SilkETW icon indicating copy to clipboard operation
SilkETW copied to clipboard
verified publisher icon mandiant

Opcodes can be larger than 9

Open pathtofile opened this issue 5 years ago • 1 comments

Hi there, When filtering by opcode, e.g. -f Opcode -fv 2, you limit the possible opcode to filter on to be 0-9, in this code:

SilkUtility.FilterValueObject = byte.Parse(FilterValue);
if ((byte)SilkUtility.FilterValueObject > 9)
{
    SilkUtility.ReturnStatusMessage("[!] Opcode outside valid range (0-9)", ConsoleColor.Red);
    return;
}

However in the underlying ETW API, an Opcode is an UCHAR, so it can be 0-255

pathtofile avatar May 17 '20 07:05 pathtofile

Gave a shot at fixing it: https://github.com/fireeye/SilkETW/pull/14

pathtofile avatar May 17 '20 15:05 pathtofile