package evtx
import (
"encoding/binary"
"errors"
"math"
"runtime"
"sync"
"time"
)
/////////////////////////////////// Errors /////////////////////////////////////
var (
	// ErrInvalidEvent error definition; raised by parsing code elsewhere in the package.
	ErrInvalidEvent = errors.New("Error Invalid Event")
	// ErrBadEvtxFile error definition
	ErrBadEvtxFile = errors.New("Bad file magic")
	// ErrBadChunkMagic error definition
	ErrBadChunkMagic = errors.New("Bad chunk magic")
	// ErrBadChunkSize error definition
	ErrBadChunkSize = errors.New("Bad chunk size")
	// ErrTokenEOF error definition; presumably paired with the TokenEOF BinXML token — confirm against the token reader.
	ErrTokenEOF = errors.New("TokenEOF")
)
//////////////////////// Global Variables and their setters /////////////////////
var (
	// Debug mode for parser
	Debug = false
	// ModeCarving flag to identify we run in carving mode
	ModeCarving = false
	// DefaultMonitorSleep default sleep time between two file update checks when
	// monitoring file
	DefaultMonitorSleep = 250 * time.Millisecond
	// MaxJobs controls the maximum jobs for some functions (MonitorEvents ...)
	// NOTE(review): floor(NumCPU/2) evaluates to 0 on a single-CPU host — confirm
	// callers tolerate MaxJobs == 0, or override it with SetMaxJobs.
	MaxJobs = int(math.Floor(float64(runtime.NumCPU()) / 2))
)
// SetModeCarving changes the carving mode to value.
// The write is not synchronized with readers of ModeCarving; presumably it is
// meant to be called before parsing starts — confirm against callers.
func SetModeCarving(value bool) {
	ModeCarving = value
}
// SetMonitorSleep sets the sleep time between two file update checks when
// monitoring file.
// The write is not synchronized with readers of DefaultMonitorSleep; presumably
// it is meant to be called before monitoring starts — confirm against callers.
func SetMonitorSleep(d time.Duration) {
	DefaultMonitorSleep = d
}
// SetMaxJobs sets the number of jobs for parsing.
// No validation is performed here: a zero or negative value is stored as-is —
// NOTE(review): confirm consumers of MaxJobs handle such values.
// The write is not synchronized with readers of MaxJobs.
func SetMaxJobs(jobs int) {
	MaxJobs = jobs
}
// SetDebug set variable enabling debugging at parser level.
// The write is not synchronized with readers of Debug; presumably it is meant
// to be called before parsing starts — confirm against callers.
func SetDebug(value bool) {
	Debug = value
}
////////////////////////// EVTX Constants and globs ////////////////////////////
const (
	// EventHeaderSize size of an event header (the literal is 24; unit presumably bytes — confirm with the header struct)
	EventHeaderSize = 24
	// EvtxMagic file magic expected at the start of an EVTX file
	EvtxMagic = "ElfFile"
	// ChunkSize 64KB
	ChunkSize = 0x10000
	// ChunkHeaderSize
	ChunkHeaderSize = 0x80
	// ChunkMagic magic string
	ChunkMagic = "ElfChnk\x00"
	// sizeStringBucket number of string-table buckets (0x40)
	sizeStringBucket = 0x40
	// sizeTemplateBucket number of template-table buckets (0x20)
	sizeTemplateBucket = 0x20
	// DefaultNameOffset sentinel offset value (-1); semantics defined where it is consumed
	DefaultNameOffset = -1
	// EventMagic magic bytes expected at the start of an event record
	EventMagic = "\x2a\x2a\x00\x00"
	// MaxSliceSize is a constant used to control the allocation size of some
	// structures. It is particularly useful to control side effect when carving
	// (bounds allocations driven by length fields read from untrusted input).
	MaxSliceSize = ChunkSize
)
//type LastParsedElements
var (
	// Endianness byte order used by the package; presumably consumed by the
	// binary decoders — confirm. Being a mutable global, it is not safe to
	// change concurrently with parsing.
	Endianness = binary.LittleEndian
	// Used for debug purposes
	//lastParsedElements LastParsedElements
	// lastParsedElements ring of the last parsed elements, guarded by the embedded RWMutex.
	lastParsedElements struct {
		sync.RWMutex
		elements [4]Element
	}
)
//////////////////////////////// BinXMLTokens //////////////////////////////////
// BinXML token values. Where two values are listed, the second one is the
// same token with the 0x40 bit set.
const (
	TokenEOF                                          = 0x00
	TokenOpenStartElementTag1, TokenOpenStartElementTag2 = 0x01, 0x41 // (<)name>
	TokenCloseStartElementTag                          = 0x02       // <name(>)
	TokenCloseEmptyElementTag                          = 0x03       // <name(/>)
	TokenEndElementTag                                 = 0x04       // (</name>)
	TokenValue1, TokenValue2                           = 0x05, 0x45 // attribute = ‘‘(value)’’
	TokenAttribute1, TokenAttribute2                   = 0x06, 0x46 // (attribute) = ‘‘value’’
	TokenCDataSection1, TokenCDataSection2             = 0x07, 0x47
	TokenCharRef1, TokenCharRef2                       = 0x08, 0x48
	TokenEntityRef1, TokenEntityRef2                   = 0x09, 0x49
	TokenPITarget                                      = 0x0a
	TokenPIData                                        = 0x0b
	TokenTemplateInstance                              = 0x0c
	TokenNormalSubstitution                            = 0x0d
	TokenOptionalSubstitution                          = 0x0e
	FragmentHeaderToken                                = 0x0f
)
//////////////////////////////// BinXMLValues //////////////////////////////////
// BinXML value type identifiers.
const (
	NullType       = 0x00
	StringType     = 0x01
	AnsiStringType = 0x02
	Int8Type       = 0x03
	UInt8Type      = 0x04
	Int16Type      = 0x05
	UInt16Type     = 0x06
	Int32Type      = 0x07
	UInt32Type     = 0x08
	Int64Type      = 0x09
	UInt64Type     = 0x0a
	Real32Type     = 0x0b
	Real64Type     = 0x0c
	BoolType       = 0x0d
	BinaryType     = 0x0e
	GuidType       = 0x0f
	SizeTType      = 0x10
	FileTimeType   = 0x11
	SysTimeType    = 0x12
	SidType        = 0x13
	HexInt32Type   = 0x14
	HexInt64Type   = 0x15
	EvtHandle      = 0x20
	BinXmlType     = 0x21
	EvtXml         = 0x23
	// ArrayType: the MSB of the value type (0x80) is used to indicate an array type
	ArrayType = 0x80
)
/////////////////////////////////// GoEvtx /////////////////////////////////////
var (
	// Paths used by GoEvtxMap (Path is defined elsewhere in the package)
	PathSeparator = "/"
	XmlnsPath     = Path("/Event/xmlns")
	ChannelPath   = Path("/Event/System/Channel")
	EventIDPath   = Path("/Event/System/EventID")
	// EventIDPath2 alternative location of the event identifier
	EventIDPath2      = Path("/Event/System/EventID/Value")
	EventRecordIDPath = Path("/Event/System/EventRecordID")
	SystemTimePath    = Path("/Event/System/TimeCreated/SystemTime")
	UserIDPath        = Path("/Event/System/Security/UserID")
)