Code clean up and added thread lock support

libyal · Aug 1, 2019 · d8c61b0 · d8c61b0
1 parent 114d662
commit d8c61b0
Show file tree

Hide file tree

Showing 41 changed files with 7,217 additions and 1,583 deletions.
diff --git a/.gitignore b/.gitignore
@@ -133,6 +133,7 @@ stamp-h[1-9]
 /tests/evt_test_notify
 /tests/evt_test_record
 /tests/evt_test_record_values
+/tests/evt_test_strings_array
 /tests/evt_test_support
 /tests/input
 /tests/tmp*

diff --git a/ChangeLog b/ChangeLog
@@ -1,4 +1,9 @@
 TODO:
+* move direct access to event record struct members in record values to functions
+  - replace calls to libfvalue by libuna and libfwnt
+  - handle strings, use split string?
+* API have source and computer name functions return 0
+
 * libevt
   - remove file_get_version
 * evtexport, add date time format selection

diff --git a/README b/README
@@ -5,10 +5,6 @@ Project information:
 * Status: alpha
 * Licence: LGPLv3+
 
-Planned:
-
-* Multi-threading support
-
 For more information see:
 
 * Project documentation: https://github.com/libyal/libevt/wiki/Home

diff --git a/configure.ac b/configure.ac
@@ -2,7 +2,7 @@ AC_PREREQ( 2.59 )
 
 AC_INIT(
  [libevt],
- [20190423],
+ [20190801],
  [joachim.metz@gmail.com])
 
 AC_CONFIG_SRCDIR(
@@ -105,9 +105,6 @@ AX_LIBFDATETIME_CHECK_ENABLE
 dnl Check if libfguid or required headers and functions are available
 AX_LIBFGUID_CHECK_ENABLE
 
-dnl Check if libfvalue or required headers and functions are available
-AX_LIBFVALUE_CHECK_ENABLE
-
 dnl Check if libfwnt or required headers and functions are available
 AX_LIBFWNT_CHECK_ENABLE
 
@@ -130,6 +127,9 @@ AS_IF(
     ])
   ])
 
+dnl Check if libfvalue or required headers and functions are available
+AX_LIBFVALUE_CHECK_ENABLE
+
 dnl Check if libfwevt or required headers and functions are available
 AX_LIBFWEVT_CHECK_ENABLE
 
@@ -180,14 +180,14 @@ CFLAGS="$CFLAGS -Wall";
 
 dnl Check if requires and build requires should be set in spec file
 AS_IF(
- [test "x$ac_cv_libcerror" = xyes || test "x$ac_cv_libcthreads" = xyes || test "x$ac_cv_libcdata" = xyes || test "x$ac_cv_libclocale" = xyes || test "x$ac_cv_libcnotify" = xyes || test "x$ac_cv_libcsplit" = xyes || test "x$ac_cv_libuna" = xyes || test "x$ac_cv_libcfile" = xyes || test "x$ac_cv_libcpath" = xyes || test "x$ac_cv_libbfio" = xyes || test "x$ac_cv_libfcache" = xyes || test "x$ac_cv_libfdata" = xyes || test "x$ac_cv_libfdatetime" = xyes || test "x$ac_cv_libfguid" = xyes || test "x$ac_cv_libfvalue" = xyes || test "x$ac_cv_libfwnt" = xyes],
+ [test "x$ac_cv_libcerror" = xyes || test "x$ac_cv_libcthreads" = xyes || test "x$ac_cv_libcdata" = xyes || test "x$ac_cv_libclocale" = xyes || test "x$ac_cv_libcnotify" = xyes || test "x$ac_cv_libcsplit" = xyes || test "x$ac_cv_libuna" = xyes || test "x$ac_cv_libcfile" = xyes || test "x$ac_cv_libcpath" = xyes || test "x$ac_cv_libbfio" = xyes || test "x$ac_cv_libfcache" = xyes || test "x$ac_cv_libfdata" = xyes || test "x$ac_cv_libfdatetime" = xyes || test "x$ac_cv_libfguid" = xyes || test "x$ac_cv_libfwnt" = xyes],
  [AC_SUBST(
   [libevt_spec_requires],
   [Requires:])
  ])
 
 AS_IF(
- [test "x$ac_cv_libfwevt" = xyes || test "x$ac_cv_libexe" = xyes || test "x$ac_cv_libregf" = xyes || test "x$ac_cv_libwrc" = xyes || test "x$ac_cv_libcdirectory" = xyes],
+ [test "x$ac_cv_libfvalue" = xyes || test "x$ac_cv_libfwevt" = xyes || test "x$ac_cv_libexe" = xyes || test "x$ac_cv_libregf" = xyes || test "x$ac_cv_libwrc" = xyes || test "x$ac_cv_libcdirectory" = xyes],
  [AC_SUBST(
   [libevt_spec_tools_build_requires],
   [BuildRequires:])
@@ -221,12 +221,12 @@ AC_CONFIG_FILES([libfcache/Makefile])
 AC_CONFIG_FILES([libfdata/Makefile])
 AC_CONFIG_FILES([libfdatetime/Makefile])
 AC_CONFIG_FILES([libfguid/Makefile])
-AC_CONFIG_FILES([libfvalue/Makefile])
 AC_CONFIG_FILES([libfwnt/Makefile])
 AC_CONFIG_FILES([libevt/Makefile])
 AC_CONFIG_FILES([pyevt/Makefile])
 AC_CONFIG_FILES([pyevt-python2/Makefile])
 AC_CONFIG_FILES([pyevt-python3/Makefile])
+AC_CONFIG_FILES([libfvalue/Makefile])
 AC_CONFIG_FILES([libfwevt/Makefile])
 AC_CONFIG_FILES([libexe/Makefile])
 AC_CONFIG_FILES([libregf/Makefile])

diff --git a/documentation/Windows Event Log (EVT) format.asciidoc b/documentation/Windows Event Log (EVT) format.asciidoc
@@ -95,13 +95,15 @@ The following version of programs were used to test the information within this
 === Event Log files
 
 On Windows NT 4 the event logs files can be found in:
+
 ....
-C:\WINNT\System32\config\
+C:\WINNT\System32\config
 ....
 
 As of Windows 2000 the default location changed to:
+
 ....
-C:\Windows\System32\config\
+C:\Windows\System32\config
 ....
 
 [cols="1,2",options="header"]
@@ -179,39 +181,49 @@ Contains 32-bit Unix epoch of the date and time in UTC the record was written to
 | 24 | 2 | | Event type
 | 26 | 2 | | Number of strings
 | 28 | 2 | | Event category
-| 30 | 2 | | *Unknown (Event flags)* +
-Usually 0, also see note below
-| 32 | 4 | | *Unknown (Closing record number)* +
+| 30 | 2 | | [yellow-background]*Unknown (Event flags)* +
+Actual usage unknown indicated as reserved +
+See note below about its usage, usually contains 0
+| 32 | 4 | | [yellow-background]*Unknown (Closing record number)* +
 Should be 0 if the file has not been externally modified
-| 36 | 4 | | Strings offset +
+| 36 | 4 | | Event strings offset +
 The offset is relative to the start of the record and must be a multitude of 2 +
 Can contain 0 but the number of strings should also be 0
 | 40 | 4 | | User identifier (SID) size +
 0 if no user identifier is available
 | 44 | 4 | | User identifier (SID) offset +
 The offset is relative to the start of the record +
 Can contain 0 but the user identifier size should also be 0
-| 48 | 4 | | Data size +
+| 48 | 4 | | Event data size +
 0 if no data is available
-| 52 | 4 | | Data offset +
+| 52 | 4 | | Event data offset +
 The offset is relative to the start of the record +
 Can contain 0 but the data size should also be 0
+4+| _Event record members_
 | 56 | ... | | Source name +
 Contains an UTF-16 little-endian string with end-of-string character
 | ... | ... | | Computer name +
 Contains an UTF-16 little-endian string with end-of-string character
 | ... | ... | | User SID +
 Contains a Windows NT security identifier +
 For more information see `[NTSID]`.
-| ... | ... | | Strings +
+| ... | ... | | Event strings +
 Array of UTF-16 little-endian strings with end-of-string character
-| ... | ... | | Data
+| ... | ... | | Event data
 | ... | ... | | [yellow-background]*Padding (empty values)* +
 4-byte alignment
 | ... | 4 | | Copy of size +
 This value is used to indicate the end of the event record
 |===
 
+The user SID offset can be ignored if the user SID size is 0. In this situation
+the strings offset can be the same as the strings offset.
+
+The strings offset can be ignored if the number of strings is 0. In this
+situation the data offset can be the same as the strings offset.
+
+Offsets beyond the record data should be ignored.
+
 [NOTE]
 The event flags field is a copy of the 4 bytes of data passed in the Flags field
 of the ElfrReportEvent RPC call, see `[MS-EVEN]`. These flags are written directly
@@ -221,13 +233,6 @@ the Event Log service does not validate this when writing the strings. Most, if
 not all, events are written using the ReportEvent Win32 API wrapper around the
 RPC function, and will always set this field to be 0.
 
-[NOTE]
-If the user SID size is 0 then the string offset may equal the user SID offset.
-If the number of strings is 0 then the data offset may equal the string offset.
-In both of these cases the offset should be ignored if the size or number of
-strings is 0. Offsets that start or end (offset + size) past the end of the
-record should be ignored.
-
 === Event type
 
 [cols="1,1,5",options="header"]
@@ -266,11 +271,13 @@ Some of the data that Event Viewer shows is stored outside the event log files.
 
 The first step to determine the location of these values is find the
 corresponding "event log type sub key" in the Windows registry under:
+
 ....
-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog
 ....
 
 Every event log type has its own sub key, e.g.:
+
 ....
 HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\System
 ....
@@ -283,6 +290,7 @@ Common event log types are:
 
 The event log type sub key has a "event source sub key" for every source name,
 e.g for the source name "Workstation":
+
 ....
 HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\System\Workstation
 ....
@@ -297,6 +305,7 @@ The event message strings are stored in event message files.
 
 The event source sub key has a value named "EventMessageFile" which contains a
 path specification of the event message file.
+
 ....
 %SystemRoot%\System32\netmsg.dll
 ....
@@ -315,8 +324,9 @@ programs producing different messages than shown in Event Viewer.
 
 Here "%SystemRoot%" is case insensitive and needs to be expanded to the Windows
 directory. The actual value of %SystemRoot% can be found in the Registry value:
+
 ....
-Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
+Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
 Value: SystemRoot
 ....
 
@@ -332,13 +342,15 @@ This value depends on the Windows version, e.g.
 |===
 
 Other environment variables that are frequently used are:
+
 ....
 %WinDir%
 ....
 
 The actual value of e.g. %WinDir% can be found in the Registry value:
+
 ....
-Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment\
+Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
 Value: windir
 ....
 
@@ -348,13 +360,15 @@ section. Event message files can have various extensions, e.g. ".exe", ".dll",
 
 The resource section contains a message-table resource which contains the event
 message strings. E.g.
+
 ....
 C:\Windows\System32\netmsg.dll
 ....
 
 The event message strings have identifiers similar to the event identifiers.
 E.g. if the event identifier is 3260 (0x00000cbc) the corresponding event
 message string would be:
+
 ....
 This computer has been successfully joined to %1 '%2'.
 ....
@@ -370,19 +384,22 @@ therefore contain event message strings for multiple languages.
 
 Parameter expansion is e.g. seen in event identifier 0xc0001b58 of the Service
 Control Manager.
+
 ....
 String: 1                       : Application Layer Gateway-service
 String: 2                       : %%1053
 ....
 
 The event source sub key has a value named "ParameterMessageFile" which for the
 Service Control Manager refers to:
+
 ....
 %SystemRoot%\System32\kernel32.dll
 ....
 
 Here %%1053 corresponds to the message string with identifier 1053 stored in
 kernel32.dll, which is expanded to:
+
 ....
 The service did not respond to the start or control request in a timely fashion.
 ....
@@ -395,6 +412,7 @@ name strings are stored in event message files (also see:
 
 The event source sub key has a value named "CategoryMessageFile" which contains
 a path specification of the event message file.
+
 ....
 %SystemRoot%\System32\MsAuditE.dll
 ....

diff --git a/dtfabric.yaml b/dtfabric.yaml
@@ -103,15 +103,15 @@ members:
   data_type: uint16
 - name: unknown2
   data_type: uint32
-- name: strings_offset
+- name: event_strings_offset
   data_type: uint32
-- name: user_identifier_size
+- name: user_security_identifier_size
   data_type: uint32
-- name: user_identifier_offset
+- name: user_security_identifier_offset
   data_type: uint32
-- name: data_size
+- name: event_data_size
   data_type: uint32
-- name: data_offset
+- name: event_data_offset
   data_type: uint32
 - name: source_name
   type: string
@@ -123,15 +123,20 @@ members:
   encoding: utf-16-le
   element_data_type: wchar16
   elements_terminator: "\x00\x00"
-- name: user_identifier
+- name: user_security_identifier
   type: stream
   element_data_type: byte
-  elements_data_size: event_record.user_identifier_size
-- name: data
+  elements_data_size: event_record.user_security_identifier_size
+  condition: event_record.user_security_identifier_offset != 0
+- name: event_strings
+# TODO: add strings array?
+- name: event_data
   type: stream
   element_data_type: byte
-  elements_data_size: event_record.data_size
-# TODO alignment padding
+  elements_data_size: event_record.event_data_size
+- name: alignment_padding
+  type: padding
+  alignment_size: 4
 - name: copy_of_size
   data_type: uint32
 ---

diff --git a/libevt.ini b/libevt.ini
@@ -18,8 +18,35 @@ data_types: {
         "end_of_file_record_offset": {"debug_format": "hexadecimal"},
         "last_record_number": {},
         "first_record_number": {},
-        "copy_of_size": {"usage": "in_function"}},
+        "copy_of_size": {"usage": "in_function"}
+    },
+    "event_record": {
+        "__options__": ["file_io_handle"],
+        "size": {"usage": "in_function"},
+        "signature": {},
+        "record_number": {"usage": "in_struct"},
+        "creation_time": {"usage": "in_struct"},
+        "last_written_time": {"usage": "in_struct"},
+        "event_identifier": {"usage": "in_struct"},
+        "event_type": {"usage": "in_struct"},
+        "number_of_strings": {},
+        "event_category": {"usage": "in_struct"},
+        "unknown1": {"debug_format": "hexadecimal"},
+        "unknown2": {"debug_format": "hexadecimal"},
+        "strings_offset": {"debug_format": "hexadecimal", "usage": "in_function"},
+        "user_security_identifier_size": {"usage": "in_function"},
+        "user_security_identifier_offset": {"debug_format": "hexadecimal", "usage": "in_function"},
+        "data_size": {"usage": "in_function"},
+        "data_offset": {"debug_format": "hexadecimal", "usage": "in_function"},
+        "source_name": {"usage": "in_struct"},
+        "computer_name": {"usage": "in_struct"},
+        "user_security_identifier": {"usage": "in_struct"},
+        "data": {"usage": "in_struct"},
+        "alignment_padding": {"debug_format": "hexadecimal"},
+        "copy_of_size": {"usage": "in_function"}
+    },
     "file_header": {
+        "__options__": ["file_io_handle"],
         "size": {"usage": "in_struct"},
         "signature": {},
         "major_format_version": {"usage": "in_struct"},
@@ -31,7 +58,8 @@ data_types: {
         "maximum_file_size": {},
         "file_flags": {"debug_format": "hexadecimal", "usage": "in_struct"},
         "retention": {"debug_format": "hexadecimal"},
-        "copy_of_size": {"usage": "in_struct"}}}
+        "copy_of_size": {"usage": "in_struct"}
+    }}
 
 [library]
 public_types: ["file", "record"]

diff --git a/libevt.pc.in b/libevt.pc.in
@@ -7,6 +7,6 @@ Name: libevt
 Description: Library to access the Windows Event Log (EVT) format
 Version: @VERSION@
 Libs: -L${libdir} -levt
-Libs.private: @ax_libbfio_pc_libs_private@ @ax_libcdata_pc_libs_private@ @ax_libcerror_pc_libs_private@ @ax_libcfile_pc_libs_private@ @ax_libclocale_pc_libs_private@ @ax_libcnotify_pc_libs_private@ @ax_libcpath_pc_libs_private@ @ax_libcsplit_pc_libs_private@ @ax_libcthreads_pc_libs_private@ @ax_libfcache_pc_libs_private@ @ax_libfdata_pc_libs_private@ @ax_libfdatetime_pc_libs_private@ @ax_libfguid_pc_libs_private@ @ax_libfvalue_pc_libs_private@ @ax_libfwnt_pc_libs_private@ @ax_libuna_pc_libs_private@ @ax_pthread_pc_libs_private@
+Libs.private: @ax_libbfio_pc_libs_private@ @ax_libcdata_pc_libs_private@ @ax_libcerror_pc_libs_private@ @ax_libcfile_pc_libs_private@ @ax_libclocale_pc_libs_private@ @ax_libcnotify_pc_libs_private@ @ax_libcpath_pc_libs_private@ @ax_libcsplit_pc_libs_private@ @ax_libcthreads_pc_libs_private@ @ax_libfcache_pc_libs_private@ @ax_libfdata_pc_libs_private@ @ax_libfdatetime_pc_libs_private@ @ax_libfguid_pc_libs_private@ @ax_libfwnt_pc_libs_private@ @ax_libuna_pc_libs_private@ @ax_pthread_pc_libs_private@
 Cflags: -I${includedir}