Tuesday, February 8, 2011

NtTraceControl

If my eyes do not deceive me, the prototype looks roughly like this:

NTSYSAPI
NTSTATUS
NTAPI
NtTraceControl(
    IN ULONG CtrlCode,
    IN PVOID InputBuffer,
    IN ULONG InputBufferLength,
    OUT PVOID OutputBuffer,
    IN ULONG OutputBufferLength,
    OUT PULONG ReturnLength
);

Under Vista it is called with the following CtrlCode values:
  • advapi32!EtwpStartLogger - CtrlCode 0x1
  • advapi32!EtwpStopLogger - CtrlCode 0x2
  • advapi32!EtwpQueryLogger - CtrlCode 0x3
  • advapi32!EtwpUpdateLogger - CtrlCode 0x4
  • advapi32!EtwpFlushLogger - CtrlCode 0x5
  • advapi32!EtwpSetupRealTimeContext - CtrlCode 0xB
  • ntdll!EtwEventActivityIdControl - CtrlCode 0xC
  • ntdll!EtwEventWriteEndScenario - CtrlCode 0xD
  • advapi32!EtwpRealTimeDisconnect - CtrlCode 0xE
  • ntdll!EtwpRegisterProvider - CtrlCode 0xF
  • ntdll!EtwpNotificationThread - CtrlCode 0x10
  • ntdll!EtwSendNotification - CtrlCode 0x11
  • ntdll!EtwReplyNotification - CtrlCode 0x12
  • ntdll!EtwpReceiveReplyDataBlock - CtrlCode 0x13
  • advapi32!EnumerateTraceGuidsEx - CtrlCode 0x15 or 0x16
  • advapi32!EnumerateTraceGuids - CtrlCode 0x17
  • ntdll!EtwRegisterSecurityProvider - CtrlCode 0x18
Correspondingly, in the kernel these CtrlCodes lead to calls of the following functions:
  • 1 - EtwpStartTrace
  • 2 - EtwpStopTrace
  • 3 - EtwpQueryTrace
  • 4 - EtwpUpdateTrace
  • 5 - EtwpFlushTrace
  • 0xB - EtwpRealtimeConnect
  • 0xC - EtwpCreateActivityId
  • 0xD - WdiDispatchControl
  • 0xE - EtwpRealtimeDisconnectConsumerByHandle
  • 0xF - EtwpRegisterUMGuid
  • 0x10 - EtwpReceiveNotification
  • 0x11 - EtwpEnableGuid
  • 0x12 - EtwpSendReplyDataBlock
  • 0x13 - EtwpReceiveReplyDataBlock
  • 0x14 - WdiUpdateSem
  • 0x15 - EtwpGetTraceGuidList
  • 0x16 - EtwpGetTraceGuidInfo
  • 0x17 - EtwpEnumerateTraceGuids
  • 0x18 - assigns the PID of the calling process to the variable EtwpSecurityProviderPID

    2 comments:

    1. Can you do a quick SRE of EtwpQueryTrace through NtTraceControl and provide some sample code? I was looking at the user mode call for QueryAllTraces to get all of the sessions going on and wanted to do this in kernel code. So, I looked at the code and it seems to loop from 0-40 (max sessions) and call QueryTrace for each index, for what I think is the session ID, which ends up calling NtTraceControl for op code 3.

      But, I can't get the input correct to get the output of a session. I allocate for the sizeof(EVENT_TRACE_PROPERTIES) and add more at the end of the structure for the session name and session log file name and update the pointers like in the example. But I don't know how/where to put the index (session id) ... I keep getting status code 0xc00000d, sometimes 0xc00000005.

      Any help is appreciated! Thanks.

    2. I am not sure that you need the session name.
      If you check advapi32!StartTraceA you can see code which compares the session name and puts some IID into EVENT_TRACE_PROPERTIES + 0x18:
      "NT Kernel Logger" - SystemTraceControlGuid
      "Circular Kernel Context Logger" - 54DEA73A-ED1F-42A4-AF71-3E63D056F174

      Check the content of EVENT_TRACE_PROPERTIES after calling StartTrace.

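As an added, self-contained example (not code from the post or from either commenter), the following C program lays out the EVENT_TRACE_PROPERTIES block that both comments talk about: the struct is re-declared with x64 field widths so it builds without windows.h, the session name is appended right after the struct with LoggerNameOffset pointing at it, and the name-to-GUID substitution that the second comment observed in StartTraceA is reproduced so that "NT Kernel Logger" lands SystemTraceControlGuid at Wnode.Guid (offset 0x18). Assumptions made by this example and not stated on the page: the name is stored as UTF-16LE (the form the W variant of the API hands to the kernel), the logger handle for a query or control call travels in Wnode.HistoricalContext, the value of SystemTraceControlGuid, and the WNODE_FLAG_TRACED_GUID flag value; the circular-logger GUID is the one quoted in the second comment. The etw_* helper names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Re-declared Windows layouts (x64 field widths) so this builds without
 * windows.h. HANDLE-sized members are uint64_t. */
typedef struct { uint32_t Data1; uint16_t Data2; uint16_t Data3; uint8_t Data4[8]; } GUID;

typedef struct {
    uint32_t BufferSize;
    uint32_t ProviderId;
    uint64_t HistoricalContext;  /* assumption: carries the logger handle on query/control */
    uint64_t TimeStamp;          /* union with CountLost / KernelHandle */
    GUID     Guid;               /* offset 0x18, the field the second comment refers to */
    uint32_t ClientContext;
    uint32_t Flags;
} WNODE_HEADER;

typedef struct {
    WNODE_HEADER Wnode;
    uint32_t BufferSize, MinimumBuffers, MaximumBuffers, MaximumFileSize;
    uint32_t LogFileMode, FlushTimer, EnableFlags;
    int32_t  AgeLimit;
    uint32_t NumberOfBuffers, FreeBuffers, EventsLost, BuffersWritten;
    uint32_t LogBuffersLost, RealTimeBuffersLost;
    uint64_t LoggerThreadId;     /* HANDLE on x64 */
    uint32_t LogFileNameOffset;
    uint32_t LoggerNameOffset;
} EVENT_TRACE_PROPERTIES;

#define WNODE_FLAG_TRACED_GUID 0x00020000u   /* assumed value from evntrace.h */

static const GUID SystemTraceControlGuid =   /* assumed well-known kernel logger GUID */
    {0x9E814AAD, 0x3204, 0x11D2, {0x9A,0x82,0x00,0x60,0x08,0xA8,0x69,0x39}};
static const GUID CircularKernelContextLoggerGuid =   /* GUID quoted in the comment */
    {0x54DEA73A, 0xED1F, 0x42A4, {0xAF,0x71,0x3E,0x63,0xD0,0x56,0xF1,0x74}};

/* The name-to-GUID mapping the second comment describes inside StartTraceA. */
static const GUID *session_guid_for_name(const char *name)
{
    if (strcmp(name, "NT Kernel Logger") == 0) return &SystemTraceControlGuid;
    if (strcmp(name, "Circular Kernel Context Logger") == 0)
        return &CircularKernelContextLoggerGuid;
    return NULL;
}

/* Fill buf (8-byte aligned, buflen bytes) with EVENT_TRACE_PROPERTIES followed by
 * the session name as UTF-16LE (assumed wire form). Returns Wnode.BufferSize, 0 on error. */
size_t etw_build_props(void *buf, size_t buflen, const char *name, uint64_t logger_handle)
{
    size_t namelen = strlen(name);
    size_t total = sizeof(EVENT_TRACE_PROPERTIES) + (namelen + 1) * 2;
    if (buf == NULL || total > buflen || total > 0xFFFFFFFFu) return 0;

    EVENT_TRACE_PROPERTIES *p = (EVENT_TRACE_PROPERTIES *)buf;
    memset(p, 0, total);
    p->Wnode.BufferSize = (uint32_t)total;
    p->Wnode.Flags = WNODE_FLAG_TRACED_GUID;
    p->Wnode.HistoricalContext = logger_handle;
    const GUID *g = session_guid_for_name(name);
    if (g != NULL) p->Wnode.Guid = *g;
    p->LoggerNameOffset = (uint32_t)sizeof(EVENT_TRACE_PROPERTIES); /* name sits right after */
    uint8_t *dst = (uint8_t *)buf + p->LoggerNameOffset;
    for (size_t i = 0; i < namelen; i++) { dst[2 * i] = (uint8_t)name[i]; dst[2 * i + 1] = 0; }
    return total;
}

/* Introspection helpers so the layout can be checked without a debugger. */
size_t   etw_guid_field_offset(void) { return offsetof(WNODE_HEADER, Guid); }
size_t   etw_props_size(void)        { return sizeof(EVENT_TRACE_PROPERTIES); }
uint32_t etw_props_guid_data1(const void *buf) { return ((const EVENT_TRACE_PROPERTIES *)buf)->Wnode.Guid.Data1; }
uint32_t etw_props_name_offset(const void *buf) { return ((const EVENT_TRACE_PROPERTIES *)buf)->LoggerNameOffset; }
uint16_t etw_props_name_unit(const void *buf, size_t i) { /* i-th UTF-16 code unit of the name */
    const uint8_t *s = (const uint8_t *)buf + etw_props_name_offset(buf);
    return (uint16_t)(s[2 * i] | (s[2 * i + 1] << 8));
}

/* Aligned scratch buffer so callers can build and inspect without declaring storage. */
static uint64_t g_scratch[64];
size_t etw_build_scratch(const char *name, uint64_t handle) {
    return etw_build_props(g_scratch, sizeof g_scratch, name, handle);
}
const void *etw_scratch(void) { return g_scratch; }

int main(void)
{
    size_t n = etw_build_scratch("NT Kernel Logger", 0);
    printf("built %zu bytes, Guid at +0x%zx, Guid.Data1=%08X, name at +%u\n",
           n, etw_guid_field_offset(), etw_props_guid_data1(etw_scratch()),
           etw_props_name_offset(etw_scratch()));
    return 0;
}
```

Running it shows Wnode.Guid at +0x18 and the name at +120, i.e. the two places the commenters were looking for; on 32-bit Windows the HANDLE-sized members shrink and the struct is 116 bytes, so the helper sizes above hold only for the x64 layout they declare.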