omerbenamram / evtx

A Fast (and safe) parser for the Windows XML Event Log (EVTX) format
Apache License 2.0

5111875 is an unknown value for bool, coercing to `true` #206

Open janstarke opened 2 years ago

janstarke commented 2 years ago

Those (or similar) messages are created when evtx reads a boolean value (type code 0x0d with a length of 4) which has a value different from 0x00 or 0x01. According to Microsoft's definition, a BoolType is "An 8-bit integer that MUST be 0x00 or 0x01 (mapping to true or false, respectively)." (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-even6/8aa98312-f199-4e37-a51f-d3a2ccb50d60)

There seems to be a bug somewhere either in the creator of evtx files or in the parser.

Microsoft defines the following (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-even6/c73573ae-1c90-43a2-a65f-ad7501155956):

TemplateInstanceData = ValueSpec *Value; Emit using TemplateInstanceDataRule
ValueSpec = NumValues *ValueSpecEntry
ValueSpecEntry = ValueByteLength ValueType %x00
ValueByteLength = WORD
ValueType = 
  NullType / StringType / AnsiStringType / Int8Type / UInt8Type / 
  Int16Type / UInt16Type / Int32Type / UInt32Type / Int64Type / 
  Int64Type / Real32Type / Real64Type / BoolType / BinaryType / 
  GuidType / SizeTType / FileTimeType / SysTimeType / SidType / 
  HexInt32Type / HexInt64Type / BinXmlType / StringArrayType / 
  AnsiStringArrayType / Int8ArrayType / UInt8ArrayType / 
  Int16ArrayType / UInt16ArrayType / Int32ArrayType / UInt32ArrayType/
  Int64ArrayType / UInt64ArrayType / Real32ArrayType / 
  Real64ArrayType / BoolArrayType / GuidArrayType / SizeTArrayType / 
  FileTimeArrayType / SysTimeArrayType / SidArrayType / 
  HexInt32ArrayType / HexInt64ArrayType
BoolType = %x0D

Value = 
  StringValue / AnsiStringValue / Int8Value / UInt8Value / 
  Int16Value / UInt16Value / Int32Value / UInt32Value / Int64Value /
  UInt64Value / Real32Value / Real64Value / BoolValue / BinaryValue / 
  GuidValue / SizeTValue / FileTimeValue / SysTimeValue / SidValue /
  HexInt32Value / HexInt64Value / BinXmlValue / StringArrayValue / 
  AnsiStringArrayValue / Int8ArrayValue / UInt8ArrayValue / 
  Int16ArrayValue / UInt16ArrayValue / Int32ArrayValue / 
  UInt32ArrayValue / Int64ArrayValue / UInt64ArrayValue / 
  Real32ArrayValue / Real64ArrayValue / BoolArrayValue / 
  GuidArrayValue / SizeTArrayValue / FileTimeArrayValue / 
  SysTimeArrayValue / SidArrayValue / HexInt32ArrayValue / 
  HexInt64ArrayValue

So, a boolean should look like the following:

0x00000001 0x01 0x0d 0x00 0x00
    |        |    |    |    |
    |        |    |    |    +-> Value
    |        |    |    +------> %x00
    |        |    +-----------> ValueType
    |        +----------------> ValueByteLength
    +-------------------------> NumValues

But obviously, there are (sometimes) BoolTypes with a ValueByteLength of 4, which violate the specification. You've added special handling for boolean values which do not match 0x00 or 0x01. Do you know why there are such values?

I'm not sure if this is really a bug in your code, but reading 4 bytes for a boolean value also violates the specification, and I was interested in what the reason for this is.
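An added example, not the evtx crate's own code and not part of the issue: a small Rust reader for the ValueSpec / Value layout quoted above that decodes BoolType (0x0D) strictly and reports out-of-spec encodings (a 4-byte ValueByteLength, or a byte other than 0x00/0x01) instead of silently coercing them. The buffer is constructed here and carries the 5111875 from the title; `BoolValue`, `SAMPLE` and `parse_bools` are names introduced for this example.

```rust
/// One decoded BoolType (0x0D) value: in spec, or out of spec and coerced the
/// way the issue's log line describes (0 -> false, anything else -> true).
#[derive(Debug, PartialEq)]
pub enum BoolValue {
    Strict(bool),
    OutOfSpec { raw: u32, len: u16, coerced: bool },
}

/// Constructed sample: NumValues = 2, two ValueSpecEntry records, then the two
/// values. Value 0 is a 4-byte bool holding 5111875 (0x004E0043), the number
/// from the issue title; value 1 is the spec-conforming 1-byte 0x01.
pub const SAMPLE: &[u8] = &[
    0x02, 0x00, 0x00, 0x00, // NumValues
    0x04, 0x00, 0x0D, 0x00, // entry 0: ValueByteLength 4, BoolType, %x00
    0x01, 0x00, 0x0D, 0x00, // entry 1: ValueByteLength 1, BoolType, %x00
    0x43, 0x00, 0x4E, 0x00, // value 0: 5111875 as a little-endian DWORD
    0x01,                   // value 1: true
];

/// Walk the ValueSpec, consume every value to keep offsets aligned, and decode
/// the BoolType ones, flagging any that violate MS-EVEN6 (length != 1 or a
/// byte other than 0x00/0x01) rather than accepting them without notice.
pub fn parse_bools(data: &[u8]) -> Result<Vec<BoolValue>, String> {
    let h = data.get(0..4).ok_or("truncated NumValues")?;
    let num = u32::from_le_bytes([h[0], h[1], h[2], h[3]]) as usize;
    let mut off = 4 + num * 4; // values start right after the entries
    let mut out = Vec::new();
    for i in 0..num {
        let e = data.get(4 + i * 4..8 + i * 4).ok_or(format!("entry {i}: truncated"))?;
        let (len, ty) = (u16::from_le_bytes([e[0], e[1]]), e[2]);
        if e[3] != 0x00 {
            return Err(format!("entry {i}: reserved byte {:#04x}, expected 0x00", e[3]));
        }
        let val = data.get(off..off + len as usize).ok_or(format!("value {i}: truncated"))?;
        off += len as usize;
        if ty != 0x0D { continue; } // not a bool; already consumed above
        if len == 1 && val[0] <= 0x01 {
            out.push(BoolValue::Strict(val[0] == 0x01));
        } else if (1..=4).contains(&len) {
            let mut raw = [0u8; 4];
            raw[..val.len()].copy_from_slice(val);
            let raw = u32::from_le_bytes(raw);
            out.push(BoolValue::OutOfSpec { raw, len, coerced: raw != 0 });
        } else {
            return Err(format!("value {i}: BoolType of length {len} is not decodable"));
        }
    }
    Ok(out)
}
```

Running `parse_bools(SAMPLE)` yields the 4-byte value as `OutOfSpec { raw: 5111875, len: 4, coerced: true }` followed by `Strict(true)`, so a consumer can count or log the out-of-spec records separately from clean ones.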