EVT API
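// ETW_FrameWork.cpp : Defines the entry point for the console application.
//
// Starts an NT Kernel Logger session that records TCP/IP network events into
// a circular log file, waits for a key press, then stops the session again.
// Controlling the kernel logger is a privileged operation; StartTrace reports
// a missing right through its return code, which is printed below.
//
// Fixes relative to the sample this was pasted from:
//  - the session is stopped on the normal exit path too (the earlier
//    "return 0" before cleanup left a system-wide trace session running),
//  - the StartTrace failure message named the wrong function,
//  - the allocation message used %d for a ULONG,
//  - the EnableTrace(NULL provider) call is gone: the kernel logger picks its
//    providers through EnableFlags and EnableTrace needs a real provider GUID
//    (the BOOL declared for it also sat between a goto and its label, which
//    C++ rejects as a jump across an initialization),
//  - the process exit code is non-zero when the session could not be run.

#include "stdafx.h"

#define INITGUID // Include this #define to use SystemTraceControlGuid in Evntrace.h.
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <conio.h>
#include <strsafe.h>
#include <wmistr.h>
#include <evntrace.h>

#define LOGFILE_PATH L"<FULL PATH TO THE LOG FILE.etl>"

int _tmain(int argc, _TCHAR* argv[])
{
    ULONG status = ERROR_SUCCESS;
    TRACEHANDLE SessionHandle = 0;
    EVENT_TRACE_PROPERTIES* pSessionProperties = NULL;
    ULONG BufferSize = 0;
    int rc = 1; // exit code: 0 only when the session ran and was stopped cleanly

    (void)argc;
    (void)argv;

    // Allocate memory for the session properties. The memory must
    // be large enough to include the log file name and session name,
    // which get appended to the end of the session properties structure.
    BufferSize = sizeof(EVENT_TRACE_PROPERTIES) + sizeof(LOGFILE_PATH) + sizeof(KERNEL_LOGGER_NAME);
    pSessionProperties = (EVENT_TRACE_PROPERTIES*) malloc(BufferSize);
    if (NULL == pSessionProperties)
    {
        // %lu: BufferSize is a ULONG.
        wprintf(L"Unable to allocate %lu bytes for properties structure.\n", BufferSize);
        goto cleanup;
    }

    // Set the session properties. You only append the log file name
    // to the properties structure; the StartTrace function appends
    // the session name for you.
    ZeroMemory(pSessionProperties, BufferSize);
    pSessionProperties->Wnode.BufferSize = BufferSize;
    pSessionProperties->Wnode.Flags = WNODE_FLAG_TRACED_GUID;
    pSessionProperties->Wnode.ClientContext = 1; //QPC clock resolution
    pSessionProperties->Wnode.Guid = SystemTraceControlGuid;
    // The kernel logger selects its event sources through EnableFlags;
    // only TCP/IP network events are requested here.
    pSessionProperties->EnableFlags = EVENT_TRACE_FLAG_NETWORK_TCPIP;
    // Circular mode bounded by MaximumFileSize keeps the log file from
    // growing without limit for as long as the session runs.
    pSessionProperties->LogFileMode = EVENT_TRACE_FILE_MODE_CIRCULAR;
    pSessionProperties->MaximumFileSize = 5; // 5 MB
    pSessionProperties->LoggerNameOffset = sizeof(EVENT_TRACE_PROPERTIES);
    pSessionProperties->LogFileNameOffset = sizeof(EVENT_TRACE_PROPERTIES) + sizeof(KERNEL_LOGGER_NAME);
    // Copy the log file name into the space reserved after the session name.
    // StringCbCopyW is used explicitly because destination and source are
    // wide strings regardless of the project's UNICODE setting.
    StringCbCopyW((LPWSTR)((char*)pSessionProperties + pSessionProperties->LogFileNameOffset),
                  sizeof(LOGFILE_PATH), LOGFILE_PATH);

    // Create the trace session.
    status = StartTrace((PTRACEHANDLE)&SessionHandle, KERNEL_LOGGER_NAME, pSessionProperties);
    if (ERROR_SUCCESS != status)
    {
        if (ERROR_ALREADY_EXISTS == status)
        {
            // Another controller owns the kernel logger; SessionHandle stays 0,
            // so cleanup below will not stop a session we did not start.
            wprintf(L"The NT Kernel Logger session is already in use.\n");
        }
        else
        {
            wprintf(L"StartTrace() failed with %lu\n", status);
        }
        goto cleanup;
    }

    wprintf(L"Press any key to end trace session ");
    _getch();
    rc = 0;

cleanup:
    // A kernel logger session is system-wide and is not tied to this process:
    // returning without ControlTrace(...STOP) would leave it running and
    // still writing events to the log file.
    if (SessionHandle)
    {
        status = ControlTrace(SessionHandle, KERNEL_LOGGER_NAME, pSessionProperties, EVENT_TRACE_CONTROL_STOP);
        if (ERROR_SUCCESS != status)
        {
            wprintf(L"ControlTrace(stop) failed with %lu\n", status);
            rc = 1;
        }
    }
    free(pSessionProperties); // free(NULL) is a no-op

    return rc;
}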