[jcifs] EventLog patche question

Raffael Maio raffael.maio at gmail.com
Fri Sep 25 10:45:55 MDT 2009


Hi again,

Thanks for your suggestion. However, I'm still stuck with it ;( Indeed, I
tried to look into the code of jcifs.smb.SID.getServerSid(), but everything
becomes difficult without any API around ;(

So I tried the following code to send a message. But now, my question is
how to retrieve the answer of the DcerpcHandle after sending something?!?

        // Needs: import jcifs.dcerpc.DcerpcHandle;
        //        import jcifs.dcerpc.UnicodeString;
        //        import jcifs.dcerpc.rpc;
        // "auth" is an NtlmPasswordAuthentication instance.

        DcerpcHandle handle = DcerpcHandle.getHandle(
                "ncacn_np:10.192.57.120[\\PIPE\\EVENTLOG]", auth);

        // UnicodeString fills in length, maximum_length and buffer from the
        // Java string. Calling encode() on an empty rpc.unicode_string only
        // serializes the empty struct into the NdrBuffer; it does not set
        // the string. Whether the eventlog interface expects zero-terminated
        // strings (second argument) is not settled in this thread; false is
        // an assumption.
        rpc.unicode_string logname = new UnicodeString("Application", false);
        rpc.unicode_string server = new UnicodeString("10.192.57.120", false);

        eventlog.EventLogOpenEventLog event =
                new eventlog.EventLogOpenEventLog(logname, server);
        handle.sendrecv(event);

-----Original Message-----
From: Michael B Allen [mailto:ioplex at gmail.com] 
Sent: Sunday, 20 September 2009 16:50
To: Raffael Maio
Cc: jcifs at lists.samba.org
Subject: Re: [jcifs] EventLog patche question

No, but search the archives. I'm pretty sure it was just something
someone posted to the list. The date in the patch looks like
2007-03-20.

I just looked at the patch. Two notes:

1. It's all DCERPC. This is good because all the decoding and encoding
stuff is done for you and the DCERPC layer is very easy and clean in
JCIFS. You just need to create an instance of each type of call (like
new eventlog.EventLogOpenEventLog(logname, servername)) and then run
it with DcerpcHandle.sendrecv. There are lots of examples of this in
the JCIFS code. The jcifs.smb.SID.getServerSid() method is probably a
good simple example of how to use the JCIFS DCERPC layer.

2. String handling is wrong. I don't know what type of strings the
eventlog IDL uses but the patch modifies UnicodeString handling to
compensate which is wrong and dangerous because it could affect other
DCERPC code that uses UnicodeString. To fix this you would need to
figure out how strings are handled properly with the eventlog
interface, adjust the IDL, recompile the stub with midlc and adjust
the code as necessary. Look at the Windows Server Protocol documents
now available from Microsoft's website. There's probably a document
about the eventlog interface with proper IDL. That IDL will show you
how strings are supposed to be handled.

Mike

On Sun, Sep 20, 2009 at 9:14 AM, Raffael Maio <raffael.maio at gmail.com>
wrote:
> Do you have an idea about who did the patch and who would be able to provide
> some docs about this new class?
>
> -----Original Message-----
> From: Michael B Allen [mailto:ioplex at gmail.com]
> Sent: Saturday, 19 September 2009 22:48
> To: Raffael Maio
> Cc: jcifs at lists.samba.org
> Subject: Re: [jcifs] EventLog patche question
>
> Oh. No. I have not looked at it since the day I placed it in the
> patches directory.
>
> On Sat, Sep 19, 2009 at 12:39 PM, Raffael Maio <raffael.maio at gmail.com>
> wrote:
>> The question was more related to the eventlog class that has been created in
>> the patch directory. Do you have any information about how to use it?
>>
>> 2009/9/19 Michael B Allen <ioplex at gmail.com>
>>>
>>> On Sat, Sep 19, 2009 at 7:47 AM, Raffael Maio <raffael.maio at gmail.com>
>>> wrote:
>>> > Hi all,
>>> >
>>> > I saw in the patches directory that there is a new class called
>>> > eventlog. I recompiled the project in order to use this class and it
>>> > seems to work.
>>> >
>>> > However, now I would like to use it in my test program in order to
>>> > access the eventlog of a remote machine. Does someone have an idea about
>>> > how to do it?! As there are no docs available yet, I would appreciate it
>>> > if you have already figured out this problem and could share it :)
>>> >
>>> > Previously I was trying to access the eventlog pipe like this (without
>>> > success).
>>> >
>>> >         NtlmPasswordAuthentication auth = new
>>> >             NtlmPasswordAuthentication("TESTS;administrator:admin");
>>> >
>>> >         SmbNamedPipe pipe = new SmbNamedPipe(
>>> >             "smb://10.192.10.10/IPC$/EVENTLOG",
>>> >             SmbNamedPipe.PIPE_TYPE_RDWR | SmbNamedPipe.PIPE_TYPE_TRANSACT,
>>> >             auth);
>>> >
>>> >         OutputStream out = pipe.getNamedPipeOutputStream();
>>> >         InputStream in = pipe.getNamedPipeInputStream();
>>> >
>>> > What would be the new way of accessing the eventlog now with the new
>>> > classes?
>>>
>>> Get WireShark, capture the transaction and see if it decodes the
>>> response. Then you can write some code to pick apart the entries.
>>>
>>> Mike
>>>
>>> --
>>> Michael B Allen
>>> Java Active Directory Integration
>>> http://www.ioplex.com/
>>
>>
>
>
>
> --
> Michael B Allen
> Java Active Directory Integration
> http://www.ioplex.com/
>
>



-- 
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
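
The sendrecv pattern from Mike's note 1, written out against the LSA interface that jcifs.smb.SID.getServerSid() uses, to show where the reply ends up after the call. This is an added example, not part of the original thread or the JCIFS source; it assumes the JCIFS 1.3 DCERPC classes, and the class name SendrecvExample, the method accountDomain and the command-line arguments are hypothetical.

```java
import java.io.IOException;

import jcifs.dcerpc.DcerpcHandle;
import jcifs.dcerpc.UnicodeString;
import jcifs.dcerpc.msrpc.LsaPolicyHandle;
import jcifs.dcerpc.msrpc.MsrpcQueryInformationPolicy;
import jcifs.dcerpc.msrpc.lsarpc;
import jcifs.smb.NtlmPasswordAuthentication;

public class SendrecvExample {

    /** Returns the account domain name reported by the server's LSA. */
    static String accountDomain(String server, NtlmPasswordAuthentication auth)
            throws IOException {
        DcerpcHandle handle = null;
        LsaPolicyHandle policy = null;
        // Output container: the stub decodes the reply into this object.
        lsarpc.LsarDomainInfo info = new lsarpc.LsarDomainInfo();
        try {
            handle = DcerpcHandle.getHandle(
                    "ncacn_np:" + server + "[\\PIPE\\lsarpc]", auth);
            policy = new LsaPolicyHandle(handle, null, 0x00000001);
            MsrpcQueryInformationPolicy call = new MsrpcQueryInformationPolicy(
                    policy, (short) lsarpc.POLICY_INFO_ACCOUNT_DOMAIN, info);
            handle.sendrecv(call);   // encodes the request, decodes the reply
            // sendrecv() returns nothing: the reply is now in the call object.
            if (call.retval != 0) {
                throw new IOException("LsarQueryInformationPolicy failed: 0x"
                        + Integer.toHexString(call.retval));
            }
            // info.name is an rpc.unicode_string; wrap it to get a Java String.
            return new UnicodeString(info.name, false).toString();
        } finally {
            if (handle != null) {
                if (policy != null) policy.close();
                handle.close();
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // Arguments (hypothetical order): server, domain, user, password.
        NtlmPasswordAuthentication auth =
                new NtlmPasswordAuthentication(args[1], args[2], args[3]);
        System.out.println(accountDomain(args[0], auth));
    }
}
```

The field names of the eventlog call classes from the patch are not shown in this thread, so reading their results back the same way is an assumption to check against the generated stub.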


