static NTSTATUS cmd_eventlog_readlog(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx,
int argc,
const char **argv)
{
NTSTATUS status = NT_STATUS_OK;
NTSTATUS result = NT_STATUS_OK;
struct policy_handle handle;
struct dcerpc_binding_handle *b = cli->binding_handle;
uint32_t flags = EVENTLOG_BACKWARDS_READ |
EVENTLOG_SEQUENTIAL_READ;
uint32_t offset = 0;
uint32_t number_of_bytes = 0;
uint8_t *data = NULL;
uint32_t sent_size = 0;
uint32_t real_size = 0;
if (argc < 2 || argc > 4) {
printf("Usage: %s logname [offset] [number_of_bytes]\n", argv[0]);
return NT_STATUS_OK;
}
if (argc >= 3) {
offset = atoi(argv[2]);
}
if (argc >= 4) {
number_of_bytes = atoi(argv[3]);
data = talloc_array(mem_ctx, uint8_t, number_of_bytes);
if (!data) {
goto done;
}
}
status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
do {
enum ndr_err_code ndr_err;
DATA_BLOB blob;
struct EVENTLOGRECORD r;
uint32_t size = 0;
uint32_t pos = 0;
status = dcerpc_eventlog_ReadEventLogW(b, mem_ctx,
&handle,
flags,
offset,
number_of_bytes,
data,
&sent_size,
&real_size,
&result);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
if (NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL) &&
real_size > 0 ) {
number_of_bytes = real_size;
data = talloc_array(mem_ctx, uint8_t, real_size);
if (!data) {
goto done;
}
status = dcerpc_eventlog_ReadEventLogW(b, mem_ctx,
&handle,
flags,
offset,
number_of_bytes,
data,
&sent_size,
&real_size,
&result);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
}
if (!NT_STATUS_EQUAL(result, NT_STATUS_END_OF_FILE) &&
!NT_STATUS_IS_OK(result)) {
goto done;
}
number_of_bytes = 0;
size = IVAL(data, pos);
while (size > 0) {
blob = data_blob_const(data + pos, size);
/* dump_data(0, blob.data, blob.length); */
ndr_err = ndr_pull_struct_blob_all(&blob, mem_ctx, &r,
(ndr_pull_flags_fn_t)ndr_pull_EVENTLOGRECORD);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
status = ndr_map_error2ntstatus(ndr_err);
goto done;
}
NDR_PRINT_DEBUG(EVENTLOGRECORD, &r);
pos += size;
if (pos + 4 > sent_size) {
break;
}
size = IVAL(data, pos);
}
offset++;
} while (NT_STATUS_IS_OK(result));
done:
dcerpc_eventlog_CloseEventLog(b, mem_ctx, &handle, &result);
return status;
}
static bool test_ReadEventLog(struct torture_context *tctx,
struct dcerpc_pipe *p)
{
NTSTATUS status;
struct eventlog_ReadEventLogW r;
struct eventlog_CloseEventLog cr;
struct policy_handle handle;
if (!get_policy_handle(tctx, p, &handle))
return false;
r.in.offset = 0;
r.in.handle = &handle;
r.in.flags = EVENTLOG_BACKWARDS_READ|EVENTLOG_SEQUENTIAL_READ;
while (1) {
DATA_BLOB blob;
struct eventlog_Record rec;
struct ndr_pull *ndr;
/* Read first for number of bytes in record */
r.in.number_of_bytes = 0;
r.out.data = NULL;
status = dcerpc_eventlog_ReadEventLogW(p, tctx, &r);
if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_END_OF_FILE)) {
break;
}
torture_assert_ntstatus_ok(tctx, status, "ReadEventLog failed");
torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_BUFFER_TOO_SMALL,
"ReadEventLog failed");
/* Now read the actual record */
r.in.number_of_bytes = *r.out.real_size;
r.out.data = talloc_size(tctx, r.in.number_of_bytes);
status = dcerpc_eventlog_ReadEventLogW(p, tctx, &r);
torture_assert_ntstatus_ok(tctx, status, "ReadEventLog failed");
/* Decode a user-marshalled record */
blob.length = *r.out.sent_size;
blob.data = talloc_steal(tctx, r.out.data);
ndr = ndr_pull_init_blob(&blob, tctx);
status = ndr_pull_eventlog_Record(
ndr, NDR_SCALARS|NDR_BUFFERS, &rec);
NDR_PRINT_DEBUG(eventlog_Record, &rec);
torture_assert_ntstatus_ok(tctx, status,
"ReadEventLog failed parsing event log record");
r.in.offset++;
}
cr.in.handle = cr.out.handle = &handle;
torture_assert_ntstatus_ok(tctx,
dcerpc_eventlog_CloseEventLog(p, tctx, &cr),
"CloseEventLog failed");
return true;
}
