From 1f9829dfde858f7bbe6bc1bc4e31df8fd9de8f29 Mon Sep 17 00:00:00 2001
From: ramonn
Date: Fri, 14 Jun 2013 10:58:24 +0000
Subject: [PATCH] 2013-06-14 Ramon Novoa
 * modules/pandora_module_logevent.h, modules/pandora_module_logevent.cc: Merged from 4.0 branch. Improved the reading of log event descriptions.
git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@8330 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f
---
 pandora_agents/win32/ChangeLog | 6 ++++++
 .../win32/modules/pandora_module_logevent.cc | 14 +++++++++-----
 .../win32/modules/pandora_module_logevent.h | 2 +-
 3 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/pandora_agents/win32/ChangeLog b/pandora_agents/win32/ChangeLog
index f6c34378a8..756f8d52dc 100644
--- a/pandora_agents/win32/ChangeLog
+++ b/pandora_agents/win32/ChangeLog
@@ -1,3 +1,9 @@
+2013-06-14 Ramon Novoa
+
+ * modules/pandora_module_logevent.h,
+ modules/pandora_module_logevent.cc: Merged from 4.0 branch. Improved
+ the reading of log event descriptions.
+
 2013-04-17 Ramon Novoa
 * windows/pandora_wmi.cc: Fixed a bug when concatenating multiple ip
diff --git a/pandora_agents/win32/modules/pandora_module_logevent.cc b/pandora_agents/win32/modules/pandora_module_logevent.cc
index ef049faabe..117f773586 100755
--- a/pandora_agents/win32/modules/pandora_module_logevent.cc
+++ b/pandora_agents/win32/modules/pandora_module_logevent.cc
@@ -245,10 +245,14 @@ Pandora_Module_Logevent::getLogEvents (list &event_list, unsigned char d
 // Process read events
 while (read > 0) {
- // Retrieve the event description
- getEventDescription (pevlr, description);
+ // Retrieve the event description (LOAD_LIBRARY_AS_IMAGE_RESOURCE | LOAD_LIBRARY_AS_DATAFILE)
+ getEventDescription (pevlr, description, 0x20 | 0x02);
 if (description[0] == '\0') {
- strcpy (description, "N/A");
+ // Retrieve the event description (DONT_RESOLVE_DLL_REFERENCES)
+ getEventDescription (pevlr, description, DONT_RESOLVE_DLL_REFERENCES);
+ if (description[0] == '\0') {
+ strcpy (description, "N/A");
+ }
 }
 // Filter the event
@@ -349,7 +353,7 @@ Pandora_Module_Logevent::timestampToSystemtime (string timestamp, SYSTEMTIME *sy
 * @return 0 if the description could be retrieved, -1 otherwise.
 */
 void
- Pandora_Module_Logevent::getEventDescription (PEVENTLOGRECORD pevlr, char *message) {
+ Pandora_Module_Logevent::getEventDescription (PEVENTLOGRECORD pevlr, char *message, DWORD flags) {
 int i, j, len, offset;
 LPBYTE data = 0;
 HMODULE module = 0;
@@ -412,7 +416,7 @@ Pandora_Module_Logevent::getEventDescription (PEVENTLOGRECORD pevlr, char *messa
 while (1) {
 // Load the DLL
- module = LoadLibraryEx (dll_start, 0, 0x20 | 2);
+ module = LoadLibraryEx (dll_start, 0, flags);
 if(module == NULL) {
 pandoraDebug("LoadLibraryEx error %d. Exe file path %s.", GetLastError(), exe_file_path);
 } else {
diff --git a/pandora_agents/win32/modules/pandora_module_logevent.h b/pandora_agents/win32/modules/pandora_module_logevent.h
index 90108aabd4..f0e4a759bc 100755
--- a/pandora_agents/win32/modules/pandora_module_logevent.h
+++ b/pandora_agents/win32/modules/pandora_module_logevent.h
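Review bot: The first call passes the raw mask `0x20 | 0x02` while the comment beside it and the fallback call on the next lines use symbolic names, so the intent is only recoverable from the comment; `getEventDescription (pevlr, description, LOAD_LIBRARY_AS_IMAGE_RESOURCE | LOAD_LIBRARY_AS_DATAFILE);` would read the same as the fallback line, provided the build's headers define LOAD_LIBRARY_AS_IMAGE_RESOURCE (otherwise a named constant in the module header). The fallback also deserves a why-comment, because DONT_RESOLVE_DLL_REFERENCES maps the message file as a module rather than as a data file, which Microsoft documents as provided only for backward compatibility, and the path appears to come from the event source's registration rather than from the agent itself — I cannot confirm that from this hunk. Something like `// Fallback: some message files cannot be mapped as data files; DONT_RESOLVE_DLL_REFERENCES still skips DllMain and dependency loading` plus a debug line noting which mode succeeded would let operators diagnose events that still end up as "N/A". getLogEvents begins and ends outside the hunk.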
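Review bot: The new `flags` parameter is not documented in the Doxygen block above the definition, and that block's `@return 0 if the description could be retrieved, -1 otherwise.` line contradicts the `void` return visible in the hunk. I would add `* @param flags LoadLibraryEx flags used to map the event source's message file (e.g. LOAD_LIBRARY_AS_DATAFILE).` and replace the @return line with a sentence stating that an empty `message` signals that no description could be retrieved, which is the condition the caller in getLogEvents tests. The rest of the Doxygen block and the function body lie outside the hunk.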
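Review bot: When the load fails, the debug line after the changed LoadLibraryEx call does not record which flags were attempted, so the two-mode retry the new caller performs leaves two near-identical "LoadLibraryEx error" entries that cannot be told apart; `pandoraDebug("LoadLibraryEx error %d (flags 0x%lx). Exe file path %s.", GetLastError(), flags, exe_file_path);` makes the log distinguish the data-file attempt from the DONT_RESOLVE_DLL_REFERENCES fallback. The message also reports exe_file_path while the path handed to LoadLibraryEx is dll_start; if those can differ, logging dll_start would be more useful, though where either is assigned is not visible here. The `while (1)` loop and the enclosing function continue outside the hunk.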
@@ -54,7 +54,7 @@ namespace Pandora_Modules {
 void closeLogEvent ();
 int getLogEvents (list &event_list, unsigned char discard);
 void timestampToSystemtime (string timestamp, SYSTEMTIME *system_time);
- void getEventDescription (PEVENTLOGRECORD pevlr, char *message);
+ void getEventDescription (PEVENTLOGRECORD pevlr, char *message, DWORD flags);
 int filterEvent (PEVENTLOGRECORD pevlr, string description);
 public: