Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
178 lines (157 sloc) 5.42 KB
package etw
import (
"bytes"
"encoding/binary"
)
// inType indicates the type of data contained in the ETW event.
type inType byte
// Various inType definitions for TraceLogging. These must match the definitions
// found in TraceLoggingProvider.h in the Windows SDK.
const (
inTypeNull inType = iota
inTypeUnicodeString
inTypeANSIString
inTypeInt8
inTypeUint8
inTypeInt16
inTypeUint16
inTypeInt32
inTypeUint32
inTypeInt64
inTypeUint64
inTypeFloat
inTypeDouble
inTypeBool32
inTypeBinary
inTypeGUID
inTypePointerUnsupported
inTypeFileTime
inTypeSystemTime
inTypeSID
inTypeHexInt32
inTypeHexInt64
inTypeCountedString
inTypeCountedANSIString
inTypeStruct
inTypeCountedBinary
inTypeCountedArray inType = 32
inTypeArray inType = 64
)
// outType specifies a hint to the event decoder for how the value should be
// formatted.
type outType byte
// Various outType definitions for TraceLogging. These must match the
// definitions found in TraceLoggingProvider.h in the Windows SDK.
const (
// outTypeDefault indicates that the default formatting for the inType will
// be used by the event decoder.
outTypeDefault outType = iota
outTypeNoPrint
outTypeString
outTypeBoolean
outTypeHex
outTypePID
outTypeTID
outTypePort
outTypeIPv4
outTypeIPv6
outTypeSocketAddress
outTypeXML
outTypeJSON
outTypeWin32Error
outTypeNTStatus
outTypeHResult
outTypeFileTime
outTypeSigned
outTypeUnsigned
outTypeUTF8 outType = 35
outTypePKCS7WithTypeInfo outType = 36
outTypeCodePointer outType = 37
outTypeDateTimeUTC outType = 38
)
// eventMetadata maintains a buffer which builds up the metadata for an ETW
// event. It needs to be paired with EventData which describes the event.
type eventMetadata struct {
buffer bytes.Buffer
}
// bytes returns the raw binary data containing the event metadata. Before being
// returned, the current size of the buffer is written to the start of the
// buffer. The returned value is not copied from the internal buffer, so it can
// be mutated by the eventMetadata object after it is returned.
func (em *eventMetadata) bytes() []byte {
// Finalize the event metadata buffer by filling in the buffer length at the
// beginning.
binary.LittleEndian.PutUint16(em.buffer.Bytes(), uint16(em.buffer.Len()))
return em.buffer.Bytes()
}
// writeEventHeader writes the metadata for the start of an event to the buffer.
// This specifies the event name and tags.
func (em *eventMetadata) writeEventHeader(name string, tags uint32) {
binary.Write(&em.buffer, binary.LittleEndian, uint16(0)) // Length placeholder
em.writeTags(tags)
em.buffer.WriteString(name)
em.buffer.WriteByte(0) // Null terminator for name
}
func (em *eventMetadata) writeFieldInner(name string, inType inType, outType outType, tags uint32, arrSize uint16) {
em.buffer.WriteString(name)
em.buffer.WriteByte(0) // Null terminator for name
if outType == outTypeDefault && tags == 0 {
em.buffer.WriteByte(byte(inType))
} else {
em.buffer.WriteByte(byte(inType | 128))
if tags == 0 {
em.buffer.WriteByte(byte(outType))
} else {
em.buffer.WriteByte(byte(outType | 128))
em.writeTags(tags)
}
}
if arrSize != 0 {
binary.Write(&em.buffer, binary.LittleEndian, arrSize)
}
}
// writeTags writes out the tags value to the event metadata. Tags is a 28-bit
// value, interpreted as bit flags, which are only relevant to the event
// consumer. The event consumer may choose to attribute special meaning to tags
// (e.g. 0x4 could mean the field contains PII). Tags are written as a series of
// bytes, each containing 7 bits of tag value, with the high bit set if there is
// more tag data in the following byte. This allows for a more compact
// representation when not all of the tag bits are needed.
func (em *eventMetadata) writeTags(tags uint32) {
// Only use the top 28 bits of the tags value.
tags &= 0xfffffff
for {
// Tags are written with the most significant bits (e.g. 21-27) first.
val := tags >> 21
if tags&0x1fffff == 0 {
// If there is no more data to write after this, write this value
// without the high bit set, and return.
em.buffer.WriteByte(byte(val & 0x7f))
return
}
em.buffer.WriteByte(byte(val | 0x80))
tags <<= 7
}
}
// writeField writes the metadata for a simple field to the buffer.
func (em *eventMetadata) writeField(name string, inType inType, outType outType, tags uint32) {
em.writeFieldInner(name, inType, outType, tags, 0)
}
// writeArray writes the metadata for an array field to the buffer. The number
// of elements in the array must be written as a uint16 in the event data,
// immediately preceeding the event data.
func (em *eventMetadata) writeArray(name string, inType inType, outType outType, tags uint32) {
em.writeFieldInner(name, inType|inTypeArray, outType, tags, 0)
}
// writeCountedArray writes the metadata for an array field to the buffer. The
// size of a counted array is fixed, and the size is written into the metadata
// directly.
func (em *eventMetadata) writeCountedArray(name string, count uint16, inType inType, outType outType, tags uint32) {
em.writeFieldInner(name, inType|inTypeCountedArray, outType, tags, count)
}
// writeStruct writes the metadata for a nested struct to the buffer. The struct
// contains the next N fields in the metadata, where N is specified by the
// fieldCount argument.
func (em *eventMetadata) writeStruct(name string, fieldCount uint8, tags uint32) {
em.writeFieldInner(name, inTypeStruct, outType(fieldCount), tags, 0)
}
You can’t perform that action at this time.