/*
Copyright 2015-2016 Amebis
Copyright 2016 GÉANT
This file is part of GÉANTLink.
GÉANTLink is free software: you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
GÉANTLink is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with GÉANTLink. If not, see .
*/
#include "StdAfx.h"
#pragma comment(lib, "tdh.lib")
#pragma comment(lib, "Ws2_32.lib")
using namespace std;
using namespace winstd;
static vector g_traces;
static BOOL WINAPI ConsoleHandler(_In_ DWORD dwCtrlType)
{
switch(dwCtrlType) {
case CTRL_C_EVENT:
case CTRL_BREAK_EVENT:
case CTRL_CLOSE_EVENT:
case CTRL_LOGOFF_EVENT:
case CTRL_SHUTDOWN_EVENT:
for (vector::const_iterator trace = g_traces.cbegin(), trace_end = g_traces.cend(); trace != trace_end; ++trace)
CloseTrace(*trace);
}
return TRUE;
}
static tstring MapToString(_In_ const EVENT_MAP_INFO *pMapInfo, _In_ LPCBYTE pData)
{
if ( (pMapInfo->Flag & EVENTMAP_INFO_FLAG_MANIFEST_VALUEMAP) ||
((pMapInfo->Flag & EVENTMAP_INFO_FLAG_WBEM_VALUEMAP ) && (pMapInfo->Flag & ~EVENTMAP_INFO_FLAG_WBEM_VALUEMAP) != EVENTMAP_INFO_FLAG_WBEM_FLAG))
{
if ((pMapInfo->Flag & EVENTMAP_INFO_FLAG_WBEM_NO_MAP) == EVENTMAP_INFO_FLAG_WBEM_NO_MAP)
return tstring_printf(_T("%ls"), (PBYTE)pMapInfo + pMapInfo->MapEntryArray[*(PULONG)pData].OutputOffset);
else {
for (ULONG i = 0; ; i++) {
if (i >= pMapInfo->EntryCount)
return tstring_printf(_T("%lu"), *(PULONG)pData);
else if (pMapInfo->MapEntryArray[i].Value == *(PULONG)pData)
return tstring_printf(_T("%ls"), (PBYTE)pMapInfo + pMapInfo->MapEntryArray[i].OutputOffset);
}
}
} else if (
(pMapInfo->Flag & EVENTMAP_INFO_FLAG_MANIFEST_BITMAP) ||
(pMapInfo->Flag & EVENTMAP_INFO_FLAG_WBEM_BITMAP ) ||
((pMapInfo->Flag & EVENTMAP_INFO_FLAG_WBEM_VALUEMAP ) && (pMapInfo->Flag & ~EVENTMAP_INFO_FLAG_WBEM_VALUEMAP) == EVENTMAP_INFO_FLAG_WBEM_FLAG))
{
tstring out;
if (pMapInfo->Flag & EVENTMAP_INFO_FLAG_WBEM_NO_MAP) {
for (ULONG i = 0; i < pMapInfo->EntryCount; i++)
if (*(PULONG)pData & (1 << i))
out.append(tstring_printf(out.empty() ? _T("%ls") : _T(" | %ls"), (PBYTE)pMapInfo + pMapInfo->MapEntryArray[i].OutputOffset));
} else {
for (ULONG i = 0; i < pMapInfo->EntryCount; i++)
if ((pMapInfo->MapEntryArray[i].Value & *(PULONG)pData) == pMapInfo->MapEntryArray[i].Value)
out.append(tstring_printf(out.empty() ? _T("%ls") : _T(" | %ls"), (PBYTE)pMapInfo + pMapInfo->MapEntryArray[i].OutputOffset));
}
return out.empty() ? tstring_printf(_T("%lu"), *(PULONG)pData) : out;
}
return _T("");
}
static tstring DataToString(_In_ USHORT InType, _In_ USHORT OutType, _In_count_(nDataSize) LPCBYTE pData, _In_ SIZE_T nDataSize, _In_ const EVENT_MAP_INFO *pMapInfo, _In_ BYTE nPtrSize)
{
assert(pData || !nDataSize);
switch (InType) {
case TDH_INTYPE_UNICODESTRING:
case TDH_INTYPE_NONNULLTERMINATEDSTRING:
case TDH_INTYPE_UNICODECHAR:
return tstring_printf(_T("%.*ls"), nDataSize/sizeof(WCHAR), pData);
case TDH_INTYPE_ANSISTRING:
case TDH_INTYPE_NONNULLTERMINATEDANSISTRING:
case TDH_INTYPE_ANSICHAR: {
// Convert strings from ANSI code page, all others (JSON, XML etc.) from UTF-8
wstring str;
MultiByteToWideChar(OutType == TDH_OUTTYPE_STRING ? CP_ACP : CP_UTF8, 0, (LPCSTR)pData, (int)nDataSize, str);
return tstring_printf(_T("%ls"), str.c_str());
}
case TDH_INTYPE_COUNTEDSTRING:
return DataToString(TDH_INTYPE_NONNULLTERMINATEDSTRING, OutType, (LPCBYTE)((PUSHORT)pData + 1), *(PUSHORT)pData, pMapInfo, nPtrSize);
case TDH_INTYPE_COUNTEDANSISTRING:
return DataToString(TDH_INTYPE_NONNULLTERMINATEDANSISTRING, OutType, (LPCBYTE)((PUSHORT)pData + 1), *(PUSHORT)pData, pMapInfo, nPtrSize);
case TDH_INTYPE_REVERSEDCOUNTEDSTRING:
return DataToString(TDH_INTYPE_NONNULLTERMINATEDSTRING, OutType, (LPCBYTE)((PUSHORT)pData + 1), MAKEWORD(HIBYTE(*(PUSHORT)pData), LOBYTE(*(PUSHORT)pData)), pMapInfo, nPtrSize);
case TDH_INTYPE_REVERSEDCOUNTEDANSISTRING:
return DataToString(TDH_INTYPE_NONNULLTERMINATEDANSISTRING, OutType, (LPCBYTE)((PUSHORT)pData + 1), MAKEWORD(HIBYTE(*(PUSHORT)pData), LOBYTE(*(PUSHORT)pData)), pMapInfo, nPtrSize);
case TDH_INTYPE_INT8:
assert(nDataSize >= sizeof(CHAR));
switch (OutType) {
case TDH_OUTTYPE_STRING: return DataToString(TDH_INTYPE_ANSICHAR, TDH_OUTTYPE_NULL, pData, nDataSize, pMapInfo, nPtrSize);
default : return tstring_printf(_T("%hd"), *(PCHAR)pData);
}
case TDH_INTYPE_UINT8:
assert(nDataSize >= sizeof(BYTE));
switch (OutType) {
case TDH_OUTTYPE_STRING : return DataToString(TDH_INTYPE_ANSICHAR, TDH_OUTTYPE_NULL, pData, nDataSize, pMapInfo, nPtrSize);
case TDH_OUTTYPE_HEXINT8: return tstring_printf(_T("0x%x"), *(PBYTE)pData);
default : return tstring_printf(_T("%hu" ), *(PBYTE)pData);
}
case TDH_INTYPE_INT16:
assert(nDataSize >= sizeof(SHORT));
return tstring_printf(_T("%hd"), *(PSHORT)pData);
case TDH_INTYPE_UINT16:
assert(nDataSize >= sizeof(USHORT));
switch (OutType) {
case TDH_OUTTYPE_PORT : return tstring_printf(_T("%hu" ), ntohs(*(PUSHORT)pData));
case TDH_OUTTYPE_HEXINT16: return tstring_printf(_T("0x%x"), *(PUSHORT)pData );
case TDH_OUTTYPE_STRING : return tstring_printf(_T("%lc" ), *(PUSHORT)pData );
default : return tstring_printf(_T("%hu" ), *(PUSHORT)pData );
}
case TDH_INTYPE_INT32:
assert(nDataSize >= sizeof(LONG));
switch (OutType) {
case TDH_OUTTYPE_HRESULT: return tstring_printf(_T("0x%x"), *(PLONG)pData);
default : return tstring_printf(_T("%ld" ), *(PLONG)pData);
}
case TDH_INTYPE_UINT32:
assert(nDataSize >= sizeof(ULONG));
switch (OutType) {
case TDH_OUTTYPE_HRESULT :
case TDH_OUTTYPE_WIN32ERROR:
case TDH_OUTTYPE_NTSTATUS :
case TDH_OUTTYPE_HEXINT32 : return tstring_printf(_T("0x%x" ), *(PULONG)pData);
case TDH_OUTTYPE_IPV4 : return tstring_printf(_T("%d.%d.%d.%d"), (*(PULONG)pData >> 0) & 0xff, (*(PULONG)pData >> 8) & 0xff, (*(PULONG)pData >> 16) & 0xff, (*(PULONG)pData >> 24) & 0xff);
default: return pMapInfo ? MapToString(pMapInfo, pData) : tstring_printf(_T("%lu"), *(PULONG)pData);
}
case TDH_INTYPE_HEXINT32:
return DataToString(TDH_INTYPE_UINT32, TDH_OUTTYPE_HEXINT32, pData, nDataSize, pMapInfo, nPtrSize);
case TDH_INTYPE_INT64:
assert(nDataSize >= sizeof(LONGLONG));
return tstring_printf(_T("%I64d"), *(PLONGLONG)pData);
case TDH_INTYPE_UINT64:
assert(nDataSize >= sizeof(ULONGLONG));
switch (OutType) {
case TDH_OUTTYPE_HEXINT64: return tstring_printf(_T("0x%I64x"), *(PULONGLONG)pData);
default : return tstring_printf(_T("%I64u" ), *(PULONGLONG)pData);
}
case TDH_INTYPE_HEXINT64:
return DataToString(TDH_INTYPE_UINT64, TDH_OUTTYPE_HEXINT64, pData, nDataSize, pMapInfo, nPtrSize);
case TDH_INTYPE_FLOAT:
assert(nDataSize >= sizeof(FLOAT));
return tstring_printf(_T("%f"), *(PFLOAT)pData);
case TDH_INTYPE_DOUBLE:
assert(nDataSize >= sizeof(DOUBLE));
return tstring_printf(_T("%I64f"), *(DOUBLE*)pData);
case TDH_INTYPE_BOOLEAN:
assert(nDataSize >= sizeof(ULONG)); // Yes, boolean is really 32-bit.
return *(PULONG)pData ? _T("true") : _T("false");
case TDH_INTYPE_BINARY:
switch (OutType) {
case TDH_OUTTYPE_IPV6: {
auto RtlIpv6AddressToString = (LPTSTR(NTAPI*)(const IN6_ADDR*, LPTSTR))GetProcAddress(GetModuleHandle(_T("ntdll.dll")),
#ifdef _UNICODE
"RtlIpv6AddressToStringW"
#else
"RtlIpv6AddressToStringA"
#endif
);
if (RtlIpv6AddressToString) {
TCHAR szIPv6Addr[47];
RtlIpv6AddressToString((IN6_ADDR*)pData, szIPv6Addr);
return tstring_printf(_T("%s"), szIPv6Addr);
} else
return _T("");
}
default: {
tstring out;
for (SIZE_T i = 0; i < nDataSize; i++)
out.append(tstring_printf(i ? _T(" %02x") : _T("%02x"), pData[i]));
return out;
}}
case TDH_INTYPE_HEXDUMP:
return DataToString(TDH_INTYPE_BINARY, TDH_OUTTYPE_NULL, pData, nDataSize, pMapInfo, nPtrSize);
case TDH_INTYPE_GUID: {
assert(nDataSize >= sizeof(GUID));
WCHAR szGuid[39];
StringFromGUID2(*(GUID*)pData, szGuid, _countof(szGuid));
return tstring_printf(_T("%ls"), szGuid);
}
case TDH_INTYPE_POINTER:
assert(nDataSize >= nPtrSize);
switch (nPtrSize) {
case sizeof(ULONG ): return tstring_printf(_T("0x%08x" ), *(PULONG )pData);
case sizeof(ULONGLONG): return tstring_printf(_T("0x%016I64x"), *(PULONGLONG)pData);
default: // Unsupported pointer size.
assert(0);
return _T("");
}
case TDH_INTYPE_SIZET:
assert(nDataSize >= nPtrSize);
switch (nPtrSize) {
case sizeof(ULONG ): return tstring_printf(_T("%u" ), *(PULONG )pData);
case sizeof(ULONGLONG): return tstring_printf(_T("%I64u"), *(PULONGLONG)pData);
default: // Unsupported size_t size.
assert(0);
return _T("");
}
case TDH_INTYPE_FILETIME: {
assert(nDataSize >= sizeof(FILETIME));
SYSTEMTIME st, st_local;
FileTimeToSystemTime((PFILETIME)pData, &st);
SystemTimeToTzSpecificLocalTime(NULL, &st, &st_local);
return DataToString(TDH_INTYPE_SYSTEMTIME, OutType, (LPCBYTE)&st_local, sizeof(st_local), pMapInfo, nPtrSize);
}
case TDH_INTYPE_SYSTEMTIME:
assert(nDataSize >= sizeof(SYSTEMTIME));
switch (OutType) {
case TDH_OUTTYPE_CULTURE_INSENSITIVE_DATETIME: return tstring_printf(_T("%04d-%02d-%02d %02d:%02d:%02d.%03u"), ((PSYSTEMTIME)pData)->wYear, ((PSYSTEMTIME)pData)->wMonth, ((PSYSTEMTIME)pData)->wDay, ((PSYSTEMTIME)pData)->wHour, ((PSYSTEMTIME)pData)->wMinute, ((PSYSTEMTIME)pData)->wSecond, ((PSYSTEMTIME)pData)->wMilliseconds);
default: {
tstring out;
return GetDateFormat(LOCALE_USER_DEFAULT, DATE_LONGDATE, (PSYSTEMTIME)pData, NULL, out) ? out : tstring(_T("