Hello Krabs Team :)
I'm using Lobster to monitor changes happening in the registry. I've encountered a scenario where I need to be in control of EVENT_FILTER_DESCRIPTOR before it is passed to EnableTraceEx2 via the ENABLE_TRACE_PARAMETERS struct. This is because there is undocumented behavior in the registry provider that allows gathering additional data when setting the EVENT_FILTER_DESCRIPTOR.Ptr value accordingly.
Are you aware of a way to control this value from Lobster, or is it possible to enable the provider myself and catch the callback via a Lobster callback in the native layer?
I can also come up with a PR in case you want to include this ability in Lobster.
Thanks!