Better exception for when no ETW trace sessions remaining (#24)

* Ensure that comparers.hpp is compiled as unmanaged code when /clr is set. This is necessary to ensure that when boost::* makes use of the std::locale lock, we only take the lock on the native side. If the std::locale lock is taken on the managed side, we introduce a loader lock. Signed-off-by: Zac Brown (ODSP SECURITY) <zbrown@microsoft.com> * Fix bug in krabs::schema_key. Kernel traces differentiate events on opcode, user traces use unique event ids. This change adds opcode to the schema_key object used in the schema cache, allowing us to properly cache for kernel traces. Signed-off-by: Zac Brown (ODSP SECURITY) <zbrown@microsoft.com> * Add EventHeader.EventDescriptor.Level as well for schema_key fields. Signed-off-by: Zac Brown (ODSP SECURITY) <zbrown@microsoft.com> * Remove forced unmanaged code compilation in comparers.hpp when working with C++/CLI. There is a potential for perf impact that needs to be further evaluated. Signed-off-by: Zac Brown (ODSP SECURITY) <zbrown@microsoft.com> * Better error reporting for when system is out of ETW trace sessions for registering. Signed-off-by: Zac Brown (ODSP SECURITY) <zbrown@microsoft.com>
microsoft · May 16, 2017 · 3dff28a · 3dff28a
1 parent 00c76c0
commit 3dff28a
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 21 deletions.
diff --git a/O365.Security.Native.ETW/Errors.hpp b/O365.Security.Native.ETW/Errors.hpp
@@ -42,4 +42,9 @@ namespace O365 { namespace Security { namespace ETW {
         TypeMismatchAssert(System::String^ msg) : System::Exception(msg) { }
     };
 
+    /// <summary>
+    /// Thrown when no trace sessions remaining to register. An existing trace
+    /// session must be deleted first.
+    /// </summary>
+    public ref struct NoTraceSessionsRemaining : public System::Exception {};
 } } }
diff --git a/O365.Security.Native.ETW/KernelTrace.hpp b/O365.Security.Native.ETW/KernelTrace.hpp
@@ -141,18 +141,19 @@ namespace O365 { namespace Security { namespace ETW {
         }
         catch (const krabs::trace_already_registered &)
         {
-            TraceAlreadyRegistered ^err = gcnew TraceAlreadyRegistered;
-            throw err;
+            throw gcnew TraceAlreadyRegistered;
         }
         catch (const krabs::invalid_parameter &)
         {
-            InvalidParameter ^err = gcnew InvalidParameter;
-            throw err;
+            throw gcnew InvalidParameter;
         }
         catch (const krabs::start_trace_failure &)
         {
-            StartTraceFailure ^err = gcnew StartTraceFailure;
-            throw err;
+            throw gcnew StartTraceFailure;
+        }
+        catch (const krabs::no_trace_sessions_remaining &)
+        {
+            throw gcnew NoTraceSessionsRemaining;
         }
         catch (const krabs::need_to_be_admin_failure &)
         {

diff --git a/O365.Security.Native.ETW/UserTrace.hpp b/O365.Security.Native.ETW/UserTrace.hpp
@@ -155,18 +155,19 @@ namespace O365 { namespace Security { namespace ETW {
         }
         catch (const krabs::trace_already_registered &)
         {
-            TraceAlreadyRegistered ^err = gcnew TraceAlreadyRegistered;
-            throw err;
+            throw gcnew TraceAlreadyRegistered;
         }
         catch (const krabs::invalid_parameter &)
         {
-            InvalidParameter ^err = gcnew InvalidParameter;
-            throw err;
+            throw gcnew InvalidParameter;
         }
         catch (const krabs::start_trace_failure &)
         {
-            StartTraceFailure ^err = gcnew StartTraceFailure;
-            throw err;
+            throw gcnew StartTraceFailure;
+        }
+        catch (const krabs::no_trace_sessions_remaining &)
+        {
+            throw gcnew NoTraceSessionsRemaining;
         }
     }
 

diff --git a/krabs/krabs/errors.hpp b/krabs/krabs/errors.hpp
@@ -12,28 +12,28 @@ namespace krabs {
     class trace_already_registered : public std::runtime_error {
     public:
         trace_already_registered()
-        : std::runtime_error("The trace session has already been registered")
+            : std::runtime_error("The trace session has already been registered")
         {}
     };
 
     class invalid_parameter : public std::logic_error {
     public:
         invalid_parameter()
-        : std::logic_error("Invalid parameter given")
+            : std::logic_error("Invalid parameter given")
         {}
     };
 
     class start_trace_failure : public std::runtime_error {
     public:
         start_trace_failure()
-        : std::runtime_error("Failure to start trace")
+            : std::runtime_error("Failure to start trace")
         {}
     };
 
     class need_to_be_admin_failure : public std::runtime_error {
     public:
         need_to_be_admin_failure()
-        : std::runtime_error("Need to be an admin")
+            : std::runtime_error("Need to be an admin")
         {}
     };
 
@@ -55,6 +55,13 @@ namespace krabs {
         {}
     };
 
+    class no_trace_sessions_remaining : public std::runtime_error {
+    public:
+        no_trace_sessions_remaining()
+            : std::runtime_error("No more trace sessions available.")
+        {}
+    };
+
     /**
      * <summary>Checks for common ETW API error codes.</summary>
      */
@@ -65,19 +72,16 @@ namespace krabs {
         }
 
         switch (status) {
-
             case ERROR_ALREADY_EXISTS:
                 throw krabs::trace_already_registered();
-                break;
             case ERROR_INVALID_PARAMETER:
                 throw krabs::invalid_parameter();
-                break;
             case ERROR_ACCESS_DENIED:
                 throw krabs::need_to_be_admin_failure();
-                break;
             case ERROR_NOT_FOUND:
                 throw krabs::could_not_find_schema();
-                break;
+            case ERROR_NO_SYSTEM_RESOURCES:
+                throw krabs::no_trace_sessions_remaining();
             default:
                 throw std::runtime_error("Unexpected error");
         }