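#define NTSTRSAFE_LIB
#define TRACE_INFO_BUFFER_SIZE 8192
#define TRACE_INFO_MIN_BUFFERS 96
#define TRACE_INFO_MAX_BUFFERS 118
#define TRACE_INFO_LOGFILE_MODE EVENT_TRACE_BUFFERING_MODE
#define TRACE_INFO_ENABLE_FLAGS EVENT_TRACE_FLAG_SYSTEMCALL
#define MAX_RETRIES 10
#define RETRY_DELAY_MS 100

// Request buffer handed to zw_trace_control for both start and stop.
// `properties` MUST remain the first member: LoggerNameOffset is computed
// relative to trace_info_t, which only equals the offset relative to
// `properties` while `properties` sits at offset 0.
struct trace_info_t {
    EVENT_TRACE_PROPERTIES_V2 properties{};
    UNICODE_STRING provider_name{};
    wchar_t trace_name[260]{};
    wchar_t logger_name[260]{};
};

// Fills `info` with the session parameters shared by start_trace and
// stop_trace: a buffering-mode (no log file) "NT Kernel Logger" session with
// the TRACE_INFO_ENABLE_FLAGS event classes enabled.
// `info` is expected to be value-initialised (all zero) by the caller; fields
// not assigned here (e.g. LogFileNameOffset) deliberately stay 0.
static void init_trace_info(trace_info_t& info)
{
    auto& properties = info.properties;
    // The Wnode buffer size covers the whole request, not just `properties`,
    // because the trailing name buffers are part of what the kernel reads.
    properties.Wnode.BufferSize = sizeof(trace_info_t);
    properties.Wnode.Flags = WNODE_FLAG_TRACED_GUID;
    properties.Wnode.ClientContext = EVENT_TRACE_CLOCK_PERFCOUNTER;
    properties.Wnode.Guid = SystemTraceControlGuid;
    properties.BufferSize = TRACE_INFO_BUFFER_SIZE;
    properties.MinimumBuffers = TRACE_INFO_MIN_BUFFERS;
    properties.MaximumBuffers = TRACE_INFO_MAX_BUFFERS;
    properties.MaximumFileSize = 0;
    properties.LogFileMode = TRACE_INFO_LOGFILE_MODE;
    properties.LoggerNameOffset = offsetof(trace_info_t, logger_name);
    properties.FlushTimer = 0;
    properties.EnableFlags = TRACE_INFO_ENABLE_FLAGS;
    properties.NumberOfBuffers = 1;
    core::rtl_init_unicode_string(&info.provider_name, L"NT Kernel Logger");
}

// Issues `function_code` (EtwpStartTrace or EtwpStopTrace) against the
// session described by `info`, retrying up to MAX_RETRIES times with a
// RETRY_DELAY_MS pause between attempts.
// Returns STATUS_SUCCESS on the first attempt that satisfies NT_SUCCESS,
// otherwise the status of the last failed attempt.
static NTSTATUS trace_control_with_retry(decltype(EtwpStartTrace) function_code,
                                         trace_info_t& info)
{
    // Negative QuadPart = relative interval, expressed in 100 ns units.
    LARGE_INTEGER delay{};
    delay.QuadPart = -(static_cast<LONGLONG>(RETRY_DELAY_MS) * 10000);

    ULONG return_length{};
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    for (int attempt = 0; attempt < MAX_RETRIES; ++attempt) {
        status = core::zw_trace_control(function_code, &info, sizeof(info),
                                        &info, sizeof(info), &return_length);
        if (NT_SUCCESS(status)) {
            return STATUS_SUCCESS;
        }
        core::ke_delay_execution_thread(KernelMode, FALSE, &delay);
    }
    return status;
}

// Starts the system-wide "NT Kernel Logger" session with the
// TRACE_INFO_ENABLE_FLAGS event classes enabled.
// NOTE(review): presumably only one such session exists per machine, so if
// another component already owns it the start request is expected to keep
// failing; the retry loop only covers transient failures, not that case.
NTSTATUS start_trace()
{
    trace_info_t info{};  // value-initialised: all zero, no RtlZeroMemory needed
    init_trace_info(info);
    return trace_control_with_retry(EtwpStartTrace, info);
}

// Stops the "NT Kernel Logger" session.
// NOTE(review): this targets the global session regardless of who started it,
// so any other consumer of kernel-logger events on the machine would lose them
// as well — confirm that is the intended behaviour.
NTSTATUS stop_trace()
{
    trace_info_t info{};  // value-initialised: all zero, no RtlZeroMemory needed
    init_trace_info(info);
    return trace_control_with_retry(EtwpStopTrace, info);
}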