Closed dgmcdona closed 3 months ago
Hi, thanks for this - do you have a sample that triggers this?
You can see the effects of this by overwriting one of the string table entries with null bytes. Here's an example from samples/security.evtx
. I made the following change to two bytes at offset 0x1094
:
radiff2 -x samples/security.evtx ~/Downloads/security_bad_string_table.evtx
offset 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
0x00000000 456c6646696c65000000000000000000 ElfFile......... 456c6646696c65000000000000000000 ElfFile.........
0x00000010 1900000000000000b208000000000000 ................ 1900000000000000b208000000000000 ................
...
0x00001090! ec070000f3050000e804000000000000 ................ ec07000000000000e804000000000000 ................
0x000010a0 0000000000000000660900003d030000 ........f...=... 0000000000000000660900003d030000 ........f...=...
0x000010b0 00000000000000004071000000000000 ........@q...... 00000000000000004071000000000000 ........@q......
This causes a change in the JSON output when parsed using the current release:
diff <(jq . sec_good.jsonl | gron) <(jq . sec_bad.jsonl | gron)
13c13
< json.Event.System.Execution["#attributes"].ThreadID = 460;
---
> json.Event.System.Execution["#attributes"][""] = 460;
22d21
< json.Event.System.Task = 12288;
26a26
> json.Event.System[""] = 12288;
This fix produces an identical JSON file to the original since the string cache miss is now handled correctly. I can add a corrupt version of the existing sample + an insta snapshot test if you'd like.
I went ahead and added the test that I mentioned above.
Thank you!
This fixes an off-by-six bug in assemble.rs that was causing string-cache miss backup parsing to fail. When the string cache is populated in
string_cache.rs
, from the given offset in the chunk header, aBinXmlNameLink
(which is 6 total bytes in size) is read from the cursor, followed by theBinXmlName
. On cache misses,assemble.rs
was not reading theBinXmlNameLink
which was in turn failing to advance the cursor by the number of bytes required.This commit adds 6 to the offset in
assemble.rs
, fixing this problem.See https://github.com/omerbenamram/evtx/blob/6f374c8d42370397a6fd45d69ebb9b46dfbf73ae/src/string_cache.rs#L24