### Manage TiEtwAgent Service via CLI Source: https://context7.com/xuanxuan0/tietwagent/llms.txt Commands to install, start, and uninstall the TiEtwAgent service. These operations require administrative privileges to manage the ELAM driver and Windows service configuration. ```cmd bcdedit /set testsigning on TiEtwAgent.exe install net start TiEtwAgent sc query TiEtwAgent TiEtwAgent.exe uninstall ``` -------------------------------- ### Initialize and Run ETW Trace Session Source: https://context7.com/xuanxuan0/tietwagent/llms.txt Sets up a user-mode ETW trace session using the krabsetw library to monitor threat intelligence events. It includes a callback mechanism to parse raw events into a generic structure for detection logic processing. ```cpp #include "krabs.hpp" #include "DetectionLogic.h" using namespace krabs; DWORD agent_worker() { user_trace trace(L"TiEtwAgent"); provider<> provider(L"Microsoft-Windows-Threat-Intelligence"); event_filter filter(predicates::id_is((int)KERNEL_THREATINT_TASK_ALLOCVM_REMOTE)); provider.add_on_event_callback(parse_generic_event); provider.add_filter(filter); trace.enable(provider); trace.start(); return GetLastError(); } VOID parse_generic_event(const EVENT_RECORD& record, const trace_context& trace_context) { schema schema(record, trace_context.schema_locator); parser parser(schema); GenericEvent new_event; new_event.type = schema.event_id(); for (property property : parser.properties()) { wstring wsPropertyName = property.name(); if (new_event.fields.find(wsPropertyName) != new_event.fields.end()) { switch (property.type()) { case TDH_INTYPE_UINT32: new_event.fields[wsPropertyName] = parser.parse(wsPropertyName); break; case TDH_INTYPE_POINTER: new_event.fields[wsPropertyName] = parser.parse(wsPropertyName).address; break; } } } detect_event(new_event); } ``` -------------------------------- ### Core Agent and Service Configuration Source: https://context7.com/xuanxuan0/tietwagent/llms.txt Contains the C++ header definitions for the agent's logging path, YARA feature toggles, and Windows service identification parameters. ```cpp // TiEtwAgent.h - Core configuration #define LOG_FNAME L"C:\\Windows\\Temp\\TiEtwAgent.txt" // Detection log #define YARA_ENABLED false // Set to true to enable YARA scanning const std::string YARA_RULE_DIR{ "c:\\yara_rules" }; // YARA rules path // AgentService.h - Service configuration #define SERVICE_NAME L"TiEtwAgent" #define ETS_NAME L"TiEtwAgent" #define DRIVER_NAME L"elam_driver.sys" // ELAM driver filename ``` -------------------------------- ### YARA Integration and Rule Management Source: https://context7.com/xuanxuan0/tietwagent/llms.txt Provides classes and methods to load YARA rules from a directory and perform memory scanning. This integration allows for pattern-based detection of malicious content within the agent. ```cpp #include "YaraInstance.h" class YaraInstance { public: YaraInstance(); BOOL load_rules(const std::string& yara_dir); BOOL include_rule(std::string rule_path); BOOL close(); private: YR_COMPILER* compiler_; YR_RULES** rules_; }; // Usage example YaraInstance yi; if (yi.load_rules("c:\\yara_rules")) { // Scan memory regions } yi.close(); ``` -------------------------------- ### Process and Memory Utility Functions Source: https://context7.com/xuanxuan0/tietwagent/llms.txt A collection of helper functions for common tasks such as retrieving process names, dumping memory regions, hex conversion, and logging detection events to files or debug consoles. ```cpp #include "Helpers.h" string procName = get_pname(1234); string memDump = dump_memory_ascii(targetPid, baseAddress, 512); string hexValue = itohs(0x40); agent_message("[+] Detection alert: Suspicious activity detected"); log_debug(L"TiEtwAgent: Processing event %d\n", eventId); ``` -------------------------------- ### NuGet Package Configuration for TiEtwAgent Source: https://context7.com/xuanxuan0/tietwagent/llms.txt Defines the external dependencies required for the project, including Krabsetw for ETW parsing, Boost, and YARA-related libraries for signature-based detection. ```xml ``` -------------------------------- ### Analyze Remote Memory Allocations in C++ Source: https://context7.com/xuanxuan0/tietwagent/llms.txt These functions implement heuristic rules to identify suspicious memory allocation patterns, such as RWX memory regions or large allocations. They evaluate event metadata against predefined thresholds to trigger detection reports. ```cpp #include "DetectionLogic.h" // Detection thresholds for suspicious allocations const int ALLOC_PROTECTION = PAGE_EXECUTE_READWRITE; // RWX memory const int ALLOC_TYPE = MEM_RESERVE | MEM_COMMIT; // Reserve+Commit const int MIN_REGION_SIZE = 10240; // Minimum 10KB // Detect suspicious remote memory allocation patterns DWORD allocvm_remote_meta_generic(GenericEvent alloc_event) { // Check region size meets minimum threshold if (alloc_event.fields[L"RegionSize"] >= MIN_REGION_SIZE) { // Check for MEM_RESERVE | MEM_COMMIT allocation type if (alloc_event.fields[L"AllocationType"] == ALLOC_TYPE) { // Check for PAGE_EXECUTE_READWRITE protection if (alloc_event.fields[L"ProtectionMask"] == ALLOC_PROTECTION) { report_detection(ALLOCVM_REMOTE_META_GENERIC, alloc_event); return TRUE; } } } return FALSE; } // Example: Custom detection for large allocations DWORD allocvm_large_region_detection(GenericEvent evt) { const int LARGE_REGION = 1048576; // 1MB threshold if (evt.fields[L"RegionSize"] >= LARGE_REGION) { if (evt.fields[L"ProtectionMask"] & PAGE_EXECUTE) { report_detection(ALLOCVM_REMOTE_META_GENERIC, evt); return TRUE; } } return FALSE; } ``` -------------------------------- ### Configure Include Headers for IDE using CMake Source: https://github.com/xuanxuan0/tietwagent/blob/master/packages/boost.1.75.0.0/lib/native/include/boost/safe_numerics/concept/CMakeLists.txt This CMake script finds all header files (`.hpp`) in the current directory and adds them to a custom target. This helps IDEs recognize and include these headers for better code navigation and IntelliSense. It requires CMake to be configured. ```cmake set(USE_FOLDERS TRUE) file(GLOB include_files RELATIVE "${CMAKE_CURRENT_SOURCE_DIR}" "${CMAKE_CURRENT_SOURCE_DIR}/*.hpp" ) add_custom_target(concept SOURCES ${include_files}) set_target_properties(concept PROPERTIES FOLDER "safe_numerics") ``` -------------------------------- ### Report Detection Events in C++ Source: https://context7.com/xuanxuan0/tietwagent/llms.txt The report_detection function aggregates event data, performs memory dumping to check for PE headers, and logs the findings. It provides a structured report containing source/target process info and memory characteristics. ```cpp #include "DetectionLogic.h" // Report a detection with full event details void report_detection(int detId, GenericEvent evt) { string procId = to_string(evt.fields[L"CallingProcessId"]); string procImage = get_pname(evt.fields[L"CallingProcessId"]); string targetProcId = to_string(evt.fields[L"TargetProcessId"]); string targetProcImage = get_pname(evt.fields[L"TargetProcessId"]); string protMask = itohs(evt.fields[L"ProtectionMask"]); string allocType = itohs(evt.fields[L"AllocationType"]); string size = to_string(evt.fields[L"RegionSize"]); string baseAddr = itohs(evt.fields[L"BaseAddress"]); // Dump memory at allocation base address string sDump = dump_memory_ascii( evt.fields[L"TargetProcessId"], evt.fields[L"BaseAddress"], MEM_STR_SIZE ); // Build detection report string sOutBody = "\n[ANOMALOUS MEMORY ALLOCATION DETECTED]\n"; sOutBody += "[+] Source: " + procImage + " (PID: " + procId + ")\n"; sOutBody += "[+] Target: " + targetProcImage + " (PID: " + targetProcId + ")\n"; sOutBody += "[+] Protection: " + protMask + "\n"; sOutBody += "[+] Allocation: " + allocType + "\n"; sOutBody += "[+] Region size: " + size + "\n"; sOutBody += "[+] Base address: " + baseAddr + "\n"; // Check for MZ header (PE file injection) if (sDump.rfind("MZ", 0) == 0) { sOutBody += "[+] MZ-header: YES (PE injection detected)\n"; } sOutBody += "[+] Memory dump:\n" + sDump; agent_message(sOutBody); // Write to log file } ``` -------------------------------- ### Add Include Headers to IDE (CMake) Source: https://github.com/xuanxuan0/tietwagent/blob/master/packages/boost.1.75.0.0/lib/native/include/boost/safe_numerics/CMakeLists.txt This snippet uses CMake's `file(GLOB)` command to find all '.hpp' files in the current source directory. It then creates a custom target named 'safe_numerics' that includes these header files, making them accessible to IDEs for features like code completion and navigation. It also includes a 'concept' subdirectory. ```cmake file(GLOB include_files RELATIVE "${CMAKE_CURRENT_SOURCE_DIR}" "*.hpp" ) add_custom_target(safe_numerics SOURCES ${include_files}) add_subdirectory("concept") ``` -------------------------------- ### Dispatch ETW Events with C++ Source: https://context7.com/xuanxuan0/tietwagent/llms.txt The detect_event function acts as the central dispatcher for the agent. It routes incoming ETW events to specific detection handlers based on the event type, such as remote memory operations or thread context manipulation. ```cpp #include "DetectionLogic.h" // Main detection dispatcher - called for each parsed ETW event VOID detect_event(GenericEvent evt) { switch (evt.type) { case KERNEL_THREATINT_TASK_ALLOCVM_REMOTE: // Detect suspicious remote memory allocation allocvm_remote_meta_generic(evt); // Add custom detection functions here break; case KERNEL_THREATINT_TASK_PROTECTVM_REMOTE: // Detect remote memory protection changes // your_protectvm_detection(evt); break; case KERNEL_THREATINT_TASK_QUEUEUSERAPC_REMOTE: // Detect APC injection attempts // your_apc_detection(evt); break; case KERNEL_THREATINT_TASK_SETTHREADCONTEXT_REMOTE: // Detect thread hijacking attempts // your_threadcontext_detection(evt); break; default: break; } } ``` -------------------------------- ### Define GenericEvent Structure for ETW Parsing Source: https://context7.com/xuanxuan0/tietwagent/llms.txt The GenericEvent class and associated TI_ETW_EVENTS enumeration define the data structure for capturing memory-related ETW events. It maps specific threat intelligence fields such as process IDs and memory protection masks for analysis. ```cpp #include "DetectionLogic.h" class GenericEvent { public: uint8_t type; map fields = { {L"CallingProcessId", 0}, {L"TargetProcessId", 0}, {L"AllocationType", 0}, {L"ProtectionMask", 0}, {L"RegionSize", 0}, {L"BaseAddress", 0} }; }; enum TI_ETW_EVENTS { KERNEL_THREATINT_TASK_ALLOCVM_REMOTE, KERNEL_THREATINT_TASK_PROTECTVM_REMOTE, KERNEL_THREATINT_TASK_MAPVIEW_REMOTE, KERNEL_THREATINT_TASK_QUEUEUSERAPC_REMOTE, KERNEL_THREATINT_TASK_SETTHREADCONTEXT_REMOTE, KERNEL_THREATINT_TASK_ALLOCVM_LOCAL, KERNEL_THREATINT_TASK_PROTECTVM_LOCAL, KERNEL_THREATINT_TASK_MAPVIEW_LOCAL, KERNEL_THREATINT_TASK_READVM_LOCAL, KERNEL_THREATINT_TASK_WRITEVM_LOCAL, KERNEL_THREATINT_TASK_READVM_REMOTE, KERNEL_THREATINT_TASK_WRITEVM_REMOTE }; ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.