RubyGems - winevt_c - Versions diffs - 0.1.1 → 0.2.0 - Mend

winevt_c 0.1.1 → 0.2.0

Files changed (12) hide show

checksums.yaml +4 -4
data/example/eventlog.rb +11 -2
data/example/tailing.rb +13 -2
data/ext/winevt/winevt.c +6 -737
data/ext/winevt/winevt_bookmark.c +100 -0
data/ext/winevt/winevt_c.h +65 -0
data/ext/winevt/winevt_channel.c +103 -0
data/ext/winevt/winevt_query.c +245 -0
data/ext/winevt/winevt_subscribe.c +220 -0
data/ext/winevt/winevt_utils.c +236 -0
data/lib/winevt/version.rb +3 -3
metadata +8 -2

data/ext/winevt/winevt_subscribe.c ADDED Viewed

@@ -0,0 +1,220 @@
+#include <winevt_c.h>
+static void subscribe_free(void *ptr);
+static const rb_data_type_t rb_winevt_subscribe_type = {
+  "winevt/subscribe", {
+    0, subscribe_free, 0,
+  }, NULL, NULL,
+  RUBY_TYPED_FREE_IMMEDIATELY
+};
+static void
+subscribe_free(void *ptr)
+{
+  struct WinevtSubscribe *winevtSubscribe = (struct WinevtSubscribe *)ptr;
+  if (winevtSubscribe->signalEvent)
+    CloseHandle(winevtSubscribe->signalEvent);
+  if (winevtSubscribe->subscription)
+    EvtClose(winevtSubscribe->subscription);
+  if (winevtSubscribe->bookmark)
+    EvtClose(winevtSubscribe->bookmark);
+  if (winevtSubscribe->event)
+    EvtClose(winevtSubscribe->event);
+  xfree(ptr);
+}
+static VALUE
+rb_winevt_subscribe_alloc(VALUE klass)
+{
+  VALUE obj;
+  struct WinevtSubscribe *winevtSubscribe;
+  obj = TypedData_Make_Struct(klass,
+                              struct WinevtSubscribe,
+                              &rb_winevt_subscribe_type,
+                              winevtSubscribe);
+  return obj;
+}
+static VALUE
+rb_winevt_subscribe_initialize(VALUE self)
+{
+  return Qnil;
+}
+static VALUE
+rb_winevt_subscribe_set_tail(VALUE self, VALUE rb_tailing_p)
+{
+  struct WinevtSubscribe *winevtSubscribe;
+  TypedData_Get_Struct(self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  winevtSubscribe->tailing = RTEST(rb_tailing_p);
+  return Qnil;
+}
+static VALUE
+rb_winevt_subscribe_tail_p(VALUE self, VALUE rb_flag)
+{
+  struct WinevtSubscribe *winevtSubscribe;
+  TypedData_Get_Struct(self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  return winevtSubscribe->tailing ? Qtrue : Qfalse;
+}
+static VALUE
+rb_winevt_subscribe_subscribe(int argc, VALUE argv, VALUE self)
+{
+  VALUE rb_path, rb_query, rb_bookmark;
+  EVT_HANDLE hSubscription = NULL, hBookmark = NULL;
+  HANDLE hSignalEvent;
+  DWORD len, flags;
+  VALUE wpathBuf, wqueryBuf;
+  PWSTR path, query;
+  DWORD status = ERROR_SUCCESS;
+  struct WinevtBookmark *winevtBookmark;
+  struct WinevtSubscribe *winevtSubscribe;
+  hSignalEvent = CreateEvent(NULL, FALSE, FALSE, NULL);
+  TypedData_Get_Struct(self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  rb_scan_args(argc, argv, "21", &rb_path, &rb_query, &rb_bookmark);
+  Check_Type(rb_path, T_STRING);
+  Check_Type(rb_query, T_STRING);
+  if (rb_obj_is_kind_of(rb_bookmark, rb_cBookmark)) {
+    hBookmark = EventBookMark(rb_bookmark)->bookmark;
+  }
+  // path : To wide char
+  len = MultiByteToWideChar(CP_UTF8, 0, RSTRING_PTR(rb_path), RSTRING_LEN(rb_path), NULL, 0);
+  path = ALLOCV_N(WCHAR, wpathBuf, len+1);
+  MultiByteToWideChar(CP_UTF8, 0, RSTRING_PTR(rb_path), RSTRING_LEN(rb_path), path, len);
+  path[len] = L'\0';
+  // query : To wide char
+  len = MultiByteToWideChar(CP_UTF8, 0, RSTRING_PTR(rb_query), RSTRING_LEN(rb_query), NULL, 0);
+  query = ALLOCV_N(WCHAR, wqueryBuf, len+1);
+  MultiByteToWideChar(CP_UTF8, 0, RSTRING_PTR(rb_query), RSTRING_LEN(rb_query), query, len);
+  query[len] = L'\0';
+  if (hBookmark){
+    flags |= EvtSubscribeStartAfterBookmark;
+  } else if (winevtSubscribe->tailing) {
+    flags |= EvtSubscribeToFutureEvents;
+  } else {
+    flags |= EvtSubscribeStartAtOldestRecord;
+  }
+  hSubscription = EvtSubscribe(NULL, hSignalEvent, path, query, hBookmark, NULL, NULL, flags);
+  winevtSubscribe->signalEvent = hSignalEvent;
+  winevtSubscribe->subscription = hSubscription;
+  if (hBookmark) {
+    winevtSubscribe->bookmark = hBookmark;
+  } else {
+    winevtSubscribe->bookmark = EvtCreateBookmark(NULL);
+  }
+  status = GetLastError();
+  if (status == ERROR_SUCCESS)
+    return Qtrue;
+  return Qfalse;
+}
+static VALUE
+rb_winevt_subscribe_next(VALUE self)
+{
+  EVT_HANDLE event;
+  ULONG      count;
+  struct WinevtSubscribe *winevtSubscribe;
+  TypedData_Get_Struct(self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  if (EvtNext(winevtSubscribe->subscription, 1, &event, INFINITE, 0, &count) != FALSE) {
+    winevtSubscribe->event = event;
+    EvtUpdateBookmark(winevtSubscribe->bookmark, winevtSubscribe->event);
+    return Qtrue;
+  }
+  return Qfalse;
+}
+static VALUE
+rb_winevt_subscribe_render(VALUE self)
+{
+  char* result;
+  struct WinevtSubscribe *winevtSubscribe;
+  TypedData_Get_Struct(self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  result = render_event(winevtSubscribe->event, EvtRenderEventXml);
+  return rb_str_new2(result);
+}
+static VALUE
+rb_winevt_subscribe_message(VALUE self)
+{
+  char* result;
+  struct WinevtSubscribe *winevtSubscribe;
+  TypedData_Get_Struct(self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  result = get_description(winevtSubscribe->event);
+  return rb_str_new2(result);
+}
+static VALUE
+rb_winevt_subscribe_each(VALUE self)
+{
+  struct WinevtSubscribe *winevtSubscribe;
+  RETURN_ENUMERATOR(self, 0, 0);
+  TypedData_Get_Struct(self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  while (rb_winevt_subscribe_next(self)) {
+    rb_yield_values(2, rb_winevt_subscribe_render(self), rb_winevt_subscribe_message(self));
+  }
+  return Qnil;
+}
+static VALUE
+rb_winevt_subscribe_get_bookmark(VALUE self)
+{
+  char* result;
+  struct WinevtSubscribe *winevtSubscribe;
+  TypedData_Get_Struct(self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  result = render_event(winevtSubscribe->bookmark, EvtRenderBookmark);
+  return rb_str_new2(result);
+}
+void Init_winevt_subscribe(VALUE rb_cEventLog)
+{
+  rb_cSubscribe = rb_define_class_under(rb_cEventLog, "Subscribe", rb_cObject);
+  rb_define_alloc_func(rb_cSubscribe, rb_winevt_subscribe_alloc);
+  rb_define_method(rb_cSubscribe, "initialize", rb_winevt_subscribe_initialize, 0);
+  rb_define_method(rb_cSubscribe, "subscribe", rb_winevt_subscribe_subscribe, -1);
+  rb_define_method(rb_cSubscribe, "next", rb_winevt_subscribe_next, 0);
+  rb_define_method(rb_cSubscribe, "render", rb_winevt_subscribe_render, 0);
+  rb_define_method(rb_cSubscribe, "message", rb_winevt_subscribe_message, 0);
+  rb_define_method(rb_cSubscribe, "each", rb_winevt_subscribe_each, 0);
+  rb_define_method(rb_cSubscribe, "bookmark", rb_winevt_subscribe_get_bookmark, 0);
+  rb_define_method(rb_cSubscribe, "tail?", rb_winevt_subscribe_tail_p, 0);
+  rb_define_method(rb_cSubscribe, "tail=", rb_winevt_subscribe_set_tail, 1);
+}

data/ext/winevt/winevt_utils.c ADDED Viewed

@@ -0,0 +1,236 @@
+#include <winevt_c.h>
+char*
+wstr_to_mbstr(UINT cp, const WCHAR *wstr, int clen)
+{
+    char *ptr;
+    int len = WideCharToMultiByte(cp, 0, wstr, clen, NULL, 0, NULL, NULL);
+    if (!(ptr = malloc(len))) return 0;
+    WideCharToMultiByte(cp, 0, wstr, clen, ptr, len, NULL, NULL);
+    return ptr;
+}
+char* render_event(EVT_HANDLE handle, DWORD flags)
+{
+  PWSTR      buffer = NULL;
+  ULONG      bufferSize = 0;
+  ULONG      bufferSizeNeeded = 0;
+  EVT_HANDLE event;
+  ULONG      status, count;
+  char*      errBuf;
+  char*      result;
+  LPTSTR     msgBuf;
+  do {
+    if (bufferSizeNeeded > bufferSize) {
+      free(buffer);
+      bufferSize = bufferSizeNeeded;
+      buffer = malloc(bufferSize);
+      if (buffer == NULL) {
+        status = ERROR_OUTOFMEMORY;
+        bufferSize = 0;
+        rb_raise(rb_eWinevtQueryError, "Out of memory");
+        break;
+      }
+    }
+    if (EvtRender(NULL,
+                  handle,
+                  flags,
+                  bufferSize,
+                  buffer,
+                  &bufferSizeNeeded,
+                  &count) != FALSE) {
+      status = ERROR_SUCCESS;
+    } else {
+      status = GetLastError();
+    }
+  } while (status == ERROR_INSUFFICIENT_BUFFER);
+  if (status != ERROR_SUCCESS) {
+    FormatMessage(
+        FORMAT_MESSAGE_ALLOCATE_BUFFER |
+        FORMAT_MESSAGE_FROM_SYSTEM |
+        FORMAT_MESSAGE_IGNORE_INSERTS,
+        NULL, status,
+        MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
+        &msgBuf, 0, NULL);
+    result = wstr_to_mbstr(CP_ACP, msgBuf, -1);
+    rb_raise(rb_eWinevtQueryError, "ErrorCode: %d\nError: %s\n", status, result);
+  }
+  result = wstr_to_mbstr(CP_UTF8, buffer, -1);
+  if (buffer)
+    free(buffer);
+  return result;
+}
+char* get_description(EVT_HANDLE handle)
+{
+#define MAX_BUFFER 65535
+  WCHAR      buffer[4096], file[4096];
+  WCHAR      descriptionBuffer[MAX_BUFFER];
+  ULONG      bufferSize = 0;
+  ULONG      bufferSizeNeeded = 0;
+  EVT_HANDLE event;
+  ULONG      status, count;
+  char*      errBuf;
+  char*      result = "";
+  LPTSTR     msgBuf;
+  TCHAR publisherName[MAX_PATH];
+  TCHAR fileName[MAX_PATH];
+  EVT_HANDLE hMetadata = NULL;
+  PEVT_VARIANT values = NULL;
+  PEVT_VARIANT pProperty = NULL;
+  PEVT_VARIANT pTemp = NULL;
+  TCHAR paramEXE[MAX_PATH], messageEXE[MAX_PATH];
+  HMODULE hModule = NULL;
+  static PCWSTR eventProperties[] = {L"Event/System/Provider/@Name", L"Event/System/EventID"};
+  EVT_HANDLE renderContext = EvtCreateRenderContext(2, eventProperties, EvtRenderContextValues);
+  if (renderContext == NULL) {
+    rb_raise(rb_eWinevtQueryError, "Failed to create renderContext");
+  }
+  if (EvtRender(renderContext,
+                handle,
+                EvtRenderEventValues,
+                _countof(buffer),
+                buffer,
+                &bufferSizeNeeded,
+                &count) != FALSE) {
+    status = ERROR_SUCCESS;
+  } else {
+    status = GetLastError();
+  }
+  if (status != ERROR_SUCCESS) {
+    FormatMessage(
+        FORMAT_MESSAGE_ALLOCATE_BUFFER |
+        FORMAT_MESSAGE_FROM_SYSTEM |
+        FORMAT_MESSAGE_IGNORE_INSERTS,
+        NULL, status,
+        MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
+        &msgBuf, 0, NULL);
+    result = wstr_to_mbstr(CP_ACP, msgBuf, -1);
+    rb_raise(rb_eWinevtQueryError, "ErrorCode: %d\nError: %s\n", status, result);
+  }
+  // Obtain buffer as EVT_VARIANT pointer. To avoid ErrorCide 87 in EvtRender.
+  values = (PEVT_VARIANT)buffer;
+  if ((values[0].Type == EvtVarTypeString) && (values[0].StringVal != NULL)) {
+    WideCharToMultiByte(CP_ACP, WC_COMPOSITECHECK | WC_DEFAULTCHAR, values[0].StringVal, -1, publisherName, MAX_PATH, NULL, NULL);
+  }
+  DWORD eventId = 0;
+  if (values[1].Type == EvtVarTypeUInt16) {
+    eventId = values[1].UInt16Val;
+  }
+  // Open publisher metadata
+  hMetadata = EvtOpenPublisherMetadata(NULL, values[0].StringVal, NULL, MAKELCID(MAKELANGID(LANG_NEUTRAL, SUBLANG_NEUTRAL), SORT_DEFAULT), 0);
+  if (hMetadata == NULL) {
+    // When winevt_c cannot open metadata, then give up to obtain
+    // message file and clean up immediately.
+    goto cleanup;
+  }
+  /* TODO: Should we implement parameter file reading in C?
+  // Get the metadata property. If the buffer is not big enough, reallocate the buffer.
+  // Get parameter file first.
+  if  (!EvtGetPublisherMetadataProperty(hMetadata, EvtPublisherMetadataParameterFilePath, 0, bufferSize, pProperty, &count)) {
+    status = GetLastError();
+    if (ERROR_INSUFFICIENT_BUFFER == status) {
+      bufferSize = count;
+      pTemp = (PEVT_VARIANT)realloc(pProperty, bufferSize);
+      if (pTemp) {
+        pProperty = pTemp;
+        pTemp = NULL;
+        EvtGetPublisherMetadataProperty(hMetadata, EvtPublisherMetadataParameterFilePath, 0, bufferSize, pProperty, &count);
+      } else {
+        rb_raise(rb_eWinevtQueryError, "realloc failed");
+      }
+    }
+    if (ERROR_SUCCESS != (status = GetLastError())) {
+      rb_raise(rb_eWinevtQueryError, "EvtGetPublisherMetadataProperty for parameter file failed with %d\n", GetLastError());
+    }
+  }
+  if ((pProperty->Type == EvtVarTypeString) && (pProperty->StringVal != NULL)) {
+    WideCharToMultiByte(CP_ACP, WC_COMPOSITECHECK | WC_DEFAULTCHAR, pProperty->StringVal, -1, fileName, MAX_PATH, NULL, NULL);
+  }
+  if (paramEXE) {
+    ExpandEnvironmentStrings(fileName, paramEXE, _countof(paramEXE));
+  }
+  */
+  // Get the metadata property. If the buffer is not big enough, reallocate the buffer.
+  // Get message file contents.
+  if  (!EvtGetPublisherMetadataProperty(hMetadata, EvtPublisherMetadataMessageFilePath, 0, bufferSize, pProperty, &count)) {
+    status = GetLastError();
+    if (ERROR_INSUFFICIENT_BUFFER == status) {
+      bufferSize = count;
+      pTemp = (PEVT_VARIANT)realloc(pProperty, bufferSize);
+      if (pTemp) {
+        pProperty = pTemp;
+        pTemp = NULL;
+        EvtGetPublisherMetadataProperty(hMetadata, EvtPublisherMetadataMessageFilePath, 0, bufferSize, pProperty, &count);
+      } else {
+        rb_raise(rb_eWinevtQueryError, "realloc failed");
+      }
+    }
+    if (ERROR_SUCCESS != (status = GetLastError())) {
+      rb_raise(rb_eWinevtQueryError, "EvtGetPublisherMetadataProperty for message file failed with %d\n", GetLastError());
+    }
+  }
+  if ((pProperty->Type == EvtVarTypeString) && (pProperty->StringVal != NULL)) {
+    WideCharToMultiByte(CP_ACP, WC_COMPOSITECHECK | WC_DEFAULTCHAR, pProperty->StringVal, -1, fileName, MAX_PATH, NULL, NULL);
+  }
+  if (messageEXE) {
+    ExpandEnvironmentStrings(fileName, messageEXE, _countof(messageEXE));
+  }
+  if (messageEXE != NULL) {
+    hModule = LoadLibraryEx(messageEXE, NULL,
+                            DONT_RESOLVE_DLL_REFERENCES | LOAD_LIBRARY_AS_DATAFILE);
+    if (FormatMessageW(FORMAT_MESSAGE_FROM_HMODULE | FORMAT_MESSAGE_IGNORE_INSERTS,
+                       hModule,
+                       eventId,
+                       0, // Use current code page. Users must specify character encoding in Ruby side.
+                       descriptionBuffer,
+                       MAX_BUFFER,
+                       NULL)) {
+    } else if (!FormatMessageW(FORMAT_MESSAGE_FROM_HMODULE | FORMAT_MESSAGE_IGNORE_INSERTS,
+                               hModule,
+                               0xB0000000 | eventId,
+                               0, // Use current code page. Users must specify character encoding in Ruby side.
+                               descriptionBuffer,
+                               MAX_BUFFER,
+                               NULL)){
+      goto cleanup;
+    }
+  }
+  result = wstr_to_mbstr(CP_ACP, descriptionBuffer, -1);
+#undef MAX_BUFFER
+cleanup:
+  if (hMetadata)
+    EvtClose(hMetadata);
+  if (hModule)
+    FreeLibrary(hModule);
+  return result;
+}

data/lib/winevt/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
-module Winevt
-  VERSION = "0.1.1"
-end
+module Winevt
+  VERSION = "0.2.0"
+end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: winevt_c
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.2.0
 platform: ruby
 authors:
 - Hiroshi Hatake
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2019-06-13 00:00:00.000000000 Z
+date: 2019-06-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -107,6 +107,12 @@ files:
 - example/tailing.rb
 - ext/winevt/extconf.rb
 - ext/winevt/winevt.c
+- ext/winevt/winevt_bookmark.c
+- ext/winevt/winevt_c.h
+- ext/winevt/winevt_channel.c
+- ext/winevt/winevt_query.c
+- ext/winevt/winevt_subscribe.c
+- ext/winevt/winevt_utils.c
 - lib/winevt.rb
 - lib/winevt/query.rb
 - lib/winevt/version.rb