libyal / libevtx

Library and tools to access the Windows XML Event Log (EVTX) format
GNU Lesser General Public License v3.0

Please provide API functions to retrieve "string_identifiers_array" values, too #12

Closed phmarek closed 6 years ago

phmarek commented 6 years ago

Currently the only way to get the string_identifiers_array data seems to be using the XML functions, and to parse the string IDs from the XML blob. That's not a good idea.

Please provide functions similar to libevtx_record_get_utf8_string.

Thank you!

joachimmetz commented 6 years ago

I'm not sure what you are trying to accomplish by having this function.

string_identifiers_array is only used by WEVT templates.

phmarek commented 6 years ago

Well, how would I get the descriptive names of the string data in a record? That information is in string_identifiers_array, right? But that data currently can't be queried.

joachimmetz commented 6 years ago

That information is in string_identifiers_array, right?

Nope, not for regular event log records.

have a look at: https://github.com/libyal/libevtx/blob/master/documentation/Windows%20XML%20Event%20Log%20(EVTX).asciidoc#event-data

The "descriptive name" is defined at XML level. It depends on the template of the event log record if it is even used.

phmarek commented 6 years ago

Hmm, I guess I'm confused.

With XML output I get e.g.

  <EventData>
    <Data Name="ReasonCode">0x00000000</Data>

but with text only

  String: 6                       : 0x00000000

How would a program using the API get the ReasonCode name?

I'm not passing in any parameters about registry hives or templates, so that data must be available in the event log file; which function would give me that string key back?

Thank you very much for the quick answers!

joachimmetz commented 6 years ago

<Data Name="ReasonCode" is part of the event record XML; it's an attribute of the Data element. It could very well be <ReasonCode>0x00000000</ReasonCode> or <Data Description="ReasonCode". Without the event message template (WEVT) there is no means to consistently derive the "name" of event data (string).

phmarek commented 6 years ago

But where does libevtx get the name from, then? Does it access the WEVTs somewhere? How could I get these key names?

joachimmetz commented 6 years ago

But where does libevtx get the name from, then?

It is part of the binary XML in the event record: https://github.com/libyal/libevtx/blob/master/documentation/Windows%20XML%20Event%20Log%20(EVTX).asciidoc#32-event-record

Does it access the WEVTs somewhere?

Not by default; there is experimental functionality to try this.

How could I get these key names?

Without the template you can only guesstimate; one solution, which you already provided, is to parse the string IDs from the XML.

phmarek commented 6 years ago

Could libevtx provide these via some API functions as well? (Or does it already?)

joachimmetz commented 6 years ago

Could libevtx provide these via some API functions as well?

Not sure what you mean by these.

If you mean if libevtx could expose WEVT templates, then no. These are stored in PE/COFF resources (there are likely more formats). So out of scope of libevtx.

If you mean string IDs parsed from the XML: not at the moment, maybe after more research.
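The workaround both sides of this thread land on (parse the Data Name attributes out of the record's XML, since libevtx has no API for them and the name is only what the binary XML happens to carry) is shown below as an added example. It is not code from libevtx, pyevtx or either participant. It assumes the XML text is what libevtx's UTF-8 XML string function (or pyevtx's record.xml_string) returns for a record; the sample records are constructed here, not taken from a real log. It also covers the two alternative shapes joachimmetz mentions (an element named after the field instead of a Data element, and a Description attribute instead of Name) and falls back to a positional "String: N" key, in the spirit of the text output, when no name is present.

```python
"""Extract named event-data fields from an EVTX record's XML string.

Added example (not part of libevtx, pyevtx or this issue thread).
Assumes the input is the record XML as emitted by libevtx, e.g.
libevtx_record_get_utf8_xml_string() or pyevtx's record.xml_string.
"""
import xml.etree.ElementTree as ET

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"

# Constructed sample record (provider name and values are made up) in the
# shape libevtx emits: a <Data Name="..."> list under <EventData>, plus
# one unnamed and one empty-named Data element to exercise the fallback.
SAMPLE_EVENTDATA_XML = f"""<Event xmlns="{EVENT_NS}">
  <System>
    <Provider Name="Example-Provider"/>
    <EventID>1</EventID>
    <EventRecordID>42</EventRecordID>
  </System>
  <EventData>
    <Data Name="SubjectUserName">alice</Data>
    <Data Name="ReasonCode">0x00000000</Data>
    <Data>unnamed positional value</Data>
    <Data Name="">empty name</Data>
  </EventData>
</Event>"""

# Constructed sample of the other shape mentioned in the thread: a
# <UserData> wrapper whose fields are elements named after the field.
SAMPLE_USERDATA_XML = f"""<Event xmlns="{EVENT_NS}">
  <System><EventID>2</EventID></System>
  <UserData>
    <Payload xmlns="urn:example-payload">
      <ReasonCode>0x00000001</ReasonCode>
      <Data Description="Detail">described value</Data>
    </Payload>
  </UserData>
</Event>"""


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree prepends to tag names."""
    return tag.rsplit("}", 1)[-1]


def event_data_fields(xml_text):
    """Return a list of (key, value) pairs for the record's event data.

    The key is whatever the XML actually carries, in this order of preference:
      - <Data Name="X">        -> "X"
      - <Data Description="X"> -> "X"
      - <Data> with no name    -> "String: N", N = 0-based position in the
                                  container (this example's convention)
      - any other element      -> its local tag name (<ReasonCode>...</ReasonCode>)
    Returns [] when the record has neither <EventData> nor <UserData>.
    Raises ET.ParseError on malformed XML; callers should treat that as a
    corrupt or truncated record rather than silently skipping it.
    """
    root = ET.fromstring(xml_text)
    container = None
    for child in root:
        if _local(child.tag) in ("EventData", "UserData"):
            container = child
            break
    if container is None:
        return []
    # UserData normally wraps the fields in a single provider-specific
    # element; descend one level so the fields themselves are enumerated.
    if _local(container.tag) == "UserData" and len(container) == 1:
        container = container[0]

    fields = []
    for index, elem in enumerate(container):
        tag = _local(elem.tag)
        value = (elem.text or "").strip()
        if tag == "Data":
            name = elem.get("Name") or elem.get("Description")
            key = name if name else f"String: {index}"
        else:
            key = tag
        fields.append((key, value))
    return fields


def lookup(fields, key):
    """Return every value stored under key (a record may repeat a name)."""
    return [value for k, value in fields if k == key]


if __name__ == "__main__":
    for xml_text in (SAMPLE_EVENTDATA_XML, SAMPLE_USERDATA_XML):
        for key, value in event_data_fields(xml_text):
            print(f"{key:24s}: {value}")
```

With pyevtx the same function applies per record (`event_data_fields(record.xml_string)` inside a loop over the file's records). Keep in mind joachimmetz's caveat: the key is only as good as what the provider wrote into the binary XML, so detection logic keyed on names like ReasonCode should be prepared for records where the name is absent and only the positional fallback is available.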