Closed Gabriele91 closed 2 years ago
Hi there,
First of all, thank you all for this fantastic and helpful library.
I have opened this issue since the schema::task_name(), sometimes (w/ WMI Provider), returns an invalid value:
I guess that is caused by schema::TaskNameOffset, which is not checked.
Indeed, in other cases the value of the offset field is checked: https://github.com/microsoft/krabsetw/blob/b41b57cd42b1008d633a877a3a5b18c2a5aafe99/krabs/krabs/schema.hpp#L302 https://github.com/microsoft/krabsetw/blob/b41b57cd42b1008d633a877a3a5b18c2a5aafe99/krabs/krabs/schema.hpp#L287
While for the schema::task_name() method this is not the case: https://github.com/microsoft/krabsetw/blob/b41b57cd42b1008d633a877a3a5b18c2a5aafe99/krabs/krabs/schema.hpp#L314
So, I guess the fix could be very easy:
```cpp
inline const wchar_t *schema::task_name() const
{
    if (pSchema_->TaskNameOffset != 0)
        return reinterpret_cast<const wchar_t*>(
            reinterpret_cast<const char*>(pSchema_) +
            pSchema_->TaskNameOffset);
    else
        return L"";
}
```
Why is it not checked? Should it be mandatory? Is it a Microsoft-Windows-WMI-Activity mistake?
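An added example, not krabsetw code and not part of the original issue: a portable sketch of an offset-checked string accessor that goes beyond the zero check proposed above by also rejecting offsets past the end of the buffer and strings with no terminator. `mock_event_info`, `string_at_offset`, `task_name` (free function) and `make_sample` are hypothetical names; the one-field struct is a constructed stand-in for `TRACE_EVENT_INFO`, and treating offset 0 as "no name" is the assumption made in this issue.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Constructed stand-in: only the field this issue is about.
struct mock_event_info {
    std::uint32_t TaskNameOffset;  // bytes from struct start; 0 = no name (assumed)
};

// UTF-16 string at `offset` in `buf`; empty if the offset is zero or out of
// range, or if no NUL terminator is found inside the buffer.
std::u16string string_at_offset(const std::vector<unsigned char>& buf,
                                std::uint32_t offset)
{
    if (offset == 0 || offset >= buf.size()) return {};
    std::u16string out;
    for (std::size_t i = offset; i + sizeof(char16_t) <= buf.size();
         i += sizeof(char16_t)) {
        char16_t c;
        std::memcpy(&c, buf.data() + i, sizeof c);  // safe for unaligned data
        if (c == u'\0') return out;
        out.push_back(c);
    }
    return {};  // ran off the end of the buffer without a terminator
}

std::u16string task_name(const std::vector<unsigned char>& buf)
{
    mock_event_info hdr{};
    if (buf.size() < sizeof hdr) return {};
    std::memcpy(&hdr, buf.data(), sizeof hdr);
    return string_at_offset(buf, hdr.TaskNameOffset);
}

// Builds a constructed sample buffer: header followed by the name bytes.
std::vector<unsigned char> make_sample(std::uint32_t offset,
                                       const std::u16string& name,
                                       bool terminate)
{
    mock_event_info hdr{offset};
    std::vector<unsigned char> buf(sizeof hdr);
    std::memcpy(buf.data(), &hdr, sizeof hdr);
    auto p = reinterpret_cast<const unsigned char*>(name.data());
    buf.insert(buf.end(), p, p + name.size() * sizeof(char16_t));
    if (terminate) buf.insert(buf.end(), sizeof(char16_t), 0);
    return buf;
}
```

With an unchecked offset of 0, the returned pointer would address the start of the structure itself, so the caller would read header bytes as if they were a string.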