Changes to improve Event Log message string support log2timeline#4169
joachimmetz committed Aug 15, 2022
1 parent 483f62a commit ec453f8
Showing 5 changed files with 24 additions and 13 deletions.
4 changes: 2 additions & 2 deletions data/sources.config
Expand Up @@ -197,8 +197,8 @@ windows:srum:network_usage LOG System Resource Usage Monitor
windows:tasks:job JOB Windows Scheduled Task Job
windows:timeline:generic Windows Timeline Windows Timeline - Generic
windows:timeline:user_engaged Windows Timeline Windows Timeline - User Engaged
windows:user_access_logging:clients UAL User Access Logging CLIENTS record
windows:user_access_logging:dns UAL User Access Logging DNS record
windows:user_access_logging:clients UAL User Access Logging CLIENTS record
windows:user_access_logging:dns UAL User Access Logging DNS record
windows:user_access_logging:role_access UAL User Access Logging ROLE_ACCESS record
windows:user_access_logging:system_identity UAL User Access Logging SYSTEM_IDENTITY record
windows:user_access_logging:virtualmachines UAL User Access Logging VIRTUALMACHINES record
23 changes: 20 additions & 3 deletions plaso/output/winevt_rc.py
Expand Up @@ -7,6 +7,7 @@

from plaso.containers import artifacts
from plaso.engine import path_helper
from plaso.helpers.windows import languages
from plaso.helpers.windows import resource_files
from plaso.output import logger

Expand Down Expand Up @@ -354,9 +355,13 @@ def __init__(
environment_variables (list[EnvironmentVariableArtifact]): environment
variable artifacts.
"""
language_tag = languages.WindowsLanguageHelper.GetLanguageTagForLCID(
lcid or self.DEFAULT_LCID)

super(WinevtResourcesHelper, self).__init__()
self._data_location = data_location
self._environment_variables = environment_variables or None
self._language_tag = language_tag.lower()
self._lcid = lcid or self.DEFAULT_LCID
self._message_string_cache = collections.OrderedDict()
self._storage_reader = storage_reader
Expand Down Expand Up @@ -495,7 +500,8 @@ def _ReadWindowsEventLogMessageFiles(self, storage_reader):
if storage_reader.HasAttributeContainers('windows_eventlog_message_file'):
for message_file in storage_reader.GetAttributeContainers(
'windows_eventlog_message_file'):
self._windows_eventlog_message_files[message_file.windows_path] = (
path = message_file.path.lower()
self._windows_eventlog_message_files[path] = (
message_file.GetIdentifier())

def _ReadWindowsEventLogMessageString(
Expand Down Expand Up @@ -551,6 +557,7 @@ def _ReadWindowsEventLogMessageString(
if event_version is not None:
filter_expression = '{0:s} and version == {1:d}'.format(
filter_expression, event_version)

for event_definition in storage_reader.GetAttributeContainers(
'windows_wevt_template_event', filter_expression=filter_expression):
logger.debug(
Expand All @@ -564,8 +571,18 @@ def _ReadWindowsEventLogMessageString(
for windows_path in provider.event_message_files or []:
path, filename = path_helper.PathHelper.GetWindowsSystemPath(
windows_path, self._environment_variables)
lookup_path = '\\'.join([path.lower(), filename.lower()])
path = path.lower()
filename = filename.lower()

lookup_path = '\\'.join([path, filename])
message_file_identifier = self._windows_eventlog_message_files.get(
lookup_path, None)
if message_file_identifier:
message_file_identifier = message_file_identifier.CopyToString()
message_file_identifiers.append(message_file_identifier)

mui_filename = '{0:s}.mui'.format(filename)
lookup_path = '\\'.join([path, self._language_tag, mui_filename])
message_file_identifier = self._windows_eventlog_message_files.get(
lookup_path, None)
if message_file_identifier:
Expand All @@ -589,7 +606,7 @@ def _ReadWindowsEventLogMessageString(
message_strings.append(message_string)

if not message_strings:
logger.error(
logger.debug(
'No match for message: 0x{0:08x} of provider: {1:s}'.format(
message_identifier, lookup_key))

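Review bot: `self._language_tag = language_tag.lower()` in `__init__` assumes `languages.WindowsLanguageHelper.GetLanguageTagForLCID` always returns a string; if that helper can return `None` for an LCID it does not know (not visible here), the constructor fails with `AttributeError` on caller-supplied `lcid` before any lookup is attempted, so a check such as `if not language_tag: raise ValueError('Unsupported LCID: {0!s}'.format(lcid))` right after the call would give a clear failure, and `lcid or self.DEFAULT_LCID` could then be computed once and reused instead of twice. In the last hunk the demotion of `logger.error` to `logger.debug` for "No match for message" means events whose message string cannot be resolved no longer surface at the default log level; `logger.warning` would keep that visible to an analyst without treating it as a failure. Both `__init__` and `_ReadWindowsEventLogMessageString` continue outside the hunks shown.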
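--- a/plaso/parsers/pe.py
+++ b/plaso/parsers/pe.py
@@ -471,16 +471,11 @@ def _ParseWevtTemplate(self, parser_mediator, message_file, data):
 'Unable to read WEVT event definitions with error: '
 '{0!s}').format(exception))
 for event_definition in event_definitions.definitions:
-if event_definition.flags & 0x80:
-event_version = event_definition.version
-else:
-event_version = None
-
 event_definition = artifacts.WindowsWevtTemplateEvent(
 identifier=event_definition.identifier,
 message_identifier=event_definition.message_identifier,
 provider_identifier=provider_identifier,
-version=event_version)
+version=event_definition.version)
 event_definition.SetMessageFileIdentifier(message_file_identifier)
 
 parser_mediator.AddWindowsWevtTemplateEvent(event_definition)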
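Review bot: Removing the `flags & 0x80` guard stores `event_definition.version` for every definition, yet the `pe_resources.yaml` comment deleted in this same commit said version, channel, level, opcode and task are members of a union, so when that flag is clear the byte may not hold a version at all (the layout itself is not visible here, so this is inferred). If the flag is known to be unrelated to the union member, a comment at the `version=` argument, e.g. `# version is populated for every WEVT event definition; the 0x80 flag does not gate it.`, would record why the guard was safe to drop; otherwise keeping the guard and passing `None` as before is the conservative choice. `_ParseWevtTemplate` starts before the hunk.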
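--- a/plaso/parsers/pe_resources.yaml
+++ b/plaso/parsers/pe_resources.yaml
@@ -139,7 +139,6 @@ attributes:
 members:
 - name: identifier
 data_type: uint16
-# TODO: note that version, channel, level, opcode and task are part of an union.
 - name: version
 data_type: uint8
 - name: channel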
2 changes: 1 addition & 1 deletion tests/parsers/pe.py
Expand Up @@ -163,7 +163,7 @@ def testParseFileObjectOnResourceFile(self):
self.assertEqual(
attribute_containers[0].provider_identifier,
'{67883bbc-d592-4d02-8e29-66907fcb07d6}')
self.assertIsNone(attribute_containers[0].version)
self.assertEqual(attribute_containers[0].version, 1)


if __name__ == '__main__':