1 /*
2 * Event record functions
3 *
4 * Copyright (C) 2011-2021, Joachim Metz <joachim.metz@gmail.com>
5 *
6 * Refer to AUTHORS for acknowledgements.
7 *
8 * This program is free software: you can redistribute it and/or modify
9 * it under the terms of the GNU Lesser General Public License as published by
10 * the Free Software Foundation, either version 3 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <https://www.gnu.org/licenses/>.
20 */
21
22 #include <common.h>
23 #include <byte_stream.h>
24 #include <memory.h>
25 #include <types.h>
26
27 #include "libevt_debug.h"
28 #include "libevt_event_record.h"
29 #include "libevt_libcerror.h"
30 #include "libevt_libcnotify.h"
31 #include "libevt_libfdatetime.h"
32 #include "libevt_libfwnt.h"
33 #include "libevt_libuna.h"
34 #include "libevt_strings_array.h"
35
36 #include "evt_event_record.h"
37
38 /* Creates a event record
39 * Make sure the value event_record is referencing, is set to NULL
40 * Returns 1 if successful or -1 on error
41 */
libevt_event_record_initialize(libevt_event_record_t ** event_record,libcerror_error_t ** error)42 int libevt_event_record_initialize(
43 libevt_event_record_t **event_record,
44 libcerror_error_t **error )
45 {
46 static char *function = "libevt_event_record_initialize";
47
48 if( event_record == NULL )
49 {
50 libcerror_error_set(
51 error,
52 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
53 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
54 "%s: invalid event record.",
55 function );
56
57 return( -1 );
58 }
59 if( *event_record != NULL )
60 {
61 libcerror_error_set(
62 error,
63 LIBCERROR_ERROR_DOMAIN_RUNTIME,
64 LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET,
65 "%s: invalid event record value already set.",
66 function );
67
68 return( -1 );
69 }
70 *event_record = memory_allocate_structure(
71 libevt_event_record_t );
72
73 if( *event_record == NULL )
74 {
75 libcerror_error_set(
76 error,
77 LIBCERROR_ERROR_DOMAIN_MEMORY,
78 LIBCERROR_MEMORY_ERROR_INSUFFICIENT,
79 "%s: unable to create event record.",
80 function );
81
82 goto on_error;
83 }
84 if( memory_set(
85 *event_record,
86 0,
87 sizeof( libevt_event_record_t ) ) == NULL )
88 {
89 libcerror_error_set(
90 error,
91 LIBCERROR_ERROR_DOMAIN_MEMORY,
92 LIBCERROR_MEMORY_ERROR_SET_FAILED,
93 "%s: unable to clear event record.",
94 function );
95
96 goto on_error;
97 }
98 return( 1 );
99
100 on_error:
101 if( *event_record != NULL )
102 {
103 memory_free(
104 *event_record );
105
106 *event_record = NULL;
107 }
108 return( -1 );
109 }
110
111 /* Frees a event record
112 * Returns 1 if successful or -1 on error
113 */
libevt_event_record_free(libevt_event_record_t ** event_record,libcerror_error_t ** error)114 int libevt_event_record_free(
115 libevt_event_record_t **event_record,
116 libcerror_error_t **error )
117 {
118 static char *function = "libevt_event_record_free";
119 int result = 1;
120
121 if( event_record == NULL )
122 {
123 libcerror_error_set(
124 error,
125 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
126 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
127 "%s: invalid event record.",
128 function );
129
130 return( -1 );
131 }
132 if( *event_record != NULL )
133 {
134 if( ( *event_record )->source_name != NULL )
135 {
136 memory_free(
137 ( *event_record )->source_name );
138 }
139 if( ( *event_record )->computer_name != NULL )
140 {
141 memory_free(
142 ( *event_record )->computer_name );
143 }
144 if( ( *event_record )->user_security_identifier != NULL )
145 {
146 if( libfwnt_security_identifier_free(
147 &( ( *event_record )->user_security_identifier ),
148 error ) != 1 )
149 {
150 libcerror_error_set(
151 error,
152 LIBCERROR_ERROR_DOMAIN_RUNTIME,
153 LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
154 "%s: unable to free user security identifier.",
155 function );
156
157 result = -1;
158 }
159 }
160 if( ( *event_record )->strings != NULL )
161 {
162 if( libevt_strings_array_free(
163 &( ( *event_record )->strings ),
164 error ) != 1 )
165 {
166 libcerror_error_set(
167 error,
168 LIBCERROR_ERROR_DOMAIN_RUNTIME,
169 LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
170 "%s: unable to free strings.",
171 function );
172
173 result = -1;
174 }
175 }
176 if( ( *event_record )->data != NULL )
177 {
178 memory_free(
179 ( *event_record )->data );
180 }
181 memory_free(
182 *event_record );
183
184 *event_record = NULL;
185 }
186 return( result );
187 }
188
189 /* Reads the event record data
190 * Returns 1 if successful or -1 on error
191 */
libevt_event_record_read_data(libevt_event_record_t * event_record,const uint8_t * data,size_t data_size,libcerror_error_t ** error)192 int libevt_event_record_read_data(
193 libevt_event_record_t *event_record,
194 const uint8_t *data,
195 size_t data_size,
196 libcerror_error_t **error )
197 {
198 const uint8_t *computer_name = NULL;
199 const uint8_t *event_data = NULL;
200 const uint8_t *event_strings = NULL;
201 const uint8_t *source_name = NULL;
202 const uint8_t *user_security_identifier = NULL;
203 static char *function = "libevt_event_record_read_data";
204 size_t computer_name_size = 0;
205 size_t data_offset = 0;
206 size_t event_strings_size = 0;
207 size_t maximum_data_size = 0;
208 size_t maximum_strings_data_size = 0;
209 size_t source_name_size = 0;
210 uint32_t event_data_offset = 0;
211 uint32_t event_data_size = 0;
212 uint32_t event_strings_offset = 0;
213 uint32_t user_security_identifier_offset = 0;
214 uint32_t user_security_identifier_size = 0;
215 uint16_t number_of_event_strings = 0;
216
217 #if defined( HAVE_DEBUG_OUTPUT )
218 uint32_t value_32bit = 0;
219 uint16_t value_16bit = 0;
220 #endif
221
222 if( event_record == NULL )
223 {
224 libcerror_error_set(
225 error,
226 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
227 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
228 "%s: invalid event record.",
229 function );
230
231 return( -1 );
232 }
233 if( event_record->source_name != NULL )
234 {
235 libcerror_error_set(
236 error,
237 LIBCERROR_ERROR_DOMAIN_RUNTIME,
238 LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET,
239 "%s: invalid event record - source name value already set.",
240 function );
241
242 return( -1 );
243 }
244 if( event_record->computer_name != NULL )
245 {
246 libcerror_error_set(
247 error,
248 LIBCERROR_ERROR_DOMAIN_RUNTIME,
249 LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET,
250 "%s: invalid event record - computer name value already set.",
251 function );
252
253 return( -1 );
254 }
255 if( event_record->user_security_identifier != NULL )
256 {
257 libcerror_error_set(
258 error,
259 LIBCERROR_ERROR_DOMAIN_RUNTIME,
260 LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET,
261 "%s: invalid event record - user security identifier value already set.",
262 function );
263
264 return( -1 );
265 }
266 if( event_record->strings != NULL )
267 {
268 libcerror_error_set(
269 error,
270 LIBCERROR_ERROR_DOMAIN_RUNTIME,
271 LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET,
272 "%s: invalid event record - strings value already set.",
273 function );
274
275 return( -1 );
276 }
277 if( data == NULL )
278 {
279 libcerror_error_set(
280 error,
281 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
282 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
283 "%s: invalid data.",
284 function );
285
286 return( -1 );
287 }
288 if( data_size < sizeof( evt_event_record_t ) )
289 {
290 libcerror_error_set(
291 error,
292 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
293 LIBCERROR_ARGUMENT_ERROR_VALUE_TOO_SMALL,
294 "%s: invalid data size value too small.",
295 function );
296
297 return( -1 );
298 }
299 if( data_size > (size_t) SSIZE_MAX )
300 {
301 libcerror_error_set(
302 error,
303 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
304 LIBCERROR_ARGUMENT_ERROR_VALUE_EXCEEDS_MAXIMUM,
305 "%s: invalid data size value exceeds maximum.",
306 function );
307
308 return( -1 );
309 }
310 maximum_data_size = data_size - 4;
311
312 #if defined( HAVE_DEBUG_OUTPUT )
313 if( libcnotify_verbose != 0 )
314 {
315 libcnotify_printf(
316 "%s: event record data:\n",
317 function );
318 libcnotify_print_data(
319 data,
320 sizeof( evt_event_record_t ),
321 0 );
322 }
323 #endif
324 if( memory_compare(
325 ( (evt_event_record_t *) data )->signature,
326 "LfLe",
327 4 ) != 0 )
328 {
329 libcerror_error_set(
330 error,
331 LIBCERROR_ERROR_DOMAIN_RUNTIME,
332 LIBCERROR_RUNTIME_ERROR_UNSUPPORTED_VALUE,
333 "%s: invalid signature.",
334 function );
335
336 goto on_error;
337 }
338 byte_stream_copy_to_uint32_little_endian(
339 ( (evt_event_record_t *) data )->size,
340 event_record->record_size );
341
342 byte_stream_copy_to_uint32_little_endian(
343 ( (evt_event_record_t *) data )->record_number,
344 event_record->record_number );
345
346 byte_stream_copy_to_uint32_little_endian(
347 ( (evt_event_record_t *) data )->creation_time,
348 event_record->creation_time );
349
350 byte_stream_copy_to_uint32_little_endian(
351 ( (evt_event_record_t *) data )->last_written_time,
352 event_record->last_written_time );
353
354 byte_stream_copy_to_uint32_little_endian(
355 ( (evt_event_record_t *) data )->event_identifier,
356 event_record->event_identifier );
357
358 byte_stream_copy_to_uint16_little_endian(
359 ( (evt_event_record_t *) data )->event_type,
360 event_record->event_type );
361
362 byte_stream_copy_to_uint16_little_endian(
363 ( (evt_event_record_t *) data )->number_of_strings,
364 number_of_event_strings );
365
366 byte_stream_copy_to_uint16_little_endian(
367 ( (evt_event_record_t *) data )->event_category,
368 event_record->event_category );
369
370 byte_stream_copy_to_uint32_little_endian(
371 ( (evt_event_record_t *) data )->event_strings_offset,
372 event_strings_offset );
373
374 byte_stream_copy_to_uint32_little_endian(
375 ( (evt_event_record_t *) data )->user_security_identifier_size,
376 user_security_identifier_size );
377
378 byte_stream_copy_to_uint32_little_endian(
379 ( (evt_event_record_t *) data )->user_security_identifier_offset,
380 user_security_identifier_offset );
381
382 byte_stream_copy_to_uint32_little_endian(
383 ( (evt_event_record_t *) data )->event_data_size,
384 event_data_size );
385
386 byte_stream_copy_to_uint32_little_endian(
387 ( (evt_event_record_t *) data )->event_data_offset,
388 event_data_offset );
389
390 #if defined( HAVE_DEBUG_OUTPUT )
391 if( libcnotify_verbose != 0 )
392 {
393 libcnotify_printf(
394 "%s: size\t\t\t\t\t: %" PRIu32 "\n",
395 function,
396 event_record->record_size );
397
398 libcnotify_printf(
399 "%s: signature\t\t\t\t: %c%c%c%c\n",
400 function,
401 ( (evt_event_record_t *) data )->signature[ 0 ],
402 ( (evt_event_record_t *) data )->signature[ 1 ],
403 ( (evt_event_record_t *) data )->signature[ 2 ],
404 ( (evt_event_record_t *) data )->signature[ 3 ] );
405
406 libcnotify_printf(
407 "%s: record number\t\t\t\t: %" PRIu32 "\n",
408 function,
409 event_record->record_number );
410
411 if( libevt_debug_print_posix_time_value(
412 function,
413 "creation time\t\t\t\t",
414 ( (evt_event_record_t *) data )->creation_time,
415 4,
416 LIBFDATETIME_ENDIAN_LITTLE,
417 LIBFDATETIME_POSIX_TIME_VALUE_TYPE_SECONDS_32BIT_SIGNED,
418 LIBFDATETIME_STRING_FORMAT_TYPE_CTIME | LIBFDATETIME_STRING_FORMAT_FLAG_DATE_TIME,
419 error ) != 1 )
420 {
421 libcerror_error_set(
422 error,
423 LIBCERROR_ERROR_DOMAIN_RUNTIME,
424 LIBCERROR_RUNTIME_ERROR_PRINT_FAILED,
425 "%s: unable to print POSIX time value.",
426 function );
427
428 goto on_error;
429 }
430 if( libevt_debug_print_posix_time_value(
431 function,
432 "last written time\t\t\t",
433 ( (evt_event_record_t *) data )->last_written_time,
434 4,
435 LIBFDATETIME_ENDIAN_LITTLE,
436 LIBFDATETIME_POSIX_TIME_VALUE_TYPE_SECONDS_32BIT_SIGNED,
437 LIBFDATETIME_STRING_FORMAT_TYPE_CTIME | LIBFDATETIME_STRING_FORMAT_FLAG_DATE_TIME,
438 error ) != 1 )
439 {
440 libcerror_error_set(
441 error,
442 LIBCERROR_ERROR_DOMAIN_RUNTIME,
443 LIBCERROR_RUNTIME_ERROR_PRINT_FAILED,
444 "%s: unable to print POSIX time value.",
445 function );
446
447 goto on_error;
448 }
449 libcnotify_printf(
450 "%s: event identifier\t\t\t\t: %" PRIu32 "\n",
451 function,
452 event_record->event_identifier );
453
454 libcnotify_printf(
455 "%s: event type\t\t\t\t: %" PRIu16 "\n",
456 function,
457 event_record->event_type );
458
459 libcnotify_printf(
460 "%s: number of event strings\t\t\t: %" PRIu16 "\n",
461 function,
462 number_of_event_strings );
463
464 libcnotify_printf(
465 "%s: event category\t\t\t\t: %" PRIu16 "\n",
466 function,
467 event_record->event_category );
468
469 byte_stream_copy_to_uint16_little_endian(
470 ( (evt_event_record_t *) data )->unknown1,
471 value_16bit );
472 libcnotify_printf(
473 "%s: unknown1\t\t\t\t\t: 0x%04" PRIx16 "\n",
474 function,
475 value_16bit );
476
477 byte_stream_copy_to_uint32_little_endian(
478 ( (evt_event_record_t *) data )->unknown2,
479 value_32bit );
480 libcnotify_printf(
481 "%s: unknown2\t\t\t\t\t: 0x%08" PRIx32 "\n",
482 function,
483 value_32bit );
484
485 libcnotify_printf(
486 "%s: event strings offset\t\t\t: 0x%08" PRIx32 "\n",
487 function,
488 event_strings_offset );
489
490 libcnotify_printf(
491 "%s: user security identifier size\t\t: %" PRIu32 "\n",
492 function,
493 user_security_identifier_size );
494
495 libcnotify_printf(
496 "%s: user security identifier offset\t\t: 0x%08" PRIx32 "\n",
497 function,
498 user_security_identifier_offset );
499
500 libcnotify_printf(
501 "%s: event data size\t\t\t\t: %" PRIu32 "\n",
502 function,
503 event_data_size );
504
505 libcnotify_printf(
506 "%s: event data offset\t\t\t: %" PRIu32 "\n",
507 function,
508 event_data_offset );
509 }
510 #endif /* defined( HAVE_DEBUG_OUTPUT ) */
511
512 data_offset = sizeof( evt_event_record_t );
513
514 source_name = &( data[ data_offset ] );
515 source_name_size = 0;
516
517 while( ( data_offset + 1 ) < maximum_data_size )
518 {
519 source_name_size += 2;
520
521 if( ( data[ data_offset ] == 0 )
522 && ( data[ data_offset + 1 ] == 0 ) )
523 {
524 break;
525 }
526 data_offset += 2;
527 }
528 data_offset += 2;
529
530 if( source_name_size > 0 )
531 {
532 #if defined( HAVE_DEBUG_OUTPUT )
533 if( libcnotify_verbose != 0 )
534 {
535 if( libevt_debug_print_utf16_string_value(
536 function,
537 "source name\t\t\t\t",
538 source_name,
539 source_name_size,
540 LIBUNA_ENDIAN_LITTLE,
541 error ) != 1 )
542 {
543 libcerror_error_set(
544 error,
545 LIBCERROR_ERROR_DOMAIN_RUNTIME,
546 LIBCERROR_RUNTIME_ERROR_PRINT_FAILED,
547 "%s: unable to print source name UTF-16 string value.",
548 function );
549
550 goto on_error;
551 }
552 }
553 #endif /* defined( HAVE_DEBUG_OUTPUT ) */
554
555 if( source_name_size > (size_t) MEMORY_MAXIMUM_ALLOCATION_SIZE )
556 {
557 libcerror_error_set(
558 error,
559 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
560 LIBCERROR_ARGUMENT_ERROR_VALUE_EXCEEDS_MAXIMUM,
561 "%s: invalid source name size value exceeds maximum allocation size.",
562 function );
563
564 goto on_error;
565 }
566 event_record->source_name = (uint8_t *) memory_allocate(
567 sizeof( uint8_t ) * source_name_size );
568
569 if( event_record->source_name == NULL )
570 {
571 libcerror_error_set(
572 error,
573 LIBCERROR_ERROR_DOMAIN_MEMORY,
574 LIBCERROR_MEMORY_ERROR_INSUFFICIENT,
575 "%s: unable to create source name.",
576 function );
577
578 goto on_error;
579 }
580 if( memory_copy(
581 event_record->source_name,
582 source_name,
583 sizeof( uint8_t ) * source_name_size ) == NULL )
584 {
585 libcerror_error_set(
586 error,
587 LIBCERROR_ERROR_DOMAIN_MEMORY,
588 LIBCERROR_MEMORY_ERROR_COPY_FAILED,
589 "%s: unable to copy source name.",
590 function );
591
592 goto on_error;
593 }
594 event_record->source_name_size = source_name_size;
595 }
596 computer_name = &( data[ data_offset ] );
597 computer_name_size = 0;
598
599 while( ( data_offset + 1 ) < maximum_data_size )
600 {
601 computer_name_size += 2;
602
603 if( ( data[ data_offset ] == 0 )
604 && ( data[ data_offset + 1 ] == 0 ) )
605 {
606 break;
607 }
608 data_offset += 2;
609 }
610 data_offset += 2;
611
612 if( computer_name_size > 0 )
613 {
614 #if defined( HAVE_DEBUG_OUTPUT )
615 if( libcnotify_verbose != 0 )
616 {
617 if( libevt_debug_print_utf16_string_value(
618 function,
619 "computer name\t\t\t\t",
620 computer_name,
621 computer_name_size,
622 LIBUNA_ENDIAN_LITTLE,
623 error ) != 1 )
624 {
625 libcerror_error_set(
626 error,
627 LIBCERROR_ERROR_DOMAIN_RUNTIME,
628 LIBCERROR_RUNTIME_ERROR_PRINT_FAILED,
629 "%s: unable to print computer name UTF-16 string value.",
630 function );
631
632 goto on_error;
633 }
634 }
635 #endif /* defined( HAVE_DEBUG_OUTPUT ) */
636
637 if( computer_name_size > (size_t) MEMORY_MAXIMUM_ALLOCATION_SIZE )
638 {
639 libcerror_error_set(
640 error,
641 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
642 LIBCERROR_ARGUMENT_ERROR_VALUE_EXCEEDS_MAXIMUM,
643 "%s: invalid computer name size value exceeds maximum allocation size.",
644 function );
645
646 goto on_error;
647 }
648 event_record->computer_name = (uint8_t *) memory_allocate(
649 sizeof( uint8_t ) * computer_name_size );
650
651 if( event_record->computer_name == NULL )
652 {
653 libcerror_error_set(
654 error,
655 LIBCERROR_ERROR_DOMAIN_MEMORY,
656 LIBCERROR_MEMORY_ERROR_INSUFFICIENT,
657 "%s: unable to create computer name.",
658 function );
659
660 goto on_error;
661 }
662 if( memory_copy(
663 event_record->computer_name,
664 computer_name,
665 sizeof( uint8_t ) * computer_name_size ) == NULL )
666 {
667 libcerror_error_set(
668 error,
669 LIBCERROR_ERROR_DOMAIN_MEMORY,
670 LIBCERROR_MEMORY_ERROR_COPY_FAILED,
671 "%s: unable to copy computer name.",
672 function );
673
674 goto on_error;
675 }
676 event_record->computer_name_size = computer_name_size;
677 }
678 /* TODO use dtFabric condition rules to generate code below */
679
680 if( user_security_identifier_size != 0 )
681 {
682 if( ( (size_t) user_security_identifier_offset < data_offset )
683 || ( (size_t) user_security_identifier_offset >= maximum_data_size ) )
684 {
685 libcerror_error_set(
686 error,
687 LIBCERROR_ERROR_DOMAIN_RUNTIME,
688 LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS,
689 "%s: user security identifier offset value out of bounds.",
690 function );
691
692 goto on_error;
693 }
694 if( ( (size_t) user_security_identifier_size > maximum_data_size )
695 || ( (size_t) user_security_identifier_offset >= ( maximum_data_size - user_security_identifier_size ) ) )
696 {
697 libcerror_error_set(
698 error,
699 LIBCERROR_ERROR_DOMAIN_RUNTIME,
700 LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS,
701 "%s: user identifier size value out of bounds.",
702 function );
703
704 goto on_error;
705 }
706 user_security_identifier = &( data[ user_security_identifier_offset ] );
707
708 #if defined( HAVE_DEBUG_OUTPUT )
709 if( libcnotify_verbose != 0 )
710 {
711 if( libevt_debug_print_security_identifier_value(
712 function,
713 "user security identifier\t\t\t",
714 user_security_identifier,
715 user_security_identifier_size,
716 error ) != 1 )
717 {
718 libcerror_error_set(
719 error,
720 LIBCERROR_ERROR_DOMAIN_RUNTIME,
721 LIBCERROR_RUNTIME_ERROR_PRINT_FAILED,
722 "%s: unable to print user security identifier value.",
723 function );
724
725 goto on_error;
726 }
727 }
728 #endif /* defined( HAVE_DEBUG_OUTPUT ) */
729
730 if( libfwnt_security_identifier_initialize(
731 &( event_record->user_security_identifier ),
732 error ) != 1 )
733 {
734 libcerror_error_set(
735 error,
736 LIBCERROR_ERROR_DOMAIN_RUNTIME,
737 LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
738 "%s: unable to create user security identifier.",
739 function );
740
741 goto on_error;
742 }
743 if( libfwnt_security_identifier_copy_from_byte_stream(
744 event_record->user_security_identifier,
745 user_security_identifier,
746 user_security_identifier_size,
747 LIBFWNT_ENDIAN_LITTLE,
748 error ) != 1 )
749 {
750 libcerror_error_set(
751 error,
752 LIBCERROR_ERROR_DOMAIN_RUNTIME,
753 LIBCERROR_RUNTIME_ERROR_COPY_FAILED,
754 "%s: unable to copy byte stream to user security identifier.",
755 function );
756
757 goto on_error;
758 }
759 data_offset += user_security_identifier_size;
760 }
761 if( number_of_event_strings != 0 )
762 {
763 maximum_strings_data_size = event_data_offset;
764
765 if( ( maximum_strings_data_size == 0 )
766 || ( (size_t) maximum_strings_data_size >= maximum_data_size ) )
767 {
768 maximum_strings_data_size = maximum_data_size;
769 }
770 if( ( event_strings_offset < data_offset )
771 || ( (size_t) event_strings_offset >= maximum_strings_data_size ) )
772 {
773 libcerror_error_set(
774 error,
775 LIBCERROR_ERROR_DOMAIN_RUNTIME,
776 LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS,
777 "%s: event strings offset value out of bounds.",
778 function );
779
780 goto on_error;
781 }
782 #if defined( HAVE_DEBUG_OUTPUT )
783 if( libcnotify_verbose != 0 )
784 {
785 if( event_strings_offset > data_offset )
786 {
787 libcnotify_printf(
788 "%s: unknown3 data\n",
789 function );
790 libcnotify_print_data(
791 &( data[ data_offset ] ),
792 event_strings_offset - data_offset,
793 0 );
794 }
795 }
796 #endif /* defined( HAVE_DEBUG_OUTPUT ) */
797
798 event_strings = &( data[ event_strings_offset ] );
799 event_strings_size = maximum_strings_data_size - event_strings_offset;
800
801 if( libevt_strings_array_initialize(
802 &( event_record->strings ),
803 error ) != 1 )
804 {
805 libcerror_error_set(
806 error,
807 LIBCERROR_ERROR_DOMAIN_RUNTIME,
808 LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
809 "%s: unable to create strings array.",
810 function );
811
812 goto on_error;
813 }
814 if( libevt_strings_array_read_data(
815 event_record->strings,
816 event_strings,
817 event_strings_size,
818 error ) != 1 )
819 {
820 libcerror_error_set(
821 error,
822 LIBCERROR_ERROR_DOMAIN_IO,
823 LIBCERROR_IO_ERROR_READ_FAILED,
824 "%s: unable to read strings array.",
825 function );
826
827 goto on_error;
828 }
829 data_offset += event_strings_size;
830 }
831 if( event_data_size != 0 )
832 {
833 if( ( event_data_offset < data_offset )
834 || ( (size_t) event_data_offset >= maximum_data_size ) )
835 {
836 libcerror_error_set(
837 error,
838 LIBCERROR_ERROR_DOMAIN_RUNTIME,
839 LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS,
840 "%s: event data offset value out of bounds.",
841 function );
842
843 goto on_error;
844 }
845 if( ( (size_t) event_data_size > maximum_data_size )
846 || ( (size_t) event_data_offset > ( maximum_data_size - event_data_size ) ) )
847 {
848 libcerror_error_set(
849 error,
850 LIBCERROR_ERROR_DOMAIN_RUNTIME,
851 LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS,
852 "%s: event data size value out of bounds.",
853 function );
854
855 goto on_error;
856 }
857 event_data = &( data[ data_offset ] );
858
859 #if defined( HAVE_DEBUG_OUTPUT )
860 if( libcnotify_verbose != 0 )
861 {
862 libcnotify_printf(
863 "%s: event data\n",
864 function );
865 libcnotify_print_data(
866 event_data,
867 event_data_size,
868 0 );
869 }
870 #endif /* defined( HAVE_DEBUG_OUTPUT ) */
871
872 if( event_data_size > (size_t) MEMORY_MAXIMUM_ALLOCATION_SIZE )
873 {
874 libcerror_error_set(
875 error,
876 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
877 LIBCERROR_ARGUMENT_ERROR_VALUE_EXCEEDS_MAXIMUM,
878 "%s: invalid event data size value exceeds maximum allocation size.",
879 function );
880
881 goto on_error;
882 }
883 event_record->data = (uint8_t *) memory_allocate(
884 sizeof( uint8_t ) * event_data_size );
885
886 if( event_record->data == NULL )
887 {
888 libcerror_error_set(
889 error,
890 LIBCERROR_ERROR_DOMAIN_MEMORY,
891 LIBCERROR_MEMORY_ERROR_INSUFFICIENT,
892 "%s: unable to create data.",
893 function );
894
895 goto on_error;
896 }
897 if( memory_copy(
898 event_record->data,
899 event_data,
900 sizeof( uint8_t ) * event_data_size ) == NULL )
901 {
902 libcerror_error_set(
903 error,
904 LIBCERROR_ERROR_DOMAIN_MEMORY,
905 LIBCERROR_MEMORY_ERROR_COPY_FAILED,
906 "%s: unable to copy data.",
907 function );
908
909 goto on_error;
910 }
911 event_record->data_size = event_data_size;
912
913 data_offset += event_data_size;
914 }
915 #if defined( HAVE_DEBUG_OUTPUT )
916 if( data_offset < maximum_data_size )
917 {
918 if( libcnotify_verbose != 0 )
919 {
920 libcnotify_printf(
921 "%s: alignment padding:\n",
922 function );
923 libcnotify_print_data(
924 &( data[ data_offset ] ),
925 maximum_data_size - data_offset,
926 0 );
927 }
928 }
929 #endif /* defined( HAVE_DEBUG_OUTPUT ) */
930
931 byte_stream_copy_to_uint32_little_endian(
932 &( data[ data_size - 4 ] ),
933 event_record->copy_of_record_size );
934
935 #if defined( HAVE_DEBUG_OUTPUT )
936 if( libcnotify_verbose != 0 )
937 {
938 libcnotify_printf(
939 "%s: copy of size\t\t\t\t: %" PRIu32 "\n",
940 function,
941 event_record->copy_of_record_size );
942
943 libcnotify_printf(
944 "\n" );
945 }
946 #endif /* defined( HAVE_DEBUG_OUTPUT ) */
947
948 return( 1 );
949
950 on_error:
951 if( event_record->data != NULL )
952 {
953 memory_free(
954 event_record->data );
955
956 event_record->data = NULL;
957 }
958 event_record->data_size = 0;
959
960 if( event_record->strings != NULL )
961 {
962 libevt_strings_array_free(
963 &( event_record->strings ),
964 NULL );
965 }
966 if( event_record->user_security_identifier != NULL )
967 {
968 libfwnt_security_identifier_free(
969 &( event_record->user_security_identifier ),
970 NULL );
971 }
972 if( event_record->computer_name != NULL )
973 {
974 memory_free(
975 event_record->computer_name );
976
977 event_record->computer_name = NULL;
978 }
979 event_record->computer_name_size = 0;
980
981 if( event_record->source_name != NULL )
982 {
983 memory_free(
984 event_record->source_name );
985
986 event_record->source_name = NULL;
987 }
988 event_record->source_name_size = 0;
989
990 return( -1 );
991 }
992
993 /* Retrieves the record number
994 * Returns 1 if successful or -1 on error
995 */
libevt_event_record_get_record_number(libevt_event_record_t * event_record,uint32_t * record_number,libcerror_error_t ** error)996 int libevt_event_record_get_record_number(
997 libevt_event_record_t *event_record,
998 uint32_t *record_number,
999 libcerror_error_t **error )
1000 {
1001 static char *function = "libevt_event_record_get_record_number";
1002
1003 if( event_record == NULL )
1004 {
1005 libcerror_error_set(
1006 error,
1007 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1008 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1009 "%s: invalid event record.",
1010 function );
1011
1012 return( -1 );
1013 }
1014 if( record_number == NULL )
1015 {
1016 libcerror_error_set(
1017 error,
1018 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1019 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1020 "%s: invalid record number.",
1021 function );
1022
1023 return( -1 );
1024 }
1025 *record_number = event_record->record_number;
1026
1027 return( 1 );
1028 }
1029
1030 /* Retrieves the creation time
1031 * The timestamp is a 32-bit POSIX date and time value
1032 * Returns 1 if successful or -1 on error
1033 */
libevt_event_record_get_creation_time(libevt_event_record_t * event_record,uint32_t * posix_time,libcerror_error_t ** error)1034 int libevt_event_record_get_creation_time(
1035 libevt_event_record_t *event_record,
1036 uint32_t *posix_time,
1037 libcerror_error_t **error )
1038 {
1039 static char *function = "libevt_event_record_get_creation_time";
1040
1041 if( event_record == NULL )
1042 {
1043 libcerror_error_set(
1044 error,
1045 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1046 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1047 "%s: invalid event record.",
1048 function );
1049
1050 return( -1 );
1051 }
1052 if( posix_time == NULL )
1053 {
1054 libcerror_error_set(
1055 error,
1056 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1057 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1058 "%s: invalid POSIX time.",
1059 function );
1060
1061 return( -1 );
1062 }
1063 *posix_time = event_record->creation_time;
1064
1065 return( 1 );
1066 }
1067
1068 /* Retrieves the last written time
1069 * The timestamp is a 32-bit POSIX date and time value
1070 * Returns 1 if successful or -1 on error
1071 */
libevt_event_record_get_last_written_time(libevt_event_record_t * event_record,uint32_t * posix_time,libcerror_error_t ** error)1072 int libevt_event_record_get_last_written_time(
1073 libevt_event_record_t *event_record,
1074 uint32_t *posix_time,
1075 libcerror_error_t **error )
1076 {
1077 static char *function = "libevt_event_record_get_last_written_time";
1078
1079 if( event_record == NULL )
1080 {
1081 libcerror_error_set(
1082 error,
1083 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1084 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1085 "%s: invalid event record.",
1086 function );
1087
1088 return( -1 );
1089 }
1090 if( posix_time == NULL )
1091 {
1092 libcerror_error_set(
1093 error,
1094 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1095 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1096 "%s: invalid POSIX time.",
1097 function );
1098
1099 return( -1 );
1100 }
1101 *posix_time = event_record->last_written_time;
1102
1103 return( 1 );
1104 }
1105
1106 /* Retrieves the event identifier
1107 * Returns 1 if successful or -1 on error
1108 */
libevt_event_record_get_event_identifier(libevt_event_record_t * event_record,uint32_t * event_identifier,libcerror_error_t ** error)1109 int libevt_event_record_get_event_identifier(
1110 libevt_event_record_t *event_record,
1111 uint32_t *event_identifier,
1112 libcerror_error_t **error )
1113 {
1114 static char *function = "libevt_event_record_get_event_identifier";
1115
1116 if( event_record == NULL )
1117 {
1118 libcerror_error_set(
1119 error,
1120 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1121 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1122 "%s: invalid event record.",
1123 function );
1124
1125 return( -1 );
1126 }
1127 if( event_identifier == NULL )
1128 {
1129 libcerror_error_set(
1130 error,
1131 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1132 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1133 "%s: invalid event identifier.",
1134 function );
1135
1136 return( -1 );
1137 }
1138 *event_identifier = event_record->event_identifier;
1139
1140 return( 1 );
1141 }
1142
1143 /* Retrieves the event type
1144 * Returns 1 if successful or -1 on error
1145 */
libevt_event_record_get_event_type(libevt_event_record_t * event_record,uint16_t * event_type,libcerror_error_t ** error)1146 int libevt_event_record_get_event_type(
1147 libevt_event_record_t *event_record,
1148 uint16_t *event_type,
1149 libcerror_error_t **error )
1150 {
1151 static char *function = "libevt_event_record_get_event_type";
1152
1153 if( event_record == NULL )
1154 {
1155 libcerror_error_set(
1156 error,
1157 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1158 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1159 "%s: invalid event record.",
1160 function );
1161
1162 return( -1 );
1163 }
1164 if( event_type == NULL )
1165 {
1166 libcerror_error_set(
1167 error,
1168 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1169 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1170 "%s: invalid event type.",
1171 function );
1172
1173 return( -1 );
1174 }
1175 *event_type = event_record->event_type;
1176
1177 return( 1 );
1178 }
1179
1180 /* Retrieves the event category
1181 * Returns 1 if successful or -1 on error
1182 */
libevt_event_record_get_event_category(libevt_event_record_t * event_record,uint16_t * event_category,libcerror_error_t ** error)1183 int libevt_event_record_get_event_category(
1184 libevt_event_record_t *event_record,
1185 uint16_t *event_category,
1186 libcerror_error_t **error )
1187 {
1188 static char *function = "libevt_event_record_get_event_category";
1189
1190 if( event_record == NULL )
1191 {
1192 libcerror_error_set(
1193 error,
1194 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1195 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1196 "%s: invalid event record.",
1197 function );
1198
1199 return( -1 );
1200 }
1201 if( event_category == NULL )
1202 {
1203 libcerror_error_set(
1204 error,
1205 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1206 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1207 "%s: invalid event category.",
1208 function );
1209
1210 return( -1 );
1211 }
1212 *event_category = event_record->event_category;
1213
1214 return( 1 );
1215 }
1216
1217 /* Retrieves the size of the UTF-8 encoded source name
1218 * The returned size includes the end of string character
1219 * Returns 1 if successful or -1 on error
1220 */
libevt_event_record_get_utf8_source_name_size(libevt_event_record_t * event_record,size_t * utf8_string_size,libcerror_error_t ** error)1221 int libevt_event_record_get_utf8_source_name_size(
1222 libevt_event_record_t *event_record,
1223 size_t *utf8_string_size,
1224 libcerror_error_t **error )
1225 {
1226 static char *function = "libevt_event_record_get_utf8_source_name_size";
1227
1228 if( event_record == NULL )
1229 {
1230 libcerror_error_set(
1231 error,
1232 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1233 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1234 "%s: invalid event record.",
1235 function );
1236
1237 return( -1 );
1238 }
1239 if( event_record->source_name == NULL )
1240 {
1241 if( utf8_string_size == NULL )
1242 {
1243 libcerror_error_set(
1244 error,
1245 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1246 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1247 "%s: invalid UTF-8 string size.",
1248 function );
1249
1250 return( -1 );
1251 }
1252 *utf8_string_size = 0;
1253 }
1254 else
1255 {
1256 if( libuna_utf8_string_size_from_utf16_stream(
1257 event_record->source_name,
1258 event_record->source_name_size,
1259 LIBUNA_ENDIAN_LITTLE,
1260 utf8_string_size,
1261 error ) != 1 )
1262 {
1263 libcerror_error_set(
1264 error,
1265 LIBCERROR_ERROR_DOMAIN_RUNTIME,
1266 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
1267 "%s: unable to determine size of UTF-8 string.",
1268 function );
1269
1270 return( -1 );
1271 }
1272 }
1273 return( 1 );
1274 }
1275
1276 /* Retrieves the UTF-8 encoded source name
1277 * The size should include the end of string character
1278 * Returns 1 if successful or -1 on error
1279 */
libevt_event_record_get_utf8_source_name(libevt_event_record_t * event_record,uint8_t * utf8_string,size_t utf8_string_size,libcerror_error_t ** error)1280 int libevt_event_record_get_utf8_source_name(
1281 libevt_event_record_t *event_record,
1282 uint8_t *utf8_string,
1283 size_t utf8_string_size,
1284 libcerror_error_t **error )
1285 {
1286 static char *function = "libevt_event_record_get_utf8_source_name";
1287
1288 if( event_record == NULL )
1289 {
1290 libcerror_error_set(
1291 error,
1292 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1293 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1294 "%s: invalid event record.",
1295 function );
1296
1297 return( -1 );
1298 }
1299 if( libuna_utf8_string_copy_from_utf16_stream(
1300 (libuna_utf8_character_t *) utf8_string,
1301 utf8_string_size,
1302 event_record->source_name,
1303 event_record->source_name_size,
1304 LIBUNA_ENDIAN_LITTLE,
1305 error ) != 1 )
1306 {
1307 libcerror_error_set(
1308 error,
1309 LIBCERROR_ERROR_DOMAIN_RUNTIME,
1310 LIBCERROR_RUNTIME_ERROR_SET_FAILED,
1311 "%s: unable to set UTF-8 string.",
1312 function );
1313
1314 return( -1 );
1315 }
1316 return( 1 );
1317 }
1318
1319 /* Retrieves the size of the UTF-16 encoded source name
1320 * The returned size includes the end of string character
1321 * Returns 1 if successful or -1 on error
1322 */
libevt_event_record_get_utf16_source_name_size(libevt_event_record_t * event_record,size_t * utf16_string_size,libcerror_error_t ** error)1323 int libevt_event_record_get_utf16_source_name_size(
1324 libevt_event_record_t *event_record,
1325 size_t *utf16_string_size,
1326 libcerror_error_t **error )
1327 {
1328 static char *function = "libevt_event_record_get_utf16_source_name_size";
1329
1330 if( event_record == NULL )
1331 {
1332 libcerror_error_set(
1333 error,
1334 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1335 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1336 "%s: invalid event record.",
1337 function );
1338
1339 return( -1 );
1340 }
1341 if( event_record->source_name == NULL )
1342 {
1343 if( utf16_string_size == NULL )
1344 {
1345 libcerror_error_set(
1346 error,
1347 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1348 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1349 "%s: invalid UTF-16 string size.",
1350 function );
1351
1352 return( -1 );
1353 }
1354 *utf16_string_size = 0;
1355 }
1356 else
1357 {
1358 if( libuna_utf16_string_size_from_utf16_stream(
1359 event_record->source_name,
1360 event_record->source_name_size,
1361 LIBUNA_ENDIAN_LITTLE,
1362 utf16_string_size,
1363 error ) != 1 )
1364 {
1365 libcerror_error_set(
1366 error,
1367 LIBCERROR_ERROR_DOMAIN_RUNTIME,
1368 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
1369 "%s: unable to determine size of UTF-16 string.",
1370 function );
1371
1372 return( -1 );
1373 }
1374 }
1375 return( 1 );
1376 }
1377
1378 /* Retrieves the UTF-16 encoded source name
1379 * The size should include the end of string character
1380 * Returns 1 if successful or -1 on error
1381 */
libevt_event_record_get_utf16_source_name(libevt_event_record_t * event_record,uint16_t * utf16_string,size_t utf16_string_size,libcerror_error_t ** error)1382 int libevt_event_record_get_utf16_source_name(
1383 libevt_event_record_t *event_record,
1384 uint16_t *utf16_string,
1385 size_t utf16_string_size,
1386 libcerror_error_t **error )
1387 {
1388 static char *function = "libevt_event_record_get_utf16_source_name";
1389
1390 if( event_record == NULL )
1391 {
1392 libcerror_error_set(
1393 error,
1394 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1395 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1396 "%s: invalid event record.",
1397 function );
1398
1399 return( -1 );
1400 }
1401 if( libuna_utf16_string_copy_from_utf16_stream(
1402 (libuna_utf16_character_t *) utf16_string,
1403 utf16_string_size,
1404 event_record->source_name,
1405 event_record->source_name_size,
1406 LIBUNA_ENDIAN_LITTLE,
1407 error ) != 1 )
1408 {
1409 libcerror_error_set(
1410 error,
1411 LIBCERROR_ERROR_DOMAIN_RUNTIME,
1412 LIBCERROR_RUNTIME_ERROR_SET_FAILED,
1413 "%s: unable to set UTF-16 string.",
1414 function );
1415
1416 return( -1 );
1417 }
1418 return( 1 );
1419 }
1420
1421 /* Retrieves the size of the UTF-8 encoded computer name
1422 * The returned size includes the end of string character
1423 * Returns 1 if successful or -1 on error
1424 */
libevt_event_record_get_utf8_computer_name_size(libevt_event_record_t * event_record,size_t * utf8_string_size,libcerror_error_t ** error)1425 int libevt_event_record_get_utf8_computer_name_size(
1426 libevt_event_record_t *event_record,
1427 size_t *utf8_string_size,
1428 libcerror_error_t **error )
1429 {
1430 static char *function = "libevt_event_record_get_utf8_computer_name_size";
1431
1432 if( event_record == NULL )
1433 {
1434 libcerror_error_set(
1435 error,
1436 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1437 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1438 "%s: invalid event record.",
1439 function );
1440
1441 return( -1 );
1442 }
1443 if( event_record->computer_name == NULL )
1444 {
1445 if( utf8_string_size == NULL )
1446 {
1447 libcerror_error_set(
1448 error,
1449 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1450 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1451 "%s: invalid UTF-8 string size.",
1452 function );
1453
1454 return( -1 );
1455 }
1456 *utf8_string_size = 0;
1457 }
1458 else
1459 {
1460 if( libuna_utf8_string_size_from_utf16_stream(
1461 event_record->computer_name,
1462 event_record->computer_name_size,
1463 LIBUNA_ENDIAN_LITTLE,
1464 utf8_string_size,
1465 error ) != 1 )
1466 {
1467 libcerror_error_set(
1468 error,
1469 LIBCERROR_ERROR_DOMAIN_RUNTIME,
1470 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
1471 "%s: unable to determine size of UTF-8 string.",
1472 function );
1473
1474 return( -1 );
1475 }
1476 }
1477 return( 1 );
1478 }
1479
1480 /* Retrieves the UTF-8 encoded computer name
1481 * The size should include the end of string character
1482 * Returns 1 if successful or -1 on error
1483 */
libevt_event_record_get_utf8_computer_name(libevt_event_record_t * event_record,uint8_t * utf8_string,size_t utf8_string_size,libcerror_error_t ** error)1484 int libevt_event_record_get_utf8_computer_name(
1485 libevt_event_record_t *event_record,
1486 uint8_t *utf8_string,
1487 size_t utf8_string_size,
1488 libcerror_error_t **error )
1489 {
1490 static char *function = "libevt_event_record_get_utf8_computer_name";
1491
1492 if( event_record == NULL )
1493 {
1494 libcerror_error_set(
1495 error,
1496 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1497 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1498 "%s: invalid event record.",
1499 function );
1500
1501 return( -1 );
1502 }
1503 if( libuna_utf8_string_copy_from_utf16_stream(
1504 (libuna_utf8_character_t *) utf8_string,
1505 utf8_string_size,
1506 event_record->computer_name,
1507 event_record->computer_name_size,
1508 LIBUNA_ENDIAN_LITTLE,
1509 error ) != 1 )
1510 {
1511 libcerror_error_set(
1512 error,
1513 LIBCERROR_ERROR_DOMAIN_RUNTIME,
1514 LIBCERROR_RUNTIME_ERROR_SET_FAILED,
1515 "%s: unable to set UTF-8 string.",
1516 function );
1517
1518 return( -1 );
1519 }
1520 return( 1 );
1521 }
1522
1523 /* Retrieves the size of the UTF-16 encoded computer name
1524 * The returned size includes the end of string character
1525 * Returns 1 if successful or -1 on error
1526 */
libevt_event_record_get_utf16_computer_name_size(libevt_event_record_t * event_record,size_t * utf16_string_size,libcerror_error_t ** error)1527 int libevt_event_record_get_utf16_computer_name_size(
1528 libevt_event_record_t *event_record,
1529 size_t *utf16_string_size,
1530 libcerror_error_t **error )
1531 {
1532 static char *function = "libevt_event_record_get_utf16_computer_name_size";
1533
1534 if( event_record == NULL )
1535 {
1536 libcerror_error_set(
1537 error,
1538 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1539 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1540 "%s: invalid event record.",
1541 function );
1542
1543 return( -1 );
1544 }
1545 if( event_record->computer_name == NULL )
1546 {
1547 if( utf16_string_size == NULL )
1548 {
1549 libcerror_error_set(
1550 error,
1551 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1552 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1553 "%s: invalid UTF-16 string size.",
1554 function );
1555
1556 return( -1 );
1557 }
1558 *utf16_string_size = 0;
1559 }
1560 else
1561 {
1562 if( libuna_utf16_string_size_from_utf16_stream(
1563 event_record->computer_name,
1564 event_record->computer_name_size,
1565 LIBUNA_ENDIAN_LITTLE,
1566 utf16_string_size,
1567 error ) != 1 )
1568 {
1569 libcerror_error_set(
1570 error,
1571 LIBCERROR_ERROR_DOMAIN_RUNTIME,
1572 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
1573 "%s: unable to determine size of UTF-16 string.",
1574 function );
1575
1576 return( -1 );
1577 }
1578 }
1579 return( 1 );
1580 }
1581
1582 /* Retrieves the UTF-16 encoded computer name
1583 * The size should include the end of string character
1584 * Returns 1 if successful or -1 on error
1585 */
libevt_event_record_get_utf16_computer_name(libevt_event_record_t * event_record,uint16_t * utf16_string,size_t utf16_string_size,libcerror_error_t ** error)1586 int libevt_event_record_get_utf16_computer_name(
1587 libevt_event_record_t *event_record,
1588 uint16_t *utf16_string,
1589 size_t utf16_string_size,
1590 libcerror_error_t **error )
1591 {
1592 static char *function = "libevt_event_record_get_utf16_computer_name";
1593
1594 if( event_record == NULL )
1595 {
1596 libcerror_error_set(
1597 error,
1598 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1599 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1600 "%s: invalid event record.",
1601 function );
1602
1603 return( -1 );
1604 }
1605 if( libuna_utf16_string_copy_from_utf16_stream(
1606 (libuna_utf16_character_t *) utf16_string,
1607 utf16_string_size,
1608 event_record->computer_name,
1609 event_record->computer_name_size,
1610 LIBUNA_ENDIAN_LITTLE,
1611 error ) != 1 )
1612 {
1613 libcerror_error_set(
1614 error,
1615 LIBCERROR_ERROR_DOMAIN_RUNTIME,
1616 LIBCERROR_RUNTIME_ERROR_SET_FAILED,
1617 "%s: unable to set UTF-16 string.",
1618 function );
1619
1620 return( -1 );
1621 }
1622 return( 1 );
1623 }
1624
1625 /* Retrieves the size of the UTF-8 encoded user security identifier
1626 * The returned size includes the end of string character
1627 * Returns 1 if successful, 0 if not available or -1 on error
1628 */
libevt_event_record_get_utf8_user_security_identifier_size(libevt_event_record_t * event_record,size_t * utf8_string_size,libcerror_error_t ** error)1629 int libevt_event_record_get_utf8_user_security_identifier_size(
1630 libevt_event_record_t *event_record,
1631 size_t *utf8_string_size,
1632 libcerror_error_t **error )
1633 {
1634 static char *function = "libevt_event_record_get_utf8_user_security_identifier_size";
1635
1636 if( event_record == NULL )
1637 {
1638 libcerror_error_set(
1639 error,
1640 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1641 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1642 "%s: invalid event record.",
1643 function );
1644
1645 return( -1 );
1646 }
1647 if( event_record->user_security_identifier == NULL )
1648 {
1649 return( 0 );
1650 }
1651 if( libfwnt_security_identifier_get_string_size(
1652 event_record->user_security_identifier,
1653 utf8_string_size,
1654 0,
1655 error ) != 1 )
1656 {
1657 libcerror_error_set(
1658 error,
1659 LIBCERROR_ERROR_DOMAIN_RUNTIME,
1660 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
1661 "%s: unable to determine size of UTF-8 string.",
1662 function );
1663
1664 return( -1 );
1665 }
1666 return( 1 );
1667 }
1668
1669 /* Retrieves the UTF-8 encoded user security identifier
1670 * The size should include the end of string character
1671 * Returns 1 if successful, 0 if not available or -1 on error
1672 */
libevt_event_record_get_utf8_user_security_identifier(libevt_event_record_t * event_record,uint8_t * utf8_string,size_t utf8_string_size,libcerror_error_t ** error)1673 int libevt_event_record_get_utf8_user_security_identifier(
1674 libevt_event_record_t *event_record,
1675 uint8_t *utf8_string,
1676 size_t utf8_string_size,
1677 libcerror_error_t **error )
1678 {
1679 static char *function = "libevt_event_record_get_utf8_user_security_identifier";
1680
1681 if( event_record == NULL )
1682 {
1683 libcerror_error_set(
1684 error,
1685 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1686 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1687 "%s: invalid event record.",
1688 function );
1689
1690 return( -1 );
1691 }
1692 if( event_record->user_security_identifier == NULL )
1693 {
1694 return( 0 );
1695 }
1696 if( libfwnt_security_identifier_copy_to_utf8_string(
1697 event_record->user_security_identifier,
1698 utf8_string,
1699 utf8_string_size,
1700 0,
1701 error ) != 1 )
1702 {
1703 libcerror_error_set(
1704 error,
1705 LIBCERROR_ERROR_DOMAIN_RUNTIME,
1706 LIBCERROR_RUNTIME_ERROR_SET_FAILED,
1707 "%s: unable to set UTF-8 string.",
1708 function );
1709
1710 return( -1 );
1711 }
1712 return( 1 );
1713 }
1714
1715 /* Retrieves the size of the UTF-16 encoded user security identifier
1716 * The returned size includes the end of string character
1717 * Returns 1 if successful, 0 if not available or -1 on error
1718 */
libevt_event_record_get_utf16_user_security_identifier_size(libevt_event_record_t * event_record,size_t * utf16_string_size,libcerror_error_t ** error)1719 int libevt_event_record_get_utf16_user_security_identifier_size(
1720 libevt_event_record_t *event_record,
1721 size_t *utf16_string_size,
1722 libcerror_error_t **error )
1723 {
1724 static char *function = "libevt_event_record_get_utf16_user_security_identifier_size";
1725
1726 if( event_record == NULL )
1727 {
1728 libcerror_error_set(
1729 error,
1730 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1731 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1732 "%s: invalid event record.",
1733 function );
1734
1735 return( -1 );
1736 }
1737 if( event_record->user_security_identifier == NULL )
1738 {
1739 return( 0 );
1740 }
1741 if( libfwnt_security_identifier_get_string_size(
1742 event_record->user_security_identifier,
1743 utf16_string_size,
1744 0,
1745 error ) != 1 )
1746 {
1747 libcerror_error_set(
1748 error,
1749 LIBCERROR_ERROR_DOMAIN_RUNTIME,
1750 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
1751 "%s: unable to determine size of UTF-16 string.",
1752 function );
1753
1754 return( -1 );
1755 }
1756 return( 1 );
1757 }
1758
1759 /* Retrieves the UTF-16 encoded user security identifier
1760 * The size should include the end of string character
1761 * Returns 1 if successful, 0 if not available or -1 on error
1762 */
libevt_event_record_get_utf16_user_security_identifier(libevt_event_record_t * event_record,uint16_t * utf16_string,size_t utf16_string_size,libcerror_error_t ** error)1763 int libevt_event_record_get_utf16_user_security_identifier(
1764 libevt_event_record_t *event_record,
1765 uint16_t *utf16_string,
1766 size_t utf16_string_size,
1767 libcerror_error_t **error )
1768 {
1769 static char *function = "libevt_event_record_get_utf16_user_security_identifier";
1770
1771 if( event_record == NULL )
1772 {
1773 libcerror_error_set(
1774 error,
1775 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1776 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1777 "%s: invalid event record.",
1778 function );
1779
1780 return( -1 );
1781 }
1782 if( event_record->user_security_identifier == NULL )
1783 {
1784 return( 0 );
1785 }
1786 if( libfwnt_security_identifier_copy_to_utf16_string(
1787 event_record->user_security_identifier,
1788 utf16_string,
1789 utf16_string_size,
1790 0,
1791 error ) != 1 )
1792 {
1793 libcerror_error_set(
1794 error,
1795 LIBCERROR_ERROR_DOMAIN_RUNTIME,
1796 LIBCERROR_RUNTIME_ERROR_SET_FAILED,
1797 "%s: unable to set UTF-16 string.",
1798 function );
1799
1800 return( -1 );
1801 }
1802 return( 1 );
1803 }
1804
1805 /* Retrieves the number of strings
1806 * Returns 1 if successful or -1 on error
1807 */
libevt_event_record_get_number_of_strings(libevt_event_record_t * event_record,int * number_of_strings,libcerror_error_t ** error)1808 int libevt_event_record_get_number_of_strings(
1809 libevt_event_record_t *event_record,
1810 int *number_of_strings,
1811 libcerror_error_t **error )
1812 {
1813 static char *function = "libevt_event_record_get_number_of_strings";
1814
1815 if( event_record == NULL )
1816 {
1817 libcerror_error_set(
1818 error,
1819 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1820 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1821 "%s: invalid record values.",
1822 function );
1823
1824 return( -1 );
1825 }
1826 if( event_record->strings == NULL )
1827 {
1828 if( number_of_strings == NULL )
1829 {
1830 libcerror_error_set(
1831 error,
1832 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1833 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1834 "%s: invalid number of strings.",
1835 function );
1836
1837 return( -1 );
1838 }
1839 *number_of_strings = 0;
1840 }
1841 else
1842 {
1843 if( libevt_strings_array_get_number_of_strings(
1844 event_record->strings,
1845 number_of_strings,
1846 error ) != 1 )
1847 {
1848 libcerror_error_set(
1849 error,
1850 LIBCERROR_ERROR_DOMAIN_RUNTIME,
1851 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
1852 "%s: unable to retrieve number of strings.",
1853 function );
1854
1855 return( -1 );
1856 }
1857 }
1858 return( 1 );
1859 }
1860
1861 /* Retrieves the size of a specific UTF-8 encoded string
1862 * The returned size includes the end of string character
1863 * Returns 1 if successful or -1 on error
1864 */
libevt_event_record_get_utf8_string_size(libevt_event_record_t * event_record,int string_index,size_t * utf8_string_size,libcerror_error_t ** error)1865 int libevt_event_record_get_utf8_string_size(
1866 libevt_event_record_t *event_record,
1867 int string_index,
1868 size_t *utf8_string_size,
1869 libcerror_error_t **error )
1870 {
1871 static char *function = "libevt_event_record_get_utf8_string_size";
1872
1873 if( event_record == NULL )
1874 {
1875 libcerror_error_set(
1876 error,
1877 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1878 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1879 "%s: invalid record values.",
1880 function );
1881
1882 return( -1 );
1883 }
1884 if( libevt_strings_array_get_utf8_string_size(
1885 event_record->strings,
1886 string_index,
1887 utf8_string_size,
1888 error ) != 1 )
1889 {
1890 libcerror_error_set(
1891 error,
1892 LIBCERROR_ERROR_DOMAIN_RUNTIME,
1893 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
1894 "%s: unable to retrieve UTF-8 string size of strings value entry: %d.",
1895 function,
1896 string_index );
1897
1898 return( -1 );
1899 }
1900 return( 1 );
1901 }
1902
1903 /* Retrieves a specific UTF-8 encoded string
1904 * The size should include the end of string character
1905 * Returns 1 if successful or -1 on error
1906 */
libevt_event_record_get_utf8_string(libevt_event_record_t * event_record,int string_index,uint8_t * utf8_string,size_t utf8_string_size,libcerror_error_t ** error)1907 int libevt_event_record_get_utf8_string(
1908 libevt_event_record_t *event_record,
1909 int string_index,
1910 uint8_t *utf8_string,
1911 size_t utf8_string_size,
1912 libcerror_error_t **error )
1913 {
1914 static char *function = "libevt_values_record_get_utf8_string";
1915
1916 if( event_record == NULL )
1917 {
1918 libcerror_error_set(
1919 error,
1920 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1921 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1922 "%s: invalid record values.",
1923 function );
1924
1925 return( -1 );
1926 }
1927 if( libevt_strings_array_get_utf8_string(
1928 event_record->strings,
1929 string_index,
1930 utf8_string,
1931 utf8_string_size,
1932 error ) != 1 )
1933 {
1934 libcerror_error_set(
1935 error,
1936 LIBCERROR_ERROR_DOMAIN_RUNTIME,
1937 LIBCERROR_RUNTIME_ERROR_COPY_FAILED,
1938 "%s: unable to copy strings value entry: %d to UTF-8 string.",
1939 function,
1940 string_index );
1941
1942 return( -1 );
1943 }
1944 return( 1 );
1945 }
1946
1947 /* Retrieves the size of a specific UTF-16 encoded string
1948 * The returned size includes the end of string character
1949 * Returns 1 if successful or -1 on error
1950 */
libevt_event_record_get_utf16_string_size(libevt_event_record_t * event_record,int string_index,size_t * utf16_string_size,libcerror_error_t ** error)1951 int libevt_event_record_get_utf16_string_size(
1952 libevt_event_record_t *event_record,
1953 int string_index,
1954 size_t *utf16_string_size,
1955 libcerror_error_t **error )
1956 {
1957 static char *function = "libevt_event_record_get_utf16_string_size";
1958
1959 if( event_record == NULL )
1960 {
1961 libcerror_error_set(
1962 error,
1963 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1964 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1965 "%s: invalid record values.",
1966 function );
1967
1968 return( -1 );
1969 }
1970 if( libevt_strings_array_get_utf16_string_size(
1971 event_record->strings,
1972 string_index,
1973 utf16_string_size,
1974 error ) != 1 )
1975 {
1976 libcerror_error_set(
1977 error,
1978 LIBCERROR_ERROR_DOMAIN_RUNTIME,
1979 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
1980 "%s: unable to retrieve UTF-16 string size of strings value entry: %d.",
1981 function,
1982 string_index );
1983
1984 return( -1 );
1985 }
1986 return( 1 );
1987 }
1988
1989 /* Retrieves a specific UTF-16 encoded string
1990 * The size should include the end of string character
1991 * Returns 1 if successful or -1 on error
1992 */
libevt_event_record_get_utf16_string(libevt_event_record_t * event_record,int string_index,uint16_t * utf16_string,size_t utf16_string_size,libcerror_error_t ** error)1993 int libevt_event_record_get_utf16_string(
1994 libevt_event_record_t *event_record,
1995 int string_index,
1996 uint16_t *utf16_string,
1997 size_t utf16_string_size,
1998 libcerror_error_t **error )
1999 {
2000 static char *function = "libevt_values_record_get_utf16_string";
2001
2002 if( event_record == NULL )
2003 {
2004 libcerror_error_set(
2005 error,
2006 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
2007 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
2008 "%s: invalid record values.",
2009 function );
2010
2011 return( -1 );
2012 }
2013 if( libevt_strings_array_get_utf16_string(
2014 event_record->strings,
2015 string_index,
2016 utf16_string,
2017 utf16_string_size,
2018 error ) != 1 )
2019 {
2020 libcerror_error_set(
2021 error,
2022 LIBCERROR_ERROR_DOMAIN_RUNTIME,
2023 LIBCERROR_RUNTIME_ERROR_COPY_FAILED,
2024 "%s: unable to copy strings value entry: %d to UTF-16 string.",
2025 function,
2026 string_index );
2027
2028 return( -1 );
2029 }
2030 return( 1 );
2031 }
2032
2033 /* Retrieves the size of the data
2034 * Returns 1 if successful, 0 if not available or -1 on error
2035 */
libevt_event_record_get_data_size(libevt_event_record_t * event_record,size_t * data_size,libcerror_error_t ** error)2036 int libevt_event_record_get_data_size(
2037 libevt_event_record_t *event_record,
2038 size_t *data_size,
2039 libcerror_error_t **error )
2040 {
2041 static char *function = "libevt_event_record_get_data_size";
2042
2043 if( event_record == NULL )
2044 {
2045 libcerror_error_set(
2046 error,
2047 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
2048 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
2049 "%s: invalid record values.",
2050 function );
2051
2052 return( -1 );
2053 }
2054 if( data_size == NULL )
2055 {
2056 libcerror_error_set(
2057 error,
2058 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
2059 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
2060 "%s: invalid data size.",
2061 function );
2062
2063 return( -1 );
2064 }
2065 if( event_record->data == NULL )
2066 {
2067 return( 0 );
2068 }
2069 *data_size = event_record->data_size;
2070
2071 return( 1 );
2072 }
2073
2074 /* Retrieves the data
2075 * Returns 1 if successful, 0 if not available or -1 on error
2076 */
libevt_event_record_get_data(libevt_event_record_t * event_record,uint8_t * data,size_t data_size,libcerror_error_t ** error)2077 int libevt_event_record_get_data(
2078 libevt_event_record_t *event_record,
2079 uint8_t *data,
2080 size_t data_size,
2081 libcerror_error_t **error )
2082 {
2083 static char *function = "libevt_event_record_get_data";
2084
2085 if( event_record == NULL )
2086 {
2087 libcerror_error_set(
2088 error,
2089 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
2090 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
2091 "%s: invalid record values.",
2092 function );
2093
2094 return( -1 );
2095 }
2096 if( data == NULL )
2097 {
2098 libcerror_error_set(
2099 error,
2100 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
2101 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
2102 "%s: invalid data.",
2103 function );
2104
2105 return( -1 );
2106 }
2107 if( data_size > (size_t) SSIZE_MAX )
2108 {
2109 libcerror_error_set(
2110 error,
2111 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
2112 LIBCERROR_ARGUMENT_ERROR_VALUE_EXCEEDS_MAXIMUM,
2113 "%s: invalid data size value exceeds maximum.",
2114 function );
2115
2116 return( -1 );
2117 }
2118 if( event_record->data == NULL )
2119 {
2120 return( 0 );
2121 }
2122 if( data_size < event_record->data_size )
2123 {
2124 libcerror_error_set(
2125 error,
2126 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
2127 LIBCERROR_ARGUMENT_ERROR_VALUE_TOO_SMALL,
2128 "%s: invalid data size value too small.",
2129 function );
2130
2131 return( -1 );
2132 }
2133 if( memory_copy(
2134 data,
2135 event_record->data,
2136 event_record->data_size ) == NULL )
2137 {
2138 libcerror_error_set(
2139 error,
2140 LIBCERROR_ERROR_DOMAIN_MEMORY,
2141 LIBCERROR_MEMORY_ERROR_COPY_FAILED,
2142 "%s: unable to copy data.",
2143 function );
2144
2145 return( -1 );
2146 }
2147 return( 1 );
2148 }
2149
2150