Merge pull request #1 from airbus-cert/fix-tl-extended-tag

Fix tl issue, add NpEtw installer

README.md

@@ -13,15 +13,24 @@ We've added Tracelogging support to cover almost all log techniques on the Windo
 With Winshark and the power of Windows, we can now capture Network and Event Logs in the same tool. Windows exposes a lot of ETW providers, in particular one for network capture ;-)
 No more need for an external NDIS driver.
 
+<<<<<<< HEAD
 This is a huge improvement in terms of use:
 * Enable to mix all kind of events (system and network)
 * Enable to use Wireshark filtering on event log
 * Enable to track network and system logs by Process ID!!!
 * Enable to capture Windows log and network trace into an unique pcap file!!!
+=======
+This is a huge improvement in term of use :
+* Enable to mix all kind of event (system and network)
+* Enable to use wireshark filtering on event log
+* Enable to track network and system log by Process ID !!!
+* Enable to capture Windows log and network trace into an unique pcap file !!!
+* Capture NamedPipe through [NpEtw](https://github.com/kobykahane/NpEtw) file system filter driver
 
 If you want to:
 * [Capture Network Traffic Using Winshark](#Capture-Network-traffic)
 * [Filter on Process ID](#Filtering-on-process-id)
+* [Capture NamedPipe Traffic] (#Capturing-NamedPipe)
 
 ## Install
 
@@ -163,6 +172,37 @@ etw.header.ProcessId == 1234
 
 ![ETW packet capture](doc/images/winshark-process-id.PNG)
 
+
+## Capturing NamedPipe
+
+@kobykahane provide a [file system filter driver](https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/about-file-system-filter-drivers) that emit an ETW for every action perform on a NamedPipe.
+
+### Install
+
+* Pass driver signing check in test mode
+```
+bcdedit /set testsigning on
+```
+* Install [NpEtwSetup.msi](https://github.com/airbus-cert/Winshark/releases)
+* Reboot
+* Update `Winshark` dissector by double clicking `C:\Program Files\Wireshark\WinsharkUpdate.exe` with `Admin` rights
+
+### Capture
+
+* Open a `cmd.exe` in `Admin mode`
+* Start the driver
+```
+sc start NpEtw
+```
+* Create an ETW Session
+```
+logman start namedpipe -p NpEtw -ets -rt
+```
+* Start `Wireshark` and select the `namedpipe` session. Enjoy!
+
+![ETW namedpipe capture](doc/video/namedpipe.gif)
+
+
 ## SSTIC (Symposium sur la sécurité des technologies de l'information et des communications)
 
 This project is part of a presentation made for [SSTIC](https://www.sstic.org/2020/presentation/quand_les_bleus_se_prennent_pour_des_chercheurs_de_vulnrabilites/)

dissector/Tracelogging.lua

@@ -80,9 +80,16 @@ function tracelogging.dissector(buffer, pinfo, tree)
 		if ext_type == 11 then 
 			local size = data(0, 2):le_uint()		
 			local tag = data(2, 1):le_uint()
+			local extended_tag = nil
+			local offset_name = 3
+			-- tag have an extended int format
+			if bit32.band(tag, 0x80) == 0x80 then
+				extended_tag = data(3, 1):le_uint()
+				offset_name = 4
+			end
 			-- name of the protocol
-			name = data(3):stringz():gsub(" ", "_")
-			local scheme_data = data(3 + name:len() + 1):tvb()
+			name = data(offset_name):stringz():gsub(" ", "_")
+			local scheme_data = data(offset_name + name:len() + 1):tvb()
 			local offset_scheme = 0
 			local index_tag = 1
 

transluator/CMakeLists.txt

@@ -20,4 +20,5 @@ install(FILES "${CMAKE_CURRENT_SOURCE_DIR}/third_party/Microsoft.Diagnostics.Tra
 install(FILES "${CMAKE_CURRENT_SOURCE_DIR}/third_party/Microsoft.Diagnostics.Tracing.TraceEvent.2.0.36/lib/net45/Microsoft.Diagnostics.FastSerialization.dll" DESTINATION .)
 install(FILES "${CMAKE_CURRENT_SOURCE_DIR}/third_party/Microsoft.Diagnostics.Tracing.TraceEvent.2.0.36/lib/net45/Dia2Lib.dll" DESTINATION .)
 install(FILES "${CMAKE_CURRENT_SOURCE_DIR}/third_party/Microsoft.Diagnostics.Tracing.TraceEvent.2.0.36/lib/net45/OSExtensions.dll" DESTINATION .)
-install(FILES "${CMAKE_CURRENT_SOURCE_DIR}/third_party/Microsoft.Diagnostics.Tracing.TraceEvent.2.0.36/lib/net45/TraceReloggerLib.dll" DESTINATION .)
+install(FILES "${CMAKE_CURRENT_SOURCE_DIR}/third_party/Microsoft.Diagnostics.Tracing.TraceEvent.2.0.36/lib/net45/TraceReloggerLib.dll" DESTINATION .)
+install(FILES "${CMAKE_CURRENT_SOURCE_DIR}/scripts/WinsharkUpdate.bat" DESTINATION .)

transluator/scripts/WinsharkUpdate.bat

@@ -0,0 +1,2 @@
+SET DIR=%~dp0
+"%DIR%\Transluator.exe" "%DIR%\plugins\winshark"