2016-10-25 23:50:31 +00:00
|
|
|
/*
|
|
|
|
|
* PROJECT: ReactOS EventLog File Library
|
|
|
|
|
* LICENSE: GPL - See COPYING in the top level directory
|
|
|
|
|
* FILE: sdk/lib/evtlib/evtlib.h
|
2017-08-11 12:37:15 +00:00
|
|
|
* PURPOSE: Provides functionality for reading and writing
|
|
|
|
|
* EventLog files in the NT <= 5.2 (.evt) format.
|
2016-10-25 23:50:31 +00:00
|
|
|
* PROGRAMMERS: Copyright 2005 Saveliy Tretiakov
|
|
|
|
|
* Michael Martin
|
|
|
|
|
* Hermes Belusca-Maito
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#ifndef __EVTLIB_H__
|
|
|
|
|
#define __EVTLIB_H__
|
|
|
|
|
|
2017-08-11 12:37:15 +00:00
|
|
|
#pragma once
|
|
|
|
|
|
2018-01-27 15:07:17 +00:00
|
|
|
#ifdef __cplusplus
|
|
|
|
|
extern "C" {
|
|
|
|
|
#endif
|
|
|
|
|
|
2016-10-25 23:50:31 +00:00
|
|
|
/* PSDK/NDK Headers */
|
|
|
|
|
// #define WIN32_NO_STATUS
|
|
|
|
|
// #include <windef.h>
|
|
|
|
|
// #include <winbase.h>
|
|
|
|
|
// #include <winnt.h>
|
|
|
|
|
|
|
|
|
|
#define NTOS_MODE_USER
|
|
|
|
|
#include <ndk/rtlfuncs.h>
|
|
|
|
|
|
|
|
|
|
#ifndef ROUND_DOWN
|
|
|
|
|
#define ROUND_DOWN(n, align) (((ULONG)n) & ~((align) - 1l))
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
#ifndef ROUND_UP
|
|
|
|
|
#define ROUND_UP(n, align) ROUND_DOWN(((ULONG)n) + (align) - 1, (align))
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Our file format will be compatible with NT's
|
|
|
|
|
*/
|
|
|
|
|
#define MAJORVER 1
|
|
|
|
|
#define MINORVER 1
|
|
|
|
|
#define LOGFILE_SIGNATURE 0x654c664c // "LfLe"
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Flags used in the logfile header
|
|
|
|
|
*/
|
|
|
|
|
#define ELF_LOGFILE_HEADER_DIRTY 1
|
|
|
|
|
#define ELF_LOGFILE_HEADER_WRAP 2
|
|
|
|
|
#define ELF_LOGFILE_LOGFULL_WRITTEN 4
|
|
|
|
|
#define ELF_LOGFILE_ARCHIVE_SET 8
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* On-disk event log structures (log file header, event record and EOF record).
|
|
|
|
|
* NOTE: Contrary to what MSDN claims, both the EVENTLOGHEADER and EVENTLOGEOF
|
|
|
|
|
* structures are absent from winnt.h .
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include <pshpack4.h> // pshpack1
|
|
|
|
|
|
|
|
|
|
// ELF_LOGFILE_HEADER
|
|
|
|
|
typedef struct _EVENTLOGHEADER
|
|
|
|
|
{
|
|
|
|
|
ULONG HeaderSize;
|
|
|
|
|
ULONG Signature;
|
|
|
|
|
ULONG MajorVersion;
|
|
|
|
|
ULONG MinorVersion;
|
|
|
|
|
ULONG StartOffset;
|
|
|
|
|
ULONG EndOffset;
|
|
|
|
|
ULONG CurrentRecordNumber;
|
|
|
|
|
ULONG OldestRecordNumber;
|
|
|
|
|
ULONG MaxSize;
|
|
|
|
|
ULONG Flags;
|
|
|
|
|
ULONG Retention;
|
|
|
|
|
ULONG EndHeaderSize;
|
|
|
|
|
} EVENTLOGHEADER, *PEVENTLOGHEADER;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* Those flags and structure are defined in winnt.h */
|
|
|
|
|
#ifndef _WINNT_
|
|
|
|
|
|
|
|
|
|
/* EventType flags */
|
|
|
|
|
#define EVENTLOG_SUCCESS 0
|
|
|
|
|
#define EVENTLOG_ERROR_TYPE 1
|
|
|
|
|
#define EVENTLOG_WARNING_TYPE 2
|
|
|
|
|
#define EVENTLOG_INFORMATION_TYPE 4
|
|
|
|
|
#define EVENTLOG_AUDIT_SUCCESS 8
|
|
|
|
|
#define EVENTLOG_AUDIT_FAILURE 16
|
|
|
|
|
|
|
|
|
|
typedef struct _EVENTLOGRECORD
|
|
|
|
|
{
|
|
|
|
|
ULONG Length; /* Length of full record, including the data portion */
|
|
|
|
|
ULONG Reserved;
|
|
|
|
|
ULONG RecordNumber;
|
|
|
|
|
ULONG TimeGenerated;
|
|
|
|
|
ULONG TimeWritten;
|
|
|
|
|
ULONG EventID;
|
|
|
|
|
USHORT EventType;
|
|
|
|
|
USHORT NumStrings; /* Number of strings in the 'Strings' array */
|
|
|
|
|
USHORT EventCategory;
|
|
|
|
|
USHORT ReservedFlags;
|
|
|
|
|
ULONG ClosingRecordNumber;
|
|
|
|
|
ULONG StringOffset;
|
|
|
|
|
ULONG UserSidLength;
|
|
|
|
|
ULONG UserSidOffset;
|
|
|
|
|
ULONG DataLength; /* Length of the data portion */
|
|
|
|
|
ULONG DataOffset; /* Offset from beginning of record */
|
|
|
|
|
/*
|
|
|
|
|
* Length-varying data:
|
|
|
|
|
*
|
|
|
|
|
* WCHAR SourceName[];
|
|
|
|
|
* WCHAR ComputerName[];
|
|
|
|
|
* SID UserSid; // Must be aligned on a DWORD boundary
|
|
|
|
|
* WCHAR Strings[];
|
|
|
|
|
* BYTE Data[];
|
|
|
|
|
* CHAR Pad[]; // Padding for DWORD boundary
|
|
|
|
|
* ULONG Length; // Same as the first 'Length' member at the beginning
|
|
|
|
|
*/
|
|
|
|
|
} EVENTLOGRECORD, *PEVENTLOGRECORD;
|
|
|
|
|
|
|
|
|
|
#endif // _WINNT_
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// ELF_EOF_RECORD
|
|
|
|
|
typedef struct _EVENTLOGEOF
|
|
|
|
|
{
|
|
|
|
|
ULONG RecordSizeBeginning;
|
|
|
|
|
ULONG Ones;
|
|
|
|
|
ULONG Twos;
|
|
|
|
|
ULONG Threes;
|
|
|
|
|
ULONG Fours;
|
|
|
|
|
ULONG BeginRecord;
|
|
|
|
|
ULONG EndRecord;
|
|
|
|
|
ULONG CurrentRecordNumber;
|
|
|
|
|
ULONG OldestRecordNumber;
|
|
|
|
|
ULONG RecordSizeEnd;
|
|
|
|
|
} EVENTLOGEOF, *PEVENTLOGEOF;
|
|
|
|
|
|
|
|
|
|
#define EVENTLOGEOF_SIZE_FIXED (5 * sizeof(ULONG))
|
|
|
|
|
C_ASSERT(EVENTLOGEOF_SIZE_FIXED == FIELD_OFFSET(EVENTLOGEOF, BeginRecord));
|
|
|
|
|
|
|
|
|
|
#include <poppack.h>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
typedef struct _EVENT_OFFSET_INFO
|
|
|
|
|
{
|
|
|
|
|
ULONG EventNumber;
|
|
|
|
|
ULONG EventOffset;
|
|
|
|
|
} EVENT_OFFSET_INFO, *PEVENT_OFFSET_INFO;
|
|
|
|
|
|
|
|
|
|
#define TAG_ELF ' flE'
|
|
|
|
|
#define TAG_ELF_BUF 'BflE'
|
|
|
|
|
|
|
|
|
|
struct _EVTLOGFILE;
|
|
|
|
|
|
|
|
|
|
typedef PVOID
|
|
|
|
|
(NTAPI *PELF_ALLOCATE_ROUTINE)(
|
|
|
|
|
IN SIZE_T Size,
|
|
|
|
|
IN ULONG Flags,
|
|
|
|
|
IN ULONG Tag
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
typedef VOID
|
|
|
|
|
(NTAPI *PELF_FREE_ROUTINE)(
|
|
|
|
|
IN PVOID Ptr,
|
2017-08-11 12:37:15 +00:00
|
|
|
IN ULONG Flags,
|
|
|
|
|
IN ULONG Tag
|
2016-10-25 23:50:31 +00:00
|
|
|
);
|
|
|
|
|
|
|
|
|
|
typedef NTSTATUS
|
|
|
|
|
(NTAPI *PELF_FILE_READ_ROUTINE)(
|
|
|
|
|
IN struct _EVTLOGFILE* LogFile,
|
|
|
|
|
IN PLARGE_INTEGER FileOffset,
|
|
|
|
|
OUT PVOID Buffer,
|
|
|
|
|
IN SIZE_T Length,
|
|
|
|
|
OUT PSIZE_T ReadLength OPTIONAL
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
typedef NTSTATUS
|
|
|
|
|
(NTAPI *PELF_FILE_WRITE_ROUTINE)(
|
|
|
|
|
IN struct _EVTLOGFILE* LogFile,
|
|
|
|
|
IN PLARGE_INTEGER FileOffset,
|
|
|
|
|
IN PVOID Buffer,
|
|
|
|
|
IN SIZE_T Length,
|
|
|
|
|
OUT PSIZE_T WrittenLength OPTIONAL
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
typedef NTSTATUS
|
|
|
|
|
(NTAPI *PELF_FILE_SET_SIZE_ROUTINE)(
|
|
|
|
|
IN struct _EVTLOGFILE* LogFile,
|
|
|
|
|
IN ULONG FileSize,
|
|
|
|
|
IN ULONG OldFileSize
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
typedef NTSTATUS
|
|
|
|
|
(NTAPI *PELF_FILE_FLUSH_ROUTINE)(
|
|
|
|
|
IN struct _EVTLOGFILE* LogFile,
|
|
|
|
|
IN PLARGE_INTEGER FileOffset,
|
|
|
|
|
IN ULONG Length
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
typedef struct _EVTLOGFILE
|
|
|
|
|
{
|
|
|
|
|
PELF_ALLOCATE_ROUTINE Allocate;
|
|
|
|
|
PELF_FREE_ROUTINE Free;
|
|
|
|
|
PELF_FILE_SET_SIZE_ROUTINE FileSetSize;
|
|
|
|
|
PELF_FILE_WRITE_ROUTINE FileWrite;
|
|
|
|
|
PELF_FILE_READ_ROUTINE FileRead;
|
|
|
|
|
PELF_FILE_FLUSH_ROUTINE FileFlush;
|
|
|
|
|
|
|
|
|
|
EVENTLOGHEADER Header;
|
|
|
|
|
ULONG CurrentSize; /* Equivalent to the file size, is <= MaxSize and can be extended to MaxSize if needed */
|
|
|
|
|
UNICODE_STRING FileName;
|
|
|
|
|
PEVENT_OFFSET_INFO OffsetInfo;
|
|
|
|
|
ULONG OffsetInfoSize;
|
|
|
|
|
ULONG OffsetInfoNext;
|
|
|
|
|
BOOLEAN ReadOnly;
|
|
|
|
|
} EVTLOGFILE, *PEVTLOGFILE;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
NTSTATUS
|
|
|
|
|
NTAPI
|
|
|
|
|
ElfCreateFile(
|
2017-08-11 12:37:15 +00:00
|
|
|
IN OUT PEVTLOGFILE LogFile,
|
2016-10-25 23:50:31 +00:00
|
|
|
IN PUNICODE_STRING FileName OPTIONAL,
|
|
|
|
|
IN ULONG FileSize,
|
|
|
|
|
IN ULONG MaxSize,
|
|
|
|
|
IN ULONG Retention,
|
|
|
|
|
IN BOOLEAN CreateNew,
|
|
|
|
|
IN BOOLEAN ReadOnly,
|
|
|
|
|
IN PELF_ALLOCATE_ROUTINE Allocate,
|
|
|
|
|
IN PELF_FREE_ROUTINE Free,
|
|
|
|
|
IN PELF_FILE_SET_SIZE_ROUTINE FileSetSize,
|
|
|
|
|
IN PELF_FILE_WRITE_ROUTINE FileWrite,
|
|
|
|
|
IN PELF_FILE_READ_ROUTINE FileRead,
|
|
|
|
|
IN PELF_FILE_FLUSH_ROUTINE FileFlush); // What about Seek ??
|
|
|
|
|
|
|
|
|
|
NTSTATUS
|
|
|
|
|
NTAPI
|
|
|
|
|
ElfReCreateFile(
|
|
|
|
|
IN PEVTLOGFILE LogFile);
|
|
|
|
|
|
|
|
|
|
// NTSTATUS
|
|
|
|
|
// ElfClearFile(PEVTLOGFILE LogFile);
|
|
|
|
|
|
|
|
|
|
NTSTATUS
|
|
|
|
|
NTAPI
|
|
|
|
|
ElfBackupFile(
|
|
|
|
|
IN PEVTLOGFILE LogFile,
|
|
|
|
|
IN PEVTLOGFILE BackupLogFile);
|
|
|
|
|
|
|
|
|
|
NTSTATUS
|
|
|
|
|
NTAPI
|
|
|
|
|
ElfFlushFile(
|
|
|
|
|
IN PEVTLOGFILE LogFile);
|
|
|
|
|
|
|
|
|
|
VOID
|
|
|
|
|
NTAPI
|
|
|
|
|
ElfCloseFile( // ElfFree
|
|
|
|
|
IN PEVTLOGFILE LogFile);
|
|
|
|
|
|
|
|
|
|
NTSTATUS
|
|
|
|
|
NTAPI
|
|
|
|
|
ElfReadRecord(
|
|
|
|
|
IN PEVTLOGFILE LogFile,
|
|
|
|
|
IN ULONG RecordNumber,
|
|
|
|
|
OUT PEVENTLOGRECORD Record,
|
|
|
|
|
IN SIZE_T BufSize, // Length
|
|
|
|
|
OUT PSIZE_T BytesRead OPTIONAL,
|
|
|
|
|
OUT PSIZE_T BytesNeeded OPTIONAL);
|
|
|
|
|
|
|
|
|
|
NTSTATUS
|
|
|
|
|
NTAPI
|
|
|
|
|
ElfWriteRecord(
|
|
|
|
|
IN PEVTLOGFILE LogFile,
|
|
|
|
|
IN PEVENTLOGRECORD Record,
|
|
|
|
|
IN SIZE_T BufSize);
|
|
|
|
|
|
|
|
|
|
ULONG
|
|
|
|
|
NTAPI
|
|
|
|
|
ElfGetOldestRecord(
|
|
|
|
|
IN PEVTLOGFILE LogFile);
|
|
|
|
|
|
|
|
|
|
ULONG
|
|
|
|
|
NTAPI
|
|
|
|
|
ElfGetCurrentRecord(
|
|
|
|
|
IN PEVTLOGFILE LogFile);
|
|
|
|
|
|
|
|
|
|
ULONG
|
|
|
|
|
NTAPI
|
|
|
|
|
ElfGetFlags(
|
|
|
|
|
IN PEVTLOGFILE LogFile);
|
|
|
|
|
|
|
|
|
|
#if DBG
|
|
|
|
|
VOID PRINT_HEADER(PEVENTLOGHEADER Header);
|
|
|
|
|
#endif
|
|
|
|
|
|
2018-01-27 15:07:17 +00:00
|
|
|
#ifdef __cplusplus
|
|
|
|
|
}
|
|
|
|
|
#endif
|
2016-10-25 23:50:31 +00:00
|
|
|
#endif /* __EVTLIB_H__ */
|
