use of com.sun.jna.platform.win32.Winevt.EVT_HANDLE in project jna by java-native-access.
the class WevtapiTest method testEvtOpenPublisherEnum.
public void testEvtOpenPublisherEnum() throws Exception {
Winevt.EVT_RPC_LOGIN login = new Winevt.EVT_RPC_LOGIN("localhost", null, null, null, Winevt.EVT_RPC_LOGIN_FLAGS.EvtRpcLoginAuthDefault);
EVT_HANDLE session = null;
EVT_HANDLE publisherEnumHandle = null;
List<String> publisherList = new ArrayList<String>();
try {
session = Wevtapi.INSTANCE.EvtOpenSession(Winevt.EVT_LOGIN_CLASS.EvtRpcLogin, login, 0, 0);
if (session == null) {
throw new Win32Exception(Kernel32.INSTANCE.GetLastError());
}
publisherEnumHandle = Wevtapi.INSTANCE.EvtOpenPublisherEnum(session, 0);
if (publisherEnumHandle == null) {
throw new Win32Exception(Kernel32.INSTANCE.GetLastError());
}
String providerName;
while (true) {
try {
providerName = WevtapiUtil.EvtNextPublisherId(publisherEnumHandle);
} catch (Win32Exception e) {
if (e.getErrorCode() == WinError.ERROR_NO_MORE_ITEMS) {
break;
} else {
throw e;
}
}
publisherList.add(providerName);
}
assertThat(publisherList.size() > 0, is(true));
} finally {
if (publisherEnumHandle != null) {
Wevtapi.INSTANCE.EvtClose(publisherEnumHandle);
}
if (session != null) {
Wevtapi.INSTANCE.EvtClose(session);
}
}
}
use of com.sun.jna.platform.win32.Winevt.EVT_HANDLE in project jna by java-native-access.
the class WevtapiTest method testEvtOpenChannelEnum.
public void testEvtOpenChannelEnum() throws Exception {
EVT_HANDLE channelHandle = null;
List<String> channelList = new ArrayList<String>();
try {
channelHandle = Wevtapi.INSTANCE.EvtOpenChannelEnum(null, 0);
if (channelHandle == null) {
throw new Win32Exception(Kernel32.INSTANCE.GetLastError());
}
char[] buff = new char[1024];
IntByReference buffUsed = new IntByReference();
while (true) {
if (!Wevtapi.INSTANCE.EvtNextChannelPath(channelHandle, buff.length, buff, buffUsed)) {
if (Kernel32.INSTANCE.GetLastError() == WinError.ERROR_NO_MORE_ITEMS) {
break;
} else if (Kernel32.INSTANCE.GetLastError() == WinError.ERROR_INSUFFICIENT_BUFFER) {
buff = new char[buffUsed.getValue()];
if (!Wevtapi.INSTANCE.EvtNextChannelPath(channelHandle, buff.length, buff, buffUsed)) {
throw new Win32Exception(Kernel32.INSTANCE.GetLastError());
}
}
}
channelList.add(Native.toString(buff));
}
assertThat(channelList.size() > 0, is(true));
} finally {
if (channelHandle != null) {
Wevtapi.INSTANCE.EvtClose(channelHandle);
}
}
}
use of com.sun.jna.platform.win32.Winevt.EVT_HANDLE in project jna by java-native-access.
the class WevtapiTest method testEvtOpenLog.
public void testEvtOpenLog() throws Exception {
File testEvtx = new File(getClass().getResource("/res/WevtapiTest.sample1.evtx").toURI());
EVT_HANDLE logHandle = Wevtapi.INSTANCE.EvtOpenLog(null, testEvtx.getAbsolutePath(), Winevt.EVT_OPEN_LOG_FLAGS.EvtOpenFilePath);
if (logHandle == null) {
throw new Win32Exception(Kernel32.INSTANCE.GetLastError());
}
Memory buff = new Memory(1024);
IntByReference buffUsed = new IntByReference();
if (!Wevtapi.INSTANCE.EvtGetLogInfo(logHandle, Winevt.EVT_LOG_PROPERTY_ID.EvtLogFileSize, (int) buff.size(), buff, buffUsed)) {
if (Kernel32.INSTANCE.GetLastError() == WinError.ERROR_INSUFFICIENT_BUFFER) {
buff = new Memory(buffUsed.getValue());
if (!Wevtapi.INSTANCE.EvtGetLogInfo(logHandle, Winevt.EVT_LOG_PROPERTY_ID.EvtLogFileSize, (int) buff.size(), buff, buffUsed)) {
throw new Win32Exception(Kernel32.INSTANCE.GetLastError());
}
} else {
throw new Win32Exception(Kernel32.INSTANCE.GetLastError());
}
}
assertThat(buff.getLong(0), is(69632L));
}
use of com.sun.jna.platform.win32.Winevt.EVT_HANDLE in project jna by java-native-access.
the class WevtapiTest method testModifyChannelConfig.
public void testModifyChannelConfig() throws Exception {
EVT_HANDLE channelHandle = null;
try {
channelHandle = Wevtapi.INSTANCE.EvtOpenChannelConfig(null, "Application", 0);
assertNotNull(channelHandle);
Winevt.EVT_VARIANT evtVariant = WevtapiUtil.EvtGetChannelConfigProperty(channelHandle, EVT_CHANNEL_CONFIG_PROPERTY_ID.EvtChannelConfigClassicEventlog);
assertThat(((WinDef.BOOL) evtVariant.getValue()).booleanValue(), is(true));
Winevt.EVT_VARIANT setter = new Winevt.EVT_VARIANT();
setter.setValue(Winevt.EVT_VARIANT_TYPE.EvtVarTypeBoolean, new BOOL(false));
Wevtapi.INSTANCE.EvtSetChannelConfigProperty(channelHandle, EVT_CHANNEL_CONFIG_PROPERTY_ID.EvtChannelConfigClassicEventlog, 0, setter);
evtVariant = WevtapiUtil.EvtGetChannelConfigProperty(channelHandle, EVT_CHANNEL_CONFIG_PROPERTY_ID.EvtChannelConfigClassicEventlog);
assertThat(((WinDef.BOOL) evtVariant.getValue()).booleanValue(), is(false));
setter.setValue(Winevt.EVT_VARIANT_TYPE.EvtVarTypeBoolean, new BOOL(true));
Wevtapi.INSTANCE.EvtSetChannelConfigProperty(channelHandle, EVT_CHANNEL_CONFIG_PROPERTY_ID.EvtChannelConfigClassicEventlog, 0, setter);
evtVariant = WevtapiUtil.EvtGetChannelConfigProperty(channelHandle, EVT_CHANNEL_CONFIG_PROPERTY_ID.EvtChannelConfigClassicEventlog);
assertThat(((WinDef.BOOL) evtVariant.getValue()).booleanValue(), is(true));
// Writing back is skipped neighter is EvtChannelConfigClassicEventlog
// writable, nor is it a good idea to mess with the log of the developer machine
} finally {
if (channelHandle != null) {
Wevtapi.INSTANCE.EvtClose(channelHandle);
}
}
}
use of com.sun.jna.platform.win32.Winevt.EVT_HANDLE in project jna by java-native-access.
the class WevtapiTest method testReadEvents.
public void testReadEvents() throws Exception {
EVT_HANDLE queryHandle = null;
EVT_HANDLE contextHandle = null;
File testEvtx = new File(getClass().getResource("/res/WevtapiTest.sample1.evtx").toURI());
StringBuilder sb = new StringBuilder();
try {
// test EvtQuery
queryHandle = Wevtapi.INSTANCE.EvtQuery(null, testEvtx.getPath(), null, Winevt.EVT_QUERY_FLAGS.EvtQueryFilePath);
// test EvtCreateRenderContext
String[] targets = { "Event/System/Provider/@Name", "Event/System/EventRecordID", "Event/System/EventID", "Event/EventData/Data", "Event/System/TimeCreated/@SystemTime" };
contextHandle = Wevtapi.INSTANCE.EvtCreateRenderContext(targets.length, targets, Winevt.EVT_RENDER_CONTEXT_FLAGS.EvtRenderContextValues);
// test EvtNext
int eventArraySize = 10;
int evtNextTimeout = 1000;
int arrayIndex = 0;
EVT_HANDLE[] eventArray = new EVT_HANDLE[eventArraySize];
IntByReference returned = new IntByReference();
SimpleDateFormat dateFormat = new SimpleDateFormat("yyyy-MM-dd");
while (Wevtapi.INSTANCE.EvtNext(queryHandle, eventArraySize, eventArray, evtNextTimeout, 0, returned)) {
// test EvtRender
Memory buff;
IntByReference propertyCount = new IntByReference();
Winevt.EVT_VARIANT evtVariant = new Winevt.EVT_VARIANT();
for (int i = 0; i < returned.getValue(); i++) {
buff = WevtapiUtil.EvtRender(contextHandle, eventArray[i], Winevt.EVT_RENDER_FLAGS.EvtRenderEventValues, propertyCount);
assertThat("PropertyCount", propertyCount.getValue(), is(5));
useMemory(evtVariant, buff, 0);
assertThat("Provider Name", (String) evtVariant.getValue(), is("testSource"));
sb.append((String) evtVariant.getValue());
useMemory(evtVariant, buff, 1);
assertThat("EventRecordID", (Long) evtVariant.getValue(), is((long) arrayIndex * eventArraySize + i + 1));
useMemory(evtVariant, buff, 2);
assertThat("EventID", (Short) evtVariant.getValue(), is((short) (5000 + (arrayIndex * eventArraySize + i + 1))));
useMemory(evtVariant, buff, 3);
String[] args = (String[]) evtVariant.getValue();
assertThat("Data#length", args.length, is(1));
assertThat("Data#value", args[0], is("testMessage" + (arrayIndex * eventArraySize + i + 1)));
useMemory(evtVariant, buff, 4);
Date systemtime = ((WinBase.FILETIME) evtVariant.getValue()).toDate();
assertThat("TimeCreated", dateFormat.format(systemtime), is("2016-08-17"));
}
arrayIndex++;
}
if (Kernel32.INSTANCE.GetLastError() != WinError.ERROR_SUCCESS && Kernel32.INSTANCE.GetLastError() != WinError.ERROR_NO_MORE_ITEMS) {
throw new Win32Exception(Kernel32.INSTANCE.GetLastError());
}
assertThat(sb.length() > 0, is(true));
} finally {
// test EvtClose
if (queryHandle != null) {
Wevtapi.INSTANCE.EvtClose(queryHandle);
}
if (contextHandle != null) {
Wevtapi.INSTANCE.EvtClose(contextHandle);
}
}
// =========== Test accessing binary data and empty value ================
queryHandle = null;
contextHandle = null;
testEvtx = new File(getClass().getResource("/res/WevtapiTest.sample2.evtx").toURI());
try {
queryHandle = Wevtapi.INSTANCE.EvtQuery(null, testEvtx.getPath(), null, Winevt.EVT_QUERY_FLAGS.EvtQueryFilePath);
String[] targets = { "Event/EventData/Binary", "Event/System/Correlation" };
contextHandle = Wevtapi.INSTANCE.EvtCreateRenderContext(targets.length, targets, Winevt.EVT_RENDER_CONTEXT_FLAGS.EvtRenderContextValues);
int read = 0;
int eventArraySize = 1;
int evtNextTimeout = 1000;
EVT_HANDLE[] eventArray = new EVT_HANDLE[eventArraySize];
IntByReference returned = new IntByReference();
while (Wevtapi.INSTANCE.EvtNext(queryHandle, eventArraySize, eventArray, evtNextTimeout, 0, returned)) {
Memory buff;
IntByReference propertyCount = new IntByReference();
Winevt.EVT_VARIANT evtVariant = new Winevt.EVT_VARIANT();
for (int i = 0; i < returned.getValue(); i++) {
read++;
buff = WevtapiUtil.EvtRender(contextHandle, eventArray[i], Winevt.EVT_RENDER_FLAGS.EvtRenderEventValues, propertyCount);
assertThat("PropertyCount", propertyCount.getValue(), is(2));
useMemory(evtVariant, buff, 0);
assertThat("Binary", (byte[]) evtVariant.getValue(), is(new byte[] { (byte) 0xD9, (byte) 0x06, 0, 0 }));
useMemory(evtVariant, buff, 1);
assertThat("Correlation", evtVariant.getValue(), nullValue());
}
}
assertThat(read, is(1));
} finally {
// test EvtClose
if (queryHandle != null) {
Wevtapi.INSTANCE.EvtClose(queryHandle);
}
if (contextHandle != null) {
Wevtapi.INSTANCE.EvtClose(contextHandle);
}
}
// =========== Test accessing GUID + SID data ================
queryHandle = null;
contextHandle = null;
testEvtx = new File(getClass().getResource("/res/WevtapiTest.sample3.evtx").toURI());
try {
queryHandle = Wevtapi.INSTANCE.EvtQuery(null, testEvtx.getPath(), null, Winevt.EVT_QUERY_FLAGS.EvtQueryFilePath);
String[] targets = { "Event/System/Security/@UserID", "Event/System/Provider/@Guid" };
contextHandle = Wevtapi.INSTANCE.EvtCreateRenderContext(targets.length, targets, Winevt.EVT_RENDER_CONTEXT_FLAGS.EvtRenderContextValues);
int read = 0;
int eventArraySize = 1;
int evtNextTimeout = 1000;
EVT_HANDLE[] eventArray = new EVT_HANDLE[eventArraySize];
IntByReference returned = new IntByReference();
while (Wevtapi.INSTANCE.EvtNext(queryHandle, eventArraySize, eventArray, evtNextTimeout, 0, returned)) {
Memory buff;
IntByReference propertyCount = new IntByReference();
Winevt.EVT_VARIANT evtVariant = new Winevt.EVT_VARIANT();
for (int i = 0; i < returned.getValue(); i++) {
read++;
buff = WevtapiUtil.EvtRender(contextHandle, eventArray[i], Winevt.EVT_RENDER_FLAGS.EvtRenderEventValues, propertyCount);
assertThat("PropertyCount", propertyCount.getValue(), is(2));
useMemory(evtVariant, buff, 0);
assertThat("Security#UserID", ((WinNT.PSID) evtVariant.getValue()).getSidString(), is("S-1-5-21-3178902164-3053647283-518304804-1001"));
useMemory(evtVariant, buff, 1);
assertThat("Provider#GUID", ((Guid.GUID) evtVariant.getValue()).toGuidString(), is("{B0AA8734-56F7-41CC-B2F4-DE228E98B946}"));
}
}
assertThat(read, is(1));
} finally {
// test EvtClose
if (queryHandle != null) {
Wevtapi.INSTANCE.EvtClose(queryHandle);
}
if (contextHandle != null) {
Wevtapi.INSTANCE.EvtClose(contextHandle);
}
}
}
Aggregations