inline std::unique_ptr get_event_schema_from

inline std::unique_ptr get_event_schema_from_tdh()

in krabs/krabs/schema_locator.hpp [134:162]

23 lines of code
2 McCabe index (conditional complexity)


    inline std::unique_ptr<char[]> get_event_schema_from_tdh(const EVENT_RECORD &record)
    {
        // get required size
        ULONG bufferSize = 0;
        ULONG status = TdhGetEventInformation(
            (PEVENT_RECORD)&record,
            0,
            NULL,
            NULL,
            &bufferSize);

        if (status != ERROR_INSUFFICIENT_BUFFER) {
            error_check_common_conditions(status, record);
        }

        // allocate and fill the schema from TDH
        auto buffer = std::unique_ptr<char[]>(new char[bufferSize]);

        error_check_common_conditions(
            TdhGetEventInformation(
            (PEVENT_RECORD)&record,
            0,
            NULL,
            (PTRACE_EVENT_INFO)buffer.get(),
            &bufferSize),
            record);

        return buffer;
    }