libyal / libevtx

Library and tools to access the Windows XML Event Log (EVTX) format
GNU Lesser General Public License v3.0

Get complete message #16

Closed shangshuhao closed 6 years ago

shangshuhao commented 6 years ago

Hi Joachim: Thanks for your work, the library is very useful to me. But I have run into a problem now: I want to get a complete message from evtx files; which API should I use? Can you give me an example? Thank you! Now I can get some strings by using libevtx_record_get_utf8_string.

joachimmetz commented 6 years ago

The full messages are not stored in the evtx files

See: https://github.com/libyal/libevtx/wiki/Tools#mounted and https://github.com/libyal/libevtx/blob/master/documentation/Windows%20XML%20Event%20Log%20(EVTX).asciidoc#541-message-strings for more details

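To make the pointer above concrete, here is an added example (my own code, not part of libevtx or of this thread) of what a tool such as evtxexport has to do with a message file once it has found one: parse the RT_MESSAGETABLE resource payload (MESSAGE_RESOURCE_DATA / MESSAGE_RESOURCE_BLOCK / MESSAGE_RESOURCE_ENTRY), pick the template for the record's message identifier, and substitute the record's strings into the %1..%n placeholders. The message table blob and the template text are constructed fixtures built by `build_message_table`; the Qualifiers value 0xC000 is an assumption, and the template is illustrative, not the text shipped in scardsvr.dll. The four insertion strings are the thread's first SCardSvr 610 record, translated to English.

```python
import re
import struct
from typing import Dict, List, Optional

# Flag bit in MESSAGE_RESOURCE_ENTRY.Flags: the text is UTF-16LE rather than ANSI.
MESSAGE_RESOURCE_UNICODE = 0x0001


def parse_message_table(data: bytes) -> Dict[int, str]:
    """Parse a MESSAGE_RESOURCE_DATA blob (payload of an RT_MESSAGETABLE resource).

    Layout: DWORD NumberOfBlocks, then that many MESSAGE_RESOURCE_BLOCK records
    {DWORD LowId; DWORD HighId; DWORD OffsetToEntries}; at each offset the entries
    for LowId..HighId follow back to back as {WORD Length; WORD Flags; BYTE Text[]},
    where Length covers the 4-byte header and any alignment padding.
    """
    (number_of_blocks,) = struct.unpack_from("<I", data, 0)
    messages: Dict[int, str] = {}
    for block_index in range(number_of_blocks):
        low_id, high_id, offset = struct.unpack_from("<III", data, 4 + 12 * block_index)
        for message_id in range(low_id, high_id + 1):
            length, flags = struct.unpack_from("<HH", data, offset)
            if length < 4 or offset + length > len(data):
                raise ValueError(f"corrupt entry for message 0x{message_id:08x}")
            raw = data[offset + 4 : offset + length]
            if flags & MESSAGE_RESOURCE_UNICODE:
                text = raw.decode("utf-16-le", errors="replace")
            else:
                text = raw.decode("cp1252", errors="replace")  # ANSI code page assumed
            messages[message_id] = text.rstrip("\x00")  # entries keep their trailing CRLF
            offset += length
    return messages


def build_message_table(entries: Dict[int, str]) -> bytes:
    """Encode {message_id: text} as a MESSAGE_RESOURCE_DATA blob (constructed fixture only;
    a real table is read from the DLL's .rsrc section). One block per run of consecutive IDs."""
    blocks: List[List[int]] = []
    for message_id in sorted(entries):
        if blocks and blocks[-1][1] + 1 == message_id:
            blocks[-1][1] = message_id
        else:
            blocks.append([message_id, message_id])
    header_size = 4 + 12 * len(blocks)
    block_records, body = bytearray(), bytearray()
    for low, high in blocks:
        block_records += struct.pack("<III", low, high, header_size + len(body))
        for message_id in range(low, high + 1):
            text = (entries[message_id] + "\r\n").encode("utf-16-le") + b"\x00\x00"
            padding = (-(4 + len(text))) % 4
            body += struct.pack("<HH", 4 + len(text) + padding, MESSAGE_RESOURCE_UNICODE)
            body += text + b"\x00" * padding
    return struct.pack("<I", len(blocks)) + bytes(block_records) + bytes(body)


def message_identifier(event_identifier: int, qualifiers: int) -> int:
    """Legacy-style message ID: the EventID Qualifiers attribute in the high word, EventID low."""
    return ((qualifiers & 0xFFFF) << 16) | (event_identifier & 0xFFFF)


def lookup_message(table: Dict[int, str], event_identifier: int, qualifiers: int = 0) -> Optional[str]:
    full_id = message_identifier(event_identifier, qualifiers)
    if full_id in table:
        return table[full_id]
    # Fallback (my choice, not documented libevtx behaviour): match on the low word only,
    # i.e. the number evtxexport prints as "Event identifier", if that is unambiguous.
    matches = [t for mid, t in table.items() if mid & 0xFFFF == event_identifier & 0xFFFF]
    return matches[0] if len(matches) == 1 else None


_TOKEN = re.compile(r"%(?:(\d{1,2})(?:!([^!]*)!)?|([nrt%]))")


def format_message(template: str, strings: List[str]) -> str:
    """FormatMessage-style expansion: %1..%99 take the record's strings (an optional
    !fmt! qualifier is ignored), %n/%r/%t/%% are escapes, %0 ends the message."""

    def replace(match: "re.Match") -> str:
        index, _fmt, escape = match.groups()
        if index is not None:
            if index == "0":
                return "\x00"  # marker: truncate here
            position = int(index) - 1
            return strings[position] if position < len(strings) else match.group(0)
        return {"n": "\n", "r": "\r", "t": "\t", "%": "%"}[escape]

    return _TOKEN.sub(replace, template).split("\x00", 1)[0].rstrip("\r\n")


def render_record(table_blob: bytes, event_identifier: int, qualifiers: int, strings: List[str]) -> Optional[str]:
    template = lookup_message(parse_message_table(table_blob), event_identifier, qualifiers)
    return None if template is None else format_message(template, strings)


# Constructed fixture modelled on the thread's SCardSvr event 610 (Qualifiers assumed 0xC000).
SAMPLE_TABLE = build_message_table({
    0xC0000262: "Smart Card Reader '%2' rejected IOCTL %3: %1 If this error persists, your smart "
                "card or reader may not be functioning correctly.%n%nCommand Header: %4",
    0xC0000263: "Smart Card Reader '%2' failed to start.",
    0x40000001: "Service started.",
})
RECORD_STRINGS = [  # the thread's first record, string 1 translated from Portuguese
    "The request could not be performed because of an I/O device error.",
    "Gemalto USB Smart Card Reader 0",
    "TRANSMIT",
    "00 ca 01 01",
]

if __name__ == "__main__":
    print(render_record(SAMPLE_TABLE, 610, 0xC000, RECORD_STRINGS))
```

The point to take from this: the evtx record carries only the four strings and the identifier; the sentence around them has to come from the message file of the provider, and the identifier you see in evtxexport output is only the low 16 bits of the key the message table is indexed by.
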
arisjr commented 3 years ago

Hello Joachim,

Thanks for your great work for the 4n6 community, always being able to help.

I would like to reopen this issue, if possible, because I need to use evtxexport in a scenario. No complete message strings are being exported, but the strings are printed separately.

I tried to use the mount option described above, as well as trying to recover the message string provider DLLs, without success on a Windows 10 2004, build number 19041 (I couldn't find the message texts in the .rsrc section of the provider files, microsoft-windows-system-events.dll for example, if I am right in the provider search).

Plaso is working fine; I tried it with Timesketch and the messages are complete, but I need to get evtxexport working as Plaso does. I don't know if I am doing it right.

Example:

$ evtxexport -p mnttmp/ -s mnttmp/Windows/System32/config/SYSTEM -S mnttmp/Windows/System32/config/SOFTWARE mnttmp/Windows/System32/winevt/Logs/System.evtx
evtxexport 20210525

Event number                    : 170677
Creation time                   : Jul 31, 2020 00:03:15.516635400 UTC
Written time                    : Jul 31, 2020 00:03:15.516635400 UTC
Event level                     : Error (2)
Computer name                   : note-jr
Source name                     : SCardSvr
Event identifier                : 0x00000262 (610)
Resource filename               : %SystemRoot%\system32\scardsvr.dll
Message filename                : %SystemRoot%\system32\scardsvr.dll
Number of strings               : 4
String: 1                       : A solicitação não pôde ser executada devido a um erro do dispositivo de E/S.
String: 2                       : Gemalto USB Smart Card Reader 0
String: 3                       : TRANSMIT
String: 4                       : 00 ca 01 01

Event number                    : 170678
Creation time                   : Jul 31, 2020 00:03:20.603928900 UTC
Written time                    : Jul 31, 2020 00:03:20.603928900 UTC
Event level                     : Error (2)
Computer name                   : note-jr
Source name                     : SCardSvr
Event identifier                : 0x00000262 (610)
Resource filename               : %SystemRoot%\system32\scardsvr.dll
Message filename                : %SystemRoot%\system32\scardsvr.dll
Number of strings               : 4
String: 1                       : A solicitação não pôde ser executada devido a um erro do dispositivo de E/S.
String: 2                       : Gemalto USB Smart Card Reader 0
String: 3                       : TRANSMIT
String: 4                       : 80 54 01 01

Event number                    : 170679
Creation time                   : Jul 31, 2020 00:03:24.412256800 UTC
Written time                    : Jul 31, 2020 00:03:24.412256800 UTC
Event level                     : Error (2)
Computer name                   : note-jr
Source name                     : SCardSvr
Event identifier                : 0x00000262 (610)
Resource filename               : %SystemRoot%\system32\scardsvr.dll
Message filename                : %SystemRoot%\system32\scardsvr.dll
Number of strings               : 4
String: 1                       : A solicitação não pôde ser executada devido a um erro do dispositivo de E/S.
String: 2                       : Gemalto USB Smart Card Reader 0
String: 3                       : TRANSMIT
String: 4                       : 00 a4 00 0c

[...]
joachimmetz commented 3 years ago

@arisjr in your case this could be caused by the hard-coded en-US LCID: https://github.com/libyal/libevtx/blob/main/evtxtools/evtxexport.c#L486

Try changing 0x409 to the LCID for the language of the system you're extracting the message strings from.

I couldn't find the message texts on the .rsrc section of the provider files, microsoft-windows-system-events.dll for example, if I am right in the provider search

in the output you see the message file (as defined by the message provider in the Windows Registry), e.g.

Resource filename               : %SystemRoot%\system32\scardsvr.dll
Message filename                : %SystemRoot%\system32\scardsvr.dll

Now this file could MUI redirect to a language specific file, this is mentioned here https://github.com/libyal/libevtx/blob/main/documentation/Windows%20XML%20Event%20Log%20(EVTX).asciidoc#multilingual-user-interface-mui-event-message-files

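The two comments above describe the lookup that the LCID and the MUI redirect feed into. As an added example (my own code, not libevtx's, which does this in C in evtxtools), this resolves the message file name from the registry to a file on a mounted image: expand %SystemRoot%, try the language-specific `<dir>\<locale>\<name>.mui` for the system's LCID before the en-US fallback, then the base binary, and match each path component case-insensitively because the image is NTFS but the mount point is on a case-sensitive filesystem. The LCID table, the default environment and the directory tree built by `build_demo_mount` are assumptions/constructed fixtures.

```python
import os
import re
import tempfile
from typing import Dict, List, Optional

# Windows language identifiers for the locales used here (assumed subset).
LCID_TO_LOCALE = {0x0409: "en-US", 0x0416: "pt-BR", 0x0407: "de-DE"}

# %VAR% values the message file paths refer to; normally taken from the
# SOFTWARE/SYSTEM hives, assumed here.
DEFAULT_ENVIRONMENT = {"systemroot": r"C:\Windows", "windir": r"C:\Windows"}


def expand_environment(win_path: str, environment: Dict[str, str]) -> str:
    """Expand %VAR% references case-insensitively, as the Windows loader would."""
    return re.sub(r"%([^%]+)%",
                  lambda m: environment.get(m.group(1).lower(), m.group(0)), win_path)


def mui_candidates(message_file: str, lcid: int, fallback_lcid: int = 0x0409) -> List[str]:
    """Windows paths to try, most specific first: the MUI for the system locale, the MUI
    for the fallback locale (en-US, the value evtxexport had hard-coded), then the base file."""
    directory, _, name = message_file.rpartition("\\")
    locales: List[str] = []
    for locale in (LCID_TO_LOCALE.get(lcid), LCID_TO_LOCALE.get(fallback_lcid)):
        if locale and locale not in locales:
            locales.append(locale)
    return [f"{directory}\\{locale}\\{name}.mui" for locale in locales] + [message_file]


def locate_in_mount(mount_point: str, win_path: str) -> Optional[str]:
    """Map a Windows path onto the mounted image, matching each component case-insensitively
    (so 'system32' from the registry still finds the image's 'System32' directory)."""
    current = mount_point
    for component in [c for c in re.sub(r"^[A-Za-z]:", "", win_path).split("\\") if c]:
        try:
            entries = os.listdir(current)
        except (NotADirectoryError, FileNotFoundError):
            return None
        matches = [e for e in entries if e.lower() == component.lower()]
        if not matches:
            return None
        current = os.path.join(current, matches[0])
    return current


def resolve_message_file(mount_point: str, message_file: str, lcid: int,
                         environment: Dict[str, str] = DEFAULT_ENVIRONMENT) -> Optional[str]:
    """First candidate that exists on the mounted image, or None."""
    for candidate in mui_candidates(expand_environment(message_file, environment), lcid):
        found = locate_in_mount(mount_point, candidate)
        if found is not None:
            return found
    return None


def build_demo_mount() -> str:
    """Constructed stand-in for a mounted pt-BR Windows 10 image: the MUI exists under
    pt-BR only, there is no en-US directory, and the base DLL is present."""
    root = tempfile.mkdtemp(prefix="evtx-mui-")
    for rel in ("Windows/System32/pt-BR/scardsvr.dll.mui", "Windows/System32/scardsvr.dll"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(b"MZ")  # placeholder, not a real PE
    return root


if __name__ == "__main__":
    mount = build_demo_mount()
    for lcid in (0x0416, 0x0409):
        print(hex(lcid), resolve_message_file(mount, r"%SystemRoot%\system32\scardsvr.dll", lcid))
```

With the pt-BR LCID the lookup lands on `System32/pt-BR/scardsvr.dll.mui`; with en-US hard-coded it skips straight to the base `scardsvr.dll`, which on a localized Windows 10 holds no message table of its own, so the template is never found and only the separate strings get printed, which is the symptom reported in this issue.
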
arisjr commented 3 years ago

You were right Joachim!

It was the hard-coded LCID, but I saw through strace that I needed to change evtxtools/message_handle.c as well, which has "en-US" hard-coded. I changed it to pt-BR, which is the local system language, and it found the MUI files. Now it's working fine!

Thanks and Best regards!