Added more CLR ETW blocking rules
parent
58ca6cbf52
commit
d8c90b5c1e
|
@ -3,7 +3,12 @@
|
||||||
#undef UNICODE
|
#undef UNICODE
|
||||||
#define UNICODE
|
#define UNICODE
|
||||||
|
|
||||||
|
// https://docs.microsoft.com/en-us/dotnet/framework/performance/etw-events-in-the-common-language-runtime
|
||||||
|
#define ModuleLoad_V2 152
|
||||||
#define AssemblyDCStart_V1 155
|
#define AssemblyDCStart_V1 155
|
||||||
|
#define MethodLoadVerbose_V1 143
|
||||||
|
#define MethodJittingStarted 145
|
||||||
|
#define ILStubGenerated 88
|
||||||
|
|
||||||
#include <Windows.h>
|
#include <Windows.h>
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
|
@ -34,14 +39,21 @@ ULONG NTAPI MyEtwEventWrite(
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Block CLR assembly loading events.
|
switch (EventDescriptor->Id) {
|
||||||
if (EventDescriptor->Id == AssemblyDCStart_V1) {
|
case AssemblyDCStart_V1:
|
||||||
return uResult;
|
// Block CLR assembly loading events.
|
||||||
|
break;
|
||||||
|
case MethodLoadVerbose_V1:
|
||||||
|
// Block CLR method loading events.
|
||||||
|
break;
|
||||||
|
case ILStubGenerated:
|
||||||
|
// Block MSIL stub generation events.
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
// Forward all other ETW events using EtwEventWriteFull.
|
||||||
|
uResult = EtwEventWriteFull(RegHandle, EventDescriptor, 0, NULL, NULL, UserDataCount, UserData);
|
||||||
}
|
}
|
||||||
|
|
||||||
// Forward all other ETW events using EtwEventWriteFull.
|
|
||||||
uResult = EtwEventWriteFull(RegHandle, EventDescriptor, 0, NULL, NULL, UserDataCount, UserData);
|
|
||||||
|
|
||||||
return uResult;
|
return uResult;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
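Review bot: The `#define` block at the top names five event IDs, but the new `switch` only has cases for `AssemblyDCStart_V1` (155), `MethodLoadVerbose_V1` (143) and `ILStubGenerated` (88); `ModuleLoad_V2` and `MethodJittingStarted` are never referenced in the visible lines, so the source does not state which events are actually dropped. A single comment above the `switch`, such as `// Dropped: 155, 143, 88. Everything else is forwarded unchanged.`, would let an analyst read the telemetry impact without tracing each case. The three dropped cases also reach `return uResult;` with no assignment in this section; the declaration of `uResult` is outside the visible lines, so whether it is initialised cannot be confirmed here. For detection, a process carrying this hook emits no assembly-load, method-load or IL-stub events from the CLR runtime provider while its other events continue, so a .NET process with that specific gap, or an `EtwEventWrite` entry in memory that differs from the on-disk ntdll image (presumably how `MyEtwEventWrite` is installed), is what a sensor should alert on.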