diff --git a/bluekrabs/bluekrabs/parser.hpp b/bluekrabs/bluekrabs/parser.hpp index 2f916c2..50996f7 100644 --- a/bluekrabs/bluekrabs/parser.hpp +++ b/bluekrabs/bluekrabs/parser.hpp @@ -87,6 +87,16 @@ namespace krabs { template T parse(const std::wstring &name); + /** + * todo + */ + std::pair parse_in_type(const std::wstring& name); + + /** + * todo + */ + std::pair parse_out_type(const std::wstring& name); + template auto view_of(const std::wstring &name, Adapter &adapter) -> collection_view; @@ -414,6 +424,32 @@ namespace krabs { return pointer::from_bytes(propInfo.pPropertyIndex_, propInfo.length_); } + // pars_type + // ------------------------------------------------------------------------ + + inline std::pair parser::parse_in_type(const std::wstring& name) + { + auto prop_info = find_property(name); + throw_if_property_not_found(prop_info); + + auto in_type_value = (_TDH_IN_TYPE)prop_info.pEventPropertyInfo_->nonStructType.OutType; + auto in_type_str = in_type_to_string(in_type_value); + + return std::make_pair(in_type_str, in_type_value); + } + + inline std::pair parser::parse_out_type(const std::wstring& name) + { + auto prop_info = find_property(name); + throw_if_property_not_found(prop_info); + + auto out_type_value = (_TDH_OUT_TYPE)prop_info.pEventPropertyInfo_->nonStructType.OutType; + auto out_type_str = out_type_to_string(out_type_value); + + return std::make_pair(out_type_str, out_type_value); + } + + // view_of // ------------------------------------------------------------------------ diff --git a/bluekrabs/bluekrabs/tdh_helpers.hpp b/bluekrabs/bluekrabs/tdh_helpers.hpp index 2c5a80e..ad673d9 100644 --- a/bluekrabs/bluekrabs/tdh_helpers.hpp +++ b/bluekrabs/bluekrabs/tdh_helpers.hpp @@ -14,50 +14,103 @@ namespace krabs { -#define CASE_TYPE(enum) case TDH_INTYPE_##enum: return #enum +#define CASE_IN_TYPE(enum) case TDH_INTYPE_##enum: return #enum inline const char* in_type_to_string(_TDH_IN_TYPE type) { switch (type) { - CASE_TYPE(NULL); - CASE_TYPE(UNICODESTRING); - CASE_TYPE(ANSISTRING); - CASE_TYPE(INT8); - CASE_TYPE(UINT8); - CASE_TYPE(INT16); - CASE_TYPE(UINT16); - CASE_TYPE(INT32); - CASE_TYPE(UINT32); - CASE_TYPE(INT64); - CASE_TYPE(UINT64); - CASE_TYPE(FLOAT); - CASE_TYPE(DOUBLE); - CASE_TYPE(BOOLEAN); - CASE_TYPE(BINARY); - CASE_TYPE(GUID); - CASE_TYPE(POINTER); - CASE_TYPE(FILETIME); - CASE_TYPE(SYSTEMTIME); - CASE_TYPE(SID); - CASE_TYPE(HEXINT32); - CASE_TYPE(HEXINT64); - CASE_TYPE(COUNTEDSTRING); - CASE_TYPE(COUNTEDANSISTRING); - CASE_TYPE(REVERSEDCOUNTEDSTRING); - CASE_TYPE(REVERSEDCOUNTEDANSISTRING); - CASE_TYPE(NONNULLTERMINATEDSTRING); - CASE_TYPE(NONNULLTERMINATEDANSISTRING); - CASE_TYPE(UNICODECHAR); - CASE_TYPE(ANSICHAR); - CASE_TYPE(SIZET); - CASE_TYPE(HEXDUMP); - CASE_TYPE(WBEMSID); + CASE_IN_TYPE(NULL); + CASE_IN_TYPE(UNICODESTRING); + CASE_IN_TYPE(ANSISTRING); + CASE_IN_TYPE(INT8); + CASE_IN_TYPE(UINT8); + CASE_IN_TYPE(INT16); + CASE_IN_TYPE(UINT16); + CASE_IN_TYPE(INT32); + CASE_IN_TYPE(UINT32); + CASE_IN_TYPE(INT64); + CASE_IN_TYPE(UINT64); + CASE_IN_TYPE(FLOAT); + CASE_IN_TYPE(DOUBLE); + CASE_IN_TYPE(BOOLEAN); + CASE_IN_TYPE(BINARY); + CASE_IN_TYPE(GUID); + CASE_IN_TYPE(POINTER); + CASE_IN_TYPE(FILETIME); + CASE_IN_TYPE(SYSTEMTIME); + CASE_IN_TYPE(SID); + CASE_IN_TYPE(HEXINT32); + CASE_IN_TYPE(HEXINT64); + CASE_IN_TYPE(COUNTEDSTRING); + CASE_IN_TYPE(COUNTEDANSISTRING); + CASE_IN_TYPE(REVERSEDCOUNTEDSTRING); + CASE_IN_TYPE(REVERSEDCOUNTEDANSISTRING); + CASE_IN_TYPE(NONNULLTERMINATEDSTRING); + CASE_IN_TYPE(NONNULLTERMINATEDANSISTRING); + CASE_IN_TYPE(UNICODECHAR); + CASE_IN_TYPE(ANSICHAR); + CASE_IN_TYPE(SIZET); + CASE_IN_TYPE(HEXDUMP); + CASE_IN_TYPE(WBEMSID); default: return ""; } } -#undef CASE_TYPE +#undef CASE_IN_TYPE + +#define CASE_OUT_TYPE(enum) case TDH_OUTTYPE_##enum: return #enum + + inline const char* out_type_to_string(_TDH_OUT_TYPE type) + { + switch (type) + { + CASE_OUT_TYPE(NULL); + CASE_OUT_TYPE(STRING); + CASE_OUT_TYPE(DATETIME); + CASE_OUT_TYPE(BYTE); + CASE_OUT_TYPE(UNSIGNEDBYTE); + CASE_OUT_TYPE(SHORT); + CASE_OUT_TYPE(UNSIGNEDSHORT); + CASE_OUT_TYPE(INT); + CASE_OUT_TYPE(UNSIGNEDINT); + CASE_OUT_TYPE(LONG); + CASE_OUT_TYPE(UNSIGNEDLONG); + CASE_OUT_TYPE(FLOAT); + CASE_OUT_TYPE(DOUBLE); + CASE_OUT_TYPE(BOOLEAN); + CASE_OUT_TYPE(GUID); + CASE_OUT_TYPE(HEXBINARY); + CASE_OUT_TYPE(HEXINT8); + CASE_OUT_TYPE(HEXINT16); + CASE_OUT_TYPE(HEXINT32); + CASE_OUT_TYPE(HEXINT64); + CASE_OUT_TYPE(PID); + CASE_OUT_TYPE(TID); + CASE_OUT_TYPE(PORT); + CASE_OUT_TYPE(IPV4); + CASE_OUT_TYPE(IPV6); + CASE_OUT_TYPE(SOCKETADDRESS); + CASE_OUT_TYPE(CIMDATETIME); + CASE_OUT_TYPE(ETWTIME); + CASE_OUT_TYPE(XML); + CASE_OUT_TYPE(ERRORCODE); + CASE_OUT_TYPE(WIN32ERROR); + CASE_OUT_TYPE(NTSTATUS); + CASE_OUT_TYPE(HRESULT); + CASE_OUT_TYPE(CULTURE_INSENSITIVE_DATETIME); + CASE_OUT_TYPE(JSON); + CASE_OUT_TYPE(UTF8); + CASE_OUT_TYPE(PKCS7_WITH_TYPE_INFO); + CASE_OUT_TYPE(CODE_POINTER); + CASE_OUT_TYPE(DATETIME_UTC); + CASE_OUT_TYPE(REDUCEDSTRING); + CASE_OUT_TYPE(NOPRINT); + default: return ""; + } + } + +#undef CASE_OUT_TYPE namespace debug { diff --git a/bluekrabs/bluekrabs/trace.hpp b/bluekrabs/bluekrabs/trace.hpp index 2214bc8..1c4bf36 100644 --- a/bluekrabs/bluekrabs/trace.hpp +++ b/bluekrabs/bluekrabs/trace.hpp @@ -497,7 +497,7 @@ namespace krabs { } }; - if (registrationHandle_ == INVALID_PROCESSTRACE_HANDLE) { + if (registrationHandle_ == INVALID_PROCESSTRACE_HANDLE && sessionHandle_ == INVALID_PROCESSTRACE_HANDLE) { insert_unique(p); } else { diff --git a/examples/ManagedExamples/Program.cs b/examples/ManagedExamples/Program.cs index 6ea8750..a4db0eb 100644 --- a/examples/ManagedExamples/Program.cs +++ b/examples/ManagedExamples/Program.cs @@ -23,7 +23,8 @@ static void Main(string[] args) //UserTrace009_OpenTrace.Start(); //UserTrace010_ExtendedData.Start(); //UserTrace011_UpdateTrace.Start(); - UserTrace012_UpdateProvider.Start(); + //UserTrace012_UpdateProvider.Start(); + UserTrace012_UpdateProvider.Start1(); } } } diff --git a/examples/ManagedExamples/UserTrace004.cs b/examples/ManagedExamples/UserTrace004.cs index 9ac2a94..d4773b0 100644 --- a/examples/ManagedExamples/UserTrace004.cs +++ b/examples/ManagedExamples/UserTrace004.cs @@ -39,6 +39,7 @@ public static void Start() { System.Diagnostics.Debug.Assert(record.Id == 7937); Console.WriteLine(record.GetUnicodeString("ContextInfo")); + }; // EventFilters are attached to providers. Events that are attached to the filter diff --git a/examples/ManagedExamples/UserTrace012_UpdateProvider.cs b/examples/ManagedExamples/UserTrace012_UpdateProvider.cs index f61d1a3..d97dab2 100644 --- a/examples/ManagedExamples/UserTrace012_UpdateProvider.cs +++ b/examples/ManagedExamples/UserTrace012_UpdateProvider.cs @@ -54,5 +54,59 @@ public static void Start() trace.Disable(providerApi); } + + public static void Start1() + { + var trace = new UserTrace("SecSense"); + + // Rundown events are not true real-time tracing events. Instead they describe the state of the system. + // Usually these are just extra events in the provider. For example, Microsoft-Windows-Kernel-Process + // has ProcessRundown events as well as ProcessStart events. + var secProvider = new Provider(Guid.Parse("{16c6501a-ff2d-46ea-868d-8f96cb0cb52d}")); + var fileProvider = new Provider(Guid.Parse("{edd08927-9cc4-4e65-b970-c2560fb5c289}")); + + //provider.Any = 0x10; // WINEVENT_KEYWORD_PROCESS + // ...but the rundown events often cannot be enabled by keyword alone. + // The trace needs to be sent EVENT_CONTROL_CODE_CAPTURE_STATE. + // This is what EnableRundownEvents() does. + //provider.EnableRundownEvents(); + + // process rundown events - i.e. running processes + //var processRundownFilter = new EventFilter(Filter.EventIdIs(15)); // ProcessRundown + secProvider.OnEvent += (record) => + { + // Records have general properties that are applicable to every ETW + // record regardless of schema. They give us general information. + Console.WriteLine("Event " + record.Id + " (" + record.Name + ") received."); + }; + //provider.AddFilter(processRundownFilter); + + fileProvider.OnEvent += (record) => + { + // Records have general properties that are applicable to every ETW + // record regardless of schema. They give us general information. + Console.WriteLine("Event " + record.Id + " (" + record.Name + ") received."); + }; + + trace.Enable(secProvider); + trace.Open(); + trace.Enable(fileProvider); + Thread workingThread = new Thread(() => { + trace.Process(); + }); + + workingThread.Start(); + Thread.Sleep(1000); + trace.Close(); + workingThread.Join(); + + } } + + + + + } + + diff --git a/examples/NativeExamples/user_trace_001.cpp b/examples/NativeExamples/user_trace_001.cpp index 60883bf..809646a 100644 --- a/examples/NativeExamples/user_trace_001.cpp +++ b/examples/NativeExamples/user_trace_001.cpp @@ -47,6 +47,8 @@ void user_trace_001::start() // We could alternatively use try_parse if we didn't want an exception to // be thrown in the case of failure. std::wstring context = parser.parse(L"ContextInfo"); + std::cout << "intype " << parser.parse_in_type(L"ContextInfo").first << std::endl; + std::cout << "outtype " << parser.parse_out_type(L"ContextInfo").first << std::endl; std::wcout << L"\tContext: " << context << std::endl; } }); diff --git a/examples/NativeExamples/user_trace_012_open_trace.cpp b/examples/NativeExamples/user_trace_012_open_trace.cpp index 59c82e6..017e740 100644 --- a/examples/NativeExamples/user_trace_012_open_trace.cpp +++ b/examples/NativeExamples/user_trace_012_open_trace.cpp @@ -87,8 +87,29 @@ void user_trace_012_open_trace::start() // to snap in a schema to ask it for information. krabs::schema schema(record, trace_context.schema_locator); // We then have the ability to ask a few questions of the event. - std::wcout << L"ProviderName " << schema.provider_name() << std::endl; - std::wcout << L"EventId" << schema.event_id() << std::endl; + switch (schema.event_id()) { + case 1: + break; + case 17: + break; + case 18: + break; + case 19: + break; + case 22: + break; + case 23: + break; + case 24: + break; + case 35: + break; + default: + std::wcout << L"ProviderName " << schema.provider_name() << std::endl; + std::wcout << L"EventId" << schema.event_id() << std::endl; + break; + } + }; sec_provider.add_on_event_callback(on_event); file_provider.add_on_event_callback(on_event); @@ -126,7 +147,7 @@ void user_trace_012_open_trace::start() trace.process(); }); - const int durationInSeconds = 10; + const int durationInSeconds = 100000; std::this_thread::sleep_for(std::chrono::seconds(durationInSeconds)); auto stats1 = trace.query_stats(); trace.close();