in krabs/krabs/size_provider.hpp [105:153]
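// Cheaply estimates the byte length of a property without calling into Tdh.
//
// The calls to Tdh are kind of expensive, especially when krabs is included
// in a managed assembly as this call will be a thunk. The _very_ common
// string property types are short-circuited here; everything else yields 0
// so the caller falls back to the full Tdh path.
//
// propertyStart  - first byte of the property inside record.UserData
// propertyInfo   - TDH metadata for the property (Flags, InType, OutType)
// record         - the event whose UserData/UserDataLength bound the scan
// Returns the property length in bytes, or 0 when no heuristic applies.
//
// Be careful! Check the struct flag, IN and OUT types before making an
// assumption: the nonStructType/structType members alias each other, so
// OutType is only meaningful when PropertyStruct is clear.
// Strings that appear at the end of a record may not be null-terminated.
// If a string is null-terminated, the result includes the null character.
// If a string is not null-terminated, the result includes all bytes up to
// the end of the record buffer (rounded down to whole characters, so the
// scan never reads past UserDataLength).
inline ULONG size_provider::get_heuristic_size(
    const BYTE* propertyStart,
    const EVENT_PROPERTY_INFO& propertyInfo,
    const EVENT_RECORD& record)
{
    ULONG propertyLength = 0;

    // A struct property re-uses the same union storage; its OutType slot
    // holds NumOfStructMembers, so the comparison below would be meaningless.
    if ((propertyInfo.Flags & PropertyStruct) != 0)
    {
        return propertyLength;
    }
    if (propertyInfo.nonStructType.OutType != TDH_OUTTYPE_STRING)
    {
        return propertyLength;
    }

    const BYTE* pRecordEnd =
        static_cast<const BYTE*>(record.UserData) + record.UserDataLength;
    // Nothing to scan when the property does not start inside the payload;
    // a negative distance would otherwise wrap once cast to ULONG.
    if (propertyStart > pRecordEnd)
    {
        return propertyLength;
    }
    const auto bytesAvailable = static_cast<size_t>(pRecordEnd - propertyStart);

    if (propertyInfo.nonStructType.InType == TDH_INTYPE_UNICODESTRING)
    {
        // Scan whole wchar_t units only. A lone trailing byte at the end of
        // the record must not be read as half of a character, which would
        // touch one byte past UserDataLength and report a length that
        // overshoots the buffer.
        auto p = reinterpret_cast<const wchar_t*>(propertyStart);
        const auto pEnd = p + bytesAvailable / sizeof(wchar_t);
        while (p < pEnd)
        {
            if (!*p++)
            {
                break;
            }
        }
        propertyLength = static_cast<ULONG>(
            reinterpret_cast<const BYTE*>(p) - propertyStart);
    }
    else if (propertyInfo.nonStructType.InType == TDH_INTYPE_ANSISTRING)
    {
        auto p = reinterpret_cast<const char*>(propertyStart);
        const auto pEnd = p + bytesAvailable;
        while (p < pEnd)
        {
            if (!*p++)
            {
                break;
            }
        }
        propertyLength = static_cast<ULONG>(
            reinterpret_cast<const BYTE*>(p) - propertyStart);
    }

    return propertyLength;
}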