Documentation ¶
Index ¶
- Constants
- Variables
- func CloseTrace(handle TraceHandle) error
- func ControlTrace(handle TraceHandle, name string, props *EventTraceProperties, ...) error
- func EnableTrace(guid syscall.GUID, handle TraceHandle, keyword uint32) error
- func ProcessTrace(handle TraceHandle) error
- func SetTraceInformation(handle TraceHandle, infoClass uint8, traceFlags []EventTraceFlags) error
- type BufferContext
- type EventDescriptor
- type EventHeader
- type EventHeaderExtendedDataItem
- type EventRecord
- type EventTrace
- type EventTraceFlags
- type EventTraceHeader
- type EventTraceLogfile
- type EventTraceProperties
- type Linkage
- type TraceHandle
- type TraceLogfileHeader
- type TraceOperation
- type WnodeHeader
Constants ¶
const ( // KernelLoggerSession represents the default session name for NT kernel logger KernelLoggerSession = "NT Kernel Logger" // KernelLoggerRundownSession is the session name for the kernel rundown logger KernelLoggerRundownSession = "Kernel Rundown Logger" // KernelAuditAPICallsSession represents the session name for the kernel audit API logger KernelAuditAPICallsSession = "Kernel Audit API Calls Logger" // WnodeTraceFlagGUID indicates that the structure contains event tracing information WnodeTraceFlagGUID = 0x00020000 // ProcessTraceModeRealtime denotes that there will be a real-time consumers for events forwarded from the providers ProcessTraceModeRealtime = 0x00000100 // ProcessTraceModeEventRecord is the mode that enables the "event record" format for kernel events ProcessTraceModeEventRecord = 0x10000000 )
const ( // TraceSystemTraceEnableFlagsInfo controls system logger event flags TraceSystemTraceEnableFlagsInfo = uint8(4) )
Variables ¶
var KernelAuditAPICallsGUID = syscall.GUID{Data1: 0xe02a841c, Data2: 0x75a3, Data3: 0x4fa7, Data4: [8]byte{0xaf, 0xc8, 0xae, 0x09, 0xcf, 0x9b, 0x7f, 0x23}}
KernelAuditAPICallsGUID represents the GUID for the kernel audit API provider
var KernelRundownGUID = syscall.GUID{Data1: 0x3b9c9951, Data2: 0x3480, Data3: 0x4220, Data4: [8]byte{0x93, 0x77, 0x9c, 0x8e, 0x51, 0x84, 0xf5, 0xcd}}
KernelRundownGUID is the GUID for the kernel rundown logger
var KernelTraceControlGUID = syscall.GUID{Data1: 0x9e814aad, Data2: 0x3204, Data3: 0x11d2, Data4: [8]byte{0x9a, 0x82, 0x00, 0x60, 0x08, 0xa8, 0x69, 0x39}}
KernelTraceControlGUID is the GUID for the kernel system logger
Functions ¶
func CloseTrace ¶
func CloseTrace(handle TraceHandle) error
CloseTrace closes a trace. If you call this function before ProcessTrace returns, the CloseTrace function returns ErrorCtxClosePending. The ErrorCtxClosePending code indicates that the CloseTrace function call was successful; the ProcessTrace function will stop processing events after it processes all events in its buffers.
func ControlTrace ¶
func ControlTrace(handle TraceHandle, name string, props *EventTraceProperties, operation TraceOperation) error
ControlTrace performs various operation on the specified event tracing session, such as updating, flushing or stopping the session.
func EnableTrace ¶
func EnableTrace(guid syscall.GUID, handle TraceHandle, keyword uint32) error
EnableTrace influences the behaviour of the specified event trace provider.
func ProcessTrace ¶
func ProcessTrace(handle TraceHandle) error
ProcessTrace function delivers events from one or more event tracing sessions to the consumer. Function sorts the events chronologically and delivers all events generated between StartTime and EndTime. The ProcessTrace function blocks the thread until it delivers all events, the BufferCallback function returns false, or you call CloseTrace.
func SetTraceInformation ¶
func SetTraceInformation(handle TraceHandle, infoClass uint8, traceFlags []EventTraceFlags) error
SetTraceInformation enables or disables event tracing session settings for the specified information class.
Types ¶
type BufferContext ¶
type BufferContext struct { // ProcessorIndex is an union type that contains among other fields the number of the CPU on which // the provider process was running. ProcessorIndex [2]byte // LoggerID identifies of the session that logged the event. LoggerID uint16 }
BufferContext provides context information about the event.
type EventDescriptor ¶
type EventDescriptor struct { // ID represents event identifier. ID uint16 // Version indicates a revision to the event definition. Version uint8 // Channel is the audience for the event (e.g. administrator or developer). Channel uint8 // Level is the severity or level of detail included in the event. Level uint8 // Opcode is step in a sequence of operations being performed within the `Task` field. For MOF-defined events, // the `Opcode` member contains the event type value. Opcode uint8 // Task represents a larger unit of work within an application or component. Task uint16 // Keyword A bitmask that specifies a logical group of related events. Each bit corresponds to one group. An event may belong to one or more groups. // The keyword can contain one or more provider-defined keywords, standard keywords, or both. Keyword uint64 }
EventDescriptor contains metadata that defines the event.
type EventHeader ¶
type EventHeader struct { // Size represents the size of the event, in bytes. Size uint16 // HeaderType is reserved. HeaderType uint16 // Flags provides information about the event such as the type of session it was logged to and if // the event contains extended data. Flags uint16 // EventProperty indicates the source to use for parsing the event data. EventProperty uint16 // ThreadID identifies the thread that generated the event. ThreadID uint32 // ProcessID identifies the process that generated the event. ProcessID uint32 // Timestamps contains the time that the event occurred. Timestamp uint64 // ProviderID is the GUID that uniquely identifies the provider that logged the event. ProviderID syscall.GUID // EventDescriptor defines the information about the event such as the event identifier and severity level. EventDescriptor EventDescriptor // ProcessorTime is the union type that defines elapsed execution time for kernel-mode and user-mode instructions // in CPU units. ProcessorTime [8]byte // ActivityID is the identifier that relates two events. ActivityID syscall.GUID }
EventHeader defines information about the event.
type EventHeaderExtendedDataItem ¶
type EventHeaderExtendedDataItem struct { // Reserverd1 is a reserved field. Reserved1 uint16 // ExtType defines the type of extended data. ExtType uint16 Linkage // DataSize is the size in bytes, of the extended data DataSize uint16 // DataPtr is the pointer to extended data. DataPtr uint64 }
EventHeaderExtendedDataItem defines the extended data that ETW collects as part of the event data.
type EventRecord ¶
type EventRecord struct { // Header represents information about the event such as the time stamp for when it was written. Header EventHeader // BufferContext defines information such as the session that logged the event. BufferContext BufferContext // ExtendedDataCount is the number of extended data structures in the `ExtendedData` field. ExtendedDataCount uint16 // BufferLen represents the size, in bytes, of the event data buffer BufferLen uint16 // ExtendedData designates extended data items that ETW collects. The extended data includes some items, such as the security // identifier (SID) of the user that logged the event. ExtendedData *EventHeaderExtendedDataItem // Buffer represents raw event data that's parsed via TDH API. Buffer uintptr // UserContext is a pointer to custom user data passed in `EventTraceLogfile` structure. UserContext uintptr }
EventRecord defines the layout of an event that ETW delivers.
type EventTrace ¶
type EventTrace struct { // Header contains standard event tracing metadata. Header EventTraceHeader // InstanceID represents the instance identifier. InstanceID uint32 // ParentInstanceID represents instance identifer for a parent event. ParentInstanceID uint32 // ParentGUID is the class GUID of the parent event. ParentGUID syscall.GUID // MofData is the pointer to the beginning of the event-specific data for this event. MofData uintptr // MofLength represents the number of bytes to which `MofData` points. MofLength uint32 // Context is an union type: // union { // ULONG ClientContext; // ETW_BUFFER_CONTEXT BufferContext; // }; // `ClientContext` field is reserved. `BufferContext` Provides information about the event such as the session identifier // and processor number of the CPU on which the provider process ran. Context [2]byte }
EventTrace stores event information that is delivered to an event trace consumer.
type EventTraceFlags ¶
type EventTraceFlags uint32
EventTraceFlags is the type alias for kernel trace events
const ( // ALPC flag activates ALPC events ALPC EventTraceFlags = 0x00100000 // Cswitch flag enables context switch events Cswitch EventTraceFlags = 0x00000010 // DbgPrint flag enables stack walk information DbgPrint EventTraceFlags = 0x00040000 // DiskFileIO flag enables file system events DiskFileIO EventTraceFlags = 0x00000200 // DiskIO flag enables disk I/O events DiskIO EventTraceFlags = 0x00000100 // DiskIOInit flag enables start/end disk I/O events DiskIOInit EventTraceFlags = 0x00000400 // Dispatcher flag activates dispatcher events Dispatcher EventTraceFlags = 0x00000800 // DPC flag enables Deferred Procedure Call events DPC EventTraceFlags = 0x00000020 // Driver flag enables driver events Driver EventTraceFlags = 0x00800000 // FileIO enables file I/O events. FileIO EventTraceFlags = 0x02000000 // FileIOInit flag enables file start/end events. FileIOInit EventTraceFlags = 0x04000000 // ImageLoad flag enables image events. ImageLoad EventTraceFlags = 0x00000004 // Handle flag enables handle events. Handle EventTraceFlags = 0x80000040 // IRQ flag enables IRQ events. IRQ EventTraceFlags = 0x00000040 // Job flag enables job events. Job EventTraceFlags = 0x00080000 // NetTCPIP flag enables network events. NetTCPIP EventTraceFlags = 0x00010000 // Process flag enables process events. Process EventTraceFlags = 0x00000001 // Registry flag enable registry events. Registry EventTraceFlags = 0x00020000 // Syscall flag enables syscall enter/exit events. Syscall EventTraceFlags = 0x00000080 // Thread flag enables thread events. Thread EventTraceFlags = 0x00000002 )
func (EventTraceFlags) String ¶
func (f EventTraceFlags) String() string
String returns the string representation of enabled event trace flags.
type EventTraceHeader ¶
type EventTraceHeader struct { // Size represents the total number of bytes of the event. It includes the size of the header structure, // plus the size of any event-specific data appended to the header. Size uint16 // FieldTypeFlags is an union field represented as follow: // union { // USHORT FieldTypeFlags; // struct { // UCHAR HeaderType; // UCHAR MarkerFlags; // }; // }; // All memebers of this union are reserved for internal use. FieldTypeFlags [2]byte // Versions in an union field with the following declaration: // union { // ULONG Version; // struct { // UCHAR Type; // UCHAR Level; // USHORT Version; // } Class; // }; // `Type` field indicates the general purpose type of this event (e.g. data collection end/start, checkpoint, etc.) // `Level` designates the severity of the generated event and the `Version` tells the consumer which MOF class to use to // decipher the event data. Version [4]byte // ThreadID identifes the thread that generated this event. ThreadID uint32 // ProcessID identifes the process that generated this event. ProcessID uint32 // Timestamp contains the time that the event occurred. Timestamp uint64 // GUID is an union: // union { // GUID Guid; // ULONGLONG GuidPtr; // }; // `Guid` identifies a category of events. `GuidPtr` is the pointer to an event trace class GUID. GUID [16]byte // ProcessorTime is another union type: // union { // struct { // ULONG ClientContext; // ULONG Flags; // }; // struct { // ULONG KernelTime; // ULONG UserTime; // }; // ULONG64 ProcessorTime; // }; // `ClientContext` is reserved, while `Flags` must be set to `WnodeFlagTracedGuid`. The rest of the members // specify elapsed execution time for kernel and user mode instructions respectively. ProcessorTime [8]byte }
EventTraceHeader contains standard event tracing information common to all events.
type EventTraceLogfile ¶
type EventTraceLogfile struct { // LogFileName is the name of the log file used by the event tracing session. LogFileName *uint16 // LoggerName is the name of the event tracing session. Only applicable when consuming events in real time. LoggerName *uint16 // CurrentTime on output, the current time, in 100-nanosecond intervals since midnight, January 1, 1601. CurrentTime int64 // BuffersRead represents the number of buffers processed. BuffersRead uint32 // LogFileMode is union type the dictates the processing mode for events. LogFileMode [4]byte // CurrentEvents contains the last event processed. CurrentEvent EventTrace // LogfileHeader represents global information about the tracing session. LogfileHeader TraceLogfileHeader // BufferCallback is a pointer to the function that receives buffer-related statistics for each buffer ETW flushes. // ETW calls this callback after it delivers all the events in the buffer. BufferCallback uintptr // BufferSize contains the size of each buffer, in bytes. BufferSize uint32 // Filled contains the number of bytes in the buffer that contain valid information. Filled uint32 // EventsLost is an unused field. EventsLost uint32 // EventCallback is the union field that contains pointers to callback functions that ETW calls for each buffer. EventCallback [8]byte // IsKernelTrace specifies whether the event tracing session is the NT kernel logger. IsKernelTrace uint32 // Context is data that a consumer can specify when calling `OpenTrace` function. Context uintptr }
EventTraceLogfile specifies how the consumer wants to read events (from a log file or in real-time) and the callbacks that will receive the events.When ETW flushes a buffer, this structure contains information about the event tracing session and the buffer that ETW flushed.
type EventTraceProperties ¶
type EventTraceProperties struct { // Wnode structure requires `BufferSize`, `Flags` and `GUID` members to be initialized. Wnode WnodeHeader // BufferSize represents the amount of memory allocated for each event tracing session buffer, in kilobytes. // The maximum buffer size is 1 MB. ETW uses the size of physical memory to calculate this value. // If an application expects a relatively low event rate, the buffer size should be set to the memory page size. // To get the page memory size, you can invoke GetSystemInfo() function. // If the event rate is expected to be relatively high, the application should specify a larger buffer size, // and should increase the maximum number of buffers. // // The buffer size affects the rate at which buffers fill and must be flushed. Although a small buffer size requires // less memory, it increases the rate at which buffers must be flushed. BufferSize uint32 // MinimumBuffers specifies the minimum number of buffers allocated for the event tracing session's buffer pool. // The minimum number of buffers that you can specify is two buffers per processor. For example, on a single processor machine, // the minimum number of buffers is two. MinimumBuffers uint32 // MaximumBuffers is the maximum number of buffers allocated for the event tracing session's buffer pool. Typically, this value is // the minimum number of buffers plus twenty. ETW uses the buffer size and the size of physical memory to calculate this value. MaximumBuffers uint32 // MaximumFileSize is the maximum size of the file used to log events, in megabytes. MaximumFileSize uint32 // LogFileMode determines the logging modes for the event tracing session. You use this member to specify that you want events written to a // log file, a real-time consumer, or both. In real-time logging mode, if no consumers are available, events will be written // to disk, and when a consumers begins processing real-time events, the events in the playback file are consumed first. LogFileMode uint32 // FlushTimer specifies how often, in seconds, the trace buffers are forcibly flushed. The minimum flush time is 1 second. // This forced flush is in addition to the automatic flush that occurs whenever a buffer is full and when the trace session // stops. If zero, ETW flushes buffers as soon as they become full. If nonzero, ETW flushes all buffers that contain events // based on the timer value. Typically, you want to flush buffers only when they become full. Forcing the buffers to flush // (either by setting this member to a nonzero value or by calling `FlushTrace`) can increase the file size of the log file // with unfilled buffer space. // // If the consumer is consuming events in real time, you may want to set this member to a nonzero value if the event rate is // low to force events to be delivered before the buffer is full. // For the case of a realtime logger, a value of zero (the default value) means that the flush time will be set to 1 second. // A realtime logger is when LogFileMode is set to `EventTraceRealTimeMode`. FlushTimer uint32 // EnableFlags specifies which kernel events are delievered to the consumer when NT Kernel logger session is started. // For example, registry events, process, disk IO and so on. EnableFlags EventTraceFlags // AgeLimit is not used. AgeLimit int32 // NumberOfBuffers indicates the number of buffers allocated for the event tracing session's buffer pool. NumberOfBuffers uint32 // FreeBuffers indicates the number of buffers that are allocated but unused in the event tracing session's buffer pool. FreeBuffers uint32 // EventsLost counts the number of events that were not recorded. EventsLost uint32 // BuffersWritten counts the number of buffers written. BuffersWritten uint32 // LogBuffersLost determines the number of buffers that could not be written to the log file. LogBuffersLost uint32 // RealTimeBuffersLost represents the number of buffers that could not be delivered in real-time to the consumer. RealTimeBuffersLost uint32 // LoggerThreadID is the thread identifier for the event tracing session. LoggerThreadID uintptr // LogFileNameOffset is the offset from the start of the structure's allocated memory to beginning of the null-terminated // string that contains the log file name. LogFileNameOffset uint32 // LoggerNameOffset is the offset from the start of the structure's allocated memory to beginning of the null-terminated // string that contains the session name. The session name is limited to 1024 characters. The session name is case-insensitive // and must be unique. LoggerNameOffset uint32 }
EventTraceProperties contains information about an event tracing session. Each time a new session is created, or an existing session is about to be modified, this structure is used to describe session properties.
type TraceHandle ¶
type TraceHandle uintptr
TraceHandle is an alias for trace handle type
func OpenTrace ¶
func OpenTrace(ktrace EventTraceLogfile) TraceHandle
OpenTrace opens a real-time trace session or log file for consuming.
func StartTrace ¶
func StartTrace(name string, props *EventTraceProperties) (TraceHandle, error)
StartTrace registers and starts an event tracing session for the specified provider. The trace assumes there will be a real-time event consumer responsible for collecting and processing events. If the function succeeds, it returns the handle to the tracing session.
func (TraceHandle) IsValid ¶
func (handle TraceHandle) IsValid() bool
IsValid determines if the session handle is valid
type TraceLogfileHeader ¶
type TraceLogfileHeader struct { // BufferSize is the size of the event tracing session's buffers in bytes. BufferSize uint32 // Version is the union type that represents version number of the operating system. Version [4]byte // ProviderVersion is the build number of the operating system. ProviderVersion uint32 // NumberOfProcessors indicates the number of processors on the system. NumberOfProcessors uint32 // EndTime is the time at which the event tracing session stopped. This value is 0 for real time event consumers. EndTime uint64 // TimerResolution is the resolution of the hardware timer, in units of 100 nanoseconds. TimerResolution uint32 // MaximumFileSize is the size of the log file, in megabytes. MaximumFileSize uint32 // LogfileMode represents the current logging mode for the event tracing session. LogfileMode uint32 // BuffersWritten is the total number of buffers written by the event tracing session. BuffersWritten uint32 // GUID is a an union type with the two first field reserved for internal usage. Other fields indicate // the number of events lost and the CPU speed in Mhz. GUID [16]byte // LoggerName is a reserved field. LoggerName *uint16 // LogfileName is a reserved field. LogfileName *uint16 // TimeZone contains time-zone information for `BootTime`, `EndTime` and `StartTime` fields. TimeZone syscall.Timezoneinformation // BootTime is the time at which the system was started, in 100-nanosecond intervals since midnight, January 1, 1601. BootTime uint64 // PerfFreq is the frequency of the high-resolution performance counter, if one exists. PerfFreq uint64 // StartTime is the time at which the event tracing session started, in 100-nanosecond intervals since midnight, January 1, 1601. StartTime uint64 // ReservedFlags specifies the clock type. ReservedFlags uint32 // BuffersLost is the total number of buffers lost during the event tracing session. BuffersLost uint32 }
TraceLogfileHeader contains information about an event tracing session and its events.
type TraceOperation ¶
type TraceOperation uint32
TraceOperation is the type alias for the trace operation.
const ( // Query represents the query trace operation. Query TraceOperation = 0 // Stop represents the stop trace operation. Stop TraceOperation = 1 // Update represents the update trace operation. Update TraceOperation = 2 // Flush represents the flush trace operation. Flush TraceOperation = 3 )
type WnodeHeader ¶
type WnodeHeader struct { // BufferSize is the total size of memory allocated, in bytes, for the event tracing session properties. BufferSize uint32 // ProviderID is reserved for internal use. ProviderID uint32 // HostricalContext is an union field with the following C representation: // union { // ULONG64 HistoricalContext; // struct { // ULONG Version; // ULONG Linkage; // }; // }; // On output, HistoricalContext stores the handle to the event tracing session. Version and Linkage fields are reserved for internal use. HistoricalContext [8]byte // KernelHandle is an union with the following C representation: // union { // HANDLE KernelHandle; // LARGE_INTEGER TimeStamp; // }; // `KernelHandle` is reserved for internal use. `TimeStamp` designates the instant at which the information of this // structure was updated. KernelHandle [8]byte // GUID that defines the session. For NT Kernel Logger session we have to set this member to `SystemTraceControlGuid`. GUID syscall.GUID // ClientContext represents clock resolution to use when logging the time stamp for each event. The default is Query performance counter (QPC). ClientContext uint32 // Flags must contain `WnodeFlagTracedGUID` to indicate that the structure contains event tracing information. Flags uint32 }
WnodeHeader is a member of `EventTraceProperties` structure. The majority of the fields in this structure are not relevant to us.