atomicshop 2.19.6__py3-none-any.whl → 2.19.7__py3-none-any.whl

atomicshop/__init__.py

@@ -1,4 +1,4 @@
 """Atomic Basic functions and classes to make developer life easier"""
 
 __author__ = "Den Kras"
-__version__ = '2.19.6'
+__version__ = '2.19.7'

atomicshop/basics/bytes_arrays.py

@@ -1,3 +1,7 @@
+from typing import Union
+import string
+
+
 def get_single_byte_from_byte_string(byte_string, index: int):
     """
     Function extracts single byte as byte from byte string object.
@@ -179,3 +183,18 @@ def read_bytes_from_position(
         # Read the specified number of bytes.
         data = file.read(num_bytes)
     return data
+
+
+def convert_bytes_to_printable_string_only(
+        byte_sequence: Union[bytes, bytearray],
+        non_printable_character: str = '.'
+) -> str:
+    """
+    Convert bytes to printable string. If byte is not printable, replace it with 'non_printable_character'.
+    :param byte_sequence: bytes or bytearray, sequence of bytes.
+    :param non_printable_character: string, character to replace non-printable characters.
+    :return:
+    """
+
+    printable = set(string.printable)
+    return ''.join(chr(byte) if chr(byte) in printable else non_printable_character for byte in byte_sequence)

atomicshop/etws/trace.py

@@ -29,6 +29,8 @@ class EventTrace(etw.ETW):
         :param providers: List of tuples with provider name and provider GUID.
             tuple[0] = provider name
             tuple[1] = provider GUID
+
+            Example: [('Microsoft-Windows-DNS-Client', '{1c95126e-7ee8-4e23-86b2-6e7e4a5a8e9b}')]
         :param event_callback: Reference to the callable callback function that will be called for each occurring event.
         :param event_id_filters: List of event IDs that we want to filter. If not provided, all events will be returned.
             The default in the 'etw.ETW' method is 'None'.

atomicshop/wrappers/ctyping/etw_winapi/const.py

@@ -11,10 +11,14 @@ EVENT_CONTROL_CODE_ENABLE_PROVIDER = 1
 
 MAXIMUM_LOGGERS = 64
 ULONG64 = ctypes.c_uint64
+UCHAR = ctypes.c_ubyte
 
 INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value
 TRACEHANDLE = ULONG64
 
+PROCESS_TRACE_MODE_EVENT_RECORD = 0x10000000     # new event-record callback
+PROCESS_TRACE_MODE_REAL_TIME = 0x00000100
+INVALID_PROCESSTRACE_HANDLE = 0xFFFFFFFFFFFFFFFF  # Often -1 in 64-bit
 
 
 """
@@ -69,10 +73,7 @@ class EVENT_TRACE_PROPERTIES(ctypes.Structure):
         ("RealTimeBuffersLost", wintypes.ULONG),
         ("LoggerThreadId", wintypes.HANDLE),
         ("LogFileNameOffset", wintypes.ULONG),
-        ("LoggerNameOffset", wintypes.ULONG),
-        # Allocate space for the names at the end of the structure
-        ("_LoggerName", wintypes.WCHAR * 1024),
-        ("_LogFileName", wintypes.WCHAR * 1024)
+        ("LoggerNameOffset", wintypes.ULONG)
     ]
 
 
@@ -183,55 +184,59 @@ class EVENT_HEADER(ctypes.Structure):
         ("RelatedActivityId", GUID),
     ]
 
+
+class ETW_BUFFER_CONTEXT(ctypes.Structure):
+    _fields_ = [('ProcessorNumber', ctypes.c_ubyte),
+                ('Alignment', ctypes.c_ubyte),
+                ('LoggerId', ctypes.c_ushort)]
+
+
+class EVENT_HEADER_EXTENDED_DATA_ITEM(ctypes.Structure):
+    _fields_ = [
+        ('Reserved1', ctypes.c_ushort),
+        ('ExtType', ctypes.c_ushort),
+        ('Linkage', ctypes.c_ushort),    # struct{USHORT :1, USHORT :15}
+        ('DataSize', ctypes.c_ushort),
+        ('DataPtr', ctypes.c_ulonglong)
+    ]
+
+
 class EVENT_RECORD(ctypes.Structure):
     _fields_ = [
-        ("EventHeader", EVENT_HEADER),
-        ("BufferContext", wintypes.ULONG),
-        ("ExtendedDataCount", wintypes.USHORT),
-        ("UserDataLength", wintypes.USHORT),
-        ("ExtendedData", wintypes.LPVOID),
-        ("UserData", wintypes.LPVOID),
-        ("UserContext", wintypes.LPVOID)
+        ('EventHeader', EVENT_HEADER),
+        ('BufferContext', ETW_BUFFER_CONTEXT),
+        ('ExtendedDataCount', ctypes.c_ushort),
+        ('UserDataLength', ctypes.c_ushort),
+        ('ExtendedData', ctypes.POINTER(EVENT_HEADER_EXTENDED_DATA_ITEM)),
+        ('UserData', ctypes.c_void_p),
+        ('UserContext', ctypes.c_void_p)
     ]
 
 
-# class EVENT_TRACE_LOGFILE(ctypes.Structure):
-#     _fields_ = [
-#         ("LogFileName", wintypes.LPWSTR),
-#         ("LoggerName", wintypes.LPWSTR),
-#         ("CurrentTime", wintypes.LARGE_INTEGER),
-#         ("BuffersRead", wintypes.ULONG),
-#         ("ProcessTraceMode", wintypes.ULONG),
-#         ("EventRecordCallback", wintypes.LPVOID),
-#         ("BufferSize", wintypes.ULONG),
-#         ("Filled", wintypes.ULONG),
-#         ("EventsLost", wintypes.ULONG),
-#         ("BuffersLost", wintypes.ULONG),
-#         ("RealTimeBuffersLost", wintypes.ULONG),
-#         ("LogBuffersLost", wintypes.ULONG),
-#         ("BuffersWritten", wintypes.ULONG),
-#         ("LogFileMode", wintypes.ULONG),
-#         ("IsKernelTrace", wintypes.ULONG),
-#         ("Context", wintypes.ULONG)  # Placeholder for context pointer
-#     ]
+class EVENT_TRACE_LOGFILE(ctypes.Structure):
+    pass
+
+
+EVENT_RECORD_CALLBACK = ctypes.WINFUNCTYPE(None, ctypes.POINTER(EVENT_RECORD))
+EVENT_TRACE_BUFFER_CALLBACK = ctypes.WINFUNCTYPE(ctypes.c_ulong, ctypes.POINTER(EVENT_TRACE_LOGFILE))
 
 
 class EVENT_TRACE_LOGFILE(ctypes.Structure):
     _fields_ = [
-        ("LogFileName", wintypes.LPWSTR),
-        ("LoggerName", wintypes.LPWSTR),
-        ("CurrentTime", wintypes.LARGE_INTEGER),
-        ("BuffersRead", wintypes.ULONG),
-        ("ProcessTraceMode", wintypes.ULONG),
-        ("CurrentEvent", EVENT_RECORD),
-        ("LogfileHeader", TRACE_LOGFILE_HEADER),
-        ("BufferCallback", wintypes.LPVOID),
-        ("BufferSize", wintypes.ULONG),
-        ("Filled", wintypes.ULONG),
-        ("EventsLost", wintypes.ULONG),
-        ("EventCallback", ctypes.c_void_p),
-        ("IsKernelTrace", wintypes.ULONG),
-        ("Context", wintypes.LPVOID)
+        ('LogFileName', ctypes.c_wchar_p),
+        ('LoggerName', ctypes.c_wchar_p),
+        ('CurrentTime', ctypes.c_longlong),
+        ('BuffersRead', ctypes.c_ulong),
+        ('ProcessTraceMode', ctypes.c_ulong),
+        ('CurrentEvent', EVENT_TRACE),
+        ('LogfileHeader', TRACE_LOGFILE_HEADER),
+        ('BufferCallback', EVENT_TRACE_BUFFER_CALLBACK),
+        ('BufferSize', ctypes.c_ulong),
+        ('Filled', ctypes.c_ulong),
+        ('EventsLost', ctypes.c_ulong),
+        ('EventRecordCallback', EVENT_RECORD_CALLBACK),
+        ('IsKernelTrace', ctypes.c_ulong),
+        ('Context', ctypes.c_void_p)
     ]
 
 
@@ -255,7 +260,7 @@ class PROVIDER_INFORMATION(ctypes.Structure):
 
 
 # Load the necessary library
-advapi32 = ctypes.WinDLL('advapi32')
+advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
 tdh = ctypes.windll.tdh
 
 # Define necessary TDH functions
@@ -263,6 +268,46 @@ tdh.TdhEnumerateProviders.argtypes = [ctypes.POINTER(PROVIDER_ENUMERATION_INFO),
 tdh.TdhEnumerateProviders.restype = ULONG
 
 
+# Make sure StartTraceW has proper argtypes (if not set in consts)
+StartTrace = advapi32.StartTraceW
+StartTrace.argtypes = [
+    ctypes.POINTER(TRACEHANDLE),
+    wintypes.LPCWSTR,
+    ctypes.POINTER(EVENT_TRACE_PROPERTIES)
+]
+StartTrace.restype = wintypes.ULONG
+
+
+class EVENT_FILTER_DESCRIPTOR(ctypes.Structure):
+    _fields_ = [('Ptr', ctypes.c_ulonglong),
+                ('Size', ctypes.c_ulong),
+                ('Type', ctypes.c_ulong)]
+
+
+class ENABLE_TRACE_PARAMETERS(ctypes.Structure):
+    _fields_ = [
+        ('Version', ctypes.c_ulong),
+            ('EnableProperty', ctypes.c_ulong),
+            ('ControlFlags', ctypes.c_ulong),
+            ('SourceId', GUID),
+            ('EnableFilterDesc', ctypes.POINTER(EVENT_FILTER_DESCRIPTOR)),
+            ('FilterDescCount', ctypes.c_ulong)
+    ]
+
+
+EnableTraceEx2 = advapi32.EnableTraceEx2
+EnableTraceEx2.argtypes = [
+    TRACEHANDLE,                                # TraceHandle (c_uint64)
+    ctypes.POINTER(GUID),                       # ProviderId
+    ctypes.c_ulong,                             # ControlCode
+    ctypes.c_char,                              # Level
+    ctypes.c_ulonglong,                         # MatchAnyKeyword
+    ctypes.c_ulonglong,                         # MatchAllKeyword
+    ctypes.c_ulong,                             # Timeout
+    ctypes.POINTER(ENABLE_TRACE_PARAMETERS)]    # PENABLE_TRACE_PARAMETERS (optional) -> None or pointer
+EnableTraceEx2.restype = ctypes.c_ulong
+
+
 # Define the function prototype
 QueryAllTraces = advapi32.QueryAllTracesW
 QueryAllTraces.argtypes = [
@@ -277,8 +322,13 @@ OpenTrace.argtypes = [ctypes.POINTER(EVENT_TRACE_LOGFILE)]
 OpenTrace.restype = wintypes.ULONG
 
 ProcessTrace = advapi32.ProcessTrace
-ProcessTrace.argtypes = [ctypes.POINTER(wintypes.ULONG), wintypes.ULONG, wintypes.LARGE_INTEGER, wintypes.LARGE_INTEGER]
-ProcessTrace.restype = wintypes.ULONG
+ProcessTrace.argtypes = [
+    ctypes.POINTER(ctypes.c_uint64),  # pointer to array of 64-bit handles
+    wintypes.ULONG,     # handle count
+    ctypes.c_void_p,           # LPFILETIME (start)
+    ctypes.c_void_p            # LPFILETIME (end)
+]
+ProcessTrace.restype  = wintypes.ULONG
 
 CloseTrace = advapi32.CloseTrace
 CloseTrace.argtypes = [wintypes.ULONG]

atomicshop/wrappers/ctyping/etw_winapi/etw_functions.py

@@ -1,5 +1,5 @@
 import ctypes
-from ctypes import wintypes
+import queue
 from ctypes.wintypes import ULONG
 import uuid
 from typing import Literal
@@ -34,7 +34,7 @@ def start_etw_session(
         provider_name_list: list = None,
         verbosity_mode: int = 4,
         maximum_buffers: int = 38
-):
+) -> const.TRACEHANDLE:
     """
     Start an ETW session and enable the specified provider.
 
@@ -77,57 +77,89 @@ def start_etw_session(
         for provider_name in provider_name_list:
             provider_guid_list.append(providers.get_provider_guid_by_name(provider_name))
 
-    properties_size = ctypes.sizeof(const.EVENT_TRACE_PROPERTIES) + (2 * wintypes.MAX_PATH)
-    properties = (ctypes.c_byte * properties_size)()
-    properties_ptr = ctypes.cast(properties, ctypes.POINTER(const.EVENT_TRACE_PROPERTIES))
-
-    # Initialize the EVENT_TRACE_PROPERTIES structure
-    properties_ptr.contents.Wnode.BufferSize = properties_size
-    properties_ptr.contents.Wnode.Guid = const.GUID()
-    properties_ptr.contents.Wnode.Flags = const.WNODE_FLAG_TRACED_GUID
-    properties_ptr.contents.Wnode.ClientContext = 1   # QPC clock resolution
-    properties_ptr.contents.BufferSize = 1024
-    properties_ptr.contents.MinimumBuffers = 1
-    properties_ptr.contents.MaximumBuffers = maximum_buffers
-    properties_ptr.contents.MaximumFileSize = 0
-    properties_ptr.contents.LogFileMode = const.EVENT_TRACE_REAL_TIME_MODE
-    properties_ptr.contents.FlushTimer = 1
-    properties_ptr.contents.EnableFlags = 0
-
-    # Start the ETW session
-    session_handle = wintypes.HANDLE()
-    status = ctypes.windll.advapi32.StartTraceW(
-        ctypes.byref(session_handle),
-        ctypes.c_wchar_p(session_name),
-        properties_ptr
-    )
+        # (1) Allocate a buffer large enough for EVENT_TRACE_PROPERTIES + space for 2 strings
+        #     The typical approach is to allow enough space for:
+        #       - The structure
+        #       - The "LoggerName" string
+        #       - The "LogFileName" string (even if we don't use it, we must leave offset space)
+        #
+        props_size = ctypes.sizeof(const.EVENT_TRACE_PROPERTIES)
+        # Add space for 2 x 1024 wide-chars (one for LoggerName, one for LogFileName)
+        # Each wide char = ctypes.sizeof(ctypes.c_wchar).
+        props_size += (2 * 1024 * ctypes.sizeof(ctypes.c_wchar))  # for logger name
+        props_size += (2 * 1024 * ctypes.sizeof(ctypes.c_wchar))  # for log file name
+
+        properties_buffer = ctypes.create_string_buffer(props_size)
+        properties_ptr = ctypes.cast(properties_buffer, ctypes.POINTER(const.EVENT_TRACE_PROPERTIES))
+        props = properties_ptr.contents
+
+        # (2) Fill in basic fields
+        props.Wnode.BufferSize = props_size
+        props.Wnode.Flags = const.WNODE_FLAG_TRACED_GUID  # 0x00020000
+        props.Wnode.ClientContext = 1  # QPC clock
+        props.BufferSize = 1024
+        props.MinimumBuffers = 1
+        props.MaximumBuffers = maximum_buffers
+        props.MaximumFileSize = 0
+        props.LogFileMode = const.EVENT_TRACE_REAL_TIME_MODE  # real-time
+        props.FlushTimer = 1
+        props.EnableFlags = 0
+
+        # (3) Indicate where in this allocated buffer the strings should go
+        struct_size = ctypes.sizeof(const.EVENT_TRACE_PROPERTIES)
+        props.LoggerNameOffset = struct_size
+        props.LogFileNameOffset = struct_size + (2 * 1024 * ctypes.sizeof(ctypes.c_wchar))
+
+        # (4) Copy the session name into the LoggerName space
+        logger_name_address = ctypes.addressof(properties_buffer) + props.LoggerNameOffset
+        session_name_wchar = ctypes.create_unicode_buffer(session_name)
+        ctypes.memmove(
+            logger_name_address,
+            session_name_wchar,
+            len(session_name) * ctypes.sizeof(ctypes.c_wchar)
+        )
 
-    if status != 0:
-        if status == 183:
-            raise ETWSessionExists(f"ETW session [{session_name}] already exists")
-        else:
-            raise Exception(f"StartTraceW failed with error {status}")
-
-    # Enable each provider
-    for provider_guid in provider_guid_list:
-        provider_guid_struct = _string_to_guid(provider_guid)
-        status = ctypes.windll.advapi32.EnableTraceEx2(
-            session_handle,
-            ctypes.byref(provider_guid_struct),
-            const.EVENT_CONTROL_CODE_ENABLE_PROVIDER,
-            verbosity_mode,
-            0,
-            0,
-            0,
-            None
+        # (5) Start the session
+        session_handle = const.TRACEHANDLE(0)
+        status = const.StartTrace(
+            ctypes.byref(session_handle),
+            session_name,  # The session name as an LPCWSTR
+            properties_ptr  # pointer to EVENT_TRACE_PROPERTIES
         )
 
         if status != 0:
-            raise Exception(f"EnableTraceEx2 failed for provider {provider_guid} with error {status}")
-
-    print("ETW session started successfully")
-
-    return session_handle
+            # 183 => ERROR_ALREADY_EXISTS
+            if status == 183:
+                raise ETWSessionExists(f"ETW session [{session_name}] already exists")
+            else:
+                raise Exception(f"StartTraceW failed with error code {status}")
+
+        # (6) If we have providers to enable, enable each
+        if provider_guid_list:
+            for guid_str in provider_guid_list:
+                guid_struct = _string_to_guid(guid_str)
+
+                # Typically you'd do something like:
+                #   advapi32.EnableTraceEx2(TRACEHANDLE, PGUID, CONTROL_CODE, LEVEL, KW, KW, TIMEOUT, FILTER)
+
+                enable_status = const.EnableTraceEx2(
+                    session_handle,  # The session handle
+                    ctypes.byref(guid_struct),  # The provider GUID
+                    const.EVENT_CONTROL_CODE_ENABLE_PROVIDER,  # 1 => enable
+                    verbosity_mode,  # level
+                    0xFFFFFFFFFFFFFFFF, # matchAnyKeyword
+                    0,  # matchAllKeyword
+                    0,  # timeout
+                    None  # enableParameters (optional)
+                )
+
+                if enable_status != 0:
+                    raise Exception(
+                        f"EnableTraceEx2 failed for provider {guid_str} (error={enable_status})"
+                    )
+
+        print(f"ETW session '{session_name}' started successfully.")
+        return session_handle
 
 
 # Function to stop and delete ETW session
@@ -165,6 +197,103 @@ def stop_and_delete_etw_session(session_name: str) -> tuple[bool, int]:
         return True, status
 
 
+@const.EVENT_CALLBACK_TYPE
+def _default_callback(
+        event_record_ptr
+):
+    """
+    This function will be called by Windows for every incoming ETW event.
+    'event_record_ptr' is a pointer to an EVENT_RECORD structure.
+    """
+    # Convert pointer to a Python EVENT_RECORD object
+    event_record = event_record_ptr.contents
+
+    # Do something with event_record (e.g., parse via TDH)
+    print("Received an ETW event!", event_record.EventHeader.ProviderId)
+
+
+def start_etw_consumer(
+        session_name: str,
+        record_queue: queue.Queue
+):
+    """
+    Attach to an existing real-time ETW session by 'session_name'
+    using the "new" EVENT_RECORD callback approach.
+    This call blocks until the ETW session is stopped or an error occurs.
+    """
+    # 1) Create a closure callback that references the queue
+    #    We define an inner function that sees 'record_queue' from outer scope.
+    #    Then we wrap that in EVENT_CALLBACK_TYPE.
+    if record_queue is not None:
+        @const.EVENT_CALLBACK_TYPE
+        def _queue_callback(event_record_ptr):
+            event_record = event_record_ptr.contents
+            # # Example: put a simple dict with the provider ID & possibly more info
+            # record_queue.put({
+            #     "provider_id": str(event_record.EventHeader.ProviderId),
+            #     "process_id": event_record.EventHeader.ProcessId,
+            #     "thread_id": event_record.EventHeader.ThreadId,
+            #     # ... more fields or parse them with TdhGetEventInformation, etc.
+            # })
+            print("Received an ETW event!", event_record.EventHeader.ProviderId)
+            record_queue.put(event_record)
+    else:
+        _queue_callback = _default_callback
+
+    # Keep a reference to the callback so Python doesn't GC it.
+    start_etw_consumer._callback_ref = _queue_callback
+
+    # Prepare the EVENT_TRACE_LOGFILE structure
+    logfile = const.EVENT_TRACE_LOGFILE()
+    # You can also do: logfile.LoggerName = session_name
+    # If you assign session_name (a Python str), ctypes automatically converts it to a temporary c_wchar_p under the hood.
+    # logfile.LoggerName = ctypes.c_wchar_p(session_name)
+    logfile.LoggerName = session_name
+    logfile.LogFileName = None  # Real-time, not from a file
+    logfile.ProcessTraceMode = (const.PROCESS_TRACE_MODE_REAL_TIME | const.PROCESS_TRACE_MODE_EVENT_RECORD)
+
+    # Point to our Python callback
+    logfile.EventRecordCallback = const.EVENT_RECORD_CALLBACK(_default_callback)
+
+    # Open the trace
+    trace_handle = const.OpenTrace(ctypes.byref(logfile))
+    if trace_handle == const.INVALID_PROCESSTRACE_HANDLE:
+        error_code = ctypes.get_last_error()
+        raise OSError(f"OpenTrace failed with error code: {error_code}")
+
+    # trace_handle is actually an unsigned long, but in 64-bit it's a 64-bit handle.
+    # We'll create an array of one handle for ProcessTrace:
+    trace_handle_array = (ctypes.c_uint64 * 1)(trace_handle)
+
+    # Blocking call - will not return until the session is stopped (or error).
+    status = const.ProcessTrace(
+        trace_handle_array,
+        1,  # HandleCount = 1
+        None,  # StartTime = None
+        None  # EndTime = None
+    )
+    if status != 0:
+        raise OSError(f"ProcessTrace failed with error code: {status}")
+
+    print("ProcessTrace returned. ETW consumer finished.")
+
+
+def start_etw_consumer_in_thread(
+        session_name: str,
+        record_queue: queue.Queue
+):
+    """
+    Start an ETW consumer in a separate thread.
+    """
+    import threading
+
+    def _start_etw_consumer():
+        start_etw_consumer(session_name, record_queue)
+
+    thread = threading.Thread(target=_start_etw_consumer)
+    thread.start()
+
+
 def get_all_providers(key_as: Literal['name', 'guid'] = 'name') -> dict:
     """
     Get all ETW providers available on the system.

{atomicshop-2.19.6.dist-info → atomicshop-2.19.7.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: atomicshop
-Version: 2.19.6
+Version: 2.19.7
 Summary: Atomic functions and classes to make developer life easier
 Author: Denis Kras
 License: MIT License

{atomicshop-2.19.6.dist-info → atomicshop-2.19.7.dist-info}/RECORD

@@ -1,4 +1,4 @@
-atomicshop/__init__.py,sha256=knCj__YmUuoKs1yCpFlwbRugLxYK9EFx2UTKQEkbSTc,123
+atomicshop/__init__.py,sha256=mP4RKVYs6CFRxy4SuFUKdwycVZS11TlGgfMVUl8GYy4,123
 atomicshop/_basics_temp.py,sha256=6cu2dd6r2dLrd1BRNcVDKTHlsHs_26Gpw8QS6v32lQ0,3699
 atomicshop/_create_pdf_demo.py,sha256=Yi-PGZuMg0RKvQmLqVeLIZYadqEZwUm-4A9JxBl_vYA,3713
 atomicshop/_patch_import.py,sha256=ENp55sKVJ0e6-4lBvZnpz9PQCt3Otbur7F6aXDlyje4,6334
@@ -89,7 +89,7 @@ atomicshop/basics/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU
 atomicshop/basics/ansi_escape_codes.py,sha256=uGVRW01v2O052701sOfAdCaM_GLF_cu_jrssuYiPbzA,3216
 atomicshop/basics/argparse_template.py,sha256=horwgSf3MX1ZgRnYxtmmQuz9OU_vKrKggF65gmjlmfg,5836
 atomicshop/basics/booleans.py,sha256=V36NaMf8AffhCom_ovQeOZlYcdtGyIcQwWKki6h7O0M,1745
-atomicshop/basics/bytes_arrays.py,sha256=tU7KF0UAFSErGNcan4Uz1GJxeIYVRuUu9sHVZHgyNnw,6542
+atomicshop/basics/bytes_arrays.py,sha256=xfFW9CBQyzf0iXNWpx-EfrxtN3-tiKzuczPzOb6cOdU,7190
 atomicshop/basics/classes.py,sha256=UayCzPs3eynI3wOzSu-2IJSmTwOB4HwPwgVI2F-7_lQ,12648
 atomicshop/basics/dicts.py,sha256=DeYHIh940pMMBrFhpXt4dsigFVYzTrlqWymNo4Pq_Js,14049
 atomicshop/basics/dicts_nested.py,sha256=StYxYnYPa0SEJr1lmEwAv5zfERWWqoULeyG8e0zRAwE,4107
@@ -115,7 +115,7 @@ atomicshop/etws/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 atomicshop/etws/const.py,sha256=v3x_IdCYeSKbCGywiZFOZln80ldpwKW5nuMDuUe51Jg,1257
 atomicshop/etws/providers.py,sha256=CXNx8pYdjtpLIpA66IwrnE64XhY4U5ExnFBMLEb8Uzk,547
 atomicshop/etws/sessions.py,sha256=b_KeiOvgOBJezJokN81TRlrvJiQNJlIWN4Z6UVjuxP0,1335
-atomicshop/etws/trace.py,sha256=WMOjdazK97UcIdhVgcnjh98OCbuEJcnm1Z_yPp_nE2c,7258
+atomicshop/etws/trace.py,sha256=QcB_NYP-KPOaafYd6jCFdPPQsBu4jzac4QicJdWJAoE,7359
 atomicshop/etws/traces/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 atomicshop/etws/traces/trace_dns.py,sha256=WvOZm7KNdP4r6ofkZhUGi9WjtYlkV3mUp_yxita3Qg4,6399
 atomicshop/etws/traces/trace_sysmon_process_creation.py,sha256=OM-bkK38uYMwWLZKNOTDa0Xdk3sO6sqsxoMUIiPvm5g,4656
@@ -206,8 +206,8 @@ atomicshop/wrappers/ctyping/file_details_winapi.py,sha256=dmdnCMwx4GgVEctiUIyniV
 atomicshop/wrappers/ctyping/process_winapi.py,sha256=QcXL-ETtlSSkoT8F7pYle97ubGWsjYp8cx8HxkVMgAc,2762
 atomicshop/wrappers/ctyping/win_console.py,sha256=uTtjkz9rY559AaV0dhyZYUSSEe9cn6Du2DgurdMtX-M,1158
 atomicshop/wrappers/ctyping/etw_winapi/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-atomicshop/wrappers/ctyping/etw_winapi/const.py,sha256=stZHZ7tSiSAs04ikr7uH-Td_yBXxsF-bp2Q0F3K2fsM,9543
-atomicshop/wrappers/ctyping/etw_winapi/etw_functions.py,sha256=Iwd0wIuoxpjMaaOfZZtT1bPtDTsMO8jjItBE5bvkocM,11546
+atomicshop/wrappers/ctyping/etw_winapi/const.py,sha256=W-NMYlJ8RrMxLRjKcatEHe6wJwNxNMGSmYbXRXrlz6o,11223
+atomicshop/wrappers/ctyping/etw_winapi/etw_functions.py,sha256=EMdCjGd3x6aRcHkY2NRNTlrOuC7TY4rhfqfRtTWkbYU,17225
 atomicshop/wrappers/ctyping/msi_windows_installer/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 atomicshop/wrappers/ctyping/msi_windows_installer/base.py,sha256=Uu9SlWLsQQ6mjE-ek-ptHcmgiI3Ruah9bdZus70EaVY,4884
 atomicshop/wrappers/ctyping/msi_windows_installer/cabs.py,sha256=htzwb2ROYI8yyc82xApStckPS2yCcoyaw32yC15KROs,3285
@@ -325,8 +325,8 @@ atomicshop/wrappers/socketw/statistics_csv.py,sha256=fgMzDXI0cybwUEqAxprRmY3lqbh
 atomicshop/wrappers/winregw/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 atomicshop/wrappers/winregw/winreg_installed_software.py,sha256=Qzmyktvob1qp6Tjk2DjLfAqr_yXV0sgWzdMW_9kwNjY,2345
 atomicshop/wrappers/winregw/winreg_network.py,sha256=AENV88H1qDidrcpyM9OwEZxX5svfi-Jb4N6FkS1xtqA,8851
-atomicshop-2.19.6.dist-info/LICENSE.txt,sha256=lLU7EYycfYcK2NR_1gfnhnRC8b8ccOTElACYplgZN88,1094
-atomicshop-2.19.6.dist-info/METADATA,sha256=Y0sI9FlA-ojjoCn5MnTdwd1xe6nC1Rs8tVkH9dxtyHo,10630
-atomicshop-2.19.6.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
-atomicshop-2.19.6.dist-info/top_level.txt,sha256=EgKJB-7xcrAPeqTRF2laD_Np2gNGYkJkd4OyXqpJphA,11
-atomicshop-2.19.6.dist-info/RECORD,,
+atomicshop-2.19.7.dist-info/LICENSE.txt,sha256=lLU7EYycfYcK2NR_1gfnhnRC8b8ccOTElACYplgZN88,1094
+atomicshop-2.19.7.dist-info/METADATA,sha256=eWuLCGUrAwVSQ15odcFHEUvTyhT1m9roQxiCYJk1_t8,10630
+atomicshop-2.19.7.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
+atomicshop-2.19.7.dist-info/top_level.txt,sha256=EgKJB-7xcrAPeqTRF2laD_Np2gNGYkJkd4OyXqpJphA,11
+atomicshop-2.19.7.dist-info/RECORD,,