Add constructor for schema from EVENT_RECORD and PTRACE_EVENT_INFO

.github/workflows/krabsetw.yml

@@ -30,5 +30,5 @@ jobs:
       run: vstest.console.exe krabs\x64\Debug\krabstests.dll
     - name: test debug net462
       run: vstest.console.exe tests\ManagedETWTests\bin\x64\Debug\net462\EtwTestsCS.dll
-    - name: test debug net6.0
+    - name: test debug net8.0
       run: vstest.console.exe tests\ManagedETWTests\bin\x64\Debug\net8.0\EtwTestsCS.dll

GenerateRefAssemblies.ps1

@@ -13,7 +13,7 @@ if (Test-Path ".\ref") {
 
 $platforms = @("x64", "ARM64")
 $configurations = @("Debug", "DebugSigning", "Release", "ReleaseSigning")
-$targetFrameworks = @("net6.0", "net462")
+$targetFrameworks = @("net8.0", "net462")
 $targetAssemblyName = "Microsoft.O365.Security.Native.ETW.dll"
 
 $generated = @()

Microsoft.O365.Security.Native.ETW/AssemblyInfo.cpp

@@ -32,7 +32,7 @@ using namespace System::Security::Permissions;
 // You can specify all the value or you can default the Revision and Build Numbers
 // by using the '*' as shown below:
 
-[assembly:AssemblyVersionAttribute("4.4.5.0")];
+[assembly:AssemblyVersionAttribute("4.4.6.0")];
 
 [assembly:ComVisible(false)];
 

O365.Security.Native.ETW.Debug.nuspec

@@ -2,7 +2,7 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2011/08/nuspec.xsd">
     <metadata>
         <id>Microsoft.O365.Security.Native.ETW.Debug</id>
-        <version>4.4.5</version>
+        <version>4.4.6</version>
         <title>Microsoft.O365.Security.Native.ETW Debug - managed wrappers for krabsetw</title>
         <authors>Microsoft</authors>
         <owners>Microsoft</owners>
@@ -12,47 +12,48 @@
         <description>Microsoft.O365.Security.Native.ETW Debug is a managed wrapper around the krabsetw ETW library. This is the Debug build.</description>
         <summary>Microsoft.O365.Security.Native.ETW Debug is a managed wrapper around the krabsetw ETW library. This is the Debug build.</summary>
         <releaseNotes>
-            Version 4.4.5:
-              - Fixes error with Refasmer when generating reference assemblies
+            Version 4.4.6:
+              - Add constructor for schema from EVENT_RECORD and PTRACE_EVENT_INFO
+              - Update for .NET Core 8
         </releaseNotes>
         <copyright>© Microsoft Corporation. All rights reserved.</copyright>
         <language />
         <tags>ETW krabs managed cppcli</tags>
         <dependencies>
             <group targetFramework=".NETFramework4.6.2" />
-            <group targetFramework="net6.0" />
+            <group targetFramework="net8.0" />
         </dependencies>
         <references>
             <group targetFramework=".NETFramework4.6.2">
                 <reference file="Microsoft.O365.Security.Native.ETW.dll" />
             </group>
-            <group targetFramework="net6.0">
+            <group targetFramework="net8.0">
                 <reference file="Microsoft.O365.Security.Native.ETW.dll" />
             </group>
         </references>
     </metadata>
 
     <files>
         <file src="ref\net462\Microsoft.O365.Security.Native.ETW.dll" target="ref\net462\Microsoft.O365.Security.Native.ETW.dll" />
-        <file src="ref\net6.0\Microsoft.O365.Security.Native.ETW.dll" target="ref\net6.0\Microsoft.O365.Security.Native.ETW.dll" />
+        <file src="ref\net8.0\Microsoft.O365.Security.Native.ETW.dll" target="ref\net8.0\Microsoft.O365.Security.Native.ETW.dll" />
         <file src="ref\net462\Microsoft.O365.Security.Native.ETW.dll" target="lib\net462\Microsoft.O365.Security.Native.ETW.dll" />
-        <file src="ref\net6.0\Microsoft.O365.Security.Native.ETW.dll" target="lib\net6.0\Microsoft.O365.Security.Native.ETW.dll" />
+        <file src="ref\net8.0\Microsoft.O365.Security.Native.ETW.dll" target="lib\net8.0\Microsoft.O365.Security.Native.ETW.dll" />
 
         <file src="krabs\x64\DebugSigning\net462\Microsoft.O365.Security.Native.ETW.dll" target="runtimes\win-x64\lib\net462\Microsoft.O365.Security.Native.ETW.dll" />
         <file src="krabs\x64\DebugSigning\net462\Microsoft.O365.Security.Native.ETW.pdb" target="runtimes\win-x64\lib\net462\Microsoft.O365.Security.Native.ETW.pdb" />
         <file src="krabs\x64\DebugSigning\net462\Microsoft.O365.Security.Native.ETW.xml" target="runtimes\win-x64\lib\net462\Microsoft.O365.Security.Native.ETW.xml" />
-        <file src="krabs\x64\DebugSigning\net6.0\Microsoft.O365.Security.Native.ETW.dll" target="runtimes\win-x64\lib\net6.0\Microsoft.O365.Security.Native.ETW.dll" />
-        <file src="krabs\x64\DebugSigning\net6.0\Microsoft.O365.Security.Native.ETW.pdb" target="runtimes\win-x64\lib\net6.0\Microsoft.O365.Security.Native.ETW.pdb" />
-        <file src="krabs\x64\DebugSigning\net6.0\Microsoft.O365.Security.Native.ETW.xml" target="runtimes\win-x64\lib\net6.0\Microsoft.O365.Security.Native.ETW.xml" />
-        <file src="krabs\x64\DebugSigning\net6.0\Ijwhost.dll" target="runtimes\win-x64\native\Ijwhost.dll" />
+        <file src="krabs\x64\DebugSigning\net8.0\Microsoft.O365.Security.Native.ETW.dll" target="runtimes\win-x64\lib\net8.0\Microsoft.O365.Security.Native.ETW.dll" />
+        <file src="krabs\x64\DebugSigning\net8.0\Microsoft.O365.Security.Native.ETW.pdb" target="runtimes\win-x64\lib\net8.0\Microsoft.O365.Security.Native.ETW.pdb" />
+        <file src="krabs\x64\DebugSigning\net8.0\Microsoft.O365.Security.Native.ETW.xml" target="runtimes\win-x64\lib\net8.0\Microsoft.O365.Security.Native.ETW.xml" />
+        <file src="krabs\x64\DebugSigning\net8.0\Ijwhost.dll" target="runtimes\win-x64\native\Ijwhost.dll" />
 
         <file src="krabs\ARM64\DebugSigning\net462\Microsoft.O365.Security.Native.ETW.dll" target="runtimes\win-arm64\lib\net462\Microsoft.O365.Security.Native.ETW.dll" />
         <file src="krabs\ARM64\DebugSigning\net462\Microsoft.O365.Security.Native.ETW.pdb" target="runtimes\win-arm64\lib\net462\Microsoft.O365.Security.Native.ETW.pdb" />
         <file src="krabs\ARM64\DebugSigning\net462\Microsoft.O365.Security.Native.ETW.xml" target="runtimes\win-arm64\lib\net462\Microsoft.O365.Security.Native.ETW.xml" />
-        <file src="krabs\ARM64\DebugSigning\net6.0\Microsoft.O365.Security.Native.ETW.dll" target="runtimes\win-arm64\lib\net6.0\Microsoft.O365.Security.Native.ETW.dll" />
-        <file src="krabs\ARM64\DebugSigning\net6.0\Microsoft.O365.Security.Native.ETW.pdb" target="runtimes\win-arm64\lib\net6.0\Microsoft.O365.Security.Native.ETW.pdb" />
-        <file src="krabs\ARM64\DebugSigning\net6.0\Microsoft.O365.Security.Native.ETW.xml" target="runtimes\win-arm64\lib\net6.0\Microsoft.O365.Security.Native.ETW.xml" />
-        <file src="krabs\ARM64\DebugSigning\net6.0\Ijwhost.dll" target="runtimes\win-arm64\native\Ijwhost.dll" />
+        <file src="krabs\ARM64\DebugSigning\net8.0\Microsoft.O365.Security.Native.ETW.dll" target="runtimes\win-arm64\lib\net8.0\Microsoft.O365.Security.Native.ETW.dll" />
+        <file src="krabs\ARM64\DebugSigning\net8.0\Microsoft.O365.Security.Native.ETW.pdb" target="runtimes\win-arm64\lib\net8.0\Microsoft.O365.Security.Native.ETW.pdb" />
+        <file src="krabs\ARM64\DebugSigning\net8.0\Microsoft.O365.Security.Native.ETW.xml" target="runtimes\win-arm64\lib\net8.0\Microsoft.O365.Security.Native.ETW.xml" />
+        <file src="krabs\ARM64\DebugSigning\net8.0\Ijwhost.dll" target="runtimes\win-arm64\native\Ijwhost.dll" />
 
         <file src="build\Microsoft.O365.Security.Native.ETW.Debug.targets" target="build\net462\" />
     </files>

O365.Security.Native.ETW.nuspec

@@ -2,7 +2,7 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2011/08/nuspec.xsd">
     <metadata>
         <id>Microsoft.O365.Security.Native.ETW</id>
-        <version>4.4.5</version>
+        <version>4.4.6</version>
         <title>Microsoft.O365.Security.Native.ETW - managed wrappers for krabsetw</title>
         <authors>Microsoft</authors>
         <owners>Microsoft</owners>
@@ -12,47 +12,48 @@
         <description>Microsoft.O365.Security.Native.ETW is a managed wrapper around the krabsetw ETW library.</description>
         <summary>Microsoft.O365.Security.Native.ETW is a managed wrapper around the krabsetw ETW library.</summary>
         <releaseNotes>
-            Version 4.4.5:
-              - Fixes error with Refasmer when generating reference assemblies
+            Version 4.4.6:
+              - Add constructor for schema from EVENT_RECORD and PTRACE_EVENT_INFO
+              - Update for .NET Core 8
         </releaseNotes>
         <copyright>© Microsoft Corporation. All rights reserved.</copyright>
         <language />
         <tags>ETW krabs managed cppcli</tags>
         <dependencies>
             <group targetFramework=".NETFramework4.6.2" />
-            <group targetFramework="net6.0" />
+            <group targetFramework="net8.0" />
         </dependencies>
         <references>
             <group targetFramework=".NETFramework4.6.2">
                 <reference file="Microsoft.O365.Security.Native.ETW.dll" />
             </group>
-            <group targetFramework="net6.0">
+            <group targetFramework="net8.0">
                 <reference file="Microsoft.O365.Security.Native.ETW.dll" />
             </group>
         </references>
     </metadata>
 
     <files>
         <file src="ref\net462\Microsoft.O365.Security.Native.ETW.dll" target="ref\net462\Microsoft.O365.Security.Native.ETW.dll" />
-        <file src="ref\net6.0\Microsoft.O365.Security.Native.ETW.dll" target="ref\net6.0\Microsoft.O365.Security.Native.ETW.dll" />
+        <file src="ref\net8.0\Microsoft.O365.Security.Native.ETW.dll" target="ref\net8.0\Microsoft.O365.Security.Native.ETW.dll" />
         <file src="ref\net462\Microsoft.O365.Security.Native.ETW.dll" target="lib\net462\Microsoft.O365.Security.Native.ETW.dll" />
-        <file src="ref\net6.0\Microsoft.O365.Security.Native.ETW.dll" target="lib\net6.0\Microsoft.O365.Security.Native.ETW.dll" />
+        <file src="ref\net8.0\Microsoft.O365.Security.Native.ETW.dll" target="lib\net8.0\Microsoft.O365.Security.Native.ETW.dll" />
 
         <file src="krabs\x64\ReleaseSigning\net462\Microsoft.O365.Security.Native.ETW.dll" target="runtimes\win-x64\lib\net462\Microsoft.O365.Security.Native.ETW.dll" />
         <file src="krabs\x64\ReleaseSigning\net462\Microsoft.O365.Security.Native.ETW.pdb" target="runtimes\win-x64\lib\net462\Microsoft.O365.Security.Native.ETW.pdb" />
         <file src="krabs\x64\ReleaseSigning\net462\Microsoft.O365.Security.Native.ETW.xml" target="runtimes\win-x64\lib\net462\Microsoft.O365.Security.Native.ETW.xml" />
-        <file src="krabs\x64\ReleaseSigning\net6.0\Microsoft.O365.Security.Native.ETW.dll" target="runtimes\win-x64\lib\net6.0\Microsoft.O365.Security.Native.ETW.dll" />
-        <file src="krabs\x64\ReleaseSigning\net6.0\Microsoft.O365.Security.Native.ETW.pdb" target="runtimes\win-x64\lib\net6.0\Microsoft.O365.Security.Native.ETW.pdb" />
-        <file src="krabs\x64\ReleaseSigning\net6.0\Microsoft.O365.Security.Native.ETW.xml" target="runtimes\win-x64\lib\net6.0\Microsoft.O365.Security.Native.ETW.xml" />
-        <file src="krabs\x64\ReleaseSigning\net6.0\Ijwhost.dll" target="runtimes\win-x64\native\Ijwhost.dll" />
+        <file src="krabs\x64\ReleaseSigning\net8.0\Microsoft.O365.Security.Native.ETW.dll" target="runtimes\win-x64\lib\net8.0\Microsoft.O365.Security.Native.ETW.dll" />
+        <file src="krabs\x64\ReleaseSigning\net8.0\Microsoft.O365.Security.Native.ETW.pdb" target="runtimes\win-x64\lib\net8.0\Microsoft.O365.Security.Native.ETW.pdb" />
+        <file src="krabs\x64\ReleaseSigning\net8.0\Microsoft.O365.Security.Native.ETW.xml" target="runtimes\win-x64\lib\net8.0\Microsoft.O365.Security.Native.ETW.xml" />
+        <file src="krabs\x64\ReleaseSigning\net8.0\Ijwhost.dll" target="runtimes\win-x64\native\Ijwhost.dll" />
 
         <file src="krabs\ARM64\ReleaseSigning\net462\Microsoft.O365.Security.Native.ETW.dll" target="runtimes\win-arm64\lib\net462\Microsoft.O365.Security.Native.ETW.dll" />
         <file src="krabs\ARM64\ReleaseSigning\net462\Microsoft.O365.Security.Native.ETW.pdb" target="runtimes\win-arm64\lib\net462\Microsoft.O365.Security.Native.ETW.pdb" />
         <file src="krabs\ARM64\ReleaseSigning\net462\Microsoft.O365.Security.Native.ETW.xml" target="runtimes\win-arm64\lib\net462\Microsoft.O365.Security.Native.ETW.xml" />
-        <file src="krabs\ARM64\ReleaseSigning\net6.0\Microsoft.O365.Security.Native.ETW.dll" target="runtimes\win-arm64\lib\net6.0\Microsoft.O365.Security.Native.ETW.dll" />
-        <file src="krabs\ARM64\ReleaseSigning\net6.0\Microsoft.O365.Security.Native.ETW.pdb" target="runtimes\win-arm64\lib\net6.0\Microsoft.O365.Security.Native.ETW.pdb" />
-        <file src="krabs\ARM64\ReleaseSigning\net6.0\Microsoft.O365.Security.Native.ETW.xml" target="runtimes\win-arm64\lib\net6.0\Microsoft.O365.Security.Native.ETW.xml" />
-        <file src="krabs\ARM64\ReleaseSigning\net6.0\Ijwhost.dll" target="runtimes\win-arm64\native\Ijwhost.dll" />
+        <file src="krabs\ARM64\ReleaseSigning\net8.0\Microsoft.O365.Security.Native.ETW.dll" target="runtimes\win-arm64\lib\net8.0\Microsoft.O365.Security.Native.ETW.dll" />
+        <file src="krabs\ARM64\ReleaseSigning\net8.0\Microsoft.O365.Security.Native.ETW.pdb" target="runtimes\win-arm64\lib\net8.0\Microsoft.O365.Security.Native.ETW.pdb" />
+        <file src="krabs\ARM64\ReleaseSigning\net8.0\Microsoft.O365.Security.Native.ETW.xml" target="runtimes\win-arm64\lib\net8.0\Microsoft.O365.Security.Native.ETW.xml" />
+        <file src="krabs\ARM64\ReleaseSigning\net8.0\Ijwhost.dll" target="runtimes\win-arm64\native\Ijwhost.dll" />
 
         <file src="build\Microsoft.O365.Security.Native.ETW.targets" target="build\net462\" />
     </files>

krabs/krabs/parser.hpp

@@ -164,7 +164,7 @@ namespace krabs {
 
             auto &currentPropInfo = schema_.pSchema_->EventPropertyInfoArray[i];
             const wchar_t *pName = reinterpret_cast<const wchar_t*>(
-                                        reinterpret_cast<BYTE*>(schema_.pSchema_) +
+                                        reinterpret_cast<const BYTE*>(schema_.pSchema_) +
                                         currentPropInfo.NameOffset);
 
             ULONG propertyLength = size_provider::get_property_size(

krabs/krabs/property.hpp

@@ -193,7 +193,7 @@ namespace krabs {
         const auto &curr_prop = schema_.pSchema_->EventPropertyInfoArray[index];
 
         const wchar_t *pName = reinterpret_cast<const wchar_t*>(
-            reinterpret_cast<BYTE*>(schema_.pSchema_) +
+            reinterpret_cast<const BYTE*>(schema_.pSchema_) +
             curr_prop.NameOffset);
 
         auto tdh_type = (_TDH_IN_TYPE)curr_prop.nonStructType.InType;

krabs/krabs/schema.hpp

@@ -55,6 +55,26 @@ namespace krabs {
          */
         schema(const EVENT_RECORD &, const krabs::schema_locator &);
 
+        /**
+         * <summary>
+         * Constructs a schema from an event record instance
+         * using the provided TRACE_EVENT_INFO pointer.
+         * </summary>
+         *
+         * <example>
+         *   void on_event(const EVENT_RECORD &record, const krabs::trace_context &trace_context)
+         *   {
+         *       TDHSTATUS status = ERROR_SUCCESS;
+         *       const PTRACE_EVENT_INFO info = trace_context.schema_locator.get_event_schema_no_throw(record, status);
+         *       if (status != ERROR_SUCCESS) {
+         *           // fallback logic here...
+         *       }
+         *       krabs::schema schema(record, info);
+         *   }
+         * </example>
+         */
+        schema(const EVENT_RECORD &, const PTRACE_EVENT_INFO);
+
         /**
          * <summary>Compares two schemas for equality.<summary>
          *
@@ -264,7 +284,7 @@ namespace krabs {
 
     private:
         const EVENT_RECORD &record_;
-        TRACE_EVENT_INFO *pSchema_;
+        const TRACE_EVENT_INFO *pSchema_;
 
     private:
         friend std::wstring event_name(const schema &);
@@ -294,6 +314,11 @@ namespace krabs {
         , pSchema_(schema_locator.get_event_schema(record))
     { }
 
+    inline schema::schema(const EVENT_RECORD &record, const PTRACE_EVENT_INFO pSchema)
+        : record_(record)
+        , pSchema_(pSchema)
+    { }
+
     inline bool schema::operator==(const schema &other) const
     {
         return (pSchema_->ProviderGuid == other.pSchema_->ProviderGuid &&

krabsetw.nuspec

@@ -2,7 +2,7 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2011/08/nuspec.xsd">
     <metadata>
         <id>Microsoft.O365.Security.Krabsetw</id>
-        <version>4.4.5</version>
+        <version>4.4.6</version>
         <title>Krabs ETW Wrappers</title>
         <authors>Microsoft</authors>
         <owners>Microsoft</owners>
@@ -12,8 +12,9 @@
         <description>Krabs ETW provides a modern C++ wrapper around the low-level ETW trace consumption functions</description>
         <summary>Krabs ETW provides a modern C++ wrapper around the low-level ETW trace consumption functions</summary>
         <releaseNotes>
-            Version 4.4.5:
-              - Fixes error with Refasmer when generating reference assemblies
+            Version 4.4.6:
+              - Add constructor for schema from EVENT_RECORD and PTRACE_EVENT_INFO
+              - Update for .NET Core 8
         </releaseNotes>
         <copyright>© Microsoft Corporation. All rights reserved.</copyright>
         <language />