From 004c57ee06453140c7cc2fc21fe5c25131709719 Mon Sep 17 00:00:00 2001
From: Hiroshi Hatake
Date: Thu, 25 Jul 2024 17:46:35 +0900
Subject: [PATCH] query: subscribe: utils: Provide an option to turn on/off for expanding SID

Signed-off-by: Hiroshi Hatake
---
 ext/winevt/winevt_c.h | 4 ++-
 ext/winevt/winevt_query.c | 46 ++++++++++++++++++++++++++++++++++-
 ext/winevt/winevt_subscribe.c | 46 ++++++++++++++++++++++++++++++++++-
 ext/winevt/winevt_utils.cpp | 5 ++--
 4 files changed, 96 insertions(+), 5 deletions(-)

diff --git a/ext/winevt/winevt_c.h b/ext/winevt/winevt_c.h
index baafc5e..d54605c 100644
--- a/ext/winevt/winevt_c.h
+++ b/ext/winevt/winevt_c.h
@@ -46,7 +46,7 @@ EVT_HANDLE connect_to_remote(LPWSTR computerName, LPWSTR domain,
 DWORD *error_code);
 WCHAR* get_description(EVT_HANDLE handle, LANGID langID, EVT_HANDLE hRemote);
 VALUE get_values(EVT_HANDLE handle);
-VALUE render_system_event(EVT_HANDLE handle, BOOL preserve_qualifiers);
+VALUE render_system_event(EVT_HANDLE handle, BOOL preserve_qualifiers, BOOL expandSID);
 LocaleInfo* get_locale_info_from_rb_str(VALUE rb_locale_str);
 
 #ifdef __cplusplus
@@ -101,6 +101,7 @@ struct WinevtQuery
 LONG timeout;
 BOOL renderAsXML;
 BOOL preserveQualifiers;
+ BOOL expandSID;
 LocaleInfo *localeInfo;
 EVT_HANDLE remoteHandle;
 };
@@ -122,6 +123,7 @@ struct WinevtSubscribe
 DWORD currentRate;
 BOOL renderAsXML;
 BOOL preserveQualifiers;
+ BOOL expandSID;
 LocaleInfo* localeInfo;
 EVT_HANDLE remoteHandle;
 };
diff --git a/ext/winevt/winevt_query.c b/ext/winevt/winevt_query.c
index 8778eb1..03ce631 100644
--- a/ext/winevt/winevt_query.c
+++ b/ext/winevt/winevt_query.c
@@ -153,6 +153,7 @@ rb_winevt_query_initialize(VALUE argc, VALUE *argv, VALUE self)
 winevtQuery->preserveQualifiers = FALSE;
 winevtQuery->localeInfo = &default_locale;
 winevtQuery->remoteHandle = hRemoteHandle;
+ winevtQuery->expandSID = TRUE;
 
 ALLOCV_END(wchannelBuf);
 ALLOCV_END(wpathBuf);
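Review bot: The `BOOL expandSID` parameter added to the `render_system_event` prototype in the winevt_c.h hunk is called `expandSID_p` in the definition in winevt_utils.cpp, and neither side says what the flag selects or what the UserID field holds when it is FALSE. I would use one name in both places and put the contract on the prototype, e.g. `/* expandSID: TRUE resolves EvtSystemUserID to an account name; FALSE (or a failed lookup) presumably leaves the string SID */`. The fallback is whatever the else branch in winevt_utils.cpp does, which this patch does not show, so confirm that wording against it before committing to it.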
@@ -274,7 +275,8 @@ rb_winevt_query_render(VALUE self, EVT_HANDLE event)
 if (winevtQuery->renderAsXML) {
 return render_to_rb_str(event, EvtRenderEventXml);
 } else {
- return render_system_event(event, winevtQuery->preserveQualifiers);
+ return render_system_event(event, winevtQuery->preserveQualifiers,
+ winevtQuery->expandSID);
 }
 }
 
@@ -535,6 +537,40 @@ rb_winevt_query_get_locale(VALUE self)
 }
 }
 
+/*
+ * This method specifies whether expanding SID or not.
+ *
+ * @param rb_expand_sid_p [Boolean]
+ */
+static VALUE
+rb_winevt_query_set_expand_sid(VALUE self, VALUE rb_expand_sid_p)
+{
+ struct WinevtQuery* winevtQuery;
+
+ TypedData_Get_Struct(
+ self, struct WinevtQuery, &rb_winevt_query_type, winevtQuery);
+
+ winevtQuery->expandSID = RTEST(rb_expand_sid_p);
+
+ return Qnil;
+}
+
+/*
+ * This method returns whether expanding SID or not.
+ *
+ * @return [Boolean]
+ */
+static VALUE
+rb_winevt_query_expand_sid_p(VALUE self)
+{
+ struct WinevtQuery* winevtQuery;
+
+ TypedData_Get_Struct(
+ self, struct WinevtQuery, &rb_winevt_query_type, winevtQuery);
+
+ return winevtQuery->expandSID ? Qtrue : Qfalse;
+}
+
 /*
 * This method cancels channel query.
 *
@@ -683,6 +719,14 @@ Init_winevt_query(VALUE rb_cEventLog)
 * @since 0.8.0
 */
 rb_define_method(rb_cQuery, "locale=", rb_winevt_query_set_locale, 1);
+ /*
+ * @since 0.10.3
+ */
+ rb_define_method(rb_cQuery, "expand_sid?", rb_winevt_query_expand_sid_p, 0);
+ /*
+ * @since 0.10.3
+ */
+ rb_define_method(rb_cQuery, "expand_sid=", rb_winevt_query_set_expand_sid, 1);
 /*
 * @since 0.9.1
 */
diff --git a/ext/winevt/winevt_subscribe.c b/ext/winevt/winevt_subscribe.c
index b8846f2..b3502ef 100644
--- a/ext/winevt/winevt_subscribe.c
+++ b/ext/winevt/winevt_subscribe.c
@@ -110,6 +110,7 @@ rb_winevt_subscribe_initialize(VALUE self)
 winevtSubscribe->readExistingEvents = TRUE;
 winevtSubscribe->preserveQualifiers = FALSE;
 winevtSubscribe->localeInfo = &default_locale;
+ winevtSubscribe->expandSID = TRUE;
 
 return Qnil;
 }
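Review bot: The comments on `rb_winevt_query_set_expand_sid` and `rb_winevt_query_expand_sid_p` in the @@ -535 hunk say only "whether expanding SID or not", which leaves a Ruby caller without the meaning of expansion, the default, or the effect on the rendered UserID. I would reword the setter comment to `This method specifies whether the UserID SID of each rendered event is resolved to an account name (true, the default) or left as the string form of the SID (false).` and add to the getter that the flag is read on every render by `rb_winevt_query_render`, so a change takes effect for the next rendered event. The "string form" fallback is inferred from the ConvertSidToStringSid path in winevt_utils.cpp, and resolution runs on the host executing this code rather than the host that produced the event, so for events fetched through `remoteHandle` the name may not match what the originating system would report; both points are worth a sentence in the comment once ExpandSIDWString confirms them.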
@@ -417,7 +418,8 @@ rb_winevt_subscribe_render(VALUE self, EVT_HANDLE event)
 if (winevtSubscribe->renderAsXML) {
 return render_to_rb_str(event, EvtRenderEventXml);
 } else {
- return render_system_event(event, winevtSubscribe->preserveQualifiers);
+ return render_system_event(event, winevtSubscribe->preserveQualifiers,
+ winevtSubscribe->expandSID);
 }
 }
 
@@ -674,6 +676,40 @@ rb_winevt_subscribe_get_locale(VALUE self)
 }
 }
 
+/*
+ * This method specifies whether expanding SID or not.
+ *
+ * @param rb_expand_sid_p [Boolean]
+ */
+static VALUE
+rb_winevt_subscribe_set_expand_sid(VALUE self, VALUE rb_expand_sid_p)
+{
+ struct WinevtSubscribe* winevtSubscribe;
+
+ TypedData_Get_Struct(
+ self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+
+ winevtSubscribe->expandSID = RTEST(rb_expand_sid_p);
+
+ return Qnil;
+}
+
+/*
+ * This method returns whether expanding SID or not.
+ *
+ * @return [Boolean]
+ */
+static VALUE
+rb_winevt_subscribe_expand_sid_p(VALUE self)
+{
+ struct WinevtSubscribe* winevtSubscribe;
+
+ TypedData_Get_Struct(
+ self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+
+ return winevtSubscribe->expandSID ? Qtrue : Qfalse;
+}
+
 /*
 * This method cancels channel subscription.
 *
@@ -771,6 +807,14 @@ Init_winevt_subscribe(VALUE rb_cEventLog)
 */
 rb_define_method(
 rb_cSubscribe, "locale=", rb_winevt_subscribe_set_locale, 1);
+ /*
+ * @since 0.10.3
+ */
+ rb_define_method(rb_cSubscribe, "expand_sid?", rb_winevt_subscribe_expand_sid_p, 0);
+ /*
+ * @since 0.10.3
+ */
+ rb_define_method(rb_cSubscribe, "expand_sid=", rb_winevt_subscribe_set_expand_sid, 1);
 /*
 * @since 0.9.1
 */
diff --git a/ext/winevt/winevt_utils.cpp b/ext/winevt/winevt_utils.cpp
index e92a378..63ba830 100644
--- a/ext/winevt/winevt_utils.cpp
+++ b/ext/winevt/winevt_utils.cpp
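Review bot: `rb_winevt_subscribe_render` in the @@ -417 hunk reads `winevtSubscribe->expandSID` on every event, so a caller can flip `expand_sid=` while a subscription is live and the UserID representation of later events silently switches between account name and string SID, which a downstream parser keyed on one format will not expect. That is acceptable behaviour, but it belongs in the setter's YARD comment in the @@ -674 hunk, e.g. `Takes effect for events rendered after the call; set it before consuming events if a uniform UserID format is required.` The default of TRUE set in `rb_winevt_subscribe_initialize` should be stated there as well.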
@@ -646,7 +646,7 @@ static int ExpandSIDWString(PSID sid, CHAR **out_expanded)
 }
 
 VALUE
-render_system_event(EVT_HANDLE hEvent, BOOL preserve_qualifiers)
+render_system_event(EVT_HANDLE hEvent, BOOL preserve_qualifiers, BOOL expandSID_p)
 {
 DWORD status = ERROR_SUCCESS;
 EVT_HANDLE hContext = NULL;
@@ -837,7 +837,8 @@ render_system_event(EVT_HANDLE hEvent, BOOL preserve_qualifiers)
 if (EvtVarTypeNull != pRenderedValues[EvtSystemUserID].Type) {
 if (ConvertSidToStringSid(pRenderedValues[EvtSystemUserID].SidVal, &pwsSid)) {
 CHAR *expandSID;
- if (ExpandSIDWString(pRenderedValues[EvtSystemUserID].SidVal,
+ if (expandSID_p &&
+ ExpandSIDWString(pRenderedValues[EvtSystemUserID].SidVal,
 &expandSID) == 0) {
 rbstr = rb_utf8_str_new_cstr(expandSID);
 } else {
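Review bot: In the @@ -837 hunk `CHAR *expandSID;` is left uninitialized whenever `expandSID_p` is FALSE, because the new short-circuit skips the `ExpandSIDWString` call that is the only visible writer of it; the rest of this branch and its cleanup lie outside the hunk, so if anything on the else path reads or frees `expandSID` it now operates on an indeterminate pointer. Initialize it, `CHAR *expandSID = NULL;`, so the non-expanding path is safe regardless of what follows. Separately, this definition names the parameter `expandSID_p` while the prototype in winevt_c.h names it `expandSID`; pick one so the header and the implementation read the same. render_system_event continues past both ends of this hunk.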