1 | // Copyright © 2017 winapi-rs developers | |
2 | // Licensed under the Apache License, Version 2.0 | |
3 | // <LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0> or the MIT license | |
4 | // <LICENSE-MIT or http://opensource.org/licenses/MIT>, at your option. | |
5 | // All files in the project carrying such notice may not be copied, modified, or distributed | |
6 | // except according to those terms. | |
7 | use shared::basetsd::ULONG64; | |
8 | use shared::evntprov::EVENT_DESCRIPTOR; | |
9 | use shared::evntrace::ETW_BUFFER_CONTEXT; | |
10 | use shared::guiddef::{GUID, LPGUID}; | |
11 | use shared::minwindef::{PUCHAR, PULONG, PUSHORT, UCHAR, ULONG, USHORT}; | |
12 | use um::winnt::{ANYSIZE_ARRAY, BOOLEAN, LARGE_INTEGER, PCSTR, PSECURITY_DESCRIPTOR, PSID, PVOID, ULONGLONG}; | |
// Values for `EVENT_HEADER_EXTENDED_DATA_ITEM::ExtType`. Each one names the kind of payload an
// extended data item carries; check it before interpreting the item's `DataPtr` as one of the
// `EVENT_EXTENDED_ITEM_*` layouts.
pub const EVENT_HEADER_EXT_TYPE_RELATED_ACTIVITYID: USHORT = 0x0001;
pub const EVENT_HEADER_EXT_TYPE_SID: USHORT = 0x0002;
pub const EVENT_HEADER_EXT_TYPE_TS_ID: USHORT = 0x0003;
pub const EVENT_HEADER_EXT_TYPE_INSTANCE_INFO: USHORT = 0x0004;
pub const EVENT_HEADER_EXT_TYPE_STACK_TRACE32: USHORT = 0x0005;
pub const EVENT_HEADER_EXT_TYPE_STACK_TRACE64: USHORT = 0x0006;
pub const EVENT_HEADER_EXT_TYPE_PEBS_INDEX: USHORT = 0x0007;
pub const EVENT_HEADER_EXT_TYPE_PMC_COUNTERS: USHORT = 0x0008;
pub const EVENT_HEADER_EXT_TYPE_PSM_KEY: USHORT = 0x0009;
pub const EVENT_HEADER_EXT_TYPE_EVENT_KEY: USHORT = 0x000A;
pub const EVENT_HEADER_EXT_TYPE_EVENT_SCHEMA_TL: USHORT = 0x000B;
pub const EVENT_HEADER_EXT_TYPE_PROV_TRAITS: USHORT = 0x000C;
pub const EVENT_HEADER_EXT_TYPE_PROCESS_START_KEY: USHORT = 0x000D;
pub const EVENT_HEADER_EXT_TYPE_CONTROL_GUID: USHORT = 0x000E;
// NOTE(review): by its name a range sentinel rather than a payload type; confirm before
// matching on it.
pub const EVENT_HEADER_EXT_TYPE_MAX: USHORT = 0x000F;
// Backing storage for the flag bits of an extended data item; read and written through the
// accessors generated by the BITFIELD! invocation below.
STRUCT!{struct EVENT_HEADER_EXTENDED_DATA_ITEM_s {
    bitfield: USHORT,
}}
// Bit 0 is `Linkage`; bits 1..16 are `Reserved2`.
BITFIELD!{EVENT_HEADER_EXTENDED_DATA_ITEM_s bitfield: USHORT [
    Linkage set_Linkage[0..1],
    Reserved2 set_Reserved2[1..16],
]}
// One extended data item attached to an event (see `EVENT_RECORD::ExtendedData`).
// `DataPtr` is stored as a 64-bit integer, not a typed pointer, so nothing in the type system
// ties it to `DataSize`: a consumer has to bound every read through it by `DataSize` itself,
// and should not assume the record was validated if it may come from a trace file.
STRUCT!{struct EVENT_HEADER_EXTENDED_DATA_ITEM {
    Reserved1: USHORT,
    // One of the EVENT_HEADER_EXT_TYPE_* values.
    ExtType: USHORT,
    s: EVENT_HEADER_EXTENDED_DATA_ITEM_s,
    // Size of the payload in bytes.
    DataSize: USHORT,
    // Address of the payload.
    DataPtr: ULONGLONG,
}}
pub type PEVENT_HEADER_EXTENDED_DATA_ITEM = *mut EVENT_HEADER_EXTENDED_DATA_ITEM;
// Payload layouts for extended data items; the struct name carries the matching
// EVENT_HEADER_EXT_TYPE_* suffix. They are reached by casting
// `EVENT_HEADER_EXTENDED_DATA_ITEM::DataPtr`, so compare `DataSize` with the size of the
// target layout before the cast.
STRUCT!{struct EVENT_EXTENDED_ITEM_INSTANCE {
    InstanceId: ULONG,
    ParentInstanceId: ULONG,
    ParentGuid: GUID,
}}
pub type PEVENT_EXTENDED_ITEM_INSTANCE = *mut EVENT_EXTENDED_ITEM_INSTANCE;
STRUCT!{struct EVENT_EXTENDED_ITEM_RELATED_ACTIVITYID {
    RelatedActivityId: GUID,
}}
pub type PEVENT_EXTENDED_ITEM_RELATED_ACTIVITYID = *mut EVENT_EXTENDED_ITEM_RELATED_ACTIVITYID;
STRUCT!{struct EVENT_EXTENDED_ITEM_TS_ID {
    SessionId: ULONG,
}}
pub type PEVENT_EXTENDED_ITEM_TS_ID = *mut EVENT_EXTENDED_ITEM_TS_ID;
// `Address` is declared with the ANYSIZE_ARRAY placeholder length: the Rust array type does
// not describe how many frames are present.
// NOTE(review): the frame count presumably follows from the item's `DataSize`; walk the
// frames through a raw pointer bounded by that size, not by indexing the array field.
STRUCT!{struct EVENT_EXTENDED_ITEM_STACK_TRACE32 {
    MatchId: ULONG64,
    Address: [ULONG; ANYSIZE_ARRAY],
}}
pub type PEVENT_EXTENDED_ITEM_STACK_TRACE32 = *mut EVENT_EXTENDED_ITEM_STACK_TRACE32;
// Same shape as the 32-bit variant with 64-bit frame addresses; the same placeholder-length
// caveat applies to `Address`.
STRUCT!{struct EVENT_EXTENDED_ITEM_STACK_TRACE64 {
    MatchId: ULONG64,
    Address: [ULONG64; ANYSIZE_ARRAY],
}}
pub type PEVENT_EXTENDED_ITEM_STACK_TRACE64 = *mut EVENT_EXTENDED_ITEM_STACK_TRACE64;
STRUCT!{struct EVENT_EXTENDED_ITEM_PEBS_INDEX {
    PebsIndex: ULONG64,
}}
pub type PEVENT_EXTENDED_ITEM_PEBS_INDEX = *mut EVENT_EXTENDED_ITEM_PEBS_INDEX;
// `Counter` also uses the ANYSIZE_ARRAY placeholder length; bound reads by the item's size.
STRUCT!{struct EVENT_EXTENDED_ITEM_PMC_COUNTERS {
    Counter: [ULONG64; ANYSIZE_ARRAY],
}}
pub type PEVENT_EXTENDED_ITEM_PMC_COUNTERS = *mut EVENT_EXTENDED_ITEM_PMC_COUNTERS;
STRUCT!{struct EVENT_EXTENDED_ITEM_PROCESS_START_KEY {
    ProcessStartKey: ULONG64,
}}
pub type PEVENT_EXTENDED_ITEM_PROCESS_START_KEY = *mut EVENT_EXTENDED_ITEM_PROCESS_START_KEY;
STRUCT!{struct EVENT_EXTENDED_ITEM_EVENT_KEY {
    Key: ULONG64,
}}
pub type PEVENT_EXTENDED_ITEM_EVENT_KEY = *mut EVENT_EXTENDED_ITEM_EVENT_KEY;
// Bit flags for `EVENT_HEADER::EventProperty`.
pub const EVENT_HEADER_PROPERTY_XML: USHORT = 0x0001;
pub const EVENT_HEADER_PROPERTY_FORWARDED_XML: USHORT = 0x0002;
pub const EVENT_HEADER_PROPERTY_LEGACY_EVENTLOG: USHORT = 0x0004;
pub const EVENT_HEADER_PROPERTY_RELOGGABLE: USHORT = 0x0008;
// Bit flags for `EVENT_HEADER::Flags`. They are combined with `|` and tested with `&`, as
// `GetEventProcessorIndex` does for EVENT_HEADER_FLAG_PROCESSOR_INDEX.
pub const EVENT_HEADER_FLAG_EXTENDED_INFO: USHORT = 0x0001;
pub const EVENT_HEADER_FLAG_PRIVATE_SESSION: USHORT = 0x0002;
pub const EVENT_HEADER_FLAG_STRING_ONLY: USHORT = 0x0004;
pub const EVENT_HEADER_FLAG_TRACE_MESSAGE: USHORT = 0x0008;
pub const EVENT_HEADER_FLAG_NO_CPUTIME: USHORT = 0x0010;
pub const EVENT_HEADER_FLAG_32_BIT_HEADER: USHORT = 0x0020;
pub const EVENT_HEADER_FLAG_64_BIT_HEADER: USHORT = 0x0040;
pub const EVENT_HEADER_FLAG_CLASSIC_HEADER: USHORT = 0x0100;
pub const EVENT_HEADER_FLAG_PROCESSOR_INDEX: USHORT = 0x0200;
// Split view of the timing field: kernel-mode and user-mode time as two 32-bit values.
STRUCT!{struct EVENT_HEADER_u_s {
    KernelTime: ULONG,
    UserTime: ULONG,
}}
// Timing field of EVENT_HEADER, 8 bytes wide: either the split `s` view or one 64-bit
// `ProcessorTime` value.
// NOTE(review): which view is meaningful presumably depends on `EVENT_HEADER::Flags`
// (see the PRIVATE_SESSION and NO_CPUTIME flags); confirm before reading either.
UNION!{union EVENT_HEADER_u {
    [u64; 1],
    s s_mut: EVENT_HEADER_u_s,
    ProcessorTime ProcessorTime_mut: ULONG64,
}}
// Fixed header of an event record. Field order and types mirror the C layout, so they must
// not be reordered.
STRUCT!{struct EVENT_HEADER {
    Size: USHORT,
    HeaderType: USHORT,
    // Combination of EVENT_HEADER_FLAG_* bits.
    Flags: USHORT,
    // Combination of EVENT_HEADER_PROPERTY_* bits.
    EventProperty: USHORT,
    ThreadId: ULONG,
    ProcessId: ULONG,
    TimeStamp: LARGE_INTEGER,
    ProviderId: GUID,
    EventDescriptor: EVENT_DESCRIPTOR,
    u: EVENT_HEADER_u,
    ActivityId: GUID,
}}
pub type PEVENT_HEADER = *mut EVENT_HEADER;
// One event as handed to a consumer. The two variable-length parts are described by
// pointer/length pairs that the type system does not connect:
//   `ExtendedData` with `ExtendedDataCount` (number of items), and
//   `UserData` with `UserDataLength` (bytes).
// Code that walks either one has to bound its reads by the paired count; the record may
// originate from another process or from a trace file.
STRUCT!{struct EVENT_RECORD {
    EventHeader: EVENT_HEADER,
    BufferContext: ETW_BUFFER_CONTEXT,
    ExtendedDataCount: USHORT,
    UserDataLength: USHORT,
    ExtendedData: PEVENT_HEADER_EXTENDED_DATA_ITEM,
    UserData: PVOID,
    UserContext: PVOID,
}}
pub type PEVENT_RECORD = *mut EVENT_RECORD;
pub type PCEVENT_RECORD = *const EVENT_RECORD;
// Flags that request extra data or filtering behaviour when a provider is enabled (for
// example the user SID, the terminal-session id or a stack trace on each event).
// NOTE(review): the literals are written 32 bits wide but the constants are typed USHORT;
// confirm the width against the field these values are stored in before widening or
// combining them.
pub const EVENT_ENABLE_PROPERTY_SID: USHORT = 0x00000001;
pub const EVENT_ENABLE_PROPERTY_TS_ID: USHORT = 0x00000002;
pub const EVENT_ENABLE_PROPERTY_STACK_TRACE: USHORT = 0x00000004;
pub const EVENT_ENABLE_PROPERTY_PSM_KEY: USHORT = 0x00000008;
pub const EVENT_ENABLE_PROPERTY_IGNORE_KEYWORD_0: USHORT = 0x00000010;
pub const EVENT_ENABLE_PROPERTY_PROVIDER_GROUP: USHORT = 0x00000020;
pub const EVENT_ENABLE_PROPERTY_ENABLE_KEYWORD_0: USHORT = 0x00000040;
pub const EVENT_ENABLE_PROPERTY_PROCESS_START_KEY: USHORT = 0x00000080;
pub const EVENT_ENABLE_PROPERTY_EVENT_KEY: USHORT = 0x00000100;
pub const EVENT_ENABLE_PROPERTY_EXCLUDE_INPRIVATE: USHORT = 0x00000200;
// Mode bits chosen by a trace consumer: real-time delivery, raw timestamps, and delivery of
// events in the EVENT_RECORD format.
pub const PROCESS_TRACE_MODE_REAL_TIME: ULONG = 0x00000100;
pub const PROCESS_TRACE_MODE_RAW_TIMESTAMP: ULONG = 0x00001000;
pub const PROCESS_TRACE_MODE_EVENT_RECORD: ULONG = 0x10000000;
/// Returns the processor an event was logged on.
///
/// When `EVENT_HEADER_FLAG_PROCESSOR_INDEX` is set in the header flags the value comes from
/// the `ProcessorIndex` view of `BufferContext.u`; otherwise it comes from `ProcessorNumber`
/// in the `s` view. Either way the result is widened to `ULONG`.
///
/// # Safety
///
/// `EventRecord` must point to a readable, properly aligned `EVENT_RECORD`; it is
/// dereferenced without a null check.
#[inline]
pub unsafe fn GetEventProcessorIndex(EventRecord: PCEVENT_RECORD) -> ULONG {
    let flags = (*EventRecord).EventHeader.Flags;
    let context = &(*EventRecord).BufferContext.u;
    // The flag decides which view of the union the writer filled in.
    if flags & EVENT_HEADER_FLAG_PROCESSOR_INDEX == 0 {
        return context.s().ProcessorNumber as ULONG;
    }
    *context.ProcessorIndex() as ULONG
}
// Type tags for entries of a provider-traits blob.
// NOTE(review): presumably the values passed as `TraitType` to
// `EtwGetTraitFromProviderTraits`, which takes a UCHAR; confirm at the call sites.
ENUM!{enum ETW_PROVIDER_TRAIT_TYPE {
    EtwProviderTraitTypeGroup = 1,
    EtwProviderTraitDecodeGuid = 2,
    // No explicit value: takes the next one after EtwProviderTraitDecodeGuid.
    EtwProviderTraitTypeMax,
}}
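/// Returns the number of bytes before the first NUL in `s`, examining at most `max_len`
/// bytes. Returns `max_len` when no NUL is found in that range and 0 when `max_len <= 0`.
///
/// # Safety
///
/// `s` must be valid for reads of `max_len` bytes, or up to and including the first NUL
/// when that comes earlier.
#[inline]
unsafe fn strnlen(s: PCSTR, max_len: isize) -> isize {
    let mut len = 0;
    // Test the bound before the dereference: with the operands the other way round the
    // byte at index `max_len` was read even though it lies outside the stated limit,
    // which is a one-byte over-read on an unterminated buffer of exactly `max_len` bytes.
    while len < max_len && *s.offset(len) != 0 {
        len += 1;
    }
    len
}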
// Taken from Rust 1.17.0 sources
// NOTE(review): `mem::uninitialized` is deprecated in current Rust. `core::ptr::read_unaligned`
// is the standard-library form of this shim and can replace it once the minimum supported
// compiler provides it.
/// Reads a `T` from `src` without requiring `src` to be aligned for `T`.
///
/// The value is copied byte by byte into a local and returned, so the bytes are interpreted
/// in native byte order.
///
/// # Safety
///
/// `src` must be valid for reads of `size_of::<T>()` bytes, and those bytes must form a
/// valid `T`.
#[inline]
unsafe fn read_unaligned<T>(src: *const T) -> T {
    use core::mem::{size_of, uninitialized};
    use core::ptr::copy_nonoverlapping;
    let mut value: T = uninitialized();
    // Byte-wise copy: neither side needs more than 1-byte alignment.
    let dst = &mut value as *mut T as *mut u8;
    copy_nonoverlapping(src as *const u8, dst, size_of::<T>());
    value
}
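/// Finds the first trait of type `TraitType` in a provider-traits blob.
///
/// Layout as parsed here: a native-endian `USHORT` giving the total byte count of the blob,
/// a NUL-terminated provider name, then zero or more traits. Each trait starts with a
/// `USHORT` byte count that includes its own 3-byte header, followed by a one-byte type and
/// the payload.
///
/// On return `*Trait` points at the payload of the match and `*Size` holds the payload
/// length in bytes. Both are set to null / 0 when the blob is too short, a trait header is
/// malformed or truncated, or no trait of that type lies completely inside the blob.
///
/// # Safety
///
/// * `ProviderTraits` must be non-null and valid for reads of at least 2 bytes, and of as
///   many bytes as its leading count declares. The count itself is trusted: a blob from an
///   untrusted source must have its declared size checked against the real buffer size
///   before this call.
/// * `Trait` and `Size` must be non-null, aligned and valid for writes.
#[inline]
pub unsafe fn EtwGetTraitFromProviderTraits(
    ProviderTraits: PVOID, TraitType: UCHAR, Trait: *mut PVOID, Size: PUSHORT,
) {
    use core::ptr::null_mut;

    let ByteCount = read_unaligned(ProviderTraits as *mut USHORT) as isize;
    let mut Ptr = ProviderTraits as PUCHAR;
    let PtrEnd = Ptr.offset(ByteCount);
    // Report "not found" up front so every early return leaves the outputs defined.
    *Trait = null_mut();
    *Size = 0;
    // Smallest valid blob: 2 count bytes plus the name terminator.
    if ByteCount < 3 {
        return;
    }
    // Skip the byte count, then the provider name and its terminator.
    Ptr = Ptr.offset(2);
    Ptr = Ptr.offset(strnlen(Ptr as PCSTR, ByteCount - 3));
    Ptr = Ptr.offset(1);
    while Ptr < PtrEnd {
        let Remaining = (PtrEnd as usize) - (Ptr as usize);
        // A trait header is 3 bytes. With fewer left, reading the count or the type byte
        // would run past the declared end of the blob.
        if Remaining < 3 {
            return;
        }
        let TraitByteCount = read_unaligned(Ptr as *const USHORT);
        if TraitByteCount < 3 {
            return;
        }
        // A trait that claims more bytes than remain can neither be returned nor stepped
        // over; stopping here also keeps the pointer arithmetic below inside the blob.
        if TraitByteCount as usize > Remaining {
            return;
        }
        if *Ptr.offset(2) == TraitType {
            *Trait = Ptr.offset(3) as PVOID;
            *Size = TraitByteCount - 3;
            return;
        }
        Ptr = Ptr.offset(TraitByteCount as isize);
    }
}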
// Operations for `EventAccessControl`: set or add an entry in the DACL (access) or the SACL
// (auditing) of a provider or session.
// No explicit values are given, so the variants are numbered in declaration order.
ENUM!{enum EVENTSECURITYOPERATION {
    EventSecuritySetDACL,
    EventSecuritySetSACL,
    EventSecurityAddDACL,
    EventSecurityAddSACL,
    // NOTE(review): by its name a range sentinel, not an operation; confirm before passing it.
    EventSecurityMax,
}}
// Access-control entry points for the ETW provider or session identified by `Guid`.
// They read or change who may use that provider or session, so call sites deserve review
// wherever `Sid`, `Rights` or `AllowOrDeny` derive from configuration or other external
// input. All three return a ULONG status code that the caller must check.
extern "system" {
    // Adds to or replaces the permissions for `Guid`.
    // `Operation` is declared ULONG here; presumably it takes an EVENTSECURITYOPERATION
    // value, to be confirmed against the callers.
    pub fn EventAccessControl(
        Guid: LPGUID,
        Operation: ULONG,
        Sid: PSID,
        Rights: ULONG,
        AllowOrDeny: BOOLEAN,
    ) -> ULONG;
    // Retrieves the security descriptor for `Guid` into `Buffer`.
    // NOTE(review): `BufferSize` is a pointer, so presumably in/out (capacity in, required
    // size out); confirm, and size `Buffer` from it, not from a fixed guess.
    pub fn EventAccessQuery(
        Guid: LPGUID,
        Buffer: PSECURITY_DESCRIPTOR,
        BufferSize: PULONG,
    ) -> ULONG;
    // Removes the permissions stored for `Guid`.
    pub fn EventAccessRemove(
        Guid: LPGUID,
    ) -> ULONG;
}