Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

497 lines
12 KiB

  1. //+-----------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. //
  5. // Copyright (c) Microsoft Corporation 2000
  6. //
  7. // File: W M I 2 E V T . C P P
  8. //
  9. // Contents: Functions to convert WMI event into eventlog event format
  10. //
  11. //
  12. // History:
  13. // 06-January-2000 kumarp created
  14. //
  15. //------------------------------------------------------------------------
  16. /*
  17. - how to find out the event name from hAuditEvent
  18. -
  19. */
  20. #include <nt.h>
  21. #include <ntrtl.h>
  22. #include <nturtl.h>
  23. #include <windows.h>
  24. //#include <winnt.h>
  25. //#include <ntdef.h>
  26. #include <stdio.h>
  27. #include <msaudite.h>
  28. #include <sddl.h>
  29. #include "authzp.h"
  30. #include "adtdef.h"
  31. //#include "p2prov.h"
  32. #include "ncevent.h"
  33. #include "lsaptmp.h"
  34. //
  35. // Property conversion flags
  36. //
  37. const DWORD PCF_None = 0x00000000;
  38. const DWORD PCF_Sid = 0x00000001;
  39. const DWORD PCF_ = 0x00000000;
  40. struct _LsapAdtEventProperty
  41. {
  42. PCWSTR szName;
  43. CIMTYPE Type;
  44. DWORD dwFlag;
  45. };
  46. typedef struct _LsapAdtEventProperty LsapAdtEventProperty;
  47. struct _LsapAdtEventMapEntry
  48. {
  49. WORD wCategory;
  50. DWORD dwEventId;
  51. LsapAdtEventProperty* Properties;
  52. };
  53. typedef struct _LsapAdtEventMapEntry LsapAdtEventMapEntry;
  54. LsapAdtEventProperty Properties_SE_AUDITID_AUTHZ[] =
  55. {
  56. { L"ObjectServer", CIM_STRING, PCF_None },
  57. { L"ProcessId", CIM_UINT32, PCF_None },
  58. { L"OperationType", CIM_STRING, PCF_None },
  59. { L"Objecttype", CIM_STRING, PCF_None },
  60. { L"ObjectName", CIM_STRING, PCF_None },
  61. { L"HandleId", CIM_UINT64, PCF_None },
  62. { L"OperationId", CIM_UINT64, PCF_None },
  63. { L"PrimaryUserSid", CIM_UINT8 | CIM_FLAG_ARRAY, PCF_Sid },
  64. // { L"PrimaryUserName", CIM_STRING, PCF_None },
  65. // { L"PrimaryDomain", CIM_STRING, PCF_None },
  66. // { L"PrimaryLogonId", CIM_UINT64, PCF_None },
  67. { L"ClientUserSid", CIM_UINT8 | CIM_FLAG_ARRAY, PCF_Sid },
  68. // { L"ClientUserName", CIM_STRING, PCF_None },
  69. // { L"ClientDomain", CIM_STRING, PCF_None },
  70. // { L"ClientLogonId", CIM_UINT64, PCF_None },
  71. { L"AccessMask", CIM_UINT32, PCF_None },
  72. { L"AdditionalInfo", CIM_STRING, PCF_None },
  73. { NULL, CIM_ILLEGAL, PCF_None },
  74. };
  75. LsapAdtEventMapEntry LsapAdtEvents[] =
  76. {
  77. {
  78. SE_CATEGID_OBJECT_ACCESS,
  79. SE_AUDITID_OPEN_HANDLE, //kk SE_AUDITID_AUTHZ,
  80. Properties_SE_AUDITID_AUTHZ
  81. }
  82. };
  83. const USHORT c_cEventMapEntries = sizeof(LsapAdtEvents) / sizeof(LsapAdtEventMapEntry);
  84. const USHORT SE_AUDITID_FIRST = 0x200;
  85. const USHORT SE_AUDITID_LAST = 0x2ff;
  86. const USHORT SE_NUM_AUDITID = SE_AUDITID_LAST - SE_AUDITID_FIRST + 1;
  87. USHORT g_EventMapRedir[SE_NUM_AUDITID];
  88. VOID
  89. LsapAdtInitEventMapRedir( )
  90. {
  91. DWORD dwEventId;
  92. for (USHORT i=0; i < SE_NUM_AUDITID; i++)
  93. {
  94. dwEventId = SE_AUDITID_FIRST + i;
  95. g_EventMapRedir[i] = c_cEventMapEntries;
  96. for (USHORT j=0; j < c_cEventMapEntries; j++)
  97. {
  98. if ( LsapAdtEvents[j].dwEventId == dwEventId )
  99. {
  100. g_EventMapRedir[i] = j;
  101. break;
  102. }
  103. }
  104. }
  105. }
  106. NTSTATUS
  107. LsapAdtInitEventMap( )
  108. {
  109. NTSTATUS Status = STATUS_SUCCESS;
  110. LsapAdtInitEventMapRedir();
  111. return Status;
  112. }
  113. NTSTATUS
  114. LsapAdtGetEventMapEntry(
  115. IN DWORD dwEventId,
  116. OUT LsapAdtEventMapEntry** pEventMapEntry
  117. )
  118. {
  119. NTSTATUS Status = STATUS_SUCCESS;
  120. USHORT usIndex;
  121. usIndex = g_EventMapRedir[dwEventId - SE_AUDITID_FIRST];
  122. ASSERT(usIndex <= c_cEventMapEntries);
  123. if ( usIndex < c_cEventMapEntries )
  124. {
  125. *pEventMapEntry = &LsapAdtEvents[usIndex];
  126. }
  127. else
  128. {
  129. *pEventMapEntry = NULL;
  130. Status = STATUS_NOT_FOUND;
  131. }
  132. return Status;
  133. }
  134. NTSTATUS
  135. LsapAdtGetEventProperty(
  136. IN HANDLE hEvent,
  137. IN PCWSTR szPropertyName,
  138. IN CIMTYPE PropertyType,
  139. IN LPVOID pData,
  140. IN DWORD dwBufferSize,
  141. IN DWORD *pdwBytesRead
  142. )
  143. {
  144. NTSTATUS Status = STATUS_SUCCESS;
  145. DWORD dwIndex;
  146. DWORD dwError = NO_ERROR;
  147. // if (!WmiAddEventProp( hEvent, szPropertyName, PropertyType, &dwIndex ))
  148. if (!WmiAddObjectProp( hEvent, szPropertyName, PropertyType, &dwIndex ))
  149. {
  150. goto WinErrorCleanup;
  151. }
  152. //if (!WmiGetEventProp( hEvent, dwIndex,
  153. if (!WmiGetObjectProp( hEvent, dwIndex,
  154. pData, dwBufferSize, pdwBytesRead ))
  155. {
  156. goto WinErrorCleanup;
  157. }
  158. Cleanup:
  159. return Status;
  160. WinErrorCleanup:
  161. dwError = GetLastError();
  162. //kkStatus = mapit();
  163. goto Cleanup;
  164. }
  165. NTSTATUS
  166. LsapAdtConvertPropertyToString(
  167. IN LsapAdtEventProperty* pEventProperty,
  168. IN PVOID pValue,
  169. IN DWORD dwSize,
  170. OUT PWSTR szStrValue,
  171. IN OUT DWORD *pdwRequiredSize
  172. )
  173. {
  174. //
  175. // perf: use better string allocation scheme
  176. //
  177. NTSTATUS Status = STATUS_SUCCESS;
  178. DWORD dwError = NO_ERROR;
  179. CIMTYPE PropertyType;
  180. BOOL fIsArrary=FALSE;
  181. DWORD dwRequiredSize = 0xffffffff;
  182. USHORT usUnitSize = 0xffff;
  183. DWORD dwPropertyFlag;
  184. PropertyType = pEventProperty->Type;
  185. fIsArrary = FLAG_ON( PropertyType, CIM_FLAG_ARRAY );
  186. PropertyType &= ~CIM_FLAG_ARRAY;
  187. dwPropertyFlag = pEventProperty->dwFlag;
  188. if ( FLAG_ON( dwPropertyFlag, PCF_Sid ))
  189. {
  190. dwRequiredSize = 256;
  191. }
  192. else
  193. {
  194. switch (PropertyType)
  195. {
  196. default:
  197. ASSERT(FALSE);
  198. break;
  199. case CIM_SINT8:
  200. case CIM_UINT8:
  201. dwRequiredSize = 4;
  202. usUnitSize = 1;
  203. if ( fIsArrary )
  204. {
  205. ASSERT(NYI);
  206. }
  207. break;
  208. case CIM_SINT16:
  209. case CIM_UINT16:
  210. dwRequiredSize = 8;
  211. usUnitSize = 2;
  212. if ( fIsArrary )
  213. {
  214. ASSERT(NYI);
  215. }
  216. break;
  217. case CIM_SINT32:
  218. case CIM_UINT32:
  219. dwRequiredSize = 12;
  220. usUnitSize = 4;
  221. if ( fIsArrary )
  222. {
  223. ASSERT(NYI);
  224. }
  225. break;
  226. case CIM_SINT64:
  227. case CIM_UINT64:
  228. dwRequiredSize = 24;
  229. usUnitSize = 8;
  230. if ( fIsArrary )
  231. {
  232. ASSERT(NYI);
  233. }
  234. break;
  235. case CIM_STRING:
  236. dwRequiredSize = (dwSize / sizeof(WCHAR)) + 1;
  237. usUnitSize = 1;
  238. if ( fIsArrary )
  239. {
  240. ASSERT(NYI);
  241. }
  242. break;
  243. case CIM_BOOLEAN:
  244. case CIM_REAL32:
  245. case CIM_REAL64:
  246. case CIM_DATETIME:
  247. case CIM_REFERENCE:
  248. case CIM_CHAR16:
  249. case CIM_OBJECT:
  250. ASSERT(NYI);
  251. break;
  252. }
  253. }
  254. ASSERT(dwRequiredSize < 0xffffffff);
  255. if (*pdwRequiredSize < dwRequiredSize)
  256. {
  257. Status = STATUS_BUFFER_OVERFLOW;
  258. *pdwRequiredSize = dwRequiredSize;
  259. goto Cleanup;
  260. }
  261. dwRequiredSize = *pdwRequiredSize;
  262. if ( FLAG_ON( dwPropertyFlag, PCF_Sid ))
  263. {
  264. Status = LsapRtlConvertSidToString( (PSID) pValue, szStrValue,
  265. &dwRequiredSize );
  266. if ( !NT_SUCCESS( Status ))
  267. {
  268. goto WinErrorCleanup;
  269. }
  270. }
  271. else
  272. {
  273. switch (PropertyType)
  274. {
  275. default:
  276. ASSERT(FALSE);
  277. break;
  278. case CIM_SINT8:
  279. wsprintf( szStrValue, L"%d", (INT) *((CHAR *) pValue));
  280. break;
  281. case CIM_UINT8:
  282. wsprintf( szStrValue, L"%d", (UINT) *((UCHAR *) pValue));
  283. break;
  284. case CIM_SINT16:
  285. wsprintf( szStrValue, L"%d", (INT) *((SHORT *) pValue));
  286. break;
  287. case CIM_UINT16:
  288. wsprintf( szStrValue, L"%d", (UINT) *((USHORT *) pValue));
  289. break;
  290. case CIM_SINT32:
  291. wsprintf( szStrValue, L"%d", *((INT *) pValue));
  292. break;
  293. case CIM_UINT32:
  294. wsprintf( szStrValue, L"%d", *((UINT *) pValue));
  295. break;
  296. case CIM_SINT64:
  297. wsprintf( szStrValue, L"%I64d", (INT64) *((UCHAR *) pValue));
  298. break;
  299. case CIM_UINT64:
  300. wsprintf( szStrValue, L"%I64d", (UINT64) *((UCHAR *) pValue));
  301. break;
  302. case CIM_STRING:
  303. dwRequiredSize = (dwSize / sizeof(WCHAR)) + 1;
  304. usUnitSize = 1;
  305. if ( fIsArrary )
  306. {
  307. ASSERT(NYI);
  308. }
  309. break;
  310. case CIM_BOOLEAN:
  311. case CIM_REAL32:
  312. case CIM_REAL64:
  313. case CIM_DATETIME:
  314. case CIM_REFERENCE:
  315. case CIM_CHAR16:
  316. case CIM_OBJECT:
  317. ASSERT(NYI);
  318. break;
  319. }
  320. }
  321. Cleanup:
  322. return Status;
  323. WinErrorCleanup:
  324. dwError = GetLastError();
  325. //kk Status = mapit();
  326. goto Cleanup;
  327. }
  328. #define MAX_NUM_EVENTLOG_STRINGS 32
  329. #define MAX_PROPERTY_SIZE 512
  330. NTSTATUS
  331. LsapAdtConvertAndReportEvent(
  332. IN HANDLE hAuditEvent,
  333. IN HANDLE hEventLog
  334. )
  335. {
  336. NTSTATUS Status = STATUS_SUCCESS;
  337. DWORD dwError = NO_ERROR;
  338. WORD wEventType = 0;
  339. WORD wCategory = 0;
  340. DWORD dwEventId = 0;
  341. PSID pUserSid = NULL;
  342. WORD wNumStrings = 0;
  343. DWORD dwDataSize = 0;
  344. PWSTR pStrings[MAX_NUM_EVENTLOG_STRINGS] = { 0 };
  345. PVOID pRawData = NULL;
  346. DWORD dwEventIdIndex = 0;
  347. DWORD dwNumBytesRead;
  348. DWORD dwPropertyIndex = 0;
  349. PCWSTR szPropertyName;
  350. CIMTYPE PropertyType;
  351. BYTE PropertyVal[MAX_PROPERTY_SIZE];
  352. WORD wStringIndex=0;
  353. DWORD dwRequiredSize;
  354. LsapAdtEventMapEntry* pEventMapEntry = NULL;
  355. LsapAdtEventProperty* pEventProperty = NULL;
  356. Status = LsapAdtGetEventProperty( hAuditEvent, L"AuditId", CIM_UINT32,
  357. &dwEventId, sizeof(dwEventId),
  358. &dwNumBytesRead );
  359. if (!NT_SUCCESS(Status))
  360. {
  361. goto Cleanup;
  362. }
  363. Status = LsapAdtGetEventMapEntry( dwEventId, &pEventMapEntry );
  364. if (!NT_SUCCESS(Status))
  365. {
  366. goto Cleanup;
  367. }
  368. ASSERT( pEventMapEntry->dwEventId == dwEventId );
  369. pEventProperty = pEventMapEntry->Properties;
  370. while ( ( szPropertyName = pEventProperty->szName ) != NULL )
  371. {
  372. PropertyType = pEventProperty->Type;
  373. Status = LsapAdtGetEventProperty( hAuditEvent,
  374. szPropertyName,
  375. PropertyType,
  376. PropertyVal, MAX_PROPERTY_SIZE,
  377. &dwNumBytesRead );
  378. if (!NT_SUCCESS(Status))
  379. {
  380. goto Cleanup;
  381. }
  382. // kk alloc strings, init dwRequiredSize
  383. Status = LsapAdtConvertPropertyToString( pEventProperty,
  384. PropertyVal,
  385. dwNumBytesRead,
  386. pStrings[wNumStrings],
  387. &dwRequiredSize );
  388. if (!NT_SUCCESS(Status))
  389. {
  390. goto Cleanup;
  391. }
  392. pEventProperty++;
  393. wNumStrings++;
  394. }
  395. dwError = ReportEvent( hEventLog, wEventType, wCategory, dwEventId,
  396. pUserSid, wNumStrings, dwDataSize,
  397. (PCWSTR*) pStrings, pRawData );
  398. if (!dwError)
  399. {
  400. goto WinErrorCleanup;
  401. }
  402. Cleanup:
  403. return Status;
  404. WinErrorCleanup:
  405. dwError = GetLastError();
  406. //kkStatus = mapit();
  407. goto Cleanup;
  408. }