PowerShell and .NET delegates (Windows Event Tracing)

Time: 2018-01-10 15:44:04

Tags: c# powershell tracing etw

I am trying to use the krabsetw library (https://github.com/Microsoft/krabsetw) from a PowerShell script. The script is able to create the session and configure it correctly, but it does not consume any events.

Script:

Function Parse-ETW()
{
    Param([O365.Security.ETW.IEventRecord] $record)
    Write-Host $record.Id
}

$Trace = New-Object -TypeName O365.Security.ETW.UserTrace -ArgumentList @("Session-$([System.Guid]::NewGuid())")
$Provider = New-Object -TypeName O365.Security.ETW.Provider -ArgumentList @([System.Guid]::Parse("{1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}"))
$Provider.Any = [O365.Security.ETW.Provider]::AllBitsSet

$Job = Register-ObjectEvent -InputObject $Provider -EventName "OnEvent" -Action {Parse-ETW -record $EventArgs}

$Trace.Enable($Provider)
$Trace.Start()

I also tried the "simple" action form:

Register-ObjectEvent -InputObject $Provider -EventName "OnEvent" -Action {Write-Host "Event arrived"}

Again, no results. Any ideas how to make this work?

The C# signature of the event-consuming method:

public delegate void IEventRecordDelegate(IEventRecord record);
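As an added example (the editor's, not code from the question or from the krabsetw project): the same session, provider and GUID as in the question, written in C# against the delegate signature above, with the handler attached to `Provider.OnEvent` via `+=`. It is in C# rather than PowerShell because krabsetw's `UserTrace.Start()` blocks the calling thread until `Stop()` is called, while PowerShell runs `Register-ObjectEvent -Action` script blocks on its own pipeline thread only between statements (or during `Wait-Event`), never while that thread is inside a blocking .NET call, so queued actions are not executed while `$Trace.Start()` is running. Assumptions: the `O365.Security.ETW` namespace exactly as used in the question, and that `IEventRecord` exposes `ProviderName`, `ProcessId` and `Timestamp` in addition to the `Id` member shown on the page.

```csharp
// Added example, not from the question or the krabsetw project.
// Minimal krabsetw consumer: one user-mode trace session, one provider,
// one handler matching "void IEventRecordDelegate(IEventRecord record)".
// Starting an ETW session requires an elevated (administrator) process.
using System;
using O365.Security.ETW;   // namespace as used in the question (assumption: unchanged)

class EtwConsumer
{
    static void Main()
    {
        // Same session naming scheme and provider GUID as the question's script.
        var trace = new UserTrace("Session-" + Guid.NewGuid());
        var provider = new Provider(Guid.Parse("{1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}"));
        provider.Any = Provider.AllBitsSet;   // match any keyword, as in the question

        // The handler runs on krabsetw's trace thread while Start() blocks below.
        // Members other than Id are assumed to exist on IEventRecord.
        // Assumption: the record is only valid for the duration of the callback,
        // so copy what you need and do not keep a reference to it.
        provider.OnEvent += (IEventRecord record) =>
        {
            Console.WriteLine(
                $"{record.Timestamp:o} pid={record.ProcessId} " +
                $"provider={record.ProviderName} id={record.Id}");
        };

        trace.Enable(provider);

        // Start() does not return until Stop() is called; stop on Ctrl+C so the
        // session is torn down cleanly instead of leaking a running trace.
        Console.CancelKeyPress += (sender, e) =>
        {
            e.Cancel = true;
            trace.Stop();
        };

        Console.WriteLine("Tracing; press Ctrl+C to stop.");
        trace.Start();
    }
}
```

The same blocking behaviour applies to the PowerShell script in the question: whatever handler mechanism is used, `$Trace.Start()` has to run on a thread other than the one that is expected to execute the PowerShell event action.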

0 answers:

No answers