package evtx
import (
"bytes"
"fmt"
"io"
"github.com/0xrawsec/golang-utils/log"
)
///////////////////////////////// Event ////////////////////////////////////////
// EventHeader is the header that starts every event record; it is made only of
// fixed-size fields, so it is meant to be read straight out of the chunk data.
type EventHeader struct {
	Magic     [4]byte  // must equal EventMagic, see Validate
	Size      int32    // declared size of the whole event, header included, see Validate
	ID        int64    // NOTE(review): presumably the record identifier; it is not interpreted in this file
	Timestamp FileTime // FileTime is declared elsewhere in the package
}
// Validate controls the EventHeader: the magic bytes must match EventMagic and
// the declared size must stay within [EventHeaderSize, ChunkSize). Both size
// bounds are checked against package constants only, never against the bytes
// actually remaining in the enclosing chunk; that is up to the caller.
func (h *EventHeader) Validate() error {
	magic := string(h.Magic[:])
	switch {
	case magic != EventMagic:
		return fmt.Errorf("Bad event magic %q", h.Magic)
	case h.Size >= ChunkSize:
		// An event is embedded in a chunk, so it can never be as large as one.
		return fmt.Errorf("Too big event")
	case h.Size < EventHeaderSize:
		// The declared size includes the header itself, so anything smaller
		// is malformed. With EventHeaderSize > 0 this also rejects negative
		// sizes coming from an untrusted file.
		return fmt.Errorf("Too small event")
	}
	return nil
}
// Event structure: one event record and where it sits inside its chunk.
type Event struct {
	Offset int64 // For debugging purposes — but GoEvtxMap also seeks to Offset+EventHeaderSize in the chunk data
	Header EventHeader
}
// IsValid returns true if the Event is valid, i.e. if its header passes
// EventHeader.Validate. It does not look at the event payload.
// TODO: find and replace because we now have Validate() method from the header
func (e *Event) IsValid() bool {
	if err := e.Header.Validate(); err != nil {
		return false
	}
	return true
}
// GoEvtxMap parses the BinXML inside the event and returns a pointer to a
// structure GoEvtxMap
// @c : chunk pointer used for template data already parsed
// return (*GoEvtxMap, error)
//
// Error handling is deliberately lenient: a non-EOF error from Parse is only
// logged and parsing goes on to the type assertion below, so a malformed
// event can still end in a panic (non-carving mode) or in a (nil, nil)
// result (carving mode, when Parse reported no error but the element is not
// a Fragment). NOTE(review): e.Offset+EventHeaderSize is not compared with
// len(c.Data) here; presumably GoToSeeker or the chunk parser bounds it —
// confirm before feeding this untrusted files.
func (e Event) GoEvtxMap(c *Chunk) (pge *GoEvtxMap, err error) {
	// An Event can contain only BinXMLFragments
	if !e.IsValid() {
		err = ErrInvalidEvent
		return
	}
	reader := bytes.NewReader(c.Data)
	GoToSeeker(reader, e.Offset+EventHeaderSize)
	// Bug here if we put c
	// err is the named result (same scope), so whatever Parse returns —
	// including an error that was only logged — is still handed back to the
	// caller on the last line.
	element, err := Parse(reader, c, false)
	if err != nil && err != io.EOF {
		//panic(err)
		log.Error(err)
	}
	// If not a BinXMLFragment a panic will be raised
	fragment, ok := element.(*Fragment)
	switch {
	case !ok && ModeCarving:
		// Carving mode: skip this event. pge stays nil and err is whatever
		// Parse returned (possibly nil), so a skipped event is not
		// distinguishable from a parsed one by err alone.
		return
	case !ok:
		// Way to raise panic
		_ = element.(*Fragment)
	}
	return fragment.GoEvtxMap(), err
}
// String renders the event header as one "Key: value" line per field.
// Magic is printed with %s, i.e. as the raw bytes of the array, and the
// event content is not included.
func (e Event) String() string {
	var out bytes.Buffer
	fmt.Fprintf(&out, "Magic: %s\n", e.Header.Magic)
	fmt.Fprintf(&out, "Size: %d\n", e.Header.Size)
	fmt.Fprintf(&out, "ID: %d\n", e.Header.ID)
	fmt.Fprintf(&out, "Timestamp: %d\n", e.Header.Timestamp)
	//"Content: %x",
	return out.String()
}