[FEATURE] In ETW mode: enable or disable listeners depending on settings

etw_listener.cpp

@@ -282,7 +282,7 @@ std::string ipv4FromDword(DWORD ip_dword)
     return oss.str();
 }
 
-bool ETWstart()
+bool ETWstart(ETWProfile& settings)
 {
     krabs::kernel_trace trace(L"HollowsHunter");
     g_initTime = time(NULL);
@@ -419,11 +419,11 @@ bool ETWstart()
         });
 
     bool isOk = true;
-    trace.enable(tcpIpProvider);
-    trace.enable(objectMgrProvider);
-    trace.enable(processProvider);
-    trace.enable(imageLoadProvider);
-    trace.enable(virtualAllocProvider);
+    if (settings.tcpip) trace.enable(tcpIpProvider);
+    if (settings.obj_mgr) trace.enable(objectMgrProvider);
+    if (settings.process_start) trace.enable(processProvider);
+    if (settings.img_load) trace.enable(imageLoadProvider);
+    if (settings.allocation) trace.enable(virtualAllocProvider);
     try {
         std::cout << "Starting listener..." << std::endl;
         trace.start();

etw_listener.h

@@ -16,6 +16,28 @@
 // ETW includes
 #include "krabsetw/krabs/krabs.hpp"
 
-bool ETWstart();
+struct ETWProfile {
+    bool process_start;
+    bool img_load;
+    bool allocation;
+    bool tcpip;
+    bool obj_mgr;
+
+    ETWProfile(bool _process_start = false, bool _img_load = false, bool _allocation = false, bool _tcpip = false, bool _obj_mgr = false)
+        : process_start(_process_start), img_load(_img_load), allocation(_allocation), tcpip(_tcpip), obj_mgr(_obj_mgr)
+    {
+    }
+
+    void setAll()
+    {
+        this->process_start = true;
+        this->img_load = true;
+        this->allocation = true;
+        this->tcpip = true;
+        this->obj_mgr = true;
+    }
+};
+
+bool ETWstart(ETWProfile &settings);
 
 #endif

main.cpp

@@ -52,7 +52,9 @@ t_pesieve_res deploy_scan()
     if (g_hh_args.etw_scan)
     {
 #ifdef USE_ETW
-        if (!ETWstart()) {
+        ETWProfile profile;
+        profile.setAll();
+        if (!ETWstart(profile)) {
             return PESIEVE_ERROR;
         }
 #else