Class: Rex::Post::Meterpreter::Extensions::Stdapi::Sys::EventLog

Inherits:
Object
  • Object
show all
Defined in:
lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb

Overview

This class provides access to the Windows event log on the remote machine.

Class Attribute Summary collapse

Instance Attribute Summary collapse

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(hand) ⇒ EventLog

Initializes an instance of the eventlog manipulator.



60
61
62
63
64
 
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 60

def initialize(hand)
  self.client = self.class.client
  self.handle = hand
  ObjectSpace.define_finalizer( self, self.class.finalize(self.client, self.handle) )
end

Class Attribute Details

.clientObject

Returns the value of attribute client.



26
27
28
 
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 26

def client
  @client
end

Instance Attribute Details

#clientObject

:nodoc:



53
54
55
 
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 53

def client
  @client
end

#handleObject

Event Log Instance Stuffs!



52
53
54
 
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 52

def handle
  @handle
end

Class Method Details

.close(client, handle) ⇒ Object

Close the event log



179
180
181
182
183
184
 
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 179

def self.close(client, handle)
  request = Packet.create_request('stdapi_sys_eventlog_close')
  request.add_tlv(TLV_TYPE_EVENT_HANDLE, handle);
  response = client.send_request(request, nil)
  return nil
end

.finalize(client, handle) ⇒ Object 



66
67
68
 
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 66

def self.finalize(client,handle)
  proc { self.close(client,handle) }
end

.open(name) ⇒ Object

Opens the supplied event log.

– NOTE: should support UNCServerName sometime ++



36
37
38
39
40
41
42
43
44
 
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 36

def EventLog.open(name)
  request = Packet.create_request('stdapi_sys_eventlog_open')

  request.add_tlv(TLV_TYPE_EVENT_SOURCENAME, name);

  response = client.send_request(request)

  return self.new(response.get_tlv_value(TLV_TYPE_EVENT_HANDLE))
end

Instance Method Details

#_read(flags, offset = 0) ⇒ Object

the low level read function (takes flags, not hash, etc).



86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
 
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 86

def _read(flags, offset = 0)
  request = Packet.create_request('stdapi_sys_eventlog_read')

  request.add_tlv(TLV_TYPE_EVENT_HANDLE, self.handle)
  request.add_tlv(TLV_TYPE_EVENT_READFLAGS, flags)
  request.add_tlv(TLV_TYPE_EVENT_RECORDOFFSET, offset)

  response = client.send_request(request)

  EventLogSubsystem::EventRecord.new(
    response.get_tlv_value(TLV_TYPE_EVENT_RECORDNUMBER),
    response.get_tlv_value(TLV_TYPE_EVENT_TIMEGENERATED),
    response.get_tlv_value(TLV_TYPE_EVENT_TIMEWRITTEN),
    response.get_tlv_value(TLV_TYPE_EVENT_ID),
    response.get_tlv_value(TLV_TYPE_EVENT_TYPE),
    response.get_tlv_value(TLV_TYPE_EVENT_CATEGORY),
    response.get_tlv_values(TLV_TYPE_EVENT_STRING),
    response.get_tlv_value(TLV_TYPE_EVENT_DATA)
  )
end

#clearObject

Clear the specified event log (and return nil).

– I should eventually support BackupFile ++



167
168
169
170
171
172
173
174
 
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 167

def clear
  request = Packet.create_request('stdapi_sys_eventlog_clear')

  request.add_tlv(TLV_TYPE_EVENT_HANDLE, self.handle);

  response = client.send_request(request)
  return self
end

#closeObject

Instance method



187
188
189
 
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 187

def close
  self.class.close(self.client, self.handle)
end

#each_backwardsObject

Iterator for read_backwards.



138
139
140
141
142
143
144
145
 
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 138

def each_backwards
  begin
    loop do
      yield(read_backwards)
    end
  rescue ::Exception
  end
end

#each_forwardsObject

Iterator for read_forwards.



118
119
120
121
122
123
124
125
 
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 118

def each_forwards
  begin
    loop do
      yield(read_forwards)
    end
  rescue ::Exception
  end
end

#lengthObject

Return the number of records in the event log.



73
74
75
76
77
78
79
80
81
 
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 73

def length
  request = Packet.create_request('stdapi_sys_eventlog_numrecords')

  request.add_tlv(TLV_TYPE_EVENT_HANDLE, self.handle);

  response = client.send_request(request)

  return response.get_tlv_value(TLV_TYPE_EVENT_NUMRECORDS)
end

#oldestObject

Return the record number of the oldest event (not necessarily 1).



150
151
152
153
154
155
156
157
158
 
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 150

def oldest
  request = Packet.create_request('stdapi_sys_eventlog_oldest')

  request.add_tlv(TLV_TYPE_EVENT_HANDLE, self.handle);

  response = client.send_request(request)

  return response.get_tlv_value(TLV_TYPE_EVENT_RECORDNUMBER)
end

#read_backwardsObject

Read the eventlog backwards, meaning from newest to oldest. Returns a EventRecord, and throws an exception after no more records.



131
132
133
 
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 131

def read_backwards
  _read(EVENTLOG_SEQUENTIAL_READ | EVENTLOG_BACKWARDS_READ)
end

#read_forwardsObject

Read the eventlog forwards, meaning from oldest to newest. Returns a EventRecord, and throws an exception after no more records.



111
112
113
 
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 111

def read_forwards
  _read(EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ)
end