atomicshop 2.12.24__py3-none-any.whl → 2.12.25__py3-none-any.whl

atomicshop/__init__.py

@@ -1,4 +1,4 @@
 """Atomic Basic functions and classes to make developer life easier"""
 
 __author__ = "Den Kras"
-__version__ = '2.12.24'
+__version__ = '2.12.25'

atomicshop/etw/providers.py

@@ -0,0 +1,5 @@
+from ..wrappers.ctyping.etw_winapi import etw_functions
+
+
+def get_providers():
+    return etw_functions.get_all_providers()

atomicshop/etw/sessions.py

@@ -12,3 +12,32 @@ def stop_and_delete(session_name) -> tuple[bool, int]:
     """
 
     return etw_functions.stop_and_delete_etw_session(session_name)
+
+
+def get_running_list() -> list[dict]:
+    """
+    List all running ETW sessions.
+
+    :return: A list of strings containing the names of all running ETW sessions.
+    """
+
+    return etw_functions.list_etw_sessions()
+
+
+def is_session_running(session_name: str) -> bool:
+    """
+    Check if an ETW session is running.
+
+    :param session_name: The name of the session to check.
+    :return: A boolean indicating if the session is running.
+    """
+
+    # Get all running sessions.
+    running_sessions = get_running_list()
+
+    # Check if the session is in the list of running sessions.
+    for session in running_sessions:
+        if session['session_name'] == session_name:
+            return True
+
+    return False

atomicshop/etw/trace.py

@@ -5,6 +5,7 @@ import sys
 import etw
 
 from ..print_api import print_api
+from . import sessions
 
 
 class EventTrace(etw.ETW):
@@ -13,7 +14,8 @@ class EventTrace(etw.ETW):
             providers: list,
             event_callback=None,
             event_id_filters: list = None,
-            session_name: str = None
+            session_name: str = None,
+            close_existing_session_name: bool = True
     ):
         """
         :param providers: List of tuples with provider name and provider GUID.
@@ -23,6 +25,7 @@ class EventTrace(etw.ETW):
         :param event_id_filters: List of event IDs that we want to filter. If not provided, all events will be returned.
             The default in the 'etw.ETW' method is 'None'.
         :param session_name: The name of the session to create. If not provided, a UUID will be generated.
+        :param close_existing_session_name: Boolean to close existing session names.
         ------------------------------------------
         You should stop the ETW tracing when you are done with it.
             'pywintrace' module starts a new session for ETW tracing, and it will not stop the session when the script
@@ -42,6 +45,7 @@ class EventTrace(etw.ETW):
             atexits.run_callable_on_exit_and_signals(EventTrace.stop)
         """
         self.event_queue = queue.Queue()
+        self.close_existing_session_name: bool = close_existing_session_name
 
         # If no callback function is provided, we will use the default one, which will put the event in the queue.
         if not event_callback:
@@ -61,6 +65,17 @@ class EventTrace(etw.ETW):
         )
 
     def start(self):
+        # Check if the session name already exists.
+        if sessions.is_session_running(self.session_name):
+            print_api(f'ETW Session already running: {self.session_name}', color='yellow')
+
+            # Close the existing session name.
+            if self.close_existing_session_name:
+                print_api(f'Closing existing session: {self.session_name}', color='blue')
+                sessions.stop_and_delete(self.session_name)
+            else:
+                print_api(f'Using existing session: {self.session_name}', color='yellow')
+
         try:
             super().start()
         except OSError as e:

atomicshop/etw/trace_dns.py

@@ -7,7 +7,13 @@ from ..print_api import print_api
 
 
 class DnsTrace:
-    def __init__(self, enable_process_poller: bool = False, attrs: list = None, session_name: str = None):
+    def __init__(
+            self,
+            enable_process_poller: bool = False,
+            attrs: list = None,
+            session_name: str = None,
+            close_existing_session_name: bool = True
+    ):
         """
         DnsTrace class use to trace DNS events from Windows Event Tracing for EventId 3008.
 
@@ -16,6 +22,14 @@ class DnsTrace:
             Then DNS events will be enriched with the process name and command line from the process poller.
         :param attrs: List of attributes to return. If None, all attributes will be returned.
         :param session_name: The name of the session to create. If not provided, a UUID will be generated.
+        :param close_existing_session_name: Boolean to close existing session names.
+            True: if ETW session with 'session_name' exists, you will be notified and the session will be closed.
+                Then the new session with this name will be created.
+            False: if ETW session with 'session_name' exists, you will be notified and the new session will not be
+                created. Instead, the existing session will be used. If there is a buffer from the previous session,
+                you will get the events from the buffer.
+
+        -------------------------------------------------
 
         Usage Example:
             from atomicshop.etw import dns_trace
@@ -36,7 +50,8 @@ class DnsTrace:
             providers=[(dns.ETW_DNS_INFO['provider_name'], dns.ETW_DNS_INFO['provider_guid'])],
             # lambda x: self.event_queue.put(x),
             event_id_filters=[dns.ETW_DNS_INFO['event_id']],
-            session_name=session_name
+            session_name=session_name,
+            close_existing_session_name=close_existing_session_name
         )
 
         if self.enable_process_poller:

atomicshop/monitor/checks/dns.py

@@ -30,7 +30,7 @@ class DnsCheck:
         self.fetch_engine: DnsTrace = (
             DnsTrace(
                 enable_process_poller=True, attrs=['name', 'cmdline', 'domain', 'query_type'],
-                session_name=self.etw_session_name)
+                session_name=self.etw_session_name, close_existing_session_name=True)
         )
 
         if self.settings['alert_always'] and self.settings['alert_about_missing_entries_after_learning']:

atomicshop/wrappers/ctyping/etw_winapi/const.py

@@ -1,14 +1,14 @@
 import ctypes
 from ctypes import wintypes
+from ctypes.wintypes import ULONG
 
 
-# Load the necessary library
-advapi32 = ctypes.WinDLL('advapi32')
-
 # Constants
 EVENT_TRACE_CONTROL_STOP = 1
 WNODE_FLAG_TRACED_GUID = 0x00020000
 
+MAXIMUM_LOGGERS = 64
+
 
 # Define GUID structure
 class GUID(ctypes.Structure):
@@ -53,5 +53,42 @@ class EVENT_TRACE_PROPERTIES(ctypes.Structure):
         ("RealTimeBuffersLost", wintypes.ULONG),
         ("LoggerThreadId", wintypes.HANDLE),
         ("LogFileNameOffset", wintypes.ULONG),
-        ("LoggerNameOffset", wintypes.ULONG)
+        ("LoggerNameOffset", wintypes.ULONG),
+        # Allocate space for the names at the end of the structure
+        ("_LoggerName", wintypes.WCHAR * 1024),
+        ("_LogFileName", wintypes.WCHAR * 1024)
+    ]
+
+
+class PROVIDER_ENUMERATION_INFO(ctypes.Structure):
+    _fields_ = [
+        ("NumberOfProviders", ULONG),
+        ("Reserved", ULONG),
     ]
+
+
+class PROVIDER_INFORMATION(ctypes.Structure):
+    _fields_ = [
+        ("ProviderId", ctypes.c_byte * 16),
+        ("SchemaSource", ULONG),
+        ("ProviderNameOffset", ULONG),
+    ]
+
+
+# Load the necessary library
+advapi32 = ctypes.WinDLL('advapi32')
+tdh = ctypes.windll.tdh
+
+# Define necessary TDH functions
+tdh.TdhEnumerateProviders.argtypes = [ctypes.POINTER(PROVIDER_ENUMERATION_INFO), ctypes.POINTER(ULONG)]
+tdh.TdhEnumerateProviders.restype = ULONG
+
+
+# Define the function prototype
+QueryAllTraces = advapi32.QueryAllTracesW
+QueryAllTraces.argtypes = [
+    ctypes.POINTER(ctypes.POINTER(EVENT_TRACE_PROPERTIES)),
+    wintypes.ULONG,
+    ctypes.POINTER(wintypes.ULONG)
+]
+QueryAllTraces.restype = wintypes.ULONG

atomicshop/wrappers/ctyping/etw_winapi/etw_functions.py

@@ -1,4 +1,7 @@
 import ctypes
+from ctypes.wintypes import ULONG
+import uuid
+
 from . import const
 
 
@@ -35,3 +38,91 @@ def stop_and_delete_etw_session(session_name) -> tuple[bool, int]:
     else:
         # print("ETW session stopped and deleted successfully.")
         return True, status
+
+
+def get_all_providers() -> list[tuple[any, uuid.UUID]]:
+    """
+    Get all ETW providers available on the system.
+
+    :return: A list of tuples containing the provider name and GUID.
+    """
+
+    providers_info_size = ULONG(0)
+    status = const.tdh.TdhEnumerateProviders(None, ctypes.byref(providers_info_size))
+
+    # Initial allocation
+    buffer = (ctypes.c_byte * providers_info_size.value)()
+    providers_info = ctypes.cast(buffer, ctypes.POINTER(const.PROVIDER_ENUMERATION_INFO))
+
+    # Loop to handle resizing
+    while True:
+        status = const.tdh.TdhEnumerateProviders(providers_info, ctypes.byref(providers_info_size))
+
+        if status == 0:
+            break
+        elif status == 0x8007007A:  # ERROR_INSUFFICIENT_BUFFER
+            buffer = (ctypes.c_byte * providers_info_size.value)()
+            providers_info = ctypes.cast(buffer, ctypes.POINTER(const.PROVIDER_ENUMERATION_INFO))
+        else:
+            raise ctypes.WinError(status)
+
+    provider_count = providers_info.contents.NumberOfProviders
+    provider_array = ctypes.cast(
+        ctypes.addressof(providers_info.contents) + ctypes.sizeof(const.PROVIDER_ENUMERATION_INFO),
+        ctypes.POINTER(const.PROVIDER_INFORMATION * provider_count))
+
+    providers = []
+    for i in range(provider_count):
+        provider = provider_array.contents[i]
+        provider_name_offset = provider.ProviderNameOffset
+        provider_name_ptr = ctypes.cast(
+            ctypes.addressof(providers_info.contents) + provider_name_offset, ctypes.c_wchar_p)
+        provider_name = provider_name_ptr.value
+        provider_guid = uuid.UUID(bytes_le=bytes(provider.ProviderId))
+        providers.append((provider_name, provider_guid))
+
+    return providers
+
+
+def list_etw_sessions() -> list[dict]:
+    """
+    List all running ETW sessions.
+
+    :return: A list of dictionaries containing the names of all running ETW sessions and their log files.
+    """
+    # Create an array of EVENT_TRACE_PROPERTIES pointers
+    PropertiesArrayType = ctypes.POINTER(const.EVENT_TRACE_PROPERTIES) * const.MAXIMUM_LOGGERS
+    properties_array = PropertiesArrayType()
+    for i in range(const.MAXIMUM_LOGGERS):
+        properties = const.EVENT_TRACE_PROPERTIES()
+        properties.Wnode.BufferSize = ctypes.sizeof(const.EVENT_TRACE_PROPERTIES)
+        properties_array[i] = ctypes.pointer(properties)
+
+    # Define the number of loggers variable
+    logger_count = ULONG(const.MAXIMUM_LOGGERS)
+
+    # Call QueryAllTraces
+    status = const.QueryAllTraces(properties_array, const.MAXIMUM_LOGGERS, ctypes.byref(logger_count))
+    if status != 0:
+        raise Exception(f"QueryAllTraces failed, error code: {status}")
+
+    # Extract session names
+    session_list: list = []
+    for i in range(logger_count.value):
+        logger_name = None
+        logfile_path = None
+
+        properties = properties_array[i].contents
+        if properties.LoggerNameOffset != 0:
+            logger_name_address = ctypes.addressof(properties) + properties.LoggerNameOffset
+            logger_name = ctypes.wstring_at(logger_name_address)
+        if properties.LogFileNameOffset != 0:
+            logfile_name_address = ctypes.addressof(properties) + properties.LogFileNameOffset
+            logfile_path = ctypes.wstring_at(logfile_name_address)
+
+        session_list.append({
+            'session_name': logger_name,
+            'log_file': logfile_path
+        })
+
+    return session_list

{atomicshop-2.12.24.dist-info → atomicshop-2.12.25.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: atomicshop
-Version: 2.12.24
+Version: 2.12.25
 Summary: Atomic functions and classes to make developer life easier
 Author: Denis Kras
 License: MIT License

{atomicshop-2.12.24.dist-info → atomicshop-2.12.25.dist-info}/RECORD

@@ -1,4 +1,4 @@
-atomicshop/__init__.py,sha256=IWq2-3sezAvBANma6AYzXzywVzgI9rJOyd2ZKFBLQ1E,124
+atomicshop/__init__.py,sha256=i0XAOpCKxA2g_BNalWhe-R5FvF3ui38CZEoR2TgPwIg,124
 atomicshop/_basics_temp.py,sha256=6cu2dd6r2dLrd1BRNcVDKTHlsHs_26Gpw8QS6v32lQ0,3699
 atomicshop/_create_pdf_demo.py,sha256=Yi-PGZuMg0RKvQmLqVeLIZYadqEZwUm-4A9JxBl_vYA,3713
 atomicshop/_patch_import.py,sha256=ENp55sKVJ0e6-4lBvZnpz9PQCt3Otbur7F6aXDlyje4,6334
@@ -102,9 +102,10 @@ atomicshop/basics/threads.py,sha256=xvgdDJdmgN0wmmARoZ-H7Kvl1GOcEbvgaeGL4M3Hcx8,
 atomicshop/basics/timeit_template.py,sha256=fYLrk-X_dhdVtnPU22tarrhhvlggeW6FdKCXM8zkX68,405
 atomicshop/basics/tracebacks.py,sha256=cNfh_oAwF55kSIdqtv3boHZQIoQI8TajxkTnwJwpweI,535
 atomicshop/etw/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-atomicshop/etw/sessions.py,sha256=7RzlqOEc2zlikKgaNayCnR0IB-51PUrdMyU7uyoBKn4,582
-atomicshop/etw/trace.py,sha256=7xZ-Kj4-hIdVsaqXhpVtP0i8F6dND9ZMe0ZJWq3qtMk,4529
-atomicshop/etw/trace_dns.py,sha256=08xiTGpAAJ3qxobx-9uG49z5pR7BBsys6a_vrMh6JgE,5920
+atomicshop/etw/providers.py,sha256=fVmWi-uGdtnsQTDpu_ty6dzx0GMhGokiST73LNBEJ38,129
+atomicshop/etw/sessions.py,sha256=k3miewU278xn829cqDbsuH_bmZHPQE9-Zn-hINbxUSE,1330
+atomicshop/etw/trace.py,sha256=tjBvV4RxCSn8Aoxj8NVxmqHekdECne_y4Zv2lbh11ak,5341
+atomicshop/etw/trace_dns.py,sha256=f4homrWp4qMrmjC9UrEWjr9p9MrUg7SwOVbE22_IYgw,6728
 atomicshop/file_io/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 atomicshop/file_io/csvs.py,sha256=y8cJtnlN-NNxNupzJgSeGq9aQ4wNxYLFPX9vNNlUiIc,5830
 atomicshop/file_io/docxs.py,sha256=6tcYFGp0vRsHR47VwcRqwhdt2DQOwrAUYhrwN996n9U,5117
@@ -136,7 +137,7 @@ atomicshop/mitm/engines/__reference_general/responder___reference_general.py,sha
 atomicshop/monitor/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 atomicshop/monitor/change_monitor.py,sha256=dGhk5bJPxLCHa2FOVkort99E7vjVojra9GlvhpcKSqE,7551
 atomicshop/monitor/checks/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-atomicshop/monitor/checks/dns.py,sha256=edO03gtGYb3tn8eV-wAKPELIkdCJvimjkO8PPF-ho-k,7150
+atomicshop/monitor/checks/dns.py,sha256=YLCFoolq35dnzdnBnfUA2ag-4HfvzcHfRdm3mzX8R8o,7184
 atomicshop/monitor/checks/file.py,sha256=2tIDSlX2KZNc_9i9ji1tcOqupbFTIOj7cKXLyBEDWMk,3263
 atomicshop/monitor/checks/network.py,sha256=CGZWl4WlQrxayZeVF9JspJXwYA-zWx8ECWTVGSlXc98,3825
 atomicshop/monitor/checks/process_running.py,sha256=x66wd6-l466r8sbRQaIli0yswyGt1dH2DVXkGDL6O0Q,1891
@@ -169,8 +170,8 @@ atomicshop/wrappers/certauthw/certauthw.py,sha256=4WvhjANI7Kzqrr_nKmtA8Kf7B6rute
 atomicshop/wrappers/ctyping/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 atomicshop/wrappers/ctyping/process_winapi.py,sha256=QcXL-ETtlSSkoT8F7pYle97ubGWsjYp8cx8HxkVMgAc,2762
 atomicshop/wrappers/ctyping/etw_winapi/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-atomicshop/wrappers/ctyping/etw_winapi/const.py,sha256=-wGLmM8FUPrVOGeyEWnizlumkdX60Ziv6v7ANQd9xgM,1712
-atomicshop/wrappers/ctyping/etw_winapi/etw_functions.py,sha256=T5gyTHk3BLTYKSnUKO4PS4h5xIVRrNrHKPL30r_N3HQ,1732
+atomicshop/wrappers/ctyping/etw_winapi/const.py,sha256=YrAyXBamAmHoQgha7oXwH9g_EqeLYXRGPderuu9FRI8,2765
+atomicshop/wrappers/ctyping/etw_winapi/etw_functions.py,sha256=3DLVXpTeOyTND35T_dKGzKnlLVQ0R3zt3AEcW2bNLNc,5304
 atomicshop/wrappers/ctyping/msi_windows_installer/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 atomicshop/wrappers/ctyping/msi_windows_installer/base.py,sha256=Uu9SlWLsQQ6mjE-ek-ptHcmgiI3Ruah9bdZus70EaVY,4884
 atomicshop/wrappers/ctyping/msi_windows_installer/cabs.py,sha256=htzwb2ROYI8yyc82xApStckPS2yCcoyaw32yC15KROs,3285
@@ -259,8 +260,8 @@ atomicshop/wrappers/socketw/socket_server_tester.py,sha256=AhpurHJmP2kgzHaUbq5ey
 atomicshop/wrappers/socketw/socket_wrapper.py,sha256=aXBwlEIJhFT0-c4i8iNlFx2It9VpCEpsv--5Oqcpxao,11624
 atomicshop/wrappers/socketw/ssl_base.py,sha256=k4V3gwkbq10MvOH4btU4onLX2GNOsSfUAdcHmL1rpVE,2274
 atomicshop/wrappers/socketw/statistics_csv.py,sha256=t3dtDEfN47CfYVi0CW6Kc2QHTEeZVyYhc57IYYh5nmA,826
-atomicshop-2.12.24.dist-info/LICENSE.txt,sha256=lLU7EYycfYcK2NR_1gfnhnRC8b8ccOTElACYplgZN88,1094
-atomicshop-2.12.24.dist-info/METADATA,sha256=wjuGBnA-AbgpeRB_uDgPYzt5XbLF6mIT5yj721N4vi4,10479
-atomicshop-2.12.24.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
-atomicshop-2.12.24.dist-info/top_level.txt,sha256=EgKJB-7xcrAPeqTRF2laD_Np2gNGYkJkd4OyXqpJphA,11
-atomicshop-2.12.24.dist-info/RECORD,,
+atomicshop-2.12.25.dist-info/LICENSE.txt,sha256=lLU7EYycfYcK2NR_1gfnhnRC8b8ccOTElACYplgZN88,1094
+atomicshop-2.12.25.dist-info/METADATA,sha256=9B-DBn3RCaFkRPibGwrKm8FOiWIRdqjSifbGjXpi9z4,10479
+atomicshop-2.12.25.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
+atomicshop-2.12.25.dist-info/top_level.txt,sha256=EgKJB-7xcrAPeqTRF2laD_Np2gNGYkJkd4OyXqpJphA,11
+atomicshop-2.12.25.dist-info/RECORD,,