Example #1
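// walkKey recursively visits every value and sub-key beneath k and reads each
// value through the accessor that matches its registry type, reporting any
// failure through t. kname is the printable path of k and is used only in
// failure messages.
//
// Sub-keys that cannot be opened because access is denied are skipped instead
// of failing the test, since the walk may reach keys it is not allowed to read.
func walkKey(t *testing.T, k registry.Key, kname string) {
	names, err := k.ReadValueNames(-1)
	if err != nil {
		t.Fatalf("reading value names of %s failed: %v", kname, err)
	}
	for _, name := range names {
		// No buffer is supplied: only the value type is of interest here.
		_, valtype, err := k.GetValue(name, nil)
		if err != nil {
			t.Fatalf("reading value type of %s of %s failed: %v", name, kname, err)
		}
		switch valtype {
		case registry.NONE:
			// Nothing to read for this type.
		case registry.SZ:
			if _, _, err := k.GetStringValue(name); err != nil {
				t.Error(err)
			}
		case registry.EXPAND_SZ:
			s, _, err := k.GetStringValue(name)
			if err != nil {
				t.Error(err)
				// The read failed, so there is no string to expand.
				break
			}
			if _, err := registry.ExpandString(s); err != nil {
				t.Error(err)
			}
		case registry.DWORD, registry.QWORD:
			if _, _, err := k.GetIntegerValue(name); err != nil {
				t.Error(err)
			}
		case registry.BINARY:
			if _, _, err := k.GetBinaryValue(name); err != nil {
				t.Error(err)
			}
		case registry.MULTI_SZ:
			if _, _, err := k.GetStringsValue(name); err != nil {
				t.Error(err)
			}
		case registry.FULL_RESOURCE_DESCRIPTOR, registry.RESOURCE_LIST, registry.RESOURCE_REQUIREMENTS_LIST:
			// TODO: not implemented
		default:
			// err is always nil at this point (GetValue succeeded), so it is
			// left out of the message rather than printed as "<nil>".
			t.Fatalf("unexpected value type %d of %s of %s", valtype, name, kname)
		}
	}

	names, err = k.ReadSubKeyNames(-1)
	if err != nil {
		t.Fatalf("reading sub-keys of %s failed: %v", kname, err)
	}
	for _, name := range names {
		// The closure scopes the deferred Close to one sub-key, so handles are
		// released as the walk proceeds instead of when walkKey returns.
		func() {
			// Only the rights needed to list sub-keys and read values are requested.
			subk, err := registry.OpenKey(k, name, registry.ENUMERATE_SUB_KEYS|registry.QUERY_VALUE)
			if err != nil {
				if err == syscall.ERROR_ACCESS_DENIED {
					// ignore error, if we are not allowed to access this key
					return
				}
				t.Fatalf("opening sub-keys %s of %s failed: %v", name, kname, err)
			}
			defer subk.Close()

			walkKey(t, subk, kname+`\`+name)
		}()
	}
}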
Example #2
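// queryEventMessageFiles reads the EventMessageFile value stored under
// HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<providerName>\<sourceName>.
// That value names one or more DLLs or EXEs (separated by ';') containing
// parameterized event log messages. Each file is loaded as a data file and the
// resulting Handles are returned; files that cannot be loaded are logged at
// debug level and skipped, so the returned slice may be empty or nil.
//
// An error is returned when the key cannot be opened, the value cannot be
// read, or its environment references cannot be expanded.
//
// NOTE(review): providerName and sourceName are interpolated into the key
// path without validation; a name containing a backslash would address a
// deeper sub-key. Verify that callers pass names from a trusted source.
// NOTE(review): nothing here releases the returned handles; presumably the
// caller owns them. Confirm against the caller.
func queryEventMessageFiles(providerName, sourceName string) ([]Handle, error) {
	// Open key in registry (read-only: only QUERY_VALUE is requested).
	registryKeyName := fmt.Sprintf(
		"SYSTEM\\CurrentControlSet\\Services\\EventLog\\%s\\%s",
		providerName, sourceName)
	key, err := registry.OpenKey(registry.LOCAL_MACHINE, registryKeyName,
		registry.QUERY_VALUE)
	if err != nil {
		// Keep the underlying cause so callers can tell a missing key from a
		// permission problem.
		return nil, fmt.Errorf("Failed to open HKLM\\%s. %v", registryKeyName, err)
	}
	defer func() {
		err := key.Close()
		if err != nil {
			logp.Warn("Failed to close registry key. key=%s err=%v",
				registryKeyName, err)
		}
	}()
	logp.Debug("eventlog", "RegOpenKey opened handle to HKLM\\%s, key=%v",
		registryKeyName, key)

	// Read value from registry:
	value, _, err := key.GetStringValue("EventMessageFile")
	if err != nil {
		return nil, fmt.Errorf("Failed querying EventMessageFile from "+
			"HKLM\\%s. %v", registryKeyName, err)
	}
	// The value may contain %VAR% references, which are resolved against the
	// environment of this process.
	value, err = registry.ExpandString(value)
	if err != nil {
		return nil, err
	}

	// Split the value in case there is more than one file in the value.
	eventMessageFiles := strings.Split(value, ";")
	logp.Debug("eventlog", "RegQueryValueEx queried EventMessageFile from "+
		"HKLM\\%s and got [%s]", registryKeyName,
		strings.Join(eventMessageFiles, ","))

	// Load the libraries.
	//
	// NOTE(review): the paths are taken from the registry and handed to the
	// loader as-is. LOAD_LIBRARY_AS_DATAFILE asks for the file to be mapped as
	// data rather than executed, but a non-absolute entry would presumably
	// still be resolved by the loader's search rules. Confirm whether entries
	// should be required to be absolute paths.
	var handles []Handle
	for _, eventMessageFile := range eventMessageFiles {
		// An empty or ';'-terminated value yields empty entries; there is
		// nothing to load for those.
		if eventMessageFile == "" {
			continue
		}
		sPtr, err := syscall.UTF16PtrFromString(eventMessageFile)
		if err != nil {
			logp.Debug("eventlog", "Failed to get UTF16Ptr for '%s'. "+
				"Skipping. %v", eventMessageFile, err)
			continue
		}
		handle, err := loadLibraryEx(sPtr, 0, LOAD_LIBRARY_AS_DATAFILE)
		if err != nil {
			logp.Debug("eventlog", "Failed to load library '%s' as data file. "+
				"Skipping. %v", eventMessageFile, err)
			continue
		}
		handles = append(handles, handle)
	}

	logp.Debug("eventlog", "Returning handles %v for sourceName %s", handles,
		sourceName)
	return handles, nil
}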
Example #3
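// queryEventMessageFiles reads the EventMessageFile value stored under
// HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<eventLogName>\<sourceName>.
// That value names one or more DLLs or EXEs (separated by ';') containing
// templated event log messages. Each file is loaded as a data file and the
// resulting Handles are returned; files that cannot be loaded are logged at
// debug level and skipped, so the returned slice may be empty or nil.
//
// The underlying error is returned unchanged when the key cannot be opened,
// the value cannot be read, or its environment references cannot be expanded.
//
// NOTE(review): eventLogName and sourceName are interpolated into the key
// path without validation; a name containing a backslash would address a
// deeper sub-key. Verify that callers pass names from a trusted source.
// NOTE(review): this function does no caching and does not release the
// returned handles; presumably the caller does both. Confirm against the caller.
func queryEventMessageFiles(eventLogName, sourceName string) ([]Handle, error) {
	// Open key in registry (read-only: only QUERY_VALUE is requested).
	registryKeyName := fmt.Sprintf(
		"SYSTEM\\CurrentControlSet\\Services\\EventLog\\%s\\%s",
		eventLogName, sourceName)
	key, err := registry.OpenKey(registry.LOCAL_MACHINE, registryKeyName,
		registry.QUERY_VALUE)
	if err != nil {
		logp.Debug("eventlog", "Failed to open HKLM\\%s", registryKeyName)
		return nil, err
	}
	defer key.Close()
	logp.Debug("eventlog", "RegOpenKey opened handle to HKLM\\%s, %v",
		registryKeyName, key)

	// Read value from registry:
	value, _, err := key.GetStringValue("EventMessageFile")
	if err != nil {
		logp.Debug("eventlog", "Failed querying EventMessageFile from HKLM\\%s", registryKeyName)
		return nil, err
	}
	// The value may contain %VAR% references, which are resolved against the
	// environment of this process.
	value, err = registry.ExpandString(value)
	if err != nil {
		return nil, err
	}

	// Split the value in case there is more than one file specified.
	eventMessageFiles := strings.Split(value, ";")
	logp.Debug("eventlog", "RegQueryValueEx queried EventMessageFile from "+
		"HKLM\\%s and got %v", registryKeyName, eventMessageFiles)

	// NOTE(review): the paths are taken from the registry and handed to the
	// loader as-is. LOAD_LIBRARY_AS_DATAFILE asks for the file to be mapped as
	// data rather than executed, but a non-absolute entry would presumably
	// still be resolved by the loader's search rules. Confirm whether entries
	// should be required to be absolute paths.
	var handles []Handle
	for _, eventMessageFile := range eventMessageFiles {
		// An empty or ';'-terminated value yields empty entries; there is
		// nothing to load for those.
		if eventMessageFile == "" {
			continue
		}
		sPtr, err := syscall.UTF16PtrFromString(eventMessageFile)
		if err != nil {
			// Every other logp.Debug call in this function passes the
			// "eventlog" selector first; without it the format string is
			// taken as the selector and the file name as the format.
			logp.Debug("eventlog", "Failed to get UTF16Ptr for '%s' (%v). Skipping",
				eventMessageFile, err)
			continue
		}
		handle, err := loadLibraryEx(sPtr, 0, LOAD_LIBRARY_AS_DATAFILE)
		if err != nil {
			logp.Debug("eventlog", "Failed to load library '%s' as data file:"+
				"%v", eventMessageFile, err)
			continue
		}
		handles = append(handles, handle)
	}

	logp.Debug("eventlog", "Returning handles %v for sourceName %s",
		handles, sourceName)
	return handles, nil
}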
Example #4
// TestExpandString checks that registry.ExpandString turns "%PATH%" into the
// value of the PATH environment variable as seen by this process.
func TestExpandString(t *testing.T) {
	expanded, err := registry.ExpandString("%PATH%")
	if err != nil {
		t.Fatal(err)
	}
	// The reference value comes from the same process environment.
	if expected := os.Getenv("PATH"); expanded != expected {
		t.Errorf("want %q string expanded, got %q", expected, expanded)
	}
}
Example #5
// testGetStringValue reads test.Name from k as a string and checks, in order,
// that the read succeeds, that the value equals test.Value, and that the
// reported type equals test.Type. Only the first failing check is reported.
// For EXPAND_SZ values it additionally checks that the string can be expanded.
func testGetStringValue(t *testing.T, k registry.Key, test ValueTest) {
	value, valtype, err := k.GetStringValue(test.Name)
	switch {
	case err != nil:
		t.Errorf("GetStringValue(%s) failed: %v", test.Name, err)
	case value != test.Value:
		t.Errorf("want %s value %q, got %q", test.Name, test.Value, value)
	case valtype != test.Type:
		t.Errorf("want %s value type %v, got %v", test.Name, test.Type, valtype)
	case valtype == registry.EXPAND_SZ:
		// Reached only when value and type already matched the expectation.
		if _, err := registry.ExpandString(value); err != nil {
			t.Errorf("ExpandString(%s) failed: %v", value, err)
		}
	}
}