winevt_c 0.2.4-x64-mingw32 → 0.3.0-x64-mingw32

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d672023362670f5f0a52991cb7cee6ccad756b099fea44854319e25d02fabfd5
-  data.tar.gz: e739004257c5db401027c4f392c084e9ab69d843313d11e3349f2aa1bc9c5a2a
+  metadata.gz: 143e6fcaac67c8c04040b029480d9bbfbc71c572f212e13a63a360b814140296
+  data.tar.gz: 4224e2cbe5078ef310c625c52e8590aeaec33ba50d773ed2f449a2460cce899f
 SHA512:
-  metadata.gz: f4f785f77ff6252d4cb98825c5d00b29c9ee6390dd33320aa77e6f7aaa725337cff33cec8b5ba9b7f66bc05b45eeb57557829a8fe1568aa2e26e5f749e8a1abd
-  data.tar.gz: b9e871c40d73583ac5d6252d3db29136c9228c7376f251532a7e65df21719b11bda9ec4caa9c80162d7b50153f54fa07c189aa401dc6e3ca824cbdde70f97a3b
+  metadata.gz: 8ef6caaaf8c2f5f949226699f9029a21db7e04ba0784bb200ecd605b007c25387ceb578274c2880496b7e11ab83a09b3ffc09f2e220557cee158e862459563e9
+  data.tar.gz: 074657a3a9846105e5ca3ed4639bbc230aca3afea4609ac5097a44435c4e7ba6c0538987b89e3e43816b4dd8c4de26a04c216575c1ef6f1aafe4e5ddd78dcee9

data/ext/winevt/extconf.rb

@@ -12,8 +12,10 @@ dir_config("winevt", includedir, libdir)
 
 have_library("wevtapi")
 have_func("EvtQuery", "winevt.h")
+have_library("advapi32")
+have_library("ole32")
 
-$LDFLAGS << " -lwevtapi"
+$LDFLAGS << " -lwevtapi -ladvapi32 -lole32"
 $CFLAGS << " -std=c99 -fPIC -fms-extensions "
 # $CFLAGS << " -g -O0"
 

data/ext/winevt/winevt_c.h

@@ -24,6 +24,7 @@
 char* wstr_to_mbstr(UINT cp, const WCHAR *wstr, int clen);
 char* render_event(EVT_HANDLE handle, DWORD flags);
 char* get_description(EVT_HANDLE handle);
+VALUE get_values(EVT_HANDLE handle);
 
 VALUE rb_cQuery;
 VALUE rb_cChannel;

data/ext/winevt/winevt_query.c

@@ -159,6 +159,15 @@ rb_winevt_query_message(VALUE self)
   return rb_utf8_str_new_cstr(result);
 }
 
+static VALUE
+rb_winevt_query_string_inserts(VALUE self)
+{
+  struct WinevtQuery *winevtQuery;
+
+  TypedData_Get_Struct(self, struct WinevtQuery, &rb_winevt_query_type, winevtQuery);
+  return get_values(winevtQuery->event);
+}
+
 static DWORD
 get_evt_seek_flag_from_cstr(char* flag_str)
 {
@@ -221,7 +230,10 @@ rb_winevt_query_each(VALUE self)
   TypedData_Get_Struct(self, struct WinevtQuery, &rb_winevt_query_type, winevtQuery);
 
   while (rb_winevt_query_next(self)) {
-    rb_yield_values(2, rb_winevt_query_render(self), rb_winevt_query_message(self));
+    rb_yield_values(3,
+                    rb_winevt_query_render(self),
+                    rb_winevt_query_message(self),
+                    rb_winevt_query_string_inserts(self));
   }
 
   return Qnil;
@@ -236,6 +248,7 @@ void Init_winevt_query(VALUE rb_cEventLog)
   rb_define_method(rb_cQuery, "next", rb_winevt_query_next, 0);
   rb_define_method(rb_cQuery, "render", rb_winevt_query_render, 0);
   rb_define_method(rb_cQuery, "message", rb_winevt_query_message, 0);
+  rb_define_method(rb_cQuery, "string_inserts", rb_winevt_query_string_inserts, 0);
   rb_define_method(rb_cQuery, "seek", rb_winevt_query_seek, 1);
   rb_define_method(rb_cQuery, "offset", rb_winevt_query_get_offset, 0);
   rb_define_method(rb_cQuery, "offset=", rb_winevt_query_set_offset, 1);

data/ext/winevt/winevt_subscribe.c

@@ -174,6 +174,15 @@ rb_winevt_subscribe_message(VALUE self)
   return rb_utf8_str_new_cstr(result);
 }
 
+static VALUE
+rb_winevt_subscribe_string_inserts(VALUE self)
+{
+  struct WinevtSubscribe *winevtSubscribe;
+
+  TypedData_Get_Struct(self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  return get_values(winevtSubscribe->event);
+}
+
 static VALUE
 rb_winevt_subscribe_each(VALUE self)
 {
@@ -184,7 +193,10 @@ rb_winevt_subscribe_each(VALUE self)
   TypedData_Get_Struct(self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
 
   while (rb_winevt_subscribe_next(self)) {
-    rb_yield_values(2, rb_winevt_subscribe_render(self), rb_winevt_subscribe_message(self));
+    rb_yield_values(3,
+                    rb_winevt_subscribe_render(self),
+                    rb_winevt_subscribe_message(self),
+                    rb_winevt_subscribe_string_inserts(self));
   }
 
   return Qnil;
@@ -213,6 +225,7 @@ void Init_winevt_subscribe(VALUE rb_cEventLog)
   rb_define_method(rb_cSubscribe, "next", rb_winevt_subscribe_next, 0);
   rb_define_method(rb_cSubscribe, "render", rb_winevt_subscribe_render, 0);
   rb_define_method(rb_cSubscribe, "message", rb_winevt_subscribe_message, 0);
+  rb_define_method(rb_cSubscribe, "string_inserts", rb_winevt_subscribe_string_inserts, 0);
   rb_define_method(rb_cSubscribe, "each", rb_winevt_subscribe_each, 0);
   rb_define_method(rb_cSubscribe, "bookmark", rb_winevt_subscribe_get_bookmark, 0);
   rb_define_method(rb_cSubscribe, "tail?", rb_winevt_subscribe_tail_p, 0);

data/ext/winevt/winevt_utils.c

@@ -1,4 +1,6 @@
 #include <winevt_c.h>
+#include <sddl.h>
+#include <stdlib.h>
 
 char*
 wstr_to_mbstr(UINT cp, const WCHAR *wstr, int clen)
@@ -69,6 +71,183 @@ char* render_event(EVT_HANDLE handle, DWORD flags)
   return result;
 }
 
+VALUE get_values(EVT_HANDLE handle)
+{
+  PWSTR buffer = NULL;
+  ULONG bufferSize = 0;
+  ULONG bufferSizeNeeded = 0;
+  DWORD status, propCount = 0;
+  char *result = "";
+  LPTSTR msgBuf;
+  WCHAR* tmpWChar = NULL;
+  VALUE userValues = rb_ary_new();
+
+  static PCWSTR eventProperties[] = { L"Event/EventData/Data[1]" };
+  EVT_HANDLE renderContext = EvtCreateRenderContext(0, NULL, EvtRenderContextUser);
+  if (renderContext == NULL) {
+    rb_raise(rb_eWinevtQueryError, "Failed to create renderContext");
+  }
+
+  do {
+    if (bufferSizeNeeded > bufferSize) {
+      free(buffer);
+      bufferSize = bufferSizeNeeded;
+      buffer = malloc(bufferSize);
+      if (buffer == NULL) {
+        status = ERROR_OUTOFMEMORY;
+        bufferSize = 0;
+        rb_raise(rb_eWinevtQueryError, "Out of memory");
+        break;
+      }
+    }
+
+    if (EvtRender(renderContext,
+                  handle,
+                  EvtRenderEventValues,
+                  bufferSize,
+                  buffer,
+                  &bufferSizeNeeded,
+                  &propCount) != FALSE) {
+      status = ERROR_SUCCESS;
+    } else {
+      status = GetLastError();
+    }
+  } while (status == ERROR_INSUFFICIENT_BUFFER);
+
+  if (status != ERROR_SUCCESS) {
+    FormatMessage(
+        FORMAT_MESSAGE_ALLOCATE_BUFFER |
+        FORMAT_MESSAGE_FROM_SYSTEM |
+        FORMAT_MESSAGE_IGNORE_INSERTS,
+        NULL, status,
+        MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
+        &msgBuf, 0, NULL);
+    result = wstr_to_mbstr(CP_ACP, msgBuf, -1);
+
+    rb_raise(rb_eWinevtQueryError, "ErrorCode: %d\nError: %s\n", status, result);
+  }
+
+  PEVT_VARIANT pRenderedValues = (PEVT_VARIANT)buffer;
+  LARGE_INTEGER timestamp;
+  SYSTEMTIME st;
+  FILETIME ft;
+  CHAR strTime[128];
+  VALUE rbObj;
+
+  for (int i = 0; i < propCount; i++) {
+    switch (pRenderedValues[i].Type) {
+    case EvtVarTypeString:
+      if (pRenderedValues[i].StringVal == NULL) {
+        rb_ary_push(userValues, rb_utf8_str_new_cstr("(NULL)"));
+      } else {
+        result = wstr_to_mbstr(CP_UTF8, pRenderedValues[i].StringVal, -1);
+        rb_ary_push(userValues, rb_utf8_str_new_cstr(result));
+      }
+      break;
+    case EvtVarTypeAnsiString:
+      if (pRenderedValues[i].AnsiStringVal == NULL) {
+        rb_ary_push(userValues, rb_utf8_str_new_cstr("(NULL)"));
+      } else {
+        rb_ary_push(userValues, rb_utf8_str_new_cstr((char *)pRenderedValues[i].AnsiStringVal));
+      }
+      break;
+    case EvtVarTypeSByte:
+      rbObj = INT2NUM((INT32)pRenderedValues[i].SByteVal);
+      rb_ary_push(userValues, rbObj);
+      break;
+    case EvtVarTypeByte:
+      rbObj = INT2NUM((UINT32)pRenderedValues[i].ByteVal);
+      rb_ary_push(userValues, rbObj);
+      break;
+    case EvtVarTypeInt16:
+      rbObj = INT2NUM((INT32)pRenderedValues[i].Int16Val);
+      rb_ary_push(userValues, rbObj);
+      break;
+    case EvtVarTypeUInt16:
+      rbObj = UINT2NUM((UINT32)pRenderedValues[i].UInt16Val);
+      rb_ary_push(userValues, rbObj);
+      break;
+    case EvtVarTypeInt32:
+      rbObj = INT2NUM(pRenderedValues[i].Int32Val);
+      rb_ary_push(userValues, rbObj);
+      break;
+    case EvtVarTypeUInt32:
+      rbObj = UINT2NUM(pRenderedValues[i].UInt32Val);
+      rb_ary_push(userValues, rbObj);
+      break;
+    case EvtVarTypeInt64:
+      rbObj = LONG2NUM(pRenderedValues[i].Int64Val);
+      rb_ary_push(userValues, rbObj);
+      break;
+    case EvtVarTypeUInt64:
+      rbObj = ULONG2NUM(pRenderedValues[i].UInt64Val);
+      rb_ary_push(userValues, rbObj);
+      break;
+    case EvtVarTypeSingle:
+      sprintf(result, "%f", pRenderedValues[i].SingleVal);
+      rb_ary_push(userValues, rb_utf8_str_new_cstr(result));
+      break;
+    case EvtVarTypeDouble:
+      sprintf(result, "%lf", pRenderedValues[i].DoubleVal);
+      rb_ary_push(userValues, rb_utf8_str_new_cstr(result));
+      break;
+    case EvtVarTypeBoolean:
+      result = pRenderedValues[i].BooleanVal ? "true" : "false";
+      rb_ary_push(userValues, rb_utf8_str_new_cstr(result));
+      break;
+    case EvtVarTypeHexInt32:
+      rbObj = ULONG2NUM(pRenderedValues[i].UInt32Val);
+      rbObj = rb_sprintf("%#x", rbObj);
+      rb_ary_push(userValues, rbObj);
+      break;
+    case EvtVarTypeHexInt64:
+      rbObj = ULONG2NUM(pRenderedValues[i].UInt64Val);
+      rbObj = rb_sprintf("%#x", rbObj);
+      rb_ary_push(userValues, rbObj);
+      break;
+    case EvtVarTypeGuid:
+      if (pRenderedValues[i].GuidVal != NULL) {
+        StringFromCLSID(pRenderedValues[i].GuidVal, &tmpWChar);
+        result = wstr_to_mbstr(CP_UTF8, tmpWChar, -1);
+        rb_ary_push(userValues, rb_utf8_str_new_cstr(result));
+      } else {
+        rb_ary_push(userValues, rb_utf8_str_new_cstr("?"));
+      }
+      break;
+    case EvtVarTypeSid:
+      if (ConvertSidToStringSidW(pRenderedValues[i].SidVal, &tmpWChar)) {
+        result = wstr_to_mbstr(CP_UTF8, tmpWChar, -1);
+        rb_ary_push(userValues, rb_utf8_str_new_cstr(result));
+      } else {
+        rb_ary_push(userValues, rb_utf8_str_new_cstr("?"));
+      }
+      break;
+    case EvtVarTypeFileTime:
+      timestamp.QuadPart = pRenderedValues[i].FileTimeVal;
+      ft.dwHighDateTime = timestamp.HighPart;
+      ft.dwLowDateTime  = timestamp.LowPart;
+      if (FileTimeToSystemTime( &ft, &st )) {
+        sprintf(strTime, "%04d-%02d-%02d %02d:%02d:%02d.%dZ",
+                st.wYear , st.wMonth , st.wDay ,
+                st.wHour , st.wMinute , st.wSecond,
+                st.wMilliseconds);
+        rb_ary_push(userValues, rb_utf8_str_new_cstr(strTime));
+      } else {
+        rb_ary_push(userValues, rb_utf8_str_new_cstr("?"));
+      }
+      break;
+    default:
+      rb_ary_push(userValues, rb_utf8_str_new_cstr("?"));
+      break;
+    }
+  }
+
+  if (buffer)
+    free(buffer);
+
+  return userValues;
+}
+
 char* get_description(EVT_HANDLE handle)
 {
 #define MAX_BUFFER 65535
@@ -208,11 +387,11 @@ char* get_description(EVT_HANDLE handle)
                             DONT_RESOLVE_DLL_REFERENCES | LOAD_LIBRARY_AS_DATAFILE);
 
     if(!FormatMessageW(FORMAT_MESSAGE_FROM_HMODULE | FORMAT_MESSAGE_IGNORE_INSERTS,
-                         hModule,
-                         eventId,
-                         0, // Use current code page. Users must specify character encoding in Ruby side.
-                         descriptionBuffer,
-                         MAX_BUFFER,
+                       hModule,
+                       eventId,
+                       0, // Use current code page. Users must specify character encoding in Ruby side.
+                       descriptionBuffer,
+                       MAX_BUFFER,
                        NULL)) {
       if (ERROR_MR_MID_NOT_FOUND == GetLastError()) {
         // clear buffer

data/lib/winevt/version.rb

@@ -1,3 +1,3 @@
 module Winevt
-  VERSION = "0.2.4"
+  VERSION = "0.3.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: winevt_c
 version: !ruby/object:Gem::Version
-  version: 0.2.4
+  version: 0.3.0
 platform: x64-mingw32
 authors:
 - Hiroshi Hatake
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-06-22 00:00:00.000000000 Z
+date: 2019-06-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler