Class: Rex::Post::Meterpreter::Extensions::Stdapi::Sys::EventLog

Inherits:

Object

• Object
• Rex::Post::Meterpreter::Extensions::Stdapi::Sys::EventLog

Defined in:

lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb

Overview

This class provides access to the Windows event log on the remote machine.

Class Attribute Summary

• .client ⇒ Object

  Returns the value of attribute client.

Instance Attribute Summary

• #client ⇒ Object

  :nodoc:.

• #handle ⇒ Object

  Event Log Instance Stuffs!.

Class Method Summary

• .close(client, handle) ⇒ Object

  Close the event log.

• .finalize(client, handle) ⇒ Object
• .open(name) ⇒ Object

  Opens the supplied event log.

Instance Method Summary

• #_read(flags, offset = 0) ⇒ Object

  the low level read function (takes flags, not hash, etc).

• #clear ⇒ Object

  Clear the specified event log (and return nil).

• #close ⇒ Object

  Instance method.

• #each_backwards ⇒ Object

  Iterator for read_backwards.

• #each_forwards ⇒ Object

  Iterator for read_forwards.

• #initialize(hand) ⇒ EventLog constructor

  Initializes an instance of the eventlog manipulator.

• #length ⇒ Object

  Return the number of records in the event log.

• #oldest ⇒ Object

  Return the record number of the oldest event (not necessarily 1).

• #read_backwards ⇒ Object

  Read the eventlog backwards, meaning from newest to oldest.

• #read_forwards ⇒ Object

  Read the eventlog forwards, meaning from oldest to newest.

Constructor Details

#initialize(hand) ⇒ EventLog

Initializes an instance of the eventlog manipulator.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 60

def initialize(hand)
  self.client = self.class.client
  self.handle = hand

  # Ensure the remote object is closed when all references are removed
  ObjectSpace.define_finalizer(self, self.class.finalize(client, hand))
end

Class Attribute Details

.client ⇒ Object

Returns the value of attribute client.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 26

def client
  @client
end

Instance Attribute Details

#client ⇒ Object

:nodoc:

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 53

def client
  @client
end

#handle ⇒ Object

Event Log Instance Stuffs!

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 52

def handle
  @handle
end

Class Method Details

.close(client, handle) ⇒ Object

Close the event log

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 192

def self.close(client, handle)
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_EVENTLOG_CLOSE)
  request.add_tlv(TLV_TYPE_EVENT_HANDLE, handle);
  client.send_request(request, nil)
  return nil
end

.finalize(client, handle) ⇒ Object

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 68

def self.finalize(client,handle)
  proc do
    deferred_close_proc = proc do
      begin
        self.close(client,handle)
      rescue => e
        elog("finalize method for EventLog failed", error: e)
      end
    end

    # Schedule the finalizing logic out-of-band; as this logic might be called in the context of a Signal.trap, which can't synchronize mutexes
    client.framework.sessions.schedule(deferred_close_proc)
  end
end

.open(name) ⇒ Object

Opens the supplied event log.

– NOTE: should support UNCServerName sometime ++

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 36

def EventLog.open(name)
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_EVENTLOG_OPEN)

  request.add_tlv(TLV_TYPE_EVENT_SOURCENAME, name);

  response = client.send_request(request)

  return self.new(response.get_tlv_value(TLV_TYPE_EVENT_HANDLE))
end

Instance Method Details

#_read(flags, offset = 0) ⇒ Object

the low level read function (takes flags, not hash, etc).

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 99

def _read(flags, offset = 0)
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_EVENTLOG_READ)

  request.add_tlv(TLV_TYPE_EVENT_HANDLE, self.handle)
  request.add_tlv(TLV_TYPE_EVENT_READFLAGS, flags)
  request.add_tlv(TLV_TYPE_EVENT_RECORDOFFSET, offset)

  response = client.send_request(request)

  EventLogSubsystem::EventRecord.new(
    response.get_tlv_value(TLV_TYPE_EVENT_RECORDNUMBER),
    response.get_tlv_value(TLV_TYPE_EVENT_TIMEGENERATED),
    response.get_tlv_value(TLV_TYPE_EVENT_TIMEWRITTEN),
    response.get_tlv_value(TLV_TYPE_EVENT_ID),
    response.get_tlv_value(TLV_TYPE_EVENT_TYPE),
    response.get_tlv_value(TLV_TYPE_EVENT_CATEGORY),
    response.get_tlv_values(TLV_TYPE_EVENT_STRING),
    response.get_tlv_value(TLV_TYPE_EVENT_DATA)
  )
end

#clear ⇒ Object

Clear the specified event log (and return nil).

– I should eventually support BackupFile ++

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 180

def clear
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_EVENTLOG_CLEAR)

  request.add_tlv(TLV_TYPE_EVENT_HANDLE, self.handle);

  client.send_request(request)
  return self
end

#close ⇒ Object

Instance method

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 200

def close
  unless self.handle.nil?
    ObjectSpace.undefine_finalizer(self)
    self.class.close(self.client, self.handle)
    self.handle = nil
  end
end

#each_backwards ⇒ Object

Iterator for read_backwards.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 151

def each_backwards
  begin
    loop do
      yield(read_backwards)
    end
  rescue ::Exception
  end
end

#each_forwards ⇒ Object

Iterator for read_forwards.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 131

def each_forwards
  begin
    loop do
      yield(read_forwards)
    end
  rescue ::Exception
  end
end

#length ⇒ Object

Return the number of records in the event log.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 86

def length
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_EVENTLOG_NUMRECORDS)

  request.add_tlv(TLV_TYPE_EVENT_HANDLE, self.handle);

  response = client.send_request(request)

  return response.get_tlv_value(TLV_TYPE_EVENT_NUMRECORDS)
end

#oldest ⇒ Object

Return the record number of the oldest event (not necessarily 1).

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 163

def oldest
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_EVENTLOG_OLDEST)

  request.add_tlv(TLV_TYPE_EVENT_HANDLE, self.handle);

  response = client.send_request(request)

  return response.get_tlv_value(TLV_TYPE_EVENT_RECORDNUMBER)
end

#read_backwards ⇒ Object

Read the eventlog backwards, meaning from newest to oldest. Returns a EventRecord, and throws an exception after no more records.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 144

def read_backwards
  _read(EVENTLOG_SEQUENTIAL_READ | EVENTLOG_BACKWARDS_READ)
end

#read_forwards ⇒ Object

Read the eventlog forwards, meaning from oldest to newest. Returns a EventRecord, and throws an exception after no more records.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 124

def read_forwards
  _read(EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ)
end