RubyGems - winevt_c - Versions diffs - 0.1.1-x86-mingw32 → 0.2.0-x86-mingw32 - Mend

winevt_c 0.1.1-x86-mingw32 → 0.2.0-x86-mingw32

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

checksums.yaml +4 -4
data/example/eventlog.rb +11 -2
data/example/tailing.rb +13 -2
data/ext/winevt/winevt.c +6 -737
data/ext/winevt/winevt_bookmark.c +100 -0
data/ext/winevt/winevt_c.h +65 -0
data/ext/winevt/winevt_channel.c +103 -0
data/ext/winevt/winevt_query.c +245 -0
data/ext/winevt/winevt_subscribe.c +220 -0
data/ext/winevt/winevt_utils.c +236 -0
data/lib/winevt/2.4/winevt.so +0 -0
data/lib/winevt/2.5/winevt.so +0 -0
data/lib/winevt/2.6/winevt.so +0 -0
data/lib/winevt/version.rb +1 -1
metadata +8 -2

data/ext/winevt/winevt_subscribe.c ADDED Viewed

@@ -0,0 +1,220 @@
+#include <winevt_c.h>
+static void subscribe_free(void *ptr);
+static const rb_data_type_t rb_winevt_subscribe_type = {
+  "winevt/subscribe", {
+    0, subscribe_free, 0,
+  }, NULL, NULL,
+  RUBY_TYPED_FREE_IMMEDIATELY
+};
+static void
+subscribe_free(void *ptr)
+{
+  struct WinevtSubscribe *winevtSubscribe = (struct WinevtSubscribe *)ptr;
+  if (winevtSubscribe->signalEvent)
+    CloseHandle(winevtSubscribe->signalEvent);
+  if (winevtSubscribe->subscription)
+    EvtClose(winevtSubscribe->subscription);
+  if (winevtSubscribe->bookmark)
+    EvtClose(winevtSubscribe->bookmark);
+  if (winevtSubscribe->event)
+    EvtClose(winevtSubscribe->event);
+  xfree(ptr);
+}
+static VALUE
+rb_winevt_subscribe_alloc(VALUE klass)
+{
+  VALUE obj;
+  struct WinevtSubscribe *winevtSubscribe;
+  obj = TypedData_Make_Struct(klass,
+                              struct WinevtSubscribe,
+                              &rb_winevt_subscribe_type,
+                              winevtSubscribe);
+  return obj;
+}
+static VALUE
+rb_winevt_subscribe_initialize(VALUE self)
+{
+  return Qnil;
+}
+static VALUE
+rb_winevt_subscribe_set_tail(VALUE self, VALUE rb_tailing_p)
+{
+  struct WinevtSubscribe *winevtSubscribe;
+  TypedData_Get_Struct(self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  winevtSubscribe->tailing = RTEST(rb_tailing_p);
+  return Qnil;
+}
+static VALUE
+rb_winevt_subscribe_tail_p(VALUE self, VALUE rb_flag)
+{
+  struct WinevtSubscribe *winevtSubscribe;
+  TypedData_Get_Struct(self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  return winevtSubscribe->tailing ? Qtrue : Qfalse;
+}
+static VALUE
+rb_winevt_subscribe_subscribe(int argc, VALUE argv, VALUE self)
+{
+  VALUE rb_path, rb_query, rb_bookmark;
+  EVT_HANDLE hSubscription = NULL, hBookmark = NULL;
+  HANDLE hSignalEvent;
+  DWORD len, flags;
+  VALUE wpathBuf, wqueryBuf;
+  PWSTR path, query;
+  DWORD status = ERROR_SUCCESS;
+  struct WinevtBookmark *winevtBookmark;
+  struct WinevtSubscribe *winevtSubscribe;
+  hSignalEvent = CreateEvent(NULL, FALSE, FALSE, NULL);
+  TypedData_Get_Struct(self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  rb_scan_args(argc, argv, "21", &rb_path, &rb_query, &rb_bookmark);
+  Check_Type(rb_path, T_STRING);
+  Check_Type(rb_query, T_STRING);
+  if (rb_obj_is_kind_of(rb_bookmark, rb_cBookmark)) {
+    hBookmark = EventBookMark(rb_bookmark)->bookmark;
+  }
+  // path : To wide char
+  len = MultiByteToWideChar(CP_UTF8, 0, RSTRING_PTR(rb_path), RSTRING_LEN(rb_path), NULL, 0);
+  path = ALLOCV_N(WCHAR, wpathBuf, len+1);
+  MultiByteToWideChar(CP_UTF8, 0, RSTRING_PTR(rb_path), RSTRING_LEN(rb_path), path, len);
+  path[len] = L'\0';
+  // query : To wide char
+  len = MultiByteToWideChar(CP_UTF8, 0, RSTRING_PTR(rb_query), RSTRING_LEN(rb_query), NULL, 0);
+  query = ALLOCV_N(WCHAR, wqueryBuf, len+1);
+  MultiByteToWideChar(CP_UTF8, 0, RSTRING_PTR(rb_query), RSTRING_LEN(rb_query), query, len);
+  query[len] = L'\0';
+  if (hBookmark){
+    flags |= EvtSubscribeStartAfterBookmark;
+  } else if (winevtSubscribe->tailing) {
+    flags |= EvtSubscribeToFutureEvents;
+  } else {
+    flags |= EvtSubscribeStartAtOldestRecord;
+  }
+  hSubscription = EvtSubscribe(NULL, hSignalEvent, path, query, hBookmark, NULL, NULL, flags);
+  winevtSubscribe->signalEvent = hSignalEvent;
+  winevtSubscribe->subscription = hSubscription;
+  if (hBookmark) {
+    winevtSubscribe->bookmark = hBookmark;
+  } else {
+    winevtSubscribe->bookmark = EvtCreateBookmark(NULL);
+  }
+  status = GetLastError();
+  if (status == ERROR_SUCCESS)
+    return Qtrue;
+  return Qfalse;
+}
+static VALUE
+rb_winevt_subscribe_next(VALUE self)
+{
+  EVT_HANDLE event;
+  ULONG      count;
+  struct WinevtSubscribe *winevtSubscribe;
+  TypedData_Get_Struct(self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  if (EvtNext(winevtSubscribe->subscription, 1, &event, INFINITE, 0, &count) != FALSE) {
+    winevtSubscribe->event = event;
+    EvtUpdateBookmark(winevtSubscribe->bookmark, winevtSubscribe->event);
+    return Qtrue;
+  }
+  return Qfalse;
+}
+static VALUE
+rb_winevt_subscribe_render(VALUE self)
+{
+  char* result;
+  struct WinevtSubscribe *winevtSubscribe;
+  TypedData_Get_Struct(self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  result = render_event(winevtSubscribe->event, EvtRenderEventXml);
+  return rb_str_new2(result);
+}
+static VALUE
+rb_winevt_subscribe_message(VALUE self)
+{
+  char* result;
+  struct WinevtSubscribe *winevtSubscribe;
+  TypedData_Get_Struct(self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  result = get_description(winevtSubscribe->event);
+  return rb_str_new2(result);
+}
+static VALUE
+rb_winevt_subscribe_each(VALUE self)
+{
+  struct WinevtSubscribe *winevtSubscribe;
+  RETURN_ENUMERATOR(self, 0, 0);
+  TypedData_Get_Struct(self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  while (rb_winevt_subscribe_next(self)) {
+    rb_yield_values(2, rb_winevt_subscribe_render(self), rb_winevt_subscribe_message(self));
+  }
+  return Qnil;
+}
+static VALUE
+rb_winevt_subscribe_get_bookmark(VALUE self)
+{
+  char* result;
+  struct WinevtSubscribe *winevtSubscribe;
+  TypedData_Get_Struct(self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  result = render_event(winevtSubscribe->bookmark, EvtRenderBookmark);
+  return rb_str_new2(result);
+}
+void Init_winevt_subscribe(VALUE rb_cEventLog)
+{
+  rb_cSubscribe = rb_define_class_under(rb_cEventLog, "Subscribe", rb_cObject);
+  rb_define_alloc_func(rb_cSubscribe, rb_winevt_subscribe_alloc);
+  rb_define_method(rb_cSubscribe, "initialize", rb_winevt_subscribe_initialize, 0);
+  rb_define_method(rb_cSubscribe, "subscribe", rb_winevt_subscribe_subscribe, -1);
+  rb_define_method(rb_cSubscribe, "next", rb_winevt_subscribe_next, 0);
+  rb_define_method(rb_cSubscribe, "render", rb_winevt_subscribe_render, 0);
+  rb_define_method(rb_cSubscribe, "message", rb_winevt_subscribe_message, 0);
+  rb_define_method(rb_cSubscribe, "each", rb_winevt_subscribe_each, 0);
+  rb_define_method(rb_cSubscribe, "bookmark", rb_winevt_subscribe_get_bookmark, 0);
+  rb_define_method(rb_cSubscribe, "tail?", rb_winevt_subscribe_tail_p, 0);
+  rb_define_method(rb_cSubscribe, "tail=", rb_winevt_subscribe_set_tail, 1);
+}

data/ext/winevt/winevt_utils.c ADDED Viewed

@@ -0,0 +1,236 @@
+#include <winevt_c.h>
+char*
+wstr_to_mbstr(UINT cp, const WCHAR *wstr, int clen)
+{
+    char *ptr;
+    int len = WideCharToMultiByte(cp, 0, wstr, clen, NULL, 0, NULL, NULL);
+    if (!(ptr = malloc(len))) return 0;
+    WideCharToMultiByte(cp, 0, wstr, clen, ptr, len, NULL, NULL);
+    return ptr;
+}
+char* render_event(EVT_HANDLE handle, DWORD flags)
+{
+  PWSTR      buffer = NULL;
+  ULONG      bufferSize = 0;
+  ULONG      bufferSizeNeeded = 0;
+  EVT_HANDLE event;
+  ULONG      status, count;
+  char*      errBuf;
+  char*      result;
+  LPTSTR     msgBuf;
+  do {
+    if (bufferSizeNeeded > bufferSize) {
+      free(buffer);
+      bufferSize = bufferSizeNeeded;
+      buffer = malloc(bufferSize);
+      if (buffer == NULL) {
+        status = ERROR_OUTOFMEMORY;
+        bufferSize = 0;
+        rb_raise(rb_eWinevtQueryError, "Out of memory");
+        break;
+      }
+    }
+    if (EvtRender(NULL,
+                  handle,
+                  flags,
+                  bufferSize,
+                  buffer,
+                  &bufferSizeNeeded,
+                  &count) != FALSE) {
+      status = ERROR_SUCCESS;
+    } else {
+      status = GetLastError();
+    }
+  } while (status == ERROR_INSUFFICIENT_BUFFER);
+  if (status != ERROR_SUCCESS) {
+    FormatMessage(
+        FORMAT_MESSAGE_ALLOCATE_BUFFER |
+        FORMAT_MESSAGE_FROM_SYSTEM |
+        FORMAT_MESSAGE_IGNORE_INSERTS,
+        NULL, status,
+        MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
+        &msgBuf, 0, NULL);
+    result = wstr_to_mbstr(CP_ACP, msgBuf, -1);
+    rb_raise(rb_eWinevtQueryError, "ErrorCode: %d\nError: %s\n", status, result);
+  }
+  result = wstr_to_mbstr(CP_UTF8, buffer, -1);
+  if (buffer)
+    free(buffer);
+  return result;
+}
+char* get_description(EVT_HANDLE handle)
+{
+#define MAX_BUFFER 65535
+  WCHAR      buffer[4096], file[4096];
+  WCHAR      descriptionBuffer[MAX_BUFFER];
+  ULONG      bufferSize = 0;
+  ULONG      bufferSizeNeeded = 0;
+  EVT_HANDLE event;
+  ULONG      status, count;
+  char*      errBuf;
+  char*      result = "";
+  LPTSTR     msgBuf;
+  TCHAR publisherName[MAX_PATH];
+  TCHAR fileName[MAX_PATH];
+  EVT_HANDLE hMetadata = NULL;
+  PEVT_VARIANT values = NULL;
+  PEVT_VARIANT pProperty = NULL;
+  PEVT_VARIANT pTemp = NULL;
+  TCHAR paramEXE[MAX_PATH], messageEXE[MAX_PATH];
+  HMODULE hModule = NULL;
+  static PCWSTR eventProperties[] = {L"Event/System/Provider/@Name", L"Event/System/EventID"};
+  EVT_HANDLE renderContext = EvtCreateRenderContext(2, eventProperties, EvtRenderContextValues);
+  if (renderContext == NULL) {
+    rb_raise(rb_eWinevtQueryError, "Failed to create renderContext");
+  }
+  if (EvtRender(renderContext,
+                handle,
+                EvtRenderEventValues,
+                _countof(buffer),
+                buffer,
+                &bufferSizeNeeded,
+                &count) != FALSE) {
+    status = ERROR_SUCCESS;
+  } else {
+    status = GetLastError();
+  }
+  if (status != ERROR_SUCCESS) {
+    FormatMessage(
+        FORMAT_MESSAGE_ALLOCATE_BUFFER |
+        FORMAT_MESSAGE_FROM_SYSTEM |
+        FORMAT_MESSAGE_IGNORE_INSERTS,
+        NULL, status,
+        MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
+        &msgBuf, 0, NULL);
+    result = wstr_to_mbstr(CP_ACP, msgBuf, -1);
+    rb_raise(rb_eWinevtQueryError, "ErrorCode: %d\nError: %s\n", status, result);
+  }
+  // Obtain buffer as EVT_VARIANT pointer. To avoid ErrorCide 87 in EvtRender.
+  values = (PEVT_VARIANT)buffer;
+  if ((values[0].Type == EvtVarTypeString) && (values[0].StringVal != NULL)) {
+    WideCharToMultiByte(CP_ACP, WC_COMPOSITECHECK | WC_DEFAULTCHAR, values[0].StringVal, -1, publisherName, MAX_PATH, NULL, NULL);
+  }
+  DWORD eventId = 0;
+  if (values[1].Type == EvtVarTypeUInt16) {
+    eventId = values[1].UInt16Val;
+  }
+  // Open publisher metadata
+  hMetadata = EvtOpenPublisherMetadata(NULL, values[0].StringVal, NULL, MAKELCID(MAKELANGID(LANG_NEUTRAL, SUBLANG_NEUTRAL), SORT_DEFAULT), 0);
+  if (hMetadata == NULL) {
+    // When winevt_c cannot open metadata, then give up to obtain
+    // message file and clean up immediately.
+    goto cleanup;
+  }
+  /* TODO: Should we implement parameter file reading in C?
+  // Get the metadata property. If the buffer is not big enough, reallocate the buffer.
+  // Get parameter file first.
+  if  (!EvtGetPublisherMetadataProperty(hMetadata, EvtPublisherMetadataParameterFilePath, 0, bufferSize, pProperty, &count)) {
+    status = GetLastError();
+    if (ERROR_INSUFFICIENT_BUFFER == status) {
+      bufferSize = count;
+      pTemp = (PEVT_VARIANT)realloc(pProperty, bufferSize);
+      if (pTemp) {
+        pProperty = pTemp;
+        pTemp = NULL;
+        EvtGetPublisherMetadataProperty(hMetadata, EvtPublisherMetadataParameterFilePath, 0, bufferSize, pProperty, &count);
+      } else {
+        rb_raise(rb_eWinevtQueryError, "realloc failed");
+      }
+    }
+    if (ERROR_SUCCESS != (status = GetLastError())) {
+      rb_raise(rb_eWinevtQueryError, "EvtGetPublisherMetadataProperty for parameter file failed with %d\n", GetLastError());
+    }
+  }
+  if ((pProperty->Type == EvtVarTypeString) && (pProperty->StringVal != NULL)) {
+    WideCharToMultiByte(CP_ACP, WC_COMPOSITECHECK | WC_DEFAULTCHAR, pProperty->StringVal, -1, fileName, MAX_PATH, NULL, NULL);
+  }
+  if (paramEXE) {
+    ExpandEnvironmentStrings(fileName, paramEXE, _countof(paramEXE));
+  }
+  */
+  // Get the metadata property. If the buffer is not big enough, reallocate the buffer.
+  // Get message file contents.
+  if  (!EvtGetPublisherMetadataProperty(hMetadata, EvtPublisherMetadataMessageFilePath, 0, bufferSize, pProperty, &count)) {
+    status = GetLastError();
+    if (ERROR_INSUFFICIENT_BUFFER == status) {
+      bufferSize = count;
+      pTemp = (PEVT_VARIANT)realloc(pProperty, bufferSize);
+      if (pTemp) {
+        pProperty = pTemp;
+        pTemp = NULL;
+        EvtGetPublisherMetadataProperty(hMetadata, EvtPublisherMetadataMessageFilePath, 0, bufferSize, pProperty, &count);
+      } else {
+        rb_raise(rb_eWinevtQueryError, "realloc failed");
+      }
+    }
+    if (ERROR_SUCCESS != (status = GetLastError())) {
+      rb_raise(rb_eWinevtQueryError, "EvtGetPublisherMetadataProperty for message file failed with %d\n", GetLastError());
+    }
+  }
+  if ((pProperty->Type == EvtVarTypeString) && (pProperty->StringVal != NULL)) {
+    WideCharToMultiByte(CP_ACP, WC_COMPOSITECHECK | WC_DEFAULTCHAR, pProperty->StringVal, -1, fileName, MAX_PATH, NULL, NULL);
+  }
+  if (messageEXE) {
+    ExpandEnvironmentStrings(fileName, messageEXE, _countof(messageEXE));
+  }
+  if (messageEXE != NULL) {
+    hModule = LoadLibraryEx(messageEXE, NULL,
+                            DONT_RESOLVE_DLL_REFERENCES | LOAD_LIBRARY_AS_DATAFILE);
+    if (FormatMessageW(FORMAT_MESSAGE_FROM_HMODULE | FORMAT_MESSAGE_IGNORE_INSERTS,
+                       hModule,
+                       eventId,
+                       0, // Use current code page. Users must specify character encoding in Ruby side.
+                       descriptionBuffer,
+                       MAX_BUFFER,
+                       NULL)) {
+    } else if (!FormatMessageW(FORMAT_MESSAGE_FROM_HMODULE | FORMAT_MESSAGE_IGNORE_INSERTS,
+                               hModule,
+                               0xB0000000 | eventId,
+                               0, // Use current code page. Users must specify character encoding in Ruby side.
+                               descriptionBuffer,
+                               MAX_BUFFER,
+                               NULL)){
+      goto cleanup;
+    }
+  }
+  result = wstr_to_mbstr(CP_ACP, descriptionBuffer, -1);
+#undef MAX_BUFFER
+cleanup:
+  if (hMetadata)
+    EvtClose(hMetadata);
+  if (hModule)
+    FreeLibrary(hModule);
+  return result;
+}

data/lib/winevt/2.4/winevt.so CHANGED Viewed

Binary file

data/lib/winevt/2.5/winevt.so CHANGED Viewed

Binary file

data/lib/winevt/2.6/winevt.so CHANGED Viewed

Binary file

data/lib/winevt/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Winevt
-  VERSION = "0.1.1"
+  VERSION = "0.2.0"
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: winevt_c
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.2.0
 platform: x86-mingw32
 authors:
 - Hiroshi Hatake
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2019-06-13 00:00:00.000000000 Z
+date: 2019-06-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -106,6 +106,12 @@ files:
 - example/tailing.rb
 - ext/winevt/extconf.rb
 - ext/winevt/winevt.c
+- ext/winevt/winevt_bookmark.c
+- ext/winevt/winevt_c.h
+- ext/winevt/winevt_channel.c
+- ext/winevt/winevt_query.c
+- ext/winevt/winevt_subscribe.c
+- ext/winevt/winevt_utils.c
 - lib/winevt.rb
 - lib/winevt/2.4/winevt.so
 - lib/winevt/2.5/winevt.so