[Win32utils-devel] Fwd: win32/process problem

Park Heesob phasis at gmail.com
Fri Dec 7 12:05:22 EST 2007


Hi,
----- Original Message ----- 
From: "Daniel Berger" <djberg96 at gmail.com>
To: "Development and ideas for win32utils projects" <win32utils-devel at rubyforge.org>
Sent: Friday, December 07, 2007 11:24 AM
Subject: Re: [Win32utils-devel] Fwd: win32/process problem


> Heesob Park wrote:
>> Hi,
>> 
>> 2007/12/7, Berger, Daniel <Daniel.Berger at qwest.com>:
>> 
>>      > -----Original Message-----
>>      > From: win32utils-devel-bounces at rubyforge.org
>>      > [mailto:win32utils-devel-bounces at rubyforge.org] On Behalf Of
>>      > Daniel Berger
>>      > Sent: Thursday, December 06, 2007 5:18 AM
>>      > To: Development and ideas for win32utils projects
>>      > Subject: Re: [Win32utils-devel] Fwd: win32/process problem
>>      >
>>      > Heesob Park wrote:
>>      >
>>      > <snip>
>>      >
>>      > > Though it is doubtful whether this is the cause or not,
>>      > > inserting the following two lines before ProcessInfo.new
>>      > > (line #409 of process.rb) might be helpful.
>>      > >
>>      > >       CloseHandle(procinfo[8,4].unpack('L').first)
>>      > >       CloseHandle(procinfo[12,4].unpack('L').first)
>>      >
>>      > I'm somewhat afraid to do that, because I can't be sure other
>>      > people aren't using the process handle afterwards.
>>      >
>>      > At the very least I should document that, however. Hmm, let
>>      > me mull it over.
>> 
>>     Ok, what if we add a "close_handles" option to Process.create? If set to
>>     true (the default), we'll close the handles automatically before
>>     returning from the method. Users could explicitly set it to false if
>>     they want to keep the handles open.
>> 
>>     Seem reasonable?
>> 
>>  
>> Yes, it seems reasonable.
>>  
>> BTW, what do you think about supporting Process.create as 
>> a different user with the CreateProcessWithLoginW API?
> 
> I think it's a good idea. Let's add a "with_logon" option as well. If 
> set, it will call CreateProcessWithLoginW behind the scenes.
> 
> Any chance I could get you to patch win32-eventlog to handle the other 
> message files so I can work on this instead this weekend? BTW, I've made 
> a couple minor commits since 0.4.6, so you'll want to grab the latest 
> from CVS (there were some bugs in a few error messages).
> 

First of all, I implemented the ParameterMessage formatting routine.
You can test it with the botp_sample_dmpi_security_log_2007_nov_27.evt file attached a few days ago.
Here is the get_description method code:

      # Build the description text for one EVENTLOGRECORD. Returns the raw
      # insertion strings and the fully expanded message.
      def get_description(rec, event_source, lkey)
         str      = rec[rec[36,4].unpack('L')[0] .. -1]  # StringOffset
         num      = rec[26,2].unpack('S')[0]             # NumStrings
         event_id = rec[20,4].unpack('L')[0]             # EventID
         hkey     = [0].pack('L')
         key      = BASE_KEY + "#{@source}\\#{event_source}"
         buf      = 0.chr * 8192
         va_list0 = (num == 0) ? [] : str.unpack('Z*' * num)
         va_list  = va_list0.dup # used unchanged if there is no ParameterMessageFile

         if RegOpenKeyEx(lkey, key, 0, KEY_READ, hkey) == 0
            hkey = hkey.unpack('L')[0]

            # Phase 1: resolve %%n references inside the insertion strings
            # (e.g. "%%1840" in the security log) via the ParameterMessageFile.
            value = 'ParameterMessageFile'
            file  = 0.chr * MAX_SIZE
            size  = [file.length].pack('L')

            if RegQueryValueEx(hkey, value, 0, 0, file, size) == 0
               file = file.nstrip
               exe  = 0.chr * MAX_SIZE
               ExpandEnvironmentStrings(file, exe, exe.size)
               exe = exe.nstrip

               va_list = va_list0.map{ |v|
                  va = v
                  v.scan(/%%(\d+)/).uniq.each{ |x|
                     buf = 0.chr * 8192 # do not reuse the previous parameter text
                     exe.split(';').each{ |dll|
                        hmodule = LoadLibraryEx(dll, 0, DONT_RESOLVE_DLL_REFERENCES)
                        if hmodule != 0
                           FormatMessage(
                              FORMAT_MESSAGE_FROM_HMODULE |
                              FORMAT_MESSAGE_ARGUMENT_ARRAY,
                              hmodule,
                              x.first.to_i,
                              0,
                              buf,
                              buf.size,
                              v
                           )
                           FreeLibrary(hmodule)
                           break if buf.nstrip != "" # parameter message found
                        end
                     }
                     va = va.gsub("%%#{x.first}", buf.nstrip)
                  }
                  va
               }
            end

            # Phase 2: fetch the event's message template from the
            # EventMessageFile and expand its %n inserts.
            value = 'EventMessageFile'
            file  = 0.chr * MAX_SIZE
            size  = [file.length].pack('L')

            if RegQueryValueEx(hkey, value, 0, 0, file, size) == 0
               file = file.nstrip
               exe  = 0.chr * MAX_SIZE
               ExpandEnvironmentStrings(file, exe, exe.size)
               exe = exe.nstrip
               buf = 0.chr * 8192 # do not let phase 1 output leak into the result

               # Retrieve the template *without* expanding the inserts yet
               exe.split(';').each{ |dll|
                  hmodule = LoadLibraryEx(dll, 0, DONT_RESOLVE_DLL_REFERENCES)
                  if hmodule != 0
                     FormatMessage(
                        FORMAT_MESSAGE_FROM_HMODULE |
                        FORMAT_MESSAGE_IGNORE_INSERTS,
                        hmodule,
                        event_id,
                        0,
                        buf,
                        buf.size,
                        nil
                     )
                     FreeLibrary(hmodule)
                     break if buf.nstrip != "" # template found
                  end
               }

               # Determine the highest %n insert number used by the template
               max_insert = [num, buf.nstrip.scan(/%(\d+)/).map{ |x| x[0].to_i }.max].compact.max

               # Supply dummy strings for inserts the record did not provide,
               # so FormatMessage never reads past the end of the argument array
               ((num+1)..(max_insert)).each{ |x| va_list.push("%#{x}") }

               if va_list.length == 0
                  va_list_ptr = 0.chr * 4
               else
                  # Keep the NUL-terminated copies referenced from va_strs so
                  # they cannot be garbage collected while FormatMessage still
                  # holds their addresses
                  va_strs     = va_list.map{ |x| x + 0.chr }
                  va_list_ptr = va_strs.map{ |s| [s].pack('P').unpack('L')[0] }.pack('L*')
               end

               exe.split(';').each{ |dll|
                  hmodule = LoadLibraryEx(dll, 0, DONT_RESOLVE_DLL_REFERENCES)
                  if hmodule != 0
                     FormatMessage(
                        FORMAT_MESSAGE_FROM_HMODULE |
                        FORMAT_MESSAGE_ARGUMENT_ARRAY,
                        hmodule,
                        event_id,
                        0,
                        buf,
                        buf.size,
                        va_list_ptr
                     )
                     FreeLibrary(hmodule)
                     break if buf.nstrip != "" # message expanded
                  end
               }
            end

            RegCloseKey(hkey)
         end

         [va_list0, buf.strip]
      end


Regards,

Park Heesob
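The two-phase insert expansion that get_description performs through FormatMessage, modelled in pure Ruby as an added example (this is not code from the message above or from win32-eventlog). The message-table DLLs are replaced by plain hashes, and the EVENTLOGRECORD is constructed inline with the header layout from winnt.h so that the same field reads as the method above (EventID at offset 20, NumStrings at 26, StringOffset at 36) apply. The event and parameter message contents are made up for the demonstration, and the model handles only the %n and %%n forms, not FormatMessage's wider escape syntax.

```ruby
# Added example: pure-Ruby model of get_description's insert expansion.
# Message-table DLLs are stood in for by hashes; the record is constructed.

# Constructed stand-in for an EventMessageFile message table (event id => template).
# FormatMessage templates refer to the record's insertion strings as %1, %2, ...
EVENT_MESSAGES = {
  4624 => "An account was successfully logged on.\r\n\r\nSubject: %1\r\nLogon Type: %2\r\nStatus: %3"
}

# Constructed stand-in for a ParameterMessageFile table. A "%%n" inside an
# insertion string is not literal text; it names message n in this table.
PARAMETER_MESSAGES = {
  1840 => "Interactive",
  1841 => "Network"
}

EVENTLOGRECORD_SIZE = 56 # fixed-size header; the strings follow at StringOffset

# Build a minimal EVENTLOGRECORD: the fixed header laid out as in winnt.h
# (six DWORDs, four WORDs, six DWORDs) followed by NUL-terminated inserts.
def build_record(event_id, strings)
  body = strings.map { |s| s + "\0" }.join
  header = [
    EVENTLOGRECORD_SIZE + body.bytesize, 0, 1, 0, 0, event_id, # Length .. EventID (offset 20)
    4, strings.length, 0, 0,                                  # EventType, NumStrings (offset 26), ...
    0, EVENTLOGRECORD_SIZE, 0, 0, 0, 0                        # ClosingRecordNumber, StringOffset (offset 36), ...
  ].pack('L6S4L6')
  (header + body).b
end

# Same field reads as get_description: EventID, NumStrings, then NumStrings
# NUL-terminated strings starting at StringOffset.
def parse_record(rec)
  event_id   = rec[20, 4].unpack('L')[0]
  num        = rec[26, 2].unpack('S')[0]
  str_offset = rec[36, 4].unpack('L')[0]
  inserts    = num.zero? ? [] : rec[str_offset..-1].unpack('Z*' * num)
  [event_id, inserts]
end

# Phase 1 (ParameterMessageFile): replace each %%n in an insertion string
# with parameter message n; ids that are not in the table are left untouched.
def expand_parameters(inserts, param_table)
  inserts.map { |v| v.gsub(/%%(\d+)/) { param_table[$1.to_i] || $& } }
end

# Stand-in for FormatMessage with FORMAT_MESSAGE_ARGUMENT_ARRAY: %n becomes
# args[n-1]. The real API would read past the end of a too-short array,
# which is why the caller pads the array before calling it; this model
# returns "%n" for a missing argument instead.
def format_message(table, id, args)
  template = table[id]
  return nil if template.nil?
  template.gsub(/%(\d+)/) { args[$1.to_i - 1] || "%#{$1}" }
end

# Phase 2 (EventMessageFile): fetch the template, pad the argument list up to
# the highest %n it uses, then expand. Returns [raw inserts, description].
def describe(event_table, param_table, rec)
  event_id, inserts = parse_record(rec)
  args = expand_parameters(inserts, param_table)
  template = event_table[event_id]
  return [inserts, ""] if template.nil?
  max_insert = [args.length, template.scan(/%(\d+)/).map { |m| m[0].to_i }.max].compact.max
  ((args.length + 1)..max_insert).each { |n| args << "%#{n}" }
  [inserts, format_message(event_table, event_id, args)]
end

if __FILE__ == $0
  rec = build_record(4624, ["DOMAIN\\alice", "%%1840", "0x0"])
  inserts, text = describe(EVENT_MESSAGES, PARAMETER_MESSAGES, rec)
  puts inserts.inspect
  puts text
end
```

The padding step in describe is the part worth noticing: a record that carries fewer strings than the template references would, with the real FormatMessage and FORMAT_MESSAGE_ARGUMENT_ARRAY, make the API read pointers beyond the end of the array; padding with "%n" placeholders keeps the lookup in bounds and leaves a visible marker for the missing insert.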
