mirror of https://github.com/tongzx/nt5src
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
497 lines
12 KiB
497 lines
12 KiB
//+-----------------------------------------------------------------------
|
|
//
|
|
// Microsoft Windows
|
|
//
|
|
// Copyright (c) Microsoft Corporation 2000
|
|
//
|
|
// File: W M I 2 E V T . C P P
|
|
//
|
|
// Contents: Functions to convert WMI event into eventlog event format
|
|
//
|
|
//
|
|
// History:
|
|
// 06-January-2000 kumarp created
|
|
//
|
|
//------------------------------------------------------------------------
|
|
|
|
/*
|
|
- how to find out the event name from hAuditEvent
|
|
|
|
-
|
|
*/
|
|
|
|
#include <nt.h>
|
|
#include <ntrtl.h>
|
|
#include <nturtl.h>
|
|
|
|
#include <windows.h>
|
|
//#include <winnt.h>
|
|
//#include <ntdef.h>
|
|
#include <stdio.h>
|
|
#include <msaudite.h>
|
|
#include <sddl.h>
|
|
|
|
#include "authzp.h"
|
|
#include "adtdef.h"
|
|
//#include "p2prov.h"
|
|
#include "ncevent.h"
|
|
#include "lsaptmp.h"
|
|
|
|
//
|
|
// Property conversion flags
|
|
//
|
|
const DWORD PCF_None = 0x00000000;
|
|
const DWORD PCF_Sid = 0x00000001;
|
|
const DWORD PCF_ = 0x00000000;
|
|
|
|
struct _LsapAdtEventProperty
|
|
{
|
|
PCWSTR szName;
|
|
CIMTYPE Type;
|
|
DWORD dwFlag;
|
|
};
|
|
typedef struct _LsapAdtEventProperty LsapAdtEventProperty;
|
|
|
|
|
|
struct _LsapAdtEventMapEntry
|
|
{
|
|
WORD wCategory;
|
|
DWORD dwEventId;
|
|
|
|
LsapAdtEventProperty* Properties;
|
|
};
|
|
typedef struct _LsapAdtEventMapEntry LsapAdtEventMapEntry;
|
|
|
|
LsapAdtEventProperty Properties_SE_AUDITID_AUTHZ[] =
|
|
{
|
|
{ L"ObjectServer", CIM_STRING, PCF_None },
|
|
{ L"ProcessId", CIM_UINT32, PCF_None },
|
|
{ L"OperationType", CIM_STRING, PCF_None },
|
|
{ L"Objecttype", CIM_STRING, PCF_None },
|
|
{ L"ObjectName", CIM_STRING, PCF_None },
|
|
{ L"HandleId", CIM_UINT64, PCF_None },
|
|
{ L"OperationId", CIM_UINT64, PCF_None },
|
|
|
|
{ L"PrimaryUserSid", CIM_UINT8 | CIM_FLAG_ARRAY, PCF_Sid },
|
|
// { L"PrimaryUserName", CIM_STRING, PCF_None },
|
|
// { L"PrimaryDomain", CIM_STRING, PCF_None },
|
|
// { L"PrimaryLogonId", CIM_UINT64, PCF_None },
|
|
|
|
{ L"ClientUserSid", CIM_UINT8 | CIM_FLAG_ARRAY, PCF_Sid },
|
|
// { L"ClientUserName", CIM_STRING, PCF_None },
|
|
// { L"ClientDomain", CIM_STRING, PCF_None },
|
|
// { L"ClientLogonId", CIM_UINT64, PCF_None },
|
|
|
|
{ L"AccessMask", CIM_UINT32, PCF_None },
|
|
{ L"AdditionalInfo", CIM_STRING, PCF_None },
|
|
|
|
{ NULL, CIM_ILLEGAL, PCF_None },
|
|
};
|
|
|
|
|
|
LsapAdtEventMapEntry LsapAdtEvents[] =
|
|
{
|
|
{
|
|
SE_CATEGID_OBJECT_ACCESS,
|
|
SE_AUDITID_OPEN_HANDLE, //kk SE_AUDITID_AUTHZ,
|
|
Properties_SE_AUDITID_AUTHZ
|
|
}
|
|
};
|
|
const USHORT c_cEventMapEntries = sizeof(LsapAdtEvents) / sizeof(LsapAdtEventMapEntry);
|
|
|
|
const USHORT SE_AUDITID_FIRST = 0x200;
|
|
const USHORT SE_AUDITID_LAST = 0x2ff;
|
|
const USHORT SE_NUM_AUDITID = SE_AUDITID_LAST - SE_AUDITID_FIRST + 1;
|
|
|
|
USHORT g_EventMapRedir[SE_NUM_AUDITID];
|
|
|
|
VOID
|
|
LsapAdtInitEventMapRedir( )
|
|
{
|
|
DWORD dwEventId;
|
|
|
|
for (USHORT i=0; i < SE_NUM_AUDITID; i++)
|
|
{
|
|
dwEventId = SE_AUDITID_FIRST + i;
|
|
g_EventMapRedir[i] = c_cEventMapEntries;
|
|
|
|
for (USHORT j=0; j < c_cEventMapEntries; j++)
|
|
{
|
|
if ( LsapAdtEvents[j].dwEventId == dwEventId )
|
|
{
|
|
g_EventMapRedir[i] = j;
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
NTSTATUS
|
|
LsapAdtInitEventMap( )
|
|
{
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
|
|
LsapAdtInitEventMapRedir();
|
|
|
|
return Status;
|
|
}
|
|
|
|
NTSTATUS
|
|
LsapAdtGetEventMapEntry(
|
|
IN DWORD dwEventId,
|
|
OUT LsapAdtEventMapEntry** pEventMapEntry
|
|
)
|
|
{
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
USHORT usIndex;
|
|
|
|
usIndex = g_EventMapRedir[dwEventId - SE_AUDITID_FIRST];
|
|
ASSERT(usIndex <= c_cEventMapEntries);
|
|
|
|
if ( usIndex < c_cEventMapEntries )
|
|
{
|
|
*pEventMapEntry = &LsapAdtEvents[usIndex];
|
|
}
|
|
else
|
|
{
|
|
*pEventMapEntry = NULL;
|
|
Status = STATUS_NOT_FOUND;
|
|
}
|
|
|
|
return Status;
|
|
}
|
|
|
|
NTSTATUS
|
|
LsapAdtGetEventProperty(
|
|
IN HANDLE hEvent,
|
|
IN PCWSTR szPropertyName,
|
|
IN CIMTYPE PropertyType,
|
|
IN LPVOID pData,
|
|
IN DWORD dwBufferSize,
|
|
IN DWORD *pdwBytesRead
|
|
)
|
|
{
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
DWORD dwIndex;
|
|
DWORD dwError = NO_ERROR;
|
|
|
|
// if (!WmiAddEventProp( hEvent, szPropertyName, PropertyType, &dwIndex ))
|
|
if (!WmiAddObjectProp( hEvent, szPropertyName, PropertyType, &dwIndex ))
|
|
{
|
|
goto WinErrorCleanup;
|
|
}
|
|
|
|
//if (!WmiGetEventProp( hEvent, dwIndex,
|
|
if (!WmiGetObjectProp( hEvent, dwIndex,
|
|
pData, dwBufferSize, pdwBytesRead ))
|
|
{
|
|
goto WinErrorCleanup;
|
|
}
|
|
|
|
Cleanup:
|
|
return Status;
|
|
|
|
WinErrorCleanup:
|
|
dwError = GetLastError();
|
|
//kkStatus = mapit();
|
|
goto Cleanup;
|
|
}
|
|
|
|
|
|
NTSTATUS
|
|
LsapAdtConvertPropertyToString(
|
|
IN LsapAdtEventProperty* pEventProperty,
|
|
IN PVOID pValue,
|
|
IN DWORD dwSize,
|
|
OUT PWSTR szStrValue,
|
|
IN OUT DWORD *pdwRequiredSize
|
|
)
|
|
{
|
|
//
|
|
// perf: use better string allocation scheme
|
|
//
|
|
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
DWORD dwError = NO_ERROR;
|
|
CIMTYPE PropertyType;
|
|
BOOL fIsArrary=FALSE;
|
|
DWORD dwRequiredSize = 0xffffffff;
|
|
USHORT usUnitSize = 0xffff;
|
|
DWORD dwPropertyFlag;
|
|
|
|
PropertyType = pEventProperty->Type;
|
|
fIsArrary = FLAG_ON( PropertyType, CIM_FLAG_ARRAY );
|
|
PropertyType &= ~CIM_FLAG_ARRAY;
|
|
dwPropertyFlag = pEventProperty->dwFlag;
|
|
|
|
if ( FLAG_ON( dwPropertyFlag, PCF_Sid ))
|
|
{
|
|
dwRequiredSize = 256;
|
|
}
|
|
else
|
|
{
|
|
switch (PropertyType)
|
|
{
|
|
default:
|
|
ASSERT(FALSE);
|
|
break;
|
|
|
|
case CIM_SINT8:
|
|
case CIM_UINT8:
|
|
dwRequiredSize = 4;
|
|
usUnitSize = 1;
|
|
if ( fIsArrary )
|
|
{
|
|
ASSERT(NYI);
|
|
}
|
|
break;
|
|
|
|
case CIM_SINT16:
|
|
case CIM_UINT16:
|
|
dwRequiredSize = 8;
|
|
usUnitSize = 2;
|
|
if ( fIsArrary )
|
|
{
|
|
ASSERT(NYI);
|
|
}
|
|
break;
|
|
|
|
case CIM_SINT32:
|
|
case CIM_UINT32:
|
|
dwRequiredSize = 12;
|
|
usUnitSize = 4;
|
|
if ( fIsArrary )
|
|
{
|
|
ASSERT(NYI);
|
|
}
|
|
break;
|
|
|
|
case CIM_SINT64:
|
|
case CIM_UINT64:
|
|
dwRequiredSize = 24;
|
|
usUnitSize = 8;
|
|
if ( fIsArrary )
|
|
{
|
|
ASSERT(NYI);
|
|
}
|
|
break;
|
|
|
|
case CIM_STRING:
|
|
dwRequiredSize = (dwSize / sizeof(WCHAR)) + 1;
|
|
usUnitSize = 1;
|
|
if ( fIsArrary )
|
|
{
|
|
ASSERT(NYI);
|
|
}
|
|
break;
|
|
|
|
case CIM_BOOLEAN:
|
|
case CIM_REAL32:
|
|
case CIM_REAL64:
|
|
case CIM_DATETIME:
|
|
case CIM_REFERENCE:
|
|
case CIM_CHAR16:
|
|
case CIM_OBJECT:
|
|
ASSERT(NYI);
|
|
break;
|
|
}
|
|
}
|
|
|
|
ASSERT(dwRequiredSize < 0xffffffff);
|
|
|
|
if (*pdwRequiredSize < dwRequiredSize)
|
|
{
|
|
Status = STATUS_BUFFER_OVERFLOW;
|
|
*pdwRequiredSize = dwRequiredSize;
|
|
goto Cleanup;
|
|
}
|
|
|
|
dwRequiredSize = *pdwRequiredSize;
|
|
|
|
if ( FLAG_ON( dwPropertyFlag, PCF_Sid ))
|
|
{
|
|
Status = LsapRtlConvertSidToString( (PSID) pValue, szStrValue,
|
|
&dwRequiredSize );
|
|
|
|
if ( !NT_SUCCESS( Status ))
|
|
{
|
|
goto WinErrorCleanup;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
switch (PropertyType)
|
|
{
|
|
default:
|
|
ASSERT(FALSE);
|
|
break;
|
|
|
|
case CIM_SINT8:
|
|
wsprintf( szStrValue, L"%d", (INT) *((CHAR *) pValue));
|
|
break;
|
|
|
|
case CIM_UINT8:
|
|
wsprintf( szStrValue, L"%d", (UINT) *((UCHAR *) pValue));
|
|
break;
|
|
|
|
case CIM_SINT16:
|
|
wsprintf( szStrValue, L"%d", (INT) *((SHORT *) pValue));
|
|
break;
|
|
|
|
case CIM_UINT16:
|
|
wsprintf( szStrValue, L"%d", (UINT) *((USHORT *) pValue));
|
|
break;
|
|
|
|
case CIM_SINT32:
|
|
wsprintf( szStrValue, L"%d", *((INT *) pValue));
|
|
break;
|
|
|
|
case CIM_UINT32:
|
|
wsprintf( szStrValue, L"%d", *((UINT *) pValue));
|
|
break;
|
|
|
|
case CIM_SINT64:
|
|
wsprintf( szStrValue, L"%I64d", (INT64) *((UCHAR *) pValue));
|
|
break;
|
|
|
|
case CIM_UINT64:
|
|
wsprintf( szStrValue, L"%I64d", (UINT64) *((UCHAR *) pValue));
|
|
break;
|
|
|
|
case CIM_STRING:
|
|
dwRequiredSize = (dwSize / sizeof(WCHAR)) + 1;
|
|
usUnitSize = 1;
|
|
if ( fIsArrary )
|
|
{
|
|
ASSERT(NYI);
|
|
}
|
|
break;
|
|
|
|
case CIM_BOOLEAN:
|
|
case CIM_REAL32:
|
|
case CIM_REAL64:
|
|
case CIM_DATETIME:
|
|
case CIM_REFERENCE:
|
|
case CIM_CHAR16:
|
|
case CIM_OBJECT:
|
|
ASSERT(NYI);
|
|
break;
|
|
}
|
|
}
|
|
|
|
|
|
|
|
Cleanup:
|
|
|
|
return Status;
|
|
|
|
WinErrorCleanup:
|
|
dwError = GetLastError();
|
|
//kk Status = mapit();
|
|
goto Cleanup;
|
|
}
|
|
|
|
#define MAX_NUM_EVENTLOG_STRINGS 32
|
|
#define MAX_PROPERTY_SIZE 512
|
|
|
|
NTSTATUS
|
|
LsapAdtConvertAndReportEvent(
|
|
IN HANDLE hAuditEvent,
|
|
IN HANDLE hEventLog
|
|
)
|
|
{
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
DWORD dwError = NO_ERROR;
|
|
WORD wEventType = 0;
|
|
WORD wCategory = 0;
|
|
DWORD dwEventId = 0;
|
|
PSID pUserSid = NULL;
|
|
WORD wNumStrings = 0;
|
|
DWORD dwDataSize = 0;
|
|
PWSTR pStrings[MAX_NUM_EVENTLOG_STRINGS] = { 0 };
|
|
PVOID pRawData = NULL;
|
|
DWORD dwEventIdIndex = 0;
|
|
DWORD dwNumBytesRead;
|
|
DWORD dwPropertyIndex = 0;
|
|
PCWSTR szPropertyName;
|
|
CIMTYPE PropertyType;
|
|
BYTE PropertyVal[MAX_PROPERTY_SIZE];
|
|
WORD wStringIndex=0;
|
|
DWORD dwRequiredSize;
|
|
|
|
LsapAdtEventMapEntry* pEventMapEntry = NULL;
|
|
LsapAdtEventProperty* pEventProperty = NULL;
|
|
|
|
Status = LsapAdtGetEventProperty( hAuditEvent, L"AuditId", CIM_UINT32,
|
|
&dwEventId, sizeof(dwEventId),
|
|
&dwNumBytesRead );
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
Status = LsapAdtGetEventMapEntry( dwEventId, &pEventMapEntry );
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
ASSERT( pEventMapEntry->dwEventId == dwEventId );
|
|
|
|
pEventProperty = pEventMapEntry->Properties;
|
|
|
|
while ( ( szPropertyName = pEventProperty->szName ) != NULL )
|
|
{
|
|
PropertyType = pEventProperty->Type;
|
|
|
|
Status = LsapAdtGetEventProperty( hAuditEvent,
|
|
szPropertyName,
|
|
PropertyType,
|
|
PropertyVal, MAX_PROPERTY_SIZE,
|
|
&dwNumBytesRead );
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
// kk alloc strings, init dwRequiredSize
|
|
Status = LsapAdtConvertPropertyToString( pEventProperty,
|
|
PropertyVal,
|
|
dwNumBytesRead,
|
|
pStrings[wNumStrings],
|
|
&dwRequiredSize );
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
pEventProperty++;
|
|
wNumStrings++;
|
|
}
|
|
|
|
|
|
dwError = ReportEvent( hEventLog, wEventType, wCategory, dwEventId,
|
|
pUserSid, wNumStrings, dwDataSize,
|
|
(PCWSTR*) pStrings, pRawData );
|
|
|
|
if (!dwError)
|
|
{
|
|
goto WinErrorCleanup;
|
|
}
|
|
|
|
|
|
Cleanup:
|
|
|
|
return Status;
|
|
|
|
WinErrorCleanup:
|
|
dwError = GetLastError();
|
|
//kkStatus = mapit();
|
|
goto Cleanup;
|
|
}
|
|
|
|
|