mandiant / SilkETW

Apache License 2.0

Opcodes can be larger than 9 #13

Open pathtofile opened 4 years ago

pathtofile commented 4 years ago

Hi there. When filtering by opcode, e.g. -f Opcode -fv 2, you limit the possible opcode to filter on to 0-9, in this code:

// byte.Parse already rejects anything outside 0-255; the extra range check below
// then refuses every opcode above 9.
SilkUtility.FilterValueObject = byte.Parse(FilterValue);
if ((byte)SilkUtility.FilterValueObject > 9)
{
    SilkUtility.ReturnStatusMessage("[!] Opcode outside valid range (0-9)", ConsoleColor.Red);
    return;
}

However, in the underlying ETW API, an Opcode is a UCHAR, so it can be 0-255.
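The validation the issue argues for, as an added C# example (not SilkETW's own code and not the linked pull request): let byte.TryParse enforce the UCHAR range and drop the 0-9 clamp. The class and method names are assumed.

```csharp
using System;
using System.Globalization;

// Added example, not SilkETW's code. ETW declares EVENT_DESCRIPTOR.Opcode as a
// UCHAR (0-255), so byte.TryParse already enforces the correct bounds; the
// "> 9" check quoted in the issue is what rejects valid opcodes such as 10 or 255.
static class OpcodeFilter
{
    // Returns true and the parsed opcode when the value is a valid UCHAR,
    // false for negatives, values above 255, and non-numeric input.
    public static bool TryParseOpcode(string filterValue, out byte opcode)
    {
        return byte.TryParse(filterValue, NumberStyles.None,
                             CultureInfo.InvariantCulture, out opcode);
    }

    static void Main()
    {
        // Constructed sample inputs covering the old limit, the UCHAR limit,
        // and two out-of-range values.
        foreach (var input in new[] { "2", "9", "10", "255", "256", "-1" })
        {
            bool ok = TryParseOpcode(input, out byte op);
            Console.WriteLine(ok
                ? $"{input,4} -> accepted as opcode {op}"
                : $"{input,4} -> rejected: not in UCHAR range 0-255");
        }
    }
}
```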

pathtofile commented 4 years ago

Gave a shot at fixing it: https://github.com/fireeye/SilkETW/pull/14