This WIP branch is a possible solution to improving the ability to chain multiple predicates together, either ANDing or ORing. Raises an "issue" to discuss if this is wanted/needed here: https://github.com/microsoft/krabsetw/issues/122
The existing and/or predicates can only compare 2 at a time, making comparisons of 3+ values require chaining of parameters in a way that looks ugly and is inefficient, particularly if generating the chain dynamically.
An example use case may be to listen to Microsoft-Windows-Kernel-Process for process exits where ImageName == foo.exe && ExitCode != 0 && TokenElevationType == 2.
Another example may be to give a vector list of 30 different opcodes to monitor for.
This solution adds the new functions (and, or, none), that take in a vector of predicates to compare. To enable the predicates to be of arbitrary type, this required making a new base class predicate_base that all other predicates are derived from.
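To make the design concrete, here is an added, self-contained sketch of the approach described above; it is not code from this branch or from krabsetw, and the names `predicate_base`, `all_of`, `any_of`, `none_of`, `make_predicate` and the `event_record` struct are assumptions chosen for illustration (the stand-in event record replaces krabsetw's real event and schema types so the example compiles offline). It shows the two use cases from the description, the process-exit filter with three conditions and a filter built dynamically from a list of opcodes, both expressed as a single n-ary combinator over a vector of heterogeneous predicates rather than a nested chain of pairwise and/or:

```cpp
#include <functional>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Constructed stand-in for a parsed ETW event; krabsetw's real event types are not used here.
struct event_record {
    std::string image_name;
    int exit_code;
    int token_elevation_type;
    int opcode;
};

// Hypothetical common base class: one virtual call lets a single vector hold
// predicates of arbitrary concrete type, which is what the n-ary combinators need.
struct predicate_base {
    virtual ~predicate_base() = default;
    virtual bool operator()(const event_record& e) const = 0;
};

using predicate_ptr = std::shared_ptr<const predicate_base>;

// Adapter so any comparison on event fields can be stored as a predicate.
class lambda_predicate : public predicate_base {
public:
    explicit lambda_predicate(std::function<bool(const event_record&)> f) : f_(std::move(f)) {}
    bool operator()(const event_record& e) const override { return f_(e); }
private:
    std::function<bool(const event_record&)> f_;
};

template <typename F>
predicate_ptr make_predicate(F f) {
    return std::make_shared<lambda_predicate>(std::move(f));
}

// N-ary combinators over a vector of predicates. The description calls them
// and/or/none; `and` and `or` are alternative tokens in standard C++, so this
// example uses all_of/any_of/none_of instead. Each one short-circuits.
class all_of : public predicate_base {
public:
    explicit all_of(std::vector<predicate_ptr> ps) : ps_(std::move(ps)) {}
    bool operator()(const event_record& e) const override {
        for (const auto& p : ps_) if (!(*p)(e)) return false;
        return true;
    }
private:
    std::vector<predicate_ptr> ps_;
};

class any_of : public predicate_base {
public:
    explicit any_of(std::vector<predicate_ptr> ps) : ps_(std::move(ps)) {}
    bool operator()(const event_record& e) const override {
        for (const auto& p : ps_) if ((*p)(e)) return true;
        return false;
    }
private:
    std::vector<predicate_ptr> ps_;
};

class none_of : public predicate_base {
public:
    explicit none_of(std::vector<predicate_ptr> ps) : ps_(std::move(ps)) {}
    bool operator()(const event_record& e) const override {
        for (const auto& p : ps_) if ((*p)(e)) return false;
        return true;
    }
private:
    std::vector<predicate_ptr> ps_;
};

// Use case 1: ImageName == foo.exe && ExitCode != 0 && TokenElevationType == 2,
// written as one all_of instead of and(and(a, b), c).
predicate_ptr exit_filter() {
    return std::make_shared<all_of>(std::vector<predicate_ptr>{
        make_predicate([](const event_record& e) { return e.image_name == "foo.exe"; }),
        make_predicate([](const event_record& e) { return e.exit_code != 0; }),
        make_predicate([](const event_record& e) { return e.token_elevation_type == 2; }),
    });
}

// Use case 2: match any opcode from a list supplied at runtime (e.g. 30 opcodes),
// built in a loop rather than by hand-nesting pairwise or() calls.
predicate_ptr opcode_filter(const std::vector<int>& opcodes) {
    std::vector<predicate_ptr> ps;
    for (int op : opcodes)
        ps.push_back(make_predicate([op](const event_record& e) { return e.opcode == op; }));
    return std::make_shared<any_of>(std::move(ps));
}

// Exclude the same opcode list instead of selecting it.
predicate_ptr not_opcode_filter(const std::vector<int>& opcodes) {
    std::vector<predicate_ptr> ps;
    for (int op : opcodes)
        ps.push_back(make_predicate([op](const event_record& e) { return e.opcode == op; }));
    return std::make_shared<none_of>(std::move(ps));
}

bool matches(const predicate_ptr& p, const event_record& e) { return (*p)(e); }
```

Because the combinators themselves derive from `predicate_base`, an `all_of` can sit inside an `any_of` and vice versa, so arbitrary trees still compose; the gain over the pairwise version is that a flat list of N conditions is one node with N children instead of N-1 nested nodes, and a vector of shared pointers to the base class is what makes that list type-agnostic.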