atomicshop 2.14.2__py3-none-any.whl → 2.14.4__py3-none-any.whl

atomicshop/wrappers/ctyping/etw_winapi/etw_functions.py

@@ -1,12 +1,137 @@
 import ctypes
+from ctypes import wintypes
 from ctypes.wintypes import ULONG
 import uuid
+from typing import Literal
 
 from . import const
+from ....etws import providers
+
+class ETWSessionExists(Exception):
+    pass
+
+
+# Convert the GUID string to a GUID structure
+def _string_to_guid(guid_string):
+    guid_string = guid_string.strip('{}')  # Remove curly braces
+    parts = guid_string.split('-')
+    return const.GUID(
+        Data1=int(parts[0], 16),
+        Data2=int(parts[1], 16),
+        Data3=int(parts[2], 16),
+        Data4=(ctypes.c_ubyte * 8)(*[
+            int(parts[3][i:i+2], 16) for i in range(0, 4, 2)
+        ] + [
+            int(parts[4][i:i+2], 16) for i in range(0, 12, 2)
+        ])
+    )
+
+
+# Set up the ETW session
+def start_etw_session(
+        session_name: str,
+        provider_guid_list: list = None,
+        provider_name_list: list = None,
+        verbosity_mode: int = 4,
+        maximum_buffers: int = 38
+):
+    """
+    Start an ETW session and enable the specified provider.
+
+    :param session_name: The name of the session to start.
+    :param provider_guid_list: The GUID list of the providers to enable.
+    :param provider_name_list: The name list of the providers to enable.
+    :param verbosity_mode: The verbosity level of the events to capture.
+        0 - Always: Capture all events. This is typically used for critical events that should always be logged.
+        1 - Critical: Capture critical events that indicate a severe problem.
+        2 - Error: Capture error events that indicate a problem but are not critical.
+        3 - Warning: Capture warning events that indicate a potential problem.
+        4 - Information: Capture informational events that are not indicative of problems.
+        5 - Verbose: Capture detailed trace events for diagnostic purposes.
+    :param maximum_buffers: The maximum number of buffers to use.
+        0 or 16: The default value of ETW class. If you put 0, it will be converted to 16 by default by ETW itself.
+        38: The maximum number of buffers that can be used.
+
+        Event Handling Capacity:
+            16 Buffers: With fewer buffers, the session can handle a smaller volume of events before needing to flush
+            the buffers to the log file or before a real-time consumer needs to process them. If the buffers fill up
+            quickly and cannot be processed in time, events might be lost.
+            38 Buffers: With more buffers, the session can handle a higher volume of events. This reduces the
+            likelihood of losing events in high-traffic scenarios because more events can be held in memory before
+            they need to be processed or written to a log file.
+        Performance Considerations:
+            16 Buffers: Requires less memory, but may be prone to event loss under heavy load if the buffers fill up
+            faster than they can be processed.
+            38 Buffers: Requires more memory, but can improve reliability in capturing all events under heavy load by
+            providing more buffer space. However, it can also increase the memory footprint of the application or
+            system running the ETW session.
+    """
+
+    if not provider_guid_list and not provider_name_list:
+        raise ValueError("Either 'provider_guid_list' or 'provider_name_list' must be provided")
+    elif provider_guid_list and provider_name_list:
+        raise ValueError("Only one of 'provider_guid_list' or 'provider_name_list' must be provided")
+
+    if provider_name_list:
+        provider_guid_list = []
+        for provider_name in provider_name_list:
+            provider_guid_list.append(providers.get_provider_guid_by_name(provider_name))
+
+    properties_size = ctypes.sizeof(const.EVENT_TRACE_PROPERTIES) + (2 * wintypes.MAX_PATH)
+    properties = (ctypes.c_byte * properties_size)()
+    properties_ptr = ctypes.cast(properties, ctypes.POINTER(const.EVENT_TRACE_PROPERTIES))
+
+    # Initialize the EVENT_TRACE_PROPERTIES structure
+    properties_ptr.contents.Wnode.BufferSize = properties_size
+    properties_ptr.contents.Wnode.Guid = const.GUID()
+    properties_ptr.contents.Wnode.Flags = const.WNODE_FLAG_TRACED_GUID
+    properties_ptr.contents.Wnode.ClientContext = 1   # QPC clock resolution
+    properties_ptr.contents.BufferSize = 1024
+    properties_ptr.contents.MinimumBuffers = 1
+    properties_ptr.contents.MaximumBuffers = maximum_buffers
+    properties_ptr.contents.MaximumFileSize = 0
+    properties_ptr.contents.LogFileMode = const.EVENT_TRACE_REAL_TIME_MODE
+    properties_ptr.contents.FlushTimer = 1
+    properties_ptr.contents.EnableFlags = 0
+
+    # Start the ETW session
+    session_handle = wintypes.HANDLE()
+    status = ctypes.windll.advapi32.StartTraceW(
+        ctypes.byref(session_handle),
+        ctypes.c_wchar_p(session_name),
+        properties_ptr
+    )
+
+    if status != 0:
+        if status == 183:
+            raise ETWSessionExists(f"ETW session [{session_name}] already exists")
+        else:
+            raise Exception(f"StartTraceW failed with error {status}")
+
+    # Enable each provider
+    for provider_guid in provider_guid_list:
+        provider_guid_struct = _string_to_guid(provider_guid)
+        status = ctypes.windll.advapi32.EnableTraceEx2(
+            session_handle,
+            ctypes.byref(provider_guid_struct),
+            const.EVENT_CONTROL_CODE_ENABLE_PROVIDER,
+            verbosity_mode,
+            0,
+            0,
+            0,
+            None
+        )
+
+        if status != 0:
+            raise Exception(f"EnableTraceEx2 failed for provider {provider_guid} with error {status}")
+
+    print("ETW session started successfully")
+
+    return session_handle
 
 
 # Function to stop and delete ETW session
-def stop_and_delete_etw_session(session_name) -> tuple[bool, int]:
+def stop_and_delete_etw_session(session_name: str) -> tuple[bool, int]:
     """
     Stop and delete ETW session.
 
@@ -40,13 +165,19 @@ def stop_and_delete_etw_session(session_name) -> tuple[bool, int]:
         return True, status
 
 
-def get_all_providers() -> list[tuple[any, uuid.UUID]]:
+def get_all_providers(key_as: Literal['name', 'guid'] = 'name') -> dict:
     """
     Get all ETW providers available on the system.
 
-    :return: A list of tuples containing the provider name and GUID.
+    :param key_as: The key to use in the dictionary, either 'name' or 'guid'.
+        'name': The provider name is used as the key, the guid as the value.
+        'guid': The provider guid is used as the key, the name as the value.
+    :return: dict containing the provider name and GUID.
     """
 
+    if key_as not in ['name', 'guid']:
+        raise ValueError("key_as must be either 'name' or 'guid'")
+
     providers_info_size = ULONG(0)
     status = const.tdh.TdhEnumerateProviders(None, ctypes.byref(providers_info_size))
 
@@ -71,7 +202,7 @@ def get_all_providers() -> list[tuple[any, uuid.UUID]]:
         ctypes.addressof(providers_info.contents) + ctypes.sizeof(const.PROVIDER_ENUMERATION_INFO),
         ctypes.POINTER(const.PROVIDER_INFORMATION * provider_count))
 
-    providers = []
+    providers: dict = {}
     for i in range(provider_count):
         provider = provider_array.contents[i]
         provider_name_offset = provider.ProviderNameOffset
@@ -79,7 +210,12 @@ def get_all_providers() -> list[tuple[any, uuid.UUID]]:
             ctypes.addressof(providers_info.contents) + provider_name_offset, ctypes.c_wchar_p)
         provider_name = provider_name_ptr.value
         provider_guid = uuid.UUID(bytes_le=bytes(provider.ProviderId))
-        providers.append((provider_name, provider_guid))
+        provider_guid_string = str(provider_guid)
+
+        if key_as == 'name':
+            providers[provider_name] = provider_guid_string
+        elif key_as == 'guid':
+            providers[provider_guid_string] = provider_name
 
     return providers
 

atomicshop/wrappers/loggingw/reading.py

@@ -1,6 +1,7 @@
 import os
 from typing import Literal, Union
 from pathlib import Path
+import datetime
 
 from ... import filesystem, datetimes
 from ...file_io import csvs
@@ -11,7 +12,6 @@ def get_logs_paths(
         log_file_path: str = None,
         file_name_pattern: str = '*.*',
         date_pattern: str = None,
-        log_type: Literal['csv'] = 'csv',
         latest_only: bool = False,
         previous_day_only: bool = False
 ):
@@ -36,7 +36,6 @@ def get_logs_paths(
     :param date_pattern: Pattern to match the date in the log file name.
         If specified, the function will get the log file by the date pattern.
         If not specified, the function will get the file date by file last modified time.
-    :param log_type: Type of log to get.
     :param latest_only: Boolean, if True, only the latest log file path will be returned.
     :param previous_day_only: Boolean, if True, only the log file path from the previous day will be returned.
     """
@@ -46,9 +45,6 @@ def get_logs_paths(
     elif log_files_directory_path and log_file_path:
         raise ValueError('Both "log_files_directory_path" and "log_file_path" cannot be specified at the same time.')
 
-    if log_type != 'csv':
-        raise ValueError('Only "csv" log type is supported.')
-
     if latest_only and previous_day_only:
         raise ValueError('Both "latest_only" and "previous_day_only" cannot be True at the same time.')
 
@@ -75,16 +71,22 @@ def get_logs_paths(
             for file_index, single_file in enumerate(logs_files):
                 # Get file name from current loop file path.
                 current_file_name: str = Path(single_file['file_path']).name
+                logs_files[file_index]['file_name'] = current_file_name
+
                 # Get the datetime object from the file name by the date pattern.
                 try:
-                    datetime_object = datetimes.get_datetime_from_complex_string_by_pattern(
+                    datetime_object, date_string, timestamp_float = datetimes.get_datetime_from_complex_string_by_pattern(
                         current_file_name, date_pattern)
-                    timestamp_float = datetime_object.timestamp()
                 # ValueError will be raised if the date pattern does not match the file name.
                 except ValueError:
                     timestamp_float = 0
+                    datetime_object = None
+                    date_string = None
+
                 # Update the last modified time to the dictionary.
                 logs_files[file_index]['last_modified'] = timestamp_float
+                logs_files[file_index]['datetime'] = datetime_object
+                logs_files[file_index]['date_string'] = date_string
 
                 if timestamp_float > latest_timestamp:
                     latest_timestamp = timestamp_float
@@ -95,6 +97,8 @@ def get_logs_paths(
                 if single_file['last_modified'] == 0:
                     latest_timestamp += 86400
                     logs_files[file_index]['last_modified'] = latest_timestamp
+                    logs_files[file_index]['datetime'] = datetime.datetime.fromtimestamp(latest_timestamp)
+                    logs_files[file_index]['date_string'] = logs_files[file_index]['datetime'].strftime(date_pattern)
                     break
 
             # Sort the files by the last modified time.
@@ -117,7 +121,7 @@ def get_logs_paths(
     return logs_files
 
 
-def get_logs(
+def get_all_log_files_into_list(
         log_files_directory_path: str = None,
         log_file_path: str = None,
         file_name_pattern: str = '*.*',
@@ -127,9 +131,10 @@ def get_logs(
         remove_logs: bool = False,
         move_to_path: str = None,
         print_kwargs: dict = None
-):
+) -> list:
     """
-    This function gets the logs from the log files. Supports rotating files to get the logs by time.
+    This function gets the logs contents from the log files. Supports rotating files to get the logs by time.
+    All the contents will be merged into one list.
 
     :param log_files_directory_path: Path to the log files. Check the 'get_logs_paths' function for more details.
     :param log_file_path: Path to the log file. Check the 'get_logs_paths' function for more details.
@@ -144,8 +149,9 @@ def get_logs(
         'all' - Each CSV file has a header. Get the header from each file.
     :param remove_logs: Boolean, if True, the logs will be removed after getting them.
     :param move_to_path: Path to move the logs to.
-
     :param print_kwargs: Keyword arguments dict for 'print_api' function.
+
+    :return: List of dictionaries with the logs content.
     """
 
     if not print_kwargs:
@@ -162,8 +168,7 @@ def get_logs(
         log_files_directory_path=log_files_directory_path,
         log_file_path=log_file_path,
         file_name_pattern=file_name_pattern,
-        date_pattern=date_pattern,
-        log_type=log_type)
+        date_pattern=date_pattern)
 
     # Read all the logs.
     logs_content: list = list()
@@ -294,8 +299,7 @@ class LogReader:
         # If the existing logs file count is 0, it means that this is the first check. We need to get the current count.
         if self._existing_logs_file_count == 0:
             self._existing_logs_file_count = len(get_logs_paths(
-                log_file_path=self.log_file_path,
-                log_type='csv'
+                log_file_path=self.log_file_path
             ))
 
             # If the count is still 0, then there are no logs to read.
@@ -311,7 +315,6 @@ class LogReader:
         latest_statistics_file_path_object = get_logs_paths(
             log_file_path=self.log_file_path,
             date_pattern=self.date_pattern,
-            log_type='csv',
             latest_only=True
         )
 
@@ -327,7 +330,6 @@ class LogReader:
             previous_day_statistics_file_path = get_logs_paths(
                 log_file_path=self.log_file_path,
                 date_pattern=self.date_pattern,
-                log_type='csv',
                 previous_day_only=True
             )[0]['file_path']
         # If you get IndexError, it means that there are no previous day logs to read.
@@ -336,8 +338,7 @@ class LogReader:
 
         # Count all the rotated files.
         current_log_files_count: int = len(get_logs_paths(
-            log_file_path=self.log_file_path,
-            log_type='csv'
+            log_file_path=self.log_file_path
         ))
 
         # If the count of the log files is greater than the existing logs file count, it means that the rotation

atomicshop/wrappers/pywin32w/win_event_log/subscribe.py

@@ -205,8 +205,6 @@ def start_subscription(
         Context={'event_queue': event_queue}
     )
 
-    print("Listening for new process creation events...")
-
     try:
         while True:
             time.sleep(1)

atomicshop/wrappers/pywin32w/win_event_log/subscribes/process_create.py

@@ -50,29 +50,8 @@ class ProcessCreateSubscriber(subscribe.EventLogSubscriber):
 
         data = super().emit(timeout=timeout)
 
-        event_dict: dict = {
-            'user_sid': data.get("SubjectUserSid", "Unknown"),
-            'user_name': data.get("SubjectUserName", "Unknown"),
-            'domain': data.get("SubjectDomainName", "Unknown"),
-            'pid_hex': data.get("NewProcessId", "0"),
-            'process_name': data.get("NewProcessName", "Unknown"),
-            'command_line': data.get("CommandLine", None),
-            'parent_pid_hex': data.get("ProcessId", "0"),
-            'parent_process_name': data.get("ParentProcessName", "Unknown")
-        }
-
-        try:
-            process_id = int(event_dict['pid_hex'], 16)
-        except ValueError:
-            process_id = "Unknown"
-
-        try:
-            parent_pid = int(event_dict['parent_pid_hex'], 16)
-        except ValueError:
-            parent_pid = "Unknown"
-
-        event_dict['pid'] = process_id
-        event_dict['parent_pid'] = parent_pid
+        data['NewProcessIdInt'] = int(data['NewProcessId'], 16)
+        data['ParentProcessIdInt'] = int(data['ProcessId'], 16)
 
         # if user_sid != "Unknown":
         #     try:
@@ -80,7 +59,7 @@ class ProcessCreateSubscriber(subscribe.EventLogSubscriber):
         #     except Exception as e:
         #         print(f"Error looking up account SID: {e}")
 
-        return event_dict
+        return data
 
 
 def enable_audit_process_creation(print_kwargs: dict = None):

atomicshop/wrappers/pywin32w/win_event_log/subscribes/process_terminate.py

@@ -0,0 +1,103 @@
+import subprocess
+
+from .. import subscribe
+from .....print_api import print_api
+
+
+LOG_CHANNEL: str = 'Security'
+EVENT_ID: int = 4689
+
+
+class ProcessTerminateSubscriber(subscribe.EventLogSubscriber):
+    """
+    Class for subscribing to Windows Event Log events related to process termination.
+
+    Usage:
+        from atomicshop.wrappers.pywin32w.win_event_log.subscribes import process_terminate
+
+        process_terminate_subscriber = process_terminate.ProcessTerminateSubscriber()
+        process_terminate_subscriber.start()
+
+        while True:
+            event = process_terminate_subscriber.emit()
+            print(event)
+    """
+    def __init__(self):
+        super().__init__(log_channel=LOG_CHANNEL, event_id=EVENT_ID)
+
+    def start(self):
+        """Start the subscription process."""
+        enable_audit_process_termination()
+
+        super().start()
+
+    def stop(self):
+        """Stop the subscription process."""
+        super().stop()
+
+    def emit(self, timeout: float = None) -> dict:
+        """
+        Get the next event from the event queue.
+
+        :param timeout: The maximum time (in seconds) to wait for an event.
+            If None, the function will block until an event is available.
+        :return: A dictionary containing the event data.
+        """
+
+        data = super().emit(timeout=timeout)
+
+        data['ProcessIdInt'] = int(data['ProcessId'], 16)
+
+        return data
+
+
+def enable_audit_process_termination(print_kwargs: dict = None):
+    """
+    Enable the 'Audit Process Termination' policy.
+
+    :param print_kwargs: Optional keyword arguments for the print function.
+    """
+    if is_audit_process_termination_enabled():
+        print_api("Audit Process Termination is already enabled.", color='yellow', **(print_kwargs or {}))
+        return
+
+    audit_policy_command = [
+        "auditpol", "/set", "/subcategory:Process Termination", "/success:enable", "/failure:enable"
+    ]
+    try:
+        subprocess.run(audit_policy_command, check=True)
+        print_api("Successfully enabled 'Audit Process Termination'.", color='green', **(print_kwargs or {}))
+    except subprocess.CalledProcessError as e:
+        print_api(f"Failed to enable 'Audit Process Termination': {e}", error_type=True, color='red', **(print_kwargs or {}))
+        raise e
+
+
+def is_audit_process_termination_enabled(print_kwargs: dict = None) -> bool:
+    """
+    Check if the 'Audit Process Termination' policy is enabled.
+
+    :param print_kwargs: Optional keyword arguments for the print function.
+    """
+    # Command to check the "Audit Process Creation" policy
+    audit_policy_check_command = [
+        "auditpol", "/get", "/subcategory:Process Termination"
+    ]
+    try:
+        result = subprocess.run(audit_policy_check_command, check=True, capture_output=True, text=True)
+        output = result.stdout
+        # print_api(output)  # Print the output for inspection
+
+        if "Process Termination" in output and "Success and Failure" in output:
+            # print_api(
+            #     "'Audit Process Termination' is enabled for both success and failure.",
+            #     color='green', **(print_kwargs or {}))
+            return True
+        else:
+            # print_api(output, **(print_kwargs or {}))
+            # print_api(
+            #     "'Audit Process Termination' is not fully enabled. Check the output above for details.",
+            #     color='yellow', **(print_kwargs or {}))
+            return False
+    except subprocess.CalledProcessError as e:
+        print_api(f"Failed to check 'Audit Process Termination': {e}", color='red', error_type=True, **(print_kwargs or {}))
+        return False

{atomicshop-2.14.2.dist-info → atomicshop-2.14.4.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: atomicshop
-Version: 2.14.2
+Version: 2.14.4
 Summary: Atomic functions and classes to make developer life easier
 Author: Denis Kras
 License: MIT License

{atomicshop-2.14.2.dist-info → atomicshop-2.14.4.dist-info}/RECORD

@@ -1,4 +1,4 @@
-atomicshop/__init__.py,sha256=z4rThLLSu1i3Wlh2xQO9kTZiAnom3boVcidQ2m4F8V0,123
+atomicshop/__init__.py,sha256=tunTjRW84u7Nao5t0Z6ZWFYrQDUW_zun_a86yEIubts,123
 atomicshop/_basics_temp.py,sha256=6cu2dd6r2dLrd1BRNcVDKTHlsHs_26Gpw8QS6v32lQ0,3699
 atomicshop/_create_pdf_demo.py,sha256=Yi-PGZuMg0RKvQmLqVeLIZYadqEZwUm-4A9JxBl_vYA,3713
 atomicshop/_patch_import.py,sha256=ENp55sKVJ0e6-4lBvZnpz9PQCt3Otbur7F6aXDlyje4,6334
@@ -8,7 +8,7 @@ atomicshop/command_line_processing.py,sha256=u5yT9Ger_cu7ni5ID0VFlRbVD46ARHeNC9t
 atomicshop/config_init.py,sha256=z2RXD_mw9nQlAOpuGry1h9QT-2LhNscXgGAktN3dCVQ,2497
 atomicshop/console_output.py,sha256=AOSJjrRryE97PAGtgDL03IBtWSi02aNol8noDnW3k6M,4667
 atomicshop/console_user_response.py,sha256=31HIy9QGXa7f-GVR8MzJauQ79E_ZqAeagF3Ks4GGdDU,3234
-atomicshop/datetimes.py,sha256=olsL01S5tkXk4WPzucxujqgLOh198BLgJntDnGYukRU,15533
+atomicshop/datetimes.py,sha256=wZ75JS6Aq5kTQrCSrjCwBrT-KPO7Xu9_BRWKrY8uU3c,15645
 atomicshop/diff_check.py,sha256=RJvzJhyYAZyRPKVDk1dS7UwZCx0kq__WDZ6N0rNfZUY,27110
 atomicshop/dns.py,sha256=h4uZKoz4wbBlLOOduL1GtRcTm-YpiPnGOEGxUm7hhOI,2140
 atomicshop/domains.py,sha256=Rxu6JhhMqFZRcoFs69IoEd1PtYca0lMCG6F1AomP7z4,3197
@@ -16,6 +16,8 @@ atomicshop/emails.py,sha256=I0KyODQpIMEsNRi9YWSOL8EUPBiWyon3HRdIuSj3AEU,1410
 atomicshop/file_types.py,sha256=-0jzQMRlmU1AP9DARjk-HJm1tVE22E6ngP2mRblyEjY,763
 atomicshop/filesystem.py,sha256=202ue2LkjI1KdaxvB_RHV-2eIczy2-caZGLO4PSePik,53887
 atomicshop/functions.py,sha256=pK8hoCE9z61PtWCxQJsda7YAphrLH1wxU5x-1QJP-sY,499
+atomicshop/get_process_list.py,sha256=hi1NOG-i8S6EcyQ6LTfP4pdxqRfjEijz9SZ5nEbcM9Q,6076
+atomicshop/get_process_name_cmd_dll.py,sha256=CtaSp3mgxxJKCCVW8BLx6BJNx4giCklU_T7USiCEwfc,5162
 atomicshop/hashing.py,sha256=Le8qGFyt3_wX-zGTeQShz7L2HL_b6nVv9PnawjglyHo,3474
 atomicshop/http_parse.py,sha256=nrf2rZcprLqtW8HVrV7TCZ1iTBcWRRy-mXIlAOzcaJs,9703
 atomicshop/inspect_wrapper.py,sha256=sGRVQhrJovNygHTydqJj0hxES-aB2Eg9KbIk3G31apw,11429
@@ -25,9 +27,7 @@ atomicshop/on_exit.py,sha256=Wf1iy2e0b0Zu7oRxrct3VkLdQ_x9B32-z_JerKTt9Z0,5493
 atomicshop/pbtkmultifile_argparse.py,sha256=aEk8nhvoQVu-xyfZosK3ma17CwIgOjzO1erXXdjwtS4,4574
 atomicshop/permissions.py,sha256=P6tiUKV-Gw-c3ePEVsst9bqWaHJbB4ZlJB4xbDYVpEs,4436
 atomicshop/print_api.py,sha256=DhbCQd0MWZZ5GYEk4oTu1opRFC-b31g1VWZgTGewG2Y,11568
-atomicshop/process.py,sha256=R1BtXWjG2g2Q3WlsyhbIlXZz0UkQeagY7fQyBOIX_DM,15951
-atomicshop/process_name_cmd.py,sha256=CtaSp3mgxxJKCCVW8BLx6BJNx4giCklU_T7USiCEwfc,5162
-atomicshop/process_poller.py,sha256=17sc332AcTfSVPorjYsgRwNm75rLCqvpOQsieMwLMKU,16105
+atomicshop/process.py,sha256=U2gyRl0bw2138y-rOMABMVptRvAL81ZfX1JyfxJI_Oo,15973
 atomicshop/python_file_patcher.py,sha256=kd3rBWvTcosLEk-7TycNdfKW9fZbe161iVwmH4niUo0,5515
 atomicshop/python_functions.py,sha256=zJg4ogUwECxrDD7xdDN5JikIUctITM5lsyabr_ZNsRw,4435
 atomicshop/question_answer_engine.py,sha256=DuOn7QEgKKfqZu2cR8mVeFIfFgayfBHiW-jY2VPq_Fo,841
@@ -104,14 +104,14 @@ atomicshop/basics/timeit_template.py,sha256=fYLrk-X_dhdVtnPU22tarrhhvlggeW6FdKCX
 atomicshop/basics/tracebacks.py,sha256=cNfh_oAwF55kSIdqtv3boHZQIoQI8TajxkTnwJwpweI,535
 atomicshop/etws/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 atomicshop/etws/const.py,sha256=v3x_IdCYeSKbCGywiZFOZln80ldpwKW5nuMDuUe51Jg,1257
-atomicshop/etws/providers.py,sha256=fVmWi-uGdtnsQTDpu_ty6dzx0GMhGokiST73LNBEJ38,129
-atomicshop/etws/sessions.py,sha256=k3miewU278xn829cqDbsuH_bmZHPQE9-Zn-hINbxUSE,1330
-atomicshop/etws/trace.py,sha256=v2yA3FicR9WIg5n5KlZEuYbLAzTTjiDk7avWxcEjwp8,8439
+atomicshop/etws/providers.py,sha256=CXNx8pYdjtpLIpA66IwrnE64XhY4U5ExnFBMLEb8Uzk,547
+atomicshop/etws/sessions.py,sha256=b_KeiOvgOBJezJokN81TRlrvJiQNJlIWN4Z6UVjuxP0,1335
+atomicshop/etws/trace.py,sha256=WMOjdazK97UcIdhVgcnjh98OCbuEJcnm1Z_yPp_nE2c,7258
 atomicshop/etws/traces/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-atomicshop/etws/traces/trace_dns.py,sha256=-bw7JGDeAl2UtNGoSPeD_gh6ij4IGAbPdB8VWip8fXc,5960
-atomicshop/etws/traces/trace_sysmon_process_creation.py,sha256=WdlQiOfRZC-_PpuE6BkOw5zB0DLc3fhVrANyLrgfCac,4833
+atomicshop/etws/traces/trace_dns.py,sha256=rWQ8bv8eMHBRRkA8oxO9caYqj0h4Emw4aZXmoI3Q6fg,6292
+atomicshop/etws/traces/trace_sysmon_process_creation.py,sha256=OM-bkK38uYMwWLZKNOTDa0Xdk3sO6sqsxoMUIiPvm5g,4656
 atomicshop/file_io/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-atomicshop/file_io/csvs.py,sha256=y8cJtnlN-NNxNupzJgSeGq9aQ4wNxYLFPX9vNNlUiIc,5830
+atomicshop/file_io/csvs.py,sha256=eS2SSGwcC1MlRPPgoqyFyE-qqH2esUWQvv3wWLMiOuA,5876
 atomicshop/file_io/docxs.py,sha256=6tcYFGp0vRsHR47VwcRqwhdt2DQOwrAUYhrwN996n9U,5117
 atomicshop/file_io/file_io.py,sha256=FOZ6_PjOASxSDHESe4fwDv5miXYR10OHTxkxtEHoZYQ,6555
 atomicshop/file_io/jsons.py,sha256=q9ZU8slBKnHLrtn3TnbK1qxrRpj5ZvCm6AlsFzoANjo,5303
@@ -126,7 +126,7 @@ atomicshop/mitm/initialize_engines.py,sha256=UGdT5DKYNri3MNOxESP7oeSxYiUDrVilJ4j
 atomicshop/mitm/initialize_mitm_server.py,sha256=5JGkyvAvz1sJVeRGMJWSQiQ-VOdrU-NJn633oxQe0cw,13143
 atomicshop/mitm/message.py,sha256=u2U2f2SOHdBNU-6r1Ik2W14ai2EOwxUV4wVfGZA098k,1732
 atomicshop/mitm/shared_functions.py,sha256=PaK_sbnEA5zo9k2ktEOKLmvo-6wRUunxzSNRr41uXIQ,1924
-atomicshop/mitm/statistic_analyzer.py,sha256=WvTal-Aox-enM-5jYtFqiTplNquS4VMnmQYNEIXvZZA,23552
+atomicshop/mitm/statistic_analyzer.py,sha256=ctsf-MBIUvG4-R0K4gFQyi_b42-VCq-5s7hgO9jMOes,38415
 atomicshop/mitm/engines/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 atomicshop/mitm/engines/create_module_template.py,sha256=tRjVSm1sD6FzML71Qbuwvita0qsusdFGm8NZLsZ-XMs,4853
 atomicshop/mitm/engines/create_module_template_example.py,sha256=X5xhvbV6-g9jU_bQVhf_crZmaH50LRWz3bS-faQ18ds,489
@@ -139,13 +139,22 @@ atomicshop/mitm/engines/__reference_general/parser___reference_general.py,sha256
 atomicshop/mitm/engines/__reference_general/recorder___reference_general.py,sha256=KENDVf9OwXD9gwSh4B1XxACCe7iHYjrvnW1t6F64wdE,695
 atomicshop/mitm/engines/__reference_general/responder___reference_general.py,sha256=1AM49UaFTKA0AHw-k3SV3uH3QbG-o6ux0c-GoWkKNU0,6993
 atomicshop/monitor/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-atomicshop/monitor/change_monitor.py,sha256=dGhk5bJPxLCHa2FOVkort99E7vjVojra9GlvhpcKSqE,7551
+atomicshop/monitor/change_monitor.py,sha256=K5NlVp99XIDDPnQQMdru4BDmua_DtcDIhVAzkTOvD5s,7673
 atomicshop/monitor/checks/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-atomicshop/monitor/checks/dns.py,sha256=clslElMi2HZaO3G1nXt2t0O2Yj0vFsJd6CXRdIXCGJM,7038
+atomicshop/monitor/checks/dns.py,sha256=GHBQ2GEPaU3hAmK6l2vM2PKTcBNzDDF9ThZixqnl9Qk,7108
 atomicshop/monitor/checks/file.py,sha256=2tIDSlX2KZNc_9i9ji1tcOqupbFTIOj7cKXLyBEDWMk,3263
 atomicshop/monitor/checks/network.py,sha256=CGZWl4WlQrxayZeVF9JspJXwYA-zWx8ECWTVGSlXc98,3825
 atomicshop/monitor/checks/process_running.py,sha256=x66wd6-l466r8sbRQaIli0yswyGt1dH2DVXkGDL6O0Q,1891
 atomicshop/monitor/checks/url.py,sha256=1PvKt_d7wFg7rDMFpUejAQhj0mqWsmlmrNfjNAV2G4g,4123
+atomicshop/process_poller/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+atomicshop/process_poller/process_pool.py,sha256=1CaG6Cov-Pt_kZohfFeQFT42YBnEwNBA6ge55dxok_8,9600
+atomicshop/process_poller/simple_process_pool.py,sha256=hJkrn-efetLjyC8CevAFcsiKwBBKS8onYbf2ygq2J18,4540
+atomicshop/process_poller/tracer_base.py,sha256=IOiHcnmF-MccOSCErixN5mve9RifZ9cPnGVHCIRchrs,1091
+atomicshop/process_poller/pollers/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+atomicshop/process_poller/pollers/psutil_pywin32wmi_dll.py,sha256=XRRfOIy62iOYU8IKRcyECWiL0rqQ35DeYbPsv_SHDVM,4510
+atomicshop/process_poller/tracers/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+atomicshop/process_poller/tracers/event_log.py,sha256=Ob5v18VPZ__PN8TP6aJJjQZcDMwfGA2pIKwKjrl5j3k,1417
+atomicshop/process_poller/tracers/sysmon_etw.py,sha256=zn5YGX0Uro_Om7Gp1O4r0nlP1cR7BX1nYQmELPLZc9I,2500
 atomicshop/ssh_scripts/process_from_ipv4.py,sha256=uDBKZ2Ds20614JW1xMLr4IPB-z1LzIwy6QH5-SJ4j0s,1681
 atomicshop/ssh_scripts/process_from_port.py,sha256=uDTkVh4zc3HOTTGv1Et3IxM3PonDJCPuFRL6rnZDQZ4,1389
 atomicshop/startup/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -175,8 +184,8 @@ atomicshop/wrappers/certauthw/certauthw.py,sha256=4WvhjANI7Kzqrr_nKmtA8Kf7B6rute
 atomicshop/wrappers/ctyping/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 atomicshop/wrappers/ctyping/process_winapi.py,sha256=QcXL-ETtlSSkoT8F7pYle97ubGWsjYp8cx8HxkVMgAc,2762
 atomicshop/wrappers/ctyping/etw_winapi/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-atomicshop/wrappers/ctyping/etw_winapi/const.py,sha256=jq5nms2qu4FsuXuq3vaHjz9W4ILt9GY-C7CQ8VKcpyg,5764
-atomicshop/wrappers/ctyping/etw_winapi/etw_functions.py,sha256=3DLVXpTeOyTND35T_dKGzKnlLVQ0R3zt3AEcW2bNLNc,5304
+atomicshop/wrappers/ctyping/etw_winapi/const.py,sha256=stZHZ7tSiSAs04ikr7uH-Td_yBXxsF-bp2Q0F3K2fsM,9543
+atomicshop/wrappers/ctyping/etw_winapi/etw_functions.py,sha256=Iwd0wIuoxpjMaaOfZZtT1bPtDTsMO8jjItBE5bvkocM,11546
 atomicshop/wrappers/ctyping/msi_windows_installer/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 atomicshop/wrappers/ctyping/msi_windows_installer/base.py,sha256=Uu9SlWLsQQ6mjE-ek-ptHcmgiI3Ruah9bdZus70EaVY,4884
 atomicshop/wrappers/ctyping/msi_windows_installer/cabs.py,sha256=htzwb2ROYI8yyc82xApStckPS2yCcoyaw32yC15KROs,3285
@@ -228,7 +237,7 @@ atomicshop/wrappers/loggingw/formatters.py,sha256=mUtcJJfmhLNrwUVYShXTmdu40dBaJu
 atomicshop/wrappers/loggingw/handlers.py,sha256=2A_3Qy1B0RvVWZmQocAB6CmpqlXoKJ-yi6iBWG2jNLo,8274
 atomicshop/wrappers/loggingw/loggers.py,sha256=DHOOTAtqkwn1xgvLHSkOiBm6yFGNuQy1kvbhG-TDog8,2374
 atomicshop/wrappers/loggingw/loggingw.py,sha256=m6YySEedP3_4Ik1S_uGMxETSbmRkmMYmAZxhHBlXSlo,16616
-atomicshop/wrappers/loggingw/reading.py,sha256=bsSUM9_epMO2L-lHBEULFxeqdxXOHfICt-1BtQZn7lA,16712
+atomicshop/wrappers/loggingw/reading.py,sha256=wse-38zUDHB3HUB28R8Ah_Ig3Wxt2tChapKtu-yyy2E,17036
 atomicshop/wrappers/nodejsw/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 atomicshop/wrappers/nodejsw/install_nodejs.py,sha256=QZg-R2iTQt7kFb8wNtnTmwraSGwvUs34JIasdbNa7ZU,5154
 atomicshop/wrappers/playwrightw/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -251,9 +260,10 @@ atomicshop/wrappers/pywin32w/console.py,sha256=LstHajPLgXp9qQxFNR44QfH10nOnNp3bC
 atomicshop/wrappers/pywin32w/winshell.py,sha256=i2bKiMldPU7_azsD5xGQDdMwjaM7suKJd3k0Szmcs6c,723
 atomicshop/wrappers/pywin32w/wmi_win32process.py,sha256=qMzXtJ5hBZ5ydAyqpDbSx0nO2RJQL95HdmV5SzNKMhk,6826
 atomicshop/wrappers/pywin32w/win_event_log/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-atomicshop/wrappers/pywin32w/win_event_log/subscribe.py,sha256=a0SqjtUfo-fVR5jlsoygFlDrjHelOKgCBvia3suyzW8,8217
+atomicshop/wrappers/pywin32w/win_event_log/subscribe.py,sha256=FYo2X0Xm3lb3GIdIt_8usoj7JPSDWj0iwsIJ4OwZLQM,8156
 atomicshop/wrappers/pywin32w/win_event_log/subscribes/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-atomicshop/wrappers/pywin32w/win_event_log/subscribes/process_create.py,sha256=_no1MnXjhLgOi9Y7xc7HHgTe6sjZkHIIhcVCd5BKZgM,6865
+atomicshop/wrappers/pywin32w/win_event_log/subscribes/process_create.py,sha256=1PrPiDiuiVfzfzN5BUuxMfUoCgGW7RGgH6HVrjpTnQc,6064
+atomicshop/wrappers/pywin32w/win_event_log/subscribes/process_terminate.py,sha256=0k09fiAwKDJO404bjxUWSSSLOiNANl-VTJDD_YLq-I8,3763
 atomicshop/wrappers/pywin32w/win_event_log/subscribes/schannel_logging.py,sha256=8nxIcNcbeEuvoBwhujgh7-oIpL9A6J-gg1NM8hOGAVA,3442
 atomicshop/wrappers/socketw/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 atomicshop/wrappers/socketw/accepter.py,sha256=HQC1EyZmyUtVEfFbaBkHCE-VZp6RWyd9mEqAkgsE1fk,1749
@@ -271,8 +281,8 @@ atomicshop/wrappers/socketw/socket_server_tester.py,sha256=AhpurHJmP2kgzHaUbq5ey
 atomicshop/wrappers/socketw/socket_wrapper.py,sha256=aXBwlEIJhFT0-c4i8iNlFx2It9VpCEpsv--5Oqcpxao,11624
 atomicshop/wrappers/socketw/ssl_base.py,sha256=k4V3gwkbq10MvOH4btU4onLX2GNOsSfUAdcHmL1rpVE,2274
 atomicshop/wrappers/socketw/statistics_csv.py,sha256=t3dtDEfN47CfYVi0CW6Kc2QHTEeZVyYhc57IYYh5nmA,826
-atomicshop-2.14.2.dist-info/LICENSE.txt,sha256=lLU7EYycfYcK2NR_1gfnhnRC8b8ccOTElACYplgZN88,1094
-atomicshop-2.14.2.dist-info/METADATA,sha256=VIgp-Go_u3KNgCb_tRAE6XcD9IyNa2lHdn0C2WFmscY,10478
-atomicshop-2.14.2.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
-atomicshop-2.14.2.dist-info/top_level.txt,sha256=EgKJB-7xcrAPeqTRF2laD_Np2gNGYkJkd4OyXqpJphA,11
-atomicshop-2.14.2.dist-info/RECORD,,
+atomicshop-2.14.4.dist-info/LICENSE.txt,sha256=lLU7EYycfYcK2NR_1gfnhnRC8b8ccOTElACYplgZN88,1094
+atomicshop-2.14.4.dist-info/METADATA,sha256=fjxtj_SzmyjVK6o_Z08jX-lLJoz7m_vYNPvn0fCoFYU,10478
+atomicshop-2.14.4.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
+atomicshop-2.14.4.dist-info/top_level.txt,sha256=EgKJB-7xcrAPeqTRF2laD_Np2gNGYkJkd4OyXqpJphA,11
+atomicshop-2.14.4.dist-info/RECORD,,