12 replies to this topic

[Slider]

I found some code for receiving notification when an event is logged in the Log Files that are shown in Event Viewer.

I would like to receive a notification whenever a particular error occurs in the Application Log.

Receiving Event Notification (Windows)

I would need help converting some C code if someone has some time.

[dargueta]

You want to convert this to asm? Why?

[Slider]

dargueta said:

You want to convert this to asm? Why?

Is this a serious question?

Andy

[dargueta]

Yes. It'd be rather time-consuming, and I really see no point to it.

[Slider]

I don't need help with every line of code.

I could use help with the Unicode line and the Provider_Name equate.

Andy

;#define UNICODE


 ; #include <windows.h>

 ; #include <stdio.h>

 ; 

 ; #pragma comment(lib, "advapi32.lib")

 ; 

 ; #define PROVIDER_NAME L"MyEventProvider"


  Provider_Name L equ "MyEventProvider"


C:\masm32\SOURCE\C_Code.asm(23) : error A2008: syntax error : L


 ; #define KEYBOARD_EVENT     0


KEYBOARD_EVENT equ    0

Edited by dargueta, 26 January 2011 - 11:12 AM.
Added code tags

[dargueta]

You're going to need a data section and put this in:

Provider_Name dw "MyEventProvider", 0

By the way, in C/C++ code the 'L' must be directly adjacent to the quote it modifies. Usually it follows the string, but the programmer in this case decided not to do so.

Edited by dargueta, 26 January 2011 - 11:17 AM.
Typo

[Slider]

I don't know what to do with the define UNICODE and pragma comment lines.

INCLUDE    \masm32\include\masm32rt.inc


;#define UNICODE


;#include <windows.h>

;#include <stdio.h>


;#pragma comment(lib, "advapi32.lib")


.const


;#define KEYBOARD_EVENT     0


KEYBOARD_EVENT     equ   0


;#define NOTIFICATION_EVENT 1


NOTIFICATION_EVENT equ 1


.data


;#define PROVIDER_NAME L"MyEventProvider"


Provider_Name  db "MyEventProvider",0


; #define RESOURCE_DLL  L"<path>\\Provider.dll" 

; By the way, in C/C++ code the 'L' must be directly adjacent to the quote

; it modifies. Usually it follows the string, but the programmer in this

; case decided not to do so.


RESOURCE_DLL   db "c:\masm32\source\Provider.dll",0 


Compiles to here with no error messages. 


HANDLE GetMessageResources();

DWORD SeekToLastRecord(HANDLE hEventLog);

DWORD GetLastRecordNumber(HANDLE hEventLog, DWORD* pdwMarker);

DWORD ReadRecord(HANDLE hEventLog, PBYTE & pBuffer, DWORD dwRecordNumber, DWORD dwFlags);

DWORD DumpNewRecords(HANDLE hEventLog);

DWORD GetEventTypeName(DWORD EventType);

LPWSTR GetMessageString(DWORD Id, DWORD argc, LPWSTR args);

DWORD ApplyParameterStringsToMessage(CONST LPCWSTR pMessage, LPWSTR & pFinalMessage);

BOOL IsKeyEvent(HANDLE hStdIn);


CONST LPWSTR pEventTypeNames[] = {L"Error", L"Warning", L"Informational", L"Audit Success", L"Audit Failure"};

HANDLE g_hResources = NULL;


.code


void wmain(void)

Edited by dargueta, 27 January 2011 - 12:23 AM.

[dargueta]

For the #define UNICODE part, when passing parameters to ml.exe on the command line, add /D UNICODE.
For the pragma, pass /Fo advapi32.lib on the command line. It should be one of the first ones since it's order-sensitive.

By the way, your "MyEventProvider" string should be declared with the dw directive, not db.

[Slider]

I fixed it and am up to here on the conversion.

RESOURCE_DLL   db "c:\masm32\source\Provider.dll",0 


I think some of these are Prototypes?


HANDLE GetMessageResources();

DWORD SeekToLastRecord(HANDLE hEventLog);

DWORD GetLastRecordNumber(HANDLE hEventLog, DWORD* pdwMarker);

DWORD ReadRecord(HANDLE hEventLog, PBYTE & pBuffer, DWORD dwRecordNumber, DWORD dwFlags);

DWORD DumpNewRecords(HANDLE hEventLog);

DWORD GetEventTypeName(DWORD EventType);

LPWSTR GetMessageString(DWORD Id, DWORD argc, LPWSTR args);

DWORD ApplyParameterStringsToMessage(CONST LPCWSTR pMessage, LPWSTR & pFinalMessage);

BOOL IsKeyEvent(HANDLE hStdIn);


CONST LPWSTR pEventTypeNames[] = {L"Error", L"Warning", L"Informational", L"Audit Success", L"Audit Failure"};

HANDLE g_hResources = NULL;


.code


void wmain(void)

Edited by dargueta, 27 January 2011 - 11:07 AM.
Please use code tags next time.

[dargueta]

Yes, those are all prototypes. I don't know MASM as well as I do NASM, but I'm almost positive you can't put the actual function prototypes in there, and I'm definitely sure the CONST LPWSTR pEventTypeNames[] declaration will not work as is.

Not to be rude, but it doesn't seem like you really know what you're doing here. Why are you trying to convert this to assembly language by hand? If it's for exercise, I have some example code that you'll find easier and more useful.

[Slider]

I won't make any more posts concerning that project.

Andy

[dargueta]

It's not that I want you to stop, I'm just wondering why you want to do this. Maybe I can show you a less frustrating way?