golang-evtx's People

Contributors

codekoala, qjerome

golang-evtx's Issues

Dockerfile not working

Hello !

I tried using your Dockerfile but it doesn't work quite right out of the box.

I get this error:
[screenshot of the error]

You should use the make command to use the makefile in tools/evtxdump and update the package installed in the build-env.

Ex:

RUN apk add --no-cache git mercurial make perl-utils \
    && cd /go/src/github.com/0xrawsec/golang-evtx/tools/evtxdump \
    && make

Error checking on corrupt EVTX files

I recently had to parse many event logs and came across some corrupt EVTX files. The evtx.Open() method does not return an error on corrupt EVTX files. After doing some research of my own I discovered this from libyal:
https://github.com/libyal/libevtx/blob/master/documentation/Windows%20XML%20Event%20Log%20(EVTX).asciidoc#2-file-header

Can you add some error checking within the evtx.Open() function to check whether the evtx.Header.Magic is equal to ElfFile\000? It appears to be that the evtx.Header.Magic value will always be ElfFile\000 for a valid EVTX file. I implemented this in my code to handle the corrupt files but I think it would be appropriate to have more error/sanity checks within Open() so that users can handle potentially broken files cleanly.

Apologies for not being able to supply you with a corrupt EVTX file as I am not allowed to share it. Thank you.
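As an added example (not code from the issue or from the library), a stand-alone header check of the kind asked for above: it reads the 128-byte EVTX file header and validates the "ElfFile\x00" magic, the fixed header size and chunk data offset, and the CRC32 the format stores over the first 120 bytes, with field offsets taken from the libevtx documentation linked in the issue. The sample header is constructed in the code, not taken from a real log.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"hash/crc32"
	"io"
)

// EVTX file header layout (from the libevtx documentation):
//   offset 0   : signature "ElfFile\x00" (8 bytes)
//   offset 32  : header size, always 128 (uint32)
//   offset 40  : chunk data offset, always 4096 (uint16)
//   offset 42  : number of chunks (uint16)
//   offset 124 : CRC32 over the first 120 bytes of the header (uint32)
const (
	evtxHeaderSize  = 128
	evtxChunkOffset = 4096
)

var evtxMagic = []byte("ElfFile\x00")

// CheckFileHeader reads the first 128 bytes of an EVTX file and applies the
// sanity checks a caller wants before trusting the rest of the file.
func CheckFileHeader(r io.Reader) error {
	hdr := make([]byte, evtxHeaderSize)
	if _, err := io.ReadFull(r, hdr); err != nil {
		return fmt.Errorf("evtx: short file header: %w", err)
	}
	if !bytes.Equal(hdr[:8], evtxMagic) {
		return fmt.Errorf("evtx: bad magic %q, want %q", hdr[:8], evtxMagic)
	}
	if sz := binary.LittleEndian.Uint32(hdr[32:36]); sz != evtxHeaderSize {
		return fmt.Errorf("evtx: header size %d, want %d", sz, evtxHeaderSize)
	}
	if off := binary.LittleEndian.Uint16(hdr[40:42]); off != evtxChunkOffset {
		return fmt.Errorf("evtx: chunk data offset %d, want %d", off, evtxChunkOffset)
	}
	want := binary.LittleEndian.Uint32(hdr[124:128])
	if got := crc32.ChecksumIEEE(hdr[:120]); got != want {
		return fmt.Errorf("evtx: header CRC32 mismatch: got %08x, stored %08x", got, want)
	}
	return nil
}

// buildHeader constructs a minimal, internally consistent header for testing
// (sample data built here, not taken from a real log).
func buildHeader(numChunks uint16) []byte {
	hdr := make([]byte, evtxHeaderSize)
	copy(hdr, evtxMagic)
	binary.LittleEndian.PutUint32(hdr[32:36], evtxHeaderSize)
	binary.LittleEndian.PutUint16(hdr[40:42], evtxChunkOffset)
	binary.LittleEndian.PutUint16(hdr[42:44], numChunks)
	binary.LittleEndian.PutUint32(hdr[124:128], crc32.ChecksumIEEE(hdr[:120]))
	return hdr
}

func main() {
	good := buildHeader(3)
	fmt.Println("valid header:", CheckFileHeader(bytes.NewReader(good)))

	// Corrupt the signature the way a truncated or overwritten log might be.
	bad := buildHeader(3)
	copy(bad, "XXXXXXXX")
	fmt.Println("corrupt header:", CheckFileHeader(bytes.NewReader(bad)))
}
```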

Live-monitoring seems not to be working

Hi!

Based on evtxmon I tried to come up with a minimal monitoring tool myself:

package main

import (
	"log"

	"github.com/0xrawsec/golang-evtx/evtx"
)

func main() {
	ef, err := evtx.OpenDirty(`C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx`)
	if err != nil {
		log.Fatal(err)
	}

	stop := make(chan bool, 1)
	for e := range ef.MonitorEvents(stop) {
		log.Println(string(evtx.ToJSON(e)))
	}

}

Although Sysmon is running ("Event Viewer" shows all/new events) I don't get any output.
If I add ef.SetMonitorExisting(true) some old events (it seems always the same old events are dumped?) are shown but new ones are still missing.
Using evtxmon directly (changed writer.Write(evtx.ToJSON(e)) to log.Println(string(evtx.ToJSON(e)))) resulted in the same issue...

Did I make a mistake?

panic: interface conversion: evtx.Element is *evtx.BinXMLEOF, not *evtx.Fragment

While working with golang-evtx as a library I was faced with a panic:

panic: interface conversion: evtx.Element is *evtx.BinXMLEOF, not *evtx.Fragment

goroutine 824 [running]:
github.com/0xrawsec/golang-evtx/evtx.Event.GoEvtxMap(0xb3e8, 0x18800002a2a, 0x499, 0x1d2df942e928695, 0xc4202bd280, 0x1d2df942e928695, 0x0, 0x0)
        /opt/golang/src/github.com/0xrawsec/golang-evtx/evtx/event.go:77 +0x321
github.com/0xrawsec/golang-evtx/evtx.(*Chunk).Events.func1(0xc420284000, 0xc4202bd280)
        /opt/golang/src/github.com/0xrawsec/golang-evtx/evtx/chunk.go:249 +0x11d
created by github.com/0xrawsec/golang-evtx/evtx.(*Chunk).Events
        /opt/golang/src/github.com/0xrawsec/golang-evtx/evtx/chunk.go:244 +0x97

Input is an evtx file on a Win7 system: Microsoft-Windows-ReadyBoost%4Operational.evtx. Unfortunately I can not share the file for privacy reasons.

Looking into the code, I see that you deliberately panic if it's not an evtx.Fragment.
Is there a possibility to implement this element, as evtx.BinXMLEOF is already defined in structs.go?
Sure - I could use carve mode, but then I lose this content.

Many thanks for providing a parser for evtx files in Go.

How to use this package?

I'm not a Go developer, but I need to use this package to read an .evtx file and create a JSON file from it. I already created one to learn how to use this package but am still confused. Can anybody help?

package main

import (
	"fmt"
	"os"

	"github.com/0xrawsec/golang-evtx/evtx"
)

func main() {
	data, _ := os.ReadFile("something.evtx")
	fmt.Printf(evtx.ToJSON(data))
}

Question: Can I use evtxmon to read from evtx file paths that are active?

I'm trying to set up some Windows containers so that their Windows event log directories are mounted to a shared volume with a sidecar task that monitors and ships directly from those log files.

Is this possible with evtxmon? Going to try this out on my own but thought I'd post the question here for added support.

(some background trying to get this up with another tool: https://discuss.elastic.co/t/winlogbeat-as-a-docker-sibling-sidecar-container/217409)

Large data (>32k) in NormalSubstitution array

Hi,
If data blocks in NormalSubstitutions are bigger than 32K, the int16 Size value in the ValueDescriptor struct in structs.go overflows and parses wrong data.
Replacing int16 by uint16 for Size in ValueDescriptor (structs.go line 810) and replacing all depending Size int16 to uint16 in values.go for the various type definitions (fix compiler errors) as well as the type casts in values.go (e.g. uint(a.Size/2) line 447, 477) fixes the problem.

Thx for implementing an evtx parser in Go!

Unable to retrieve any value, how should I use GetString() method?

Please take a look at this,

package main

import (
	"flag"
	"fmt"
	"log"

	"github.com/0xrawsec/golang-evtx/evtx"
)

func main() {
	flag.Parse()

	for _, filename := range flag.Args() {
		eventFile, err := evtx.OpenDirty(filename)
		if err != nil {
			log.Fatal(err)
		}

		for event := range eventFile.FastEvents() {
			if event.EventID() == 7045 {
				path1 := evtx.Path("/Event/EventData/param1")
				fmt.Println(event.GetString(&path1))
			}
		}
	}
}

Bookmarking

Hi @qjerome!
I see that bookmarking is not yet implemented for windows events monitoring.
Is it in your roadmap or should I implement it by myself?
It would be a great feature.

PANIC - Not initialized slice: parsing *evtx.ValueText

I see this error (with a stacktrace) 9 times in a simple 7MB .evtx file when using evtxdump -c thefile.evtx.

2019/05/14 16:02:16 PANIC - Not initialized slice: parsing *evtx.ValueText
 goroutine 1 [running]:
runtime/debug.Stack(0x5630fd3a98ef, 0xe, 0xc0000a9308)
        /usr/lib/go/src/runtime/debug/stack.go:24 +0x9f
github.com/0xrawsec/golang-utils/log.DontPanicf(0x5630fd3a98ef, 0xe, 0xc0000a9308, 0x2, 0x2)
        /home/wheaties/dev/go/pkg/mod/github.com/0xrawsec/[email protected]/log/log.go:192 +0x8f
github.com/0xrawsec/golang-evtx/evtx.checkParsingError(0x5630fd534e00, 0xc0001e77a0, 0x5630fd537540, 0xc000399860, 0x5630fd535220, 0xc00014a6f0)
        /home/wheaties/dev/golang-evtx/evtx/parser.go:16 +0x113
github.com/0xrawsec/golang-evtx/evtx.Parse(0x5630fd537540, 0xc000399860, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
        /home/wheaties/dev/golang-evtx/evtx/parser.go:150 +0x81d
github.com/0xrawsec/golang-evtx/evtx.(*Attribute).Parse(0xc000409d80, 0x5630fd537540, 0xc000399860, 0x1, 0x2)
        /home/wheaties/dev/golang-evtx/evtx/structs.go:294 +0x246
github.com/0xrawsec/golang-evtx/evtx.(*AttributeList).ParseAttributes(0xc00040a158, 0x5630fd537540, 0xc000399860, 0xc00040a158, 0x5630fd53c8e0)
        /home/wheaties/dev/golang-evtx/evtx/structs.go:315 +0xb4
github.com/0xrawsec/golang-evtx/evtx.(*AttributeList).Parse(0xc00040a158, 0x5630fd537540, 0xc000399860, 0xccdc, 0x0)
        /home/wheaties/dev/golang-evtx/evtx/structs.go:333 +0xda
github.com/0xrawsec/golang-evtx/evtx.(*ElementStart).Parse(0xc00040a120, 0x5630fd537540, 0xc000399860, 0xccd1, 0x0)
        /home/wheaties/dev/golang-evtx/evtx/structs.go:190 +0x6d2
github.com/0xrawsec/golang-evtx/evtx.Parse(0x5630fd537540, 0xc000399860, 0x0, 0x1, 0x5630fd534e60, 0xc00049bede, 0x0, 0x0)
        /home/wheaties/dev/golang-evtx/evtx/parser.go:90 +0x1db
github.com/0xrawsec/golang-evtx/evtx.(*TemplateDefinitionData).Parse(0xc000409bc0, 0x5630fd537540, 0xc000399860, 0xcc26, 0x0)
        /home/wheaties/dev/golang-evtx/evtx/structs.go:714 +0x2af
github.com/0xrawsec/golang-evtx/evtx.(*Chunk).ParseTemplateTable(0xc0004d0800, 0x5630fd537540, 0xc000399860, 0x80, 0x0)
        /home/wheaties/dev/golang-evtx/evtx/chunk.go:163 +0x1f7
main.fetchChunkFromReader(0x5630fd538640, 0xc000010098, 0x3c1000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
        /home/wheaties/dev/golang-evtx/tools/evtxdump/evtxdump.go:149 +0x37f
main.carveFile(0x7fff2a20c54b, 0x1c, 0x0, 0x0)
        /home/wheaties/dev/golang-evtx/tools/evtxdump/evtxdump.go:178 +0x355
main.main()
        /home/wheaties/dev/golang-evtx/tools/evtxdump/evtxdump.go:369 +0xa65
2019/05/14 16:02:16 ERROR - Not initialized slice

I haven't done much digging into the stack yet, but I can supply the .evtx file privately if necessary.

panic: Index out of range

Hi, here I am again.
Today when I convert an evtx file without carve mode, it shows as follows:

panic: Index out of range

goroutine 166 [running]:
github.com/0xrawsec/golang-evtx/evtx.(*TemplateInstance).ElementToGoEvtx(0xc4208418c0, 0x1142b80, 0xc4206ae8a2, 0xc4202d3b90, 0xc4209563e8)
	/Users/darkray/go/src/github.com/0xrawsec/golang-evtx/evtx/structs.go:484 +0x776
github.com/0xrawsec/golang-evtx/evtx.(*TemplateInstance).NodeToGoEvtx(0xc4208418c0, 0xc4206f6a40, 0xc4206af8d0)
	/Users/darkray/go/src/github.com/0xrawsec/golang-evtx/evtx/structs.go:591 +0x7df
github.com/0xrawsec/golang-evtx/evtx.(*TemplateInstance).NodeToGoEvtx(0xc4208418c0, 0xc4206f69c0, 0x0)
	/Users/darkray/go/src/github.com/0xrawsec/golang-evtx/evtx/structs.go:547 +0x150
github.com/0xrawsec/golang-evtx/evtx.(*TemplateInstance).NodeToGoEvtx(0xc4208418c0, 0xc4206f6980, 0x5)
	/Users/darkray/go/src/github.com/0xrawsec/golang-evtx/evtx/structs.go:547 +0x150
github.com/0xrawsec/golang-evtx/evtx.(*TemplateInstance).NodeToGoEvtx(0xc4208418c0, 0xc4200578a8, 0x0)
	/Users/darkray/go/src/github.com/0xrawsec/golang-evtx/evtx/structs.go:541 +0xdc2
github.com/0xrawsec/golang-evtx/evtx.(*TemplateInstance).ElementToGoEvtx(0xc420a94c60, 0x1142b40, 0xc420bb3ac0, 0x110, 0xc420865e60)
	/Users/darkray/go/src/github.com/0xrawsec/golang-evtx/evtx/structs.go:502 +0x172
github.com/0xrawsec/golang-evtx/evtx.(*TemplateInstance).ElementToGoEvtx(0xc420a94c60, 0x1142b80, 0xc420c1b4c2, 0x6, 0xc420865ee8)
	/Users/darkray/go/src/github.com/0xrawsec/golang-evtx/evtx/structs.go:482 +0x530
github.com/0xrawsec/golang-evtx/evtx.(*TemplateInstance).NodeToGoEvtx(0xc420a94c60, 0xc4206f6640, 0x5)
	/Users/darkray/go/src/github.com/0xrawsec/golang-evtx/evtx/structs.go:591 +0x7df
github.com/0xrawsec/golang-evtx/evtx.(*TemplateInstance).NodeToGoEvtx(0xc420a94c60, 0xc420057e28, 0x0)
	/Users/darkray/go/src/github.com/0xrawsec/golang-evtx/evtx/structs.go:541 +0xdc2
github.com/0xrawsec/golang-evtx/evtx.(*TemplateInstance).GoEvtxMap(0xc420a94c60, 0x0)
	/Users/darkray/go/src/github.com/0xrawsec/golang-evtx/evtx/structs.go:624 +0x9c
github.com/0xrawsec/golang-evtx/evtx.(*Fragment).GoEvtxMap(0xc420ad4660, 0xc420756300)
	/Users/darkray/go/src/github.com/0xrawsec/golang-evtx/evtx/structs.go:103 +0x4f
github.com/0xrawsec/golang-evtx/evtx.Event.GoEvtxMap(0x1fb8, 0x30000002a2a, 0x2dfb, 0x1d344084866810d, 0xc4209da000, 0x1d344084866810d, 0x0, 0x0)
	/Users/darkray/go/src/github.com/0xrawsec/golang-evtx/evtx/event.go:79 +0x1c3
github.com/0xrawsec/golang-evtx/evtx.(*Chunk).Events.func1(0xc420188020, 0xc4209da000)
	/Users/darkray/go/src/github.com/0xrawsec/golang-evtx/evtx/chunk.go:249 +0x11c
created by github.com/0xrawsec/golang-evtx/evtx.(*Chunk).Events
	/Users/darkray/go/src/github.com/0xrawsec/golang-evtx/evtx/chunk.go:244 +0x97

I have seen issue #6, but I cannot confirm what the problem is.
thx for ur help ;)

panic: runtime error: makeslice: len out of range on ValueBinary Parse if vd.Size < 0

I came across the following crash when trying to parse a System hive, which occurred on both my own parser application and evtxdump. Panic occurs if the *ValueBinary Parse function (in values.go) attempts to make a slice if the Value (from ParseValueReader in parser.go) is of type Binary and the size is less than zero. I hacked it just by setting vd.Size to 0 if it was originally less than zero but I guess there is a better solution?

Dump:

panic: runtime error: makeslice: len out of range

goroutine 24 [running]:
github.com/0xrawsec/golang-evtx/evtx.(*ValueBinary).Parse(0xc4201d1a40, 0x5d8460, 0xc4203f8d20, 0x7, 0x0)
/src/github.com/0xrawsec/golang-evtx/evtx/values.go:618 +0x44
github.com/0xrawsec/golang-evtx/evtx.ParseValueReader(0xec828, 0x5d8460, 0xc4203f8d20, 0x5d7d20, 0xc4202999d0, 0x0, 0x0)
/src/github.com/0xrawsec/golang-evtx/evtx/parser.go:253 +0x9f3
github.com/0xrawsec/golang-evtx/evtx.(*TemplateInstanceData).Parse(0xc4201a15a8, 0x5d8460, 0xc4203f8d20, 0x0, 0x0)
/src/github.com/0xrawsec/golang-evtx/evtx/structs.go:796 +0x26e
github.com/0xrawsec/golang-evtx/evtx.(*TemplateInstance).Parse(0xc4201a1550, 0x5d8460, 0xc4203f8d20, 0x604, 0x0)
/src/github.com/0xrawsec/golang-evtx/evtx/structs.go:660 +0x114
github.com/0xrawsec/golang-evtx/evtx.Parse(0x5d8460, 0xc4203f8d20, 0x0, 0xc4203f8d01, 0x5d76e0, 0xc420460600, 0x0, 0x4945f4)
/src/github.com/0xrawsec/golang-evtx/evtx/parser.go:139 +0xa0a
github.com/0xrawsec/golang-evtx/evtx.Parse(0x5d8460, 0xc4203f8d20, 0x0, 0x1, 0x0, 0x5db960, 0x5283c0, 0x5283c0)
/src/github.com/0xrawsec/golang-evtx/evtx/parser.go:64 +0x1148
github.com/0xrawsec/golang-evtx/evtx.ParseValueReader(0x21c93f, 0x5d8460, 0xc4203f8d20, 0x5d7b20, 0xc420298ecc, 0x0, 0x0)
/src/github.com/0xrawsec/golang-evtx/evtx/parser.go:285 +0x530
github.com/0xrawsec/golang-evtx/evtx.(*TemplateInstanceData).Parse(0xc4201a14f8, 0x5d8460, 0xc4203f8d20, 0x5d7320, 0xc4203f8d20)
/src/github.com/0xrawsec/golang-evtx/evtx/structs.go:796 +0x26e
github.com/0xrawsec/golang-evtx/evtx.Parse(0x5d8460, 0xc4203f8d20, 0xc4200d2480, 0xc4203f8d00, 0x5d76e0, 0xc4204605a0, 0xc4200d2480, 0x16)
/src/github.com/0xrawsec/golang-evtx/evtx/parser.go:131 +0xd17
github.com/0xrawsec/golang-evtx/evtx.Parse(0x5d8460, 0xc4203f8d20, 0xc4200d2480, 0xc420041f00, 0x4dfdcc, 0x5d72e0, 0xc4203f8930, 0x514780)
/src/github.com/0xrawsec/golang-evtx/evtx/parser.go:64 +0x1148
github.com/0xrawsec/golang-evtx/evtx.Event.GoEvtxMap(0x200, 0xcd4800002a2a, 0x69200, 0x1d37864a7bb2980, 0xc4200d2480, 0x1d37864a7bb2980, 0x0, 0x0)
/src/github.com/0xrawsec/golang-evtx/evtx/event.go:65 +0x114
github.com/0xrawsec/golang-evtx/evtx.(*Chunk).Events.func1(0xc4204e0530, 0xc4200d2480)
/src/github.com/0xrawsec/golang-evtx/evtx/chunk.go:249 +0x11d
created by github.com/0xrawsec/golang-evtx/evtx.(*Chunk).Events
/src/github.com/0xrawsec/golang-evtx/evtx/chunk.go:244 +0x97
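The two reports above (the >32k NormalSubstitution data and the makeslice panic on a negative ValueBinary size) share one root cause, so here is one added example, not code from the library: a constructed value descriptor whose 16-bit size is read as int16 versus uint16, the pre-fix allocation path with the resulting panic recovered, and a bounded parse that checks the size against the remaining input before allocating. The struct and function names are illustrative, not the ones in structs.go or values.go.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// valueDescriptor holds the two fields the issues turn on: the 16-bit size of a
// substitution value and its type byte. Constructed for illustration only.
type valueDescriptor struct {
	Size uint16
	Type uint8
}

// parseDescriptorSigned reads the size the way an int16 field would, so any
// value >= 32768 comes back negative.
func parseDescriptorSigned(raw []byte) int16 {
	return int16(binary.LittleEndian.Uint16(raw[0:2]))
}

// parseDescriptor reads the size as uint16, the fix proposed in the >32k issue.
func parseDescriptor(raw []byte) valueDescriptor {
	return valueDescriptor{
		Size: binary.LittleEndian.Uint16(raw[0:2]),
		Type: raw[2],
	}
}

// parseBinarySigned mimics the pre-fix path: make([]byte, size) with a signed
// size. A negative length makes the runtime panic ("makeslice: len out of
// range"); recover turns that into an error so the caller can see it.
func parseBinarySigned(size int16, data []byte) (buf []byte, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("recovered: %v", r)
		}
	}()
	buf = make([]byte, int(size))
	copy(buf, data)
	return buf, nil
}

// parseBinary is the defensive version: unsigned size, bounded by what is
// actually left in the input, so a corrupt descriptor yields an error rather
// than a panic or an oversized allocation.
func parseBinary(vd valueDescriptor, data []byte) ([]byte, error) {
	n := int(vd.Size)
	if n > len(data) {
		return nil, fmt.Errorf("binary value size %d exceeds remaining %d bytes", n, len(data))
	}
	out := make([]byte, n)
	copy(out, data[:n])
	return out, nil
}

// utf16CharCount is the uint(a.Size/2) computation mentioned for values.go,
// done on the unsigned size so large text values do not wrap.
func utf16CharCount(vd valueDescriptor) uint {
	return uint(vd.Size / 2)
}

func main() {
	// Constructed descriptor: size 0x8000 (32768 bytes), type byte 0x0e.
	raw := []byte{0x00, 0x80, 0x0e}
	fmt.Println("as int16 :", parseDescriptorSigned(raw)) // -32768
	fmt.Println("as uint16:", parseDescriptor(raw).Size)  // 32768

	_, err := parseBinarySigned(parseDescriptorSigned(raw), nil)
	fmt.Println("signed parse:", err)

	payload := make([]byte, 32768)
	buf, err := parseBinary(parseDescriptor(raw), payload)
	fmt.Println("unsigned parse:", len(buf), err)
}
```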

Some new logs cannot be dumped with archive logs

Hello everyone,

I have some problem with archived evtx logs on Windows Server 2016 (1607).

Some new logs cannot be shown when using evtxdump.

How it happens: Install one 2016 server, set 'Security Log' to Archive when full. Then dump the 'Security.evtx' without opening it in Event Viewer.
I found out the logs can be correctly dumped after double-clicking on the evtx file (opening it with Windows Event Viewer).
And also the file was changed only by opening it with Windows Event Viewer. (Sometimes the evtx file size even changed.)
[screenshot: Snap20200707091024]
The different dump only with the opened file:
[screenshot: Snap_not_opened]
[screenshot: Snap_opened]

Here is the evtx file.
Security.zip

Thanks.

Cannot Find Package "evtx"

Perhaps I'm doing something wrong here (apologies for bothering if I am).

$ mkdir /home/user/Go
$ export GOPATH=/home/user/Go
$ go get github.com/0xrawsec/golang-evtx
$ go get github.com/0xrawsec/golang-utils
$ cd src/github.com/0xrawsec/golang-evtx/tools/evtxdump
$ make linux

GOARCH=386 GOOS=linux go build -ldflags "-s -w" -o "release"/linux/evtxdump-386 evtxdump.go
evtxdump.go:25:2: cannot find package "evtx" in any of:
/usr/lib/golang/src/evtx (from $GOROOT)
/home/labadmin/Go/src/evtx (from $GOPATH)
makefile:23: recipe for target 'linux' failed
make: *** [linux] Error 1

Obviously it's not looking in the right place nor finding the evtx package it's looking for that is clearly within the repo here and just in a different spot (it's in /home/user/Go/src/github.com/0xrawsec/golang-evtx/evtx versus where it's looking in /home/user/Go/src/evtx). Just not sure what I need to do differently to fix that.

Clarification on datetime

I am confused on the solution here and think that this still needs more attention. I am parsing via evtxdump.exe the event log located here.

The command I run is: evtxdump.exe security.evtx. To test the new functionality out I chose Event.System.EventRecordID == 2261. In Windows Event Viewer the timestamp for this record is: 2017-04-14T01:21:10.906949900Z. However, from evtxdump stdout I can see that the record is being parsed as:

{"Event":{"EventData":{"PrivilegeList":"SeAssignPrimaryTokenPrivilege\r\n\t\t\tSeTcbPrivilege\r\n\t\t\tSeSecurityPrivilege\r\n\t\t\tSeTakeOwnershipPrivilege\r\n\t\t\tSeLoadDriverPrivilege\r\n\t\t\tSeBackupPrivilege\r\n\t\t\tSeRestorePrivilege\r\n\t\t\tSeDebugPrivilege\r\n\t\t\tSeAuditPrivilege\r\n\t\t\tSeSystemEnvironmentPrivilege\r\n\t\t\tSeImpersonatePrivilege","SubjectDomainName":"NT AUTHORITY","SubjectLogonId":"0x000003e7","SubjectUserName":"SYSTEM","SubjectUserSid":"S-1-5-18"},"System":{"Channel":"Security","Computer":"WIN-03DLIIOFRRA","Correlation":{},"EventID":"4672","EventRecordID":"2261","Execution":{"ProcessID":"536","ThreadID":"624"},"Keywords":"0x8020000000000000","Level":"0","Opcode":"0","Provider":{"Guid":"54849625-5478-4994-A5BA-3E3B0328C30D","Name":"Microsoft-Windows-Security-Auditing"},"Security":{},"Task":"12548","TimeCreated":{"SystemTime":"2017-10-03T14:01:17.380369499Z"},"Version":"0"}}}

As we can see the Event.System.TimeCreated.SystemTime is reporting 2017-10-03T14:01:17.380369499Z as a timestamp. There is a difference in the timestamps. Shouldn't they report the same timestamps?

Data race

Build evtxdump with the following:

go build -race tools/evtxdump/...

Then attempt to dump any EVTX with ./evtxdump $EVTX_FILE

==================
==================
WARNING: DATA RACE
Read at 0x000000c4c5f0 by goroutine 8:
  runtime.slicecopy()
      /usr/local/go/src/runtime/slice.go:197 +0x0
  github.com/0xrawsec/golang-evtx/evtx.UpdateLastElements()
      /home/steve/golang-evtx/evtx/utils.go:81 +0x8c
  github.com/0xrawsec/golang-evtx/evtx.checkFullParsingError()
      /home/steve/golang-evtx/evtx/parser.go:22 +0x40
  github.com/0xrawsec/golang-evtx/evtx.Parse()
      /home/steve/golang-evtx/evtx/parser.go:91 +0x2b6
  github.com/0xrawsec/golang-evtx/evtx.(*TemplateDefinitionData).Parse()
      /home/steve/golang-evtx/evtx/structs.go:718 +0x3d7
  github.com/0xrawsec/golang-evtx/evtx.(*Chunk).ParseTemplateTable()
      /home/steve/golang-evtx/evtx/chunk.go:163 +0x2b1
  github.com/0xrawsec/golang-evtx/evtx.(*File).FetchChunk()
      /home/steve/golang-evtx/evtx/evtx.go:231 +0x5a4
  github.com/0xrawsec/golang-evtx/evtx.(*File).FastEvents.func1.1()
      /home/steve/golang-evtx/evtx/evtx.go:399 +0x186

Previous write at 0x000000c4c5f0 by goroutine 11:
  github.com/0xrawsec/golang-evtx/evtx.UpdateLastElements()
      /home/steve/golang-evtx/evtx/utils.go:82 +0x9c
  github.com/0xrawsec/golang-evtx/evtx.checkFullParsingError()
      /home/steve/golang-evtx/evtx/parser.go:22 +0x40
  github.com/0xrawsec/golang-evtx/evtx.Parse()
      /home/steve/golang-evtx/evtx/parser.go:63 +0x1898
  github.com/0xrawsec/golang-evtx/evtx.Event.GoEvtxMap()
      /home/steve/golang-evtx/evtx/event.go:65 +0x180
  github.com/0xrawsec/golang-evtx/evtx.(*Chunk).Events.func1()
      /home/steve/golang-evtx/evtx/chunk.go:249 +0x16f

Goroutine 8 (running) created at:
  github.com/0xrawsec/golang-evtx/evtx.(*File).FastEvents.func1()
      /home/steve/golang-evtx/evtx/evtx.go:392 +0xe8

Goroutine 11 (running) created at:
  github.com/0xrawsec/golang-evtx/evtx.(*Chunk).Events()
      /home/steve/golang-evtx/evtx/chunk.go:244 +0xcf
  github.com/0xrawsec/golang-evtx/evtx.(*File).FastEvents.func1.1()
      /home/steve/golang-evtx/evtx/evtx.go:404 +0x23d
==================

*evtx.File.Events() method seems to be broken

I wanted to test the parser without the concurrency. To my surprise the Events() method does not return any events. I suspect this is related to the issue in the comments of FastEvents() method:

				// We have to create a copy here because otherwise cpc.EventsChan() fails
				// I guess that because EventsChan takes a pointer to an object and that
				// and thus the chan is taken on the pointer and since the object pointed
				// changes -> kaboom

While it's not a major issue, it would still be nice to have the non-concurrent version of the parser available.

panic: runtime error: index out of range

Hi,

First time I have this issue while loading a sysmon.evtx file:

for e := range ef.FastEvents() {
	if !e.IsEventID("3") {
		continue
	}
}
panic: runtime error: index out of range
goroutine 25 [running]:
github.com/crazy-max/WindowsSpyBlocker/vendor/github.com/0xrawsec/golang-utils/datastructs.NewSortedSlice(0xc04231dd40, 0x2, 0x2, 0xc000000008, 0xc0421f8080, 0x0)
	X:/dev/neard/www/go/src/github.com/crazy-max/WindowsSpyBlocker/vendor/github.com/0xrawsec/golang-utils/datastructs/sortedslice.go:27 +0x9b
github.com/crazy-max/WindowsSpyBlocker/vendor/github.com/0xrawsec/golang-evtx/evtx.(*File).Chunks(0xc042156360, 0x8619c0)
	X:/dev/neard/www/go/src/github.com/crazy-max/WindowsSpyBlocker/vendor/github.com/0xrawsec/golang-evtx/evtx/evtx.go:169 +0x96
github.com/crazy-max/WindowsSpyBlocker/vendor/github.com/0xrawsec/golang-evtx/evtx.(*File).FastEvents.func1.1(0xc0421a7380, 0xc042156360)
	X:/dev/neard/www/go/src/github.com/crazy-max/WindowsSpyBlocker/vendor/github.com/0xrawsec/golang-evtx/evtx/evtx.go:309 +0x77
created by github.com/crazy-max/WindowsSpyBlocker/vendor/github.com/0xrawsec/golang-evtx/evtx.(*File).FastEvents.func1
	X:/dev/neard/www/go/src/github.com/crazy-max/WindowsSpyBlocker/vendor/github.com/0xrawsec/golang-evtx/evtx/evtx.go:307 +0xa4

Bad TimeStamp On Windows 10

Seems that the Convert method of FileTime defined in utils.go is not right (the date is in the future o_O):

func (v *FileTime) Convert() (sec int64, nsec int64) {
	nano := int64(10000000)
	mili := int64(10000)
	sec = int64(float64(v.Nanoseconds-11644473600*nano) / float64(nano))
	nsec = (v.Nanoseconds - 11644473600*nano) - sec*mili //==> Not good
	return
}

A quick fix:

func (v *FileTime) Convert() (sec int64, nsec int64) {
	fmt.Println(v.Nanoseconds)
	nano := int64(10000000)
	fix := int64(100)
	sec = int64(float64(v.Nanoseconds-11644473600*nano) / float64(nano))
	nsec = ((v.Nanoseconds - 11644473600*nano) - sec*nano)*fix //=>GOOD
	return
}

NB: Just to say a BIG thanks for this library, which helps us find bad guys in forensic investigations.

How to handle non-ascii string?

Event example:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
    <EventID Qualifiers="16384">7036</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2018-02-24T13:53:23.976418400Z" />
    <EventRecordID>2435844</EventRecordID>
    <Correlation />
    <Execution ProcessID="512" ThreadID="2548" />
    <Channel>System</Channel>
    <Computer>ETYY-WSPX</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="param1">Windows Error Reporting Service</Data>
    <!-- Check here --> <Data Name="param2">正在运行</Data>
    <Binary>5700650072005300760063002F0034000000</Binary>
  </EventData>
</Event>

When calling .ToJson() it displays like this:

{
    "Event": {
        "EventData": {
            "param1": "storvsc",
            "param2": "\u0015\ufffd/\ufffd",
            "param3": "\t\u0000/\ufffd",
            "param4": "storvsc"
        },
        "System": {
            "Channel": "System",
            "Computer": "37L4247F27-26",
            "Correlation": {},
            "EventID": {
                "Qualifiers": "16384",
                "Value": "7040"
            },
            "EventRecordID": "96",
            "Execution": {
                "ProcessID": "956",
                "ThreadID": "540"
            },
            "Keywords": "0x8080000000000000",
            "Level": "4",
            "Opcode": "0",
            "Provider": {
                "EventSourceName": "Service Control Manager",
                "Guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
                "Name": "Service Control Manager"
            },
            "Security": {
                "UserID": "S-1-5-18"
            },
            "Task": "0",
            "TimeCreated": {
                "SystemTime": "2016-01-25T04:27:33Z"
            },
            "Version": "0"
        }
    }
} 

param3 is bad.
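EVTX stores its strings as UTF-16LE; the <Binary> element in the event above is one ("5700650072005300760063002F0034000000" is "WerSvc/4" followed by a NUL). As an added example, not code from the library, here is a decoder that turns such bytes into a Go string, rejecting odd-length input, stopping at the NUL terminator and letting unicode/utf16 pair surrogates, plus an encoder used only to build a round-trip test with the Chinese param2 value from the event.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"unicode/utf16"
)

// DecodeUTF16LE turns an EVTX UTF-16LE byte string into a Go (UTF-8) string.
func DecodeUTF16LE(b []byte) (string, error) {
	if len(b)%2 != 0 {
		return "", errors.New("utf16le: odd number of bytes")
	}
	units := make([]uint16, 0, len(b)/2)
	for i := 0; i+1 < len(b); i += 2 {
		u := binary.LittleEndian.Uint16(b[i:])
		if u == 0 {
			break // NUL terminator
		}
		units = append(units, u)
	}
	// utf16.Decode combines surrogate pairs and replaces lone surrogates with U+FFFD.
	return string(utf16.Decode(units)), nil
}

// EncodeUTF16LE is the inverse; it is used here only to construct test input.
func EncodeUTF16LE(s string) []byte {
	units := utf16.Encode([]rune(s))
	out := make([]byte, 2*len(units))
	for i, u := range units {
		binary.LittleEndian.PutUint16(out[2*i:], u)
	}
	return out
}

func main() {
	// The <Binary> element from the event above, decoded from hex.
	blob, err := hex.DecodeString("5700650072005300760063002F0034000000")
	if err != nil {
		panic(err)
	}
	s, err := DecodeUTF16LE(blob)
	fmt.Printf("%q %v\n", s, err) // "WerSvc/4" <nil>

	// The Chinese param2 value from the event, round-tripped through UTF-16LE.
	zh := EncodeUTF16LE("正在运行")
	s, err = DecodeUTF16LE(zh)
	fmt.Printf("%q %v (%d bytes on the wire)\n", s, err, len(zh))
}
```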

Better precision in SystemTime using evtxdump

@qjerome While using evtxdump to parse an .evtx file, the JSON of an event looks like:

{
 "Event": {
   "EventData": {
     "Hashes": "SHA1=F04EE61F0C6766590492CD3D9E26ECB0D4F501D8,MD5=68D9577E9E9E3A3DF0348AB3B86242B1,SHA256=7AE581DB760BCEEE4D18D6DE7BB98F46584656A65D9435B4E0C4223798F416D2,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5",
     "Image": "C:\\Windows\\splwow64.exe",
     "ImageLoaded": "C:\\Windows\\System32\\dwmapi.dll",
     "ProcessGuid": "B2796A13-E44F-5880-0000-001006E40F00",
     "ProcessId": "4952",
     "Signature": "Microsoft Windows",
     "Signed": "true",
     "UtcTime": "2017-01-19 16:07:45.279"
   },
   "System": {
     "Channel": "Microsoft-Windows-Sysmon/Operational",
     "Computer": "DESKTOP-5SUA567",
     "Correlation": {},
     "EventID": "7",
     "EventRecordID": "116913",
     "Execution": {
       "ProcessID": "1760",
       "ThreadID": "1952"
     },
     "Keywords": "0x8000000000000000",
     "Level": "4",
     "Opcode": "0",
     "Provider": {
       "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
       "Name": "Microsoft-Windows-Sysmon"
     },
     "Security": {
       "UserID": "S-1-5-18"
     },
     "Task": "7",
     "TimeCreated": {
       "SystemTime": "2017-01-19T16:07:45Z"
     },
     "Version": "3"
   }
 }
}

The TimeCreated.SystemTime("2017-01-19T16:07:45Z") field has precision till seconds whereas the original events have a much better precision("2017-01-19T16:07:45.152350300Z").

I don't have much experience in golang and was hoping to get some pointers on how to get the same precision in the JSON as well.

Any help is highly appreciated.

Thanks.
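The precision question here and the FileTime bug reported in "Bad TimeStamp On Windows 10" both come down to converting a Windows FILETIME (100 ns ticks since 1601-01-01) to a Unix time without losing the sub-second part. This added example, not code from evtxdump or the library, does the conversion with integer arithmetic only, formats it with RFC3339Nano so the 100 ns digits survive, and reproduces the original Convert() arithmetic to show how it produces a date in the future. The FILETIME value is constructed for the Sysmon event above with its sub-second part restored.

```go
package main

import (
	"fmt"
	"time"
)

// Windows FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC.
// The Unix epoch is 11644473600 seconds later.
const (
	epochDiffSeconds = 11644473600
	ticksPerSecond   = 10_000_000 // 100 ns ticks in one second
	nsPerTick        = 100
)

// FileTimeToUnix converts with integer arithmetic only, keeping the full
// 100 ns resolution and avoiding float64 rounding on 17-digit tick counts.
func FileTimeToUnix(ticks int64) (sec, nsec int64) {
	rem := ticks - epochDiffSeconds*ticksPerSecond
	sec = rem / ticksPerSecond
	nsec = (rem % ticksPerSecond) * nsPerTick
	return sec, nsec
}

// FileTimeToRFC3339Nano formats with the sub-second digits preserved, which is
// the precision Event Viewer shows and the JSON above drops.
func FileTimeToRFC3339Nano(ticks int64) string {
	sec, nsec := FileTimeToUnix(ticks)
	return time.Unix(sec, nsec).UTC().Format(time.RFC3339Nano)
}

// convertBuggy reproduces the original Convert() from the other issue: the
// remainder is scaled by 10000 instead of the tick rate, so nsec is off by
// orders of magnitude and time.Unix normalizes it into a date in the future.
func convertBuggy(ticks int64) (sec, nsec int64) {
	nano := int64(10000000)
	mili := int64(10000)
	sec = int64(float64(ticks-epochDiffSeconds*nano) / float64(nano))
	nsec = (ticks - epochDiffSeconds*nano) - sec*mili
	return
}

func main() {
	// Constructed FILETIME for 2017-01-19T16:07:45.1523503Z.
	const ft = int64(131293156651523503)
	fmt.Println("fixed :", FileTimeToRFC3339Nano(ft)) // 2017-01-19T16:07:45.1523503Z
	sec, nsec := convertBuggy(ft)
	fmt.Println("buggy :", time.Unix(sec, nsec).UTC().Format(time.RFC3339Nano))
}
```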

BackupSeeker of evtx.File?

Is there a way to use the function BackupSeeker on a file that I am currently monitoring with MonitorEvents?

func evtx.BackupSeeker(seeker io.Seeker) int64

This function accepts an io.Seeker as first argument, but evtx.File doesn't implement the method Seek...
Maybe I'm missing something or there's another way to achieve my goal: when I stop monitoring the file I'd like to save the offset and start from there the next time.

Get Events by Type

Is there a way to filter the events that are searched to only the "Error" and not "warning" or "info"?

I'm trying to count the number of "disk" errors in my event log and trying to speed up the code a little bit by not having to iterate through every event in the event log.

Here is my code:

package main

import (
	"fmt"
	"log"

	"github.com/0xrawsec/golang-evtx/evtx"
)

func main() {
	diskErrors := 0.0

	t, err := evtx.Open(`C:\Windows\System32\winevt\Logs\System.evtx`)
	if err != nil {
		log.Fatal(err)
	}
	defer t.Close()

	e := t.FastEvents()
	path := evtx.Path("Event/System/EventID/Qualifiers")

	for a := range e {
		d, _ := a.GetMap(&path)

		if d != nil {
			var providerData map[string]interface{} = *d
			// Count only events whose qualifiers and value match the disk error.
			switch providerData["Qualifiers"] {
			case "49156":
				switch providerData["Value"] {
				case "7":
					diskErrors += 1
				}
			}
		}
	}

	fmt.Println("disk errors:", diskErrors)
}

Any help would be appreciated!
