Incorrect EventRecordMetadata->Opcode Size

[FuzzySecurity]

Maybe I'm confused but EventRecordMetadata specifies that the Opcode type is byte: https://github.com/Microsoft/krabsetw/blob/master/O365.Security.Native.ETW/EventRecordMetadata.hpp#L43

However Opcode should be a UInt32 (I think). Consider the Kernel trace example here: https://github.com/Microsoft/krabsetw/blob/master/examples/ManagedExamples/KernelTrace001.cs#L39

Opcode=0x1 -> EVENT_TRACE_FLAG_PROCESS

Looking at the other options on MSDN shows most of them actually don't fit into into a UInt8. https://docs.microsoft.com/en-gb/windows/desktop/ETW/msnt-systemtrace

[swannman]

Thanks for reaching out! Here's what I see:

• EventRecordMetadata.Opcode accesses the EventDescriptor member of the EVENT_HEADER struct
  • EVENT_HEADER is defined in the Windows SDK here
• The EventDescriptor member of EVENT_HEADER is an EVENT_DESCRIPTOR struct
  • EVENT_DESCRIPTOR is defined in the Windows SDK here
• The Opcode member of EVENT_DESCRIPTOR is defined as a UCHAR which is documented to be a byte

Based on this, the existing API appears to be correct. Let me know if I missed something!

Cheers, Matt