diff --git a/data/sources.config b/data/sources.config
index 9a67b46e75..2cbe7a0483 100644
--- a/data/sources.config
+++ b/data/sources.config
@@ -197,8 +197,8 @@ windows:srum:network_usage LOG System Resource Usage Monitor
 windows:tasks:job JOB Windows Scheduled Task Job
 windows:timeline:generic Windows Timeline Windows Timeline - Generic
 windows:timeline:user_engaged Windows Timeline Windows Timeline - User Engaged
-windows:user_access_logging:clients UAL User Access Logging CLIENTS record
-windows:user_access_logging:dns UAL User Access Logging DNS record
+windows:user_access_logging:clients UAL User Access Logging CLIENTS record
+windows:user_access_logging:dns UAL User Access Logging DNS record
 windows:user_access_logging:role_access UAL User Access Logging ROLE_ACCESS record
 windows:user_access_logging:system_identity UAL User Access Logging SYSTEM_IDENTITY record
 windows:user_access_logging:virtualmachines UAL User Access Logging VIRTUALMACHINES record
diff --git a/plaso/output/winevt_rc.py b/plaso/output/winevt_rc.py
index c37e7fe40d..4f1cdc55ca 100644
--- a/plaso/output/winevt_rc.py
+++ b/plaso/output/winevt_rc.py
@@ -7,6 +7,7 @@ from plaso.containers import artifacts
 from plaso.engine import path_helper
+from plaso.helpers.windows import languages
 from plaso.helpers.windows import resource_files
 from plaso.output import logger
@@ -354,9 +355,13 @@ def __init__(
 environment_variables (list[EnvironmentVariableArtifact]): environment variable artifacts.
 """
+ language_tag = languages.WindowsLanguageHelper.GetLanguageTagForLCID(
+ lcid or self.DEFAULT_LCID)
+
 super(WinevtResourcesHelper, self).__init__()
 self._data_location = data_location
 self._environment_variables = environment_variables or None
+ self._language_tag = language_tag.lower()
 self._lcid = lcid or self.DEFAULT_LCID
 self._message_string_cache = collections.OrderedDict()
 self._storage_reader = storage_reader
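Review bot: `self._language_tag = language_tag.lower()` assumes `GetLanguageTagForLCID` always returns a string; if it returns None for an LCID it does not know (its implementation is not visible in this diff), the constructor fails with an AttributeError rather than a clear message, and an empty tag would instead make every MUI lookup miss silently. Resolving the LCID once also removes the duplicated `lcid or self.DEFAULT_LCID`: keep `self._lcid = lcid or self.DEFAULT_LCID`, derive `language_tag = languages.WindowsLanguageHelper.GetLanguageTagForLCID(self._lcid)` from it, and add `if not language_tag: raise ValueError('Unsupported LCID: 0x{0:04x}'.format(self._lcid))` before the `.lower()`. The new attribute deserves a one-line comment such as `# Lower-cased language tag (for example en-us) used to locate per-language .mui message files.`, since the lookup that uses it lives in another method. The enclosing `__init__` starts before this hunk.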
@@ -495,7 +500,8 @@ def _ReadWindowsEventLogMessageFiles(self, storage_reader):
 if storage_reader.HasAttributeContainers('windows_eventlog_message_file'):
 for message_file in storage_reader.GetAttributeContainers(
 'windows_eventlog_message_file'):
- self._windows_eventlog_message_files[message_file.windows_path] = (
+ path = message_file.path.lower()
+ self._windows_eventlog_message_files[path] = (
 message_file.GetIdentifier())
 def _ReadWindowsEventLogMessageString(
@@ -551,6 +557,7 @@ def _ReadWindowsEventLogMessageString(
 if event_version is not None:
 filter_expression = '{0:s} and version == {1:d}'.format(
 filter_expression, event_version)
+
 for event_definition in storage_reader.GetAttributeContainers(
 'windows_wevt_template_event', filter_expression=filter_expression):
 logger.debug(
@@ -564,8 +571,18 @@ def _ReadWindowsEventLogMessageString(
 for windows_path in provider.event_message_files or []:
 path, filename = path_helper.PathHelper.GetWindowsSystemPath(
 windows_path, self._environment_variables)
- lookup_path = '\\'.join([path.lower(), filename.lower()])
+ path = path.lower()
+ filename = filename.lower()
+ lookup_path = '\\'.join([path, filename])
+ message_file_identifier = self._windows_eventlog_message_files.get( lookup_path, None)
+ if message_file_identifier:
+ message_file_identifier = message_file_identifier.CopyToString()
+ message_file_identifiers.append(message_file_identifier)
+
+ mui_filename = '{0:s}.mui'.format(filename)
+ lookup_path = '\\'.join([path, self._language_tag, mui_filename])
 message_file_identifier = self._windows_eventlog_message_files.get(
 lookup_path, None)
 if message_file_identifier:
@@ -589,7 +606,7 @@ def _ReadWindowsEventLogMessageString(
 message_strings.append(message_string)
 if not message_strings:
- logger.error(
+ logger.debug(
 'No match for message: 0x{0:08x} of provider: {1:s}'.format(
 message_identifier, lookup_key))
diff --git a/plaso/parsers/pe.py b/plaso/parsers/pe.py
index 74df65615c..7efe18fd40 100644
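Review bot: `self._windows_eventlog_message_files[path] = (` silently keeps the last container when two stored message files lower-case to the same path, and the key it stores must match byte for byte the `'\\'.join([...])` string built in `_ReadWindowsEventLogMessageString` (same separator, same case normalisation), which nothing in this hunk states. A comment on the assignment recording that contract, e.g. `# Keyed by lower-cased Windows path; must match the lookup path built in _ReadWindowsEventLogMessageString.`, plus a `logger.debug` when the key is already present, would make a duplicate or stale store visible instead of silently shadowed. The method's `def` line is the hunk header, so its body appears to be fully within the hunk, but I cannot confirm that from the diff alone.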
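Review bot: The base-file lookup and the new MUI lookup in the `@@ -564,8 +571,18 @@` hunk are the same four lines twice (`.get(lookup_path, None)`, truthiness check, `CopyToString()`, append), and the second copy presumably continues past the end of the hunk; iterating over the candidate paths keeps the behaviour and gives one place to add any further fallback later. The `None` default in `.get(lookup_path, None)` is also redundant. Since the MUI path is built from `self._language_tag`, a resource file stored under any other language directory is never found — if that is intended, a comment saying so would save the next reader a search. The enclosing provider loop and the rest of the method are outside this hunk.
```python
        path, filename = path_helper.PathHelper.GetWindowsSystemPath(
            windows_path, self._environment_variables)
        path = path.lower()
        filename = filename.lower()
        mui_filename = '{0:s}.mui'.format(filename)
        # Try the message file itself first, then its language-specific
        # resource file (MUI) in the directory for the configured LCID.
        for lookup_path in (
            '\\'.join([path, filename]),
            '\\'.join([path, self._language_tag, mui_filename])):
          message_file_identifier = self._windows_eventlog_message_files.get(
              lookup_path)
          if message_file_identifier:
            message_file_identifiers.append(
                message_file_identifier.CopyToString())
        # … unchanged: remainder of the provider loop …
```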
--- a/plaso/parsers/pe.py
+++ b/plaso/parsers/pe.py
@@ -471,16 +471,11 @@ def _ParseWevtTemplate(self, parser_mediator, message_file, data):
 'Unable to read WEVT event definitions with error: '
 '{0!s}').format(exception))
 for event_definition in event_definitions.definitions:
- if event_definition.flags & 0x80:
- event_version = event_definition.version
- else:
- event_version = None
-
 event_definition = artifacts.WindowsWevtTemplateEvent(
 identifier=event_definition.identifier,
 message_identifier=event_definition.message_identifier,
 provider_identifier=provider_identifier,
- version=event_version)
+ version=event_definition.version)
 event_definition.SetMessageFileIdentifier(message_file_identifier)
 parser_mediator.AddWindowsWevtTemplateEvent(event_definition)
diff --git a/plaso/parsers/pe_resources.yaml b/plaso/parsers/pe_resources.yaml
index 4b6e87a1ba..86a43cbb5f 100644
--- a/plaso/parsers/pe_resources.yaml
+++ b/plaso/parsers/pe_resources.yaml
@@ -139,7 +139,6 @@ attributes:
 members:
 - name: identifier
 data_type: uint16
-# TODO: note that version, channel, level, opcode and task are part of an union.
 - name: version
 data_type: uint8
 - name: channel
diff --git a/tests/parsers/pe.py b/tests/parsers/pe.py
index f9d0676275..9fdb4233e2 100644
--- a/tests/parsers/pe.py
+++ b/tests/parsers/pe.py
@@ -163,7 +163,7 @@ def testParseFileObjectOnResourceFile(self):
 self.assertEqual(
 attribute_containers[0].provider_identifier,
 '{67883bbc-d592-4d02-8e29-66907fcb07d6}')
- self.assertIsNone(attribute_containers[0].version)
+ self.assertEqual(attribute_containers[0].version, 1)
 if __name__ == '__main__':
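Review bot: `version=event_definition.version` now reads the version byte unconditionally, dropping the `flags & 0x80` guard, while the pe_resources.yaml hunk removes the TODO saying that version, channel, level, opcode and task are part of a union — but nothing in the diff records why the byte is now treated as valid for every definition, so the next reader cannot tell whether the guard was a bug or the flag's meaning was reinterpreted. A one-line comment at the constructor call, e.g. `# The version byte is stored for every event definition; the 0x80 flag does not gate it.` (filled in with the actual reason, which I cannot infer from the diff), would keep that decision visible where the code is. Separately, the loop variable `event_definition` is rebound to the artifact while the right-hand side still reads the parsed definition's attributes; naming the artifact `wevt_template_event = artifacts.WindowsWevtTemplateEvent(`, `wevt_template_event.SetMessageFileIdentifier(message_file_identifier)` and `parser_mediator.AddWindowsWevtTemplateEvent(wevt_template_event)` removes that shadowing. `_ParseWevtTemplate` starts before this hunk.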