Enumerates all entries in the database or in a specific bucket
Syntax
/* Enumerates all entries in the database or in a specific bucket.
 * Returns nonzero if the enumeration found a new block, zero when finished. */
BOOLEAN WINAPI RtlTraceDatabaseEnumerate (
PRTL_TRACE_DATABASE pDatabase, /* the database to enumerate */
PRTL_TRACE_ENUM pEnumData, /* enumeration state; zero all members before the first call and pass the same structure on every call */
PRTL_TRACE_BLOCK* ppBlock /* receives the next block in the enumeration sequence */
)
Parameters
- pDatabase
- The database to enumerate
- pEnumData
- Starting point of the enumeration
- ppBlock
- A pointer to a pointer that receives the next block in the enum sequence
Return Value
Nonzero if the enumeration found a new block, zero when finished
Remarks
RTL_TRACE_ENUM is defined as:
typedef struct _RTL_TRACE_ENUM {
    PRTL_TRACE_DATABASE pDatabase; // will be set to pDatabase by the function
    ULONG bucketIndex; // bucket index of the block returned in ppBlock
    PRTL_TRACE_BLOCK pStartingBlock; // a block to start enumeration from
} RTL_TRACE_ENUM, *PRTL_TRACE_ENUM;

To start the enumeration, set all members to zero and keep passing the same structure to the function. To enumerate blocks in a single bucket only, set RTL_TRACE_ENUM::pStartingBlock to a block in the bucket and loop as normal.
Example
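/*
 * Example for RtlTraceDatabaseEnumerate: creates a trace database, adds two
 * captured stack back-traces to it, enumerates every block from the start,
 * then destroys the database.
 *
 * Returns 0 in all cases, including when the database could not be created.
 */
int __cdecl main()
{
    // LoadNtdllFnPtrs(); - left as an exercise
    // NOTE(review): presumably the RtlTraceDatabase* routines are reached
    // through pointers resolved from ntdll.dll at run time. Check every
    // resolved pointer for NULL before the first call; an export that is
    // missing on the running system would otherwise be called through a
    // null pointer.

    RTL_TRACE_DATABASE* pDatabase = RtlTraceDatabaseCreate(6263, 10000, 0, 0, 0);
    if (pDatabase)
    {
        PVOID trace[5] = {NULL};

        // First trace: up to 5 frames, starting at the current frame.
        USHORT gotFrames = RtlCaptureStackBackTrace(0, 5, trace, NULL);
        PRTL_TRACE_BLOCK pBlock = NULL;
        RtlTraceDatabaseAdd(pDatabase, gotFrames, trace, &pBlock);
        printf("Added trace block %p\n", (PVOID)pBlock);

        // Second trace: skip one frame and capture up to 4.
        gotFrames = RtlCaptureStackBackTrace(1, 4, trace, NULL);
        // Reset the out pointer so that a failed add is not reported with the
        // first block's address (assumes a failed add leaves *ppBlock
        // untouched - TODO confirm).
        pBlock = NULL;
        RtlTraceDatabaseAdd(pDatabase, gotFrames, trace, &pBlock);
        printf("Added second trace block %p\n", (PVOID)pBlock);

        // All members zero means "start from the beginning". The same
        // structure must be passed on every call because it carries the
        // enumeration state between calls.
        RTL_TRACE_ENUM enumData = {0};
        puts("Starting enum");
        while (RtlTraceDatabaseEnumerate(pDatabase, &enumData, &pBlock))
        {
            // bucketIndex is a ULONG, so it is printed with %lu; the size_t
            // specifier %Iu does not match a ULONG on 64-bit builds.
            printf("Found block at %p in bucket %lu\n", (PVOID)pBlock, enumData.bucketIndex);
        }
        puts("Finished enumeration");

        // NOTE(review): the enumerated blocks presumably belong to the
        // database, so pBlock should not be dereferenced after this call.
        RtlTraceDatabaseDestroy(pDatabase);
    }
    return 0;
}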