[ADVAPI32][ETWTRACE] Add etwtrace library and link advapi32 to it on NT6+

tkreuzer · tkreuzer · commit b27429b12610 · 2024-10-17T18:39:37.000+03:00
diff --git a/dll/ntdll/CMakeLists.txt b/dll/ntdll/CMakeLists.txt
@@ -24,14 +24,18 @@ add_library(rtl_um OBJECT
 target_link_libraries(rtl_um apisets ${PSEH_LIB})
 add_dependencies(rtl_um psdk)
 
+# On NT6+ this is used by advapi32
+add_library(etwtrace etw/trace.c)
+target_link_libraries(etwtrace ${PSEH_LIB})
+add_dependencies(etwtrace psdk)
+
 list(APPEND SOURCE
     dbg/dbgui.c
     ldr/ldrapi.c
     ldr/ldrinit.c
     ldr/ldrpe.c
     ldr/ldrutils.c
-    ldr/verifier.c
-    etw/trace.c)
+    ldr/verifier.c)
 
 if(ARCH STREQUAL "i386")
     list(APPEND ASM_SOURCE dispatch/i386/dispatch.S)
@@ -61,7 +65,7 @@ set_module_type(ntdll win32dll ENTRYPOINT 0)
 set_subsystem(ntdll console)
 ################# END  HACK #################
 
-target_link_libraries(ntdll csrlib rtl rtl_um rtl_vista ntdllsys libcntpr uuid ${PSEH_LIB})
+target_link_libraries(ntdll etwtrace csrlib rtl rtl_um rtl_vista ntdllsys libcntpr uuid ${PSEH_LIB})
 if(DLL_EXPORT_VERSION GREATER_EQUAL 0x600)
     target_link_libraries(ntdll cryptlib)
 endif()
diff --git a/dll/win32/advapi32/CMakeLists.txt b/dll/win32/advapi32/CMakeLists.txt
@@ -62,6 +62,9 @@ add_library(advapi32 MODULE
 
 set_module_type(advapi32 win32dll UNICODE ENTRYPOINT DllMain 12)
 target_link_libraries(advapi32 cryptlib wine ${PSEH_LIB})
+if(DLL_EXPORT_VERSION GREATER_EQUAL 0x600)
+    target_link_libraries(advapi32 etwtrace)
+endif()
 add_delay_importlibs(advapi32 secur32)
 add_importlibs(advapi32 advapi32_vista rpcrt4 kernel32 ntdll)
 add_pch(advapi32 advapi32.h "${PCH_SKIP_SOURCE}")
diff --git a/dll/win32/advapi32/advapi32.spec b/dll/win32/advapi32/advapi32.spec
@@ -70,9 +70,9 @@
 @ stub ComputeAccessTokenFromCodeAuthzLevel
 @ stdcall ControlService(long long ptr)
 @ stdcall -version=0x502 ControlTraceA(double str ptr long) ntdll.EtwControlTraceA
-@ stdcall -stub -version=0x600+ ControlTraceA(double str ptr long)
+@ stdcall -version=0x600+ ControlTraceA(double str ptr long) EtwControlTraceA
 @ stdcall -version=0x502 ControlTraceW(double wstr ptr long) ntdll.EtwControlTraceW
-@ stdcall -stub -version=0x600+ ControlTraceW(double wstr ptr long)
+@ stdcall -version=0x600+ ControlTraceW(double wstr ptr long) EtwControlTraceW
 @ stub ConvertAccessToSecurityDescriptorA
 @ stub ConvertAccessToSecurityDescriptorW
 @ stub ConvertSDToStringSDRootDomainA
@@ -207,7 +207,7 @@
 @ stdcall ElfReportEventAndSourceW(long long ptr long long long ptr ptr long long ptr ptr long ptr ptr)
 @ stdcall ElfReportEventW(long long long long ptr long long ptr ptr long ptr ptr)
 @ stdcall -version=0x502 EnableTrace(long long long ptr double) ntdll.EtwEnableTrace
-@ stdcall -stub -version=0x600+ EnableTrace(long long long ptr double)
+@ stdcall -version=0x600+ EnableTrace(long long long ptr double) EtwEnableTrace
 @ stdcall EncryptFileA(str)
 @ stdcall EncryptFileW(wstr)
 @ stub EncryptedFileKeyInfo
@@ -220,17 +220,17 @@
 @ stdcall EnumServicesStatusExW(long long long long ptr long ptr ptr ptr wstr)
 @ stdcall EnumServicesStatusW(long long long ptr long ptr ptr ptr)
 @ stdcall -version=0x502 EnumerateTraceGuids(ptr long ptr) ntdll.EtwEnumerateTraceGuids
-@ stdcall -stub -version=0x600+ EnumerateTraceGuids(ptr long ptr)
+@ stdcall -stub -version=0x600+ EnumerateTraceGuids(ptr long ptr) # EtwEnumerateTraceGuids
 @ stdcall EqualDomainSid(ptr ptr ptr)
 @ stdcall EqualPrefixSid(ptr ptr)
 @ stdcall EqualSid(ptr ptr)
 @ stdcall FileEncryptionStatusA(str ptr)
 @ stdcall FileEncryptionStatusW(wstr ptr)
 @ stdcall FindFirstFreeAce(ptr ptr)
 @ stdcall -version=0x502 FlushTraceA(double str ptr) ntdll.EtwFlushTraceA
-@ stdcall -stub -version=0x600+ FlushTraceA(double str ptr)
+@ stdcall -version=0x600+ FlushTraceA(double str ptr) EtwFlushTraceA
 @ stdcall -version=0x502 FlushTraceW(double wstr ptr) ntdll.EtwFlushTraceW
-@ stdcall -stub -version=0x600+ FlushTraceW(double wstr ptr)
+@ stdcall -version=0x600+ FlushTraceW(double wstr ptr) EtwFlushTraceW
 @ stub FreeEncryptedFileKeyInfo
 @ stdcall FreeEncryptionCertificateHashList(ptr)
 @ stdcall FreeInheritedFromArray(ptr long ptr)
@@ -456,9 +456,9 @@
 @ stub ProcessIdleTasks
 @ stdcall ProcessTrace(ptr long ptr ptr)
 @ stdcall -version=0x502 QueryAllTracesA(ptr long ptr) ntdll.EtwQueryAllTracesA
-@ stdcall -stub -version=0x600+ QueryAllTracesA(ptr long ptr)
+@ stdcall -version=0x600+ QueryAllTracesA(ptr long ptr) EtwQueryAllTracesA
 @ stdcall -version=0x502 QueryAllTracesW(ptr long ptr) ntdll.EtwQueryAllTracesW
-@ stdcall -stub -version=0x600+ QueryAllTracesW(ptr long ptr)
+@ stdcall -version=0x600+ QueryAllTracesW(ptr long ptr) EtwQueryAllTracesW
 @ stdcall QueryRecoveryAgentsOnEncryptedFile(wstr ptr)
 @ stdcall QueryServiceConfig2A(long long ptr long ptr)
 @ stdcall QueryServiceConfig2W(long long ptr long ptr)
@@ -470,9 +470,9 @@
 @ stdcall QueryServiceStatus(long ptr)
 @ stdcall QueryServiceStatusEx(long long ptr long ptr)
 @ stdcall -version=0x502 QueryTraceA(double str ptr) ntdll.EtwQueryTraceA
-@ stdcall -stub -version=0x600+ QueryTraceA(double str ptr)
+@ stdcall -version=0x600+ QueryTraceA(double str ptr) EtwQueryTraceA
 @ stdcall -version=0x502 QueryTraceW(double str ptr) ntdll.EtwQueryTraceW
-@ stdcall -stub -version=0x600+ QueryTraceW(double str ptr)
+@ stdcall -version=0x600+ QueryTraceW(double str ptr) EtwQueryTraceW
 @ stdcall QueryUsersOnEncryptedFile(wstr ptr)
 @ stdcall ReadEncryptedFileRaw(ptr ptr ptr)
 @ stdcall ReadEventLogA(long long long ptr long ptr ptr)
@@ -608,13 +608,13 @@
 @ stdcall StartServiceCtrlDispatcherW(ptr)
 @ stdcall StartServiceW(long long ptr)
 @ stdcall -version=0x502 StartTraceA(ptr str ptr) ntdll.EtwStartTraceA
-@ stdcall -stub -version=0x600+ StartTraceA(ptr str ptr)
+@ stdcall -version=0x600+ StartTraceA(ptr str ptr) EtwStartTraceA
 @ stdcall -version=0x502 StartTraceW(ptr wstr ptr) ntdll.EtwStartTraceW
-@ stdcall -stub -version=0x600+ StartTraceW(ptr wstr ptr)
+@ stdcall -version=0x600+ StartTraceW(ptr wstr ptr) EtwStartTraceW
 @ stdcall -version=0x502 StopTraceA(double str ptr) ntdll.EtwStopTraceA
-@ stdcall -stub -version=0x600+ StopTraceA(double str ptr)
+@ stdcall -version=0x600+ StopTraceA(double str ptr) EtwStopTraceA
 @ stdcall -version=0x502 StopTraceW(double wstr ptr) ntdll.EtwStopTraceW
-@ stdcall -stub -version=0x600+ StopTraceW(double wstr ptr)
+@ stdcall -version=0x600+ StopTraceW(double wstr ptr) EtwStopTraceW
 @ stdcall SystemFunction001(ptr ptr ptr)
 @ stdcall SystemFunction002(ptr ptr ptr)
 @ stdcall SystemFunction003(ptr ptr)
@@ -654,7 +654,7 @@
 @ stdcall SystemFunction040(ptr long long) # RtlEncryptMemory
 @ stdcall SystemFunction041(ptr long long) # RtlDecryptMemory
 @ stdcall -version=0x502 TraceEvent(double ptr) ntdll.EtwTraceEvent
-@ stdcall -stub -version=0x600+ TraceEvent(double ptr)
+@ stdcall -version=0x600+ TraceEvent(double ptr) EtwTraceEvent
 @ stdcall TraceEventInstance(double ptr ptr ptr) ntdll.EtwTraceEventInstance
 @ varargs TraceMessage() ntdll.EtwTraceMessage
 @ stdcall TraceMessageVa() ntdll.EtwTraceMessageVa
@@ -667,9 +667,9 @@
 @ stub UnregisterIdleTask
 @ stdcall UnregisterTraceGuids(double) ntdll.EtwUnregisterTraceGuids
 @ stdcall -version=0x502 UpdateTraceA(double str ptr) ntdll.EtwUpdateTraceA
-@ stdcall -stub -version=0x600+ UpdateTraceA(double str ptr)
+@ stdcall -version=0x600+ UpdateTraceA(double str ptr) EtwUpdateTraceA
 @ stdcall -version=0x502 UpdateTraceW(double wstr ptr) ntdll.EtwUpdateTraceW
-@ stdcall -stub -version=0x600+ UpdateTraceW(double wstr ptr)
+@ stdcall -version=0x600+ UpdateTraceW(double wstr ptr) EtwUpdateTraceW
 @ stub WdmWmiServiceMain
 @ stub WmiCloseBlock
 @ stub WmiCloseTraceWithCursor
@@ -688,9 +688,9 @@
 @ stub WmiMofEnumerateResourcesA
 @ stub WmiMofEnumerateResourcesW
 @ stdcall -version=0x502 WmiNotificationRegistrationA(ptr long ptr long long) ntdll.EtwNotificationRegistrationA
-@ stdcall -stub -version=0x600+ WmiNotificationRegistrationA(ptr long ptr long long)
+@ stdcall -stub -version=0x600+ WmiNotificationRegistrationA(ptr long ptr long long) # EtwNotificationRegistrationA
 @ stdcall -version=0x502 WmiNotificationRegistrationW(ptr long ptr long long) ntdll.EtwNotificationRegistrationW
-@ stdcall -stub -version=0x600+ WmiNotificationRegistrationW(ptr long ptr long long)
+@ stdcall -stub -version=0x600+ WmiNotificationRegistrationW(ptr long ptr long long) # EtwNotificationRegistrationW
 @ stub WmiOpenBlock
 @ stub WmiOpenTraceWithCursor
 @ stub WmiParseTraceEvent
@@ -704,9 +704,9 @@
 @ stub WmiQuerySingleInstanceMultipleW
 @ stub WmiQuerySingleInstanceW
 @ stdcall -version=0x502 WmiReceiveNotificationsA(long long long long) ntdll.EtwReceiveNotificationsA
-@ stdcall -stub -version=0x600+ WmiReceiveNotificationsA(long long long long)
+@ stdcall -stub -version=0x600+ WmiReceiveNotificationsA(long long long long) # EtwReceiveNotificationsA
 @ stdcall -version=0x502 WmiReceiveNotificationsW(long long long long) ntdll.EtwReceiveNotificationsW
-@ stdcall -stub -version=0x600+ WmiReceiveNotificationsW(long long long long)
+@ stdcall -stub -version=0x600+ WmiReceiveNotificationsW(long long long long) # EtwReceiveNotificationsW
 @ stub WmiSetSingleInstanceA
 @ stub WmiSetSingleInstanceW
 @ stub WmiSetSingleItemA
