fix(sys,etw): Correct string parsing functions

rabbitstack · rabbitstack · commit b4c44cc6e07d · 2025-07-29T21:30:03.000+02:00
diff --git a/pkg/sys/etw/types.go b/pkg/sys/etw/types.go
@@ -555,6 +555,14 @@ type ClassicEventID struct {
 	_    [7]uint8 // reserved
 }
 
+// EventFilterDescriptor defines the filter data that
+// a session passes to the provider's enable callback.
+type EventFilterDescriptor struct {
+	Ptr  uintptr
+	Size uint32
+	Type uint32
+}
+
 // NewClassicEventID creates a new instance of classic event identifier.
 func NewClassicEventID(guid windows.GUID, typ uint16) ClassicEventID {
 	return ClassicEventID{GUID: guid, Type: uint8(typ)}
@@ -604,7 +612,7 @@ func (e *EventRecord) ReadBytes(offset uint16, count uint16) []byte {
 	if offset > e.BufferLen {
 		return nil
 	}
-	return (*[1<<30 - 1]byte)(unsafe.Pointer(e.Buffer + uintptr(offset) + uintptr(count)))[:count:count]
+	return (*[1<<30 - 1]byte)(unsafe.Pointer(e.Buffer + uintptr(offset)))[:count:count]
 }
 
 // ReadUint16 reads the uint16 value from the buffer at the specified offset.
@@ -637,6 +645,7 @@ func (e *EventRecord) ReadAnsiString(offset uint16) (string, uint16) {
 	if offset > e.BufferLen {
 		return "", 0
 	}
+
 	b := make([]byte, e.BufferLen)
 	var i uint16
 	for i < e.BufferLen {
@@ -647,49 +656,52 @@ func (e *EventRecord) ReadAnsiString(offset uint16) (string, uint16) {
 		b[i] = c
 		i++
 	}
+
+	if i == 0 {
+		return "", offset + 1
+	}
+
 	if int(i) > len(b) {
-		return string(b[:len(b)-1]), uint16(len(b))
+		return string(b[:len(b)-1]), uint16(len(b)) + offset
 	}
-	return string(b[:i]), i + 1
+
+	return string(b[:i]), i + 1 + offset
 }
 
 // ReadUTF16String reads the UTF-16 string from the buffer at the specified offset.
-// Returns the UTF-8 string and the number of bytes read from the string.
+// Returns the UTF-8 string and the number of bytes read from the string + the offset.
 func (e *EventRecord) ReadUTF16String(offset uint16) (string, uint16) {
 	if offset > e.BufferLen {
 		return "", 0
 	}
 
+	// we're reading the leading string. First, calculate
+	// the length of the null-terminated UTF16 string
+	i := offset
 	var length uint16
-
-	if offset > 0 {
-		length = e.BufferLen - offset
-	} else {
-		// we're reading the leading string. First, calculate
-		// the length of the null-terminated UTF16 string
-		var i uint16
-		for i < e.BufferLen {
-			c := *(*uint16)(unsafe.Pointer(e.Buffer + uintptr(i)))
-			if c == 0 {
-				break // null terminator
-			}
-			length += 2
-			i += 2
+	for i < e.BufferLen {
+		c := *(*uint16)(unsafe.Pointer(e.Buffer + uintptr(i)))
+		if c == 0 {
+			break // null terminator
 		}
+		length += 2
+		i += 2
 	}
 
-	s := (*[1<<30 - 1]uint16)(unsafe.Pointer(e.Buffer + uintptr(offset)))[:length:length]
-	if offset > 0 {
-		return utf16.Decode(s[:len(s)/2-1-2]), uint16(len(s) + 2)
+	if length == 0 {
+		return "", offset + 2 // null terminator size
 	}
 
-	return utf16.Decode(s[:len(s)/2]), uint16(len(s) + 2)
+	b := (*[1<<30 - 1]uint16)(unsafe.Pointer(e.Buffer + uintptr(offset)))[:length:length]
+	s := b[:len(b)/2]
+
+	return utf16.Decode(s), uint16((len(s)+1)*2) + offset
 }
 
 // ReadNTUnicodeString reads the native Unicode string at the given offset.
 func (e *EventRecord) ReadNTUnicodeString(offset uint16) (string, uint16) {
 	if offset > e.BufferLen {
-		return "", offset
+		return "", 0
 	}
 
 	i := offset
@@ -704,7 +716,7 @@ func (e *EventRecord) ReadNTUnicodeString(offset uint16) (string, uint16) {
 	}
 
 	if length == 0 {
-		return "", offset
+		return "", offset + 2 // null terminator size
 	}
 
 	b := (*[1<<30 - 1]byte)(unsafe.Pointer(e.Buffer + uintptr(offset)))[:length:length]
@@ -715,7 +727,7 @@ func (e *EventRecord) ReadNTUnicodeString(offset uint16) (string, uint16) {
 		Buffer:        (*uint16)(unsafe.Pointer(&b[0])),
 	}
 
-	return s.String(), offset + s.Length
+	return s.String(), s.Length + offset
 }
 
 // ConsumeUTF16String reads the byte slice with UTF16-encoded string
diff --git a/pkg/sys/etw/types_test.go b/pkg/sys/etw/types_test.go
@@ -84,7 +84,7 @@ func TestReadBuffer(t *testing.T) {
 
 				name, noffset := ev.ReadAnsiString(offset)
 				assert.Equal(t, "cmd.exe", name)
-				cmdline, _ := ev.ReadUTF16String(noffset + offset)
+				cmdline, _ := ev.ReadUTF16String(noffset)
 				assert.Equal(t, "C:\\WINDOWS\\system32\\cmd.exe /c dir /-C /W \"\\\\?\\c:\\Users\\nedo\\AppData\\Roaming\\RabbitMQ\\db\\rabbit@archrabbit-mnesia\"", cmdline)
 			},
 		},
