{"id":4935,"date":"2018-06-09T00:14:27","date_gmt":"2018-06-09T00:14:27","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=4935"},"modified":"2018-06-09T18:42:03","modified_gmt":"2018-06-09T18:42:03","slug":"logman-the-windows-volverine","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2018\/06\/09\/logman-the-windows-volverine\/","title":{"rendered":"Logman, the Windows volverine"},"content":{"rendered":"

Update<\/strong><\/p>\n

Coincidentally, @HECFBlog<\/a> @nicoleibrahim<\/a>\u00a0released<\/a> a tool ETL Parser that helps to at last extract raw buffers and as a result it produces a CSV file with data that can be analyzed row by row. This is the closest so far that I have seen for a tool to be able to help analyze the output of api trace log. Have a look at the screenshot:<\/p>\n

\"\"<\/a><\/p>\n

Old Post<\/strong><\/p>\n

Almost everyone is excited about .etl files that are produced as a result of Event Tracing for Windows<\/a>.<\/p>\n

Almost, because not me.<\/p>\n

This feature is so rich in … features. Except it’s only for MS internal consumption. At least, it seems to be the case in some very really interesting… well… cases…<\/p>\n

…<\/p>\n

It all started when I looked at the logman tool command line arguments; one that immediately caught my attention<\/a> was this one:<\/p>\n

logman create api<\/pre>\n
Aha… A basic API Monitor!<\/p>\n
\"\"<\/a><\/p>\n
But not only that. It allows to run API Monitoring across different systems!!!<\/p>\n
\"\"<\/a><\/p>\n
Oh… this could be a nice covert channel to transfer data between systems. Write one piece that constantly calls a monitored API and feeds it with the data to transfer, and then – on the other end – collect this data on the other system using logman tool. You could definitely implement it in a duplex set-up too.<\/p>\n
Simple.<\/p>\n
So I thought.<\/p>\n
First, I immediately tested the ‘create api’ bit it and it worked like a charm:<\/p>\n
logman create api foo -f bincirc -exe c:\\windows\\notepad.exe -o c:\\test\\notepad.etl\r\n\r\nlogman start foo<\/pre>\n
Now you have to simply run Notepad.exe (c:\\windows\\notepad.exe) and the .etl log will be created&updated as long as notepad.exe runs; the example content of the binary .etl file is as follows:<\/p>\n
\"\"<\/a>You can clearly see the APIs being recorded when Notepad is running:<\/p>\n