I found some code for receiving notification when an event is logged. This example filters for the events written by the example in Reporting an Event.

http://msdn.microsoft.com/en-us/library/aa363677%28v=vs.85%29.aspx

I would need help converting some C code if someone has some time.



Posted on 2011-01-23 20:21:08 by skywalker
Actually that is quite straightforward to transcribe to asm.
It's pure C, no funny business, just a few api calls and regular procs.
I'd like to see you try first, and when you get stuck I'll jump in and finish it.
Oh, and you'll owe me one Virtual Beer.
Fair enough?
Posted on 2011-01-24 00:22:41 by Homer
...and then you guys can plop it in a lib and share it for posterity. That's the spirit!  :mrgreen:
Posted on 2011-01-24 04:37:14 by JimmyClif

Actually that is quite straightforward to transcribe to asm.
It's pure C, no funny business, just a few api calls and regular procs.
I'd like to see you try first, and when you get stuck I'll jump in and finish it.
Oh, and you'll owe me one Virtual Beer.
Fair enough?



I will start the conversion process.

You can have an open tab; this will take a while.



Posted on 2011-01-24 08:24:42 by skywalker
I am having problems with some of the equates.

I understand that if Unicode isn't defined, ANSI is assumed.



;#define UNICODE

; #include <windows.h>
; #include <stdio.h>
;
; #pragma comment(lib, "advapi32.lib")
;
; #define PROVIDER_NAME L"MyEventProvider"

Provider_Name L equ "MyEventProvider"

C:\masm32\SOURCE\C_Code.asm(23) : error A2008: syntax error : L

; #define KEYBOARD_EVENT 0

KEYBOARD_EVENT equ 0

Posted on 2011-01-26 11:38:53 by skywalker
You can just define strings as data.
Make sure you zero-terminate them, whether you use Unicode or not.

.data
Provider_Name db "MyEventProvider",0

.code

Posted on 2011-01-26 13:32:12 by Homer
I don't know what to do with the define UNICODE and pragma comment lines.

; Event_Log_Change.asm  Receive notification when an event is logged
;                  Contributors: Homer,dargueta,
;
; http://msdn.microsoft.com/en-us/library/aa363677%28v=vs.85%29.aspx
; http://msdn.microsoft.com/en-us/library/aa363680%28v=vs.85%29.aspx



INCLUDE    \masm32\include\masm32rt.inc

;#define UNICODE

;#include <windows.h>
;#include <stdio.h>

;#pragma comment(lib, "advapi32.lib")

.const

;#define KEYBOARD_EVENT    0

KEYBOARD_EVENT    equ  0

;#define NOTIFICATION_EVENT 1

NOTIFICATION_EVENT equ 1

.data

;#define PROVIDER_NAME L"MyEventProvider"

Provider_Name  db "MyEventProvider",0

; #define RESOURCE_DLL  L"<path>\\Provider.dll"
; Note: in C/C++ the L prefix sits immediately before the opening quote of
; the literal it modifies (L"..."), and turns it into a wide (UTF-16) string.
; The equivalent here is an ANSI byte string, so no L is needed.

RESOURCE_DLL  db "c:\masm32\source\Provider.dll",0

Compiles to here with no error messages.

HANDLE GetMessageResources();
DWORD SeekToLastRecord(HANDLE hEventLog);
DWORD GetLastRecordNumber(HANDLE hEventLog, DWORD* pdwMarker);
DWORD ReadRecord(HANDLE hEventLog, PBYTE & pBuffer, DWORD dwRecordNumber, DWORD dwFlags);
DWORD DumpNewRecords(HANDLE hEventLog);
DWORD GetEventTypeName(DWORD EventType);
LPWSTR GetMessageString(DWORD Id, DWORD argc, LPWSTR args);
DWORD ApplyParameterStringsToMessage(CONST LPCWSTR pMessage, LPWSTR & pFinalMessage);
BOOL IsKeyEvent(HANDLE hStdIn);

CONST LPWSTR pEventTypeNames[] = {L"Error", L"Warning", L"Informational", L"Audit Success", L"Audit Failure"};
HANDLE g_hResources = NULL;

.code

void wmain(void)


Posted on 2011-01-26 22:50:58 by skywalker
For #pragma comment(lib, ...), we write includelib blah.lib.
It's a hint for the linker to look in this lib for some functions; the linker is smart enough to include only what is actually referenced, so there's no harm in including many libs.

For #define with no value, we write something equ 1
1 is TRUE, 0 is FALSE ;)

If you decide to define Unicode, you will need to change all your string definitions to word size instead of bytes, and you will need to use the Wide versions of the API functions (W) instead of ANSI (A).

Have a nice day :)
Posted on 2011-01-27 00:47:59 by Homer
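The mappings Homer lists in his last post (pragma comment(lib) to includelib, a bare #define to an equ, L"..." to word-sized data plus the W entry points), together with the zero-terminated data definition from his earlier reply, put together in one buildable MASM32 program. This is an added example, not code from the thread or from the MSDN sample it is converting. It assumes the masm32 package at \masm32\ as in skywalker's listing, and the label names (wszProviderName, hChange, dwErr) are chosen here for illustration.

```asm
; Event_Log_Notify_W.asm  (added example, not from the thread)
; The C preprocessor lines of the MSDN sample expressed the MASM32 way,
; using the Wide (W) event-log API because the provider name is a wide string.
; Assumes masm32 is installed at \masm32\ and the usual ml /c /coff + link
; /subsystem:console build.

        include \masm32\include\masm32rt.inc

        ; #pragma comment(lib, "advapi32.lib")  ->  includelib
        ; masm32rt.inc already pulls this lib in; repeated only to show the
        ; mapping. A duplicate includelib line is harmless.
        includelib \masm32\lib\advapi32.lib

; #define UNICODE                -> an equate whose value is only a flag
UNICODE            equ 1
; #define KEYBOARD_EVENT 0 / #define NOTIFICATION_EVENT 1
KEYBOARD_EVENT     equ 0
NOTIFICATION_EVENT equ 1

.data
        ; #define PROVIDER_NAME L"MyEventProvider"
        ; A C L"" literal is UTF-16: one 16-bit word per character and a
        ; 16-bit zero terminator, so it is declared with dw, not db.
        wszProviderName dw 'M','y','E','v','e','n','t','P','r','o','v','i','d','e','r',0

        ; ANSI byte strings (db, NUL-terminated) are fine for console output.
        szOpenFailed    db "OpenEventLogW failed, error ",0
        szNotifyFailed  db "NotifyChangeEventLog failed, error ",0
        szWaiting       db "Waiting for a new record in the provider's log...",13,10,0
        szSignalled     db "Log changed: a new record was written.",13,10,0

.data?
        hEventLog   HANDLE ?
        hChange     HANDLE ?
        dwErr       DWORD  ?

.code

start:
        ; Wide string -> W version of the API.
        ; OpenEventLogW(lpUNCServerName = NULL for the local machine, lpSourceName)
        invoke OpenEventLogW, NULL, ADDR wszProviderName
        .if eax == NULL
            invoke GetLastError
            mov dwErr, eax              ; save before print clobbers eax
            print ADDR szOpenFailed
            print str$(dwErr), 13, 10
            invoke ExitProcess, 1
        .endif
        mov hEventLog, eax

        ; Manual-reset event that NotifyChangeEventLog signals when the log changes.
        invoke CreateEvent, NULL, TRUE, FALSE, NULL
        mov hChange, eax

        ; NotifyChangeEventLog works only with a handle to a local log, which
        ; is what OpenEventLogW with a NULL server name returns.
        invoke NotifyChangeEventLog, hEventLog, hChange
        .if eax == 0
            invoke GetLastError
            mov dwErr, eax
            print ADDR szNotifyFailed
            print str$(dwErr), 13, 10
            invoke CloseEventLog, hEventLog
            invoke ExitProcess, 1
        .endif

        print ADDR szWaiting
        invoke WaitForSingleObject, hChange, INFINITE
        print ADDR szSignalled

        ; Release both handles in the reverse order of acquisition.
        invoke CloseHandle, hChange
        invoke CloseEventLog, hEventLog
        invoke ExitProcess, 0

end start
```

Two checks worth keeping when the rest of the sample is transcribed: test the return of every event-log call (OpenEventLogW returns NULL and NotifyChangeEventLog returns zero on failure, with the reason in GetLastError), and save eax before calling any print macro, since StdOut overwrites it. Once the program reacts to the event, the MSDN sample's ReadEventLog/DumpNewRecords loop is the next piece to convert; the record buffer it fills is ANSI or wide depending on whether ReadEventLogA or ReadEventLogW is called, so the db/dw choice above has to be carried through there as well.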