Changes to extract WEVT_TEMPLATE event version #4169 (#4172)

log2timeline · Jul 24, 2022 · 7e162c5 · 7e162c5
1 parent 074c0aa
commit 7e162c5
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 11 deletions.
diff --git a/plaso/containers/artifacts.py b/plaso/containers/artifacts.py
@@ -856,6 +856,7 @@ class WindowsWevtTemplateEvent(ArtifactAttributeContainer):
     message_identifier (int): identifier of the event message.
     provider_identifier (str): identifier of the EventLog provider, contains
         a GUID.
+    version (int): event version.
   """
 
   CONTAINER_TYPE = 'windows_wevt_template_event'
@@ -864,24 +865,28 @@ class WindowsWevtTemplateEvent(ArtifactAttributeContainer):
       '_message_file_row_identifier': 'AttributeContainerIdentifier',
       'identifier': 'int',
       'message_identifier': 'int',
-      'provider_identifier': 'str'}
+      'provider_identifier': 'str',
+      'version': 'int'}
 
   def __init__(
-      self, identifier=None, message_identifier=None, provider_identifier=None):
+      self, identifier=None, message_identifier=None, provider_identifier=None,
+      version=None):
     """Initializes a Windows WEVT_TEMPLATE event definition artifact.
 
     Args:
       identifier (Optional[int]): event identifier.
       message_identifier (Optional[int]): identifier of the event message.
       provider_identifier (Optional[str]): identifier of the EventLog provider,
           contains a GUID.
+      version (Optional[int]): event version.
     """
     super(WindowsWevtTemplateEvent, self).__init__()
     self._message_file_identifier = None
     self._message_file_row_identifier = None
     self.identifier = identifier
     self.message_identifier = message_identifier
     self.provider_identifier = provider_identifier
+    self.version = version
 
   def GetMessageFileIdentifier(self):
     """Retrieves the identifier of the associated message file.

diff --git a/plaso/parsers/pe.py b/plaso/parsers/pe.py
@@ -471,10 +471,16 @@ def _ParseWevtTemplate(self, parser_mediator, message_file, data):
                 'Unable to read WEVT event definitions with error: '
                 '{0!s}').format(exception))
           for event_definition in event_definitions.definitions:
+            if event_definition.flags & 0x80:
+              event_version = event_definition.version
+            else:
+              event_version = None
+
             event_definition = artifacts.WindowsWevtTemplateEvent(
                 identifier=event_definition.identifier,
                 message_identifier=event_definition.message_identifier,
-                provider_identifier=provider_identifier)
+                provider_identifier=provider_identifier,
+                version=event_version)
             event_definition.SetMessageFileIdentifier(message_file_identifier)
 
             parser_mediator.AddWindowsWevtTemplateEvent(event_definition)

diff --git a/plaso/parsers/pe_resources.yaml b/plaso/parsers/pe_resources.yaml
@@ -11,11 +11,11 @@ attributes:
   size: 1
   units: bytes
 ---
-name: uint32
+name: uint8
 type: integer
 attributes:
   format: unsigned
-  size: 4
+  size: 1
   units: bytes
 ---
 name: uint16
@@ -25,6 +25,13 @@ attributes:
   size: 2
   units: bytes
 ---
+name: uint32
+type: integer
+attributes:
+  format: unsigned
+  size: 4
+  units: bytes
+---
 name: message_table_header
 type: structure
 attributes:
@@ -132,20 +139,37 @@ attributes:
 members:
 - name: identifier
   data_type: uint16
-- name: unknown1
-  type: stream
-  element_data_type: byte
-  elements_data_size: 6
+# TODO: note that version, channel, level, opcode and task are part of an union.
+- name: version
+  data_type: uint8
+- name: channel
+  data_type: uint8
+- name: level
+  data_type: uint8
+- name: opcode
+  data_type: uint8
+- name: task
+  data_type: uint16
 - name: keywords
   type: stream
   element_data_type: byte
   elements_data_size: 8
 - name: message_identifier
   data_type: uint32
-- name: unknown2
+- name: template_offset
+  data_type: uint32
+- name: opcode_offset
+  data_type: uint32
+- name: level_offset
+  data_type: uint32
+- name: task_offset
+  data_type: uint32
+- name: unknown1
   type: stream
   element_data_type: byte
-  elements_data_size: 28
+  elements_data_size: 8
+- name: flags
+  data_type: uint32
 ---
 name: wevt_event_definitions
 type: structure

diff --git a/tests/parsers/pe.py b/tests/parsers/pe.py
@@ -163,6 +163,7 @@ def testParseFileObjectOnResourceFile(self):
     self.assertEqual(
         attribute_containers[0].provider_identifier,
         '{67883bbc-d592-4d02-8e29-66907fcb07d6}')
+    self.assertIsNone(attribute_containers[0].version)
 
 
 if __name__ == '__main__':