0xrawsec / golang-evtx

GNU General Public License v3.0

Large data (>32k) in NormalSubstitution array #5

Closed phaag closed 6 years ago

phaag commented 6 years ago

Hi, if data blocks in NormalSubstitutions are bigger than 32K, the int16 Size value in the ValueDescriptor struct in structs.go overflows and parses wrong data. Replacing int16 by uint16 for Size in ValueDescriptor (struct.go line 810) and replacing all depending Size int16 to uint16 in values.go for the various type definitions (fix compiler errors) as well as the type casts in values.go (e.g. uint(a.Size/2) line 447, 477) fixes the problem.

Thx for implementing an evtx parser in Go!

qjerome commented 6 years ago

Hi, Thank you very much for opening the issue and providing the solution :). I will fix the thing soon. Cheers,

qjerome commented 6 years ago

Hi, I committed the changes, could you please test if those solve the issue? Cheers,

phaag commented 6 years ago

thx @qjerome for fixing! Works!