// Licensed under the Apache License, Version 2.0
// <LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0> or the MIT license
// <LICENSE-MIT or http://opensource.org/licenses/MIT>, at your option.
// All files in the project carrying such notice may not be copied, modified, or distributed
// except according to those terms.
use shared::basetsd::{SIZE_T, ULONG64};
use shared::guiddef::{LPCGUID, LPGUID};
use shared::minwindef::{UCHAR, ULONG, USHORT};
use um::winnt::{ANYSIZE_ARRAY, BOOLEAN, PCWSTR, PVOID, ULONGLONG, VOID};
// Bounds of the one-byte event `Level` value used by `EVENT_DESCRIPTOR` and the enable callback.
pub const EVENT_MIN_LEVEL: UCHAR = 0;
pub const EVENT_MAX_LEVEL: UCHAR = 0xff;
// Control codes; presumably the values accepted as `ControlCode` by `EventActivityIdControl`
// (same ULONG type) -- confirm against evntprov.h.
pub const EVENT_ACTIVITY_CTRL_GET_ID: ULONG = 1;
pub const EVENT_ACTIVITY_CTRL_SET_ID: ULONG = 2;
pub const EVENT_ACTIVITY_CTRL_CREATE_ID: ULONG = 3;
pub const EVENT_ACTIVITY_CTRL_GET_SET_ID: ULONG = 4;
pub const EVENT_ACTIVITY_CTRL_CREATE_SET_ID: ULONG = 5;
// Size and count limits. Nothing in this file enforces them; a caller that builds descriptor
// arrays or filter buffers has to check its own lengths against these before calling into the
// API. NOTE(review): presumably MAX_EVENT_DATA_DESCRIPTORS bounds `UserDataCount` -- confirm.
pub const MAX_EVENT_DATA_DESCRIPTORS: SIZE_T = 128;
pub const MAX_EVENT_FILTER_DATA_SIZE: SIZE_T = 1024;
pub const MAX_EVENT_FILTER_PAYLOAD_SIZE: SIZE_T = 4096;
pub const MAX_EVENT_FILTER_EVENT_NAME_SIZE: SIZE_T = 4096;
pub const MAX_EVENT_FILTERS_COUNT: SIZE_T = 8;
pub const MAX_EVENT_FILTER_PID_COUNT: SIZE_T = 8;
pub const MAX_EVENT_FILTER_EVENT_ID_COUNT: SIZE_T = 64;
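// Values for `EVENT_FILTER_DESCRIPTOR::Type`. Every value except `NONE` has the top bit
// (0x80000000) set; the low bits are distinct per filter kind, so two kinds must never share
// a value or a consumer comparing `Type` cannot tell them apart.
pub const EVENT_FILTER_TYPE_NONE: ULONG = 0x00000000;
pub const EVENT_FILTER_TYPE_SCHEMATIZED: ULONG = 0x80000000;
pub const EVENT_FILTER_TYPE_SYSTEM_FLAGS: ULONG = 0x80000001;
pub const EVENT_FILTER_TYPE_TRACEHANDLE: ULONG = 0x80000002;
pub const EVENT_FILTER_TYPE_PID: ULONG = 0x80000004;
pub const EVENT_FILTER_TYPE_EXECUTABLE_NAME: ULONG = 0x80000008;
pub const EVENT_FILTER_TYPE_PACKAGE_ID: ULONG = 0x80000010;
pub const EVENT_FILTER_TYPE_PACKAGE_APP_ID: ULONG = 0x80000020;
pub const EVENT_FILTER_TYPE_PAYLOAD: ULONG = 0x80000100;
pub const EVENT_FILTER_TYPE_EVENT_ID: ULONG = 0x80000200;
pub const EVENT_FILTER_TYPE_EVENT_NAME: ULONG = 0x80000400;
pub const EVENT_FILTER_TYPE_STACKWALK: ULONG = 0x80001000;
// evntprov.h defines this as 0x80002000. The value 0x80001000 duplicated
// EVENT_FILTER_TYPE_STACKWALK, which made a stack-walk-by-name filter indistinguishable from a
// stack-walk-by-event-id filter.
pub const EVENT_FILTER_TYPE_STACKWALK_NAME: ULONG = 0x80002000;
pub const EVENT_FILTER_TYPE_STACKWALK_LEVEL_KW: ULONG = 0x80004000;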
// One-byte tags; presumably the values stored in `EVENT_DATA_DESCRIPTOR_u_s::Type`
// (same UCHAR type) -- confirm against evntprov.h.
pub const EVENT_DATA_DESCRIPTOR_TYPE_NONE: UCHAR = 0;
pub const EVENT_DATA_DESCRIPTOR_TYPE_EVENT_METADATA: UCHAR = 1;
pub const EVENT_DATA_DESCRIPTOR_TYPE_PROVIDER_METADATA: UCHAR = 2;
pub const EVENT_DATA_DESCRIPTOR_TYPE_TIMESTAMP_OVERRIDE: UCHAR = 3;
// Bit flags; presumably for the `Flags` argument of `EventWriteEx` (same ULONG type) -- confirm.
pub const EVENT_WRITE_FLAG_NO_FAULTING: ULONG = 0x00000001;
pub const EVENT_WRITE_FLAG_INPRIVATE: ULONG = 0x00000002;
/// Provider registration handle: a plain 64-bit integer, not a pointer type.
/// `EventRegister` writes one through a `PREGHANDLE`; the other functions take it by value.
pub type REGHANDLE = ULONGLONG;
/// Mutable pointer to a [`REGHANDLE`], used as the out-parameter of `EventRegister`.
pub type PREGHANDLE = *mut REGHANDLE;
// Structured view of the 32-bit trailer of EVENT_DATA_DESCRIPTOR: a one-byte type tag followed
// by three reserved bytes.
STRUCT!{struct EVENT_DATA_DESCRIPTOR_u_s {
    Type: UCHAR,
    Reserved1: UCHAR,
    Reserved2: USHORT,
}}
// The trailer as a union over one u32 of storage: either the whole word (`Reserved`) or the
// tagged view (`s`). Writing 0 through `Reserved_mut()` therefore also clears `s.Type`.
UNION!{union EVENT_DATA_DESCRIPTOR_u {
    [u32; 1],
    Reserved Reserved_mut: ULONG,
    s s_mut: EVENT_DATA_DESCRIPTOR_u_s,
}}
// Describes one chunk of event payload. `Ptr` carries an address as a 64-bit integer, so the
// type system tracks neither its validity nor its lifetime.
// NOTE(review): presumably the memory at `Ptr` must stay readable for `Size` bytes until the
// write call that consumes the descriptor returns -- confirm against the SDK documentation.
STRUCT!{struct EVENT_DATA_DESCRIPTOR {
    Ptr: ULONGLONG,
    Size: ULONG,
    u: EVENT_DATA_DESCRIPTOR_u,
}}
pub type PEVENT_DATA_DESCRIPTOR = *mut EVENT_DATA_DESCRIPTOR;
// Identity and classification of an event. The field widths add up to 16 bytes
// (2 + 1 + 1 + 1 + 1 + 2 + 8), the size that `EventDescZero` relies on.
// Field order is part of the C ABI: `Opcode` precedes `Task` here.
STRUCT!{struct EVENT_DESCRIPTOR {
    Id: USHORT,
    Version: UCHAR,
    Channel: UCHAR,
    Level: UCHAR,
    Opcode: UCHAR,
    Task: USHORT,
    Keyword: ULONGLONG,
}}
// Mutable and const raw-pointer aliases; the inline helpers below dereference these unchecked.
pub type PEVENT_DESCRIPTOR = *mut EVENT_DESCRIPTOR;
pub type PCEVENT_DESCRIPTOR = *const EVENT_DESCRIPTOR;
// Describes a filter blob: an address held as a 64-bit integer, a byte size, and a type tag
// (presumably one of the EVENT_FILTER_TYPE_* constants -- confirm).
// A provider callback receives this through `PENABLECALLBACK::FilterData`; code that reads the
// blob should bound every access by `Size` rather than trusting the layout implied by `Type`.
STRUCT!{struct EVENT_FILTER_DESCRIPTOR {
    Ptr: ULONGLONG,
    Size: ULONG,
    Type: ULONG,
}}
pub type PEVENT_FILTER_DESCRIPTOR = *mut EVENT_FILTER_DESCRIPTOR;
// Header of a filter blob.
// NOTE(review): `NextOffset` looks like a byte offset to a following header; anything walking
// such a chain should check the offset against the enclosing buffer size -- confirm semantics
// against the SDK documentation.
STRUCT!{struct EVENT_FILTER_HEADER {
    Id: USHORT,
    Version: UCHAR,
    Reserved: [UCHAR; 5],
    InstanceId: ULONGLONG,
    Size: ULONG,
    NextOffset: ULONG,
}}
pub type PEVENT_FILTER_HEADER = *mut EVENT_FILTER_HEADER;
// Event-id filter with a C-style trailing array: the Rust type declares only ANYSIZE_ARRAY
// elements in `Events`, so any further ids live past the end of the declared struct and can
// only be reached through raw-pointer arithmetic.
// NOTE(review): presumably `Count` is the number of ids actually present; code reading them
// should check `Count` against the size of the buffer that holds the struct -- confirm.
STRUCT!{struct EVENT_FILTER_EVENT_ID {
    FilterIn: BOOLEAN,
    Reserved: UCHAR,
    Count: USHORT,
    Events: [USHORT; ANYSIZE_ARRAY],
}}
pub type PEVENT_FILTER_EVENT_ID = *mut EVENT_FILTER_EVENT_ID;
// Event-name filter. `Names` is a C-style trailing byte array: only ANYSIZE_ARRAY bytes are
// part of the declared Rust type, the rest follows the struct in memory.
// NOTE(review): presumably `NameCount` counts names packed into `Names`; a reader must bound
// its scan by the size of the enclosing buffer, not by the declared array length -- confirm.
STRUCT!{struct EVENT_FILTER_EVENT_NAME {
    MatchAnyKeyword: ULONGLONG,
    MatchAllKeyword: ULONGLONG,
    Level: UCHAR,
    FilterIn: BOOLEAN,
    NameCount: USHORT,
    Names: [UCHAR; ANYSIZE_ARRAY],
}}
pub type PEVENT_FILTER_EVENT_NAME = *mut EVENT_FILTER_EVENT_NAME;
// Level/keyword filter: the same leading four fields as EVENT_FILTER_EVENT_NAME, without the
// name count and trailing name bytes.
STRUCT!{struct EVENT_FILTER_LEVEL_KW {
    MatchAnyKeyword: ULONGLONG,
    MatchAllKeyword: ULONGLONG,
    Level: UCHAR,
    FilterIn: BOOLEAN,
}}
// Selector passed as `InformationClass` to `EventSetInformation`. Variant order fixes the
// numeric values, so entries must not be reordered.
// NOTE(review): `MaxEventInfo` looks like an end-of-range sentinel rather than a usable class
// -- confirm.
ENUM!{enum EVENT_INFO_CLASS {
    EventProviderBinaryTrackInfo,
    EventProviderSetReserved1,
    EventProviderSetTraits,
    EventProviderUseDescriptorType,
    MaxEventInfo,
}}
// Signature of the enable/disable notification callback handed to `EventRegister`, using the
// stdcall convention.
// `FilterData` and `CallbackContext` arrive as raw pointers: an implementation should
// null-check `FilterData` and bound any read of the filter blob by its `Size` field.
// NOTE(review): presumably the callback can run on a thread other than the registering one, so
// whatever `CallbackContext` points at needs to be safe to touch concurrently -- confirm.
FN!{stdcall PENABLECALLBACK(
    SourceId: LPCGUID,
    IsEnabled: ULONG,
    Level: UCHAR,
    MatchAnyKeyword: ULONGLONG,
    MatchAllKeyword: ULONGLONG,
    FilterData: PEVENT_FILTER_DESCRIPTOR,
    CallbackContext: PVOID,
) -> ()}
// Raw FFI declarations for the event provider API. Every function here is unsafe to call: the
// pointer arguments are not validated on the Rust side, and the ULONG results are returned
// as-is (presumably Win32 error codes with 0 meaning success -- confirm). Callers that depend
// on an event actually being recorded should inspect the return value instead of discarding it.
extern "system" {
    /// Registers a provider and writes the resulting handle through `RegHandle`.
    ///
    /// `CallbackContext` is passed back to `EnableCallback` verbatim.
    /// NOTE(review): presumably it must stay valid until `EventUnregister` returns -- confirm.
    pub fn EventRegister(
        ProviderId: LPCGUID,
        EnableCallback: PENABLECALLBACK,
        CallbackContext: PVOID,
        RegHandle: PREGHANDLE,
    ) -> ULONG;
    /// Releases a registration handle.
    ///
    /// NOTE(review): presumably required before the module that owns the enable callback is
    /// unloaded, since the callback pointer would otherwise dangle -- confirm.
    pub fn EventUnregister(
        RegHandle: REGHANDLE,
    ) -> ULONG;
    /// Sets provider information selected by `InformationClass`; `InformationLength` is the
    /// byte length of the buffer at `EventInformation` and is supplied by the caller.
    pub fn EventSetInformation(
        RegHandle: REGHANDLE,
        InformationClass: EVENT_INFO_CLASS,
        EventInformation: PVOID,
        InformationLength: ULONG,
    ) -> ULONG;
    /// Queries whether the event described by `EventDescriptor` is enabled for this handle.
    pub fn EventEnabled(
        RegHandle: REGHANDLE,
        EventDescriptor: PCEVENT_DESCRIPTOR,
    ) -> BOOLEAN;
    /// Queries whether the provider is enabled for the given level and keyword mask.
    pub fn EventProviderEnabled(
        RegHandle: REGHANDLE,
        Level: UCHAR,
        Keyword: ULONGLONG,
    ) -> BOOLEAN;
    /// Writes an event with `UserDataCount` payload descriptors starting at `UserData`.
    ///
    /// The count is trusted: it must not exceed the number of descriptors actually present at
    /// `UserData`, and each descriptor's `Ptr`/`Size` must describe readable memory.
    pub fn EventWrite(
        RegHandle: REGHANDLE,
        EventDescriptor: PCEVENT_DESCRIPTOR,
        UserDataCount: ULONG,
        UserData: PEVENT_DATA_DESCRIPTOR,
    ) -> ULONG;
    /// Like `EventWrite`, with two additional activity-id GUID pointers.
    pub fn EventWriteTransfer(
        RegHandle: REGHANDLE,
        EventDescriptor: PCEVENT_DESCRIPTOR,
        ActivityId: LPCGUID,
        RelatedActivityId: LPCGUID,
        UserDataCount: ULONG,
        UserData: PEVENT_DATA_DESCRIPTOR,
    ) -> ULONG;
    /// Like `EventWriteTransfer`, with an additional 64-bit `Filter` and a `Flags` word
    /// (presumably built from the EVENT_WRITE_FLAG_* constants -- confirm).
    pub fn EventWriteEx(
        RegHandle: REGHANDLE,
        EventDescriptor: PCEVENT_DESCRIPTOR,
        Filter: ULONG64,
        Flags: ULONG,
        ActivityId: LPCGUID,
        RelatedActivityId: LPCGUID,
        UserDataCount: ULONG,
        UserData: PEVENT_DATA_DESCRIPTOR,
    ) -> ULONG;
    /// Writes an event whose payload is the wide string at `EventString`.
    ///
    /// No length is passed, so the string presumably has to be NUL-terminated -- confirm.
    pub fn EventWriteString(
        RegHandle: REGHANDLE,
        Level: UCHAR,
        Keyword: ULONGLONG,
        EventString: PCWSTR,
    ) -> ULONG;
    /// Gets, sets or creates an activity id depending on `ControlCode`; `ActivityId` is a
    /// mutable GUID pointer that the call may read and/or write.
    pub fn EventActivityIdControl(
        ControlCode: ULONG,
        ActivityId: LPGUID,
    ) -> ULONG;
}
/// Fills in a data descriptor so that it refers to `DataSize` bytes at `DataPtr`.
///
/// Only the address is stored (as a 64-bit integer); no data is copied, so the memory at
/// `DataPtr` has to outlive every use of the descriptor.
///
/// # Safety
/// `EventDataDescriptor` must be non-null, properly aligned and valid for writes of one
/// `EVENT_DATA_DESCRIPTOR`; it is dereferenced without any check. `DataPtr` itself is not
/// dereferenced here.
#[inline]
pub unsafe fn EventDataDescCreate(
    EventDataDescriptor: PEVENT_DATA_DESCRIPTOR,
    DataPtr: *const VOID,
    DataSize: ULONG,
) {
    (*EventDataDescriptor).Ptr = DataPtr as ULONGLONG;
    (*EventDataDescriptor).Size = DataSize;
    // Zeroing the whole union word also clears the `s.Type` tag and both reserved fields.
    *(*EventDataDescriptor).u.Reserved_mut() = 0;
}
/// Assigns all seven fields of the descriptor behind `EventDescriptor`.
///
/// Note the argument order: `Task` comes before `Opcode` here, while the struct declares
/// `Opcode` before `Task`. The two have different widths (USHORT vs UCHAR), so a swapped call
/// does not compile silently only when the value does not fit.
///
/// # Safety
/// `EventDescriptor` must be non-null, properly aligned and valid for writes of one
/// `EVENT_DESCRIPTOR`; it is dereferenced without any check.
#[inline]
pub unsafe fn EventDescCreate(
    EventDescriptor: PEVENT_DESCRIPTOR,
    Id: USHORT,
    Version: UCHAR,
    Channel: UCHAR,
    Level: UCHAR,
    Task: USHORT,
    Opcode: UCHAR,
    Keyword: ULONGLONG,
) {
    (*EventDescriptor).Id = Id;
    (*EventDescriptor).Version = Version;
    (*EventDescriptor).Channel = Channel;
    (*EventDescriptor).Level = Level;
    (*EventDescriptor).Task = Task;
    (*EventDescriptor).Opcode = Opcode;
    (*EventDescriptor).Keyword = Keyword;
}
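/// Zero-fills the single `EVENT_DESCRIPTOR` behind `EventDescriptor`.
///
/// # Safety
/// `EventDescriptor` must be non-null, properly aligned and valid for writes of one
/// `EVENT_DESCRIPTOR`; it is passed to `write_bytes` without any check.
#[inline]
pub unsafe fn EventDescZero(EventDescriptor: PEVENT_DESCRIPTOR) {
    use core::ptr::write_bytes;
    // `write_bytes::<T>` takes its count in units of `T`, not in bytes. A count of 16 on a
    // `*mut EVENT_DESCRIPTOR` zeroed sixteen descriptors (256 bytes for a 16-byte struct) and
    // so wrote 240 bytes past the end of the caller's descriptor. One element is exactly the
    // struct.
    write_bytes(EventDescriptor, 0, 1);
}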
/// Returns the `Id` field of the descriptor behind `EventDescriptor`.
///
/// # Safety
/// `EventDescriptor` must be non-null, properly aligned and point to an initialized
/// `EVENT_DESCRIPTOR`; it is dereferenced without any check.
#[inline]
pub unsafe fn EventDescGetId(EventDescriptor: PCEVENT_DESCRIPTOR) -> USHORT {
    (*EventDescriptor).Id
}
/// Returns the `Version` field of the descriptor behind `EventDescriptor`.
///
/// # Safety
/// `EventDescriptor` must be non-null, properly aligned and point to an initialized
/// `EVENT_DESCRIPTOR`; it is dereferenced without any check.
#[inline]
pub unsafe fn EventDescGetVersion(EventDescriptor: PCEVENT_DESCRIPTOR) -> UCHAR {
    (*EventDescriptor).Version
}
/// Returns the `Task` field of the descriptor behind `EventDescriptor`.
///
/// # Safety
/// `EventDescriptor` must be non-null, properly aligned and point to an initialized
/// `EVENT_DESCRIPTOR`; it is dereferenced without any check.
#[inline]
pub unsafe fn EventDescGetTask(EventDescriptor: PCEVENT_DESCRIPTOR) -> USHORT {
    (*EventDescriptor).Task
}
/// Returns the `Opcode` field of the descriptor behind `EventDescriptor`.
///
/// # Safety
/// `EventDescriptor` must be non-null, properly aligned and point to an initialized
/// `EVENT_DESCRIPTOR`; it is dereferenced without any check.
#[inline]
pub unsafe fn EventDescGetOpcode(EventDescriptor: PCEVENT_DESCRIPTOR) -> UCHAR {
    (*EventDescriptor).Opcode
}
/// Returns the `Channel` field of the descriptor behind `EventDescriptor`.
///
/// # Safety
/// `EventDescriptor` must be non-null, properly aligned and point to an initialized
/// `EVENT_DESCRIPTOR`; it is dereferenced without any check.
#[inline]
pub unsafe fn EventDescGetChannel(EventDescriptor: PCEVENT_DESCRIPTOR) -> UCHAR {
    (*EventDescriptor).Channel
}
/// Returns the `Level` field of the descriptor behind `EventDescriptor`.
///
/// # Safety
/// `EventDescriptor` must be non-null, properly aligned and point to an initialized
/// `EVENT_DESCRIPTOR`; it is dereferenced without any check.
#[inline]
pub unsafe fn EventDescGetLevel(EventDescriptor: PCEVENT_DESCRIPTOR) -> UCHAR {
    (*EventDescriptor).Level
}
/// Returns the 64-bit `Keyword` mask of the descriptor behind `EventDescriptor`.
///
/// # Safety
/// `EventDescriptor` must be non-null, properly aligned and point to an initialized
/// `EVENT_DESCRIPTOR`; it is dereferenced without any check.
#[inline]
pub unsafe fn EventDescGetKeyword(EventDescriptor: PCEVENT_DESCRIPTOR) -> ULONGLONG {
    (*EventDescriptor).Keyword
}
/// Stores `Id` into the descriptor and returns the same pointer, so setters can be chained.
///
/// # Safety
/// `EventDescriptor` must be non-null, properly aligned and valid for writes of one
/// `EVENT_DESCRIPTOR`; it is dereferenced without any check.
#[inline]
pub unsafe fn EventDescSetId(EventDescriptor: PEVENT_DESCRIPTOR, Id: USHORT) -> PEVENT_DESCRIPTOR {
    (*EventDescriptor).Id = Id;
    EventDescriptor
}
/// Stores `Version` into the descriptor and returns the same pointer, so setters can be chained.
///
/// # Safety
/// `EventDescriptor` must be non-null, properly aligned and valid for writes of one
/// `EVENT_DESCRIPTOR`; it is dereferenced without any check.
#[inline]
pub unsafe fn EventDescSetVersion(
    EventDescriptor: PEVENT_DESCRIPTOR,
    Version: UCHAR,
) -> PEVENT_DESCRIPTOR {
    (*EventDescriptor).Version = Version;
    EventDescriptor
}
/// Stores `Task` into the descriptor and returns the same pointer, so setters can be chained.
///
/// # Safety
/// `EventDescriptor` must be non-null, properly aligned and valid for writes of one
/// `EVENT_DESCRIPTOR`; it is dereferenced without any check.
#[inline]
pub unsafe fn EventDescSetTask(
    EventDescriptor: PEVENT_DESCRIPTOR,
    Task: USHORT,
) -> PEVENT_DESCRIPTOR {
    (*EventDescriptor).Task = Task;
    EventDescriptor
}
/// Stores `Opcode` into the descriptor and returns the same pointer, so setters can be chained.
///
/// # Safety
/// `EventDescriptor` must be non-null, properly aligned and valid for writes of one
/// `EVENT_DESCRIPTOR`; it is dereferenced without any check.
#[inline]
pub unsafe fn EventDescSetOpcode(
    EventDescriptor: PEVENT_DESCRIPTOR,
    Opcode: UCHAR,
) -> PEVENT_DESCRIPTOR {
    (*EventDescriptor).Opcode = Opcode;
    EventDescriptor
}
/// Stores `Level` into the descriptor and returns the same pointer, so setters can be chained.
///
/// # Safety
/// `EventDescriptor` must be non-null, properly aligned and valid for writes of one
/// `EVENT_DESCRIPTOR`; it is dereferenced without any check.
#[inline]
pub unsafe fn EventDescSetLevel(
    EventDescriptor: PEVENT_DESCRIPTOR,
    Level: UCHAR,
) -> PEVENT_DESCRIPTOR {
    (*EventDescriptor).Level = Level;
    EventDescriptor
}
/// Stores `Channel` into the descriptor and returns the same pointer, so setters can be chained.
///
/// # Safety
/// `EventDescriptor` must be non-null, properly aligned and valid for writes of one
/// `EVENT_DESCRIPTOR`; it is dereferenced without any check.
#[inline]
pub unsafe fn EventDescSetChannel(
    EventDescriptor: PEVENT_DESCRIPTOR,
    Channel: UCHAR,
) -> PEVENT_DESCRIPTOR {
    (*EventDescriptor).Channel = Channel;
    EventDescriptor
}
/// Overwrites the whole `Keyword` mask and returns the same pointer, so setters can be chained.
///
/// Use `EventDescOrKeyword` to add bits while keeping the ones already set.
///
/// # Safety
/// `EventDescriptor` must be non-null, properly aligned and valid for writes of one
/// `EVENT_DESCRIPTOR`; it is dereferenced without any check.
#[inline]
pub unsafe fn EventDescSetKeyword(
    EventDescriptor: PEVENT_DESCRIPTOR,
    Keyword: ULONGLONG,
) -> PEVENT_DESCRIPTOR {
    (*EventDescriptor).Keyword = Keyword;
    EventDescriptor
}
/// ORs the bits of `Keyword` into the descriptor's existing mask and returns the same pointer.
///
/// Unlike the other setters this one reads the current value first, so the descriptor must
/// already be initialized.
///
/// # Safety
/// `EventDescriptor` must be non-null, properly aligned and point to an initialized
/// `EVENT_DESCRIPTOR` that is valid for writes; it is dereferenced without any check.
#[inline]
pub unsafe fn EventDescOrKeyword(
    EventDescriptor: PEVENT_DESCRIPTOR,
    Keyword: ULONGLONG,
) -> PEVENT_DESCRIPTOR {
    (*EventDescriptor).Keyword |= Keyword;
    EventDescriptor
}