private static unsafe IEventTraceOperand BuildOperandFromTdh(EVENT_RECORD *eventRecord, int metadataTableIndex) { uint bufferSize; byte *buffer = (byte *)0; // Not Found if (Tdh.GetEventInformation(eventRecord, 0, IntPtr.Zero, buffer, out bufferSize) == 1168) { return(null); } buffer = (byte *)Marshal.AllocHGlobal((int)bufferSize); Tdh.GetEventInformation(eventRecord, 0, IntPtr.Zero, buffer, out bufferSize); var traceEventInfo = (TRACE_EVENT_INFO *)buffer; IEventTraceOperand traceEventOperand = EventTraceOperandBuilder.Build(traceEventInfo, metadataTableIndex); Marshal.FreeHGlobal((IntPtr)buffer); return(traceEventOperand); }
private List <EventTracePropertyOperand> IterateProperties(byte *buffer, List <EventTracePropertyOperand> operands, int start, int end, EVENT_PROPERTY_INFO *eventPropertyInfoArr) { var returnList = new List <EventTracePropertyOperand>(); for (int i = start; i < end; ++i) { var eventPropertyInfo = &eventPropertyInfoArr[i]; string propertyName = new string((char *)&buffer[eventPropertyInfo->NameOffset]); int structchildren = eventPropertyInfo->StructType.NumOfStructMembers; bool isStruct = (eventPropertyInfo->Flags & PROPERTY_FLAGS.PropertyStruct) == PROPERTY_FLAGS.PropertyStruct; bool isVariableArray = (eventPropertyInfo->Flags & PROPERTY_FLAGS.PropertyParamCount) == PROPERTY_FLAGS.PropertyParamCount; bool isFixedArray = (eventPropertyInfo->Flags & PROPERTY_FLAGS.PropertyParamFixedCount) == PROPERTY_FLAGS.PropertyParamFixedCount; bool isVariableLength = (eventPropertyInfo->Flags & PROPERTY_FLAGS.PropertyParamLength) == PROPERTY_FLAGS.PropertyParamLength; bool isFixedLength = (eventPropertyInfo->Flags & PROPERTY_FLAGS.PropertyParamFixedLength) == PROPERTY_FLAGS.PropertyParamFixedLength; bool isWbemXmlFragment = (eventPropertyInfo->Flags & PROPERTY_FLAGS.PropertyWBEMXmlFragment) == PROPERTY_FLAGS.PropertyWBEMXmlFragment; // NOTE: Do not remove this special case, there are cases like this, we just assume it's a fixed array if (!isFixedArray && !isVariableArray && eventPropertyInfo->count > 1) { isFixedArray = true; } string mapName = null; Dictionary <uint, string> mapOfValues = null; if (eventPropertyInfo->NonStructType.MapNameOffset != 0) { byte *mapBuffer = (byte *)0; uint bufferSize; var fakeEventRecord = new EVENT_RECORD { ProviderId = this.traceEventInfo->ProviderGuid }; mapName = new string((char *)&buffer[eventPropertyInfo->NonStructType.MapNameOffset]); Tdh.GetEventMapInformation(&fakeEventRecord, mapName, mapBuffer, out bufferSize); mapBuffer = (byte *)Marshal.AllocHGlobal((int)bufferSize); Tdh.GetEventMapInformation(&fakeEventRecord, mapName, mapBuffer, out bufferSize); EVENT_MAP_INFO *mapInfo = (EVENT_MAP_INFO *)mapBuffer; if (mapInfo->MapEntryValueType == MAP_VALUETYPE.EVENTMAP_ENTRY_VALUETYPE_ULONG) { var mapEntry = (EVENT_MAP_ENTRY *)&mapInfo->MapEntryArray; mapOfValues = new Dictionary <uint, string>(); for (int j = 0; j < mapInfo->EntryCount; ++j) { var offset = mapEntry[j].OutputOffset; if (offset > bufferSize) { // TDH has a bug (it seems) that is giving rogue values here // We should log this } else { var mapEntryValue = mapEntry[j].Value; string mapEntryName; if (!mapOfValues.TryGetValue(mapEntryValue, out mapEntryName)) { mapEntryName = new string((char *)&mapBuffer[offset]); mapOfValues.Add(mapEntryValue, mapEntryName); } } } } Marshal.FreeHGlobal((IntPtr)mapBuffer); } /* save important information in an object */ var operand = new EventTracePropertyOperand( new PropertyMetadata((TDH_IN_TYPE)eventPropertyInfo->NonStructType.InType, (TDH_OUT_TYPE)eventPropertyInfo->NonStructType.OutType, propertyName, mapOfValues != null, isStruct, isStruct ? structchildren : 0, new MapInformation(mapName, mapOfValues)), i, isVariableArray, isFixedArray, isVariableLength, isFixedLength, isWbemXmlFragment); this.flatPropertyList.Add(operand); operands.Add(operand); returnList.Add(operand); /* if this references a previous field, we need to capture that as a local */ if (isVariableArray) { var reference = operands[eventPropertyInfo->countPropertyIndex]; reference.IsReferencedByOtherProperties = true; operand.SetVariableArraySize(reference); } else if (isFixedArray) { operand.SetFixedArraySize(eventPropertyInfo->count); } /* if this references a previous field, we need to capture that as a local */ if (isVariableLength) { var reference = operands[eventPropertyInfo->lengthPropertyIndex]; reference.IsReferencedByOtherProperties = true; operand.SetVariableLengthSize(reference); } else if (isFixedLength) { operand.SetFixedLengthSize(eventPropertyInfo->length); } if ((eventPropertyInfo->Flags & PROPERTY_FLAGS.PropertyStruct) == PROPERTY_FLAGS.PropertyStruct) { var innerProps = this.IterateProperties( buffer, operands, eventPropertyInfo->StructType.StructStartIndex, eventPropertyInfo->StructType.StructStartIndex + eventPropertyInfo->StructType.NumOfStructMembers, eventPropertyInfoArr); foreach (var innerProp in innerProps) { operand.Children.Add(innerProp); } } } return(returnList); }