krabsetw
krabsetw copied to clipboard
microsoft
how to handle map and unmap (excluding image files) event type in krabsetw
hi ,I enable the EVENT_TRACE_FLAG_VAMAP in krabsetw, but can not receive event, from msdn, from msdn description, it is alse have no property. how can i handle map and unmap event ? please help
iirc MSDN doesn't document those events. You can dynamically retrieve the property information using the TDH ETW APIs though.
Or just use a tool like EtwExplorer which gives you this information -
[dynamic: ToInstance, Guid("{90cbdc39-4a3e-11d1-84f4-0000f80464e3}"), EventVersion(2)]
class FileIo_V2 : MSNT_SystemTrace
{
};
[dynamic: ToInstance, EventType{37, 38, 39, 40}]
class FileIo_V2_MapFile : FileIo_V2
{
[WmiDataId(1), pointer, read] uint32 ViewBase;
[WmiDataId(2), pointer, read] uint32 FileObject;
[WmiDataId(3), format("x"), read] uint64 MiscInfo;
[WmiDataId(4), extension("SizeT"), read] object ViewSize;
[WmiDataId(5), read] uint32 ProcessId;
};
A quick snippet to enables these events in krabs is -
krabs::kernel_trace trace();
krabs::kernel::vamap_provider provider;
provider.add_on_event_callback([](const EVENT_RECORD& record, const krabs::trace_context&) {
std::wcout << record.EventHeader.EventDescriptor.Opcode << std::endl;
});
trace.enable(provider);
trace.start();
And then follow any of the krabs examples to parse the properties.
thanks @jdu2600 , i use the following code snippet, and krabsetw throw a exception, this exception indicate TdhGetEventInformation return ERROR_NOT_FOUND(1168)
That's strange. Unfortunately that seems to be a Windows issue.
The raw data is available though, so you could attempt to manually parse it. Something like this -
if (record.UserDataLength == 44) {
auto ViewBase = *(uint64_t*)record.UserData;
auto FileObject = *((uint64_t*)record.UserData + 1);
auto MiscInfo = *((uint64_t*)record.UserData + 2);
auto ViewSize = *((uint64_t*)record.UserData + 3);
}