Functions
bool	DeleteTraceSession ()

ULONG	StartPanoptesTrace (LPVOID lpParam)

void	StopPanoptesTrace ()

Function Documentation

◆ DeleteTraceSession()

bool DeleteTraceSession ( )

◆ StartPanoptesTrace()

ULONG StartPanoptesTrace ( LPVOID lpParam )

Definition at line 305 of file events.cpp.

                                         {
    StopAndDeleteTrace();
    PanoptesContext& serviceContext = *(PanoptesContext*)lpParam;
    auto providers = serviceContext.config->m_eventProviders;
 
    // Initialize properties for the single trace session
    ULONG bufferSize = sizeof(EVENT_TRACE_PROPERTIES) + (MAX_PATH * sizeof(WCHAR));
    EVENT_TRACE_PROPERTIES* pProperties = (EVENT_TRACE_PROPERTIES*)malloc(bufferSize);
    ZeroMemory(pProperties, bufferSize);
 
    pProperties->Wnode.BufferSize = bufferSize;
    pProperties->Wnode.Flags = WNODE_FLAG_TRACED_GUID;
    pProperties->Wnode.ClientContext = 1; // QPC clock resolution
    pProperties->LogFileMode = EVENT_TRACE_REAL_TIME_MODE;
    pProperties->LoggerNameOffset = sizeof(EVENT_TRACE_PROPERTIES);
    pProperties->LogFileNameOffset = 0;
 
    // Start the trace session
    TRACEHANDLE hTrace;
    WCHAR sessionName[] = L"Panoptes";
    ULONG result = StartTraceW(&hTrace, sessionName, pProperties);
    if (result != ERROR_SUCCESS)
    {
        // Handle error
        free(pProperties);
        return 1;
    }
 
    // Enable multiple providers
    for (const auto& provider : providers)
    {
        auto [provName, provMatchAny, provMatchAll] = provider;
 
        GUID provGUID = GetProviderGuid(provName).value_or(GUID{});
        if (provGUID == GUID{}) {
            printf("[!] Could not retrieve GUID for %s\n", provName);
            continue;
        }
 
        result = EnableTraceEx2(
            hTrace,
            &provGUID,
            EVENT_CONTROL_CODE_ENABLE_PROVIDER,
            TRACE_LEVEL_INFORMATION,
            provMatchAny,
            provMatchAll,
            0,
            NULL
        );
        if (result != ERROR_SUCCESS)
        {
            // Handle error
            printf("[!] Could not enable trace for %s\n", provName);
            continue;
        }
    }
 
    // Set up the trace session
    EVENT_TRACE_LOGFILEW trace;
    ZeroMemory(&trace, sizeof(EVENT_TRACE_LOGFILE));
    trace.LoggerName = (LPWSTR)sessionName;
    trace.ProcessTraceMode = PROCESS_TRACE_MODE_REAL_TIME | PROCESS_TRACE_MODE_EVENT_RECORD;
    trace.EventRecordCallback = EventRecordCallback;
 
    // Start processing events
    TRACEHANDLE hProcessTrace = OpenTraceW(&trace);
    if (hProcessTrace == INVALID_PROCESSTRACE_HANDLE)
    {
        // Handle error
        ControlTraceW(hTrace, NULL, pProperties, EVENT_TRACE_CONTROL_STOP);
        free(pProperties);
        return 1;
    }
 
    ProcessTrace(&hProcessTrace, 1, NULL, NULL);
 
    // Clean up
    CloseTrace(hProcessTrace);
    ControlTraceW(hTrace, NULL, pProperties, EVENT_TRACE_CONTROL_STOP);
    free(pProperties);
 
    return 1;
 
}

References bufferSize, PanoptesContext::config, EventRecordCallback(), GetProviderGuid(), hTrace, Configuration::m_eventProviders, MAX_PATH, result, serviceContext, StopAndDeleteTrace(), and trace.

Referenced by WinMain().

◆ StopPanoptesTrace()

void StopPanoptesTrace ( )

Definition at line 297 of file events.cpp.

                         {
    std::wstring Name = TRACE_NAMEW;
    ControlTraceW(NULL, Name.c_str(), traceProp, EVENT_TRACE_CONTROL_STOP);
    if (hTrace != NULL) {
        CloseTrace(hTrace);  // Ensure hTrace is closed
    }
}

References hTrace, TRACE_NAMEW, and traceProp.

Functions

Function Documentation

◆ DeleteTraceSession()

◆ StartPanoptesTrace()

◆ StopPanoptesTrace()