@mattifestation
Last active March 6, 2022 20:11
A hand-crafted, artisanal WPP TMF file for amsi.dll. Because it was reconstructed by hand rather than generated from a PDB, the message IDs, argument layouts and FUNC names below are tied to the amsi.dll build it was derived from — verify them against the build you are tracing before trusting the decoded output. Note also that the scan events record pointers and lengths (e.g. buffer/length in AmsiScanBuffer), not the scanned content itself.
68fdd900-4a3e-11d1-84f4-0000f80464e3 EventTrace
#typev Header 0 "%0EventTrace"
{
BufferSize, ItemULong //10
Version, ItemULong //11
BuildNumber, ItemULong //12
NumProc, ItemULong //13
EndTime, ItemULongLong //14
TimerResolution,ItemULong //15
MaxFileSize, ItemULong //16
LogFileMode, ItemULongX //17
BuffersWritten, ItemULong //18
StartBuffers, ItemULong //19
PointerSize, ItemULong //20
EventsLost, ItemULong //21
CPUSpeed, ItemULong //22
LoggerName, ItemPtr //23
LogFileName, ItemPtr //24
TimeZone, ItemCharHidden[176] //25
BootTime, ItemULongLong //26
PerfFrequency, ItemULongLong //27
StartTime, ItemULongLong //28
ReservedFlags, ItemULongX //29
BuffersLost, ItemULong //30
}
589f8473-ee36-3dff-b2d3-87ad72c4e5b3 AMSIFunctionality
#enumv AMSI_UAC_REQUEST_TYPE
{
AMSI_UAC_REQUEST_TYPE_EXE,0
AMSI_UAC_REQUEST_TYPE_COM,1
AMSI_UAC_REQUEST_TYPE_MSI,2
AMSI_UAC_REQUEST_TYPE_AX,3
AMSI_UAC_REQUEST_TYPE_PACKAGED_APP,4
}
#enumv AMSI_ATTRIBUTE
{
AMSI_ATTRIBUTE_APP_NAME,0
AMSI_ATTRIBUTE_CONTENT_NAME,1
AMSI_ATTRIBUTE_CONTENT_SIZE,2
AMSI_ATTRIBUTE_CONTENT_ADDRESS,3
AMSI_ATTRIBUTE_SESSION,4
AMSI_ATTRIBUTE_REDIRECT_CHAIN_SIZE,5
AMSI_ATTRIBUTE_REDIRECT_CHAIN_ADDRESS,6
AMSI_ATTRIBUTE_ALL_SIZE,7
AMSI_ATTRIBUTE_ALL_ADDRESS,8
AMSI_ATTRIBUTE_QUIET,9
}
#typev amsiantimalware_cxx00 10 "%0[CAmsiBufferStream::QueryInterface] Arg0(%10!p!)" // FUNC=CAmsiBufferStream::QueryInterface FLAGS=DBG_4
{
Arg0, ItemPtr //10
}
#typev amsiantimalware_cxx00 11 "%0[CAmsiBufferStream::Release]" // FUNC=CAmsiBufferStream::Release FLAGS=DBG_4
{
}
#typev amsiantimalware_cxx00 12 "%0[CAmsiBufferStream::AddRef]" // FUNC=CAmsiBufferStream::AddRef FLAGS=DBG_4
{
}
#typev amsiantimalware_cxx00 13 "%0[CAmsiBufferStream::GetAttribute] attribute(%10!s!), dataSize(%11!u!), data(%12!p!), retData(%13!p!)" // FUNC=CAmsiBufferStream::GetAttribute FLAGS=DBG_4
{
attribute, ItemEnum(AMSI_ATTRIBUTE) //10
dataSize, ItemULong //11
data, ItemPtr //12
retData, ItemPtr //13
}
#typev amsiantimalware_cxx00 14 "%0[CAmsiBufferStream::Read] Arg0(%10!I64u!), Arg1(%11!u!), Arg2(%12!p!), Arg3(%13!p!)" // FUNC=CAmsiBufferStream::Read FLAGS=DBG_4
{
Arg0, ItemULongLong //10
Arg1, ItemLong //11
Arg2, ItemPtr //12
Arg3, ItemPtr //13
}
#typev amsiantimalware_cxx00 15 "%0[AmsiInitialize] appName(%10!p!), &amsiContext(%11!p!)" // FUNC=AmsiInitialize FLAGS=DBG_4
{
appName, ItemPtr //10
amsiContext, ItemPtr //11
}
#typev amsiantimalware_cxx00 16 "%0[AmsiInitialize]" // FUNC=AmsiInitialize FLAGS=DBG_1
{
}
#typev amsiantimalware_cxx00 17 "%0[AmsiInitialize] Arg0(%10!p!)" // FUNC=AmsiInitialize FLAGS=DBG_1
{
Arg0, ItemPtr //10
}
#typev amsiantimalware_cxx00 18 "%0[AmsiInitialize]" // FUNC=AmsiInitialize FLAGS=DBG_1
{
}
#typev amsiantimalware_cxx00 19 "%0[AmsiInitialize]" // FUNC=AmsiInitialize FLAGS=DBG_1
{
}
#typev amsiantimalware_cxx00 20 "%0[AmsiInitialize] Arg0(%10!p!)" // FUNC=AmsiInitialize FLAGS=DBG_1
{
Arg0, ItemPtr //10
}
#typev amsiantimalware_cxx00 21 "%0[AmsiInitialize] Arg0(%10!p!)" // FUNC=AmsiInitialize FLAGS=DBG_1
{
Arg0, ItemPtr //10
}
#typev amsiantimalware_cxx00 22 "%0[AmsiInitialize] amsiContext(%10!p!)" // FUNC=AmsiInitialize FLAGS=DBG_4
{
amsiContext, ItemPtr //10
}
#typev amsiantimalware_cxx00 23 "%0[AmsiUninitialize] amsiContext(%10!p!)" // FUNC=AmsiUninitialize FLAGS=DBG_4
{
amsiContext, ItemPtr //10
}
#typev amsiantimalware_cxx00 24 "%0[AmsiScanBuffer] amsiContext(%10!p!), buffer(%11!p!), length(%12!u!), amsiSession(%13!p!), result(%14!p!)" // FUNC=AmsiScanBuffer FLAGS=DBG_4
{
amsiContext, ItemPtr //10
buffer, ItemPtr //11
length, ItemULong //12
amsiSession, ItemPtr //13
result, ItemPtr //14
}
#typev amsiantimalware_cxx00 25 "%0[AmsiUacInitialize] amsiUacContext(%10!p!)" // FUNC=AmsiUacInitialize FLAGS=DBG_4
{
amsiUacContext, ItemPtr //10
}
#typev amsiantimalware_cxx00 26 "%0[AmsiUacInitialize]" // FUNC=AmsiUacInitialize FLAGS=DBG_1
{
}
#typev amsiantimalware_cxx00 27 "%0[AmsiUacInitialize]" // FUNC=AmsiUacInitialize FLAGS=DBG_1
{
}
#typev amsiantimalware_cxx00 28 "%0[AmsiUacInitialize]" // FUNC=AmsiUacInitialize FLAGS=DBG_1
{
}
#typev amsiantimalware_cxx00 29 "%0[AmsiUacInitialize] Arg0(%10!p!)" // FUNC=AmsiUacInitialize FLAGS=DBG_1
{
Arg0, ItemPtr //10
}
#typev amsiantimalware_cxx00 30 "%0[AmsiUacInitialize] amsiUacContext(%10!p!)" // FUNC=AmsiUacInitialize FLAGS=DBG_4
{
amsiUacContext, ItemPtr //10
}
#typev amsiantimalware_cxx00 31 "%0[AmsiUacUninitialize] Arg0(%10!p!)" // FUNC=AmsiUacUninitialize FLAGS=DBG_4
{
Arg0, ItemPtr //10
}
#typev amsiantimalware_cxx00 32 "%0[AmsiUacScan] amsiUacContext(%10!p!), UacRequestContext(%11!p!), UacRequestType(%12!s!)" // FUNC=AmsiUacScan FLAGS=DBG_4
{
amsiUacContext, ItemPtr //10
UacRequestContext, ItemPtr //11
UacRequestType, ItemEnum(AMSI_UAC_REQUEST_TYPE) //12
}
#typev amsiantimalware_cxx00 33 "%0[AmsiUacScan] Arg0(%10!p!)" // FUNC=AmsiUacScan FLAGS=DBG_1
{
Arg0, ItemPtr //10
}
53928f2d-4ad3-314c-3b3c-3c72f80ad6c1 COMLayer
#enumv AMSI_RESULT
{
AMSI_RESULT_CLEAN,0
AMSI_RESULT_NOT_DETECTED,1
AMSI_RESULT_BLOCKED_BY_ADMIN_START,0x4000
AMSI_RESULT_BLOCKED_BY_ADMIN_END,0x4fff
AMSI_RESULT_DETECTED,32768
}
#typev amsiantimalware_cxx00 10 "%0[CGuidEnum::StartEnum] Arg0(%10!d!)" // FUNC=CGuidEnum::StartEnum FLAGS=DBG_1
{
Arg0, ItemLong //10
}
#typev amsiantimalware_cxx00 11 "%0[CGuidEnum::StartEnum] Arg0(%10!d!)" // FUNC=CGuidEnum::StartEnum FLAGS=DBG_1
{
Arg0, ItemLong //10
}
#typev amsiantimalware_cxx00 12 "%0[CGuidEnum::StartEnum]" // FUNC=CGuidEnum::StartEnum FLAGS=DBG_1
{
}
#typev amsiantimalware_cxx00 13 "%0[CGuidEnum::NextGuid] dwIndex(%10!u!), Uuid(%11!s!)" // FUNC=CGuidEnum::NextGuid FLAGS=DBG_4
{
dwIndex, ItemLong //10
Uuid, ItemWString //11
}
#typev amsiantimalware_cxx00 14 "%0[CGuidEnum::NextGuid] Arg0(%10!d!)" // FUNC=CGuidEnum::NextGuid FLAGS=DBG_1
{
Arg0, ItemLong //10
}
#typev amsiantimalware_cxx00 15 "%0[VerifyProviderIdentity_IAntimalwareUacProvider_] Arg0(%10!d!)" // FUNC=VerifyProviderIdentity_IAntimalwareUacProvider_ FLAGS=DBG_2
{
Arg0, ItemLong //10
}
#typev amsiantimalware_cxx00 16 "%0[VerifyProviderIdentity_IAntimalwareUacProvider_] Arg0(%10!d!)" // FUNC=VerifyProviderIdentity_IAntimalwareUacProvider_ FLAGS=DBG_2
{
Arg0, ItemLong //10
}
#typev amsiantimalware_cxx00 17 "%0[VerifyProviderIdentity_IAntimalwareUacProvider_] Arg0(%10!u!), Arg1(%11!d!)" // FUNC=VerifyProviderIdentity_IAntimalwareUacProvider_ FLAGS=DBG_2
{
Arg0, ItemLong //10
Arg1, ItemLong //11
}
#typev amsiantimalware_cxx00 18 "%0[AmsiComCreateProviders] Arg0(%10!d!)" // FUNC=AmsiComCreateProviders FLAGS=DBG_1
{
Arg0, ItemLong //10
}
#typev amsiantimalware_cxx00 19 "%0[AmsiComCreateProviders]" // FUNC=AmsiComCreateProviders FLAGS=DBG_4
{
}
#typev amsiantimalware_cxx00 20 "%0[AmsiComCreateProviders] Arg0(%10!p!)" // FUNC=AmsiComCreateProviders FLAGS=DBG_2
{
Arg0, ItemPtr //10
}
#typev amsiantimalware_cxx00 22 "%0[AmsiComCreateProviders] Arg0(%10!u!), Arg1(%11!u!), Arg2(%12!u!)" // FUNC=AmsiComCreateProviders FLAGS=DBG_2
{
Arg0, ItemLong //10
Arg1, ItemLong //11
Arg2, ItemLong //12
}
#typev amsiantimalware_cxx00 24 "%0[AmsiComCreateProviders] Arg0(%10!u!), Arg1(%11!d!)" // FUNC=AmsiComCreateProviders FLAGS=DBG_2
{
Arg0, ItemLong //10
Arg1, ItemLong //11
}
#typev amsiantimalware_cxx00 26 "%0[AmsiComCreateProviders] ProviderGuidTruncated(%10!08X!), Arg1(%11!u!), Duration(%12!I64u!), Arg3(%13!p!)" // FUNC=AmsiComCreateProviders FLAGS=DBG_4
{
ProviderGuidTruncated, ItemLong //10
Arg1, ItemLong //11 1 - indicates AmsiComCreateProviders_IAntimalwareProvider__0, 4 - indicates AmsiComCreateProviders_IAntimalwareUacProvider_ was called
Duration, ItemULongLong //12
Arg3, ItemPtr //13
}
#typev amsiantimalware_cxx00 27 "%0[AmsiComCreateProviders] Arg0(%10!p!)" // FUNC=AmsiComCreateProviders FLAGS=DBG_1
{
Arg0, ItemPtr //10
}
#typev amsiantimalware_cxx00 28 "%0[AmsiComCreateProviders] Arg0(%10!p!), Arg1(%11!u!)" // FUNC=AmsiComCreateProviders FLAGS=DBG_4
{
Arg0, ItemPtr //10
Arg1, ItemLong //11 1 - indicates AmsiComCreateProviders_IAntimalwareProvider__0, 4 - indicates AmsiComCreateProviders_IAntimalwareUacProvider_ was called
}
#typev amsiantimalware_cxx00 29 "%0[CAmsiAntimalware::Scan] stream(%10!p!)" // FUNC=CAmsiAntimalware::Scan FLAGS=DBG_4
{
stream, ItemPtr //10
}
#typev amsiantimalware_cxx00 30 "%0[CAmsiAntimalware::Scan] ProviderIndex(%10!p!), ProviderGuidTruncated(%11!08X!), Result(%12!s!), Duration(%13!I64u!)" // FUNC=CAmsiAntimalware::Scan FLAGS=DBG_4
{
ProviderIndex, ItemPtr //10
ProviderGuidTruncated, ItemLong //11
Result, ItemEnum(AMSI_RESULT) //12
Duration, ItemULongLong //13
}
#typev amsiantimalware_cxx00 31 "%0[CAmsiAntimalware::Scan] ProviderIndex(%10!p!), HResult(%11!u!), Duration(%12!I64u!)" // FUNC=CAmsiAntimalware::Scan FLAGS=DBG_4
{
ProviderIndex, ItemPtr //10
HResult, ItemLong //11
Duration, ItemULongLong //12
}
#typev amsiantimalware_cxx00 32 "%0[CAmsiAntimalware::EtwConfigurationCallback]" // FUNC=CAmsiAntimalware::EtwConfigurationCallback FLAGS=DBG_4
{
}
#typev amsiantimalware_cxx00 33 "%0[CAmsiAntimalware::EtwConfigurationCallback]" // FUNC=CAmsiAntimalware::EtwConfigurationCallback FLAGS=DBG_4
{
}
#typev amsiantimalware_cxx00 34 "%0[CAmsiUacAntimalware::UacScan] UacRequestContext(%10!p!)" // FUNC=CAmsiUacAntimalware::UacScan FLAGS=DBG_4
{
UacRequestContext, ItemPtr //10
}
#typev amsiantimalware_cxx00 35 "%0[CAmsiUacAntimalware::UacScan] ProviderIndex(%10!p!), ProviderGuidTruncated(%11!08X!), Result(%12!s!), Duration(%13!I64u!)" // FUNC=CAmsiUacAntimalware::UacScan FLAGS=DBG_4
{
ProviderIndex, ItemPtr //10
ProviderGuidTruncated, ItemLong //11
Result, ItemEnum(AMSI_RESULT) //12
Duration, ItemULongLong //13
}
#typev amsiantimalware_cxx00 36 "%0[CAmsiUacAntimalware::UacScan] ProviderIndex(%10!p!), HResult(%11!u!), Duration(%12!I64u!)" // FUNC=CAmsiUacAntimalware::UacScan FLAGS=DBG_4
{
ProviderIndex, ItemPtr //10
HResult, ItemLong //11
Duration, ItemULongLong //12
}
b81299c2-b875-3726-1d3a-e6232a5e451b VerifyProtectionLevel
#enumv PS_PROTECTED_TYPE
{
PsProtectedTypeNone,0
PsProtectedTypeProtectedLight,1
PsProtectedTypeProtected,2
}
#enumv PS_PROTECTED_SIGNER
{
PsProtectedSignerNone,0
PsProtectedSignerAuthenticode,1
PsProtectedSignerCodeGen,2
PsProtectedSignerAntimalware,3
PsProtectedSignerLsa,4
PsProtectedSignerWindows,5
PsProtectedSignerWinTcb,6
PsProtectedSignerWinSystem,7
PsProtectedSignerApp,8
}
#typev amsiantimalware_cxx00 10 "%0[VerifyProtectionLevel] Arg0(%10!u!), Arg1(%11!d!)" // FUNC=VerifyProtectionLevel FLAGS=DBG_2
{
Arg0, ItemLong //10
Arg1, ItemLong //11
}
#typev amsiantimalware_cxx00 11 "%0[VerifyProtectionLevel] Arg0(%10!u!), Arg1(%11!d!)" // FUNC=VerifyProtectionLevel FLAGS=DBG_2
{
Arg0, ItemLong //10
Arg1, ItemLong //11
}
#typev amsiantimalware_cxx00 12 "%0[VerifyProtectionLevel] ProcessID(%10!u!), ProtectedType(%11!s!), ProtectedSigner(%12!s!)" // FUNC=VerifyProtectionLevel FLAGS=DBG_4
{
ProcessID, ItemLong //10
ProtectedType, ItemEnum(PS_PROTECTED_TYPE) //11
ProtectedSigner, ItemEnum(PS_PROTECTED_SIGNER) //12
}