/*
 * Common input functions for the evtxtools
 *
 * Copyright (C) 2011-2021, Joachim Metz <joachim.metz@gmail.com>
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program.  If not, see <https://www.gnu.org/licenses/>.
 */

22 #include <common.h>
23 #include <narrow_string.h>
24 #include <system_string.h>
25 #include <types.h>
26 #include <wide_string.h>
27 
28 #include "evtxinput.h"
29 #include "evtxtools_libcerror.h"
30 #include "evtxtools_libcpath.h"
31 #include "evtxtools_libevtx.h"
32 #include "evtxtools_wide_string.h"

/* Determines the event log type from a string
 * The comparison is case-insensitive and the string must match a known
 * log name exactly (no prefix or suffix matching).
 * Returns 1 if successful, 0 if the value is unsupported or -1 on error
 */
int evtxinput_determine_event_log_type(
     const system_character_t *string,
     int *event_log_type,
     libcerror_error_t **error )
{
	/* Known event log names: an input only matches when its length equals
	 * the entry's length and the case-insensitive comparison succeeds.
	 */
	static const struct
	{
		const system_character_t *name;
		size_t length;
		int type;
	}
	known_types[] = {
		{ _SYSTEM_STRING( "system" ),      6,  EVTXTOOLS_EVENT_LOG_TYPE_SYSTEM },
		{ _SYSTEM_STRING( "security" ),    8,  EVTXTOOLS_EVENT_LOG_TYPE_SECURITY },
		{ _SYSTEM_STRING( "application" ), 11, EVTXTOOLS_EVENT_LOG_TYPE_APPLICATION },
	};
	static char *function = "evtxinput_determine_event_log_type";
	size_t string_length  = 0;
	size_t entry_index    = 0;

	if( string == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid string.",
		 function );

		return( -1 );
	}
	if( event_log_type == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid event log type.",
		 function );

		return( -1 );
	}
	string_length = system_string_length(
	                 string );

	for( entry_index = 0;
	     entry_index < sizeof( known_types ) / sizeof( known_types[ 0 ] );
	     entry_index++ )
	{
		/* Cheap length check first; the table lengths are all distinct,
		 * so at most one entry is ever compared character by character.
		 */
		if( known_types[ entry_index ].length != string_length )
		{
			continue;
		}
		if( system_string_compare_no_case(
		     string,
		     known_types[ entry_index ].name,
		     string_length ) != 0 )
		{
			continue;
		}
		*event_log_type = known_types[ entry_index ].type;

		return( 1 );
	}
	/* No known name matched: unsupported value, not an error */
	return( 0 );
}

/* Determines the event log type from the filename
 * Only the last path component is compared, case-insensitively, against a
 * fixed list of well-known event log file names; the file contents are not
 * inspected.
 * Returns 1 if successful, 0 if the value is unsupported or -1 on error
 */
int evtxinput_determine_event_log_type_from_filename(
     const system_character_t *filename,
     int *event_log_type,
     libcerror_error_t **error )
{
	/* Well-known event log file names. Only the base name (the part after
	 * the last path separator) is matched, and only when its length equals
	 * the entry's length and the case-insensitive comparison succeeds.
	 * The file's contents are never examined here, so the result is a
	 * naming-based hint rather than a verified log type.
	 */
	static const struct
	{
		const system_character_t *name;
		size_t length;
		int type;
	}
	known_files[] = {
		{ _SYSTEM_STRING( "System.evtx" ),                 11, EVTXTOOLS_EVENT_LOG_TYPE_SYSTEM },
		{ _SYSTEM_STRING( "Security.evtx" ),               13, EVTXTOOLS_EVENT_LOG_TYPE_SECURITY },
		{ _SYSTEM_STRING( "Application.evtx" ),            16, EVTXTOOLS_EVENT_LOG_TYPE_APPLICATION },
		{ _SYSTEM_STRING( "Media Center.evtx" ),           17, EVTXTOOLS_EVENT_LOG_TYPE_MEDIA_CENTER },
		{ _SYSTEM_STRING( "HardwareEvents.evtx" ),         19, EVTXTOOLS_EVENT_LOG_TYPE_HARDWARE_EVENTS },
		{ _SYSTEM_STRING( "DFS Replication.evtx" ),        20, EVTXTOOLS_EVENT_LOG_TYPE_DFS_REPLICATION },
		{ _SYSTEM_STRING( "Internet Explorer.evtx" ),      22, EVTXTOOLS_EVENT_LOG_TYPE_INTERNET_EXPLORER },
		{ _SYSTEM_STRING( "Key Management Service.evtx" ), 27, EVTXTOOLS_EVENT_LOG_TYPE_KEY_MANAGEMENT_SERVICE },
	};
	const system_character_t *base_name = NULL;
	static char *function               = "evtxinput_determine_event_log_type_from_filename";
	size_t base_name_length             = 0;
	size_t filename_length              = 0;
	size_t entry_index                  = 0;

	if( filename == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid filename.",
		 function );

		return( -1 );
	}
	if( event_log_type == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid event log type.",
		 function );

		return( -1 );
	}
	filename_length = system_string_length(
	                   filename );

	/* Locate the last path separator so that a full path such as
	 * "<dir>/Security.evtx" is reduced to its base name before matching.
	 */
	base_name = system_string_search_character_reverse(
	             filename,
	             (system_character_t) LIBCPATH_SEPARATOR,
	             filename_length );

	if( base_name != NULL )
	{
		/* Skip the separator itself; a trailing separator yields an empty
		 * base name, which matches nothing.
		 */
		base_name++;

		base_name_length = system_string_length(
		                    base_name );
	}
	else
	{
		base_name        = filename;
		base_name_length = filename_length;
	}
	for( entry_index = 0;
	     entry_index < sizeof( known_files ) / sizeof( known_files[ 0 ] );
	     entry_index++ )
	{
		/* The table lengths are all distinct, so at most one entry is ever
		 * compared character by character.
		 */
		if( known_files[ entry_index ].length != base_name_length )
		{
			continue;
		}
		if( system_string_compare_no_case(
		     base_name,
		     known_files[ entry_index ].name,
		     base_name_length ) != 0 )
		{
			continue;
		}
		*event_log_type = known_files[ entry_index ].type;

		return( 1 );
	}
	/* No well-known file name matched: unsupported value, not an error */
	return( 0 );
}