    def get_property_name(self, event_info):
        """Return the name of this property as a Python string.

        ``self.NameOffset`` is an offset relative to the start of the
        TRACE_EVENT_INFO block; ``rel_ptr_to_str`` resolves it against a
        pointer to that block.

        :param event_info: TRACE_EVENT_INFO structure the offset is relative to
        :return: (str) the property name
        """
        base = pointer(event_info)
        return rel_ptr_to_str(base, self.NameOffset)
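    def get_event_map_info(self, event_record, event_info):
        """
        When parsing a field in the event property structure, there may be a mapping between a given
        name and the structure it represents. If it exists, we retrieve that mapping here.

        Because this may legitimately return a NULL value we return a tuple containing the success or
        failure status as well as either None (NULL) or an EVENT_MAP_INFO pointer.

        The lookup is the usual two-call TDH pattern: the first call passes no buffer and
        only asks for the required size; on ERROR_INSUFFICIENT_BUFFER a buffer of that size
        is allocated and the call repeated.

        :param event_record: The EventRecord structure for the event we are parsing
        :param event_info: The TraceEventInfo structure for the event we are parsing
        :return: A tuple ``(map_info, ok)``. ``map_info`` is an EVENT_MAP_INFO pointer, or
                 ``None`` when TDH reports ERROR_NOT_FOUND (no map for this property).
                 ``ok`` is ``True`` on every normal return; failures raise instead.
        :raises OSError: via ``ctypes.WinError`` when TdhGetEventMapInformation returns
                 any status other than ERROR_SUCCESS or ERROR_NOT_FOUND
        """
        map_name = rel_ptr_to_str(pointer(event_info),
                                  self.epi_u1.nonStructType.MapNameOffset)
        map_size = DWORD()
        map_info = ctypes.POINTER(EVENT_MAP_INFO)()

        # Sizing call: no output buffer, TDH writes the needed byte count to map_size.
        status = tdh.TdhGetEventMapInformation(event_record, map_name, None,
                                               ctypes.byref(map_size))
        if ERROR_INSUFFICIENT_BUFFER == status:
            # Allocate exactly the size TDH asked for and fetch the map for real.
            map_info = ctypes.cast((ctypes.c_char * map_size.value)(),
                                   ctypes.POINTER(EVENT_MAP_INFO))
            status = tdh.TdhGetEventMapInformation(event_record, map_name,
                                                   ctypes.byref(map_size))

        if ERROR_SUCCESS == status:
            # NOTE(review): if the sizing call itself returned ERROR_SUCCESS, map_info is
            # still the NULL pointer created above — callers should check for that.
            return map_info, True

        # ERROR_NOT_FOUND is actually a perfectly acceptable status
        if ERROR_NOT_FOUND == status:
            return None, True

        # We actually failed. TDH reports the failure in its return value (that is what
        # `status` holds), not through the thread's last-error slot, so pass it explicitly;
        # a bare WinError() would read an unrelated GetLastError() code.
        raise ctypes.WinError(status)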
 def ProviderMessage(self):
     """Return the provider message string, or ``""`` when none is present.

     ``ProviderMessageOffset`` is resolved relative to a pointer to this
     structure; a non-positive offset is treated as "no string".
     """
     offset = self.ProviderMessageOffset
     if offset <= 0:
         return ""
     return rel_ptr_to_str(pointer(self), offset)
 def EventMessage(self):
     """Return the event message string, or ``""`` when none is present.

     ``EventMessageOffset`` is resolved relative to a pointer to this
     structure; a non-positive offset is treated as "no string".
     """
     offset = self.EventMessageOffset
     if offset <= 0:
         return ""
     return rel_ptr_to_str(pointer(self), offset)
 def OpcodeName(self):
     """Return the opcode name string, or ``""`` when none is present.

     ``OpcodeNameOffset`` is resolved relative to a pointer to this
     structure; a non-positive offset is treated as "no string".
     """
     offset = self.OpcodeNameOffset
     if offset <= 0:
         return ""
     return rel_ptr_to_str(pointer(self), offset)
 def TaskName(self):
     """Return the task name string, or ``""`` when none is present.

     ``TaskNameOffset`` is resolved relative to a pointer to this
     structure; a non-positive offset is treated as "no string".
     """
     offset = self.TaskNameOffset
     if offset <= 0:
         return ""
     return rel_ptr_to_str(pointer(self), offset)
 def KeywordsName(self):
     """Return the keywords name string, or ``""`` when none is present.

     ``KeywordsNameOffset`` is resolved relative to a pointer to this
     structure; a non-positive offset is treated as "no string".
     """
     offset = self.KeywordsNameOffset
     if offset <= 0:
         return ""
     return rel_ptr_to_str(pointer(self), offset)
 def ChannelName(self):
     """Return the channel name string, or ``""`` when none is present.

     ``ChannelNameOffset`` is resolved relative to a pointer to this
     structure; a non-positive offset is treated as "no string".
     """
     offset = self.ChannelNameOffset
     if offset <= 0:
         return ""
     return rel_ptr_to_str(pointer(self), offset)
 def LevelName(self):
     """Return the level name string, or ``""`` when none is present.

     ``LevelNameOffset`` is resolved relative to a pointer to this
     structure; a non-positive offset is treated as "no string".
     """
     offset = self.LevelNameOffset
     if offset <= 0:
         return ""
     return rel_ptr_to_str(pointer(self), offset)