Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

1211 lines
33 KiB

  1. /*++
  2. Copyright (c) 1990 Microsoft Corporation
  3. Module Name:
  4. elflpc.c
  5. Abstract:
  6. This file contains the routines that deal with the LPC port in the
  7. eventlog service.
  8. Author:
  9. Rajen Shah (rajens) 10-Jul-1991
  10. Revision History:
  11. --*/
  12. //
  13. // INCLUDES
  14. //
  15. #include <eventp.h>
  16. #include <ntiolog.h> // For IO_ERROR_LOG_[MESSAGE/PACKET]
  17. #include <ntiologc.h> // QUOTA error codes
  18. #include <elfkrnl.h>
  19. #include <stdlib.h>
  20. #include <memory.h>
  21. #include <elfextrn.h> // Computername
  22. #include <nt.h> // DbgPrint prototype
  23. #include <ntrtl.h> // DbgPrint prototype
  24. #include <ntdef.h>
  25. #include <ntstatus.h>
  26. #include <nt.h>
  27. #include <ntrtl.h>
  28. #include <nturtl.h>
  29. #include <windef.h>
  30. #include <lmcons.h>
  31. #include <string.h>
  32. #include <lmerr.h>
  33. #include <elfmsg.h>
  34. //
  35. // Global value for the "system" module
  36. //
  37. PLOGMODULE SystemModule = NULL;
  38. NTSTATUS
  39. SetUpLPCPort(
  40. VOID
  41. )
  42. /*++
  43. Routine Description:
  44. This routine sets up the LPC port for the service.
  45. Arguments:
  46. None
  47. Return Value:
  48. --*/
  49. {
  50. NTSTATUS status;
  51. UNICODE_STRING SystemString;
  52. UNICODE_STRING unicodePortName;
  53. OBJECT_ATTRIBUTES objectAttributes;
  54. PORT_MESSAGE connectionRequest;
  55. ELF_LOG0(LPC,
  56. "SetUpLPCPort: Enter\n");
  57. //
  58. // We're going to need this every time, so just get it once
  59. //
  60. ASSERT(SystemModule == NULL);
  61. //
  62. // Get the system module to log driver events
  63. //
  64. RtlInitUnicodeString(&SystemString, ELF_SYSTEM_MODULE_NAME);
  65. SystemModule = GetModuleStruc(&SystemString);
  66. //
  67. // The System log and its default module should have been created by now.
  68. //
  69. ASSERT(_wcsicmp(SystemModule->ModuleName, ELF_SYSTEM_MODULE_NAME) == 0);
  70. //
  71. // Initialize the handles to zero so that we can determine what to do
  72. // if we need to clean up.
  73. //
  74. ElfConnectionPortHandle = NULL;
  75. ElfCommunicationPortHandle = NULL;
  76. //
  77. // Create the LPC port.
  78. //
  79. RtlInitUnicodeString( &unicodePortName, ELF_PORT_NAME_U );
  80. InitializeObjectAttributes(
  81. &objectAttributes,
  82. &unicodePortName,
  83. OBJ_CASE_INSENSITIVE,
  84. NULL,
  85. NULL
  86. );
  87. status = NtCreatePort(&ElfConnectionPortHandle,
  88. &objectAttributes,
  89. 0,
  90. ELF_PORT_MAX_MESSAGE_LENGTH,
  91. ELF_PORT_MAX_MESSAGE_LENGTH * 32);
  92. if (!NT_SUCCESS(status))
  93. {
  94. ELF_LOG2(ERROR,
  95. "SetUpLPCPort: Error creating LPC port %ws %#x\n",
  96. ELF_PORT_NAME_U,
  97. status);
  98. }
  99. ELF_LOG1(LPC,
  100. "SetUpLPCPort: Exiting with status %#x\n",
  101. status);
  102. return status;
  103. }
  104. LPWSTR
  105. ElfpCopyString(
  106. LPWSTR Destination,
  107. LPWSTR Source,
  108. ULONG Length
  109. )
  110. /*++
  111. Routine Description:
  112. Copies a string to the destination. Correctly NUL terminates
  113. the string.
  114. Arguments:
  115. Destination - place where string is to be copied
  116. Source - string that may or may not be NUL terminated
  117. Length - length in bytes of string being copied. May include NUL
  118. Return Value:
  119. LPWSTR to first WCHAR past NUL
  120. --*/
  121. {
  122. //
  123. // Copy the data
  124. //
  125. RtlMoveMemory(Destination, Source, Length);
  126. //
  127. // Make sure it's NULL terminated
  128. //
  129. if (Length != 0)
  130. {
  131. Destination += Length / sizeof(WCHAR) - 1;
  132. if (*Destination != L'\0')
  133. {
  134. Destination++;
  135. *Destination = L'\0';
  136. }
  137. }
  138. else
  139. {
  140. *Destination = L'0';
  141. }
  142. return Destination + 1;
  143. }
  144. NTSTATUS
  145. ElfProcessIoLPCPacket(
  146. ULONG PacketLength,
  147. PIO_ERROR_LOG_MESSAGE pIoErrorLogMessage
  148. )
  149. /*++
  150. Routine Description:
  151. This routine takes the packet received from the LPC port and processes it.
  152. The logfile will be system, the module name will be the driver that
  153. generated the packet, the SID will always be NULL and
  154. there will always be one string, which will be the device name.
  155. It extracts the information from the LPC packet, and then calls the
  156. common routine to do the work of formatting the data into
  157. an event record and writing it out to the log file.
  158. Arguments:
  159. pIoErrorLogMessage - Pointer to the data portion of the packet just
  160. received through the LPC port.
  161. Return Value:
  162. Status of this operation.
  163. --*/
  164. {
  165. NTSTATUS status;
  166. ELF_REQUEST_RECORD Request;
  167. WRITE_PKT WritePkt;
  168. ULONG RecordLength;
  169. PEVENTLOGRECORD EventLogRecord;
  170. LPWSTR DestinationString, SourceString;
  171. PBYTE BinaryData;
  172. ULONG PadSize;
  173. LARGE_INTEGER Time;
  174. ULONG TimeWritten;
  175. PULONG pEndLength;
  176. ULONG i = 0;
  177. PWCHAR pwch;
  178. PWCHAR pwStart;
  179. PWCHAR pwEnd;
  180. ULONG StringLength;
  181. WCHAR LocalComputerName[MAX_COMPUTERNAME_LENGTH + 1];
  182. ULONG ComputerNameLength = MAX_COMPUTERNAME_LENGTH + 1;
  183. BOOL bOK;
  184. PacketLength = min(pIoErrorLogMessage->Size, PacketLength);
  185. try
  186. {
  187. // Get the computer name
  188. bOK = GetComputerNameW(LocalComputerName, &ComputerNameLength);
  189. if(bOK == FALSE)
  190. {
  191. ELF_LOG1(ERROR,
  192. "ElfProcessIoLPCPacket: failed calling GetComputerNameW, last error 0x%x\n",
  193. GetLastError());
  194. return STATUS_UNSUCCESSFUL;
  195. }
  196. ComputerNameLength = (ComputerNameLength+1)*sizeof(WCHAR); // account for the NULL
  197. //
  198. // Validate the packet, First make sure there are the correct
  199. // number of NULL terminated strings, and remember the
  200. // total number of bytes to copy
  201. //
  202. pwStart = pwch = (PWCHAR) ((PBYTE) pIoErrorLogMessage +
  203. pIoErrorLogMessage->EntryData.StringOffset);
  204. pwEnd = (PWCHAR) ((PBYTE) pIoErrorLogMessage + PacketLength);
  205. while (pwch < pwEnd
  206. &&
  207. i < pIoErrorLogMessage->EntryData.NumberOfStrings)
  208. {
  209. if (*pwch == L'\0')
  210. {
  211. i++;
  212. }
  213. pwch++;
  214. }
  215. StringLength = (ULONG) (pwch - pwStart) * sizeof(WCHAR);
  216. //
  217. // Now make sure everything in the packet is true
  218. //
  219. if ((i != pIoErrorLogMessage->EntryData.NumberOfStrings)
  220. ||
  221. (pIoErrorLogMessage->DriverNameOffset
  222. + pIoErrorLogMessage->DriverNameLength >= PacketLength)
  223. ||
  224. (pIoErrorLogMessage->EntryData.StringOffset >= PacketLength)
  225. ||
  226. (FIELD_OFFSET(IO_ERROR_LOG_MESSAGE, EntryData)
  227. + FIELD_OFFSET(IO_ERROR_LOG_PACKET, DumpData)
  228. + (ULONG) pIoErrorLogMessage->EntryData.DumpDataSize >= PacketLength))
  229. {
  230. //
  231. // It's a bad packet, log it and return
  232. //
  233. ELF_LOG0(ERROR,
  234. "ElfProcessIoLPCPacket: Bad LPC packet -- dumping it to System log\n");
  235. ElfpCreateElfEvent(EVENT_BadDriverPacket,
  236. EVENTLOG_ERROR_TYPE,
  237. 0, // EventCategory
  238. 0, // NumberOfStrings
  239. NULL, // Strings
  240. pIoErrorLogMessage, // Data
  241. PacketLength, // Datalength
  242. 0,
  243. FALSE); // flags
  244. return STATUS_UNSUCCESSFUL;
  245. }
  246. }
  247. except (EXCEPTION_EXECUTE_HANDLER)
  248. {
  249. //
  250. // It's a bad packet, log it and return
  251. //
  252. ELF_LOG1(ERROR,
  253. "ElfProcessIoLPCPacket: Exception %#x caught processing I/O LPC packet\n",
  254. GetExceptionCode());
  255. ElfpCreateElfEvent(EVENT_BadDriverPacket,
  256. EVENTLOG_ERROR_TYPE,
  257. 0, // EventCategory
  258. 0, // NumberOfStrings
  259. NULL, // Strings
  260. NULL, // Data
  261. 0, // Datalength
  262. 0,
  263. FALSE); // flags
  264. return STATUS_UNSUCCESSFUL;
  265. }
  266. //
  267. // The packet should be an IO_ERROR_LOG_MESSAGE
  268. //
  269. ASSERT(pIoErrorLogMessage->Type == IO_TYPE_ERROR_MESSAGE);
  270. //
  271. // Set up write packet in request packet
  272. //
  273. Request.Pkt.WritePkt = &WritePkt;
  274. Request.Flags = 0;
  275. //
  276. // Generate any additional information needed in the record.
  277. //
  278. //
  279. // TIMEWRITTEN
  280. // We need to generate a time when the log is written. This
  281. // gets written in the log so that we can use it to test the
  282. // retention period when wrapping the file.
  283. //
  284. NtQuerySystemTime(&Time);
  285. RtlTimeToSecondsSince1970(
  286. &Time,
  287. &TimeWritten
  288. );
  289. //
  290. // Determine how big a buffer is needed for the eventlog record.
  291. //
  292. RecordLength = sizeof(EVENTLOGRECORD)
  293. + ComputerNameLength // computer name
  294. + 2 * sizeof(WCHAR) // terminating NULLs
  295. + PacketLength
  296. - FIELD_OFFSET(IO_ERROR_LOG_MESSAGE, EntryData)
  297. + sizeof(RecordLength); // final len
  298. //
  299. // Determine how many pad bytes are needed to align to a DWORD
  300. // boundary.
  301. //
  302. PadSize = sizeof(ULONG) - (RecordLength % sizeof(ULONG));
  303. RecordLength += PadSize; // True size needed
  304. //
  305. // Allocate the buffer for the Eventlog record
  306. //
  307. EventLogRecord = (PEVENTLOGRECORD) ElfpAllocateBuffer(RecordLength);
  308. if (EventLogRecord != (PEVENTLOGRECORD) NULL)
  309. {
  310. //
  311. // Fill up the event record
  312. //
  313. EventLogRecord->Length = RecordLength;
  314. RtlTimeToSecondsSince1970(&pIoErrorLogMessage->TimeStamp,
  315. &EventLogRecord->TimeGenerated);
  316. EventLogRecord->Reserved = ELF_LOG_FILE_SIGNATURE;
  317. EventLogRecord->TimeWritten = TimeWritten;
  318. EventLogRecord->EventID = pIoErrorLogMessage->EntryData.ErrorCode;
  319. //
  320. // Set EventType based on the high order nibble of
  321. // pIoErrorLogMessage->EntryData.ErrorCode
  322. //
  323. if (NT_INFORMATION(pIoErrorLogMessage->EntryData.ErrorCode))
  324. {
  325. EventLogRecord->EventType = EVENTLOG_INFORMATION_TYPE;
  326. }
  327. else if (NT_WARNING(pIoErrorLogMessage->EntryData.ErrorCode))
  328. {
  329. EventLogRecord->EventType = EVENTLOG_WARNING_TYPE;
  330. }
  331. else if (NT_ERROR(pIoErrorLogMessage->EntryData.ErrorCode))
  332. {
  333. EventLogRecord->EventType = EVENTLOG_ERROR_TYPE;
  334. }
  335. else
  336. {
  337. //
  338. // Unknown, set to error
  339. //
  340. ELF_LOG1(LPC,
  341. "ElfProcessIoLPCPacket: Unknown EventType (high nibble of ID %#x)\n",
  342. EventLogRecord->EventID);
  343. EventLogRecord->EventType = EVENTLOG_ERROR_TYPE;
  344. }
  345. EventLogRecord->NumStrings = pIoErrorLogMessage->EntryData.NumberOfStrings;
  346. EventLogRecord->EventCategory = pIoErrorLogMessage->EntryData.EventCategory;
  347. EventLogRecord->StringOffset = sizeof(EVENTLOGRECORD)
  348. + pIoErrorLogMessage->DriverNameLength
  349. + ComputerNameLength;
  350. EventLogRecord->DataLength = FIELD_OFFSET(IO_ERROR_LOG_PACKET, DumpData)
  351. + pIoErrorLogMessage->EntryData.DumpDataSize;
  352. EventLogRecord->DataOffset = EventLogRecord->StringOffset + StringLength;
  353. //
  354. // Quota events contain a SID.
  355. //
  356. if (pIoErrorLogMessage->EntryData.ErrorCode == IO_FILE_QUOTA_LIMIT
  357. ||
  358. pIoErrorLogMessage->EntryData.ErrorCode == IO_FILE_QUOTA_THRESHOLD)
  359. {
  360. PFILE_QUOTA_INFORMATION pFileQuotaInformation =
  361. (PFILE_QUOTA_INFORMATION) pIoErrorLogMessage->EntryData.DumpData;
  362. ELF_LOG0(LPC,
  363. "ElfProcessIoLPCPacket: Event is a Quota event\n");
  364. EventLogRecord->UserSidLength = pFileQuotaInformation->SidLength;
  365. EventLogRecord->UserSidOffset = EventLogRecord->DataOffset
  366. + FIELD_OFFSET(IO_ERROR_LOG_PACKET, DumpData)
  367. + FIELD_OFFSET(FILE_QUOTA_INFORMATION, Sid);
  368. EventLogRecord->DataLength = EventLogRecord->UserSidOffset -
  369. EventLogRecord->DataOffset;
  370. }
  371. else
  372. {
  373. EventLogRecord->UserSidLength = 0;
  374. EventLogRecord->UserSidOffset = 0;
  375. }
  376. //
  377. // Fill in the variable-length fields
  378. //
  379. //
  380. // MODULENAME
  381. //
  382. // Use the driver name as the module name, since its location is
  383. // described by an offset from the start of the IO_ERROR_LOG_MESSAGE
  384. // turn it into a pointer
  385. //
  386. DestinationString = (LPWSTR) ((LPBYTE) EventLogRecord + sizeof(EVENTLOGRECORD));
  387. SourceString = (LPWSTR) ((LPBYTE) pIoErrorLogMessage
  388. + pIoErrorLogMessage->DriverNameOffset);
  389. DestinationString = ElfpCopyString(DestinationString,
  390. SourceString,
  391. pIoErrorLogMessage->DriverNameLength);
  392. //
  393. // COMPUTERNAME
  394. //
  395. DestinationString = ElfpCopyString(DestinationString,
  396. LocalComputerName,
  397. ComputerNameLength);
  398. //
  399. // STRINGS
  400. //
  401. DestinationString = ElfpCopyString(DestinationString, pwStart, StringLength);
  402. //
  403. // BINARY DATA
  404. //
  405. BinaryData = (LPBYTE) DestinationString;
  406. RtlMoveMemory(BinaryData,
  407. &pIoErrorLogMessage->EntryData,
  408. FIELD_OFFSET(IO_ERROR_LOG_PACKET, DumpData)
  409. + pIoErrorLogMessage->EntryData.DumpDataSize);
  410. //
  411. // LENGTH at end of record
  412. //
  413. pEndLength = (PULONG) ((LPBYTE) EventLogRecord + RecordLength - sizeof(ULONG));
  414. *pEndLength = RecordLength;
  415. //
  416. // Set up request packet.
  417. // Link event log record into the request structure.
  418. //
  419. Request.Module = SystemModule;
  420. Request.LogFile = Request.Module->LogFile;
  421. Request.Command = ELF_COMMAND_WRITE;
  422. Request.Pkt.WritePkt->Buffer = (PVOID) EventLogRecord;
  423. Request.Pkt.WritePkt->Datasize = RecordLength;
  424. //
  425. // Perform the operation
  426. //
  427. ElfPerformRequest( &Request );
  428. //
  429. // Replicate the event if part of a cluster
  430. //
  431. ElfpReplicateEvent(SystemModule, EventLogRecord, RecordLength);
  432. //
  433. // Free up the buffer
  434. //
  435. ElfpFreeBuffer(EventLogRecord);
  436. status = Request.Status; // Set status of WRITE
  437. }
  438. else
  439. {
  440. ELF_LOG0(ERROR,
  441. "ElfProcessIoLPCPacket: Unable to allocate memory for EventLogRecord\n");
  442. status = STATUS_NO_MEMORY;
  443. }
  444. return status;
  445. }
  446. NTSTATUS
  447. ElfProcessSmLPCPacket(
  448. ULONG PacketLength,
  449. PSM_ERROR_LOG_MESSAGE SmErrorLogMessage
  450. )
  451. /*++
  452. Routine Description:
  453. This routine takes the packet received from the LPC port and processes it.
  454. The packet is an SM_ERROR_LOG_MESSAGE. The logfile will be system, the
  455. module name will be SMSS, the SID will always be NULL and
  456. there will always be one string, which will be the filename
  457. It extracts the information from the LPC packet, and then calls the
  458. common routine to do the work of formatting the data into
  459. an event record and writing it out to the log file.
  460. Arguments:
  461. SmErrorLogMessage - Pointer to the data portion of the packet just
  462. received through the LPC port.
  463. Return Value:
  464. Status of this operation.
  465. --*/
  466. {
  467. NTSTATUS status;
  468. ELF_REQUEST_RECORD Request;
  469. WRITE_PKT WritePkt;
  470. ULONG RecordLength;
  471. PEVENTLOGRECORD EventLogRecord;
  472. LPWSTR DestinationString, SourceString;
  473. PBYTE BinaryData;
  474. ULONG PadSize;
  475. LARGE_INTEGER Time;
  476. ULONG TimeWritten;
  477. PULONG pEndLength;
  478. WCHAR LocalComputerName[MAX_COMPUTERNAME_LENGTH + 1];
  479. ULONG ComputerNameLength = MAX_COMPUTERNAME_LENGTH + 1;
  480. BOOL bOK;
  481. try
  482. {
  483. // Get the computer name
  484. bOK = GetComputerNameW(LocalComputerName, &ComputerNameLength);
  485. if(bOK == FALSE)
  486. {
  487. ELF_LOG1(ERROR,
  488. "ElfProcessIoLPCPacket: failed calling GetComputerNameW, last error 0x%x\n",
  489. GetLastError());
  490. return STATUS_UNSUCCESSFUL;
  491. }
  492. ComputerNameLength = (ComputerNameLength+1)*sizeof(WCHAR);
  493. //
  494. // Validate the packet.
  495. //
  496. if (PacketLength < sizeof(SM_ERROR_LOG_MESSAGE)
  497. ||
  498. //
  499. // Offset begins before header
  500. //
  501. SmErrorLogMessage->StringOffset < sizeof(*SmErrorLogMessage)
  502. ||
  503. //
  504. // Offset begins after packet
  505. //
  506. SmErrorLogMessage->StringOffset >= PacketLength
  507. ||
  508. //
  509. // Length of string longer than packet
  510. //
  511. SmErrorLogMessage->StringLength > PacketLength
  512. ||
  513. //
  514. // String end after end of packet
  515. //
  516. SmErrorLogMessage->StringOffset
  517. + SmErrorLogMessage->StringLength > PacketLength
  518. )
  519. {
  520. RtlRaiseStatus(STATUS_UNSUCCESSFUL);
  521. }
  522. }
  523. except (EXCEPTION_EXECUTE_HANDLER)
  524. {
  525. //
  526. // It's a bad packet, log it and return
  527. //
  528. ELF_LOG1(ERROR,
  529. "ElfProcessSmLPCPacket: Exception %#x caught processing SMSS LPC packet\n",
  530. GetExceptionCode());
  531. ELF_LOG3(ERROR,
  532. "SmErrorLogMessage->StringOffset %#x\n"
  533. "\tPacketLength %#x\n"
  534. "\tSmErrorLogMessage->StringLength %#x\n",
  535. SmErrorLogMessage->StringOffset,
  536. PacketLength,
  537. SmErrorLogMessage->StringLength);
  538. ElfpCreateElfEvent(EVENT_BadDriverPacket,
  539. EVENTLOG_ERROR_TYPE,
  540. 0, // EventCategory
  541. 0, // NumberOfStrings
  542. NULL, // Strings
  543. NULL, // Data
  544. 0, // Datalength
  545. 0,
  546. FALSE); // flags
  547. return STATUS_UNSUCCESSFUL;
  548. }
  549. //
  550. // Set up write packet in request packet
  551. //
  552. Request.Pkt.WritePkt = &WritePkt;
  553. Request.Flags = 0;
  554. //
  555. // Generate any additional information needed in the record.
  556. //
  557. //
  558. // Determine how big a buffer is needed for the eventlog record.
  559. // We overestimate string lengths rather than probing for
  560. // terminating NUL's
  561. //
  562. RecordLength = sizeof(EVENTLOGRECORD)
  563. + sizeof(L"system")
  564. + ComputerNameLength + sizeof(WCHAR)
  565. + SmErrorLogMessage->StringLength + sizeof(WCHAR)
  566. + sizeof(RecordLength);
  567. //
  568. // Since the RecordLength at the end must be ULONG aligned, we round
  569. // up the total size to be ULONG aligned.
  570. //
  571. RecordLength += sizeof(ULONG) - (RecordLength % sizeof(ULONG));
  572. //
  573. // Allocate the buffer for the Eventlog record
  574. //
  575. EventLogRecord = (PEVENTLOGRECORD) ElfpAllocateBuffer(RecordLength);
  576. if (EventLogRecord == NULL)
  577. {
  578. ELF_LOG0(ERROR,
  579. "ElfProcessSmLPCPacket: Unable to allocate memory for EventLogRecord\n");
  580. return STATUS_NO_MEMORY;
  581. }
  582. //
  583. // Fill up the event record
  584. //
  585. EventLogRecord->Length = RecordLength;
  586. EventLogRecord->Reserved = ELF_LOG_FILE_SIGNATURE;
  587. RtlTimeToSecondsSince1970(&SmErrorLogMessage->TimeStamp,
  588. &EventLogRecord->TimeGenerated);
  589. NtQuerySystemTime(&Time);
  590. RtlTimeToSecondsSince1970(&Time, &EventLogRecord->TimeWritten);
  591. EventLogRecord->EventID = SmErrorLogMessage->Status;
  592. //
  593. // set EventType based on the high order nibble of
  594. // the eventID
  595. //
  596. if (NT_INFORMATION(EventLogRecord->EventID))
  597. {
  598. EventLogRecord->EventType = EVENTLOG_INFORMATION_TYPE;
  599. }
  600. else if (NT_WARNING(EventLogRecord->EventID))
  601. {
  602. EventLogRecord->EventType = EVENTLOG_WARNING_TYPE;
  603. }
  604. else if (NT_ERROR(EventLogRecord->EventID))
  605. {
  606. EventLogRecord->EventType = EVENTLOG_ERROR_TYPE;
  607. }
  608. else
  609. {
  610. //
  611. // Unknown, set to error
  612. //
  613. ELF_LOG1(LPC,
  614. "ElfProcessSmLPCPacket: Unknown EventType (high nibble of ID %#x)\n",
  615. EventLogRecord->EventID);
  616. EventLogRecord->EventType = EVENTLOG_ERROR_TYPE;
  617. }
  618. //
  619. // There is a single string; it is the name of the file being
  620. // replaced
  621. //
  622. EventLogRecord->NumStrings = 1;
  623. EventLogRecord->EventCategory = ELF_CATEGORY_SYSTEM_EVENT;
  624. //
  625. // Nothing for ReservedFlags
  626. // Nothing for ClosingRecordNumber
  627. //
  628. EventLogRecord->StringOffset = sizeof(EVENTLOGRECORD)
  629. + sizeof( L"system" )
  630. + ComputerNameLength;
  631. //
  632. // No SID's present
  633. //
  634. EventLogRecord->UserSidLength = 0;
  635. EventLogRecord->UserSidOffset = 0;
  636. EventLogRecord->DataLength = 0;
  637. EventLogRecord->DataOffset = 0;
  638. //
  639. // Fill in the variable-length fields
  640. //
  641. // MODULENAME
  642. //
  643. // SMSS
  644. //
  645. DestinationString = (LPWSTR) ((LPBYTE) EventLogRecord + sizeof(EVENTLOGRECORD));
  646. DestinationString = ElfpCopyString(DestinationString,
  647. L"system",
  648. sizeof(L"system"));
  649. //
  650. // COMPUTERNAME
  651. //
  652. DestinationString = ElfpCopyString(DestinationString,
  653. LocalComputerName,
  654. ComputerNameLength);
  655. //
  656. // STRING
  657. //
  658. SourceString = (LPWSTR) ((LPBYTE) SmErrorLogMessage + SmErrorLogMessage->StringOffset);
  659. ELF_LOG2(LPC,
  660. "ElfProcessSmLPCPacket: String is '%*ws'\n",
  661. SmErrorLogMessage->StringLength,
  662. SourceString);
  663. DestinationString = ElfpCopyString(DestinationString,
  664. SourceString,
  665. SmErrorLogMessage->StringLength);
  666. //
  667. // LENGTH at end of record
  668. //
  669. pEndLength = (PULONG) ((LPBYTE) EventLogRecord + RecordLength - sizeof(ULONG));
  670. *pEndLength = RecordLength;
  671. //
  672. // Set up request packet.
  673. // Link event log record into the request structure.
  674. //
  675. Request.Module = SystemModule;
  676. Request.LogFile = Request.Module->LogFile;
  677. Request.Command = ELF_COMMAND_WRITE;
  678. Request.Pkt.WritePkt->Buffer = (PVOID) EventLogRecord;
  679. Request.Pkt.WritePkt->Datasize = RecordLength;
  680. //
  681. // Perform the operation
  682. //
  683. ElfPerformRequest( &Request );
  684. //
  685. // Replicate the event if part of a cluster
  686. //
  687. ElfpReplicateEvent(SystemModule, EventLogRecord, RecordLength);
  688. //
  689. // Free up the buffer
  690. //
  691. ElfpFreeBuffer( EventLogRecord );
  692. return Request.Status;
  693. }
  694. NTSTATUS
  695. ElfProcessLPCCalls(
  696. VOID
  697. )
  698. /*++
  699. Routine Description:
  700. This routine waits for messages to come through the LPC port to
  701. the system thread. When one does, it calls the appropriate routine to
  702. handle the API, then replies to the system thread indicating that the
  703. call has completed if the message was a request, if it was a datagram,
  704. it just waits for the next message.
  705. Arguments:
  706. Return Value:
  707. --*/
  708. {
  709. NTSTATUS status;
  710. BOOL SendReply = FALSE;
  711. ELF_REPLY_MESSAGE replyMessage;
  712. PELF_PORT_MSG receiveMessage;
  713. PHANDLE PortConnectionHandle;
  714. //
  715. // Loop dispatching API requests.
  716. //
  717. receiveMessage = ElfpAllocateBuffer(ELF_PORT_MAX_MESSAGE_LENGTH + sizeof(PORT_MESSAGE));
  718. if (!receiveMessage)
  719. {
  720. ELF_LOG0(ERROR,
  721. "ElfProcessLPCCalls: Unable to allocate memory for receiveMessage\n");
  722. return STATUS_NO_MEMORY;
  723. }
  724. while (TRUE)
  725. {
  726. //
  727. // On the first call to NtReplyWaitReceivePort, don't send a
  728. // reply since there's nobody to whom to reply. However, on
  729. // subsequent calls send a reply to the message from the prior
  730. // time if that message wasn't an LPC_DATAGRAM.
  731. //
  732. status = NtReplyWaitReceivePort(
  733. ElfConnectionPortHandle,
  734. (PVOID) &PortConnectionHandle,
  735. (PPORT_MESSAGE) (SendReply ? &replyMessage : NULL),
  736. (PPORT_MESSAGE) receiveMessage
  737. );
  738. if (!NT_SUCCESS(status))
  739. {
  740. ELF_LOG1(ERROR,
  741. "ElfProcessLPCCalls: NtReplyWaitReceivePort failed %#x\n",
  742. status);
  743. return status;
  744. }
  745. ELF_LOG0(LPC,
  746. "ElfProcessLPCCalls: Received message\n");
  747. //
  748. // Take the record received and perform the operation. Strip off
  749. // the PortMessage and just send the packet.
  750. //
  751. //
  752. // Set up the response message to be sent on the next call to
  753. // NtReplyWaitReceivePort if this wasn't a datagram.
  754. // 'status' contains the status to return from this call.
  755. // Only process messages that are LPC_REQUEST or LPC_DATAGRAM
  756. //
  757. if (receiveMessage->PortMessage.u2.s2.Type == LPC_REQUEST
  758. ||
  759. receiveMessage->PortMessage.u2.s2.Type == LPC_DATAGRAM)
  760. {
  761. ELF_LOG1(LPC,
  762. "ElfProcessLPCCalls: LPC message type = %ws\n",
  763. (receiveMessage->PortMessage.u2.s2.Type == LPC_REQUEST ? "LPC_REQUEST" :
  764. "LPC_DATAGRAM"));
  765. if (receiveMessage->MessageType == IO_ERROR_LOG)
  766. {
  767. ELF_LOG0(LPC,
  768. "ElfProcessLPCCalls: SM_IO_LOG\n");
  769. status = ElfProcessIoLPCPacket(receiveMessage->PortMessage.u1.s1.DataLength,
  770. &receiveMessage->u.IoErrorLogMessage);
  771. }
  772. else if (receiveMessage->MessageType == SM_ERROR_LOG)
  773. {
  774. ELF_LOG0(LPC,
  775. "ElfProcessLPCCalls: SM_ERROR_LOG\n");
  776. status = ElfProcessSmLPCPacket(receiveMessage->PortMessage.u1.s1.DataLength,
  777. &receiveMessage->u.SmErrorLogMessage);
  778. }
  779. else
  780. {
  781. ELF_LOG1(ERROR,
  782. "ElfProcessLPCCalls: Unknown MessageType %#x\n",
  783. receiveMessage->MessageType);
  784. status = STATUS_UNSUCCESSFUL;
  785. }
  786. if (receiveMessage->PortMessage.u2.s2.Type == LPC_REQUEST)
  787. {
  788. replyMessage.PortMessage.u1.s1.DataLength = sizeof(replyMessage)
  789. - sizeof(PORT_MESSAGE);
  790. replyMessage.PortMessage.u1.s1.TotalLength = sizeof(replyMessage);
  791. replyMessage.PortMessage.u2.ZeroInit = 0;
  792. replyMessage.PortMessage.ClientId
  793. = receiveMessage->PortMessage.ClientId;
  794. replyMessage.PortMessage.MessageId
  795. = receiveMessage->PortMessage.MessageId;
  796. replyMessage.Status = status;
  797. SendReply = TRUE;
  798. }
  799. else
  800. {
  801. SendReply = FALSE;
  802. }
  803. }
  804. else if (receiveMessage->PortMessage.u2.s2.Type == LPC_CONNECTION_REQUEST)
  805. {
  806. PHANDLE pSavedHandle = NULL;
  807. BOOLEAN Accept = TRUE;
  808. ELF_LOG0(LPC,
  809. "ElfProcessLPCCalls: Processing connection request\n");
  810. pSavedHandle = ElfpAllocateBuffer(sizeof (HANDLE));
  811. if (pSavedHandle)
  812. {
  813. status = NtAcceptConnectPort(pSavedHandle,
  814. pSavedHandle,
  815. &receiveMessage->PortMessage,
  816. Accept,
  817. NULL,
  818. NULL);
  819. } else {
  820. ELF_LOG0(ERROR, "ElfProcessLPCCalls: Unable to allocate LPC handle\n");
  821. status = STATUS_NO_MEMORY;
  822. }
  823. if (!Accept)
  824. {
  825. if(pSavedHandle)
  826. {
  827. ElfpFreeBuffer(pSavedHandle);
  828. pSavedHandle = NULL;
  829. }
  830. continue;
  831. }
  832. if (NT_SUCCESS(status))
  833. {
  834. status = NtCompleteConnectPort(*pSavedHandle);
  835. if (!NT_SUCCESS(status))
  836. {
  837. ELF_LOG1(ERROR,
  838. "ElfProcessLPCCalls: NtAcceptConnectPort failed %#x\n",
  839. status);
  840. NtClose(*pSavedHandle);
  841. }
  842. }
  843. if (!NT_SUCCESS(status))
  844. {
  845. ELF_LOG1(ERROR,
  846. "ElfProcessLPCCalls: Cleaning up failed connect\n", status);
  847. if(pSavedHandle)
  848. {
  849. ElfpFreeBuffer(pSavedHandle);
  850. pSavedHandle = NULL;
  851. }
  852. }
  853. }
  854. else if (receiveMessage->PortMessage.u2.s2.Type == LPC_PORT_CLOSED)
  855. {
  856. ELF_LOG0(LPC,
  857. "ElfProcessLPCCalls: Processing port closed\n");
  858. ASSERT(PortConnectionHandle != NULL);
  859. NtClose(*PortConnectionHandle);
  860. ElfpFreeBuffer(PortConnectionHandle);
  861. }
  862. else
  863. {
  864. //
  865. // We received a message type we didn't expect, probably due to
  866. // error.
  867. //
  868. ELF_LOG1(ERROR,
  869. "ElfProcessLPCCalls: Unknown message type %#x received on LPC port\n",
  870. receiveMessage->PortMessage.u2.s2.Type);
  871. }
  872. }
  873. } // ElfProcessLPCCalls
  874. DWORD
  875. MainLPCThread(
  876. LPVOID LPCThreadParm
  877. )
  878. /*++
  879. Routine Description:
  880. This is the main thread that monitors the LPC port from the I/O system.
  881. It takes care of creating the LPC port, and waiting for input, which
  882. it then transforms into the right operation on the event log.
  883. Arguments:
  884. NONE
  885. Return Value:
  886. NONE
  887. --*/
  888. {
  889. NTSTATUS Status;
  890. ELF_LOG0(LPC,
  891. "MainLPCThread: Inside LPC thread\n");
  892. Status = SetUpLPCPort();
  893. if (NT_SUCCESS(Status))
  894. {
  895. //
  896. // Loop forever. This thread will be killed when the service terminates.
  897. //
  898. while (TRUE)
  899. {
  900. Status = ElfProcessLPCCalls ();
  901. }
  902. }
  903. ELF_LOG1(ERROR,
  904. "MainLPCThread: SetUpLPCPort failed %#x\n",
  905. Status);
  906. return Status;
  907. UNREFERENCED_PARAMETER(LPCThreadParm);
  908. }
  909. BOOL
  910. StartLPCThread(
  911. VOID
  912. )
  913. /*++
  914. Routine Description:
  915. This routine starts up the thread that monitors the LPC port.
  916. Arguments:
  917. NONE
  918. Return Value:
  919. TRUE if thread creation succeeded, FALSE otherwise.
  920. Note:
  921. --*/
  922. {
  923. DWORD error;
  924. DWORD ThreadId;
  925. ELF_LOG0(LPC,
  926. "StartLPCThread: Start up the LPC thread\n");
  927. //
  928. // Start up the actual thread.
  929. //
  930. LPCThreadHandle = CreateThread(NULL, // lpThreadAttributes
  931. 4096, // dwStackSize
  932. MainLPCThread, // lpStartAddress
  933. NULL, // lpParameter
  934. 0L, // dwCreationFlags
  935. &ThreadId); // lpThreadId
  936. if (LPCThreadHandle == NULL)
  937. {
  938. error = GetLastError();
  939. ELF_LOG1(ERROR,
  940. "MainLPCThread: CreateThread failed %d\n",
  941. error);
  942. return FALSE;
  943. }
  944. return TRUE;
  945. }