From 08bacb9e65f8e46c160cba8510bd186350bd991d Mon Sep 17 00:00:00 2001
From: Simon Rozman <simon@rozman.si>
Date: Thu, 23 Jun 2016 15:41:44 +0200
Subject: [PATCH] TdhGetEventMapInformation helper added

---
 include/WinStd/ETW.h | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/include/WinStd/ETW.h b/include/WinStd/ETW.h
index e00c2ef2..967e5742 100644
--- a/include/WinStd/ETW.h
+++ b/include/WinStd/ETW.h
@@ -31,6 +31,7 @@
 #include <vector>
 
 inline ULONG TdhGetEventInformation(_In_ PEVENT_RECORD pEvent, _In_ ULONG TdhContextCount, _In_ PTDH_CONTEXT pTdhContext, _Out_ std::unique_ptr<TRACE_EVENT_INFO> &info);
+inline ULONG TdhGetEventMapInformation(_In_ PEVENT_RECORD pEvent, _In_ LPWSTR pMapName, _Out_ std::unique_ptr<EVENT_MAP_INFO> &info);
 
 namespace winstd
 {
@@ -74,6 +75,33 @@ inline ULONG TdhGetEventInformation(_In_ PEVENT_RECORD pEvent, _In_ ULONG TdhCon
 }
 
 
+///
+/// Retrieves information about the event map contained in the event.
+///
+/// \sa [TdhGetEventMapInformation function](https://msdn.microsoft.com/en-us/library/windows/desktop/aa964841.aspx)
+///
+inline ULONG TdhGetEventMapInformation(_In_ PEVENT_RECORD pEvent, _In_ LPWSTR pMapName, _Out_ std::unique_ptr<EVENT_MAP_INFO> &info)
+{
+    BYTE szBuffer[WINSTD_STACK_BUFFER_BYTES];
+    ULONG ulSize = sizeof(szBuffer), ulResult;
+
+    // Try with stack buffer first.
+    ulResult = TdhGetEventMapInformation(pEvent, pMapName, (PEVENT_MAP_INFO)szBuffer, &ulSize);
+    if (ulResult == ERROR_SUCCESS) {
+        // Copy from stack.
+        info.reset((PEVENT_MAP_INFO)new char[ulSize]);
+        memcpy(info.get(), szBuffer, ulSize);
+        return ERROR_SUCCESS;
+    } else if (ulResult == ERROR_INSUFFICIENT_BUFFER) {
+        // Create buffer on heap and retry.
+        info.reset((PEVENT_MAP_INFO)new char[ulSize]);
+        return TdhGetEventMapInformation(pEvent, pMapName, info.get(), &ulSize);
+    }
+
+    return ulResult;
+}
+
+
 namespace winstd
 {
     ///