joshfinley · March 29, 2025 07:34
diff --git a/find_etw_guid.js b/find_etw_guid.js
 "use strict";

 function initializeScript()
 {
    return [new host.apiVersionSupport(1, 7)];
 }

 function findRegHandlesForGuid(targetGuidStr)
 {
    let dbgOutput = host.diagnostics.debugLog;

    let hostSiloGlobalsAddr = host.getModuleSymbolAddress("nt", "PspHostSiloGlobals");
    let hostSiloGlobals = host.createTypedObject(hostSiloGlobalsAddr, "nt", "_ESERVERSILO_GLOBALS");
    let guidHashTable = hostSiloGlobals.EtwSiloState.EtwpGuidHashTable;

    for (let bucket of guidHashTable)
    {
        for (let guidEntry of host.namespace.Debugger.Utility.Collections.FromListEntry(bucket.ListHead[0], "nt!_ETW_GUID_ENTRY", "GuidList"))
        {
            let guidStr = guidEntry.Guid.toString().replace(/[{}]/g, "").toLowerCase();
            dbgOutput("GUID: ", guidStr, "\n");

            let targetStr = targetGuidStr.replace(/[{}]/g, "").toLowerCase();
            if (guidStr === targetStr)
            {
                dbgOutput("Found matching GUID: ", guidEntry.Guid, "\n");

                for (let regEntry of host.namespace.Debugger.Utility.Collections.FromListEntry(guidEntry.RegListHead, "nt!_ETW_REG_ENTRY", "RegList"))
                {
                    if (regEntry.DbgUserRegistration != 0)
                    {
                        dbgOutput("\tUser-mode Provider Process: ", regEntry.Process.SeAuditProcessCreationInfo.ImageFileName.Name, 
                            " PID: ", host.parseInt64(regEntry.Process.UniqueProcessId.address, 16).toString(10), "\n");
                    }
                    else
                    {
                        dbgOutput("\tKernel Provider\n");
                    }
                }
                return;
            }
        }
    }

    dbgOutput("GUID not found in ETW registration list.\n");
 }
	"use strict";

	function initializeScript()
	{
	return [new host.apiVersionSupport(1, 7)];
	}

	function findRegHandlesForGuid(targetGuidStr)
	{
	let dbgOutput = host.diagnostics.debugLog;

	let hostSiloGlobalsAddr = host.getModuleSymbolAddress("nt", "PspHostSiloGlobals");
	let hostSiloGlobals = host.createTypedObject(hostSiloGlobalsAddr, "nt", "_ESERVERSILO_GLOBALS");
	let guidHashTable = hostSiloGlobals.EtwSiloState.EtwpGuidHashTable;

	for (let bucket of guidHashTable)
	{
	for (let guidEntry of host.namespace.Debugger.Utility.Collections.FromListEntry(bucket.ListHead[0], "nt!_ETW_GUID_ENTRY", "GuidList"))
	{
	let guidStr = guidEntry.Guid.toString().replace(/[{}]/g, "").toLowerCase();
	dbgOutput("GUID: ", guidStr, "\n");

	let targetStr = targetGuidStr.replace(/[{}]/g, "").toLowerCase();
	if (guidStr === targetStr)
	{
	dbgOutput("Found matching GUID: ", guidEntry.Guid, "\n");

	for (let regEntry of host.namespace.Debugger.Utility.Collections.FromListEntry(guidEntry.RegListHead, "nt!_ETW_REG_ENTRY", "RegList"))
	{
	if (regEntry.DbgUserRegistration != 0)
	{
	dbgOutput("\tUser-mode Provider Process: ", regEntry.Process.SeAuditProcessCreationInfo.ImageFileName.Name,
	" PID: ", host.parseInt64(regEntry.Process.UniqueProcessId.address, 16).toString(10), "\n");
	}
	else
	{
	dbgOutput("\tKernel Provider\n");
	}
	}
	return;
	}
	}
	}

	dbgOutput("GUID not found in ETW registration list.\n");
	}