Пример #1
0
NTSTATUS evlog_evt_entry_to_tdb_entry(TALLOC_CTX *mem_ctx,
				      const struct EVENTLOGRECORD *e,
				      struct eventlog_Record_tdb *t)
{
	uint32_t i;

	ZERO_STRUCTP(t);

	t->size				= e->Length;
	t->reserved			= e->Reserved;
	t->record_number		= e->RecordNumber;
	t->time_generated		= e->TimeGenerated;
	t->time_written			= e->TimeWritten;
	t->event_id			= e->EventID;
	t->event_type			= e->EventType;
	t->num_of_strings		= e->NumStrings;
	t->event_category		= e->EventCategory;
	t->reserved_flags		= e->ReservedFlags;
	t->closing_record_number	= e->ClosingRecordNumber;

	t->stringoffset			= e->StringOffset;
	t->sid_length			= e->UserSidLength;
	t->sid_offset			= e->UserSidOffset;
	t->data_length			= e->DataLength;
	t->data_offset			= e->DataOffset;

	t->source_name_len		= 2 * strlen_m_term(e->SourceName);
	t->source_name			= talloc_strdup(mem_ctx, e->SourceName);
	NT_STATUS_HAVE_NO_MEMORY(t->source_name);

	t->computer_name_len		= 2 * strlen_m_term(e->Computername);
	t->computer_name		= talloc_strdup(mem_ctx, e->Computername);
	NT_STATUS_HAVE_NO_MEMORY(t->computer_name);

	/* t->sid_padding; */
	if (e->UserSidLength > 0) {
		const char *sid_str = NULL;
		smb_ucs2_t *dummy = NULL;
		sid_str = sid_string_talloc(mem_ctx, &e->UserSid);
		t->sid_length = rpcstr_push_talloc(mem_ctx, &dummy, sid_str);
		if (t->sid_length == -1) {
			return NT_STATUS_NO_MEMORY;
		}
		t->sid = data_blob_talloc(mem_ctx, (uint8_t *)dummy, t->sid_length);
		NT_STATUS_HAVE_NO_MEMORY(t->sid.data);
	}

	t->strings			= talloc_array(mem_ctx, const char *, e->NumStrings);
	for (i=0; i < e->NumStrings; i++) {
		t->strings[i]		= talloc_strdup(t->strings, e->Strings[i]);
		NT_STATUS_HAVE_NO_MEMORY(t->strings[i]);
	}

	t->strings_len			= 2 * ndr_size_string_array(t->strings, t->num_of_strings, LIBNDR_FLAG_STR_NULLTERM);
	t->data				= data_blob_talloc(mem_ctx, e->Data, e->DataLength);
	/* t->padding			= r->Pad; */

	return NT_STATUS_OK;
}
Пример #2
0
bool parse_logentry( TALLOC_CTX *mem_ctx, char *line, struct eventlog_Record_tdb *entry, bool * eor )
{
	char *start = NULL, *stop = NULL;

	start = line;

	/* empty line signyfiying record delimeter, or we're at the end of the buffer */
	if ( start == NULL || strlen( start ) == 0 ) {
		DEBUG( 6,
		       ( "parse_logentry: found end-of-record indicator.\n" ) );
		*eor = True;
		return True;
	}
	if ( !( stop = strchr( line, ':' ) ) ) {
		return False;
	}

	DEBUG( 6, ( "parse_logentry: trying to parse [%s].\n", line ) );

	if ( 0 == strncmp( start, "LEN", stop - start ) ) {
		/* This will get recomputed later anyway -- probably not necessary */
		entry->size = atoi( stop + 1 );
	} else if ( 0 == strncmp( start, "RS1", stop - start ) ) {
		/* For now all these reserved entries seem to have the same value,
		   which can be hardcoded to int(1699505740) for now */
		entry->reserved = talloc_strdup(mem_ctx, "eLfL");
	} else if ( 0 == strncmp( start, "RCN", stop - start ) ) {
		entry->record_number = atoi( stop + 1 );
	} else if ( 0 == strncmp( start, "TMG", stop - start ) ) {
		entry->time_generated = atoi( stop + 1 );
	} else if ( 0 == strncmp( start, "TMW", stop - start ) ) {
		entry->time_written = atoi( stop + 1 );
	} else if ( 0 == strncmp( start, "EID", stop - start ) ) {
		entry->event_id = atoi( stop + 1 );
	} else if ( 0 == strncmp( start, "ETP", stop - start ) ) {
		if ( strstr( start, "ERROR" ) ) {
			entry->event_type = EVENTLOG_ERROR_TYPE;
		} else if ( strstr( start, "WARNING" ) ) {
			entry->event_type = EVENTLOG_WARNING_TYPE;
		} else if ( strstr( start, "INFO" ) ) {
			entry->event_type = EVENTLOG_INFORMATION_TYPE;
		} else if ( strstr( start, "AUDIT_SUCCESS" ) ) {
			entry->event_type = EVENTLOG_AUDIT_SUCCESS;
		} else if ( strstr( start, "AUDIT_FAILURE" ) ) {
			entry->event_type = EVENTLOG_AUDIT_FAILURE;
		} else if ( strstr( start, "SUCCESS" ) ) {
			entry->event_type = EVENTLOG_SUCCESS;
		} else {
			/* some other eventlog type -- currently not defined in MSDN docs, so error out */
			return False;
		}
	}

/*
  else if(0 == strncmp(start, "NST", stop - start))
  {
  entry->num_of_strings = atoi(stop + 1);
  }
*/
	else if ( 0 == strncmp( start, "ECT", stop - start ) ) {
		entry->event_category = atoi( stop + 1 );
	} else if ( 0 == strncmp( start, "RS2", stop - start ) ) {
		entry->reserved_flags = atoi( stop + 1 );
	} else if ( 0 == strncmp( start, "CRN", stop - start ) ) {
		entry->closing_record_number = atoi( stop + 1 );
	} else if ( 0 == strncmp( start, "USL", stop - start ) ) {
		entry->sid_length = atoi( stop + 1 );
	} else if ( 0 == strncmp( start, "SRC", stop - start ) ) {
		stop++;
		while ( isspace( stop[0] ) ) {
			stop++;
		}
		entry->source_name_len = strlen_m_term(stop);
		entry->source_name = talloc_strdup(mem_ctx, stop);
		if (entry->source_name_len == (uint32_t)-1 ||
				entry->source_name == NULL) {
			return false;
		}
	} else if ( 0 == strncmp( start, "SRN", stop - start ) ) {
		stop++;
		while ( isspace( stop[0] ) ) {
			stop++;
		}
		entry->computer_name_len = strlen_m_term(stop);
		entry->computer_name = talloc_strdup(mem_ctx, stop);
		if (entry->computer_name_len == (uint32_t)-1 ||
				entry->computer_name == NULL) {
			return false;
		}
	} else if ( 0 == strncmp( start, "SID", stop - start ) ) {
		smb_ucs2_t *dummy = NULL;
		stop++;
		while ( isspace( stop[0] ) ) {
			stop++;
		}
		entry->sid_length = rpcstr_push_talloc(mem_ctx,
				&dummy,
				stop);
		if (entry->sid_length == (uint32_t)-1) {
			return false;
		}
		entry->sid = data_blob_talloc(mem_ctx, dummy, entry->sid_length);
		if (entry->sid.data == NULL) {
			return false;
		}
	} else if ( 0 == strncmp( start, "STR", stop - start ) ) {
		size_t tmp_len;
		int num_of_strings;
		/* skip past initial ":" */
		stop++;
		/* now skip any other leading whitespace */
		while ( isspace(stop[0])) {
			stop++;
		}
		tmp_len = strlen_m_term(stop);
		if (tmp_len == (size_t)-1) {
			return false;
		}
		num_of_strings = entry->num_of_strings;
		if (!add_string_to_array(mem_ctx, stop, &entry->strings,
					 &num_of_strings)) {
			return false;
		}
		if (num_of_strings > 0xffff) {
			return false;
		}
		entry->num_of_strings = num_of_strings;
		entry->strings_len += tmp_len;
	} else if ( 0 == strncmp( start, "DAT", stop - start ) ) {
		/* skip past initial ":" */
		stop++;
		/* now skip any other leading whitespace */
		while ( isspace( stop[0] ) ) {
			stop++;
		}
		entry->data_length = strlen_m(stop);
		entry->data = data_blob_talloc(mem_ctx, stop, entry->data_length);
		if (!entry->data.data) {
			return false;
		}
	} else {
		/* some other eventlog entry -- not implemented, so dropping on the floor */
		DEBUG( 10, ( "Unknown entry [%s]. Ignoring.\n", line ) );
		/* For now return true so that we can keep on parsing this mess. Eventually
		   we will return False here. */
		return true;
	}
	return true;
}
Пример #3
0
static bool _reg_perfcount_get_instance_info(struct PERF_INSTANCE_DEFINITION *inst,
					     TALLOC_CTX *mem_ctx,
					     int instId,
					     struct PERF_OBJECT_TYPE *obj,
					     TDB_CONTEXT *names)
{
	TDB_DATA key, data;
	char buf[PERFCOUNT_MAX_LEN] = {0};
	char temp[32] = {0};
	smb_ucs2_t *name = NULL;
	int pad;

	/* First grab the instance data from the data file */
	snprintf(temp, sizeof(temp), "i%d", instId);
	_reg_perfcount_make_key(&key, buf, PERFCOUNT_MAX_LEN, obj->ObjectNameTitleIndex, temp);
	if (!_reg_perfcount_get_counter_data(key, &data)) {
		DEBUG(3, ("_reg_perfcount_get_counter_data failed\n"));
		return false;
	}
	if(data.dptr == NULL)
	{
		DEBUG(3, ("_reg_perfcount_get_instance_info: No instance data for instance [%s].\n",
			  buf));
		return False;
	}
	inst->counter_data.ByteLength = data.dsize + sizeof(inst->counter_data.ByteLength);
	inst->counter_data.data = talloc_realloc(mem_ctx,
						       inst->counter_data.data,
						       uint8_t,
						       data.dsize);
	if(inst->counter_data.data == NULL)
		return False;
	memset(inst->counter_data.data, 0, data.dsize);
	memcpy(inst->counter_data.data, data.dptr, data.dsize);
	SAFE_FREE(data.dptr);

	/* Fetch instance name */
	snprintf(temp, sizeof(temp), "i%dname", instId);
	_reg_perfcount_make_key(&key, buf, PERFCOUNT_MAX_LEN, obj->ObjectNameTitleIndex, temp);
	data = tdb_fetch(names, key);
	if(data.dptr == NULL)
	{
		/* Not actually an error, but possibly unintended? -- just logging FYI */
		DEBUG(3, ("_reg_perfcount_get_instance_info: No instance name for instance [%s].\n",
			  buf));
		inst->NameLength = 0;
	}
	else
	{
		memset(buf, 0, PERFCOUNT_MAX_LEN);
		memcpy(buf, data.dptr, MIN(PERFCOUNT_MAX_LEN-1,data.dsize));
		buf[PERFCOUNT_MAX_LEN-1] = '\0';
		inst->NameLength = rpcstr_push_talloc(mem_ctx, &name, buf);
		if (inst->NameLength == (uint32_t)-1 || !name) {
			SAFE_FREE(data.dptr);
			return False;
		}
		inst->data = talloc_realloc(mem_ctx,
						  inst->data,
						  uint8_t,
						  inst->NameLength);
		if (inst->data == NULL) {
			SAFE_FREE(data.dptr);
			return False;
		}
		memcpy(inst->data, name, inst->NameLength);
		SAFE_FREE(data.dptr);
	}

	inst->ParentObjectTitleIndex = 0;
	inst->ParentObjectTitlePointer = 0;
	inst->UniqueID = PERF_NO_UNIQUE_ID;
	inst->NameOffset = 6 * sizeof(uint32_t);

	inst->ByteLength = inst->NameOffset + inst->NameLength;
	/* Need to be aligned on a 64-bit boundary here for counter_data */
	if((pad = (inst->ByteLength % 8)))
	{
		pad = 8 - pad;
		inst->data = talloc_realloc(mem_ctx,
						  inst->data,
						  uint8_t,
						  inst->NameLength + pad);
		memset(inst->data + inst->NameLength, 0, pad);
		inst->ByteLength += pad;
	}

	return True;
}