Panoptes 1.0.0
Endpoint Detection and Response
Loading...
Searching...
No Matches
Functions
panoptes_trace.h File Reference
#include <Windows.h>
#include <TraceLoggingProvider.h>

Go to the source code of this file.

Functions

void TraceInit ()
 
void TraceUninit ()
 
void Log_MailSlotOpen (HANDLE ProcessId, HANDLE ThreadId, PWCH FileName)
 Log a mail slot open event.
 
void Log_MailSlotCreate (HANDLE ProcessId, HANDLE ThreadId, PWCH FileName)
 Log a mail slot create event.
 
void Log_NamedPipeOpen (HANDLE ProcessId, HANDLE ThreadId, PWCH FileName)
 Log a named pipe open event.
 
void Log_NamedPipeCreate (HANDLE ProcessId, HANDLE ThreadId, PWCH FileName)
 Log a named pipe create event.
 
void Log_FileSuperseded (HANDLE ProcessId, HANDLE ThreadId, PWCH FileName)
 Log a file superseded event.
 
void Log_FileOverwritten (HANDLE ProcessId, HANDLE ThreadId, PWCH FileName)
 Log a file overwrite event.
 
void Log_FileOpen (HANDLE ProcessId, HANDLE ThreadId, PWCH FileName, BOOLEAN Oplocked)
 Log a file open event.
 
void Log_FileCreated (HANDLE ProcessId, HANDLE ThreadId, PWCH FileName, BOOLEAN Oplocked)
 Log a file create event.
 
void Log_FileRead (HANDLE ProcessId, HANDLE ThreadId, PWCH FileName, LARGE_INTEGER FileOffset, ULONG ReadLength, BOOLEAN Compressed)
 Log a file read event.
 
void Log_FileWrite (HANDLE ProcessId, HANDLE ThreadId, PWCH FileName, LARGE_INTEGER FileOffset, ULONG ReadLength, BOOLEAN Compressed)
 Log a file write event.
 

Function Documentation

◆ Log_FileCreated()

void Log_FileCreated ( HANDLE  ProcessId,
HANDLE  ThreadId,
PWCH  FileName,
BOOLEAN  Oplocked 
)

Log a file create event.

Parameters
ProcessIdThe ID of the process that created the file
ThreadIdThe ID of the thread that created the file
FileNameThe name of the file
OplockedWhether the file is oplocked

Definition at line 97 of file trace.cpp.

103{
104 TraceLoggingWrite(g_hPanoProvider, "FileCreated",
105 TraceLoggingValue(ProcessId, "SourceProcessId"),
106 TraceLoggingValue(ThreadId, "SourceThreadId"),
107 TraceLoggingWideString(FileName, "FileName"),
108 TraceLoggingBool(Oplocked, "Oplocked"));
109}

◆ Log_FileOpen()

void Log_FileOpen ( HANDLE  ProcessId,
HANDLE  ThreadId,
PWCH  FileName,
BOOLEAN  Oplocked 
)

Log a file open event.

Parameters
ProcessIdThe ID of the process that opened the file
ThreadIdThe ID of the thread that opened the file
FileNameThe name of the file
OplockedWhether the file is oplocked

Definition at line 111 of file trace.cpp.

117{
118 TraceLoggingWrite(g_hPanoProvider, "FileOpened",
119 TraceLoggingValue(ProcessId, "SourceProcessId"),
120 TraceLoggingValue(ThreadId, "SourceThreadId"),
121 TraceLoggingWideString(FileName, "FileName"),
122 TraceLoggingBool(Oplocked, "Oplocked"));
123}

◆ Log_FileOverwritten()

void Log_FileOverwritten ( HANDLE  ProcessId,
HANDLE  ThreadId,
PWCH  FileName 
)

Log a file overwrite event.

Parameters
ProcessIdThe ID of the process that overwrote the file
ThreadIdThe ID of the thread that overwrote the file
FileNameThe name of the file

Definition at line 125 of file trace.cpp.

130{
131 TraceLoggingWrite(g_hPanoProvider, "FileOverwritten",
132 TraceLoggingValue(ProcessId, "SourceProcessId"),
133 TraceLoggingValue(ThreadId, "SourceThreadId"),
134 TraceLoggingWideString(FileName, "FileName"));
135}

◆ Log_FileRead()

void Log_FileRead ( HANDLE  ProcessId,
HANDLE  ThreadId,
PWCH  FileName,
LARGE_INTEGER  FileOffset,
ULONG  ReadLength,
BOOLEAN  Compressed 
)

Log a file read event.

Parameters
ProcessIdThe ID of the process that read the file
ThreadIdThe ID of the thread that read the file
FileNameThe name of the file
FileOffsetThe offset of the file
ReadLengthThe length of the read
CompressedWhether the file is compressed

Definition at line 137 of file trace.cpp.

145{
146 TraceLoggingWrite(g_hPanoProvider, "FileRead",
147 TraceLoggingValue(ProcessId, "SourceProcessId"),
148 TraceLoggingValue(ThreadId, "SourceThreadId"),
149 TraceLoggingWideString(FileName, "FileName"),
150 TraceLoggingULong(ReadLength, "ReadLength"),
151 TraceLoggingValue(FileOffset.QuadPart, "FileOffset"),
152 TraceLoggingBoolean(Compressed, "CompressedFile"));
153}

◆ Log_FileSuperseded()

void Log_FileSuperseded ( HANDLE  ProcessId,
HANDLE  ThreadId,
PWCH  FileName 
)

Log a file superseded event.

Parameters
ProcessIdThe ID of the process that superseded the file
ThreadIdThe ID of the thread that superseded the file
FileNameThe name of the file

Definition at line 173 of file trace.cpp.

178{
179 TraceLoggingWrite(g_hPanoProvider, "FileSuperseded",
180 TraceLoggingValue(ProcessId, "SourceProcessId"),
181 TraceLoggingValue(ThreadId, "SourceThreadId"),
182 TraceLoggingWideString(FileName, "FileName"));
183}

◆ Log_FileWrite()

void Log_FileWrite ( HANDLE  ProcessId,
HANDLE  ThreadId,
PWCH  FileName,
LARGE_INTEGER  FileOffset,
ULONG  ReadLength,
BOOLEAN  Compressed 
)

Log a file write event.

Parameters
ProcessIdThe ID of the process that wrote the file
ThreadIdThe ID of the thread that wrote the file
FileNameThe name of the file
FileOffsetThe offset of the file
ReadLengthThe length of the write
CompressedWhether the file is compressed

Definition at line 155 of file trace.cpp.

163{
164 TraceLoggingWrite(g_hPanoProvider, "FileWrite",
165 TraceLoggingValue(ProcessId, "SourceProcessId"),
166 TraceLoggingValue(ThreadId, "SourceThreadId"),
167 TraceLoggingWideString(FileName, "FileName"),
168 TraceLoggingULong(ReadLength, "WriteLength"),
169 TraceLoggingValue(FileOffset.QuadPart, "FileOffset"),
170 TraceLoggingBoolean(Compressed, "CompressedFile"));
171}

◆ Log_MailSlotCreate()

void Log_MailSlotCreate ( HANDLE  ProcessId,
HANDLE  ThreadId,
PWCH  FileName 
)

Log a mail slot create event.

Parameters
ProcessIdThe ID of the process that created the mail slot
ThreadIdThe ID of the thread that created the mail slot
FileNameThe name of the mail slot

Definition at line 56 of file trace.cpp.

61{
62 TraceLoggingWrite(g_hPanoProvider, "MailSlotCreate",
63 TraceLoggingValue(ProcessId, "SourceProcessId"),
64 TraceLoggingValue(ThreadId, "SourceThreadId"),
65 TraceLoggingWideString(FileName, "MailSlotName"));
66}

◆ Log_MailSlotOpen()

void Log_MailSlotOpen ( HANDLE  ProcessId,
HANDLE  ThreadId,
PWCH  FileName 
)

Log a mail slot open event.

Parameters
ProcessIdThe ID of the process that opened the mail slot
ThreadIdThe ID of the thread that opened the mail slot
FileNameThe name of the mail slot

Definition at line 44 of file trace.cpp.

49{
50 TraceLoggingWrite(g_hPanoProvider, "MailSlotOpen",
51 TraceLoggingValue(ProcessId, "SourceProcessId"),
52 TraceLoggingValue(ThreadId, "SourceThreadId"),
53 TraceLoggingWideString(FileName, "MailSlotName"));
54}

◆ Log_NamedPipeCreate()

void Log_NamedPipeCreate ( HANDLE  ProcessId,
HANDLE  ThreadId,
PWCH  FileName 
)

Log a named pipe create event.

Parameters
ProcessIdThe ID of the process that created the named pipe
ThreadIdThe ID of the thread that created the named pipe
FileNameThe name of the named pipe

Definition at line 70 of file trace.cpp.

75{
76 TraceLoggingWrite(g_hPanoProvider, "NamedPipeCreate",
77 TraceLoggingValue(ProcessId, "SourceProcessId"),
78 TraceLoggingValue(ThreadId, "SourceThreadId"),
79 TraceLoggingWideString(FileName, "NamedPipeName"));
80}

◆ Log_NamedPipeOpen()

void Log_NamedPipeOpen ( HANDLE  ProcessId,
HANDLE  ThreadId,
PWCH  FileName 
)

Log a named pipe open event.

Parameters
ProcessIdThe ID of the process that opened the named pipe
ThreadIdThe ID of the thread that opened the named pipe
FileNameThe name of the named pipe

Definition at line 82 of file trace.cpp.

87{
88 TraceLoggingWrite(g_hPanoProvider, "NamedPipeOpen",
89 TraceLoggingValue(ProcessId, "SourceProcessId"),
90 TraceLoggingValue(ThreadId, "SourceThreadId"),
91 TraceLoggingWideString(FileName, "NamedPipeName"));
92}

◆ TraceInit()

void TraceInit ( )

Definition at line 10 of file trace.cpp.

11{
12 TraceLoggingRegister(g_hPanoProvider);
13}

◆ TraceUninit()

void TraceUninit ( )

Definition at line 15 of file trace.cpp.

16{
17 TraceLoggingUnregister(g_hPanoProvider);
18}
Generated by doxygen 1.9.8