News:

Masm32 SDK description, downloads and other helpful links
Message to All Guests
NB: Posting URL's See here: Posted URL Change

Main Menu

ETW Event Consumer, StartTraceA API

Started by Fraile, February 11, 2024, 07:54:00 AM

Previous topic - Next topic

Fraile

Hello everyone, I'm trying to create a small ETW event consumer, but when calling the StartTraceA function, it returns error 161, which means "The specified path is not valid." Any ideas? Thank you all very much.


I use Easy Code by Ramon Salas as my IDE and compiler.

ProcessEventsCallback Proto :DWord, :DWord, :DWord, :DWord

AsigText Macro Name, Text:VarArg
    Local lbl
    Jmp lbl
        Name DB Text, 0
lbl:
EndM

.Const

  WNODE_FLAG_TRACED_GUID      Equ 20000H ; Constante para indicar que el GUID del proveedor está incluido en el nodo
  EVENT_TRACE_REAL_TIME_MODE  Equ 100H
  EVENT_TRACE_USE_PAGED_MEMORY Equ 4000H

.Data?

  pProcessTrace DWord ?
  pProcessTraceCallback DWord ?


.Data

WNODE_HEADER Struct
  BufferSize    DWord 0
  ProviderId    DWord 0
  Version      DWord 0
  Linkage      DWord 0
  KernelHandle  DWord 0
  TimeStamp    LARGE_INTEGER <>
  Guid          GUID <>
  ClientContext DWord 0
  Flags        DWord 0
WNODE_HEADER EndS
EVENT_TRACE_PROPERTIES Struct
  Wnode        WNODE_HEADER <>
  BufferSize    DWord 0
  MinimumBuffers DWord 0
  MaximumBuffers DWord 0
  MaximumFileSize DWord 0
  LogFileMode  DWord 0
  FlushTimer    DWord 0
  EnableFlags  DWord 0
  AgeLimit      DWord 0
  FlushThreshold DWord 0
  NumberOfBuffers      DWord 0
  FreeBuffers          DWord 0
  EventsLost          DWord 0
  BuffersWritten      DWord 0
  LogBuffersLost      DWord 0
  RealTimeBuffersLost  DWord 0
  LoggerThreadId      HANDLE 0
  LogFileNameOffset    DWord 0
  LoggerNameOffset    DWord 0
EVENT_TRACE_PROPERTIES EndS
EventTracePropertyData Struct
  Props          EVENT_TRACE_PROPERTIES <>
  LoggerName      DB "MyETWSession", 0
  LogFileName    DB  1024 Dup(0)
EventTracePropertyData EndS


  HandleConsola              DD 0

  TraceProperties    EventTracePropertyData <>
  TraceSessionHandle  HANDLE ?

  sessionHandle          DD 0
  tempbuffer              DB 10 Dup(NULL)      ; Buffer temporal para la rutina de paso a numeros decimales.

  ; Definir la estructura de GUID para el proveedor de eventos
  generatedGuid GUID <>
  BufferSize              DD 0


.Code

start:

    Invoke GetStdHandle, STD_OUTPUT_HANDLE
    Mov HandleConsola, Eax  ; edx ahora contiene el identificador de la consola

  ; Cargar la biblioteca dinámica wnetapi32.dll
  Invoke LoadLibrary, TextStr("Advapi32.dll")

  .If Eax

        Mov Edi, Eax


        ; Obtener el puntero a la función StartTraceA
        ; Crear una sesión de ETW
        Invoke GetProcAddress, Edi, TextStr("StartTraceA")
        Mov Esi, Eax

        Push Esi


        ; Llama a CoInitialize para inicializar la biblioteca COM
;        invoke CoInitialize, NULL
   
        ; Llama a CoCreateGuid para generar un GUID
;        invoke CoCreateGuid, ADDR generatedGuid
;   
;        ; Copia el GUID generado a la estructura WNODE_HEADER
;        Lea Esi, generatedGuid
;        Lea Edi, TraceProperties.Props.Wnode.Guid
;        Mov Ecx, SizeOf GUID
;        Rep Movsb
;
;        ; Llama a CoUninitialize para finalizar la biblioteca COM
;        Invoke CoUninitialize


        Invoke LocalAlloc, LPTR, SizeOf EventTracePropertyData
        Mov BufferSize, Eax

        Pop Esi


        ; Inicializar las propiedades de traza

        Mov TraceProperties.Props.Wnode.BufferSize, SizeOf EventTracePropertyData
        Mov TraceProperties.Props.Wnode.ClientContext, 2
        Mov TraceProperties.Props.Wnode.Flags, WNODE_FLAG_TRACED_GUID


        Mov TraceProperties.Props.LogFileMode, EVENT_TRACE_REAL_TIME_MODE + EVENT_TRACE_USE_PAGED_MEMORY
            Mov TraceProperties.Props.LoggerNameOffset, SizeOf EventTracePropertyData
            Mov TraceProperties.Props.LogFileNameOffset, 0



        Lea Eax, TraceProperties
        Push Eax
        Lea Eax, TraceProperties.LoggerName
        Push Eax
        Lea Eax, sessionHandle
        Push Eax

        Call Esi
        Test Eax, Eax
        Jnz error_exit

        Invoke PasarADecimal, sessionHandle
        Invoke WriteConsoleA, HandleConsola, Addr tempbuffer, 4, 0, 0

        AsigText Error5, "Pasa."
        Invoke WriteConsoleA, HandleConsola, Addr Error5, 5, 0, 0


Jmp exit

        ; Habilitar los proveedores de eventos relevantes para el seguimiento
        ; Por ejemplo, podrías habilitar el proveedor de seguridad de Windows
;        Invoke GetProcAddress, Edi, TextStr("EnableTrace")
;        Mov Esi, Eax
;
;        Lea Eax, FilterDesc
;        Push Eax
;        Lea Eax, EnableTraceParams
;        Push Eax
;        Push 0
;        Push 0
;        Lea Eax, MyEventProvider
;        Push Eax
;        Push 0
;
;        Call Esi
;        Test Eax, Eax
;        Jz error_exitDos
;
;        Invoke GetProcAddress, Edi, TextStr("ProcessTrace")
;        Test Eax, Eax
;        Jz error_exitCuatro
;
;        Mov pProcessTrace, Eax
;
;        Lea Eax, pProcessTraceCallback
;        Mov Process.HandleArray, Eax
;        Mov Process.HandleCount, 1
;        Mov Process.StartTime, 0
;        Mov Process.EndTime, 0
;
;
;
;capture_loop:
;
;        Lea Eax, sessionHandle
;        Push Eax
;        Push 1
;        Push 0
;        Push 0
;        Call Esi
;        Cmp Eax, ERROR_SUCCESS
;        Jne SalirProces
;
;
;        Jmp capture_loop
;
;SalirProces:
;       
;        Invoke PasarADecimal, Eax
;        Invoke WriteConsoleA, HandleConsola, Addr tempbuffer, 4, 0, 0
;
;        AsigText FinCapture, "Captura interrumpida."
;        Invoke WriteConsoleA, HandleConsola, Addr FinCapture, 21, 0, 0


  .EndIf


;    ; Terminar la sesión de ETW y liberar los recursos
;    invoke ControlTrace, NULL, ADDR ETW_SESSION_NAME, ADDR sessionHandle, 2
    jmp exit

error_exit:
    ; Manejar errores aquí
    ; Por ejemplo, imprimir un mensaje de error y salir

        Invoke PasarADecimal, Eax
        Invoke WriteConsoleA, HandleConsola, Addr tempbuffer, 4, 0, 0

   
    AsigText Error1, "Error al iniciar StartTraceA."
    Invoke WriteConsoleA, HandleConsola, Addr Error1, 29, 0, 0
    Jmp exit

error_exitDos:
    ; Manejar errores aquí
    ; Por ejemplo, imprimir un mensaje de error y salir
    AsigText Error2, "Error al iniciar EnableTrace."
    Invoke WriteConsoleA, HandleConsola, Addr Error2, 29, 0, 0
    Jmp exit

error_exitTres:
    ; Manejar errores aquí
    ; Por ejemplo, imprimir un mensaje de error y salir
    AsigText Error3, "Error al iniciar el procesador de eventos."
    Invoke WriteConsoleA, HandleConsola, Addr Error3, 42, 0, 0
    Jmp exit

error_exitCuatro:
    AsigText Error4, "Error en captura de fundion de proceso de evento."
    Invoke WriteConsoleA, HandleConsola, Addr Error4, 49, 0, 0
    Jmp exit


exit:
    invoke ExitProcess, 0

ProcessEventsCallback proc traceHandle:DWORD, headerPtr:DWORD, context:DWORD, event:DWORD
;    LOCAL eventInfo: EVENT_TRACE
;    LOCAL buffer[512]:BYTE
;
;    Mov Ebx, [event]                        ; Cargar el puntero al evento en ebx
;    Mov Eax, [Ebx]                          ; Acceder a la estructura del evento
;
;; Copiar los campos relevantes de la estructura del evento a eventInfo
;    Lea Edi, eventInfo              ; Dirección de inicio de eventInfo
;    Mov [Edi].EVENT_TRACE_HEADER.SizeA, Eax
;    mov [edi].EVENT_TRACE_HEADER.HeaderType, ah  ; Suponiendo que ah contiene HeaderType
;    mov [edi].EVENT_TRACE_HEADER.MarkerFlags, al ; Suponiendo que al contiene MarkerFlags
;
;    ;Imprimir detalles del evento en la consola
;    Invoke FormatMessage, FORMAT_MESSAGE_FROM_SYSTEM, NULL, eventInfo.EventHeader.EventDescriptor.Id, 0, Addr buffer, SizeOf buffer, NULL
;    Invoke StdOut, Addr buffer

    ret
ProcessEventsCallback EndP
PasarADecimal Proc Valor:DWord
        Push Esi
        Push Edi

        Mov Esi, Valor
        Mov Edi, Offset tempbuffer
        Invoke dwtoa, Esi, Edi

        Pop Edi
        Pop Esi

        Ret

PasarADecimal EndP
End start


sinsi

Your structures seem to be wrong wherever a union is.

From the MASM reference
QuoteWhereas each field in a structure has an offset relative to the first byte of the structure, all the fields in
a union start at the same offset. The size of a structure is the sum of its components; the size of a
union is the length of the longest field.

Fraile

Do you know where I can get the structures for MASM32?

Fraile

I have taken them from the Microsoft website, but they are in C++, the conversion is what might be wrong.

sinsi

Try these
WNODE_HEADER Struct
  BufferSize    DWord 0
  ProviderId    DWord 0
  HistoricalContext      QWord 0
  TimeStamp    LARGE_INTEGER <>
  Guid          GUID <>
  ClientContext DWord 0
  Flags        DWord 0
WNODE_HEADER EndS
EVENT_TRACE_PROPERTIES Struct
  Wnode        WNODE_HEADER <>
  BufferSize    DWord 0
  MinimumBuffers DWord 0
  MaximumBuffers DWord 0
  MaximumFileSize DWord 0
  LogFileMode  DWord 0
  FlushTimer    DWord 0
  EnableFlags  DWord 0
  FlushThreshold DWord 0
  NumberOfBuffers      DWord 0
  FreeBuffers          DWord 0
  EventsLost          DWord 0
  BuffersWritten      DWord 0
  LogBuffersLost      DWord 0
  RealTimeBuffersLost  DWord 0
  LoggerThreadId      HANDLE 0
  LogFileNameOffset    DWord 0
  LoggerNameOffset    DWord 0
EVENT_TRACE_PROPERTIES EndS

Vortex

#5
Hi Fraile,

Here is the WNODE_HEADER structure converted with h2incX :

https://www.terraspace.co.uk/uasm.html#p3

WNODE_HEADER    struct
    BufferSize    DWORD    ?
    ProviderId    DWORD    ?

    union
        HistoricalContext  ULONG64 ?
        struct
        Version            DWORD  ?
        Linkage            DWORD  ?
        ends
    ends

    union
        KernelHandle    HANDLE      ?
        TimeStamp      LARGE_INTEGER  <>
    ends
   
    Guid                GUID        <>
    ClientContext      DWORD      ?
    Flags              DWORD      ?
   
    WNODE_HEADER ends

PWNODE_HEADER typedef ptr WNODE_HEADER

Fraile

Thank you very much for the help, the "union" thing had me puzzled. Many thanks to everyone.  :greenclp:

rsala

EC coder

Fraile

Excuse me, now the EnableTraceEx2 function is giving me trouble, I think the issue lies in the step or assignment of the GUID. Any ideas?

.....

.Data
  generatedGuid GUID <>


.Code
    Invoke CoInitialize, NULL
;
    ; Llama a CoCreateGuid para generar un GUID

    Invoke CoCreateGuid, Addr generatedGuid
    Test Eax, Eax
    Jnz Error_ExitSiete

    ; Llama a CoUninitialize para finalizar la biblioteca COM
    Invoke CoUninitialize

   Invoke LoadLibrary, TextStr("Advapi32.dll")

   .If Eax

Mov Edi, Eax


; Registramos un proveedor para registro de eventos.
            Invoke GetProcAddress, Edi, TextStr("EventRegister")
Mov Esi, Eax

Lea Eax, ProviderHandle
Push Eax
Push NULL
Push NULL
Lea Eax, generatedGuid
Push Eax

Call Esi

Test Eax, Eax
Jnz error_exitCinco

.......... Here is the error. Code Error: 87

    Invoke GetProcAddress, Edi, TextStr("EnableTraceEx2")
Mov Esi, Eax


    Lea Eax, sessionHandle
Push Eax
Lea Eax, generatedGuid
Push Eax
Push 1
Push 4
Push 0
Push 0
Push 0
Push NULL


Call Esi
Test Eax, Eax
Jnz Error_ExitSeis


   .EndIf


fearless

Might have to update your advapi32.inc for using Invoke for the Event Tracing functions.

I took a version of advapi32.lib from a Win10 SDK v10.0.20348.0 and ran lib2inc utility on it to generate the inc file.

I visited the ms page about the event tracing here: https://learn.microsoft.com/en-us/windows/win32/api/_etw/

I sourced the following files from the SDK as well:

  • evntcons.h
  • evntprov.h
  • evntrace.h
  • relogger.h
  • securitybaseapi.h
  • tdh.h

Then ran the h2incx utility on each of them and put them together in an EventTracing.inc file

I havent done any testing on it, so it may require editing to add in missing stuff, or take out duplicates or other conflicts, but should make a good starting point for use with Event Tracing api usage.



Fraile

Thank you very much, fearless, I'll give it a try.

Fraile

Hello everyone, thanks to your help, I have managed to make StartTraceA work. Reviewing Microsoft's API information, I have built the following:

AsigText Macro Name, Text:VarArg
    Local lbl
    Jmp lbl
        Name DB Text, 0
lbl:
EndM
ZeroMemory Macro lpAddress:Req, dwSize:Req
    Local zero_loop
    Mov Edi, lpAddress
    Mov Ecx, dwSize
    Xor Eax, Eax
    Rep Stosb
EndM

.Const

  WNODE_FLAG_TRACED_GUID                Equ 00020000H ; Constante para indicar que el GUID del proveedor está incluido en el nodo
  EVENT_TRACE_REAL_TIME_MODE            Equ 00000100H
  EVENT_TRACE_USE_PAGED_MEMORY          Equ 01000000H

  PROCESS_TRACE_MODE_EVENT_RECORD        Equ 1000H

  EVENT_TRACE_NO_PER_PROCESSOR_BUFFERING Equ 10000000H
  EVENT_TRACE_FLAG_SECURITY              Equ 00000800H
  EVENT_TRACE_INDEPENDENT_SESSION_MODE  Equ 08000000H
  EVENT_TRACE_FILE_MODE_SEQUENTIAL      Equ 00000001H

  EVENT_CONTROL_CODE_DISABLE_PROVIDER    Equ 0
  EVENT_CONTROL_CODE_ENABLE_PROVIDER    Equ 1
  EVENT_CONTROL_CODE_CAPTURE_STATE      Equ 2

  EVENT_TRACE_CONTROL_QUERY              Equ 0
  EVENT_TRACE_CONTROL_STOP              Equ 1



  MiGuidProviderGuid TextEqu  <{054849625H, 05478H, 04994H, {0A5H, 0BAH, 03EH, 03BH, 003H, 028H, 0C3H, 00DH}}>


.Data?



.Data

WNODE_HEADER Struct
    BufferSize DWord ?
    ProviderId DWord ?
    Union
        HistoricalContext QWord ?
        Struc
            Version DWord ?
            Linkage DWord ?
        EndS
    EndS
    Union
        KernelHandle HANDLE ?
        TimeStamp LARGE_INTEGER <>
    EndS
    Guidx GUID <>
    ClientContext DWord ?
    Flags DWord ?
WNODE_HEADER EndS
EVENT_TRACE_PROPERTIES Struct
    Wnode WNODE_HEADER <>
    BufferSize DWord ?
    MinimumBuffers DWord ?
    MaximumBuffers DWord ?
    MaximumFileSize DWord ?
    LogFileMode DWord ?
    FlushTimer DWord ?
    EnableFlags DWord ?
    Union dummy
        AgeLimit DWord ?
        FlushThreshold DWord ?
    EndS
    NumberOfBuffers DWord ?
    FreeBuffers DWord ?
    EventsLost DWord ?
    BuffersWritten DWord ?
    LogBuffersLost DWord ?
    RealTimeBuffersLost DWord ?
    LoggerThreadId HANDLE ?
    LogFileNameOffset DWord ?
    LoggerNameOffset DWord ?
EVENT_TRACE_PROPERTIES EndS
EventTracePropertyData Struct
    Props        EVENT_TRACE_PROPERTIES <>
    Padding        DB 4 Dup(0)                ; Cuadramos alineacion.
    LoggerName  DB 1024 Dup (0)
    LogFileName  DB 'Frailog.etl', 0
EventTracePropertyData EndS
  HandleConsola              DD 0
  CarroDeRetorno          DB 13 ; Código ASCII para retorno de carro
  NuevaLinea              DB 10 ; Código ASCII para nueva línea

  LoggerNameAux      DB 'frailepatito', 0


  TraceProperties    EventTracePropertyData <> ;EVENT_TRACE_PROPERTIES <> ;EVENT_TRACE_PROPERTIES <>


  sessionHandle          DWord 0
  ProviderHandle          HANDLE 0

  tempbuffer              DB 10 Dup(NULL)      ; Buffer temporal para la rutina de paso a numeros decimales.

  ; Definir la estructura de GUID para el proveedor de eventos
  generatedGuid GUID  <>
  ProviderId    GUID  < 05484962H, 0548H, 0499H, < 0A5H, 0BAH, 03EH, 03BH, 003H, 028H, 0C3H, 00DH>> ;MiGuidProviderGuid


  guidText      Byte 40 Dup(0)  ; Buffer para almacenar el GUID formateado
  formatGUID1  Byte "%08X-", 0 ; Formato para formatear el GUID
  formatGUID2  Byte "%04X-", 0 ; Formato para formatear el GUID
  formatGUID3  Byte "%02X", 0  ; Formato para formatear el GUID

  BufferSize              DD 0

  HandleLibrary              DD 0

.Code


start:

    Invoke GetStdHandle, STD_OUTPUT_HANDLE
    Mov HandleConsola, Eax  ; edx ahora contiene el identificador de la consola

    ;=====================

    ; Llama a CoInitialize para inicializar la biblioteca COM
    Invoke CoInitialize, NULL
;   
    ; Llama a CoCreateGuid para generar un GUID
    Invoke CoCreateGuid, Addr generatedGuid
    Test Eax, Eax
    Jnz Error_ExitSiete

    ; Llama a CoUninitialize para finalizar la biblioteca COM
    Invoke CoUninitialize

    Invoke RtlZeroMemory, Addr TraceProperties.Props, SizeOf EVENT_TRACE_PROPERTIES



  ; Cargar la biblioteca dinámica wnetapi32.dll
  Invoke LoadLibrary, TextStr("Advapi32.dll")

  .If Eax

        Mov Edi, Eax
        Mov HandleLibrary, Eax

        ; Crear una sesión de ETW
        Invoke GetProcAddress, Edi, TextStr("StartTraceA")
        Mov Esi, Eax


        ; Inicializar las propiedades de traza

        Mov TraceProperties.Props.Wnode.BufferSize, SizeOf EventTracePropertyData
        Mov TraceProperties.Props.Wnode.ClientContext, 2
        Mov TraceProperties.Props.Wnode.Flags, WNODE_FLAG_TRACED_GUID



        Push Esi
        Push Edi

        ; Copia el GUID generado a la estructura WNODE_HEADER

        Mov Eax, generatedGuid.Data1
        Mov TraceProperties.Props.Wnode.Guidx.Data1, Eax
        Mov Ax, generatedGuid.Data2
        Mov TraceProperties.Props.Wnode.Guidx.Data2, Ax
        Mov Ax, generatedGuid.Data3
        Mov TraceProperties.Props.Wnode.Guidx.Data3, Ax

        ; Copia el GUID generado a la estructura WNODE_HEADER
        Lea Esi, generatedGuid.Data4
        Lea Edi, TraceProperties.Props.Wnode.Guidx.Data4
        Mov Ecx, 8
        Rep Movsb


        Pop Edi
        Pop Esi


        Mov TraceProperties.Props.LogFileMode, EVENT_TRACE_FILE_MODE_SEQUENTIAL + EVENT_TRACE_INDEPENDENT_SESSION_MODE ;+ EVENT_TRACE_NO_PER_PROCESSOR_BUFFERING + EVENT_TRACE_INDEPENDENT_SESSION_MODE


        Mov TraceProperties.Props.MinimumBuffers, 64
        Mov TraceProperties.Props.MaximumBuffers, 320

        Mov TraceProperties.Props.LoggerNameOffset, SizeOf TraceProperties - 1036 ;1152
        Mov TraceProperties.Props.LogFileNameOffset, SizeOf TraceProperties - 12; SizeOf TraceProperties - 11


    Lea Eax, TraceProperties ;.Props
    Push Eax
    Lea Eax, LoggerNameAux
    Push Eax
    Lea Eax, sessionHandle
    Push Eax

    Call Esi
        Test Eax, Eax
        Jnz error_exit


  .EndIf

    Jmp exit

error_exit:
    ; Manejar errores aquí
    ; Por ejemplo, imprimir un mensaje de error y salir

        Invoke PasarADecimal, Eax
        Invoke WriteConsoleA, HandleConsola, Addr tempbuffer, 4, 0, 0

   
    AsigText Error1, "Error al iniciar StartTraceA."
    Invoke WriteConsoleA, HandleConsola, Addr Error1, 29, 0, 0
    Jmp exit

error_exitDos:
    ; Manejar errores aquí
    ; Por ejemplo, imprimir un mensaje de error y salir
    AsigText Error2, "Error al iniciar EnableTrace."
    Invoke WriteConsoleA, HandleConsola, Addr Error2, 29, 0, 0
    Jmp exit

error_exitTres:
    ; Manejar errores aquí
    ; Por ejemplo, imprimir un mensaje de error y salir
    AsigText Error3, "Error al iniciar el procesador de eventos."
    Invoke WriteConsoleA, HandleConsola, Addr Error3, 42, 0, 0
    Jmp exit

error_exitCuatro:
    AsigText Error4, "Error en captura de fundion de proceso de evento."
    Invoke WriteConsoleA, HandleConsola, Addr Error4, 49, 0, 0
    Jmp exit

error_exitCinco:

    Invoke PasarADecimal, Eax
    Invoke WriteConsoleA, HandleConsola, Addr tempbuffer, 4, 0, 0

    AsigText Error8, "Erron al iniciar EventRegister."
    Invoke WriteConsoleA, HandleConsola, Addr Error8, 31, 0, 0
    Jmp exit

Error_ExitSeis:

    Invoke PasarADecimal, Eax
    Invoke WriteConsoleA, HandleConsola, Addr tempbuffer, 4, 0, 0

    AsigText Error6, "Erron al iniciar EnableTraceEx2."
    Invoke WriteConsoleA, HandleConsola, Addr Error6, 32, 0, 0
    Jmp exit

Error_ExitSiete:

    Invoke PasarADecimal, Eax
    Invoke WriteConsoleA, HandleConsola, Addr tempbuffer, 4, 0, 0

    AsigText Error9, "Erron al iniciar CreandoGUID."
    Invoke WriteConsoleA, HandleConsola, Addr Error9, 29, 0, 0
    Jmp exit

guid_invalido:
    AsigText Error10, "Erron validar GUID."
    Invoke WriteConsoleA, HandleConsola, Addr Error10, 19, 0, 0
    Jmp exit

Error_HandleSesion:
    AsigText Error11, "Erron validar Handle Sesion."
    Invoke WriteConsoleA, HandleConsola, Addr Error11, 28, 0, 0
    Jmp exit

Error_ExitOcho:

    Invoke GetLastError
    Invoke PasarADecimal, Eax
    Invoke WriteConsoleA, HandleConsola, Addr tempbuffer, 4, 0, 0


    AsigText Error13, "Error en OpenTraceA."
    Invoke WriteConsoleA, HandleConsola, Addr Error13, 20, 0, 0
    Jmp exit

Error_ExitNueve:

    Invoke PasarADecimal, Eax
    Invoke WriteConsoleA, HandleConsola, Addr tempbuffer, 4, 0, 0

    AsigText Error14, "Error en ProcessTrace."
    Invoke WriteConsoleA, HandleConsola, Addr Error14, 22, 0, 0
    Jmp exit


exit:

.
.
.
.


So far so good, I know it creates it properly, because I check it with: "D:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit>xperf -loggers" and the following information appears, attached photo:





What I've detected is an alignment issue, so in the main structure that I use to control the properties passed to StartTraceA, I include: "Padding DB 4 Dup(0)". For some reason, MASM32 (in my case), I have the feeling that it doesn't work well with structures that use "union". So by aligning with "Padding DB 4 Dup(0)", the StartTraceA function works fine; if I remove that line, the StartTraceA function returns error 87.


EventTracePropertyData Struct
    Props        EVENT_TRACE_PROPERTIES <>
    Padding        DB 4 Dup(0)                ; Cuadramos alineacion.
    LoggerName  DB 1024 Dup (0)
    LogFileName  DB 'Frailog.etl', 0
EventTracePropertyData EndS



The problem now is when I call EnableTraceEx or EnableTraceEx2, it gives me error 87. However, EnableTrace does work, but this function is obsolete. And in other functions that I have to call for controlling the events, like ControlTraceA, I still encounter the issue, error 87. Here I put the code for calling ControlTraceA:


Mov Edi, HandleLibrary


        Mov TraceProperties.Props.LogFileNameOffset, 0

    Invoke GetProcAddress, Edi, TextStr("ControlTraceA")
    Test Eax, Eax
    Jz exitFinal

Mov Esi, Eax

Push EVENT_TRACE_CONTROL_QUERY ;EVENT_TRACE_CONTROL_STOP
Lea Eax, TraceProperties.Props
Push Eax
Lea Eax, LoggerNameAux
Push Eax
Push 0

Call Esi


I would greatly appreciate any help; this is overwhelming me. I have a feeling that the problem is due to the "union" within the structures. It causes misalignment. Any ideas?

Thank you very much for your time.


_japheth

Quote from: Fraile on March 06, 2024, 11:07:52 PMI would greatly appreciate any help; this is overwhelming me. I have a feeling that the problem is due to the "union" within the structures. It causes misalignment. Any ideas?

The very first thing to try in such cases is assembler switch -Zp8. That will set default struct alignment to a QWORD - yes, that's the correct setting for both Win64 and Win32.
Dummheit, gepaart mit Dreistigkeit - eine furchtbare Macht.

Fraile

Thank you very much, _japheth. I've tried it, I've also tried putting the ALIGN in the code. But nothing.

_japheth

Quote from: Fraile on March 07, 2024, 10:41:42 PM... But nothing.

If you want more than wild guesses - I'm afraid you'll have to post the whole source then...
Dummheit, gepaart mit Dreistigkeit - eine furchtbare Macht.