SilkETW – Flexible C# Wrapper For ETW (Event Tracing for Windows)

SilkETW is a flexible C# wrapper for ETW ^(https://docs.microsoft.com/en-us/windows/desktop/etw/about-event-tracing). It is meant to abstract away the complexities of ETW and give people a simple interface to perform research and introspection. While SilkETW has obvious defensive (and offensive) applications, it is primarily a research tool in its current state.
For easy consumption, output data is serialized to JSON. The JSON data can either be analyzed locally using PowerShell or shipped off to 3rd party infrastructure such as Elasticsearch ^(https://www.elastic.co/).

SilkETW depends on the third-party packages listed below; see LICENSE-3RD-PARTY ^(https://github.com/fireeye/SilkETW/blob/master/LICENSE-3RD-PARTY.txt) for further details.

ModuleId                                 Version LicenseUrl
--------                                 ------- ----------
McMaster.Extensions.CommandLineUtils     2.3.2   https://licenses.nuget.org/Apache-2.0
Microsoft.Diagnostics.Tracing.TraceEvent 2.0.36  https://github.com/Microsoft/perfview/blob/master/LICENSE.TXT
Newtonsoft.Json                          12.0.1  https://licenses.nuget.org/MIT
System.ValueTuple                        4.4.0   https://github.com/dotnet/corefx/blob/master/LICENSE.TXT
YaraSharp                                1.3.1   https://github.com/stellarbear/YaraSharp/blob/master/LICENSE

Command Line Options
Command line usage is fairly straightforward, and user input is validated in the execution prologue. See the image below for further details.

JSON Output Structure
The JSON output, prior to serialization, is formatted according to the following C# struct.

public struct EventRecordStruct
{
    public Guid ProviderGuid;
    public List<string> YaraMatch;      // names of Yara rules that matched this event (empty if none)
    public string ProviderName;
    public string EventName;
    public TraceEventOpcode Opcode;
    public string OpcodeName;
    public DateTime TimeStamp;
    public int ThreadID;
    public int ProcessID;
    public string ProcessName;
    public int PointerSize;
    public int EventDataLength;
    public Hashtable XmlEventData;      // provider- and event-specific fields; keys vary per event
}

Note that, depending on the provider and the event type, the contents of the XmlEventData hash table will vary. Sample JSON output can be seen below for “Microsoft-Windows-Kernel-Process” -> “ThreadStop/Stop”.

{
    "ProviderGuid":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716",
    "YaraMatch":[

    ],
    "ProviderName":"Microsoft-Windows-Kernel-Process",
    "EventName":"ThreadStop/Stop",
    "Opcode":2,
    "OpcodeName":"Stop",
    "TimeStamp":"2019-03-03T17:58:14.2862348+00:00",
    "ThreadID":11996,
    "ProcessID":8416,
    "ProcessName":"",
    "PointerSize":8,
    "EventDataLength":76,
    "XmlEventData":{
        "FormattedMessage":"Thread 11,996 (in Process 8,416) stopped. ",
        "StartAddr":"0x7fffe299a110",
        "ThreadID":"11,996",
        "UserStackLimit":"0x3d632000",
        "StackLimit":"0xfffff38632d39000",
        "MSec":"560.5709",
        "TebBase":"0x91c000",
        "CycleTime":"4,266,270",
        "ProcessID":"8,416",
        "PID":"8416",
        "StackBase":"0xfffff38632d40000",
        "SubProcessTag":"0",
        "TID":"11996",
        "ProviderName":"Microsoft-Windows-Kernel-Process",
        "PName":"",
        "UserStackBase":"0x3d640000",
        "EventName":"ThreadStop/Stop",
        "Win32StartAddr":"0x7fffe299a110"
    }
}

Usage

Filter data in PowerShell
You can import JSON output from SilkETW in PowerShell using the following simple function. SilkETW writes one JSON object per line, so each line is converted separately.

function Get-SilkData {
    param($Path)
    $JSONObject = @()
    # Each line of the output file is a complete JSON document (one event per line)
    Get-Content $Path | ForEach-Object {
        $JSONObject += $_ | ConvertFrom-Json
    }
    $JSONObject
}

In the example below we will collect process event data from the Kernel provider and use image loads to identify Mimikatz execution. We can collect the required data with the following command.

SilkETW.exe -t kernel -kk ImageLoad -ot file -p C:\Users\b33f\Desktop\mimikatz.json

With data in hand it is easy to sort, grep and filter for the properties we are interested in.
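The same sort-and-filter step, written as an added Python example rather than the page's own PowerShell, covering both the variable XmlEventData layout described under "JSON Output Structure" and the image-load triage above. It reads SilkETW's newline-delimited JSON, tolerates a truncated last line, groups image loads per process and flags processes whose loaded images match a watch pattern. The sample records are constructed here; the kernel provider name, the "Image/Load" event name and the "FileName" key are assumptions about the kernel ImageLoad event shape, not values taken from the page, and the placeholder GUID, PIDs and paths are made up.

```python
import json
import re
from collections import defaultdict

# Constructed SilkETW-style records (one JSON object per line, matching the
# EventRecordStruct on the page). Provider/event names, the XmlEventData keys
# and all PIDs/paths below are assumptions for illustration only.
def _rec(event_name, pid, data, provider="Windows Kernel"):
    return json.dumps({
        "ProviderGuid": "00000000-0000-0000-0000-000000000000",  # placeholder GUID
        "YaraMatch": [],
        "ProviderName": provider,
        "EventName": event_name,
        "Opcode": 0,
        "OpcodeName": "Load",
        "TimeStamp": "2019-03-03T17:58:14.2862348+00:00",
        "ThreadID": 1,
        "ProcessID": pid,
        "ProcessName": "",
        "PointerSize": 8,
        "EventDataLength": 0,
        "XmlEventData": data,
    })

SAMPLE_NDJSON = "\n".join([
    _rec("Image/Load", 4242, {"FileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\ntdll.dll", "ProcessID": "4,242"}),
    _rec("Image/Load", 4242, {"FileName": "\\Device\\HarddiskVolume2\\Users\\b33f\\Desktop\\mimikatz.exe", "ProcessID": "4,242"}),
    _rec("Image/Load", 1337, {"FileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\notepad.exe", "ProcessID": "1,337"}),
    _rec("Image/Load", 1337, {"FileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\kernel32.dll", "ProcessID": "1,337"}),
    # A different event type from the same trace: its XmlEventData has no FileName key.
    _rec("ThreadStop/Stop", 8416, {"TID": "11996"}, provider="Microsoft-Windows-Kernel-Process"),
    # A capture interrupted mid-write leaves a truncated final line.
    '{"ProviderGuid":"00000000-0000-0000-0000-000000000000","EventName":"Image/Lo',
])


def load_silk_events(text):
    """Parse newline-delimited SilkETW JSON, skipping blank and truncated lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            # Drop a partial record instead of aborting the whole analysis.
            continue
    return events


def image_loads_by_process(events):
    """Group image-load file names by top-level ProcessID.

    XmlEventData keys vary per event, so every lookup uses .get() and an
    event without a FileName is simply ignored.
    """
    loads = defaultdict(list)
    for ev in events:
        if ev.get("EventName") != "Image/Load":
            continue
        data = ev.get("XmlEventData") or {}
        name = data.get("FileName")
        if name:
            loads[ev.get("ProcessID")].append(name)
    return dict(loads)


def flag_processes(events, patterns):
    """Return {pid: [matching image paths]} for processes that loaded an image
    matching any of the case-insensitive regex patterns."""
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    hits = {}
    for pid, names in image_loads_by_process(events).items():
        matched = [n for n in names if any(rx.search(n) for rx in compiled)]
        if matched:
            hits[pid] = matched
    return hits


if __name__ == "__main__":
    evs = load_silk_events(SAMPLE_NDJSON)
    for pid, images in flag_processes(evs, [r"mimikatz"]).items():
        print(f"PID {pid} loaded: {images}")
```

To use this on a real capture, replace SAMPLE_NDJSON with the contents of the file given to -p; the watch patterns are plain regular expressions, so a list of known tool or DLL names can be kept alongside the script.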

Yara
SilkETW includes Yara functionality to filter or tag event data. Again, this has obvious defensive capabilities but it can just as easily be used to augment your ETW research.
In this example we will use the following Yara rule to detect Seatbelt execution in memory through Cobalt Strike’s execute-assembly.

rule Seatbelt_GetTokenInformation
{
    strings:
        $s1 = "ManagedInteropMethodName=GetTokenInformation" ascii wide nocase
        $s2 = "TOKEN_INFORMATION_CLASS" ascii wide nocase
        $s3 = /bool\(native int,valuetype \w+\.\w+\/\w+,native int,int32,int32&/
        $s4 = "locals (int32,int64,int64,int64,int64,int32& pinned,bool,int32)" ascii wide nocase

    condition:
        all of ($s*)
}

We can start collecting .Net ETW data with the following command. The “-yo” option here indicates that we should only write Yara matches to disk!

SilkETW.exe -t user -pn Microsoft-Windows-DotNETRuntime -uk 0x2038 -l verbose -y C:\Users\b33f\Desktop\yara -yo matches -ot file -p C:\Users\b33f\Desktop\yara.json

We can see at runtime that our Yara rule was hit.

Note also that we are only capturing a subset of the “Microsoft-Windows-DotNETRuntime” events (keyword mask 0x2038), specifically: JitKeyword, InteropKeyword, LoaderKeyword and NGenKeyword.
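A small added helper (not part of SilkETW) for checking a -uk keyword mask before running a capture: it builds the mask from keyword names and decodes a mask back into names, reporting any bits that are not in its table so a mistyped value is noticed. The bit values come from the CLR ETW keyword definitions for Microsoft-Windows-DotNETRuntime; the four keywords named on the page are included along with a few other common ones, and the table is deliberately partial.

```python
# Keyword bits of the Microsoft-Windows-DotNETRuntime provider, from the CLR
# ETW keyword definitions. Partial table: the four keywords named on the page
# plus a few other commonly used ones.
DOTNET_RUNTIME_KEYWORDS = {
    "GCKeyword": 0x1,
    "LoaderKeyword": 0x8,
    "JitKeyword": 0x10,
    "NGenKeyword": 0x20,
    "SecurityKeyword": 0x400,
    "InteropKeyword": 0x2000,
    "ContentionKeyword": 0x4000,
    "ExceptionKeyword": 0x8000,
}


def keyword_mask(names):
    """OR the named keywords into a -uk value; an unknown name is an error
    rather than a silently missing bit."""
    mask = 0
    for name in names:
        if name not in DOTNET_RUNTIME_KEYWORDS:
            raise ValueError(f"unknown DotNETRuntime keyword: {name}")
        mask |= DOTNET_RUNTIME_KEYWORDS[name]
    return mask


def decode_mask(mask):
    """Split a -uk mask into (known keyword names, leftover bits).

    Leftover bits are set bits the table does not know about; a non-zero
    value means the mask enables something this table cannot name.
    """
    names = [n for n, bit in DOTNET_RUNTIME_KEYWORDS.items() if mask & bit]
    known = 0
    for bit in DOTNET_RUNTIME_KEYWORDS.values():
        known |= bit
    return names, mask & ~known


if __name__ == "__main__":
    # The mask used on the page: -uk 0x2038
    print(hex(keyword_mask(["JitKeyword", "InteropKeyword", "LoaderKeyword", "NGenKeyword"])))
    print(decode_mask(0x2038))
```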

Changelog
For details on version specific changes, please refer to the Changelog ^(https://github.com/fireeye/SilkETW/blob/master/Changelog.txt).

Download SilkETW ^(https://github.com/fireeye/SilkETW)
