Add ETW support to README

mandiant · Sep 22, 2022 · f4d179e · f4d179e
1 parent df05086
commit f4d179e
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/README.md b/README.md
@@ -5,7 +5,7 @@ Please read to the end of this readme if you're developing new plugins for STrac
 
 # Functionality
 
-Dtrace on windows supports multiple probe types. These include syscall, fbt, etw, profile, and maybe more. This reimplementation **only re-implements the syscall probe types**. All other probe types are considered completely out of scope for this project, and will **never be supported**. Please feel free to fork the project if you wish to add additional probe types. The scope was limited to just syscall probes due to the complexity of the other probe types and the systems they touch.
+Dtrace on windows supports multiple probe types. These include syscall, fbt, etw, profile, and maybe more. This reimplementation **only re-implements the syscall and etw probe types**. All other probe types are considered completely out of scope for this project, and will **never be supported**. Please feel free to fork the project if you wish to add additional probe types. The scope was limited to just syscall and etw probes due to the complexity of the other probe types and the systems they touch.
 
 This reimplementation completely discards the D scripting language (note: NOT DLang the more popular modern language). The complexity of a VM in the kernel like the original DTrace implementation is unsuitable for this project. Instead, this implementation directly exposes the relevant C callbacks required to plug into the DTrace windows kernel interfaces. To enable 'hot-loading' of scripts a DLL based plugin system was used as a replacement for the VM + scripting evironment of the original dtrace. This plugin system accepts a 'normal' usermode DLL without any security checks enabled, or otherwise external dependencies and manually maps it into the kernel adress space. The `plugin dll` has exports which are invoked when kernel syscall callbacks occur. Kernel APIs are resolved via the normal import table (IAT) of the DLL, plugin DLLs link to `ntoskrnl.lib` and then the driver will resolve these APIs at load time, allowing any system apis to be called within plugin DLLs like normal. Performance of this plugin system is excellent as native code, rather than a script interpreter or a JIT, is directly executing between syscall ENTRY and RETURN. This design improves performance compared to the dtrace implementation provided by Microsoft.