void DumpEvents(LendaEvent* Event1,LendaEvent* Event2){ cout<<"Event1:"<<endl; DumpEvent(Event1); cout<<"\n\nEvent2"<<endl; DumpEvent(Event2); }
VOID WINAPI EventCallback( __in PEVENT_RECORD Event ) /*++ Routine Description: This routine is called by ProcessTrace() for every event in the ETL file. It receives an EVENT_RECORD parameter, which contains the events header and the event payload. Arguments: Event - Supplies the structure that represents an Event. Return Value: None. --*/ { PPROCESSING_CONTEXT LogContext = (PPROCESSING_CONTEXT)Event->UserContext; if ((Event->EventHeader.ProviderId == EventTraceGuid) && (Event->EventHeader.EventDescriptor.Opcode == EVENT_TRACE_TYPE_INFO)) { // // First event in every file is a header event, some information // from which is needed to correctly decode subsequent events. // // N.B. This event is not available if consuming events in real-time mode. // PTRACE_LOGFILE_HEADER LogHeader = (PTRACE_LOGFILE_HEADER)Event->UserData; if (LogHeader != NULL) { LogContext->TimerResolution = LogHeader->TimerResolution; LogContext->PointerSize = LogHeader->PointerSize; LogContext->IsPrivateLogger = (BOOLEAN)(LogHeader->LogFileMode & EVENT_TRACE_PRIVATE_LOGGER_MODE); } return; } if ((Event->EventHeader.Flags & EVENT_HEADER_FLAG_TRACE_MESSAGE) != 0) { // // Ignore WPP events. // return; } DumpEvent(Event, LogContext); LogContext->EventCount += 1; }
int _cdecl main( int argc, char *argv[] ) { BOOL fShowUsage; PCHAR s, s1; ULONG ProcessId; HANDLE Process, ThreadToResume; OBJECT_ATTRIBUTES ObjectAttributes; UNICODE_STRING Unicode; NTSTATUS Status; PRTL_EVENT_LOG EventLog; PRTL_EVENT Event; PRTL_EVENT_ID_INFO EventId; STARTUPINFO StartupInfo; PROCESS_INFORMATION ProcessInformation; PCHAR CommandLine; ULONG EventLogFlags; ULONG EventClassMask; ULONG ProcessCreateFlags; InitializeSymbolPathEnvVar(); VerboseFlag = FALSE; EventClassMask = 0xFFFFFFFF; CommandLine = NULL; ProcessId = 0xFFFFFFFF; fShowUsage = FALSE; ProcessCreateFlags = CREATE_SUSPENDED; while (--argc) { s = *++argv; if (*s == '-' || *s == '/') { while (*++s) { switch( toupper( *s ) ) { case 'M': if (--argc) { s1 = *++argv; if (isalpha( *s1 )) { EventClassMask = 0; while (*s1) { switch( toupper( *s1 ) ) { case 'H': if (isdigit( s1[1] )) { while (isdigit( *++s1 )) { switch (*s1) { case '0': EventClassMask |= RTL_EVENT_CLASS_PROCESS_HEAP ; break; case '1': EventClassMask |= RTL_EVENT_CLASS_PRIVATE_HEAP ; break; case '2': EventClassMask |= RTL_EVENT_CLASS_KERNEL_HEAP ; break; case '3': EventClassMask |= RTL_EVENT_CLASS_GDI_HEAP ; break; case '4': EventClassMask |= RTL_EVENT_CLASS_USER_HEAP ; break; case '5': EventClassMask |= RTL_EVENT_CLASS_CONSOLE_HEAP ; break; case '6': EventClassMask |= RTL_EVENT_CLASS_DESKTOP_HEAP ; break; case '7': EventClassMask |= RTL_EVENT_CLASS_CSR_SHARED_HEAP; break; default: fprintf( stderr, "RESMON: Invalid heap class digit '%c' flag.\n", *s1 ); fShowUsage = TRUE; break; } } s1 -= 1; } else { EventClassMask |= RTL_EVENT_CLASS_HEAP_ALL; } break; case 'O': EventClassMask |= RTL_EVENT_CLASS_OB; break; case 'F': EventClassMask |= RTL_EVENT_CLASS_IO; break; case 'V': EventClassMask |= RTL_EVENT_CLASS_VM; break; case 'P': EventClassMask |= RTL_EVENT_CLASS_PAGE_FAULT; break; case 'T': EventClassMask |= RTL_EVENT_CLASS_TRANSITION_FAULT; break; default: fprintf( stderr, "RESMON: Invalid event class letter '%c' flag.\n", *s1 ); fShowUsage = TRUE; break; } s1 += 1; } } else { Status = RtlCharToInteger( s1, 16, &EventClassMask ); } } else { fprintf( stderr, "RESMON: Missing process id of -%c flag.\n", *s ); fShowUsage = TRUE; } break; case 'P': if (--argc) { s1 = *++argv; ProcessId = atoi( s1 ); } else { fprintf( stderr, "RESMON: Missing process id of -%c flag.\n", *s ); fShowUsage = TRUE; } break; case 'O': EventLogFlags |= RTL_EVENT_LOG_INHERIT; break; case '2': ProcessCreateFlags |= CREATE_NEW_CONSOLE; break; case 'V': VerboseFlag = TRUE; break; case '?': case 'H': fShowUsage = TRUE; break; default: fprintf( stderr, "RESMON: Invalid flag - '%c'\n", *s ); fShowUsage = TRUE; break; } } } else if (fShowUsage) { break; } else if (CommandLine != NULL) { fShowUsage = TRUE; break; } else { CommandLine = s; } } if (fShowUsage) { fprintf( stderr, "usage: RESMON [-h] [-o] [-m EventMask] [-p ProcessId | Command]\n" ); fprintf( stderr, "where: -h - displays this help message.\n" ); fprintf( stderr, " -o - monitor all sub-processes too.\n" ); fprintf( stderr, " -m EventMask - specifies which events to monitor.\n" ); fprintf( stderr, " Default is all events. EventMask\n" ); fprintf( stderr, " consists of one or more letters\n" ); fprintf( stderr, " which stand for the following:\n" ); fprintf( stderr, " H[n] - heap events.\n" ); fprintf( stderr, " 0 - process heap.\n" ); fprintf( stderr, " 1 - private heap.\n" ); fprintf( stderr, " 2 - CSRSS heap.\n" ); fprintf( stderr, " 3 - CSR Port heap.\n" ); fprintf( stderr, " F - file events.\n" ); fprintf( stderr, " O - object events.\n" ); fprintf( stderr, " V - virtual memory events.\n" ); fprintf( stderr, " P - page faults.\n" ); fprintf( stderr, " -p ProcessId - specifies which process to monitor.\n" ); fprintf( stderr, " Default is -1 which is the Windows\n" ); fprintf( stderr, " SubSystem process.\n" ); fprintf( stderr, " Command - if -p is not specified then a command to\n" ); fprintf( stderr, " execute may be specified in quotes.\n" ); return 1; } ThreadToResume = NULL; if (CommandLine != NULL) { RtlZeroMemory( &StartupInfo, sizeof( StartupInfo ) ); StartupInfo.cb = sizeof( StartupInfo ); StartupInfo.lpReserved = NULL; StartupInfo.lpReserved2 = NULL; StartupInfo.lpDesktop = NULL; StartupInfo.lpTitle = CommandLine; StartupInfo.dwX = 0; StartupInfo.dwY = 1; StartupInfo.dwXSize = 100; StartupInfo.dwYSize = 100; StartupInfo.dwFlags = 0;//STARTF_SHELLOVERRIDE; StartupInfo.wShowWindow = SW_SHOWNORMAL; if (!CreateProcess( NULL, CommandLine, NULL, NULL, TRUE, ProcessCreateFlags, NULL, NULL, &StartupInfo, &ProcessInformation ) ) { fprintf( stderr, "RESMON: CreateProcess( %s ) failed - %lu\n", CommandLine, GetLastError() ); return 1; } Process = ProcessInformation.hProcess; ThreadToResume = ProcessInformation.hThread; ProcessId = ProcessInformation.dwProcessId; InitializeImageDebugInformation( LoadSymbolsFilter, Process, TRUE, TRUE ); } else if (ProcessId == 0xFFFFFFFF) { RtlInitUnicodeString( &Unicode, L"\\WindowsSS" ); InitializeObjectAttributes( &ObjectAttributes, &Unicode, 0, NULL, NULL ); Status = NtOpenProcess( &Process, MAXIMUM_ALLOWED, &ObjectAttributes, NULL ); if (!NT_SUCCESS( Status )) { fprintf( stderr, "OpenProcess( %wZ ) failed - %lx\n", &Unicode, Status ); return 1; } InitializeImageDebugInformation( LoadSymbolsFilter, Process, FALSE, TRUE ); } else { Process = OpenProcess( PROCESS_ALL_ACCESS, FALSE, ProcessId ); if (!Process) { fprintf( stderr, "OpenProcess( %ld ) failed - %lx\n", ProcessId, GetLastError() ); return 1; } InitializeImageDebugInformation( LoadSymbolsFilter, Process, FALSE, TRUE ); } Status = RtlCreateEventLog( Process, EventLogFlags, EventClassMask, &EventLog ); CloseHandle( Process ); if (NT_SUCCESS( Status )) { if (ThreadToResume != NULL) { printf( "Monitoring Command '%s'\n", CommandLine ); ResumeThread( ThreadToResume ); CloseHandle( ThreadToResume ); } else if (ProcessId == 0xFFFFFFFF) { printf( "Monitoring Windows SubSystem Process\n" ); } else { printf( "Monitoring Process %d\n", ProcessId ); } printf( " Events to monitor:" ); if (EventClassMask & RTL_EVENT_CLASS_HEAP_ALL) { printf( " Heap(" ); if (EventClassMask & RTL_EVENT_CLASS_PROCESS_HEAP) { printf( " Process" ); } if (EventClassMask & RTL_EVENT_CLASS_PRIVATE_HEAP) { printf( " Private" ); } if (EventClassMask & RTL_EVENT_CLASS_KERNEL_HEAP) { printf( " Kernel" ); } if (EventClassMask & RTL_EVENT_CLASS_GDI_HEAP) { printf( " GDI" ); } if (EventClassMask & RTL_EVENT_CLASS_USER_HEAP) { printf( " User" ); } if (EventClassMask & RTL_EVENT_CLASS_CONSOLE_HEAP) { printf( " Console" ); } if (EventClassMask & RTL_EVENT_CLASS_DESKTOP_HEAP) { printf( " Desktop" ); } if (EventClassMask & RTL_EVENT_CLASS_CSR_SHARED_HEAP) { printf( " CSR Shared" ); } printf( ")" ); } if (EventClassMask & RTL_EVENT_CLASS_OB) { printf( " Object" ); } if (EventClassMask & RTL_EVENT_CLASS_IO) { printf( " File I/O" ); } if (EventClassMask & RTL_EVENT_CLASS_VM) { printf( " Virtual Memory" ); } if (EventClassMask & RTL_EVENT_CLASS_PAGE_FAULT) { printf( " Page Faults" ); } if (EventClassMask & RTL_EVENT_CLASS_TRANSITION_FAULT) { printf( " Transition Page Faults" ); } printf( "\n" ); Event = (PRTL_EVENT)EventBuffer; while (TRUE) { if (EventLog->CountOfClients == 0) { break; } Status = RtlWaitForEvent( EventLog, sizeof( EventBuffer ), Event, &EventId ); if (!NT_SUCCESS( Status )) { fprintf( stderr, "RESMON: RtlWaitForEventFailed - %x\n", Status ); } if (CreateProcessEventId == NULL && !_stricmp( EventId->Name, "CreateProcess" ) ) { CreateProcessEventId = EventId; } else if (ExitProcessEventId == NULL && !_stricmp( EventId->Name, "ExitProcess" ) ) { ExitProcessEventId = EventId; } else if (LoadModuleEventId == NULL && !_stricmp( EventId->Name, "LoadModule" ) ) { LoadModuleEventId = EventId; } else if (UnloadModuleEventId == NULL && !_stricmp( EventId->Name, "UnloadModule" ) ) { UnloadModuleEventId = EventId; } else if (PageFaultEventId == NULL && !_stricmp( EventId->Name, "PageFault" ) ) { PageFaultEventId = EventId; } if (CreateProcessEventId == EventId || LoadModuleEventId == EventId ) { LoadSymbolsForEvent( Event, EventId ); DumpEvent( Event, EventId ); } else if (ExitProcessEventId == EventId) { EventLog->CountOfClients -= 1; DumpEvent( Event, EventId ); UnloadProcessForEvent( Event, EventId ); } else if (UnloadModuleEventId == EventId) { DumpEvent( Event, EventId ); UnloadSymbolsForEvent( Event, EventId ); } else { DumpEvent( Event, EventId ); } } RtlDestroyEventLog( EventLog ); } else { if (ThreadToResume != NULL) { fprintf( stderr, "RESMON: Unable (%x) to monitor Command '%s'\n", Status, CommandLine ); TerminateThread( ThreadToResume, GetLastError() ); CloseHandle( ThreadToResume ); } else { fprintf( stderr, "RESMON: Unable (%x) to monitor Process %d\n", Status, ProcessId ); } } return 0; }
/************************************************************************* * SHChangeNotify [SHELL32.@] */ void WINAPI SHChangeNotify(LONG wEventId, UINT uFlags, LPCVOID dwItem1, LPCVOID dwItem2) { LPCITEMIDLIST Pidls[2]; LPNOTIFICATIONLIST ptr; UINT typeFlag = uFlags & SHCNF_TYPE; Pidls[0] = NULL; Pidls[1] = NULL; TRACE("(0x%08x,0x%08x,%p,%p):stub.\n", wEventId, uFlags, dwItem1, dwItem2); if( ( wEventId & SHCNE_NOITEMEVENTS ) && ( dwItem1 || dwItem2 ) ) { TRACE("dwItem1 and dwItem2 are not zero, but should be\n"); dwItem1 = 0; dwItem2 = 0; return; } else if( ( wEventId & SHCNE_ONEITEMEVENTS ) && dwItem2 ) { TRACE("dwItem2 is not zero, but should be\n"); dwItem2 = 0; return; } if( ( ( wEventId & SHCNE_NOITEMEVENTS ) && ( wEventId & ~SHCNE_NOITEMEVENTS ) ) || ( ( wEventId & SHCNE_ONEITEMEVENTS ) && ( wEventId & ~SHCNE_ONEITEMEVENTS ) ) || ( ( wEventId & SHCNE_TWOITEMEVENTS ) && ( wEventId & ~SHCNE_TWOITEMEVENTS ) ) ) { WARN("mutually incompatible events listed\n"); return; } /* convert paths in IDLists*/ switch (typeFlag) { case SHCNF_PATHA: if (dwItem1) Pidls[0] = SHSimpleIDListFromPathA((LPCSTR)dwItem1); //FIXME if (dwItem2) Pidls[1] = SHSimpleIDListFromPathA((LPCSTR)dwItem2); //FIXME break; case SHCNF_PATHW: if (dwItem1) Pidls[0] = SHSimpleIDListFromPathW((LPCWSTR)dwItem1); if (dwItem2) Pidls[1] = SHSimpleIDListFromPathW((LPCWSTR)dwItem2); break; case SHCNF_IDLIST: Pidls[0] = (LPCITEMIDLIST)dwItem1; Pidls[1] = (LPCITEMIDLIST)dwItem2; break; case SHCNF_PRINTERA: case SHCNF_PRINTERW: FIXME("SHChangeNotify with (uFlags & SHCNF_PRINTER)\n"); return; case SHCNF_DWORD: default: FIXME("unknown type %08x\n",typeFlag); return; } { WCHAR path[MAX_PATH]; if( Pidls[0] && SHGetPathFromIDListW(Pidls[0], path )) TRACE("notify %08x on item1 = %s\n", wEventId, debugstr_w(path)); if( Pidls[1] && SHGetPathFromIDListW(Pidls[1], path )) TRACE("notify %08x on item2 = %s\n", wEventId, debugstr_w(path)); } EnterCriticalSection(&SHELL32_ChangenotifyCS); /* loop through the list */ for( ptr = head; ptr; ptr = ptr->next ) { BOOL notify; DWORD i; notify = FALSE; TRACE("trying %p\n", ptr); for( i=0; (i<ptr->cidl) && !notify ; i++ ) { LPCITEMIDLIST pidl = ptr->apidl[i].pidl; BOOL subtree = ptr->apidl[i].fRecursive; if (wEventId & ptr->wEventMask) { if( !pidl ) /* all ? */ notify = TRUE; else if( wEventId & SHCNE_NOITEMEVENTS ) notify = TRUE; else if( wEventId & ( SHCNE_ONEITEMEVENTS | SHCNE_TWOITEMEVENTS ) ) notify = should_notify( Pidls[0], pidl, subtree ); else if( wEventId & SHCNE_TWOITEMEVENTS ) notify = should_notify( Pidls[1], pidl, subtree ); } } if( !notify ) continue; ptr->pidlSignaled = ILClone(Pidls[0]); TRACE("notifying %s, event %s(%x) before\n", NodeName( ptr ), DumpEvent( wEventId ),wEventId ); ptr->wSignalledEvent |= wEventId; if (ptr->dwFlags & SHCNRF_NewDelivery) SendMessageW(ptr->hwnd, ptr->uMsg, (WPARAM) ptr, (LPARAM) GetCurrentProcessId()); else SendMessageW(ptr->hwnd, ptr->uMsg, (WPARAM)Pidls, wEventId); TRACE("notifying %s, event %s(%x) after\n", NodeName( ptr ), DumpEvent( wEventId ),wEventId ); } TRACE("notify Done\n"); LeaveCriticalSection(&SHELL32_ChangenotifyCS); /* if we allocated it, free it. The ANSI flag is also set in its Unicode sibling. */ if ((typeFlag & SHCNF_PATHA) || (typeFlag & SHCNF_PRINTERA)) { SHFree((LPITEMIDLIST)Pidls[0]); SHFree((LPITEMIDLIST)Pidls[1]); } }