|
|
//+---------------------------------------------------------------------------
//
// Microsoft Windows
// Copyright (C) Microsoft Corporation, 2000.
//
// File: wmiTrace.c
//
// Contents: windbg extension to dump WMI Trace Buffers
//
// Classes:
//
// Functions: help Standard KD Extension Function
// strdump Dump the Logger Structure
// logdump Dump the in-memory part of the TraceBuffers
// logsave Save the in-memory part of the TraceBuffers
// to a file.
// wmiLogDump Callable procedure used when caller wishes
// to replace the filter, sort, or output routines
//
// Coupling:
//
// Notes:
//
// History: 04-27-2000 glennp Created
// 07-17-2000 glennp Added support for Stephen Hsiao's
// Non-Blocking Buffers.
// 12-13-2000 glennp Changed from typedefs to struct tags
// per change in compiler behavior.
//
//----------------------------------------------------------------------------
#include "kdExts.h"
#define _WMI_SOURCE_
#include <wmium.h>
#include <ntwmi.h>
#include <evntrace.h>
#include <wmiumkm.h>
#include <traceprt.h>
#include "wmiTrace.h"
#pragma hdrstop
�typedef ULONG64 TARGET_ADDRESS;
typedef VOID (*WMITRACING_KD_LISTENTRY_PROC) ( PVOID Context , TARGET_ADDRESS Buffer , ULONG Length , ULONG CpuNo , ULONG Align , WMI_BUFFER_SOURCE Source );
typedef struct _WMITRACING_BUFFER_SOURCES { ULONG FreeBuffers:1; ULONG FlushBuffers:1; ULONG ActiveBuffers:1; ULONG TransitionBuffer:1;
ULONG PrintInformation:1; ULONG PrintProgressIndicator:1;} WMITRACING_BUFFER_SOURCES;
struct sttSortControl{ ULONG MaxEntries; ULONG CurEntries; WMITRACING_KD_SORTENTRY *pstSortEntries;}; struct sttTraceContext{ struct sttSortControl *pstSortControl; PVOID UserContext; ULONG BufferSize; ULONG Ordinal; WMITRACING_KD_FILTER Filter;}; struct sttSaveContext{ FILE *pfSaveFile;};
extern DBGKD_GET_VERSION64 KernelVersionData;
TARGET_ADDRESS TransitionBuffer;�//+---------------------------------------------------------------------------
//
// Function: void printUnicodeFromAddress
//
// Synopsis: Prints a UNICODE string given the address of the UNICODE_STRING
//
// Arguments: ul64Address The Address of the UNICODE_STRING structure
//
// Returns: <VOID>
//
// History: 04-05-2000 glennp Created
//
// Notes:
//
//----------------------------------------------------------------------------
void printUnicodeFromAddress (TARGET_ADDRESS ul64Address){ TARGET_ADDRESS ul64TarBuffer; ULONG bufferOffset; ULONG lengthRead; ULONG ulInfo;
USHORT usLength; PWCHAR buffer;
ul64TarBuffer = 0; bufferOffset = 0; usLength = 0; buffer = NULL;
GetFieldOffset ("UNICODE_STRING", "Buffer", &bufferOffset); ReadPtr (ul64Address + bufferOffset, &ul64TarBuffer); GetFieldValue (ul64Address, "UNICODE_STRING", "Length", usLength);
buffer = LocalAlloc (LPTR, usLength + sizeof (UNICODE_NULL)); if (buffer == NULL) { dprintf ("<Failed to Allocate Unicode String Buffer>"); return; }
if (usLength > 0) { lengthRead = 0; ulInfo = ReadMemory (ul64TarBuffer, buffer, usLength, &lengthRead); if ((!ulInfo) || (lengthRead != usLength)) { dprintf ("<Failed to Read Entire Unicode String>"); } }
buffer [usLength / 2] = 0; dprintf ("%ws", buffer);
LocalFree(buffer);
return;}�//+---------------------------------------------------------------------------
//
// Function: ULONG lengthUnicodeFromAddress
//
// Synopsis: Get the Length (in bytes) of a UNICODE_STRING (NULL not included)
//
// Arguments: ul64Address The Address of the UNICODE_STRING structure
//
// Returns: Length of String in Bytes
//
// History: 03-27-2000 glennp Created
//
// Notes:
//
//----------------------------------------------------------------------------
ULONG lengthUnicodeFromAddress (TARGET_ADDRESS ul64Address){ USHORT usLength;
usLength = 0; GetFieldValue (ul64Address, "UNICODE_STRING", "Length", usLength);
return ((ULONG) (usLength));}
//+---------------------------------------------------------------------------
//
// Function: void printUnicodeFromStruct
//
// Synopsis: Prints a UNICODE string from an element in a structure
//
// Arguments: Address The Address of the structure containing the US
// Type The Type of the structure containing the US
// Field The name of the field in the structure
// This must be a UNICODE_STRING substructure
//
// Returns: <VOID>
//
// History: 04-05-2000 glennp Created
//
// Notes:
//
//----------------------------------------------------------------------------
void printUnicodeFromStruct (TARGET_ADDRESS Address, PCHAR Type, PCHAR Field){ ULONG ulUnicodeOffset;
GetFieldOffset (Type, Field, &ulUnicodeOffset); printUnicodeFromAddress (Address + ulUnicodeOffset);
return;}
//+---------------------------------------------------------------------------
//
// Function: ULONG GetWmiTraceAlignment
//
// Synopsis: Determines the Alignment modulus for events on the target
//
// Arguments: <NONE>
//
// Returns: The Alignment (normally 8 bytes)
//
// History: 04-05-2000 glennp Created
//
// Notes:
//
//----------------------------------------------------------------------------
ULONG GetWmiTraceAlignment (void){ ULONG ulInfo; ULONG ulBytesRead; UCHAR alignment; TARGET_ADDRESS tarAddress;
alignment = 8; // Set Default
tarAddress = GetExpression ("NT!WmiTraceAlignment"); ulInfo = ReadMemory (tarAddress, &alignment, sizeof (UCHAR), &ulBytesRead); if ((!ulInfo) || (ulBytesRead != sizeof (UCHAR))) { dprintf ("Failed to Read Alignment.\n"); } return ((ULONG) alignment);}�//+---------------------------------------------------------------------------
//
// Function: TARGET_ADDRESS FindLoggerContextArray
//
// Synopsis: Determines the location and size of the LoggerContext Array
//
// Arguments: -> ElementCount The number of elements in the array put here
//
// Returns: Target Address of the LoggerContext Array
//
// History: 04-05-2000 glennp Created
//
// Notes: Returns 0 on error
//
//----------------------------------------------------------------------------
TARGET_ADDRESS FindLoggerContextArray (PULONG ElementCount)
{ TARGET_ADDRESS address; ULONG pointerSize; ULONG arraySize;
address = 0; pointerSize = GetTypeSize ("PVOID"); if ((arraySize = GetTypeSize ("NT!WmipLoggerContext") / pointerSize) != 0) { // Post Windows 2000 Version
address = GetExpression ("NT!WmipLoggerContext"); } else { // Windows 2000 and Before
ULONG ulOffset; address = GetExpression ("NT!WmipServiceDeviceObject"); ReadPtr (address, &address); GetFieldOffset ("DEVICE_OBJECT", "DeviceExtension", &ulOffset); ReadPtr (address + ulOffset, &address); GetFieldOffset ("WMISERVDEVEXT", "LoggerContextTable", &ulOffset);// ulOffset = 0x50;
address += ulOffset; arraySize = GetTypeSize ("WMISERVDEVEXT.LoggerContextTable") / pointerSize;// arraySize = 32;
}
*ElementCount = arraySize; return (address);}�//+---------------------------------------------------------------------------
//
// Function: TARGET_ADDRESS FindLoggerContext
//
// Synopsis: Finds the Address of a specific LoggerContext
//
// Arguments: ulLoggerId Ordinal of the specific LoggerContext
//
// Returns: Target Address of the LoggerContext
//
// History: 04-05-2000 glennp Created
//
// Notes: Returns 0 on error
//
//----------------------------------------------------------------------------
TARGET_ADDRESS FindLoggerContext (ULONG ulLoggerId)
{ TARGET_ADDRESS tarAddress; ULONG ulMaxLoggerId;
tarAddress = FindLoggerContextArray (&ulMaxLoggerId);
if (tarAddress == 0) { dprintf (" Unable to Access Logger Context Array\n"); } else { if (ulLoggerId >= ulMaxLoggerId) { dprintf (" Logger Id TOO LARGE\n"); } else {// tarAddress += GetTypeSize ("PWMI_LOGGER_CONTEXT") * ulLoggerId; //BUGBUG
tarAddress += GetTypeSize ("PVOID") * ulLoggerId; ReadPointer (tarAddress, &tarAddress); if (tarAddress == 0) { dprintf (" LOGGER ID %2d NOT RUNNING PRESENTLY\n", ulLoggerId); } } }
return (tarAddress);}�//+---------------------------------------------------------------------------
//
// Function: wmiDefaultFilter
//
// Synopsis: Filter procedure for wmiTracing. Returns Key
//
// Arguments: Context Arbitrary context: not used
// pstEvent -> to EventTrace
//
// Returns: Key
//
// History: 04-05-2000 glennp Created
//
// Notes:
//
//----------------------------------------------------------------------------
ULONGLONG __cdecl wmiDefaultFilter ( PVOID Context, const PEVENT_TRACE pstEvent )
{ union { LARGE_INTEGER TimeStamp; ULONGLONG Key; } Union;
Union.TimeStamp = pstEvent->Header.TimeStamp; if (Union.Key == 0) Union.Key = 1;
return (Union.Key);}�//+---------------------------------------------------------------------------
//
// Function: wmiDefaultCompare
//
// Synopsis: Performs comparision of three keys
//
// Arguments: SortElement1 -> to "Left" sort element to compare
// SortElement2 -> to "Right" sort element to compare
//
// Returns: -3,-2,-1, 0, +1,+2,+3 for LessThan, Equal, GreaterThan (Left X Right)
//
// History: 04-05-2000 glennp Created
//
// Notes: The first key, "SequenceNo", is compared in a manor that allows
// wrapping around the 32 bit limit.
// The last key, "Ordinal", cannot have equal values and the code
// takes advantage of that fact. This implies that 0 can never be returned.
//
//----------------------------------------------------------------------------
int __cdecl wmiDefaultCompare ( const WMITRACING_KD_SORTENTRY *SortElementL, const WMITRACING_KD_SORTENTRY *SortElementR ) { int iResult; ULONG SequenceNoL; ULONG SequenceNoR;
SequenceNoL = SortElementL->SequenceNo; SequenceNoR = SortElementR->SequenceNo;
if (SequenceNoL == SequenceNoR) { if (SortElementL->Keyll == SortElementR->Keyll) { iResult = (SortElementL->Ordinal < SortElementR->Ordinal) ? -1 : +1; } else { iResult = (SortElementL->Keyll < SortElementR->Keyll) ? -2 : +2; } } else { iResult = ((SequenceNoL - SequenceNoR) > 0x80000000) ? -3 : +3; // See Notes
}
return (iResult);}�//+---------------------------------------------------------------------------
//
// Function: wmiDefaultOutput
//
// Synopsis: Output procedure for wmiTracing. Performs simple dprintf
//
// Arguments: Context Arbitrary context: point to head of MOF list
// SortElement -> sort element describing this event. Not used.
// pstEvent -> to EventTrace
//
// Returns: <void>
//
// History: 04-05-2000 glennp Created
//
// Notes:
//
//----------------------------------------------------------------------------
void __cdecl wmiDefaultOutput ( PVOID UserContext, PLIST_ENTRY GuidListHeadPtr, const WMITRACING_KD_SORTENTRY *SortEntry, const PEVENT_TRACE pstHeader )
{ WCHAR wcaOutputLine[4096];
wcaOutputLine[0] = 0;
FormatTraceEvent (GuidListHeadPtr, (PEVENT_TRACE) pstHeader, (TCHAR *) wcaOutputLine, sizeof (wcaOutputLine), (TCHAR *) NULL); dprintf ("%s\n", wcaOutputLine);
return;}�//+---------------------------------------------------------------------------
//
// Function: wmiKdProcessLinkList
//
// Synopsis: Calls supplied Procedure for each element in a linked list
//
// Arguments: TarLinklistHeadAddress Target Address of Linklist Head
// Procedure Procedure to call for each Buffer
// Context Procedure Context (passthrough)
// Length Size of the Buffer
// Alignment Entry alignment in bytes
// Source Enum specifying type of buffer
// Offset Offset of LL entry in Buffer
// Print Flag passed to Procedure
//
// Returns: Count of Buffers Processed
//
// History: 04-05-2000 glennp Created
//
// Notes:
//
//----------------------------------------------------------------------------
ULONG wmiKdProcessLinkList ( TARGET_ADDRESS TarLinklistHeadAddress, WMITRACING_KD_LISTENTRY_PROC Procedure, PVOID Context, ULONG Length, ULONG Alignment, WMI_BUFFER_SOURCE Source, ULONG Offset, ULONG Print )
{ ULONG ulBufferCount; TARGET_ADDRESS tarLinklistEntryAddress;
ulBufferCount = 0; tarLinklistEntryAddress = TarLinklistHeadAddress;
while (ReadPtr (tarLinklistEntryAddress, &tarLinklistEntryAddress), // NOTE COMMA!
tarLinklistEntryAddress != TarLinklistHeadAddress) { if (CheckControlC()) break; ++ulBufferCount; if (Print) { dprintf ("%4d\b\b\b\b", ulBufferCount); } Procedure (Context, tarLinklistEntryAddress - Offset, Length, ~0, Alignment, Source); }
return ulBufferCount;}�//+---------------------------------------------------------------------------
//
// Function: VOID wmiDumpProc
//
// Synopsis: Procedure passed to wmiKdProcessBuffers() when dumping the
// Buffers to the screen. Performs Buffer Header fixup and
// then records sort keys for those entries that are selected.
//
// Arguments: Context -> to struct sttTraceContext. Used for 'static' memory
// Buffer Target Address of WMI Event buffer to analyze
// Length Length of the buffer (previous parameter)
// Alignment Alignment used by WMI on target machine
// Source Enum of: free, flush, transition, current buffer source
//
// Returns: <VOID>
//
// History: 04-05-2000 glennp Created
//
// Notes:
//
//----------------------------------------------------------------------------
VOID wmiDumpProc ( PVOID Context , TARGET_ADDRESS Buffer , ULONG Length , ULONG CpuNo , ULONG Alignment , WMI_BUFFER_SOURCE Source ){ ULONG size; ULONG offset; ULONG ulInfo; ULONG ulLengthRead;
PUCHAR pBuffer; WMI_HEADER_TYPE headerType; WMIBUFFERINFO stBufferInfo;
struct sttTraceContext *pstContext;
// Cast Context
pstContext = (struct sttTraceContext *) Context;
// Allocate Buffer
pBuffer = LocalAlloc (LPTR, Length); if (pBuffer == NULL) { dprintf ("Failed to Allocate Buffer.\n"); return; }
// Copy Buffer from Target machine
ulLengthRead = 0; ulInfo = ReadMemory (Buffer, pBuffer, Length, &ulLengthRead); if ((!ulInfo) || (ulLengthRead != Length)) { dprintf ("Failed to Read (Entire?) Buffer.\n"); }
// Get Initial Offset and Fixup Header
memset (&stBufferInfo, 0, sizeof (stBufferInfo)); stBufferInfo.BufferSource = Source; stBufferInfo.Buffer = pBuffer; stBufferInfo.BufferSize = Length; stBufferInfo.Alignment = Alignment; stBufferInfo.ProcessorNumber = CpuNo; offset = WmiGetFirstTraceOffset (&stBufferInfo);
// Inspect Each Event
while ((headerType = WmiGetTraceHeader (pBuffer, offset, &size)) != WMIHT_NONE) { ULONG ulInfo; ULONGLONG ullKey; union { EVENT_TRACE stEvent; CHAR caEvent[4096]; } u;
if (CheckControlC()) break;
// Get a consistant header
ulInfo = WmiParseTraceEvent (pBuffer, offset, headerType, &u, sizeof (u));
// Filter and maybe Add to Sort Q
if ((ullKey = pstContext->Filter (pstContext, &u.stEvent)) != 0) { ULONG CurIndex; PWMI_CLIENT_CONTEXT pstClientContext; struct sttSortControl *pstSortControl; PWMITRACING_KD_SORTENTRY pstSortEntry;
pstClientContext = (PWMI_CLIENT_CONTEXT) &u.stEvent.Header.ClientContext; pstSortControl = pstContext->pstSortControl; CurIndex = pstSortControl->CurEntries; if (CurIndex >= pstSortControl->MaxEntries) { pstSortControl->MaxEntries = pstSortControl->MaxEntries * 2 + 64; pstSortControl->pstSortEntries = realloc (pstSortControl->pstSortEntries, sizeof (WMITRACING_KD_SORTENTRY) * (pstSortControl->MaxEntries)); if (pstSortControl->pstSortEntries == NULL) { dprintf ("Memory Allocation Failure\n"); return; } } pstSortEntry = &pstSortControl->pstSortEntries[CurIndex]; memset (pstSortEntry, 0, sizeof (*pstSortEntry)); pstSortEntry->Address = Buffer; pstSortEntry->Keyll = ullKey; { //BUGBUG: This code should be replaced after Ian/Melur supply a way to access SequenceNo
PULONG pulEntry; pulEntry = (PULONG) &pBuffer[offset]; if (((pulEntry[0] & 0xFF000000) == 0x90000000) && ( pulEntry[1] & 0x00010000)) { pstSortEntry->SequenceNo = pulEntry[2]; } else { pstSortEntry->SequenceNo = 0; } } pstSortEntry->Ordinal = pstContext->Ordinal++; pstSortEntry->Offset = offset; pstSortEntry->Length = size; pstSortEntry->BufferSource = Source; pstSortEntry->HeaderType = headerType; pstSortEntry->CpuNo = (USHORT) CpuNo; pstSortControl->CurEntries++; } // If passes Filtering
size = ((size + (Alignment-1)) / Alignment) * Alignment; //BUGBUG: Need fix in GetTraceHeader or WmiFlush. Then remove this line.
offset += size; // Move to next entry.
}
LocalFree (pBuffer); return;}//+---------------------------------------------------------------------------
//
// Function: ULONG wmiKdWriteFileHeader
//
// Synopsis: Write the file header when performing a Save command.
//
// Arguments: SaveFile Handle to a file where we will write the header
// LoggerId Ordinal of the Stream we are writing the header for
// TarLoggerContext TargetAddress of the LoggerContext
//
// Returns: <VOID>
//
// History: 04-05-2000 glennp Created
//
// Notes: This code should really be in wmi somewhere. It's here due to
// the difficulty of creating a simply parameterized procedure.
//
//----------------------------------------------------------------------------
ULONGwmiKdWriteFileHeader ( FILE *SaveFile , ULONG LoggerId , TARGET_ADDRESS TarLoggerContext )
{ ULONG ulInfo; ULONG ulBytesRead; ULONG ulAlignment; ULONG ulBufferSize; ULONG ulBufferCount; ULONG ulPointerSize; ULONG ulHeaderWritten;
ULONG ulInstanceGuidOffset;
UCHAR MajorVersion; UCHAR MinorVersion; PROCESSORINFO ProcessorInfo;
PCHAR pcEnd;
struct sttFileHeader { WMI_BUFFER_HEADER Buffer; SYSTEM_TRACE_HEADER Event; TRACE_LOGFILE_HEADER Header; WCHAR LogName[256]; //BUGBUG: Size??
WCHAR FileName[256]; //BUGBUG: Size??
} stFileHeader;
ZeroMemory (&stFileHeader, sizeof (stFileHeader));
ulAlignment = GetWmiTraceAlignment (); ulPointerSize = GetTypeSize ("PVOID"); GetFieldOffset ("_WMI_LOGGER_CONTEXT", "InstanceGuid", &ulInstanceGuidOffset);
// Get ProcessorInfo and Kernel-User Shared Data
Ioctl (IG_KD_CONTEXT, &ProcessorInfo, sizeof (ProcessorInfo));
// Get Version Info
if (!HaveDebuggerData ()) { dprintf ("No Version Information Available."); MajorVersion = MinorVersion = 0; } else { MajorVersion = (UCHAR) KernelVersionPacket.MajorVersion; MinorVersion = (UCHAR) KernelVersionPacket.MinorVersion; }
// Get Infomation from LoggerContext on Target
InitTypeRead (TarLoggerContext, _WMI_LOGGER_CONTEXT); ulBufferSize = (ULONG) ReadField (BufferSize); ulBufferCount = (ULONG) ReadField (NumberOfBuffers);
stFileHeader.Buffer.Wnode.BufferSize = ulBufferSize; stFileHeader.Buffer.ClientContext.LoggerId = (USHORT) ((LoggerId) ? LoggerId : KERNEL_LOGGER_ID);
stFileHeader.Buffer.ClientContext.Alignment = (UCHAR) ulAlignment;
ulInfo = ReadMemory (TarLoggerContext + ulInstanceGuidOffset, &stFileHeader.Buffer.Wnode.Guid, sizeof (stFileHeader.Buffer.Wnode.Guid), &ulBytesRead); if ((!ulInfo) || (ulBytesRead != sizeof (stFileHeader.Buffer.Wnode.Guid))) { dprintf ("Unable to Read Wnode.Guid\n"); } stFileHeader.Buffer.Wnode.Flags = WNODE_FLAG_TRACED_GUID; ulInfo = ReadMemory (TarLoggerContext + ulInstanceGuidOffset, &stFileHeader.Buffer.InstanceGuid, sizeof (stFileHeader.Buffer.InstanceGuid), &ulBytesRead); if ((!ulInfo) || (ulBytesRead != sizeof (stFileHeader.Buffer.InstanceGuid))) { dprintf ("Unable to Read InstanceGuid\n"); }
// Single Event (File Header)
stFileHeader.Event.Marker = TRACE_HEADER_FLAG | TRACE_HEADER_EVENT_TRACE | ((ulPointerSize > 4) ? (TRACE_HEADER_TYPE_SYSTEM64 << 16) : (TRACE_HEADER_TYPE_SYSTEM32 << 16)); stFileHeader.Event.Packet.Group = (UCHAR) EVENT_TRACE_GROUP_HEADER >> 8; stFileHeader.Event.Packet.Type = EVENT_TRACE_TYPE_INFO;
stFileHeader.Header.StartTime.QuadPart = ReadField (StartTime); stFileHeader.Header.BufferSize = ulBufferSize; stFileHeader.Header.VersionDetail.MajorVersion = MajorVersion; stFileHeader.Header.VersionDetail.MinorVersion = MinorVersion;
//
// The following #if 0's show fields in the header difficult to access from the debugger.
//
#if 0
stFileHeader.Header.VersionDetail.SubVersion = TRACE_VERSION_MAJOR; stFileHeader.Header.VersionDetail.SubMinorVersion = TRACE_VERSION_MINOR; stFileHeader.Header.ProviderVersion = NtBuildNumber;#endif
stFileHeader.Header.StartBuffers = 1;#if 0
stFileHeader.Header.BootTime = KeBootTime; stFileHeader.Header.LogFileMode = LocLoggerContext.LogFileMode & (~(EVENT_TRACE_REAL_TIME_MODE | EVENT_TRACE_FILE_MODE_CIRCULAR));#endif
stFileHeader.Header.NumberOfProcessors = ProcessorInfo.NumberProcessors; stFileHeader.Header.MaximumFileSize = (ULONG) ReadField (MaximumFileSize);#if 0
KeQueryPerformanceCounter (&stFileHeader.Header.PerfFreq); if (WmiUsePerfClock) { stFileHeader.Header.ReservedFlags = 1; } stFileHeader.Header.TimerResolution = KeMaximumIncrement; // DO NOT CHANGE KDDEBUGGER_DATA32!!
#endif
#if 0
stFileHeader.Header.LoggerName = (PWCHAR) ( ( (PUCHAR) ( &stFileHeader.Header ) ) + sizeof(TRACE_LOGFILE_HEADER) ); stFileHeader.Header.LogFileName = (PWCHAR) ( (PUCHAR)stFileHeader.Header.LoggerName + LocLoggerContext.LoggerName.Length + sizeof(UNICODE_NULL));
if (!ReadTargetMemory (LocLoggerContext.LoggerName.Buffer, stFileHeader.Header.LoggerName, LocLoggerContext.LoggerName.Length + sizeof(UNICODE_NULL)) ) { dprintf ("Can't access LoggerName (LoggerContext.LoggerName.Buffer) memory.\n"); } MultiByteToWideChar ( CP_OEMCP, 0, pszSaveFileName, -1, stFileHeader.Header.LogFileName, countof (stFileHeader.FileName));#if 0
RtlQueryTimeZoneInformation(&stFileHeader.Header.TimeZone); stFileHeader.Header.EndTime;#endif
#endif
stFileHeader.Header.PointerSize = ulPointerSize;
pcEnd = (PCHAR) &stFileHeader.LogName; //BUGBUG: Use Calculation Just Below
#if 0
pcEnd = ((PCHAR) stFileHeader.Header.LogFileName) + ((strlen (pszSaveFileName) + 1) * sizeof (WCHAR)); stFileHeader.Buffer.Offset = (ULONG) (pcEnd - ((PCHAR) &stFileHeader));
#endif
stFileHeader.Event.Packet.Size = (USHORT) (pcEnd - ((PCHAR) &stFileHeader.Event));
//
// Fixup Lengths; Write out Header, 0xFF to length of buffer
//
ulHeaderWritten = (ULONG) (pcEnd - ((PCHAR) &stFileHeader));
stFileHeader.Buffer.Offset = ulHeaderWritten; stFileHeader.Buffer.SavedOffset = ulHeaderWritten; stFileHeader.Buffer.CurrentOffset = ulHeaderWritten;
fwrite (&stFileHeader, ulHeaderWritten, 1, SaveFile);
while (ulHeaderWritten < ulBufferSize) { ULONG ulAllOnes; ULONG ulByteCount;
ulAllOnes = ~((ULONG) 0); ulByteCount = ulBufferSize - ulHeaderWritten; if (ulByteCount > sizeof (ulAllOnes)) ulByteCount = sizeof (ulAllOnes); fwrite (&ulAllOnes, ulByteCount, 1, SaveFile); ulHeaderWritten += sizeof (ulAllOnes); }
return (0);}
//+---------------------------------------------------------------------------
//
// Function: VOID wmiSaveProc
//
// Synopsis: Procedure passed to wmiKdProcessBuffers() when saving the
// Buffers to a file for later processing. Performs buffer
// Header fixup and then writes the buffer to the file.
//
// Arguments: Context -> to struct sttSaveContext. Used for 'static' memory
// Buffer Target Address of WMI Event buffer to save
// Length Length of the buffer (previous parameter)
// Alignment Alignment used by WMI on target machine
// Source Enum of: free, flush, transition, current: buffer source
//
// Returns: <VOID>
//
// History: 04-05-2000 glennp Created
//
// Notes:
//
//----------------------------------------------------------------------------
VOID wmiSaveProc ( PVOID Context , TARGET_ADDRESS Buffer , ULONG Length , ULONG CpuNo , ULONG Alignment , WMI_BUFFER_SOURCE Source ){ ULONG ulInfo; ULONG ulLengthRead; PCHAR pBuffer; struct sttSaveContext *pstContext; WMIBUFFERINFO stBufferInfo;
pstContext = (struct sttSaveContext *) Context;
// Allocate Buffer
pBuffer = LocalAlloc (LPTR, Length); if (pBuffer == NULL) { dprintf ("Failed to Allocate Buffer.\n"); return; }
// Read Buffer
ulLengthRead = 0; ulInfo = ReadMemory (Buffer, pBuffer, Length, &ulLengthRead); if ((!ulInfo) || (ulLengthRead != Length)) { dprintf ("Failed to Read (Entire?) Buffer.\n"); }
// Fixup Buffer Header
memset (&stBufferInfo, 0, sizeof (stBufferInfo)); stBufferInfo.BufferSource = Source; stBufferInfo.Buffer = pBuffer; stBufferInfo.BufferSize = Length; stBufferInfo.ProcessorNumber = CpuNo; stBufferInfo.Alignment = Alignment; WmiGetFirstTraceOffset (&stBufferInfo);
// Write to Log File
ulInfo = fwrite (pBuffer, 1, Length, pstContext->pfSaveFile); if (ulInfo != Length) { dprintf ("Failed to Write Buffer.\n"); }
// Free Buffer, Return
LocalFree (pBuffer); return;}
//+---------------------------------------------------------------------------
//
// Function: ULONG wmiKdProcessNonblockingBuffers
//
// Synopsis: Calls Caller-Supplied Procedure for each Buffer in Locations/
// Lists as specified by 'Sources'. Walks lists, Enumerates
// CPU's buffers, and handles 'Transition Buffer' logic.
//
// Arguments: LoggerId
// LoggerContext
// Procedure
// Context
// Sources
//
// Returns: ULONG: Number of Buffers Processed
//
// History: 04-05-2000 glennp Created
//
// Notes: Sources also controls informational printing
//
//----------------------------------------------------------------------------
ULONGwmiKdProcessNonblockingBuffers( ULONG LoggerId, TARGET_ADDRESS LoggerContext, WMITRACING_KD_LISTENTRY_PROC Procedure, PVOID Context, WMITRACING_BUFFER_SOURCES Sources ){ TARGET_ADDRESS tarAddress; TARGET_ADDRESS tarBufferListPointer;
ULONG pointerSize;
PROCESSORINFO ProcessorInfo;
ULONG ulOrdinal; ULONG ulAlignment; ULONG ulBufferSize; ULONG ulLoopCount; ULONG ulBufferCount; ULONG ulBufferNumber;
ULONG tarBufferListOffset;
// Get Pointer to Context Structure
tarAddress = LoggerContext; if (tarAddress == 0) return (0);
// Initialize Locals
ulBufferNumber = 0; ulBufferCount = 0; ulLoopCount = 0;
// Get Sizes, Offsets, Alignments from Target
pointerSize = GetTypeSize ("PVOID"); ulAlignment = GetWmiTraceAlignment (); GetFieldOffset ("_WMI_BUFFER_HEADER", "GlobalEntry", &tarBufferListOffset);
// Optionally Print LoggerId, Context Address, Logger name
if (Sources.PrintInformation) { dprintf (" Logger Id %2d @ 0x%P Named '", LoggerId, tarAddress); printUnicodeFromStruct (tarAddress, "_WMI_LOGGER_CONTEXT", "LoggerName"); dprintf ("'\n"); }
// Setup ReadField's Context, Find Buffer Size
InitTypeRead (tarAddress, _WMI_LOGGER_CONTEXT); ulBufferSize = (ULONG) ReadField (BufferSize);
// Optionally Print a few interesting numbers
if (Sources.PrintInformation) { dprintf (" Alignment = %ld\n", ulAlignment); dprintf (" BufferSize = %ld\n", ulBufferSize); dprintf (" BufferCount = %ld\n", (ULONG) ReadField (NumberOfBuffers)); dprintf (" MaximumBuffers = %ld\n", (ULONG) ReadField (MaximumBuffers)); dprintf (" MinimumBuffers = %ld\n", (ULONG) ReadField (MinimumBuffers)); dprintf (" EventsLost = %ld\n", (ULONG) ReadField (EventsLost)); dprintf (" LogBuffersLost = %ld\n", (ULONG) ReadField (LogBuffersLost)); dprintf (" RealTimeBuffersLost=%ld\n", (ULONG) ReadField (RealTimeBuffersLost)); dprintf (" BuffersAvailable = %ld\n", (ULONG) ReadField (BuffersAvailable)); dprintf (" LastFlushedBuffer = %ld\n", (ULONG) ReadField (LastFlushedBuffer)); } dprintf (" Processing Global List: 0");
tarBufferListPointer = 0; GetFieldValue (tarAddress, "_WMI_LOGGER_CONTEXT", "GlobalList.Next", tarBufferListPointer);
while (tarBufferListPointer != 0) { WMI_BUFFER_SOURCE source; ULONG ulCpuNumber; int iBufferUses; int iProcessBuffer; TARGET_ADDRESS tarBufferPointer; ULONG ulFree, ulInUse, ulFlush;
iBufferUses = 0; ulCpuNumber = ~((ULONG) 0); iProcessBuffer = FALSE; source = WMIBS_TRANSITION_LIST; tarBufferPointer = tarBufferListPointer - tarBufferListOffset; dprintf ("\b\b\b%3d", ++ulLoopCount);
InitTypeRead (tarBufferPointer, _WMI_BUFFER_HEADER); ulFree = (ULONG) ReadField (State.Free); ulInUse = (ULONG) ReadField (State.InUse); ulFlush = (ULONG) ReadField (State.Flush);
// Decide on Buffer Processing based on Use Flags and 'Sources'
if (ulFree ) iBufferUses += 1; if (ulInUse) iBufferUses += 2; if (ulFlush) iBufferUses += 4; switch (iBufferUses) { case 0: { // No bits set, never used.
break; } case 1: { // Free
iProcessBuffer = Sources.FreeBuffers; source = WMIBS_FREE_LIST; break; } case 2: { // InUse
iProcessBuffer = Sources.ActiveBuffers; source = WMIBS_CURRENT_LIST; //source = WMIBS_FLUSH_LIST;
break; } case 3: { // MULTIPLE BITS SET, ERROR
dprintf ("\n***Error, Inconsistent Flags Bits (Free,InUse) Set.***\n"); break; } case 4: { // Flush
iProcessBuffer = Sources.FlushBuffers; source = WMIBS_FLUSH_LIST; break; } case 5: { dprintf ("\n***Error, Inconsistent Flags Bits (Free,Flush) Set.***\n"); break; } case 6: { dprintf ("\n***Error, Inconsistent Flags Bits (InUse,Flush) Set.***\n"); break; } case 7: { dprintf ("\n***Error, Inconsistent Flags Bits (Free,InUse,Flush) Set.***\n"); break; } }
// ProcessBuffer as Decided Above
if (iProcessBuffer) { ulBufferCount++; Procedure (Context, tarBufferPointer, ulBufferSize, ulCpuNumber, ulAlignment, source); } if (GetFieldValue (tarBufferPointer, "_WMI_BUFFER_HEADER", "GlobalEntry", tarBufferListPointer) != 0) { dprintf ("\n***Error Following Global List.***\n"); tarBufferListPointer = 0; } } dprintf (" Buffers\n");
// Return w/ BufferCount
return (ulBufferCount);} // wmiKdProcessNonblockingBuffers
//+---------------------------------------------------------------------------
//
// Function: ULONG wmiKdProcessBlockingBuffers
//
// Synopsis: Calls Caller-Supplied Procedure for each Buffer in Locations/
// Lists as specified by 'Sources'. Walks lists, Enumerates
// CPU's buffers, and handles 'Transition Buffer' logic.
//
// Arguments: LoggerId
// LoggerContext
// Procedure
// Context
// Sources
//
// Returns: ULONG: Number of Buffers Processed
//
// History: 04-05-2000 glennp Created
//
// Notes: Sources also controls informational printing
//
//----------------------------------------------------------------------------
ULONGwmiKdProcessBlockingBuffers( ULONG LoggerId, TARGET_ADDRESS LoggerContext, WMITRACING_KD_LISTENTRY_PROC Procedure, PVOID Context, WMITRACING_BUFFER_SOURCES Sources ){ TARGET_ADDRESS tarAddress; ULONG pointerSize;
PROCESSORINFO ProcessorInfo;
ULONG ulOrdinal; ULONG ulAlignment; ULONG ulBufferSize; ULONG ulBufferCount; ULONG ulBufferNumber; ULONG ulBufferCountTotal;
ULONG tarFlushListOffset; ULONG tarBufferListOffset;
// Get Pointer to Context Structure
tarAddress = LoggerContext; if (tarAddress == 0) return (0);
// Initialize Locals
ulBufferNumber = 0; ulBufferCount = 0; ulBufferCountTotal = 0;
// Get Sizes, Offsets, Alignments from Target
pointerSize = GetTypeSize ("PVOID"); ulAlignment = GetWmiTraceAlignment (); GetFieldOffset ("_WMI_BUFFER_HEADER", "Entry", &tarBufferListOffset); GetFieldOffset ("_WMI_LOGGER_CONTEXT", "FlushList", &tarFlushListOffset);
// Optionally Print LoggerId, Context Address, Logger name
if (Sources.PrintInformation) { dprintf (" Logger Id %2d @ 0x%P Named '", LoggerId, tarAddress); printUnicodeFromStruct (tarAddress, "_WMI_LOGGER_CONTEXT", "LoggerName"); dprintf ("'\n"); }
// Setup ReadField's Context, Find Buffer Size
InitTypeRead (tarAddress, _WMI_LOGGER_CONTEXT); ulBufferSize = (ULONG) ReadField (BufferSize);
// Optionally Print a few interesting numbers
if (Sources.PrintInformation) { dprintf (" Alignment = %ld\n", ulAlignment); dprintf (" BufferSize = %ld\n", ulBufferSize); dprintf (" BufferCount = %ld\n", (ULONG) ReadField (NumberOfBuffers)); dprintf (" MaximumBuffers = %ld\n", (ULONG) ReadField (MaximumBuffers)); dprintf (" MinimumBuffers = %ld\n", (ULONG) ReadField (MinimumBuffers)); dprintf (" EventsLost = %ld\n", (ULONG) ReadField (EventsLost)); dprintf (" LogBuffersLost = %ld\n", (ULONG) ReadField (LogBuffersLost)); dprintf (" RealTimeBuffersLost=%ld\n", (ULONG) ReadField (RealTimeBuffersLost)); dprintf (" BuffersAvailable = %ld\n", (ULONG) ReadField (BuffersAvailable)); dprintf (" LastFlushedBuffer = %ld\n", (ULONG) ReadField (LastFlushedBuffer)); }
// Setup for Checks against TransitionBuffer Address IF REQUESTED
TransitionBuffer = 0; if (Sources.TransitionBuffer) { TARGET_ADDRESS tarTransitionBuffer;
tarTransitionBuffer = ReadField (TransitionBuffer); if ((tarTransitionBuffer != 0) && (tarTransitionBuffer != (tarAddress + tarFlushListOffset))) {
ULONG tarTransitionBufferOffset; GetFieldOffset ("_WMI_BUFFER_HEADER", "Entry", &tarTransitionBufferOffset); tarTransitionBuffer = tarAddress - tarTransitionBufferOffset; TransitionBuffer = tarTransitionBuffer; } }
// Access the Free Queue Buffers IF REQUESTED
if (Sources.FreeBuffers) { ULONG tarFreeListOffset;
GetFieldOffset ("_WMI_LOGGER_CONTEXT", "FreeList", &tarFreeListOffset);
dprintf (" Processing FreeQueue: "); ulBufferCount = wmiKdProcessLinkList (tarAddress + tarFreeListOffset, Procedure, Context, ulBufferSize, ulAlignment, WMIBS_FREE_LIST, tarBufferListOffset, Sources.PrintProgressIndicator); dprintf ("%ld Buffers\n", ulBufferCount); ulBufferCountTotal += ulBufferCount; }
// Access the Flush Queue Buffers IF REQUESTED
if (Sources.FlushBuffers) { dprintf (" Processing FlushQueue: "); ulBufferCount = wmiKdProcessLinkList (tarAddress + tarFlushListOffset, Procedure, Context, ulBufferSize, ulAlignment, WMIBS_FLUSH_LIST, tarBufferListOffset, Sources.PrintProgressIndicator); dprintf ("%ld Buffers\n", ulBufferCount); ulBufferCountTotal += ulBufferCount; }
// Access the 'Live' buffers (one per cpu) IF REQUESTED
if (Sources.ActiveBuffers) { TARGET_ADDRESS tarProcessorArrayAddress; GetFieldValue (tarAddress,"_WMI_LOGGER_CONTEXT", "ProcessorBuffers", tarProcessorArrayAddress); Ioctl (IG_KD_CONTEXT, &ProcessorInfo, sizeof (ProcessorInfo)); for (ProcessorInfo.Processor = 0; ProcessorInfo.Processor < ProcessorInfo.NumberProcessors; ++ProcessorInfo.Processor) { TARGET_ADDRESS tarProcessorPointer; ReadPtr (tarProcessorArrayAddress + ProcessorInfo.Processor * pointerSize, &tarProcessorPointer); dprintf (" Cpu %d Buffer Header @ 0x%P ", ProcessorInfo.Processor, tarProcessorPointer); Procedure (Context, tarProcessorPointer, ulBufferSize, ProcessorInfo.Processor, ulAlignment, WMIBS_CURRENT_LIST); ulBufferCountTotal += 1; dprintf (" \b\n"); } // Cpu Loop
}
// Process the Transition Entry (if any). Note 'IF REQUESTED' test above in Setup
if (TransitionBuffer != 0) { dprintf (" Transition Buffer @ 0x%P ", TransitionBuffer); Procedure (Context, TransitionBuffer, ulBufferSize, ~0, ulAlignment, WMIBS_TRANSITION_LIST); ulBufferCountTotal += 1; }
// Return w/ BufferCount
return (ulBufferCountTotal);} // wmiKdProcessBlockingBuffers
//+---------------------------------------------------------------------------
//
// Function: ULONG wmiKdProcessBuffers
//
// Synopsis: Decides if the target system is using doubly-linked (blocking)
// or singly-linked (non-blocking) lists of buffers. Then it
// calls the appropriate Buffer-Walking routine. They:
// Call Caller-Supplied Procedure for each Buffer in Locations/
// Lists as specified by 'Sources'. Walk lists, Enumerates
// CPU's buffers, and handles 'Transition Buffer' logic.
//
// Arguments: LoggerId
// LoggerContext
// Procedure
// Context
// Sources
//
// Returns: ULONG: Number of Buffers Processed
//
// History: 04-05-2000 glennp Created
//
// Notes: Sources also controls informational printing
//
//----------------------------------------------------------------------------
ULONGwmiKdProcessBuffers( ULONG LoggerId, TARGET_ADDRESS LoggerContext, WMITRACING_KD_LISTENTRY_PROC Procedure, PVOID Context, WMITRACING_BUFFER_SOURCES Sources ){ ULONG ulBufferCountTotal;
int iBufferMechanism; ULONG tarGlobalListOffset; ULONG tarTransitionBufferOffset;
iBufferMechanism = 0; ulBufferCountTotal = 0;
if ((GetFieldOffset ("_WMI_LOGGER_CONTEXT", "GlobalList", &tarGlobalListOffset) == 0) && (tarGlobalListOffset != 0)) { iBufferMechanism += 1; } if ((GetFieldOffset ("_WMI_LOGGER_CONTEXT", "TransitionBuffer", &tarTransitionBufferOffset) == 0) && (tarTransitionBufferOffset != 0)) { iBufferMechanism += 2; }
switch (iBufferMechanism) { case 0: { // Neither, ???
dprintf ("Unable to determine buffer mechanism. " "Check for complete symbol availability.\n"); break; }
case 1: { // Global, no Transition
ulBufferCountTotal = wmiKdProcessNonblockingBuffers (LoggerId, LoggerContext, Procedure, Context, Sources); break; }
case 2: { // Transition, no Global
ulBufferCountTotal = wmiKdProcessBlockingBuffers (LoggerId, LoggerContext, Procedure, Context, Sources); break; }
case 3: { // Both, ???
dprintf ("Unable to determine buffer mechanism. " "Check for new wmiTrace debugger extension. GO = %d, TB = %d\n", tarGlobalListOffset, tarTransitionBufferOffset); break; }
}
// Return w/ BufferCount
return (ulBufferCountTotal);} // wmiKdProcessBuffers
//+---------------------------------------------------------------------------
//
// Function: VOID wmiLogDump
//
// Synopsis: callable procedure to dump the in-memory part of a tracelog.
// Caller can supply three procedures to:
// 1. Filter and Select the Sort Key for VMI Events,
// 2. Compare the Sort Keys, and
// 3. Print the Output for each Selected Event.
// this procedure is called by the built-in extension logdump.
//
// Arguments: LoggerId -> the Id of the logger stream to process
// Context <OMITTED>
// GuidListHeadPtr -> to a list of MOF Guids from GetTraceGuids
// Filter -> to a replacement Filter procedure
// Compare -> to a replacement Compare (for Sort) procedure
// Output -> to a replacement Output procedure
//
// Returns: VOID
//
// History: 04-05-2000 glennp Created
//
//----------------------------------------------------------------------------
VOID wmiLogDump( ULONG LoggerId, PVOID UserContext, PLIST_ENTRY GuidListHeadPtr, WMITRACING_KD_FILTER Filter, WMITRACING_KD_COMPARE Compare, WMITRACING_KD_OUTPUT Output ){ ULONG ulOrdinal; ULONG ulSortIndex; ULONG ulBufferSize; ULONG ulBufferCountTotal; ULONG ulAlignment; TARGET_ADDRESS tarAddress; PCHAR locBufferAddress; TARGET_ADDRESS lastBufferAddress;
struct sttSortControl stSortControl; struct sttTraceContext stTraceContext; WMITRACING_BUFFER_SOURCES stSources;
// Replace NULL procedures w/ defaults
if (Filter == NULL) Filter = wmiDefaultFilter; if (Compare == NULL) Compare = wmiDefaultCompare; if (Output == NULL) Output = wmiDefaultOutput;
// Initialize Locals
memset (&stSortControl, 0, sizeof (stSortControl)); memset (&stTraceContext, 0, sizeof (stTraceContext)); stTraceContext.pstSortControl = &stSortControl; stTraceContext.UserContext = UserContext; //stTraceContext.Ordinal = 0;
stTraceContext.Filter = Filter;
// Select (All) Sources
stSources.FreeBuffers = 1; stSources.FlushBuffers = 1; stSources.ActiveBuffers = 1; stSources.TransitionBuffer = 1;
// Print Summary and ProgressIndicator
stSources.PrintInformation = 1; stSources.PrintProgressIndicator = 1;
// Print Intro Message
dprintf ("(WmiTrace)LogDump for Log Id %ld\n", LoggerId);
// Get Pointer to Logger Context
tarAddress = FindLoggerContext (LoggerId); ulAlignment = GetWmiTraceAlignment ();
// Filter and Gather all Messages we want
ulBufferCountTotal = wmiKdProcessBuffers (LoggerId, tarAddress, wmiDumpProc, &stTraceContext, stSources);
// Sort the Entries just Gathered
qsort (stSortControl.pstSortEntries, stSortControl.CurEntries, sizeof (stSortControl.pstSortEntries[0]), Compare); if (stSortControl.CurEntries > 0) { dprintf ("LOGGED MESSAGES (%ld):\n", stSortControl.CurEntries); }
// Allocate Buffer
GetFieldValue (tarAddress, "_WMI_LOGGER_CONTEXT", "BufferSize", ulBufferSize); lastBufferAddress = 0; // For the buffer 'cache' (one item for now)
locBufferAddress = LocalAlloc (LPTR, ulBufferSize); if (locBufferAddress == NULL) { dprintf ("FAILED TO ALLOCATE NEEDED BUFFER!\n"); goto Cleanup; }
// Print each (Sorted) Entry
for (ulSortIndex = 0; ulSortIndex < stSortControl.CurEntries; ++ulSortIndex) { const WMITRACING_KD_SORTENTRY *sortEntry; union { EVENT_TRACE stEvent; CHAR caEvent[4096]; } u;
if (CheckControlC()) break;
sortEntry = &stSortControl.pstSortEntries[ulSortIndex];
// Read the entire buffer if not same as last
if (lastBufferAddress != sortEntry->Address) {
{ ULONG ulInfo; ULONG ulBytesRead; // Read Buffer
ulBytesRead = 0; lastBufferAddress = sortEntry->Address; ulInfo = ReadMemory (lastBufferAddress, locBufferAddress, ulBufferSize, &ulBytesRead); if ((!ulInfo) || (ulBytesRead != ulBufferSize)) { dprintf ("Failed to (Re)Read Buffer @ %P.\n", lastBufferAddress); continue; // Try for others
} }
{ WMIBUFFERINFO stBufferInfo; // Perform Fixup
memset (&stBufferInfo, 0, sizeof (stBufferInfo)); stBufferInfo.BufferSource = sortEntry->BufferSource; stBufferInfo.Buffer = locBufferAddress; stBufferInfo.BufferSize = ulBufferSize; stBufferInfo.ProcessorNumber = sortEntry->CpuNo; stBufferInfo.Alignment = ulAlignment; WmiGetFirstTraceOffset (&stBufferInfo); } }
// Get a consistant header
WmiParseTraceEvent (locBufferAddress, sortEntry->Offset, sortEntry->HeaderType, &u, sizeof (u));
// Output the Entry
Output (UserContext, GuidListHeadPtr, sortEntry, &u.stEvent); }
Cleanup: // Free Buffer
LocalFree (locBufferAddress);
// Print Summary
dprintf ("Total of %ld Messages from %ld Buffers\n", stSortControl.CurEntries, ulBufferCountTotal);
// Free the sort elements (pointers + keys)
free (stSortControl.pstSortEntries);
return;} // wmiLogDump
//+---------------------------------------------------------------------------
//
// Function: DECLARE_API(help)
//
// Synopsis: list available functions and syntax
//
// Arguments: <NONE>
//
// Returns: <VOID>
//
// History: 2-17-2000 glennp Created
//
// Notes:
//
//----------------------------------------------------------------------------
DECLARE_API( help ){ dprintf("WMI Tracing Kernel Debugger Extensions\n"); dprintf(" logdump <LoggerId> [<guid file name>] - Dump the in-memory portion of a log file\n"); dprintf(" logsave <LoggerId> <Save file name> - Save the in-memory portion of a log file in binary form\n"); dprintf(" strdump [<LoggerId>] - Dump the Wmi Trace Event Structures\n");}
//+---------------------------------------------------------------------------
//
// Function: DECLARE_API(logdump)
//
// Synopsis: LOG DUMP: Dumps Trace Messages from a Log Stream to Stdout
//
// Arguments: <Stream Number> [<MofData.Guid File Name>]
//
// Returns: <VOID>
//
// History: 2-17-2000 glennp Created
//
// Notes:
//
//----------------------------------------------------------------------------
DECLARE_API( logdump ){ ULONG ulStatus; TARGET_ADDRESS tarAddress; ULONG ulLoggerId; LPSTR pszGuidFileName; PLIST_ENTRY GuidListHeadPtr;
const CHAR *argPtr; size_t sztLen; CHAR caFileName[256];
// Defaults
ulLoggerId = 1; GuidListHeadPtr = NULL; pszGuidFileName = "FmtData.txt";
// LoggerId ?
if (args && args[0]) { ulLoggerId = (ULONG) GetExpression (args); } // LoggerId ?
argPtr = args + strspn (args, " \t\n"); sztLen = strspn (argPtr, "0123456789"); if (sztLen > 0) {// ulLoggerId = atol (argPtr);
argPtr += sztLen; }
// Guid Definition File
argPtr = argPtr + strspn (argPtr, " \t\n,"); if (strlen (argPtr)) { sztLen = strcspn (argPtr, " \t\n,"); memcpy (caFileName, argPtr, sztLen); caFileName[sztLen] = '\000'; pszGuidFileName = caFileName; }
// Show LoggerId, FileName
dprintf ("WMI Generic Trace Dump: Debugger Extension. LoggerId = %ld, Guidfile = '%s'\n", ulLoggerId, pszGuidFileName);
// Open Guid File, Dump Log, Cleanup
GuidListHeadPtr = NULL; ulStatus = GetTraceGuids ((TCHAR *) pszGuidFileName, &GuidListHeadPtr); if (ulStatus == 0) { dprintf ("Failed to open Guid file '%hs'\n", pszGuidFileName); } else { dprintf ("Opened Guid File '%hs' with %d Entries.\n", pszGuidFileName, ulStatus); wmiLogDump (ulLoggerId, NULL, GuidListHeadPtr, NULL, NULL, NULL); CleanupTraceEventList (GuidListHeadPtr); } return;} // logdump
//+---------------------------------------------------------------------------
//
// Function: DECLARE_API(logsave)
//
// Synopsis: LOG DUMP: Dumps Trace Messages from a Log Stream to Stdout
//
// Arguments: <Stream Number> [<MofData.Guid File Name>]
//
// Returns: <VOID>
//
// History: 2-17-2000 glennp Created
//
// Notes:
//
//----------------------------------------------------------------------------
DECLARE_API( logsave ){ ULONG ulStatus; TARGET_ADDRESS tarAddress; ULONG ulLoggerId; LPSTR pszSaveFileName;
const CHAR *argPtr; size_t sztLen; CHAR caFileName[256];
// Defaults
ulLoggerId = 1; pszSaveFileName = "LogData.elg";
// LoggerId ?
if (args && args[0]) { ulLoggerId = (ULONG) GetExpression (args); } // Point beyond LoggerId
argPtr = args + strspn (args, " \t\n"); argPtr += strspn (argPtr, "0123456789");
// Save File
argPtr = argPtr + strspn (argPtr, " \t\n,"); if (strlen (argPtr)) { sztLen = strcspn (argPtr, " \t\n,"); memcpy (caFileName, argPtr, sztLen); caFileName[sztLen] = '\000'; pszSaveFileName = caFileName; }
// Show LoggerId, FileName
dprintf ("WMI Trace Save: Debugger Extension. LoggerId = %ld, Save File = '%s'\n", ulLoggerId, pszSaveFileName);
// Get Pointer to Logger Context
tarAddress = FindLoggerContext (ulLoggerId);
// Check if LoggerId Good
if (tarAddress == 0) { dprintf ("Failed to Find Logger\n"); } else { FILE *pfSaveFile;
// Open Guid File, Dump Log, Cleanup
pfSaveFile = fopen (pszSaveFileName, "ab"); if (pfSaveFile == NULL) { dprintf ("Failed to Open Save File '%hs'\n", pszSaveFileName); } else { WMITRACING_BUFFER_SOURCES stSources; struct sttSaveContext stSaveContext; ULONG ulTotalBufferCount; ULONG ulRealTime;
// See if we are in "RealTime" mode (if so, we'll save FreeBuffers too)
if (GetFieldValue (tarAddress, "_WMI_LOGGER_CONTEXT", "LoggerModeFlags.RealTime", ulRealTime)) { dprintf ("Unable to Retrieve 'RealTime' Flag. Assuming Realtime Mode.\n"); ulRealTime = 1; // Better to get too many than too few.
}
//Write Header
wmiKdWriteFileHeader (pfSaveFile, ulLoggerId, tarAddress); // Select Sources
stSources.FreeBuffers = (ulRealTime) ? 1 : 0; stSources.FlushBuffers = 1; stSources.ActiveBuffers = 1; stSources.TransitionBuffer = 1;
stSources.PrintInformation = 1; stSources.PrintProgressIndicator = 1;
// Setup SaveContext
stSaveContext.pfSaveFile = pfSaveFile; // Write Buffers
ulTotalBufferCount = wmiKdProcessBuffers (ulLoggerId, tarAddress, wmiSaveProc, &stSaveContext, stSources); dprintf ("Saved %d Buffers\n", ulTotalBufferCount); // Close
fclose (pfSaveFile); } }
return;} // logdump
//+---------------------------------------------------------------------------
//
// Function: DECLARE_API(strdump)
//
// Synopsis: STRucture DUMP: dumps generic info (no arg) or stream info (arg)
//
// Arguments: [<Stream Number>]
//
// Returns: <VOID>
//
// History: 2-17-2000 glennp Created
//
// Notes:
//
//----------------------------------------------------------------------------
DECLARE_API( strdump )/*
* dump the structures for trace logging * strdump [<LoggerId>] * If <LoggerId> present, dump structs for that Id * Else dump generic structs */{ TARGET_ADDRESS tarAddress; DWORD dwRead, Flags;
ULONG ulLoggerId; ULONG ulMaxLoggerId;
ULONG pointerSize;
// Defaults
ulLoggerId = ~0; pointerSize = GetTypeSize ("PVOID");
// LoggerId ?
if (args && args[0]) { ulLoggerId = (ULONG) GetExpression (args); }
if (ulLoggerId == ~0) { dprintf ("(WmiTracing)StrDump Generic\n"); tarAddress = FindLoggerContextArray (&ulMaxLoggerId); dprintf (" LoggerContext Array @ 0x%P [%d Elements]\n", tarAddress, ulMaxLoggerId); if (tarAddress) { for (ulLoggerId = 0; ulLoggerId < ulMaxLoggerId; ++ulLoggerId) { TARGET_ADDRESS contextAddress;
contextAddress = tarAddress + pointerSize * ulLoggerId; /*if (*/ReadPointer (contextAddress, &contextAddress)/*) {*/; //dprintf ("UNABLE TO READ POINTER in ARRAY of POINTERS!, Addr = 0x%P\n", contextAddress);
/*} else*/ if (contextAddress != 0) { dprintf (" Logger Id %2d @ 0x%P Named '", ulLoggerId, contextAddress); printUnicodeFromStruct (contextAddress, "_WMI_LOGGER_CONTEXT", "LoggerName"); dprintf ("'\n"); } } } } else { dprintf ("(WmiTracing)StrDump for Log Id %ld\n", ulLoggerId); tarAddress = FindLoggerContext (ulLoggerId); if (tarAddress != 0) { dprintf (" Logger Id %2d @ 0x%P Named '", ulLoggerId, tarAddress); printUnicodeFromStruct (tarAddress, "_WMI_LOGGER_CONTEXT", "LoggerName"); dprintf ("'\n"); InitTypeRead (tarAddress, _WMI_LOGGER_CONTEXT); dprintf (" BufferSize = %ld\n", (ULONG) ReadField (BufferSize)); dprintf (" BufferCount = %ld\n", (ULONG) ReadField (NumberOfBuffers)); dprintf (" MaximumBuffers = %ld\n", (ULONG) ReadField (MaximumBuffers)); dprintf (" MinimumBuffers = %ld\n", (ULONG) ReadField (MinimumBuffers)); dprintf (" EventsLost = %ld\n", (ULONG) ReadField (EventsLost)); dprintf (" LogBuffersLost = %ld\n", (ULONG) ReadField (LogBuffersLost)); dprintf (" RealTimeBuffersLost=%ld\n", (ULONG) ReadField (RealTimeBuffersLost)); dprintf (" BuffersAvailable = %ld\n", (ULONG) ReadField (BuffersAvailable)); dprintf (" LastFlushedBuffer = %ld\n", (ULONG) ReadField (LastFlushedBuffer)); dprintf (" LoggerId = 0x%02lX\n", (ULONG) ReadField (LoggerId)); dprintf (" CollectionOn = %ld\n", (ULONG) ReadField (CollectionOn)); dprintf (" KernelTraceOn = %ld\n", (ULONG) ReadField (KernelTraceOn)); dprintf (" EnableFlags = 0x%08lX\n", (ULONG) ReadField (EnableFlags)); dprintf (" MaximumFileSize = %ld\n", (ULONG) ReadField (MaximumFileSize)); dprintf (" LogFileMode = 0x%08lX\n", (ULONG) ReadField (LogFileMode)); dprintf (" FlushTimer = %I64u\n", ReadField (FlushTimer)); dprintf (" FirstBufferOffset = %I64u\n", ReadField (FirstBufferOffset)); dprintf (" ByteOffset = %I64u\n", ReadField (ByteOffset)); dprintf (" BufferAgeLimit = %I64d\n", ReadField (BufferAgeLimit)); dprintf (" LoggerName = '"); printUnicodeFromStruct (tarAddress, "_WMI_LOGGER_CONTEXT", "LoggerName"); dprintf ( "'\n"); dprintf (" LogFileName = '"); printUnicodeFromStruct (tarAddress, "_WMI_LOGGER_CONTEXT", "LogFileName"); dprintf ( "'\n"); } }
return;}
|
