Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results
More Info on Driver Writing and Debugging
The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.
Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/
EtwWriteTransfer
Hello.
Quick question: Is EtwWriteTransfer or any other api that participates in sending data through ETW in kernelmode copying data passed to this api so that it will be used in proper moment OR it is on caller side?
My guess is there should be copying of data happening as ETW is async, thus it would be not possible to hold such buffers on caller side, but I just need to confirm it.
Thanks/
Howdy, Stranger!
It looks like you're new here. If you want to get involved, click one of these buttons!
Quick Links
| Upcoming OSR Seminars | ||
|---|---|---|
| OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead! | Kernel Debugging | 30 Mar 2020 | OSR Seminar Space |
| Developing Minifilters | 15 Jun 2020 | LIVE ONLINE |
| Writing WDF Drivers | 22 June 2020 | LIVE ONLINE |
| Internals & Software Drivers | 28 Sept 2020 | Dulles, VA |
Comments
Looking at the signature of EtwWriteTransfer
https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-etwwritetransfer
there is no possible way that the API could signal the caller that is it finished with the parameters if it does not completely consume them synchronously. And the documentation of EVENT_DATA_DESCRIPTOR explicitly lists a maximum size
https://docs.microsoft.com/en-us/windows/win32/api/evntprov/ns-evntprov-event_data_descriptor
so it seems highly unlikely that the pointers are used in any way after the call completes. You could disassemble the function to be sure, but I expect that it essentially does a memcpy and returns