yay yay working event logging

git-svn-id: file:///home/svn/incoming/trunk@2641 4d416f70-5f16-0410-b530-b9f4589650da

lib/rex/post/meterpreter/extensions/stdapi/constants.rb

@@ -154,3 +154,13 @@ THREAD_ALL_ACCESS           = STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x3FF
 ##
 
 CREATE_SUSPENDED            = 0x00000004
+
+##
+#
+# Event Log
+#
+##
+EVENTLOG_SEQUENTIAL_READ    = 0x00000001
+EVENTLOG_SEEK_READ          = 0x00000002
+EVENTLOG_FORWARDS_READ      = 0x00000004
+EVENTLOG_BACKWARDS_READ     = 0x00000008

lib/rex/post/meterpreter/extensions/stdapi/net/socket.rb

@@ -1,7 +1,7 @@
 #!/usr/bin/ruby
 
 require 'thread'
-require 'Rex/Socket/Stream'
+require 'Rex/Socket/Tcp'
 require 'Rex/Post/Meterpreter/Extensions/Stdapi/Tlv'
 require 'Rex/Post/Meterpreter/Extensions/Stdapi/Net/SocketSubsystem/TcpClientChannel'
 
@@ -76,7 +76,7 @@ class Socket
 				# representation of the left side of the socket for
 				# the caller to use
 				if (channel != nil)
-					res = Rex::Socket::Stream.new(channel.lsock, nil, nil, nil)
+					res = Rex::Socket::Tcp.new(channel.lsock)
 				end
 			elsif (params.udp?)
 				if (params.server?)

lib/rex/post/meterpreter/extensions/stdapi/stdapi.rb

@@ -11,6 +11,7 @@ require 'Rex/Post/Meterpreter/Extensions/Stdapi/Net/Config'
 require 'Rex/Post/Meterpreter/Extensions/Stdapi/Net/Socket'
 require 'Rex/Post/Meterpreter/Extensions/Stdapi/Sys/Process'
 require 'Rex/Post/Meterpreter/Extensions/Stdapi/Sys/Registry'
+require 'Rex/Post/Meterpreter/Extensions/Stdapi/Sys/EventLog'
 require 'Rex/Post/Meterpreter/Extensions/Stdapi/UI'
 
 module Rex
@@ -49,7 +50,8 @@ class Stdapi < Extension
 					'ext'  => ObjectAliases.new(
 						{
 							'process'  => self.process,
-							'registry' => self.registry
+							'registry' => self.registry,
+							'eventlog' => self.eventlog
 						})
 				},
 				{
@@ -99,6 +101,11 @@ class Stdapi < Extension
 	def registry
 		brand(Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Registry)
 	end
+
+	# Returns a copy of the EventLog class
+	def eventlog
+		brand(Rex::Post::Meterpreter::Extensions::Stdapi::Sys::EventLog)
+	end
 end
 
 end; end; end; end; end

lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb

@@ -0,0 +1,144 @@
+#!/usr/bin/ruby
+
+require 'Rex/Post/Process'
+require 'Rex/Post/Meterpreter/Packet'
+require 'Rex/Post/Meterpreter/Client'
+require 'Rex/Post/Meterpreter/Extensions/Stdapi/Constants'
+require 'Rex/Post/Meterpreter/Extensions/Stdapi/Stdapi'
+require 'Rex/Post/Meterpreter/Extensions/Stdapi/Sys/EventLogSubsystem/EventRecord'
+
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Stdapi
+module Sys
+
+###
+#
+# Event Log
+# --------
+#
+# This class provides access to the Windows event log on the remote 
+# machine.
+#
+###
+class EventLog
+
+	class <<self
+		attr_accessor :client
+	end
+
+	#
+	# Opens the supplied event log.
+	#
+	#--
+	# NOTE: should support UNCServerName sometime
+	#++
+	#
+	def EventLog.open(name)
+		request = Packet.create_request('stdapi_sys_eventlog_open')
+
+		request.add_tlv(TLV_TYPE_EVENT_SOURCENAME, name);
+
+		response = client.send_request(request)
+
+		return self.new(response.get_tlv_value(TLV_TYPE_EVENT_HANDLE))
+	end
+
+	##
+	#
+	# Event Log Instance Stuffs!
+	#
+	##
+
+#	protected
+
+	attr_accessor :handle
+	attr_accessor :client
+
+	public 
+
+	def initialize(hand)
+		self.client = self.class.client
+		self.handle = hand
+	end
+
+	#
+	# Return the number of records in the event log
+	#
+	def length
+		request = Packet.create_request('stdapi_sys_eventlog_numrecords')
+
+		request.add_tlv(TLV_TYPE_EVENT_HANDLE, self.handle);
+
+		response = client.send_request(request)
+
+		return response.get_tlv_value(TLV_TYPE_EVENT_NUMRECORDS)
+	end
+
+	# the low level read function (takes flags, not hash, etc)
+	def _read(flags, offset = 0)
+		request = Packet.create_request('stdapi_sys_eventlog_read')
+
+		request.add_tlv(TLV_TYPE_EVENT_HANDLE, self.handle)
+		request.add_tlv(TLV_TYPE_EVENT_READFLAGS, flags)
+		request.add_tlv(TLV_TYPE_EVENT_RECORDOFFSET, offset)
+
+		response = client.send_request(request)
+
+		EventLogSubsystem::EventRecord.new(
+		  response.get_tlv_value(TLV_TYPE_EVENT_RECORDNUMBER),
+		  response.get_tlv_value(TLV_TYPE_EVENT_TIMEGENERATED),
+		  response.get_tlv_value(TLV_TYPE_EVENT_TIMEWRITTEN),
+		  response.get_tlv_value(TLV_TYPE_EVENT_ID),
+		  response.get_tlv_value(TLV_TYPE_EVENT_TYPE),
+		  response.get_tlv_value(TLV_TYPE_EVENT_CATEGORY),
+		  response.get_tlv_values(TLV_TYPE_EVENT_STRING),
+		  response.get_tlv_value(TLV_TYPE_EVENT_DATA)
+		)
+	end
+
+	#
+	# Read the eventlog forwards, meaning from oldest to newest.
+	# Returns a EventRecord, and throws an exception after no more records
+	#
+	def read_forwards
+		_read(EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ)
+	end
+
+	#
+	# Iterator for read_forwards
+	#
+	def each_forwards
+		begin
+			loop do
+				yield(read_forwards)
+			end
+		rescue Exception
+		end
+	end
+	#
+	# Read the eventlog backwards, meaning from newest to oldest.
+	# Returns a EventRecord, and throws an exception after no more records
+	#
+	def read_backwards
+		_read(EVENTLOG_SEQUENTIAL_READ | EVENTLOG_BACKWARDS_READ)
+	end
+
+	#
+	# Iterator for read_backwards
+	#
+	def each_backwards
+		begin
+			loop do
+				yield(read_backwards)
+			end
+		rescue Exception
+		end
+	end
+
+
+end
+
+end end end end end end

lib/rex/post/meterpreter/extensions/stdapi/sys/event_log_subsystem/event_record.rb

@@ -0,0 +1,44 @@
+#!/usr/bin/ruby
+
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Stdapi
+module Sys
+module EventLogSubsystem
+
+###
+#
+# Event Record
+# --------
+#
+# This class encapsulates the data from an event log record.
+#
+###
+class EventRecord
+
+	attr_reader :num, :generated, :written, :eventid,
+	            :type, :category, :strings, :data
+
+	protected
+
+	attr_writer :num, :generated, :written, :eventid,
+	            :type, :category, :strings, :data
+
+	public 
+
+	def initialize(recnum, timegen, timewri, id, type, cat, strs, data)
+		self.num       = recnum
+		self.generated = Time.at(timegen)
+		self.written   = Time.at(timewri)
+		self.eventid   = id
+		self.type      = type
+		self.category  = cat
+		self.strings   = strs
+		self.data      = data
+	end
+
+end
+
+end end end end end end end

lib/rex/post/meterpreter/extensions/stdapi/tlv.rb

@@ -126,4 +126,25 @@ TLV_TYPE_REGISTER           = TLV_META_TYPE_GROUP   | 2550
 ##
 TLV_TYPE_IDLE_TIME          = TLV_META_TYPE_UINT    | 3000
 
+##
+#
+# Event Log
+#
+##
+TLV_TYPE_EVENT_SOURCENAME   = TLV_META_TYPE_STRING  | 4000
+TLV_TYPE_EVENT_HANDLE       = TLV_META_TYPE_UINT    | 4001
+TLV_TYPE_EVENT_NUMRECORDS   = TLV_META_TYPE_UINT    | 4002
+
+TLV_TYPE_EVENT_READFLAGS    = TLV_META_TYPE_UINT    | 4003
+TLV_TYPE_EVENT_RECORDOFFSET = TLV_META_TYPE_UINT    | 4004
+
+TLV_TYPE_EVENT_RECORDNUMBER = TLV_META_TYPE_UINT    | 4006
+TLV_TYPE_EVENT_TIMEGENERATED= TLV_META_TYPE_UINT    | 4007
+TLV_TYPE_EVENT_TIMEWRITTEN  = TLV_META_TYPE_UINT    | 4008
+TLV_TYPE_EVENT_ID           = TLV_META_TYPE_UINT    | 4009
+TLV_TYPE_EVENT_TYPE         = TLV_META_TYPE_UINT    | 4010
+TLV_TYPE_EVENT_CATEGORY     = TLV_META_TYPE_UINT    | 4011
+TLV_TYPE_EVENT_STRING       = TLV_META_TYPE_STRING  | 4012
+TLV_TYPE_EVENT_DATA         = TLV_META_TYPE_RAW     | 4013
+
 end; end; end; end; end