in krabs/krabs/size_provider.hpp [53:103]
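inline ULONG size_provider::get_property_size(
    const BYTE* propertyStart,
    const wchar_t* propertyName,
    const EVENT_RECORD& record,
    const EVENT_PROPERTY_INFO& propertyInfo)
{
    // Returns the number of bytes occupied by one property of an ETW event.
    //
    // The event payload is laid out as an ad-hoc variant: to advance the
    // seeking pointer past the property just examined we need its byte
    // size. For fixed-size types the schema already carries it; for
    // variable-sized types (strings, param-length buffers, ...) we have to
    // fall back to a heuristic or ask Tdh*.
    //
    // @param propertyStart  pointer at the property's first byte in the
    //                       event payload (only consumed by the heuristic)
    // @param propertyName   schema name of the property (only consumed by
    //                       the TDH fallback)
    // @param record         the event being walked
    // @param propertyInfo   schema entry describing the property
    // @return byte size of the property; 0 only if every strategy fails
    //
    // NOTE(review): the size returned here is not compared with the
    // remaining payload (record.UserDataLength) in this function; the
    // payload is attacker-influenced input, so the caller that advances the
    // seek pointer is presumably the one bounds-checking it - verify.

    // Fast path: `length` is a union that either holds a byte count or, when
    // PropertyParamLength is set, the index of another property that carries
    // the length. Only the former can be used directly.
    if ((propertyInfo.Flags & PropertyParamLength) == 0 &&
        propertyInfo.length > 0)
    {
        // A pointer's width follows the header of the event that carried
        // it, not the schema length. See PointerSize at
        // https://docs.microsoft.com/en-us/windows/win32/api/tdh/nf-tdh-tdhformatproperty
        // NOTE(review): this path does not test PropertyStruct; if a struct
        // entry ever arrives with a non-zero length, nonStructType.InType
        // aliases structType in the union - confirm against the TDH schema.
        if (propertyInfo.nonStructType.InType == TDH_INTYPE_POINTER)
        {
            return (record.EventHeader.Flags & EVENT_HEADER_FLAG_32_BIT_HEADER) ? 4 : 8;
        }
        return propertyInfo.length;
    }

    // Past the fast path, either PropertyParamLength is set or length == 0.
    // With no flags at all the length is therefore necessarily 0 (the
    // former "use length if > 0" branch here was unreachable), so the
    // heuristic is the only remaining option before deferring to TDH.
    ULONG propertyLength = 0;
    if (propertyInfo.Flags == 0)
    {
        propertyLength = get_heuristic_size(propertyStart, propertyInfo, record);
    }

    // No usable schema length and the heuristic gave nothing -> ask Tdh.
    if (propertyLength == 0)
    {
        propertyLength = get_tdh_size(propertyName, record);
    }
    return propertyLength;
}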