using System;
namespace DiskActivityMonitor
{
using System.Runtime.InteropServices;
// [StructLayout(LayoutKind.Sequential)]
// public struct GUID
// {
// public uint a;
// public short b;
// public short c;
// [MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)]
// public byte[] d;
// }
// [StructLayout(LayoutKind.Explicit)]
// public struct WnodeHeader
// {
// [FieldOffset(0)]
// public uint BufferSize;
// [FieldOffset(4)]
// public uint ProviderId;
// [FieldOffset(8)]
// public ulong HistoricalContext;
// [FieldOffset(8)]
// public uint Version;
// [FieldOffset(12)]
// public uint Linkage;
// [FieldOffset(16)]
// public IntPtr KernelHandle;
// [FieldOffset(16)]
// public long TimeStamp;
// [FieldOffset(24)]
// public GUID Guid;
// [FieldOffset(40)]
// public uint ClientContext;
// [FieldOffset(44)]
// public uint Flags;
// }
// [StructLayout(LayoutKind.Sequential)]
// public struct EventTraceProperties
//{
// public WnodeHeader Wnode;
// public uint BufferSize;
// public uint MinimumBuffers;
// public uint MaximumBuffers;
// public uint MaximumFileSize;
// public uint LogFileMode;
// public uint FlushTimer;
// public uint EnableFlags;
// public int AgeLimit;
// public uint NumberOfBuffers;
// public uint FreeBuffers;
// public uint EventsLost;
// public uint BuffersWritten;
// public uint LogBuffersLost;
// public uint RealTimeBuffersLost;
// public IntPtr LoggerThreadId;
// public uint LogFileNameOffset;
// public uint LoggerNameOffset;
// }
/// <summary>
/// P/Invoke bindings for the native <c>RealTimeETWListener.dll</c> library.
/// </summary>
/// <remarks>
/// Every entry point is bound with the cdecl calling convention and operates on an opaque
/// listener handle: <see cref="genRTL"/> produces it, the <c>rtl*</c> calls receive it by
/// value, and <see cref="deleteRTL"/> receives it by reference.
/// NOTE(review): the library is named by bare file name with no search-path restriction
/// visible in this file, so it is resolved through the default native library search unless
/// an assembly-level <c>DefaultDllImportSearchPaths</c> is declared elsewhere. Consider
/// pinning the search path so a same-named DLL in another probed directory cannot be loaded.
/// NOTE(review): nothing here wraps the handle in a <c>SafeHandle</c>; callers appear to be
/// responsible for pairing <see cref="genRTL"/> with <see cref="deleteRTL"/> - confirm.
/// </remarks>
public static class EtwListener
{
    // Disabled earlier declarations (direct sechost.dll binding), kept as found:
    //public static readonly string KERNEL_LOGGER_NAME = "NT Kernel Logger";
    //public static readonly GUID SystemTraceControlGuid = new GUID() { a = 0x9e814aad, b = 0x3204, c = 0x11d2, d = new byte[]{ 0x9a, 0x82, 0x00, 0x60, 0x08, 0xa8, 0x69, 0x39 } };
    //[DllImport("sechost.dll")]
    //public static extern ulong StartStrace(out IntPtr sessionHandle, [In] string sessionName, ref EventTraceProperties properties);

    // Single place for the native module name shared by all imports below.
    private const string NativeLibrary = "RealTimeETWListener.dll";

    /// <summary>Calls the native <c>genRTL</c> export, which writes a listener handle.</summary>
    /// <param name="handle">Receives the handle written by the native side.</param>
    [DllImport(
        NativeLibrary,
        CallingConvention = CallingConvention.Cdecl,
        EntryPoint = "genRTL")]
    public static extern void genRTL(out IntPtr handle);

    /// <summary>Calls the native <c>deleteRTL</c> export for a listener handle.</summary>
    /// <param name="handle">
    /// Handle passed by reference; presumably reset by the native side - confirm.
    /// </param>
    [DllImport(
        NativeLibrary,
        CallingConvention = CallingConvention.Cdecl,
        EntryPoint = "deleteRTL")]
    public static extern void deleteRTL(ref IntPtr handle);

    /// <summary>Calls the native <c>rtlStartTrace</c> export.</summary>
    /// <param name="handle">Listener handle obtained from <see cref="genRTL"/>.</param>
    /// <returns>
    /// Native status value; its meaning is not visible here (presumably a Win32 error
    /// code - confirm) and callers should check it.
    /// </returns>
    [DllImport(
        NativeLibrary,
        CallingConvention = CallingConvention.Cdecl,
        EntryPoint = "rtlStartTrace")]
    public static extern uint rtlStartTrace([In] IntPtr handle);

    /// <summary>Calls the native <c>rtlStartConsumption</c> export.</summary>
    /// <param name="handle">Listener handle obtained from <see cref="genRTL"/>.</param>
    /// <returns>Native status value; meaning not visible here - confirm.</returns>
    [DllImport(
        NativeLibrary,
        CallingConvention = CallingConvention.Cdecl,
        EntryPoint = "rtlStartConsumption")]
    public static extern uint rtlStartConsumption([In] IntPtr handle);

    /// <summary>Calls the native <c>rtlStopConsumption</c> export.</summary>
    /// <param name="handle">Listener handle obtained from <see cref="genRTL"/>.</param>
    /// <returns>Native status value; meaning not visible here - confirm.</returns>
    [DllImport(
        NativeLibrary,
        CallingConvention = CallingConvention.Cdecl,
        EntryPoint = "rtlStopConsumption")]
    public static extern uint rtlStopConsumption([In] IntPtr handle);
}
}