
Commit dace409

committed
utils: Expand SID with actual user name and domain
This is needed to match the equivalent feature of Elastic Beats (Filebeat's translate_sid processor). ref: https://www.elastic.co/guide/en/beats/filebeat/current/processor-translate-sid.html Signed-off-by: Hiroshi Hatake <[email protected]>
1 parent 9dd9c81 commit dace409


1 file changed

+56
-1
lines changed

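--- a/ext/winevt/winevt_utils.cpp
+++ b/ext/winevt/winevt_utils.cpp
@@ -596,6 +596,55 @@ get_description(EVT_HANDLE handle, LANGID langID, EVT_HANDLE hRemote)
 return _wcsdup(result.data());
 }
 
+static int ExpandSIDWString(PSID sid, CHAR **out_expanded)
+{
+#define MAX_NAME 256
+DWORD len = MAX_NAME, err = ERROR_SUCCESS;
+SID_NAME_USE sid_type = SidTypeUnknown;
+char account[MAX_NAME];
+char domain[MAX_NAME];
+DWORD result_len = 0;
+CHAR *formatted = NULL;
+VALUE vformatted;
+
+if (!LookupAccountSidA(NULL, sid,
+account, &len, domain,
+&len, &sid_type)) {
+err = GetLastError();
+if (err == ERROR_NONE_MAPPED) {
+goto not_mapped_error;
+}
+else {
+return -2;
+}
+
+goto error;
+}
+
+result_len = strlen(domain) + 1 + strlen(account) + 1;
+formatted = (CHAR *)ALLOCV(vformatted, result_len);
+if (formatted == NULL) {
+goto error;
+}
+
+_snprintf_s(formatted, result_len, _TRUNCATE, "%s\\%s", domain, account);
+
+*out_expanded = strdup(formatted);
+
+ALLOCV_END(vformatted);
+
+return 0;
+
+not_mapped_error:
+
+return -1;
+
+error:
+err = GetLastError();
+ALLOCV_END(vformatted);
+raise_system_error(rb_eRuntimeError, err);
+}
+
 VALUE
 render_system_event(EVT_HANDLE hEvent, BOOL preserve_qualifiers)
 {
@@ -787,7 +836,13 @@ render_system_event(EVT_HANDLE hEvent, BOOL preserve_qualifiers)
 
 if (EvtVarTypeNull != pRenderedValues[EvtSystemUserID].Type) {
 if (ConvertSidToStringSid(pRenderedValues[EvtSystemUserID].SidVal, &pwsSid)) {
-rbstr = rb_utf8_str_new_cstr(pwsSid);
+CHAR *expandSID;
+if (ExpandSIDWString(pRenderedValues[EvtSystemUserID].SidVal,
+&expandSID) == 0) {
+rbstr = rb_utf8_str_new_cstr(expandSID);
+} else {
+rbstr = rb_utf8_str_new_cstr(pwsSid);
+}
 rb_hash_aset(hash, rb_str_new2("UserID"), rbstr);
 LocalFree(pwsSid);
 }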
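Review bot: The `CHAR *expandSID` that ExpandSIDWString hands back via `strdup` is never released in the render_system_event hunk, so the "DOMAIN\account" string leaks on every rendered event; add `free(expandSID);` directly after `rbstr = rb_utf8_str_new_cstr(expandSID);` (rb_utf8_str_new_cstr copies its input), and make the helper check `strdup` for NULL and return -2 instead of letting the caller pass NULL to rb_utf8_str_new_cstr. Two smaller issues in the helper: the `goto error;` after the if/else is unreachable because both branches leave the function, and `len` is passed as both cchName and cchReferencedDomainName, so the sizes LookupAccountSidA writes back overwrite each other. LookupAccountSidA also returns ANSI-codepage text that is then labelled UTF-8 by rb_utf8_str_new_cstr, so non-ASCII account or domain names will be mis-encoded; the W variant plus the wide-string handling this file already uses (get_description returns a wide string) would avoid that. Note as well that resolving a domain SID with a NULL system name may contact a domain controller, so an unresolvable SID now adds network latency per event. render_system_event starts and ends outside the hunk.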
