Class: Rex::Post::Meterpreter::Extensions::Stdapi::Sys::EventLog

Inherits:
Object
Defined in:
lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb

Overview

This class provides access to the Windows event log on the remote machine.





Constructor Details

#initialize(hand) ⇒ EventLog

Initializes an instance of the eventlog manipulator.



# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 61

# Initializes an instance of the eventlog manipulator.
#
# @param hand [Object] the remote event log handle as returned by +open+
#   (an opaque TLV value; its concrete type is not visible here)
def initialize(hand)
	self.handle = hand
	self.client = self.class.client
	# Register a finalizer so the remote handle is released when this object
	# is garbage collected. The finalizer proc captures only client and
	# handle, so it does not reference (and keep alive) this instance.
	ObjectSpace.define_finalizer(self, self.class.finalize(client, handle))
end

Class Attribute Details

.clientObject

Returns the value of attribute client.



# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 27

# Class-level client attribute.
#
# @return [Object, nil] the value of +@client+, or nil when it has not
#   been assigned yet
def client
  instance_variable_get(:@client)
end

Instance Attribute Details

#clientObject

:nodoc:



# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 54

# Instance-level client attribute (set from the class-level client in
# +initialize+).
#
# @return [Object, nil] the value of +@client+, or nil when unset
def client
  instance_variable_get(:@client)
end

#handleObject

Event Log Instance Stuffs!



# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 53

# Remote event log handle this instance operates on (assigned in
# +initialize+, sent with every request as TLV_TYPE_EVENT_HANDLE).
#
# @return [Object, nil] the value of +@handle+, or nil when unset
def handle
  instance_variable_get(:@handle)
end

Class Method Details

.close(client, handle) ⇒ Object

Close the event log



# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 180

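# Close the event log on the remote side.
#
# @param client [Object] the client to send the request through
# @param handle [Object] the remote event log handle to close
# @return [nil] always; the response is not inspected
def self.close(client, handle)
	request = Packet.create_request('stdapi_sys_eventlog_close')
	request.add_tlv(TLV_TYPE_EVENT_HANDLE, handle)
	# The explicit nil second argument is kept as in the original call; its
	# meaning belongs to send_request (presumably a timeout) -- confirm there.
	client.send_request(request, nil)
	nil
end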

.finalize(client, handle) ⇒ Object



# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 67

# Build the finalizer registered by +initialize+.
#
# A +proc+ (not a lambda) is returned on purpose: ObjectSpace invokes the
# finalizer with the object id as an argument, and a zero-arity lambda
# would raise ArgumentError on that call.
#
# @param client [Object] client to close the handle through
# @param handle [Object] remote event log handle
# @return [Proc] closes the handle via +close+ when invoked
def self.finalize(client, handle)
	proc do
		close(client, handle)
	end
end

.open(name) ⇒ Object

Opens the supplied event log.

NOTE: should support UNCServerName sometime.



# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 37

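# Opens the supplied event log.
#
# NOTE: should support UNCServerName sometime.
#
# Defined as +def self.open+ for consistency with the other class methods
# (+close+, +finalize+); inside the class body this is equivalent to
# +def EventLog.open+.
#
# @param name [String] name of the event log to open (sent as
#   TLV_TYPE_EVENT_SOURCENAME)
# @return [EventLog] a new instance wrapping the handle returned by the
#   remote side
def self.open(name)
	request = Packet.create_request('stdapi_sys_eventlog_open')
	request.add_tlv(TLV_TYPE_EVENT_SOURCENAME, name)

	response = client.send_request(request)

	new(response.get_tlv_value(TLV_TYPE_EVENT_HANDLE))
end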

Instance Method Details

#_read(flags, offset = 0) ⇒ Object

the low level read function (takes flags, not hash, etc).



# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 87

# The low level read function (takes flags, not hash, etc).
#
# @param flags [Integer] EVENTLOG_* read flags sent as
#   TLV_TYPE_EVENT_READFLAGS
# @param offset [Integer] record offset sent as TLV_TYPE_EVENT_RECORDOFFSET
# @return [EventLogSubsystem::EventRecord] the record built from the
#   response TLVs
def _read(flags, offset = 0)
	request = Packet.create_request('stdapi_sys_eventlog_read')

	[
		[TLV_TYPE_EVENT_HANDLE, handle],
		[TLV_TYPE_EVENT_READFLAGS, flags],
		[TLV_TYPE_EVENT_RECORDOFFSET, offset]
	].each { |type, value| request.add_tlv(type, value) }

	response = client.send_request(request)

	# Single-valued fields, in EventRecord.new positional order.
	fields = [
		TLV_TYPE_EVENT_RECORDNUMBER,
		TLV_TYPE_EVENT_TIMEGENERATED,
		TLV_TYPE_EVENT_TIMEWRITTEN,
		TLV_TYPE_EVENT_ID,
		TLV_TYPE_EVENT_TYPE,
		TLV_TYPE_EVENT_CATEGORY
	].map { |type| response.get_tlv_value(type) }
	# Event strings are multi-valued, hence get_tlv_values (plural).
	strings = response.get_tlv_values(TLV_TYPE_EVENT_STRING)
	data = response.get_tlv_value(TLV_TYPE_EVENT_DATA)

	EventLogSubsystem::EventRecord.new(*fields, strings, data)
end

#clearObject

Clear the specified event log (and return nil).

I should eventually support BackupFile.



# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 168

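# Clear the specified event log.
#
# NOTE: BackupFile is not supported yet (see the author's note above).
#
# @return [EventLog] self, so the call can be chained; the response is
#   not inspected
def clear
	request = Packet.create_request('stdapi_sys_eventlog_clear')
	request.add_tlv(TLV_TYPE_EVENT_HANDLE, handle)

	client.send_request(request)
	self
end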

#closeObject

Instance method



# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 188

# Instance method: close this event log by delegating to the class-level
# +close+ with this instance's client and handle.
#
# @return [nil]
def close
	self.class.close(client, handle)
end

#each_backwardsObject

Iterator for read_backwards.



# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 139

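# Iterator for read_backwards: yields records from newest to oldest until
# read_backwards raises, which is how the end of the log is signalled.
#
# Only StandardError is treated as the end-of-log signal. The original
# rescued ::Exception, which also swallowed Interrupt and SystemExit and
# made the walk impossible to abort; those now propagate.
# NOTE(review): if send_request reports end-of-log with an exception
# outside StandardError, widen the rescue accordingly -- confirm there.
# Errors raised inside the block are still swallowed (pre-existing).
#
# @yield [record] each record returned by read_backwards
# @return [nil]
def each_backwards
	loop do
		yield(read_backwards)
	end
rescue ::StandardError
	nil
end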

#each_forwardsObject

Iterator for read_forwards.



# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 119

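# Iterator for read_forwards: yields records from oldest to newest until
# read_forwards raises, which is how the end of the log is signalled.
#
# Only StandardError is treated as the end-of-log signal. The original
# rescued ::Exception, which also swallowed Interrupt and SystemExit and
# made the walk impossible to abort; those now propagate.
# NOTE(review): if send_request reports end-of-log with an exception
# outside StandardError, widen the rescue accordingly -- confirm there.
# Errors raised inside the block are still swallowed (pre-existing).
#
# @yield [record] each record returned by read_forwards
# @return [nil]
def each_forwards
	loop do
		yield(read_forwards)
	end
rescue ::StandardError
	nil
end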

#lengthObject

Return the number of records in the event log.



# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 74

# Return the number of records in the event log.
#
# @return [Object] the TLV_TYPE_EVENT_NUMRECORDS value from the response
#   (presumably an Integer -- not visible here)
def length
	request = Packet.create_request('stdapi_sys_eventlog_numrecords')
	request.add_tlv(TLV_TYPE_EVENT_HANDLE, handle)

	client.send_request(request).get_tlv_value(TLV_TYPE_EVENT_NUMRECORDS)
end

#oldestObject

Return the record number of the oldest event (not necessarily 1).



# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 151

# Return the record number of the oldest event (not necessarily 1).
#
# @return [Object] the TLV_TYPE_EVENT_RECORDNUMBER value from the response
#   (presumably an Integer -- not visible here)
def oldest
	request = Packet.create_request('stdapi_sys_eventlog_oldest')
	request.add_tlv(TLV_TYPE_EVENT_HANDLE, handle)

	client.send_request(request).get_tlv_value(TLV_TYPE_EVENT_RECORDNUMBER)
end

#read_backwardsObject

Read the event log backwards, meaning from newest to oldest. Returns an EventRecord, and raises an exception once no more records remain.



# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 132

# Read the event log backwards (newest to oldest), one record per call.
#
# @return [EventLogSubsystem::EventRecord] the next record
# @raise whatever +_read+ raises once no more records remain
def read_backwards
	flags = EVENTLOG_BACKWARDS_READ | EVENTLOG_SEQUENTIAL_READ
	_read(flags)
end

#read_forwardsObject

Read the event log forwards, meaning from oldest to newest. Returns an EventRecord, and raises an exception once no more records remain.



# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb', line 112

# Read the event log forwards (oldest to newest), one record per call.
#
# @return [EventLogSubsystem::EventRecord] the next record
# @raise whatever +_read+ raises once no more records remain
def read_forwards
	flags = EVENTLOG_FORWARDS_READ | EVENTLOG_SEQUENTIAL_READ
	_read(flags)
end