-rw-r--r-- | src/Makefile.am | 1 | ||||
-rw-r--r-- | src/file_evtx.c | 80 | ||||
-rw-r--r-- | src/file_list.c | 2 |
3 files changed, 83 insertions, 0 deletions
diff --git a/src/Makefile.am b/src/Makefile.am
index 52ea960..d761d91 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -120,6 +120,7 @@ file_C = filegen.c \
 file_emf.c \
 file_ess.c \
 file_evt.c \
+ file_evtx.c \
 file_exe.c \
 file_exs.c \
 file_ext.c \
diff --git a/src/file_evtx.c b/src/file_evtx.c
new file mode 100644
index 0000000..68f884f
--- /dev/null
+++ b/src/file_evtx.c
@@ -0,0 +1,80 @@
+/*
+
+ File: file_evtx.c
+
+ Copyright (C) 2019 Christophe GRENIER <grenier@cgsecurity.org>
+
+ This software is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License along
+ with this program; if not, write the Free Software Foundation, Inc., 51
+ Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#ifdef HAVE_STRING_H
+#include <string.h>
+#endif
+#include <stdio.h>
+#include "types.h"
+#include "filegen.h"
+#include "common.h"
+
+struct evtx_header
+{
+ char magic[8];
+ uint64_t OldestChunk;
+ uint64_t CurrentChunkNum;
+ uint64_t NextRecordNum;
+ uint32_t HeaderPart1Len; /* 0x80 */
+ uint16_t MinorVersion; /* 1 */
+ uint16_t MajorVersion; /* 3 */
+ uint16_t HeaderSize; /* 0x1000 */
+ uint16_t ChunkCount;
+ char unk[76]; /* 0 */
+ uint32_t Flags;
+ uint32_t Checksum;
+} __attribute__ ((gcc_struct, __packed__));
+
+static void register_header_check_evtx(file_stat_t *file_stat);
+
+const file_hint_t file_hint_evtx= {
+ .extension="evtx",
+ .description="Microsoft Event Log",
+ .max_filesize=PHOTOREC_MAX_FILE_SIZE,
+ .recover=1,
+ .enable_by_default=1,
+ .register_header_check=®ister_header_check_evtx
+};
+
+static int header_check_evtx(const unsigned char *buffer, const unsigned int buffer_size, const unsigned int safe_header_only, const file_recovery_t *file_recovery, file_recovery_t *file_recovery_new)
+{
+ const struct evtx_header *hdr=(const struct evtx_header *)buffer;
+ if(le32(hdr->HeaderPart1Len) != 0x80 ||
+ le16(hdr->MinorVersion) != 1 ||
+ le16(hdr->MajorVersion) != 3 ||
+ le16(hdr->HeaderSize) != 0x1000)
+ return 0;
+ reset_file_recovery(file_recovery_new);
+ file_recovery_new->extension=file_hint_evtx.extension;
+ file_recovery_new->calculated_file_size=(uint64_t)le16(hdr->HeaderSize) + (uint64_t)le16(hdr->ChunkCount) * 64 * 1024;
+ file_recovery_new->data_check=&data_check_size;
+ file_recovery_new->file_check=&file_check_size;
+ return 1;
+}
+
+static void register_header_check_evtx(file_stat_t *file_stat)
+{
+ register_header_check(0, "ElfFile", 8, &header_check_evtx, file_stat);
+}
diff --git a/src/file_list.c b/src/file_list.c
index 61a1dd5..0cbad05 100644
--- a/src/file_list.c
+++ b/src/file_list.c
@@ -121,6 +121,7 @@ extern const file_hint_t file_hint_elf;
 extern const file_hint_t file_hint_emf;
 extern const file_hint_t file_hint_ess;
 extern const file_hint_t file_hint_evt;
+extern const file_hint_t file_hint_evtx;
 extern const file_hint_t file_hint_exe;
 extern const file_hint_t file_hint_exs;
 extern const file_hint_t file_hint_ext2_sb;
@@ -458,6 +459,7 @@ file_enable_t list_file_enable[]=
 { .enable=0, .file_hint=&file_hint_emf },
 { .enable=0, .file_hint=&file_hint_ess },
 { .enable=0, .file_hint=&file_hint_evt },
+ { .enable=0, .file_hint=&file_hint_evtx },
 { .enable=0, .file_hint=&file_hint_exe },
 { .enable=0, .file_hint=&file_hint_exs },
 { .enable=0, .file_hint=&file_hint_ext2_sb }, |
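Review bot: header_check_evtx dereferences hdr through struct evtx_header (128 bytes as declared; the fields actually read end with ChunkCount at offset 42) without comparing `buffer_size` against it, so unless the carver framework guarantees a larger minimum buffer for every header check, add `if(buffer_size < sizeof(struct evtx_header)) return 0;` before the version comparisons. The check accepts any buffer whose 8-byte magic, HeaderPart1Len, the two version words and HeaderSize match, while the Flags and Checksum fields the struct declares are never consulted; a stronger header validation (for example verifying the header checksum, if the project already has a CRC helper) would cut false positives during carving. The `®ister_header_check_evtx` in the file_hint_evtx initializer looks like an entity-rendering artifact of `&register_header_check_evtx` in this view rather than source text. The Makefile.am hunk and the two file_list.c hunks are registration-only and raise nothing.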