private Provider ReadWevtBlock(Guid providerId, BinaryReader r)
{
ReadMagic(r, CrimsonTags.WEVT);
uint length = r.ReadUInt32();
uint messageId = r.ReadUInt32();
uint count = r.ReadUInt32();
var lists = new List <ProviderListOffset>();
for (uint i = 0; i < count; ++i)
{
var plo = new ProviderListOffset();
plo.Type = (EventFieldKind)r.ReadUInt32();
plo.Offset = r.ReadUInt32();
lists.Add(plo);
}
var providerMessage = ResolveMessage(messageId);
string providerName = string.Format(
CultureInfo.InvariantCulture, "Provider_{0:N}", providerId);
string providerSymbol = providerName;
Guid? controlGuid = null;
Guid? groupGuid = null;
var allOpcodes = new List <Tuple <ushort, Opcode> >();
var levels = new List <Level>();
var tasks = new List <Task>();
var keywords = new List <Keyword>();
var events = new List <Event>();
var channels = new List <Channel>();
var maps = new List <Map>();
var templates = new List <Template>();
var filters = new List <Filter>();
Dictionary <uint, EventAttributeInfo> eventAttribMap = null;
foreach (var list in lists)
{
r.BaseStream.Position = list.Offset;
switch (list.Type)
{
case EventFieldKind.Level:
levels.AddRange(ReadLevels(r));
break;
case EventFieldKind.Task:
tasks.AddRange(ReadTasks(r));
break;
case EventFieldKind.Opcode:
allOpcodes.AddRange(ReadOpcodes(r));
break;
case EventFieldKind.Keyword:
keywords.AddRange(ReadKeywords(r));
break;
case EventFieldKind.Event:
events.AddRange(ReadEvents(r));
break;
case EventFieldKind.Channel:
channels.AddRange(ReadChannels(r));
break;
case EventFieldKind.Maps:
maps.AddRange(ReadMaps(r));
break;
case EventFieldKind.Template:
templates.AddRange(ReadTemplates(r));
break;
case EventFieldKind.Filter:
filters.AddRange(ReadFilters(r));
break;
case EventFieldKind.ProviderAttribs:
ReadProviderAttribs(r, out providerName, out controlGuid, out groupGuid);
break;
case EventFieldKind.EventAttribs:
eventAttribMap = ReadEventAttribs(r);
break;
default:
break;
}
}
if (eventAttribMap != null)
{
foreach (var evt in events)
{
var key = evt.Value.Value | (uint)(evt.Version.Value << 16);
if (eventAttribMap.TryGetValue(key, out var entry))
{
if (entry.Name != null)
{
evt.Name = entry.Name;
}
if (entry.Attributes != null)
{
evt.Attributes.AddRange(entry.Attributes);
}
}
}
}
var provider = new Provider(providerName, Located.Create(providerId), providerName)
{
Message = providerMessage,
ControlGuid = controlGuid,
GroupGuid = groupGuid,
};
provider.Levels.AddRange(levels);
provider.Tasks.AddRange(tasks);
provider.Keywords.AddRange(keywords);
provider.Events.AddRange(events);
provider.Channels.AddRange(channels);
provider.Maps.AddRange(maps);
provider.Templates.AddRange(templates);
provider.Filters.AddRange(filters);
provider.Opcodes.AddRange(allOpcodes.Where(x => x.Item1 == 0).Select(x => x.Item2));
foreach (var taskSpecificOpcode in allOpcodes.Where(x => x.Item1 != 0))
{
var task = provider.Tasks.First(x => x.Value == taskSpecificOpcode.Item1);
task.Opcodes.Add(taskSpecificOpcode.Item2);
}
return(provider);
}
private void DumpWevtBlock(BinaryReader r, Guid providerId)
{
var block = r.ReadStruct <ProviderBlock>();
VerifyMagic(0, block.Magic, CrimsonTags.WEVT);
writer.PushDictScope($"WEVT({providerId})");
writer.WriteHex("Magic", block.Magic);
writer.WriteNumber("Length", block.Length);
writer.WriteNumber("MessageId", block.MessageId);
writer.WriteNumber("NumOffsets", block.NumOffsets);
var lists = new List <ProviderListOffset>();
for (uint i = 0; i < block.NumOffsets; ++i)
{
var plo = new ProviderListOffset();
plo.Type = (EventFieldKind)r.ReadUInt32();
plo.Offset = r.ReadUInt32();
lists.Add(plo);
}
foreach (var list in lists)
{
r.BaseStream.Position = list.Offset;
switch (list.Type)
{
case EventFieldKind.Level:
DumpLevels(r);
break;
case EventFieldKind.Task:
DumpTasks(r);
break;
case EventFieldKind.Opcode:
DumpOpcodes(r);
break;
case EventFieldKind.Keyword:
DumpKeywords(r);
break;
case EventFieldKind.Event:
DumpEvents(r);
break;
case EventFieldKind.Channel:
DumpChannels(r);
break;
case EventFieldKind.Maps:
DumpMaps(r);
break;
case EventFieldKind.Template:
DumpTemplates(r);
break;
case EventFieldKind.Filter:
DumpFilters(r);
break;
case EventFieldKind.ProviderAttribs:
DumpProviderAttribs(r);
break;
case EventFieldKind.EventAttribs:
DumpEventAttribs(r);
break;
case EventFieldKind.EventFlags:
DumpEventFlags(r);
break;
case EventFieldKind.CTRT:
default:
writer.WriteLine("Unknown item type {0} at offset {1}.", list.Type, list.Offset);
break;
}
}
writer.PopScope();
}
