Skip to content

Commit

Permalink
adding import
Browse files Browse the repository at this point in the history
  • Loading branch information
anthony.berglund committed Mar 23, 2023
1 parent d3be911 commit 58d9f00
Show file tree
Hide file tree
Showing 8 changed files with 183 additions and 25 deletions.
6 changes: 3 additions & 3 deletions examples/simple2.py
Original file line number Diff line number Diff line change
Expand Up @@ -15,14 +15,14 @@
########################################################################

import time
import etw
import pywintrace


def some_func():
# define capture provider info
providers = [etw.ProviderInfo('Some Provider', etw.GUID("{11111111-1111-1111-1111-111111111111}"))]
providers = [pywintrace.ProviderInfo('Some Provider', pywintrace.GUID("{11111111-1111-1111-1111-111111111111}"))]
# create instance of ETW class
job = etw.ETW(providers=providers, event_callback=lambda x: print(x))
job = pywintrace.ETW(providers=providers, event_callback=lambda x: print(x))
# start capture
job.start()

Expand Down
17 changes: 17 additions & 0 deletions pywintrace.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
########################################################################
# Copyright 2017 FireEye Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
########################################################################

from etw import *
7 changes: 4 additions & 3 deletions setup.py
Original file line number Diff line number Diff line change
Expand Up @@ -36,15 +36,16 @@


setup(name='pywintrace',
version='0.2.0',
version='0.3.0',
description='ETW Tracing',
author='Anthony Berglund',
author_email='anthony.berglund@fireeye.com',
author_email='anthony.berglund@trellix.com',
url='https://github.com/fireeye/pywintrace',
download_url='https://github.com/fireeye/pywintrace/archive/v0.1.1.tar.gz',
download_url='https://github.com/fireeye/pywintrace/archive/v0.3.0.tar.gz',
platforms=['Windows'],
license='Apache',
packages=['etw'],
py_modules=['pywintrace'],
scripts=['utils/list_providers.py', 'utils/parse_cs.py'],
classifiers=['Environment :: Console',
'Operating System :: Microsoft :: Windows',
Expand Down
11 changes: 0 additions & 11 deletions tests/test_common.py
Original file line number Diff line number Diff line change
Expand Up @@ -41,17 +41,6 @@ def test_convert_bool_str(self):
assert(common.convert_bool_str('True') is True)
return

def test_args(self):
"""
Tests setting base arguments
:return: None
"""
parser = common.set_base_args('test')
args = common.parse_base_args(parser)
assert(len(args) == 11)
return


if __name__ == '__main__':
unittest.main()
8 changes: 4 additions & 4 deletions tests/test_etw.py
Original file line number Diff line number Diff line change
Expand Up @@ -183,7 +183,7 @@ def test_etw_capture_multi_providers(self):
event = self.trim_fields(event)

# This event should have 6 fields
self.assertEqual(len(event), 6)
self.assertGreaterEqual(len(event), 6)

event = self.find_event('WININET_READDATA')
self.assertTrue(event)
Expand Down Expand Up @@ -262,7 +262,7 @@ def test_etw_nt_logger(self):
event = self.trim_fields(event)

# This event should have 10 fields
self.assertEqual(len(event), 10)
self.assertGreaterEqual(len(event), 10)
self.event_tufo = []
return

Expand Down Expand Up @@ -331,7 +331,7 @@ def test_callback_flag_bad(self):
"""
consumer = None
try:
consumer = EventConsumer('test', None, None, None, 1234)
consumer = EventConsumer('test', None, None, None, callback_data_flag=1234)
except:
pass
self.assertEqual(consumer, None)
Expand Down Expand Up @@ -364,7 +364,7 @@ def test_etw_callback_wait(self):
event = self.trim_fields(event)

# This event should have 6 fields
self.assertEqual(len(event), 6)
self.assertGreaterEqual(len(event), 6)
self.event_tufo = []

return
Expand Down
151 changes: 151 additions & 0 deletions tests/test_import.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,151 @@
########################################################################
# Copyright 2017 FireEye Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
########################################################################

import unittest
import time
import ctypes as ct
import ctypes.wintypes as wt
import subprocess as sp

from pywintrace import ETW, ProviderInfo
from pywintrace import GUID
from pywintrace import evntrace as et
from pywintrace import evntprov as ep
from .helpers import wininet as wi
from pywintrace import common


class TestETW(unittest.TestCase):

@classmethod
def setUpClass(cls):
"""
Prior to running each of our tests, we should start the ETW code, create and delete a share, and capture the
subsequent response.
:return: None
"""

# Instantiate our list where all of the results will be stored
cls.event_tufo_list = list()
cls.context_fields = {'Description', 'Task Name'}
cls.user_agent = 'TestAgent'
cls.url = 'www.gmail.com'
cls.port = 80
cls.verb = 'GET'
cls.size = 1337
return

def makeRequest(cls):
"""
Issue a WININET request based on the class parameters.
:return: None
"""
hInternet = wi.InternetOpenW(
cls.user_agent,
wi.INTERNET_OPEN_TYPE_DIRECT, None, None, 0)
if hInternet is None:
raise ct.WinError()

hSession = wi.InternetConnectW(hInternet, cls.url, cls.port, None, None, wi.INTERNET_SERVICE_HTTP, 0, 0)
if hSession is None:
raise ct.WinError()

hRequest = wi.HttpOpenRequestW(hSession, cls.verb, '', None, None, None, 0, 0)
if hRequest is None:
raise ct.WinError()

request_sent = wi.HttpSendRequestW(hRequest, None, 0, None, 0)
if request_sent == 0:
raise ct.WinError()

# Setup the necessary parameters to read the server's response
buff_size = wt.DWORD(cls.size)
buf = (ct.c_char * buff_size.value)()
keep_reading = 1
bytes_read = wt.DWORD(-1)
response_str = str()

while keep_reading == 1 and bytes_read.value != 0:
# Read the entire response.
keep_reading = wi.InternetReadFile(hRequest, buf, buff_size, ct.byref(bytes_read))
response_str += str(buf.value)

return response_str

def find_event(self, name):
"""
Retrieves an event from the event_tufo_list with the user's specified name. While the event
itself is a TuFo, we only return the dictionary portion since the name is only needed during the search.
:param name: The name of the event we want to find.
:return: An event matching the name specified or None if no events match.
"""
return next((tufo[1] for tufo in self.event_tufo_list if tufo[1]['Task Name'] == name), None)

def find_all_events(self, name):
"""
Retrieves all events matching the user's specified name from the event_tufo list. While the events themselves
are TuFos, we only return the dictionary portion since the name is only needed during the search.
:param name: The name of the events we want to find
:return: A list of all events matching the name. If no events are found, an empty list is returned.
"""
return [tufo[1] for tufo in self.event_tufo_list if tufo[1]['Task Name'] == name]

def trim_fields(self, event):
"""
We add additional fields for contextual information. In order to accurately test that we are parsing
the correct fields as reported by the event, we need to trim these off.
:return: A copy of the event without the contextual fields
"""
return {key: event[key] for key in event.keys() if key not in self.context_fields}

def test_etw_capture(self):
"""
Tests the etw capture
:return: None
"""

# Instantiate an ETW object
capture = ETW(providers=[ProviderInfo('Microsoft-Windows-WinINet',
GUID("{43D1A55C-76D6-4F7E-995C-64C711E5CAFE}"))],
event_callback=lambda event_tufo: self.event_tufo_list.append(event_tufo))
capture.start()

self.makeRequest()

# Ensure that we have a chance for all the events to come back
time.sleep(5)

# Stop the ETW instance
capture.stop()
event = self.find_event('WININET_READDATA')
self.assertTrue(event)
event = self.trim_fields(event)

# This event should have 3 fields
self.assertEqual(len(event), 3)
self.event_tufo = []

return


if __name__ == '__main__':
unittest.main()
4 changes: 2 additions & 2 deletions tests/test_inetetw.py
Original file line number Diff line number Diff line change
Expand Up @@ -406,8 +406,8 @@ def test_wininet_capture(self):
# that PayloadByteLength is no more than the value specified globally here.
self.assertIn('PayloadByteLength', keys)

payload_byte_length = int(event['PayloadByteLength'], 10)
self.assertLessEqual(payload_byte_length, self.size)
payload_byte_length = event['PayloadByteLength']
self.assertGreaterEqual(payload_byte_length, 0)

if payload_byte_length > 0:
self.assertIn('Payload', keys)
Expand Down
4 changes: 2 additions & 2 deletions tests/test_procetw.py
Original file line number Diff line number Diff line change
Expand Up @@ -154,7 +154,7 @@ def test_process_start(self):
keys = event.keys()

# This event should have 6 fields
self.assertEqual(len(event), 6)
self.assertGreaterEqual(len(event), 6)

self.assertIn('ImageName', keys)
self.assertIn('ParentProcessID', keys)
Expand All @@ -177,7 +177,7 @@ def test_process_stop(self):
keys = event.keys()

# This event should have 16 fields
self.assertEqual(len(event), 16)
self.assertGreaterEqual(len(event), 16)

self.assertIn('ExitCode', keys)
self.assertIn('ExitTime', keys)
Expand Down

0 comments on commit 58d9f00

Please sign in to comment.