Beispiel #1
0
        private void ReadProcessStartEvent(ref EtwNativeEvent traceEvent)
        {
            if (traceEvent.Version == 0)
            {
                // <data name="ProcessID" inType="win:UInt32" outType="win:PID"></data>
                // <data name="CreateTime" inType="win:FILETIME" outType="xs:dateTime"></data>
                // <data name="ParentProcessID" inType="win:UInt32" outType="win:PID"></data>
                // <data name="SessionID" inType="win:UInt32" outType="xs:unsignedInt"></data>
                // <data name="ImageName" inType="win:UnicodeString" outType="xs:string"></data>
                EventHandler <ProcessEventArgs> handler = this.ProcessStarted;
                if (handler != null)
                {
                    int      processId  = (int)traceEvent.ReadUInt32();
                    DateTime createTime = traceEvent.ReadFileTime();
                    traceEvent.ReadUInt32(); // ignore
                    traceEvent.ReadUInt32(); // ignore
                    string           imageName = traceEvent.ReadUnicodeString();
                    ProcessEventArgs e         = new ProcessEventArgs()
                    {
                        Id        = processId,
                        ImageName = imageName,
                        Timestamp = createTime
                    };

                    handler(this, e);
                }
            }
        }
Beispiel #2
0
        static void CustomCallback(EtwNativeEvent evt)
        {
            if (evt.Id != 11)
            {
                return;
            }

            evt.ReadUInt32(); // skip PID
            uint size  = evt.ReadUInt32();
            uint daddr = evt.ReadUInt32();

            lock (_lock)
            {
                StatisticsBucket bucket = null;
                if (!_statistics.TryGetValue(daddr, out bucket))
                {
                    bucket = new StatisticsBucket {
                        Total = size
                    };
                    _statistics.Add(daddr, bucket);
                    return;
                }

                bucket.Total += size;
            }
        }
Beispiel #3
0
        private void ReadProcessStopEvent(ref EtwNativeEvent traceEvent)
        {
            switch (traceEvent.Version)
            {
            case 0:
            case 1:
                // Both version 0 and version 1 have the same initial fields:
                //
                // <data name="ProcessID" inType="win:UInt32" outType="win:PID"></data>
                // <data name="CreateTime" inType="win:FILETIME" outType="xs:dateTime"></data>
                // <data name="ExitTime" inType="win:FILETIME" outType="xs:dateTime"></data>
                // <data name="ExitCode" inType="win:UInt32" outType="xs:unsignedInt"></data>
                EventHandler <ProcessEventArgs> handler = this.ProcessStopped;
                if (handler != null)
                {
                    int processId = (int)traceEvent.ReadUInt32();
                    traceEvent.ReadFileTime();     // ignore
                    DateTime         exitTime = traceEvent.ReadFileTime();
                    int              exitCode = (int)traceEvent.ReadUInt32();
                    ProcessEventArgs e        = new ProcessEventArgs()
                    {
                        ExitCode  = exitCode,
                        Id        = processId,
                        Timestamp = exitTime
                    };

                    handler(this, e);
                }

                break;
            }
        }
Beispiel #4
0
        private static Envelope ParseV1(EtwNativeEvent etwNativeEvent)
        {
            // EventId is one. This is a log written using EventSource Byte Array logging support.
            // Reading like this ensures that if exception is thrown, we know what failed
            long   occurenceFileTimeUtc = etwNativeEvent.ReadInt64();
            long   receiveFileTimeUtc   = etwNativeEvent.ReadInt64();
            string protocol             = etwNativeEvent.ReadUnicodeString();
            string source             = etwNativeEvent.ReadUnicodeString();
            string manifestId         = etwNativeEvent.ReadUnicodeString();
            uint   eventPayloadLength = etwNativeEvent.ReadUInt32(); // There is a side-effect being used here with the binary length.

            etwNativeEvent.ReadInt32();                              // EventSource based byte array writer actually stores the byte array length here. Skip 4 bytes to account for it.
            byte[] eventPayload = etwNativeEvent.ReadBytes();

            return(new Envelope(
                       occurenceFileTimeUtc >= 0
                    ? DateTimeOffset.FromFileTime(occurenceFileTimeUtc)
                    : DateTimeOffset.MinValue,
                       receiveFileTimeUtc >= 0
                    ? DateTimeOffset.FromFileTime(receiveFileTimeUtc)
                    : DateTimeOffset.MinValue,
                       protocol,
                       source,
                       manifestId,
                       eventPayload,
                       null));
        }
Beispiel #5
0
        private static BinaryEnvelope ParseV1(EtwNativeEvent etwNativeEvent)
        {
            // EventId is one. This is a log written using EventSource Byte Array logging support.
            // Reading like this ensures that if exception is thrown, we know what failed
            long   occurenceFileTimeUtc = etwNativeEvent.ReadInt64();
            long   receiveFileTimeUtc   = etwNativeEvent.ReadInt64();
            string protocol             = etwNativeEvent.ReadUnicodeString();
            string source             = etwNativeEvent.ReadUnicodeString();
            string manifestId         = etwNativeEvent.ReadUnicodeString();
            uint   eventPayloadLength = etwNativeEvent.ReadUInt32(); // There is a side-effect being used here with the binary length.

            etwNativeEvent.ReadInt32();                              // EventSource based byte array writer actually stores the byte array length here. Skip 4 bytes to account for it.
            byte[] eventPayload = etwNativeEvent.ReadBytes();

            return(new BinaryEnvelope
            {
                ActivityId = etwNativeEvent.ActivityId,
                OccurenceFileTimeUtc = occurenceFileTimeUtc,
                ReceiveFileTimeUtc = receiveFileTimeUtc,
                Protocol = protocol,
                Source = source,
                PayloadId = manifestId,
                EventPayload = eventPayload,
                EventPayloadLength = eventPayloadLength
            });
        }
Beispiel #6
0
        private static Envelope ParseV0(EtwNativeEvent etwNativeEvent)
        {
            // Reading like this ensures that if exception is thrown, we know what failed
            long   occurenceFileTimeUtc = etwNativeEvent.ReadInt64();
            long   receiveFileTimeUtc   = etwNativeEvent.ReadInt64();
            string protocol             = etwNativeEvent.ReadUnicodeString();

            bool isValid = !(protocol ?? string.Empty).StartsWith(@"rceException: ", StringComparison.OrdinalIgnoreCase);

            string source;
            string manifestId;
            uint   eventPayloadLength;

            byte[] eventPayload;

            if (isValid)
            {
                source             = etwNativeEvent.ReadUnicodeString();
                manifestId         = etwNativeEvent.ReadUnicodeString();
                eventPayloadLength = etwNativeEvent.ReadUInt32(); // There is a side-effect being used here with the binary length.
                // Payload overflow events also could be saved with event Id 0
                eventPayload = (eventPayloadLength < 65000) ? etwNativeEvent.ReadBytes() : new byte[0];
            }
            else
            {
                protocol           = string.Empty;
                source             = string.Empty;
                manifestId         = string.Empty;
                eventPayloadLength = 0;
                eventPayload       = new byte[0];
            }

            return(new Envelope(
                       occurenceFileTimeUtc >= 0
                    ? DateTimeOffset.FromFileTime(occurenceFileTimeUtc)
                    : DateTimeOffset.MinValue,
                       receiveFileTimeUtc >= 0
                    ? DateTimeOffset.FromFileTime(receiveFileTimeUtc)
                    : DateTimeOffset.MinValue,
                       protocol,
                       source,
                       manifestId,
                       eventPayload,
                       null));
        }
Beispiel #7
0
        private Envelope ParseV2(EtwNativeEvent etwNativeEvent)
        {
            uint   packageId            = etwNativeEvent.ReadUInt32();
            long   occurenceFileTimeUtc = etwNativeEvent.ReadInt64();
            long   receiveFileTimeUtc   = etwNativeEvent.ReadInt64();
            string protocol             = etwNativeEvent.ReadUnicodeString();
            string source             = etwNativeEvent.ReadUnicodeString();
            string manifestId         = etwNativeEvent.ReadUnicodeString();
            uint   chunkCount         = etwNativeEvent.ReadUInt32();
            uint   currentChunkNumber = etwNativeEvent.ReadUInt32();
            uint   eventPayloadLength = etwNativeEvent.ReadUInt32(); // There is a side-effect being used here with the binary length.

            etwNativeEvent.ReadUInt32();
            byte[] eventPayload = etwNativeEvent.ReadBytes();

            if (chunkCount == 1)
            {
                this.eventCache.Clear();

                return(new Envelope(
                           occurenceFileTimeUtc >= 0
                        ? DateTimeOffset.FromFileTime(occurenceFileTimeUtc)
                        : DateTimeOffset.MinValue,
                           receiveFileTimeUtc >= 0
                        ? DateTimeOffset.FromFileTime(receiveFileTimeUtc)
                        : DateTimeOffset.MinValue,
                           protocol,
                           source,
                           manifestId,
                           eventPayload,
                           null));
            }
            else if (chunkCount > currentChunkNumber)
            {
                if (this.currentEventPackageId != packageId || this.eventCache.Count != currentChunkNumber)
                {
                    this.eventCache.Clear();
                    this.currentEventPackageId = packageId;
                }

                this.eventCache.Add(eventPayload);

                if (chunkCount == (currentChunkNumber + 1))
                {
                    var payload = ByteArrayHelper.Join(this.eventCache);
                    this.eventCache.Clear();

                    return(new Envelope(
                               occurenceFileTimeUtc >= 0
                            ? DateTimeOffset.FromFileTime(occurenceFileTimeUtc)
                            : DateTimeOffset.MinValue,
                               receiveFileTimeUtc >= 0
                            ? DateTimeOffset.FromFileTime(receiveFileTimeUtc)
                            : DateTimeOffset.MinValue,
                               protocol,
                               source,
                               manifestId,
                               eventPayload,
                               null));
                }
            }
            else
            {
                this.eventCache.Clear();
            }

            return(null);
        }
Beispiel #8
0
        private EventManifest ParseChunkedManifest(EtwNativeEvent etwNativeEvent)
        {
            uint   packageId            = etwNativeEvent.ReadUInt32();
            long   occurenceFileTimeUtc = etwNativeEvent.ReadInt64();
            long   receiveFileTimeUtc   = etwNativeEvent.ReadInt64();
            string protocol             = etwNativeEvent.ReadUnicodeString();
            string source             = etwNativeEvent.ReadUnicodeString();
            string manifestId         = etwNativeEvent.ReadUnicodeString();
            uint   chunkCount         = etwNativeEvent.ReadUInt32();
            uint   currentChunkNumber = etwNativeEvent.ReadUInt32();
            string manifest           = etwNativeEvent.ReadUnicodeString();

            if (chunkCount == 1)
            {
                this.manifestCache.Clear();

                return(new EventManifest
                {
                    ActivityId = etwNativeEvent.ActivityId,
                    OccurenceFileTimeUtc = occurenceFileTimeUtc,
                    ReceiveFileTimeUtc = receiveFileTimeUtc,
                    Protocol = protocol,
                    Source = source,
                    ManifestId = manifestId,
                    Manifest = manifest
                });
            }
            else if (chunkCount > currentChunkNumber)
            {
                if (this.currentManifestPackageId != packageId || this.manifestCache.Count != currentChunkNumber)
                {
                    this.manifestCache.Clear();
                    this.currentManifestPackageId = packageId;
                }

                this.manifestCache.Add(manifest);

                if (chunkCount == (currentChunkNumber + 1))
                {
                    string payload = string.Join("", this.manifestCache.ToArray());
                    this.manifestCache.Clear();

                    return(new EventManifest
                    {
                        ActivityId = etwNativeEvent.ActivityId,
                        OccurenceFileTimeUtc = occurenceFileTimeUtc,
                        ReceiveFileTimeUtc = receiveFileTimeUtc,
                        Protocol = protocol,
                        Source = source,
                        ManifestId = manifestId,
                        Manifest = payload,
                    });
                }
            }
            else
            {
                this.manifestCache.Clear();
            }

            return(null);
        }
Beispiel #9
0
        private BinaryEnvelope ParseV2(EtwNativeEvent etwNativeEvent)
        {
            uint   packageId            = etwNativeEvent.ReadUInt32();
            long   occurenceFileTimeUtc = etwNativeEvent.ReadInt64();
            long   receiveFileTimeUtc   = etwNativeEvent.ReadInt64();
            string protocol             = etwNativeEvent.ReadUnicodeString();
            string source             = etwNativeEvent.ReadUnicodeString();
            string manifestId         = etwNativeEvent.ReadUnicodeString();
            uint   chunkCount         = etwNativeEvent.ReadUInt32();
            uint   currentChunkNumber = etwNativeEvent.ReadUInt32();
            uint   eventPayloadLength = etwNativeEvent.ReadUInt32(); // There is a side-effect being used here with the binary length.

            etwNativeEvent.ReadUInt32();
            byte[] eventPayload = etwNativeEvent.ReadBytes();

            if (chunkCount == 1)
            {
                this.eventCache.Clear();

                return(new BinaryEnvelope
                {
                    ActivityId = etwNativeEvent.ActivityId,
                    OccurenceFileTimeUtc = occurenceFileTimeUtc,
                    ReceiveFileTimeUtc = receiveFileTimeUtc,
                    Protocol = protocol,
                    Source = source,
                    PayloadId = manifestId,
                    EventPayload = eventPayload,
                    EventPayloadLength = eventPayloadLength
                });
            }
            else if (chunkCount > currentChunkNumber)
            {
                if (this.currentEventPackageId != packageId || this.eventCache.Count != currentChunkNumber)
                {
                    this.eventCache.Clear();
                    this.currentEventPackageId = packageId;
                }

                this.eventCache.Add(eventPayload);

                if (chunkCount == (currentChunkNumber + 1))
                {
                    var payload = ByteArrayHelper.Join(this.eventCache);
                    this.eventCache.Clear();

                    return(new BinaryEnvelope
                    {
                        ActivityId = etwNativeEvent.ActivityId,
                        OccurenceFileTimeUtc = occurenceFileTimeUtc,
                        ReceiveFileTimeUtc = receiveFileTimeUtc,
                        Protocol = protocol,
                        Source = source,
                        PayloadId = manifestId,
                        EventPayload = payload,
                        EventPayloadLength = unchecked ((uint)(payload.Length)),
                    });
                }
            }
            else
            {
                this.eventCache.Clear();
            }

            return(null);
        }