apitracertool.ps1
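function Start-ApiTrace {
    <#
    .SYNOPSIS
    Starts an ETW trace session for the Microsoft-Windows-Kernel-Process provider via logman.
    .PARAMETER SessionName
    Name of the ETW session to create. Restricted to letters, digits, '_' and '-' because it is
    passed to an external command and later reused by Stop-ApiTrace to build a file path.
    .PARAMETER LogLevel
    Hexadecimal value (e.g. "0x10") passed to logman directly after the provider name.
    NOTE(review): logman's "-p provider [flags [level]]" syntax takes the first value after the
    provider as the keyword flags mask, not the level — confirm which was intended.
    .OUTPUTS
    None. Status and error messages are written with Write-Host; failures do not propagate.
    #>
    param (
        [string]$SessionName = "ApiTraceSession",
        [string]$LogLevel = "0x10"
    )
    if (-not $SessionName) {
        Write-Host "Session name cannot be empty." -ForegroundColor Red
        return
    }
    # The name becomes a logman argument and a file name; reject anything that could
    # carry extra options, separators or path components.
    if ($SessionName -notmatch '^[A-Za-z0-9_-]+$') {
        Write-Host "Invalid session name. Use only letters, digits, '_' or '-'." -ForegroundColor Red
        return
    }
    if ($LogLevel -notmatch "^0x[0-9A-Fa-f]+$") {
        Write-Host "Invalid log level. It must be a hexadecimal value." -ForegroundColor Red
        return
    }
    try {
        Write-Host "Starting API call tracing with session name '$SessionName'..." -ForegroundColor Cyan
        # Call logman with a discrete argument list instead of Invoke-Expression on a
        # string: each value is passed as one argument and is never re-parsed by a shell.
        $logmanArgs = @('start', $SessionName, '-p', 'Microsoft-Windows-Kernel-Process', $LogLevel, '-ets')
        & logman @logmanArgs
        # A native command's failure does not raise a PowerShell exception; check its exit code
        # so the "started successfully" message is only printed when logman agreed.
        if ($LASTEXITCODE -ne 0) {
            throw "logman exited with code $LASTEXITCODE"
        }
        Write-Host "Tracing started successfully." -ForegroundColor Green
    } catch {
        Write-Host "Error starting ETW tracing: $_" -ForegroundColor Red
    }
}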
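function Stop-ApiTrace {
    <#
    .SYNOPSIS
    Stops an ETW trace session started by Start-ApiTrace and shows the first events of its log.
    .PARAMETER SessionName
    Name of the session to stop. Restricted to letters, digits, '_' and '-' because it is
    passed to logman and interpolated into a file path under the system log directory.
    .OUTPUTS
    A formatted table of the first 10 events (TimeCreated, Message) when a log file is found;
    otherwise only status messages written with Write-Host.
    #>
    param (
        [string]$SessionName = "ApiTraceSession"
    )
    if (-not $SessionName) {
        Write-Host "Session name cannot be empty." -ForegroundColor Red
        return
    }
    # Same restriction as Start-ApiTrace: the name is a command argument and a file name.
    if ($SessionName -notmatch '^[A-Za-z0-9_-]+$') {
        Write-Host "Invalid session name. Use only letters, digits, '_' or '-'." -ForegroundColor Red
        return
    }
    try {
        Write-Host "Stopping API call tracing with session name '$SessionName'..." -ForegroundColor Cyan
        # Direct invocation with discrete arguments; nothing is re-parsed by a shell.
        & logman 'stop' $SessionName '-ets'
        # Native commands signal failure through the exit code, not an exception.
        if ($LASTEXITCODE -ne 0) {
            throw "logman exited with code $LASTEXITCODE"
        }
        # The previous version wrote "\\" inside a double-quoted string; PowerShell does not
        # treat backslash as an escape there, so the path contained doubled separators.
        # Build it from the system root instead of hard-coding the drive.
        # NOTE(review): Start-ApiTrace passes no -o to logman, so the session output is not
        # guaranteed to be at this location — confirm where logman writes the file.
        $logFilePath = Join-Path $env:SystemRoot "System32\winevt\Logs\$SessionName.evtx"
        if (Test-Path -LiteralPath $logFilePath) {
            Write-Host "API call logs found at: $logFilePath" -ForegroundColor Green
            Get-WinEvent -Path $logFilePath | Select-Object -First 10 | Format-Table TimeCreated, Message
        } else {
            Write-Host "No logs found." -ForegroundColor Yellow
        }
    } catch {
        Write-Host "Error stopping tracing or accessing logs: $_" -ForegroundColor Red
    }
}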
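function Show-CLIGUI {
    <#
    .SYNOPSIS
    Shows the tool's menu in an Out-GridView window and dispatches the chosen action until the user exits.
    .DESCRIPTION
    Runs as a loop instead of calling itself after every action, so repeated use does not
    grow the call stack. Closing the grid without choosing anything is treated like "Exit".
    .OUTPUTS
    Nothing of its own; whatever Stop-ApiTrace emits is passed through.
    #>
    try {
        $menuOptions = @(
            "Start API Call Tracing",
            "Stop Tracing and Display Results",
            "Exit"
        )
        $keepRunning = $true
        while ($keepRunning) {
            # -OutputMode Single returns at most one item; with -PassThru a multi-select
            # would push several values through the switch in one pass.
            $selection = $menuOptions | Out-GridView -Title "API Tracing Tool" -OutputMode Single
            # Cancelling the grid yields nothing, and switch runs no branch (not even
            # default) for $null, so that case is handled before the switch.
            if ($null -eq $selection) {
                Write-Host "Exiting..." -ForegroundColor Green
                break
            }
            switch ($selection) {
                "Start API Call Tracing" {
                    $sessionName = Read-Host "Enter session name (default: ApiTraceSession)"
                    $logLevel = Read-Host "Enter log level (default: 0x10)"
                    if (-not $logLevel -or $logLevel -notmatch "^0x[0-9A-Fa-f]+$") {
                        Write-Host "Invalid log level. Using default value '0x10'." -ForegroundColor Yellow
                        $logLevel = "0x10"
                    }
                    if (-not $sessionName) {
                        $sessionName = "ApiTraceSession"
                    }
                    Start-ApiTrace -SessionName $sessionName -LogLevel $logLevel
                }
                "Stop Tracing and Display Results" {
                    $sessionName = Read-Host "Enter session name to stop (default: ApiTraceSession)"
                    if (-not $sessionName) {
                        $sessionName = "ApiTraceSession"
                    }
                    Stop-ApiTrace -SessionName $sessionName
                }
                "Exit" {
                    Write-Host "Exiting..." -ForegroundColor Green
                    # 'break' inside switch would only leave the switch; clear the loop flag instead.
                    $keepRunning = $false
                }
                default {
                    Write-Host "Invalid option. Please try again." -ForegroundColor Yellow
                }
            }
        }
    } catch {
        Write-Host "Error displaying graphical interface: $_" -ForegroundColor Red
    }
}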
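function Start-ApiTracerTool {
    <#
    .SYNOPSIS
    Entry point: prints the banner, warns when the session is not elevated, and opens the menu.
    .OUTPUTS
    None of its own; Show-CLIGUI's output is passed through.
    #>
    Write-Host "Welcome to the API Call Tracing Tool." -ForegroundColor Cyan
    Write-Host "Ensure you have administrative privileges to run this tool." -ForegroundColor Yellow
    # The banner already tells the user admin rights are needed; check it up front so the
    # reason for a later logman failure is obvious. Advisory only — flow is unchanged.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        Write-Host "Warning: this session is not elevated; starting a trace will likely fail." -ForegroundColor Yellow
    }
    Show-CLIGUI
}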
# Script entry point: runs on every invocation of the file (including dot-sourcing).
Start-ApiTracerTool