[ADVAPI32][ETWTRACE] Add etwtrace library and link advapi32 to it on NT6+

This commit is contained in:
Timo Kreuzer 2024-09-14 17:35:15 +03:00
parent 98e7e64391
commit b27429b126
3 changed files with 31 additions and 24 deletions

View file

@ -24,14 +24,18 @@ add_library(rtl_um OBJECT
target_link_libraries(rtl_um apisets ${PSEH_LIB})
add_dependencies(rtl_um psdk)
# On NT6+ this is used by advapi32
add_library(etwtrace etw/trace.c)
target_link_libraries(etwtrace ${PSEH_LIB})
add_dependencies(etwtrace psdk)
list(APPEND SOURCE
dbg/dbgui.c
ldr/ldrapi.c
ldr/ldrinit.c
ldr/ldrpe.c
ldr/ldrutils.c
ldr/verifier.c
etw/trace.c)
ldr/verifier.c)
if(ARCH STREQUAL "i386")
list(APPEND ASM_SOURCE dispatch/i386/dispatch.S)
@ -61,7 +65,7 @@ set_module_type(ntdll win32dll ENTRYPOINT 0)
set_subsystem(ntdll console)
################# END HACK #################
target_link_libraries(ntdll csrlib rtl rtl_um rtl_vista ntdllsys libcntpr uuid ${PSEH_LIB})
target_link_libraries(ntdll etwtrace csrlib rtl rtl_um rtl_vista ntdllsys libcntpr uuid ${PSEH_LIB})
if(DLL_EXPORT_VERSION GREATER_EQUAL 0x600)
target_link_libraries(ntdll cryptlib)
endif()

View file

@ -62,6 +62,9 @@ add_library(advapi32 MODULE
set_module_type(advapi32 win32dll UNICODE ENTRYPOINT DllMain 12)
target_link_libraries(advapi32 cryptlib wine ${PSEH_LIB})
if(DLL_EXPORT_VERSION GREATER_EQUAL 0x600)
target_link_libraries(advapi32 etwtrace)
endif()
add_delay_importlibs(advapi32 secur32)
add_importlibs(advapi32 advapi32_vista rpcrt4 kernel32 ntdll)
add_pch(advapi32 advapi32.h "${PCH_SKIP_SOURCE}")

View file

@ -70,9 +70,9 @@
@ stub ComputeAccessTokenFromCodeAuthzLevel
@ stdcall ControlService(long long ptr)
@ stdcall -version=0x502 ControlTraceA(double str ptr long) ntdll.EtwControlTraceA
@ stdcall -stub -version=0x600+ ControlTraceA(double str ptr long)
@ stdcall -version=0x600+ ControlTraceA(double str ptr long) EtwControlTraceA
@ stdcall -version=0x502 ControlTraceW(double wstr ptr long) ntdll.EtwControlTraceW
@ stdcall -stub -version=0x600+ ControlTraceW(double wstr ptr long)
@ stdcall -version=0x600+ ControlTraceW(double wstr ptr long) EtwControlTraceW
@ stub ConvertAccessToSecurityDescriptorA
@ stub ConvertAccessToSecurityDescriptorW
@ stub ConvertSDToStringSDRootDomainA
@ -207,7 +207,7 @@
@ stdcall ElfReportEventAndSourceW(long long ptr long long long ptr ptr long long ptr ptr long ptr ptr)
@ stdcall ElfReportEventW(long long long long ptr long long ptr ptr long ptr ptr)
@ stdcall -version=0x502 EnableTrace(long long long ptr double) ntdll.EtwEnableTrace
@ stdcall -stub -version=0x600+ EnableTrace(long long long ptr double)
@ stdcall -version=0x600+ EnableTrace(long long long ptr double) EtwEnableTrace
@ stdcall EncryptFileA(str)
@ stdcall EncryptFileW(wstr)
@ stub EncryptedFileKeyInfo
@ -220,7 +220,7 @@
@ stdcall EnumServicesStatusExW(long long long long ptr long ptr ptr ptr wstr)
@ stdcall EnumServicesStatusW(long long long ptr long ptr ptr ptr)
@ stdcall -version=0x502 EnumerateTraceGuids(ptr long ptr) ntdll.EtwEnumerateTraceGuids
@ stdcall -stub -version=0x600+ EnumerateTraceGuids(ptr long ptr)
@ stdcall -stub -version=0x600+ EnumerateTraceGuids(ptr long ptr) # EtwEnumerateTraceGuids
@ stdcall EqualDomainSid(ptr ptr ptr)
@ stdcall EqualPrefixSid(ptr ptr)
@ stdcall EqualSid(ptr ptr)
@ -228,9 +228,9 @@
@ stdcall FileEncryptionStatusW(wstr ptr)
@ stdcall FindFirstFreeAce(ptr ptr)
@ stdcall -version=0x502 FlushTraceA(double str ptr) ntdll.EtwFlushTraceA
@ stdcall -stub -version=0x600+ FlushTraceA(double str ptr)
@ stdcall -version=0x600+ FlushTraceA(double str ptr) EtwFlushTraceA
@ stdcall -version=0x502 FlushTraceW(double wstr ptr) ntdll.EtwFlushTraceW
@ stdcall -stub -version=0x600+ FlushTraceW(double wstr ptr)
@ stdcall -version=0x600+ FlushTraceW(double wstr ptr) EtwFlushTraceW
@ stub FreeEncryptedFileKeyInfo
@ stdcall FreeEncryptionCertificateHashList(ptr)
@ stdcall FreeInheritedFromArray(ptr long ptr)
@ -456,9 +456,9 @@
@ stub ProcessIdleTasks
@ stdcall ProcessTrace(ptr long ptr ptr)
@ stdcall -version=0x502 QueryAllTracesA(ptr long ptr) ntdll.EtwQueryAllTracesA
@ stdcall -stub -version=0x600+ QueryAllTracesA(ptr long ptr)
@ stdcall -version=0x600+ QueryAllTracesA(ptr long ptr) EtwQueryAllTracesA
@ stdcall -version=0x502 QueryAllTracesW(ptr long ptr) ntdll.EtwQueryAllTracesW
@ stdcall -stub -version=0x600+ QueryAllTracesW(ptr long ptr)
@ stdcall -version=0x600+ QueryAllTracesW(ptr long ptr) EtwQueryAllTracesW
@ stdcall QueryRecoveryAgentsOnEncryptedFile(wstr ptr)
@ stdcall QueryServiceConfig2A(long long ptr long ptr)
@ stdcall QueryServiceConfig2W(long long ptr long ptr)
@ -470,9 +470,9 @@
@ stdcall QueryServiceStatus(long ptr)
@ stdcall QueryServiceStatusEx(long long ptr long ptr)
@ stdcall -version=0x502 QueryTraceA(double str ptr) ntdll.EtwQueryTraceA
@ stdcall -stub -version=0x600+ QueryTraceA(double str ptr)
@ stdcall -version=0x600+ QueryTraceA(double str ptr) EtwQueryTraceA
@ stdcall -version=0x502 QueryTraceW(double str ptr) ntdll.EtwQueryTraceW
@ stdcall -stub -version=0x600+ QueryTraceW(double str ptr)
@ stdcall -version=0x600+ QueryTraceW(double str ptr) EtwQueryTraceW
@ stdcall QueryUsersOnEncryptedFile(wstr ptr)
@ stdcall ReadEncryptedFileRaw(ptr ptr ptr)
@ stdcall ReadEventLogA(long long long ptr long ptr ptr)
@ -608,13 +608,13 @@
@ stdcall StartServiceCtrlDispatcherW(ptr)
@ stdcall StartServiceW(long long ptr)
@ stdcall -version=0x502 StartTraceA(ptr str ptr) ntdll.EtwStartTraceA
@ stdcall -stub -version=0x600+ StartTraceA(ptr str ptr)
@ stdcall -version=0x600+ StartTraceA(ptr str ptr) EtwStartTraceA
@ stdcall -version=0x502 StartTraceW(ptr wstr ptr) ntdll.EtwStartTraceW
@ stdcall -stub -version=0x600+ StartTraceW(ptr wstr ptr)
@ stdcall -version=0x600+ StartTraceW(ptr wstr ptr) EtwStartTraceW
@ stdcall -version=0x502 StopTraceA(double str ptr) ntdll.EtwStopTraceA
@ stdcall -stub -version=0x600+ StopTraceA(double str ptr)
@ stdcall -version=0x600+ StopTraceA(double str ptr) EtwStopTraceA
@ stdcall -version=0x502 StopTraceW(double wstr ptr) ntdll.EtwStopTraceW
@ stdcall -stub -version=0x600+ StopTraceW(double wstr ptr)
@ stdcall -version=0x600+ StopTraceW(double wstr ptr) EtwStopTraceW
@ stdcall SystemFunction001(ptr ptr ptr)
@ stdcall SystemFunction002(ptr ptr ptr)
@ stdcall SystemFunction003(ptr ptr)
@ -654,7 +654,7 @@
@ stdcall SystemFunction040(ptr long long) # RtlEncryptMemory
@ stdcall SystemFunction041(ptr long long) # RtlDecryptMemory
@ stdcall -version=0x502 TraceEvent(double ptr) ntdll.EtwTraceEvent
@ stdcall -stub -version=0x600+ TraceEvent(double ptr)
@ stdcall -version=0x600+ TraceEvent(double ptr) EtwTraceEvent
@ stdcall TraceEventInstance(double ptr ptr ptr) ntdll.EtwTraceEventInstance
@ varargs TraceMessage() ntdll.EtwTraceMessage
@ stdcall TraceMessageVa() ntdll.EtwTraceMessageVa
@ -667,9 +667,9 @@
@ stub UnregisterIdleTask
@ stdcall UnregisterTraceGuids(double) ntdll.EtwUnregisterTraceGuids
@ stdcall -version=0x502 UpdateTraceA(double str ptr) ntdll.EtwUpdateTraceA
@ stdcall -stub -version=0x600+ UpdateTraceA(double str ptr)
@ stdcall -version=0x600+ UpdateTraceA(double str ptr) EtwUpdateTraceA
@ stdcall -version=0x502 UpdateTraceW(double wstr ptr) ntdll.EtwUpdateTraceW
@ stdcall -stub -version=0x600+ UpdateTraceW(double wstr ptr)
@ stdcall -version=0x600+ UpdateTraceW(double wstr ptr) EtwUpdateTraceW
@ stub WdmWmiServiceMain
@ stub WmiCloseBlock
@ stub WmiCloseTraceWithCursor
@ -688,9 +688,9 @@
@ stub WmiMofEnumerateResourcesA
@ stub WmiMofEnumerateResourcesW
@ stdcall -version=0x502 WmiNotificationRegistrationA(ptr long ptr long long) ntdll.EtwNotificationRegistrationA
@ stdcall -stub -version=0x600+ WmiNotificationRegistrationA(ptr long ptr long long)
@ stdcall -stub -version=0x600+ WmiNotificationRegistrationA(ptr long ptr long long) # EtwNotificationRegistrationA
@ stdcall -version=0x502 WmiNotificationRegistrationW(ptr long ptr long long) ntdll.EtwNotificationRegistrationW
@ stdcall -stub -version=0x600+ WmiNotificationRegistrationW(ptr long ptr long long)
@ stdcall -stub -version=0x600+ WmiNotificationRegistrationW(ptr long ptr long long) # EtwNotificationRegistrationW
@ stub WmiOpenBlock
@ stub WmiOpenTraceWithCursor
@ stub WmiParseTraceEvent
@ -704,9 +704,9 @@
@ stub WmiQuerySingleInstanceMultipleW
@ stub WmiQuerySingleInstanceW
@ stdcall -version=0x502 WmiReceiveNotificationsA(long long long long) ntdll.EtwReceiveNotificationsA
@ stdcall -stub -version=0x600+ WmiReceiveNotificationsA(long long long long)
@ stdcall -stub -version=0x600+ WmiReceiveNotificationsA(long long long long) # EtwReceiveNotificationsA
@ stdcall -version=0x502 WmiReceiveNotificationsW(long long long long) ntdll.EtwReceiveNotificationsW
@ stdcall -stub -version=0x600+ WmiReceiveNotificationsW(long long long long)
@ stdcall -stub -version=0x600+ WmiReceiveNotificationsW(long long long long) # EtwReceiveNotificationsW
@ stub WmiSetSingleInstanceA
@ stub WmiSetSingleInstanceW
@ stub WmiSetSingleItemA