1 /*
2 * Record values functions
3 *
4 * Copyright (C) 2011-2021, Joachim Metz <joachim.metz@gmail.com>
5 *
6 * Refer to AUTHORS for acknowledgements.
7 *
8 * This program is free software: you can redistribute it and/or modify
9 * it under the terms of the GNU Lesser General Public License as published by
10 * the Free Software Foundation, either version 3 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <https://www.gnu.org/licenses/>.
20 */
21
22 #include <common.h>
23 #include <byte_stream.h>
24 #include <memory.h>
25 #include <system_string.h>
26 #include <types.h>
27
28 #include "libevt_debug.h"
29 #include "libevt_end_of_file_record.h"
30 #include "libevt_event_record.h"
31 #include "libevt_io_handle.h"
32 #include "libevt_libbfio.h"
33 #include "libevt_libcerror.h"
34 #include "libevt_libcnotify.h"
35 #include "libevt_libfdatetime.h"
36 #include "libevt_libfwnt.h"
37 #include "libevt_record_values.h"
38 #include "libevt_unused.h"
39
40 #include "evt_file_header.h"
41 #include "evt_record.h"
42
43 /* Creates record values
44 * Make sure the value record_values is referencing, is set to NULL
45 * Returns 1 if successful or -1 on error
46 */
libevt_record_values_initialize(libevt_record_values_t ** record_values,libcerror_error_t ** error)47 int libevt_record_values_initialize(
48 libevt_record_values_t **record_values,
49 libcerror_error_t **error )
50 {
51 static char *function = "libevt_record_values_initialize";
52
53 if( record_values == NULL )
54 {
55 libcerror_error_set(
56 error,
57 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
58 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
59 "%s: invalid record values.",
60 function );
61
62 return( -1 );
63 }
64 if( *record_values != NULL )
65 {
66 libcerror_error_set(
67 error,
68 LIBCERROR_ERROR_DOMAIN_RUNTIME,
69 LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET,
70 "%s: invalid record values value already set.",
71 function );
72
73 return( -1 );
74 }
75 *record_values = memory_allocate_structure(
76 libevt_record_values_t );
77
78 if( *record_values == NULL )
79 {
80 libcerror_error_set(
81 error,
82 LIBCERROR_ERROR_DOMAIN_MEMORY,
83 LIBCERROR_MEMORY_ERROR_INSUFFICIENT,
84 "%s: unable to create record values.",
85 function );
86
87 goto on_error;
88 }
89 if( memory_set(
90 *record_values,
91 0,
92 sizeof( libevt_record_values_t ) ) == NULL )
93 {
94 libcerror_error_set(
95 error,
96 LIBCERROR_ERROR_DOMAIN_MEMORY,
97 LIBCERROR_MEMORY_ERROR_SET_FAILED,
98 "%s: unable to clear record values.",
99 function );
100
101 goto on_error;
102 }
103 return( 1 );
104
105 on_error:
106 if( *record_values != NULL )
107 {
108 memory_free(
109 *record_values );
110
111 *record_values = NULL;
112 }
113 return( -1 );
114 }
115
116 /* Frees record values
117 * Returns 1 if successful or -1 on error
118 */
libevt_record_values_free(libevt_record_values_t ** record_values,libcerror_error_t ** error)119 int libevt_record_values_free(
120 libevt_record_values_t **record_values,
121 libcerror_error_t **error )
122 {
123 static char *function = "libevt_record_values_free";
124 int result = 1;
125
126 if( record_values == NULL )
127 {
128 libcerror_error_set(
129 error,
130 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
131 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
132 "%s: invalid record values.",
133 function );
134
135 return( -1 );
136 }
137 if( *record_values != NULL )
138 {
139 if( ( *record_values )->event_record != NULL )
140 {
141 if( libevt_event_record_free(
142 &( ( *record_values )->event_record ),
143 error ) != 1 )
144 {
145 libcerror_error_set(
146 error,
147 LIBCERROR_ERROR_DOMAIN_RUNTIME,
148 LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
149 "%s: unable to free event record.",
150 function );
151
152 result = -1;
153 }
154 }
155 memory_free(
156 *record_values );
157
158 *record_values = NULL;
159 }
160 return( result );
161 }
162
163 /* Reads a record_values
164 * Returns the number of bytes read if successful or -1 on error
165 */
libevt_record_values_read_file_io_handle(libevt_record_values_t * record_values,libbfio_handle_t * file_io_handle,libevt_io_handle_t * io_handle,off64_t * file_offset,uint8_t * has_wrapped,uint8_t strict_mode,libcerror_error_t ** error)166 ssize_t libevt_record_values_read_file_io_handle(
167 libevt_record_values_t *record_values,
168 libbfio_handle_t *file_io_handle,
169 libevt_io_handle_t *io_handle,
170 off64_t *file_offset,
171 uint8_t *has_wrapped,
172 uint8_t strict_mode,
173 libcerror_error_t **error )
174 {
175 uint8_t record_size_data[ 4 ];
176
177 libevt_end_of_file_record_t *end_of_file_record = NULL;
178 uint8_t *record_data = NULL;
179 static char *function = "libevt_record_values_read_file_io_handle";
180 size_t read_size = 0;
181 size_t record_data_offset = 0;
182 ssize_t read_count = 0;
183 ssize_t total_read_count = 0;
184 off64_t safe_file_offset = 0;
185 uint32_t record_data_size = 0;
186
187 if( record_values == NULL )
188 {
189 libcerror_error_set(
190 error,
191 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
192 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
193 "%s: invalid record values.",
194 function );
195
196 return( -1 );
197 }
198 if( io_handle == NULL )
199 {
200 libcerror_error_set(
201 error,
202 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
203 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
204 "%s: invalid IO handle.",
205 function );
206
207 return( -1 );
208 }
209 if( file_offset == NULL )
210 {
211 libcerror_error_set(
212 error,
213 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
214 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
215 "%s: invalid file offset.",
216 function );
217
218 return( -1 );
219 }
220 if( has_wrapped == NULL )
221 {
222 libcerror_error_set(
223 error,
224 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
225 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
226 "%s: invalid has wrapped.",
227 function );
228
229 return( -1 );
230 }
231 safe_file_offset = *file_offset;
232
233 read_count = libbfio_handle_read_buffer_at_offset(
234 file_io_handle,
235 record_size_data,
236 sizeof( uint32_t ),
237 safe_file_offset,
238 error );
239
240 if( read_count != (ssize_t) sizeof( uint32_t ) )
241 {
242 libcerror_error_set(
243 error,
244 LIBCERROR_ERROR_DOMAIN_IO,
245 LIBCERROR_IO_ERROR_READ_FAILED,
246 "%s: unable to read record size data at offset: %" PRIi64 " (0x%08" PRIx64 ").",
247 function,
248 safe_file_offset,
249 safe_file_offset );
250
251 goto on_error;
252 }
253 record_values->offset = safe_file_offset;
254
255 safe_file_offset += read_count;
256 total_read_count = read_count;
257
258 byte_stream_copy_to_uint32_little_endian(
259 record_size_data,
260 record_data_size );
261
262 if( ( record_data_size < 8 )
263 || ( record_data_size > (uint32_t) MEMORY_MAXIMUM_ALLOCATION_SIZE ) )
264 {
265 libcerror_error_set(
266 error,
267 LIBCERROR_ERROR_DOMAIN_RUNTIME,
268 LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS,
269 "%s: record data size value out of bounds.",
270 function );
271
272 goto on_error;
273 }
274 /* Allocating record data as 4 bytes and then using realloc here
275 * corrupts the memory
276 */
277 record_data = (uint8_t *) memory_allocate(
278 sizeof( uint8_t ) * record_data_size );
279
280 if( record_data == NULL )
281 {
282 libcerror_error_set(
283 error,
284 LIBCERROR_ERROR_DOMAIN_MEMORY,
285 LIBCERROR_MEMORY_ERROR_INSUFFICIENT,
286 "%s: unable to create record data.",
287 function );
288
289 goto on_error;
290 }
291 byte_stream_copy_from_uint32_little_endian(
292 record_data,
293 record_data_size );
294
295 record_data_offset = 4;
296
297 read_size = record_data_size - record_data_offset;
298
299 if( ( (size64_t) safe_file_offset > io_handle->file_size )
300 || ( read_size > ( io_handle->file_size - safe_file_offset ) ) )
301 {
302 read_size = (size_t) ( io_handle->file_size - safe_file_offset );
303 }
304 read_count = libbfio_handle_read_buffer(
305 file_io_handle,
306 &( record_data[ record_data_offset ] ),
307 read_size,
308 error );
309
310 if( read_count != (ssize_t) read_size )
311 {
312 libcerror_error_set(
313 error,
314 LIBCERROR_ERROR_DOMAIN_IO,
315 LIBCERROR_IO_ERROR_READ_FAILED,
316 "%s: unable to read record data.",
317 function );
318
319 goto on_error;
320 }
321 safe_file_offset += read_count;
322 record_data_offset += read_count;
323 total_read_count += read_count;
324
325 if( record_data_offset < (size_t) record_data_size )
326 {
327 if( *has_wrapped != 0 )
328 {
329 libcerror_error_set(
330 error,
331 LIBCERROR_ERROR_DOMAIN_RUNTIME,
332 LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS,
333 "%s: invalid IO handle - record data has already wrapped.",
334 function );
335
336 goto on_error;
337 }
338 #if defined( HAVE_DEBUG_OUTPUT )
339 if( libcnotify_verbose != 0 )
340 {
341 libcnotify_printf(
342 "%s: record data wrapped at offset: %" PRIi64 " (0x%08" PRIx64 ").\n",
343 function,
344 safe_file_offset,
345 safe_file_offset );
346 }
347 #endif
348 *has_wrapped = 1;
349
350 safe_file_offset = (off64_t) sizeof( evt_file_header_t );
351
352 read_size = (size_t) record_data_size - record_data_offset;
353
354 read_count = libbfio_handle_read_buffer_at_offset(
355 file_io_handle,
356 &( record_data[ record_data_offset ] ),
357 read_size,
358 safe_file_offset,
359 error );
360
361 if( read_count != (ssize_t) read_size )
362 {
363 libcerror_error_set(
364 error,
365 LIBCERROR_ERROR_DOMAIN_IO,
366 LIBCERROR_IO_ERROR_READ_FAILED,
367 "%s: unable to read record data at offset: %" PRIzd " (0x%08" PRIzx ").",
368 function,
369 safe_file_offset,
370 safe_file_offset );
371
372 goto on_error;
373 }
374 safe_file_offset += read_count;
375 total_read_count += read_count;
376 }
377 if( memory_compare(
378 &( record_data[ 4 ] ),
379 evt_file_signature,
380 4 ) == 0 )
381 {
382 record_values->type = LIBEVT_RECORD_TYPE_EVENT;
383 }
384 else if( memory_compare(
385 &( record_data[ 4 ] ),
386 evt_end_of_file_record_signature1,
387 4 ) == 0 )
388 {
389 record_values->type = LIBEVT_RECORD_TYPE_END_OF_FILE;
390 }
391 else
392 {
393 #if defined( HAVE_DEBUG_OUTPUT )
394 if( libcnotify_verbose != 0 )
395 {
396 libcnotify_printf(
397 "%s: record data:\n",
398 function );
399 libcnotify_print_data(
400 record_data,
401 (size_t) record_data_size,
402 LIBCNOTIFY_PRINT_DATA_FLAG_GROUP_DATA );
403 }
404 #endif
405 libcerror_error_set(
406 error,
407 LIBCERROR_ERROR_DOMAIN_RUNTIME,
408 LIBCERROR_RUNTIME_ERROR_UNSUPPORTED_VALUE,
409 "%s: unsupported record values signature.",
410 function );
411
412 goto on_error;
413 }
414 if( record_values->type == LIBEVT_RECORD_TYPE_EVENT )
415 {
416 if( libevt_record_values_read_event(
417 record_values,
418 record_data,
419 (size_t) record_data_size,
420 strict_mode,
421 error ) != 1 )
422 {
423 libcerror_error_set(
424 error,
425 LIBCERROR_ERROR_DOMAIN_IO,
426 LIBCERROR_IO_ERROR_READ_FAILED,
427 "%s: unable to read event record values.",
428 function );
429
430 goto on_error;
431 }
432 }
433 else if( record_values->type == LIBEVT_RECORD_TYPE_END_OF_FILE )
434 {
435 if( libevt_end_of_file_record_initialize(
436 &end_of_file_record,
437 error ) != 1 )
438 {
439 libcerror_error_set(
440 error,
441 LIBCERROR_ERROR_DOMAIN_RUNTIME,
442 LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
443 "%s: unable to create end-of-file record.",
444 function );
445
446 goto on_error;
447 }
448 if( libevt_end_of_file_record_read_data(
449 end_of_file_record,
450 record_data,
451 (size_t) record_data_size,
452 error ) != 1 )
453 {
454 libcerror_error_set(
455 error,
456 LIBCERROR_ERROR_DOMAIN_IO,
457 LIBCERROR_IO_ERROR_READ_FAILED,
458 "%s: unable to read end-of-file record.",
459 function );
460
461 goto on_error;
462 }
463 if( libevt_end_of_file_record_free(
464 &end_of_file_record,
465 error ) != 1 )
466 {
467 libcerror_error_set(
468 error,
469 LIBCERROR_ERROR_DOMAIN_RUNTIME,
470 LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
471 "%s: unable to free end-of-file record.",
472 function );
473
474 goto on_error;
475 }
476 }
477 memory_free(
478 record_data );
479
480 *file_offset = safe_file_offset;
481
482 return( total_read_count );
483
484 on_error:
485 if( end_of_file_record != NULL )
486 {
487 libevt_end_of_file_record_free(
488 &end_of_file_record,
489 NULL );
490 }
491 if( record_data != NULL )
492 {
493 memory_free(
494 record_data );
495 }
496 *file_offset = safe_file_offset;
497
498 return( -1 );
499 }
500
501 /* Reads the event record values
502 * Returns 1 if successful or -1 on error
503 */
libevt_record_values_read_event(libevt_record_values_t * record_values,uint8_t * record_data,size_t record_data_size,uint8_t strict_mode,libcerror_error_t ** error)504 int libevt_record_values_read_event(
505 libevt_record_values_t *record_values,
506 uint8_t *record_data,
507 size_t record_data_size,
508 uint8_t strict_mode,
509 libcerror_error_t **error )
510 {
511 libevt_event_record_t *event_record = NULL;
512 static char *function = "libevt_record_values_read_event";
513
514 if( record_values == NULL )
515 {
516 libcerror_error_set(
517 error,
518 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
519 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
520 "%s: invalid record values.",
521 function );
522
523 return( -1 );
524 }
525 if( libevt_event_record_initialize(
526 &event_record,
527 error ) != 1 )
528 {
529 libcerror_error_set(
530 error,
531 LIBCERROR_ERROR_DOMAIN_RUNTIME,
532 LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
533 "%s: unable to create event record.",
534 function );
535
536 goto on_error;
537 }
538 if( libevt_event_record_read_data(
539 event_record,
540 record_data,
541 record_data_size,
542 error ) != 1 )
543 {
544 libcerror_error_set(
545 error,
546 LIBCERROR_ERROR_DOMAIN_IO,
547 LIBCERROR_IO_ERROR_READ_FAILED,
548 "%s: unable to read event record.",
549 function );
550
551 goto on_error;
552 }
553 if( strict_mode != 0 )
554 {
555 if( event_record->record_size != event_record->copy_of_record_size )
556 {
557 libcerror_error_set(
558 error,
559 LIBCERROR_ERROR_DOMAIN_INPUT,
560 LIBCERROR_INPUT_ERROR_VALUE_MISMATCH,
561 "%s: value mismatch for record size and copy of record size.",
562 function );
563
564 goto on_error;
565 }
566 if( record_data_size != (size_t) event_record->record_size )
567 {
568 libcerror_error_set(
569 error,
570 LIBCERROR_ERROR_DOMAIN_INPUT,
571 LIBCERROR_INPUT_ERROR_VALUE_MISMATCH,
572 "%s: value mismatch for record data size and record size.",
573 function );
574
575 goto on_error;
576 }
577 }
578 record_values->event_record = event_record;
579
580 return( 1 );
581
582 on_error:
583 if( event_record != NULL )
584 {
585 libevt_event_record_free(
586 &event_record,
587 NULL );
588 }
589 return( -1 );
590 }
591
592 /* Retrieves the offset
593 * Returns 1 if successful or -1 on error
594 */
libevt_record_values_get_offset(libevt_record_values_t * record_values,off64_t * offset,libcerror_error_t ** error)595 int libevt_record_values_get_offset(
596 libevt_record_values_t *record_values,
597 off64_t *offset,
598 libcerror_error_t **error )
599 {
600 static char *function = "libevt_record_values_get_offset";
601
602 if( record_values == NULL )
603 {
604 libcerror_error_set(
605 error,
606 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
607 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
608 "%s: invalid record values.",
609 function );
610
611 return( -1 );
612 }
613 if( offset == NULL )
614 {
615 libcerror_error_set(
616 error,
617 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
618 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
619 "%s: invalid offset.",
620 function );
621
622 return( -1 );
623 }
624 *offset = record_values->offset;
625
626 return( 1 );
627 }
628
629 /* Retrieves the type
630 * Returns 1 if successful or -1 on error
631 */
libevt_record_values_get_type(libevt_record_values_t * record_values,uint8_t * type,libcerror_error_t ** error)632 int libevt_record_values_get_type(
633 libevt_record_values_t *record_values,
634 uint8_t *type,
635 libcerror_error_t **error )
636 {
637 static char *function = "libevt_record_values_get_type";
638
639 if( record_values == NULL )
640 {
641 libcerror_error_set(
642 error,
643 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
644 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
645 "%s: invalid record values.",
646 function );
647
648 return( -1 );
649 }
650 if( type == NULL )
651 {
652 libcerror_error_set(
653 error,
654 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
655 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
656 "%s: invalid type.",
657 function );
658
659 return( -1 );
660 }
661 *type = record_values->type;
662
663 return( 1 );
664 }
665
666 /* Retrieves the number
667 * Returns 1 if successful or -1 on error
668 */
libevt_record_values_get_number(libevt_record_values_t * record_values,uint32_t * number,libcerror_error_t ** error)669 int libevt_record_values_get_number(
670 libevt_record_values_t *record_values,
671 uint32_t *number,
672 libcerror_error_t **error )
673 {
674 static char *function = "libevt_record_values_get_number";
675
676 if( record_values == NULL )
677 {
678 libcerror_error_set(
679 error,
680 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
681 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
682 "%s: invalid record values.",
683 function );
684
685 return( -1 );
686 }
687 if( libevt_event_record_get_record_number(
688 record_values->event_record,
689 number,
690 error ) != 1 )
691 {
692 libcerror_error_set(
693 error,
694 LIBCERROR_ERROR_DOMAIN_RUNTIME,
695 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
696 "%s: unable to retrieve record number.",
697 function );
698
699 return( -1 );
700 }
701 return( 1 );
702 }
703
704 /* Retrieves the creation time
705 * The timestamp is a 32-bit POSIX date and time value
706 * Returns 1 if successful or -1 on error
707 */
libevt_record_values_get_creation_time(libevt_record_values_t * record_values,uint32_t * posix_time,libcerror_error_t ** error)708 int libevt_record_values_get_creation_time(
709 libevt_record_values_t *record_values,
710 uint32_t *posix_time,
711 libcerror_error_t **error )
712 {
713 static char *function = "libevt_record_values_get_creation_time";
714
715 if( record_values == NULL )
716 {
717 libcerror_error_set(
718 error,
719 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
720 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
721 "%s: invalid record values.",
722 function );
723
724 return( -1 );
725 }
726 if( libevt_event_record_get_creation_time(
727 record_values->event_record,
728 posix_time,
729 error ) != 1 )
730 {
731 libcerror_error_set(
732 error,
733 LIBCERROR_ERROR_DOMAIN_RUNTIME,
734 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
735 "%s: unable to retrieve creation time.",
736 function );
737
738 return( -1 );
739 }
740 return( 1 );
741 }
742
743 /* Retrieves the written time
744 * The timestamp is a 32-bit POSIX date and time value
745 * Returns 1 if successful or -1 on error
746 */
libevt_record_values_get_written_time(libevt_record_values_t * record_values,uint32_t * posix_time,libcerror_error_t ** error)747 int libevt_record_values_get_written_time(
748 libevt_record_values_t *record_values,
749 uint32_t *posix_time,
750 libcerror_error_t **error )
751 {
752 static char *function = "libevt_record_values_get_written_time";
753
754 if( record_values == NULL )
755 {
756 libcerror_error_set(
757 error,
758 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
759 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
760 "%s: invalid record values.",
761 function );
762
763 return( -1 );
764 }
765 if( libevt_event_record_get_last_written_time(
766 record_values->event_record,
767 posix_time,
768 error ) != 1 )
769 {
770 libcerror_error_set(
771 error,
772 LIBCERROR_ERROR_DOMAIN_RUNTIME,
773 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
774 "%s: unable to retrieve last written time.",
775 function );
776
777 return( -1 );
778 }
779 return( 1 );
780 }
781
782 /* Retrieves the event identifier
783 * Returns 1 if successful or -1 on error
784 */
libevt_record_values_get_event_identifier(libevt_record_values_t * record_values,uint32_t * event_identifier,libcerror_error_t ** error)785 int libevt_record_values_get_event_identifier(
786 libevt_record_values_t *record_values,
787 uint32_t *event_identifier,
788 libcerror_error_t **error )
789 {
790 static char *function = "libevt_record_values_get_event_identifier";
791
792 if( record_values == NULL )
793 {
794 libcerror_error_set(
795 error,
796 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
797 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
798 "%s: invalid record values.",
799 function );
800
801 return( -1 );
802 }
803 if( libevt_event_record_get_event_identifier(
804 record_values->event_record,
805 event_identifier,
806 error ) != 1 )
807 {
808 libcerror_error_set(
809 error,
810 LIBCERROR_ERROR_DOMAIN_RUNTIME,
811 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
812 "%s: unable to retrieve event identifier.",
813 function );
814
815 return( -1 );
816 }
817 return( 1 );
818 }
819
820 /* Retrieves the event type
821 * Returns 1 if successful or -1 on error
822 */
libevt_record_values_get_event_type(libevt_record_values_t * record_values,uint16_t * event_type,libcerror_error_t ** error)823 int libevt_record_values_get_event_type(
824 libevt_record_values_t *record_values,
825 uint16_t *event_type,
826 libcerror_error_t **error )
827 {
828 static char *function = "libevt_record_values_get_event_type";
829
830 if( record_values == NULL )
831 {
832 libcerror_error_set(
833 error,
834 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
835 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
836 "%s: invalid record values.",
837 function );
838
839 return( -1 );
840 }
841 if( libevt_event_record_get_event_type(
842 record_values->event_record,
843 event_type,
844 error ) != 1 )
845 {
846 libcerror_error_set(
847 error,
848 LIBCERROR_ERROR_DOMAIN_RUNTIME,
849 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
850 "%s: unable to retrieve event type.",
851 function );
852
853 return( -1 );
854 }
855 return( 1 );
856 }
857
858 /* Retrieves the event category
859 * Returns 1 if successful or -1 on error
860 */
libevt_record_values_get_event_category(libevt_record_values_t * record_values,uint16_t * event_category,libcerror_error_t ** error)861 int libevt_record_values_get_event_category(
862 libevt_record_values_t *record_values,
863 uint16_t *event_category,
864 libcerror_error_t **error )
865 {
866 static char *function = "libevt_record_values_get_event_category";
867
868 if( record_values == NULL )
869 {
870 libcerror_error_set(
871 error,
872 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
873 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
874 "%s: invalid record values.",
875 function );
876
877 return( -1 );
878 }
879 if( libevt_event_record_get_event_category(
880 record_values->event_record,
881 event_category,
882 error ) != 1 )
883 {
884 libcerror_error_set(
885 error,
886 LIBCERROR_ERROR_DOMAIN_RUNTIME,
887 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
888 "%s: unable to retrieve event category.",
889 function );
890
891 return( -1 );
892 }
893 return( 1 );
894 }
895
896 /* Retrieves the size of the UTF-8 encoded source name
897 * The returned size includes the end of string character
898 * Returns 1 if successful or -1 on error
899 */
libevt_record_values_get_utf8_source_name_size(libevt_record_values_t * record_values,size_t * utf8_string_size,libcerror_error_t ** error)900 int libevt_record_values_get_utf8_source_name_size(
901 libevt_record_values_t *record_values,
902 size_t *utf8_string_size,
903 libcerror_error_t **error )
904 {
905 static char *function = "libevt_record_values_get_utf8_source_name_size";
906
907 if( record_values == NULL )
908 {
909 libcerror_error_set(
910 error,
911 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
912 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
913 "%s: invalid record values.",
914 function );
915
916 return( -1 );
917 }
918 if( libevt_event_record_get_utf8_source_name_size(
919 record_values->event_record,
920 utf8_string_size,
921 error ) != 1 )
922 {
923 libcerror_error_set(
924 error,
925 LIBCERROR_ERROR_DOMAIN_RUNTIME,
926 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
927 "%s: unable to retrieve size of source name as UTF-8 string.",
928 function );
929
930 return( -1 );
931 }
932 return( 1 );
933 }
934
935 /* Retrieves the UTF-8 encoded source name
936 * The size should include the end of string character
937 * Returns 1 if successful or -1 on error
938 */
libevt_record_values_get_utf8_source_name(libevt_record_values_t * record_values,uint8_t * utf8_string,size_t utf8_string_size,libcerror_error_t ** error)939 int libevt_record_values_get_utf8_source_name(
940 libevt_record_values_t *record_values,
941 uint8_t *utf8_string,
942 size_t utf8_string_size,
943 libcerror_error_t **error )
944 {
945 static char *function = "libevt_record_values_get_utf8_source_name";
946
947 if( record_values == NULL )
948 {
949 libcerror_error_set(
950 error,
951 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
952 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
953 "%s: invalid record values.",
954 function );
955
956 return( -1 );
957 }
958 if( libevt_event_record_get_utf8_source_name(
959 record_values->event_record,
960 utf8_string,
961 utf8_string_size,
962 error ) != 1 )
963 {
964 libcerror_error_set(
965 error,
966 LIBCERROR_ERROR_DOMAIN_RUNTIME,
967 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
968 "%s: unable to retrieve source name as UTF-8 string.",
969 function );
970
971 return( -1 );
972 }
973 return( 1 );
974 }
975
976 /* Retrieves the size of the UTF-16 encoded source name
977 * The returned size includes the end of string character
978 * Returns 1 if successful or -1 on error
979 */
libevt_record_values_get_utf16_source_name_size(libevt_record_values_t * record_values,size_t * utf16_string_size,libcerror_error_t ** error)980 int libevt_record_values_get_utf16_source_name_size(
981 libevt_record_values_t *record_values,
982 size_t *utf16_string_size,
983 libcerror_error_t **error )
984 {
985 static char *function = "libevt_record_values_get_utf16_source_name_size";
986
987 if( record_values == NULL )
988 {
989 libcerror_error_set(
990 error,
991 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
992 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
993 "%s: invalid record values.",
994 function );
995
996 return( -1 );
997 }
998 if( libevt_event_record_get_utf16_source_name_size(
999 record_values->event_record,
1000 utf16_string_size,
1001 error ) != 1 )
1002 {
1003 libcerror_error_set(
1004 error,
1005 LIBCERROR_ERROR_DOMAIN_RUNTIME,
1006 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
1007 "%s: unable to retrieve size of source name as UTF-16 string.",
1008 function );
1009
1010 return( -1 );
1011 }
1012 return( 1 );
1013 }
1014
1015 /* Retrieves the UTF-16 encoded source name
1016 * The size should include the end of string character
1017 * Returns 1 if successful or -1 on error
1018 */
libevt_record_values_get_utf16_source_name(libevt_record_values_t * record_values,uint16_t * utf16_string,size_t utf16_string_size,libcerror_error_t ** error)1019 int libevt_record_values_get_utf16_source_name(
1020 libevt_record_values_t *record_values,
1021 uint16_t *utf16_string,
1022 size_t utf16_string_size,
1023 libcerror_error_t **error )
1024 {
1025 static char *function = "libevt_record_values_get_utf16_source_name";
1026
1027 if( record_values == NULL )
1028 {
1029 libcerror_error_set(
1030 error,
1031 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1032 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1033 "%s: invalid record values.",
1034 function );
1035
1036 return( -1 );
1037 }
1038 if( libevt_event_record_get_utf16_source_name(
1039 record_values->event_record,
1040 utf16_string,
1041 utf16_string_size,
1042 error ) != 1 )
1043 {
1044 libcerror_error_set(
1045 error,
1046 LIBCERROR_ERROR_DOMAIN_RUNTIME,
1047 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
1048 "%s: unable to retrieve source name as UTF-16 string.",
1049 function );
1050
1051 return( -1 );
1052 }
1053 return( 1 );
1054 }
1055
1056 /* Retrieves the size of the UTF-8 encoded computer name
1057 * The returned size includes the end of string character
1058 * Returns 1 if successful or -1 on error
1059 */
libevt_record_values_get_utf8_computer_name_size(libevt_record_values_t * record_values,size_t * utf8_string_size,libcerror_error_t ** error)1060 int libevt_record_values_get_utf8_computer_name_size(
1061 libevt_record_values_t *record_values,
1062 size_t *utf8_string_size,
1063 libcerror_error_t **error )
1064 {
1065 static char *function = "libevt_record_values_get_utf8_computer_name_size";
1066
1067 if( record_values == NULL )
1068 {
1069 libcerror_error_set(
1070 error,
1071 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1072 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1073 "%s: invalid record values.",
1074 function );
1075
1076 return( -1 );
1077 }
1078 if( libevt_event_record_get_utf8_computer_name_size(
1079 record_values->event_record,
1080 utf8_string_size,
1081 error ) != 1 )
1082 {
1083 libcerror_error_set(
1084 error,
1085 LIBCERROR_ERROR_DOMAIN_RUNTIME,
1086 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
1087 "%s: unable to retrieve size of computer name as UTF-8 string.",
1088 function );
1089
1090 return( -1 );
1091 }
1092 return( 1 );
1093 }
1094
1095 /* Retrieves the UTF-8 encoded computer name
1096 * The size should include the end of string character
1097 * Returns 1 if successful or -1 on error
1098 */
libevt_record_values_get_utf8_computer_name(libevt_record_values_t * record_values,uint8_t * utf8_string,size_t utf8_string_size,libcerror_error_t ** error)1099 int libevt_record_values_get_utf8_computer_name(
1100 libevt_record_values_t *record_values,
1101 uint8_t *utf8_string,
1102 size_t utf8_string_size,
1103 libcerror_error_t **error )
1104 {
1105 static char *function = "libevt_record_values_get_utf8_computer_name";
1106
1107 if( record_values == NULL )
1108 {
1109 libcerror_error_set(
1110 error,
1111 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1112 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1113 "%s: invalid record values.",
1114 function );
1115
1116 return( -1 );
1117 }
1118 if( libevt_event_record_get_utf8_computer_name(
1119 record_values->event_record,
1120 utf8_string,
1121 utf8_string_size,
1122 error ) != 1 )
1123 {
1124 libcerror_error_set(
1125 error,
1126 LIBCERROR_ERROR_DOMAIN_RUNTIME,
1127 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
1128 "%s: unable to retrieve computer name as UTF-8 string.",
1129 function );
1130
1131 return( -1 );
1132 }
1133 return( 1 );
1134 }
1135
1136 /* Retrieves the size of the UTF-16 encoded computer name
1137 * The returned size includes the end of string character
1138 * Returns 1 if successful or -1 on error
1139 */
libevt_record_values_get_utf16_computer_name_size(libevt_record_values_t * record_values,size_t * utf16_string_size,libcerror_error_t ** error)1140 int libevt_record_values_get_utf16_computer_name_size(
1141 libevt_record_values_t *record_values,
1142 size_t *utf16_string_size,
1143 libcerror_error_t **error )
1144 {
1145 static char *function = "libevt_record_values_get_utf16_computer_name_size";
1146
1147 if( record_values == NULL )
1148 {
1149 libcerror_error_set(
1150 error,
1151 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1152 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1153 "%s: invalid record values.",
1154 function );
1155
1156 return( -1 );
1157 }
1158 if( libevt_event_record_get_utf16_computer_name_size(
1159 record_values->event_record,
1160 utf16_string_size,
1161 error ) != 1 )
1162 {
1163 libcerror_error_set(
1164 error,
1165 LIBCERROR_ERROR_DOMAIN_RUNTIME,
1166 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
1167 "%s: unable to retrieve size of computer name as UTF-16 string.",
1168 function );
1169
1170 return( -1 );
1171 }
1172 return( 1 );
1173 }
1174
1175 /* Retrieves the UTF-16 encoded computer name
1176 * The size should include the end of string character
1177 * Returns 1 if successful or -1 on error
1178 */
libevt_record_values_get_utf16_computer_name(libevt_record_values_t * record_values,uint16_t * utf16_string,size_t utf16_string_size,libcerror_error_t ** error)1179 int libevt_record_values_get_utf16_computer_name(
1180 libevt_record_values_t *record_values,
1181 uint16_t *utf16_string,
1182 size_t utf16_string_size,
1183 libcerror_error_t **error )
1184 {
1185 static char *function = "libevt_record_values_get_utf16_computer_name";
1186
1187 if( record_values == NULL )
1188 {
1189 libcerror_error_set(
1190 error,
1191 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1192 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1193 "%s: invalid record values.",
1194 function );
1195
1196 return( -1 );
1197 }
1198 if( libevt_event_record_get_utf16_computer_name(
1199 record_values->event_record,
1200 utf16_string,
1201 utf16_string_size,
1202 error ) != 1 )
1203 {
1204 libcerror_error_set(
1205 error,
1206 LIBCERROR_ERROR_DOMAIN_RUNTIME,
1207 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
1208 "%s: unable to retrieve computer name as UTF-16 string.",
1209 function );
1210
1211 return( -1 );
1212 }
1213 return( 1 );
1214 }
1215
1216 /* Retrieves the size of the UTF-8 encoded user security identifier
1217 * The returned size includes the end of string character
1218 * Returns 1 if successful, 0 if not available or -1 on error
1219 */
libevt_record_values_get_utf8_user_security_identifier_size(libevt_record_values_t * record_values,size_t * utf8_string_size,libcerror_error_t ** error)1220 int libevt_record_values_get_utf8_user_security_identifier_size(
1221 libevt_record_values_t *record_values,
1222 size_t *utf8_string_size,
1223 libcerror_error_t **error )
1224 {
1225 static char *function = "libevt_record_values_get_utf8_user_security_identifier_size";
1226 int result = 0;
1227
1228 if( record_values == NULL )
1229 {
1230 libcerror_error_set(
1231 error,
1232 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1233 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1234 "%s: invalid record values.",
1235 function );
1236
1237 return( -1 );
1238 }
1239 result = libevt_event_record_get_utf8_user_security_identifier_size(
1240 record_values->event_record,
1241 utf8_string_size,
1242 error );
1243
1244 if( result == -1 )
1245 {
1246 libcerror_error_set(
1247 error,
1248 LIBCERROR_ERROR_DOMAIN_RUNTIME,
1249 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
1250 "%s: unable to retrieve size of user security identifier as UTF-8 string.",
1251 function );
1252
1253 return( -1 );
1254 }
1255 return( result );
1256 }
1257
1258 /* Retrieves the UTF-8 encoded user security identifier
1259 * The size should include the end of string character
1260 * Returns 1 if successful, 0 if not available or -1 on error
1261 */
libevt_record_values_get_utf8_user_security_identifier(libevt_record_values_t * record_values,uint8_t * utf8_string,size_t utf8_string_size,libcerror_error_t ** error)1262 int libevt_record_values_get_utf8_user_security_identifier(
1263 libevt_record_values_t *record_values,
1264 uint8_t *utf8_string,
1265 size_t utf8_string_size,
1266 libcerror_error_t **error )
1267 {
1268 static char *function = "libevt_record_values_get_utf8_user_security_identifier";
1269 int result = 0;
1270
1271 if( record_values == NULL )
1272 {
1273 libcerror_error_set(
1274 error,
1275 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1276 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1277 "%s: invalid record values.",
1278 function );
1279
1280 return( -1 );
1281 }
1282 result = libevt_event_record_get_utf8_user_security_identifier(
1283 record_values->event_record,
1284 utf8_string,
1285 utf8_string_size,
1286 error );
1287
1288 if( result == -1 )
1289 {
1290 libcerror_error_set(
1291 error,
1292 LIBCERROR_ERROR_DOMAIN_RUNTIME,
1293 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
1294 "%s: unable to retrieve user security identifier as UTF-8 string.",
1295 function );
1296
1297 return( -1 );
1298 }
1299 return( result );
1300 }
1301
1302 /* Retrieves the size of the UTF-16 encoded user security identifier
1303 * The returned size includes the end of string character
1304 * Returns 1 if successful, 0 if not available or -1 on error
1305 */
libevt_record_values_get_utf16_user_security_identifier_size(libevt_record_values_t * record_values,size_t * utf16_string_size,libcerror_error_t ** error)1306 int libevt_record_values_get_utf16_user_security_identifier_size(
1307 libevt_record_values_t *record_values,
1308 size_t *utf16_string_size,
1309 libcerror_error_t **error )
1310 {
1311 static char *function = "libevt_record_values_get_utf16_user_security_identifier_size";
1312 int result = 0;
1313
1314 if( record_values == NULL )
1315 {
1316 libcerror_error_set(
1317 error,
1318 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1319 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1320 "%s: invalid record values.",
1321 function );
1322
1323 return( -1 );
1324 }
1325 result = libevt_event_record_get_utf16_user_security_identifier_size(
1326 record_values->event_record,
1327 utf16_string_size,
1328 error );
1329
1330 if( result == -1 )
1331 {
1332 libcerror_error_set(
1333 error,
1334 LIBCERROR_ERROR_DOMAIN_RUNTIME,
1335 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
1336 "%s: unable to retrieve size of user security identifier as UTF-16 string.",
1337 function );
1338
1339 return( -1 );
1340 }
1341 return( result );
1342 }
1343
1344 /* Retrieves the UTF-16 encoded user security identifier
1345 * The size should include the end of string character
1346 * Returns 1 if successful, 0 if not available or -1 on error
1347 */
libevt_record_values_get_utf16_user_security_identifier(libevt_record_values_t * record_values,uint16_t * utf16_string,size_t utf16_string_size,libcerror_error_t ** error)1348 int libevt_record_values_get_utf16_user_security_identifier(
1349 libevt_record_values_t *record_values,
1350 uint16_t *utf16_string,
1351 size_t utf16_string_size,
1352 libcerror_error_t **error )
1353 {
1354 static char *function = "libevt_record_values_get_utf16_user_security_identifier";
1355 int result = 0;
1356
1357 if( record_values == NULL )
1358 {
1359 libcerror_error_set(
1360 error,
1361 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1362 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1363 "%s: invalid record values.",
1364 function );
1365
1366 return( -1 );
1367 }
1368 result = libevt_event_record_get_utf16_user_security_identifier(
1369 record_values->event_record,
1370 utf16_string,
1371 utf16_string_size,
1372 error );
1373
1374 if( result == -1 )
1375 {
1376 libcerror_error_set(
1377 error,
1378 LIBCERROR_ERROR_DOMAIN_RUNTIME,
1379 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
1380 "%s: unable to retrieve user security identifier as UTF-16 string.",
1381 function );
1382
1383 return( -1 );
1384 }
1385 return( result );
1386 }
1387
1388 /* Retrieves the number of strings
1389 * Returns 1 if successful or -1 on error
1390 */
libevt_record_values_get_number_of_strings(libevt_record_values_t * record_values,int * number_of_strings,libcerror_error_t ** error)1391 int libevt_record_values_get_number_of_strings(
1392 libevt_record_values_t *record_values,
1393 int *number_of_strings,
1394 libcerror_error_t **error )
1395 {
1396 static char *function = "libevt_record_values_get_number_of_strings";
1397
1398 if( record_values == NULL )
1399 {
1400 libcerror_error_set(
1401 error,
1402 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1403 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1404 "%s: invalid record values.",
1405 function );
1406
1407 return( -1 );
1408 }
1409 if( libevt_event_record_get_number_of_strings(
1410 record_values->event_record,
1411 number_of_strings,
1412 error ) != 1 )
1413 {
1414 libcerror_error_set(
1415 error,
1416 LIBCERROR_ERROR_DOMAIN_RUNTIME,
1417 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
1418 "%s: unable to retrieve number of strings.",
1419 function );
1420
1421 return( -1 );
1422 }
1423 return( 1 );
1424 }
1425
1426 /* Retrieves the size of a specific UTF-8 encoded string
1427 * The returned size includes the end of string character
1428 * Returns 1 if successful or -1 on error
1429 */
libevt_record_values_get_utf8_string_size(libevt_record_values_t * record_values,int string_index,size_t * utf8_string_size,libcerror_error_t ** error)1430 int libevt_record_values_get_utf8_string_size(
1431 libevt_record_values_t *record_values,
1432 int string_index,
1433 size_t *utf8_string_size,
1434 libcerror_error_t **error )
1435 {
1436 static char *function = "libevt_record_values_get_utf8_string_size";
1437
1438 if( record_values == NULL )
1439 {
1440 libcerror_error_set(
1441 error,
1442 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1443 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1444 "%s: invalid record values.",
1445 function );
1446
1447 return( -1 );
1448 }
1449 if( libevt_event_record_get_utf8_string_size(
1450 record_values->event_record,
1451 string_index,
1452 utf8_string_size,
1453 error ) != 1 )
1454 {
1455 libcerror_error_set(
1456 error,
1457 LIBCERROR_ERROR_DOMAIN_RUNTIME,
1458 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
1459 "%s: unable to retrieve size of UTF-8 string: %d.",
1460 function,
1461 string_index );
1462
1463 return( -1 );
1464 }
1465 return( 1 );
1466 }
1467
1468 /* Retrieves a specific UTF-8 encoded string
1469 * The size should include the end of string character
1470 * Returns 1 if successful or -1 on error
1471 */
libevt_record_values_get_utf8_string(libevt_record_values_t * record_values,int string_index,uint8_t * utf8_string,size_t utf8_string_size,libcerror_error_t ** error)1472 int libevt_record_values_get_utf8_string(
1473 libevt_record_values_t *record_values,
1474 int string_index,
1475 uint8_t *utf8_string,
1476 size_t utf8_string_size,
1477 libcerror_error_t **error )
1478 {
1479 static char *function = "libevt_values_record_get_utf8_string";
1480
1481 if( record_values == NULL )
1482 {
1483 libcerror_error_set(
1484 error,
1485 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1486 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1487 "%s: invalid record values.",
1488 function );
1489
1490 return( -1 );
1491 }
1492 if( libevt_event_record_get_utf8_string(
1493 record_values->event_record,
1494 string_index,
1495 utf8_string,
1496 utf8_string_size,
1497 error ) != 1 )
1498 {
1499 libcerror_error_set(
1500 error,
1501 LIBCERROR_ERROR_DOMAIN_RUNTIME,
1502 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
1503 "%s: unable to retrieve UTF-8 string: %d.",
1504 function,
1505 string_index );
1506
1507 return( -1 );
1508 }
1509 return( 1 );
1510 }
1511
1512 /* Retrieves the size of a specific UTF-16 encoded string
1513 * The returned size includes the end of string character
1514 * Returns 1 if successful or -1 on error
1515 */
libevt_record_values_get_utf16_string_size(libevt_record_values_t * record_values,int string_index,size_t * utf16_string_size,libcerror_error_t ** error)1516 int libevt_record_values_get_utf16_string_size(
1517 libevt_record_values_t *record_values,
1518 int string_index,
1519 size_t *utf16_string_size,
1520 libcerror_error_t **error )
1521 {
1522 static char *function = "libevt_record_values_get_utf16_string_size";
1523
1524 if( record_values == NULL )
1525 {
1526 libcerror_error_set(
1527 error,
1528 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1529 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1530 "%s: invalid record values.",
1531 function );
1532
1533 return( -1 );
1534 }
1535 if( libevt_event_record_get_utf16_string_size(
1536 record_values->event_record,
1537 string_index,
1538 utf16_string_size,
1539 error ) != 1 )
1540 {
1541 libcerror_error_set(
1542 error,
1543 LIBCERROR_ERROR_DOMAIN_RUNTIME,
1544 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
1545 "%s: unable to retrieve size of UTF-16 string: %d.",
1546 function,
1547 string_index );
1548
1549 return( -1 );
1550 }
1551 return( 1 );
1552 }
1553
1554 /* Retrieves a specific UTF-16 encoded string
1555 * The size should include the end of string character
1556 * Returns 1 if successful or -1 on error
1557 */
libevt_record_values_get_utf16_string(libevt_record_values_t * record_values,int string_index,uint16_t * utf16_string,size_t utf16_string_size,libcerror_error_t ** error)1558 int libevt_record_values_get_utf16_string(
1559 libevt_record_values_t *record_values,
1560 int string_index,
1561 uint16_t *utf16_string,
1562 size_t utf16_string_size,
1563 libcerror_error_t **error )
1564 {
1565 static char *function = "libevt_values_record_get_utf16_string";
1566
1567 if( record_values == NULL )
1568 {
1569 libcerror_error_set(
1570 error,
1571 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1572 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1573 "%s: invalid record values.",
1574 function );
1575
1576 return( -1 );
1577 }
1578 if( libevt_event_record_get_utf16_string(
1579 record_values->event_record,
1580 string_index,
1581 utf16_string,
1582 utf16_string_size,
1583 error ) != 1 )
1584 {
1585 libcerror_error_set(
1586 error,
1587 LIBCERROR_ERROR_DOMAIN_RUNTIME,
1588 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
1589 "%s: unable to retrieve UTF-16 string: %d.",
1590 function,
1591 string_index );
1592
1593 return( -1 );
1594 }
1595 return( 1 );
1596 }
1597
1598 /* Retrieves the size of the data
1599 * Returns 1 if successful, 0 if not available or -1 on error
1600 */
libevt_record_values_get_data_size(libevt_record_values_t * record_values,size_t * data_size,libcerror_error_t ** error)1601 int libevt_record_values_get_data_size(
1602 libevt_record_values_t *record_values,
1603 size_t *data_size,
1604 libcerror_error_t **error )
1605 {
1606 static char *function = "libevt_record_values_get_data_size";
1607
1608 if( record_values == NULL )
1609 {
1610 libcerror_error_set(
1611 error,
1612 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1613 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1614 "%s: invalid record values.",
1615 function );
1616
1617 return( -1 );
1618 }
1619 if( libevt_event_record_get_data_size(
1620 record_values->event_record,
1621 data_size,
1622 error ) != 1 )
1623 {
1624 libcerror_error_set(
1625 error,
1626 LIBCERROR_ERROR_DOMAIN_RUNTIME,
1627 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
1628 "%s: unable to retrieve data size.",
1629 function );
1630
1631 return( -1 );
1632 }
1633 return( 1 );
1634 }
1635
1636 /* Retrieves the data
1637 * Returns 1 if successful, 0 if not available or -1 on error
1638 */
libevt_record_values_get_data(libevt_record_values_t * record_values,uint8_t * data,size_t data_size,libcerror_error_t ** error)1639 int libevt_record_values_get_data(
1640 libevt_record_values_t *record_values,
1641 uint8_t *data,
1642 size_t data_size,
1643 libcerror_error_t **error )
1644 {
1645 static char *function = "libevt_record_values_get_data";
1646
1647 if( record_values == NULL )
1648 {
1649 libcerror_error_set(
1650 error,
1651 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
1652 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
1653 "%s: invalid record values.",
1654 function );
1655
1656 return( -1 );
1657 }
1658 if( libevt_event_record_get_data(
1659 record_values->event_record,
1660 data,
1661 data_size,
1662 error ) != 1 )
1663 {
1664 libcerror_error_set(
1665 error,
1666 LIBCERROR_ERROR_DOMAIN_RUNTIME,
1667 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
1668 "%s: unable to retrieve data.",
1669 function );
1670
1671 return( -1 );
1672 }
1673 return( 1 );
1674 }
1675
1676 /* Reads record values
1677 * Callback for the (recovered) records list
1678 * Returns 1 if successful or -1 on error
1679 */
libevt_record_values_read_element_data(libevt_io_handle_t * io_handle,libbfio_handle_t * file_io_handle,libfdata_list_element_t * element,libfdata_cache_t * cache,int element_file_index LIBEVT_ATTRIBUTE_UNUSED,off64_t element_offset,size64_t element_size LIBEVT_ATTRIBUTE_UNUSED,uint32_t element_flags LIBEVT_ATTRIBUTE_UNUSED,uint8_t read_flags LIBEVT_ATTRIBUTE_UNUSED,libcerror_error_t ** error)1680 int libevt_record_values_read_element_data(
1681 libevt_io_handle_t *io_handle,
1682 libbfio_handle_t *file_io_handle,
1683 libfdata_list_element_t *element,
1684 libfdata_cache_t *cache,
1685 int element_file_index LIBEVT_ATTRIBUTE_UNUSED,
1686 off64_t element_offset,
1687 size64_t element_size LIBEVT_ATTRIBUTE_UNUSED,
1688 uint32_t element_flags LIBEVT_ATTRIBUTE_UNUSED,
1689 uint8_t read_flags LIBEVT_ATTRIBUTE_UNUSED,
1690 libcerror_error_t **error )
1691 {
1692 libevt_record_values_t *record_values = NULL;
1693 static char *function = "libevt_record_values_read_element_data";
1694 off64_t file_offset = 0;
1695 ssize_t read_count = 0;
1696 uint8_t has_wrapped = 0;
1697
1698 LIBEVT_UNREFERENCED_PARAMETER( element_size )
1699 LIBEVT_UNREFERENCED_PARAMETER( element_file_index )
1700 LIBEVT_UNREFERENCED_PARAMETER( element_flags )
1701 LIBEVT_UNREFERENCED_PARAMETER( read_flags )
1702
1703 #if defined( HAVE_DEBUG_OUTPUT )
1704 if( libcnotify_verbose != 0 )
1705 {
1706 libcnotify_printf(
1707 "%s: reading record at offset: %" PRIi64 " (0x%08" PRIx64 ")\n",
1708 function,
1709 element_offset,
1710 element_offset );
1711 }
1712 #endif
1713 if( libevt_record_values_initialize(
1714 &record_values,
1715 error ) != 1 )
1716 {
1717 libcerror_error_set(
1718 error,
1719 LIBCERROR_ERROR_DOMAIN_RUNTIME,
1720 LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
1721 "%s: unable to create record values.",
1722 function );
1723
1724 goto on_error;
1725 }
1726 /* File offset must be before being passed to libevt_record_values_read
1727 */
1728 file_offset = element_offset;
1729
1730 read_count = libevt_record_values_read_file_io_handle(
1731 record_values,
1732 file_io_handle,
1733 io_handle,
1734 &file_offset,
1735 &has_wrapped,
1736 0,
1737 error );
1738
1739 if( read_count == -1 )
1740 {
1741 libcerror_error_set(
1742 error,
1743 LIBCERROR_ERROR_DOMAIN_IO,
1744 LIBCERROR_IO_ERROR_READ_FAILED,
1745 "%s: unable to read record at offset: %" PRIi64 ".",
1746 function,
1747 element_offset );
1748
1749 goto on_error;
1750 }
1751 if( libfdata_list_element_set_element_value(
1752 element,
1753 (intptr_t *) file_io_handle,
1754 cache,
1755 (intptr_t *) record_values,
1756 (int (*)(intptr_t **, libcerror_error_t **)) &libevt_record_values_free,
1757 LIBFDATA_LIST_ELEMENT_VALUE_FLAG_MANAGED,
1758 error ) != 1 )
1759 {
1760 libcerror_error_set(
1761 error,
1762 LIBCERROR_ERROR_DOMAIN_RUNTIME,
1763 LIBCERROR_RUNTIME_ERROR_SET_FAILED,
1764 "%s: unable to set record values as element value.",
1765 function );
1766
1767 goto on_error;
1768 }
1769 return( 1 );
1770
1771 on_error:
1772 if( record_values != NULL )
1773 {
1774 libevt_record_values_free(
1775 &record_values,
1776 NULL );
1777 }
1778 return( -1 );
1779 }
1780
1781