evtx 0.11.2

A Fast (and safe) parser for the Windows XML Event Log (EVTX) format
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184

use crate::err::DeserializationError;
use crate::err::DeserializationResult as Result;

use crate::ChunkOffset;
use crate::utils::ByteCursor;

use std::{fmt::Formatter, io::Cursor};

use std::fmt;

const WEVT_INLINE_NAME_HASH_MULTIPLIER: u32 = 65599;

#[derive(Debug, PartialEq, Eq, PartialOrd, Clone, Hash)]
pub struct BinXmlName {
    str: String,
}

#[derive(Copy, Clone, Debug, PartialEq, Eq)]
pub enum BinXmlNameEncoding {
    /// Standard EVTX encoding where names are referenced by offsets into the chunk string table.
    Offset,
    /// WEVT_TEMPLATE / CRIM 5.x encoding where names are stored inline as:
    /// `u16 name_hash` + `u16 char_count` + `UTF-16LE chars` + `u16 NUL`.
    ///
    /// Primary reference: MS-EVEN6 (`Name = NameHash NameNumChars NullTerminatedUnicodeString`).
    WevtInline,
}

#[derive(Debug, PartialOrd, PartialEq, Eq, Clone, Hash)]
pub struct BinXmlNameRef {
    pub offset: ChunkOffset,
}

impl fmt::Display for BinXmlName {
    fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result {
        write!(f, "{}", self.str)
    }
}

#[derive(Debug, PartialEq, PartialOrd, Clone)]
pub(crate) struct BinXmlNameLink {
    pub next_string: Option<ChunkOffset>,
    pub hash: u16,
}

impl BinXmlNameLink {
    pub(crate) fn from_cursor(cursor: &mut ByteCursor<'_>) -> Result<Self> {
        let next_string = cursor.u32()?;
        let name_hash = cursor.u16_named("name_hash")?;

        Ok(BinXmlNameLink {
            next_string: if next_string > 0 {
                Some(next_string)
            } else {
                None
            },
            hash: name_hash,
        })
    }

    pub fn data_size() -> u32 {
        6
    }
}

impl BinXmlNameRef {
    pub(crate) fn from_cursor(cursor: &mut ByteCursor<'_>) -> Result<Self> {
        let name_offset = cursor.u32_named("name_offset")?;

        let position_before_string = cursor.position();
        let need_to_seek = position_before_string == u64::from(name_offset);

        if need_to_seek {
            let _ = BinXmlNameLink::from_cursor(cursor)?;
            let len = cursor.u16_named("string_table_name_len")?;

            let nul_terminator_len = 4;
            let data_size = BinXmlNameLink::data_size() + u32::from(len * 2) + nul_terminator_len;

            cursor.set_pos_u64(position_before_string + u64::from(data_size), "Skip string")?;
        }

        Ok(BinXmlNameRef {
            offset: name_offset,
        })
    }

    pub fn from_stream(cursor: &mut Cursor<&[u8]>) -> Result<Self> {
        let start = cursor.position() as usize;
        let buf = *cursor.get_ref();
        let mut c = ByteCursor::with_pos(buf, start)?;
        let v = Self::from_cursor(&mut c)?;
        cursor.set_position(c.position());
        Ok(v)
    }

    pub fn from_stream_with_encoding(
        cursor: &mut Cursor<&[u8]>,
        encoding: BinXmlNameEncoding,
    ) -> Result<Self> {
        match encoding {
            BinXmlNameEncoding::Offset => Self::from_stream(cursor),
            BinXmlNameEncoding::WevtInline => Self::from_stream_wevt_inline(cursor),
        }
    }

    pub(crate) fn from_cursor_with_encoding(
        cursor: &mut ByteCursor<'_>,
        encoding: BinXmlNameEncoding,
    ) -> Result<Self> {
        match encoding {
            BinXmlNameEncoding::Offset => Self::from_cursor(cursor),
            BinXmlNameEncoding::WevtInline => Self::from_cursor_wevt_inline(cursor),
        }
    }

    fn from_cursor_wevt_inline(cursor: &mut ByteCursor<'_>) -> Result<Self> {
        let name_offset = cursor.position() as ChunkOffset;
        let stored_hash = cursor.u16_named("wevt_inline_name_hash")?;
        // character count
        let char_count = cursor.u16_named("wevt_inline_name_character_count")?;

        let mut hash: u32 = 0;
        for _ in 0..char_count {
            let code_unit = cursor.u16_named("wevt_inline_name_code_unit")?;
            hash = hash
                .wrapping_mul(WEVT_INLINE_NAME_HASH_MULTIPLIER)
                .wrapping_add(u32::from(code_unit));
        }

        let nul = cursor.u16_named("wevt_inline_name_nul")?;
        if nul != 0 {
            return Err(DeserializationError::WevtInlineNameMissingNulTerminator {
                found: nul,
                offset: u64::from(name_offset),
            });
        }

        let expected_hash = (hash & 0xffff) as u16;
        if stored_hash != expected_hash {
            return Err(DeserializationError::WevtInlineNameHashMismatch {
                expected: expected_hash,
                found: stored_hash,
                offset: u64::from(name_offset),
            });
        }

        Ok(BinXmlNameRef {
            offset: name_offset,
        })
    }

    fn from_stream_wevt_inline(cursor: &mut Cursor<&[u8]>) -> Result<Self> {
        let start = cursor.position() as usize;
        let buf = *cursor.get_ref();
        let mut c = ByteCursor::with_pos(buf, start)?;
        let v = Self::from_cursor_wevt_inline(&mut c)?;
        cursor.set_position(c.position());
        Ok(v)
    }
}

impl BinXmlName {
    /// Reads a tuple of (String, Hash, Offset) from a stream.
    pub fn from_stream(cursor: &mut Cursor<&[u8]>) -> Result<Self> {
        let start = cursor.position() as usize;
        let buf = *cursor.get_ref();
        let mut c = ByteCursor::with_pos(buf, start)?;
        let v = Self::from_cursor(&mut c)?;
        cursor.set_position(c.position());
        Ok(v)
    }

    pub(crate) fn from_cursor(cursor: &mut ByteCursor<'_>) -> Result<Self> {
        let name = cursor
            .len_prefixed_utf16_string_utf8(true, "name")?
            .unwrap_or_default();
        Ok(BinXmlName { str: name })
    }

    pub fn as_str(&self) -> &str {
        &self.str
    }
}