/*

    File: file_evtx.c

    Copyright (C) 2019 Christophe GRENIER <grenier@cgsecurity.org>

    This software is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License along
    with this program; if not, write the Free Software Foundation, Inc., 51
    Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

 */
22
23 #ifdef HAVE_CONFIG_H
24 #include <config.h>
25 #endif
26 #ifdef HAVE_STRING_H
27 #include <string.h>
28 #endif
29 #include <stdio.h>
30 #include "types.h"
31 #include "filegen.h"
32 #include "common.h"
33
/*
 * On-disk EVTX (Windows XML Event Log) file header: the first 128 bytes
 * of the file, little-endian, packed so that sizeof matches the on-disk
 * layout.  Only the fields annotated with a fixed value are verified by
 * header_check_evtx; the others are documented for reference.
 */
struct evtx_header
{
  char magic[8];           /* "ElfFile\0" signature, matched by register_header_check_evtx */
  uint64_t OldestChunk;
  uint64_t CurrentChunkNum;
  uint64_t NextRecordNum;
  uint32_t HeaderPart1Len; /* 0x80 */
  uint16_t MinorVersion;   /* 1 */
  uint16_t MajorVersion;   /* 3 */
  uint16_t HeaderSize;     /* 0x1000 */
  uint16_t ChunkCount;     /* number of 64 KiB chunks after the header; drives calculated_file_size */
  char unk[76];            /* 0 */
  uint32_t Flags;          /* not checked by this file */
  uint32_t Checksum;       /* not checked by this file */
} __attribute__ ((gcc_struct, __packed__));
49
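/* Forward declaration: the registration callback is defined at the end of this file. */
static void register_header_check_evtx(file_stat_t *file_stat);

/*
 * Descriptor that makes the EVTX recognizer known to PhotoRec.
 * Recovered files get the "evtx" extension, are limited to the generic
 * PHOTOREC_MAX_FILE_SIZE, and the type is enabled by default.
 * The register_header_check callback must be a plain address-of; the
 * mis-encoded "®ister_..." form does not compile.
 */
const file_hint_t file_hint_evtx= {
  .extension="evtx",
  .description="Microsoft Event Log",
  .max_filesize=PHOTOREC_MAX_FILE_SIZE,
  .recover=1,
  .enable_by_default=1,
  .register_header_check=&register_header_check_evtx
};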
60
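/*
 * header_check_evtx: validate a candidate EVTX file header at @buffer and,
 * on success, describe the file to recover in @file_recovery_new.
 *
 * The 8-byte "ElfFile" magic has already been matched by the caller (see
 * register_header_check_evtx); this function checks the remaining fixed
 * header fields and derives the expected file size from the header.
 *
 * @buffer             raw bytes starting at the candidate header
 * @buffer_size        number of valid bytes in @buffer
 * @safe_header_only   not used by this recognizer
 * @file_recovery      recovery currently in progress, not used here
 * @file_recovery_new  filled in on success
 * @return 1 if the header looks like an EVTX file header, 0 otherwise
 */
static int header_check_evtx(const unsigned char *buffer, const unsigned int buffer_size, const unsigned int safe_header_only, const file_recovery_t *file_recovery, file_recovery_t *file_recovery_new)
{
  const struct evtx_header *hdr=(const struct evtx_header *)buffer;
  /* Never read header fields beyond the bytes we were actually handed. */
  if(buffer_size < sizeof(struct evtx_header))
    return 0;
  /* Fixed-value header fields; on-disk values are little-endian.
   * NOTE(review): the version check pins 3.1 exactly; confirm against
   * real-world samples before relaxing it. */
  if(le32(hdr->HeaderPart1Len) != 0x80 ||
      le16(hdr->MinorVersion) != 1 ||
      le16(hdr->MajorVersion) != 3 ||
      le16(hdr->HeaderSize) != 0x1000)
    return 0;
  reset_file_recovery(file_recovery_new);
  file_recovery_new->extension=file_hint_evtx.extension;
  /* File = one header block of HeaderSize bytes followed by ChunkCount
   * chunks of 64 KiB each.  ChunkCount is 16-bit, so the product stays
   * below 4 GiB and cannot overflow the uint64_t. */
  file_recovery_new->calculated_file_size=(uint64_t)le16(hdr->HeaderSize) + (uint64_t)le16(hdr->ChunkCount) * 64 * 1024;
  file_recovery_new->data_check=&data_check_size;
  file_recovery_new->file_check=&file_check_size;
  return 1;
}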
76
/*
 * register_header_check_evtx: hook the EVTX recognizer into PhotoRec.
 *
 * Asks the core to call header_check_evtx for every block whose first
 * 8 bytes (offset 0) equal the "ElfFile" signature including its NUL;
 * the remaining header fields are validated in header_check_evtx.
 *
 * @file_stat  per-file-type statistics record passed through to the core
 */
static void register_header_check_evtx(file_stat_t *file_stat)
{
  /* 7 characters plus the terminating NUL: all 8 bytes are part of the signature. */
  static const char evtx_magic[8] = "ElfFile";
  register_header_check(0, evtx_magic, sizeof(evtx_magic), &header_check_evtx, file_stat);
}
81