diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index e5df9167b8d..7588687a26b 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -351,8 +351,6 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff] *Winlogbeat* -- Add handling for missing `EvtVarType`s in experimental api. {issue}19337[19337] {pull}40684[40684] - *Functionbeat* diff --git a/winlogbeat/sys/strings.go b/winlogbeat/sys/strings.go index 34325c32f9d..d542277f17b 100644 --- a/winlogbeat/sys/strings.go +++ b/winlogbeat/sys/strings.go @@ -44,27 +44,3 @@ func RemoveWindowsLineEndings(s string) string { s = strings.Replace(s, "\r\n", "\n", -1) return strings.TrimRight(s, "\n") } - -// BinaryToString converts a binary field which is encoded in hexadecimal -// to its string representation. This is equivalent to hex.EncodeToString -// but its output is in uppercase to be equivalent to the windows -// XML formatting of this fields. -func BinaryToString(bin []byte) string { - if len(bin) == 0 { - return "" - } - - const hexTable = "0123456789ABCDEF" - - size := len(bin) * 2 - buffer := make([]byte, size) - - j := 0 - for _, v := range bin { - buffer[j] = hexTable[v>>4] - buffer[j+1] = hexTable[v&0x0f] - j += 2 - } - - return string(buffer) -} diff --git a/winlogbeat/sys/strings_test.go b/winlogbeat/sys/strings_test.go index 53f2d8ae632..0771b7b3cff 100644 --- a/winlogbeat/sys/strings_test.go +++ b/winlogbeat/sys/strings_test.go @@ -36,12 +36,6 @@ func TestUTF16BytesToString(t *testing.T) { assert.Equal(t, input, output) } -func TestMakeDisplayableBinaryString(t *testing.T) { - input := []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF} - output := BinaryToString(input) - assert.Equal(t, "0123456789ABCDEF", output) -} - func BenchmarkUTF16BytesToString(b *testing.B) { utf16Bytes := common.StringToUTF16Bytes("A logon was attempted using explicit credentials.") diff --git a/winlogbeat/sys/strings_windows.go b/winlogbeat/sys/strings_windows.go deleted file mode 100644 index c99417594e2..00000000000 --- a/winlogbeat/sys/strings_windows.go +++ /dev/null @@ -1,45 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -package sys - -import ( - "golang.org/x/sys/windows" - "golang.org/x/text/encoding" - "golang.org/x/text/encoding/charmap" -) - -var ansiDecoder *encoding.Decoder - -func init() { - ansiCP := windows.GetACP() - for _, enc := range charmap.All { - cm, ok := enc.(*charmap.Charmap) - cmID, _ := cm.ID() - if !ok || uint32(cmID) != ansiCP { - continue - } - ansiDecoder = cm.NewDecoder() - return - } - ansiDecoder = charmap.Windows1250.NewDecoder() -} - -func ANSIBytesToString(enc []byte) (string, error) { - out, err := ansiDecoder.Bytes(enc) - return string(out), err -} diff --git a/winlogbeat/sys/wineventlog/syscall_windows.go b/winlogbeat/sys/wineventlog/syscall_windows.go index 2dde1329e6b..6e03a1969cf 100644 --- a/winlogbeat/sys/wineventlog/syscall_windows.go +++ b/winlogbeat/sys/wineventlog/syscall_windows.go @@ -442,16 +442,11 @@ func (v EvtVariant) Data(buf []byte) (interface{}, error) { switch typ { case EvtVarTypeNull: return nil, nil - case EvtVarTypeString, EvtVarTypeEvtXml: + case EvtVarTypeString: addr := unsafe.Pointer(&buf[0]) offset := v.ValueAsUintPtr() - uintptr(addr) s, err := sys.UTF16BytesToString(buf[offset:]) return s, err - case EvtVarTypeAnsiString: - addr := unsafe.Pointer(&buf[0]) - offset := v.ValueAsUintPtr() - uintptr(addr) - s, err := sys.ANSIBytesToString(buf[offset:]) - return s, err case EvtVarTypeSByte: return int8(v.ValueAsUint8()), nil case EvtVarTypeByte: @@ -481,28 +476,15 @@ func (v EvtVariant) Data(buf []byte) (interface{}, error) { return false, nil } return true, nil - case EvtVarTypeBinary: - addr := unsafe.Pointer(&buf[0]) - offset := v.ValueAsUintPtr() - uintptr(addr) - return sys.BinaryToString(buf[offset:]), nil case EvtVarTypeGuid: addr := unsafe.Pointer(&buf[0]) offset := v.ValueAsUintPtr() - uintptr(addr) guid := (*windows.GUID)(unsafe.Pointer(&buf[offset])) copy := *guid return copy, nil - case EvtVarTypeSizeT: - return v.ValueAsUintPtr(), nil case EvtVarTypeFileTime: ft := (*windows.Filetime)(unsafe.Pointer(&v.Value)) return time.Unix(0, ft.Nanoseconds()).UTC(), nil - case EvtVarTypeSysTime: - st := (*windows.Systemtime)(unsafe.Pointer(&v.Value)) - var ft windows.Filetime - if err := sys.SystemTimeToFileTime(st, &ft); err != nil { - return nil, err - } - return time.Unix(0, ft.Nanoseconds()).UTC(), nil case EvtVarTypeSid: addr := unsafe.Pointer(&buf[0]) offset := v.ValueAsUintPtr() - uintptr(addr) diff --git a/winlogbeat/sys/zsyscall_windows.go b/winlogbeat/sys/zsyscall_windows.go deleted file mode 100644 index 00625824776..00000000000 --- a/winlogbeat/sys/zsyscall_windows.go +++ /dev/null @@ -1,42 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -package sys - -import ( - "fmt" - "syscall" - "unsafe" - - "golang.org/x/sys/windows" -) - -var _ unsafe.Pointer - -var ( - modkernel = windows.NewLazySystemDLL("Kernel32.dll") - - procSystemTimeToFileTime = modkernel.NewProc("SystemTimeToFileTime") -) - -func SystemTimeToFileTime(systemTime *windows.Systemtime, fileTime *windows.Filetime) error { - r1, _, err := syscall.SyscallN(procSystemTimeToFileTime.Addr(), uintptr(unsafe.Pointer(systemTime)), uintptr(unsafe.Pointer(fileTime))) - if r1 == 0 { - return fmt.Errorf("error converting system time to file time: %w", err) - } - return nil -} diff --git a/winlogbeat/sys/zsyscall_windows_test.go b/winlogbeat/sys/zsyscall_windows_test.go deleted file mode 100644 index b7bcbe0009a..00000000000 --- a/winlogbeat/sys/zsyscall_windows_test.go +++ /dev/null @@ -1,42 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -package sys - -import ( - "testing" - "time" - - "github.com/stretchr/testify/assert" - "golang.org/x/sys/windows" -) - -func TestSystemTimeToFileTime(t *testing.T) { - ts := time.Date( - 2024, time.Month(9), 3, - 0, 0, 0, 0, time.UTC).UnixNano() - st := windows.Systemtime{ - Year: 2024, - Month: 9, - Day: 3, - } - var ft windows.Filetime - if err := SystemTimeToFileTime(&st, &ft); err != nil { - t.Fatal(err) - } - assert.Equal(t, ts, ft.Nanoseconds()) -}