You can see the source for that output here: https://initialrepo.visualstudio.com/15f0c23e-745c-44e0-a5c5-223c432b118c/_apis/git/repositories/d219e8f3-2cd8-416a-83a5-89f9b3e1e5f7/items?path=%2Fhook.d&versionDescriptor%5BversionOptions%5D=0&versionDescriptor%5BversionType%5D=0&versionDescriptor%5Bversion%5D=master&resolveLfs=true&%24format=octetStream&api-version=5.0&download=true …
DTrace allows real syscall hooking, even modification of arguments. No BSOD problems: dynamic hooks, speculative tracing. Bad support for wide strings, no functions, no loops.
Some ideas that could be posted here:
Logging of named pipe data
IOCTL data
ALPC recording
COM calls, resolved interfaces and signatures
Process launching

Download it here: https://www.microsoft.com/download/details.aspx?id=100441
Requires:
bcdedit /debug on
bcdedit /set dtrace on
bcdedit /set testsigning on
disable secure boot
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\ /v EnableVirtualizationBasedSecurity /t REG_DWORD /d 1
boot

What is speculative tracing?
You start tracing when X happens; when Y happens you decide if the recorded data is thrown away or became useful.
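The X/Y pattern described in that answer maps directly onto DTrace's speculation actions (speculation(), speculate(), commit(), discard()). The script below is an added example, not code from the thread or from the DTrace project: it records every NtOpenFile entry in a speculative buffer and keeps the record only if the call later fails (NT_SUCCESS false, i.e. negative NTSTATUS), so successful opens never reach the output. It assumes the Windows syscall provider exposes NtOpenFile as a probe name and that the return probe's arg0 carries the NTSTATUS; both are assumptions, not facts stated in the thread.

```dtrace
/*
 * Added example, not from the thread: speculative tracing of failed NtOpenFile
 * calls. Run as: dtrace -s spec.d
 * Assumptions: syscall::NtOpenFile:entry/return exist on Windows DTrace and
 * arg0 on the return probe is the NTSTATUS.
 */
#pragma D option quiet

syscall::NtOpenFile:entry
/ self->spec == 0 /
{
    /* X happened: allocate a speculative buffer and direct output into it */
    self->spec  = speculation();
    self->start = timestamp;
    speculate(self->spec);
    printf("%-16s pid=%-6d tid=%-6d NtOpenFile entry\n", execname, pid, tid);
}

/* Record the outcome into the same buffer; speculate() must be the first action
   and cannot share a clause with commit()/discard(). */
syscall::NtOpenFile:return
/ self->spec /
{
    speculate(self->spec);
    printf("  -> status 0x%08x after %d ns\n", (uint32_t)arg0, timestamp - self->start);
}

/* Y happened (the call failed): keep everything recorded so far */
syscall::NtOpenFile:return
/ self->spec && (int)arg0 < 0 /
{
    commit(self->spec);
    self->spec = 0;
}

/* Otherwise the call succeeded: throw the recorded data away */
syscall::NtOpenFile:return
/ self->spec /
{
    discard(self->spec);
    self->spec = 0;
}
```

The three return clauses run in order for the same probe firing: the first appends the status to the buffer, the second commits on failure and clears self->spec so the third does not fire, and the third discards on success. Only data from failed opens is ever written out, which is what speculative tracing buys you over filtering after the fact.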
Maybe it would be nice if the output a given .d gives is pipeable into PowerShell for further filtering? Like, better to print too much and then let users filter away. I will try to do it that way. I also embed key structures as comments for easy lookup.

A bit about how to code it: you cannot cast to an array of wide char, so wrap with:
struct ustr { uint16_t buffer[1024]; };
It's never instanced; just type info used for wide char access.
Hook with:
syscall::name:entry/return
/ predicate here - hook only called if eval true /
I inject info about syscall args as a comment in the predicate. Non-primitive data types you wanna inspect you have to copy in first; on copy, the cast decides the copied-in data type.

DTrace has great potential; with a bit of extra work it can become really nice. It's possible to use the C++ preprocessor, so Boost-like macro metaprogramming should be doable. This could enable enumeration-like loops and some kinds of functions.
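The struct-wrapper trick, the copy-in-then-cast rule, and the preprocessor idea from the earlier tweets fit together in one script. The block below is an added example, not code from the thread: it hooks NtCreateFile, copies in the OBJECT_ATTRIBUTES and UNICODE_STRING it points at, and prints the first 16 UTF-16 code units of the object name without a loop by unrolling the per-character access with #define macros (run with dtrace -C so cpp is applied). The struct layouts are the public x64 OBJECT_ATTRIBUTES and UNICODE_STRING layouts written out by hand with my own field names; that NtCreateFile is exposed as syscall::NtCreateFile:entry, that arg2 is the POBJECT_ATTRIBUTES, and that dtrace -C finds a C preprocessor on the machine are assumptions.

```dtrace
/*
 * Added example, not from the thread: print the object name passed to
 * NtCreateFile using the struct-wrapper trick plus cpp macros as a loop.
 * Run as: dtrace -C -s createfile.d
 * Assumptions: syscall::NtCreateFile:entry exists, arg2 is POBJECT_ATTRIBUTES,
 * x64 layouts below are correct, and -C finds a C preprocessor.
 */
#pragma D option quiet

struct obj_attr {            /* x64 OBJECT_ATTRIBUTES, hand-written (assumption) */
    uint32_t Length;
    uint32_t pad0;
    uint64_t RootDirectory;  /* HANDLE */
    uint64_t ObjectName;     /* PUNICODE_STRING */
    uint32_t Attributes;
    uint32_t pad1;
};

struct unicode_str {         /* x64 UNICODE_STRING, hand-written (assumption) */
    uint16_t Length;         /* in bytes, not characters */
    uint16_t MaximumLength;
    uint32_t pad0;
    uint64_t Buffer;         /* PWSTR */
};

struct ustr {                /* never instanced: type info for wide-char access */
    uint16_t buffer[1024];
};

/* D has no loops: a macro per character, unrolled 8 at a time. Characters past
   the copied length print as a space; non-ASCII code units are truncated. */
#define WC(i)  ((i) * 2 < this->n ? (char)this->name->buffer[i] : ' ')
#define WC8(b) WC(b), WC(b+1), WC(b+2), WC(b+3), WC(b+4), WC(b+5), WC(b+6), WC(b+7)

/* arg2: POBJECT_ATTRIBUTES (arg info kept next to the predicate, as the thread suggests) */
syscall::NtCreateFile:entry
/ pid != $pid && arg2 != 0 /
{
    /* copy the user-mode struct in first; the cast decides the copied-in type */
    this->oa = (struct obj_attr *)copyin(arg2, sizeof (struct obj_attr));
}

/* second clause so a NULL ObjectName can be filtered in a predicate */
syscall::NtCreateFile:entry
/ this->oa != NULL && this->oa->ObjectName != 0 /
{
    this->us   = (struct unicode_str *)copyin(this->oa->ObjectName, sizeof (struct unicode_str));
    this->n    = this->us->Length < 32 ? this->us->Length : 32;   /* bytes copied */
    this->name = (struct ustr *)copyin(this->us->Buffer, this->n);
    printf("%-16s pid=%-6d %c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c\n",
           execname, pid, WC8(0), WC8(8));
}
```

Splitting the work into two clauses for the same probe keeps the NULL check in a predicate rather than hoping a faulting copyin is harmless, and clause-local this-> variables survive across the clauses of one firing. Widening the copy is just a matter of raising the 32-byte cap and adding another WC8 group; the same macro shape covers any fixed-length "loop" the thread mentions.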