Struct ferrisetw::provider::Provider

pub struct Provider {
    pub guid: Option<Guid>,
    pub any: u64,
    pub all: u64,
    pub level: u8,
    pub trace_flags: u32,
    pub flags: u32,
    // some fields omitted
}

Main Provider structure

Fields

guid: Option<Guid>

Option that represents a Provider GUID

any: u64

Provider Any keyword

all: u64

Provider All keyword

level: u8

Provider level flag

trace_flags: u32

Provider trace flags

flags: u32

Provider kernel flags, only apply to KernelProvider

Implementations

impl Provider

pub fn new() -> Self

Use the new function to create a Provider builder

This function will create a by-default provider which can be tweaked afterwards

Example

let my_provider = Provider::new();

pub fn kernel(kernel_provider: &KernelProvider) -> Self

Use the new_kernel function to create a Provider builder wrapping a Kernel Provider

Arguments

• kernel_provider - Reference to a KernelProvider which will be tied to the Provider struct

Example

let my_provider = Provider::kernel(&kernel_providers::IMAGE_LOAD_PROVIDER);

pub fn by_guid(self, guid: &str) -> Self

Use the by_guid function to bind a GUID with a Provider

Arguments

• guid - A string representation of the GUID, without curly braces, that is being binded to the Provider

Example

let my_provider = Provider::new().by_guid("22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716");

pub fn by_name(self, name: String) -> Self

Use the by_name function to bind a GUID with a Provider

This function will look for the Provider GUID by means of the ITraceDataProviderCollection interface.

Remark

This function is considerably slow, prefer using the by_guid function when possible

Arguments

• name - Provider name to find

Safety Note

This function won't fail if the Provider GUID can't be found, it will log the event and set the Guid field to None. This behavior might change in the future

Example

let my_provider = Provider::new().by_name(String::from("Microsoft-Windows-WinINet"));

pub fn any(self, any: u64) -> Self

Use the any function to set the any flag in the Provider instance More info

Arguments

• any - Any flag value to set

Example

let my_provider = Provider::new().any(0xf0010000000003ff);

pub fn all(self, all: u64) -> Self

Use the all function to set the all flag in the Provider instance More info

Arguments

• all - All flag value to set

Example

let my_provider = Provider::new().all(0x4000000000000000);

pub fn level(self, level: u8) -> Self

Use the level function to set the level flag in the Provider instance

Arguments

• level - Level flag value to set

Example

// LogAlways (0x0)
// Critical (0x1)
// Error (0x2)
// Warning (0x3)
// Information (0x4)
// Verbose (0x5)
let my_provider = Provider::new().level(0x5);

pub fn trace_flags(self, trace_flag: u32) -> Self

Use the trace_flags function to set the trace_flags flag in the Provider instance More info

Arguments

• trace_flags - TraceFlags value to set

Example

let my_provider = Provider::new().trace_flags(0x1);

pub fn add_callback<T>(self, callback: T) -> Self where
    T: FnMut(EventRecord, &mut SchemaLocator) + Send + Sync + 'static, 

Use the add_callback function to add a callback function that will be called when the Provider generates an Event

Arguments

• callback - Callback to add

Remarks

The SchemaLocator has to be mutable because whenever we obtain a new Schema it will be saved into the SchemaLocator instance cache

Example

Provider::new().add_callback(|record: EventRecord, schema_locator: &mut SchemaLocator| {
    // Handle Event
});

pub fn build(self) -> Result<Self, ProviderError>

Use the build function to build the provider

Safety Note

This function might return an ProviderError::NoGuid if the GUID is not set in the Provider struct

Example

Provider::new()
  .by_guid("22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716")
  .add_callback(process_callback)
  .build()?

Trait Implementations

impl Debug for Provider

fn fmt(&self, _f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.