Tuts 4 You

Do you know any app logger tool?

Hi guys,

short question again: So do you know any app logger tool? So I am looking for any little tool which can log all started applications on my system in a text file. So I thought that XP does do this already but it doesn't seem to be. Maybe you know any tool already which can do this. Should be just a simple log tool and that's already all.

So I did already check the XP task manager and also the ExtensionsTaskManager but it has no log function to log all newly created processes etc.

The log should have these infos in the log......

Date: | Time: | Application: | Path:
--------------------------------------------------------------------------
20.05.2014 | 14:57:02 | Notepad.exe | C:\windows
20.05.2014 | 14:58:42 | Calc.exe | C:\windows\System32
20.05.2014 | 14:59:01 | OLLYDBG.EXE | C:\odbg110

...or maybe anybody could code a small tool for this? :) So this would be also nice. Just a tiny tool where I do set the log path of the log file which should be created (if not there) and all gets logged into it without deleting older entries. A tool which I could run in the tray. :)

greetz

Hello NOP,

thank you for this tool hint so I have checked but it seems to be not the right tool for me so it's too much etc and has also many infos which I don't need so far. So the main thing is to get a small size tool which I can run in tray (background) and which needs very low resources etc and which then just logs the newly started files as in my example and that's already all. Don't need any extra features etc, just a very simple app as I do imagine, but I think there is no app like this to get. So I hope that anybody could code it for me (as always). :)

But thank you for your reply NOP. :)

greetz

Hi flashuser,

thank you too for this tool hint. It's also a nice info tool to check the past activities but it's not what I am looking for.

greetz
Extreme Coders

API Monitor may be the tool you are looking for.

API Monitor is a free software that lets you monitor and control API calls made by applications and services. It's a powerful tool for seeing how applications and services work or for tracking down problems that you have in your own applications.

http://www.rohitab.com/apimonitor

Other than that this superuser post may help

http://superuser.com/questions/209555/whats-the-easiest-way-to-save-task-managers-processes-tab-as-a-csv-file

Cheers. :)

I knocked this up quickly for you, hopefully it does what you need

Download

http://rghost.net/54440082

I haven't formatted the output because it's virtually impossible to tell how big the columns should be because of the length of file paths / names, but I can change it if you have any ideas

Let me know if you need anything changed or added, error checking etc.

How are you monitoring for process creation NOP? The program isn't logging certain .exe's for me. Example: open cmd and run fltmc and it won't log it

I wrote an x86/x64 kernel driver to do this, I can send it if NOP's doesn't work but I think he's close

I'm using a ManagementEventWatcher, 'Select * From Win32_ProcessStartTrace'

and for the process path I'm using 'Select CommandLine from Win32_Process' so the args are logged too

I can change if required though
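
The WMI subscription NOP describes, as an added PowerShell example that is not NOP's tool: it subscribes to the same Win32_ProcessStartTrace event, looks the path up in Win32_Process, and appends one line in the Date / Time / Application / Path layout requested in this thread. The log path is an assumption, the script must run elevated (Win32_ProcessStartTrace needs administrator rights), and it uses the Windows PowerShell Register-WmiEvent cmdlet.

```powershell
# Added example (not NOP's tool): WMI process-start logger in the thread's
# requested "Date / Time / Application / Path" layout. Run elevated.
$LogPath = 'C:\ProcessStartLog.txt'    # assumption: choose your own log location
$Fmt     = '{0,-10}  {1,-8}  {2,-20}  {3}'

# The header is written only once, when the log is new or empty; old entries are never overwritten.
if (-not (Test-Path $LogPath) -or (Get-Item $LogPath).Length -eq 0) {
    Set-Content -Path $LogPath -Value (($Fmt -f 'Date:', 'Time:', 'Application:', 'Path:'), ('-' * 74))
}

$OnStart = {
    $e   = $Event.SourceEventArgs.NewEvent      # the Win32_ProcessStartTrace instance
    $now = Get-Date
    # The trace event only carries the image name and PID; the path has to be
    # looked up in Win32_Process, which fails if the process already exited
    # (the same limitation NOP describes), so the path column may stay empty.
    $dir = ''
    $p = Get-WmiObject -Class Win32_Process -Filter "ProcessId = $($e.ProcessID)" -ErrorAction SilentlyContinue
    if ($p -and $p.ExecutablePath) { $dir = Split-Path -Parent $p.ExecutablePath }
    $line = $Event.MessageData.Fmt -f $now.ToString('dd.MM.yyyy'), $now.ToString('HH:mm:ss'), $e.ProcessName, $dir
    Add-Content -Path $Event.MessageData.LogPath -Value $line    # append, keep earlier entries
}

# Same event query that NOP's .NET ManagementEventWatcher uses.
Register-WmiEvent -Query 'SELECT * FROM Win32_ProcessStartTrace' `
    -SourceIdentifier 'ProcStartLog' -Action $OnStart `
    -MessageData @{ LogPath = $LogPath; Fmt = $Fmt } | Out-Null

Write-Host "Logging process starts to $LogPath (Ctrl+C to stop)"
try {
    while ($true) { Start-Sleep -Seconds 1 }   # keep the session alive; the action runs per event
}
finally {
    Unregister-Event -SourceIdentifier 'ProcStartLog'
}
```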

Hi Extreme Coders,

thank you too for the tool tips but it's also not what I want. :)

@ NOP

Hey thanks for your first coded tool for me so far. :) Not bad but it has some problems. So the first main problem is that it was coded with .NET (need installed NFW and need more time to run etc). So I would prefer any other simple used language where I can run the file without any installed extra system add-on etc, you know what I mean (X|ASM or etc) = quick run / more fun. :) But I have tested your tool and I see you did understand me right so far, so the principle how the tool looks and works is already very nice.

Some infos:

- The date does not match so I got these results

Today is 20.04.2014

--------------------------------------

20.05.14 <-- ? wrong months and missing full years

20.06.14 <-- ?

20.08.14 <-- ?

------------------------------------

- Your tool does not log everything that was started. So I did start for example a flash game which will run in a flashdebugplayer and this was not logged but you can see this tool running in task manager.

- Tool should update the log file in realtime = write new entry directly after app xy was executed into log

- If I press the start button then the tool should go directly into tray after (little new request if you can add this)

- Also an option to start the tool directly (without asking to start) would be nice so then I could put it into the autostart folder and if I restart the PC then it should run already in tray.

- Also the output file does not look very good so maybe you could change this a little...

So the header description you could add one time only if the log was created or is empty. The date and time length is always the same where you also can use the same length each time. Now for the Application name you can use also a static length of 20 for example (should be enough free space or add an option where I can set the app length etc) and for the paths of app and file you can only use the app path (not needed also to add the file which does use the app [12345.txt file starts with Notepad.exe = just path of notepad.exe is ok to know]).

Date:       Time:     Application:          Path:
--------------------------------------------------------------------------
20.05.2014  14:57:02  Notepad.exe           C:\windows
20.05.2014  14:58:42  Calc.exe              C:\windows\System32
20.05.2014  14:59:01  OLLYDBG.EXE           C:\odbg110

If possible then just try to create the log file as you can see in my example.

@ simple

I am not sure about using an extra new driver (possible crash etc) to monitor the started files for this tool so I would like to have it as small & clean & resource-saving as possible without using big zip & zap you know. :)

greetz

I think the "industry standard" way to do this is to register an object callback on ps creation. MS actually made it straightforward - http://stackoverflow.com/questions/20502929/process-monitoring-createprocessnotifyroutineex

Another more involved way is to do a filesys filter driver and do a callback on some IRP, and watch for anything ending in .exe

You can also do a SSDT hook on ZwCreateProcess but this won't work on x64 nor will it monitor cmd line arguments

Not sure why the C# code doesn't monitor all processes

the first main problem is that it was coded with .NET (need installed NFW and need more time to run etc)

This is what I use so I can't do anything about that sorry, unless someone else is willing to code in a different language

- The date does not match so I got these results

Sorry, was logging minutes not months, now fixed

- Tool should update the log file in realtime = write new entry directly after app xy was executed into log

It does this already? If you have the file open in notepad or similar then refresh / open again

- If I press the start button then the tool should go directly into tray after (little new request if you can add this)

Added option

- Also an option to start the tool directly (without asking to start) would be nice so then I could put it into the autostart folder and if I restart the PC then it should run already in tray.

Added option

- Also the output file does not look very good so maybe you could change this a little...

Changed this as per your instructions, option added for filename column width

NOTE: If text is not formatted then you are probably viewing in notepad or similar, changing the font to a monospaced font such as Courier New will then view correctly

and for the paths of app and file you can only use the app path

Changed

- Your tool does not log everything that was started. So I did start for example a flash game which will run in a flashdebugplayer and this was not logged but you can see this tool running in task manager.

I'll check into this some more if this .NET app is of use to you but won't spend more time on it if .NET is no good for you?

(All menu options are saved, so no need to change on every run)

Download...

http://rghost.net/54444894

Hi again NOP and thank you for the new version.

Ah ok so you only code in .NET. So for the moment I have installed NFW so that I can use your tool. :)

- Date is working now

- realtime = write works also now

- New output format looks better now but there are still some bugs.

-------------------------

Filename will not be logged complete, only 15 values of a string: Kopie von notepad.exe gets logged as Kopie von notep, also if I set the column higher, so it does not log longer names. Next bug I see is that not all paths get logged so there are some empty entries in the path lines for some targets. If I start an exe file from desktop for example then your tool does not log the path, or if a folder starts with the _ sign then it will also not be logged (C:\_Tools) <-- example.

Also about the paths again, so they will not be logged original. So I want that your tool does log the original path where this file which was started is also stored. So you can test it if you copy your notepad.exe for example in any other folder and then start it from there and now your tool does log the path from win..\system32\ folder but from there the tool was not started. Would be nice if you could fix these little bugs too later = all original paths will be logged where the file xy was started from (desktop and any other locations too etc)

Another request: So could you also add an option to open the log file from your tool and tray? Just another line which I can choose called "Show Log". :)

Sure I use your tool also if it's a .NET file. :) Which minimum .NET version does your tool need to run? .NET 2, 3 or 4 etc? So in my VM I could not use your tool so there I have not installed any .NET.

Thank you again so far NOP and till later.

greetz

The big question always is - what problem are you trying to solve?

Without knowing any extra details, I would stick to standard tools from Microsoft, namely ProcMon (which was mentioned earlier). Example command-line:

F:\Hack\Monitors\ProcMon\Procmon.exe /AcceptEula /LoadConfig F:\Hack\Monitors\ProcMon\Processes.PMC /Backingfile F:\Hack\Monitors\ProcMon\ProcessStarts.pml /Quiet /Minimized

This command line launches Procmon, loads the configuration I created (so there are no extra events logged, columns set to my liking, etc.), sets logging output to a PML file and minimizes ProcMon to the taskbar. It logs everything, including parent process, command-line, environment and what not. You can see all events in the UI, and if you wish, you can convert PML to CSV later (not sure why you would, though..)

If you don't need details, like environment variables, you can also ignore "Process Start" events, making the log even smaller.

So, what's missing from it and requires making a new tool? :)

Here's some just-for-fun code I put together based on Behrooz's code in case all else fails

#include <ntddk.h>
#include <ntstrsafe.h>

#define BUFFER_SIZE 30
#define LOG_PATH L"\\DosDevices\\C:\\ProcessMonLog.txt"

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);
VOID UnloadRoutine(IN PDRIVER_OBJECT DriverObject);
VOID CreateProcessNotifyEx(__inout PEPROCESS Process, __in HANDLE ProcessId, __in_opt PPS_CREATE_NOTIFY_INFO CreateInfo);

// Convert a UNICODE_STRING into a NUL-terminated ANSI buffer of NameSize bytes.
// Returns FALSE (Name untouched) if the conversion fails or the name would not fit.
BOOLEAN UniStrToChar(PCUNICODE_STRING UniName, char Name[], size_t NameSize)
{
    ANSI_STRING AnsiName;
    NTSTATUS ntstatus;
    BOOLEAN ok = FALSE;

    __try
    {
        ntstatus = RtlUnicodeStringToAnsiString(&AnsiName, UniName, TRUE);
        if (NT_SUCCESS(ntstatus))
        {
            // Length is in bytes and excludes the terminator, so leave room for it
            if ((size_t)AnsiName.Length < NameSize)
            {
                RtlCopyMemory(Name, AnsiName.Buffer, AnsiName.Length);
                Name[AnsiName.Length] = '\0';
                ok = TRUE;
            }
            RtlFreeAnsiString(&AnsiName);
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        DbgPrint("Exception converting UNICODE string to char\n");
        ok = FALSE;
    }
    return ok;
}

// Append one text line to the log file. The create-process callback runs at
// PASSIVE_LEVEL in the context of the creating process, so Zw* file I/O is allowed.
static VOID AppendLogLine(const char *Line)
{
    UNICODE_STRING fileName;
    OBJECT_ATTRIBUTES objectAttributes;
    IO_STATUS_BLOCK iosb;
    HANDLE fileHandle;
    NTSTATUS status;
    LARGE_INTEGER ByteOffset;
    size_t len = 0;

    if (KeGetCurrentIrql() != PASSIVE_LEVEL)
    {
        DbgPrint("IRQL not passive\n");
        return;
    }

    // Setup to write at end-of-file
    ByteOffset.HighPart = -1;
    ByteOffset.LowPart = FILE_WRITE_TO_END_OF_FILE;

    RtlInitUnicodeString(&fileName, LOG_PATH);
    InitializeObjectAttributes(&objectAttributes, &fileName, (OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE), NULL, NULL);

    // FILE_OPEN_IF keeps earlier entries; FILE_OVERWRITE_IF would truncate the log on every process start
    status = ZwCreateFile(&fileHandle, GENERIC_WRITE | SYNCHRONIZE, &objectAttributes, &iosb, NULL,
                          FILE_ATTRIBUTE_NORMAL, FILE_SHARE_WRITE | FILE_SHARE_READ | FILE_SHARE_DELETE,
                          FILE_OPEN_IF,
                          FILE_WRITE_THROUGH | FILE_SYNCHRONOUS_IO_NONALERT | FILE_SEQUENTIAL_ONLY | FILE_NON_DIRECTORY_FILE,
                          NULL, 0);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("File not opened error %08x\n", status);
        return;
    }

    // Write only the used part of the buffer, not a fixed 260 bytes
    status = RtlStringCbLengthA(Line, NTSTRSAFE_MAX_CCH, &len);
    if (NT_SUCCESS(status))
    {
        status = ZwWriteFile(fileHandle, NULL, NULL, NULL, &iosb, (PVOID)Line, (ULONG)len, &ByteOffset, NULL);
    }
    if (NT_SUCCESS(status))
    {
        DbgPrint("File write success\n");
    }
    else
    {
        DbgPrint("File write failed %08x\n", status);
    }

    status = ZwClose(fileHandle);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("File not closed %08x\n", status);
    }
}

VOID CreateProcessNotifyEx(__inout PEPROCESS Process, __in HANDLE ProcessId, __in_opt PPS_CREATE_NOTIFY_INFO CreateInfo)
{
    char FileName[260];
    char Line[sizeof(FileName) + 2];    // name plus "\n" and terminator

    UNREFERENCED_PARAMETER(Process);
    UNREFERENCED_PARAMETER(ProcessId);

    // CreateInfo is NULL when a process exits; only process creation is logged
    if (CreateInfo == NULL || !CreateInfo->FileOpenNameAvailable)
    {
        return;
    }

    //DbgPrintEx (DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "PID : 0x%X (%d) ImageName :%wZ CmdLine : %wZ \n", ProcessId, ProcessId, CreateInfo->ImageFileName, CreateInfo->CommandLine );
    if (UniStrToChar(CreateInfo->ImageFileName, FileName, sizeof(FileName)))
    {
        DbgPrint("Currently executing %s\n", FileName);
        if (NT_SUCCESS(RtlStringCbPrintfA(Line, sizeof(Line), "%s\n", FileName)))
        {
            AppendLogLine(Line);
        }
        DbgPrint("Finished\n");
    }
}

VOID UnloadRoutine(IN PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyEx, TRUE);
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "Unloaded\n");
}

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER(RegistryPath);

    // On Vista and later this call returns STATUS_ACCESS_DENIED unless the driver
    // image is linked with /INTEGRITYCHECK (IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY)
    status = PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyEx, FALSE);
    if (!NT_SUCCESS(status))
    {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "Failed to PsSetCreateProcessNotifyRoutineEx. status : 0x%X \n", status);
        // Fail the load instead of returning success: otherwise the unload routine
        // would try to remove a callback that was never registered
        return status;
    }

    DriverObject->DriverUnload = UnloadRoutine;

    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "Load\n");
    return STATUS_SUCCESS;
}

Other solutions above may be more suitable but I'll post this for completeness...

Filename will not be logged complete, only 15 values of a string: Kopie von notepad.exe gets logged as Kopie von notep, also if I set the column higher, so it does not log longer names

I'm not sure how you were getting that, the name is never truncated, if the column width is less than the name length then the full name length is always shown even if it breaks the formatting, maybe explaining wrong, do you have a screenshot? What viewer are you using?

Also about the paths again, so they will not be logged original. So I want that your tool does log the original path where this file which was started is also stored. So you can test it if you copy your notepad.exe for example in any other folder and then start it from there and now your tool does log the path from win..\system32\ folder but from there the tool was not started. Would be nice if you could fix these little bugs too later = all original paths will be logged where the file xy was started from (desktop and any other locations too etc)

Paths are passed from Windows from the open process, whatever path is shown is the correct path for the running process

Another request: So could you also add an option to open the log file from your tool and tray? Just another line which I can choose called "Show Log".

Added

Which minimum .NET version does your tool need to run? .NET 2, 3 or 4 etc? So in my VM I could not use your tool so there I have not installed any .NET.

v4

Download...

http://rghost.net/54459704

I think some of the processes weren't being logged when multiple processes were opening. All open processes are now passed to a new thread for processing so the WMI doesn't get clogged waiting for the file operations etc.

Some paths were not being logged because the way I was grabbing the open process didn't carry the path and I had to grab that separately, which wasn't possible if the process was already closed. I have now changed the way the process is grabbed so paths should also be shown; if an executable path is not passed then a stripped down version of the command line is used which should = the path

It "should" work ok now but needs testing. But if it still fails to grab a process or path then the info is not being sent and that's a limitation of the WMI, and if still not suitable then I suggest using Kao's method above, the link for the program is in my 1st reply to this thread
:)

Hi again,

so there is not really a problem, so I just want to log all processes which were started. Sometimes (rarely) it can happen that I forget to check any new xy file which I start and in some rare cases it's a malware and a short time later I will just see it (system infected for example and malware xy does infect other files too) and then I don't know which xy file was the trigger of that malware. If I now log all then I could later trace back what file was the bad one and where I did get it from etc. So as I said I just need any simple small size app which does log the date, time, file & path so that's already all. :)

@ NOP

Ok I have checked your latest release. Now it works to log full file names. Also thanks for the newly added feature view log. All in all I don't see any bug anymore during testing so far. Very good. :) What, it needs NFW 4! So this is bad so there I need almost 1 GB free space to use the tool on any other OS. So this makes your tool and your tool is not independent in that case. So is there any way to format / change your .NET source 1:1 to MASM etc to compile your tool with that language later etc? Just only a question of course, no idea whether it's possible etc.

@ GaBoR

Thanks for this tool tip so also this tool I didn't know before but it looks also not bad. :) So I have tested the portable free version now a little + log. Log is a little confusing to check quickly. I'll check this more.

Thank you again to all of you guys for infos, tool tips, tools and help. :)

greetz

What, it needs NFW 4! So this is bad so there I need almost 1 GB free space to use the tool on any other OS

Yes, due to using LINQ which is a min of v3.5

v4 download is approx 55mb, installed approx 200mb

So is there any way to format / change your .NET source 1:1 to MASM

No that's not possible sorry

:thumbs:

Hi SReg,

hehe :) Why do you come so late this time? :)

Ok I have tested your ULTRA small size tool and it's also very good on the first test, also if it works with an extra driver, but it's working without problems so far. Thank you too SReg for your tool version which I can use now too without installing any system AddOn as NFW. Nice work.

Now I got 2 tools for logging which I can use hehehe. :)

greetz
