ホーム › System.Diagnostics.Etw › TdhCreatePayloadFilter
TdhCreatePayloadFilter
関数イベントペイロードに基づくフィルターを作成する。
シグネチャ
// tdh.dll
#include <windows.h>
DWORD TdhCreatePayloadFilter(
const GUID* ProviderGuid,
const EVENT_DESCRIPTOR* EventDescriptor,
BOOLEAN EventMatchANY,
DWORD PayloadPredicateCount,
PAYLOAD_FILTER_PREDICATE* PayloadPredicates,
void** PayloadFilter
);パラメーター
| 名前 | 型 | 方向 | 説明 |
|---|---|---|---|
| ProviderGuid | GUID* | in | フィルタ対象イベントのプロバイダGUID。 |
| EventDescriptor | EVENT_DESCRIPTOR* | in | フィルタ対象イベントを記述するEVENT_DESCRIPTOR。 |
| EventMatchANY | BOOLEAN | in | 述語のいずれか一致でマッチさせるならTRUE、すべて一致ならFALSE。 |
| PayloadPredicateCount | DWORD | in | PayloadPredicates配列の述語数。 |
| PayloadPredicates | PAYLOAD_FILTER_PREDICATE* | in | ペイロード条件を記述するPAYLOAD_FILTER_PREDICATE配列。 |
| PayloadFilter | void** | out | 作成されたペイロードフィルタへのポインタを受け取る出力。 |
戻り値の型: DWORD
各言語での呼び出し定義
// tdh.dll
#include <windows.h>
DWORD TdhCreatePayloadFilter(
const GUID* ProviderGuid,
const EVENT_DESCRIPTOR* EventDescriptor,
BOOLEAN EventMatchANY,
DWORD PayloadPredicateCount,
PAYLOAD_FILTER_PREDICATE* PayloadPredicates,
void** PayloadFilter
);[DllImport("tdh.dll", ExactSpelling = true)]
static extern uint TdhCreatePayloadFilter(
ref Guid ProviderGuid, // GUID*
IntPtr EventDescriptor, // EVENT_DESCRIPTOR*
[MarshalAs(UnmanagedType.U1)] bool EventMatchANY, // BOOLEAN
uint PayloadPredicateCount, // DWORD
IntPtr PayloadPredicates, // PAYLOAD_FILTER_PREDICATE*
IntPtr PayloadFilter // void** out
);<DllImport("tdh.dll", ExactSpelling:=True)>
Public Shared Function TdhCreatePayloadFilter(
ByRef ProviderGuid As Guid, ' GUID*
EventDescriptor As IntPtr, ' EVENT_DESCRIPTOR*
<MarshalAs(UnmanagedType.U1)> EventMatchANY As Boolean, ' BOOLEAN
PayloadPredicateCount As UInteger, ' DWORD
PayloadPredicates As IntPtr, ' PAYLOAD_FILTER_PREDICATE*
PayloadFilter As IntPtr ' void** out
) As UInteger
End Function' ProviderGuid : GUID*
' EventDescriptor : EVENT_DESCRIPTOR*
' EventMatchANY : BOOLEAN
' PayloadPredicateCount : DWORD
' PayloadPredicates : PAYLOAD_FILTER_PREDICATE*
' PayloadFilter : void** out
Declare PtrSafe Function TdhCreatePayloadFilter Lib "tdh" ( _
ByVal ProviderGuid As LongPtr, _
ByVal EventDescriptor As LongPtr, _
ByVal EventMatchANY As Byte, _
ByVal PayloadPredicateCount As Long, _
ByVal PayloadPredicates As LongPtr, _
ByVal PayloadFilter As LongPtr) As Long
' VBA7前提(PtrSafe)。32bit Office では LongPtr→Long。Integer=16bit / Long=32bit / LongLong=64bit。import ctypes
from ctypes import wintypes
TdhCreatePayloadFilter = ctypes.windll.tdh.TdhCreatePayloadFilter
TdhCreatePayloadFilter.restype = wintypes.DWORD
TdhCreatePayloadFilter.argtypes = [
ctypes.c_void_p, # ProviderGuid : GUID*
ctypes.c_void_p, # EventDescriptor : EVENT_DESCRIPTOR*
ctypes.c_byte, # EventMatchANY : BOOLEAN
wintypes.DWORD, # PayloadPredicateCount : DWORD
ctypes.c_void_p, # PayloadPredicates : PAYLOAD_FILTER_PREDICATE*
ctypes.c_void_p, # PayloadFilter : void** out
]require 'fiddle'
require 'fiddle/import'
lib = Fiddle.dlopen('tdh.dll')
TdhCreatePayloadFilter = Fiddle::Function.new(
lib['TdhCreatePayloadFilter'],
[
Fiddle::TYPE_VOIDP, # ProviderGuid : GUID*
Fiddle::TYPE_VOIDP, # EventDescriptor : EVENT_DESCRIPTOR*
Fiddle::TYPE_CHAR, # EventMatchANY : BOOLEAN
-Fiddle::TYPE_INT, # PayloadPredicateCount : DWORD
Fiddle::TYPE_VOIDP, # PayloadPredicates : PAYLOAD_FILTER_PREDICATE*
Fiddle::TYPE_VOIDP, # PayloadFilter : void** out
],
-Fiddle::TYPE_INT)#[link(name = "tdh")]
extern "system" {
fn TdhCreatePayloadFilter(
ProviderGuid: *const GUID, // GUID*
EventDescriptor: *const EVENT_DESCRIPTOR, // EVENT_DESCRIPTOR*
EventMatchANY: u8, // BOOLEAN
PayloadPredicateCount: u32, // DWORD
PayloadPredicates: *mut PAYLOAD_FILTER_PREDICATE, // PAYLOAD_FILTER_PREDICATE*
PayloadFilter: *mut *mut () // void** out
) -> u32;
}
// crates: windows-sys provides ready-made bindings for this API.$sig = @"
[DllImport("tdh.dll")]
public static extern uint TdhCreatePayloadFilter(ref Guid ProviderGuid, IntPtr EventDescriptor, [MarshalAs(UnmanagedType.U1)] bool EventMatchANY, uint PayloadPredicateCount, IntPtr PayloadPredicates, IntPtr PayloadFilter);
"@
$api = Add-Type -MemberDefinition $sig -Name 'tdh_TdhCreatePayloadFilter' -Namespace Win32 -PassThru
# $api::TdhCreatePayloadFilter(ProviderGuid, EventDescriptor, EventMatchANY, PayloadPredicateCount, PayloadPredicates, PayloadFilter)#uselib "tdh.dll"
#func global TdhCreatePayloadFilter "TdhCreatePayloadFilter" sptr, sptr, sptr, sptr, sptr, sptr
; TdhCreatePayloadFilter varptr(ProviderGuid), varptr(EventDescriptor), EventMatchANY, PayloadPredicateCount, varptr(PayloadPredicates), PayloadFilter ; 戻り値は stat
; ProviderGuid : GUID* -> "sptr"
; EventDescriptor : EVENT_DESCRIPTOR* -> "sptr"
; EventMatchANY : BOOLEAN -> "sptr"
; PayloadPredicateCount : DWORD -> "sptr"
; PayloadPredicates : PAYLOAD_FILTER_PREDICATE* -> "sptr"
; PayloadFilter : void** out -> "sptr"
; ※HSP3.7は #func のため戻り値はシステム変数 stat に格納されます。出力引数:
#uselib "tdh.dll" #cfunc global TdhCreatePayloadFilter "TdhCreatePayloadFilter" var, var, int, int, var, sptr ; res = TdhCreatePayloadFilter(ProviderGuid, EventDescriptor, EventMatchANY, PayloadPredicateCount, PayloadPredicates, PayloadFilter) ; ProviderGuid : GUID* -> "var" ; EventDescriptor : EVENT_DESCRIPTOR* -> "var" ; EventMatchANY : BOOLEAN -> "int" ; PayloadPredicateCount : DWORD -> "int" ; PayloadPredicates : PAYLOAD_FILTER_PREDICATE* -> "var" ; PayloadFilter : void** out -> "sptr" ; ※出力/バッファ引数は var 方式(変数を直接渡す)。varptr 方式にも切替可。#uselib "tdh.dll" #cfunc global TdhCreatePayloadFilter "TdhCreatePayloadFilter" sptr, sptr, int, int, sptr, sptr ; res = TdhCreatePayloadFilter(varptr(ProviderGuid), varptr(EventDescriptor), EventMatchANY, PayloadPredicateCount, varptr(PayloadPredicates), PayloadFilter) ; ProviderGuid : GUID* -> "sptr" ; EventDescriptor : EVENT_DESCRIPTOR* -> "sptr" ; EventMatchANY : BOOLEAN -> "int" ; PayloadPredicateCount : DWORD -> "int" ; PayloadPredicates : PAYLOAD_FILTER_PREDICATE* -> "sptr" ; PayloadFilter : void** out -> "sptr" ; ※出力/バッファ引数はポインタ方式(token=sptr / 呼び出しは varptr(変数))。
出力引数:
; DWORD TdhCreatePayloadFilter(GUID* ProviderGuid, EVENT_DESCRIPTOR* EventDescriptor, BOOLEAN EventMatchANY, DWORD PayloadPredicateCount, PAYLOAD_FILTER_PREDICATE* PayloadPredicates, void** PayloadFilter) #uselib "tdh.dll" #cfunc global TdhCreatePayloadFilter "TdhCreatePayloadFilter" var, var, int, int, var, intptr ; res = TdhCreatePayloadFilter(ProviderGuid, EventDescriptor, EventMatchANY, PayloadPredicateCount, PayloadPredicates, PayloadFilter) ; ProviderGuid : GUID* -> "var" ; EventDescriptor : EVENT_DESCRIPTOR* -> "var" ; EventMatchANY : BOOLEAN -> "int" ; PayloadPredicateCount : DWORD -> "int" ; PayloadPredicates : PAYLOAD_FILTER_PREDICATE* -> "var" ; PayloadFilter : void** out -> "intptr" ; ※出力/バッファ引数は var 方式(変数を直接渡す)。varptr 方式にも切替可。; DWORD TdhCreatePayloadFilter(GUID* ProviderGuid, EVENT_DESCRIPTOR* EventDescriptor, BOOLEAN EventMatchANY, DWORD PayloadPredicateCount, PAYLOAD_FILTER_PREDICATE* PayloadPredicates, void** PayloadFilter) #uselib "tdh.dll" #cfunc global TdhCreatePayloadFilter "TdhCreatePayloadFilter" intptr, intptr, int, int, intptr, intptr ; res = TdhCreatePayloadFilter(varptr(ProviderGuid), varptr(EventDescriptor), EventMatchANY, PayloadPredicateCount, varptr(PayloadPredicates), PayloadFilter) ; ProviderGuid : GUID* -> "intptr" ; EventDescriptor : EVENT_DESCRIPTOR* -> "intptr" ; EventMatchANY : BOOLEAN -> "int" ; PayloadPredicateCount : DWORD -> "int" ; PayloadPredicates : PAYLOAD_FILTER_PREDICATE* -> "intptr" ; PayloadFilter : void** out -> "intptr" ; ※出力/バッファ引数はポインタ方式(token=intptr / 呼び出しは varptr(変数))。
import (
"golang.org/x/sys/windows"
"unsafe"
)
var (
tdh = windows.NewLazySystemDLL("tdh.dll")
procTdhCreatePayloadFilter = tdh.NewProc("TdhCreatePayloadFilter")
)
// ProviderGuid (GUID*), EventDescriptor (EVENT_DESCRIPTOR*), EventMatchANY (BOOLEAN), PayloadPredicateCount (DWORD), PayloadPredicates (PAYLOAD_FILTER_PREDICATE*), PayloadFilter (void** out)
r1, _, err := procTdhCreatePayloadFilter.Call(
uintptr(ProviderGuid),
uintptr(EventDescriptor),
uintptr(EventMatchANY),
uintptr(PayloadPredicateCount),
uintptr(PayloadPredicates),
uintptr(PayloadFilter),
)
_ = err // syscall.Errno (valid when the call sets last-error)
_ = r1 // DWORDfunction TdhCreatePayloadFilter(
ProviderGuid: PGUID; // GUID*
EventDescriptor: Pointer; // EVENT_DESCRIPTOR*
EventMatchANY: ByteBool; // BOOLEAN
PayloadPredicateCount: DWORD; // DWORD
PayloadPredicates: Pointer; // PAYLOAD_FILTER_PREDICATE*
PayloadFilter: Pointer // void** out
): DWORD; stdcall;
external 'tdh.dll' name 'TdhCreatePayloadFilter';result := DllCall("tdh\TdhCreatePayloadFilter"
, "Ptr", ProviderGuid ; GUID*
, "Ptr", EventDescriptor ; EVENT_DESCRIPTOR*
, "Char", EventMatchANY ; BOOLEAN
, "UInt", PayloadPredicateCount ; DWORD
, "Ptr", PayloadPredicates ; PAYLOAD_FILTER_PREDICATE*
, "Ptr", PayloadFilter ; void** out
, "UInt") ; return: DWORD●TdhCreatePayloadFilter(ProviderGuid, EventDescriptor, EventMatchANY, PayloadPredicateCount, PayloadPredicates, PayloadFilter) = DLL("tdh.dll", "dword TdhCreatePayloadFilter(void*, void*, byte, dword, void*, void*)")
# 呼び出し: TdhCreatePayloadFilter(ProviderGuid, EventDescriptor, EventMatchANY, PayloadPredicateCount, PayloadPredicates, PayloadFilter)
# ProviderGuid : GUID* -> "void*"
# EventDescriptor : EVENT_DESCRIPTOR* -> "void*"
# EventMatchANY : BOOLEAN -> "byte"
# PayloadPredicateCount : DWORD -> "dword"
# PayloadPredicates : PAYLOAD_FILTER_PREDICATE* -> "void*"
# PayloadFilter : void** out -> "void*"
# なでしこ1は32bit・ANSI(Shift_JIS)。文字列=char*(ANSI)、ポインタ/ハンドル=void*(4byte)。