Closed FuzzySecurity closed 5 years ago
Thanks for reaching out! Here's what I see:
- `EventRecordMetadata.Opcode` accesses the `EventDescriptor` member of the `EVENT_HEADER` struct
- `EVENT_HEADER` is defined in the Windows SDK here
- `EventDescriptor` member of `EVENT_HEADER` is an `EVENT_DESCRIPTOR` struct
- `EVENT_DESCRIPTOR` is defined in the Windows SDK here
- `Opcode` member of `EVENT_DESCRIPTOR` is defined as a `UCHAR`, which is documented to be a byte
Based on this, the existing API appears to be correct. Let me know if I missed something!
Cheers, Matt
Maybe I'm confused but EventRecordMetadata specifies that the Opcode type is `byte`: https://github.com/Microsoft/krabsetw/blob/master/O365.Security.Native.ETW/EventRecordMetadata.hpp#L43

However Opcode should be a UInt32 (I think). Consider the Kernel trace example here: https://github.com/Microsoft/krabsetw/blob/master/examples/ManagedExamples/KernelTrace001.cs#L39

Opcode=0x1 -> EVENT_TRACE_FLAG_PROCESS

Looking at the other options on MSDN shows most of them actually don't fit into a UInt8. https://docs.microsoft.com/en-gb/windows/desktop/ETW/msnt-systemtrace
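The two posts above talk past each other because a kernel event's Opcode (one byte inside EVENT_DESCRIPTOR, as Matt's reply walks through) and the EVENT_TRACE_FLAG_* values passed when enabling a kernel session (bits in a 32-bit EnableFlags mask, the ones the original post found "don't fit into a UInt8") are different things. The following C program is an added example, not code from krabsetw or the Windows SDK: it re-declares the documented EVENT_DESCRIPTOR layout under a local name (`etw_event_descriptor`, an assumption so it builds without the SDK headers), decodes a constructed 16-byte descriptor for a Process Start event, and checks which values could even be stored in the one-byte Opcode field. The `ETW_FLAG_*` macros carry the evntrace.h `EVENT_TRACE_FLAG_*` values; the sample bytes are made up for the demonstration.

```c
/* Added example (not krabsetw's or Microsoft's code). Mirrors the documented
 * EVENT_DESCRIPTOR layout so it compiles without the Windows SDK, parses a
 * constructed descriptor, and contrasts the one-byte Opcode with the 32-bit
 * kernel-trace enable flags. The etw_ names are local assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mirror of EVENT_DESCRIPTOR (evntprov.h): 16 bytes, Opcode at byte offset 5. */
struct etw_event_descriptor {
    uint16_t Id;
    uint8_t  Version;
    uint8_t  Channel;
    uint8_t  Level;
    uint8_t  Opcode;    /* UCHAR in the SDK: a single byte, range 0..255 */
    uint16_t Task;
    uint64_t Keyword;
};
_Static_assert(sizeof(struct etw_event_descriptor) == 16, "EVENT_DESCRIPTOR is 16 bytes");
_Static_assert(offsetof(struct etw_event_descriptor, Opcode) == 5, "Opcode sits at byte 5");

/* Kernel (NT Kernel Logger) enable flags from evntrace.h. They are bits in the
 * session's 32-bit EnableFlags mask, not opcodes carried by an event. */
#define ETW_FLAG_PROCESS       0x00000001u  /* EVENT_TRACE_FLAG_PROCESS */
#define ETW_FLAG_THREAD        0x00000002u  /* EVENT_TRACE_FLAG_THREAD */
#define ETW_FLAG_IMAGE_LOAD    0x00000004u  /* EVENT_TRACE_FLAG_IMAGE_LOAD */
#define ETW_FLAG_NETWORK_TCPIP 0x00010000u  /* EVENT_TRACE_FLAG_NETWORK_TCPIP */
#define ETW_FLAG_REGISTRY      0x00020000u  /* EVENT_TRACE_FLAG_REGISTRY */

/* ETW records are little-endian; read fields explicitly so this is portable. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint64_t rd64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* Decode an EVENT_DESCRIPTOR from raw bytes (the EventDescriptor field of an
 * EVENT_HEADER). Returns 0 on success, -1 if the buffer is too short. */
int etw_parse_event_descriptor(const uint8_t *buf, size_t len,
                               struct etw_event_descriptor *out)
{
    if (buf == NULL || out == NULL || len < sizeof(*out)) return -1;
    out->Id      = rd16(buf + 0);
    out->Version = buf[2];
    out->Channel = buf[3];
    out->Level   = buf[4];
    out->Opcode  = buf[5];
    out->Task    = rd16(buf + 6);
    out->Keyword = rd64(buf + 8);
    return 0;
}

/* MSNT_SystemTrace Process event types, i.e. the opcodes a kernel process
 * event actually carries: 1 Start, 2 End, 3 DCStart, 4 DCEnd. All fit a byte. */
const char *etw_process_opcode_name(uint8_t opcode)
{
    switch (opcode) {
    case 1:  return "Start";
    case 2:  return "End";
    case 3:  return "DCStart";
    case 4:  return "DCEnd";
    default: return "Unknown";
    }
}

/* True if a value could be stored in the one-byte Opcode field at all. Most
 * EVENT_TRACE_FLAG_* bits cannot, which is why they live in EnableFlags. */
int etw_fits_in_opcode(uint32_t value) { return value <= 0xFFu; }

/* Constructed sample (not captured from a real trace): a kernel Process Start
 * descriptor with Id 0, Version 3, Opcode 1, Task 0, Keyword 0. */
static const uint8_t sample_process_start[16] = {
    0x00, 0x00,             /* Id */
    0x03,                   /* Version */
    0x00,                   /* Channel */
    0x00,                   /* Level */
    0x01,                   /* Opcode = 1 (Start) */
    0x00, 0x00,             /* Task */
    0, 0, 0, 0, 0, 0, 0, 0  /* Keyword */
};

int main(void)
{
    struct etw_event_descriptor d;
    if (etw_parse_event_descriptor(sample_process_start, sizeof sample_process_start, &d) != 0)
        return 1;
    printf("Opcode=%u (%s), read from byte %zu of EVENT_DESCRIPTOR\n",
           d.Opcode, etw_process_opcode_name(d.Opcode),
           offsetof(struct etw_event_descriptor, Opcode));

    uint32_t enable = ETW_FLAG_PROCESS | ETW_FLAG_THREAD | ETW_FLAG_NETWORK_TCPIP;
    printf("EnableFlags=0x%08x (32-bit session mask, not an opcode)\n", enable);
    printf("EVENT_TRACE_FLAG_NETWORK_TCPIP fits in Opcode? %s\n",
           etw_fits_in_opcode(ETW_FLAG_NETWORK_TCPIP) ? "yes" : "no");
    return 0;
}
```

When walking a raw EVENT_RECORD in a parser or forensic tool, read the opcode from that single byte; pass EVENT_TRACE_FLAG_* values only where a session's EnableFlags (a ULONG) is expected.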