NTSYSAPI
NTSTATUS
NTAPI
NtTraceControl(IN ULONG CtrlCode, IN PVOID InputBuffer, IN ULONG InputBufferLength,
OUT PVOID OutputBuffer, IN ULONG OutputBufferLength, OUT PULONG ReturnLength
);

Under Vista it is called with the following CtrlCodes:
- advapi32!EtwpStartLogger - CtrlCode 0x1
- advapi32!EtwpStopLogger - CtrlCode 0x2
- advapi32!EtwpQueryLogger - CtrlCode 0x3
- advapi32!EtwpUpdateLogger - CtrlCode 0x4
- advapi32!EtwpFlushLogger - CtrlCode 0x5
- advapi32!EtwpSetupRealTimeContext - CtrlCode 0xB
- ntdll!EtwEventActivityIdControl - CtrlCode 0xC
- ntdll!EtwEventWriteEndScenario - CtrlCode 0xD
- advapi32!EtwpRealTimeDisconnect - CtrlCode 0xE
- ntdll!EtwpRegisterProvider - CtrlCode 0xF
- ntdll!EtwpNotificationThread - CtrlCode 0x10
- ntdll!EtwSendNotification - CtrlCode 0x11
- ntdll!EtwReplyNotification - CtrlCode 0x12
- ntdll!EtwpReceiveReplyDataBlock - CtrlCode 0x13
- advapi32!EnumerateTraceGuidsEx - CtrlCode 0x15 or 0x16
- advapi32!EnumerateTraceGuids - CtrlCode 0x17
- ntdll!EtwRegisterSecurityProvider - CtrlCode 0x18
 
On the kernel side each CtrlCode is dispatched to:
- 1 - EtwpStartTrace
- 2 - EtwpStopTrace
- 3 - EtwpQueryTrace
- 4 - EtwpUpdateTrace
- 5 - EtwpFlushTrace
- 0xB - EtwpRealtimeConnect
- 0xC - EtwpCreateActivityId
- 0xD - WdiDispatchControl
- 0xE - EtwpRealtimeDisconnectConsumerByHandle
- 0xF - EtwpRegisterUMGuid
- 0x10 - EtwpReceiveNotification
- 0x11 - EtwpEnableGuid
- 0x12 - EtwpSendReplyDataBlock
- 0x13 - EtwpReceiveReplyDataBlock
- 0x14 - WdiUpdateSem
- 0x15 - EtwpGetTraceGuidList
- 0x16 - EtwpGetTraceGuidInfo
- 0x17 - EtwpEnumerateTraceGuids
- 0x18 - stores the PID of the calling process in the variable EtwpSecurityProviderPID
 
Can you do a quick SRE of EtwpQueryTrace through NtTraceControl and provide some sample code? I was looking at the user-mode call QueryAllTraces to get all of the sessions going on and wanted to do this in kernel code. So I looked at the code and it seems to loop from 0-40 (max sessions) and call QueryTrace for each index, which I think is the session ID, and that ends up calling NtTraceControl with op code 3.
But I can't get the input correct to get the output of a session. I allocate sizeof(EVENT_TRACE_PROPERTIES) and add more at the end of the structure for the session name and session log file name, and update the pointers like in the example. But I don't know how/where to put the index (session id) ... I keep getting status code 0xc00000d, sometimes 0xc00000005.
Any help is appreciated! Thanks.
I am not sure that you need a session name.
If you check advapi32!StartTraceA you can see code which compares the name of the session and puts some IID into EVENT_TRACE_PROPERTIES + 0x18:
"NT Kernel Logger" - SystemTraceControlGuid
"Circular Kernel Context Logger" - 54DEA73A-ED1F-42A4-AF71-3E63D056F174
Check the content of EVENT_TRACE_PROPERTIES after calling StartTrace.
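The following is an added example, not code from the post or from the commenter, tying the CtrlCode table above to the question about CtrlCode 3 (EtwpQueryTrace). It builds the EVENT_TRACE_PROPERTIES request the way advapi32's ControlTrace/QueryAllTraces path hands it to NtTraceControl (the logger id goes into Wnode.HistoricalContext, the name areas follow the fixed struct, and Wnode.BufferSize must equal the length passed to the call), reproduces the session-name to Wnode.Guid (+0x18) mapping the reply describes for StartTraceA, and loops over logger ids as QueryAllTraces does. The struct layouts follow the public wmistr.h/evntrace.h definitions; MAXLOGGERS and WNODE_FLAG_TRACED_GUID are the SDK values. The macro names ETW_CTRL_QUERY_TRACE and NAME_CHARS, the trace_request type and all function names are my own. The system call is only issued when compiled for Windows; elsewhere query_trace_session returns STATUS_NOT_IMPLEMENTED so the layout logic can still be exercised.

```c
/* Added example, not code from the post: builds the NtTraceControl(3) request
 * the way advapi32's ControlTrace/QueryAllTraces path does, applies the
 * session-name -> Wnode.Guid mapping the reply describes for StartTraceA, and
 * loops over logger ids like QueryAllTraces. Struct layouts follow the public
 * wmistr.h/evntrace.h definitions so the file also builds on non-Windows hosts;
 * the system call itself is only made when compiled for Windows. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef uint32_t ULONG;  typedef uint64_t ULONG64;  typedef int32_t LONG;
typedef uint16_t WCHAR;  typedef int32_t  NTSTATUS; /* negative == failure */
typedef struct { uint32_t Data1; uint16_t Data2, Data3; uint8_t Data4[8]; } GUID;

typedef struct {                 /* WNODE_HEADER, 0x30 bytes */
    ULONG   BufferSize;          /* +0x00: whole block incl. name areas */
    ULONG   ProviderId;
    ULONG64 HistoricalContext;   /* +0x08: logger id / TRACEHANDLE */
    ULONG64 TimeStamp;           /* +0x10: union with CountLost/KernelHandle */
    GUID    Guid;                /* +0x18: what StartTrace fills from the name */
    ULONG   ClientContext;       /* +0x28 */
    ULONG   Flags;               /* +0x2C */
} WNODE_HEADER;

typedef struct {                 /* EVENT_TRACE_PROPERTIES */
    WNODE_HEADER Wnode;
    ULONG BufferSize, MinimumBuffers, MaximumBuffers, MaximumFileSize;
    ULONG LogFileMode, FlushTimer, EnableFlags;
    LONG  AgeLimit;
    ULONG NumberOfBuffers, FreeBuffers, EventsLost, BuffersWritten;
    ULONG LogBuffersLost, RealTimeBuffersLost;
    void *LoggerThreadId;        /* HANDLE: pointer-sized, so x86/x64 sizes differ */
    ULONG LogFileNameOffset;     /* byte offsets from the start of the struct */
    ULONG LoggerNameOffset;
} EVENT_TRACE_PROPERTIES;

#define MAXLOGGERS             64           /* evntrace.h */
#define WNODE_FLAG_TRACED_GUID 0x00020000u  /* wmistr.h */
#define ETW_CTRL_QUERY_TRACE   3            /* CtrlCode 3 from the table above; macro name is ours */
#define NAME_CHARS             1024         /* our choice: room per string after the struct */

typedef struct { EVENT_TRACE_PROPERTIES *props; ULONG size; } trace_request;

/* Query by logger id: zeroed struct + zeroed LoggerName area + zeroed
 * LogFileName area. The id goes in Wnode.HistoricalContext, not in a name, and
 * Wnode.BufferSize must equal the length passed to NtTraceControl or the call
 * fails with STATUS_INVALID_PARAMETER. The block doubles as the output buffer. */
static trace_request build_query_request(ULONG logger_id)
{
    trace_request r = { NULL, 0 };
    r.size  = (ULONG)(sizeof(EVENT_TRACE_PROPERTIES) + 2 * NAME_CHARS * sizeof(WCHAR));
    r.props = calloc(1, r.size);
    if (!r.props) { r.size = 0; return r; }
    r.props->Wnode.BufferSize        = r.size;
    r.props->Wnode.Flags             = WNODE_FLAG_TRACED_GUID;
    r.props->Wnode.HistoricalContext = logger_id;
    r.props->LoggerNameOffset  = (ULONG)sizeof(EVENT_TRACE_PROPERTIES);
    r.props->LogFileNameOffset = r.props->LoggerNameOffset + NAME_CHARS * (ULONG)sizeof(WCHAR);
    return r;
}

static const GUID SystemTraceControlGuid =     /* {9E814AAD-3204-11D2-9A82-006008A86939} */
    { 0x9E814AAD, 0x3204, 0x11D2, { 0x9A, 0x82, 0x00, 0x60, 0x08, 0xA8, 0x69, 0x39 } };
static const GUID CircularKernelContextGuid =  /* {54DEA73A-ED1F-42A4-AF71-3E63D056F174} */
    { 0x54DEA73A, 0xED1F, 0x42A4, { 0xAF, 0x71, 0x3E, 0x63, 0xD0, 0x56, 0xF1, 0x74 } };

/* The name comparison StartTraceA performs before NtTraceControl(1): the two
 * well-known session names get a fixed Wnode.Guid; any other name returns 0. */
static int guid_for_session_name(const char *name, GUID *out)
{
    if (strcmp(name, "NT Kernel Logger") == 0)               { *out = SystemTraceControlGuid;    return 1; }
    if (strcmp(name, "Circular Kernel Context Logger") == 0) { *out = CircularKernelContextGuid; return 1; }
    return 0;
}

#ifdef _WIN32
/* ntdll exports NtTraceControl but no import library declares it; resolve at run time. */
__declspec(dllimport) void *__stdcall GetModuleHandleW(const WCHAR *);
__declspec(dllimport) void *__stdcall GetProcAddress(void *, const char *);
typedef NTSTATUS (__stdcall *NtTraceControl_t)(ULONG, void *, ULONG, void *, ULONG, ULONG *);
#endif

/* NtTraceControl(3, props, size, props, size, &ret); caller frees out->props.
 * Off Windows this returns STATUS_NOT_IMPLEMENTED so the layout code still runs. */
static NTSTATUS query_trace_session(ULONG logger_id, trace_request *out)
{
    *out = build_query_request(logger_id);
    if (!out->props) return (NTSTATUS)0xC000009A;          /* STATUS_INSUFFICIENT_RESOURCES */
#ifdef _WIN32
    static const WCHAR ntdll[] = { 'n','t','d','l','l','.','d','l','l', 0 };
    NtTraceControl_t fn = (NtTraceControl_t)GetProcAddress(GetModuleHandleW(ntdll), "NtTraceControl");
    if (!fn) return (NTSTATUS)0xC0000139;                   /* STATUS_ENTRYPOINT_NOT_FOUND */
    ULONG ret = 0;
    return fn(ETW_CTRL_QUERY_TRACE, out->props, out->size, out->props, out->size, &ret);
#else
    return (NTSTATUS)0xC0000002;                            /* STATUS_NOT_IMPLEMENTED */
#endif
}

/* The QueryAllTraces loop: every logger id is tried; ids without a session come
 * back as STATUS_WMI_INSTANCE_NOT_FOUND (0xC0000298) and are simply skipped. */
static int enumerate_sessions(void (*report)(ULONG id, const EVENT_TRACE_PROPERTIES *p))
{
    int found = 0;
    for (ULONG id = 0; id < MAXLOGGERS; id++) {
        trace_request r;
        if (query_trace_session(id, &r) >= 0) {
            found++;
            if (report) report(id, r.props);   /* LoggerNameOffset now points at the name */
        }
        free(r.props);
    }
    return found;
}
```

On Windows, pass enumerate_sessions a callback that reads the UTF-16 session name at (char *)p + p->LoggerNameOffset; the loop is what QueryAllTraces does, and note that MAXLOGGERS is 64, i.e. the 0x40 the question refers to. The two status codes in the question are the usual symptoms of a malformed request: STATUS_INVALID_PARAMETER (0xC000000D) when Wnode.BufferSize does not match InputBufferLength or the name offsets point past the buffer, and STATUS_ACCESS_VIOLATION (0xC0000005) when the output buffer is not writable for the full OutputBufferLength.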