#include <wdm.h>
#include <TraceLoggingProvider.h>

Functions
void	TraceInit ()

void	TraceUninit ()

void	Log_DriverEntry (PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)

void	Log_DriverExit (PDRIVER_OBJECT DriverObject)

void	Log_MailSlotOpen (HANDLE ProcessId, HANDLE ThreadId, PWCH FileName)
	Log a mail slot open event.

void	Log_MailSlotCreate (HANDLE ProcessId, HANDLE ThreadId, PWCH FileName)
	Log a mail slot create event.

void	Log_NamedPipeOpen (HANDLE ProcessId, HANDLE ThreadId, PWCH FileName)
	Log a named pipe open event.

void	Log_NamedPipeCreate (HANDLE ProcessId, HANDLE ThreadId, PWCH FileName)
	Log a named pipe create event.

void	Log_FileSuperseded (HANDLE ProcessId, HANDLE ThreadId, PWCH FileName)
	Log a file superseded event.

void	Log_FileOverwritten (HANDLE ProcessId, HANDLE ThreadId, PWCH FileName)
	Log a file overwrite event.

void	Log_FileOpen (HANDLE ProcessId, HANDLE ThreadId, PWCH FileName, BOOLEAN Oplocked)
	Log a file open event.

void	Log_FileCreated (HANDLE ProcessId, HANDLE ThreadId, PWCH FileName, BOOLEAN Oplocked)
	Log a file create event.

void	Log_FileRead (HANDLE ProcessId, HANDLE ThreadId, PWCH FileName, LARGE_INTEGER FileOffset, ULONG ReadLength, BOOLEAN Compressed)
	Log a file read event.

void	Log_FileWrite (HANDLE ProcessId, HANDLE ThreadId, PWCH FileName, LARGE_INTEGER FileOffset, ULONG ReadLength, BOOLEAN Compressed)
	Log a file write event.

Function Documentation

◆ Log_DriverEntry()

void Log_DriverEntry	(	PDRIVER_OBJECT	DriverObject,
		PUNICODE_STRING	RegistryPath
	)

Definition at line 22 of file trace.cpp.

{
    g_DriverObject = DriverObject;
 
    TraceLoggingWrite(g_hPanoProvider, "PanoptesStart",
        TraceLoggingPointer(DriverObject),
        TraceLoggingUnicodeString(RegistryPath, "RegPath"));
}

References g_DriverObject.

Referenced by DriverEntry().

◆ Log_DriverExit()

void Log_DriverExit ( PDRIVER_OBJECT DriverObject )

Definition at line 34 of file trace.cpp.

{
    TraceLoggingWrite(g_hPanoProvider, "PanoptesExit",
        TraceLoggingPointer(DriverObject));
}

Referenced by UnloadPanoptes().

◆ Log_FileCreated()

void Log_FileCreated	(	HANDLE	ProcessId,
		HANDLE	ThreadId,
		PWCH	FileName,
		BOOLEAN	Oplocked
	)

Log a file create event.

Parameters

ProcessId	The ID of the process that created the file
ThreadId	The ID of the thread that created the file
FileName	The name of the file
Oplocked	Whether the file is oplocked

Definition at line 97 of file trace.cpp.

{
    TraceLoggingWrite(g_hPanoProvider, "FileCreated",
        TraceLoggingValue(ProcessId, "SourceProcessId"),
        TraceLoggingValue(ThreadId, "SourceThreadId"),
        TraceLoggingWideString(FileName, "FileName"),
        TraceLoggingBool(Oplocked, "Oplocked"));
}

Referenced by FileCreationStatus(), and main().

◆ Log_FileOpen()

void Log_FileOpen	(	HANDLE	ProcessId,
		HANDLE	ThreadId,
		PWCH	FileName,
		BOOLEAN	Oplocked
	)

Log a file open event.

Parameters

ProcessId	The ID of the process that opened the file
ThreadId	The ID of the thread that opened the file
FileName	The name of the file
Oplocked	Whether the file is oplocked

Definition at line 111 of file trace.cpp.

{
    TraceLoggingWrite(g_hPanoProvider, "FileOpened",
        TraceLoggingValue(ProcessId, "SourceProcessId"),
        TraceLoggingValue(ThreadId, "SourceThreadId"),
        TraceLoggingWideString(FileName, "FileName"),
        TraceLoggingBool(Oplocked, "Oplocked"));
}

Referenced by FileCreationStatus().

◆ Log_FileOverwritten()

void Log_FileOverwritten	(	HANDLE	ProcessId,
		HANDLE	ThreadId,
		PWCH	FileName
	)

Log a file overwrite event.

Parameters

ProcessId	The ID of the process that overwrote the file
ThreadId	The ID of the thread that overwrote the file
FileName	The name of the file

Definition at line 125 of file trace.cpp.

{
    TraceLoggingWrite(g_hPanoProvider, "FileOverwritten",
        TraceLoggingValue(ProcessId, "SourceProcessId"),
        TraceLoggingValue(ThreadId, "SourceThreadId"),
        TraceLoggingWideString(FileName, "FileName"));
}

Referenced by FileCreationStatus().

◆ Log_FileRead()

void Log_FileRead	(	HANDLE	ProcessId,
		HANDLE	ThreadId,
		PWCH	FileName,
		LARGE_INTEGER	FileOffset,
		ULONG	ReadLength,
		BOOLEAN	Compressed
	)

Log a file read event.

Parameters

ProcessId	The ID of the process that read the file
ThreadId	The ID of the thread that read the file
FileName	The name of the file
FileOffset	The offset of the file
ReadLength	The length of the read
Compressed	Whether the file is compressed

Definition at line 137 of file trace.cpp.

{
    TraceLoggingWrite(g_hPanoProvider, "FileRead",
        TraceLoggingValue(ProcessId, "SourceProcessId"),
        TraceLoggingValue(ThreadId, "SourceThreadId"),
        TraceLoggingWideString(FileName, "FileName"),
        TraceLoggingULong(ReadLength, "ReadLength"),
        TraceLoggingValue(FileOffset.QuadPart, "FileOffset"),
        TraceLoggingBoolean(Compressed, "CompressedFile"));
}

Referenced by FileReadStatus().

◆ Log_FileSuperseded()

void Log_FileSuperseded	(	HANDLE	ProcessId,
		HANDLE	ThreadId,
		PWCH	FileName
	)

Log a file superseded event.

Parameters

ProcessId	The ID of the process that superseded the file
ThreadId	The ID of the thread that superseded the file
FileName	The name of the file

Definition at line 173 of file trace.cpp.

{
    TraceLoggingWrite(g_hPanoProvider, "FileSuperseded",
        TraceLoggingValue(ProcessId, "SourceProcessId"),
        TraceLoggingValue(ThreadId, "SourceThreadId"),
        TraceLoggingWideString(FileName, "FileName"));
}

Referenced by FileCreationStatus().

◆ Log_FileWrite()

void Log_FileWrite	(	HANDLE	ProcessId,
		HANDLE	ThreadId,
		PWCH	FileName,
		LARGE_INTEGER	FileOffset,
		ULONG	ReadLength,
		BOOLEAN	Compressed
	)

Log a file write event.

Parameters

ProcessId	The ID of the process that wrote the file
ThreadId	The ID of the thread that wrote the file
FileName	The name of the file
FileOffset	The offset of the file
ReadLength	The length of the write
Compressed	Whether the file is compressed

Definition at line 155 of file trace.cpp.

{
    TraceLoggingWrite(g_hPanoProvider, "FileWrite",
        TraceLoggingValue(ProcessId, "SourceProcessId"),
        TraceLoggingValue(ThreadId, "SourceThreadId"),
        TraceLoggingWideString(FileName, "FileName"),
        TraceLoggingULong(ReadLength, "WriteLength"),
        TraceLoggingValue(FileOffset.QuadPart, "FileOffset"),
        TraceLoggingBoolean(Compressed, "CompressedFile"));
}

Referenced by FileWriteStatus().

◆ Log_MailSlotCreate()

void Log_MailSlotCreate	(	HANDLE	ProcessId,
		HANDLE	ThreadId,
		PWCH	FileName
	)

Log a mail slot create event.

Parameters

ProcessId	The ID of the process that created the mail slot
ThreadId	The ID of the thread that created the mail slot
FileName	The name of the mail slot

Definition at line 56 of file trace.cpp.

{
    TraceLoggingWrite(g_hPanoProvider, "MailSlotCreate",
        TraceLoggingValue(ProcessId, "SourceProcessId"),
        TraceLoggingValue(ThreadId, "SourceThreadId"),
        TraceLoggingWideString(FileName, "MailSlotName"));
}

Referenced by MailSlotStatus().

◆ Log_MailSlotOpen()

void Log_MailSlotOpen	(	HANDLE	ProcessId,
		HANDLE	ThreadId,
		PWCH	FileName
	)

Log a mail slot open event.

Parameters

ProcessId	The ID of the process that opened the mail slot
ThreadId	The ID of the thread that opened the mail slot
FileName	The name of the mail slot

Definition at line 44 of file trace.cpp.

{
    TraceLoggingWrite(g_hPanoProvider, "MailSlotOpen",
        TraceLoggingValue(ProcessId, "SourceProcessId"),
        TraceLoggingValue(ThreadId, "SourceThreadId"),
        TraceLoggingWideString(FileName, "MailSlotName"));
}

Referenced by MailSlotStatus().

◆ Log_NamedPipeCreate()

void Log_NamedPipeCreate	(	HANDLE	ProcessId,
		HANDLE	ThreadId,
		PWCH	FileName
	)

Log a named pipe create event.

Parameters

ProcessId	The ID of the process that created the named pipe
ThreadId	The ID of the thread that created the named pipe
FileName	The name of the named pipe

Definition at line 70 of file trace.cpp.

{
    TraceLoggingWrite(g_hPanoProvider, "NamedPipeCreate",
        TraceLoggingValue(ProcessId, "SourceProcessId"),
        TraceLoggingValue(ThreadId, "SourceThreadId"),
        TraceLoggingWideString(FileName, "NamedPipeName"));
}

Referenced by NamedPipeStatus().

◆ Log_NamedPipeOpen()

void Log_NamedPipeOpen	(	HANDLE	ProcessId,
		HANDLE	ThreadId,
		PWCH	FileName
	)

Log a named pipe open event.

Parameters

ProcessId	The ID of the process that opened the named pipe
ThreadId	The ID of the thread that opened the named pipe
FileName	The name of the named pipe

Definition at line 82 of file trace.cpp.

{
    TraceLoggingWrite(g_hPanoProvider, "NamedPipeOpen",
        TraceLoggingValue(ProcessId, "SourceProcessId"),
        TraceLoggingValue(ThreadId, "SourceThreadId"),
        TraceLoggingWideString(FileName, "NamedPipeName"));
}

Referenced by NamedPipeStatus().

◆ TraceInit()

void TraceInit ( )

Definition at line 10 of file trace.cpp.

{
    TraceLoggingRegister(g_hPanoProvider);
}

Referenced by DriverEntry(), and main().

◆ TraceUninit()

void TraceUninit ( )

Definition at line 15 of file trace.cpp.

{
    TraceLoggingUnregister(g_hPanoProvider);
}

Referenced by UnloadPanoptes().

Functions

Function Documentation

◆ Log_DriverEntry()

◆ Log_DriverExit()

◆ Log_FileCreated()

◆ Log_FileOpen()

◆ Log_FileOverwritten()

◆ Log_FileRead()

◆ Log_FileSuperseded()

◆ Log_FileWrite()

◆ Log_MailSlotCreate()

◆ Log_MailSlotOpen()

◆ Log_NamedPipeCreate()

◆ Log_NamedPipeOpen()

◆ TraceInit()

◆ TraceUninit()