// Code generated by 'go generate'; DO NOT EDIT.
package etw
import (
"syscall"
"unsafe"
"golang.org/x/sys/windows"
)
// Blank reference to unsafe so the import above remains used even if a
// regenerated set of wrappers no longer needs unsafe.Pointer anywhere.
var _ unsafe.Pointer
// Do the interface allocations only once for common
// Errno values.
// errnoERROR_IO_PENDING is the Win32 ERROR_IO_PENDING status code; it is boxed
// once below so that returning it does not allocate an interface value per call.
const errnoERROR_IO_PENDING = 997

// Pre-boxed error values shared by errnoErr.
var (
	errERROR_IO_PENDING error = syscall.Errno(errnoERROR_IO_PENDING)
	errERROR_EINVAL     error = syscall.EINVAL
)

// errnoErr maps a raw Errno to a pre-allocated error value where one exists.
// A zero Errno is reported as EINVAL rather than nil, so it must only be
// consulted after a call has already been judged to have failed. Any other
// value is returned unchanged (and boxed on each call). None of the wrappers
// below currently route their return code through it.
func errnoErr(e syscall.Errno) error {
	if e == 0 {
		return errERROR_EINVAL
	}
	if e == errnoERROR_IO_PENDING {
		return errERROR_IO_PENDING
	}
	// TODO: extend with further common Windows error values once usage data
	// has been collected.
	return e
}
// Lazily loaded system DLLs and the procedures the wrappers below call.
// NewLazySystemDLL resolves a base name only from the Windows system
// directory, so these bindings are not subject to search-order hijacking
// from the working directory or PATH; each proc is resolved on first use.
var (
	modadvapi32 = windows.NewLazySystemDLL("advapi32.dll")
	modtdh = windows.NewLazySystemDLL("tdh.dll")
	// Trace session control (advapi32.dll).
	procControlTraceW = modadvapi32.NewProc("ControlTraceW")
	procEnableTraceEx2 = modadvapi32.NewProc("EnableTraceEx2")
	procProcessTrace = modadvapi32.NewProc("ProcessTrace")
	procStartTraceW = modadvapi32.NewProc("StartTraceW")
	procTraceQueryInformation = modadvapi32.NewProc("TraceQueryInformation")
	procTraceSetInformation = modadvapi32.NewProc("TraceSetInformation")
	// Trace data helper: payload filters, provider enumeration, event decoding (tdh.dll).
	procTdhAggregatePayloadFilters = modtdh.NewProc("TdhAggregatePayloadFilters")
	procTdhCleanupPayloadEventFilterDescriptor = modtdh.NewProc("TdhCleanupPayloadEventFilterDescriptor")
	procTdhCreatePayloadFilter = modtdh.NewProc("TdhCreatePayloadFilter")
	procTdhDeletePayloadFilter = modtdh.NewProc("TdhDeletePayloadFilter")
	procTdhEnumerateManifestProviderEvents = modtdh.NewProc("TdhEnumerateManifestProviderEvents")
	procTdhEnumerateProviderFieldInformation = modtdh.NewProc("TdhEnumerateProviderFieldInformation")
	procTdhEnumerateProviders = modtdh.NewProc("TdhEnumerateProviders")
	procTdhFormatProperty = modtdh.NewProc("TdhFormatProperty")
	procTdhGetEventInformation = modtdh.NewProc("TdhGetEventInformation")
	procTdhGetEventMapInformation = modtdh.NewProc("TdhGetEventMapInformation")
	procTdhGetProperty = modtdh.NewProc("TdhGetProperty")
	procTdhGetPropertySize = modtdh.NewProc("TdhGetPropertySize")
	procTdhQueryProviderFieldInformation = modtdh.NewProc("TdhQueryProviderFieldInformation")
)
// controlTrace_64 calls ControlTraceW through procControlTraceW with the
// session handle passed as a single 64-bit argument (controlTrace_32 is the
// sibling that splits it into two halves). A non-zero return code is surfaced
// as syscall.Errno; nil means the call reported success.
func controlTrace_64(sessionHandle uint64, instanceName *uint16, properties *eventTraceProperties, controlCode uint32) (ret error) {
	code, _, _ := syscall.Syscall6(procControlTraceW.Addr(), 4,
		uintptr(sessionHandle),
		uintptr(unsafe.Pointer(instanceName)),
		uintptr(unsafe.Pointer(properties)),
		uintptr(controlCode),
		0, 0)
	if code != 0 {
		return syscall.Errno(code)
	}
	return nil
}
// controlTrace_32 calls ControlTraceW through procControlTraceW with the
// 64-bit session handle supplied as two 32-bit halves (lower word first).
// A non-zero return code is surfaced as syscall.Errno; nil means success.
func controlTrace_32(sessionHandleLower uint32, sessionHandleHigher uint32, instanceName *uint16, properties *eventTraceProperties, controlCode uint32) (ret error) {
	code, _, _ := syscall.Syscall6(procControlTraceW.Addr(), 5,
		uintptr(sessionHandleLower),
		uintptr(sessionHandleHigher),
		uintptr(unsafe.Pointer(instanceName)),
		uintptr(unsafe.Pointer(properties)),
		uintptr(controlCode),
		0)
	if code != 0 {
		return syscall.Errno(code)
	}
	return nil
}
// enableTraceEx2_32 calls EnableTraceEx2 through procEnableTraceEx2 with the
// session handle and both keyword masks each passed as two 32-bit halves
// (lower word first). The wrapper performs no validation of enableParameters;
// a non-zero return code is surfaced as syscall.Errno and nil means success.
func enableTraceEx2_32(sessionHandleLower uint32, sessionHandleHigher uint32, providerGuid *windows.GUID, controlCode uint32, level TraceLevel, matchAnyKeywordLower uint32, matchAnyKeywordHigher uint32, matchAllKeywordLower uint32, matchAllKeywordHigher uint32, timeout uint32, enableParameters *enableTraceParameters) (ret error) {
	code, _, _ := syscall.Syscall12(procEnableTraceEx2.Addr(), 11,
		uintptr(sessionHandleLower),
		uintptr(sessionHandleHigher),
		uintptr(unsafe.Pointer(providerGuid)),
		uintptr(controlCode),
		uintptr(level),
		uintptr(matchAnyKeywordLower),
		uintptr(matchAnyKeywordHigher),
		uintptr(matchAllKeywordLower),
		uintptr(matchAllKeywordHigher),
		uintptr(timeout),
		uintptr(unsafe.Pointer(enableParameters)),
		0)
	if code != 0 {
		return syscall.Errno(code)
	}
	return nil
}
// enableTraceEx2_64 calls EnableTraceEx2 through procEnableTraceEx2 with the
// session handle and keyword masks each passed as one 64-bit argument
// (enableTraceEx2_32 is the split-argument sibling). A non-zero return code
// is surfaced as syscall.Errno; nil means success.
func enableTraceEx2_64(sessionHandle uint64, providerGuid *windows.GUID, controlCode uint32, level TraceLevel, matchAnyKeyword uint64, matchAllKeyword uint64, timeout uint32, enableParameters *enableTraceParameters) (ret error) {
	code, _, _ := syscall.Syscall9(procEnableTraceEx2.Addr(), 8,
		uintptr(sessionHandle),
		uintptr(unsafe.Pointer(providerGuid)),
		uintptr(controlCode),
		uintptr(level),
		uintptr(matchAnyKeyword),
		uintptr(matchAllKeyword),
		uintptr(timeout),
		uintptr(unsafe.Pointer(enableParameters)),
		0)
	if code != 0 {
		return syscall.Errno(code)
	}
	return nil
}
// processTrace calls ProcessTrace through procProcessTrace. handleCount is
// passed through unchecked, so the caller must ensure handleArray really
// holds that many handles. A non-zero return code is surfaced as
// syscall.Errno; nil means success.
func processTrace(handleArray *uint64, handleCount uint32, startTime *windows.Filetime, endTime *windows.Filetime) (ret error) {
	if code, _, _ := syscall.Syscall6(procProcessTrace.Addr(), 4,
		uintptr(unsafe.Pointer(handleArray)),
		uintptr(handleCount),
		uintptr(unsafe.Pointer(startTime)),
		uintptr(unsafe.Pointer(endTime)),
		0, 0); code != 0 {
		return syscall.Errno(code)
	}
	return nil
}
// startTrace calls StartTraceW through procStartTraceW. traceProperties is an
// opaque pointer handed to the API as-is, so the caller is responsible for
// its layout and lifetime. A non-zero return code is surfaced as
// syscall.Errno; nil means success.
func startTrace(sessionHandle *uint64, sessionName *uint16, traceProperties unsafe.Pointer) (ret error) {
	if code, _, _ := syscall.Syscall(procStartTraceW.Addr(), 3,
		uintptr(unsafe.Pointer(sessionHandle)),
		uintptr(unsafe.Pointer(sessionName)),
		uintptr(traceProperties)); code != 0 {
		return syscall.Errno(code)
	}
	return nil
}
// traceQueryInformation_32 calls TraceQueryInformation through
// procTraceQueryInformation with the session handle split into two 32-bit
// halves (lower word first). buffer/bufferSize are forwarded without
// validation, so the caller must keep them consistent. A non-zero return
// code is surfaced as syscall.Errno; nil means success.
func traceQueryInformation_32(sessionHandleLower uint32, sessionHandleHigher uint32, infoClass traceQueryInfoClass, buffer unsafe.Pointer, bufferSize uint32, returnLength *uint32) (ret error) {
	if code, _, _ := syscall.Syscall6(procTraceQueryInformation.Addr(), 6,
		uintptr(sessionHandleLower),
		uintptr(sessionHandleHigher),
		uintptr(infoClass),
		uintptr(buffer),
		uintptr(bufferSize),
		uintptr(unsafe.Pointer(returnLength))); code != 0 {
		return syscall.Errno(code)
	}
	return nil
}
// traceQueryInformation_64 calls TraceQueryInformation through
// procTraceQueryInformation with the session handle as one 64-bit argument.
// buffer/bufferSize are forwarded without validation. A non-zero return code
// is surfaced as syscall.Errno; nil means success.
func traceQueryInformation_64(sessionHandle uint64, infoClass traceQueryInfoClass, buffer unsafe.Pointer, bufferSize uint32, returnLength *uint32) (ret error) {
	if code, _, _ := syscall.Syscall6(procTraceQueryInformation.Addr(), 5,
		uintptr(sessionHandle),
		uintptr(infoClass),
		uintptr(buffer),
		uintptr(bufferSize),
		uintptr(unsafe.Pointer(returnLength)),
		0); code != 0 {
		return syscall.Errno(code)
	}
	return nil
}
// traceSetInformation_64 calls TraceSetInformation through
// procTraceSetInformation with the session handle as one 64-bit argument.
// buffer/bufferSize are forwarded without validation. A non-zero return code
// is surfaced as syscall.Errno; nil means success.
func traceSetInformation_64(sessionHandle uint64, infoClass traceQueryInfoClass, buffer unsafe.Pointer, bufferSize uint32) (ret error) {
	if code, _, _ := syscall.Syscall6(procTraceSetInformation.Addr(), 4,
		uintptr(sessionHandle),
		uintptr(infoClass),
		uintptr(buffer),
		uintptr(bufferSize),
		0, 0); code != 0 {
		return syscall.Errno(code)
	}
	return nil
}
// traceSetInformation_32 calls TraceSetInformation through
// procTraceSetInformation with the session handle split into two 32-bit
// halves (lower word first). buffer/bufferSize are forwarded without
// validation. A non-zero return code is surfaced as syscall.Errno; nil
// means success.
func traceSetInformation_32(sessionHandleLower uint32, sessionHandleHigher uint32, infoClass traceQueryInfoClass, buffer unsafe.Pointer, bufferSize uint32) (ret error) {
	if code, _, _ := syscall.Syscall6(procTraceSetInformation.Addr(), 5,
		uintptr(sessionHandleLower),
		uintptr(sessionHandleHigher),
		uintptr(infoClass),
		uintptr(buffer),
		uintptr(bufferSize),
		0); code != 0 {
		return syscall.Errno(code)
	}
	return nil
}
// aggregatePayloadFilters calls TdhAggregatePayloadFilters through
// procTdhAggregatePayloadFilters. payloadFilterCount is passed through
// unchecked, so payloadFilters and eventMatchAllFlags must hold at least that
// many entries. A non-zero return code is surfaced as syscall.Errno; nil
// means success.
func aggregatePayloadFilters(payloadFilterCount uint32, payloadFilters *uintptr, eventMatchAllFlags *uint32, filterDescriptor *eventFilterDescriptorC) (ret error) {
	code, _, _ := syscall.Syscall6(procTdhAggregatePayloadFilters.Addr(), 4,
		uintptr(payloadFilterCount),
		uintptr(unsafe.Pointer(payloadFilters)),
		uintptr(unsafe.Pointer(eventMatchAllFlags)),
		uintptr(unsafe.Pointer(filterDescriptor)),
		0, 0)
	if code != 0 {
		return syscall.Errno(code)
	}
	return nil
}
// cleanupPayloadEventFilterDescriptor calls
// TdhCleanupPayloadEventFilterDescriptor through
// procTdhCleanupPayloadEventFilterDescriptor for the given descriptor.
// A non-zero return code is surfaced as syscall.Errno; nil means success.
func cleanupPayloadEventFilterDescriptor(filterDescriptor *eventFilterDescriptorC) (ret error) {
	code, _, _ := syscall.Syscall(procTdhCleanupPayloadEventFilterDescriptor.Addr(), 1,
		uintptr(unsafe.Pointer(filterDescriptor)),
		0, 0)
	if code != 0 {
		return syscall.Errno(code)
	}
	return nil
}
// createPayloadFilter calls TdhCreatePayloadFilter through
// procTdhCreatePayloadFilter. eventMatchAny is marshalled as a 32-bit
// integer (1 for true, 0 for false). payloadPredicateCount is passed through
// unchecked, so payloadPredicates must hold at least that many entries.
// A non-zero return code is surfaced as syscall.Errno; nil means success.
func createPayloadFilter(providerGuid *windows.GUID, descriptor *EventDescriptor, eventMatchAny bool, payloadPredicateCount uint32, payloadPredicates *payloadFilterPredicate, payloadFilter *uintptr) (ret error) {
	matchAny := uint32(0)
	if eventMatchAny {
		matchAny = 1
	}
	code, _, _ := syscall.Syscall6(procTdhCreatePayloadFilter.Addr(), 6,
		uintptr(unsafe.Pointer(providerGuid)),
		uintptr(unsafe.Pointer(descriptor)),
		uintptr(matchAny),
		uintptr(payloadPredicateCount),
		uintptr(unsafe.Pointer(payloadPredicates)),
		uintptr(unsafe.Pointer(payloadFilter)))
	if code != 0 {
		return syscall.Errno(code)
	}
	return nil
}
// deletePayloadFilter calls TdhDeletePayloadFilter through
// procTdhDeletePayloadFilter for the filter handle pointed to by
// payloadFilter. A non-zero return code is surfaced as syscall.Errno; nil
// means success.
func deletePayloadFilter(payloadFilter *uintptr) (ret error) {
	if code, _, _ := syscall.Syscall(procTdhDeletePayloadFilter.Addr(), 1,
		uintptr(unsafe.Pointer(payloadFilter)),
		0, 0); code != 0 {
		return syscall.Errno(code)
	}
	return nil
}
// enumerateManifestProviderEvents calls TdhEnumerateManifestProviderEvents
// through procTdhEnumerateManifestProviderEvents. buffer and bufferSize are
// forwarded as given; the wrapper does not check that they agree. A non-zero
// return code is surfaced as syscall.Errno; nil means success.
func enumerateManifestProviderEvents(providerGuid *windows.GUID, buffer *providerEventInfo, bufferSize *uint32) (ret error) {
	if code, _, _ := syscall.Syscall(procTdhEnumerateManifestProviderEvents.Addr(), 3,
		uintptr(unsafe.Pointer(providerGuid)),
		uintptr(unsafe.Pointer(buffer)),
		uintptr(unsafe.Pointer(bufferSize))); code != 0 {
		return syscall.Errno(code)
	}
	return nil
}
// enumerateProviderFieldInformation calls TdhEnumerateProviderFieldInformation
// through procTdhEnumerateProviderFieldInformation. buffer and bufferSize are
// forwarded unchecked. A non-zero return code is surfaced as syscall.Errno;
// nil means success.
func enumerateProviderFieldInformation(guid *windows.GUID, fieldType EventFieldType, buffer *providerFieldInfoArray, bufferSize *uint32) (ret error) {
	code, _, _ := syscall.Syscall6(procTdhEnumerateProviderFieldInformation.Addr(), 4,
		uintptr(unsafe.Pointer(guid)),
		uintptr(fieldType),
		uintptr(unsafe.Pointer(buffer)),
		uintptr(unsafe.Pointer(bufferSize)),
		0, 0)
	if code != 0 {
		return syscall.Errno(code)
	}
	return nil
}
// enumerateProviders calls TdhEnumerateProviders through
// procTdhEnumerateProviders. buffer and bufferSize are forwarded unchecked.
// A non-zero return code is surfaced as syscall.Errno; nil means success.
func enumerateProviders(buffer *providerEnumerationInfo, bufferSize *uint32) (ret error) {
	if code, _, _ := syscall.Syscall(procTdhEnumerateProviders.Addr(), 2,
		uintptr(unsafe.Pointer(buffer)),
		uintptr(unsafe.Pointer(bufferSize)),
		0); code != 0 {
		return syscall.Errno(code)
	}
	return nil
}
// tdhFormatProperty calls TdhFormatProperty through procTdhFormatProperty.
// Every length (propertyLength, userDataLength, *bufferSize) is forwarded
// without validation against the corresponding pointer, so the caller must
// keep them consistent with the memory they describe. A non-zero return code
// is surfaced as syscall.Errno; nil means success.
func tdhFormatProperty(event *eventRecordC, mapInfo *uint8, pointerSize uint32, inType uint16, outType uint16, propertyLength uint16, userDataLength uint16, userData *uint8, bufferSize *uint32, buffer *uint8, userDataConsumed *uint16) (ret error) {
	code, _, _ := syscall.Syscall12(procTdhFormatProperty.Addr(), 11,
		uintptr(unsafe.Pointer(event)),
		uintptr(unsafe.Pointer(mapInfo)),
		uintptr(pointerSize),
		uintptr(inType),
		uintptr(outType),
		uintptr(propertyLength),
		uintptr(userDataLength),
		uintptr(unsafe.Pointer(userData)),
		uintptr(unsafe.Pointer(bufferSize)),
		uintptr(unsafe.Pointer(buffer)),
		uintptr(unsafe.Pointer(userDataConsumed)),
		0)
	if code != 0 {
		return syscall.Errno(code)
	}
	return nil
}
// tdhGetEventInformation calls TdhGetEventInformation through
// procTdhGetEventInformation. context is an opaque pointer passed as-is and
// contextCount/bufferSize are forwarded unchecked. A non-zero return code is
// surfaced as syscall.Errno; nil means success.
func tdhGetEventInformation(event *eventRecordC, contextCount uint32, context unsafe.Pointer, buffer *uint8, bufferSize *uint32) (ret error) {
	if code, _, _ := syscall.Syscall6(procTdhGetEventInformation.Addr(), 5,
		uintptr(unsafe.Pointer(event)),
		uintptr(contextCount),
		uintptr(context),
		uintptr(unsafe.Pointer(buffer)),
		uintptr(unsafe.Pointer(bufferSize)),
		0); code != 0 {
		return syscall.Errno(code)
	}
	return nil
}
// tdhGetEventMapInformation calls TdhGetEventMapInformation through
// procTdhGetEventMapInformation. buffer and bufferSize are forwarded
// unchecked. A non-zero return code is surfaced as syscall.Errno; nil means
// success.
func tdhGetEventMapInformation(event *eventRecordC, mapName *uint16, buffer *uint8, bufferSize *uint32) (ret error) {
	code, _, _ := syscall.Syscall6(procTdhGetEventMapInformation.Addr(), 4,
		uintptr(unsafe.Pointer(event)),
		uintptr(unsafe.Pointer(mapName)),
		uintptr(unsafe.Pointer(buffer)),
		uintptr(unsafe.Pointer(bufferSize)),
		0, 0)
	if code != 0 {
		return syscall.Errno(code)
	}
	return nil
}
// tdhGetProperty calls TdhGetProperty through procTdhGetProperty. context and
// buffer are opaque pointers passed as-is; propertyDataCount and bufferSize
// are forwarded without validation against the memory they describe. A
// non-zero return code is surfaced as syscall.Errno; nil means success.
func tdhGetProperty(event *eventRecordC, contextCount uint32, context unsafe.Pointer, propertyDataCount uint32, propertyData *propertyDataDescriptor, bufferSize uint32, buffer unsafe.Pointer) (ret error) {
	code, _, _ := syscall.Syscall9(procTdhGetProperty.Addr(), 7,
		uintptr(unsafe.Pointer(event)),
		uintptr(contextCount),
		uintptr(context),
		uintptr(propertyDataCount),
		uintptr(unsafe.Pointer(propertyData)),
		uintptr(bufferSize),
		uintptr(buffer),
		0, 0)
	if code != 0 {
		return syscall.Errno(code)
	}
	return nil
}
// tdhGetPropertySize calls TdhGetPropertySize through procTdhGetPropertySize.
// context is an opaque pointer passed as-is; contextCount and
// propertyDataCount are forwarded unchecked. A non-zero return code is
// surfaced as syscall.Errno; nil means success.
func tdhGetPropertySize(event *eventRecordC, contextCount uint32, context unsafe.Pointer, propertyDataCount uint32, propertyData *propertyDataDescriptor, propertySize *uint32) (ret error) {
	if code, _, _ := syscall.Syscall6(procTdhGetPropertySize.Addr(), 6,
		uintptr(unsafe.Pointer(event)),
		uintptr(contextCount),
		uintptr(context),
		uintptr(propertyDataCount),
		uintptr(unsafe.Pointer(propertyData)),
		uintptr(unsafe.Pointer(propertySize))); code != 0 {
		return syscall.Errno(code)
	}
	return nil
}
// queryProviderFieldInformation_64 calls TdhQueryProviderFieldInformation
// through procTdhQueryProviderFieldInformation with eventFieldValue passed as
// one 64-bit argument (queryProviderFieldInformation_32 splits it). buffer
// and bufferSize are forwarded unchecked. A non-zero return code is surfaced
// as syscall.Errno; nil means success.
func queryProviderFieldInformation_64(guid *windows.GUID, eventFieldValue uint64, eventFieldType EventFieldType, buffer *providerFieldInfoArray, bufferSize *uint32) (ret error) {
	code, _, _ := syscall.Syscall6(procTdhQueryProviderFieldInformation.Addr(), 5,
		uintptr(unsafe.Pointer(guid)),
		uintptr(eventFieldValue),
		uintptr(eventFieldType),
		uintptr(unsafe.Pointer(buffer)),
		uintptr(unsafe.Pointer(bufferSize)),
		0)
	if code != 0 {
		return syscall.Errno(code)
	}
	return nil
}
// queryProviderFieldInformation_32 calls TdhQueryProviderFieldInformation
// through procTdhQueryProviderFieldInformation with the 64-bit field value
// supplied as two 32-bit halves (lower word first). buffer and bufferSize
// are forwarded unchecked. A non-zero return code is surfaced as
// syscall.Errno; nil means success.
func queryProviderFieldInformation_32(guid *windows.GUID, eventFieldValueLower uint32, eventFieldValueHigher uint32, eventFieldType EventFieldType, buffer *providerFieldInfoArray, bufferSize *uint32) (ret error) {
	if code, _, _ := syscall.Syscall6(procTdhQueryProviderFieldInformation.Addr(), 6,
		uintptr(unsafe.Pointer(guid)),
		uintptr(eventFieldValueLower),
		uintptr(eventFieldValueHigher),
		uintptr(eventFieldType),
		uintptr(unsafe.Pointer(buffer)),
		uintptr(unsafe.Pointer(bufferSize))); code != 0 {
		return syscall.Errno(code)
	}
	return nil
}