diff --git a/Microsoft.O365.Security.Native.ETW/AssemblyInfo.cpp b/Microsoft.O365.Security.Native.ETW/AssemblyInfo.cpp
index 3e5c918..430f7d7 100644
--- a/Microsoft.O365.Security.Native.ETW/AssemblyInfo.cpp
+++ b/Microsoft.O365.Security.Native.ETW/AssemblyInfo.cpp
@@ -32,7 +32,7 @@ using namespace System::Security::Permissions;
// You can specify all the value or you can default the Revision and Build Numbers
// by using the '*' as shown below:
-[assembly:AssemblyVersionAttribute("4.4.0.0")];
+[assembly:AssemblyVersionAttribute("4.4.1.0")];
[assembly:ComVisible(false)];
diff --git a/Microsoft.O365.Security.Native.ETW/EventRecord.hpp b/Microsoft.O365.Security.Native.ETW/EventRecord.hpp
index e3766ba..d758e99 100644
--- a/Microsoft.O365.Security.Native.ETW/EventRecord.hpp
+++ b/Microsoft.O365.Security.Native.ETW/EventRecord.hpp
@@ -774,12 +774,12 @@ namespace Microsoft { namespace O365 { namespace Security { namespace ETW {
/// Retrieves the call stack associated with the record, if enabled.
///
/// a list of return addresses
- virtual List^ GetStackTrace()
+ virtual List^ GetStackTrace()
{
- auto stackTrace = gcnew List();
+ auto stackTrace = gcnew List();
for (auto& returnAddress : schema_->stack_trace())
{
- stackTrace->Add(UIntPtr(returnAddress));
+ stackTrace->Add(UInt64(returnAddress));
}
return stackTrace;
}
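Review bot: Changing the element type returned by `GetStackTrace()` from `UIntPtr` to `UInt64` (visible in the `Add(...)` call) breaks the public managed interface, yet the commit only bumps the version from 4.4.0 to 4.4.1. Callers built against 4.4.0 that call `.ToUInt64()` on each element, as the old example did, will no longer compile or bind. The same applies to the declaration in IEventRecord.hpp and presumably to the native `schema::stack_trace()` in schema.hpp, whose element types are not visible on this page. I would call the break out in the release notes next to the "8-byte long addresses" entry and extend the doc comment, e.g. `/// Addresses are always 64 bits wide, independent of the bitness of the consuming process, and may include kernel-mode addresses.`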
diff --git a/Microsoft.O365.Security.Native.ETW/IEventRecord.hpp b/Microsoft.O365.Security.Native.ETW/IEventRecord.hpp
index af2c440..9a8f629 100644
--- a/Microsoft.O365.Security.Native.ETW/IEventRecord.hpp
+++ b/Microsoft.O365.Security.Native.ETW/IEventRecord.hpp
@@ -407,7 +407,7 @@ namespace Microsoft { namespace O365 { namespace Security { namespace ETW {
/// Retrieves the call stack associated with the record, if enabled.
///
/// a list of return addresses
- List^ GetStackTrace();
+ List^ GetStackTrace();
};
} } } }
\ No newline at end of file
diff --git a/O365.Security.Native.ETW.Debug.nuspec b/O365.Security.Native.ETW.Debug.nuspec
index e02450f..a4e7405 100644
--- a/O365.Security.Native.ETW.Debug.nuspec
+++ b/O365.Security.Native.ETW.Debug.nuspec
@@ -2,7 +2,7 @@
Microsoft.O365.Security.Native.ETW.Debug
- 4.4.0
+ 4.4.1
Microsoft.O365.Security.Native.ETW Debug - managed wrappers for krabsetw
Microsoft
Microsoft
@@ -12,8 +12,8 @@
Microsoft.O365.Security.Native.ETW Debug is a managed wrapper around the krabsetw ETW library. This is the Debug build.
Microsoft.O365.Security.Native.ETW Debug is a managed wrapper around the krabsetw ETW library. This is the Debug build.
- Version 4.4.0:
- - Add support for Windows ARM64
+ Version 4.4.1:
+ - Correctly handle 8-byte long addresses in an x86 application
© Microsoft Corporation. All rights reserved.
diff --git a/O365.Security.Native.ETW.nuspec b/O365.Security.Native.ETW.nuspec
index 58d81e6..48594f3 100644
--- a/O365.Security.Native.ETW.nuspec
+++ b/O365.Security.Native.ETW.nuspec
@@ -2,7 +2,7 @@
Microsoft.O365.Security.Native.ETW
- 4.4.0
+ 4.4.1
Microsoft.O365.Security.Native.ETW - managed wrappers for krabsetw
Microsoft
Microsoft
@@ -12,8 +12,8 @@
Microsoft.O365.Security.Native.ETW is a managed wrapper around the krabsetw ETW library.
Microsoft.O365.Security.Native.ETW is a managed wrapper around the krabsetw ETW library.
- Version 4.4.0:
- - Add support for Windows ARM64
+ Version 4.4.1:
+ - Correctly handle 8-byte long addresses in an x86 application
© Microsoft Corporation. All rights reserved.
diff --git a/examples/ManagedExamples/UserTrace007_StackTrace.cs b/examples/ManagedExamples/UserTrace007_StackTrace.cs
index b8e4ba2..aaf53ba 100644
--- a/examples/ManagedExamples/UserTrace007_StackTrace.cs
+++ b/examples/ManagedExamples/UserTrace007_StackTrace.cs
@@ -47,7 +47,6 @@ public static void Start()
return; // ignore failures
var callStack = record.GetStackTrace()
- .Select(a => a.ToUInt64())
.Where(a => a < 0xFFFF000000000000) // skip kernel addresses (for now)
.Select(a => MemoryMap.GetClosestSymbol(processId, a));
diff --git a/krabs/krabs/schema.hpp b/krabs/krabs/schema.hpp
index fcaa2ed..f4169d9 100644
--- a/krabs/krabs/schema.hpp
+++ b/krabs/krabs/schema.hpp
@@ -256,11 +256,11 @@ namespace krabs {
* void on_event(const EVENT_RECORD &record, const krabs::trace_context &trace_context)
* {
* krabs::schema schema(record, trace_context.schema_locator);
- * std::vector stack_trace = schema.stack_trace();
+ * std::vector stack_trace = schema.stack_trace();
* }
*
*/
- std::vector stack_trace() const;
+ std::vector stack_trace() const;
private:
const EVENT_RECORD &record_;
@@ -277,8 +277,8 @@ namespace krabs {
friend GUID activity_id(const schema&);
friend int event_id(const EVENT_RECORD &);
friend int event_id(const schema &);
- friend std::vector stack_trace(const schema&);
- friend std::vector stack_trace(const EVENT_RECORD&);
+ friend std::vector stack_trace(const schema&);
+ friend std::vector stack_trace(const EVENT_RECORD&);
friend class parser;
friend class property_iterator;
@@ -408,9 +408,9 @@ namespace krabs {
return record_.EventHeader.ActivityId;
}
- inline std::vector schema::stack_trace() const
+ inline std::vector schema::stack_trace() const
{
- std::vector call_stack;
+ std::vector call_stack;
if (record_.ExtendedDataCount != 0) {
for (USHORT i = 0; i < record_.ExtendedDataCount; i++)
{
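Review bot: None of the hunks visible here adds a regression test for the address truncation this change fixes, although the repository has a `testing/extended_data_builder.hpp` helper that looks suited to it. A test compiled for x86 could build a record whose stack-trace extended data item holds an address above 0xFFFFFFFF and assert that `stack_trace()` returns it unchanged. The body of `schema::stack_trace()` continues past the end of this hunk, so the copy loop cannot be checked from here. If that loop derives the number of addresses from the item's `DataSize`, confirm the divisor matches the 8-byte entries, so a short or malformed item cannot cause a read past the buffer.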
diff --git a/krabs/krabs/testing/extended_data_builder.hpp b/krabs/krabs/testing/extended_data_builder.hpp
index ad74a7a..3eeadf2 100644
--- a/krabs/krabs/testing/extended_data_builder.hpp
+++ b/krabs/krabs/testing/extended_data_builder.hpp
@@ -136,7 +136,7 @@ namespace krabs { namespace testing {
auto array_ptr = reinterpret_cast(data_buffer);
auto data_ptr = data_buffer + array_part_size;
- for (int i = 0; i < items_.size(); i++)
+ for (size_t i = 0; i < items_.size(); i++)
{
// 2a: write the struct
auto& destination = array_ptr[i];
diff --git a/krabsetw.nuspec b/krabsetw.nuspec
index 89eec67..6d789e5 100644
--- a/krabsetw.nuspec
+++ b/krabsetw.nuspec
@@ -2,7 +2,7 @@
Microsoft.O365.Security.Krabsetw
- 4.4.0
+ 4.4.1
Krabs ETW Wrappers
Microsoft
Microsoft
@@ -12,8 +12,8 @@
Krabs ETW provides a modern C++ wrapper around the low-level ETW trace consumption functions
Krabs ETW provides a modern C++ wrapper around the low-level ETW trace consumption functions
- Version 4.4.0:
- - Add support for Windows ARM64
+ Version 4.4.1:
+ - Correctly handle 8-byte long addresses in an x86 application
© Microsoft Corporation. All rights reserved.