2.5.4.0

@AloisKraus AloisKraus released this 11 Jan 11:15
· 295 commits to main since this release
8e96485

-LoadSymbol

During extraction, ETWAnalyzer now stores the image RVA for every method it cannot resolve. This enables extracting data on network-isolated machines: only the small extracted Json files need to be transferred. On a different machine

ETWAnalyzer -LoadSymbol -fd xxx.json -symServer MS

will resolve the missing symbols the usual way and update the Json file accordingly. You can repeat this several times to work around symbol server outages or other transient errors (e.g. path too long) that occurred during the initial extraction.
This uses the TraceEvent library, which shows higher CPU costs compared to what WPA resolves: WPA seems to be able to properly decode inlined methods, which will not show up here. In practice the differences are not big. The extracted stacktags will NOT be updated and are not reliable, except for stacktags which do not need method names, which is true for all Virus stacktags. The costs of AV can therefore be judged even with no symbol resolution.
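As an added example (not part of the release notes or of ETWAnalyzer itself), the following PowerShell script runs the -LoadSymbol pass shown above over a folder of transferred Json files, retrying each file a few times since the command can be repeated safely until the symbols are resolved. It assumes ETWAnalyzer is on PATH, that it returns a non-zero exit code on failure, and that the folder name .\extracted is a placeholder.

```powershell
# Added example, not from the ETWAnalyzer project: re-run symbol resolution for every
# extracted Json file on a machine with symbol server access, retrying transient failures.
# Assumptions: ETWAnalyzer is on PATH and exits non-zero when resolution fails.
param(
    [string]$JsonDir = ".\extracted",   # placeholder: folder holding the transferred *.json files
    [int]$MaxAttempts = 3
)

$files = Get-ChildItem -Path $JsonDir -Filter *.json -File
foreach ($file in $files) {
    $attempt = 0
    do {
        $attempt++
        Write-Host "[$attempt/$MaxAttempts] Resolving symbols for $($file.Name)"
        # Same command as in the release notes, applied to one Json file at a time
        & ETWAnalyzer -LoadSymbol -fd $file.FullName -symServer MS
        $ok = ($LASTEXITCODE -eq 0)
        if (-not $ok -and $attempt -lt $MaxAttempts) {
            # Back off before retrying; symbol server outages are usually short-lived
            Start-Sleep -Seconds (10 * $attempt)
        }
    } while (-not $ok -and $attempt -lt $MaxAttempts)
    if (-not $ok) { Write-Warning "Gave up on $($file.Name) after $MaxAttempts attempts" }
}
```

Stacktags in the updated files remain unreliable after this pass, so judge anything other than the name-independent Virus stacktags from the resolved method names rather than from the stacktags.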