private Provider ReadWevtBlock(Guid providerId, BinaryReader r) { ReadMagic(r, CrimsonTags.WEVT); uint length = r.ReadUInt32(); uint messageId = r.ReadUInt32(); uint count = r.ReadUInt32(); var lists = new List <ProviderListOffset>(); for (uint i = 0; i < count; ++i) { var plo = new ProviderListOffset(); plo.Type = (EventFieldKind)r.ReadUInt32(); plo.Offset = r.ReadUInt32(); lists.Add(plo); } var providerMessage = ResolveMessage(messageId); string providerName = string.Format( CultureInfo.InvariantCulture, "Provider_{0:N}", providerId); string providerSymbol = providerName; Guid? controlGuid = null; Guid? groupGuid = null; var allOpcodes = new List <Tuple <ushort, Opcode> >(); var levels = new List <Level>(); var tasks = new List <Task>(); var keywords = new List <Keyword>(); var events = new List <Event>(); var channels = new List <Channel>(); var maps = new List <Map>(); var templates = new List <Template>(); var filters = new List <Filter>(); Dictionary <uint, EventAttributeInfo> eventAttribMap = null; foreach (var list in lists) { r.BaseStream.Position = list.Offset; switch (list.Type) { case EventFieldKind.Level: levels.AddRange(ReadLevels(r)); break; case EventFieldKind.Task: tasks.AddRange(ReadTasks(r)); break; case EventFieldKind.Opcode: allOpcodes.AddRange(ReadOpcodes(r)); break; case EventFieldKind.Keyword: keywords.AddRange(ReadKeywords(r)); break; case EventFieldKind.Event: events.AddRange(ReadEvents(r)); break; case EventFieldKind.Channel: channels.AddRange(ReadChannels(r)); break; case EventFieldKind.Maps: maps.AddRange(ReadMaps(r)); break; case EventFieldKind.Template: templates.AddRange(ReadTemplates(r)); break; case EventFieldKind.Filter: filters.AddRange(ReadFilters(r)); break; case EventFieldKind.ProviderAttribs: ReadProviderAttribs(r, out providerName, out controlGuid, out groupGuid); break; case EventFieldKind.EventAttribs: eventAttribMap = ReadEventAttribs(r); break; default: break; } } if (eventAttribMap != null) { foreach (var evt in events) { var key = evt.Value.Value | (uint)(evt.Version.Value << 16); if (eventAttribMap.TryGetValue(key, out var entry)) { if (entry.Name != null) { evt.Name = entry.Name; } if (entry.Attributes != null) { evt.Attributes.AddRange(entry.Attributes); } } } } var provider = new Provider(providerName, Located.Create(providerId), providerName) { Message = providerMessage, ControlGuid = controlGuid, GroupGuid = groupGuid, }; provider.Levels.AddRange(levels); provider.Tasks.AddRange(tasks); provider.Keywords.AddRange(keywords); provider.Events.AddRange(events); provider.Channels.AddRange(channels); provider.Maps.AddRange(maps); provider.Templates.AddRange(templates); provider.Filters.AddRange(filters); provider.Opcodes.AddRange(allOpcodes.Where(x => x.Item1 == 0).Select(x => x.Item2)); foreach (var taskSpecificOpcode in allOpcodes.Where(x => x.Item1 != 0)) { var task = provider.Tasks.First(x => x.Value == taskSpecificOpcode.Item1); task.Opcodes.Add(taskSpecificOpcode.Item2); } return(provider); }
private void DumpWevtBlock(BinaryReader r, Guid providerId) { var block = r.ReadStruct <ProviderBlock>(); VerifyMagic(0, block.Magic, CrimsonTags.WEVT); writer.PushDictScope($"WEVT({providerId})"); writer.WriteHex("Magic", block.Magic); writer.WriteNumber("Length", block.Length); writer.WriteNumber("MessageId", block.MessageId); writer.WriteNumber("NumOffsets", block.NumOffsets); var lists = new List <ProviderListOffset>(); for (uint i = 0; i < block.NumOffsets; ++i) { var plo = new ProviderListOffset(); plo.Type = (EventFieldKind)r.ReadUInt32(); plo.Offset = r.ReadUInt32(); lists.Add(plo); } foreach (var list in lists) { r.BaseStream.Position = list.Offset; switch (list.Type) { case EventFieldKind.Level: DumpLevels(r); break; case EventFieldKind.Task: DumpTasks(r); break; case EventFieldKind.Opcode: DumpOpcodes(r); break; case EventFieldKind.Keyword: DumpKeywords(r); break; case EventFieldKind.Event: DumpEvents(r); break; case EventFieldKind.Channel: DumpChannels(r); break; case EventFieldKind.Maps: DumpMaps(r); break; case EventFieldKind.Template: DumpTemplates(r); break; case EventFieldKind.Filter: DumpFilters(r); break; case EventFieldKind.ProviderAttribs: DumpProviderAttribs(r); break; case EventFieldKind.EventAttribs: DumpEventAttribs(r); break; case EventFieldKind.EventFlags: DumpEventFlags(r); break; case EventFieldKind.CTRT: default: writer.WriteLine("Unknown item type {0} at offset {1}.", list.Type, list.Offset); break; } } writer.PopScope(); }