関数 | |
BOOL | prs_ev_open_unknown0 (const char *desc, prs_struct *ps, int depth, EVENTLOG_OPEN_UNKNOWN0 *u) |
BOOL | eventlog_io_q_open_eventlog (const char *desc, EVENTLOG_Q_OPEN_EVENTLOG *q_u, prs_struct *ps, int depth) |
BOOL | eventlog_io_r_open_eventlog (const char *desc, EVENTLOG_R_OPEN_EVENTLOG *r_u, prs_struct *ps, int depth) |
BOOL | eventlog_io_q_get_num_records (const char *desc, EVENTLOG_Q_GET_NUM_RECORDS *q_u, prs_struct *ps, int depth) |
BOOL | eventlog_io_r_get_num_records (const char *desc, EVENTLOG_R_GET_NUM_RECORDS *r_u, prs_struct *ps, int depth) |
BOOL | eventlog_io_q_get_oldest_entry (const char *desc, EVENTLOG_Q_GET_OLDEST_ENTRY *q_u, prs_struct *ps, int depth) |
BOOL | eventlog_io_r_get_oldest_entry (const char *desc, EVENTLOG_R_GET_OLDEST_ENTRY *r_u, prs_struct *ps, int depth) |
BOOL | eventlog_io_q_close_eventlog (const char *desc, EVENTLOG_Q_CLOSE_EVENTLOG *q_u, prs_struct *ps, int depth) |
BOOL | eventlog_io_r_close_eventlog (const char *desc, EVENTLOG_R_CLOSE_EVENTLOG *r_u, prs_struct *ps, int depth) |
BOOL | eventlog_io_q_read_eventlog (const char *desc, EVENTLOG_Q_READ_EVENTLOG *q_u, prs_struct *ps, int depth) |
BOOL | eventlog_io_r_read_eventlog (const char *desc, EVENTLOG_Q_READ_EVENTLOG *q_u, EVENTLOG_R_READ_EVENTLOG *r_u, prs_struct *ps, int depth) |
Structure of response seems to be: DWORD num_bytes_in_resp -- MUST be the same as q_u->max_read_size for i=0. | |
BOOL | eventlog_io_q_clear_eventlog (const char *desc, EVENTLOG_Q_CLEAR_EVENTLOG *q_u, prs_struct *ps, int depth) |
The windows client seems to be doing something funny with the file name A call like ClearEventLog(handle, "backup_file") on the client side will result in the backup file name looking like this on the server side: \??${CWD of client} If an absolute path gets specified, such as ClearEventLog(handle, "C:\\temp\\backup_file") then it is still mangled by the client into this: \?? : when it is on the wire. | |
BOOL | eventlog_io_r_clear_eventlog (const char *desc, EVENTLOG_R_CLEAR_EVENTLOG *r_u, prs_struct *ps, int depth) |
BOOL prs_ev_open_unknown0 | ( | const char * | desc, | |
prs_struct * | ps, | |||
int | depth, | |||
EVENTLOG_OPEN_UNKNOWN0 * | u | |||
) |
parse_eventlog.c の 29 行で定義されています。
参照先 EVENTLOG_OPEN_UNKNOWN0::unknown1・EVENTLOG_OPEN_UNKNOWN0::unknown2.
参照元 eventlog_io_q_open_eventlog().
00030 { 00031 if ( !u ) 00032 return False; 00033 00034 if ( !prs_uint16("", ps, depth, &u->unknown1) ) 00035 return False; 00036 if ( !prs_uint16("", ps, depth, &u->unknown2) ) 00037 return False; 00038 00039 return True; 00040 }
BOOL eventlog_io_q_open_eventlog | ( | const char * | desc, | |
EVENTLOG_Q_OPEN_EVENTLOG * | q_u, | |||
prs_struct * | ps, | |||
int | depth | |||
) |
parse_eventlog.c の 45 行で定義されています。
参照先 EVENTLOG_Q_OPEN_EVENTLOG::logname・prs_debug()・prs_ev_open_unknown0()・prs_unistr4()・EVENTLOG_Q_OPEN_EVENTLOG::servername・EVENTLOG_Q_OPEN_EVENTLOG::unknown0・EVENTLOG_Q_OPEN_EVENTLOG::unknown1・EVENTLOG_Q_OPEN_EVENTLOG::unknown2.
参照元 api_eventlog_open_eventlog().
00047 { 00048 if(q_u == NULL) 00049 return False; 00050 00051 prs_debug(ps, depth, desc, "eventlog_io_q_open_eventlog"); 00052 depth++; 00053 00054 if(!prs_align(ps)) 00055 return False; 00056 00057 if ( !prs_pointer("", ps, depth, (void*)&q_u->unknown0, sizeof(EVENTLOG_OPEN_UNKNOWN0), (PRS_POINTER_CAST)prs_ev_open_unknown0)) 00058 return False; 00059 00060 if ( !prs_unistr4("logname", ps, depth, &q_u->logname) ) 00061 return False; 00062 if ( !prs_align(ps) ) 00063 return False; 00064 00065 if ( !prs_unistr4("servername", ps, depth, &q_u->servername) ) 00066 return False; 00067 if ( !prs_align(ps) ) 00068 return False; 00069 00070 if ( !prs_uint32("unknown1", ps, depth, &q_u->unknown1) ) 00071 return False; 00072 if ( !prs_uint32("unknown2", ps, depth, &q_u->unknown2) ) 00073 return False; 00074 00075 return True; 00076 }
BOOL eventlog_io_r_open_eventlog | ( | const char * | desc, | |
EVENTLOG_R_OPEN_EVENTLOG * | r_u, | |||
prs_struct * | ps, | |||
int | depth | |||
) |
parse_eventlog.c の 78 行で定義されています。
参照先 EVENTLOG_R_OPEN_EVENTLOG::handle・prs_debug()・smb_io_pol_hnd()・EVENTLOG_R_OPEN_EVENTLOG::status.
参照元 api_eventlog_open_eventlog().
00080 { 00081 if(r_u == NULL) 00082 return False; 00083 00084 prs_debug(ps, depth, desc, "eventlog_io_r_open_eventlog"); 00085 depth++; 00086 00087 if(!prs_align(ps)) 00088 return False; 00089 00090 if(!(smb_io_pol_hnd("log handle", &(r_u->handle), ps, depth))) 00091 return False; 00092 00093 if(!(prs_ntstatus("status code", ps, depth, &r_u->status))) 00094 return False; 00095 00096 return True; 00097 }
BOOL eventlog_io_q_get_num_records | ( | const char * | desc, | |
EVENTLOG_Q_GET_NUM_RECORDS * | q_u, | |||
prs_struct * | ps, | |||
int | depth | |||
) |
parse_eventlog.c の 99 行で定義されています。
参照先 EVENTLOG_Q_GET_NUM_RECORDS::handle・prs_debug()・smb_io_pol_hnd().
参照元 api_eventlog_get_num_records().
00101 { 00102 if(q_u == NULL) 00103 return False; 00104 00105 prs_debug(ps, depth, desc, "eventlog_io_q_get_num_records"); 00106 depth++; 00107 00108 if(!(prs_align(ps))) 00109 return False; 00110 00111 if(!(smb_io_pol_hnd("log handle", &(q_u->handle), ps, depth))) 00112 return False; 00113 00114 return True; 00115 }
BOOL eventlog_io_r_get_num_records | ( | const char * | desc, | |
EVENTLOG_R_GET_NUM_RECORDS * | r_u, | |||
prs_struct * | ps, | |||
int | depth | |||
) |
parse_eventlog.c の 117 行で定義されています。
参照先 EVENTLOG_R_GET_NUM_RECORDS::num_records・prs_debug()・EVENTLOG_R_GET_NUM_RECORDS::status.
参照元 api_eventlog_get_num_records().
00119 { 00120 if(r_u == NULL) 00121 return False; 00122 00123 prs_debug(ps, depth, desc, "eventlog_io_r_get_num_records"); 00124 depth++; 00125 00126 if(!(prs_align(ps))) 00127 return False; 00128 00129 if(!(prs_uint32("num records", ps, depth, &(r_u->num_records)))) 00130 return False; 00131 00132 if(!(prs_ntstatus("status code", ps, depth, &r_u->status))) 00133 return False; 00134 00135 return True; 00136 }
BOOL eventlog_io_q_get_oldest_entry | ( | const char * | desc, | |
EVENTLOG_Q_GET_OLDEST_ENTRY * | q_u, | |||
prs_struct * | ps, | |||
int | depth | |||
) |
parse_eventlog.c の 138 行で定義されています。
参照先 EVENTLOG_Q_GET_OLDEST_ENTRY::handle・prs_debug()・smb_io_pol_hnd().
参照元 api_eventlog_get_oldest_entry().
00140 { 00141 if(q_u == NULL) 00142 return False; 00143 00144 prs_debug(ps, depth, desc, "eventlog_io_q_get_oldest_entry"); 00145 depth++; 00146 00147 if(!(prs_align(ps))) 00148 return False; 00149 00150 if(!(smb_io_pol_hnd("log handle", &(q_u->handle), ps, depth))) 00151 return False; 00152 00153 return True; 00154 }
BOOL eventlog_io_r_get_oldest_entry | ( | const char * | desc, | |
EVENTLOG_R_GET_OLDEST_ENTRY * | r_u, | |||
prs_struct * | ps, | |||
int | depth | |||
) |
parse_eventlog.c の 156 行で定義されています。
参照先 EVENTLOG_R_GET_OLDEST_ENTRY::oldest_entry・prs_debug()・EVENTLOG_R_GET_OLDEST_ENTRY::status.
参照元 api_eventlog_get_oldest_entry().
00158 { 00159 if(r_u == NULL) 00160 return False; 00161 00162 prs_debug(ps, depth, desc, "eventlog_io_r_get_oldest_entry"); 00163 depth++; 00164 00165 if(!(prs_align(ps))) 00166 return False; 00167 00168 if(!(prs_uint32("oldest entry", ps, depth, &(r_u->oldest_entry)))) 00169 return False; 00170 00171 if(!(prs_ntstatus("status code", ps, depth, &r_u->status))) 00172 return False; 00173 00174 return True; 00175 }
BOOL eventlog_io_q_close_eventlog | ( | const char * | desc, | |
EVENTLOG_Q_CLOSE_EVENTLOG * | q_u, | |||
prs_struct * | ps, | |||
int | depth | |||
) |
parse_eventlog.c の 177 行で定義されています。
参照先 EVENTLOG_Q_CLOSE_EVENTLOG::handle・prs_debug()・smb_io_pol_hnd().
参照元 api_eventlog_close_eventlog().
00179 { 00180 if(q_u == NULL) 00181 return False; 00182 00183 prs_debug(ps, depth, desc, "eventlog_io_q_close_eventlog"); 00184 depth++; 00185 00186 if(!(prs_align(ps))) 00187 return False; 00188 00189 if(!(smb_io_pol_hnd("log handle", &(q_u->handle), ps, depth))) 00190 return False; 00191 00192 return True; 00193 }
BOOL eventlog_io_r_close_eventlog | ( | const char * | desc, | |
EVENTLOG_R_CLOSE_EVENTLOG * | r_u, | |||
prs_struct * | ps, | |||
int | depth | |||
) |
parse_eventlog.c の 195 行で定義されています。
参照先 EVENTLOG_R_CLOSE_EVENTLOG::handle・prs_debug()・smb_io_pol_hnd()・EVENTLOG_R_CLOSE_EVENTLOG::status.
参照元 api_eventlog_close_eventlog().
00197 { 00198 if(r_u == NULL) 00199 return False; 00200 00201 prs_debug(ps, depth, desc, "eventlog_io_r_close_eventlog"); 00202 depth++; 00203 00204 if(!(prs_align(ps))) 00205 return False; 00206 00207 if(!(smb_io_pol_hnd("log handle", &(r_u->handle), ps, depth))) 00208 return False; 00209 00210 if(!(prs_ntstatus("status code", ps, depth, &r_u->status))) 00211 return False; 00212 00213 return True; 00214 }
BOOL eventlog_io_q_read_eventlog | ( | const char * | desc, | |
EVENTLOG_Q_READ_EVENTLOG * | q_u, | |||
prs_struct * | ps, | |||
int | depth | |||
) |
parse_eventlog.c の 216 行で定義されています。
参照先 EVENTLOG_Q_READ_EVENTLOG::flags・EVENTLOG_Q_READ_EVENTLOG::handle・EVENTLOG_Q_READ_EVENTLOG::max_read_size・EVENTLOG_Q_READ_EVENTLOG::offset・prs_debug()・smb_io_pol_hnd().
参照元 api_eventlog_read_eventlog().
00218 { 00219 if(q_u == NULL) 00220 return False; 00221 00222 prs_debug(ps, depth, desc, "eventlog_io_q_read_eventlog"); 00223 depth++; 00224 00225 if(!(prs_align(ps))) 00226 return False; 00227 00228 if(!(smb_io_pol_hnd("log handle", &(q_u->handle), ps, depth))) 00229 return False; 00230 00231 if(!(prs_uint32("read flags", ps, depth, &(q_u->flags)))) 00232 return False; 00233 00234 if(!(prs_uint32("read offset", ps, depth, &(q_u->offset)))) 00235 return False; 00236 00237 if(!(prs_uint32("read buf size", ps, depth, &(q_u->max_read_size)))) 00238 return False; 00239 00240 return True; 00241 }
BOOL eventlog_io_r_read_eventlog | ( | const char * | desc, | |
EVENTLOG_Q_READ_EVENTLOG * | q_u, | |||
EVENTLOG_R_READ_EVENTLOG * | r_u, | |||
prs_struct * | ps, | |||
int | depth | |||
) |
Structure of response seems to be: DWORD num_bytes_in_resp -- MUST be the same as q_u->max_read_size for i=0.
.n EVENTLOGRECORD record DWORD sent_size -- sum of EVENTLOGRECORD lengths if records returned, 0 otherwise DWORD real_size -- 0 if records returned, otherwise length of next record to be returned WERROR status
parse_eventlog.c の 249 行で定義されています。
参照先 EVENTLOG_R_READ_EVENTLOG::bytes_in_next_record・Eventlog_record::closing_record_number・eventlog_entry::data・Eventlog_record::data_length・Eventlog_record::data_offset・EVENTLOG_R_READ_EVENTLOG::end_of_entries_padding・EVENTLOG_R_READ_EVENTLOG::entry・Eventlog_record::event_category・Eventlog_record::event_id・Eventlog_record::event_type・Eventlog_record::length・EVENTLOG_Q_READ_EVENTLOG::max_read_size・eventlog_entry::next・EVENTLOG_R_READ_EVENTLOG::num_bytes_in_resp・EVENTLOG_R_READ_EVENTLOG::num_records・Eventlog_record::num_strings・prs_debug()・EVENTLOG_R_READ_EVENTLOG::real_size・eventlog_entry::record・Eventlog_record::record_number・Eventlog_record::reserved1・Eventlog_record::reserved2・EVENTLOG_R_READ_EVENTLOG::sent_size・EVENTLOG_R_READ_EVENTLOG::status・Eventlog_record::string_offset・Eventlog_record::time_generated・Eventlog_record::time_written・Eventlog_record::user_sid_length・Eventlog_record::user_sid_offset.
参照元 api_eventlog_read_eventlog().
00254 { 00255 Eventlog_entry *entry; 00256 uint32 record_written = 0; 00257 uint32 record_total = 0; 00258 00259 if(r_u == NULL) 00260 return False; 00261 00262 prs_debug(ps, depth, desc, "eventlog_io_r_read_eventlog"); 00263 depth++; 00264 00265 /* First, see if we've read more logs than we can output */ 00266 00267 if(r_u->num_bytes_in_resp > q_u->max_read_size) { 00268 entry = r_u->entry; 00269 00270 /* remove the size of the last entry from the list */ 00271 00272 while(entry->next != NULL) 00273 entry = entry->next; 00274 00275 r_u->num_bytes_in_resp -= entry->record.length; 00276 00277 /* do not output the last log entry */ 00278 00279 r_u->num_records--; 00280 } 00281 00282 entry = r_u->entry; 00283 record_total = r_u->num_records; 00284 00285 if(r_u->num_bytes_in_resp != 0) 00286 r_u->sent_size = r_u->num_bytes_in_resp; 00287 else 00288 r_u->real_size = r_u->bytes_in_next_record; 00289 00290 if(!(prs_align(ps))) 00291 return False; 00292 if(!(prs_uint32("bytes in resp", ps, depth, &(q_u->max_read_size)))) 00293 return False; 00294 00295 while(entry != NULL && record_written < record_total) 00296 { 00297 DEBUG(11, ("eventlog_io_r_read_eventlog: writing record [%d] out of [%d].\n", record_written, record_total)); 00298 00299 /* Encode the actual eventlog record record */ 00300 00301 if(!(prs_uint32("length", ps, depth, &(entry->record.length)))) 00302 return False; 00303 if(!(prs_uint32("reserved", ps, depth, &(entry->record.reserved1)))) 00304 return False; 00305 if(!(prs_uint32("record number", ps, depth, &(entry->record.record_number)))) 00306 return False; 00307 if(!(prs_uint32("time generated", ps, depth, &(entry->record.time_generated)))) 00308 return False; 00309 if(!(prs_uint32("time written", ps, depth, &(entry->record.time_written)))) 00310 return False; 00311 if(!(prs_uint32("event id", ps, depth, &(entry->record.event_id)))) 00312 return False; 00313 if(!(prs_uint16("event type", ps, depth, &(entry->record.event_type)))) 00314 return False; 00315 if(!(prs_uint16("num strings", ps, depth, &(entry->record.num_strings)))) 00316 return False; 00317 if(!(prs_uint16("event category", ps, depth, &(entry->record.event_category)))) 00318 return False; 00319 if(!(prs_uint16("reserved2", ps, depth, &(entry->record.reserved2)))) 00320 return False; 00321 if(!(prs_uint32("closing record", ps, depth, &(entry->record.closing_record_number)))) 00322 return False; 00323 if(!(prs_uint32("string offset", ps, depth, &(entry->record.string_offset)))) 00324 return False; 00325 if(!(prs_uint32("user sid length", ps, depth, &(entry->record.user_sid_length)))) 00326 return False; 00327 if(!(prs_uint32("user sid offset", ps, depth, &(entry->record.user_sid_offset)))) 00328 return False; 00329 if(!(prs_uint32("data length", ps, depth, &(entry->record.data_length)))) 00330 return False; 00331 if(!(prs_uint32("data offset", ps, depth, &(entry->record.data_offset)))) 00332 return False; 00333 if(!(prs_align(ps))) 00334 return False; 00335 00336 /* Now encoding data */ 00337 00338 if(!(prs_uint8s(False, "buffer", ps, depth, entry->data, 00339 entry->record.length - sizeof(Eventlog_record) - sizeof(entry->record.length)))) 00340 { 00341 return False; 00342 } 00343 00344 if(!(prs_align(ps))) 00345 return False; 00346 if(!(prs_uint32("length 2", ps, depth, &(entry->record.length)))) 00347 return False; 00348 00349 entry = entry->next; 00350 record_written++; 00351 00352 } /* end of encoding EVENTLOGRECORD */ 00353 00354 /* Now pad with whitespace until the end of the response buffer */ 00355 00356 if (q_u->max_read_size - r_u->num_bytes_in_resp) { 00357 if (!r_u->end_of_entries_padding) { 00358 return False; 00359 } 00360 00361 if(!(prs_uint8s(False, "end of entries padding", ps, 00362 depth, r_u->end_of_entries_padding, 00363 (q_u->max_read_size - r_u->num_bytes_in_resp)))) { 00364 free(r_u->end_of_entries_padding); 00365 return False; 00366 } 00367 00368 free(r_u->end_of_entries_padding); 00369 } 00370 00371 /* We had better be DWORD aligned here */ 00372 00373 if(!(prs_uint32("sent size", ps, depth, &(r_u->sent_size)))) 00374 return False; 00375 if(!(prs_uint32("real size", ps, depth, &(r_u->real_size)))) 00376 return False; 00377 if(!(prs_ntstatus("status code", ps, depth, &r_u->status))) 00378 return False; 00379 00380 return True; 00381 }
BOOL eventlog_io_q_clear_eventlog | ( | const char * | desc, | |
EVENTLOG_Q_CLEAR_EVENTLOG * | q_u, | |||
prs_struct * | ps, | |||
int | depth | |||
) |
The windows client seems to be doing something funny with the file name A call like ClearEventLog(handle, "backup_file") on the client side will result in the backup file name looking like this on the server side: \??${CWD of client} If an absolute path gets specified, such as ClearEventLog(handle, "C:\\temp\\backup_file") then it is still mangled by the client into this: \??: when it is on the wire.
I'm not sure where the \?? is coming from, or why the ${CWD} of the client process would be added in given that the backup file gets written on the server side.
parse_eventlog.c の 397 行で定義されています。
参照先 EVENTLOG_Q_CLEAR_EVENTLOG::backupfile・EVENTLOG_Q_CLEAR_EVENTLOG::handle・prs_debug()・prs_unistr4()・smb_io_pol_hnd().
参照元 api_eventlog_clear_eventlog().
00399 { 00400 if(q_u == NULL) 00401 return False; 00402 00403 prs_debug(ps, depth, desc, "eventlog_io_q_clear_eventlog"); 00404 depth++; 00405 00406 if(!prs_align(ps)) 00407 return False; 00408 if(!(smb_io_pol_hnd("log handle", &(q_u->handle), ps, depth))) 00409 return False; 00410 00411 if ( !prs_unistr4("backupfile", ps, depth, &q_u->backupfile) ) 00412 return False; 00413 00414 return True; 00415 00416 }
BOOL eventlog_io_r_clear_eventlog | ( | const char * | desc, | |
EVENTLOG_R_CLEAR_EVENTLOG * | r_u, | |||
prs_struct * | ps, | |||
int | depth | |||
) |
parse_eventlog.c の 418 行で定義されています。
参照先 prs_debug()・EVENTLOG_R_CLEAR_EVENTLOG::status.
参照元 api_eventlog_clear_eventlog().
00420 { 00421 if(r_u == NULL) 00422 return False; 00423 00424 prs_debug(ps, depth, desc, "eventlog_io_r_clear_eventlog"); 00425 depth++; 00426 00427 if(!prs_align(ps)) 00428 return False; 00429 if(!(prs_ntstatus("status code", ps, depth, &r_u->status))) 00430 return False; 00431 00432 return True; 00433 }