I want to use ETW to record a process's heap allocations, but it doesn't work. I don't get any events; the callback function is never called.
My OS is Win10.
Already set process TracingFlags to 1.
```cpp
#include <krabs.hpp>
#include <cstdint>
#include <cstdio>

// dwProcessId: PID of the process whose heap events should be traced
void trace_heap(DWORD dwProcessId)
{
    krabs::user_trace trace(L"My magic trace");

    // Heap Trace Provider
    krabs::provider<> provider(krabs::guid(L"{222962AB-6180-4B88-A825-346B75F2A24A}"));

    // Enable Stack Trace
    provider.trace_flags(EVENT_ENABLE_PROPERTY_STACK_TRACE);

    krabs::event_filter filter(krabs::predicates::process_id_is(dwProcessId));
    filter.add_on_event_callback([](const EVENT_RECORD &record, const krabs::trace_context &trace_context) {
        // Get Stack trace from events
        krabs::schema schema(record, trace_context.schema_locator);
        for (USHORT i = 0; i < record.ExtendedDataCount; i++)
        {
            EVENT_HEADER_EXTENDED_DATA_ITEM data_item = record.ExtendedData[i];
            // Only 64-bit stack trace items are handled; skip any other extended data
            if (data_item.ExtType != EVENT_HEADER_EXT_TYPE_STACK_TRACE64)
                continue;
            PEVENT_EXTENDED_ITEM_STACK_TRACE64 pst64 = (PEVENT_EXTENDED_ITEM_STACK_TRACE64)data_item.DataPtr;
            // DataSize covers the leading ULONG64 MatchId plus the address array
            uint32_t size = (data_item.DataSize - sizeof(ULONG64)) / sizeof(ULONG64);
            printf("Stack Trace Size: %u \n", size);
            for (size_t x = 0; x < size; x++)
            {
                ULONG64 addr = pst64->Address[x];
                printf("Stack Trace addr: 0x%llx\n", addr);
            }
            printf("--------------------------\n");
        }
    });

    // Start ETW Session
    provider.add_filter(filter);
    trace.enable(provider);
    printf("Starting trace...\n");
    trace.start();
}
```