microsoft / krabsetw

KrabsETW provides a modern C++ wrapper and a .NET wrapper around the low-level ETW trace consumption functions.

how to handle map and unmap (excluding image files) event type in krabsetw #156

Open yangjian123 opened 3 years ago

yangjian123 commented 3 years ago

hi, I enabled EVENT_TRACE_FLAG_VAMAP in krabsetw, but cannot receive events. From the MSDN description, it also has no properties. How can I handle map and unmap events? Please help.

jdu2600 commented 3 years ago

iirc MSDN doesn't document those events. You can dynamically retrieve the property information using the TDH ETW APIs though.

Or just use a tool like EtwExplorer which gives you this information -

[dynamic: ToInstance, Guid("{90cbdc39-4a3e-11d1-84f4-0000f80464e3}"), EventVersion(2)]
class FileIo_V2 : MSNT_SystemTrace
{
};

[dynamic: ToInstance, EventType{37, 38, 39, 40}]
class FileIo_V2_MapFile : FileIo_V2
{
    [WmiDataId(1), pointer, read] uint32 ViewBase;
    [WmiDataId(2), pointer, read] uint32 FileObject;
    [WmiDataId(3), format("x"), read] uint64 MiscInfo;
    [WmiDataId(4), extension("SizeT"), read] object ViewSize;
    [WmiDataId(5), read] uint32 ProcessId;
};

A quick snippet that enables these events in krabs is -

#include <iostream>
#include <krabs.hpp>

krabs::kernel_trace trace;                 // "trace()" would declare a function, not a trace object
krabs::kernel::vamap_provider provider;    // enables EVENT_TRACE_FLAG_VAMAP on the kernel logger
provider.add_on_event_callback([](const EVENT_RECORD& record, const krabs::trace_context&) {
    // Opcode is a UCHAR; cast it so the number prints instead of a character
    std::wcout << static_cast<int>(record.EventHeader.EventDescriptor.Opcode) << std::endl;
    });
trace.enable(provider);
trace.start();                             // blocks until trace.stop() is called from another thread

And then follow any of the krabs examples to parse the properties.

yangjian123 commented 3 years ago

thanks jdu2600, I will have a try

yangjian123 commented 3 years ago

hi, @jdu2600, is this feature not supported on Windows 7?

jdu2600 commented 3 years ago

Ah. Probably not.

According to Geoff Chappell, EVENT_TRACE_FLAG_VAMAP was added in Windows 8.

yangjian123 commented 3 years ago

thanks @jdu2600, I used the following code snippet, and krabsetw throws an exception; the exception indicates that TdhGetEventInformation returned ERROR_NOT_FOUND (1168).

jdu2600 commented 3 years ago

That's strange. Unfortunately that seems to be a Windows issue.

The raw data is available though, so you could attempt to manually parse it. Something like this -

#include <cstdint>
#include <cstring>

// Manually decode the raw FileIo_V2_MapFile payload (pointer-sized fields on x64),
// using memcpy so the reads are alignment-safe.
if (record.UserDataLength == 44) {
    auto data = static_cast<const uint8_t*>(record.UserData);
    uint64_t ViewBase, FileObject, MiscInfo, ViewSize;
    std::memcpy(&ViewBase,   data,      sizeof ViewBase);    // WmiDataId(1)
    std::memcpy(&FileObject, data + 8,  sizeof FileObject);  // WmiDataId(2)
    std::memcpy(&MiscInfo,   data + 16, sizeof MiscInfo);    // WmiDataId(3)
    std::memcpy(&ViewSize,   data + 24, sizeof ViewSize);    // WmiDataId(4) SizeT
}
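The two jdu2600 comments above (enabling the vamap provider, and falling back to manual parsing when TdhGetEventInformation has no schema for the event) can be combined into one bounds-checked decoder. The code below is an added example written for this thread; it is not krabsetw project code. It assumes the field layout from the FileIo_V2_MapFile MOF shown earlier with x64 pointer widths (the five MOF fields occupy 8+8+8+8+4 = 36 bytes, so the decoder requires at least 36 bytes and tolerates a longer payload such as the 44 bytes mentioned above), and it assumes the opcode names MapFile/UnmapFile/MapFileDCStart/MapFileDCEnd for EventType 37..40, which this page does not document. The sample payload is constructed inline so the example runs offline; in a real krabs callback you would call `decodeMapFile(record.EventHeader.EventDescriptor.Opcode, record.UserData, record.UserDataLength)`.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Decoded view of the FileIo_V2_MapFile payload. Field order and types follow
// the MOF quoted in this thread; x64 pointer width is assumed.
struct MapFileEvent {
    bool ok = false;          // false when the payload is too short for the MOF fields
    std::string kind;         // opcode name (assumed mapping, see below)
    uint64_t viewBase = 0;    // WmiDataId(1) pointer
    uint64_t fileObject = 0;  // WmiDataId(2) pointer
    uint64_t miscInfo = 0;    // WmiDataId(3) uint64
    uint64_t viewSize = 0;    // WmiDataId(4) SizeT
    uint32_t processId = 0;   // WmiDataId(5) uint32
};

// Assumption: these names for EventType {37,38,39,40} are not given on this page.
std::string mapFileOpcodeName(uint8_t opcode) {
    switch (opcode) {
        case 37: return "MapFile";
        case 38: return "UnmapFile";
        case 39: return "MapFileDCStart";
        case 40: return "MapFileDCEnd";
        default: return "Unknown";
    }
}

// Smallest payload that can hold the five MOF fields on x64: 8+8+8+8+4 bytes.
constexpr size_t kMapFileMinLength = 36;

// Decode raw UserData without a TDH schema. Never reads past userDataLength.
MapFileEvent decodeMapFile(uint8_t opcode, const void* userData, uint16_t userDataLength) {
    MapFileEvent ev;
    ev.kind = mapFileOpcodeName(opcode);
    if (userData == nullptr || userDataLength < kMapFileMinLength) {
        return ev;  // ok stays false: refuse to parse a truncated buffer
    }
    auto p = static_cast<const uint8_t*>(userData);
    std::memcpy(&ev.viewBase,   p + 0,  sizeof ev.viewBase);    // alignment-safe reads
    std::memcpy(&ev.fileObject, p + 8,  sizeof ev.fileObject);
    std::memcpy(&ev.miscInfo,   p + 16, sizeof ev.miscInfo);
    std::memcpy(&ev.viewSize,   p + 24, sizeof ev.viewSize);
    std::memcpy(&ev.processId,  p + 32, sizeof ev.processId);
    ev.ok = true;
    return ev;
}

// Builds a constructed sample payload in host byte order (x86/x64 are little-endian)
// so the decoder can be exercised offline. totalLength may exceed the MOF fields,
// mirroring the 44-byte payload observed in this thread; extra bytes are left zero.
std::vector<uint8_t> makeSamplePayload(uint64_t viewBase, uint64_t fileObject,
                                       uint64_t miscInfo, uint64_t viewSize,
                                       uint32_t pid, size_t totalLength = kMapFileMinLength) {
    std::vector<uint8_t> buf(std::max(totalLength, kMapFileMinLength), 0);
    std::memcpy(buf.data() + 0,  &viewBase,   8);
    std::memcpy(buf.data() + 8,  &fileObject, 8);
    std::memcpy(buf.data() + 16, &miscInfo,   8);
    std::memcpy(buf.data() + 24, &viewSize,   8);
    std::memcpy(buf.data() + 32, &pid,        4);
    buf.resize(totalLength);  // truncate if a deliberately short buffer was requested
    return buf;
}

int main() {
    // Constructed sample: a 44-byte MapFile (opcode 37) payload.
    auto buf = makeSamplePayload(0x7ff600000000ULL, 0xffff8a0012345678ULL, 0x1ULL,
                                 0x10000ULL, 4321u, 44);
    auto ev = decodeMapFile(37, buf.data(), static_cast<uint16_t>(buf.size()));
    std::printf("%s ok=%d pid=%u viewBase=0x%llx viewSize=0x%llx\n",
                ev.kind.c_str(), ev.ok ? 1 : 0, ev.processId,
                static_cast<unsigned long long>(ev.viewBase),
                static_cast<unsigned long long>(ev.viewSize));
    return 0;
}
```

The length check is the important part: an event whose schema lookup fails is exactly the case where nothing else validates the payload for you, so the decoder refuses anything shorter than the MOF-defined fields rather than reading past the buffer.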