Fixes #3
Adds initial support for ETW probes, and adds a really simple example plugin that uses them. Let me know what you think!
Future Work
While this adds the initial support for the probe type, I think there's still some more interesting things to be done with ETW integration.
Unknown parameters / fields
Some of the function / structure fields have annoying placeholder names because I couldn't work out what they did, but I ended up not needing them. It'd be nice to get these working, especially the callback method parameters in case they're ever useful.
Filtering
Adding a provider to an ETW session allows you to optionally add filters of different types, e.g. on event ID. Currently these aren't supported, though I don't think it'd be too hard to add them, since it's done in the same call as the provider add.
Event decoding
While we can currently receive events, we cannot get the field names and values from them. In userspace this is done with the TDH library. For the kernel-loaded DLLs, we'd need to do some work to determine what's happening under the hood here, so we can import some functions and get this functionality. Without it, what the plugins can do is quite limited.
Publishing to ETW
As you said, this sounds a lot better than writing to a file, but I think it comes at the problem from the other end to this PR - it makes an event provider and writes to it. Would definitely need to look into this separately.