Coder Social home page Coder Social logo

realtimepatterndetection's Introduction

RealTimePatternDetection

ETW 概述與架構

ETW 架構 Event Tracing for Windows (ETW) 是 Windows 平台上一個高效能、低負擔的事件追蹤系統。其架構包含以下幾個主要部分:

  • Event Providers:
    • 事件提供者是負責產生事件的源頭。它們可以是內建於操作系統的,也可以是應用程式自己定義的。提供者通過 EventWrite 或 TraceLoggingWrite API 來發送事件。
  • Event Consumers:
    • 事件消費者是負責接收和處理事件的應用程式或工具。這些消費者可以是實時的監控工具、日誌分析工具等。
  • Event Controllers:
    • 事件控制器用來啟動和停止事件提供者,並配置其事件追蹤會話。控制器一般使用 StartTrace、ControlTrace 等 API。
  • Event Tracing Sessions:
    • 事件追蹤會話是事件追蹤的單位,由事件控制器啟動,用來收集和傳送事件。會話可以配置為將事件寫入文件或通過網路實時傳輸。

ETW 串接

串接 ETW 步驟:

  • 啟動事件追蹤Session:
    • 使用 StartTrace API 來啟動一個新的事件追蹤Session。
  • 啟動事件提供者:
    • 使用 EnableTrace API 啟動特定的事件提供者。
  • 處理事件:
    • 實現一個事件處理器,使用 EventRecordCallback 函數來處理事件。這個函數會在每次事件發生時被調用。
  • 停止事件追蹤Session:
    • 使用 StopTrace API 停止事件追蹤Session。

ETW 使用限制

在開發產品時,使用 ETW 需要考量以下限制:

  • 效能問題:
    • 儘管 ETW 設計為高效能,但在高頻率事件產生的情況下,仍可能對系統性能產生影響。
  • 安全性:
    • 某些敏感信息的追蹤可能需要特殊的權限,並且可能涉及到隱私問題。
  • 資料量:
    • 大量的事件資料可能導致存儲和處理的負擔,需要合理的數據管理策略。
  • 相容性:
    • 不同版本的 Windows 對 ETW 的支持和功能可能有所不同,需要考慮相容性問題。

程式

  • 請以系統管理員執行Visual Studio(我使用2022,2019/2017沒有測試),第一次開啟需要比較久的時間來安裝NuGet package(Google Test、Google Mock)

  • 套件管理使用vcpkg,我的path為C:\vcpkg,如果有問題可以去專案屬性中修改

  • 依賴krabsetw、nlohmann-json

    vcpkg.exe install nlohmann-json:x64-windows
vcpkg.exe install krabsetw:x64-windows

  • 此解決方案中有兩個專案,一個為題目要求的程式,一個為測試專案,兩個皆需要系統管理員權限。

功能說明

  • 當程式啟動後,會開啟一個執行緒來Monitor。使用者可以在控制台輸入任意字串來結束程式。
  • 程式會顯示所有的ProcessStartEvent事件。這些事件會經過MemoryScanner進行掃描。
  • 當掃描命中時,事件會被存儲在由JsonGenerator管理的Vector容器中。每30秒,如果容器中有事件,程式會生成一個JSON檔案。

realtimepatterndetection's People

Contributors

asdkmm5050 avatar

Stargazers

QQ avatar

Watchers

avatar

realtimepatterndetection's Issues

Data Loss Observed During Stress Testing

Summary:
During stress testing, it appears that some data is being lost. This issue needs to be investigated and resolved to ensure data integrity under high load conditions.

Steps to Reproduce:

  1. Execute the stress testing script with the following parameters: [provide specific parameters used].
  2. Monitor the child processes and observe the logging output.
  3. Notice that some events are missing or not logged as expected.

Expected Behavior:
All events should be logged accurately, and no data should be lost during stress testing.

Actual Behavior:
Some events are not logged, indicating potential data loss during the stress testing process.

Additional Information:

  • The issue may be related to the way child processes are handled or terminated.
  • Adjusting the number of processes spawned per iteration seems to influence the occurrence of data loss.
  • System specifications: [provide details about the system where the issue was observed].

Script Example:

import multiprocessing
import time
import signal
import sys
import gc


def child_process():
    # turn off gc
    gc.disable()
    s = "i am a shellcode"
    s += s  # suppress unused variable warning and make the code be optimized
    time.sleep(0.5)  # Simulate some work by sleeping for a second


def monitor_process():
    processes = []
    spawn_count = 0

    def signal_handler(sig, frame):
        print(f"\nTotal child processes created: {spawn_count}")
        for p in processes:
            p.terminate()
        sys.exit(0)

    signal.signal(signal.SIGINT, signal_handler)

    start_time = time.time()

    while True:
        # Spawn new child processes
        for _ in range(70):  # Adjust the number of processes spawned per iteration
            p = multiprocessing.Process(target=child_process)
            p.start()
            processes.append(p)
            spawn_count += 1

        # Monitor current status
        open_processes = sum(1 for p in processes if p.is_alive())
        stopped_processes = spawn_count - open_processes
        current_time = time.time()
        elapsed_time = current_time - start_time
        spawn_rate = spawn_count / elapsed_time if elapsed_time > 0 else 0

        # Print real-time status
        print(
            f"Open processes: {open_processes}, Stopped processes: {stopped_processes}, Spawn rate: {spawn_rate:.2f} processes/second"
        )

        # Remove finished processes from the list to free up memory
        processes = [p for p in processes if p.is_alive()]

        # Sleep for a second before the next update
        time.sleep(1)


if __name__ == "__main__":
    monitor_process()

Request:
Please investigate the cause of the data loss during stress testing and suggest or implement a fix to ensure reliable logging and data integrity.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.