Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results
Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.EtwWriteTransfer
Hello.
Quick question: Is EtwWriteTransfer or any other api that participates in sending data through ETW in kernelmode copying data passed to this api so that it will be used in proper moment OR it is on caller side?
My guess is there should be copying of data happening as ETW is async, thus it would be not possible to hold such buffers on caller side, but I just need to confirm it.
Thanks/
Howdy, Stranger!
It looks like you're new here. If you want to get involved, click one of these buttons!
Quick Links
| Upcoming OSR Seminars | ||
|---|---|---|
| OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead! | Kernel Debugging | 30 Mar 2020 | OSR Seminar Space |
| Developing Minifilters | 20 Apr 2020 | LIVE ONLINE |
| Writing WDF Drivers | 11 May 2020 | LIVE ONLINE |
| Internals & Software Drivers | 28 Sept 2020 | Dulles, VA |
Comments
Looking at the signature of EtwWriteTransfer
https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-etwwritetransfer
there is no possible way that the API could signal the caller that is it finished with the parameters if it does not completely consume them synchronously. And the documentation of EVENT_DATA_DESCRIPTOR explicitly lists a maximum size
https://docs.microsoft.com/en-us/windows/win32/api/evntprov/ns-evntprov-event_data_descriptor
so it seems highly unlikely that the pointers are used in any way after the call completes. You could disassemble the function to be sure, but I expect that it essentially does a memcpy and returns