среда, 28 марта 2012 г.

EtwEventRegister on w8 consumer preview

I described already organization of internal data structures for this function on vista/windows 7
Unfortunately on windows 8 consumer preview all was changed.
Now all registered items storing in red-black tree whose root placed in EtwpRegistrationTable

Some excerpts from ntdll.pdb:
struct _RTL_RB_TREE {
  struct _RTL_BALANCED_NODE* Root;
  struct _RTL_BALANCED_NODE* Min;
};
 

Node of this tree looks like
struct _RTL_BALANCED_NODE {
  struct _RTL_BALANCED_NODE* Left;
  struct _RTL_BALANCED_NODE* Right;
  unsigned long ParentValue;
};

As usually we can partially recover event registrations structure from function EtwpAllocateRegistration.I intentionally omitted unimportant details:
struct EtwRegEntry_w8cons
{
/* Win32 Win64 - offsets */
/*   0x0   0x0 */ struct _RTL_BALANCED_NODE Node;

/* Etw reg entry  */
/*   0xC  0x20 */ GUID  ProviderId;
/*  0x28  0x48 */ PVOID InternalCallback;
/*  0x2C  0x50 */ PVOID CallbackContext;
/*  0x34  0x5C */ WORD  Index;
/*  0x36  0x5E */ WORD  Type;
};

As before Type eq 3 if this item was allocated from function EtwEventRegister and 2 if from EtwRegisterTraceGuids[AW]
All operations on EtwpRegistrationTable must be synchronized with SRW lock EtwpProvLock
Sample of output on w8 64bit (deep-first traversing of tree was used):

Type 3 Index 2 InternalCB 000007FACF9F97A0 (C:\Windows\system32\RPCRT4.dll) Microsoft-Windows-RPC-Events
Type 3 Index 1 InternalCB 000007FACF9F97A0 (C:\Windows\system32\RPCRT4.dll) Microsoft-Windows-RPC
Type 3 Index 3 InternalCB 000007FACFA9A198 (C:\Windows\system32\RPCRT4.dll) Microsoft-Windows-Networking-Correlation

Комментариев нет:

Отправить комментарий