Module: Msf::Post::Windows::Eventlog

Includes:

Version

Defined in:

lib/msf/core/post/windows/eventlog.rb

Constant Summary

Constants included from Registry

Registry::HKEY_CLASSES_ROOT, Registry::HKEY_CURRENT_CONFIG, Registry::HKEY_CURRENT_USER, Registry::HKEY_DYN_DATA, Registry::HKEY_LOCAL_MACHINE, Registry::HKEY_PERFORMANCE_DATA, Registry::HKEY_USERS, Registry::REGISTRY_VIEW_32_BIT, Registry::REGISTRY_VIEW_64_BIT, Registry::REGISTRY_VIEW_NATIVE, Registry::REG_BIG_ENDIAN, Registry::REG_BINARY, Registry::REG_DWORD, Registry::REG_EXPAND_SZ, Registry::REG_LINK, Registry::REG_LITTLE_ENDIAN, Registry::REG_MULTI_SZ, Registry::REG_NONE, Registry::REG_QWORD, Registry::REG_SZ

Instance Method Summary

• #eventlog_clear(evt = '') ⇒ Object

  Clears a given eventlog or all eventlogs if none is given.

• #eventlog_list ⇒ Object

  Enumerate eventlogs.

• #initialize(info = {}) ⇒ Object

Methods included from Version

#get_version_info, #get_version_info_fallback_impl, #get_version_info_impl

Methods included from Registry

#meterpreter_registry_createkey, #meterpreter_registry_deletekey, #meterpreter_registry_deleteval, #meterpreter_registry_enumkeys, #meterpreter_registry_enumvals, #meterpreter_registry_getvaldata, #meterpreter_registry_getvalinfo, #meterpreter_registry_key_exist?, #meterpreter_registry_loadkey, #meterpreter_registry_perms, #meterpreter_registry_setvaldata, #meterpreter_registry_unloadkey, #normalize_key, #registry_createkey, #registry_deletekey, #registry_deleteval, #registry_enumkeys, #registry_enumvals, #registry_getvaldata, #registry_getvalinfo, #registry_hive_lookup, #registry_key_exist?, #registry_loadkey, #registry_setvaldata, #registry_unloadkey, #session_has_registry_ext, #shell_registry_cmd, #shell_registry_cmd_result, #shell_registry_createkey, #shell_registry_deletekey, #shell_registry_deleteval, #shell_registry_enumkeys, #shell_registry_enumvals, #shell_registry_getvaldata, #shell_registry_getvalinfo, #shell_registry_key_exist?, #shell_registry_loadkey, #shell_registry_setvaldata, #shell_registry_unloadkey, #split_key

Methods included from CliParse

#win_parse_error, #win_parse_results

Instance Method Details

#eventlog_clear(evt = '') ⇒ Object

Clears a given eventlog or all eventlogs if none is given. Returns an array of eventlogs that where cleared.

# File 'lib/msf/core/post/windows/eventlog.rb', line 43

def eventlog_clear(evt = '')
  evntlog = []
  if evt.empty?
    evntlog = eventloglist
  else
    evntlog << evt
  end
  evntlog.each do |e|
    log = session.sys.eventlog.open(e)
    log.clear
  end
  return evntlog
end

#eventlog_list ⇒ Object

Enumerate eventlogs

# File 'lib/msf/core/post/windows/eventlog.rb', line 27

def eventlog_list
  key = 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\'
  version = get_version_info
  if version.build_number.between?(Msf::WindowsVersion::Win2000, Msf::WindowsVersion::Server2003_SP2)
    key = "#{key}Eventlog"
  else
    key = "#{key}eventlog"
  end
  eventlogs = registry_enumkeys(key)
  return eventlogs
end

#initialize(info = {}) ⇒ Object

# File 'lib/msf/core/post/windows/eventlog.rb', line 9

def initialize(info = {})
  super(
    update_info(
      info,
      'Compat' => {
        'Meterpreter' => {
          'Commands' => %w[
            stdapi_sys_eventlog_*
          ]
        }
      }
    )
  )
end