Last active
September 26, 2022 23:12
-
-
Save bohops/61b911a8fb80446db47a331c4d7a37e9 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //A Quick POC for monitoring .NET Assembly Load Events with ETW | |
| // References: | |
| // - Microsoft CLR Provider: https://docs.microsoft.com/en-us/dotnet/framework/performance/clr-etw-providers | |
| // - ETW Assembly Load Events: https://docs.microsoft.com/en-us/dotnet/framework/performance/loader-etw-events | |
| // - Source Code Sample: https://github.com/microsoft/perfview/blob/master/src/TraceEvent/Samples/31_KernelAndClrMonitor.cs | |
| using Microsoft.Diagnostics.Tracing; | |
| using Microsoft.Diagnostics.Tracing.Parsers; | |
| using Microsoft.Diagnostics.Tracing.Session; | |
| using System; | |
| using System.Diagnostics; | |
| namespace AssemblyLoadTracer | |
| { | |
| public class AssemblyLoadMonitor | |
| { | |
| public static void Main() | |
| { | |
| if (TraceEventSession.IsElevated() != true) | |
| { | |
| Console.WriteLine("Must be elevated (Admin) to run this program."); | |
| Debugger.Break(); | |
| return; | |
| } | |
| TraceEventSession session = null; | |
| using (session = new TraceEventSession("AssemblyLoadMonitor")) | |
| { | |
| session.EnableProvider(ClrTraceEventParser.ProviderGuid, TraceEventLevel.Informational, (ulong)(ClrTraceEventParser.Keywords.Loader)); | |
| session.Source.Clr.All += Print; | |
| session.Source.Process(); | |
| } | |
| } | |
| private static void Print(TraceEvent data) | |
| { | |
| if (data.Opcode == TraceEventOpcode.DataCollectionStart) | |
| { | |
| return; | |
| } | |
| Console.WriteLine(data.ToString()); | |
| if (data is UnhandledTraceEvent) | |
| { | |
| Console.WriteLine(data.Dump()); | |
| } | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment