microsoft / krabsetw

KrabsETW provides a modern C++ wrapper and a .NET wrapper around the low-level ETW trace consumption functions.

Fail to use `not_filter` and `and_filter` predicates #103

Closed pathtofile closed 4 years ago

pathtofile commented 4 years ago

I was attempting to use the and_filter, or_filter and not_filter predicates, but my code failed to compile when combining with the other built-in predicates such as id_is. Here is an example that fails to compile:

    #include <krabs.hpp>

    // ----- Setup Trace -----
    krabs::user_trace trace;
    krabs::provider<> provider(L"Microsoft-Windows-Kernel-Process");
    provider.all(0x10);

    // TODO: This doesn't work D:
    krabs::predicates::details::and_filter and_filter_fail_a(krabs::predicates::id_is(1), krabs::predicates::id_is(2));
    krabs::event_filter and_filter_fail_b(and_filter_fail_a);

    // TODO: Neither does this not_filter D:
    krabs::predicates::details::not_filter not_filter_fail_a(krabs::predicates::id_is(1));
    krabs::event_filter not_filter_fail_b(not_filter_fail_a);

    // ----- If the above worked, add callback and start trace -----
    and_filter_fail_b.add_on_event_callback([](const EVENT_RECORD& record, const krabs::trace_context& trace_context) {
        krabs::schema schema(record, trace_context.schema_locator); // ...
    });
    not_filter_fail_b.add_on_event_callback([](const EVENT_RECORD& record, const krabs::trace_context& trace_context) {
        krabs::schema schema(record, trace_context.schema_locator); // ...
    });
    provider.add_filter(and_filter_fail_b);
    provider.add_filter(not_filter_fail_b);
    trace.enable(provider);
    trace.start();

It appears to be because the prototype for the id_is::operator() function is:

    bool operator()(const EVENT_RECORD &record, const krabs::trace_context &)

Whilst the and_, or_ and not_ predicates expect it to be:

    bool operator()(const EVENT_RECORD &record, const krabs::trace_context &trace_context) const

My code compiles successfully if I alter the id_is::operator function to match the others.

Am I using these predicates wrong? If I'm using them the wrong way, if you supply a working snippet I'd be happy to turn it into an example to put into the code.

If this is a prototype mismatch, happy to also look at fixing that.
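The mechanism behind the mismatch, shown as an added stand-alone example that is not krabsetw's code: EVENT_RECORD and trace_context are minimal stand-ins, and the and_filter/or_filter/not_filter composites and the make_and/make_or/make_not helpers are a simplified reconstruction of the pattern (predicates stored by value, composite called through a const reference), not the library's own types. A composite whose operator() is const can only call operands whose operator() is also const, which is exactly why a non-const leaf predicate breaks compilation inside and_filter or not_filter, and why adding const to the leaf fixes it.

```cpp
#include <cstdint>
#include <type_traits>
#include <vector>

// Stand-ins for the Win32 EVENT_RECORD and krabs::trace_context types,
// constructed for this example; only the fields the predicates read are modelled.
struct EVENT_RECORD {
    uint16_t EventId;
    uint32_t ProcessId;
};
struct trace_context {};

namespace demo {

// Leaf predicate with the post-fix signature: operator() is const.
struct id_is {
    uint16_t id;
    explicit id_is(uint16_t i) : id(i) {}
    bool operator()(const EVENT_RECORD& r, const trace_context&) const { return r.EventId == id; }
};

struct process_id_is {
    uint32_t pid;
    explicit process_id_is(uint32_t p) : pid(p) {}
    bool operator()(const EVENT_RECORD& r, const trace_context&) const { return r.ProcessId == pid; }
};

// Leaf predicate with the pre-fix signature (operator() not const). It is
// never placed inside a composite below, because that would not compile.
struct id_is_nonconst {
    uint16_t id;
    explicit id_is_nonconst(uint16_t i) : id(i) {}
    bool operator()(const EVENT_RECORD& r, const trace_context&) { return r.EventId == id; }
};

// Composites hold operands by value and are invoked through a const
// reference, so each operand must be callable on a const object.
template <typename T1, typename T2>
struct and_filter {
    T1 t1; T2 t2;
    and_filter(const T1& a, const T2& b) : t1(a), t2(b) {}
    bool operator()(const EVENT_RECORD& r, const trace_context& c) const { return t1(r, c) && t2(r, c); }
};

template <typename T1, typename T2>
struct or_filter {
    T1 t1; T2 t2;
    or_filter(const T1& a, const T2& b) : t1(a), t2(b) {}
    bool operator()(const EVENT_RECORD& r, const trace_context& c) const { return t1(r, c) || t2(r, c); }
};

template <typename T>
struct not_filter {
    T t;
    explicit not_filter(const T& a) : t(a) {}
    bool operator()(const EVENT_RECORD& r, const trace_context& c) const { return !t(r, c); }
};

// Factory helpers (hypothetical names) so the operand types are deduced.
template <typename T1, typename T2>
and_filter<T1, T2> make_and(const T1& a, const T2& b) { return and_filter<T1, T2>(a, b); }
template <typename T1, typename T2>
or_filter<T1, T2> make_or(const T1& a, const T2& b) { return or_filter<T1, T2>(a, b); }
template <typename T>
not_filter<T> make_not(const T& a) { return not_filter<T>(a); }

// The root cause, stated as a type trait: a const leaf is callable from a
// const composite, a non-const leaf is not.
static_assert(std::is_invocable_v<const id_is&, const EVENT_RECORD&, const trace_context&>,
              "const operator() is callable through a const reference");
static_assert(!std::is_invocable_v<const id_is_nonconst&, const EVENT_RECORD&, const trace_context&>,
              "non-const operator() cannot be called through a const reference");

} // namespace demo

// Runs a predicate over a constructed event stream and counts matches; the
// predicate is taken by const reference, mirroring how a filter is invoked.
template <typename Pred>
int count_matches(const Pred& pred, const std::vector<EVENT_RECORD>& events) {
    trace_context ctx;
    int n = 0;
    for (const EVENT_RECORD& e : events) if (pred(e, ctx)) ++n;
    return n;
}

// Constructed sample: (EventId, ProcessId) pairs.
const std::vector<EVENT_RECORD>& sample_events() {
    static const std::vector<EVENT_RECORD> v = { {1, 42}, {1, 7}, {2, 42}, {3, 42} };
    return v;
}

int matches_id1_in_pid42()      { return count_matches(demo::make_and(demo::id_is(1), demo::process_id_is(42)), sample_events()); }
int matches_id1_or_id2()        { return count_matches(demo::make_or(demo::id_is(1), demo::id_is(2)), sample_events()); }
int matches_not_id1()           { return count_matches(demo::make_not(demo::id_is(1)), sample_events()); }
int matches_pid42_but_not_id3() { return count_matches(demo::make_and(demo::process_id_is(42), demo::make_not(demo::id_is(3))), sample_events()); }
```

Nesting works because every composite is itself a const-callable predicate, so and(pid, not(id)) composes the same way a leaf does; the two static_asserts are the compile-time form of the failure described above and pass only because the leaf predicates used inside the composites are const-qualified.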

jdu2600 commented 4 years ago

Ah. I assume that I introduced that in https://github.com/microsoft/krabsetw/pull/96. I'll add test cases and a fix.

swannman commented 4 years ago

This should be fixed by #104.