EventMonitor utility is operational now
This commit is contained in:
parent
fa141fc525
commit
0639169d9a
@ -21,6 +21,7 @@
|
|||||||
#include "StdAfx.h"
|
#include "StdAfx.h"
|
||||||
|
|
||||||
#pragma comment(lib, "tdh.lib")
|
#pragma comment(lib, "tdh.lib")
|
||||||
|
#pragma comment(lib, "Ws2_32.lib")
|
||||||
|
|
||||||
using namespace std;
|
using namespace std;
|
||||||
using namespace winstd;
|
using namespace winstd;
|
||||||
@ -43,17 +44,382 @@ static BOOL WINAPI ConsoleHandler(_In_ DWORD dwCtrlType)
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static tstring MapToString(_In_ const EVENT_MAP_INFO *pMapInfo, _In_ LPCBYTE pData)
|
||||||
|
{
|
||||||
|
if ( (pMapInfo->Flag & EVENTMAP_INFO_FLAG_MANIFEST_VALUEMAP) ||
|
||||||
|
((pMapInfo->Flag & EVENTMAP_INFO_FLAG_WBEM_VALUEMAP ) && (pMapInfo->Flag & ~EVENTMAP_INFO_FLAG_WBEM_VALUEMAP) != EVENTMAP_INFO_FLAG_WBEM_FLAG))
|
||||||
|
{
|
||||||
|
if ((pMapInfo->Flag & EVENTMAP_INFO_FLAG_WBEM_NO_MAP) == EVENTMAP_INFO_FLAG_WBEM_NO_MAP)
|
||||||
|
return tstring_printf(_T("%ls"), (PBYTE)pMapInfo + pMapInfo->MapEntryArray[*(PULONG)pData].OutputOffset);
|
||||||
|
else {
|
||||||
|
for (ULONG i = 0; ; i++) {
|
||||||
|
if (i >= pMapInfo->EntryCount)
|
||||||
|
return tstring_printf(_T("%lu"), *(PULONG)pData);
|
||||||
|
else if (pMapInfo->MapEntryArray[i].Value == *(PULONG)pData)
|
||||||
|
return tstring_printf(_T("%ls"), (PBYTE)pMapInfo + pMapInfo->MapEntryArray[i].OutputOffset);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} else if (
|
||||||
|
(pMapInfo->Flag & EVENTMAP_INFO_FLAG_MANIFEST_BITMAP) ||
|
||||||
|
(pMapInfo->Flag & EVENTMAP_INFO_FLAG_WBEM_BITMAP ) ||
|
||||||
|
((pMapInfo->Flag & EVENTMAP_INFO_FLAG_WBEM_VALUEMAP ) && (pMapInfo->Flag & ~EVENTMAP_INFO_FLAG_WBEM_VALUEMAP) == EVENTMAP_INFO_FLAG_WBEM_FLAG))
|
||||||
|
{
|
||||||
|
tstring out;
|
||||||
|
|
||||||
|
if (pMapInfo->Flag & EVENTMAP_INFO_FLAG_WBEM_NO_MAP) {
|
||||||
|
for (ULONG i = 0; i < pMapInfo->EntryCount; i++)
|
||||||
|
if (*(PULONG)pData & (1 << i))
|
||||||
|
out.append(tstring_printf(out.empty() ? _T("%ls") : _T(" | %ls"), (PBYTE)pMapInfo + pMapInfo->MapEntryArray[i].OutputOffset));
|
||||||
|
} else {
|
||||||
|
for (ULONG i = 0; i < pMapInfo->EntryCount; i++)
|
||||||
|
if ((pMapInfo->MapEntryArray[i].Value & *(PULONG)pData) == pMapInfo->MapEntryArray[i].Value)
|
||||||
|
out.append(tstring_printf(out.empty() ? _T("%ls") : _T(" | %ls"), (PBYTE)pMapInfo + pMapInfo->MapEntryArray[i].OutputOffset));
|
||||||
|
}
|
||||||
|
|
||||||
|
return out.empty() ? tstring_printf(_T("%lu"), *(PULONG)pData) : out;
|
||||||
|
}
|
||||||
|
|
||||||
|
return _T("<unknown map>");
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static tstring DataToString(_In_ USHORT InType, _In_ USHORT OutType, _In_count_(nDataSize) LPCBYTE pData, _In_ SIZE_T nDataSize, _In_ const EVENT_MAP_INFO *pMapInfo, _In_ BYTE nPtrSize)
|
||||||
|
{
|
||||||
|
assert(pData || !nDataSize);
|
||||||
|
|
||||||
|
switch (InType) {
|
||||||
|
case TDH_INTYPE_UNICODESTRING:
|
||||||
|
case TDH_INTYPE_NONNULLTERMINATEDSTRING:
|
||||||
|
case TDH_INTYPE_UNICODECHAR:
|
||||||
|
return tstring_printf(_T("%.*ls"), nDataSize/sizeof(WCHAR), pData);
|
||||||
|
|
||||||
|
case TDH_INTYPE_ANSISTRING:
|
||||||
|
case TDH_INTYPE_NONNULLTERMINATEDANSISTRING:
|
||||||
|
case TDH_INTYPE_ANSICHAR: {
|
||||||
|
// Convert strings from ANSI code page, all others (JSON, XML etc.) from UTF-8
|
||||||
|
wstring str;
|
||||||
|
MultiByteToWideChar(OutType == TDH_OUTTYPE_STRING ? CP_ACP : CP_UTF8, 0, (LPCSTR)pData, (int)nDataSize, str);
|
||||||
|
return tstring_printf(_T("%ls"), str.c_str());
|
||||||
|
}
|
||||||
|
|
||||||
|
case TDH_INTYPE_COUNTEDSTRING:
|
||||||
|
return DataToString(TDH_INTYPE_NONNULLTERMINATEDSTRING, OutType, (LPCBYTE)((PUSHORT)pData + 1), *(PUSHORT)pData, pMapInfo, nPtrSize);
|
||||||
|
|
||||||
|
case TDH_INTYPE_COUNTEDANSISTRING:
|
||||||
|
return DataToString(TDH_INTYPE_NONNULLTERMINATEDANSISTRING, OutType, (LPCBYTE)((PUSHORT)pData + 1), *(PUSHORT)pData, pMapInfo, nPtrSize);
|
||||||
|
|
||||||
|
case TDH_INTYPE_REVERSEDCOUNTEDSTRING:
|
||||||
|
return DataToString(TDH_INTYPE_NONNULLTERMINATEDSTRING, OutType, (LPCBYTE)((PUSHORT)pData + 1), MAKEWORD(HIBYTE(*(PUSHORT)pData), LOBYTE(*(PUSHORT)pData)), pMapInfo, nPtrSize);
|
||||||
|
|
||||||
|
case TDH_INTYPE_REVERSEDCOUNTEDANSISTRING:
|
||||||
|
return DataToString(TDH_INTYPE_NONNULLTERMINATEDANSISTRING, OutType, (LPCBYTE)((PUSHORT)pData + 1), MAKEWORD(HIBYTE(*(PUSHORT)pData), LOBYTE(*(PUSHORT)pData)), pMapInfo, nPtrSize);
|
||||||
|
|
||||||
|
case TDH_INTYPE_INT8:
|
||||||
|
assert(nDataSize >= sizeof(CHAR));
|
||||||
|
switch (OutType) {
|
||||||
|
case TDH_OUTTYPE_STRING: return DataToString(TDH_INTYPE_ANSICHAR, TDH_OUTTYPE_NULL, pData, nDataSize, pMapInfo, nPtrSize);
|
||||||
|
default : return tstring_printf(_T("%hd"), *(PCHAR)pData);
|
||||||
|
}
|
||||||
|
|
||||||
|
case TDH_INTYPE_UINT8:
|
||||||
|
assert(nDataSize >= sizeof(BYTE));
|
||||||
|
switch (OutType) {
|
||||||
|
case TDH_OUTTYPE_STRING : return DataToString(TDH_INTYPE_ANSICHAR, TDH_OUTTYPE_NULL, pData, nDataSize, pMapInfo, nPtrSize);
|
||||||
|
case TDH_OUTTYPE_HEXINT8: return tstring_printf(_T("0x%x"), *(PBYTE)pData);
|
||||||
|
default : return tstring_printf(_T("%hu" ), *(PBYTE)pData);
|
||||||
|
}
|
||||||
|
|
||||||
|
case TDH_INTYPE_INT16:
|
||||||
|
assert(nDataSize >= sizeof(SHORT));
|
||||||
|
return tstring_printf(_T("%hd"), *(PSHORT)pData);
|
||||||
|
|
||||||
|
case TDH_INTYPE_UINT16:
|
||||||
|
assert(nDataSize >= sizeof(USHORT));
|
||||||
|
switch (OutType) {
|
||||||
|
case TDH_OUTTYPE_PORT : return tstring_printf(_T("%hu" ), ntohs(*(PUSHORT)pData));
|
||||||
|
case TDH_OUTTYPE_HEXINT16: return tstring_printf(_T("0x%x"), *(PUSHORT)pData );
|
||||||
|
case TDH_OUTTYPE_STRING : return tstring_printf(_T("%lc" ), *(PUSHORT)pData );
|
||||||
|
default : return tstring_printf(_T("%hu" ), *(PUSHORT)pData );
|
||||||
|
}
|
||||||
|
|
||||||
|
case TDH_INTYPE_INT32:
|
||||||
|
assert(nDataSize >= sizeof(LONG));
|
||||||
|
switch (OutType) {
|
||||||
|
case TDH_OUTTYPE_HRESULT: return tstring_printf(_T("0x%x"), *(PLONG)pData);
|
||||||
|
default : return tstring_printf(_T("%ld" ), *(PLONG)pData);
|
||||||
|
}
|
||||||
|
|
||||||
|
case TDH_INTYPE_UINT32:
|
||||||
|
assert(nDataSize >= sizeof(ULONG));
|
||||||
|
switch (OutType) {
|
||||||
|
case TDH_OUTTYPE_HRESULT :
|
||||||
|
case TDH_OUTTYPE_WIN32ERROR:
|
||||||
|
case TDH_OUTTYPE_NTSTATUS :
|
||||||
|
case TDH_OUTTYPE_HEXINT32 : return tstring_printf(_T("0x%x" ), *(PULONG)pData);
|
||||||
|
case TDH_OUTTYPE_IPV4 : return tstring_printf(_T("%d.%d.%d.%d"), (*(PULONG)pData >> 0) & 0xff, (*(PULONG)pData >> 8) & 0xff, (*(PULONG)pData >> 16) & 0xff, (*(PULONG)pData >> 24) & 0xff);
|
||||||
|
default: return pMapInfo ? MapToString(pMapInfo, pData) : tstring_printf(_T("%lu"), *(PULONG)pData);
|
||||||
|
}
|
||||||
|
|
||||||
|
case TDH_INTYPE_HEXINT32:
|
||||||
|
return DataToString(TDH_INTYPE_UINT32, TDH_OUTTYPE_HEXINT32, pData, nDataSize, pMapInfo, nPtrSize);
|
||||||
|
|
||||||
|
case TDH_INTYPE_INT64:
|
||||||
|
assert(nDataSize >= sizeof(LONGLONG));
|
||||||
|
return tstring_printf(_T("%I64d"), *(PLONGLONG)pData);
|
||||||
|
|
||||||
|
case TDH_INTYPE_UINT64:
|
||||||
|
assert(nDataSize >= sizeof(ULONGLONG));
|
||||||
|
switch (OutType) {
|
||||||
|
case TDH_OUTTYPE_HEXINT64: return tstring_printf(_T("0x%I64x"), *(PULONGLONG)pData);
|
||||||
|
default : return tstring_printf(_T("%I64u" ), *(PULONGLONG)pData);
|
||||||
|
}
|
||||||
|
|
||||||
|
case TDH_INTYPE_HEXINT64:
|
||||||
|
return DataToString(TDH_INTYPE_UINT64, TDH_OUTTYPE_HEXINT64, pData, nDataSize, pMapInfo, nPtrSize);
|
||||||
|
|
||||||
|
case TDH_INTYPE_FLOAT:
|
||||||
|
assert(nDataSize >= sizeof(FLOAT));
|
||||||
|
return tstring_printf(_T("%f"), *(PFLOAT)pData);
|
||||||
|
|
||||||
|
case TDH_INTYPE_DOUBLE:
|
||||||
|
assert(nDataSize >= sizeof(DOUBLE));
|
||||||
|
return tstring_printf(_T("%I64f"), *(DOUBLE*)pData);
|
||||||
|
|
||||||
|
case TDH_INTYPE_BOOLEAN:
|
||||||
|
assert(nDataSize >= sizeof(ULONG)); // Yes, boolean is really 32-bit.
|
||||||
|
return *(PULONG)pData ? _T("true") : _T("false");
|
||||||
|
|
||||||
|
case TDH_INTYPE_BINARY:
|
||||||
|
switch (OutType) {
|
||||||
|
case TDH_OUTTYPE_IPV6: {
|
||||||
|
auto RtlIpv6AddressToString = (LPTSTR(NTAPI*)(const IN6_ADDR*, LPTSTR))GetProcAddress(GetModuleHandle(_T("ntdll.dll")),
|
||||||
|
#ifdef _UNICODE
|
||||||
|
"RtlIpv6AddressToStringW"
|
||||||
|
#else
|
||||||
|
"RtlIpv6AddressToStringA"
|
||||||
|
#endif
|
||||||
|
);
|
||||||
|
if (RtlIpv6AddressToString) {
|
||||||
|
TCHAR szIPv6Addr[47];
|
||||||
|
RtlIpv6AddressToString((IN6_ADDR*)pData, szIPv6Addr);
|
||||||
|
return tstring_printf(_T("%s"), szIPv6Addr);
|
||||||
|
} else
|
||||||
|
return _T("<IPv6 address>");
|
||||||
|
}
|
||||||
|
default: {
|
||||||
|
tstring out;
|
||||||
|
for (SIZE_T i = 0; i < nDataSize; i++)
|
||||||
|
out.append(tstring_printf(i ? _T(" %02x") : _T("%02x"), pData[i]));
|
||||||
|
return out;
|
||||||
|
}}
|
||||||
|
|
||||||
|
case TDH_INTYPE_HEXDUMP:
|
||||||
|
return DataToString(TDH_INTYPE_BINARY, TDH_OUTTYPE_NULL, pData, nDataSize, pMapInfo, nPtrSize);
|
||||||
|
|
||||||
|
case TDH_INTYPE_GUID: {
|
||||||
|
assert(nDataSize >= sizeof(GUID));
|
||||||
|
WCHAR szGuid[39];
|
||||||
|
StringFromGUID2(*(GUID*)pData, szGuid, _countof(szGuid));
|
||||||
|
return tstring_printf(_T("%ls"), szGuid);
|
||||||
|
}
|
||||||
|
|
||||||
|
case TDH_INTYPE_POINTER:
|
||||||
|
assert(nDataSize >= nPtrSize);
|
||||||
|
switch (nPtrSize) {
|
||||||
|
case sizeof(ULONG ): return tstring_printf(_T("0x%08x" ), *(PULONG )pData);
|
||||||
|
case sizeof(ULONGLONG): return tstring_printf(_T("0x%016I64x"), *(PULONGLONG)pData);
|
||||||
|
default: // Unsupported pointer size.
|
||||||
|
assert(0);
|
||||||
|
return _T("<pointer>");
|
||||||
|
}
|
||||||
|
|
||||||
|
case TDH_INTYPE_SIZET:
|
||||||
|
assert(nDataSize >= nPtrSize);
|
||||||
|
switch (nPtrSize) {
|
||||||
|
case sizeof(ULONG ): return tstring_printf(_T("%u" ), *(PULONG )pData);
|
||||||
|
case sizeof(ULONGLONG): return tstring_printf(_T("%I64u"), *(PULONGLONG)pData);
|
||||||
|
default: // Unsupported size_t size.
|
||||||
|
assert(0);
|
||||||
|
return _T("<size_t>");
|
||||||
|
}
|
||||||
|
|
||||||
|
case TDH_INTYPE_FILETIME: {
|
||||||
|
assert(nDataSize >= sizeof(FILETIME));
|
||||||
|
SYSTEMTIME st, st_local;
|
||||||
|
FileTimeToSystemTime((PFILETIME)pData, &st);
|
||||||
|
SystemTimeToTzSpecificLocalTime(NULL, &st, &st_local);
|
||||||
|
return DataToString(TDH_INTYPE_SYSTEMTIME, OutType, (LPCBYTE)&st_local, sizeof(st_local), pMapInfo, nPtrSize);
|
||||||
|
}
|
||||||
|
|
||||||
|
case TDH_INTYPE_SYSTEMTIME:
|
||||||
|
assert(nDataSize >= sizeof(SYSTEMTIME));
|
||||||
|
switch (OutType) {
|
||||||
|
case TDH_OUTTYPE_CULTURE_INSENSITIVE_DATETIME: return tstring_printf(_T("%04d-%02d-%02d %02d:%02d:%02d.%03u"), ((PSYSTEMTIME)pData)->wYear, ((PSYSTEMTIME)pData)->wMonth, ((PSYSTEMTIME)pData)->wDay, ((PSYSTEMTIME)pData)->wHour, ((PSYSTEMTIME)pData)->wMinute, ((PSYSTEMTIME)pData)->wSecond, ((PSYSTEMTIME)pData)->wMilliseconds);
|
||||||
|
default: {
|
||||||
|
tstring out;
|
||||||
|
return GetDateFormat(LOCALE_USER_DEFAULT, DATE_LONGDATE, (PSYSTEMTIME)pData, NULL, out) ? out : tstring(_T("<time>"));
|
||||||
|
}}
|
||||||
|
|
||||||
|
case TDH_INTYPE_WBEMSID:
|
||||||
|
// A WBEM SID is actually a TOKEN_USER structure followed
|
||||||
|
// by the SID. The size of the TOKEN_USER structure differs
|
||||||
|
// depending on whether the events were generated on a 32-bit
|
||||||
|
// or 64-bit architecture. Also the structure is aligned
|
||||||
|
// on an 8-byte boundary, so its size is 8 bytes on a
|
||||||
|
// 32-bit computer and 16 bytes on a 64-bit computer.
|
||||||
|
// Doubling the pointer size handles both cases.
|
||||||
|
assert(nDataSize >= nPtrSize * 2);
|
||||||
|
return (PULONG)pData > 0 ? DataToString(TDH_INTYPE_SID, OutType, pData + nPtrSize * 2, nDataSize - nPtrSize * 2, pMapInfo, nPtrSize) : _T("<WBEM SID>");
|
||||||
|
|
||||||
|
case TDH_INTYPE_SID: {
|
||||||
|
assert(nDataSize >= sizeof(SID));
|
||||||
|
tstring user_name, domain_name;
|
||||||
|
SID_NAME_USE eNameUse;
|
||||||
|
if (LookupAccountSid(NULL, (PSID)pData, &user_name, &domain_name, &eNameUse))
|
||||||
|
return tstring_printf(_T("%s\\%s"), domain_name.c_str(), user_name.c_str());
|
||||||
|
else {
|
||||||
|
unique_ptr<TCHAR[], LocalFree_delete<TCHAR[]> > sid;
|
||||||
|
if (GetLastError() == ERROR_NONE_MAPPED &&
|
||||||
|
ConvertSidToStringSid((PSID)pData, (LPTSTR*)&sid))
|
||||||
|
return tstring_printf(_T("%s"), sid.get());
|
||||||
|
else
|
||||||
|
return _T("<SID>");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
default:
|
||||||
|
// It is not actually an error if we do not understand the given data type.
|
||||||
|
assert(0);
|
||||||
|
return _T("<unknown data type>");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static ULONG GetArraySize(PEVENT_RECORD pEvent, PTRACE_EVENT_INFO pInfo, ULONG i, ULONG *pulArraySize)
|
||||||
|
{
|
||||||
|
if (pInfo->EventPropertyInfoArray[i].Flags & PropertyParamCount) {
|
||||||
|
ULONG ulResult;
|
||||||
|
|
||||||
|
// Get array count property.
|
||||||
|
PROPERTY_DATA_DESCRIPTOR data_desc = { (ULONGLONG)((LPBYTE)pInfo + pInfo->EventPropertyInfoArray[pInfo->EventPropertyInfoArray[i].countPropertyIndex].NameOffset), ULONG_MAX };
|
||||||
|
vector<unsigned char> count;
|
||||||
|
if ((ulResult = TdhGetProperty(pEvent, 0, NULL, 1, &data_desc, count)) != ERROR_SUCCESS)
|
||||||
|
return ulResult;
|
||||||
|
|
||||||
|
// Copy count value to output.
|
||||||
|
switch (count.size()) {
|
||||||
|
case sizeof(BYTE ): *pulArraySize = *(const BYTE* )count.data(); break;
|
||||||
|
case sizeof(USHORT): *pulArraySize = *(const USHORT*)count.data(); break;
|
||||||
|
case sizeof(ULONG ): *pulArraySize = *(const ULONG* )count.data(); break;
|
||||||
|
default : return ERROR_MORE_DATA;
|
||||||
|
}
|
||||||
|
} else
|
||||||
|
*pulArraySize = pInfo->EventPropertyInfoArray[i].count;
|
||||||
|
|
||||||
|
return ERROR_SUCCESS;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static tstring PropertyToString(PEVENT_RECORD pEvent, PTRACE_EVENT_INFO pInfo, ULONG ulPropIndex, LPWSTR pStructureName, ULONG ulStructIndex, BYTE nPtrSize)
|
||||||
|
{
|
||||||
|
ULONG ulResult;
|
||||||
|
|
||||||
|
// Get the size of the array if the property is an array.
|
||||||
|
ULONG ulArraySize = 0;
|
||||||
|
if ((ulResult = GetArraySize(pEvent, pInfo, ulPropIndex, &ulArraySize)) != ERROR_SUCCESS)
|
||||||
|
return tstring_printf(_T("<Error getting array size (error %u)>"), ulResult);;
|
||||||
|
|
||||||
|
tstring out;
|
||||||
|
|
||||||
|
if (ulArraySize > 1)
|
||||||
|
out += tstring_printf(_T("[%u]("), ulArraySize);
|
||||||
|
|
||||||
|
for (ULONG k = 0; k < ulArraySize; k++) {
|
||||||
|
if (pInfo->EventPropertyInfoArray[ulPropIndex].Flags & PropertyStruct) {
|
||||||
|
// The property is a structure: print the members of the structure.
|
||||||
|
tstring out;
|
||||||
|
out += _T('(');
|
||||||
|
for (USHORT j = pInfo->EventPropertyInfoArray[ulPropIndex].structType.StructStartIndex, usLastMember = pInfo->EventPropertyInfoArray[ulPropIndex].structType.StructStartIndex + pInfo->EventPropertyInfoArray[ulPropIndex].structType.NumOfStructMembers; j < usLastMember; j++) {
|
||||||
|
out += tstring_printf(_T("%ls: "), (LPBYTE)pInfo + pInfo->EventPropertyInfoArray[j].NameOffset);
|
||||||
|
out += PropertyToString(pEvent, pInfo, j, (LPWSTR)((LPBYTE)(pInfo) + pInfo->EventPropertyInfoArray[ulPropIndex].NameOffset), k, nPtrSize);
|
||||||
|
}
|
||||||
|
out += _T(')');
|
||||||
|
} else {
|
||||||
|
if (pInfo->EventPropertyInfoArray[ulPropIndex].nonStructType.InType == TDH_INTYPE_BINARY &&
|
||||||
|
pInfo->EventPropertyInfoArray[ulPropIndex].nonStructType.OutType == TDH_OUTTYPE_IPV6)
|
||||||
|
{
|
||||||
|
// The TDH API does not support IPv6 addresses. If the output type is TDH_OUTTYPE_IPV6,
|
||||||
|
// you will not be able to consume the rest of the event. If you try to consume the
|
||||||
|
// remainder of the event, you will get ERROR_EVT_INVALID_EVENT_DATA.
|
||||||
|
return _T("<The event contains an IPv6 address. Skipping.>");
|
||||||
|
} else {
|
||||||
|
vector<BYTE> data;
|
||||||
|
if (pStructureName) {
|
||||||
|
// To retrieve a member of a structure, you need to specify an array of descriptors.
|
||||||
|
// The first descriptor in the array identifies the name of the structure and the second
|
||||||
|
// descriptor defines the member of the structure whose data you want to retrieve.
|
||||||
|
PROPERTY_DATA_DESCRIPTOR data_desc[2] = {
|
||||||
|
{ (ULONGLONG)pStructureName , ulStructIndex },
|
||||||
|
{ (ULONGLONG)((LPBYTE)pInfo + pInfo->EventPropertyInfoArray[ulPropIndex].NameOffset), k }
|
||||||
|
};
|
||||||
|
ulResult = TdhGetProperty(pEvent, 0, NULL, _countof(data_desc), data_desc, data);
|
||||||
|
} else {
|
||||||
|
PROPERTY_DATA_DESCRIPTOR data_desc = { (ULONGLONG)((LPBYTE)pInfo + pInfo->EventPropertyInfoArray[ulPropIndex].NameOffset), k };
|
||||||
|
ulResult = TdhGetProperty(pEvent, 0, NULL, 1, &data_desc, data);
|
||||||
|
}
|
||||||
|
if (ulResult == ERROR_EVT_INVALID_EVENT_DATA) {
|
||||||
|
// This happens with empty/NULL data. Not an error actually.
|
||||||
|
assert(data.empty());
|
||||||
|
} else if (ulResult != ERROR_SUCCESS)
|
||||||
|
return tstring_printf(_T("<Error getting property (error %u)>"), ulResult);
|
||||||
|
|
||||||
|
// Get the name/value mapping if the property specifies a value map.
|
||||||
|
unique_ptr<EVENT_MAP_INFO> map_info;
|
||||||
|
ulResult = TdhGetEventMapInformation(pEvent, (LPWSTR)((LPBYTE)pInfo + pInfo->EventPropertyInfoArray[ulPropIndex].nonStructType.MapNameOffset), map_info);
|
||||||
|
if (ulResult == ERROR_NOT_FOUND) {
|
||||||
|
// name/value mapping not found. Not an error actually.
|
||||||
|
assert(!map_info);
|
||||||
|
} else if (ulResult != ERROR_SUCCESS)
|
||||||
|
return tstring_printf(_T("<Error getting map information (error %u)>"), ulResult);
|
||||||
|
else if (pInfo->DecodingSource == DecodingSourceXMLFile) {
|
||||||
|
// The mapped string values defined in a manifest will contain a trailing space
|
||||||
|
// in the EVENT_MAP_ENTRY structure. Replace the trailing space with a null-
|
||||||
|
// terminating character, so that the bit mapped strings are correctly formatted.
|
||||||
|
for (ULONG i = 0; i < map_info->EntryCount; i++) {
|
||||||
|
SIZE_T len = _tcslen((LPCTSTR)((PBYTE)map_info.get() + map_info->MapEntryArray[i].OutputOffset)) - 1;
|
||||||
|
((LPWSTR)((PBYTE)map_info.get() + map_info->MapEntryArray[i].OutputOffset))[len] = 0;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!out.empty()) out += _T(", ");
|
||||||
|
out += !data.empty() ? DataToString(
|
||||||
|
pInfo->EventPropertyInfoArray[ulPropIndex].nonStructType.InType,
|
||||||
|
pInfo->EventPropertyInfoArray[ulPropIndex].nonStructType.OutType,
|
||||||
|
data.data(),
|
||||||
|
data.size(),
|
||||||
|
map_info.get(),
|
||||||
|
nPtrSize) : _T("<null>");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (ulArraySize > 1)
|
||||||
|
out += _T(')');
|
||||||
|
|
||||||
|
return out;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
static VOID WINAPI EventRecordCallback(_In_ PEVENT_RECORD pEvent)
|
static VOID WINAPI EventRecordCallback(_In_ PEVENT_RECORD pEvent)
|
||||||
{
|
{
|
||||||
{
|
{
|
||||||
|
// Calculate and print event time-stamp.
|
||||||
FILETIME ft;
|
FILETIME ft;
|
||||||
ft.dwHighDateTime = pEvent->EventHeader.TimeStamp.HighPart;
|
ft.dwHighDateTime = pEvent->EventHeader.TimeStamp.HighPart;
|
||||||
ft.dwLowDateTime = pEvent->EventHeader.TimeStamp.LowPart;
|
ft.dwLowDateTime = pEvent->EventHeader.TimeStamp.LowPart;
|
||||||
|
|
||||||
SYSTEMTIME st;
|
SYSTEMTIME st, st_local;
|
||||||
FileTimeToSystemTime(&ft, &st);
|
FileTimeToSystemTime(&ft, &st);
|
||||||
|
|
||||||
SYSTEMTIME st_local;
|
|
||||||
SystemTimeToTzSpecificLocalTime(NULL, &st, &st_local);
|
SystemTimeToTzSpecificLocalTime(NULL, &st, &st_local);
|
||||||
|
|
||||||
ULONGLONG
|
ULONGLONG
|
||||||
@ -65,10 +431,36 @@ static VOID WINAPI EventRecordCallback(_In_ PEVENT_RECORD pEvent)
|
|||||||
}
|
}
|
||||||
|
|
||||||
{
|
{
|
||||||
|
// Get event meta-info.
|
||||||
unique_ptr<TRACE_EVENT_INFO> info;
|
unique_ptr<TRACE_EVENT_INFO> info;
|
||||||
ULONG ulResult;
|
ULONG ulResult;
|
||||||
if ((ulResult = TdhGetEventInformation(pEvent, 0, NULL, info)) == ERROR_SUCCESS) {
|
if ((ulResult = TdhGetEventInformation(pEvent, 0, NULL, info)) == ERROR_SUCCESS) {
|
||||||
_ftprintf(stdout, _T(" %ls"), info->EventMessageOffset ? (LPCWSTR)((LPCBYTE)info.get() + info->EventMessageOffset) : L"");
|
if (info->DecodingSource != DecodingSourceWPP) {
|
||||||
|
if (pEvent->EventHeader.Flags & EVENT_HEADER_FLAG_STRING_ONLY) {
|
||||||
|
// This is a string-only event. Print it.
|
||||||
|
_ftprintf(stdout, _T(" %ls"), pEvent->UserData);
|
||||||
|
} else {
|
||||||
|
// This is not a string-only event. Prepare parameters.
|
||||||
|
|
||||||
|
BYTE nPtrSize = (pEvent->EventHeader.Flags & EVENT_HEADER_FLAG_32_BIT_HEADER) ? 4 : 8;
|
||||||
|
vector<tstring> props;
|
||||||
|
vector<DWORD_PTR> props_msg;
|
||||||
|
props.reserve(info->TopLevelPropertyCount);
|
||||||
|
props_msg.reserve(info->TopLevelPropertyCount);
|
||||||
|
for (ULONG i = 0; i < info->TopLevelPropertyCount; i++) {
|
||||||
|
props.push_back(std::move(PropertyToString(pEvent, info.get(), i, NULL, 0, nPtrSize)));
|
||||||
|
props_msg.push_back((DWORD_PTR)props[i].c_str());
|
||||||
|
}
|
||||||
|
|
||||||
|
if (info->EventMessageOffset) {
|
||||||
|
// Format the message.
|
||||||
|
_ftprintf(stdout, _T(" %ls"), wstring_msg(0, (LPCTSTR)((LPCBYTE)info.get() + info->EventMessageOffset), props_msg.data()).c_str());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} else if (info->EventMessageOffset) {
|
||||||
|
// This is a WPP event.
|
||||||
|
_ftprintf(stdout, _T(" %ls"), (LPCBYTE)info.get() + info->EventMessageOffset);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@ -24,8 +24,12 @@
|
|||||||
|
|
||||||
#include <WinStd/COM.h>
|
#include <WinStd/COM.h>
|
||||||
#include <WinStd/ETW.h>
|
#include <WinStd/ETW.h>
|
||||||
|
#include <WinStd/Win.h>
|
||||||
|
|
||||||
#include <Windows.h>
|
#include <Windows.h>
|
||||||
|
#include <in6addr.h>
|
||||||
|
#include <MSTcpIP.h>
|
||||||
|
#include <Sddl.h>
|
||||||
#include <tchar.h>
|
#include <tchar.h>
|
||||||
|
|
||||||
#include <vector>
|
#include <vector>
|
||||||
|
|||||||
@ -1 +1 @@
|
|||||||
Subproject commit b7e21e972fe4f154a4d9f92a04f8ca08f0a00ad8
|
Subproject commit 5c03df0d74a3984c7ba23398b10ea061cffafc84
|
||||||
Loading…
x
Reference in New Issue
Block a user