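def test_hEvtRpcRegisterLogQuery_hEvtRpcQueryNext(self):
    """Register a query on the Security channel through the helper and pull one page of records.

    Fixes versus the original:
      * a failure of either RPC call used to `return`, i.e. the test reported
        success without having exercised anything; it now reports a skip with
        the error text, so an unreachable/forbidden channel is visible.
      * the per-record bytes were assembled with a `str.encode('hex')` /
        `.decode('hex')` round trip, which is a no-op under Python 2 and does
        not exist under Python 3; `b''.join(...)` yields the same bytes on both.
      * the server-supplied offset/size pair is checked against the slice it
        produced, since Python slicing silently truncates out-of-range slices.
    """
    dce, rpctransport = self.connect(2)

    try:
        resp = even6.hEvtRpcRegisterLogQuery(
            dce, 'Security\x00', '*\x00',
            even6.EvtQueryChannelName | even6.EvtReadNewestToOldest)
        resp.dump()
    except Exception as e:
        # NOTE(review): presumably masks access-denied on the Security channel
        # for unprivileged test accounts — confirm against the target.
        self.skipTest('EvtRpcRegisterLogQuery failed: %s' % e)
    log_handle = resp['Handle']

    try:
        # NOTE(review): this instantiates the EvtRpcQueryNext request class with
        # positional arguments instead of calling an `h...` helper as the first
        # call does; the test name suggests a helper was intended — confirm.
        resp = even6.EvtRpcQueryNext(dce, log_handle, 5, 1000, 0)
        resp.dump()
    except Exception as e:
        self.skipTest('EvtRpcQueryNext failed: %s' % e)

    for i in range(resp['NumActualRecords']):
        # Offsets and sizes come from the server and are not trusted blindly.
        event_offset = resp['EventDataIndices'][i]['Data']
        event_size = resp['EventDataSizes'][i]['Data']
        event = b''.join(resp['ResultBuffer'][event_offset:event_offset + event_size])
        self.assertEqual(len(event), event_size)
        print(hexdump(event))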
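def test_EvtRpcRegisterLogQuery_EvtRpcQueryNext(self):
    """Issue raw EvtRpcRegisterLogQuery / EvtRpcQueryNext requests and validate the returned records.

    Nothing is caught here: a failure of either request fails the test.

    Fixes versus the original:
      * the loop computed each record slice and discarded it, so a response
        with bogus indices passed unnoticed; the slice length is now asserted
        against the size the server advertised.
      * `xrange` (Python 2 only) replaced by `range`; the count is at most 5.
    """
    # NOTE(review): connect() is called without a version argument here, while
    # EVEN6Tests.connect(self, version) in this file requires one — confirm
    # which connect() this class actually inherits.
    dce, rpctransport = self.connect()

    request = even6.EvtRpcRegisterLogQuery()
    request['Path'] = 'Security\x00'   # strings are sent explicitly NUL-terminated
    request['Query'] = '*\x00'
    request['Flags'] = even6.EvtQueryChannelName | even6.EvtReadNewestToOldest
    request.dump()
    resp = dce.request(request)
    resp.dump()
    log_handle = resp['Handle']

    request = even6.EvtRpcQueryNext()
    request['LogQuery'] = log_handle
    request['NumRequestedRecords'] = 5
    request['TimeOutEnd'] = 1000
    request['Flags'] = 0
    request.dump()
    resp = dce.request(request)
    resp.dump()

    for i in range(resp['NumActualRecords']):
        event_offset = resp['EventDataIndices'][i]['Data']
        event_size = resp['EventDataSizes'][i]['Data']
        event = resp['ResultBuffer'][event_offset:event_offset + event_size]
        # offset/size are server-controlled; a slice shorter than advertised
        # means they point outside ResultBuffer (slicing truncates silently).
        self.assertEqual(len(event), event_size)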
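class EVEN6Tests(unittest.TestCase):
    """Base test case for the MS-EVEN6 (Windows Event Log Remoting v6) RPC interface.

    Transport-specific subclasses are expected to provide the attributes read by
    connect(): stringBinding, username, password, domain, hashes and ts.
    """

    def connect(self, version):
        """Open an authenticated, privacy-protected DCE/RPC binding to the EVEN6 interface.

        Args:
            version: kept for interface parity with callers; both branches of the
                original bound the same UUID with the same transfer syntax, so the
                value currently has no effect.

        Returns:
            (dce, rpctransport): the bound DCE/RPC object and its transport.
        """
        rpctransport = transport.DCERPCTransportFactory(self.stringBinding)

        # hashes is "LM:NT"; empty means password authentication only.
        if self.hashes:
            lmhash, nthash = self.hashes.split(':')
        else:
            lmhash = ''
            nthash = ''

        if hasattr(rpctransport, 'set_credentials'):
            # This method exists only for selected protocol sequences.
            rpctransport.set_credentials(self.username, self.password, self.domain,
                                         lmhash, nthash)

        dce = rpctransport.get_dce_rpc()
        # Event-log contents are sensitive: require the RPC traffic to be
        # encrypted and integrity-protected, not merely authenticated.
        dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
        dce.connect()
        # The original if/else on `version` had two identical branches.
        dce.bind(even6.MSRPC_UUID_EVEN6, transfer_syntax=self.ts)
        return dce, rpctransport

    def test_EvtRpcRegisterLogQuery_EvtRpcQueryNext(self):
        """Issue raw EvtRpcRegisterLogQuery / EvtRpcQueryNext requests.

        A failure of either request used to `return`, i.e. the test passed
        without exercising anything; it now reports a skip with the error
        text so a forbidden or unreachable channel is visible.
        """
        dce, rpctransport = self.connect(2)

        request = even6.EvtRpcRegisterLogQuery()
        request['Path'] = 'Security\x00'   # strings are sent explicitly NUL-terminated
        request['Query'] = '*\x00'
        request['Flags'] = even6.EvtQueryChannelName | even6.EvtReadNewestToOldest
        request.dump()
        try:
            resp = dce.request(request)
            resp.dump()
        except Exception as e:
            # NOTE(review): presumably masks access-denied on the Security
            # channel for unprivileged accounts — confirm against the target.
            self.skipTest('EvtRpcRegisterLogQuery failed: %s' % e)
        log_handle = resp['Handle']

        request = even6.EvtRpcQueryNext()
        request['LogQuery'] = log_handle
        request['NumRequestedRecords'] = 5
        request['TimeOutEnd'] = 1000
        request['Flags'] = 0
        request.dump()
        try:
            resp = dce.request(request)
            resp.dump()
        except Exception as e:
            self.skipTest('EvtRpcQueryNext failed: %s' % e)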
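def __next__(self):
    """Return the next raw event record as bytes, or None once the query is exhausted.

    Records are fetched from the server in pages of 20 (one EvtRpcQueryNext per
    page) into self._resp and handed out one at a time via self._index. The
    end-of-data convention of the original — returning None rather than raising
    StopIteration — is kept, since callers presumably test for None.

    Raises:
        ValueError: the server-supplied offset/size of a record point outside
            ResultBuffer. Python slicing truncates silently, so without this
            check a malformed response would hand the caller a short record.
    """
    # A page that came back empty means the query is drained; stay drained.
    if self._resp is not None and self._resp['NumActualRecords'] == 0:
        return None

    # First use, or the current page has been fully consumed: fetch a new page.
    if self._resp is None or self._index == self._resp['NumActualRecords']:
        req = even6.EvtRpcQueryNext()
        req['LogQuery'] = self._handle
        req['NumRequestedRecords'] = 20
        req['TimeOutEnd'] = 1000   # NOTE(review): presumably milliseconds — confirm against MS-EVEN6
        req['Flags'] = 0
        self._resp = self._conn.dce.request(req)
        if self._resp['NumActualRecords'] == 0:
            return None
        self._index = 0

    offset = self._resp['EventDataIndices'][self._index]['Data']
    size = self._resp['EventDataSizes'][self._index]['Data']
    self._index += 1

    record = b''.join(self._resp['ResultBuffer'][offset:offset + size])
    if len(record) != size:
        raise ValueError(
            'event record %d: server-supplied offset/size %d/%d exceed ResultBuffer'
            % (self._index - 1, offset, size))
    return record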
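def test_hEvtRpcRegisterLogQuery_hEvtRpcQueryNext(self):
    """Register a query on the Security channel through the helper and pull one page of records.

    Fixes versus the original:
      * a failure of either RPC call used to `return`, i.e. the test reported
        success without having exercised anything; it now reports a skip with
        the error text, so an unreachable/forbidden channel is visible.
      * the per-record bytes were assembled with a `str.encode('hex')` /
        `.decode('hex')` round trip, which is a no-op under Python 2 and does
        not exist under Python 3; `b''.join(...)` yields the same bytes on both.
        The Python-2-only `except Exception, e` and `print x` forms are
        replaced by the spellings valid on both interpreters.
      * the server-supplied offset/size pair is checked against the slice it
        produced, since Python slicing silently truncates out-of-range slices.
    """
    dce, rpctransport = self.connect(2)

    try:
        resp = even6.hEvtRpcRegisterLogQuery(
            dce, 'Security\x00', '*\x00',
            even6.EvtQueryChannelName | even6.EvtReadNewestToOldest)
        resp.dump()
    except Exception as e:
        # NOTE(review): presumably masks access-denied on the Security channel
        # for unprivileged test accounts — confirm against the target.
        self.skipTest('EvtRpcRegisterLogQuery failed: %s' % e)
    log_handle = resp['Handle']

    try:
        # NOTE(review): this instantiates the EvtRpcQueryNext request class with
        # positional arguments instead of calling an `h...` helper as the first
        # call does; the test name suggests a helper was intended — confirm.
        resp = even6.EvtRpcQueryNext(dce, log_handle, 5, 1000, 0)
        resp.dump()
    except Exception as e:
        self.skipTest('EvtRpcQueryNext failed: %s' % e)

    for i in range(resp['NumActualRecords']):
        # Offsets and sizes come from the server and are not trusted blindly.
        event_offset = resp['EventDataIndices'][i]['Data']
        event_size = resp['EventDataSizes'][i]['Data']
        event = b''.join(resp['ResultBuffer'][event_offset:event_offset + event_size])
        self.assertEqual(len(event), event_size)
        print(hexdump(event))


# SMBTransport continues beyond this excerpt; its header is kept as found.
class SMBTransport(EVEN6Tests):
    def setUp(self):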