How to Use Event Tracing for Windows (ETW)

Last updated: 30/06/2025
Author: Ishaku
  • ETW lets you capture operating system and application events, both in user space and in the kernel, and is key for debugging and performance analysis.
  • There are several kinds of ETW providers, such as MOF, WPP, manifest-based, or TraceLogging, each with its own structure and complexity.
  • ETW can be worked with using tools such as logman, wpr, and PerfView, which are suited to creating trace sessions, capturing data, and analyzing it.
  • ETW is essential for EDR/XDR solutions and forensic analysis, making it possible to recover events from memory even if an attacker has deleted the files.

Event Tracing for Windows

Event Tracing for Windows (ETW) is one of the most powerful tools in the Microsoft environment, yet also one of the least known to many developers and security professionals. This framework lets you monitor, capture, and analyze the events generated by the operating system and by applications, in both user mode and kernel mode.

Used both for advanced debugging and for forensic analysis or threat detection, ETW gives deep visibility into what is happening at the system level with minimal performance impact. In this article we look in detail at how ETW works, which tools to use, how to configure it, what kind of data can be obtained, and how to make use of it from different environments such as .NET, PowerShell, or even directly from memory.

What is ETW and why is it so powerful?

Event Tracing for Windows is the event tracing framework built into the Windows kernel. It was designed to let developers and administrators record and consume event streams in real time or from log files (.etl). ETW is extremely useful because it can be used by:

  • User-mode applications, written mainly in C or C++
  • Kernel drivers
  • EDR and antivirus systems
  • Security services or analysts

It works on a model built around three main roles: providers (which generate events), controllers (which set up and manage trace sessions), and consumers (which read the events).

Key components of the ETW ecosystem


ETW's operating model rests on several architectural components that keep event generators and event consumers separate:


1. Providers

These are the system components or applications that emit events. There are several kinds:

  • MOF-based providers: they use the Managed Object Format. They have a complex structure and are falling out of use.
  • WPP providers: used mostly in drivers for debugging.
  • Manifest-based providers: the most common today. They use an XML manifest that describes the structure of the events.
  • TraceLogging providers: a simpler alternative suited to modern applications.

2. Controllers

They are responsible for starting, stopping, or configuring trace sessions. For example, a tool like logman acts as a controller, letting you set which providers are enabled and where the events are written.

3. Consumers

These are applications or scripts that read the events, either in real time or from .etl files. Some well-known examples are:

  • Event Viewer
  • Windows Performance Analyzer (WPA)
  • PerfView
  • EDR systems such as Microsoft Defender for Endpoint

What is ETW used for?

ETW is used extensively across the Microsoft ecosystem, from internal processes to commercial solutions. Some scenarios include:

  • Debugging applications in real time
  • Performance monitoring (CPU, IO, network…)
  • Debugging kernel-mode drivers
  • Threat prevention and detection with EDR/XDR
  • Digital forensic analysis

How to interact with ETW: useful tools

There are many tools that let you work with ETW from different angles:

Logman.exe

A command-line tool built into Windows; it does not require administrative privileges for many operations. It lets you list the available providers and active sessions, and set up new sessions:

  • logman query providers: lists all ETW providers
  • logman start miSesion -p {GUID} -o c:\logs\miSesion.etl -ets: starts a trace session
  • logman stop miSesion -ets: stops the session

WPR.exe and WPA.exe

Windows Performance Recorder (WPR) is used to start or stop trace sessions, and Windows Performance Analyzer (WPA) lets you analyze them visually. They are commonly used in advanced development or debugging environments:

  • wpr -start CPU -start FileIO -start DiskIO
  • wpr -stop resultado.etl

PerfView

A tool created by Microsoft for analyzing performance during development. It generates traces, groups asynchronous activity, and simplifies complex debugging. It also allows circular (round-robin) capture sessions so the trace does not grow without bound:

perfview -ThreadTime -CircularMB:500 -LogFile:salida.log -Merge:true collect

The generated files (.etl and .etl.ngenpdb) can be opened directly in WPA.


Understanding ETW manifests

Manifest-based providers define all their events through an XML file. This manifest includes information such as:

  • Provider: name, GUID, and resource files
  • Channels: the output channel (for example Application, System)
  • Levels: the severity level of the event (Critical, Error, Verbose…)
  • Tasks and Opcodes: group events by task and type of operation
  • Keywords: filtering by event category
  • Maps: map numeric values to human-readable text
  • Templates: define the structure of the data included in the events
  • Events: define each event with its ID, task, opcode, level, and template
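As an added example (not code from the article), the following Python parses a constructed manifest of this shape and works out, from its keyword masks and levels, which event IDs a controller actually receives when it enables the provider with a given level and keyword mask; the provider name and GUID are placeholders.

```python
"""Work out which events of a manifest-based provider a controller receives for
a given level and keyword mask. Added example; the manifest is constructed."""
import functools
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.microsoft.com/win/2004/08/events"}
# Constructed manifest for a hypothetical provider (the GUID is a placeholder).
MANIFEST = """<instrumentationManifest xmlns="http://schemas.microsoft.com/win/2004/08/events">
 <instrumentation><events>
  <provider name="Example-Provider" guid="{00000000-0000-0000-0000-000000000001}">
   <keywords>
    <keyword name="Network" mask="0x1"/>
    <keyword name="Process" mask="0x2"/>
    <keyword name="Registry" mask="0x4"/>
   </keywords>
   <events>
    <event value="1" level="win:Informational" keywords="Process"/>
    <event value="2" level="win:Verbose" keywords="Network"/>
    <event value="3" level="win:Error" keywords="Process Network"/>
    <event value="4" level="win:Informational" keywords="Registry"/>
    <event value="5" level="win:Critical"/>
   </events>
  </provider>
 </events></instrumentation>
</instrumentationManifest>"""
# Standard win: levels; lower numbers are more severe.
LEVELS = {"win:Critical": 1, "win:Error": 2, "win:Warning": 3,
          "win:Informational": 4, "win:Verbose": 5}

def keyword_mask(keywords, names):
    """OR keyword names into the MatchAnyKeyword mask passed when enabling."""
    return functools.reduce(lambda mask, name: mask | keywords[name], names, 0)

def load_provider(xml_text):
    """Return (guid, {keyword name: bit mask}, [event dicts]) for the provider."""
    prov = ET.fromstring(xml_text).find(".//m:provider", NS)
    keywords = {k.get("name"): int(k.get("mask"), 16)
                for k in prov.findall("m:keywords/m:keyword", NS)}
    events = [{"id": int(ev.get("value")), "level": LEVELS[ev.get("level")],
               # the keywords attribute is a space-separated list of names
               "keywords": keyword_mask(keywords, (ev.get("keywords") or "").split())}
              for ev in prov.findall("m:events/m:event", NS)]
    return prov.get("guid"), keywords, events

def select_events(events, level, mask):
    """IDs delivered for an enable call: level 0 means every level, mask 0 means
    every keyword, and an event declaring no keywords always matches."""
    return sorted(e["id"] for e in events
                  if (level == 0 or e["level"] <= level)
                  and (mask == 0 or e["keywords"] == 0 or e["keywords"] & mask))
```

The same mask and level are what you pass after the provider GUID when enabling it in a logman session, so this is a quick way to check a filter before starting a capture.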

Capturing and analyzing ETW traces

Once a trace (.etl file) has been captured, it can be converted to other formats or examined directly:

  • tracerpt archivo.etl -o archivo.xml: exports to XML
  • tracerpt archivo.etl -o archivo.evtx -of EVTX: converts to the Event Viewer format
  • xperf -i archivo.etl -o archivo.csv: converts to CSV

It is also possible to view the trace directly with PerfView, or to define an automatic session from boot using an autologger:

wpr -boottrace -addboot FileIO
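An added example, not from the article: Python that reads the XML produced by the tracerpt export above, flattens each event (provider, ID, level, keyword mask, PID, timestamp, EventData fields) into a record, and builds a per-process summary together with the list of Error and Critical events; the sample export is constructed with a placeholder provider name and GUID.

```python
"""Summarize a `tracerpt trace.etl -o trace.xml` export per process. Added example, not
from the article; the XML is constructed (placeholder GUID) in the event schema tracerpt writes."""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
EXPORT = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <Provider Name="Example-Provider" Guid="{00000000-0000-0000-0000-0000000000aa}"/>
 <EventID>1</EventID><Level>4</Level><Keywords>0x8000000000000002</Keywords>
 <TimeCreated SystemTime="2025-06-30T10:00:01.000000Z"/><Execution ProcessID="4242" ThreadID="8"/>
</System><EventData><Data Name="ImageName">example.exe</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <Provider Name="Example-Provider" Guid="{00000000-0000-0000-0000-0000000000aa}"/>
 <EventID>2</EventID><Level>5</Level><Keywords>0x8000000000000001</Keywords>
 <TimeCreated SystemTime="2025-06-30T10:00:00.000000Z"/><Execution ProcessID="7777" ThreadID="3"/>
</System><EventData><Data Name="Target">198.51.100.7:443</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <Provider Name="Example-Provider" Guid="{00000000-0000-0000-0000-0000000000aa}"/>
 <EventID>3</EventID><Level>2</Level><Keywords>0x8000000000000003</Keywords>
 <TimeCreated SystemTime="2025-06-30T10:00:02.000000Z"/><Execution ProcessID="4242" ThreadID="8"/>
</System><EventData><Data Name="Reason">access denied</Data></EventData></Event>
</Events>"""

def parse_events(xml_text):
    """Flatten each <Event> into a dict; <Data Name=...> fields are added by name."""
    out = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        s = ev.find("e:System", NS)
        rec = {"provider": s.find("e:Provider", NS).get("Name"),
               "id": int(s.findtext("e:EventID", namespaces=NS)),
               "level": int(s.findtext("e:Level", namespaces=NS)),
               "keywords": int(s.findtext("e:Keywords", namespaces=NS), 16),
               "time": s.find("e:TimeCreated", NS).get("SystemTime"),
               "pid": int(s.find("e:Execution", NS).get("ProcessID"))}
        for d in ev.findall("e:EventData/e:Data", NS):
            rec[d.get("Name")] = d.text
        out.append(rec)
    return sorted(out, key=lambda r: r["time"])  # chronological order

def events_per_process(records):
    """{pid: Counter of (provider, event id)}: a quick per-process activity view."""
    per = defaultdict(Counter)
    for r in records:
        per[r["pid"]][(r["provider"], r["id"])] += 1
    return dict(per)

def errors(records, max_level=2):
    # Critical (1) and Error (2) events are usually the first ones to triage.
    return [(r["time"], r["pid"], r["id"]) for r in records if r["level"] <= max_level]
```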

.NET and ETW

In .NET you can use the TraceProcessing API to process the events generated by applications and other components. It is available as a NuGet package and is used by Microsoft's own engineers.

Security use cases: EDR/XDR and threat hunting

ETW is the backbone of endpoint detection and response (EDR/XDR) solutions. It integrates deeply with the system and makes it possible to detect behaviors such as:

  • Suspicious process creation
  • Registry modifications
  • Unusual network connections
  • Access to critical system resources

For example, techniques such as DCSync can be detected using the domain controller replication providers.

Forensic analysis with ETW

Advanced analysis even allows ETW events to be recovered from RAM if an attacker has wiped them from disk. This is achieved by accessing internal structures such as:

  • _WMI_LOGGER_CONTEXT: contains lists such as GlobalList or BufferQueue
  • _ETW_REALTIME_CONSUMER: gives access to UserBufferListHead

Tools such as the JPCERT Volatility3 plugin make it possible to recover and examine these traces directly from a RAM dump. They can then be processed with tracefmt or WPA to identify DNS access, network traffic, blocked threats, and more.

This framework offers a detailed view of the operating system and application layers, letting you spot problems, optimize software, and detect anomalous behavior. Although it has a steep learning curve, mastering its tools and structures gives a unique advantage in modern Windows environments.
