From 5b9e81e372e64186b259820e3563a9089600f6a4 Mon Sep 17 00:00:00 2001
From: Min Jeong
Date: Tue, 12 Nov 2024 14:56:20 -0800
Subject: [PATCH] Use Update() method instead of exposing the internal fields on EventRecordMetadata

---
 .../EventRecordMetadata.hpp | 11 +++++++++--
 Microsoft.O365.Security.Native.ETW/RawProvider.hpp | 3 +--
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/Microsoft.O365.Security.Native.ETW/EventRecordMetadata.hpp b/Microsoft.O365.Security.Native.ETW/EventRecordMetadata.hpp
index 2e14bdb..2d07f42 100644
--- a/Microsoft.O365.Security.Native.ETW/EventRecordMetadata.hpp
+++ b/Microsoft.O365.Security.Native.ETW/EventRecordMetadata.hpp
@@ -17,6 +17,10 @@ namespace Microsoft { namespace O365 { namespace Security { namespace ETW {
 ///
 public ref class EventRecordMetadata : public IEventRecordMetadata
 {
+protected:
+const EVENT_RECORD* record_;
+const EVENT_HEADER* header_;
+
 internal:
 EventRecordMetadata(const EVENT_RECORD& record)
 : record_(&record)
@@ -24,8 +28,11 @@ namespace Microsoft { namespace O365 { namespace Security { namespace ETW {
 
 EventRecordMetadata() { }
 
-const EVENT_RECORD* record_;
-const EVENT_HEADER* header_;
+virtual void Update(const EVENT_RECORD& record)
+{
+record_ = &record;
+header_ = &record.EventHeader;
+}
 
 public:
 // For container ID's, we are expecting format "00000000-0000-0000-0000-0000000000000",
diff --git a/Microsoft.O365.Security.Native.ETW/RawProvider.hpp b/Microsoft.O365.Security.Native.ETW/RawProvider.hpp
index dbbb3f5..4f81642 100644
--- a/Microsoft.O365.Security.Native.ETW/RawProvider.hpp
+++ b/Microsoft.O365.Security.Native.ETW/RawProvider.hpp
@@ -168,8 +168,7 @@ namespace Microsoft { namespace O365 { namespace Security { namespace ETW {
 
 inline void RawProvider::EventNotification(const EVENT_RECORD &record)
 {
-data_->record_ = &record;
-data_->header_ = &record.EventHeader;
+data_->Update(record);
 OnEvent(data_);
 }
 
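Review bot: `Update` stores two raw pointers into a caller-owned `EVENT_RECORD` and carries no comment saying so, and nothing visible in this hunk ever resets them, so the object is only meaningful while that record is alive; the caller in RawProvider.hpp (third hunk) re-points one shared `data_` per event, which makes the lifetime contract worth stating at the declaration. I would add above `virtual void Update(const EVENT_RECORD& record)` the comment `/// Rebinds this metadata to record without copying it; the stored pointers are valid only as long as record is, so this object must not be retained past the callback that supplied the record.` The default constructor two lines above leaves `record_` and `header_` without a visible initializer, so a note that a default-constructed instance must be `Update`d before any accessor is used belongs there as well. The enclosing class continues outside the hunk.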
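Review bot: `EventNotification` rebinds the single shared `data_` through `Update` and then publishes it via `OnEvent`, so correctness depends on every subscriber being finished with `data_` before the next event arrives and on this callback never running concurrently; neither constraint is visible in the hunk. If the provider can be driven by more than one trace thread, or a subscriber keeps the reference after `OnEvent` returns, the next `Update` silently repoints what that subscriber is still reading. A comment on the `data_->Update(record);` line such as `// data_ is one reused instance: valid only for this callback and this OnEvent dispatch; not safe for reentrant or concurrent delivery` records the assumption, and if reentrancy is possible a per-event instance would be the safer shape.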