evtx 0.11.2

A Fast (and safe) parser for the Windows XML Event Log (EVTX) format
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360

use crate::err::{DeserializationError, DeserializationResult as Result};

use winstructs::guid::Guid;

use crate::ChunkOffset;
use crate::binxml::name::{BinXmlNameEncoding, BinXmlNameRef};
use crate::binxml::value_variant::{BinXmlValue, BinXmlValueType};
use crate::utils::{ByteCursor, Utf16LeSlice};

use log::{error, trace, warn};

use crate::evtx_chunk::EvtxChunk;
use bumpalo::Bump;
use encoding::EncodingRef;
use std::fmt::{self, Formatter};

/// Processing instruction target name.
#[derive(Debug, PartialOrd, PartialEq, Eq, Clone)]
pub(crate) struct BinXMLProcessingInstructionTarget {
    pub name: BinXmlNameRef,
}

/// Open-start element token payload (name and data size).
#[derive(Debug, PartialOrd, PartialEq, Eq, Clone)]
pub(crate) struct BinXMLOpenStartElement {
    pub data_size: u32,
    pub name: BinXmlNameRef,
}

/// Template definition header stored in the chunk template table.
#[derive(Debug, PartialOrd, PartialEq, Clone)]
pub(crate) struct BinXmlTemplateDefinitionHeader {
    /// A pointer to the next template in the bucket.
    pub next_template_offset: ChunkOffset,
    pub guid: Guid,
    pub data_size: u32,
}

impl fmt::Display for BinXmlTemplateDefinitionHeader {
    fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result {
        write!(
            f,
            "<BinXmlTemplateDefinitionHeader - id: {guid}, data_size: {size}>",
            guid = self.guid,
            size = self.data_size
        )
    }
}

/// Entity reference token payload.
#[derive(Debug, PartialOrd, PartialEq, Eq, Clone)]
pub(crate) struct BinXmlEntityReference {
    pub name: BinXmlNameRef,
}

/// Template instance payload parsed into substitution values.
///
/// This avoids allocating legacy token wrappers for every substitution. The values are parsed
/// directly and consumed by the IR builder.
#[derive(Debug, PartialOrd, PartialEq, Clone)]
pub struct BinXmlTemplateValues<'a> {
    pub template_id: u32,
    pub template_def_offset: ChunkOffset,
    pub template_guid: Option<Guid>,
    pub values: Vec<BinXmlValue<'a>>,
}

/// Descriptor for a template substitution value payload.
#[derive(Debug, PartialOrd, PartialEq, Eq, Clone)]
struct TemplateValueDescriptor {
    size: u16,
    value_type: BinXmlValueType,
}

/// Placeholder descriptor within a template definition.
#[derive(Debug, PartialOrd, PartialEq, Eq, Clone)]
pub(crate) struct TemplateSubstitutionDescriptor {
    /// Zero-based index of the substitution value.
    pub substitution_index: u16,
    pub value_type: BinXmlValueType,
    pub ignore: bool,
    /// True for conditional substitutions; optional values may be omitted when empty.
    pub optional: bool,
}

/// Fragment header at the start of a BinXML stream.
#[repr(C)]
#[derive(Debug, PartialOrd, PartialEq, Eq, Clone)]
pub(crate) struct BinXMLFragmentHeader {
    pub major_version: u8,
    pub minor_version: u8,
    pub flags: u8,
}

/// Attribute token payload.
#[derive(Debug, PartialOrd, PartialEq, Eq, Clone)]
pub(crate) struct BinXMLAttribute {
    pub name: BinXmlNameRef,
}

/// Read a `TemplateInstance` and parse its substitution values directly.
///
/// This is used by the direct IR builder path.
pub(crate) fn read_template_values_cursor<'a>(
    cursor: &mut ByteCursor<'a>,
    chunk: Option<&'a EvtxChunk<'a>>,
    ansi_codec: EncodingRef,
    arena: &'a Bump,
) -> Result<BinXmlTemplateValues<'a>> {
    trace!("TemplateInstance at {}", cursor.position());

    let _ = cursor.u8()?;
    let template_id = cursor.u32()?;
    let template_definition_data_offset = cursor.u32()?;
    let mut template_guid: Option<Guid> = None;

    // Need to skip over the template data.
    if (cursor.position() as u32) == template_definition_data_offset {
        let template_header = read_template_definition_header_cursor(cursor)?;
        template_guid = Some(template_header.guid.clone());
        cursor.set_pos_u64(
            cursor.position() + u64::from(template_header.data_size),
            "Skip cached template",
        )?;
    }

    let number_of_substitutions = cursor.u32()?;
    let mut value_descriptors = Vec::with_capacity(number_of_substitutions as usize);

    for _ in 0..number_of_substitutions {
        let size = cursor.u16()?;
        let value_type_token = cursor.u8()?;

        let value_type = BinXmlValueType::from_u8(value_type_token).ok_or(
            DeserializationError::InvalidValueVariant {
                value: value_type_token,
                offset: cursor.position(),
            },
        )?;

        // Empty
        let _ = cursor.u8()?;

        value_descriptors.push(TemplateValueDescriptor { size, value_type })
    }

    trace!("{:?}", value_descriptors);

    let mut values = Vec::with_capacity(number_of_substitutions as usize);

    for descriptor in value_descriptors {
        let position_before_reading_value = cursor.position();
        trace!(
            "Offset `0x{offset:08x} ({offset})`: Substitution: {substitution:?}",
            offset = position_before_reading_value,
            substitution = descriptor.value_type,
        );

        let value = BinXmlValue::deserialize_value_type_cursor_in(
            &descriptor.value_type,
            cursor,
            chunk,
            Some(descriptor.size),
            ansi_codec,
            arena,
        )?;

        trace!("\t {:?}", value);
        // NullType can mean deleted substitution (and data need to be skipped)
        if value == BinXmlValue::NullType {
            trace!("\t Skipping `NullType` descriptor");
            cursor.set_pos_u64(
                cursor.position() + u64::from(descriptor.size),
                "NullType Descriptor",
            )?;
        }

        let current_position = cursor.position();
        let expected_position = position_before_reading_value + u64::from(descriptor.size);

        if expected_position != current_position {
            let diff = expected_position as i128 - current_position as i128;
            // This sometimes occurs with dirty samples, but it's usually still possible to recover the rest of the record.
            // Sometimes however the log will contain a lot of zero fields.
            warn!(
                "Read incorrect amount of data, cursor position is at {}, but should have ended up at {}, last descriptor was {:?}.",
                current_position, expected_position, &descriptor
            );

            match u64::try_from(diff) {
                Ok(u64_diff) => {
                    cursor.set_pos_u64(current_position + u64_diff, "Broken record")?;
                }
                Err(_) => error!("Broken record"),
            }
        }
        values.push(value);
    }

    Ok(BinXmlTemplateValues {
        template_id,
        template_def_offset: template_definition_data_offset,
        template_guid,
        values,
    })
}

fn read_template_definition_header_cursor(
    cursor: &mut ByteCursor<'_>,
) -> Result<BinXmlTemplateDefinitionHeader> {
    // If any of these fail we cannot reliably report the template information in error.
    let next_template_offset = cursor.u32_named("next_template_offset")?;
    let guid_bytes = cursor.take_bytes(16, "template_guid")?;
    let template_guid = Guid::from_buffer(guid_bytes).map_err(|_| {
        DeserializationError::Io(std::io::Error::new(
            std::io::ErrorKind::InvalidData,
            "invalid GUID",
        ))
    })?;
    // Data size includes the fragment header, element and end of file token;
    // except for the first 33 bytes of the template definition (above)
    let data_size = cursor.u32_named("template_data_size")?;

    Ok(BinXmlTemplateDefinitionHeader {
        next_template_offset,
        guid: template_guid,
        data_size,
    })
}

pub(crate) fn read_entity_ref_cursor(
    cursor: &mut ByteCursor<'_>,
    name_encoding: BinXmlNameEncoding,
) -> Result<BinXmlEntityReference> {
    trace!("Offset `0x{:08x}` - EntityReference", cursor.position());
    let name = BinXmlNameRef::from_cursor_with_encoding(cursor, name_encoding)?;
    trace!("\t name: {:?}", name);
    Ok(BinXmlEntityReference { name })
}

pub(crate) fn read_attribute_cursor(
    cursor: &mut ByteCursor<'_>,
    name_encoding: BinXmlNameEncoding,
) -> Result<BinXMLAttribute> {
    trace!("Offset `0x{:08x}` - Attribute", cursor.position());
    let name = BinXmlNameRef::from_cursor_with_encoding(cursor, name_encoding)?;
    Ok(BinXMLAttribute { name })
}

pub(crate) fn read_fragment_header_cursor(
    cursor: &mut ByteCursor<'_>,
) -> Result<BinXMLFragmentHeader> {
    trace!("Offset `0x{:08x}` - FragmentHeader", cursor.position());
    let major_version = cursor.u8_named("fragment_header_major_version")?;
    let minor_version = cursor.u8_named("fragment_header_minor_version")?;
    let flags = cursor.u8_named("fragment_header_flags")?;
    Ok(BinXMLFragmentHeader {
        major_version,
        minor_version,
        flags,
    })
}

pub(crate) fn read_processing_instruction_target_cursor(
    cursor: &mut ByteCursor<'_>,
    name_encoding: BinXmlNameEncoding,
) -> Result<BinXMLProcessingInstructionTarget> {
    trace!(
        "Offset `0x{:08x}` - ProcessingInstructionTarget",
        cursor.position(),
    );

    let name = BinXmlNameRef::from_cursor_with_encoding(cursor, name_encoding)?;
    trace!("\tPITarget Name - {:?}", name);
    Ok(BinXMLProcessingInstructionTarget { name })
}

pub(crate) fn read_processing_instruction_data_cursor<'a>(
    cursor: &mut ByteCursor<'a>,
) -> Result<Utf16LeSlice<'a>> {
    trace!(
        "Offset `0x{:08x}` - ProcessingInstructionTarget",
        cursor.position(),
    );

    let data = cursor
        .len_prefixed_utf16_string(false, "pi_data")?
        .unwrap_or_else(Utf16LeSlice::empty);
    trace!("PIData - {} chars", data.num_chars());
    Ok(data)
}

pub(crate) fn read_substitution_descriptor_cursor(
    cursor: &mut ByteCursor<'_>,
    optional: bool,
) -> Result<TemplateSubstitutionDescriptor> {
    trace!(
        "Offset `0x{:08x}` - SubstitutionDescriptor<optional={}>",
        cursor.position(),
        optional
    );
    let substitution_index = cursor.u16()?;
    let value_type_token = cursor.u8()?;

    let value_type = BinXmlValueType::from_u8(value_type_token).ok_or(
        DeserializationError::InvalidValueVariant {
            value: value_type_token,
            offset: cursor.position(),
        },
    )?;

    let ignore = optional && (value_type == BinXmlValueType::NullType);

    Ok(TemplateSubstitutionDescriptor {
        substitution_index,
        value_type,
        ignore,
        optional,
    })
}

pub(crate) fn read_open_start_element_cursor(
    cursor: &mut ByteCursor<'_>,
    has_attributes: bool,
    has_dependency_identifier: bool,
    name_encoding: BinXmlNameEncoding,
) -> Result<BinXMLOpenStartElement> {
    trace!(
        "Offset `0x{:08x}` - OpenStartElement<has_attributes={}, has_dependency_identifier={}>",
        cursor.position(),
        has_attributes,
        has_dependency_identifier
    );

    // Element start headers come in (at least) two variants:
    // - Template definitions: include a dependency identifier (u16)
    // - Direct record elements / nested BinXML (substitution value type 0x21): omit it
    if has_dependency_identifier {
        let dependency_identifier = cursor.u16_named("open_start_element_dependency_identifier")?;

        trace!(
            "\t Dependency Identifier - `0x{:04x} ({})`",
            dependency_identifier, dependency_identifier
        );
    }

    let data_size = cursor.u32_named("open_start_element_data_size")?;

    trace!("\t Data Size - {}", data_size);
    let name = BinXmlNameRef::from_cursor_with_encoding(cursor, name_encoding)?;
    trace!("\t Name - {:?}", name);

    let _attribute_list_data_size = if has_attributes {
        cursor.u32_named("open_start_element_attribute_list_data_size")?
    } else {
        0
    };

    Ok(BinXMLOpenStartElement { data_size, name })
}