How to read evtx file from windows event viewer using C?

Views: 1088

Problem description


I have the following code in C++; I have to convert it to C and read an evtx file. This code is giving a compiler error on line 52, C2664, in VS 2008.

Reading Evtx file

    #include<windows.h>
    #include<iostream>
    #include<vector>
    #include<fstream>
    using namespace std;
    
    typedef unsigned long ULONG;
    
    typedef struct _EVENTLOGHEADER {
    ULONG HeaderSize;
    ULONG Signature;
    ULONG MajorVersion;
    ULONG MinorVersion;
    ULONG StartOffset;
    ULONG EndOffset;
    ULONG CurrentRecordNumber;
    ULONG OldestRecordNumber;
    ULONG MaxSize;
    ULONG Flags;
    ULONG Retention;
    ULONG EndHeaderSize;
    } EVENTLOGHEADER, *PEVENTLOGHEADER;  
    
    typedef unsigned long DWORD;
    typedef unsigned short WORD;
    
    //typedef struct _EVENTLOGRECORD {
    //DWORD Length;
    //DWORD Reserved;
    //DWORD RecordNumber;
    //DWORD TimeGenerated;
    //DWORD TimeWritten;
    //DWORD EventID;
    //WORD  EventType;
    //WORD  NumStrings;
    //WORD  EventCategory;
    //WORD  ReservedFlags;
    //DWORD ClosingRecordNumber;
    //DWORD StringOffset;
    //DWORD UserSidLength;
    //DWORD UserSidOffset;
    //DWORD DataLength;
    //DWORD DataOffset;
    //} EVENTLOGRECORD, *PEVENTLOGRECORD;
    
   

    int main()
    {

Giving the file path here:

        std::string filename = "C:\\Windows\\System32\\winevt\\Logs\\Application.evtx";
        std::fstream file;

The problem lies here, in file.open: it gives me error C2664. I checked with Google; 2664 means incorrect parameters in a function call, but the parameters should be like this only. Can anyone suggest how I should read the content of the evtx file using this code?

        file.open(filename, ios::in | ios::binary);

        if (file.is_open()) {
            _EVENTLOGHEADER logheader;
            _EVENTLOGRECORD logRecord;

            //Reading the header
            file.read((char*)&logheader, sizeof(_EVENTLOGHEADER));

            int startOfLog;
            //Loop on every record
            for (unsigned int numberFile = 0; numberFile < logheader.CurrentRecordNumber - 1; numberFile++) {
                //Save the position
                startOfLog = file.tellg();
                //Read log record
                file.read((char*)&logRecord, sizeof(_EVENTLOGRECORD));

                /*******************************************************
                The other information follows (see the 'Remarks' section of the
                'EVENTLOGRECORD structure' documentation)
                ********************************************************/

                //Reading sourcename
                wchar_t buffData;
                wstring SourceName;
                file.read((char*)&buffData, sizeof(wchar_t));
                while (buffData != L'\0') {
                    SourceName.push_back(buffData);
                    file.read((char*)&buffData, sizeof(wchar_t));
                }

                //Reading computer name
                wstring ComputerName;
                file.read((char*)&buffData, sizeof(wchar_t));
                while (buffData != L'\0') {
                    ComputerName.push_back(buffData);
                    file.read((char*)&buffData, sizeof(wchar_t));
                }

                //Sets the position to the SID offset
                int readCursor = startOfLog + logRecord.UserSidOffset;
                file.seekg(readCursor);

                char *userSid = NULL;
                if (logRecord.UserSidLength != 0)
                {
                    userSid = (PCHAR)malloc(logRecord.UserSidLength);
                    file.read(userSid, logRecord.UserSidLength); //Reading the sid
                    free(userSid);
                }

                //Sets the position to the Strings offset
                readCursor = startOfLog + logRecord.StringOffset;
                file.seekg(readCursor);
                wstring buffString;
                vector<wstring> allStrings;
                //Reading all the strings
                for (int i = 0; i < logRecord.NumStrings; i++) {
                    file.read((char*)&buffData, sizeof(wchar_t));
                    while (buffData != L'\0') {
                        buffString.push_back(buffData);
                        file.read((char*)&buffData, sizeof(wchar_t));
                    }
                    allStrings.push_back(buffString);
                    buffString.clear();
                }

                //Sets the position to the Data offset
                readCursor = startOfLog + logRecord.DataOffset;
                file.seekg(readCursor);
                unsigned char *Data = (unsigned char *)malloc(logRecord.DataLength * sizeof(unsigned char));
                file.read((char*)Data, logRecord.DataLength); //Reading the data

                //Sets the position to the end of log offset
                readCursor = startOfLog + logRecord.Length - sizeof(DWORD);
                file.seekg(readCursor);
                DWORD length;
                file.read((char*)&length, sizeof(DWORD));

                //Do what you want with the log record

                //Clean before reading next log
                ComputerName.clear();
                SourceName.clear();
                allStrings.clear();
                free(Data);
            }
        }
        return 0;
    }

Recommended answer

You must replace the C++ classes with C types and functions.

Instead of std::fstream you can use the C library file functions:

    #include <stdio.h>

    FILE *f = fopen(file_name, "rb");      /* open in binary mode, like ios::binary */
    if (f != NULL)
    {
        fseek(f, offset, SEEK_SET);        /* replaces file.seekg(offset) */
        fread(buffer, 1, bytes_to_read, f); /* replaces file.read(buffer, bytes_to_read) */
        fclose(f);
    }


Instead of the std::string classes you can use char/wchar buffers with fixed sizes that are big enough to hold the max. expected string length, or use allocated buffers with re-allocation when the current size is too small.
[UPDATE: Example with fixed size buffer]

    wchar_t s[MAX_LEN + 1];
    int i = 0;
    /* buffData holds the wide character just read from the file (FILE *f);
       copy until the terminating L'\0' or until the buffer is full */
    while (buffData && i < MAX_LEN)
    {
        s[i++] = buffData;
        if (fread(&buffData, sizeof(wchar_t), 1, f) != 1)   /* fetch the next character */
            break;                                           /* stop at EOF or read error */
    }
    s[i] = L'\0';

Instead of the std::vector class you can use an array of allocated strings. As for the strings, the array can be of fixed size when the max. number of strings is known, or it must be resized dynamically.
[UPDATE: Example with fixed size buffer]

    #include <stdlib.h>   /* malloc, free */
    #include <wchar.h>    /* wcslen, wcscpy */

    wchar_t *sAll[MAX_STRINGS];
    int j = 0;
    while (j < MAX_STRINGS && some_condition)
    {
        // s is a wchar_t* string; copy it into a freshly allocated buffer
        sAll[j] = (wchar_t*)malloc((wcslen(s) + 1) * sizeof(wchar_t));
        if (sAll[j] == NULL)
            break;                 /* out of memory: stop collecting */
        wcscpy(sAll[j], s);
        j++;
    }
    // clean up
    while (j)
        free(sAll[--j]);

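As an added example (not code from the question or the answer), here is the question's record loop rewritten in plain C the way the answer describes: fopen/fseek/fread instead of fstream, fixed-size buffers instead of std::string and std::vector, plus the bounds checks a parser of untrusted log files should have. It assumes a little-endian host and the legacy EVENTLOGRECORD layout the question's code uses; the Event struct, the MAX_LEN/MAX_STRINGS limits and the sample bytes are constructed here, not taken from a real log.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Legacy .evt record header as read by the question's code (56 bytes, no padding). */
typedef struct {
    uint32_t Length, Reserved, RecordNumber, TimeGenerated, TimeWritten, EventID;
    uint16_t EventType, NumStrings, EventCategory, ReservedFlags;
    uint32_t ClosingRecordNumber, StringOffset, UserSidLength, UserSidOffset, DataLength, DataOffset;
} EVENTLOGRECORD;

#define MAX_LEN 63
#define MAX_STRINGS 8
typedef struct { char source[MAX_LEN + 1], computer[MAX_LEN + 1], strings[MAX_STRINGS][MAX_LEN + 1]; int nstrings; } Event;

/* Copy a NUL-terminated UTF-16 string into a fixed buffer without ever writing past
 * MAX_LEN; non-ASCII code units become '?' (demo simplification). Stops at EOF. */
int read_wstr(FILE *f, char *out) {
    uint16_t cu; int i = 0;
    while (fread(&cu, sizeof cu, 1, f) == 1 && cu != 0)
        if (i < MAX_LEN) out[i++] = cu < 128 ? (char)cu : '?';
    out[i] = '\0';
    return i;
}

/* Parse the record at byte offset `start`. Offsets are relative to the record start, as in
 * the C++ loop, and are checked against Length so a corrupt record cannot move the cursor
 * outside the record. Returns 1 on success, 0 if the record is truncated or malformed. */
int parse_record(FILE *f, long start, Event *ev) {
    EVENTLOGRECORD r; uint32_t tail;
    if (fseek(f, start, SEEK_SET) || fread(&r, sizeof r, 1, f) != 1) return 0;
    if (r.Length < sizeof r + sizeof tail || r.StringOffset > r.Length || r.DataOffset > r.Length) return 0;
    read_wstr(f, ev->source); read_wstr(f, ev->computer);   /* names follow the header directly */
    ev->nstrings = r.NumStrings < MAX_STRINGS ? r.NumStrings : MAX_STRINGS;
    fseek(f, start + r.StringOffset, SEEK_SET);
    for (int i = 0; i < ev->nstrings; i++) read_wstr(f, ev->strings[i]);
    fseek(f, start + r.Length - sizeof tail, SEEK_SET);     /* trailing copy of Length */
    return fread(&tail, sizeof tail, 1, f) == 1 && tail == r.Length;
}

/* Constructed sample (not a real log): one record with SourceName "App", ComputerName "PC",
 * two insertion strings, no SID and no binary data, written to a temporary file. */
FILE *make_sample_log(void) {
    static const uint16_t body[] = { 'A','p','p',0, 'P','C',0, 'o','k',0, 'x',0 };
    EVENTLOGRECORD r = {0}; FILE *f = tmpfile();
    r.Length = sizeof r + sizeof body + sizeof r.Length;    /* 56 + 24 + 4 = 84 */
    r.RecordNumber = 1; r.EventID = 1000; r.NumStrings = 2;
    r.UserSidOffset = r.StringOffset = sizeof r + 14;       /* right after both names */
    r.DataOffset = sizeof r + sizeof body;
    fwrite(&r, sizeof r, 1, f); fwrite(body, sizeof body, 1, f); fwrite(&r.Length, sizeof r.Length, 1, f);
    rewind(f); return f;
}
```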
