[Win32utils-devel] Fwd: win32/process problem
Park Heesob
phasis at gmail.com
Fri Dec 7 12:05:22 EST 2007
Hi,
----- Original Message -----
From: "Daniel Berger" <djberg96 at gmail.com>
To: "Development and ideas for win32utils projects" <win32utils-devel at rubyforge.org>
Sent: Friday, December 07, 2007 11:24 AM
Subject: Re: [Win32utils-devel] Fwd: win32/process problem
> Heesob Park wrote:
>> Hi,
>>
>> 2007/12/7, Berger, Daniel <Daniel.Berger at qwest.com>:
>>
>> > -----Original Message-----
>> > From: win32utils-devel-bounces at rubyforge.org
>> > [mailto:win32utils-devel-bounces at rubyforge.org] On Behalf Of
>> > Daniel Berger
>> > Sent: Thursday, December 06, 2007 5:18 AM
>> > To: Development and ideas for win32utils projects
>> > Subject: Re: [Win32utils-devel] Fwd: win32/process problem
>> >
>> > Heesob Park wrote:
>> >
>> > <snip>
>> >
>> > > Though it is doubtful whether this is the cause or not,
>> > > inserting the following two lines before ProcessInfo.new (line #409 of
>> > > process.rb) might be helpful.
>> > >
>> > > CloseHandle(procinfo[8,4].unpack('L').first)
>> > > CloseHandle(procinfo[12,4].unpack('L').first)
>> >
>> > I'm somewhat afraid to do that, because I can't be sure other
>> > people aren't using the process handle afterwards.
>> >
>> > At the very least I should document that, however. Hmm, let
>> > me mull it over.
>>
>> Ok, what if we add a "close_handles" option to Process.create? If set to
>> true (the default), we'll close the handles automatically before
>> returning from the method. Users could explicitly set it to false if
>> they want to keep the handles open.
>>
>> Seem reasonable?
>>
>>
>> Yes, it seems reasonable.
>>
>> BTW, what are your thoughts on supporting Process.create as
>> a different user with the CreateProcessWithLoginW API?
>
> I think it's a good idea. Let's add a "with_logon" option as well. If
> set, it will call CreateProcessWithLoginW behind the scenes.
>
> Any chance I could get you to patch win32-eventlog to handle the other
> message files so I can work on this instead this weekend? BTW, I've made
> a couple minor commits since 0.4.6, so you'll want to grab the latest
> from CVS (there were some bugs in a few error messages).
>
First of all, I implemented the ParameterMessage formatting routine.
You can test it with the botp_sample_dmpi_security_log_2007_nov_27.evt file attached a few days ago.
Here is the get_description method code:
def get_description(rec, event_source, lkey)
  str = rec[rec[36,4].unpack('L')[0] .. -1]   # insert strings start at StringOffset
  num = rec[26,2].unpack('S')[0]              # NumStrings
  event_id = rec[20,4].unpack('L')[0]         # EventID
  hkey = [0].pack('L')
  key = BASE_KEY + "#{@source}\\#{event_source}"
  buf = 0.chr * 8192
  va_list0 = (num == 0) ? [] : str.unpack('Z*' * num)
  va_list = va_list0.dup   # always defined, even when there is no ParameterMessageFile

  if RegOpenKeyEx(lkey, key, 0, KEY_READ, hkey) == 0
    hkey = hkey.unpack('L')[0]

    # Resolve %%n parameter references inside the insert strings
    value = 'ParameterMessageFile'
    file = 0.chr * MAX_SIZE
    size = [file.length].pack('L')
    if RegQueryValueEx(hkey, value, 0, 0, file, size) == 0
      file = file.nstrip
      exe = 0.chr * MAX_SIZE
      ExpandEnvironmentStrings(file, exe, exe.size)
      exe = exe.nstrip
      va_list = va_list0.map{ |v|
        va = v
        v.scan(/%%(\d+)/).uniq.each { |x|
          buf = 0.chr * 8192   # clear the previous result before each lookup
          exe.split(';').each{ |file|
            hmodule = LoadLibraryEx(file, 0, DONT_RESOLVE_DLL_REFERENCES)
            if hmodule != 0
              # Parameter messages carry no %n inserts of their own
              FormatMessage(
                FORMAT_MESSAGE_FROM_HMODULE |
                FORMAT_MESSAGE_ARGUMENT_ARRAY,
                hmodule,
                x.first.to_i,
                0,
                buf,
                buf.size,
                v
              )
              FreeLibrary(hmodule)
              break if buf.nstrip != ""   # parameter text found
            end
          }
          va = va.gsub("%%#{x.first}", buf.nstrip)
        }
        va
      }
    end

    value = 'EventMessageFile'
    file = 0.chr * MAX_SIZE
    size = [file.length].pack('L')
    if RegQueryValueEx(hkey, value, 0, 0, file, size) == 0
      file = file.nstrip
      exe = 0.chr * MAX_SIZE
      ExpandEnvironmentStrings(file, exe, exe.size)
      exe = exe.nstrip

      # Try to retrieve the message *without* expanding the inserts yet
      buf = 0.chr * 8192
      exe.split(';').each{ |file|
        hmodule = LoadLibraryEx(file, 0, DONT_RESOLVE_DLL_REFERENCES)
        if hmodule != 0
          FormatMessage(
            FORMAT_MESSAGE_FROM_HMODULE |
            FORMAT_MESSAGE_IGNORE_INSERTS,
            hmodule,
            event_id,
            0,
            buf,
            buf.size,
            nil
          )
          FreeLibrary(hmodule)
          break if buf.nstrip != ""   # message template found
        end
      }

      # Determine the highest %n insert number used by the template
      max_insert = [num, buf.nstrip.scan(/%(\d+)/).map{ |x| x[0].to_i }.max].compact.max

      # Insert dummy strings for inserts not provided by the record, so that
      # FormatMessage never reads past the end of the argument array
      ((num+1)..(max_insert)).each { |x| va_list.push("%#{x}") }

      # Build the DWORD array of C string pointers that FormatMessage expects.
      # Keep the NUL-terminated copies referenced in cstrings so the GC cannot
      # collect them while FormatMessage is still reading through the pointers.
      if va_list.length == 0
        va_list_ptr = 0.chr * 4
      else
        cstrings = va_list.map{ |x| x + 0.chr }
        va_list_ptr = cstrings.map{ |s| [s].pack('P').unpack('L')[0] }.pack('L*')
      end

      # Now format the message with the inserts expanded
      buf = 0.chr * 8192
      exe.split(';').each{ |file|
        hmodule = LoadLibraryEx(file, 0, DONT_RESOLVE_DLL_REFERENCES)
        if hmodule != 0
          FormatMessage(
            FORMAT_MESSAGE_FROM_HMODULE |
            FORMAT_MESSAGE_ARGUMENT_ARRAY,
            hmodule,
            event_id,
            0,
            buf,
            buf.size,
            va_list_ptr
          )
          FreeLibrary(hmodule)
          break if buf.nstrip != ""   # formatted message found
        end
      }
    end
    RegCloseKey(hkey)
  end
  [va_list0, buf.strip]
end
Regards,
Park Heesob
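As an added illustration (not part of the message above and not the win32-eventlog project's own code), the following Ruby models the platform-independent part of get_description: reading EventID, NumStrings and StringOffset from a raw EVENTLOGRECORD at the same offsets the routine uses, resolving %%n parameter references in the insert strings, and expanding %n inserts in the message template, including the dummy "%n" fill for inserts the record did not supply. The registry lookups, LoadLibraryEx and FormatMessage are replaced by constructed in-memory tables (EVENT_MESSAGES, PARAMETER_MESSAGES) and the record bytes come from a constructed build_record helper, so it runs on any platform. One deliberate difference from the routine above: unresolved %%n references are left literal rather than replaced with an empty string, so nothing silently vanishes from a log line being reviewed.

```ruby
# Added example (not win32-eventlog's own code): a pure-Ruby model of the
# insert expansion performed by get_description. Registry lookups and
# FormatMessage are replaced by constructed in-memory tables.

# The EVENTLOGRECORD fixed header is 56 bytes; the offsets read below are the
# ones the mailing-list routine uses (EventID 20, NumStrings 26, StringOffset 36).
EVENTLOGRECORD_HEADER_SIZE = 56

# Constructed stand-in for EventMessageFile: event ID -> message template.
EVENT_MESSAGES = {
  1000 => "User %1 on %2: %3; status %4",
  1001 => "Service stopped"
}

# Constructed stand-in for ParameterMessageFile: %%n reference -> text.
PARAMETER_MESSAGES = {
  4352 => "Logon",
  4353 => "Logoff"
}

# Build a constructed record laid out as ReadEventLogA would return it:
# fixed header followed by NUL-terminated ANSI insert strings at StringOffset.
def build_record(event_id, strings)
  body = strings.map { |s| s + "\0" }.join.b
  header = [
    EVENTLOGRECORD_HEADER_SIZE + body.bytesize, # Length
    0x654c664c,                                 # Reserved ("LfLe" signature)
    1, 0, 0,                                    # RecordNumber, TimeGenerated, TimeWritten
    event_id,                                   # EventID
    8,                                          # EventType (AUDIT_SUCCESS)
    strings.size,                               # NumStrings
    0, 0,                                       # EventCategory, ReservedFlags
    0,                                          # ClosingRecordNumber
    EVENTLOGRECORD_HEADER_SIZE,                 # StringOffset
    0, 0, 0, 0                                  # UserSid*/Data* fields (unused here)
  ].pack('V5VvvvvVVV4')
  header + body
end

# Read the fields get_description needs from the raw record bytes.
def parse_record(rec)
  event_id   = rec[20, 4].unpack('V')[0]
  num        = rec[26, 2].unpack('v')[0]
  str_offset = rec[36, 4].unpack('V')[0]
  inserts    = num.zero? ? [] : rec[str_offset..-1].unpack('Z*' * num)
  { event_id: event_id, num_strings: num, inserts: inserts }
end

# Resolve %%n parameter references inside one insert string.
# Unknown references are left literal instead of being blanked.
def expand_parameters(insert)
  insert.gsub(/%%(\d+)/) { PARAMETER_MESSAGES.fetch($1.to_i) { $& } }
end

# Expand %n inserts in a template. As in the mailing-list routine, inserts the
# record did not supply are filled with a literal "%n", so a template whose
# highest insert exceeds NumStrings yields well-defined output instead of a
# read past the end of the argument array.
def format_event(template, inserts)
  va_list    = inserts.map { |v| expand_parameters(v) }
  num        = va_list.size
  max_insert = [num, template.scan(/%(\d+)/).map { |x| x[0].to_i }.max].compact.max
  ((num + 1)..max_insert).each { |x| va_list.push("%#{x}") }
  template.gsub(/%(\d+)/) do
    idx = $1.to_i
    idx.between?(1, va_list.size) ? va_list[idx - 1] : $&
  end
end

# End to end: raw record bytes -> [inserts, description], mirroring the
# [va_list0, buf.strip] return value of get_description.
def get_description_offline(rec)
  fields   = parse_record(rec)
  template = EVENT_MESSAGES[fields[:event_id]]
  return [fields[:inserts], ""] if template.nil?
  [fields[:inserts], format_event(template, fields[:inserts]).strip]
end

if __FILE__ == $0
  rec = build_record(1000, ["alice", "WORKSTATION7", "%%4352"])
  inserts, text = get_description_offline(rec)
  puts "inserts: #{inserts.inspect}"
  puts "text:    #{text}"
end
```

The constructed record supplies three insert strings while the template for event 1000 references %4, which is exactly the NumStrings-smaller-than-template case the dummy fill guards against; the output keeps "%4" visible so a reviewer can tell a missing insert apart from an empty one.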