RtlTraceDatabaseEnumerate


Enumerates all entries in the database or in a specific bucket

Syntax

BOOLEAN WINAPI RtlTraceDatabaseEnumerate (
    PRTL_TRACE_DATABASE pDatabase,
    PRTL_TRACE_ENUM pEnumData,
    PRTL_TRACE_BLOCK* ppBlock
)

Parameters

pDatabase
The database to enumerate
pEnumData
Starting point of the enumeration
ppBlock
A pointer to a pointer that receives the next block in the enum sequence

Return Value

Nonzero if the enumeration found a new block, zero when finished

Remarks

RTL_TRACE_ENUM is defined as:

// Enumeration cursor for RtlTraceDatabaseEnumerate. Zero every member before the
// first call, then pass the same structure to each subsequent call.
typedef struct _RTL_TRACE_ENUM
{
    PRTL_TRACE_DATABASE pDatabase; // output: set to the pDatabase argument by the function
    ULONG bucketIndex; // output: bucket index of the block returned in ppBlock
    PRTL_TRACE_BLOCK pStartingBlock; // input: zero to enumerate all buckets, or a block in the single bucket to enumerate
} RTL_TRACE_ENUM, *PRTL_TRACE_ENUM;

To start the enumeration, set all members to zero, then keep passing the same structure to the function until it returns zero. To enumerate the blocks in a single bucket only, set RTL_TRACE_ENUM::pStartingBlock to a block in that bucket and loop as normal.

Example

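/*
 * Example: create a trace database, store two captured stack traces in it,
 * enumerate every stored block, then destroy the database.
 *
 * Returns 0 in all cases; failures are reported on stdout.
 */
int __cdecl main()
{
    // LoadNtdllFnPtrs(); - left as an exercise
    RTL_TRACE_DATABASE* pDatabase = RtlTraceDatabaseCreate(6263, 10000, 0, 0, 0);
    if(pDatabase)
    {
        PVOID trace[5] = {NULL};
        USHORT gotFrames = RtlCaptureStackBackTrace(0, 5, trace, NULL);
        PRTL_TRACE_BLOCK pBlock = NULL;
        // NOTE(review): assumes RtlTraceDatabaseAdd returns nonzero on success;
        // its prototype is not shown on this page - confirm.
        if(RtlTraceDatabaseAdd(pDatabase, gotFrames, trace, &pBlock))
        {
            printf("Added trace block %p\n", (PVOID)pBlock);
        }
        else
        {
            puts("Failed to add first trace block");
        }
        // Reset the out-pointer so a failed add cannot leave the first block's
        // address behind and be mistaken for a second block.
        pBlock = NULL;
        gotFrames = RtlCaptureStackBackTrace(1, 4, trace, NULL);
        if(RtlTraceDatabaseAdd(pDatabase, gotFrames, trace, &pBlock))
        {
            printf("Added second trace block %p\n", (PVOID)pBlock);
        }
        else
        {
            puts("Failed to add second trace block");
        }
        // All members must be zero to start a full enumeration. The same
        // structure is passed on every call because the function updates it.
        RTL_TRACE_ENUM enumData = {0};
        pBlock = NULL;
        puts("Starting enum");
        while(RtlTraceDatabaseEnumerate(pDatabase, &enumData, &pBlock))
        {
            // bucketIndex is a ULONG, so it is printed with %lu; %Iu expects a
            // size_t, which is wider than ULONG on 64-bit builds.
            printf("Found block at %p in bucket %lu\n", (PVOID)pBlock, enumData.bucketIndex);
        }
        puts("Finished enumeration");
        // NOTE(review): the enumerated blocks presumably live in storage owned
        // by the database - do not use pBlock after this call; confirm.
        RtlTraceDatabaseDestroy(pDatabase);
    }
    else
    {
        puts("Failed to create trace database");
    }
    return 0;
}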