npm - @bun-win32/tdh - Versions diffs - 1.0.0 - Mend

@bun-win32/tdh 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/AI.md ADDED Viewed

@@ -0,0 +1,71 @@
+# AI Guide for @bun-win32/tdh
+How to use this package, not what the Win32 API does.
+## Usage
+```ts
+import Tdh, { SomeFlag } from '@bun-win32/tdh';
+// Methods bind lazily on first call
+const result = Tdh.SomeFunctionW(arg1, arg2);
+// Preload: array, single string, or no args (all symbols)
+Tdh.Preload(['SomeFunctionW', 'AnotherFunction']);
+Tdh.Preload('SomeFunctionW');
+Tdh.Preload();
+```
+## Where To Look
+| Need                              | Read             |
+| --------------------------------- | ---------------- |
+| Find a method or its MS Docs link | `structs/Tdh.ts` |
+| Find types, enums, constants      | `types/Tdh.ts`   |
+| Quick examples                    | `README.md`      |
+`index.ts` re-exports the class and all types — import from `@bun-win32/tdh` directly.
+## Calling Convention
+All documented `tdh.dll` exports are bound. Each method maps 1:1 to its DLL export. Names, parameter names, and order match Microsoft Docs.
+### Strings
+`W` methods take UTF-16LE NUL-terminated buffers. `A` methods take ANSI strings.
+```ts
+const wide = Buffer.from('Hello\0', 'utf16le'); // LPCWSTR
+Tdh.SomeFunctionW(wide.ptr);
+// Reading a wide string back from a buffer:
+const text = new TextDecoder('utf-16').decode(buf).replace(/\0.*$/, '');
+```
+### Return types
+- `HANDLE`, `HWND`, etc. → `bigint`
+- `DWORD`, `UINT`, `BOOL`, `INT`, `LONG` → `number`
+- `LPVOID`, `LPWSTR`, etc. → `Pointer`
+- Win32 `BOOL` is `number` (0 or non-zero), **not** JS `boolean`. Do not compare with `=== true`.
+### Pointers, handles, out-parameters
+- **Pointer** params (`LP*`, `P*`, `Pointer`): pass `buffer.ptr` from a caller-allocated `Buffer`.
+- **Handle** params (`HANDLE`, `HWND`, etc.): pass a `bigint` value.
+- **Out-parameters**: allocate a `Buffer`, pass `.ptr`, read the result after the call.
+```ts
+const out = Buffer.alloc(4);
+Tdh.SomeFunction(out.ptr);
+const value = out.readUInt32LE(0);
+```
+### Nullability
+- `| NULL` in a signature → pass `null` (optional pointer).
+- `| 0n` in a signature → pass `0n` (optional handle).
+## Errors and Cleanup
+Return values are raw. If the Win32 function uses last-error semantics, read via `GetLastError()`. Resource cleanup is your responsibility — same as raw Win32.

package/README.md ADDED Viewed

@@ -0,0 +1,71 @@
+# @bun-win32/tdh
+Zero-dependency, zero-overhead Win32 TDH bindings for [Bun](https://bun.sh) on Windows.
+## Overview
+`@bun-win32/tdh` exposes the `tdh.dll` exports using [Bun](https://bun.sh)'s FFI. It provides a single class, `Tdh`, which lazily binds native symbols on first use. You can optionally preload a subset or all symbols up-front via `Preload()`.
+The bindings are strongly typed for a smooth DX in TypeScript.
+`tdh.dll` is the **Trace Data Helper** — the decoding layer for Event Tracing for Windows (ETW). It turns the opaque binary `EVENT_RECORD`s delivered by an ETW session into structured, named, human-readable data, and enumerates the providers and event schemas registered on the machine. Pair it with `@bun-win32/advapi32` (`StartTrace` / `OpenTrace` / `ProcessTrace`) to build a complete trace consumer.
+## Features
+- [Bun](https://bun.sh)-first ergonomics on Windows 10/11.
+- Direct FFI to `tdh.dll` (ETW event metadata, property formatting, provider/field/event-schema enumeration, value/bitmap decoding, manifest loading, and payload filters).
+- In-source docs in `structs/Tdh.ts` with links to Microsoft Docs.
+- Lazy binding on first call; optional eager preload (`Tdh.Preload()`).
+- No wrapper overhead; calls map 1:1 to native APIs.
+- Strongly-typed Win32 aliases (see `types/Tdh.ts`).
+## Requirements
+- [Bun](https://bun.sh) runtime
+- Windows 10 or later
+## Installation
+```sh
+bun add @bun-win32/tdh
+```
+## Quick Start
+```ts
+import Tdh from '@bun-win32/tdh';
+// Optionally bind a subset up-front
+Tdh.Preload(['TdhEnumerateProviders']);
+// Two-call sizing pattern: first NULL to learn the size, then allocate.
+const bufferSize = Buffer.alloc(4);
+// ERROR_INSUFFICIENT_BUFFER (122) on the sizing call is expected.
+Tdh.TdhEnumerateProviders(null, bufferSize.ptr);
+const buffer = Buffer.alloc(bufferSize.readUInt32LE(0));
+const status = Tdh.TdhEnumerateProviders(buffer.ptr, bufferSize.ptr);
+if (status === 0) {
+  // PROVIDER_ENUMERATION_INFO: ULONG NumberOfProviders; ULONG Reserved; TRACE_PROVIDER_INFO[]
+  console.log('Registered ETW providers: %d', buffer.readUInt32LE(0));
+}
+```
+> [!NOTE]
+> AI agents: see `AI.md` for the package binding contract and source-navigation guidance. It explains how to use the package without scanning the entire implementation.
+## Examples
+Run the included examples:
+```sh
+bun run example:etw-live-monitor     # Live, color-coded ETW event stream (cross-package with advapi32)
+bun run example:provider-explorer    # Full ETW provider + event-schema enumeration report
+```
+## Notes
+- Either rely on lazy binding or call `Tdh.Preload()`.
+- Windows only. Bun runtime required.

package/index.ts ADDED Viewed

@@ -0,0 +1,4 @@
+import Tdh from './structs/Tdh';
+export * from './types/Tdh';
+export default Tdh;

package/package.json ADDED Viewed

@@ -0,0 +1,59 @@
+{
+  "author": "Stev Peifer <stev@bell.net>",
+  "bugs": {
+    "url": "https://github.com/ObscuritySRL/bun-win32/issues"
+  },
+  "dependencies": {
+    "@bun-win32/core": "1.1.2"
+  },
+  "description": "Zero-dependency, zero-overhead Win32 TDH bindings for Bun (FFI) on Windows.",
+  "devDependencies": {
+    "@bun-win32/advapi32": "1.0.11",
+    "@bun-win32/kernel32": "1.0.21",
+    "@types/bun": "latest"
+  },
+  "exports": {
+    ".": "./index.ts"
+  },
+  "license": "MIT",
+  "module": "index.ts",
+  "name": "@bun-win32/tdh",
+  "peerDependencies": {
+    "typescript": "^5"
+  },
+  "private": false,
+  "homepage": "https://github.com/ObscuritySRL/bun-win32#readme",
+  "repository": {
+    "type": "git",
+    "url": "git://github.com/ObscuritySRL/bun-win32.git",
+    "directory": "packages/tdh"
+  },
+  "type": "module",
+  "version": "1.0.0",
+  "main": "./index.ts",
+  "keywords": [
+    "bun",
+    "ffi",
+    "win32",
+    "windows",
+    "tdh",
+    "bindings",
+    "typescript",
+    "dll"
+  ],
+  "files": [
+    "AI.md",
+    "README.md",
+    "index.ts",
+    "structs/*.ts",
+    "types/*.ts"
+  ],
+  "sideEffects": false,
+  "engines": {
+    "bun": ">=1.1.0"
+  },
+  "scripts": {
+    "example:etw-live-monitor": "bun ./example/etw-live-monitor.ts",
+    "example:provider-explorer": "bun ./example/provider-explorer.ts"
+  }
+}

package/structs/Tdh.ts ADDED Viewed

@@ -0,0 +1,245 @@
+import { type FFIFunction, FFIType } from 'bun:ffi';
+import { Win32 } from '@bun-win32/core';
+import type {
+  BOOLEAN,
+  DECODING_SOURCE,
+  EVENT_FIELD_TYPE,
+  LPCGUID,
+  LPCVOID,
+  LPGUID,
+  NULL,
+  PBOOLEAN,
+  PBYTE,
+  PCEVENT_DESCRIPTOR,
+  PEVENT_DESCRIPTOR,
+  PEVENT_FILTER_DESCRIPTOR,
+  PEVENT_MAP_INFO,
+  PEVENT_RECORD,
+  PPAYLOAD_FILTER_PREDICATE,
+  PPPROVIDER_FILTER_INFO,
+  PPROPERTY_DATA_DESCRIPTOR,
+  PPROVIDER_ENUMERATION_INFO,
+  PPROVIDER_EVENT_INFO,
+  PPROVIDER_FIELD_INFOARRAY,
+  PPVOID,
+  PTDH_CONTEXT,
+  PTDH_HANDLE,
+  PTRACE_EVENT_INFO,
+  PULONG,
+  PUSHORT,
+  PWCHAR,
+  PWSTR,
+  TDH_HANDLE,
+  TDHSTATUS,
+  ULONG,
+  ULONGLONG,
+  USHORT,
+} from '../types/Tdh';
+/**
+ * Thin, lazy-loaded FFI bindings for `tdh.dll`.
+ *
+ * Each static method corresponds one-to-one with a Win32 export declared in `Symbols`.
+ * The first call to a method binds the underlying native symbol via `bun:ffi` and
+ * memoizes it on the class for subsequent calls. For bulk, up-front binding, use `Preload`.
+ *
+ * Symbols are defined with explicit `FFIType` signatures and kept alphabetized.
+ * You normally do not access `Symbols` directly; call the static methods or preload
+ * a subset for hot paths.
+ *
+ * @example
+ * ```ts
+ * import Tdh from './structs/Tdh';
+ *
+ * // Lazy: bind on first call
+ * const status = Tdh.TdhEnumerateProviders(buffer.ptr, size.ptr);
+ *
+ * // Or preload a subset to avoid per-symbol lazy binding cost
+ * Tdh.Preload(['TdhGetEventInformation', 'TdhFormatProperty']);
+ * ```
+ */
+class Tdh extends Win32 {
+  protected static override name = 'tdh.dll';
+  /** @inheritdoc */
+  protected static override readonly Symbols = {
+    TdhAggregatePayloadFilters: { args: [FFIType.u32, FFIType.ptr, FFIType.ptr, FFIType.ptr], returns: FFIType.u32 },
+    TdhCleanupPayloadEventFilterDescriptor: { args: [FFIType.ptr], returns: FFIType.u32 },
+    TdhCloseDecodingHandle: { args: [FFIType.u64], returns: FFIType.u32 },
+    TdhCreatePayloadFilter: { args: [FFIType.ptr, FFIType.ptr, FFIType.u8, FFIType.u32, FFIType.ptr, FFIType.ptr], returns: FFIType.u32 },
+    TdhDeletePayloadFilter: { args: [FFIType.ptr], returns: FFIType.u32 },
+    TdhEnumerateManifestProviderEvents: { args: [FFIType.ptr, FFIType.ptr, FFIType.ptr], returns: FFIType.u32 },
+    TdhEnumerateProviderFieldInformation: { args: [FFIType.ptr, FFIType.i32, FFIType.ptr, FFIType.ptr], returns: FFIType.u32 },
+    TdhEnumerateProviderFilters: { args: [FFIType.ptr, FFIType.u32, FFIType.ptr, FFIType.ptr, FFIType.ptr, FFIType.ptr], returns: FFIType.u32 },
+    TdhEnumerateProviders: { args: [FFIType.ptr, FFIType.ptr], returns: FFIType.u32 },
+    TdhEnumerateProvidersForDecodingSource: { args: [FFIType.i32, FFIType.ptr, FFIType.u32, FFIType.ptr], returns: FFIType.u32 },
+    TdhFormatProperty: { args: [FFIType.ptr, FFIType.ptr, FFIType.u32, FFIType.u16, FFIType.u16, FFIType.u16, FFIType.u16, FFIType.ptr, FFIType.ptr, FFIType.ptr, FFIType.ptr], returns: FFIType.u32 },
+    TdhGetDecodingParameter: { args: [FFIType.u64, FFIType.ptr], returns: FFIType.u32 },
+    TdhGetEventInformation: { args: [FFIType.ptr, FFIType.u32, FFIType.ptr, FFIType.ptr, FFIType.ptr], returns: FFIType.u32 },
+    TdhGetEventMapInformation: { args: [FFIType.ptr, FFIType.ptr, FFIType.ptr, FFIType.ptr], returns: FFIType.u32 },
+    TdhGetManifestEventInformation: { args: [FFIType.ptr, FFIType.ptr, FFIType.ptr, FFIType.ptr], returns: FFIType.u32 },
+    TdhGetProperty: { args: [FFIType.ptr, FFIType.u32, FFIType.ptr, FFIType.u32, FFIType.ptr, FFIType.u32, FFIType.ptr], returns: FFIType.u32 },
+    TdhGetPropertySize: { args: [FFIType.ptr, FFIType.u32, FFIType.ptr, FFIType.u32, FFIType.ptr, FFIType.ptr], returns: FFIType.u32 },
+    TdhGetWppMessage: { args: [FFIType.u64, FFIType.ptr, FFIType.ptr, FFIType.ptr], returns: FFIType.u32 },
+    TdhGetWppProperty: { args: [FFIType.u64, FFIType.ptr, FFIType.ptr, FFIType.ptr, FFIType.ptr], returns: FFIType.u32 },
+    TdhLoadManifest: { args: [FFIType.ptr], returns: FFIType.u32 },
+    TdhLoadManifestFromBinary: { args: [FFIType.ptr], returns: FFIType.u32 },
+    TdhLoadManifestFromMemory: { args: [FFIType.ptr, FFIType.u32], returns: FFIType.u32 },
+    TdhOpenDecodingHandle: { args: [FFIType.ptr], returns: FFIType.u32 },
+    TdhQueryProviderFieldInformation: { args: [FFIType.ptr, FFIType.u64, FFIType.i32, FFIType.ptr, FFIType.ptr], returns: FFIType.u32 },
+    TdhSetDecodingParameter: { args: [FFIType.u64, FFIType.ptr], returns: FFIType.u32 },
+    TdhUnloadManifest: { args: [FFIType.ptr], returns: FFIType.u32 },
+    TdhUnloadManifestFromMemory: { args: [FFIType.ptr, FFIType.u32], returns: FFIType.u32 },
+  } as const satisfies Record<string, FFIFunction>;
+  // https://learn.microsoft.com/en-us/windows/win32/api/tdh/nf-tdh-tdhaggregatepayloadfilters
+  public static TdhAggregatePayloadFilters(PayloadFilterCount: ULONG, PayloadFilterPtrs: PPVOID, EventMatchALLFlags: PBOOLEAN | NULL, EventFilterDescriptor: PEVENT_FILTER_DESCRIPTOR): TDHSTATUS {
+    return Tdh.Load('TdhAggregatePayloadFilters')(PayloadFilterCount, PayloadFilterPtrs, EventMatchALLFlags, EventFilterDescriptor);
+  }
+  // https://learn.microsoft.com/en-us/windows/win32/api/tdh/nf-tdh-tdhcleanuppayloadeventfilterdescriptor
+  public static TdhCleanupPayloadEventFilterDescriptor(EventFilterDescriptor: PEVENT_FILTER_DESCRIPTOR): TDHSTATUS {
+    return Tdh.Load('TdhCleanupPayloadEventFilterDescriptor')(EventFilterDescriptor);
+  }
+  // https://learn.microsoft.com/en-us/windows/win32/api/tdh/nf-tdh-tdhclosedecodinghandle
+  public static TdhCloseDecodingHandle(Handle: TDH_HANDLE): TDHSTATUS {
+    return Tdh.Load('TdhCloseDecodingHandle')(Handle);
+  }
+  // https://learn.microsoft.com/en-us/windows/win32/api/tdh/nf-tdh-tdhcreatepayloadfilter
+  public static TdhCreatePayloadFilter(ProviderGuid: LPCGUID, EventDescriptor: PCEVENT_DESCRIPTOR, EventMatchANY: BOOLEAN, PayloadPredicateCount: ULONG, PayloadPredicates: PPAYLOAD_FILTER_PREDICATE, PayloadFilter: PPVOID): TDHSTATUS {
+    return Tdh.Load('TdhCreatePayloadFilter')(ProviderGuid, EventDescriptor, EventMatchANY, PayloadPredicateCount, PayloadPredicates, PayloadFilter);
+  }
+  // https://learn.microsoft.com/en-us/windows/win32/api/tdh/nf-tdh-tdhdeletepayloadfilter
+  public static TdhDeletePayloadFilter(PayloadFilter: PPVOID): TDHSTATUS {
+    return Tdh.Load('TdhDeletePayloadFilter')(PayloadFilter);
+  }
+  // https://learn.microsoft.com/en-us/windows/win32/api/tdh/nf-tdh-tdhenumeratemanifestproviderevents
+  public static TdhEnumerateManifestProviderEvents(ProviderGuid: LPGUID, Buffer: PPROVIDER_EVENT_INFO | NULL, BufferSize: PULONG): TDHSTATUS {
+    return Tdh.Load('TdhEnumerateManifestProviderEvents')(ProviderGuid, Buffer, BufferSize);
+  }
+  // https://learn.microsoft.com/en-us/windows/win32/api/tdh/nf-tdh-tdhenumerateproviderfieldinformation
+  public static TdhEnumerateProviderFieldInformation(pGuid: LPGUID, EventFieldType: EVENT_FIELD_TYPE, pBuffer: PPROVIDER_FIELD_INFOARRAY | NULL, pBufferSize: PULONG): TDHSTATUS {
+    return Tdh.Load('TdhEnumerateProviderFieldInformation')(pGuid, EventFieldType, pBuffer, pBufferSize);
+  }
+  // https://learn.microsoft.com/en-us/windows/win32/api/tdh/nf-tdh-tdhenumerateproviderfilters
+  public static TdhEnumerateProviderFilters(Guid: LPGUID, TdhContextCount: ULONG, TdhContext: PTDH_CONTEXT | NULL, FilterCount: PULONG, Buffer: PPPROVIDER_FILTER_INFO | NULL, BufferSize: PULONG): TDHSTATUS {
+    return Tdh.Load('TdhEnumerateProviderFilters')(Guid, TdhContextCount, TdhContext, FilterCount, Buffer, BufferSize);
+  }
+  // https://learn.microsoft.com/en-us/windows/win32/api/tdh/nf-tdh-tdhenumerateproviders
+  public static TdhEnumerateProviders(pBuffer: PPROVIDER_ENUMERATION_INFO | NULL, pBufferSize: PULONG): TDHSTATUS {
+    return Tdh.Load('TdhEnumerateProviders')(pBuffer, pBufferSize);
+  }
+  // https://learn.microsoft.com/en-us/windows/win32/api/tdh/nf-tdh-tdhenumerateprovidersfordecodingsource
+  public static TdhEnumerateProvidersForDecodingSource(filter: DECODING_SOURCE, buffer: PPROVIDER_ENUMERATION_INFO | NULL, bufferSize: ULONG, bufferRequired: PULONG): TDHSTATUS {
+    return Tdh.Load('TdhEnumerateProvidersForDecodingSource')(filter, buffer, bufferSize, bufferRequired);
+  }
+  // https://learn.microsoft.com/en-us/windows/win32/api/tdh/nf-tdh-tdhformatproperty
+  public static TdhFormatProperty(
+    EventInfo: PTRACE_EVENT_INFO,
+    MapInfo: PEVENT_MAP_INFO | NULL,
+    PointerSize: ULONG,
+    PropertyInType: USHORT,
+    PropertyOutType: USHORT,
+    PropertyLength: USHORT,
+    UserDataLength: USHORT,
+    UserData: PBYTE,
+    BufferSize: PULONG,
+    Buffer: PWCHAR | NULL,
+    UserDataConsumed: PUSHORT,
+  ): TDHSTATUS {
+    return Tdh.Load('TdhFormatProperty')(EventInfo, MapInfo, PointerSize, PropertyInType, PropertyOutType, PropertyLength, UserDataLength, UserData, BufferSize, Buffer, UserDataConsumed);
+  }
+  // https://learn.microsoft.com/en-us/windows/win32/api/tdh/nf-tdh-tdhgetdecodingparameter
+  public static TdhGetDecodingParameter(Handle: TDH_HANDLE, TdhContext: PTDH_CONTEXT): TDHSTATUS {
+    return Tdh.Load('TdhGetDecodingParameter')(Handle, TdhContext);
+  }
+  // https://learn.microsoft.com/en-us/windows/win32/api/tdh/nf-tdh-tdhgeteventinformation
+  public static TdhGetEventInformation(Event: PEVENT_RECORD, TdhContextCount: ULONG, TdhContext: PTDH_CONTEXT | NULL, Buffer: PTRACE_EVENT_INFO | NULL, BufferSize: PULONG): TDHSTATUS {
+    return Tdh.Load('TdhGetEventInformation')(Event, TdhContextCount, TdhContext, Buffer, BufferSize);
+  }
+  // https://learn.microsoft.com/en-us/windows/win32/api/tdh/nf-tdh-tdhgeteventmapinformation
+  public static TdhGetEventMapInformation(pEvent: PEVENT_RECORD, pMapName: PWSTR, pBuffer: PEVENT_MAP_INFO | NULL, pBufferSize: PULONG): TDHSTATUS {
+    return Tdh.Load('TdhGetEventMapInformation')(pEvent, pMapName, pBuffer, pBufferSize);
+  }
+  // https://learn.microsoft.com/en-us/windows/win32/api/tdh/nf-tdh-tdhgetmanifesteventinformation
+  public static TdhGetManifestEventInformation(ProviderGuid: LPGUID, EventDescriptor: PEVENT_DESCRIPTOR, Buffer: PTRACE_EVENT_INFO | NULL, BufferSize: PULONG): TDHSTATUS {
+    return Tdh.Load('TdhGetManifestEventInformation')(ProviderGuid, EventDescriptor, Buffer, BufferSize);
+  }
+  // https://learn.microsoft.com/en-us/windows/win32/api/tdh/nf-tdh-tdhgetproperty
+  public static TdhGetProperty(pEvent: PEVENT_RECORD, TdhContextCount: ULONG, pTdhContext: PTDH_CONTEXT | NULL, PropertyDataCount: ULONG, pPropertyData: PPROPERTY_DATA_DESCRIPTOR, BufferSize: ULONG, pBuffer: PBYTE): TDHSTATUS {
+    return Tdh.Load('TdhGetProperty')(pEvent, TdhContextCount, pTdhContext, PropertyDataCount, pPropertyData, BufferSize, pBuffer);
+  }
+  // https://learn.microsoft.com/en-us/windows/win32/api/tdh/nf-tdh-tdhgetpropertysize
+  public static TdhGetPropertySize(pEvent: PEVENT_RECORD, TdhContextCount: ULONG, pTdhContext: PTDH_CONTEXT | NULL, PropertyDataCount: ULONG, pPropertyData: PPROPERTY_DATA_DESCRIPTOR, pPropertySize: PULONG): TDHSTATUS {
+    return Tdh.Load('TdhGetPropertySize')(pEvent, TdhContextCount, pTdhContext, PropertyDataCount, pPropertyData, pPropertySize);
+  }
+  // https://learn.microsoft.com/en-us/windows/win32/api/tdh/nf-tdh-tdhgetwppmessage
+  public static TdhGetWppMessage(Handle: TDH_HANDLE, EventRecord: PEVENT_RECORD, BufferSize: PULONG, Buffer: PBYTE): TDHSTATUS {
+    return Tdh.Load('TdhGetWppMessage')(Handle, EventRecord, BufferSize, Buffer);
+  }
+  // https://learn.microsoft.com/en-us/windows/win32/api/tdh/nf-tdh-tdhgetwppproperty
+  public static TdhGetWppProperty(Handle: TDH_HANDLE, EventRecord: PEVENT_RECORD, PropertyName: PWSTR, BufferSize: PULONG, Buffer: PBYTE): TDHSTATUS {
+    return Tdh.Load('TdhGetWppProperty')(Handle, EventRecord, PropertyName, BufferSize, Buffer);
+  }
+  // https://learn.microsoft.com/en-us/windows/win32/api/tdh/nf-tdh-tdhloadmanifest
+  public static TdhLoadManifest(Manifest: PWSTR): TDHSTATUS {
+    return Tdh.Load('TdhLoadManifest')(Manifest);
+  }
+  // https://learn.microsoft.com/en-us/windows/win32/api/tdh/nf-tdh-tdhloadmanifestfrombinary
+  public static TdhLoadManifestFromBinary(BinaryPath: PWSTR): TDHSTATUS {
+    return Tdh.Load('TdhLoadManifestFromBinary')(BinaryPath);
+  }
+  // https://learn.microsoft.com/en-us/windows/win32/api/tdh/nf-tdh-tdhloadmanifestfrommemory
+  public static TdhLoadManifestFromMemory(pData: LPCVOID, cbData: ULONG): TDHSTATUS {
+    return Tdh.Load('TdhLoadManifestFromMemory')(pData, cbData);
+  }
+  // https://learn.microsoft.com/en-us/windows/win32/api/tdh/nf-tdh-tdhopendecodinghandle
+  public static TdhOpenDecodingHandle(Handle: PTDH_HANDLE): TDHSTATUS {
+    return Tdh.Load('TdhOpenDecodingHandle')(Handle);
+  }
+  // https://learn.microsoft.com/en-us/windows/win32/api/tdh/nf-tdh-tdhqueryproviderfieldinformation
+  public static TdhQueryProviderFieldInformation(pGuid: LPGUID, EventFieldValue: ULONGLONG, EventFieldType: EVENT_FIELD_TYPE, pBuffer: PPROVIDER_FIELD_INFOARRAY | NULL, pBufferSize: PULONG): TDHSTATUS {
+    return Tdh.Load('TdhQueryProviderFieldInformation')(pGuid, EventFieldValue, EventFieldType, pBuffer, pBufferSize);
+  }
+  // https://learn.microsoft.com/en-us/windows/win32/api/tdh/nf-tdh-tdhsetdecodingparameter
+  public static TdhSetDecodingParameter(Handle: TDH_HANDLE, TdhContext: PTDH_CONTEXT): TDHSTATUS {
+    return Tdh.Load('TdhSetDecodingParameter')(Handle, TdhContext);
+  }
+  // https://learn.microsoft.com/en-us/windows/win32/api/tdh/nf-tdh-tdhunloadmanifest
+  public static TdhUnloadManifest(Manifest: PWSTR): TDHSTATUS {
+    return Tdh.Load('TdhUnloadManifest')(Manifest);
+  }
+  // https://learn.microsoft.com/en-us/windows/win32/api/tdh/nf-tdh-tdhunloadmanifestfrommemory
+  public static TdhUnloadManifestFromMemory(pData: LPCVOID, cbData: ULONG): TDHSTATUS {
+    return Tdh.Load('TdhUnloadManifestFromMemory')(pData, cbData);
+  }
+}
+export default Tdh;

package/types/Tdh.ts ADDED Viewed

@@ -0,0 +1,188 @@
+import type { Pointer } from 'bun:ffi';
+import type { HANDLE, ULONG } from '@bun-win32/core';
+export type { BOOLEAN, LPCVOID, NULL, PBYTE, PULONG, ULONG, USHORT } from '@bun-win32/core';
+export enum DECODING_SOURCE {
+  DecodingSourceMax = 4,
+  DecodingSourceTlg = 3,
+  DecodingSourceWbem = 1,
+  DecodingSourceWPP = 2,
+  DecodingSourceXMLFile = 0,
+}
+export enum EVENT_FIELD_TYPE {
+  EventChannelInformation = 2,
+  EventInformationMax = 5,
+  EventKeywordInformation = 0,
+  EventLevelInformation = 1,
+  EventOpcodeInformation = 4,
+  EventTaskInformation = 3,
+}
+export enum MAP_FLAGS {
+  EVENTMAP_INFO_FLAG_MANIFEST_BITMAP = 0x0000_0002,
+  EVENTMAP_INFO_FLAG_MANIFEST_PATTERNMAP = 0x0000_0004,
+  EVENTMAP_INFO_FLAG_MANIFEST_VALUEMAP = 0x0000_0001,
+  EVENTMAP_INFO_FLAG_WBEM_BITMAP = 0x0000_0010,
+  EVENTMAP_INFO_FLAG_WBEM_FLAG = 0x0000_0020,
+  EVENTMAP_INFO_FLAG_WBEM_NO_MAP = 0x0000_0040,
+  EVENTMAP_INFO_FLAG_WBEM_VALUEMAP = 0x0000_0008,
+}
+export enum MAP_VALUETYPE {
+  EVENTMAP_ENTRY_VALUETYPE_STRING = 1,
+  EVENTMAP_ENTRY_VALUETYPE_ULONG = 0,
+}
+export enum PAYLOAD_OPERATOR {
+  PAYLOADFIELD_BETWEEN = 6,
+  PAYLOADFIELD_CONTAINS = 20,
+  PAYLOADFIELD_DOESNTCONTAIN = 21,
+  PAYLOADFIELD_EQ = 0,
+  PAYLOADFIELD_GE = 5,
+  PAYLOADFIELD_GT = 3,
+  PAYLOADFIELD_INVALID = 32,
+  PAYLOADFIELD_IS = 30,
+  PAYLOADFIELD_ISNOT = 31,
+  PAYLOADFIELD_LE = 2,
+  PAYLOADFIELD_LT = 4,
+  PAYLOADFIELD_MODULO = 8,
+  PAYLOADFIELD_NE = 1,
+  PAYLOADFIELD_NOTBETWEEN = 7,
+}
+export enum PROPERTY_FLAGS {
+  PropertyHasCustomSchema = 0x0000_0080,
+  PropertyHasTags = 0x0000_0040,
+  PropertyParamCount = 0x0000_0004,
+  PropertyParamFixedCount = 0x0000_0020,
+  PropertyParamFixedLength = 0x0000_0010,
+  PropertyParamLength = 0x0000_0002,
+  PropertyStruct = 0x0000_0001,
+  PropertyWBEMXmlFragment = 0x0000_0008,
+}
+export enum TDH_CONTEXT_TYPE {
+  TDH_CONTEXT_MAXIMUM = 5,
+  TDH_CONTEXT_PDB_PATH = 4,
+  TDH_CONTEXT_POINTERSIZE = 3,
+  TDH_CONTEXT_WPP_GMT = 2,
+  TDH_CONTEXT_WPP_TMFFILE = 0,
+  TDH_CONTEXT_WPP_TMFSEARCHPATH = 1,
+}
+export enum TDH_IN_TYPE {
+  TDH_INTYPE_ANSICHAR = 307,
+  TDH_INTYPE_ANSISTRING = 2,
+  TDH_INTYPE_BINARY = 14,
+  TDH_INTYPE_BOOLEAN = 13,
+  TDH_INTYPE_COUNTEDANSISTRING = 301,
+  TDH_INTYPE_COUNTEDSTRING = 300,
+  TDH_INTYPE_DOUBLE = 12,
+  TDH_INTYPE_FILETIME = 17,
+  TDH_INTYPE_FLOAT = 11,
+  TDH_INTYPE_GUID = 15,
+  TDH_INTYPE_HEXDUMP = 309,
+  TDH_INTYPE_HEXINT32 = 20,
+  TDH_INTYPE_HEXINT64 = 21,
+  TDH_INTYPE_INT16 = 5,
+  TDH_INTYPE_INT32 = 7,
+  TDH_INTYPE_INT64 = 9,
+  TDH_INTYPE_INT8 = 3,
+  TDH_INTYPE_MANIFEST_COUNTEDANSISTRING = 23,
+  TDH_INTYPE_MANIFEST_COUNTEDBINARY = 25,
+  TDH_INTYPE_MANIFEST_COUNTEDSTRING = 22,
+  TDH_INTYPE_NONNULLTERMINATEDANSISTRING = 305,
+  TDH_INTYPE_NONNULLTERMINATEDSTRING = 304,
+  TDH_INTYPE_NULL = 0,
+  TDH_INTYPE_POINTER = 16,
+  TDH_INTYPE_RESERVED24 = 24,
+  TDH_INTYPE_REVERSEDCOUNTEDANSISTRING = 303,
+  TDH_INTYPE_REVERSEDCOUNTEDSTRING = 302,
+  TDH_INTYPE_SID = 19,
+  TDH_INTYPE_SIZET = 308,
+  TDH_INTYPE_SYSTEMTIME = 18,
+  TDH_INTYPE_UINT16 = 6,
+  TDH_INTYPE_UINT32 = 8,
+  TDH_INTYPE_UINT64 = 10,
+  TDH_INTYPE_UINT8 = 4,
+  TDH_INTYPE_UNICODECHAR = 306,
+  TDH_INTYPE_UNICODESTRING = 1,
+  TDH_INTYPE_WBEMSID = 310,
+}
+export enum TDH_OUT_TYPE {
+  TDH_OUTTYPE_BOOLEAN = 13,
+  TDH_OUTTYPE_BYTE = 3,
+  TDH_OUTTYPE_CIMDATETIME = 26,
+  TDH_OUTTYPE_CODE_POINTER = 37,
+  TDH_OUTTYPE_CULTURE_INSENSITIVE_DATETIME = 33,
+  TDH_OUTTYPE_DATETIME = 2,
+  TDH_OUTTYPE_DATETIME_UTC = 38,
+  TDH_OUTTYPE_DOUBLE = 12,
+  TDH_OUTTYPE_ERRORCODE = 29,
+  TDH_OUTTYPE_ETWTIME = 27,
+  TDH_OUTTYPE_FLOAT = 11,
+  TDH_OUTTYPE_GUID = 14,
+  TDH_OUTTYPE_HEXBINARY = 15,
+  TDH_OUTTYPE_HEXINT16 = 17,
+  TDH_OUTTYPE_HEXINT32 = 18,
+  TDH_OUTTYPE_HEXINT64 = 19,
+  TDH_OUTTYPE_HEXINT8 = 16,
+  TDH_OUTTYPE_HRESULT = 32,
+  TDH_OUTTYPE_INT = 7,
+  TDH_OUTTYPE_IPV4 = 23,
+  TDH_OUTTYPE_IPV6 = 24,
+  TDH_OUTTYPE_JSON = 34,
+  TDH_OUTTYPE_LONG = 9,
+  TDH_OUTTYPE_NOPRINT = 301,
+  TDH_OUTTYPE_NTSTATUS = 31,
+  TDH_OUTTYPE_NULL = 0,
+  TDH_OUTTYPE_PID = 20,
+  TDH_OUTTYPE_PKCS7_WITH_TYPE_INFO = 36,
+  TDH_OUTTYPE_PORT = 22,
+  TDH_OUTTYPE_REDUCEDSTRING = 300,
+  TDH_OUTTYPE_SHORT = 5,
+  TDH_OUTTYPE_SOCKETADDRESS = 25,
+  TDH_OUTTYPE_STRING = 1,
+  TDH_OUTTYPE_TID = 21,
+  TDH_OUTTYPE_UNSIGNEDBYTE = 4,
+  TDH_OUTTYPE_UNSIGNEDINT = 8,
+  TDH_OUTTYPE_UNSIGNEDLONG = 10,
+  TDH_OUTTYPE_UNSIGNEDSHORT = 6,
+  TDH_OUTTYPE_UTF8 = 35,
+  TDH_OUTTYPE_WIN32ERROR = 30,
+  TDH_OUTTYPE_XML = 28,
+}
+export enum TEMPLATE_FLAGS {
+  TEMPLATE_CONTROL_GUID = 0x0000_0004,
+  TEMPLATE_EVENT_DATA = 0x0000_0001,
+  TEMPLATE_USER_DATA = 0x0000_0002,
+}
+export type LPCGUID = Pointer;
+export type LPGUID = Pointer;
+export type PBOOLEAN = Pointer;
+export type PCEVENT_DESCRIPTOR = Pointer;
+export type PEVENT_DESCRIPTOR = Pointer;
+export type PEVENT_FILTER_DESCRIPTOR = Pointer;
+export type PEVENT_MAP_INFO = Pointer;
+export type PEVENT_RECORD = Pointer;
+export type PPAYLOAD_FILTER_PREDICATE = Pointer;
+export type PPPROVIDER_FILTER_INFO = Pointer;
+export type PPROPERTY_DATA_DESCRIPTOR = Pointer;
+export type PPROVIDER_ENUMERATION_INFO = Pointer;
+export type PPROVIDER_EVENT_INFO = Pointer;
+export type PPROVIDER_FIELD_INFOARRAY = Pointer;
+export type PPVOID = Pointer;
+export type PTDH_CONTEXT = Pointer;
+export type PTDH_HANDLE = Pointer;
+export type PTRACE_EVENT_INFO = Pointer;
+export type PUSHORT = Pointer;
+export type PWCHAR = Pointer;
+export type PWSTR = Pointer;
+export type TDHSTATUS = ULONG;
+export type TDH_HANDLE = HANDLE;
+export type ULONGLONG = bigint;