From 2c19173bdcac40ef4d640a6358dc2829764d6660 Mon Sep 17 00:00:00 2001
From: Min Jeong
Date: Tue, 12 Nov 2024 13:46:42 -0800
Subject: [PATCH] Only allocate one EventRecordMetadata^ and reuse it for RawProvider events
---
 .../EventRecordMetadata.hpp | 9 +++++----
 Microsoft.O365.Security.Native.ETW/RawProvider.hpp | 8 +++++++-
 2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/Microsoft.O365.Security.Native.ETW/EventRecordMetadata.hpp b/Microsoft.O365.Security.Native.ETW/EventRecordMetadata.hpp
index 8f112eb..2e14bdb 100644
--- a/Microsoft.O365.Security.Native.ETW/EventRecordMetadata.hpp
+++ b/Microsoft.O365.Security.Native.ETW/EventRecordMetadata.hpp
@@ -17,15 +17,16 @@ namespace Microsoft { namespace O365 { namespace Security { namespace ETW {
 ///
 public ref class EventRecordMetadata : public IEventRecordMetadata {
- protected:
- const EVENT_RECORD* record_;
- const EVENT_HEADER* header_;
-
 internal:
 EventRecordMetadata(const EVENT_RECORD& record)
 : record_(&record)
 , header_(&record.EventHeader) { }
+ EventRecordMetadata() { }
+
+ const EVENT_RECORD* record_;
+ const EVENT_HEADER* header_;
+
 public:
 // For container ID's, we are expecting format "00000000-0000-0000-0000-0000000000000",
 // 32 hex digits with 4 hyphens, no braces.
diff --git a/Microsoft.O365.Security.Native.ETW/RawProvider.hpp b/Microsoft.O365.Security.Native.ETW/RawProvider.hpp
index 183c6ff..dbbb3f5 100644
--- a/Microsoft.O365.Security.Native.ETW/RawProvider.hpp
+++ b/Microsoft.O365.Security.Native.ETW/RawProvider.hpp
@@ -122,6 +122,7 @@ namespace Microsoft { namespace O365 { namespace Security { namespace ETW {
 NativePtr> provider_;
 GCHandle delegateHookHandle_;
 GCHandle delegateHandle_;
+ EventRecordMetadata^ data_;
 void SetUpProvider();
 };
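Review bot: `record_` and `header_` move from `protected` to `internal` so the provider can rewrite them, but nothing now states what they point at or for how long; they reference the ETW-owned EVENT_RECORD passed into the callback, which is only valid while that callback runs. Add above the two fields `/// Non-owning pointers into the EVENT_RECORD currently being delivered by ETW; valid only for the duration of the event callback and rewritten by the provider for each event.` The parameterless constructor leaves both pointers null until the provider assigns them (C++/CLI ref class fields are zero-initialized by gcnew, so they are not indeterminate), which is fine but deserves a line such as `/// Creates an empty instance whose record_/header_ are set per event by the owning provider.` The class body continues outside the hunk.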
@@ -148,6 +149,8 @@ namespace Microsoft { namespace O365 { namespace Security { namespace ETW {
 delegateHookHandle_ = GCHandle::Alloc(bridged);
 provider_->add_on_event_callback((krabs::c_provider_callback)bridged.ToPointer());
+
+ data_ = gcnew EventRecordMetadata();
 }
 inline RawProvider::~RawProvider()
@@ -165,6 +168,9 @@ namespace Microsoft { namespace O365 { namespace Security { namespace ETW {
 inline void RawProvider::EventNotification(const EVENT_RECORD &record) {
- OnEvent(gcnew EventRecordMetadata(record));
+ data_->record_ = &record;
+ data_->header_ = &record.EventHeader;
+
+ OnEvent(data_);
 }
 } } } }
\ No newline at end of file
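Review bot: `data_` is assigned only after the native callback has been registered with `provider_->add_on_event_callback(...)`, so any event delivered between those two statements would reach EventNotification with `data_` still null. Whether that window is reachable depends on whether a RawProvider can already be attached to a running trace when SetUpProvider runs, which is not visible here, but the ordering is trivially fixable: move `data_ = gcnew EventRecordMetadata();` above the `add_on_event_callback` call so the object exists before any callback can fire. SetUpProvider's body starts outside the hunk.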
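Review bot: Reusing one `data_` object across events changes the lifetime contract for subscribers: the `EventRecordMetadata^` handed to `OnEvent` now points at the next event's EVENT_RECORD (or at released ETW buffer memory) as soon as the handler returns, whereas a freshly allocated object at least stayed tied to the record it was created for. Any subscriber that queues, captures, or logs the handle asynchronously will silently read another event's data, which for a security telemetry pipeline is a data-integrity problem rather than an obvious crash. Document that contract on OnEvent and, so stale use fails fast instead of reading freed memory, clear the pointers after the call, e.g. `data_->record_ = nullptr;` and `data_->header_ = nullptr;` following `OnEvent(data_);` (in a finally block if OnEvent can throw). The rewrite also assumes EventNotification is never invoked concurrently for the same provider, which presumably holds when events are delivered from a single trace-processing thread but should be stated in a comment on `data_`.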