Velocidex / evtx

Golang Parser for Microsoft Event Logs
Apache License 2.0
98 stars 17 forks

Some "Value Types" are not parsed with correct format #20

Closed gaddiab closed 2 years ago

gaddiab commented 3 years ago

The switch statement at https://github.com/Velocidex/evtx/blob/b4f61df6d40145d3a78d48fba36650e00e457f6e/evtx.go#L595 is missing some "Value Types", and the missing types are handled by the default statement, which gives wrong data (reads them as a string).

I came across a sample evtx that contains the two additional types below:

1. 0x07: Int32Type
2. 0x0c: Real64Type (floating point 64-bit, double precision)

Adding two more case statements for these types:

        case 0x07:
            arg_values[idx] = ctx.ConsumeInt32()

        case 0xc:
            arg_values[idx] = ctx.ConsumeReal64()

and a quick implementation for the Consume functions:

// ConsumeInt32 reads a little-endian int32 at the current offset and advances by 4 bytes.
func (self *ParseContext) ConsumeInt32() (ret int32) {
    // Bounds check must match the 4 bytes actually consumed (not 8).
    if len(self.buff) < self.offset+4 {
        return 0
    }

    buf := bytes.NewReader(self.buff[self.offset:])
    err := binary.Read(buf, binary.LittleEndian, &ret)
    if err != nil {
        fmt.Println("Read Failed:", err)
    }
    self.offset += 4
    return
}

// ConsumeReal64 reads a little-endian float64 at the current offset and advances by 8 bytes.
func (self *ParseContext) ConsumeReal64() (ret float64) {
    if len(self.buff) < self.offset+8 {
        return 0
    }

    buf := bytes.NewReader(self.buff[self.offset:])
    err := binary.Read(buf, binary.LittleEndian, &ret)
    if err != nil {
        fmt.Println("Read Failed:", err)
    }
    self.offset += 8
    return
}

I added a quick implementation for ConsumeReal64 and ConsumeInt32 and it works.

We can add all the other types defined in the "Value Types" section: https://github.com/libyal/libevtx/blob/main/documentation/Windows%20XML%20Event%20Log%20(EVTX).asciidoc#43-value-types

Thanks & Best Regards
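As an added example (not the project's code and not part of the issue), the following stand-alone Go program shows the dispatch the issue asks for, generalized from the two types reported (0x07 and 0x0c) to all the fixed-width numeric value types in the libyal table linked above. The `ParseContext`, `ParseValue` and `ParseValues` names are assumptions for this example. The point of security interest is the two failure modes the issue touches: an unknown type must not fall through to a string read, and the bounds check must use the width that is actually consumed so a truncated record cannot push the cursor past the buffer.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"math"
)

// Value type identifiers from the "Value Types" table of the libyal EVTX
// documentation linked in the issue. Only fixed-width numerics are handled
// here; strings, GUIDs, SIDs, FILETIME etc. are left to the caller.
const (
	Int16Type  = 0x05
	UInt16Type = 0x06
	Int32Type  = 0x07
	UInt32Type = 0x08
	Int64Type  = 0x09
	UInt64Type = 0x0a
	Real32Type = 0x0b
	Real64Type = 0x0c
)

// ParseContext is a minimal stand-in for the parser's cursor over a
// substitution-value buffer (hypothetical; not the project's own type).
type ParseContext struct {
	Buff   []byte
	Offset int
}

// take returns the next n bytes and advances the cursor, or false when the
// buffer is too short. The width checked equals the width consumed.
func (ctx *ParseContext) take(n int) ([]byte, bool) {
	if ctx.Offset+n > len(ctx.Buff) {
		return nil, false
	}
	b := ctx.Buff[ctx.Offset : ctx.Offset+n]
	ctx.Offset += n
	return b, true
}

// ParseValue decodes one fixed-width numeric substitution value of the given
// type. Unknown types and truncated buffers are reported as errors instead of
// being silently read back as a string.
func ParseValue(ctx *ParseContext, valueType byte) (interface{}, error) {
	var width int
	switch valueType {
	case Int16Type, UInt16Type:
		width = 2
	case Int32Type, UInt32Type, Real32Type:
		width = 4
	case Int64Type, UInt64Type, Real64Type:
		width = 8
	default:
		return nil, fmt.Errorf("unsupported value type 0x%02x", valueType)
	}
	b, ok := ctx.take(width)
	if !ok {
		return nil, fmt.Errorf("value type 0x%02x needs %d bytes at offset %d, have %d",
			valueType, width, ctx.Offset, len(ctx.Buff)-ctx.Offset)
	}
	le := binary.LittleEndian
	switch valueType {
	case Int16Type:
		return int16(le.Uint16(b)), nil
	case UInt16Type:
		return le.Uint16(b), nil
	case Int32Type:
		return int32(le.Uint32(b)), nil
	case UInt32Type:
		return le.Uint32(b), nil
	case Int64Type:
		return int64(le.Uint64(b)), nil
	case UInt64Type:
		return le.Uint64(b), nil
	case Real32Type:
		return math.Float32frombits(le.Uint32(b)), nil
	default: // Real64Type
		return math.Float64frombits(le.Uint64(b)), nil
	}
}

// ParseValues decodes a run of values whose types are given in order, the way
// a template's substitution array is walked.
func ParseValues(buff []byte, types []byte) ([]interface{}, error) {
	ctx := &ParseContext{Buff: buff}
	out := make([]interface{}, 0, len(types))
	for i, t := range types {
		v, err := ParseValue(ctx, t)
		if err != nil {
			return out, fmt.Errorf("value %d: %w", i, err)
		}
		out = append(out, v)
	}
	return out, nil
}

// SampleBuffer is constructed for this example: int32 -42 followed by
// float64 3.5, both little-endian, as they would sit in a substitution array.
var SampleBuffer = []byte{
	0xd6, 0xff, 0xff, 0xff, // -42
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0x40, // 3.5
}

func main() {
	vals, err := ParseValues(SampleBuffer, []byte{Int32Type, Real64Type})
	fmt.Println(vals, err) // [-42 3.5] <nil>

	// A two-byte buffer cannot hold an Int32: reported, not read as garbage.
	_, err = ParseValues([]byte{0x01, 0x02}, []byte{Int32Type})
	fmt.Println(err)
}
```

Returning an error for unknown types is the opposite of the current default branch's behaviour; in a parser that is fed attacker-influenced log files, failing loudly on an unrecognized type is preferable to emitting a plausible-looking string that an analyst might trust.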

scudette commented 3 years ago

Thanks! This is great - can you send a PR please? Also, can you find a sample evtx file that can be shared so we can add it to the test suite? Do you recall the event id and provider of the event in question?

gaddiab commented 3 years ago

Thanks for the reply, I will do a PR. For a sample evtx, I will try to reproduce a similar evtx file on my local environment and will share it. The provider is "Microsoft-Exchange-ActiveMonitoring", and the eventId is "3".

Thanks & Best Regards