archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 5c6fe3db62
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5c6fe3db62'
${ noResults }
windows-server-2003/ds/security/authz/test/wmiaudit/wmi2evt.cpp

497 lines
13 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. //+-----------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. //
  5. // Copyright (c) Microsoft Corporation 2000
  6. //
  7. // File: W M I 2 E V T . C P P
  8. //
  9. // Contents: Functions to convert WMI event into eventlog event format
  10. //
  11. //
  12. // History:
  13. // 06-January-2000 kumarp created
  14. //
  15. //------------------------------------------------------------------------
  17. /*
  18. - how to find out the event name from hAuditEvent
  20. -
  21. */
  23. #include <nt.h>
  24. #include <ntrtl.h>
  25. #include <nturtl.h>
  27. #include <windows.h>
  28. //#include <winnt.h>
  29. //#include <ntdef.h>
  30. #include <stdio.h>
  31. #include <msaudite.h>
  32. #include <sddl.h>
  34. #include "authzp.h"
  35. #include "adtdef.h"
  36. //#include "p2prov.h"
  37. #include "ncevent.h"
  38. #include "lsaptmp.h"
  40. //
  41. // Property conversion flags
  42. //
  43. const DWORD PCF_None = 0x00000000;
  44. const DWORD PCF_Sid = 0x00000001;
  45. const DWORD PCF_ = 0x00000000;
  47. struct _LsapAdtEventProperty
  48. {
  49. PCWSTR szName;
  50. CIMTYPE Type;
  51. DWORD dwFlag;
  52. };
  53. typedef struct _LsapAdtEventProperty LsapAdtEventProperty;
  56. struct _LsapAdtEventMapEntry
  57. {
  58. WORD wCategory;
  59. DWORD dwEventId;
  61. LsapAdtEventProperty* Properties;
  62. };
  63. typedef struct _LsapAdtEventMapEntry LsapAdtEventMapEntry;
  65. LsapAdtEventProperty Properties_SE_AUDITID_AUTHZ[] =
  66. {
  67. { L"ObjectServer", CIM_STRING, PCF_None },
  68. { L"ProcessId", CIM_UINT32, PCF_None },
  69. { L"OperationType", CIM_STRING, PCF_None },
  70. { L"Objecttype", CIM_STRING, PCF_None },
  71. { L"ObjectName", CIM_STRING, PCF_None },
  72. { L"HandleId", CIM_UINT64, PCF_None },
  73. { L"OperationId", CIM_UINT64, PCF_None },
  75. { L"PrimaryUserSid", CIM_UINT8 | CIM_FLAG_ARRAY, PCF_Sid },
  76. // { L"PrimaryUserName", CIM_STRING, PCF_None },
  77. // { L"PrimaryDomain", CIM_STRING, PCF_None },
  78. // { L"PrimaryLogonId", CIM_UINT64, PCF_None },
  80. { L"ClientUserSid", CIM_UINT8 | CIM_FLAG_ARRAY, PCF_Sid },
  81. // { L"ClientUserName", CIM_STRING, PCF_None },
  82. // { L"ClientDomain", CIM_STRING, PCF_None },
  83. // { L"ClientLogonId", CIM_UINT64, PCF_None },
  85. { L"AccessMask", CIM_UINT32, PCF_None },
  86. { L"AdditionalInfo", CIM_STRING, PCF_None },
  88. { NULL, CIM_ILLEGAL, PCF_None },
  89. };
  92. LsapAdtEventMapEntry LsapAdtEvents[] =
  93. {
  94. {
  95. SE_CATEGID_OBJECT_ACCESS,
  96. SE_AUDITID_OPEN_HANDLE, //kk SE_AUDITID_AUTHZ,
  97. Properties_SE_AUDITID_AUTHZ
  98. }
  99. };
  100. const USHORT c_cEventMapEntries = sizeof(LsapAdtEvents) / sizeof(LsapAdtEventMapEntry);
  102. const USHORT SE_AUDITID_FIRST = 0x200;
  103. const USHORT SE_AUDITID_LAST = 0x2ff;
  104. const USHORT SE_NUM_AUDITID = SE_AUDITID_LAST - SE_AUDITID_FIRST + 1;
  106. USHORT g_EventMapRedir[SE_NUM_AUDITID];
  108. VOID
  109. LsapAdtInitEventMapRedir( )
  110. {
  111. DWORD dwEventId;
  113. for (USHORT i=0; i < SE_NUM_AUDITID; i++)
  114. {
  115. dwEventId = SE_AUDITID_FIRST + i;
  116. g_EventMapRedir[i] = c_cEventMapEntries;
  118. for (USHORT j=0; j < c_cEventMapEntries; j++)
  119. {
  120. if ( LsapAdtEvents[j].dwEventId == dwEventId )
  121. {
  122. g_EventMapRedir[i] = j;
  123. break;
  124. }
  125. }
  126. }
  127. }
  129. NTSTATUS
  130. LsapAdtInitEventMap( )
  131. {
  132. NTSTATUS Status = STATUS_SUCCESS;
  134. LsapAdtInitEventMapRedir();
  136. return Status;
  137. }
  139. NTSTATUS
  140. LsapAdtGetEventMapEntry(
  141. IN DWORD dwEventId,
  142. OUT LsapAdtEventMapEntry** pEventMapEntry
  143. )
  144. {
  145. NTSTATUS Status = STATUS_SUCCESS;
  146. USHORT usIndex;
  148. usIndex = g_EventMapRedir[dwEventId - SE_AUDITID_FIRST];
  149. ASSERT(usIndex <= c_cEventMapEntries);
  151. if ( usIndex < c_cEventMapEntries )
  152. {
  153. *pEventMapEntry = &LsapAdtEvents[usIndex];
  154. }
  155. else
  156. {
  157. *pEventMapEntry = NULL;
  158. Status = STATUS_NOT_FOUND;
  159. }
  161. return Status;
  162. }
  164. NTSTATUS
  165. LsapAdtGetEventProperty(
  166. IN HANDLE hEvent,
  167. IN PCWSTR szPropertyName,
  168. IN CIMTYPE PropertyType,
  169. IN LPVOID pData,
  170. IN DWORD dwBufferSize,
  171. IN DWORD *pdwBytesRead
  172. )
  173. {
  174. NTSTATUS Status = STATUS_SUCCESS;
  175. DWORD dwIndex;
  176. DWORD dwError = NO_ERROR;
  178. // if (!WmiAddEventProp( hEvent, szPropertyName, PropertyType, &dwIndex ))
  179. if (!WmiAddObjectProp( hEvent, szPropertyName, PropertyType, &dwIndex ))
  180. {
  181. goto WinErrorCleanup;
  182. }
  184. //if (!WmiGetEventProp( hEvent, dwIndex,
  185. if (!WmiGetObjectProp( hEvent, dwIndex,
  186. pData, dwBufferSize, pdwBytesRead ))
  187. {
  188. goto WinErrorCleanup;
  189. }
  191. Cleanup:
  192. return Status;
  194. WinErrorCleanup:
  195. dwError = GetLastError();
  196. //kkStatus = mapit();
  197. goto Cleanup;
  198. }
  201. NTSTATUS
  202. LsapAdtConvertPropertyToString(
  203. IN LsapAdtEventProperty* pEventProperty,
  204. IN PVOID pValue,
  205. IN DWORD dwSize,
  206. OUT PWSTR szStrValue,
  207. IN OUT DWORD *pdwRequiredSize
  208. )
  209. {
  210. //
  211. // perf: use better string allocation scheme
  212. //
  214. NTSTATUS Status = STATUS_SUCCESS;
  215. DWORD dwError = NO_ERROR;
  216. CIMTYPE PropertyType;
  217. BOOL fIsArrary=FALSE;
  218. DWORD dwRequiredSize = 0xffffffff;
  219. USHORT usUnitSize = 0xffff;
  220. DWORD dwPropertyFlag;
  222. PropertyType = pEventProperty->Type;
  223. fIsArrary = FLAG_ON( PropertyType, CIM_FLAG_ARRAY );
  224. PropertyType &= ~CIM_FLAG_ARRAY;
  225. dwPropertyFlag = pEventProperty->dwFlag;
  227. if ( FLAG_ON( dwPropertyFlag, PCF_Sid ))
  228. {
  229. dwRequiredSize = 256;
  230. }
  231. else
  232. {
  233. switch (PropertyType)
  234. {
  235. default:
  236. ASSERT(FALSE);
  237. break;
  239. case CIM_SINT8:
  240. case CIM_UINT8:
  241. dwRequiredSize = 4;
  242. usUnitSize = 1;
  243. if ( fIsArrary )
  244. {
  245. ASSERT(NYI);
  246. }
  247. break;
  249. case CIM_SINT16:
  250. case CIM_UINT16:
  251. dwRequiredSize = 8;
  252. usUnitSize = 2;
  253. if ( fIsArrary )
  254. {
  255. ASSERT(NYI);
  256. }
  257. break;
  259. case CIM_SINT32:
  260. case CIM_UINT32:
  261. dwRequiredSize = 12;
  262. usUnitSize = 4;
  263. if ( fIsArrary )
  264. {
  265. ASSERT(NYI);
  266. }
  267. break;
  269. case CIM_SINT64:
  270. case CIM_UINT64:
  271. dwRequiredSize = 24;
  272. usUnitSize = 8;
  273. if ( fIsArrary )
  274. {
  275. ASSERT(NYI);
  276. }
  277. break;
  279. case CIM_STRING:
  280. dwRequiredSize = (dwSize / sizeof(WCHAR)) + 1;
  281. usUnitSize = 1;
  282. if ( fIsArrary )
  283. {
  284. ASSERT(NYI);
  285. }
  286. break;
  288. case CIM_BOOLEAN:
  289. case CIM_REAL32:
  290. case CIM_REAL64:
  291. case CIM_DATETIME:
  292. case CIM_REFERENCE:
  293. case CIM_CHAR16:
  294. case CIM_OBJECT:
  295. ASSERT(NYI);
  296. break;
  297. }
  298. }
  300. ASSERT(dwRequiredSize < 0xffffffff);
  302. if (*pdwRequiredSize < dwRequiredSize)
  303. {
  304. Status = STATUS_BUFFER_OVERFLOW;
  305. *pdwRequiredSize = dwRequiredSize;
  306. goto Cleanup;
  307. }
  309. dwRequiredSize = *pdwRequiredSize;
  311. if ( FLAG_ON( dwPropertyFlag, PCF_Sid ))
  312. {
  313. Status = LsapRtlConvertSidToString( (PSID) pValue, szStrValue,
  314. &dwRequiredSize );
  316. if ( !NT_SUCCESS( Status ))
  317. {
  318. goto WinErrorCleanup;
  319. }
  320. }
  321. else
  322. {
  323. switch (PropertyType)
  324. {
  325. default:
  326. ASSERT(FALSE);
  327. break;
  329. case CIM_SINT8:
  330. wsprintf( szStrValue, L"%d", (INT) *((CHAR *) pValue));
  331. break;
  333. case CIM_UINT8:
  334. wsprintf( szStrValue, L"%d", (UINT) *((UCHAR *) pValue));
  335. break;
  337. case CIM_SINT16:
  338. wsprintf( szStrValue, L"%d", (INT) *((SHORT *) pValue));
  339. break;
  341. case CIM_UINT16:
  342. wsprintf( szStrValue, L"%d", (UINT) *((USHORT *) pValue));
  343. break;
  345. case CIM_SINT32:
  346. wsprintf( szStrValue, L"%d", *((INT *) pValue));
  347. break;
  349. case CIM_UINT32:
  350. wsprintf( szStrValue, L"%d", *((UINT *) pValue));
  351. break;
  353. case CIM_SINT64:
  354. wsprintf( szStrValue, L"%I64d", (INT64) *((UCHAR *) pValue));
  355. break;
  357. case CIM_UINT64:
  358. wsprintf( szStrValue, L"%I64d", (UINT64) *((UCHAR *) pValue));
  359. break;
  361. case CIM_STRING:
  362. dwRequiredSize = (dwSize / sizeof(WCHAR)) + 1;
  363. usUnitSize = 1;
  364. if ( fIsArrary )
  365. {
  366. ASSERT(NYI);
  367. }
  368. break;
  370. case CIM_BOOLEAN:
  371. case CIM_REAL32:
  372. case CIM_REAL64:
  373. case CIM_DATETIME:
  374. case CIM_REFERENCE:
  375. case CIM_CHAR16:
  376. case CIM_OBJECT:
  377. ASSERT(NYI);
  378. break;
  379. }
  380. }
  384. Cleanup:
  386. return Status;
  388. WinErrorCleanup:
  389. dwError = GetLastError();
  390. //kk Status = mapit();
  391. goto Cleanup;
  392. }
  394. #define MAX_NUM_EVENTLOG_STRINGS 32
  395. #define MAX_PROPERTY_SIZE 512
  397. NTSTATUS
  398. LsapAdtConvertAndReportEvent(
  399. IN HANDLE hAuditEvent,
  400. IN HANDLE hEventLog
  401. )
  402. {
  403. NTSTATUS Status = STATUS_SUCCESS;
  404. DWORD dwError = NO_ERROR;
  405. WORD wEventType = 0;
  406. WORD wCategory = 0;
  407. DWORD dwEventId = 0;
  408. PSID pUserSid = NULL;
  409. WORD wNumStrings = 0;
  410. DWORD dwDataSize = 0;
  411. PWSTR pStrings[MAX_NUM_EVENTLOG_STRINGS] = { 0 };
  412. PVOID pRawData = NULL;
  413. DWORD dwEventIdIndex = 0;
  414. DWORD dwNumBytesRead;
  415. DWORD dwPropertyIndex = 0;
  416. PCWSTR szPropertyName;
  417. CIMTYPE PropertyType;
  418. BYTE PropertyVal[MAX_PROPERTY_SIZE];
  419. WORD wStringIndex=0;
  420. DWORD dwRequiredSize;
  422. LsapAdtEventMapEntry* pEventMapEntry = NULL;
  423. LsapAdtEventProperty* pEventProperty = NULL;
  425. Status = LsapAdtGetEventProperty( hAuditEvent, L"AuditId", CIM_UINT32,
  426. &dwEventId, sizeof(dwEventId),
  427. &dwNumBytesRead );
  429. if (!NT_SUCCESS(Status))
  430. {
  431. goto Cleanup;
  432. }
  434. Status = LsapAdtGetEventMapEntry( dwEventId, &pEventMapEntry );
  436. if (!NT_SUCCESS(Status))
  437. {
  438. goto Cleanup;
  439. }
  441. ASSERT( pEventMapEntry->dwEventId == dwEventId );
  443. pEventProperty = pEventMapEntry->Properties;
  445. while ( ( szPropertyName = pEventProperty->szName ) != NULL )
  446. {
  447. PropertyType = pEventProperty->Type;
  449. Status = LsapAdtGetEventProperty( hAuditEvent,
  450. szPropertyName,
  451. PropertyType,
  452. PropertyVal, MAX_PROPERTY_SIZE,
  453. &dwNumBytesRead );
  455. if (!NT_SUCCESS(Status))
  456. {
  457. goto Cleanup;
  458. }
  460. // kk alloc strings, init dwRequiredSize
  461. Status = LsapAdtConvertPropertyToString( pEventProperty,
  462. PropertyVal,
  463. dwNumBytesRead,
  464. pStrings[wNumStrings],
  465. &dwRequiredSize );
  467. if (!NT_SUCCESS(Status))
  468. {
  469. goto Cleanup;
  470. }
  472. pEventProperty++;
  473. wNumStrings++;
  474. }
  477. dwError = ReportEvent( hEventLog, wEventType, wCategory, dwEventId,
  478. pUserSid, wNumStrings, dwDataSize,
  479. (PCWSTR*) pStrings, pRawData );
  481. if (!dwError)
  482. {
  483. goto WinErrorCleanup;
  484. }
  487. Cleanup:
  489. return Status;
  491. WinErrorCleanup:
  492. dwError = GetLastError();
  493. //kkStatus = mapit();
  494. goto Cleanup;
  495. }