From 003414fa9b1af892d85f2da16f7a91d48092e1e9 Mon Sep 17 00:00:00 2001
From: wwh1004
Date: Wed, 19 Nov 2025 13:49:06 +0800
Subject: [PATCH 1/3] Add constructor for schema from EVENT_RECORD and PTRACE_EVENT_INFO
---
 krabs/krabs/parser.hpp | 2 +-
 krabs/krabs/property.hpp | 2 +-
 krabs/krabs/schema.hpp | 27 ++++++++++++++++++++++++++-
 3 files changed, 28 insertions(+), 3 deletions(-)
diff --git a/krabs/krabs/parser.hpp b/krabs/krabs/parser.hpp
index 2f916c2..d346486 100644
--- a/krabs/krabs/parser.hpp
+++ b/krabs/krabs/parser.hpp
@@ -164,7 +164,7 @@ namespace krabs {
 auto ¤tPropInfo = schema_.pSchema_->EventPropertyInfoArray[i];
 const wchar_t *pName = reinterpret_cast(
- reinterpret_cast(schema_.pSchema_) +
+ reinterpret_cast(schema_.pSchema_) +
 currentPropInfo.NameOffset);
 ULONG propertyLength = size_provider::get_property_size(
diff --git a/krabs/krabs/property.hpp b/krabs/krabs/property.hpp
index 0cb93e9..f7c5d86 100644
--- a/krabs/krabs/property.hpp
+++ b/krabs/krabs/property.hpp
@@ -193,7 +193,7 @@ namespace krabs {
 const auto &curr_prop = schema_.pSchema_->EventPropertyInfoArray[index];
 const wchar_t *pName = reinterpret_cast(
- reinterpret_cast(schema_.pSchema_) +
+ reinterpret_cast(schema_.pSchema_) +
 curr_prop.NameOffset);
 auto tdh_type = (_TDH_IN_TYPE)curr_prop.nonStructType.InType;
diff --git a/krabs/krabs/schema.hpp b/krabs/krabs/schema.hpp
index f4169d9..34cc9ba 100644
--- a/krabs/krabs/schema.hpp
+++ b/krabs/krabs/schema.hpp
@@ -55,6 +55,26 @@ namespace krabs {
 */
 schema(const EVENT_RECORD &, const krabs::schema_locator &);
+ /**
+ *
+ * Constructs a schema from an event record instance
+ * using the provided TRACE_EVENT_INFO pointer.
+ *
+ *
+ *
+ * void on_event(const EVENT_RECORD &record, const krabs::trace_context &trace_context)
+ * {
+ * TDHSTATUS status = ERROR_SUCCESS;
+ * const PTRACE_EVENT_INFO info = trace_context.schema_locator.get_event_schema_no_throw(record, status);
+ * if (status != ERROR_SUCCESS) {
+ * // fallback logic here...
+ * }
+ * krabs::schema schema(record, info);
+ * }
+ *
+ */
+ schema(const EVENT_RECORD &, const PTRACE_EVENT_INFO);
+
 /**
 * Compares two schemas for equality.
 *
@@ -264,7 +284,7 @@ namespace krabs {
 private:
 const EVENT_RECORD &record_;
- TRACE_EVENT_INFO *pSchema_;
+ const TRACE_EVENT_INFO *pSchema_;
 private:
 friend std::wstring event_name(const schema &);
@@ -294,6 +314,11 @@ namespace krabs {
 , pSchema_(schema_locator.get_event_schema(record))
 { }
+ inline schema::schema(const EVENT_RECORD &record, const PTRACE_EVENT_INFO pSchema)
+ : record_(record)
+ , pSchema_(pSchema)
+ { }
+
 inline bool schema::operator==(const schema &other) const
 {
 return (pSchema_->ProviderGuid == other.pSchema_->ProviderGuid &&
From 9a71196eb11c597399763bc5bdd8475f1e3fa2f3 Mon Sep 17 00:00:00 2001
From: wwh1004
Date: Tue, 2 Dec 2025 22:57:33 +0800
Subject: [PATCH 2/3] Update target framework to net8.0 in build and assembly generation scripts
---
 .github/workflows/krabsetw.yml | 2 +-
 GenerateRefAssemblies.ps1 | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/krabsetw.yml b/.github/workflows/krabsetw.yml
index ff09c2b..a8c6565 100644
--- a/.github/workflows/krabsetw.yml
+++ b/.github/workflows/krabsetw.yml
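Review bot: The new `schema(const EVENT_RECORD &, const PTRACE_EVENT_INFO)` overload stores the caller's pointer unchecked, and the usage example in its own doc comment falls through to `krabs::schema schema(record, info);` even after `status != ERROR_SUCCESS`, where `info` is presumably null; the first dereference then happens later, for instance in `operator==` at the end of the third hunk, far from the bad call site. Either the example should `return` (or throw) in the fallback branch, or the constructor body in the third hunk should reject a null pointer up front, e.g. `if (!pSchema) throw std::invalid_argument("schema: TRACE_EVENT_INFO must not be null");`, which matches the throwing style of the locator-based overload. The parameter type also looks off: `const PTRACE_EVENT_INFO` is `TRACE_EVENT_INFO *const`, a pointer to non-const, while the member is now `const TRACE_EVENT_INFO *`, so a caller holding a `const TRACE_EVENT_INFO *` cannot use this overload at all; `schema(const EVENT_RECORD &, const TRACE_EVENT_INFO *);` would accept both. The doc comment should state ownership and lifetime, since nothing in the hunk does: the schema neither copies nor owns the TRACE_EVENT_INFO, so the caller must keep the buffer alive for as long as the schema and any parser or property objects built from it (the locator overload presumably gets this from the locator's cache — worth confirming). The enclosing class `schema` starts and ends outside these hunks.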
@@ -30,5 +30,5 @@ jobs:
 run: vstest.console.exe krabs\x64\Debug\krabstests.dll
 - name: test debug net462
 run: vstest.console.exe tests\ManagedETWTests\bin\x64\Debug\net462\EtwTestsCS.dll
- - name: test debug net6.0
+ - name: test debug net8.0
 run: vstest.console.exe tests\ManagedETWTests\bin\x64\Debug\net8.0\EtwTestsCS.dll
diff --git a/GenerateRefAssemblies.ps1 b/GenerateRefAssemblies.ps1
index 4663be6..8dcdf4c 100644
--- a/GenerateRefAssemblies.ps1
+++ b/GenerateRefAssemblies.ps1
@@ -13,7 +13,7 @@ if (Test-Path ".\ref") {
 $platforms = @("x64", "ARM64")
 $configurations = @("Debug", "DebugSigning", "Release", "ReleaseSigning")
-$targetFrameworks = @("net6.0", "net462")
+$targetFrameworks = @("net8.0", "net462")
 $targetAssemblyName = "Microsoft.O365.Security.Native.ETW.dll"
 $generated = @()
From 03b7c25784988a2518cc4a8db89e587ca75d216d Mon Sep 17 00:00:00 2001
From: wwh1004
Date: Tue, 2 Dec 2025 22:58:07 +0800
Subject: [PATCH 3/3] Bump nuget versions
---
 .../AssemblyInfo.cpp | 2 +-
 O365.Security.Native.ETW.Debug.nuspec | 31 ++++++++++---------
 O365.Security.Native.ETW.nuspec | 31 ++++++++++---------
 krabsetw.nuspec | 7 +++--
 4 files changed, 37 insertions(+), 34 deletions(-)
diff --git a/Microsoft.O365.Security.Native.ETW/AssemblyInfo.cpp b/Microsoft.O365.Security.Native.ETW/AssemblyInfo.cpp
index a48c9fd..3eaa987 100644
--- a/Microsoft.O365.Security.Native.ETW/AssemblyInfo.cpp
+++ b/Microsoft.O365.Security.Native.ETW/AssemblyInfo.cpp
@@ -32,7 +32,7 @@ using namespace System::Security::Permissions;
 // You can specify all the value or you can default the Revision and Build Numbers
 // by using the '*' as shown below:
-[assembly:AssemblyVersionAttribute("4.4.5.0")];
+[assembly:AssemblyVersionAttribute("4.4.6.0")];
 [assembly:ComVisible(false)];
diff --git a/O365.Security.Native.ETW.Debug.nuspec b/O365.Security.Native.ETW.Debug.nuspec
index 520ce85..c9a558a 100644
--- a/O365.Security.Native.ETW.Debug.nuspec
+++ b/O365.Security.Native.ETW.Debug.nuspec
@@ -2,7 +2,7 @@ Microsoft.O365.Security.Native.ETW.Debug - 4.4.5 + 4.4.6 Microsoft.O365.Security.Native.ETW Debug - managed wrappers for krabsetw Microsoft Microsoft @@ -12,21 +12,22 @@ Microsoft.O365.Security.Native.ETW Debug is a managed wrapper around the krabsetw ETW library. This is the Debug build. Microsoft.O365.Security.Native.ETW Debug is a managed wrapper around the krabsetw ETW library. This is the Debug build. - Version 4.4.5: - - Fixes error with Refasmer when generating reference assemblies + Version 4.4.6: + - Add constructor for schema from EVENT_RECORD and PTRACE_EVENT_INFO + - Update for .NET Core 8 © Microsoft Corporation. All rights reserved. ETW krabs managed cppcli - + - + @@ -34,25 +35,25 @@ - + - + - - - - + + + + - - - - + + + + diff --git a/O365.Security.Native.ETW.nuspec b/O365.Security.Native.ETW.nuspec index 017fc9e..a4cbdd2 100644 --- a/O365.Security.Native.ETW.nuspec +++ b/O365.Security.Native.ETW.nuspec @@ -2,7 +2,7 @@ Microsoft.O365.Security.Native.ETW - 4.4.5 + 4.4.6 Microsoft.O365.Security.Native.ETW - managed wrappers for krabsetw Microsoft Microsoft @@ -12,21 +12,22 @@ Microsoft.O365.Security.Native.ETW is a managed wrapper around the krabsetw ETW library. Microsoft.O365.Security.Native.ETW is a managed wrapper around the krabsetw ETW library. - Version 4.4.5: - - Fixes error with Refasmer when generating reference assemblies + Version 4.4.6: + - Add constructor for schema from EVENT_RECORD and PTRACE_EVENT_INFO + - Update for .NET Core 8 © Microsoft Corporation. All rights reserved. ETW krabs managed cppcli - + - + @@ -34,25 +35,25 @@ - + - + - - - - + + + + - - - - + + + + diff --git a/krabsetw.nuspec b/krabsetw.nuspec index cf6f25e..35462a3 100644 --- a/krabsetw.nuspec +++ b/krabsetw.nuspec @@ -2,7 +2,7 @@ Microsoft.O365.Security.Krabsetw - 4.4.5 + 4.4.6 Krabs ETW Wrappers Microsoft Microsoft 
@@ -12,8 +12,9 @@ Krabs ETW provides a modern C++ wrapper around the low-level ETW trace consumption functions Krabs ETW provides a modern C++ wrapper around the low-level ETW trace consumption functions - Version 4.4.5: - - Fixes error with Refasmer when generating reference assemblies + Version 4.4.6: + - Add constructor for schema from EVENT_RECORD and PTRACE_EVENT_INFO + - Update for .NET Core 8 © Microsoft Corporation. All rights reserved.