static bool test_OpenEventLog(struct torture_context *tctx, struct dcerpc_pipe *p) { struct policy_handle handle; struct eventlog_CloseEventLog cr; if (!get_policy_handle(tctx, p, &handle)) return false; cr.in.handle = cr.out.handle = &handle; torture_assert_ntstatus_ok(tctx, dcerpc_eventlog_CloseEventLog(p, tctx, &cr), "CloseEventLog failed"); return true; }
static NTSTATUS cmd_eventlog_backuplog(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, int argc, const char **argv) { NTSTATUS status, result; struct policy_handle handle; struct lsa_String backup_filename; const char *tmp; struct dcerpc_binding_handle *b = cli->binding_handle; if (argc != 3) { printf("Usage: %s logname backupname\n", argv[0]); return NT_STATUS_OK; } status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle); if (!NT_STATUS_IS_OK(status)) { return status; } tmp = talloc_asprintf(mem_ctx, "\\??\\%s", argv[2]); if (!tmp) { status = NT_STATUS_NO_MEMORY; goto done; } init_lsa_String(&backup_filename, tmp); status = dcerpc_eventlog_BackupEventLogW(b, mem_ctx, &handle, &backup_filename, &result); if (!NT_STATUS_IS_OK(status)) { goto done; } if (!NT_STATUS_IS_OK(result)) { status = result; goto done; } done: dcerpc_eventlog_CloseEventLog(b, mem_ctx, &handle, &result); return status; }
static NTSTATUS cmd_eventlog_oldestrecord(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, int argc, const char **argv) { NTSTATUS status, result; struct policy_handle handle; uint32_t oldest_entry = 0; struct dcerpc_binding_handle *b = cli->binding_handle; if (argc != 2) { printf("Usage: %s logname\n", argv[0]); return NT_STATUS_OK; } status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle); if (!NT_STATUS_IS_OK(status)) { return status; } status = dcerpc_eventlog_GetOldestRecord(b, mem_ctx, &handle, &oldest_entry, &result); if (!NT_STATUS_IS_OK(status)) { goto done; } if (!NT_STATUS_IS_OK(result)) { status = result; goto done; } printf("oldest entry: %d\n", oldest_entry); done: dcerpc_eventlog_CloseEventLog(b, mem_ctx, &handle, &result); return status; }
static bool test_GetNumRecords(struct torture_context *tctx, struct dcerpc_pipe *p) { struct eventlog_GetNumRecords r; struct eventlog_CloseEventLog cr; struct policy_handle handle; if (!get_policy_handle(tctx, p, &handle)) return false; r.in.handle = &handle; torture_assert_ntstatus_ok(tctx, dcerpc_eventlog_GetNumRecords(p, tctx, &r), "GetNumRecords failed"); torture_comment(tctx, talloc_asprintf(tctx, "%d records\n", *r.out.number)); cr.in.handle = cr.out.handle = &handle; torture_assert_ntstatus_ok(tctx, dcerpc_eventlog_CloseEventLog(p, tctx, &cr), "CloseEventLog failed"); return true; }
static bool test_ClearEventLog(struct dcerpc_pipe *p, TALLOC_CTX *tctx) { struct eventlog_ClearEventLogW r; struct eventlog_CloseEventLog cr; struct policy_handle handle; if (!get_policy_handle(tctx, p, &handle)) return false; r.in.handle = &handle; r.in.unknown = NULL; torture_assert_ntstatus_ok(tctx, dcerpc_eventlog_ClearEventLogW(p, tctx, &r), "ClearEventLog failed"); cr.in.handle = cr.out.handle = &handle; torture_assert_ntstatus_ok(tctx, dcerpc_eventlog_CloseEventLog(p, tctx, &cr), "CloseEventLog failed"); return true; }
static NTSTATUS cmd_eventlog_readlog(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, int argc, const char **argv) { NTSTATUS status = NT_STATUS_OK; NTSTATUS result = NT_STATUS_OK; struct policy_handle handle; struct dcerpc_binding_handle *b = cli->binding_handle; uint32_t flags = EVENTLOG_BACKWARDS_READ | EVENTLOG_SEQUENTIAL_READ; uint32_t offset = 0; uint32_t number_of_bytes = 0; uint8_t *data = NULL; uint32_t sent_size = 0; uint32_t real_size = 0; if (argc < 2 || argc > 4) { printf("Usage: %s logname [offset] [number_of_bytes]\n", argv[0]); return NT_STATUS_OK; } if (argc >= 3) { offset = atoi(argv[2]); } if (argc >= 4) { number_of_bytes = atoi(argv[3]); data = talloc_array(mem_ctx, uint8_t, number_of_bytes); if (!data) { goto done; } } status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle); if (!NT_STATUS_IS_OK(status)) { return status; } do { enum ndr_err_code ndr_err; DATA_BLOB blob; struct EVENTLOGRECORD r; uint32_t size = 0; uint32_t pos = 0; status = dcerpc_eventlog_ReadEventLogW(b, mem_ctx, &handle, flags, offset, number_of_bytes, data, &sent_size, &real_size, &result); if (!NT_STATUS_IS_OK(status)) { return status; } if (NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL) && real_size > 0 ) { number_of_bytes = real_size; data = talloc_array(mem_ctx, uint8_t, real_size); if (!data) { goto done; } status = dcerpc_eventlog_ReadEventLogW(b, mem_ctx, &handle, flags, offset, number_of_bytes, data, &sent_size, &real_size, &result); if (!NT_STATUS_IS_OK(status)) { return status; } } if (!NT_STATUS_EQUAL(result, NT_STATUS_END_OF_FILE) && !NT_STATUS_IS_OK(result)) { goto done; } number_of_bytes = 0; size = IVAL(data, pos); while (size > 0) { blob = data_blob_const(data + pos, size); /* dump_data(0, blob.data, blob.length); */ ndr_err = ndr_pull_struct_blob_all(&blob, mem_ctx, &r, (ndr_pull_flags_fn_t)ndr_pull_EVENTLOGRECORD); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { status = ndr_map_error2ntstatus(ndr_err); goto done; } NDR_PRINT_DEBUG(EVENTLOGRECORD, &r); pos += size; if (pos + 4 > sent_size) { break; } size = IVAL(data, pos); } offset++; } while (NT_STATUS_IS_OK(result)); done: dcerpc_eventlog_CloseEventLog(b, mem_ctx, &handle, &result); return status; }
static NTSTATUS cmd_eventlog_loginfo(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, int argc, const char **argv) { NTSTATUS status, result; struct policy_handle handle; uint8_t *buffer = NULL; uint32_t buf_size = 0; uint32_t bytes_needed = 0; struct dcerpc_binding_handle *b = cli->binding_handle; if (argc != 2) { printf("Usage: %s logname\n", argv[0]); return NT_STATUS_OK; } status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle); if (!NT_STATUS_IS_OK(status)) { return status; } status = dcerpc_eventlog_GetLogInformation(b, mem_ctx, &handle, 0, /* level */ buffer, buf_size, &bytes_needed, &result); if (!NT_STATUS_IS_OK(status)) { goto done; } if (!NT_STATUS_IS_OK(result) && !NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL)) { goto done; } buf_size = bytes_needed; buffer = talloc_array(mem_ctx, uint8_t, bytes_needed); if (!buffer) { status = NT_STATUS_NO_MEMORY; goto done; } status = dcerpc_eventlog_GetLogInformation(b, mem_ctx, &handle, 0, /* level */ buffer, buf_size, &bytes_needed, &result); if (!NT_STATUS_IS_OK(status)) { goto done; } if (!NT_STATUS_IS_OK(result)) { status = result; goto done; } done: dcerpc_eventlog_CloseEventLog(b, mem_ctx, &handle, &result); return status; }
static NTSTATUS cmd_eventlog_reporteventsource(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, int argc, const char **argv) { NTSTATUS status, result; struct policy_handle handle; struct dcerpc_binding_handle *b = cli->binding_handle; uint16_t num_of_strings = 1; uint32_t data_size = 0; struct lsa_String servername, sourcename; struct lsa_String *strings; uint8_t *data = NULL; uint32_t record_number = 0; time_t time_written = 0; if (argc != 2) { printf("Usage: %s logname\n", argv[0]); return NT_STATUS_OK; } status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle); if (!NT_STATUS_IS_OK(status)) { return status; } strings = talloc_array(mem_ctx, struct lsa_String, num_of_strings); if (!strings) { return NT_STATUS_NO_MEMORY; } init_lsa_String(&strings[0], "test event written by rpcclient\n"); init_lsa_String(&servername, NULL); init_lsa_String(&sourcename, "rpcclient"); status = dcerpc_eventlog_ReportEventAndSourceW(b, mem_ctx, &handle, time(NULL), EVENTLOG_INFORMATION_TYPE, 0, /* event_category */ 0, /* event_id */ &sourcename, num_of_strings, data_size, &servername, NULL, /* user_sid */ &strings, data, 0, /* flags */ &record_number, &time_written, &result); if (!NT_STATUS_IS_OK(status)) { goto done; } if (!NT_STATUS_IS_OK(result)) { status = result; goto done; } printf("entry: %d written at %s\n", record_number, http_timestring(talloc_tos(), time_written)); done: dcerpc_eventlog_CloseEventLog(b, mem_ctx, &handle, &result); return status; }
static bool test_ReadEventLog(struct torture_context *tctx, struct dcerpc_pipe *p) { NTSTATUS status; struct eventlog_ReadEventLogW r; struct eventlog_CloseEventLog cr; struct policy_handle handle; if (!get_policy_handle(tctx, p, &handle)) return false; r.in.offset = 0; r.in.handle = &handle; r.in.flags = EVENTLOG_BACKWARDS_READ|EVENTLOG_SEQUENTIAL_READ; while (1) { DATA_BLOB blob; struct eventlog_Record rec; struct ndr_pull *ndr; /* Read first for number of bytes in record */ r.in.number_of_bytes = 0; r.out.data = NULL; status = dcerpc_eventlog_ReadEventLogW(p, tctx, &r); if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_END_OF_FILE)) { break; } torture_assert_ntstatus_ok(tctx, status, "ReadEventLog failed"); torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_BUFFER_TOO_SMALL, "ReadEventLog failed"); /* Now read the actual record */ r.in.number_of_bytes = *r.out.real_size; r.out.data = talloc_size(tctx, r.in.number_of_bytes); status = dcerpc_eventlog_ReadEventLogW(p, tctx, &r); torture_assert_ntstatus_ok(tctx, status, "ReadEventLog failed"); /* Decode a user-marshalled record */ blob.length = *r.out.sent_size; blob.data = talloc_steal(tctx, r.out.data); ndr = ndr_pull_init_blob(&blob, tctx); status = ndr_pull_eventlog_Record( ndr, NDR_SCALARS|NDR_BUFFERS, &rec); NDR_PRINT_DEBUG(eventlog_Record, &rec); torture_assert_ntstatus_ok(tctx, status, "ReadEventLog failed parsing event log record"); r.in.offset++; } cr.in.handle = cr.out.handle = &handle; torture_assert_ntstatus_ok(tctx, dcerpc_eventlog_CloseEventLog(p, tctx, &cr), "CloseEventLog failed"); return true; }