4; + userDataPtr[5].DataPointer = (ulong)a5; + userDataPtr[6].DataPointer = (ulong)a6; + userDataPtr[7].DataPointer = (ulong)a7; + status = WriteEvent(ref eventDescriptor, argumentCount, (IntPtr)(userData)); + } + } + + return status; + } + } +} \ No newline at end of file diff --git a/src/Utils.cs b/src/Utils.cs index fa8f0c2..2fa3208 100644 --- a/src/Utils.cs +++ b/src/Utils.cs 
@@ -36,9 +36,11 @@ public static void printHeader(){ string version = (Assembly.GetEntryAssembly().GetName().Version).ToString(); string header = String.Format(@" - MalwLess Simulation Tool v{0} + MalwLess Simulation Tool v{0}.1 Author: @n0dec - Site: https://github.com/n0dec/MalwLess +Modified by: @fusaty + Sites: https://github.com/n0dec/MalwLess + : https://github.com/fusaty/MalwLess-Modified ", version.Substring(0,version.IndexOf('.', version.IndexOf('.') + 1))); Console.WriteLine(header.Replace("\t", ""));