CeLogImportTable (Compact 2013)

3/28/2014

This structure contains function pointers and data provided by the kernel for use by CeLog.

Syntax

typedef struct _CeLogImportTable {
  DWORD dwVersion;
  FARPROC pCreateEventW;
  FARPROC pEventModify;
  FARPROC pCreateFileMappingW;
  FARPROC pMapViewOfFile;
  FARPROC pUnmapViewOfFile;
  FARPROC pCloseHandle;
  FARPROC pLockPages;
  FARPROC pUnlockPages;
  FARPROC pVirtualAlloc;
  FARPROC pVirtualFree;
  FARPROC pMapPtrToProcess;
  FARPROC pQueryPerformanceCounter;
  FARPROC pQueryPerformanceFrequency;
  FARPROC pNKDbgPrintfW;
  FARPROC pCeLogReSync;
  FARPROC pGetLastError;
  FARPROC pSetLastError;
  FARPROC pGetThreadCallStack;
  FARPROC pInSysCall;
  DWORD* pdwCeLogTLBMiss;
  DWORD dwCeLogLargeBuf;
  DWORD dwCeLogSmallBuf;
  DWORD dwDefaultThreadQuantum;
} CeLogImportTable;

Members

• dwVersion
  Version of this structure.

  Must be set to 4.

• pCreateEventW
  Pointer to the DLL version of the CreateEvent function.

• pEventModify
  Pointer to the DLL version of EventModify.

  EventModify is used to implement the SetEvent, the ResetEvent, and the PulseEvent functions. The equivalent calls for these are:

  SetEvent(h)->pEventModify(h, EVENT_SET)

  ResetEvent(h)->pEventModify(h, EVENT_RESET)

  PulseEvent(h)->pEventModify(h, EVENT_PULSE)

  The pEventModify function that you pass as part of CeLogImportTable does nothing if you call it during a KCall. A CeLog DLL can test whether it's in a KCall by using the pInSysCall function that's part of CeLogImportTable too. See KCall Check section in Remarks.

• pCreateFileMappingW
  Pointer to the DLL version of the CreateFileMapping function.

• pMapViewOfFile
  Pointer to the DLL version of the MapViewOfFile function.

  This pointer will be NULL if the kernel does not include support for memory-mapped files.

• pUnmapViewOfFile
  Pointer to the DLL version of the UnmapViewOfFile function.

• pCloseHandle
  Pointer to the DLL's version of the CloseHandle function.

• pLockPages
  Pointer to the DLL's version of the LockPages function.

• pUnlockPages
  Pointer to the DLL's version of the UnlockPages function.

• pVirtualAlloc
  Pointer to the DLL's version of the VirtualAlloc function.

• pVirtualFree
  Pointer to the DLL version of the VirtualFree function.

• pQueryPerformanceCounter
  Pointer to the DLL version of the QueryPerformanceCounter function.

• pQueryPerformanceFrequency
  Pointer to the DLL version of the QueryPerformanceFrequency function.

• pNKDbgPrintfW
  Pointer to the DLL version of NKDbgPrintf.

• pCeLogReSync
  Pointer to the DLL version of the CeLogReSync function.

• pGetLastError
  Pointer to the DLL version of the GetLastError function.

• pSetLastError
  Pointer to the DLL version of the SetLastError function.

• pGetThreadCallStack
  Pointer to the DLL version of the GetThreadCallStack function.

• pInSysCall
  Pointer to the DLL's version of the InSysCall wrapper function.

  For information about important restrictions for this function, see the Remarks section.

• pdwCeLogTLBMiss
  Pointer to the translation look-aside buffer (TLB) miss count.

  The kernel software TLB miss handler maintains this pointer.

• dwCeLogLargeBuf
  OEM-changeable large buffer size.

• dwCeLogSmallBuf
  OEM-changeable small buffer size.

• dwDefaultThreadQuantum
  Scheduler default thread quantum.

Remarks

This structure is used in conjunction with IOCTL_CELOG_IMPORT, which is the I/O control used by the CeLog DLL to request information about the kernel.

Because an event tracking library loads into the kernel, the kernel often calls CeLogData from within parts of the kernel where it is not safe to make system calls. These restrictions mean that it is not safe to interact with the kernel debugger to perform activities such as setting a breakpoint, or stepping through the code in the debugger.

In addition, it is not safe to call the functions in this structure that are logged during restricted parts of the kernel. Failing to follow these restrictions might cause an unrecoverable system crash.

The following list shows the CeLog events which are logged during restricted parts of the kernel; that is, the following list shows the CeLog events for which the pInSysCall function of this structure returns TRUE.

• CELID_THREAD_SWITCH
• CELID_THREAD_QUANTUMEXPIRE
• CELID_SYSTEM_INVERT
• CELID_THREAD_PRIORITY
• CELID_THREAD_QUANTUM
• CELID_THREAD_SUSPEND
• CELID_THREAD_RESUME
• CELID_PROCESS_CREATE
• CELID_EXTRA_PROCESS_INFO
• CELID_THREAD_CREATE
• CELID_MODULE_LOAD
• CELID_EXTRA_MODULE_INFO
• CELID_MODULE_REFERENCES
• CELID_LOG_MARKER
• CELID_SYNC_END

KCall check

CeLogImportTable g_PubImports;  // Initialization not shown
HANDLE hEvent;  // Initialization not shown
BOOL g_NeedToSetEvent = FALSE;
//
// Note: This code is not thread safe
if (g_NeedToSetEvent || <detect a need to set the event>)
{
   // If we need to set the event
   if (g_PubImports.pInSysCall())
   {
      // We can't set the event now... do it on our next call
      g_NeedToSetEvent = TRUE;
   }
   else
   {
      g_PubImports.pEventModify(hEvent, EVENT_SET);
      g_NeedToSetEvent = FALSE;
   }
}

Requirements

See Also

Reference

CeLog Event Tracking Structures
LockPages
UnlockPages
VirtualAlloc
VirtualFree
QueryPerformanceCounter
QueryPerformanceFrequency
CeLogReSync
GetLastError
SetLastError
GetThreadCallStack

Other Resources

OAL Structures
CreateFileMapping
MapViewOfFile
UnmapViewOfFile
CloseHandle
IOCTL_CELOG_IMPORT