
ETW-Almulahaza - new python-based tool


About the tool

ETW-Almulahaza is a Python-based ETW consumer tool that I have created and will keep updating. It helps you monitor ETW traces to see what happens when you execute a piece of malware or a tool. The tool is built on FireEye's pywintrace.

Event Tracing for Windows (ETW) provides a mechanism to trace and log events that are raised by user-mode applications and kernel-mode drivers. ETW is implemented in the Windows operating system and provides developers a fast, reliable, and versatile set of event tracing features. (Microsoft documentation.)

The initial version (0.0.1), which I have just published, supports monitoring of one or more specified PIDs, as well as monitoring of explorer.exe. It also tracks the child processes of the monitored processes and their thread IDs.

Some of the features that I would like to add are as follows:

  • Add a config file to specify the providers and task names to monitor. This config file can be read while the tool is running.
  • Convert the output into other formats so that analysts can act on it during their operations. I am open to proposals :).
  • Add providers on the fly to monitor new events, for example file events, registry events, Defender events, etc.
  • Create graphical visualizations to show the genealogy of the processes and the events generated by each process (files created|read|modified, registry keys created|modified|deleted, etc.).
  • Identify possible process injection and other techniques.
  • Create logic according to the types of events generated.
  • And many other features!

You can see the Github project here: https://github.com/jstnk9/ETW-Almulahaza

Example

[Image: ptree, the tool's process-tree output]

The image above shows an example of monitoring cmd.exe. You can see all the threads and subprocesses generated by each process. Also, when a monitored process exits, the terminal updates the output by adding the word "stopped" next to it.
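To make the behaviour described above (watch a set of PIDs, follow their children and thread IDs, mark processes as "stopped") concrete, here is an added example of the core tracking logic. It is my own illustration, not code from ETW-Almulahaza or from pywintrace. It assumes events arrive as (event_id, event_dict) tuples, the shape pywintrace passes to its event_callback, with the event IDs and field names of the Microsoft-Windows-Kernel-Process provider (1 ProcessStart, 2 ProcessStop, 3 ThreadStart, 4 ThreadStop; fields ProcessID, ParentProcessID, ImageName, ThreadID). The class names, the run_live() hook-up and the provider GUID in it are assumptions for this example; the sample event stream is constructed so the tracker runs offline.

```python
"""Minimal process-tree tracker fed by Kernel-Process ETW events.

Added example, not part of ETW-Almulahaza. Events are consumed as
(event_id, event_dict) tuples (assumed pywintrace callback shape). Event IDs
follow the Microsoft-Windows-Kernel-Process provider:
  1 ProcessStart, 2 ProcessStop, 3 ThreadStart, 4 ThreadStop.
"""
from __future__ import annotations

from dataclasses import dataclass, field

PROCESS_START, PROCESS_STOP, THREAD_START, THREAD_STOP = 1, 2, 3, 4


@dataclass
class ProcNode:
    pid: int
    image: str
    parent: int | None
    threads: set[int] = field(default_factory=set)
    children: list[int] = field(default_factory=list)
    stopped: bool = False


class ProcessTreeTracker:
    """Tracks the watched PIDs, every descendant they spawn, and their live threads."""

    def __init__(self, watch: dict[int, str]):
        # Roots are already running when tracing starts, so their ProcessStart
        # is never observed; the caller supplies pid -> image name.
        self.roots = sorted(watch)
        self.nodes: dict[int, ProcNode] = {
            pid: ProcNode(pid, name, None) for pid, name in watch.items()
        }

    def handle(self, event: tuple[int, dict]) -> None:
        event_id, data = event
        pid = int(data["ProcessID"])
        if event_id == PROCESS_START:
            ppid = int(data["ParentProcessID"])
            if ppid in self.nodes:  # only follow children of tracked processes
                self.nodes[pid] = ProcNode(pid, data.get("ImageName", "?"), ppid)
                self.nodes[ppid].children.append(pid)
        elif pid not in self.nodes:
            return  # thread/stop event for an unrelated process
        elif event_id == PROCESS_STOP:
            self.nodes[pid].stopped = True  # keep the node so the tree shows "stopped"
        elif event_id == THREAD_START:
            self.nodes[pid].threads.add(int(data["ThreadID"]))
        elif event_id == THREAD_STOP:
            self.nodes[pid].threads.discard(int(data["ThreadID"]))

    def render(self) -> list[str]:
        """Indented tree, one line per process, with live thread IDs."""
        lines: list[str] = []

        def walk(pid: int, depth: int) -> None:
            n = self.nodes[pid]
            tag = " stopped" if n.stopped else ""
            tids = ",".join(str(t) for t in sorted(n.threads))
            lines.append(f"{'  ' * depth}{n.image} ({pid}){tag} threads=[{tids}]")
            for child in n.children:
                walk(child, depth + 1)

        for root in self.roots:
            walk(root, 0)
        return lines


# Constructed sample stream imitating Kernel-Process payloads: cmd.exe (4242)
# spawns whoami.exe, which exits, then powershell.exe, which spawns net.exe.
# PID 7000 is an unrelated process and must be ignored.
SAMPLE_EVENTS = [
    (THREAD_START, {"ProcessID": 4242, "ThreadID": 4300}),
    (PROCESS_START, {"ProcessID": 5100, "ParentProcessID": 4242, "ImageName": "whoami.exe"}),
    (THREAD_START, {"ProcessID": 5100, "ThreadID": 5104}),
    (PROCESS_START, {"ProcessID": 7000, "ParentProcessID": 999, "ImageName": "svchost.exe"}),
    (THREAD_STOP, {"ProcessID": 5100, "ThreadID": 5104}),
    (PROCESS_STOP, {"ProcessID": 5100}),
    (PROCESS_START, {"ProcessID": 5200, "ParentProcessID": 4242, "ImageName": "powershell.exe"}),
    (PROCESS_START, {"ProcessID": 5300, "ParentProcessID": 5200, "ImageName": "net.exe"}),
]


def demo() -> ProcessTreeTracker:
    tracker = ProcessTreeTracker({4242: "cmd.exe"})
    for ev in SAMPLE_EVENTS:
        tracker.handle(ev)
    return tracker


def run_live(tracker: ProcessTreeTracker, seconds: int = 30) -> None:
    """Feed the tracker from a real session via pywintrace (Windows only, run
    elevated). Not executed in this example; the etw.ETW/ProviderInfo usage and
    the Kernel-Process provider GUID are assumptions taken from pywintrace's
    README and the provider manifest."""
    import time
    import etw  # pywintrace

    provider = etw.ProviderInfo(
        "Microsoft-Windows-Kernel-Process",
        etw.GUID("{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}"),
    )
    job = etw.ETW(providers=[provider], event_callback=tracker.handle)
    job.start()
    try:
        time.sleep(seconds)
    finally:
        job.stop()
    print("\n".join(tracker.render()))


if __name__ == "__main__":
    print("\n".join(demo().render()))
```

The tracker deliberately keeps stopped nodes in the tree rather than deleting them, which is what lets the output show "stopped" next to a finished child. One caveat worth handling in a real consumer: Windows reuses PIDs, so a ProcessStart for a PID that already exists in the tree should be treated as a new process (this example simply overwrites the old node).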

Contact

Twitter: https://twitter.com/Joseliyo_Jstnk

LinkedIn: https://www.linkedin.com/in/joseluissm/

GitHub Project: https://github.com/jstnk9/ETW-Almulahaza

References and acknowledgments