A hand-crafted, artisanal WPP TMF file for amsi.dll
68fdd900-4a3e-11d1-84f4-0000f80464e3 EventTrace | |
#typev Header 0 "%0EventTrace" | |
{ | |
BufferSize, ItemULong //10 | |
Version, ItemULong //11 | |
BuildNumber, ItemULong //12 | |
NumProc, ItemULong //13 | |
EndTime, ItemULongLong //14 | |
TimerResolution,ItemULong //15 | |
MaxFileSize, ItemULong //16 | |
LogFileMode, ItemULongX //17 | |
BuffersWritten, ItemULong //18 | |
StartBuffers, ItemULong //19 | |
PointerSize, ItemULong //20 | |
EventsLost, ItemULong //21 | |
CPUSpeed, ItemULong //22 | |
LoggerName, ItemPtr //23 | |
LogFileName, ItemPtr //24 | |
TimeZone, ItemCharHidden[176] //25 | |
BootTime, ItemULongLong //26 | |
PerfFrequency, ItemULongLong //27 | |
StartTime, ItemULongLong //28 | |
ReservedFlags, ItemULongX //29 | |
BuffersLost, ItemULong //30 | |
} | |
589f8473-ee36-3dff-b2d3-87ad72c4e5b3 AMSIFunctionality | |
#enumv AMSI_UAC_REQUEST_TYPE | |
{ | |
AMSI_UAC_REQUEST_TYPE_EXE,0 | |
AMSI_UAC_REQUEST_TYPE_COM,1 | |
AMSI_UAC_REQUEST_TYPE_MSI,2 | |
AMSI_UAC_REQUEST_TYPE_AX,3 | |
AMSI_UAC_REQUEST_TYPE_PACKAGED_APP,4 | |
} | |
#enumv AMSI_ATTRIBUTE | |
{ | |
AMSI_ATTRIBUTE_APP_NAME,0 | |
AMSI_ATTRIBUTE_CONTENT_NAME,1 | |
AMSI_ATTRIBUTE_CONTENT_SIZE,2 | |
AMSI_ATTRIBUTE_CONTENT_ADDRESS,3 | |
AMSI_ATTRIBUTE_SESSION,4 | |
AMSI_ATTRIBUTE_REDIRECT_CHAIN_SIZE,5 | |
AMSI_ATTRIBUTE_REDIRECT_CHAIN_ADDRESS,6 | |
AMSI_ATTRIBUTE_ALL_SIZE,7 | |
AMSI_ATTRIBUTE_ALL_ADDRESS,8 | |
AMSI_ATTRIBUTE_QUIET,9 | |
} | |
#typev amsiantimalware_cxx00 10 "%0[CAmsiBufferStream::QueryInterface] Arg0(%10!p!)" // FUNC=CAmsiBufferStream::QueryInterface FLAGS=DBG_4 | |
{ | |
Arg0, ItemPtr //10 | |
} | |
#typev amsiantimalware_cxx00 11 "%0[CAmsiBufferStream::Release]" // FUNC=CAmsiBufferStream::Release FLAGS=DBG_4 | |
{ | |
} | |
#typev amsiantimalware_cxx00 12 "%0[CAmsiBufferStream::AddRef]" // FUNC=CAmsiBufferStream::AddRef FLAGS=DBG_4 | |
{ | |
} | |
#typev amsiantimalware_cxx00 13 "%0[CAmsiBufferStream::GetAttribute] attribute(%10!s!), dataSize(%11!u!), data(%12!p!), retData(%13!p!)" // FUNC=CAmsiBufferStream::GetAttribute FLAGS=DBG_4 | |
{ | |
attribute, ItemEnum(AMSI_ATTRIBUTE) //10 | |
dataSize, ItemULong //11 | |
data, ItemPtr //12 | |
retData, ItemPtr //13 | |
} | |
#typev amsiantimalware_cxx00 14 "%0[CAmsiBufferStream::Read] Arg0(%10!I64u!), Arg1(%11!u!), Arg2(%12!p!), Arg3(%13!p!)" // FUNC=CAmsiBufferStream::Read FLAGS=DBG_4 | |
{ | |
Arg0, ItemULongLong //10 | |
Arg1, ItemLong //11 | |
Arg2, ItemPtr //12 | |
Arg3, ItemPtr //13 | |
} | |
#typev amsiantimalware_cxx00 15 "%0[AmsiInitialize] appName(%10!p!), &amsiContext(%11!p!)" // FUNC=AmsiInitialize FLAGS=DBG_4 | |
{ | |
appName, ItemPtr //10 | |
amsiContext, ItemPtr //11 | |
} | |
#typev amsiantimalware_cxx00 16 "%0[AmsiInitialize]" // FUNC=AmsiInitialize FLAGS=DBG_1 | |
{ | |
} | |
#typev amsiantimalware_cxx00 17 "%0[AmsiInitialize] Arg0(%10!p!)" // FUNC=AmsiInitialize FLAGS=DBG_1 | |
{ | |
Arg0, ItemPtr //10 | |
} | |
#typev amsiantimalware_cxx00 18 "%0[AmsiInitialize]" // FUNC=AmsiInitialize FLAGS=DBG_1 | |
{ | |
} | |
#typev amsiantimalware_cxx00 19 "%0[AmsiInitialize]" // FUNC=AmsiInitialize FLAGS=DBG_1 | |
{ | |
} | |
#typev amsiantimalware_cxx00 20 "%0[AmsiInitialize] Arg0(%10!p!)" // FUNC=AmsiInitialize FLAGS=DBG_1 | |
{ | |
Arg0, ItemPtr //10 | |
} | |
#typev amsiantimalware_cxx00 21 "%0[AmsiInitialize] Arg0(%10!p!)" // FUNC=AmsiInitialize FLAGS=DBG_1 | |
{ | |
Arg0, ItemPtr //10 | |
} | |
#typev amsiantimalware_cxx00 22 "%0[AmsiInitialize] amsiContext(%10!p!)" // FUNC=AmsiInitialize FLAGS=DBG_4 | |
{ | |
amsiContext, ItemPtr //10 | |
} | |
#typev amsiantimalware_cxx00 23 "%0[AmsiUninitialize] amsiContext(%10!p!)" // FUNC=AmsiUninitialize FLAGS=DBG_4 | |
{ | |
amsiContext, ItemPtr //10 | |
} | |
#typev amsiantimalware_cxx00 24 "%0[AmsiScanBuffer] amsiContext(%10!p!), buffer(%11!p!), length(%12!u!), amsiSession(%13!p!), result(%14!p!)" // FUNC=AmsiScanBuffer FLAGS=DBG_4 | |
{ | |
amsiContext, ItemPtr //10 | |
buffer, ItemPtr //11 | |
length, ItemULong //12 | |
amsiSession, ItemPtr //13 | |
result, ItemPtr //14 | |
} | |
#typev amsiantimalware_cxx00 25 "%0[AmsiUacInitialize] amsiUacContext(%10!p!)" // FUNC=AmsiUacInitialize FLAGS=DBG_4 | |
{ | |
amsiUacContext, ItemPtr //10 | |
} | |
#typev amsiantimalware_cxx00 26 "%0[AmsiUacInitialize]" // FUNC=AmsiUacInitialize FLAGS=DBG_1 | |
{ | |
} | |
#typev amsiantimalware_cxx00 27 "%0[AmsiUacInitialize]" // FUNC=AmsiUacInitialize FLAGS=DBG_1 | |
{ | |
} | |
#typev amsiantimalware_cxx00 28 "%0[AmsiUacInitialize]" // FUNC=AmsiUacInitialize FLAGS=DBG_1 | |
{ | |
} | |
#typev amsiantimalware_cxx00 29 "%0[AmsiUacInitialize] Arg0(%10!p!)" // FUNC=AmsiUacInitialize FLAGS=DBG_1 | |
{ | |
Arg0, ItemPtr //10 | |
} | |
#typev amsiantimalware_cxx00 30 "%0[AmsiUacInitialize] amsiUacContext(%10!p!)" // FUNC=AmsiUacInitialize FLAGS=DBG_4 | |
{ | |
amsiUacContext, ItemPtr //10 | |
} | |
#typev amsiantimalware_cxx00 31 "%0[AmsiUacUninitialize] Arg0(%10!p!)" // FUNC=AmsiUacUninitialize FLAGS=DBG_4 | |
{ | |
Arg0, ItemPtr //10 | |
} | |
#typev amsiantimalware_cxx00 32 "%0[AmsiUacScan] amsiUacContext(%10!p!), UacRequestContext(%11!p!), UacRequestType(%12!s!)" // FUNC=AmsiUacScan FLAGS=DBG_4 | |
{ | |
amsiUacContext, ItemPtr //10 | |
UacRequestContext, ItemPtr //11 | |
UacRequestType, ItemEnum(AMSI_UAC_REQUEST_TYPE) //12 | |
} | |
#typev amsiantimalware_cxx00 33 "%0[AmsiUacScan] Arg0(%10!p!)" // FUNC=AmsiUacScan FLAGS=DBG_1 | |
{ | |
Arg0, ItemPtr //10 | |
} | |
53928f2d-4ad3-314c-3b3c-3c72f80ad6c1 COMLayer | |
#enumv AMSI_RESULT | |
{ | |
AMSI_RESULT_CLEAN,0 | |
AMSI_RESULT_NOT_DETECTED,1 | |
AMSI_RESULT_BLOCKED_BY_ADMIN_START,0x4000 | |
AMSI_RESULT_BLOCKED_BY_ADMIN_END,0x4fff | |
AMSI_RESULT_DETECTED,32768 | |
} | |
#typev amsiantimalware_cxx00 10 "%0[CGuidEnum::StartEnum] Arg0(%10!d!)" // FUNC=CGuidEnum::StartEnum FLAGS=DBG_1 | |
{ | |
Arg0, ItemLong //10 | |
} | |
#typev amsiantimalware_cxx00 11 "%0[CGuidEnum::StartEnum] Arg0(%10!d!)" // FUNC=CGuidEnum::StartEnum FLAGS=DBG_1 | |
{ | |
Arg0, ItemLong //10 | |
} | |
#typev amsiantimalware_cxx00 12 "%0[CGuidEnum::StartEnum]" // FUNC=CGuidEnum::StartEnum FLAGS=DBG_1 | |
{ | |
} | |
#typev amsiantimalware_cxx00 13 "%0[CGuidEnum::NextGuid] dwIndex(%10!u!), Uuid(%11!s!)" // FUNC=CGuidEnum::NextGuid FLAGS=DBG_4 | |
{ | |
dwIndex, ItemLong //10 | |
Uuid, ItemWString //11 | |
} | |
#typev amsiantimalware_cxx00 14 "%0[CGuidEnum::NextGuid] Arg0(%10!d!)" // FUNC=CGuidEnum::NextGuid FLAGS=DBG_1 | |
{ | |
Arg0, ItemLong //10 | |
} | |
#typev amsiantimalware_cxx00 15 "%0[VerifyProviderIdentity_IAntimalwareUacProvider_] Arg0(%10!d!)" // FUNC=VerifyProviderIdentity_IAntimalwareUacProvider_ FLAGS=DBG_2 | |
{ | |
Arg0, ItemLong //10 | |
} | |
#typev amsiantimalware_cxx00 16 "%0[VerifyProviderIdentity_IAntimalwareUacProvider_] Arg0(%10!d!)" // FUNC=VerifyProviderIdentity_IAntimalwareUacProvider_ FLAGS=DBG_2 | |
{ | |
Arg0, ItemLong //10 | |
} | |
#typev amsiantimalware_cxx00 17 "%0[VerifyProviderIdentity_IAntimalwareUacProvider_] Arg0(%10!u!), Arg1(%11!d!)" // FUNC=VerifyProviderIdentity_IAntimalwareUacProvider_ FLAGS=DBG_2 | |
{ | |
Arg0, ItemLong //10 | |
Arg1, ItemLong //11 | |
} | |
#typev amsiantimalware_cxx00 18 "%0[AmsiComCreateProviders] Arg0(%10!d!)" // FUNC=AmsiComCreateProviders FLAGS=DBG_1 | |
{ | |
Arg0, ItemLong //10 | |
} | |
#typev amsiantimalware_cxx00 19 "%0[AmsiComCreateProviders]" // FUNC=AmsiComCreateProviders FLAGS=DBG_4 | |
{ | |
} | |
#typev amsiantimalware_cxx00 20 "%0[AmsiComCreateProviders] Arg0(%10!p!)" // FUNC=AmsiComCreateProviders FLAGS=DBG_2 | |
{ | |
Arg0, ItemPtr //10 | |
} | |
#typev amsiantimalware_cxx00 22 "%0[AmsiComCreateProviders] Arg0(%10!u!), Arg1(%11!u!), Arg2(%12!u!)" // FUNC=AmsiComCreateProviders FLAGS=DBG_2 | |
{ | |
Arg0, ItemLong //10 | |
Arg1, ItemLong //11 | |
Arg2, ItemLong //12 | |
} | |
#typev amsiantimalware_cxx00 24 "%0[AmsiComCreateProviders] Arg0(%10!u!), Arg1(%11!d!)" // FUNC=AmsiComCreateProviders FLAGS=DBG_2 | |
{ | |
Arg0, ItemLong //10 | |
Arg1, ItemLong //11 | |
} | |
#typev amsiantimalware_cxx00 26 "%0[AmsiComCreateProviders] ProviderGuidTruncated(%10!08X!), Arg1(%11!u!), Duration(%12!I64u!), Arg3(%13!p!)" // FUNC=AmsiComCreateProviders FLAGS=DBG_4 | |
{ | |
ProviderGuidTruncated, ItemLong //10 | |
Arg1, ItemLong //11 1 indicates AmsiComCreateProviders_IAntimalwareProvider__0 was called; 4 indicates AmsiComCreateProviders_IAntimalwareUacProvider_ was called | |
Duration, ItemULongLong //12 | |
Arg3, ItemPtr //13 | |
} | |
#typev amsiantimalware_cxx00 27 "%0[AmsiComCreateProviders] Arg0(%10!p!)" // FUNC=AmsiComCreateProviders FLAGS=DBG_1 | |
{ | |
Arg0, ItemPtr //10 | |
} | |
#typev amsiantimalware_cxx00 28 "%0[AmsiComCreateProviders] Arg0(%10!p!), Arg1(%11!u!)" // FUNC=AmsiComCreateProviders FLAGS=DBG_4 | |
{ | |
Arg0, ItemPtr //10 | |
Arg1, ItemLong //11 1 indicates AmsiComCreateProviders_IAntimalwareProvider__0 was called; 4 indicates AmsiComCreateProviders_IAntimalwareUacProvider_ was called | |
} | |
#typev amsiantimalware_cxx00 29 "%0[CAmsiAntimalware::Scan] stream(%10!p!)" // FUNC=CAmsiAntimalware::Scan FLAGS=DBG_4 | |
{ | |
stream, ItemPtr //10 | |
} | |
#typev amsiantimalware_cxx00 30 "%0[CAmsiAntimalware::Scan] ProviderIndex(%10!p!), ProviderGuidTruncated(%11!08X!), Result(%12!s!), Duration(%13!I64u!)" // FUNC=CAmsiAntimalware::Scan FLAGS=DBG_4 | |
{ | |
ProviderIndex, ItemPtr //10 | |
ProviderGuidTruncated, ItemLong //11 | |
Result, ItemEnum(AMSI_RESULT) //12 | |
Duration, ItemULongLong //13 | |
} | |
#typev amsiantimalware_cxx00 31 "%0[CAmsiAntimalware::Scan] ProviderIndex(%10!p!), HResult(%11!u!), Duration(%12!I64u!)" // FUNC=CAmsiAntimalware::Scan FLAGS=DBG_4 | |
{ | |
ProviderIndex, ItemPtr //10 | |
HResult, ItemLong //11 | |
Duration, ItemULongLong //12 | |
} | |
#typev amsiantimalware_cxx00 32 "%0[CAmsiAntimalware::EtwConfigurationCallback]" // FUNC=CAmsiAntimalware::EtwConfigurationCallback FLAGS=DBG_4 | |
{ | |
} | |
#typev amsiantimalware_cxx00 33 "%0[CAmsiAntimalware::EtwConfigurationCallback]" // FUNC=CAmsiAntimalware::EtwConfigurationCallback FLAGS=DBG_4 | |
{ | |
} | |
#typev amsiantimalware_cxx00 34 "%0[CAmsiUacAntimalware::UacScan] UacRequestContext(%10!p!)" // FUNC=CAmsiUacAntimalware::UacScan FLAGS=DBG_4 | |
{ | |
UacRequestContext, ItemPtr //10 | |
} | |
#typev amsiantimalware_cxx00 35 "%0[CAmsiUacAntimalware::UacScan] ProviderIndex(%10!p!), ProviderGuidTruncated(%11!08X!), Result(%12!s!), Duration(%13!I64u!)" // FUNC=CAmsiUacAntimalware::UacScan FLAGS=DBG_4 | |
{ | |
ProviderIndex, ItemPtr //10 | |
ProviderGuidTruncated, ItemLong //11 | |
Result, ItemEnum(AMSI_RESULT) //12 | |
Duration, ItemULongLong //13 | |
} | |
#typev amsiantimalware_cxx00 36 "%0[CAmsiUacAntimalware::UacScan] ProviderIndex(%10!p!), HResult(%11!u!), Duration(%12!I64u!)" // FUNC=CAmsiUacAntimalware::UacScan FLAGS=DBG_4 | |
{ | |
ProviderIndex, ItemPtr //10 | |
HResult, ItemLong //11 | |
Duration, ItemULongLong //12 | |
} | |
b81299c2-b875-3726-1d3a-e6232a5e451b VerifyProtectionLevel | |
#enumv PS_PROTECTED_TYPE | |
{ | |
PsProtectedTypeNone,0 | |
PsProtectedTypeProtectedLight,1 | |
PsProtectedTypeProtected,2 | |
} | |
#enumv PS_PROTECTED_SIGNER | |
{ | |
PsProtectedSignerNone,0 | |
PsProtectedSignerAuthenticode,1 | |
PsProtectedSignerCodeGen,2 | |
PsProtectedSignerAntimalware,3 | |
PsProtectedSignerLsa,4 | |
PsProtectedSignerWindows,5 | |
PsProtectedSignerWinTcb,6 | |
PsProtectedSignerWinSystem,7 | |
PsProtectedSignerApp,8 | |
} | |
#typev amsiantimalware_cxx00 10 "%0[VerifyProtectionLevel] Arg0(%10!u!), Arg1(%11!d!)" // FUNC=VerifyProtectionLevel FLAGS=DBG_2 | |
{ | |
Arg0, ItemLong //10 | |
Arg1, ItemLong //11 | |
} | |
#typev amsiantimalware_cxx00 11 "%0[VerifyProtectionLevel] Arg0(%10!u!), Arg1(%11!d!)" // FUNC=VerifyProtectionLevel FLAGS=DBG_2 | |
{ | |
Arg0, ItemLong //10 | |
Arg1, ItemLong //11 | |
} | |
#typev amsiantimalware_cxx00 12 "%0[VerifyProtectionLevel] ProcessID(%10!u!), ProtectedType(%11!s!), ProtectedSigner(%12!s!)" // FUNC=VerifyProtectionLevel FLAGS=DBG_4 | |
{ | |
ProcessID, ItemLong //10 | |
ProtectedType, ItemEnum(PS_PROTECTED_TYPE) //11 | |
ProtectedSigner, ItemEnum(PS_PROTECTED_SIGNER) //12 | |
} |