1 /*
2 * Common input functions for the evtxtools
3 *
4 * Copyright (C) 2011-2021, Joachim Metz <joachim.metz@gmail.com>
5 *
6 * Refer to AUTHORS for acknowledgements.
7 *
8 * This program is free software: you can redistribute it and/or modify
9 * it under the terms of the GNU Lesser General Public License as published by
10 * the Free Software Foundation, either version 3 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <https://www.gnu.org/licenses/>.
20 */
21
22 #include <common.h>
23 #include <narrow_string.h>
24 #include <system_string.h>
25 #include <types.h>
26 #include <wide_string.h>
27
28 #include "evtxinput.h"
29 #include "evtxtools_libcerror.h"
30 #include "evtxtools_libcpath.h"
31 #include "evtxtools_libevtx.h"
32 #include "evtxtools_wide_string.h"
33
/* Determines the event log type from a string
 * The string is compared case-insensitively against the known log names
 * and must also match the name length exactly.
 * Returns 1 if successful, 0 if unsupported value or -1 on error
 */
int evtxinput_determine_event_log_type(
     const system_character_t *string,
     int *event_log_type,
     libcerror_error_t **error )
{
	/* Lookup table of the supported log names, their lengths and types
	 */
	static const struct
	{
		const system_character_t *name;
		size_t name_length;
		int log_type;
	}
	known_log_names[] = {
		{ _SYSTEM_STRING( "system" ), 6, EVTXTOOLS_EVENT_LOG_TYPE_SYSTEM },
		{ _SYSTEM_STRING( "security" ), 8, EVTXTOOLS_EVENT_LOG_TYPE_SECURITY },
		{ _SYSTEM_STRING( "application" ), 11, EVTXTOOLS_EVENT_LOG_TYPE_APPLICATION }
	};
	static char *function = "evtxinput_determine_event_log_type";
	size_t number_of_names = sizeof( known_log_names ) / sizeof( known_log_names[ 0 ] );
	size_t string_length   = 0;
	size_t name_index      = 0;

	if( string == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid string.",
		 function );

		return( -1 );
	}
	if( event_log_type == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid event log type.",
		 function );

		return( -1 );
	}
	string_length = system_string_length(
	                 string );

	for( name_index = 0;
	     name_index < number_of_names;
	     name_index++ )
	{
		/* Skip the (comparatively expensive) compare when the lengths differ
		 */
		if( string_length != known_log_names[ name_index ].name_length )
		{
			continue;
		}
		if( system_string_compare_no_case(
		     string,
		     known_log_names[ name_index ].name,
		     string_length ) == 0 )
		{
			*event_log_type = known_log_names[ name_index ].log_type;

			return( 1 );
		}
	}
	/* No known name matched: the caller's event_log_type is left untouched
	 */
	return( 0 );
}
106
/* Determines the event log type from the filename
 * Only the part after the last LIBCPATH_SEPARATOR (the base name) is
 * compared, case-insensitively, against the known event log file names.
 * Returns 1 if successful, 0 if unsupported value or -1 on error
 */
int evtxinput_determine_event_log_type_from_filename(
     const system_character_t *filename,
     int *event_log_type,
     libcerror_error_t **error )
{
	/* Lookup table of the supported log file names, their lengths and types
	 */
	static const struct
	{
		const system_character_t *name;
		size_t name_length;
		int log_type;
	}
	known_file_names[] = {
		{ _SYSTEM_STRING( "System.evtx" ), 11, EVTXTOOLS_EVENT_LOG_TYPE_SYSTEM },
		{ _SYSTEM_STRING( "Security.evtx" ), 13, EVTXTOOLS_EVENT_LOG_TYPE_SECURITY },
		{ _SYSTEM_STRING( "Application.evtx" ), 16, EVTXTOOLS_EVENT_LOG_TYPE_APPLICATION },
		{ _SYSTEM_STRING( "Media Center.evtx" ), 17, EVTXTOOLS_EVENT_LOG_TYPE_MEDIA_CENTER },
		{ _SYSTEM_STRING( "HardwareEvents.evtx" ), 19, EVTXTOOLS_EVENT_LOG_TYPE_HARDWARE_EVENTS },
		{ _SYSTEM_STRING( "DFS Replication.evtx" ), 20, EVTXTOOLS_EVENT_LOG_TYPE_DFS_REPLICATION },
		{ _SYSTEM_STRING( "Internet Explorer.evtx" ), 22, EVTXTOOLS_EVENT_LOG_TYPE_INTERNET_EXPLORER },
		{ _SYSTEM_STRING( "Key Management Service.evtx" ), 27, EVTXTOOLS_EVENT_LOG_TYPE_KEY_MANAGEMENT_SERVICE }
	};
	const system_character_t *base_name = NULL;
	static char *function               = "evtxinput_determine_event_log_type_from_filename";
	size_t number_of_names              = sizeof( known_file_names ) / sizeof( known_file_names[ 0 ] );
	size_t base_name_length             = 0;
	size_t name_index                   = 0;

	if( filename == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid filename.",
		 function );

		return( -1 );
	}
	if( event_log_type == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid event log type.",
		 function );

		return( -1 );
	}
	base_name_length = system_string_length(
	                    filename );

	/* Strip the directory part: compare only what follows the last separator
	 */
	base_name = system_string_search_character_reverse(
	             filename,
	             (system_character_t) LIBCPATH_SEPARATOR,
	             base_name_length );

	if( base_name != NULL )
	{
		base_name++;

		base_name_length = system_string_length(
		                    base_name );
	}
	else
	{
		base_name = filename;
	}
	for( name_index = 0;
	     name_index < number_of_names;
	     name_index++ )
	{
		/* Skip the (comparatively expensive) compare when the lengths differ
		 */
		if( base_name_length != known_file_names[ name_index ].name_length )
		{
			continue;
		}
		if( system_string_compare_no_case(
		     base_name,
		     known_file_names[ name_index ].name,
		     base_name_length ) == 0 )
		{
			*event_log_type = known_file_names[ name_index ].log_type;

			return( 1 );
		}
	}
	/* No known file name matched: the caller's event_log_type is left untouched
	 */
	return( 0 );
}
251
252