X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=src%2Fwin32%2Fextract-win-el.c;h=ee4c98d08850209dfc585a3e5cf4fe0b10f9f87c;hp=53ba5aaa85251692123e7828ff97a9da6927e46a;hb=6ef2f786c6c8ead94841b5f93baf9f43421f08c8;hpb=301048b51990573e58a30dc4a5bb4ec285cad554
diff --git a/src/win32/extract-win-el.c b/src/win32/extract-win-el.c
index 53ba5aa..ee4c98d 100755
--- a/src/win32/extract-win-el.c
+++ b/src/win32/extract-win-el.c
@@ -1,4 +1,5 @@
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/win32/extract-win-el.c, 2011/09/08 dcid Exp $
+ */
 /* Copyright (C) 2009 Trend Micro Inc.
 * All right reserved.
@@ -40,7 +41,7 @@ int el_last = 0;
 /** int startEL(char *app, os_el *el)
- * Starts the event logging for each el
+ * Starts the event logging for each el
 */
 int startEL(char *app, os_el *el)
 {
@@ -48,7 +49,7 @@ int startEL(char *app, os_el *el)
 el->h = OpenEventLog(NULL, app);
 if(!el->h)
 {
- return(0);
+ return(0);
 }
 el->name = app;
@@ -59,7 +60,7 @@ int startEL(char *app, os_el *el)
-/** char *el_getCategory(int category_id)
+/** char *el_getCategory(int category_id)
 * Returns a string related to the category id of the log.
 */
 char *el_getCategory(int category_id)
@@ -93,7 +94,7 @@ char *el_getCategory(int category_id)
 /** int el_getEventDLL(char *evt_name, char *source, char *event)
 * Returns the event.
 */
-int el_getEventDLL(char *evt_name, char *source, char *event)
+int el_getEventDLL(char *evt_name, char *source, char *event)
 {
 HKEY key;
 DWORD ret;
@@ -102,21 +103,21 @@ int el_getEventDLL(char *evt_name, char *source, char *event)
 keyname[255] = '\0';
- snprintf(keyname, 254,
- "System\\CurrentControlSet\\Services\\EventLog\\%s\\%s",
- evt_name,
+ snprintf(keyname, 254,
+ "System\\CurrentControlSet\\Services\\EventLog\\%s\\%s",
+ evt_name,
 source);
- /* Opening registry */
+ /* Opening registry */
 if(RegOpenKeyEx(HKEY_LOCAL_MACHINE, keyname, 0, KEY_ALL_ACCESS, &key) != ERROR_SUCCESS)
 {
- return(0);
+ return(0);
 }
 ret = MAX_PATH -1;
- if (RegQueryValueEx(key, "EventMessageFile", NULL,
+ if (RegQueryValueEx(key, "EventMessageFile", NULL,
 NULL, (LPBYTE)event, &ret) != ERROR_SUCCESS)
 {
 event[0] = '\0';
@@ -129,11 +130,11 @@ int el_getEventDLL(char *evt_name, char *source, char *event)
-/** char *el_getmessage()
+/** char *el_getmessage()
 * Returns a descriptive message of the event.
 */
-char *el_getMessage(EVENTLOGRECORD *er, char *name,
- char * source, LPTSTR *el_sstring)
+char *el_getMessage(EVENTLOGRECORD *er, char *name,
+ char * source, LPTSTR *el_sstring)
 {
 DWORD fm_flags = 0;
 char tmp_str[257];
@@ -156,12 +157,12 @@ char *el_getMessage(EVENTLOGRECORD *er, char *name,
 /* Get the file name from the registry (stored on event) */
 if(!el_getEventDLL(name, source, event))
 {
- return(NULL);
- }
+ return(NULL);
+ }
 curr_str = event;
- /* If our event has multiple libraries, try each one of them */
+ /* If our event has multiple libraries, try each one of them */
 while((next_str = strchr(curr_str, ';')))
 {
 *next_str = '\0';
@@ -171,11 +172,11 @@ char *el_getMessage(EVENTLOGRECORD *er, char *name,
 hevt = LoadLibraryEx(tmp_str, NULL, DONT_RESOLVE_DLL_REFERENCES);
 if(hevt)
 {
- if(!FormatMessage(fm_flags, hevt, er->EventID,
+ if(!FormatMessage(fm_flags, hevt, er->EventID,
 0, (LPTSTR) &message, 0, el_sstring))
 {
- message = NULL;
+ message = NULL;
 }
 FreeLibrary(hevt);
@@ -191,12 +192,12 @@ char *el_getMessage(EVENTLOGRECORD *er, char *name,
 hevt = LoadLibraryEx(tmp_str, NULL, DONT_RESOLVE_DLL_REFERENCES);
 if(hevt)
 {
- int hr;
- if(!(hr = FormatMessage(fm_flags, hevt, er->EventID,
+ int hr;
+ if(!(hr = FormatMessage(fm_flags, hevt, er->EventID,
 0, (LPTSTR) &message, 0, el_sstring)))
 {
- message = NULL;
+ message = NULL;
 }
 FreeLibrary(hevt);
@@ -212,7 +213,7 @@ char *el_getMessage(EVENTLOGRECORD *er, char *name,
 /** void readel(os_el *el)
 * Reads the event log.
- */
+ */
 void readel(os_el *el, int printit)
 {
 DWORD nstr;
@@ -238,7 +239,7 @@ void readel(os_el *el, int printit)
 LPSTR el_sstring[57];
 /* Er must point to the mbuffer */
- el->er = (EVENTLOGRECORD *) &mbuffer;
+ el->er = (EVENTLOGRECORD *) &mbuffer;
 /* Zeroing the last values */
 el_string[1024] = '\0';
@@ -247,8 +248,8 @@ void readel(os_el *el, int printit)
 final_msg[1023] = '\0';
 el_sstring[56] = NULL;
- /* Reading the event log */
- while(ReadEventLog(el->h,
+ /* Reading the event log */
+ while(ReadEventLog(el->h,
 EVENTLOG_FORWARDS_READ | EVENTLOG_SEQUENTIAL_READ, 0, el->er, BUFFER_SIZE -1, &read, &needed))
@@ -294,27 +295,27 @@ void readel(os_el *el, int printit)
 el_sstring[nstr] = (LPSTR)sstr;
 sstr = strchr( (LPSTR)sstr, '\0');
- sstr++;
+ sstr++;
 }
 /* Get a more descriptive message (if available) */
- descriptive_msg = el_getMessage(el->er, el->name, source,
+ descriptive_msg = el_getMessage(el->er, el->name, source,
 el_sstring);
 if(descriptive_msg != NULL)
 {
 /* Remove any \n or \r */
- tmp_str = descriptive_msg;
+ tmp_str = descriptive_msg;
 while((tmp_str = strchr(tmp_str, '\n')))
 {
 *tmp_str = ' ';
- tmp_str++;
+ tmp_str++;
 }
- tmp_str = descriptive_msg;
+ tmp_str = descriptive_msg;
 while((tmp_str = strchr(tmp_str, '\r')))
 {
 *tmp_str = ' ';
- tmp_str++;
+ tmp_str++;
 }
 }
 }
@@ -346,20 +347,20 @@ void readel(os_el *el, int printit)
 if(printit)
 {
- DWORD _evtid = 65535;
- int id = (int)el->er->EventID & _evtid;
-
- snprintf(final_msg, 1022,
+ DWORD _evtid = 65535;
+ int id = (int)el->er->EventID & _evtid;
+
+ snprintf(final_msg, 1022,
 "%d WinEvtLog: %s: %s(%d): %s: %s(%s): %s",
 (int)el->er->TimeGenerated,
 el->name,
- category,
+ category,
 id,
 source,
 el_user,
 el_domain,
 descriptive_msg != NULL?descriptive_msg:el_string);
-
+
 fprintf(fp, "%s\n", final_msg);
 }
@@ -404,18 +405,18 @@ int main(int argc, char **argv)
 }
 else if((argc == 3)&&(strcmp(argv[1], "-f") == 0))
 {
- file = argv[2];
- }
+ file = argv[2];
+ }
 else help();
-
+
 fp = fopen(file, "w");
 if(!fp)
 {
 printf("Unable to open file '%s'\n", file);
 exit(1);
 }
-
+
 win_startel("Application");
 win_startel("System");
 win_startel("Security");