Repository: libyal/libevtx Branch: main Commit: e70e035a00a5 Files: 333 Total size: 2.2 MB Directory structure: gitextract_30yz1f74/ ├── .codecov.yml ├── .github/ │ └── workflows/ │ ├── build.yml │ ├── build_freebsd.yml │ ├── build_macos.yml │ ├── build_ossfuzz.yml │ ├── build_shared.yml │ └── build_wheel.yml ├── .gitignore ├── AUTHORS ├── COPYING ├── COPYING.LESSER ├── ChangeLog ├── Makefile.am ├── NEWS ├── README ├── acinclude.m4 ├── appveyor.yml ├── autogen.ps1 ├── autogen.sh ├── build.ps1 ├── common/ │ ├── Makefile.am │ ├── byte_stream.h │ ├── common.h │ ├── config_borlandc.h │ ├── config_msc.h │ ├── config_winapi.h │ ├── file_stream.h │ ├── memory.h │ ├── narrow_string.h │ ├── system_string.h │ ├── types.h.in │ └── wide_string.h ├── configure.ac ├── documentation/ │ └── Windows XML Event Log (EVTX).asciidoc ├── dpkg/ │ ├── changelog.in │ ├── compat │ ├── control │ ├── copyright │ ├── libevtx-dev.install │ ├── libevtx-python3.install │ ├── libevtx-tools.install │ ├── libevtx.install │ ├── rules │ └── source/ │ └── format ├── dtfabric.yaml ├── evtxtools/ │ ├── Makefile.am │ ├── evtxexport.c │ ├── evtxinfo.c │ ├── evtxinput.c │ ├── evtxinput.h │ ├── evtxtools_getopt.c │ ├── evtxtools_getopt.h │ ├── evtxtools_i18n.h │ ├── evtxtools_libbfio.h │ ├── evtxtools_libcdirectory.h │ ├── evtxtools_libcerror.h │ ├── evtxtools_libclocale.h │ ├── evtxtools_libcnotify.h │ ├── evtxtools_libcpath.h │ ├── evtxtools_libcsplit.h │ ├── evtxtools_libevtx.h │ ├── evtxtools_libexe.h │ ├── evtxtools_libfcache.h │ ├── evtxtools_libfdatetime.h │ ├── evtxtools_libfguid.h │ ├── evtxtools_libfvalue.h │ ├── evtxtools_libfwevt.h │ ├── evtxtools_libfwnt.h │ ├── evtxtools_libregf.h │ ├── evtxtools_libuna.h │ ├── evtxtools_libwrc.h │ ├── evtxtools_output.c │ ├── evtxtools_output.h │ ├── evtxtools_signal.c │ ├── evtxtools_signal.h │ ├── evtxtools_system_split_string.h │ ├── evtxtools_unused.h │ ├── evtxtools_wide_string.c │ ├── evtxtools_wide_string.h │ ├── export_handle.c │ ├── export_handle.h │ 
├── info_handle.c │ ├── info_handle.h │ ├── log_handle.c │ ├── log_handle.h │ ├── message_handle.c │ ├── message_handle.h │ ├── message_string.c │ ├── message_string.h │ ├── path_handle.c │ ├── path_handle.h │ ├── registry_file.c │ ├── registry_file.h │ ├── resource_file.c │ └── resource_file.h ├── include/ │ ├── Makefile.am │ ├── libevtx/ │ │ ├── codepage.h │ │ ├── definitions.h.in │ │ ├── error.h │ │ ├── extern.h │ │ ├── features.h.in │ │ └── types.h.in │ └── libevtx.h.in ├── libevtx/ │ ├── Makefile.am │ ├── evtx_chunk.h │ ├── evtx_event_record.h │ ├── evtx_file_header.h │ ├── libevtx.c │ ├── libevtx.rc.in │ ├── libevtx_byte_stream.c │ ├── libevtx_byte_stream.h │ ├── libevtx_checksum.c │ ├── libevtx_checksum.h │ ├── libevtx_chunk.c │ ├── libevtx_chunk.h │ ├── libevtx_chunks_table.c │ ├── libevtx_chunks_table.h │ ├── libevtx_codepage.c │ ├── libevtx_codepage.h │ ├── libevtx_debug.c │ ├── libevtx_debug.h │ ├── libevtx_definitions.h.in │ ├── libevtx_error.c │ ├── libevtx_error.h │ ├── libevtx_extern.h │ ├── libevtx_file.c │ ├── libevtx_file.h │ ├── libevtx_i18n.c │ ├── libevtx_i18n.h │ ├── libevtx_io_handle.c │ ├── libevtx_io_handle.h │ ├── libevtx_libbfio.h │ ├── libevtx_libcdata.h │ ├── libevtx_libcerror.h │ ├── libevtx_libclocale.h │ ├── libevtx_libcnotify.h │ ├── libevtx_libfcache.h │ ├── libevtx_libfdata.h │ ├── libevtx_libfdatetime.h │ ├── libevtx_libfguid.h │ ├── libevtx_libfwevt.h │ ├── libevtx_libuna.h │ ├── libevtx_notify.c │ ├── libevtx_notify.h │ ├── libevtx_record.c │ ├── libevtx_record.h │ ├── libevtx_record_values.c │ ├── libevtx_record_values.h │ ├── libevtx_support.c │ ├── libevtx_support.h │ ├── libevtx_template_definition.c │ ├── libevtx_template_definition.h │ ├── libevtx_types.h │ └── libevtx_unused.h ├── libevtx.ini ├── libevtx.pc.in ├── libevtx.spec.in ├── m4/ │ ├── common.m4 │ ├── libbfio.m4 │ ├── libcdata.m4 │ ├── libcdirectory.m4 │ ├── libcerror.m4 │ ├── libcfile.m4 │ ├── libclocale.m4 │ ├── libcnotify.m4 │ ├── libcpath.m4 │ ├── 
libcsplit.m4 │ ├── libcthreads.m4 │ ├── libexe.m4 │ ├── libfcache.m4 │ ├── libfdata.m4 │ ├── libfdatetime.m4 │ ├── libfguid.m4 │ ├── libfvalue.m4 │ ├── libfwevt.m4 │ ├── libfwnt.m4 │ ├── libregf.m4 │ ├── libuna.m4 │ ├── libwrc.m4 │ ├── pthread.m4 │ ├── python.m4 │ ├── tests.m4 │ └── types.m4 ├── manuals/ │ ├── Makefile.am │ ├── evtxexport.1 │ ├── evtxinfo.1 │ └── libevtx.3 ├── msvscpp/ │ ├── Makefile.am │ ├── evtx_test_chunk/ │ │ └── evtx_test_chunk.vcproj │ ├── evtx_test_chunks_table/ │ │ └── evtx_test_chunks_table.vcproj │ ├── evtx_test_error/ │ │ └── evtx_test_error.vcproj │ ├── evtx_test_file/ │ │ └── evtx_test_file.vcproj │ ├── evtx_test_io_handle/ │ │ └── evtx_test_io_handle.vcproj │ ├── evtx_test_notify/ │ │ └── evtx_test_notify.vcproj │ ├── evtx_test_record/ │ │ └── evtx_test_record.vcproj │ ├── evtx_test_record_values/ │ │ └── evtx_test_record_values.vcproj │ ├── evtx_test_support/ │ │ └── evtx_test_support.vcproj │ ├── evtx_test_template_definition/ │ │ └── evtx_test_template_definition.vcproj │ ├── evtx_test_tools_info_handle/ │ │ └── evtx_test_tools_info_handle.vcproj │ ├── evtx_test_tools_message_handle/ │ │ └── evtx_test_tools_message_handle.vcproj │ ├── evtx_test_tools_message_string/ │ │ └── evtx_test_tools_message_string.vcproj │ ├── evtx_test_tools_output/ │ │ └── evtx_test_tools_output.vcproj │ ├── evtx_test_tools_path_handle/ │ │ └── evtx_test_tools_path_handle.vcproj │ ├── evtx_test_tools_registry_file/ │ │ └── evtx_test_tools_registry_file.vcproj │ ├── evtx_test_tools_resource_file/ │ │ └── evtx_test_tools_resource_file.vcproj │ ├── evtx_test_tools_signal/ │ │ └── evtx_test_tools_signal.vcproj │ ├── evtxexport/ │ │ └── evtxexport.vcproj │ ├── evtxinfo/ │ │ └── evtxinfo.vcproj │ ├── libbfio/ │ │ └── libbfio.vcproj │ ├── libcdata/ │ │ └── libcdata.vcproj │ ├── libcdirectory/ │ │ └── libcdirectory.vcproj │ ├── libcerror/ │ │ └── libcerror.vcproj │ ├── libcfile/ │ │ └── libcfile.vcproj │ ├── libclocale/ │ │ └── libclocale.vcproj │ ├── libcnotify/ 
│ │ └── libcnotify.vcproj │ ├── libcpath/ │ │ └── libcpath.vcproj │ ├── libcsplit/ │ │ └── libcsplit.vcproj │ ├── libcthreads/ │ │ └── libcthreads.vcproj │ ├── libevtx/ │ │ └── libevtx.vcproj │ ├── libevtx.sln │ ├── libexe/ │ │ └── libexe.vcproj │ ├── libfcache/ │ │ └── libfcache.vcproj │ ├── libfdata/ │ │ └── libfdata.vcproj │ ├── libfdatetime/ │ │ └── libfdatetime.vcproj │ ├── libfguid/ │ │ └── libfguid.vcproj │ ├── libfvalue/ │ │ └── libfvalue.vcproj │ ├── libfwevt/ │ │ └── libfwevt.vcproj │ ├── libfwnt/ │ │ └── libfwnt.vcproj │ ├── libregf/ │ │ └── libregf.vcproj │ ├── libuna/ │ │ └── libuna.vcproj │ ├── libwrc/ │ │ └── libwrc.vcproj │ └── pyevtx/ │ └── pyevtx.vcproj ├── ossfuzz/ │ ├── Makefile.am │ ├── file_fuzzer.cc │ ├── ossfuzz_libbfio.h │ ├── ossfuzz_libevtx.h │ └── record_fuzzer.cc ├── po/ │ ├── ChangeLog │ ├── Makevars.in │ └── POTFILES.in ├── pyevtx/ │ ├── Makefile.am │ ├── pyevtx.c │ ├── pyevtx.h │ ├── pyevtx_codepage.c │ ├── pyevtx_codepage.h │ ├── pyevtx_datetime.c │ ├── pyevtx_datetime.h │ ├── pyevtx_error.c │ ├── pyevtx_error.h │ ├── pyevtx_event_levels.c │ ├── pyevtx_event_levels.h │ ├── pyevtx_file.c │ ├── pyevtx_file.h │ ├── pyevtx_file_flags.c │ ├── pyevtx_file_flags.h │ ├── pyevtx_file_object_io_handle.c │ ├── pyevtx_file_object_io_handle.h │ ├── pyevtx_integer.c │ ├── pyevtx_integer.h │ ├── pyevtx_libbfio.h │ ├── pyevtx_libcerror.h │ ├── pyevtx_libclocale.h │ ├── pyevtx_libevtx.h │ ├── pyevtx_libfwnt.h │ ├── pyevtx_python.h │ ├── pyevtx_record.c │ ├── pyevtx_record.h │ ├── pyevtx_records.c │ ├── pyevtx_records.h │ ├── pyevtx_strings.c │ ├── pyevtx_strings.h │ └── pyevtx_unused.h ├── pyproject.toml ├── runtests.ps1 ├── runtests.sh ├── setup.cfg.in ├── setup.py ├── synclibs.ps1 ├── synclibs.sh ├── synctestdata.ps1 ├── synctestdata.sh ├── tests/ │ ├── Makefile.am │ ├── build.sh │ ├── evtx_test_chunk.c │ ├── evtx_test_chunks_table.c │ ├── evtx_test_error.c │ ├── evtx_test_file.c │ ├── evtx_test_functions.c │ ├── evtx_test_functions.h │ ├── 
evtx_test_getopt.c │ ├── evtx_test_getopt.h │ ├── evtx_test_io_handle.c │ ├── evtx_test_libbfio.h │ ├── evtx_test_libcerror.h │ ├── evtx_test_libclocale.h │ ├── evtx_test_libcnotify.h │ ├── evtx_test_libevtx.h │ ├── evtx_test_libuna.h │ ├── evtx_test_macros.h │ ├── evtx_test_memory.c │ ├── evtx_test_memory.h │ ├── evtx_test_notify.c │ ├── evtx_test_record.c │ ├── evtx_test_record_values.c │ ├── evtx_test_support.c │ ├── evtx_test_template_definition.c │ ├── evtx_test_tools_info_handle.c │ ├── evtx_test_tools_message_handle.c │ ├── evtx_test_tools_message_string.c │ ├── evtx_test_tools_output.c │ ├── evtx_test_tools_path_handle.c │ ├── evtx_test_tools_registry_file.c │ ├── evtx_test_tools_resource_file.c │ ├── evtx_test_tools_signal.c │ ├── evtx_test_unused.h │ ├── lsan.suppressions │ ├── pkgbuild.sh │ ├── pyevtx_test_file.py │ ├── pyevtx_test_support.py │ ├── runtests.py │ ├── runtests.sh │ ├── syncsharedlibs.sh │ ├── test_evtxexport.sh │ ├── test_evtxinfo.ps1 │ ├── test_evtxinfo.sh │ ├── test_library.ps1 │ ├── test_library.sh │ ├── test_manpage.sh │ ├── test_python_module.sh │ ├── test_runner.sh │ ├── test_tools.ps1 │ └── test_tools.sh └── tox.ini ================================================ FILE CONTENTS ================================================ ================================================ FILE: .codecov.yml ================================================ coverage: precision: 2 round: down range: 70...100 status: project: true patch: true changes: false ignore: - "libbfio/*" - "libcdata/*" - "libcdirectory/*" - "libcerror/*" - "libcfile/*" - "libclocale/*" - "libcnotify/*" - "libcpath/*" - "libcsplit/*" - "libcthreads/*" - "libexe/*" - "libfcache/*" - "libfdata/*" - "libfdatetime/*" - "libfguid/*" - "libfvalue/*" - "libfwevt/*" - "libfwnt/*" - "libregf/*" - "libuna/*" - "libwrc/*" - "tests/*" ================================================ FILE: .github/workflows/build.yml ================================================ # Build from source. 
# Runs on every push and pull request. Five jobs: plain build + tests, "make distcheck",
# Python bindings via configure, Python module via setup.py, and a gcov coverage build.
name: build
on: [push, pull_request]
# read-all gives the workflow token read access to every scope.
# NOTE(review): the steps below only need the repository contents; `contents: read`
# would be the narrower setting - confirm nothing else relies on the wider grant.
permissions: read-all
jobs:
  build_ubuntu:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        include:
        - architecture: 'x86'
          compiler: 'clang'
          configure_options: ''
        - architecture: 'x64'
          compiler: 'clang'
          configure_options: ''
        - architecture: 'x86'
          compiler: 'gcc'
          configure_options: ''
        - architecture: 'x64'
          compiler: 'gcc'
          configure_options: ''
        - architecture: 'x64'
          compiler: 'gcc'
          configure_options: '--with-pthread=no'
        - architecture: 'x64'
          compiler: 'gcc'
          configure_options: '--enable-wide-character-type'
        - architecture: 'x64'
          compiler: 'gcc'
          configure_options: '--enable-static-executables=yes --enable-multi-threading-support=no'
    steps:
    # NOTE(review): actions in this file are referenced by version tag (@v5), which the
    # action's publisher can move. Pinning to a full commit SHA fixes the exact code that runs.
    - uses: actions/checkout@v5
    - name: Install build dependencies
      run: |
        sudo apt-get -y install autoconf automake autopoint build-essential git libtool pkg-config
    # synctestdata.sh is only run when it exists and is executable in the checkout.
    - name: Download test data
      run: |
        if test -x "synctestdata.sh"; then ./synctestdata.sh; fi
    # ${{ matrix.configure_options }} is substituted into the script text before the shell
    # runs it. The values come from the matrix defined in this file, not from event data.
    - name: Building from source
      env:
        CC: ${{ matrix.compiler }}
      run: |
        tests/build.sh ${{ matrix.configure_options }}
    - name: Run tests
      run: |
        tests/runtests.sh
  # Same build as above, then "make distcheck" instead of the test runner script.
  build_dist:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        include:
        - architecture: 'x64'
          compiler: 'gcc'
          configure_options: ''
    steps:
    - uses: actions/checkout@v5
    - name: Install build dependencies
      run: |
        sudo apt-get -y install autoconf automake autopoint build-essential git libtool pkg-config
    - name: Download test data
      run: |
        if test -x "synctestdata.sh"; then ./synctestdata.sh; fi
    - name: Building from source
      env:
        CC: ${{ matrix.compiler }}
      run: |
        tests/build.sh ${{ matrix.configure_options }}
    - name: Run tests
      run: |
        make distcheck
  # Builds with --enable-python and runs the tests with PYTHON_VERSION exported
  # (an empty string in the only matrix entry).
  build_python_ubuntu:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        include:
        - architecture: 'x64'
          compiler: 'gcc'
          configure_options: '--enable-python'
          python_version: ''
    steps:
    - uses: actions/checkout@v5
    - name: Install build dependencies
      run: |
        sudo add-apt-repository universe &&
        sudo apt-get update &&
        sudo apt-get -y install autoconf automake autopoint build-essential git libtool pkg-config python3-dev python-dev-is-python3
    - name: Download test data
      run: |
        if test -x "synctestdata.sh"; then ./synctestdata.sh; fi
    - name: Building from source
      env:
        CC: ${{ matrix.compiler }}
      run: |
        tests/build.sh ${{ matrix.configure_options }}
    - name: Run tests
      env:
        PYTHON_VERSION: ${{ matrix.python_version }}
      run: |
        tests/runtests.sh
  # Builds the sources, then builds the Python module with setup.py under Python 3.10.
  # No test step is run in this job.
  build_setup_py_ubuntu:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        include:
        - architecture: 'x64'
          compiler: 'gcc'
          configure_options: ''
          python-version: '3.10'
    steps:
    - uses: actions/checkout@v5
    - name: Set up Python ${{ matrix.python-version }}
      uses: actions/setup-python@v5
      with:
        python-version: ${{ matrix.python-version }}
    - name: Install build dependencies
      run: |
        sudo add-apt-repository universe &&
        sudo apt-get update &&
        sudo apt-get -y install autoconf automake autopoint build-essential git libtool pkg-config python3-dev python-dev-is-python3
    - name: Building from source
      env:
        CC: ${{ matrix.compiler }}
      run: |
        tests/build.sh ${{ matrix.configure_options }}
    - name: Build Python module
      run: |
        python setup.py build
  # Static, unoptimised build with --coverage; the gcov output is uploaded to Codecov.
  coverage_ubuntu:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        include:
        - architecture: 'x86'
          compiler: 'gcc'
          configure_options: '--enable-wide-character-type'
        - architecture: 'x64'
          compiler: 'gcc'
          configure_options: '--enable-wide-character-type'
    steps:
    - uses: actions/checkout@v5
    - name: Install build dependencies
      run: |
        sudo apt-get -y install autoconf automake autopoint build-essential git libtool pkg-config
    - name: Download test data
      run: |
        if test -x "synctestdata.sh"; then ./synctestdata.sh; fi
    - name: Building from source
      env:
        CC: ${{ matrix.compiler }}
      run: |
        tests/build.sh ${{ matrix.configure_options }} --enable-shared=no CFLAGS="--coverage -O0" CPPFLAGS="-DOPTIMIZATION_DISABLED" LDFLAGS="--coverage"
    - name: Run tests
      run: |
        make check CHECK_WITH_STDERR=1 SKIP_TOOLS_END_TO_END_TESTS=1
    # Runs gcov on the .gcno files found directly inside each top-level directory.
    - name: Generate coverage data
      run: |
        for DIRECTORY in `find . -maxdepth 1 -type d`; do \
          (cd ${DIRECTORY} && find . -maxdepth 1 -name \*.gcno -type f -exec gcov -pb {} \;) \
        done
    # NOTE(review): this is the only step in the workflow that receives a repository secret,
    # and the action is referenced by tag. A commit-SHA pin limits what code can read
    # CODECOV_TOKEN. The workflow also runs on pull_request; GitHub does not pass secrets
    # to runs triggered from forks, so the token is presumably empty there - confirm the
    # upload is expected to work without it.
    - name: Upload coverage report to Codecov
      uses: codecov/codecov-action@v5
      with:
        name: linux-${{ matrix.architecture }}-gcc-no-optimization
        token: ${{ secrets.CODECOV_TOKEN }}
================================================
FILE: .github/workflows/build_freebsd.yml
================================================
# Build from source on FreeBSD.
name: build_freebsd
on: [push]
permissions: read-all
jobs:
  build_freebsd:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v5
    # The build and the tests both run inside the VM started by this action.
    # NOTE(review): third-party action referenced by a major-version tag (@v1);
    # a full commit SHA would fix the exact revision that handles the checkout.
    - name: Building from source
      id: build_freebsd
      uses: vmactions/freebsd-vm@v1
      with:
        usesh: true
        mem: 4096
        # Note that the test scripts require bash
        prepare: |
          pkg install -y autoconf automake bash gettext git libtool pkgconf
        run: |
          tests/build.sh
          tests/runtests.sh
================================================
FILE: .github/workflows/build_macos.yml
================================================
# Build from source.
name: build_macos
on: [push, pull_request]
permissions: read-all
jobs:
  build_macos:
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        include:
        - os: macos-14
          configure_options: ''
        - os: macos-15
          configure_options: ''
        - os: macos-15-intel
          configure_options: ''
        - os: macos-26
          configure_options: ''
    steps:
    - uses: actions/checkout@v5
    # NOTE(review): "|| true" lets the job continue when "brew install" fails, so a missing
    # build tool only shows up later as a build error.
    # NOTE(review): the symlink uses the /usr/local prefix; on Apple Silicon runners Homebrew
    # presumably installs under a different prefix - confirm the link target exists there.
    - name: Install build dependencies
      run: |
        brew update -q
        brew install -q autoconf automake gettext gnu-sed libtool pkg-config || true
        brew link --force gettext
        ln -s /usr/local/bin/glibtoolize /usr/local/bin/libtoolize
    - name: Download test data
      run: |
        if test -x "synctestdata.sh"; then ./synctestdata.sh; fi
    # NOTE(review): no matrix entry above defines "compiler", so CC is set to an empty
    # string here; presumably the build then uses the default compiler - confirm this is intended.
    - name: Building from source
      env:
        CC: ${{ matrix.compiler }}
      run: |
        tests/build.sh ${{ matrix.configure_options }}
    - name: Run tests
      run: |
        tests/runtests.sh
================================================
FILE: .github/workflows/build_ossfuzz.yml
================================================
# Build OSSFuzz fuzz targets from source.
# Runs only on pushes to main. It checks out google/oss-fuzz, derives a libevtx project
# from the libyal project files, and builds and checks the fuzzers with the
# address sanitizer.
name: build_ossfuzz
on:
  push:
    branches: [main]
# read-all gives the workflow token read access to every scope.
permissions: read-all
jobs:
  build_ossfuzz:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        include:
        - architecture: 'x64'
          compiler: 'gcc'
          configure_options: ''
    steps:
    - name: Install build dependencies
      run: |
        sudo apt-get -y install git
    # Checks out google/oss-fuzz into ./oss-fuzz, not this repository. No "ref" is given,
    # so the default branch of that repository is used.
    # NOTE(review): the action is referenced by tag (@v5) and the oss-fuzz tree is unpinned,
    # so the build infrastructure executed below can change between runs. Pinning both to
    # commit SHAs would make a run reproducible.
    - uses: actions/checkout@v5
      with:
        repository: google/oss-fuzz
        path: oss-fuzz
    # The Dockerfile is assembled from the first 20 and last 3 lines of the libyal one, with
    # a "git clone" of libevtx inserted between them. This depends on the line layout of the
    # upstream file - verify after upstream changes.
    # NOTE(review): the clone fetches the tip of libevtx's default branch over the network,
    # which is not necessarily the commit that triggered this run.
    - name: Build OSSFuzz fuzz targets
      working-directory: oss-fuzz
      run: |
        mkdir -p projects/libevtx
        cp projects/libyal/build.sh projects/libevtx/
        cp projects/libyal/project.yaml projects/libevtx/
        head -n 20 projects/libyal/Dockerfile > projects/libevtx/Dockerfile
        echo "RUN git clone --depth 1 https://github.com/libyal/libevtx.git libevtx" >> projects/libevtx/Dockerfile
        tail -n 3 projects/libyal/Dockerfile >> projects/libevtx/Dockerfile
        python3 infra/helper.py build_image --pull libevtx
        python3 infra/helper.py build_fuzzers --sanitizer address libevtx
        python3 infra/helper.py check_build libevtx
================================================
FILE: .github/workflows/build_shared.yml
================================================
# Build from source with libyal dependencies as shared libraries.
name: build_shared on: push: branches: [main] permissions: read-all jobs: build_shared_ubuntu: runs-on: ubuntu-latest strategy: matrix: include: - architecture: 'x64' compiler: 'gcc' configure_options: '' - architecture: 'x64' compiler: 'gcc' configure_options: '--enable-wide-character-type' steps: - uses: actions/checkout@v5 - name: Install build dependencies run: | sudo apt-get -y install autoconf automake autopoint build-essential git libtool pkg-config - name: Download test data run: | if test -x "synctestdata.sh"; then ./synctestdata.sh; fi - name: Prepare shared libraries run: | tests/syncsharedlibs.sh --use-head - name: Building from source env: CC: ${{ matrix.compiler }} run: | tests/build.sh ${{ matrix.configure_options }} - name: Run tests run: | tests/runtests.sh ================================================ FILE: .github/workflows/build_wheel.yml ================================================ # Build Python wheels from source using cibuildwheel. name: build_wheels on: [push, pull_request] permissions: read-all jobs: build_wheels_linux: name: Build wheels on ${{ matrix.os }} runs-on: ${{ matrix.os }} strategy: matrix: include: - os: ubuntu-24.04-arm - os: ubuntu-latest steps: - uses: actions/checkout@v5 - name: Install build dependencies run: | sudo apt-get -y install autoconf automake autopoint build-essential git libtool pkg-config - name: Prepare build run: | ./synclibs.sh ./autogen.sh ./configure make sources >/dev/null - name: Build Python wheels uses: pypa/cibuildwheel@v3.3.0 env: CIBW_TEST_COMMAND: python tests/runtests.py CIBW_TEST_SOURCES: tests with: package-dir: . 
output-dir: dist - uses: actions/upload-artifact@v4 with: name: cibw-wheels-${{ matrix.os }}-${{ strategy.job-index }} path: dist/*.whl build_wheels_macos: name: Build wheels on ${{ matrix.os }} runs-on: ${{ matrix.os }} strategy: matrix: include: - os: macos-14 - os: macos-15-intel steps: - uses: actions/checkout@v5 - name: Install build dependencies run: | brew update -q brew install -q autoconf automake gettext gnu-sed libtool pkg-config || true brew link --force gettext ln -s /usr/local/bin/glibtoolize /usr/local/bin/libtoolize - name: Prepare build run: | ./synclibs.sh ./autogen.sh ./configure make sources >/dev/null - name: Build Python wheels uses: pypa/cibuildwheel@v3.3.0 env: CIBW_TEST_COMMAND: python tests/runtests.py CIBW_TEST_SOURCES: tests with: package-dir: . output-dir: dist - uses: actions/upload-artifact@v4 with: name: cibw-wheels-${{ matrix.os }}-${{ strategy.job-index }} path: dist/*.whl build_wheels_windows: name: Build wheels on ${{ matrix.os }} runs-on: ${{ matrix.os }} strategy: matrix: include: - os: windows-11-arm - os: windows-latest steps: - uses: actions/checkout@v5 - name: Prepare build run: | .\synclibs.ps1 .\autogen.ps1 - name: Build Python wheels uses: pypa/cibuildwheel@v3.3.0 env: CIBW_TEST_COMMAND: python tests/runtests.py CIBW_TEST_SOURCES: tests with: package-dir: . 
output-dir: dist - uses: actions/upload-artifact@v4 with: name: cibw-wheels-${{ matrix.os }}-${{ strategy.job-index }} path: dist/*.whl ================================================ FILE: .gitignore ================================================ # Files to ignore by git # # Version: 20231119 # Generic auto-generated build files *~ *.a *.gcda *.gcno *.gcov *.la *.lai *.lib *.lineno *.lo *.log *.loT *.o *.obj *.Plo *.Po *.so *.so.[0-9][0-9]* *.so.[0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]* *.swp *.Tpo *.trs *.whl /*.egg-info/ __pycache__ .deps .dirstamp .libs .tox INSTALL Makefile Makefile.bcc Makefile.in stamp-h[1-9] # Specific auto-generated build files /ABOUT-NLS /aclocal.m4 /autom4te.cache/ /build /compile /confdefs.h /config.cache /config.guess /config.log /config.rpath /config.status /config.sub /configure /conftest.c /depcomp /dist /install-sh /libtool /ltmain.sh /m4/codeset.m4 /m4/extern-inline.m4 /m4/fcntl-o.m4 /m4/gettext.m4 /m4/glibc21.m4 /m4/glibc2.m4 /m4/host-cpu-c-abi.m4 /m4/iconv.m4 /m4/intdiv0.m4 /m4/intldir.m4 /m4/intl.m4 /m4/intlmacosx.m4 /m4/intmax.m4 /m4/inttypes_h.m4 /m4/inttypes-pri.m4 /m4/lcmessage.m4 /m4/lib-ld.m4 /m4/lib-link.m4 /m4/lib-prefix.m4 /m4/libtool.m4 /m4/lock.m4 /m4/longlong.m4 /m4/lt~obsolete.m4 /m4/ltoptions.m4 /m4/ltsugar.m4 /m4/ltversion.m4 /m4/nls.m4 /m4/pkg.m4 /m4/po.m4 /m4/printf-posix.m4 /m4/progtest.m4 /m4/size_max.m4 /m4/stdint_h.m4 /m4/threadlib.m4 /m4/uintmax_t.m4 /m4/visibility.m4 /m4/wchar_t.m4 /m4/wint_t.m4 /m4/xsize.m4 /MANIFEST /missing /po/boldquot.sed /po/en@boldquot.header /po/en@quot.header /po/insert-header.sin /po/Makefile.in.in /po/Makevars /po/Makevars.template /po/POTFILES /po/quot.sed /po/remove-potcdate.sed /po/remove-potcdate.sin /po/Rules-quot /test-driver /ylwrap # Project specific files /common/config.h /common/config.h.in /common/types.h /dpkg/changelog /include/libevtx.h /include/libevtx/definitions.h /include/libevtx/features.h /include/libevtx/types.h /libevtx.pc /libevtx.spec /libevtx/libevtx.rc 
/libevtx/libevtx_definitions.h /setup.cfg /evtxtools/*.exe /evtxtools/evtxexport /evtxtools/evtxinfo /tests/*.exe /tests/evtx_test_chunk /tests/evtx_test_chunks_table /tests/evtx_test_error /tests/evtx_test_file /tests/evtx_test_io_handle /tests/evtx_test_notify /tests/evtx_test_record /tests/evtx_test_record_values /tests/evtx_test_support /tests/evtx_test_template_definition /tests/evtx_test_tools_info_handle /tests/evtx_test_tools_message_handle /tests/evtx_test_tools_message_string /tests/evtx_test_tools_output /tests/evtx_test_tools_path_handle /tests/evtx_test_tools_registry_file /tests/evtx_test_tools_resource_file /tests/evtx_test_tools_signal /tests/input /tests/notify_stream.log /tests/tmp* # Local library dependencies specific files /libbfio /libcdata /libcdirectory /libcerror /libcfile /libclocale /libcnotify /libcpath /libcsplit /libcthreads /libexe /libfcache /libfdata /libfdatetime /libfguid /libfvalue /libfwevt /libfwnt /libregf /libuna /libwrc ================================================ FILE: AUTHORS ================================================ Acknowledgements: libevtx Copyright (C) 2011-2025, Joachim Metz ================================================ FILE: COPYING ================================================ GNU GENERAL PUBLIC LICENSE Version 3, 29 June 2007 Copyright (C) 2007 Free Software Foundation, Inc. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The GNU General Public License is a free, copyleft license for software and other kinds of works. The licenses for most software and other practical works are designed to take away your freedom to share and change the works. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change all versions of a program--to make sure it remains free software for all its users. 
We, the Free Software Foundation, use the GNU General Public License for most of our software; it applies also to any other work released this way by its authors. You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for them if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs, and that you know you can do these things. To protect your rights, we need to prevent others from denying you these rights or asking you to surrender the rights. Therefore, you have certain responsibilities if you distribute copies of the software, or if you modify it: responsibilities to respect the freedom of others. For example, if you distribute copies of such a program, whether gratis or for a fee, you must pass on to the recipients the same freedoms that you received. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. Developers that use the GNU GPL protect your rights with two steps: (1) assert copyright on the software, and (2) offer you this License giving you legal permission to copy, distribute and/or modify it. For the developers' and authors' protection, the GPL clearly explains that there is no warranty for this free software. For both users' and authors' sake, the GPL requires that modified versions be marked as changed, so that their problems will not be attributed erroneously to authors of previous versions. Some devices are designed to deny users access to install or run modified versions of the software inside them, although the manufacturer can do so. This is fundamentally incompatible with the aim of protecting users' freedom to change the software. 
The systematic pattern of such abuse occurs in the area of products for individuals to use, which is precisely where it is most unacceptable. Therefore, we have designed this version of the GPL to prohibit the practice for those products. If such problems arise substantially in other domains, we stand ready to extend this provision to those domains in future versions of the GPL, as needed to protect the freedom of users. Finally, every program is threatened constantly by software patents. States should not allow patents to restrict development and use of software on general-purpose computers, but in those that do, we wish to avoid the special danger that patents applied to a free program could make it effectively proprietary. To prevent this, the GPL assures that patents cannot be used to render the program non-free. The precise terms and conditions for copying, distribution and modification follow. TERMS AND CONDITIONS 0. Definitions. "This License" refers to version 3 of the GNU General Public License. "Copyright" also means copyright-like laws that apply to other kinds of works, such as semiconductor masks. "The Program" refers to any copyrightable work licensed under this License. Each licensee is addressed as "you". "Licensees" and "recipients" may be individuals or organizations. To "modify" a work means to copy from or adapt all or part of the work in a fashion requiring copyright permission, other than the making of an exact copy. The resulting work is called a "modified version" of the earlier work or a work "based on" the earlier work. A "covered work" means either the unmodified Program or a work based on the Program. To "propagate" a work means to do anything with it that, without permission, would make you directly or secondarily liable for infringement under applicable copyright law, except executing it on a computer or modifying a private copy. 
Propagation includes copying, distribution (with or without modification), making available to the public, and in some countries other activities as well. To "convey" a work means any kind of propagation that enables other parties to make or receive copies. Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying. An interactive user interface displays "Appropriate Legal Notices" to the extent that it includes a convenient and prominently visible feature that (1) displays an appropriate copyright notice, and (2) tells the user that there is no warranty for the work (except to the extent that warranties are provided), that licensees may convey the work under this License, and how to view a copy of this License. If the interface presents a list of user commands or options, such as a menu, a prominent item in the list meets this criterion. 1. Source Code. The "source code" for a work means the preferred form of the work for making modifications to it. "Object code" means any non-source form of a work. A "Standard Interface" means an interface that either is an official standard defined by a recognized standards body, or, in the case of interfaces specified for a particular programming language, one that is widely used among developers working in that language. The "System Libraries" of an executable work include anything, other than the work as a whole, that (a) is included in the normal form of packaging a Major Component, but which is not part of that Major Component, and (b) serves only to enable use of the work with that Major Component, or to implement a Standard Interface for which an implementation is available to the public in source code form. A "Major Component", in this context, means a major essential component (kernel, window system, and so on) of the specific operating system (if any) on which the executable work runs, or a compiler used to produce the work, or an object code interpreter used to run it. 
The "Corresponding Source" for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. However, it does not include the work's System Libraries, or general-purpose tools or generally available free programs which are used unmodified in performing those activities but which are not part of the work. For example, Corresponding Source includes interface definition files associated with source files for the work, and the source code for shared libraries and dynamically linked subprograms that the work is specifically designed to require, such as by intimate data communication or control flow between those subprograms and other parts of the work. The Corresponding Source need not include anything that users can regenerate automatically from other parts of the Corresponding Source. The Corresponding Source for a work in source code form is that same work. 2. Basic Permissions. All rights granted under this License are granted for the term of copyright on the Program, and are irrevocable provided the stated conditions are met. This License explicitly affirms your unlimited permission to run the unmodified Program. The output from running a covered work is covered by this License only if the output, given its content, constitutes a covered work. This License acknowledges your rights of fair use or other equivalent, as provided by copyright law. You may make, run and propagate covered works that you do not convey, without conditions so long as your license otherwise remains in force. You may convey covered works to others for the sole purpose of having them make modifications exclusively for you, or provide you with facilities for running those works, provided that you comply with the terms of this License in conveying all material for which you do not control copyright. 
Those thus making or running the covered works for you must do so exclusively on your behalf, under your direction and control, on terms that prohibit them from making any copies of your copyrighted material outside their relationship with you. Conveying under any other circumstances is permitted solely under the conditions stated below. Sublicensing is not allowed; section 10 makes it unnecessary. 3. Protecting Users' Legal Rights From Anti-Circumvention Law. No covered work shall be deemed part of an effective technological measure under any applicable law fulfilling obligations under article 11 of the WIPO copyright treaty adopted on 20 December 1996, or similar laws prohibiting or restricting circumvention of such measures. When you convey a covered work, you waive any legal power to forbid circumvention of technological measures to the extent such circumvention is effected by exercising rights under this License with respect to the covered work, and you disclaim any intention to limit operation or modification of the work as a means of enforcing, against the work's users, your or third parties' legal rights to forbid circumvention of technological measures. 4. Conveying Verbatim Copies. You may convey verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice; keep intact all notices stating that this License and any non-permissive terms added in accord with section 7 apply to the code; keep intact all notices of the absence of any warranty; and give all recipients a copy of this License along with the Program. You may charge any price or no price for each copy that you convey, and you may offer support or warranty protection for a fee. 5. Conveying Modified Source Versions. 
You may convey a work based on the Program, or the modifications to produce it from the Program, in the form of source code under the terms of section 4, provided that you also meet all of these conditions: a) The work must carry prominent notices stating that you modified it, and giving a relevant date. b) The work must carry prominent notices stating that it is released under this License and any conditions added under section 7. This requirement modifies the requirement in section 4 to "keep intact all notices". c) You must license the entire work, as a whole, under this License to anyone who comes into possession of a copy. This License will therefore apply, along with any applicable section 7 additional terms, to the whole of the work, and all its parts, regardless of how they are packaged. This License gives no permission to license the work in any other way, but it does not invalidate such permission if you have separately received it. d) If the work has interactive user interfaces, each must display Appropriate Legal Notices; however, if the Program has interactive interfaces that do not display Appropriate Legal Notices, your work need not make them do so. A compilation of a covered work with other separate and independent works, which are not by their nature extensions of the covered work, and which are not combined with it such as to form a larger program, in or on a volume of a storage or distribution medium, is called an "aggregate" if the compilation and its resulting copyright are not used to limit the access or legal rights of the compilation's users beyond what the individual works permit. Inclusion of a covered work in an aggregate does not cause this License to apply to the other parts of the aggregate. 6. Conveying Non-Source Forms. 
You may convey a covered work in object code form under the terms of sections 4 and 5, provided that you also convey the machine-readable Corresponding Source under the terms of this License, in one of these ways: a) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by the Corresponding Source fixed on a durable physical medium customarily used for software interchange. b) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by a written offer, valid for at least three years and valid for as long as you offer spare parts or customer support for that product model, to give anyone who possesses the object code either (1) a copy of the Corresponding Source for all the software in the product that is covered by this License, on a durable physical medium customarily used for software interchange, for a price no more than your reasonable cost of physically performing this conveying of source, or (2) access to copy the Corresponding Source from a network server at no charge. c) Convey individual copies of the object code with a copy of the written offer to provide the Corresponding Source. This alternative is allowed only occasionally and noncommercially, and only if you received the object code with such an offer, in accord with subsection 6b. d) Convey the object code by offering access from a designated place (gratis or for a charge), and offer equivalent access to the Corresponding Source in the same way through the same place at no further charge. You need not require recipients to copy the Corresponding Source along with the object code. If the place to copy the object code is a network server, the Corresponding Source may be on a different server (operated by you or a third party) that supports equivalent copying facilities, provided you maintain clear directions next to the object code saying where to find the Corresponding Source. 
Regardless of what server hosts the Corresponding Source, you remain obligated to ensure that it is available for as long as needed to satisfy these requirements. e) Convey the object code using peer-to-peer transmission, provided you inform other peers where the object code and Corresponding Source of the work are being offered to the general public at no charge under subsection 6d. A separable portion of the object code, whose source code is excluded from the Corresponding Source as a System Library, need not be included in conveying the object code work. A "User Product" is either (1) a "consumer product", which means any tangible personal property which is normally used for personal, family, or household purposes, or (2) anything designed or sold for incorporation into a dwelling. In determining whether a product is a consumer product, doubtful cases shall be resolved in favor of coverage. For a particular product received by a particular user, "normally used" refers to a typical or common use of that class of product, regardless of the status of the particular user or of the way in which the particular user actually uses, or expects or is expected to use, the product. A product is a consumer product regardless of whether the product has substantial commercial, industrial or non-consumer uses, unless such uses represent the only significant mode of use of the product. "Installation Information" for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made. 
If you convey an object code work under this section in, or with, or specifically for use in, a User Product, and the conveying occurs as part of a transaction in which the right of possession and use of the User Product is transferred to the recipient in perpetuity or for a fixed term (regardless of how the transaction is characterized), the Corresponding Source conveyed under this section must be accompanied by the Installation Information. But this requirement does not apply if neither you nor any third party retains the ability to install modified object code on the User Product (for example, the work has been installed in ROM). The requirement to provide Installation Information does not include a requirement to continue to provide support service, warranty, or updates for a work that has been modified or installed by the recipient, or for the User Product in which it has been modified or installed. Access to a network may be denied when the modification itself materially and adversely affects the operation of the network or violates the rules and protocols for communication across the network. Corresponding Source conveyed, and Installation Information provided, in accord with this section must be in a format that is publicly documented (and with an implementation available to the public in source code form), and must require no special password or key for unpacking, reading or copying. 7. Additional Terms. "Additional permissions" are terms that supplement the terms of this License by making exceptions from one or more of its conditions. Additional permissions that are applicable to the entire Program shall be treated as though they were included in this License, to the extent that they are valid under applicable law. If additional permissions apply only to part of the Program, that part may be used separately under those permissions, but the entire Program remains governed by this License without regard to the additional permissions. 
When you convey a copy of a covered work, you may at your option remove any additional permissions from that copy, or from any part of it. (Additional permissions may be written to require their own removal in certain cases when you modify the work.) You may place additional permissions on material, added by you to a covered work, for which you have or can give appropriate copyright permission. Notwithstanding any other provision of this License, for material you add to a covered work, you may (if authorized by the copyright holders of that material) supplement the terms of this License with terms: a) Disclaiming warranty or limiting liability differently from the terms of sections 15 and 16 of this License; or b) Requiring preservation of specified reasonable legal notices or author attributions in that material or in the Appropriate Legal Notices displayed by works containing it; or c) Prohibiting misrepresentation of the origin of that material, or requiring that modified versions of such material be marked in reasonable ways as different from the original version; or d) Limiting the use for publicity purposes of names of licensors or authors of the material; or e) Declining to grant rights under trademark law for use of some trade names, trademarks, or service marks; or f) Requiring indemnification of licensors and authors of that material by anyone who conveys the material (or modified versions of it) with contractual assumptions of liability to the recipient, for any liability that these contractual assumptions directly impose on those licensors and authors. All other non-permissive additional terms are considered "further restrictions" within the meaning of section 10. If the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term. 
If a license document contains a further restriction but permits relicensing or conveying under this License, you may add to a covered work material governed by the terms of that license document, provided that the further restriction does not survive such relicensing or conveying. If you add terms to a covered work in accord with this section, you must place, in the relevant source files, a statement of the additional terms that apply to those files, or a notice indicating where to find the applicable terms. Additional terms, permissive or non-permissive, may be stated in the form of a separately written license, or stated as exceptions; the above requirements apply either way. 8. Termination. You may not propagate or modify a covered work except as expressly provided under this License. Any attempt otherwise to propagate or modify it is void, and will automatically terminate your rights under this License (including any patent licenses granted under the third paragraph of section 11). However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation. Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice. Termination of your rights under this section does not terminate the licenses of parties who have received copies or rights from you under this License. 
If your rights have been terminated and not permanently reinstated, you do not qualify to receive new licenses for the same material under section 10. 9. Acceptance Not Required for Having Copies. You are not required to accept this License in order to receive or run a copy of the Program. Ancillary propagation of a covered work occurring solely as a consequence of using peer-to-peer transmission to receive a copy likewise does not require acceptance. However, nothing other than this License grants you permission to propagate or modify any covered work. These actions infringe copyright if you do not accept this License. Therefore, by modifying or propagating a covered work, you indicate your acceptance of this License to do so. 10. Automatic Licensing of Downstream Recipients. Each time you convey a covered work, the recipient automatically receives a license from the original licensors, to run, modify and propagate that work, subject to this License. You are not responsible for enforcing compliance by third parties with this License. An "entity transaction" is a transaction transferring control of an organization, or substantially all assets of one, or subdividing an organization, or merging organizations. If propagation of a covered work results from an entity transaction, each party to that transaction who receives a copy of the work also receives whatever licenses to the work the party's predecessor in interest had or could give under the previous paragraph, plus a right to possession of the Corresponding Source of the work from the predecessor in interest, if the predecessor has it or can get it with reasonable efforts. You may not impose any further restrictions on the exercise of the rights granted or affirmed under this License. 
For example, you may not impose a license fee, royalty, or other charge for exercise of rights granted under this License, and you may not initiate litigation (including a cross-claim or counterclaim in a lawsuit) alleging that any patent claim is infringed by making, using, selling, offering for sale, or importing the Program or any portion of it. 11. Patents. A "contributor" is a copyright holder who authorizes use under this License of the Program or a work on which the Program is based. The work thus licensed is called the contributor's "contributor version". A contributor's "essential patent claims" are all patent claims owned or controlled by the contributor, whether already acquired or hereafter acquired, that would be infringed by some manner, permitted by this License, of making, using, or selling its contributor version, but do not include claims that would be infringed only as a consequence of further modification of the contributor version. For purposes of this definition, "control" includes the right to grant patent sublicenses in a manner consistent with the requirements of this License. Each contributor grants you a non-exclusive, worldwide, royalty-free patent license under the contributor's essential patent claims, to make, use, sell, offer for sale, import and otherwise run, modify and propagate the contents of its contributor version. In the following three paragraphs, a "patent license" is any express agreement or commitment, however denominated, not to enforce a patent (such as an express permission to practice a patent or covenant not to sue for patent infringement). To "grant" such a patent license to a party means to make such an agreement or commitment not to enforce a patent against the party. 
If you convey a covered work, knowingly relying on a patent license, and the Corresponding Source of the work is not available for anyone to copy, free of charge and under the terms of this License, through a publicly available network server or other readily accessible means, then you must either (1) cause the Corresponding Source to be so available, or (2) arrange to deprive yourself of the benefit of the patent license for this particular work, or (3) arrange, in a manner consistent with the requirements of this License, to extend the patent license to downstream recipients. "Knowingly relying" means you have actual knowledge that, but for the patent license, your conveying the covered work in a country, or your recipient's use of the covered work in a country, would infringe one or more identifiable patents in that country that you have reason to believe are valid. If, pursuant to or in connection with a single transaction or arrangement, you convey, or propagate by procuring conveyance of, a covered work, and grant a patent license to some of the parties receiving the covered work authorizing them to use, propagate, modify or convey a specific copy of the covered work, then the patent license you grant is automatically extended to all recipients of the covered work and works based on it. A patent license is "discriminatory" if it does not include within the scope of its coverage, prohibits the exercise of, or is conditioned on the non-exercise of one or more of the rights that are specifically granted under this License. 
You may not convey a covered work if you are a party to an arrangement with a third party that is in the business of distributing software, under which you make payment to the third party based on the extent of your activity of conveying the work, and under which the third party grants, to any of the parties who would receive the covered work from you, a discriminatory patent license (a) in connection with copies of the covered work conveyed by you (or copies made from those copies), or (b) primarily for and in connection with specific products or compilations that contain the covered work, unless you entered into that arrangement, or that patent license was granted, prior to 28 March 2007. Nothing in this License shall be construed as excluding or limiting any implied license or other defenses to infringement that may otherwise be available to you under applicable patent law. 12. No Surrender of Others' Freedom. If conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot convey a covered work so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not convey it at all. For example, if you agree to terms that obligate you to collect a royalty for further conveying from those to whom you convey the Program, the only way you could satisfy both those terms and this License would be to refrain entirely from conveying the Program. 13. Use with the GNU Affero General Public License. Notwithstanding any other provision of this License, you have permission to link or combine any covered work with a work licensed under version 3 of the GNU Affero General Public License into a single combined work, and to convey the resulting work. 
The terms of this License will continue to apply to the part which is the covered work, but the special requirements of the GNU Affero General Public License, section 13, concerning interaction through a network will apply to the combination as such. 14. Revised Versions of this License. The Free Software Foundation may publish revised and/or new versions of the GNU General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies that a certain numbered version of the GNU General Public License "or any later version" applies to it, you have the option of following the terms and conditions either of that numbered version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of the GNU General Public License, you may choose any version ever published by the Free Software Foundation. If the Program specifies that a proxy can decide which future versions of the GNU General Public License can be used, that proxy's public statement of acceptance of a version permanently authorizes you to choose that version for the Program. Later license versions may give you additional or different permissions. However, no additional obligations are imposed on any author or copyright holder as a result of your choosing to follow a later version. 15. Disclaimer of Warranty. THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. 
SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 16. Limitation of Liability. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 17. Interpretation of Sections 15 and 16. If the disclaimer of warranty and limitation of liability provided above cannot be given local legal effect according to their terms, reviewing courts shall apply local law that most closely approximates an absolute waiver of all civil liability in connection with the Program, unless a warranty or assumption of liability accompanies a copy of the Program in return for a fee. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively state the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . Also add information on how to contact you by electronic and paper mail. If the program does terminal interaction, make it output a short notice like this when it starts in an interactive mode: Copyright (C) This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, your program's commands might be different; for a GUI interface, you would use an "about box". You should also get your employer (if you work as a programmer) or school, if any, to sign a "copyright disclaimer" for the program, if necessary. For more information on this, and how to apply and follow the GNU GPL, see . The GNU General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License. But first, please read . ================================================ FILE: COPYING.LESSER ================================================ GNU LESSER GENERAL PUBLIC LICENSE Version 3, 29 June 2007 Copyright (C) 2007 Free Software Foundation, Inc. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. 
This version of the GNU Lesser General Public License incorporates the terms and conditions of version 3 of the GNU General Public License, supplemented by the additional permissions listed below. 0. Additional Definitions. As used herein, "this License" refers to version 3 of the GNU Lesser General Public License, and the "GNU GPL" refers to version 3 of the GNU General Public License. "The Library" refers to a covered work governed by this License, other than an Application or a Combined Work as defined below. An "Application" is any work that makes use of an interface provided by the Library, but which is not otherwise based on the Library. Defining a subclass of a class defined by the Library is deemed a mode of using an interface provided by the Library. A "Combined Work" is a work produced by combining or linking an Application with the Library. The particular version of the Library with which the Combined Work was made is also called the "Linked Version". The "Minimal Corresponding Source" for a Combined Work means the Corresponding Source for the Combined Work, excluding any source code for portions of the Combined Work that, considered in isolation, are based on the Application, and not on the Linked Version. The "Corresponding Application Code" for a Combined Work means the object code and/or source code for the Application, including any data and utility programs needed for reproducing the Combined Work from the Application, but excluding the System Libraries of the Combined Work. 1. Exception to Section 3 of the GNU GPL. You may convey a covered work under sections 3 and 4 of this License without being bound by section 3 of the GNU GPL. 2. Conveying Modified Versions. 
If you modify a copy of the Library, and, in your modifications, a facility refers to a function or data to be supplied by an Application that uses the facility (other than as an argument passed when the facility is invoked), then you may convey a copy of the modified version: a) under this License, provided that you make a good faith effort to ensure that, in the event an Application does not supply the function or data, the facility still operates, and performs whatever part of its purpose remains meaningful, or b) under the GNU GPL, with none of the additional permissions of this License applicable to that copy. 3. Object Code Incorporating Material from Library Header Files. The object code form of an Application may incorporate material from a header file that is part of the Library. You may convey such object code under terms of your choice, provided that, if the incorporated material is not limited to numerical parameters, data structure layouts and accessors, or small macros, inline functions and templates (ten or fewer lines in length), you do both of the following: a) Give prominent notice with each copy of the object code that the Library is used in it and that the Library and its use are covered by this License. b) Accompany the object code with a copy of the GNU GPL and this license document. 4. Combined Works. You may convey a Combined Work under terms of your choice that, taken together, effectively do not restrict modification of the portions of the Library contained in the Combined Work and reverse engineering for debugging such modifications, if you also do each of the following: a) Give prominent notice with each copy of the Combined Work that the Library is used in it and that the Library and its use are covered by this License. b) Accompany the Combined Work with a copy of the GNU GPL and this license document. 
c) For a Combined Work that displays copyright notices during execution, include the copyright notice for the Library among these notices, as well as a reference directing the user to the copies of the GNU GPL and this license document. d) Do one of the following: 0) Convey the Minimal Corresponding Source under the terms of this License, and the Corresponding Application Code in a form suitable for, and under terms that permit, the user to recombine or relink the Application with a modified version of the Linked Version to produce a modified Combined Work, in the manner specified by section 6 of the GNU GPL for conveying Corresponding Source. 1) Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (a) uses at run time a copy of the Library already present on the user's computer system, and (b) will operate properly with a modified version of the Library that is interface-compatible with the Linked Version. e) Provide Installation Information, but only if you would otherwise be required to provide such information under section 6 of the GNU GPL, and only to the extent that such information is necessary to install and execute a modified version of the Combined Work produced by recombining or relinking the Application with a modified version of the Linked Version. (If you use option 4d0, the Installation Information must accompany the Minimal Corresponding Source and Corresponding Application Code. If you use option 4d1, you must provide the Installation Information in the manner specified by section 6 of the GNU GPL for conveying Corresponding Source.) 5. Combined Libraries. 
You may place library facilities that are a work based on the Library side by side in a single library together with other library facilities that are not Applications and are not covered by this License, and convey such a combined library under terms of your choice, if you do both of the following: a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities, conveyed under the terms of this License. b) Give prominent notice with the combined library that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work. 6. Revised Versions of the GNU Lesser General Public License. The Free Software Foundation may publish revised and/or new versions of the GNU Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Library as you received it specifies that a certain numbered version of the GNU Lesser General Public License "or any later version" applies to it, you have the option of following the terms and conditions either of that published version or of any later version published by the Free Software Foundation. If the Library as you received it does not specify a version number of the GNU Lesser General Public License, you may choose any version of the GNU Lesser General Public License ever published by the Free Software Foundation. If the Library as you received it specifies that a proxy can decide whether future versions of the GNU Lesser General Public License shall apply, that proxy's public statement of acceptance of any version is permanent authorization for you to choose that version for the Library. 
================================================ FILE: ChangeLog ================================================ TODO * add parameter expansion support * evtxexport: - add support for .mui files in the same directory - export EventRecordID in non-XML output - non-xml export format use evtexport like approach (add functions to get specific event data) * add clean IO handle function * msvscpp: - check and fix debug output generation * mark file as corrupted on CRC mismatch ? * check signal abort * parse binary data from EventData * event message file ? - correctly deal with \\ in C:\Program Files\Common Files\McAfee\SystemCore\\naievent.dll * improve detecting corrupted recovered event records * improve dealing with corrupted event records? * formatted output - check with test data if output is now correct * wevt - improve (template) codepage handling - improve template definition XML template value handling * message handle: - create: message string object - get %WinDir% from registry * resource file - cache message strings - cache template providers - cache template events - cache template definitions * tests - evtexport: handle "Provider identifier" in debug output * XML output change - Keywords add no leading 0's 0x8080000000000000 strings: - support non-contiguous data elements ? libfwevt optimization: - reference value while parsing? - count number of data elements (strings) while parsing - reference binary (data) while parsing * API - get op code (0 => Info) - task category (none if not set) - keywords * recovery: - pass what type of chunk is being read - pass flag to binary xml parsing to ignore parsing errors ? or make this the default behavior - move read xml out of init record function ? * fix message filename retrieval, registry being read wrong ? * implement libevtx_xml_tag_get_attribute_by_utf8_path (and utf16 equivalent) ? * implement libevtx_xml_tag_get_element_by_utf8_path (and utf16 equivalent) ? 
* store name hash in value identifier * deal with corruption scenario * deal with trailing empty data ? * remove libevtx_libfguid.h once libfvalue wraps the format flags * add recovery scan * add debug function for binary XML token types * codepage support * flag internally if the file is corrupted (CRC mismatch) Format: * what about empty binary xml data in the event record? does it only contain a 0x00 byte? Debug: * libfwevt: character reference print trailing data * handle empty XML document: libevtx_record_values_read_xml_document: XML document: libfwevt_xml_tag_debug_print: invalid XML tag. Recovery: * scan for records in chunk free space 20110919 * see `git log' for more recent change log * initial version based on libesedb 20110919 ================================================ FILE: Makefile.am ================================================ ACLOCAL_AMFLAGS = -I m4 SUBDIRS = \ include \ common \ libcerror \ libcthreads \ libcdata \ libclocale \ libcnotify \ libcsplit \ libuna \ libcfile \ libcpath \ libbfio \ libfcache \ libfdata \ libfdatetime \ libfguid \ libfvalue \ libfwevt \ libfwnt \ libevtx \ libexe \ libregf \ libwrc \ libcdirectory \ evtxtools \ pyevtx \ po \ manuals \ tests \ ossfuzz \ msvscpp DPKG_FILES = \ dpkg/changelog \ dpkg/changelog.in \ dpkg/compat \ dpkg/control \ dpkg/copyright \ dpkg/rules \ dpkg/libevtx.install \ dpkg/libevtx-dev.install \ dpkg/libevtx-python3.install \ dpkg/libevtx-tools.install \ dpkg/source/format GETTEXT_FILES = \ config.rpath \ po/Makevars.in PKGCONFIG_FILES = \ libevtx.pc.in SETUP_PY_FILES = \ pyproject.toml \ setup.cfg \ setup.cfg.in \ setup.py SPEC_FILES = \ libevtx.spec \ libevtx.spec.in EXTRA_DIST = \ $(DPKG_FILES) \ $(GETTEXT_FILES) \ $(PKGCONFIG_FILES) \ $(SETUP_PY_FILES) \ $(SPEC_FILES) DISTCLEANFILES = \ config.status \ config.cache \ config.log \ libevtx.pc \ libevtx.spec \ Makefile \ Makefile.in \ po/Makevars pkgconfigdir = $(libdir)/pkgconfig pkgconfig_DATA = \ libevtx.pc libtool: @LIBTOOL_DEPS@ cd 
$(srcdir) && $(SHELL) ./config.status --recheck lib: library library: (cd $(srcdir)/common && $(MAKE) $(AM_MAKEFLAGS)) (cd $(srcdir)/libcerror && $(MAKE) $(AM_MAKEFLAGS)) (cd $(srcdir)/libcthreads && $(MAKE) $(AM_MAKEFLAGS)) (cd $(srcdir)/libcdata && $(MAKE) $(AM_MAKEFLAGS)) (cd $(srcdir)/libclocale && $(MAKE) $(AM_MAKEFLAGS)) (cd $(srcdir)/libcnotify && $(MAKE) $(AM_MAKEFLAGS)) (cd $(srcdir)/libcsplit && $(MAKE) $(AM_MAKEFLAGS)) (cd $(srcdir)/libuna && $(MAKE) $(AM_MAKEFLAGS)) (cd $(srcdir)/libcfile && $(MAKE) $(AM_MAKEFLAGS)) (cd $(srcdir)/libcpath && $(MAKE) $(AM_MAKEFLAGS)) (cd $(srcdir)/libbfio && $(MAKE) $(AM_MAKEFLAGS)) (cd $(srcdir)/libfcache && $(MAKE) $(AM_MAKEFLAGS)) (cd $(srcdir)/libfdata && $(MAKE) $(AM_MAKEFLAGS)) (cd $(srcdir)/libfdatetime && $(MAKE) $(AM_MAKEFLAGS)) (cd $(srcdir)/libfguid && $(MAKE) $(AM_MAKEFLAGS)) (cd $(srcdir)/libfvalue && $(MAKE) $(AM_MAKEFLAGS)) (cd $(srcdir)/libfwevt && $(MAKE) $(AM_MAKEFLAGS)) (cd $(srcdir)/libfwnt && $(MAKE) $(AM_MAKEFLAGS)) (cd $(srcdir)/libevtx && $(MAKE) $(AM_MAKEFLAGS)) (cd $(srcdir)/po && $(MAKE) $(AM_MAKEFLAGS)) ================================================ FILE: NEWS ================================================ ================================================ FILE: README ================================================ libevtx is a library to access the Windows XML Event Log (EVTX) format. 
Project information: * Status: alpha * Licence: LGPLv3+ Planned: * Multi-threading support For more information see: * Project documentation: https://github.com/libyal/libevtx/wiki/Home * How to build from source: https://github.com/libyal/libevtx/wiki/Building ================================================ FILE: acinclude.m4 ================================================ dnl Checks for required headers and functions dnl dnl Version: 20200713 dnl Function to detect if libevtx dependencies are available AC_DEFUN([AX_LIBEVTX_CHECK_LOCAL], [dnl Check for internationalization functions in libevtx/libevtx_i18n.c AC_CHECK_FUNCS([bindtextdomain]) dnl Headers included in libevtx/libevtx_xml_tag.h AC_CHECK_HEADERS([wctype.h]) dnl Functions used in libevtx/libevtx_xml_tag.h AC_CHECK_FUNCS([towupper]) AS_IF( [test "x$ac_cv_func_towupper" != xyes], [AC_MSG_FAILURE( [Missing function: towupper], [1]) ]) ]) dnl Function to detect if evtxtools dependencies are available AC_DEFUN([AX_EVTXTOOLS_CHECK_LOCAL], [AC_CHECK_HEADERS([signal.h sys/signal.h unistd.h]) AC_CHECK_FUNCS([close getopt setvbuf]) AS_IF( [test "x$ac_cv_func_close" != xyes], [AC_MSG_FAILURE( [Missing function: close], [1]) ]) dnl Headers included in evtxtools/log_handle.c AC_CHECK_HEADERS([stdarg.h varargs.h]) AS_IF( [test "x$ac_cv_header_stdarg_h" != xyes && test "x$ac_cv_header_varargs_h" != xyes], [AC_MSG_FAILURE( [Missing headers: stdarg.h and varargs.h], [1]) ]) ]) dnl Function to check if DLL support is needed AC_DEFUN([AX_LIBEVTX_CHECK_DLL_SUPPORT], [AS_IF( [test "x$enable_shared" = xyes && test "x$ac_cv_enable_static_executables" = xno], [AS_CASE( [$host], [*cygwin* | *mingw* | *msys*], [AC_DEFINE( [HAVE_DLLMAIN], [1], [Define to 1 to enable the DllMain function.]) AC_SUBST( [HAVE_DLLMAIN], [1]) AC_SUBST( [LIBEVTX_DLL_EXPORT], ["-DLIBEVTX_DLL_EXPORT"]) AC_SUBST( [LIBEVTX_DLL_IMPORT], ["-DLIBEVTX_DLL_IMPORT"]) ]) ]) ]) ================================================ FILE: appveyor.yml 
================================================ environment: matrix: - TARGET: vs2008 BUILD_ENVIRONMENT: msbuild APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2013 VisualStudioVersion: 9.0 platform: Win32 configuration: Release PYTHON_PATH: "C:\\Python37" - TARGET: vs2010 BUILD_ENVIRONMENT: msbuild APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2013 VisualStudioVersion: 10.0 platform: Win32 configuration: Release PYTHON_PATH: "C:\\Python37" - TARGET: vs2012 BUILD_ENVIRONMENT: msbuild APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2013 VisualStudioVersion: 11.0 platform: Win32 configuration: Release PYTHON_PATH: "C:\\Python37" - TARGET: vs2013 BUILD_ENVIRONMENT: msbuild APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2013 VisualStudioVersion: 12.0 platform: Win32 configuration: Release PYTHON_PATH: "C:\\Python37" - TARGET: vs2015 BUILD_ENVIRONMENT: msbuild APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2015 VisualStudioVersion: 14.0 platform: Win32 configuration: Release PYTHON_PATH: "C:\\Python38" - TARGET: vs2017 BUILD_ENVIRONMENT: msbuild APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2017 VisualStudioVersion: 15.0 platform: Win32 configuration: Release PYTHON_PATH: "C:\\Python38" - TARGET: vs2019 BUILD_ENVIRONMENT: msbuild APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2019 VisualStudioVersion: 16.0 platform: Win32 configuration: Release PYTHON_PATH: "C:\\Python311" - TARGET: vs2022 BUILD_ENVIRONMENT: msbuild APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2022 VisualStudioVersion: 17.0 platform: Win32 configuration: Release PYTHON_PATH: "C:\\Python311" - TARGET: vs2022-vsdebug BUILD_ENVIRONMENT: msbuild APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2022 VisualStudioVersion: 17.0 platform: Win32 configuration: VSDebug PYTHON_PATH: "C:\\Python311" - TARGET: vs2022-x64 BUILD_ENVIRONMENT: msbuild APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2022 VisualStudioVersion: 17.0 platform: x64 configuration: Release PYTHON_PATH: "C:\\Python311" - TARGET: vs2022-python BUILD_ENVIRONMENT: msbuild 
APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2022 VisualStudioVersion: 17.0 platform: x64 configuration: Release PYTHON_PATH: "C:\\Python311-x64" - TARGET: macos-x64-clang BUILD_ENVIRONMENT: xcode APPVEYOR_BUILD_WORKER_IMAGE: macos-sonoma HOMEBREW_NO_INSTALL_CLEANUP: 1 CC: clang CFLAGS: "-I/usr/local/include" LDFLAGS: "-L/usr/local/lib" CONFIGURE_OPTIONS: "" - TARGET: macos-x64-gcc BUILD_ENVIRONMENT: xcode APPVEYOR_BUILD_WORKER_IMAGE: macos-sonoma HOMEBREW_NO_INSTALL_CLEANUP: 1 CC: gcc CFLAGS: "-I/usr/local/include" LDFLAGS: "-L/usr/local/lib" CONFIGURE_OPTIONS: "" - TARGET: macos-x64-gcc-python BUILD_ENVIRONMENT: xcode APPVEYOR_BUILD_WORKER_IMAGE: macos-sonoma PYTHON: "/usr/local/opt/python@3.11/bin/python3" PYTHON_CONFIG: "/usr/local/opt/python@3.11/bin/python3-config" HOMEBREW_NO_INSTALL_CLEANUP: 1 CC: gcc CFLAGS: "-I/usr/local/include" LDFLAGS: "-L/usr/local/lib" CONFIGURE_OPTIONS: "--enable-python" - TARGET: macos-pkgbuild BUILD_ENVIRONMENT: xcode APPVEYOR_BUILD_WORKER_IMAGE: macos-sonoma PYTHON: "/usr/local/opt/python@3.11/bin/python3" PYTHON_CONFIG: "/usr/local/opt/python@3.11/bin/python3-config" HOMEBREW_NO_INSTALL_CLEANUP: 1 CC: gcc CFLAGS: "-I/usr/local/include" LDFLAGS: "-L/usr/local/lib" CONFIGURE_OPTIONS: "--disable-dependency-tracking --prefix=/usr/local --enable-python --with-pyprefix" - TARGET: cygwin64-gcc BUILD_ENVIRONMENT: cygwin64 APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2022 CONFIGURE_OPTIONS: "" - TARGET: cygwin64-gcc-no-optimization BUILD_ENVIRONMENT: cygwin64 APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2022 CONFIGURE_OPTIONS: "--enable-shared=no" CFLAGS: "--coverage -O0" CPPFLAGS: "-DOPTIMIZATION_DISABLED" LDFLAGS: "--coverage" - TARGET: cygwin64-gcc-python BUILD_ENVIRONMENT: cygwin64 APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2022 CONFIGURE_OPTIONS: "--enable-python" - TARGET: cygwin64-gcc-static-executables BUILD_ENVIRONMENT: cygwin64 APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2022 CONFIGURE_OPTIONS: "--enable-static-executables" - TARGET: 
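mingw-w64-gcc
    BUILD_ENVIRONMENT: mingw-w64
    APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2022
    CONFIGURE_OPTIONS: ""
  - TARGET: mingw-w64-gcc-no-optimization
    BUILD_ENVIRONMENT: mingw-w64
    APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2022
    CONFIGURE_OPTIONS: "--enable-shared=no"
    CFLAGS: "--coverage -O0"
    CPPFLAGS: "-DOPTIMIZATION_DISABLED"
    LDFLAGS: "--coverage"
  - TARGET: mingw-w64-gcc-python
    BUILD_ENVIRONMENT: mingw-w64
    APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2022
    CONFIGURE_OPTIONS: "--enable-python"
  - TARGET: mingw-w64-gcc-static-executables
    BUILD_ENVIRONMENT: mingw-w64
    APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2022
    CONFIGURE_OPTIONS: "--enable-static-executables"

matrix:
  allow_failures:
  - TARGET: mingw-w64-gcc-python

install:
# NOTE(review): vstools is cloned from its default branch with no tag or
# commit pin, and its scripts are run by the build; whatever is at the tip of
# that repository executes in this job. Consider checking out a fixed revision.
- cmd: if [%BUILD_ENVIRONMENT%]==[msbuild] ( git clone https://github.com/libyal/vstools.git ..\vstools )
- ps: If (($env:BUILD_ENVIRONMENT -eq "msbuild") -And (Test-Path ".\synctestdata.ps1")) { .\synctestdata.ps1 }
- sh: if ( test ${BUILD_ENVIRONMENT} = "xcode" ) && test -f "./synctestdata.sh"; then ./synctestdata.sh; fi
- sh: if test ${BUILD_ENVIRONMENT} = "xcode"; then brew untap homebrew/homebrew-cask-versions && brew update -q; fi
- sh: if test ${BUILD_ENVIRONMENT} = "xcode"; then brew install -q autoconf automake gettext gnu-sed libtool pkg-config || true; fi
# NOTE(review): the Cygwin installer is downloaded and then executed without
# checking a hash or its Authenticode signature, and the package mirror in the
# next step is addressed over plain http. Cygwin setup is expected to verify
# the signed setup.ini and package hashes itself - confirm that none of the
# flags used here disables that check.
- ps: If ($env:BUILD_ENVIRONMENT -eq "cygwin64") { (New-Object Net.WebClient).DownloadFile("https://cygwin.com/setup-x86_64.exe", "C:\\cygwin64\\setup-x86_64.exe") }
- cmd: if [%BUILD_ENVIRONMENT%]==[cygwin64] ( C:\cygwin64\setup-x86_64.exe -qgnNdO -l C:\cygwin64\var\cache\setup -R c:\cygwin64 -s http://cygwin.mirror.constant.com -P gettext-devel -P python3-devel -P wget )
- cmd: if [%BUILD_ENVIRONMENT%]==[mingw-w64] ( C:\msys64\usr\bin\pacman -S --noconfirm --needed autoconf automake gettext-devel libtool make mingw-w64-x86_64-gcc mingw-w64-x86_64-python3 pkg-config )
# NOTE(review): codecov.exe comes from the moving "latest" path and is run in
# after_test with no integrity check. Pin a released version and verify the
# checksum / signature the vendor publishes for it before the binary is run.
- ps: If ( ( "cygwin64-gcc-no-optimization", "mingw-w64-gcc-no-optimization" ).Contains( $env:TARGET ) ) { $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://uploader.codecov.io/latest/windows/codecov.exe -Outfile ..\codecov.exe }

build_script:
- ps: If ($env:BUILD_ENVIRONMENT -eq "msbuild") { .\synclibs.ps1; .\autogen.ps1 }
- ps: If ($env:TARGET -eq "vs2008") { .\build.ps1 -VisualStudioVersion 2008 -PythonPath $env:PYTHON_PATH -VSToolsOptions "--no-python-dll" }
- ps: If ( ( "vs2010", "vs2012", "vs2013", "vs2015" ).Contains( $env:TARGET ) ) { .\build.ps1 -VisualStudioVersion $env:TARGET.Substring(2, 4) -Configuration $env:CONFIGURATION -Platform $env:PLATFORM -PythonPath $env:PYTHON_PATH -VSToolsOptions "--extend-with-x64 --no-python-dll" }
- ps: If ( ( "vs2017", "vs2019", "vs2022", "vs2022-vsdebug", "vs2022-x64" ).Contains( $env:TARGET ) ) { .\build.ps1 -VisualStudioVersion $env:TARGET.Substring(2, 4) -Configuration $env:CONFIGURATION -Platform $env:PLATFORM -PythonPath $env:PYTHON_PATH -VSToolsOptions "--extend-with-x64 --no-python-dll --with-dokany" }
- ps: If ($env:TARGET -eq "vs2022-python") { .\build.ps1 -VisualStudioVersion $env:TARGET.Substring(2, 4) -Configuration $env:CONFIGURATION -Platform $env:PLATFORM -PythonPath $env:PYTHON_PATH -VSToolsOptions "--extend-with-x64 --python-path $env:PYTHON_PATH --with-dokany" }
- sh: if test ${BUILD_ENVIRONMENT} = "xcode"; then export PATH="/usr/local/opt/gettext/bin:$PATH"; export SED="/usr/local/bin/gsed"; tests/build.sh ${CONFIGURE_OPTIONS}; fi
# config.guess and config.sub are shell scripts that the subsequent build
# presumably runs, so they are fetched over https instead of plain http: an
# on-path attacker could otherwise swap in arbitrary script content.
# NOTE(review): hb=HEAD still tracks a moving revision; pinning a known commit
# id in hb= would make the fetched content reproducible.
- cmd: if [%BUILD_ENVIRONMENT%]==[cygwin64] ( xcopy /i /q /s C:\projects\libevtx C:\cygwin64\home\appveyor\libevtx && C:\cygwin64\bin\bash -e -l -c "cd libevtx && wget -q 'https://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD' -O './config.guess' && wget -q 'https://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD' -O './config.sub'" && C:\cygwin64\bin\bash -e -l -c "cd libevtx && tests/build.sh ${CONFIGURE_OPTIONS}" )
- cmd: if [%BUILD_ENVIRONMENT%]==[mingw-w64] ( xcopy /i /q /s C:\projects\libevtx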
C:\msys64\home\appveyor\libevtx && C:\msys64\usr\bin\bash -e -l -c "cd libevtx && tests/build.sh ${CONFIGURE_OPTIONS}" ) test_script: - cmd: rem Run tests - ps: If ($env:BUILD_ENVIRONMENT -eq "msbuild") { .\runtests.ps1 } - sh: if test ${BUILD_ENVIRONMENT} = "xcode" && test ${TARGET} != "macos-pkgbuild"; then tests/runtests.sh; fi - sh: if test ${TARGET} = "macos-pkgbuild"; then tests/pkgbuild.sh; fi - cmd: if [%BUILD_ENVIRONMENT%]==[cygwin64] ( C:\cygwin64\bin\bash -l -c "cd libevtx && tests/runtests.sh" ) - cmd: if [%BUILD_ENVIRONMENT%]==[mingw-w64] ( C:\msys64\usr\bin\bash -l -c "cd libevtx && tests/runtests.sh" ) after_test: - cmd: if [%TARGET%]==[cygwin64-gcc-no-optimization] ( C:\cygwin64\bin\bash -e -l -c "cd libevtx && for DIRECTORY in `find . -maxdepth 1 -type d`; do (cd ${DIRECTORY} && find . -maxdepth 1 -name \*.gcno -type f -exec gcov -pb {} \;) done" && C:\projects\codecov.exe -R \cygwin64\home\appveyor\libevtx --name %TARGET% ) - cmd: if [%TARGET%]==[mingw-w64-gcc-no-optimization] ( C:\msys64\usr\bin\bash -e -l -c "cd libevtx && for DIRECTORY in `find . -maxdepth 1 -type d`; do (cd ${DIRECTORY} && find . 
-maxdepth 1 -name \*.gcno -type f -exec gcov -pb {} \;) done" && C:\projects\codecov.exe -R \msys64\home\appveyor\libevtx --name %TARGET% ) artifacts: - path: dist\*.whl deploy_script: ================================================ FILE: autogen.ps1 ================================================ # Script to generate the necessary files for a msvscpp build # # Version: 20241014 $WinFlex = "..\win_flex_bison\win_flex.exe" $WinBison = "..\win_flex_bison\win_bison.exe" $Library = Get-Content -Path configure.ac | select -skip 3 -first 1 | % { $_ -Replace " \[","" } | % { $_ -Replace "\],","" } $Version = Get-Content -Path configure.ac | select -skip 4 -first 1 | % { $_ -Replace " \[","" } | % { $_ -Replace "\],","" } $Prefix = ${Library}.Substring(3) Get-Content -Path "include\${Library}.h.in" | Out-File -Encoding ascii "include\${Library}.h" Get-Content -Path "include\${Library}\definitions.h.in" | % { $_ -Replace "@VERSION@","${Version}" } | Out-File -Encoding ascii "include\${Library}\definitions.h" Get-Content -Path "include\${Library}\features.h.in" | % { $_ -Replace "@[A-Z0-9_]*@","0" } | Out-File -Encoding ascii "include\${Library}\features.h" Get-Content -Path "include\${Library}\types.h.in" | % { $_ -Replace "@[A-Z0-9_]*@","0" } | Out-File -Encoding ascii "include\${Library}\types.h" Get-Content -Path "common\types.h.in" | % { $_ -Replace "@PACKAGE@","${Library}" } | Out-File -Encoding ascii "common\types.h" Get-Content -Path "${Library}\${Library}_definitions.h.in" | % { $_ -Replace "@VERSION@","${Version}" } | Out-File -Encoding ascii "${Library}\${Library}_definitions.h" Get-Content -Path "${Library}\${Library}.rc.in" | % { $_ -Replace "@VERSION@","${Version}" } | Out-File -Encoding ascii "${Library}\${Library}.rc" If (Test-Path "setup.cfg.in") { Get-Content -Path "setup.cfg.in" | % { $_ -Replace "@VERSION@","${Version}" } | Out-File -Encoding ascii "setup.cfg" } If (Test-Path "${Prefix}.net") { Get-Content -Path "${Prefix}.net\${Prefix}.net.rc.in" | % { 
$_ -Replace "@VERSION@","${Version}" } | Out-File -Encoding ascii "${Prefix}.net\${Prefix}.net.rc" } $NamePrefix = "" ForEach (${Library} in Get-ChildItem -Directory -Path "lib*") { ForEach (${DirectoryElement} in Get-ChildItem -Path "${Library}\*.l") { $OutputFile = ${DirectoryElement} -Replace ".l$",".c" $NamePrefix = Split-Path -path ${DirectoryElement} -leaf $NamePrefix = ${NamePrefix} -Replace ".l$","_" Write-Host "Running: ${WinFlex} -Cf ${DirectoryElement}" # PowerShell will raise NativeCommandError if win_flex writes to stdout or stderr # therefore 2>&1 is added and the output is stored in a variable. $Output = Invoke-Expression -Command "& '${WinFlex}' -Cf ${DirectoryElement} 2>&1" Write-Host ${Output} # Moving manually since `win_flex -o filename' does not provide the expected behavior. Move-Item "lex.yy.c" ${OutputFile} -force } ForEach (${DirectoryElement} in Get-ChildItem -Path "${Library}\*.y") { $OutputFile = ${DirectoryElement} -Replace ".y$",".c" Write-Host "Running: ${WinBison} -d -v -l -p ${NamePrefix} -o ${OutputFile} ${DirectoryElement}" # PowerShell will raise NativeCommandError if win_bison writes to stdout or stderr # therefore 2>&1 is added and the output is stored in a variable. $Output = Invoke-Expression -Command "& '${WinBison}' -d -v -l -p ${NamePrefix} -o ${OutputFile} ${DirectoryElement} 2>&1" Write-Host ${Output} } } ================================================ FILE: autogen.sh ================================================ #!/bin/sh # Script to generate configure and Makefile using the autotools. # # Version: 20241013 EXIT_SUCCESS=0; EXIT_FAILURE=1; BINDIR=`which aclocal`; BINDIR=`dirname ${BINDIR}`; if ! test -x "${BINDIR}/aclocal" && test "${BINDIR}" != "/usr/bin"; then BINDIR="/usr/bin"; fi if ! test -x "${BINDIR}/aclocal" && test "${BINDIR}" != "/usr/local/bin"; then BINDIR="/usr/local/bin"; fi if ! test -x "${BINDIR}/aclocal" && test "${BINDIR}" != "/opt/local/bin"; then # Default location of MacPorts installed binaries. 
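BINDIR="/opt/local/bin";
fi
if ! test -x "${BINDIR}/aclocal" && test "${BINDIR}" != "/opt/homebrew/bin"; then
	# Default location of Homebrew installed binaries.
	BINDIR="/opt/homebrew/bin";
fi
if ! test -x "${BINDIR}/aclocal" && test "${BINDIR}" != "/mingw32/bin"; then
	# Default location of 32-bit MSYS2-MinGW installed binaries.
	BINDIR="/mingw32/bin";
fi
if ! test -x "${BINDIR}/aclocal" && test "${BINDIR}" != "/mingw64/bin"; then
	# Default location of 64-bit MSYS2-MinGW installed binaries.
	BINDIR="/mingw64/bin";
fi
if ! test -x "${BINDIR}/aclocal"; then
	echo "Unable to find autotools";

	exit ${EXIT_FAILURE};
fi

# All tools are taken from the single directory selected above.
ACLOCAL="${BINDIR}/aclocal";
AUTOCONF="${BINDIR}/autoconf";
AUTOHEADER="${BINDIR}/autoheader";
AUTOMAKE="${BINDIR}/automake";
AUTOPOINT="${BINDIR}/autopoint";
AUTORECONF="${BINDIR}/autoreconf";
LIBTOOLIZE="${BINDIR}/libtoolize";
PKGCONFIG="${BINDIR}/pkg-config";

if test "${OSTYPE}" = "msys"; then
	# Work-around for autopoint failing to detect gettext version
	# using func_trace (which is not available) on MSYS by writing
	# the gettext version to intl/VERSION.
	if ! test -d intl; then
		mkdir intl;
	fi
	GETTEXT_VERSION=`gettext --version | head -n1 | sed 's/^.* //'`;

	echo "gettext-${GETTEXT_VERSION}" > intl/VERSION;

elif ! test -x "${PKGCONFIG}"; then
	if test "${BINDIR}" != "/usr/bin"; then
		# On OpenBSD most of the autotools are located in
		# /usr/local/bin while pkg-config is located in /usr/bin
		PKGCONFIG="/usr/bin/pkg-config";
	fi
	if ! test -x "${PKGCONFIG}"; then
		echo "Unable to find: pkg-config";

		exit ${EXIT_FAILURE};
	fi
fi

# Each generation step below aborts the script with the failing tool's own
# exit status. The status is taken on the right-hand side of "||" because
# inside "if test $? -ne 0; then exit $?; fi" the second $? is the status of
# the test command itself (0), which made a failed step exit with success and
# let a caller continue with stale or partly generated build files.
if test -x "${AUTORECONF}"; then
	${AUTORECONF} --force --install || exit $?;
else
	if ! test -x "${ACLOCAL}"; then
		echo "Unable to find: aclocal";

		exit ${EXIT_FAILURE};
	fi
	if ! test -x "${AUTOCONF}"; then
		echo "Unable to find: autoconf";

		exit ${EXIT_FAILURE};
	fi
	if ! test -x "${AUTOHEADER}"; then
		echo "Unable to find: autoheader";

		exit ${EXIT_FAILURE};
	fi
	if ! test -x "${AUTOMAKE}"; then
		echo "Unable to find: automake";

		exit ${EXIT_FAILURE};
	fi
	if ! test -x "${AUTOPOINT}"; then
		echo "Unable to find: autopoint";

		exit ${EXIT_FAILURE};
	fi
	if ! test -x "${LIBTOOLIZE}"; then
		echo "Unable to find: libtoolize";

		exit ${EXIT_FAILURE};
	fi
	${AUTOPOINT} --force || exit $?;
	${ACLOCAL} --force --install -I m4 || exit $?;
	${LIBTOOLIZE} --force || exit $?;
	${AUTOHEADER} --force || exit $?;
	${AUTOCONF} --force || exit $?;
	${AUTOMAKE} --force --add-missing || exit $?;
fi

exit ${EXIT_SUCCESS};

================================================
FILE: build.ps1
================================================
# Script that builds libevtx
#
# Version: 20251125

Param (
	[string]$Configuration = ${Env:Configuration},
	[string]$Platform = ${Env:Platform},
	[string]$PlatformToolset = "",
	[string]$PythonPath = "C:\Python311",
	[string]$VisualStudioVersion = "",
	[string]$VSToolsOptions = "--extend-with-x64",
	[string]$VSToolsPath = "..\vstools"
)

$ExitSuccess = 0
$ExitFailure = 1

$Python = "${PythonPath}\python.exe"

$Git = "git"
$GitUrl = "https://github.com/libyal/vstools.git"

$MSVSCppConvert = "${VSToolsPath}\vstools\scripts\msvscpp_convert.py"

If (-Not (Test-Path $Python))
{
	Write-Host "Missing Python: ${Python}" -foreground Red

	Exit ${ExitFailure}
}
If (-Not (Test-Path ${VSToolsPath}))
{
	# PowerShell will raise NativeCommandError if git writes to stdout or stderr
	# therefore 2>&1 is added and the output is stored in a variable.
	# NOTE(review): ${VSToolsPath} is a script parameter that is expanded into
	# the string handed to Invoke-Expression, so its content is parsed as
	# PowerShell; only pass trusted values.
	$Output = Invoke-Expression -Command "${Git} clone ${GitUrl} ${VSToolsPath} 2>&1" | %{ "$_" }
}
Else
{
	Push-Location "${VSToolsPath}"

	Try
	{
		# Make sure vstools are up to date.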
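$Output = Invoke-Expression -Command "${Git} pull 2>&1" | %{ "$_" }
	}
	Finally
	{
		Pop-Location
	}
}
# NOTE(review): vstools is cloned or pulled at whatever revision is current
# and msvscpp_convert.py from it is executed further down; the build therefore
# runs unpinned code from that repository.
If (-Not (Test-Path ${MSVSCppConvert}))
{
	Write-Host "Missing msvscpp_convert.py: ${MSVSCppConvert}" -foreground Red

	Exit ${ExitFailure}
}
If (-Not ${VisualStudioVersion})
{
	$VisualStudioVersion = "2022"

	Write-Host "Visual Studio version not set defauting to: ${VisualStudioVersion}" -foreground Red
}
# Only the versions listed here are accepted; this also bounds the value that
# is later expanded into file system paths and command lines.
If ((${VisualStudioVersion} -ne "2008") -And (${VisualStudioVersion} -ne "2010") -And (${VisualStudioVersion} -ne "2012") -And (${VisualStudioVersion} -ne "2013") -And (${VisualStudioVersion} -ne "2015") -And (${VisualStudioVersion} -ne "2017") -And (${VisualStudioVersion} -ne "2019") -And (${VisualStudioVersion} -ne "2022"))
{
	Write-Host "Unsupported Visual Studio version: ${VisualStudioVersion}" -foreground Red

	Exit ${ExitFailure}
}
# Determine the MSBuild executable that belongs to the requested version.
$MSBuild = ""

If (${VisualStudioVersion} -eq "2008")
{
	$MSBuild = "C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe"
}
ElseIf ((${VisualStudioVersion} -eq "2010") -Or (${VisualStudioVersion} -eq "2012"))
{
	$MSBuild = "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
}
ElseIf (${VisualStudioVersion} -eq "2013")
{
	$MSBuild = "C:\Program Files (x86)\MSBuild\12.0\Bin\MSBuild.exe"
}
ElseIf (${VisualStudioVersion} -eq "2015")
{
	$MSBuild = "C:\Program Files (x86)\MSBuild\14.0\Bin\MSBuild.exe"
}
ElseIf (${VisualStudioVersion} -eq "2017")
{
	$Results = Get-ChildItem -Path "C:\Program Files\Microsoft Visual Studio\${VisualStudioVersion}\*\MSBuild\15.0\Bin\MSBuild.exe" -Recurse -ErrorAction SilentlyContinue -Force

	If ($Results.Count -eq 0)
	{
		$Results = Get-ChildItem -Path "C:\Program Files (x86)\Microsoft Visual Studio\${VisualStudioVersion}\*\MSBuild\15.0\Bin\MSBuild.exe" -Recurse -ErrorAction SilentlyContinue -Force
	}
	If ($Results.Count -gt 0)
	{
		$MSBuild = $Results[0].FullName
	}
}
ElseIf (${VisualStudioVersion} -eq "2019" -Or ${VisualStudioVersion} -eq "2022")
{
	$Results = Get-ChildItem -Path "C:\Program Files\Microsoft Visual Studio\${VisualStudioVersion}\*\MSBuild\Current\Bin\MSBuild.exe" -Recurse -ErrorAction SilentlyContinue -Force

	If ($Results.Count -eq 0)
	{
		$Results = Get-ChildItem -Path "C:\Program Files (x86)\Microsoft Visual Studio\${VisualStudioVersion}\*\MSBuild\Current\Bin\MSBuild.exe" -Recurse -ErrorAction SilentlyContinue -Force
	}
	If ($Results.Count -gt 0)
	{
		$MSBuild = $Results[0].FullName
	}
}
If (-Not ${MSBuild})
{
	Write-Host "Unable to determine path to msbuild.exe" -foreground Red

	Exit ${ExitFailure}
}
ElseIf (-Not (Test-Path ${MSBuild}))
{
	Write-Host "Missing msbuild.exe: ${MSBuild}" -foreground Red

	Exit ${ExitFailure}
}
If (${VisualStudioVersion} -eq "2008")
{
	$VSSolutionPath = "msvscpp"
}
Else
{
	$VSSolutionPath = "vs${VisualStudioVersion}"

	If (-Not (Test-Path "${VSSolutionPath}"))
	{
		${Env:PYTHONPATH} = ${VSToolsPath}

		# NOTE(review): ${VSToolsOptions} and ${MSVSCppConvert} (derived from
		# ${VSToolsPath}) are script parameters expanded into a string that
		# Invoke-Expression parses as PowerShell, so a value containing quotes,
		# ";" or "$(...)" is executed as code. Calling the program with the call
		# operator and an argument array would avoid re-parsing the values.
		Invoke-Expression -Command "& '${Python}' ${MSVSCppConvert} --output-format ${VisualStudioVersion} ${VSToolsOptions} msvscpp\libevtx.sln 2>&1" | %{ "$_" }
	}
}
$VSSolutionFile = "${VSSolutionPath}\libevtx.sln"

If (-Not (Test-Path "${VSSolutionFile}"))
{
	Write-Host "Missing Visual Studio ${VisualStudioVersion} solution file: ${VSSolutionFile}" -foreground Red

	Exit ${ExitFailure}
}
If (-Not ${Configuration})
{
	$Configuration = "Release"

	Write-Host "Configuration not set defauting to: ${Configuration}"
}
If (-Not ${Platform})
{
	$Platform = "Win32"

	Write-Host "Platform not set defauting to: ${Platform}"
}
# A toolset passed with -PlatformToolset is kept; the version based default is
# only chosen when the parameter is empty. The script used to reset the
# variable to "" right here, which discarded any value the caller supplied.
If (-Not ${PlatformToolset})
{
	If (${VisualStudioVersion} -eq "2015")
	{
		$PlatformToolset = "v140"
	}
	ElseIf (${VisualStudioVersion} -eq "2017")
	{
		$PlatformToolset = "v141"
	}
	ElseIf (${VisualStudioVersion} -eq "2019")
	{
		$PlatformToolset = "v142"
	}
	ElseIf (${VisualStudioVersion} -eq "2022")
	{
		$PlatformToolset = "v143"
	}
	Write-Host "PlatformToolset not set defauting to: ${PlatformToolset}"
}
$MSBuildOptions = "/verbosity:quiet /target:Build /property:Configuration=${Configuration},Platform=${Platform}"

If (${PlatformToolset})
{
	$MSBuildOptions = "${MSBuildOptions} /property:PlatformToolset=${PlatformToolset}"
}
# NOTE(review): ${Configuration}, ${Platform} and ${PlatformToolset} reach the
# Invoke-Expression strings below through ${MSBuildOptions} without validation;
# they are parsed as PowerShell, so only trusted values should be passed.
If (${Env:APPVEYOR} -eq "True")
{
	Invoke-Expression -Command "& '${MSBuild}' ${MSBuildOptions} ${VSSolutionFile} /logger:'C:\Program Files\AppVeyor\BuildAgent\Appveyor.MSBuildLogger.dll' 2>&1" | %{ "$_" }
}
Else
{
	Invoke-Expression -Command "& '${MSBuild}' ${MSBuildOptions} ${VSSolutionFile} 2>&1" | %{ "$_" }
}
# MSBuild is the last native program started, so its status is what
# $LASTEXITCODE holds here. Report a failed build instead of always exiting
# with success.
If (${LASTEXITCODE})
{
	Exit ${ExitFailure}
}
Exit ${ExitSuccess}

================================================
FILE: common/Makefile.am
================================================
AM_CPPFLAGS = \
	-I../include -I$(top_srcdir)/include

EXTRA_DIST = \
	byte_stream.h \
	common.h \
	config.h \
	config_borlandc.h \
	config_msc.h \
	config_winapi.h \
	file_stream.h \
	memory.h \
	narrow_string.h \
	system_string.h \
	types.h \
	types.h.in \
	wide_string.h

DISTCLEANFILES = \
	config.h \
	types.h \
	Makefile \
	Makefile.in

================================================
FILE: common/byte_stream.h
================================================
/*
 * Byte stream functions
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program.  If not, see <https://www.gnu.org/licenses/>.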
*/ #if !defined( _BYTE_STREAM_H ) #define _BYTE_STREAM_H #include "common.h" #include "types.h" #if defined( __cplusplus ) extern "C" { #endif #define _BYTE_STREAM_HOST_IS_ENDIAN_BIG ( *((uint32_t *) "\x01\x02\x03\x04" ) == 0x01020304 ) #define _BYTE_STREAM_HOST_IS_ENDIAN_LITTLE ( *((uint32_t *) "\x01\x02\x03\x04" ) == 0x04030201 ) #define _BYTE_STREAM_HOST_IS_ENDIAN_MIDDLE ( *((uint32_t *) "\x01\x02\x03\x04" ) == 0x02010403 ) #define _BYTE_STREAM_ENDIAN_BIG (uint8_t) 'b' #define _BYTE_STREAM_ENDIAN_LITTLE (uint8_t) 'l' #define _BYTE_STREAM_ENDIAN_MIDDLE (uint8_t) 'm' typedef union byte_stream_float32 { float floating_point; uint32_t integer; } byte_stream_float32_t; typedef union byte_stream_float64 { double floating_point; uint64_t integer; } byte_stream_float64_t; #define byte_stream_copy_to_uint16_big_endian( byte_stream, value ) \ ( value ) = ( byte_stream )[ 0 ]; \ ( value ) <<= 8; \ ( value ) |= ( byte_stream )[ 1 ]; #define byte_stream_copy_to_uint16_little_endian( byte_stream, value ) \ ( value ) = ( byte_stream )[ 1 ]; \ ( value ) <<= 8; \ ( value ) |= ( byte_stream )[ 0 ]; #define byte_stream_copy_to_uint24_big_endian( byte_stream, value ) \ ( value ) = ( byte_stream )[ 0 ]; \ ( value ) <<= 8; \ ( value ) |= ( byte_stream )[ 1 ]; \ ( value ) <<= 8; \ ( value ) |= ( byte_stream )[ 2 ]; #define byte_stream_copy_to_uint24_little_endian( byte_stream, value ) \ ( value ) = ( byte_stream )[ 2 ]; \ ( value ) <<= 8; \ ( value ) |= ( byte_stream )[ 1 ]; \ ( value ) <<= 8; \ ( value ) |= ( byte_stream )[ 0 ]; #define byte_stream_copy_to_uint32_big_endian( byte_stream, value ) \ ( value ) = ( byte_stream )[ 0 ]; \ ( value ) <<= 8; \ ( value ) |= ( byte_stream )[ 1 ]; \ ( value ) <<= 8; \ ( value ) |= ( byte_stream )[ 2 ]; \ ( value ) <<= 8; \ ( value ) |= ( byte_stream )[ 3 ]; #define byte_stream_copy_to_uint32_little_endian( byte_stream, value ) \ ( value ) = ( byte_stream )[ 3 ]; \ ( value ) <<= 8; \ ( value ) |= ( byte_stream )[ 2 ]; \ ( value ) <<= 8; \ ( value 
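) |= ( byte_stream )[ 1 ]; \
	( value ) <<= 8; \
	( value ) |= ( byte_stream )[ 0 ];

/* The copy_to macros read a fixed number of bytes starting at byte_stream[ 0 ]
 * (6 for uint48, 8 for uint64) and perform no bounds checking. When the bytes
 * come from a parsed file the caller has to make sure that many bytes are
 * available before using the macro.
 *
 * Each macro expands to several statements and is not wrapped in a block,
 * so it must not be used as the unbraced body of an if, else or loop.
 */
#define byte_stream_copy_to_uint48_big_endian( byte_stream, value ) \
	( value )   = ( byte_stream )[ 0 ]; \
	( value ) <<= 8; \
	( value )  |= ( byte_stream )[ 1 ]; \
	( value ) <<= 8; \
	( value )  |= ( byte_stream )[ 2 ]; \
	( value ) <<= 8; \
	( value )  |= ( byte_stream )[ 3 ]; \
	( value ) <<= 8; \
	( value )  |= ( byte_stream )[ 4 ]; \
	( value ) <<= 8; \
	( value )  |= ( byte_stream )[ 5 ];

/* The first statement assigns the most significant byte like every other
 * copy_to macro in this file. It used to OR the byte into value, so bits
 * that were already set in value ended up in the result.
 */
#define byte_stream_copy_to_uint48_little_endian( byte_stream, value ) \
	( value )   = ( byte_stream )[ 5 ]; \
	( value ) <<= 8; \
	( value )  |= ( byte_stream )[ 4 ]; \
	( value ) <<= 8; \
	( value )  |= ( byte_stream )[ 3 ]; \
	( value ) <<= 8; \
	( value )  |= ( byte_stream )[ 2 ]; \
	( value ) <<= 8; \
	( value )  |= ( byte_stream )[ 1 ]; \
	( value ) <<= 8; \
	( value )  |= ( byte_stream )[ 0 ];

#define byte_stream_copy_to_uint64_big_endian( byte_stream, value ) \
	( value )   = ( byte_stream )[ 0 ]; \
	( value ) <<= 8; \
	( value )  |= ( byte_stream )[ 1 ]; \
	( value ) <<= 8; \
	( value )  |= ( byte_stream )[ 2 ]; \
	( value ) <<= 8; \
	( value )  |= ( byte_stream )[ 3 ]; \
	( value ) <<= 8; \
	( value )  |= ( byte_stream )[ 4 ]; \
	( value ) <<= 8; \
	( value )  |= ( byte_stream )[ 5 ]; \
	( value ) <<= 8; \
	( value )  |= ( byte_stream )[ 6 ]; \
	( value ) <<= 8; \
	( value )  |= ( byte_stream )[ 7 ];

#define byte_stream_copy_to_uint64_little_endian( byte_stream, value ) \
	( value )   = ( byte_stream )[ 7 ]; \
	( value ) <<= 8; \
	( value )  |= ( byte_stream )[ 6 ]; \
	( value ) <<= 8; \
	( value )  |= ( byte_stream )[ 5 ]; \
	( value ) <<= 8; \
	( value )  |= ( byte_stream )[ 4 ]; \
	( value ) <<= 8; \
	( value )  |= ( byte_stream )[ 3 ]; \
	( value ) <<= 8; \
	( value )  |= ( byte_stream )[ 2 ]; \
	( value ) <<= 8; \
	( value )  |= ( byte_stream )[ 1 ]; \
	( value ) <<= 8; \
	( value )  |= ( byte_stream )[ 0 ];

#define byte_stream_copy_from_uint16_big_endian( byte_stream, value ) \
	( byte_stream )[ 0 ] = (uint8_t) ( ( ( value ) >> 8 ) & 0x0ff ); \
	(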
byte_stream )[ 1 ] = (uint8_t) ( ( value ) & 0x0ff )

/* NOTE(review): each byte_stream_copy_from_* macro below expands to several
 * statements separated by ';' and is not wrapped in do { } while( 0 ).
 * Use it only as a complete statement inside braces: in an unbraced if/else
 * just the first store would be conditional. Both arguments are evaluated
 * more than once, so they must be free of side effects.
 * No bounds checking is done: the caller has to guarantee that byte_stream
 * has room for the 2 to 8 bytes written, and that value has a type wide
 * enough for the largest shift used (a shift by the full width of the
 * operand type or more is undefined behavior in C).
 */

/* Stores a 16-bit value at byte_stream[ 0..1 ], least significant byte first */
#define byte_stream_copy_from_uint16_little_endian( byte_stream, value ) \
	( byte_stream )[ 1 ] = (uint8_t) ( ( ( value ) >> 8 ) & 0x0ff ); \
	( byte_stream )[ 0 ] = (uint8_t) ( ( value ) & 0x0ff )

/* Stores a 24-bit value at byte_stream[ 0..2 ], most significant byte first */
#define byte_stream_copy_from_uint24_big_endian( byte_stream, value ) \
	( byte_stream )[ 0 ] = (uint8_t) ( ( ( value ) >> 16 ) & 0x0ff ); \
	( byte_stream )[ 1 ] = (uint8_t) ( ( ( value ) >> 8 ) & 0x0ff ); \
	( byte_stream )[ 2 ] = (uint8_t) ( ( value ) & 0x0ff )

/* Stores a 24-bit value at byte_stream[ 0..2 ], least significant byte first */
#define byte_stream_copy_from_uint24_little_endian( byte_stream, value ) \
	( byte_stream )[ 2 ] = (uint8_t) ( ( ( value ) >> 16 ) & 0x0ff ); \
	( byte_stream )[ 1 ] = (uint8_t) ( ( ( value ) >> 8 ) & 0x0ff ); \
	( byte_stream )[ 0 ] = (uint8_t) ( ( value ) & 0x0ff )

/* Stores a 32-bit value at byte_stream[ 0..3 ], most significant byte first */
#define byte_stream_copy_from_uint32_big_endian( byte_stream, value ) \
	( byte_stream )[ 0 ] = (uint8_t) ( ( ( value ) >> 24 ) & 0x0ff ); \
	( byte_stream )[ 1 ] = (uint8_t) ( ( ( value ) >> 16 ) & 0x0ff ); \
	( byte_stream )[ 2 ] = (uint8_t) ( ( ( value ) >> 8 ) & 0x0ff ); \
	( byte_stream )[ 3 ] = (uint8_t) ( ( value ) & 0x0ff )

/* Stores a 32-bit value at byte_stream[ 0..3 ], least significant byte first */
#define byte_stream_copy_from_uint32_little_endian( byte_stream, value ) \
	( byte_stream )[ 3 ] = (uint8_t) ( ( ( value ) >> 24 ) & 0x0ff ); \
	( byte_stream )[ 2 ] = (uint8_t) ( ( ( value ) >> 16 ) & 0x0ff ); \
	( byte_stream )[ 1 ] = (uint8_t) ( ( ( value ) >> 8 ) & 0x0ff ); \
	( byte_stream )[ 0 ] = (uint8_t) ( ( value ) & 0x0ff )

/* Stores a 48-bit value at byte_stream[ 0..5 ], most significant byte first */
#define byte_stream_copy_from_uint48_big_endian( byte_stream, value ) \
	( byte_stream )[ 0 ] = (uint8_t) ( ( ( value ) >> 40 ) & 0x0ff ); \
	( byte_stream )[ 1 ] = (uint8_t) ( ( ( value ) >> 32 ) & 0x0ff ); \
	( byte_stream )[ 2 ] = (uint8_t) ( ( ( value ) >> 24 ) & 0x0ff ); \
	( byte_stream )[ 3 ] = (uint8_t) ( ( ( value ) >> 16 ) & 0x0ff ); \
	( byte_stream )[ 4 ] = (uint8_t) ( ( ( value ) >> 8 ) & 0x0ff ); \
	( byte_stream )[ 5 ] = (uint8_t) ( ( value ) & 0x0ff )

/* Stores a 48-bit value at byte_stream[ 0..5 ], least significant byte first */
#define byte_stream_copy_from_uint48_little_endian( byte_stream, value ) \
	( byte_stream )[ 5 ] = (uint8_t) ( ( ( value ) >> 40 ) & 0x0ff ); \
	( byte_stream )[ 4 ] = (uint8_t) ( ( ( value ) >> 32 ) & 0x0ff ); \
	( byte_stream )[ 3 ] = (uint8_t) ( ( ( value ) >> 24 ) & 0x0ff ); \
	( byte_stream )[ 2 ] = (uint8_t) ( ( ( value ) >> 16 ) & 0x0ff ); \
	( byte_stream )[ 1 ] = (uint8_t) ( ( ( value ) >> 8 ) & 0x0ff ); \
	( byte_stream )[ 0 ] = (uint8_t) ( ( value ) & 0x0ff )

/* Stores a 64-bit value at byte_stream[ 0..7 ], most significant byte first */
#define byte_stream_copy_from_uint64_big_endian( byte_stream, value ) \
	( byte_stream )[ 0 ] = (uint8_t) ( ( ( value ) >> 56 ) & 0x0ff ); \
	( byte_stream )[ 1 ] = (uint8_t) ( ( ( value ) >> 48 ) & 0x0ff ); \
	( byte_stream )[ 2 ] = (uint8_t) ( ( ( value ) >> 40 ) & 0x0ff ); \
	( byte_stream )[ 3 ] = (uint8_t) ( ( ( value ) >> 32 ) & 0x0ff ); \
	( byte_stream )[ 4 ] = (uint8_t) ( ( ( value ) >> 24 ) & 0x0ff ); \
	( byte_stream )[ 5 ] = (uint8_t) ( ( ( value ) >> 16 ) & 0x0ff ); \
	( byte_stream )[ 6 ] = (uint8_t) ( ( ( value ) >> 8 ) & 0x0ff ); \
	( byte_stream )[ 7 ] = (uint8_t) ( ( value ) & 0x0ff )

/* Stores a 64-bit value at byte_stream[ 0..7 ], least significant byte first */
#define byte_stream_copy_from_uint64_little_endian( byte_stream, value ) \
	( byte_stream )[ 7 ] = (uint8_t) ( ( ( value ) >> 56 ) & 0x0ff ); \
	( byte_stream )[ 6 ] = (uint8_t) ( ( ( value ) >> 48 ) & 0x0ff ); \
	( byte_stream )[ 5 ] = (uint8_t) ( ( ( value ) >> 40 ) & 0x0ff ); \
	( byte_stream )[ 4 ] = (uint8_t) ( ( ( value ) >> 32 ) & 0x0ff ); \
	( byte_stream )[ 3 ] = (uint8_t) ( ( ( value ) >> 24 ) & 0x0ff ); \
	( byte_stream )[ 2 ] = (uint8_t) ( ( ( value ) >> 16 ) & 0x0ff ); \
	( byte_stream )[ 1 ] = (uint8_t) ( ( ( value ) >> 8 ) & 0x0ff ); \
	( byte_stream )[ 0 ] = (uint8_t) ( ( value ) & 0x0ff )

/* Bit rotation expressions.
 *
 * NOTE(review): number_of_bits is not range checked. A count of 0 makes the
 * second shift a shift by the full width, which is undefined behavior for
 * 32-bit and 64-bit operands; a count larger than the width gives a negative
 * shift count. Callers that take the count from parsed data should reduce it
 * to 1..width-1 (or special-case 0) before using these macros.
 * For the 8-bit and 16-bit variants the operand is promoted to int, so the
 * result can carry bits above the nominal width unless the caller casts or
 * masks it. The operand is expected to be unsigned - TODO confirm at the
 * call sites.
 */
#define byte_stream_bit_rotate_left_8bit( byte_stream, number_of_bits ) \
	( ( ( byte_stream ) << ( number_of_bits ) ) | ( ( byte_stream ) >> ( 8 - ( number_of_bits ) ) ) )

#define byte_stream_bit_rotate_right_8bit( byte_stream, number_of_bits ) \
	( ( ( byte_stream ) >> ( number_of_bits ) ) | ( ( byte_stream ) << ( 8 - ( number_of_bits ) ) ) )

#define byte_stream_bit_rotate_left_16bit( byte_stream, number_of_bits ) \
	( ( ( byte_stream ) << ( number_of_bits ) ) | ( ( byte_stream ) >> ( 16 - ( number_of_bits ) ) ) )

#define byte_stream_bit_rotate_right_16bit( byte_stream, number_of_bits ) \
	( ( ( byte_stream ) >> ( number_of_bits ) ) | ( ( byte_stream ) << ( 16 - ( number_of_bits ) ) ) )

#define byte_stream_bit_rotate_left_32bit( byte_stream, number_of_bits ) \
	( ( ( byte_stream ) << ( number_of_bits ) ) | ( ( byte_stream ) >> ( 32 - ( number_of_bits ) ) ) )

#define byte_stream_bit_rotate_right_32bit( byte_stream, number_of_bits ) \
	( ( ( byte_stream ) >> ( number_of_bits ) ) | ( ( byte_stream ) << ( 32 - ( number_of_bits ) ) ) )

#define byte_stream_bit_rotate_left_64bit( byte_stream, number_of_bits ) \
	( ( ( byte_stream ) << ( number_of_bits ) ) | ( ( byte_stream ) >> ( 64 - ( number_of_bits ) ) ) )

#define byte_stream_bit_rotate_right_64bit( byte_stream, number_of_bits ) \
	( ( ( byte_stream ) >> ( number_of_bits ) ) | ( ( byte_stream ) << ( 64 - ( number_of_bits ) ) ) )

/* Width-generic rotation: the width in bits is derived as sizeof( value ) << 3 */
#define byte_stream_bit_rotate_left( value, number_of_bits ) \
	( ( ( value ) << ( number_of_bits ) ) | ( ( value ) >> ( ( sizeof( value ) << 3 ) - ( number_of_bits ) ) ) )

#define byte_stream_bit_rotate_right( value, number_of_bits ) \
	( ( ( value ) >> ( number_of_bits ) ) | ( ( value ) << ( ( sizeof( value ) << 3 ) - ( number_of_bits ) ) ) )

#if defined( __cplusplus )
}
#endif

#endif /* !defined( _BYTE_STREAM_H ) */

================================================
FILE: common/common.h
================================================
/*
 * Common include file
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
*
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program.  If not, see <https://www.gnu.org/licenses/>.
 */

#if !defined( _COMMON_H )
#define _COMMON_H

/* config.h is only pulled in when the build defines HAVE_CONFIG_H */
#if defined( HAVE_CONFIG_H )
#include "config.h"
#endif

/* Include the Borland/CodeGear C++ Builder compiler specific configuration
 */
#if defined( __BORLANDC__ )
#include "config_borlandc.h"

/* Include the Microsoft Visual Studio C++ compiler specific configuration
 */
#elif defined( _MSC_VER )
#include "config_msc.h"
#endif

/* Included unconditionally; its definitions are guarded by WINAPI internally */
#include "config_winapi.h"

#endif /* !defined( _COMMON_H ) */

================================================
FILE: common/config_borlandc.h
================================================
/*
 * Configuration for the Borland/CodeGear C++ Builder compiler
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program.  If not, see <https://www.gnu.org/licenses/>.
 */

/* Intentionally empty apart from the include guard */
#if !defined( _CONFIG_BORLANDC_H )
#define _CONFIG_BORLANDC_H

#endif /* !defined( _CONFIG_BORLANDC_H ) */

================================================
FILE: common/config_msc.h
================================================
/*
 * Configuration for the Microsoft Visual Studio C++ compiler
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program.  If not, see <https://www.gnu.org/licenses/>.
 */

#if !defined( _CONFIG_MSC_H )
#define _CONFIG_MSC_H

/* The pragmas below are not bracketed by warning( push ) / warning( pop ),
 * so the warnings stay disabled for the rest of every translation unit that
 * includes this header.
 */

/* Disable warning C4127: conditional expression is constant
 */
#pragma warning( disable : 4127 )

/* Disable warning C4201: nonstandard extension used : nameless struct/union
 */
#pragma warning( disable : 4201 )

#endif /* !defined( _CONFIG_MSC_H ) */

================================================
FILE: common/config_winapi.h
================================================
/*
 * Configuration file for WINAPI
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
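See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program.  If not, see <https://www.gnu.org/licenses/>.
 */

#if !defined( _CONFIG_WINAPI_H )
#define _CONFIG_WINAPI_H

/* Define the earliest supported WINAPI version
#define WINVER 0x0501
 */

/* If necessary make sure WINAPI is defined
 */
#if defined( HAVE_WINDOWS_H ) || defined( __BORLANDC__ ) || defined( _MSC_VER )
#include <windows.h>
#endif

/* Everything below only applies when windows.h has defined WINAPI */
#if defined( WINAPI )

/* Define to the address where bug reports for this package should be sent.
 */
#define PACKAGE_BUGREPORT "joachim.metz@gmail.com"

/* Define the size of the integer for WINAPI
 */
#if !defined( SIZEOF_INT )
#define SIZEOF_INT 4
#endif

/* Define the size of size_t for WINAPI
 * Do not define when pyconfig.h has been included via python.h
 */
#if !defined( HAVE_PYCONFIG_H )

#if !defined( SIZEOF_SIZE_T )
/* _WIN64 is tested first because __WORDSIZE is not provided by every WINAPI
 * toolchain; an undefined __WORDSIZE evaluates to 0 inside #if and would
 * select the 32-bit size on a 64-bit target. SIZEOF_SIZE_T feeds the
 * PRIz* fallbacks in types.h, so a wrong value ends up as a mismatched
 * printf conversion.
 */
#if defined( _WIN64 ) || ( defined( __WORDSIZE ) && ( __WORDSIZE == 64 ) )
#define SIZEOF_SIZE_T 8
#else
#define SIZEOF_SIZE_T 4
#endif
#endif

#endif /* !defined( HAVE_PYCONFIG_H ) */

/* Define the size of the wide character for WINAPI
 */
#if !defined( SIZEOF_WCHAR_T )
#define SIZEOF_WCHAR_T 2
#endif

/* Enable the DllMain function
 */
#define HAVE_DLLMAIN 1

/* Enable verbose output
#define HAVE_VERBOSE_OUTPUT 1
 */

/* Enable debug output
#define HAVE_DEBUG_OUTPUT 1
 */

/* Enable both the narrow and wide character functions
 */
#if !defined( HAVE_WIDE_CHARACTER_TYPE )
#define HAVE_WIDE_CHARACTER_TYPE 1
#endif

/* If not controlled by config.h enable multi-thread support
 */
#if !defined( HAVE_CONFIG_H ) && !defined( HAVE_MULTI_THREAD_SUPPORT )
#define HAVE_MULTI_THREAD_SUPPORT 1
#endif

#endif /* defined( WINAPI ) */

#endif /* !defined( _CONFIG_WINAPI_H ) */

================================================
FILE: common/file_stream.h
================================================
/*
 * FILE stream functions
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.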
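*
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program.  If not, see <https://www.gnu.org/licenses/>.
 */

#if !defined( _FILE_STREAM_H )
#define _FILE_STREAM_H

#include "common.h"

/* g_fopen and g_vfprintf are declared by glib/gstdio.h */
#if defined( HAVE_GLIB_H )
#include <glib.h>
#include <glib/gstdio.h>
#endif

#include <stdio.h>

#if defined( __cplusplus )
extern "C" {
#endif

/* Text mode open strings */
#define FILE_STREAM_OPEN_APPEND			"a"
#define FILE_STREAM_OPEN_READ			"r"
#define FILE_STREAM_OPEN_WRITE			"w"

/* Binary mode open strings: only WINAPI builds add the "b" flag,
 * elsewhere the values are the same as the text mode strings
 */
#if defined( WINAPI )
#define FILE_STREAM_BINARY_OPEN_APPEND		"ab"
#define FILE_STREAM_BINARY_OPEN_READ		"rb"
#define FILE_STREAM_BINARY_OPEN_WRITE		"wb"

#else
#define FILE_STREAM_BINARY_OPEN_APPEND		"a"
#define FILE_STREAM_BINARY_OPEN_READ		"r"
#define FILE_STREAM_BINARY_OPEN_WRITE		"w"

#endif

/* narrow character FILE stream open
 * The result is NULL on failure and has to be checked by the caller
 */
#if defined( HAVE_GLIB_H )
#define file_stream_open( filename, mode ) \
	g_fopen( filename, mode )

#elif defined( HAVE_FOPEN ) || defined( WINAPI )
#define file_stream_open( filename, mode ) \
	fopen( filename, mode )
#endif

/* wide character FILE stream open
 * Only defined for WINAPI builds
 */
#if defined( WINAPI )
#define file_stream_open_wide( filename, mode ) \
	_wfopen( filename, mode )
#endif

/* FILE stream close
 */
#if defined( HAVE_FCLOSE ) || defined( WINAPI )
#define file_stream_close( stream ) \
	fclose( stream )
#endif

/* FILE stream read
 * The element size is 1, so the result is the number of bytes read; a value
 * smaller than size means end of file or an error and must be handled
 */
#if defined( HAVE_FREAD ) || defined( WINAPI )
#define file_stream_read( stream, data, size ) \
	fread( data, 1, size, stream )
#endif

/* FILE stream write
 * The element size is 1, so the result is the number of bytes written
 */
#if defined( HAVE_FWRITE ) || defined( WINAPI )
#define file_stream_write( stream, data, size ) \
	fwrite( data, 1, size, stream )
#endif

/* FILE stream seek
 * NOTE(review): the WINAPI branch uses fseek, whose offset parameter is a
 * long; offsets that do not fit in a long cannot be expressed there, unlike
 * the fseeko/fseeko64 branches. Callers should range check the offset first.
 */
#if defined( WINAPI )
#define file_stream_seek_offset( stream, offset, whence ) \
	fseek( stream, offset, whence )

#elif defined( HAVE_FSEEKO )
#define file_stream_seek_offset( stream, offset, whence ) \
	fseeko( stream, offset, whence )

#elif defined( HAVE_FSEEKO64 )
#define file_stream_seek_offset( stream, offset, whence ) \
	fseeko64( stream, offset, whence )
#endif

/* End of FILE stream
 */
#if defined( HAVE_FEOF ) || defined( WINAPI )
#define file_stream_at_end( stream ) \
	feof( stream )
#endif

/* Get narrow character string from FILE stream
 * size is the capacity of string in characters, including the terminator
 */
#if defined( HAVE_FGETS ) || defined( WINAPI )
#define file_stream_get_string( stream, string, size ) \
	fgets( string, size, stream )
#endif

/* Get wide characters string from FILE stream
 * size is the capacity of string in wide characters, including the terminator
 */
#if defined( HAVE_FGETWS ) || defined( WINAPI )
#define file_stream_get_string_wide( stream, string, size ) \
	fgetws( string, size, stream )
#endif

/* Variable arguments formatted print to stream function
 * format must be a string controlled by the program, never data read from
 * an input file
 */
#if defined( HAVE_GLIB_H )
#define file_stream_vfprintf( stream, format, ... ) \
	g_vfprintf( stream, format, __VA_ARGS__ )

/* Borland BCC previous to version 5.6.0 cannot handle the macro form: MACRO( ... )
 */
#elif defined( __BORLANDC__ ) && ( __BORLANDC__ < 0x0560 )
#define file_stream_vfprintf \
	vfprintf

#elif defined( HAVE_VFPRINTF ) || defined( WINAPI )
#define file_stream_vfprintf( stream, format, ... ) \
	vfprintf( stream, format, __VA_ARGS__ )
#endif

#if defined( __cplusplus )
}
#endif

#endif /* !defined( _FILE_STREAM_H ) */

================================================
FILE: common/memory.h
================================================
/*
 * Memory functions
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.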
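*
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program.  If not, see <https://www.gnu.org/licenses/>.
 */

#if !defined( _MEMORY_H )
#define _MEMORY_H

#include "common.h"

#if defined( HAVE_GLIB_H )
#include <glib.h>
#endif

#if defined( HAVE_STDLIB_H ) || defined( WINAPI )
#include <stdlib.h>
#endif

#if defined( HAVE_STRING_H ) || defined( WINAPI )
#include <string.h>
#endif

#if defined( __cplusplus )
extern "C" {
#endif

/* Note that 128 MiB is an arbitrary selected upper limit here
 *
 * The allocation macros below do not enforce this limit themselves. Code
 * that sizes a buffer from a value read out of a file is expected to compare
 * the size against MEMORY_MAXIMUM_ALLOCATION_SIZE before allocating.
 */
#define MEMORY_MAXIMUM_ALLOCATION_SIZE \
	( 128 * 1024 * 1024 )

/* Memory allocation
 * The memory is not zero-initialized by any of the variants visible here;
 * the malloc and HeapAlloc variants return NULL on failure, which the
 * caller has to check
 */
#if defined( HAVE_GLIB_H )
#define memory_allocate( size ) \
	g_malloc( (gsize) ( size ) )

#elif defined( WINAPI )
#define memory_allocate( size ) \
	HeapAlloc( GetProcessHeap(), 0, (SIZE_T) ( size ) )

#elif defined( HAVE_MALLOC )
#define memory_allocate( size ) \
	malloc( size )
#endif

/* Allocates room for one object of the given type */
#define memory_allocate_structure( type ) \
	(type *) memory_allocate( sizeof( type ) )

#define memory_allocate_structure_as_value( type ) \
	(intptr_t *) memory_allocate( sizeof( type ) )

/* Memory reallocation
 * The arguments and the whole expansion are parenthesized so that the macro
 * can be combined with a cast or another operator at the call site
 */
#if defined( HAVE_GLIB_H )
#define memory_reallocate( buffer, size ) \
	g_realloc( (gpointer) ( buffer ), (gsize) ( size ) )

#elif defined( WINAPI )
/* HeapReAlloc does not allocate empty (NULL) buffers as realloc does
 */
#define memory_reallocate( buffer, size ) \
	( ( ( buffer ) == NULL ) ? \
	  HeapAlloc( GetProcessHeap(), 0, (SIZE_T) ( size ) ) : \
	  HeapReAlloc( GetProcessHeap(), 0, (LPVOID) ( buffer ), (SIZE_T) ( size ) ) )

#elif defined( HAVE_REALLOC )
#define memory_reallocate( buffer, size ) \
	realloc( (void *) ( buffer ), size )
#endif

/* Memory free
 * The macros do not reset the pointer; the caller should set it to NULL
 * after freeing to avoid reuse of a stale pointer
 */
#if defined( HAVE_GLIB_H )
#define memory_free( buffer ) \
	g_free( (gpointer) ( buffer ) )

#elif defined( WINAPI )
/* A NULL buffer is treated as already freed */
#define memory_free( buffer ) \
	( ( ( buffer ) == NULL ) ? TRUE : HeapFree( GetProcessHeap(), 0, (LPVOID) ( buffer ) ) )

#elif defined( HAVE_FREE )
#define memory_free( buffer ) \
	free( (void *) ( buffer ) )
#endif

/* Memory compare
 * Both buffers must hold at least size bytes
 */
#if defined( HAVE_MEMCMP ) || defined( WINAPI )
#define memory_compare( buffer1, buffer2, size ) \
	memcmp( (const void *) ( buffer1 ), (const void *) ( buffer2 ), size )
#endif

/* Memory copy
 * The regions must not overlap and the destination must hold at least count
 * bytes; no bounds checking is done here
 */
#if defined( HAVE_MEMCPY ) || defined( WINAPI )
#define memory_copy( destination, source, count ) \
	memcpy( (void *) ( destination ), (const void *) ( source ), count )
#endif

/* Memory set
 */
#if defined( HAVE_MEMSET ) || defined( WINAPI )
#define memory_set( buffer, value, count ) \
	memset( (void *) ( buffer ), (int) ( value ), count )
#endif

#if defined( __cplusplus )
}
#endif

#endif /* !defined( _MEMORY_H ) */

================================================
FILE: common/narrow_string.h
================================================
/*
 * Narrow character string functions
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.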
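*
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program.  If not, see <https://www.gnu.org/licenses/>.
 */

#if !defined( _NARROW_STRING_H )
#define _NARROW_STRING_H

#include "common.h"
#include "memory.h"
#include "types.h"

#if defined( HAVE_GLIB_H )
#include <glib.h>
#endif

#if defined( HAVE_STDLIB_H ) || defined( WINAPI )
#include <stdlib.h>
#endif

#if defined( HAVE_STRING_H ) || defined( WINAPI )
#include <string.h>
#endif

#if defined( __cplusplus )
extern "C" {
#endif

/* NOTE(review): several macros below take a size argument but map to a
 * function that ignores it on some platforms (strcasecmp, strchr, strrchr,
 * strstr). On those paths the string arguments must be NUL-terminated,
 * otherwise the call reads past the end of the buffer. Strings taken from
 * parsed file data should be terminated explicitly before they reach these
 * macros.
 */

/* String allocation
 * size is a number of characters; the caller has to bound it before use
 */
#define narrow_string_allocate( size ) \
	(char *) memory_allocate( sizeof( char ) * ( size ) )

/* String reallocation
 */
#define narrow_string_reallocate( string, size ) \
	(char *) memory_reallocate( string, ( sizeof( char ) * ( size ) ) )

/* String length
 */
#if defined( HAVE_STRLEN ) || defined( WINAPI )
#define narrow_string_length( string ) \
	strlen( string )
#endif

/* String compare
 * The memcmp variant compares exactly size bytes and does not stop at a
 * terminator, so both buffers must hold at least size bytes
 */
#if defined( HAVE_MEMCMP ) || defined( WINAPI )
#define narrow_string_compare( string1, string2, size ) \
	memcmp( (void *) string1, (void *) string2, size )

#elif defined( HAVE_STRNCMP )
#define narrow_string_compare( string1, string2, size ) \
	strncmp( string1, string2, size )
#endif

/* Caseless string compare
 * The last fallback (strcasecmp) ignores size
 */
#if defined( HAVE_GLIB_H )
#define narrow_string_compare_no_case( string1, string2, size ) \
	g_ascii_strncasecmp( string1, string2, size )

#elif defined( _MSC_VER )
#define narrow_string_compare_no_case( string1, string2, size ) \
	_strnicmp( string1, string2, size )

#elif ( defined( WINAPI ) && !defined( __CYGWIN__ ) ) || defined( HAVE_STRNICMP )
#define narrow_string_compare_no_case( string1, string2, size ) \
	strnicmp( string1, string2, size )

#elif defined( HAVE_STRNCASECMP )
#define narrow_string_compare_no_case( string1, string2, size ) \
	strncasecmp( string1, string2, size )

#elif defined( HAVE_STRCASECMP )
#define narrow_string_compare_no_case( string1, string2, size ) \
	strcasecmp( string1, string2 )
#endif

/* String copy
 * The memcpy variant copies exactly size bytes and adds no terminator; the
 * strncpy variant adds no terminator either when the source is size bytes or
 * longer. The caller has to terminate the destination.
 */
#if defined( HAVE_MEMCPY ) || defined( WINAPI )
#define narrow_string_copy( destination, source, size ) \
	(char *) memcpy( (void *) destination, (void *) source, size )

#elif defined( HAVE_STRNCPY )
#define narrow_string_copy( destination, source, size ) \
	strncpy( destination, source, size )
#endif

/* String character search
 * The strchr fallback ignores size
 */
#if defined( HAVE_MEMCHR ) || defined( WINAPI )
#define narrow_string_search_character( string, character, size ) \
	(char *) memchr( (void *) string, (int) character, size )

#elif defined( HAVE_STRCHR )
#define narrow_string_search_character( string, character, size ) \
	strchr( string, (int) character )
#endif

/* String reverse character search
 */
#if defined( HAVE_MEMRCHR ) && ( HAVE_DECL_MEMRCHR == 1 )
#define narrow_string_search_character_reverse( string, character, size ) \
	(char *) memrchr( (void *) string, (int) character, size )

#elif defined( HAVE_STRRCHR ) || defined( WINAPI )

/* (void)(size) is used to suppress unused variable warnings
 * It is joined with the comma operator so that the macro expands to a single
 * expression and stays correct inside an unbraced if/else or a condition
 */
#define narrow_string_search_character_reverse( string, character, size ) \
	( (void) ( size ), strrchr( string, (int) character ) )
#endif

/* String sub-string search
 * size is ignored; both strings must be NUL-terminated
 */
#if defined( HAVE_STRSTR ) || defined( WINAPI )
#define narrow_string_search_string( string, substring, size ) \
	strstr( string, substring )
#endif

/* String formatted print (snprintf)
 * NOTE(review): the variants differ when the output does not fit in size.
 * snprintf truncates and returns the length that would have been written,
 * while the sprintf_s used for _MSC_VER treats it as a constraint violation
 * and does not truncate. Callers should size the target so that truncation
 * cannot occur and check the return value on every platform.
 */
#if defined( HAVE_GLIB_H )
#define narrow_string_snprintf( target, size, ... ) \
	g_snprintf( target, size, __VA_ARGS__ )

#elif defined( _MSC_VER )
#define narrow_string_snprintf( target, size, ... ) \
	sprintf_s( target, size, __VA_ARGS__ )

#elif defined( __BORLANDC__ ) && ( __BORLANDC__ < 0x0560 )
#define narrow_string_snprintf \
	snprintf

#elif defined( HAVE_SNPRINTF ) || defined( WINAPI )
#define narrow_string_snprintf( target, size, ... ) \
	snprintf( target, size, __VA_ARGS__ )
#endif

/* String input conversion (sscanf)
 * The format should carry explicit field widths for %s style conversions
 */
#if defined( __BORLANDC__ ) && ( __BORLANDC__ < 0x0560 )
#define narrow_string_sscanf \
	sscanf

#elif defined( HAVE_SSCANF ) || defined( WINAPI )
#define narrow_string_sscanf( string, format, ... ) \
	sscanf( string, format, __VA_ARGS__ )
#endif

/* Variable arguments formatted print to string function (vsnprintf)
 * format must be a string controlled by the program, never parsed input
 */
#if defined( HAVE_GLIB_H )
#define narrow_string_vsnprintf( string, size, format, ... ) \
	g_vsnprintf( string, size, format, __VA_ARGS__ )

#elif defined( __BORLANDC__ ) && ( __BORLANDC__ < 0x0560 )
#define narrow_string_vsnprintf \
	vsnprintf

#elif defined( HAVE_VSNPRINTF ) || defined( WINAPI )
#define narrow_string_vsnprintf( string, size, format, ... ) \
	vsnprintf( string, size, format, __VA_ARGS__ )
#endif

#if defined( __cplusplus )
}
#endif

#endif /* !defined( _NARROW_STRING_H ) */

================================================
FILE: common/system_string.h
================================================
/*
 * System character string functions
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program.  If not, see <https://www.gnu.org/licenses/>.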
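*/

#if !defined( _SYSTEM_STRING_H )
#define _SYSTEM_STRING_H

#include "common.h"
#include "narrow_string.h"
#include "types.h"
#include "wide_string.h"

/* The predefined macro is __cplusplus (two leading underscores), as used by
 * the other common headers
 */
#if defined( __cplusplus )
extern "C" {
#endif

/* Every system_string_* macro forwards to its wide_string_* counterpart when
 * HAVE_WIDE_SYSTEM_CHARACTER is defined and to its narrow_string_*
 * counterpart otherwise. size is counted in characters of the selected
 * type, not in bytes.
 */
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )

#if SIZEOF_WCHAR_T != 2
#error Unsupported wide system character size
#endif

/* Intermediate version of the macro required
 * for correct evaluation predefined string
 */
#define _SYSTEM_STRING_INTERMEDIATE( string ) \
	L ## string

#define _SYSTEM_STRING( string ) \
	_SYSTEM_STRING_INTERMEDIATE( string )

#define system_string_allocate( size ) \
	wide_string_allocate( size )

#define system_string_reallocate( string, size ) \
	wide_string_reallocate( string, size )

#define system_string_compare( destination, source, size ) \
	wide_string_compare( destination, source, size )

#define system_string_compare_no_case( destination, source, size ) \
	wide_string_compare_no_case( destination, source, size )

#define system_string_copy( destination, source, size ) \
	wide_string_copy( destination, source, size )

#define system_string_length( string ) \
	wide_string_length( string )

#define system_string_search_character( string, character, size ) \
	wide_string_search_character( string, character, size )

#define system_string_search_character_reverse( string, character, size ) \
	wide_string_search_character_reverse( string, character, size )

#define system_string_search_string( string, substring, size ) \
	wide_string_search_string( string, substring, size )

/* Despite its name system_string_sprintf is size-bounded: it takes the
 * target size and forwards to the snwprintf wrapper
 */
#if defined( __BORLANDC__ ) && ( __BORLANDC__ < 0x0560 )
#define system_string_sprintf \
	wide_string_snwprintf

#else
#define system_string_sprintf( string, size, format, ... ) \
	wide_string_snwprintf( string, size, format, __VA_ARGS__ )
#endif

#if defined( __BORLANDC__ ) && ( __BORLANDC__ < 0x0560 )
#define system_string_vsnprintf \
	wide_string_vsnwprintf

#else
#define system_string_vsnprintf( string, size, format, ... ) \
	wide_string_vsnwprintf( string, size, format, __VA_ARGS__ )
#endif

#else

#define _SYSTEM_STRING( string ) \
	string

#define system_string_allocate( size ) \
	narrow_string_allocate( size )

#define system_string_reallocate( string, size ) \
	narrow_string_reallocate( string, size )

#define system_string_compare( destination, source, size ) \
	narrow_string_compare( destination, source, size )

#define system_string_compare_no_case( destination, source, size ) \
	narrow_string_compare_no_case( destination, source, size )

#define system_string_copy( destination, source, size ) \
	narrow_string_copy( destination, source, size )

#define system_string_length( string ) \
	narrow_string_length( string )

#define system_string_search_character( string, character, size ) \
	narrow_string_search_character( string, character, size )

#define system_string_search_character_reverse( string, character, size ) \
	narrow_string_search_character_reverse( string, character, size )

#define system_string_search_string( string, substring, size ) \
	narrow_string_search_string( string, substring, size )

/* Despite its name system_string_sprintf is size-bounded: it takes the
 * target size and forwards to the snprintf wrapper
 */
#if defined( __BORLANDC__ ) && ( __BORLANDC__ < 0x0560 )
#define system_string_sprintf \
	narrow_string_snprintf

#else
#define system_string_sprintf( string, size, format, ... ) \
	narrow_string_snprintf( string, size, format, __VA_ARGS__ )
#endif

#if defined( __BORLANDC__ ) && ( __BORLANDC__ < 0x0560 )
#define system_string_vsnprintf \
	narrow_string_vsnprintf

#else
#define system_string_vsnprintf( string, size, format, ... ) \
	narrow_string_vsnprintf( string, size, format, __VA_ARGS__ )
#endif

#endif /* defined( HAVE_WIDE_SYSTEM_CHARACTER ) */

/* For backwards compatibility
 */
#define system_string_vsprintf system_string_vsnprintf

#if defined( __cplusplus )
}
#endif

#endif /* !defined( _SYSTEM_STRING_H ) */

================================================
FILE: common/types.h.in
================================================
/*
 * Type and type-support definitions
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program.  If not, see <https://www.gnu.org/licenses/>.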
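*/

#if !defined( _TYPES_H )
#define _TYPES_H

#include "common.h"

#if defined( HAVE_LIMITS_H ) || defined( WINAPI )
#include <limits.h>
#endif

/* Make sure to include inttypes.h or stdint.h before
 * PRI definitions are defined
 */
#include <@PACKAGE@/types.h>

#if defined( WINAPI ) && ( defined( _UNICODE ) || defined( UNICODE ) )

#define HAVE_WIDE_SYSTEM_CHARACTER 1

/* The system character type is wide
 * A system string contains either UTF-16 or UTF-32
 */
typedef wchar_t system_character_t;
typedef wint_t system_integer_t;

#define PRIc_SYSTEM "lc"
#define PRIs_SYSTEM "ls"

#else

/* The system character type is narrow
 * A system string contains either UTF-8 or extended ASCII with a codepage
 */
typedef char system_character_t;
typedef int system_integer_t;

#define PRIc_SYSTEM "c"
#define PRIs_SYSTEM "s"

#endif /* defined( WINAPI ) && ( defined( _UNICODE ) || defined( UNICODE ) ) */

/* Fallback for systems without PRI definitions
 * Do not define when pyconfig.h has been included via python.h
 *
 * These strings are pasted into printf style formats, so each one has to
 * match the width of the argument that is passed; a mismatch is undefined
 * behavior in the formatting call.
 */
#if !defined( HAVE_PYCONFIG_H )

#if !defined( PRId8 )
#define PRId8 "d"
#endif

#if !defined( PRId16 )
#define PRId16 "d"
#endif

#if !defined( PRId32 )
#if defined( WINAPI )
#define PRId32 "I32d"
#else
#define PRId32 "d"
#endif
#endif /* !defined( PRId32 ) */

#if !defined( PRId64 )
#if defined( WINAPI )
#define PRId64 "I64d"
#elif __WORDSIZE == 64
#define PRId64 "ld"
#else
#define PRId64 "lld"
#endif
#endif /* !defined( PRId64 ) */

#if !defined( PRIi8 )
#define PRIi8 "i"
#endif

#if !defined( PRIi16 )
#define PRIi16 "i"
#endif

#if !defined( PRIi32 )
#if defined( WINAPI )
#define PRIi32 "I32i"
#else
#define PRIi32 "i"
#endif
#endif /* !defined( PRIi32 ) */

#if !defined( PRIi64 )
#if defined( WINAPI )
#define PRIi64 "I64i"
#elif __WORDSIZE == 64
#define PRIi64 "li"
#else
#define PRIi64 "lli"
#endif
#endif /* !defined( PRIi64 ) */

#if !defined( PRIu8 )
#define PRIu8 "u"
#endif

#if !defined( PRIu16 )
#define PRIu16 "u"
#endif

#if !defined( PRIu32 )
#if defined( WINAPI )
#define PRIu32 "I32u"
#else
#define PRIu32 "u"
#endif
#endif /* !defined( PRIu32 ) */

#if !defined( PRIu64 )
#if defined( WINAPI )
#define PRIu64 "I64u"
#elif __WORDSIZE == 64
#define PRIu64 "lu"
#else
#define PRIu64 "llu"
#endif
#endif /* !defined( PRIu64 ) */

#if !defined( PRIo8 )
#define PRIo8 "o"
#endif

#if !defined( PRIo16 )
#define PRIo16 "o"
#endif

#if !defined( PRIo32 )
#if defined( WINAPI )
#define PRIo32 "I32o"
#else
#define PRIo32 "o"
#endif
#endif /* !defined( PRIo32 ) */

#if !defined( PRIo64 )
#if defined( WINAPI )
#define PRIo64 "I64o"
#elif __WORDSIZE == 64
#define PRIo64 "lo"
#else
#define PRIo64 "llo"
#endif
#endif /* !defined( PRIo64 ) */

#if !defined( PRIx8 )
#define PRIx8 "x"
#endif

#if !defined( PRIx16 )
#define PRIx16 "x"
#endif

#if !defined( PRIx32 )
#if defined( WINAPI )
#define PRIx32 "I32x"
#else
#define PRIx32 "x"
#endif
#endif /* !defined( PRIx32 ) */

#if !defined( PRIx64 )
#if defined( WINAPI )
#define PRIx64 "I64x"
#elif __WORDSIZE == 64
#define PRIx64 "lx"
#else
#define PRIx64 "llx"
#endif
#endif /* !defined( PRIx64 ) */

#endif /* !defined( HAVE_PYCONFIG_H ) */

/* Fallback for systems without printf %jd definition
 * An undefined SIZEOF_OFF_T evaluates to 0 here and selects the 32-bit forms
 */
#if defined( HAVE_PRINTF_JD )
#define PRIjd "jd"
#define PRIji "ji"
#define PRIju "ju"
#define PRIjx "jx"

#elif SIZEOF_OFF_T == 8
#define PRIjd PRId64
#define PRIji PRIi64
#define PRIju PRIu64
#define PRIjx PRIx64

#else
#define PRIjd PRId32
#define PRIji PRIi32
#define PRIju PRIu32
#define PRIjx PRIx32

#endif /* defined( HAVE_PRINTF_JD ) */

/* Fallback for systems without printf %zd definition
 * An undefined SIZEOF_SIZE_T evaluates to 0 here and selects the 32-bit forms
 */
#if defined( HAVE_PRINTF_ZD )
#define PRIzd "zd"
#define PRIzi "zi"
#define PRIzu "zu"
#define PRIzx "zx"

#elif defined( _MSC_VER )
#define PRIzd "Id"
#define PRIzi "Ii"
#define PRIzu "Iu"
#define PRIzx "Ix"

#elif SIZEOF_SIZE_T == 8
#define PRIzd PRId64
#define PRIzi PRIi64
#define PRIzu PRIu64
#define PRIzx PRIx64

#else
#define PRIzd PRId32
#define PRIzi PRIi32
#define PRIzu PRIu32
#define PRIzx PRIx32

#endif /* defined( HAVE_PRINTF_ZD ) */

/* Fallback for systems without (U)INTx_MAX definitions
 * These limits are what size and offset range checks compare against, so
 * both the value and the signedness of each constant matter.
 */

/* The maximum signed 8-bit integer is 127 (0x7f)
 */
#if !defined( INT8_MAX )
#define INT8_MAX (0x7f)
#endif

/* The maximum unsigned 8-bit integer is 255 (0xff)
 */
#if !defined( UINT8_MAX )
#define UINT8_MAX (0xff)
#endif

/* The maximum signed 16-bit integer is 32767 (0x7fff)
 */
#if !defined( INT16_MAX )
#define INT16_MAX (0x7fff)
#endif

/* The maximum unsigned 16-bit integer is 65535 (0xffff)
 */
#if !defined( UINT16_MAX )
#define UINT16_MAX (0xffff)
#endif

/* The maximum signed 32-bit integer is 2147483647 (0x7fffffff)
 */
#if !defined( INT32_MAX )
#define INT32_MAX (0x7fffffffL)
#endif

/* The maximum unsigned 32-bit integer is 4294967295 (0xffffffff)
 */
#if !defined( UINT32_MAX )
#define UINT32_MAX (0xffffffffUL)
#endif

/* The minimum signed 64-bit integer is -9223372036854775808 (0x8000000000000000)
 * It is written as a signed expression: an unsigned constant would turn a
 * comparison such as ( value < INT64_MIN ) into an unsigned comparison
 */
#if !defined( INT64_MIN )
#if defined( __BORLANDC__ ) && ( __BORLANDC__ < 0x0560 )
/* NOTE(review): this legacy branch still yields an unsigned constant;
 * confirm which signed 64-bit literal form this compiler accepts
 */
#define INT64_MIN (0x8000000000000000UL)
#else
#define INT64_MIN (-0x7fffffffffffffffLL - 1)
#endif
#endif /* !defined( INT64_MIN ) */

/* The maximum signed 64-bit integer is 9223372036854775807 (0x7fffffffffffffff)
 * It carries a signed suffix so that the constant has a signed type
 */
#if !defined( INT64_MAX )
#if defined( __BORLANDC__ ) && ( __BORLANDC__ < 0x0560 )
/* NOTE(review): unsigned constant kept for this legacy compiler - confirm */
#define INT64_MAX (0x7fffffffffffffffUL)
#else
#define INT64_MAX (0x7fffffffffffffffLL)
#endif
#endif /* !defined( INT64_MAX ) */

/* The maximum unsigned 64-bit integer is 18446744073709551615 (0xffffffffffffffff)
 */
#if !defined( UINT64_MAX )
#if defined( __BORLANDC__ ) && ( __BORLANDC__ < 0x0560 )
#define UINT64_MAX (0xffffffffffffffffUL)
#else
#define UINT64_MAX (0xffffffffffffffffULL)
#endif
#endif /* !defined( UINT64_MAX ) */

/* The maximum signed integer
 */
#if !defined( INT_MAX )
#define INT_MAX INT32_MAX
#endif

/* The maximum unsigned integer
 */
#if !defined( UINT_MAX )
#define UINT_MAX UINT32_MAX
#endif

/* The maximum signed long integer
 */
#if !defined( LONG_MAX )
#define LONG_MAX INT32_MAX
#endif

/* The maximum unsigned long integer
 */
#if !defined( ULONG_MAX )
#define ULONG_MAX UINT32_MAX
#endif

/* The maximum signed size type is platform dependent
 */
#if !defined( SSIZE_MAX )

#if defined( WINAPI )

#if defined( _WIN64 )
#define SSIZE_MAX INT64_MAX
#else
#define SSIZE_MAX INT32_MAX
#endif

#else

#if __WORDSIZE == 64
#define SSIZE_MAX INT64_MAX
#else
#define SSIZE_MAX INT32_MAX
#endif

#endif /* WINAPI */

#endif /* SSIZE_MAX */

#endif /* !defined( _TYPES_H ) */

================================================
FILE: common/wide_string.h
================================================
/*
 * Wide character string functions
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program.  If not, see <https://www.gnu.org/licenses/>.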
*/ #if !defined( _WIDE_STRING_H ) #define _WIDE_STRING_H #include "common.h" #include "memory.h" #include "types.h" #if defined( HAVE_WCHAR_H ) || defined( WINAPI ) #include #endif #if defined( __cplusplus ) extern "C" { #endif /* Intermediate version of the macro, required so that a macro passed as string * is expanded before the L prefix is pasted onto it */ #define _WIDE_STRING_INTERMEDIATE( string ) \ L ## string #define _WIDE_STRING( string ) \ _WIDE_STRING_INTERMEDIATE( string ) /* String allocation * size is a number of wchar_t characters, not bytes * NOTE(review): sizeof( wchar_t ) * ( size ) is not checked for overflow here, * a size taken from file data should be bounded by the caller */ #define wide_string_allocate( size ) \ (wchar_t *) memory_allocate( sizeof( wchar_t ) * ( size ) ) /* String reallocation * size is a number of wchar_t characters, the multiplication is unchecked as well */ #define wide_string_reallocate( string, size ) \ (wchar_t *) memory_reallocate( string, ( sizeof( wchar_t ) * ( size ) ) ) /* String length * Expects a NUL-terminated string */ #if defined( HAVE_WCSLEN ) || defined( WINAPI ) #define wide_string_length( string ) \ wcslen( string ) #endif /* String compare * The wmemcmp variant may read size characters from both strings regardless of * a NUL character, the wcsncmp variant stops at the first NUL character; * size should therefore fit within both buffers */ #if defined( HAVE_WMEMCMP ) #define wide_string_compare( string1, string2, size ) \ wmemcmp( (void *) string1, (void *) string2, size ) #elif defined( HAVE_WCSNCMP ) || defined( WINAPI ) #define wide_string_compare( string1, string2, size ) \ wcsncmp( string1, string2, size ) #endif /* Caseless string compare * NOTE(review): the last fallback (wcscasecmp) ignores size and relies on both * strings being NUL-terminated */ #if defined( _MSC_VER ) || ( defined( __BORLANDC__ ) && ( __BORLANDC__ >= 0x0551 ) ) #define wide_string_compare_no_case( string1, string2, size ) \ _wcsnicmp( string1, string2, size ) #elif ( defined( WINAPI ) && !defined( __CYGWIN__ ) ) || defined( HAVE_WCSNICMP ) #define wide_string_compare_no_case( string1, string2, size ) \ wcsnicmp( string1, string2, size ) #elif defined( HAVE_WCSNCASECMP ) #define wide_string_compare_no_case( string1, string2, size ) \ wcsncasecmp( string1, string2, size ) #elif defined( HAVE_WCSCASECMP ) #define wide_string_compare_no_case( string1, string2, size ) \ wcscasecmp( string1, string2 ) #endif /* String copy * Neither variant guarantees a NUL-terminated destination: wmemcpy copies * exactly size characters and wcsncpy does not terminate the destination when * source holds size or more characters; destination needs room for size characters */ #if defined( HAVE_WMEMCPY ) #define wide_string_copy( destination, source, size ) \ (wchar_t *) wmemcpy( (void *) destination, (void *) source, size ) #elif 
defined( HAVE_WCSNCPY ) || defined( WINAPI ) #define wide_string_copy( destination, source, size ) \ wcsncpy( destination, source, size ) #endif /* String character search * NOTE(review): the wcschr fallback ignores size and scans until a NUL character, * so it is only bounded for NUL-terminated strings */ #if defined( HAVE_WMEMCHR ) #define wide_string_search_character( string, character, size ) \ (wchar_t *) wmemchr( (void *) string, (wchar_t) character, size ) #elif defined( HAVE_WCSCHR ) || defined( WINAPI ) #define wide_string_search_character( string, character, size ) \ wcschr( string, (wchar_t) character ) #endif /* String reverse character search * NOTE(review): the wcsrchr fallback does not use size to bound the search, * so it is only bounded for NUL-terminated strings */ #if defined( HAVE_WMEMRCHR ) #define wide_string_search_character_reverse( string, character, size ) \ (wchar_t *) wmemrchr( (void *) string, (wchar_t) character, size ) #elif defined( HAVE_WCSRCHR ) || defined( WINAPI ) /* (void)(size) is used to suppress unused variable warnings * NOTE(review): this variant expands to two statements separated by ";", so unlike * the wmemrchr variant it only works where the macro call ends a statement, such as * the right-hand side of an assignment, and not as an operand or a condition */ #define wide_string_search_character_reverse( string, character, size ) \ wcsrchr( string, (wchar_t) character ); (void)(size) #endif /* String sub-string search * size is not used: wcsstr scans both strings up to their NUL character */ #if defined( HAVE_WCSSTR ) || defined( WINAPI ) #define wide_string_search_string( string, substring, size ) \ wcsstr( string, substring ) #endif /* String formatted print (snwprintf) * size is passed on as the capacity of target * NOTE(review): the functions selected here presumably do not behave the same * when the output does not fit in target (error reporting and NUL-termination), * callers should check the result - TODO confirm per platform */ #if defined( _MSC_VER ) #define wide_string_snwprintf( target, size, ... ) \ swprintf_s( target, size, __VA_ARGS__ ) #elif defined( __BORLANDC__ ) && ( __BORLANDC__ < 0x0560 ) #define wide_string_snwprintf \ snwprintf #elif defined( WINAPI ) #define wide_string_snwprintf( target, size, ... ) \ snwprintf( target, size, __VA_ARGS__ ) #elif defined( HAVE_SWPRINTF ) #define wide_string_snwprintf( target, size, ... ) \ swprintf( target, size, __VA_ARGS__ ) #endif /* Variable arguments formatted print to string function (vsnwprintf) * The variadic part is passed on as-is, presumably a single va_list since that * is what the wrapped functions take * NOTE(review): _vsnwprintf does not write a terminating NUL character when the * output fills the buffer, callers should not assume the string is terminated */ #if defined( __BORLANDC__ ) && ( __BORLANDC__ < 0x0560 ) #define wide_string_vsnwprintf \ _vsnwprintf #elif defined( WINAPI ) #define wide_string_vsnwprintf( string, size, format, ... 
) \ _vsnwprintf( string, size, format, __VA_ARGS__ ) #elif defined( HAVE_VSWPRINTF ) #define wide_string_vsnwprintf( string, size, format, ... ) \ vswprintf( string, size, format, __VA_ARGS__ ) #endif #if defined( __cplusplus ) } #endif #endif /* !defined( _WIDE_STRING_H ) */ ================================================ FILE: configure.ac ================================================ AC_PREREQ([2.71]) AC_INIT( [libevtx], [20251215], [joachim.metz@gmail.com]) AC_CONFIG_SRCDIR( [include/libevtx.h.in]) AM_INIT_AUTOMAKE([gnu 1.6 tar-ustar]) AM_EXTRA_RECURSIVE_TARGETS([sources splint]) AC_CONFIG_MACRO_DIR([m4]) dnl Check for host type AC_CANONICAL_HOST dnl Check for libtool DLL support LT_INIT([win32-dll]) dnl Checks for programs AC_PROG_CC AC_PROG_GCC_TRADITIONAL AC_PROG_CXX AC_PROG_MAKE_SET AC_PROG_INSTALL dnl Check for libtool AC_SUBST(LIBTOOL_DEPS) dnl Check for pkg-config AC_PATH_PROG(PKGCONFIG,[pkg-config]) dnl Support of internationalization (i18n) AM_GNU_GETTEXT([external]) AM_GNU_GETTEXT_VERSION([0.21]) dnl Check for compiler language support AC_C_CONST AC_C_VOLATILE dnl Check for large file support AC_SYS_LARGEFILE dnl Check if shared library support should be disabled AX_COMMON_CHECK_DISABLE_SHARED_LIBS dnl Check if tools should be build as static executables AX_COMMON_CHECK_ENABLE_STATIC_EXECUTABLES dnl Check if WINAPI support should be enabled AX_COMMON_CHECK_ENABLE_WINAPI dnl Check if wide character type should be enabled AX_COMMON_CHECK_ENABLE_WIDE_CHARACTER_TYPE dnl Check if verbose output should be enabled AX_COMMON_CHECK_ENABLE_VERBOSE_OUTPUT dnl Check if debug output should be enabled AX_COMMON_CHECK_ENABLE_DEBUG_OUTPUT dnl Check for type definitions AX_TYPES_CHECK_LOCAL dnl Check if common required headers and functions are available AX_COMMON_CHECK_LOCAL dnl Check if libcerror or required headers and functions are available AX_LIBCERROR_CHECK_ENABLE dnl Check if libcthreads or required headers and functions are available 
AX_LIBCTHREADS_CHECK_ENABLE dnl Check if libcdata or required headers and functions are available AX_LIBCDATA_CHECK_ENABLE dnl Check if libclocale or required headers and functions are available AX_LIBCLOCALE_CHECK_ENABLE dnl Check if libcnotify or required headers and functions are available AX_LIBCNOTIFY_CHECK_ENABLE dnl Check if libcsplit or required headers and functions are available AX_LIBCSPLIT_CHECK_ENABLE dnl Check if libuna or required headers and functions are available AX_LIBUNA_CHECK_ENABLE dnl Check if libcfile or required headers and functions are available AX_LIBCFILE_CHECK_ENABLE dnl Check if libcpath or required headers and functions are available AX_LIBCPATH_CHECK_ENABLE dnl Check if libbfio or required headers and functions are available AX_LIBBFIO_CHECK_ENABLE dnl Check if libfcache or required headers and functions are available AX_LIBFCACHE_CHECK_ENABLE dnl Check if libfdata or required headers and functions are available AX_LIBFDATA_CHECK_ENABLE dnl Check if libfdatetime or required headers and functions are available AX_LIBFDATETIME_CHECK_ENABLE dnl Check if libfguid or required headers and functions are available AX_LIBFGUID_CHECK_ENABLE dnl Check if libfvalue or required headers and functions are available AX_LIBFVALUE_CHECK_ENABLE dnl Check if libfwevt or required headers and functions are available AX_LIBFWEVT_CHECK_ENABLE dnl Check if libfwnt or required headers and functions are available AX_LIBFWNT_CHECK_ENABLE dnl Check if libevtx required headers and functions are available AX_LIBEVTX_CHECK_LOCAL dnl Check if libevtx Python bindings (pyevtx) required headers and functions are available AX_PYTHON_CHECK_ENABLE AS_IF( [test "x${ac_cv_enable_python}" != xno], [dnl Headers included in pyevtx/pyevtx_error.c AC_CHECK_HEADERS([stdarg.h varargs.h]) AS_IF( [test "x$ac_cv_header_stdarg_h" != xyes && test "x$ac_cv_header_varargs_h" != xyes], [AC_MSG_FAILURE( [Missing headers: stdarg.h and varargs.h], [1]) ]) ]) dnl Check if libexe or required 
headers and functions are available AX_LIBEXE_CHECK_ENABLE dnl Check if libregf or required headers and functions are available AX_LIBREGF_CHECK_ENABLE dnl Check if libwrc or required headers and functions are available AX_LIBWRC_CHECK_ENABLE dnl Check if libcdirectory or required headers and functions are available AX_LIBCDIRECTORY_CHECK_ENABLE dnl Check if evtxtools required headers and functions are available AX_EVTXTOOLS_CHECK_LOCAL dnl Check if DLL support is needed AX_LIBEVTX_CHECK_DLL_SUPPORT dnl Check if tests required headers and functions are available AX_TESTS_CHECK_LOCAL AX_TESTS_CHECK_OSSFUZZ dnl Set additional compiler flags CFLAGS="$CFLAGS -Wall"; dnl Check if requires and build requires should be set in spec file AS_IF( [test "x$ac_cv_libcerror" = xyes || test "x$ac_cv_libcthreads" = xyes || test "x$ac_cv_libcdata" = xyes || test "x$ac_cv_libclocale" = xyes || test "x$ac_cv_libcnotify" = xyes || test "x$ac_cv_libcsplit" = xyes || test "x$ac_cv_libuna" = xyes || test "x$ac_cv_libcfile" = xyes || test "x$ac_cv_libcpath" = xyes || test "x$ac_cv_libbfio" = xyes || test "x$ac_cv_libfcache" = xyes || test "x$ac_cv_libfdata" = xyes || test "x$ac_cv_libfdatetime" = xyes || test "x$ac_cv_libfguid" = xyes || test "x$ac_cv_libfvalue" = xyes || test "x$ac_cv_libfwevt" = xyes || test "x$ac_cv_libfwnt" = xyes], [AC_SUBST( [libevtx_spec_requires], [Requires:]) ]) AS_IF( [test "x$ac_cv_libexe" = xyes || test "x$ac_cv_libregf" = xyes || test "x$ac_cv_libwrc" = xyes || test "x$ac_cv_libcdirectory" = xyes], [AC_SUBST( [libevtx_spec_tools_build_requires], [BuildRequires:]) ]) dnl Set the date for the dpkg files AC_SUBST( [DPKG_DATE], [`date -R 2> /dev/null`]) dnl Set the date for the spec file AC_SUBST( [SPEC_DATE], [`date +"%a %b %e %Y" 2> /dev/null`]) dnl Generate Makefiles AC_CONFIG_FILES([Makefile]) AC_CONFIG_FILES([include/Makefile]) AC_CONFIG_FILES([common/Makefile]) AC_CONFIG_FILES([libcerror/Makefile]) AC_CONFIG_FILES([libcthreads/Makefile]) 
AC_CONFIG_FILES([libcdata/Makefile]) AC_CONFIG_FILES([libclocale/Makefile]) AC_CONFIG_FILES([libcnotify/Makefile]) AC_CONFIG_FILES([libcsplit/Makefile]) AC_CONFIG_FILES([libuna/Makefile]) AC_CONFIG_FILES([libcfile/Makefile]) AC_CONFIG_FILES([libcpath/Makefile]) AC_CONFIG_FILES([libbfio/Makefile]) AC_CONFIG_FILES([libfcache/Makefile]) AC_CONFIG_FILES([libfdata/Makefile]) AC_CONFIG_FILES([libfdatetime/Makefile]) AC_CONFIG_FILES([libfguid/Makefile]) AC_CONFIG_FILES([libfvalue/Makefile]) AC_CONFIG_FILES([libfwevt/Makefile]) AC_CONFIG_FILES([libfwnt/Makefile]) AC_CONFIG_FILES([libevtx/Makefile]) AC_CONFIG_FILES([pyevtx/Makefile]) AC_CONFIG_FILES([libexe/Makefile]) AC_CONFIG_FILES([libregf/Makefile]) AC_CONFIG_FILES([libwrc/Makefile]) AC_CONFIG_FILES([libcdirectory/Makefile]) AC_CONFIG_FILES([evtxtools/Makefile]) AC_CONFIG_FILES([po/Makefile.in]) AC_CONFIG_FILES([po/Makevars]) AC_CONFIG_FILES([manuals/Makefile]) AC_CONFIG_FILES([tests/Makefile]) AC_CONFIG_FILES([ossfuzz/Makefile]) AC_CONFIG_FILES([msvscpp/Makefile]) dnl Generate header files AC_CONFIG_FILES([include/libevtx.h]) AC_CONFIG_FILES([include/libevtx/definitions.h]) AC_CONFIG_FILES([include/libevtx/features.h]) AC_CONFIG_FILES([include/libevtx/types.h]) AC_CONFIG_FILES([libevtx/libevtx_definitions.h]) dnl Generate distribution specific files AC_CONFIG_FILES([common/types.h]) AC_CONFIG_FILES([dpkg/changelog]) AC_CONFIG_FILES([libevtx/libevtx.rc]) AC_CONFIG_FILES([libevtx.pc]) AC_CONFIG_FILES([libevtx.spec]) AC_CONFIG_FILES([setup.cfg]) dnl Generate a source configuration file AC_CONFIG_HEADERS([common/config.h]) AC_OUTPUT dnl Print a summary AC_MSG_NOTICE([ Building: libcerror support: $ac_cv_libcerror libcthreads support: $ac_cv_libcthreads libcdata support: $ac_cv_libcdata libclocale support: $ac_cv_libclocale libcnotify support: $ac_cv_libcnotify libcsplit support: $ac_cv_libcsplit libuna support: $ac_cv_libuna libcfile support: $ac_cv_libcfile libcpath support: $ac_cv_libcpath libbfio support: $ac_cv_libbfio 
libfcache support: $ac_cv_libfcache libfdata support: $ac_cv_libfdata libfdatetime support: $ac_cv_libfdatetime libfguid support: $ac_cv_libfguid libfvalue support: $ac_cv_libfvalue libfwevt support: $ac_cv_libfwevt libfwnt support: $ac_cv_libfwnt libexe support: $ac_cv_libexe libregf support: $ac_cv_libregf libwrc support: $ac_cv_libwrc libcdirectory support: $ac_cv_libcdirectory Features: Multi-threading support: $ac_cv_libcthreads_multi_threading Wide character type support: $ac_cv_enable_wide_character_type evtxtools are build as static executables: $ac_cv_enable_static_executables Python (pyevtx) support: $ac_cv_enable_python Verbose output: $ac_cv_enable_verbose_output Debug output: $ac_cv_enable_debug_output ]); ================================================ FILE: documentation/Windows XML Event Log (EVTX).asciidoc ================================================ = Windows XML Event Log (EVTX) format Analysis of EVTX :toc: :toclevels: 4 :numbered!: [abstract] == Summary The Windows XML EventLog (EVTX) format is used by Microsoft Windows to store system log information. This specification is based the work done by A. Schuster `[SCHUSTER11]` and on `[MS-EVEN6]`. It was complemented by other public available information and was enhanced by analyzing test data. This document is intended as a working document of the data format specification for the libevtx project. Special thanks to A. Schuster for his excellent work on the format and test files. [preface] == Document information [cols="1,5"] |=== | Author(s): | Joachim Metz | Abstract: | This document contains information about the Windows XML Event Viewer Log (EVTX) format. | Classification: | Public | Keywords: | Windows XML Event Viewer Log, EVTX |=== [preface] == License .... Copyright (C) 2011-2024, Joachim Metz . 
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License". .... [preface] == Revision history [cols="1,1,1,5",options="header"] |=== | Version | Author | Date | Comments | 0.0.1 | J.B. Metz | September 2011 | Initial version. | 0.0.2 | J.B. Metz | March 2012 + April 2012 | Additional information. | 0.0.3 | J.B. Metz | May 2012 | Additional information. | 0.0.4 | J.B. Metz | May 2012 | Updates for Windows 8 Consumer Preview. | 0.0.5 | J.B. Metz | October 2012 | Additional information regarding formatted messages. | 0.0.6 | J.B. Metz | December 2012 | Additional information regarding formatted messages. | 0.0.7 | J.B. Metz | February 2013 | Additional information regarding formatted messages. | 0.0.8 | J.B. Metz | February 2013 | Additional information regarding chunk offset values seen in archived EVTX files with thanks to R. Rumble. | 0.0.8 | J.B. Metz | February 2013 | Additional information regarding corruption scenarios. | 0.0.9 | J.B. Metz | March 2013 | Additional information regarding corruption scenarios. | 0.0.10 | J.B. Metz | May 2013 | Additional information regarding corruption scenarios. | 0.0.11 | J.B. Metz | July 2013 | Additional information regarding XML escaping with thanks to G. Torres. | 0.0.12 | J.B. Metz | July 2013 | Additional information regarding ProcessingErrorData. | 0.0.13 | J.B. Metz | July 2013 | Additional information regarding dirty file with invalid number of chunks corruption scenario with thanks to G. Torres. | 0.0.14 | J.B. Metz | October 2013 | Added information about parameter expansion. | 0.0.15 | J.B. Metz | February 2014 | Additional information regarding MUI and "language specific" event message files. | 0.0.16 | J.B. 
Metz | July 2014 | Additional information about parameter expansion. | 0.0.16 | J.B. Metz | March 2015 | Switched to asciidoc format. | 0.0.17 | J.B. Metz | January 2016 | Additional information about Binary XML type (0x21). | 0.0.18 | J.B. Metz | April 2016 | Fixed typo. | 0.0.19 | J.B. Metz | November 2020 | Changes for formatting. | 0.0.20 | J.B. Metz | May 2021 | Textual and formatting changes. | 0.0.21 | J.B. Metz | October 2021 | Additional information regarding format versions. | 0.0.22 | J.B. Metz | December 2021 | Additional information about MUI language neutral file. | 0.0.23 | J.B. Metz | December 2023 | Updated references and additional information about SystemResources directory. | 0.0.24 | J.B. Metz | January 2024 | Additional information about parameter message files. | 0.0.25 | J.B. Metz | April 2024 | Additional information about dependency identifier. | 0.0.26 | J.B. Metz | September 2024 | Additional information regarding format edge case with thanks to J. Solomon. |=== :numbered: == Overview The Windows XML EventLog (EVTX) format is used by Microsoft Windows, as of Windows Vista, to store system log information. The EVTX format supersedes the Windows EventLog (EVT) format as used in Windows XP. An EVTX file consists of: * file header * chunks * trailing empty values [cols="1,5",options="header"] |=== | Characteristics | Description | Byte order | little-endian | Date and time values | FILETIME in UTC | Character strings | ASCII strings are Single Byte Character (SBC) or Multi Byte Character (MBC) strings stored with a codepage. Sometimes referred to as ANSI string representation. + Though this may be technically incorrect, this document will use the term (extended) ASCII string. + Unicode strings are stored in UTF-16 little-endian without the byte order mark (BOM). 
|=== === Test version The following version of programs were used to test the information within this document: * Windows Vista * Windows 2008 * Windows 7 * Windows 8 * [yellow-background]*TODO: Windows 2012* * Windows 10 (1903, 1909, 2004, 20H2) * Windows 11 (21H2) === Event Log files The event logs files can normally be found in: .... C:\Windows\System32\winevt\Logs\ .... [cols="1,3",options="header"] |=== | Filename | Description | Application.evtx | Application events | DFS Replication.evtx | [yellow-background]*TODO* | HardwareEvents.evtx | [yellow-background]*TODO* | Internet Explorer.evtx | Internet Explorer events | Key Management Service.evtx | [yellow-background]*TODO* | Media Center.evtx | [yellow-background]*TODO* | Microsoft-Windows-Bits-Client%4Operational.evtx | [yellow-background]*TODO* | Microsoft-Windows-CodeIntegrity%4Operational.evtx | [yellow-background]*TODO* | Microsoft-Windows-CorruptedFileRecovery-Client%4Operational.evtx | [yellow-background]*TODO* | Microsoft-Windows-CorruptedFileRecovery-Server%4Operational.evtx | [yellow-background]*TODO* | Microsoft-Windows-DateTimeControlPanel%4Operational.evtx | [yellow-background]*TODO* | Microsoft-Windows-Diagnosis-DPS%4Operational.evtx | [yellow-background]*TODO* | Microsoft-Windows-Diagnosis-PLA%4Operational.evtx | [yellow-background]*TODO* | Microsoft-Windows-Diagnostics-Networking%4Operational.evtx | [yellow-background]*TODO* | Microsoft-Windows-Diagnostics-Performance%4Operational.evtx | [yellow-background]*TODO* | Microsoft-Windows-DiskDiagnostic%4Operational.evtx | [yellow-background]*TODO* | Microsoft-Windows-DiskDiagnosticDataCollector%4Operational.evtx | [yellow-background]*TODO* | Microsoft-Windows-DiskDiagnosticResolver%4Operational.evtx | [yellow-background]*TODO* | Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx | [yellow-background]*TODO* | Microsoft-Windows-Forwarding%4Operational.evtx | [yellow-background]*TODO* | Microsoft-Windows-GroupPolicy%4Operational.evtx | 
[yellow-background]*TODO* | Microsoft-Windows-Help%4Operational.evtx | [yellow-background]*TODO* | Microsoft-Windows-International%4Operational.evtx | [yellow-background]*TODO* | Microsoft-Windows-Kernel-WDI%4Operational.evtx | [yellow-background]*TODO* | Microsoft-Windows-Kernel-WHEA.evtx | [yellow-background]*TODO* | Microsoft-Windows-LanguagePackSetup%4Operational.evtx | [yellow-background]*TODO* | Microsoft-Windows-MUI%4Operational.evtx | [yellow-background]*TODO* | Microsoft-Windows-NetworkAccessProtection%4Operational.evtx | [yellow-background]*TODO* | Microsoft-Windows-Program-Compatibility-Assistant%4Operational.evtx | [yellow-background]*TODO* | Microsoft-Windows-ReadyBoost%4Operational.evtx | [yellow-background]*TODO* | Microsoft-Windows-ReliabilityAnalysisComponent%4Metrics.evtx | [yellow-background]*TODO* | Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx | [yellow-background]*TODO* | Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx | [yellow-background]*TODO* | Microsoft-Windows-Resource-Exhaustion-Resolver%4Operational.evtx | [yellow-background]*TODO* | Microsoft-Windows-Resource-Leak-Diagnostic%4Operational.evtx | [yellow-background]*TODO* | Microsoft-Windows-RestartManager%4Operational.evtx | [yellow-background]*TODO* | Microsoft-Windows-TaskScheduler%4Operational.evtx | [yellow-background]*TODO* | Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx | [yellow-background]*TODO* | Microsoft-Windows-UAC%4Operational.evtx | [yellow-background]*TODO* | Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx | [yellow-background]*TODO* | Microsoft-Windows-WindowsUpdateClient%4Operational.evtx | [yellow-background]*TODO* | Microsoft-Windows-Winlogon%4Operational.evtx | [yellow-background]*TODO* | Microsoft-Windows-Wired-AutoConfig%4Operational.evtx | [yellow-background]*TODO* | Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx | [yellow-background]*TODO* | ODiag.evtx | [yellow-background]*TODO* | 
OSession.evtx | Office sessions events | Security.evtx | Security events | Setup.evtx | Setup events | System.evtx | System events |=== == File header The file header is 4096 bytes in size and consists of: [cols="1,1,1,5",options="header"] |=== | Offset | Size | Value | Description | 0 | 8 | "ElfFile\x00" | Signature | 8 | 8 | | First chunk number | 16 | 8 | | Last chunk number | 24 | 8 | | Next record identifier | 32 | 4 | 128 | Header size | 36 | 2 | | Minor format version + See section: <<format_versions,Format versions>> | 38 | 2 | | Major format version + See section: <<format_versions,Format versions>> | 40 | 2 | 4096 | Header block size + (or chunk data offset) | 42 | 2 | | Number of chunks | 44 | 76 | | [yellow-background]*Unknown (Empty values)* | 120 | 4 | | File flags + See section: <<file_flags,File flags>> | 124 | 4 | | Checksum + CRC32 of the first 120 bytes of the file header | 128 | 3968 | | [yellow-background]*Unknown (Empty values)* |=== The CRC-32 is described in RFC 1952 and uses an initial value of 0. [yellow-background]*TODO: check if: file size = ( Number of chunks * 65536 ) + 4096* === [[format_versions]]Format versions [cols="1,5",options="header"] |=== | Version + (Major.Minor) | Description | 3.1 | Seen on Windows Vista and later | 3.2 | Seen on Windows 10 (2004) and later |=== === [[file_flags]]File flags [cols="1,1,5",options="header"] |=== | Value | Identifier | Description | 0x0001 | | Is dirty | 0x0002 | | Is full |=== == Chunk The chunk is 65536 bytes in size and consists of: * chunk header * array of event records * unused space === Chunk header The chunk header is 512 bytes in size and consists of: [cols="1,1,1,5",options="header"] |=== | Offset | Size | Value | Description | 0 | 8 | "ElfChnk\x00" | Signature | 8 | 8 | | First event record number | 16 | 8 | | Last event record number | 24 | 8 | | First event record identifier | 32 | 8 | | Last event record identifier | 40 | 4 | 128 | Header size + (or offset to [yellow-background]*pointer data*) | 44 | 4 | | Last event record data offset + Offset to the data of the 
last event record. + The offset is relative to the start of the chunk header. | 48 | 4 | | Free space offset + Offset to free space in the chunk. The offset is relative to the start of the chunk header. | 52 | 4 | | Event records checksum + CRC32 of the event records data | 56 | 64 | | [yellow-background]*Unknown (Empty values)* | 120 | 4 | | [yellow-background]*Unknown (flags?)* | 124 | 4 | | Checksum + CRC32 of the first 120 bytes and bytes 128 to 512 of the chunk. |=== The CRC-32 is described in RFC 1952 and uses an initial value of 0. The free space offset is not always the offset of the end of the event records data; it sometimes points to the end of the chunk, where the remainder of the chunk after the last event record was filled with 0-byte values. This behavior was seen in archived EVTX files. A reader should therefore not assume that event record data extends up to the free space offset. [cols="1,1,1,5",options="header"] |=== | Offset | Size | Value | Description | 128 | 64 x 4 = 256 | | [yellow-background]*Common string offset array* + [yellow-background]*The offsets are relative from the start of the chunk* | 384 | 32 x 4 = 128 | | [yellow-background]*TemplatePtr* + [yellow-background]*Array of 32 x 32-bit values* |=== [yellow-background]*The common string offset array contains the offsets of strings that are common in the event records stored in the chunk so that they only have to be stored once in the first event record and can be referenced from successive event records.* [yellow-background]*Identifier/Number of first and last event record in chunk* [yellow-background]*Data after header and before event record?* === Event record The event record is variable in size and consists of: [cols="1,1,1,5",options="header"] |=== | Offset | Size | Value | Description | 0 | 4 | "\x2a\x2a\x00\x00" | Signature | 4 | 4 | | Size + The size of the event record including the signature and the size | 8 | 8 | | Event record identifier | 16 | 8 | | Written date and time + Contains a FILETIME + The date and time the event record was written (logged) | 24 | ... 
| | Event + Contains binary XML + See section: <<binary_xml,Binary XML>> | ... | 4 | | Copy of size |=== == [[binary_xml]]Binary XML === Document structure According to `[MS-EVEN6]` the binary XML structure should consist of: The document (BinXMLDocument) consists of: * Prologue (BinXMLPI) (zero or one) * Fragment (zero or more) * Miscellaneous (BinXMLPI) (zero or one) * End of file token ==== Fragment The fragment (BinXMLFragment) consists of: * fragment header * an element or a template instance ==== Fragment header The fragment header (BinXMLFragmentHeader) is 4 bytes in size and consists of: [cols="1,1,1,5",options="header"] |=== | Offset | Size | Value | Description | 0 | 1 | 0x0f | Fragment header token + Should be: BinXmlFragmentHeaderToken + See section: <> | 1 | 1 | 0x01 | Major version | 2 | 1 | 0x01 | Minor version | 3 | 1 | 0x00 | Flags |=== ==== Element An element (BinXMLElement) can be either 'empty' or 'filled'. BinXMLEmpyElement: * element start * close empty element token Example of an 'empty' element in textual XML: .... .... BinXMLFilledElement: * element start * close start element token * content * end element token Example of a 'filled' element in textual XML: .... 400 .... [yellow-background]*TODO: is it valid for a fragment to have more than one element?* ==== Element start The element start (BinXMLElementStart) is variable in size and consists of: [cols="1,1,1,5",options="header"] |=== | Offset | Size | Value | Description | 0 | 1 | 0x01 + 0x41 | Open start element tag token + Should be: BinXmlTokenOpenStartElementTag + See section: <> 4+| _Optional see notes below_ | 1 | 2 | | Dependency identifier + -1 (0xffff) => not set 4+| _Common_ | 3 | 4 | | Data size + The size of the data. + This includes the size of the element name, attribute list, close element tag, content and end element tag, except for the first 5 or 7 bytes of the element start. 
4+| _Optional see notes below_ | 7 | 4 | | Element name offset + The offset is relative from the start of the chunk + See section: <> 4+| _Common_ | 11 | ... | | Attribute list + See section: <> |=== A token type of 0x01 indicates that the element start tag contains no elements; a token type of 0x41 indicates that an attribute list can be expected in the element start tag. [NOTE] The element name can be stored before the attribute list. [NOTE] The name offset is not present in the binary XML in the Windows Event Template resource. [NOTE] According to `[MS-EVEN6]` the dependency identifier is not present when the element start is used in a substitution token with value type: Binary XML (0x21). ==== [[attribute_list]]Attribute list The attribute (BinXmlAttributeList) is variable of size and consists of: [cols="1,1,1,5",options="header"] |=== | Offset | Size | Value | Description | 0 | 4 | | Data size + Does not include the 4 byte of the size. | 4 | ... | | Array of attributes + See section: <> |=== [yellow-background]*TODO: if attribute list is empty it is trailed by 2 bytes? Is this 32-bit alignment padding?* ==== [[attribute]]Attribute The attribute (BinXmlAttribute) is variable of size and consists of: [cols="1,1,1,5",options="header"] |=== | Offset | Size | Value | Description | 0 | 1 | 0x06 + 0x46 | Attribute token + Should be: BinXmlTokenAttribute + See section: <> 4+| _Optional see notes below_ | 1 | 4 | | Attribute name offset + The offset is relative from the start of the chunk + See section: <> 4+| _Common_ | 5 | ... | | Attribute data |=== A token type of 0x46 indicates that there is another attribute in the attribute list; a token type of 0x06 indicates that no more attributes exist. [NOTE] The attribute name can be stored before the attribute list. 
The attribute data (BinXMLAttributeData) can be: * value text * substitution * character entity reference * entity reference [NOTE] The name offset is not present in the binary XML in the Windows Event Template resource. ==== [[name]]Name The name (BinXmlName) is variable of size and consists of: [cols="1,1,1,5",options="header"] |=== | Offset | Size | Value | Description | 0 | 4 | | [yellow-background]*Unknown* | 4 | 2 | | Name hash + [yellow-background]*Which hash algorithm?* | 6 | 2 | | Number of characters | 8 | ... | | UTF-16 little-endian string with an end-of-string character |=== The unknown 4 bytes are not present in the binary XML in the Windows Event Template resource. ==== Content The content (BinXMLContent) can be: * an element * content string data * character entity reference * entity reference * CDATA section * PI ==== Content string The content string data (BinXMLContentStringData) can be: * value text * substitution [yellow-background]*TODO: a content string containing an end-of-line character seems to be considered empty by Event Viewer* ==== Value text The value text (BinXmlValueText) is variable of size and consists of: [cols="1,1,1,5",options="header"] |=== | Offset | Size | Value | Description | 0 | 1 | 0x05 + 0x45 | Value token + Should be: BinXmlTokenValue + See section: <> | 1 | 1 | 0x01 | Value type + Should be: StringType + See section: <> | 2 | ... | | Value data + See section: <> |=== A token type of 0x45 indicates that more data can be expected to follow in the current content of the element or attribute; a token type of 0x05 indicates that no more such data follows. A value text can be stored spanning multiple value tokens. 
==== Substitution The substitution (BinXmlSubstitution) can be: * normal substitution * optional substitution ==== Normal substitution The normal substitution (BinXmlNormalSubstitution) is 4 bytes of size and consists of: [cols="1,1,1,5",options="header"] |=== | Offset | Size | Value | Description | 0 | 1 | 0x0d | Normal substitution token + Should be: BinXmlTokenNormalSubstitution + See section: <> | 1 | 2 | | Substitution identifier + Identifier of the value in the template instance data, where 0 represents the first value | 3 | 1 | | Value type + See section: <> |=== If the value type is an array type (0x80) the substitution is repeated for every element of the array. If the size of an array type is 0 then a single empty element should be created. If the value type is Size (0x10) the corresponding substitution value should be a 32-bit hexadecimal integer (0x14) or 64-bit hexadecimal integer (0x15). The same applies to an array of Size (0x90) where the substitution value should be an array of 32-bit hexadecimal integer (0x94) or an array of 64-bit hexadecimal integer (0x95). If the value type is the Binary XML type (0x21) the value data should be one of the following: * an open start element tag (BinXmlTokenOpenStartElementTag); * a fragment (BinXMLFragment); * a template instance (BinXmlTemplateInstance). ==== Optional substitution The optional substitution (BinXmlOptionalSubstitution) is 4 bytes of size and consists of: [cols="1,1,1,5",options="header"] |=== | Offset | Size | Value | Description | 0 | 1 | 0x0e | Optional substitution token + Should be: BinXmlTokenOptionalSubstitution + See section: <> | 1 | 2 | | Substitution identifier + Identifier of the value in the template instance data, where 0 represents the first value | 3 | 1 | | Value type + See section: <> |=== If the value type of the corresponding template value is NULL (0x00) the element should be ignored and not created.
If the value type is an array type (0x80) the substitution is repeated for every element of the array. If the size of an array type is 0 then a single empty element should be created. If the value type is Size (0x10) the corresponding substitution value should be a 32-bit hexadecimal integer (0x14) or 64-bit hexadecimal integer (0x15). The same applies to an array of Size (0x90) where the substitution value should be an array of 32-bit hexadecimal integer (0x94) or an array of 64-bit hexadecimal integer (0x95). If the value type is the Binary XML type (0x21) the value data should be one of the following: * an open start element tag (BinXmlTokenOpenStartElementTag); * a fragment (BinXMLFragment); * a template instance (BinXmlTemplateInstance). ==== Character entity reference The character entity reference (BinXmlCharacterEntityReference) is 3 byte of size and consists of: [cols="1,1,1,5",options="header"] |=== | Offset | Size | Value | Description | 0 | 1 | 0x08 + 0x48 | Character entity reference token + Should be: BinXmlTokenCharRef + See section: <> | 1 | 2 | | Character entity value |=== A token type of 0x48 indicates that more data can be expected to follow in the current content of the element or attribute; a token type of 0x08 indicates that no more such data follows. In the resulting XML the character entity is replaced e.g. `38` becomes `&`. [yellow-background]*According to `[MS-EVEN6]` emit the characters '&' and '#' and the decimal string representation of the value. 
TODO create a test file.* ==== Entity reference The entity reference (BinXmlEntityReference) is 5 bytes of size and consists of: [cols="1,1,1,5",options="header"] |=== | Offset | Size | Value | Description | 0 | 1 | 0x09 + 0x49 | Entity reference token + Should be: BinXmlTokenEntityRef + See section: <> 4+| _Optional see notes below_ | 1 | 4 | | Entity name offset + The offset is relative from the start of the chunk + See section: <> |=== A token type of 0x49 indicates that more data can be expected to follow in the current content of the element or attribute; a token type of 0x09 indicates that no more such data follows. In the resulting string the entity is replaced e.g. `amp` becomes & for a Unicode string and `&amp;` for an XML string. [NOTE] The name offset is not present in the binary XML in the Windows Event Template resource. It currently is assumed that the following entity references are supported: lt, gt, amp, quot and apos. ==== CDATA section The CDATA section is variable of size and consists of: [cols="1,1,1,5",options="header"] |=== | Offset | Size | Value | Description | 0 | 1 | 0x07 + 0x47 | CDATA section token + Should be: BinXmlTokenCDATASection + See section: <> | 1 | ... | | CDATA text + See section: <> |=== A token type of 0x47 indicates that more data can be expected to follow in the current content of the element or attribute; a token type of 0x07 indicates that no more such data follows. ==== Template instance The template instance (BinXmlTemplateInstance) is variable of size and consists of: [cols="1,1,1,5",options="header"] |=== | Offset | Size | Value | Description | 0 | 1 | 0x0c | Template instance token + Should be: BinXmlTokenTemplateInstance + See section: <> | 1 | ... | | Template definition | ... | ...
| | Template instance data |=== ==== Template definition The template definition (BinXmlTemplateDefinition) is variable of size and consists of: [cols="1,1,1,5",options="header"] |=== | Offset | Size | Value | Description | 0 | 1 | | [yellow-background]*Unknown(Version? Or number of template defs?)* + [yellow-background]*Seen: 0x01* | 1 | 4 | | [yellow-background]*Unknown (Template identifier?)* | 5 | 4 | | Template definition data offset + Template definition data | 9 | 4 | | [yellow-background]*Unknown (Next template definition offset)* + [yellow-background]*0 if not used* | 13 | 16 | | Template identifier + Contains a GUID | 29 | 4 | | Data size + The size of the data. + This includes the size of the fragment header, element and end of file token, except for the first 33 bytes of the template definition. | 33 | ... | | Fragment header | ... | ... | | Element | ... | 1 | | End of file token + Should be: BinXmlTokenEOF + See section: <> |=== [NOTE] The template definition data offset either points to the offset directly after this value or to somewhere previously in the chunk. The template definition can therefore be stored non-contiguously. Because the offset is read from the file, a parser should check that it lies within the chunk before following it. [yellow-background]*What does the %b0 in `[MS-EVEN6]` signify?* [yellow-background]*Possibly a bit value of 0 seeing that in other MSDN documentation %d16 indicates a decimal value of 16.* ==== Template instance data The template instance data (BinXmlTemplateInstanceData) is variable of size and consists of: [cols="1,1,1,5",options="header"] |=== | Offset | Size | Value | Description | 0 | 4 | | Number of template values | 4 | ... | | Array of template value descriptors | ... | ...
| | Array of template value data |=== The template value descriptor is 4 bytes of size and consists of: [cols="1,1,1,5",options="header"] |=== | Offset | Size | Value | Description | 0 | 2 | | Value size | 2 | 1 | | Value type | 1 | 1 | 0x00 | [yellow-background]*Unknown (Empty value)* |=== ==== [[unicode_text_string]]Unicode text string The Unicode text string is variable of size and consists of: [cols="1,1,1,5",options="header"] |=== | Offset | Size | Value | Description | 2 | 2 | | Number of characters | 4 | ... | | UTF-16 little-endian string without an end-of-string character |=== ==== PI The PI consists of: * PI target * PI data ==== PI target The PI target (BinXmlPITarget) is 5 bytes of size and consists of: [cols="1,1,1,5",options="header"] |=== | Offset | Size | Value | Description | 0 | 1 | 0x0a | PI target reference token + Should be: BinXmlTokenPITarget + See section: <> 4+| _Optional see notes below_ | 1 | 4 | | PI target name offset + The offset is relative from the start of the chunk + See section: <> |=== [NOTE] The name offset is not present in the binary XML in the Windows Event Template resource. ==== PI data The PI data (BinXmlPIData) is variable of size and consists of: [cols="1,1,1,5",options="header"] |=== | Offset | Size | Value | Description | 0 | 1 | 0x0b | PI data token + Should be: BinXmlTokenPIData + See section: <> | 1 | ... | | PI data text + See section: <> |=== === [[token_types]]Token types Binary XML defines multiple token types.
[cols="1,1,5",options="header"] |=== | Value | Identifier | Description | 0x00 | BinXmlTokenEOF | End of file | 0x01 + 0x41 | BinXmlTokenOpenStartElementTag | Open start element tag + Indicates the start of a start element, correlates to '<' in '' | 0x02 | BinXmlTokenCloseStartElementTag | Close start element tag + Indicates the end of a start element, correlates to '>' in '' | 0x03 | BinXmlTokenCloseEmptyElementTag | Close empty element tag + Indicates the end of a start element, correlates to '/>' in '' | 0x04 | BinXmlTokenEndElementTag | Close end element tag + Indicates the end of element, correlates to '' | 0x05 + 0x45 | BinXmlTokenValue | Value | 0x06 + 0x46 | BinXmlTokenAttribute | Attribute | 0x07 + 0x47 | BinXmlTokenCDATASection | CDATA section | 0x08 + 0x48 | BinXmlTokenCharRef | Character entity reference | 0x09 + 0x49 | BinXmlTokenEntityRef | Entity reference | 0x0a | BinXmlTokenPITarget | Processing instructions (PI) target + XML processing instructions | 0x0b | BinXmlTokenPIData | Processing instructions (PI) data + XML processing instructions | 0x0c | BinXmlTokenTemplateInstance | Template instance | 0x0d | BinXmlTokenNormalSubstitution | Normal substitution | 0x0e | BinXmlTokenOptionalSubstitution | Optional substitution | 0x0f | BinXmlFragmentHeaderToken | Fragment header token |=== Some of the token types can contain the has more data flag 0x40. [yellow-background]*TODO bitmask of 0x1f ? is this defined in winevt.h ? 
If so what do the other flags signify?* === [[value_types]]Value types [cols="1,1,5",options="header"] |=== | Value | Identifier | Description | 0x00 | NullType | NULL or empty | 0x01 | StringType | Unicode string + Stored as UTF-16 little-endian without an end-of-string character | 0x02 | AnsiStringType | ASCII string + Stored using a codepage without an end-of-string character | 0x03 | Int8Type | 8-bit integer signed | 0x04 | UInt8Type | 8-bit integer unsigned | 0x05 | Int16Type | 16-bit integer signed | 0x06 | UInt16Type | 16-bit integer unsigned | 0x07 | Int32Type | 32-bit integer signed | 0x08 | UInt32Type | 32-bit integer unsigned | 0x09 | Int64Type | 64-bit integer signed | 0x0a | UInt64Type | 64-bit integer unsigned | 0x0b | Real32Type | Floating point 32-bit (single precision) | 0x0c | Real64Type | Floating point 64-bit (double precision) | 0x0d | BoolType | Boolean + [yellow-background]*A 32-bit integer that MUST be 0x00 or 0x01 (mapping to true or false, respectively).* | 0x0e | BinaryType | Binary data | 0x0f | GuidType | GUID + Stored in little-endian | 0x10 | SizeTType | Size type + Either 32 or 64-bits. This value type should be paired up with a HexInt32Type or HexInt64Type | 0x11 | FileTimeType | FILETIME (64-bit) + Stored in little-endian | 0x12 | SysTimeType | System time (128-bit) + Stored in little-endian | 0x13 | SidType | NT Security Identifier (SID) + See `[LIBFWNT]` | 0x14 | HexInt32Type | 32-bit integer hexadecimal + 32-bit (unsigned) integer that should be represented in hexadecimal notation | 0x15 | HexInt64Type | 64-bit integer hexadecimal + 64-bit (unsigned) integer that should be represented in hexadecimal notation | | | | 0x20 | EvtHandle | [yellow-background]*Unknown* | 0x21 | BinXmlType | Binary XML fragment | | | | 0x23 | EvtXml | [yellow-background]*Unknown* |=== The MSB of the value type (0x80) is used to indicate an array type. According to `[MSDN]` binary data and binary XML fragment types are not supported.
For the string types the end-of-string character is used as a separator. [cols="1,1,5",options="header"] |=== | Value | Identifier | Description | 0x81 | | Array of Unicode strings + Individual strings are stored as UTF-16 little-endian with an end-of-string character | 0x82 | | Array of ASCII strings + Individual strings are stored as ASCII string using a codepage with an end-of-string character | 0x83 | | Array of 8-bit integer signed + Every 1 byte is an individual value | 0x84 | | Array of 8-bit integer unsigned + Every 1 byte is an individual value | 0x85 | | Array of 16-bit integer signed + Every 2 bytes are an individual value in little-endian | 0x86 | | Array of 16-bit integer unsigned + Every 2 bytes are an individual value in little-endian | 0x87 | | Array of 32-bit integer signed + Every 4 bytes are an individual value in little-endian | 0x88 | | Array of 32-bit integer unsigned + Every 4 bytes are an individual value in little-endian | 0x89 | | Array of 64-bit integer signed + Every 8 bytes are an individual value in little-endian | 0x8a | | Array of 64-bit integer unsigned + Every 8 bytes are an individual value in little-endian | 0x8b | | Array of Floating point 32-bit (single precision) + Every 4 bytes are an individual value in little-endian | 0x8c | | Array of Floating point 64-bit (double precision) + Every 8 bytes are an individual value in little-endian | 0x8d | | [yellow-background]*Array of boolean* + [yellow-background]*Every 4 bytes are an individual value in little-endian* | | | | 0x8f | | Array of GUID + Every 16 bytes are an individual value in little-endian | 0x90 | | Array of size type + An individual value is either 32 or 64-bits. 
This value type should be paired up with an array of HexInt32Type or HexInt64Type | 0x91 | | Array of FILETIME + Every 8 bytes are an individual value in little-endian | 0x92 | | Array of system time + Every 16 bytes are an individual value in little-endian | 0x93 | | [yellow-background]*Array of NT Security Identifiers (SID)* | 0x94 | | Array of 32-bit integer hexadecimal + Every 4 bytes are an individual value in little-endian | 0x95 | | Array of 64-bit integer hexadecimal + Every 8 bytes are an individual value in little-endian |=== ==== String If in a string the characters: <, >, &, " and ' are not escaped they must respectively be replaced by the following character entities: `&lt;`, `&gt;`, `&amp;`, `&quot;` and `&apos;`. This does not apply to Character entity reference and Entity reference encoded strings. Event Viewer will not escape the character entities in the XML view, but will when exported as XML. Event Viewer seems to apply the XML character entity escaping inside element values for &, < and > but not for ' and ". ==== Systemtime The systemtime is 16 bytes of size and consists of: [cols="1,1,1,5",options="header"] |=== | Offset | Size | Value | Description | 0 | 2 | | Year | 2 | 2 | | Month | 4 | 2 | | Day of week | 6 | 2 | | Day of month | 8 | 2 | | Hours | 10 | 2 | | Minutes | 12 | 2 | | Seconds | 14 | 2 | | Milliseconds |=== ==== Floating point Floating point values are represented as the following strings.
[cols="1,1,5",options="header"] |=== | Value | Identifier | Description | -1.#INF | | Negative infinity/overflow | 1.#INF | | Positive infinity/overflow | -1.#IND | | Indeterminate | [-]?0 | | Positive or negative zero | [yellow-background]*[-]?[0-9]+* | | [yellow-background]*Any positive or negative value that can be represented as an integer* | [yellow-background]*[-]?[0-9]+.[0-9]{6}* | | [yellow-background]*Any positive or negative value that can be represented in 6 fractional digits* | [yellow-background]*[-]?[0-9]+.[0-9]{6}e-[0-9]{3}* | | [yellow-background]*Any positive or negative value that could not be represented in 6 fractional digits* |=== [yellow-background]*TODO validate the highlighted ones; 32-bit fractional of 6, 64-bit fractional of 14* == Event === Event identifier The event identifier is 4 bytes of size and consist of: [cols="1,1,1,5",options="header"] |=== | Offset | Size | Value | Description | 0.0 | 16 bits | | Code | 2.0 | 12 bits | | Facility | 3.4 | 1 bit | | Reserved | 3.5 | 1 bit | | Customer flags + 0 => System code + 1 => Customer code | 3.6 | 2 bits | | Severity + 00 => Success + 01 => Informational + 10 => Warning + 11 => Error |=== === Level [cols="1,1,5",options="header"] |=== | Value | Identifier | Description | 0x00000000 | | Identifies an event that should always be logged + (win:LogAlways) + Shown as "Information" in Event Viewer | 0x00000001 | WINEVENT_LEVEL_CRITICAL | Identifies an abnormal exit or termination event + (win:Critical) | 0x00000002 | WINEVENT_LEVEL_ERROR | Identifies a severe error event + (win:Error) | 0x00000003 | WINEVENT_LEVEL_WARNING | Identifies a warning event such as an allocation failure + (win:Warning) | 0x00000004 | WINEVENT_LEVEL_INFO | Identifies a non-error event such as an entry or exit event + (win:Informational) | 0x00000005 | WINEVENT_LEVEL_VERBOSE | Identifies a detailed trace event + (win:Verbose) | 0x00000006 | | [yellow-background]*Reserved* + [yellow-background]*(win:ReservedLevel6)* | 
0x00000007 | | [yellow-background]*Reserved* + [yellow-background]*(win:ReservedLevel7)* | 0x00000008 | | [yellow-background]*Reserved* + [yellow-background]*(win:ReservedLevel8)* | 0x00000009 | | [yellow-background]*Reserved* + [yellow-background]*(win:ReservedLevel9)* | 0x0000000a | | [yellow-background]*Reserved* + [yellow-background]*(win:ReservedLevel10)* | 0x0000000b | | [yellow-background]*Reserved* + [yellow-background]*(win:ReservedLevel11)* | 0x0000000c | | [yellow-background]*Reserved* + [yellow-background]*(win:ReservedLevel12)* | 0x0000000d | | [yellow-background]*Reserved* + [yellow-background]*(win:ReservedLevel13)* | 0x0000000e | | [yellow-background]*Reserved* + [yellow-background]*(win:ReservedLevel14)* | 0x0000000f | | [yellow-background]*Reserved* + [yellow-background]*(win:ReservedLevel15)* |=== === Keywords [cols="1,1,5",options="header"] |=== | 0x0000000000000000 | | [yellow-background]*win:AnyKeyword* | | | | [yellow-background]*0x0000000000010000* | | [yellow-background]*Shell* | [yellow-background]*0x0000000000020000* | | [yellow-background]*Properties* | [yellow-background]*0x0000000000040000* | | [yellow-background]*FileClassStoreAndIconCache* | [yellow-background]*0x0000000000080000* | | [yellow-background]*Controls* | [yellow-background]*0x0000000000100000* | | [yellow-background]*APICalls* | [yellow-background]*0x0000000000200000* | | [yellow-background]*InternetExplorer* | [yellow-background]*0x0000000000400000* | | [yellow-background]*ShutdownUX* | [yellow-background]*0x0000000000800000* | | [yellow-background]*CopyEngine* | [yellow-background]*0x0000000001000000* | | [yellow-background]*Tasks* | [yellow-background]*0x0000000002000000* | | [yellow-background]*WDI* | [yellow-background]*0x0000000004000000* | | [yellow-background]*StartupPerf* | [yellow-background]*0x0000000008000000* | | [yellow-background]*StructuredQuery* | | | | 0x0001000000000000 | | [yellow-background]*win:Reserved* | 0x0002000000000000 | | 
[yellow-background]*win:WDIContext* | 0x0004000000000000 | | [yellow-background]*win:WDIDiag* | 0x0008000000000000 | | [yellow-background]*win:SQM* | 0x0010000000000000 | | [yellow-background]*win:AuditFailure* | 0x0020000000000000 | | [yellow-background]*win:AuditSuccess* | 0x0040000000000000 | | [yellow-background]*win:CorrelationHint* | 0x0080000000000000 | | [yellow-background]*Classic* + [yellow-background]*win:EventlogClassic* | 0x0100000000000000 | | [yellow-background]*win:ReservedKeyword56* | 0x0200000000000000 | | [yellow-background]*win:ReservedKeyword57* | 0x0400000000000000 | | [yellow-background]*win:ReservedKeyword58* | 0x0800000000000000 | | [yellow-background]*win:ReservedKeyword59* | 0x1000000000000000 | | [yellow-background]*win:ReservedKeyword60* | 0x2000000000000000 | | [yellow-background]*win:ReservedKeyword61* | 0x4000000000000000 | | [yellow-background]*win:ReservedKeyword62* | 0x8000000000000000 | | [yellow-background]*win:ReservedKeyword63* + [yellow-background]*Microsoft-Windows-Shell-Core/Diagnostic* |=== === Externally stored values Some of the data that Event Viewer shows is stored outside the event log files. On Windows XP (and earlier) the first step to determine the location of these values is find the corresponding "eventlog type sub key" in the Windows Registry under: .... HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\ .... Every event log type has its own sub key, e.g.: .... HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\System .... Common event log types are: * Application * Security * System [NOTE] The event log type is also stored in the "Channel" event XML element. The event log type sub key has a "event source sub key" for every source name, e.g for the source name "Workstation": .... HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\System\Workstation .... [NOTE] The source name is case insensitive; so "Workstation" and "workstation" are considered equivalent. 
The source name is stored as an attribute of the "Provider" element within the Event XML, e.g. .... .... The "EventSourceName" attribute contains the source name. If there is no "EventSourceName" attribute the "Name" attribute is used. As of Windows Vista the event log type sub key contains the value "ProviderGuid" which should contain the same GUID as indicated in the Event XML: .... {CA4E628D-8567-4896-AB6B-835B221F373F} .... The corresponding provider settings can be found in the event message provider Registry key: .... HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{ca4e628d-8567-4896-ab6b-835b221f373f} .... On a Windows Vista (or later) system "wevtutil" can be used to determine more about the provider. E.g. .... wevtutil gp Microsoft-Windows-Search .... ==== Message strings The event message strings are stored in event message files. The event message provider Registry key has a value named "EventMessageFile" which contains a path specification of the event message file, e.g. .... %SystemRoot%\System32\netmsg.dll .... [NOTE] The value can contain multiple filenames separated by a semicolon (;) character, and the names of the event message files are case insensitive. On Windows XP (and earlier) the event source sub key has a value named "EventMessageFile" which contains the same path. As of Windows Vista this value is not always present and using the value "MessageFileName" in the event message provider Registry key seems to be the preferred method. However it is possible that the event message provider Registry key is not present and the event source sub key needs to be used instead. Here "%SystemRoot%" is case insensitive and needs to be expanded to the Windows directory. The actual value of %SystemRoot% can be found in the Registry value: .... Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ Value: SystemRoot .... This value is dependent on the Windows version, e.g.
[cols="1,5",options="header"] |=== | Value | Version | C:\WINDOWS | Windows XP (NT 5.1) and later | C:\WINNT | Windows NT 3.1, Windows NT 4.0 and Windows 2000 (NT 5.0) | C:\WINNT35 | Windows NT 3.5x | C:\WTSRV | Windows NT 4.0 Terminal Server |=== Other placeholders that have been found to be used are: .... %WinDir% .... The actual value of e.g. %WinDir% can be found in the Registry value: .... Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment\ Value: windir .... Event message files are PE/COFF executables that contain a resource (".rsrc ") section. Event message files can have various extensions, e.g. ".exe", ".dll", ".dll.mui", ".sys". There are different types of event message files: * Message-table resource * Multilingual User Interface (MUI) resource The event message files can have any combination of these resources. The rules of preference seem to be: * use message-table resource if present, before checking MUI resource ===== Event resource file The event message provider Registry key has a value named "ResourceFileName". It is currently assumed that this Registry value contains a path specification of the event resource file, e.g. .... %SystemRoot%\System32\tquery.dll .... The event resource file should contain a Windows Event Template (WEVT_TEMPLATE) resource. The MUI resource should also contain a main name type "WEVT_TEMPLATE". On recent versions of Windows 10 the WEVT_TEMPLATE resource can also be stored in a corresponding file in the SystemResources directory. .... C:\Windows\SystemResources\tquery.dll.mun ....
The information stored in this resource is used to: * determine the message string identifier * determine the string identifiers of channels, keywords, levels, opcodes and tasks * parse Event XML "UserData" For more detailed information see: `[LIBEXE]` and `[LIBFWEVT]`; ===== Message string identifier On Windows XP (and earlier) the message string identifier was a direct mapping of the event identifier; as of Windows Vista this is no longer the case. There seem to be multiple methods by which the event identifier is mapped to the message string identifier, namely: * Using the event identifier qualifiers * Using the Windows Event Template resource ====== Using the event identifier qualifiers If the EventID element in Event XML has the Qualifiers attribute set, e.g.: .... 7036 .... Then the message string identifier can be determined as follows: .... 16384 in hexadecimal is 0x4000 7036 in hexadecimal is 0x1b7c .... .... message string identifier = ( 0x4000 << 16 ) | 0x1b7c = 0x40001b7c .... ====== Using the Windows Event Template (WEVT_TEMPLATE) resource If an event resource file has been specified and if the Provider element in the Event XML has the GUID attribute set, e.g.: .... 1 .... This GUID can be used to find a corresponding provider in the Windows Event Template (WEVT_TEMPLATE) resource. This resource should contain an event definition with the same identifier as the EventID in the Event XML, e.g. in case of the example 1. The event definition will also contain a reference to the message identifier, e.g. in case of the example 0xb9000001. ===== Message-table resource event message files In a message-table resource event message file the event message strings are stored in the message-table resource of the event message file. The resource section of a message-table resource event message file contains a message-table resource which contains the event message strings. E.g. on Windows Vista ....
C:\Windows\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll .... The event message strings have identifiers similar to the event identifiers. E.g. if the event identifier is 0 and the message string identifier 0, the corresponding event message string would be: .... %1 .... The placeholder values %1 represent the first string in the event. The event strings are stored as "Data" elements in the "EventData" element .... within the Event XML, e.g. Service has been successfully shut down. .... For a more comprehensive description of how to extract the event strings from the Event XML see section: <>. Sometimes the message string can have more placeholder than the event data contains strings, it seems in such a case the placeholders are not replaced and shown as %# in the resulting string. Note that the event message strings are language specific. An event message file can therefore contain event message strings for multiple languages. ===== Multilingual User Interface (MUI) event message files The resource section of a Multilingual User Interface (MUI) event message file contains Multilingual User Interface (MUI) resource. E.g. on Windows Vista .... C:\Windows\System32\services.exe .... The MUI event message (or language neutral) files do not have to contain a message-table resource but forward to a language specific message-table resource event message file, e.g. "en-US": .... C:\Windows\System32\en-US\services.exe.mui .... Note that it also possible that the corresponding "language specific" event message file is stored in the same directory as the MUI event message file. .... C:\Windows\System32\services.exe.mui .... It is this file that contains the language specific event message-table resource. The event message strings have identifiers similar to the event identifiers. E.g. if the event identifier in XML is: .... 7036 .... This would correspond to the event message string identifier: .... 16384 in hexadecimal is 0x4000 7036 in hexadecimal is 0x1b7c .... 
.... event message string identifier = ( 0x4000 << 16 ) | 0x1b7c = 0x40001b7c .... The corresponding event message string would be: .... The %1 service entered the %2 state. .... The placeholder values %1 and %2 represent the first and second string in the event. The event strings are stored as "Data" elements in the "EventData" element within the Event XML, e.g. .... Volume Shadow Copy stopped .... ===== [[event_data]]Event data As previously mentioned the event strings (and binary data) are stored as "Data" elements in the "EventData" element within the Event XML. Another way to store the event data is in a "UserData" element. The information in this section is partially deduced from the behavior of the "General", "Details Friendly View" and "Details XML View" of Event Viewer. Let's start out with the following variant of event data. .... SessionEnv D9060000 .... In this case "EventData" in the "Details Friendly View" contains both the value of the "Data" and the "Binary" tag. The value of the Binary tag is additionally interpreted as "Binary Data", which is base16 encoded. .... SessionEnv D9060000 .... If the Data has a corresponding "Name" attribute the "EventData" in the "Details Friendly View" shows the value of the "Name" attribute followed by the value of the "Data" tag, e.g. .... 86400 SuppressDuplicateDuration Software\Microsoft\EventSystem\EventLog .... .... param1 86400 param2 SuppressDuplicateDuration param3 Software\Microsoft\EventSystem\EventLog .... The data of an empty "Data" is not ignored but not directly visible in the "Details Friendly View". In case of the following example only the value of the "Name" attribute would be shown. .... ExtraInfo .... ProcessingErrorData is a variation of EventData: .... 15005 Value 804110C3E253BF01 .... .... ErrorCode 15005 DataItemName Value EventPayload 804110C3E253BF01 .... In some events the data is not stored in a "EventData" tag within the Event XML but in a "UserData" tag, e.g. ....
WmiApRpl WmiApRpl 4 44415441 .... In this case the "EventData" in the "Details Friendly View" will show the data as: .... EventXML param1 WmiApRpl param2 WmiApRpl binaryDataSize 4 binaryData 44415441 .... The binary data is not interpreted as the binary data seen with the "EventData" tag. Here "WmiApRpl" is the first string and "44415441" the fourth. Event strings can also be stored as attribute values. .... 4616 Microsoft-Windows-Security-Auditing .... .... EventProcessingFailure Error [Code] 15007 EventID 4616 PublisherID Microsoft-Windows-Security-Auditing .... The corresponding message string is: .... The event logging service encountered an error while processing an incoming event published from %3. .... Which indicates the attribute value should be considered the first event string. Some event records have a corresponding template definition in the WEVT_TEMPLATE data. An example of an event record with a corresponding template definition is: .... 1 user registry handles leaked from ... .... .... Detail .... Note that not all event records have corresponding WEVT_TEMPLATE data or template definition. Sometimes the template definition does not entirely match the event record e.g. the following example where the template definition contains Name="%1" but not the event record. .... http://www.download.windowsupdate.com/... The data is invalid. .... .... %1 %2 .... This however might be a special case of the "EventData". ===== Parsing event data In the initial phases of the libevtx project several attempts have been made to uniformly parse the event data. Firstly the naive approach. This approach considers the element values of the sub elements of the "EventData" or "UserData" elements as event string. Alas this approach fails to handle event strings that are defined as element attributes values mainly seen in "UserData" elements, e.g. .... 4616 Microsoft-Windows-Security-Auditing .... 
The next approach was to use the template definitions, if available, to parse the "EventData" and "UserData" elements. This approach seemed to solve the issue with the event strings defined as attribute values. Alas not every template definition seems to match the event record data, at least for some of the "EventData" elements, e.g. .... http://www.download.windowsupdate.com/... The data is invalid. .... .... %1 %2 .... However, using the template definitions to parse the event data provided an interesting insight: the binary XML substitution tokens of the template definition match those of the event record. This is the technique used as of version 20130208. ===== Parameter expansion Parameter expansion is e.g. seen in event identifier 7006 of the Service Control Manager (log source "SC Manager"). .... ScRegSetValueExW FailureActions %%5 .... Here the string translates to: .... The ScRegSetValueExW call failed for FailureActions with the following error: Access is denied. .... The event source sub key has a value named "ParameterMessageFile" which for the Service Control Manager refers to: .... %SystemRoot%\System32\MsObjs.dll .... Here %%5 corresponds to the message string with identifier 5 stored in MsObjs.dll (or its MUI equivalent), which is expanded to "Access is denied.". Note that if no parameter message file is defined EventViewer seems to: * first fall back to the event message files; * next fall back to default parameter message files, like MsObjs.dll and kernel32.dll on Windows 10. ==== Category [yellow-background]*TODO: describe CategoryMessageFile* == Recovery 1. Scan the chunk free space for event records and make sure the size and copy of size match. 2. Ignore any record with an identifier that already exists. Often the free space contains former versions of existing event records.
[yellow-background]*How useful are former versions of event records for correcting corrupted event records?* === Detecting corrupted records Comparing the size and copy of size is a quick way to detect corrupted records but sometimes the sizes match while the record is not recoverable. The detection of corrupted records can be improved by looking at the Binary XML data. [yellow-background]*TODO what about the identifier is it signed?* According to `[MS-EVEN6]` the binary XML structure should consist of: The document (BinXMLDocument) consists of: * Prologue (BinXMLPI) (zero or one) * Fragment (zero or more) * Miscellaneous (BinXMLPI) (zero or one) * End of file token This means the Binary XML data should start with one of the following: * 0x0a; the data size must be 5 or more bytes (for EVTX) * 0x0f 0x01 0x01 0x00; the data size must be 4 or more bytes * 0x00; which means there is no Binary XML data == Corruption scenarios === String value oddities This has been seen in PI data and CDATA section structures. .... libevtx_binary_xml_document_read_pi_data: type : 0x0b libevtx_binary_xml_document_read_pi_data: number of characters : 18 libevtx_binary_xml_document_read_pi_data: value data: 00000000: 4d 00 79 00 50 00 69 00 44 00 61 00 74 00 61 00 M.y.P.i. D.a.t.a. 00000010: 3d 00 22 00 76 00 61 00 6c 00 75 00 65 00 22 00 =.".v.a. l.u.e.". 00000020: 01 ff ff 0f 05 ff ff 0f .... .... EventViewer seems to interpret 05 ff ff 0f as part of the string? But 18 x 2 seems to be the correct data size. .... ?> .... Even 01 ff ff 0f part of the string looks like valid BinXML. .... libevtx_binary_xml_document_read_cdata_section: type : 0x07 libevtx_binary_xml_document_read_cdata_section: number of characters : 110 libevtx_binary_xml_document_read_cdata_section: value data: 00000000: 0d 00 0a 00 66 00 75 00 6e 00 63 00 74 00 69 00 ....f.u. n.c.t.i. 00000010: 6f 00 6e 00 20 00 6d 00 61 00 74 00 63 00 68 00 o.n. .m. a.t.c.h. 00000020: 77 00 6f 00 28 00 61 00 2c 00 62 00 29 00 0d 00 w.o.(.a.
,.b.)... 00000030: 0a 00 7b 00 0d 00 0a 00 69 00 66 00 20 00 28 00 ..{..... i.f. .(. 00000040: 61 00 20 00 3c 00 20 00 62 00 20 00 26 00 26 00 a. .<. . b. .&.&. 00000050: 20 00 61 00 20 00 3c 00 20 00 30 00 29 00 20 00 .a. .<. .0.). . 00000060: 74 00 68 00 65 00 6e 00 0d 00 0a 00 20 00 20 00 t.h.e.n. .... . . 00000070: 7b 00 0d 00 0a 00 20 00 20 00 72 00 65 00 74 00 {..... . .r.e.t. 00000080: 75 00 72 00 6e 00 20 00 31 00 3b 00 0d 00 0a 00 u.r.n. . 1.;..... 00000090: 20 00 20 00 7d 00 0d 00 0a 00 65 00 6c 00 73 00 . .}... ..e.l.s. 000000a0: 65 00 0d 00 0a 00 20 00 20 00 7b 00 0d 00 0a 00 e..... . .{..... 000000b0: 20 00 20 00 72 00 65 00 74 00 75 00 72 00 6e 00 . .r.e. t.u.r.n. 000000c0: 20 00 30 00 3b 00 0d 00 0a 00 20 00 20 00 7d 00 .0.;... .. . .}. 000000d0: 0d 00 0a 00 7d 00 0d 00 0a 00 04 04 04 04 ....}... .... .... .... .... EventViewer shows the last line as: .... ЄЄ]]> .... Even the 04 04 part of the string looks like valid BinXML. === Corrupted file header with correct checksum For some reason in EVTX file the file header was written with incorrect data although the checksum checks out. As you can see the first chunk number: 206 exceeds last chunk number: 205. .... signature : ElfFile\x00 first chunk number : 206 last chunk number : 205 next record identifier : 123510 header size : 128 minor version : 1 major version : 3 header block size : 4096 number of chunks : 1024 flags : 0x00000000 checksum : 0x7fc747e2 .... [yellow-background]*TODO check the number of chunks in the file and if the event ids are in sequential order. At first glance it seems to be this way.* === Dirty file with invalid number of chunks In the dirty file with invalid offset values scenarios the file header indicates the incorrect number of chunks in the file; in this case less than the actual number of chunks. .... 
signature : ElfFile\x00 first chunk number : 0 last chunk number : 35 next record identifier : 150158 header size : 128 minor version : 1 major version : 3 header block size : 4096 number of chunks : 36 flags : 0x00000001 checksum : 0x98053517 .... Event Viewer seems to "correct" files that are dirty and where the number of chunks in the file header is less than the actual number of chunks. The approach implemented in libevtx 20130713 to deal with these files is to keep scanning for chunks after the last chunk indicated by the file header. The records in these chunks are not marked as recovered records. === Corrupt event record Corruption of an event record can occur in multiple ways; the following variants have been seen: * In the middle of a chunk there is suddenly a large block of 0-byte values directly after an event record. * In the middle of a chunk there is an event record that is corrupt e.g. the size of the event record does not match the copy of size. The approach is to start scanning for recoverable event records in the remainder of the chunk. Any event records found are considered recovered. === Corrupted chunk Corruption of a chunk can occur in multiple ways; the following variants have been seen: * In the middle of a chunk there is suddenly a large block of 0-byte values directly after an event record. These 0-byte values continue across the next (expected) chunk header. The approach is to start scanning for recoverable event records until a correct chunk header is found or the end of file is reached. Any event records found are considered recovered. === Empty computer name It is not clear if this is a corruption scenario or an undesirable edge case. It has been observed that the format allows for the computer value to be empty. == Notes === Normal behavior Let's consider a "normal" Application.evtx file. EventViewer shows 20568 events. Using "Save All Events As ..." as an XML file from EventViewer shows 4168 events.
Wevtutil get-log-info shows 20568 events. .... wevtutil qli /lf:true file.evtx .... [yellow-background]*TODO behavior of oldestRecordNumber* Wevtutil query-events shows 20568 events. .... wevtutil qe /lf:true file.evtx > file.xml .... .... cat file.xml | grep EventRecordID | wc -l .... This file has the following header. .... signature : ElfFile\x00 first chunk number : 0 last chunk number : 181 next record identifier : 20569 header size : 128 minor version : 1 major version : 3 header block size : 4096 number of chunks : 182 file flags : 0x00000000 checksum : 0x9d4c00e2 .... In the file the event records are in order, meaning that the first chunk contains the event record with the lowest event record number. .... signature : ElfChnk\x00 first event record number : 1 last event record number : 117 first event record identifier : 1 last event record identifier : 117 header size : 128 last event record offset : 0x0000e380 free space offset : 0x0000f3b0 event records checksum : 0x731087d8 .... The number of event records in the chunk should be: .... last event record number - first event record number + 1 .... Successive chunks contain successive event record numbers. .... signature : ElfChnk\x00 first event record number : 118 last event record number : 232 first event record identifier : 118 last event record identifier : 232 header size : 128 last event record offset : 0x0000fcc8 free space offset : 0x0000ff30 event records checksum : 0x7fa7a9df .... [yellow-background]*TODO determine if gaps in event record identifiers is normal behavior?* === Corruption scenario: event record mismatch between size and copy of size Lets consider a dirty Security.evtx file. EventViewer shows 4001 events. Using "Save All Events As ..." as an XML file from EventViewer shows 1180 events. Wevtutil get-log-info shows 4001 events. .... wevtutil qli /lf:true file.evtx .... The "oldestRecordNumber" is 1 and does not match the data in the file. Wevtutil query-events shows 4001 events. .... 
wevtutil qe /lf:true file.evtx > file.xml .... .... cat file.xml | grep EventRecordID | wc -l .... Looking at the file in more detail the following chunk seems to be corrupt. .... signature : ElfChnk\x00 first event record number : 72431823 last event record number : 72431919 first event record identifier : 72433834 last event record identifier : 72433930 header size : 128 last event record offset : 0x0000fd18 free space offset : 0x0000ffb0 event records checksum : 0x6df0577c checksum : 0x5ff97a22 .... mismatch in chunk: 14 event records CRC-32 checksum (0x6df0577c != 0xd97de631) In the middle of this chunk the size of the event record does not match the copy of size. .... signature : \x2a\x2a\x00\x00 size : 664 identifier : 72433924 written time : Feb 20, 2013 20:50:20.671208000 UTC size copy : 1694526976 .... Judging by the data structures the size points in the middle of the binary XML. In this case scanning for event record signatures in the remainder of the chunk yields 6 results: * 1x corrupt event record (72433924) * 5x recoverable event records (73882240 - 73882244) The discontinuation in event record numbers suggest that the file was copied while event record 72433924 was being written. By continuing scanning for event records in total 21045 event records were found with the first event number of 72432422. === Corruption scenario: cross chunk 0-byte values Lets consider a dirty Security.evtx file. EventViewer shows 102019 events. Using "Save All Events As ..." as an XML file from EventViewer shows 68269 events. Wevtutil get-log-info shows 102019 events. .... wevtutil qli file.evtx /lf:true .... The "oldestRecordNumber" is 20496. Wevtutil query-events shows 19660 events. .... wevtutil qe file.evtx /lf:true > file.xml .... Failed to read events. The event log file is corrupted. .... cat file.xml | grep EventRecordID | wc -l .... Recall that in the previous corruption scenario wevtutil did not report it but in this case it does. .... 
signature : ElfChnk\x00 first event record number : 40163 last event record number : 40261 first event record identifier : 41158 last event record identifier : 41256 header size : 128 last event record offset : 0x0000fba8 free space offset : 0x0000fe18 event records checksum : 0x9981f715 checksum : 0x4931f4a2 .... .... mismatch in chunk: 402 event records CRC-32 checksum (0x9981f715 != 0x31aa1bb0). .... .... signature : \x2a\x2a\x00\x00 size : 624 identifier : 41173 written time : Mar 15, 2012 11:03:23.546212500 UTC size copy : 0 .... .... chunk header data: 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ ... 00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ .... By continuing scanning for event records in total 98927 event records and 1043 recoverable event records were found. === Other What are .ax files? As seen in: .... Source : Microsoft-Windows-DirectShow-KernelSupport Categories : None Messages : [u'ksproxy.ax'] .... :numbered!: [appendix] == References [cols="1,5",options="header"] |=== | Title | The Shell Core Provider | Author(s) | G. Chappel | Date | December 29, 2008 | URL | http://www.geoffchappell.com/notes/windows/shell/events/core.htm |=== `[LIBEXE]` [cols="1,5",options="header"] |=== | Title | MZ, PE-COFF executable file format (EXE) | Author(s) | J.B. Metz | Date | October 2011 | URL | https://github.com/libyal/libexe/blob/master/documentation/Executable%20(EXE)%20file%20format.asciidoc |=== `[LIBFWEVT]` [cols="1,5",options="header"] |=== | Title | Windows Event manifest binary format | Author(s) | J.B. 
Metz | Date | October 2011 | URL | https://github.com/libyal/libfwevt/blob/main/documentation/Windows%20Event%20manifest%20binary%20format.asciidoc |=== `[MS-EVEN6]` [cols="1,5",options="header"] |=== | Title | EventLog Remoting Protocol Version 6.0 Specification | URL | http://msdn.microsoft.com/en-us/library/cc231282(v=prot.10).aspx |=== `[MSDN]` [cols="1,5",options="header"] |=== | Title | BinXml | URL | https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-even6/e6fc7c72-b8c0-475b-aef7-25eaf1a64530 |=== [cols="1,5",options="header"] |=== | Title | Array Types | URL | https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-even6/3e08eb46-ec3d-464c-9614-16af6e232fa9 |=== [cols="1,5",options="header"] |=== | Title | LevelType Complex Type | URL | https://learn.microsoft.com/en-us/windows/win32/wes/eventmanifestschema-leveltype-complextype |=== [cols="1,5",options="header"] |=== | Title | Type System | URL | https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-even6/8aa98312-f199-4e37-a51f-d3a2ccb50d60 |=== [cols="1,5",options="header"] |=== | Title | MS-PLA: Product Behavior | URL | https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pla/905cad7f-1a12-49b4-a263-461a2977ab71 |=== `[LIBFWNT]` [cols="1,5",options="header"] |=== | Title: | Security Descriptor | URL: | https://github.com/libyal/libfwnt/blob/main/documentation/Security%20Descriptor.asciidoc |=== [cols="1,5",options="header"] |=== | Title | Introducing the Microsoft Vista Event Log File Format. | Author(s) | A. Schuster | Date | 2007 |=== [cols="1,5",options="header"] |=== | Tittle | Linking Event Messages and Resource DLLs | Author(s) | A. Schuster | Date | October 5, 2010 |=== `[SCHUSTER11]` [cols="1,5",options="header"] |=== | Title | Microsoft Windows Event Logging - Dokumentation der Binärformate | Author(s) | A. 
Schuster | Version | 148 | Date | February 6, 2011 |=== [cols="1,5",options="header"] |=== | Title | Extensible Markup Language (XML) 1.0 (Fifth Edition) | Date | November 26, 2008 | URL | http://www.w3.org/TR/REC-xml/ |=== [appendix] == GNU Free Documentation License Version 1.3, 3 November 2008 Copyright © 2000, 2001, 2002, 2007, 2008 Free Software Foundation, Inc. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. === 0. PREAMBLE The purpose of this License is to make a manual, textbook, or other functional and useful document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without modifying it, either commercially or noncommercially. Secondarily, this License preserves for the author and publisher a way to get credit for their work, while not being considered responsible for modifications made by others. This License is a kind of "copyleft", which means that derivative works of the document must themselves be free in the same sense. It complements the GNU General Public License, which is a copyleft license designed for free software. We have designed this License in order to use it for manuals for free software, because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. But this License is not limited to software manuals; it can be used for any textual work, regardless of subject matter or whether it is published as a printed book. We recommend this License principally for works whose purpose is instruction or reference. === 1. APPLICABILITY AND DEFINITIONS This License applies to any manual or other work, in any medium, that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. 
Such a notice grants a world-wide, royalty-free license, unlimited in duration, to use that work under the conditions stated herein. The "Document", below, refers to any such manual or work. Any member of the public is a licensee, and is addressed as "you". You accept the license if you copy, modify or distribute the work in a way requiring permission under copyright law. A "Modified Version" of the Document means any work containing the Document or a portion of it, either copied verbatim, or with modifications and/or translated into another language. A "Secondary Section" is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document's overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. (Thus, if the Document is in part a textbook of mathematics, a Secondary Section may not explain any mathematics.) The relationship could be a matter of historical connection with the subject or with related matters, or of legal, commercial, philosophical, ethical or political position regarding them. The "Invariant Sections" are certain Secondary Sections whose titles are designated, as being those of Invariant Sections, in the notice that says that the Document is released under this License. If a section does not fit the above definition of Secondary then it is not allowed to be designated as Invariant. The Document may contain zero Invariant Sections. If the Document does not identify any Invariant Sections then there are none. The "Cover Texts" are certain short passages of text that are listed, as Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document is released under this License. A Front-Cover Text may be at most 5 words, and a Back-Cover Text may be at most 25 words. 
A "Transparent" copy of the Document means a machine-readable copy, represented in a format whose specification is available to the general public, that is suitable for revising the document straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor, and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters. A copy made in an otherwise Transparent file format whose markup, or absence of markup, has been arranged to thwart or discourage subsequent modification by readers is not Transparent. An image format is not Transparent if used for any substantial amount of text. A copy that is not "Transparent" is called "Opaque". Examples of suitable formats for Transparent copies include plain ASCII without markup, Texinfo input format, LaTeX input format, SGML or XML using a publicly available DTD, and standard-conforming simple HTML, PostScript or PDF designed for human modification. Examples of transparent image formats include PNG, XCF and JPG. Opaque formats include proprietary formats that can be read and edited only by proprietary word processors, SGML or XML for which the DTD and/or processing tools are not generally available, and the machine-generated HTML, PostScript or PDF produced by some word processors for output purposes only. The "Title Page" means, for a printed book, the title page itself, plus such following pages as are needed to hold, legibly, the material this License requires to appear in the title page. For works in formats which do not have any title page as such, "Title Page" means the text near the most prominent appearance of the work's title, preceding the beginning of the body of the text. The "publisher" means any person or entity that distributes copies of the Document to the public. 
A section "Entitled XYZ" means a named subunit of the Document whose title either is precisely XYZ or contains XYZ in parentheses following text that translates XYZ in another language. (Here XYZ stands for a specific section name mentioned below, such as "Acknowledgements", "Dedications", "Endorsements", or "History".) To "Preserve the Title" of such a section when you modify the Document means that it remains a section "Entitled XYZ" according to this definition. The Document may include Warranty Disclaimers next to the notice which states that this License applies to the Document. These Warranty Disclaimers are considered to be included by reference in this License, but only as regards disclaiming warranties: any other implication that these Warranty Disclaimers may have is void and has no effect on the meaning of this License. === 2. VERBATIM COPYING You may copy and distribute the Document in any medium, either commercially or noncommercially, provided that this License, the copyright notices, and the license notice saying this License applies to the Document are reproduced in all copies, and that you add no other conditions whatsoever to those of this License. You may not use technical measures to obstruct or control the reading or further copying of the copies you make or distribute. However, you may accept compensation in exchange for copies. If you distribute a large enough number of copies you must also follow the conditions in section 3. You may also lend copies, under the same conditions stated above, and you may publicly display copies. === 3. COPYING IN QUANTITY If you publish printed copies (or copies in media that commonly have printed covers) of the Document, numbering more than 100, and the Document's license notice requires Cover Texts, you must enclose the copies in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover. 
Both covers must also clearly and legibly identify you as the publisher of these copies. The front cover must present the full title with all words of the title equally prominent and visible. You may add other material on the covers in addition. Copying with changes limited to the covers, as long as they preserve the title of the Document and satisfy these conditions, can be treated as verbatim copying in other respects. If the required texts for either cover are too voluminous to fit legibly, you should put the first ones listed (as many as fit reasonably) on the actual cover, and continue the rest onto adjacent pages. If you publish or distribute Opaque copies of the Document numbering more than 100, you must either include a machine-readable Transparent copy along with each Opaque copy, or state in or with each Opaque copy a computer-network location from which the general network-using public has access to download using public-standard network protocols a complete Transparent copy of the Document, free of added material. If you use the latter option, you must take reasonably prudent steps, when you begin distribution of Opaque copies in quantity, to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public. It is requested, but not required, that you contact the authors of the Document well before redistributing any large number of copies, to give them a chance to provide you with an updated version of the Document. === 4. MODIFICATIONS You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above, provided that you release the Modified Version under precisely this License, with the Modified Version filling the role of the Document, thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it. 
In addition, you must do these things in the Modified Version: A. Use in the Title Page (and on the covers, if any) a title distinct from that of the Document, and from those of previous versions (which should, if there were any, be listed in the History section of the Document). You may use the same title as a previous version if the original publisher of that version gives permission. B. List on the Title Page, as authors, one or more persons or entities responsible for authorship of the modifications in the Modified Version, together with at least five of the principal authors of the Document (all of its principal authors, if it has fewer than five), unless they release you from this requirement. C. State on the Title page the name of the publisher of the Modified Version, as the publisher. D. Preserve all the copyright notices of the Document. E. Add an appropriate copyright notice for your modifications adjacent to the other copyright notices. F. Include, immediately after the copyright notices, a license notice giving the public permission to use the Modified Version under the terms of this License, in the form shown in the Addendum below. G. Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given in the Document's license notice. H. Include an unaltered copy of this License. I. Preserve the section Entitled "History", Preserve its Title, and add to it an item stating at least the title, year, new authors, and publisher of the Modified Version as given on the Title Page. If there is no section Entitled "History" in the Document, create one stating the title, year, authors, and publisher of the Document as given on its Title Page, then add an item describing the Modified Version as stated in the previous sentence. J. 
Preserve the network location, if any, given in the Document for public access to a Transparent copy of the Document, and likewise the network locations given in the Document for previous versions it was based on. These may be placed in the "History" section. You may omit a network location for a work that was published at least four years before the Document itself, or if the original publisher of the version it refers to gives permission. K. For any section Entitled "Acknowledgements" or "Dedications", Preserve the Title of the section, and preserve in the section all the substance and tone of each of the contributor acknowledgements and/or dedications given therein. L. Preserve all the Invariant Sections of the Document, unaltered in their text and in their titles. Section numbers or the equivalent are not considered part of the section titles. M. Delete any section Entitled "Endorsements". Such a section may not be included in the Modified Version. N. Do not retitle any existing section to be Entitled "Endorsements" or to conflict in title with any Invariant Section. O. Preserve any Warranty Disclaimers. If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document, you may at your option designate some or all of these sections as invariant. To do this, add their titles to the list of Invariant Sections in the Modified Version's license notice. These titles must be distinct from any other section titles. You may add a section Entitled "Endorsements", provided it contains nothing but endorsements of your Modified Version by various parties—for example, statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard. You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. 
Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. If the Document already includes a cover text for the same cover, previously added by you or by arrangement made by the same entity you are acting on behalf of, you may not add another; but you may replace the old one, on explicit permission from the previous publisher that added the old one. The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version. === 5. COMBINING DOCUMENTS You may combine the Document with other documents released under this License, under the terms defined in section 4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the original documents, unmodified, and list them all as Invariant Sections of your combined work in its license notice, and that you preserve all their Warranty Disclaimers. The combined work need only contain one copy of this License, and multiple identical Invariant Sections may be replaced with a single copy. If there are multiple Invariant Sections with the same name but different contents, make the title of each such section unique by adding at the end of it, in parentheses, the name of the original author or publisher of that section if known, or else a unique number. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work. In the combination, you must combine any sections Entitled "History" in the various original documents, forming one section Entitled "History"; likewise combine any sections Entitled "Acknowledgements", and any sections Entitled "Dedications". You must delete all sections Entitled "Endorsements". === 6. 
COLLECTIONS OF DOCUMENTS You may make a collection consisting of the Document and other documents released under this License, and replace the individual copies of this License in the various documents with a single copy that is included in the collection, provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects. You may extract a single document from such a collection, and distribute it individually under this License, provided you insert a copy of this License into the extracted document, and follow this License in all other respects regarding verbatim copying of that document. === 7. AGGREGATION WITH INDEPENDENT WORKS A compilation of the Document or its derivatives with other separate and independent documents or works, in or on a volume of a storage or distribution medium, is called an "aggregate" if the copyright resulting from the compilation is not used to limit the legal rights of the compilation's users beyond what the individual works permit. When the Document is included in an aggregate, this License does not apply to the other works in the aggregate which are not themselves derivative works of the Document. If the Cover Text requirement of section 3 is applicable to these copies of the Document, then if the Document is less than one half of the entire aggregate, the Document's Cover Texts may be placed on covers that bracket the Document within the aggregate, or the electronic equivalent of covers if the Document is in electronic form. Otherwise they must appear on printed covers that bracket the whole aggregate. === 8. TRANSLATION Translation is considered a kind of modification, so you may distribute translations of the Document under the terms of section 4. 
Replacing Invariant Sections with translations requires special permission from their copyright holders, but you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant Sections. You may include a translation of this License, and all the license notices in the Document, and any Warranty Disclaimers, provided that you also include the original English version of this License and the original versions of those notices and disclaimers. In case of a disagreement between the translation and the original version of this License or a notice or disclaimer, the original version will prevail. If a section in the Document is Entitled "Acknowledgements", "Dedications", or "History", the requirement (section 4) to Preserve its Title (section 1) will typically require changing the actual title. === 9. TERMINATION You may not copy, modify, sublicense, or distribute the Document except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, or distribute it is void, and will automatically terminate your rights under this License. However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation. Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice. 
Termination of your rights under this section does not terminate the licenses of parties who have received copies or rights from you under this License. If your rights have been terminated and not permanently reinstated, receipt of a copy of some or all of the same material does not give you any rights to use it. === 10. FUTURE REVISIONS OF THIS LICENSE The Free Software Foundation may publish new, revised versions of the GNU Free Documentation License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. See http://www.gnu.org/copyleft/. Each version of the License is given a distinguishing version number. If the Document specifies that a particular numbered version of this License "or any later version" applies to it, you have the option of following the terms and conditions either of that specified version or of any later version that has been published (not as a draft) by the Free Software Foundation. If the Document does not specify a version number of this License, you may choose any version ever published (not as a draft) by the Free Software Foundation. If the Document specifies that a proxy can decide which future versions of this License can be used, that proxy's public statement of acceptance of a version permanently authorizes you to choose that version for the Document. === 11. RELICENSING "Massive Multiauthor Collaboration Site" (or "MMC Site") means any World Wide Web server that publishes copyrightable works and also provides prominent facilities for anybody to edit those works. A public wiki that anybody can edit is an example of such a server. A "Massive Multiauthor Collaboration" (or "MMC") contained in the site means any set of copyrightable works thus published on the MMC site. 
"CC-BY-SA" means the Creative Commons Attribution-Share Alike 3.0 license published by Creative Commons Corporation, a not-for-profit corporation with a principal place of business in San Francisco, California, as well as future copyleft versions of that license published by that same organization. "Incorporate" means to publish or republish a Document, in whole or in part, as part of another Document. An MMC is "eligible for relicensing" if it is licensed under this License, and if all works that were first published under this License somewhere other than this MMC, and subsequently incorporated in whole or in part into the MMC, (1) had no cover texts or invariant sections, and (2) were thus incorporated prior to November 1, 2008. The operator of an MMC Site may republish an MMC contained in the site under CC-BY-SA on the same site at any time before August 1, 2009, provided the MMC is eligible for relicensing. ================================================ FILE: dpkg/changelog.in ================================================ libevtx (@VERSION@-1) unstable; urgency=low * Auto-generated -- Joachim Metz @DPKG_DATE@ ================================================ FILE: dpkg/compat ================================================ 10 ================================================ FILE: dpkg/control ================================================ Source: libevtx Priority: extra Maintainer: Joachim Metz Build-Depends: debhelper (>= 9), dh-autoreconf, dh-python, pkg-config, python3-dev, python3-setuptools Standards-Version: 4.1.4 Section: libs Homepage: https://github.com/libyal/libevtx Vcs-Git: https://github.com/libyal/libevtx.git Package: libevtx Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends} Conflicts: libevtx1 Replaces: libevtx1 Suggests: libevtx-dbg Description: Library to access the Windows XML Event Log (EVTX) format libevtx is a library to access the Windows XML Event Log (EVTX) format. 
Package: libevtx-dbg Architecture: any Section: debug Depends: libevtx (= ${binary:Version}), ${misc:Depends} Description: Debugging symbols for libevtx Debugging symbols for libevtx. Package: libevtx-dev Section: libdevel Architecture: any Depends: libevtx (= ${binary:Version}), ${misc:Depends} Description: Header files and libraries for developing applications for libevtx Header files and libraries for developing applications for libevtx. Package: libevtx-tools Section: utils Architecture: any Depends: libevtx (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends} Conflicts: libevtx-utils Replaces: libevtx-utils Description: Several tools for reading Windows XML Event Log (EVTX) files Several tools for reading Windows XML Event Log (EVTX) files. Package: libevtx-tools-dbg Section: debug Architecture: any Depends: libevtx-tools (= ${binary:Version}), ${misc:Depends} Description: Debugging symbols for libevtx-tools Debugging symbols for libevtx-tools. Package: libevtx-python3 Section: python Architecture: any Depends: libevtx (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends} Conflicts: python3-libevtx Replaces: python3-libevtx Suggests: libevtx-python3-dbg Description: Python 3 bindings for libevtx Python 3 bindings for libevtx. Package: libevtx-python3-dbg Section: debug Architecture: any Depends: libevtx-python3 (= ${binary:Version}), ${misc:Depends} Description: Debugging symbols for libevtx-python3 Debugging symbols for libevtx-python3. 
================================================ FILE: dpkg/copyright ================================================ Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: libevtx Source: https://github.com/libyal/libevtx Files: * Copyright: 2011-2025, Joachim Metz License: LGPL-3.0+ License: LGPL-3.0+ This package is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. . This package is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. . You should have received a copy of the GNU General Public License along with this program. If not, see . . On Debian systems, the complete text of the GNU Lesser General Public License can be found in "/usr/share/common-licenses/LGPL-3". ================================================ FILE: dpkg/libevtx-dev.install ================================================ usr/include/* usr/lib/*-*/lib*.a usr/lib/*-*/lib*.so usr/lib/*-*/pkgconfig/* usr/share/man/man3 ================================================ FILE: dpkg/libevtx-python3.install ================================================ /usr/lib/python3* ================================================ FILE: dpkg/libevtx-tools.install ================================================ usr/bin usr/share/man/man1 ================================================ FILE: dpkg/libevtx.install ================================================ usr/lib/*-*/lib*.so.* ================================================ FILE: dpkg/rules ================================================ #!/usr/bin/make -f # -*- makefile -*- # Uncomment for debhelper verbose output. 
# export DH_VERBOSE=1 export SKIP_PYTHON_TESTS=1 %: dh $@ --buildsystem=autoconf --with=autoreconf,python3 .PHONY: override_dh_auto_configure override_dh_auto_configure: dh_auto_configure -- --enable-python CFLAGS="-g" .PHONY: override_dh_install override_dh_install: dh_install --fail-missing -X.la -X/pyevtx.a .PHONY: override_dh_missing override_dh_missing: dh_missing -X.la -X/pyevtx.a --fail-missing .PHONY: override_dh_strip override_dh_strip: ifeq (,$(filter nostrip,$(DEB_BUILD_OPTIONS))) dh_strip -plibevtx --dbg-package=libevtx-dbg dh_strip -plibevtx-tools --dbg-package=libevtx-tools-dbg dh_strip -plibevtx-python3 --dbg-package=libevtx-python3-dbg endif ================================================ FILE: dpkg/source/format ================================================ 3.0 (quilt) ================================================ FILE: dtfabric.yaml ================================================ name: evtx type: format description: Windows XML Event Log (EVTX) format urls: ["https://github.com/libyal/libevtx/blob/main/documentation/Windows%20XML%20Event%20Log%20(EVTX).asciidoc" metadata: authors: ['Joachim Metz '] year: 2011 attributes: byte_order: little-endian layout: - data_type: file_header offset: 0 --- name: byte type: integer attributes: format: unsigned size: 1 units: bytes --- name: uint32 type: integer attributes: format: unsigned size: 4 units: bytes --- name: uint64 type: integer attributes: format: unsigned size: 8 units: bytes --- name: file_header type: structure description: File header members: - name: signature type: stream element_data_type: byte elements_data_size: 8 value: "ElfFile\x00" - name: first_chunk_number data_type: uint64 - name: last_chunk_number data_type: uint64 - name: next_record_identifier data_type: uint64 - name: header_size data_type: uint32 - name: minor_format_version data_type: uint16 - name: major_format_version data_type: uint16 - name: header_block_size data_type: uint16 - name: number_of_chunks data_type: 
uint16 - name: unknown1 type: stream element_data_type: byte elements_data_size: 76 - name: file_flags data_type: uint32 - name: checksum data_type: uint32 ================================================ FILE: evtxtools/Makefile.am ================================================ AM_CPPFLAGS = \ -I../include -I$(top_srcdir)/include \ -I../common -I$(top_srcdir)/common \ @LIBCERROR_CPPFLAGS@ \ @LIBCDATA_CPPFLAGS@ \ @LIBCTHREADS_CPPFLAGS@ \ @LIBCLOCALE_CPPFLAGS@ \ @LIBCNOTIFY_CPPFLAGS@ \ @LIBCSPLIT_CPPFLAGS@ \ @LIBUNA_CPPFLAGS@ \ @LIBCFILE_CPPFLAGS@ \ @LIBCPATH_CPPFLAGS@ \ @LIBBFIO_CPPFLAGS@ \ @LIBFCACHE_CPPFLAGS@ \ @LIBFDATA_CPPFLAGS@ \ @LIBFDATETIME_CPPFLAGS@ \ @LIBFGUID_CPPFLAGS@ \ @LIBFVALUE_CPPFLAGS@ \ @LIBFWEVT_CPPFLAGS@ \ @LIBFWNT_CPPFLAGS@ \ @LIBEXE_CPPFLAGS@ \ @LIBREGF_CPPFLAGS@ \ @LIBWRC_CPPFLAGS@ \ @LIBCDIRECTORY_CPPFLAGS@ \ @PTHREAD_CPPFLAGS@ \ @LIBEVTX_DLL_IMPORT@ AM_LDFLAGS = @STATIC_LDFLAGS@ bin_PROGRAMS = \ evtxexport \ evtxinfo evtxexport_SOURCES = \ evtxexport.c \ evtxinput.c evtxinput.h \ evtxtools_getopt.c evtxtools_getopt.h \ evtxtools_i18n.h \ evtxtools_libbfio.h \ evtxtools_libcdirectory.h \ evtxtools_libcerror.h \ evtxtools_libclocale.h \ evtxtools_libcnotify.h \ evtxtools_libcpath.h \ evtxtools_libcsplit.h \ evtxtools_libevtx.h \ evtxtools_libfcache.h \ evtxtools_libfdatetime.h \ evtxtools_libfguid.h \ evtxtools_libfvalue.h \ evtxtools_libfwevt.h \ evtxtools_libfwnt.h \ evtxtools_libexe.h \ evtxtools_libregf.h \ evtxtools_libuna.h \ evtxtools_libwrc.h \ evtxtools_output.c evtxtools_output.h \ evtxtools_signal.c evtxtools_signal.h \ evtxtools_system_split_string.h \ evtxtools_unused.h \ evtxtools_wide_string.c evtxtools_wide_string.h \ export_handle.c export_handle.h \ log_handle.c log_handle.h \ message_handle.c message_handle.h \ message_string.c message_string.h \ path_handle.c path_handle.h \ registry_file.c registry_file.h \ resource_file.c resource_file.h evtxexport_LDADD = \ @LIBREGF_LIBADD@ \ @LIBWRC_LIBADD@ \ @LIBEXE_LIBADD@ \ 
@LIBFVALUE_LIBADD@ \ @LIBFWNT_LIBADD@ \ @LIBFWEVT_LIBADD@ \ @LIBFGUID_LIBADD@ \ @LIBFDATETIME_LIBADD@ \ @LIBFDATA_LIBADD@ \ @LIBFCACHE_LIBADD@ \ @LIBBFIO_LIBADD@ \ @LIBCPATH_LIBADD@ \ @LIBCFILE_LIBADD@ \ @LIBCDIRECTORY_LIBADD@ \ @LIBUNA_LIBADD@ \ @LIBCSPLIT_LIBADD@ \ @LIBCNOTIFY_LIBADD@ \ @LIBCLOCALE_LIBADD@ \ @LIBCDATA_LIBADD@ \ ../libevtx/libevtx.la \ @LIBCTHREADS_LIBADD@ \ @LIBCERROR_LIBADD@ \ @LIBINTL@ \ @PTHREAD_LIBADD@ evtxinfo_SOURCES = \ evtxinfo.c \ evtxinput.c evtxinput.h \ evtxtools_getopt.c evtxtools_getopt.h \ evtxtools_i18n.h \ evtxtools_libcerror.h \ evtxtools_libclocale.h \ evtxtools_libcnotify.h \ evtxtools_libevtx.h \ evtxtools_libfdatetime.h \ evtxtools_libfguid.h \ evtxtools_libfvalue.h \ evtxtools_libfwnt.h \ evtxtools_libuna.h \ evtxtools_output.c evtxtools_output.h \ evtxtools_signal.c evtxtools_signal.h \ evtxtools_wide_string.c evtxtools_wide_string.h \ evtxtools_unused.h \ info_handle.c info_handle.h evtxinfo_LDADD = \ @LIBUNA_LIBADD@ \ @LIBCSPLIT_LIBADD@ \ @LIBCNOTIFY_LIBADD@ \ @LIBCLOCALE_LIBADD@ \ ../libevtx/libevtx.la \ @LIBCTHREADS_LIBADD@ \ @LIBCERROR_LIBADD@ \ @LIBINTL@ \ @PTHREAD_LIBADD@ DISTCLEANFILES = \ Makefile \ Makefile.in splint-local: @echo "Running splint on evtxexport ..." -splint -preproc -redef $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(evtxexport_SOURCES) @echo "Running splint on evtxinfo ..." -splint -preproc -redef $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(evtxinfo_SOURCES) ================================================ FILE: evtxtools/evtxexport.c ================================================ /* * Extracts items from a Windows XML Event Viewer Log (EVTX) file * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. 
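*
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program.  If not, see <https://www.gnu.org/licenses/>.
 */

/* NOTE(review): the header names of the four bare #include lines below
 * are missing in this listing; they are kept as found.
 */
#include
#include
#include
#include

#if defined( HAVE_UNISTD_H )
#include <unistd.h>
#endif

#if defined( HAVE_STDLIB_H ) || defined( WINAPI )
#include <stdlib.h>
#endif

#include "evtxtools_getopt.h"
#include "evtxtools_libcerror.h"
#include "evtxtools_libclocale.h"
#include "evtxtools_libcnotify.h"
#include "evtxtools_libevtx.h"
#include "evtxtools_output.h"
#include "evtxtools_signal.h"
#include "evtxtools_unused.h"
#include "export_handle.h"
#include "log_handle.h"

/* Export handle shared between main and the signal handler
 */
export_handle_t *evtxexport_export_handle = NULL;

/* Set to 1 by the signal handler.
 * NOTE(review): a flag written from a signal handler is normally declared
 * volatile sig_atomic_t; the type is left as is because other translation
 * units may declare it.
 */
int evtxexport_abort = 0;

/* Prints the executable usage information
 * Does nothing when stream is NULL
 */
void usage_fprint(
      FILE *stream )
{
	if( stream == NULL )
	{
		return;
	}
	fprintf( stream, "Use evtxexport to export items stored in a Windows XML Event Viewer\n"
	                 "Log (EVTX) file.\n\n" );

	fprintf( stream, "Usage: evtxexport [ -c codepage ] [ -f format ] [ -l log_file ]\n"
	                 " [ -m mode ] [ -p resource_files_path ]\n"
	                 " [ -r registry_files_path ] [ -s system_file ]\n"
	                 " [ -S software_file ] [ -t event_log_type ]\n"
	                 " [ -hTvV ] source\n\n" );

	fprintf( stream, "\tsource: the source file\n\n" );

	fprintf( stream, "\t-c: codepage of ASCII strings, options: ascii, windows-874,\n"
	                 "\t windows-932, windows-936, windows-949, windows-950,\n"
	                 "\t windows-1250, windows-1251, windows-1252 (default),\n"
	                 "\t windows-1253, windows-1254, windows-1255, windows-1256\n"
	                 "\t windows-1257 or windows-1258\n" );
	fprintf( stream, "\t-f: output format, options: xml, text (default)\n" );
	fprintf( stream, "\t-h: shows this help\n" );
	fprintf( stream, "\t-l: logs information about the exported items\n" );
	fprintf( stream, "\t-m: export mode, option: all, items (default), recovered\n"
	                 "\t 'all' exports the (allocated) items and recovered items,\n"
	                 "\t 'items' exports the (allocated) items and 'recovered' exports\n"
	                 "\t the recovered items\n" );
	fprintf( stream, "\t-p: search PATH for the resource files\n" );
	fprintf( stream, "\t-r: name of the directory containing the SOFTWARE and SYSTEM\n"
	                 "\t (Windows) Registry file\n" );
	fprintf( stream, "\t-s: filename of the SYSTEM (Windows) Registry file.\n"
	                 "\t This option overrides the path provided by -r\n" );
	fprintf( stream, "\t-S: filename of the SOFTWARE (Windows) Registry file.\n"
	                 "\t This option overrides the path provided by -r\n" );
	fprintf( stream, "\t-t: event log type, options: application, security, system\n"
	                 "\t if not specified the event log type is determined based\n"
	                 "\t on the filename.\n" );
	fprintf( stream, "\t-T: use event template definitions to parse the event record data\n" );
	fprintf( stream, "\t-v: verbose output to stderr\n" );
	fprintf( stream, "\t-V: print version\n" );
}

/* Signal handler for evtxexport
 * Sets the abort flag, asks the export handle to abort and closes stdin
 *
 * NOTE(review): the notify and error helpers called here run in signal
 * context; whether they are async-signal-safe cannot be told from this
 * file - confirm. No call that installs this handler is visible in main
 * below - confirm where it is attached.
 */
void evtxexport_signal_handler(
      evtxtools_signal_t signal EVTXTOOLS_ATTRIBUTE_UNUSED )
{
	libcerror_error_t *error = NULL;
	static char *function    = "evtxexport_signal_handler";

	EVTXTOOLS_UNREFERENCED_PARAMETER( signal )

	evtxexport_abort = 1;

	if( evtxexport_export_handle != NULL )
	{
		if( export_handle_signal_abort(
		     evtxexport_export_handle,
		     &error ) != 1 )
		{
			libcnotify_printf(
			 "%s: unable to signal export handle to abort.\n",
			 function );

			libcnotify_print_error_backtrace(
			 error );
			libcerror_error_free(
			 &error );
		}
	}
	/* Force stdin to close otherwise any function reading it will remain blocked
	 */
#if defined( WINAPI ) && !defined( __CYGWIN__ )
	if( _close(
	     0 ) != 0 )
#else
	if( close(
	     0 ) != 0 )
#endif
	{
		libcnotify_printf(
		 "%s: unable to close stdin.\n",
		 function );
	}
}

/* The main program
 * Parses the command line, configures the export handle from the options,
 * opens the log file and the source file and exports the records.
 * Returns EXIT_SUCCESS if successful or EXIT_FAILURE on error
 */
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
int wmain( int argc, wchar_t * const argv[] )
#else
int main( int argc, char * const argv[] )
#endif
{
	libcerror_error_t *error                              = NULL;
	log_handle_t *log_handle                              = NULL;
	system_character_t *option_ascii_codepage             = NULL;
	system_character_t *option_event_log_type             = NULL;
	system_character_t *option_export_format              = NULL;
	system_character_t *option_export_mode                = NULL;
	system_character_t *option_log_filename               = NULL;
	system_character_t *option_resource_files_path        = NULL;
	system_character_t *option_preferred_language         = NULL;
	system_character_t *option_registry_directory_name    = NULL;
	system_character_t *option_software_registry_filename = NULL;
	system_character_t *option_system_registry_filename   = NULL;
	system_character_t *source                            = NULL;
	char *program                                         = "evtxexport";
	system_integer_t option                               = 0;
	int result                                            = 0;
	int use_template_definition                           = 0;
	int verbose                                           = 0;

	libcnotify_stream_set(
	 stderr,
	 NULL );
	libcnotify_verbose_set(
	 1 );

	if( libclocale_initialize(
	     "evtxtools",
	     &error ) != 1 )
	{
		fprintf( stderr, "Unable to initialize locale values.\n" );

		goto on_error;
	}
	if( evtxtools_output_initialize(
	     _IONBF,
	     &error ) != 1 )
	{
		fprintf( stderr, "Unable to initialize output settings.\n" );

		goto on_error;
	}
	evtxoutput_version_fprint(
	 stdout,
	 program );

	while( ( option = evtxtools_getopt(
	                   argc,
	                   argv,
	                   _SYSTEM_STRING( "c:f:hl:m:p:r:s:S:t:TvV" ) ) ) != (system_integer_t) -1 )
	{
		switch( option )
		{
			case (system_integer_t) '?':
			default:
				fprintf( stderr, "Invalid argument: %" PRIs_SYSTEM "\n", argv[ optind - 1 ] );

				usage_fprint(
				 stdout );

				return( EXIT_FAILURE );

			case (system_integer_t) 'c':
				option_ascii_codepage = optarg;

				break;

			case (system_integer_t) 'f':
				option_export_format = optarg;

				break;

			case (system_integer_t) 'h':
				usage_fprint(
				 stdout );

				return( EXIT_SUCCESS );

			case (system_integer_t) 'l':
				option_log_filename = optarg;

				break;

			case (system_integer_t) 'm':
				option_export_mode = optarg;

				break;

			case (system_integer_t) 'p':
				option_resource_files_path = optarg;

				break;

			case (system_integer_t) 'r':
				option_registry_directory_name = optarg;

				break;

			case (system_integer_t) 's':
				option_system_registry_filename = optarg;

				break;

			case (system_integer_t) 'S':
				option_software_registry_filename = optarg;

				break;

			case (system_integer_t) 't':
				option_event_log_type = optarg;

				break;

			case (system_integer_t) 'T':
				use_template_definition = 1;

				break;

			case (system_integer_t) 'v':
				verbose = 1;

				break;

			case (system_integer_t) 'V':
				evtxoutput_copyright_fprint(
				 stdout );

				return( EXIT_SUCCESS );
		}
	}
	if( optind == argc )
	{
		fprintf( stderr, "Missing source file.\n" );

		usage_fprint(
		 stdout );

		return( EXIT_FAILURE );
	}
	source = argv[ optind ];

	libcnotify_verbose_set(
	 verbose );
	libevtx_notify_set_stream(
	 stderr,
	 NULL );
	libevtx_notify_set_verbose(
	 verbose );

	if( log_handle_initialize(
	     &log_handle,
	     &error ) != 1 )
	{
		fprintf( stderr, "Unable to initialize log handle.\n" );

		goto on_error;
	}
	if( export_handle_initialize(
	     &evtxexport_export_handle,
	     &error ) != 1 )
	{
		fprintf( stderr, "Unable to initialize export handle.\n" );

		goto on_error;
	}
	if( option_ascii_codepage != NULL )
	{
		result = export_handle_set_ascii_codepage(
		          evtxexport_export_handle,
		          option_ascii_codepage,
		          &error );

		if( result == -1 )
		{
			fprintf( stderr, "Unable to set ASCII codepage in export handle.\n" );

			goto on_error;
		}
		else if( result == 0 )
		{
			fprintf( stderr, "Unsupported ASCII codepage defaulting to: windows-1252.\n" );
		}
	}
	if( option_event_log_type != NULL )
	{
		result = export_handle_set_event_log_type(
		          evtxexport_export_handle,
		          option_event_log_type,
		          &error );

		if( result == -1 )
		{
			fprintf( stderr, "Unable to set event log type in export handle.\n" );

			goto on_error;
		}
	}
	/* Fall back to the filename when -t was not given or its value was not
	 * accepted (result of 0). This test sits directly after the -t handling
	 * so that result still holds the outcome of export_handle_set_event_log_type;
	 * placed after the -f and -m handling it would read their result instead
	 * and could skip the fallback or override a valid -t value.
	 */
	if( ( option_event_log_type == NULL )
	 || ( result == 0 ) )
	{
		result = export_handle_set_event_log_type_from_filename(
		          evtxexport_export_handle,
		          source,
		          &error );

		if( result == -1 )
		{
			fprintf( stderr, "Unable to set event log type from filename in export handle.\n" );

			goto on_error;
		}
	}
	if( option_export_format != NULL )
	{
		result = export_handle_set_export_format(
		          evtxexport_export_handle,
		          option_export_format,
		          &error );

		if( result == -1 )
		{
			fprintf( stderr, "Unable to set export format.\n" );

			goto on_error;
		}
		else if( result == 0 )
		{
			fprintf( stderr, "Unsupported export format defaulting to: text.\n" );
		}
	}
	if( option_export_mode != NULL )
	{
		result = export_handle_set_export_mode(
		          evtxexport_export_handle,
		          option_export_mode,
		          &error );

		if( result == -1 )
		{
			fprintf( stderr, "Unable to set export mode.\n" );

			goto on_error;
		}
		else if( result == 0 )
		{
			fprintf( stderr, "Unsupported export mode defaulting to: items.\n" );
		}
	}
	if( option_resource_files_path != NULL )
	{
		if( export_handle_set_resource_files_path(
		     evtxexport_export_handle,
		     option_resource_files_path,
		     &error ) != 1 )
		{
			fprintf( stderr, "Unable to set resource files path in export handle.\n" );

			goto on_error;
		}
	}
	if( option_software_registry_filename != NULL )
	{
		if( export_handle_set_software_registry_filename(
		     evtxexport_export_handle,
		     option_software_registry_filename,
		     &error ) != 1 )
		{
			fprintf( stderr, "Unable to set software registry filename in export handle.\n" );

			goto on_error;
		}
	}
	if( option_system_registry_filename != NULL )
	{
		if( export_handle_set_system_registry_filename(
		     evtxexport_export_handle,
		     option_system_registry_filename,
		     &error ) != 1 )
		{
			fprintf( stderr, "Unable to set system registry filename in export handle.\n" );

			goto on_error;
		}
	}
	if( option_registry_directory_name != NULL )
	{
		if( export_handle_set_registry_directory_name(
		     evtxexport_export_handle,
		     option_registry_directory_name,
		     &error ) != 1 )
		{
			fprintf( stderr, "Unable to set registry directory name in export handle.\n" );

			goto on_error;
		}
	}
	/* No option in the getopt string assigns option_preferred_language,
	 * so this branch is not reached at present
	 */
	if( option_preferred_language != NULL )
	{
		/* TODO set preferred language identifier from input */
		if( export_handle_set_preferred_language_identifier(
		     evtxexport_export_handle,
		     0x0409,
		     &error ) != 1 )
		{
			fprintf( stderr, "Unable to set preferred language identifier in export handle.\n" );

			goto on_error;
		}
	}
	evtxexport_export_handle->use_template_definition = use_template_definition;
	evtxexport_export_handle->verbose                 = verbose;

	if( log_handle_open(
	     log_handle,
	     option_log_filename,
	     &error ) != 1 )
	{
		/* -l is optional, so the filename can be NULL here;
		 * a NULL pointer must not be handed to the string conversion
		 */
		if( option_log_filename != NULL )
		{
			fprintf( stderr, "Unable to open log file: %" PRIs_SYSTEM ".\n", option_log_filename );
		}
		else
		{
			fprintf( stderr, "Unable to open log file.\n" );
		}
		goto on_error;
	}
	if( export_handle_open_input(
	     evtxexport_export_handle,
	     source,
	     &error ) != 1 )
	{
		fprintf( stderr, "Unable to open: %" PRIs_SYSTEM ".\n", source );

		goto on_error;
	}
	result = export_handle_export_file(
	          evtxexport_export_handle,
	          log_handle,
	          &error );

	if( result == -1 )
	{
		fprintf( stderr, "Unable to export file.\n" );

		goto on_error;
	}
	if( export_handle_close_input(
	     evtxexport_export_handle,
	     &error ) != 0 )
	{
		fprintf( stderr, "Unable to close export handle.\n" );

		goto on_error;
	}
	if( export_handle_free(
	     &evtxexport_export_handle,
	     &error ) != 1 )
	{
		fprintf( stderr, "Unable to free export handle.\n" );

		goto on_error;
	}
	if( log_handle_close(
	     log_handle,
	     &error ) != 0 )
	{
		fprintf( stderr, "Unable to close log handle.\n" );

		goto on_error;
	}
	if( log_handle_free(
	     &log_handle,
	     &error ) != 1 )
	{
		fprintf( stderr, "Unable to free log handle.\n" );

		goto on_error;
	}
	/* result still holds the outcome of export_handle_export_file
	 */
	if( result == 0 )
	{
		fprintf( stdout, "No records to export.\n" );
	}
	return( EXIT_SUCCESS );

on_error:
	if( error != NULL )
	{
		libcnotify_print_error_backtrace(
		 error );
		libcerror_error_free(
		 &error );
	}
	if( evtxexport_export_handle != NULL )
	{
		export_handle_free(
		 &evtxexport_export_handle,
		 NULL );
	}
	if( log_handle != NULL )
	{
		log_handle_free(
		 &log_handle,
		 NULL );
	}
	return( EXIT_FAILURE );
}

================================================
FILE: evtxtools/evtxinfo.c
================================================
/*
 * Shows information obtained from a Windows XML Event Viewer Log (EVTX) file
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.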
*
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program.  If not, see <https://www.gnu.org/licenses/>.
 */

/* NOTE(review): the header names of the bare #include lines below
 * are missing in this listing; they are kept as found.
 */
#include
#include
#include
#include
#include

#if defined( HAVE_UNISTD_H )
#include
#endif

#if defined( HAVE_STDLIB_H ) || defined( WINAPI )
#include
#endif

#include "evtxtools_getopt.h"
#include "evtxtools_libcerror.h"
#include "evtxtools_libclocale.h"
#include "evtxtools_libcnotify.h"
#include "evtxtools_libevtx.h"
#include "evtxtools_output.h"
#include "evtxtools_signal.h"
#include "evtxtools_unused.h"
#include "info_handle.h"

/* Info handle shared between main and the signal handler
 */
info_handle_t *evtxinfo_info_handle = NULL;

/* Set to 1 by the signal handler
 * NOTE(review): a flag written from a signal handler is normally declared
 * volatile sig_atomic_t - confirm whether other files declare it as int.
 */
int evtxinfo_abort = 0;

/* Prints the executable usage information
 * Does nothing when stream is NULL
 */
void usage_fprint(
      FILE *stream )
{
	if( stream == NULL )
	{
		return;
	}
	fprintf( stream, "Use evtxinfo to determine information about a Windows XML Event Viewer\n"
	                 "Log (EVTX) file\n\n" );

	fprintf( stream, "Usage: evtxinfo [ -c codepage ] [ -hvV ] source\n\n" );

	fprintf( stream, "\tsource: the source file\n\n" );

	fprintf( stream, "\t-c: codepage of ASCII strings, options: ascii, windows-874,\n"
	                 "\t windows-932, windows-936, windows-949, windows-950,\n"
	                 "\t windows-1250, windows-1251, windows-1252 (default),\n"
	                 "\t windows-1253, windows-1254, windows-1255, windows-1256\n"
	                 "\t windows-1257 or windows-1258\n" );
	fprintf( stream, "\t-h: shows this help\n" );
	fprintf( stream, "\t-v: verbose output to stderr\n" );
	fprintf( stream, "\t-V: print version\n" );
}

/* Signal handler for evtxinfo
 * Sets the abort flag, asks the info handle to abort and closes stdin
 *
 * NOTE(review): the notify and error helpers called here run in signal
 * context; whether they are async-signal-safe cannot be told from this
 * file - confirm. No call that installs this handler is visible in main
 * below - confirm where it is attached.
 */
void evtxinfo_signal_handler(
      evtxtools_signal_t signal EVTXTOOLS_ATTRIBUTE_UNUSED )
{
	libcerror_error_t *error = NULL;
	static char *function    = "evtxinfo_signal_handler";

	EVTXTOOLS_UNREFERENCED_PARAMETER( signal )

	evtxinfo_abort = 1;

	if( evtxinfo_info_handle != NULL )
	{
		if( info_handle_signal_abort(
		     evtxinfo_info_handle,
		     &error ) != 1 )
		{
			libcnotify_printf(
			 "%s: unable to signal info handle to abort.\n",
			 function );

			libcnotify_print_error_backtrace(
			 error );
			libcerror_error_free(
			 &error );
		}
	}
	/* Force stdin to close otherwise any function reading it will remain blocked
	 */
#if defined( WINAPI ) && !defined( __CYGWIN__ )
	if( _close(
	     0 ) != 0 )
#else
	if( close(
	     0 ) != 0 )
#endif
	{
		libcnotify_printf(
		 "%s: unable to close stdin.\n",
		 function );
	}
}

/* The main program
 * Parses the command line, configures the info handle, opens the source
 * file and prints its information.
 * Returns EXIT_SUCCESS if successful or EXIT_FAILURE on error
 */
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
int wmain( int argc, wchar_t * const argv[] )
#else
int main( int argc, char * const argv[] )
#endif
{
	libevtx_error_t *error                    = NULL;
	system_character_t *option_ascii_codepage = NULL;
	system_character_t *source                = NULL;
	char *program                             = "evtxinfo";
	system_integer_t option                   = 0;
	int result                                = 0;
	int verbose                               = 0;

	/* Notifications go to stderr; verbose until the options are parsed
	 */
	libcnotify_stream_set(
	 stderr,
	 NULL );
	libcnotify_verbose_set(
	 1 );

	if( libclocale_initialize(
	     "evtxtools",
	     &error ) != 1 )
	{
		fprintf( stderr, "Unable to initialize locale values.\n" );

		goto on_error;
	}
	if( evtxtools_output_initialize(
	     _IONBF,
	     &error ) != 1 )
	{
		fprintf( stderr, "Unable to initialize output settings.\n" );

		goto on_error;
	}
	evtxoutput_version_fprint(
	 stdout,
	 program );

	while( ( option = evtxtools_getopt(
	                   argc,
	                   argv,
	                   _SYSTEM_STRING( "c:hvV" ) ) ) != (system_integer_t) -1 )
	{
		switch( option )
		{
			case (system_integer_t) '?':
			default:
				fprintf( stderr, "Invalid argument: %" PRIs_SYSTEM "\n", argv[ optind - 1 ] );

				usage_fprint(
				 stdout );

				return( EXIT_FAILURE );

			case (system_integer_t) 'c':
				option_ascii_codepage = optarg;

				break;

			case (system_integer_t) 'h':
				usage_fprint(
				 stdout );

				return( EXIT_SUCCESS );

			case (system_integer_t) 'v':
				verbose = 1;

				break;

			case (system_integer_t) 'V':
				evtxoutput_copyright_fprint(
				 stdout );

				return( EXIT_SUCCESS );
		}
	}
	/* The first non-option argument is the source file
	 */
	if( optind == argc )
	{
		fprintf( stderr, "Missing source file.\n" );

		usage_fprint(
		 stdout );

		return( EXIT_FAILURE );
	}
	source = argv[ optind ];

	libcnotify_verbose_set(
	 verbose );
	libevtx_notify_set_stream(
	 stderr,
	 NULL );
	libevtx_notify_set_verbose(
	 verbose );

	if( info_handle_initialize(
	     &evtxinfo_info_handle,
	     &error ) != 1 )
	{
		fprintf( stderr, "Unable to initialize info handle.\n" );

		goto on_error;
	}
	if( option_ascii_codepage != NULL )
	{
		result = info_handle_set_ascii_codepage(
		          evtxinfo_info_handle,
		          option_ascii_codepage,
		          &error );

		if( result == -1 )
		{
			fprintf( stderr, "Unable to set ASCII codepage in info handle.\n" );

			goto on_error;
		}
		else if( result == 0 )
		{
			/* An unsupported value is reported and processing continues
			 */
			fprintf( stderr, "Unsupported ASCII codepage defaulting to: windows-1252.\n" );
		}
	}
	/* Only -1 is treated as an error here; any other result continues
	 */
	result = info_handle_set_event_log_type_from_filename(
	          evtxinfo_info_handle,
	          source,
	          &error );

	if( result == -1 )
	{
		fprintf( stderr, "Unable to set event log type from filename in info handle.\n" );

		goto on_error;
	}
	if( info_handle_open(
	     evtxinfo_info_handle,
	     source,
	     &error ) != 1 )
	{
		fprintf( stderr, "Unable to open: %" PRIs_SYSTEM ".\n", source );

		goto on_error;
	}
	if( info_handle_file_fprint(
	     evtxinfo_info_handle,
	     &error ) != 1 )
	{
		fprintf( stderr, "Unable to print file information.\n" );

		goto on_error;
	}
	if( info_handle_close(
	     evtxinfo_info_handle,
	     &error ) != 0 )
	{
		fprintf( stderr, "Unable to close info handle.\n" );

		goto on_error;
	}
	if( info_handle_free(
	     &evtxinfo_info_handle,
	     &error ) != 1 )
	{
		fprintf( stderr, "Unable to free info handle.\n" );

		goto on_error;
	}
	return( EXIT_SUCCESS );

	/* Shared cleanup: print and free the error, then free the handle if set
	 */
on_error:
	if( error != NULL )
	{
		libcnotify_print_error_backtrace(
		 error );
		libcerror_error_free(
		 &error );
	}
	if( evtxinfo_info_handle != NULL )
	{
		info_handle_free(
		 &evtxinfo_info_handle,
		 NULL );
	}
	return( EXIT_FAILURE );
}

================================================
FILE: evtxtools/evtxinput.c
================================================
/*
 * Common input functions
for the evtxtools
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see .
 */

#include
#include
#include
#include
#include

#include "evtxinput.h"
#include "evtxtools_libcerror.h"
#include "evtxtools_libcpath.h"
#include "evtxtools_libevtx.h"
#include "evtxtools_wide_string.h"

/* Maps a log name onto an EVTXTOOLS_EVENT_LOG_TYPE_* value
 * The names "system", "security" and "application" are recognised,
 * compared without regard to case
 * On a return value of 0 the value behind event_log_type is left untouched
 * Returns 1 if successful, 0 if unsupported value or -1 on error
 */
int evtxinput_determine_event_log_type(
     const system_character_t *string,
     int *event_log_type,
     libcerror_error_t **error )
{
	static char *function = "evtxinput_determine_event_log_type";
	size_t name_length    = 0;
	int is_supported      = 0;

	if( string == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid string.",
		 function );

		return( -1 );
	}
	if( event_log_type == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid event log type.",
		 function );

		return( -1 );
	}
	name_length = system_string_length(
	               string );

	/* Every supported name has a different length, so the length selects
	 * the one candidate that is then compared over its full length
	 */
	switch( name_length )
	{
		case 6:
			if( system_string_compare_no_case(
			     string,
			     _SYSTEM_STRING( "system" ),
			     6 ) == 0 )
			{
				*event_log_type = EVTXTOOLS_EVENT_LOG_TYPE_SYSTEM;
				is_supported    = 1;
			}
			break;

		case 8:
			if( system_string_compare_no_case(
			     string,
			     _SYSTEM_STRING( "security" ),
			     8 ) == 0 )
			{
				*event_log_type = EVTXTOOLS_EVENT_LOG_TYPE_SECURITY;
				is_supported    = 1;
			}
			break;

		case 11:
			if( system_string_compare_no_case(
			     string,
			     _SYSTEM_STRING( "application" ),
			     11 ) == 0 )
			{
				*event_log_type = EVTXTOOLS_EVENT_LOG_TYPE_APPLICATION;
				is_supported    = 1;
			}
			break;

		default:
			break;
	}
	return( is_supported );
}

/* Maps the name of an event log file onto an EVTXTOOLS_EVENT_LOG_TYPE_* value
 * Only the part after the last LIBCPATH_SEPARATOR is looked at and it is
 * compared without regard to case; the result therefore reflects what the
 * file is called, the file itself is not read here
 * On a return value of 0 the value behind event_log_type is left untouched
 * Returns 1 if successful, 0 if unsupported value or -1 on error
 */
int evtxinput_determine_event_log_type_from_filename(
     const system_character_t *filename,
     int *event_log_type,
     libcerror_error_t **error )
{
	const system_character_t *base_name = NULL;
	static char *function               = "evtxinput_determine_event_log_type_from_filename";
	size_t base_name_length             = 0;
	int is_supported                    = 0;

	if( filename == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid filename.",
		 function );

		return( -1 );
	}
	if( event_log_type == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid event log type.",
		 function );

		return( -1 );
	}
	base_name_length = system_string_length(
	                    filename );

	base_name = system_string_search_character_reverse(
	             filename,
	             (system_character_t) LIBCPATH_SEPARATOR,
	             base_name_length );

	if( base_name != NULL )
	{
		/* Step over the separator and measure what follows it
		 */
		base_name       += 1;
		base_name_length = system_string_length(
		                    base_name );
	}
	else
	{
		/* No separator: the whole string is the file name
		 */
		base_name = filename;
	}
	/* Every supported file name has a different length, so the length selects
	 * the one candidate that is then compared over its full length
	 */
	switch( base_name_length )
	{
		case 11:
			if( system_string_compare_no_case(
			     base_name,
			     _SYSTEM_STRING( "System.evtx" ),
			     11 ) == 0 )
			{
				*event_log_type = EVTXTOOLS_EVENT_LOG_TYPE_SYSTEM;
				is_supported    = 1;
			}
			break;

		case 13:
			if( system_string_compare_no_case(
			     base_name,
			     _SYSTEM_STRING( "Security.evtx" ),
			     13 ) == 0 )
			{
				*event_log_type = EVTXTOOLS_EVENT_LOG_TYPE_SECURITY;
				is_supported    = 1;
			}
			break;

		case 16:
			if( system_string_compare_no_case(
			     base_name,
			     _SYSTEM_STRING( "Application.evtx" ),
			     16 ) == 0 )
			{
				*event_log_type = EVTXTOOLS_EVENT_LOG_TYPE_APPLICATION;
				is_supported    = 1;
			}
			break;

		case 17:
			if( system_string_compare_no_case(
			     base_name,
			     _SYSTEM_STRING( "Media Center.evtx" ),
			     17 ) == 0 )
			{
				*event_log_type = EVTXTOOLS_EVENT_LOG_TYPE_MEDIA_CENTER;
				is_supported    = 1;
			}
			break;

		case 19:
			if( system_string_compare_no_case(
			     base_name,
			     _SYSTEM_STRING( "HardwareEvents.evtx" ),
			     19 ) == 0 )
			{
				*event_log_type = EVTXTOOLS_EVENT_LOG_TYPE_HARDWARE_EVENTS;
				is_supported    = 1;
			}
			break;

		case 20:
			if( system_string_compare_no_case(
			     base_name,
			     _SYSTEM_STRING( "DFS Replication.evtx" ),
			     20 ) == 0 )
			{
				*event_log_type = EVTXTOOLS_EVENT_LOG_TYPE_DFS_REPLICATION;
				is_supported    = 1;
			}
			break;

		case 22:
			if( system_string_compare_no_case(
			     base_name,
			     _SYSTEM_STRING( "Internet Explorer.evtx" ),
			     22 ) == 0 )
			{
				*event_log_type = EVTXTOOLS_EVENT_LOG_TYPE_INTERNET_EXPLORER;
				is_supported    = 1;
			}
			break;

		case 27:
			if( system_string_compare_no_case(
			     base_name,
			     _SYSTEM_STRING( "Key Management Service.evtx" ),
			     27 ) == 0 )
			{
				*event_log_type = EVTXTOOLS_EVENT_LOG_TYPE_KEY_MANAGEMENT_SERVICE;
				is_supported    = 1;
			}
			break;

		default:
			break;
	}
	return( is_supported );
}

================================================
FILE: evtxtools/evtxinput.h
================================================
/*
 * Common input functions for the evtxtools
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see .
*/

#if !defined( _EVTXINPUT_H )
#define _EVTXINPUT_H

#include
#include

#include "evtxtools_libcerror.h"

#if defined( __cplusplus )
extern "C" {
#endif

/* The event log types the evtxinput functions can report
 * No explicit values are assigned, so EVTXTOOLS_EVENT_LOG_TYPE_UNKNOWN,
 * being the first enumerator, is 0
 * The two functions below never write EVTXTOOLS_EVENT_LOG_TYPE_UNKNOWN:
 * when they return 0 the caller's value is left as it was
 */
enum EVTXTOOLS_EVENT_LOG_TYPES
{
	EVTXTOOLS_EVENT_LOG_TYPE_UNKNOWN,
	EVTXTOOLS_EVENT_LOG_TYPE_APPLICATION,
	EVTXTOOLS_EVENT_LOG_TYPE_DFS_REPLICATION,
	EVTXTOOLS_EVENT_LOG_TYPE_HARDWARE_EVENTS,
	EVTXTOOLS_EVENT_LOG_TYPE_INTERNET_EXPLORER,
	EVTXTOOLS_EVENT_LOG_TYPE_KEY_MANAGEMENT_SERVICE,
	EVTXTOOLS_EVENT_LOG_TYPE_MEDIA_CENTER,
	EVTXTOOLS_EVENT_LOG_TYPE_SECURITY,
	EVTXTOOLS_EVENT_LOG_TYPE_SYSTEM
};

/* Determines the event log type from a string
 * Returns 1 if successful, 0 if unsupported value or -1 on error
 */
int evtxinput_determine_event_log_type(
     const system_character_t *string,
     int *event_log_type,
     libcerror_error_t **error );

/* Determines the event log type from the filename
 * Only the name of the file is matched, not its content
 * Returns 1 if successful, 0 if unsupported value or -1 on error
 */
int evtxinput_determine_event_log_type_from_filename(
     const system_character_t *filename,
     int *event_log_type,
     libcerror_error_t **error );

#if defined( __cplusplus )
}
#endif

#endif /* !defined( _EVTXINPUT_H ) */

================================================
FILE: evtxtools/evtxtools_getopt.c
================================================
/*
 * GetOpt functions
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see .
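*/

#include
#include
#include
#include
#include

#if defined( HAVE_STDLIB_H ) || defined( WINAPI )
#include
#endif

#include "evtxtools_getopt.h"
#include "evtxtools_libcnotify.h"

#if !defined( HAVE_GETOPT )

/* The option index
 * Start with argument 1 (argument 0 is the program name)
 */
int optind = 1;

/* The current option argument
 */
system_character_t *optarg = NULL;

/* Value to indicate the current option
 */
system_integer_t optopt = 0;

/* The next option in a group
 * Points into the argument that is being processed, or is NULL when the
 * next call has to start with argument_values[ optind ]
 */
system_character_t *next_option = NULL;

/* Get the program options
 * Function for platforms that do not have the getopt function
 *
 * The state is kept in the globals optind, optarg, optopt and next_option,
 * so the function is meant to be called repeatedly on one argument vector
 *
 * Parsing stops, with -1, at the first argument that is empty, that does not
 * start with '-', that is a lone "-" or that starts with "--"; only in the
 * "--" case is optind moved past the argument
 *
 * Returns the option character processed, or -1 on error,
 * ? if the option was not in the options string, : if the option argument was missing
 */
system_integer_t evtxtools_getopt(
                  int argument_count,
                  system_character_t * const argument_values[],
                  const system_character_t *options_string )
{
	system_character_t *argument_value = NULL;
	system_character_t *option_value   = NULL;
	static char *function              = "evtxtools_getopt";
	size_t options_string_length       = 0;

	/* Both pointers are dereferenced below without any further check
	 */
	if( ( argument_values == NULL )
	 || ( options_string == NULL ) )
	{
		return( (system_integer_t) -1 );
	}
	if( next_option != NULL )
	{
		argument_value = next_option;
		next_option    = NULL;
	}
	/* optind is a global that the caller can assign, a negative value
	 * would index in front of argument_values
	 */
	else if( ( optind < 0 )
	      || ( optind >= argument_count ) )
	{
		return( (system_integer_t) -1 );
	}
	else
	{
		argument_value = argument_values[ optind ];

		if( argument_value == NULL )
		{
			return( (system_integer_t) -1 );
		}
		/* Check if the argument value is not an empty string
		 */
		if( *argument_value == (system_character_t) '\0' )
		{
			return( (system_integer_t) -1 );
		}
		/* Check if the first character is a option marker '-'
		 */
		if( *argument_value != (system_character_t) '-' )
		{
			return( (system_integer_t) -1 );
		}
		argument_value++;

		/* A lone "-" carries no option character: without this check
		 * the end-of-string character would be used as the option and
		 * the increment further down would move argument_value past
		 * the end of the string, after which it is dereferenced
		 */
		if( *argument_value == (system_character_t) '\0' )
		{
			return( (system_integer_t) -1 );
		}
		/* Check if long options are provided '--'
		 */
		if( *argument_value == (system_character_t) '-' )
		{
			optind++;

			return( (system_integer_t) -1 );
		}
	}
	options_string_length = system_string_length(
	                         options_string );

	/* argument_value points at a character that is not the end-of-string
	 * character here: either the check above or the grouping code that set
	 * next_option has established that
	 */
	optopt       = *argument_value;
	option_value = system_string_search_character(
	                options_string,
	                optopt,
	                options_string_length );

	argument_value++;

	/* Check if an argument was specified or that the option was not found
	 * in the option string
	 */
	if( ( optopt == (system_integer_t) ':' )
	 || ( option_value == NULL ) )
	{
		/* NOTE(review): when more characters follow the unknown option in
		 * the same argument neither optind nor next_option is advanced,
		 * so a caller that keeps looping after '?' gets the same argument again
		 */
		if( *argument_value == (system_character_t) '\0' )
		{
			optind++;
		}
		if( ( *options_string != (system_character_t) ':' )
		 && ( optopt != (system_integer_t) '?' ) )
		{
			libcnotify_printf(
			 "%s: no such option: %" PRIc_SYSTEM ".\n",
			 function,
			 optopt );
		}
		return( (system_integer_t) '?' );
	}
	option_value++;

	/* Check if no option argument is required
	 */
	if( *option_value != (system_character_t) ':' )
	{
		optarg = NULL;

		if( *argument_value == (system_character_t) '\0' )
		{
			optind++;
		}
		else
		{
			/* Multiple options are grouped
			 */
			next_option = argument_value;
		}
	}
	/* Check if the argument is right after the option flag with no space in between
	 */
	else if( *argument_value != (system_character_t) '\0' )
	{
		optarg = argument_value;

		optind++;
	}
	else
	{
		optind++;

		/* Check if the argument was provided as the next argument value
		 */
		if( argument_count <= optind )
		{
			/* option_value points at the ':' that marks a required
			 * argument in this branch, so this test always holds and
			 * ':' is returned; the message below is not reached
			 */
			if( *option_value == ':' )
			{
				return( (system_integer_t) ':' );
			}
			libcnotify_printf(
			 "%s: option: %" PRIc_SYSTEM " requires an argument.\n",
			 function,
			 optopt );

			return( (system_integer_t) '?' );
		}
		optarg = argument_values[ optind ];

		optind++;
	}
	return( optopt );
}

#endif /* !defined( HAVE_GETOPT ) */

================================================
FILE: evtxtools/evtxtools_getopt.h
================================================
/*
 * GetOpt functions
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.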
*
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see .
 */

#if !defined( _EVTXTOOLS_GETOPT_H )
#define _EVTXTOOLS_GETOPT_H

#include
#include

/* unistd.h is included here to export getopt, optarg, optind and optopt
 */
#if defined( HAVE_UNISTD_H )
#include
#endif

#if defined( __cplusplus )
extern "C" {
#endif

#if defined( HAVE_GETOPT )

/* With HAVE_GETOPT defined evtxtools_getopt is an alias of getopt:
 * the arguments are passed on unchanged
 */
#define evtxtools_getopt( argument_count, argument_values, options_string ) \
	getopt( argument_count, argument_values, options_string )

#else

/* Without HAVE_GETOPT the parser state variables and the parser are
 * declared here
 * NOTE(review): the __CYGWIN__ branch declares the variables without extern,
 * the reason for that is not visible in this header
 */
#if !defined( __CYGWIN__ )
extern int optind;
extern system_character_t *optarg;
extern system_integer_t optopt;

#else
int optind;
system_character_t *optarg;
system_integer_t optopt;

#endif /* !defined( __CYGWIN__ ) */

/* Get the program options
 * Takes the argument count, the argument values and the options string
 */
system_integer_t evtxtools_getopt(
                  int argument_count,
                  system_character_t * const argument_values[],
                  const system_character_t *options_string );

#endif /* defined( HAVE_GETOPT ) */

#if defined( __cplusplus )
}
#endif

#endif /* !defined( _EVTXTOOLS_GETOPT_H ) */

================================================
FILE: evtxtools/evtxtools_i18n.h
================================================
/*
 * Internationalization (i18n) functions
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see .
*/ #if !defined( _EVTXTOOLS_I18N_H ) #define _EVTXTOOLS_I18N_H #include #if defined( HAVE_LIBINTL_H ) #include #endif #if defined( __cplusplus ) extern "C" { #endif /* TODO for now do nothing i18n-like #define _( string ) \ gettext( string ) */ #define _( string ) \ string #if defined( __cplusplus ) } #endif #endif /* !defined( _EVTXTOOLS_I18N_H ) */ ================================================ FILE: evtxtools/evtxtools_libbfio.h ================================================ /* * The libbfio header wrapper * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #if !defined( _EVTXTOOLS_LIBBFIO_H ) #define _EVTXTOOLS_LIBBFIO_H #include /* Define HAVE_LOCAL_LIBBFIO for local use of libbfio */ #if defined( HAVE_LOCAL_LIBBFIO ) #include #include #include #include #include #include #include #include #else /* If libtool DLL support is enabled set LIBBFIO_DLL_IMPORT * before including libbfio.h */ #if defined( _WIN32 ) && defined( DLL_IMPORT ) && !defined( HAVE_STATIC_EXECUTABLES ) #define LIBBFIO_DLL_IMPORT #endif #include #if defined( HAVE_MULTI_THREAD_SUPPORT ) && !defined( LIBBFIO_HAVE_MULTI_THREAD_SUPPORT ) #error Multi-threading support requires libbfio with multi-threading support #endif #endif /* defined( HAVE_LOCAL_LIBBFIO ) */ #endif /* !defined( _EVTXTOOLS_LIBBFIO_H ) */ ================================================ FILE: evtxtools/evtxtools_libcdirectory.h ================================================ /* * The internal libcdirectory header * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #if !defined( _EVTXTOOLS_LIBCDIRECTORY_H ) #define _EVTXTOOLS_LIBCDIRECTORY_H #include /* Define HAVE_LOCAL_LIBCDIRECTORY for local use of libcdirectory */ #if defined( HAVE_LOCAL_LIBCDIRECTORY ) #include #include #include #include #else /* If libtool DLL support is enabled set LIBCDIRECTORY_DLL_IMPORT * before including libcdirectory.h */ #if defined( _WIN32 ) && defined( DLL_IMPORT ) #define LIBCDIRECTORY_DLL_IMPORT #endif #include #endif #endif ================================================ FILE: evtxtools/evtxtools_libcerror.h ================================================ /* * The libcerror header wrapper * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #if !defined( _EVTXTOOLS_LIBCERROR_H ) #define _EVTXTOOLS_LIBCERROR_H #include /* Define HAVE_LOCAL_LIBCERROR for local use of libcerror */ #if defined( HAVE_LOCAL_LIBCERROR ) #include #include #include #include #else /* If libtool DLL support is enabled set LIBCERROR_DLL_IMPORT * before including libcerror.h */ #if defined( _WIN32 ) && defined( DLL_IMPORT ) && !defined( HAVE_STATIC_EXECUTABLES ) #define LIBCERROR_DLL_IMPORT #endif #include #endif /* defined( HAVE_LOCAL_LIBCERROR ) */ #endif /* !defined( _EVTXTOOLS_LIBCERROR_H ) */ ================================================ FILE: evtxtools/evtxtools_libclocale.h ================================================ /* * The libclocale header wrapper * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #if !defined( _EVTXTOOLS_LIBCLOCALE_H ) #define _EVTXTOOLS_LIBCLOCALE_H #include /* Define HAVE_LOCAL_LIBCLOCALE for local use of libclocale */ #if defined( HAVE_LOCAL_LIBCLOCALE ) #include #include #include #include #else /* If libtool DLL support is enabled set LIBCLOCALE_DLL_IMPORT * before including libclocale.h */ #if defined( _WIN32 ) && defined( DLL_IMPORT ) && !defined( HAVE_STATIC_EXECUTABLES ) #define LIBCLOCALE_DLL_IMPORT #endif #include #endif /* defined( HAVE_LOCAL_LIBCLOCALE ) */ #endif /* !defined( _EVTXTOOLS_LIBCLOCALE_H ) */ ================================================ FILE: evtxtools/evtxtools_libcnotify.h ================================================ /* * The libcnotify header wrapper * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #if !defined( _EVTXTOOLS_LIBCNOTIFY_H ) #define _EVTXTOOLS_LIBCNOTIFY_H #include /* Define HAVE_LOCAL_LIBCNOTIFY for local use of libcnotify */ #if defined( HAVE_LOCAL_LIBCNOTIFY ) #include #include #include #include #else /* If libtool DLL support is enabled set LIBCNOTIFY_DLL_IMPORT * before including libcnotify.h */ #if defined( _WIN32 ) && defined( DLL_IMPORT ) && !defined( HAVE_STATIC_EXECUTABLES ) #define LIBCNOTIFY_DLL_IMPORT #endif #include #endif /* defined( HAVE_LOCAL_LIBCNOTIFY ) */ #endif /* !defined( _EVTXTOOLS_LIBCNOTIFY_H ) */ ================================================ FILE: evtxtools/evtxtools_libcpath.h ================================================ /* * The libcpath header wrapper * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #if !defined( _EVTXTOOLS_LIBCPATH_H ) #define _EVTXTOOLS_LIBCPATH_H #include /* Define HAVE_LOCAL_LIBCPATH for local use of libcpath */ #if defined( HAVE_LOCAL_LIBCPATH ) #include #include #else /* If libtool DLL support is enabled set LIBCPATH_DLL_IMPORT * before including libcpath.h */ #if defined( _WIN32 ) && defined( DLL_IMPORT ) && !defined( HAVE_STATIC_EXECUTABLES ) #define LIBCPATH_DLL_IMPORT #endif #include #endif /* defined( HAVE_LOCAL_LIBCPATH ) */ #endif /* !defined( _EVTXTOOLS_LIBCPATH_H ) */ ================================================ FILE: evtxtools/evtxtools_libcsplit.h ================================================ /* * The internal libcsplit header * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #if !defined( _EVTXTOOLS_LIBCSPLIT_H ) #define _EVTXTOOLS_LIBCSPLIT_H #include /* Define HAVE_LOCAL_LIBCSPLIT for local use of libcsplit */ #if defined( HAVE_LOCAL_LIBCSPLIT ) #include #include #include #include #include #include #else /* If libtool DLL support is enabled set LIBCSPLIT_DLL_IMPORT * before including libcsplit.h */ #if defined( _WIN32 ) && defined( DLL_IMPORT ) #define LIBCSPLIT_DLL_IMPORT #endif #include #endif #endif ================================================ FILE: evtxtools/evtxtools_libevtx.h ================================================ /* * The libevtx header wrapper * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . */ #if !defined( _EVTXTOOLS_LIBEVTX_H ) #define _EVTXTOOLS_LIBEVTX_H #include #include #endif /* !defined( _EVTXTOOLS_LIBEVTX_H ) */ ================================================ FILE: evtxtools/evtxtools_libexe.h ================================================ /* * The libexe header wrapper * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. 
* * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . */ #if !defined( _EVTXTOOLS_LIBEXE_H ) #define _EVTXTOOLS_LIBEXE_H #include /* Define HAVE_LOCAL_LIBEXE for local use of libexe */ #if defined( HAVE_LOCAL_LIBEXE ) #include #include #include #include #else /* If libtool DLL support is enabled set LIBEXE_DLL_IMPORT * before including libexe.h */ #if defined( _WIN32 ) && defined( DLL_IMPORT ) #define LIBEXE_DLL_IMPORT #endif #include #endif #endif ================================================ FILE: evtxtools/evtxtools_libfcache.h ================================================ /* * The libfcache header wrapper * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #if !defined( _EVTXTOOLS_LIBFCACHE_H ) #define _EVTXTOOLS_LIBFCACHE_H #include /* Define HAVE_LOCAL_LIBFCACHE for local use of libfcache */ #if defined( HAVE_LOCAL_LIBFCACHE ) #include #include #include #include #else /* If libtool DLL support is enabled set LIBFCACHE_DLL_IMPORT * before including libfcache.h */ #if defined( _WIN32 ) && defined( DLL_IMPORT ) && !defined( HAVE_STATIC_EXECUTABLES ) #define LIBFCACHE_DLL_IMPORT #endif #include #endif /* defined( HAVE_LOCAL_LIBFCACHE ) */ #endif /* !defined( _EVTXTOOLS_LIBFCACHE_H ) */ ================================================ FILE: evtxtools/evtxtools_libfdatetime.h ================================================ /* * The libfdatetime header wrapper * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #if !defined( _EVTXTOOLS_LIBFDATETIME_H ) #define _EVTXTOOLS_LIBFDATETIME_H #include /* Define HAVE_LOCAL_LIBFDATETIME for local use of libfdatetime */ #if defined( HAVE_LOCAL_LIBFDATETIME ) #include #include #include #include #include #include #include #include #include #include #else /* If libtool DLL support is enabled set LIBFDATETIME_DLL_IMPORT * before including libfdatetime.h */ #if defined( _WIN32 ) && defined( DLL_IMPORT ) && !defined( HAVE_STATIC_EXECUTABLES ) #define LIBFDATETIME_DLL_IMPORT #endif #include #endif /* defined( HAVE_LOCAL_LIBFDATETIME ) */ #endif /* !defined( _EVTXTOOLS_LIBFDATETIME_H ) */ ================================================ FILE: evtxtools/evtxtools_libfguid.h ================================================ /* * The libfguid header wrapper * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #if !defined( _EVTXTOOLS_LIBFGUID_H ) #define _EVTXTOOLS_LIBFGUID_H #include /* Define HAVE_LOCAL_LIBFGUID for local use of libfguid */ #if defined( HAVE_LOCAL_LIBFGUID ) #include #include #include #else /* If libtool DLL support is enabled set LIBFGUID_DLL_IMPORT * before including libfguid.h */ #if defined( _WIN32 ) && defined( DLL_IMPORT ) && !defined( HAVE_STATIC_EXECUTABLES ) #define LIBFGUID_DLL_IMPORT #endif #include #endif /* defined( HAVE_LOCAL_LIBFGUID ) */ #endif /* !defined( _EVTXTOOLS_LIBFGUID_H ) */ ================================================ FILE: evtxtools/evtxtools_libfvalue.h ================================================ /* * The libfvalue header wrapper * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #if !defined( _EVTXTOOLS_LIBFVALUE_H ) #define _EVTXTOOLS_LIBFVALUE_H #include /* Define HAVE_LOCAL_LIBFVALUE for local use of libfvalue */ #if defined( HAVE_LOCAL_LIBFVALUE ) #include #include #include #include #include #include #include #include #include #include #include #include #include #else /* If libtool DLL support is enabled set LIBFVALUE_DLL_IMPORT * before including libfvalue.h */ #if defined( _WIN32 ) && defined( DLL_IMPORT ) #define LIBFVALUE_DLL_IMPORT #endif #include #endif /* defined( HAVE_LOCAL_LIBFVALUE ) */ #endif /* !defined( _EVTXTOOLS_LIBFVALUE_H ) */ ================================================ FILE: evtxtools/evtxtools_libfwevt.h ================================================ /* * The libfwevt header wrapper * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #if !defined( _EVTXTOOLS_LIBFWEVT_H ) #define _EVTXTOOLS_LIBFWEVT_H #include /* Define HAVE_LOCAL_LIBFWEVT for local use of libfwevt */ #if defined( HAVE_LOCAL_LIBFWEVT ) #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #else /* If libtool DLL support is enabled set LIBFWEVT_DLL_IMPORT * before including libfwevt.h */ #if defined( _WIN32 ) && defined( DLL_IMPORT ) #define LIBFWEVT_DLL_IMPORT #endif #include #endif /* defined( HAVE_LOCAL_LIBFWEVT ) */ #endif /* !defined( _EVTXTOOLS_LIBFWEVT_H ) */ ================================================ FILE: evtxtools/evtxtools_libfwnt.h ================================================ /* * The libfwnt header wrapper * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #if !defined( _EVTXTOOLS_LIBFWNT_H ) #define _EVTXTOOLS_LIBFWNT_H #include /* Define HAVE_LOCAL_LIBFWNT for local use of libfwnt */ #if defined( HAVE_LOCAL_LIBFWNT ) #include #include #include #include #include #include #include #include #include #include #include #include #else /* If libtool DLL support is enabled set LIBFWNT_DLL_IMPORT * before including libfwnt.h */ #if defined( _WIN32 ) && defined( DLL_IMPORT ) && !defined( HAVE_STATIC_EXECUTABLES ) #define LIBFWNT_DLL_IMPORT #endif #include #endif /* defined( HAVE_LOCAL_LIBFWNT ) */ #endif /* !defined( _EVTXTOOLS_LIBFWNT_H ) */ ================================================ FILE: evtxtools/evtxtools_libregf.h ================================================ /* * The libregf header wrapper * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #if !defined( _EVTXTOOLS_LIBREGF_H ) #define _EVTXTOOLS_LIBREGF_H #include /* Define HAVE_LOCAL_LIBREGF for local use of libregf */ #if defined( HAVE_LOCAL_LIBREGF ) #include #include #include #include #include #include #else /* If libtool DLL support is enabled set LIBREGF_DLL_IMPORT * before including libregf.h */ #if defined( _WIN32 ) && defined( DLL_IMPORT ) #define LIBREGF_DLL_IMPORT #endif #include #endif #endif ================================================ FILE: evtxtools/evtxtools_libuna.h ================================================ /* * The libuna header wrapper * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #if !defined( _EVTXTOOLS_LIBUNA_H ) #define _EVTXTOOLS_LIBUNA_H #include /* Define HAVE_LOCAL_LIBUNA for local use of libuna */ #if defined( HAVE_LOCAL_LIBUNA ) #include #include #include #include #include #include #include #include #include #include #include #include #include #include #else /* If libtool DLL support is enabled set LIBUNA_DLL_IMPORT * before including libuna.h */ #if defined( _WIN32 ) && defined( DLL_IMPORT ) && !defined( HAVE_STATIC_EXECUTABLES ) #define LIBUNA_DLL_IMPORT #endif #include #endif /* defined( HAVE_LOCAL_LIBUNA ) */ #endif /* !defined( _EVTXTOOLS_LIBUNA_H ) */ ================================================ FILE: evtxtools/evtxtools_libwrc.h ================================================ /* * The libwrc header wrapper * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #if !defined( _EVTXTOOLS_LIBWRC_H ) #define _EVTXTOOLS_LIBWRC_H #include /* Define HAVE_LOCAL_LIBWRC for local use of libwrc */ #if defined( HAVE_LOCAL_LIBWRC ) #include #include #include #include #include #include #include #include #include #include #else /* If libtool DLL support is enabled set LIBWRC_DLL_IMPORT * before including libwrc.h */ #if defined( _WIN32 ) && defined( DLL_IMPORT ) #define LIBWRC_DLL_IMPORT #endif #include #endif /* defined( HAVE_LOCAL_LIBWRC ) */ #endif /* !defined( _EVTXTOOLS_LIBWRC_H ) */ ================================================ FILE: evtxtools/evtxtools_output.c ================================================ /* * Common output functions for the evtxtools * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #include #include #include #include #include "evtxtools_i18n.h" #include "evtxtools_libbfio.h" #include "evtxtools_libcerror.h" #include "evtxtools_libclocale.h" #include "evtxtools_libevtx.h" #include "evtxtools_libfdatetime.h" #include "evtxtools_libfvalue.h" #include "evtxtools_libfwnt.h" #include "evtxtools_libfguid.h" #include "evtxtools_libuna.h" #include "evtxtools_output.h"

/* Applies a stdio buffering mode to stdout and stderr
 * Only _IOFBF, _IOLBF and _IONBF are accepted, any other value is
 * rejected before either stream is touched
 * Returns 1 if successful or -1 on error
 */
int evtxtools_output_initialize(
     int stdio_mode,
     libcerror_error_t **error )
{
	static char *function = "evtxtools_output_initialize";

	switch( stdio_mode )
	{
		case _IOFBF:
		case _IOLBF:
		case _IONBF:
			break;

		default:
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
			 LIBCERROR_ARGUMENT_ERROR_UNSUPPORTED_VALUE,
			 "%s: unsupported standard IO mode.",
			 function );

			return( -1 );
	}
#if !defined( __BORLANDC__ )
	/* The setvbuf calls are compiled out when building with Borland C
	 */
	if( setvbuf(
	     stdout,
	     NULL,
	     stdio_mode,
	     0 ) != 0 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_SET_FAILED,
		 "%s: unable to set IO mode of stdout.",
		 function );

		return( -1 );
	}
	if( setvbuf(
	     stderr,
	     NULL,
	     stdio_mode,
	     0 ) != 0 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_SET_FAILED,
		 "%s: unable to set IO mode of stderr.",
		 function );

		return( -1 );
	}
#endif /* !defined( __BORLANDC__ ) */

	return( 1 );
}

/* Prints the copyright notice, the warranty disclaimer and the bug report
 * address to stream
 * Nothing is printed if stream is NULL
 *
 * NOTE(review): _() presumably maps to gettext via evtxtools_i18n.h; if so the
 * translated text is used as the format string, so the message catalogs
 * need to come from a trusted location - confirm
 */
void evtxoutput_copyright_fprint(
      FILE *stream )
{
	if( stream != NULL )
	{
		/* TRANSLATORS: This is a proper name.
		 */
		fprintf(
		 stream,
		 _( "Copyright (C) 2011-2025, %s.\n" ),
		 _( "Joachim Metz" ) );

		fprintf(
		 stream,
		 _( "This is free software; see the source for copying conditions. There is NO\n"
		    "warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.\n" ) );

		/* TRANSLATORS: The placeholder indicates the bug-reporting address
		 * for this package. Please add _another line_ saying
		 * "Report translation bugs to <...>\n" with the address for translation
		 * bugs (typically your translation team's web or email address).
		 */
		fprintf(
		 stream,
		 _( "Report bugs to <%s>.\n" ),
		 PACKAGE_BUGREPORT );
	}
}

/* Prints the program name followed by the libevtx version string
 * Nothing is printed if stream or program is NULL
 */
void evtxoutput_version_fprint(
      FILE *stream,
      const char *program )
{
	if( ( stream == NULL )
	 || ( program == NULL ) )
	{
		return;
	}
	fprintf(
	 stream,
	 "%s %s\n\n",
	 program,
	 LIBEVTX_VERSION_STRING );
}

/* Prints the program name, the libevtx version and the versions of the
 * supporting libraries on a single line
 * Nothing is printed if stream or program is NULL
 */
void evtxoutput_version_detailed_fprint(
      FILE *stream,
      const char *program )
{
	if( ( stream == NULL )
	 || ( program == NULL ) )
	{
		return;
	}
	fprintf(
	 stream,
	 "%s %s (libevtx %s",
	 program,
	 LIBEVTX_VERSION_STRING,
	 LIBEVTX_VERSION_STRING );

	fprintf(
	 stream,
	 ", libuna %s",
	 LIBUNA_VERSION_STRING );

	fprintf(
	 stream,
	 ", libbfio %s",
	 LIBBFIO_VERSION_STRING );

	/* TODO libfcache, libfdata */

	fprintf(
	 stream,
	 ", libfdatetime %s",
	 LIBFDATETIME_VERSION_STRING );

	fprintf(
	 stream,
	 ", libfguid %s",
	 LIBFGUID_VERSION_STRING );

	fprintf(
	 stream,
	 ", libfvalue %s",
	 LIBFVALUE_VERSION_STRING );

	fprintf(
	 stream,
	 ", libfwnt %s",
	 LIBFWNT_VERSION_STRING );

	fprintf(
	 stream,
	 ")\n\n" );
}

================================================ FILE: evtxtools/evtxtools_output.h ================================================ /* * Common output functions for the evtxtools * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details.
* * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . */ #if !defined( _EVTXTOOLS_OUTPUT_H ) #define _EVTXTOOLS_OUTPUT_H #include #include #include #include "evtxtools_libcerror.h" #if defined( __cplusplus ) extern "C" { #endif int evtxtools_output_initialize( int stdio_mode, libcerror_error_t **error ); void evtxoutput_copyright_fprint( FILE *stream ); void evtxoutput_version_fprint( FILE *stream, const char *program ); void evtxoutput_version_detailed_fprint( FILE *stream, const char *program ); #if defined( __cplusplus ) } #endif #endif /* !defined( _EVTXTOOLS_OUTPUT_H ) */ ================================================ FILE: evtxtools/evtxtools_signal.c ================================================ /* * Signal handling functions * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
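*/ #include #include #if defined( HAVE_SIGNAL_H ) #include #endif #if defined( _MSC_VER ) #include #endif #include "evtxtools_libcerror.h" #include "evtxtools_signal.h"

#if defined( WINAPI )

/* Callback that evtxtools_signal_handler forwards to
 * Set by evtxtools_signal_attach and reset to NULL by evtxtools_signal_detach
 */
void (*evtxtools_signal_signal_handler)( evtxtools_signal_t ) = NULL;

/* Console control handler for Ctrl+C or Ctrl+Break signals
 * Forwards the signal to the attached callback, if there is one
 * Returns TRUE for Ctrl+C and Ctrl+Break or FALSE for any other signal
 *
 * NOTE(review): Windows invokes console control handlers on a separate
 * thread, so the callback can run concurrently with the main thread while
 * the callback pointer is a plain global without synchronization
 */
BOOL WINAPI evtxtools_signal_handler(
             evtxtools_signal_t signal )
{
	switch( signal )
	{
		/* use Ctrl+C or Ctrl+Break to simulate SERVICE_CONTROL_STOP in debug mode
		 */
		case CTRL_BREAK_EVENT:
		case CTRL_C_EVENT:
			if( evtxtools_signal_signal_handler != NULL )
			{
				evtxtools_signal_signal_handler(
				 signal );
			}
			return( TRUE );

		default:
			break;
	}
	return( FALSE );
}

#if defined( _MSC_VER )

/* Initialize memory usage and leakage debugging
 * Adds allocation tracking and leak checking to the current CRT debug flags
 */
void evtxtools_signal_initialize_memory_debug(
      void )
{
	int flag = 0;

	/* Get the current state of the flag and store it in a temporary variable
	 */
	flag = _CrtSetDbgFlag(
	        _CRTDBG_REPORT_FLAG );

	/* Turn on client block identifiers and automatic leak detection
	 */
	flag |= ( _CRTDBG_ALLOC_MEM_DF | _CRTDBG_LEAK_CHECK_DF );

	/* Set the new state for the flag
	 */
	_CrtSetDbgFlag(
	 flag );
}

#endif /* defined( _MSC_VER ) */

/* Attaches a signal handler for Ctrl+C or Ctrl+Break signals
 * Besides registering the handler this also sets the process error mode and,
 * depending on the build, enables CRT memory debugging and configures the locale
 * Returns 1 if successful or -1 on error
 */
int evtxtools_signal_attach(
     void (*signal_handler)( evtxtools_signal_t ),
     libcerror_error_t **error )
{
	static char *function = "evtxtools_signal_attach";

	if( signal_handler == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid signal handler.",
		 function );

		return( -1 );
	}
	/* The callback is stored before the handler is registered so that a signal
	 * arriving directly after registration is already forwarded
	 */
	evtxtools_signal_signal_handler = signal_handler;

	if( SetConsoleCtrlHandler(
	     (PHANDLER_ROUTINE) evtxtools_signal_handler,
	     TRUE ) == 0 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_SET_FAILED,
		 "%s: unable to attach signal handler.",
		 function );

		return( -1 );
	}
	/* A NULL handler with FALSE restores normal processing of Ctrl+C,
	 * in case the process inherited a state in which it is ignored
	 */
	if( SetConsoleCtrlHandler(
	     NULL,
	     FALSE ) == 0 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_SET_FAILED,
		 "%s: unable to attach break signal.",
		 function );

		return( -1 );
	}
#if defined( _MSC_VER )
	evtxtools_signal_initialize_memory_debug();
#endif

	/* Have critical errors reported to the process instead of shown
	 * in a system message box
	 */
	SetErrorMode(
	 SEM_FAILCRITICALERRORS );

#if defined( LOCALE_SUPPORT )
	/* Allow subsequent threads to have their own locale.
	 * If the application is single threaded this call has
	 * no practical effect.
	 */
	_configthreadlocale(
	 _ENABLE_PER_THREAD_LOCALE );

	/* Set the current thread locale to the user default
	 * ANSI code page.
	 */
	setlocale(
	 LC_ALL,
	 "" );

	/* Set the code page used by multibyte functions
	 * to use the same code page as the previous call to setlocale.
	 */
	_setmbcp(
	 _MB_CP_LOCALE );

#endif /* defined( LOCALE_SUPPORT ) */

	return( 1 );
}

/* Detaches a signal handler for Ctrl+C or Ctrl+Break signals
 * The stored callback is only reset after the handler was unregistered
 * Returns 1 if successful or -1 on error
 */
int evtxtools_signal_detach(
     libcerror_error_t **error )
{
	static char *function = "evtxtools_signal_detach";

	if( SetConsoleCtrlHandler(
	     (PHANDLER_ROUTINE) evtxtools_signal_handler,
	     FALSE ) == 0 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_SET_FAILED,
		 "%s: unable to detach signal handler.",
		 function );

		return( -1 );
	}
	evtxtools_signal_signal_handler = NULL;

	return( 1 );
}

#else

/* Attaches a signal handler for SIGINT
 * The handler is installed with signal() and therefore runs in signal context,
 * it should restrict itself to async-signal-safe operations
 * Returns 1 if successful or -1 on error
 */
int evtxtools_signal_attach(
     void (*signal_handler)( evtxtools_signal_t ),
     libcerror_error_t **error )
{
	static char *function = "evtxtools_signal_attach";

	if( signal_handler == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid signal handler.",
		 function );

		return( -1 );
	}
	if( signal(
	     SIGINT,
	     signal_handler ) == SIG_ERR )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_SET_FAILED,
		 "%s: unable to attach signal handler.",
		 function );

		return( -1 );
	}
	return( 1 );
}

/* Detaches a signal handler for SIGINT
 * Restores the default SIGINT disposition (SIG_DFL)
 * Returns 1 if successful or -1 on error
 */
int evtxtools_signal_detach(
     libcerror_error_t **error )
{
	static char *function = "evtxtools_signal_detach";

	if( signal(
	     SIGINT,
	     SIG_DFL ) == SIG_ERR )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_SET_FAILED,
		 "%s: unable to detach signal handler.",
		 function );

		return( -1 );
	}
	return( 1 );
}

#endif /* defined( WINAPI ) */

================================================ FILE: evtxtools/evtxtools_signal.h ================================================ /* * Signal handling functions * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see .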
*/ #if !defined( _EVTXTOOLS_SIGNAL_H ) #define _EVTXTOOLS_SIGNAL_H #include #include #include "evtxtools_libcerror.h" #if defined( __cplusplus ) extern "C" { #endif #if !defined( HAVE_SIGNAL_H ) && !defined( WINAPI ) #error missing signal functions #endif #if defined( WINAPI ) typedef unsigned long evtxtools_signal_t; #else typedef int evtxtools_signal_t; #endif /* defined( WINAPI ) */ #if defined( WINAPI ) BOOL WINAPI evtxtools_signal_handler( evtxtools_signal_t signal ); #if defined( _MSC_VER ) void evtxtools_signal_initialize_memory_debug( void ); #endif /* defined( _MSC_VER ) */ #endif /* defined( WINAPI ) */ int evtxtools_signal_attach( void (*signal_handler)( evtxtools_signal_t ), libcerror_error_t **error ); int evtxtools_signal_detach( libcerror_error_t **error ); #if defined( __cplusplus ) } #endif #endif /* !defined( _EVTXTOOLS_SIGNAL_H ) */ ================================================ FILE: evtxtools/evtxtools_system_split_string.h ================================================ /* * Split system string functions * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #if !defined( _EVTXTOOLS_SYSTEM_SPLIT_STRING_H ) #define _EVTXTOOLS_SYSTEM_SPLIT_STRING_H #include #include #include "evtxtools_libcsplit.h" #if defined( __cplusplus ) extern "C" { #endif #if defined( HAVE_WIDE_SYSTEM_CHARACTER ) #define system_split_string_t \ libcsplit_wide_split_string_t #define system_split_string_free( split_string, error ) \ libcsplit_wide_split_string_free( split_string, error ) #define system_split_string_get_number_of_segments( split_string, number_of_segments, error ) \ libcsplit_wide_split_string_get_number_of_segments( split_string, number_of_segments, error ) #define system_split_string_get_segment_by_index( split_string, segment_index, string_segment, string_segment_size, error ) \ libcsplit_wide_split_string_get_segment_by_index( split_string, segment_index, string_segment, string_segment_size, error ) #define system_string_split( string, string_size, delimiter, split_string, error ) \ libcsplit_wide_string_split( string, string_size, (wchar_t) delimiter, split_string, error ) #else #define system_split_string_t \ libcsplit_narrow_split_string_t #define system_split_string_free( split_string, error ) \ libcsplit_narrow_split_string_free( split_string, error ) #define system_split_string_get_number_of_segments( split_string, number_of_segments, error ) \ libcsplit_narrow_split_string_get_number_of_segments( split_string, number_of_segments, error ) #define system_split_string_get_segment_by_index( split_string, segment_index, string_segment, string_segment_size, error ) \ libcsplit_narrow_split_string_get_segment_by_index( split_string, segment_index, string_segment, string_segment_size, error ) #define system_string_split( string, string_size, delimiter, split_string, error ) \ libcsplit_narrow_string_split( string, string_size, (char) delimiter, split_string, error ) #endif /* defined( HAVE_WIDE_SYSTEM_CHARACTER ) */ #if defined( __cplusplus ) } #endif #endif /* !defined( _EVTXTOOLS_SYSTEM_SPLIT_STRING_H ) */ 
================================================ FILE: evtxtools/evtxtools_unused.h ================================================ /* * Definitions to silence compiler warnings about unused function attributes/parameters. * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . */ #if !defined( _EVTXTOOLS_UNUSED_H ) #define _EVTXTOOLS_UNUSED_H #include #if !defined( EVTXTOOLS_ATTRIBUTE_UNUSED ) #if defined( __GNUC__ ) && __GNUC__ >= 3 #define EVTXTOOLS_ATTRIBUTE_UNUSED __attribute__ ((__unused__)) #else #define EVTXTOOLS_ATTRIBUTE_UNUSED #endif /* defined( __GNUC__ ) && __GNUC__ >= 3 */ #endif /* !defined( EVTXTOOLS_ATTRIBUTE_UNUSED ) */ #if defined( _MSC_VER ) #define EVTXTOOLS_UNREFERENCED_PARAMETER( parameter ) \ UNREFERENCED_PARAMETER( parameter ); #else #define EVTXTOOLS_UNREFERENCED_PARAMETER( parameter ) \ /* parameter */ #endif /* defined( _MSC_VER ) */ #endif /* !defined( _EVTXTOOLS_UNUSED_H ) */ ================================================ FILE: evtxtools/evtxtools_wide_string.c ================================================ /* * Wide character string functions * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. 
* * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . */ #include #include #if defined( HAVE_WCTYPE_H ) #include #endif #include "evtxtools_wide_string.h"

#if defined( TOWLOWER ) && !defined( HAVE_WCSNCASECMP ) && !defined( HAVE_WCSCASECMP ) && !defined( WINAPI )

/* Replacement for missing: wcsncasecmp
 * Compares at most comparision_length wide characters of string1 and string2
 * after lower-casing each character with towlower, stopping at the first
 * difference or at the end of string1
 * Returns less than, equal to or greater than zero if string1 is
 * less than, equal to or greater than string2
 *
 * The strings are not checked for NULL, except that two identical pointers
 * compare as equal without being read
 */
int evtxtools_wide_string_compare_no_case(
     const wchar_t *string1,
     const wchar_t *string2,
     size_t comparision_length )
{
	wint_t lower1 = 0;
	wint_t lower2 = 0;

	if( string1 != string2 )
	{
		for( ;
		     comparision_length > 0;
		     comparision_length-- )
		{
			lower1 = towlower(
			          *string1 );

			lower2 = towlower(
			          *string2 );

			/* Stop on a mismatch or once string1 is exhausted
			 */
			if( ( lower1 != lower2 )
			 || ( lower1 == 0 ) )
			{
				return( lower1 - lower2 );
			}
			string1++;
			string2++;
		}
	}
	return( 0 );
}

#endif /* defined( TOWLOWER ) && !defined( HAVE_WCSNCASECMP ) && !defined( HAVE_WCSCASECMP ) && !defined( WINAPI ) */

================================================ FILE: evtxtools/evtxtools_wide_string.h ================================================ /* * Wide character string functions * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements.
* * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . */ #if !defined( _EVTXTOOLS_WIDE_STRING_H ) #define _EVTXTOOLS_WIDE_STRING_H #include #include #include #if defined( __cplusplus ) extern "C" { #endif #if !defined( wide_string_compare_no_case ) #define wide_string_compare_no_case( string1, string2, size ) \ evtxtools_wide_string_compare_no_case( string1, string2, size ) #endif /* !defined( wide_string_compare_no_case ) */ #if defined( TOWLOWER ) && !defined( HAVE_WCSNCASECMP ) && !defined( HAVE_WCSCASECMP ) && !defined( WINAPI ) int evtxtools_wide_string_compare_no_case( const wchar_t *string1, const wchar_t *string2, size_t comparision_length ); #endif /* defined( TOWLOWER ) && !defined( HAVE_WCSNCASECMP ) && !defined( HAVE_WCSCASECMP ) && !defined( WINAPI ) */ #if defined( __cplusplus ) } #endif #endif /* !defined( _EVTXTOOLS_WIDE_STRING_H ) */ ================================================ FILE: evtxtools/export_handle.c ================================================ /* * Export handle * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. 
* * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . */ #include #include #include #include #include #include #include "evtxinput.h" #include "evtxtools_libcerror.h" #include "evtxtools_libcnotify.h" #include "evtxtools_libclocale.h" #include "evtxtools_libevtx.h" #include "evtxtools_libfdatetime.h" #include "evtxtools_libfguid.h" #include "evtxtools_libfwevt.h" #include "export_handle.h" #include "log_handle.h" #include "message_handle.h" #include "message_string.h" #include "resource_file.h"

#define EXPORT_HANDLE_NOTIFY_STREAM stdout

/* Retrieves the event log key name for an event log type
 * Returns a string constant, "(Unknown)" if the type is not supported
 */
const char *export_handle_get_event_log_key_name(
             int event_log_type )
{
	const char *key_name = "(Unknown)";

	switch( event_log_type )
	{
		case EVTXTOOLS_EVENT_LOG_TYPE_APPLICATION:
			key_name = "Application";
			break;

		case EVTXTOOLS_EVENT_LOG_TYPE_DFS_REPLICATION:
			key_name = "DFS Replication";
			break;

		case EVTXTOOLS_EVENT_LOG_TYPE_HARDWARE_EVENTS:
			key_name = "Hardware Events";
			break;

		case EVTXTOOLS_EVENT_LOG_TYPE_INTERNET_EXPLORER:
			key_name = "Internet Explorer";
			break;

		case EVTXTOOLS_EVENT_LOG_TYPE_KEY_MANAGEMENT_SERVICE:
			key_name = "Key Management Service";
			break;

		case EVTXTOOLS_EVENT_LOG_TYPE_MEDIA_CENTER:
			key_name = "Media Center";
			break;

		case EVTXTOOLS_EVENT_LOG_TYPE_SECURITY:
			key_name = "Security";
			break;

		case EVTXTOOLS_EVENT_LOG_TYPE_SYSTEM:
			key_name = "System";
			break;

		default:
			break;
	}
	return( key_name );
}

/* Retrieves the display string of an event level
 * A level of 0 is reported as "Information"
 * Returns a string constant, "(Unknown)" if the level is not supported
 */
const char *export_handle_get_event_level(
             uint8_t event_level )
{
	const char *level_string = "(Unknown)";

	switch( event_level )
	{
		case LIBEVTX_EVENT_LEVEL_CRITICAL:
			level_string = "Critical";
			break;

		case LIBEVTX_EVENT_LEVEL_ERROR:
			level_string = "Error";
			break;

		case LIBEVTX_EVENT_LEVEL_WARNING:
			level_string = "Warning";
			break;

		case 0:
		case LIBEVTX_EVENT_LEVEL_INFORMATION:
			level_string = "Information";
			break;

		case LIBEVTX_EVENT_LEVEL_VERBOSE:
			level_string = "Verbose";
			break;

		default:
			break;
	}
	return( level_string );
}

/*
Creates an export handle * Make sure the value export_handle is referencing, is set to NULL * Returns 1 if successful or -1 on error */ int export_handle_initialize( export_handle_t **export_handle, libcerror_error_t **error ) { static char *function = "export_handle_initialize"; if( export_handle == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid export handle.", function ); return( -1 ); } if( *export_handle != NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET, "%s: invalid export handle value already set.", function ); return( -1 ); } *export_handle = memory_allocate_structure( export_handle_t ); if( *export_handle == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_INSUFFICIENT, "%s: unable to create export handle.", function ); goto on_error; } if( memory_set( *export_handle, 0, sizeof( export_handle_t ) ) == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_SET_FAILED, "%s: unable to clear export handle.", function ); goto on_error; } if( message_handle_initialize( &( ( *export_handle )->message_handle ), error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED, "%s: unable to create message handle.", function ); goto on_error; } if( libevtx_file_initialize( &( ( *export_handle )->input_file ), error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED, "%s: unable to initialize input file.", function ); goto on_error; } ( *export_handle )->export_mode = EXPORT_MODE_ITEMS; ( *export_handle )->export_format = EXPORT_FORMAT_TEXT; ( *export_handle )->event_log_type = EVTXTOOLS_EVENT_LOG_TYPE_UNKNOWN; ( *export_handle )->ascii_codepage = LIBEVTX_CODEPAGE_WINDOWS_1252; ( *export_handle )->notify_stream = 
EXPORT_HANDLE_NOTIFY_STREAM; return( 1 ); on_error: if( *export_handle != NULL ) { if( ( *export_handle )->message_handle != NULL ) { message_handle_free( &( ( *export_handle )->message_handle ), NULL ); } memory_free( *export_handle ); *export_handle = NULL; } return( -1 ); } /* Frees an export handle * Returns 1 if successful or -1 on error */ int export_handle_free( export_handle_t **export_handle, libcerror_error_t **error ) { static char *function = "export_handle_free"; int result = 1; if( export_handle == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid export handle.", function ); return( -1 ); } if( *export_handle != NULL ) { if( ( *export_handle )->input_is_open != 0 ) { if( export_handle_close_input( *export_handle, error ) != 0 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_CLOSE_FAILED, "%s: unable to close export handle.", function ); result = -1; } } if( message_handle_free( &( ( *export_handle )->message_handle ), error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED, "%s: unable to free message handle.", function ); result = -1; } if( libevtx_file_free( &( ( *export_handle )->input_file ), error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED, "%s: unable to free input file.", function ); result = -1; } memory_free( *export_handle ); *export_handle = NULL; } return( result ); } /* Signals the export handle to abort * Returns 1 if successful or -1 on error */ int export_handle_signal_abort( export_handle_t *export_handle, libcerror_error_t **error ) { static char *function = "export_handle_signal_abort"; if( export_handle == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid export handle.", function ); return( -1 ); } export_handle->abort = 1; if( 
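message_handle_signal_abort( export_handle->message_handle, error ) != 1 )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_SET_FAILED,
		 "%s: unable to signal message handle to abort.", function );

		return( -1 );
	}
	if( export_handle->input_file != NULL )
	{
		if( libevtx_file_signal_abort( export_handle->input_file, error ) != 1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_SET_FAILED,
			 "%s: unable to signal input file to abort.", function );

			return( -1 );
		}
	}
	return( 1 );
}

/* Sets the export mode
 * Accepts exactly "all", "items" or "recovered"; the length is checked first
 * so that a longer string sharing a prefix is not accepted
 * Returns 1 if successful, 0 if unsupported values or -1 on error
 */
int export_handle_set_export_mode(
     export_handle_t *export_handle,
     const system_character_t *string,
     libcerror_error_t **error )
{
	static char *function = "export_handle_set_export_mode";
	size_t string_length  = 0;
	int result            = 0;

	if( export_handle == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid export handle.", function );

		return( -1 );
	}
	if( string == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid string.", function );

		return( -1 );
	}
	string_length = system_string_length( string );

	if( string_length == 3 )
	{
		if( system_string_compare( string, _SYSTEM_STRING( "all" ), 3 ) == 0 )
		{
			export_handle->export_mode = EXPORT_MODE_ALL;
			result                     = 1;
		}
	}
	else if( string_length == 5 )
	{
		if( system_string_compare( string, _SYSTEM_STRING( "items" ), 5 ) == 0 )
		{
			export_handle->export_mode = EXPORT_MODE_ITEMS;
			result                     = 1;
		}
	}
	else if( string_length == 9 )
	{
		if( system_string_compare( string, _SYSTEM_STRING( "recovered" ), 9 ) == 0 )
		{
			export_handle->export_mode = EXPORT_MODE_RECOVERED;
			result                     = 1;
		}
	}
	return( result );
}

/* Sets the export format
 * Accepts exactly "xml" or "text"
 * Returns 1 if successful, 0 if unsupported values or -1 on error
 */
int export_handle_set_export_format(
     export_handle_t *export_handle,
     const system_character_t *string,
     libcerror_error_t **error )
{
	/* The name reported in error messages now matches the function name
	 */
	static char *function = "export_handle_set_export_format";
	size_t string_length  = 0;
	int result            = 0;

	if( export_handle == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid export handle.", function );

		return( -1 );
	}
	/* Same guard as export_handle_set_export_mode: the length of a NULL
	 * string must not be determined
	 */
	if( string == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid string.", function );

		return( -1 );
	}
	string_length = system_string_length( string );

	if( string_length == 3 )
	{
		if( system_string_compare( string, _SYSTEM_STRING( "xml" ), 3 ) == 0 )
		{
			export_handle->export_format = EXPORT_FORMAT_XML;
			result                       = 1;
		}
	}
	else if( string_length == 4 )
	{
		if( system_string_compare( string, _SYSTEM_STRING( "text" ), 4 ) == 0 )
		{
			export_handle->export_format = EXPORT_FORMAT_TEXT;
			result                       = 1;
		}
	}
	return( result );
}

/* Sets the ascii codepage
 * The codepage is determined from the string by libclocale, with the KOI8 and
 * Windows codepage families enabled, and on success is also set in the
 * message handle
 * Returns 1 if successful, 0 if libclocale reports 0 (presumably an
 * unsupported codepage string) or -1 on error
 */
int export_handle_set_ascii_codepage(
     export_handle_t *export_handle,
     const system_character_t *string,
     libcerror_error_t **error )
{
	static char *function  = "export_handle_set_ascii_codepage";
	size_t string_length   = 0;
	uint32_t feature_flags = 0;
	int result             = 0;

	if( export_handle == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid export handle.", function );

		return( -1 );
	}
	/* The length is determined before libclocale sees the string, so a
	 * NULL string has to be rejected here
	 */
	if( string == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid string.", function );

		return( -1 );
	}
	feature_flags = LIBCLOCALE_CODEPAGE_FEATURE_FLAG_HAVE_KOI8
	              | LIBCLOCALE_CODEPAGE_FEATURE_FLAG_HAVE_WINDOWS;

	string_length = system_string_length( string );

#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
	result = libclocale_codepage_copy_from_string_wide( &( export_handle->ascii_codepage ), string, string_length, feature_flags, error );
#else
	result = libclocale_codepage_copy_from_string( &( export_handle->ascii_codepage ), string, string_length, feature_flags, error );
#endif
	if( result == -1 )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to determine ASCII codepage.", function );

		return( -1 );
	}
	else if( result != 0 )
	{
		if(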
message_handle_set_ascii_codepage( export_handle->message_handle, export_handle->ascii_codepage, error ) != 1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_SET_FAILED,
			 "%s: unable to set ASCII codepage in message handle.", function );

			return( -1 );
		}
	}
	/* 0 is passed through when the codepage was not determined
	 */
	return( result );
}

/* Sets the preferred language identifier
 * The value is forwarded to the message handle unchanged
 * Returns 1 if successful or -1 on error
 */
int export_handle_set_preferred_language_identifier(
     export_handle_t *export_handle,
     uint32_t preferred_language_identifier,
     libcerror_error_t **error )
{
	static char *function = "export_handle_set_preferred_language_identifier";

	if( export_handle == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid export handle.", function );

		return( -1 );
	}
	if( message_handle_set_preferred_language_identifier( export_handle->message_handle, preferred_language_identifier, error ) != 1 )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_SET_FAILED,
		 "%s: unable to set preferred language identifier in message handle.", function );

		return( -1 );
	}
	return( 1 );
}

/* Sets the event log type
 * The type is determined from the string by evtxinput_determine_event_log_type
 * and stored in the handle
 * Returns the result of that function, -1 on error
 * NOTE(review): values other than 1 and -1 are passed through to the caller,
 * presumably 0 for an unrecognized string; confirm against evtxinput
 */
int export_handle_set_event_log_type(
     export_handle_t *export_handle,
     const system_character_t *string,
     libcerror_error_t **error )
{
	static char *function = "export_handle_set_event_log_type";
	int result            = 0;

	if( export_handle == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid export handle.", function );

		return( -1 );
	}
	/* string is not checked here; presumably validated by the callee
	 */
	result = evtxinput_determine_event_log_type( string, &( export_handle->event_log_type ), error );

	if( result == -1 )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to determine event log type.", function );

		return( -1 );
	}
	return( result );
}

/* Sets the event log type from the filename
 * The type is determined by evtxinput_determine_event_log_type_from_filename
 * and stored in the handle
 * Returns the result of that function, -1 on error
 * NOTE(review): values other than 1 and -1 are passed through to the caller;
 * confirm against evtxinput
 */
int export_handle_set_event_log_type_from_filename(
     export_handle_t *export_handle,
     const system_character_t *filename,
     libcerror_error_t **error )
{
	static char *function = "export_handle_set_event_log_type_from_filename";
	int result            = 0;

	if( export_handle == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid export handle.", function );

		return( -1 );
	}
	result = evtxinput_determine_event_log_type_from_filename( filename, &( export_handle->event_log_type ), error );

	if( result == -1 )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to determine event log type from filename.", function );

		return( -1 );
	}
	return( result );
}

/* Sets the name of the software registry file
 * The filename is forwarded to the message handle without any validation in
 * this function
 * Returns 1 if successful or -1 on error
 */
int export_handle_set_software_registry_filename(
     export_handle_t *export_handle,
     const system_character_t *filename,
     libcerror_error_t **error )
{
	static char *function = "export_handle_set_software_registry_filename";

	if( export_handle == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid export handle.", function );

		return( -1 );
	}
	if( message_handle_set_software_registry_filename( export_handle->message_handle, filename, error ) != 1 )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_SET_FAILED,
		 "%s: unable to set SOFTWARE registry filename in message handle.", function );

		return( -1 );
	}
	return( 1 );
}

/* Sets the name of the system registry file
 * The filename is forwarded to the message handle without any validation in
 * this function
 * Returns 1 if successful or -1 on error
 */
int export_handle_set_system_registry_filename(
     export_handle_t *export_handle,
     const system_character_t *filename,
     libcerror_error_t **error )
{
	static char *function = "export_handle_set_system_registry_filename";

	if( export_handle == NULL )
	{
		libcerror_error_set( error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid export handle.", function );

		return( -1 );
	}
	if( message_handle_set_system_registry_filename( export_handle->message_handle, filename, error ) != 1 )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_SET_FAILED,
		 "%s: unable to set SYSTEM registry filename in message handle.", function );

		return( -1 );
	}
	return( 1 );
}

/* Sets the name of the directory containing the software and system registry file
 * The name is forwarded to the message handle without any validation in this
 * function
 * Returns 1 if successful or -1 on error
 */
int export_handle_set_registry_directory_name(
     export_handle_t *export_handle,
     const system_character_t *name,
     libcerror_error_t **error )
{
	static char *function = "export_handle_set_registry_directory_name";

	if( export_handle == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid export handle.", function );

		return( -1 );
	}
	if( message_handle_set_registry_directory_name( export_handle->message_handle, name, error ) != 1 )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_SET_FAILED,
		 "%s: unable to set registry directory name in message handle.", function );

		return( -1 );
	}
	return( 1 );
}

/* Sets the path of the resource files
 * The path is forwarded to the message handle without any validation in this
 * function
 * NOTE(review): presumably the message handle resolves the resource and
 * message filenames it reads from the registry files relative to this path;
 * confirm that it keeps such lookups inside the configured directory
 * Returns 1 if successful or -1 on error
 */
int export_handle_set_resource_files_path(
     export_handle_t *export_handle,
     const system_character_t *path,
     libcerror_error_t **error )
{
	static char *function = "export_handle_set_resource_files_path";

	if( export_handle == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid export handle.", function );

		return( -1 );
	}
	if( message_handle_set_resource_files_path( export_handle->message_handle, path, error ) != 1 )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_SET_FAILED,
		 "%s: unable to set resource files path in message handle.",
function );

		return( -1 );
	}
	return( 1 );
}

/* Opens the input
 * Opens the message handle input for the key name that belongs to the event
 * log type, applies the ASCII codepage to the input file and then opens
 * filename read-only (LIBEVTX_OPEN_READ)
 * NOTE(review): when a later step fails, the message handle input opened
 * earlier is not closed here and input_is_open stays 0, so
 * export_handle_close_input will skip it; presumably message_handle_free
 * cleans up, confirm
 * Returns 1 if successful or -1 on error
 */
int export_handle_open_input(
     export_handle_t *export_handle,
     const system_character_t *filename,
     libcerror_error_t **error )
{
	static char *function = "export_handle_open_input";

	if( export_handle == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid export handle.", function );

		return( -1 );
	}
	/* A handle can have only one input open at a time
	 */
	if( export_handle->input_is_open != 0 )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET,
		 "%s: invalid export handle input is already open.", function );

		return( -1 );
	}
	if( message_handle_open_input( export_handle->message_handle, export_handle_get_event_log_key_name( export_handle->event_log_type ), error ) != 1 )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_OPEN_FAILED,
		 "%s: unable to open input of message handle.", function );

		return( -1 );
	}
	/* The codepage is set before the file is opened
	 */
	if( libevtx_file_set_ascii_codepage( export_handle->input_file, export_handle->ascii_codepage, error ) != 1 )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_SET_FAILED,
		 "%s: unable to set ASCII codepage in input file.", function );

		return( -1 );
	}
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
	if( libevtx_file_open_wide( export_handle->input_file, filename, LIBEVTX_OPEN_READ, error ) != 1 )
#else
	if( libevtx_file_open( export_handle->input_file, filename, LIBEVTX_OPEN_READ, error ) != 1 )
#endif
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_OPEN_FAILED,
		 "%s: unable to open input file.", function );

		return( -1 );
	}
	export_handle->input_is_open = 1;

	return( 1 );
}

/* Closes the input
 * Does nothing when the input is not open; otherwise closes the message
 * handle input and the input file, continuing after a failure so that both
 * are attempted, and marks the input as closed
 * Returns 0 if successful or -1 on error
 */
int export_handle_close_input(
     export_handle_t *export_handle,
     libcerror_error_t **error )
{
	static char *function = "export_handle_close_input";
	int result            = 0;

	if( export_handle == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid export handle.", function );

		return( -1 );
	}
	if( export_handle->input_is_open != 0 )
	{
		if( message_handle_close_input( export_handle->message_handle, error ) != 0 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_CLOSE_FAILED,
			 "%s: unable to close input of message handle.", function );

			result = -1;
		}
		if( libevtx_file_close( export_handle->input_file, error ) != 0 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_CLOSE_FAILED,
			 "%s: unable to close input file.", function );

			result = -1;
		}
		/* Cleared even when a close failed, so the handle can be reused
		 * or freed
		 */
		export_handle->input_is_open = 0;
	}
	return( result );
}

/* Copies the GUID string to a byte stream
 * The string is parsed by libfguid with the mixed case and surrounding braces
 * format flags and written to byte_stream in little-endian byte order
 * byte_stream_size is passed on to libfguid; this function does not check it
 * itself
 * Returns 1 if successful or -1 on error
 */
int export_handle_guid_string_copy_to_byte_stream(
     export_handle_t *export_handle,
     const system_character_t *string,
     size_t string_length,
     uint8_t *byte_stream,
     size_t byte_stream_size,
     libcerror_error_t **error )
{
	libfguid_identifier_t *guid = NULL;
	static char *function       = "export_handle_guid_string_copy_to_byte_stream";
	int result                  = 0;

	if( export_handle == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid export handle.", function );

		return( -1 );
	}
	if( libfguid_identifier_initialize( &guid, error ) != 1 )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
		 "%s: unable to create GUID.", function );

		goto on_error;
	}
	/* string and byte_stream are not checked for NULL here; presumably
	 * libfguid rejects them
	 */
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
	result = libfguid_identifier_copy_from_utf16_string( guid, (uint16_t *) string, string_length,
	          LIBFGUID_STRING_FORMAT_FLAG_USE_MIXED_CASE | LIBFGUID_STRING_FORMAT_FLAG_USE_SURROUNDING_BRACES, error );
#else
	result = libfguid_identifier_copy_from_utf8_string( guid, (uint8_t *) string, string_length,
	          LIBFGUID_STRING_FORMAT_FLAG_USE_MIXED_CASE |
LIBFGUID_STRING_FORMAT_FLAG_USE_SURROUNDING_BRACES, error );
#endif
	if( result != 1 )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_SET_FAILED,
		 "%s: unable to copy GUID from string.", function );

		goto on_error;
	}
	if( libfguid_identifier_copy_to_byte_stream( guid, byte_stream, byte_stream_size, LIBFGUID_ENDIAN_LITTLE, error ) != 1 )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_SET_FAILED,
		 "%s: unable to copy GUID to byte stream.", function );

		goto on_error;
	}
	if( libfguid_identifier_free( &guid, error ) != 1 )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
		 "%s: unable to free GUID.", function );

		goto on_error;
	}
	return( 1 );

on_error:
	/* The temporary GUID is the only resource owned by this function
	 */
	if( guid != NULL )
	{
		libfguid_identifier_free( &guid, NULL );
	}
	return( -1 );
}

/* Retrieves the template definition from the resource file
 * Looks up the WEVT provider, event and template for the provider and event
 * identifier and, when found, creates an EVTX template definition from the
 * template data and offset
 * The temporary WEVT objects are freed before returning
 * NOTE(review): on error a template definition that *template_definition
 * already referenced on entry is freed as well; callers are expected to pass
 * a pointer that is set to NULL
 * Returns 1 if successful, 0 if not available or -1 on error
 */
int export_handle_resource_file_get_template_definition(
     export_handle_t *export_handle,
     resource_file_t *resource_file,
     const uint8_t *provider_identifier,
     size_t provider_identifier_size,
     uint32_t event_identifier,
     libevtx_template_definition_t **template_definition,
     libcerror_error_t **error )
{
	libfwevt_event_t *wevt_event       = NULL;
	libfwevt_provider_t *wevt_provider = NULL;
	libfwevt_template_t *wevt_template = NULL;
	const uint8_t *template_data       = NULL;
	static char *function              = "export_handle_resource_file_get_template_definition";
	size_t template_data_size          = 0;
	uint32_t template_data_offset      = 0;
	int result                         = 0;

	if( export_handle == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid export handle.", function );

		return( -1 );
	}
	/* Checked up front because on_error dereferences it
	 */
	if( template_definition == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid template definition.", function );

		return( -1 );
	}
	result = resource_file_get_template_definition( resource_file, provider_identifier, provider_identifier_size, event_identifier,
	          &wevt_provider, &wevt_event, &wevt_template, error );

	if( result == -1 )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve WEVT template definition.", function );

		goto on_error;
	}
	else if( result != 0 )
	{
		/* The offset and size below are read from the resource file and
		 * are passed on without a check in this function; presumably
		 * libevtx_template_definition_set_data validates them, confirm
		 */
		if( libfwevt_template_get_offset( wevt_template, &template_data_offset, error ) != 1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve template offset.", function );

			goto on_error;
		}
/* TODO make a local copy of the data instead */
		/* template_data points at data obtained from wevt_template, which
		 * is freed further down
		 * NOTE(review): this is only safe if set_data copies the data
		 * rather than keeping the pointer; confirm
		 */
		if( libfwevt_template_get_data( wevt_template, &template_data, &template_data_size, error ) != 1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve template data.", function );

			goto on_error;
		}
/* TODO cache the EVTX template definitions ?
 */
		if( libevtx_template_definition_initialize( template_definition, error ) != 1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
			 "%s: unable to create template definitions.", function );

			goto on_error;
		}
		if( libevtx_template_definition_set_data( *template_definition, template_data, template_data_size, template_data_offset, error ) != 1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_SET_FAILED,
			 "%s: unable to set template data.", function );

			goto on_error;
		}
		if( libfwevt_template_free( &wevt_template, error ) != 1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
			 "%s: unable to free template definition.", function );

			goto on_error;
		}
		if( libfwevt_event_free( &wevt_event, error ) != 1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
			 "%s: unable to free event.", function );

			goto on_error;
		}
		if( libfwevt_provider_free( &wevt_provider, error ) != 1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
			 "%s: unable to free provider.", function );

			goto on_error;
		}
	}
	return( result );

on_error:
	if( wevt_template != NULL )
	{
		libfwevt_template_free( &wevt_template, NULL );
	}
	if( wevt_event != NULL )
	{
		libfwevt_event_free( &wevt_event, NULL );
	}
	if( wevt_provider != NULL )
	{
		libfwevt_provider_free( &wevt_provider, NULL );
	}
	if( *template_definition != NULL )
	{
		libevtx_template_definition_free( template_definition, NULL );
	}
	return( -1 );
}

/* Exports the record event message
 * Looks up the resource and message filename for the event provider
 * identifier, or the message filename for the event source when the provider
 * has none, resolves the message identifier and message string through the
 * message handle and prints the filenames, the record strings and the message
 * string to the notify stream
 * The filenames, record strings and message text are taken from parsed input
 * and are written to the notify stream as-is
 * Returns 1 if successful or -1 on error
 */
int export_handle_export_record_event_message(
     export_handle_t *export_handle,
     libevtx_record_t *record,
     const system_character_t *event_provider_identifier,
     size_t event_provider_identifier_length,
     const system_character_t *event_source,
     size_t event_source_length,
     uint32_t event_identifier,
     log_handle_t
*log_handle,
     libcerror_error_t **error )
{
	/* Binary form of the provider GUID, 16 bytes
	 */
	uint8_t provider_identifier[ 16 ];

	libevtx_template_definition_t *template_definition = NULL;
	message_string_t *message_string                   = NULL;
	resource_file_t *resource_file                     = NULL;
	system_character_t *message_filename               = NULL;
	system_character_t *resource_filename              = NULL;
	system_character_t *value_string                   = NULL;
	static char *function                              = "export_handle_export_record_event_message";
	size_t message_filename_size                       = 0;
	size_t resource_filename_size                      = 0;
	size_t value_string_size                           = 0;
	uint32_t event_identifier_qualifiers               = 0;
	uint32_t message_identifier                        = 0;
	int number_of_strings                              = 0;
	int result                                         = 0;
	int value_string_index                             = 0;

	/* log_handle is not used in this function
	 */
	if( export_handle == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid export handle.", function );

		return( -1 );
	}
	/* Prefer the values registered for the provider identifier; a result of
	 * 0 leaves the corresponding filename NULL
	 */
	if( event_provider_identifier != NULL )
	{
		result = message_handle_get_value_by_provider_identifier( export_handle->message_handle, event_provider_identifier, event_provider_identifier_length,
		          _SYSTEM_STRING( "ResourceFileName" ), 16, &resource_filename, &resource_filename_size, error );

		if( result == -1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve resource filename by provider identifier.", function );

			goto on_error;
		}
		result = message_handle_get_value_by_provider_identifier( export_handle->message_handle, event_provider_identifier, event_provider_identifier_length,
		          _SYSTEM_STRING( "MessageFileName" ), 15, &message_filename, &message_filename_size, error );

		if( result == -1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve message filename by provider identifier.", function );

			goto on_error;
		}
	}
	/* Fall back to the message file registered for the event source
	 */
	if( ( message_filename == NULL ) && ( event_source != NULL ) )
	{
		result = message_handle_get_value_by_event_source( export_handle->message_handle, event_source, event_source_length,
		          _SYSTEM_STRING( "EventMessageFile" ), 16, &message_filename, &message_filename_size, error );

		if( result == -1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve message filename by event source.", function );

			goto on_error;
		}
	}
	/* NOTE(review): the filename comes from the message handle, presumably
	 * from the registry files, and is printed without filtering control
	 * characters; consider sanitizing output that may reach a terminal
	 */
	if( resource_filename != NULL )
	{
		fprintf( export_handle->notify_stream, "Resource filename\t\t: %" PRIs_SYSTEM "\n", resource_filename );
	}
	if( resource_filename != NULL )
	{
		/* resource_filename is only set when event_provider_identifier
		 * is not NULL, see above
		 */
		if( export_handle_guid_string_copy_to_byte_stream( export_handle, event_provider_identifier, event_provider_identifier_length, provider_identifier, 16, error ) != 1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_SET_FAILED,
			 "%s: unable to copy GUID from string.", function );

			goto on_error;
		}
		/* The size presumably includes the end-of-string character,
		 * hence the - 1
		 * NOTE(review): a size of 0 would wrap around; confirm the
		 * message handle never returns a non-NULL string with size 0
		 */
		result = message_handle_get_resource_file_by_provider_identifier( export_handle->message_handle, resource_filename, resource_filename_size - 1,
		          provider_identifier, 16, &resource_file, error );

		if( result == -1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve resource file.", function );

			goto on_error;
		}
		else if( result != 0 )
		{
			result = resource_file_get_event_message_identifier( resource_file, provider_identifier, 16, event_identifier, &message_identifier, error );

			if( result == -1 )
			{
				libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
				 "%s: unable to retrieve message identifier.", function );

				goto on_error;
			}
			else if( result == 0 )
			{
				/* 0 marks the identifier as unresolved for the
				 * fallback below
				 */
				message_identifier = 0;
			}
			if( export_handle->use_template_definition != 0 )
			{
				result = export_handle_resource_file_get_template_definition( export_handle, resource_file, provider_identifier, 16, event_identifier, &template_definition, error );

				if( result == -1 )
				{
					libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
					 "%s: unable to retrieve tempate definition.", function );

					goto on_error;
				}
			}
		}
		/* resource_file is not freed here; presumably owned by the
		 * message handle
		 */
		memory_free( resource_filename );

		resource_filename = NULL;
	}
	if( message_filename != NULL )
	{
		fprintf( export_handle->notify_stream, "Message filename\t\t: %" PRIs_SYSTEM "\n", message_filename );

		/* Without an identifier from the resource file, build it from the
		 * qualifiers (upper 16 bits) and the event identifier
		 */
		if( message_identifier == 0 )
		{
			result = libevtx_record_get_event_identifier_qualifiers( record, &event_identifier_qualifiers, error );

			if( result == -1 )
			{
				libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
				 "%s: unable to retrieve event identifier qualifiers.", function );

				goto on_error;
			}
			else if( result != 0 )
			{
				if( export_handle->verbose != 0 )
				{
					fprintf( export_handle->notify_stream, "Event identifier qualifiers\t: 0x%08" PRIx32 "\n", event_identifier_qualifiers );
				}
				message_identifier = event_identifier_qualifiers << 16;
			}
			message_identifier |= event_identifier;
		}
		if( export_handle->verbose != 0 )
		{
			fprintf( export_handle->notify_stream, "Message identifier\t\t: 0x%08" PRIx32 "\n", message_identifier );
		}
		/* NOTE(review): same size - 1 assumption as for the resource
		 * filename above
		 */
		result = message_handle_get_message_string( export_handle->message_handle, message_filename, message_filename_size - 1, message_identifier, &message_string, error );

		if( result == -1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve message string.", function );

			goto on_error;
		}
		memory_free( message_filename );

		message_filename = NULL;
	}
	if( export_handle->use_template_definition != 0 )
	{
		/* template_definition is still NULL when no resource file or
		 * template was found
		 */
		result = libevtx_record_parse_data_with_template_definition( record, template_definition, error );

		if( result == -1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GENERIC,
			 "%s: unable to parse record data.", function );

#if defined( HAVE_DEBUG_OUTPUT )
			if( ( error != NULL ) && ( *error != NULL ) )
			{
				libcnotify_print_error_backtrace( *error );
			}
#endif
			/* A parse failure is not fatal: the error is dropped and
			 * the export continues
			 */
			libcerror_error_free( error );
		}
		if( libevtx_template_definition_free( &template_definition, error ) != 1 )
		{
			libcerror_error_set( error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
			 "%s: unable to free template definition.", function );

			goto on_error;
		}
	}
	if( libevtx_record_get_number_of_strings( record, &number_of_strings, error ) != 1 )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve number of strings in record.", function );

		goto on_error;
	}
	fprintf( export_handle->notify_stream, "Number of strings\t\t: %d\n", number_of_strings );

	for( value_string_index = 0;
	     value_string_index < number_of_strings;
	     value_string_index++ )
	{
		/* Strings are numbered from 1 in the output
		 */
		fprintf( export_handle->notify_stream, "String: %d\t\t\t: ", value_string_index + 1 );

#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
		result = libevtx_record_get_utf16_string_size( record, value_string_index, &value_string_size, error );
#else
		result = libevtx_record_get_utf8_string_size( record, value_string_index, &value_string_size, error );
#endif
		if( result != 1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve string: %d size.", function, value_string_index );

			goto on_error;
		}
		if( value_string_size > 0 )
		{
			/* NOTE(review): the size is derived from the record and no
			 * upper bound is applied here before allocating; confirm
			 * that libevtx or system_string_allocate limits it
			 */
			value_string = system_string_allocate( value_string_size );

			if( value_string == NULL )
			{
				libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_INSUFFICIENT,
				 "%s: unable to create value string.", function );

				goto on_error;
			}
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
			result = libevtx_record_get_utf16_string( record, value_string_index, (uint16_t *) value_string, value_string_size, error );
#else
			result = libevtx_record_get_utf8_string( record, value_string_index, (uint8_t *) value_string, value_string_size, error );
#endif
			if( result != 1 )
			{
				libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
				 "%s: unable to retrieve string: %d.", function, value_string_index );

				goto on_error;
			}
			/* NOTE(review): record strings are content of the examined
			 * event log and are printed without filtering control
			 * characters; consider sanitizing output that may reach a
			 * terminal
			 */
			fprintf( export_handle->notify_stream, "%" PRIs_SYSTEM "", value_string );

			memory_free( value_string );

			value_string = NULL;
		}
		fprintf( export_handle->notify_stream, "\n" );
	}
	if( message_string != NULL )
	{
		if( message_string_fprint( message_string, record, export_handle->notify_stream, error ) != 1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_PRINT_FAILED,
			 "%s: unable to print message string.", function );

			goto on_error;
		}
		/* The message string is not freed here; presumably it is owned
		 * by the message handle, confirm
		 */
		message_string = NULL;
	}
	return( 1 );

on_error:
	if( value_string != NULL )
	{
		memory_free( value_string );
	}
	if( template_definition != NULL )
	{
		libevtx_template_definition_free( &template_definition, NULL );
	}
	if( message_filename != NULL )
	{
		memory_free( message_filename );
	}
	if( resource_filename != NULL )
	{
		memory_free( resource_filename );
	}
	return( -1 );
}

/* Exports the record
 * Dispatches on the export format of the handle to the text or the XML
 * exporter; any other format value exports nothing and still returns 1
 * Returns 1 if successful or -1 on error
 */
int export_handle_export_record(
     export_handle_t *export_handle,
     libevtx_record_t *record,
     log_handle_t *log_handle,
     libcerror_error_t **error )
{
	static char *function = "export_handle_export_record";

	if( export_handle == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid export handle.", function );

		return( -1 );
	}
	if( export_handle->export_format == EXPORT_FORMAT_TEXT )
	{
		if( export_handle_export_record_text( export_handle, record, log_handle, error ) != 1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GENERIC,
			 "%s: unable to export record in text.", function );

			return( -1 );
		}
	}
	else if( export_handle->export_format == EXPORT_FORMAT_XML )
	{
		if( export_handle_export_record_xml( export_handle, record, log_handle, error ) != 1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GENERIC,
			 "%s: unable to export record in XML.", function );

			return( -1 );
		}
	}
	return( 1 );
}

/* Exports the record in the text format
 * Returns 1 if successful or -1 on error
 */
int
export_handle_export_record_text( export_handle_t *export_handle, libevtx_record_t *record, log_handle_t *log_handle, libcerror_error_t **error ) { system_character_t filetime_string[ 48 ]; libfdatetime_filetime_t *filetime = NULL; system_character_t *source_name = NULL; system_character_t *provider_identifier = NULL; system_character_t *value_string = NULL; static char *function = "export_handle_export_record_text"; size_t source_name_size = 0; size_t provider_identifier_size = 0; size_t value_string_size = 0; uint64_t value_64bit = 0; uint32_t event_identifier = 0; uint8_t event_level = 0; uint8_t event_version = 0; int result = 0; if( export_handle == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid export handle.", function ); return( -1 ); } if( record == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid record.", function ); return( -1 ); } if( libfdatetime_filetime_initialize( &filetime, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED, "%s: unable to create filetime.", function ); goto on_error; } if( libevtx_record_get_identifier( record, &value_64bit, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve identifier.", function ); goto on_error; } fprintf( export_handle->notify_stream, "Event number\t\t\t: %" PRIu64 "\n", value_64bit ); result = libevtx_record_get_creation_time( record, &value_64bit, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve creation time.", function ); goto on_error; } else if( result != 0 ) { if( libfdatetime_filetime_copy_from_64bit( filetime, value_64bit, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, 
LIBCERROR_RUNTIME_ERROR_SET_FAILED, "%s: unable to copy filetime from 64-bit.", function ); goto on_error; } #if defined( HAVE_WIDE_SYSTEM_CHARACTER ) result = libfdatetime_filetime_copy_to_utf16_string( filetime, (uint16_t *) filetime_string, 48, LIBFDATETIME_STRING_FORMAT_TYPE_CTIME | LIBFDATETIME_STRING_FORMAT_FLAG_DATE_TIME_NANO_SECONDS, error ); #else result = libfdatetime_filetime_copy_to_utf8_string( filetime, (uint8_t *) filetime_string, 48, LIBFDATETIME_STRING_FORMAT_TYPE_CTIME | LIBFDATETIME_STRING_FORMAT_FLAG_DATE_TIME_NANO_SECONDS, error ); #endif if( result != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_SET_FAILED, "%s: unable to copy filetime to string.", function ); goto on_error; } fprintf( export_handle->notify_stream, "Creation time\t\t\t: %" PRIs_SYSTEM " UTC\n", filetime_string ); } if( libevtx_record_get_written_time( record, &value_64bit, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve written time.", function ); goto on_error; } if( libfdatetime_filetime_copy_from_64bit( filetime, value_64bit, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_SET_FAILED, "%s: unable to copy filetime from 64-bit.", function ); goto on_error; } #if defined( HAVE_WIDE_SYSTEM_CHARACTER ) result = libfdatetime_filetime_copy_to_utf16_string( filetime, (uint16_t *) filetime_string, 48, LIBFDATETIME_STRING_FORMAT_TYPE_CTIME | LIBFDATETIME_STRING_FORMAT_FLAG_DATE_TIME_NANO_SECONDS, error ); #else result = libfdatetime_filetime_copy_to_utf8_string( filetime, (uint8_t *) filetime_string, 48, LIBFDATETIME_STRING_FORMAT_TYPE_CTIME | LIBFDATETIME_STRING_FORMAT_FLAG_DATE_TIME_NANO_SECONDS, error ); #endif if( result != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_SET_FAILED, "%s: unable to copy filetime to string.", function ); goto on_error; } 
fprintf( export_handle->notify_stream, "Written time\t\t\t: %" PRIs_SYSTEM " UTC\n", filetime_string ); if( libfdatetime_filetime_free( &filetime, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED, "%s: unable to free filetime.", function ); goto on_error; } result = libevtx_record_get_event_version( record, &event_version, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve event version.", function ); goto on_error; } else if( result != 0 ) { fprintf( export_handle->notify_stream, "Event version\t\t\t: %d\n", event_version ); } if( libevtx_record_get_event_level( record, &event_level, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve event level.", function ); goto on_error; } fprintf( export_handle->notify_stream, "Event level\t\t\t: %s (%d)\n", export_handle_get_event_level( event_level ), event_level ); #if defined( HAVE_WIDE_SYSTEM_CHARACTER ) result = libevtx_record_get_utf16_user_security_identifier_size( record, &value_string_size, error ); #else result = libevtx_record_get_utf8_user_security_identifier_size( record, &value_string_size, error ); #endif if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve user security identifier size.", function ); goto on_error; } if( ( result != 0 ) && ( value_string_size > 0 ) ) { value_string = system_string_allocate( value_string_size ); if( value_string == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_INSUFFICIENT, "%s: unable to create value string.", function ); goto on_error; } #if defined( HAVE_WIDE_SYSTEM_CHARACTER ) result = libevtx_record_get_utf16_user_security_identifier( record, (uint16_t *) value_string, value_string_size, error 
); #else result = libevtx_record_get_utf8_user_security_identifier( record, (uint8_t *) value_string, value_string_size, error ); #endif if( result != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve user security identifier.", function ); goto on_error; } fprintf( export_handle->notify_stream, "User security identifier\t: %" PRIs_SYSTEM "\n", value_string ); memory_free( value_string ); value_string = NULL; } #if defined( HAVE_WIDE_SYSTEM_CHARACTER ) result = libevtx_record_get_utf16_computer_name_size( record, &value_string_size, error ); #else result = libevtx_record_get_utf8_computer_name_size( record, &value_string_size, error ); #endif if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve computer name size.", function ); goto on_error; } if( ( result != 0 ) && ( value_string_size > 0 ) ) { value_string = system_string_allocate( value_string_size ); if( value_string == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_INSUFFICIENT, "%s: unable to create value string.", function ); goto on_error; } #if defined( HAVE_WIDE_SYSTEM_CHARACTER ) result = libevtx_record_get_utf16_computer_name( record, (uint16_t *) value_string, value_string_size, error ); #else result = libevtx_record_get_utf8_computer_name( record, (uint8_t *) value_string, value_string_size, error ); #endif if( result != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve computer name.", function ); goto on_error; } fprintf( export_handle->notify_stream, "Computer name\t\t\t: %" PRIs_SYSTEM "\n", value_string ); memory_free( value_string ); value_string = NULL; } #if defined( HAVE_WIDE_SYSTEM_CHARACTER ) result = libevtx_record_get_utf16_provider_identifier_size( record, &provider_identifier_size, error ); #else result = 
libevtx_record_get_utf8_provider_identifier_size( record, &provider_identifier_size, error ); #endif if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve provider identifier size.", function ); goto on_error; } if( ( result != 0 ) && ( provider_identifier_size > 0 ) ) { provider_identifier = system_string_allocate( provider_identifier_size ); if( provider_identifier == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_INSUFFICIENT, "%s: unable to create event source.", function ); goto on_error; } #if defined( HAVE_WIDE_SYSTEM_CHARACTER ) result = libevtx_record_get_utf16_provider_identifier( record, (uint16_t *) provider_identifier, provider_identifier_size, error ); #else result = libevtx_record_get_utf8_provider_identifier( record, (uint8_t *) provider_identifier, provider_identifier_size, error ); #endif if( result != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve provider identifier.", function ); goto on_error; } if( export_handle->verbose != 0 ) { fprintf( export_handle->notify_stream, "Provider identifier\t\t: %" PRIs_SYSTEM "\n", provider_identifier ); } } #if defined( HAVE_WIDE_SYSTEM_CHARACTER ) result = libevtx_record_get_utf16_source_name_size( record, &source_name_size, error ); #else result = libevtx_record_get_utf8_source_name_size( record, &source_name_size, error ); #endif if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve source name size.", function ); goto on_error; } if( ( result != 0 ) && ( source_name_size > 0 ) ) { source_name = system_string_allocate( source_name_size ); if( source_name == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_INSUFFICIENT, "%s: unable to create event source.", function ); goto 
on_error; } #if defined( HAVE_WIDE_SYSTEM_CHARACTER ) result = libevtx_record_get_utf16_source_name( record, (uint16_t *) source_name, source_name_size, error ); #else result = libevtx_record_get_utf8_source_name( record, (uint8_t *) source_name, source_name_size, error ); #endif if( result != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve source name.", function ); goto on_error; } fprintf( export_handle->notify_stream, "Source name\t\t\t: %" PRIs_SYSTEM "\n", source_name ); } #if defined( HAVE_WIDE_SYSTEM_CHARACTER ) result = libevtx_record_get_utf16_channel_name_size( record, &value_string_size, error ); #else result = libevtx_record_get_utf8_channel_name_size( record, &value_string_size, error ); #endif if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve channel name size.", function ); goto on_error; } if( ( result != 0 ) && ( value_string_size > 0 ) ) { value_string = system_string_allocate( value_string_size ); if( value_string == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_INSUFFICIENT, "%s: unable to create value string.", function ); goto on_error; } #if defined( HAVE_WIDE_SYSTEM_CHARACTER ) result = libevtx_record_get_utf16_channel_name( record, (uint16_t *) value_string, value_string_size, error ); #else result = libevtx_record_get_utf8_channel_name( record, (uint8_t *) value_string, value_string_size, error ); #endif if( result != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve channel name.", function ); goto on_error; } fprintf( export_handle->notify_stream, "Channel name\t\t\t: %" PRIs_SYSTEM "\n", value_string ); memory_free( value_string ); value_string = NULL; } /* TODO category ? 
*/
	if( libevtx_record_get_event_identifier(
	     record,
	     &event_identifier,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve event identifier.",
		 function );

		goto on_error;
	}
	fprintf(
	 export_handle->notify_stream,
	 "Event identifier\t\t: 0x%08" PRIx32 " (%" PRIu32 ")\n",
	 event_identifier,
	 event_identifier );

	/* NOTE(review): provider_identifier_size and source_name_size start at 0
	 * and the strings are only allocated when a non-zero size was retrieved.
	 * If either size is still 0 here, the "size - 1" below wraps around to
	 * SIZE_MAX and is passed together with a NULL string. Confirm that
	 * export_handle_export_record_event_message checks the pointer for NULL
	 * before it uses the length.
	 */
	if( export_handle_export_record_event_message(
	     export_handle,
	     record,
	     provider_identifier,
	     provider_identifier_size - 1,
	     source_name,
	     source_name_size - 1,
	     event_identifier,
	     log_handle,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GENERIC,
		 "%s: unable to export event message.",
		 function );

		goto on_error;
	}
	fprintf(
	 export_handle->notify_stream,
	 "\n" );

	if( provider_identifier != NULL )
	{
		memory_free(
		 provider_identifier );

		provider_identifier = NULL;
	}
	if( source_name != NULL )
	{
		memory_free(
		 source_name );

		source_name = NULL;
	}
	return( 1 );

on_error:
	if( provider_identifier != NULL )
	{
		memory_free(
		 provider_identifier );
	}
	if( source_name != NULL )
	{
		memory_free(
		 source_name );
	}
	if( value_string != NULL )
	{
		memory_free(
		 value_string );
	}
	if( filetime != NULL )
	{
		libfdatetime_filetime_free(
		 &filetime,
		 NULL );
	}
	return( -1 );
}

/* Exports the record in the XML format
 *
 * Queries the size of the record's XML string, allocates a buffer of that
 * size, retrieves the string and writes it to export_handle->notify_stream.
 * The UTF-16 or UTF-8 libevtx variant is selected at compile time by
 * HAVE_WIDE_SYSTEM_CHARACTER. The log_handle argument is not used here.
 *
 * The XML string is written exactly as libevtx returned it.
 * NOTE(review): the record content comes from the parsed event log, so when
 * notify_stream is an interactive terminal any control characters in it reach
 * the terminal unfiltered - confirm whether libevtx escapes them.
 *
 * Returns 1 if successful or -1 on error
 */
int export_handle_export_record_xml(
     export_handle_t *export_handle,
     libevtx_record_t *record,
     log_handle_t *log_handle,
     libcerror_error_t **error )
{
	system_character_t *event_xml = NULL;
	static char *function         = "export_handle_export_record_xml";
	size_t event_xml_size         = 0;

	if( export_handle == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid export handle.",
		 function );

		return( -1 );
	}
	if( record == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record.",
		 function );

		return( -1 );
	}
	/* First call: determine how many characters the XML string needs */
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
	if( libevtx_record_get_utf16_xml_string_size(
	     record,
	     &event_xml_size,
	     error ) != 1 )
#else
	if( libevtx_record_get_utf8_xml_string_size(
	     record,
	     &event_xml_size,
	     error ) != 1 )
#endif
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve event XML size.",
		 function );

		goto on_error;
	}
	if( event_xml_size > 0 )
	{
		event_xml = system_string_allocate(
		             event_xml_size );

		if( event_xml == NULL )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_MEMORY,
			 LIBCERROR_MEMORY_ERROR_INSUFFICIENT,
			 "%s: unable to create event XML.",
			 function );

			goto on_error;
		}
		/* Second call: fill the buffer, passing the same size that was allocated */
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
		if( libevtx_record_get_utf16_xml_string(
		     record,
		     (uint16_t *) event_xml,
		     event_xml_size,
		     error ) != 1 )
#else
		if( libevtx_record_get_utf8_xml_string(
		     record,
		     (uint8_t *) event_xml,
		     event_xml_size,
		     error ) != 1 )
#endif
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve event XML.",
			 function );

			goto on_error;
		}
		/* Note that the event XML ends with a new line
		 */
		fprintf(
		 export_handle->notify_stream,
		 "%" PRIs_SYSTEM "",
		 event_xml );

		memory_free(
		 event_xml );

		event_xml = NULL;
	}
	/* An empty line separates this record from the next one */
	fprintf(
	 export_handle->notify_stream,
	 "\n" );

	return( 1 );

on_error:
	if( event_xml != NULL )
	{
		memory_free(
		 event_xml );
	}
	return( -1 );
}

/* Exports the records
 *
 * Walks the records of the file by index and hands each one to
 * export_handle_export_record. A record that cannot be retrieved or exported
 * does not stop the run: its error is freed and the loop continues with the
 * next index. A return value of 1 therefore does not mean that every record
 * was exported. An export failure leaves an "Unable to export record" line on
 * notify_stream; a retrieval failure is only reported when built with
 * HAVE_DEBUG_OUTPUT.
 *
 * When export_handle->abort is set the function returns -1 without setting
 * an error.
 *
 * Returns 1 if successful, 0 if no records are available or -1 on error
 */
int export_handle_export_records(
     export_handle_t *export_handle,
     libevtx_file_t *file,
     log_handle_t *log_handle,
     libcerror_error_t **error )
{
	libevtx_record_t *record = NULL;
	static char *function    = "export_handle_export_records";
	int number_of_records    = 0;
	int record_index         = 0;

	if( export_handle == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid export handle.",
		 function );

		return( -1 );
	}
	if( file == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid file.",
		 function );

		return( -1 );
	}
	if( libevtx_file_get_number_of_records(
	     file,
	     &number_of_records,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve number of records.",
		 function );

		return( -1 );
	}
	if( number_of_records == 0 )
	{
		return( 0 );
	}
	for( record_index = 0;
	     record_index < number_of_records;
	     record_index++ )
	{
		/* The abort flag is checked once per record */
		if( export_handle->abort != 0 )
		{
			return( -1 );
		}
		if( libevtx_file_get_record_by_index(
		     file,
		     record_index,
		     &record,
		     error ) != 1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve record: %d.",
			 function,
			 record_index );

			/* Be error tolerant for corrupt records in dirty files
			 */
#if defined( HAVE_DEBUG_OUTPUT )
			if( ( error != NULL )
			 && ( *error != NULL ) )
			{
				libcnotify_print_error_backtrace(
				 *error );
			}
#endif
			/* The error is discarded so the next record can be tried */
			libcerror_error_free(
			 error );
		}
		else if( export_handle_export_record(
		          export_handle,
		          record,
		          log_handle,
		          error ) != 1 )
		{
			fprintf(
			 export_handle->notify_stream,
			 "Unable to export record: %d.\n\n",
			 record_index );

			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_GENERIC,
			 "%s: unable to export record: %d.",
			 function,
			 record_index );

#if defined( HAVE_DEBUG_OUTPUT )
			if( ( error != NULL )
			 && ( *error != NULL ) )
			{
				libcnotify_print_error_backtrace(
				 *error );
			}
#endif
			libcerror_error_free(
			 error );
		}
		/* Also reached when the record could not be retrieved.
		 * NOTE(review): presumably libevtx_record_free accepts a record
		 * pointer that is still NULL - confirm.
		 */
		if( libevtx_record_free(
		     &record,
		     error ) != 1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
			 "%s: unable to free record: %d.",
			 function,
			 record_index );

			return( -1 );
		}
	}
	return( 1 );
}

/* Exports the recovered records
 *
 * Same loop as export_handle_export_records, but over the recovered records
 * of the file. A recovered record that cannot be retrieved or exported is
 * skipped after its error is freed, so a return value of 1 does not mean
 * that every recovered record was exported.
 *
 * When export_handle->abort is set the function returns -1 without setting
 * an error.
 *
 * Returns 1 if successful, 0 if no records are available or -1 on error
 */
int export_handle_export_recovered_records(
     export_handle_t *export_handle,
     libevtx_file_t *file,
     log_handle_t *log_handle,
     libcerror_error_t **error )
{
	libevtx_record_t *record = NULL;
	static char *function    = "export_handle_export_recovered_records";
	int number_of_records    = 0;
	int record_index         = 0;

	if( export_handle == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid export handle.",
		 function );

		return( -1 );
	}
	if( file == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid file.",
		 function );

		return( -1 );
	}
	if( libevtx_file_get_number_of_recovered_records(
	     file,
	     &number_of_records,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve number of recovered records.",
		 function );

		return( -1 );
	}
	if( number_of_records == 0 )
	{
		return( 0 );
	}
	for( record_index = 0;
	     record_index < number_of_records;
	     record_index++ )
	{
		/* The abort flag is checked once per record */
		if( export_handle->abort != 0 )
		{
			return( -1 );
		}
		if( libevtx_file_get_recovered_record_by_index(
		     file,
		     record_index,
		     &record,
		     error ) != 1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve recovered record: %d.",
			 function,
			 record_index );

#if defined( HAVE_DEBUG_OUTPUT )
			if( ( error != NULL )
			 && ( *error != NULL ) )
			{
				libcnotify_print_error_backtrace(
				 *error );
			}
#endif
			/* The error is discarded so the next record can be tried */
			libcerror_error_free(
			 error );
		}
		else if( export_handle_export_record(
		          export_handle,
		          record,
		          log_handle,
		          error ) != 1 )
		{
			fprintf(
			 export_handle->notify_stream,
			 "Unable to export recovered record: %d.\n\n",
			 record_index );

			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_GENERIC,
			 "%s: unable to export recovered record: %d.",
			 function,
			 record_index );

#if defined( HAVE_DEBUG_OUTPUT )
			if( ( error != NULL )
			 && ( *error != NULL ) )
			{
				libcnotify_print_error_backtrace(
				 *error );
			}
#endif
			libcerror_error_free(
			 error );
		}
		/* Also reached when the record could not be retrieved */
		if( libevtx_record_free(
		     &record,
		     error ) != 1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
			 "%s: unable to free record: %d.",
			 function,
			 record_index );

			return( -1 );
		}
	}
	return( 1 );
}

/* Exports the records from the file
 *
 * The regular records are exported unless the export mode is
 * EXPORT_MODE_RECOVERED and the recovered records are exported unless the
 * export mode is EXPORT_MODE_ITEMS. Both passes read from
 * export_handle->input_file.
 *
 * Returns 1 if at least one of the passes reported records, 0 if no records
 * are available or -1 on error
 */
int export_handle_export_file(
     export_handle_t *export_handle,
     log_handle_t *log_handle,
     libcerror_error_t **error )
{
	static char *function        = "export_handle_export_file";
	int result_recovered_records = 0;
	int result_records           = 0;

	if( export_handle == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid export handle.",
		 function );

		return( -1 );
	}
	if( export_handle->export_mode != EXPORT_MODE_RECOVERED )
	{
		result_records = export_handle_export_records(
		                  export_handle,
		                  export_handle->input_file,
		                  log_handle,
		                  error );

		if( result_records == -1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_GENERIC,
			 "%s: unable to export records.",
			 function );

			return( -1 );
		}
	}
	if( export_handle->export_mode != EXPORT_MODE_ITEMS )
	{
		result_recovered_records = export_handle_export_recovered_records(
		                            export_handle,
		                            export_handle->input_file,
		                            log_handle,
		                            error );

		if( result_recovered_records == -1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_GENERIC,
			 "%s: unable to export recovered records.",
			 function );

			return( -1 );
		}
	}
	/* A skipped pass leaves its result at 0 */
	if( ( result_records != 0 )
	 || ( result_recovered_records != 0 ) )
	{
		return( 1 );
	}
	return( 0 );
}

================================================
FILE: evtxtools/export_handle.h
================================================
/*
 * Export handle
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
*
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see .
 */

#if !defined( _EXPORT_HANDLE_H )
#define _EXPORT_HANDLE_H

#include
#include
#include

#include "evtxtools_libcerror.h"
#include "evtxtools_libevtx.h"
#include "log_handle.h"
#include "message_handle.h"
#include "message_string.h"
#include "resource_file.h"

#if defined( __cplusplus )
extern "C" {
#endif

/* The export modes, each value is a character code.
 * export_handle_export_file skips the regular records for
 * EXPORT_MODE_RECOVERED and skips the recovered records for
 * EXPORT_MODE_ITEMS, any other mode exports both.
 */
enum EXPORT_MODES
{
	EXPORT_MODE_ALL       = (int) 'a',
	EXPORT_MODE_ITEMS     = (int) 'i',
	EXPORT_MODE_RECOVERED = (int) 'r'
};

/* The export formats, each value is a character code
 */
enum EXPORT_FORMATS
{
	EXPORT_FORMAT_TEXT = (int) 't',
	EXPORT_FORMAT_XML  = (int) 'x'
};

typedef struct export_handle export_handle_t;

/* State shared by the export functions declared below
 */
struct export_handle
{
	/* The export mode
	 */
	uint8_t export_mode;

	/* The export format
	 */
	uint8_t export_format;

	/* The libevtx input file
	 */
	libevtx_file_t *input_file;

	/* The message handle
	 */
	message_handle_t *message_handle;

	/* The event log type
	 */
	int event_log_type;

	/* Value to indicate to use a template definition to parse event data
	 */
	int use_template_definition;

	/* Value to indicate the input is open
	 */
	int input_is_open;

	/* The ascii codepage
	 */
	int ascii_codepage;

	/* The notification output stream, the exported records are written to it
	 */
	FILE *notify_stream;

	/* Value to indicate if abort was signalled,
	 * the record export loops check it once per record
	 */
	int abort;

	/* Value to indicate if the output should be verbose
	 */
	int verbose;
};

const char *export_handle_get_event_log_key_name(
             int event_log_type );

const char *export_handle_get_event_level(
             uint8_t event_level );

int export_handle_initialize(
     export_handle_t **export_handle,
     libcerror_error_t **error );

int export_handle_free(
     export_handle_t **export_handle,
     libcerror_error_t **error );

int export_handle_signal_abort(
     export_handle_t *export_handle,
     libcerror_error_t **error );

int export_handle_set_export_mode(
     export_handle_t *export_handle,
     const system_character_t *string,
     libcerror_error_t **error );

int export_handle_set_export_format(
     export_handle_t *export_handle,
     const system_character_t *string,
     libcerror_error_t **error );

int export_handle_set_ascii_codepage(
     export_handle_t *export_handle,
     const system_character_t *string,
     libcerror_error_t **error );

int export_handle_set_preferred_language_identifier(
     export_handle_t *export_handle,
     uint32_t preferred_language_identifier,
     libcerror_error_t **error );

int export_handle_set_event_log_type(
     export_handle_t *export_handle,
     const system_character_t *string,
     libcerror_error_t **error );

int export_handle_set_event_log_type_from_filename(
     export_handle_t *export_handle,
     const system_character_t *filename,
     libcerror_error_t **error );

int export_handle_set_software_registry_filename(
     export_handle_t *export_handle,
     const system_character_t *filename,
     libcerror_error_t **error );

int export_handle_set_system_registry_filename(
     export_handle_t *export_handle,
     const system_character_t *filename,
     libcerror_error_t **error );

int export_handle_set_registry_directory_name(
     export_handle_t *export_handle,
     const system_character_t *name,
     libcerror_error_t **error );

int export_handle_set_resource_files_path(
     export_handle_t *export_handle,
     const system_character_t *path,
     libcerror_error_t **error );

int export_handle_open_input(
     export_handle_t *export_handle,
     const system_character_t *filename,
     libcerror_error_t **error );

int export_handle_close_input(
     export_handle_t *export_handle,
     libcerror_error_t **error );

/* Record specific export functions
 */
int export_handle_guid_string_copy_to_byte_stream(
     export_handle_t *export_handle,
     const system_character_t *string,
     size_t string_length,
     uint8_t *byte_stream,
     size_t byte_stream_size,
     libcerror_error_t **error );

int export_handle_resource_file_get_template_definition(
     export_handle_t *export_handle,
     resource_file_t *resource_file,
     const uint8_t *provider_identifier,
     size_t provider_identifier_size,
     uint32_t event_identifier,
     libevtx_template_definition_t **template_definition,
     libcerror_error_t **error );

int export_handle_message_string_fprint(
     export_handle_t *export_handle,
     message_string_t *message_string,
     libevtx_record_t *record,
     libcerror_error_t **error );

/* The two length arguments are lengths, not sizes: the text export passes
 * the retrieved string size minus 1 for each of them
 */
int export_handle_export_record_event_message(
     export_handle_t *export_handle,
     libevtx_record_t *record,
     const system_character_t *event_provider_identifier,
     size_t event_provider_identifier_length,
     const system_character_t *event_source,
     size_t event_source_length,
     uint32_t event_identifier,
     log_handle_t *log_handle,
     libcerror_error_t **error );

int export_handle_export_record(
     export_handle_t *export_handle,
     libevtx_record_t *record,
     log_handle_t *log_handle,
     libcerror_error_t **error );

int export_handle_export_record_text(
     export_handle_t *export_handle,
     libevtx_record_t *record,
     log_handle_t *log_handle,
     libcerror_error_t **error );

int export_handle_export_record_xml(
     export_handle_t *export_handle,
     libevtx_record_t *record,
     log_handle_t *log_handle,
     libcerror_error_t **error );

/* File export functions
 */
int export_handle_export_records(
     export_handle_t *export_handle,
     libevtx_file_t *file,
     log_handle_t *log_handle,
     libcerror_error_t **error );

int export_handle_export_recovered_records(
     export_handle_t *export_handle,
     libevtx_file_t *file,
     log_handle_t *log_handle,
     libcerror_error_t **error );

int export_handle_export_file(
     export_handle_t *export_handle,
     log_handle_t *log_handle,
     libcerror_error_t **error );

#if defined( __cplusplus )
}
#endif

#endif /* !defined( _EXPORT_HANDLE_H ) */

================================================
FILE: 
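evtxtools/info_handle.c
================================================
/*
 * Info handle
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see .
 */

#include
#include
#include
#include
#include
#include
#include

#include "evtxinput.h"
#include "evtxtools_libcerror.h"
#include "evtxtools_libclocale.h"
#include "evtxtools_libfdatetime.h"
#include "evtxtools_libevtx.h"
#include "info_handle.h"

#define INFO_HANDLE_NOTIFY_STREAM	stdout

/* Creates an info handle
 *
 * Allocates and zero-fills the handle, creates its libevtx input file and
 * sets the defaults: ASCII codepage LIBEVTX_CODEPAGE_WINDOWS_1252 and
 * notify stream INFO_HANDLE_NOTIFY_STREAM. On failure the handle is released
 * again and the value info_handle is referencing is reset to NULL.
 *
 * Make sure the value info_handle is referencing, is set to NULL
 * Returns 1 if successful or -1 on error
 */
int info_handle_initialize(
     info_handle_t **info_handle,
     libcerror_error_t **error )
{
	static char *function = "info_handle_initialize";

	if( info_handle == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid info handle.",
		 function );

		return( -1 );
	}
	/* Refuse to overwrite a handle that is already set */
	if( *info_handle != NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET,
		 "%s: invalid info handle value already set.",
		 function );

		return( -1 );
	}
	*info_handle = memory_allocate_structure(
	                info_handle_t );

	if( *info_handle == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_MEMORY,
		 LIBCERROR_MEMORY_ERROR_INSUFFICIENT,
		 "%s: unable to create info handle.",
		 function );

		goto on_error;
	}
	if( memory_set(
	     *info_handle,
	     0,
	     sizeof( info_handle_t ) ) == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_MEMORY,
		 LIBCERROR_MEMORY_ERROR_SET_FAILED,
		 "%s: unable to clear info handle.",
		 function );

		goto on_error;
	}
	if( libevtx_file_initialize(
	     &( ( *info_handle )->input_file ),
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
		 "%s: unable to initialize input file.",
		 function );

		goto on_error;
	}
	( *info_handle )->ascii_codepage = LIBEVTX_CODEPAGE_WINDOWS_1252;
	( *info_handle )->notify_stream  = INFO_HANDLE_NOTIFY_STREAM;

	return( 1 );

on_error:
	if( *info_handle != NULL )
	{
		memory_free(
		 *info_handle );

		*info_handle = NULL;
	}
	return( -1 );
}

/* Frees an info handle
 *
 * Frees the input file, when set, and then the handle itself. The handle is
 * released and reset to NULL even when freeing the input file fails, in
 * which case -1 is returned.
 *
 * Returns 1 if successful or -1 on error
 */
int info_handle_free(
     info_handle_t **info_handle,
     libcerror_error_t **error )
{
	static char *function = "info_handle_free";
	int result            = 1;

	if( info_handle == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid info handle.",
		 function );

		return( -1 );
	}
	if( *info_handle != NULL )
	{
		if( ( *info_handle )->input_file != NULL )
		{
			if( libevtx_file_free(
			     &( ( *info_handle )->input_file ),
			     error ) != 1 )
			{
				libcerror_error_set(
				 error,
				 LIBCERROR_ERROR_DOMAIN_RUNTIME,
				 LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
				 "%s: unable to free input file.",
				 function );

				/* Remember the failure but still release the handle */
				result = -1;
			}
		}
		memory_free(
		 *info_handle );

		*info_handle = NULL;
	}
	return( result );
}

/* Signals the info handle to abort
 *
 * Sets the abort flag of the handle and, when an input file is set,
 * forwards the signal to it.
 *
 * Returns 1 if successful or -1 on error
 */
int info_handle_signal_abort(
     info_handle_t *info_handle,
     libcerror_error_t **error )
{
	static char *function = "info_handle_signal_abort";

	if( info_handle == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid info handle.",
		 function );

		return( -1 );
	}
	info_handle->abort = 1;

	if( info_handle->input_file != NULL )
	{
		if( libevtx_file_signal_abort(
		     info_handle->input_file,
		     error ) != 1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_SET_FAILED,
			 "%s: unable to signal input file to abort.",
			 function );

			return( -1 );
		}
	}
	return( 1 );
}

/* Sets the ascii codepage
 *
 * Parses the codepage name in string with libclocale, with the KOI8 and
 * Windows codepage feature flags enabled, and stores the outcome in the
 * handle. The libclocale result is passed through unless it is -1.
 * NOTE(review): presumably a result of 0 means the codepage is not
 * supported - confirm against the caller.
 *
 * Returns 1 if successful or -1 on error
 */
int info_handle_set_ascii_codepage(
     info_handle_t *info_handle,
     const system_character_t *string,
     libcerror_error_t **error )
{
	static char *function  = "info_handle_set_ascii_codepage";
	size_t string_length   = 0;
	uint32_t feature_flags = 0;
	int result             = 0;

	if( info_handle == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid info handle.",
		 function );

		return( -1 );
	}
	/* The length is determined before libclocale sees the string,
	 * so a NULL string has to be rejected here
	 */
	if( string == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid string.",
		 function );

		return( -1 );
	}
	feature_flags = LIBCLOCALE_CODEPAGE_FEATURE_FLAG_HAVE_KOI8
	              | LIBCLOCALE_CODEPAGE_FEATURE_FLAG_HAVE_WINDOWS;

	string_length = system_string_length(
	                 string );

#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
	result = libclocale_codepage_copy_from_string_wide(
	          &( info_handle->ascii_codepage ),
	          string,
	          string_length,
	          feature_flags,
	          error );
#else
	result = libclocale_codepage_copy_from_string(
	          &( info_handle->ascii_codepage ),
	          string,
	          string_length,
	          feature_flags,
	          error );
#endif
	if( result == -1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to determine ASCII codepage.",
		 function );

		return( -1 );
	}
	return( result );
}

/* Sets the event log type from the filename
 *
 * Lets evtxinput_determine_event_log_type_from_filename fill in the event
 * log type of the handle and passes its result through unless it is -1.
 *
 * Returns 1 if successful or -1 on error
 */
int info_handle_set_event_log_type_from_filename(
     info_handle_t *info_handle,
     const system_character_t *filename,
     libcerror_error_t **error )
{
	static char *function = "info_handle_set_event_log_type_from_filename";
	int result            = 0;

	if( info_handle == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid info handle.",
		 function );

		return( -1 );
	}
	result = evtxinput_determine_event_log_type_from_filename(
	          filename,
	          &( info_handle->event_log_type ),
	          error );

	if( result == -1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to determine event log type from filename.",
		 function );

		return( -1 );
	}
	return( result );
}

/* Opens the info handle
 *
 * Applies the ASCII codepage of the handle to the input file and then opens
 * filename with LIBEVTX_OPEN_READ.
 *
 * Returns 1 if successful or -1 on error
 */
int info_handle_open(
     info_handle_t *info_handle,
     const system_character_t *filename,
     libcerror_error_t **error )
{
	static char *function = "info_handle_open";

	if( info_handle == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid info handle.",
		 function );

		return( -1 );
	}
	/* The codepage is set before the file is opened */
	if( libevtx_file_set_ascii_codepage(
	     info_handle->input_file,
	     info_handle->ascii_codepage,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_SET_FAILED,
		 "%s: unable to set ASCII codepage in input file.",
		 function );

		return( -1 );
	}
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
	if( libevtx_file_open_wide(
	     info_handle->input_file,
	     filename,
	     LIBEVTX_OPEN_READ,
	     error ) != 1 )
#else
	if( libevtx_file_open(
	     info_handle->input_file,
	     filename,
	     LIBEVTX_OPEN_READ,
	     error ) != 1 )
#endif
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_IO,
		 LIBCERROR_IO_ERROR_OPEN_FAILED,
		 "%s: unable to open input file.",
		 function );

		return( -1 );
	}
	return( 1 );
}

/* Closes the info handle
 *
 * Note that success is reported as 0 here, unlike the other functions in
 * this file.
 *
 * Returns 0 if successful or -1 on error
 */
int info_handle_close(
     info_handle_t *info_handle,
     libcerror_error_t **error )
{
	static char *function = "info_handle_close";

	if( info_handle == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid info handle.",
		 function );

		return( -1 );
	}
	if( libevtx_file_close(
	     info_handle->input_file,
	     error ) != 0 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_IO,
		 LIBCERROR_IO_ERROR_CLOSE_FAILED,
		 "%s: unable to close input file.",
		 function );

		return( -1 );
	}
	return( 0 );
}

/* Prints the file information to a stream
 *
 * Retrieves the format version, the flags, the corruption state and the
 * numbers of regular and recovered records from the input file. All values
 * are retrieved before anything is written to notify_stream, so a failure
 * leaves no partial report behind.
 *
 * The log type line is only printed for the event log types listed in the
 * switch below, the "Is corrupted" line only when libevtx reports the file
 * as corrupted and the flags section only when at least one flag is set.
 *
 * Returns 1 if successful or -1 on error
 */
int info_handle_file_fprint(
     info_handle_t *info_handle,
     libcerror_error_t **error )
{
	const system_character_t *event_log_type = NULL;
	/* Matches the name of this function so error messages point here */
	static char *function                    = "info_handle_file_fprint";
	uint32_t flags                           = 0;
	uint16_t major_version                   = 0;
	uint16_t minor_version                   = 0;
	int is_corrupted                         = 0;
	int number_of_recovered_records          = 0;
	int number_of_records                    = 0;

	if( info_handle == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid info handle.",
		 function );

		return( -1 );
	}
	if( libevtx_file_get_format_version(
	     info_handle->input_file,
	     &major_version,
	     &minor_version,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve format version.",
		 function );

		return( -1 );
	}
	if( libevtx_file_get_flags(
	     info_handle->input_file,
	     &flags,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve flags.",
		 function );

		return( -1 );
	}
	is_corrupted = libevtx_file_is_corrupted(
	                info_handle->input_file,
	                error );

	if( is_corrupted == -1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to determine if file is corrupted.",
		 function );

		return( -1 );
	}
	if( libevtx_file_get_number_of_records(
	     info_handle->input_file,
	     &number_of_records,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve number of records.",
		 function );

		return( -1 );
	}
	if( libevtx_file_get_number_of_recovered_records(
	     info_handle->input_file,
	     &number_of_recovered_records,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve number of recovered records.",
		 function );

		return( -1 );
	}
	fprintf(
	 info_handle->notify_stream,
	 "Windows Event Viewer Log (EVTX) information:\n" );

	fprintf(
	 info_handle->notify_stream,
	 "\tVersion\t\t\t\t: %" PRIu32 ".%" PRIu32 "\n",
	 major_version,
	 minor_version );

	fprintf(
	 info_handle->notify_stream,
	 "\tNumber of records\t\t: %d\n",
	 number_of_records );

	fprintf(
	 info_handle->notify_stream,
	 "\tNumber of recovered records\t: %d\n",
	 number_of_recovered_records );

	/* There is no default case: any other event log type leaves
	 * event_log_type at NULL and the log type line is not printed
	 */
	switch( info_handle->event_log_type )
	{
		case EVTXTOOLS_EVENT_LOG_TYPE_APPLICATION:
			event_log_type = _SYSTEM_STRING( "Application" );
			break;

		case EVTXTOOLS_EVENT_LOG_TYPE_DFS_REPLICATION:
			event_log_type = _SYSTEM_STRING( "DFS Replication" );
			break;

		case EVTXTOOLS_EVENT_LOG_TYPE_HARDWARE_EVENTS:
			event_log_type = _SYSTEM_STRING( "Hardware Events" );
			break;

		case EVTXTOOLS_EVENT_LOG_TYPE_INTERNET_EXPLORER:
			event_log_type = _SYSTEM_STRING( "Internet Explorer" );
			break;

		case EVTXTOOLS_EVENT_LOG_TYPE_KEY_MANAGEMENT_SERVICE:
			event_log_type = _SYSTEM_STRING( "Key Management Service" );
			break;

		case EVTXTOOLS_EVENT_LOG_TYPE_MEDIA_CENTER:
			event_log_type = _SYSTEM_STRING( "Media Center" );
			break;

		case EVTXTOOLS_EVENT_LOG_TYPE_SECURITY:
			event_log_type = _SYSTEM_STRING( "Security" );
			break;

		case EVTXTOOLS_EVENT_LOG_TYPE_SYSTEM:
			event_log_type = _SYSTEM_STRING( "System" );
			break;
	}
	if( event_log_type != NULL )
	{
		fprintf(
		 info_handle->notify_stream,
		 "\tLog type\t\t\t: %" PRIs_SYSTEM "\n",
		 event_log_type );
	}
	if( is_corrupted != 0 )
	{
		fprintf(
		 info_handle->notify_stream,
		 "\tIs corrupted\n" );
	}
	if( flags != 0 )
	{
		fprintf(
		 info_handle->notify_stream,
		 "\tFlags:\n" );

		if( ( flags & LIBEVTX_FILE_FLAG_IS_DIRTY ) != 0 )
		{
			fprintf(
			 info_handle->notify_stream,
			 "\t\tIs dirty\n" );
		}
		if( ( flags & LIBEVTX_FILE_FLAG_IS_FULL ) != 0 )
		{
			fprintf(
			 info_handle->notify_stream,
			 "\t\tIs full\n" );
		}
	}
	fprintf(
	 info_handle->notify_stream,
	 "\n" );

	return( 1 );
}

================================================
FILE: evtxtools/info_handle.h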
================================================ /* * Info handle * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . */ #if !defined( _INFO_HANDLE_H ) #define _INFO_HANDLE_H #include #include #include #include "evtxtools_libevtx.h" #include "evtxtools_libcerror.h" #if defined( __cplusplus ) extern "C" { #endif typedef struct info_handle info_handle_t; struct info_handle { /* The libevtx input file */ libevtx_file_t *input_file; /* The event log type */ int event_log_type; /* The ascii codepage */ int ascii_codepage; /* The notification output stream */ FILE *notify_stream; /* Value to indicate if abort was signalled */ int abort; }; int info_handle_initialize( info_handle_t **info_handle, libcerror_error_t **error ); int info_handle_free( info_handle_t **info_handle, libcerror_error_t **error ); int info_handle_signal_abort( info_handle_t *info_handle, libcerror_error_t **error ); int info_handle_set_ascii_codepage( info_handle_t *info_handle, const system_character_t *string, libcerror_error_t **error ); int info_handle_set_event_log_type_from_filename( info_handle_t *info_handle, const system_character_t *filename, libcerror_error_t **error ); int info_handle_open( info_handle_t *info_handle, const system_character_t *filename, libcerror_error_t **error ); int info_handle_close( info_handle_t *info_handle, libcerror_error_t 
**error ); int info_handle_file_fprint( info_handle_t *info_handle, libcerror_error_t **error ); #if defined( __cplusplus ) } #endif #endif /* !defined( _INFO_HANDLE_H ) */ ================================================ FILE: evtxtools/log_handle.c ================================================ /* * Log handle * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #include #include #include #include #include #if defined( HAVE_STDARG_H ) || defined( WINAPI ) #include #elif defined( HAVE_VARARGS_H ) #include #else #error Missing headers stdarg.h and varargs.h #endif #include "evtxtools_libcerror.h" #include "log_handle.h"

/* Creates a log handle
 *
 * The pointer log_handle refers to must be NULL on entry; a zero-filled
 * structure is allocated and stored in it.
 * Returns 1 if successful or -1 on error
 */
int log_handle_initialize(
     log_handle_t **log_handle,
     libcerror_error_t **error )
{
	static char *function = "log_handle_initialize";

	if( log_handle == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid log handle.", function );

		return -1;
	}
	if( *log_handle != NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET,
		 "%s: invalid log handle value already set.", function );

		return -1;
	}
	*log_handle = memory_allocate_structure( log_handle_t );

	if( *log_handle == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_INSUFFICIENT,
		 "%s: unable to create log handle.", function );

		/* Nothing was allocated, so there is nothing to release */
		return -1;
	}
	if( memory_set( *log_handle, 0, sizeof( log_handle_t ) ) == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_SET_FAILED,
		 "%s: unable to clear log handle.", function );

		/* Do not hand a handle with undefined contents back to the caller */
		memory_free( *log_handle );

		*log_handle = NULL;

		return -1;
	}
	return 1;
}

/* Frees a log handle
 *
 * Only the structure is released. The log stream is not closed here, so
 * log_handle_close should be called first when a log file was opened.
 * Returns 1 if successful or -1 on error
 */
int log_handle_free(
     log_handle_t **log_handle,
     libcerror_error_t **error )
{
	static char *function = "log_handle_free";

	if( log_handle == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid log handle.", function );

		return -1;
	}
	/* Freeing an already released (NULL) handle is not an error */
	if( *log_handle == NULL )
	{
		return 1;
	}
	memory_free( *log_handle );

	*log_handle = NULL;

	return 1;
}

/* Opens the log handle
 *
 * A NULL filename is accepted and leaves the handle without a log stream,
 * in which case log_handle_printf does nothing. Otherwise the file is
 * opened in append mode.
 * NOTE(review): a stream that is already open is overwritten without being
 * closed when this function is called a second time.
 * Returns 1 if successful or -1 on error
 */
int log_handle_open(
     log_handle_t *log_handle,
     const system_character_t *filename,
     libcerror_error_t **error )
{
	static char *function = "log_handle_open";

	if( log_handle == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid log handle.", function );

		return -1;
	}
	if( filename == NULL )
	{
		return 1;
	}
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
	log_handle->log_stream = file_stream_open_wide( filename, _SYSTEM_STRING( FILE_STREAM_OPEN_APPEND ) );
#else
	log_handle->log_stream = file_stream_open( filename, FILE_STREAM_OPEN_APPEND );
#endif
	if( log_handle->log_stream == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_OPEN_FAILED,
		 "%s: unable to open file.", function );

		return -1;
	}
	return 1;
}

/* Closes the log handle
 *
 * Closing a handle without an open log stream succeeds. When closing the
 * stream fails the stream pointer is left as it was.
 * Returns 0 if successful or -1 on error
 */
int log_handle_close(
     log_handle_t *log_handle,
     libcerror_error_t **error )
{
	static char *function = "log_handle_close";

	if( log_handle == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid log handle.", function );

		return -1;
	}
	if( log_handle->log_stream == NULL )
	{
		return 0;
	}
	if( file_stream_close( log_handle->log_stream ) != 0 )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_CLOSE_FAILED,
		 "%s: unable to close log stream.", function );

		return -1;
	}
	log_handle->log_stream = NULL;

	return 0;
}

/* Wrappers that let log_handle_printf be written once for both the
 * stdarg.h and the older varargs.h calling conventions. In the varargs.h
 * form VASTART opens a brace that VAEND closes again.
 */
#if defined( HAVE_STDARG_H ) || defined( WINAPI )
#define VARARGS( function, type, argument ) \
	function( log_handle_t *log_handle, type argument, ... )
#define VASTART( argument_list, type, name ) \
	va_start( argument_list, name )
#define VAEND( argument_list ) \
	va_end( argument_list )

#elif defined( HAVE_VARARGS_H )
#define VARARGS( function, type, argument ) \
	function( log_handle_t *log_handle, va_alist ) va_dcl
#define VASTART( argument_list, type, name ) \
	{ type name; va_start( argument_list ); name = va_arg( argument_list, type )
#define VAEND( argument_list ) \
	va_end( argument_list ); }

#endif

/* Prints a formatted string on the log stream
 *
 * Does nothing when the handle is NULL or no log stream is open.
 * The format argument is handed to vfprintf unchanged: pass a literal
 * format string and supply text taken from parsed files as an argument
 * (for example with "%s"), never as the format itself.
 */
void VARARGS(
      log_handle_printf,
      char *,
      format )
{
	va_list argument_list;

	if( ( log_handle == NULL )
	 || ( log_handle->log_stream == NULL ) )
	{
		return;
	}
	VASTART( argument_list, char *, format );

	vfprintf( log_handle->log_stream, format, argument_list );

	VAEND( argument_list );
}

#undef VARARGS
#undef VASTART
#undef VAEND

================================================
FILE: evtxtools/log_handle.h
================================================
/*
 * Log handle
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see .
*/ #if !defined( _LOG_HANDLE_H ) #define _LOG_HANDLE_H #include #include #include #include "evtxtools_libcerror.h" #if defined( __cplusplus ) extern "C" { #endif typedef struct log_handle log_handle_t; struct log_handle { /* The log stream */ FILE *log_stream; }; int log_handle_initialize( log_handle_t **log_handle, libcerror_error_t **error ); int log_handle_free( log_handle_t **log_handle, libcerror_error_t **error ); int log_handle_open( log_handle_t *log_handle, const system_character_t *filename, libcerror_error_t **error ); int log_handle_close( log_handle_t *log_handle, libcerror_error_t **error ); void log_handle_printf( log_handle_t *log_handle, char *format, ... ); #if defined( __cplusplus ) } #endif #endif /* !defined( _LOG_HANDLE_H ) */ ================================================ FILE: evtxtools/message_handle.c ================================================ /* * Message handle * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #include #include #include #include #include #include #include "evtxtools_libcdirectory.h" #include "evtxtools_libcerror.h" #include "evtxtools_libcpath.h" #include "evtxtools_libcsplit.h" #include "evtxtools_libevtx.h" #include "evtxtools_libfcache.h" #include "evtxtools_libfwevt.h" #include "evtxtools_libregf.h" #include "evtxtools_system_split_string.h" #include "evtxtools_wide_string.h" #include "message_handle.h" #include "message_string.h" #include "path_handle.h" #include "registry_file.h" #include "resource_file.h"

/* Creates a message handle
 *
 * The pointer message_handle refers to must be NULL on entry. Besides the
 * zero-filled structure a path handle and two resource file caches (regular
 * and MUI, both created with a size argument of 16) are set up. The ASCII
 * codepage defaults to Windows 1252 and the preferred language identifier
 * to 0x00000409.
 * Returns 1 if successful or -1 on error
 */
int message_handle_initialize(
     message_handle_t **message_handle,
     libcerror_error_t **error )
{
	static char *function = "message_handle_initialize";

	if( message_handle == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid message handle.", function );

		return -1;
	}
	if( *message_handle != NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET,
		 "%s: invalid message handle value already set.", function );

		return -1;
	}
	*message_handle = memory_allocate_structure( message_handle_t );

	if( *message_handle == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_INSUFFICIENT,
		 "%s: unable to create message handle.", function );

		/* Nothing was allocated, so there is nothing to release */
		return -1;
	}
	if( memory_set( *message_handle, 0, sizeof( message_handle_t ) ) == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_SET_FAILED,
		 "%s: unable to clear message handle.", function );

		/* The members are undefined at this point, so the structure is
		 * released directly instead of going through on_error, which
		 * inspects the member pointers
		 */
		memory_free( *message_handle );

		*message_handle = NULL;

		return -1;
	}
	if( path_handle_initialize( &( ( *message_handle )->path_handle ), error ) != 1 )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
		 "%s: unable to create path handle.", function );

		goto on_error;
	}
	if( libfcache_cache_initialize( &( ( *message_handle )->resource_file_cache ), 16, error ) != 1 )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
		 "%s: unable to create resource file cache.", function );

		goto on_error;
	}
	if( libfcache_cache_initialize( &( ( *message_handle )->mui_resource_file_cache ), 16, error ) != 1 )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
		 "%s: unable to create MUI resource file cache.", function );

		goto on_error;
	}
	( *message_handle )->ascii_codepage                = LIBREGF_CODEPAGE_WINDOWS_1252;
	( *message_handle )->preferred_language_identifier = 0x00000409UL;

	return 1;

on_error:
	/* The MUI cache is the last member created, so it never needs to be
	 * released on this path
	 */
	if( *message_handle != NULL )
	{
		if( ( *message_handle )->resource_file_cache != NULL )
		{
			libfcache_cache_free( &( ( *message_handle )->resource_file_cache ), NULL );
		}
		if( ( *message_handle )->path_handle != NULL )
		{
			path_handle_free( &( ( *message_handle )->path_handle ), NULL );
		}
		memory_free( *message_handle );

		*message_handle = NULL;
	}
	return -1;
}

/* Frees a message handle
 *
 * Every member is released even when an earlier release failed; the
 * failure is remembered and reported through the return value. The
 * resource files path is not released here because the handle does not
 * own it (see message_handle_set_resource_files_path).
 * Returns 1 if successful or -1 on error
 */
int message_handle_free(
     message_handle_t **message_handle,
     libcerror_error_t **error )
{
	message_handle_t *handle = NULL;
	static char *function    = "message_handle_free";
	int result               = 1;

	if( message_handle == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid message handle.", function );

		return -1;
	}
	handle = *message_handle;

	/* Freeing an already released (NULL) handle is not an error */
	if( handle == NULL )
	{
		return result;
	}
	if( handle->software_registry_filename != NULL )
	{
		memory_free( handle->software_registry_filename );
	}
	if( handle->system_registry_filename != NULL )
	{
		memory_free( handle->system_registry_filename );
	}
	if( handle->registry_directory_name != NULL )
	{
		memory_free( handle->registry_directory_name );
	}
	if( handle->software_registry_file != NULL )
	{
		if( registry_file_free( &( handle->software_registry_file ), error ) != 1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
			 "%s: unable to free software registry file.", function );

			result = -1;
		}
	}
	if( handle->system_root_path != NULL )
	{
		memory_free( handle->system_root_path );
	}
	if( handle->windows_directory_path != NULL )
	{
		memory_free( handle->windows_directory_path );
	}
	if( handle->system_registry_file != NULL )
	{
		if( registry_file_free( &( handle->system_registry_file ), error ) != 1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
			 "%s: unable to free system registry file.", function );

			result = -1;
		}
	}
	if( path_handle_free( &( handle->path_handle ), error ) != 1 )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
		 "%s: unable to free path handle.", function );

		result = -1;
	}
	if( libfcache_cache_free( &( handle->resource_file_cache ), error ) != 1 )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
		 "%s: unable to free resource file cache.", function );

		result = -1;
	}
	if( libfcache_cache_free( &( handle->mui_resource_file_cache ), error ) != 1 )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
		 "%s: unable to free MUI resource file cache.", function );

		result = -1;
	}
	/* The registry keys are released with a NULL error argument, so only
	 * the message set below is recorded when that fails
	 */
	if( handle->winevt_publishers_key != NULL )
	{
		if( libregf_key_free( &( handle->winevt_publishers_key ), NULL ) != 1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
			 "%s: unable to free winevt publishers key.", function );

			result = -1;
		}
	}
	if( handle->control_set_1_eventlog_services_key != NULL )
	{
		if( libregf_key_free( &( handle->control_set_1_eventlog_services_key ), NULL ) != 1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
			 "%s: unable to free control set 1 eventlog services key.", function );

			result = -1;
		}
	}
	if( handle->control_set_2_eventlog_services_key != NULL )
	{
		if( libregf_key_free( &( handle->control_set_2_eventlog_services_key ), NULL ) != 1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
			 "%s: unable to free control set 2 key.", function );

			result = -1;
		}
	}
	memory_free( handle );

	*message_handle = NULL;

	return result;
}

/* Signals the message handle to abort
 *
 * The signal is forwarded to the software and system registry files that
 * are currently set; the first failure stops the forwarding.
 * Returns 1 if successful or -1 on error
 */
int message_handle_signal_abort(
     message_handle_t *message_handle,
     libcerror_error_t **error )
{
	static char *function = "message_handle_signal_abort";

	if( message_handle == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid message handle.", function );

		return -1;
	}
	if( ( message_handle->software_registry_file != NULL )
	 && ( registry_file_signal_abort( message_handle->software_registry_file, error ) != 1 ) )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_SET_FAILED,
		 "%s: unable to signal software registry file to abort.", function );

		return -1;
	}
	if( ( message_handle->system_registry_file != NULL )
	 && ( registry_file_signal_abort( message_handle->system_registry_file, error ) != 1 ) )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_SET_FAILED,
		 "%s: unable to signal system registry file to abort.", function );

		return -1;
	}
	return 1;
}

/* Sets the ascii codepage
 *
 * The value is stored without validation.
 * Returns 1 if successful or -1 on error
 */
int message_handle_set_ascii_codepage(
     message_handle_t *message_handle,
     int ascii_codepage,
     libcerror_error_t **error )
{
	static char *function = "message_handle_set_ascii_codepage";

	if( message_handle == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid message handle.", function );

		return -1;
	}
	message_handle->ascii_codepage = ascii_codepage;

	return 1;
}

/* Sets the preferred language identifier
 *
 * The value is stored without validation.
 * Returns 1 if successful or -1 on error
 */
int message_handle_set_preferred_language_identifier(
     message_handle_t *message_handle,
     uint32_t preferred_language_identifier,
     libcerror_error_t **error )
{
	static char *function = "message_handle_set_preferred_language_identifier";

	if( message_handle == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid message handle.", function );

		return -1;
	}
	message_handle->preferred_language_identifier = preferred_language_identifier;

	return 1;
}

/* Sets the name of the software registry file
 *
 * The name is copied into a buffer owned by the handle and a previously
 * set name is released first. On any failure after the argument checks
 * the stored name is cleared.
 * Returns 1 if successful or -1 on error
 */
int message_handle_set_software_registry_filename(
     message_handle_t *message_handle,
     const system_character_t *filename,
     libcerror_error_t **error )
{
	static char *function  = "message_handle_set_software_registry_filename";
	size_t filename_length = 0;

	if( message_handle == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid message handle.", function );

		return -1;
	}
	if( filename == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid filename.", function );

		return -1;
	}
	filename_length = system_string_length( filename );

	/* Bound the length before it is used to size the allocation */
	if( filename_length > (size_t) SSIZE_MAX )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS,
		 "%s: invalid filename length value out of bounds.", function );

		goto on_error;
	}
	if( message_handle->software_registry_filename != NULL )
	{
		memory_free( message_handle->software_registry_filename );

		message_handle->software_registry_filename = NULL;
	}
	/* The stored size includes the end-of-string character */
	message_handle->software_registry_filename_size = filename_length + 1;

	message_handle->software_registry_filename = system_string_allocate( message_handle->software_registry_filename_size );

	if( message_handle->software_registry_filename == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_INSUFFICIENT,
		 "%s: unable to create software registry filename.", function );

		goto on_error;
	}
	if( system_string_copy( message_handle->software_registry_filename, filename, filename_length ) == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_COPY_FAILED,
		 "%s: unable to copy software registry filename.", function );

		goto on_error;
	}
	( message_handle->software_registry_filename )[ filename_length ] = 0;

	return 1;

on_error:
	if( message_handle->software_registry_filename != NULL )
	{
		memory_free( message_handle->software_registry_filename );

		message_handle->software_registry_filename = NULL;
	}
	message_handle->software_registry_filename_size = 0;

	return -1;
}

/* Sets the name of the system registry file
 *
 * The name is copied into a buffer owned by the handle and a previously
 * set name is released first. On any failure after the argument checks
 * the stored name is cleared.
 * Returns 1 if successful or -1 on error
 */
int message_handle_set_system_registry_filename(
     message_handle_t *message_handle,
     const system_character_t *filename,
     libcerror_error_t **error )
{
	static char *function  = "message_handle_set_system_registry_filename";
	size_t filename_length = 0;

	if( message_handle == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid message handle.", function );

		return -1;
	}
	if( filename == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid filename.", function );

		return -1;
	}
	filename_length = system_string_length( filename );

	/* Bound the length before it is used to size the allocation */
	if( filename_length > (size_t) SSIZE_MAX )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS,
		 "%s: invalid filename length value out of bounds.", function );

		goto on_error;
	}
	if( message_handle->system_registry_filename != NULL )
	{
		memory_free( message_handle->system_registry_filename );

		message_handle->system_registry_filename = NULL;
	}
	/* The stored size includes the end-of-string character */
	message_handle->system_registry_filename_size = filename_length + 1;

	message_handle->system_registry_filename = system_string_allocate( message_handle->system_registry_filename_size );

	if( message_handle->system_registry_filename == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_INSUFFICIENT,
		 "%s: unable to create system registry filename.", function );

		goto on_error;
	}
	if( system_string_copy( message_handle->system_registry_filename, filename, filename_length ) == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_COPY_FAILED,
		 "%s: unable to copy system registry filename.", function );

		goto on_error;
	}
	( message_handle->system_registry_filename )[ filename_length ] = 0;

	return 1;

on_error:
	if( message_handle->system_registry_filename != NULL )
	{
		memory_free( message_handle->system_registry_filename );

		message_handle->system_registry_filename = NULL;
	}
	message_handle->system_registry_filename_size = 0;

	return -1;
}

/* Sets the name of the directory containing the software and system registry file
 *
 * The name is copied into a buffer owned by the handle and a previously
 * set name is released first. On any failure after the argument checks
 * the stored name is cleared.
 * Returns 1 if successful or -1 on error
 */
int message_handle_set_registry_directory_name(
     message_handle_t *message_handle,
     const system_character_t *name,
     libcerror_error_t **error )
{
	static char *function = "message_handle_set_registry_directory_name";
	size_t name_length    = 0;

	if( message_handle == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid message handle.", function );

		return -1;
	}
	if( name == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid name.", function );

		return -1;
	}
	name_length = system_string_length( name );

	/* Bound the length before it is used to size the allocation */
	if( name_length > (size_t) SSIZE_MAX )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS,
		 "%s: invalid name length value out of bounds.", function );

		goto on_error;
	}
	if( message_handle->registry_directory_name != NULL )
	{
		memory_free( message_handle->registry_directory_name );

		message_handle->registry_directory_name = NULL;
	}
	/* The stored size includes the end-of-string character */
	message_handle->registry_directory_name_size = name_length + 1;

	message_handle->registry_directory_name = system_string_allocate( message_handle->registry_directory_name_size );

	if( message_handle->registry_directory_name == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_INSUFFICIENT,
		 "%s: unable to create registry directory name.", function );

		goto on_error;
	}
	if( system_string_copy( message_handle->registry_directory_name, name, name_length ) == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_COPY_FAILED,
		 "%s: unable to copy registry directory name.", function );

		goto on_error;
	}
	( message_handle->registry_directory_name )[ name_length ] = 0;

	return 1;

on_error:
	if( message_handle->registry_directory_name != NULL )
	{
		memory_free( message_handle->registry_directory_name );

		message_handle->registry_directory_name = NULL;
	}
	message_handle->registry_directory_name_size = 0;

	return -1;
}

/* Sets the resource files (search) path
 *
 * Unlike the registry name setters no copy is made: the handle keeps the
 * caller's pointer and message_handle_free does not release it. The caller
 * must keep the string valid and unchanged for as long as the handle is
 * in use.
 * Returns 1 if successful or -1 on error
 */
int message_handle_set_resource_files_path(
     message_handle_t *message_handle,
     const system_character_t *path,
     libcerror_error_t **error )
{
	static char *function = "message_handle_set_resource_files_path";

	if( message_handle == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid message handle.", function );

		return -1;
	}
	if( path == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid path.", function );

		return -1;
	}
	message_handle->resource_files_path = path;

	return 1;
}

/* Opens the software registry file * Returns 1 if successful, 0 if not available or -1 on error */ int message_handle_open_software_registry_file( message_handle_t *message_handle, libcerror_error_t **error ) { system_character_t *key_path = NULL; system_character_t *software_filename = NULL; libregf_key_t *sub_key = NULL; libregf_value_t *value = NULL; const char *sub_key_path = NULL; const char *value_name = NULL; static char *function = "message_handle_open_software_registry_file"; size_t key_path_length = 0; size_t value_name_length = 0; int result = 0; if( message_handle == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid message handle.", function ); return( -1 ); } if( ( message_handle->software_registry_filename == NULL ) && ( message_handle->registry_directory_name != NULL ) ) { software_filename = system_string_allocate( 9 ); if( software_filename == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_INSUFFICIENT, "%s: unable to create software filename.", function ); goto on_error; } if( system_string_copy( software_filename, _SYSTEM_STRING( "SOFTWARE" ), 8 ) == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_COPY_FAILED, "%s: unable to set software filename.", function ); goto on_error; } software_filename[ 8 ] = 0; result = path_handle_get_directory_entry_name_by_name_no_case( message_handle->path_handle, message_handle->registry_directory_name, message_handle->registry_directory_name_size - 1, software_filename, 9, LIBCDIRECTORY_ENTRY_TYPE_FILE, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_GENERIC, "%s: unable to 
determine if directory has entry: %" PRIs_SYSTEM ".", function, software_filename ); goto on_error; } #if defined( HAVE_WIDE_SYSTEM_CHARACTER ) result = libcpath_path_join_wide( &( message_handle->software_registry_filename ), &( message_handle->software_registry_filename_size ), message_handle->registry_directory_name, message_handle->registry_directory_name_size - 1, software_filename, 8, error ); #else result = libcpath_path_join( &( message_handle->software_registry_filename ), &( message_handle->software_registry_filename_size ), message_handle->registry_directory_name, message_handle->registry_directory_name_size - 1, software_filename, 8, error ); #endif if( result != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED, "%s: unable create software registry filename.", function ); return( -1 ); } memory_free( software_filename ); software_filename = NULL; } if( message_handle->software_registry_filename != NULL ) { if( registry_file_initialize( &( message_handle->software_registry_file ), error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED, "%s: unable to initialize software registry file.", function ); return( -1 ); } if( registry_file_set_ascii_codepage( message_handle->software_registry_file, message_handle->ascii_codepage, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_SET_FAILED, "%s: unable to set ASCII codepage in software registry file.", function ); return( -1 ); } if( registry_file_open( message_handle->software_registry_file, message_handle->software_registry_filename, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_OPEN_FAILED, "%s: unable to open software registry file.", function ); return( -1 ); } /* Get the value of %SystemRoot% from: * SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot */ key_path = _SYSTEM_STRING( 
"Microsoft\\Windows NT\\CurrentVersion" ); key_path_length = system_string_length( key_path ); result = registry_file_get_key_by_path( message_handle->software_registry_file, key_path, key_path_length, &sub_key, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve sub key: %" PRIs_SYSTEM ".", function, sub_key_path ); goto on_error; } else if( result != 0 ) { value_name = "SystemRoot"; value_name_length = narrow_string_length( value_name ); result = libregf_key_get_value_by_utf8_name( sub_key, (uint8_t *) value_name, value_name_length, &value, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve value: %s.", function, value_name ); goto on_error; } else if( result != 0 ) { #if defined( HAVE_WIDE_SYSTEM_CHARACTER ) result = libregf_value_get_value_utf16_string_size( value, &( message_handle->system_root_path_size ), error ); #else result = libregf_value_get_value_utf8_string_size( value, &( message_handle->system_root_path_size ), error ); #endif if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve value: %s string size.", function, value_name ); goto on_error; } if( ( result != 0 ) && ( message_handle->system_root_path_size > 0 ) ) { if( ( message_handle->system_root_path_size > (size_t) SSIZE_MAX ) || ( ( sizeof( system_character_t ) * message_handle->system_root_path_size ) > (size_t) SSIZE_MAX ) ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_EXCEEDS_MAXIMUM, "%s: invalid system root path string size value exceeds maximum.", function ); goto on_error; } message_handle->system_root_path = system_string_allocate( message_handle->system_root_path_size ); if( message_handle->system_root_path == NULL ) { libcerror_error_set( error, 
LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_INSUFFICIENT, "%s: unable to create system root path string.", function ); goto on_error; } #if defined( HAVE_WIDE_SYSTEM_CHARACTER ) result = libregf_value_get_value_utf16_string( value, (uint16_t *) message_handle->system_root_path, message_handle->system_root_path_size, error ); #else result = libregf_value_get_value_utf8_string( value, (uint8_t *) message_handle->system_root_path, message_handle->system_root_path_size, error ); #endif if( result != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve value: %s string.", function, value_name ); memory_free( message_handle->system_root_path ); message_handle->system_root_path = NULL; message_handle->system_root_path_size = 0; goto on_error; } } if( libregf_value_free( &value, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED, "%s: unable to free value.", function ); goto on_error; } } } if( libregf_key_free( &sub_key, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED, "%s: unable to free sub key.", function ); goto on_error; } } /* Check if %SystemRoot% contains a sane value */ /* TODO what if system root constists of multiple paths */ if( message_handle->system_root_path != NULL ) { if( ( message_handle->system_root_path_size < 4 ) || ( ( message_handle->system_root_path )[ 1 ] != (system_character_t) ':' ) || ( ( message_handle->system_root_path )[ 2 ] != (system_character_t) '\\' ) ) { memory_free( message_handle->system_root_path ); message_handle->system_root_path = NULL; message_handle->system_root_path_size = 0; } } /* If no usable %SystemRoot% was found use the default: C:\Windows */ if( message_handle->system_root_path == NULL ) { message_handle->system_root_path_size = 11; message_handle->system_root_path = system_string_allocate( 
message_handle->system_root_path_size ); if( message_handle->system_root_path == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_INSUFFICIENT, "%s: unable to create system root path string.", function ); goto on_error; } if( system_string_copy( message_handle->system_root_path, _SYSTEM_STRING( "C:\\Windows" ), 10 ) == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_COPY_FAILED, "%s: unable to copy default value to system root path string.", function ); memory_free( message_handle->system_root_path ); message_handle->system_root_path = NULL; message_handle->system_root_path_size = 0; goto on_error; } ( message_handle->system_root_path )[ 10 ] = 0; } /* TODO for now %WinDir% is a copy of %SystemRoot% */ if( message_handle->windows_directory_path == NULL ) { message_handle->windows_directory_path_size = message_handle->system_root_path_size; message_handle->windows_directory_path = system_string_allocate( message_handle->windows_directory_path_size ); if( message_handle->windows_directory_path == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_INSUFFICIENT, "%s: unable to create windows directory path string.", function ); goto on_error; } if( system_string_copy( message_handle->windows_directory_path, message_handle->system_root_path, message_handle->windows_directory_path_size - 1 ) == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_COPY_FAILED, "%s: unable to copy default value to windows directory path string.", function ); memory_free( message_handle->windows_directory_path ); message_handle->windows_directory_path = NULL; message_handle->windows_directory_path_size = 0; goto on_error; } ( message_handle->windows_directory_path )[ message_handle->windows_directory_path_size - 1 ] = 0; } return( 1 ); on_error: if( value != NULL ) { libregf_value_free( &value, NULL ); } if( sub_key != NULL ) 
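{ libregf_key_free( &sub_key, NULL ); } if( software_filename != NULL ) { memory_free( software_filename ); } return( -1 ); }

/* Opens the SYSTEM registry file
 *
 * When no SYSTEM registry filename was set and a registry directory is known,
 * the filename is built by joining the registry directory and "SYSTEM".
 * After the file is opened the following keys are retrieved:
 *   the WINEVT publishers key, read from the SOFTWARE registry file,
 *   the eventlog_key_name sub key of ControlSet001\Services\Eventlog and
 *   the eventlog_key_name sub key of ControlSet002\Services\Eventlog.
 * A key that is not present is not treated as an error.
 *
 * The registry files are external input (typically taken from the system
 * under examination), so every lookup result is checked before it is used.
 *
 * Returns 1 if successful, 0 if not available or -1 on error
 */
int message_handle_open_system_registry_file(
     message_handle_t *message_handle,
     const char *eventlog_key_name,
     libcerror_error_t **error )
{
	libregf_key_t *sub_key              = NULL;
	system_character_t *key_path        = NULL;
	system_character_t *system_filename = NULL;
	static char *function               = "message_handle_open_system_registry_file";
	size_t eventlog_key_name_length     = 0;
	size_t key_path_length              = 0;
	int result                          = 0;

	if( message_handle == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid message handle.",
		 function );

		return( -1 );
	}
	if( eventlog_key_name == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid eventlog key name.",
		 function );

		return( -1 );
	}
	eventlog_key_name_length = narrow_string_length(
	                            eventlog_key_name );

	if( ( message_handle->system_registry_filename == NULL )
	 && ( message_handle->registry_directory_name != NULL ) )
	{
		/* 6 characters for "SYSTEM" and 1 for the end-of-string character
		 */
		system_filename = system_string_allocate(
		                   7 );

		if( system_filename == NULL )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_MEMORY,
			 LIBCERROR_MEMORY_ERROR_INSUFFICIENT,
			 "%s: unable to create system filename.",
			 function );

			goto on_error;
		}
		if( system_string_copy(
		     system_filename,
		     _SYSTEM_STRING( "SYSTEM" ),
		     6 ) == NULL )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_COPY_FAILED,
			 "%s: unable to set system filename.",
			 function );

			goto on_error;
		}
		system_filename[ 6 ] = 0;

		/* NOTE(review): presumably this rewrites system_filename to the casing
		 * of the matching directory entry - confirm. Only -1 is handled, a
		 * result of 0 (no such entry) still falls through to the path join.
		 */
		result = path_handle_get_directory_entry_name_by_name_no_case(
		          message_handle->path_handle,
		          message_handle->registry_directory_name,
		          message_handle->registry_directory_name_size - 1,
		          system_filename,
		          7,
		          LIBCDIRECTORY_ENTRY_TYPE_FILE,
		          error );

		if( result == -1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_IO,
			 LIBCERROR_IO_ERROR_GENERIC,
			 "%s: unable to determine if directory has entry: %" PRIs_SYSTEM ".",
			 function,
			 system_filename );

			goto on_error;
		}
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
		result = libcpath_path_join_wide(
		          &( message_handle->system_registry_filename ),
		          &( message_handle->system_registry_filename_size ),
		          message_handle->registry_directory_name,
		          message_handle->registry_directory_name_size - 1,
		          system_filename,
		          6,
		          error );
#else
		result = libcpath_path_join(
		          &( message_handle->system_registry_filename ),
		          &( message_handle->system_registry_filename_size ),
		          message_handle->registry_directory_name,
		          message_handle->registry_directory_name_size - 1,
		          system_filename,
		          6,
		          error );
#endif
		if( result != 1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
			 "%s: unable create system registry filename.",
			 function );

			/* Leave via on_error so that system_filename is freed
			 */
			goto on_error;
		}
		memory_free(
		 system_filename );

		system_filename = NULL;
	}
	if( message_handle->system_registry_filename == NULL )
	{
		return( 0 );
	}
	if( registry_file_initialize(
	     &( message_handle->system_registry_file ),
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
		 "%s: unable to initialize system registry file.",
		 function );

		return( -1 );
	}
	if( registry_file_set_ascii_codepage(
	     message_handle->system_registry_file,
	     message_handle->ascii_codepage,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_SET_FAILED,
		 "%s: unable to set ASCII codepage in system registry file.",
		 function );

		return( -1 );
	}
	if( registry_file_open(
	     message_handle->system_registry_file,
	     message_handle->system_registry_filename,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_IO,
		 LIBCERROR_IO_ERROR_OPEN_FAILED,
		 "%s: unable to open system registry file.",
		 function );

		return( -1 );
	}
	/* Get the winevt providers key
	 * SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers
	 *
	 * NOTE(review): this reads from the SOFTWARE registry file, which
	 * message_handle_open_software_registry_file only initializes when a
	 * SOFTWARE filename is known. If it is still NULL here the outcome depends
	 * on how registry_file_get_key_by_path treats a NULL file - confirm.
	 */
	key_path = _SYSTEM_STRING( "Microsoft\\Windows\\CurrentVersion\\WINEVT\\Publishers" );

	key_path_length = system_string_length(
	                   key_path );

	result = registry_file_get_key_by_path(
	          message_handle->software_registry_file,
	          key_path,
	          key_path_length,
	          &( message_handle->winevt_publishers_key ),
	          error );

	if( result == -1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve sub key: %" PRIs_SYSTEM ".",
		 function,
		 key_path );

		goto on_error;
	}
	/* Get the control set 1 eventlog services key:
	 * SYSTEM\ControlSet001\Services\Eventlog
	 */
	key_path = _SYSTEM_STRING( "ControlSet001\\Services\\Eventlog" );

	key_path_length = system_string_length(
	                   key_path );

	result = registry_file_get_key_by_path(
	          message_handle->system_registry_file,
	          key_path,
	          key_path_length,
	          &sub_key,
	          error );

	if( result == -1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve sub key: %" PRIs_SYSTEM ".",
		 function,
		 key_path );

		goto on_error;
	}
	else if( result != 0 )
	{
		result = libregf_key_get_sub_key_by_utf8_name(
		          sub_key,
		          (uint8_t *) eventlog_key_name,
		          eventlog_key_name_length,
		          &( message_handle->control_set_1_eventlog_services_key ),
		          error );

		if( result == -1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve sub key: %s.",
			 function,
			 eventlog_key_name );

			goto on_error;
		}
	}
	if( libregf_key_free(
	     &sub_key,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
		 "%s: unable to free sub key.",
		 function );

		goto on_error;
	}
	/* Get the control set 2 eventlog services key:
	 * SYSTEM\ControlSet002\Services\Eventlog
	 */
	key_path = _SYSTEM_STRING( "ControlSet002\\Services\\Eventlog" );

	key_path_length = system_string_length(
	                   key_path );

	result = registry_file_get_key_by_path(
	          message_handle->system_registry_file,
	          key_path,
	          key_path_length,
	          &sub_key,
	          error );

	if( result == -1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve sub key: %" PRIs_SYSTEM ".",
		 function,
		 key_path );

		goto on_error;
	}
	else if( result != 0 )
	{
		result = libregf_key_get_sub_key_by_utf8_name(
		          sub_key,
		          (uint8_t *) eventlog_key_name,
		          eventlog_key_name_length,
		          &( message_handle->control_set_2_eventlog_services_key ),
		          error );

		if( result == -1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve sub key: %s.",
			 function,
			 eventlog_key_name );

			goto on_error;
		}
	}
	if( libregf_key_free(
	     &sub_key,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
		 "%s: unable to free sub key.",
		 function );

		goto on_error;
	}
	return( 1 );

on_error:
	if( sub_key != NULL )
	{
		libregf_key_free(
		 &sub_key,
		 NULL );
	}
	if( system_filename != NULL )
	{
		memory_free(
		 system_filename );
	}
	return( -1 );
}

/* Opens the input
 *
 * Opens the SOFTWARE registry file first and the SYSTEM registry file second.
 * The order matters: message_handle_open_system_registry_file reads the
 * WINEVT publishers key from the SOFTWARE registry file.
 * Only a result of -1 is treated as a failure, a registry file that is
 * not available does not make this function fail.
 *
 * Returns 1 if successful or -1 on error
 */
int message_handle_open_input(
     message_handle_t *message_handle,
     const char *eventlog_key_name,
     libcerror_error_t **error )
{
	static char *function = "message_handle_open_input";
	int result            = 0;

	if( message_handle == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid message handle.",
		 function );

		return( -1 );
	}
	result = message_handle_open_software_registry_file(
	          message_handle,
	          error );

	if( result == -1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_IO,
		 LIBCERROR_IO_ERROR_OPEN_FAILED,
		 "%s: unable to open software registry file.",
		 function );

		return( -1 );
	}
	/* eventlog_key_name is validated by the callee
	 */
	result = message_handle_open_system_registry_file(
	          message_handle,
	          eventlog_key_name,
	          error );

	if( result == -1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_IO,
		 LIBCERROR_IO_ERROR_OPEN_FAILED,
		 "%s: unable to open system registry file.",
		 function );

		return( -1 );
	}
	return( 1 );
}

/* Closes the input
 *
 * Closes the SOFTWARE and SYSTEM registry files when they were opened and
 * empties both resource file caches. Every step is attempted even if an
 * earlier one failed, the failure is remembered in the return value.
 *
 * Returns 0 if successful or -1 on error
 */
int message_handle_close_input(
     message_handle_t *message_handle,
     libcerror_error_t **error )
{
	static char *function = "message_handle_close_input";
	int result            = 0;

	if( message_handle == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid message handle.",
		 function );

		return( -1 );
	}
	if( message_handle->software_registry_file != NULL )
	{
		if( registry_file_close(
		     message_handle->software_registry_file,
		     error ) != 0 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_IO,
			 LIBCERROR_IO_ERROR_CLOSE_FAILED,
			 "%s: unable to close software registry file.",
			 function );

			result = -1;
		}
	}
	if( message_handle->system_registry_file != NULL )
	{
		if( registry_file_close(
		     message_handle->system_registry_file,
		     error ) != 0 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_IO,
			 LIBCERROR_IO_ERROR_CLOSE_FAILED,
			 "%s: unable to close system registry file.",
			 function );

			result = -1;
		}
	}
	if( libfcache_cache_empty(
	     message_handle->resource_file_cache,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
		 "%s: unable to empty resource file cache.",
		 function );

		result = -1;
	}
	if( libfcache_cache_empty(
	     message_handle->mui_resource_file_cache,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
		 "%s: unable to empty MUI resource file cache.",
		 function );

		result = -1;
	}
	return( result );
}

/* Retrieves a value for a specific event source
 * The value is retrieved from the event source key in the SYSTEM Windows Registry File if available
 *
 * The event source is looked up in the control set 1 eventlog services key
 * first and in the control set 2 key when control set 1 has no match.
 * value_string must point to a NULL pointer on entry. On success it is set to
 * a string allocated by this function, ownership passes to the caller.
 * On error both value_string and value_string_size are reset.
 *
 * Returns 1 if successful, 0 if no such event source or value or -1 on error
 */
int message_handle_get_value_by_event_source(
     message_handle_t *message_handle,
     const system_character_t *event_source,
     size_t event_source_length,
     const system_character_t *value_name,
     size_t value_name_length,
     system_character_t **value_string,
     size_t *value_string_size,
     libcerror_error_t **error )
{
	libregf_key_t *key     = NULL;
	libregf_value_t *value = NULL;
	static char *function  = "message_handle_get_value_by_event_source";
	int result             = 0;

	if( message_handle == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid message handle.",
		 function );

		return( -1 );
	}
	if( value_string == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid value string.",
		 function );

		return( -1 );
	}
	if( *value_string != NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET,
		 "%s: invalid value string value already set.",
		 function );

		return( -1 );
	}
	if( value_string_size == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid value string size.",
		 function );

		return( -1 );
	}
	if( message_handle->control_set_1_eventlog_services_key != NULL )
	{
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
		result = libregf_key_get_sub_key_by_utf16_name(
		          message_handle->control_set_1_eventlog_services_key,
		          (uint16_t *) event_source,
		          event_source_length,
		          &key,
		          error );
#else
		result = libregf_key_get_sub_key_by_utf8_name(
		          message_handle->control_set_1_eventlog_services_key,
		          (uint8_t *) event_source,
		          event_source_length,
		          &key,
		          error );
#endif
		if( result == -1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve sub key: %" PRIs_SYSTEM ".",
			 function,
			 event_source );

			goto on_error;
		}
	}
	/* Fall back to control set 2 when control set 1 has no such event source
	 */
	if( result == 0 )
	{
		if( message_handle->control_set_2_eventlog_services_key != NULL )
		{
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
			result = libregf_key_get_sub_key_by_utf16_name(
			          message_handle->control_set_2_eventlog_services_key,
			          (uint16_t *) event_source,
			          event_source_length,
			          &key,
			          error );
#else
			result = libregf_key_get_sub_key_by_utf8_name(
			          message_handle->control_set_2_eventlog_services_key,
			          (uint8_t *) event_source,
			          event_source_length,
			          &key,
			          error );
#endif
			if( result == -1 )
			{
				libcerror_error_set(
				 error,
				 LIBCERROR_ERROR_DOMAIN_RUNTIME,
				 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
				 "%s: unable to retrieve sub key: %" PRIs_SYSTEM ".",
				 function,
				 event_source );

				goto on_error;
			}
		}
	}
	if( result != 0 )
	{
		/* value_name is a system string, so the lookup has to use the
		 * encoding that matches system_character_t, like the sub key
		 * lookups above
		 */
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
		result = libregf_key_get_value_by_utf16_name(
		          key,
		          (uint16_t *) value_name,
		          value_name_length,
		          &value,
		          error );
#else
		result = libregf_key_get_value_by_utf8_name(
		          key,
		          (uint8_t *) value_name,
		          value_name_length,
		          &value,
		          error );
#endif
		if( result == -1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve value: %" PRIs_SYSTEM ".",
			 function,
			 value_name );

			goto on_error;
		}
		else if( result != 0 )
		{
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
			result = libregf_value_get_value_utf16_string_size(
			          value,
			          value_string_size,
			          error );
#else
			result = libregf_value_get_value_utf8_string_size(
			          value,
			          value_string_size,
			          error );
#endif
			if( result != 1 )
			{
				libcerror_error_set(
				 error,
				 LIBCERROR_ERROR_DOMAIN_RUNTIME,
				 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
				 "%s: unable to retrieve value string size.",
				 function );

				goto on_error;
			}
			if( *value_string_size == 0 )
			{
				libcerror_error_set(
				 error,
				 LIBCERROR_ERROR_DOMAIN_RUNTIME,
				 LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
				 "%s: missing value string.",
				 function );

				goto on_error;
			}
			/* The size is derived from the registry value, which is untrusted
			 * input: bound it before it is used as an allocation size, in the
			 * same way as is done for the system root path
			 */
			if( ( *value_string_size > (size_t) SSIZE_MAX )
			 || ( ( sizeof( system_character_t ) * *value_string_size ) > (size_t) SSIZE_MAX ) )
			{
				libcerror_error_set(
				 error,
				 LIBCERROR_ERROR_DOMAIN_RUNTIME,
				 LIBCERROR_RUNTIME_ERROR_VALUE_EXCEEDS_MAXIMUM,
				 "%s: invalid value string size value exceeds maximum.",
				 function );

				goto on_error;
			}
			*value_string = system_string_allocate(
			                 *value_string_size );

			/* Check the allocation result, not the output argument itself
			 */
			if( *value_string == NULL )
			{
				libcerror_error_set(
				 error,
				 LIBCERROR_ERROR_DOMAIN_MEMORY,
				 LIBCERROR_MEMORY_ERROR_INSUFFICIENT,
				 "%s: unable to create value string.",
				 function );

				goto on_error;
			}
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
			result = libregf_value_get_value_utf16_string(
			          value,
			          (uint16_t *) *value_string,
			          *value_string_size,
			          error );
#else
			result = libregf_value_get_value_utf8_string(
			          value,
			          (uint8_t *) *value_string,
			          *value_string_size,
			          error );
#endif
			if( result != 1 )
			{
				libcerror_error_set(
				 error,
				 LIBCERROR_ERROR_DOMAIN_RUNTIME,
				 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
				 "%s: unable to retrieve value string.",
				 function );

				goto on_error;
			}
			if( libregf_value_free(
			     &value,
			     error ) != 1 )
			{
				libcerror_error_set(
				 error,
				 LIBCERROR_ERROR_DOMAIN_RUNTIME,
				 LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
				 "%s: unable to free value.",
				 function );

				goto on_error;
			}
		}
		if( libregf_key_free(
		     &key,
		     error ) != 1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
			 "%s: unable to free key.",
			 function );

			goto on_error;
		}
	}
	return( result );

on_error:
	if( value != NULL )
	{
		libregf_value_free(
		 &value,
		 NULL );
	}
	if( key != NULL )
	{
		libregf_key_free(
		 &key,
		 NULL );
	}
	/* Do not hand a partially filled string back to the caller
	 */
	if( *value_string != NULL )
	{
		memory_free(
		 *value_string );

		*value_string = NULL;
	}
	*value_string_size = 0;

	return( -1 );
}

/* Retrieves a value for a specific provider identifier
 * The value is retrieved from the WINEVT provider key in the SOFTWARE Windows Registry File if available
 *
 * value_string must point to a NULL pointer on entry. On success it is set to
 * a string allocated by this function, ownership passes to the caller.
 * On error both value_string and value_string_size are reset.
 *
 * Returns 1 if successful, 0 if no such provider identifier or value or -1 on error
 */
int message_handle_get_value_by_provider_identifier(
     message_handle_t *message_handle,
     const system_character_t *provider_identifier,
     size_t provider_identifier_length,
     const system_character_t *value_name,
     size_t value_name_length,
     system_character_t **value_string,
     size_t *value_string_size,
     libcerror_error_t **error )
{
	libregf_key_t *key     = NULL;
	libregf_value_t *value = NULL;
	static char *function  = "message_handle_get_value_by_provider_identifier";
	int result             = 0;

	if( message_handle == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid message handle.",
		 function );

		return( -1 );
	}
	if( value_string == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid value string.",
		 function );

		return( -1 );
	}
	if( *value_string != NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET,
		 "%s: invalid value string value already set.",
		 function );

		return( -1 );
	}
	if( value_string_size == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid value string size.",
		 function );

		return( -1 );
	}
	/* Without a WINEVT publishers key result stays 0: not available
	 */
	if( message_handle->winevt_publishers_key != NULL )
	{
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
		result = libregf_key_get_sub_key_by_utf16_name(
		          message_handle->winevt_publishers_key,
		          (uint16_t *) provider_identifier,
		          provider_identifier_length,
		          &key,
		          error );
#else
		result = libregf_key_get_sub_key_by_utf8_name(
		          message_handle->winevt_publishers_key,
		          (uint8_t *) provider_identifier,
		          provider_identifier_length,
		          &key,
		          error );
#endif
		if( result == -1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve sub key: %" PRIs_SYSTEM ".",
			 function,
			 provider_identifier );

			goto on_error;
		}
	}
	if( result != 0 )
	{
		/* value_name is a system string, so the lookup has to use the
		 * encoding that matches system_character_t, like the sub key
		 * lookup above
		 */
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
		result = libregf_key_get_value_by_utf16_name(
		          key,
		          (uint16_t *) value_name,
		          value_name_length,
		          &value,
		          error );
#else
		result = libregf_key_get_value_by_utf8_name(
		          key,
		          (uint8_t *) value_name,
		          value_name_length,
		          &value,
		          error );
#endif
		if( result == -1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve value: %" PRIs_SYSTEM ".",
			 function,
			 value_name );

			goto on_error;
		}
		else if( result != 0 )
		{
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
			result = libregf_value_get_value_utf16_string_size(
			          value,
			          value_string_size,
			          error );
#else
			result = libregf_value_get_value_utf8_string_size(
			          value,
			          value_string_size,
			          error );
#endif
			if( result != 1 )
			{
				libcerror_error_set(
				 error,
				 LIBCERROR_ERROR_DOMAIN_RUNTIME,
				 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
				 "%s: unable to retrieve value string size.",
				 function );

				goto on_error;
			}
			if( *value_string_size == 0 )
			{
				libcerror_error_set(
				 error,
				 LIBCERROR_ERROR_DOMAIN_RUNTIME,
				 LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
				 "%s: missing value string.",
				 function );

				goto on_error;
			}
			/* The size is derived from the registry value, which is untrusted
			 * input: bound it before it is used as an allocation size, in the
			 * same way as is done for the system root path
			 */
			if( ( *value_string_size > (size_t) SSIZE_MAX )
			 || ( ( sizeof( system_character_t ) * *value_string_size ) > (size_t) SSIZE_MAX ) )
			{
				libcerror_error_set(
				 error,
				 LIBCERROR_ERROR_DOMAIN_RUNTIME,
				 LIBCERROR_RUNTIME_ERROR_VALUE_EXCEEDS_MAXIMUM,
				 "%s: invalid value string size value exceeds maximum.",
				 function );

				goto on_error;
			}
			*value_string = system_string_allocate(
			                 *value_string_size );

			/* Check the allocation result, not the output argument itself
			 */
			if( *value_string == NULL )
			{
				libcerror_error_set(
				 error,
				 LIBCERROR_ERROR_DOMAIN_MEMORY,
				 LIBCERROR_MEMORY_ERROR_INSUFFICIENT,
				 "%s: unable to create value string.",
				 function );

				goto on_error;
			}
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
			result = libregf_value_get_value_utf16_string(
			          value,
			          (uint16_t *) *value_string,
			          *value_string_size,
			          error );
#else
			result = libregf_value_get_value_utf8_string(
			          value,
			          (uint8_t *) *value_string,
			          *value_string_size,
			          error );
#endif
			if( result != 1 )
			{
				libcerror_error_set(
				 error,
				 LIBCERROR_ERROR_DOMAIN_RUNTIME,
				 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
				 "%s: unable to retrieve value string.",
				 function );

				goto on_error;
			}
			if( libregf_value_free(
			     &value,
			     error ) != 1 )
			{
				libcerror_error_set(
				 error,
				 LIBCERROR_ERROR_DOMAIN_RUNTIME,
				 LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
				 "%s: unable to free value.",
				 function );

				goto on_error;
			}
		}
		if( libregf_key_free(
		     &key,
		     error ) != 1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
			 "%s: unable to free key.",
			 function );

			goto on_error;
		}
	}
	return( result );

on_error:
	if( value != NULL )
	{
		libregf_value_free(
		 &value,
		 NULL );
	}
	if( key != NULL )
	{
		libregf_key_free(
		 &key,
		 NULL );
	}
	/* Do not hand a partially filled string back to the caller
	 */
	if( *value_string != NULL )
	{
		memory_free(
		 *value_string );

		*value_string = NULL;
	}
	*value_string_size = 0;

	return( -1 );
}

/* Retrieves the path of the resource file based on the resource filename * Returns 1 if successful, 0 if not available or -1 error */ int message_handle_get_resource_file_path( message_handle_t *message_handle, const system_character_t *resource_filename, size_t resource_filename_length, const system_character_t *language_string, size_t language_string_length, system_character_t **resource_file_path, size_t *resource_file_path_size, libcerror_error_t **error ) { system_character_t *mui_string = NULL; system_character_t *resource_filename_string_segment = NULL; system_split_string_t *resource_filename_split_string = NULL; static char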
*function = "message_handle_get_resource_file_path"; size_t mui_string_size = 0; size_t resource_file_path_index = 0; size_t resource_filename_directory_name_index = 0; size_t resource_filename_string_segment_size = 0; size_t resource_files_path_length = 0; uint8_t directory_entry_type = 0; int resource_filename_number_of_segments = 0; int resource_filename_segment_index = 0; int result = 0; #if defined( WINAPI ) const system_character_t *volume_letter = NULL; #endif if( message_handle == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid message handle.", function ); return( -1 ); } if( message_handle->system_root_path == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING, "%s: invalid message handle - missing system root path.", function ); goto on_error; } if( ( message_handle->system_root_path_size < 4 ) || ( message_handle->system_root_path_size > (size_t) SSIZE_MAX ) ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_VALUE_OUT_OF_BOUNDS, "%s: invalid message handle - system root path size value out of bounds.", function ); return( -1 ); } if( resource_filename == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid resource filename.", function ); return( -1 ); } if( resource_filename_length == 0 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_VALUE_ZERO_OR_LESS, "%s: invalid resource filename length is zero.", function ); return( -1 ); } if( resource_filename_length > (size_t) SSIZE_MAX ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_VALUE_EXCEEDS_MAXIMUM, "%s: invalid resource filename length value exceeds maximum.", function ); return( -1 ); } if( language_string != NULL ) { if( language_string_length > (size_t) SSIZE_MAX ) { 
libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_VALUE_EXCEEDS_MAXIMUM, "%s: invalid language string length value exceeds maximum.", function ); return( -1 ); } } if( resource_file_path == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid resource file path.", function ); return( -1 ); } if( *resource_file_path != NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET, "%s: invalid resource file path value already set.", function ); return( -1 ); } if( resource_file_path_size == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid resource file path size.", function ); return( -1 ); } if( resource_filename_length > 2 ) { /* Check if the resource filename starts with a volume letter */ if( ( resource_filename[ 1 ] == (system_character_t) ':' ) && ( ( ( resource_filename[ 0 ] >= (system_character_t) 'A' ) && ( resource_filename[ 0 ] <= (system_character_t) 'Z' ) ) || ( ( resource_filename[ 0 ] >= (system_character_t) 'a' ) && ( resource_filename[ 0 ] <= (system_character_t) 'z' ) ) ) ) { resource_filename_directory_name_index = 2; if( ( resource_filename_length >= 3 ) && ( resource_filename[ 2 ] == (system_character_t) '\\' ) ) { resource_filename_directory_name_index += 1; } #if defined( WINAPI ) volume_letter = resource_filename; #endif } } if( system_string_split( &( resource_filename[ resource_filename_directory_name_index ] ), resource_filename_length - resource_filename_directory_name_index + 1, (system_character_t) '\\', &resource_filename_split_string, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED, "%s: unable to split resource filename.", function ); goto on_error; } if( system_split_string_get_number_of_segments( resource_filename_split_string, 
&resource_filename_number_of_segments, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve number of resource filename string segments.", function ); goto on_error; } *resource_file_path_size = 0; for( resource_filename_segment_index = 0; resource_filename_segment_index < resource_filename_number_of_segments; resource_filename_segment_index++ ) { if( system_split_string_get_segment_by_index( resource_filename_split_string, resource_filename_segment_index, &resource_filename_string_segment, &resource_filename_string_segment_size, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve resource filename string segment: %d.", function, resource_filename_segment_index ); goto on_error; } if( resource_filename_string_segment == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING, "%s: missing resource filename string segment: %d.", function, resource_filename_segment_index ); goto on_error; } if( resource_filename_string_segment_size == 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_UNSUPPORTED_VALUE, "%s: unsupported empty resource filename string segment: %d.", function, resource_filename_segment_index ); goto on_error; } else if( ( resource_filename_string_segment_size == 2 ) && ( resource_filename_string_segment[ 0 ] == (system_character_t) '.' ) ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_UNSUPPORTED_VALUE, "%s: unsupported relative path in resource filename string segment: %d.", function, resource_filename_segment_index ); goto on_error; } else if( ( resource_filename_string_segment_size == 3 ) && ( resource_filename_string_segment[ 0 ] == (system_character_t) '.' ) && ( resource_filename_string_segment[ 1 ] == (system_character_t) '.' 
) ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_UNSUPPORTED_VALUE, "%s: unsupported relative path in resource filename string segment: %d.", function, resource_filename_segment_index ); goto on_error; } else if( ( resource_filename_string_segment[ 0 ] == (system_character_t) '%' ) && ( resource_filename_string_segment[ resource_filename_string_segment_size - 2 ] == (system_character_t) '%' ) ) { if( resource_filename_string_segment_size == 9 ) { /* Expand %WinDir% to WINDOWS */ if( system_string_compare_no_case( resource_filename_string_segment, _SYSTEM_STRING( "%WinDir%" ), 8 ) == 0 ) { resource_filename_string_segment_size = 8; #if defined( WINAPI ) volume_letter = message_handle->windows_directory_path; #endif } } else if( resource_filename_string_segment_size == 13 ) { /* Expand %SystemRoot% */ if( system_string_compare_no_case( resource_filename_string_segment, _SYSTEM_STRING( "%SystemRoot%" ), 12 ) == 0 ) { resource_filename_string_segment_size = message_handle->system_root_path_size - 3; #if defined( WINAPI ) volume_letter = message_handle->system_root_path; #endif } } } *resource_file_path_size += resource_filename_string_segment_size; } if( language_string != NULL ) { /* Add: /.mui */ *resource_file_path_size += language_string_length + 5; } if( message_handle->resource_files_path != NULL ) { resource_files_path_length = system_string_length( message_handle->resource_files_path ); } if( ( message_handle->resource_files_path != NULL ) && ( resource_files_path_length > 0 ) ) { *resource_file_path_size += resource_files_path_length; if( message_handle->resource_files_path[ resource_files_path_length - 1 ] != (system_character_t) LIBCPATH_SEPARATOR ) { *resource_file_path_size += 1; } } #if defined( WINAPI ) else if( volume_letter != NULL ) { *resource_file_path_size += 3; } #endif else { *resource_file_path_size += 2; } *resource_file_path_size += 1; *resource_file_path = system_string_allocate( 
*resource_file_path_size ); if( *resource_file_path == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_INSUFFICIENT, "%s: unable to create resource file path.", function ); goto on_error; } resource_file_path_index = 0; if( ( message_handle->resource_files_path != NULL ) && ( resource_files_path_length > 0 ) ) { if( system_string_copy( &( ( *resource_file_path )[ resource_file_path_index ] ), message_handle->resource_files_path, resource_files_path_length ) == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_COPY_FAILED, "%s: unable to copy resource files path to resource file path.", function ); goto on_error; } resource_file_path_index += resource_files_path_length; if( message_handle->resource_files_path[ resource_files_path_length - 1 ] != (system_character_t) LIBCPATH_SEPARATOR ) { ( *resource_file_path )[ resource_file_path_index++ ] = (system_character_t) LIBCPATH_SEPARATOR; } } #if defined( WINAPI ) else if( volume_letter != NULL ) { ( *resource_file_path )[ resource_file_path_index++ ] = volume_letter[ 0 ]; ( *resource_file_path )[ resource_file_path_index++ ] = (system_character_t) ':'; ( *resource_file_path )[ resource_file_path_index++ ] = (system_character_t) LIBCPATH_SEPARATOR; } #endif else { ( *resource_file_path )[ resource_file_path_index++ ] = (system_character_t) '.'; ( *resource_file_path )[ resource_file_path_index++ ] = (system_character_t) LIBCPATH_SEPARATOR; } for( resource_filename_segment_index = 0; resource_filename_segment_index < resource_filename_number_of_segments; resource_filename_segment_index++ ) { if( ( language_string != NULL ) && ( resource_filename_segment_index == ( resource_filename_number_of_segments - 1 ) ) ) { /* Make a copy of the language string so it can be written to */ mui_string_size = language_string_length + 1; mui_string = system_string_allocate( mui_string_size ); if( mui_string == NULL ) { libcerror_error_set( error, 
LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_INSUFFICIENT, "%s: unable to create MUI language string.", function ); goto on_error; } if( system_string_copy( mui_string, language_string, language_string_length ) == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_COPY_FAILED, "%s: unable to copy MUI language string.", function ); goto on_error; } mui_string[ language_string_length ] = 0; ( *resource_file_path )[ resource_file_path_index ] = 0; result = path_handle_get_directory_entry_name_by_name_no_case( message_handle->path_handle, *resource_file_path, resource_file_path_index + 1, mui_string, mui_string_size, LIBCDIRECTORY_ENTRY_TYPE_DIRECTORY, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_GENERIC, "%s: unable to determine if directory has entry: %" PRIs_SYSTEM ".", function, mui_string ); goto on_error; } else if( result != 0 ) { if( system_string_copy( &( ( *resource_file_path )[ resource_file_path_index ] ), mui_string, language_string_length ) == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_SET_FAILED, "%s: unable to set MUI language string in resource file path.", function ); goto on_error; } resource_file_path_index += language_string_length; ( *resource_file_path )[ resource_file_path_index++ ] = (system_character_t) LIBCPATH_SEPARATOR; } memory_free( mui_string ); mui_string = NULL; if( result == 0 ) { break; } } if( system_split_string_get_segment_by_index( resource_filename_split_string, resource_filename_segment_index, &resource_filename_string_segment, &resource_filename_string_segment_size, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve resource filename string segment: %d.", function, resource_filename_segment_index ); goto on_error; } if( resource_filename_string_segment == NULL ) { libcerror_error_set( 
error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING, "%s: missing resource filename string segment: %d.", function, resource_filename_segment_index ); goto on_error; } if( ( resource_filename_string_segment[ 0 ] == (system_character_t) '%' ) && ( resource_filename_string_segment[ resource_filename_string_segment_size - 2 ] == (system_character_t) '%' ) ) { if( resource_filename_string_segment_size == 9 ) { /* Expand %WinDir% */ if( system_string_compare_no_case( resource_filename_string_segment, _SYSTEM_STRING( "%WinDir%" ), 8 ) == 0 ) { resource_filename_string_segment = &( ( message_handle->windows_directory_path )[ 3 ] ); resource_filename_string_segment_size = message_handle->windows_directory_path_size - 3; } } else if( resource_filename_string_segment_size == 13 ) { /* Expand %SystemRoot% */ if( system_string_compare_no_case( resource_filename_string_segment, _SYSTEM_STRING( "%SystemRoot%" ), 12 ) == 0 ) { resource_filename_string_segment = &( ( message_handle->system_root_path )[ 3 ] ); resource_filename_string_segment_size = message_handle->system_root_path_size - 3; } } } if( resource_filename_segment_index < ( resource_filename_number_of_segments - 1 ) ) { directory_entry_type = LIBCDIRECTORY_ENTRY_TYPE_DIRECTORY; } else { if( language_string != NULL ) { /* Add .mui to the filename */ mui_string = system_string_allocate( resource_filename_string_segment_size + 4 ); if( mui_string == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_INSUFFICIENT, "%s: unable to create MUI resource filename string.", function ); goto on_error; } resource_filename_string_segment_size--; if( system_string_copy( mui_string, resource_filename_string_segment, resource_filename_string_segment_size ) == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_COPY_FAILED, "%s: unable to copy MUI resource filename string.", function ); goto on_error; } mui_string[ 
resource_filename_string_segment_size++ ] = (system_character_t) '.'; mui_string[ resource_filename_string_segment_size++ ] = (system_character_t) 'm'; mui_string[ resource_filename_string_segment_size++ ] = (system_character_t) 'u'; mui_string[ resource_filename_string_segment_size++ ] = (system_character_t) 'i'; mui_string[ resource_filename_string_segment_size++ ] = 0; resource_filename_string_segment = mui_string; } directory_entry_type = LIBCDIRECTORY_ENTRY_TYPE_FILE; } ( *resource_file_path )[ resource_file_path_index ] = 0; result = path_handle_get_directory_entry_name_by_name_no_case( message_handle->path_handle, *resource_file_path, resource_file_path_index + 1, resource_filename_string_segment, resource_filename_string_segment_size, directory_entry_type, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_GENERIC, "%s: unable to determine if directory has entry: %" PRIs_SYSTEM ".", function, resource_filename_string_segment ); goto on_error; } else if( result != 0 ) { if( system_string_copy( &( ( *resource_file_path )[ resource_file_path_index ] ), resource_filename_string_segment, resource_filename_string_segment_size - 1 ) == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_SET_FAILED, "%s: unable to set resource filename string segment: %d in resource file path.", function, resource_filename_segment_index ); goto on_error; } resource_file_path_index += resource_filename_string_segment_size - 1; ( *resource_file_path )[ resource_file_path_index++ ] = (system_character_t) LIBCPATH_SEPARATOR; } if( mui_string != NULL ) { memory_free( mui_string ); mui_string = NULL; } if( result == 0 ) { break; } } ( *resource_file_path )[ resource_file_path_index - 1 ] = 0; if( system_split_string_free( &resource_filename_split_string, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED, "%s: unable to free 
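resource filename split string.", function ); goto on_error; } return( result ); on_error: if( mui_string != NULL ) { memory_free( mui_string ); } if( resource_filename_split_string != NULL ) { system_split_string_free( &resource_filename_split_string, NULL ); } if( *resource_file_path != NULL ) { memory_free( *resource_file_path ); *resource_file_path = NULL; } *resource_file_path_size = 0; return( -1 ); }

/* Opens the resource file at resource_file_path and stores it in the next
 * slot of the resource file cache
 *
 * The new resource file is named after resource_filename, which is the key
 * message_handle_get_resource_file_from_cache compares against.
 * The value is handed to the cache together with resource_file_free and
 * LIBFCACHE_CACHE_VALUE_FLAG_MANAGED, which suggests the cache takes over
 * ownership - callers should not free *resource_file after success.
 *
 * Returns 1 if successful or -1 on error
 */
int message_handle_get_resource_file(
     message_handle_t *message_handle,
     const system_character_t *resource_filename,
     size_t resource_filename_length,
     const system_character_t *resource_file_path,
     resource_file_t **resource_file,
     libcerror_error_t **error )
{
	static char *function = "message_handle_get_resource_file";
	int64_t timestamp     = 0;

	if( message_handle == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid message handle.",
		 function );

		return( -1 );
	}
	if( resource_file == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid resource file.",
		 function );

		return( -1 );
	}
	if( resource_file_initialize(
	     resource_file,
	     message_handle->preferred_language_identifier,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
		 "%s: unable to create resource file.",
		 function );

		goto on_error;
	}
	if( resource_file_set_name(
	     *resource_file,
	     resource_filename,
	     resource_filename_length,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_SET_FAILED,
		 "%s: unable to set name in resource file.",
		 function );

		goto on_error;
	}
	if( resource_file_open(
	     *resource_file,
	     resource_file_path,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_IO,
		 LIBCERROR_IO_ERROR_OPEN_FAILED,
		 "%s: unable to open resource file: %" PRIs_SYSTEM ".",
		 function,
		 resource_file_path );

		goto on_error;
	}
	if( libfcache_date_time_get_timestamp(
	     &timestamp,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve cache timestamp.",
		 function );

		/* The resource file is already open at this point and not yet
		 * in the cache, so it has to be released here
		 */
		goto on_error;
	}
	if( libfcache_cache_set_value_by_index(
	     message_handle->resource_file_cache,
	     message_handle->next_resource_file_cache_index,
	     0,
	     message_handle->next_resource_file_cache_index,
	     timestamp,
	     (intptr_t *) *resource_file,
	     (int (*)(intptr_t **, libcerror_error_t **)) &resource_file_free,
	     LIBFCACHE_CACHE_VALUE_FLAG_MANAGED,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_SET_FAILED,
		 "%s: unable to set resource file in cache entry: %d.",
		 function,
		 message_handle->next_resource_file_cache_index );

		goto on_error;
	}
	/* Slots are reused round-robin; 16 matches the bound used by the
	 * cache lookup loops in this file
	 */
	message_handle->next_resource_file_cache_index++;

	if( message_handle->next_resource_file_cache_index == 16 )
	{
		message_handle->next_resource_file_cache_index = 0;
	}
	return( 1 );

on_error:
	if( *resource_file != NULL )
	{
		resource_file_free(
		 resource_file,
		 NULL );
	}
	return( -1 );
}

/* Retrieves a specific resource file from the cache * Returns 1 if successful, 0 if not available or -1 error */ int message_handle_get_resource_file_from_cache( message_handle_t *message_handle, const system_character_t *resource_filename, size_t resource_filename_length, resource_file_t **resource_file, libcerror_error_t **error ) { libfcache_cache_value_t *cache_value = NULL; static char *function = "message_handle_get_resource_file_from_cache"; int cache_index = 0; int result = 0; if( message_handle == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid message handle.", function ); return( -1 ); } if( resource_file == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid 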
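resource file.", function ); return( -1 ); } for( cache_index = 0; cache_index < 16; cache_index++ ) { if( libfcache_cache_get_value_by_index( message_handle->resource_file_cache, cache_index, &cache_value, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve cache value: %d.", function, cache_index ); return( -1 ); } if( cache_value != NULL ) { if( libfcache_cache_value_get_value( cache_value, (intptr_t **) resource_file, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve resource file from cache value: %d.", function, cache_index ); return( -1 ); } } if( *resource_file != NULL ) { if( ( resource_filename_length + 1 ) != ( *resource_file )->name_size ) { *resource_file = NULL; } else if( system_string_compare( resource_filename, ( *resource_file )->name, resource_filename_length ) != 0 ) { *resource_file = NULL; } } if( *resource_file != NULL ) { result = 1; break; } } if( result == 0 ) { *resource_file = NULL; } return( result ); }

/* Opens the MUI resource file at resource_file_path and stores it in the
 * next slot of the MUI resource file cache
 *
 * Mirrors message_handle_get_resource_file but uses mui_resource_file_cache
 * and next_mui_resource_file_cache_index.
 * The value is handed to the cache together with resource_file_free and
 * LIBFCACHE_CACHE_VALUE_FLAG_MANAGED, which suggests the cache takes over
 * ownership - callers should not free *resource_file after success.
 *
 * Returns 1 if successful or -1 on error
 */
int message_handle_get_mui_resource_file(
     message_handle_t *message_handle,
     const system_character_t *resource_filename,
     size_t resource_filename_length,
     const system_character_t *resource_file_path,
     resource_file_t **resource_file,
     libcerror_error_t **error )
{
	static char *function = "message_handle_get_mui_resource_file";
	int64_t timestamp     = 0;

	if( message_handle == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid message handle.",
		 function );

		return( -1 );
	}
	if( resource_file == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid resource file.",
		 function );

		return( -1 );
	}
	if( resource_file_initialize(
	     resource_file,
	     message_handle->preferred_language_identifier,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
		 "%s: unable to create resource file.",
		 function );

		goto on_error;
	}
	if( resource_file_set_name(
	     *resource_file,
	     resource_filename,
	     resource_filename_length,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_SET_FAILED,
		 "%s: unable to set name in resource file.",
		 function );

		goto on_error;
	}
	if( resource_file_open(
	     *resource_file,
	     resource_file_path,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_IO,
		 LIBCERROR_IO_ERROR_OPEN_FAILED,
		 "%s: unable to open resource file: %" PRIs_SYSTEM ".",
		 function,
		 resource_file_path );

		goto on_error;
	}
	if( libfcache_date_time_get_timestamp(
	     &timestamp,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve cache timestamp.",
		 function );

		/* The resource file is already open at this point and not yet
		 * in the cache, so it has to be released here
		 */
		goto on_error;
	}
	if( libfcache_cache_set_value_by_index(
	     message_handle->mui_resource_file_cache,
	     message_handle->next_mui_resource_file_cache_index,
	     0,
	     message_handle->next_mui_resource_file_cache_index,
	     timestamp,
	     (intptr_t *) *resource_file,
	     (int (*)(intptr_t **, libcerror_error_t **)) &resource_file_free,
	     LIBFCACHE_CACHE_VALUE_FLAG_MANAGED,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_SET_FAILED,
		 "%s: unable to set resource file in cache entry: %d.",
		 function,
		 message_handle->next_mui_resource_file_cache_index );

		goto on_error;
	}
	/* Slots are reused round-robin; 16 matches the bound used by the
	 * cache lookup loops in this file
	 */
	message_handle->next_mui_resource_file_cache_index++;

	if( message_handle->next_mui_resource_file_cache_index == 16 )
	{
		message_handle->next_mui_resource_file_cache_index = 0;
	}
	return( 1 );

on_error:
	/* Test the pointed-to value: resource_file itself was validated
	 * above and is never NULL here
	 */
	if( *resource_file != NULL )
	{
		resource_file_free(
		 resource_file,
		 NULL );
	}
	return( -1 );
}

/* Retrieves a specific MUI resource file from the cache * Returns 1 if 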
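successful, 0 if resource file was not found or -1 error */ int message_handle_get_mui_resource_file_from_cache( message_handle_t *message_handle, const system_character_t *resource_filename, size_t resource_filename_length, resource_file_t **resource_file, libcerror_error_t **error ) { libfcache_cache_value_t *cache_value = NULL; static char *function = "message_handle_get_mui_resource_file_from_cache"; int cache_index = 0; int result = 0; if( message_handle == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid message handle.", function ); return( -1 ); } if( resource_file == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid resource file.", function ); return( -1 ); } for( cache_index = 0; cache_index < 16; cache_index++ ) { if( libfcache_cache_get_value_by_index( message_handle->mui_resource_file_cache, cache_index, &cache_value, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve cache value: %d.", function, cache_index ); return( -1 ); } if( cache_value != NULL ) { if( libfcache_cache_value_get_value( cache_value, (intptr_t **) resource_file, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve resource file from cache value: %d.", function, cache_index ); return( -1 ); } } if( *resource_file != NULL ) { if( ( resource_filename_length + 1 ) != ( *resource_file )->name_size ) { *resource_file = NULL; } else if( system_string_compare( resource_filename, ( *resource_file )->name, resource_filename_length ) != 0 ) { *resource_file = NULL; } } if( *resource_file != NULL ) { result = 1; break; } } return( result ); }

/* Retrieves the message string from a specific resource file
 *
 * The resource file is looked up in the cache first and otherwise resolved
 * with message_handle_get_resource_file_path and opened. When that file has
 * no string for message_identifier but reports a MUI file type, the lookup
 * is repeated in the corresponding MUI resource file.
 *
 * Returns 1 if successful, 0 if not available or -1 error
 */
int message_handle_get_message_string_from_resource_file(
     message_handle_t *message_handle,
     const system_character_t *resource_filename,
     size_t resource_filename_length,
     uint32_t message_identifier,
     message_string_t **message_string,
     libcerror_error_t **error )
{
	system_character_t *resource_file_path     = NULL;
	system_character_t *mui_resource_file_path = NULL;
	resource_file_t *resource_file             = NULL;
	static char *function                      = "message_handle_get_message_string_from_resource_file";
	size_t resource_file_path_size             = 0;
	size_t mui_resource_file_path_size         = 0;
	uint32_t mui_file_type                     = 0;
	int result                                 = 0;

	if( message_handle == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid message handle.",
		 function );

		return( -1 );
	}
	if( resource_filename == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid resource filename.",
		 function );

		return( -1 );
	}
	if( ( resource_filename_length == 0 )
	 || ( resource_filename_length > (size_t) SSIZE_MAX ) )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_VALUE_OUT_OF_BOUNDS,
		 "%s: invalid resource filename length value out of bounds.",
		 function );

		return( -1 );
	}
	if( message_string == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid message string.",
		 function );

		return( -1 );
	}
	result = message_handle_get_resource_file_from_cache(
	          message_handle,
	          resource_filename,
	          resource_filename_length,
	          &resource_file,
	          error );

	if( result == -1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve resource file from cache.",
		 function );

		goto on_error;
	}
	if( result == 0 )
	{
		result = message_handle_get_resource_file_path(
		          message_handle,
		          resource_filename,
		          resource_filename_length,
		          NULL,
		          0,
		          &resource_file_path,
		          &resource_file_path_size,
		          error );

		if( result == -1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve resource file path.",
			 function );

			goto on_error;
		}
		else if( result != 0 )
		{
			if( message_handle_get_resource_file(
			     message_handle,
			     resource_filename,
			     resource_filename_length,
			     resource_file_path,
			     &resource_file,
			     error ) != 1 )
			{
				libcerror_error_set(
				 error,
				 LIBCERROR_ERROR_DOMAIN_RUNTIME,
				 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
				 "%s: unable to retrieve resource file: %" PRIs_SYSTEM ".",
				 function,
				 resource_file_path );

				goto on_error;
			}
		}
	}
	if( resource_file != NULL )
	{
		result = resource_file_get_message_string(
		          resource_file,
		          message_identifier,
		          message_string,
		          error );

		if( result == -1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve message string: 0x%08" PRIx32 ".",
			 function,
			 message_identifier );

			goto on_error;
		}
		else if( result == 0 )
		{
			result = resource_file_get_mui_file_type(
			          resource_file,
			          &mui_file_type,
			          error );

			if( result == -1 )
			{
				libcerror_error_set(
				 error,
				 LIBCERROR_ERROR_DOMAIN_RUNTIME,
				 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
				 "%s: unable to retrieve MUI file type.",
				 function );

				goto on_error;
			}
			else if( result != 0 )
			{
				/* NOTE(review): an error is set here but processing
				 * continues, so a caller can receive a non-error
				 * result with *error populated - confirm whether an
				 * unsupported MUI file type should fail instead
				 */
				if( mui_file_type != 0x00000011UL )
				{
					libcerror_error_set(
					 error,
					 LIBCERROR_ERROR_DOMAIN_RUNTIME,
					 LIBCERROR_RUNTIME_ERROR_UNSUPPORTED_VALUE,
					 "%s: unsupported MUI file type: 0x%08" PRIx32 ".",
					 function,
					 mui_file_type );
				}
				/* From here on resource_file refers to the MUI file
				 */
				resource_file = NULL;

				result = message_handle_get_mui_resource_file_from_cache(
				          message_handle,
				          resource_filename,
				          resource_filename_length,
				          &resource_file,
				          error );

				if( result == -1 )
				{
					libcerror_error_set(
					 error,
					 LIBCERROR_ERROR_DOMAIN_RUNTIME,
					 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
					 "%s: unable to retrieve MUI resource file from cache.",
					 function );

					goto on_error;
				}
				else if( result == 0 )
				{
/* TODO add support to determine language string */

					/* The MUI resource file path is: %PATH%/%LANGUAGE%/%FILENAME%.mui
					 */
					result = message_handle_get_resource_file_path(
					          message_handle,
					          resource_filename,
					          resource_filename_length,
					          _SYSTEM_STRING( "en-US" ),
					          5,
					          &mui_resource_file_path,
					          &mui_resource_file_path_size,
					          error );

					if( result == -1 )
					{
						libcerror_error_set(
						 error,
						 LIBCERROR_ERROR_DOMAIN_RUNTIME,
						 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
						 "%s: unable to retrieve MUI resource file path.",
						 function );

						goto on_error;
					}
					else if( result != 0 )
					{
						if( message_handle_get_mui_resource_file(
						     message_handle,
						     resource_filename,
						     resource_filename_length,
						     mui_resource_file_path,
						     &resource_file,
						     error ) != 1 )
						{
							libcerror_error_set(
							 error,
							 LIBCERROR_ERROR_DOMAIN_RUNTIME,
							 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
							 "%s: unable to retrieve MUI resource file: %" PRIs_SYSTEM ".",
							 function,
							 mui_resource_file_path );

							goto on_error;
						}
					}
					/* The path buffer is also returned when the entry
					 * was not found (result 0), so release it in both
					 * cases
					 */
					if( mui_resource_file_path != NULL )
					{
						memory_free(
						 mui_resource_file_path );

						mui_resource_file_path = NULL;
					}
				}
				if( resource_file != NULL )
				{
					result = resource_file_get_message_string(
					          resource_file,
					          message_identifier,
					          message_string,
					          error );

					if( result == -1 )
					{
						libcerror_error_set(
						 error,
						 LIBCERROR_ERROR_DOMAIN_RUNTIME,
						 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
						 "%s: unable to retrieve message string: 0x%08" PRIx32 ".",
						 function,
						 message_identifier );

						goto on_error;
					}
				}
			}
		}
	}
	if( resource_file_path != NULL )
	{
		memory_free(
		 resource_file_path );

		resource_file_path = NULL;
	}
	return( result );

on_error:
	if( mui_resource_file_path != NULL )
	{
		memory_free(
		 mui_resource_file_path );
	}
	if( resource_file_path != NULL )
	{
		memory_free(
		 resource_file_path );
	}
	if( *message_string != NULL )
	{
		message_string_free(
		 message_string,
		 NULL );
	}
	return( -1 );
}

/* Retrieves the message string from one or more specified resource files * Returns 1 if successful, 0 if not available or -1 error */ int message_handle_get_message_string( message_handle_t *message_handle, const system_character_t *resource_filename, size_t resource_filename_length, uint32_t message_identifier, message_string_t **message_string, libcerror_error_t **error ) { 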
system_character_t *resource_filename_string_segment = NULL; system_split_string_t *resource_filename_split_string = NULL; static char *function = "message_handle_get_message_string"; size_t resource_filename_string_segment_size = 0; int resource_filename_number_of_segments = 0; int resource_filename_segment_index = 0; int result = 0; if( message_handle == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid message handle.", function ); return( -1 ); } if( message_string == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid message string.", function ); return( -1 ); } /* The resource filename can contain multiple file names separated by ; */ if( system_string_split( resource_filename, resource_filename_length + 1, (system_character_t) ';', &resource_filename_split_string, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED, "%s: unable to split resource filename.", function ); goto on_error; } if( system_split_string_get_number_of_segments( resource_filename_split_string, &resource_filename_number_of_segments, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve number of resource filename string segments.", function ); goto on_error; } for( resource_filename_segment_index = 0; resource_filename_segment_index < resource_filename_number_of_segments; resource_filename_segment_index++ ) { if( system_split_string_get_segment_by_index( resource_filename_split_string, resource_filename_segment_index, &resource_filename_string_segment, &resource_filename_string_segment_size, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve resource filename string segment: %d.", function, 
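resource_filename_segment_index ); goto on_error; } if( resource_filename_string_segment == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING, "%s: missing resource filename string segment: %d.", function, resource_filename_segment_index ); goto on_error; } result = message_handle_get_message_string_from_resource_file( message_handle, resource_filename_string_segment, resource_filename_string_segment_size - 1, message_identifier, message_string, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve message string: 0x%08" PRIx32 " from: %" PRIs_SYSTEM ".", function, message_identifier, resource_filename_string_segment ); goto on_error; } else if( result != 0 ) { break; } } if( system_split_string_free( &resource_filename_split_string, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED, "%s: unable to free resource filename split string.", function ); goto on_error; } return( result ); on_error: if( resource_filename_split_string != NULL ) { system_split_string_free( &resource_filename_split_string, NULL ); } if( *message_string != NULL ) { message_string_free( message_string, NULL ); } return( -1 ); }

/* Retrieves a specific resource file by provider identifier
 *
 * resource_filename can hold several file names separated by ; and each one
 * is tried in order: the file is taken from the cache or resolved and
 * opened, and the first file that contains the provider ends the search.
 *
 * Returns 1 if successful, 0 if not available or -1 error
 */
int message_handle_get_resource_file_by_provider_identifier(
     message_handle_t *message_handle,
     const system_character_t *resource_filename,
     size_t resource_filename_length,
     const uint8_t *provider_identifier,
     size_t provider_identifier_size,
     resource_file_t **resource_file,
     libcerror_error_t **error )
{
	libfwevt_provider_t *provider                        = NULL;
	system_character_t *resource_file_path               = NULL;
	system_character_t *resource_filename_string_segment = NULL;
	system_split_string_t *resource_filename_split_string = NULL;
	static char *function                                = "message_handle_get_resource_file_by_provider_identifier";
	size_t resource_file_path_size                       = 0;
	size_t resource_filename_string_segment_size         = 0;
	int resource_filename_number_of_segments             = 0;
	int resource_filename_segment_index                  = 0;
	int result                                           = 0;

	if( message_handle == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid message handle.",
		 function );

		return( -1 );
	}
	if( resource_file == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid resource file.",
		 function );

		return( -1 );
	}
	/* The resource filename can contain multiple file names separated by ;
	 */
	if( system_string_split(
	     resource_filename,
	     resource_filename_length + 1,
	     (system_character_t) ';',
	     &resource_filename_split_string,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
		 "%s: unable to split resource filename.",
		 function );

		goto on_error;
	}
	if( system_split_string_get_number_of_segments(
	     resource_filename_split_string,
	     &resource_filename_number_of_segments,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve number of resource filename string segments.",
		 function );

		goto on_error;
	}
	for( resource_filename_segment_index = 0;
	     resource_filename_segment_index < resource_filename_number_of_segments;
	     resource_filename_segment_index++ )
	{
		if( system_split_string_get_segment_by_index(
		     resource_filename_split_string,
		     resource_filename_segment_index,
		     &resource_filename_string_segment,
		     &resource_filename_string_segment_size,
		     error ) != 1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve resource filename string segment: %d.",
			 function,
			 resource_filename_segment_index );

			goto on_error;
		}
		/* Same guard as message_handle_get_message_string: the segment
		 * is dereferenced and its size decremented below
		 */
		if( resource_filename_string_segment == NULL )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
			 "%s: missing resource filename string segment: %d.",
			 function,
			 resource_filename_segment_index );

			goto on_error;
		}
		result = message_handle_get_resource_file_from_cache(
		          message_handle,
		          resource_filename_string_segment,
		          resource_filename_string_segment_size - 1,
		          resource_file,
		          error );

		if( result == -1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve resource file: %d from cache.",
			 function,
			 resource_filename_segment_index );

			goto on_error;
		}
		if( result == 0 )
		{
			result = message_handle_get_resource_file_path(
			          message_handle,
			          resource_filename_string_segment,
			          resource_filename_string_segment_size - 1,
			          NULL,
			          0,
			          &resource_file_path,
			          &resource_file_path_size,
			          error );

			if( result == -1 )
			{
				libcerror_error_set(
				 error,
				 LIBCERROR_ERROR_DOMAIN_RUNTIME,
				 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
				 "%s: unable to retrieve resource file path.",
				 function );

				goto on_error;
			}
			else if( result != 0 )
			{
				/* Name the cached file after the segment, not the
				 * whole ;-separated list, since the cache lookup
				 * above compares against the segment
				 */
				if( message_handle_get_resource_file(
				     message_handle,
				     resource_filename_string_segment,
				     resource_filename_string_segment_size - 1,
				     resource_file_path,
				     resource_file,
				     error ) != 1 )
				{
					libcerror_error_set(
					 error,
					 LIBCERROR_ERROR_DOMAIN_RUNTIME,
					 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
					 "%s: unable to retrieve resource file: %" PRIs_SYSTEM ".",
					 function,
					 resource_file_path );

					goto on_error;
				}
			}
			/* The path buffer is also returned when the entry was not
			 * found (result 0); release it before the next segment
			 * overwrites the pointer
			 */
			if( resource_file_path != NULL )
			{
				memory_free(
				 resource_file_path );

				resource_file_path = NULL;
			}
		}
		/* resource_file itself was validated above; what matters here is
		 * whether a resource file was actually found for this segment
		 */
		if( *resource_file != NULL )
		{
			result = resource_file_get_provider(
			          *resource_file,
			          provider_identifier,
			          provider_identifier_size,
			          &provider,
			          error );

			if( result == -1 )
			{
				libcerror_error_set(
				 error,
				 LIBCERROR_ERROR_DOMAIN_RUNTIME,
				 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
				 "%s: unable to retrieve provider.",
				 function );

				goto on_error;
			}
			else if( result != 0 )
			{
				/* The provider is only needed as an existence check
				 */
				if( libfwevt_provider_free(
				     &provider,
				     error ) != 1 )
				{
					libcerror_error_set(
					 error,
					 LIBCERROR_ERROR_DOMAIN_RUNTIME,
					 LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
					 "%s: unable to free provider.",
					 function );

					goto on_error;
				}
				break;
			}
		}
	}
	if( system_split_string_free(
	     &resource_filename_split_string,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
		 "%s: unable to free resource filename split string.",
		 function );

		goto on_error;
	}
	return( result );

on_error:
	if( resource_file_path != NULL )
	{
		memory_free(
		 resource_file_path );
	}
	if( resource_filename_split_string != NULL )
	{
		system_split_string_free(
		 &resource_filename_split_string,
		 NULL );
	}
	return( -1 );
}

================================================ FILE: evtxtools/message_handle.h ================================================ /* * Message handle * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 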
*/ #if !defined( _MESSAGE_HANDLE_H ) #define _MESSAGE_HANDLE_H #include #include #include "evtxtools_libcerror.h" #include "evtxtools_libfcache.h" #include "evtxtools_libregf.h" #include "message_string.h" #include "path_handle.h" #include "registry_file.h" #include "resource_file.h" #if defined( __cplusplus ) extern "C" { #endif typedef struct message_handle message_handle_t; struct message_handle { /* The SOFTWARE registry filename */ system_character_t *software_registry_filename; /* The SOFTWARE registry filename size */ size_t software_registry_filename_size; /* The SYSTEM registry filename */ system_character_t *system_registry_filename; /* The SYSTEM registry filename size */ size_t system_registry_filename_size; /* The name of the directory containing the SOFTWARE and SYSTEM registry filename */ system_character_t *registry_directory_name; /* The size of the name of the directory containing the SOFTWARE and SYSTEM registry filename */ size_t registry_directory_name_size; /* The SOFTWARE registry file */ registry_file_t *software_registry_file; /* The %SystemRoot% path */ system_character_t *system_root_path; /* The %SystemRoot% path size */ size_t system_root_path_size; /* The %WinDir% path */ system_character_t *windows_directory_path; /* The %WinDir% path size */ size_t windows_directory_path_size; /* The SYSTEM registry file */ registry_file_t *system_registry_file; /* The path handle */ path_handle_t *path_handle; /* The current control set */ uint32_t current_control_set; /* The SOFTWARE WinEvt publishers key */ libregf_key_t *winevt_publishers_key; /* The SYSTEM (control set 1) eventlog services key */ libregf_key_t *control_set_1_eventlog_services_key; /* The SYSTEM (control set 2) eventlog services key */ libregf_key_t *control_set_2_eventlog_services_key; /* The resource files path */ const system_character_t *resource_files_path; /* The resource file cache */ libfcache_cache_t *resource_file_cache; /* The next available resource file cache index 
*/ int next_resource_file_cache_index; /* The MUI resource file cache */ libfcache_cache_t *mui_resource_file_cache; /* The next available MUI resource file cache index */ int next_mui_resource_file_cache_index; /* The ascii codepage */ int ascii_codepage; /* The preferred language identifier */ uint32_t preferred_language_identifier; }; int message_handle_initialize( message_handle_t **message_handle, libcerror_error_t **error ); int message_handle_free( message_handle_t **message_handle, libcerror_error_t **error ); int message_handle_signal_abort( message_handle_t *message_handle, libcerror_error_t **error ); int message_handle_set_ascii_codepage( message_handle_t *message_handle, int ascii_codepage, libcerror_error_t **error ); int message_handle_set_preferred_language_identifier( message_handle_t *message_handle, uint32_t preferred_language_identifier, libcerror_error_t **error ); int message_handle_set_event_log_type_from_filename( message_handle_t *message_handle, const system_character_t *filename, libcerror_error_t **error ); int message_handle_set_software_registry_filename( message_handle_t *message_handle, const system_character_t *filename, libcerror_error_t **error ); int message_handle_set_system_registry_filename( message_handle_t *message_handle, const system_character_t *filename, libcerror_error_t **error ); int message_handle_set_registry_directory_name( message_handle_t *message_handle, const system_character_t *name, libcerror_error_t **error ); int message_handle_set_resource_files_path( message_handle_t *message_handle, const system_character_t *path, libcerror_error_t **error ); int message_handle_open_software_registry_file( message_handle_t *message_handle, libcerror_error_t **error ); int message_handle_open_system_registry_file( message_handle_t *message_handle, const char *eventlog_key_name, libcerror_error_t **error ); int message_handle_open_input( message_handle_t *message_handle, const char *eventlog_key_name, libcerror_error_t 
**error ); int message_handle_close_input( message_handle_t *message_handle, libcerror_error_t **error ); int message_handle_get_value_by_event_source( message_handle_t *message_handle, const system_character_t *event_source, size_t event_source_length, const system_character_t *value_name, size_t value_name_length, system_character_t **value_string, size_t *value_string_size, libcerror_error_t **error ); int message_handle_get_value_by_provider_identifier( message_handle_t *message_handle, const system_character_t *provider_identifier, size_t provider_identifier_length, const system_character_t *value_name, size_t value_name_length, system_character_t **value_string, size_t *value_string_size, libcerror_error_t **error ); int message_handle_get_resource_file_path( message_handle_t *message_handle, const system_character_t *resource_filename, size_t resource_filename_length, const system_character_t *language_string, size_t language_string_length, system_character_t **resource_file_path, size_t *resource_file_path_size, libcerror_error_t **error ); int message_handle_get_resource_file( message_handle_t *message_handle, const system_character_t *resource_filename, size_t resource_filename_length, const system_character_t *resource_file_path, resource_file_t **resource_file, libcerror_error_t **error ); int message_handle_get_resource_file_from_cache( message_handle_t *message_handle, const system_character_t *resource_filename, size_t resource_filename_length, resource_file_t **resource_file, libcerror_error_t **error ); int message_handle_get_mui_resource_file_path( message_handle_t *message_handle, const system_character_t *resource_filename, size_t resource_filename_length, system_character_t **resource_file_path, size_t *resource_file_path_size, libcerror_error_t **error ); int message_handle_get_mui_resource_file( message_handle_t *message_handle, const system_character_t *resource_filename, size_t resource_filename_length, const system_character_t 
*resource_file_path, resource_file_t **resource_file, libcerror_error_t **error ); int message_handle_get_mui_resource_file_from_cache( message_handle_t *message_handle, const system_character_t *resource_filename, size_t resource_filename_length, resource_file_t **resource_file, libcerror_error_t **error ); int message_handle_get_message_string_from_resource_file( message_handle_t *message_handle, const system_character_t *resource_filename, size_t resource_filename_length, uint32_t message_identifier, message_string_t **message_string, libcerror_error_t **error ); int message_handle_get_message_string( message_handle_t *message_handle, const system_character_t *resource_filename, size_t resource_filename_length, uint32_t message_identifier, message_string_t **message_string, libcerror_error_t **error ); int message_handle_get_resource_file_by_provider_identifier( message_handle_t *message_handle, const system_character_t *resource_filename, size_t resource_filename_length, const uint8_t *provider_identifier, size_t provider_identifier_size, resource_file_t **resource_file, libcerror_error_t **error ); #if defined( __cplusplus ) } #endif #endif /* !defined( _MESSAGE_HANDLE_H ) */ ================================================ FILE: evtxtools/message_string.c ================================================ /* * Message string * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. 
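*
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program.  If not, see .
 */

#include
#include
#include
#include
#include
#include
#include

#include "evtxtools_libcerror.h"
#include "evtxtools_libevtx.h"
#include "evtxtools_libwrc.h"
#include "message_string.h"

/* Creates a message string
 * Make sure the value message_string is referencing, is set to NULL
 * The structure is zeroed, so string is NULL and string_size is 0 until
 * message_string_get_from_message_table_resource fills them in
 * Returns 1 if successful or -1 on error
 */
int message_string_initialize(
     message_string_t **message_string,
     uint32_t message_string_identifier,
     libcerror_error_t **error )
{
	static char *function = "message_string_initialize";

	if( message_string == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid message string.",
		 function );

		return( -1 );
	}
	if( *message_string != NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET,
		 "%s: invalid message string value already set.",
		 function );

		return( -1 );
	}
	*message_string = memory_allocate_structure(
	                   message_string_t );

	if( *message_string == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_MEMORY,
		 LIBCERROR_MEMORY_ERROR_INSUFFICIENT,
		 "%s: unable to create message string.",
		 function );

		goto on_error;
	}
	if( memory_set(
	     *message_string,
	     0,
	     sizeof( message_string_t ) ) == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_MEMORY,
		 LIBCERROR_MEMORY_ERROR_SET_FAILED,
		 "%s: unable to clear message string.",
		 function );

		/* on_error releases the allocation and resets the caller's pointer
		 */
		goto on_error;
	}
	( *message_string )->identifier = message_string_identifier;

	return( 1 );

on_error:
	if( *message_string != NULL )
	{
		memory_free(
		 *message_string );

		*message_string = NULL;
	}
	return( -1 );
}

/* Frees a message string
 * Releases the string buffer, if any, and the structure itself and
 * resets the caller's pointer to NULL
 * Returns 1 if successful or -1 on error
 */
int message_string_free(
     message_string_t **message_string,
     libcerror_error_t **error )
{
	static char *function = "message_string_free";
	int result            = 1;

	if( message_string == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid message string.",
		 function );

		return( -1 );
	}
	if( *message_string != NULL )
	{
		if( ( *message_string )->string != NULL )
		{
			memory_free(
			 ( *message_string )->string );
		}
		memory_free(
		 *message_string );

		*message_string = NULL;
	}
	return( result );
}

/* Retrieve the message string from the message table resource
 * The message is looked up by message_string->identifier
 * On 0 (not available) string stays NULL and string_size stays 0
 * Returns 1 if successful, 0 if not available or -1 on error
 */
int message_string_get_from_message_table_resource(
     message_string_t *message_string,
     libwrc_message_table_resource_t *message_table_resource,
     libcerror_error_t **error )
{
	static char *function = "message_string_get_from_message_table_resource";
	int message_index     = 0;
	int result            = 0;

	if( message_string == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid message string.",
		 function );

		return( -1 );
	}
	if( message_string->string != NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET,
		 "%s: invalid message string - string value already set.",
		 function );

		return( -1 );
	}
	result = libwrc_message_table_resource_get_index_by_identifier(
	          message_table_resource,
	          message_string->identifier,
	          &message_index,
	          error );

	if( result == -1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve message index for identifier: 0x%08" PRIx32 ".",
		 function,
		 message_string->identifier );

		goto on_error;
	}
	else if( result != 0 )
	{
		/* The size is taken from the resource and used as the allocation size
		 */
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
		result = libwrc_message_table_resource_get_utf16_string_size(
		          message_table_resource,
		          message_index,
		          &( message_string->string_size ),
		          error );
#else
		result = libwrc_message_table_resource_get_utf8_string_size(
		          message_table_resource,
		          message_index,
		          &( message_string->string_size ),
		          error );
#endif
		if( result != 1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve message: %d size.",
			 function,
			 message_index );

			goto on_error;
		}
		message_string->string = system_string_allocate(
		                          message_string->string_size );

		if( message_string->string == NULL )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_MEMORY,
			 LIBCERROR_MEMORY_ERROR_INSUFFICIENT,
			 "%s: unable to create message string.",
			 function );

			goto on_error;
		}
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
		result = libwrc_message_table_resource_get_utf16_string(
		          message_table_resource,
		          message_index,
		          (uint16_t *) message_string->string,
		          message_string->string_size,
		          error );
#else
		result = libwrc_message_table_resource_get_utf8_string(
		          message_table_resource,
		          message_index,
		          (uint8_t *) message_string->string,
		          message_string->string_size,
		          error );
#endif
		if( result != 1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve message string: %d.",
			 function,
			 message_index );

			goto on_error;
		}
	}
	return( result );

on_error:
	/* Leave the message string in its initial state so a later call
	 * does not see a partially filled buffer
	 */
	if( message_string->string != NULL )
	{
		memory_free(
		 message_string->string );

		message_string->string = NULL;
	}
	message_string->string_size = 0;

	return( -1 );
}

/* Prints the message string to a FILE stream
 *
 * The message string is walked as a message format string and the
 * following sequences are interpreted:
 *   %0 and %r          are dropped
 *   "% " %! %% %.      print the second character
 *   %b %n %t           print a space, a newline, a tab
 *   %N and %NN         (N = 1-9, optionally followed by !s!) print string
 *                      N - 1 of the record
 * Any other character after % is reported as an unsupported conversion
 * specifier. A numbered insertion for which the record has no string is
 * printed literally.
 *
 * Both the format text and the record strings are parsed input. They are
 * only ever passed as arguments to fixed format strings, never as the
 * format itself. Characters are written as-is: apart from dropping \r and
 * collapsing repeated \n no control characters are filtered from the output.
 *
 * Returns 1 if successful or -1 on error
 */
int message_string_fprint(
     message_string_t *message_string,
     libevtx_record_t *record,
     FILE *stream,
     libcerror_error_t **error )
{
	system_character_t *value_string   = NULL;
	static char *function              = "message_string_fprint";
	size_t conversion_specifier_length = 0;
	size_t message_string_length       = 0;
	size_t message_string_index        = 0;
	size_t value_string_size           = 0;
	system_character_t last_character  = 0;
	system_character_t next_character  = 0;
	int number_of_strings              = 0;
	int result                         = 0;
	int value_string_index             = 0;

	if( message_string == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid message string.",
		 function );

		return( -1 );
	}
	/* A message string that was initialized but never filled has
	 * string == NULL and string_size == 0. Without this check
	 * string_size - 1 below wraps around to the maximum size_t value
	 * and the loop reads through a NULL pointer.
	 */
	if( ( message_string->string == NULL )
	 || ( message_string->string_size == 0 ) )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
		 "%s: invalid message string - missing string value.",
		 function );

		return( -1 );
	}
	if( stream == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid stream.",
		 function );

		return( -1 );
	}
	if( libevtx_record_get_number_of_strings(
	     record,
	     &number_of_strings,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve number of strings in record.",
		 function );

		goto on_error;
	}
#if defined( HAVE_DEBUG_OUTPUT )
	fprintf(
	 stream,
	 "Message format string\t\t: %" PRIs_SYSTEM "\n",
	 message_string->string );
#endif
	fprintf(
	 stream,
	 "Message string\t\t\t: " );

	/* string_size counts the last element of the buffer, which is not printed
	 */
	message_string_length = message_string->string_size - 1;
	message_string_index  = 0;

	while( message_string_index < message_string_length )
	{
		if( ( ( message_string->string )[ message_string_index ] == (system_character_t) '%' )
		 && ( ( message_string_index + 1 ) < message_string_length ) )
		{
			next_character = ( message_string->string )[ message_string_index + 1 ];

/* TODO add support for more conversion specifiers */

			/* Ignore %0 = end of string, %r = carriage return
			 */
			if( ( next_character == (system_character_t) '0' )
			 || ( next_character == (system_character_t) 'r' ) )
			{
				message_string_index += 2;

				continue;
			}
			/* Replace "% ", %!, %% and %. by their second character
			 */
			if( ( next_character == (system_character_t) ' ' )
			 || ( next_character == (system_character_t) '!' )
			 || ( next_character == (system_character_t) '%' )
			 || ( next_character == (system_character_t) '.' ) )
			{
				last_character = next_character;

				fprintf(
				 stream,
				 "%c",
				 last_character );

				message_string_index += 2;

				continue;
			}
			/* Replace %b by a space
			 */
			if( next_character == (system_character_t) 'b' )
			{
				last_character = (system_character_t) ' ';

				fprintf(
				 stream,
				 "%c",
				 last_character );

				message_string_index += 2;

				continue;
			}
			/* Replace %n by a newline, unless one was just printed
			 */
			if( next_character == (system_character_t) 'n' )
			{
				if( last_character != (system_character_t) '\n' )
				{
					last_character = (system_character_t) '\n';

					fprintf(
					 stream,
					 "%c",
					 last_character );
				}
				message_string_index += 2;

				continue;
			}
			/* Replace %t by a tab
			 */
			if( next_character == (system_character_t) 't' )
			{
				last_character = (system_character_t) '\t';

				fprintf(
				 stream,
				 "%c",
				 last_character );

				message_string_index += 2;

				continue;
			}
			/* What remains must be a numbered insertion: %1 - %99
			 */
			if( ( next_character < (system_character_t) '1' )
			 || ( next_character > (system_character_t) '9' ) )
			{
				libcerror_error_set(
				 error,
				 LIBCERROR_ERROR_DOMAIN_RUNTIME,
				 LIBCERROR_RUNTIME_ERROR_UNSUPPORTED_VALUE,
				 "%s: unsupported conversion specifier: %" PRIs_SYSTEM ".",
				 function,
				 &( ( message_string->string )[ message_string_index ] ) );

				goto on_error;
			}
			value_string_index          = (int) next_character - (int) '0';
			conversion_specifier_length = 2;

			/* Every look-ahead below is bounded by message_string_length
			 * before the character is read
			 */
			if( ( ( message_string_index + 3 ) < message_string_length )
			 && ( ( message_string->string )[ message_string_index + 2 ] >= (system_character_t) '0' )
			 && ( ( message_string->string )[ message_string_index + 2 ] <= (system_character_t) '9' ) )
			{
				value_string_index *= 10;
				value_string_index += (int) ( message_string->string )[ message_string_index + 2 ] - (int) '0';

				conversion_specifier_length += 1;
			}
			/* Insertions are numbered from 1, record strings from 0
			 */
			value_string_index -= 1;

			/* Only the !s! format suffix is supported
			 */
			if( ( ( message_string_index + conversion_specifier_length + 3 ) < message_string_length )
			 && ( ( message_string->string )[ message_string_index + conversion_specifier_length ] == (system_character_t) '!' ) )
			{
				if( ( ( message_string->string )[ message_string_index + conversion_specifier_length + 1 ] != (system_character_t) 's' )
				 || ( ( message_string->string )[ message_string_index + conversion_specifier_length + 2 ] != (system_character_t) '!' ) )
				{
					libcerror_error_set(
					 error,
					 LIBCERROR_ERROR_DOMAIN_RUNTIME,
					 LIBCERROR_RUNTIME_ERROR_UNSUPPORTED_VALUE,
					 "%s: unsupported conversion specifier: %" PRIs_SYSTEM ".",
					 function,
					 &( ( message_string->string )[ message_string_index ] ) );

					goto on_error;
				}
				conversion_specifier_length += 3;
			}
/* TODO remove index check after user data support */
			if( value_string_index < number_of_strings )
			{
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
				result = libevtx_record_get_utf16_string_size(
				          record,
				          value_string_index,
				          &value_string_size,
				          error );
#else
				result = libevtx_record_get_utf8_string_size(
				          record,
				          value_string_index,
				          &value_string_size,
				          error );
#endif
				if( result != 1 )
				{
					libcerror_error_set(
					 error,
					 LIBCERROR_ERROR_DOMAIN_RUNTIME,
					 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
					 "%s: unable to retrieve string: %d size.",
					 function,
					 value_string_index );

					goto on_error;
				}
				if( value_string_size > 0 )
				{
					value_string = system_string_allocate(
					                value_string_size );

					if( value_string == NULL )
					{
						libcerror_error_set(
						 error,
						 LIBCERROR_ERROR_DOMAIN_MEMORY,
						 LIBCERROR_MEMORY_ERROR_INSUFFICIENT,
						 "%s: unable to create value string.",
						 function );

						goto on_error;
					}
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
					result = libevtx_record_get_utf16_string(
					          record,
					          value_string_index,
					          (uint16_t *) value_string,
					          value_string_size,
					          error );
#else
					result = libevtx_record_get_utf8_string(
					          record,
					          value_string_index,
					          (uint8_t *) value_string,
					          value_string_size,
					          error );
#endif
					if( result != 1 )
					{
						libcerror_error_set(
						 error,
						 LIBCERROR_ERROR_DOMAIN_RUNTIME,
						 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
						 "%s: unable to retrieve string: %d.",
						 function,
						 value_string_index );

						goto on_error;
					}
					/* The record string is an argument, not the format
					 */
					fprintf(
					 stream,
					 "%" PRIs_SYSTEM "",
					 value_string );

					memory_free(
					 value_string );

					value_string = NULL;

					/* NOTE(review): last_character is not updated here, so a
					 * newline that directly follows an insertion is dropped
					 * when the character printed before the insertion was a
					 * newline - confirm whether that is intended
					 */
				}
				message_string_index += conversion_specifier_length;
			}
			else
			{
				/* The record has no such string: print the specifier itself
				 */
				do
				{
					fprintf(
					 stream,
					 "%" PRIc_SYSTEM "",
					 ( message_string->string )[ message_string_index++ ] );

					conversion_specifier_length--;
				}
				while( conversion_specifier_length > 0 );

				/* Track the character that was printed last. The index has
				 * already moved past it; using the character at the index
				 * itself would make the newline collapsing below drop a
				 * newline that directly follows the specifier.
				 */
				last_character = ( message_string->string )[ message_string_index - 1 ];
			}
		}
		else
		{
			if( ( message_string->string )[ message_string_index ] != 0 )
			{
				if( ( message_string->string )[ message_string_index ] == (system_character_t) '\r' )
				{
					/* Ignore \r characters
					 */
				}
				else if( ( ( message_string->string )[ message_string_index ] == (system_character_t) '\n' )
				      && ( last_character == (system_character_t) '\n' ) )
				{
					/* Ignore multiple \n characters
					 */
				}
				else
				{
					fprintf(
					 stream,
					 "%" PRIc_SYSTEM "",
					 ( message_string->string )[ message_string_index ] );

					last_character = ( message_string->string )[ message_string_index ];
				}
			}
			message_string_index += 1;
		}
	}
	fprintf(
	 stream,
	 "\n" );

	return( 1 );

on_error:
	if( value_string != NULL )
	{
		memory_free(
		 value_string );
	}
	return( -1 );
}

================================================
FILE: evtxtools/message_string.h
================================================
/*
 * Message string
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program.  If not, see .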
*/

#if !defined( _MESSAGE_STRING_H )
#define _MESSAGE_STRING_H

#include
#include
#include

#include "evtxtools_libcerror.h"
#include "evtxtools_libevtx.h"
#include "evtxtools_libwrc.h"

#if defined( __cplusplus )
extern "C" {
#endif

typedef struct message_string message_string_t;

/* A message format string looked up by its message identifier
 */
struct message_string
{
	/* The identifier
	 * Set by message_string_initialize and used for the message table lookup
	 */
	uint32_t identifier;

	/* The string
	 * NULL until message_string_get_from_message_table_resource succeeds,
	 * released by message_string_free
	 */
	system_character_t *string;

	/* The string size
	 * Number of system characters allocated for string;
	 * message_string_fprint prints string_size - 1 characters
	 */
	size_t string_size;
};

/* Allocates a zeroed message string and stores the identifier
 * Returns 1 if successful or -1 on error
 */
int message_string_initialize(
     message_string_t **message_string,
     uint32_t message_string_identifier,
     libcerror_error_t **error );

/* Frees the string buffer and the message string
 * Returns 1 if successful or -1 on error
 */
int message_string_free(
     message_string_t **message_string,
     libcerror_error_t **error );

/* Fills string and string_size from the message table resource
 * Returns 1 if successful, 0 if not available or -1 on error
 */
int message_string_get_from_message_table_resource(
     message_string_t *message_string,
     libwrc_message_table_resource_t *message_table_resource,
     libcerror_error_t **error );

/* Prints the message string to stream, replacing numbered insertions
 * with the strings of record
 * Returns 1 if successful or -1 on error
 */
int message_string_fprint(
     message_string_t *message_string,
     libevtx_record_t *record,
     FILE *stream,
     libcerror_error_t **error );

#if defined( __cplusplus )
}
#endif

#endif /* !defined( _MESSAGE_STRING_H ) */

================================================
FILE: evtxtools/path_handle.c
================================================
/*
 * Path handle
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program.  If not, see .
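*/

#include
#include
#include
#include
#include
#include

#include "evtxtools_libcdirectory.h"
#include "evtxtools_libcerror.h"
#include "path_handle.h"

/* Creates a path handle
 * Make sure the value path_handle is referencing, is set to NULL
 * Returns 1 if successful or -1 on error
 */
int path_handle_initialize(
     path_handle_t **path_handle,
     libcerror_error_t **error )
{
	static char *function = "path_handle_initialize";

	if( path_handle == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid path handle.",
		 function );

		return( -1 );
	}
	if( *path_handle != NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET,
		 "%s: invalid path handle value already set.",
		 function );

		return( -1 );
	}
	*path_handle = memory_allocate_structure(
	                path_handle_t );

	if( *path_handle == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_MEMORY,
		 LIBCERROR_MEMORY_ERROR_INSUFFICIENT,
		 "%s: unable to create path handle.",
		 function );

		goto on_error;
	}
	if( memory_set(
	     *path_handle,
	     0,
	     sizeof( path_handle_t ) ) == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_MEMORY,
		 LIBCERROR_MEMORY_ERROR_SET_FAILED,
		 "%s: unable to clear path handle.",
		 function );

		goto on_error;
	}
	return( 1 );

on_error:
	if( *path_handle != NULL )
	{
		memory_free(
		 *path_handle );

		*path_handle = NULL;
	}
	return( -1 );
}

/* Frees a path handle
 * Releases system_root_path, if set, and the handle itself and resets
 * the caller's pointer to NULL
 * Returns 1 if successful or -1 on error
 */
int path_handle_free(
     path_handle_t **path_handle,
     libcerror_error_t **error )
{
	static char *function = "path_handle_free";
	int result            = 1;

	if( path_handle == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid path handle.",
		 function );

		return( -1 );
	}
	if( *path_handle != NULL )
	{
		if( ( *path_handle )->system_root_path != NULL )
		{
			memory_free(
			 ( *path_handle )->system_root_path );
		}
		memory_free(
		 *path_handle );

		*path_handle = NULL;
	}
	return( result );
}

/* Retrieves the name of a directory entry by name ignoring case
 * If a corresponding entry is found entry name is updated in place with
 * the spelling used by the directory
 * This function is needed to find case insensitive directory entries on a case sensitive system
 *
 * path is the directory to search, entry_name the name to look for and
 * entry_name_size its size including the last (end-of-string) element.
 * entry_name is only overwritten when the name found has exactly the same
 * length, so the write never exceeds entry_name_size - 1 characters.
 * path_length is only range checked.
 *
 * Returns 1 if successful, 0 if no corresponding entry was found or -1 on error
 */
int path_handle_get_directory_entry_name_by_name_no_case(
     path_handle_t *path_handle,
     const system_character_t *path,
     size_t path_length,
     system_character_t *entry_name,
     size_t entry_name_size,
     uint8_t entry_type,
     libcerror_error_t **error )
{
	libcdirectory_directory_t *directory             = NULL;
	libcdirectory_directory_entry_t *directory_entry = NULL;
	system_character_t *directory_entry_name         = NULL;
	static char *function                            = "path_handle_get_directory_entry_name_by_name_no_case";
	size_t directory_entry_name_length               = 0;
	int result                                       = 0;

	if( path_handle == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid path handle.",
		 function );

		return( -1 );
	}
	/* path is passed to the directory open call and formatted into an
	 * error message below, so it must not be NULL. The original checked
	 * entry_name twice and path not at all.
	 */
	if( path == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid path.",
		 function );

		return( -1 );
	}
	if( path_length > (size_t) SSIZE_MAX )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_VALUE_EXCEEDS_MAXIMUM,
		 "%s: invalid path length value exceeds maximum.",
		 function );

		return( -1 );
	}
	if( entry_name == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid entry name.",
		 function );

		return( -1 );
	}
	/* entry_name_size - 1 is used as the name length below; a size of 0
	 * would wrap around to the maximum size_t value
	 */
	if( entry_name_size == 0 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_VALUE_ZERO_OR_LESS,
		 "%s: invalid entry name size value zero or less.",
		 function );

		return( -1 );
	}
	if( entry_name_size > (size_t) SSIZE_MAX )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_VALUE_EXCEEDS_MAXIMUM,
		 "%s: invalid entry name size value exceeds maximum.",
		 function );

		return( -1 );
	}
	if( libcdirectory_directory_initialize(
	     &directory,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
		 "%s: unable to create directory.",
		 function );

		goto on_error;
	}
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
	result = libcdirectory_directory_open_wide(
	          directory,
	          path,
	          error );
#else
	result = libcdirectory_directory_open(
	          directory,
	          path,
	          error );
#endif
	if( result != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_IO,
		 LIBCERROR_IO_ERROR_OPEN_FAILED,
		 "%s: unable to open directory: %" PRIs_SYSTEM ".",
		 function,
		 path );

		goto on_error;
	}
	if( libcdirectory_directory_entry_initialize(
	     &directory_entry,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
		 "%s: unable to create directory entry.",
		 function );

		goto on_error;
	}
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
	result = libcdirectory_directory_has_entry_wide(
	          directory,
	          directory_entry,
	          entry_name,
	          entry_name_size - 1,
	          entry_type,
	          LIBCDIRECTORY_COMPARE_FLAG_NO_CASE,
	          error );
#else
	result = libcdirectory_directory_has_entry(
	          directory,
	          directory_entry,
	          entry_name,
	          entry_name_size - 1,
	          entry_type,
	          LIBCDIRECTORY_COMPARE_FLAG_NO_CASE,
	          error );
#endif
	if( result == -1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_IO,
		 LIBCERROR_IO_ERROR_GENERIC,
		 "%s: unable to determine if directory has entry: %" PRIs_SYSTEM ".",
		 function,
		 entry_name );

		goto on_error;
	}
	else if( result != 0 )
	{
		/* directory_entry_name is not freed in this function; presumably it
		 * points into directory_entry - TODO confirm
		 */
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
		result = libcdirectory_directory_entry_get_name_wide(
		          directory_entry,
		          (wchar_t **) &directory_entry_name,
		          error );
#else
		result = libcdirectory_directory_entry_get_name(
		          directory_entry,
		          (char **) &directory_entry_name,
		          error );
#endif
		if( result != 1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve directory entry name.",
			 function );

			goto on_error;
		}
		directory_entry_name_length = system_string_length(
		                               directory_entry_name );

		/* The copy below is only safe because the name found must have
		 * exactly the length of the caller's buffer minus its last element
		 */
		if( ( directory_entry_name_length + 1 ) != entry_name_size )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS,
			 "%s: entry name length value out of bounds.",
			 function );

			goto on_error;
		}
		/* Only the characters are copied, the last element of entry_name
		 * is left as the caller provided it
		 */
		if( system_string_copy(
		     entry_name,
		     directory_entry_name,
		     directory_entry_name_length ) == NULL )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_SET_FAILED,
			 "%s: unable to set entry name.",
			 function );

			goto on_error;
		}
	}
	if( libcdirectory_directory_entry_free(
	     &directory_entry,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
		 "%s: unable to free directory entry.",
		 function );

		goto on_error;
	}
	if( libcdirectory_directory_close(
	     directory,
	     error ) != 0 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_IO,
		 LIBCERROR_IO_ERROR_CLOSE_FAILED,
		 "%s: unable to close directory.",
		 function );

		goto on_error;
	}
	if( libcdirectory_directory_free(
	     &directory,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
		 "%s: unable to free directory.",
		 function );

		goto on_error;
	}
	return( result );

on_error:
	if( directory_entry != NULL )
	{
		libcdirectory_directory_entry_free(
		 &directory_entry,
		 NULL );
	}
	if( directory != NULL )
	{
		libcdirectory_directory_free(
		 &directory,
		 NULL );
	}
	return( -1 );
}

================================================
FILE: evtxtools/path_handle.h
================================================
/*
 * Path handle
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.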
See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program.  If not, see .
 */

#if !defined( _PATH_HANDLE_H )
#define _PATH_HANDLE_H

#include
#include

#include "evtxtools_libcerror.h"

#if defined( __cplusplus )
extern "C" {
#endif

typedef struct path_handle path_handle_t;

/* State used when resolving paths
 */
struct path_handle
{
	/* The %SystemRoot% path
	 * Released by path_handle_free when set
	 */
	system_character_t *system_root_path;

	/* The %SystemRoot% path size
	 */
	size_t system_root_path_size;
};

/* Allocates a zeroed path handle
 * Returns 1 if successful or -1 on error
 */
int path_handle_initialize(
     path_handle_t **path_handle,
     libcerror_error_t **error );

/* Frees the path handle and its system root path
 * Returns 1 if successful or -1 on error
 */
int path_handle_free(
     path_handle_t **path_handle,
     libcerror_error_t **error );

/* Looks up entry_name in the directory path ignoring case and, when found,
 * overwrites entry_name in place with the name as stored in the directory
 * Returns 1 if successful, 0 if no corresponding entry was found or -1 on error
 */
int path_handle_get_directory_entry_name_by_name_no_case(
     path_handle_t *path_handle,
     const system_character_t *path,
     size_t path_length,
     system_character_t *entry_name,
     size_t entry_name_size,
     uint8_t entry_type,
     libcerror_error_t **error );

#if defined( __cplusplus )
}
#endif

#endif /* !defined( _PATH_HANDLE_H ) */

================================================
FILE: evtxtools/registry_file.c
================================================
/*
 * Registry file
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program.  If not, see .
*/ #include #include #include #include #include #include #include "evtxtools_libcerror.h" #include "evtxtools_libregf.h" #include "evtxtools_wide_string.h" #include "registry_file.h" /* Creates a registry file * Make sure the value registry_file is referencing, is set to NULL * Returns 1 if successful or -1 on error */ int registry_file_initialize( registry_file_t **registry_file, libcerror_error_t **error ) { static char *function = "registry_file_initialize"; if( registry_file == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid registry file.", function ); return( -1 ); } if( *registry_file != NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET, "%s: invalid registry file value already set.", function ); return( -1 ); } *registry_file = memory_allocate_structure( registry_file_t ); if( *registry_file == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_INSUFFICIENT, "%s: unable to create registry file.", function ); goto on_error; } if( memory_set( *registry_file, 0, sizeof( registry_file_t ) ) == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_SET_FAILED, "%s: unable to clear registry file.", function ); memory_free( *registry_file ); *registry_file = NULL; return( -1 ); } if( libregf_file_initialize( &( ( *registry_file )->regf_file ), error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED, "%s: unable to initialize REGF file.", function ); goto on_error; } return( 1 ); on_error: if( *registry_file != NULL ) { memory_free( *registry_file ); *registry_file = NULL; } return( -1 ); } /* Frees a registry file * Returns 1 if successful or -1 on error */ int registry_file_free( registry_file_t **registry_file, libcerror_error_t **error ) { static char *function = "registry_file_free"; int 
result = 1; if( registry_file == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid registry file.", function ); return( -1 ); } if( *registry_file != NULL ) { if( ( *registry_file )->is_open != 0 ) { if( registry_file_close( *registry_file, error ) != 0 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_CLOSE_FAILED, "%s: unable to close registry file.", function ); result = -1; } } if( libregf_file_free( &( ( *registry_file )->regf_file ), error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED, "%s: unable to free REGF file.", function ); result = -1; } memory_free( *registry_file ); *registry_file = NULL; } return( result ); } /* Signals the registry file to abort * Returns 1 if successful or -1 on error */ int registry_file_signal_abort( registry_file_t *registry_file, libcerror_error_t **error ) { static char *function = "registry_file_signal_abort"; if( registry_file == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid registry file.", function ); return( -1 ); } if( registry_file->regf_file != NULL ) { if( libregf_file_signal_abort( registry_file->regf_file, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_SET_FAILED, "%s: unable to signal REGF file to abort.", function ); return( -1 ); } } return( 1 ); } /* Sets the ascii codepage * Returns 1 if successful or -1 on error */ int registry_file_set_ascii_codepage( registry_file_t *registry_file, int ascii_codepage, libcerror_error_t **error ) { static char *function = "registry_file_set_ascii_codepage"; if( registry_file == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid registry file.", function ); return( -1 ); } if( libregf_file_set_ascii_codepage( 
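registry_file->regf_file, ascii_codepage, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_SET_FAILED, "%s: unable to set ASCII codepage in REGF file.", function ); return( -1 ); } return( 1 ); }

/* Opens the registry file
 * Retrieves the root key, determines the base key and looks up the
 * Select\Current value and the ControlSet001 and ControlSet002 keys
 * The hive is input data: sizes and names read from it are validated
 * before they are used
 * On error every key retrieved so far is released and the key references
 * in registry_file are reset, so a failed open leaves no stale pointers
 * Returns 1 if successful or -1 on error
 */
int registry_file_open(
     registry_file_t *registry_file,
     const system_character_t *filename,
     libcerror_error_t **error )
{
	libregf_key_t *sub_key     = NULL;
	libregf_value_t *value     = NULL;
	system_character_t *name   = NULL;
	static char *function      = "registry_file_open";
	const char *sub_key_path   = NULL;
	const char *value_name     = NULL;
	size_t name_size           = 0;
	size_t sub_key_path_length = 0;
	size_t value_name_length   = 0;
	int number_of_sub_keys     = 0;
	int result                 = 0;

	if( registry_file == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid registry file.",
		 function );

		return( -1 );
	}
	if( registry_file->is_open != 0 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET,
		 "%s: invalid registry file already open.",
		 function );

		return( -1 );
	}
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
	if( libregf_file_open_wide(
	     registry_file->regf_file,
	     filename,
	     LIBREGF_OPEN_READ,
	     error ) != 1 )
#else
	if( libregf_file_open(
	     registry_file->regf_file,
	     filename,
	     LIBREGF_OPEN_READ,
	     error ) != 1 )
#endif
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_IO,
		 LIBCERROR_IO_ERROR_OPEN_FAILED,
		 "%s: unable to open REGF file.",
		 function );

		goto on_error;
	}
	if( libregf_file_get_root_key(
	     registry_file->regf_file,
	     &( registry_file->root_key ),
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve root key.",
		 function );

		goto on_error;
	}
	if( libregf_key_get_number_of_sub_keys(
	     registry_file->root_key,
	     &number_of_sub_keys,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve number of sub keys.",
		 function );

		goto on_error;
	}
	if( number_of_sub_keys == 1 )
	{
		/* A root key with a single sub key is checked against the known
		 * wrapper root key names, if it matches the sub key is the base key
		 */
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
		result = libregf_key_get_utf16_name_size(
		          registry_file->root_key,
		          &name_size,
		          error );
#else
		result = libregf_key_get_utf8_name_size(
		          registry_file->root_key,
		          &name_size,
		          error );
#endif
		if( result != 1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve root key name size.",
			 function );

			goto on_error;
		}
		/* NOTE(review): result is always 1 here, so a name size of 0 skips
		 * the name comparison and the first sub key is still used as the
		 * base key below - confirm this is intended
		 */
		if( ( result != 0 )
		 && ( name_size > 0 ) )
		{
			/* The name size originates from the hive, bound it before
			 * it is used as an allocation size
			 */
			if( ( name_size > (size_t) SSIZE_MAX )
			 || ( ( sizeof( system_character_t ) * name_size ) > (size_t) SSIZE_MAX ) )
			{
				libcerror_error_set(
				 error,
				 LIBCERROR_ERROR_DOMAIN_RUNTIME,
				 LIBCERROR_RUNTIME_ERROR_VALUE_EXCEEDS_MAXIMUM,
				 "%s: invalid name size value exceeds maximum.",
				 function );

				goto on_error;
			}
			name = system_string_allocate(
			        name_size );

			if( name == NULL )
			{
				libcerror_error_set(
				 error,
				 LIBCERROR_ERROR_DOMAIN_MEMORY,
				 LIBCERROR_MEMORY_ERROR_INSUFFICIENT,
				 "%s: unable to create name string.",
				 function );

				goto on_error;
			}
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
			result = libregf_key_get_utf16_name(
			          registry_file->root_key,
			          (uint16_t *) name,
			          name_size,
			          error );
#else
			result = libregf_key_get_utf8_name(
			          registry_file->root_key,
			          (uint8_t *) name,
			          name_size,
			          error );
#endif
			if( result != 1 )
			{
				libcerror_error_set(
				 error,
				 LIBCERROR_ERROR_DOMAIN_RUNTIME,
				 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
				 "%s: unable to retrieve root key name.",
				 function );

				goto on_error;
			}
			/* From here on result indicates if the root key name matched
			 */
			result = 0;

			/* The fixed indexes used below are only read after name_size
			 * has been compared against the exact expected size
			 */
/* TODO what about Windows NT4 */
			if( name_size == 13 )
			{
				/* Root key used by Windows 2000, XP, 2003
				 */
				if( system_string_compare_no_case(
				     name,
				     _SYSTEM_STRING( "$$$PROTO.HIV" ),
				     12 ) == 0 )
				{
					result = 1;
				}
			}
			else if( name_size == 53 )
			{
				/* Root key used by Windows Vista, 2008, 7
				 */
				if( system_string_compare_no_case(
				     name,
				     _SYSTEM_STRING( "CMI-CreateHive{" ),
				     15 ) == 0 )
				{
					if( name[ 51 ] == (system_character_t) '}' )
					{
						result = 1;
					}
				}
			}
			else if( name_size == 58 )
			{
				/* Root key used by Windows 8
				 */
				if( system_string_compare_no_case(
				     name,
				     _SYSTEM_STRING( "CsiTool-CreateHive-{" ),
				     20 ) == 0 )
				{
					if( name[ 56 ] == (system_character_t) '}' )
					{
						result = 1;
					}
				}
			}
			memory_free(
			 name );

			name = NULL;
		}
		if( result != 0 )
		{
			if( libregf_key_get_sub_key(
			     registry_file->root_key,
			     0,
			     &( registry_file->base_key ),
			     error ) != 1 )
			{
				libcerror_error_set(
				 error,
				 LIBCERROR_ERROR_DOMAIN_RUNTIME,
				 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
				 "%s: unable to retrieve base key.",
				 function );

				goto on_error;
			}
		}
	}
	else if( number_of_sub_keys > 1 )
	{
		/* The base key aliases the root key, it must not be freed separately
		 */
		registry_file->base_key = registry_file->root_key;
	}
	/* The base key is still NULL when the root key has no sub keys or its
	 * single sub key sits under an unrecognized root key name; presumably
	 * libregf rejects a NULL key here - TODO confirm
	 */
	if( libregf_key_get_number_of_sub_keys(
	     registry_file->base_key,
	     &number_of_sub_keys,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve number of sub keys.",
		 function );

		goto on_error;
	}
	/* Get the current control set from:
	 * SYSTEM\Select\Current
	 */
	sub_key_path = "Select";

	sub_key_path_length = narrow_string_length(
	                       sub_key_path );

	result = libregf_key_get_sub_key_by_utf8_path(
	          registry_file->base_key,
	          (uint8_t *) sub_key_path,
	          sub_key_path_length,
	          &sub_key,
	          error );

	if( result == -1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve sub key: %s.",
		 function,
		 sub_key_path );

		goto on_error;
	}
	else if( result != 0 )
	{
		value_name = "Current";

		value_name_length = narrow_string_length(
		                     value_name );

		result = libregf_key_get_value_by_utf8_name(
		          sub_key,
		          (uint8_t *) value_name,
		          value_name_length,
		          &value,
		          error );

		if( result == -1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve value: %s.",
			 function,
			 value_name );

			goto on_error;
		}
		else if( result != 0 )
		{
			if( libregf_value_get_value_32bit(
			     value,
			     &( registry_file->current_control_set ),
			     error ) != 1 )
			{
				libcerror_error_set(
				 error,
				 LIBCERROR_ERROR_DOMAIN_RUNTIME,
				 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
				 "%s: unable to retrieve 32-bit value: %s.",
				 function,
				 value_name );

				goto on_error;
			}
			if( libregf_value_free(
			     &value,
			     error ) != 1 )
			{
				libcerror_error_set(
				 error,
				 LIBCERROR_ERROR_DOMAIN_RUNTIME,
				 LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
				 "%s: unable to free value.",
				 function );

				goto on_error;
			}
		}
	}
	if( libregf_key_free(
	     &sub_key,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
		 "%s: unable to free sub key.",
		 function );

		goto on_error;
	}
	/* Retrieve the control set 1 key: SYSTEM\ControlSet001
	 */
	sub_key_path = "ControlSet001";

	sub_key_path_length = narrow_string_length(
	                       sub_key_path );

	result = libregf_key_get_sub_key_by_utf8_path(
	          registry_file->base_key,
	          (uint8_t *) sub_key_path,
	          sub_key_path_length,
	          &( registry_file->control_set1_key ),
	          error );

	if( result == -1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve sub key: %s.",
		 function,
		 sub_key_path );

		goto on_error;
	}
	/* Retrieve the control set 2 key: SYSTEM\ControlSet002
	 */
	sub_key_path = "ControlSet002";

	sub_key_path_length = narrow_string_length(
	                       sub_key_path );

	result = libregf_key_get_sub_key_by_utf8_path(
	          registry_file->base_key,
	          (uint8_t *) sub_key_path,
	          sub_key_path_length,
	          &( registry_file->control_set2_key ),
	          error );

	if( result == -1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve sub key: %s.",
		 function,
		 sub_key_path );

		goto on_error;
	}
	if( ( registry_file->current_control_set != 0 )
	 || ( registry_file->control_set1_key != NULL )
	 || ( registry_file->control_set2_key != NULL ) )
	{
		/* The Select\Current value is read from the hive, any value other
		 * than 1 or 2 falls back to control set 1
		 */
		if( ( registry_file->current_control_set != 1 )
		 && ( registry_file->current_control_set != 2 ) )
		{
/* TODO print debug notification */
			registry_file->current_control_set = 1;
		}
		/* The current control set key aliases control set key 1 or 2
		 * and is never freed on its own
		 */
		if( ( registry_file->current_control_set == 1 )
		 && ( registry_file->control_set1_key != NULL ) )
		{
			registry_file->current_control_set_key = registry_file->control_set1_key;
		}
		else if( ( registry_file->current_control_set == 2 )
		      && ( registry_file->control_set2_key != NULL ) )
		{
			registry_file->current_control_set_key = registry_file->control_set2_key;
		}
	}
	registry_file->is_open = 1;

	return( 1 );

on_error:
	if( value != NULL )
	{
		libregf_value_free(
		 &value,
		 NULL );
	}
	if( sub_key != NULL )
	{
		libregf_key_free(
		 &sub_key,
		 NULL );
	}
	if( registry_file->control_set2_key != NULL )
	{
		libregf_key_free(
		 &( registry_file->control_set2_key ),
		 NULL );
	}
	if( registry_file->control_set1_key != NULL )
	{
		libregf_key_free(
		 &( registry_file->control_set1_key ),
		 NULL );
	}
	if( ( registry_file->base_key != NULL )
	 && ( registry_file->base_key != registry_file->root_key ) )
	{
		libregf_key_free(
		 &( registry_file->base_key ),
		 NULL );
	}
	if( name != NULL )
	{
		memory_free(
		 name );
	}
	if( registry_file->root_key != NULL )
	{
		libregf_key_free(
		 &( registry_file->root_key ),
		 NULL );
	}
	/* The base key can alias the root key that was just released and the
	 * current control set key aliases a control set key; clear them so that
	 * a later open or key lookup cannot free or dereference a released key
	 */
	registry_file->base_key                = NULL;
	registry_file->current_control_set_key = NULL;
	registry_file->current_control_set     = 0;

	libregf_file_close(
	 registry_file->regf_file,
	 NULL );

	return( -1 );
}

/* Closes the registry file
 * Releases the control set, base and root keys, resets the aliasing key
 * references and closes the REGF file
 * A registry file that is not open is left untouched
 * Returns 0 if successful or -1 on error
 */
int registry_file_close(
     registry_file_t *registry_file,
     libcerror_error_t **error )
{
	static char *function = "registry_file_close";
	int result            = 0;

	if( registry_file == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid registry file.",
		 function );

		return( -1 );
	}
	if( registry_file->is_open != 0 )
	{
		if( registry_file->control_set2_key != NULL )
		{
			if( libregf_key_free(
			     &( registry_file->control_set2_key ),
			     error ) != 1 )
			{
				libcerror_error_set(
				 error,
				 LIBCERROR_ERROR_DOMAIN_RUNTIME,
				 LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
				 "%s: unable to free control set 2 key.",
				 function );

				result = -1;
			}
		}
		if( registry_file->control_set1_key != NULL )
		{
			if( libregf_key_free(
			     &( registry_file->control_set1_key ),
			     error ) != 1 )
			{
				libcerror_error_set(
				 error,
				 LIBCERROR_ERROR_DOMAIN_RUNTIME,
				 LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
				 "%s: unable to free control set 1 key.",
				 function );

				result = -1;
			}
		}
		/* The base key is only freed here when it does not alias the root key
		 */
		if( ( registry_file->base_key != NULL )
		 && ( registry_file->base_key != registry_file->root_key ) )
		{
			if( libregf_key_free(
			     &( registry_file->base_key ),
			     error ) != 1 )
			{
				libcerror_error_set(
				 error,
				 LIBCERROR_ERROR_DOMAIN_RUNTIME,
				 LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
				 "%s: unable to free base key.",
				 function );

				result = -1;
			}
		}
		if( registry_file->root_key != NULL )
		{
			if( libregf_key_free(
			     &( registry_file->root_key ),
			     error ) != 1 )
			{
				libcerror_error_set(
				 error,
				 LIBCERROR_ERROR_DOMAIN_RUNTIME,
				 LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
				 "%s: unable to free root key.",
				 function );

				result = -1;
			}
		}
		/* Clear the references that aliased keys released above, otherwise
		 * registry_file_get_key_by_path or a re-open would use a freed key
		 */
		registry_file->base_key                = NULL;
		registry_file->current_control_set_key = NULL;
		registry_file->current_control_set     = 0;

		if( libregf_file_close(
		     registry_file->regf_file,
		     error ) != 0 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_IO,
			 LIBCERROR_IO_ERROR_CLOSE_FAILED,
			 "%s: unable to close REGF file.",
			 function );

			result = -1;
		}
		registry_file->is_open = 0;
	}
	return( result );
}

/* Retrieves the key specified by the path * Returns 1 if successful or -1 on error */ int registry_file_get_key_by_path( registry_file_t *registry_file, const system_character_t *key_path, size_t key_path_length, libregf_key_t **key, libcerror_error_t **error ) { static char *function = "registry_file_get_key_by_path"; int result = 0; if( registry_file == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid registry file.", function ); return( -1 ); } #if defined( HAVE_WIDE_SYSTEM_CHARACTER ) result = libregf_key_get_sub_key_by_utf16_path( registry_file->base_key, (uint16_t *) key_path, key_path_length, key, error ); #else result = libregf_key_get_sub_key_by_utf8_path( registry_file->base_key, (uint8_t *) key_path, key_path_length, key, error ); #endif if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve key by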
path: %" PRIs_SYSTEM ".", function, key_path ); return( -1 ); } return( result ); } ================================================ FILE: evtxtools/registry_file.h ================================================ /* * Registry file * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . */ #if !defined( _REGISTRY_FILE_H ) #define _REGISTRY_FILE_H #include #include #include "evtxtools_libcerror.h" #include "evtxtools_libregf.h" #if defined( __cplusplus ) extern "C" { #endif /* TODO add more types */ enum REGISTRY_FILE_TYPES { REGISTRY_FILE_TYPE_NTUSER_DAT, REGISTRY_FILE_TYPE_SAM, REGISTRY_FILE_TYPE_SECURITY, REGISTRY_FILE_TYPE_SOFTWARE, REGISTRY_FILE_TYPE_SYSTEM }; typedef struct registry_file registry_file_t; struct registry_file { /* The libregf file */ libregf_file_t *regf_file; /* The registry file type */ uint8_t type; /* The libregf root key */ libregf_key_t *root_key; /* The libregf base key */ libregf_key_t *base_key; /* The current control set */ uint32_t current_control_set; /* The current control set key */ libregf_key_t *current_control_set_key; /* The control set 1 key */ libregf_key_t *control_set1_key; /* The control set 2 key */ libregf_key_t *control_set2_key; /* Value to indicate if the message file is open */ int is_open; }; int registry_file_initialize( registry_file_t **registry_file, libcerror_error_t **error 
); int registry_file_free( registry_file_t **registry_file, libcerror_error_t **error ); int registry_file_signal_abort( registry_file_t *registry_file, libcerror_error_t **error ); int registry_file_set_ascii_codepage( registry_file_t *registry_file, int ascii_codepage, libcerror_error_t **error ); int registry_file_open( registry_file_t *registry_file, const system_character_t *filename, libcerror_error_t **error ); int registry_file_close( registry_file_t *registry_file, libcerror_error_t **error ); int registry_file_get_key_by_path( registry_file_t *registry_file, const system_character_t *key_path, size_t key_path_length, libregf_key_t **key, libcerror_error_t **error ); #if defined( __cplusplus ) } #endif #endif /* !defined( _REGISTRY_FILE_H ) */ ================================================ FILE: evtxtools/resource_file.c ================================================ /* * Resource file * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #include #include #include #include #include #include #include "evtxtools_libbfio.h" #include "evtxtools_libcerror.h" #include "evtxtools_libcnotify.h" #include "evtxtools_libexe.h" #include "evtxtools_libfcache.h" #include "evtxtools_libfwevt.h" #include "evtxtools_libwrc.h" #include "message_string.h" #include "resource_file.h" /* Creates a resource file * Make sure the value resource_file is referencing, is set to NULL * Returns 1 if successful or -1 on error */ int resource_file_initialize( resource_file_t **resource_file, uint32_t preferred_language_identifier, libcerror_error_t **error ) { static char *function = "resource_file_initialize"; if( resource_file == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid resource file.", function ); return( -1 ); } if( *resource_file != NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET, "%s: invalid resource file value already set.", function ); return( -1 ); } *resource_file = memory_allocate_structure( resource_file_t ); if( *resource_file == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_INSUFFICIENT, "%s: unable to create resource file.", function ); goto on_error; } if( memory_set( *resource_file, 0, sizeof( resource_file_t ) ) == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_SET_FAILED, "%s: unable to clear resource file.", function ); memory_free( *resource_file ); *resource_file = NULL; return( -1 ); } if( libexe_file_initialize( &( ( *resource_file )->exe_file ), error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED, "%s: unable to create EXE file.", function ); goto on_error; } if( libwrc_stream_initialize( &( ( *resource_file )->resource_stream ), error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, 
LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED, "%s: unable to create resource stream.", function ); goto on_error; } if( libfcache_cache_initialize( &( ( *resource_file )->message_string_cache ), 16, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED, "%s: unable to create message string cache.", function ); goto on_error; } ( *resource_file )->preferred_language_identifier = preferred_language_identifier; return( 1 ); on_error: if( *resource_file != NULL ) { if( ( *resource_file )->resource_stream != NULL ) { libwrc_stream_free( &( ( *resource_file )->resource_stream ), NULL ); } if( ( *resource_file )->exe_file != NULL ) { libexe_file_free( &( ( *resource_file )->exe_file ), NULL ); } memory_free( *resource_file ); *resource_file = NULL; } return( -1 ); } /* Frees a resource file * Returns 1 if successful or -1 on error */ int resource_file_free( resource_file_t **resource_file, libcerror_error_t **error ) { static char *function = "resource_file_free"; int result = 1; if( resource_file == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid resource file.", function ); return( -1 ); } if( *resource_file != NULL ) { if( ( *resource_file )->is_open != 0 ) { if( resource_file_close( *resource_file, error ) != 0 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_CLOSE_FAILED, "%s: unable to close resource file.", function ); result = -1; } } if( libfcache_cache_free( &( ( *resource_file )->message_string_cache ), error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED, "%s: unable to free message string cache.", function ); result = -1; } if( libwrc_stream_free( &( ( *resource_file )->resource_stream ), error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED, "%s: unable to free resource 
stream.", function ); result = -1; } if( libexe_file_free( &( ( *resource_file )->exe_file ), error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED, "%s: unable to free EXE file.", function ); result = -1; } if( ( *resource_file )->name != NULL ) { memory_free( ( *resource_file )->name ); } memory_free( *resource_file ); *resource_file = NULL; } return( result ); } /* Opens the resource file * Returns 1 if successful or -1 on error */ int resource_file_open( resource_file_t *resource_file, const system_character_t *filename, libcerror_error_t **error ) { static char *function = "resource_file_open"; uint32_t virtual_address = 0; if( resource_file == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid resource file.", function ); return( -1 ); } if( resource_file->is_open != 0 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET, "%s: invalid resource file already open.", function ); return( -1 ); } #if defined( HAVE_WIDE_SYSTEM_CHARACTER ) if( libexe_file_open_wide( resource_file->exe_file, filename, LIBEXE_OPEN_READ, error ) != 1 ) #else if( libexe_file_open( resource_file->exe_file, filename, LIBEXE_OPEN_READ, error ) != 1 ) #endif { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_OPEN_FAILED, "%s: unable to open EXE file.", function ); goto on_error; } if( libexe_file_get_section_by_name( resource_file->exe_file, ".rsrc", 5, &( resource_file->resource_section ), error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve resource section.", function ); goto on_error; } if( libexe_section_get_virtual_address( resource_file->resource_section, &virtual_address, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: 
unable to retrieve resource section virtual adress.", function ); goto on_error; } if( libexe_section_get_data_file_io_handle( resource_file->resource_section, &( resource_file->resource_section_file_io_handle ), error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve resource section file IO handle.", function ); goto on_error; } if( libwrc_stream_set_virtual_address( resource_file->resource_stream, virtual_address, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_SET_FAILED, "%s: unable to set resource stream virtual adress.", function ); goto on_error; } if( libwrc_stream_open_file_io_handle( resource_file->resource_stream, resource_file->resource_section_file_io_handle, LIBWRC_OPEN_READ, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_OPEN_FAILED, "%s: unable to open resource stream.", function ); goto on_error; } resource_file->is_open = 1; return( 1 ); on_error: if( resource_file->resource_section_file_io_handle != NULL ) { libbfio_handle_free( &( resource_file->resource_section_file_io_handle ), NULL ); } if( resource_file->resource_section != NULL ) { libexe_section_free( &( resource_file->resource_section ), NULL ); } libexe_file_close( resource_file->exe_file, NULL ); return( -1 ); } /* Closes the resource file * Returns the 0 if succesful or -1 on error */ int resource_file_close( resource_file_t *resource_file, libcerror_error_t **error ) { static char *function = "resource_file_close"; int result = 0; if( resource_file == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid resource file.", function ); return( -1 ); } if( resource_file->is_open != 0 ) { if( libfcache_cache_empty( resource_file->message_string_cache, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, 
LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED, "%s: unable to empty message string cache.", function ); result = -1; } if( resource_file->message_table_resource != NULL ) { if( libwrc_message_table_resource_free( &( resource_file->message_table_resource ), error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED, "%s: unable to free message table resource.", function ); result = -1; } } if( resource_file->mui_resource != NULL ) { if( libwrc_mui_resource_free( &( resource_file->mui_resource ), error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED, "%s: unable to free MUI resource.", function ); result = -1; } } if( resource_file->wevt_manifest != NULL ) { if( libfwevt_manifest_free( &( resource_file->wevt_manifest ), error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED, "%s: unable to free WEVT manifest.", function ); result = -1; } } if( libwrc_stream_close( resource_file->resource_stream, error ) != 0 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_CLOSE_FAILED, "%s: unable to close resource stream.", function ); result = -1; } if( resource_file->resource_section_file_io_handle != NULL ) { if( libbfio_handle_free( &( resource_file->resource_section_file_io_handle ), error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED, "%s: unable to free resource section file IO handle.", function ); result = -1; } } if( resource_file->resource_section != NULL ) { if( libexe_section_free( &( resource_file->resource_section ), error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED, "%s: unable to free resource section.", function ); result = -1; } } if( libexe_file_close( resource_file->exe_file, error ) != 0 ) { libcerror_error_set( error, 
LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_CLOSE_FAILED, "%s: unable to close EXE file.", function ); result = -1; } resource_file->is_open = 0; } return( result ); } /* Sets the name * Returns 1 if successful or -1 error */ int resource_file_set_name( resource_file_t *resource_file, const system_character_t *name, size_t name_length, libcerror_error_t **error ) { static char *function = "resource_file_set_name"; if( resource_file == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid resource file.", function ); return( -1 ); } if( resource_file->is_open != 0 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET, "%s: invalid resource file already open.", function ); return( -1 ); } if( name == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid name.", function ); return( -1 ); } if( name_length > (size_t) SSIZE_MAX ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_VALUE_EXCEEDS_MAXIMUM, "%s: invalid name length value exceeds maximum.", function ); return( -1 ); } if( resource_file->name != NULL ) { memory_free( resource_file->name ); resource_file->name = NULL; } resource_file->name_size = name_length + 1; resource_file->name = system_string_allocate( resource_file->name_size ); if( resource_file->name == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_INSUFFICIENT, "%s: unable to create name.", function ); goto on_error; } if( system_string_copy( resource_file->name, name, name_length ) == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_COPY_FAILED, "%s: unable to copy name.", function ); goto on_error; } ( resource_file->name )[ name_length ] = 0; return( 1 ); on_error: if( resource_file->name != NULL ) { memory_free( resource_file->name 
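); resource_file->name = NULL; } resource_file->name_size = 0; return( -1 ); }

/* Retrieves a message table resource
 * Selects the sub item of the first message table resource item whose
 * identifier matches the preferred language identifier, both masked
 * with 0x000003ff, and reads it as a message table
 * The resource data originates from the opened file and its size is
 * bounded before allocation
 * Returns 1 if successful, 0 if the file has no message table resource
 * or -1 on error, which includes no sub item matching the preferred language
 */
int resource_file_get_message_table_resource(
     resource_file_t *resource_file,
     libwrc_message_table_resource_t **message_table_resource,
     libcerror_error_t **error )
{
	libwrc_message_table_resource_t *safe_message_table_resource = NULL;
	libwrc_resource_t *resource                                  = NULL;
	libwrc_resource_item_t *resource_item                        = NULL;
	libwrc_resource_item_t *resource_sub_item                    = NULL;
	uint8_t *resource_data                                       = NULL;
	static char *function                                        = "resource_file_get_message_table_resource";
	uint32_t preferred_language_identifier                       = 0;
	uint32_t resource_data_size                                  = 0;
	uint32_t resource_identifier                                 = 0;
	int number_of_resource_items                                 = 0;
	int number_of_resource_sub_items                             = 0;
	int resource_sub_item_index                                  = 0;
	int result                                                   = 0;

	if( resource_file == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid resource file.",
		 function );

		return( -1 );
	}
	if( message_table_resource == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid message table resource.",
		 function );

		return( -1 );
	}
	result = libwrc_stream_get_resource_by_type(
	          resource_file->resource_stream,
	          LIBWRC_RESOURCE_TYPE_MESSAGE_TABLE,
	          &resource,
	          error );

	if( result == -1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve message table resource.",
		 function );

		goto on_error;
	}
	else if( result == 0 )
	{
		return( 0 );
	}
	if( libwrc_resource_get_number_of_items(
	     resource,
	     &number_of_resource_items,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve number of resource items.",
		 function );

		goto on_error;
	}
	if( number_of_resource_items == 0 )
	{
		if( libwrc_resource_free(
		     &resource,
		     error ) != 1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
			 "%s: unable to free resource.",
			 function );

			goto on_error;
		}
		return( 0 );
	}
#if defined( HAVE_DEBUG_OUTPUT )
	if( number_of_resource_items != 1 )
	{
		/* The format string has a %s conversion, so the function name must
		 * be passed; without the argument the call has undefined behavior
		 */
		libcnotify_printf(
		 "%s: found more than 1 resource item.",
		 function );
	}
#endif
	/* Only the first resource item is used
	 */
	if( libwrc_resource_get_item_by_index(
	     resource,
	     0,
	     &resource_item,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve resource item: 0.",
		 function );

		goto on_error;
	}
	if( libwrc_resource_item_get_number_of_sub_items(
	     resource_item,
	     &number_of_resource_sub_items,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve number of resource sub items.",
		 function );

		goto on_error;
	}
	if( number_of_resource_sub_items < 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_UNSUPPORTED_VALUE,
		 "%s: unsupported number of resource sub items.",
		 function );

		goto on_error;
	}
	preferred_language_identifier = resource_file->preferred_language_identifier & 0x000003ffUL;

	for( resource_sub_item_index = 0;
	     resource_sub_item_index < number_of_resource_sub_items;
	     resource_sub_item_index++ )
	{
		if( libwrc_resource_item_get_sub_item_by_index(
		     resource_item,
		     resource_sub_item_index,
		     &resource_sub_item,
		     error ) != 1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve resource sub item: %d.",
			 function,
			 resource_sub_item_index );

			goto on_error;
		}
		if( libwrc_resource_item_get_identifier(
		     resource_sub_item,
		     &resource_identifier,
		     error ) != 1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve resource sub item: %d identifier.",
			 function,
			 resource_sub_item_index );

			goto on_error;
		}
		/* Keep the matching sub item, it is freed after it has been read
		 */
		if( ( resource_identifier & 0x000003ffUL ) == preferred_language_identifier )
		{
			break;
		}
		if( libwrc_resource_item_free(
		     &resource_sub_item,
		     error ) != 1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
			 "%s: unable to free resource sub item: %d.",
			 function,
			 resource_sub_item_index );

			goto on_error;
		}
	}
	/* No sub item matched the preferred language; this relies on
	 * libwrc_resource_item_free resetting the sub item to NULL - TODO confirm
	 */
	if( resource_sub_item == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
		 "%s: unable to find message table resource sub item for preferred language.",
		 function );

		goto on_error;
	}
	if( libwrc_resource_item_get_size(
	     resource_sub_item,
	     &resource_data_size,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve resource sub item: %d size.",
		 function,
		 resource_sub_item_index );

		goto on_error;
	}
	/* The size is read from the file, reject empty and oversized values
	 * before it is used as an allocation size
	 */
	if( ( resource_data_size == 0 )
	 || ( resource_data_size > MEMORY_MAXIMUM_ALLOCATION_SIZE ) )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS,
		 "%s: invalid resource sub item: %d size value out of bounds.",
		 function,
		 resource_sub_item_index );

		goto on_error;
	}
	resource_data = (uint8_t *) memory_allocate(
	                             sizeof( uint8_t ) * resource_data_size );

	if( resource_data == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_MEMORY,
		 LIBCERROR_MEMORY_ERROR_INSUFFICIENT,
		 "%s: unable to create resource data.",
		 function );

		goto on_error;
	}
	/* A short read is treated as an error, so the message table parser
	 * below only sees a completely filled buffer
	 */
	if( libwrc_resource_item_read_buffer(
	     resource_sub_item,
	     resource_data,
	     (size_t) resource_data_size,
	     error ) != (ssize_t) resource_data_size )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to read data from resource sub item: %d.",
		 function,
		 resource_sub_item_index );

		goto on_error;
	}
	if( libwrc_message_table_resource_initialize(
	     &safe_message_table_resource,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
		 "%s: unable to create message table resource.",
		 function );

		goto on_error;
	}
/* TODO add support for ascii codepage */
	if( libwrc_message_table_resource_read(
	     safe_message_table_resource,
	     resource_data,
	     (size_t) resource_data_size,
	     LIBEVTX_CODEPAGE_WINDOWS_1252,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_IO,
		 LIBCERROR_IO_ERROR_READ_FAILED,
		 "%s: unable to read message table resource.",
		 function );

		goto on_error;
	}
	memory_free(
	 resource_data );

	resource_data = NULL;

	if( libwrc_resource_item_free(
	     &resource_sub_item,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
		 "%s: unable to free resource sub item: %d.",
		 function,
		 resource_sub_item_index );

		goto on_error;
	}
	if( libwrc_resource_item_free(
	     &resource_item,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
		 "%s: unable to free resource item: 0.",
		 function );

		goto on_error;
	}
	if( libwrc_resource_free(
	     &resource,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
		 "%s: unable to free resource.",
		 function );

		goto on_error;
	}
	/* The output argument is only set once everything succeeded
	 */
	*message_table_resource = safe_message_table_resource;

	return( 1 );

on_error:
	if( safe_message_table_resource != NULL )
	{
		libwrc_message_table_resource_free(
		 &safe_message_table_resource,
		 NULL );
	}
	if( resource_data != NULL )
	{
		memory_free(
		 resource_data );
	}
	if( resource_sub_item != NULL )
	{
		libwrc_resource_item_free(
		 &resource_sub_item,
		 NULL );
	}
	if( resource_item != NULL )
	{
		libwrc_resource_item_free(
		 &resource_item,
		 NULL );
	}
	if( resource != NULL )
	{
		libwrc_resource_free(
		 &resource,
		 NULL );
	}
	return( -1 );
}

/* Retrieves a message string from the cache * Returns 1 if successful, 0 if not available or -1 error */ int resource_file_get_message_string_from_cache( resource_file_t *resource_file, uint32_t message_string_identifier, message_string_t **message_string, libcerror_error_t **error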
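 )
{
	libfcache_cache_value_t *cache_value = NULL;
	message_string_t *cached_message_string = NULL;
	static char *function = "resource_file_get_message_string_from_cache";
	int cache_index = 0;
	int result = 0;

	if( resource_file == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid resource file.", function );

		return( -1 );
	}
	if( message_string == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid message string.", function );

		return( -1 );
	}
	/* Linear scan over the 16 cache slots
	 * NOTE(review): 16 presumably matches the size the cache was created
	 * with, that call is not visible here - confirm
	 */
	for( cache_index = 0;
	     cache_index < 16;
	     cache_index++ )
	{
		if( libfcache_cache_get_value_by_index(
		     resource_file->message_string_cache, cache_index, &cache_value, error ) != 1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve cache value: %d.", function, cache_index );

			return( -1 );
		}
		/* Start every slot from NULL. Comparing through *message_string
		 * directly would dereference whatever the caller passed in, which
		 * may be uninitialized, when the slot is empty.
		 */
		cached_message_string = NULL;

		if( cache_value != NULL )
		{
			if( libfcache_cache_value_get_value(
			     cache_value, (intptr_t **) &cached_message_string, error ) != 1 )
			{
				libcerror_error_set(
				 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
				 "%s: unable to retrieve message string from cache value: %d.", function, cache_index );

				return( -1 );
			}
		}
		if( ( cached_message_string != NULL )
		 && ( message_string_identifier == cached_message_string->identifier ) )
		{
			*message_string = cached_message_string;

			result = 1;

			break;
		}
	}
	if( result == 0 )
	{
		*message_string = NULL;
	}
	return( result );
}

/* Retrieves a specific message string
 *
 * The message table resource is loaded on first use and kept in the resource
 * file. The string is looked up in the message string cache first; on a miss
 * it is read from the message table resource and stored in the next cache
 * slot, where slots are reused round-robin over 16 entries.
 *
 * The cache entry is stored with the managed flag and message_string_free,
 * so the returned *message_string must not be freed by the caller.
 * NOTE(review): the entry is presumably freed when its slot is reused, so the
 * pointer should not be kept across later lookups - confirm against libfcache.
 *
 * Returns 1 if successful, 0 if no such message string or -1 error
 */
int resource_file_get_message_string(
     resource_file_t *resource_file,
     uint32_t message_string_identifier,
     message_string_t **message_string,
     libcerror_error_t **error )
{
	message_string_t *safe_message_string = NULL;
	static char *function = "resource_file_get_message_string";
	int64_t timestamp = 0;
	int result = 0;

	if( resource_file == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid resource file.", function );

		return( -1 );
	}
	if( message_string == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid message string.", function );

		return( -1 );
	}
	if( resource_file->message_table_resource == NULL )
	{
		result = resource_file_get_message_table_resource(
		          resource_file, &( resource_file->message_table_resource ), error );

		if( result == -1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve message table resource.", function );

			goto on_error;
		}
		else if( result == 0 )
		{
			return( 0 );
		}
	}
	result = resource_file_get_message_string_from_cache(
	          resource_file, message_string_identifier, message_string, error );

	if( result == -1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve message string from cache.", function );

		goto on_error;
	}
	else if( result == 0 )
	{
		/* Cache miss: read the string from the message table resource
		 */
		if( message_string_initialize(
		     &safe_message_string, message_string_identifier, error ) != 1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
			 "%s: unable to create message string.", function );

			goto on_error;
		}
		result = message_string_get_from_message_table_resource(
		          safe_message_string, resource_file->message_table_resource, error );

		if( result == -1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve message string: 0x%08" PRIx32 ".", function, message_string_identifier );

			goto on_error;
		}
		else if( result != 0 )
		{
			/* The address of the local timestamp is passed here
			 */
			if( libfcache_date_time_get_timestamp(
			     &timestamp, error ) != 1 )
			{
				libcerror_error_set(
				 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
				 "%s: unable to retrieve cache timestamp.", function );

				goto on_error;
			}
			if( libfcache_cache_set_value_by_index(
			     resource_file->message_string_cache,
			     resource_file->next_message_string_cache_index,
			     0,
			     resource_file->next_message_string_cache_index,
			     timestamp,
			     (intptr_t *) safe_message_string,
			     (int (*)(intptr_t **, libcerror_error_t **)) &message_string_free,
			     LIBFCACHE_CACHE_VALUE_FLAG_MANAGED,
			     error ) != 1 )
			{
				libcerror_error_set(
				 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_SET_FAILED,
				 "%s: unable to set message string in cache entry: %d.", function, resource_file->next_message_string_cache_index );

				goto on_error;
			}
			/* Advance the round-robin slot index and wrap after 16 entries
			 */
			resource_file->next_message_string_cache_index++;

			if( resource_file->next_message_string_cache_index == 16 )
			{
				resource_file->next_message_string_cache_index = 0;
			}
			/* The cache now holds the string, clear the local pointer so it
			 * is not freed below or in on_error
			 */
			*message_string = safe_message_string;

			safe_message_string = NULL;
		}
		if( safe_message_string != NULL )
		{
			/* Not found in the message table: discard the empty string
			 */
			if( message_string_free( &safe_message_string, error ) != 1 )
			{
				libcerror_error_set(
				 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
				 "%s: unable to free message string.", function );

				goto on_error;
			}
		}
	}
	return( result );

on_error:
	if( safe_message_string != NULL )
	{
		message_string_free( &safe_message_string, NULL );
	}
	return( -1 );
}

/* Retrieves a MUI resource
 * Returns 1 if successful, 0 if not available or -1 error
 */
int resource_file_get_mui_resource(
     resource_file_t *resource_file,
     libwrc_mui_resource_t **mui_resource,
     libcerror_error_t **error )
{
	libwrc_mui_resource_t *safe_mui_resource = NULL;
	libwrc_resource_t *resource = NULL;
	libwrc_resource_item_t *resource_item = NULL;
	libwrc_resource_item_t *resource_sub_item = NULL;
	uint8_t *resource_data = NULL;
	static char *function = "resource_file_get_mui_resource";
	uint32_t preferred_language_identifier = 0;
	uint32_t resource_data_size = 0;
	uint32_t resource_identifier = 0;
	int number_of_resource_items = 0;
	int number_of_resource_sub_items = 0;
	int resource_sub_item_index = 0;
	int result = 0;

	if( resource_file == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid resource file.", function );

		return( -1 );
	}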
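	if( mui_resource == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid MUI resource.", function );

		return( -1 );
	}
	/* The MUI resource is looked up by its 3 character name
	 */
	result = libwrc_stream_get_resource_by_utf8_name(
	          resource_file->resource_stream,
	          (uint8_t *) "MUI",
	          3,
	          &resource,
	          error );

	if( result == -1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve MUI resource.", function );

		goto on_error;
	}
	else if( result == 0 )
	{
		return( 0 );
	}
	if( libwrc_resource_get_number_of_items(
	     resource, &number_of_resource_items, error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve number of resource items.", function );

		goto on_error;
	}
	if( number_of_resource_items == 0 )
	{
		if( libwrc_resource_free( &resource, error ) != 1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
			 "%s: unable to free resource.", function );

			goto on_error;
		}
		return( 0 );
	}
#if defined( HAVE_DEBUG_OUTPUT )
	if( number_of_resource_items != 1 )
	{
		/* The format string has a %s conversion, so the function name must be
		 * passed; calling it without the argument is undefined behavior.
		 */
		libcnotify_printf(
		 "%s: found more than 1 resource item.", function );
	}
#endif
	/* Only the first resource item is used, any additional items are ignored
	 */
	if( libwrc_resource_get_item_by_index(
	     resource, 0, &resource_item, error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve resource item: 0.", function );

		goto on_error;
	}
	if( libwrc_resource_item_get_number_of_sub_items(
	     resource_item, &number_of_resource_sub_items, error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve number of resource sub items.", function );

		goto on_error;
	}
	if( number_of_resource_sub_items < 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_UNSUPPORTED_VALUE,
		 "%s: unsupported number of resource sub items.", function );

		goto on_error;
	}
	/* 0x3ff keeps the low 10 bits, which in a Windows language identifier
	 * hold the primary language, so sub language variants compare equal
	 */
	preferred_language_identifier = resource_file->preferred_language_identifier & 0x000003ffUL;

	for( resource_sub_item_index = 0;
	     resource_sub_item_index < number_of_resource_sub_items;
	     resource_sub_item_index++ )
	{
		if( libwrc_resource_item_get_sub_item_by_index(
		     resource_item, resource_sub_item_index, &resource_sub_item, error ) != 1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve resource sub item: %d.", function, resource_sub_item_index );

			goto on_error;
		}
		if( libwrc_resource_item_get_identifier(
		     resource_sub_item, &resource_identifier, error ) != 1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve resource sub item: %d identifier.", function, resource_sub_item_index );

			goto on_error;
		}
		if( ( resource_identifier & 0x000003ffUL ) == preferred_language_identifier )
		{
			break;
		}
		/* Not the preferred language: release the sub item. The check after
		 * the loop relies on the free function resetting the pointer to NULL.
		 */
		if( libwrc_resource_item_free( &resource_sub_item, error ) != 1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
			 "%s: unable to free resource sub item: %d.", function, resource_sub_item_index );

			goto on_error;
		}
	}
	if( resource_sub_item == NULL )
	{
		/* No sub item matched the preferred language
		 */
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
		 "%s: unable to retrieve MUI data from resource.", function );

		goto on_error;
	}
	if( libwrc_resource_item_get_size(
	     resource_sub_item, &resource_data_size, error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve resource sub item: %d size.", function, resource_sub_item_index );

		goto on_error;
	}
	/* The size comes from the resource sub item, i.e. from the file being
	 * examined, so it is bounded before it is used as an allocation size
	 */
	if( ( resource_data_size == 0 )
	 || ( resource_data_size > MEMORY_MAXIMUM_ALLOCATION_SIZE ) )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS,
		 "%s: invalid resource sub item: %d size value out of bounds.", function, resource_sub_item_index );

		goto on_error;
	}
	resource_data = (uint8_t *) memory_allocate(
	                             sizeof( uint8_t ) * resource_data_size );

	if( resource_data == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_INSUFFICIENT,
		 "%s: unable to create resource data.", function );

		goto on_error;
	}
	/* A short read is an error, so the parser below never sees a partially
	 * filled buffer
	 */
	if( libwrc_resource_item_read_buffer(
	     resource_sub_item, resource_data, (size_t) resource_data_size, error ) != (ssize_t) resource_data_size )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to read data from resource sub item: %d.", function, resource_sub_item_index );

		goto on_error;
	}
	if( libwrc_mui_resource_initialize(
	     &safe_mui_resource, error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
		 "%s: unable to create MUI resource.", function );

		goto on_error;
	}
	if( libwrc_mui_resource_read(
	     safe_mui_resource, resource_data, (size_t) resource_data_size, error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_READ_FAILED,
		 "%s: unable to read MUI resource.", function );

		goto on_error;
	}
	/* Reset the pointer after freeing so on_error cannot free it again
	 */
	memory_free(
	 resource_data );

	resource_data = NULL;

	if( libwrc_resource_item_free( &resource_sub_item, error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
		 "%s: unable to free resource sub item: %d.", function, resource_sub_item_index );

		goto on_error;
	}
	if( libwrc_resource_item_free( &resource_item, error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
		 "%s: unable to free resource item: 0.", function );

		goto on_error;
	}
	if( libwrc_resource_free( &resource, error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
		 "%s: unable to free resource.", function );

		goto on_error;
	}
	/* The output is only set once everything succeeded
	 */
	*mui_resource = safe_mui_resource;

	return( 1 );

on_error:
	if( safe_mui_resource != NULL )
	{
		libwrc_mui_resource_free( &safe_mui_resource, NULL );
	}
	if( resource_data != NULL )
	{
		memory_free(
		 resource_data );
	}
	if( resource_sub_item != NULL )
	{
		libwrc_resource_item_free( &resource_sub_item, NULL );
	}
	if( resource_item != NULL )
	{
		libwrc_resource_item_free( &resource_item, NULL );
	}
	if( resource != NULL )
	{
		libwrc_resource_free( &resource, NULL );
	}
	return( -1 );
}

/* Retrieves the MUI file type
 * The MUI resource is loaded on first use and kept in the resource file
 * Returns 1 if successful, 0 if not available or -1 error
 */
int resource_file_get_mui_file_type(
     resource_file_t *resource_file,
     uint32_t *file_type,
     libcerror_error_t **error )
{
	static char *function = "resource_file_get_mui_file_type";
	int result = 0;

	if( resource_file == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid resource file.", function );

		return( -1 );
	}
	if( resource_file->mui_resource == NULL )
	{
		result = resource_file_get_mui_resource(
		          resource_file, &( resource_file->mui_resource ), error );

		if( result == -1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve MUI resource.", function );
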
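			return( -1 );
		}
		else if( result == 0 )
		{
			return( 0 );
		}
	}
	if( libwrc_mui_resource_get_file_type(
	     resource_file->mui_resource, file_type, error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve file type.", function );

		return( -1 );
	}
	return( 1 );
}

/* Retrieves the WEVT instrumentation manifest from a WEVT_TEMPLATE resource
 *
 * Looks up the WEVT_TEMPLATE resource by name, takes its first item and
 * selects the first sub item whose identifier matches the preferred language
 * identifier in the low 10 bits. The sub item data is read into a temporary
 * buffer and parsed into a manifest.
 *
 * On success *wevt_manifest is set to a newly created manifest, this function
 * does not free it.
 *
 * Note that a resource that has sub items but none for the preferred language
 * is reported as an error (-1), not as "not available" (0).
 *
 * Returns 1 if successful, 0 if not available or -1 error
 */
int resource_file_get_wevt_manifest(
     resource_file_t *resource_file,
     libfwevt_manifest_t **wevt_manifest,
     libcerror_error_t **error )
{
	libfwevt_manifest_t *safe_wevt_manifest = NULL;
	libwrc_resource_t *resource = NULL;
	libwrc_resource_item_t *resource_item = NULL;
	libwrc_resource_item_t *resource_sub_item = NULL;
	uint8_t *resource_data = NULL;
	static char *function = "resource_file_get_wevt_manifest";
	uint32_t preferred_language_identifier = 0;
	uint32_t resource_data_size = 0;
	uint32_t resource_identifier = 0;
	int number_of_resource_items = 0;
	int number_of_resource_sub_items = 0;
	int resource_sub_item_index = 0;
	int result = 0;

	if( resource_file == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid resource file.", function );

		return( -1 );
	}
	if( wevt_manifest == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid WEVT manifest.", function );

		return( -1 );
	}
	/* The resource is looked up by its 13 character name
	 */
	result = libwrc_stream_get_resource_by_utf8_name(
	          resource_file->resource_stream,
	          (uint8_t *) "WEVT_TEMPLATE",
	          13,
	          &resource,
	          error );

	if( result == -1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve WEVT_TEMPLATE resource.", function );

		goto on_error;
	}
	else if( result == 0 )
	{
		return( 0 );
	}
	if( libwrc_resource_get_number_of_items(
	     resource, &number_of_resource_items, error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve number of resource items.", function );

		goto on_error;
	}
	if( number_of_resource_items == 0 )
	{
		if( libwrc_resource_free( &resource, error ) != 1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
			 "%s: unable to free resource.", function );

			goto on_error;
		}
		return( 0 );
	}
#if defined( HAVE_DEBUG_OUTPUT )
	if( number_of_resource_items != 1 )
	{
		/* The format string has a %s conversion, so the function name must be
		 * passed; calling it without the argument is undefined behavior.
		 */
		libcnotify_printf(
		 "%s: found more than 1 resource item.", function );
	}
#endif
	/* Only the first resource item is used, any additional items are ignored
	 */
	if( libwrc_resource_get_item_by_index(
	     resource, 0, &resource_item, error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve resource item: 0.", function );

		goto on_error;
	}
	if( libwrc_resource_item_get_number_of_sub_items(
	     resource_item, &number_of_resource_sub_items, error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve number of resource sub items.", function );

		goto on_error;
	}
	if( number_of_resource_sub_items < 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_UNSUPPORTED_VALUE,
		 "%s: unsupported number of resource sub items.", function );

		goto on_error;
	}
	/* 0x3ff keeps the low 10 bits, which in a Windows language identifier
	 * hold the primary language, so sub language variants compare equal
	 */
	preferred_language_identifier = resource_file->preferred_language_identifier & 0x000003ffUL;

	for( resource_sub_item_index = 0;
	     resource_sub_item_index < number_of_resource_sub_items;
	     resource_sub_item_index++ )
	{
		if( libwrc_resource_item_get_sub_item_by_index(
		     resource_item, resource_sub_item_index, &resource_sub_item, error ) != 1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve resource sub item: %d.", function, resource_sub_item_index );

			goto on_error;
		}
		if( libwrc_resource_item_get_identifier(
		     resource_sub_item, &resource_identifier, error ) != 1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve resource sub item: %d identifier.", function, resource_sub_item_index );

			goto on_error;
		}
		if( ( resource_identifier & 0x000003ffUL ) == preferred_language_identifier )
		{
			break;
		}
		/* Not the preferred language: release the sub item. The check after
		 * the loop relies on the free function resetting the pointer to NULL.
		 */
		if( libwrc_resource_item_free( &resource_sub_item, error ) != 1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
			 "%s: unable to free resource sub item: %d.", function, resource_sub_item_index );

			goto on_error;
		}
	}
	if( resource_sub_item == NULL )
	{
		/* No sub item matched the preferred language
		 */
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
		 "%s: unable to retrieve instrumentation manifest from resource.", function );

		goto on_error;
	}
	if( libwrc_resource_item_get_size(
	     resource_sub_item, &resource_data_size, error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve resource sub item: %d size.", function, resource_sub_item_index );

		goto on_error;
	}
	/* The size comes from the resource sub item, i.e. from the file being
	 * examined, so it is bounded before it is used as an allocation size
	 */
	if( ( resource_data_size == 0 )
	 || ( resource_data_size > MEMORY_MAXIMUM_ALLOCATION_SIZE ) )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS,
		 "%s: invalid resource sub item: %d size value out of bounds.", function, resource_sub_item_index );

		goto on_error;
	}
	resource_data = (uint8_t *) memory_allocate(
	                             sizeof( uint8_t ) * resource_data_size );

	if( resource_data == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_INSUFFICIENT,
		 "%s: unable to create resource data.", function );

		goto on_error;
	}
	/* A short read is an error, so the parser below never sees a partially
	 * filled buffer
	 */
	if( libwrc_resource_item_read_buffer(
	     resource_sub_item, resource_data, (size_t) resource_data_size, error ) != (ssize_t) resource_data_size )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to read data from resource sub item: %d.", function, resource_sub_item_index );

		goto on_error;
	}
	if( libfwevt_manifest_initialize(
	     &safe_wevt_manifest, error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
		 "%s: unable to create WEVT manifest.", function );

		goto on_error;
	}
	if( libfwevt_manifest_read(
	     safe_wevt_manifest, resource_data, (size_t) resource_data_size, error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_READ_FAILED,
		 "%s: unable to read WEVT manifest.", function );

		goto on_error;
	}
	/* Reset the pointer after freeing so on_error cannot free it again
	 */
	memory_free(
	 resource_data );

	resource_data = NULL;

	if( libwrc_resource_item_free( &resource_sub_item, error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
		 "%s: unable to free resource sub item: %d.", function, resource_sub_item_index );

		goto on_error;
	}
	if( libwrc_resource_item_free( &resource_item, error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
		 "%s: unable to free resource item: 0.", function );

		goto on_error;
	}
	if( libwrc_resource_free( &resource, error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
		 "%s: unable to free resource.", function );

		goto on_error;
	}
	/* The output is only set once everything succeeded
	 */
	*wevt_manifest = safe_wevt_manifest;

	return( 1 );

on_error:
	if( safe_wevt_manifest != NULL )
	{
		libfwevt_manifest_free( &safe_wevt_manifest, NULL );
	}
	if( resource_data != NULL )
	{
		memory_free(
		 resource_data );
	}
	if( resource_sub_item != NULL )
	{
		libwrc_resource_item_free( &resource_sub_item, NULL );
	}
	if( resource_item != NULL )
	{
		libwrc_resource_item_free( &resource_item, NULL );
	}
	if( resource != NULL )
	{
		libwrc_resource_free( &resource, NULL );
	}
	return( -1 );
}

/* Retrieves a specific provider from the WEVT_TEMPLATE resource
 * Returns 1 if successful, 0 if not available or -1 error
 */
int resource_file_get_provider(
     resource_file_t *resource_file,
     const uint8_t *provider_identifier,
     size_t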
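     provider_identifier_size,
     libfwevt_provider_t **provider,
     libcerror_error_t **error )
{
	static char *function = "resource_file_get_provider";
	int result = 0;

	if( resource_file == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid resource file.", function );

		return( -1 );
	}
	/* The WEVT manifest is loaded on first use and kept in the resource file
	 */
	if( resource_file->wevt_manifest == NULL )
	{
		result = resource_file_get_wevt_manifest(
		          resource_file, &( resource_file->wevt_manifest ), error );

		if( result == -1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve WEVT manifest.", function );

			return( -1 );
		}
		else if( result == 0 )
		{
			return( 0 );
		}
	}
	result = libfwevt_manifest_get_provider_by_identifier(
	          resource_file->wevt_manifest,
	          provider_identifier,
	          provider_identifier_size,
	          provider,
	          error );

	if( result == -1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve provider from WEVT manifest.", function );

		return( -1 );
	}
	return( result );
}

/* Retrieves a specific event from a specific provider from the WEVT_TEMPLATE resource
 *
 * The provider is looked up first; the event is only looked up when the
 * provider was found.
 * NOTE(review): when the provider is found but the event is not, 0 is
 * returned with *provider still set; whether the caller has to free it
 * depends on libfwevt ownership rules that are not visible here - confirm.
 *
 * Returns 1 if successful, 0 if not available or -1 error
 */
int resource_file_get_event(
     resource_file_t *resource_file,
     const uint8_t *provider_identifier,
     size_t provider_identifier_size,
     uint32_t event_identifier,
     libfwevt_provider_t **provider,
     libfwevt_event_t **event,
     libcerror_error_t **error )
{
	/* Use this function's own name so errors are attributed correctly
	 */
	static char *function = "resource_file_get_event";
	int result = 0;

	if( resource_file == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid resource file.", function );

		return( -1 );
	}
	if( provider == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid provider.", function );

		return( -1 );
	}
	if( event == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid event.", function );

		return( -1 );
	}
	result = resource_file_get_provider(
	          resource_file,
	          provider_identifier,
	          provider_identifier_size,
	          provider,
	          error );

	if( result == -1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve provider.", function );

		goto on_error;
	}
	else if( result != 0 )
	{
		result = libfwevt_provider_get_event_by_identifier(
		          *provider, event_identifier, event, error );

		if( result == -1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve event.", function );

			goto on_error;
		}
	}
	return( result );

on_error:
	/* The callers visible in this file pass a provider pointer that is
	 * initialized to NULL, so this only releases what was retrieved above
	 */
	if( *provider != NULL )
	{
		libfwevt_provider_free( provider, NULL );
	}
	return( -1 );
}

/* Retrieves the template definition from a specific event from a specific provider from the WEVT_TEMPLATE resource
 *
 * *provider and *event are only set when a template definition was found;
 * in every other case the provider and event retrieved here are freed.
 *
 * Returns 1 if successful, 0 if not available or -1 error
 */
int resource_file_get_template_definition(
     resource_file_t *resource_file,
     const uint8_t *provider_identifier,
     size_t provider_identifier_size,
     uint32_t event_identifier,
     libfwevt_provider_t **provider,
     libfwevt_event_t **event,
     libfwevt_template_t **template_definition,
     libcerror_error_t **error )
{
	libfwevt_event_t *safe_event = NULL;
	libfwevt_provider_t *safe_provider = NULL;
	static char *function = "resource_file_get_template_definition";
	uint32_t template_offset = 0;
	int result = 0;

	if( resource_file == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid resource file.", function );

		return( -1 );
	}
	if( provider == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid provider.", function );

		return( -1 );
	}
	if( event == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid event.", function );

		return( -1 );
	}
	result = resource_file_get_event(
	          resource_file,
	          provider_identifier,
	          provider_identifier_size,
	          event_identifier,
	          &safe_provider,
	          &safe_event,
	          error );

	if( result == -1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve event.", function );

		goto on_error;
	}
	else if( result == 0 )
	{
		return( 0 );
	}
	if( libfwevt_event_get_template_offset(
	     safe_event, &template_offset, error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve template offset.", function );

		goto on_error;
	}
	/* A template offset of 0 is treated as "no template": result stays 0
	 */
	result = 0;

	if( template_offset != 0 )
	{
		result = libfwevt_provider_get_template_by_offset(
		          safe_provider, template_offset, template_definition, error );

		if( result == -1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve template by offset.", function );

			goto on_error;
		}
		else if( result != 0 )
		{
			*provider = safe_provider;
			*event    = safe_event;
		}
	}
	if( result == 0 )
	{
		if( libfwevt_event_free( &safe_event, error ) != 1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
			 "%s: unable to free event.", function );

			goto on_error;
		}
		if( libfwevt_provider_free( &safe_provider, error ) != 1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
			 "%s: unable to free provider.", function );

			goto on_error;
		}
	}
	return( result );

on_error:
	if( safe_event != NULL )
	{
		libfwevt_event_free( &safe_event, NULL );
	}
	if( safe_provider != NULL )
	{
		libfwevt_provider_free( &safe_provider, NULL );
	}
	return( -1 );
}

/* Retrieves the message identifier from a specific event from a specific provider from the WEVT_TEMPLATE resource
 * Returns 1 if successful, 0 if not available or -1 error
 */
int resource_file_get_event_message_identifier(
     resource_file_t *resource_file,
     const uint8_t *provider_identifier,
     size_t provider_identifier_size,
     uint32_t event_identifier,
     uint32_t *message_identifier,
     libcerror_error_t **error )
{
	libfwevt_event_t *event = NULL;
	libfwevt_provider_t *provider = NULL;
	static char *function = "resource_file_get_event_message_identifier";
	int result = 0;

	if( resource_file == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid resource file.", function );

		return( -1 );
	}
	result = resource_file_get_event(
	          resource_file,
	          provider_identifier,
	          provider_identifier_size,
	          event_identifier,
	          &provider,
	          &event,
	          error );

	if( result == -1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve event.", function );

		goto on_error;
	}
	else if( result != 0 )
	{
		if( libfwevt_event_get_message_identifier(
		     event, message_identifier, error ) != 1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve message identifier.", function );

			goto on_error;
		}
		/* Only the identifier is returned, so the event and provider are
		 * released before returning
		 */
		if( libfwevt_event_free( &event, error ) != 1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
			 "%s: unable to free event.", function );

			goto on_error;
		}
		if( libfwevt_provider_free( &provider, error ) != 1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
			 "%s: unable to free provider.", function );

			goto on_error;
		}
	}
	return( result );

on_error:
	if( event != NULL )
	{
		libfwevt_event_free( &event, NULL );
	}
	if( provider != NULL )
	{
		libfwevt_provider_free( &provider, NULL );
	}
	return( -1 );
}

================================================
FILE: evtxtools/resource_file.h
================================================
/*
 * Resource file
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.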
* * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . */ #if !defined( _RESOURCE_FILE_H ) #define _RESOURCE_FILE_H #include #include #include "evtxtools_libbfio.h" #include "evtxtools_libcerror.h" #include "evtxtools_libexe.h" #include "evtxtools_libfcache.h" #include "evtxtools_libfwevt.h" #include "evtxtools_libwrc.h" #include "message_string.h" #if defined( __cplusplus ) extern "C" { #endif typedef struct resource_file resource_file_t; struct resource_file { /* The name */ system_character_t *name; /* The name size */ size_t name_size; /* The libexe file */ libexe_file_t *exe_file; /* The libexe resource (.rsrc) section */ libexe_section_t *resource_section; /* The resource (.rsrc) section file IO handle */ libbfio_handle_t *resource_section_file_io_handle; /* The libwrc resource stream */ libwrc_stream_t *resource_stream; /* The preferred language identifier */ uint32_t preferred_language_identifier; /* The message table resource */ libwrc_message_table_resource_t *message_table_resource; /* The MUI resource */ libwrc_mui_resource_t *mui_resource; /* The instrumentation manifest stored in a WEVT_TEMPLATE resource */ libfwevt_manifest_t *wevt_manifest; /* The message string cache */ libfcache_cache_t *message_string_cache; /* The next available message string cache index */ int next_message_string_cache_index; /* Value to indicate if the message file is open */ int is_open; }; int resource_file_initialize( 
resource_file_t **resource_file, uint32_t preferred_language_identifier, libcerror_error_t **error );

int resource_file_free(
     resource_file_t **resource_file,
     libcerror_error_t **error );

int resource_file_open(
     resource_file_t *resource_file,
     const system_character_t *filename,
     libcerror_error_t **error );

int resource_file_close(
     resource_file_t *resource_file,
     libcerror_error_t **error );

int resource_file_set_name(
     resource_file_t *resource_file,
     const system_character_t *name,
     size_t name_length,
     libcerror_error_t **error );

int resource_file_get_message_table_resource(
     resource_file_t *resource_file,
     libwrc_message_table_resource_t **message_table_resource,
     libcerror_error_t **error );

int resource_file_get_message_string_from_cache(
     resource_file_t *resource_file,
     uint32_t message_string_identifier,
     message_string_t **message_string,
     libcerror_error_t **error );

int resource_file_get_message_string(
     resource_file_t *resource_file,
     uint32_t message_string_identifier,
     message_string_t **message_string,
     libcerror_error_t **error );

int resource_file_get_mui_resource(
     resource_file_t *resource_file,
     libwrc_mui_resource_t **mui_resource,
     libcerror_error_t **error );

int resource_file_get_mui_file_type(
     resource_file_t *resource_file,
     uint32_t *file_type,
     libcerror_error_t **error );

int resource_file_get_wevt_manifest(
     resource_file_t *resource_file,
     libfwevt_manifest_t **wevt_manifest,
     libcerror_error_t **error );

int resource_file_get_provider(
     resource_file_t *resource_file,
     const uint8_t *provider_identifier,
     size_t provider_identifier_size,
     libfwevt_provider_t **provider,
     libcerror_error_t **error );

/* Retrieves a specific event and its provider
 * Callers in resource_file.c treat -1 as an error and 0 as not available;
 * for any other result they own *provider and *event and release them with
 * libfwevt_provider_free and libfwevt_event_free
 */
int resource_file_get_event(
     resource_file_t *resource_file,
     const uint8_t *provider_identifier,
     size_t provider_identifier_size,
     uint32_t event_identifier,
     libfwevt_provider_t **provider,
     libfwevt_event_t **event,
     libcerror_error_t **error );

int resource_file_get_template_definition( resource_file_t *resource_file, const uint8_t *provider_identifier, size_t
provider_identifier_size, uint32_t event_identifier, libfwevt_provider_t **provider, libfwevt_event_t **event, libfwevt_template_t **template_definition, libcerror_error_t **error ); int resource_file_get_event_message_identifier( resource_file_t *resource_file, const uint8_t *provider_identifier, size_t provider_identifier_size, uint32_t event_identifier, uint32_t *message_identifier, libcerror_error_t **error ); #if defined( __cplusplus ) } #endif #endif /* !defined( _RESOURCE_FILE_H ) */ ================================================ FILE: include/Makefile.am ================================================ include_HEADERS = \ libevtx.h pkginclude_HEADERS = \ libevtx/codepage.h \ libevtx/definitions.h \ libevtx/error.h \ libevtx/extern.h \ libevtx/features.h \ libevtx/types.h EXTRA_DIST = \ libevtx.h.in \ libevtx/definitions.h.in \ libevtx/features.h.in \ libevtx/types.h.in DISTCLEANFILES = \ libevtx.h \ libevtx/definitions.h \ libevtx/features.h \ libevtx/types.h \ Makefile \ Makefile.in ================================================ FILE: include/libevtx/codepage.h ================================================ /* * Codepage definitions for libevtx * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #if !defined( _LIBEVTX_CODEPAGE_H ) #define _LIBEVTX_CODEPAGE_H #include #if defined( __cplusplus ) extern "C" { #endif /* The codepage definitions */ enum LIBEVTX_CODEPAGES { LIBEVTX_CODEPAGE_ASCII = 20127, LIBEVTX_CODEPAGE_ISO_8859_1 = 28591, LIBEVTX_CODEPAGE_ISO_8859_2 = 28592, LIBEVTX_CODEPAGE_ISO_8859_3 = 28593, LIBEVTX_CODEPAGE_ISO_8859_4 = 28594, LIBEVTX_CODEPAGE_ISO_8859_5 = 28595, LIBEVTX_CODEPAGE_ISO_8859_6 = 28596, LIBEVTX_CODEPAGE_ISO_8859_7 = 28597, LIBEVTX_CODEPAGE_ISO_8859_8 = 28598, LIBEVTX_CODEPAGE_ISO_8859_9 = 28599, LIBEVTX_CODEPAGE_ISO_8859_10 = 28600, LIBEVTX_CODEPAGE_ISO_8859_11 = 28601, LIBEVTX_CODEPAGE_ISO_8859_13 = 28603, LIBEVTX_CODEPAGE_ISO_8859_14 = 28604, LIBEVTX_CODEPAGE_ISO_8859_15 = 28605, LIBEVTX_CODEPAGE_ISO_8859_16 = 28606, LIBEVTX_CODEPAGE_KOI8_R = 20866, LIBEVTX_CODEPAGE_KOI8_U = 21866, LIBEVTX_CODEPAGE_WINDOWS_874 = 874, LIBEVTX_CODEPAGE_WINDOWS_932 = 932, LIBEVTX_CODEPAGE_WINDOWS_936 = 936, LIBEVTX_CODEPAGE_WINDOWS_949 = 949, LIBEVTX_CODEPAGE_WINDOWS_950 = 950, LIBEVTX_CODEPAGE_WINDOWS_1250 = 1250, LIBEVTX_CODEPAGE_WINDOWS_1251 = 1251, LIBEVTX_CODEPAGE_WINDOWS_1252 = 1252, LIBEVTX_CODEPAGE_WINDOWS_1253 = 1253, LIBEVTX_CODEPAGE_WINDOWS_1254 = 1254, LIBEVTX_CODEPAGE_WINDOWS_1255 = 1255, LIBEVTX_CODEPAGE_WINDOWS_1256 = 1256, LIBEVTX_CODEPAGE_WINDOWS_1257 = 1257, LIBEVTX_CODEPAGE_WINDOWS_1258 = 1258 }; #define LIBEVTX_CODEPAGE_US_ASCII LIBEVTX_CODEPAGE_ASCII #define LIBEVTX_CODEPAGE_ISO_WESTERN_EUROPEAN LIBEVTX_CODEPAGE_ISO_8859_1 #define LIBEVTX_CODEPAGE_ISO_CENTRAL_EUROPEAN LIBEVTX_CODEPAGE_ISO_8859_2 #define LIBEVTX_CODEPAGE_ISO_SOUTH_EUROPEAN LIBEVTX_CODEPAGE_ISO_8859_3 #define LIBEVTX_CODEPAGE_ISO_NORTH_EUROPEAN LIBEVTX_CODEPAGE_ISO_8859_4 #define LIBEVTX_CODEPAGE_ISO_CYRILLIC LIBEVTX_CODEPAGE_ISO_8859_5 #define LIBEVTX_CODEPAGE_ISO_ARABIC LIBEVTX_CODEPAGE_ISO_8859_6 #define LIBEVTX_CODEPAGE_ISO_GREEK LIBEVTX_CODEPAGE_ISO_8859_7 #define LIBEVTX_CODEPAGE_ISO_HEBREW LIBEVTX_CODEPAGE_ISO_8859_8 #define 
LIBEVTX_CODEPAGE_ISO_TURKISH LIBEVTX_CODEPAGE_ISO_8859_9 #define LIBEVTX_CODEPAGE_ISO_NORDIC LIBEVTX_CODEPAGE_ISO_8859_10 #define LIBEVTX_CODEPAGE_ISO_THAI LIBEVTX_CODEPAGE_ISO_8859_11 #define LIBEVTX_CODEPAGE_ISO_BALTIC LIBEVTX_CODEPAGE_ISO_8859_13 #define LIBEVTX_CODEPAGE_ISO_CELTIC LIBEVTX_CODEPAGE_ISO_8859_14 #define LIBEVTX_CODEPAGE_ISO_LATIN_1 LIBEVTX_CODEPAGE_ISO_8859_1 #define LIBEVTX_CODEPAGE_ISO_LATIN_2 LIBEVTX_CODEPAGE_ISO_8859_2 #define LIBEVTX_CODEPAGE_ISO_LATIN_3 LIBEVTX_CODEPAGE_ISO_8859_3 #define LIBEVTX_CODEPAGE_ISO_LATIN_4 LIBEVTX_CODEPAGE_ISO_8859_4 #define LIBEVTX_CODEPAGE_ISO_LATIN_5 LIBEVTX_CODEPAGE_ISO_8859_9 #define LIBEVTX_CODEPAGE_ISO_LATIN_6 LIBEVTX_CODEPAGE_ISO_8859_10 #define LIBEVTX_CODEPAGE_ISO_LATIN_7 LIBEVTX_CODEPAGE_ISO_8859_13 #define LIBEVTX_CODEPAGE_ISO_LATIN_8 LIBEVTX_CODEPAGE_ISO_8859_14 #define LIBEVTX_CODEPAGE_ISO_LATIN_9 LIBEVTX_CODEPAGE_ISO_8859_15 #define LIBEVTX_CODEPAGE_ISO_LATIN_10 LIBEVTX_CODEPAGE_ISO_8859_16 #define LIBEVTX_CODEPAGE_KOI8_RUSSIAN LIBEVTX_CODEPAGE_KOI8_R #define LIBEVTX_CODEPAGE_KOI8_UKRAINIAN LIBEVTX_CODEPAGE_KOI8_U #define LIBEVTX_CODEPAGE_WINDOWS_THAI LIBEVTX_CODEPAGE_WINDOWS_874 #define LIBEVTX_CODEPAGE_WINDOWS_JAPANESE LIBEVTX_CODEPAGE_WINDOWS_932 #define LIBEVTX_CODEPAGE_WINDOWS_CHINESE_SIMPLIFIED LIBEVTX_CODEPAGE_WINDOWS_936 #define LIBEVTX_CODEPAGE_WINDOWS_KOREAN LIBEVTX_CODEPAGE_WINDOWS_949 #define LIBEVTX_CODEPAGE_WINDOWS_CHINESE_TRADITIONAL LIBEVTX_CODEPAGE_WINDOWS_950 #define LIBEVTX_CODEPAGE_WINDOWS_CENTRAL_EUROPEAN LIBEVTX_CODEPAGE_WINDOWS_1250 #define LIBEVTX_CODEPAGE_WINDOWS_CYRILLIC LIBEVTX_CODEPAGE_WINDOWS_1251 #define LIBEVTX_CODEPAGE_WINDOWS_WESTERN_EUROPEAN LIBEVTX_CODEPAGE_WINDOWS_1252 #define LIBEVTX_CODEPAGE_WINDOWS_GREEK LIBEVTX_CODEPAGE_WINDOWS_1253 #define LIBEVTX_CODEPAGE_WINDOWS_TURKISH LIBEVTX_CODEPAGE_WINDOWS_1254 #define LIBEVTX_CODEPAGE_WINDOWS_HEBREW LIBEVTX_CODEPAGE_WINDOWS_1255 #define LIBEVTX_CODEPAGE_WINDOWS_ARABIC LIBEVTX_CODEPAGE_WINDOWS_1256 #define 
LIBEVTX_CODEPAGE_WINDOWS_BALTIC LIBEVTX_CODEPAGE_WINDOWS_1257 #define LIBEVTX_CODEPAGE_WINDOWS_VIETNAMESE LIBEVTX_CODEPAGE_WINDOWS_1258 #if defined( __cplusplus ) } #endif #endif /* !defined( _LIBEVTX_CODEPAGE_H ) */ ================================================ FILE: include/libevtx/definitions.h.in ================================================ /* * Definitions for libevtx * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #if !defined( _LIBEVTX_DEFINITIONS_H ) #define _LIBEVTX_DEFINITIONS_H #include #define LIBEVTX_VERSION @VERSION@ /* The version string */ #define LIBEVTX_VERSION_STRING "@VERSION@" /* The access flags definitions * bit 1 set to 1 for read access * bit 2 set to 1 for write access * bit 3-8 not used */ enum LIBEVTX_ACCESS_FLAGS { LIBEVTX_ACCESS_FLAG_READ = 0x01, /* Reserved: not supported yet */ LIBEVTX_ACCESS_FLAG_WRITE = 0x02 }; /* The file access macros */ #define LIBEVTX_OPEN_READ ( LIBEVTX_ACCESS_FLAG_READ ) /* Reserved: not supported yet */ #define LIBEVTX_OPEN_WRITE ( LIBEVTX_ACCESS_FLAG_WRITE ) /* Reserved: not supported yet */ #define LIBEVTX_OPEN_READ_WRITE ( LIBEVTX_ACCESS_FLAG_READ | LIBEVTX_ACCESS_FLAG_WRITE ) /* The event level definitions */ enum LIBEVTX_EVENT_LEVELS { LIBEVTX_EVENT_LEVEL_CRITICAL = 1, LIBEVTX_EVENT_LEVEL_ERROR = 2, LIBEVTX_EVENT_LEVEL_WARNING = 3, LIBEVTX_EVENT_LEVEL_INFORMATION = 4, LIBEVTX_EVENT_LEVEL_VERBOSE = 5, }; /* The event file flags */ enum LIBEVTX_FILE_FLAGS { LIBEVTX_FILE_FLAG_IS_DIRTY = 0x00000001UL, LIBEVTX_FILE_FLAG_IS_FULL = 0x00000002UL, }; #endif /* !defined( _LIBEVTX_DEFINITIONS_H ) */ ================================================ FILE: include/libevtx/error.h ================================================ /* * The error code definitions for libevtx * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. 
* * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . */

#if !defined( _LIBEVTX_ERROR_H )
#define _LIBEVTX_ERROR_H

#include

/* External error type definition hides internal structure
 */
typedef intptr_t libevtx_error_t;

/* The error domains
 * Each domain is identified by a character code
 */
enum LIBEVTX_ERROR_DOMAINS
{
	LIBEVTX_ERROR_DOMAIN_ARGUMENTS			= (int) 'a',
	LIBEVTX_ERROR_DOMAIN_CONVERSION			= (int) 'c',
	LIBEVTX_ERROR_DOMAIN_COMPRESSION		= (int) 'C',
	LIBEVTX_ERROR_DOMAIN_IO				= (int) 'I',
	LIBEVTX_ERROR_DOMAIN_INPUT			= (int) 'i',
	LIBEVTX_ERROR_DOMAIN_MEMORY			= (int) 'm',
	LIBEVTX_ERROR_DOMAIN_OUTPUT			= (int) 'o',
	LIBEVTX_ERROR_DOMAIN_RUNTIME			= (int) 'r'
};

/* The argument error codes
 * to signify errors regarding arguments passed to a function
 */
enum LIBEVTX_ARGUMENT_ERROR
{
	LIBEVTX_ARGUMENT_ERROR_GENERIC			= 0,

	/* The argument contains an invalid value
	 */
	LIBEVTX_ARGUMENT_ERROR_INVALID_VALUE		= 1,

	/* The argument contains a value less than zero
	 */
	LIBEVTX_ARGUMENT_ERROR_VALUE_LESS_THAN_ZERO	= 2,

	/* The argument contains a value zero or less
	 */
	LIBEVTX_ARGUMENT_ERROR_VALUE_ZERO_OR_LESS	= 3,

	/* The argument contains a value that exceeds the maximum
	 * for the specific type
	 */
	LIBEVTX_ARGUMENT_ERROR_VALUE_EXCEEDS_MAXIMUM	= 4,

	/* The argument contains a value that is too small
	 */
	LIBEVTX_ARGUMENT_ERROR_VALUE_TOO_SMALL		= 5,

	/* The argument contains a value that is too large
	 */
	LIBEVTX_ARGUMENT_ERROR_VALUE_TOO_LARGE		= 6,

	/* The argument contains a value that is out of bounds
	 */
	LIBEVTX_ARGUMENT_ERROR_VALUE_OUT_OF_BOUNDS	= 7,

	/* The argument contains a value that is not supported
	 */
	LIBEVTX_ARGUMENT_ERROR_UNSUPPORTED_VALUE	= 8,

	/* The argument contains a value that conflicts with another argument
	 */
	LIBEVTX_ARGUMENT_ERROR_CONFLICTING_VALUE	= 9
};

/* The conversion error codes
 * to signify errors regarding conversions
 */
enum LIBEVTX_CONVERSION_ERROR
{
	LIBEVTX_CONVERSION_ERROR_GENERIC		= 0,

	/* The conversion failed on the input
	 */
	LIBEVTX_CONVERSION_ERROR_INPUT_FAILED		= 1,

	/* The conversion failed on the output
	 */
	LIBEVTX_CONVERSION_ERROR_OUTPUT_FAILED		= 2
};

/* The compression error codes
 * to signify errors regarding compression
 */
enum LIBEVTX_COMPRESSION_ERROR
{
	LIBEVTX_COMPRESSION_ERROR_GENERIC		= 0,

	/* The compression failed
	 */
	LIBEVTX_COMPRESSION_ERROR_COMPRESS_FAILED	= 1,

	/* The decompression failed
	 */
	LIBEVTX_COMPRESSION_ERROR_DECOMPRESS_FAILED	= 2
};

/* The input/output error codes
 * to signify errors regarding input/output
 */
enum LIBEVTX_IO_ERROR
{
	LIBEVTX_IO_ERROR_GENERIC			= 0,

	/* The open failed
	 */
	LIBEVTX_IO_ERROR_OPEN_FAILED			= 1,

	/* The close failed
	 */
	LIBEVTX_IO_ERROR_CLOSE_FAILED			= 2,

	/* The seek failed
	 */
	LIBEVTX_IO_ERROR_SEEK_FAILED			= 3,

	/* The read failed
	 */
	LIBEVTX_IO_ERROR_READ_FAILED			= 4,

	/* The write failed
	 */
	LIBEVTX_IO_ERROR_WRITE_FAILED			= 5,

	/* Access denied
	 */
	LIBEVTX_IO_ERROR_ACCESS_DENIED			= 6,

	/* The resource is invalid i.e. a missing file
	 */
	LIBEVTX_IO_ERROR_INVALID_RESOURCE		= 7,

	/* The ioctl failed
	 */
	LIBEVTX_IO_ERROR_IOCTL_FAILED			= 8,

	/* The unlink failed
	 */
	LIBEVTX_IO_ERROR_UNLINK_FAILED			= 9
};

/* The input error codes
 * to signify errors regarding handling input data
 * These are the codes that describe a problem with the data being read
 * (invalid data, signature, checksum or value mismatch)
 */
enum LIBEVTX_INPUT_ERROR
{
	LIBEVTX_INPUT_ERROR_GENERIC			= 0,

	/* The input contains invalid data
	 */
	LIBEVTX_INPUT_ERROR_INVALID_DATA		= 1,

	/* The input contains an unsupported signature
	 */
	LIBEVTX_INPUT_ERROR_SIGNATURE_MISMATCH		= 2,

	/* A checksum in the input did not match
	 */
	LIBEVTX_INPUT_ERROR_CHECKSUM_MISMATCH		= 3,

	/* A value in the input did not match a previously
	 * read value or calculated value
	 */
	LIBEVTX_INPUT_ERROR_VALUE_MISMATCH		= 4
};

/* The memory error codes
 * to signify errors regarding memory
 */
enum LIBEVTX_MEMORY_ERROR
{
	LIBEVTX_MEMORY_ERROR_GENERIC			= 0,

	/* There is insufficient memory available
	 */
	LIBEVTX_MEMORY_ERROR_INSUFFICIENT		= 1,

	/* The memory failed to be copied
	 */
	LIBEVTX_MEMORY_ERROR_COPY_FAILED		= 2,

	/* The memory failed to be set
	 */
	LIBEVTX_MEMORY_ERROR_SET_FAILED			= 3
};

/* The output error codes
 */
enum LIBEVTX_OUTPUT_ERROR
{
	LIBEVTX_OUTPUT_ERROR_GENERIC			= 0,

	/* There is insufficient space to write the output
	 */
	LIBEVTX_OUTPUT_ERROR_INSUFFICIENT_SPACE		= 1
};

/* The runtime error codes
 * to signify errors regarding runtime processing
 */
enum LIBEVTX_RUNTIME_ERROR
{
	LIBEVTX_RUNTIME_ERROR_GENERIC			= 0,

	/* The value is missing
	 */
	LIBEVTX_RUNTIME_ERROR_VALUE_MISSING		= 1,

	/* The value was already set
	 */
	LIBEVTX_RUNTIME_ERROR_VALUE_ALREADY_SET		= 2,

	/* The creation and/or initialization of an internal structure failed
	 */
	LIBEVTX_RUNTIME_ERROR_INITIALIZE_FAILED		= 3,

	/* The resize of an internal structure failed
	 */
	LIBEVTX_RUNTIME_ERROR_RESIZE_FAILED		= 4,

	/* The free and/or finalization of an internal structure failed
	 */
	LIBEVTX_RUNTIME_ERROR_FINALIZE_FAILED		= 5,

	/* The value could not be determined
	 */
	LIBEVTX_RUNTIME_ERROR_GET_FAILED		= 6,

	/* The value could not be set
	 */
	LIBEVTX_RUNTIME_ERROR_SET_FAILED		= 7,

	/* The value could not be appended/prepended
	 */
	LIBEVTX_RUNTIME_ERROR_APPEND_FAILED		= 8,

	/* The value could not be copied
	 */
	LIBEVTX_RUNTIME_ERROR_COPY_FAILED		= 9,

	/* The value could not be removed
	 */
	LIBEVTX_RUNTIME_ERROR_REMOVE_FAILED		= 10,

	/* The value could not be printed
	 */
	LIBEVTX_RUNTIME_ERROR_PRINT_FAILED		= 11,

	/* The value was out of bounds
	 */
	LIBEVTX_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS	= 12,

	/* The value exceeds the maximum for its specific type
	 */
	LIBEVTX_RUNTIME_ERROR_VALUE_EXCEEDS_MAXIMUM	= 13,

	/* The value is unsupported
	 */
	LIBEVTX_RUNTIME_ERROR_UNSUPPORTED_VALUE		= 14,

	/* An abort was requested
	 */
	LIBEVTX_RUNTIME_ERROR_ABORT_REQUESTED		= 15
};

#endif /* !defined( _LIBEVTX_ERROR_H ) */

================================================ FILE: include/libevtx/extern.h ================================================ /* * The extern definition * * This header should be included in header files that export or import * library functions * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements.
* * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . */ #if !defined( _LIBEVTX_EXTERN_H ) #define _LIBEVTX_EXTERN_H /* To export functions from the libevtx DLL define LIBEVTX_DLL_EXPORT * To import functions from the libevtx DLL define LIBEVTX_DLL_IMPORT * Otherwise use default extern statement */ #if defined( LIBEVTX_DLL_EXPORT ) #define LIBEVTX_EXTERN __declspec(dllexport) #elif defined( LIBEVTX_DLL_IMPORT ) #define LIBEVTX_EXTERN extern __declspec(dllimport) #else #define LIBEVTX_EXTERN extern #endif #endif /* !defined( _LIBEVTX_EXTERN_H ) */ ================================================ FILE: include/libevtx/features.h.in ================================================ /* * Features of libevtx * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #if !defined( _LIBEVTX_FEATURES_H ) #define _LIBEVTX_FEATURES_H /* The libevtx type support features */ #if defined( WINAPI ) || @HAVE_WIDE_CHARACTER_TYPE@ #define LIBEVTX_HAVE_WIDE_CHARACTER_TYPE 1 #endif #if defined( WINAPI ) || @HAVE_MULTI_THREAD_SUPPORT@ #define LIBEVTX_HAVE_MULTI_THREAD_SUPPORT 1 #endif #if defined( HAVE_LIBBFIO ) || ( !defined( WINAPI ) && @HAVE_LIBBFIO@ ) #define LIBEVTX_HAVE_BFIO 1 #endif #if !defined( LIBEVTX_DEPRECATED ) #if defined( __GNUC__ ) && __GNUC__ >= 3 #define LIBEVTX_DEPRECATED __attribute__ ((__deprecated__)) #elif defined( _MSC_VER ) #define LIBEVTX_DEPRECATED __declspec(deprecated) #else #define LIBEVTX_DEPRECATED #endif #endif #endif /* !defined( _LIBEVTX_FEATURES_H ) */ ================================================ FILE: include/libevtx/types.h.in ================================================ /* * Type definitions for libevtx * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #if !defined( _LIBEVTX_TYPES_H ) #define _LIBEVTX_TYPES_H #include /* Integer type definitions */ #if ( defined( _MSC_VER ) && ( _MSC_VER < 1600 ) ) || ( defined( __BORLANDC__ ) && ( __BORLANDC__ <= 0x0560 ) ) #ifdef __cplusplus extern "C" { #endif /* Microsoft Visual Studio C++ before Visual Studio 2010 or earlier versions of the Borland C++ Builder * do not support the (u)int#_t type definitions but have __int# definitions instead */ #if !defined( HAVE_INT8_T ) #define HAVE_INT8_T typedef __int8 int8_t; #endif #if !defined( HAVE_UINT8_T ) #define HAVE_UINT8_T typedef unsigned __int8 uint8_t; #endif #if !defined( HAVE_INT16_T ) #define HAVE_INT16_T typedef __int16 int16_t; #endif #if !defined( HAVE_UINT16_T ) #define HAVE_UINT16_T typedef unsigned __int16 uint16_t; #endif #if !defined( HAVE_INT32_T ) #define HAVE_INT32_T typedef __int32 int32_t; #endif #if !defined( HAVE_UINT32_T ) #define HAVE_UINT32_T typedef unsigned __int32 uint32_t; #endif #if !defined( HAVE_INT64_T ) #define HAVE_INT64_T typedef __int64 int64_t; #endif #if !defined( HAVE_UINT64_T ) #define HAVE_UINT64_T typedef unsigned __int64 uint64_t; #endif #ifdef __cplusplus } #endif #elif defined( _MSC_VER ) || defined( __BORLANDC__ ) /* Later versions of Microsoft Visual Studio C++ and Borland C/C++ define the types in */ #include #else #if @HAVE_SYS_TYPES_H@ || defined( HAVE_SYS_TYPES_H ) #include #else #error Missing system type definitions (sys/types.h) #endif /* Type definitions for compilers that have access to * or */ #if @HAVE_INTTYPES_H@ || defined( HAVE_INTTYPES_H ) #include #elif @HAVE_STDINT_H@ || defined( HAVE_STDINT_H ) #include #else #error Missing integer type definitions (inttypes.h, stdint.h) #endif #endif #ifdef __cplusplus extern "C" { #endif #if defined( _MSC_VER ) || ( defined( __BORLANDC__ ) && ( __BORLANDC__ <= 0x0560 ) ) /* Microsoft Visual Studio C++ or earlier versions of the Borland C++ Builder * do not support the ssize_t type definition */ #if !defined( HAVE_SSIZE_T ) 
#define HAVE_SSIZE_T #if defined( _WIN64 ) typedef __int64 ssize_t; #else typedef __int32 ssize_t; #endif #endif /* !defined( HAVE_SSIZE_T ) */ #endif /* defined( _MSC_VER ) || ( defined( __BORLANDC__ ) && ( __BORLANDC__ <= 0x0560 ) ) */ #if defined( __BORLANDC__ ) && ( __BORLANDC__ <= 0x0560 ) /* Earlier versions of Borland C++ Builder do not support the intptr_t type definition */ #if !defined( HAVE_INTPTR_T ) #define HAVE_INTPTR_T #if defined( _WIN64 ) typedef __int64 intptr_t; #else typedef __int32 intptr_t; #endif #endif /* !defined( HAVE_INTPTR_T ) */ #endif /* defined( __BORLANDC__ ) && ( __BORLANDC__ <= 0x0560 ) */ #if ( !defined( HAVE_SIZE32_T ) && ! @HAVE_SIZE32_T@ ) || HAVE_SIZE32_T == 0 #define HAVE_SIZE32_T 1 typedef uint32_t size32_t; #endif #if ( !defined( HAVE_SSIZE32_T ) && ! @HAVE_SSIZE32_T@ ) || HAVE_SSIZE32_T == 0 #define HAVE_SSIZE32_T 1 typedef int32_t ssize32_t; #endif #if ( !defined( HAVE_SIZE64_T ) && ! @HAVE_SIZE64_T@ ) || HAVE_SIZE64_T == 0 #define HAVE_SIZE64_T 1 typedef uint64_t size64_t; #endif #if ( !defined( HAVE_SSIZE64_T ) && ! @HAVE_SSIZE64_T@ ) || HAVE_SSIZE64_T == 0 #define HAVE_SSIZE64_T 1 typedef int64_t ssize64_t; #endif #if ( !defined( HAVE_OFF64_T ) && ! 
@HAVE_OFF64_T@ ) || HAVE_OFF64_T == 0 #define HAVE_OFF64_T 1 typedef int64_t off64_t; #endif /* Wide character definition */ #if defined( __BORLANDC__ ) && ( __BORLANDC__ <= 0x0520 ) #include #elif defined( WINAPI ) #include #elif @HAVE_WCHAR_H@ || defined( HAVE_WCHAR_H ) /* __USE_UNIX98 is required to add swprintf definition */ #if !defined( __USE_UNIX98 ) #define __USE_UNIX98 #define LIBEVTX_DEFINITION_UNIX98 #endif #include #if defined( LIBEVTX_DEFINITION_UNIX98 ) #undef __USE_UNIX98 #undef LIBEVTX_DEFINITION_UNIX98 #endif #endif /* The following type definitions hide internal data structures */ typedef intptr_t libevtx_file_t; typedef intptr_t libevtx_record_t; typedef intptr_t libevtx_template_definition_t; #ifdef __cplusplus } #endif #endif /* !defined( _LIBEVTX_TYPES_H ) */ ================================================ FILE: include/libevtx.h.in ================================================ /* * Library to access the Windows XML Event Log (EVTX) format * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #if !defined( _LIBEVTX_H ) #define _LIBEVTX_H #include #include #include #include #include #include #include #if defined( LIBEVTX_HAVE_BFIO ) #include #endif #if defined( __cplusplus ) extern "C" { #endif /* ------------------------------------------------------------------------- * Support functions * ------------------------------------------------------------------------- */ /* Returns the library version */ LIBEVTX_EXTERN \ const char *libevtx_get_version( void ); /* Returns the access flags for reading */ LIBEVTX_EXTERN \ int libevtx_get_access_flags_read( void ); /* Retrieves the narrow system string codepage * A value of 0 represents no codepage, UTF-8 encoding is used instead * Returns 1 if successful or -1 on error */ LIBEVTX_EXTERN \ int libevtx_get_codepage( int *codepage, libevtx_error_t **error ); /* Sets the narrow system string codepage * A value of 0 represents no codepage, UTF-8 encoding is used instead * Returns 1 if successful or -1 on error */ LIBEVTX_EXTERN \ int libevtx_set_codepage( int codepage, libevtx_error_t **error ); /* Determines if a file contains an EVTX file signature * Returns 1 if true, 0 if not or -1 on error */ LIBEVTX_EXTERN \ int libevtx_check_file_signature( const char *filename, libevtx_error_t **error ); #if defined( LIBEVTX_HAVE_WIDE_CHARACTER_TYPE ) /* Determines if a file contains an EVTX file signature * Returns 1 if true, 0 if not or -1 on error */ LIBEVTX_EXTERN \ int libevtx_check_file_signature_wide( const wchar_t *filename, libevtx_error_t **error ); #endif /* defined( LIBEVTX_HAVE_WIDE_CHARACTER_TYPE ) */ #if defined( LIBEVTX_HAVE_BFIO ) /* Determines if a file contains an EVTX file signature using a Basic File IO (bfio) handle * Returns 1 if true, 0 if not or -1 on error */ LIBEVTX_EXTERN \ int libevtx_check_file_signature_file_io_handle( libbfio_handle_t *bfio_handle, libevtx_error_t **error ); #endif /* defined( LIBEVTX_HAVE_BFIO ) */ /* 
------------------------------------------------------------------------- * Notify functions * ------------------------------------------------------------------------- */ /* Sets the verbose notification */ LIBEVTX_EXTERN \ void libevtx_notify_set_verbose( int verbose ); /* Sets the notification stream * Returns 1 if successful or -1 on error */ LIBEVTX_EXTERN \ int libevtx_notify_set_stream( FILE *stream, libevtx_error_t **error ); /* Opens the notification stream using a filename * The stream is opened in append mode * Returns 1 if successful or -1 on error */ LIBEVTX_EXTERN \ int libevtx_notify_stream_open( const char *filename, libevtx_error_t **error ); /* Closes the notification stream if opened using a filename * Returns 0 if successful or -1 on error */ LIBEVTX_EXTERN \ int libevtx_notify_stream_close( libevtx_error_t **error ); /* ------------------------------------------------------------------------- * Error functions * ------------------------------------------------------------------------- */ /* Frees an error */ LIBEVTX_EXTERN \ void libevtx_error_free( libevtx_error_t **error ); /* Prints a descriptive string of the error to the stream * Returns the number of printed characters if successful or -1 on error */ LIBEVTX_EXTERN \ int libevtx_error_fprint( libevtx_error_t *error, FILE *stream ); /* Prints a descriptive string of the error to the string * The end-of-string character is not included in the return value * Returns the number of printed characters if successful or -1 on error */ LIBEVTX_EXTERN \ int libevtx_error_sprint( libevtx_error_t *error, char *string, size_t size ); /* Prints a backtrace of the error to the stream * Returns the number of printed characters if successful or -1 on error */ LIBEVTX_EXTERN \ int libevtx_error_backtrace_fprint( libevtx_error_t *error, FILE *stream ); /* Prints a backtrace of the error to the string * The end-of-string character is not included in the return value * Returns the number of printed characters 
if successful or -1 on error */ LIBEVTX_EXTERN \ int libevtx_error_backtrace_sprint( libevtx_error_t *error, char *string, size_t size );

/* -------------------------------------------------------------------------
 * File functions
 * ------------------------------------------------------------------------- */

/* Creates a file
 * Make sure the value file is referencing is set to NULL before the call
 * Returns 1 if successful or -1 on error
 */
LIBEVTX_EXTERN \
int libevtx_file_initialize(
     libevtx_file_t **file,
     libevtx_error_t **error );

/* Frees a file
 * Returns 1 if successful or -1 on error
 */
LIBEVTX_EXTERN \
int libevtx_file_free(
     libevtx_file_t **file,
     libevtx_error_t **error );

/* Signals a file to abort its current activity
 * Returns 1 if successful or -1 on error
 */
LIBEVTX_EXTERN \
int libevtx_file_signal_abort(
     libevtx_file_t *file,
     libevtx_error_t **error );

/* Opens a file
 * libevtx/definitions.h marks LIBEVTX_OPEN_WRITE and LIBEVTX_OPEN_READ_WRITE
 * as reserved (not supported yet), which leaves LIBEVTX_OPEN_READ as the
 * access flags value to pass
 * Returns 1 if successful or -1 on error
 */
LIBEVTX_EXTERN \
int libevtx_file_open(
     libevtx_file_t *file,
     const char *filename,
     int access_flags,
     libevtx_error_t **error );

#if defined( LIBEVTX_HAVE_WIDE_CHARACTER_TYPE )

/* Opens a file using a wide character filename
 * Returns 1 if successful or -1 on error
 */
LIBEVTX_EXTERN \
int libevtx_file_open_wide(
     libevtx_file_t *file,
     const wchar_t *filename,
     int access_flags,
     libevtx_error_t **error );

#endif /* defined( LIBEVTX_HAVE_WIDE_CHARACTER_TYPE ) */

#if defined( LIBEVTX_HAVE_BFIO )

/* Opens a file using a Basic File IO (bfio) handle
 * Returns 1 if successful or -1 on error
 */
LIBEVTX_EXTERN \
int libevtx_file_open_file_io_handle(
     libevtx_file_t *file,
     libbfio_handle_t *file_io_handle,
     int access_flags,
     libevtx_error_t **error );

#endif /* defined( LIBEVTX_HAVE_BFIO ) */

/* Closes a file
 * Note that success is reported as 0 here, not 1 as for most other functions
 * Returns 0 if successful or -1 on error
 */
LIBEVTX_EXTERN \
int libevtx_file_close(
     libevtx_file_t *file,
     libevtx_error_t **error );

/* Determines if the file is corrupted
 * Returns 1 if corrupted, 0 if not or -1 on error
 */
LIBEVTX_EXTERN \
int libevtx_file_is_corrupted(
     libevtx_file_t *file,
     libevtx_error_t **error );

/* Retrieves the file ASCII codepage
 * Returns 1 if successful or -1 on error
 */
LIBEVTX_EXTERN \
int libevtx_file_get_ascii_codepage(
     libevtx_file_t *file,
     int *ascii_codepage,
     libevtx_error_t **error );

/* Sets the file ASCII codepage
 * Returns 1 if successful or -1 on error
 */
LIBEVTX_EXTERN \
int libevtx_file_set_ascii_codepage(
     libevtx_file_t *file,
     int ascii_codepage,
     libevtx_error_t **error );

/* Retrieves the format version
 * Returns 1 if successful or -1 on error
 */
LIBEVTX_EXTERN \
int libevtx_file_get_format_version(
     libevtx_file_t *file,
     uint16_t *major_version,
     uint16_t *minor_version,
     libevtx_error_t **error );

/* Retrieves the flags
 * NOTE(review): presumably a combination of the LIBEVTX_FILE_FLAGS values
 * (LIBEVTX_FILE_FLAG_IS_DIRTY, LIBEVTX_FILE_FLAG_IS_FULL) defined in
 * libevtx/definitions.h - confirm
 * Returns 1 if successful or -1 on error
 */
LIBEVTX_EXTERN \
int libevtx_file_get_flags(
     libevtx_file_t *file,
     uint32_t *flags,
     libevtx_error_t **error );

/* Retrieves the number of records
 * Returns 1 if successful or -1 on error
 */
LIBEVTX_EXTERN \
int libevtx_file_get_number_of_records(
     libevtx_file_t *file,
     int *number_of_records,
     libevtx_error_t **error );

/* Retrieves a specific record
 * NOTE(review): presumably the caller releases the record with
 * libevtx_record_free - confirm
 * Returns 1 if successful or -1 on error
 */
LIBEVTX_EXTERN \
int libevtx_file_get_record_by_index(
     libevtx_file_t *file,
     int record_index,
     libevtx_record_t **record,
     libevtx_error_t **error );

/* Retrieves the number of recovered records
 * Returns 1 if successful or -1 on error
 */
LIBEVTX_EXTERN \
int libevtx_file_get_number_of_recovered_records(
     libevtx_file_t *file,
     int *number_of_records,
     libevtx_error_t **error );

/* Retrieves a specific recovered record
 * NOTE(review): presumably the caller releases the record with
 * libevtx_record_free - confirm
 * Returns 1 if successful or -1 on error
 */
LIBEVTX_EXTERN \
int libevtx_file_get_recovered_record_by_index(
     libevtx_file_t *file,
     int record_index,
     libevtx_record_t **record,
     libevtx_error_t **error );

/* -------------------------------------------------------------------------
 * File functions - deprecated
 * ------------------------------------------------------------------------- */

/* Retrieves the version
 *
 * This function is deprecated, use libevtx_file_get_format_version instead
 *
 * Returns 1 if successful or -1 on error
 */
LIBEVTX_DEPRECATED \
LIBEVTX_EXTERN \
int libevtx_file_get_version(
     libevtx_file_t *file,
     uint16_t *major_version,
     uint16_t *minor_version,
     libevtx_error_t **error );

/* Retrieves a specific record
 *
 * This function is deprecated, use libevtx_file_get_record_by_index instead
 *
 * Returns 1 if successful or -1 on error
 */
LIBEVTX_DEPRECATED \
LIBEVTX_EXTERN \
int libevtx_file_get_record(
     libevtx_file_t *file,
     int record_index,
     libevtx_record_t **record,
     libevtx_error_t **error );

/* Retrieves a specific recovered record
 *
 * This function is deprecated, use libevtx_file_get_recovered_record_by_index instead
 *
 * Returns 1 if successful or -1 on error
 */
LIBEVTX_DEPRECATED \
LIBEVTX_EXTERN \
int libevtx_file_get_recovered_record(
     libevtx_file_t *file,
     int record_index,
     libevtx_record_t **record,
     libevtx_error_t **error );

/* -------------------------------------------------------------------------
 * Record functions
 * ------------------------------------------------------------------------- */

/* Frees a record
 * Returns 1 if successful or -1 on error
 */
LIBEVTX_EXTERN \
int libevtx_record_free(
     libevtx_record_t **record,
     libevtx_error_t **error );

/* Retrieves the offset
 * Returns 1 if successful or -1 on error
 */
LIBEVTX_EXTERN \
int libevtx_record_get_offset(
     libevtx_record_t *record,
     off64_t *offset,
     libevtx_error_t **error );

/* Retrieves the identifier (record number)
 * Returns 1 if successful or -1 on error
 */
LIBEVTX_EXTERN \
int libevtx_record_get_identifier(
     libevtx_record_t *record,
     uint64_t *identifier,
     libevtx_error_t **error );

/* Retrieves the 64-bit FILETIME value containing the creation time from the binary XML
 * Returns 1 if successful, 0 if not available or -1 on error
 */
LIBEVTX_EXTERN \
int libevtx_record_get_creation_time(
     libevtx_record_t *record,
     uint64_t *filetime,
     libevtx_error_t **error );

/* Retrieves the 64-bit FILETIME value containing the written time from the
event record header * Returns 1 if successful or -1 on error */ LIBEVTX_EXTERN \ int libevtx_record_get_written_time( libevtx_record_t *record, uint64_t *filetime, libevtx_error_t **error ); /* Retrieves the event identifier * Returns 1 if successful or -1 on error */ LIBEVTX_EXTERN \ int libevtx_record_get_event_identifier( libevtx_record_t *record, uint32_t *event_identifier, libevtx_error_t **error ); /* Retrieves the event identifier qualifiers * Returns 1 if successful, 0 if not available or -1 on error */ LIBEVTX_EXTERN \ int libevtx_record_get_event_identifier_qualifiers( libevtx_record_t *record, uint32_t *event_identifier_qualifiers, libevtx_error_t **error ); /* Retrieves the event version * Returns 1 if successful, 0 if not available or -1 on error */ LIBEVTX_EXTERN \ int libevtx_record_get_event_version( libevtx_record_t *record, uint8_t *event_version, libevtx_error_t **error ); /* Retrieves the event level * Returns 1 if successful or -1 on error */ LIBEVTX_EXTERN \ int libevtx_record_get_event_level( libevtx_record_t *record, uint8_t *event_level, libevtx_error_t **error ); /* Retrieves the size of the UTF-8 encoded provider identifier * The returned size includes the end of string character * Returns 1 if successful, 0 if not available or -1 on error */ LIBEVTX_EXTERN \ int libevtx_record_get_utf8_provider_identifier_size( libevtx_record_t *record, size_t *utf8_string_size, libevtx_error_t **error ); /* Retrieves the UTF-8 encoded provider identifier * The size should include the end of string character * Returns 1 if successful, 0 if not available or -1 on error */ LIBEVTX_EXTERN \ int libevtx_record_get_utf8_provider_identifier( libevtx_record_t *record, uint8_t *utf8_string, size_t utf8_string_size, libevtx_error_t **error ); /* Retrieves the size of the UTF-16 encoded provider identifier * The returned size includes the end of string character * Returns 1 if successful, 0 if not available or -1 on error */ LIBEVTX_EXTERN \ int 
libevtx_record_get_utf16_provider_identifier_size( libevtx_record_t *record, size_t *utf16_string_size, libevtx_error_t **error ); /* Retrieves the UTF-16 encoded provider identifier * The size should include the end of string character * Returns 1 if successful, 0 if not available or -1 on error */ LIBEVTX_EXTERN \ int libevtx_record_get_utf16_provider_identifier( libevtx_record_t *record, uint16_t *utf16_string, size_t utf16_string_size, libevtx_error_t **error ); /* Retrieves the size of the UTF-8 encoded source name * The returned size includes the end of string character * Returns 1 if successful, 0 if not available or -1 on error */ LIBEVTX_EXTERN \ int libevtx_record_get_utf8_source_name_size( libevtx_record_t *record, size_t *utf8_string_size, libevtx_error_t **error ); /* Retrieves the UTF-8 encoded source name * The size should include the end of string character * Returns 1 if successful, 0 if not available or -1 on error */ LIBEVTX_EXTERN \ int libevtx_record_get_utf8_source_name( libevtx_record_t *record, uint8_t *utf8_string, size_t utf8_string_size, libevtx_error_t **error ); /* Retrieves the size of the UTF-16 encoded source name * The returned size includes the end of string character * Returns 1 if successful, 0 if not available or -1 on error */ LIBEVTX_EXTERN \ int libevtx_record_get_utf16_source_name_size( libevtx_record_t *record, size_t *utf16_string_size, libevtx_error_t **error ); /* Retrieves the UTF-16 encoded source name * The size should include the end of string character * Returns 1 if successful, 0 if not available or -1 on error */ LIBEVTX_EXTERN \ int libevtx_record_get_utf16_source_name( libevtx_record_t *record, uint16_t *utf16_string, size_t utf16_string_size, libevtx_error_t **error ); /* Retrieves the size of the UTF-8 encoded channel name * The returned size includes the end of string character * Returns 1 if successful, 0 if not available or -1 on error */ LIBEVTX_EXTERN \ int libevtx_record_get_utf8_channel_name_size( 
libevtx_record_t *record, size_t *utf8_string_size, libevtx_error_t **error ); /* Retrieves the UTF-8 encoded channel name * The size should include the end of string character * Returns 1 if successful, 0 if not available or -1 on error */ LIBEVTX_EXTERN \ int libevtx_record_get_utf8_channel_name( libevtx_record_t *record, uint8_t *utf8_string, size_t utf8_string_size, libevtx_error_t **error ); /* Retrieves the size of the UTF-16 encoded channel name * The returned size includes the end of string character * Returns 1 if successful, 0 if not available or -1 on error */ LIBEVTX_EXTERN \ int libevtx_record_get_utf16_channel_name_size( libevtx_record_t *record, size_t *utf16_string_size, libevtx_error_t **error ); /* Retrieves the UTF-16 encoded channel name * The size should include the end of string character * Returns 1 if successful, 0 if not available or -1 on error */ LIBEVTX_EXTERN \ int libevtx_record_get_utf16_channel_name( libevtx_record_t *record, uint16_t *utf16_string, size_t utf16_string_size, libevtx_error_t **error ); /* Retrieves the size of the UTF-8 encoded computer name * The returned size includes the end of string character * Returns 1 if successful, 0 if not available or -1 on error */ LIBEVTX_EXTERN \ int libevtx_record_get_utf8_computer_name_size( libevtx_record_t *record, size_t *utf8_string_size, libevtx_error_t **error ); /* Retrieves the UTF-8 encoded computer name * The size should include the end of string character * Returns 1 if successful, 0 if not available or -1 on error */ LIBEVTX_EXTERN \ int libevtx_record_get_utf8_computer_name( libevtx_record_t *record, uint8_t *utf8_string, size_t utf8_string_size, libevtx_error_t **error ); /* Retrieves the size of the UTF-16 encoded computer name * The returned size includes the end of string character * Returns 1 if successful, 0 if not available or -1 on error */ LIBEVTX_EXTERN \ int libevtx_record_get_utf16_computer_name_size( libevtx_record_t *record, size_t *utf16_string_size, 
libevtx_error_t **error ); /* Retrieves the UTF-16 encoded computer name * The size should include the end of string character * Returns 1 if successful, 0 if not available or -1 on error */ LIBEVTX_EXTERN \ int libevtx_record_get_utf16_computer_name( libevtx_record_t *record, uint16_t *utf16_string, size_t utf16_string_size, libevtx_error_t **error ); /* Retrieves the size of the UTF-8 encoded user security identifier (SID) * The returned size includes the end of string character * Returns 1 if successful, 0 if not available or -1 on error */ LIBEVTX_EXTERN \ int libevtx_record_get_utf8_user_security_identifier_size( libevtx_record_t *record, size_t *utf8_string_size, libevtx_error_t **error ); /* Retrieves the UTF-8 encoded user security identifier (SID) * The size should include the end of string character * Returns 1 if successful, 0 if not available or -1 on error */ LIBEVTX_EXTERN \ int libevtx_record_get_utf8_user_security_identifier( libevtx_record_t *record, uint8_t *utf8_string, size_t utf8_string_size, libevtx_error_t **error ); /* Retrieves the size of the UTF-16 encoded user security identifier (SID) * The returned size includes the end of string character * Returns 1 if successful, 0 if not available or -1 on error */ LIBEVTX_EXTERN \ int libevtx_record_get_utf16_user_security_identifier_size( libevtx_record_t *record, size_t *utf16_string_size, libevtx_error_t **error ); /* Retrieves the UTF-16 encoded user security identifier (SID) * The size should include the end of string character * Returns 1 if successful, 0 if not available or -1 on error */ LIBEVTX_EXTERN \ int libevtx_record_get_utf16_user_security_identifier( libevtx_record_t *record, uint16_t *utf16_string, size_t utf16_string_size, libevtx_error_t **error ); /* Parses the record data with a template definition * This function needs to be called before accessing the strings otherwise * the record data will be parsed without a template definition by default * Returns 1 if successful, 0 if 
data could not be parsed or -1 on error */ LIBEVTX_EXTERN \ int libevtx_record_parse_data_with_template_definition( libevtx_record_t *record, libevtx_template_definition_t *template_definition, libevtx_error_t **error ); /* Retrieves the number of strings * Returns 1 if successful or -1 on error */ LIBEVTX_EXTERN \ int libevtx_record_get_number_of_strings( libevtx_record_t *record, int *number_of_strings, libevtx_error_t **error ); /* Retrieves the size of a specific UTF-8 encoded string * The returned size includes the end of string character * Returns 1 if successful or -1 on error */ LIBEVTX_EXTERN \ int libevtx_record_get_utf8_string_size( libevtx_record_t *record, int string_index, size_t *utf8_string_size, libevtx_error_t **error ); /* Retrieves a specific UTF-8 encoded string * The size should include the end of string character * Returns 1 if successful or -1 on error */ LIBEVTX_EXTERN \ int libevtx_record_get_utf8_string( libevtx_record_t *record, int string_index, uint8_t *utf8_string, size_t utf8_string_size, libevtx_error_t **error ); /* Retrieves the size of a specific UTF-16 encoded string * The returned size includes the end of string character * Returns 1 if successful or -1 on error */ LIBEVTX_EXTERN \ int libevtx_record_get_utf16_string_size( libevtx_record_t *record, int string_index, size_t *utf16_string_size, libevtx_error_t **error ); /* Retrieves a specific UTF-16 encoded string * The size should include the end of string character * Returns 1 if successful or -1 on error */ LIBEVTX_EXTERN \ int libevtx_record_get_utf16_string( libevtx_record_t *record, int string_index, uint16_t *utf16_string, size_t utf16_string_size, libevtx_error_t **error ); /* Retrieves the size of the data * Returns 1 if successful, 0 if not available or -1 on error */ LIBEVTX_EXTERN \ int libevtx_record_get_data_size( libevtx_record_t *record, size_t *data_size, libevtx_error_t **error ); /* Retrieves the data * Returns 1 if successful, 0 if not available or -1 on 
error */ LIBEVTX_EXTERN \ int libevtx_record_get_data( libevtx_record_t *record, uint8_t *data, size_t data_size, libevtx_error_t **error ); /* Retrieves the size of the UTF-8 encoded XML string * The returned size includes the end of string character * Returns 1 if successful or -1 on error */ LIBEVTX_EXTERN \ int libevtx_record_get_utf8_xml_string_size( libevtx_record_t *record, size_t *utf8_string_size, libevtx_error_t **error ); /* Retrieves the UTF-8 encoded XML string * The size should include the end of string character * Returns 1 if successful or -1 on error */ LIBEVTX_EXTERN \ int libevtx_record_get_utf8_xml_string( libevtx_record_t *record, uint8_t *utf8_string, size_t utf8_string_size, libevtx_error_t **error ); /* Retrieves the size of the UTF-16 encoded XML string * The returned size includes the end of string character * Returns 1 if successful or -1 on error */ LIBEVTX_EXTERN \ int libevtx_record_get_utf16_xml_string_size( libevtx_record_t *record, size_t *utf16_string_size, libevtx_error_t **error ); /* Retrieves the UTF-16 encoded XML string * The size should include the end of string character * Returns 1 if successful or -1 on error */ LIBEVTX_EXTERN \ int libevtx_record_get_utf16_xml_string( libevtx_record_t *record, uint16_t *utf16_string, size_t utf16_string_size, libevtx_error_t **error ); /* ------------------------------------------------------------------------- * Record functions - deprecated * ------------------------------------------------------------------------- */ /* Parses the record data * Returns 1 if successful, 0 if data could not be parsed or -1 on error * * This function deprecated use there is no need to call this function anymore. 
* If you want to parse the record data with a template definition use: * libevtx_record_parse_data_with_template_definition */ LIBEVTX_DEPRECATED \ LIBEVTX_EXTERN \ int libevtx_record_parse_data( libevtx_record_t *record, libevtx_template_definition_t *template_definition, libevtx_error_t **error ); /* ------------------------------------------------------------------------- * Template definition functions * ------------------------------------------------------------------------- */ /* Creates a template definition * Make sure the value template_definition is referencing, is set to NULL * Returns 1 if successful or -1 on error */ LIBEVTX_EXTERN \ int libevtx_template_definition_initialize( libevtx_template_definition_t **template_definition, libevtx_error_t **error ); /* Frees a template definition * Returns 1 if successful or -1 on error */ LIBEVTX_EXTERN \ int libevtx_template_definition_free( libevtx_template_definition_t **template_definition, libevtx_error_t **error ); /* Sets the data * Returns 1 if successful or -1 on error */ LIBEVTX_EXTERN \ int libevtx_template_definition_set_data( libevtx_template_definition_t *template_definition, const uint8_t *data, size_t data_size, uint32_t data_offset, libevtx_error_t **error ); #if defined( __cplusplus ) } #endif #endif /* !defined( _LIBEVTX_H ) */ ================================================ FILE: libevtx/Makefile.am ================================================ AM_CPPFLAGS = \ -DLOCALEDIR=\"$(datadir)/locale\" \ -I../include -I$(top_srcdir)/include \ -I../common -I$(top_srcdir)/common \ @LIBCERROR_CPPFLAGS@ \ @LIBCTHREADS_CPPFLAGS@ \ @LIBCDATA_CPPFLAGS@ \ @LIBCLOCALE_CPPFLAGS@ \ @LIBCNOTIFY_CPPFLAGS@ \ @LIBCSPLIT_CPPFLAGS@ \ @LIBUNA_CPPFLAGS@ \ @LIBCFILE_CPPFLAGS@ \ @LIBCPATH_CPPFLAGS@ \ @LIBBFIO_CPPFLAGS@ \ @LIBFCACHE_CPPFLAGS@ \ @LIBFDATA_CPPFLAGS@ \ @LIBFDATETIME_CPPFLAGS@ \ @LIBFGUID_CPPFLAGS@ \ @LIBFVALUE_CPPFLAGS@ \ @LIBFWEVT_CPPFLAGS@ \ @LIBFWNT_CPPFLAGS@ \ @PTHREAD_CPPFLAGS@ \ 
@LIBEVTX_DLL_EXPORT@ lib_LTLIBRARIES = libevtx.la libevtx_la_SOURCES = \ evtx_chunk.h \ evtx_event_record.h \ evtx_file_header.h \ libevtx.c \ libevtx_byte_stream.c libevtx_byte_stream.h \ libevtx_checksum.c libevtx_checksum.h \ libevtx_chunk.c libevtx_chunk.h \ libevtx_chunks_table.c libevtx_chunks_table.h \ libevtx_codepage.c libevtx_codepage.h \ libevtx_debug.c libevtx_debug.h \ libevtx_definitions.h \ libevtx_error.c libevtx_error.h \ libevtx_extern.h \ libevtx_file.c libevtx_file.h \ libevtx_i18n.c libevtx_i18n.h \ libevtx_io_handle.c libevtx_io_handle.h \ libevtx_libbfio.h \ libevtx_libcdata.h \ libevtx_libcerror.h \ libevtx_libclocale.h \ libevtx_libcnotify.h \ libevtx_libfcache.h \ libevtx_libfdata.h \ libevtx_libfdatetime.h \ libevtx_libfguid.h \ libevtx_libfwevt.h \ libevtx_libuna.h \ libevtx_notify.c libevtx_notify.h \ libevtx_record.c libevtx_record.h \ libevtx_record_values.c libevtx_record_values.h \ libevtx_support.c libevtx_support.h \ libevtx_template_definition.c libevtx_template_definition.h \ libevtx_types.h \ libevtx_unused.h libevtx_la_LIBADD = \ @LIBCERROR_LIBADD@ \ @LIBCTHREADS_LIBADD@ \ @LIBCDATA_LIBADD@ \ @LIBCLOCALE_LIBADD@ \ @LIBCNOTIFY_LIBADD@ \ @LIBCSPLIT_LIBADD@ \ @LIBUNA_LIBADD@ \ @LIBCFILE_LIBADD@ \ @LIBCPATH_LIBADD@ \ @LIBBFIO_LIBADD@ \ @LIBFCACHE_LIBADD@ \ @LIBFDATA_LIBADD@ \ @LIBFDATETIME_LIBADD@ \ @LIBFGUID_LIBADD@ \ @LIBFWEVT_LIBADD@ \ @LIBFWNT_LIBADD@ \ @LIBFVALUE_LIBADD@ \ @PTHREAD_LIBADD@ libevtx_la_LDFLAGS = -no-undefined -version-info 1:0:0 EXTRA_DIST = \ libevtx_definitions.h.in \ libevtx.rc \ libevtx.rc.in DISTCLEANFILES = \ libevtx_definitions.h \ libevtx.rc \ Makefile \ Makefile.in sources-local: $(BUILT_SOURCES) splint-local: @echo "Running splint on libevtx ..." 
-splint -preproc -redef $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(libevtx_la_SOURCES)

================================================
FILE: libevtx/evtx_chunk.h
================================================
/*
 * The chunk definition of a Windows XML Event Log (EVTX) file
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see .
 */

#if !defined( _EVTX_CHUNK_H )
#define _EVTX_CHUNK_H

#include
#include

#if defined( __cplusplus )
extern "C" {
#endif

/* On-disk layout of the chunk header
 * Every field is declared as a raw byte array; the declared fields add up to
 * 128 bytes (5 x 8 + 4 x 4 + 64 + 4 + 4)
 * NOTE(review): the sizes and offsets stored in these fields come from the file
 * that is being parsed; the code that decodes and range-checks them is not part
 * of this header - confirm the checks in the chunk reader
 */
typedef struct evtx_chunk_header evtx_chunk_header_t;

struct evtx_chunk_header
{
	/* The chunk signature
	 * Consists of 8 bytes
	 * Consists of: "ElfChnk\x00"
	 */
	uint8_t signature[ 8 ];

	/* The first event record number
	 * Consists of 8 bytes
	 */
	uint8_t first_event_record_number[ 8 ];

	/* The last event record number
	 * Consists of 8 bytes
	 */
	uint8_t last_event_record_number[ 8 ];

	/* The first event record identifier
	 * Consists of 8 bytes
	 */
	uint8_t first_event_record_identifier[ 8 ];

	/* The last event record identifier
	 * Consists of 8 bytes
	 */
	uint8_t last_event_record_identifier[ 8 ];

	/* The header size
	 * Consists of 4 bytes
	 */
	uint8_t header_size[ 4 ];

	/* The last event record offset
	 * Consists of 4 bytes
	 */
	uint8_t last_event_record_offset[ 4 ];

	/* The free space offset
	 * Consists of 4 bytes
	 */
	uint8_t free_space_offset[ 4 ];

	/* Event records checksum
	 * Consists of 4 bytes
	 */
	uint8_t event_records_checksum[ 4 ];

	/* Unknown
	 * Consists of 64 bytes
	 */
	uint8_t unknown1[ 64 ];

	/* Unknown
	 * Consists of 4 bytes
	 */
	uint8_t unknown2[ 4 ];

	/* Checksum
	 * Consists of 4 bytes
	 * Contains a CRC32 of bytes 0 to 120 and 128 to 512
	 * The fields before unknown2 add up to 120 bytes, which puts unknown2 at
	 * offset 120 and this field at offset 124, so the 8 bytes from 120 to 128
	 * fall outside both checksummed ranges
	 */
	uint8_t checksum[ 4 ];
};

#if defined( __cplusplus )
}
#endif

#endif /* !defined( _EVTX_CHUNK_H ) */

================================================
FILE: libevtx/evtx_event_record.h
================================================
/*
 * The event record definition of a Windows XML Event Log (EVTX) file
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see .
*/

#if !defined( _EVTX_EVENT_RECORD_H )
#define _EVTX_EVENT_RECORD_H

#include
#include

#if defined( __cplusplus )
extern "C" {
#endif

/* On-disk layout of the event record header
 * Every field is declared as a raw byte array; the declared fields add up to
 * 24 bytes (4 + 4 + 8 + 8)
 */
typedef struct evtx_event_record_header evtx_event_record_header_t;

struct evtx_event_record_header
{
	/* The event record signature
	 * Consists of 4 bytes
	 * Consists of: "\x2a\x2a\x00\x00"
	 */
	uint8_t signature[ 4 ];

	/* The size
	 * Consists of 4 bytes
	 * NOTE(review): this header does not say what the size covers; the value is
	 * read from the file, so presumably it has to be checked against the
	 * enclosing chunk before it is used - confirm in the record reader
	 */
	uint8_t size[ 4 ];

	/* The identifier
	 * Consists of 8 bytes
	 */
	uint8_t identifier[ 8 ];

	/* The written time
	 * Consists of 8 bytes
	 * Contains a FILETIME
	 */
	uint8_t written_time[ 8 ];
};

#if defined( __cplusplus )
}
#endif

#endif /* !defined( _EVTX_EVENT_RECORD_H ) */

================================================
FILE: libevtx/evtx_file_header.h
================================================
/*
 * The file header definition of a Windows XML Event Log (EVTX) file
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see .
*/

#if !defined( _EVTX_FILE_HEADER_H )
#define _EVTX_FILE_HEADER_H

#include
#include

#if defined( __cplusplus )
extern "C" {
#endif

/* On-disk layout of the file header
 * Every field is declared as a raw byte array; the declared fields add up to
 * 128 bytes (4 x 8 + 4 + 4 x 2 + 76 + 4 + 4)
 * NOTE(review): the counts and sizes stored in these fields come from the file
 * that is being parsed; the code that decodes and range-checks them is not part
 * of this header - confirm the checks in the file header reader
 */
typedef struct evtx_file_header evtx_file_header_t;

struct evtx_file_header
{
	/* The file signature
	 * Consists of 8 bytes
	 * Consists of: "ElfFile\x00"
	 */
	uint8_t signature[ 8 ];

	/* The first chunk number
	 * Consists of 8 bytes
	 */
	uint8_t first_chunk_number[ 8 ];

	/* The last chunk number
	 * Consists of 8 bytes
	 */
	uint8_t last_chunk_number[ 8 ];

	/* The next record identifier
	 * Consists of 8 bytes
	 */
	uint8_t next_record_identifier[ 8 ];

	/* The header size
	 * Consists of 4 bytes
	 */
	uint8_t header_size[ 4 ];

	/* The minor version
	 * Consists of 2 bytes
	 */
	uint8_t minor_version[ 2 ];

	/* The major version
	 * Consists of 2 bytes
	 */
	uint8_t major_version[ 2 ];

	/* The header block size
	 * Consists of 2 bytes
	 */
	uint8_t header_block_size[ 2 ];

	/* The number of chunks
	 * Consists of 2 bytes
	 */
	uint8_t number_of_chunks[ 2 ];

	/* Unknown
	 * Consists of 76 bytes
	 */
	uint8_t unknown1[ 76 ];

	/* The file flags
	 * Consists of 4 bytes
	 */
	uint8_t file_flags[ 4 ];

	/* Checksum
	 * Consists of 4 bytes
	 * Contains a CRC32 of bytes 0 to 120
	 * The fields up to and including unknown1 add up to 120 bytes, so file_flags
	 * and this field itself are not covered by the checksum
	 */
	uint8_t checksum[ 4 ];
};

#if defined( __cplusplus )
}
#endif

#endif /* !defined( _EVTX_FILE_HEADER_H ) */

================================================
FILE: libevtx/libevtx.c
================================================
/*
 * Library to access the Windows XML Event Log (EVTX) format
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see .
 */

#include

#if defined( WINAPI )
#include
#endif

#include "libevtx_unused.h"

/* Define HAVE_LOCAL_LIBEVTX for local use of libevtx
 * When it is defined, nothing below is compiled
 */
#if !defined( HAVE_LOCAL_LIBEVTX )

#if defined( WINAPI ) && defined( HAVE_DLLMAIN )

#if defined( _MANAGED )
#pragma managed( push, off )
#endif

/* Defines the entry point for the DLL
 * The only work done is on process attach; lpvReserved is unused
 * Returns TRUE for every notification
 */
BOOL WINAPI DllMain(
             HINSTANCE hinstDLL,
             DWORD fdwReason,
             LPVOID lpvReserved )
{
	LIBEVTX_UNREFERENCED_PARAMETER( lpvReserved )

	switch( fdwReason )
	{
		case DLL_PROCESS_ATTACH:
			/* Turns off the DLL_THREAD_ATTACH and DLL_THREAD_DETACH
			 * notifications for this module, the cases below do nothing with them
			 */
			DisableThreadLibraryCalls(
			 hinstDLL );
			break;

		case DLL_THREAD_ATTACH:
			break;

		case DLL_THREAD_DETACH:
			break;

		case DLL_PROCESS_DETACH:
			break;
	}
	return( TRUE );
}

/* Function that indicates the library is a DLL
 * Only compiled when both WINAPI and HAVE_DLLMAIN are defined
 * Returns 1
 */
int libevtx_is_dll(
     void )
{
	return( 1 );
}

#endif /* defined( WINAPI ) && defined( HAVE_DLLMAIN ) */

#endif /* !defined( HAVE_LOCAL_LIBEVTX ) */

================================================
FILE: libevtx/libevtx.rc.in
================================================
#include

#ifdef GCC_WINDRES
VS_VERSION_INFO VERSIONINFO
#else
VS_VERSION_INFO VERSIONINFO MOVEABLE IMPURE LOADONCALL DISCARDABLE
#endif
  FILEVERSION 1,0,0,0
  PRODUCTVERSION 1,0,0,0
  FILEFLAGSMASK VS_FFI_FILEFLAGSMASK
#ifdef _DEBUG
  FILEFLAGS 0x1L
#else
  FILEFLAGS 0x0L
#endif
  FILEOS VOS__WINDOWS32
  FILETYPE VFT_DLL
  FILESUBTYPE 0x0L
BEGIN
  BLOCK "StringFileInfo"
  BEGIN
    BLOCK "040904E4"
    BEGIN
      VALUE "FileDescription", "Library to access the Windows XML Event Log (EVTX) format\0"
      VALUE "FileVersion", "@VERSION@" "\0"
      VALUE "InternalName", "libevtx.dll\0"
      VALUE "LegalCopyright", "(C) 2011-2025, Joachim Metz \0"
      VALUE "OriginalFilename", "libevtx.dll\0"
      VALUE "ProductName", "libevtx\0"
      VALUE "ProductVersion", "@VERSION@" "\0"
      VALUE "Comments", "For more information visit https://github.com/libyal/libevtx/\0"
    END
  END
  BLOCK "VarFileInfo"
BEGIN
  VALUE "Translation", 0x0409, 1200
END
END

================================================
FILE: libevtx/libevtx_byte_stream.c
================================================
/*
 * Byte stream functions
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see .
 */

#include
#include

#include "libevtx_byte_stream.h"
#include "libevtx_libcerror.h"
#include "libevtx_types.h"

/* Checks if a byte stream is filled with 0-byte values
 *
 * byte_stream: the bytes to check, must not be NULL
 * byte_stream_size: the number of bytes to check, at most SSIZE_MAX
 * error: passed to libcerror_error_set when an argument is rejected
 *
 * The buffer is only read; a size of 0 returns 1
 * Returns 1 if true, 0 if not or -1 on error
 */
int libevtx_byte_stream_check_for_zero_byte_fill(
     const uint8_t *byte_stream,
     size_t byte_stream_size,
     libcerror_error_t **error )
{
	libevtx_aligned_t *aligned_byte_stream_index = NULL;
	uint8_t *byte_stream_index                   = NULL;
	static char *function                        = "libevtx_byte_stream_check_for_zero_byte_fill";

	if( byte_stream == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid byte stream.",
		 function );

		return( -1 );
	}
	if( byte_stream_size > (size_t) SSIZE_MAX )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_VALUE_EXCEEDS_MAXIMUM,
		 "%s: invalid byte stream size value exceeds maximum.",
		 function );

		return( -1 );
	}
	/* The const qualifier is cast away to get a walking pointer,
	 * nothing below writes through it
	 */
	byte_stream_index = (uint8_t *) byte_stream;

	/* Only optimize for byte stream larger than the alignment
	 * Requiring more than 2 words guarantees that the alignment loop, which
	 * consumes fewer than sizeof( libevtx_aligned_t ) bytes, cannot make
	 * byte_stream_size wrap around
	 */
	if( byte_stream_size > ( 2 * sizeof( libevtx_aligned_t ) ) )
	{
		/* Align the byte stream index
		 * Leading bytes are checked one at a time until the address is a
		 * multiple of sizeof( libevtx_aligned_t )
		 */
		while( ( (intptr_t) byte_stream_index % sizeof( libevtx_aligned_t ) ) != 0 )
		{
			if( *byte_stream_index != 0 )
			{
				return( 0 );
			}
			byte_stream_index += 1;
			byte_stream_size  -= 1;
		}
		/* NOTE(review): libevtx_aligned_t comes from libevtx_types.h, which is
		 * not shown here; presumably an unsigned integer of the native word
		 * size - confirm
		 */
		aligned_byte_stream_index = (libevtx_aligned_t *) byte_stream_index;

		/* Compare one aligned word at a time
		 * The test is > and not >=, so the reads stay inside the buffer and
		 * between 1 byte and one full word is left for the byte loop below
		 */
		while( byte_stream_size > sizeof( libevtx_aligned_t ) )
		{
			if( *aligned_byte_stream_index != 0 )
			{
				return( 0 );
			}
			aligned_byte_stream_index += 1;
			byte_stream_size          -= sizeof( libevtx_aligned_t );
		}
		byte_stream_index = (uint8_t *) aligned_byte_stream_index;
	}
	/* Check the remaining bytes, or the whole buffer when it was too small
	 * for the word-wise path
	 */
	while( byte_stream_size != 0 )
	{
		if( *byte_stream_index != 0 )
		{
			return( 0 );
		}
		byte_stream_index += 1;
		byte_stream_size  -= 1;
	}
	return( 1 );
}

================================================
FILE: libevtx/libevtx_byte_stream.h
================================================
/*
 * Byte stream functions
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see .
*/

#if !defined( _LIBEVTX_BYTE_STREAM_H )
#define _LIBEVTX_BYTE_STREAM_H

#include
#include

#include "libevtx_libcerror.h"

#if defined( __cplusplus )
extern "C" {
#endif

/* Checks if a byte stream is filled with 0-byte values
 * The definition in libevtx_byte_stream.c names the first two parameters
 * byte_stream and byte_stream_size
 * Returns 1 if true, 0 if not or -1 on error
 */
int libevtx_byte_stream_check_for_zero_byte_fill(
     const uint8_t *data,
     size_t data_size,
     libcerror_error_t **error );

#if defined( __cplusplus )
}
#endif

#endif /* !defined( _LIBEVTX_BYTE_STREAM_H ) */

================================================
FILE: libevtx/libevtx_checksum.c
================================================
/*
 * Checksum functions
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see .
*/

/* NOTE(review): the header name of the next include is missing on this page */
#include
#include "libevtx_libcerror.h"

/* Lookup table holding the CRC-32 of every 8-bit value */
uint32_t libevtx_checksum_crc32_table[ 256 ];

/* Set to 1 once the CRC-32 lookup table has been computed
 * NOTE(review): the flag and the table are plain globals without
 * synchronization in this file; confirm how concurrent first use is handled
 */
int libevtx_checksum_crc32_table_computed = 0;

/* Fills the internal CRC-32 lookup table
 * Every entry is derived from its index by 8 shift steps, applying the
 * reflected polynomial 0xedb88320 whenever the lowest bit is set
 */
void libevtx_checksum_initialize_crc32_table(
      void )
{
	uint32_t table_index = 0;
	uint32_t table_value = 0;
	uint8_t remaining    = 0;

	for( table_index = 0; table_index < 256; table_index++ )
	{
		table_value = table_index;

		for( remaining = 8; remaining > 0; remaining-- )
		{
			table_value = ( ( table_value & 1 ) != 0 )
			            ? ( (uint32_t) 0xedb88320UL ^ ( table_value >> 1 ) )
			            : ( table_value >> 1 );
		}
		libevtx_checksum_crc32_table[ table_index ] = table_value;
	}
	libevtx_checksum_crc32_table_computed = 1;
}

/* Validates the arguments shared by the CRC-32 functions
 * function is the name of the calling function, used in the error message
 * Returns 1 if the arguments are usable or -1 on error
 */
static int libevtx_checksum_check_arguments(
            const uint32_t *crc32,
            const uint8_t *buffer,
            size_t size,
            const char *function,
            libcerror_error_t **error )
{
	if( crc32 == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid CRC-32.", function );

		return( -1 );
	}
	if( buffer == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid buffer.", function );

		return( -1 );
	}
	if( size > (size_t) SSIZE_MAX )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_VALUE_EXCEEDS_MAXIMUM,
		 "%s: invalid size value exceeds maximum.", function );

		return( -1 );
	}
	return( 1 );
}

/* Feeds size bytes of buffer into the running value in crc32
 * The lookup table is computed on first use
 */
static void libevtx_checksum_update_crc32(
             uint32_t *crc32,
             const uint8_t *buffer,
             size_t size )
{
	const uint8_t *buffer_end = buffer + size;

	if( libevtx_checksum_crc32_table_computed == 0 )
	{
		libevtx_checksum_initialize_crc32_table();
	}
	while( buffer != buffer_end )
	{
		*crc32 = libevtx_checksum_crc32_table[ ( *crc32 ^ *buffer ) & 0x000000ffUL ] ^ ( *crc32 >> 8 );

		buffer++;
	}
}

/* Calculates the CRC-32 of a buffer
 * Based on RFC 1952
 * The initial value is XOR-ed with 0xffffffff before the first byte and the
 * result is XOR-ed with 0xffffffff after the last byte, so the result of
 * one call can be passed as initial_value of the next to checksum
 * non-adjacent ranges
 * Returns 1 if successful or -1 on error
 */
int libevtx_checksum_calculate_little_endian_crc32(
     uint32_t *crc32,
     uint8_t *buffer,
     size_t size,
     uint32_t initial_value,
     libcerror_error_t **error )
{
	static char *function = "libevtx_checksum_calculate_little_endian_crc32";

	if( libevtx_checksum_check_arguments( crc32, buffer, size, function, error ) != 1 )
	{
		return( -1 );
	}
	*crc32 = initial_value ^ (uint32_t) 0xffffffffUL;

	libevtx_checksum_update_crc32( crc32, buffer, size );

	*crc32 ^= 0xffffffffUL;

	return( 1 );
}

/* Calculates the weak CRC-32 of a buffer
 * Based on RFC 1952, without initial and final XOR operation
 * Returns 1 if successful or -1 on error
 */
int libevtx_checksum_calculate_little_endian_weak_crc32(
     uint32_t *crc32,
     uint8_t *buffer,
     size_t size,
     uint32_t initial_value,
     libcerror_error_t **error )
{
	static char *function = "libevtx_checksum_calculate_little_endian_weak_crc32";

	if( libevtx_checksum_check_arguments( crc32, buffer, size, function, error ) != 1 )
	{
		return( -1 );
	}
	*crc32 = initial_value;

	libevtx_checksum_update_crc32( crc32, buffer, size );

	return( 1 );
}

================================================
FILE: libevtx/libevtx_checksum.h
================================================
/*
 * Checksum functions
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
* * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . */ #if !defined( _LIBEVTX_CHECKSUM_H ) #define _LIBEVTX_CHECKSUM_H #include #include #include "libevtx_libcerror.h" #if defined( __cplusplus ) extern "C" { #endif void libevtx_checksum_initialize_crc32_table( void ); int libevtx_checksum_calculate_little_endian_crc32( uint32_t *crc32, uint8_t *buffer, size_t size, uint32_t initial_value, libcerror_error_t **error ); int libevtx_checksum_calculate_little_endian_weak_crc32( uint32_t *crc32, uint8_t *buffer, size_t size, uint32_t initial_value, libcerror_error_t **error ); #if defined( __cplusplus ) } #endif #endif /* !defined( _LIBEVTX_CHECKSUM_H ) */ ================================================ FILE: libevtx/libevtx_chunk.c ================================================ /* * Chunk functions * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. 
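*
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program.  If not, see .
 */

/* NOTE(review): the header names of the next three includes are missing on this page */
#include
#include
#include

#include "libevtx_byte_stream.h"
#include "libevtx_checksum.h"
#include "libevtx_chunk.h"
#include "libevtx_definitions.h"
#include "libevtx_io_handle.h"
#include "libevtx_libbfio.h"
#include "libevtx_libcdata.h"
#include "libevtx_libcerror.h"
#include "libevtx_libcnotify.h"
#include "libevtx_record_values.h"

#include "evtx_chunk.h"
#include "evtx_event_record.h"

/* The signature expected at the start of a chunk header
 * libevtx_chunk_read compares 8 bytes, the 7 characters and the terminating 0-byte
 */
const uint8_t *evtx_chunk_signature = (uint8_t *) "ElfChnk";

/* Creates a chunk
 * Make sure the value chunk is referencing, is set to NULL
 * Both the records and the recovered records array are created empty
 * Returns 1 if successful or -1 on error
 */
int libevtx_chunk_initialize(
     libevtx_chunk_t **chunk,
     libcerror_error_t **error )
{
	static char *function = "libevtx_chunk_initialize";

	if( chunk == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid chunk.", function );

		return( -1 );
	}
	if( *chunk != NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET,
		 "%s: invalid chunk value already set.", function );

		return( -1 );
	}
	*chunk = memory_allocate_structure(
	          libevtx_chunk_t );

	if( *chunk == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_INSUFFICIENT,
		 "%s: unable to create chunk.", function );

		goto on_error;
	}
	if( memory_set( *chunk, 0, sizeof( libevtx_chunk_t ) ) == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_SET_FAILED,
		 "%s: unable to clear chunk.", function );

		/* Freed here instead of in on_error, which reads the records array
		 * pointer and the structure has not been cleared at this point
		 */
		memory_free(
		 *chunk );

		*chunk = NULL;

		return( -1 );
	}
	if( libcdata_array_initialize( &( ( *chunk )->records_array ), 0, error ) != 1 )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
		 "%s: unable to create chunk records array.", function );

		goto on_error;
	}
	if( libcdata_array_initialize( &( ( *chunk )->recovered_records_array ), 0, error ) != 1 )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
		 "%s: unable to create chunk recovered records array.", function );

		goto on_error;
	}
	return( 1 );

on_error:
	if( *chunk != NULL )
	{
		/* The recovered records array is created last, so only the records
		 * array can exist when this path is taken
		 */
		if( ( *chunk )->records_array != NULL )
		{
			libcdata_array_free( &( ( *chunk )->records_array ), NULL, NULL );
		}
		memory_free(
		 *chunk );

		*chunk = NULL;
	}
	return( -1 );
}

/* Frees a chunk
 * Frees both record arrays with their entries, the chunk data and the chunk
 * itself; freeing continues after a failure so that nothing is left behind
 * Returns 1 if successful or -1 on error
 */
int libevtx_chunk_free(
     libevtx_chunk_t **chunk,
     libcerror_error_t **error )
{
	static char *function = "libevtx_chunk_free";
	int result            = 1;

	if( chunk == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid chunk.", function );

		return( -1 );
	}
	if( *chunk != NULL )
	{
		if( libcdata_array_free(
		     &( ( *chunk )->recovered_records_array ),
		     (int (*)(intptr_t **, libcerror_error_t **)) &libevtx_record_values_free,
		     error ) != 1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
			 "%s: unable to free the chunk recovered records array.", function );

			result = -1;
		}
		if( libcdata_array_free(
		     &( ( *chunk )->records_array ),
		     (int (*)(intptr_t **, libcerror_error_t **)) &libevtx_record_values_free,
		     error ) != 1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
			 "%s: unable to free the chunk records array.", function );

			result = -1;
		}
		if( ( *chunk )->data != NULL )
		{
			memory_free(
			 ( *chunk )->data );
		}
		memory_free(
		 *chunk );

		*chunk = NULL;
	}
	return( result );
}

/* Reads the chunk
 *
 * Reads io_handle->chunk_size bytes at file_offset into chunk->data, checks
 * the chunk header (signature, header size of 128, CRC-32 of the header and
 * of the event records data) and appends every event record header that can
 * be read to the records array. Data after the last record that was read is
 * scanned in steps of 4 bytes for the event record signature; matches that
 * look like binary XML are appended to the recovered records array.
 *
 * The chunk comes from the file under examination and is treated as
 * untrusted: a signature, checksum or record count mismatch sets
 * LIBEVTX_CHUNK_FLAG_IS_CORRUPTED in chunk->flags instead of failing.
 *
 * Returns 1 if successful, 0 if the chunk is 0-byte filled or -1 on error
 */
int libevtx_chunk_read(
     libevtx_chunk_t *chunk,
     libevtx_io_handle_t *io_handle,
     libbfio_handle_t *file_io_handle,
     off64_t file_offset,
     libcerror_error_t **error )
{
	libevtx_record_values_t *record_values      = NULL;
	uint8_t *chunk_data                         = NULL;
	static char *function                       = "libevtx_chunk_read";
	size_t chunk_data_offset                    = 0;
	size_t chunk_data_size                      = 0;
	size_t xml_data_offset                      = 0;
	size_t xml_data_size                        = 0;
	ssize_t read_count                          = 0;
	uint64_t calculated_number_of_event_records = 0;
	uint64_t first_event_record_identifier      = 0;
	uint64_t first_event_record_number          = 0;
	uint64_t last_event_record_identifier       = 0;
	uint64_t last_event_record_number           = 0;
	uint64_t number_of_event_records            = 0;
	uint32_t calculated_checksum                = 0;
	uint32_t event_records_checksum             = 0;
	uint32_t free_space_offset                  = 0;
	uint32_t header_size                        = 0;
	uint32_t last_event_record_offset           = 0;
	uint32_t stored_checksum                    = 0;
	int entry_index                             = 0;
	int result                                  = 0;

#if defined( HAVE_DEBUG_OUTPUT ) || defined( HAVE_VERBOSE_OUTPUT )
	uint64_t calculated_chunk_number            = 0;
#endif
#if defined( HAVE_DEBUG_OUTPUT )
	ssize_t free_space_size                     = 0;
	uint32_t value_32bit                        = 0;
#endif

	if( chunk == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid chunk.", function );

		return( -1 );
	}
	if( chunk->data != NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET,
		 "%s: invalid chunk data already set.", function );

		return( -1 );
	}
	if( io_handle == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid IO handle.", function );

		return( -1 );
	}
	/* The code below reads the 8-byte signature, the 128-byte header and the
	 * 384 bytes that follow it (chunk_data[ 128 ] up to chunk_data[ 512 ])
	 * without a further size check, so a smaller chunk size is rejected here
	 * NOTE(review): where io_handle->chunk_size is set is not visible in this
	 * file; confirm no caller relies on a chunk size below 512
	 */
	if( ( io_handle->chunk_size < 512 )
	 || ( io_handle->chunk_size > (size_t) MEMORY_MAXIMUM_ALLOCATION_SIZE ) )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS,
		 "%s: invalid IO handle - invalid chunk size value out of bounds.", function );

		goto on_error;
	}
#if defined( HAVE_DEBUG_OUTPUT ) || defined( HAVE_VERBOSE_OUTPUT )
	calculated_chunk_number = (uint64_t) ( ( file_offset - io_handle->chunk_size ) / io_handle->chunk_size );
#endif
	chunk->file_offset = file_offset;

	chunk->data = (uint8_t *) memory_allocate(
	                           (size_t) io_handle->chunk_size );

	if( chunk->data == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_INSUFFICIENT,
		 "%s: unable to create chunk data.", function );

		goto on_error;
	}
	chunk->data_size = (size_t) io_handle->chunk_size;

#if defined( HAVE_DEBUG_OUTPUT )
	if( libcnotify_verbose != 0 )
	{
		libcnotify_printf(
		 "%s: reading chunk: %" PRIu64 " at offset: %" PRIi64 " (0x%08" PRIx64 ")\n",
		 function, calculated_chunk_number, file_offset, file_offset );
	}
#endif
	read_count = libbfio_handle_read_buffer_at_offset(
	              file_io_handle, chunk->data, chunk->data_size, file_offset, error );

	/* A short read is an error, the whole chunk has to be available */
	if( read_count != (ssize_t) chunk->data_size )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_READ_FAILED,
		 "%s: unable to read chunk data at offset: %" PRIi64 " (0x%08" PRIx64 ").",
		 function, file_offset, file_offset );

		goto on_error;
	}
	chunk_data      = chunk->data;
	chunk_data_size = chunk->data_size;

#if defined( HAVE_DEBUG_OUTPUT )
	if( libcnotify_verbose != 0 )
	{
		libcnotify_printf(
		 "%s: chunk header data:\n", function );
		libcnotify_print_data(
		 chunk_data, sizeof( evtx_chunk_header_t ), LIBCNOTIFY_PRINT_DATA_FLAG_GROUP_DATA );
	}
#endif
	result = libevtx_byte_stream_check_for_zero_byte_fill(
	          chunk_data, chunk_data_size, error );

	if( result == -1 )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to determine of chunk is 0-byte filled.", function );

		goto on_error;
	}
	else if( result != 0 )
	{
		/* The chunk data stays allocated, it is released by libevtx_chunk_free */
		return( 0 );
	}
	if( memory_compare(
	     ( (evtx_chunk_header_t *) chunk_data )->signature,
	     evtx_chunk_signature,
	     8 ) != 0 )
	{
#if defined( HAVE_VERBOSE_OUTPUT )
		if( libcnotify_verbose != 0 )
		{
			libcnotify_printf(
			 "%s: unsupported chunk signature.\n", function );
		}
#endif
		/* Without a valid header only the recovery scan below is run,
		 * starting at offset 0
		 */
		chunk->flags |= LIBEVTX_CHUNK_FLAG_IS_CORRUPTED;
	}
	else
	{
		byte_stream_copy_to_uint64_little_endian(
		 ( (evtx_chunk_header_t *) chunk_data )->first_event_record_number,
		 first_event_record_number );

		byte_stream_copy_to_uint64_little_endian(
		 ( (evtx_chunk_header_t *) chunk_data )->last_event_record_number,
		 last_event_record_number );

		byte_stream_copy_to_uint64_little_endian(
		 ( (evtx_chunk_header_t *) chunk_data )->first_event_record_identifier,
		 first_event_record_identifier );

		byte_stream_copy_to_uint64_little_endian(
		 ( (evtx_chunk_header_t *) chunk_data )->last_event_record_identifier,
		 last_event_record_identifier );

		byte_stream_copy_to_uint32_little_endian(
		 ( (evtx_chunk_header_t *) chunk_data )->header_size,
		 header_size );

		byte_stream_copy_to_uint32_little_endian(
		 ( (evtx_chunk_header_t *) chunk_data )->last_event_record_offset,
		 last_event_record_offset );

		byte_stream_copy_to_uint32_little_endian(
		 ( (evtx_chunk_header_t *) chunk_data )->free_space_offset,
		 free_space_offset );

		byte_stream_copy_to_uint32_little_endian(
		 ( (evtx_chunk_header_t *) chunk_data )->event_records_checksum,
		 event_records_checksum );

		byte_stream_copy_to_uint32_little_endian(
		 ( (evtx_chunk_header_t *) chunk_data )->checksum,
		 stored_checksum );

#if defined( HAVE_DEBUG_OUTPUT )
		if( libcnotify_verbose != 0 )
		{
			libcnotify_printf(
			 "%s: signature\t\t\t\t\t\t: %c%c%c%c%c%c%c\\x%02x\n",
			 function,
			 ( (evtx_chunk_header_t *) chunk_data )->signature[ 0 ],
			 ( (evtx_chunk_header_t *) chunk_data )->signature[ 1 ],
			 ( (evtx_chunk_header_t *) chunk_data )->signature[ 2 ],
			 ( (evtx_chunk_header_t *) chunk_data )->signature[ 3 ],
			 ( (evtx_chunk_header_t *) chunk_data )->signature[ 4 ],
			 ( (evtx_chunk_header_t *) chunk_data )->signature[ 5 ] ,
			 ( (evtx_chunk_header_t *) chunk_data )->signature[ 6 ],
			 ( (evtx_chunk_header_t *) chunk_data )->signature[ 7 ] );

			libcnotify_printf(
			 "%s: first event record number\t\t\t\t: %" PRIu64 "\n",
			 function, first_event_record_number );

			libcnotify_printf(
			 "%s: last event record number\t\t\t\t: %" PRIu64 "\n",
			 function, last_event_record_number );

			libcnotify_printf(
			 "%s: first event record identifier\t\t\t: %" PRIu64 "\n",
			 function, first_event_record_identifier );

			libcnotify_printf(
			 "%s: last event record identifier\t\t\t: %" PRIu64 "\n",
			 function, last_event_record_identifier );

			libcnotify_printf(
			 "%s: header size\t\t\t\t\t\t: %" PRIu32 "\n",
			 function, header_size );

			libcnotify_printf(
			 "%s: last event record offset\t\t\t\t: 0x%08" PRIx32 "\n",
			 function, last_event_record_offset );

			libcnotify_printf(
			 "%s: free space offset\t\t\t\t\t: 0x%08" PRIx32 "\n",
			 function, free_space_offset );

			libcnotify_printf(
			 "%s: event records checksum\t\t\t\t: 0x%08" PRIx32 "\n",
			 function, event_records_checksum );

			libcnotify_printf(
			 "%s: unknown1:\n", function );
			libcnotify_print_data(
			 ( (evtx_chunk_header_t *) chunk_data )->unknown1, 64, LIBCNOTIFY_PRINT_DATA_FLAG_GROUP_DATA );

			byte_stream_copy_to_uint32_little_endian(
			 ( (evtx_chunk_header_t *) chunk_data )->unknown2,
			 value_32bit );
			libcnotify_printf(
			 "%s: unknown2\t\t\t\t\t\t: 0x%08" PRIx32 "\n",
			 function, value_32bit );

			libcnotify_printf(
			 "%s: checksum\t\t\t\t\t\t: 0x%08" PRIx32 "\n",
			 function, stored_checksum );

			libcnotify_printf(
			 "\n" );
		}
#endif /* defined( HAVE_DEBUG_OUTPUT ) */

		if( header_size != 128 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_UNSUPPORTED_VALUE,
			 "%s: unsupported header size: %" PRIu32 ".", function, header_size );

			goto on_error;
		}
		/* The header checksum covers the first 120 bytes of the header and
		 * the 384 bytes starting at offset 128; the second call continues
		 * from the result of the first
		 */
		if( libevtx_checksum_calculate_little_endian_crc32(
		     &calculated_checksum, chunk_data, 120, 0, error ) != 1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to calculate CRC-32 checksum.", function );

			goto on_error;
		}
		if( libevtx_checksum_calculate_little_endian_crc32(
		     &calculated_checksum, &( chunk_data[ 128 ] ), 384, calculated_checksum, error ) != 1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to calculate CRC-32 checksum.", function );

			goto on_error;
		}
		if( stored_checksum != calculated_checksum )
		{
#if defined( HAVE_VERBOSE_OUTPUT )
			if( libcnotify_verbose != 0 )
			{
				libcnotify_printf(
				 "%s: mismatch in chunk: %" PRIu64 " header CRC-32 checksum ( 0x%08" PRIx32 " != 0x%08" PRIx32 " ).\n",
				 function, calculated_chunk_number, stored_checksum, calculated_checksum );
			}
#endif
			chunk->flags |= LIBEVTX_CHUNK_FLAG_IS_CORRUPTED;
		}
		chunk_data_offset = sizeof( evtx_chunk_header_t );

#if defined( HAVE_DEBUG_OUTPUT )
		if( libcnotify_verbose != 0 )
		{
			libcnotify_printf(
			 "%s: chunk table data:\n", function );
			libcnotify_print_data(
			 &( chunk_data[ chunk_data_offset ] ), 384, LIBCNOTIFY_PRINT_DATA_FLAG_GROUP_DATA );
		}
#endif
		chunk_data_offset += 384;

/* TODO can free_space_offset be 0 ? */
		/* The free space offset is read from the file and is used as the end
		 * of the checksummed range, so it has to lie within the chunk data
		 */
		if( ( free_space_offset < chunk_data_offset )
		 || ( free_space_offset > chunk_data_size ) )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_VALUE_OUT_OF_BOUNDS,
			 "%s: invalid free space offset value out of bounds.", function );

			goto on_error;
		}
		if( libevtx_checksum_calculate_little_endian_crc32(
		     &calculated_checksum, &( chunk_data[ 512 ] ), free_space_offset - chunk_data_offset, 0, error ) != 1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to calculate CRC-32 checksum.", function );

			goto on_error;
		}
		if( event_records_checksum != calculated_checksum )
		{
#if defined( HAVE_VERBOSE_OUTPUT )
			if( libcnotify_verbose != 0 )
			{
				libcnotify_printf(
				 "%s: mismatch in chunk: %" PRIu64 " event records CRC-32 checksum ( 0x%08" PRIx32 " != 0x%08" PRIx32 " ).\n",
				 function, calculated_chunk_number, event_records_checksum, calculated_checksum );
			}
#endif
			chunk->flags |= LIBEVTX_CHUNK_FLAG_IS_CORRUPTED;
		}
		/* NOTE(review): last_event_record_offset is taken from the header
		 * without a range check; this loop presumably relies on
		 * libevtx_record_values_read_header to reject an offset outside of
		 * the chunk data and a record size of 0 - confirm
		 */
		while( chunk_data_offset <= last_event_record_offset )
		{
			if( libevtx_record_values_initialize( &record_values, error ) != 1 )
			{
				libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
				 "%s: unable to create record values.", function );

				goto on_error;
			}
#if defined( HAVE_DEBUG_OUTPUT )
			if( libcnotify_verbose != 0 )
			{
				libcnotify_printf(
				 "%s: reading record at offset: %" PRIi64 " (0x%08" PRIx64 ")\n",
				 function, file_offset + chunk_data_offset, file_offset + chunk_data_offset );
			}
#endif
			result = libevtx_record_values_read_header(
			          record_values, io_handle, chunk_data, chunk_data_size, chunk_data_offset, error );

			if( result == -1 )
			{
				libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_READ_FAILED,
				 "%s: unable to read record values header at offset: %" PRIi64 ".",
				 function, file_offset + chunk_data_offset );

#if defined( HAVE_DEBUG_OUTPUT )
				if( libcnotify_verbose != 0 )
				{
					if( ( error != NULL )
					 && ( *error != NULL ) )
					{
						libcnotify_print_error_backtrace(
						 *error );
					}
				}
#endif
				/* A record that cannot be read ends the regular read, it is
				 * not reported to the caller as an error
				 */
				libcerror_error_free(
				 error );
			}
			if( result != 1 )
			{
				/* record_values is still set here, it is reused by the
				 * recovery scan or freed before returning
				 */
				break;
			}
			chunk_data_offset += record_values->data_size;

			if( libcdata_array_append_entry(
			     chunk->records_array, &entry_index, (intptr_t *) record_values, error ) != 1 )
			{
				libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_APPEND_FAILED,
				 "%s: unable to append record values to records array.", function );

				goto on_error;
			}
			/* The records array now owns the record values */
			record_values = NULL;

			number_of_event_records++;
		}
		if( first_event_record_number > last_event_record_number )
		{
#if defined( HAVE_VERBOSE_OUTPUT )
			if( libcnotify_verbose != 0 )
			{
				libcnotify_printf(
				 "%s: invalid chunk: %" PRIu64 " first event record number: %" PRIu64 " exceeds last event record number: %" PRIu64 ".\n",
				 function, calculated_chunk_number, first_event_record_number, last_event_record_number );
			}
#endif
			chunk->flags |= LIBEVTX_CHUNK_FLAG_IS_CORRUPTED;
		}
		else if( result == 1 )
		{
			calculated_number_of_event_records = last_event_record_number - first_event_record_number + 1;

#if defined( HAVE_DEBUG_OUTPUT )
			if( libcnotify_verbose != 0 )
			{
				libcnotify_printf(
				 "%s: calculated number of records\t\t\t: %" PRIu64 "\n",
				 function, calculated_number_of_event_records );
			}
#endif
			if( number_of_event_records != calculated_number_of_event_records )
			{
#if defined( HAVE_VERBOSE_OUTPUT )
				if( libcnotify_verbose != 0 )
				{
					libcnotify_printf(
					 "%s: mismatch in chunk: %" PRIu64 " number of event records ( %" PRIu64 " != %" PRIu64 " ).\n",
					 function, calculated_chunk_number, number_of_event_records, calculated_number_of_event_records );
				}
#endif
				chunk->flags |= LIBEVTX_CHUNK_FLAG_IS_CORRUPTED;
			}
		}
		if( first_event_record_identifier > last_event_record_identifier )
		{
#if defined( HAVE_VERBOSE_OUTPUT )
			if( libcnotify_verbose != 0 )
			{
				libcnotify_printf(
				 "%s: in chunk: %" PRIu64 " first event record identifier: %" PRIu64 " exceeds last event record identifier: %" PRIu64 ".\n",
				 function, calculated_chunk_number, first_event_record_identifier, last_event_record_identifier );
			}
#endif
/* TODO mark this as corruption ? */
		}
	}
	if( chunk_data_offset < chunk_data_size )
	{
#if defined( HAVE_DEBUG_OUTPUT )
		free_space_size = chunk_data_size - chunk_data_offset;

		if( libcnotify_verbose != 0 )
		{
			libcnotify_printf(
			 "%s: free space data:\n", function );
			libcnotify_print_data(
			 &( chunk_data[ chunk_data_offset ] ), free_space_size, LIBCNOTIFY_PRINT_DATA_FLAG_GROUP_DATA );
		}
#endif
		/* Recovery scan: look for the 4-byte event record signature in the
		 * remaining data, stopping before the last 4 bytes of the chunk
		 */
		while( chunk_data_offset < ( chunk_data_size - 4 ) )
		{
/* TODO optimize scan ? */
			if( memory_compare(
			     &( chunk_data[ chunk_data_offset ] ),
			     evtx_event_record_signature,
			     4 ) == 0 )
			{
				if( record_values == NULL )
				{
					if( libevtx_record_values_initialize( &record_values, error ) != 1 )
					{
						libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
						 "%s: unable to create record values.", function );

						goto on_error;
					}
				}
#if defined( HAVE_DEBUG_OUTPUT )
				if( libcnotify_verbose != 0 )
				{
					libcnotify_printf(
					 "%s: reading recovered record at offset: %" PRIi64 " (0x%08" PRIx64 ")\n",
					 function, file_offset + chunk_data_offset, file_offset + chunk_data_offset );
				}
#endif
				if( libevtx_record_values_read_header(
				     record_values, io_handle, chunk_data, chunk_data_size, chunk_data_offset, error ) != 1 )
				{
					libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_READ_FAILED,
					 "%s: unable to read record values header at offset: %" PRIi64 ".",
					 function, file_offset + chunk_data_offset );

#if defined( HAVE_DEBUG_OUTPUT )
					if( libcnotify_verbose != 0 )
					{
						if( ( error != NULL )
						 && ( *error != NULL ) )
						{
							libcnotify_print_error_backtrace(
							 *error );
						}
					}
#endif
					/* A false positive of the signature scan is not an error */
					libcerror_error_free(
					 error );
				}
				else
				{
					xml_data_offset = chunk_data_offset + sizeof( evtx_event_record_header_t );
					xml_data_size   = 0;

					if( record_values->data_size > ( sizeof( evtx_event_record_header_t ) + 4 ) )
					{
						xml_data_size = record_values->data_size - ( sizeof( evtx_event_record_header_t ) + 4 );
					}
					/* Only accept the candidate if the data after the record
					 * header starts with 0x0a or with 0x0f 0x01 0x01 0x00
					 * NOTE(review): the reads below assume read_header has
					 * checked that data_size fits in the chunk - confirm
					 */
					result = 0;

					if( xml_data_size > 0 )
					{
						if( ( xml_data_size >= 5 )
						 && ( chunk_data[ xml_data_offset ] == 0x0a ) )
						{
							result = 1;
						}
						else if( ( xml_data_size >= 4 )
						      && ( chunk_data[ xml_data_offset ] == 0x0f )
						      && ( chunk_data[ xml_data_offset + 1 ] == 0x01 )
						      && ( chunk_data[ xml_data_offset + 2 ] == 0x01 )
						      && ( chunk_data[ xml_data_offset + 3 ] == 0x00 ) )
						{
							result = 1;
						}
/* TODO what about 0x00 allow it ? */
					}
					if( result != 0 )
					{
						/* 4 less than the record size, the scan step below
						 * adds the remaining 4 bytes
						 */
						chunk_data_offset += record_values->data_size - 4;

						if( libcdata_array_append_entry(
						     chunk->recovered_records_array, &entry_index, (intptr_t *) record_values, error ) != 1 )
						{
							libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_APPEND_FAILED,
							 "%s: unable to append record values to recovered records array.", function );

							goto on_error;
						}
						/* The recovered records array now owns the record values */
						record_values = NULL;
					}
				}
			}
			chunk_data_offset += 4;
		}
	}
	/* Free record values that were not appended to an array. This is done
	 * outside of the recovery scan branch, because the regular read can stop
	 * on an unreadable record at an offset where no scan follows, which
	 * would otherwise leave the record values allocated.
	 */
	if( record_values != NULL )
	{
		if( libevtx_record_values_free( &record_values, error ) != 1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
			 "%s: unable to free record values.", function );

			goto on_error;
		}
	}
	return( 1 );

on_error:
	if( record_values != NULL )
	{
		libevtx_record_values_free( &record_values, NULL );
	}
	if( chunk->data != NULL )
	{
		memory_free(
		 chunk->data );

		chunk->data = NULL;
	}
	return( -1 );
}

/* Retrieves the number of records
 * Fails if the number of entries in the records array exceeds UINT16_MAX
 * Returns 1 if successful or -1 on error
 */
int libevtx_chunk_get_number_of_records(
     libevtx_chunk_t *chunk,
     uint16_t *number_of_records,
     libcerror_error_t **error )
{
	static char *function       = "libevtx_chunk_get_number_of_records";
	int chunk_number_of_records = 0;

	if( chunk == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid chunk.", function );

		return( -1 );
	}
	if( number_of_records == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid number of records.", function );

		return( -1 );
	}
	if( libcdata_array_get_number_of_entries( chunk->records_array, &chunk_number_of_records, error ) != 1 )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve number of records.", function );

		return( -1 );
	}
	/* The result is returned as 16-bit value, reject a count that does not fit */
	if( chunk_number_of_records > (int) UINT16_MAX )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_VALUE_EXCEEDS_MAXIMUM,
		 "%s: invalid number of chunk records value exceeds maximum.", function );

		return( -1 );
	}
	*number_of_records = (uint16_t) chunk_number_of_records;

	return( 1 );
}

/* Retrieves the record at the index
 * The record values remain owned by the records array of the chunk
 * NOTE(review): record_values is passed on unchecked, presumably
 * libcdata_array_get_entry_by_index rejects NULL - confirm
 * Returns 1 if successful or -1 on error
 */
int libevtx_chunk_get_record(
     libevtx_chunk_t *chunk,
     uint16_t record_index,
     libevtx_record_values_t **record_values,
     libcerror_error_t **error )
{
	static char *function = "libevtx_chunk_get_record";

	if( chunk == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid chunk.", function );

		return( -1 );
	}
	if( libcdata_array_get_entry_by_index(
	     chunk->records_array, (int) record_index, (intptr_t **) record_values, error ) != 1 )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve record: %" PRIu16 ".", function, record_index );

		return( -1 );
	}
	return( 1 );
}

/* Retrieves the number of recovered records
 * Fails if the number of entries in the recovered records array exceeds UINT16_MAX
 * Returns 1 if successful or -1 on error
 */
int libevtx_chunk_get_number_of_recovered_records(
     libevtx_chunk_t *chunk,
     uint16_t *number_of_records,
     libcerror_error_t **error )
{
	static char *function       = "libevtx_chunk_get_number_of_recovered_records";
	int chunk_number_of_records = 0;

	if( chunk == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid chunk.", function );

		return( -1 );
	}
	if( number_of_records == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid number of records.", function );

		return( -1 );
	}
	if( libcdata_array_get_number_of_entries( chunk->recovered_records_array, &chunk_number_of_records, error ) != 1 )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve number of records.", function );

		return( -1 );
	}
	/* The result is returned as 16-bit value, reject a count that does not fit */
	if( chunk_number_of_records > (int) UINT16_MAX )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_VALUE_EXCEEDS_MAXIMUM,
		 "%s: invalid number of chunk records value exceeds maximum.", function );

		return( -1 );
	}
	*number_of_records = (uint16_t) chunk_number_of_records;

	return( 1 );
}

/* Retrieves the recovered record at the index
 * The record values remain owned by the recovered records array of the chunk
 * NOTE(review): record_values is passed on unchecked, presumably
 * libcdata_array_get_entry_by_index rejects NULL - confirm
 * Returns 1 if successful or -1 on error
 */
int libevtx_chunk_get_recovered_record(
     libevtx_chunk_t *chunk,
     uint16_t record_index,
     libevtx_record_values_t **record_values,
     libcerror_error_t **error )
{
	static char *function = "libevtx_chunk_get_recovered_record";

	if( chunk == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid chunk.", function );

		return( -1 );
	}
	if( libcdata_array_get_entry_by_index(
	     chunk->recovered_records_array, (int) record_index, (intptr_t **) record_values, error ) != 1 )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve record: %" PRIu16 ".", function, record_index );

		return( -1 );
	}
	return( 1 );
}

================================================
FILE: libevtx/libevtx_chunk.h
================================================
/*
 * Chunk functions
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program.  If not, see .
 */

#if !defined( _LIBEVTX_CHUNK_H )
#define _LIBEVTX_CHUNK_H

/* NOTE(review): the header names of the next two includes are missing on this page */
#include
#include

#include "libevtx_io_handle.h"
#include "libevtx_libbfio.h"
#include "libevtx_libcdata.h"
#include "libevtx_libcerror.h"
#include "libevtx_record_values.h"

#if defined( __cplusplus )
extern "C" {
#endif

typedef struct libevtx_chunk libevtx_chunk_t;

struct libevtx_chunk
{
	/* The chunk data
	 * Allocated by libevtx_chunk_read and released by libevtx_chunk_free
	 */
	uint8_t *data;

	/* The chunk data size
	 */
	size_t data_size;

	/* The (chunk) file offset
	 */
	off64_t file_offset;

	/* The records array
	 * Holds the records read in sequence from the start of the chunk
	 */
	libcdata_array_t *records_array;

	/* The recovered records array
	 * Holds the records found by the signature scan of the remaining data
	 */
	libcdata_array_t *recovered_records_array;

	/* Various flags
	 * libevtx_chunk_read sets LIBEVTX_CHUNK_FLAG_IS_CORRUPTED here
	 */
	uint8_t flags;
};

int libevtx_chunk_initialize(
     libevtx_chunk_t **chunk,
     libcerror_error_t **error );

int libevtx_chunk_free(
     libevtx_chunk_t **chunk,
     libcerror_error_t **error );

int libevtx_chunk_read(
     libevtx_chunk_t *chunk,
     libevtx_io_handle_t *io_handle,
     libbfio_handle_t *file_io_handle,
     off64_t file_offset,
     libcerror_error_t **error );

int libevtx_chunk_get_number_of_records(
     libevtx_chunk_t *chunk,
     uint16_t *number_of_records,
     libcerror_error_t **error );

int libevtx_chunk_get_record(
     libevtx_chunk_t *chunk,
     uint16_t record_index,
     libevtx_record_values_t **record_values,
     libcerror_error_t **error );

int libevtx_chunk_get_number_of_recovered_records(
     libevtx_chunk_t *chunk,
     uint16_t *number_of_records,
     libcerror_error_t **error );

int libevtx_chunk_get_recovered_record(
     libevtx_chunk_t *chunk,
     uint16_t record_index,
     libevtx_record_values_t **record_values,
     libcerror_error_t **error );

#if defined( __cplusplus )
}
#endif

#endif /* !defined( _LIBEVTX_CHUNK_H ) */

================================================
FILE: libevtx/libevtx_chunks_table.c
================================================
/*
 * Chunks table functions
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.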
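* * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . */

#include #include #include
#include "libevtx_chunk.h"
#include "libevtx_chunks_table.h"
#include "libevtx_io_handle.h"
#include "libevtx_libbfio.h"
#include "libevtx_libcerror.h"
#include "libevtx_libfcache.h"
#include "libevtx_libfdata.h"
#include "libevtx_record_values.h"
#include "libevtx_unused.h"

/* Creates a chunks table
 * Make sure the value chunks_table is referencing, is set to NULL
 *
 * The IO handle, chunks vector and chunks cache are stored as plain pointers;
 * only the IO handle is checked for NULL here
 *
 * Returns 1 if successful or -1 on error
 */
int libevtx_chunks_table_initialize(
     libevtx_chunks_table_t **chunks_table,
     libevtx_io_handle_t *io_handle,
     libfdata_vector_t *chunks_vector,
     libfcache_cache_t *chunks_cache,
     libcerror_error_t **error )
{
	static char *function = "libevtx_chunks_table_initialize";

	if( chunks_table == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid chunks table.",
		 function );

		return( -1 );
	}
	/* Refuse to overwrite an existing table, that would leak it
	 */
	if( *chunks_table != NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET,
		 "%s: invalid chunks table value already set.",
		 function );

		return( -1 );
	}
	if( io_handle == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid IO handle.",
		 function );

		return( -1 );
	}
	*chunks_table = memory_allocate_structure(
	                 libevtx_chunks_table_t );

	if( *chunks_table == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_MEMORY,
		 LIBCERROR_MEMORY_ERROR_INSUFFICIENT,
		 "%s: unable to create chunks table.",
		 function );

		goto on_error;
	}
	if( memory_set(
	     *chunks_table,
	     0,
	     sizeof( libevtx_chunks_table_t ) ) == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_MEMORY,
		 LIBCERROR_MEMORY_ERROR_SET_FAILED,
		 "%s: unable to clear chunks table.",
		 function );

		goto on_error;
	}
	( *chunks_table )->io_handle     = io_handle;
	( *chunks_table )->chunks_vector = chunks_vector;
	( *chunks_table )->chunks_cache  = chunks_cache;

	return( 1 );

on_error:
	if( *chunks_table != NULL )
	{
		memory_free(
		 *chunks_table );

		*chunks_table = NULL;
	}
	return( -1 );
}

/* Frees a chunks table
 *
 * Only the table structure itself is released; the IO handle, chunks vector
 * and chunks cache it points to are left untouched
 *
 * Returns 1 if successful or -1 on error
 */
int libevtx_chunks_table_free(
     libevtx_chunks_table_t **chunks_table,
     libcerror_error_t **error )
{
	static char *function = "libevtx_chunks_table_free";

	if( chunks_table == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid chunks table.",
		 function );

		return( -1 );
	}
	if( *chunks_table != NULL )
	{
		memory_free(
		 *chunks_table );

		/* Clear the caller's pointer so it cannot be used after the free
		 */
		*chunks_table = NULL;
	}
	return( 1 );
}

/* Reads the record values found at a file offset inside a chunk
 * Callback function, the io_handle argument carries the chunks table
 *
 * The chunk index is passed in data_range_size and the file offset of
 * the record in data_range_offset. The offset is checked against the range
 * of the chunk and has to match the chunk data offset of a record, or
 * failing that a recovered record, exactly. A copy of the matching record
 * values is handed to the list element as a managed value.
 *
 * NOTE(review): the offsets and sizes compared here presumably originate
 * from the parsed file and should be treated as untrusted - confirm that
 * chunk->file_offset + chunk->data_size cannot wrap for such values.
 *
 * Returns 1 if successful or -1 on error
 */
int libevtx_chunks_table_read_record(
     intptr_t *io_handle,
     libbfio_handle_t *file_io_handle,
     libfdata_list_element_t *list_element,
     libfdata_cache_t *cache,
     int data_range_file_index LIBEVTX_ATTRIBUTE_UNUSED,
     off64_t data_range_offset,
     size64_t data_range_size,
     uint32_t data_range_flags LIBEVTX_ATTRIBUTE_UNUSED,
     uint8_t read_flags LIBEVTX_ATTRIBUTE_UNUSED,
     libcerror_error_t **error )
{
	libevtx_chunk_t *chunk                       = NULL;
	libevtx_chunks_table_t *chunks_table         = NULL;
	libevtx_record_values_t *chunk_record_values = NULL;
	libevtx_record_values_t *record_values       = NULL;
	static char *function                        = "libevtx_chunks_table_read_record";
	size_t calculated_chunk_data_offset          = 0;
	uint16_t number_of_records                   = 0;
	uint16_t record_index                        = 0;
	int record_found                             = 0;

	LIBEVTX_UNREFERENCED_PARAMETER( data_range_file_index );
	LIBEVTX_UNREFERENCED_PARAMETER( data_range_flags );
	LIBEVTX_UNREFERENCED_PARAMETER( read_flags );

	if( io_handle == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid IO handle.",
		 function );

		return( -1 );
	}
	chunks_table = (libevtx_chunks_table_t *) io_handle;

	/* The chunk index is stored in the data range size
	 * Reject values that do not survive the cast to uint16_t below
	 */
	if( data_range_size > (uint64_t) UINT16_MAX )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_VALUE_OUT_OF_BOUNDS,
		 "%s: invalid data range size value out of bounds.",
		 function );

		goto on_error;
	}
	if( libfdata_vector_get_element_value_by_index(
	     chunks_table->chunks_vector,
	     (intptr_t *) file_io_handle,
	     (libfdata_cache_t *) chunks_table->chunks_cache,
	     (uint16_t) data_range_size,
	     (intptr_t **) &chunk,
	     0,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve chunk: %" PRIu64 ".",
		 function,
		 data_range_size );

		goto on_error;
	}
	if( chunk == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
		 "%s: missing chunk: %" PRIu64 ".",
		 function,
		 data_range_size );

		goto on_error;
	}
	/* The requested offset must fall inside the chunk, otherwise
	 * the subtraction below would yield an offset outside the chunk data
	 */
	if( ( data_range_offset < chunk->file_offset )
	 || ( data_range_offset >= (off64_t) ( chunk->file_offset + chunk->data_size ) ) )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_VALUE_OUT_OF_BOUNDS,
		 "%s: invalid chunk file offset value out of bounds.",
		 function );

		goto on_error;
	}
	calculated_chunk_data_offset = (size_t) ( data_range_offset - chunk->file_offset );

	if( libevtx_chunk_get_number_of_records(
	     chunk,
	     &number_of_records,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve number of records from chunk.",
		 function );

		goto on_error;
	}
/* TODO optimize determining the corresponding record */
	for( record_index = 0;
	     record_index < number_of_records;
	     record_index++ )
	{
		if( libevtx_chunk_get_record(
		     chunk,
		     record_index,
		     &chunk_record_values,
		     error ) != 1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve record: %" PRIu16 " from chunk.",
			 function,
			 record_index );

			goto on_error;
		}
		if( chunk_record_values == NULL )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
			 "%s: missing record: %" PRIu16 ".",
			 function,
			 record_index );

			goto on_error;
		}
		if( calculated_chunk_data_offset == chunk_record_values->chunk_data_offset )
		{
			record_found = 1;

			break;
		}
	}
/* TODO allow to control look up in normal vs recovered */
	if( record_found == 0 )
	{
		if( libevtx_chunk_get_number_of_recovered_records(
		     chunk,
		     &number_of_records,
		     error ) != 1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve number of recovered records from chunk.",
			 function );

			goto on_error;
		}
		for( record_index = 0;
		     record_index < number_of_records;
		     record_index++ )
		{
			if( libevtx_chunk_get_recovered_record(
			     chunk,
			     record_index,
			     &chunk_record_values,
			     error ) != 1 )
			{
				libcerror_error_set(
				 error,
				 LIBCERROR_ERROR_DOMAIN_RUNTIME,
				 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
				 "%s: unable to retrieve recovered record: %" PRIu16 " from chunk.",
				 function,
				 record_index );

				goto on_error;
			}
			if( chunk_record_values == NULL )
			{
				libcerror_error_set(
				 error,
				 LIBCERROR_ERROR_DOMAIN_RUNTIME,
				 LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
				 "%s: missing recovered record: %" PRIu16 ".",
				 function,
				 record_index );

				goto on_error;
			}
			if( calculated_chunk_data_offset == chunk_record_values->chunk_data_offset )
			{
				record_found = 1;

				break;
			}
		}
	}
	/* An explicit flag is used instead of comparing offsets: when neither
	 * list holds a record and the calculated offset is 0 the offsets compare
	 * equal although chunk_record_values is still NULL
	 */
	if( record_found == 0 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
		 "%s: no record found at offset: %" PRIi64 ".",
		 function,
		 data_range_offset );

		goto on_error;
	}
	/* The record values are managed by the chunk and freed after usage
	 * A copy is created to make sure that the records values that are passed
	 * to the records list can be managed by the list
	 */
	if( libevtx_record_values_clone(
	     &record_values,
	     chunk_record_values,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
		 "%s: unable to create record values.",
		 function );

		goto on_error;
	}
	if( libevtx_record_values_read_xml_document(
	     record_values,
	     chunks_table->io_handle,
	     chunk->data,
	     chunk->data_size,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_IO,
		 LIBCERROR_IO_ERROR_READ_FAILED,
		 "%s: unable to read record values XML document.",
		 function );

		goto on_error;
	}
	/* On success the list element takes over the copy and frees it
	 * with libevtx_record_values_free
	 */
	if( libfdata_list_element_set_element_value(
	     list_element,
	     (intptr_t *) file_io_handle,
	     cache,
	     (intptr_t *) record_values,
	     (int (*)(intptr_t **, libcerror_error_t **)) &libevtx_record_values_free,
	     LIBFDATA_LIST_ELEMENT_VALUE_FLAG_MANAGED,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_SET_FAILED,
		 "%s: unable to set record values as element value.",
		 function );

		goto on_error;
	}
	return( 1 );

on_error:
	/* Only the copy is released here, the chunk keeps its own record values
	 */
	if( record_values != NULL )
	{
		libevtx_record_values_free(
		 &record_values,
		 NULL );
	}
	return( -1 );
}

================================================ FILE: libevtx/libevtx_chunks_table.h ================================================
/* * Chunks table functions * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements.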
* * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . */ #if !defined( _LIBEVTX_CHUNKS_TABLE_H ) #define _LIBEVTX_CHUNKS_TABLE_H #include #include #include "libevtx_io_handle.h" #include "libevtx_libbfio.h" #include "libevtx_libcerror.h" #include "libevtx_libfcache.h" #include "libevtx_libfdata.h" #if defined( __cplusplus ) extern "C" { #endif typedef struct libevtx_chunks_table libevtx_chunks_table_t; struct libevtx_chunks_table { /* The IO handle */ libevtx_io_handle_t *io_handle; /* The chunks vector */ libfdata_vector_t *chunks_vector; /* The chunks cache */ libfcache_cache_t *chunks_cache; }; int libevtx_chunks_table_initialize( libevtx_chunks_table_t **chunks_table, libevtx_io_handle_t *io_handle, libfdata_vector_t *chunks_vector, libfcache_cache_t *chunks_cache, libcerror_error_t **error ); int libevtx_chunks_table_free( libevtx_chunks_table_t **chunks_table, libcerror_error_t **error ); int libevtx_chunks_table_read_record( intptr_t *io_handle, libbfio_handle_t *file_io_handle, libfdata_list_element_t *list_element, libfdata_cache_t *cache, int data_range_file_index, off64_t data_range_offset, size64_t data_range_size, uint32_t data_range_flags, uint8_t read_flags, libcerror_error_t **error ); #if defined( __cplusplus ) } #endif #endif /* !defined( _LIBEVTX_CHUNKS_TABLE_H ) */ ================================================ FILE: libevtx/libevtx_codepage.c 
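================================================
/* * Codepage functions * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . */

#include #include
#include "libevtx_codepage.h"

#if defined( HAVE_DEBUG_OUTPUT )

/* The codepage look-up table, only available with debug output
 *
 * The last entry, with codepage (uint32_t) -1, terminates the table and is
 * also the entry returned for a codepage that is not listed
 */
libevtx_codepage_t libevtx_codepages[ ] = {
	{ 874,   "windows-874",    "Thai" },
	/* 932 is Shift-JIS; iso-2022-jp is listed separately under 50220 */
	{ 932,   "shift_jis",      "Japanese (Shift-JIS)" },
	{ 936,   "gb2312",         "Chinese Simplified" },
	{ 949,   "ks_c_5601-1987", "Korean" },
	{ 950,   "big5",           "Chinese Traditional" },
	{ 1200,  "unicode",        "Unicode" },
	{ 1250,  "windows-1250",   "Central European" },
	{ 1251,  "windows-1251",   "Cyrillic" },
	{ 1252,  "windows-1252",   "Western European" },
	{ 1253,  "windows-1253",   "Greek" },
	{ 1254,  "windows-1254",   "Turkish" },
	{ 1255,  "windows-1255",   "Hebrew" },
	{ 1256,  "windows-1256",   "Arabic" },
	{ 1257,  "windows-1257",   "Baltic" },
	{ 1258,  "windows-1258",   "Vietnamese" },
	{ 20127, "us-ascii",       "7-bit American Standard Code for Information Interchange (ASCII)" },
	{ 20866, "koi8-r",         "Cyrillic" },
	{ 21866, "koi8-u",         "Cyrillic" },
	{ 28591, "iso-8859-1",     "Western European" },
	{ 28592, "iso-8859-2",     "Central European" },
	{ 28593, "iso-8859-3",     "Latin 3 " },
	{ 28594, "iso-8859-4",     "Baltic" },
	{ 28595, "iso-8859-5",     "Cyrillic" },
	{ 28596, "iso-8859-6",     "Arabic" },
	{ 28597, "iso-8859-7",     "Greek" },
	{ 28598, "iso-8859-8-i",   "Hebrew" },
	/* 28599 is ISO 8859-9 (Turkish), not a second ISO 8859-7 */
	{ 28599, "iso-8859-9",     "Turkish" },
	{ 28605, "iso-8859-15",    "Latin 9 " },
	{ 50220, "iso-2022-jp",    "Japanese (JIS)" },
	{ 50221, "csISO2022JP",    "Japanese (JIS-Allow 1 byte Kana)" },
	{ 51932, "euc-jp",         "Japanese" },
	{ 51949, "euc-kr",         "Korean" },
	{ 52936, "hz-gb-2312",     "Chinese Simplified" },
	{ 65000, "utf-7",          "7-bit Unicode Transformation Format (UTF-7)" },
	{ 65001, "utf-8",          "8-bit Unicode Transformation Format (UTF-8)" },

	{ (uint32_t) -1, "_UNKNOWN_", "Unknown" } };

/* Retrieves the table entry of a codepage
 * The walk stops at the terminator entry, so an unlisted codepage
 * never indexes past the end of the table
 * Returns the matching entry or the terminator entry if not found
 */
static const libevtx_codepage_t *libevtx_codepage_get_entry(
                                  uint32_t codepage )
{
	const libevtx_codepage_t *entry = libevtx_codepages;

	while( ( entry->codepage != (uint32_t) -1 )
	    && ( entry->codepage != codepage ) )
	{
		entry++;
	}
	return( entry );
}

/* Retrieves a string containing the codepage identifier
 * Returns "_UNKNOWN_" for a codepage that is not in the table
 */
const char *libevtx_codepage_get_identifier(
             uint32_t codepage )
{
	return( libevtx_codepage_get_entry(
	         codepage )->identifier );
}

/* Retrieves a string containing the codepage description
 * Returns "Unknown" for a codepage that is not in the table
 */
const char *libevtx_codepage_get_description(
             uint32_t codepage )
{
	return( libevtx_codepage_get_entry(
	         codepage )->description );
}

#endif /* defined( HAVE_DEBUG_OUTPUT ) */

================================================ FILE: libevtx/libevtx_codepage.h ================================================
/* * Codepage functions * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details.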
* * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . */ #if !defined( _LIBEVTX_INTERNAL_CODEPAGE_H ) #define _LIBEVTX_INTERNAL_CODEPAGE_H #include #include #if defined( __cplusplus ) extern "C" { #endif /* Define HAVE_LOCAL_LIBEVTX for local use of libevtx * The definitions in are copied here * for local use of libevtx */ #if !defined( HAVE_LOCAL_LIBEVTX ) #include #else /* The codepage definitions */ enum LIBEVTX_CODEPAGES { LIBEVTX_CODEPAGE_ASCII = 20127, LIBEVTX_CODEPAGE_ISO_8859_1 = 28591, LIBEVTX_CODEPAGE_ISO_8859_2 = 28592, LIBEVTX_CODEPAGE_ISO_8859_3 = 28593, LIBEVTX_CODEPAGE_ISO_8859_4 = 28594, LIBEVTX_CODEPAGE_ISO_8859_5 = 28595, LIBEVTX_CODEPAGE_ISO_8859_6 = 28596, LIBEVTX_CODEPAGE_ISO_8859_7 = 28597, LIBEVTX_CODEPAGE_ISO_8859_8 = 28598, LIBEVTX_CODEPAGE_ISO_8859_9 = 28599, LIBEVTX_CODEPAGE_ISO_8859_10 = 28600, LIBEVTX_CODEPAGE_ISO_8859_11 = 28601, LIBEVTX_CODEPAGE_ISO_8859_13 = 28603, LIBEVTX_CODEPAGE_ISO_8859_14 = 28604, LIBEVTX_CODEPAGE_ISO_8859_15 = 28605, LIBEVTX_CODEPAGE_ISO_8859_16 = 28606, LIBEVTX_CODEPAGE_KOI8_R = 20866, LIBEVTX_CODEPAGE_KOI8_U = 21866, LIBEVTX_CODEPAGE_WINDOWS_874 = 874, LIBEVTX_CODEPAGE_WINDOWS_932 = 932, LIBEVTX_CODEPAGE_WINDOWS_936 = 936, LIBEVTX_CODEPAGE_WINDOWS_949 = 949, LIBEVTX_CODEPAGE_WINDOWS_950 = 950, LIBEVTX_CODEPAGE_WINDOWS_1250 = 1250, LIBEVTX_CODEPAGE_WINDOWS_1251 = 1251, LIBEVTX_CODEPAGE_WINDOWS_1252 = 1252, LIBEVTX_CODEPAGE_WINDOWS_1253 = 1253, LIBEVTX_CODEPAGE_WINDOWS_1254 = 1254, LIBEVTX_CODEPAGE_WINDOWS_1255 = 1255, LIBEVTX_CODEPAGE_WINDOWS_1256 = 1256, LIBEVTX_CODEPAGE_WINDOWS_1257 = 1257, LIBEVTX_CODEPAGE_WINDOWS_1258 = 1258 }; #endif /* !defined( HAVE_LOCAL_LIBEVTX ) */ #if defined( HAVE_DEBUG_OUTPUT ) typedef struct libevtx_codepage libevtx_codepage_t; struct libevtx_codepage { /* The codepage */ uint32_t codepage; /* The identifier */ const char *identifier; /* The description */ const char *description; }; const char 
*libevtx_codepage_get_identifier( uint32_t codepage ); const char *libevtx_codepage_get_description( uint32_t codepage ); #endif /* defined( HAVE_DEBUG_OUTPUT ) */ #if defined( __cplusplus ) } #endif #endif /* !defined( _LIBEVTX_INTERNAL_CODEPAGE_H ) */ ================================================ FILE: libevtx/libevtx_debug.c ================================================ /* * Debug functions * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
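*/

#include #include
#include "libevtx_debug.h"
#include "libevtx_definitions.h"
#include "libevtx_libbfio.h"
#include "libevtx_libcerror.h"
#include "libevtx_libcnotify.h"

#if defined( HAVE_DEBUG_OUTPUT )

/* Prints the file flags
 * One line is printed for every known flag that is set
 */
void libevtx_debug_print_file_flags(
      uint32_t file_flags )
{
	if( ( file_flags & LIBEVTX_FILE_FLAG_IS_DIRTY ) != 0 )
	{
		libcnotify_printf(
		 "Is dirty\n" );
	}
	if( ( file_flags & LIBEVTX_FILE_FLAG_IS_FULL ) != 0 )
	{
		libcnotify_printf(
		 "Is full\n" );
	}
}

/* Prints the value type
 * Bit 0x80 is masked off before the look-up, so an array type prints
 * the name of its element type. Values without a name print as UNKNOWN.
 */
void libevtx_debug_print_value_type(
      uint8_t value_type )
{
	const char *description = NULL;

	switch( value_type & 0x7f )
	{
		case LIBEVTX_VALUE_TYPE_NULL:
			description = "NULL";
			break;

		case LIBEVTX_VALUE_TYPE_STRING_UTF16:
			description = "UTF-16 string";
			break;

		case LIBEVTX_VALUE_TYPE_STRING_BYTE_STREAM:
			description = "Byte stream string";
			break;

		case LIBEVTX_VALUE_TYPE_INTEGER_8BIT:
			description = "Integer 8-bit signed";
			break;

		case LIBEVTX_VALUE_TYPE_UNSIGNED_INTEGER_8BIT:
			description = "Integer 8-bit unsigned";
			break;

		case LIBEVTX_VALUE_TYPE_INTEGER_16BIT:
			description = "Integer 16-bit signed";
			break;

		case LIBEVTX_VALUE_TYPE_UNSIGNED_INTEGER_16BIT:
			description = "Integer 16-bit unsigned";
			break;

		case LIBEVTX_VALUE_TYPE_INTEGER_32BIT:
			description = "Integer 32-bit signed";
			break;

		case LIBEVTX_VALUE_TYPE_UNSIGNED_INTEGER_32BIT:
			description = "Integer 32-bit unsigned";
			break;

		case LIBEVTX_VALUE_TYPE_INTEGER_64BIT:
			description = "Integer 64-bit signed";
			break;

		case LIBEVTX_VALUE_TYPE_UNSIGNED_INTEGER_64BIT:
			description = "Integer 64-bit unsigned";
			break;

		case LIBEVTX_VALUE_TYPE_FLOATING_POINT_32BIT:
			description = "Floating point 32-bit (single precision)";
			break;

		case LIBEVTX_VALUE_TYPE_FLOATING_POINT_64BIT:
			description = "Floating point 64-bit (double precision)";
			break;

		case LIBEVTX_VALUE_TYPE_BOOLEAN:
			description = "Boolean";
			break;

		case LIBEVTX_VALUE_TYPE_BINARY_DATA:
			description = "Binary data";
			break;

		case LIBEVTX_VALUE_TYPE_GUID:
			description = "GUID";
			break;

		case LIBEVTX_VALUE_TYPE_SIZE:
			description = "Size";
			break;

		case LIBEVTX_VALUE_TYPE_FILETIME:
			description = "Filetime";
			break;

		case LIBEVTX_VALUE_TYPE_SYSTEMTIME:
			description = "Systemtime";
			break;

		case LIBEVTX_VALUE_TYPE_NT_SECURITY_IDENTIFIER:
			description = "NT Security Identifier (SID)";
			break;

		case LIBEVTX_VALUE_TYPE_HEXADECIMAL_INTEGER_32BIT:
			description = "Hexadecimal integer 32-bit";
			break;

		case LIBEVTX_VALUE_TYPE_HEXADECIMAL_INTEGER_64BIT:
			description = "Hexadecimal integer 64-bit";
			break;

		case LIBEVTX_VALUE_TYPE_BINARY_XML:
			description = "Binary XML";
			break;

		default:
			description = "UNKNOWN";
			break;
	}
	/* The name is passed as an argument, never as the format string
	 */
	libcnotify_printf(
	 "%s",
	 description );
}

/* Prints the read offsets
 * For every range read through the file IO handle the start offset,
 * the end offset (in decimal and hexadecimal) and the size are printed
 * Returns 1 if successful or -1 on error
 */
int libevtx_debug_print_read_offsets(
     libbfio_handle_t *file_io_handle,
     libcerror_error_t **error )
{
	static char *function = "libevtx_debug_print_read_offsets";
	off64_t offset        = 0;
	size64_t size         = 0;
	int number_of_offsets = 0;
	int offset_iterator   = 0;

	if( file_io_handle == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid file IO handle.",
		 function );

		return( -1 );
	}
	if( libbfio_handle_get_number_of_offsets_read(
	     file_io_handle,
	     &number_of_offsets,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve number of offsets read.",
		 function );

		return( -1 );
	}
	libcnotify_printf(
	 "Offsets read:\n" );

	for( offset_iterator = 0;
	     offset_iterator < number_of_offsets;
	     offset_iterator++ )
	{
		if( libbfio_handle_get_offset_read(
		     file_io_handle,
		     offset_iterator,
		     &offset,
		     &size,
		     error ) != 1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve offset: %d.",
			 function,
			 offset_iterator );

			return( -1 );
		}
		/* The size is a size64_t and printed with PRIu64, as the other
		 * size64_t values in this library are
		 */
		libcnotify_printf(
		 "%08" PRIi64 " ( 0x%08" PRIx64 " ) - %08" PRIi64 " ( 0x%08" PRIx64 " ) size: %" PRIu64 "\n",
		 offset,
		 offset,
		 offset + (off64_t) size,
		 offset + (off64_t) size,
		 size );
	}
	libcnotify_printf(
	 "\n" );

	return( 1 );
}

#endif /* defined( HAVE_DEBUG_OUTPUT ) */

================================================ FILE: libevtx/libevtx_debug.h ================================================
/* * Debug functions * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . */

#if !defined( _LIBEVTX_DEBUG_H )
#define _LIBEVTX_DEBUG_H

#include #include
#include "libevtx_libcerror.h"
#include "libevtx_libbfio.h"

#if defined( __cplusplus )
extern "C" {
#endif

#if defined( HAVE_DEBUG_OUTPUT )

void libevtx_debug_print_file_flags(
      uint32_t file_flags );

void libevtx_debug_print_value_type(
      uint8_t value_type );

int libevtx_debug_print_read_offsets(
     libbfio_handle_t *file_io_handle,
     libcerror_error_t **error );

#endif /* defined( HAVE_DEBUG_OUTPUT ) */

#if defined( __cplusplus )
}
#endif

#endif /* !defined( _LIBEVTX_DEBUG_H ) */

================================================ FILE: libevtx/libevtx_definitions.h.in ================================================
/* * The internal definitions * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements.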
* * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . */ #if !defined( _LIBEVTX_INTERNAL_DEFINITIONS_H ) #define _LIBEVTX_INTERNAL_DEFINITIONS_H #include #include #define LIBEVTX_ENDIAN_BIG _BYTE_STREAM_ENDIAN_BIG #define LIBEVTX_ENDIAN_LITTLE _BYTE_STREAM_ENDIAN_LITTLE /* Define HAVE_LOCAL_LIBEVTX for local use of libevtx */ #if !defined( HAVE_LOCAL_LIBEVTX ) #include /* The definitions in are copied here * for local use of libevtx */ #else #define LIBEVTX_VERSION @VERSION@ /* The version string */ #define LIBEVTX_VERSION_STRING "@VERSION@" /* The access flags definitions * bit 1 set to 1 for read access * bit 2 set to 1 for write access * bit 3-8 not used */ enum LIBEVTX_ACCESS_FLAGS { LIBEVTX_ACCESS_FLAG_READ = 0x01, /* Reserved: not supported yet */ LIBEVTX_ACCESS_FLAG_WRITE = 0x02 }; /* The file access macros */ #define LIBEVTX_OPEN_READ ( LIBEVTX_ACCESS_FLAG_READ ) /* Reserved: not supported yet */ #define LIBEVTX_OPEN_WRITE ( LIBEVTX_ACCESS_FLAG_WRITE ) /* Reserved: not supported yet */ #define LIBEVTX_OPEN_READ_WRITE ( LIBEVTX_ACCESS_FLAG_READ | LIBEVTX_ACCESS_FLAG_WRITE ) /* The event level definitions */ enum LIBEVTX_EVENT_LEVELS { LIBEVTX_EVENT_LEVEL_CRITICAL = 1, LIBEVTX_EVENT_LEVEL_ERROR = 2, LIBEVTX_EVENT_LEVEL_WARNING = 3, LIBEVTX_EVENT_LEVEL_INFORMATION = 4, LIBEVTX_EVENT_LEVEL_VERBOSE = 5, }; /* The event file flags */ enum LIBEVTX_FILE_FLAGS { LIBEVTX_FILE_FLAG_IS_DIRTY = 0x00000001UL, 
LIBEVTX_FILE_FLAG_IS_FULL = 0x00000002UL, }; #endif /* !defined( HAVE_LOCAL_LIBEVTX ) */ /* The IO handle flags */ enum LIBEVTX_IO_HANDLE_FLAGS { /* The file is corrupted */ LIBEVTX_IO_HANDLE_FLAG_IS_CORRUPTED = 0x01 }; /* The chunk flags */ enum LIBEVTX_CHUNK_FLAGS { /* The chunk is corrupted */ LIBEVTX_CHUNK_FLAG_IS_CORRUPTED = 0x01 }; /* The binary XML token definitions */ enum LIBEVTX_BINARY_XML_TOKENS { LIBEVTX_BINARY_XML_TOKEN_END_OF_FILE = 0x00, LIBEVTX_BINARY_XML_TOKEN_OPEN_START_ELEMENT_TAG = 0x01, LIBEVTX_BINARY_XML_TOKEN_CLOSE_START_ELEMENT_TAG = 0x02, LIBEVTX_BINARY_XML_TOKEN_CLOSE_EMPTY_ELEMENT_TAG = 0x03, LIBEVTX_BINARY_XML_TOKEN_END_ELEMENT_TAG = 0x04, LIBEVTX_BINARY_XML_TOKEN_VALUE = 0x05, LIBEVTX_BINARY_XML_TOKEN_ATTRIBUTE = 0x06, LIBEVTX_BINARY_XML_TOKEN_CDATA_SECTION = 0x07, LIBEVTX_BINARY_XML_TOKEN_CHARACTER_REFERENCE = 0x08, LIBEVTX_BINARY_XML_TOKEN_ENTITY_REFERENCE = 0x09, LIBEVTX_BINARY_XML_TOKEN_PI_TARGET = 0x0a, LIBEVTX_BINARY_XML_TOKEN_PI_DATA = 0x0b, LIBEVTX_BINARY_XML_TOKEN_TEMPLATE_INSTANCE = 0x0c, LIBEVTX_BINARY_XML_TOKEN_NORMAL_SUBSTITUTION = 0x0d, LIBEVTX_BINARY_XML_TOKEN_OPTIONAL_SUBSTITUTION = 0x0e, LIBEVTX_BINARY_XML_TOKEN_FRAGMENT_HEADER = 0x0f }; #define LIBEVTX_BINARY_XML_TOKEN_FLAG_HAS_MORE_DATA 0x40 /* The value type definitions */ enum LIBEVTX_VALUE_TYPES { LIBEVTX_VALUE_TYPE_NULL = 0x00, LIBEVTX_VALUE_TYPE_STRING_UTF16 = 0x01, LIBEVTX_VALUE_TYPE_STRING_BYTE_STREAM = 0x02, LIBEVTX_VALUE_TYPE_INTEGER_8BIT = 0x03, LIBEVTX_VALUE_TYPE_UNSIGNED_INTEGER_8BIT = 0x04, LIBEVTX_VALUE_TYPE_INTEGER_16BIT = 0x05, LIBEVTX_VALUE_TYPE_UNSIGNED_INTEGER_16BIT = 0x06, LIBEVTX_VALUE_TYPE_INTEGER_32BIT = 0x07, LIBEVTX_VALUE_TYPE_UNSIGNED_INTEGER_32BIT = 0x08, LIBEVTX_VALUE_TYPE_INTEGER_64BIT = 0x09, LIBEVTX_VALUE_TYPE_UNSIGNED_INTEGER_64BIT = 0x0a, LIBEVTX_VALUE_TYPE_FLOATING_POINT_32BIT = 0x0b, LIBEVTX_VALUE_TYPE_FLOATING_POINT_64BIT = 0x0c, LIBEVTX_VALUE_TYPE_BOOLEAN = 0x0d, LIBEVTX_VALUE_TYPE_BINARY_DATA = 0x0e, LIBEVTX_VALUE_TYPE_GUID = 
0x0f, LIBEVTX_VALUE_TYPE_SIZE = 0x10, LIBEVTX_VALUE_TYPE_FILETIME = 0x11, LIBEVTX_VALUE_TYPE_SYSTEMTIME = 0x12, LIBEVTX_VALUE_TYPE_NT_SECURITY_IDENTIFIER = 0x13, LIBEVTX_VALUE_TYPE_HEXADECIMAL_INTEGER_32BIT = 0x14, LIBEVTX_VALUE_TYPE_HEXADECIMAL_INTEGER_64BIT = 0x15, LIBEVTX_VALUE_TYPE_BINARY_XML = 0x21, LIBEVTX_VALUE_TYPE_ARRAY_OF_STRING_UTF16 = 0x81, LIBEVTX_VALUE_TYPE_ARRAY_OF_STRING_BYTE_STREAM = 0x82, LIBEVTX_VALUE_TYPE_ARRAY_OF_INTEGER_8BIT = 0x83, LIBEVTX_VALUE_TYPE_ARRAY_OF_UNSIGNED_INTEGER_8BIT = 0x84, LIBEVTX_VALUE_TYPE_ARRAY_OF_INTEGER_16BIT = 0x85, LIBEVTX_VALUE_TYPE_ARRAY_OF_UNSIGNED_INTEGER_16BIT = 0x86, LIBEVTX_VALUE_TYPE_ARRAY_OF_INTEGER_32BIT = 0x87, LIBEVTX_VALUE_TYPE_ARRAY_OF_UNSIGNED_INTEGER_32BIT = 0x88, LIBEVTX_VALUE_TYPE_ARRAY_OF_INTEGER_64BIT = 0x89, LIBEVTX_VALUE_TYPE_ARRAY_OF_UNSIGNED_INTEGER_64BIT = 0x8a, LIBEVTX_VALUE_TYPE_ARRAY_OF_FLOATING_POINT_32BIT = 0x8b, LIBEVTX_VALUE_TYPE_ARRAY_OF_FLOATING_POINT_64BIT = 0x8c, LIBEVTX_VALUE_TYPE_ARRAY_OF_GUID = 0x8f, LIBEVTX_VALUE_TYPE_ARRAY_OF_SIZE = 0x90, LIBEVTX_VALUE_TYPE_ARRAY_OF_FILETIME = 0x91, LIBEVTX_VALUE_TYPE_ARRAY_OF_SYSTEMTIME = 0x92, LIBEVTX_VALUE_TYPE_ARRAY_OF_NT_SECURITY_IDENTIFIER = 0x93, LIBEVTX_VALUE_TYPE_ARRAY_OF_HEXADECIMAL_INTEGER_32BIT = 0x94, LIBEVTX_VALUE_TYPE_ARRAY_OF_HEXADECIMAL_INTEGER_64BIT = 0x95, }; #define LIBEVTX_VALUE_TYPE_ARRAY 0x80 /* The record flags */ enum LIBEVTX_RECORD_FLAGS { LIBEVTX_RECORD_FLAG_NON_MANAGED_FILE_IO_HANDLE = 0x00, LIBEVTX_RECORD_FLAG_MANAGED_FILE_IO_HANDLE = 0x01, }; #define LIBEVTX_RECORD_FLAGS_DEFAULT LIBEVTX_RECORD_FLAG_NON_MANAGED_FILE_IO_HANDLE /* The XML tag type definitions */ enum LIBEVTX_XML_TAG_TYPES { LIBEVTX_XML_TAG_TYPE_NODE, LIBEVTX_XML_TAG_TYPE_CDATA, LIBEVTX_XML_TAG_TYPE_PI }; /* The maximum number of cache entries definitions */ #define LIBEVTX_MAXIMUM_CACHE_ENTRIES_CHUNKS 16 #define LIBEVTX_MAXIMUM_CACHE_ENTRIES_RECORDS 64 #endif /* !defined( _LIBEVTX_INTERNAL_DEFINITIONS_H ) */ 
================================================ FILE: libevtx/libevtx_error.c ================================================
/* * Error functions * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . */

#include #include #include
#include "libevtx_error.h"
#include "libevtx_libcerror.h"

#if !defined( HAVE_LOCAL_LIBEVTX )

/* Free an error and its elements
 * Thin wrapper, the error is passed on to libcerror_error_free
 */
void libevtx_error_free(
      libevtx_error_t **error )
{
	libcerror_error_free(
	 (libcerror_error_t **) error );
}

/* Prints a descriptive string of the error to the stream
 * Thin wrapper around libcerror_error_fprint
 * Returns the number of printed characters if successful or -1 on error
 */
int libevtx_error_fprint(
     libevtx_error_t *error,
     FILE *stream )
{
	return( libcerror_error_fprint(
	         (libcerror_error_t *) error,
	         stream ) );
}

/* Prints a descriptive string of the error to the string
 * Thin wrapper around libcerror_error_sprint, size is passed on unchanged
 * and is presumably the capacity of string - the bound is not checked here
 * The end-of-string character is not included in the return value
 * Returns the number of printed characters if successful or -1 on error
 */
int libevtx_error_sprint(
     libevtx_error_t *error,
     char *string,
     size_t size )
{
	return( libcerror_error_sprint(
	         (libcerror_error_t *) error,
	         string,
	         size ) );
}

/* Prints a backtrace of the error to the stream
 * Thin wrapper around libcerror_error_backtrace_fprint
 * Returns the number of printed characters if successful or -1 on error
 */
int libevtx_error_backtrace_fprint(
     libevtx_error_t *error,
     FILE *stream )
{
	return( libcerror_error_backtrace_fprint(
	         (libcerror_error_t *) error,
	         stream ) );
}

/* Prints a backtrace of the error to the string
 * Thin wrapper around libcerror_error_backtrace_sprint, size is passed on
 * unchanged and is presumably the capacity of string - the bound is not
 * checked here
 * The end-of-string character is not included in the return value
 * Returns the number of printed characters if successful or -1 on error
 */
int libevtx_error_backtrace_sprint(
     libevtx_error_t *error,
     char *string,
     size_t size )
{
	return( libcerror_error_backtrace_sprint(
	         (libcerror_error_t *) error,
	         string,
	         size ) );
}

#endif /* !defined( HAVE_LOCAL_LIBEVTX ) */

================================================ FILE: libevtx/libevtx_error.h ================================================
/* * Error functions * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see .
*/ #if !defined( _LIBEVTX_INTERNAL_ERROR_H ) #define _LIBEVTX_INTERNAL_ERROR_H #include #include #include #if !defined( HAVE_LOCAL_LIBEVTX ) #include #endif #include "libevtx_extern.h" #if defined( __cplusplus ) extern "C" { #endif #if !defined( HAVE_LOCAL_LIBEVTX ) LIBEVTX_EXTERN \ void libevtx_error_free( libevtx_error_t **error ); LIBEVTX_EXTERN \ int libevtx_error_fprint( libevtx_error_t *error, FILE *stream ); LIBEVTX_EXTERN \ int libevtx_error_sprint( libevtx_error_t *error, char *string, size_t size ); LIBEVTX_EXTERN \ int libevtx_error_backtrace_fprint( libevtx_error_t *error, FILE *stream ); LIBEVTX_EXTERN \ int libevtx_error_backtrace_sprint( libevtx_error_t *error, char *string, size_t size ); #endif /* !defined( HAVE_LOCAL_LIBEVTX ) */ #if defined( __cplusplus ) } #endif #endif /* !defined( _LIBEVTX_INTERNAL_ERROR_H ) */ ================================================ FILE: libevtx/libevtx_extern.h ================================================ /* * The internal extern definition * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #if !defined( _LIBEVTX_INTERNAL_EXTERN_H ) #define _LIBEVTX_INTERNAL_EXTERN_H #include /* Define HAVE_LOCAL_LIBEVTX for local use of libevtx */ #if !defined( HAVE_LOCAL_LIBEVTX ) #include #if defined( __CYGWIN__ ) || defined( __MINGW32__ ) #define LIBEVTX_EXTERN_VARIABLE extern #else #define LIBEVTX_EXTERN_VARIABLE LIBEVTX_EXTERN #endif #else #define LIBEVTX_EXTERN /* extern */ #define LIBEVTX_EXTERN_VARIABLE extern #endif /* !defined( HAVE_LOCAL_LIBEVTX ) */ #endif /* !defined( _LIBEVTX_INTERNAL_EXTERN_H ) */ ================================================ FILE: libevtx/libevtx_file.c ================================================ /* * File functions * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/

#include
#include
#include
#include
#include

#include "libevtx_chunks_table.h"
#include "libevtx_codepage.h"
#include "libevtx_chunk.h"
#include "libevtx_debug.h"
#include "libevtx_definitions.h"
#include "libevtx_i18n.h"
#include "libevtx_io_handle.h"
#include "libevtx_file.h"
#include "libevtx_libbfio.h"
#include "libevtx_libcerror.h"
#include "libevtx_libcnotify.h"
#include "libevtx_libfcache.h"
#include "libevtx_libfdata.h"
#include "libevtx_record.h"
#include "libevtx_record_values.h"

/* Creates a file
 * Allocates a zeroed internal file structure, creates its IO handle,
 * initializes internationalization (i18n) and stores the result in *file
 * Make sure the value file is referencing, is set to NULL
 * Returns 1 if successful or -1 on error
 */
int libevtx_file_initialize(
     libevtx_file_t **file,
     libcerror_error_t **error )
{
	libevtx_internal_file_t *internal_file = NULL;
	static char *function                  = "libevtx_file_initialize";

	if( file == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid file.", function );

		return( -1 );
	}
	/* Refuse to overwrite a pointer that already refers to a file
	 */
	if( *file != NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET,
		 "%s: invalid file value already set.", function );

		return( -1 );
	}
	internal_file = memory_allocate_structure(
	                 libevtx_internal_file_t );

	if( internal_file == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_INSUFFICIENT,
		 "%s: unable to create file.", function );

		goto on_error;
	}
	if( memory_set(
	     internal_file,
	     0,
	     sizeof( libevtx_internal_file_t ) ) == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_SET_FAILED,
		 "%s: unable to clear file.", function );

		/* on_error is not used here: that path reads internal_file->io_handle,
		 * which only holds a defined value once the structure has been cleared
		 */
		memory_free(
		 internal_file );

		return( -1 );
	}
	if( libevtx_io_handle_initialize(
	     &( internal_file->io_handle ),
	     error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
		 "%s: unable to create IO handle.", function );

		goto on_error;
	}
	if( libevtx_i18n_initialize(
	     error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
		 "%s: unable to initalize internationalization (i18n).", function );

		goto on_error;
	}
	/* The caller's pointer is only set once every step succeeded
	 */
	*file = (libevtx_file_t *) internal_file;

	return( 1 );

on_error:
	if( internal_file != NULL )
	{
		if( internal_file->io_handle != NULL )
		{
			libevtx_io_handle_free(
			 &( internal_file->io_handle ),
			 NULL );
		}
		memory_free(
		 internal_file );
	}
	return( -1 );
}

/* Frees a file
 * A file that still has a file IO handle is closed first. *file is set to NULL
 * before the internal structure is released. A failing close or IO handle free
 * is reported through the return value, but the structure is released regardless
 * Returns 1 if successful or -1 on error
 */
int libevtx_file_free(
     libevtx_file_t **file,
     libcerror_error_t **error )
{
	libevtx_internal_file_t *internal_file = NULL;
	static char *function                  = "libevtx_file_free";
	int result                             = 1;

	if( file == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid file.", function );

		return( -1 );
	}
	if( *file != NULL )
	{
		internal_file = (libevtx_internal_file_t *) *file;

		if( internal_file->file_io_handle != NULL )
		{
			/* libevtx_file_close returns 0 on success, unlike the functions that return 1
			 */
			if( libevtx_file_close(
			     *file,
			     error ) != 0 )
			{
				libcerror_error_set(
				 error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_CLOSE_FAILED,
				 "%s: unable to close file.", function );

				result = -1;
			}
		}
		*file = NULL;

		if( libevtx_io_handle_free(
		     &( internal_file->io_handle ),
		     error ) != 1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
			 "%s: unable to free IO handle.", function );

			result = -1;
		}
		memory_free(
		 internal_file );
	}
	return( result );
}

/* Signals a file to abort its current activity
 * Returns 1 if successful or -1 on error
 */
int libevtx_file_signal_abort(
     libevtx_file_t *file,
     libcerror_error_t **error )
{
	libevtx_internal_file_t *internal_file = NULL;
	static char *function                  = "libevtx_file_signal_abort";

	if( file == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid file.", function );

		return( -1 );
	}
	internal_file = (libevtx_internal_file_t *) file;

	if( internal_file->io_handle == NULL )
	{
/* libevtx_file_signal_abort, continued: the IO handle is missing */
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
		 "%s: invalid file - missing IO handle.", function );

		return( -1 );
	}
	/* The request is recorded as a flag in the IO handle; nothing else is done here
	 */
	internal_file->io_handle->abort = 1;

	return( 1 );
}

/* Opens a file
 * Validates the arguments, creates a libbfio file handle for filename and passes
 * it to libevtx_file_open_file_io_handle. On success the handle is marked as
 * created in the library, which makes libevtx_file_close free it.
 * Only read access is accepted: a request that includes LIBEVTX_ACCESS_FLAG_WRITE
 * is rejected as unsupported
 * Returns 1 if successful or -1 on error
 */
int libevtx_file_open(
     libevtx_file_t *file,
     const char *filename,
     int access_flags,
     libcerror_error_t **error )
{
	libbfio_handle_t *file_io_handle       = NULL;
	libevtx_internal_file_t *internal_file = NULL;
	static char *function                  = "libevtx_file_open";
	size_t filename_length                 = 0;

	if( file == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid file.", function );

		return( -1 );
	}
	internal_file = (libevtx_internal_file_t *) file;

	if( filename == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid filename.", function );

		return( -1 );
	}
	/* At least one of the read and write flags has to be set
	 */
	if( ( ( access_flags & LIBEVTX_ACCESS_FLAG_READ ) == 0 )
	 && ( ( access_flags & LIBEVTX_ACCESS_FLAG_WRITE ) == 0 ) )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_UNSUPPORTED_VALUE,
		 "%s: unsupported access flags.", function );

		return( -1 );
	}
	/* Write access is refused before any handle is created
	 */
	if( ( access_flags & LIBEVTX_ACCESS_FLAG_WRITE ) != 0 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_UNSUPPORTED_VALUE,
		 "%s: write access currently not supported.", function );

		return( -1 );
	}
	if( libbfio_file_initialize(
	     &file_io_handle,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
		 "%s: unable to create file IO handle.", function );

		goto on_error;
	}
#if defined( HAVE_DEBUG_OUTPUT )
	/* Debug builds track the offsets read; libevtx_file_close prints them
	 */
	if( libbfio_handle_set_track_offsets_read(
	     file_io_handle,
	     1,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_SET_FAILED,
		 "%s: unable to set track offsets read in file IO handle.", function );

		goto on_error;
	}
#endif
	filename_length = narrow_string_length(
	                   filename );

	/* The size passed on is the length plus one, presumably to include the
	 * end-of-string character - confirm against libbfio_file_set_name.
	 * The filename is used as given; no normalization is done in this function
	 */
	if( libbfio_file_set_name(
	     file_io_handle,
	     filename,
	     filename_length + 1,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_SET_FAILED,
		 "%s: unable to set filename in file IO handle.", function );

		goto on_error;
	}
	if( libevtx_file_open_file_io_handle(
	     file,
	     file_io_handle,
	     access_flags,
	     error ) != 1 )
	{
		/* The caller-supplied filename is copied into the error message
		 */
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_OPEN_FAILED,
		 "%s: unable to open file: %s.", function, filename );

		goto on_error;
	}
	/* Set only after a successful open: libevtx_file_close frees handles flagged this way
	 */
	internal_file->file_io_handle_created_in_library = 1;

	return( 1 );

on_error:
	if( file_io_handle != NULL )
	{
		libbfio_handle_free(
		 &file_io_handle,
		 NULL );
	}
	return( -1 );
}

#if defined( HAVE_WIDE_CHARACTER_TYPE )

/* Opens a file
 * Wide character variant of libevtx_file_open: same checks and same flow, using
 * wide_string_length and libbfio_file_set_name_wide for the filename
 * Returns 1 if successful or -1 on error
 */
int libevtx_file_open_wide(
     libevtx_file_t *file,
     const wchar_t *filename,
     int access_flags,
     libcerror_error_t **error )
{
	libbfio_handle_t *file_io_handle       = NULL;
	libevtx_internal_file_t *internal_file = NULL;
	static char *function                  = "libevtx_file_open_wide";
	size_t filename_length                 = 0;

	if( file == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid file.", function );

		return( -1 );
	}
	internal_file = (libevtx_internal_file_t *) file;

	if( filename == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid filename.", function );

		return( -1 );
	}
	if( ( ( access_flags & LIBEVTX_ACCESS_FLAG_READ ) == 0 )
	 && ( ( access_flags & LIBEVTX_ACCESS_FLAG_WRITE ) == 0 ) )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_UNSUPPORTED_VALUE,
		 "%s: unsupported access flags.", function );

		return( -1 );
	}
	if( ( access_flags & LIBEVTX_ACCESS_FLAG_WRITE ) != 0 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_UNSUPPORTED_VALUE,
		 "%s: write access currently not supported.", function );

		return( -1 );
	}
	if( libbfio_file_initialize(
	     &file_io_handle,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
		 "%s: unable to create file IO handle.", function );

		goto on_error;
	}
#if defined( HAVE_DEBUG_OUTPUT )
	if( libbfio_handle_set_track_offsets_read(
	     file_io_handle,
	     1,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_SET_FAILED,
		 "%s: unable to set track offsets read in file IO handle.", function );

		goto on_error;
	}
#endif
	filename_length = wide_string_length(
	                   filename );

	/* Length plus one, presumably to include the end-of-string character - confirm
	 * against libbfio_file_set_name_wide
	 */
	if( libbfio_file_set_name_wide(
	     file_io_handle,
	     filename,
	     filename_length + 1,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_SET_FAILED,
		 "%s: unable to set filename in file IO handle.", function );

		goto on_error;
	}
	if( libevtx_file_open_file_io_handle(
	     file,
	     file_io_handle,
	     access_flags,
	     error ) != 1 )
	{
		/* The caller-supplied filename is copied into the error message
		 */
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_OPEN_FAILED,
		 "%s: unable to open file: %ls.", function, filename );

		goto on_error;
	}
	internal_file->file_io_handle_created_in_library = 1;

	return( 1 );

on_error:
	if( file_io_handle != NULL )
	{
		libbfio_handle_free(
		 &file_io_handle,
		 NULL );
	}
	return( -1 );
}

#endif /* defined( HAVE_WIDE_CHARACTER_TYPE ) */

/* Opens a file using a Basic File IO (bfio) handle
 * The handle is opened here only when libbfio reports that it is not open yet.
 * That is remembered in file_io_handle_opened_in_library, so that only a handle
 * opened by the library is closed again (here on error, later in libevtx_file_close).
 * A handle that is already open is used as it is; its access mode is not inspected here.
 * The handle is stored in the file only after libevtx_file_open_read succeeded
 * Returns 1 if successful or -1 on error
 */
int libevtx_file_open_file_io_handle(
     libevtx_file_t *file,
     libbfio_handle_t *file_io_handle,
     int access_flags,
     libcerror_error_t **error )
{
	libevtx_internal_file_t *internal_file   = NULL;
	static char *function                    = "libevtx_file_open_file_io_handle";
	uint8_t file_io_handle_opened_in_library = 0;
	int bfio_access_flags                    = 0;
	int file_io_handle_is_open               = 0;

	if( file == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid file.", function );

		return( -1 );
	}
	internal_file = (libevtx_internal_file_t *) file;

	/* A file that is already open has to be closed before it can be opened again
	 */
	if( internal_file->file_io_handle != NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET,
		 "%s: invalid file - file IO handle already set.", function );

		return( -1 );
	}
	if( file_io_handle == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid file IO handle.", function );

		return( -1 );
	}
	if( ( ( access_flags & LIBEVTX_ACCESS_FLAG_READ ) == 0 )
	 && ( ( access_flags & LIBEVTX_ACCESS_FLAG_WRITE ) == 0 ) )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_UNSUPPORTED_VALUE,
		 "%s: unsupported access flags.", function );

		return( -1 );
	}
	if( ( access_flags & LIBEVTX_ACCESS_FLAG_WRITE ) != 0 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_UNSUPPORTED_VALUE,
		 "%s: write access currently not supported.", function );

		return( -1 );
	}
	if( ( access_flags & LIBEVTX_ACCESS_FLAG_READ ) != 0 )
	{
		bfio_access_flags = LIBBFIO_ACCESS_FLAG_READ;
	}
	file_io_handle_is_open = libbfio_handle_is_open(
	                          file_io_handle,
	                          error );

	if( file_io_handle_is_open == -1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_OPEN_FAILED,
		 "%s: unable to open file.", function );

		goto on_error;
	}
	else if( file_io_handle_is_open == 0 )
	{
		if( libbfio_handle_open(
		     file_io_handle,
		     bfio_access_flags,
		     error ) != 1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_OPEN_FAILED,
			 "%s: unable to open file IO handle.", function );

			goto on_error;
		}
		file_io_handle_opened_in_library = 1;
	}
	if( libevtx_file_open_read(
	     internal_file,
	     file_io_handle,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_READ_FAILED,
		 "%s: unable to read from file handle.", function );

		goto on_error;
	}
	internal_file->file_io_handle                   = file_io_handle;
	internal_file->file_io_handle_opened_in_library = file_io_handle_opened_in_library;

	return( 1 );

on_error:
	/* A handle that the caller had already opened is left open.
	 * NOTE(review): this cleanup passes error to libbfio_handle_close, while the other
	 * on_error paths in this file pass NULL to their cleanup calls - confirm that is intended
	 */
	if( file_io_handle_opened_in_library != 0 )
	{
		libbfio_handle_close(
		 file_io_handle,
		 error );
	}
	return( -1 );
}

/* Closes a file
 * Closes the file IO handle if the library opened it, frees it if the library
 * created it, and releases the data built while opening. A failing step sets
 * the result to -1 but does not stop the remaining steps
 * Returns 0 if successful or -1 on error
 */
int libevtx_file_close(
     libevtx_file_t *file,
     libcerror_error_t **error )
{
	libevtx_internal_file_t *internal_file = NULL;
	static char *function                  = "libevtx_file_close";
	int result                             = 0;

	if( file == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid file.", function );

		return( -1 );
	}
	internal_file = (libevtx_internal_file_t *) file;

	if( internal_file->file_io_handle == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
		 "%s: invalid file - missing file IO handle.", function );

		return( -1 );
	}
#if defined( HAVE_DEBUG_OUTPUT )
	if( libcnotify_verbose != 0 )
	{
		/* Read offsets are printed only for handles created in the library
		 */
		if( internal_file->file_io_handle_created_in_library != 0 )
		{
			if( libevtx_debug_print_read_offsets(
			     internal_file->file_io_handle,
			     error ) != 1 )
			{
				libcerror_error_set(
				 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_PRINT_FAILED,
				 "%s: unable to print the read offsets.", function );

				result = -1;
			}
		}
	}
#endif
	if( internal_file->file_io_handle_opened_in_library != 0 )
	{
		if( libbfio_handle_close(
		     internal_file->file_io_handle,
		     error ) != 0 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_CLOSE_FAILED,
			 "%s: unable to close file IO handle.", function );

			result = -1;
		}
		internal_file->file_io_handle_opened_in_library = 0;
	}
	if( internal_file->file_io_handle_created_in_library != 0 )
	{
		if( libbfio_handle_free(
		     &( internal_file->file_io_handle ),
		     error ) != 1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
			 "%s: unable to free file IO handle.", function );

			result = -1;
		}
		internal_file->file_io_handle_created_in_library = 0;
} internal_file->file_io_handle = NULL; if( libevtx_io_handle_clear( internal_file->io_handle, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED, "%s: unable to clear IO handle.", function ); result = -1; } if( libfdata_list_free( &( internal_file->recovered_records_list ), error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED, "%s: unable to free recovered records list.", function ); result = -1; } if( libfdata_list_free( &( internal_file->records_list ), error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED, "%s: unable to free records list.", function ); result = -1; } if( libfcache_cache_free( &( internal_file->records_cache ), error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED, "%s: unable to free records cache.", function ); result = -1; } if( libfdata_vector_free( &( internal_file->chunks_vector ), error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED, "%s: unable to free chunks vector.", function ); result = -1; } if( libfcache_cache_free( &( internal_file->chunks_cache ), error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED, "%s: unable to free chunks cache.", function ); result = -1; } return( result ); } /* Opens a file for reading * Returns 1 if successful or -1 on error */ int libevtx_file_open_read( libevtx_internal_file_t *internal_file, libbfio_handle_t *file_io_handle, libcerror_error_t **error ) { libevtx_chunk_t *chunk = NULL; libevtx_record_values_t *record_values = NULL; libevtx_chunks_table_t *chunks_table = NULL; static char *function = "libevtx_file_open_read"; off64_t file_offset = 0; size64_t file_size = 0; uint16_t chunk_index = 0; uint16_t number_of_chunks = 
0; uint16_t number_of_records = 0; uint16_t record_index = 0; int element_index = 0; int result = 0; int segment_index = 0; #if defined( HAVE_VERBOSE_OUTPUT ) uint64_t previous_record_identifier = 0; #endif #if defined( HAVE_DEBUG_OUTPUT ) uint8_t *trailing_data = NULL; size_t trailing_data_size = 0; ssize_t read_count = 0; #endif if( internal_file == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid file.", function ); return( -1 ); } if( internal_file->io_handle == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING, "%s: invalid file - missing IO handle.", function ); return( -1 ); } if( internal_file->chunks_vector != NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET, "%s: invalid file - chunks vector already set.", function ); return( -1 ); } if( internal_file->chunks_cache != NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET, "%s: invalid file - chunks cache already set.", function ); return( -1 ); } if( internal_file->records_list != NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET, "%s: invalid file - records list already set.", function ); return( -1 ); } if( internal_file->recovered_records_list != NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET, "%s: invalid file - recovered records list already set.", function ); return( -1 ); } if( internal_file->records_cache != NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET, "%s: invalid file - records cache already set.", function ); return( -1 ); } if( libbfio_handle_get_size( file_io_handle, &file_size, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, 
LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve file size.", function ); goto on_error; } #if defined( HAVE_DEBUG_OUTPUT ) if( libcnotify_verbose != 0 ) { libcnotify_printf( "Reading file header:\n" ); } #endif if( libevtx_io_handle_read_file_header( internal_file->io_handle, file_io_handle, 0, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_READ_FAILED, "%s: unable to read file header.", function ); goto on_error; } internal_file->io_handle->chunks_data_size = file_size - internal_file->io_handle->chunks_data_offset; /* TODO clone function ? */ if( libfdata_vector_initialize( &( internal_file->chunks_vector ), (size64_t) internal_file->io_handle->chunk_size, (intptr_t *) internal_file->io_handle, NULL, NULL, (int (*)(intptr_t *, intptr_t *, libfdata_vector_t *, libfdata_cache_t *, int, int, off64_t, size64_t, uint32_t, uint8_t, libcerror_error_t **)) &libevtx_io_handle_read_chunk, NULL, LIBFDATA_DATA_HANDLE_FLAG_NON_MANAGED, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED, "%s: unable to create chunks vector.", function ); goto on_error; } if( libfdata_vector_append_segment( internal_file->chunks_vector, &segment_index, 0, internal_file->io_handle->chunks_data_offset, internal_file->io_handle->chunks_data_size, 0, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_APPEND_FAILED, "%s: unable to append segment to chunks vector.", function ); goto on_error; } if( libfcache_cache_initialize( &( internal_file->chunks_cache ), LIBEVTX_MAXIMUM_CACHE_ENTRIES_CHUNKS, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED, "%s: unable to create chunks cache.", function ); goto on_error; } #if defined( HAVE_DEBUG_OUTPUT ) if( libcnotify_verbose != 0 ) { libcnotify_printf( "Reading chunks:\n" ); } #endif if( libevtx_chunks_table_initialize( 
&chunks_table, internal_file->io_handle, internal_file->chunks_vector, internal_file->chunks_cache, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED, "%s: unable to create chunks table.", function ); goto on_error; } /* TODO clone function ? */ if( libfdata_list_initialize( &( internal_file->records_list ), (intptr_t *) chunks_table, (int (*)(intptr_t **, libcerror_error_t **)) &libevtx_chunks_table_free, NULL, (int (*)(intptr_t *, intptr_t *, libfdata_list_element_t *, libfdata_cache_t *, int, off64_t, size64_t, uint32_t, uint8_t, libcerror_error_t **)) &libevtx_chunks_table_read_record, NULL, LIBFDATA_DATA_HANDLE_FLAG_MANAGED, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED, "%s: unable to create records list.", function ); goto on_error; } /* The chunks_table is managed by the list */ if( libfdata_list_initialize( &( internal_file->recovered_records_list ), (intptr_t *) chunks_table, NULL, NULL, (int (*)(intptr_t *, intptr_t *, libfdata_list_element_t *, libfdata_cache_t *, int, off64_t, size64_t, uint32_t, uint8_t, libcerror_error_t **)) &libevtx_chunks_table_read_record, NULL, LIBFDATA_DATA_HANDLE_FLAG_NON_MANAGED, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED, "%s: unable to create recovered records list.", function ); chunks_table = NULL; goto on_error; } chunks_table = NULL; if( libfcache_cache_initialize( &( internal_file->records_cache ), LIBEVTX_MAXIMUM_CACHE_ENTRIES_RECORDS, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED, "%s: unable to create records cache.", function ); goto on_error; } file_offset = internal_file->io_handle->chunks_data_offset; while( ( file_offset + internal_file->io_handle->chunk_size ) <= (off64_t) file_size ) { if( libevtx_chunk_initialize( &chunk, 
error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED, "%s: unable to create chunk: %" PRIu16 ".", function, chunk_index ); goto on_error; } result = libevtx_chunk_read( chunk, internal_file->io_handle, file_io_handle, file_offset, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_READ_FAILED, "%s: unable to read chunk: %" PRIu16 ".", function, chunk_index ); goto on_error; } else if( result == 0 ) { if( chunk_index < internal_file->io_handle->number_of_chunks ) { #if defined( HAVE_VERBOSE_OUTPUT ) if( libcnotify_verbose != 0 ) { libcnotify_printf( "%s: corruption detected in chunk: %" PRIu16 ".\n", function, chunk_index ); } #endif internal_file->io_handle->flags |= LIBEVTX_IO_HANDLE_FLAG_IS_CORRUPTED; } } else { if( ( chunk->flags & LIBEVTX_CHUNK_FLAG_IS_CORRUPTED ) != 0 ) { #if defined( HAVE_VERBOSE_OUTPUT ) if( libcnotify_verbose != 0 ) { libcnotify_printf( "%s: corruption detected in chunk: %" PRIu16 ".\n", function, chunk_index ); } #endif if( chunk_index < internal_file->io_handle->number_of_chunks ) { internal_file->io_handle->flags |= LIBEVTX_IO_HANDLE_FLAG_IS_CORRUPTED; } } if( ( chunk_index < internal_file->io_handle->number_of_chunks ) || ( ( chunk->flags & LIBEVTX_CHUNK_FLAG_IS_CORRUPTED ) == 0 ) ) { number_of_chunks++; } if( libevtx_chunk_get_number_of_records( chunk, &number_of_records, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve chunk: %" PRIu16 " number of records.", function, chunk_index ); goto on_error; } for( record_index = 0; record_index < number_of_records; record_index++ ) { if( libevtx_chunk_get_record( chunk, record_index, &record_values, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve chunk: %" PRIu16 " record: %" PRIu16 ".", function, 
chunk_index, record_index ); goto on_error; } if( record_values == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING, "%s: missing chunk: %" PRIu16 " record: %" PRIu16 ".", function, chunk_index, record_index ); goto on_error; } if( record_values->identifier < internal_file->io_handle->first_record_identifier ) { internal_file->io_handle->first_record_identifier = record_values->identifier; } if( record_values->identifier > internal_file->io_handle->last_record_identifier ) { internal_file->io_handle->last_record_identifier = record_values->identifier; } #if defined( HAVE_VERBOSE_OUTPUT ) if( ( chunk_index == 0 ) && ( record_index == 0 ) ) { previous_record_identifier = record_values->identifier; } else { previous_record_identifier++; if( record_values->identifier != previous_record_identifier ) { if( libcnotify_verbose != 0 ) { libcnotify_printf( "%s: detected gap in record identifier ( %" PRIu64 " != %" PRIu64 " ).\n", function, previous_record_identifier, record_values->identifier ); } previous_record_identifier = record_values->identifier; } } #endif /* The chunk index is stored in the element data size */ if( ( chunk_index < internal_file->io_handle->number_of_chunks ) || ( ( internal_file->io_handle->file_flags & LIBEVTX_FILE_FLAG_IS_DIRTY ) != 0 ) ) { if( libfdata_list_append_element( internal_file->records_list, &element_index, 0, file_offset + record_values->chunk_data_offset, (size64_t) chunk_index, 0, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_APPEND_FAILED, "%s: unable to append element to records list.", function ); goto on_error; } } else { /* If the file is not dirty, records found in chunks outside the indicated * range are considered recovered */ if( libfdata_list_append_element( internal_file->recovered_records_list, &element_index, 0, file_offset + record_values->chunk_data_offset, (size64_t) chunk_index, 0, error ) != 1 ) { 
libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_APPEND_FAILED, "%s: unable to append element to recovered records list.", function ); goto on_error; } } /* TODO cache record values ? */ } if( libevtx_chunk_get_number_of_recovered_records( chunk, &number_of_records, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve chunk: %" PRIu16 " number of recovered records.", function, chunk_index ); goto on_error; } for( record_index = 0; record_index < number_of_records; record_index++ ) { if( libevtx_chunk_get_recovered_record( chunk, record_index, &record_values, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve chunk: %" PRIu16 " recovered record: %" PRIu16 ".", function, chunk_index, record_index ); goto on_error; } if( record_values == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING, "%s: missing chunk: %" PRIu16 " recovered record: %" PRIu16 ".", function, chunk_index, record_index ); goto on_error; } /* TODO check for and remove duplicate identifiers ? 
*/ /* The chunk index is stored in the element data size */ if( libfdata_list_append_element( internal_file->recovered_records_list, &element_index, 0, file_offset + record_values->chunk_data_offset, (size64_t) chunk_index, 0, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_APPEND_FAILED, "%s: unable to append element to recovered records list.", function ); goto on_error; } } } file_offset += chunk->data_size; if( libevtx_chunk_free( &chunk, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED, "%s: unable to free chunk: %" PRIu16 ".", function, chunk_index ); goto on_error; } chunk_index++; } internal_file->io_handle->chunks_data_size = file_offset - internal_file->io_handle->chunks_data_offset; if( number_of_chunks != internal_file->io_handle->number_of_chunks ) { #if defined( HAVE_VERBOSE_OUTPUT ) if( libcnotify_verbose != 0 ) { libcnotify_printf( "%s: mismatch in number of chunks ( %" PRIu16 " != %" PRIu16 " ).\n", function, internal_file->io_handle->number_of_chunks, chunk_index ); } #endif internal_file->io_handle->flags |= LIBEVTX_IO_HANDLE_FLAG_IS_CORRUPTED; } #if defined( HAVE_DEBUG_OUTPUT ) if( libcnotify_verbose != 0 ) { if( file_offset < (off64_t) file_size ) { trailing_data_size = (size_t) ( file_size - file_offset ); if( trailing_data_size > (size_t) MEMORY_MAXIMUM_ALLOCATION_SIZE ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS, "%s: invalid trailing data size value exceeds maximum allocation size.", function ); goto on_error; } trailing_data = (uint8_t *) memory_allocate( sizeof( uint8_t ) * trailing_data_size ); if( trailing_data == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_INSUFFICIENT, "%s: unable to create trailing data.", function ); goto on_error; } read_count = libbfio_handle_read_buffer( file_io_handle, trailing_data, 
trailing_data_size,
			              error );

			if( read_count != (ssize_t) trailing_data_size )
			{
				libcerror_error_set(
				 error,
				 LIBCERROR_ERROR_DOMAIN_IO,
				 LIBCERROR_IO_ERROR_READ_FAILED,
				 "%s: unable to read trailing data.",
				 function );

				goto on_error;
			}
			file_offset += read_count;

			libcnotify_printf(
			 "%s: trailing data:\n",
			 function );
			libcnotify_print_data(
			 trailing_data,
			 trailing_data_size,
			 LIBCNOTIFY_PRINT_DATA_FLAG_GROUP_DATA );

			memory_free(
			 trailing_data );

			trailing_data = NULL;
		}
	}
#endif /* defined( HAVE_DEBUG_OUTPUT ) */

	return( 1 );

on_error:
#if defined( HAVE_DEBUG_OUTPUT )
	if( trailing_data != NULL )
	{
		memory_free(
		 trailing_data );
	}
#endif
	if( chunk != NULL )
	{
		libevtx_chunk_free(
		 &chunk,
		 NULL );
	}
	if( internal_file->records_cache != NULL )
	{
		libfcache_cache_free(
		 &( internal_file->records_cache ),
		 NULL );
	}
	if( internal_file->recovered_records_list != NULL )
	{
		libfdata_list_free(
		 &( internal_file->recovered_records_list ),
		 NULL );
	}
	if( internal_file->records_list != NULL )
	{
		libfdata_list_free(
		 &( internal_file->records_list ),
		 NULL );
	}
	if( chunks_table != NULL )
	{
		libevtx_chunks_table_free(
		 &chunks_table,
		 NULL );
	}
	if( internal_file->chunks_cache != NULL )
	{
		libfcache_cache_free(
		 &( internal_file->chunks_cache ),
		 NULL );
	}
	if( internal_file->chunks_vector != NULL )
	{
		libfdata_vector_free(
		 &( internal_file->chunks_vector ),
		 NULL );
	}
	return( -1 );
}

/* Determines if the file was flagged as corrupted while it was read
 *
 * Only tests LIBEVTX_IO_HANDLE_FLAG_IS_CORRUPTED in the IO handle flags.
 * The flag is raised by the read code, not by this function, for instance
 * when the number of chunks found differs from the number in the file header.
 * The read continues after the flag is set, so a caller that needs to know
 * whether the returned records come from a damaged or altered file has to
 * call this function explicitly.
 *
 * Returns 1 if corrupted, 0 if not or -1 on error
 */
int libevtx_file_is_corrupted(
     libevtx_file_t *file,
     libcerror_error_t **error )
{
	static char *function          = "libevtx_file_is_corrupted";
	libevtx_io_handle_t *io_handle = NULL;

	if( file == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid file.",
		 function );

		return( -1 );
	}
	io_handle = ( (libevtx_internal_file_t *) file )->io_handle;

	if( io_handle == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
		 "%s: invalid file - missing IO handle.",
		 function );

		return( -1 );
	}
	return( ( ( io_handle->flags & LIBEVTX_IO_HANDLE_FLAG_IS_CORRUPTED ) != 0 ) ? 1 : 0 );
}

/* Retrieves the ASCII codepage stored in the IO handle of the file
 *
 * file and ascii_codepage must not be NULL and the file must have an IO handle.
 *
 * Returns 1 if successful or -1 on error
 */
int libevtx_file_get_ascii_codepage(
     libevtx_file_t *file,
     int *ascii_codepage,
     libcerror_error_t **error )
{
	static char *function          = "libevtx_file_get_ascii_codepage";
	libevtx_io_handle_t *io_handle = NULL;

	if( file == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid file.",
		 function );

		return( -1 );
	}
	io_handle = ( (libevtx_internal_file_t *) file )->io_handle;

	if( io_handle == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
		 "%s: invalid file - missing IO handle.",
		 function );

		return( -1 );
	}
	if( ascii_codepage == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid ASCII codepage.",
		 function );

		return( -1 );
	}
	*ascii_codepage = io_handle->ascii_codepage;

	return( 1 );
}

/* Sets the ASCII codepage in the IO handle of the file
 *
 * The value is checked against a fixed allow-list of codepages, any other
 * value is rejected with an unsupported value error and the stored codepage
 * is left untouched.
 *
 * Returns 1 if successful or -1 on error
 */
int libevtx_file_set_ascii_codepage(
     libevtx_file_t *file,
     int ascii_codepage,
     libcerror_error_t **error )
{
	/* The codepages this function accepts, in the order they are tested
	 */
	const int supported_codepages[] = {
		LIBEVTX_CODEPAGE_ASCII,
		LIBEVTX_CODEPAGE_WINDOWS_874,
		LIBEVTX_CODEPAGE_WINDOWS_932,
		LIBEVTX_CODEPAGE_WINDOWS_936,
		LIBEVTX_CODEPAGE_WINDOWS_949,
		LIBEVTX_CODEPAGE_WINDOWS_950,
		LIBEVTX_CODEPAGE_WINDOWS_1250,
		LIBEVTX_CODEPAGE_WINDOWS_1251,
		LIBEVTX_CODEPAGE_WINDOWS_1252,
		LIBEVTX_CODEPAGE_WINDOWS_1253,
		LIBEVTX_CODEPAGE_WINDOWS_1254,
		LIBEVTX_CODEPAGE_WINDOWS_1255,
		LIBEVTX_CODEPAGE_WINDOWS_1256,
		LIBEVTX_CODEPAGE_WINDOWS_1257,
		LIBEVTX_CODEPAGE_WINDOWS_1258 };

	static char *function          = "libevtx_file_set_ascii_codepage";
	libevtx_io_handle_t *io_handle = NULL;
	size_t codepage_index          = 0;
	size_t number_of_codepages     = sizeof( supported_codepages ) / sizeof( supported_codepages[ 0 ] );
	int is_supported               = 0;

	if( file == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid file.",
		 function );

		return( -1 );
	}
	io_handle = ( (libevtx_internal_file_t *) file )->io_handle;

	if( io_handle == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
		 "%s: invalid file - missing IO handle.",
		 function );

		return( -1 );
	}
	for( codepage_index = 0;
	     codepage_index < number_of_codepages;
	     codepage_index++ )
	{
		if( ascii_codepage == supported_codepages[ codepage_index ] )
		{
			is_supported = 1;

			break;
		}
	}
	if( is_supported == 0 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_UNSUPPORTED_VALUE,
		 "%s: unsupported ASCII codepage.",
		 function );

		return( -1 );
	}
	io_handle->ascii_codepage = ascii_codepage;

	return( 1 );
}

/* Retrieves the format version stored in the IO handle of the file
 *
 * Copies io_handle->major_version and io_handle->minor_version,
 * both output arguments must not be NULL.
 *
 * Returns 1 if successful or -1 on error
 */
int libevtx_file_get_format_version(
     libevtx_file_t *file,
     uint16_t *major_version,
     uint16_t *minor_version,
     libcerror_error_t **error )
{
	static char *function          = "libevtx_file_get_format_version";
	libevtx_io_handle_t *io_handle = NULL;

	if( file == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid file.",
		 function );

		return( -1 );
	}
	io_handle = ( (libevtx_internal_file_t *) file )->io_handle;

	if( io_handle == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
		 "%s: invalid file - missing IO handle.",
		 function );

		return( -1 );
	}
	if( major_version == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid major version.",
		 function );

		return( -1 );
	}
	if( minor_version == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid minor version.",
		 function );

		return( -1 );
	}
	*major_version = io_handle->major_version;
	*minor_version = io_handle->minor_version;

	return( 1 );
}

/* Retrieves the file version
 *
 * Reads the same two IO handle fields as libevtx_file_get_format_version,
 * only the function name used in error messages differs.
 *
 * Returns 1 if successful or -1 on error
 */
int libevtx_file_get_version(
     libevtx_file_t *file,
     uint16_t *major_version,
     uint16_t *minor_version,
     libcerror_error_t **error )
{
	static char *function          = "libevtx_file_get_version";
	libevtx_io_handle_t *io_handle = NULL;

	if( file == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid file.",
		 function );

		return( -1 );
	}
	io_handle = ( (libevtx_internal_file_t *) file )->io_handle;

	if( io_handle == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
		 "%s: invalid file - missing IO handle.",
		 function );

		return( -1 );
	}
	if( major_version == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid major version.",
		 function );

		return( -1 );
	}
	if( minor_version == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid minor version.",
		 function );

		return( -1 );
	}
	*major_version = io_handle->major_version;
	*minor_version = io_handle->minor_version;

	return( 1 );
}

/* Retrieves the flags
 *
 * Returns io_handle->file_flags, which is a different field than the
 * io_handle->flags value tested by libevtx_file_is_corrupted.
 *
 * Returns 1 if successful or -1 on error
 */
int libevtx_file_get_flags(
     libevtx_file_t *file,
     uint32_t *flags,
     libcerror_error_t **error )
{
	static char *function          = "libevtx_file_get_flags";
	libevtx_io_handle_t *io_handle = NULL;

	if( file == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid file.",
		 function );

		return( -1 );
	}
	io_handle = ( (libevtx_internal_file_t *) file )->io_handle;

	if( io_handle == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
		 "%s: invalid file - missing IO handle.",
		 function );

		return( -1 );
	}
	if( flags == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid flags.",
		 function );

		return( -1 );
	}
	*flags = io_handle->file_flags;

	return( 1 );
}

/* Retrieves the number of records
 *
 * The records list and number_of_records are handed to libfdata as is,
 * this function itself only checks file for NULL.
 *
 * Returns 1 if successful or -1 on error
 */
int libevtx_file_get_number_of_records(
     libevtx_file_t *file,
     int *number_of_records,
     libcerror_error_t **error )
{
	static char *function         = "libevtx_file_get_number_of_records";
	libfdata_list_t *records_list = NULL;

	if( file == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid file.",
		 function );

		return( -1 );
	}
	records_list = ( (libevtx_internal_file_t *) file )->records_list;

	if( libfdata_list_get_number_of_elements(
	     records_list,
	     number_of_records,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve number of records.",
		 function );

		return( -1 );
	}
	return( 1 );
}

/* Retrieves a specific record
 *
 * Looks up the record values for record_index in the records list, using the
 * records cache, and wraps them in a new record object stored in *record.
 * record_index is not range checked here, it is passed to libfdata as is.
 * Same lookup as libevtx_file_get_record_by_index.
 *
 * Returns 1 if successful or -1 on error
 */
int libevtx_file_get_record(
     libevtx_file_t *file,
     int record_index,
     libevtx_record_t **record,
     libcerror_error_t **error )
{
	static char *function              = "libevtx_file_get_record";
	libevtx_internal_file_t *file_impl = NULL;
	libevtx_record_values_t *values    = NULL;

	if( file == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid file.",
		 function );

		return( -1 );
	}
	file_impl = (libevtx_internal_file_t *) file;

	if( record == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record.",
		 function );

		return( -1 );
	}
	if( libfdata_list_get_element_value_by_index(
	     file_impl->records_list,
	     (intptr_t *) file_impl->file_io_handle,
	     (libfdata_cache_t *) file_impl->records_cache,
	     record_index,
	     (intptr_t **) &values,
	     0,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve record values: %d.",
		 function,
		 record_index );

		return( -1 );
	}
	if( libevtx_record_initialize(
	     record,
	     file_impl->io_handle,
	     file_impl->file_io_handle,
	     values,
	     LIBEVTX_RECORD_FLAGS_DEFAULT,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
		 "%s: unable to create record.",
		 function );

		return( -1 );
	}
	return( 1 );
}

/* Retrieves a specific record by its index in the records list
 *
 * Looks up the record values for record_index in the records list, using the
 * records cache, and wraps them in a new record object stored in *record.
 * record_index is not range checked here, it is passed to libfdata as is.
 *
 * Returns 1 if successful or -1 on error
 */
int libevtx_file_get_record_by_index(
     libevtx_file_t *file,
     int record_index,
     libevtx_record_t **record,
     libcerror_error_t **error )
{
	static char *function              = "libevtx_file_get_record_by_index";
	libevtx_internal_file_t *file_impl = NULL;
	libevtx_record_values_t *values    = NULL;

	if( file == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid file.",
		 function );

		return( -1 );
	}
	file_impl = (libevtx_internal_file_t *) file;

	if( record == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record.",
		 function );

		return( -1 );
	}
	if( libfdata_list_get_element_value_by_index(
	     file_impl->records_list,
	     (intptr_t *) file_impl->file_io_handle,
	     (libfdata_cache_t *) file_impl->records_cache,
	     record_index,
	     (intptr_t **) &values,
	     0,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve record values: %d.",
		 function,
		 record_index );

		return( -1 );
	}
	if( libevtx_record_initialize(
	     record,
	     file_impl->io_handle,
	     file_impl->file_io_handle,
	     values,
	     LIBEVTX_RECORD_FLAGS_DEFAULT,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
		 "%s: unable to create record.",
		 function );

		return( -1 );
	}
	return( 1 );
}

/* Retrieves the number of recovered records
 *
 * Counts the elements of the recovered records list, which is kept
 * separately from the regular records list.
 *
 * Returns 1 if successful or -1 on error
 */
int libevtx_file_get_number_of_recovered_records(
     libevtx_file_t *file,
     int *number_of_records,
     libcerror_error_t **error )
{
	static char *function           = "libevtx_file_get_number_of_recovered_records";
	libfdata_list_t *recovered_list = NULL;

	if( file == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid file.",
		 function );

		return( -1 );
	}
	recovered_list = ( (libevtx_internal_file_t *) file )->recovered_records_list;

	if( libfdata_list_get_number_of_elements(
	     recovered_list,
	     number_of_records,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve number of records.",
		 function );

		return( -1 );
	}
	return( 1 );
}

/* Retrieves a specific recovered record
 *
 * Same lookup as libevtx_file_get_record but on the recovered records list,
 * the records cache is the one the regular records use as well.
 * record_index is not range checked here, it is passed to libfdata as is.
 *
 * Returns 1 if successful or -1 on error
 */
int libevtx_file_get_recovered_record(
     libevtx_file_t *file,
     int record_index,
     libevtx_record_t **record,
     libcerror_error_t **error )
{
	static char *function              = "libevtx_file_get_recovered_record";
	libevtx_internal_file_t *file_impl = NULL;
	libevtx_record_values_t *values    = NULL;

	if( file == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid file.",
		 function );

		return( -1 );
	}
	file_impl = (libevtx_internal_file_t *) file;

	if( record == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record.",
		 function );

		return( -1 );
	}
	if( libfdata_list_get_element_value_by_index(
	     file_impl->recovered_records_list,
	     (intptr_t *) file_impl->file_io_handle,
	     (libfdata_cache_t *) file_impl->records_cache,
	     record_index,
	     (intptr_t **) &values,
	     0,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve record values: %d.",
		 function,
		 record_index );

		return( -1 );
	}
	if( libevtx_record_initialize(
	     record,
	     file_impl->io_handle,
	     file_impl->file_io_handle,
	     values,
	     LIBEVTX_RECORD_FLAGS_DEFAULT,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
		 "%s: unable to create record.",
		 function );

		return( -1 );
	}
	return( 1 );
}

/* Retrieves a specific recovered record by its index in the recovered records list
 *
 * Same lookup as libevtx_file_get_record_by_index but on the recovered
 * records list, the records cache is the one the regular records use as well.
 * record_index is not range checked here, it is passed to libfdata as is.
 *
 * Returns 1 if successful or -1 on error
 */
int libevtx_file_get_recovered_record_by_index(
     libevtx_file_t *file,
     int record_index,
     libevtx_record_t **record,
     libcerror_error_t **error )
{
	static char *function              = "libevtx_file_get_recovered_record_by_index";
	libevtx_internal_file_t *file_impl = NULL;
	libevtx_record_values_t *values    = NULL;

	if( file == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid file.",
		 function );

		return( -1 );
	}
	file_impl = (libevtx_internal_file_t *) file;

	if( record == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record.",
		 function );

		return( -1 );
	}
	if( libfdata_list_get_element_value_by_index(
	     file_impl->recovered_records_list,
	     (intptr_t *) file_impl->file_io_handle,
	     (libfdata_cache_t *) file_impl->records_cache,
	     record_index,
	     (intptr_t **) &values,
	     0,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve record values: %d.",
		 function,
		 record_index );

		return( -1 );
	}
	if( libevtx_record_initialize(
	     record,
	     file_impl->io_handle,
	     file_impl->file_io_handle,
	     values,
	     LIBEVTX_RECORD_FLAGS_DEFAULT,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
		 "%s: unable to create record.",
		 function );

		return( -1 );
	}
	return( 1 );
}

================================================
FILE: libevtx/libevtx_file.h
================================================
/*
 * File functions
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see .
*/ #if !defined( _LIBEVTX_INTERNAL_FILE_H ) #define _LIBEVTX_INTERNAL_FILE_H #include #include #include "libevtx_extern.h" #include "libevtx_io_handle.h" #include "libevtx_libbfio.h" #include "libevtx_libcerror.h" #include "libevtx_libfcache.h" #include "libevtx_libfdata.h" #if defined( __cplusplus ) extern "C" { #endif typedef struct libevtx_internal_file libevtx_internal_file_t; struct libevtx_internal_file { /* The IO handle */ libevtx_io_handle_t *io_handle; /* The file IO handle */ libbfio_handle_t *file_io_handle; /* Value to indicate if the file IO handle was created inside the library */ uint8_t file_io_handle_created_in_library; /* Value to indicate if the file IO handle was opened inside the library */ uint8_t file_io_handle_opened_in_library; /* The chunks vector */ libfdata_vector_t *chunks_vector; /* The chunks cache */ libfcache_cache_t *chunks_cache; /* The records list */ libfdata_list_t *records_list; /* The recovered records list */ libfdata_list_t *recovered_records_list; /* The records cache */ libfcache_cache_t *records_cache; }; LIBEVTX_EXTERN \ int libevtx_file_initialize( libevtx_file_t **file, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_file_free( libevtx_file_t **file, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_file_signal_abort( libevtx_file_t *file, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_file_open( libevtx_file_t *file, const char *filename, int access_flags, libcerror_error_t **error ); #if defined( HAVE_WIDE_CHARACTER_TYPE ) LIBEVTX_EXTERN \ int libevtx_file_open_wide( libevtx_file_t *file, const wchar_t *filename, int access_flags, libcerror_error_t **error ); #endif /* defined( HAVE_WIDE_CHARACTER_TYPE ) */ LIBEVTX_EXTERN \ int libevtx_file_open_file_io_handle( libevtx_file_t *file, libbfio_handle_t *file_io_handle, int access_flags, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_file_close( libevtx_file_t *file, libcerror_error_t **error ); int libevtx_file_open_read( 
libevtx_internal_file_t *internal_file, libbfio_handle_t *file_io_handle, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_file_is_corrupted( libevtx_file_t *file, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_file_get_ascii_codepage( libevtx_file_t *file, int *ascii_codepage, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_file_set_ascii_codepage( libevtx_file_t *file, int ascii_codepage, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_file_get_format_version( libevtx_file_t *file, uint16_t *major_version, uint16_t *minor_version, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_file_get_version( libevtx_file_t *file, uint16_t *major_version, uint16_t *minor_version, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_file_get_flags( libevtx_file_t *file, uint32_t *flags, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_file_get_number_of_records( libevtx_file_t *file, int *number_of_records, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_file_get_record( libevtx_file_t *file, int record_index, libevtx_record_t **record, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_file_get_record_by_index( libevtx_file_t *file, int record_index, libevtx_record_t **record, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_file_get_number_of_recovered_records( libevtx_file_t *file, int *number_of_records, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_file_get_recovered_record( libevtx_file_t *file, int record_index, libevtx_record_t **record, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_file_get_recovered_record_by_index( libevtx_file_t *file, int record_index, libevtx_record_t **record, libcerror_error_t **error ); #if defined( __cplusplus ) } #endif #endif /* !defined( _LIBEVTX_INTERNAL_FILE_H ) */ ================================================ FILE: libevtx/libevtx_i18n.c ================================================ /* * Internationalization (i18n) 
functions
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see .
 */

/* NOTE(review): the header names of the bare #include lines in this file
 * are missing from this listing
 */
#include
#include

#if defined( HAVE_LIBINTL_H ) && defined( ENABLE_NLS )
#include
#endif

#include "libevtx_i18n.h"
#include "libevtx_libcerror.h"

/* Set to 1 after the first successful call of libevtx_i18n_initialize
 */
static int libevtx_i18n_initialized = 0;

/* Initializes library internationalization functions
 *
 * The first successful call binds the "libevtx" text domain to LOCALEDIR,
 * when the build defines HAVE_BINDTEXTDOMAIN and LOCALEDIR, and records that
 * in libevtx_i18n_initialized. Later calls return without doing anything.
 * The flag is a plain static int, this function takes no lock around it.
 *
 * Returns 1 if successful or -1 on error
 */
int libevtx_i18n_initialize(
     libcerror_error_t **error )
{
	static char *function = "libevtx_i18n_initialize";

	if( libevtx_i18n_initialized != 0 )
	{
		return( 1 );
	}
#if defined( HAVE_BINDTEXTDOMAIN ) && defined( LOCALEDIR )
	if( bindtextdomain(
	     "libevtx",
	     LOCALEDIR ) == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_SET_FAILED,
		 "%s: unable to bind text domain.",
		 function );

		return( -1 );
	}
#endif /* defined( HAVE_BINDTEXTDOMAIN ) && defined( LOCALEDIR ) */

	libevtx_i18n_initialized = 1;

	return( 1 );
}

================================================
FILE: libevtx/libevtx_i18n.h
================================================
/*
 * Internationalization (i18n) functions
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
* * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . */ #if !defined( _LIBEVTX_I18N_H ) #define _LIBEVTX_I18N_H #include #include #if defined( HAVE_LIBINTL_H ) && defined( ENABLE_NLS ) #include #endif #include "libevtx_libcerror.h" /* TODO #include #define _( string ) \ dgettext( "libevtx", string ) */ #define _( string ) \ string #if defined( __cplusplus ) extern "C" { #endif int libevtx_i18n_initialize( libcerror_error_t **error ); #if defined( __cplusplus ) } #endif #endif /* !defined( _LIBEVTX_I18N_H ) */ ================================================ FILE: libevtx/libevtx_io_handle.c ================================================ /* * Input/Output (IO) handle functions * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #include #include #include #include #include "libevtx_checksum.h" #include "libevtx_chunk.h" #include "libevtx_codepage.h" #include "libevtx_debug.h" #include "libevtx_definitions.h" #include "libevtx_io_handle.h" #include "libevtx_libbfio.h" #include "libevtx_libcerror.h" #include "libevtx_libcnotify.h" #include "libevtx_libfdata.h" #include "libevtx_unused.h" #include "evtx_file_header.h" const uint8_t *evtx_file_signature = (uint8_t *) "ElfFile"; /* Creates an IO handle * Make sure the value io_handle is referencing, is set to NULL * Returns 1 if successful or -1 on error */ int libevtx_io_handle_initialize( libevtx_io_handle_t **io_handle, libcerror_error_t **error ) { static char *function = "libevtx_io_handle_initialize"; if( io_handle == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid IO handle.", function ); return( -1 ); } if( *io_handle != NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET, "%s: invalid IO handle value already set.", function ); return( -1 ); } *io_handle = memory_allocate_structure( libevtx_io_handle_t ); if( *io_handle == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_INSUFFICIENT, "%s: unable to create IO handle.", function ); goto on_error; } if( memory_set( *io_handle, 0, sizeof( libevtx_io_handle_t ) ) == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_SET_FAILED, "%s: unable to clear IO handle.", function ); goto on_error; } ( *io_handle )->chunk_size = 0x00010000UL; ( *io_handle )->ascii_codepage = LIBEVTX_CODEPAGE_WINDOWS_1252; return( 1 ); on_error: if( *io_handle != NULL ) { memory_free( *io_handle ); *io_handle = NULL; } return( -1 ); } /* Frees an IO handle * Returns 1 if successful or -1 on error */ int libevtx_io_handle_free( libevtx_io_handle_t **io_handle, libcerror_error_t **error ) { static char 
*function = "libevtx_io_handle_free"; int result = 1; if( io_handle == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid IO handle.", function ); return( -1 ); } if( *io_handle != NULL ) { memory_free( *io_handle ); *io_handle = NULL; } return( result ); } /* Clears the IO handle * Returns 1 if successful or -1 on error */ int libevtx_io_handle_clear( libevtx_io_handle_t *io_handle, libcerror_error_t **error ) { static char *function = "libevtx_io_handle_clear"; if( io_handle == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid IO handle.", function ); return( -1 ); } if( memory_set( io_handle, 0, sizeof( libevtx_io_handle_t ) ) == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_SET_FAILED, "%s: unable to clear IO handle.", function ); return( -1 ); } io_handle->chunk_size = 0x00010000UL; io_handle->ascii_codepage = LIBEVTX_CODEPAGE_WINDOWS_1252; return( 1 ); } /* Reads the file (or database) header * Returns 1 if successful or -1 on error */ int libevtx_io_handle_read_file_header( libevtx_io_handle_t *io_handle, libbfio_handle_t *file_io_handle, off64_t file_offset, libcerror_error_t **error ) { uint8_t *file_header_data = NULL; static char *function = "libevtx_io_handle_read_file_header"; size_t read_size = 4096; ssize_t read_count = 0; uint32_t calculated_checksum = 0; uint32_t stored_checksum = 0; uint16_t first_chunk_number = 0; uint16_t last_chunk_number = 0; #if defined( HAVE_DEBUG_OUTPUT ) uint64_t value_64bit = 0; uint32_t value_32bit = 0; #endif if( io_handle == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid IO handle.", function ); return( -1 ); } file_header_data = (uint8_t *) memory_allocate( sizeof( uint8_t ) * read_size ); if( file_header_data == NULL ) { libcerror_error_set( error, 
LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_INSUFFICIENT, "%s: unable to create file header data.", function ); return( -1 ); } #if defined( HAVE_DEBUG_OUTPUT ) if( libcnotify_verbose != 0 ) { libcnotify_printf( "%s: reading file header at offset: %" PRIi64 " (0x%08" PRIx64 ")\n", function, file_offset, file_offset ); } #endif read_count = libbfio_handle_read_buffer_at_offset( file_io_handle, file_header_data, read_size, file_offset, error ); if( read_count != (ssize_t) read_size ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_READ_FAILED, "%s: unable to read file header at offset: %" PRIi64 " (0x%08" PRIx64 ").", function, file_offset, file_offset ); goto on_error; } #if defined( HAVE_DEBUG_OUTPUT ) if( libcnotify_verbose != 0 ) { libcnotify_printf( "%s: file header data:\n", function ); libcnotify_print_data( file_header_data, sizeof( evtx_file_header_t ), LIBCNOTIFY_PRINT_DATA_FLAG_GROUP_DATA ); } #endif if( memory_compare( ( (evtx_file_header_t *) file_header_data )->signature, evtx_file_signature, 8 ) != 0 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_UNSUPPORTED_VALUE, "%s: unsupported file signature.", function ); goto on_error; } byte_stream_copy_to_uint64_little_endian( ( (evtx_file_header_t *) file_header_data )->first_chunk_number, first_chunk_number ); byte_stream_copy_to_uint64_little_endian( ( (evtx_file_header_t *) file_header_data )->last_chunk_number, last_chunk_number ); byte_stream_copy_to_uint16_little_endian( ( (evtx_file_header_t *) file_header_data )->minor_version, io_handle->minor_version ); byte_stream_copy_to_uint16_little_endian( ( (evtx_file_header_t *) file_header_data )->major_version, io_handle->major_version ); byte_stream_copy_to_uint16_little_endian( ( (evtx_file_header_t *) file_header_data )->header_block_size, io_handle->chunks_data_offset ); byte_stream_copy_to_uint16_little_endian( ( (evtx_file_header_t *) file_header_data )->number_of_chunks, 
io_handle->number_of_chunks ); byte_stream_copy_to_uint32_little_endian( ( (evtx_file_header_t *) file_header_data )->file_flags, io_handle->file_flags ); byte_stream_copy_to_uint32_little_endian( ( (evtx_file_header_t *) file_header_data )->checksum, stored_checksum ); #if defined( HAVE_DEBUG_OUTPUT ) if( libcnotify_verbose != 0 ) { libcnotify_printf( "%s: signature\t\t\t\t: %c%c%c%c%c%c%c\\x%02x\n", function, ( (evtx_file_header_t *) file_header_data )->signature[ 0 ], ( (evtx_file_header_t *) file_header_data )->signature[ 1 ], ( (evtx_file_header_t *) file_header_data )->signature[ 2 ], ( (evtx_file_header_t *) file_header_data )->signature[ 3 ], ( (evtx_file_header_t *) file_header_data )->signature[ 4 ], ( (evtx_file_header_t *) file_header_data )->signature[ 5 ] , ( (evtx_file_header_t *) file_header_data )->signature[ 6 ] , ( (evtx_file_header_t *) file_header_data )->signature[ 7 ] ); libcnotify_printf( "%s: first chunk number\t\t\t: %" PRIu64 "\n", function, first_chunk_number ); libcnotify_printf( "%s: last chunk number\t\t\t: %" PRIu64 "\n", function, last_chunk_number ); byte_stream_copy_to_uint64_little_endian( ( (evtx_file_header_t *) file_header_data )->next_record_identifier, value_64bit ); libcnotify_printf( "%s: next record identifier\t\t: %" PRIu64 "\n", function, value_64bit ); byte_stream_copy_to_uint32_little_endian( ( (evtx_file_header_t *) file_header_data )->header_size, value_32bit ); libcnotify_printf( "%s: header size\t\t\t\t: %" PRIu32 "\n", function, value_32bit ); libcnotify_printf( "%s: minor version\t\t\t: %" PRIu16 "\n", function, io_handle->minor_version ); libcnotify_printf( "%s: major version\t\t\t: %" PRIu16 "\n", function, io_handle->major_version ); libcnotify_printf( "%s: header block size\t\t\t: %" PRIi64 "\n", function, io_handle->chunks_data_offset ); libcnotify_printf( "%s: number of chunks\t\t\t: %" PRIu16 "\n", function, io_handle->number_of_chunks ); libcnotify_printf( "%s: unknown1:\n", function ); 
libcnotify_print_data( ( (evtx_file_header_t *) file_header_data )->unknown1, 76, LIBCNOTIFY_PRINT_DATA_FLAG_GROUP_DATA ); libcnotify_printf( "%s: file flags\t\t\t\t: 0x%08" PRIx32 "\n", function, io_handle->file_flags ); libevtx_debug_print_file_flags( io_handle->file_flags ); libcnotify_printf( "\n" ); libcnotify_printf( "%s: checksum\t\t\t\t: 0x%08" PRIx32 "\n", function, stored_checksum ); libcnotify_printf( "\n" ); } #endif /* defined( HAVE_DEBUG_OUTPUT ) */ if( libevtx_checksum_calculate_little_endian_crc32( &calculated_checksum, file_header_data, 120, 0, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to calculate CRC-32 checksum.", function ); goto on_error; } if( stored_checksum != calculated_checksum ) { #if defined( HAVE_VERBOSE_OUTPUT ) if( libcnotify_verbose != 0 ) { libcnotify_printf( "%s: mismatch in file header CRC-32 checksum ( 0x%08" PRIx32 " != 0x%08" PRIx32 " ).\n", function, stored_checksum, calculated_checksum ); } #endif io_handle->flags |= LIBEVTX_IO_HANDLE_FLAG_IS_CORRUPTED; } #if defined( HAVE_DEBUG_OUTPUT ) if( libcnotify_verbose != 0 ) { libcnotify_printf( "%s: trailing data:\n", function ); libcnotify_print_data( &( file_header_data[ sizeof( evtx_file_header_t ) ] ), read_size - sizeof( evtx_file_header_t ), LIBCNOTIFY_PRINT_DATA_FLAG_GROUP_DATA ); } #endif if( first_chunk_number > last_chunk_number ) { #if defined( HAVE_VERBOSE_OUTPUT ) if( libcnotify_verbose != 0 ) { libcnotify_printf( "%s: first chunk number: %" PRIu16 " exceeds last chunk number: %" PRIu16 ".\n", function, first_chunk_number, last_chunk_number ); } #endif io_handle->flags |= LIBEVTX_IO_HANDLE_FLAG_IS_CORRUPTED; } else if( io_handle->number_of_chunks != ( last_chunk_number - first_chunk_number + 1 ) ) { #if defined( HAVE_VERBOSE_OUTPUT ) if( libcnotify_verbose != 0 ) { libcnotify_printf( "%s: mismatch in number of chunks ( %" PRIu16 " != %" PRIu16 " ).\n", function, 
io_handle->number_of_chunks, last_chunk_number - first_chunk_number + 1 ); } #endif io_handle->flags |= LIBEVTX_IO_HANDLE_FLAG_IS_CORRUPTED; } memory_free( file_header_data ); file_header_data = NULL; return( 1 ); on_error: if( file_header_data != NULL ) { memory_free( file_header_data ); } return( -1 ); }

/* Reads a single chunk on behalf of the chunk vector
 *
 * Creates a chunk object, fills it from file_io_handle at
 * element_data_offset and stores it in the vector at element_index.
 * The chunk is stored together with libevtx_chunk_free and
 * LIBFDATA_LIST_ELEMENT_VALUE_FLAG_MANAGED, so after a successful store
 * this function no longer frees it (presumably the vector or cache does).
 * On any failure the chunk created here is freed before returning.
 *
 * element_data_file_index, element_data_size, element_data_flags and
 * read_flags are part of the callback signature but are not used.
 *
 * Returns 1 if successful or -1 on error
 */
int libevtx_io_handle_read_chunk(
     libevtx_io_handle_t *io_handle,
     libbfio_handle_t *file_io_handle,
     libfdata_vector_t *vector,
     libfdata_cache_t *cache,
     int element_index,
     int element_data_file_index LIBEVTX_ATTRIBUTE_UNUSED,
     off64_t element_data_offset,
     size64_t element_data_size LIBEVTX_ATTRIBUTE_UNUSED,
     uint32_t element_data_flags LIBEVTX_ATTRIBUTE_UNUSED,
     uint8_t read_flags LIBEVTX_ATTRIBUTE_UNUSED,
     libcerror_error_t **error )
{
	libevtx_chunk_t *new_chunk = NULL;
	static char *function      = "libevtx_io_handle_read_chunk";
	int result                 = -1;

	LIBEVTX_UNREFERENCED_PARAMETER( element_data_file_index );
	LIBEVTX_UNREFERENCED_PARAMETER( element_data_size );
	LIBEVTX_UNREFERENCED_PARAMETER( element_data_flags );
	LIBEVTX_UNREFERENCED_PARAMETER( read_flags );

	/* The three steps run in order, the first one that fails
	 * records its error and skips the remaining steps
	 */
	if( libevtx_chunk_initialize(
	     &new_chunk,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
		 "%s: unable to create chunk.",
		 function );
	}
	else if( libevtx_chunk_read(
	          new_chunk,
	          io_handle,
	          file_io_handle,
	          element_data_offset,
	          error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_IO,
		 LIBCERROR_IO_ERROR_READ_FAILED,
		 "%s: unable to read chunk.",
		 function );
	}
	else if( libfdata_vector_set_element_value_by_index(
	          vector,
	          (intptr_t *) file_io_handle,
	          cache,
	          element_index,
	          (intptr_t *) new_chunk,
	          (int (*)(intptr_t **, libcerror_error_t **)) &libevtx_chunk_free,
	          LIBFDATA_LIST_ELEMENT_VALUE_FLAG_MANAGED,
	          error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_SET_FAILED,
		 "%s: unable to set chunk as element value.",
		 function );
	}
	else
	{
		result = 1;
	}
	/* Only a chunk that was not stored in the vector is released here
	 */
	if( ( result != 1 )
	 && ( new_chunk != NULL ) )
	{
		libevtx_chunk_free(
		 &new_chunk,
		 NULL );
	}
	return( result );
}

================================================
FILE: libevtx/libevtx_io_handle.h
================================================
/*
 * Input/Output (IO) handle functions
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see .
*/

#if !defined( _LIBEVTX_IO_HANDLE_H )
#define _LIBEVTX_IO_HANDLE_H

#include
#include

#include "libevtx_libbfio.h"
#include "libevtx_libcerror.h"
#include "libevtx_libfdata.h"

#if defined( __cplusplus )
extern "C" {
#endif

/* The signature an EVTX file header has to start with
 * libevtx_io_handle_read_file_header compares the first 8 bytes
 * of the header against it and fails on a mismatch
 */
extern const uint8_t *evtx_file_signature;

typedef struct libevtx_io_handle libevtx_io_handle_t;

/* State shared by the functions that read an EVTX file
 *
 * The versions, the number of chunks, the chunks data offset and the
 * file flags are copied from the on-disk file header by
 * libevtx_io_handle_read_file_header, they are values taken from the
 * file being parsed and not constants
 */
struct libevtx_io_handle
{
	/* The major version
	 * 16-bit little-endian value read from the file header
	 */
	uint16_t major_version;

	/* The minor version
	 * 16-bit little-endian value read from the file header
	 */
	uint16_t minor_version;

	/* The number of chunks
	 * 16-bit little-endian value read from the file header, it is compared
	 * with ( last chunk number - first chunk number + 1 ) and a mismatch
	 * only marks the handle as corrupted
	 */
	uint16_t number_of_chunks;

	/* The chunks data offset
	 * Filled from the 16-bit header block size field of the file header
	 */
	off64_t chunks_data_offset;

	/* The chunks data size
	 */
	size64_t chunks_data_size;

	/* The file flags
	 * 32-bit little-endian value read from the file header
	 */
	uint32_t file_flags;

	/* The chunk size
	 */
	uint32_t chunk_size;

	/* Various flags
	 * libevtx_io_handle_read_file_header sets
	 * LIBEVTX_IO_HANDLE_FLAG_IS_CORRUPTED here when the header CRC-32 does
	 * not match or the chunk numbers are inconsistent, the read itself
	 * still returns 1 in those cases so this flag is the only indication
	 */
	uint8_t flags;

	/* The first record identifier
	 */
	uint64_t first_record_identifier;

	/* The last record identifier
	 */
	uint64_t last_record_identifier;

	/* The codepage of the ASCII strings
	 */
	int ascii_codepage;

	/* Value to indicate if abort was signalled
	 */
	int abort;
};

int libevtx_io_handle_initialize(
     libevtx_io_handle_t **io_handle,
     libcerror_error_t **error );

int libevtx_io_handle_free(
     libevtx_io_handle_t **io_handle,
     libcerror_error_t **error );

int libevtx_io_handle_clear(
     libevtx_io_handle_t *io_handle,
     libcerror_error_t **error );

/* Reads the file header at file_offset into io_handle
 * An unsupported signature is an error, a CRC-32 mismatch over the first
 * 120 bytes or inconsistent chunk numbers only set
 * LIBEVTX_IO_HANDLE_FLAG_IS_CORRUPTED in io_handle->flags
 * Returns 1 if successful or -1 on error
 */
int libevtx_io_handle_read_file_header(
     libevtx_io_handle_t *io_handle,
     libbfio_handle_t *file_io_handle,
     off64_t file_offset,
     libcerror_error_t **error );

/* Reads a chunk
 * Callback function for the chunk vector, the implementation ignores
 * element_data_file_index, element_data_size, element_data_flags and read_flags
 * Returns 1 if successful or -1 on error
 */
int libevtx_io_handle_read_chunk(
     libevtx_io_handle_t *io_handle,
     libbfio_handle_t *file_io_handle,
     libfdata_vector_t *vector,
     libfdata_cache_t *cache,
     int element_index,
     int element_data_file_index,
     off64_t element_data_offset,
     size64_t element_data_size,
     uint32_t element_data_flags,
     uint8_t read_flags,
     libcerror_error_t **error );

#if defined( __cplusplus )
}
#endif

#endif /* !defined( _LIBEVTX_IO_HANDLE_H ) */

================================================
FILE: libevtx/libevtx_libbfio.h
================================================
/*
 * The libbfio header wrapper
 *
 *
Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . */ #if !defined( _LIBEVTX_LIBBFIO_H ) #define _LIBEVTX_LIBBFIO_H #include /* Define HAVE_LOCAL_LIBBFIO for local use of libbfio */ #if defined( HAVE_LOCAL_LIBBFIO ) #include #include #include #include #include #include #include #include #else /* If libtool DLL support is enabled set LIBBFIO_DLL_IMPORT * before including libbfio.h */ #if defined( _WIN32 ) && defined( DLL_IMPORT ) #define LIBBFIO_DLL_IMPORT #endif #include #if defined( HAVE_MULTI_THREAD_SUPPORT ) && !defined( LIBBFIO_HAVE_MULTI_THREAD_SUPPORT ) #error Multi-threading support requires libbfio with multi-threading support #endif #endif /* defined( HAVE_LOCAL_LIBBFIO ) */ #endif /* !defined( _LIBEVTX_LIBBFIO_H ) */ ================================================ FILE: libevtx/libevtx_libcdata.h ================================================ /* * The libcdata header wrapper * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. 
* * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . */ #if !defined( _LIBEVTX_LIBCDATA_H ) #define _LIBEVTX_LIBCDATA_H #include /* Define HAVE_LOCAL_LIBCDATA for local use of libcdata */ #if defined( HAVE_LOCAL_LIBCDATA ) #include #include #include #include #include #include #include #include #else /* If libtool DLL support is enabled set LIBCDATA_DLL_IMPORT * before including libcdata.h */ #if defined( _WIN32 ) && defined( DLL_IMPORT ) #define LIBCDATA_DLL_IMPORT #endif #include #endif /* defined( HAVE_LOCAL_LIBCDATA ) */ #endif /* !defined( _LIBEVTX_LIBCDATA_H ) */ ================================================ FILE: libevtx/libevtx_libcerror.h ================================================ /* * The libcerror header wrapper * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #if !defined( _LIBEVTX_LIBCERROR_H ) #define _LIBEVTX_LIBCERROR_H #include /* Define HAVE_LOCAL_LIBCERROR for local use of libcerror */ #if defined( HAVE_LOCAL_LIBCERROR ) #include #include #include #include #else /* If libtool DLL support is enabled set LIBCERROR_DLL_IMPORT * before including libcerror.h */ #if defined( _WIN32 ) && defined( DLL_IMPORT ) #define LIBCERROR_DLL_IMPORT #endif #include #endif /* defined( HAVE_LOCAL_LIBCERROR ) */ #endif /* !defined( _LIBEVTX_LIBCERROR_H ) */ ================================================ FILE: libevtx/libevtx_libclocale.h ================================================ /* * The libclocale header wrapper * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #if !defined( _LIBEVTX_LIBCLOCALE_H ) #define _LIBEVTX_LIBCLOCALE_H #include /* Define HAVE_LOCAL_LIBCLOCALE for local use of libclocale */ #if defined( HAVE_LOCAL_LIBCLOCALE ) #include #include #include #include #else /* If libtool DLL support is enabled set LIBCLOCALE_DLL_IMPORT * before including libclocale.h */ #if defined( _WIN32 ) && defined( DLL_IMPORT ) #define LIBCLOCALE_DLL_IMPORT #endif #include #endif /* defined( HAVE_LOCAL_LIBCLOCALE ) */ #endif /* !defined( _LIBEVTX_LIBCLOCALE_H ) */ ================================================ FILE: libevtx/libevtx_libcnotify.h ================================================ /* * The libcnotify header wrapper * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #if !defined( _LIBEVTX_LIBCNOTIFY_H ) #define _LIBEVTX_LIBCNOTIFY_H #include /* Define HAVE_LOCAL_LIBCNOTIFY for local use of libcnotify */ #if defined( HAVE_LOCAL_LIBCNOTIFY ) #include #include #include #include #else /* If libtool DLL support is enabled set LIBCNOTIFY_DLL_IMPORT * before including libcnotify.h */ #if defined( _WIN32 ) && defined( DLL_IMPORT ) #define LIBCNOTIFY_DLL_IMPORT #endif #include #endif /* defined( HAVE_LOCAL_LIBCNOTIFY ) */ #endif /* !defined( _LIBEVTX_LIBCNOTIFY_H ) */ ================================================ FILE: libevtx/libevtx_libfcache.h ================================================ /* * The libfcache header wrapper * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #if !defined( _LIBEVTX_LIBFCACHE_H ) #define _LIBEVTX_LIBFCACHE_H #include /* Define HAVE_LOCAL_LIBFCACHE for local use of libfcache */ #if defined( HAVE_LOCAL_LIBFCACHE ) #include #include #include #include #else /* If libtool DLL support is enabled set LIBFCACHE_DLL_IMPORT * before including libfcache.h */ #if defined( _WIN32 ) && defined( DLL_IMPORT ) #define LIBFCACHE_DLL_IMPORT #endif #include #endif /* defined( HAVE_LOCAL_LIBFCACHE ) */ #endif /* !defined( _LIBEVTX_LIBFCACHE_H ) */ ================================================ FILE: libevtx/libevtx_libfdata.h ================================================ /* * The libfdata header wrapper * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #if !defined( _LIBEVTX_LIBFDATA_H ) #define _LIBEVTX_LIBFDATA_H #include /* Define HAVE_LOCAL_LIBFDATA for local use of libfdata */ #if defined( HAVE_LOCAL_LIBFDATA ) #include #include #include #include #include #include #include #include #else /* If libtool DLL support is enabled set LIBFDATA_DLL_IMPORT * before including libfdata.h */ #if defined( _WIN32 ) && defined( DLL_IMPORT ) #define LIBFDATA_DLL_IMPORT #endif #include #endif /* defined( HAVE_LOCAL_LIBFDATA ) */ #endif /* !defined( _LIBEVTX_LIBFDATA_H ) */ ================================================ FILE: libevtx/libevtx_libfdatetime.h ================================================ /* * The libfdatetime header wrapper * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #if !defined( _LIBEVTX_LIBFDATETIME_H ) #define _LIBEVTX_LIBFDATETIME_H #include /* Define HAVE_LOCAL_LIBFDATETIME for local use of libfdatetime */ #if defined( HAVE_LOCAL_LIBFDATETIME ) #include #include #include #include #include #include #include #include #include #include #else /* If libtool DLL support is enabled set LIBFDATETIME_DLL_IMPORT * before including libfdatetime.h */ #if defined( _WIN32 ) && defined( DLL_IMPORT ) #define LIBFDATETIME_DLL_IMPORT #endif #include #endif /* defined( HAVE_LOCAL_LIBFDATETIME ) */ #endif /* !defined( _LIBEVTX_LIBFDATETIME_H ) */ ================================================ FILE: libevtx/libevtx_libfguid.h ================================================ /* * The libfguid header wrapper * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #if !defined( _LIBEVTX_LIBFGUID_H ) #define _LIBEVTX_LIBFGUID_H #include /* Define HAVE_LOCAL_LIBFGUID for local use of libfguid */ #if defined( HAVE_LOCAL_LIBFGUID ) #include #include #include #else /* If libtool DLL support is enabled set LIBFGUID_DLL_IMPORT * before including libfguid.h */ #if defined( _WIN32 ) && defined( DLL_IMPORT ) #define LIBFGUID_DLL_IMPORT #endif #include #endif /* defined( HAVE_LOCAL_LIBFGUID ) */ #endif /* !defined( _LIBEVTX_LIBFGUID_H ) */ ================================================ FILE: libevtx/libevtx_libfwevt.h ================================================ /* * The libfwevt header wrapper * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #if !defined( _LIBEVTX_LIBFWEVT_H ) #define _LIBEVTX_LIBFWEVT_H #include /* Define HAVE_LOCAL_LIBFWEVT for local use of libfwevt */ #if defined( HAVE_LOCAL_LIBFWEVT ) #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #else /* If libtool DLL support is enabled set LIBFWEVT_DLL_IMPORT * before including libfwevt.h */ #if defined( _WIN32 ) && defined( DLL_IMPORT ) #define LIBFWEVT_DLL_IMPORT #endif #include #endif /* defined( HAVE_LOCAL_LIBFWEVT ) */ #endif /* !defined( _LIBEVTX_LIBFWEVT_H ) */ ================================================ FILE: libevtx/libevtx_libuna.h ================================================ /* * The libuna header wrapper * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #if !defined( _LIBEVTX_LIBUNA_H ) #define _LIBEVTX_LIBUNA_H #include /* Define HAVE_LOCAL_LIBUNA for local use of libuna */ #if defined( HAVE_LOCAL_LIBUNA ) #include #include #include #include #include #include #include #include #include #include #include #include #include #include #else /* If libtool DLL support is enabled set LIBUNA_DLL_IMPORT * before including libuna.h */ #if defined( _WIN32 ) && defined( DLL_IMPORT ) #define LIBUNA_DLL_IMPORT #endif #include #endif /* defined( HAVE_LOCAL_LIBUNA ) */ #endif /* !defined( _LIBEVTX_LIBUNA_H ) */ ================================================ FILE: libevtx/libevtx_notify.c ================================================ /* * Notification functions * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
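*/

#include
#include
#include

#if defined( HAVE_STDLIB_H ) || defined( WINAPI )
#include
#endif

#include "libevtx_libcerror.h"
#include "libevtx_libcnotify.h"
#include "libevtx_notify.h"

#if !defined( HAVE_LOCAL_LIBEVTX )

/* Sets the verbose notification
 * The value is passed to libcnotify_verbose_set unchanged
 */
void libevtx_notify_set_verbose(
      int verbose )
{
	libcnotify_verbose_set(
	 verbose );
}

/* Sets the notification stream
 * The stream is passed to libcnotify_stream_set unchanged
 * Returns 1 if successful or -1 on error
 */
int libevtx_notify_set_stream(
     FILE *stream,
     libcerror_error_t **error )
{
	static char *function = "libevtx_notify_set_stream";

	if( libcnotify_stream_set(
	     stream,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_SET_FAILED,
		 "%s: unable to set stream.",
		 function );

		return( -1 );
	}
	return( 1 );
}

/* Opens the notification stream using a filename
 * The stream is opened in append mode
 * The filename is passed to libcnotify_stream_open as is, this wrapper
 * does not inspect or restrict the path
 * NOTE(review): debug builds print hex dumps of parsed file data through
 * libcnotify, presumably to this stream, so the destination file can end
 * up holding content of the files being analyzed
 * Returns 1 if successful or -1 on error
 */
int libevtx_notify_stream_open(
     const char *filename,
     libcerror_error_t **error )
{
	static char *function = "libevtx_notify_stream_open";

	if( libcnotify_stream_open(
	     filename,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_IO,
		 LIBCERROR_IO_ERROR_OPEN_FAILED,
		 "%s: unable to open stream.",
		 function );

		return( -1 );
	}
	return( 1 );
}

/* Closes the notification stream if opened using a filename
 * Returns 0 if successful or -1 on error
 */
int libevtx_notify_stream_close(
     libcerror_error_t **error )
{
	static char *function = "libevtx_notify_stream_close";

	if( libcnotify_stream_close(
	     error ) != 0 )
	{
		/* Report a close failure as such, the open error code and
		 * message used here before made a failed close look like a
		 * failed open in the error backtrace
		 */
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_IO,
		 LIBCERROR_IO_ERROR_CLOSE_FAILED,
		 "%s: unable to close stream.",
		 function );

		return( -1 );
	}
	return( 0 );
}

#endif /* !defined( HAVE_LOCAL_LIBEVTX ) */

================================================
FILE: libevtx/libevtx_notify.h
================================================
/*
 * Notification functions
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.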
* * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . */ #if !defined( _LIBEVTX_NOTIFY_H ) #define _LIBEVTX_NOTIFY_H #include #include #include #include "libevtx_extern.h" #include "libevtx_libcerror.h" #if defined( __cplusplus ) extern "C" { #endif #if !defined( HAVE_LOCAL_LIBEVTX ) LIBEVTX_EXTERN \ void libevtx_notify_set_verbose( int verbose ); LIBEVTX_EXTERN \ int libevtx_notify_set_stream( FILE *stream, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_notify_stream_open( const char *filename, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_notify_stream_close( libcerror_error_t **error ); #endif /* !defined( HAVE_LOCAL_LIBEVTX ) */ #if defined( __cplusplus ) } #endif #endif /* !defined( _LIBEVTX_NOTIFY_H ) */ ================================================ FILE: libevtx/libevtx_record.c ================================================ /* * Record functions * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . */ #include #include #include #include "libevtx_definitions.h" #include "libevtx_io_handle.h" #include "libevtx_libbfio.h" #include "libevtx_libcerror.h" #include "libevtx_record.h" #include "libevtx_record_values.h" /* Creates a record * Make sure the value record is referencing, is set to NULL * Returns 1 if successful or -1 on error */ int libevtx_record_initialize( libevtx_record_t **record, libevtx_io_handle_t *io_handle, libbfio_handle_t *file_io_handle, libevtx_record_values_t *record_values, uint8_t flags, libcerror_error_t **error ) { libevtx_internal_record_t *internal_record = NULL; static char *function = "libevtx_record_initialize"; if( record == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid record.", function ); return( -1 ); } if( *record != NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET, "%s: invalid record value already set.", function ); return( -1 ); } if( record_values == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid record values.", function ); return( -1 ); } if( ( flags & ~( LIBEVTX_RECORD_FLAG_MANAGED_FILE_IO_HANDLE ) ) != 0 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_UNSUPPORTED_VALUE, "%s: unsupported flags: 0x%02" PRIx8 ".", function, flags ); return( -1 ); } internal_record = memory_allocate_structure( libevtx_internal_record_t ); if( internal_record == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_INSUFFICIENT, "%s: unable to create internal record.", function ); goto on_error; } if( memory_set( internal_record, 0, sizeof( libevtx_internal_record_t ) ) == NULL ) { 
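libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_SET_FAILED, "%s: unable to clear internal record.", function ); memory_free( internal_record ); return( -1 ); } if( ( flags & LIBEVTX_RECORD_FLAG_MANAGED_FILE_IO_HANDLE ) == 0 ) { internal_record->file_io_handle = file_io_handle; } else { if( libbfio_handle_clone( &( internal_record->file_io_handle ), file_io_handle, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_COPY_FAILED, "%s: unable to copy file IO handle.", function ); goto on_error; } if( libbfio_handle_set_open_on_demand( internal_record->file_io_handle, 1, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_COPY_FAILED, "%s: unable to set open on demand in file IO handle.", function ); goto on_error; } } internal_record->io_handle = io_handle; internal_record->record_values = record_values; internal_record->flags = flags; *record = (libevtx_record_t *) internal_record; return( 1 ); on_error: if( internal_record != NULL ) { if( ( flags & LIBEVTX_RECORD_FLAG_MANAGED_FILE_IO_HANDLE ) != 0 ) { if( internal_record->file_io_handle != NULL ) { libbfio_handle_free( &( internal_record->file_io_handle ), NULL ); } } memory_free( internal_record ); } return( -1 ); }

/* Frees a record
 * The caller's pointer is set to NULL before cleanup starts, so a failed
 * call cannot be retried. Cleanup therefore always runs to completion and
 * a failure is only reported through the return value; returning early
 * would leak the record and its managed file IO handle
 * Returns 1 if successful or -1 on error
 */
int libevtx_record_free(
     libevtx_record_t **record,
     libcerror_error_t **error )
{
	libevtx_internal_record_t *internal_record = NULL;
	static char *function                      = "libevtx_record_free";
	int result                                 = 1;

	if( record == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record.",
		 function );

		return( -1 );
	}
	if( *record != NULL )
	{
		internal_record = (libevtx_internal_record_t *) *record;
		*record         = NULL;

		/* The io_handle and record_values references are freed elsewhere
		 * The file IO handle is only owned by the record when the
		 * managed flag is set
		 */
		if( ( internal_record->flags & LIBEVTX_RECORD_FLAG_MANAGED_FILE_IO_HANDLE ) != 0 )
		{
			if( internal_record->file_io_handle != NULL )
			{
				if( libbfio_handle_close(
				     internal_record->file_io_handle,
				     error ) != 0 )
				{
					libcerror_error_set(
					 error,
					 LIBCERROR_ERROR_DOMAIN_IO,
					 LIBCERROR_IO_ERROR_CLOSE_FAILED,
					 "%s: unable to close file IO handle.",
					 function );

					/* Keep going: the handle and the record still have to be released
					 */
					result = -1;
				}
				if( libbfio_handle_free(
				     &( internal_record->file_io_handle ),
				     error ) != 1 )
				{
					libcerror_error_set(
					 error,
					 LIBCERROR_ERROR_DOMAIN_RUNTIME,
					 LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
					 "%s: unable to free file IO handle.",
					 function );

					result = -1;
				}
			}
		}
		memory_free(
		 internal_record );
	}
	return( result );
}

/* Retrieves the offset
 * The value is copied from the record values referenced by the record
 * Returns 1 if successful or -1 on error
 */
int libevtx_record_get_offset(
     libevtx_record_t *record,
     off64_t *offset,
     libcerror_error_t **error )
{
	libevtx_internal_record_t *internal_record = NULL;
	static char *function                      = "libevtx_record_get_offset";

	if( record == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record.",
		 function );

		return( -1 );
	}
	internal_record = (libevtx_internal_record_t *) record;

	/* record_values is dereferenced below, so it is checked here
	 */
	if( internal_record->record_values == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
		 "%s: invalid record - missing record values.",
		 function );

		return( -1 );
	}
	if( offset == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid offset.",
		 function );

		return( -1 );
	}
	*offset = internal_record->record_values->offset;

	return( 1 );
}

/* Retrieves the identifier (record number)
 * The value is copied from the record values referenced by the record
 * Returns 1 if successful or -1 on error
 */
int libevtx_record_get_identifier(
     libevtx_record_t *record,
     uint64_t *identifier,
     libcerror_error_t **error )
{
	libevtx_internal_record_t *internal_record = NULL;
	static char *function                      = "libevtx_record_get_identifier";

	if( record == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record.",
		 function );

		return( -1 );
	}
	internal_record = (libevtx_internal_record_t *) record;

	/* record_values is dereferenced below, so it is checked here
	 */
	if( internal_record->record_values == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
		 "%s: invalid record - missing record values.",
		 function );

		return( -1 );
	}
	if( identifier == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid identifier.",
		 function );

		return( -1 );
	}
	*identifier = internal_record->record_values->identifier;

	return( 1 );
}

/* Retrieves the 64-bit FILETIME value containing the creation time from the binary XML
 * Only record is validated here; record_values and filetime are passed on
 * to libevtx_record_values_get_creation_time as-is
 * Returns 1 if successful, 0 if not available or -1 on error
 */
int libevtx_record_get_creation_time(
     libevtx_record_t *record,
     uint64_t *filetime,
     libcerror_error_t **error )
{
	libevtx_internal_record_t *internal_record = NULL;
	static char *function                      = "libevtx_record_get_creation_time";
	int result                                 = 0;

	if( record == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record.",
		 function );

		return( -1 );
	}
	internal_record = (libevtx_internal_record_t *) record;

	result = libevtx_record_values_get_creation_time(
	          internal_record->record_values,
	          filetime,
	          error );

	/* Only -1 is an error; 0 (not available) is returned to the caller as-is
	 */
	if( result == -1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve creation time from record values.",
		 function );

		return( -1 );
	}
	return( result );
}

/* Retrieves the 64-bit FILETIME value containing the written time from the event record header
 * Returns 1 if successful or -1 on error
 */
int libevtx_record_get_written_time(
     libevtx_record_t *record,
     uint64_t *filetime,
     libcerror_error_t **error )
{
	libevtx_internal_record_t *internal_record = NULL;
	static char *function                      = "libevtx_record_get_written_time";

	if( record == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,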
LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record.",
		 function );

		return( -1 );
	}
	internal_record = (libevtx_internal_record_t *) record;

	/* record_values and filetime are passed on as-is; any result other
	 * than 1 is reported as an error
	 */
	if( libevtx_record_values_get_written_time(
	     internal_record->record_values,
	     filetime,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve written time from record values.",
		 function );

		return( -1 );
	}
	return( 1 );
}

/* Retrieves the event identifier
 * Only record is validated here; record_values and event_identifier are
 * passed on to libevtx_record_values_get_event_identifier as-is
 * Returns 1 if successful or -1 on error
 */
int libevtx_record_get_event_identifier(
     libevtx_record_t *record,
     uint32_t *event_identifier,
     libcerror_error_t **error )
{
	libevtx_internal_record_t *internal_record = NULL;
	static char *function                      = "libevtx_record_get_event_identifier";

	if( record == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record.",
		 function );

		return( -1 );
	}
	internal_record = (libevtx_internal_record_t *) record;

	/* Any result other than 1 is reported as an error
	 */
	if( libevtx_record_values_get_event_identifier(
	     internal_record->record_values,
	     event_identifier,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve event identifier from record values.",
		 function );

		return( -1 );
	}
	return( 1 );
}

/* Retrieves the event identifier qualifiers
 * Only record is validated here; record_values and
 * event_identifier_qualifiers are passed on to the record values function
 * as-is
 * Returns 1 if successful, 0 if not available or -1 on error
 */
int libevtx_record_get_event_identifier_qualifiers(
     libevtx_record_t *record,
     uint32_t *event_identifier_qualifiers,
     libcerror_error_t **error )
{
	libevtx_internal_record_t *internal_record = NULL;
	static char *function                      = "libevtx_record_get_event_identifier_qualifiers";
	int result                                 = 0;

	if( record == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record.",
		 function );

		return( -1 );
	}
	internal_record = (libevtx_internal_record_t *) record;

	result = libevtx_record_values_get_event_identifier_qualifiers(
	          internal_record->record_values,
	          event_identifier_qualifiers,
	          error );

	/* Only -1 is an error; 0 (not available) is returned to the caller as-is
	 */
	if( result == -1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve event identifier qualifiers from record values.",
		 function );

		return( -1 );
	}
	return( result );
}

/* Retrieves the event version
 * Only record is validated here; record_values and event_version are
 * passed on to libevtx_record_values_get_event_version as-is
 * Returns 1 if successful, 0 if not available or -1 on error
 */
int libevtx_record_get_event_version(
     libevtx_record_t *record,
     uint8_t *event_version,
     libcerror_error_t **error )
{
	libevtx_internal_record_t *internal_record = NULL;
	static char *function                      = "libevtx_record_get_event_version";
	int result                                 = 0;

	if( record == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record.",
		 function );

		return( -1 );
	}
	internal_record = (libevtx_internal_record_t *) record;

	result = libevtx_record_values_get_event_version(
	          internal_record->record_values,
	          event_version,
	          error );

	/* Only -1 is an error; 0 (not available) is returned to the caller as-is
	 */
	if( result == -1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve event version from record values.",
		 function );

		return( -1 );
	}
	return( result );
}

/* Retrieves the event level
 * Only record is validated here; record_values and event_level are passed
 * on to libevtx_record_values_get_event_level as-is
 * Returns 1 if successful or -1 on error
 */
int libevtx_record_get_event_level(
     libevtx_record_t *record,
     uint8_t *event_level,
     libcerror_error_t **error )
{
	libevtx_internal_record_t *internal_record = NULL;
	static char *function                      = "libevtx_record_get_event_level";

	if( record == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record.",
		 function );

		return( -1 );
	}
	internal_record = (libevtx_internal_record_t *) record;

	/* Any result other than 1 is reported as an error
	 */
	if( libevtx_record_values_get_event_level(
	     internal_record->record_values,
	     event_level,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve event level from record values.",
		 function );

		return( -1 );
	}
	return( 1 );
}

/* Retrieves the size of the UTF-8 encoded provider identifier
 * The returned size includes the end of string character
 * Only record is validated here; the other arguments are passed on as-is
 * Returns 1 if successful, 0 if not available or -1 on error
 */
int libevtx_record_get_utf8_provider_identifier_size(
     libevtx_record_t *record,
     size_t *utf8_string_size,
     libcerror_error_t **error )
{
	libevtx_internal_record_t *internal_record = NULL;
	static char *function                      = "libevtx_record_get_utf8_provider_identifier_size";
	int result                                 = 0;

	if( record == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record.",
		 function );

		return( -1 );
	}
	internal_record = (libevtx_internal_record_t *) record;

	result = libevtx_record_values_get_utf8_provider_identifier_size(
	          internal_record->record_values,
	          utf8_string_size,
	          error );

	/* Only -1 is an error; 0 (not available) is returned to the caller as-is
	 */
	if( result == -1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve UTF-8 string size of provider identifier.",
		 function );

		return( -1 );
	}
	return( result );
}

/* Retrieves the UTF-8 encoded provider identifier
 * The size should include the end of string character
 * utf8_string_size is forwarded unchanged and is not compared with the
 * stored value in this function; bounds enforcement is presumably done by
 * the record values function - confirm
 * Returns 1 if successful, 0 if not available or -1 on error
 */
int libevtx_record_get_utf8_provider_identifier(
     libevtx_record_t *record,
     uint8_t *utf8_string,
     size_t utf8_string_size,
     libcerror_error_t **error )
{
	libevtx_internal_record_t *internal_record = NULL;
	static char *function                      = "libevtx_record_get_utf8_provider_identifier";
	int result                                 = 0;

	if( record == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record.",
		 function );

		return( -1 );
	}
	internal_record = (libevtx_internal_record_t *) record;

	result = libevtx_record_values_get_utf8_provider_identifier(
	          internal_record->record_values,
	          utf8_string,
	          utf8_string_size,
	          error );

	/* Only -1 is an error; 0 (not available) is returned to the caller as-is
	 */
	if( result == -1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_COPY_FAILED,
		 "%s: unable to copy provider identifier to UTF-8 string.",
		 function );

		return( -1 );
	}
	return( result );
}

/* Retrieves the size of the UTF-16 encoded provider identifier
 * The returned size includes the end of string character
 * Only record is validated here; the other arguments are passed on as-is
 * Returns 1 if successful, 0 if not available or -1 on error
 */
int libevtx_record_get_utf16_provider_identifier_size(
     libevtx_record_t *record,
     size_t *utf16_string_size,
     libcerror_error_t **error )
{
	libevtx_internal_record_t *internal_record = NULL;
	static char *function                      = "libevtx_record_get_utf16_provider_identifier_size";
	int result                                 = 0;

	if( record == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record.",
		 function );

		return( -1 );
	}
	internal_record = (libevtx_internal_record_t *) record;

	result = libevtx_record_values_get_utf16_provider_identifier_size(
	          internal_record->record_values,
	          utf16_string_size,
	          error );

	/* Only -1 is an error; 0 (not available) is returned to the caller as-is
	 */
	if( result == -1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve UTF-16 string size of provider identifier.",
		 function );

		return( -1 );
	}
	return( result );
}

/* Retrieves the UTF-16 encoded provider identifier
 * The size should include the end of string character
 * utf16_string_size is forwarded unchanged and is not compared with the
 * stored value in this function; bounds enforcement is presumably done by
 * the record values function - confirm
 * Returns 1 if successful, 0 if not available or -1 on error
 */
int libevtx_record_get_utf16_provider_identifier(
     libevtx_record_t *record,
     uint16_t *utf16_string,
     size_t utf16_string_size,
     libcerror_error_t **error )
{
	libevtx_internal_record_t *internal_record = NULL;
	static char *function                      = "libevtx_record_get_utf16_provider_identifier";
	int result                                 = 0;

	if( record == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record.",
		 function );

		return( -1 );
	}
	internal_record = (libevtx_internal_record_t *) record;

	result = libevtx_record_values_get_utf16_provider_identifier(
	          internal_record->record_values,
	          utf16_string,
	          utf16_string_size,
	          error );

	/* Only -1 is an error; 0 (not available) is returned to the caller as-is
	 */
	if( result == -1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_COPY_FAILED,
		 "%s: unable to copy provider identifier to UTF-16 string.",
		 function );

		return( -1 );
	}
	return( result );
}

/* Retrieves the size of the UTF-8 encoded source name
 * The returned size includes the end of string character
 * Only record is validated here; the other arguments are passed on as-is
 * Returns 1 if successful, 0 if not available or -1 on error
 */
int libevtx_record_get_utf8_source_name_size(
     libevtx_record_t *record,
     size_t *utf8_string_size,
     libcerror_error_t **error )
{
	libevtx_internal_record_t *internal_record = NULL;
	static char *function                      = "libevtx_record_get_utf8_source_name_size";
	int result                                 = 0;

	if( record == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record.",
		 function );

		return( -1 );
	}
	internal_record = (libevtx_internal_record_t *) record;

	result = libevtx_record_values_get_utf8_source_name_size(
	          internal_record->record_values,
	          utf8_string_size,
	          error );

	/* Only -1 is an error; 0 (not available) is returned to the caller as-is
	 */
	if( result == -1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve UTF-8 string size of source name.",
		 function );

		return( -1 );
	}
	return( result );
}

/* Retrieves the UTF-8 encoded source name
 * The size should include the end of string character
 * utf8_string_size is forwarded unchanged and is not compared with the
 * stored value in this function; bounds enforcement is presumably done by
 * the record values function - confirm
 * Returns 1 if successful, 0 if not available or -1 on error
 */
int libevtx_record_get_utf8_source_name(
     libevtx_record_t *record,
     uint8_t *utf8_string,
     size_t utf8_string_size,
     libcerror_error_t **error )
{
	libevtx_internal_record_t *internal_record = NULL;
	static char *function                      = "libevtx_record_get_utf8_source_name";
	int result                                 = 0;

	if( record == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record.",
		 function );

		return( -1 );
	}
	internal_record = (libevtx_internal_record_t *) record;

	result = libevtx_record_values_get_utf8_source_name(
	          internal_record->record_values,
	          utf8_string,
	          utf8_string_size,
	          error );

	/* Only -1 is an error; 0 (not available) is returned to the caller as-is
	 */
	if( result == -1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_COPY_FAILED,
		 "%s: unable to copy source name to UTF-8 string.",
		 function );

		return( -1 );
	}
	return( result );
}

/* Retrieves the size of the UTF-16 encoded source name
 * The returned size includes the end of string character
 * Only record is validated here; the other arguments are passed on as-is
 * Returns 1 if successful, 0 if not available or -1 on error
 */
int libevtx_record_get_utf16_source_name_size(
     libevtx_record_t *record,
     size_t *utf16_string_size,
     libcerror_error_t **error )
{
	libevtx_internal_record_t *internal_record = NULL;
	static char *function                      = "libevtx_record_get_utf16_source_name_size";
	int result                                 = 0;

	if( record == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record.",
		 function );

		return( -1 );
	}
	internal_record = (libevtx_internal_record_t *) record;

	result = libevtx_record_values_get_utf16_source_name_size(
	          internal_record->record_values,
	          utf16_string_size,
	          error );

	/* Only -1 is an error; 0 (not available) is returned to the caller as-is
	 */
	if( result == -1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve UTF-16 string size of source name.",
		 function );

		return( -1 );
	}
	return( result );
}

/* Retrieves the UTF-16 encoded source name
 * The size should include the end of string character
 * utf16_string_size is forwarded unchanged and is not compared with the
 * stored value in this function; bounds enforcement is presumably done by
 * the record values function - confirm
 * Returns 1 if successful, 0 if not available or -1 on error
 */
int libevtx_record_get_utf16_source_name(
     libevtx_record_t *record,
     uint16_t *utf16_string,
     size_t utf16_string_size,
     libcerror_error_t **error )
{
	libevtx_internal_record_t *internal_record = NULL;
	static char *function                      = "libevtx_record_get_utf16_source_name";
	int result                                 = 0;

	if( record == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record.",
		 function );

		return( -1 );
	}
	internal_record = (libevtx_internal_record_t *) record;

	result = libevtx_record_values_get_utf16_source_name(
	          internal_record->record_values,
	          utf16_string,
	          utf16_string_size,
	          error );

	/* Only -1 is an error; 0 (not available) is returned to the caller as-is
	 */
	if( result == -1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_COPY_FAILED,
		 "%s: unable to copy source name to UTF-16 string.",
		 function );

		return( -1 );
	}
	return( result );
}

/* Retrieves the size of the UTF-8 encoded channel name
 * The returned size includes the end of string character
 * Only record is validated here; the other arguments are passed on as-is
 * Returns 1 if successful, 0 if not available or -1 on error
 */
int libevtx_record_get_utf8_channel_name_size(
     libevtx_record_t *record,
     size_t *utf8_string_size,
     libcerror_error_t **error )
{
	libevtx_internal_record_t *internal_record = NULL;
	static char *function                      = "libevtx_record_get_utf8_channel_name_size";
	int result                                 = 0;

	if( record == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record.",
		 function );

		return( -1 );
	}
	internal_record = (libevtx_internal_record_t *) record;

	result = libevtx_record_values_get_utf8_channel_name_size(
	          internal_record->record_values,
	          utf8_string_size,
	          error );

	/* Only -1 is an error; 0 (not available) is returned to the caller as-is
	 */
	if( result == -1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve UTF-8 string size of channel name.",
		 function );

		return( -1 );
	}
	return( result );
}

/* Retrieves the UTF-8 encoded channel name
 * The size should include the end of string character
 * utf8_string_size is forwarded unchanged and is not compared with the
 * stored value in this function; bounds enforcement is presumably done by
 * the record values function - confirm
 * Returns 1 if successful, 0 if not available or -1 on error
 */
int libevtx_record_get_utf8_channel_name(
     libevtx_record_t *record,
     uint8_t *utf8_string,
     size_t utf8_string_size,
     libcerror_error_t **error )
{
	libevtx_internal_record_t *internal_record = NULL;
	static char *function                      = "libevtx_record_get_utf8_channel_name";
	int result                                 = 0;

	if( record == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record.",
		 function );

		return( -1 );
	}
	internal_record = (libevtx_internal_record_t *) record;

	result = libevtx_record_values_get_utf8_channel_name(
	          internal_record->record_values,
	          utf8_string,
	          utf8_string_size,
	          error );

	/* Only -1 is an error; 0 (not available) is returned to the caller as-is
	 */
	if( result == -1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_COPY_FAILED,
		 "%s: unable to copy channel name to UTF-8 string.",
		 function );

		return( -1 );
	}
	return( result );
}

/* Retrieves the size of the UTF-16 encoded channel name
 * The returned size includes the end of string character
 * Only record is validated here; the other arguments are passed on as-is
 * Returns 1 if successful, 0 if not available or -1 on error
 */
int libevtx_record_get_utf16_channel_name_size(
     libevtx_record_t *record,
     size_t *utf16_string_size,
     libcerror_error_t **error )
{
	libevtx_internal_record_t *internal_record = NULL;
	static char *function                      = "libevtx_record_get_utf16_channel_name_size";
	int result                                 = 0;

	if( record == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record.",
		 function );

		return( -1 );
	}
	internal_record = (libevtx_internal_record_t *) record;

	result = libevtx_record_values_get_utf16_channel_name_size(
	          internal_record->record_values,
	          utf16_string_size,
	          error );

	/* Only -1 is an error; 0 (not available) is returned to the caller as-is
	 */
	if( result == -1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve UTF-16 string size of channel name.",
		 function );

		return( -1 );
	}
	return( result );
}

/* Retrieves the UTF-16 encoded channel name
 * The size should include the end of string character
 * utf16_string_size is forwarded unchanged and is not compared with the
 * stored value in this function; bounds enforcement is presumably done by
 * the record values function - confirm
 * Returns 1 if successful, 0 if not available or -1 on error
 */
int libevtx_record_get_utf16_channel_name(
     libevtx_record_t *record,
     uint16_t *utf16_string,
     size_t utf16_string_size,
     libcerror_error_t **error )
{
	libevtx_internal_record_t *internal_record = NULL;
	static char *function                      = "libevtx_record_get_utf16_channel_name";
	int result                                 = 0;

	if( record == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record.",
		 function );

		return( -1 );
	}
	internal_record = (libevtx_internal_record_t *) record;

	result = libevtx_record_values_get_utf16_channel_name(
	          internal_record->record_values,
	          utf16_string,
	          utf16_string_size,
	          error );

	/* Only -1 is an error; 0 (not available) is returned to the caller as-is
	 */
	if( result == -1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_COPY_FAILED,
		 "%s: unable to copy channel name to UTF-16 string.",
		 function );

		return( -1 );
	}
	return( result );
}

/* Retrieves the size of the UTF-8 encoded computer name
 * The returned size includes the end of string character
 * Only record is validated here; the other arguments are passed on as-is
 * Returns 1 if successful, 0 if not available or -1 on error
 */
int libevtx_record_get_utf8_computer_name_size(
     libevtx_record_t *record,
     size_t *utf8_string_size,
     libcerror_error_t **error )
{
	libevtx_internal_record_t *internal_record = NULL;
	static char *function                      = "libevtx_record_get_utf8_computer_name_size";
	int result                                 = 0;

	if( record == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record.",
		 function );

		return( -1 );
	}
	internal_record = (libevtx_internal_record_t *) record;

	result = libevtx_record_values_get_utf8_computer_name_size(
	          internal_record->record_values,
	          utf8_string_size,
	          error );

	/* Only -1 is an error; 0 (not available) is returned to the caller as-is
	 */
	if( result == -1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve UTF-8 string size of computer name.",
		 function );

		return( -1 );
	}
	return( result );
}

/* Retrieves the UTF-8 encoded computer name
 * The size should include the end of string character
 * utf8_string_size is forwarded unchanged and is not compared with the
 * stored value in this function; bounds enforcement is presumably done by
 * the record values function - confirm
 * Returns 1 if successful, 0 if not available or -1 on error
 */
int libevtx_record_get_utf8_computer_name(
     libevtx_record_t *record,
     uint8_t *utf8_string,
     size_t utf8_string_size,
     libcerror_error_t **error )
{
	libevtx_internal_record_t *internal_record = NULL;
	static char *function                      = "libevtx_record_get_utf8_computer_name";
	int result                                 = 0;

	if( record == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record.",
		 function );

		return( -1 );
	}
	internal_record = (libevtx_internal_record_t *) record;

	result = libevtx_record_values_get_utf8_computer_name(
	          internal_record->record_values,
	          utf8_string,
	          utf8_string_size,
	          error );

	/* Only -1 is an error; 0 (not available) is returned to the caller as-is
	 */
	if( result == -1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_COPY_FAILED,
		 "%s: unable to copy computer name to UTF-8 string.",
		 function );

		return( -1 );
	}
	return( result );
}

/* Retrieves the size of the UTF-16 encoded computer name
 * The returned size includes the end of string character
 * Only record is validated here; the other arguments are passed on as-is
 * Returns 1 if successful, 0 if not available or -1 on error
 */
int libevtx_record_get_utf16_computer_name_size(
     libevtx_record_t *record,
     size_t *utf16_string_size,
     libcerror_error_t **error )
{
	libevtx_internal_record_t *internal_record = NULL;
	static char *function                      = "libevtx_record_get_utf16_computer_name_size";
	int result                                 = 0;

	if( record == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record.",
		 function );

		return( -1 );
	}
	internal_record = (libevtx_internal_record_t *) record;

	result = libevtx_record_values_get_utf16_computer_name_size(
	          internal_record->record_values,
	          utf16_string_size,
	          error );

	/* Only -1 is an error; 0 (not available) is returned to the caller as-is
	 */
	if( result == -1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve UTF-16 string size of computer name.",
		 function );

		return( -1 );
	}
	return( result );
}

/* Retrieves the UTF-16 encoded computer name
 * The size should include the end of string character
 * utf16_string_size is forwarded unchanged and is not compared with the
 * stored value in this function; bounds enforcement is presumably done by
 * the record values function - confirm
 * Returns 1 if successful, 0 if not available or -1 on error
 */
int libevtx_record_get_utf16_computer_name(
     libevtx_record_t *record,
     uint16_t *utf16_string,
     size_t utf16_string_size,
     libcerror_error_t **error )
{
	libevtx_internal_record_t *internal_record = NULL;
	static char *function                      = "libevtx_record_get_utf16_computer_name";
	int result                                 = 0;

	if( record == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record.",
		 function );

		return( -1 );
	}
	internal_record = (libevtx_internal_record_t *) record;

	result = libevtx_record_values_get_utf16_computer_name(
	          internal_record->record_values,
	          utf16_string,
	          utf16_string_size,
	          error );

	/* Only -1 is an error; 0 (not available) is returned to the caller as-is
	 */
	if( result == -1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_COPY_FAILED,
		 "%s: unable to copy computer name to UTF-16 string.",
		 function );

		return( -1 );
	}
	return( result );
}

/* Retrieves the size of the UTF-8 encoded user security identifier
 * The returned size includes the end of string character
 * Only record is validated here; the other arguments are passed on as-is
 * Returns 1 if successful, 0 if not available or -1 on error
 */
int libevtx_record_get_utf8_user_security_identifier_size(
     libevtx_record_t *record,
     size_t *utf8_string_size,
     libcerror_error_t **error )
{
	libevtx_internal_record_t *internal_record = NULL;
	static char *function                      = "libevtx_record_get_utf8_user_security_identifier_size";
	int result                                 = 0;

	if( record == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record.",
		 function );

		return( -1 );
	}
	internal_record = (libevtx_internal_record_t *) record;

	result = libevtx_record_values_get_utf8_user_security_identifier_size(
	          internal_record->record_values,
	          utf8_string_size,
	          error );

	/* Only -1 is an error; 0 (not available) is returned to the caller as-is
	 */
	if( result == -1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve UTF-8 string size of user security identifier.",
		 function );

		return( -1 );
	}
	return( result );
}

/* Retrieves the UTF-8 encoded user security identifier
 * The size should include the end of string character
 * utf8_string_size is forwarded unchanged and is not compared with the
 * stored value in this function; bounds enforcement is presumably done by
 * the record values function - confirm
 * Returns 1 if successful, 0 if not available or -1 on error
 */
int
libevtx_record_get_utf8_user_security_identifier(
     libevtx_record_t *record,
     uint8_t *utf8_string,
     size_t utf8_string_size,
     libcerror_error_t **error )
{
	libevtx_internal_record_t *internal_record = NULL;
	static char *function                      = "libevtx_record_get_utf8_user_security_identifier";
	int result                                 = 0;

	if( record == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record.",
		 function );

		return( -1 );
	}
	internal_record = (libevtx_internal_record_t *) record;

	/* utf8_string and utf8_string_size are forwarded unchanged, no bounds
	 * check is done in this function
	 */
	result = libevtx_record_values_get_utf8_user_security_identifier(
	          internal_record->record_values,
	          utf8_string,
	          utf8_string_size,
	          error );

	/* Only -1 is an error; 0 (not available) is returned to the caller as-is
	 */
	if( result == -1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_COPY_FAILED,
		 "%s: unable to copy user security identifier to UTF-8 string.",
		 function );

		return( -1 );
	}
	return( result );
}

/* Retrieves the size of the UTF-16 encoded user security identifier
 * The returned size includes the end of string character
 * Only record is validated here; the other arguments are passed on as-is
 * Returns 1 if successful, 0 if not available or -1 on error
 */
int libevtx_record_get_utf16_user_security_identifier_size(
     libevtx_record_t *record,
     size_t *utf16_string_size,
     libcerror_error_t **error )
{
	libevtx_internal_record_t *internal_record = NULL;
	static char *function                      = "libevtx_record_get_utf16_user_security_identifier_size";
	int result                                 = 0;

	if( record == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record.",
		 function );

		return( -1 );
	}
	internal_record = (libevtx_internal_record_t *) record;

	result = libevtx_record_values_get_utf16_user_security_identifier_size(
	          internal_record->record_values,
	          utf16_string_size,
	          error );

	/* Only -1 is an error; 0 (not available) is returned to the caller as-is
	 */
	if( result == -1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve UTF-16 string size of user security identifier.",
		 function );

		return( -1 );
	}
	return( result );
}

/* Retrieves the UTF-16 encoded user security identifier
 * The size should include the end of string character
 * utf16_string_size is forwarded unchanged and is not compared with the
 * stored value in this function; bounds enforcement is presumably done by
 * the record values function - confirm
 * Returns 1 if successful, 0 if not available or -1 on error
 */
int libevtx_record_get_utf16_user_security_identifier(
     libevtx_record_t *record,
     uint16_t *utf16_string,
     size_t utf16_string_size,
     libcerror_error_t **error )
{
	libevtx_internal_record_t *internal_record = NULL;
	static char *function                      = "libevtx_record_get_utf16_user_security_identifier";
	int result                                 = 0;

	if( record == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record.",
		 function );

		return( -1 );
	}
	internal_record = (libevtx_internal_record_t *) record;

	result = libevtx_record_values_get_utf16_user_security_identifier(
	          internal_record->record_values,
	          utf16_string,
	          utf16_string_size,
	          error );

	/* Only -1 is an error; 0 (not available) is returned to the caller as-is
	 */
	if( result == -1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_COPY_FAILED,
		 "%s: unable to copy user security identifier to UTF-16 string.",
		 function );

		return( -1 );
	}
	return( result );
}

/* Parses the record data with a template definition
 * This function needs to be called before accessing the strings otherwise
 * the record data will be parsed without a template definition by default
 * record and template_definition are checked for NULL here; record_values
 * and io_handle are passed on as-is
 * Returns 1 if successful, 0 if data could not be parsed or -1 on error
 */
int libevtx_record_parse_data_with_template_definition(
     libevtx_record_t *record,
     libevtx_template_definition_t *template_definition,
     libcerror_error_t **error )
{
	libevtx_internal_record_t *internal_record = NULL;
	static char *function                      = "libevtx_record_parse_data_with_template_definition";
	int result                                 = 0;

	if( record == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record.",
		 function );

		return( -1 );
	}
	internal_record = (libevtx_internal_record_t *) record;

	if( template_definition == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid template definition.",
		 function );

		return( -1 );
	}
	/* The public template definition handle is cast to its internal type
	 * for the record values parser
	 */
	result = libevtx_record_values_parse_data(
	          internal_record->record_values,
	          internal_record->io_handle,
	          (libevtx_internal_template_definition_t *) template_definition,
	          error );

	/* Only -1 is an error; 0 (data could not be parsed) is returned as-is
	 */
	if( result == -1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GENERIC,
		 "%s: unable to parse data.",
		 function );

		return( -1 );
	}
	return( result );
}

/* Retrieves the number of strings
 * Only record is validated here; the other arguments are passed on as-is
 * Returns 1 if successful or -1 on error
 */
int libevtx_record_get_number_of_strings(
     libevtx_record_t *record,
     int *number_of_strings,
     libcerror_error_t **error )
{
	libevtx_internal_record_t *internal_record = NULL;
	static char *function                      = "libevtx_record_get_number_of_strings";

	if( record == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record.",
		 function );

		return( -1 );
	}
	internal_record = (libevtx_internal_record_t *) record;

	if( libevtx_record_values_get_number_of_strings(
	     internal_record->record_values,
	     internal_record->io_handle,
	     number_of_strings,
	     error ) != 1 )
	{
		/* NOTE(review): COPY_FAILED is reported although the message
		 * describes a retrieval; other getters in this file use
		 * LIBCERROR_RUNTIME_ERROR_GET_FAILED for that
		 */
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_COPY_FAILED,
		 "%s: unable to retrieve number of strings.",
		 function );

		return( -1 );
	}
	return( 1 );
}

/* Retrieves the size of a specific UTF-8 encoded string
 * The returned size includes the end of string character
 * string_index is not range-checked in this function; validation is
 * presumably done by libevtx_record_values_get_utf8_string_size - confirm
 * Returns 1 if successful or -1 on error
 */
int libevtx_record_get_utf8_string_size(
     libevtx_record_t *record,
     int string_index,
     size_t *utf8_string_size,
     libcerror_error_t **error )
{
	libevtx_internal_record_t *internal_record = NULL;
	static char *function                      = "libevtx_record_get_utf8_string_size";

	if( record == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record.",
		 function );

		return( -1 );
	}
	internal_record = (libevtx_internal_record_t *) record;

	if( libevtx_record_values_get_utf8_string_size(
	     internal_record->record_values,
	     internal_record->io_handle,
	     string_index,
	     utf8_string_size,
	     error ) != 1 )
	{
		/* NOTE(review): COPY_FAILED is reported although the message
		 * describes a size retrieval; other size getters in this file
		 * use LIBCERROR_RUNTIME_ERROR_GET_FAILED
		 */
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_COPY_FAILED,
		 "%s: unable to retrieve size of UTF-8 string: %d.",
		 function,
		 string_index );

		return( -1 );
	}
	return( 1 );
}

/* Retrieves a specific UTF-8 encoded string
 * The size should include the end of string character
 * string_index and utf8_string_size are forwarded unchanged and are not
 * checked in this function; range and bounds enforcement are presumably
 * done by libevtx_record_values_get_utf8_string - confirm
 * Returns 1 if successful or -1 on error
 */
int libevtx_record_get_utf8_string(
     libevtx_record_t *record,
     int string_index,
     uint8_t *utf8_string,
     size_t utf8_string_size,
     libcerror_error_t **error )
{
	libevtx_internal_record_t *internal_record = NULL;
	static char *function                      = "libevtx_record_get_utf8_string";

	if( record == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record.",
		 function );

		return( -1 );
	}
	internal_record = (libevtx_internal_record_t *) record;

	/* Any result other than 1 is reported as an error
	 */
	if( libevtx_record_values_get_utf8_string(
	     internal_record->record_values,
	     internal_record->io_handle,
	     string_index,
	     utf8_string,
	     utf8_string_size,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_COPY_FAILED,
		 "%s: unable to retrieve UTF-8 string: %d.",
		 function,
		 string_index );

		return( -1 );
	}
	return( 1 );
}

/* Retrieves the size of a specific UTF-16 encoded string
 * The returned size includes the end of string character
 * string_index is not range-checked in this function; validation is
 * presumably done by libevtx_record_values_get_utf16_string_size - confirm
 * Returns 1 if successful or -1 on error
 */
int libevtx_record_get_utf16_string_size(
     libevtx_record_t *record,
     int string_index,
     size_t *utf16_string_size,
     libcerror_error_t **error )
{
	libevtx_internal_record_t *internal_record = NULL;
	static char *function                      = "libevtx_record_get_utf16_string_size";

	if( record == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record.",
		 function );

		return( -1 );
	}
	internal_record = (libevtx_internal_record_t *) record;

	if( libevtx_record_values_get_utf16_string_size(
	     internal_record->record_values,
	     internal_record->io_handle,
	     string_index,
	     utf16_string_size,
	     error ) != 1 )
	{
		/* NOTE(review): COPY_FAILED is reported although the message
		 * describes a size retrieval; other size getters in this file
		 * use LIBCERROR_RUNTIME_ERROR_GET_FAILED
		 */
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_COPY_FAILED,
		 "%s: unable to retrieve size of UTF-16 string: %d.",
		 function,
		 string_index );

		return( -1 );
	}
	return( 1 );
}

/* Retrieves a specific UTF-16 encoded string
 * The size should include the end of string character
 * string_index and utf16_string_size are forwarded unchanged and are not
 * checked in this function; range and bounds enforcement are presumably
 * done by libevtx_record_values_get_utf16_string - confirm
 * Returns 1 if successful or -1 on error
 */
int libevtx_record_get_utf16_string(
     libevtx_record_t *record,
     int string_index,
     uint16_t *utf16_string,
     size_t utf16_string_size,
     libcerror_error_t **error )
{
	libevtx_internal_record_t *internal_record = NULL;
	static char *function                      = "libevtx_record_get_utf16_string";

	if( record == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record.",
		 function );

		return( -1 );
	}
	internal_record = (libevtx_internal_record_t *) record;

	/* Any result other than 1 is reported as an error
	 */
	if( libevtx_record_values_get_utf16_string(
	     internal_record->record_values,
	     internal_record->io_handle,
	     string_index,
	     utf16_string,
	     utf16_string_size,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_COPY_FAILED,
		 "%s: unable to retrieve UTF-16 string: %d.",
		 function,
		 string_index );

		return( -1 );
	}
	return( 1 );
}

/* Retrieves the size of the data
 * Only record is validated here; the other arguments are passed on as-is
 * Returns 1 if successful, 0 if not available or -1 on error
 */
int libevtx_record_get_data_size(
     libevtx_record_t *record,
     size_t *data_size,
     libcerror_error_t **error )
{
	libevtx_internal_record_t *internal_record = NULL;
	static char *function                      = "libevtx_record_get_data_size";
	int result                                 = 0;

	if( record == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record.",
		 function );

		return( -1 );
	}
	internal_record = (libevtx_internal_record_t *) record;

	result = libevtx_record_values_get_data_size(
	          internal_record->record_values,
	          internal_record->io_handle,
	          data_size,
	          error );

	/* Only -1 is an error; 0 (not available) is returned to the caller as-is
	 */
	if( result == -1 )
	{
		/* NOTE(review): COPY_FAILED is reported although the message
		 * describes a size retrieval; other size getters in this file
		 * use LIBCERROR_RUNTIME_ERROR_GET_FAILED
		 */
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_COPY_FAILED,
		 "%s: unable to retrieve data size.",
		 function );

		return( -1 );
	}
	return( result );
}

/* Retrieves the data
 * data_size is forwarded unchanged and is not compared with the stored
 * data size in this function; bounds enforcement is presumably done by
 * libevtx_record_values_get_data - confirm
 * Returns 1 if successful, 0 if not available or -1 on error
 */
int libevtx_record_get_data(
     libevtx_record_t *record,
     uint8_t *data,
     size_t data_size,
     libcerror_error_t **error )
{
	libevtx_internal_record_t *internal_record = NULL;
	static char *function                      = "libevtx_record_get_data";
	int result                                 = 0;

	if( record == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record.",
		 function );

		return( -1 );
	}
	internal_record = (libevtx_internal_record_t *) record;

	result = libevtx_record_values_get_data(
	          internal_record->record_values,
	          internal_record->io_handle,
	          data,
	          data_size,
	          error );

	/* Only -1 is an error; 0 (not available) is returned to the caller as-is
	 */
	if( result == -1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_COPY_FAILED,
		 "%s: unable to retrieve data.",
		 function );

		return( -1 );
	}
	return( result );
}

/* Retrieves the size of the UTF-8 encoded XML string
 * The returned size includes the end of string character
 * Only record is validated here; the other arguments are passed on as-is
 * Returns 1 if successful or -1 on error
 */
int libevtx_record_get_utf8_xml_string_size(
     libevtx_record_t *record,
     size_t *utf8_string_size,
     libcerror_error_t **error )
{
	libevtx_internal_record_t *internal_record = NULL;
	static char *function                      = "libevtx_record_get_utf8_xml_string_size";

	if( record == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record.",
		 function );

		return( -1 );
	}
	internal_record = (libevtx_internal_record_t *) record;

	/* Any result other than 1 is reported as an error
	 */
	if( libevtx_record_values_get_utf8_xml_string_size(
	     internal_record->record_values,
	     utf8_string_size,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve UTF-8 string size of event XML.",
		 function );

		return( -1 );
	}
	return( 1 );
}

/* Retrieves the UTF-8 encoded XML string
 * The size should include the end of string character
 * utf8_string_size is forwarded unchanged and is not compared with the
 * size of the event XML in this function; bounds enforcement is presumably
 * done by libevtx_record_values_get_utf8_xml_string - confirm
 * Returns 1 if successful or -1 on error
 */
int libevtx_record_get_utf8_xml_string(
     libevtx_record_t *record,
     uint8_t *utf8_string,
     size_t utf8_string_size,
     libcerror_error_t **error )
{
	libevtx_internal_record_t *internal_record = NULL;
	static char *function                      = "libevtx_record_get_utf8_xml_string";

	if( record == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record.",
		 function );

		return( -1 );
	}
	internal_record = (libevtx_internal_record_t *) record;

	/* Any result other than 1 is reported as an error
	 */
	if( libevtx_record_values_get_utf8_xml_string(
	     internal_record->record_values,
	     utf8_string,
	     utf8_string_size,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_COPY_FAILED,
		 "%s: unable to copy event XML to UTF-8 string.",
		 function );

		return( -1 );
	}
	return( 1 );
}

/* Retrieves the size of the UTF-16 encoded XML string * The returned size includes the end of string character * Returns 1 if successful or -1 on error */ int libevtx_record_get_utf16_xml_string_size( libevtx_record_t *record, size_t *utf16_string_size, libcerror_error_t **error ) { libevtx_internal_record_t *internal_record = NULL; static char *function = "libevtx_record_get_utf16_xml_string_size"; if( record == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid record.", function ); return( -1 ); } internal_record = (libevtx_internal_record_t *) record; if( libevtx_record_values_get_utf16_xml_string_size( internal_record->record_values, utf16_string_size, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve UTF-16 
string size of event XML.", function ); return( -1 ); } return( 1 ); } /* Retrieves the UTF-16 encoded XML string * The size should include the end of string character * Returns 1 if successful or -1 on error */ int libevtx_record_get_utf16_xml_string( libevtx_record_t *record, uint16_t *utf16_string, size_t utf16_string_size, libcerror_error_t **error ) { libevtx_internal_record_t *internal_record = NULL; static char *function = "libevtx_record_get_utf16_xml_string"; if( record == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid record.", function ); return( -1 ); } internal_record = (libevtx_internal_record_t *) record; if( libevtx_record_values_get_utf16_xml_string( internal_record->record_values, utf16_string, utf16_string_size, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_COPY_FAILED, "%s: unable to copy event XML to UTF-16 string.", function ); return( -1 ); } return( 1 ); } ================================================ FILE: libevtx/libevtx_record.h ================================================ /* * Record functions * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #if !defined( _LIBEVTX_INTERNAL_RECORD_H ) #define _LIBEVTX_INTERNAL_RECORD_H #include #include #include "libevtx_extern.h" #include "libevtx_io_handle.h" #include "libevtx_libbfio.h" #include "libevtx_libcerror.h" #include "libevtx_record_values.h" #include "libevtx_types.h" #if defined( __cplusplus ) extern "C" { #endif typedef struct libevtx_internal_record libevtx_internal_record_t; struct libevtx_internal_record { /* The IO handle */ libevtx_io_handle_t *io_handle; /* The file IO handle */ libbfio_handle_t *file_io_handle; /* The (event) record values */ libevtx_record_values_t *record_values; /* The flags */ uint8_t flags; }; int libevtx_record_initialize( libevtx_record_t **record, libevtx_io_handle_t *io_handle, libbfio_handle_t *file_io_handle, libevtx_record_values_t *record_values, uint8_t flags, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_record_free( libevtx_record_t **record, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_record_get_offset( libevtx_record_t *record, off64_t *offset, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_record_get_identifier( libevtx_record_t *record, uint64_t *identifier, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_record_get_creation_time( libevtx_record_t *record, uint64_t *filetime, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_record_get_written_time( libevtx_record_t *record, uint64_t *filetime, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_record_get_event_identifier( libevtx_record_t *record, uint32_t *event_identifier, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_record_get_event_identifier_qualifiers( libevtx_record_t *record, uint32_t *event_identifier_qualifiers, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_record_get_event_version( libevtx_record_t *record, uint8_t *event_version, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_record_get_event_level( libevtx_record_t *record, uint8_t *event_level, 
libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_record_get_utf8_provider_identifier_size( libevtx_record_t *record, size_t *utf8_string_size, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_record_get_utf8_provider_identifier( libevtx_record_t *record, uint8_t *utf8_string, size_t utf8_string_size, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_record_get_utf16_provider_identifier_size( libevtx_record_t *record, size_t *utf16_string_size, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_record_get_utf16_provider_identifier( libevtx_record_t *record, uint16_t *utf16_string, size_t utf16_string_size, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_record_get_utf8_source_name_size( libevtx_record_t *record, size_t *utf8_string_size, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_record_get_utf8_source_name( libevtx_record_t *record, uint8_t *utf8_string, size_t utf8_string_size, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_record_get_utf16_source_name_size( libevtx_record_t *record, size_t *utf16_string_size, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_record_get_utf16_source_name( libevtx_record_t *record, uint16_t *utf16_string, size_t utf16_string_size, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_record_get_utf8_channel_name_size( libevtx_record_t *record, size_t *utf8_string_size, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_record_get_utf8_channel_name( libevtx_record_t *record, uint8_t *utf8_string, size_t utf8_string_size, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_record_get_utf16_channel_name_size( libevtx_record_t *record, size_t *utf16_string_size, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_record_get_utf16_channel_name( libevtx_record_t *record, uint16_t *utf16_string, size_t utf16_string_size, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_record_get_utf8_computer_name_size( libevtx_record_t *record, 
size_t *utf8_string_size, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_record_get_utf8_computer_name( libevtx_record_t *record, uint8_t *utf8_string, size_t utf8_string_size, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_record_get_utf16_computer_name_size( libevtx_record_t *record, size_t *utf16_string_size, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_record_get_utf16_computer_name( libevtx_record_t *record, uint16_t *utf16_string, size_t utf16_string_size, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_record_get_utf8_user_security_identifier_size( libevtx_record_t *record, size_t *utf8_string_size, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_record_get_utf8_user_security_identifier( libevtx_record_t *record, uint8_t *utf8_string, size_t utf8_string_size, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_record_get_utf16_user_security_identifier_size( libevtx_record_t *record, size_t *utf16_string_size, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_record_get_utf16_user_security_identifier( libevtx_record_t *record, uint16_t *utf16_string, size_t utf16_string_size, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_record_parse_data_with_template_definition( libevtx_record_t *record, libevtx_template_definition_t *template_definition, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_record_get_number_of_strings( libevtx_record_t *record, int *number_of_strings, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_record_get_utf8_string_size( libevtx_record_t *record, int string_index, size_t *utf8_string_size, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_record_get_utf8_string( libevtx_record_t *record, int string_index, uint8_t *utf8_string, size_t utf8_string_size, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_record_get_utf16_string_size( libevtx_record_t *record, int string_index, size_t *utf16_string_size, libcerror_error_t 
**error ); LIBEVTX_EXTERN \ int libevtx_record_get_utf16_string( libevtx_record_t *record, int string_index, uint16_t *utf16_string, size_t utf16_string_size, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_record_get_data_size( libevtx_record_t *record, size_t *data_size, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_record_get_data( libevtx_record_t *record, uint8_t *data, size_t data_size, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_record_get_utf8_xml_string_size( libevtx_record_t *record, size_t *utf8_string_size, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_record_get_utf8_xml_string( libevtx_record_t *record, uint8_t *utf8_string, size_t utf8_string_size, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_record_get_utf16_xml_string_size( libevtx_record_t *record, size_t *utf16_string_size, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_record_get_utf16_xml_string( libevtx_record_t *record, uint16_t *utf16_string, size_t utf16_string_size, libcerror_error_t **error ); #if defined( __cplusplus ) } #endif #endif /* !defined( _LIBEVTX_INTERNAL_RECORD_H ) */ ================================================ FILE: libevtx/libevtx_record_values.c ================================================ /* * Record values functions * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. 
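If not, see . */

/* NOTE(review): the targets of the five system includes below are missing
 * from this listing; they are kept exactly as they appear on the page.
 */
#include #include #include #include #include

#include "libevtx_byte_stream.h"
#include "libevtx_io_handle.h"
#include "libevtx_libcerror.h"
#include "libevtx_libcnotify.h"
#include "libevtx_libfdatetime.h"
#include "libevtx_libfwevt.h"
#include "libevtx_record_values.h"
#include "libevtx_template_definition.h"

#include "evtx_event_record.h"

/* The 4-byte signature every event record header is compared against */
const uint8_t evtx_event_record_signature[ 4 ] = { 0x2a, 0x2a, 0x00, 0x00 };

/* Creates record values
 * Make sure the value record_values is referencing, is set to NULL
 * The structure is allocated and cleared to 0; on failure it is released again
 * and *record_values is reset to NULL
 * Returns 1 if successful or -1 on error
 */
int libevtx_record_values_initialize(
     libevtx_record_values_t **record_values,
     libcerror_error_t **error )
{
	static char *function = "libevtx_record_values_initialize";

	if( record_values == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record values.",
		 function );

		return( -1 );
	}
	if( *record_values != NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET,
		 "%s: invalid record values value already set.",
		 function );

		return( -1 );
	}
	*record_values = memory_allocate_structure(
	                  libevtx_record_values_t );

	if( *record_values == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_MEMORY,
		 LIBCERROR_MEMORY_ERROR_INSUFFICIENT,
		 "%s: unable to create record values.",
		 function );

		goto on_error;
	}
	if( memory_set(
	     *record_values,
	     0,
	     sizeof( libevtx_record_values_t ) ) == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_MEMORY,
		 LIBCERROR_MEMORY_ERROR_SET_FAILED,
		 "%s: unable to clear record values.",
		 function );

		goto on_error;
	}
	return( 1 );

on_error:
	if( *record_values != NULL )
	{
		memory_free(
		 *record_values );

		*record_values = NULL;
	}
	return( -1 );
}

/* Frees record values
 * Releases the string identifiers array, the strings array and the XML document
 * when they are set, then the structure itself
 * A failure to release one member does not stop the others from being released;
 * the function then returns -1 after everything has been attempted
 * Returns 1 if successful or -1 on error
 */
int libevtx_record_values_free(
     libevtx_record_values_t **record_values,
     libcerror_error_t **error )
{
	static char *function = "libevtx_record_values_free";
	int result            = 1;

	if( record_values == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record values.",
		 function );

		return( -1 );
	}
	if( *record_values != NULL )
	{
		if( ( *record_values )->string_identifiers_array != NULL )
		{
			if( libcdata_array_free(
			     &( ( *record_values )->string_identifiers_array ),
			     NULL,
			     error ) != 1 )
			{
				libcerror_error_set(
				 error,
				 LIBCERROR_ERROR_DOMAIN_RUNTIME,
				 LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
				 "%s: unable to free the string identifiers array.",
				 function );

				result = -1;
			}
		}
		if( ( *record_values )->strings_array != NULL )
		{
			if( libcdata_array_free(
			     &( ( *record_values )->strings_array ),
			     NULL,
			     error ) != 1 )
			{
				libcerror_error_set(
				 error,
				 LIBCERROR_ERROR_DOMAIN_RUNTIME,
				 LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
				 "%s: unable to free the strings array.",
				 function );

				result = -1;
			}
		}
		if( ( *record_values )->xml_document != NULL )
		{
			if( libfwevt_xml_document_free(
			     &( ( *record_values )->xml_document ),
			     error ) != 1 )
			{
				libcerror_error_set(
				 error,
				 LIBCERROR_ERROR_DOMAIN_RUNTIME,
				 LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
				 "%s: unable to free XML document.",
				 function );

				result = -1;
			}
		}
		memory_free(
		 *record_values );

		*record_values = NULL;
	}
	return( result );
}

/* Clones the record values
 * A NULL source yields a NULL destination and counts as success
 * The source must not have an XML document set
 * Returns 1 if successful or -1 on error
 */
int libevtx_record_values_clone(
     libevtx_record_values_t **destination_record_values,
     libevtx_record_values_t *source_record_values,
     libcerror_error_t **error )
{
	/* Previously this was "libevtx_record_values_free", which made every
	 * error raised here point at the wrong function
	 */
	static char *function = "libevtx_record_values_clone";

	if( destination_record_values == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid destination record values.",
		 function );

		return( -1 );
	}
	if( *destination_record_values != NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET,
		 "%s: invalid destination record values value already set.",
		 function );

		return( -1 );
	}
	if( source_record_values == NULL )
	{
		*destination_record_values = NULL;

		return( 1 );
	}
	if( source_record_values->xml_document != NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET,
		 "%s: invalid source record values - XML document value already set.",
		 function );

		return( -1 );
	}
	*destination_record_values = memory_allocate_structure(
	                              libevtx_record_values_t );

	if( *destination_record_values == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_MEMORY,
		 LIBCERROR_MEMORY_ERROR_INSUFFICIENT,
		 "%s: unable to create destination record values.",
		 function );

		goto on_error;
	}
	/* This is a shallow, byte-wise copy: every pointer member of the source
	 * is duplicated as a pointer, not as a new object.
	 * NOTE(review): libevtx_record_values_free() releases
	 * string_identifiers_array and strings_array, so a source that has either
	 * one set would leave two owners of the same array. Presumably those
	 * members are only filled in once an XML document exists, which is
	 * rejected above - confirm against the code that sets them.
	 */
	if( memory_copy(
	     *destination_record_values,
	     source_record_values,
	     sizeof( libevtx_record_values_t ) ) == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_MEMORY,
		 LIBCERROR_MEMORY_ERROR_COPY_FAILED,
		 "%s: unable to copy record values.",
		 function );

		goto on_error;
	}
	( *destination_record_values )->xml_document = NULL;

	return( 1 );

on_error:
	if( *destination_record_values != NULL )
	{
		memory_free(
		 *destination_record_values );

		*destination_record_values = NULL;
	}
	return( -1 );
}

/* Reads the record values header
 * The header is read from chunk_data starting at chunk_data_offset
 * Returns 1 if successful, 0 if the header is 0-byte filled or -1 on error
 */
int libevtx_record_values_read_header(
     libevtx_record_values_t *record_values,
     libevtx_io_handle_t *io_handle,
     const uint8_t *chunk_data,
     size_t chunk_data_size,
     size_t chunk_data_offset,
     libcerror_error_t **error )
{
	const uint8_t *event_record_data = NULL;
	static char *function            = "libevtx_record_values_read_header";
	size_t event_record_data_size    = 0;
	uint32_t size_copy               = 0;
	int result                       = 0;

#if defined( HAVE_DEBUG_OUTPUT )
	system_character_t filetime_string[ 32 ];

	libfdatetime_filetime_t *filetime = NULL;
#endif

	if( record_values == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record values.",
		 function );

		return( -1 );
	}
	if( io_handle == NULL )
	{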
libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid IO handle.", function ); return( -1 ); } if( chunk_data == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid chunk data.", function ); return( -1 ); } if( chunk_data_size > (size_t) SSIZE_MAX ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_VALUE_EXCEEDS_MAXIMUM, "%s: invalid chunk data size value exceeds maximum.", function ); goto on_error; } if( chunk_data_offset >= chunk_data_size ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_VALUE_OUT_OF_BOUNDS, "%s: invalid chunk data offset value out of bounds.", function ); goto on_error; } event_record_data = &( chunk_data[ chunk_data_offset ] ); event_record_data_size = chunk_data_size - chunk_data_offset; if( event_record_data_size < ( sizeof( evtx_event_record_header_t ) + 4 ) ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS, "%s: invalid event record data size value too small.", function ); goto on_error; } #if defined( HAVE_DEBUG_OUTPUT ) if( libcnotify_verbose != 0 ) { libcnotify_printf( "%s: event record header data:\n", function ); libcnotify_print_data( event_record_data, sizeof( evtx_event_record_header_t ), 0 ); } #endif result = libevtx_byte_stream_check_for_zero_byte_fill( event_record_data, sizeof( evtx_event_record_header_t ), error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to determine of event record header is 0-byte filled.", function ); goto on_error; } else if( result != 0 ) { return( 0 ); } if( memory_compare( ( (evtx_event_record_header_t *) event_record_data )->signature, evtx_event_record_signature, 4 ) != 0 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, 
LIBCERROR_RUNTIME_ERROR_UNSUPPORTED_VALUE, "%s: unsupported event record signature.", function ); goto on_error; } record_values->chunk_data_offset = chunk_data_offset; byte_stream_copy_to_uint32_little_endian( ( (evtx_event_record_header_t *) event_record_data )->size, record_values->data_size ); byte_stream_copy_to_uint64_little_endian( ( (evtx_event_record_header_t *) event_record_data )->identifier, record_values->identifier ); byte_stream_copy_to_uint64_little_endian( ( (evtx_event_record_header_t *) event_record_data )->written_time, record_values->written_time ); #if defined( HAVE_DEBUG_OUTPUT ) if( libcnotify_verbose != 0 ) { libcnotify_printf( "%s: signature\t\t\t\t: \\x%02x\\x%02x\\x%02x\\x%02x\n", function, ( (evtx_event_record_header_t *) event_record_data )->signature[ 0 ], ( (evtx_event_record_header_t *) event_record_data )->signature[ 1 ], ( (evtx_event_record_header_t *) event_record_data )->signature[ 2 ] , ( (evtx_event_record_header_t *) event_record_data )->signature[ 3 ] ); libcnotify_printf( "%s: size\t\t\t\t\t: %" PRIu32 "\n", function, record_values->data_size ); libcnotify_printf( "%s: identifier\t\t\t\t: %" PRIu64 "\n", function, record_values->identifier ); if( libfdatetime_filetime_initialize( &filetime, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED, "%s: unable to create file time.", function ); goto on_error; } if( libfdatetime_filetime_copy_from_byte_stream( filetime, ( (evtx_event_record_header_t *) event_record_data )->written_time, 8, LIBFDATETIME_ENDIAN_LITTLE, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_SET_FAILED, "%s: unable to copy file time from byte stream.", function ); goto on_error; } #if defined( HAVE_WIDE_SYSTEM_CHARACTER ) result = libfdatetime_filetime_copy_to_utf16_string( filetime, (uint16_t *) filetime_string, 32, LIBFDATETIME_STRING_FORMAT_TYPE_CTIME | 
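LIBFDATETIME_STRING_FORMAT_FLAG_DATE_TIME_NANO_SECONDS,
		          error );
#else
		result = libfdatetime_filetime_copy_to_utf8_string(
		          filetime,
		          (uint8_t *) filetime_string,
		          32,
		          LIBFDATETIME_STRING_FORMAT_TYPE_CTIME | LIBFDATETIME_STRING_FORMAT_FLAG_DATE_TIME_NANO_SECONDS,
		          error );
#endif
		if( result != 1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_SET_FAILED,
			 "%s: unable to copy file time to string.",
			 function );

			goto on_error;
		}
		libcnotify_printf(
		 "%s: written time\t\t\t\t: %" PRIs_SYSTEM " UTC\n",
		 function,
		 filetime_string );

		if( libfdatetime_filetime_free(
		     &filetime,
		     error ) != 1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
			 "%s: unable to free file time.",
			 function );

			goto on_error;
		}
	}
#endif
	/* The size comes straight from the file and is untrusted.
	 * A record needs room for the header and the trailing 4-byte size copy.
	 * With a smaller value the size copy below would be read from inside the
	 * header itself, and the XML data size computed in
	 * libevtx_record_values_read_xml_document() would wrap around.
	 */
	if( ( record_values->data_size < ( sizeof( evtx_event_record_header_t ) + 4 ) )
	 || ( record_values->data_size > ( event_record_data_size - 4 ) ) )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS,
		 "%s: invalid event record data size value out of bounds.",
		 function );

		goto on_error;
	}
	/* The last 4 bytes of the record repeat the size; both must agree */
	byte_stream_copy_to_uint32_little_endian(
	 &( event_record_data[ record_values->data_size - 4 ] ),
	 size_copy );

#if defined( HAVE_DEBUG_OUTPUT )
	if( libcnotify_verbose != 0 )
	{
		libcnotify_printf(
		 "%s: size copy\t\t\t\t: %" PRIu32 "\n",
		 function,
		 size_copy );

		libcnotify_printf(
		 "\n" );
	}
#endif
	if( record_values->data_size != size_copy )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_INPUT,
		 LIBCERROR_INPUT_ERROR_VALUE_MISMATCH,
		 "%s: value mismatch for size and size copy.",
		 function );

		goto on_error;
	}
	return( 1 );

on_error:
#if defined( HAVE_DEBUG_OUTPUT )
	if( filetime != NULL )
	{
		libfdatetime_filetime_free(
		 &filetime,
		 NULL );
	}
#endif
	return( -1 );
}

/* Reads the record values XML document
 * Uses the chunk data offset and data size stored in record_values, so the
 * record header is expected to have been read first
 * On error any XML document created here is freed again
 * Returns 1 if successful or -1 on error
 */
int libevtx_record_values_read_xml_document(
     libevtx_record_values_t *record_values,
     libevtx_io_handle_t *io_handle,
     const uint8_t *chunk_data,
     size_t chunk_data_size,
     libcerror_error_t **error )
{
	static char *function         = "libevtx_record_values_read_xml_document";
	size_t chunk_data_offset      = 0;
	size_t event_record_data_size = 0;
	uint8_t flags                 = 0;

	if( record_values == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record values.",
		 function );

		return( -1 );
	}
	if( record_values->xml_document != NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET,
		 "%s: invalid record values - XML document already set.",
		 function );

		return( -1 );
	}
	if( io_handle == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid IO handle.",
		 function );

		return( -1 );
	}
	if( chunk_data == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid chunk data.",
		 function );

		return( -1 );
	}
	if( chunk_data_size > (size_t) SSIZE_MAX )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_VALUE_EXCEEDS_MAXIMUM,
		 "%s: invalid chunk data size value exceeds maximum.",
		 function );

		goto on_error;
	}
	if( record_values->chunk_data_offset >= chunk_data_size )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_VALUE_OUT_OF_BOUNDS,
		 "%s: invalid record values - chunk data offset value out of bounds.",
		 function );

		goto on_error;
	}
	/* Do not rely on the caller having validated the stored size: without
	 * this check the subtraction below wraps around to a huge size_t value.
	 */
	if( record_values->data_size < ( sizeof( evtx_event_record_header_t ) + 4 ) )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS,
		 "%s: invalid record values - data size value out of bounds.",
		 function );

		goto on_error;
	}
	/* Cannot overflow: the stored offset is below chunk_data_size, which is
	 * itself at most SSIZE_MAX.
	 */
	chunk_data_offset = record_values->chunk_data_offset + sizeof( evtx_event_record_header_t );

	if( chunk_data_offset >= chunk_data_size )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_VALUE_OUT_OF_BOUNDS,
		 "%s: invalid chunk data offset value out of bounds.",
		 function );

		goto on_error;
	}
	/* The XML data is what remains of the record after the header and
	 * before the trailing 4-byte size copy.
	 */
	event_record_data_size = record_values->data_size - ( sizeof( evtx_event_record_header_t ) + 4 );

	/* Compare against the remaining space instead of adding offset and
	 * size, so the bounds check itself cannot wrap around.
	 */
	if( event_record_data_size > ( chunk_data_size - chunk_data_offset ) )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_VALUE_OUT_OF_BOUNDS,
		 "%s: invalid event record data size value out of bounds.",
		 function );

		goto on_error;
	}
	if( libfwevt_xml_document_initialize(
	     &( record_values->xml_document ),
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
		 "%s: unable to create XML document.",
		 function );

		goto on_error;
	}
#if defined( HAVE_DEBUG_OUTPUT )
	if( libcnotify_verbose != 0 )
	{
		libcnotify_printf(
		 "%s: event record data:\n",
		 function );
		libcnotify_print_data(
		 &( chunk_data[ chunk_data_offset ] ),
		 event_record_data_size,
		 0 );
	}
#endif
	flags = LIBFWEVT_XML_DOCUMENT_READ_FLAG_HAS_DATA_OFFSETS
	      | LIBFWEVT_XML_DOCUMENT_READ_FLAG_HAS_DEPENDENCY_IDENTIFIERS;

	/* The parser receives the whole chunk and a start offset, not the
	 * record-sized window computed above.
	 * NOTE(review): presumably so that data offsets can refer to other parts
	 * of the chunk - confirm; it means the parser is bounded by the chunk
	 * size, not by this record's size.
	 */
	if( libfwevt_xml_document_read(
	     record_values->xml_document,
	     chunk_data,
	     chunk_data_size,
	     chunk_data_offset,
	     io_handle->ascii_codepage,
	     flags,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_IO,
		 LIBCERROR_IO_ERROR_READ_FAILED,
		 "%s: unable to read binary XML document.",
		 function );

		goto on_error;
	}
#if defined( HAVE_DEBUG_OUTPUT )
	if( libcnotify_verbose != 0 )
	{
		libcnotify_printf(
		 "%s: XML document:\n",
		 function );

		if( libfwevt_xml_document_debug_print(
		     record_values->xml_document,
		     error ) != 1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_PRINT_FAILED,
			 "%s: unable to print XML document.",
			 function );

			goto on_error;
		}
	}
#endif
	return( 1 );

on_error:
	if( record_values->xml_document != NULL )
	{
		libfwevt_xml_document_free(
		 &( record_values->xml_document ),
		 NULL );
	}
	return( -1 );
}

/* Retrieves the event identifier
 * Returns 1 if successful or -1 on error
 */
int libevtx_record_values_get_event_identifier(
     libevtx_record_values_t *record_values,
     uint32_t *event_identifier,
     libcerror_error_t **error )
{
	libfwevt_xml_tag_t *root_xml_tag             = NULL;
	libfwevt_xml_tag_t *system_xml_tag           =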
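NULL;
	libfwevt_xml_value_t *event_identifier_value = NULL;
	static char *function                        = "libevtx_record_values_get_event_identifier";

	if( record_values == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record values.",
		 function );

		return( -1 );
	}
	if( record_values->xml_document == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
		 "%s: invalid record values - missing XML document.",
		 function );

		return( -1 );
	}
	/* The EventID tag is looked up once (root -> System -> EventID) and
	 * then kept in record_values for later calls.
	 */
	if( record_values->event_identifier_xml_tag == NULL )
	{
		if( libfwevt_xml_document_get_root_xml_tag(
		     record_values->xml_document,
		     &root_xml_tag,
		     error ) != 1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve root XML element.",
			 function );

			return( -1 );
		}
		if( libfwevt_xml_tag_get_element_by_utf8_name(
		     root_xml_tag,
		     (uint8_t *) "System",
		     6,
		     &system_xml_tag,
		     error ) != 1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve System XML element.",
			 function );

			return( -1 );
		}
		if( libfwevt_xml_tag_get_element_by_utf8_name(
		     system_xml_tag,
		     (uint8_t *) "EventID",
		     7,
		     &( record_values->event_identifier_xml_tag ),
		     error ) != 1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve EventID XML element.",
			 function );

			return( -1 );
		}
	}
	if( libfwevt_xml_tag_get_value(
	     record_values->event_identifier_xml_tag,
	     &event_identifier_value,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve EventID XML element value.",
		 function );

		return( -1 );
	}
	/* The qualifiers getter in this file treats a NULL value after a
	 * successful libfwevt_xml_tag_get_value() as possible, so an EventID
	 * element without a value is rejected here instead of passing NULL on
	 * to the conversion.
	 */
	if( event_identifier_value == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
		 "%s: missing EventID XML element value.",
		 function );

		return( -1 );
	}
	if( libfwevt_value_get_data_as_32bit_integer(
	     event_identifier_value,
	     event_identifier,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_COPY_FAILED,
		 "%s: unable to copy value to event identifier.",
		 function );

		return( -1 );
	}
	return( 1 );
}

/* Retrieves the event identifier qualifiers
 * The qualifiers are read from the Qualifiers attribute of the EventID element
 * Returns 1 if successful, 0 if not available or -1 on error
 */
int libevtx_record_values_get_event_identifier_qualifiers(
     libevtx_record_values_t *record_values,
     uint32_t *event_identifier_qualifiers,
     libcerror_error_t **error )
{
	libfwevt_xml_tag_t *qualifiers_xml_tag = NULL;
	libfwevt_xml_tag_t *root_xml_tag       = NULL;
	libfwevt_xml_tag_t *system_xml_tag     = NULL;
	libfwevt_xml_value_t *qualifiers_value = NULL;
	static char *function                  = "libevtx_record_values_get_event_identifier_qualifiers";
	int result                             = 0;

	if( record_values == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record values.",
		 function );

		return( -1 );
	}
	if( record_values->xml_document == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
		 "%s: invalid record values - missing XML document.",
		 function );

		return( -1 );
	}
	/* Same lookup as in libevtx_record_values_get_event_identifier(); the
	 * EventID tag found here is kept in record_values as well.
	 */
	if( record_values->event_identifier_xml_tag == NULL )
	{
		if( libfwevt_xml_document_get_root_xml_tag(
		     record_values->xml_document,
		     &root_xml_tag,
		     error ) != 1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve root XML element.",
			 function );

			return( -1 );
		}
		if( libfwevt_xml_tag_get_element_by_utf8_name(
		     root_xml_tag,
		     (uint8_t *) "System",
		     6,
		     &system_xml_tag,
		     error ) != 1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve System XML element.",
			 function );

			return( -1 );
		}
		if( libfwevt_xml_tag_get_element_by_utf8_name(
		     system_xml_tag,
		     (uint8_t *) "EventID",
		     7,
		     &( record_values->event_identifier_xml_tag ),
		     error ) != 1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve EventID XML element.",
			 function );

			return( -1 );
		}
	}
	result =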
libfwevt_xml_tag_get_attribute_by_utf8_name( record_values->event_identifier_xml_tag, (uint8_t *) "Qualifiers", 10, &qualifiers_xml_tag, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve Qualifiers XML attribute.", function ); return( -1 ); } else if( result != 0 ) { if( libfwevt_xml_tag_get_value( qualifiers_xml_tag, &qualifiers_value, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve Qualifiers XML element value.", function ); return( -1 ); } if( qualifiers_value == NULL ) { result = 0; } else if( libfwevt_value_get_data_as_32bit_integer( qualifiers_value, event_identifier_qualifiers, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_COPY_FAILED, "%s: unable to copy value to qualifiers.", function ); return( -1 ); } } return( result ); } /* Retrieves the event version * Returns 1 if successful, 0 if not available or -1 on error */ int libevtx_record_values_get_event_version( libevtx_record_values_t *record_values, uint8_t *event_version, libcerror_error_t **error ) { libfwevt_xml_tag_t *root_xml_tag = NULL; libfwevt_xml_tag_t *system_xml_tag = NULL; libfwevt_xml_tag_t *version_xml_tag = NULL; static char *function = "libevtx_record_values_get_event_version"; int result = 0; if( record_values == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid record values.", function ); return( -1 ); } if( record_values->xml_document == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING, "%s: invalid record values - missing XML document.", function ); return( -1 ); } if( record_values->version_value == NULL ) { if( libfwevt_xml_document_get_root_xml_tag( record_values->xml_document, &root_xml_tag, error ) != 1 ) { 
libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve root XML element.", function ); return( -1 ); } if( libfwevt_xml_tag_get_element_by_utf8_name( root_xml_tag, (uint8_t *) "System", 6, &system_xml_tag, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve System XML element.", function ); return( -1 ); } result = libfwevt_xml_tag_get_element_by_utf8_name( system_xml_tag, (uint8_t *) "Version", 7, &version_xml_tag, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve Version XML element.", function ); return( -1 ); } else if( result != 0 ) { if( libfwevt_xml_tag_get_value( version_xml_tag, &( record_values->version_value ), error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve Version XML element value.", function ); return( -1 ); } } } if( record_values->version_value == NULL ) { result = 0; } else { if( libfwevt_value_get_data_as_8bit_integer( record_values->version_value, event_version, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_COPY_FAILED, "%s: unable to copy value to event version.", function ); return( -1 ); } result = 1; } return( result ); } /* Retrieves the 64-bit FILETIME value containing the creation time from the binary XML * Returns 1 if successful, 0 if not available or -1 on error */ int libevtx_record_values_get_creation_time( libevtx_record_values_t *record_values, uint64_t *filetime, libcerror_error_t **error ) { libfwevt_xml_tag_t *root_xml_tag = NULL; libfwevt_xml_tag_t *system_time_xml_tag = NULL; libfwevt_xml_tag_t *system_xml_tag = NULL; libfwevt_xml_tag_t *time_created_xml_tag = NULL; static char *function = "libevtx_record_values_get_creation_time"; int 
result = 0; if( record_values == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid record values.", function ); return( -1 ); } if( record_values->xml_document == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING, "%s: invalid record values - missing XML document.", function ); return( -1 ); } if( record_values->time_created_value == NULL ) { if( libfwevt_xml_document_get_root_xml_tag( record_values->xml_document, &root_xml_tag, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve root XML element.", function ); return( -1 ); } result = libfwevt_xml_tag_get_element_by_utf8_name( root_xml_tag, (uint8_t *) "System", 6, &system_xml_tag, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve System XML element.", function ); return( -1 ); } else if( result == 0 ) { return( 0 ); } result = libfwevt_xml_tag_get_element_by_utf8_name( system_xml_tag, (uint8_t *) "TimeCreated", 11, &time_created_xml_tag, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve TimeCreated XML element.", function ); return( -1 ); } else if( result == 0 ) { return( 0 ); } result = libfwevt_xml_tag_get_attribute_by_utf8_name( time_created_xml_tag, (uint8_t *) "SystemTime", 10, &system_time_xml_tag, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve SystemTime XML attribute.", function ); return( -1 ); } if( result == 0 ) { return( 0 ); } if( libfwevt_xml_tag_get_value( system_time_xml_tag, &( record_values->time_created_value ), error ) != 1 ) { libcerror_error_set( error, 
LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve provider TimeCreated XML element value.", function ); return( -1 ); } } if( record_values->time_created_value == NULL ) { result = 0; } else { if( libfwevt_value_get_data_as_filetime( record_values->time_created_value, filetime, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_COPY_FAILED, "%s: unable to copy TimeCreated value to FILETIME timestamp.", function ); return( -1 ); } result = 1; } return( result ); } /* Retrieves the 64-bit FILETIME value containing the written time from the event record header * Returns 1 if successful or -1 on error */ int libevtx_record_values_get_written_time( libevtx_record_values_t *record_values, uint64_t *filetime, libcerror_error_t **error ) { static char *function = "libevtx_record_values_get_written_time"; if( record_values == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid record values.", function ); return( -1 ); } if( record_values->xml_document == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING, "%s: invalid record values - missing XML document.", function ); return( -1 ); } if( filetime == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid FILETIME timestamp.", function ); return( -1 ); } *filetime = record_values->written_time; return( 1 ); } /* Retrieves the event level * Returns 1 if successful or -1 on error */ int libevtx_record_values_get_event_level( libevtx_record_values_t *record_values, uint8_t *event_level, libcerror_error_t **error ) { libfwevt_xml_tag_t *level_xml_tag = NULL; libfwevt_xml_tag_t *root_xml_tag = NULL; libfwevt_xml_tag_t *system_xml_tag = NULL; static char *function = "libevtx_record_values_get_event_level"; if( record_values == NULL ) { 
libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid record values.", function ); return( -1 ); } if( record_values->xml_document == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING, "%s: invalid record values - missing XML document.", function ); return( -1 ); } if( record_values->level_value == NULL ) { if( libfwevt_xml_document_get_root_xml_tag( record_values->xml_document, &root_xml_tag, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve root XML element.", function ); return( -1 ); } if( libfwevt_xml_tag_get_element_by_utf8_name( root_xml_tag, (uint8_t *) "System", 6, &system_xml_tag, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve System XML element.", function ); return( -1 ); } if( libfwevt_xml_tag_get_element_by_utf8_name( system_xml_tag, (uint8_t *) "Level", 5, &level_xml_tag, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve Level XML element.", function ); return( -1 ); } if( libfwevt_xml_tag_get_value( level_xml_tag, &( record_values->level_value ), error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve Level XML element value.", function ); return( -1 ); } } if( libfwevt_value_get_data_as_8bit_integer( record_values->level_value, event_level, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_COPY_FAILED, "%s: unable to copy value to event level.", function ); return( -1 ); } return( 1 ); } /* Retrieves the size of the UTF-8 encoded provider identifier * The returned size includes the end of string character * Returns 1 if successful, 0 if not 
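available or -1 on error */
/* The provider identifier is the Guid attribute of the System/Provider element.
 * The lookup is guarded by provider_identifier_value, the field it fills. It used to be
 * guarded by provider_name_value, so once a source name getter had cached the provider
 * name the Guid was never looked up and this function reported 0 (not available).
 * When 0 is returned utf8_string_size has not been written.
 */
int libevtx_record_values_get_utf8_provider_identifier_size(
     libevtx_record_values_t *record_values,
     size_t *utf8_string_size,
     libcerror_error_t **error )
{
	libfwevt_xml_tag_t *provider_identifier_xml_tag = NULL;
	libfwevt_xml_tag_t *root_xml_tag = NULL;
	libfwevt_xml_tag_t *system_xml_tag = NULL;
	static char *function = "libevtx_record_values_get_utf8_provider_identifier_size";
	int result = 0;

	if( record_values == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record values.", function );

		return( -1 );
	}
	if( record_values->xml_document == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
		 "%s: invalid record values - missing XML document.", function );

		return( -1 );
	}
	/* The Provider tag is shared with the source name getters and looked up once */
	if( record_values->provider_xml_tag == NULL )
	{
		if( libfwevt_xml_document_get_root_xml_tag( record_values->xml_document, &root_xml_tag, error ) != 1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve root XML element.", function );

			return( -1 );
		}
		result = libfwevt_xml_tag_get_element_by_utf8_name( root_xml_tag, (uint8_t *) "System", 6, &system_xml_tag, error );

		if( result == -1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve System XML element.", function );

			return( -1 );
		}
		else if( result == 0 )
		{
			return( 0 );
		}
		result = libfwevt_xml_tag_get_element_by_utf8_name( system_xml_tag, (uint8_t *) "Provider", 8, &( record_values->provider_xml_tag ), error );

		if( result == -1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve Provider XML element.", function );

			return( -1 );
		}
		else if( result == 0 )
		{
			return( 0 );
		}
	}
	/* Fixed guard: test the identifier cache, not the provider name cache */
	if( record_values->provider_identifier_value == NULL )
	{
		result = libfwevt_xml_tag_get_attribute_by_utf8_name( record_values->provider_xml_tag, (uint8_t *) "Guid", 4, &provider_identifier_xml_tag, error );

		if( result == -1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve Guid XML attribute.", function );

			return( -1 );
		}
		if( result == 0 )
		{
			return( 0 );
		}
		if( libfwevt_xml_tag_get_value( provider_identifier_xml_tag, &( record_values->provider_identifier_value ), error ) != 1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve provider GUID XML element value.", function );

			return( -1 );
		}
	}
	if( record_values->provider_identifier_value == NULL )
	{
		result = 0;
	}
	else
	{
		if( libfwevt_xml_value_get_utf8_string_size( record_values->provider_identifier_value, utf8_string_size, error ) != 1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve UTF-8 string size of provider identifier.", function );

			return( -1 );
		}
		result = 1;
	}
	return( result );
}

/* Retrieves the UTF-8 encoded provider identifier
 * The size should include the end of string character
 * Returns 1 if successful, 0 if not available or -1 on error
 * utf8_string and utf8_string_size are passed unchanged to
 * libfwevt_xml_value_copy_to_utf8_string, so size the buffer with
 * libevtx_record_values_get_utf8_provider_identifier_size first
 * NOTE(review): the bounds check is presumably done in libfwevt - confirm
 * The Guid lookup is guarded by provider_identifier_value (previously the
 * provider name cache was tested, which hid the Guid after a source name call)
 */
int libevtx_record_values_get_utf8_provider_identifier(
     libevtx_record_values_t *record_values,
     uint8_t *utf8_string,
     size_t utf8_string_size,
     libcerror_error_t **error )
{
	libfwevt_xml_tag_t *provider_identifier_xml_tag = NULL;
	libfwevt_xml_tag_t *root_xml_tag = NULL;
	libfwevt_xml_tag_t *system_xml_tag = NULL;
	static char *function = "libevtx_record_values_get_utf8_provider_identifier";
	int result = 0;

	if( record_values == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record values.", function );

		return( -1 );
	}
	if( record_values->xml_document == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
		 "%s: invalid record values - missing XML document.", function );

		return( -1 );
	}
	/* The Provider tag is shared with the source name getters and looked up once */
	if( record_values->provider_xml_tag == NULL )
	{
		if( libfwevt_xml_document_get_root_xml_tag( record_values->xml_document, &root_xml_tag, error ) != 1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve root XML element.", function );

			return( -1 );
		}
		result = libfwevt_xml_tag_get_element_by_utf8_name( root_xml_tag, (uint8_t *) "System", 6, &system_xml_tag, error );

		if( result == -1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve System XML element.", function );

			return( -1 );
		}
		else if( result == 0 )
		{
			return( 0 );
		}
		result = libfwevt_xml_tag_get_element_by_utf8_name( system_xml_tag, (uint8_t *) "Provider", 8, &( record_values->provider_xml_tag ), error );

		if( result == -1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve Provider XML element.", function );

			return( -1 );
		}
		else if( result == 0 )
		{
			return( 0 );
		}
	}
	/* Fixed guard: test the identifier cache, not the provider name cache */
	if( record_values->provider_identifier_value == NULL )
	{
		result = libfwevt_xml_tag_get_attribute_by_utf8_name( record_values->provider_xml_tag, (uint8_t *) "Guid", 4, &provider_identifier_xml_tag, error );

		if( result == -1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve Guid XML attribute.", function );

			return( -1 );
		}
		if( result == 0 )
		{
			return( 0 );
		}
		if( libfwevt_xml_tag_get_value( provider_identifier_xml_tag, &( record_values->provider_identifier_value ), error ) != 1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve provider GUID XML element value.", function );

			return( -1 );
		}
	}
	if( record_values->provider_identifier_value == NULL )
	{
		result = 0;
	}
	else
	{
		if( libfwevt_xml_value_copy_to_utf8_string( record_values->provider_identifier_value, utf8_string, utf8_string_size, error ) != 1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_COPY_FAILED,
			 "%s: unable to copy provider identifier to UTF-8 string.", function );

			return( -1 );
		}
		result = 1;
	}
	return( result );
}

/* Retrieves the size of the UTF-16 encoded provider identifier
 * The returned size includes the end of string character
 * Returns 1 if successful, 0 if not available or -1 on error
 * When 0 is returned utf16_string_size has not been written
 * The Guid lookup is guarded by provider_identifier_value (previously the
 * provider name cache was tested, which hid the Guid after a source name call)
 */
int libevtx_record_values_get_utf16_provider_identifier_size(
     libevtx_record_values_t *record_values,
     size_t *utf16_string_size,
     libcerror_error_t **error )
{
	libfwevt_xml_tag_t *provider_identifier_xml_tag = NULL;
	libfwevt_xml_tag_t *root_xml_tag = NULL;
	libfwevt_xml_tag_t *system_xml_tag = NULL;
	static char *function = "libevtx_record_values_get_utf16_provider_identifier_size";
	int result = 0;

	if( record_values == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record values.", function );

		return( -1 );
	}
	if( record_values->xml_document == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
		 "%s: invalid record values - missing XML document.", function );

		return( -1 );
	}
	/* The Provider tag is shared with the source name getters and looked up once */
	if( record_values->provider_xml_tag == NULL )
	{
		if( libfwevt_xml_document_get_root_xml_tag( record_values->xml_document, &root_xml_tag, error ) != 1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve root XML element.", function );

			return( -1 );
		}
		result = libfwevt_xml_tag_get_element_by_utf8_name( root_xml_tag, (uint8_t *) "System", 6, &system_xml_tag, error );

		if( result == -1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve System XML element.", function );

			return( -1 );
		}
		else if( result == 0 )
		{
			return( 0 );
		}
		result = libfwevt_xml_tag_get_element_by_utf8_name( system_xml_tag, (uint8_t *) "Provider", 8, &( record_values->provider_xml_tag ), error );

		if( result == -1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve Provider XML element.", function );

			return( -1 );
		}
		else if( result == 0 )
		{
			return( 0 );
		}
	}
	/* Fixed guard: test the identifier cache, not the provider name cache */
	if( record_values->provider_identifier_value == NULL )
	{
		result = libfwevt_xml_tag_get_attribute_by_utf8_name( record_values->provider_xml_tag, (uint8_t *) "Guid", 4, &provider_identifier_xml_tag, error );

		if( result == -1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve Guid XML attribute.", function );

			return( -1 );
		}
		if( result == 0 )
		{
			return( 0 );
		}
		if( libfwevt_xml_tag_get_value( provider_identifier_xml_tag, &( record_values->provider_identifier_value ), error ) != 1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve provider GUID XML element value.", function );

			return( -1 );
		}
	}
	if( record_values->provider_identifier_value == NULL )
	{
		result = 0;
	}
	else
	{
		if( libfwevt_xml_value_get_utf16_string_size( record_values->provider_identifier_value, utf16_string_size, error ) != 1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve UTF-16 string size of provider identifier.", function );

			return( -1 );
		}
		result = 1;
	}
	return( result );
}

/* Retrieves the UTF-16 encoded provider identifier
 * The size should include the end of string character
 * Returns 1 if successful, 0 if not available or -1 on error
 * utf16_string and utf16_string_size are passed unchanged to
 * libfwevt_xml_value_copy_to_utf16_string, so size the buffer with
 * libevtx_record_values_get_utf16_provider_identifier_size first
 * NOTE(review): the bounds check is presumably done in libfwevt - confirm
 * The Guid lookup is guarded by provider_identifier_value (previously the
 * provider name cache was tested, which hid the Guid after a source name call)
 */
int libevtx_record_values_get_utf16_provider_identifier(
     libevtx_record_values_t *record_values,
     uint16_t *utf16_string,
     size_t utf16_string_size,
     libcerror_error_t **error )
{
	libfwevt_xml_tag_t *provider_identifier_xml_tag = NULL;
	libfwevt_xml_tag_t *root_xml_tag = NULL;
	libfwevt_xml_tag_t *system_xml_tag = NULL;
	static char *function = "libevtx_record_values_get_utf16_provider_identifier";
	int result = 0;

	if( record_values == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record values.", function );

		return( -1 );
	}
	if( record_values->xml_document == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
		 "%s: invalid record values - missing XML document.", function );

		return( -1 );
	}
	/* The Provider tag is shared with the source name getters and looked up once */
	if( record_values->provider_xml_tag == NULL )
	{
		if( libfwevt_xml_document_get_root_xml_tag( record_values->xml_document, &root_xml_tag, error ) != 1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve root XML element.", function );

			return( -1 );
		}
		result = libfwevt_xml_tag_get_element_by_utf8_name( root_xml_tag, (uint8_t *) "System", 6, &system_xml_tag, error );

		if( result == -1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve System XML element.", function );

			return( -1 );
		}
		else if( result == 0 )
		{
			return( 0 );
		}
		result = libfwevt_xml_tag_get_element_by_utf8_name( system_xml_tag, (uint8_t *) "Provider", 8, &( record_values->provider_xml_tag ), error );

		if( result == -1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve Provider XML element.", function );

			return( -1 );
		}
		else if( result == 0 )
		{
			return( 0 );
		}
	}
	/* Fixed guard: test the identifier cache, not the provider name cache */
	if( record_values->provider_identifier_value == NULL )
	{
		result = libfwevt_xml_tag_get_attribute_by_utf8_name( record_values->provider_xml_tag, (uint8_t *) "Guid", 4, &provider_identifier_xml_tag, error );

		if( result == -1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve Guid XML attribute.", function );

			return( -1 );
		}
		if( result == 0 )
		{
			return( 0 );
		}
		if( libfwevt_xml_tag_get_value( provider_identifier_xml_tag, &( record_values->provider_identifier_value ), error ) != 1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve provider GUID XML element value.", function );

			return( -1 );
		}
	}
	if( record_values->provider_identifier_value == NULL )
	{
		result = 0;
	}
	else
	{
		if( libfwevt_xml_value_copy_to_utf16_string( record_values->provider_identifier_value, utf16_string, utf16_string_size, error ) != 1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_COPY_FAILED,
			 "%s: unable to copy provider identifier to UTF-16 string.", function );

			return( -1 );
		}
		result = 1;
	}
	return( result );
}

/* Retrieves the size of the UTF-8 encoded source name
 * The returned size includes the end of string character
 * Returns 1 if successful, 0 if not available or -1 on error
 */
int libevtx_record_values_get_utf8_source_name_size(
     libevtx_record_values_t *record_values,
     size_t *utf8_string_size,
     libcerror_error_t **error )
{
	libfwevt_xml_tag_t *provider_name_xml_tag = NULL;
	libfwevt_xml_tag_t *root_xml_tag = NULL;
	libfwevt_xml_tag_t *system_xml_tag = NULL;
	static char *function = "libevtx_record_values_get_utf8_source_name_size";
	int result = 0;

	if( record_values == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record values.", function );

		return( -1 );
	}
	if( record_values->xml_document == NULL )
	{
		libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
		 "%s: invalid record values - missing XML document.", function );

		return( -1 );
	}
	if( record_values->provider_xml_tag == NULL )
	{
		if( libfwevt_xml_document_get_root_xml_tag( record_values->xml_document, &root_xml_tag, error ) != 1 )
		{
			libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve root XML element.", function );

			return( -1 );
		}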
result = libfwevt_xml_tag_get_element_by_utf8_name( root_xml_tag, (uint8_t *) "System", 6, &system_xml_tag, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve System XML element.", function ); return( -1 ); } else if( result == 0 ) { return( 0 ); } result = libfwevt_xml_tag_get_element_by_utf8_name( system_xml_tag, (uint8_t *) "Provider", 8, &( record_values->provider_xml_tag ), error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve Provider XML element.", function ); return( -1 ); } else if( result == 0 ) { return( 0 ); } } if( record_values->provider_name_value == NULL ) { result = libfwevt_xml_tag_get_attribute_by_utf8_name( record_values->provider_xml_tag, (uint8_t *) "EventSourceName", 15, &provider_name_xml_tag, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve EventSourceName XML attribute.", function ); return( -1 ); } else if( result == 0 ) { result = libfwevt_xml_tag_get_attribute_by_utf8_name( record_values->provider_xml_tag, (uint8_t *) "Name", 4, &provider_name_xml_tag, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve Name XML attribute.", function ); return( -1 ); } } if( result == 0 ) { return( 0 ); } if( libfwevt_xml_tag_get_value( provider_name_xml_tag, &( record_values->provider_name_value ), error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve provider name XML element value.", function ); return( -1 ); } } if( record_values->provider_name_value == NULL ) { result = 0; } else { if( libfwevt_xml_value_get_utf8_string_size( record_values->provider_name_value, utf8_string_size, 
error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve UTF-8 string size of provider name.", function ); return( -1 ); } result = 1; } return( result ); } /* Retrieves the UTF-8 encoded source name * The size should include the end of string character * Returns 1 if successful, 0 if not available or -1 on error */ int libevtx_record_values_get_utf8_source_name( libevtx_record_values_t *record_values, uint8_t *utf8_string, size_t utf8_string_size, libcerror_error_t **error ) { libfwevt_xml_tag_t *provider_name_xml_tag = NULL; libfwevt_xml_tag_t *root_xml_tag = NULL; libfwevt_xml_tag_t *system_xml_tag = NULL; static char *function = "libevtx_record_values_get_utf8_source_name"; int result = 0; if( record_values == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid record values.", function ); return( -1 ); } if( record_values->xml_document == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING, "%s: invalid record values - missing XML document.", function ); return( -1 ); } if( record_values->provider_xml_tag == NULL ) { if( libfwevt_xml_document_get_root_xml_tag( record_values->xml_document, &root_xml_tag, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve root XML element.", function ); return( -1 ); } result = libfwevt_xml_tag_get_element_by_utf8_name( root_xml_tag, (uint8_t *) "System", 6, &system_xml_tag, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve System XML element.", function ); return( -1 ); } else if( result == 0 ) { return( 0 ); } result = libfwevt_xml_tag_get_element_by_utf8_name( system_xml_tag, (uint8_t *) "Provider", 8, &( record_values->provider_xml_tag ), 
error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve Provider XML element.", function ); return( -1 ); } else if( result == 0 ) { return( 0 ); } } if( record_values->provider_name_value == NULL ) { result = libfwevt_xml_tag_get_attribute_by_utf8_name( record_values->provider_xml_tag, (uint8_t *) "EventSourceName", 15, &provider_name_xml_tag, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve EventSourceName XML attribute.", function ); return( -1 ); } else if( result == 0 ) { result = libfwevt_xml_tag_get_attribute_by_utf8_name( record_values->provider_xml_tag, (uint8_t *) "Name", 4, &provider_name_xml_tag, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve Name XML attribute.", function ); return( -1 ); } } if( result == 0 ) { return( 0 ); } if( libfwevt_xml_tag_get_value( provider_name_xml_tag, &( record_values->provider_name_value ), error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve provider name XML element value.", function ); return( -1 ); } } if( record_values->provider_name_value == NULL ) { result = 0; } else { if( libfwevt_xml_value_copy_to_utf8_string( record_values->provider_name_value, utf8_string, utf8_string_size, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_COPY_FAILED, "%s: unable to copy provider name to UTF-8 string.", function ); return( -1 ); } result = 1; } return( result ); } /* Retrieves the size of the UTF-16 encoded source name * The returned size includes the end of string character * Returns 1 if successful, 0 if not available or -1 on error */ int libevtx_record_values_get_utf16_source_name_size( 
libevtx_record_values_t *record_values, size_t *utf16_string_size, libcerror_error_t **error ) { libfwevt_xml_tag_t *provider_name_xml_tag = NULL; libfwevt_xml_tag_t *root_xml_tag = NULL; libfwevt_xml_tag_t *system_xml_tag = NULL; static char *function = "libevtx_record_values_get_utf16_source_name_size"; int result = 0; if( record_values == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid record values.", function ); return( -1 ); } if( record_values->xml_document == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING, "%s: invalid record values - missing XML document.", function ); return( -1 ); } if( record_values->provider_xml_tag == NULL ) { if( libfwevt_xml_document_get_root_xml_tag( record_values->xml_document, &root_xml_tag, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve root XML element.", function ); return( -1 ); } result = libfwevt_xml_tag_get_element_by_utf8_name( root_xml_tag, (uint8_t *) "System", 6, &system_xml_tag, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve System XML element.", function ); return( -1 ); } else if( result == 0 ) { return( 0 ); } result = libfwevt_xml_tag_get_element_by_utf8_name( system_xml_tag, (uint8_t *) "Provider", 8, &( record_values->provider_xml_tag ), error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve Provider XML element.", function ); return( -1 ); } else if( result == 0 ) { return( 0 ); } } if( record_values->provider_name_value == NULL ) { result = libfwevt_xml_tag_get_attribute_by_utf8_name( record_values->provider_xml_tag, (uint8_t *) "EventSourceName", 15, &provider_name_xml_tag, error ); if( result 
== -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve EventSourceName XML attribute.", function ); return( -1 ); } else if( result == 0 ) { result = libfwevt_xml_tag_get_attribute_by_utf8_name( record_values->provider_xml_tag, (uint8_t *) "Name", 4, &provider_name_xml_tag, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve Name XML attribute.", function ); return( -1 ); } } if( result == 0 ) { return( 0 ); } if( libfwevt_xml_tag_get_value( provider_name_xml_tag, &( record_values->provider_name_value ), error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve provider name XML element value.", function ); return( -1 ); } } if( record_values->provider_name_value == NULL ) { result = 0; } else { if( libfwevt_xml_value_get_utf16_string_size( record_values->provider_name_value, utf16_string_size, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve UTF-16 string size of provider name.", function ); return( -1 ); } result = 1; } return( result ); } /* Retrieves the UTF-16 encoded source name * The size should include the end of string character * Returns 1 if successful, 0 if not available or -1 on error */ int libevtx_record_values_get_utf16_source_name( libevtx_record_values_t *record_values, uint16_t *utf16_string, size_t utf16_string_size, libcerror_error_t **error ) { libfwevt_xml_tag_t *provider_name_xml_tag = NULL; libfwevt_xml_tag_t *root_xml_tag = NULL; libfwevt_xml_tag_t *system_xml_tag = NULL; static char *function = "libevtx_record_values_get_utf16_source_name"; int result = 0; if( record_values == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid record 
values.", function ); return( -1 ); } if( record_values->xml_document == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING, "%s: invalid record values - missing XML document.", function ); return( -1 ); } if( record_values->provider_xml_tag == NULL ) { if( libfwevt_xml_document_get_root_xml_tag( record_values->xml_document, &root_xml_tag, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve root XML element.", function ); return( -1 ); } result = libfwevt_xml_tag_get_element_by_utf8_name( root_xml_tag, (uint8_t *) "System", 6, &system_xml_tag, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve System XML element.", function ); return( -1 ); } else if( result == 0 ) { return( 0 ); } result = libfwevt_xml_tag_get_element_by_utf8_name( system_xml_tag, (uint8_t *) "Provider", 8, &( record_values->provider_xml_tag ), error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve Provider XML element.", function ); return( -1 ); } else if( result == 0 ) { return( 0 ); } } if( record_values->provider_name_value == NULL ) { result = libfwevt_xml_tag_get_attribute_by_utf8_name( record_values->provider_xml_tag, (uint8_t *) "EventSourceName", 15, &provider_name_xml_tag, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve EventSourceName XML attribute.", function ); return( -1 ); } else if( result == 0 ) { result = libfwevt_xml_tag_get_attribute_by_utf8_name( record_values->provider_xml_tag, (uint8_t *) "Name", 4, &provider_name_xml_tag, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, 
LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve Name XML attribute.", function ); return( -1 ); } } if( result == 0 ) { return( 0 ); } if( libfwevt_xml_tag_get_value( provider_name_xml_tag, &( record_values->provider_name_value ), error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve provider name XML element value.", function ); return( -1 ); } } if( record_values->provider_name_value == NULL ) { result = 0; } else { if( libfwevt_xml_value_copy_to_utf16_string( record_values->provider_name_value, utf16_string, utf16_string_size, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_COPY_FAILED, "%s: unable to copy provider name to UTF-16 string.", function ); return( -1 ); } result = 1; } return( result ); } /* Retrieves the size of the UTF-8 encoded channel name * The name is the value of the System/Channel XML element, looked up on first use and cached in record_values->channel_value * The returned size includes the end of string character * utf8_string_size is passed unchecked to libfwevt_xml_value_get_utf8_string_size and is not written by this function when it returns 0, so test the return value before using the size * Returns 1 if successful, 0 if not available or -1 on error */ int libevtx_record_values_get_utf8_channel_name_size( libevtx_record_values_t *record_values, size_t *utf8_string_size, libcerror_error_t **error ) { libfwevt_xml_tag_t *channel_xml_tag = NULL; libfwevt_xml_tag_t *root_xml_tag = NULL; libfwevt_xml_tag_t *system_xml_tag = NULL; static char *function = "libevtx_record_values_get_utf8_channel_name_size"; int result = 0; if( record_values == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid record values.", function ); return( -1 ); } if( record_values->xml_document == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING, "%s: invalid record values - missing XML document.", function ); return( -1 ); } if( record_values->channel_value == NULL ) { if( libfwevt_xml_document_get_root_xml_tag( record_values->xml_document, &root_xml_tag, error ) != 1 ) { libcerror_error_set( error, 
LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve root XML element.", function ); return( -1 ); } result = libfwevt_xml_tag_get_element_by_utf8_name( root_xml_tag, (uint8_t *) "System", 6, &system_xml_tag, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve System XML element.", function ); return( -1 ); } else if( result == 0 ) { return( 0 ); } result = libfwevt_xml_tag_get_element_by_utf8_name( system_xml_tag, (uint8_t *) "Channel", 7, &channel_xml_tag, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve Channel XML element.", function ); return( -1 ); } else if( result == 0 ) { return( 0 ); } if( libfwevt_xml_tag_get_value( channel_xml_tag, &( record_values->channel_value ), error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve Channel XML element value.", function ); return( -1 ); } } if( record_values->channel_value == NULL ) { result = 0; } else { if( libfwevt_xml_value_get_utf8_string_size( record_values->channel_value, utf8_string_size, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve UTF-8 string size of channel name.", function ); return( -1 ); } result = 1; } return( result ); } /* Retrieves the UTF-8 encoded channel name * The name is the value of the System/Channel XML element, looked up on first use and cached in record_values->channel_value * The size should include the end of string character * utf8_string and utf8_string_size are passed unchecked to libfwevt_xml_value_copy_to_utf8_string; NOTE(review): presumably that routine rejects a NULL or too small buffer - confirm, and size the buffer with libevtx_record_values_get_utf8_channel_name_size since the value comes from the parsed record * Returns 1 if successful, 0 if not available or -1 on error */ int libevtx_record_values_get_utf8_channel_name( libevtx_record_values_t *record_values, uint8_t *utf8_string, size_t utf8_string_size, libcerror_error_t **error ) { libfwevt_xml_tag_t *channel_xml_tag = NULL; libfwevt_xml_tag_t *root_xml_tag = NULL; libfwevt_xml_tag_t *system_xml_tag = NULL; static char *function = 
"libevtx_record_values_get_utf8_channel_name"; int result = 0; if( record_values == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid record values.", function ); return( -1 ); } if( record_values->xml_document == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING, "%s: invalid record values - missing XML document.", function ); return( -1 ); } if( record_values->channel_value == NULL ) { if( libfwevt_xml_document_get_root_xml_tag( record_values->xml_document, &root_xml_tag, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve root XML element.", function ); return( -1 ); } result = libfwevt_xml_tag_get_element_by_utf8_name( root_xml_tag, (uint8_t *) "System", 6, &system_xml_tag, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve System XML element.", function ); return( -1 ); } else if( result == 0 ) { return( 0 ); } result = libfwevt_xml_tag_get_element_by_utf8_name( system_xml_tag, (uint8_t *) "Channel", 7, &channel_xml_tag, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve Channel XML element.", function ); return( -1 ); } else if( result == 0 ) { return( 0 ); } if( libfwevt_xml_tag_get_value( channel_xml_tag, &( record_values->channel_value ), error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve Channel XML element value.", function ); return( -1 ); } } if( record_values->channel_value == NULL ) { result = 0; } else { if( libfwevt_xml_value_copy_to_utf8_string( record_values->channel_value, utf8_string, utf8_string_size, error ) != 1 ) { libcerror_error_set( error, 
LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_COPY_FAILED, "%s: unable to copy channel name to UTF-8 string.", function ); return( -1 ); } result = 1; } return( result ); } /* Retrieves the size of the UTF-16 encoded channel name * The name is the value of the System/Channel XML element, looked up on first use and cached in record_values->channel_value * The returned size includes the end of string character * utf16_string_size is passed unchecked to libfwevt_xml_value_get_utf16_string_size and is not written by this function when it returns 0, so test the return value before using the size * Returns 1 if successful, 0 if not available or -1 on error */ int libevtx_record_values_get_utf16_channel_name_size( libevtx_record_values_t *record_values, size_t *utf16_string_size, libcerror_error_t **error ) { libfwevt_xml_tag_t *channel_xml_tag = NULL; libfwevt_xml_tag_t *root_xml_tag = NULL; libfwevt_xml_tag_t *system_xml_tag = NULL; static char *function = "libevtx_record_values_get_utf16_channel_name_size"; int result = 0; if( record_values == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid record values.", function ); return( -1 ); } if( record_values->xml_document == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING, "%s: invalid record values - missing XML document.", function ); return( -1 ); } if( record_values->channel_value == NULL ) { if( libfwevt_xml_document_get_root_xml_tag( record_values->xml_document, &root_xml_tag, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve root XML element.", function ); return( -1 ); } result = libfwevt_xml_tag_get_element_by_utf8_name( root_xml_tag, (uint8_t *) "System", 6, &system_xml_tag, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve System XML element.", function ); return( -1 ); } else if( result == 0 ) { return( 0 ); } result = libfwevt_xml_tag_get_element_by_utf8_name( system_xml_tag, (uint8_t *) "Channel", 7, &channel_xml_tag, error ); if( result == -1 ) { libcerror_error_set( error, 
LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve Channel XML element.", function ); return( -1 ); } else if( result == 0 ) { return( 0 ); } if( libfwevt_xml_tag_get_value( channel_xml_tag, &( record_values->channel_value ), error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve Channel XML element value.", function ); return( -1 ); } } if( record_values->channel_value == NULL ) { result = 0; } else { if( libfwevt_xml_value_get_utf16_string_size( record_values->channel_value, utf16_string_size, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve UTF-16 string size of channel name.", function ); return( -1 ); } result = 1; } return( result ); } /* Retrieves the UTF-16 encoded channel name * The name is the value of the System/Channel XML element, looked up on first use and cached in record_values->channel_value * The size should include the end of string character * utf16_string and utf16_string_size are passed unchecked to libfwevt_xml_value_copy_to_utf16_string; NOTE(review): presumably that routine rejects a NULL or too small buffer - confirm, and size the buffer with libevtx_record_values_get_utf16_channel_name_size since the value comes from the parsed record * Returns 1 if successful, 0 if not available or -1 on error */ int libevtx_record_values_get_utf16_channel_name( libevtx_record_values_t *record_values, uint16_t *utf16_string, size_t utf16_string_size, libcerror_error_t **error ) { libfwevt_xml_tag_t *channel_xml_tag = NULL; libfwevt_xml_tag_t *root_xml_tag = NULL; libfwevt_xml_tag_t *system_xml_tag = NULL; static char *function = "libevtx_record_values_get_utf16_channel_name"; int result = 0; if( record_values == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid record values.", function ); return( -1 ); } if( record_values->xml_document == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING, "%s: invalid record values - missing XML document.", function ); return( -1 ); } if( record_values->channel_value == NULL ) { if( libfwevt_xml_document_get_root_xml_tag( record_values->xml_document, &root_xml_tag, error ) != 1 ) { libcerror_error_set( 
error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve root XML element.", function ); return( -1 ); } result = libfwevt_xml_tag_get_element_by_utf8_name( root_xml_tag, (uint8_t *) "System", 6, &system_xml_tag, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve System XML element.", function ); return( -1 ); } else if( result == 0 ) { return( 0 ); } result = libfwevt_xml_tag_get_element_by_utf8_name( system_xml_tag, (uint8_t *) "Channel", 7, &channel_xml_tag, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve Channel XML element.", function ); return( -1 ); } else if( result == 0 ) { return( 0 ); } if( libfwevt_xml_tag_get_value( channel_xml_tag, &( record_values->channel_value ), error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve Channel XML element value.", function ); return( -1 ); } } if( record_values->channel_value == NULL ) { result = 0; } else { if( libfwevt_xml_value_copy_to_utf16_string( record_values->channel_value, utf16_string, utf16_string_size, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_COPY_FAILED, "%s: unable to copy channel name to UTF-16 string.", function ); return( -1 ); } result = 1; } return( result ); } /* Retrieves the size of the UTF-8 encoded computer name * The name is the value of the System/Computer XML element, looked up on first use and cached in record_values->computer_value * The returned size includes the end of string character * utf8_string_size is passed unchecked to libfwevt_xml_value_get_utf8_string_size and is not written by this function when it returns 0, so test the return value before using the size * Returns 1 if successful, 0 if not available or -1 on error */ int libevtx_record_values_get_utf8_computer_name_size( libevtx_record_values_t *record_values, size_t *utf8_string_size, libcerror_error_t **error ) { libfwevt_xml_tag_t *computer_xml_tag = NULL; libfwevt_xml_tag_t *root_xml_tag = NULL; libfwevt_xml_tag_t *system_xml_tag = NULL; static 
char *function = "libevtx_record_values_get_utf8_computer_name_size"; int result = 0; if( record_values == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid record values.", function ); return( -1 ); } if( record_values->xml_document == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING, "%s: invalid record values - missing XML document.", function ); return( -1 ); } if( record_values->computer_value == NULL ) { if( libfwevt_xml_document_get_root_xml_tag( record_values->xml_document, &root_xml_tag, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve root XML element.", function ); return( -1 ); } result = libfwevt_xml_tag_get_element_by_utf8_name( root_xml_tag, (uint8_t *) "System", 6, &system_xml_tag, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve System XML element.", function ); return( -1 ); } else if( result == 0 ) { return( 0 ); } result = libfwevt_xml_tag_get_element_by_utf8_name( system_xml_tag, (uint8_t *) "Computer", 8, &computer_xml_tag, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve Computer XML element.", function ); return( -1 ); } else if( result == 0 ) { return( 0 ); } if( libfwevt_xml_tag_get_value( computer_xml_tag, &( record_values->computer_value ), error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve Computer XML element value.", function ); return( -1 ); } } if( record_values->computer_value == NULL ) { result = 0; } else { if( libfwevt_xml_value_get_utf8_string_size( record_values->computer_value, utf8_string_size, error ) != 1 ) { 
libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve UTF-8 string size of computer name.", function ); return( -1 ); } result = 1; } return( result ); } /* Retrieves the UTF-8 encoded computer name * The name is the value of the System/Computer XML element, looked up on first use and cached in record_values->computer_value * The size should include the end of string character * utf8_string and utf8_string_size are passed unchecked to libfwevt_xml_value_copy_to_utf8_string; NOTE(review): presumably that routine rejects a NULL or too small buffer - confirm, and size the buffer with libevtx_record_values_get_utf8_computer_name_size since the value comes from the parsed record * Returns 1 if successful, 0 if not available or -1 on error */ int libevtx_record_values_get_utf8_computer_name( libevtx_record_values_t *record_values, uint8_t *utf8_string, size_t utf8_string_size, libcerror_error_t **error ) { libfwevt_xml_tag_t *computer_xml_tag = NULL; libfwevt_xml_tag_t *root_xml_tag = NULL; libfwevt_xml_tag_t *system_xml_tag = NULL; static char *function = "libevtx_record_values_get_utf8_computer_name"; int result = 0; if( record_values == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid record values.", function ); return( -1 ); } if( record_values->xml_document == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING, "%s: invalid record values - missing XML document.", function ); return( -1 ); } if( record_values->computer_value == NULL ) { if( libfwevt_xml_document_get_root_xml_tag( record_values->xml_document, &root_xml_tag, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve root XML element.", function ); return( -1 ); } result = libfwevt_xml_tag_get_element_by_utf8_name( root_xml_tag, (uint8_t *) "System", 6, &system_xml_tag, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve System XML element.", function ); return( -1 ); } else if( result == 0 ) { return( 0 ); } result = libfwevt_xml_tag_get_element_by_utf8_name( system_xml_tag, (uint8_t *) "Computer", 8, &computer_xml_tag, error ); if( result == -1 ) { 
libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve Computer XML element.", function ); return( -1 ); } else if( result == 0 ) { return( 0 ); } if( libfwevt_xml_tag_get_value( computer_xml_tag, &( record_values->computer_value ), error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve Computer XML element value.", function ); return( -1 ); } } if( record_values->computer_value == NULL ) { result = 0; } else { if( libfwevt_xml_value_copy_to_utf8_string( record_values->computer_value, utf8_string, utf8_string_size, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_COPY_FAILED, "%s: unable to copy computer name to UTF-8 string.", function ); return( -1 ); } result = 1; } return( result ); } /* Retrieves the size of the UTF-16 encoded computer name * The name is the value of the System/Computer XML element, looked up on first use and cached in record_values->computer_value * The returned size includes the end of string character * utf16_string_size is passed unchecked to libfwevt_xml_value_get_utf16_string_size and is not written by this function when it returns 0, so test the return value before using the size * Returns 1 if successful, 0 if not available or -1 on error */ int libevtx_record_values_get_utf16_computer_name_size( libevtx_record_values_t *record_values, size_t *utf16_string_size, libcerror_error_t **error ) { libfwevt_xml_tag_t *computer_xml_tag = NULL; libfwevt_xml_tag_t *root_xml_tag = NULL; libfwevt_xml_tag_t *system_xml_tag = NULL; static char *function = "libevtx_record_values_get_utf16_computer_name_size"; int result = 0; if( record_values == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid record values.", function ); return( -1 ); } if( record_values->xml_document == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING, "%s: invalid record values - missing XML document.", function ); return( -1 ); } if( record_values->computer_value == NULL ) { if( libfwevt_xml_document_get_root_xml_tag( record_values->xml_document, &root_xml_tag, 
error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve root XML element.", function ); return( -1 ); } result = libfwevt_xml_tag_get_element_by_utf8_name( root_xml_tag, (uint8_t *) "System", 6, &system_xml_tag, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve System XML element.", function ); return( -1 ); } else if( result == 0 ) { return( 0 ); } result = libfwevt_xml_tag_get_element_by_utf8_name( system_xml_tag, (uint8_t *) "Computer", 8, &computer_xml_tag, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve Computer XML element.", function ); return( -1 ); } else if( result == 0 ) { return( 0 ); } if( libfwevt_xml_tag_get_value( computer_xml_tag, &( record_values->computer_value ), error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve Computer XML element value.", function ); return( -1 ); } } if( record_values->computer_value == NULL ) { result = 0; } else { if( libfwevt_xml_value_get_utf16_string_size( record_values->computer_value, utf16_string_size, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve UTF-16 string size of computer name.", function ); return( -1 ); } result = 1; } return( result ); } /* Retrieves the UTF-16 encoded computer name * The name is the value of the System/Computer XML element, looked up on first use and cached in record_values->computer_value * The size should include the end of string character * utf16_string and utf16_string_size are passed unchecked to libfwevt_xml_value_copy_to_utf16_string; NOTE(review): presumably that routine rejects a NULL or too small buffer - confirm, and size the buffer with libevtx_record_values_get_utf16_computer_name_size since the value comes from the parsed record * Returns 1 if successful, 0 if not available or -1 on error */ int libevtx_record_values_get_utf16_computer_name( libevtx_record_values_t *record_values, uint16_t *utf16_string, size_t utf16_string_size, libcerror_error_t **error ) { libfwevt_xml_tag_t *computer_xml_tag = NULL; libfwevt_xml_tag_t *root_xml_tag = NULL; 
libfwevt_xml_tag_t *system_xml_tag = NULL; static char *function = "libevtx_record_values_get_utf16_computer_name"; int result = 0; if( record_values == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid record values.", function ); return( -1 ); } if( record_values->xml_document == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING, "%s: invalid record values - missing XML document.", function ); return( -1 ); } if( record_values->computer_value == NULL ) { if( libfwevt_xml_document_get_root_xml_tag( record_values->xml_document, &root_xml_tag, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve root XML element.", function ); return( -1 ); } result = libfwevt_xml_tag_get_element_by_utf8_name( root_xml_tag, (uint8_t *) "System", 6, &system_xml_tag, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve System XML element.", function ); return( -1 ); } else if( result == 0 ) { return( 0 ); } result = libfwevt_xml_tag_get_element_by_utf8_name( system_xml_tag, (uint8_t *) "Computer", 8, &computer_xml_tag, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve Computer XML element.", function ); return( -1 ); } else if( result == 0 ) { return( 0 ); } if( libfwevt_xml_tag_get_value( computer_xml_tag, &( record_values->computer_value ), error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve Computer XML element value.", function ); return( -1 ); } } if( record_values->computer_value == NULL ) { result = 0; } else { if( libfwevt_xml_value_copy_to_utf16_string( record_values->computer_value, 
utf16_string, utf16_string_size, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_COPY_FAILED, "%s: unable to copy computer name to UTF-16 string.", function ); return( -1 ); } result = 1; } return( result ); } /* Retrieves the size of the UTF-8 encoded user security identifier * The identifier is the value of the UserID attribute of the System/Security XML element, looked up on first use and cached in record_values->user_security_identifier_value * The returned size includes the end of string character * utf8_string_size is passed unchecked to libfwevt_xml_value_get_utf8_string_size and is not written by this function when it returns 0, so test the return value before using the size * Returns 1 if successful, 0 if not available or -1 on error */ int libevtx_record_values_get_utf8_user_security_identifier_size( libevtx_record_values_t *record_values, size_t *utf8_string_size, libcerror_error_t **error ) { libfwevt_xml_tag_t *root_xml_tag = NULL; libfwevt_xml_tag_t *security_xml_tag = NULL; libfwevt_xml_tag_t *system_xml_tag = NULL; libfwevt_xml_tag_t *user_id_xml_tag = NULL; static char *function = "libevtx_record_values_get_utf8_user_security_identifier_size"; int result = 0; if( record_values == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid record values.", function ); return( -1 ); } if( record_values->xml_document == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING, "%s: invalid record values - missing XML document.", function ); return( -1 ); } if( record_values->user_security_identifier_value == NULL ) { if( libfwevt_xml_document_get_root_xml_tag( record_values->xml_document, &root_xml_tag, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve root XML element.", function ); return( -1 ); } result = libfwevt_xml_tag_get_element_by_utf8_name( root_xml_tag, (uint8_t *) "System", 6, &system_xml_tag, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve System XML element.", function ); return( -1 ); } else if( result == 0 ) { return( 0 ); } result = 
libfwevt_xml_tag_get_element_by_utf8_name( system_xml_tag, (uint8_t *) "Security", 8, &security_xml_tag, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve Security XML element.", function ); return( -1 ); } else if( result == 0 ) { return( 0 ); } result = libfwevt_xml_tag_get_attribute_by_utf8_name( security_xml_tag, (uint8_t *) "UserID", 6, &user_id_xml_tag, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve UserID XML attribute.", function ); return( -1 ); } else if( result == 0 ) { return( 0 ); } if( libfwevt_xml_tag_get_value( user_id_xml_tag, &( record_values->user_security_identifier_value ), error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve user identifier XML element value.", function ); return( -1 ); } } if( record_values->user_security_identifier_value == NULL ) { result = 0; } else { if( libfwevt_xml_value_get_utf8_string_size( record_values->user_security_identifier_value, utf8_string_size, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve UTF-8 string size of user security identifier.", function ); return( -1 ); } result = 1; } return( result ); } /* Retrieves the UTF-8 encoded user security identifier * The identifier is the value of the UserID attribute of the System/Security XML element, looked up on first use and cached in record_values->user_security_identifier_value * The size should include the end of string character * utf8_string and utf8_string_size are passed unchecked to libfwevt_xml_value_copy_to_utf8_string; NOTE(review): presumably that routine rejects a NULL or too small buffer - confirm, and size the buffer with libevtx_record_values_get_utf8_user_security_identifier_size since the value comes from the parsed record * Returns 1 if successful, 0 if not available or -1 on error */ int libevtx_record_values_get_utf8_user_security_identifier( libevtx_record_values_t *record_values, uint8_t *utf8_string, size_t utf8_string_size, libcerror_error_t **error ) { libfwevt_xml_tag_t *root_xml_tag = NULL; libfwevt_xml_tag_t *security_xml_tag = NULL; libfwevt_xml_tag_t *system_xml_tag = NULL; libfwevt_xml_tag_t *user_id_xml_tag = NULL; static char *function = 
"libevtx_record_values_get_utf8_user_security_identifier"; int result = 0; if( record_values == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid record values.", function ); return( -1 ); } if( record_values->xml_document == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING, "%s: invalid record values - missing XML document.", function ); return( -1 ); } if( record_values->user_security_identifier_value == NULL ) { if( libfwevt_xml_document_get_root_xml_tag( record_values->xml_document, &root_xml_tag, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve root XML element.", function ); return( -1 ); } result = libfwevt_xml_tag_get_element_by_utf8_name( root_xml_tag, (uint8_t *) "System", 6, &system_xml_tag, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve System XML element.", function ); return( -1 ); } else if( result == 0 ) { return( 0 ); } result = libfwevt_xml_tag_get_element_by_utf8_name( system_xml_tag, (uint8_t *) "Security", 8, &security_xml_tag, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve Security XML element.", function ); return( -1 ); } else if( result == 0 ) { return( 0 ); } result = libfwevt_xml_tag_get_attribute_by_utf8_name( security_xml_tag, (uint8_t *) "UserID", 6, &user_id_xml_tag, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve UserID XML attribute.", function ); return( -1 ); } else if( result == 0 ) { return( 0 ); } if( libfwevt_xml_tag_get_value( user_id_xml_tag, &( record_values->user_security_identifier_value ), error ) != 1 
) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve user identifier XML element value.", function ); return( -1 ); } } if( record_values->user_security_identifier_value == NULL ) { result = 0; } else { if( libfwevt_xml_value_copy_to_utf8_string( record_values->user_security_identifier_value, utf8_string, utf8_string_size, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_COPY_FAILED, "%s: unable to copy user security identifier to UTF-8 string.", function ); return( -1 ); } result = 1; } return( result ); } /* Retrieves the size of the UTF-16 encoded user security identifier * The identifier is the value of the UserID attribute of the System/Security XML element, looked up on first use and cached in record_values->user_security_identifier_value * The returned size includes the end of string character * utf16_string_size is passed unchecked to libfwevt_xml_value_get_utf16_string_size and is not written by this function when it returns 0, so test the return value before using the size * Returns 1 if successful, 0 if not available or -1 on error */ int libevtx_record_values_get_utf16_user_security_identifier_size( libevtx_record_values_t *record_values, size_t *utf16_string_size, libcerror_error_t **error ) { libfwevt_xml_tag_t *root_xml_tag = NULL; libfwevt_xml_tag_t *security_xml_tag = NULL; libfwevt_xml_tag_t *system_xml_tag = NULL; libfwevt_xml_tag_t *user_id_xml_tag = NULL; static char *function = "libevtx_record_values_get_utf16_user_security_identifier_size"; int result = 0; if( record_values == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid record values.", function ); return( -1 ); } if( record_values->xml_document == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING, "%s: invalid record values - missing XML document.", function ); return( -1 ); } if( record_values->user_security_identifier_value == NULL ) { if( libfwevt_xml_document_get_root_xml_tag( record_values->xml_document, &root_xml_tag, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve root XML element.", function 
); return( -1 ); } result = libfwevt_xml_tag_get_element_by_utf8_name( root_xml_tag, (uint8_t *) "System", 6, &system_xml_tag, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve System XML element.", function ); return( -1 ); } else if( result == 0 ) { return( 0 ); } result = libfwevt_xml_tag_get_element_by_utf8_name( system_xml_tag, (uint8_t *) "Security", 8, &security_xml_tag, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve Security XML element.", function ); return( -1 ); } else if( result == 0 ) { return( 0 ); } result = libfwevt_xml_tag_get_attribute_by_utf8_name( security_xml_tag, (uint8_t *) "UserID", 6, &user_id_xml_tag, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve UserID XML attribute.", function ); return( -1 ); } else if( result == 0 ) { return( 0 ); } if( libfwevt_xml_tag_get_value( user_id_xml_tag, &( record_values->user_security_identifier_value ), error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve user identifier XML element value.", function ); return( -1 ); } } if( record_values->user_security_identifier_value == NULL ) { result = 0; } else { if( libfwevt_xml_value_get_utf16_string_size( record_values->user_security_identifier_value, utf16_string_size, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve UTF-16 string size of user security identifier.", function ); return( -1 ); } result = 1; } return( result ); } /* Retrieves the UTF-16 encoded user security identifier * The size should include the end of string character * Returns 1 if successful, 0 if not available or -1 on 
error */
/* The value is looked up as the UserID attribute of the Security element inside
 * the System element below the document root and cached in
 * record_values->user_security_identifier_value on first use.
 *
 * NOTE(review): the check of utf16_string against utf16_string_size is left to
 * libfwevt_xml_value_copy_to_utf16_string, which is not visible here; size the
 * buffer with the matching _size function and confirm the callee rejects a
 * too small buffer.
 */
int libevtx_record_values_get_utf16_user_security_identifier(
     libevtx_record_values_t *record_values,
     uint16_t *utf16_string,
     size_t utf16_string_size,
     libcerror_error_t **error )
{
	libfwevt_xml_tag_t *root_xml_tag     = NULL;
	libfwevt_xml_tag_t *security_xml_tag = NULL;
	libfwevt_xml_tag_t *system_xml_tag   = NULL;
	libfwevt_xml_tag_t *user_id_xml_tag  = NULL;
	static char *function                = "libevtx_record_values_get_utf16_user_security_identifier";
	int result                           = 0;

	if( record_values == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record values.", function );
		return( -1 );
	}
	if( record_values->xml_document == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
		 "%s: invalid record values - missing XML document.", function );
		return( -1 );
	}
	/* Only walk the XML tree when the value has not been cached yet */
	if( record_values->user_security_identifier_value == NULL )
	{
		if( libfwevt_xml_document_get_root_xml_tag( record_values->xml_document, &root_xml_tag, error ) != 1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve root XML element.", function );
			return( -1 );
		}
		/* A missing element or attribute (result 0) means "not available", not an error */
		result = libfwevt_xml_tag_get_element_by_utf8_name( root_xml_tag, (uint8_t *) "System", 6, &system_xml_tag, error );

		if( result == -1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve System XML element.", function );
			return( -1 );
		}
		else if( result == 0 )
		{
			return( 0 );
		}
		result = libfwevt_xml_tag_get_element_by_utf8_name( system_xml_tag, (uint8_t *) "Security", 8, &security_xml_tag, error );

		if( result == -1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve Security XML element.", function );
			return( -1 );
		}
		else if( result == 0 )
		{
			return( 0 );
		}
		result = libfwevt_xml_tag_get_attribute_by_utf8_name( security_xml_tag, (uint8_t *) "UserID", 6, &user_id_xml_tag, error );

		if( result == -1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve UserID XML attribute.", function );
			return( -1 );
		}
		else if( result == 0 )
		{
			return( 0 );
		}
		if( libfwevt_xml_tag_get_value( user_id_xml_tag, &( record_values->user_security_identifier_value ), error ) != 1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve user identifier XML element value.", function );
			return( -1 );
		}
	}
	/* The value can still be NULL after a successful lookup, which is reported as 0 */
	if( record_values->user_security_identifier_value == NULL )
	{
		result = 0;
	}
	else
	{
		if( libfwevt_xml_value_copy_to_utf16_string( record_values->user_security_identifier_value, utf16_string, utf16_string_size, error ) != 1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_COPY_FAILED,
			 "%s: unable to copy user security identifier to UTF-16 string.", function );
			return( -1 );
		}
		result = 1;
	}
	return( result );
}

/* Parses a data XML tag for the record values using the template
 *
 * Walks data_xml_tag and, when template_xml_tag is not NULL, the template tag
 * in lockstep: the number of attributes, the number of elements and the UTF-8
 * name must match, otherwise 0 is returned. A tag without sub elements whose
 * flags equal LIBFWEVT_XML_TAG_FLAG_IS_TEMPLATE_DEFINITION is appended to
 * strings_array, with the template tag appended to string_identifiers_array.
 * The arrays store the tag pointers themselves, not copies.
 *
 * NOTE(review): the recursion depth follows the nesting of the parsed XML and
 * no depth limit is visible in this function. Event log files are commonly
 * handled as untrusted input, so confirm that the XML document reader bounds
 * the nesting depth before this function is reached.
 *
 * Returns 1 if successful, 0 if data could not be parsed or -1 on error
 */
int libevtx_record_values_parse_data_xml_tag_by_template(
     libevtx_record_values_t *record_values,
     libfwevt_xml_tag_t *data_xml_tag,
     libfwevt_xml_tag_t *template_xml_tag,
     libcerror_error_t **error )
{
	libfwevt_xml_tag_t *sub_data_xml_tag     = NULL;
	libfwevt_xml_tag_t *sub_template_xml_tag = NULL;
	uint8_t *data_name                       = NULL;
	uint8_t *template_name                   = NULL;
	static char *function                    = "libevtx_record_values_parse_data_xml_tag_by_template";
	size_t data_name_size                    = 0;
	size_t template_name_size                = 0;
	uint8_t template_xml_tag_flags           = 0;
	int attribute_index                      = 0;
	int entry_index                          = 0;
	int sub_element_index                    = 0;
	int number_of_data_attributes            = 0;
	int number_of_data_elements              = 0;
	int number_of_template_attributes        = 0;
	int number_of_template_elements          = 0;
	int result                               = 0;

	if( record_values == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record values.", function );
		return( -1 );
	}
	/* data_xml_tag is not checked for NULL here; it is passed straight to libfwevt */
	if( libfwevt_xml_tag_get_number_of_attributes( data_xml_tag, &number_of_data_attributes, error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve number of data attributes.", function );
		goto on_error;
	}
	if( template_xml_tag != NULL )
	{
		if( libfwevt_xml_tag_get_number_of_attributes( template_xml_tag, &number_of_template_attributes, error ) != 1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve number of template attributes.", function );
			goto on_error;
		}
		/* Equal counts are what make the shared index in the loops below valid for both tags */
		if( number_of_data_attributes != number_of_template_attributes )
		{
			return( 0 );
		}
	}
	if( libfwevt_xml_tag_get_number_of_elements( data_xml_tag, &number_of_data_elements, error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve number of data elements.", function );
		goto on_error;
	}
	if( template_xml_tag != NULL )
	{
		if( libfwevt_xml_tag_get_number_of_elements( template_xml_tag, &number_of_template_elements, error ) != 1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve number of template elements.", function );
			goto on_error;
		}
		if( number_of_data_elements != number_of_template_elements )
		{
			return( 0 );
		}
	}
	if( template_xml_tag != NULL )
	{
		if( libfwevt_xml_tag_get_utf8_name_size( data_xml_tag, &data_name_size, error ) != 1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve data element name size.", function );
			goto on_error;
		}
		if( libfwevt_xml_tag_get_utf8_name_size( template_xml_tag, &template_name_size, error ) != 1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve template element name size.", function );
			goto on_error;
		}
		if( data_name_size != template_name_size )
		{
			return( 0 );
		}
		/* Both sizes are equal at this point, so this single bounds check
		 * covers the two allocations that follow
		 */
		if( ( data_name_size == 0 )
		 || ( data_name_size > (size_t) MEMORY_MAXIMUM_ALLOCATION_SIZE ) )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS,
			 "%s: invalid data name size value out of bounds.", function );
			goto on_error;
		}
		data_name = (uint8_t *) memory_allocate( sizeof( uint8_t ) * data_name_size );

		if( data_name == NULL )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_INSUFFICIENT,
			 "%s: unable to create data name.", function );
			goto on_error;
		}
		template_name = (uint8_t *) memory_allocate( sizeof( uint8_t ) * template_name_size );

		if( template_name == NULL )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_INSUFFICIENT,
			 "%s: unable to create template name.", function );
			goto on_error;
		}
		if( libfwevt_xml_tag_get_utf8_name( data_xml_tag, data_name, data_name_size, error ) != 1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve data element name.", function );
			goto on_error;
		}
		if( libfwevt_xml_tag_get_utf8_name( template_xml_tag, template_name, template_name_size, error ) != 1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve template element name.", function );
			goto on_error;
		}
		result = memory_compare( data_name, template_name, sizeof( uint8_t ) * template_name_size );

		/* Release and reset both buffers before any return, so on_error cannot free them twice */
		memory_free( template_name );
		template_name = NULL;

		memory_free( data_name );
		data_name = NULL;

		if( result != 0 )
		{
			return( 0 );
		}
	}
	for( attribute_index = 0; attribute_index < number_of_data_attributes; attribute_index++ )
	{
		if( libfwevt_xml_tag_get_attribute_by_index( data_xml_tag, attribute_index, &sub_data_xml_tag, error ) != 1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve data attribute: %d.", function, attribute_index );
			goto on_error;
		}
		/* Without a template sub_template_xml_tag keeps its initial NULL value */
		if( template_xml_tag != NULL )
		{
			if( libfwevt_xml_tag_get_attribute_by_index( template_xml_tag, attribute_index, &sub_template_xml_tag, error ) != 1 )
			{
				libcerror_error_set(
				 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
				 "%s: unable to retrieve template attribute: %d.", function, attribute_index );
				goto on_error;
			}
		}
		/* Only -1 aborts; a 0 (mismatch) from the sub tag is not propagated to the caller */
		result = libevtx_record_values_parse_data_xml_tag_by_template( record_values, sub_data_xml_tag, sub_template_xml_tag, error );

		if( result == -1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to parse event data attribute: %d XML tag.", function, attribute_index );
			goto on_error;
		}
	}
	if( number_of_data_elements == 0 )
	{
		/* The flags come from the template tag when there is one, else from the data tag */
		if( template_xml_tag != NULL )
		{
			if( libfwevt_xml_tag_get_flags( template_xml_tag, &template_xml_tag_flags, error ) != 1 )
			{
				libcerror_error_set(
				 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
				 "%s: unable to retrieve template XML tag flags.", function );
				goto on_error;
			}
		}
		else
		{
			if( libfwevt_xml_tag_get_flags( data_xml_tag, &template_xml_tag_flags, error ) != 1 )
			{
				libcerror_error_set(
				 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
				 "%s: unable to retrieve element XML tag flags.", function );
				goto on_error;
			}
		}
		/* Exact equality, not a bit test: a tag with any other flag bit set is skipped */
		if( template_xml_tag_flags == LIBFWEVT_XML_TAG_FLAG_IS_TEMPLATE_DEFINITION )
		{
			/* When template_xml_tag is NULL this appends a NULL entry, which keeps
			 * the two arrays index-aligned
			 */
			if( libcdata_array_append_entry( record_values->string_identifiers_array, &entry_index, (intptr_t *) template_xml_tag, error ) != 1 )
			{
				libcerror_error_set(
				 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_APPEND_FAILED,
				 "%s: unable to append template XML tag to string identifiers array.", function );
				goto on_error;
			}
			if( libcdata_array_append_entry( record_values->strings_array, &entry_index, (intptr_t *) data_xml_tag, error ) != 1 )
			{
				libcerror_error_set(
				 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_APPEND_FAILED,
				 "%s: unable to append data XML tag to strings array.", function );
				goto on_error;
			}
		}
	}
	/* The loop is the else branch of the if above: it runs only for tags with sub elements */
	else for( sub_element_index = 0; sub_element_index < number_of_data_elements; sub_element_index++ )
	{
		if( libfwevt_xml_tag_get_element_by_index( data_xml_tag, sub_element_index, &sub_data_xml_tag, error ) != 1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve data sub element: %d.", function, sub_element_index );
			goto on_error;
		}
		if( template_xml_tag != NULL )
		{
			if( libfwevt_xml_tag_get_element_by_index( template_xml_tag, sub_element_index, &sub_template_xml_tag, error ) != 1 )
			{
				libcerror_error_set(
				 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
				 "%s: unable to retrieve template sub element: %d.", function, sub_element_index );
				goto on_error;
			}
		}
		/* As for attributes, a 0 from the sub element is ignored and the walk continues */
		result = libevtx_record_values_parse_data_xml_tag_by_template( record_values, sub_data_xml_tag, sub_template_xml_tag, error );

		if( result == -1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to parse event data sub element: %d XML tag.", function, sub_element_index );
			goto on_error;
		}
	}
	return( 1 );

on_error:
	/* Entries already appended to the arrays are left in place; the caller cleans those up */
	if( template_name != NULL )
	{
		memory_free( template_name );
	}
	if( data_name != NULL )
	{
		memory_free( data_name );
	}
	return( -1 );
}

/* Parses the record values data
 *
 * Creates string_identifiers_array and strings_array and fills them from the
 * EventData element, else the ProcessingErrorData element, else the single
 * sub element of the UserData element of the record XML document. When
 * internal_template_definition is not NULL its XML document is read on demand
 * and its root tag is used as the template.
 *
 * record_values->xml_document is not checked for NULL here; the callers
 * visible in this file check it before calling.
 *
 * NOTE(review): data_parsed is set to 1 also when 0 is returned, while the
 * callers visible in this file treat any result other than 1 as an error. For
 * a record without one of the elements above the first getter call therefore
 * fails and a repeated call skips parsing and continues with empty arrays -
 * confirm this is intended.
 *
 * Returns 1 if successful, 0 if data could not be parsed or -1 on error
 */
int libevtx_record_values_parse_data(
     libevtx_record_values_t *record_values,
     libevtx_io_handle_t *io_handle,
     libevtx_internal_template_definition_t *internal_template_definition,
     libcerror_error_t **error )
{
	libfwevt_xml_tag_t *element_xml_tag       = NULL;
	libfwevt_xml_tag_t *event_data_xml_tag    = NULL;
	libfwevt_xml_tag_t *root_xml_tag          = NULL;
	libfwevt_xml_tag_t *template_root_xml_tag = NULL;
	libfwevt_xml_tag_t *user_data_xml_tag     = NULL;
	static char *function                     = "libevtx_record_values_parse_data";
	int number_of_elements                    = 0;
	int result                                = 0;

	if( record_values == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record values.", function );
		return( -1 );
	}
	/* These three checks return directly instead of using on_error, so arrays
	 * that already exist are not freed by a repeated call
	 */
	if( record_values->data_parsed != 0 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET,
		 "%s: invalid record values - data already parsed.", function );
		return( -1 );
	}
	if( record_values->string_identifiers_array != NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET,
		 "%s: invalid record values - string identifiers array value already set.", function );
		return( -1 );
	}
	if( record_values->strings_array != NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET,
		 "%s: invalid record values - strings array value already set.", function );
		return( -1 );
	}
	if( libcdata_array_initialize( &( record_values->string_identifiers_array ), 0, error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
		 "%s: unable to create string identifiers array.", function );
		goto on_error;
	}
	if( libcdata_array_initialize( &( record_values->strings_array ), 0, error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
		 "%s: unable to create strings array.", function );
		goto on_error;
	}
	if( internal_template_definition != NULL )
	{
		/* The template definition is read lazily, on the first record that needs it */
		if( internal_template_definition->xml_document == NULL )
		{
			if( libevtx_template_definition_read( internal_template_definition, io_handle, error ) != 1 )
			{
				libcerror_error_set(
				 error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_READ_FAILED,
				 "%s: unable to read template definition.", function );
				goto on_error;
			}
		}
		if( libfwevt_xml_document_get_root_xml_tag( internal_template_definition->xml_document, &template_root_xml_tag, error ) != 1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve template root XML element.", function );
			goto on_error;
		}
	}
	if( libfwevt_xml_document_get_root_xml_tag( record_values->xml_document, &root_xml_tag, error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve root XML element.", function );
		goto on_error;
	}
	result = libfwevt_xml_tag_get_element_by_utf8_name( root_xml_tag, (uint8_t *) "EventData", 9, &event_data_xml_tag, error );

	if( result == -1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve EventData XML element.", function );
		goto on_error;
	}
	else if( result == 0 )
	{
		/* No EventData: fall back to ProcessingErrorData, stored in the same variable */
		result = libfwevt_xml_tag_get_element_by_utf8_name( root_xml_tag, (uint8_t *) "ProcessingErrorData", 19, &event_data_xml_tag, error );

		if( result == -1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve ProcessingErrorData XML element.", function );
			goto on_error;
		}
	}
	if( result != 0 )
	{
		/* The EventData templates start with the EventData or ProcessingErrorData
		 */
		result = libevtx_record_values_parse_data_xml_tag_by_template( record_values, event_data_xml_tag, template_root_xml_tag, error );

		if( result == -1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to parse event data root element.", function );
			goto on_error;
		}
	}
	else
	{
		result = libfwevt_xml_tag_get_element_by_utf8_name( root_xml_tag, (uint8_t *) "UserData", 8, &user_data_xml_tag, error );

		if( result == -1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve UserData XML element.", function );
			goto on_error;
		}
		else if( result != 0 )
		{
			/* Reset so that UserData without exactly one sub element is reported as 0 */
			result = 0;

			/* The UserData templates start with the EventXML tag
			 */
			if( libfwevt_xml_tag_get_number_of_elements( user_data_xml_tag, &number_of_elements, error ) != 1 )
			{
				libcerror_error_set(
				 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
				 "%s: unable to retrieve number of user data elements.", function );
				goto on_error;
			}
			if( number_of_elements == 1 )
			{
				if( libfwevt_xml_tag_get_element_by_index( user_data_xml_tag, 0, &element_xml_tag, error ) != 1 )
				{
					libcerror_error_set(
					 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
					 "%s: unable to retrieve user data element: 0.", function );
					goto on_error;
				}
				result = libevtx_record_values_parse_data_xml_tag_by_template( record_values, element_xml_tag, template_root_xml_tag, error );

				if( result == -1 )
				{
					libcerror_error_set(
					 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
					 "%s: unable to parse user data element: 0.", function );
					goto on_error;
				}
			}
		}
	}
	/* Set for every non-error outcome, including a result of 0 */
	record_values->data_parsed = 1;

	return( result );

on_error:
	/* No entry free function is passed: the arrays are released, the tags they
	 * point to are not
	 */
	if( record_values->strings_array != NULL )
	{
		libcdata_array_free( &( record_values->strings_array ), NULL, NULL );
	}
	if( record_values->string_identifiers_array != NULL )
	{
		libcdata_array_free( &( record_values->string_identifiers_array ), NULL, NULL );
	}
	return( -1 );
}

/* Retrieves the number of strings
 *
 * Parses the record data on first use, without a template definition.
 * Any parse result other than 1 is reported as an error.
 *
 * Returns 1 if successful or -1 on error
 */
int libevtx_record_values_get_number_of_strings(
     libevtx_record_values_t *record_values,
     libevtx_io_handle_t *io_handle,
     int *number_of_strings,
     libcerror_error_t **error )
{
	static char *function = "libevtx_record_values_get_number_of_strings";

	if( record_values == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record values.", function );
		return( -1 );
	}
	if( record_values->xml_document == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
		 "%s: invalid record values - missing XML document.", function );
		return( -1 );
	}
	if( record_values->data_parsed == 0 )
	{
		/* NOTE(review): a result of 0 (nothing to parse) also ends up here as an error */
		if( libevtx_record_values_parse_data( record_values, io_handle, NULL, error ) != 1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GENERIC,
			 "%s: unable to parse data.", function );
			return( -1 );
		}
	}
	if( libcdata_array_get_number_of_entries( record_values->strings_array, number_of_strings, error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve number of strings.", function );
		return( -1 );
	}
	return( 1 );
}

/* Retrieves the size of a specific UTF-8 encoded string
 * The returned size includes the end of string character
 *
 * string_index is passed unchecked to libcdata_array_get_entry_by_index
 * (presumably rejected there when out of range - confirm).
 *
 * Returns 1 if successful or -1 on error
 */
int libevtx_record_values_get_utf8_string_size(
     libevtx_record_values_t *record_values,
     libevtx_io_handle_t *io_handle,
     int string_index,
     size_t *utf8_string_size,
     libcerror_error_t **error )
{
	libfwevt_xml_tag_t *string_xml_tag     = NULL;
	libfwevt_xml_value_t *string_xml_value = NULL;
	static char *function                  = "libevtx_record_values_get_utf8_string_size";

	if( record_values == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record values.", function );
		return( -1 );
	}
	if( record_values->xml_document == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
		 "%s: invalid record values - missing XML document.", function );
		return( -1 );
	}
	if( record_values->data_parsed == 0 )
	{
		if( libevtx_record_values_parse_data( record_values, io_handle, NULL, error ) != 1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GENERIC,
			 "%s: unable to parse data.", function );
			return( -1 );
		}
	}
	if( libcdata_array_get_entry_by_index( record_values->strings_array, string_index, (intptr_t **) &string_xml_tag, error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve string: %d.", function, string_index );
		return( -1 );
	}
	if( libfwevt_xml_tag_get_value( string_xml_tag, &string_xml_value, error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve string: %d value.", function, string_index );
		return( -1 );
	}
/* TODO if string_xml_value == NULL return 0 */
	/* NOTE(review): until the TODO above is done a NULL value is passed on to
	 * libfwevt; other getters in this file treat a NULL value after a
	 * successful get_value as "not available" - confirm the callee rejects NULL
	 */
	if( libfwevt_xml_value_get_utf8_string_size( string_xml_value, utf8_string_size, error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve string: %d value size.", function, string_index );
		return( -1 );
	}
	return( 1 );
}

/* Retrieves a specific UTF-8 encoded string
 * The size should include the end of string character
 *
 * NOTE(review): the check of utf8_string against utf8_string_size is left to
 * libfwevt_xml_value_copy_to_utf8_string, which is not visible here; size the
 * buffer with libevtx_record_values_get_utf8_string_size.
 *
 * Returns 1 if successful or -1 on error
 */
int libevtx_record_values_get_utf8_string(
     libevtx_record_values_t *record_values,
     libevtx_io_handle_t *io_handle,
     int string_index,
     uint8_t *utf8_string,
     size_t utf8_string_size,
     libcerror_error_t **error )
{
	libfwevt_xml_tag_t *string_xml_tag     = NULL;
	libfwevt_xml_value_t *string_xml_value = NULL;
	static char *function                  = "libevtx_record_values_get_utf8_string";

	if( record_values == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record values.", function );
		return( -1 );
	}
	if( record_values->xml_document == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
		 "%s: invalid record values - missing XML document.", function );
		return( -1 );
	}
	if( record_values->data_parsed == 0 )
	{
		if( libevtx_record_values_parse_data( record_values, io_handle, NULL, error ) != 1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GENERIC,
			 "%s: unable to parse data.", function );
			return( -1 );
		}
	}
	if( libcdata_array_get_entry_by_index( record_values->strings_array, string_index, (intptr_t **) &string_xml_tag, error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve string: %d.", function, string_index );
		return( -1 );
	}
	if( libfwevt_xml_tag_get_value( string_xml_tag, &string_xml_value, error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve string: %d value.", function, string_index );
		return( -1 );
	}
	/* string_xml_value is not checked for NULL before the copy */
	if( libfwevt_xml_value_copy_to_utf8_string( string_xml_value, utf8_string, utf8_string_size, error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve string: %d value.", function, string_index );
		return( -1 );
	}
	return( 1 );
}

/* Retrieves the size of a specific UTF-16 encoded string
 * The returned size includes the end of string character
 *
 * string_index is passed unchecked to libcdata_array_get_entry_by_index
 * (presumably rejected there when out of range - confirm).
 *
 * Returns 1 if successful or -1 on error
 */
int libevtx_record_values_get_utf16_string_size(
     libevtx_record_values_t *record_values,
     libevtx_io_handle_t *io_handle,
     int string_index,
     size_t *utf16_string_size,
     libcerror_error_t **error )
{
	libfwevt_xml_tag_t *string_xml_tag     = NULL;
	libfwevt_xml_value_t *string_xml_value = NULL;
	static char *function                  = "libevtx_record_values_get_utf16_string_size";

	if( record_values == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record values.", function );
		return( -1 );
	}
	if( record_values->xml_document == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
		 "%s: invalid record values - missing XML document.", function );
		return( -1 );
	}
	if( record_values->data_parsed == 0 )
	{
		if( libevtx_record_values_parse_data( record_values, io_handle, NULL, error ) != 1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GENERIC,
			 "%s: unable to parse data.", function );
			return( -1 );
		}
	}
	if( libcdata_array_get_entry_by_index( record_values->strings_array, string_index, (intptr_t **) &string_xml_tag, error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve string: %d.", function, string_index );
		return( -1 );
	}
	if( libfwevt_xml_tag_get_value( string_xml_tag, &string_xml_value, error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve string: %d value.", function, string_index );
		return( -1 );
	}
/* TODO if string_xml_value == NULL return 0 */
	/* NOTE(review): until the TODO above is done a NULL value is passed on to
	 * libfwevt - confirm the callee rejects NULL
	 */
	if( libfwevt_xml_value_get_utf16_string_size( string_xml_value, utf16_string_size, error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve string: %d value size.", function, string_index );
		return( -1 );
	}
	return( 1 );
}

/* Retrieves a specific UTF-16 encoded string
 * The size should include the end of string character
 *
 * NOTE(review): the check of utf16_string against utf16_string_size is left to
 * libfwevt_xml_value_copy_to_utf16_string, which is not visible here; size the
 * buffer with libevtx_record_values_get_utf16_string_size.
 *
 * Returns 1 if successful or -1 on error
 */
int libevtx_record_values_get_utf16_string(
     libevtx_record_values_t *record_values,
     libevtx_io_handle_t *io_handle,
     int string_index,
     uint16_t *utf16_string,
     size_t utf16_string_size,
     libcerror_error_t **error )
{
	libfwevt_xml_tag_t *string_xml_tag     = NULL;
	libfwevt_xml_value_t *string_xml_value = NULL;
	static char *function                  = "libevtx_record_values_get_utf16_string";

	if( record_values == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record values.", function );
		return( -1 );
	}
	if( record_values->xml_document == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
		 "%s: invalid record values - missing XML document.", function );
		return( -1 );
	}
	if( record_values->data_parsed == 0 )
	{
		if( libevtx_record_values_parse_data( record_values, io_handle, NULL, error ) != 1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GENERIC,
			 "%s: unable to parse data.", function );
			return( -1 );
		}
	}
	if( libcdata_array_get_entry_by_index( record_values->strings_array, string_index, (intptr_t **) &string_xml_tag, error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve string: %d.", function, string_index );
		return( -1 );
	}
	if( libfwevt_xml_tag_get_value( string_xml_tag, &string_xml_value, error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve string: %d value.", function, string_index );
		return( -1 );
	}
	/* string_xml_value is not checked for NULL before the copy */
	if( libfwevt_xml_value_copy_to_utf16_string( string_xml_value, utf16_string, utf16_string_size, error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve string: %d value.", function, string_index );
		return( -1 );
	}
	return( 1 );
}

/* Retrieves the size of the data
 *
 * The data is the value of the BinaryData element inside the EventData
 * element below the document root; it is cached in
 * record_values->binary_data_value on first use.
 * Any parse result other than 1 is reported as an error, so the 0 return
 * value only covers a missing EventData or BinaryData element or value.
 *
 * Returns 1 if successful, 0 if not available or -1 on error
 */
int libevtx_record_values_get_data_size(
     libevtx_record_values_t *record_values,
     libevtx_io_handle_t *io_handle,
     size_t *data_size,
     libcerror_error_t **error )
{
	libfwevt_xml_tag_t *binary_data_tag    = NULL;
	libfwevt_xml_tag_t *event_data_xml_tag = NULL;
	libfwevt_xml_tag_t *root_xml_tag       = NULL;
	static char *function                  = "libevtx_record_values_get_data_size";
	int result                             = 0;

	if( record_values == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record values.", function );
		return( -1 );
	}
	if( record_values->xml_document == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
		 "%s: invalid record values - missing XML document.", function );
		return( -1 );
	}
	if( record_values->data_parsed == 0 )
	{
		if( libevtx_record_values_parse_data( record_values, io_handle, NULL, error ) != 1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GENERIC,
			 "%s: unable to parse data.", function );
			return( -1 );
		}
	}
	/* Only walk the XML tree when the value has not been cached yet */
	if( record_values->binary_data_value == NULL )
	{
		if( libfwevt_xml_document_get_root_xml_tag( record_values->xml_document, &root_xml_tag, error ) != 1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve root XML element.", function );
			return( -1 );
		}
		result = libfwevt_xml_tag_get_element_by_utf8_name( root_xml_tag, (uint8_t *) "EventData", 9, &event_data_xml_tag, error );

		if( result == -1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve EventData XML element.", function );
			return( -1 );
		}
		else if( result == 0 )
		{
			return( 0 );
		}
		result = libfwevt_xml_tag_get_element_by_utf8_name( event_data_xml_tag, (uint8_t *) "BinaryData", 10, &binary_data_tag, error );

		if( result == -1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve BinaryData XML element.", function );
			return( -1 );
		}
		else if( result == 0 )
		{
			return( 0 );
		}
		if( libfwevt_xml_tag_get_value( binary_data_tag, &( record_values->binary_data_value ), error ) != 1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve BinaryData XML element value.", function );
			return( -1 );
		}
	}
	/* The value can still be NULL after a successful lookup, which is reported as 0 */
	if( record_values->binary_data_value == NULL )
	{
		result = 0;
	}
	else
	{
		if( libfwevt_xml_value_get_data_size( record_values->binary_data_value, data_size, error ) != 1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve size of binary data.", function );
			return( -1 );
		}
		result = 1;
	}
	return( result );
}

/*
Retrieves the data * Returns 1 if successful, 0 if not available or -1 on error */
/* The data is the value of the BinaryData element inside the EventData element
 * below the document root; it is cached in record_values->binary_data_value on
 * first use. Any parse result other than 1 is reported as an error.
 *
 * NOTE(review): the check of data against data_size is left to
 * libfwevt_xml_value_copy_data, which is not visible here; size the buffer
 * with libevtx_record_values_get_data_size.
 */
int libevtx_record_values_get_data(
     libevtx_record_values_t *record_values,
     libevtx_io_handle_t *io_handle,
     uint8_t *data,
     size_t data_size,
     libcerror_error_t **error )
{
	libfwevt_xml_tag_t *binary_data_tag    = NULL;
	libfwevt_xml_tag_t *event_data_xml_tag = NULL;
	libfwevt_xml_tag_t *root_xml_tag       = NULL;
	static char *function                  = "libevtx_record_values_get_data";
	int result                             = 0;

	if( record_values == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record values.", function );
		return( -1 );
	}
	if( record_values->xml_document == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
		 "%s: invalid record values - missing XML document.", function );
		return( -1 );
	}
	if( record_values->data_parsed == 0 )
	{
		if( libevtx_record_values_parse_data( record_values, io_handle, NULL, error ) != 1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GENERIC,
			 "%s: unable to parse data.", function );
			return( -1 );
		}
	}
	/* Only walk the XML tree when the value has not been cached yet */
	if( record_values->binary_data_value == NULL )
	{
		if( libfwevt_xml_document_get_root_xml_tag( record_values->xml_document, &root_xml_tag, error ) != 1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve root XML element.", function );
			return( -1 );
		}
		result = libfwevt_xml_tag_get_element_by_utf8_name( root_xml_tag, (uint8_t *) "EventData", 9, &event_data_xml_tag, error );

		if( result == -1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve EventData XML element.", function );
			return( -1 );
		}
		else if( result == 0 )
		{
			return( 0 );
		}
		result = libfwevt_xml_tag_get_element_by_utf8_name( event_data_xml_tag, (uint8_t *) "BinaryData", 10, &binary_data_tag, error );

		if( result == -1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve BinaryData XML element.", function );
			return( -1 );
		}
		else if( result == 0 )
		{
			return( 0 );
		}
		if( libfwevt_xml_tag_get_value( binary_data_tag, &( record_values->binary_data_value ), error ) != 1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve BinaryData XML element value.", function );
			return( -1 );
		}
	}
	/* The value can still be NULL after a successful lookup, which is reported as 0 */
	if( record_values->binary_data_value == NULL )
	{
		result = 0;
	}
	else
	{
		if( libfwevt_xml_value_copy_data( record_values->binary_data_value, data, data_size, error ) != 1 )
		{
			libcerror_error_set(
			 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_COPY_FAILED,
			 "%s: unable to copy binary data.", function );
			return( -1 );
		}
		result = 1;
	}
	return( result );
}

/* Retrieves the size of the UTF-8 encoded XML string
 * The returned size includes the end of string character
 *
 * Unlike the value getters in this file, record_values->xml_document is
 * not checked for NULL here; it is passed straight to libfwevt.
 *
 * Returns 1 if successful or -1 on error
 */
int libevtx_record_values_get_utf8_xml_string_size(
     libevtx_record_values_t *record_values,
     size_t *utf8_string_size,
     libcerror_error_t **error )
{
	static char *function = "libevtx_record_values_get_utf8_xml_string_size";

	if( record_values == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record values.", function );
		return( -1 );
	}
	if( libfwevt_xml_document_get_utf8_xml_string_size( record_values->xml_document, utf8_string_size, error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve UTF-8 string size of XML document.", function );
		return( -1 );
	}
	return( 1 );
}

/* Retrieves the UTF-8 encoded XML string
 * The size should include the end of string character
 *
 * NOTE(review): the check of utf8_string against utf8_string_size is left to
 * libfwevt_xml_document_get_utf8_xml_string, which is not visible here; size
 * the buffer with libevtx_record_values_get_utf8_xml_string_size.
 *
 * Returns 1 if successful or -1 on error
 */
int libevtx_record_values_get_utf8_xml_string(
     libevtx_record_values_t *record_values,
     uint8_t *utf8_string,
     size_t utf8_string_size,
     libcerror_error_t **error )
{
	static char *function = "libevtx_record_values_get_utf8_xml_string";

	if( record_values == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record values.", function );
		return( -1 );
	}
	/* xml_document is not checked for NULL here; it is passed straight to libfwevt */
	if( libfwevt_xml_document_get_utf8_xml_string( record_values->xml_document, utf8_string, utf8_string_size, error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve UTF-8 string of XML document.", function );
		return( -1 );
	}
	return( 1 );
}

/* Retrieves the size of the UTF-16 encoded XML string
 * The returned size includes the end of string character
 *
 * record_values->xml_document is not checked for NULL here; it is passed
 * straight to libfwevt.
 *
 * Returns 1 if successful or -1 on error
 */
int libevtx_record_values_get_utf16_xml_string_size(
     libevtx_record_values_t *record_values,
     size_t *utf16_string_size,
     libcerror_error_t **error )
{
	static char *function = "libevtx_record_values_get_utf16_xml_string_size";

	if( record_values == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record values.", function );
		return( -1 );
	}
	if( libfwevt_xml_document_get_utf16_xml_string_size( record_values->xml_document, utf16_string_size, error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve UTF-16 string size of XML document.", function );
		return( -1 );
	}
	return( 1 );
}

/* Retrieves the UTF-16 encoded XML string
 * The size should include the end of string character
 *
 * NOTE(review): the check of utf16_string against utf16_string_size is left to
 * libfwevt_xml_document_get_utf16_xml_string, which is not visible here; size
 * the buffer with libevtx_record_values_get_utf16_xml_string_size.
 *
 * Returns 1 if successful or -1 on error
 */
int libevtx_record_values_get_utf16_xml_string(
     libevtx_record_values_t *record_values,
     uint16_t *utf16_string,
     size_t utf16_string_size,
     libcerror_error_t **error )
{
	static char *function = "libevtx_record_values_get_utf16_xml_string";

	if( record_values == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid record values.", function );
		return( -1 );
	}
	/* xml_document is not checked for NULL here; it is passed straight to libfwevt */
	if( libfwevt_xml_document_get_utf16_xml_string( record_values->xml_document, utf16_string, utf16_string_size, error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve UTF-16 string of XML document.", function );
		return( -1 );
	}
	return( 1 );
}

================================================ FILE: libevtx/libevtx_record_values.h ================================================ /* * Record values functions * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/

#if !defined( _LIBEVTX_RECORD_VALUES_H )
#define _LIBEVTX_RECORD_VALUES_H

/* NOTE(review): the two #include directives below carry no header name in
 * this listing; their <...> targets appear to have been lost - restore them
 * from the repository before building.
 */
#include
#include

#include "libevtx_io_handle.h"
#include "libevtx_libcdata.h"
#include "libevtx_libcerror.h"
#include "libevtx_libfwevt.h"
#include "libevtx_template_definition.h"
#include "libevtx_types.h"

#if defined( __cplusplus )
extern "C" {
#endif

/* The 4-byte event record signature, defined outside this header
 */
extern const uint8_t evtx_event_record_signature[ 4 ];

typedef struct libevtx_record_values libevtx_record_values_t;

/* Values of a single event record
 *
 * Holds the record header fields, the XML document and a set of members
 * documented as references to tags and values.
 * NOTE(review): the "Reference to ..." members presumably point into
 * xml_document and are not owned separately - confirm in
 * libevtx_record_values_free before adding code that frees or outlives them.
 */
struct libevtx_record_values
{
	/* The offset
	 */
	off64_t offset;

	/* The data size
	 */
	uint32_t data_size;

	/* The chunk data offset
	 */
	size_t chunk_data_offset;

	/* The identifier
	 */
	uint64_t identifier;

	/* The written time
	 */
	uint64_t written_time;

	/* The XML document
	 */
	libfwevt_xml_document_t *xml_document;

	/* Reference to the provider XML tag
	 */
	libfwevt_xml_tag_t *provider_xml_tag;

	/* Reference to the provider identifier value
	 */
	libfwevt_xml_value_t *provider_identifier_value;

	/* Reference to the provider name value
	 */
	libfwevt_xml_value_t *provider_name_value;

	/* Reference to the version value
	 */
	libfwevt_xml_value_t *version_value;

	/* Reference to the event identifier XML tag
	 */
	libfwevt_xml_tag_t *event_identifier_xml_tag;

	/* Reference to the time created value
	 */
	libfwevt_xml_value_t *time_created_value;

	/* Reference to the level value
	 */
	libfwevt_xml_value_t *level_value;

	/* Reference to the task value
	 */
	libfwevt_xml_value_t *task_value;

	/* Reference to the opcode value
	 * (the member name is spelled "oppcode")
	 */
	libfwevt_xml_value_t *oppcode_value;

	/* Reference to the keywords value
	 */
	libfwevt_xml_value_t *keywords_value;

	/* Reference to the channel value
	 */
	libfwevt_xml_value_t *channel_value;

	/* Reference to the computer value
	 */
	libfwevt_xml_value_t *computer_value;

	/* Reference to the user security identifier (SID) value
	 */
	libfwevt_xml_value_t *user_security_identifier_value;

	/* The string identifiers array
	 */
	libcdata_array_t *string_identifiers_array;

	/* The strings array
	 */
	libcdata_array_t *strings_array;

	/* Reference to the BinaryData value
	 */
	libfwevt_xml_value_t *binary_data_value;

	/* Value to indicate the data was parsed
	 */
	uint8_t data_parsed;
};

/* Life cycle: create, free and clone a record values structure
 */
int libevtx_record_values_initialize(
     libevtx_record_values_t **record_values,
     libcerror_error_t **error );

int libevtx_record_values_free(
     libevtx_record_values_t **record_values,
     libcerror_error_t **error );

int libevtx_record_values_clone(
     libevtx_record_values_t **destination_record_values,
     libevtx_record_values_t *source_record_values,
     libcerror_error_t **error );

/* Readers that take a caller-supplied chunk buffer
 * NOTE(review): chunk_data, chunk_data_size and chunk_data_offset come from
 * the file being parsed; the bounds checks that keep reads inside the buffer
 * live in the implementation, which this header does not show - confirm there.
 */
int libevtx_record_values_read_header(
     libevtx_record_values_t *record_values,
     libevtx_io_handle_t *io_handle,
     const uint8_t *chunk_data,
     size_t chunk_data_size,
     size_t chunk_data_offset,
     libcerror_error_t **error );

int libevtx_record_values_read_xml_document(
     libevtx_record_values_t *record_values,
     libevtx_io_handle_t *io_handle,
     const uint8_t *chunk_data,
     size_t chunk_data_size,
     libcerror_error_t **error );

/* Scalar getters
 */
int libevtx_record_values_get_event_identifier(
     libevtx_record_values_t *record_values,
     uint32_t *event_identifier,
     libcerror_error_t **error );

int libevtx_record_values_get_event_identifier_qualifiers(
     libevtx_record_values_t *record_values,
     uint32_t *event_identifier_qualifiers,
     libcerror_error_t **error );

int libevtx_record_values_get_event_version(
     libevtx_record_values_t *record_values,
     uint8_t *event_version,
     libcerror_error_t **error );

int libevtx_record_values_get_creation_time(
     libevtx_record_values_t *record_values,
     uint64_t *filetime,
     libcerror_error_t **error );

int libevtx_record_values_get_written_time(
     libevtx_record_values_t *record_values,
     uint64_t *filetime,
     libcerror_error_t **error );

int libevtx_record_values_get_event_level(
     libevtx_record_values_t *record_values,
     uint8_t *event_level,
     libcerror_error_t **error );

/* String getters, each a *_size function paired with a copy function that
 * takes the destination buffer and its size
 * NOTE(review): for the XML string pair the implementation states that the
 * size includes the end of string character; presumably the other pairs
 * follow the same convention - confirm in libevtx_record_values.c. Callers
 * should pass the real allocation size, never a larger value.
 */
int libevtx_record_values_get_utf8_provider_identifier_size(
     libevtx_record_values_t *record_values,
     size_t *utf8_string_size,
     libcerror_error_t **error );

int libevtx_record_values_get_utf8_provider_identifier(
     libevtx_record_values_t *record_values,
     uint8_t *utf8_string,
     size_t utf8_string_size,
     libcerror_error_t **error );

int libevtx_record_values_get_utf16_provider_identifier_size(
     libevtx_record_values_t *record_values,
     size_t *utf16_string_size,
     libcerror_error_t **error );

int libevtx_record_values_get_utf16_provider_identifier(
     libevtx_record_values_t *record_values,
     uint16_t *utf16_string,
     size_t utf16_string_size,
     libcerror_error_t **error );

int libevtx_record_values_get_utf8_source_name_size(
     libevtx_record_values_t *record_values,
     size_t *utf8_string_size,
     libcerror_error_t **error );

int libevtx_record_values_get_utf8_source_name(
     libevtx_record_values_t *record_values,
     uint8_t *utf8_string,
     size_t utf8_string_size,
     libcerror_error_t **error );

int libevtx_record_values_get_utf16_source_name_size(
     libevtx_record_values_t *record_values,
     size_t *utf16_string_size,
     libcerror_error_t **error );

int libevtx_record_values_get_utf16_source_name(
     libevtx_record_values_t *record_values,
     uint16_t *utf16_string,
     size_t utf16_string_size,
     libcerror_error_t **error );

int libevtx_record_values_get_utf8_channel_name_size(
     libevtx_record_values_t *record_values,
     size_t *utf8_string_size,
     libcerror_error_t **error );

int libevtx_record_values_get_utf8_channel_name(
     libevtx_record_values_t *record_values,
     uint8_t *utf8_string,
     size_t utf8_string_size,
     libcerror_error_t **error );

int libevtx_record_values_get_utf16_channel_name_size(
     libevtx_record_values_t *record_values,
     size_t *utf16_string_size,
     libcerror_error_t **error );

int libevtx_record_values_get_utf16_channel_name(
     libevtx_record_values_t *record_values,
     uint16_t *utf16_string,
     size_t utf16_string_size,
     libcerror_error_t **error );

int libevtx_record_values_get_utf8_computer_name_size(
     libevtx_record_values_t *record_values,
     size_t *utf8_string_size,
     libcerror_error_t **error );

int libevtx_record_values_get_utf8_computer_name(
     libevtx_record_values_t *record_values,
     uint8_t *utf8_string,
     size_t utf8_string_size,
     libcerror_error_t **error );

int libevtx_record_values_get_utf16_computer_name_size(
     libevtx_record_values_t *record_values,
     size_t *utf16_string_size,
     libcerror_error_t **error );

int libevtx_record_values_get_utf16_computer_name(
     libevtx_record_values_t *record_values,
     uint16_t *utf16_string,
     size_t utf16_string_size,
     libcerror_error_t **error );

int libevtx_record_values_get_utf8_user_security_identifier_size(
     libevtx_record_values_t *record_values,
     size_t *utf8_string_size,
     libcerror_error_t **error );

int libevtx_record_values_get_utf8_user_security_identifier(
     libevtx_record_values_t *record_values,
     uint8_t *utf8_string,
     size_t utf8_string_size,
     libcerror_error_t **error );

int libevtx_record_values_get_utf16_user_security_identifier_size(
     libevtx_record_values_t *record_values,
     size_t *utf16_string_size,
     libcerror_error_t **error );

int libevtx_record_values_get_utf16_user_security_identifier(
     libevtx_record_values_t *record_values,
     uint16_t *utf16_string,
     size_t utf16_string_size,
     libcerror_error_t **error );

/* Parses the record data with the help of a template definition
 */
int libevtx_record_values_parse_data(
     libevtx_record_values_t *record_values,
     libevtx_io_handle_t *io_handle,
     libevtx_internal_template_definition_t *internal_template_definition,
     libcerror_error_t **error );

/* Indexed access to the record strings
 * NOTE(review): string_index is a signed int supplied by the caller; the
 * range check against the number of strings is expected in the
 * implementation - confirm.
 */
int libevtx_record_values_get_number_of_strings(
     libevtx_record_values_t *record_values,
     libevtx_io_handle_t *io_handle,
     int *number_of_strings,
     libcerror_error_t **error );

int libevtx_record_values_get_utf8_string_size(
     libevtx_record_values_t *record_values,
     libevtx_io_handle_t *io_handle,
     int string_index,
     size_t *utf8_string_size,
     libcerror_error_t **error );

int libevtx_record_values_get_utf8_string(
     libevtx_record_values_t *record_values,
     libevtx_io_handle_t *io_handle,
     int string_index,
     uint8_t *utf8_string,
     size_t utf8_string_size,
     libcerror_error_t **error );

int libevtx_record_values_get_utf16_string_size(
     libevtx_record_values_t *record_values,
     libevtx_io_handle_t *io_handle,
     int string_index,
     size_t *utf16_string_size,
     libcerror_error_t **error );

int libevtx_record_values_get_utf16_string(
     libevtx_record_values_t *record_values,
     libevtx_io_handle_t *io_handle,
     int string_index,
     uint16_t *utf16_string,
     size_t utf16_string_size,
     libcerror_error_t **error );

/* Access to the binary data of the record
 * NOTE(review): these appear to return 0 when the record has no BinaryData
 * element, so 0 is "nothing to copy" rather than an error - confirm in
 * libevtx_record_values.c.
 */
int libevtx_record_values_get_data_size(
     libevtx_record_values_t *record_values,
     libevtx_io_handle_t *io_handle,
     size_t *data_size,
     libcerror_error_t **error );

int libevtx_record_values_get_data(
     libevtx_record_values_t *record_values,
     libevtx_io_handle_t *io_handle,
     uint8_t *data,
     size_t data_size,
     libcerror_error_t **error );

/* The XML document of the record as an UTF-8 or UTF-16 string
 * The *_size functions return a size that includes the end of string
 * character; the copy functions expect a size that includes it as well
 * All four return 1 if successful or -1 on error
 */
int libevtx_record_values_get_utf8_xml_string_size(
     libevtx_record_values_t *record_values,
     size_t *utf8_string_size,
     libcerror_error_t **error );

int libevtx_record_values_get_utf8_xml_string(
     libevtx_record_values_t *record_values,
     uint8_t *utf8_string,
     size_t utf8_string_size,
     libcerror_error_t **error );

int libevtx_record_values_get_utf16_xml_string_size(
     libevtx_record_values_t *record_values,
     size_t *utf16_string_size,
     libcerror_error_t **error );

int libevtx_record_values_get_utf16_xml_string(
     libevtx_record_values_t *record_values,
     uint16_t *utf16_string,
     size_t utf16_string_size,
     libcerror_error_t **error );

#if defined( __cplusplus )
}
#endif

#endif /* !defined( _LIBEVTX_RECORD_VALUES_H ) */

================================================
FILE: libevtx/libevtx_support.c
================================================
/*
 * Support functions
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
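*
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see .
 */

/* NOTE(review): the five angle-bracket header names were missing from the
 * listing this file was taken from. They are restored here from the helpers
 * the code uses (memory_compare, narrow_string_length, wide_string_length)
 * and the headers present in common/ - confirm against the repository.
 */
#include <common.h>
#include <memory.h>
#include <narrow_string.h>
#include <types.h>
#include <wide_string.h>

#include "libevtx_definitions.h"
#include "libevtx_io_handle.h"
#include "libevtx_libbfio.h"
#include "libevtx_libcerror.h"
#include "libevtx_libclocale.h"
#include "libevtx_support.h"

#if !defined( HAVE_LOCAL_LIBEVTX )

/* Returns the library version
 * The string is the compile-time constant LIBEVTX_VERSION_STRING
 */
const char *libevtx_get_version(
             void )
{
	return( (const char *) LIBEVTX_VERSION_STRING );
}

/* Returns the access flags for reading
 * The flag value is narrowed to uint8_t before it is returned as an int
 */
int libevtx_get_access_flags_read(
     void )
{
	return( (uint8_t) LIBEVTX_ACCESS_FLAG_READ );
}

/* Retrieves the narrow system string codepage
 * A value of 0 represents no codepage, UTF-8 encoding is used instead
 * codepage is passed to libclocale_codepage_get without a check of its own
 * Returns 1 if successful or -1 on error
 */
int libevtx_get_codepage(
     int *codepage,
     libcerror_error_t **error )
{
	static char *function = "libevtx_get_codepage";

	if( libclocale_codepage_get(
	     codepage,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to retrieve codepage.",
		 function );

		return( -1 );
	}
	return( 1 );
}

/* Sets the narrow system string codepage
 * A value of 0 represents no codepage, UTF-8 encoding is used instead
 * Which codepage values are accepted is decided by libclocale_codepage_set
 * Returns 1 if successful or -1 on error
 */
int libevtx_set_codepage(
     int codepage,
     libcerror_error_t **error )
{
	static char *function = "libevtx_set_codepage";

	if( libclocale_codepage_set(
	     codepage,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_SET_FAILED,
		 "%s: unable to set codepage.",
		 function );

		return( -1 );
	}
	return( 1 );
}

#endif /* !defined( HAVE_LOCAL_LIBEVTX ) */

/* Determines if a file contains an EVTX file signature
 *
 * The file is accessed through a temporary bfio file handle that is freed
 * again before returning, on the success path and on the error path
 *
 * Returns 1 if true, 0 if not or -1 on error
 * A return of -1 means the check could not be completed (invalid argument,
 * or the open, read or cleanup step failed). It is not a "not EVTX" verdict,
 * so code that triages untrusted files should handle it apart from 0.
 */
int libevtx_check_file_signature(
     const char *filename,
     libcerror_error_t **error )
{
	libbfio_handle_t *file_io_handle = NULL;
	static char *function            = "libevtx_check_file_signature";
	size_t filename_length           = 0;
	int result                       = 0;

	if( filename == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid filename.",
		 function );

		return( -1 );
	}
	filename_length = narrow_string_length(
	                   filename );

	/* An empty name is rejected before any handle is created
	 */
	if( filename_length == 0 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid filename.",
		 function );

		goto on_error;
	}
	if( libbfio_file_initialize(
	     &file_io_handle,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
		 "%s: unable to create file IO handle.",
		 function );

		goto on_error;
	}
	if( libbfio_file_set_name(
	     file_io_handle,
	     filename,
	     filename_length,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_SET_FAILED,
		 "%s: unable to set filename in file IO handle.",
		 function );

		goto on_error;
	}
	result = libevtx_check_file_signature_file_io_handle(
	          file_io_handle,
	          error );

	if( result == -1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to check file signature using a file handle.",
		 function );

		goto on_error;
	}
	if( libbfio_handle_free(
	     &file_io_handle,
	     error ) != 1 )
	{
		/* A failed free is a finalize failure, not an initialize failure
		 */
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
		 "%s: unable to free file IO handle.",
		 function );

		goto on_error;
	}
	return( result );

on_error:
	if( file_io_handle != NULL )
	{
		libbfio_handle_free(
		 &file_io_handle,
		 NULL );
	}
	return( -1 );
}

#if defined( HAVE_WIDE_CHARACTER_TYPE )

/* Determines if a file contains an EVTX file signature
 *
 * Wide character variant of libevtx_check_file_signature; the file is
 * accessed through a temporary bfio file handle that is freed again before
 * returning
 *
 * Returns 1 if true, 0 if not or -1 on error
 * A return of -1 means the check could not be completed and is not a
 * "not EVTX" verdict.
 */
int libevtx_check_file_signature_wide(
     const wchar_t *filename,
     libcerror_error_t **error )
{
	libbfio_handle_t *file_io_handle = NULL;
	static char *function            = "libevtx_check_file_signature_wide";
	size_t filename_length           = 0;
	int result                       = 0;

	if( filename == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid filename.",
		 function );

		return( -1 );
	}
	filename_length = wide_string_length(
	                   filename );

	if( filename_length == 0 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid filename.",
		 function );

		return( -1 );
	}
	if( libbfio_file_initialize(
	     &file_io_handle,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
		 "%s: unable to create file IO handle.",
		 function );

		goto on_error;
	}
	if( libbfio_file_set_name_wide(
	     file_io_handle,
	     filename,
	     filename_length,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_SET_FAILED,
		 "%s: unable to set filename in file IO handle.",
		 function );

		goto on_error;
	}
	result = libevtx_check_file_signature_file_io_handle(
	          file_io_handle,
	          error );

	if( result == -1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to check file signature using a file handle.",
		 function );

		goto on_error;
	}
	if( libbfio_handle_free(
	     &file_io_handle,
	     error ) != 1 )
	{
		/* A failed free is a finalize failure, not an initialize failure
		 */
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
		 "%s: unable to free file IO handle.",
		 function );

		goto on_error;
	}
	return( result );

on_error:
	if( file_io_handle != NULL )
	{
		libbfio_handle_free(
		 &file_io_handle,
		 NULL );
	}
	return( -1 );
}

#endif /* defined( HAVE_WIDE_CHARACTER_TYPE ) */

/* Determines if a file contains an EVTX file signature using a Basic File IO (bfio) handle
 *
 * Reads exactly 8 bytes at offset 0 into a fixed 8-byte buffer and compares
 * them with evtx_file_signature (defined outside this file)
 *
 * A handle that is already open on entry is left open; a handle that this
 * function had to open is closed again before returning
 *
 * Returns 1 if true, 0 if not or -1 on error
 * A read that yields fewer than 8 bytes, for instance a truncated or empty
 * file, is reported as -1 and not as 0. Callers that sort untrusted input
 * should treat -1 as "could not determine".
 */
int libevtx_check_file_signature_file_io_handle(
     libbfio_handle_t *file_io_handle,
     libcerror_error_t **error )
{
	uint8_t signature[ 8 ];

	static char *function      = "libevtx_check_file_signature_file_io_handle";
	ssize_t read_count         = 0;
	int file_io_handle_is_open = 0;
	int opened_here            = 0;

	if( file_io_handle == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid file IO handle.",
		 function );

		return( -1 );
	}
	file_io_handle_is_open = libbfio_handle_is_open(
	                          file_io_handle,
	                          error );

	if( file_io_handle_is_open == -1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_IO,
		 LIBCERROR_IO_ERROR_OPEN_FAILED,
		 "%s: unable to open file.",
		 function );

		goto on_error;
	}
	else if( file_io_handle_is_open == 0 )
	{
		if( libbfio_handle_open(
		     file_io_handle,
		     LIBBFIO_OPEN_READ,
		     error ) != 1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_IO,
			 LIBCERROR_IO_ERROR_OPEN_FAILED,
			 "%s: unable to open file.",
			 function );

			goto on_error;
		}
		/* Only a handle opened here is closed here, so the error path
		 * does not call close on a handle whose open failed
		 */
		opened_here = 1;
	}
	/* The read size equals the size of the signature buffer
	 */
	read_count = libbfio_handle_read_buffer_at_offset(
	              file_io_handle,
	              signature,
	              8,
	              0,
	              error );

	if( read_count != 8 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_IO,
		 LIBCERROR_IO_ERROR_READ_FAILED,
		 "%s: unable to read signature at offset: 0 (0x00000000).",
		 function );

		goto on_error;
	}
	if( opened_here != 0 )
	{
		if( libbfio_handle_close(
		     file_io_handle,
		     error ) != 0 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_IO,
			 LIBCERROR_IO_ERROR_CLOSE_FAILED,
			 "%s: unable to close file.",
			 function );

			goto on_error;
		}
	}
	if( memory_compare(
	     evtx_file_signature,
	     signature,
	     8 ) == 0 )
	{
		return( 1 );
	}
	return( 0 );

on_error:
	if( opened_here != 0 )
	{
		libbfio_handle_close(
		 file_io_handle,
		 NULL );
	}
	return( -1 );
}

================================================
FILE: libevtx/libevtx_support.h
================================================
/*
 * Support functions
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.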
*
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see .
 */

#if !defined( _LIBEVTX_SUPPORT_H )
#define _LIBEVTX_SUPPORT_H

/* NOTE(review): the two #include directives below carry no header name in
 * this listing; their <...> targets appear to have been lost - restore them
 * from the repository before building.
 */
#include
#include

#include "libevtx_extern.h"
#include "libevtx_libbfio.h"
#include "libevtx_libcerror.h"

#if defined( __cplusplus )
extern "C" {
#endif

#if !defined( HAVE_LOCAL_LIBEVTX )

/* Returns the library version string
 */
LIBEVTX_EXTERN \
const char *libevtx_get_version(
             void );

/* Returns the access flags for reading
 */
LIBEVTX_EXTERN \
int libevtx_get_access_flags_read(
     void );

/* Retrieves the narrow system string codepage
 * A value of 0 represents no codepage, UTF-8 encoding is used instead
 * Returns 1 if successful or -1 on error
 */
LIBEVTX_EXTERN \
int libevtx_get_codepage(
     int *codepage,
     libcerror_error_t **error );

/* Sets the narrow system string codepage
 * A value of 0 represents no codepage, UTF-8 encoding is used instead
 * Returns 1 if successful or -1 on error
 */
LIBEVTX_EXTERN \
int libevtx_set_codepage(
     int codepage,
     libcerror_error_t **error );

#endif /* !defined( HAVE_LOCAL_LIBEVTX ) */

/* The three signature checks below share one return convention:
 * 1 if the file starts with the EVTX file signature, 0 if it does not and
 * -1 on error. The implementation reports a read of fewer than 8 bytes as
 * -1, so -1 must not be read as "not an EVTX file".
 */

/* Determines if a file contains an EVTX file signature
 */
LIBEVTX_EXTERN \
int libevtx_check_file_signature(
     const char *filename,
     libcerror_error_t **error );

#if defined( HAVE_WIDE_CHARACTER_TYPE )

/* Determines if a file contains an EVTX file signature
 * Wide character filename variant
 */
LIBEVTX_EXTERN \
int libevtx_check_file_signature_wide(
     const wchar_t *filename,
     libcerror_error_t **error );

#endif /* defined( HAVE_WIDE_CHARACTER_TYPE ) */

/* Determines if a file contains an EVTX file signature using a Basic File IO (bfio) handle
 * The parameter is named file_io_handle in the implementation
 */
LIBEVTX_EXTERN \
int libevtx_check_file_signature_file_io_handle(
     libbfio_handle_t *bfio_handle,
     libcerror_error_t **error );

#if defined( __cplusplus )
}
#endif

#endif /* !defined( _LIBEVTX_SUPPORT_H ) */

================================================
FILE: libevtx/libevtx_template_definition.c
================================================
/*
 * Template definition functions
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
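*
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see .
 */

/* NOTE(review): the three angle-bracket header names were missing from the
 * listing this file was taken from. They are restored here from the helpers
 * the code uses (memory_allocate_structure, memory_set, memory_free) and the
 * headers present in common/ - confirm against the repository.
 */
#include <common.h>
#include <memory.h>
#include <types.h>

#include "libevtx_io_handle.h"
#include "libevtx_libcdata.h"
#include "libevtx_libcerror.h"
#include "libevtx_libcnotify.h"
#include "libevtx_libfwevt.h"
#include "libevtx_template_definition.h"

/* Creates a template definition
 * Make sure the value template_definition is referencing, is set to NULL
 *
 * The internal structure is allocated, zeroed and given a WEVT template;
 * the XML document stays NULL until libevtx_template_definition_read runs
 * On error the allocation is released and *template_definition is untouched
 *
 * Returns 1 if successful or -1 on error
 */
int libevtx_template_definition_initialize(
     libevtx_template_definition_t **template_definition,
     libcerror_error_t **error )
{
	libevtx_internal_template_definition_t *internal_template_definition = NULL;
	static char *function                                                = "libevtx_template_definition_initialize";

	if( template_definition == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid template definition.",
		 function );

		return( -1 );
	}
	/* Refusing a non-NULL target avoids overwriting, and so leaking,
	 * an existing template definition
	 */
	if( *template_definition != NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET,
		 "%s: invalid template definition value already set.",
		 function );

		return( -1 );
	}
	internal_template_definition = memory_allocate_structure(
	                                libevtx_internal_template_definition_t );

	if( internal_template_definition == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_MEMORY,
		 LIBCERROR_MEMORY_ERROR_INSUFFICIENT,
		 "%s: unable to create template definition.",
		 function );

		goto on_error;
	}
	/* Zeroing makes both member pointers NULL, which the free and read
	 * functions rely on
	 */
	if( memory_set(
	     internal_template_definition,
	     0,
	     sizeof( libevtx_internal_template_definition_t ) ) == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_MEMORY,
		 LIBCERROR_MEMORY_ERROR_SET_FAILED,
		 "%s: unable to clear template definition.",
		 function );

		goto on_error;
	}
	if( libfwevt_template_initialize(
	     &( internal_template_definition->wevt_template ),
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
		 "%s: unable to create WEVT template.",
		 function );

		goto on_error;
	}
	*template_definition = (libevtx_template_definition_t *) internal_template_definition;

	return( 1 );

on_error:
	if( internal_template_definition != NULL )
	{
		memory_free(
		 internal_template_definition );
	}
	return( -1 );
}

/* Frees a template definition
 *
 * *template_definition is set to NULL before the members are released, so
 * the caller is not left with a dangling pointer even when a member free
 * fails; in that case the remaining members and the structure itself are
 * still released and -1 is returned
 *
 * Returns 1 if successful or -1 on error
 */
int libevtx_template_definition_free(
     libevtx_template_definition_t **template_definition,
     libcerror_error_t **error )
{
	libevtx_internal_template_definition_t *internal_template_definition = NULL;
	static char *function                                                = "libevtx_template_definition_free";
	int result                                                           = 1;

	if( template_definition == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid template.",
		 function );

		return( -1 );
	}
	if( *template_definition != NULL )
	{
		internal_template_definition = (libevtx_internal_template_definition_t *) *template_definition;
		*template_definition         = NULL;

		if( libfwevt_template_free(
		     &( internal_template_definition->wevt_template ),
		     error ) != 1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
			 "%s: unable to free WEVT template.",
			 function );

			result = -1;
		}
		if( internal_template_definition->xml_document != NULL )
		{
			if( libfwevt_xml_document_free(
			     &( internal_template_definition->xml_document ),
			     error ) != 1 )
			{
				/* A failed free is a finalize failure, matching the
				 * WEVT template case above
				 */
				libcerror_error_set(
				 error,
				 LIBCERROR_ERROR_DOMAIN_RUNTIME,
				 LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
				 "%s: unable to free XML document.",
				 function );

				result = -1;
			}
		}
		memory_free(
		 internal_template_definition );
	}
	return( result );
}

/* Sets the data
 *
 * data, data_size and data_offset are handed to the WEVT template as given;
 * this function checks only template_definition
 * NOTE(review): whether libfwevt copies the buffer or keeps a reference to
 * it is not visible here - confirm before freeing or reusing data while the
 * template definition is alive. If the offset is stored and the data call
 * then fails, the template keeps the new offset.
 *
 * Returns 1 if successful or -1 on error
 */
int libevtx_template_definition_set_data(
     libevtx_template_definition_t *template_definition,
     const uint8_t *data,
     size_t data_size,
     uint32_t data_offset,
     libcerror_error_t **error )
{
	libevtx_internal_template_definition_t *internal_template_definition = NULL;
	static char *function                                                = "libevtx_template_definition_set_data";

	if( template_definition == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid template definition.",
		 function );

		return( -1 );
	}
	internal_template_definition = (libevtx_internal_template_definition_t *) template_definition;

	if( libfwevt_template_set_offset(
	     internal_template_definition->wevt_template,
	     data_offset,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_SET_FAILED,
		 "%s: unable to set template offset.",
		 function );

		return( -1 );
	}
	if( libfwevt_template_set_data(
	     internal_template_definition->wevt_template,
	     data,
	     data_size,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_SET_FAILED,
		 "%s: unable to set template data.",
		 function );

		return( -1 );
	}
	return( 1 );
}

/* Reads the template
 *
 * Applies the ASCII codepage of the IO handle to the WEVT template, creates
 * the XML document and has libfwevt read it from the template
 * The template bytes are supplied by the caller through
 * libevtx_template_definition_set_data; their parsing and validation is
 * left to libfwevt, this function adds none of its own
 *
 * A template definition that already has an XML document is rejected
 * On error the XML document created here is freed again
 *
 * Returns 1 if successful or -1 on error
 */
int libevtx_template_definition_read(
     libevtx_internal_template_definition_t *internal_template_definition,
     libevtx_io_handle_t *io_handle,
     libcerror_error_t **error )
{
	static char *function = "libevtx_template_definition_read";

	if( internal_template_definition == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid template definition.",
		 function );

		return( -1 );
	}
	if( internal_template_definition->xml_document != NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET,
		 "%s: invalid template definition - XML document already set.",
		 function );

		return( -1 );
	}
	if( io_handle == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid IO handle.",
		 function );

		return( -1 );
	}
	if( libfwevt_template_set_ascii_codepage(
	     internal_template_definition->wevt_template,
	     io_handle->ascii_codepage,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_SET_FAILED,
		 "%s: unable to set ASCII codepage in template.",
		 function );

		goto on_error;
	}
	if( libfwevt_xml_document_initialize(
	     &( internal_template_definition->xml_document ),
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
		 "%s: unable to create XML document.",
		 function );

		goto on_error;
	}
	if( libfwevt_template_read_xml_document(
	     internal_template_definition->wevt_template,
	     internal_template_definition->xml_document,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_IO,
		 LIBCERROR_IO_ERROR_READ_FAILED,
		 "%s: unable to read XML document from template.",
		 function );

		goto on_error;
	}
#if defined( HAVE_DEBUG_OUTPUT )
	if( libcnotify_verbose != 0 )
	{
		libcnotify_printf(
		 "%s: XML document:\n",
		 function );

		if( libfwevt_xml_document_debug_print(
		     internal_template_definition->xml_document,
		     error ) != 1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_PRINT_FAILED,
			 "%s: unable to print XML document.",
			 function );

			goto on_error;
		}
		libcnotify_printf(
		 "\n" );
	}
#endif
	return( 1 );

on_error:
	/* Dropping a partially built document keeps the "already set" check
	 * at the top from blocking a later call
	 * NOTE(review): this assumes libfwevt_xml_document_free resets the
	 * pointer to NULL - confirm
	 */
	if( internal_template_definition->xml_document != NULL )
	{
		libfwevt_xml_document_free(
		 &( internal_template_definition->xml_document ),
		 NULL );
	}
	return( -1 );
}

================================================
FILE: libevtx/libevtx_template_definition.h
================================================
/*
 * Template definition functions
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.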
*
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see .
 */

#if !defined( _LIBEVTX_INTERNAL_TEMPLATE_DEFINITION_H )
#define _LIBEVTX_INTERNAL_TEMPLATE_DEFINITION_H

/* NOTE(review): the two #include directives below carry no header name in
 * this listing; their <...> targets appear to have been lost - restore them
 * from the repository before building.
 */
#include
#include

#include "libevtx_extern.h"
#include "libevtx_io_handle.h"
#include "libevtx_libcdata.h"
#include "libevtx_libcerror.h"
#include "libevtx_libfwevt.h"
#include "libevtx_types.h"

#if defined( __cplusplus )
extern "C" {
#endif

typedef struct libevtx_internal_template_definition libevtx_internal_template_definition_t;

/* Internal representation behind libevtx_template_definition_t
 * The implementation casts the public pointer to this structure
 */
struct libevtx_internal_template_definition
{
	/* The WEVT template
	 * Created by libevtx_template_definition_initialize
	 */
	libfwevt_template_t *wevt_template;

	/* The XML document
	 * NULL until libevtx_template_definition_read has succeeded
	 */
	libfwevt_xml_document_t *xml_document;
};

/* Creates a template definition
 * Make sure the value template_definition is referencing, is set to NULL
 * Returns 1 if successful or -1 on error
 */
LIBEVTX_EXTERN \
int libevtx_template_definition_initialize(
     libevtx_template_definition_t **template_definition,
     libcerror_error_t **error );

/* Frees a template definition
 * Returns 1 if successful or -1 on error
 */
LIBEVTX_EXTERN \
int libevtx_template_definition_free(
     libevtx_template_definition_t **template_definition,
     libcerror_error_t **error );

/* Sets the data
 * data, data_size and data_offset are forwarded to the WEVT template; the
 * implementation checks only template_definition itself
 * Returns 1 if successful or -1 on error
 */
LIBEVTX_EXTERN \
int libevtx_template_definition_set_data(
     libevtx_template_definition_t *template_definition,
     const uint8_t *data,
     size_t data_size,
     uint32_t data_offset,
     libcerror_error_t **error );

/* Reads the template
 * Takes the internal structure type and is declared without LIBEVTX_EXTERN,
 * unlike the three functions above
 * Returns 1 if successful or -1 on error
 */
int libevtx_template_definition_read(
     libevtx_internal_template_definition_t *internal_template_definition,
     libevtx_io_handle_t *io_handle,
     libcerror_error_t **error );

#if defined( __cplusplus )
}
#endif

#endif /* !defined( _LIBEVTX_INTERNAL_TEMPLATE_DEFINITION_H ) */
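================================================
FILE: libevtx/libevtx_types.h
================================================
/*
 * The internal type definitions
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see <https://www.gnu.org/licenses/>.
 */

#if !defined( _LIBEVTX_INTERNAL_TYPES_H )
#define _LIBEVTX_INTERNAL_TYPES_H

#include <common.h>
#include <types.h>

/* Define HAVE_LOCAL_LIBEVTX for local use of libevtx
 * The public type definitions are copied here
 * for local use of libevtx
 */
#if defined( HAVE_LOCAL_LIBEVTX )

/* The following type definitions hide internal data structures
 *
 * With debug output and without WINAPI every handle type is a distinct
 * empty struct, otherwise every handle type is an intptr_t
 * An empty struct is not ISO C and relies on a compiler extension
 */
#if defined( HAVE_DEBUG_OUTPUT ) && !defined( WINAPI )
typedef struct libevtx_file {}	libevtx_file_t;
typedef struct libevtx_record {}	libevtx_record_t;
typedef struct libevtx_template_definition {}	libevtx_template_definition_t;

#else
typedef intptr_t libevtx_file_t;
typedef intptr_t libevtx_record_t;
typedef intptr_t libevtx_template_definition_t;

#endif /* defined( HAVE_DEBUG_OUTPUT ) && !defined( WINAPI ) */

#endif /* defined( HAVE_LOCAL_LIBEVTX ) */

/* The largest primary (or scalar) available
 * supported by a single load and store instruction
 * The width of unsigned long int differs between platforms
 */
typedef unsigned long int libevtx_aligned_t;

#endif /* !defined( _LIBEVTX_INTERNAL_TYPES_H ) */

================================================
FILE: libevtx/libevtx_unused.h
================================================
/*
 * Definitions to silence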
compiler warnings about unused function attributes/parameters. * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . */ #if !defined( _LIBEVTX_UNUSED_H ) #define _LIBEVTX_UNUSED_H #include #if !defined( LIBEVTX_ATTRIBUTE_UNUSED ) #if defined( __GNUC__ ) && __GNUC__ >= 3 #define LIBEVTX_ATTRIBUTE_UNUSED __attribute__ ((__unused__)) #else #define LIBEVTX_ATTRIBUTE_UNUSED #endif #endif #if defined( _MSC_VER ) #define LIBEVTX_UNREFERENCED_PARAMETER( parameter ) \ UNREFERENCED_PARAMETER( parameter ); #else #define LIBEVTX_UNREFERENCED_PARAMETER( parameter ) \ /* parameter */ #endif #endif /* !defined( _LIBEVTX_UNUSED_H ) */ ================================================ FILE: libevtx.ini ================================================ [project] name: "libevtx" status: "alpha" year_of_creation: "2011" data_format: "Windows XML Event Log (EVTX)" documentation_url: "https://github.com/libyal/libevtx/tree/main/documentation" features: ["debug_output", "ossfuzz", "python_bindings", "tools"] [dtFabric] data_types: { "file_header": { "__options__": ["file_io_handle"], "signature": {}, "first_chunk_number": {"usage": "in_function"}, "last_chunk_number": {"usage": "in_function"}, "next_record_identifier": {}, "header_size": {}, "minor_version": {"usage": "in_struct"}, "major_version": {"usage": "in_struct"}, "header_block_size": {"usage": 
"in_struct"}, "number_of_chunks": {"usage": "in_struct"}, "unknown1": {}, "file_flags": {"usage": "in_struct"}, "checksum": {"usage": "in_function"} }} [library] features: ["pthread", "wide_character_type"] public_types: ["file", "record", "template_definition"] [tools] description: "Several tools for reading Windows XML Event Log (EVTX) files" names: ["evtxexport", "evtxinfo"] [troubleshooting] example: "evtxinfo Application.Evtx" [development] main_object: "file" main_object_filename: "Application.Evtx" [tests] profiles: ["libevtx", "pyevtx", "evtxinfo", "evtxexport", "evtxexport_xml"] info_tool_options_per_profile: [""] info_tool_profiles: ["evtxinfo"] example_filename1: "System.Evtx" example_filename2: "Application.Evtx" ================================================ FILE: libevtx.pc.in ================================================ prefix=@prefix@ exec_prefix=@exec_prefix@ libdir=@libdir@ includedir=@includedir@ Name: libevtx Description: Library to access the Windows XML Event Log (EVTX) format Version: @VERSION@ Libs: -L${libdir} -levtx Libs.private: @ax_libbfio_pc_libs_private@ @ax_libcdata_pc_libs_private@ @ax_libcerror_pc_libs_private@ @ax_libcfile_pc_libs_private@ @ax_libclocale_pc_libs_private@ @ax_libcnotify_pc_libs_private@ @ax_libcpath_pc_libs_private@ @ax_libcsplit_pc_libs_private@ @ax_libcthreads_pc_libs_private@ @ax_libfcache_pc_libs_private@ @ax_libfdata_pc_libs_private@ @ax_libfdatetime_pc_libs_private@ @ax_libfguid_pc_libs_private@ @ax_libfvalue_pc_libs_private@ @ax_libfwevt_pc_libs_private@ @ax_libfwnt_pc_libs_private@ @ax_libuna_pc_libs_private@ @ax_pthread_pc_libs_private@ Cflags: -I${includedir} ================================================ FILE: libevtx.spec.in ================================================ Name: libevtx Version: @VERSION@ Release: 1 Summary: Library to access the Windows XML Event Log (EVTX) format Group: System Environment/Libraries License: LGPL-3.0-or-later Source: %{name}-%{version}.tar.gz URL: 
https://github.com/libyal/libevtx @libevtx_spec_requires@ @ax_libbfio_spec_requires@ @ax_libcdata_spec_requires@ @ax_libcerror_spec_requires@ @ax_libcfile_spec_requires@ @ax_libclocale_spec_requires@ @ax_libcnotify_spec_requires@ @ax_libcpath_spec_requires@ @ax_libcsplit_spec_requires@ @ax_libcthreads_spec_requires@ @ax_libfcache_spec_requires@ @ax_libfdata_spec_requires@ @ax_libfdatetime_spec_requires@ @ax_libfguid_spec_requires@ @ax_libfvalue_spec_requires@ @ax_libfwevt_spec_requires@ @ax_libfwnt_spec_requires@ @ax_libuna_spec_requires@ BuildRequires: gcc @ax_libbfio_spec_build_requires@ @ax_libcdata_spec_build_requires@ @ax_libcerror_spec_build_requires@ @ax_libcfile_spec_build_requires@ @ax_libclocale_spec_build_requires@ @ax_libcnotify_spec_build_requires@ @ax_libcpath_spec_build_requires@ @ax_libcsplit_spec_build_requires@ @ax_libcthreads_spec_build_requires@ @ax_libfcache_spec_build_requires@ @ax_libfdata_spec_build_requires@ @ax_libfdatetime_spec_build_requires@ @ax_libfguid_spec_build_requires@ @ax_libfvalue_spec_build_requires@ @ax_libfwevt_spec_build_requires@ @ax_libfwnt_spec_build_requires@ @ax_libuna_spec_build_requires@ %description -n libevtx Library to access the Windows XML Event Log (EVTX) format %package -n libevtx-static Summary: Library to access the Windows XML Event Log (EVTX) format Group: Development/Libraries Requires: libevtx = %{version}-%{release} %description -n libevtx-static Static library version of libevtx. %package -n libevtx-devel Summary: Header files and libraries for developing applications for libevtx Group: Development/Libraries Requires: libevtx = %{version}-%{release} %description -n libevtx-devel Header files and libraries for developing applications for libevtx. 
%package -n libevtx-python3 Summary: Python 3 bindings for libevtx Group: System Environment/Libraries Requires: libevtx = %{version}-%{release} python3 BuildRequires: python3-devel python3-setuptools %description -n libevtx-python3 Python 3 bindings for libevtx %package -n libevtx-tools Summary: Several tools for reading Windows XML Event Log (EVTX) files Group: Applications/System Requires: libevtx = %{version}-%{release} @ax_libcdirectory_spec_requires@ @ax_libexe_spec_requires@ @ax_libregf_spec_requires@ @ax_libwrc_spec_requires@ @libevtx_spec_tools_build_requires@ @ax_libcdirectory_spec_build_requires@ @ax_libexe_spec_build_requires@ @ax_libregf_spec_build_requires@ @ax_libwrc_spec_build_requires@ %description -n libevtx-tools Several tools for reading Windows XML Event Log (EVTX) files %prep %setup -q %build %configure --prefix=/usr --libdir=%{_libdir} --mandir=%{_mandir} --enable-python make %{?_smp_mflags} %install rm -rf %{buildroot} %make_install %clean rm -rf %{buildroot} %post -p /sbin/ldconfig %postun -p /sbin/ldconfig %files -n libevtx %license COPYING COPYING.LESSER %doc AUTHORS README %{_libdir}/*.so.* %files -n libevtx-static %license COPYING COPYING.LESSER %doc AUTHORS README %{_libdir}/*.a %files -n libevtx-devel %license COPYING COPYING.LESSER %doc AUTHORS README %{_libdir}/*.so %{_libdir}/pkgconfig/libevtx.pc %{_includedir}/* %{_mandir}/man3/* %files -n libevtx-python3 %license COPYING COPYING.LESSER %doc AUTHORS README %{_libdir}/python3*/site-packages/*.a %{_libdir}/python3*/site-packages/*.so %files -n libevtx-tools %license COPYING COPYING.LESSER %doc AUTHORS README %{_bindir}/* %{_mandir}/man1/* %changelog * @SPEC_DATE@ Joachim Metz @VERSION@-1 - Auto-generated ================================================ FILE: m4/common.m4 ================================================ dnl Checks for common headers and functions dnl dnl Version: 20241013 dnl Function to test if a certain feature was disabled AC_DEFUN([AX_COMMON_ARG_DISABLE], 
[AC_ARG_ENABLE( [$1], [AS_HELP_STRING( [--disable-$1], [$3])], [ac_cv_enable_$2=$enableval], [ac_cv_enable_$2="yes"])dnl AC_CACHE_CHECK( [whether to disable $3], [ac_cv_enable_$2], [ac_cv_enable_$2="yes"])dnl ]) dnl Function to test if a certain feature was enabled AC_DEFUN([AX_COMMON_ARG_ENABLE], [AC_ARG_ENABLE( [$1], [AS_HELP_STRING( [--enable-$1], [$3 @<:@default=$4@:>@])], [ac_cv_enable_$2=$enableval], [ac_cv_enable_$2=$4])dnl AC_CACHE_CHECK( [whether to enable $3], [ac_cv_enable_$2], [ac_cv_enable_$2=$4])dnl ]) dnl Function to test if the location of a certain feature was provided AC_DEFUN([AX_COMMON_ARG_WITH], [AC_ARG_WITH( [$1], [AS_HELP_STRING( [--with-$1[[=$5]]], [$3 @<:@default=$4@:>@])], [ac_cv_with_$2=$withval], [ac_cv_with_$2=$4])dnl AC_CACHE_CHECK( [whether to use $3], [ac_cv_with_$2], [ac_cv_with_$2=$4])dnl ]) dnl Function to detect whether shared library support should be disabled AC_DEFUN([AX_COMMON_CHECK_DISABLE_SHARED_LIBS], [AX_COMMON_ARG_DISABLE( [shared-libs], [shared_libs], [disable shared library support]) ]) dnl Function to detect whether debug output should be enabled AC_DEFUN([AX_COMMON_CHECK_ENABLE_DEBUG_OUTPUT], [AX_COMMON_ARG_ENABLE( [debug-output], [debug_output], [enable debug output], [no]) AS_IF( [test "x$ac_cv_enable_debug_output" != xno ], [AC_DEFINE( [HAVE_DEBUG_OUTPUT], [1], [Define to 1 if debug output should be used.]) ac_cv_enable_debug_output=yes]) ]) dnl Function to detect whether static executables support should be enabled AC_DEFUN([AX_COMMON_CHECK_ENABLE_STATIC_EXECUTABLES], [AX_COMMON_ARG_ENABLE( [static-executables], [static_executables], [build static executables (binaries)], [no]) AS_IF( [test "x$ac_cv_enable_static_executables" != xno], [STATIC_LDFLAGS="-all-static"; AC_SUBST( [STATIC_LDFLAGS]) ac_cv_enable_static_executables=yes enable_shared=no]) ]) dnl Function to detect whether verbose output should be enabled AC_DEFUN([AX_COMMON_CHECK_ENABLE_VERBOSE_OUTPUT], [AX_COMMON_ARG_ENABLE( [verbose-output], 
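[verbose_output],
    [enable verbose output],
    [no])

  AS_IF(
    [test "x$ac_cv_enable_verbose_output" != xno ],
    [AC_DEFINE(
      [HAVE_VERBOSE_OUTPUT],
      [1],
      [Define to 1 if verbose output should be used.])

    ac_cv_enable_verbose_output=yes])
  ])

dnl Function to detect whether wide character type support should be enabled
dnl Only registers the configure option, the default is no.
AC_DEFUN([AX_COMMON_CHECK_ENABLE_WIDE_CHARACTER_TYPE],
  [AX_COMMON_ARG_ENABLE(
    [wide-character-type],
    [wide_character_type],
    [enable wide character type support],
    [no])
  ])

dnl Function to detect whether WINAPI support should be enabled
dnl With the default auto-detect the target string is used, or the host string
dnl when the target string is empty, and WINAPI support is enabled when that
dnl string matches mingw or msys.
AC_DEFUN([AX_COMMON_CHECK_ENABLE_WINAPI],
  [AX_COMMON_ARG_ENABLE(
    [winapi],
    [winapi],
    [enable WINAPI support for cross-compilation],
    [auto-detect])

  AS_IF(
    [test "x$ac_cv_enable_winapi" = xauto-detect],
    [ac_common_check_winapi_target_string="$target"

    AS_IF(
      [test "x$ac_common_check_winapi_target_string" = x],
      [ac_common_check_winapi_target_string="$host"])

    AS_CASE(
      [$ac_common_check_winapi_target_string],
      [*mingw*],[AC_MSG_NOTICE(
        [detected MinGW enabling WINAPI support for cross-compilation])
        ac_cv_enable_winapi=yes],
      [*msys*],[AC_MSG_NOTICE(
        [detected MSYS enabling WINAPI support for cross-compilation])
        ac_cv_enable_winapi=yes],
      [*],[ac_cv_enable_winapi=no])
    ])
  ])

dnl Function to detect whether printf conversion specifier "%jd" is available
dnl The probes are built with -Wall -Werror in three steps: a call without an
dnl argument has to be rejected, a call with an argument has to link, and the
dnl formatted result has to read 10. When the run step cannot be executed the
dnl result is undetermined and HAVE_PRINTF_JD stays undefined.
dnl NOTE(review): "%jd" takes an intmax_t while the probes pass an off_t, a
dnl compiler that reports the mismatch under -Werror makes the answer no.
dnl Confirm on the target toolchain.
AC_DEFUN([AX_COMMON_CHECK_FUNC_PRINTF_JD],
  [AC_MSG_CHECKING(
    [whether printf supports the conversion specifier "%jd"])

  SAVE_CFLAGS="$CFLAGS"
  CFLAGS="$CFLAGS -Wall -Werror"
  AC_LANG_PUSH(C)

  dnl First try to see if compilation and linkage without a parameter succeeds
  AC_LINK_IFELSE(
    [AC_LANG_PROGRAM(
      [[#include <stdio.h>]],
      [[printf( "%jd" ); ]] )],
    [ac_cv_cv_have_printf_jd=no],
    [ac_cv_cv_have_printf_jd=yes])

  dnl Second try to see if compilation and linkage with a parameter succeeds
  AS_IF(
    [test "x$ac_cv_cv_have_printf_jd" = xyes],
    [AC_LINK_IFELSE(
      [AC_LANG_PROGRAM(
        [[#include <sys/types.h>
#include <stdio.h>]],
        [[printf( "%jd", (off_t) 10 ); ]] )],
      [ac_cv_cv_have_printf_jd=yes],
      [ac_cv_cv_have_printf_jd=no])
    ])

  dnl Third try to see if the program runs correctly
  AS_IF(
    [test "x$ac_cv_cv_have_printf_jd" = xyes],
    [AC_RUN_IFELSE(
      [AC_LANG_PROGRAM(
        [[#include <sys/types.h>
#include <stdio.h>]],
        [[char string[ 3 ];
if( snprintf( string, 3, "%jd", (off_t) 10 ) < 0 ) return( 1 );
if( ( string[ 0 ] != '1' ) || ( string[ 1 ] != '0' ) ) return( 1 ); ]] )],
      [ac_cv_cv_have_printf_jd=yes],
      [ac_cv_cv_have_printf_jd=no],
      [ac_cv_cv_have_printf_jd=undetermined])
    ])

  AC_LANG_POP(C)
  CFLAGS="$SAVE_CFLAGS"

  AS_IF(
    [test "x$ac_cv_cv_have_printf_jd" = xyes],
    [AC_MSG_RESULT(
      [yes])
    AC_DEFINE(
      [HAVE_PRINTF_JD],
      [1],
      [Define to 1 whether printf supports the conversion specifier "%jd".]) ],
    [AC_MSG_RESULT(
      [$ac_cv_cv_have_printf_jd]) ])
  ])

dnl Function to detect whether printf conversion specifier "%zd" is available
dnl Uses the same three steps as the "%jd" check and defines HAVE_PRINTF_ZD
dnl only when all of them answer yes.
dnl NOTE(review): "%zd" takes the signed counterpart of size_t while the probes
dnl pass a size_t. Confirm the probes build cleanly on the target toolchain.
AC_DEFUN([AX_COMMON_CHECK_FUNC_PRINTF_ZD],
  [AC_MSG_CHECKING(
    [whether printf supports the conversion specifier "%zd"])

  SAVE_CFLAGS="$CFLAGS"
  CFLAGS="$CFLAGS -Wall -Werror"
  AC_LANG_PUSH(C)

  dnl First try to see if compilation and linkage without a parameter succeeds
  AC_LINK_IFELSE(
    [AC_LANG_PROGRAM(
      [[#include <stdio.h>]],
      [[printf( "%zd" ); ]] )],
    [ac_cv_cv_have_printf_zd=no],
    [ac_cv_cv_have_printf_zd=yes])

  dnl Second try to see if compilation and linkage with a parameter succeeds
  AS_IF(
    [test "x$ac_cv_cv_have_printf_zd" = xyes],
    [AC_LINK_IFELSE(
      [AC_LANG_PROGRAM(
        [[#include <sys/types.h>
#include <stdio.h>]],
        [[printf( "%zd", (size_t) 10 ); ]] )],
      [ac_cv_cv_have_printf_zd=yes],
      [ac_cv_cv_have_printf_zd=no])
    ])

  dnl Third try to see if the program runs correctly
  AS_IF(
    [test "x$ac_cv_cv_have_printf_zd" = xyes],
    [AC_RUN_IFELSE(
      [AC_LANG_PROGRAM(
        [[#include <sys/types.h>
#include <stdio.h>]],
        [[char string[ 3 ];
if( snprintf( string, 3, "%zd", (size_t) 10 ) < 0 ) return( 1 );
if( ( string[ 0 ] != '1' ) || ( string[ 1 ] != '0' ) ) return( 1 ); ]] )],
      [ac_cv_cv_have_printf_zd=yes],
      [ac_cv_cv_have_printf_zd=no],
      [ac_cv_cv_have_printf_zd=undetermined])
    ])

  AC_LANG_POP(C)
  CFLAGS="$SAVE_CFLAGS"

  AS_IF(
    [test "x$ac_cv_cv_have_printf_zd" = xyes],
    [AC_MSG_RESULT(
      [yes])
    AC_DEFINE(
      [HAVE_PRINTF_ZD],
      [1],
      [Define to 1 whether printf supports the conversion specifier "%zd".]) ],
    [AC_MSG_RESULT(
      [$ac_cv_cv_have_printf_zd]) ])
  ])

dnl Function to detect if common dependencies are available
dnl A missing required header or function stops configure with a failure message.
AC_DEFUN([AX_COMMON_CHECK_LOCAL],
  [dnl Headers included in common/common.h
  AS_IF(
    [test "x$ac_cv_enable_winapi" = xyes],
    [AC_CHECK_HEADERS([windows.h])

    AS_IF(
      [test "x$ac_cv_header_windows_h" = xno],
      [AC_MSG_FAILURE(
        [Missing header: windows.h header is required to compile with winapi support],
        [1])
      ])
    ])

  AS_IF(
    [test "x$ac_cv_enable_winapi" = xno],
    [AC_CHECK_HEADERS([libintl.h])
    ])

  dnl Headers included in common/types.h
  AC_CHECK_HEADERS([limits.h])

  dnl Headers included in common/memory.h and common/narrow_string.h
  AC_CHECK_HEADERS([stdlib.h string.h])

  dnl Headers included in common/wide_string.h
  AC_CHECK_HEADERS([wchar.h wctype.h])

  dnl File stream functions used in common/file_stream.h
  AC_CHECK_FUNCS([fclose feof fgets fopen fread fseeko fseeko64 fwrite vfprintf])

  AS_IF(
    [test "x$ac_cv_func_fclose" != xyes],
    [AC_MSG_FAILURE(
      [Missing function: fclose],
      [1])
    ])

  AS_IF(
    [test "x$ac_cv_func_feof" != xyes],
    [AC_MSG_FAILURE(
      [Missing function: feof],
      [1])
    ])

  AS_IF(
    [test "x$ac_cv_func_fgets" != xyes],
    [AC_MSG_FAILURE(
      [Missing function: fgets],
      [1])
    ])

  AS_IF(
    [test "x$ac_cv_func_fopen" != xyes],
    [AC_MSG_FAILURE(
      [Missing function: fopen],
      [1])
    ])

  AS_IF(
    [test "x$ac_cv_func_fread" != xyes],
    [AC_MSG_FAILURE(
      [Missing function: fread],
      [1])
    ])

  AS_IF(
    [test "x$ac_cv_func_fseeko" != xyes && test "x$ac_cv_func_fseeko64" != xyes],
    [AC_MSG_FAILURE(
      [Missing function: fseeko and fseeko64],
      [1])
    ])

  AS_IF(
    [test "x$ac_cv_func_fwrite" != xyes],
    [AC_MSG_FAILURE(
      [Missing function: fwrite],
      [1])
    ])

  AS_IF(
    [test "x$ac_cv_func_vfprintf" != xyes],
    [AC_MSG_FAILURE(
      [Missing function: vfprintf],
      [1])
    ])

  AS_IF(
    [test "x$ac_cv_enable_wide_character_type" != xno],
    [AC_CHECK_FUNCS([fgetws])

    AS_IF(
      [test "x$ac_cv_func_fgetws" != xyes],
      [AC_MSG_FAILURE(
        [Missing function: fgetws],
        [1])
      ])
    ])
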
dnl Memory functions used in common/memory.h AC_CHECK_FUNCS([free malloc memcmp memcpy memset realloc]) AS_IF( [test "x$ac_cv_func_free" != xyes], [AC_MSG_FAILURE( [Missing function: free], [1]) ]) AS_IF( [test "x$ac_cv_func_malloc" != xyes], [AC_MSG_FAILURE( [Missing function: malloc], [1]) ]) AS_IF( [test "x$ac_cv_func_memcmp" != xyes], [AC_MSG_FAILURE( [Missing function: memcmp], [1]) ]) AS_IF( [test "x$ac_cv_func_memcpy" != xyes], [AC_MSG_FAILURE( [Missing function: memcpy], [1]) ]) AS_IF( [test "x$ac_cv_func_memset" != xyes], [AC_MSG_FAILURE( [Missing function: memset], [1]) ]) AS_IF( [test "x$ac_cv_func_realloc" != xyes], [AC_MSG_FAILURE( [Missing function: realloc], [1]) ]) dnl Narrow character string functions used in common/narrow_string.h AC_CHECK_FUNCS([memchr memrchr snprintf sscanf strcasecmp strchr strlen strncasecmp strncmp strncpy strnicmp strrchr strstr vsnprintf]) AS_IF( [test "x$ac_cv_func_memchr" != xyes && test "x$ac_cv_func_strchr" != xyes], [AC_MSG_FAILURE( [Missing functions: memchr and strchr], [1]) ]) AS_IF( [test "x$ac_cv_func_memcmp" != xyes && test "x$ac_cv_func_strncmp" != xyes], [AC_MSG_FAILURE( [Missing functions: memcmp and strncmp], [1]) ]) AS_IF( [test "x$ac_cv_func_memcpy" != xyes && test "x$ac_cv_func_strncpy" != xyes], [AC_MSG_FAILURE( [Missing functions: memcpy and strncpy], [1]) ]) AS_IF( [test "x$ac_cv_func_memrchr" = xyes], [AC_CHECK_DECLS([memrchr]) AS_IF( [test "x$ac_cv_decl_memrchr" != xyes], [ac_cv_func_memrchr=no]) ]) AS_IF( [test "x$ac_cv_func_memrchr" != xyes && test "x$ac_cv_func_strrchr" != xyes], [AC_MSG_FAILURE( [Missing functions: strrchr and memrchr], [1]) ]) AS_IF( [test "x$ac_cv_func_snprintf" != xyes], [AC_MSG_FAILURE( [Missing function: snprintf], [1]) ]) AS_IF( [test "x$ac_cv_func_sscanf" != xyes], [AC_MSG_FAILURE( [Missing function: sscanf], [1]) ]) AS_IF( [test "x$ac_cv_func_strlen" != xyes], [AC_MSG_FAILURE( [Missing function: strlen], [1]) ]) AS_IF( [test "x$ac_cv_func_strcasecmp" != xyes && test 
"x$ac_cv_func_strncasecmp" != xyes && test "x$ac_cv_func_strnicmp" != xyes], [AC_MSG_FAILURE( [Missing functions: strncasecmp, strcasecmp and strnicmp], [1]) ]) AS_IF( [test "x$ac_cv_func_strstr" != xyes], [AC_MSG_FAILURE( [Missing function: strstr], [1]) ]) AS_IF( [test "x$ac_cv_func_vsnprintf" != xyes], [AC_MSG_FAILURE( [Missing function: vsnprintf], [1]) ]) dnl Wide character string functions used in common/wide_string.h AS_IF( [test "x$ac_cv_enable_wide_character_type" != xno], [AC_CHECK_FUNCS([swprintf towlower wcscasecmp wcschr wcslen wcsncasecmp wcsncmp wcsncpy wcsnicmp wcsrchr wcsstr wmemchr wmemcmp wmemcpy wmemrchr]) AS_IF( [test "x$ac_cv_func_swprintf" != xyes], [AC_MSG_FAILURE( [Missing function: swprintf], [1]) ]) AS_IF( [test "x$ac_cv_func_wmemchr" != xyes && test "x$ac_cv_func_wcschr" != xyes], [AC_MSG_FAILURE( [Missing functions: wmemchr and wcschr], [1]) ]) AS_IF( [test "x$ac_cv_func_wmemcmp" != xyes && test "x$ac_cv_func_wcsncmp" != xyes], [AC_MSG_FAILURE( [Missing functions: wmemcmp and wcsncmp], [1]) ]) AS_IF( [test "x$ac_cv_func_wmemcpy" != xyes && test "x$ac_cv_func_wcsncpy" != xyes], [AC_MSG_FAILURE( [Missing functions: wmemcpy and wcsncpy], [1]) ]) AS_IF( [test "x$ac_cv_func_wmemrchr" != xyes && test "x$ac_cv_func_wcsrchr" != xyes], [AC_MSG_FAILURE( [Missing functions: wmemrchr and wcsrchr], [1]) ]) AS_IF( [test "x$ac_cv_func_wcslen" != xyes], [AC_MSG_FAILURE( [Missing function: wcslen], [1]) ]) AS_IF( [test "x$ac_cv_func_wcsncasecmp" != xyes && test "x$ac_cv_func_wcscasecmp" != xyes && test "x$ac_cv_func_wcsnicmp" != xyes && test "x$ac_cv_func_towlower" != xyes], [AC_MSG_FAILURE( [Missing functions: wcsncasecmp, wcscasecmp, wcsnicmp and towlower], [1]) ]) AS_IF( [test "x$ac_cv_func_wcsstr" != xyes], [AC_MSG_FAILURE( [Missing function: wcsstr], [1]) ]) ]) dnl Check for printf conversion specifier support AX_COMMON_CHECK_FUNC_PRINTF_JD AX_COMMON_CHECK_FUNC_PRINTF_ZD ]) dnl Function to test if a library with a specific definition is available 
dnl Arguments: 1 = library name, also used as the name of the header that is
dnl included, 2 = definition to test.
dnl Links a program that assigns the definition to an int and caches the result
dnl per library and definition. When the result is not yes the library is
dnl marked as unavailable.
AC_DEFUN([AX_CHECK_LIB_DEFINITION],
  [AC_CACHE_CHECK(
    [if `$2' is defined],
    [ac_cv_$1_definition_$2],
    [AC_LANG_PUSH(C)
    AC_LINK_IFELSE(
      [AC_LANG_PROGRAM(
        [[#include <$1.h>]],
        [[int test = $2;
return( 0 ); ]] )],
      [ac_cv_$1_definition_$2=yes],
      [ac_cv_$1_definition_$2=no])
    AC_LANG_POP(C)])

  AS_IF(
    [test "x$ac_cv_$1_definition_$2" != xyes],
    [ac_cv_$1=no])
  ])

dnl Function to test if a library with specific definitions is available
dnl Arguments: 1 = library name, 2 = list of definitions. Runs
dnl AX_CHECK_LIB_DEFINITION once for every entry of the list.
AC_DEFUN([AX_CHECK_LIB_DEFINITIONS],
  [m4_foreach(
    [definition],
    [$2],
    [AX_CHECK_LIB_DEFINITION(
      [$1],
      [definition])
    ])
  ])

dnl Function to test if a library with specific functions is available
dnl Arguments: 1 = library name used in the result variable, 2 = name handed to
dnl AC_CHECK_LIB, 3 = list of functions.
dnl A function that is found only sets a dummy variable, which keeps
dnl AC_CHECK_LIB from adding -l arguments. A function that is missing marks the
dnl library as unavailable.
AC_DEFUN([AX_CHECK_LIB_FUNCTIONS],
  [m4_foreach(
    [function],
    [$3],
    [AC_CHECK_LIB(
      [$2],
      [function],
      [ac_cv_$1_dummy=yes],
      [ac_cv_$1=no])
    ])
  ])

dnl Function to check if an user specified library directory exists
dnl Argument: 1 = library name. The directory is read from the with variable of
dnl that library, which AX_COMMON_ARG_WITH fills from the configure option.
dnl When it exists its include and lib sub directories are appended to CFLAGS
dnl and LDFLAGS, otherwise configure fails.
dnl NOTE(review): headers and libraries found under this directory end up in
dnl the build, so it should be a location the builder trusts. The path is
dnl placed into the flags as is, a path with whitespace would presumably be
dnl split when the flags are used.
AC_DEFUN([AX_CHECK_LIB_DIRECTORY_EXISTS],
  [AS_IF(
    [test -d "$ac_cv_with_$1"],
    [CFLAGS="$CFLAGS -I${ac_cv_with_$1}/include"
    LDFLAGS="$LDFLAGS -L${ac_cv_with_$1}/lib"],
    [AC_MSG_FAILURE(
      [no such directory: $ac_cv_with_$1],
      [1])
    ])
  ])

dnl Function to warn if no supported library was found in an user specified directory
dnl Argument: 1 = library name. Fails configure when the library was not
dnl detected although the with variable holds something other than an empty
dnl value, auto-detect or yes, which is treated as an explicit directory.
AC_DEFUN([AX_CHECK_LIB_DIRECTORY_MSG_ON_FAILURE],
  [AS_IF(
    [test "x$ac_cv_$1" != xyes && test "x$ac_cv_with_$1" != x && test "x$ac_cv_with_$1" != xauto-detect && test "x$ac_cv_with_$1" != xyes],
    [AC_MSG_FAILURE(
      [unable to find supported $1 in directory: $ac_cv_with_$1],
      [1])
    ])
  ])

================================================
FILE: m4/libbfio.m4
================================================
dnl Checks for libbfio required headers and functions
dnl
dnl Version: 20240518

dnl Function to detect if libbfio is available
dnl ac_libbfio_dummy is used to prevent AC_CHECK_LIB adding unnecessary -l arguments
AC_DEFUN([AX_LIBBFIO_CHECK_LIB],
  [AS_IF(
    [test "x$ac_cv_enable_shared_libs" = xno || test "x$ac_cv_with_libbfio" = xno],
    [ac_cv_libbfio=no],
    [ac_cv_libbfio=check
    dnl Check if the directory provided as parameter exists
    dnl For both
--with-libbfio which returns "yes" and --with-libbfio= which returns "" dnl treat them as auto-detection. AS_IF( [test "x$ac_cv_with_libbfio" != x && test "x$ac_cv_with_libbfio" != xauto-detect && test "x$ac_cv_with_libbfio" != xyes], [AX_CHECK_LIB_DIRECTORY_EXISTS([libbfio])], [dnl Check for a pkg-config file AS_IF( [test "x$cross_compiling" != "xyes" && test "x$PKGCONFIG" != "x"], [PKG_CHECK_MODULES( [libbfio], [libbfio >= 20201125], [ac_cv_libbfio=yes], [ac_cv_libbfio=check]) ]) AS_IF( [test "x$ac_cv_libbfio" = xyes && test "x$ac_cv_enable_wide_character_type" != xno], [AC_CACHE_CHECK( [whether libbfio/features.h defines LIBBFIO_HAVE_WIDE_CHARACTER_TYPE as 1], [ac_cv_header_libbfio_features_h_have_wide_character_type], [AC_LANG_PUSH(C) AC_COMPILE_IFELSE( [AC_LANG_PROGRAM( [[#include ]], [[#if !defined( LIBBFIO_HAVE_WIDE_CHARACTER_TYPE ) || ( LIBBFIO_HAVE_WIDE_CHARACTER_TYPE != 1 ) #error LIBBFIO_HAVE_WIDE_CHARACTER_TYPE not defined #endif]] )], [ac_cv_header_libbfio_features_h_have_wide_character_type=yes], [ac_cv_header_libbfio_features_h_have_wide_character_type=no]) AC_LANG_POP(C)], [ac_cv_header_libbfio_features_h_have_wide_character_type=no]) AS_IF( [test "x$ac_cv_header_libbfio_features_h_have_wide_character_type" = xno], [ac_cv_libbfio=no]) ]) AS_IF( [test "x$ac_cv_libbfio" = xyes], [ac_cv_libbfio_CPPFLAGS="$pkg_cv_libbfio_CFLAGS" ac_cv_libbfio_LIBADD="$pkg_cv_libbfio_LIBS"]) ]) AS_IF( [test "x$ac_cv_libbfio" = xcheck], [dnl Check for headers AC_CHECK_HEADERS([libbfio.h]) AS_IF( [test "x$ac_cv_header_libbfio_h" = xno], [ac_cv_libbfio=no], [ac_cv_libbfio=yes AX_CHECK_LIB_FUNCTIONS( [libbfio], [bfio], [[libbfio_get_version], [libbfio_handle_free], [libbfio_handle_open], [libbfio_handle_close], [libbfio_handle_exists], [libbfio_handle_read_buffer], [libbfio_handle_read_buffer_at_offset], [libbfio_handle_write_buffer], [libbfio_handle_write_buffer_at_offset], [libbfio_handle_seek_offset], [libbfio_handle_is_open], [libbfio_handle_get_offset], 
[libbfio_handle_get_size], [libbfio_handle_set_track_offsets_read], [libbfio_handle_get_number_of_offsets_read], [libbfio_handle_get_offset_read], [libbfio_file_initialize], [libbfio_file_get_name_size], [libbfio_file_get_name], [libbfio_file_set_name], [libbfio_pool_initialize], [libbfio_pool_free], [libbfio_pool_clone], [libbfio_pool_get_number_of_handles], [libbfio_pool_get_handle], [libbfio_pool_set_handle], [libbfio_pool_append_handle], [libbfio_pool_remove_handle], [libbfio_pool_get_maximum_number_of_open_handles], [libbfio_pool_set_maximum_number_of_open_handles], [libbfio_pool_open], [libbfio_pool_reopen], [libbfio_pool_close], [libbfio_pool_close_all], [libbfio_pool_read_buffer], [libbfio_pool_read_buffer_at_offset], [libbfio_pool_write_buffer], [libbfio_pool_write_buffer_at_offset], [libbfio_pool_seek_offset], [libbfio_pool_get_offset], [libbfio_pool_get_size], [libbfio_file_pool_open]]) AS_IF( [test "x$ac_cv_enable_wide_character_type" != xno], [AX_CHECK_LIB_FUNCTIONS( [libbfio], [bfio], [[libbfio_file_get_name_size_wide], [libbfio_file_get_name_wide], [libbfio_file_set_name_wide], [libbfio_file_pool_open_wide]]) ]) ac_cv_libbfio_LIBADD="-lbfio"]) ]) AX_CHECK_LIB_DIRECTORY_MSG_ON_FAILURE([libbfio]) ]) AS_IF( [test "x$ac_cv_libbfio" = xyes], [AC_DEFINE( [HAVE_LIBBFIO], [1], [Define to 1 if you have the `bfio' library (-lbfio).]) ]) AS_IF( [test "x$ac_cv_libbfio" = xyes], [AC_SUBST( [HAVE_LIBBFIO], [1]) ], [AC_SUBST( [HAVE_LIBBFIO], [0]) ]) ]) dnl Function to detect if libbfio dependencies are available AC_DEFUN([AX_LIBBFIO_CHECK_LOCAL], [dnl No additional checks. 
ac_cv_libbfio_CPPFLAGS="-I../libbfio -I\$(top_srcdir)/libbfio"; ac_cv_libbfio_LIBADD="../libbfio/libbfio.la"; ac_cv_libbfio=local ]) dnl Function to detect how to enable libbfio AC_DEFUN([AX_LIBBFIO_CHECK_ENABLE], [AX_COMMON_ARG_WITH( [libbfio], [libbfio], [search for libbfio in includedir and libdir or in the specified DIR, or no if to use local version], [auto-detect], [DIR]) dnl Check for a shared library version AX_LIBBFIO_CHECK_LIB dnl Check if the dependencies for the local library version AS_IF( [test "x$ac_cv_libbfio" != xyes], [AX_LIBBFIO_CHECK_LOCAL AC_DEFINE( [HAVE_LOCAL_LIBBFIO], [1], [Define to 1 if the local version of libbfio is used.]) AC_SUBST( [HAVE_LOCAL_LIBBFIO], [1]) ]) AM_CONDITIONAL( [HAVE_LOCAL_LIBBFIO], [test "x$ac_cv_libbfio" = xlocal]) AS_IF( [test "x$ac_cv_libbfio_CPPFLAGS" != "x"], [AC_SUBST( [LIBBFIO_CPPFLAGS], [$ac_cv_libbfio_CPPFLAGS]) ]) AS_IF( [test "x$ac_cv_libbfio_LIBADD" != "x"], [AC_SUBST( [LIBBFIO_LIBADD], [$ac_cv_libbfio_LIBADD]) ]) AS_IF( [test "x$ac_cv_libbfio" = xyes], [AC_SUBST( [ax_libbfio_pc_libs_private], [-lbfio]) ]) AS_IF( [test "x$ac_cv_libbfio" = xyes], [AC_SUBST( [ax_libbfio_spec_requires], [libbfio]) AC_SUBST( [ax_libbfio_spec_build_requires], [libbfio-devel]) ]) ]) ================================================ FILE: m4/libcdata.m4 ================================================ dnl Checks for libcdata required headers and functions dnl dnl Version: 20240514 dnl Function to detect if libcdata is available dnl ac_libcdata_dummy is used to prevent AC_CHECK_LIB adding unnecessary -l arguments AC_DEFUN([AX_LIBCDATA_CHECK_LIB], [AS_IF( [test "x$ac_cv_enable_shared_libs" = xno || test "x$ac_cv_with_libcdata" = xno], [ac_cv_libcdata=no], [ac_cv_libcdata=check dnl Check if the directory provided as parameter exists dnl For both --with-libcdata which returns "yes" and --with-libcdata= which returns "" dnl treat them as auto-detection. 
AS_IF( [test "x$ac_cv_with_libcdata" != x && test "x$ac_cv_with_libcdata" != xauto-detect && test "x$ac_cv_with_libcdata" != xyes], [AX_CHECK_LIB_DIRECTORY_EXISTS([libcdata])], [dnl Check for a pkg-config file AS_IF( [test "x$cross_compiling" != "xyes" && test "x$PKGCONFIG" != "x"], [PKG_CHECK_MODULES( [libcdata], [libcdata >= 20230108], [ac_cv_libcdata=yes], [ac_cv_libcdata=check]) ]) AS_IF( [test "x$ac_cv_libcdata" = xyes], [ac_cv_libcdata_CPPFLAGS="$pkg_cv_libcdata_CFLAGS" ac_cv_libcdata_LIBADD="$pkg_cv_libcdata_LIBS"]) ]) AS_IF( [test "x$ac_cv_libcdata" = xcheck], [dnl Check for headers AC_CHECK_HEADERS([libcdata.h]) AS_IF( [test "x$ac_cv_header_libcdata_h" = xno], [ac_cv_libcdata=no], [ac_cv_libcdata=yes AX_CHECK_LIB_FUNCTIONS( [libcdata], [cdata], [[libcdata_get_version], [libcdata_array_initialize], [libcdata_array_free], [libcdata_array_empty], [libcdata_array_clone], [libcdata_array_resize], [libcdata_array_reverse], [libcdata_array_get_number_of_entries], [libcdata_array_get_entry_by_index], [libcdata_array_get_entry_by_value], [libcdata_array_set_entry_by_index], [libcdata_array_prepend_entry], [libcdata_array_append_entry], [libcdata_array_insert_entry], [libcdata_array_remove_entry], [libcdata_btree_initialize], [libcdata_btree_free], [libcdata_btree_get_number_of_values], [libcdata_btree_get_value_by_index], [libcdata_btree_get_value_by_value], [libcdata_btree_insert_value], [libcdata_btree_replace_value], [libcdata_btree_remove_value], [libcdata_list_initialize], [libcdata_list_free], [libcdata_list_empty], [libcdata_list_clone], [libcdata_list_get_number_of_elements], [libcdata_list_get_first_element], [libcdata_list_get_last_element], [libcdata_list_get_element_by_index], [libcdata_list_get_value_by_index], [libcdata_list_prepend_element], [libcdata_list_prepend_value], [libcdata_list_append_element], [libcdata_list_append_value], [libcdata_list_insert_element], [libcdata_list_insert_element_with_existing], [libcdata_list_insert_value], 
[libcdata_list_insert_value_with_existing], [libcdata_list_remove_element], [libcdata_list_element_initialize], [libcdata_list_element_free], [libcdata_list_element_get_value], [libcdata_list_element_set_value], [libcdata_list_element_get_previous_element], [libcdata_list_element_set_previous_element], [libcdata_list_element_get_next_element], [libcdata_list_element_get_elements], [libcdata_list_element_set_elements], [libcdata_range_list_initialize], [libcdata_range_list_free], [libcdata_range_list_empty], [libcdata_range_list_clone], [libcdata_range_list_get_number_of_elements], [libcdata_range_list_insert_range], [libcdata_range_list_insert_range_list], [libcdata_range_list_remove_range], [libcdata_range_list_get_range_by_index], [libcdata_range_list_get_range_at_offset], [libcdata_range_list_range_is_present], [libcdata_range_list_range_has_overlapping_range], [libcdata_range_list_get_spanning_range], [libcdata_tree_node_initialize], [libcdata_tree_node_free], [libcdata_tree_node_empty], [libcdata_tree_node_clone], [libcdata_tree_node_get_value], [libcdata_tree_node_set_value], [libcdata_tree_node_get_parent_node], [libcdata_tree_node_set_parent_node], [libcdata_tree_node_get_previous_node], [libcdata_tree_node_set_previous_node], [libcdata_tree_node_get_next_node], [libcdata_tree_node_set_next_node], [libcdata_tree_node_get_nodes], [libcdata_tree_node_set_nodes], [libcdata_tree_node_append_node], [libcdata_tree_node_append_value], [libcdata_tree_node_insert_node], [libcdata_tree_node_insert_value], [libcdata_tree_node_replace_node], [libcdata_tree_node_remove_node], [libcdata_tree_node_get_number_of_sub_nodes], [libcdata_tree_node_get_sub_node_by_index], [libcdata_tree_node_get_leaf_node_list]]) ac_cv_libcdata_LIBADD="-lcdata"]) ]) AX_CHECK_LIB_DIRECTORY_MSG_ON_FAILURE([libcdata]) ]) AS_IF( [test "x$ac_cv_libcdata" = xyes], [AC_DEFINE( [HAVE_LIBCDATA], [1], [Define to 1 if you have the `cdata' library (-lcdata).]) ]) AS_IF( [test "x$ac_cv_libcdata" = xyes], 
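[AC_SUBST(
      [HAVE_LIBCDATA],
      [1])
    ],
    [AC_SUBST(
      [HAVE_LIBCDATA],
      [0])
    ])
  ])

dnl Function to detect if libcdata dependencies are available
dnl Selects the bundled copy: include and link paths point at ../libcdata
AC_DEFUN([AX_LIBCDATA_CHECK_LOCAL],
  [dnl No additional checks.

  ac_cv_libcdata_CPPFLAGS="-I../libcdata -I\$(top_srcdir)/libcdata";
  ac_cv_libcdata_LIBADD="../libcdata/libcdata.la";

  ac_cv_libcdata=local
  ])

dnl Function to detect how to enable libcdata
dnl Any result other than yes from the system-library check selects the bundled copy
AC_DEFUN([AX_LIBCDATA_CHECK_ENABLE],
  [AX_COMMON_ARG_WITH(
    [libcdata],
    [libcdata],
    [search for libcdata in includedir and libdir or in the specified DIR, or no if to use local version],
    [auto-detect],
    [DIR])

  dnl Check for a shared library version
  AX_LIBCDATA_CHECK_LIB

  dnl Check if the dependencies for the local library version
  AS_IF(
    [test "x$ac_cv_libcdata" != xyes],
    [AX_LIBCDATA_CHECK_LOCAL

    AC_DEFINE(
      [HAVE_LOCAL_LIBCDATA],
      [1],
      [Define to 1 if the local version of libcdata is used.])
    AC_SUBST(
      [HAVE_LOCAL_LIBCDATA],
      [1])
    ])

  AM_CONDITIONAL(
    [HAVE_LOCAL_LIBCDATA],
    [test "x$ac_cv_libcdata" = xlocal])
  AS_IF(
    [test "x$ac_cv_libcdata_CPPFLAGS" != "x"],
    [AC_SUBST(
      [LIBCDATA_CPPFLAGS],
      [$ac_cv_libcdata_CPPFLAGS])
    ])
  AS_IF(
    [test "x$ac_cv_libcdata_LIBADD" != "x"],
    [AC_SUBST(
      [LIBCDATA_LIBADD],
      [$ac_cv_libcdata_LIBADD])
    ])

  AS_IF(
    [test "x$ac_cv_libcdata" = xyes],
    [AC_SUBST(
      [ax_libcdata_pc_libs_private],
      [-lcdata])
    ])

  AS_IF(
    [test "x$ac_cv_libcdata" = xyes],
    [AC_SUBST(
      [ax_libcdata_spec_requires],
      [libcdata])
    AC_SUBST(
      [ax_libcdata_spec_build_requires],
      [libcdata-devel])
    ])
  ])

================================================
FILE: m4/libcdirectory.m4
================================================
dnl Checks for libcdirectory required headers and functions
dnl
dnl Version: 20240525

dnl Function to detect if libcdirectory is available
dnl ac_libcdirectory_dummy is used to prevent AC_CHECK_LIB adding unnecessary -l arguments
AC_DEFUN([AX_LIBCDIRECTORY_CHECK_LIB],
  [AS_IF(
    [test "x$ac_cv_enable_shared_libs" = xno || test "x$ac_cv_with_libcdirectory" = xno],
    [ac_cv_libcdirectory=no],
    [ac_cv_libcdirectory=check
    dnl Check if the directory provided as parameter exists
    dnl For both --with-libcdirectory which returns "yes" and --with-libcdirectory= which returns ""
    dnl treat them as auto-detection.
    AS_IF(
      [test "x$ac_cv_with_libcdirectory" != x && test "x$ac_cv_with_libcdirectory" != xauto-detect && test "x$ac_cv_with_libcdirectory" != xyes],
      [AX_CHECK_LIB_DIRECTORY_EXISTS([libcdirectory])],
      [dnl Check for a pkg-config file
      AS_IF(
        [test "x$cross_compiling" != "xyes" && test "x$PKGCONFIG" != "x"],
        [PKG_CHECK_MODULES(
          [libcdirectory],
          [libcdirectory >= 20120423],
          [ac_cv_libcdirectory=yes],
          [ac_cv_libcdirectory=check])
        ])
      dnl Reject an installed libcdirectory whose features.h does not report wide
      dnl character support while this build has it enabled.
      AS_IF(
        [test "x$ac_cv_libcdirectory" = xyes && test "x$ac_cv_enable_wide_character_type" != xno],
        [AC_CACHE_CHECK(
          [whether libcdirectory/features.h defines LIBCDIRECTORY_HAVE_WIDE_CHARACTER_TYPE as 1],
          [ac_cv_header_libcdirectory_features_h_have_wide_character_type],
          [AC_LANG_PUSH(C)
          dnl The include needs the header named in the check message above. With an
          dnl empty include the test program never compiles and the installed
          dnl library is always rejected.
          AC_COMPILE_IFELSE(
            [AC_LANG_PROGRAM(
              [[#include <libcdirectory/features.h>]],
              [[#if !defined( LIBCDIRECTORY_HAVE_WIDE_CHARACTER_TYPE ) || ( LIBCDIRECTORY_HAVE_WIDE_CHARACTER_TYPE != 1 )
#error LIBCDIRECTORY_HAVE_WIDE_CHARACTER_TYPE not defined
#endif]] )],
            [ac_cv_header_libcdirectory_features_h_have_wide_character_type=yes],
            [ac_cv_header_libcdirectory_features_h_have_wide_character_type=no])
          AC_LANG_POP(C)],
          [ac_cv_header_libcdirectory_features_h_have_wide_character_type=no])

        AS_IF(
          [test "x$ac_cv_header_libcdirectory_features_h_have_wide_character_type" = xno],
          [ac_cv_libcdirectory=no])
        ])

      AS_IF(
        [test "x$ac_cv_libcdirectory" = xyes],
        [ac_cv_libcdirectory_CPPFLAGS="$pkg_cv_libcdirectory_CFLAGS"
        ac_cv_libcdirectory_LIBADD="$pkg_cv_libcdirectory_LIBS"])
      ])

    dnl Still undecided: fall back to a header check plus a per-function link check
    AS_IF(
      [test "x$ac_cv_libcdirectory" = xcheck],
      [dnl Check for headers
      AC_CHECK_HEADERS([libcdirectory.h])

      AS_IF(
        [test "x$ac_cv_header_libcdirectory_h" = xno],
        [ac_cv_libcdirectory=no],
        [ac_cv_libcdirectory=yes

        AX_CHECK_LIB_FUNCTIONS(
          [libcdirectory],
          [cdirectory],
          [[libcdirectory_get_version],
           [libcdirectory_directory_initialize],
           [libcdirectory_directory_free],
           [libcdirectory_directory_open],
           [libcdirectory_directory_close],
           [libcdirectory_directory_read_entry],
           [libcdirectory_directory_has_entry],
           [libcdirectory_directory_entry_initialize],
           [libcdirectory_directory_entry_free],
           [libcdirectory_directory_entry_get_type],
           [libcdirectory_directory_entry_get_name]])

        AS_IF(
          [test "x$ac_cv_enable_wide_character_type" != xno],
          [AX_CHECK_LIB_FUNCTIONS(
            [libcdirectory],
            [cdirectory],
            [[libcdirectory_get_version],
             [libcdirectory_directory_open_wide],
             [libcdirectory_directory_has_entry_wide],
             [libcdirectory_directory_entry_get_name_wide]])
          ])

        ac_cv_libcdirectory_LIBADD="-lcdirectory"])
      ])

    AX_CHECK_LIB_DIRECTORY_MSG_ON_FAILURE([libcdirectory])
    ])

  AS_IF(
    [test "x$ac_cv_libcdirectory" = xyes],
    [AC_DEFINE(
      [HAVE_LIBCDIRECTORY],
      [1],
      [Define to 1 if you have the `cdirectory' library (-lcdirectory).])
    ])

  AS_IF(
    [test "x$ac_cv_libcdirectory" = xyes],
    [AC_SUBST(
      [HAVE_LIBCDIRECTORY],
      [1])
    ],
    [AC_SUBST(
      [HAVE_LIBCDIRECTORY],
      [0])
    ])
  ])

dnl Function to detect if libcdirectory dependencies are available
AC_DEFUN([AX_LIBCDIRECTORY_CHECK_LOCAL],
  [AS_IF(
    [test "x$ac_cv_enable_winapi" = xno],
    [dnl Headers included in libcdirectory/libcdirectory_directory.h
    AC_CHECK_HEADERS([dirent.h errno.h sys/stat.h])

    dnl Directory functions used in libcdirectory/libcdirectory_directory.h
    dnl NOTE(review): readdir_r is mandatory here although current glibc marks it
    dnl deprecated. Whether the bundled code can use readdir instead is not
    dnl visible from this file - confirm before relaxing the check.
    AC_CHECK_FUNCS([closedir opendir readdir_r])

    AS_IF(
      [test "x$ac_cv_func_closedir" != xyes],
      [AC_MSG_FAILURE(
        [Missing functions: closedir],
        [1])
      ])

    AS_IF(
      [test "x$ac_cv_func_opendir" != xyes],
      [AC_MSG_FAILURE(
        [Missing functions: opendir],
        [1])
      ])

    AS_IF(
      [test "x$ac_cv_func_readdir_r" != xyes],
      [AC_MSG_FAILURE(
        [Missing functions: readdir_r],
        [1])
      ])
    ])

  ac_cv_libcdirectory_CPPFLAGS="-I../libcdirectory -I\$(top_srcdir)/libcdirectory";
  ac_cv_libcdirectory_LIBADD="../libcdirectory/libcdirectory.la";

  ac_cv_libcdirectory=local
  ])

dnl Function to detect how to enable libcdirectory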
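AC_DEFUN([AX_LIBCDIRECTORY_CHECK_ENABLE],
  [AX_COMMON_ARG_WITH(
    [libcdirectory],
    [libcdirectory],
    [search for libcdirectory in includedir and libdir or in the specified DIR, or no if to use local version],
    [auto-detect],
    [DIR])

  dnl Check for a shared library version
  AX_LIBCDIRECTORY_CHECK_LIB

  dnl Check if the dependencies for the local library version
  dnl Any result other than yes from the check above selects the bundled copy
  AS_IF(
    [test "x$ac_cv_libcdirectory" != xyes],
    [AX_LIBCDIRECTORY_CHECK_LOCAL

    AC_DEFINE(
      [HAVE_LOCAL_LIBCDIRECTORY],
      [1],
      [Define to 1 if the local version of libcdirectory is used.])
    AC_SUBST(
      [HAVE_LOCAL_LIBCDIRECTORY],
      [1])
    ])

  AM_CONDITIONAL(
    [HAVE_LOCAL_LIBCDIRECTORY],
    [test "x$ac_cv_libcdirectory" = xlocal])
  AS_IF(
    [test "x$ac_cv_libcdirectory_CPPFLAGS" != "x"],
    [AC_SUBST(
      [LIBCDIRECTORY_CPPFLAGS],
      [$ac_cv_libcdirectory_CPPFLAGS])
    ])
  AS_IF(
    [test "x$ac_cv_libcdirectory_LIBADD" != "x"],
    [AC_SUBST(
      [LIBCDIRECTORY_LIBADD],
      [$ac_cv_libcdirectory_LIBADD])
    ])

  dnl Private link flag for the system library, presumably consumed by the
  dnl pkg-config template. It has to name libcdirectory itself, matching the
  dnl -lcdirectory value the library check uses for LIBADD.
  AS_IF(
    [test "x$ac_cv_libcdirectory" = xyes],
    [AC_SUBST(
      [ax_libcdirectory_pc_libs_private],
      [-lcdirectory])
    ])

  AS_IF(
    [test "x$ac_cv_libcdirectory" = xyes],
    [AC_SUBST(
      [ax_libcdirectory_spec_requires],
      [libcdirectory])
    AC_SUBST(
      [ax_libcdirectory_spec_build_requires],
      [libcdirectory-devel])
    ])
  ])

================================================
FILE: m4/libcerror.m4
================================================
dnl Checks for libcerror required headers and functions
dnl
dnl Version: 20240513

dnl Function to detect if libcerror is available
dnl ac_libcerror_dummy is used to prevent AC_CHECK_LIB adding unnecessary -l arguments
AC_DEFUN([AX_LIBCERROR_CHECK_LIB],
  [AS_IF(
    [test "x$ac_cv_enable_shared_libs" = xno || test "x$ac_cv_with_libcerror" = xno],
    [ac_cv_libcerror=no],
    [ac_cv_libcerror=check
    dnl Check if the directory provided as parameter exists
    dnl For both --with-libcerror which returns "yes" and --with-libcerror= which returns ""
    dnl treat them as auto-detection.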
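AS_IF(
      [test "x$ac_cv_with_libcerror" != x && test "x$ac_cv_with_libcerror" != xauto-detect && test "x$ac_cv_with_libcerror" != xyes],
      [AX_CHECK_LIB_DIRECTORY_EXISTS([libcerror])],
      [dnl Check for a pkg-config file
      AS_IF(
        [test "x$cross_compiling" != "xyes" && test "x$PKGCONFIG" != "x"],
        [PKG_CHECK_MODULES(
          [libcerror],
          [libcerror >= 20120425],
          [ac_cv_libcerror=yes],
          [ac_cv_libcerror=check])
        ])
      AS_IF(
        [test "x$ac_cv_libcerror" = xyes],
        [ac_cv_libcerror_CPPFLAGS="$pkg_cv_libcerror_CFLAGS"
        ac_cv_libcerror_LIBADD="$pkg_cv_libcerror_LIBS"])
      ])

    dnl Still undecided: fall back to a header check plus a per-function link check
    AS_IF(
      [test "x$ac_cv_libcerror" = xcheck],
      [dnl Check for headers
      AC_CHECK_HEADERS([libcerror.h])

      AS_IF(
        [test "x$ac_cv_header_libcerror_h" = xno],
        [ac_cv_libcerror=no],
        [ac_cv_libcerror=yes

        AX_CHECK_LIB_FUNCTIONS(
          [libcerror],
          [cerror],
          [[libcerror_get_version],
           [libcerror_error_free],
           [libcerror_error_set],
           [libcerror_error_matches],
           [libcerror_error_fprint],
           [libcerror_error_sprint],
           [libcerror_error_backtrace_fprint],
           [libcerror_error_backtrace_sprint],
           [libcerror_system_set_error]])

        ac_cv_libcerror_LIBADD="-lcerror"])
      ])

    AX_CHECK_LIB_DIRECTORY_MSG_ON_FAILURE([libcerror])
    ])

  AS_IF(
    [test "x$ac_cv_libcerror" = xyes],
    [AC_DEFINE(
      [HAVE_LIBCERROR],
      [1],
      [Define to 1 if you have the `cerror' library (-lcerror).])
    ])

  AS_IF(
    [test "x$ac_cv_libcerror" = xyes],
    [AC_SUBST(
      [HAVE_LIBCERROR],
      [1])
    ],
    [AC_SUBST(
      [HAVE_LIBCERROR],
      [0])
    ])
  ])

dnl Function to detect if libcerror dependencies are available
AC_DEFUN([AX_LIBCERROR_CHECK_LOCAL],
  [dnl Headers included in libcerror/libcerror_error.c
  AC_CHECK_HEADERS([stdarg.h varargs.h])

  AS_IF(
    [test "x$ac_cv_header_stdarg_h" != xyes && test "x$ac_cv_header_varargs_h" != xyes],
    [AC_MSG_FAILURE(
      [Missing headers: stdarg.h and varargs.h],
      [1])
    ])

  dnl Wide character string functions used in libcerror/libcerror_error.c
  AS_IF(
    [test "x$ac_cv_enable_wide_character_type" != xno],
    [AC_CHECK_FUNCS([wcstombs])

    AS_IF(
      [test "x$ac_cv_func_wcstombs" != xyes],
      [AC_MSG_FAILURE(
        [Missing function: wcstombs],
        [1])
      ])
    ])

  dnl Check for error string functions used in libcerror/libcerror_system.c
  dnl NOTE(review): when strerror_r is not declared the build accepts plain
  dnl strerror, which is not required to be thread-safe. How libcerror_system.c
  dnl uses the fallback is not visible from this file.
  AC_FUNC_STRERROR_R()

  AS_IF(
    [test "x$ac_cv_have_decl_strerror_r" != xyes],
    [AC_CHECK_FUNCS([strerror])

    AS_IF(
      [test "x$ac_cv_func_strerror" != xyes],
      [AC_MSG_FAILURE(
        [Missing functions: strerror_r and strerror],
        [1])
      ])
    ])

  ac_cv_libcerror_CPPFLAGS="-I../libcerror -I\$(top_srcdir)/libcerror";
  ac_cv_libcerror_LIBADD="../libcerror/libcerror.la";

  ac_cv_libcerror=local
  ])

dnl Function to detect how to enable libcerror
dnl Any result other than yes from the system-library check selects the bundled copy
AC_DEFUN([AX_LIBCERROR_CHECK_ENABLE],
  [AX_COMMON_ARG_WITH(
    [libcerror],
    [libcerror],
    [search for libcerror in includedir and libdir or in the specified DIR, or no if to use local version],
    [auto-detect],
    [DIR])

  dnl Check for a shared library version
  AX_LIBCERROR_CHECK_LIB

  dnl Check if the dependencies for the local library version
  AS_IF(
    [test "x$ac_cv_libcerror" != xyes],
    [AX_LIBCERROR_CHECK_LOCAL

    AC_DEFINE(
      [HAVE_LOCAL_LIBCERROR],
      [1],
      [Define to 1 if the local version of libcerror is used.])
    AC_SUBST(
      [HAVE_LOCAL_LIBCERROR],
      [1])
    ])

  AM_CONDITIONAL(
    [HAVE_LOCAL_LIBCERROR],
    [test "x$ac_cv_libcerror" = xlocal])
  AS_IF(
    [test "x$ac_cv_libcerror_CPPFLAGS" != "x"],
    [AC_SUBST(
      [LIBCERROR_CPPFLAGS],
      [$ac_cv_libcerror_CPPFLAGS])
    ])
  AS_IF(
    [test "x$ac_cv_libcerror_LIBADD" != "x"],
    [AC_SUBST(
      [LIBCERROR_LIBADD],
      [$ac_cv_libcerror_LIBADD])
    ])

  AS_IF(
    [test "x$ac_cv_libcerror" = xyes],
    [AC_SUBST(
      [ax_libcerror_pc_libs_private],
      [-lcerror])
    ])

  AS_IF(
    [test "x$ac_cv_libcerror" = xyes],
    [AC_SUBST(
      [ax_libcerror_spec_requires],
      [libcerror])
    AC_SUBST(
      [ax_libcerror_spec_build_requires],
      [libcerror-devel])
    ])
  ])

================================================
FILE: m4/libcfile.m4
================================================
dnl Checks for libcfile required headers and functions
dnl
dnl Version: 20240514

dnl Function to detect if libcfile is available
dnl ac_libcfile_dummy is used to prevent AC_CHECK_LIB adding unnecessary -l arguments
AC_DEFUN([AX_LIBCFILE_CHECK_LIB],
  [AS_IF(
    [test "x$ac_cv_enable_shared_libs" = xno || test "x$ac_cv_with_libcfile" = xno],
    [ac_cv_libcfile=no],
    [ac_cv_libcfile=check
    dnl Check if the directory provided as parameter exists
    dnl For both --with-libcfile which returns "yes" and --with-libcfile= which returns ""
    dnl treat them as auto-detection.
    AS_IF(
      [test "x$ac_cv_with_libcfile" != x && test "x$ac_cv_with_libcfile" != xauto-detect && test "x$ac_cv_with_libcfile" != xyes],
      [AX_CHECK_LIB_DIRECTORY_EXISTS([libcfile])],
      [dnl Check for a pkg-config file
      AS_IF(
        [test "x$cross_compiling" != "xyes" && test "x$PKGCONFIG" != "x"],
        [PKG_CHECK_MODULES(
          [libcfile],
          [libcfile >= 20160409],
          [ac_cv_libcfile=yes],
          [ac_cv_libcfile=check])
        ])
      dnl Reject an installed libcfile whose features.h does not report wide
      dnl character support while this build has it enabled.
      AS_IF(
        [test "x$ac_cv_libcfile" = xyes && test "x$ac_cv_enable_wide_character_type" != xno],
        [AC_CACHE_CHECK(
          [whether libcfile/features.h defines LIBCFILE_HAVE_WIDE_CHARACTER_TYPE as 1],
          [ac_cv_header_libcfile_features_h_have_wide_character_type],
          [AC_LANG_PUSH(C)
          dnl The include needs the header named in the check message above. With an
          dnl empty include the test program never compiles and the installed
          dnl library is always rejected.
          AC_COMPILE_IFELSE(
            [AC_LANG_PROGRAM(
              [[#include <libcfile/features.h>]],
              [[#if !defined( LIBCFILE_HAVE_WIDE_CHARACTER_TYPE ) || ( LIBCFILE_HAVE_WIDE_CHARACTER_TYPE != 1 )
#error LIBCFILE_HAVE_WIDE_CHARACTER_TYPE not defined
#endif]] )],
            [ac_cv_header_libcfile_features_h_have_wide_character_type=yes],
            [ac_cv_header_libcfile_features_h_have_wide_character_type=no])
          AC_LANG_POP(C)],
          [ac_cv_header_libcfile_features_h_have_wide_character_type=no])

        AS_IF(
          [test "x$ac_cv_header_libcfile_features_h_have_wide_character_type" = xno],
          [ac_cv_libcfile=no])
        ])

      AS_IF(
        [test "x$ac_cv_libcfile" = xyes],
        [ac_cv_libcfile_CPPFLAGS="$pkg_cv_libcfile_CFLAGS"
        ac_cv_libcfile_LIBADD="$pkg_cv_libcfile_LIBS"])
      ])

    dnl Still undecided: fall back to a header check plus a per-function link check
    AS_IF(
      [test "x$ac_cv_libcfile" = xcheck],
      [dnl Check for headers
      AC_CHECK_HEADERS([libcfile.h])

      AS_IF(
        [test "x$ac_cv_header_libcfile_h" = xno],
        [ac_cv_libcfile=no],
        [ac_cv_libcfile=yes

        AX_CHECK_LIB_FUNCTIONS(
          [libcfile],
          [cfile],
          [[libcfile_get_version],
           [libcfile_file_initialize],
           [libcfile_file_free],
           [libcfile_file_open],
           [libcfile_file_open_with_error_code],
           [libcfile_file_close],
           [libcfile_file_read_buffer],
           [libcfile_file_read_buffer_with_error_code],
           [libcfile_file_write_buffer],
           [libcfile_file_write_buffer_with_error_code],
           [libcfile_file_seek_offset],
           [libcfile_file_resize],
           [libcfile_file_is_open],
           [libcfile_file_get_offset],
           [libcfile_file_get_size],
           [libcfile_file_is_device],
           [libcfile_file_io_control_read],
           [libcfile_file_io_control_read_with_error_code],
           [libcfile_file_exists],
           [libcfile_file_remove]])

        AS_IF(
          [test "x$ac_cv_enable_wide_character_type" != xno],
          [AX_CHECK_LIB_FUNCTIONS(
            [libcfile],
            [cfile],
            [[libcfile_file_open_wide],
             [libcfile_file_open_wide_with_error_code],
             [libcfile_file_exists_wide],
             [libcfile_file_remove_wide]])
          ])

        ac_cv_libcfile_LIBADD="-lcfile"])
      ])

    AX_CHECK_LIB_DIRECTORY_MSG_ON_FAILURE([libcfile])
    ])

  AS_IF(
    [test "x$ac_cv_libcfile" = xyes],
    [AC_DEFINE(
      [HAVE_LIBCFILE],
      [1],
      [Define to 1 if you have the `cfile' library (-lcfile).])
    ])

  AS_IF(
    [test "x$ac_cv_libcfile" = xyes],
    [AC_SUBST(
      [HAVE_LIBCFILE],
      [1])
    ],
    [AC_SUBST(
      [HAVE_LIBCFILE],
      [0])
    ])
  ])

dnl Function to detect if posix_fadvise is available
dnl The link test runs with -Wall -Werror, so any compiler warning in the test
dnl program also turns the result into no.
AC_DEFUN([AX_LIBCFILE_CHECK_FUNC_POSIX_FADVISE],
  [AC_CHECK_FUNCS([posix_fadvise])

  AS_IF(
    [test "x$ac_cv_func_posix_fadvise" = xyes],
    [AC_MSG_CHECKING(
      [whether posix_fadvise can be linked])

    SAVE_CFLAGS="$CFLAGS"
    CFLAGS="$CFLAGS -Wall -Werror"
    AC_LANG_PUSH(C)

    dnl fcntl.h is the header that declares posix_fadvise. With an empty include
    dnl the call is undeclared and the -Werror link test cannot pass.
    AC_LINK_IFELSE(
      [AC_LANG_PROGRAM(
        [[#include <fcntl.h>]],
        [[#if !defined( POSIX_FADV_SEQUENTIAL )
#define POSIX_FADV_SEQUENTIAL 2
#endif
posix_fadvise( 0, 0, 0, POSIX_FADV_SEQUENTIAL )]] )],
      [ac_cv_func_posix_fadvise=yes],
      [ac_cv_func_posix_fadvise=no])

    AC_LANG_POP(C)
    CFLAGS="$SAVE_CFLAGS"

    AS_IF(
      [test "x$ac_cv_func_posix_fadvise" = xyes],
      [AC_MSG_RESULT(
        [yes])
      AC_DEFINE(
        [HAVE_POSIX_FADVISE],
        [1],
        [Define to 1 if you have the posix_fadvise function.])
      ],
      [AC_MSG_RESULT(
        [no])
      ])
    ])
  ])

dnl Function to detect if libcfile dependencies are available
AC_DEFUN([AX_LIBCFILE_CHECK_LOCAL],
  [dnl Headers included in libcfile/libcfile_file.c and libcfile/libcfile_support.c
  AC_CHECK_HEADERS([errno.h stdio.h sys/stat.h])

  dnl Headers included in libcfile/libcfile_file.c
  AC_CHECK_HEADERS([cygwin/fs.h fcntl.h linux/fs.h sys/disk.h sys/disklabel.h sys/ioctl.h unistd.h])

  dnl File input/output functions used in libcfile/libcfile_file.c
  AC_CHECK_FUNCS([close fstat ftruncate ioctl lseek open read write])

  AS_IF(
    [test "x$ac_cv_func_close" != xyes],
    [AC_MSG_FAILURE(
      [Missing function: close],
      [1])
    ])

  AX_LIBCFILE_CHECK_FUNC_POSIX_FADVISE

  AS_IF(
    [test "x$ac_cv_func_fstat" != xyes],
    [AC_MSG_FAILURE(
      [Missing function: fstat],
      [1])
    ])

  AS_IF(
    [test "x$ac_cv_func_ftruncate" != xyes],
    [AC_MSG_FAILURE(
      [Missing function: ftruncate],
      [1])
    ])

  dnl ioctl is only mandatory when the WINAPI build is disabled
  AS_IF(
    [test x"$ac_cv_enable_winapi" = xno],
    [AS_IF(
      [test "x$ac_cv_func_ioctl" != xyes],
      [AC_MSG_FAILURE(
        [Missing function: ioctl],
        [1])
      ])
    ])

  AS_IF(
    [test "x$ac_cv_func_lseek" != xyes],
    [AC_MSG_FAILURE(
      [Missing function: lseek],
      [1])
    ])

  AS_IF(
    [test "x$ac_cv_func_open" != xyes],
    [AC_MSG_FAILURE(
      [Missing function: open],
      [1])
    ])

  AS_IF(
    [test "x$ac_cv_func_read" != xyes],
    [AC_MSG_FAILURE(
      [Missing function: read],
      [1])
    ])

  AS_IF(
    [test "x$ac_cv_func_write" != xyes],
    [AC_MSG_FAILURE(
      [Missing function: write],
      [1])
    ])

  dnl File input/output functions used in libcfile/libcfile_support.c
  AC_CHECK_FUNCS([stat unlink])

  AS_IF(
    [test "x$ac_cv_func_stat" != xyes],
    [AC_MSG_FAILURE(
      [Missing function: stat],
      [1])
    ])

  AS_IF(
    [test "x$ac_cv_func_unlink" != xyes],
    [AC_MSG_FAILURE(
      [Missing function: unlink],
      [1])
    ])

  ac_cv_libcfile_CPPFLAGS="-I../libcfile -I\$(top_srcdir)/libcfile";
  ac_cv_libcfile_LIBADD="../libcfile/libcfile.la";

  ac_cv_libcfile=local
  ])

dnl Function to detect how to enable libcfile
dnl Any result other than yes from the system-library check selects the bundled copy
AC_DEFUN([AX_LIBCFILE_CHECK_ENABLE],
  [AX_COMMON_ARG_WITH(
    [libcfile],
    [libcfile],
    [search for libcfile in includedir and libdir or in the specified DIR, or no if to use local version],
    [auto-detect],
    [DIR])

  dnl Check for a shared library version
  AX_LIBCFILE_CHECK_LIB

  dnl Check if the dependencies for the local library version
  AS_IF(
    [test "x$ac_cv_libcfile" != xyes],
    [AX_LIBCFILE_CHECK_LOCAL

    AC_DEFINE(
      [HAVE_LOCAL_LIBCFILE],
      [1],
      [Define to 1 if the local version of libcfile is used.])
    AC_SUBST(
      [HAVE_LOCAL_LIBCFILE],
      [1])
    ])

  AM_CONDITIONAL(
    [HAVE_LOCAL_LIBCFILE],
    [test "x$ac_cv_libcfile" = xlocal])
  AS_IF(
    [test "x$ac_cv_libcfile_CPPFLAGS" != "x"],
    [AC_SUBST(
      [LIBCFILE_CPPFLAGS],
      [$ac_cv_libcfile_CPPFLAGS])
    ])
  AS_IF(
    [test "x$ac_cv_libcfile_LIBADD" != "x"],
    [AC_SUBST(
      [LIBCFILE_LIBADD],
      [$ac_cv_libcfile_LIBADD])
    ])

  AS_IF(
    [test "x$ac_cv_libcfile" = xyes],
    [AC_SUBST(
      [ax_libcfile_pc_libs_private],
      [-lcfile])
    ])

  AS_IF(
    [test "x$ac_cv_libcfile" = xyes],
    [AC_SUBST(
      [ax_libcfile_spec_requires],
      [libcfile])
    AC_SUBST(
      [ax_libcfile_spec_build_requires],
      [libcfile-devel])
    ])
  ])

================================================
FILE: m4/libclocale.m4
================================================
dnl Checks for libclocale required headers and functions
dnl
dnl Version: 20240513

dnl Function to detect if libclocale is available
dnl ac_libclocale_dummy is used to prevent AC_CHECK_LIB adding unnecessary -l arguments
AC_DEFUN([AX_LIBCLOCALE_CHECK_LIB],
  [AS_IF(
    [test "x$ac_cv_enable_shared_libs" = xno || test "x$ac_cv_with_libclocale" = xno],
    [ac_cv_libclocale=no],
    [ac_cv_libclocale=check
    dnl Check if the directory provided as parameter exists
    dnl For both --with-libclocale which returns "yes" and --with-libclocale= which returns ""
    dnl treat them as auto-detection.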
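AS_IF(
      [test "x$ac_cv_with_libclocale" != x && test "x$ac_cv_with_libclocale" != xauto-detect && test "x$ac_cv_with_libclocale" != xyes],
      [AX_CHECK_LIB_DIRECTORY_EXISTS([libclocale])],
      [dnl Check for a pkg-config file
      AS_IF(
        [test "x$cross_compiling" != "xyes" && test "x$PKGCONFIG" != "x"],
        [PKG_CHECK_MODULES(
          [libclocale],
          [libclocale >= 20120425],
          [ac_cv_libclocale=yes],
          [ac_cv_libclocale=check])
        ])
      dnl Reject an installed libclocale whose features.h does not report wide
      dnl character support while this build has it enabled.
      AS_IF(
        [test "x$ac_cv_libclocale" = xyes && test "x$ac_cv_enable_wide_character_type" != xno],
        [AC_CACHE_CHECK(
          [whether libclocale/features.h defines LIBCLOCALE_HAVE_WIDE_CHARACTER_TYPE as 1],
          [ac_cv_header_libclocale_features_h_have_wide_character_type],
          [AC_LANG_PUSH(C)
          dnl The include needs the header named in the check message above. With an
          dnl empty include the test program never compiles and the installed
          dnl library is always rejected.
          AC_COMPILE_IFELSE(
            [AC_LANG_PROGRAM(
              [[#include <libclocale/features.h>]],
              [[#if !defined( LIBCLOCALE_HAVE_WIDE_CHARACTER_TYPE ) || ( LIBCLOCALE_HAVE_WIDE_CHARACTER_TYPE != 1 )
#error LIBCLOCALE_HAVE_WIDE_CHARACTER_TYPE not defined
#endif]] )],
            [ac_cv_header_libclocale_features_h_have_wide_character_type=yes],
            [ac_cv_header_libclocale_features_h_have_wide_character_type=no])
          AC_LANG_POP(C)],
          [ac_cv_header_libclocale_features_h_have_wide_character_type=no])

        AS_IF(
          [test "x$ac_cv_header_libclocale_features_h_have_wide_character_type" = xno],
          [ac_cv_libclocale=no])
        ])

      AS_IF(
        [test "x$ac_cv_libclocale" = xyes],
        [ac_cv_libclocale_CPPFLAGS="$pkg_cv_libclocale_CFLAGS"
        ac_cv_libclocale_LIBADD="$pkg_cv_libclocale_LIBS"])
      ])

    dnl Still undecided: fall back to a header check plus a per-function link check
    AS_IF(
      [test "x$ac_cv_libclocale" = xcheck],
      [dnl Check for headers
      AC_CHECK_HEADERS([libclocale.h])

      AS_IF(
        [test "x$ac_cv_header_libclocale_h" = xno],
        [ac_cv_libclocale=no],
        [ac_cv_libclocale=yes

        AX_CHECK_LIB_FUNCTIONS(
          [libclocale],
          [clocale],
          [[libclocale_get_version],
           [libclocale_codepage],
           [libclocale_codepage_get],
           [libclocale_codepage_set],
           [libclocale_codepage_copy_from_string],
           [libclocale_locale_get_codepage],
           [libclocale_locale_get_decimal_point],
           [libclocale_initialize]])

        dnl The wide variant is probed with a direct library check; the dummy
        dnl variable on success keeps it from adding another -l argument.
        AS_IF(
          [test "x$ac_cv_enable_wide_character_type" != xno],
          [AC_CHECK_LIB(
            clocale,
            libclocale_codepage_copy_from_string_wide,
            [ac_cv_libclocale_dummy=yes],
            [ac_cv_libclocale=no])
          ])

        ac_cv_libclocale_LIBADD="-lclocale"])
      ])

    AX_CHECK_LIB_DIRECTORY_MSG_ON_FAILURE([libclocale])
    ])

  AS_IF(
    [test "x$ac_cv_libclocale" = xyes],
    [AC_DEFINE(
      [HAVE_LIBCLOCALE],
      [1],
      [Define to 1 if you have the `clocale' library (-lclocale).])
    ])

  AS_IF(
    [test "x$ac_cv_libclocale" = xyes],
    [AC_SUBST(
      [HAVE_LIBCLOCALE],
      [1])
    ],
    [AC_SUBST(
      [HAVE_LIBCLOCALE],
      [0])
    ])
  ])

dnl Function to detect whether nl_langinfo supports CODESET
AC_DEFUN([AX_LIBCLOCALE_CHECK_FUNC_LANGINFO_CODESET],
  [AC_CHECK_FUNCS([nl_langinfo])

  AS_IF(
    [test "x$ac_cv_func_nl_langinfo" = xyes],
    [AC_CACHE_CHECK(
      [for nl_langinfo CODESET support],
      [ac_cv_cv_langinfo_codeset],
      [AC_LANG_PUSH(C)
      dnl langinfo.h declares nl_langinfo and CODESET. With an empty include the
      dnl test program cannot compile and CODESET support is never detected.
      AC_LINK_IFELSE(
        [AC_LANG_PROGRAM(
          [[#include <langinfo.h>]],
          [[char* charset = nl_langinfo( CODESET );]] )],
        [ac_cv_cv_langinfo_codeset=yes],
        [ac_cv_cv_langinfo_codeset=no])
      AC_LANG_POP(C)
      ])
    ],
    [ac_cv_cv_langinfo_codeset=no])

  AS_IF(
    [test "x$ac_cv_cv_langinfo_codeset" = xyes],
    [AC_DEFINE(
      [HAVE_LANGINFO_CODESET],
      [1],
      [Define if nl_langinfo has CODESET support.])
    ])
  ])

dnl Function to detect if libclocale dependencies are available
AC_DEFUN([AX_LIBCLOCALE_CHECK_LOCAL],
  [dnl Headers included in libclocale/libclocale_locale.c
  AC_CHECK_HEADERS([langinfo.h locale.h])

  dnl Check for environment functions in libclocale/libclocale_locale.c
  AC_CHECK_FUNCS([getenv])

  AS_IF(
    [test "x$ac_cv_func_getenv" != xyes],
    [AC_MSG_FAILURE(
      [Missing function: getenv],
      [1])
    ])

  dnl Check for localization functions in libclocale/libclocale_locale.c
  AS_IF(
    [test "x$ac_cv_enable_winapi" = xno],
    [AC_CHECK_FUNCS([localeconv])

    AS_IF(
      [test "x$ac_cv_func_localeconv" != xyes],
      [AC_MSG_FAILURE(
        [Missing function: localeconv],
        [1])
      ])
    ])

  AC_CHECK_FUNCS([setlocale])

  AS_IF(
    [test "x$ac_cv_func_setlocale" != xyes],
    [AC_MSG_FAILURE(
      [Missing function: setlocale],
      [1])
    ])

  AX_LIBCLOCALE_CHECK_FUNC_LANGINFO_CODESET

  ac_cv_libclocale_CPPFLAGS="-I../libclocale -I\$(top_srcdir)/libclocale";
  ac_cv_libclocale_LIBADD="../libclocale/libclocale.la";

  ac_cv_libclocale=local
  ])

dnl Function to detect how to enable libclocale
dnl Any result other than yes from the system-library check selects the bundled copy
AC_DEFUN([AX_LIBCLOCALE_CHECK_ENABLE],
  [AX_COMMON_ARG_WITH(
    [libclocale],
    [libclocale],
    [search for libclocale in includedir and libdir or in the specified DIR, or no if to use local version],
    [auto-detect],
    [DIR])

  dnl Check for a shared library version
  AX_LIBCLOCALE_CHECK_LIB

  dnl Check if the dependencies for the local library version
  AS_IF(
    [test "x$ac_cv_libclocale" != xyes],
    [AX_LIBCLOCALE_CHECK_LOCAL

    AC_DEFINE(
      [HAVE_LOCAL_LIBCLOCALE],
      [1],
      [Define to 1 if the local version of libclocale is used.])
    AC_SUBST(
      [HAVE_LOCAL_LIBCLOCALE],
      [1])
    ])

  AM_CONDITIONAL(
    [HAVE_LOCAL_LIBCLOCALE],
    [test "x$ac_cv_libclocale" = xlocal])
  AS_IF(
    [test "x$ac_cv_libclocale_CPPFLAGS" != "x"],
    [AC_SUBST(
      [LIBCLOCALE_CPPFLAGS],
      [$ac_cv_libclocale_CPPFLAGS])
    ])
  AS_IF(
    [test "x$ac_cv_libclocale_LIBADD" != "x"],
    [AC_SUBST(
      [LIBCLOCALE_LIBADD],
      [$ac_cv_libclocale_LIBADD])
    ])

  AS_IF(
    [test "x$ac_cv_libclocale" = xyes],
    [AC_SUBST(
      [ax_libclocale_pc_libs_private],
      [-lclocale])
    ])

  AS_IF(
    [test "x$ac_cv_libclocale" = xyes],
    [AC_SUBST(
      [ax_libclocale_spec_requires],
      [libclocale])
    AC_SUBST(
      [ax_libclocale_spec_build_requires],
      [libclocale-devel])
    ])
  ])

================================================
FILE: m4/libcnotify.m4
================================================
dnl Checks for libcnotify required headers and functions
dnl
dnl Version: 20240513

dnl Function to detect if libcnotify is available
dnl ac_libcnotify_dummy is used to prevent AC_CHECK_LIB adding unnecessary -l arguments
AC_DEFUN([AX_LIBCNOTIFY_CHECK_LIB],
  [AS_IF(
    [test "x$ac_cv_enable_shared_libs" = xno || test "x$ac_cv_with_libcnotify" = xno],
    [ac_cv_libcnotify=no],
    [ac_cv_libcnotify=check
    dnl Check if the directory provided as parameter exists
    dnl For both --with-libcnotify which returns "yes" and --with-libcnotify= which returns ""
    dnl treat them as auto-detection.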
AS_IF(
      [test "x$ac_cv_with_libcnotify" != x && test "x$ac_cv_with_libcnotify" != xauto-detect && test "x$ac_cv_with_libcnotify" != xyes],
      [AX_CHECK_LIB_DIRECTORY_EXISTS([libcnotify])],
      [dnl Check for a pkg-config file
      dnl pkg-config is only consulted for native builds with PKGCONFIG set
      AS_IF(
        [test "x$cross_compiling" != "xyes" && test "x$PKGCONFIG" != "x"],
        [PKG_CHECK_MODULES(
          [libcnotify],
          [libcnotify >= 20120425],
          [ac_cv_libcnotify=yes],
          [ac_cv_libcnotify=check])
        ])
      AS_IF(
        [test "x$ac_cv_libcnotify" = xyes],
        [ac_cv_libcnotify_CPPFLAGS="$pkg_cv_libcnotify_CFLAGS"
        ac_cv_libcnotify_LIBADD="$pkg_cv_libcnotify_LIBS"])
      ])

    dnl Still undecided: fall back to a header check plus a per-function link check
    AS_IF(
      [test "x$ac_cv_libcnotify" = xcheck],
      [dnl Check for headers
      AC_CHECK_HEADERS([libcnotify.h])

      AS_IF(
        [test "x$ac_cv_header_libcnotify_h" = xno],
        [ac_cv_libcnotify=no],
        [ac_cv_libcnotify=yes

        AX_CHECK_LIB_FUNCTIONS(
          [libcnotify],
          [cnotify],
          [[libcnotify_get_version],
           [libcnotify_printf],
           [libcnotify_print_data],
           [libcnotify_print_error_backtrace],
           [libcnotify_stream_set],
           [libcnotify_stream_open],
           [libcnotify_stream_close],
           [libcnotify_verbose_set]])

        ac_cv_libcnotify_LIBADD="-lcnotify"])
      ])

    AX_CHECK_LIB_DIRECTORY_MSG_ON_FAILURE([libcnotify])
    ])

  dnl Publish the result as a config.h define and as a substitution variable
  AS_IF(
    [test "x$ac_cv_libcnotify" = xyes],
    [AC_DEFINE(
      [HAVE_LIBCNOTIFY],
      [1],
      [Define to 1 if you have the `cnotify' library (-lcnotify).])
    ])

  AS_IF(
    [test "x$ac_cv_libcnotify" = xyes],
    [AC_SUBST(
      [HAVE_LIBCNOTIFY],
      [1])
    ],
    [AC_SUBST(
      [HAVE_LIBCNOTIFY],
      [0])
    ])
  ])

dnl Function to detect if libcnotify dependencies are available
dnl Selects the bundled copy: include and link paths point at ../libcnotify
AC_DEFUN([AX_LIBCNOTIFY_CHECK_LOCAL],
  [dnl Headers included in libcnotify/libcnotify_print.c
  AC_CHECK_HEADERS([stdarg.h varargs.h])

  dnl Either stdarg.h or varargs.h is sufficient; configure fails only when both are missing
  AS_IF(
    [test "x$ac_cv_header_stdarg_h" != xyes && test "x$ac_cv_header_varargs_h" != xyes],
    [AC_MSG_FAILURE(
      [Missing headers: stdarg.h and varargs.h],
      [1])
    ])

  dnl Headers included in libcnotify/libcnotify_stream.c
  AC_CHECK_HEADERS([errno.h])

  ac_cv_libcnotify_CPPFLAGS="-I../libcnotify -I\$(top_srcdir)/libcnotify";
  ac_cv_libcnotify_LIBADD="../libcnotify/libcnotify.la";

  ac_cv_libcnotify=local
  ])

dnl Function to detect how to enable libcnotify
dnl Any result other than yes from the system-library check selects the bundled copy
AC_DEFUN([AX_LIBCNOTIFY_CHECK_ENABLE],
  [AX_COMMON_ARG_WITH(
    [libcnotify],
    [libcnotify],
    [search for libcnotify in includedir and libdir or in the specified DIR, or no if to use local version],
    [auto-detect],
    [DIR])

  dnl Check for a shared library version
  AX_LIBCNOTIFY_CHECK_LIB

  dnl Check if the dependencies for the local library version
  AS_IF(
    [test "x$ac_cv_libcnotify" != xyes],
    [AX_LIBCNOTIFY_CHECK_LOCAL

    AC_DEFINE(
      [HAVE_LOCAL_LIBCNOTIFY],
      [1],
      [Define to 1 if the local version of libcnotify is used.])
    AC_SUBST(
      [HAVE_LOCAL_LIBCNOTIFY],
      [1])
    ])

  AM_CONDITIONAL(
    [HAVE_LOCAL_LIBCNOTIFY],
    [test "x$ac_cv_libcnotify" = xlocal])
  dnl Export the flags only when one of the checks above set them
  AS_IF(
    [test "x$ac_cv_libcnotify_CPPFLAGS" != "x"],
    [AC_SUBST(
      [LIBCNOTIFY_CPPFLAGS],
      [$ac_cv_libcnotify_CPPFLAGS])
    ])
  AS_IF(
    [test "x$ac_cv_libcnotify_LIBADD" != "x"],
    [AC_SUBST(
      [LIBCNOTIFY_LIBADD],
      [$ac_cv_libcnotify_LIBADD])
    ])

  dnl Packaging metadata is only emitted when the system library is used
  AS_IF(
    [test "x$ac_cv_libcnotify" = xyes],
    [AC_SUBST(
      [ax_libcnotify_pc_libs_private],
      [-lcnotify])
    ])

  AS_IF(
    [test "x$ac_cv_libcnotify" = xyes],
    [AC_SUBST(
      [ax_libcnotify_spec_requires],
      [libcnotify])
    AC_SUBST(
      [ax_libcnotify_spec_build_requires],
      [libcnotify-devel])
    ])
  ])

================================================
FILE: m4/libcpath.m4
================================================
dnl Checks for libcpath required headers and functions
dnl
dnl Version: 20240518

dnl Function to detect if libcpath is available
dnl ac_libcpath_dummy is used to prevent AC_CHECK_LIB adding unnecessary -l arguments
AC_DEFUN([AX_LIBCPATH_CHECK_LIB],
  [AS_IF(
    [test "x$ac_cv_enable_shared_libs" = xno || test "x$ac_cv_with_libcpath" = xno],
    [ac_cv_libcpath=no],
    [ac_cv_libcpath=check
    dnl Check if the directory provided as parameter exists
    dnl For both --with-libcpath which returns "yes" and --with-libcpath= which returns ""
    dnl treat them as auto-detection.
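AS_IF(
      [test "x$ac_cv_with_libcpath" != x && test "x$ac_cv_with_libcpath" != xauto-detect && test "x$ac_cv_with_libcpath" != xyes],
      [AX_CHECK_LIB_DIRECTORY_EXISTS([libcpath])],
      [dnl Check for a pkg-config file
      AS_IF(
        [test "x$cross_compiling" != "xyes" && test "x$PKGCONFIG" != "x"],
        [PKG_CHECK_MODULES(
          [libcpath],
          [libcpath >= 20180716],
          [ac_cv_libcpath=yes],
          [ac_cv_libcpath=check])
        ])
      dnl Reject an installed libcpath whose features.h does not report wide
      dnl character support while this build has it enabled.
      AS_IF(
        [test "x$ac_cv_libcpath" = xyes && test "x$ac_cv_enable_wide_character_type" != xno],
        [AC_CACHE_CHECK(
          [whether libcpath/features.h defines LIBCPATH_HAVE_WIDE_CHARACTER_TYPE as 1],
          [ac_cv_header_libcpath_features_h_have_wide_character_type],
          [AC_LANG_PUSH(C)
          dnl The include needs the header named in the check message above. With an
          dnl empty include the test program never compiles and the installed
          dnl library is always rejected.
          AC_COMPILE_IFELSE(
            [AC_LANG_PROGRAM(
              [[#include <libcpath/features.h>]],
              [[#if !defined( LIBCPATH_HAVE_WIDE_CHARACTER_TYPE ) || ( LIBCPATH_HAVE_WIDE_CHARACTER_TYPE != 1 )
#error LIBCPATH_HAVE_WIDE_CHARACTER_TYPE not defined
#endif]] )],
            [ac_cv_header_libcpath_features_h_have_wide_character_type=yes],
            [ac_cv_header_libcpath_features_h_have_wide_character_type=no])
          AC_LANG_POP(C)],
          [ac_cv_header_libcpath_features_h_have_wide_character_type=no])

        AS_IF(
          [test "x$ac_cv_header_libcpath_features_h_have_wide_character_type" = xno],
          [ac_cv_libcpath=no])
        ])

      AS_IF(
        [test "x$ac_cv_libcpath" = xyes],
        [ac_cv_libcpath_CPPFLAGS="$pkg_cv_libcpath_CFLAGS"
        ac_cv_libcpath_LIBADD="$pkg_cv_libcpath_LIBS"])
      ])

    dnl Still undecided: fall back to a header check plus a per-function link check
    AS_IF(
      [test "x$ac_cv_libcpath" = xcheck],
      [dnl Check for headers
      AC_CHECK_HEADERS([libcpath.h])

      AS_IF(
        [test "x$ac_cv_header_libcpath_h" = xno],
        [ac_cv_libcpath=no],
        [ac_cv_libcpath=yes

        AX_CHECK_LIB_FUNCTIONS(
          [libcpath],
          [cpath],
          [[libcpath_get_version],
           [libcpath_path_change_directory],
           [libcpath_path_get_current_working_directory],
           [libcpath_path_get_full_path],
           [libcpath_path_get_sanitized_filename],
           [libcpath_path_get_sanitized_path],
           [libcpath_path_join],
           [libcpath_path_make_directory]])

        AS_IF(
          [test "x$ac_cv_enable_wide_character_type" != xno],
          [AX_CHECK_LIB_FUNCTIONS(
            [libcpath],
            [cpath],
            [[libcpath_path_change_directory_wide],
             [libcpath_path_get_current_working_directory_wide],
             [libcpath_path_get_full_path_wide],
             [libcpath_path_get_sanitized_filename_wide],
             [libcpath_path_get_sanitized_path_wide],
             [libcpath_path_join_wide],
             [libcpath_path_make_directory_wide]])
          ])

        ac_cv_libcpath_LIBADD="-lcpath"])
      ])

    AX_CHECK_LIB_DIRECTORY_MSG_ON_FAILURE([libcpath])
    ])

  AS_IF(
    [test "x$ac_cv_libcpath" = xyes],
    [AC_DEFINE(
      [HAVE_LIBCPATH],
      [1],
      [Define to 1 if you have the `cpath' library (-lcpath).])
    ])

  AS_IF(
    [test "x$ac_cv_libcpath" = xyes],
    [AC_SUBST(
      [HAVE_LIBCPATH],
      [1])
    ],
    [AC_SUBST(
      [HAVE_LIBCPATH],
      [0])
    ])
  ])

dnl Function to detect if mkdir is available
dnl Also checks how to use mkdir
dnl HAVE_MKDIR_MODE records whether mkdir accepts a permission mode argument.
dnl Which mode the library passes is decided in the C sources and not here.
AC_DEFUN([AX_LIBCPATH_CHECK_FUNC_MKDIR],
  [AC_CHECK_FUNCS([mkdir])

  AS_IF(
    [test "x$ac_cv_func_mkdir" = xyes],
    [AC_MSG_CHECKING(
      [how to use mkdir])

    dnl Both probes link with -Wall -Werror, so a wrong prototype or any other
    dnl warning makes the probe fail.
    SAVE_CFLAGS="$CFLAGS"
    CFLAGS="$CFLAGS -Wall -Werror"
    AC_LANG_PUSH(C)

    dnl sys/stat.h declares the two argument mkdir on POSIX systems. With empty
    dnl includes neither probe can pass and configure stops with the
    dnl missing mkdir failure below.
    AC_LINK_IFELSE(
      [AC_LANG_PROGRAM(
        [[#include <sys/stat.h>
#include <sys/types.h>]],
        [[mkdir( "", 0 )]] )],
      [AC_MSG_RESULT(
        [with additional mode argument])
      ac_cv_cv_mkdir_mode=yes],
      [ac_cv_cv_mkdir_mode=no])

    dnl NOTE(review): io.h is assumed to be the header for the single argument
    dnl form on Windows toolchains - confirm against the upstream libcpath.m4.
    AS_IF(
      [test "x$ac_cv_cv_mkdir_mode" = xno],
      [AC_LINK_IFELSE(
        [AC_LANG_PROGRAM(
          [[#include <io.h>]],
          [[mkdir( "" )]] )],
        [AC_MSG_RESULT(
          [with single argument])
        ac_cv_cv_mkdir=yes],
        [ac_cv_cv_mkdir=no])
      ])

    AC_LANG_POP(C)
    CFLAGS="$SAVE_CFLAGS"

    AS_IF(
      [test "x$ac_cv_cv_mkdir_mode" = xno && test "x$ac_cv_cv_mkdir" = xno],
      [AC_MSG_WARN(
        [unknown])
      ac_cv_func_mkdir=no])

    AS_IF(
      [test "x$ac_cv_func_mkdir" = xyes],
      [AC_DEFINE(
        [HAVE_MKDIR],
        [1],
        [Define to 1 if you have the mkdir function.])
      ])

    AS_IF(
      [test "x$ac_cv_cv_mkdir_mode" = xyes],
      [AC_DEFINE(
        [HAVE_MKDIR_MODE],
        [1],
        [Define to 1 if you have the mkdir function with a second mode argument.])
      ])
    ])

  AS_IF(
    [test "x$ac_cv_func_mkdir" = xno],
    [AC_MSG_FAILURE(
      [Missing function: mkdir],
      [1])
    ])
  ])

dnl Function to detect if libcpath dependencies are available
AC_DEFUN([AX_LIBCPATH_CHECK_LOCAL],
  [dnl Headers included in libcpath/libcpath_path.h
  AC_CHECK_HEADERS([errno.h sys/stat.h sys/syslimits.h])

  dnl Path functions used in libcpath/libcpath_path.h
  AC_CHECK_FUNCS([chdir getcwd])

  AS_IF(
    [test "x$ac_cv_func_chdir" != xyes],
    [AC_MSG_FAILURE(
      [Missing functions: chdir],
      [1])
    ])

  AS_IF(
    [test "x$ac_cv_func_getcwd" != xyes],
    [AC_MSG_FAILURE(
      [Missing functions: getcwd],
      [1])
    ])

  AX_LIBCPATH_CHECK_FUNC_MKDIR

  ac_cv_libcpath_CPPFLAGS="-I../libcpath -I\$(top_srcdir)/libcpath";
  ac_cv_libcpath_LIBADD="../libcpath/libcpath.la";

  ac_cv_libcpath=local
  ])

dnl Function to detect how to enable libcpath
dnl Any result other than yes from the system-library check selects the bundled copy
AC_DEFUN([AX_LIBCPATH_CHECK_ENABLE],
  [AX_COMMON_ARG_WITH(
    [libcpath],
    [libcpath],
    [search for libcpath in includedir and libdir or in the specified DIR, or no if to use local version],
    [auto-detect],
    [DIR])

  dnl Check for a shared library version
  AX_LIBCPATH_CHECK_LIB

  dnl Check if the dependencies for the local library version
  AS_IF(
    [test "x$ac_cv_libcpath" != xyes],
    [AX_LIBCPATH_CHECK_LOCAL

    AC_DEFINE(
      [HAVE_LOCAL_LIBCPATH],
      [1],
      [Define to 1 if the local version of libcpath is used.])
    AC_SUBST(
      [HAVE_LOCAL_LIBCPATH],
      [1])
    ])

  AM_CONDITIONAL(
    [HAVE_LOCAL_LIBCPATH],
    [test "x$ac_cv_libcpath" = xlocal])
  AS_IF(
    [test "x$ac_cv_libcpath_CPPFLAGS" != "x"],
    [AC_SUBST(
      [LIBCPATH_CPPFLAGS],
      [$ac_cv_libcpath_CPPFLAGS])
    ])
  AS_IF(
    [test "x$ac_cv_libcpath_LIBADD" != "x"],
    [AC_SUBST(
      [LIBCPATH_LIBADD],
      [$ac_cv_libcpath_LIBADD])
    ])

  AS_IF(
    [test "x$ac_cv_libcpath" = xyes],
    [AC_SUBST(
      [ax_libcpath_pc_libs_private],
      [-lcpath])
    ])

  AS_IF(
    [test "x$ac_cv_libcpath" = xyes],
    [AC_SUBST(
      [ax_libcpath_spec_requires],
      [libcpath])
    AC_SUBST(
      [ax_libcpath_spec_build_requires],
      [libcpath-devel])
    ])
  ])

================================================
FILE: m4/libcsplit.m4
================================================
dnl Checks for libcsplit required headers and functions
dnl
dnl Version: 20240513

dnl Function to detect if libcsplit is available
dnl ac_libcsplit_dummy is used to prevent AC_CHECK_LIB adding unnecessary -l arguments
AC_DEFUN([AX_LIBCSPLIT_CHECK_LIB],
  [AS_IF(
    [test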
"x$ac_cv_enable_shared_libs" = xno || test "x$ac_cv_with_libcsplit" = xno], [ac_cv_libcsplit=no], [ac_cv_libcsplit=check dnl Check if the directory provided as parameter exists dnl For both --with-libcsplit which returns "yes" and --with-libcsplit= which returns "" dnl treat them as auto-detection. AS_IF( [test "x$ac_cv_with_libcsplit" != x && test "x$ac_cv_with_libcsplit" != xauto-detect && test "x$ac_cv_with_libcsplit" != xyes], [AX_CHECK_LIB_DIRECTORY_EXISTS([libcsplit])], [dnl Check for a pkg-config file AS_IF( [test "x$cross_compiling" != "xyes" && test "x$PKGCONFIG" != "x"], [PKG_CHECK_MODULES( [libcsplit], [libcsplit >= 20120701], [ac_cv_libcsplit=yes], [ac_cv_libcsplit=check]) ]) AS_IF( [test "x$ac_cv_libcsplit" = xyes && test "x$ac_cv_enable_wide_character_type" != xno], [AC_CACHE_CHECK( [whether libcsplit/features.h defines LIBCSPLIT_HAVE_WIDE_CHARACTER_TYPE as 1], [ac_cv_header_libcsplit_features_h_have_wide_character_type], [AC_LANG_PUSH(C) AC_COMPILE_IFELSE( [AC_LANG_PROGRAM( [[#include ]], [[#if !defined( LIBCSPLIT_HAVE_WIDE_CHARACTER_TYPE ) || ( LIBCSPLIT_HAVE_WIDE_CHARACTER_TYPE != 1 ) #error LIBCSPLIT_HAVE_WIDE_CHARACTER_TYPE not defined #endif]] )], [ac_cv_header_libcsplit_features_h_have_wide_character_type=yes], [ac_cv_header_libcsplit_features_h_have_wide_character_type=no]) AC_LANG_POP(C)], [ac_cv_header_libcsplit_features_h_have_wide_character_type=no]) AS_IF( [test "x$ac_cv_header_libcsplit_features_h_have_wide_character_type" = xno], [ac_cv_libcsplit=no]) ]) AS_IF( [test "x$ac_cv_libcsplit" = xyes], [ac_cv_libcsplit_CPPFLAGS="$pkg_cv_libcsplit_CFLAGS" ac_cv_libcsplit_LIBADD="$pkg_cv_libcsplit_LIBS"]) ]) AS_IF( [test "x$ac_cv_libcsplit" = xcheck], [dnl Check for headers AC_CHECK_HEADERS([libcsplit.h]) AS_IF( [test "x$ac_cv_header_libcsplit_h" = xno], [ac_cv_libcsplit=no], [ac_cv_libcsplit=yes AX_CHECK_LIB_FUNCTIONS( [libcsplit], [csplit], [[libcsplit_get_version], [libcsplit_narrow_string_split], [libcsplit_narrow_split_string_free], 
[libcsplit_narrow_split_string_get_string], [libcsplit_narrow_split_string_get_number_of_segments], [libcsplit_narrow_split_string_get_segment_by_index], [libcsplit_narrow_split_string_set_segment_by_index]]) dnl Wide string functions AS_IF( [test "x$ac_cv_enable_wide_character_type" != xno], [AX_CHECK_LIB_FUNCTIONS( [libcsplit], [csplit], [[libcsplit_wide_string_split], [libcsplit_wide_split_string_free], [libcsplit_wide_split_string_get_string], [libcsplit_wide_split_string_get_number_of_segments], [libcsplit_wide_split_string_get_segment_by_index], [libcsplit_wide_split_string_set_segment_by_index]]) ]) ac_cv_libcsplit_LIBADD="-lcsplit"]) ]) AX_CHECK_LIB_DIRECTORY_MSG_ON_FAILURE([libcsplit]) ]) AS_IF( [test "x$ac_cv_libcsplit" = xyes], [AC_DEFINE( [HAVE_LIBCSPLIT], [1], [Define to 1 if you have the `csplit' library (-lcsplit).]) ]) AS_IF( [test "x$ac_cv_libcsplit" = xyes], [AC_SUBST( [HAVE_LIBCSPLIT], [1]) ], [AC_SUBST( [HAVE_LIBCSPLIT], [0]) ]) ]) dnl Function to detect if libcsplit dependencies are available AC_DEFUN([AX_LIBCSPLIT_CHECK_LOCAL], [dnl No additional checks. 
ac_cv_libcsplit_CPPFLAGS="-I../libcsplit -I\$(top_srcdir)/libcsplit"; ac_cv_libcsplit_LIBADD="../libcsplit/libcsplit.la"; ac_cv_libcsplit=local ]) dnl Function to detect how to enable libcsplit AC_DEFUN([AX_LIBCSPLIT_CHECK_ENABLE], [AX_COMMON_ARG_WITH( [libcsplit], [libcsplit], [search for libcsplit in includedir and libdir or in the specified DIR, or no if to use local version], [auto-detect], [DIR]) dnl Check for a shared library version AX_LIBCSPLIT_CHECK_LIB dnl Check if the dependencies for the local library version AS_IF( [test "x$ac_cv_libcsplit" != xyes], [AX_LIBCSPLIT_CHECK_LOCAL AC_DEFINE( [HAVE_LOCAL_LIBCSPLIT], [1], [Define to 1 if the local version of libcsplit is used.]) AC_SUBST( [HAVE_LOCAL_LIBCSPLIT], [1]) ]) AM_CONDITIONAL( [HAVE_LOCAL_LIBCSPLIT], [test "x$ac_cv_libcsplit" = xlocal]) AS_IF( [test "x$ac_cv_libcsplit_CPPFLAGS" != "x"], [AC_SUBST( [LIBCSPLIT_CPPFLAGS], [$ac_cv_libcsplit_CPPFLAGS]) ]) AS_IF( [test "x$ac_cv_libcsplit_LIBADD" != "x"], [AC_SUBST( [LIBCSPLIT_LIBADD], [$ac_cv_libcsplit_LIBADD]) ]) AS_IF( [test "x$ac_cv_libcsplit" = xyes], [AC_SUBST( [ax_libcsplit_pc_libs_private], [-lcsplit]) ]) AS_IF( [test "x$ac_cv_libcsplit" = xyes], [AC_SUBST( [ax_libcsplit_spec_requires], [libcsplit]) AC_SUBST( [ax_libcsplit_spec_build_requires], [libcsplit-devel]) ]) ]) ================================================ FILE: m4/libcthreads.m4 ================================================ dnl Checks for libcthreads required headers and functions dnl dnl Version: 20240513 dnl Function to detect if libcthreads is available dnl ac_libcthreads_dummy is used to prevent AC_CHECK_LIB adding unnecessary -l arguments AC_DEFUN([AX_LIBCTHREADS_CHECK_LIB], [AS_IF( [test "x$ac_cv_enable_shared_libs" = xno || test "x$ac_cv_with_libcthreads" = xno], [ac_cv_libcthreads=no], [ac_cv_libcthreads=check dnl Check if the directory provided as parameter exists dnl For both --with-libcthreads which returns "yes" and --with-libcthreads= which returns "" dnl treat them as 
auto-detection. AS_IF( [test "x$ac_cv_with_libcthreads" != x && test "x$ac_cv_with_libcthreads" != xauto-detect && test "x$ac_cv_with_libcthreads" != xyes], [AX_CHECK_LIB_DIRECTORY_EXISTS([libcthreads])], [dnl Check for a pkg-config file AS_IF( [test "x$cross_compiling" != "xyes" && test "x$PKGCONFIG" != "x"], [PKG_CHECK_MODULES( [libcthreads], [libcthreads >= 20160404], [ac_cv_libcthreads=yes], [ac_cv_libcthreads=check]) ]) AS_IF( [test "x$ac_cv_libcthreads" = xyes], [ac_cv_libcthreads_CPPFLAGS="$pkg_cv_libcthreads_CFLAGS" ac_cv_libcthreads_LIBADD="$pkg_cv_libcthreads_LIBS"]) ]) AS_IF( [test "x$ac_cv_libcthreads" = xcheck], [dnl Check for headers AC_CHECK_HEADERS([libcthreads.h]) AS_IF( [test "x$ac_cv_header_libcthreads_h" = xno], [ac_cv_libcthreads=no], [ac_cv_libcthreads=yes AX_CHECK_LIB_FUNCTIONS( [libcthreads], [cthreads], [[libcthreads_get_version], [libcthreads_thread_create], [libcthreads_thread_join], [libcthreads_thread_attributes_initialize], [libcthreads_thread_attributes_free], [libcthreads_condition_initialize], [libcthreads_condition_free], [libcthreads_condition_broadcast], [libcthreads_condition_signal], [libcthreads_condition_wait], [libcthreads_lock_initialize], [libcthreads_lock_free], [libcthreads_lock_grab], [libcthreads_lock_release], [libcthreads_mutex_initialize], [libcthreads_mutex_free], [libcthreads_mutex_grab], [libcthreads_mutex_try_grab], [libcthreads_mutex_release], [libcthreads_read_write_lock_initialize], [libcthreads_read_write_lock_free], [libcthreads_read_write_lock_grab_for_read], [libcthreads_read_write_lock_grab_for_write], [libcthreads_read_write_lock_release_for_read], [libcthreads_read_write_lock_release_for_write], [libcthreads_queue_initialize], [libcthreads_queue_free], [libcthreads_queue_type_pop], [libcthreads_queue_pop], [libcthreads_queue_try_push], [libcthreads_queue_push], [libcthreads_queue_push_sorted], [libcthreads_thread_pool_create], [libcthreads_thread_pool_push], [libcthreads_thread_pool_push_sorted], 
[libcthreads_thread_pool_join]]) ac_cv_libcthreads_LIBADD="-lcthreads"]) ]) AX_CHECK_LIB_DIRECTORY_MSG_ON_FAILURE([libcthreads]) ]) AS_IF( [test "x$ac_cv_libcthreads" = xyes], [AC_DEFINE( [HAVE_LIBCTHREADS], [1], [Define to 1 if you have the `cthreads' library (-lcthreads).]) ]) AS_IF( [test "x$ac_cv_libcthreads" = xyes], [ac_cv_libcthreads_multi_threading=libcthreads], [ac_cv_libcthreads_multi_threading=no]) AS_IF( [test "x$ac_cv_libcthreads" = xyes], [AC_SUBST( [HAVE_LIBCTHREADS], [1]) ], [AC_SUBST( [HAVE_LIBCTHREADS], [0]) ]) ]) dnl Function to detect if libcthreads dependencies are available AC_DEFUN([AX_LIBCTHREADS_CHECK_LOCAL], [AS_IF( [test "x$ac_cv_enable_winapi" = xno], [dnl Check for enabling pthread support AX_PTHREAD_CHECK_ENABLE ac_cv_libcthreads_multi_threading=$ac_cv_pthread], [ac_cv_libcthreads_multi_threading="winapi"]) AS_IF( [test "x$ac_cv_libcthreads_multi_threading" != xno], [ac_cv_libcthreads_CPPFLAGS="-I../libcthreads -I\$(top_srcdir)/libcthreads"; ac_cv_libcthreads_LIBADD="../libcthreads/libcthreads.la"; ac_cv_libcthreads=local], [ac_cv_libcthreads=no]) ]) dnl Function to detect how to enable libcthreads AC_DEFUN([AX_LIBCTHREADS_CHECK_ENABLE], [AX_COMMON_ARG_ENABLE( [multi-threading-support], [multi_threading_support], [enable multi-threading support], [yes]) AX_COMMON_ARG_WITH( [libcthreads], [libcthreads], [search for libcthreads in includedir and libdir or in the specified DIR, or no if to use local version], [auto-detect], [DIR]) AS_IF( [test "x$ac_cv_enable_multi_threading_support" = xno], [ac_cv_libcthreads="no" ac_cv_libcthreads_multi_threading="no"], [dnl Check for a shared library version AX_LIBCTHREADS_CHECK_LIB dnl Check if the dependencies for the local library version AS_IF( [test "x$ac_cv_libcthreads" != xyes], [AX_LIBCTHREADS_CHECK_LOCAL AC_DEFINE( [HAVE_LOCAL_LIBCTHREADS], [1], [Define to 1 if the local version of libcthreads is used.]) AC_SUBST( [HAVE_LOCAL_LIBCTHREADS], [1]) ]) ]) AM_CONDITIONAL( [HAVE_LOCAL_LIBCTHREADS], 
[test "x$ac_cv_libcthreads" = xlocal]) AS_IF( [test "x$ac_cv_libcthreads_CPPFLAGS" != "x"], [AC_SUBST( [LIBCTHREADS_CPPFLAGS], [$ac_cv_libcthreads_CPPFLAGS]) ]) AS_IF( [test "x$ac_cv_libcthreads_LIBADD" != "x"], [AC_SUBST( [LIBCTHREADS_LIBADD], [$ac_cv_libcthreads_LIBADD]) ]) AS_IF( [test "x$ac_cv_libcthreads" != xno], [AC_DEFINE( [HAVE_MULTI_THREAD_SUPPORT], [1], [Define to 1 if multi thread support should be used.]) AC_SUBST( [HAVE_MULTI_THREAD_SUPPORT], [1]) ], [AC_SUBST( [HAVE_MULTI_THREAD_SUPPORT], [0]) ]) AS_IF( [test "x$ac_cv_libcthreads" = xyes], [AC_SUBST( [ax_libcthreads_pc_libs_private], [-lcthreads]) ]) AS_IF( [test "x$ac_cv_libcthreads" = xyes], [AC_SUBST( [ax_libcthreads_spec_requires], [libcthreads]) AC_SUBST( [ax_libcthreads_spec_build_requires], [libcthreads-devel]) ]) ]) ================================================ FILE: m4/libexe.m4 ================================================ dnl Checks for libexe required headers and functions dnl dnl Version: 20240601 dnl Function to detect if libexe is available dnl ac_libexe_dummy is used to prevent AC_CHECK_LIB adding unnecessary -l arguments AC_DEFUN([AX_LIBEXE_CHECK_LIB], [AS_IF( [test "x$ac_cv_enable_shared_libs" = xno || test "x$ac_cv_with_libexe" = xno], [ac_cv_libexe=no], [ac_cv_libexe=check dnl Check if the directory provided as parameter exists dnl For both --with-libexe which returns "yes" and --with-libexe= which returns "" dnl treat them as auto-detection. 
AS_IF( [test "x$ac_cv_with_libexe" != x && test "x$ac_cv_with_libexe" != xauto-detect && test "x$ac_cv_with_libexe" != xyes], [AX_CHECK_LIB_DIRECTORY_EXISTS([libexe])], [dnl Check for a pkg-config file AS_IF( [test "x$cross_compiling" != "xyes" && test "x$PKGCONFIG" != "x"], [PKG_CHECK_MODULES( [libexe], [libexe >= 20120405], [ac_cv_libexe=yes], [ac_cv_libexe=check]) ]) AS_IF( [test "x$ac_cv_libexe" = xyes && test "x$ac_cv_enable_wide_character_type" != xno], [AC_CACHE_CHECK( [whether libexe/features.h defines LIBEXE_HAVE_WIDE_CHARACTER_TYPE as 1], [ac_cv_header_libexe_features_h_have_wide_character_type], [AC_LANG_PUSH(C) AC_COMPILE_IFELSE( [AC_LANG_PROGRAM( [[#include ]], [[#if !defined( LIBEXE_HAVE_WIDE_CHARACTER_TYPE ) || ( LIBEXE_HAVE_WIDE_CHARACTER_TYPE != 1 ) #error LIBEXE_HAVE_WIDE_CHARACTER_TYPE not defined #endif]] )], [ac_cv_header_libexe_features_h_have_wide_character_type=yes], [ac_cv_header_libexe_features_h_have_wide_character_type=no]) AC_LANG_POP(C)], [ac_cv_header_libexe_features_h_have_wide_character_type=no]) AS_IF( [test "x$ac_cv_header_libexe_features_h_have_wide_character_type" = xno], [ac_cv_libexe=no]) ]) AS_IF( [test "x$ac_cv_libexe" = xyes], [ac_cv_libexe_CPPFLAGS="$pkg_cv_libexe_CFLAGS" ac_cv_libexe_LIBADD="$pkg_cv_libexe_LIBS"]) ]) AS_IF( [test "x$ac_cv_libexe" = xcheck], [dnl Check for headers AC_CHECK_HEADERS([libexe.h]) AS_IF( [test "x$ac_cv_header_libexe_h" = xno], [ac_cv_libexe=no], [ac_cv_libexe=yes AX_CHECK_LIB_FUNCTIONS( [libexe], [exe], [[libexe_get_version], [libexe_file_initialize], [libexe_file_free], [libexe_file_signal_abort], [libexe_file_open], [libexe_file_close]]) AS_IF( [test "x$ac_cv_enable_wide_character_type" != xno], [AX_CHECK_LIB_FUNCTIONS( [libexe], [exe], [[libexe_file_open_wide]]) ]) dnl TODO add functions ac_cv_libexe_LIBADD="-lexe"]) ]) AX_CHECK_LIB_DIRECTORY_MSG_ON_FAILURE([libexe]) ]) AS_IF( [test "x$ac_cv_libexe" = xyes], [AC_DEFINE( [HAVE_LIBEXE], [1], [Define to 1 if you have the `exe' library 
(-lexe).]) ]) AS_IF( [test "x$ac_cv_libexe" = xyes], [AC_SUBST( [HAVE_LIBEXE], [1]) ], [AC_SUBST( [HAVE_LIBEXE], [0]) ]) ]) dnl Function to detect if libexe dependencies are available AC_DEFUN([AX_LIBEXE_CHECK_LOCAL], [ac_cv_libexe_CPPFLAGS="-I../libexe -I\$(top_srcdir)/libexe"; ac_cv_libexe_LIBADD="../libexe/libexe.la"; ac_cv_libexe=local ]) dnl Function to detect how to enable libexe AC_DEFUN([AX_LIBEXE_CHECK_ENABLE], [AX_COMMON_ARG_WITH( [libexe], [libexe], [search for libexe in includedir and libdir or in the specified DIR, or no if to use local version], [auto-detect], [DIR]) dnl Check for a shared library version AX_LIBEXE_CHECK_LIB dnl Check if the dependencies for the local library version AS_IF( [test "x$ac_cv_libexe" != xyes], [AX_LIBEXE_CHECK_LOCAL AC_DEFINE( [HAVE_LOCAL_LIBEXE], [1], [Define to 1 if the local version of libexe is used.]) AC_SUBST( [HAVE_LOCAL_LIBEXE], [1]) ]) AM_CONDITIONAL( [HAVE_LOCAL_LIBEXE], [test "x$ac_cv_libexe" = xlocal]) AS_IF( [test "x$ac_cv_libexe_CPPFLAGS" != "x"], [AC_SUBST( [LIBEXE_CPPFLAGS], [$ac_cv_libexe_CPPFLAGS]) ]) AS_IF( [test "x$ac_cv_libexe_LIBADD" != "x"], [AC_SUBST( [LIBEXE_LIBADD], [$ac_cv_libexe_LIBADD]) ]) AS_IF( [test "x$ac_cv_libexe" = xyes], [AC_SUBST( [ax_libexe_pc_libs_private], [-lexe]) ]) AS_IF( [test "x$ac_cv_libexe" = xyes], [AC_SUBST( [ax_libexe_spec_requires], [libexe]) AC_SUBST( [ax_libexe_spec_build_requires], [libexe-devel]) ]) ]) ================================================ FILE: m4/libfcache.m4 ================================================ dnl Checks for libfcache required headers and functions dnl dnl Version: 20240514 dnl Function to detect if libfcache is available dnl ac_libfcache_dummy is used to prevent AC_CHECK_LIB adding unnecessary -l arguments AC_DEFUN([AX_LIBFCACHE_CHECK_LIB], [AS_IF( [test "x$ac_cv_enable_shared_libs" = xno || test "x$ac_cv_with_libfcache" = xno], [ac_cv_libfcache=no], [ac_cv_libfcache=check dnl Check if the directory provided as parameter exists dnl For both 
--with-libfcache which returns "yes" and --with-libfcache= which returns "" dnl treat them as auto-detection. AS_IF( [test "x$ac_cv_with_libfcache" != x && test "x$ac_cv_with_libfcache" != xauto-detect && test "x$ac_cv_with_libfcache" != xyes], [AX_CHECK_LIB_DIRECTORY_EXISTS([libfcache])], [dnl Check for a pkg-config file AS_IF( [test "x$cross_compiling" != "xyes" && test "x$PKGCONFIG" != "x"], [PKG_CHECK_MODULES( [libfcache], [libfcache >= 20191109], [ac_cv_libfcache=yes], [ac_cv_libfcache=check]) ]) AS_IF( [test "x$ac_cv_libfcache" = xyes], [ac_cv_libfcache_CPPFLAGS="$pkg_cv_libfcache_CFLAGS" ac_cv_libfcache_LIBADD="$pkg_cv_libfcache_LIBS"]) ]) AS_IF( [test "x$ac_cv_libfcache" = xcheck], [dnl Check for headers AC_CHECK_HEADERS([libfcache.h]) AS_IF( [test "x$ac_cv_header_libfcache_h" = xno], [ac_cv_libfcache=no], [ac_cv_libfcache=yes AX_CHECK_LIB_FUNCTIONS( [libfcache], [fcache], [[libfcache_get_version], [libfcache_cache_initialize], [libfcache_cache_free], [libfcache_cache_clone], [libfcache_cache_clear], [libfcache_cache_get_number_of_entries], [libfcache_cache_get_number_of_cache_values], [libfcache_cache_clear_value_by_index], [libfcache_cache_get_value_by_identifier], [libfcache_cache_get_value_by_index], [libfcache_cache_set_value_by_identifier], [libfcache_cache_set_value_by_index], [libfcache_cache_value_free], [libfcache_cache_value_clear], [libfcache_cache_value_get_identifier], [libfcache_cache_value_set_identifier], [libfcache_cache_value_get_value], [libfcache_cache_value_set_value], [libfcache_date_time_get_timestamp]]) ac_cv_libfcache_LIBADD="-lfcache"]) ]) AX_CHECK_LIB_DIRECTORY_MSG_ON_FAILURE([libfcache]) ]) AS_IF( [test "x$ac_cv_libfcache" = xyes], [AC_DEFINE( [HAVE_LIBFCACHE], [1], [Define to 1 if you have the `fcache' library (-lfcache).]) ]) AS_IF( [test "x$ac_cv_libfcache" = xyes], [AC_SUBST( [HAVE_LIBFCACHE], [1]) ], [AC_SUBST( [HAVE_LIBFCACHE], [0]) ]) ]) dnl Function to detect if libfcache dependencies are available 
AC_DEFUN([AX_LIBFCACHE_CHECK_LOCAL],
  [dnl Prepares the build for the libfcache copy bundled in this source tree.
  dnl Probes what libfcache/libfcache_date_time.h relies on, aborts configure
  dnl when the time function is missing, and then sets ac_cv_libfcache to local.
  dnl
  dnl Types used in libfcache/libfcache_date_time.h
  AC_STRUCT_TM

  dnl Headers included in libfcache/libfcache_date_time.h
  AC_CHECK_HEADERS([sys/time.h])

  dnl Date and time functions used in libfcache/libfcache_date_time.h
  dnl Only time is mandatory, a missing clock_gettime does not stop configure.
  AC_CHECK_FUNCS([clock_gettime time])

  AS_IF(
    [test "x$ac_cv_func_time" != xyes],
    [AC_MSG_FAILURE(
      [Missing function: time],
      [1])
    ])

  dnl Compile against the in-tree headers and link the in-tree libtool archive.
  ac_cv_libfcache_CPPFLAGS="-I../libfcache -I\$(top_srcdir)/libfcache";
  ac_cv_libfcache_LIBADD="../libfcache/libfcache.la";

  ac_cv_libfcache=local
  ])

dnl Function to detect how to enable libfcache
dnl Registers the libfcache with-option, tries an installed library first and
dnl falls back to the bundled copy, then exports the result to the build.
AC_DEFUN([AX_LIBFCACHE_CHECK_ENABLE],
  [dnl The option semantics live in AX_COMMON_ARG_WITH, which is defined
  dnl elsewhere. Going by the help text below: a DIR to search, no to use the
  dnl local version, auto-detect by default.
  AX_COMMON_ARG_WITH(
    [libfcache],
    [libfcache],
    [search for libfcache in includedir and libdir or in the specified DIR, or no if to use local version],
    [auto-detect],
    [DIR])

  dnl Check for a shared library version
  AX_LIBFCACHE_CHECK_LIB

  dnl Fall back to the local library version when the check above did not end
  dnl with ac_cv_libfcache set to yes.
  dnl NOTE review: in that case the build links ../libfcache/libfcache.la from
  dnl this source tree, so the libfcache code in the result is whatever the
  dnl tree ships and not the installed package. HAVE_LOCAL_LIBFCACHE records
  dnl that choice.
  AS_IF(
    [test "x$ac_cv_libfcache" != xyes],
    [AX_LIBFCACHE_CHECK_LOCAL

    AC_DEFINE(
      [HAVE_LOCAL_LIBFCACHE],
      [1],
      [Define to 1 if the local version of libfcache is used.])
    AC_SUBST(
      [HAVE_LOCAL_LIBFCACHE],
      [1])
    ])

  dnl Automake conditional, true only when the local copy was selected.
  AM_CONDITIONAL(
    [HAVE_LOCAL_LIBFCACHE],
    [test "x$ac_cv_libfcache" = xlocal])

  dnl Export the preprocessor and link flags only when one of the checks set them.
  AS_IF(
    [test "x$ac_cv_libfcache_CPPFLAGS" != "x"],
    [AC_SUBST(
      [LIBFCACHE_CPPFLAGS],
      [$ac_cv_libfcache_CPPFLAGS])
    ])
  AS_IF(
    [test "x$ac_cv_libfcache_LIBADD" != "x"],
    [AC_SUBST(
      [LIBFCACHE_LIBADD],
      [$ac_cv_libfcache_LIBADD])
    ])

  dnl The private libs and spec requires values are substituted only for an
  dnl installed library. With the local copy none of them is set, so metadata
  dnl built from these values will not name libfcache as a dependency.
  dnl Presumably they feed the pkg-config and RPM spec templates, which are
  dnl not visible here. Confirm before relying on them for dependency tracking.
  AS_IF(
    [test "x$ac_cv_libfcache" = xyes],
    [AC_SUBST(
      [ax_libfcache_pc_libs_private],
      [-lfcache])
    ])

  AS_IF(
    [test "x$ac_cv_libfcache" = xyes],
    [AC_SUBST(
      [ax_libfcache_spec_requires],
      [libfcache])
    AC_SUBST(
      [ax_libfcache_spec_build_requires],
      [libfcache-devel])
    ])
  ])

================================================
FILE: m4/libfdata.m4
================================================
dnl Functions for libfdata
dnl
dnl Version: 20240520

dnl Function to detect if libfdata is available
dnl ac_libfdata_dummy is used to prevent AC_CHECK_LIB adding unnecessary -l arguments
AC_DEFUN([AX_LIBFDATA_CHECK_LIB], [AS_IF( [test "x$ac_cv_enable_shared_libs" = xno || test "x$ac_cv_with_libfdata" = xno], [ac_cv_libfdata=no], [ac_cv_libfdata=check dnl Check if the directory provided as parameter exists dnl For both --with-libfdata which returns "yes" and --with-libfdata= which returns "" dnl treat them as auto-detection. AS_IF( [test "x$ac_cv_with_libfdata" != x && test "x$ac_cv_with_libfdata" != xauto-detect && test "x$ac_cv_with_libfdata" != xyes], [AX_CHECK_LIB_DIRECTORY_EXISTS([libfdata])], [dnl Check for a pkg-config file AS_IF( [test "x$cross_compiling" != "xyes" && test "x$PKGCONFIG" != "x"], [PKG_CHECK_MODULES( [libfdata], [libfdata >= 20201129], [ac_cv_libfdata=yes], [ac_cv_libfdata=check]) ]) AS_IF( [test "x$ac_cv_libfdata" = xyes], [ac_cv_libfdata_CPPFLAGS="$pkg_cv_libfdata_CFLAGS" ac_cv_libfdata_LIBADD="$pkg_cv_libfdata_LIBS"]) ]) AS_IF( [test "x$ac_cv_libfdata" = xcheck], [dnl Check for headers AC_CHECK_HEADERS([libfdata.h]) AS_IF( [test "x$ac_cv_header_libfdata_h" = xno], [ac_cv_libfdata=no], [ac_cv_libfdata=yes AX_CHECK_LIB_FUNCTIONS( [libfdata], [fdata], [[libfdata_get_version], [libfdata_area_initialize], [libfdata_area_free], [libfdata_area_clone], [libfdata_area_empty], [libfdata_area_resize], [libfdata_area_get_number_of_segments], [libfdata_area_get_segment_by_index], [libfdata_area_set_segment_by_index], [libfdata_area_prepend_segment], [libfdata_area_append_segment], [libfdata_area_get_element_data_size], [libfdata_area_get_element_value_at_offset], [libfdata_area_set_element_value_at_offset], [libfdata_area_get_size], [libfdata_list_initialize], [libfdata_list_free], [libfdata_list_clone], [libfdata_list_empty], [libfdata_list_resize], [libfdata_list_reverse], [libfdata_list_get_number_of_elements], [libfdata_list_get_list_element_by_index], [libfdata_list_get_element_by_index], [libfdata_list_set_element_by_index], [libfdata_list_prepend_element], [libfdata_list_append_element], [libfdata_list_append_list], 
[libfdata_list_is_element_set], [libfdata_list_get_element_mapped_range], [libfdata_list_get_mapped_offset], [libfdata_list_set_mapped_offset], [libfdata_list_get_mapped_size_by_index], [libfdata_list_set_mapped_size_by_index], [libfdata_list_get_element_by_index_with_mapped_size], [libfdata_list_set_element_by_index_with_mapped_size], [libfdata_list_append_element_with_mapped_size], [libfdata_list_get_element_index_at_offset], [libfdata_list_get_list_element_at_offset], [libfdata_list_get_element_at_offset], [libfdata_list_cache_element_value], [libfdata_list_get_element_value_by_index], [libfdata_list_get_element_value_at_offset], [libfdata_list_set_element_value_by_index], [libfdata_list_set_element_value_at_offset], [libfdata_list_get_size], [libfdata_list_element_get_mapped_size], [libfdata_list_element_set_mapped_size], [libfdata_list_element_get_element_value], [libfdata_list_element_set_element_value], [libfdata_list_element_get_mapped_size], [libfdata_list_element_set_mapped_size], [libfdata_list_element_get_element_value], [libfdata_list_element_set_element_value], [libfdata_stream_initialize], [libfdata_stream_free], [libfdata_stream_clone], [libfdata_stream_empty], [libfdata_stream_resize], [libfdata_stream_reverse], [libfdata_stream_get_number_of_segments], [libfdata_stream_get_segment_by_index], [libfdata_stream_set_segment_by_index], [libfdata_stream_prepend_segment], [libfdata_stream_append_segment], [libfdata_stream_set_mapped_size], [libfdata_stream_get_segment_mapped_range], [libfdata_stream_get_segment_index_at_offset], [libfdata_stream_get_segment_at_offset], [libfdata_stream_read_buffer], [libfdata_stream_read_buffer_at_offset], [libfdata_stream_write_buffer], [libfdata_stream_seek_offset], [libfdata_stream_get_offset], [libfdata_stream_get_size], [libfdata_range_list_initialize], [libfdata_range_list_free], [libfdata_range_list_clone], [libfdata_range_list_empty], [libfdata_range_list_get_list_element_at_offset], 
[libfdata_range_list_get_element_at_offset], [libfdata_range_list_insert_element], [libfdata_range_list_get_element_value_at_offset], [libfdata_range_list_set_element_value_at_offset], [libfdata_vector_initialize], [libfdata_vector_free], [libfdata_vector_clone], [libfdata_vector_empty], [libfdata_vector_resize], [libfdata_vector_get_number_of_segments], [libfdata_vector_get_segment_by_index], [libfdata_vector_set_segment_by_index], [libfdata_vector_prepend_segment], [libfdata_vector_append_segment], [libfdata_vector_get_element_data_size], [libfdata_vector_get_number_of_elements], [libfdata_vector_get_element_index_at_offset], [libfdata_vector_get_element_value_by_index], [libfdata_vector_get_element_value_at_offset], [libfdata_vector_set_element_value_by_index], [libfdata_vector_get_size]]) ac_cv_libfdata_LIBADD="-lfdata"]) ]) AX_CHECK_LIB_DIRECTORY_MSG_ON_FAILURE([libfdata]) ]) AS_IF( [test "x$ac_cv_libfdata" = xyes], [AC_DEFINE( [HAVE_LIBFDATA], [1], [Define to 1 if you have the `fdata' library (-lfdata).]) ]) AS_IF( [test "x$ac_cv_libfdata" = xyes], [AC_SUBST( [HAVE_LIBFDATA], [1]) ], [AC_SUBST( [HAVE_LIBFDATA], [0]) ]) ]) dnl Function to detect if libfdata dependencies are available AC_DEFUN([AX_LIBFDATA_CHECK_LOCAL], [dnl No additional checks. 
ac_cv_libfdata_CPPFLAGS="-I../libfdata -I\$(top_srcdir)/libfdata"; ac_cv_libfdata_LIBADD="../libfdata/libfdata.la"; ac_cv_libfdata=local ]) dnl Function to detect how to enable libfdata AC_DEFUN([AX_LIBFDATA_CHECK_ENABLE], [AX_COMMON_ARG_WITH( [libfdata], [libfdata], [search for libfdata in includedir and libdir or in the specified DIR, or no if to use local version], [auto-detect], [DIR]) dnl Check for a shared library version AX_LIBFDATA_CHECK_LIB dnl Check if the dependencies for the local library version AS_IF( [test "x$ac_cv_libfdata" != xyes], [AX_LIBFDATA_CHECK_LOCAL AC_DEFINE( [HAVE_LOCAL_LIBFDATA], [1], [Define to 1 if the local version of libfdata is used.]) AC_SUBST( [HAVE_LOCAL_LIBFDATA], [1]) ]) AM_CONDITIONAL( [HAVE_LOCAL_LIBFDATA], [test "x$ac_cv_libfdata" = xlocal]) AS_IF( [test "x$ac_cv_libfdata_CPPFLAGS" != "x"], [AC_SUBST( [LIBFDATA_CPPFLAGS], [$ac_cv_libfdata_CPPFLAGS]) ]) AS_IF( [test "x$ac_cv_libfdata_LIBADD" != "x"], [AC_SUBST( [LIBFDATA_LIBADD], [$ac_cv_libfdata_LIBADD]) ]) AS_IF( [test "x$ac_cv_libfdata" = xyes], [AC_SUBST( [ax_libfdata_pc_libs_private], [-lfdata]) ]) AS_IF( [test "x$ac_cv_libfdata" = xyes], [AC_SUBST( [ax_libfdata_spec_requires], [libfdata]) AC_SUBST( [ax_libfdata_spec_build_requires], [libfdata-devel]) ]) ]) ================================================ FILE: m4/libfdatetime.m4 ================================================ dnl Checks for libfdatetime required headers and functions dnl dnl Version: 20240518 dnl Function to detect if libfdatetime is available dnl ac_libfdatetime_dummy is used to prevent AC_CHECK_LIB adding unnecessary -l arguments AC_DEFUN([AX_LIBFDATETIME_CHECK_LIB], [AS_IF( [test "x$ac_cv_enable_shared_libs" = xno || test "x$ac_cv_with_libfdatetime" = xno], [ac_cv_libfdatetime=no], [ac_cv_libfdatetime=check dnl Check if the directory provided as parameter exists dnl For both --with-libfdatetime which returns "yes" and --with-libfdatetime= which returns "" dnl treat them as auto-detection. 
AS_IF( [test "x$ac_cv_with_libfdatetime" != x && test "x$ac_cv_with_libfdatetime" != xauto-detect && test "x$ac_cv_with_libfdatetime" != xyes], [AX_CHECK_LIB_DIRECTORY_EXISTS([libfdatetime])], [dnl Check for a pkg-config file AS_IF( [test "x$cross_compiling" != "xyes" && test "x$PKGCONFIG" != "x"], [PKG_CHECK_MODULES( [libfdatetime], [libfdatetime >= 20180910], [ac_cv_libfdatetime=yes], [ac_cv_libfdatetime=check]) ]) AS_IF( [test "x$ac_cv_libfdatetime" = xyes], [ac_cv_libfdatetime_CPPFLAGS="$pkg_cv_libfdatetime_CFLAGS" ac_cv_libfdatetime_LIBADD="$pkg_cv_libfdatetime_LIBS"]) ]) AS_IF( [test "x$ac_cv_libfdatetime" = xcheck], [dnl Check for headers AC_CHECK_HEADERS([libfdatetime.h]) AS_IF( [test "x$ac_cv_header_libfdatetime_h" = xno], [ac_cv_libfdatetime=no], [ac_cv_libfdatetime=yes AX_CHECK_LIB_FUNCTIONS( [libfdatetime], [fdatetime], [[libfdatetime_get_version], [libfdatetime_fat_date_time_initialize], [libfdatetime_fat_date_time_free], [libfdatetime_fat_date_time_copy_from_byte_stream], [libfdatetime_fat_date_time_copy_from_32bit], [libfdatetime_fat_date_time_copy_to_32bit], [libfdatetime_fat_date_time_copy_to_utf8_string], [libfdatetime_fat_date_time_copy_to_utf8_string_with_index], [libfdatetime_fat_date_time_copy_to_utf16_string], [libfdatetime_fat_date_time_copy_to_utf16_string_with_index], [libfdatetime_fat_date_time_copy_to_utf32_string], [libfdatetime_fat_date_time_copy_to_utf32_string_with_index], [libfdatetime_filetime_initialize], [libfdatetime_filetime_free], [libfdatetime_filetime_copy_from_byte_stream], [libfdatetime_filetime_copy_from_64bit], [libfdatetime_filetime_copy_to_64bit], [libfdatetime_filetime_copy_to_utf8_string], [libfdatetime_filetime_copy_to_utf8_string_with_index], [libfdatetime_filetime_copy_to_utf16_string], [libfdatetime_filetime_copy_to_utf16_string_with_index], [libfdatetime_filetime_copy_to_utf32_string], [libfdatetime_filetime_copy_to_utf32_string_with_index], [libfdatetime_filetime_add], [libfdatetime_floatingtime_initialize], 
[libfdatetime_floatingtime_free], [libfdatetime_floatingtime_copy_from_byte_stream], [libfdatetime_floatingtime_copy_from_64bit], [libfdatetime_floatingtime_copy_to_64bit], [libfdatetime_floatingtime_copy_to_utf8_string], [libfdatetime_floatingtime_copy_to_utf8_string_with_index], [libfdatetime_floatingtime_copy_to_utf16_string], [libfdatetime_floatingtime_copy_to_utf16_string_with_index], [libfdatetime_floatingtime_copy_to_utf32_string], [libfdatetime_floatingtime_copy_to_utf32_string_with_index], [libfdatetime_hfs_time_initialize], [libfdatetime_hfs_time_free], [libfdatetime_hfs_time_copy_from_byte_stream], [libfdatetime_hfs_time_copy_from_32bit], [libfdatetime_hfs_time_copy_to_32bit], [libfdatetime_hfs_time_copy_to_utf8_string], [libfdatetime_hfs_time_copy_to_utf8_string_with_index], [libfdatetime_hfs_time_copy_to_utf16_string], [libfdatetime_hfs_time_copy_to_utf16_string_with_index], [libfdatetime_hfs_time_copy_to_utf32_string], [libfdatetime_hfs_time_copy_to_utf32_string_with_index], [libfdatetime_nsf_timedate_initialize], [libfdatetime_nsf_timedate_free], [libfdatetime_nsf_timedate_copy_from_byte_stream], [libfdatetime_nsf_timedate_copy_from_64bit], [libfdatetime_nsf_timedate_copy_to_64bit], [libfdatetime_nsf_timedate_copy_to_utf8_string], [libfdatetime_nsf_timedate_copy_to_utf8_string_with_index], [libfdatetime_nsf_timedate_copy_to_utf16_string], [libfdatetime_nsf_timedate_copy_to_utf16_string_with_index], [libfdatetime_nsf_timedate_copy_to_utf32_string], [libfdatetime_nsf_timedate_copy_to_utf32_string_with_index], [libfdatetime_posix_time_initialize], [libfdatetime_posix_time_free], [libfdatetime_posix_time_copy_from_byte_stream], [libfdatetime_posix_time_copy_from_32bit], [libfdatetime_posix_time_copy_to_32bit], [libfdatetime_posix_time_copy_from_64bit], [libfdatetime_posix_time_copy_to_64bit], [libfdatetime_posix_time_copy_to_utf8_string], [libfdatetime_posix_time_copy_to_utf8_string_with_index], [libfdatetime_posix_time_copy_to_utf16_string], 
[libfdatetime_posix_time_copy_to_utf16_string_with_index], [libfdatetime_posix_time_copy_to_utf32_string], [libfdatetime_posix_time_copy_to_utf32_string_with_index], [libfdatetime_systemetime_initialize], [libfdatetime_systemetime_free], [libfdatetime_systemetime_copy_from_byte_stream], [libfdatetime_systemetime_copy_to_utf8_string], [libfdatetime_systemetime_copy_to_utf8_string_with_index], [libfdatetime_systemetime_copy_to_utf16_string], [libfdatetime_systemetime_copy_to_utf16_string_with_index], [libfdatetime_systemetime_copy_to_utf32_string], [libfdatetime_systemetime_copy_to_utf32_string_with_index]]) ac_cv_libfdatetime_LIBADD="-lfdatetime"]) ]) AX_CHECK_LIB_DIRECTORY_MSG_ON_FAILURE([libfdatetime]) ]) AS_IF( [test "x$ac_cv_libfdatetime" = xyes], [AC_DEFINE( [HAVE_LIBFDATETIME], [1], [Define to 1 if you have the `fdatetime' library (-lfdatetime).]) ]) AS_IF( [test "x$ac_cv_libfdatetime" = xyes], [AC_SUBST( [HAVE_LIBFDATETIME], [1]) ], [AC_SUBST( [HAVE_LIBFDATETIME], [0]) ]) ]) dnl Function to detect if libfdatetime dependencies are available AC_DEFUN([AX_LIBFDATETIME_CHECK_LOCAL], [dnl No additional checks. 
ac_cv_libfdatetime_CPPFLAGS="-I../libfdatetime -I\$(top_srcdir)/libfdatetime"; ac_cv_libfdatetime_LIBADD="../libfdatetime/libfdatetime.la"; ac_cv_libfdatetime=local ]) dnl Function to detect how to enable libfdatetime AC_DEFUN([AX_LIBFDATETIME_CHECK_ENABLE], [AX_COMMON_ARG_WITH( [libfdatetime], [libfdatetime], [search for libfdatetime in includedir and libdir or in the specified DIR, or no if to use local version], [auto-detect], [DIR]) AX_LIBFDATETIME_CHECK_LIB dnl Check if the dependencies for the local library version AS_IF( [test "x$ac_cv_libfdatetime" != xyes], [AX_LIBFDATETIME_CHECK_LOCAL AC_DEFINE( [HAVE_LOCAL_LIBFDATETIME], [1], [Define to 1 if the local version of libfdatetime is used.]) AC_SUBST( [HAVE_LOCAL_LIBFDATETIME], [1]) ]) AM_CONDITIONAL( [HAVE_LOCAL_LIBFDATETIME], [test "x$ac_cv_libfdatetime" = xlocal]) AS_IF( [test "x$ac_cv_libfdatetime_CPPFLAGS" != "x"], [AC_SUBST( [LIBFDATETIME_CPPFLAGS], [$ac_cv_libfdatetime_CPPFLAGS]) ]) AS_IF( [test "x$ac_cv_libfdatetime_LIBADD" != "x"], [AC_SUBST( [LIBFDATETIME_LIBADD], [$ac_cv_libfdatetime_LIBADD]) ]) AS_IF( [test "x$ac_cv_libfdatetime" = xyes], [AC_SUBST( [ax_libfdatetime_pc_libs_private], [-lfdatetime]) ]) AS_IF( [test "x$ac_cv_libfdatetime" = xyes], [AC_SUBST( [ax_libfdatetime_spec_requires], [libfdatetime]) AC_SUBST( [ax_libfdatetime_spec_build_requires], [libfdatetime-devel]) ]) ]) ================================================ FILE: m4/libfguid.m4 ================================================ dnl Checks for libfguid required headers and functions dnl dnl Version: 20240519 dnl Function to detect if libfguid is available dnl ac_libfguid_dummy is used to prevent AC_CHECK_LIB adding unnecessary -l arguments AC_DEFUN([AX_LIBFGUID_CHECK_LIB], [AS_IF( [test "x$ac_cv_enable_shared_libs" = xno || test "x$ac_cv_with_libfguid" = xno], [ac_cv_libfguid=no], [ac_cv_libfguid=check dnl Check if the directory provided as parameter exists dnl For both --with-libfguid which returns "yes" and --with-libfguid= 
which returns "" dnl treat them as auto-detection. AS_IF( [test "x$ac_cv_with_libfguid" != x && test "x$ac_cv_with_libfguid" != xauto-detect && test "x$ac_cv_with_libfguid" != xyes], [AX_CHECK_LIB_DIRECTORY_EXISTS([libfguid])], [dnl Check for a pkg-config file AS_IF( [test "x$cross_compiling" != "xyes" && test "x$PKGCONFIG" != "x"], [PKG_CHECK_MODULES( [libfguid], [libfguid >= 20120426], [ac_cv_libfguid=yes], [ac_cv_libfguid=check]) ]) AS_IF( [test "x$ac_cv_libfguid" = xyes], [ac_cv_libfguid_CPPFLAGS="$pkg_cv_libfguid_CFLAGS" ac_cv_libfguid_LIBADD="$pkg_cv_libfguid_LIBS"]) ]) AS_IF( [test "x$ac_cv_libfguid" = xcheck], [dnl Check for headers AC_CHECK_HEADERS([libfguid.h]) AS_IF( [test "x$ac_cv_header_libfguid_h" = xno], [ac_cv_libfguid=no], [ac_cv_libfguid=yes AX_CHECK_LIB_FUNCTIONS( [libfguid], [fguid], [[libfguid_get_version], [libfguid_identifier_initialize], [libfguid_identifier_free], [libfguid_identifier_copy_from_byte_stream], [libfguid_identifier_get_string_size], [libfguid_identifier_copy_to_utf8_string], [libfguid_identifier_copy_to_utf8_string_with_index], [libfguid_identifier_copy_to_utf16_string], [libfguid_identifier_copy_to_utf16_string_with_index], [libfguid_identifier_copy_to_utf32_string], [libfguid_identifier_copy_to_utf32_string_with_index]]) ac_cv_libfguid_LIBADD="-lfguid"]) ]) AX_CHECK_LIB_DIRECTORY_MSG_ON_FAILURE([libfguid]) ]) AS_IF( [test "x$ac_cv_libfguid" = xyes], [AC_DEFINE( [HAVE_LIBFGUID], [1], [Define to 1 if you have the `fguid' library (-lfguid).]) ]) AS_IF( [test "x$ac_cv_libfguid" = xyes], [AC_SUBST( [HAVE_LIBFGUID], [1]) ], [AC_SUBST( [HAVE_LIBFGUID], [0]) ]) ]) dnl Function to detect if libfguid dependencies are available AC_DEFUN([AX_LIBFGUID_CHECK_LOCAL], [dnl No additional checks. 
ac_cv_libfguid_CPPFLAGS="-I../libfguid -I\$(top_srcdir)/libfguid"; ac_cv_libfguid_LIBADD="../libfguid/libfguid.la"; ac_cv_libfguid=local ]) dnl Function to detect how to enable libfguid AC_DEFUN([AX_LIBFGUID_CHECK_ENABLE], [AX_COMMON_ARG_WITH( [libfguid], [libfguid], [search for libfguid in includedir and libdir or in the specified DIR, or no if to use local version], [auto-detect], [DIR]) dnl Check for a shared library version AX_LIBFGUID_CHECK_LIB dnl Check if the dependencies for the local library version AS_IF( [test "x$ac_cv_libfguid" != xyes], [AX_LIBFGUID_CHECK_LOCAL AC_DEFINE( [HAVE_LOCAL_LIBFGUID], [1], [Define to 1 if the local version of libfguid is used.]) AC_SUBST( [HAVE_LOCAL_LIBFGUID], [1]) ]) AM_CONDITIONAL( [HAVE_LOCAL_LIBFGUID], [test "x$ac_cv_libfguid" = xlocal]) AS_IF( [test "x$ac_cv_libfguid_CPPFLAGS" != "x"], [AC_SUBST( [LIBFGUID_CPPFLAGS], [$ac_cv_libfguid_CPPFLAGS]) ]) AS_IF( [test "x$ac_cv_libfguid_LIBADD" != "x"], [AC_SUBST( [LIBFGUID_LIBADD], [$ac_cv_libfguid_LIBADD]) ]) AS_IF( [test "x$ac_cv_libfguid" = xyes], [AC_SUBST( [ax_libfguid_pc_libs_private], [-lfguid]) ]) AS_IF( [test "x$ac_cv_libfguid" = xyes], [AC_SUBST( [ax_libfguid_spec_requires], [libfguid]) AC_SUBST( [ax_libfguid_spec_build_requires], [libfguid-devel]) ]) ]) ================================================ FILE: m4/libfvalue.m4 ================================================ dnl Checks for libfvalue required headers and functions dnl dnl Version: 20240519 dnl Function to detect if libfvalue is available dnl ac_libfvalue_dummy is used to prevent AC_CHECK_LIB adding unnecessary -l arguments AC_DEFUN([AX_LIBFVALUE_CHECK_LIB], [AS_IF( [test "x$ac_cv_enable_shared_libs" = xno || test "x$ac_cv_with_libfvalue" = xno], [ac_cv_libfvalue=no], [ac_cv_libfvalue=check dnl Check if the directory provided as parameter exists dnl For both --with-libfvalue which returns "yes" and --with-libfvalue= which returns "" dnl treat them as auto-detection. 
AS_IF( [test "x$ac_cv_with_libfvalue" != x && test "x$ac_cv_with_libfvalue" != xauto-detect && test "x$ac_cv_with_libfvalue" != xyes], [AX_CHECK_LIB_DIRECTORY_EXISTS([libfvalue])], [dnl Check for a pkg-config file AS_IF( [test "x$cross_compiling" != "xyes" && test "x$PKGCONFIG" != "x"], [PKG_CHECK_MODULES( [libfvalue], [libfvalue >= 20200711], [ac_cv_libfvalue=yes], [ac_cv_libfvalue=check]) ]) AS_IF( [test "x$ac_cv_libfvalue" = xyes], [ac_cv_libfvalue_CPPFLAGS="$pkg_cv_libfvalue_CFLAGS" ac_cv_libfvalue_LIBADD="$pkg_cv_libfvalue_LIBS"]) ]) AS_IF( [test "x$ac_cv_libfvalue" = xcheck], [dnl Check for headers AC_CHECK_HEADERS([libfvalue.h]) AS_IF( [test "x$ac_cv_header_libfvalue_h" = xno], [ac_cv_libfvalue=no], [ac_cv_libfvalue=yes AX_CHECK_LIB_FUNCTIONS( [libfvalue], [fvalue], [[libfvalue_get_version], [libfvalue_data_handle_initialize], [libfvalue_data_handle_free], [libfvalue_data_handle_clone], [libfvalue_data_handle_clear], [libfvalue_data_handle_get_data], [libfvalue_data_handle_set_data], [libfvalue_data_handle_get_data_flags], [libfvalue_data_handle_set_data_flags], [libfvalue_data_handle_get_number_of_value_entries], [libfvalue_data_handle_get_value_entry], [libfvalue_data_handle_set_value_entry], [libfvalue_data_handle_append_value_entry], [libfvalue_string_size_from_integer], [libfvalue_utf8_string_copy_from_integer], [libfvalue_utf8_string_with_index_copy_from_integer], [libfvalue_utf8_string_copy_to_integer], [libfvalue_utf8_string_with_index_copy_to_integer], [libfvalue_utf16_string_copy_from_integer], [libfvalue_utf16_string_with_index_copy_from_integer], [libfvalue_utf16_string_copy_to_integer], [libfvalue_utf16_string_with_index_copy_to_integer], [libfvalue_utf32_string_copy_from_integer], [libfvalue_utf32_string_with_index_copy_from_integer], [libfvalue_utf32_string_copy_to_integer], [libfvalue_utf32_string_with_index_copy_to_integer], [libfvalue_utf8_string_split], [libfvalue_utf16_string_split], [libfvalue_split_utf8_string_free], 
[libfvalue_split_utf8_string_get_string], [libfvalue_split_utf8_string_get_number_of_segments], [libfvalue_split_utf8_string_get_segment_by_index], [libfvalue_split_utf16_string_free], [libfvalue_split_utf16_string_get_string], [libfvalue_split_utf16_string_get_number_of_segments], [libfvalue_split_utf16_string_get_segment_by_index], [libfvalue_table_initialize], [libfvalue_table_free], [libfvalue_table_resize], [libfvalue_table_clone], [libfvalue_table_get_number_of_values], [libfvalue_table_get_index_by_identifier], [libfvalue_table_get_value_by_index], [libfvalue_table_get_value_by_identifier], [libfvalue_table_set_value_by_index], [libfvalue_table_set_value], [libfvalue_table_copy_from_utf8_xml_string], [libfvalue_value_initialize], [libfvalue_value_free], [libfvalue_value_clone], [libfvalue_value_clear], [libfvalue_value_get_type], [libfvalue_value_get_identifier], [libfvalue_value_set_identifier], [libfvalue_value_get_data_handle], [libfvalue_value_has_data], [libfvalue_value_get_data_size], [libfvalue_value_get_data], [libfvalue_value_set_data], [libfvalue_value_copy_data], [libfvalue_value_get_format_flags], [libfvalue_value_set_format_flags], [libfvalue_value_get_number_of_value_entries], [libfvalue_value_get_value_entry], [libfvalue_value_set_value_entry], [libfvalue_value_append_value_entry], [libfvalue_value_copy_from_boolean], [libfvalue_value_copy_to_boolean], [libfvalue_value_copy_from_8bit], [libfvalue_value_copy_to_8bit], [libfvalue_value_copy_from_16bit], [libfvalue_value_copy_to_16bit], [libfvalue_value_copy_from_32bit], [libfvalue_value_copy_to_32bit], [libfvalue_value_copy_from_64bit], [libfvalue_value_copy_to_64bit], [libfvalue_value_copy_from_float], [libfvalue_value_copy_to_float], [libfvalue_value_copy_from_double], [libfvalue_value_copy_to_double], [libfvalue_value_copy_from_utf8_string], [libfvalue_value_get_utf8_string_size], [libfvalue_value_copy_to_utf8_string], [libfvalue_value_copy_to_utf8_string_with_index], 
[libfvalue_value_copy_from_utf16_string], [libfvalue_value_get_utf16_string_size], [libfvalue_value_copy_to_utf16_string], [libfvalue_value_copy_to_utf16_string_with_index], [libfvalue_value_copy_from_utf32_string], [libfvalue_value_get_utf32_string_size], [libfvalue_value_copy_to_utf32_string], [libfvalue_value_copy_to_utf32_string_with_index], [libfvalue_value_read_from_file_stream], [libfvalue_value_write_to_file_stream], [libfvalue_value_type_initialize], [libfvalue_value_type_initialize_with_data_handle], [libfvalue_value_type_set_data_string], [libfvalue_value_type_append_data_string], [libfvalue_value_type_set_data_strings_array]]) ac_cv_libfvalue_LIBADD="-lfvalue"]) ]) AX_CHECK_LIB_DIRECTORY_MSG_ON_FAILURE([libfvalue]) ]) AS_IF( [test "x$ac_cv_libfvalue" = xyes], [AC_DEFINE( [HAVE_LIBFVALUE], [1], [Define to 1 if you have the `fvalue' library (-lfvalue).]) ]) AS_IF( [test "x$ac_cv_libfvalue" = xyes], [AC_SUBST( [HAVE_LIBFVALUE], [1]) ], [AC_SUBST( [HAVE_LIBFVALUE], [0]) ]) ]) dnl Function to detect if libfvalue dependencies are available AC_DEFUN([AX_LIBFVALUE_CHECK_LOCAL], [dnl No additional checks. 
ac_cv_libfvalue_CPPFLAGS="-I../libfvalue -I\$(top_srcdir)/libfvalue"; ac_cv_libfvalue_LIBADD="../libfvalue/libfvalue.la"; ac_cv_libfvalue=local ]) dnl Function to detect how to enable libfvalue AC_DEFUN([AX_LIBFVALUE_CHECK_ENABLE], [AX_COMMON_ARG_WITH( [libfvalue], [libfvalue], [search for libfvalue in includedir and libdir or in the specified DIR, or no if to use local version], [auto-detect], [DIR]) dnl Check for a shared library version AX_LIBFVALUE_CHECK_LIB dnl Check if the dependencies for the local library version AS_IF( [test "x$ac_cv_libfvalue" != xyes], [AX_LIBFVALUE_CHECK_LOCAL AC_DEFINE( [HAVE_LOCAL_LIBFVALUE], [1], [Define to 1 if the local version of libfvalue is used.]) AC_SUBST( [HAVE_LOCAL_LIBFVALUE], [1]) ]) AM_CONDITIONAL( [HAVE_LOCAL_LIBFVALUE], [test "x$ac_cv_libfvalue" = xlocal]) AS_IF( [test "x$ac_cv_libfvalue_CPPFLAGS" != "x"], [AC_SUBST( [LIBFVALUE_CPPFLAGS], [$ac_cv_libfvalue_CPPFLAGS]) ]) AS_IF( [test "x$ac_cv_libfvalue_LIBADD" != "x"], [AC_SUBST( [LIBFVALUE_LIBADD], [$ac_cv_libfvalue_LIBADD]) ]) AS_IF( [test "x$ac_cv_libfvalue" = xyes], [AC_SUBST( [ax_libfvalue_pc_libs_private], [-lfvalue]) ]) AS_IF( [test "x$ac_cv_libfvalue" = xyes], [AC_SUBST( [ax_libfvalue_spec_requires], [libfvalue]) AC_SUBST( [ax_libfvalue_spec_build_requires], [libfvalue-devel]) ]) ]) ================================================ FILE: m4/libfwevt.m4 ================================================ dnl Checks for libfwevt required headers and functions dnl dnl Version: 20240501 dnl Function to detect if libfwevt is available dnl ac_libfwevt_dummy is used to prevent AC_CHECK_LIB adding unnecessary -l arguments AC_DEFUN([AX_LIBFWEVT_CHECK_LIB], [AS_IF( [test "x$ac_cv_enable_shared_libs" = xno || test "x$ac_cv_with_libfwevt" = xno], [ac_cv_libfwevt=no], [ac_cv_libfwevt=check dnl Check if the directory provided as parameter exists dnl For both --with-libfwevt which returns "yes" and --with-libfwevt= which returns "" dnl treat them as auto-detection. 
AS_IF( [test "x$ac_cv_with_libfwevt" != x && test "x$ac_cv_with_libfwevt" != xauto-detect && test "x$ac_cv_with_libfwevt" != xyes], [AS_IF( [test -d "$ac_cv_with_libfwevt"], [CFLAGS="$CFLAGS -I${ac_cv_with_libfwevt}/include" LDFLAGS="$LDFLAGS -L${ac_cv_with_libfwevt}/lib"], [AC_MSG_FAILURE( [no such directory: $ac_cv_with_libfwevt], [1]) ]) ], [dnl Check for a pkg-config file AS_IF( [test "x$cross_compiling" != "xyes" && test "x$PKGCONFIG" != "x"], [PKG_CHECK_MODULES( [libfwevt], [libfwevt >= 20240501], [ac_cv_libfwevt=yes], [ac_cv_libfwevt=check]) ]) AS_IF( [test "x$ac_cv_libfwevt" = xyes], [ac_cv_libfwevt_CPPFLAGS="$pkg_cv_libfwevt_CFLAGS" ac_cv_libfwevt_LIBADD="$pkg_cv_libfwevt_LIBS"]) ]) AS_IF( [test "x$ac_cv_libfwevt" = xcheck], [dnl Check for headers AC_CHECK_HEADERS([libfwevt.h]) AS_IF( [test "x$ac_cv_header_libfwevt_h" = xno], [ac_cv_libfwevt=no], [dnl Check for the individual functions ac_cv_libfwevt=yes AC_CHECK_LIB( fwevt, libfwevt_get_version, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) dnl Channel functions AC_CHECK_LIB( fwevt, libfwevt_channel_initialize, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_channel_free, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_channel_read, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) dnl Event functions AC_CHECK_LIB( fwevt, libfwevt_event_initialize, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_event_free, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_event_read, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_event_get_identifier, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_event_get_message_identifier, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_event_get_template_offset, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) dnl Keyword functions AC_CHECK_LIB( fwevt, 
libfwevt_keyword_initialize, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_keyword_free, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_keyword_read, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) dnl Level functions AC_CHECK_LIB( fwevt, libfwevt_level_initialize, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_level_free, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_level_read, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) dnl Manifest functions AC_CHECK_LIB( fwevt, libfwevt_manifest_initialize, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_manifest_free, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_manifest_read, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_manifest_get_number_of_providers, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_manifest_get_provider_by_index, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_manifest_get_provider_by_identifier, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) dnl Map functions AC_CHECK_LIB( fwevt, libfwevt_map_initialize, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_map_free, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_map_read, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) dnl Opcode functions AC_CHECK_LIB( fwevt, libfwevt_opcode_initialize, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_opcode_free, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_opcode_read, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) dnl Provider functions AC_CHECK_LIB( fwevt, libfwevt_provider_initialize, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_provider_free, 
[ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_provider_read, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_provider_read_channels, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_provider_read_events, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_provider_read_keywords, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_provider_read_levels, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_provider_read_maps, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_provider_read_opcodes, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_provider_read_tasks, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_provider_read_templates, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_provider_compare_identifier, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_provider_get_number_of_channels, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_provider_get_channel, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_provider_get_number_of_events, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_provider_get_event, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_provider_get_event_by_identifier, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_provider_get_number_of_keywords, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_provider_get_keyword, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_provider_get_number_of_levels, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_provider_get_level, [ac_cv_libfwevt_dummy=yes], 
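[ac_cv_libfwevt=no])
        dnl Remaining provider accessors. Each probe link-tests one symbol in
        dnl the shared libfwevt. A missing symbol sets ac_cv_libfwevt=no and
        dnl the caller then falls back to the bundled local copy.
        AC_CHECK_LIB(fwevt, libfwevt_provider_get_number_of_maps, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no])
        AC_CHECK_LIB(fwevt, libfwevt_provider_get_map, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no])
        AC_CHECK_LIB(fwevt, libfwevt_provider_get_number_of_opcodes, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no])
        AC_CHECK_LIB(fwevt, libfwevt_provider_get_opcode, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no])
        AC_CHECK_LIB(fwevt, libfwevt_provider_get_number_of_tasks, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no])
        AC_CHECK_LIB(fwevt, libfwevt_provider_get_task, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no])
        AC_CHECK_LIB(fwevt, libfwevt_provider_get_number_of_templates, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no])
        AC_CHECK_LIB(fwevt, libfwevt_provider_get_template, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no])
        AC_CHECK_LIB(fwevt, libfwevt_provider_get_template_by_offset, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no])

        dnl Task functions
        AC_CHECK_LIB(fwevt, libfwevt_task_initialize, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no])
        AC_CHECK_LIB(fwevt, libfwevt_task_free, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no])
        AC_CHECK_LIB(fwevt, libfwevt_task_read, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no])

        dnl Template functions
        AC_CHECK_LIB(fwevt, libfwevt_template_initialize, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no])
        AC_CHECK_LIB(fwevt, libfwevt_template_free, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no])
        AC_CHECK_LIB(fwevt, libfwevt_template_read, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no])
        AC_CHECK_LIB(fwevt, libfwevt_template_read_xml_document, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no])
        AC_CHECK_LIB(fwevt, libfwevt_template_set_ascii_codepage, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no])
        AC_CHECK_LIB(fwevt, libfwevt_template_get_data, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no])
        dnl The next four probes need the comma after the symbol name.
        dnl Without it m4 joins the symbol and the action-if-found into one
        dnl argument, so the symbol is not probed as intended and
        dnl ac_cv_libfwevt=no moves into the action-if-found position. A shared
        dnl libfwevt lacking these accessors would then still pass configure.
        AC_CHECK_LIB(fwevt, libfwevt_template_set_data, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no])
        AC_CHECK_LIB(fwevt, libfwevt_template_get_offset, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no])
        AC_CHECK_LIB(fwevt, libfwevt_template_set_offset, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no])
        AC_CHECK_LIB(fwevt, libfwevt_template_get_size, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no])

        dnl XML document functions
        AC_CHECK_LIB(fwevt, libfwevt_xml_document_initialize, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no])
        AC_CHECK_LIB(fwevt, libfwevt_xml_document_free, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no])
        AC_CHECK_LIB(fwevt, libfwevt_xml_document_clone, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no])
        AC_CHECK_LIB(fwevt, libfwevt_xml_document_get_root_xml_tag, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no])
        AC_CHECK_LIB(fwevt, libfwevt_xml_document_read, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no])
        AC_CHECK_LIB(fwevt, libfwevt_xml_document_get_utf8_xml_string_size, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no])
        AC_CHECK_LIB(fwevt, libfwevt_xml_document_get_utf8_xml_string, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no])
        AC_CHECK_LIB(fwevt, libfwevt_xml_document_get_utf16_xml_string_size, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no])
        AC_CHECK_LIB(fwevt, libfwevt_xml_document_get_utf16_xml_string, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no])

        dnl XML tag functions
        AC_CHECK_LIB(fwevt, libfwevt_xml_tag_free, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no])
        AC_CHECK_LIB(fwevt, libfwevt_xml_tag_get_utf8_name_size, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no])
        AC_CHECK_LIB(fwevt, libfwevt_xml_tag_get_utf8_name, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no])
        AC_CHECK_LIB(fwevt, libfwevt_xml_tag_get_utf16_name_size, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no])
        AC_CHECK_LIB(fwevt, libfwevt_xml_tag_get_utf16_name, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no])
        AC_CHECK_LIB(fwevt, libfwevt_xml_tag_get_value, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no])
        AC_CHECK_LIB(fwevt, libfwevt_xml_tag_get_number_of_attributes,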
[ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_xml_tag_get_attribute_by_index, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_xml_tag_get_attribute_by_utf8_name, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_xml_tag_get_attribute_by_utf16_name, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_xml_tag_get_number_of_elements, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_xml_tag_get_element_by_index, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_xml_tag_get_element_by_utf8_name, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_xml_tag_get_element_by_utf16_name, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_xml_tag_get_flags, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) dnl XML value functions AC_CHECK_LIB( fwevt, libfwevt_xml_value_free, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_xml_value_get_data_size, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_xml_value_copy_data, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_value_get_data_as_8bit_integer, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_value_get_data_as_32bit_integer, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_value_get_data_as_64bit_integer, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_value_get_data_as_filetime, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_xml_value_get_utf8_string_size, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_xml_value_copy_to_utf8_string, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_xml_value_get_utf16_string_size, 
[ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) AC_CHECK_LIB( fwevt, libfwevt_xml_value_copy_to_utf16_string, [ac_cv_libfwevt_dummy=yes], [ac_cv_libfwevt=no]) ac_cv_libfwevt_LIBADD="-lfwevt"]) ]) AS_IF( [test "x$ac_cv_libfwevt" != xyes && test "x$ac_cv_with_libfwevt" != x && test "x$ac_cv_with_libfwevt" != xauto-detect && test "x$ac_cv_with_libfwevt" != xyes], [AC_MSG_FAILURE( [unable to find supported libfwevt in directory: $ac_cv_with_libfwevt], [1]) ]) ]) AS_IF( [test "x$ac_cv_libfwevt" = xyes], [AC_DEFINE( [HAVE_LIBFWEVT], [1], [Define to 1 if you have the `fwevt' library (-lfwevt).]) ]) AS_IF( [test "x$ac_cv_libfwevt" = xyes], [AC_SUBST( [HAVE_LIBFWEVT], [1]) ], [AC_SUBST( [HAVE_LIBFWEVT], [0]) ]) ]) dnl Function to detect if libfwevt dependencies are available AC_DEFUN([AX_LIBFWEVT_CHECK_LOCAL], [dnl No additional checks. ac_cv_libfwevt_CPPFLAGS="-I../libfwevt -I\$(top_srcdir)/libfwevt"; ac_cv_libfwevt_LIBADD="../libfwevt/libfwevt.la"; ac_cv_libfwevt=local ]) dnl Function to detect how to enable libfwevt AC_DEFUN([AX_LIBFWEVT_CHECK_ENABLE], [AX_COMMON_ARG_WITH( [libfwevt], [libfwevt], [search for libfwevt in includedir and libdir or in the specified DIR, or no if to use local version], [auto-detect], [DIR]) dnl Check for a shared library version AX_LIBFWEVT_CHECK_LIB dnl Check if the dependencies for the local library version AS_IF( [test "x$ac_cv_libfwevt" != xyes], [AX_LIBFWEVT_CHECK_LOCAL AC_DEFINE( [HAVE_LOCAL_LIBFWEVT], [1], [Define to 1 if the local version of libfwevt is used.]) AC_SUBST( [HAVE_LOCAL_LIBFWEVT], [1]) ]) AM_CONDITIONAL( [HAVE_LOCAL_LIBFWEVT], [test "x$ac_cv_libfwevt" = xlocal]) AS_IF( [test "x$ac_cv_libfwevt_CPPFLAGS" != "x"], [AC_SUBST( [LIBFWEVT_CPPFLAGS], [$ac_cv_libfwevt_CPPFLAGS]) ]) AS_IF( [test "x$ac_cv_libfwevt_LIBADD" != "x"], [AC_SUBST( [LIBFWEVT_LIBADD], [$ac_cv_libfwevt_LIBADD]) ]) AS_IF( [test "x$ac_cv_libfwevt" = xyes], [AC_SUBST( [ax_libfwevt_pc_libs_private], [-lfwevt]) ]) AS_IF( [test "x$ac_cv_libfwevt" = xyes], 
[AC_SUBST( [ax_libfwevt_spec_requires], [libfwevt]) AC_SUBST( [ax_libfwevt_spec_build_requires], [libfwevt-devel]) ]) ]) ================================================ FILE: m4/libfwnt.m4 ================================================ dnl Checks for libfwnt required headers and functions dnl dnl Version: 20240519 dnl Function to detect if libfwnt is available dnl ac_libfwnt_dummy is used to prevent AC_CHECK_LIB adding unnecessary -l arguments AC_DEFUN([AX_LIBFWNT_CHECK_LIB], [AS_IF( [test "x$ac_cv_enable_shared_libs" = xno || test "x$ac_cv_with_libfwnt" = xno], [ac_cv_libfwnt=no], [ac_cv_libfwnt=check dnl Check if the directory provided as parameter exists dnl For both --with-libfwnt which returns "yes" and --with-libfwnt= which returns "" dnl treat them as auto-detection. AS_IF( [test "x$ac_cv_with_libfwnt" != x && test "x$ac_cv_with_libfwnt" != xauto-detect && test "x$ac_cv_with_libfwnt" != xyes], [AX_CHECK_LIB_DIRECTORY_EXISTS([libfwnt])], [dnl Check for a pkg-config file AS_IF( [test "x$cross_compiling" != "xyes" && test "x$PKGCONFIG" != "x"], [PKG_CHECK_MODULES( [libfwnt], [libfwnt >= 20191217], [ac_cv_libfwnt=yes], [ac_cv_libfwnt=check]) ]) AS_IF( [test "x$ac_cv_libfwnt" = xyes], [ac_cv_libfwnt_CPPFLAGS="$pkg_cv_libfwnt_CFLAGS" ac_cv_libfwnt_LIBADD="$pkg_cv_libfwnt_LIBS"]) ]) AS_IF( [test "x$ac_cv_libfwnt" = xcheck], [dnl Check for headers AC_CHECK_HEADERS([libfwnt.h]) AS_IF( [test "x$ac_cv_header_libfwnt_h" = xno], [ac_cv_libfwnt=no], [ac_cv_libfwnt=yes AX_CHECK_LIB_FUNCTIONS( [libfwnt], [fwnt], [[libfwnt_get_version], [libfwnt_array_initialize], [libfwnt_security_descriptor_initialize], [libfwnt_security_descriptor_free], [libfwnt_security_descriptor_copy_from_byte_stream], [libfwnt_security_descriptor_get_owner], [libfwnt_security_descriptor_get_group], [libfwnt_security_descriptor_get_discretionary_acl], [libfwnt_security_descriptor_get_system_acl], [libfwnt_security_identifier_initialize], [libfwnt_security_identifier_free], 
[libfwnt_security_identifier_copy_from_byte_stream], [libfwnt_security_identifier_get_string_size], [libfwnt_security_identifier_copy_to_utf8_string], [libfwnt_security_identifier_copy_to_utf8_string_with_index], [libfwnt_security_identifier_copy_to_utf16_string], [libfwnt_security_identifier_copy_to_utf16_string_with_index], [libfwnt_security_identifier_copy_to_utf32_string], [libfwnt_security_identifier_copy_to_utf32_string_with_index], [libfwnt_access_control_list_free], [libfwnt_access_control_list_get_number_of_entries], [libfwnt_access_control_list_get_entry_by_index], [libfwnt_access_control_entry_free], [libfwnt_access_control_entry_get_type], [libfwnt_access_control_entry_get_flags], [libfwnt_access_control_entry_get_access_mask], [libfwnt_access_control_entry_get_security_identifier], [libfwnt_lznt1_decompress], [libfwnt_lzx_decompress], [libfwnt_lzxpress_decompress], [libfwnt_lzxpress_huffman_decompress]]) ac_cv_libfwnt_LIBADD="-lfwnt"]) ]) AX_CHECK_LIB_DIRECTORY_MSG_ON_FAILURE([libfwnt]) ]) AS_IF( [test "x$ac_cv_libfwnt" = xyes], [AC_DEFINE( [HAVE_LIBFWNT], [1], [Define to 1 if you have the `fwnt' library (-lfwnt).]) ]) AS_IF( [test "x$ac_cv_libfwnt" = xyes], [AC_SUBST( [HAVE_LIBFWNT], [1]) ], [AC_SUBST( [HAVE_LIBFWNT], [0]) ]) ]) dnl Function to detect if libfwnt dependencies are available AC_DEFUN([AX_LIBFWNT_CHECK_LOCAL], [dnl No additional checks. 
ac_cv_libfwnt_CPPFLAGS="-I../libfwnt -I\$(top_srcdir)/libfwnt"; ac_cv_libfwnt_LIBADD="../libfwnt/libfwnt.la"; ac_cv_libfwnt=local ]) dnl Function to detect how to enable libfwnt AC_DEFUN([AX_LIBFWNT_CHECK_ENABLE], [AX_COMMON_ARG_WITH( [libfwnt], [libfwnt], [search for libfwnt in includedir and libdir or in the specified DIR, or no if to use local version], [auto-detect], [DIR]) dnl Check for a shared library version AX_LIBFWNT_CHECK_LIB dnl Check if the dependencies for the local library version AS_IF( [test "x$ac_cv_libfwnt" != xyes], [AX_LIBFWNT_CHECK_LOCAL AC_DEFINE( [HAVE_LOCAL_LIBFWNT], [1], [Define to 1 if the local version of libfwnt is used.]) AC_SUBST( [HAVE_LOCAL_LIBFWNT], [1]) ]) AM_CONDITIONAL( [HAVE_LOCAL_LIBFWNT], [test "x$ac_cv_libfwnt" = xlocal]) AS_IF( [test "x$ac_cv_libfwnt_CPPFLAGS" != "x"], [AC_SUBST( [LIBFWNT_CPPFLAGS], [$ac_cv_libfwnt_CPPFLAGS]) ]) AS_IF( [test "x$ac_cv_libfwnt_LIBADD" != "x"], [AC_SUBST( [LIBFWNT_LIBADD], [$ac_cv_libfwnt_LIBADD]) ]) AS_IF( [test "x$ac_cv_libfwnt" = xyes], [AC_SUBST( [ax_libfwnt_pc_libs_private], [-lfwnt]) ]) AS_IF( [test "x$ac_cv_libfwnt" = xyes], [AC_SUBST( [ax_libfwnt_spec_requires], [libfwnt]) AC_SUBST( [ax_libfwnt_spec_build_requires], [libfwnt-devel]) ]) ]) ================================================ FILE: m4/libregf.m4 ================================================ dnl Checks for libregf required headers and functions dnl dnl Version: 20240601 dnl Function to detect if libregf is available dnl ac_libregf_dummy is used to prevent AC_CHECK_LIB adding unnecessary -l arguments AC_DEFUN([AX_LIBREGF_CHECK_LIB], [AS_IF( [test "x$ac_cv_enable_shared_libs" = xno || test "x$ac_cv_with_libregf" = xno], [ac_cv_libregf=no], [ac_cv_libregf=check dnl Check if the directory provided as parameter exists dnl For both --with-libregf which returns "yes" and --with-libregf= which returns "" dnl treat them as auto-detection. 
AS_IF( [test "x$ac_cv_with_libregf" != x && test "x$ac_cv_with_libregf" != xauto-detect && test "x$ac_cv_with_libregf" != xyes], [AX_CHECK_LIB_DIRECTORY_EXISTS([libregf])], [dnl Check for a pkg-config file AS_IF( [test "x$cross_compiling" != "xyes" && test "x$PKGCONFIG" != "x"], [PKG_CHECK_MODULES( [libregf], [libregf >= 20120405], [ac_cv_libregf=yes], [ac_cv_libregf=check]) ]) AS_IF( [test "x$ac_cv_libregf" = xyes], [ac_cv_libregf_CPPFLAGS="$pkg_cv_libregf_CFLAGS" ac_cv_libregf_LIBADD="$pkg_cv_libregf_LIBS"]) ]) AS_IF( [test "x$ac_cv_libregf" = xcheck], [dnl Check for headers AC_CHECK_HEADERS([libregf.h]) AS_IF( [test "x$ac_cv_header_libregf_h" = xno], [ac_cv_libregf=no], [ac_cv_libregf=yes AX_CHECK_LIB_FUNCTIONS( [libregf], [regf], [[libregf_get_version]]) dnl TODO add functions ac_cv_libregf_LIBADD="-lregf"]) ]) AX_CHECK_LIB_DIRECTORY_MSG_ON_FAILURE([libregf]) ]) AS_IF( [test "x$ac_cv_libregf" = xyes], [AC_DEFINE( [HAVE_LIBREGF], [1], [Define to 1 if you have the `regf' library (-lregf).]) ]) AS_IF( [test "x$ac_cv_libregf" = xyes], [AC_SUBST( [HAVE_LIBREGF], [1]) ], [AC_SUBST( [HAVE_LIBREGF], [0]) ]) ]) dnl Function to detect if libregf dependencies are available AC_DEFUN([AX_LIBREGF_CHECK_LOCAL], [dnl Headers included in libregf/libregf_file.h, libregf/libregf_key.h dnl libregf/libregf_key_item_values.h and libregf/libregf_value_item_values.h AC_CHECK_HEADERS([wctype.h]) dnl Functions used in libregf/libregf_file.h, libregf/libregf_key.h dnl libregf/libregf_key_item_values.h and libregf/libregf_value_item_values.h AC_CHECK_FUNCS([towupper]) AS_IF( [test "x$ac_cv_func_towupper" != xyes], [AC_MSG_FAILURE( [Missing function: towupper], [1]) ]) ac_cv_libregf_CPPFLAGS="-I../libregf -I\$(top_srcdir)/libregf"; ac_cv_libregf_LIBADD="../libregf/libregf.la"; ac_cv_libregf=local ]) dnl Function to detect how to enable libregf AC_DEFUN([AX_LIBREGF_CHECK_ENABLE], [AX_COMMON_ARG_WITH( [libregf], [libregf], [search for libregf in includedir and libdir or in the specified DIR, 
or no if to use local version], [auto-detect], [DIR]) dnl Check for a shared library version AX_LIBREGF_CHECK_LIB dnl Check if the dependencies for the local library version AS_IF( [test "x$ac_cv_libregf" != xyes], [AX_LIBREGF_CHECK_LOCAL AC_DEFINE( [HAVE_LOCAL_LIBREGF], [1], [Define to 1 if the local version of libregf is used.]) AC_SUBST( [HAVE_LOCAL_LIBREGF], [1]) ]) AM_CONDITIONAL( [HAVE_LOCAL_LIBREGF], [test "x$ac_cv_libregf" = xlocal]) AS_IF( [test "x$ac_cv_libregf_CPPFLAGS" != "x"], [AC_SUBST( [LIBREGF_CPPFLAGS], [$ac_cv_libregf_CPPFLAGS]) ]) AS_IF( [test "x$ac_cv_libregf_LIBADD" != "x"], [AC_SUBST( [LIBREGF_LIBADD], [$ac_cv_libregf_LIBADD]) ]) AS_IF( [test "x$ac_cv_libregf" = xyes], [AC_SUBST( [ax_libregf_pc_libs_private], [-lregf]) ]) AS_IF( [test "x$ac_cv_libregf" = xyes], [AC_SUBST( [ax_libregf_spec_requires], [libregf]) AC_SUBST( [ax_libregf_spec_build_requires], [libregf-devel]) ]) ]) ================================================ FILE: m4/libuna.m4 ================================================ dnl Checks for libuna or required headers and functions dnl dnl Version: 20240513 dnl Function to detect if libuna is available dnl ac_libuna_dummy is used to prevent AC_CHECK_LIB adding unnecessary -l arguments AC_DEFUN([AX_LIBUNA_CHECK_LIB], [AS_IF( [test "x$ac_cv_enable_shared_libs" = xno || test "x$ac_cv_with_libuna" = xno], [ac_cv_libuna=no], [ac_cv_libuna=check dnl Check if the directory provided as parameter exists dnl For both --with-libuna which returns "yes" and --with-libuna= which returns "" dnl treat them as auto-detection. 
AS_IF( [test "x$ac_cv_with_libuna" != x && test "x$ac_cv_with_libuna" != xauto-detect && test "x$ac_cv_with_libuna" != xyes], [AX_CHECK_LIB_DIRECTORY_EXISTS([libuna])], [dnl Check for a pkg-config file AS_IF( [test "x$cross_compiling" != "xyes" && test "x$PKGCONFIG" != "x"], [PKG_CHECK_MODULES( [libuna], [libuna >= 20230702], [ac_cv_libuna=yes], [ac_cv_libuna=check]) ]) AS_IF( [test "x$ac_cv_libuna" = xyes], [ac_cv_libuna_CPPFLAGS="$pkg_cv_libuna_CFLAGS" ac_cv_libuna_LIBADD="$pkg_cv_libuna_LIBS"]) ]) AS_IF( [test "x$ac_cv_libuna" = xcheck], [dnl Check for headers AC_CHECK_HEADERS([libuna.h]) AS_IF( [test "x$ac_cv_header_libuna_h" = xno], [ac_cv_libuna=no], [ac_cv_libuna=yes AX_CHECK_LIB_FUNCTIONS( [libuna], [una], [[libuna_get_version], [libuna_base16_stream_size_to_byte_stream], [libuna_base16_stream_copy_to_byte_stream], [libuna_base16_stream_size_from_byte_stream], [libuna_base16_stream_copy_from_byte_stream], [libuna_base16_stream_with_index_copy_from_byte_stream], [libuna_base32_quintuplet_copy_from_base32_stream], [libuna_base32_quintuplet_copy_to_base32_stream], [libuna_base32_quintuplet_copy_from_byte_stream], [libuna_base32_quintuplet_copy_to_byte_stream], [libuna_base32_stream_size_to_byte_stream], [libuna_base32_stream_copy_to_byte_stream], [libuna_base32_stream_size_from_byte_stream], [libuna_base32_stream_copy_from_byte_stream], [libuna_base32_stream_with_index_copy_from_byte_stream], [libuna_base64_triplet_copy_from_base64_stream], [libuna_base64_triplet_copy_to_base64_stream], [libuna_base64_triplet_copy_from_byte_stream], [libuna_base64_triplet_copy_to_byte_stream], [libuna_base64_stream_size_to_byte_stream], [libuna_base64_stream_copy_to_byte_stream], [libuna_base64_stream_size_from_byte_stream], [libuna_base64_stream_copy_from_byte_stream], [libuna_base64_stream_with_index_copy_from_byte_stream], [libuna_byte_stream_size_from_utf8], [libuna_byte_stream_copy_from_utf8], [libuna_byte_stream_size_from_utf16], [libuna_byte_stream_copy_from_utf16], 
[libuna_byte_stream_size_from_utf32], [libuna_byte_stream_copy_from_utf32], [libuna_unicode_character_size_to_byte_stream], [libuna_unicode_character_copy_from_byte_stream], [libuna_unicode_character_copy_to_byte_stream], [libuna_unicode_character_size_to_ucs2], [libuna_unicode_character_copy_from_ucs2], [libuna_unicode_character_copy_to_ucs2], [libuna_unicode_character_size_to_ucs4], [libuna_unicode_character_copy_from_ucs4], [libuna_unicode_character_copy_to_ucs4], [libuna_unicode_character_copy_from_utf7_stream], [libuna_unicode_character_copy_to_utf7_stream], [libuna_unicode_character_size_to_utf8], [libuna_unicode_character_copy_from_utf8], [libuna_unicode_character_copy_to_utf8], [libuna_unicode_character_size_to_utf8_rfc2279], [libuna_unicode_character_copy_from_utf8_rfc2279], [libuna_unicode_character_copy_to_utf8_rfc2279], [libuna_unicode_character_size_to_utf16], [libuna_unicode_character_copy_from_utf16], [libuna_unicode_character_copy_to_utf16], [libuna_unicode_character_copy_from_utf16_stream], [libuna_unicode_character_copy_to_utf16_stream], [libuna_unicode_character_copy_from_utf32], [libuna_unicode_character_copy_to_utf32], [libuna_unicode_character_copy_from_utf32_stream], [libuna_unicode_character_copy_to_utf32_stream], [libuna_utf8_stream_size_from_utf8], [libuna_utf8_stream_copy_from_utf8], [libuna_utf8_stream_size_from_utf16], [libuna_utf8_stream_copy_from_utf16], [libuna_utf8_stream_size_from_utf32], [libuna_utf8_stream_copy_from_utf32], [libuna_utf16_stream_size_from_utf8], [libuna_utf16_stream_copy_from_utf8], [libuna_utf16_stream_size_from_utf16], [libuna_utf16_stream_copy_from_utf16], [libuna_utf16_stream_size_from_utf32], [libuna_utf16_stream_copy_from_utf32], [libuna_utf32_stream_size_from_utf8], [libuna_utf32_stream_copy_from_utf8], [libuna_utf32_stream_size_from_utf16], [libuna_utf32_stream_copy_from_utf16], [libuna_utf32_stream_size_from_utf32], [libuna_utf32_stream_copy_from_utf32], [libuna_utf8_string_size_from_byte_stream], 
[libuna_utf8_string_copy_from_byte_stream], [libuna_utf8_string_with_index_copy_from_byte_stream], [libuna_utf8_string_compare_with_byte_stream], [libuna_utf8_string_size_from_utf7_stream], [libuna_utf8_string_copy_from_utf7_stream], [libuna_utf8_string_with_index_copy_from_utf7_stream], [libuna_utf8_string_compare_with_utf7_stream], [libuna_utf8_string_size_from_utf8_stream], [libuna_utf8_string_copy_from_utf8_stream], [libuna_utf8_string_with_index_copy_from_utf8_stream], [libuna_utf8_string_compare_with_utf8_stream], [libuna_utf8_string_size_from_utf16], [libuna_utf8_string_copy_from_utf16], [libuna_utf8_string_with_index_copy_from_utf16], [libuna_utf8_string_compare_with_utf16], [libuna_utf8_string_size_from_utf16_stream], [libuna_utf8_string_copy_from_utf16_stream], [libuna_utf8_string_with_index_copy_from_utf16_stream], [libuna_utf8_string_compare_with_utf16_stream], [libuna_utf8_string_size_from_utf32], [libuna_utf8_string_copy_from_utf32], [libuna_utf8_string_with_index_copy_from_utf32], [libuna_utf8_string_compare_with_utf32], [libuna_utf8_string_size_from_utf32_stream], [libuna_utf8_string_copy_from_utf32_stream], [libuna_utf8_string_with_index_copy_from_utf32_stream], [libuna_utf8_string_compare_with_utf32_stream], [libuna_utf8_string_size_from_scsu_stream], [libuna_utf8_string_copy_from_scsu_stream], [libuna_utf8_string_with_index_copy_from_scsu_stream], [libuna_utf16_string_size_from_byte_stream], [libuna_utf16_string_copy_from_byte_stream], [libuna_utf16_string_with_index_copy_from_byte_stream], [libuna_utf16_string_compare_with_byte_stream], [libuna_utf16_string_size_from_utf7_stream], [libuna_utf16_string_copy_from_utf7_stream], [libuna_utf16_string_with_index_copy_from_utf7_stream], [libuna_utf16_string_compare_with_utf7_stream], [libuna_utf16_string_size_from_utf8], [libuna_utf16_string_copy_from_utf8], [libuna_utf16_string_with_index_copy_from_utf8], [libuna_utf16_string_size_from_utf8_stream], [libuna_utf16_string_copy_from_utf8_stream], 
[libuna_utf16_string_with_index_copy_from_utf8_stream], [libuna_utf16_string_compare_with_utf8_stream], [libuna_utf16_string_size_from_utf16_stream], [libuna_utf16_string_copy_from_utf16_stream], [libuna_utf16_string_with_index_copy_from_utf16_stream], [libuna_utf16_string_compare_with_utf16_stream], [libuna_utf16_string_size_from_utf32], [libuna_utf16_string_copy_from_utf32], [libuna_utf16_string_with_index_copy_from_utf32], [libuna_utf16_string_compare_with_utf32], [libuna_utf16_string_size_from_utf32_stream], [libuna_utf16_string_copy_from_utf32_stream], [libuna_utf16_string_with_index_copy_from_utf32_stream], [libuna_utf16_string_compare_with_utf32_stream], [libuna_utf16_string_size_from_scsu_stream], [libuna_utf16_string_copy_from_scsu_stream], [libuna_utf16_string_with_index_copy_from_scsu_stream], [libuna_utf32_string_size_from_byte_stream], [libuna_utf32_string_copy_from_byte_stream], [libuna_utf32_string_with_index_copy_from_byte_stream], [libuna_utf32_string_compare_with_byte_stream], [libuna_utf32_string_size_from_utf7_stream], [libuna_utf32_string_copy_from_utf7_stream], [libuna_utf32_string_with_index_copy_from_utf7_stream], [libuna_utf32_string_compare_with_utf7_stream], [libuna_utf32_string_size_from_utf8_stream], [libuna_utf32_string_size_from_utf8], [libuna_utf32_string_copy_from_utf8], [libuna_utf32_string_copy_from_utf8_stream], [libuna_utf32_string_with_index_copy_from_utf8_stream], [libuna_utf32_string_compare_with_utf8_stream], [libuna_utf32_string_size_from_utf16], [libuna_utf32_string_copy_from_utf16], [libuna_utf32_string_with_index_copy_from_utf16], [libuna_utf32_string_size_from_utf16_stream], [libuna_utf32_string_copy_from_utf16_stream], [libuna_utf32_string_with_index_copy_from_utf16_stream], [libuna_utf32_string_compare_with_utf16_stream], [libuna_utf32_string_size_from_utf32_stream], [libuna_utf32_string_copy_from_utf32_stream], [libuna_utf32_string_with_index_copy_from_utf32_stream], [libuna_utf32_string_compare_with_utf32_stream], 
[libuna_utf32_string_size_from_scsu_stream], [libuna_utf32_string_copy_from_scsu_stream], [libuna_utf32_string_with_index_copy_from_scsu_stream]]) AX_CHECK_LIB_DEFINITIONS( [libuna], [[LIBUNA_COMPARE_LESS], [LIBUNA_COMPARE_EQUAL], [LIBUNA_COMPARE_GREATER], [LIBUNA_UTF16_STREAM_ALLOW_UNPAIRED_SURROGATE]]) ac_cv_libuna_LIBADD="-luna"]) ]) AX_CHECK_LIB_DIRECTORY_MSG_ON_FAILURE([libuna]) ]) AS_IF( [test "x$ac_cv_libuna" = xyes], [AC_DEFINE( [HAVE_LIBUNA], [1], [Define to 1 if you have the `una' library (-luna).]) ]) AS_IF( [test "x$ac_cv_libuna" = xyes], [AC_SUBST( [HAVE_LIBUNA], [1]) ], [AC_SUBST( [HAVE_LIBUNA], [0]) ]) ]) dnl Function to detect if libuna dependencies are available AC_DEFUN([AX_LIBUNA_CHECK_LOCAL], [dnl No additional checks. ac_cv_libuna_CPPFLAGS="-I../libuna -I\$(top_srcdir)/libuna"; ac_cv_libuna_LIBADD="../libuna/libuna.la"; ac_cv_libuna=local ]) dnl Function to detect how to enable libuna AC_DEFUN([AX_LIBUNA_CHECK_ENABLE], [AX_COMMON_ARG_WITH( [libuna], [libuna], [search for libuna in includedir and libdir or in the specified DIR, or no if to use local version], [auto-detect], [DIR]) dnl Check for a shared library version AX_LIBUNA_CHECK_LIB dnl Check if the dependencies for the local library version AS_IF( [test "x$ac_cv_libuna" != xyes], [AX_LIBUNA_CHECK_LOCAL AC_DEFINE( [HAVE_LOCAL_LIBUNA], [1], [Define to 1 if the local version of libuna is used.]) AC_SUBST( [HAVE_LOCAL_LIBUNA], [1]) ]) AM_CONDITIONAL( [HAVE_LOCAL_LIBUNA], [test "x$ac_cv_libuna" = xlocal]) AS_IF( [test "x$ac_cv_libuna_CPPFLAGS" != "x"], [AC_SUBST( [LIBUNA_CPPFLAGS], [$ac_cv_libuna_CPPFLAGS]) ]) AS_IF( [test "x$ac_cv_libuna_LIBADD" != "x"], [AC_SUBST( [LIBUNA_LIBADD], [$ac_cv_libuna_LIBADD]) ]) AS_IF( [test "x$ac_cv_libuna" = xyes], [AC_SUBST( [ax_libuna_pc_libs_private], [-luna]) ]) AS_IF( [test "x$ac_cv_libuna" = xyes], [AC_SUBST( [ax_libuna_spec_requires], [libuna]) AC_SUBST( [ax_libuna_spec_build_requires], [libuna-devel]) ]) ]) 
================================================
FILE: m4/libwrc.m4
================================================
dnl Checks for libwrc required headers and functions
dnl
dnl Version: 20240601

dnl Function to detect if libwrc is available
dnl ac_libwrc_dummy is used to prevent AC_CHECK_LIB adding unnecessary -l arguments
dnl NOTE(review): ac_libwrc_dummy is not referenced in this file; presumably it is
dnl used inside AX_CHECK_LIB_FUNCTIONS, confirm against the common macros.
dnl
dnl Result is left in ac_cv_libwrc:
dnl   no    shared libraries are disabled, ac_cv_with_libwrc is no, or libwrc.h
dnl         was not found
dnl   yes   pkg-config found libwrc >= 20211231, or libwrc.h was found
dnl   check initial state while detection is still running
dnl On yes, HAVE_LIBWRC is defined and substituted as 1, otherwise substituted as 0.
dnl
dnl NOTE(review): the minimum version 20211231 is only enforced on the pkg-config
dnl path. The header and function fallback, which is also the only path taken when
dnl cross compiling or when PKGCONFIG is empty, probes for the presence of the
dnl listed symbols and does not compare a version, so an older installed libwrc
dnl that exports them is accepted. What AX_CHECK_LIB_FUNCTIONS does when a symbol
dnl is missing is not visible here, confirm.
AC_DEFUN([AX_LIBWRC_CHECK_LIB],
  [AS_IF(
    [test "x$ac_cv_enable_shared_libs" = xno || test "x$ac_cv_with_libwrc" = xno],
    [ac_cv_libwrc=no],
    [ac_cv_libwrc=check
    dnl Check if the directory provided as parameter exists
    dnl For both --with-libwrc which returns "yes" and --with-libwrc= which returns ""
    dnl treat them as auto-detection.
    AS_IF(
      [test "x$ac_cv_with_libwrc" != x && test "x$ac_cv_with_libwrc" != xauto-detect && test "x$ac_cv_with_libwrc" != xyes],
      [AX_CHECK_LIB_DIRECTORY_EXISTS([libwrc])],
      [dnl Check for a pkg-config file
      dnl Skipped when cross compiling or when PKGCONFIG is empty
      AS_IF(
        [test "x$cross_compiling" != "xyes" && test "x$PKGCONFIG" != "x"],
        [PKG_CHECK_MODULES(
          [libwrc],
          [libwrc >= 20211231],
          [ac_cv_libwrc=yes],
          [ac_cv_libwrc=check])
        ])
      dnl Take the compiler and linker flags from pkg-config when it found libwrc
      AS_IF(
        [test "x$ac_cv_libwrc" = xyes],
        [ac_cv_libwrc_CPPFLAGS="$pkg_cv_libwrc_CFLAGS"
        ac_cv_libwrc_LIBADD="$pkg_cv_libwrc_LIBS"])
      ])

    dnl Still undecided: fall back to probing the header and the exported functions
    AS_IF(
      [test "x$ac_cv_libwrc" = xcheck],
      [dnl Check for headers
      AC_CHECK_HEADERS([libwrc.h])

      AS_IF(
        [test "x$ac_cv_header_libwrc_h" = xno],
        [ac_cv_libwrc=no],
        [ac_cv_libwrc=yes

        AX_CHECK_LIB_FUNCTIONS(
          [libwrc],
          [wrc],
          [[libwrc_get_version],
           [libwrc_stream_initialize],
           [libwrc_stream_free],
           [libwrc_stream_signal_abort],
           [libwrc_stream_open],
           [libwrc_stream_close],
           [libwrc_stream_set_ascii_codepage],
           [libwrc_stream_get_virtual_address],
           [libwrc_stream_set_virtual_address],
           [libwrc_stream_get_number_of_resources],
           [libwrc_stream_get_resource_by_index],
           [libwrc_stream_get_resource_by_identifier],
           [libwrc_stream_get_resource_by_type],
           [libwrc_stream_get_resource_by_utf8_name],
           [libwrc_stream_get_resource_by_utf16_name],
           [libwrc_resource_free],
           [libwrc_resource_get_identifier],
           [libwrc_resource_get_utf8_name_size],
           [libwrc_resource_get_utf8_name],
           [libwrc_resource_get_utf16_name_size],
           [libwrc_resource_get_utf16_name],
           [libwrc_resource_get_type],
           [libwrc_resource_get_number_of_languages],
           [libwrc_resource_get_language_identifier],
           [libwrc_resource_get_number_of_items],
           [libwrc_resource_get_item_by_index],
           [libwrc_resource_item_free],
           [libwrc_resource_item_get_identifier],
           [libwrc_resource_item_get_utf8_name_size],
           [libwrc_resource_item_get_utf8_name],
           [libwrc_resource_item_get_utf16_name_size],
           [libwrc_resource_item_get_utf16_name],
           [libwrc_resource_item_read_buffer],
           [libwrc_resource_item_read_buffer_at_offset],
           [libwrc_resource_item_seek_offset],
           [libwrc_resource_item_get_offset],
           [libwrc_resource_item_get_size],
           [libwrc_resource_item_get_number_of_sub_items],
           [libwrc_resource_item_get_sub_item_by_index],
           [libwrc_message_table_resource_initialize],
           [libwrc_message_table_resource_free],
           [libwrc_message_table_resource_read],
           [libwrc_message_table_resource_get_number_of_messages],
           [libwrc_message_table_resource_get_identifier],
           [libwrc_message_table_resource_get_index_by_identifier],
           [libwrc_message_table_resource_get_utf8_string_size],
           [libwrc_message_table_resource_get_utf8_string],
           [libwrc_message_table_resource_get_utf16_string_size],
           [libwrc_message_table_resource_get_utf16_string],
           [libwrc_mui_resource_initialize],
           [libwrc_mui_resource_free],
           [libwrc_mui_resource_read],
           [libwrc_mui_resource_get_file_type],
           [libwrc_mui_resource_get_utf8_main_name_size],
           [libwrc_mui_resource_get_utf8_main_name],
           [libwrc_mui_resource_get_utf16_main_name_size],
           [libwrc_mui_resource_get_utf16_main_name],
           [libwrc_mui_resource_get_utf8_mui_name_size],
           [libwrc_mui_resource_get_utf8_mui_name],
           [libwrc_mui_resource_get_utf16_mui_name_size],
           [libwrc_mui_resource_get_utf16_mui_name],
           [libwrc_mui_resource_get_utf8_language_size],
           [libwrc_mui_resource_get_utf8_language],
           [libwrc_mui_resource_get_utf16_language_size],
           [libwrc_mui_resource_get_utf16_language],
           [libwrc_mui_resource_get_utf8_fallback_language_size],
           [libwrc_mui_resource_get_utf8_fallback_language],
           [libwrc_mui_resource_get_utf16_fallback_language_size],
           [libwrc_mui_resource_get_utf16_fallback_language]])

        dnl The wide character open function is only probed when wide character
        dnl support is not disabled
        AS_IF(
          [test "x$ac_cv_enable_wide_character_type" != xno],
          [AX_CHECK_LIB_FUNCTIONS(
            [libwrc],
            [wrc],
            [[libwrc_stream_open_wide]])
          ])

        dnl TODO add functions

        ac_cv_libwrc_LIBADD="-lwrc"])
      ])

    AX_CHECK_LIB_DIRECTORY_MSG_ON_FAILURE([libwrc])
    ])

  dnl Publish the result to config.h
  AS_IF(
    [test "x$ac_cv_libwrc" = xyes],
    [AC_DEFINE(
      [HAVE_LIBWRC],
      [1],
      [Define to 1 if you have the `wrc' library (-lwrc).])
    ])

  dnl Publish the result as an output variable, 1 for a system libwrc and 0 otherwise
  AS_IF(
    [test "x$ac_cv_libwrc" = xyes],
    [AC_SUBST(
      [HAVE_LIBWRC],
      [1]) ],
    [AC_SUBST(
      [HAVE_LIBWRC],
      [0])
    ])
  ])

dnl Function to detect if libwrc dependencies are available
dnl No checks are made; it points the include path and the libtool archive at the
dnl libwrc directory inside the source tree and sets ac_cv_libwrc to local.
AC_DEFUN([AX_LIBWRC_CHECK_LOCAL],
  [ac_cv_libwrc_CPPFLAGS="-I../libwrc -I\$(top_srcdir)/libwrc";
  ac_cv_libwrc_LIBADD="../libwrc/libwrc.la";

  ac_cv_libwrc=local
  ])

dnl Function to detect how to enable libwrc
dnl
dnl Runs AX_LIBWRC_CHECK_LIB and selects the local copy through
dnl AX_LIBWRC_CHECK_LOCAL whenever the result is anything other than yes, which
dnl includes ac_cv_with_libwrc=no and disabled shared libraries.
dnl Outputs: HAVE_LOCAL_LIBWRC as define, output variable and automake conditional,
dnl LIBWRC_CPPFLAGS and LIBWRC_LIBADD when non-empty, and, for a system libwrc only,
dnl the pkg-config and spec file substitutions.
dnl NOTE(review): presumably AX_COMMON_ARG_WITH registers --with-libwrc and stores
dnl the value in ac_cv_with_libwrc; that macro is not visible here, confirm.
AC_DEFUN([AX_LIBWRC_CHECK_ENABLE],
  [AX_COMMON_ARG_WITH(
    [libwrc],
    [libwrc],
    [search for libwrc in includedir and libdir or in the specified DIR, or no if to use local version],
    [auto-detect],
    [DIR])

  dnl Check for a shared library version
  AX_LIBWRC_CHECK_LIB

  dnl Use the local library version when no system libwrc was accepted
  AS_IF(
    [test "x$ac_cv_libwrc" != xyes],
    [AX_LIBWRC_CHECK_LOCAL

    AC_DEFINE(
      [HAVE_LOCAL_LIBWRC],
      [1],
      [Define to 1 if the local version of libwrc is used.])
    AC_SUBST(
      [HAVE_LOCAL_LIBWRC],
      [1])
    ])

  AM_CONDITIONAL(
    [HAVE_LOCAL_LIBWRC],
    [test "x$ac_cv_libwrc" = xlocal])
  AS_IF(
    [test "x$ac_cv_libwrc_CPPFLAGS" != "x"],
    [AC_SUBST(
      [LIBWRC_CPPFLAGS],
      [$ac_cv_libwrc_CPPFLAGS])
    ])
  AS_IF(
    [test "x$ac_cv_libwrc_LIBADD" != "x"],
    [AC_SUBST(
      [LIBWRC_LIBADD],
      [$ac_cv_libwrc_LIBADD])
    ])

  dnl Only a system libwrc is listed as a private library of the pkg-config file
  AS_IF(
    [test "x$ac_cv_libwrc" = xyes],
    [AC_SUBST(
      [ax_libwrc_pc_libs_private],
      [-lwrc])
    ])

  dnl Only a system libwrc is listed as a requirement in the spec file
  AS_IF(
    [test "x$ac_cv_libwrc" = xyes],
    [AC_SUBST(
      [ax_libwrc_spec_requires],
      [libwrc])
    AC_SUBST(
      [ax_libwrc_spec_build_requires],
      [libwrc-devel])
    ])
  ])
================================================ FILE: m4/pthread.m4 ================================================ dnl Functions for pthread dnl dnl Version: 20240513 dnl Function to detect if pthread is available AC_DEFUN([AX_PTHREAD_CHECK_LIB], [AS_IF( [test "x$ac_cv_enable_shared_libs" = xno || test "x$ac_cv_with_pthread" = xno], [ac_cv_pthread=no], [ac_cv_pthread=check dnl Check if parameters were provided dnl For both --with-pthread which returns "yes" and --with-pthread= which returns "" dnl treat them as auto-detection. AS_IF( [test "x$ac_cv_with_pthread" != x && test "x$ac_cv_with_pthread" != xauto-detect && test "x$ac_cv_with_pthread" != xyes], [AX_CHECK_LIB_DIRECTORY_EXISTS([pthread])]) ]) AS_IF( [test "x$ac_cv_pthread" = xcheck], [dnl Check for headers AC_CHECK_HEADERS([pthread.h]) AS_IF( [test "x$ac_cv_header_pthread_h" = xno], [ac_cv_pthread=no], [ac_cv_pthread=yes AX_CHECK_LIB_FUNCTIONS( [pthread], [pthread], [[pthread_create], [pthread_exit], [pthread_join], [pthread_cond_init], [pthread_cond_destroy], [pthread_cond_broadcast], [pthread_cond_signal], [pthread_cond_wait], [pthread_mutex_init], [pthread_mutex_destroy], [pthread_mutex_lock], [pthread_mutex_trylock], [pthread_mutex_unlock], [pthread_rwlock_init], [pthread_rwlock_destroy], [pthread_rwlock_rdlock], [pthread_rwlock_wrlock], [pthread_rwlock_unlock]]) ac_cv_pthread_LIBADD="-lpthread" ]) AX_CHECK_LIB_DIRECTORY_MSG_ON_FAILURE([pthread]) ]) AS_IF( [test "x$ac_cv_pthread" = xpthread], [AC_DEFINE( [HAVE_PTHREAD], [1], [Define to 1 if you have the 'pthread' library (-lpthread).]) ]) AS_IF( [test "x$ac_cv_pthread" != xno], [AC_SUBST( [HAVE_PTHREAD], [1]) ], [AC_SUBST( [HAVE_PTHREAD], [0]) ]) ]) dnl Function to detect how to enable pthread AC_DEFUN([AX_PTHREAD_CHECK_ENABLE], [AX_COMMON_ARG_WITH( [pthread], [pthread], [search for pthread in includedir and libdir or in the specified DIR, or no if not to use pthread], [auto-detect], [DIR]) dnl Check for a shared library version AX_PTHREAD_CHECK_LIB 
AS_IF( [test "x$ac_cv_pthread_CPPFLAGS" != "x"], [AC_SUBST( [PTHREAD_CPPFLAGS], [$ac_cv_pthread_CPPFLAGS]) ]) AS_IF( [test "x$ac_cv_pthread_LIBADD" != "x"], [AC_SUBST( [PTHREAD_LIBADD], [$ac_cv_pthread_LIBADD]) ]) AS_IF( [test "x$ac_cv_pthread" = xpthread], [AC_SUBST( [ax_pthread_pc_libs_private], [-lpthread]) ]) ]) ================================================ FILE: m4/python.m4 ================================================ dnl Functions for Python bindings dnl dnl Version: 20251125 dnl Function to check if the python binary is available dnl "python${PYTHON_VERSION} python python# python#.#" AC_DEFUN([AX_PROG_PYTHON], [AS_IF( [test "x${PYTHON_VERSION}" != x], [ax_python_progs="python${PYTHON_VERSION}"], [ax_python_progs="python python3 python3.15 python3.14 python3.14 python3.12 python3.11 python3.10 python3.9 python3.8 python3.7 python3.6 python3.5 python3.4 python3.3 python3.2 python3.1 python3.0 python2 python2.7 python2.6 python2.5"]) AC_CHECK_PROGS( [PYTHON], [$ax_python_progs]) AS_IF( [test "x${PYTHON}" != x], [ax_prog_python_version=`${PYTHON} -c "import sys; sys.stdout.write('%d.%d' % (sys.version_info[[0]], sys.version_info[[1]]))" 2>/dev/null`; ax_prog_python_platform=`${PYTHON} -c "import sys; sys.stdout.write(sys.platform)" 2>/dev/null`; AC_SUBST( [PYTHON_PLATFORM], [$ax_prog_python_platform]) ], [AC_MSG_ERROR( [Unable to find python]) ]) AC_SUBST( [PYTHON], [$PYTHON]) ]) dnl Function to check if the python-config binary is available dnl "python${PYTHON_VERSION}-config python-config" AC_DEFUN([AX_PROG_PYTHON_CONFIG], [AS_IF( [test "x${PYTHON_CONFIG}" = x && test "x${PYTHON_VERSION}" != x], [AC_CHECK_PROGS( [PYTHON_CONFIG], [python${PYTHON_VERSION}-config]) ]) AS_IF( [test "x${PYTHON_CONFIG}" = x], [AC_CHECK_PROGS( [PYTHON_CONFIG], [python-config python3-config python3.12-config python3.11-config python3.10-config python3.9-config python3.8-config python3.7-config python3.6-config python3.5-config python3.4-config python3.3-config python3.2-config 
python3.1-config python3.0-config python2-config python2.7-config python2.6-config python2.5-config]) ]) AS_IF( [test "x${PYTHON_CONFIG}" = x], [AC_MSG_ERROR( [Unable to find python-config]) ]) AC_SUBST( [PYTHON_CONFIG], [$PYTHON_CONFIG]) ]) dnl Function to detect if a Python build environment is available AC_DEFUN([AX_PYTHON_CHECK], [AX_PROG_PYTHON AX_PROG_PYTHON_CONFIG AS_IF( [test "x${PYTHON_CONFIG}" != x], [dnl Check for Python includes PYTHON_INCLUDES=`${PYTHON_CONFIG} --includes 2>/dev/null`; AC_MSG_CHECKING( [for Python includes]) AC_MSG_RESULT( [$PYTHON_INCLUDES]) dnl Check for Python libraries PYTHON_LDFLAGS=`${PYTHON_CONFIG} --ldflags 2>/dev/null`; AC_MSG_CHECKING( [for Python libraries]) AC_MSG_RESULT( [$PYTHON_LDFLAGS]) dnl For CygWin and MinGW add the -no-undefined linker flag AS_CASE( [$build], [*-*-cygwin*],[PYTHON_LDFLAGS="${PYTHON_LDFLAGS} -no-undefined"], [*-*-mingw*],[PYTHON_LDFLAGS="${PYTHON_LDFLAGS} -no-undefined"], [*-*-msys*],[PYTHON_LDFLAGS="${PYTHON_LDFLAGS} -no-undefined"], [*],[]) dnl Check for the existence of Python.h BACKUP_CPPFLAGS="${CPPFLAGS}" CPPFLAGS="${CPPFLAGS} ${PYTHON_INCLUDES}" AC_CHECK_HEADERS( [Python.h], [ac_cv_header_python_h=yes], [ac_cv_header_python_h=no]) CPPFLAGS="${BACKUP_CPPFLAGS}" ]) AS_IF( [test "x${ac_cv_header_python_h}" != xyes], [ac_cv_enable_python=no], [ac_cv_enable_python=${ax_prog_python_version} AC_SUBST( [PYTHON_CPPFLAGS], [$PYTHON_INCLUDES]) AC_SUBST( [PYTHON_LDFLAGS], [$PYTHON_LDFLAGS]) dnl Check for Python prefix AS_IF( [test "x${ac_cv_with_pyprefix}" = x || test "x${ac_cv_with_pyprefix}" = xno], [ax_python_prefix="\${prefix}"], [ax_python_prefix=`${PYTHON_CONFIG} --prefix 2>/dev/null`]) AC_SUBST( [PYTHON_PREFIX], [$ax_python_prefix]) dnl Check for Python exec-prefix AS_IF( [test "x${ac_cv_with_pyprefix}" = x || test "x${ac_cv_with_pyprefix}" = xno], [ax_python_exec_prefix="\${exec_prefix}"], [ax_python_exec_prefix=`${PYTHON_CONFIG} --exec-prefix 2>/dev/null`]) AC_SUBST( [PYTHON_EXEC_PREFIX], 
[$ax_python_exec_prefix]) dnl Check for Python library directory ax_python_pythondir_suffix=`${PYTHON} -c "import sys; import distutils.sysconfig; sys.stdout.write(distutils.sysconfig.get_python_lib(0, 0, prefix=''))" 2>/dev/null`; AS_IF( [test "x${ac_cv_with_pythondir}" = x || test "x${ac_cv_with_pythondir}" = xno], [AS_IF( [test "x${ac_cv_with_pyprefix}" = x || test "x${ac_cv_with_pyprefix}" = xno], [ax_python_pythondir="${ax_python_prefix}/${ax_python_pythondir_suffix}"], [ax_python_pythondir=`${PYTHON} -c "import sys; import distutils.sysconfig; sys.stdout.write(distutils.sysconfig.get_python_lib()) " 2>/dev/null`])], [ax_python_pythondir=$ac_cv_with_pythondir]) AC_SUBST( [pythondir], [$ax_python_pythondir]) dnl Check for Python platform specific library directory ax_python_pyexecdir_suffix=`${PYTHON} -c "import sys; import distutils.sysconfig; sys.stdout.write(distutils.sysconfig.get_python_lib(1, 0, prefix=''))" 2>/dev/null`; ax_python_library_dir=`${PYTHON} -c "import sys; import distutils.sysconfig; sys.stdout.write(distutils.sysconfig.get_python_lib(True)) " 2>/dev/null`; AS_IF( [test "x${ac_cv_with_pyprefix}" = x || test "x${ac_cv_with_pyprefix}" = xno], [ax_python_pyexecdir="${ax_python_exec_prefix}/${ax_python_pyexecdir_suffix}"], [ax_python_pyexecdir=$ax_python_library_dir]) AC_SUBST( [pyexecdir], [$ax_python_pyexecdir]) AC_SUBST( [PYTHON_LIBRARY_DIR], [$ax_python_pyexecdir_suffix]) AC_SUBST( [PYTHON_PACKAGE_DIR], [$ax_python_library_dir]) ]) ]) dnl Function to determine the prefix of pythondir AC_DEFUN([AX_PYTHON_CHECK_PYPREFIX], [AX_COMMON_ARG_WITH( [pyprefix], [pyprefix], [use `python-config --prefix' to determine the prefix of pythondir instead of --prefix], [no], [no]) ]) dnl Function to detect if to enable Python AC_DEFUN([AX_PYTHON_CHECK_ENABLE], [AX_PYTHON_CHECK_PYPREFIX AX_COMMON_ARG_ENABLE( [python], [python], [build Python bindings], [no]) AX_COMMON_ARG_WITH( [pythondir], [pythondir], [use to specify the Python directory (pythondir)], [no], 
[no]) AS_IF( [test "x${ac_cv_enable_python}" != xno], [AX_PYTHON_CHECK]) AM_CONDITIONAL( HAVE_PYTHON, [test "x${ac_cv_enable_python}" != xno]) AM_CONDITIONAL( HAVE_PYTHON_TESTS, [test "x${ac_cv_enable_python}" != xno]) ]) ]) ================================================ FILE: m4/tests.m4 ================================================ dnl Functions for testing dnl dnl Version: 20200712 dnl Function to detect if tests dependencies are available AC_DEFUN([AX_TESTS_CHECK_LOCAL], [AC_CHECK_HEADERS([dlfcn.h]) AC_CHECK_FUNCS([fmemopen getopt mkstemp setenv tzset unlink]) AC_CHECK_LIB( dl, dlsym) AS_IF( [test "x$lt_cv_prog_gnu_ld" = xyes && test "x$ac_cv_lib_dl_dlsym" = xyes], [AC_DEFINE( [HAVE_GNU_DL_DLSYM], [1], [Define to 1 if dlsym function is available in GNU dl.]) ]) ]) dnl Function to detect if OSS-Fuzz build environment is available AC_DEFUN([AX_TESTS_CHECK_OSSFUZZ], [AM_CONDITIONAL( HAVE_LIB_FUZZING_ENGINE, [test "x${LIB_FUZZING_ENGINE}" != x]) AC_SUBST( [LIB_FUZZING_ENGINE], ["${LIB_FUZZING_ENGINE}"]) ]) ================================================ FILE: m4/types.m4 ================================================ dnl Functions for type definitions dnl dnl Version: 20180727 dnl Function to detect if type definitions are available AC_DEFUN([AX_TYPES_CHECK_LOCAL], [AS_IF( [test "x$ac_cv_enable_winapi" = xyes], [ac_cv_enable_wide_character_type=yes]) AS_IF( [test "x$ac_cv_enable_wide_character_type" = xyes], [AC_DEFINE( [HAVE_WIDE_CHARACTER_TYPE], [1], [Define to 1 if wide character type should be used.]) AC_SUBST( [HAVE_WIDE_CHARACTER_TYPE], [1]) ], [AC_SUBST( [HAVE_WIDE_CHARACTER_TYPE], [0]) ]) AC_CHECK_HEADERS([sys/types.h inttypes.h stdint.h wchar.h]) AS_IF( [test "x$ac_cv_header_sys_types_h" = xyes], [AC_SUBST( [HAVE_SYS_TYPES_H], [1])], [AC_SUBST( [HAVE_SYS_TYPES_H], [0]) ]) AS_IF( [test "x$ac_cv_header_inttypes_h" = xyes], [AC_SUBST( [HAVE_INTTYPES_H], [1])], [AC_SUBST( [HAVE_INTTYPES_H], [0]) ]) AS_IF( [test "x$ac_cv_header_stdint_h" = xyes], 
[AC_SUBST( [HAVE_STDINT_H], [1])], [AC_SUBST( [HAVE_STDINT_H], [0]) ]) AS_IF( [test "x$ac_cv_header_wchar_h" = xyes], [AC_SUBST( [HAVE_WCHAR_H], [1]) ], [AC_SUBST( [HAVE_WCHAR_H], [0]) ]) AC_TYPE_MODE_T AC_TYPE_OFF_T AC_TYPE_SIZE_T AC_CHECK_TYPE( [size32_t], [AC_SUBST( [HAVE_SIZE32_T], [1])], [AC_SUBST( [HAVE_SIZE32_T], [0]) ]) AC_CHECK_TYPE( [ssize32_t], [AC_SUBST( [HAVE_SSIZE32_T], [1])], [AC_SUBST( [HAVE_SSIZE32_T], [0]) ]) AC_CHECK_TYPE( [size64_t], [AC_SUBST( [HAVE_SIZE64_T], [1])], [AC_SUBST( [HAVE_SIZE64_T], [0]) ]) AC_CHECK_TYPE( [ssize64_t], [AC_SUBST( [HAVE_SSIZE64_T], [1])], [AC_SUBST( [HAVE_SSIZE64_T], [0]) ]) AC_CHECK_TYPE( [off64_t], [AC_SUBST( [HAVE_OFF64_T], [1])], [AC_SUBST( [HAVE_OFF64_T], [0]) ]) AC_CHECK_TYPE([ssize_t]) AC_CHECK_TYPE([u64]) AC_CHECK_SIZEOF([int]) AC_CHECK_SIZEOF([long]) AC_CHECK_SIZEOF([off_t]) AC_CHECK_SIZEOF([size_t]) AS_IF( [test "x$ac_cv_header_wchar_h" = xyes], [AC_CHECK_SIZEOF([wchar_t])]) ]) ================================================ FILE: manuals/Makefile.am ================================================ man_MANS = \ evtxexport.1 \ evtxinfo.1 \ libevtx.3 EXTRA_DIST = \ evtxexport.1 \ evtxinfo.1 \ libevtx.3 DISTCLEANFILES = \ Makefile \ Makefile.in ================================================ FILE: manuals/evtxexport.1 ================================================ .Dd April 14, 2019 .Dt evtxexport .Os libevtx .Sh NAME .Nm evtxexport .Nd exports items stored in a Windows XML EventViewer Log (EVTX) file .Sh SYNOPSIS .Nm evtxexport .Op Fl c Ar codepage .Op Fl f Ar format .Op Fl l Ar log_file .Op Fl m Ar mode .Op Fl p Ar message_files_path .Op Fl r Ar registy_files_path .Op Fl s Ar system_file .Op Fl S Ar software_file .Op Fl t Ar event_log_type .Op Fl hTvV .Ar source .Sh DESCRIPTION .Nm evtxexport is a utility to export items stored in a Windows XML EventViewer Log (EVTX) file .Pp .Nm evtxexport is part of the .Nm libevtx package. 
.Nm libevtx is a library to access the Windows XML EventViewer Log (EVTX) file .Pp .Ar source is the source file. .Pp The options are as follows: .Bl -tag -width Ds .It Fl c Ar codepage specify the codepage of ASCII strings, options: ascii, windows-874, windows-932, windows-936, windows-949, windows-950, windows-1250, windows-1251, windows-1252 (default), windows-1253, windows-1254, windows-1255, windows-1256, windows-1257 or windows-1258 .It Fl f Ar format output format, options: xml, text (default) .It Fl h shows this help .It Fl l Ar log_file specify the file in which to log information about the exported items .It Fl m Ar mode export mode, options: all, items (default), recovered. 'all' exports the (allocated) items and recovered items, 'items' exports the (allocated) items and 'recovered' exports the recovered items .It Fl p Ar message_files_path search PATH for the resource files (default is the current working directory) .It Fl r Ar registry_files_path name of the directory containing the SOFTWARE and SYSTEM (Windows) Registry files .It Fl s Ar system_file filename of the SYSTEM (Windows) Registry file. This option overrides the path provided by \-r .It Fl S Ar software_file filename of the SOFTWARE (Windows) Registry file. This option overrides the path provided by \-r .It Fl t Ar event_log_type event log type, options: application, security, system. If not specified, the event log type is determined based on the filename. .It Fl T use event template definitions to parse the event record data .It Fl v verbose output to stderr .It Fl V print version .El .Sh ENVIRONMENT None .Sh FILES None .Sh EXAMPLES .Bd -literal # evtxexport evtxexport -p c/ -r c/Windows/System32/config/ c/Windows/System32/winevt/Logs/Application.Evtx evtxexport 20120910 .sp .Dl ... .sp .Ed .Sh DIAGNOSTICS Errors, verbose and debug output are printed to stderr when verbose output \-v is enabled. Verbose and debug output are only printed when enabled at compilation.
.Sh BUGS Please report bugs of any kind on the project website: https://github.com/libyal/libevtx/ .Sh AUTHOR These man pages were written by Joachim Metz. .Sh COPYRIGHT Copyright (C) 2011-2025, Joachim Metz. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. .Sh SEE ALSO .Xr evtxinfo 1 ================================================ FILE: manuals/evtxinfo.1 ================================================ .Dd April 14, 2019 .Dt evtxinfo .Os libevtx .Sh NAME .Nm evtxinfo .Nd determines information about a Windows XML EventViewer Log (EVTX) file .Sh SYNOPSIS .Nm evtxinfo .Op Fl c Ar codepage .Op Fl hvV .Ar source .Sh DESCRIPTION .Nm evtxinfo is a utility to determine information about a Windows XML EventViewer Log (EVTX) file .Pp .Nm evtxinfo is part of the .Nm libevtx package. .Nm libevtx is a library to access the Windows XML EventViewer Log (EVTX) format .Pp .Ar source is the source file. .Pp The options are as follows: .Bl -tag -width Ds .It Fl c Ar codepage specify the codepage of ASCII strings, options: ascii, windows-874, windows-932, windows-936, windows-949, windows-950, windows-1250, windows-1251, windows-1252 (default), windows-1253, windows-1254, windows-1255, windows-1256, windows-1257 or windows-1258 .It Fl h shows this help .It Fl v verbose output to stderr .It Fl V print version .El .Sh ENVIRONMENT None .Sh FILES None .Sh EXAMPLES .Bd -literal .Dl ... .sp .Ed .Sh DIAGNOSTICS Errors, verbose and debug output are printed to stderr when verbose output \-v is enabled. Verbose and debug output are only printed when enabled at compilation. .Sh BUGS Please report bugs of any kind on the project website: https://github.com/libyal/libevtx/ .Sh AUTHOR These man pages were written by Joachim Metz. .Sh COPYRIGHT Copyright (C) 2011-2025, Joachim Metz.
.Sh SEE ALSO ================================================ FILE: manuals/libevtx.3 ================================================ .Dd May 4, 2024 .Dt libevtx 3 .Os libevtx .Sh NAME .Nm libevtx.h .Nd Library to access the Windows XML Event Log (EVTX) format .Sh SYNOPSIS .In libevtx.h .Pp Support functions .Ft const char * .Fn libevtx_get_version "void" .Ft int .Fn libevtx_get_access_flags_read "void" .Ft int .Fn libevtx_get_codepage "int *codepage" "libevtx_error_t **error" .Ft int .Fn libevtx_set_codepage "int codepage" "libevtx_error_t **error" .Ft int .Fn libevtx_check_file_signature "const char *filename" "libevtx_error_t **error" .Pp Available when compiled with wide character string support: .Ft int .Fn libevtx_check_file_signature_wide "const wchar_t *filename" "libevtx_error_t **error" .Pp Available when compiled with libbfio support: .Ft int .Fn libevtx_check_file_signature_file_io_handle "libbfio_handle_t *bfio_handle" "libevtx_error_t **error" .Pp Notify functions .Ft void .Fn libevtx_notify_set_verbose "int verbose" .Ft int .Fn libevtx_notify_set_stream "FILE *stream" "libevtx_error_t **error" .Ft int .Fn libevtx_notify_stream_open "const char *filename" "libevtx_error_t **error" .Ft int .Fn libevtx_notify_stream_close "libevtx_error_t **error" .Pp Error functions .Ft void .Fn libevtx_error_free "libevtx_error_t **error" .Ft int .Fn libevtx_error_fprint "libevtx_error_t *error" "FILE *stream" .Ft int .Fn libevtx_error_sprint "libevtx_error_t *error" "char *string" "size_t size" .Ft int .Fn libevtx_error_backtrace_fprint "libevtx_error_t *error" "FILE *stream" .Ft int .Fn libevtx_error_backtrace_sprint "libevtx_error_t *error" "char *string" "size_t size" .Pp File functions .Ft int .Fn libevtx_file_initialize "libevtx_file_t **file" "libevtx_error_t **error" .Ft int .Fn libevtx_file_free "libevtx_file_t **file" "libevtx_error_t **error" .Ft int .Fn libevtx_file_signal_abort "libevtx_file_t *file" "libevtx_error_t **error" .Ft int .Fn 
libevtx_file_open "libevtx_file_t *file" "const char *filename" "int access_flags" "libevtx_error_t **error" .Ft int .Fn libevtx_file_close "libevtx_file_t *file" "libevtx_error_t **error" .Ft int .Fn libevtx_file_is_corrupted "libevtx_file_t *file" "libevtx_error_t **error" .Ft int .Fn libevtx_file_get_ascii_codepage "libevtx_file_t *file" "int *ascii_codepage" "libevtx_error_t **error" .Ft int .Fn libevtx_file_set_ascii_codepage "libevtx_file_t *file" "int ascii_codepage" "libevtx_error_t **error" .Ft int .Fn libevtx_file_get_format_version "libevtx_file_t *file" "uint16_t *major_version" "uint16_t *minor_version" "libevtx_error_t **error" .Ft int .Fn libevtx_file_get_flags "libevtx_file_t *file" "uint32_t *flags" "libevtx_error_t **error" .Ft int .Fn libevtx_file_get_number_of_records "libevtx_file_t *file" "int *number_of_records" "libevtx_error_t **error" .Ft int .Fn libevtx_file_get_record_by_index "libevtx_file_t *file" "int record_index" "libevtx_record_t **record" "libevtx_error_t **error" .Ft int .Fn libevtx_file_get_number_of_recovered_records "libevtx_file_t *file" "int *number_of_records" "libevtx_error_t **error" .Ft int .Fn libevtx_file_get_recovered_record_by_index "libevtx_file_t *file" "int record_index" "libevtx_record_t **record" "libevtx_error_t **error" .Pp Available when compiled with wide character string support: .Ft int .Fn libevtx_file_open_wide "libevtx_file_t *file" "const wchar_t *filename" "int access_flags" "libevtx_error_t **error" .Pp Available when compiled with libbfio support: .Ft int .Fn libevtx_file_open_file_io_handle "libevtx_file_t *file" "libbfio_handle_t *file_io_handle" "int access_flags" "libevtx_error_t **error" .Pp Record functions .Ft int .Fn libevtx_record_free "libevtx_record_t **record" "libevtx_error_t **error" .Ft int .Fn libevtx_record_get_offset "libevtx_record_t *record" "off64_t *offset" "libevtx_error_t **error" .Ft int .Fn libevtx_record_get_identifier "libevtx_record_t *record" "uint64_t *identifier" 
"libevtx_error_t **error" .Ft int .Fn libevtx_record_get_creation_time "libevtx_record_t *record" "uint64_t *filetime" "libevtx_error_t **error" .Ft int .Fn libevtx_record_get_written_time "libevtx_record_t *record" "uint64_t *filetime" "libevtx_error_t **error" .Ft int .Fn libevtx_record_get_event_identifier "libevtx_record_t *record" "uint32_t *event_identifier" "libevtx_error_t **error" .Ft int .Fn libevtx_record_get_event_identifier_qualifiers "libevtx_record_t *record" "uint32_t *event_identifier_qualifiers" "libevtx_error_t **error" .Ft int .Fn libevtx_record_get_event_version "libevtx_record_t *record" "uint8_t *event_version" "libevtx_error_t **error" .Ft int .Fn libevtx_record_get_event_level "libevtx_record_t *record" "uint8_t *event_level" "libevtx_error_t **error" .Ft int .Fn libevtx_record_get_utf8_provider_identifier_size "libevtx_record_t *record" "size_t *utf8_string_size" "libevtx_error_t **error" .Ft int .Fn libevtx_record_get_utf8_provider_identifier "libevtx_record_t *record" "uint8_t *utf8_string" "size_t utf8_string_size" "libevtx_error_t **error" .Ft int .Fn libevtx_record_get_utf16_provider_identifier_size "libevtx_record_t *record" "size_t *utf16_string_size" "libevtx_error_t **error" .Ft int .Fn libevtx_record_get_utf16_provider_identifier "libevtx_record_t *record" "uint16_t *utf16_string" "size_t utf16_string_size" "libevtx_error_t **error" .Ft int .Fn libevtx_record_get_utf8_source_name_size "libevtx_record_t *record" "size_t *utf8_string_size" "libevtx_error_t **error" .Ft int .Fn libevtx_record_get_utf8_source_name "libevtx_record_t *record" "uint8_t *utf8_string" "size_t utf8_string_size" "libevtx_error_t **error" .Ft int .Fn libevtx_record_get_utf16_source_name_size "libevtx_record_t *record" "size_t *utf16_string_size" "libevtx_error_t **error" .Ft int .Fn libevtx_record_get_utf16_source_name "libevtx_record_t *record" "uint16_t *utf16_string" "size_t utf16_string_size" "libevtx_error_t **error" .Ft int .Fn 
libevtx_record_get_utf8_channel_name_size "libevtx_record_t *record" "size_t *utf8_string_size" "libevtx_error_t **error" .Ft int .Fn libevtx_record_get_utf8_channel_name "libevtx_record_t *record" "uint8_t *utf8_string" "size_t utf8_string_size" "libevtx_error_t **error" .Ft int .Fn libevtx_record_get_utf16_channel_name_size "libevtx_record_t *record" "size_t *utf16_string_size" "libevtx_error_t **error" .Ft int .Fn libevtx_record_get_utf16_channel_name "libevtx_record_t *record" "uint16_t *utf16_string" "size_t utf16_string_size" "libevtx_error_t **error" .Ft int .Fn libevtx_record_get_utf8_computer_name_size "libevtx_record_t *record" "size_t *utf8_string_size" "libevtx_error_t **error" .Ft int .Fn libevtx_record_get_utf8_computer_name "libevtx_record_t *record" "uint8_t *utf8_string" "size_t utf8_string_size" "libevtx_error_t **error" .Ft int .Fn libevtx_record_get_utf16_computer_name_size "libevtx_record_t *record" "size_t *utf16_string_size" "libevtx_error_t **error" .Ft int .Fn libevtx_record_get_utf16_computer_name "libevtx_record_t *record" "uint16_t *utf16_string" "size_t utf16_string_size" "libevtx_error_t **error" .Ft int .Fn libevtx_record_get_utf8_user_security_identifier_size "libevtx_record_t *record" "size_t *utf8_string_size" "libevtx_error_t **error" .Ft int .Fn libevtx_record_get_utf8_user_security_identifier "libevtx_record_t *record" "uint8_t *utf8_string" "size_t utf8_string_size" "libevtx_error_t **error" .Ft int .Fn libevtx_record_get_utf16_user_security_identifier_size "libevtx_record_t *record" "size_t *utf16_string_size" "libevtx_error_t **error" .Ft int .Fn libevtx_record_get_utf16_user_security_identifier "libevtx_record_t *record" "uint16_t *utf16_string" "size_t utf16_string_size" "libevtx_error_t **error" .Ft int .Fn libevtx_record_parse_data_with_template_definition "libevtx_record_t *record" "libevtx_template_definition_t *template_definition" "libevtx_error_t **error" .Ft int .Fn libevtx_record_get_number_of_strings 
"libevtx_record_t *record" "int *number_of_strings" "libevtx_error_t **error" .Ft int .Fn libevtx_record_get_utf8_string_size "libevtx_record_t *record" "int string_index" "size_t *utf8_string_size" "libevtx_error_t **error" .Ft int .Fn libevtx_record_get_utf8_string "libevtx_record_t *record" "int string_index" "uint8_t *utf8_string" "size_t utf8_string_size" "libevtx_error_t **error" .Ft int .Fn libevtx_record_get_utf16_string_size "libevtx_record_t *record" "int string_index" "size_t *utf16_string_size" "libevtx_error_t **error" .Ft int .Fn libevtx_record_get_utf16_string "libevtx_record_t *record" "int string_index" "uint16_t *utf16_string" "size_t utf16_string_size" "libevtx_error_t **error" .Ft int .Fn libevtx_record_get_data_size "libevtx_record_t *record" "size_t *data_size" "libevtx_error_t **error" .Ft int .Fn libevtx_record_get_data "libevtx_record_t *record" "uint8_t *data" "size_t data_size" "libevtx_error_t **error" .Ft int .Fn libevtx_record_get_utf8_xml_string_size "libevtx_record_t *record" "size_t *utf8_string_size" "libevtx_error_t **error" .Ft int .Fn libevtx_record_get_utf8_xml_string "libevtx_record_t *record" "uint8_t *utf8_string" "size_t utf8_string_size" "libevtx_error_t **error" .Ft int .Fn libevtx_record_get_utf16_xml_string_size "libevtx_record_t *record" "size_t *utf16_string_size" "libevtx_error_t **error" .Ft int .Fn libevtx_record_get_utf16_xml_string "libevtx_record_t *record" "uint16_t *utf16_string" "size_t utf16_string_size" "libevtx_error_t **error" .Pp Template definition functions .Ft int .Fn libevtx_template_definition_initialize "libevtx_template_definition_t **template_definition" "libevtx_error_t **error" .Ft int .Fn libevtx_template_definition_free "libevtx_template_definition_t **template_definition" "libevtx_error_t **error" .Ft int .Fn libevtx_template_definition_set_data "libevtx_template_definition_t *template_definition" "const uint8_t *data" "size_t data_size" "uint32_t data_offset" "libevtx_error_t **error" .Sh 
DESCRIPTION The .Fn libevtx_get_version function is used to retrieve the library version. .Sh RETURN VALUES Most of the functions return NULL or \-1 on error, dependent on the return type. For the actual return values see "libevtx.h". .Sh ENVIRONMENT None .Sh FILES None .Sh NOTES libevtx can be compiled with wide character support (wchar_t). .sp To compile libevtx with wide character support use: .Ar ./configure --enable-wide-character-type=yes or define: .Ar _UNICODE or .Ar UNICODE during compilation. .sp .Ar LIBEVTX_WIDE_CHARACTER_TYPE in libevtx/features.h can be used to determine if libevtx was compiled with wide character support. .Sh BUGS Please report bugs of any kind on the project issue tracker: https://github.com/libyal/libevtx/issues .Sh AUTHOR These man pages are generated from "libevtx.h". .Sh COPYRIGHT Copyright (C) 2011-2025, Joachim Metz . .sp This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
.Sh SEE ALSO the libevtx.h include file ================================================ FILE: msvscpp/Makefile.am ================================================ MSVSCPP_FILES = \ evtx_test_chunk/evtx_test_chunk.vcproj \ evtx_test_chunks_table/evtx_test_chunks_table.vcproj \ evtx_test_error/evtx_test_error.vcproj \ evtx_test_file/evtx_test_file.vcproj \ evtx_test_io_handle/evtx_test_io_handle.vcproj \ evtx_test_notify/evtx_test_notify.vcproj \ evtx_test_record/evtx_test_record.vcproj \ evtx_test_record_values/evtx_test_record_values.vcproj \ evtx_test_support/evtx_test_support.vcproj \ evtx_test_template_definition/evtx_test_template_definition.vcproj \ evtx_test_tools_info_handle/evtx_test_tools_info_handle.vcproj \ evtx_test_tools_message_handle/evtx_test_tools_message_handle.vcproj \ evtx_test_tools_message_string/evtx_test_tools_message_string.vcproj \ evtx_test_tools_output/evtx_test_tools_output.vcproj \ evtx_test_tools_path_handle/evtx_test_tools_path_handle.vcproj \ evtx_test_tools_registry_file/evtx_test_tools_registry_file.vcproj \ evtx_test_tools_resource_file/evtx_test_tools_resource_file.vcproj \ evtx_test_tools_signal/evtx_test_tools_signal.vcproj \ evtxexport/evtxexport.vcproj \ evtxinfo/evtxinfo.vcproj \ libbfio/libbfio.vcproj \ libcdata/libcdata.vcproj \ libcdirectory/libcdirectory.vcproj \ libcerror/libcerror.vcproj \ libcfile/libcfile.vcproj \ libclocale/libclocale.vcproj \ libcnotify/libcnotify.vcproj \ libcpath/libcpath.vcproj \ libcsplit/libcsplit.vcproj \ libcthreads/libcthreads.vcproj \ libevtx/libevtx.vcproj \ libexe/libexe.vcproj \ libfcache/libfcache.vcproj \ libfdata/libfdata.vcproj \ libfdatetime/libfdatetime.vcproj \ libfguid/libfguid.vcproj \ libfvalue/libfvalue.vcproj \ libfwevt/libfwevt.vcproj \ libfwnt/libfwnt.vcproj \ libregf/libregf.vcproj \ libuna/libuna.vcproj \ libwrc/libwrc.vcproj \ pyevtx/pyevtx.vcproj \ libevtx.sln EXTRA_DIST = \ $(MSVSCPP_FILES) DISTCLEANFILES = \ Makefile \ Makefile.in 
================================================ FILE: msvscpp/evtx_test_chunk/evtx_test_chunk.vcproj ================================================ ================================================ FILE: msvscpp/evtx_test_chunks_table/evtx_test_chunks_table.vcproj ================================================ ================================================ FILE: msvscpp/evtx_test_error/evtx_test_error.vcproj ================================================ ================================================ FILE: msvscpp/evtx_test_file/evtx_test_file.vcproj ================================================ ================================================ FILE: msvscpp/evtx_test_io_handle/evtx_test_io_handle.vcproj ================================================ ================================================ FILE: msvscpp/evtx_test_notify/evtx_test_notify.vcproj ================================================ ================================================ FILE: msvscpp/evtx_test_record/evtx_test_record.vcproj ================================================ ================================================ FILE: msvscpp/evtx_test_record_values/evtx_test_record_values.vcproj ================================================ ================================================ FILE: msvscpp/evtx_test_support/evtx_test_support.vcproj ================================================ ================================================ FILE: msvscpp/evtx_test_template_definition/evtx_test_template_definition.vcproj ================================================ ================================================ FILE: msvscpp/evtx_test_tools_info_handle/evtx_test_tools_info_handle.vcproj ================================================ ================================================ FILE: msvscpp/evtx_test_tools_message_handle/evtx_test_tools_message_handle.vcproj ================================================ ================================================ FILE: 
msvscpp/evtx_test_tools_message_string/evtx_test_tools_message_string.vcproj ================================================ ================================================ FILE: msvscpp/evtx_test_tools_output/evtx_test_tools_output.vcproj ================================================ ================================================ FILE: msvscpp/evtx_test_tools_path_handle/evtx_test_tools_path_handle.vcproj ================================================ ================================================ FILE: msvscpp/evtx_test_tools_registry_file/evtx_test_tools_registry_file.vcproj ================================================ ================================================ FILE: msvscpp/evtx_test_tools_resource_file/evtx_test_tools_resource_file.vcproj ================================================ ================================================ FILE: msvscpp/evtx_test_tools_signal/evtx_test_tools_signal.vcproj ================================================ ================================================ FILE: msvscpp/evtxexport/evtxexport.vcproj ================================================ ================================================ FILE: msvscpp/evtxinfo/evtxinfo.vcproj ================================================ ================================================ FILE: msvscpp/libbfio/libbfio.vcproj ================================================ ================================================ FILE: msvscpp/libcdata/libcdata.vcproj ================================================ ================================================ FILE: msvscpp/libcdirectory/libcdirectory.vcproj ================================================ ================================================ FILE: msvscpp/libcerror/libcerror.vcproj ================================================ ================================================ FILE: msvscpp/libcfile/libcfile.vcproj ================================================ 
================================================ FILE: msvscpp/libclocale/libclocale.vcproj ================================================ ================================================ FILE: msvscpp/libcnotify/libcnotify.vcproj ================================================ ================================================ FILE: msvscpp/libcpath/libcpath.vcproj ================================================ ================================================ FILE: msvscpp/libcsplit/libcsplit.vcproj ================================================ ================================================ FILE: msvscpp/libcthreads/libcthreads.vcproj ================================================ ================================================ FILE: msvscpp/libevtx/libevtx.vcproj ================================================ ================================================ FILE: msvscpp/libevtx.sln ================================================  Microsoft Visual Studio Solution File, Format Version 10.00 # Visual C++ Express 2008 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libfdata", "libfdata\libfdata.vcproj", "{AABC80BB-79B3-49BA-8A90-9AAC2A3B404F}" ProjectSection(ProjectDependencies) = postProject {5299814A-9BDD-4F91-ADF9-723068B3B642} = {5299814A-9BDD-4F91-ADF9-723068B3B642} {48D8ABE8-71E3-4C29-A265-138C36783578} = {48D8ABE8-71E3-4C29-A265-138C36783578} {55652C23-9FE0-4E5B-930C-C3675C980351} = {55652C23-9FE0-4E5B-930C-C3675C980351} {E31E45A2-E02E-49E7-843B-F390127F1184} = {E31E45A2-E02E-49E7-843B-F390127F1184} {4B4599D2-DBF5-4E0A-9669-94032C1320A9} = {4B4599D2-DBF5-4E0A-9669-94032C1320A9} EndProjectSection EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libexe", "libexe\libexe.vcproj", "{D9D3120F-1242-4538-82CD-A99B1BC9A3DF}" ProjectSection(ProjectDependencies) = postProject {5299814A-9BDD-4F91-ADF9-723068B3B642} = {5299814A-9BDD-4F91-ADF9-723068B3B642} {48D8ABE8-71E3-4C29-A265-138C36783578} = {48D8ABE8-71E3-4C29-A265-138C36783578} 
{55652C23-9FE0-4E5B-930C-C3675C980351} = {55652C23-9FE0-4E5B-930C-C3675C980351} {754A36B3-E1DC-4975-89E4-EF0D82ACBC3B} = {754A36B3-E1DC-4975-89E4-EF0D82ACBC3B} {E31E45A2-E02E-49E7-843B-F390127F1184} = {E31E45A2-E02E-49E7-843B-F390127F1184} {A352758D-DD49-406B-81F3-FC8494D52B88} = {A352758D-DD49-406B-81F3-FC8494D52B88} {40BA88AF-9923-4FC6-8466-CB5833843AC4} = {40BA88AF-9923-4FC6-8466-CB5833843AC4} {3AF383AB-F184-4190-84DF-453ACE4CA89D} = {3AF383AB-F184-4190-84DF-453ACE4CA89D} {6FB36D12-30F9-49F5-B4B6-2E58C4390438} = {6FB36D12-30F9-49F5-B4B6-2E58C4390438} {7A4327FF-CA12-4A1A-A7CF-5328BDAA9942} = {7A4327FF-CA12-4A1A-A7CF-5328BDAA9942} {4B4599D2-DBF5-4E0A-9669-94032C1320A9} = {4B4599D2-DBF5-4E0A-9669-94032C1320A9} {AABC80BB-79B3-49BA-8A90-9AAC2A3B404F} = {AABC80BB-79B3-49BA-8A90-9AAC2A3B404F} {F6707C74-BCE0-40FC-9900-DDA579029FBA} = {F6707C74-BCE0-40FC-9900-DDA579029FBA} EndProjectSection EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "evtxexport", "evtxexport\evtxexport.vcproj", "{4C0A33FC-0B42-4735-B5C9-EA49F17A9478}" ProjectSection(ProjectDependencies) = postProject {7F42F80A-6FE8-4634-8455-5D08A1E24BAA} = {7F42F80A-6FE8-4634-8455-5D08A1E24BAA} {B5E43F96-E790-4DBA-8891-4A14E7183D9A} = {B5E43F96-E790-4DBA-8891-4A14E7183D9A} {D9D3120F-1242-4538-82CD-A99B1BC9A3DF} = {D9D3120F-1242-4538-82CD-A99B1BC9A3DF} {35A5D4B4-775C-40E3-B364-19562437CD80} = {35A5D4B4-775C-40E3-B364-19562437CD80} {1D7A10ED-2939-4C11-BAA0-D37C2A8CD6F7} = {1D7A10ED-2939-4C11-BAA0-D37C2A8CD6F7} {C6DCD3D9-4397-466E-AC94-49A590DA0EC6} = {C6DCD3D9-4397-466E-AC94-49A590DA0EC6} {9C232121-5F91-4559-A4F5-AAFAB5BDE0FC} = {9C232121-5F91-4559-A4F5-AAFAB5BDE0FC} {F6707C74-BCE0-40FC-9900-DDA579029FBA} = {F6707C74-BCE0-40FC-9900-DDA579029FBA} {AABC80BB-79B3-49BA-8A90-9AAC2A3B404F} = {AABC80BB-79B3-49BA-8A90-9AAC2A3B404F} {4B4599D2-DBF5-4E0A-9669-94032C1320A9} = {4B4599D2-DBF5-4E0A-9669-94032C1320A9} {7A4327FF-CA12-4A1A-A7CF-5328BDAA9942} = {7A4327FF-CA12-4A1A-A7CF-5328BDAA9942} 
{6FB36D12-30F9-49F5-B4B6-2E58C4390438} = {6FB36D12-30F9-49F5-B4B6-2E58C4390438} {3AF383AB-F184-4190-84DF-453ACE4CA89D} = {3AF383AB-F184-4190-84DF-453ACE4CA89D} {62C67404-7985-4120-85BA-3C0424784434} = {62C67404-7985-4120-85BA-3C0424784434} {40BA88AF-9923-4FC6-8466-CB5833843AC4} = {40BA88AF-9923-4FC6-8466-CB5833843AC4} {A352758D-DD49-406B-81F3-FC8494D52B88} = {A352758D-DD49-406B-81F3-FC8494D52B88} {E31E45A2-E02E-49E7-843B-F390127F1184} = {E31E45A2-E02E-49E7-843B-F390127F1184} {754A36B3-E1DC-4975-89E4-EF0D82ACBC3B} = {754A36B3-E1DC-4975-89E4-EF0D82ACBC3B} {55652C23-9FE0-4E5B-930C-C3675C980351} = {55652C23-9FE0-4E5B-930C-C3675C980351} {91D35439-5C77-4084-B94A-45B055A97971} = {91D35439-5C77-4084-B94A-45B055A97971} {48D8ABE8-71E3-4C29-A265-138C36783578} = {48D8ABE8-71E3-4C29-A265-138C36783578} {5299814A-9BDD-4F91-ADF9-723068B3B642} = {5299814A-9BDD-4F91-ADF9-723068B3B642} EndProjectSection EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "evtxinfo", "evtxinfo\evtxinfo.vcproj", "{0D975F50-1FE8-498E-B597-9960DFC995AC}" ProjectSection(ProjectDependencies) = postProject {40BA88AF-9923-4FC6-8466-CB5833843AC4} = {40BA88AF-9923-4FC6-8466-CB5833843AC4} {A352758D-DD49-406B-81F3-FC8494D52B88} = {A352758D-DD49-406B-81F3-FC8494D52B88} {E31E45A2-E02E-49E7-843B-F390127F1184} = {E31E45A2-E02E-49E7-843B-F390127F1184} {754A36B3-E1DC-4975-89E4-EF0D82ACBC3B} = {754A36B3-E1DC-4975-89E4-EF0D82ACBC3B} {91D35439-5C77-4084-B94A-45B055A97971} = {91D35439-5C77-4084-B94A-45B055A97971} {48D8ABE8-71E3-4C29-A265-138C36783578} = {48D8ABE8-71E3-4C29-A265-138C36783578} {5299814A-9BDD-4F91-ADF9-723068B3B642} = {5299814A-9BDD-4F91-ADF9-723068B3B642} EndProjectSection EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "pyevtx", "pyevtx\pyevtx.vcproj", "{2D239718-8401-4E75-88FD-E81DF267543A}" ProjectSection(ProjectDependencies) = postProject {5299814A-9BDD-4F91-ADF9-723068B3B642} = {5299814A-9BDD-4F91-ADF9-723068B3B642} {91D35439-5C77-4084-B94A-45B055A97971} = 
{91D35439-5C77-4084-B94A-45B055A97971} {55652C23-9FE0-4E5B-930C-C3675C980351} = {55652C23-9FE0-4E5B-930C-C3675C980351} {754A36B3-E1DC-4975-89E4-EF0D82ACBC3B} = {754A36B3-E1DC-4975-89E4-EF0D82ACBC3B} {A352758D-DD49-406B-81F3-FC8494D52B88} = {A352758D-DD49-406B-81F3-FC8494D52B88} {40BA88AF-9923-4FC6-8466-CB5833843AC4} = {40BA88AF-9923-4FC6-8466-CB5833843AC4} {3AF383AB-F184-4190-84DF-453ACE4CA89D} = {3AF383AB-F184-4190-84DF-453ACE4CA89D} {6FB36D12-30F9-49F5-B4B6-2E58C4390438} = {6FB36D12-30F9-49F5-B4B6-2E58C4390438} {7A4327FF-CA12-4A1A-A7CF-5328BDAA9942} = {7A4327FF-CA12-4A1A-A7CF-5328BDAA9942} EndProjectSection EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libregf", "libregf\libregf.vcproj", "{7F42F80A-6FE8-4634-8455-5D08A1E24BAA}" ProjectSection(ProjectDependencies) = postProject {5299814A-9BDD-4F91-ADF9-723068B3B642} = {5299814A-9BDD-4F91-ADF9-723068B3B642} {48D8ABE8-71E3-4C29-A265-138C36783578} = {48D8ABE8-71E3-4C29-A265-138C36783578} {55652C23-9FE0-4E5B-930C-C3675C980351} = {55652C23-9FE0-4E5B-930C-C3675C980351} {754A36B3-E1DC-4975-89E4-EF0D82ACBC3B} = {754A36B3-E1DC-4975-89E4-EF0D82ACBC3B} {E31E45A2-E02E-49E7-843B-F390127F1184} = {E31E45A2-E02E-49E7-843B-F390127F1184} {A352758D-DD49-406B-81F3-FC8494D52B88} = {A352758D-DD49-406B-81F3-FC8494D52B88} {40BA88AF-9923-4FC6-8466-CB5833843AC4} = {40BA88AF-9923-4FC6-8466-CB5833843AC4} {3AF383AB-F184-4190-84DF-453ACE4CA89D} = {3AF383AB-F184-4190-84DF-453ACE4CA89D} {6FB36D12-30F9-49F5-B4B6-2E58C4390438} = {6FB36D12-30F9-49F5-B4B6-2E58C4390438} {7A4327FF-CA12-4A1A-A7CF-5328BDAA9942} = {7A4327FF-CA12-4A1A-A7CF-5328BDAA9942} {4B4599D2-DBF5-4E0A-9669-94032C1320A9} = {4B4599D2-DBF5-4E0A-9669-94032C1320A9} {AABC80BB-79B3-49BA-8A90-9AAC2A3B404F} = {AABC80BB-79B3-49BA-8A90-9AAC2A3B404F} {F6707C74-BCE0-40FC-9900-DDA579029FBA} = {F6707C74-BCE0-40FC-9900-DDA579029FBA} {1D7A10ED-2939-4C11-BAA0-D37C2A8CD6F7} = {1D7A10ED-2939-4C11-BAA0-D37C2A8CD6F7} EndProjectSection EndProject 
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libfguid", "libfguid\libfguid.vcproj", "{9C232121-5F91-4559-A4F5-AAFAB5BDE0FC}" ProjectSection(ProjectDependencies) = postProject {5299814A-9BDD-4F91-ADF9-723068B3B642} = {5299814A-9BDD-4F91-ADF9-723068B3B642} EndProjectSection EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libclocale", "libclocale\libclocale.vcproj", "{754A36B3-E1DC-4975-89E4-EF0D82ACBC3B}" ProjectSection(ProjectDependencies) = postProject {5299814A-9BDD-4F91-ADF9-723068B3B642} = {5299814A-9BDD-4F91-ADF9-723068B3B642} EndProjectSection EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libfcache", "libfcache\libfcache.vcproj", "{4B4599D2-DBF5-4E0A-9669-94032C1320A9}" ProjectSection(ProjectDependencies) = postProject {5299814A-9BDD-4F91-ADF9-723068B3B642} = {5299814A-9BDD-4F91-ADF9-723068B3B642} {48D8ABE8-71E3-4C29-A265-138C36783578} = {48D8ABE8-71E3-4C29-A265-138C36783578} {55652C23-9FE0-4E5B-930C-C3675C980351} = {55652C23-9FE0-4E5B-930C-C3675C980351} EndProjectSection EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libbfio", "libbfio\libbfio.vcproj", "{7A4327FF-CA12-4A1A-A7CF-5328BDAA9942}" ProjectSection(ProjectDependencies) = postProject {5299814A-9BDD-4F91-ADF9-723068B3B642} = {5299814A-9BDD-4F91-ADF9-723068B3B642} {48D8ABE8-71E3-4C29-A265-138C36783578} = {48D8ABE8-71E3-4C29-A265-138C36783578} {754A36B3-E1DC-4975-89E4-EF0D82ACBC3B} = {754A36B3-E1DC-4975-89E4-EF0D82ACBC3B} {E31E45A2-E02E-49E7-843B-F390127F1184} = {E31E45A2-E02E-49E7-843B-F390127F1184} {55652C23-9FE0-4E5B-930C-C3675C980351} = {55652C23-9FE0-4E5B-930C-C3675C980351} {A352758D-DD49-406B-81F3-FC8494D52B88} = {A352758D-DD49-406B-81F3-FC8494D52B88} {3AF383AB-F184-4190-84DF-453ACE4CA89D} = {3AF383AB-F184-4190-84DF-453ACE4CA89D} {6FB36D12-30F9-49F5-B4B6-2E58C4390438} = {6FB36D12-30F9-49F5-B4B6-2E58C4390438} {40BA88AF-9923-4FC6-8466-CB5833843AC4} = {40BA88AF-9923-4FC6-8466-CB5833843AC4} EndProjectSection EndProject 
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libfwevt", "libfwevt\libfwevt.vcproj", "{C6DCD3D9-4397-466E-AC94-49A590DA0EC6}" ProjectSection(ProjectDependencies) = postProject {5299814A-9BDD-4F91-ADF9-723068B3B642} = {5299814A-9BDD-4F91-ADF9-723068B3B642} {48D8ABE8-71E3-4C29-A265-138C36783578} = {48D8ABE8-71E3-4C29-A265-138C36783578} {55652C23-9FE0-4E5B-930C-C3675C980351} = {55652C23-9FE0-4E5B-930C-C3675C980351} {E31E45A2-E02E-49E7-843B-F390127F1184} = {E31E45A2-E02E-49E7-843B-F390127F1184} {F6707C74-BCE0-40FC-9900-DDA579029FBA} = {F6707C74-BCE0-40FC-9900-DDA579029FBA} {9C232121-5F91-4559-A4F5-AAFAB5BDE0FC} = {9C232121-5F91-4559-A4F5-AAFAB5BDE0FC} {35A5D4B4-775C-40E3-B364-19562437CD80} = {35A5D4B4-775C-40E3-B364-19562437CD80} {40BA88AF-9923-4FC6-8466-CB5833843AC4} = {40BA88AF-9923-4FC6-8466-CB5833843AC4} EndProjectSection EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libcfile", "libcfile\libcfile.vcproj", "{3AF383AB-F184-4190-84DF-453ACE4CA89D}" ProjectSection(ProjectDependencies) = postProject {5299814A-9BDD-4F91-ADF9-723068B3B642} = {5299814A-9BDD-4F91-ADF9-723068B3B642} {754A36B3-E1DC-4975-89E4-EF0D82ACBC3B} = {754A36B3-E1DC-4975-89E4-EF0D82ACBC3B} {E31E45A2-E02E-49E7-843B-F390127F1184} = {E31E45A2-E02E-49E7-843B-F390127F1184} {40BA88AF-9923-4FC6-8466-CB5833843AC4} = {40BA88AF-9923-4FC6-8466-CB5833843AC4} EndProjectSection EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libwrc", "libwrc\libwrc.vcproj", "{B5E43F96-E790-4DBA-8891-4A14E7183D9A}" ProjectSection(ProjectDependencies) = postProject {5299814A-9BDD-4F91-ADF9-723068B3B642} = {5299814A-9BDD-4F91-ADF9-723068B3B642} {48D8ABE8-71E3-4C29-A265-138C36783578} = {48D8ABE8-71E3-4C29-A265-138C36783578} {55652C23-9FE0-4E5B-930C-C3675C980351} = {55652C23-9FE0-4E5B-930C-C3675C980351} {754A36B3-E1DC-4975-89E4-EF0D82ACBC3B} = {754A36B3-E1DC-4975-89E4-EF0D82ACBC3B} {E31E45A2-E02E-49E7-843B-F390127F1184} = {E31E45A2-E02E-49E7-843B-F390127F1184} {A352758D-DD49-406B-81F3-FC8494D52B88} 
= {A352758D-DD49-406B-81F3-FC8494D52B88} {40BA88AF-9923-4FC6-8466-CB5833843AC4} = {40BA88AF-9923-4FC6-8466-CB5833843AC4} {3AF383AB-F184-4190-84DF-453ACE4CA89D} = {3AF383AB-F184-4190-84DF-453ACE4CA89D} {6FB36D12-30F9-49F5-B4B6-2E58C4390438} = {6FB36D12-30F9-49F5-B4B6-2E58C4390438} {7A4327FF-CA12-4A1A-A7CF-5328BDAA9942} = {7A4327FF-CA12-4A1A-A7CF-5328BDAA9942} {4B4599D2-DBF5-4E0A-9669-94032C1320A9} = {4B4599D2-DBF5-4E0A-9669-94032C1320A9} {AABC80BB-79B3-49BA-8A90-9AAC2A3B404F} = {AABC80BB-79B3-49BA-8A90-9AAC2A3B404F} {F6707C74-BCE0-40FC-9900-DDA579029FBA} = {F6707C74-BCE0-40FC-9900-DDA579029FBA} {9C232121-5F91-4559-A4F5-AAFAB5BDE0FC} = {9C232121-5F91-4559-A4F5-AAFAB5BDE0FC} {35A5D4B4-775C-40E3-B364-19562437CD80} = {35A5D4B4-775C-40E3-B364-19562437CD80} {1D7A10ED-2939-4C11-BAA0-D37C2A8CD6F7} = {1D7A10ED-2939-4C11-BAA0-D37C2A8CD6F7} EndProjectSection EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libcdata", "libcdata\libcdata.vcproj", "{55652C23-9FE0-4E5B-930C-C3675C980351}" ProjectSection(ProjectDependencies) = postProject {5299814A-9BDD-4F91-ADF9-723068B3B642} = {5299814A-9BDD-4F91-ADF9-723068B3B642} {48D8ABE8-71E3-4C29-A265-138C36783578} = {48D8ABE8-71E3-4C29-A265-138C36783578} EndProjectSection EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libcthreads", "libcthreads\libcthreads.vcproj", "{48D8ABE8-71E3-4C29-A265-138C36783578}" ProjectSection(ProjectDependencies) = postProject {5299814A-9BDD-4F91-ADF9-723068B3B642} = {5299814A-9BDD-4F91-ADF9-723068B3B642} EndProjectSection EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libcpath", "libcpath\libcpath.vcproj", "{6FB36D12-30F9-49F5-B4B6-2E58C4390438}" ProjectSection(ProjectDependencies) = postProject {5299814A-9BDD-4F91-ADF9-723068B3B642} = {5299814A-9BDD-4F91-ADF9-723068B3B642} {754A36B3-E1DC-4975-89E4-EF0D82ACBC3B} = {754A36B3-E1DC-4975-89E4-EF0D82ACBC3B} {A352758D-DD49-406B-81F3-FC8494D52B88} = {A352758D-DD49-406B-81F3-FC8494D52B88} 
{40BA88AF-9923-4FC6-8466-CB5833843AC4} = {40BA88AF-9923-4FC6-8466-CB5833843AC4} EndProjectSection EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "evtx_test_chunk", "evtx_test_chunk\evtx_test_chunk.vcproj", "{D840C869-2266-4422-BD66-CAF20CED4832}" ProjectSection(ProjectDependencies) = postProject {91D35439-5C77-4084-B94A-45B055A97971} = {91D35439-5C77-4084-B94A-45B055A97971} {5299814A-9BDD-4F91-ADF9-723068B3B642} = {5299814A-9BDD-4F91-ADF9-723068B3B642} EndProjectSection EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "evtx_test_chunks_table", "evtx_test_chunks_table\evtx_test_chunks_table.vcproj", "{2AE899E9-29D4-4921-9B34-470BD450ADDB}" ProjectSection(ProjectDependencies) = postProject {91D35439-5C77-4084-B94A-45B055A97971} = {91D35439-5C77-4084-B94A-45B055A97971} {5299814A-9BDD-4F91-ADF9-723068B3B642} = {5299814A-9BDD-4F91-ADF9-723068B3B642} EndProjectSection EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "evtx_test_error", "evtx_test_error\evtx_test_error.vcproj", "{D5374706-39C2-43A0-BCEA-D4A5B3F7E452}" ProjectSection(ProjectDependencies) = postProject {91D35439-5C77-4084-B94A-45B055A97971} = {91D35439-5C77-4084-B94A-45B055A97971} EndProjectSection EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "evtx_test_file", "evtx_test_file\evtx_test_file.vcproj", "{EE2C5CA8-AD6D-43FD-94F5-5711BA1007EB}" ProjectSection(ProjectDependencies) = postProject {7A4327FF-CA12-4A1A-A7CF-5328BDAA9942} = {7A4327FF-CA12-4A1A-A7CF-5328BDAA9942} {6FB36D12-30F9-49F5-B4B6-2E58C4390438} = {6FB36D12-30F9-49F5-B4B6-2E58C4390438} {3AF383AB-F184-4190-84DF-453ACE4CA89D} = {3AF383AB-F184-4190-84DF-453ACE4CA89D} {40BA88AF-9923-4FC6-8466-CB5833843AC4} = {40BA88AF-9923-4FC6-8466-CB5833843AC4} {A352758D-DD49-406B-81F3-FC8494D52B88} = {A352758D-DD49-406B-81F3-FC8494D52B88} {E31E45A2-E02E-49E7-843B-F390127F1184} = {E31E45A2-E02E-49E7-843B-F390127F1184} {754A36B3-E1DC-4975-89E4-EF0D82ACBC3B} = {754A36B3-E1DC-4975-89E4-EF0D82ACBC3B} 
{55652C23-9FE0-4E5B-930C-C3675C980351} = {55652C23-9FE0-4E5B-930C-C3675C980351} {91D35439-5C77-4084-B94A-45B055A97971} = {91D35439-5C77-4084-B94A-45B055A97971} {48D8ABE8-71E3-4C29-A265-138C36783578} = {48D8ABE8-71E3-4C29-A265-138C36783578} {5299814A-9BDD-4F91-ADF9-723068B3B642} = {5299814A-9BDD-4F91-ADF9-723068B3B642} EndProjectSection EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "evtx_test_io_handle", "evtx_test_io_handle\evtx_test_io_handle.vcproj", "{6ECA82D7-4570-4B9E-AF48-D3C7312912C8}" ProjectSection(ProjectDependencies) = postProject {91D35439-5C77-4084-B94A-45B055A97971} = {91D35439-5C77-4084-B94A-45B055A97971} {5299814A-9BDD-4F91-ADF9-723068B3B642} = {5299814A-9BDD-4F91-ADF9-723068B3B642} EndProjectSection EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "evtx_test_notify", "evtx_test_notify\evtx_test_notify.vcproj", "{817CFF30-C20D-4B97-B144-0957548613D4}" ProjectSection(ProjectDependencies) = postProject {91D35439-5C77-4084-B94A-45B055A97971} = {91D35439-5C77-4084-B94A-45B055A97971} {5299814A-9BDD-4F91-ADF9-723068B3B642} = {5299814A-9BDD-4F91-ADF9-723068B3B642} EndProjectSection EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "evtx_test_record", "evtx_test_record\evtx_test_record.vcproj", "{51C5C6C4-684E-4B2E-A220-3F177CD5D139}" ProjectSection(ProjectDependencies) = postProject {91D35439-5C77-4084-B94A-45B055A97971} = {91D35439-5C77-4084-B94A-45B055A97971} {5299814A-9BDD-4F91-ADF9-723068B3B642} = {5299814A-9BDD-4F91-ADF9-723068B3B642} EndProjectSection EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "evtx_test_record_values", "evtx_test_record_values\evtx_test_record_values.vcproj", "{A73C40E8-0224-41D6-8FB0-C46CC44215B0}" ProjectSection(ProjectDependencies) = postProject {91D35439-5C77-4084-B94A-45B055A97971} = {91D35439-5C77-4084-B94A-45B055A97971} {5299814A-9BDD-4F91-ADF9-723068B3B642} = {5299814A-9BDD-4F91-ADF9-723068B3B642} EndProjectSection EndProject 
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "evtx_test_support", "evtx_test_support\evtx_test_support.vcproj", "{98244676-8D2C-4900-A8CA-E7357EA78844}" ProjectSection(ProjectDependencies) = postProject {7A4327FF-CA12-4A1A-A7CF-5328BDAA9942} = {7A4327FF-CA12-4A1A-A7CF-5328BDAA9942} {6FB36D12-30F9-49F5-B4B6-2E58C4390438} = {6FB36D12-30F9-49F5-B4B6-2E58C4390438} {3AF383AB-F184-4190-84DF-453ACE4CA89D} = {3AF383AB-F184-4190-84DF-453ACE4CA89D} {40BA88AF-9923-4FC6-8466-CB5833843AC4} = {40BA88AF-9923-4FC6-8466-CB5833843AC4} {A352758D-DD49-406B-81F3-FC8494D52B88} = {A352758D-DD49-406B-81F3-FC8494D52B88} {E31E45A2-E02E-49E7-843B-F390127F1184} = {E31E45A2-E02E-49E7-843B-F390127F1184} {754A36B3-E1DC-4975-89E4-EF0D82ACBC3B} = {754A36B3-E1DC-4975-89E4-EF0D82ACBC3B} {55652C23-9FE0-4E5B-930C-C3675C980351} = {55652C23-9FE0-4E5B-930C-C3675C980351} {91D35439-5C77-4084-B94A-45B055A97971} = {91D35439-5C77-4084-B94A-45B055A97971} {5299814A-9BDD-4F91-ADF9-723068B3B642} = {5299814A-9BDD-4F91-ADF9-723068B3B642} EndProjectSection EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "evtx_test_template_definition", "evtx_test_template_definition\evtx_test_template_definition.vcproj", "{F7453089-EA30-4F71-9C6E-630C02E37383}" ProjectSection(ProjectDependencies) = postProject {91D35439-5C77-4084-B94A-45B055A97971} = {91D35439-5C77-4084-B94A-45B055A97971} {5299814A-9BDD-4F91-ADF9-723068B3B642} = {5299814A-9BDD-4F91-ADF9-723068B3B642} EndProjectSection EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "evtx_test_tools_info_handle", "evtx_test_tools_info_handle\evtx_test_tools_info_handle.vcproj", "{BE305497-DE84-4503-BCAF-80C8D5C3F730}" ProjectSection(ProjectDependencies) = postProject {754A36B3-E1DC-4975-89E4-EF0D82ACBC3B} = {754A36B3-E1DC-4975-89E4-EF0D82ACBC3B} {91D35439-5C77-4084-B94A-45B055A97971} = {91D35439-5C77-4084-B94A-45B055A97971} {5299814A-9BDD-4F91-ADF9-723068B3B642} = {5299814A-9BDD-4F91-ADF9-723068B3B642} EndProjectSection EndProject 
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "evtx_test_tools_message_handle", "evtx_test_tools_message_handle\evtx_test_tools_message_handle.vcproj", "{073D74D4-5B99-49FE-863B-9DE654277681}" ProjectSection(ProjectDependencies) = postProject {B5E43F96-E790-4DBA-8891-4A14E7183D9A} = {B5E43F96-E790-4DBA-8891-4A14E7183D9A} {7F42F80A-6FE8-4634-8455-5D08A1E24BAA} = {7F42F80A-6FE8-4634-8455-5D08A1E24BAA} {D9D3120F-1242-4538-82CD-A99B1BC9A3DF} = {D9D3120F-1242-4538-82CD-A99B1BC9A3DF} {C6DCD3D9-4397-466E-AC94-49A590DA0EC6} = {C6DCD3D9-4397-466E-AC94-49A590DA0EC6} {35A5D4B4-775C-40E3-B364-19562437CD80} = {35A5D4B4-775C-40E3-B364-19562437CD80} {1D7A10ED-2939-4C11-BAA0-D37C2A8CD6F7} = {1D7A10ED-2939-4C11-BAA0-D37C2A8CD6F7} {9C232121-5F91-4559-A4F5-AAFAB5BDE0FC} = {9C232121-5F91-4559-A4F5-AAFAB5BDE0FC} {F6707C74-BCE0-40FC-9900-DDA579029FBA} = {F6707C74-BCE0-40FC-9900-DDA579029FBA} {AABC80BB-79B3-49BA-8A90-9AAC2A3B404F} = {AABC80BB-79B3-49BA-8A90-9AAC2A3B404F} {4B4599D2-DBF5-4E0A-9669-94032C1320A9} = {4B4599D2-DBF5-4E0A-9669-94032C1320A9} {7A4327FF-CA12-4A1A-A7CF-5328BDAA9942} = {7A4327FF-CA12-4A1A-A7CF-5328BDAA9942} {6FB36D12-30F9-49F5-B4B6-2E58C4390438} = {6FB36D12-30F9-49F5-B4B6-2E58C4390438} {3AF383AB-F184-4190-84DF-453ACE4CA89D} = {3AF383AB-F184-4190-84DF-453ACE4CA89D} {62C67404-7985-4120-85BA-3C0424784434} = {62C67404-7985-4120-85BA-3C0424784434} {40BA88AF-9923-4FC6-8466-CB5833843AC4} = {40BA88AF-9923-4FC6-8466-CB5833843AC4} {A352758D-DD49-406B-81F3-FC8494D52B88} = {A352758D-DD49-406B-81F3-FC8494D52B88} {E31E45A2-E02E-49E7-843B-F390127F1184} = {E31E45A2-E02E-49E7-843B-F390127F1184} {754A36B3-E1DC-4975-89E4-EF0D82ACBC3B} = {754A36B3-E1DC-4975-89E4-EF0D82ACBC3B} {55652C23-9FE0-4E5B-930C-C3675C980351} = {55652C23-9FE0-4E5B-930C-C3675C980351} {91D35439-5C77-4084-B94A-45B055A97971} = {91D35439-5C77-4084-B94A-45B055A97971} {5299814A-9BDD-4F91-ADF9-723068B3B642} = {5299814A-9BDD-4F91-ADF9-723068B3B642} EndProjectSection EndProject 
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "evtx_test_tools_message_string", "evtx_test_tools_message_string\evtx_test_tools_message_string.vcproj", "{04AD9DCE-819D-44A3-8645-D9967D9CACFC}" ProjectSection(ProjectDependencies) = postProject {B5E43F96-E790-4DBA-8891-4A14E7183D9A} = {B5E43F96-E790-4DBA-8891-4A14E7183D9A} {D9D3120F-1242-4538-82CD-A99B1BC9A3DF} = {D9D3120F-1242-4538-82CD-A99B1BC9A3DF} {C6DCD3D9-4397-466E-AC94-49A590DA0EC6} = {C6DCD3D9-4397-466E-AC94-49A590DA0EC6} {35A5D4B4-775C-40E3-B364-19562437CD80} = {35A5D4B4-775C-40E3-B364-19562437CD80} {1D7A10ED-2939-4C11-BAA0-D37C2A8CD6F7} = {1D7A10ED-2939-4C11-BAA0-D37C2A8CD6F7} {9C232121-5F91-4559-A4F5-AAFAB5BDE0FC} = {9C232121-5F91-4559-A4F5-AAFAB5BDE0FC} {F6707C74-BCE0-40FC-9900-DDA579029FBA} = {F6707C74-BCE0-40FC-9900-DDA579029FBA} {AABC80BB-79B3-49BA-8A90-9AAC2A3B404F} = {AABC80BB-79B3-49BA-8A90-9AAC2A3B404F} {7A4327FF-CA12-4A1A-A7CF-5328BDAA9942} = {7A4327FF-CA12-4A1A-A7CF-5328BDAA9942} {6FB36D12-30F9-49F5-B4B6-2E58C4390438} = {6FB36D12-30F9-49F5-B4B6-2E58C4390438} {3AF383AB-F184-4190-84DF-453ACE4CA89D} = {3AF383AB-F184-4190-84DF-453ACE4CA89D} {40BA88AF-9923-4FC6-8466-CB5833843AC4} = {40BA88AF-9923-4FC6-8466-CB5833843AC4} {A352758D-DD49-406B-81F3-FC8494D52B88} = {A352758D-DD49-406B-81F3-FC8494D52B88} {E31E45A2-E02E-49E7-843B-F390127F1184} = {E31E45A2-E02E-49E7-843B-F390127F1184} {754A36B3-E1DC-4975-89E4-EF0D82ACBC3B} = {754A36B3-E1DC-4975-89E4-EF0D82ACBC3B} {55652C23-9FE0-4E5B-930C-C3675C980351} = {55652C23-9FE0-4E5B-930C-C3675C980351} {91D35439-5C77-4084-B94A-45B055A97971} = {91D35439-5C77-4084-B94A-45B055A97971} {5299814A-9BDD-4F91-ADF9-723068B3B642} = {5299814A-9BDD-4F91-ADF9-723068B3B642} EndProjectSection EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "evtx_test_tools_output", "evtx_test_tools_output\evtx_test_tools_output.vcproj", "{1A14908D-59D7-4894-87AA-50712BA07F64}" ProjectSection(ProjectDependencies) = postProject {91D35439-5C77-4084-B94A-45B055A97971} = 
{91D35439-5C77-4084-B94A-45B055A97971} {5299814A-9BDD-4F91-ADF9-723068B3B642} = {5299814A-9BDD-4F91-ADF9-723068B3B642} EndProjectSection EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "evtx_test_tools_path_handle", "evtx_test_tools_path_handle\evtx_test_tools_path_handle.vcproj", "{D02450B3-A0A7-4CFB-9828-F8532D853D9E}" ProjectSection(ProjectDependencies) = postProject {62C67404-7985-4120-85BA-3C0424784434} = {62C67404-7985-4120-85BA-3C0424784434} {40BA88AF-9923-4FC6-8466-CB5833843AC4} = {40BA88AF-9923-4FC6-8466-CB5833843AC4} {754A36B3-E1DC-4975-89E4-EF0D82ACBC3B} = {754A36B3-E1DC-4975-89E4-EF0D82ACBC3B} {55652C23-9FE0-4E5B-930C-C3675C980351} = {55652C23-9FE0-4E5B-930C-C3675C980351} {91D35439-5C77-4084-B94A-45B055A97971} = {91D35439-5C77-4084-B94A-45B055A97971} {5299814A-9BDD-4F91-ADF9-723068B3B642} = {5299814A-9BDD-4F91-ADF9-723068B3B642} EndProjectSection EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "evtx_test_tools_registry_file", "evtx_test_tools_registry_file\evtx_test_tools_registry_file.vcproj", "{D390DD8D-C393-4CB0-B623-48FC41D092BB}" ProjectSection(ProjectDependencies) = postProject {7F42F80A-6FE8-4634-8455-5D08A1E24BAA} = {7F42F80A-6FE8-4634-8455-5D08A1E24BAA} {AABC80BB-79B3-49BA-8A90-9AAC2A3B404F} = {AABC80BB-79B3-49BA-8A90-9AAC2A3B404F} {4B4599D2-DBF5-4E0A-9669-94032C1320A9} = {4B4599D2-DBF5-4E0A-9669-94032C1320A9} {7A4327FF-CA12-4A1A-A7CF-5328BDAA9942} = {7A4327FF-CA12-4A1A-A7CF-5328BDAA9942} {6FB36D12-30F9-49F5-B4B6-2E58C4390438} = {6FB36D12-30F9-49F5-B4B6-2E58C4390438} {3AF383AB-F184-4190-84DF-453ACE4CA89D} = {3AF383AB-F184-4190-84DF-453ACE4CA89D} {62C67404-7985-4120-85BA-3C0424784434} = {62C67404-7985-4120-85BA-3C0424784434} {40BA88AF-9923-4FC6-8466-CB5833843AC4} = {40BA88AF-9923-4FC6-8466-CB5833843AC4} {A352758D-DD49-406B-81F3-FC8494D52B88} = {A352758D-DD49-406B-81F3-FC8494D52B88} {E31E45A2-E02E-49E7-843B-F390127F1184} = {E31E45A2-E02E-49E7-843B-F390127F1184} {754A36B3-E1DC-4975-89E4-EF0D82ACBC3B} = 
{754A36B3-E1DC-4975-89E4-EF0D82ACBC3B} {55652C23-9FE0-4E5B-930C-C3675C980351} = {55652C23-9FE0-4E5B-930C-C3675C980351} {91D35439-5C77-4084-B94A-45B055A97971} = {91D35439-5C77-4084-B94A-45B055A97971} {5299814A-9BDD-4F91-ADF9-723068B3B642} = {5299814A-9BDD-4F91-ADF9-723068B3B642} EndProjectSection EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "evtx_test_tools_resource_file", "evtx_test_tools_resource_file\evtx_test_tools_resource_file.vcproj", "{10D3FA6F-88E6-409E-B210-44E8515F8BA1}" ProjectSection(ProjectDependencies) = postProject {B5E43F96-E790-4DBA-8891-4A14E7183D9A} = {B5E43F96-E790-4DBA-8891-4A14E7183D9A} {D9D3120F-1242-4538-82CD-A99B1BC9A3DF} = {D9D3120F-1242-4538-82CD-A99B1BC9A3DF} {C6DCD3D9-4397-466E-AC94-49A590DA0EC6} = {C6DCD3D9-4397-466E-AC94-49A590DA0EC6} {35A5D4B4-775C-40E3-B364-19562437CD80} = {35A5D4B4-775C-40E3-B364-19562437CD80} {1D7A10ED-2939-4C11-BAA0-D37C2A8CD6F7} = {1D7A10ED-2939-4C11-BAA0-D37C2A8CD6F7} {9C232121-5F91-4559-A4F5-AAFAB5BDE0FC} = {9C232121-5F91-4559-A4F5-AAFAB5BDE0FC} {F6707C74-BCE0-40FC-9900-DDA579029FBA} = {F6707C74-BCE0-40FC-9900-DDA579029FBA} {AABC80BB-79B3-49BA-8A90-9AAC2A3B404F} = {AABC80BB-79B3-49BA-8A90-9AAC2A3B404F} {4B4599D2-DBF5-4E0A-9669-94032C1320A9} = {4B4599D2-DBF5-4E0A-9669-94032C1320A9} {7A4327FF-CA12-4A1A-A7CF-5328BDAA9942} = {7A4327FF-CA12-4A1A-A7CF-5328BDAA9942} {6FB36D12-30F9-49F5-B4B6-2E58C4390438} = {6FB36D12-30F9-49F5-B4B6-2E58C4390438} {3AF383AB-F184-4190-84DF-453ACE4CA89D} = {3AF383AB-F184-4190-84DF-453ACE4CA89D} {40BA88AF-9923-4FC6-8466-CB5833843AC4} = {40BA88AF-9923-4FC6-8466-CB5833843AC4} {A352758D-DD49-406B-81F3-FC8494D52B88} = {A352758D-DD49-406B-81F3-FC8494D52B88} {E31E45A2-E02E-49E7-843B-F390127F1184} = {E31E45A2-E02E-49E7-843B-F390127F1184} {754A36B3-E1DC-4975-89E4-EF0D82ACBC3B} = {754A36B3-E1DC-4975-89E4-EF0D82ACBC3B} {55652C23-9FE0-4E5B-930C-C3675C980351} = {55652C23-9FE0-4E5B-930C-C3675C980351} {91D35439-5C77-4084-B94A-45B055A97971} = {91D35439-5C77-4084-B94A-45B055A97971} 
{5299814A-9BDD-4F91-ADF9-723068B3B642} = {5299814A-9BDD-4F91-ADF9-723068B3B642} EndProjectSection EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "evtx_test_tools_signal", "evtx_test_tools_signal\evtx_test_tools_signal.vcproj", "{3FBC46FE-518B-4351-87DF-22B3F8DF6A35}" ProjectSection(ProjectDependencies) = postProject {91D35439-5C77-4084-B94A-45B055A97971} = {91D35439-5C77-4084-B94A-45B055A97971} {5299814A-9BDD-4F91-ADF9-723068B3B642} = {5299814A-9BDD-4F91-ADF9-723068B3B642} EndProjectSection EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libfwnt", "libfwnt\libfwnt.vcproj", "{1D7A10ED-2939-4C11-BAA0-D37C2A8CD6F7}" ProjectSection(ProjectDependencies) = postProject {5299814A-9BDD-4F91-ADF9-723068B3B642} = {5299814A-9BDD-4F91-ADF9-723068B3B642} {48D8ABE8-71E3-4C29-A265-138C36783578} = {48D8ABE8-71E3-4C29-A265-138C36783578} {55652C23-9FE0-4E5B-930C-C3675C980351} = {55652C23-9FE0-4E5B-930C-C3675C980351} {E31E45A2-E02E-49E7-843B-F390127F1184} = {E31E45A2-E02E-49E7-843B-F390127F1184} EndProjectSection EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libevtx", "libevtx\libevtx.vcproj", "{91D35439-5C77-4084-B94A-45B055A97971}" ProjectSection(ProjectDependencies) = postProject {5299814A-9BDD-4F91-ADF9-723068B3B642} = {5299814A-9BDD-4F91-ADF9-723068B3B642} {48D8ABE8-71E3-4C29-A265-138C36783578} = {48D8ABE8-71E3-4C29-A265-138C36783578} {55652C23-9FE0-4E5B-930C-C3675C980351} = {55652C23-9FE0-4E5B-930C-C3675C980351} {754A36B3-E1DC-4975-89E4-EF0D82ACBC3B} = {754A36B3-E1DC-4975-89E4-EF0D82ACBC3B} {E31E45A2-E02E-49E7-843B-F390127F1184} = {E31E45A2-E02E-49E7-843B-F390127F1184} {A352758D-DD49-406B-81F3-FC8494D52B88} = {A352758D-DD49-406B-81F3-FC8494D52B88} {40BA88AF-9923-4FC6-8466-CB5833843AC4} = {40BA88AF-9923-4FC6-8466-CB5833843AC4} {3AF383AB-F184-4190-84DF-453ACE4CA89D} = {3AF383AB-F184-4190-84DF-453ACE4CA89D} {6FB36D12-30F9-49F5-B4B6-2E58C4390438} = {6FB36D12-30F9-49F5-B4B6-2E58C4390438} {7A4327FF-CA12-4A1A-A7CF-5328BDAA9942} = 
{7A4327FF-CA12-4A1A-A7CF-5328BDAA9942} {4B4599D2-DBF5-4E0A-9669-94032C1320A9} = {4B4599D2-DBF5-4E0A-9669-94032C1320A9} {AABC80BB-79B3-49BA-8A90-9AAC2A3B404F} = {AABC80BB-79B3-49BA-8A90-9AAC2A3B404F} {F6707C74-BCE0-40FC-9900-DDA579029FBA} = {F6707C74-BCE0-40FC-9900-DDA579029FBA} {9C232121-5F91-4559-A4F5-AAFAB5BDE0FC} = {9C232121-5F91-4559-A4F5-AAFAB5BDE0FC} {C6DCD3D9-4397-466E-AC94-49A590DA0EC6} = {C6DCD3D9-4397-466E-AC94-49A590DA0EC6} {1D7A10ED-2939-4C11-BAA0-D37C2A8CD6F7} = {1D7A10ED-2939-4C11-BAA0-D37C2A8CD6F7} {35A5D4B4-775C-40E3-B364-19562437CD80} = {35A5D4B4-775C-40E3-B364-19562437CD80} EndProjectSection EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libcsplit", "libcsplit\libcsplit.vcproj", "{A352758D-DD49-406B-81F3-FC8494D52B88}" ProjectSection(ProjectDependencies) = postProject {5299814A-9BDD-4F91-ADF9-723068B3B642} = {5299814A-9BDD-4F91-ADF9-723068B3B642} EndProjectSection EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libuna", "libuna\libuna.vcproj", "{40BA88AF-9923-4FC6-8466-CB5833843AC4}" ProjectSection(ProjectDependencies) = postProject {5299814A-9BDD-4F91-ADF9-723068B3B642} = {5299814A-9BDD-4F91-ADF9-723068B3B642} EndProjectSection EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libfvalue", "libfvalue\libfvalue.vcproj", "{35A5D4B4-775C-40E3-B364-19562437CD80}" ProjectSection(ProjectDependencies) = postProject {5299814A-9BDD-4F91-ADF9-723068B3B642} = {5299814A-9BDD-4F91-ADF9-723068B3B642} {48D8ABE8-71E3-4C29-A265-138C36783578} = {48D8ABE8-71E3-4C29-A265-138C36783578} {55652C23-9FE0-4E5B-930C-C3675C980351} = {55652C23-9FE0-4E5B-930C-C3675C980351} {E31E45A2-E02E-49E7-843B-F390127F1184} = {E31E45A2-E02E-49E7-843B-F390127F1184} {40BA88AF-9923-4FC6-8466-CB5833843AC4} = {40BA88AF-9923-4FC6-8466-CB5833843AC4} {F6707C74-BCE0-40FC-9900-DDA579029FBA} = {F6707C74-BCE0-40FC-9900-DDA579029FBA} {9C232121-5F91-4559-A4F5-AAFAB5BDE0FC} = {9C232121-5F91-4559-A4F5-AAFAB5BDE0FC} {1D7A10ED-2939-4C11-BAA0-D37C2A8CD6F7} = 
{1D7A10ED-2939-4C11-BAA0-D37C2A8CD6F7} EndProjectSection EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libcnotify", "libcnotify\libcnotify.vcproj", "{E31E45A2-E02E-49E7-843B-F390127F1184}" ProjectSection(ProjectDependencies) = postProject {5299814A-9BDD-4F91-ADF9-723068B3B642} = {5299814A-9BDD-4F91-ADF9-723068B3B642} EndProjectSection EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libcerror", "libcerror\libcerror.vcproj", "{5299814A-9BDD-4F91-ADF9-723068B3B642}" EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libfdatetime", "libfdatetime\libfdatetime.vcproj", "{F6707C74-BCE0-40FC-9900-DDA579029FBA}" ProjectSection(ProjectDependencies) = postProject {5299814A-9BDD-4F91-ADF9-723068B3B642} = {5299814A-9BDD-4F91-ADF9-723068B3B642} EndProjectSection EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libcdirectory", "libcdirectory\libcdirectory.vcproj", "{62C67404-7985-4120-85BA-3C0424784434}" ProjectSection(ProjectDependencies) = postProject {5299814A-9BDD-4F91-ADF9-723068B3B642} = {5299814A-9BDD-4F91-ADF9-723068B3B642} {754A36B3-E1DC-4975-89E4-EF0D82ACBC3B} = {754A36B3-E1DC-4975-89E4-EF0D82ACBC3B} {40BA88AF-9923-4FC6-8466-CB5833843AC4} = {40BA88AF-9923-4FC6-8466-CB5833843AC4} EndProjectSection EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Release|Win32 = Release|Win32 VSDebug|Win32 = VSDebug|Win32 EndGlobalSection GlobalSection(ProjectConfigurationPlatforms) = postSolution {AABC80BB-79B3-49BA-8A90-9AAC2A3B404F}.Release|Win32.ActiveCfg = Release|Win32 {AABC80BB-79B3-49BA-8A90-9AAC2A3B404F}.Release|Win32.Build.0 = Release|Win32 {AABC80BB-79B3-49BA-8A90-9AAC2A3B404F}.VSDebug|Win32.ActiveCfg = VSDebug|Win32 {AABC80BB-79B3-49BA-8A90-9AAC2A3B404F}.VSDebug|Win32.Build.0 = VSDebug|Win32 {D9D3120F-1242-4538-82CD-A99B1BC9A3DF}.Release|Win32.ActiveCfg = Release|Win32 {D9D3120F-1242-4538-82CD-A99B1BC9A3DF}.Release|Win32.Build.0 = Release|Win32 
{D9D3120F-1242-4538-82CD-A99B1BC9A3DF}.VSDebug|Win32.ActiveCfg = VSDebug|Win32 {D9D3120F-1242-4538-82CD-A99B1BC9A3DF}.VSDebug|Win32.Build.0 = VSDebug|Win32 {4C0A33FC-0B42-4735-B5C9-EA49F17A9478}.Release|Win32.ActiveCfg = Release|Win32 {4C0A33FC-0B42-4735-B5C9-EA49F17A9478}.Release|Win32.Build.0 = Release|Win32 {4C0A33FC-0B42-4735-B5C9-EA49F17A9478}.VSDebug|Win32.ActiveCfg = VSDebug|Win32 {4C0A33FC-0B42-4735-B5C9-EA49F17A9478}.VSDebug|Win32.Build.0 = VSDebug|Win32 {0D975F50-1FE8-498E-B597-9960DFC995AC}.Release|Win32.ActiveCfg = Release|Win32 {0D975F50-1FE8-498E-B597-9960DFC995AC}.Release|Win32.Build.0 = Release|Win32 {0D975F50-1FE8-498E-B597-9960DFC995AC}.VSDebug|Win32.ActiveCfg = VSDebug|Win32 {0D975F50-1FE8-498E-B597-9960DFC995AC}.VSDebug|Win32.Build.0 = VSDebug|Win32 {2D239718-8401-4E75-88FD-E81DF267543A}.Release|Win32.ActiveCfg = Release|Win32 {2D239718-8401-4E75-88FD-E81DF267543A}.Release|Win32.Build.0 = Release|Win32 {2D239718-8401-4E75-88FD-E81DF267543A}.VSDebug|Win32.ActiveCfg = VSDebug|Win32 {2D239718-8401-4E75-88FD-E81DF267543A}.VSDebug|Win32.Build.0 = VSDebug|Win32 {7F42F80A-6FE8-4634-8455-5D08A1E24BAA}.Release|Win32.ActiveCfg = Release|Win32 {7F42F80A-6FE8-4634-8455-5D08A1E24BAA}.Release|Win32.Build.0 = Release|Win32 {7F42F80A-6FE8-4634-8455-5D08A1E24BAA}.VSDebug|Win32.ActiveCfg = VSDebug|Win32 {7F42F80A-6FE8-4634-8455-5D08A1E24BAA}.VSDebug|Win32.Build.0 = VSDebug|Win32 {9C232121-5F91-4559-A4F5-AAFAB5BDE0FC}.Release|Win32.ActiveCfg = Release|Win32 {9C232121-5F91-4559-A4F5-AAFAB5BDE0FC}.Release|Win32.Build.0 = Release|Win32 {9C232121-5F91-4559-A4F5-AAFAB5BDE0FC}.VSDebug|Win32.ActiveCfg = VSDebug|Win32 {9C232121-5F91-4559-A4F5-AAFAB5BDE0FC}.VSDebug|Win32.Build.0 = VSDebug|Win32 {754A36B3-E1DC-4975-89E4-EF0D82ACBC3B}.Release|Win32.ActiveCfg = Release|Win32 {754A36B3-E1DC-4975-89E4-EF0D82ACBC3B}.Release|Win32.Build.0 = Release|Win32 {754A36B3-E1DC-4975-89E4-EF0D82ACBC3B}.VSDebug|Win32.ActiveCfg = VSDebug|Win32 
{754A36B3-E1DC-4975-89E4-EF0D82ACBC3B}.VSDebug|Win32.Build.0 = VSDebug|Win32 {4B4599D2-DBF5-4E0A-9669-94032C1320A9}.Release|Win32.ActiveCfg = Release|Win32 {4B4599D2-DBF5-4E0A-9669-94032C1320A9}.Release|Win32.Build.0 = Release|Win32 {4B4599D2-DBF5-4E0A-9669-94032C1320A9}.VSDebug|Win32.ActiveCfg = VSDebug|Win32 {4B4599D2-DBF5-4E0A-9669-94032C1320A9}.VSDebug|Win32.Build.0 = VSDebug|Win32 {7A4327FF-CA12-4A1A-A7CF-5328BDAA9942}.Release|Win32.ActiveCfg = Release|Win32 {7A4327FF-CA12-4A1A-A7CF-5328BDAA9942}.Release|Win32.Build.0 = Release|Win32 {7A4327FF-CA12-4A1A-A7CF-5328BDAA9942}.VSDebug|Win32.ActiveCfg = VSDebug|Win32 {7A4327FF-CA12-4A1A-A7CF-5328BDAA9942}.VSDebug|Win32.Build.0 = VSDebug|Win32 {C6DCD3D9-4397-466E-AC94-49A590DA0EC6}.Release|Win32.ActiveCfg = Release|Win32 {C6DCD3D9-4397-466E-AC94-49A590DA0EC6}.Release|Win32.Build.0 = Release|Win32 {C6DCD3D9-4397-466E-AC94-49A590DA0EC6}.VSDebug|Win32.ActiveCfg = VSDebug|Win32 {C6DCD3D9-4397-466E-AC94-49A590DA0EC6}.VSDebug|Win32.Build.0 = VSDebug|Win32 {3AF383AB-F184-4190-84DF-453ACE4CA89D}.Release|Win32.ActiveCfg = Release|Win32 {3AF383AB-F184-4190-84DF-453ACE4CA89D}.Release|Win32.Build.0 = Release|Win32 {3AF383AB-F184-4190-84DF-453ACE4CA89D}.VSDebug|Win32.ActiveCfg = VSDebug|Win32 {3AF383AB-F184-4190-84DF-453ACE4CA89D}.VSDebug|Win32.Build.0 = VSDebug|Win32 {B5E43F96-E790-4DBA-8891-4A14E7183D9A}.Release|Win32.ActiveCfg = Release|Win32 {B5E43F96-E790-4DBA-8891-4A14E7183D9A}.Release|Win32.Build.0 = Release|Win32 {B5E43F96-E790-4DBA-8891-4A14E7183D9A}.VSDebug|Win32.ActiveCfg = VSDebug|Win32 {B5E43F96-E790-4DBA-8891-4A14E7183D9A}.VSDebug|Win32.Build.0 = VSDebug|Win32 {55652C23-9FE0-4E5B-930C-C3675C980351}.Release|Win32.ActiveCfg = Release|Win32 {55652C23-9FE0-4E5B-930C-C3675C980351}.Release|Win32.Build.0 = Release|Win32 {55652C23-9FE0-4E5B-930C-C3675C980351}.VSDebug|Win32.ActiveCfg = VSDebug|Win32 {55652C23-9FE0-4E5B-930C-C3675C980351}.VSDebug|Win32.Build.0 = VSDebug|Win32 
{48D8ABE8-71E3-4C29-A265-138C36783578}.Release|Win32.ActiveCfg = Release|Win32 {48D8ABE8-71E3-4C29-A265-138C36783578}.Release|Win32.Build.0 = Release|Win32 {48D8ABE8-71E3-4C29-A265-138C36783578}.VSDebug|Win32.ActiveCfg = VSDebug|Win32 {48D8ABE8-71E3-4C29-A265-138C36783578}.VSDebug|Win32.Build.0 = VSDebug|Win32 {6FB36D12-30F9-49F5-B4B6-2E58C4390438}.Release|Win32.ActiveCfg = Release|Win32 {6FB36D12-30F9-49F5-B4B6-2E58C4390438}.Release|Win32.Build.0 = Release|Win32 {6FB36D12-30F9-49F5-B4B6-2E58C4390438}.VSDebug|Win32.ActiveCfg = VSDebug|Win32 {6FB36D12-30F9-49F5-B4B6-2E58C4390438}.VSDebug|Win32.Build.0 = VSDebug|Win32 {D840C869-2266-4422-BD66-CAF20CED4832}.Release|Win32.ActiveCfg = Release|Win32 {D840C869-2266-4422-BD66-CAF20CED4832}.Release|Win32.Build.0 = Release|Win32 {D840C869-2266-4422-BD66-CAF20CED4832}.VSDebug|Win32.ActiveCfg = VSDebug|Win32 {D840C869-2266-4422-BD66-CAF20CED4832}.VSDebug|Win32.Build.0 = VSDebug|Win32 {2AE899E9-29D4-4921-9B34-470BD450ADDB}.Release|Win32.ActiveCfg = Release|Win32 {2AE899E9-29D4-4921-9B34-470BD450ADDB}.Release|Win32.Build.0 = Release|Win32 {2AE899E9-29D4-4921-9B34-470BD450ADDB}.VSDebug|Win32.ActiveCfg = VSDebug|Win32 {2AE899E9-29D4-4921-9B34-470BD450ADDB}.VSDebug|Win32.Build.0 = VSDebug|Win32 {D5374706-39C2-43A0-BCEA-D4A5B3F7E452}.Release|Win32.ActiveCfg = Release|Win32 {D5374706-39C2-43A0-BCEA-D4A5B3F7E452}.Release|Win32.Build.0 = Release|Win32 {D5374706-39C2-43A0-BCEA-D4A5B3F7E452}.VSDebug|Win32.ActiveCfg = VSDebug|Win32 {D5374706-39C2-43A0-BCEA-D4A5B3F7E452}.VSDebug|Win32.Build.0 = VSDebug|Win32 {EE2C5CA8-AD6D-43FD-94F5-5711BA1007EB}.Release|Win32.ActiveCfg = Release|Win32 {EE2C5CA8-AD6D-43FD-94F5-5711BA1007EB}.Release|Win32.Build.0 = Release|Win32 {EE2C5CA8-AD6D-43FD-94F5-5711BA1007EB}.VSDebug|Win32.ActiveCfg = VSDebug|Win32 {EE2C5CA8-AD6D-43FD-94F5-5711BA1007EB}.VSDebug|Win32.Build.0 = VSDebug|Win32 {6ECA82D7-4570-4B9E-AF48-D3C7312912C8}.Release|Win32.ActiveCfg = Release|Win32 
{6ECA82D7-4570-4B9E-AF48-D3C7312912C8}.Release|Win32.Build.0 = Release|Win32 {6ECA82D7-4570-4B9E-AF48-D3C7312912C8}.VSDebug|Win32.ActiveCfg = VSDebug|Win32 {6ECA82D7-4570-4B9E-AF48-D3C7312912C8}.VSDebug|Win32.Build.0 = VSDebug|Win32 {817CFF30-C20D-4B97-B144-0957548613D4}.Release|Win32.ActiveCfg = Release|Win32 {817CFF30-C20D-4B97-B144-0957548613D4}.Release|Win32.Build.0 = Release|Win32 {817CFF30-C20D-4B97-B144-0957548613D4}.VSDebug|Win32.ActiveCfg = VSDebug|Win32 {817CFF30-C20D-4B97-B144-0957548613D4}.VSDebug|Win32.Build.0 = VSDebug|Win32 {51C5C6C4-684E-4B2E-A220-3F177CD5D139}.Release|Win32.ActiveCfg = Release|Win32 {51C5C6C4-684E-4B2E-A220-3F177CD5D139}.Release|Win32.Build.0 = Release|Win32 {51C5C6C4-684E-4B2E-A220-3F177CD5D139}.VSDebug|Win32.ActiveCfg = VSDebug|Win32 {51C5C6C4-684E-4B2E-A220-3F177CD5D139}.VSDebug|Win32.Build.0 = VSDebug|Win32 {A73C40E8-0224-41D6-8FB0-C46CC44215B0}.Release|Win32.ActiveCfg = Release|Win32 {A73C40E8-0224-41D6-8FB0-C46CC44215B0}.Release|Win32.Build.0 = Release|Win32 {A73C40E8-0224-41D6-8FB0-C46CC44215B0}.VSDebug|Win32.ActiveCfg = VSDebug|Win32 {A73C40E8-0224-41D6-8FB0-C46CC44215B0}.VSDebug|Win32.Build.0 = VSDebug|Win32 {98244676-8D2C-4900-A8CA-E7357EA78844}.Release|Win32.ActiveCfg = Release|Win32 {98244676-8D2C-4900-A8CA-E7357EA78844}.Release|Win32.Build.0 = Release|Win32 {98244676-8D2C-4900-A8CA-E7357EA78844}.VSDebug|Win32.ActiveCfg = VSDebug|Win32 {98244676-8D2C-4900-A8CA-E7357EA78844}.VSDebug|Win32.Build.0 = VSDebug|Win32 {F7453089-EA30-4F71-9C6E-630C02E37383}.Release|Win32.ActiveCfg = Release|Win32 {F7453089-EA30-4F71-9C6E-630C02E37383}.Release|Win32.Build.0 = Release|Win32 {F7453089-EA30-4F71-9C6E-630C02E37383}.VSDebug|Win32.ActiveCfg = VSDebug|Win32 {F7453089-EA30-4F71-9C6E-630C02E37383}.VSDebug|Win32.Build.0 = VSDebug|Win32 {BE305497-DE84-4503-BCAF-80C8D5C3F730}.Release|Win32.ActiveCfg = Release|Win32 {BE305497-DE84-4503-BCAF-80C8D5C3F730}.Release|Win32.Build.0 = Release|Win32 
{BE305497-DE84-4503-BCAF-80C8D5C3F730}.VSDebug|Win32.ActiveCfg = VSDebug|Win32 {BE305497-DE84-4503-BCAF-80C8D5C3F730}.VSDebug|Win32.Build.0 = VSDebug|Win32 {073D74D4-5B99-49FE-863B-9DE654277681}.Release|Win32.ActiveCfg = Release|Win32 {073D74D4-5B99-49FE-863B-9DE654277681}.Release|Win32.Build.0 = Release|Win32 {073D74D4-5B99-49FE-863B-9DE654277681}.VSDebug|Win32.ActiveCfg = VSDebug|Win32 {073D74D4-5B99-49FE-863B-9DE654277681}.VSDebug|Win32.Build.0 = VSDebug|Win32 {04AD9DCE-819D-44A3-8645-D9967D9CACFC}.Release|Win32.ActiveCfg = Release|Win32 {04AD9DCE-819D-44A3-8645-D9967D9CACFC}.Release|Win32.Build.0 = Release|Win32 {04AD9DCE-819D-44A3-8645-D9967D9CACFC}.VSDebug|Win32.ActiveCfg = VSDebug|Win32 {04AD9DCE-819D-44A3-8645-D9967D9CACFC}.VSDebug|Win32.Build.0 = VSDebug|Win32 {1A14908D-59D7-4894-87AA-50712BA07F64}.Release|Win32.ActiveCfg = Release|Win32 {1A14908D-59D7-4894-87AA-50712BA07F64}.Release|Win32.Build.0 = Release|Win32 {1A14908D-59D7-4894-87AA-50712BA07F64}.VSDebug|Win32.ActiveCfg = VSDebug|Win32 {1A14908D-59D7-4894-87AA-50712BA07F64}.VSDebug|Win32.Build.0 = VSDebug|Win32 {D02450B3-A0A7-4CFB-9828-F8532D853D9E}.Release|Win32.ActiveCfg = Release|Win32 {D02450B3-A0A7-4CFB-9828-F8532D853D9E}.Release|Win32.Build.0 = Release|Win32 {D02450B3-A0A7-4CFB-9828-F8532D853D9E}.VSDebug|Win32.ActiveCfg = VSDebug|Win32 {D02450B3-A0A7-4CFB-9828-F8532D853D9E}.VSDebug|Win32.Build.0 = VSDebug|Win32 {D390DD8D-C393-4CB0-B623-48FC41D092BB}.Release|Win32.ActiveCfg = Release|Win32 {D390DD8D-C393-4CB0-B623-48FC41D092BB}.Release|Win32.Build.0 = Release|Win32 {D390DD8D-C393-4CB0-B623-48FC41D092BB}.VSDebug|Win32.ActiveCfg = VSDebug|Win32 {D390DD8D-C393-4CB0-B623-48FC41D092BB}.VSDebug|Win32.Build.0 = VSDebug|Win32 {10D3FA6F-88E6-409E-B210-44E8515F8BA1}.Release|Win32.ActiveCfg = Release|Win32 {10D3FA6F-88E6-409E-B210-44E8515F8BA1}.Release|Win32.Build.0 = Release|Win32 {10D3FA6F-88E6-409E-B210-44E8515F8BA1}.VSDebug|Win32.ActiveCfg = VSDebug|Win32 
{10D3FA6F-88E6-409E-B210-44E8515F8BA1}.VSDebug|Win32.Build.0 = VSDebug|Win32 {3FBC46FE-518B-4351-87DF-22B3F8DF6A35}.Release|Win32.ActiveCfg = Release|Win32 {3FBC46FE-518B-4351-87DF-22B3F8DF6A35}.Release|Win32.Build.0 = Release|Win32 {3FBC46FE-518B-4351-87DF-22B3F8DF6A35}.VSDebug|Win32.ActiveCfg = VSDebug|Win32 {3FBC46FE-518B-4351-87DF-22B3F8DF6A35}.VSDebug|Win32.Build.0 = VSDebug|Win32 {1D7A10ED-2939-4C11-BAA0-D37C2A8CD6F7}.Release|Win32.ActiveCfg = Release|Win32 {1D7A10ED-2939-4C11-BAA0-D37C2A8CD6F7}.Release|Win32.Build.0 = Release|Win32 {1D7A10ED-2939-4C11-BAA0-D37C2A8CD6F7}.VSDebug|Win32.ActiveCfg = VSDebug|Win32 {1D7A10ED-2939-4C11-BAA0-D37C2A8CD6F7}.VSDebug|Win32.Build.0 = VSDebug|Win32 {91D35439-5C77-4084-B94A-45B055A97971}.Release|Win32.ActiveCfg = Release|Win32 {91D35439-5C77-4084-B94A-45B055A97971}.Release|Win32.Build.0 = Release|Win32 {91D35439-5C77-4084-B94A-45B055A97971}.VSDebug|Win32.ActiveCfg = VSDebug|Win32 {91D35439-5C77-4084-B94A-45B055A97971}.VSDebug|Win32.Build.0 = VSDebug|Win32 {A352758D-DD49-406B-81F3-FC8494D52B88}.Release|Win32.ActiveCfg = Release|Win32 {A352758D-DD49-406B-81F3-FC8494D52B88}.Release|Win32.Build.0 = Release|Win32 {A352758D-DD49-406B-81F3-FC8494D52B88}.VSDebug|Win32.ActiveCfg = VSDebug|Win32 {A352758D-DD49-406B-81F3-FC8494D52B88}.VSDebug|Win32.Build.0 = VSDebug|Win32 {40BA88AF-9923-4FC6-8466-CB5833843AC4}.Release|Win32.ActiveCfg = Release|Win32 {40BA88AF-9923-4FC6-8466-CB5833843AC4}.Release|Win32.Build.0 = Release|Win32 {40BA88AF-9923-4FC6-8466-CB5833843AC4}.VSDebug|Win32.ActiveCfg = VSDebug|Win32 {40BA88AF-9923-4FC6-8466-CB5833843AC4}.VSDebug|Win32.Build.0 = VSDebug|Win32 {35A5D4B4-775C-40E3-B364-19562437CD80}.Release|Win32.ActiveCfg = Release|Win32 {35A5D4B4-775C-40E3-B364-19562437CD80}.Release|Win32.Build.0 = Release|Win32 {35A5D4B4-775C-40E3-B364-19562437CD80}.VSDebug|Win32.ActiveCfg = VSDebug|Win32 {35A5D4B4-775C-40E3-B364-19562437CD80}.VSDebug|Win32.Build.0 = VSDebug|Win32 
{E31E45A2-E02E-49E7-843B-F390127F1184}.Release|Win32.ActiveCfg = Release|Win32 {E31E45A2-E02E-49E7-843B-F390127F1184}.Release|Win32.Build.0 = Release|Win32 {E31E45A2-E02E-49E7-843B-F390127F1184}.VSDebug|Win32.ActiveCfg = VSDebug|Win32 {E31E45A2-E02E-49E7-843B-F390127F1184}.VSDebug|Win32.Build.0 = VSDebug|Win32 {5299814A-9BDD-4F91-ADF9-723068B3B642}.Release|Win32.ActiveCfg = Release|Win32 {5299814A-9BDD-4F91-ADF9-723068B3B642}.Release|Win32.Build.0 = Release|Win32 {5299814A-9BDD-4F91-ADF9-723068B3B642}.VSDebug|Win32.ActiveCfg = VSDebug|Win32 {5299814A-9BDD-4F91-ADF9-723068B3B642}.VSDebug|Win32.Build.0 = VSDebug|Win32 {F6707C74-BCE0-40FC-9900-DDA579029FBA}.Release|Win32.ActiveCfg = Release|Win32 {F6707C74-BCE0-40FC-9900-DDA579029FBA}.Release|Win32.Build.0 = Release|Win32 {F6707C74-BCE0-40FC-9900-DDA579029FBA}.VSDebug|Win32.ActiveCfg = VSDebug|Win32 {F6707C74-BCE0-40FC-9900-DDA579029FBA}.VSDebug|Win32.Build.0 = VSDebug|Win32 {62C67404-7985-4120-85BA-3C0424784434}.Release|Win32.ActiveCfg = Release|Win32 {62C67404-7985-4120-85BA-3C0424784434}.Release|Win32.Build.0 = Release|Win32 {62C67404-7985-4120-85BA-3C0424784434}.VSDebug|Win32.ActiveCfg = VSDebug|Win32 {62C67404-7985-4120-85BA-3C0424784434}.VSDebug|Win32.Build.0 = VSDebug|Win32 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE EndGlobalSection EndGlobal ================================================ FILE: msvscpp/libexe/libexe.vcproj ================================================ ================================================ FILE: msvscpp/libfcache/libfcache.vcproj ================================================ ================================================ FILE: msvscpp/libfdata/libfdata.vcproj ================================================ ================================================ FILE: msvscpp/libfdatetime/libfdatetime.vcproj ================================================ ================================================ FILE: 
msvscpp/libfguid/libfguid.vcproj ================================================ ================================================ FILE: msvscpp/libfvalue/libfvalue.vcproj ================================================ ================================================ FILE: msvscpp/libfwevt/libfwevt.vcproj ================================================ ================================================ FILE: msvscpp/libfwnt/libfwnt.vcproj ================================================ ================================================ FILE: msvscpp/libregf/libregf.vcproj ================================================ ================================================ FILE: msvscpp/libuna/libuna.vcproj ================================================ ================================================ FILE: msvscpp/libwrc/libwrc.vcproj ================================================ ================================================ FILE: msvscpp/pyevtx/pyevtx.vcproj ================================================ ================================================ FILE: ossfuzz/Makefile.am ================================================
# Everything between "if" and "endif" is only active when the
# HAVE_LIB_FUZZING_ENGINE conditional is true; the conditional itself is
# defined outside this file.
if HAVE_LIB_FUZZING_ENGINE
# Include paths for the public and common headers, followed by the
# substituted CPPFLAGS of the support libraries the fuzz targets use.
AM_CPPFLAGS = \
	-I../include -I$(top_srcdir)/include \
	-I../common -I$(top_srcdir)/common \
	@LIBCERROR_CPPFLAGS@ \
	@LIBCDATA_CPPFLAGS@ \
	@LIBCLOCALE_CPPFLAGS@ \
	@LIBCNOTIFY_CPPFLAGS@ \
	@LIBUNA_CPPFLAGS@ \
	@LIBCFILE_CPPFLAGS@ \
	@LIBCPATH_CPPFLAGS@ \
	@LIBBFIO_CPPFLAGS@

# Two fuzz target programs are built: one per entry in this list.
bin_PROGRAMS = \
	file_fuzzer \
	record_fuzzer

file_fuzzer_SOURCES = \
	file_fuzzer.cc \
	ossfuzz_libbfio.h \
	ossfuzz_libevtx.h

# Links the fuzzing engine (@LIB_FUZZING_ENGINE@), the support libraries
# and the in-tree ../libevtx/libevtx.la.
file_fuzzer_LDADD = \
	@LIB_FUZZING_ENGINE@ \
	@LIBBFIO_LIBADD@ \
	@LIBCPATH_LIBADD@ \
	@LIBCFILE_LIBADD@ \
	@LIBUNA_LIBADD@ \
	@LIBCDATA_LIBADD@ \
	../libevtx/libevtx.la \
	@LIBCNOTIFY_LIBADD@ \
	@LIBCLOCALE_LIBADD@ \
	@LIBCERROR_LIBADD@ \
	@LIBINTL@

record_fuzzer_SOURCES = \
	ossfuzz_libbfio.h \
	ossfuzz_libevtx.h \
	record_fuzzer.cc

# Same link line as file_fuzzer_LDADD.
record_fuzzer_LDADD = \
	@LIB_FUZZING_ENGINE@ \
	@LIBBFIO_LIBADD@ \
	@LIBCPATH_LIBADD@ \
	@LIBCFILE_LIBADD@ \
	@LIBUNA_LIBADD@ \
	@LIBCDATA_LIBADD@ \
	../libevtx/libevtx.la \
	@LIBCNOTIFY_LIBADD@ \
	@LIBCLOCALE_LIBADD@ \
	@LIBCERROR_LIBADD@ \
	@LIBINTL@
endif

DISTCLEANFILES = \
	Makefile \
	Makefile.in

# Static-analysis helper target. The leading '-' on the splint commands
# tells make to ignore a non-zero exit status, so splint findings are
# printed but never fail this target.
splint-local:
	@echo "Running splint on file_fuzzer ..."
	-splint -preproc -redef $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(file_fuzzer_SOURCES)
	@echo "Running splint on record_fuzzer ..."
	-splint -preproc -redef $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(record_fuzzer_SOURCES)

================================================ FILE: ossfuzz/file_fuzzer.cc ================================================ /* * OSS-Fuzz target for libevtx file type * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see .
*/ #include #include

/* Note that some of the OSS-Fuzz engines use C++
 */
extern "C" {

#include "ossfuzz_libbfio.h"
#include "ossfuzz_libevtx.h"

#if !defined( LIBEVTX_HAVE_BFIO )

/* Opens a file using a Basic File IO (bfio) handle
 * Returns 1 if successful or -1 on error
 */
LIBEVTX_EXTERN \
int libevtx_file_open_file_io_handle(
     libevtx_file_t *file,
     libbfio_handle_t *file_io_handle,
     int access_flags,
     libevtx_error_t **error );

#endif /* !defined( LIBEVTX_HAVE_BFIO ) */

/* Fuzzing entry point for the libevtx file type
 *
 * Exposes the fuzzer-supplied buffer through a libbfio memory range
 * handle and opens it read-only as an EVTX file, so whatever parsing
 * the open call performs runs on untrusted bytes.
 *
 * Every library call passes NULL as the error argument: error details
 * are discarded and a failed call only ends the iteration. Findings are
 * therefore expected to surface through the fuzzing engine rather than
 * through return values.
 *
 * Always returns 0
 */
int LLVMFuzzerTestOneInput(
     const uint8_t *data,
     size_t size )
{
	libbfio_handle_t *memory_range_handle = NULL;
	libevtx_file_t *evtx_file             = NULL;

	if( libbfio_memory_range_initialize(
	     &memory_range_handle,
	     NULL ) != 1 )
	{
		return( 0 );
	}
	/* The const qualifier of data is cast away for the memory range;
	 * the file is only opened with LIBEVTX_OPEN_READ
	 */
	if( ( libbfio_memory_range_set(
	       memory_range_handle,
	       (uint8_t *) data,
	       size,
	       NULL ) == 1 )
	 && ( libevtx_file_initialize(
	       &evtx_file,
	       NULL ) == 1 ) )
	{
		/* The file is only closed when the open succeeded,
		 * it is freed in either case
		 */
		if( libevtx_file_open_file_io_handle(
		     evtx_file,
		     memory_range_handle,
		     LIBEVTX_OPEN_READ,
		     NULL ) == 1 )
		{
			libevtx_file_close(
			 evtx_file,
			 NULL );
		}
		libevtx_file_free(
		 &evtx_file,
		 NULL );
	}
	libbfio_handle_free(
	 &memory_range_handle,
	 NULL );

	return( 0 );
}

} /* extern "C" */

================================================ FILE: ossfuzz/ossfuzz_libbfio.h ================================================ /* * The libbfio header wrapper * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. 
* * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . */ #if !defined( _OSSFUZZ_LIBBFIO_H ) #define _OSSFUZZ_LIBBFIO_H #include /* Define HAVE_LOCAL_LIBBFIO for local use of libbfio */ #if defined( HAVE_LOCAL_LIBBFIO ) #include #include #include #include #include #include #include #include #else /* If libtool DLL support is enabled set LIBBFIO_DLL_IMPORT * before including libbfio.h */ #if defined( _WIN32 ) && defined( DLL_IMPORT ) && !defined( HAVE_STATIC_EXECUTABLES ) #define LIBBFIO_DLL_IMPORT #endif #include #if defined( HAVE_MULTI_THREAD_SUPPORT ) && !defined( LIBBFIO_HAVE_MULTI_THREAD_SUPPORT ) #error Multi-threading support requires libbfio with multi-threading support #endif #endif /* defined( HAVE_LOCAL_LIBBFIO ) */ #endif /* !defined( _OSSFUZZ_LIBBFIO_H ) */ ================================================ FILE: ossfuzz/ossfuzz_libevtx.h ================================================ /* * The libevtx header wrapper * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #if !defined( _OSSFUZZ_LIBEVTX_H ) #define _OSSFUZZ_LIBEVTX_H #include #include #endif /* !defined( _OSSFUZZ_LIBEVTX_H ) */ ================================================ FILE: ossfuzz/record_fuzzer.cc ================================================ /* * OSS-Fuzz target for libevtx record type * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #include #include

/* Note that some of the OSS-Fuzz engines use C++
 */
extern "C" {

#include "ossfuzz_libbfio.h"
#include "ossfuzz_libevtx.h"

#if !defined( LIBEVTX_HAVE_BFIO )

/* Opens a file using a Basic File IO (bfio) handle
 * Returns 1 if successful or -1 on error
 */
LIBEVTX_EXTERN \
int libevtx_file_open_file_io_handle(
     libevtx_file_t *file,
     libbfio_handle_t *file_io_handle,
     int access_flags,
     libevtx_error_t **error );

#endif /* !defined( LIBEVTX_HAVE_BFIO ) */

/* Fuzzing entry point for the libevtx record type
 *
 * Opens the fuzzer-supplied buffer read-only as an EVTX file through a
 * libbfio memory range handle, asks for the number of records and, when
 * there is at least one, retrieves the record at index 0.
 *
 * Coverage caveat: only index 0 is requested and the record is freed
 * without calling any accessor on it, so this target reaches record
 * retrieval but none of the record getters, and no record beyond the
 * first.
 *
 * Every library call passes NULL as the error argument, so error
 * details are discarded and a failed call only ends the iteration.
 *
 * Always returns 0
 */
int LLVMFuzzerTestOneInput(
     const uint8_t *data,
     size_t size )
{
	libbfio_handle_t *memory_range_handle = NULL;
	libevtx_file_t *evtx_file             = NULL;
	libevtx_record_t *first_record        = NULL;
	int record_count                      = 0;

	if( libbfio_memory_range_initialize(
	     &memory_range_handle,
	     NULL ) != 1 )
	{
		return( 0 );
	}
	/* The const qualifier of data is cast away for the memory range;
	 * the file is only opened with LIBEVTX_OPEN_READ
	 */
	if( ( libbfio_memory_range_set(
	       memory_range_handle,
	       (uint8_t *) data,
	       size,
	       NULL ) == 1 )
	 && ( libevtx_file_initialize(
	       &evtx_file,
	       NULL ) == 1 ) )
	{
		/* The close is skipped when either the open or the record count
		 * query fails, the file is freed in either case
		 */
		if( ( libevtx_file_open_file_io_handle(
		       evtx_file,
		       memory_range_handle,
		       LIBEVTX_OPEN_READ,
		       NULL ) == 1 )
		 && ( libevtx_file_get_number_of_records(
		       evtx_file,
		       &record_count,
		       NULL ) == 1 ) )
		{
			if( ( record_count > 0 )
			 && ( libevtx_file_get_record_by_index(
			       evtx_file,
			       0,
			       &first_record,
			       NULL ) == 1 ) )
			{
				libevtx_record_free(
				 &first_record,
				 NULL );
			}
			libevtx_file_close(
			 evtx_file,
			 NULL );
		}
		libevtx_file_free(
		 &evtx_file,
		 NULL );
	}
	libbfio_handle_free(
	 &memory_range_handle,
	 NULL );

	return( 0 );
}

} /* extern "C" */

================================================ FILE: po/ChangeLog ================================================ 2016-11-01 gettextize ================================================ FILE: po/Makevars.in ================================================ # Makefile variables for PO directory in any package using GNU gettext. # Usually the message domain is the same as the package name. DOMAIN = @PACKAGE@ # These two variables depend on the location of this directory. 
subdir = po top_builddir = .. # These options get passed to xgettext. XGETTEXT_OPTIONS = --keyword=_ --keyword=N_ # This is the copyright holder that gets inserted into the header of the # $(DOMAIN).pot file. Set this to the copyright holder of the surrounding # package. (Note that the msgstr strings, extracted from the package's # sources, belong to the copyright holder of the package.) Translators are # expected to transfer the copyright for their translations to this person # or entity, or to disclaim their copyright. The empty string stands for # the public domain; in this case the translators are expected to disclaim # their copyright. COPYRIGHT_HOLDER = Joachim Metz # This is the email address or URL to which the translators shall report # bugs in the untranslated strings: # - Strings which are not entire sentences, see the maintainer guidelines # in the GNU gettext documentation, section 'Preparing Strings'. # - Strings which use unclear terms or require additional context to be # understood. # - Strings which make invalid assumptions about notation of date, time or # money. # - Pluralisation problems. # - Incorrect English spelling. # - Incorrect formatting. # It can be your email address, or a mailing list address where translators # can write to without being subscribed, or the URL of a web page through # which the translators can contact you. MSGID_BUGS_ADDRESS = @PACKAGE_BUGREPORT@ # This is the list of locale categories, beyond LC_MESSAGES, for which the # message catalogs shall be used. It is usually empty. EXTRA_LOCALE_CATEGORIES = # Additional make targets. sources splint: ================================================ FILE: po/POTFILES.in ================================================ # List of source files which contain translatable strings. 
================================================ FILE: pyevtx/Makefile.am ================================================ if HAVE_PYTHON AM_CFLAGS = \ -I../include -I$(top_srcdir)/include \ -I../common -I$(top_srcdir)/common \ @LIBCERROR_CPPFLAGS@ \ @LIBCDATA_CPPFLAGS@ \ @LIBCLOCALE_CPPFLAGS@ \ @LIBCSPLIT_CPPFLAGS@ \ @LIBUNA_CPPFLAGS@ \ @LIBCFILE_CPPFLAGS@ \ @LIBCPATH_CPPFLAGS@ \ @LIBBFIO_CPPFLAGS@ \ @LIBEVTX_DLL_IMPORT@ pyexec_LTLIBRARIES = pyevtx.la pyevtx_la_SOURCES = \ pyevtx.c pyevtx.h \ pyevtx_codepage.c pyevtx_codepage.h \ pyevtx_datetime.c pyevtx_datetime.h \ pyevtx_error.c pyevtx_error.h \ pyevtx_event_levels.c pyevtx_event_levels.h \ pyevtx_file.c pyevtx_file.h \ pyevtx_file_flags.c pyevtx_file_flags.h \ pyevtx_file_object_io_handle.c pyevtx_file_object_io_handle.h \ pyevtx_integer.c pyevtx_integer.h \ pyevtx_libbfio.h \ pyevtx_libcerror.h \ pyevtx_libclocale.h \ pyevtx_libevtx.h \ pyevtx_python.h \ pyevtx_record.c pyevtx_record.h \ pyevtx_records.c pyevtx_records.h \ pyevtx_strings.c pyevtx_strings.h \ pyevtx_unused.h pyevtx_la_LIBADD = \ @LIBCERROR_LIBADD@ \ ../libevtx/libevtx.la \ @LIBCDATA_LIBADD@ \ @LIBCLOCALE_LIBADD@ \ @LIBCSPLIT_LIBADD@ \ @LIBUNA_LIBADD@ \ @LIBCFILE_LIBADD@ \ @LIBCPATH_LIBADD@ \ @LIBBFIO_LIBADD@ pyevtx_la_CPPFLAGS = $(PYTHON_CPPFLAGS) pyevtx_la_LDFLAGS = -module -avoid-version $(PYTHON_LDFLAGS) endif DISTCLEANFILES = \ Makefile \ Makefile.in ================================================ FILE: pyevtx/pyevtx.c ================================================ /* * Python bindings module for libevtx (pyevtx) * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. 
* * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . */ #include #include #include #if defined( HAVE_STDLIB_H ) || defined( HAVE_WINAPI ) #include #endif #include "pyevtx.h" #include "pyevtx_error.h" #include "pyevtx_event_levels.h" #include "pyevtx_file.h" #include "pyevtx_file_flags.h" #include "pyevtx_file_object_io_handle.h" #include "pyevtx_libbfio.h" #include "pyevtx_libcerror.h" #include "pyevtx_libevtx.h" #include "pyevtx_python.h" #include "pyevtx_record.h" #include "pyevtx_records.h" #include "pyevtx_strings.h" #include "pyevtx_unused.h" #if !defined( LIBEVTX_HAVE_BFIO ) LIBEVTX_EXTERN \ int libevtx_check_file_signature_file_io_handle( libbfio_handle_t *file_io_handle, libevtx_error_t **error ); #endif /* !defined( LIBEVTX_HAVE_BFIO ) */ /* The pyevtx module methods */ PyMethodDef pyevtx_module_methods[] = { { "get_version", (PyCFunction) pyevtx_get_version, METH_NOARGS, "get_version() -> String\n" "\n" "Retrieves the version." }, { "check_file_signature", (PyCFunction) pyevtx_check_file_signature, METH_VARARGS | METH_KEYWORDS, "check_file_signature(filename) -> Boolean\n" "\n" "Checks if a file has a Windows XML Event Log (EVTX) file signature." }, { "check_file_signature_file_object", (PyCFunction) pyevtx_check_file_signature_file_object, METH_VARARGS | METH_KEYWORDS, "check_file_signature_file_object(file_object) -> Boolean\n" "\n" "Checks if a file has a Windows XML Event Log (EVTX) file signature using a file-like object." }, { "open", (PyCFunction) pyevtx_open_new_file, METH_VARARGS | METH_KEYWORDS, "open(filename, mode='r') -> Object\n" "\n" "Opens a file." 
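}, { "open_file_object", (PyCFunction) pyevtx_open_new_file_with_file_object, METH_VARARGS | METH_KEYWORDS, "open_file_object(file_object, mode='r') -> Object\n" "\n" "Opens a file using a file-like object." }, /* Sentinel */ { NULL, NULL, 0, NULL } };

/* Retrieves the pyevtx/libevtx version
 * Returns a Python object if successful or NULL on error
 */
PyObject *pyevtx_get_version(
           PyObject *self PYEVTX_ATTRIBUTE_UNUSED,
           PyObject *arguments PYEVTX_ATTRIBUTE_UNUSED )
{
	const char *version_string   = NULL;
	size_t version_string_length = 0;

	PYEVTX_UNREFERENCED_PARAMETER( self )
	PYEVTX_UNREFERENCED_PARAMETER( arguments )

	Py_BEGIN_ALLOW_THREADS

	version_string = libevtx_get_version();

	Py_END_ALLOW_THREADS

	version_string_length = narrow_string_length(
	                         version_string );

	/* Pass the string length to PyUnicode_DecodeUTF8
	 * otherwise the end-of-string character becomes part
	 * of the string
	 */
	return( PyUnicode_DecodeUTF8(
	         version_string,
	         (Py_ssize_t) version_string_length,
	         NULL ) );
}

/* Checks if a file has a Windows XML Event Log (EVTX) file signature
 *
 * The filename argument is accepted as a Unicode string or as a bytes
 * (Python 2: str) object, any other type raises TypeError. The name is
 * handed to libevtx as a C string without a length.
 *
 * Returns a Python object (True or False) if successful or NULL on error
 */
PyObject *pyevtx_check_file_signature(
           PyObject *self PYEVTX_ATTRIBUTE_UNUSED,
           PyObject *arguments,
           PyObject *keywords )
{
	PyObject *string_object      = NULL;
	libcerror_error_t *error     = NULL;
	const char *filename_narrow  = NULL;
	static char *function        = "pyevtx_check_file_signature";
	static char *keyword_list[]  = { "filename", NULL };
	int result                   = 0;

#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
	const wchar_t *filename_wide = NULL;
#else
	PyObject *utf8_string_object = NULL;
#endif

	PYEVTX_UNREFERENCED_PARAMETER( self )

	/* Note that PyArg_ParseTupleAndKeywords with "s" will force Unicode strings to be converted to narrow character string.
	 * On Windows the narrow character strings contains an extended ASCII string with a codepage. Hence we get a conversion
	 * exception. This will also fail if the default encoding is not set correctly. We cannot use "u" here either since that
	 * does not allow us to pass non Unicode string objects and Python (at least 2.7) does not seem to automatically upcast them.
	 */
	if( PyArg_ParseTupleAndKeywords(
	     arguments,
	     keywords,
	     "O|",
	     keyword_list,
	     &string_object ) == 0 )
	{
		return( NULL );
	}
	PyErr_Clear();

	result = PyObject_IsInstance(
	          string_object,
	          (PyObject *) &PyUnicode_Type );

	if( result == -1 )
	{
		pyevtx_error_fetch_and_raise(
		 PyExc_RuntimeError,
		 "%s: unable to determine if string object is of type Unicode.",
		 function );

		return( NULL );
	}
	else if( result != 0 )
	{
		PyErr_Clear();

#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
#if PY_MAJOR_VERSION >= 3 && PY_MINOR_VERSION >= 3
		filename_wide = (wchar_t *) PyUnicode_AsWideCharString(
		                             string_object,
		                             NULL );
#else
		filename_wide = (wchar_t *) PyUnicode_AsUnicode(
		                             string_object );
#endif
		/* Both conversions return NULL on failure with a Python exception
		 * set, do not hand a NULL filename to the library in that case
		 */
		if( filename_wide == NULL )
		{
			pyevtx_error_fetch_and_raise(
			 PyExc_RuntimeError,
			 "%s: unable to convert Unicode string to wide character string.",
			 function );

			return( NULL );
		}
		Py_BEGIN_ALLOW_THREADS

		result = libevtx_check_file_signature_wide(
		          filename_wide,
		          &error );

		Py_END_ALLOW_THREADS

#if PY_MAJOR_VERSION >= 3 && PY_MINOR_VERSION >= 3
		/* PyUnicode_AsWideCharString returns a buffer the caller has to free
		 */
		PyMem_Free(
		 filename_wide );
#endif
#else
		utf8_string_object = PyUnicode_AsUTF8String(
		                      string_object );

		if( utf8_string_object == NULL )
		{
			pyevtx_error_fetch_and_raise(
			 PyExc_RuntimeError,
			 "%s: unable to convert Unicode string to UTF-8.",
			 function );

			return( NULL );
		}
		/* NOTE(review): see the note on embedded NUL bytes at the
		 * bytes object branch below, it applies here as well
		 */
#if PY_MAJOR_VERSION >= 3
		filename_narrow = PyBytes_AsString(
		                   utf8_string_object );
#else
		filename_narrow = PyString_AsString(
		                   utf8_string_object );
#endif
		Py_BEGIN_ALLOW_THREADS

		result = libevtx_check_file_signature(
		          filename_narrow,
		          &error );

		Py_END_ALLOW_THREADS

		/* filename_narrow points into utf8_string_object,
		 * release it only after the library call
		 */
		Py_DecRef(
		 utf8_string_object );

#endif /* defined( HAVE_WIDE_SYSTEM_CHARACTER ) */

		if( result == -1 )
		{
			pyevtx_error_raise(
			 error,
			 PyExc_IOError,
			 "%s: unable to check file signature.",
			 function );

			libcerror_error_free(
			 &error );

			return( NULL );
		}
		if( result != 0 )
		{
			Py_IncRef(
			 (PyObject *) Py_True );

			return( Py_True );
		}
		Py_IncRef(
		 (PyObject *) Py_False );

		return( Py_False );
	}
	PyErr_Clear();

#if PY_MAJOR_VERSION >= 3
	result = PyObject_IsInstance(
	          string_object,
	          (PyObject *) &PyBytes_Type );
#else
	result = PyObject_IsInstance(
	          string_object,
	          (PyObject *) &PyString_Type );
#endif
	if( result == -1 )
	{
		pyevtx_error_fetch_and_raise(
		 PyExc_RuntimeError,
		 "%s: unable to determine if string object is of type string.",
		 function );

		return( NULL );
	}
	else if( result != 0 )
	{
		PyErr_Clear();

		/* NOTE(review): PyBytes_AsString does not reject embedded NUL bytes,
		 * so the library sees the name only up to the first NUL and the file
		 * that is checked can differ from the name the caller passed.
		 * Confirm whether such names should be refused, e.g. by using
		 * PyBytes_AsStringAndSize with a NULL length
		 */
#if PY_MAJOR_VERSION >= 3
		filename_narrow = PyBytes_AsString(
		                   string_object );
#else
		filename_narrow = PyString_AsString(
		                   string_object );
#endif
		Py_BEGIN_ALLOW_THREADS

		result = libevtx_check_file_signature(
		          filename_narrow,
		          &error );

		Py_END_ALLOW_THREADS

		if( result == -1 )
		{
			pyevtx_error_raise(
			 error,
			 PyExc_IOError,
			 "%s: unable to check file signature.",
			 function );

			libcerror_error_free(
			 &error );

			return( NULL );
		}
		if( result != 0 )
		{
			Py_IncRef(
			 (PyObject *) Py_True );

			return( Py_True );
		}
		Py_IncRef(
		 (PyObject *) Py_False );

		return( Py_False );
	}
	PyErr_Format(
	 PyExc_TypeError,
	 "%s: unsupported string object type.",
	 function );

	return( NULL );
}

/* Checks if a file has a Windows XML Event Log (EVTX) file signature using a file-like object * Returns a Python object if successful or NULL on error */ PyObject *pyevtx_check_file_signature_file_object( PyObject *self PYEVTX_ATTRIBUTE_UNUSED, PyObject *arguments, PyObject *keywords ) { PyObject *file_object = NULL; libbfio_handle_t *file_io_handle = NULL; libcerror_error_t *error = NULL; static char *function = "pyevtx_check_file_signature_file_object"; static char *keyword_list[] = { "file_object", NULL }; int result = 0; PYEVTX_UNREFERENCED_PARAMETER( self ) if( PyArg_ParseTupleAndKeywords( arguments, keywords, "O|", keyword_list, &file_object ) == 0 ) { return( NULL ); } if( pyevtx_file_object_initialize( &file_io_handle, file_object, &error ) != 1 ) { pyevtx_error_raise( error, PyExc_MemoryError, "%s: unable to initialize file IO handle.", function ); libcerror_error_free( &error ); goto on_error; } Py_BEGIN_ALLOW_THREADS result = libevtx_check_file_signature_file_io_handle( 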
file_io_handle, &error ); Py_END_ALLOW_THREADS if( result == -1 ) { pyevtx_error_raise( error, PyExc_IOError, "%s: unable to check file signature.", function ); libcerror_error_free( &error ); goto on_error; } if( libbfio_handle_free( &file_io_handle, &error ) != 1 ) { pyevtx_error_raise( error, PyExc_MemoryError, "%s: unable to free file IO handle.", function ); libcerror_error_free( &error ); goto on_error; } if( result != 0 ) { Py_IncRef( (PyObject *) Py_True ); return( Py_True ); } Py_IncRef( (PyObject *) Py_False ); return( Py_False ); on_error: if( file_io_handle != NULL ) { libbfio_handle_free( &file_io_handle, NULL ); } return( NULL ); } /* Creates a new file object and opens it * Returns a Python object if successful or NULL on error */ PyObject *pyevtx_open_new_file( PyObject *self PYEVTX_ATTRIBUTE_UNUSED, PyObject *arguments, PyObject *keywords ) { pyevtx_file_t *pyevtx_file = NULL; static char *function = "pyevtx_open_new_file"; PYEVTX_UNREFERENCED_PARAMETER( self ) /* PyObject_New does not invoke tp_init */ pyevtx_file = PyObject_New( struct pyevtx_file, &pyevtx_file_type_object ); if( pyevtx_file == NULL ) { PyErr_Format( PyExc_MemoryError, "%s: unable to create file.", function ); goto on_error; } if( pyevtx_file_init( pyevtx_file ) != 0 ) { goto on_error; } if( pyevtx_file_open( pyevtx_file, arguments, keywords ) == NULL ) { goto on_error; } return( (PyObject *) pyevtx_file ); on_error: if( pyevtx_file != NULL ) { Py_DecRef( (PyObject *) pyevtx_file ); } return( NULL ); } /* Creates a new file object and opens it using a file-like object * Returns a Python object if successful or NULL on error */ PyObject *pyevtx_open_new_file_with_file_object( PyObject *self PYEVTX_ATTRIBUTE_UNUSED, PyObject *arguments, PyObject *keywords ) { pyevtx_file_t *pyevtx_file = NULL; static char *function = "pyevtx_open_new_file_with_file_object"; PYEVTX_UNREFERENCED_PARAMETER( self ) /* PyObject_New does not invoke tp_init */ pyevtx_file = PyObject_New( struct 
pyevtx_file, &pyevtx_file_type_object ); if( pyevtx_file == NULL ) { PyErr_Format( PyExc_MemoryError, "%s: unable to create file.", function ); goto on_error; } if( pyevtx_file_init( pyevtx_file ) != 0 ) { goto on_error; } if( pyevtx_file_open_file_object( pyevtx_file, arguments, keywords ) == NULL ) { goto on_error; } return( (PyObject *) pyevtx_file ); on_error: if( pyevtx_file != NULL ) { Py_DecRef( (PyObject *) pyevtx_file ); } return( NULL ); } #if PY_MAJOR_VERSION >= 3 /* The pyevtx module definition */ PyModuleDef pyevtx_module_definition = { PyModuleDef_HEAD_INIT, /* m_name */ "pyevtx", /* m_doc */ "Python libevtx module (pyevtx).", /* m_size */ -1, /* m_methods */ pyevtx_module_methods, /* m_reload */ NULL, /* m_traverse */ NULL, /* m_clear */ NULL, /* m_free */ NULL, }; #endif /* PY_MAJOR_VERSION >= 3 */ /* Initializes the pyevtx module */ #if PY_MAJOR_VERSION >= 3 PyMODINIT_FUNC PyInit_pyevtx( void ) #else PyMODINIT_FUNC initpyevtx( void ) #endif { PyObject *module = NULL; PyGILState_STATE gil_state = 0; #if defined( HAVE_DEBUG_OUTPUT ) libevtx_notify_set_stream( stderr, NULL ); libevtx_notify_set_verbose( 1 ); #endif /* Create the module * This function must be called before grabbing the GIL * otherwise the module will segfault on a version mismatch */ #if PY_MAJOR_VERSION >= 3 module = PyModule_Create( &pyevtx_module_definition ); #else module = Py_InitModule3( "pyevtx", pyevtx_module_methods, "Python libevtx module (pyevtx)." 
); #endif if( module == NULL ) { #if PY_MAJOR_VERSION >= 3 return( NULL ); #else return; #endif } #if PY_VERSION_HEX < 0x03070000 PyEval_InitThreads(); #endif gil_state = PyGILState_Ensure(); /* Setup the event_levels type object */ pyevtx_event_levels_type_object.tp_new = PyType_GenericNew; if( pyevtx_event_levels_init_type( &pyevtx_event_levels_type_object ) != 1 ) { goto on_error; } if( PyType_Ready( &pyevtx_event_levels_type_object ) < 0 ) { goto on_error; } Py_IncRef( (PyObject *) &pyevtx_event_levels_type_object ); PyModule_AddObject( module, "event_levels", (PyObject *) &pyevtx_event_levels_type_object ); /* Setup the file type object */ pyevtx_file_type_object.tp_new = PyType_GenericNew; if( PyType_Ready( &pyevtx_file_type_object ) < 0 ) { goto on_error; } Py_IncRef( (PyObject *) &pyevtx_file_type_object ); PyModule_AddObject( module, "file", (PyObject *) &pyevtx_file_type_object ); /* Setup the file_flags type object */ pyevtx_file_flags_type_object.tp_new = PyType_GenericNew; if( pyevtx_file_flags_init_type( &pyevtx_file_flags_type_object ) != 1 ) { goto on_error; } if( PyType_Ready( &pyevtx_file_flags_type_object ) < 0 ) { goto on_error; } Py_IncRef( (PyObject *) &pyevtx_file_flags_type_object ); PyModule_AddObject( module, "file_flags", (PyObject *) &pyevtx_file_flags_type_object ); /* Setup the record type object */ pyevtx_record_type_object.tp_new = PyType_GenericNew; if( PyType_Ready( &pyevtx_record_type_object ) < 0 ) { goto on_error; } Py_IncRef( (PyObject *) &pyevtx_record_type_object ); PyModule_AddObject( module, "record", (PyObject *) &pyevtx_record_type_object ); /* Setup the records type object */ pyevtx_records_type_object.tp_new = PyType_GenericNew; if( PyType_Ready( &pyevtx_records_type_object ) < 0 ) { goto on_error; } Py_IncRef( (PyObject *) &pyevtx_records_type_object ); PyModule_AddObject( module, "records", (PyObject *) &pyevtx_records_type_object ); /* Setup the strings type object */ pyevtx_strings_type_object.tp_new = 
PyType_GenericNew; if( PyType_Ready( &pyevtx_strings_type_object ) < 0 ) { goto on_error; } Py_IncRef( (PyObject *) &pyevtx_strings_type_object ); PyModule_AddObject( module, "strings", (PyObject *) &pyevtx_strings_type_object ); PyGILState_Release( gil_state ); #if PY_MAJOR_VERSION >= 3 return( module ); #else return; #endif on_error: PyGILState_Release( gil_state ); #if PY_MAJOR_VERSION >= 3 return( NULL ); #else return; #endif } ================================================ FILE: pyevtx/pyevtx.h ================================================ /* * Python bindings module for libevtx (pyevtx) * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #if !defined( _PYEVTX_H ) #define _PYEVTX_H #include #include #include "pyevtx_python.h" #if defined( __cplusplus ) extern "C" { #endif PyObject *pyevtx_get_version( PyObject *self, PyObject *arguments ); PyObject *pyevtx_check_file_signature( PyObject *self, PyObject *arguments, PyObject *keywords ); PyObject *pyevtx_check_file_signature_file_object( PyObject *self, PyObject *arguments, PyObject *keywords ); PyObject *pyevtx_open_new_file( PyObject *self, PyObject *arguments, PyObject *keywords ); PyObject *pyevtx_open_new_file_with_file_object( PyObject *self, PyObject *arguments, PyObject *keywords ); #if PY_MAJOR_VERSION >= 3 PyMODINIT_FUNC PyInit_pyevtx( void ); #else PyMODINIT_FUNC initpyevtx( void ); #endif #if defined( __cplusplus ) } #endif #endif /* !defined( _PYEVTX_H ) */ ================================================ FILE: pyevtx/pyevtx_codepage.c ================================================ /* * Codepage functions * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #include
#include "pyevtx_codepage.h"
#include "pyevtx_libevtx.h"

/* Returns the name of the Python codec that corresponds to a libevtx codepage
 * Codecs and aliases are defined: http://docs.python.org/library/codecs.html#standard-encodings
 * Returns the codec name if the codepage is supported or NULL if not
 */
const char *pyevtx_codepage_to_string(
             int codepage )
{
	/* Maps every supported codepage onto its codec name,
	 * the entry with a NULL codec name ends the table
	 */
	static const struct
	{
		int codepage;
		const char *codec_name;
	}
	codec_names[] = {
		{ LIBEVTX_CODEPAGE_ASCII,        "ascii" },
		{ LIBEVTX_CODEPAGE_ISO_8859_1,   "iso-8859-1" },
		{ LIBEVTX_CODEPAGE_ISO_8859_2,   "iso-8859-2" },
		{ LIBEVTX_CODEPAGE_ISO_8859_3,   "iso-8859-3" },
		{ LIBEVTX_CODEPAGE_ISO_8859_4,   "iso-8859-4" },
		{ LIBEVTX_CODEPAGE_ISO_8859_5,   "iso-8859-5" },
		{ LIBEVTX_CODEPAGE_ISO_8859_6,   "iso-8859-6" },
		{ LIBEVTX_CODEPAGE_ISO_8859_7,   "iso-8859-7" },
		{ LIBEVTX_CODEPAGE_ISO_8859_8,   "iso-8859-8" },
		{ LIBEVTX_CODEPAGE_ISO_8859_9,   "iso-8859-9" },
		{ LIBEVTX_CODEPAGE_ISO_8859_10,  "iso-8859-10" },
		{ LIBEVTX_CODEPAGE_ISO_8859_11,  "iso-8859-11" },
		{ LIBEVTX_CODEPAGE_ISO_8859_13,  "iso-8859-13" },
		{ LIBEVTX_CODEPAGE_ISO_8859_14,  "iso-8859-14" },
		{ LIBEVTX_CODEPAGE_ISO_8859_15,  "iso-8859-15" },
		{ LIBEVTX_CODEPAGE_ISO_8859_16,  "iso-8859-16" },
		{ LIBEVTX_CODEPAGE_KOI8_R,       "koi8_r" },
		{ LIBEVTX_CODEPAGE_KOI8_U,       "koi8_u" },
		{ LIBEVTX_CODEPAGE_WINDOWS_874,  "cp874" },
		{ LIBEVTX_CODEPAGE_WINDOWS_932,  "cp932" },
		{ LIBEVTX_CODEPAGE_WINDOWS_936,  "cp936" },
		{ LIBEVTX_CODEPAGE_WINDOWS_949,  "cp949" },
		{ LIBEVTX_CODEPAGE_WINDOWS_950,  "cp950" },
		{ LIBEVTX_CODEPAGE_WINDOWS_1250, "cp1250" },
		{ LIBEVTX_CODEPAGE_WINDOWS_1251, "cp1251" },
		{ LIBEVTX_CODEPAGE_WINDOWS_1252, "cp1252" },
		{ LIBEVTX_CODEPAGE_WINDOWS_1253, "cp1253" },
		{ LIBEVTX_CODEPAGE_WINDOWS_1254, "cp1254" },
		{ LIBEVTX_CODEPAGE_WINDOWS_1255, "cp1255" },
		{ LIBEVTX_CODEPAGE_WINDOWS_1256, "cp1256" },
		{ LIBEVTX_CODEPAGE_WINDOWS_1257, "cp1257" },
		{ LIBEVTX_CODEPAGE_WINDOWS_1258, "cp1258" },
		{ 0,                             NULL }
	};
	int entry_index = 0;

	while( codec_names[ entry_index ].codec_name != NULL )
	{
		if( codec_names[ entry_index ].codepage == codepage )
		{
			return( codec_names[ entry_index ].codec_name );
		}
		entry_index++;
	}
	/* Callers have to handle NULL for a codepage that is not in the table
	 */
	return( NULL );
}

================================================ FILE: pyevtx/pyevtx_codepage.h ================================================ /* * Codepage functions * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . */ #if !defined( _PYEVTX_CODEPAGE_H ) #define _PYEVTX_CODEPAGE_H #include #include #if defined( __cplusplus ) extern "C" { #endif const char *pyevtx_codepage_to_string( int codepage ); /* TODO add list function */ #if defined( __cplusplus ) } #endif #endif /* !defined( _PYEVTX_CODEPAGE_H ) */ ================================================ FILE: pyevtx/pyevtx_datetime.c ================================================ /* * Date and time functions * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. 
* * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . */ #include #include #include #include "pyevtx_datetime.h" #include "pyevtx_python.h" #include

/* Creates a new datetime object from date and time elements
 *
 * year is the year to start counting from and number_of_days a day count
 * relative to it. The loops below carry whole centuries, years and months
 * out of number_of_days into year and month, what remains becomes the day
 * of the month. hours, minutes, seconds and micro_seconds are passed on
 * unchanged.
 *
 * NOTE(review): year is a uint16_t that is advanced without a range check
 * while number_of_days is 64-bit; this relies on the caller passing a
 * bounded day count - confirm at the call sites.
 *
 * Returns a Python object if successful or NULL on error
 */
PyObject *pyevtx_datetime_new_from_time_elements(
           uint16_t year,
           uint64_t number_of_days,
           uint8_t hours,
           uint8_t minutes,
           uint8_t seconds,
           uint32_t micro_seconds )
{
	PyObject *datetime_object = NULL;
	static char *function     = "pyevtx_datetime_new_from_time_elements";
	uint32_t days_in_century  = 0;
	uint16_t days_in_year     = 0;
	uint8_t day_of_month      = 0;
	uint8_t days_in_month     = 0;
	uint8_t month             = 0;

	/* Carry whole centuries into the year
	 * A century counts 36525 days if the year is divisible by 400 and 36524 days otherwise
	 */
	while( number_of_days > 0 )
	{
		if( ( year % 400 ) == 0 )
		{
			days_in_century = 36525;
		}
		else
		{
			days_in_century = 36524;
		}
		if( number_of_days <= days_in_century )
		{
			break;
		}
		number_of_days -= days_in_century;

		year += 100;
	}
	/* Carry whole years into the year
	 */
	while( number_of_days > 0 )
	{
		/* Check for a leap year
		 * The year is ( ( divisible by 4 ) and ( not divisible by 100 ) ) or ( divisible by 400 )
		 */
		if( ( ( ( year % 4 ) == 0 )
		  &&  ( ( year % 100 ) != 0 ) )
		 || ( ( year % 400 ) == 0 ) )
		{
			days_in_year = 366;
		}
		else
		{
			days_in_year = 365;
		}
		if( number_of_days <= days_in_year )
		{
			break;
		}
		number_of_days -= days_in_year;

		year += 1;
	}
	/* Determine the month and reduce the value to the days within the month
	 */
	month = 1;

	while( number_of_days > 0 )
	{
		/* February (2)
		 */
		if( month == 2 )
		{
			if( ( ( ( year % 4 ) == 0 )
			  &&  ( ( year % 100 ) != 0 ) )
			 || ( ( year % 400 ) == 0 ) )
			{
				days_in_month = 29;
			}
			else
			{
				days_in_month = 28;
			}
		}
		/* April (4), June (6), September (9), November (11)
		 */
		else if( ( month == 4 )
		      || ( month == 6 )
		      || ( month == 9 )
		      || ( month == 11 ) )
		{
			days_in_month = 30;
		}
		/* January (1), March (3), May (5), July (7), August (8), October (10), December (12)
		 */
		else if( ( month == 1 )
		      || ( month == 3 )
		      || ( month == 5 )
		      || ( month == 7 )
		      || ( month == 8 )
		      || ( month == 10 )
		      || ( month == 12 ) )
		{
			days_in_month = 31;
		}
		/* This should never happen, but just in case
		 */
		else
		{
			PyErr_Format(
			 PyExc_IOError,
			 "%s: unsupported month: %" PRIu8 ".",
			 function,
			 month );

			return( NULL );
		}
		if( number_of_days <= days_in_month )
		{
			break;
		}
		number_of_days -= days_in_month;

		month += 1;
	}
	/* Determine the day
	 * NOTE(review): a number_of_days of 0 skips all three loops and leaves
	 * day_of_month at 0 - presumably the day count is 1-based, confirm
	 */
	day_of_month = (uint8_t) number_of_days;

	/* NOTE(review): the outcome of PyDateTime_IMPORT is not checked before
	 * the datetime API is used below
	 */
	PyDateTime_IMPORT;

	datetime_object = (PyObject *) PyDateTime_FromDateAndTime(
	                                (int) year,
	                                (int) month,
	                                (int) day_of_month,
	                                (int) hours,
	                                (int) minutes,
	                                (int) seconds,
	                                (int) micro_seconds );

	return( datetime_object );
}

/* Creates a new datetime object from a FAT date time * Returns a Python object if successful or NULL on error */ PyObject *pyevtx_datetime_new_from_fat_date_time( uint32_t fat_date_time ) { PyObject *datetime_object = NULL; static char *function = "pyevtx_datetime_new_from_fat_date_time"; uint16_t year = 0; uint8_t day_of_month = 0; uint8_t days_in_month = 0; uint8_t hours = 0; uint8_t minutes = 0; uint8_t month = 0; uint8_t seconds = 0; /* The day of month is stored in the next 5 bits */ day_of_month = fat_date_time & 0x1f; fat_date_time >>= 5; /* The month is stored in the next 4 bits */ month = fat_date_time & 0x0f; fat_date_time >>= 4; /* The year is stored in the next 7 bits starting at 1980 */ year = 1980 + ( fat_date_time & 0x7f ); fat_date_time >>= 7; /* The number of seconds are stored in the lower 5 bits * in intervals of 2 seconds */ seconds = ( fat_date_time & 0x1f ) * 2; fat_date_time >>= 5; /* The number of minutes are stored in the next 6 bits */ minutes = fat_date_time & 0x3f; fat_date_time >>= 6; /* The number of hours are stored in the next 5 bits */ hours = fat_date_time & 0x1f; /* February (2) */ if( month == 2 ) { if( ( ( ( year % 4 ) == 0 ) && ( ( 
year % 100 ) != 0 ) ) || ( ( year % 400 ) == 0 ) ) { days_in_month = 29; } else { days_in_month = 28; } } /* April (4), June (6), September (9), November (11) */ else if( ( month == 4 ) || ( month == 6 ) || ( month == 9 ) || ( month == 11 ) ) { days_in_month = 30; } /* January (1), March (3), May (5), July (7), August (8), October (10), December (12) */ else if( ( month == 1 ) || ( month == 3 ) || ( month == 5 ) || ( month == 7 ) || ( month == 8 ) || ( month == 10 ) || ( month == 12 ) ) { days_in_month = 31; } else { PyErr_Format( PyExc_IOError, "%s: unsupported month: %" PRIu8 ".", function, month ); return( NULL ); } if( ( day_of_month == 0 ) || ( day_of_month > days_in_month ) ) { PyErr_Format( PyExc_IOError, "%s: unsupported day of month: %" PRIu8 ".", function, day_of_month ); return( NULL ); } PyDateTime_IMPORT; datetime_object = (PyObject *) PyDateTime_FromDateAndTime( (int) year, (int) month, (int) day_of_month, (int) hours, (int) minutes, (int) seconds, 0 ); return( datetime_object ); } /* Creates a new datetime object from a FILETIME * Returns a Python object if successful or NULL on error */ PyObject *pyevtx_datetime_new_from_filetime( uint64_t filetime ) { PyObject *datetime_object = NULL; uint32_t micro_seconds = 0; uint16_t year = 0; uint8_t hours = 0; uint8_t minutes = 0; uint8_t seconds = 0; /* The timestamp is in units of 100 nano seconds correct the value to seconds */ micro_seconds = (uint32_t) ( filetime % 10000000 ) / 10; filetime /= 10000000; /* There are 60 seconds in a minute correct the value to minutes */ seconds = (uint8_t) ( filetime % 60 ); filetime /= 60; /* There are 60 minutes in an hour correct the value to hours */ minutes = (uint8_t) ( filetime % 60 ); filetime /= 60; /* There are 24 hours in a day correct the value to days */ hours = (uint8_t) ( filetime % 24 ); filetime /= 24; /* Add 1 day to compensate that Jan 1 1601 is represented as 0 */ filetime += 1; /* Determine the number of years starting at '1 Jan 1601 00:00:00' * 
correct the value to days within the year */ year = 1601; if( filetime >= 36159 ) { year = 1700; filetime -= 36159; } datetime_object = pyevtx_datetime_new_from_time_elements( year, filetime, hours, minutes, seconds, micro_seconds ); return( datetime_object ); } /* Creates a new datetime object from a floatingtime * Returns a Python object if successful or NULL on error */ PyObject *pyevtx_datetime_new_from_floatingtime( uint64_t floatingtime ) { byte_stream_float64_t timestamp; PyObject *datetime_object = NULL; static char *function = "pyevtx_datetime_new_from_floatingtime"; uint32_t days_in_century = 0; uint32_t micro_seconds = 0; uint16_t days_in_year = 0; uint16_t year = 0; uint8_t day_of_month = 0; uint8_t days_in_month = 0; uint8_t hours = 0; uint8_t minutes = 0; uint8_t month = 0; uint8_t seconds = 0; timestamp.integer = floatingtime; /* Determine the number of years starting at '30 Dec 1899 00:00:00' * correct the value to days within the year */ year = 1899; if( timestamp.floating_point >= 2 ) { year = 1900; timestamp.floating_point -= 2; } while( timestamp.floating_point > 0 ) { if( ( year % 400 ) == 0 ) { days_in_century = 36525; } else { days_in_century = 36524; } if( timestamp.floating_point <= days_in_century ) { break; } timestamp.floating_point -= days_in_century; year += 100; } while( timestamp.floating_point > 0 ) { /* Check for a leap year * The year is ( ( dividable by 4 ) and ( not dividable by 100 ) ) or ( dividable by 400 ) */ if( ( ( ( year % 4 ) == 0 ) && ( ( year % 100 ) != 0 ) ) || ( ( year % 400 ) == 0 ) ) { days_in_year = 366; } else { days_in_year = 365; } if( timestamp.floating_point <= days_in_year ) { break; } timestamp.floating_point -= days_in_year; year += 1; } /* Determine the month correct the value to days within the month */ month = 1; while( timestamp.floating_point > 0 ) { /* February (2) */ if( month == 2 ) { if( ( ( ( year % 4 ) == 0 ) && ( ( year % 100 ) != 0 ) ) || ( ( year % 400 ) == 0 ) ) { days_in_month = 29; } else 
{ days_in_month = 28; } } /* April (4), June (6), September (9), November (11) */ else if( ( month == 4 ) || ( month == 6 ) || ( month == 9 ) || ( month == 11 ) ) { days_in_month = 30; } /* January (1), March (3), May (5), July (7), August (8), October (10), December (12) */ else if( ( month == 1 ) || ( month == 3 ) || ( month == 5 ) || ( month == 7 ) || ( month == 8 ) || ( month == 10 ) || ( month == 12 ) ) { days_in_month = 31; } /* This should never happen, but just in case */ else { PyErr_Format( PyExc_IOError, "%s: unsupported month: %" PRIu8 ".", function, month ); return( NULL ); } if( timestamp.floating_point <= days_in_month ) { break; } timestamp.floating_point -= days_in_month; month += 1; } /* Determine the day */ day_of_month = (uint8_t) timestamp.floating_point; timestamp.floating_point -= day_of_month; /* There are 24 hours in a day correct the value to hours */ timestamp.floating_point *= 24; hours = (uint8_t) timestamp.floating_point; timestamp.floating_point -= hours; /* There are 60 minutes in an hour correct the value to minutes */ timestamp.floating_point *= 60; minutes = (uint8_t) timestamp.floating_point; timestamp.floating_point -= minutes; /* There are 60 seconds in a minute correct the value to seconds */ timestamp.floating_point *= 60; seconds = (uint8_t) timestamp.floating_point; timestamp.floating_point -= seconds; /* There are 1000 micro seconds in a seconds correct the value to micro seconds */ timestamp.floating_point *= 1000000; micro_seconds = (uint8_t) timestamp.floating_point; timestamp.floating_point -= micro_seconds; PyDateTime_IMPORT; datetime_object = (PyObject *) PyDateTime_FromDateAndTime( (int) year, (int) month, (int) day_of_month, (int) hours, (int) minutes, (int) seconds, (int) micro_seconds ); return( datetime_object ); } /* Creates a new datetime object from a HFS time * Returns a Python object if successful or NULL on error */ PyObject *pyevtx_datetime_new_from_hfs_time( uint32_t hfs_time ) { PyObject 
*datetime_object = NULL; uint16_t year = 0; uint8_t hours = 0; uint8_t minutes = 0; uint8_t seconds = 0; /* There are 60 seconds in a minute correct the value to minutes */ seconds = (uint8_t) ( hfs_time % 60 ); hfs_time /= 60; /* There are 60 minutes in an hour correct the value to hours */ minutes = (uint8_t) ( hfs_time % 60 ); hfs_time /= 60; /* There are 24 hours in a day correct the value to days */ hours = (uint8_t) ( hfs_time % 24 ); hfs_time /= 24; /* Add 1 day to compensate that Jan 1 1904 is represented as 0 */ hfs_time += 1; /* Determine the number of years starting at '1 Jan 1904 00:00:00' * correct the value to days within the year */ year = 1904; if( hfs_time >= 35064 ) { year = 2000; hfs_time -= 35064; } datetime_object = pyevtx_datetime_new_from_time_elements( year, (uint64_t) hfs_time, hours, minutes, seconds, 0 ); return( datetime_object ); } /* Creates a new datetime object from a POSIX time * Returns a Python object if successful or NULL on error */ PyObject *pyevtx_datetime_new_from_posix_time( int64_t posix_time ) { PyObject *datetime_object = NULL; uint16_t year = 0; uint8_t hours = 0; uint8_t minutes = 0; uint8_t seconds = 0; /* There are 60 seconds in a minute correct the value to minutes */ seconds = posix_time % 60; posix_time /= 60; /* There are 60 minutes in an hour correct the value to hours */ minutes = posix_time % 60; posix_time /= 60; /* There are 24 hours in a day correct the value to days */ hours = posix_time % 24; posix_time /= 24; /* Add 1 day to compensate that Jan 1 1601 is represented as 0 */ posix_time += 1; /* Determine the number of years starting at '1 Jan 1970 00:00:00' * correct the value to days within the year */ year = 1970; if( posix_time >= 10957 ) { year = 2000; posix_time -= 10957; } datetime_object = pyevtx_datetime_new_from_time_elements( year, (uint64_t) posix_time, hours, minutes, seconds, 0 ); return( datetime_object ); } /* Creates a new datetime object from a POSIX time in micro seconds * Returns a 
Python object if successful or NULL on error */ PyObject *pyevtx_datetime_new_from_posix_time_in_micro_seconds( int64_t posix_time ) { PyObject *datetime_object = NULL; uint32_t micro_seconds = 0; uint16_t year = 0; uint8_t hours = 0; uint8_t minutes = 0; uint8_t seconds = 0; /* There are 1000000 micro seconds in a second correct the value to seconds */ micro_seconds = (uint32_t) ( posix_time % 1000000 ); posix_time /= 1000000; /* There are 60 seconds in a minute correct the value to minutes */ seconds = posix_time % 60; posix_time /= 60; /* There are 60 minutes in an hour correct the value to hours */ minutes = posix_time % 60; posix_time /= 60; /* There are 24 hours in a day correct the value to days */ hours = posix_time % 24; posix_time /= 24; /* Add 1 day to compensate that Jan 1 1970 is represented as 0 */ posix_time += 1; /* Determine the number of years starting at '1 Jan 1970 00:00:00' * correct the value to days within the year */ year = 1970; if( posix_time >= 10957 ) { year = 2000; posix_time -= 10957; } datetime_object = pyevtx_datetime_new_from_time_elements( year, (uint64_t) posix_time, hours, minutes, seconds, micro_seconds ); return( datetime_object ); } ================================================ FILE: pyevtx/pyevtx_datetime.h ================================================ /* * Date and time functions * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. 
* * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . */ #if !defined( _PYEVTX_DATETIME_H ) #define _PYEVTX_DATETIME_H #include #include #include "pyevtx_python.h" #if defined( __cplusplus ) extern "C" { #endif PyObject *pyevtx_datetime_new_from_time_elements( uint16_t year, uint64_t number_of_days, uint8_t hours, uint8_t minutes, uint8_t seconds, uint32_t micro_seconds ); PyObject *pyevtx_datetime_new_from_fat_date_time( uint32_t fat_date_time ); PyObject *pyevtx_datetime_new_from_filetime( uint64_t filetime ); PyObject *pyevtx_datetime_new_from_floatingtime( uint64_t floatingtime ); PyObject *pyevtx_datetime_new_from_hfs_time( uint32_t hfs_time ); PyObject *pyevtx_datetime_new_from_posix_time( int64_t posix_time ); PyObject *pyevtx_datetime_new_from_posix_time_in_micro_seconds( int64_t posix_time ); #if defined( __cplusplus ) } #endif #endif /* !defined( _PYEVTX_DATETIME_H ) */ ================================================ FILE: pyevtx/pyevtx_error.c ================================================ /* * Error functions * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
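*/ #include #include #include #include #if defined( HAVE_STDARG_H ) || defined( WINAPI ) #include #elif defined( HAVE_VARARGS_H ) #include #else #error Missing headers stdarg.h and varargs.h #endif #include "pyevtx_error.h" #include "pyevtx_libcerror.h" #include "pyevtx_python.h"

#if defined( HAVE_STDARG_H ) || defined( WINAPI )
#define VARARGS( function, error, error_domain, error_code, type, argument ) \
	function( error, error_domain, error_code, type argument, ... )
#define VASTART( argument_list, type, name ) \
	va_start( argument_list, name )
#define VAEND( argument_list ) \
	va_end( argument_list )

#elif defined( HAVE_VARARGS_H )
#define VARARGS( function, error, error_domain, error_code, type, argument ) \
	function( error, error_domain, error_code, va_alist ) va_dcl
#define VASTART( argument_list, type, name ) \
	{ type name; va_start( argument_list ); name = va_arg( argument_list, type )
#define VAEND( argument_list ) \
	va_end( argument_list ); }

#endif

/* Fetches an error
 * Moves the pending Python exception into a libcerror error, the formatted
 * message is followed by the representation of the exception value
 */
void VARARGS(
      pyevtx_error_fetch,
      libcerror_error_t **error,
      int error_domain,
      int error_code,
      const char *,
      format_string )
{
	va_list argument_list;

	char error_string[ PYEVTX_ERROR_STRING_SIZE ];

	PyObject *exception_traceback = NULL;
	PyObject *exception_type      = NULL;
	PyObject *exception_value     = NULL;
	PyObject *string_object       = NULL;
	static char *function         = "pyevtx_error_fetch";
	char *exception_string        = NULL;
	size_t error_string_length    = 0;
	int print_count               = 0;

#if PY_MAJOR_VERSION >= 3
	PyObject *utf8_string_object  = NULL;
#endif

	if( format_string == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: missing format string.",
		 function );

		return;
	}
	VASTART(
	 argument_list,
	 const char *,
	 format_string );

	print_count = PyOS_vsnprintf(
	               error_string,
	               PYEVTX_ERROR_STRING_SIZE,
	               format_string,
	               argument_list );

	VAEND(
	 argument_list );

	if( print_count < 0 )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: unable to format error string.",
		 function );

		return;
	}
	error_string_length = narrow_string_length(
	                       error_string );

	/* Remove a trailing dot, one is added again below */
	if( ( error_string_length >= 1 )
	 && ( error_string[ error_string_length - 1 ] == '.' ) )
	{
		error_string[ error_string_length - 1 ] = 0;
	}
	/* PyErr_Fetch hands over ownership of the three objects */
	PyErr_Fetch(
	 &exception_type,
	 &exception_value,
	 &exception_traceback );

	string_object = PyObject_Repr(
	                 exception_value );

	/* The representation can fail, do not pass NULL on to the conversion */
	if( string_object != NULL )
	{
#if PY_MAJOR_VERSION >= 3
		utf8_string_object = PyUnicode_AsUTF8String(
		                      string_object );

		if( utf8_string_object != NULL )
		{
			exception_string = PyBytes_AsString(
			                    utf8_string_object );
		}
#else
		exception_string = PyString_AsString(
		                    string_object );
#endif
	}
	/* The message and the exception text are passed as arguments and never
	 * as the format string, they can contain text taken from the input
	 */
	if( exception_string != NULL )
	{
		libcerror_error_set(
		 error,
		 error_domain,
		 error_code,
		 "%s with error: %s.",
		 error_string,
		 exception_string );
	}
	else
	{
		/* A failed conversion leaves its own exception pending */
		PyErr_Clear();

		libcerror_error_set(
		 error,
		 error_domain,
		 error_code,
		 "%s.",
		 error_string );
	}
	/* Py_DecRef accepts NULL */
#if PY_MAJOR_VERSION >= 3
	Py_DecRef(
	 utf8_string_object );
#endif
	Py_DecRef(
	 string_object );

	Py_DecRef(
	 exception_type );

	Py_DecRef(
	 exception_value );

	Py_DecRef(
	 exception_traceback );

	return;
}

#undef VARARGS
#undef VASTART
#undef VAEND

#if defined( HAVE_STDARG_H ) || defined( WINAPI )
#define VARARGS( function, exception_object, type, argument ) \
	function( exception_object, type argument, ... )
#define VASTART( argument_list, type, name ) \
	va_start( argument_list, name )
#define VAEND( argument_list ) \
	va_end( argument_list )

#elif defined( HAVE_VARARGS_H )
#define VARARGS( function, exception_object, type, argument ) \
	function( exception_object, va_alist ) va_dcl
#define VASTART( argument_list, type, name ) \
	{ type name; va_start( argument_list ); name = va_arg( argument_list, type )
#define VAEND( argument_list ) \
	va_end( argument_list ); }

#endif

/* Fetches and raises an error
 * Replaces the pending Python exception by one of the requested type, the
 * formatted message is followed by the representation of the original value
 */
void VARARGS(
      pyevtx_error_fetch_and_raise,
      PyObject *exception_object,
      const char *,
      format_string )
{
	va_list argument_list;

	char error_string[ PYEVTX_ERROR_STRING_SIZE ];

	PyObject *exception_traceback = NULL;
	PyObject *exception_type      = NULL;
	PyObject *exception_value     = NULL;
	PyObject *string_object       = NULL;
	static char *function         = "pyevtx_error_fetch_and_raise";
	char *exception_string        = NULL;
	size_t error_string_length    = 0;
	int print_count               = 0;

#if PY_MAJOR_VERSION >= 3
	PyObject *utf8_string_object  = NULL;
#endif

	if( format_string == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: missing format string.",
		 function );

		return;
	}
	VASTART(
	 argument_list,
	 const char *,
	 format_string );

	print_count = PyOS_vsnprintf(
	               error_string,
	               PYEVTX_ERROR_STRING_SIZE,
	               format_string,
	               argument_list );

	VAEND(
	 argument_list );

	if( print_count < 0 )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: unable to format exception string.",
		 function );

		return;
	}
	error_string_length = narrow_string_length(
	                       error_string );

	/* Remove a trailing dot, one is added again below */
	if( ( error_string_length >= 1 )
	 && ( error_string[ error_string_length - 1 ] == '.' ) )
	{
		error_string[ error_string_length - 1 ] = 0;
	}
	/* PyErr_Fetch hands over ownership of the three objects */
	PyErr_Fetch(
	 &exception_type,
	 &exception_value,
	 &exception_traceback );

	string_object = PyObject_Repr(
	                 exception_value );

	/* The representation can fail, do not pass NULL on to the conversion */
	if( string_object != NULL )
	{
#if PY_MAJOR_VERSION >= 3
		utf8_string_object = PyUnicode_AsUTF8String(
		                      string_object );

		if( utf8_string_object != NULL )
		{
			exception_string = PyBytes_AsString(
			                    utf8_string_object );
		}
#else
		exception_string = PyString_AsString(
		                    string_object );
#endif
	}
	/* PyErr_Format replaces any exception a failed conversion left behind */
	if( exception_string != NULL )
	{
		PyErr_Format(
		 exception_object,
		 "%s with error: %s.",
		 error_string,
		 exception_string );
	}
	else
	{
		PyErr_Format(
		 exception_object,
		 "%s.",
		 error_string );
	}
	/* Release the UTF-8 copy as pyevtx_error_fetch does, Py_DecRef accepts NULL */
#if PY_MAJOR_VERSION >= 3
	Py_DecRef(
	 utf8_string_object );
#endif
	Py_DecRef(
	 string_object );

	Py_DecRef(
	 exception_type );

	Py_DecRef(
	 exception_value );

	Py_DecRef(
	 exception_traceback );

	return;
}

#undef VARARGS
#undef VASTART
#undef VAEND

#if defined( HAVE_STDARG_H ) || defined( WINAPI )
#define VARARGS( function, error, exception_object, type, argument ) \
	function( error, exception_object, type argument, ... )
#define VASTART( argument_list, type, name ) \
	va_start( argument_list, name )
#define VAEND( argument_list ) \
	va_end( argument_list )

#elif defined( HAVE_VARARGS_H )
#define VARARGS( function, error, exception_object, type, argument ) \
	function( error, exception_object, va_alist ) va_dcl
#define VASTART( argument_list, type, name ) \
	{ type name; va_start( argument_list ); name = va_arg( argument_list, type )
#define VAEND( argument_list ) \
	va_end( argument_list ); }

#endif

/* Raises an error
 * Sets a Python exception of the requested type, the formatted message is
 * followed by the backtrace of the libcerror error when one is passed
 */
void VARARGS(
      pyevtx_error_raise,
      libcerror_error_t *error,
      PyObject *exception_object,
      const char *,
      format_string )
{
	va_list argument_list;

	char error_string[ PYEVTX_ERROR_STRING_SIZE ];
	char exception_string[ PYEVTX_ERROR_STRING_SIZE ];

	static char *function     = "pyevtx_error_raise";
	size_t error_string_index = 0;
	int print_count           = 0;

	if( format_string == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: missing format string.",
		 function );

		return;
	}
	VASTART(
	 argument_list,
	 const char *,
	 format_string );

	print_count = PyOS_vsnprintf(
	               exception_string,
	               PYEVTX_ERROR_STRING_SIZE,
	               format_string,
	               argument_list );

	VAEND(
	 argument_list );

	if( print_count < 0 )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: unable to format exception string.",
		 function );

		return;
	}
	if( ( error != NULL )
	 && ( libcerror_error_backtrace_sprint(
	       error,
	       error_string,
	       PYEVTX_ERROR_STRING_SIZE ) != -1 ) )
	{
		/* Put the backtrace on a single line, stop at the end of the string
		 * or at the end of the buffer
		 */
		for( error_string_index = 0;
		     error_string_index < PYEVTX_ERROR_STRING_SIZE;
		     error_string_index++ )
		{
			if( error_string[ error_string_index ] == 0 )
			{
				break;
			}
			if( ( error_string[ error_string_index ] == '\n' )
			 || ( error_string[ error_string_index ] == '\r' ) )
			{
				error_string[ error_string_index ] = ' ';
			}
		}
		/* No terminator was found, make sure the string ends inside the buffer */
		if( error_string_index >= PYEVTX_ERROR_STRING_SIZE )
		{
			error_string[ PYEVTX_ERROR_STRING_SIZE - 1 ] = 0;
		}
		/* Both strings are passed as arguments and never as the format string */
		PyErr_Format(
		 exception_object,
		 "%s %s",
		 exception_string,
		 error_string );

		return;
	}
	PyErr_Format(
	 exception_object,
	 "%s",
	 exception_string );

	return;
}

#undef VARARGS
#undef VASTART
#undef VAEND

================================================ FILE: pyevtx/pyevtx_error.h ================================================ /* * Error functions * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details.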
*/ #if !defined( _PYEVTX_ERROR_H ) #define _PYEVTX_ERROR_H #include #include #include "pyevtx_libcerror.h" #include "pyevtx_python.h" #define PYEVTX_ERROR_STRING_SIZE 2048 #if defined( __cplusplus ) extern "C" { #endif void pyevtx_error_fetch( libcerror_error_t **error, int error_domain, int error_code, const char *format_string, ... ); void pyevtx_error_fetch_and_raise( PyObject *exception_object, const char *format_string, ... ); void pyevtx_error_raise( libcerror_error_t *error, PyObject *exception_object, const char *format_string, ... ); #if defined( __cplusplus ) } #endif #endif /* !defined( _PYEVTX_ERROR_H ) */ ================================================ FILE: pyevtx/pyevtx_event_levels.c ================================================ /* * Python object definition of the libevtx event levels * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
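*/ #include #include #if defined( HAVE_STDLIB_H ) || defined( HAVE_WINAPI ) #include #endif #include "pyevtx_event_levels.h" #include "pyevtx_libevtx.h" #include "pyevtx_python.h" #include "pyevtx_unused.h"

PyTypeObject pyevtx_event_levels_type_object = {
	PyVarObject_HEAD_INIT( NULL, 0 )

	/* tp_name */           "pyevtx.event_levels",
	/* tp_basicsize */      sizeof( pyevtx_event_levels_t ),
	/* tp_itemsize */       0,
	/* tp_dealloc */        (destructor) pyevtx_event_levels_free,
	/* tp_print */          0,
	/* tp_getattr */        0,
	/* tp_setattr */        0,
	/* tp_compare */        0,
	/* tp_repr */           0,
	/* tp_as_number */      0,
	/* tp_as_sequence */    0,
	/* tp_as_mapping */     0,
	/* tp_hash */           0,
	/* tp_call */           0,
	/* tp_str */            0,
	/* tp_getattro */       0,
	/* tp_setattro */       0,
	/* tp_as_buffer */      0,
	/* tp_flags */          Py_TPFLAGS_DEFAULT,
	/* tp_doc */            "pyevtx event levels object (wraps LIBEVTX_EVENT_LEVELS)",
	/* tp_traverse */       0,
	/* tp_clear */          0,
	/* tp_richcompare */    0,
	/* tp_weaklistoffset */ 0,
	/* tp_iter */           0,
	/* tp_iternext */       0,
	/* tp_methods */        0,
	/* tp_members */        0,
	/* tp_getset */         0,
	/* tp_base */           0,
	/* tp_dict */           0,
	/* tp_descr_get */      0,
	/* tp_descr_set */      0,
	/* tp_dictoffset */     0,
	/* tp_init */           (initproc) pyevtx_event_levels_init,
	/* tp_alloc */          0,
	/* tp_new */            0,
	/* tp_free */           0,
	/* tp_is_gc */          0,
	/* tp_bases */          NULL,
	/* tp_mro */            NULL,
	/* tp_cache */          NULL,
	/* tp_subclasses */     NULL,
	/* tp_weaklist */       NULL,
	/* tp_del */            0
};

/* Stores an integer value in a dictionary under the name passed in
 * Returns 1 if successful or -1 on error
 */
static int pyevtx_event_levels_set_value(
            PyObject *dictionary,
            const char *name,
            long value )
{
	PyObject *value_object = NULL;
	int result             = 0;

#if PY_MAJOR_VERSION >= 3
	value_object = PyLong_FromLong(
	                value );
#else
	value_object = PyInt_FromLong(
	                value );
#endif
	if( value_object == NULL )
	{
		return( -1 );
	}
	result = PyDict_SetItemString(
	          dictionary,
	          name,
	          value_object );

	/* The dictionary holds its own reference, release the one created here */
	Py_DecRef(
	 value_object );

	if( result != 0 )
	{
		return( -1 );
	}
	return( 1 );
}

/* Initializes the type object
 * Creates the type dictionary and adds the event level values to it
 * Returns 1 if successful or -1 on error
 */
int pyevtx_event_levels_init_type(
     PyTypeObject *type_object )
{
	if( type_object == NULL )
	{
		return( -1 );
	}
	type_object->tp_dict = PyDict_New();

	if( type_object->tp_dict == NULL )
	{
		return( -1 );
	}
	if( ( pyevtx_event_levels_set_value(
	       type_object->tp_dict,
	       "CRITICAL",
	       LIBEVTX_EVENT_LEVEL_CRITICAL ) != 1 )
	 || ( pyevtx_event_levels_set_value(
	       type_object->tp_dict,
	       "ERROR",
	       LIBEVTX_EVENT_LEVEL_ERROR ) != 1 )
	 || ( pyevtx_event_levels_set_value(
	       type_object->tp_dict,
	       "WARNING",
	       LIBEVTX_EVENT_LEVEL_WARNING ) != 1 )
	 || ( pyevtx_event_levels_set_value(
	       type_object->tp_dict,
	       "INFORMATION",
	       LIBEVTX_EVENT_LEVEL_INFORMATION ) != 1 )
	 || ( pyevtx_event_levels_set_value(
	       type_object->tp_dict,
	       "VERBOSE",
	       LIBEVTX_EVENT_LEVEL_VERBOSE ) != 1 ) )
	{
		goto on_error;
	}
	return( 1 );

on_error:
	if( type_object->tp_dict != NULL )
	{
		Py_DecRef(
		 type_object->tp_dict );

		type_object->tp_dict = NULL;
	}
	return( -1 );
}

/* Creates a new event levels object
 * Returns a Python object if successful or NULL on error
 */
PyObject *pyevtx_event_levels_new(
           void )
{
	pyevtx_event_levels_t *definitions_object = NULL;
	static char *function                     = "pyevtx_event_levels_new";

	definitions_object = PyObject_New(
	                      struct pyevtx_event_levels,
	                      &pyevtx_event_levels_type_object );

	if( definitions_object == NULL )
	{
		PyErr_Format(
		 PyExc_MemoryError,
		 "%s: unable to create definitions object.",
		 function );

		goto on_error;
	}
	if( pyevtx_event_levels_init(
	     definitions_object ) != 0 )
	{
		PyErr_Format(
		 PyExc_MemoryError,
		 "%s: unable to initialize definitions object.",
		 function );

		goto on_error;
	}
	return( (PyObject *) definitions_object );

on_error:
	if( definitions_object != NULL )
	{
		Py_DecRef(
		 (PyObject *) definitions_object );
	}
	return( NULL );
}

/* Initializes an event levels object
 * The object has no members of its own, only the argument is checked
 * Returns 0 if successful or -1 on error
 */
int pyevtx_event_levels_init(
     pyevtx_event_levels_t *definitions_object )
{
	static char *function = "pyevtx_event_levels_init";

	if( definitions_object == NULL )
	{
		PyErr_Format(
		 PyExc_TypeError,
		 "%s: invalid definitions object.",
		 function );

		return( -1 );
	}
	return( 0 );
}

/* Frees an event levels object
 * Hands the object to the tp_free function of its type
 */
void pyevtx_event_levels_free(
      pyevtx_event_levels_t *definitions_object )
{
	struct _typeobject *ob_type = NULL;
	static char *function       = "pyevtx_event_levels_free";

	if( definitions_object == NULL )
	{
		PyErr_Format(
		 PyExc_TypeError,
		 "%s: invalid definitions object.",
		 function );

		return;
	}
	ob_type = Py_TYPE(
	           definitions_object );

	if( ob_type == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: missing ob_type.",
		 function );

		return;
	}
	if( ob_type->tp_free == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid ob_type - missing tp_free.",
		 function );

		return;
	}
	ob_type->tp_free(
	 (PyObject*) definitions_object );
}

================================================ FILE: pyevtx/pyevtx_event_levels.h ================================================ /* * Python object definition of the libevtx event levels * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details.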
*/ #if !defined( _PYEVTX_EVENT_LEVELS_H ) #define _PYEVTX_EVENT_LEVELS_H #include #include #include "pyevtx_libevtx.h" #include "pyevtx_python.h" #if defined( __cplusplus ) extern "C" { #endif typedef struct pyevtx_event_levels pyevtx_event_levels_t; struct pyevtx_event_levels { /* Python object initialization */ PyObject_HEAD }; extern PyTypeObject pyevtx_event_levels_type_object; int pyevtx_event_levels_init_type( PyTypeObject *type_object ); PyObject *pyevtx_event_levels_new( void ); int pyevtx_event_levels_init( pyevtx_event_levels_t *definitions_object ); void pyevtx_event_levels_free( pyevtx_event_levels_t *definitions_object ); #if defined( __cplusplus ) } #endif #endif /* !defined( _PYEVTX_EVENT_LEVELS_H ) */ ================================================ FILE: pyevtx/pyevtx_file.c ================================================ /* * Python object wrapper of libevtx_file_t * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #include #include #include #if defined( HAVE_STDLIB_H ) || defined( HAVE_WINAPI ) #include #endif #include "pyevtx_codepage.h" #include "pyevtx_error.h" #include "pyevtx_file.h" #include "pyevtx_file_object_io_handle.h" #include "pyevtx_libbfio.h" #include "pyevtx_libcerror.h" #include "pyevtx_libclocale.h" #include "pyevtx_libevtx.h" #include "pyevtx_python.h" #include "pyevtx_record.h" #include "pyevtx_records.h" #include "pyevtx_unused.h" #if !defined( LIBEVTX_HAVE_BFIO ) LIBEVTX_EXTERN \ int libevtx_file_open_file_io_handle( libevtx_file_t *file, libbfio_handle_t *file_io_handle, int access_flags, libevtx_error_t **error ); #endif /* !defined( LIBEVTX_HAVE_BFIO ) */ PyMethodDef pyevtx_file_object_methods[] = { { "signal_abort", (PyCFunction) pyevtx_file_signal_abort, METH_NOARGS, "signal_abort() -> None\n" "\n" "Signals the file to abort the current activity." }, { "open", (PyCFunction) pyevtx_file_open, METH_VARARGS | METH_KEYWORDS, "open(filename, mode='r') -> None\n" "\n" "Opens a file." }, { "open_file_object", (PyCFunction) pyevtx_file_open_file_object, METH_VARARGS | METH_KEYWORDS, "open_file_object(file_object, mode='r') -> None\n" "\n" "Opens a file using a file-like object." }, { "close", (PyCFunction) pyevtx_file_close, METH_NOARGS, "close() -> None\n" "\n" "Closes a file." }, { "is_corrupted", (PyCFunction) pyevtx_file_is_corrupted, METH_NOARGS, "is_corrupted() -> Boolean\n" "\n" "Determines if the file is corrupted." }, { "get_ascii_codepage", (PyCFunction) pyevtx_file_get_ascii_codepage, METH_NOARGS, "get_ascii_codepage() -> String\n" "\n" "Retrieves the codepage for ASCII strings used in the file." }, { "set_ascii_codepage", (PyCFunction) pyevtx_file_set_ascii_codepage, METH_VARARGS | METH_KEYWORDS, "set_ascii_codepage(codepage) -> None\n" "\n" "Sets the codepage for ASCII strings used in the file.\n" "Expects the codepage to be a string containing a Python codec definition." 
}, { "get_format_version", (PyCFunction) pyevtx_file_get_format_version, METH_NOARGS, "get_format_version() -> Unicode string\n" "\n" "Retrieves the format version." }, { "get_number_of_records", (PyCFunction) pyevtx_file_get_number_of_records, METH_NOARGS, "get_number_of_records() -> Integer\n" "\n" "Retrieves the number of records." }, { "get_record", (PyCFunction) pyevtx_file_get_record, METH_VARARGS | METH_KEYWORDS, "get_record(record_index) -> Object\n" "\n" "Retrieves the record specified by the index." }, { "get_number_of_recovered_records", (PyCFunction) pyevtx_file_get_number_of_recovered_records, METH_NOARGS, "get_number_of_recovered_records() -> Integer\n" "\n" "Retrieves the number of recovered records." }, { "get_recovered_record", (PyCFunction) pyevtx_file_get_recovered_record, METH_VARARGS | METH_KEYWORDS, "get_recovered_record(record_index) -> Object\n" "\n" "Retrieves the recovered record specified by the index." }, /* Sentinel */ { NULL, NULL, 0, NULL } }; PyGetSetDef pyevtx_file_object_get_set_definitions[] = { { "ascii_codepage", (getter) pyevtx_file_get_ascii_codepage, (setter) pyevtx_file_set_ascii_codepage_setter, "The codepage used for ASCII strings in the file.", NULL }, { "format_version", (getter) pyevtx_file_get_format_version, (setter) 0, "The format version.", NULL }, { "number_of_records", (getter) pyevtx_file_get_number_of_records, (setter) 0, "The number of records.", NULL }, { "records", (getter) pyevtx_file_get_records, (setter) 0, "The records.", NULL }, { "number_of_recovered_records", (getter) pyevtx_file_get_number_of_recovered_records, (setter) 0, "The number of recovered records.", NULL }, { "recovered_records", (getter) pyevtx_file_get_recovered_records, (setter) 0, "The recovered records.", NULL }, /* Sentinel */ { NULL, NULL, NULL, NULL, NULL } }; PyTypeObject pyevtx_file_type_object = { PyVarObject_HEAD_INIT( NULL, 0 ) /* tp_name */ "pyevtx.file", /* tp_basicsize */ sizeof( pyevtx_file_t ), /* tp_itemsize */ 0, /* 
tp_dealloc */ (destructor) pyevtx_file_free, /* tp_print */ 0, /* tp_getattr */ 0, /* tp_setattr */ 0, /* tp_compare */ 0, /* tp_repr */ 0, /* tp_as_number */ 0, /* tp_as_sequence */ 0, /* tp_as_mapping */ 0, /* tp_hash */ 0, /* tp_call */ 0, /* tp_str */ 0, /* tp_getattro */ 0, /* tp_setattro */ 0, /* tp_as_buffer */ 0, /* tp_flags */ Py_TPFLAGS_DEFAULT, /* tp_doc */ "pyevtx file object (wraps libevtx_file_t)", /* tp_traverse */ 0, /* tp_clear */ 0, /* tp_richcompare */ 0, /* tp_weaklistoffset */ 0, /* tp_iter */ 0, /* tp_iternext */ 0, /* tp_methods */ pyevtx_file_object_methods, /* tp_members */ 0, /* tp_getset */ pyevtx_file_object_get_set_definitions, /* tp_base */ 0, /* tp_dict */ 0, /* tp_descr_get */ 0, /* tp_descr_set */ 0, /* tp_dictoffset */ 0, /* tp_init */ (initproc) pyevtx_file_init, /* tp_alloc */ 0, /* tp_new */ 0, /* tp_free */ 0, /* tp_is_gc */ 0, /* tp_bases */ NULL, /* tp_mro */ NULL, /* tp_cache */ NULL, /* tp_subclasses */ NULL, /* tp_weaklist */ NULL, /* tp_del */ 0 }; /* Initializes a file object * Returns 0 if successful or -1 on error */ int pyevtx_file_init( pyevtx_file_t *pyevtx_file ) { libcerror_error_t *error = NULL; static char *function = "pyevtx_file_init"; if( pyevtx_file == NULL ) { PyErr_Format( PyExc_ValueError, "%s: invalid file.", function ); return( -1 ); } /* Make sure libevtx file is set to NULL */ pyevtx_file->file = NULL; pyevtx_file->file_io_handle = NULL; if( libevtx_file_initialize( &( pyevtx_file->file ), &error ) != 1 ) { pyevtx_error_raise( error, PyExc_MemoryError, "%s: unable to initialize file.", function ); libcerror_error_free( &error ); return( -1 ); } return( 0 ); } /* Frees a file object */ void pyevtx_file_free( pyevtx_file_t *pyevtx_file ) { struct _typeobject *ob_type = NULL; libcerror_error_t *error = NULL; static char *function = "pyevtx_file_free"; int result = 0; if( pyevtx_file == NULL ) { PyErr_Format( PyExc_ValueError, "%s: invalid file.", function ); return; } ob_type = Py_TYPE( pyevtx_file ); 
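/* The object memory is released through ob_type->tp_free at the end of this
 * function, so the type and its tp_free slot are checked before any teardown.
 */
	if( ob_type == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: missing ob_type.",
		 function );

		return;
	}
	if( ob_type->tp_free == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid ob_type - missing tp_free.",
		 function );

		return;
	}
	/* A file IO handle is only set by open_file_object; close the file first
	 * so that handle is released before the libevtx file itself is freed.
	 * NOTE(review): when the close fails this returns without calling tp_free,
	 * so the Python object itself is not released - confirm this is intended.
	 */
	if( pyevtx_file->file_io_handle != NULL )
	{
		if( pyevtx_file_close(
		     pyevtx_file,
		     NULL ) == NULL )
		{
			return;
		}
	}
	if( pyevtx_file->file != NULL )
	{
		Py_BEGIN_ALLOW_THREADS

		result = libevtx_file_free(
		          &( pyevtx_file->file ),
		          &error );

		Py_END_ALLOW_THREADS

		if( result != 1 )
		{
			pyevtx_error_raise(
			 error,
			 PyExc_MemoryError,
			 "%s: unable to free libevtx file.",
			 function );

			libcerror_error_free(
			 &error );
		}
	}
	ob_type->tp_free(
	 (PyObject*) pyevtx_file );
}

/* Signals the file to abort the current activity
 * The arguments parameter is unused (METH_NOARGS)
 * Returns a Python object (None) if successful or NULL on error
 */
PyObject *pyevtx_file_signal_abort(
           pyevtx_file_t *pyevtx_file,
           PyObject *arguments PYEVTX_ATTRIBUTE_UNUSED )
{
	libcerror_error_t *error = NULL;
	static char *function    = "pyevtx_file_signal_abort";
	int result               = 0;

	PYEVTX_UNREFERENCED_PARAMETER( arguments )

	if( pyevtx_file == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid file.",
		 function );

		return( NULL );
	}
	/* The GIL is released around the library call */
	Py_BEGIN_ALLOW_THREADS

	result = libevtx_file_signal_abort(
	          pyevtx_file->file,
	          &error );

	Py_END_ALLOW_THREADS

	if( result != 1 )
	{
		pyevtx_error_raise(
		 error,
		 PyExc_IOError,
		 "%s: unable to signal abort.",
		 function );

		libcerror_error_free(
		 &error );

		return( NULL );
	}
	Py_IncRef(
	 Py_None );

	return( Py_None );
}

/* Opens a file
 * The filename is accepted as a Unicode or a byte string object, the optional
 * mode must start with 'r' since the file is always opened with LIBEVTX_OPEN_READ
 * Returns a Python object (None) if successful or NULL on error
 */
PyObject *pyevtx_file_open(
           pyevtx_file_t *pyevtx_file,
           PyObject *arguments,
           PyObject *keywords )
{
	PyObject *string_object      = NULL;
	libcerror_error_t *error     = NULL;
	const char *filename_narrow  = NULL;
	static char *function        = "pyevtx_file_open";
	static char *keyword_list[]  = { "filename", "mode", NULL };
	char *mode                   = NULL;
	int result                   = 0;

#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
	const wchar_t *filename_wide = NULL;
#else
	PyObject *utf8_string_object = NULL;
#endif

	if( pyevtx_file == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid file.",
		 function );

		return( NULL );
	}
	/* Note that PyArg_ParseTupleAndKeywords with "s" will force Unicode strings to be converted to a narrow character string.
	 * On Windows the narrow character string contains an extended ASCII string with a codepage. Hence we get a conversion
	 * exception. This will also fail if the default encoding is not set correctly. We cannot use "u" here either since that
	 * does not allow us to pass non Unicode string objects and Python (at least 2.7) does not seem to automatically upcast them.
	 */
	if( PyArg_ParseTupleAndKeywords(
	     arguments,
	     keywords,
	     "O|s",
	     keyword_list,
	     &string_object,
	     &mode ) == 0 )
	{
		return( NULL );
	}
	/* Only the first character of the mode is inspected */
	if( ( mode != NULL )
	 && ( mode[ 0 ] != 'r' ) )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: unsupported mode: %s.",
		 function,
		 mode );

		return( NULL );
	}
	PyErr_Clear();

	result = PyObject_IsInstance(
	          string_object,
	          (PyObject *) &PyUnicode_Type );

	if( result == -1 )
	{
		pyevtx_error_fetch_and_raise(
		 PyExc_RuntimeError,
		 "%s: unable to determine if string object is of type Unicode.",
		 function );

		return( NULL );
	}
	else if( result != 0 )
	{
		PyErr_Clear();

#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
#if PY_MAJOR_VERSION >= 3 && PY_MINOR_VERSION >= 3
		filename_wide = (wchar_t *) PyUnicode_AsWideCharString(
		                             string_object,
		                             NULL );
#else
		filename_wide = (wchar_t *) PyUnicode_AsUnicode(
		                             string_object );
#endif
		/* The conversion can fail, for example on allocation failure or,
		 * in newer Python versions, on a string with an embedded NUL character.
		 * Do not hand a NULL file name to the library in that case.
		 */
		if( filename_wide == NULL )
		{
			pyevtx_error_fetch_and_raise(
			 PyExc_RuntimeError,
			 "%s: unable to convert Unicode string to wide character string.",
			 function );

			return( NULL );
		}
		Py_BEGIN_ALLOW_THREADS

		result = libevtx_file_open_wide(
		          pyevtx_file->file,
		          filename_wide,
		          LIBEVTX_OPEN_READ,
		          &error );

		Py_END_ALLOW_THREADS

#if PY_MAJOR_VERSION >= 3 && PY_MINOR_VERSION >= 3
		/* PyUnicode_AsWideCharString returns a buffer owned by the caller */
		PyMem_Free(
		 filename_wide );
#endif
#else
		utf8_string_object = PyUnicode_AsUTF8String(
		                      string_object );

		if( utf8_string_object == NULL )
		{
			pyevtx_error_fetch_and_raise(
			 PyExc_RuntimeError,
			 "%s: unable to convert Unicode string to UTF-8.",
			 function );

			return( NULL );
		}
#if PY_MAJOR_VERSION >= 3
		filename_narrow = PyBytes_AsString(
		                   utf8_string_object );
#else
		filename_narrow = PyString_AsString(
		                   utf8_string_object );
#endif
		/* On failure the Python exception has been set by the call above */
		if( filename_narrow == NULL )
		{
			Py_DecRef(
			 utf8_string_object );

			return( NULL );
		}
		/* NOTE(review): the narrow file name is passed as a C string, so the
		 * library sees it only up to the first NUL byte - confirm whether
		 * file names with embedded NUL bytes should be rejected here.
		 */
		Py_BEGIN_ALLOW_THREADS

		result = libevtx_file_open(
		          pyevtx_file->file,
		          filename_narrow,
		          LIBEVTX_OPEN_READ,
		          &error );

		Py_END_ALLOW_THREADS

		/* filename_narrow points into utf8_string_object, release it only now */
		Py_DecRef(
		 utf8_string_object );
#endif
		if( result != 1 )
		{
			pyevtx_error_raise(
			 error,
			 PyExc_IOError,
			 "%s: unable to open file.",
			 function );

			libcerror_error_free(
			 &error );

			return( NULL );
		}
		Py_IncRef(
		 Py_None );

		return( Py_None );
	}
	PyErr_Clear();

#if PY_MAJOR_VERSION >= 3
	result = PyObject_IsInstance(
	          string_object,
	          (PyObject *) &PyBytes_Type );
#else
	result = PyObject_IsInstance(
	          string_object,
	          (PyObject *) &PyString_Type );
#endif
	if( result == -1 )
	{
		pyevtx_error_fetch_and_raise(
		 PyExc_RuntimeError,
		 "%s: unable to determine if string object is of type string.",
		 function );

		return( NULL );
	}
	else if( result != 0 )
	{
		PyErr_Clear();

#if PY_MAJOR_VERSION >= 3
		filename_narrow = PyBytes_AsString(
		                   string_object );
#else
		filename_narrow = PyString_AsString(
		                   string_object );
#endif
		/* On failure the Python exception has been set by the call above */
		if( filename_narrow == NULL )
		{
			return( NULL );
		}
		Py_BEGIN_ALLOW_THREADS

		result = libevtx_file_open(
		          pyevtx_file->file,
		          filename_narrow,
		          LIBEVTX_OPEN_READ,
		          &error );

		Py_END_ALLOW_THREADS

		if( result != 1 )
		{
			pyevtx_error_raise(
			 error,
			 PyExc_IOError,
			 "%s: unable to open file.",
			 function );

			libcerror_error_free(
			 &error );

			return( NULL );
		}
		Py_IncRef(
		 Py_None );

		return( Py_None );
	}
	PyErr_Format(
	 PyExc_TypeError,
	 "%s: unsupported string object type.",
	 function );

	return( NULL );
}

/* Opens a file using a file-like object
 * The file-like object must provide read and seek attributes, the optional
 * mode must start with 'r' since the file is always opened with LIBEVTX_OPEN_READ
 * Returns a Python object (None) if successful or NULL on error
 */
PyObject *pyevtx_file_open_file_object(
           pyevtx_file_t *pyevtx_file,
           PyObject *arguments,
           PyObject *keywords )
{
	PyObject *file_object       = NULL;
	libcerror_error_t *error    = NULL;
	static char *function       = "pyevtx_file_open_file_object";
	static char *keyword_list[] = { "file_object", "mode", NULL };
	char *mode                  = NULL;
	int result                  = 0;

	if( pyevtx_file == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid file.",
		 function );

		return( NULL );
	}
	if( PyArg_ParseTupleAndKeywords(
	     arguments,
	     keywords,
	     "O|s",
	     keyword_list,
	     &file_object,
	     &mode ) == 0 )
	{
		return( NULL );
	}
	/* Only the first character of the mode is inspected */
	if( ( mode != NULL )
	 && ( mode[ 0 ] != 'r' ) )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: unsupported mode: %s.",
		 function,
		 mode );

		return( NULL );
	}
	PyErr_Clear();

	result = PyObject_HasAttrString(
	          file_object,
	          "read" );

	if( result != 1 )
	{
		PyErr_Format(
		 PyExc_TypeError,
		 "%s: unsupported file object - missing read attribute.",
		 function );

		return( NULL );
	}
	PyErr_Clear();

	result = PyObject_HasAttrString(
	          file_object,
	          "seek" );

	if( result != 1 )
	{
		PyErr_Format(
		 PyExc_TypeError,
		 "%s: unsupported file object - missing seek attribute.",
		 function );

		return( NULL );
	}
	if( pyevtx_file->file_io_handle != NULL )
	{
		pyevtx_error_raise(
		 error,
		 PyExc_IOError,
		 "%s: invalid file - file IO handle already set.",
		 function );

		/* Return directly instead of going through on_error: the handle that
		 * is already set was passed to libevtx_file_open_file_io_handle by an
		 * earlier call, and freeing it here would leave the open file
		 * referring to a released handle.
		 */
		return( NULL );
	}
	if( pyevtx_file_object_initialize(
	     &( pyevtx_file->file_io_handle ),
	     file_object,
	     &error ) != 1 )
	{
		pyevtx_error_raise(
		 error,
		 PyExc_MemoryError,
		 "%s: unable to initialize file IO handle.",
		 function );

		libcerror_error_free(
		 &error );

		goto on_error;
	}
	Py_BEGIN_ALLOW_THREADS

	result = libevtx_file_open_file_io_handle(
	          pyevtx_file->file,
	          pyevtx_file->file_io_handle,
	          LIBEVTX_OPEN_READ,
	          &error );

	Py_END_ALLOW_THREADS

	if( result != 1 )
	{
		pyevtx_error_raise(
		 error,
		 PyExc_IOError,
		 "%s: unable to open file.",
		 function );

		libcerror_error_free(
		 &error );

		goto on_error;
	}
	Py_IncRef(
	 Py_None );

	return( Py_None );

on_error:
	/* Only reached for a handle that was created by this call */
	if( pyevtx_file->file_io_handle != NULL )
	{
		libbfio_handle_free(
		 &( pyevtx_file->file_io_handle ),
		 NULL );
	}
	return( NULL );
}

/* Closes a file
 * The arguments parameter is unused (METH_NOARGS)
 * Returns a Python object if successful or NULL on error
 */
PyObject *pyevtx_file_close(
           pyevtx_file_t *pyevtx_file,
           PyObject *arguments PYEVTX_ATTRIBUTE_UNUSED )
{
	libcerror_error_t *error = NULL;
	static char *function    = "pyevtx_file_close";
	int result               = 0;

	PYEVTX_UNREFERENCED_PARAMETER( arguments )

	if( pyevtx_file == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid file.",
		 function );

		return( NULL );
	}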
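/* libevtx_file_close is checked against 0 for success, whereas the other
 * libevtx calls in this file are checked against 1.
 */
	Py_BEGIN_ALLOW_THREADS

	result = libevtx_file_close(
	          pyevtx_file->file,
	          &error );

	Py_END_ALLOW_THREADS

	if( result != 0 )
	{
		pyevtx_error_raise(
		 error,
		 PyExc_IOError,
		 "%s: unable to close file.",
		 function );

		libcerror_error_free(
		 &error );

		return( NULL );
	}
	/* The file IO handle is only set when the file was opened using
	 * a file-like object and is released once the file has been closed.
	 */
	if( pyevtx_file->file_io_handle != NULL )
	{
		Py_BEGIN_ALLOW_THREADS

		result = libbfio_handle_free(
		          &( pyevtx_file->file_io_handle ),
		          &error );

		Py_END_ALLOW_THREADS

		if( result != 1 )
		{
			pyevtx_error_raise(
			 error,
			 PyExc_MemoryError,
			 "%s: unable to free libbfio file IO handle.",
			 function );

			libcerror_error_free(
			 &error );

			return( NULL );
		}
	}
	Py_IncRef(
	 Py_None );

	return( Py_None );
}

/* Determines if the file is corrupted
 * The arguments parameter is unused (METH_NOARGS)
 * Returns a Python object (True or False) if successful or NULL on error
 */
PyObject *pyevtx_file_is_corrupted(
           pyevtx_file_t *pyevtx_file,
           PyObject *arguments PYEVTX_ATTRIBUTE_UNUSED )
{
	libcerror_error_t *error = NULL;
	static char *function    = "pyevtx_file_is_corrupted";
	int result               = 0;

	PYEVTX_UNREFERENCED_PARAMETER( arguments )

	if( pyevtx_file == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid file.",
		 function );

		return( NULL );
	}
	Py_BEGIN_ALLOW_THREADS

	result = libevtx_file_is_corrupted(
	          pyevtx_file->file,
	          &error );

	Py_END_ALLOW_THREADS

	/* -1 signals an error, any other non-zero value means corrupted */
	if( result == -1 )
	{
		pyevtx_error_raise(
		 error,
		 PyExc_IOError,
		 "%s: unable to determine if file is corrupted.",
		 function );

		libcerror_error_free(
		 &error );

		return( NULL );
	}
	if( result != 0 )
	{
		Py_IncRef(
		 (PyObject *) Py_True );

		return( Py_True );
	}
	Py_IncRef(
	 (PyObject *) Py_False );

	return( Py_False );
}

/* Retrieves the codepage used for ASCII strings in the file
 * The arguments parameter is unused
 * Returns a Python object if successful or NULL on error
 */
PyObject *pyevtx_file_get_ascii_codepage(
           pyevtx_file_t *pyevtx_file,
           PyObject *arguments PYEVTX_ATTRIBUTE_UNUSED )
{
	PyObject *string_object     = NULL;
	libcerror_error_t *error    = NULL;
	const char *codepage_string = NULL;
	static char *function       = "pyevtx_file_get_ascii_codepage";
	int ascii_codepage          = 0;
	int result                  = 0;

	PYEVTX_UNREFERENCED_PARAMETER( arguments )

	if( pyevtx_file == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid file.",
		 function );

		return( NULL );
	}
	Py_BEGIN_ALLOW_THREADS

	result = libevtx_file_get_ascii_codepage(
	          pyevtx_file->file,
	          &ascii_codepage,
	          &error );

	Py_END_ALLOW_THREADS

	if( result != 1 )
	{
		pyevtx_error_raise(
		 error,
		 PyExc_IOError,
		 "%s: unable to retrieve ASCII codepage.",
		 function );

		libcerror_error_free(
		 &error );

		return( NULL );
	}
	codepage_string = pyevtx_codepage_to_string(
	                   ascii_codepage );

	if( codepage_string == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: unsupported ASCII codepage: %d.",
		 function,
		 ascii_codepage );

		return( NULL );
	}
	/* Note that on Python 3 the codepage name is returned as a bytes object */
#if PY_MAJOR_VERSION >= 3
	string_object = PyBytes_FromString(
	                 codepage_string );
#else
	string_object = PyString_FromString(
	                 codepage_string );
#endif
	if( string_object == NULL )
	{
		PyErr_Format(
		 PyExc_IOError,
		 "%s: unable to convert codepage string into string object.",
		 function );

		return( NULL );
	}
	return( string_object );
}

/* Sets the codepage used for ASCII strings in the file
 * The codepage string is expected to be a NUL-terminated narrow string
 * Returns 1 if successful or -1 on error
 */
int pyevtx_file_set_ascii_codepage_from_string(
     pyevtx_file_t *pyevtx_file,
     const char *codepage_string )
{
	libcerror_error_t *error      = NULL;
	static char *function         = "pyevtx_file_set_ascii_codepage_from_string";
	size_t codepage_string_length = 0;
	uint32_t feature_flags        = 0;
	int ascii_codepage            = 0;
	int result                    = 0;

	if( pyevtx_file == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid file.",
		 function );

		return( -1 );
	}
	if( codepage_string == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid codepage string.",
		 function );

		return( -1 );
	}
	codepage_string_length = narrow_string_length(
	                          codepage_string );

	feature_flags = LIBCLOCALE_CODEPAGE_FEATURE_FLAG_HAVE_WINDOWS;

	/* Translate the codepage name into the numeric codepage value */
	if( libclocale_codepage_copy_from_string(
	     &ascii_codepage,
	     codepage_string,
	     codepage_string_length,
	     feature_flags,
	     &error ) != 1 )
	{
		pyevtx_error_raise(
		 error,
		 PyExc_RuntimeError,
		 "%s: unable to determine ASCII codepage.",
		 function );

		libcerror_error_free(
		 &error );

		return( -1 );
	}
	Py_BEGIN_ALLOW_THREADS

	result = libevtx_file_set_ascii_codepage(
	          pyevtx_file->file,
	          ascii_codepage,
	          &error );

	Py_END_ALLOW_THREADS

	if( result != 1 )
	{
		pyevtx_error_raise(
		 error,
		 PyExc_IOError,
		 "%s: unable to set ASCII codepage.",
		 function );

		libcerror_error_free(
		 &error );

		return( -1 );
	}
	return( 1 );
}

/* Sets the codepage used for ASCII strings in the file
 * Returns a Python object (None) if successful or NULL on error
 */
PyObject *pyevtx_file_set_ascii_codepage(
           pyevtx_file_t *pyevtx_file,
           PyObject *arguments,
           PyObject *keywords )
{
	char *codepage_string       = NULL;
	static char *keyword_list[] = { "codepage", NULL };
	int result                  = 0;

	if( PyArg_ParseTupleAndKeywords(
	     arguments,
	     keywords,
	     "s",
	     keyword_list,
	     &codepage_string ) == 0 )
	{
		return( NULL );
	}
	result = pyevtx_file_set_ascii_codepage_from_string(
	          pyevtx_file,
	          codepage_string );

	if( result != 1 )
	{
		return( NULL );
	}
	Py_IncRef(
	 Py_None );

	return( Py_None );
}

/* Sets the codepage used for ASCII strings in the file
 * This is the setter of the ascii_codepage attribute, it accepts
 * a Unicode or a byte string object
 * Returns 0 if successful or -1 on error
 */
int pyevtx_file_set_ascii_codepage_setter(
     pyevtx_file_t *pyevtx_file,
     PyObject *string_object,
     void *closure PYEVTX_ATTRIBUTE_UNUSED )
{
	PyObject *utf8_string_object = NULL;
	char *codepage_string        = NULL;
	static char *function        = "pyevtx_file_set_ascii_codepage_setter";
	int result                   = 0;

	PYEVTX_UNREFERENCED_PARAMETER( closure )

	/* Deleting the attribute invokes the setter with a NULL value,
	 * which must not reach PyObject_IsInstance.
	 */
	if( string_object == NULL )
	{
		PyErr_Format(
		 PyExc_TypeError,
		 "%s: invalid string object.",
		 function );

		return( -1 );
	}
	PyErr_Clear();

	result = PyObject_IsInstance(
	          string_object,
	          (PyObject *) &PyUnicode_Type );

	if( result == -1 )
	{
		pyevtx_error_fetch_and_raise(
		 PyExc_RuntimeError,
		 "%s: unable to determine if string object is of type Unicode.",
		 function );

		return( -1 );
	}
	else if( result != 0 )
	{
		/* The codepage string should only contain ASCII characters.
		 */
		utf8_string_object = PyUnicode_AsUTF8String(
		                      string_object );

		if( utf8_string_object == NULL )
		{
			pyevtx_error_fetch_and_raise(
			 PyExc_RuntimeError,
			 "%s: unable to convert Unicode string to UTF-8.",
			 function );

			return( -1 );
		}
#if PY_MAJOR_VERSION >= 3
		codepage_string = PyBytes_AsString(
		                   utf8_string_object );
#else
		codepage_string = PyString_AsString(
		                   utf8_string_object );
#endif
		if( codepage_string == NULL )
		{
			Py_DecRef(
			 utf8_string_object );

			return( -1 );
		}
		result = pyevtx_file_set_ascii_codepage_from_string(
		          pyevtx_file,
		          codepage_string );

		/* codepage_string points into utf8_string_object, so the temporary
		 * object is released only after the codepage has been set.
		 */
		Py_DecRef(
		 utf8_string_object );

		if( result != 1 )
		{
			return( -1 );
		}
		return( 0 );
	}
	PyErr_Clear();

#if PY_MAJOR_VERSION >= 3
	result = PyObject_IsInstance(
	          string_object,
	          (PyObject *) &PyBytes_Type );
#else
	result = PyObject_IsInstance(
	          string_object,
	          (PyObject *) &PyString_Type );
#endif
	if( result == -1 )
	{
		pyevtx_error_fetch_and_raise(
		 PyExc_RuntimeError,
		 "%s: unable to determine if string object is of type string.",
		 function );

		return( -1 );
	}
	else if( result != 0 )
	{
#if PY_MAJOR_VERSION >= 3
		codepage_string = PyBytes_AsString(
		                   string_object );
#else
		codepage_string = PyString_AsString(
		                   string_object );
#endif
		if( codepage_string == NULL )
		{
			return( -1 );
		}
		result = pyevtx_file_set_ascii_codepage_from_string(
		          pyevtx_file,
		          codepage_string );

		if( result != 1 )
		{
			return( -1 );
		}
		return( 0 );
	}
	PyErr_Format(
	 PyExc_TypeError,
	 "%s: unsupported string object type.",
	 function );

	return( -1 );
}

/* Retrieves the format version
 * The version is formatted as "major.minor" with one decimal digit each
 * Returns a Python object if successful or NULL on error
 */
PyObject *pyevtx_file_get_format_version(
           pyevtx_file_t *pyevtx_file,
           PyObject *arguments PYEVTX_ATTRIBUTE_UNUSED )
{
	char utf8_string[ 4 ];

	PyObject *string_object  = NULL;
	libcerror_error_t *error = NULL;
	static char *function    = "pyevtx_file_get_format_version";
	uint16_t major_version   = 0;
	uint16_t minor_version   = 0;
	int result               = 0;

	PYEVTX_UNREFERENCED_PARAMETER( arguments )

	if( pyevtx_file == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid file.",
		 function );

		return( NULL );
	}
	Py_BEGIN_ALLOW_THREADS

	result = libevtx_file_get_format_version(
	          pyevtx_file->file,
	          &major_version,
	          &minor_version,
	          &error );

	Py_END_ALLOW_THREADS

	if( result != 1 )
	{
		pyevtx_error_raise(
		 error,
		 PyExc_IOError,
		 "%s: unable to retrieve format version.",
		 function );

		libcerror_error_free(
		 &error );

		return( NULL );
	}
	/* Each version part has to fit in a single decimal digit
	 * of the 4 byte buffer.
	 */
	if( major_version > 9 )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: major version out of bounds.",
		 function );

		return( NULL );
	}
	if( minor_version > 9 )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: minor version out of bounds.",
		 function );

		return( NULL );
	}
	utf8_string[ 0 ] = '0' + (char) major_version;
	utf8_string[ 1 ] = '.';
	utf8_string[ 2 ] = '0' + (char) minor_version;
	utf8_string[ 3 ] = 0;

	/* Pass the string length to PyUnicode_DecodeUTF8 otherwise it makes
	 * the end of string character part of the string.
	 */
	string_object = PyUnicode_DecodeUTF8(
	                 utf8_string,
	                 (Py_ssize_t) 3,
	                 NULL );

	if( string_object == NULL )
	{
		PyErr_Format(
		 PyExc_IOError,
		 "%s: unable to convert UTF-8 string into Unicode object.",
		 function );

		return( NULL );
	}
	return( string_object );
}

/* Retrieves the number of records
 * The arguments parameter is unused
 * Returns a Python object if successful or NULL on error
 */
PyObject *pyevtx_file_get_number_of_records(
           pyevtx_file_t *pyevtx_file,
           PyObject *arguments PYEVTX_ATTRIBUTE_UNUSED )
{
	PyObject *integer_object = NULL;
	libcerror_error_t *error = NULL;
	static char *function    = "pyevtx_file_get_number_of_records";
	int number_of_records    = 0;
	int result               = 0;

	PYEVTX_UNREFERENCED_PARAMETER( arguments )

	if( pyevtx_file == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid file.",
		 function );

		return( NULL );
	}
	Py_BEGIN_ALLOW_THREADS

	result = libevtx_file_get_number_of_records(
	          pyevtx_file->file,
	          &number_of_records,
	          &error );

	Py_END_ALLOW_THREADS

	if( result != 1 )
	{
		pyevtx_error_raise(
		 error,
		 PyExc_IOError,
		 "%s: unable to retrieve number of records.",
		 function );

		libcerror_error_free(
		 &error );

		return( NULL );
	}
#if PY_MAJOR_VERSION >= 3
	integer_object = PyLong_FromLong(
	                  (long) number_of_records );
#else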
/* Python 2 builds create the count with the int type */
	integer_object = PyInt_FromLong(
	                  (long) number_of_records );
#endif
	return( integer_object );
}

/* Retrieves a specific record by index
 * The file is passed as a generic Python object and is handed to the new
 * record object together with the libevtx record
 * Returns a Python object if successful or NULL on error
 */
PyObject *pyevtx_file_get_record_by_index(
           PyObject *pyevtx_file,
           int record_index )
{
	libcerror_error_t *error = NULL;
	libevtx_record_t *record = NULL;
	PyObject *wrapped_record = NULL;
	static char *function    = "pyevtx_file_get_record_by_index";
	int status               = 0;

	if( pyevtx_file == NULL )
	{
		PyErr_Format( PyExc_ValueError, "%s: invalid file.", function );

		return( NULL );
	}
	Py_BEGIN_ALLOW_THREADS

	status = libevtx_file_get_record_by_index(
	          ( (pyevtx_file_t *) pyevtx_file )->file,
	          record_index,
	          &record,
	          &error );

	Py_END_ALLOW_THREADS

	if( status == 1 )
	{
		wrapped_record = pyevtx_record_new( record, pyevtx_file );

		if( wrapped_record != NULL )
		{
			return( wrapped_record );
		}
		PyErr_Format( PyExc_MemoryError, "%s: unable to create record object.", function );
	}
	else
	{
		pyevtx_error_raise( error, PyExc_IOError, "%s: unable to retrieve record: %d.", function, record_index );

		libcerror_error_free( &error );
	}
	/* Failure path: release the libevtx record if one was retrieved */
	if( record != NULL )
	{
		libevtx_record_free( &record, NULL );
	}
	return( NULL );
}

/* Retrieves a specific record
 * Parses the record_index argument and defers to pyevtx_file_get_record_by_index
 * Returns a Python object if successful or NULL on error
 */
PyObject *pyevtx_file_get_record(
           pyevtx_file_t *pyevtx_file,
           PyObject *arguments,
           PyObject *keywords )
{
	static char *keyword_list[] = { "record_index", NULL };
	int record_index            = 0;

	if( PyArg_ParseTupleAndKeywords( arguments, keywords, "i", keyword_list, &record_index ) == 0 )
	{
		return( NULL );
	}
	return( pyevtx_file_get_record_by_index( (PyObject *) pyevtx_file, record_index ) );
}

/* Retrieves a sequence and iterator object for the records
 * The sequence is created with the current number of records and
 * pyevtx_file_get_record_by_index as its item callback
 * Returns a Python object if successful or NULL on error
 */
PyObject *pyevtx_file_get_records(
           pyevtx_file_t *pyevtx_file,
           PyObject *arguments PYEVTX_ATTRIBUTE_UNUSED )
{
	libcerror_error_t *error   = NULL;
	PyObject *records_sequence = NULL;
	static char *function      = "pyevtx_file_get_records";
	int record_count           = 0;
	int status                 = 0;

	PYEVTX_UNREFERENCED_PARAMETER( arguments )

	if( pyevtx_file == NULL )
	{
		PyErr_Format( PyExc_ValueError, "%s: invalid file.", function );

		return( NULL );
	}
	Py_BEGIN_ALLOW_THREADS

	status = libevtx_file_get_number_of_records( pyevtx_file->file, &record_count, &error );

	Py_END_ALLOW_THREADS

	if( status != 1 )
	{
		pyevtx_error_raise( error, PyExc_IOError, "%s: unable to retrieve number of records.", function );

		libcerror_error_free( &error );

		return( NULL );
	}
	records_sequence = pyevtx_records_new(
	                    (PyObject *) pyevtx_file,
	                    &pyevtx_file_get_record_by_index,
	                    record_count );

	if( records_sequence != NULL )
	{
		return( records_sequence );
	}
	pyevtx_error_raise( error, PyExc_MemoryError, "%s: unable to create sequence object.", function );

	return( NULL );
}

/* Retrieves the number of recovered records
 * The arguments parameter is unused
 * Returns a Python object if successful or NULL on error
 */
PyObject *pyevtx_file_get_number_of_recovered_records(
           pyevtx_file_t *pyevtx_file,
           PyObject *arguments PYEVTX_ATTRIBUTE_UNUSED )
{
	libcerror_error_t *error = NULL;
	static char *function    = "pyevtx_file_get_number_of_recovered_records";
	int record_count         = 0;
	int status               = 0;

	PYEVTX_UNREFERENCED_PARAMETER( arguments )

	if( pyevtx_file == NULL )
	{
		PyErr_Format( PyExc_ValueError, "%s: invalid file.", function );

		return( NULL );
	}
	Py_BEGIN_ALLOW_THREADS

	status = libevtx_file_get_number_of_recovered_records( pyevtx_file->file, &record_count, &error );

	Py_END_ALLOW_THREADS

	if( status != 1 )
	{
		pyevtx_error_raise( error, PyExc_IOError, "%s: unable to retrieve number of recovered records.", function );

		libcerror_error_free( &error );

		return( NULL );
	}
	/* The integer type differs between Python 2 and Python 3 */
#if PY_MAJOR_VERSION >= 3
	return( PyLong_FromLong( (long) record_count ) );
#else
	return( PyInt_FromLong( (long) record_count ) );
#endif
}

/* Retrieves a specific recovered record by index
 * The file is passed as a generic Python object and is handed to the new
 * record object together with the libevtx record
 * Returns a Python object if successful or NULL on error
 */
PyObject *pyevtx_file_get_recovered_record_by_index(
           PyObject *pyevtx_file,
           int record_index )
{
	libcerror_error_t *error = NULL;
	libevtx_record_t *record = NULL;
	PyObject *wrapped_record = NULL;
	static char *function    = "pyevtx_file_get_recovered_record_by_index";
	int status               = 0;

	if( pyevtx_file == NULL )
	{
		PyErr_Format( PyExc_ValueError, "%s: invalid file.", function );

		return( NULL );
	}
	Py_BEGIN_ALLOW_THREADS

	status = libevtx_file_get_recovered_record_by_index(
	          ( (pyevtx_file_t *) pyevtx_file )->file,
	          record_index,
	          &record,
	          &error );

	Py_END_ALLOW_THREADS

	if( status == 1 )
	{
		wrapped_record = pyevtx_record_new( record, (PyObject *) pyevtx_file );

		if( wrapped_record != NULL )
		{
			return( wrapped_record );
		}
		PyErr_Format( PyExc_MemoryError, "%s: unable to create recovered record object.", function );
	}
	else
	{
		pyevtx_error_raise( error, PyExc_IOError, "%s: unable to retrieve recovered record: %d.", function, record_index );

		libcerror_error_free( &error );
	}
	/* Failure path: release the libevtx record if one was retrieved */
	if( record != NULL )
	{
		libevtx_record_free( &record, NULL );
	}
	return( NULL );
}

/* Retrieves a specific recovered record
 * Parses the record_index argument and defers to
 * pyevtx_file_get_recovered_record_by_index
 * Returns a Python object if successful or NULL on error
 */
PyObject *pyevtx_file_get_recovered_record(
           pyevtx_file_t *pyevtx_file,
           PyObject *arguments,
           PyObject *keywords )
{
	static char *keyword_list[] = { "record_index", NULL };
	int record_index            = 0;

	if( PyArg_ParseTupleAndKeywords( arguments, keywords, "i", keyword_list, &record_index ) == 0 )
	{
		return( NULL );
	}
	return( pyevtx_file_get_recovered_record_by_index( (PyObject *) pyevtx_file, record_index ) );
}

/* Retrieves a sequence and iterator object for the recovered records
 * Returns a Python object if successful or NULL on error
 */
PyObject *pyevtx_file_get_recovered_records(
           pyevtx_file_t *pyevtx_file,
           PyObject *arguments PYEVTX_ATTRIBUTE_UNUSED
) { PyObject *sequence_object = NULL; libcerror_error_t *error = NULL; static char *function = "pyevtx_file_get_recovered_records"; int number_of_records = 0; int result = 0; PYEVTX_UNREFERENCED_PARAMETER( arguments ) if( pyevtx_file == NULL ) { PyErr_Format( PyExc_ValueError, "%s: invalid file.", function ); return( NULL ); } Py_BEGIN_ALLOW_THREADS result = libevtx_file_get_number_of_recovered_records( pyevtx_file->file, &number_of_records, &error ); Py_END_ALLOW_THREADS if( result != 1 ) { pyevtx_error_raise( error, PyExc_IOError, "%s: unable to retrieve number of recovered records.", function ); libcerror_error_free( &error ); return( NULL ); } sequence_object = pyevtx_records_new( (PyObject *) pyevtx_file, &pyevtx_file_get_recovered_record_by_index, number_of_records ); if( sequence_object == NULL ) { pyevtx_error_raise( error, PyExc_MemoryError, "%s: unable to create sequence object.", function ); return( NULL ); } return( sequence_object ); } ================================================ FILE: pyevtx/pyevtx_file.h ================================================ /* * Python object wrapper of libevtx_file_t * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #if !defined( _PYEVTX_FILE_H ) #define _PYEVTX_FILE_H #include #include #include "pyevtx_libbfio.h" #include "pyevtx_libevtx.h" #include "pyevtx_python.h" #if defined( __cplusplus ) extern "C" { #endif typedef struct pyevtx_file pyevtx_file_t; struct pyevtx_file { /* Python object initialization */ PyObject_HEAD /* The libevtx file */ libevtx_file_t *file; /* The libbfio file IO handle */ libbfio_handle_t *file_io_handle; }; extern PyMethodDef pyevtx_file_object_methods[]; extern PyTypeObject pyevtx_file_type_object; int pyevtx_file_init( pyevtx_file_t *pyevtx_file ); void pyevtx_file_free( pyevtx_file_t *pyevtx_file ); PyObject *pyevtx_file_signal_abort( pyevtx_file_t *pyevtx_file, PyObject *arguments ); PyObject *pyevtx_file_open( pyevtx_file_t *pyevtx_file, PyObject *arguments, PyObject *keywords ); PyObject *pyevtx_file_open_file_object( pyevtx_file_t *pyevtx_file, PyObject *arguments, PyObject *keywords ); PyObject *pyevtx_file_close( pyevtx_file_t *pyevtx_file, PyObject *arguments ); PyObject *pyevtx_file_is_corrupted( pyevtx_file_t *pyevtx_file, PyObject *arguments ); PyObject *pyevtx_file_get_ascii_codepage( pyevtx_file_t *pyevtx_file, PyObject *arguments ); int pyevtx_file_set_ascii_codepage_from_string( pyevtx_file_t *pyevtx_file, const char *codepage_string ); PyObject *pyevtx_file_set_ascii_codepage( pyevtx_file_t *pyevtx_file, PyObject *arguments, PyObject *keywords ); int pyevtx_file_set_ascii_codepage_setter( pyevtx_file_t *pyevtx_file, PyObject *string_object, void *closure ); PyObject *pyevtx_file_get_format_version( pyevtx_file_t *pyevtx_file, PyObject *arguments ); PyObject *pyevtx_file_get_number_of_records( pyevtx_file_t *pyevtx_file, PyObject *arguments ); PyObject *pyevtx_file_get_record_by_index( PyObject *pyevtx_file, int record_index ); PyObject *pyevtx_file_get_record( pyevtx_file_t *pyevtx_file, PyObject *arguments, PyObject *keywords ); PyObject *pyevtx_file_get_records( pyevtx_file_t *pyevtx_file, PyObject *arguments ); PyObject 
*pyevtx_file_get_number_of_recovered_records( pyevtx_file_t *pyevtx_file, PyObject *arguments ); PyObject *pyevtx_file_get_recovered_record_by_index( PyObject *pyevtx_file, int record_index ); PyObject *pyevtx_file_get_recovered_record( pyevtx_file_t *pyevtx_file, PyObject *arguments, PyObject *keywords ); PyObject *pyevtx_file_get_recovered_records( pyevtx_file_t *pyevtx_file, PyObject *arguments ); #if defined( __cplusplus ) } #endif #endif /* !defined( _PYEVTX_FILE_H ) */ ================================================ FILE: pyevtx/pyevtx_file_flags.c ================================================ /* * Python object definition of the libevtx file flags * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #include #include #if defined( HAVE_STDLIB_H ) || defined( HAVE_WINAPI ) #include #endif #include "pyevtx_file_flags.h" #include "pyevtx_libevtx.h" #include "pyevtx_python.h" #include "pyevtx_unused.h" PyTypeObject pyevtx_file_flags_type_object = { PyVarObject_HEAD_INIT( NULL, 0 ) /* tp_name */ "pyevtx.file_flags", /* tp_basicsize */ sizeof( pyevtx_file_flags_t ), /* tp_itemsize */ 0, /* tp_dealloc */ (destructor) pyevtx_file_flags_free, /* tp_print */ 0, /* tp_getattr */ 0, /* tp_setattr */ 0, /* tp_compare */ 0, /* tp_repr */ 0, /* tp_as_number */ 0, /* tp_as_sequence */ 0, /* tp_as_mapping */ 0, /* tp_hash */ 0, /* tp_call */ 0, /* tp_str */ 0, /* tp_getattro */ 0, /* tp_setattro */ 0, /* tp_as_buffer */ 0, /* tp_flags */ Py_TPFLAGS_DEFAULT, /* tp_doc */ "pyevtx file flags object (wraps LIBEVTX_FILE_FLAGS)", /* tp_traverse */ 0, /* tp_clear */ 0, /* tp_richcompare */ 0, /* tp_weaklistoffset */ 0, /* tp_iter */ 0, /* tp_iternext */ 0, /* tp_methods */ 0, /* tp_members */ 0, /* tp_getset */ 0, /* tp_base */ 0, /* tp_dict */ 0, /* tp_descr_get */ 0, /* tp_descr_set */ 0, /* tp_dictoffset */ 0, /* tp_init */ (initproc) pyevtx_file_flags_init, /* tp_alloc */ 0, /* tp_new */ 0, /* tp_free */ 0, /* tp_is_gc */ 0, /* tp_bases */ NULL, /* tp_mro */ NULL, /* tp_cache */ NULL, /* tp_subclasses */ NULL, /* tp_weaklist */ NULL, /* tp_del */ 0 }; /* Initializes the type object * Returns 1 if successful or -1 on error */ int pyevtx_file_flags_init_type( PyTypeObject *type_object ) { PyObject *value_object = NULL; if( type_object == NULL ) { return( -1 ); } type_object->tp_dict = PyDict_New(); if( type_object->tp_dict == NULL ) { return( -1 ); } #if PY_MAJOR_VERSION >= 3 value_object = PyLong_FromLong( LIBEVTX_FILE_FLAG_IS_DIRTY ); #else value_object = PyInt_FromLong( LIBEVTX_FILE_FLAG_IS_DIRTY ); #endif if( PyDict_SetItemString( type_object->tp_dict, "IS_DIRTY", value_object ) != 0 ) { goto on_error; } #if PY_MAJOR_VERSION >= 3 value_object = PyLong_FromLong( 
LIBEVTX_FILE_FLAG_IS_FULL ); #else value_object = PyInt_FromLong( LIBEVTX_FILE_FLAG_IS_FULL ); #endif if( PyDict_SetItemString( type_object->tp_dict, "IS_FULL", value_object ) != 0 ) { goto on_error; } return( 1 ); on_error: if( type_object->tp_dict != NULL ) { Py_DecRef( type_object->tp_dict ); type_object->tp_dict = NULL; } return( -1 ); } /* Creates a new file flags object * Returns a Python object if successful or NULL on error */ PyObject *pyevtx_file_flags_new( void ) { pyevtx_file_flags_t *definitions_object = NULL; static char *function = "pyevtx_file_flags_new"; definitions_object = PyObject_New( struct pyevtx_file_flags, &pyevtx_file_flags_type_object ); if( definitions_object == NULL ) { PyErr_Format( PyExc_MemoryError, "%s: unable to create definitions object.", function ); goto on_error; } if( pyevtx_file_flags_init( definitions_object ) != 0 ) { PyErr_Format( PyExc_MemoryError, "%s: unable to initialize definitions object.", function ); goto on_error; } return( (PyObject *) definitions_object ); on_error: if( definitions_object != NULL ) { Py_DecRef( (PyObject *) definitions_object ); } return( NULL ); } /* Initializes a file flags object * Returns 0 if successful or -1 on error */ int pyevtx_file_flags_init( pyevtx_file_flags_t *definitions_object ) { static char *function = "pyevtx_file_flags_init"; if( definitions_object == NULL ) { PyErr_Format( PyExc_TypeError, "%s: invalid definitions object.", function ); return( -1 ); } return( 0 ); } /* Frees a file flags object */ void pyevtx_file_flags_free( pyevtx_file_flags_t *definitions_object ) { struct _typeobject *ob_type = NULL; static char *function = "pyevtx_file_flags_free"; if( definitions_object == NULL ) { PyErr_Format( PyExc_TypeError, "%s: invalid definitions object.", function ); return; } ob_type = Py_TYPE( definitions_object ); if( ob_type == NULL ) { PyErr_Format( PyExc_ValueError, "%s: missing ob_type.", function ); return; } if( ob_type->tp_free == NULL ) { PyErr_Format( 
PyExc_ValueError, "%s: invalid ob_type - missing tp_free.", function ); return; } ob_type->tp_free( (PyObject*) definitions_object ); } ================================================ FILE: pyevtx/pyevtx_file_flags.h ================================================ /* * Python object definition of the libevtx file flags * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . */ #if !defined( _PYEVTX_FILE_FLAGS_H ) #define _PYEVTX_FILE_FLAGS_H #include #include #include "pyevtx_libevtx.h" #include "pyevtx_python.h" #if defined( __cplusplus ) extern "C" { #endif typedef struct pyevtx_file_flags pyevtx_file_flags_t; struct pyevtx_file_flags { /* Python object initialization */ PyObject_HEAD }; extern PyTypeObject pyevtx_file_flags_type_object; int pyevtx_file_flags_init_type( PyTypeObject *type_object ); PyObject *pyevtx_file_flags_new( void ); int pyevtx_file_flags_init( pyevtx_file_flags_t *definitions_object ); void pyevtx_file_flags_free( pyevtx_file_flags_t *definitions_object ); #if defined( __cplusplus ) } #endif #endif /* !defined( _PYEVTX_FILE_FLAGS_H ) */ ================================================ FILE: pyevtx/pyevtx_file_object_io_handle.c ================================================ /* * Python file object IO handle functions * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. 
* * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . */ #include #include #include #include "pyevtx_error.h" #include "pyevtx_file_object_io_handle.h" #include "pyevtx_integer.h" #include "pyevtx_libbfio.h" #include "pyevtx_libcerror.h" #include "pyevtx_python.h" /* Creates a file object IO handle * Make sure the value file_object_io_handle is referencing, is set to NULL * Returns 1 if successful or -1 on error */ int pyevtx_file_object_io_handle_initialize( pyevtx_file_object_io_handle_t **file_object_io_handle, PyObject *file_object, libcerror_error_t **error ) { static char *function = "pyevtx_file_object_io_handle_initialize"; if( file_object_io_handle == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid file object IO handle.", function ); return( -1 ); } if( *file_object_io_handle != NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET, "%s: invalid file object IO handle value already set.", function ); return( -1 ); } if( file_object == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid file object.", function ); return( -1 ); } *file_object_io_handle = (pyevtx_file_object_io_handle_t *) PyMem_Malloc( sizeof( pyevtx_file_object_io_handle_t ) ); if( *file_object_io_handle == NULL ) { libcerror_error_set( 
error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_INSUFFICIENT, "%s: unable to create file object IO handle.", function ); goto on_error; } if( memory_set( *file_object_io_handle, 0, sizeof( pyevtx_file_object_io_handle_t ) ) == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_SET_FAILED, "%s: unable to clear file object IO handle.", function ); goto on_error; } ( *file_object_io_handle )->file_object = file_object; Py_IncRef( ( *file_object_io_handle )->file_object ); return( 1 ); on_error: if( *file_object_io_handle != NULL ) { PyMem_Free( *file_object_io_handle ); *file_object_io_handle = NULL; } return( -1 ); } /* Initializes the file object IO handle * Returns 1 if successful or -1 on error */ int pyevtx_file_object_initialize( libbfio_handle_t **handle, PyObject *file_object, libcerror_error_t **error ) { pyevtx_file_object_io_handle_t *file_object_io_handle = NULL; static char *function = "pyevtx_file_object_initialize"; if( handle == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid handle.", function ); return( -1 ); } if( *handle != NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET, "%s: invalid handle value already set.", function ); return( -1 ); } if( pyevtx_file_object_io_handle_initialize( &file_object_io_handle, file_object, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED, "%s: unable to create file object IO handle.", function ); goto on_error; } if( libbfio_handle_initialize( handle, (intptr_t *) file_object_io_handle, (int (*)(intptr_t **, libcerror_error_t **)) pyevtx_file_object_io_handle_free, (int (*)(intptr_t **, intptr_t *, libcerror_error_t **)) pyevtx_file_object_io_handle_clone, (int (*)(intptr_t *, int, libcerror_error_t **)) pyevtx_file_object_io_handle_open, (int (*)(intptr_t *, 
libcerror_error_t **)) pyevtx_file_object_io_handle_close, (ssize_t (*)(intptr_t *, uint8_t *, size_t, libcerror_error_t **)) pyevtx_file_object_io_handle_read, (ssize_t (*)(intptr_t *, const uint8_t *, size_t, libcerror_error_t **)) pyevtx_file_object_io_handle_write, (off64_t (*)(intptr_t *, off64_t, int, libcerror_error_t **)) pyevtx_file_object_io_handle_seek_offset, (int (*)(intptr_t *, libcerror_error_t **)) pyevtx_file_object_io_handle_exists, (int (*)(intptr_t *, libcerror_error_t **)) pyevtx_file_object_io_handle_is_open, (int (*)(intptr_t *, size64_t *, libcerror_error_t **)) pyevtx_file_object_io_handle_get_size, LIBBFIO_FLAG_IO_HANDLE_MANAGED | LIBBFIO_FLAG_IO_HANDLE_CLONE_BY_FUNCTION, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED, "%s: unable to create handle.", function ); goto on_error; } return( 1 ); on_error: if( file_object_io_handle != NULL ) { pyevtx_file_object_io_handle_free( &file_object_io_handle, NULL ); } return( -1 ); } /* Frees a file object IO handle * Returns 1 if succesful or -1 on error */ int pyevtx_file_object_io_handle_free( pyevtx_file_object_io_handle_t **file_object_io_handle, libcerror_error_t **error ) { static char *function = "pyevtx_file_object_io_handle_free"; PyGILState_STATE gil_state = 0; if( file_object_io_handle == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid file object IO handle.", function ); return( -1 ); } if( *file_object_io_handle != NULL ) { gil_state = PyGILState_Ensure(); Py_DecRef( ( *file_object_io_handle )->file_object ); PyMem_Free( *file_object_io_handle ); *file_object_io_handle = NULL; PyGILState_Release( gil_state ); } return( 1 ); } /* Clones (duplicates) the file object IO handle and its attributes * Returns 1 if succesful or -1 on error */ int pyevtx_file_object_io_handle_clone( pyevtx_file_object_io_handle_t **destination_file_object_io_handle, 
pyevtx_file_object_io_handle_t *source_file_object_io_handle, libcerror_error_t **error ) { static char *function = "pyevtx_file_object_io_handle_clone"; if( destination_file_object_io_handle == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid destination file object IO handle.", function ); return( -1 ); } if( *destination_file_object_io_handle != NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET, "%s: destination file object IO handle already set.", function ); return( -1 ); } if( source_file_object_io_handle == NULL ) { *destination_file_object_io_handle = NULL; return( 1 ); } if( pyevtx_file_object_io_handle_initialize( destination_file_object_io_handle, source_file_object_io_handle->file_object, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED, "%s: unable to create file object IO handle.", function ); return( -1 ); } if( *destination_file_object_io_handle == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING, "%s: missing destination file object IO handle.", function ); return( -1 ); } return( 1 ); } /* Opens the file object IO handle * Returns 1 if successful or -1 on error */ int pyevtx_file_object_io_handle_open( pyevtx_file_object_io_handle_t *file_object_io_handle, int access_flags, libcerror_error_t **error ) { static char *function = "pyevtx_file_object_io_handle_open"; if( file_object_io_handle == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid file object IO handle.", function ); return( -1 ); } if( file_object_io_handle->file_object == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING, "%s: invalid file object IO handle - missing file object.", function ); 
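return( -1 );
	}
	if( ( ( access_flags & LIBBFIO_ACCESS_FLAG_READ ) != 0 )
	 && ( ( access_flags & LIBBFIO_ACCESS_FLAG_WRITE ) != 0 ) )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_UNSUPPORTED_VALUE,
		 "%s: unsupported access flags.",
		 function );

		return( -1 );
	}
	if( ( access_flags & LIBBFIO_ACCESS_FLAG_WRITE ) != 0 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_UNSUPPORTED_VALUE,
		 "%s: write access currently not supported.",
		 function );

		return( -1 );
	}
	/* No need to do anything here, because the file object is already open
	 */
	file_object_io_handle->access_flags = access_flags;

	return( 1 );
}

/* Closes the file object IO handle
 * The Python file object itself is left open, only the access flags are reset
 * Returns 0 if successful or -1 on error
 */
int pyevtx_file_object_io_handle_close(
     pyevtx_file_object_io_handle_t *file_object_io_handle,
     libcerror_error_t **error )
{
	static char *function = "pyevtx_file_object_io_handle_close";

	if( file_object_io_handle == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid file object IO handle.",
		 function );

		return( -1 );
	}
	if( file_object_io_handle->file_object == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
		 "%s: invalid file object IO handle - missing file object.",
		 function );

		return( -1 );
	}
	/* Do not close the file object, have Python deal with it
	 */
	file_object_io_handle->access_flags = 0;

	return( 0 );
}

/* Reads a buffer from the file object
 * Calls the read method of the file object with size as its argument and
 * copies the returned bytes into buffer. The file object is supplied by the
 * caller of the Python bindings, so the length of what it returns is checked
 * against size before anything is copied.
 * Make sure to hold the GIL state before calling this function
 * Returns the number of bytes read if successful, or -1 on error
 */
ssize_t pyevtx_file_object_read_buffer(
         PyObject *file_object,
         uint8_t *buffer,
         size_t size,
         libcerror_error_t **error )
{
	PyObject *argument_size    = NULL;
	PyObject *method_name      = NULL;
	PyObject *method_result    = NULL;
	static char *function      = "pyevtx_file_object_read_buffer";
	char *safe_buffer          = NULL;
	Py_ssize_t safe_read_count = 0;
	ssize_t read_count         = 0;
	int result                 = 0;

	if( file_object == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid file object.",
		 function );

		return( -1 );
	}
	if( buffer == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid buffer.",
		 function );

		return( -1 );
	}
	if( size > (size_t) SSIZE_MAX )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_VALUE_EXCEEDS_MAXIMUM,
		 "%s: invalid size value exceeds maximum.",
		 function );

		return( -1 );
	}
	if( size > 0 )
	{
#if PY_MAJOR_VERSION >= 3
		method_name = PyUnicode_FromString(
		               "read" );
#else
		method_name = PyString_FromString(
		               "read" );
#endif
		if( method_name == NULL )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_MEMORY,
			 LIBCERROR_MEMORY_ERROR_INSUFFICIENT,
			 "%s: unable to create method name.",
			 function );

			goto on_error;
		}
		argument_size = PyLong_FromSize_t(
		                 size );

		/* A NULL size argument would terminate the variable argument list
		 * early and turn the call below into an unbounded read()
		 */
		if( argument_size == NULL )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_MEMORY,
			 LIBCERROR_MEMORY_ERROR_INSUFFICIENT,
			 "%s: unable to create size argument.",
			 function );

			goto on_error;
		}
		PyErr_Clear();

		method_result = PyObject_CallMethodObjArgs(
		                 file_object,
		                 method_name,
		                 argument_size,
		                 NULL );

		if( PyErr_Occurred() )
		{
			pyevtx_error_fetch(
			 error,
			 LIBCERROR_ERROR_DOMAIN_IO,
			 LIBCERROR_IO_ERROR_READ_FAILED,
			 "%s: unable to read from file object.",
			 function );

			goto on_error;
		}
		if( method_result == NULL )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
			 "%s: missing method result.",
			 function );

			goto on_error;
		}
#if PY_MAJOR_VERSION >= 3
		result = PyObject_IsInstance(
		          method_result,
		          (PyObject *) &PyBytes_Type );
#else
		result = PyObject_IsInstance(
		          method_result,
		          (PyObject *) &PyString_Type );
#endif
		if( result == -1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to determine if method result is a binary string object.",
			 function );

			goto on_error;
		}
		else if( result == 0 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_UNSUPPORTED_VALUE,
			 "%s: invalid method result value is not a binary string object.",
			 function );

			goto on_error;
		}
#if PY_MAJOR_VERSION >= 3
		result = PyBytes_AsStringAndSize(
		          method_result,
		          &safe_buffer,
		          &safe_read_count );
#else
		result = PyString_AsStringAndSize(
		          method_result,
		          &safe_buffer,
		          &safe_read_count );
#endif
		if( result == -1 )
		{
			pyevtx_error_fetch(
			 error,
			 LIBCERROR_ERROR_DOMAIN_IO,
			 LIBCERROR_IO_ERROR_READ_FAILED,
			 "%s: unable to read from file object.",
			 function );

			goto on_error;
		}
		if( safe_read_count > (Py_ssize_t) SSIZE_MAX )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_VALUE_EXCEEDS_MAXIMUM,
			 "%s: invalid read count value exceeds maximum.",
			 function );

			goto on_error;
		}
		/* The buffer holds size bytes. A read method that returns more than
		 * was asked for must not be copied, since that would write past
		 * the end of the buffer.
		 */
		if( ( safe_read_count < 0 )
		 || ( (size_t) safe_read_count > size ) )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_VALUE_EXCEEDS_MAXIMUM,
			 "%s: invalid read count value exceeds requested size.",
			 function );

			goto on_error;
		}
		read_count = (ssize_t) safe_read_count;

		if( memory_copy(
		     buffer,
		     safe_buffer,
		     read_count ) == NULL )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_MEMORY,
			 LIBCERROR_MEMORY_ERROR_COPY_FAILED,
			 "%s: unable to copy data to buffer.",
			 function );

			goto on_error;
		}
		Py_DecRef(
		 method_result );

		Py_DecRef(
		 argument_size );

		Py_DecRef(
		 method_name );
	}
	return( read_count );

on_error:
	if( method_result != NULL )
	{
		Py_DecRef(
		 method_result );
	}
	if( argument_size != NULL )
	{
		Py_DecRef(
		 argument_size );
	}
	if( method_name != NULL )
	{
		Py_DecRef(
		 method_name );
	}
	return( -1 );
}

/* Reads a buffer from the file object IO handle
 * Returns the number of bytes read if successful, or -1 on error
 */
ssize_t pyevtx_file_object_io_handle_read(
         pyevtx_file_object_io_handle_t *file_object_io_handle,
         uint8_t *buffer,
         size_t size,
         libcerror_error_t **error )
{
	static char *function      = "pyevtx_file_object_io_handle_read";
	PyGILState_STATE gil_state = 0;
	ssize_t read_count         = 0;

	if( file_object_io_handle == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid file object IO handle.",
		 function );

		return( -1 );
	}
	gil_state = PyGILState_Ensure();

	read_count = pyevtx_file_object_read_buffer(
	              file_object_io_handle->file_object,
	              buffer,
	              size,
	              error );

	if( read_count == -1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_IO,
		 LIBCERROR_IO_ERROR_READ_FAILED,
		 "%s: unable to read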
from file object.", function ); goto on_error; } PyGILState_Release( gil_state ); return( read_count ); on_error: PyGILState_Release( gil_state ); return( -1 ); } /* Writes a buffer to the file object * Make sure to hold the GIL state before calling this function * Returns the number of bytes written if successful, or -1 on error */ ssize_t pyevtx_file_object_write_buffer( PyObject *file_object, const uint8_t *buffer, size_t size, libcerror_error_t **error ) { PyObject *argument_string = NULL; PyObject *method_name = NULL; PyObject *method_result = NULL; static char *function = "pyevtx_file_object_write_buffer"; if( file_object == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid file object.", function ); return( -1 ); } if( buffer == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid buffer.", function ); return( -1 ); } #if SIZEOF_SIZE_T > SIZEOF_INT if( size > (size_t) INT_MAX ) #else if( size > (size_t) SSIZE_MAX ) #endif { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_VALUE_EXCEEDS_MAXIMUM, "%s: invalid size value exceeds maximum.", function ); return( -1 ); } if( size > 0 ) { #if PY_MAJOR_VERSION >= 3 method_name = PyUnicode_FromString( "write" ); #else method_name = PyString_FromString( "write" ); #endif #if PY_MAJOR_VERSION >= 3 argument_string = PyBytes_FromStringAndSize( (char *) buffer, size ); #else argument_string = PyString_FromStringAndSize( (char *) buffer, size ); #endif PyErr_Clear(); method_result = PyObject_CallMethodObjArgs( file_object, method_name, argument_string, NULL ); if( PyErr_Occurred() ) { pyevtx_error_fetch( error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_WRITE_FAILED, "%s: unable to write to file object.", function ); goto on_error; } if( method_result == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, 
LIBCERROR_RUNTIME_ERROR_VALUE_MISSING, "%s: missing method result.", function ); goto on_error; } Py_DecRef( method_result ); Py_DecRef( argument_string ); Py_DecRef( method_name ); } return( (ssize_t) size ); on_error: if( method_result != NULL ) { Py_DecRef( method_result ); } if( argument_string != NULL ) { Py_DecRef( argument_string ); } if( method_name != NULL ) { Py_DecRef( method_name ); } return( -1 ); } /* Writes a buffer to the file object IO handle * Returns the number of bytes written if successful, or -1 on error */ ssize_t pyevtx_file_object_io_handle_write( pyevtx_file_object_io_handle_t *file_object_io_handle, const uint8_t *buffer, size_t size, libcerror_error_t **error ) { static char *function = "pyevtx_file_object_io_handle_write"; PyGILState_STATE gil_state = 0; ssize_t write_count = 0; if( file_object_io_handle == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid file object IO handle.", function ); return( -1 ); } gil_state = PyGILState_Ensure(); write_count = pyevtx_file_object_write_buffer( file_object_io_handle->file_object, buffer, size, error ); if( write_count == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_WRITE_FAILED, "%s: unable to write from file object.", function ); goto on_error; } PyGILState_Release( gil_state ); return( write_count ); on_error: PyGILState_Release( gil_state ); return( -1 ); } /* Seeks a certain offset within the file object * Make sure to hold the GIL state before calling this function * Returns 1 if successful or -1 on error */ int pyevtx_file_object_seek_offset( PyObject *file_object, off64_t offset, int whence, libcerror_error_t **error ) { PyObject *argument_offset = NULL; PyObject *argument_whence = NULL; PyObject *method_name = NULL; PyObject *method_result = NULL; static char *function = "pyevtx_file_object_seek_offset"; if( file_object == NULL ) { libcerror_error_set( error, 
LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid file object.", function ); return( -1 ); } #if defined( HAVE_LONG_LONG ) if( offset > (off64_t) INT64_MAX ) #else if( offset > (off64_t) LONG_MAX ) #endif { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_VALUE_EXCEEDS_MAXIMUM, "%s: invalid offset value exceeds maximum.", function ); return( -1 ); } if( ( whence != SEEK_CUR ) && ( whence != SEEK_END ) && ( whence != SEEK_SET ) ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_UNSUPPORTED_VALUE, "%s: unsupported whence.", function ); return( -1 ); } #if PY_MAJOR_VERSION >= 3 method_name = PyUnicode_FromString( "seek" ); #else method_name = PyString_FromString( "seek" ); #endif #if defined( HAVE_LONG_LONG ) argument_offset = PyLong_FromLongLong( (PY_LONG_LONG) offset ); #else argument_offset = PyLong_FromLongLong( (long) offset ); #endif #if PY_MAJOR_VERSION >= 3 argument_whence = PyLong_FromLong( (long) whence ); #else argument_whence = PyInt_FromLong( (long) whence ); #endif PyErr_Clear(); method_result = PyObject_CallMethodObjArgs( file_object, method_name, argument_offset, argument_whence, NULL ); if( PyErr_Occurred() ) { pyevtx_error_fetch( error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_SEEK_FAILED, "%s: unable to seek in file object.", function ); goto on_error; } if( method_result == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING, "%s: missing method result.", function ); goto on_error; } Py_DecRef( method_result ); Py_DecRef( argument_whence ); Py_DecRef( argument_offset ); Py_DecRef( method_name ); return( 1 ); on_error: if( method_result != NULL ) { Py_DecRef( method_result ); } if( argument_whence != NULL ) { Py_DecRef( argument_whence ); } if( argument_offset != NULL ) { Py_DecRef( argument_offset ); } if( method_name != NULL ) { Py_DecRef( method_name ); } return( -1 ); } /* 
Retrieves the current offset within the file object * Make sure to hold the GIL state before calling this function * Returns 1 if successful or -1 on error */ int pyevtx_file_object_get_offset( PyObject *file_object, off64_t *offset, libcerror_error_t **error ) { PyObject *method_name = NULL; PyObject *method_result = NULL; static char *function = "pyevtx_file_object_get_offset"; int result = 0; if( file_object == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid file object.", function ); return( -1 ); } if( offset == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid offset.", function ); return( -1 ); } #if PY_MAJOR_VERSION >= 3 method_name = PyUnicode_FromString( "get_offset" ); #else method_name = PyString_FromString( "get_offset" ); #endif PyErr_Clear(); /* Determine if the file object has the get_offset method */ result = PyObject_HasAttr( file_object, method_name ); if( result == 0 ) { Py_DecRef( method_name ); /* Fall back to the tell method */ #if PY_MAJOR_VERSION >= 3 method_name = PyUnicode_FromString( "tell" ); #else method_name = PyString_FromString( "tell" ); #endif } PyErr_Clear(); method_result = PyObject_CallMethodObjArgs( file_object, method_name, NULL ); if( PyErr_Occurred() ) { pyevtx_error_fetch( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve current offset in file object.", function ); goto on_error; } if( method_result == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING, "%s: missing method result.", function ); goto on_error; } if( pyevtx_integer_signed_copy_to_64bit( method_result, offset, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to convert method result into current offset of file object.", function ); 
goto on_error; } Py_DecRef( method_result ); Py_DecRef( method_name ); return( 1 ); on_error: if( method_result != NULL ) { Py_DecRef( method_result ); } if( method_name != NULL ) { Py_DecRef( method_name ); } return( -1 ); } /* Seeks a certain offset within the file object IO handle * Returns the offset if the seek is successful or -1 on error */ off64_t pyevtx_file_object_io_handle_seek_offset( pyevtx_file_object_io_handle_t *file_object_io_handle, off64_t offset, int whence, libcerror_error_t **error ) { static char *function = "pyevtx_file_object_io_handle_seek_offset"; PyGILState_STATE gil_state = 0; if( file_object_io_handle == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid file object IO handle.", function ); return( -1 ); } gil_state = PyGILState_Ensure(); if( pyevtx_file_object_seek_offset( file_object_io_handle->file_object, offset, whence, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_SEEK_FAILED, "%s: unable to seek in file object.", function ); goto on_error; } if( pyevtx_file_object_get_offset( file_object_io_handle->file_object, &offset, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_SEEK_FAILED, "%s: unable to retrieve current offset in file object.", function ); goto on_error; } PyGILState_Release( gil_state ); return( offset ); on_error: PyGILState_Release( gil_state ); return( -1 ); } /* Function to determine if a file exists * Returns 1 if file exists, 0 if not or -1 on error */ int pyevtx_file_object_io_handle_exists( pyevtx_file_object_io_handle_t *file_object_io_handle, libcerror_error_t **error ) { static char *function = "pyevtx_file_object_io_handle_exists"; if( file_object_io_handle == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid file object IO handle.", function ); return( -1 ); } if( 
file_object_io_handle->file_object == NULL ) { return( 0 ); } return( 1 ); } /* Check if the file is open * Returns 1 if open, 0 if not or -1 on error */ int pyevtx_file_object_io_handle_is_open( pyevtx_file_object_io_handle_t *file_object_io_handle, libcerror_error_t **error ) { static char *function = "pyevtx_file_object_io_handle_is_open"; if( file_object_io_handle == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid file object IO handle.", function ); return( -1 ); } if( file_object_io_handle->file_object == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING, "%s: invalid file object IO handle - missing file object.", function ); return( -1 ); } /* As far as BFIO is concerned the file object is always open */ return( 1 ); } /* Retrieves the size of the file object * Make sure to hold the GIL state before calling this function * Returns 1 if successful or -1 on error */ int pyevtx_file_object_get_size( PyObject *file_object, size64_t *size, libcerror_error_t **error ) { PyObject *method_name = NULL; PyObject *method_result = NULL; static char *function = "pyevtx_file_object_get_size"; if( file_object == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid file object.", function ); return( -1 ); } if( size == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid size.", function ); return( -1 ); } #if PY_MAJOR_VERSION >= 3 method_name = PyUnicode_FromString( "get_size" ); #else method_name = PyString_FromString( "get_size" ); #endif PyErr_Clear(); method_result = PyObject_CallMethodObjArgs( file_object, method_name, NULL ); if( PyErr_Occurred() ) { pyevtx_error_fetch( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve size of file object.", 
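function );

		goto on_error;
	}
	if( method_result == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
		 "%s: missing method result.",
		 function );

		goto on_error;
	}
	if( pyevtx_integer_unsigned_copy_to_64bit(
	     method_result,
	     size,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to convert method result into size of file object.",
		 function );

		goto on_error;
	}
	Py_DecRef(
	 method_result );

	Py_DecRef(
	 method_name );

	return( 1 );

on_error:
	if( method_result != NULL )
	{
		Py_DecRef(
		 method_result );
	}
	if( method_name != NULL )
	{
		Py_DecRef(
		 method_name );
	}
	return( -1 );
}

/* Retrieves the file size
 * Uses the get_size method of the file object when it has one, otherwise
 * seeks to the end of the file object, reads the resulting offset and
 * seeks back to the position that was current on entry
 * The size is supplied by the Python object and is not validated against
 * the data that can actually be read
 * Returns 1 if successful or -1 on error
 */
int pyevtx_file_object_io_handle_get_size(
     pyevtx_file_object_io_handle_t *file_object_io_handle,
     size64_t *size,
     libcerror_error_t **error )
{
	PyObject *method_name      = NULL;
	static char *function      = "pyevtx_file_object_io_handle_get_size";
	PyGILState_STATE gil_state = 0;
	off64_t current_offset     = 0;
	off64_t end_offset         = 0;
	int result                 = 0;

	if( file_object_io_handle == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid file object IO handle.",
		 function );

		return( -1 );
	}
	if( file_object_io_handle->file_object == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
		 "%s: invalid file object IO handle - missing file object.",
		 function );

		return( -1 );
	}
	/* The seek fallback below writes through size, so reject NULL up front
	 * like pyevtx_file_object_get_size does
	 */
	if( size == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid size.",
		 function );

		return( -1 );
	}
	gil_state = PyGILState_Ensure();

#if PY_MAJOR_VERSION >= 3
	method_name = PyUnicode_FromString(
	               "get_size" );
#else
	method_name = PyString_FromString(
	               "get_size" );
#endif
	/* Must be checked before PyErr_Clear discards the reason for the failure */
	if( method_name == NULL )
	{
		pyevtx_error_fetch(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to create method name.",
		 function );

		goto on_error;
	}
	PyErr_Clear();

	/* Determine if the file object has the get_size method */
	result = PyObject_HasAttr(
	          file_object_io_handle->file_object,
	          method_name );

	if( result != 0 )
	{
		if( pyevtx_file_object_get_size(
		     file_object_io_handle->file_object,
		     size,
		     error ) != 1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve size of file object.",
			 function );

			goto on_error;
		}
	}
	else
	{
		if( pyevtx_file_object_get_offset(
		     file_object_io_handle->file_object,
		     &current_offset,
		     error ) != 1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve current offset in file object.",
			 function );

			goto on_error;
		}
		if( pyevtx_file_object_seek_offset(
		     file_object_io_handle->file_object,
		     0,
		     SEEK_END,
		     error ) != 1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_IO,
			 LIBCERROR_IO_ERROR_SEEK_FAILED,
			 "%s: unable to seek end of file object.",
			 function );

			goto on_error;
		}
		/* Read the end offset into a signed local instead of aliasing size,
		 * so a negative value can be rejected before it becomes a size
		 */
		if( pyevtx_file_object_get_offset(
		     file_object_io_handle->file_object,
		     &end_offset,
		     error ) != 1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to retrieve end offset in file object.",
			 function );

			/* Best effort to restore the position, the result is ignored */
			pyevtx_file_object_seek_offset(
			 file_object_io_handle->file_object,
			 current_offset,
			 SEEK_SET,
			 NULL );

			goto on_error;
		}
		if( pyevtx_file_object_seek_offset(
		     file_object_io_handle->file_object,
		     current_offset,
		     SEEK_SET,
		     error ) != 1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_IO,
			 LIBCERROR_IO_ERROR_SEEK_FAILED,
			 "%s: unable to seek current offset in file object.",
			 function );

			goto on_error;
		}
		if( end_offset < 0 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS,
			 "%s: invalid end offset value out of bounds.",
			 function );

			goto on_error;
		}
		*size = (size64_t) end_offset;
	}
	Py_DecRef(
	 method_name );

	PyGILState_Release(
	 gil_state );

	return( 1 );

on_error:
	if( method_name != NULL )
	{
		Py_DecRef(
		 method_name );
	}
	PyGILState_Release(
	 gil_state );

	/* The error path has to report failure; returning 1 here would hand the
	 * caller a size that was never set
	 */
	return( -1 );
}

================================================
FILE: pyevtx/pyevtx_file_object_io_handle.h
================================================
/*
 * Python file object IO handle functions
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.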
* * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . */ #if !defined( _PYEVTX_FILE_OBJECT_IO_HANDLE_H ) #define _PYEVTX_FILE_OBJECT_IO_HANDLE_H #include #include #include "pyevtx_libbfio.h" #include "pyevtx_libcerror.h" #include "pyevtx_python.h" #if defined( __cplusplus ) extern "C" { #endif typedef struct pyevtx_file_object_io_handle pyevtx_file_object_io_handle_t; struct pyevtx_file_object_io_handle { /* The python file (like) object */ PyObject *file_object; /* The access flags */ int access_flags; }; int pyevtx_file_object_io_handle_initialize( pyevtx_file_object_io_handle_t **file_object_io_handle, PyObject *file_object, libcerror_error_t **error ); int pyevtx_file_object_initialize( libbfio_handle_t **handle, PyObject *file_object, libcerror_error_t **error ); int pyevtx_file_object_io_handle_free( pyevtx_file_object_io_handle_t **file_object_io_handle, libcerror_error_t **error ); int pyevtx_file_object_io_handle_clone( pyevtx_file_object_io_handle_t **destination_file_object_io_handle, pyevtx_file_object_io_handle_t *source_file_object_io_handle, libcerror_error_t **error ); int pyevtx_file_object_io_handle_open( pyevtx_file_object_io_handle_t *file_object_io_handle, int access_flags, libcerror_error_t **error ); int pyevtx_file_object_io_handle_close( pyevtx_file_object_io_handle_t *file_object_io_handle, libcerror_error_t **error ); ssize_t pyevtx_file_object_read_buffer( PyObject *file_object, 
uint8_t *buffer, size_t size, libcerror_error_t **error ); ssize_t pyevtx_file_object_io_handle_read( pyevtx_file_object_io_handle_t *file_object_io_handle, uint8_t *buffer, size_t size, libcerror_error_t **error ); ssize_t pyevtx_file_object_write_buffer( PyObject *file_object, const uint8_t *buffer, size_t size, libcerror_error_t **error ); ssize_t pyevtx_file_object_io_handle_write( pyevtx_file_object_io_handle_t *file_object_io_handle, const uint8_t *buffer, size_t size, libcerror_error_t **error ); int pyevtx_file_object_seek_offset( PyObject *file_object, off64_t offset, int whence, libcerror_error_t **error ); int pyevtx_file_object_get_offset( PyObject *file_object, off64_t *offset, libcerror_error_t **error ); off64_t pyevtx_file_object_io_handle_seek_offset( pyevtx_file_object_io_handle_t *file_object_io_handle, off64_t offset, int whence, libcerror_error_t **error ); int pyevtx_file_object_io_handle_exists( pyevtx_file_object_io_handle_t *file_object_io_handle, libcerror_error_t **error ); int pyevtx_file_object_io_handle_is_open( pyevtx_file_object_io_handle_t *file_object_io_handle, libcerror_error_t **error ); int pyevtx_file_object_get_size( PyObject *file_object, size64_t *size, libcerror_error_t **error ); int pyevtx_file_object_io_handle_get_size( pyevtx_file_object_io_handle_t *file_object_io_handle, size64_t *size, libcerror_error_t **error ); #if defined( __cplusplus ) } #endif #endif /* !defined( _PYEVTX_FILE_OBJECT_IO_HANDLE_H ) */ ================================================ FILE: pyevtx/pyevtx_integer.c ================================================ /* * Integer functions * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. 
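*
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program.  If not, see .
 */

#include
#include

#include "pyevtx_error.h"
#include "pyevtx_libcerror.h"
#include "pyevtx_integer.h"
#include "pyevtx_python.h"

/* Creates a new signed integer object from a 64-bit value
 * Sets OverflowError when the value does not fit the C type that is
 * handed to Python
 * Returns a Python object if successful or NULL on error
 */
PyObject *pyevtx_integer_signed_new_from_64bit(
           int64_t value_64bit )
{
	PyObject *integer_object = NULL;
	static char *function    = "pyevtx_integer_signed_new_from_64bit";

#if defined( HAVE_LONG_LONG )
	if( ( value_64bit < (int64_t) LLONG_MIN )
	 || ( value_64bit > (int64_t) LLONG_MAX ) )
	{
		PyErr_Format(
		 PyExc_OverflowError,
		 "%s: 64-bit value out of bounds.",
		 function );

		return( NULL );
	}
	integer_object = PyLong_FromLongLong(
	                  (long long) value_64bit );
#else
	/* Check the value that is converted, both bounds, before narrowing
	 * it to long
	 */
	if( ( value_64bit < (int64_t) LONG_MIN )
	 || ( value_64bit > (int64_t) LONG_MAX ) )
	{
		PyErr_Format(
		 PyExc_OverflowError,
		 "%s: 64-bit value out of bounds.",
		 function );

		return( NULL );
	}
	integer_object = PyLong_FromLong(
	                  (long) value_64bit );
#endif
	return( integer_object );
}

/* Creates a new unsigned integer object from a 64-bit value
 * Sets OverflowError when the value does not fit the C type that is
 * handed to Python
 * Returns a Python object if successful or NULL on error
 */
PyObject *pyevtx_integer_unsigned_new_from_64bit(
           uint64_t value_64bit )
{
	PyObject *integer_object = NULL;
	static char *function    = "pyevtx_integer_unsigned_new_from_64bit";

#if defined( HAVE_LONG_LONG )
	if( value_64bit > (uint64_t) ULLONG_MAX )
	{
		PyErr_Format(
		 PyExc_OverflowError,
		 "%s: 64-bit value exceeds maximum.",
		 function );

		return( NULL );
	}
	/* Keep the value unsigned, a signed cast would pass the upper half of
	 * the range through a negative intermediate
	 */
	integer_object = PyLong_FromUnsignedLongLong(
	                  (unsigned long long) value_64bit );
#else
	if( value_64bit > (uint64_t) ULONG_MAX )
	{
		PyErr_Format(
		 PyExc_OverflowError,
		 "%s: 64-bit value exceeds maximum.",
		 function );

		return( NULL );
	}
	integer_object = PyLong_FromUnsignedLong(
	                  (unsigned long) value_64bit );
#endif
	return( integer_object );
}

/* Copies a Python int or long object to a signed 64-bit value
 * Any other object type is rejected; a conversion failure reported by
 * Python is turned into a libcerror error
 * Returns 1 if successful or -1 on error
 */
int pyevtx_integer_signed_copy_to_64bit(
     PyObject *integer_object,
     int64_t *value_64bit,
     libcerror_error_t **error )
{
	static char *function   = "pyevtx_integer_signed_copy_to_64bit";
	int result              = 0;

#if defined( HAVE_LONG_LONG )
	PY_LONG_LONG long_value = 0;
#else
	long long_value         = 0;
#endif

	if( integer_object == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid integer object.",
		 function );

		return( -1 );
	}
	/* The result is written through this pointer at the end */
	if( value_64bit == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid value 64-bit.",
		 function );

		return( -1 );
	}
	PyErr_Clear();

	result = PyObject_IsInstance(
	          integer_object,
	          (PyObject *) &PyLong_Type );

	if( result == -1 )
	{
		pyevtx_error_fetch(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to determine if integer object is of type long.",
		 function );

		return( -1 );
	}
	else if( result != 0 )
	{
		PyErr_Clear();

#if defined( HAVE_LONG_LONG )
		long_value = PyLong_AsLongLong(
		              integer_object );
#else
		long_value = PyLong_AsLong(
		              integer_object );
#endif
	}
#if PY_MAJOR_VERSION < 3
	if( result == 0 )
	{
		PyErr_Clear();

		result = PyObject_IsInstance(
		          integer_object,
		          (PyObject *) &PyInt_Type );

		if( result == -1 )
		{
			pyevtx_error_fetch(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to determine if integer object is of type int.",
			 function );

			return( -1 );
		}
		else if( result != 0 )
		{
			PyErr_Clear();

			long_value = PyInt_AsLong(
			              integer_object );
		}
	}
#endif /* PY_MAJOR_VERSION < 3 */

	if( result == 0 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unsupported integer object type.",
		 function );

		return( -1 );
	}
	/* The conversion functions signal failure through the Python error
	 * indicator, which was cleared right before they were called
	 */
	if( PyErr_Occurred() )
	{
		pyevtx_error_fetch(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to convert integer object to long.",
		 function );

		return( -1 );
	}
#if defined( HAVE_LONG_LONG ) && ( SIZEOF_LONG_LONG > 8 )
	if( ( long_value < (PY_LONG_LONG) INT64_MIN )
	 || ( long_value > (PY_LONG_LONG) INT64_MAX ) )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS,
		 "%s: invalid long value out of bounds.",
		 function );

		return( -1 );
	}
#elif ( SIZEOF_LONG > 8 )
	/* The lower bound is a less-than test, a greater-than test would reject
	 * nearly every value
	 */
	if( ( long_value < (long) INT64_MIN )
	 || ( long_value > (long) INT64_MAX ) )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS,
		 "%s: invalid long value out of bounds.",
		 function );

		return( -1 );
	}
#endif
	*value_64bit = (int64_t) long_value;

	return( 1 );
}

/* Copies a Python int or long object to an unsigned 64-bit value
 * The value is kept in an unsigned C type throughout, so the full
 * unsigned 64-bit range is accepted; negative values are rejected
 * Returns 1 if successful or -1 on error
 */
int pyevtx_integer_unsigned_copy_to_64bit(
     PyObject *integer_object,
     uint64_t *value_64bit,
     libcerror_error_t **error )
{
	static char *function            = "pyevtx_integer_unsigned_copy_to_64bit";
	int result                       = 0;

#if defined( HAVE_LONG_LONG )
	unsigned PY_LONG_LONG long_value = 0;
#else
	unsigned long long_value         = 0;
#endif
#if PY_MAJOR_VERSION < 3
	long int_value                   = 0;
#endif

	if( integer_object == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid integer object.",
		 function );

		return( -1 );
	}
	/* The result is written through this pointer at the end */
	if( value_64bit == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid value 64-bit.",
		 function );

		return( -1 );
	}
	PyErr_Clear();

	result = PyObject_IsInstance(
	          integer_object,
	          (PyObject *) &PyLong_Type );

	if( result == -1 )
	{
		pyevtx_error_fetch(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to determine if integer object is of type long.",
		 function );

		return( -1 );
	}
	else if( result != 0 )
	{
		PyErr_Clear();

		/* A value that cannot be represented, including a negative one,
		 * sets the Python error indicator that is checked further down
		 */
#if defined( HAVE_LONG_LONG )
		long_value = PyLong_AsUnsignedLongLong(
		              integer_object );
#else
		long_value = PyLong_AsUnsignedLong(
		              integer_object );
#endif
	}
#if PY_MAJOR_VERSION < 3
	if( result == 0 )
	{
		PyErr_Clear();

		result = PyObject_IsInstance(
		          integer_object,
		          (PyObject *) &PyInt_Type );

		if( result == -1 )
		{
			pyevtx_error_fetch(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
			 "%s: unable to determine if integer object is of type int.",
			 function );

			return( -1 );
		}
		else if( result != 0 )
		{
			PyErr_Clear();

			/* Read the int as signed so that a negative value is
			 * rejected instead of being masked into a large unsigned one
			 */
			int_value = PyInt_AsLong(
			             integer_object );

			if( int_value < 0 )
			{
				libcerror_error_set(
				 error,
				 LIBCERROR_ERROR_DOMAIN_RUNTIME,
				 LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS,
				 "%s: invalid long value out of bounds.",
				 function );

				return( -1 );
			}
			long_value = (unsigned long) int_value;
		}
	}
#endif /* PY_MAJOR_VERSION < 3 */

	if( result == 0 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unsupported integer object type.",
		 function );

		return( -1 );
	}
	if( PyErr_Occurred() )
	{
		pyevtx_error_fetch(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
		 "%s: unable to convert integer object to long.",
		 function );

		return( -1 );
	}
	/* Only a C type wider than 64 bits can hold a value above UINT64_MAX */
#if defined( HAVE_LONG_LONG )
#if ( SIZEOF_LONG_LONG > 8 )
	if( long_value > (unsigned PY_LONG_LONG) UINT64_MAX )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS,
		 "%s: invalid long value out of bounds.",
		 function );

		return( -1 );
	}
#endif
#else
#if ( SIZEOF_LONG > 8 )
	if( long_value > (unsigned long) UINT64_MAX )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS,
		 "%s: invalid long value out of bounds.",
		 function );

		return( -1 );
	}
#endif
#endif
	*value_64bit = (uint64_t) long_value;

	return( 1 );
}

================================================
FILE: pyevtx/pyevtx_integer.h
================================================
/*
 * Integer functions
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.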
* * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . */ #if !defined( _PYEVTX_INTEGER_H ) #define _PYEVTX_INTEGER_H #include #include #include "pyevtx_libcerror.h" #include "pyevtx_python.h" #if defined( __cplusplus ) extern "C" { #endif PyObject *pyevtx_integer_signed_new_from_64bit( int64_t value_64bit ); PyObject *pyevtx_integer_unsigned_new_from_64bit( uint64_t value_64bit ); int pyevtx_integer_signed_copy_to_64bit( PyObject *integer_object, int64_t *value_64bit, libcerror_error_t **error ); int pyevtx_integer_unsigned_copy_to_64bit( PyObject *integer_object, uint64_t *value_64bit, libcerror_error_t **error ); #if defined( __cplusplus ) } #endif #endif /* !defined( _PYEVTX_INTEGER_H ) */ ================================================ FILE: pyevtx/pyevtx_libbfio.h ================================================ /* * The libbfio header wrapper * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #if !defined( _PYEVTX_LIBBFIO_H ) #define _PYEVTX_LIBBFIO_H #include /* Define HAVE_LOCAL_LIBBFIO for local use of libbfio */ #if defined( HAVE_LOCAL_LIBBFIO ) #include #include #include #include #include #include #include #include #else /* If libtool DLL support is enabled set LIBBFIO_DLL_IMPORT * before including libbfio.h */ #if defined( _WIN32 ) && defined( DLL_IMPORT ) #define LIBBFIO_DLL_IMPORT #endif #include #endif /* defined( HAVE_LOCAL_LIBBFIO ) */ #endif /* !defined( _PYEVTX_LIBBFIO_H ) */ ================================================ FILE: pyevtx/pyevtx_libcerror.h ================================================ /* * The libcerror header wrapper * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #if !defined( _PYEVTX_LIBCERROR_H ) #define _PYEVTX_LIBCERROR_H #include /* Define HAVE_LOCAL_LIBCERROR for local use of libcerror */ #if defined( HAVE_LOCAL_LIBCERROR ) #include #include #include #include #else /* If libtool DLL support is enabled set LIBCERROR_DLL_IMPORT * before including libcerror.h */ #if defined( _WIN32 ) && defined( DLL_IMPORT ) #define LIBCERROR_DLL_IMPORT #endif #include #endif /* defined( HAVE_LOCAL_LIBCERROR ) */ #endif /* !defined( _PYEVTX_LIBCERROR_H ) */ ================================================ FILE: pyevtx/pyevtx_libclocale.h ================================================ /* * The libclocale header wrapper * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #if !defined( _PYEVTX_LIBCLOCALE_H ) #define _PYEVTX_LIBCLOCALE_H #include /* Define HAVE_LOCAL_LIBCLOCALE for local use of libclocale */ #if defined( HAVE_LOCAL_LIBCLOCALE ) #include #include #include #include #else /* If libtool DLL support is enabled set LIBCLOCALE_DLL_IMPORT * before including libclocale.h */ #if defined( _WIN32 ) && defined( DLL_IMPORT ) #define LIBCLOCALE_DLL_IMPORT #endif #include #endif /* defined( HAVE_LOCAL_LIBCLOCALE ) */ #endif /* !defined( _PYEVTX_LIBCLOCALE_H ) */ ================================================ FILE: pyevtx/pyevtx_libevtx.h ================================================ /* * The internal libevtx header * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . */ #if !defined( _PYEVTX_LIBEVTX_H ) #define _PYEVTX_LIBEVTX_H #include #include #endif /* !defined( _PYEVTX_LIBEVTX_H ) */ ================================================ FILE: pyevtx/pyevtx_libfwnt.h ================================================ /* * The libfwnt header wrapper * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. 
* * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . */ #if !defined( _PYEVTX_LIBFWNT_H ) #define _PYEVTX_LIBFWNT_H #include /* Define HAVE_LOCAL_LIBFWNT for local use of libfwnt */ #if defined( HAVE_LOCAL_LIBFWNT ) #include #include #include #else /* If libtool DLL support is enabled set LIBFWNT_DLL_IMPORT * before including libfwnt.h */ #if defined( _WIN32 ) && defined( DLL_IMPORT ) #define LIBFWNT_DLL_IMPORT #endif #include #endif #endif ================================================ FILE: pyevtx/pyevtx_python.h ================================================ /* * The python header wrapper * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #if !defined( _PYEVTX_PYTHON_H ) #define _PYEVTX_PYTHON_H #include #if PY_MAJOR_VERSION < 3 /* Fix defines in pyconfig.h */ #undef _POSIX_C_SOURCE #undef _XOPEN_SOURCE /* Fix defines in pyport.h */ #undef HAVE_FSTAT #undef HAVE_STAT #undef HAVE_SSIZE_T #undef HAVE_INT32_T #undef HAVE_UINT32_T #undef HAVE_INT64_T #undef HAVE_UINT64_T #endif /* PY_MAJOR_VERSION < 3 */ /* Define PY_SSIZE_T_CLEAN to silence: * DeprecationWarning: PY_SSIZE_T_CLEAN will be required for '#' formats * * PY_SSIZE_T_CLEAN was introduced in Python 2.5 */ #define PY_SSIZE_T_CLEAN #include /* Python compatibility macros */ #if !defined( PyMODINIT_FUNC ) #if PY_MAJOR_VERSION >= 3 #define PyMODINIT_FUNC PyObject * #else #define PyMODINIT_FUNC void #endif #endif /* !defined( PyMODINIT_FUNC ) */ #if !defined( PyVarObject_HEAD_INIT ) #define PyVarObject_HEAD_INIT( type, size ) \ PyObject_HEAD_INIT( type ) \ size, #endif /* !defined( PyVarObject_HEAD_INIT ) */ #if PY_MAJOR_VERSION >= 3 #define Py_TPFLAGS_HAVE_ITER 0 #endif #if !defined( Py_TYPE ) #define Py_TYPE( object ) \ ( ( (PyObject *) object )->ob_type ) #endif /* !defined( Py_TYPE ) */ #endif /* !defined( _PYEVTX_PYTHON_H ) */ ================================================ FILE: pyevtx/pyevtx_record.c ================================================ /* * Python object wrapper of libevtx_record_t * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. 
* * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . */ #include #include #if defined( HAVE_STDLIB_H ) || defined( HAVE_WINAPI ) #include #endif #include "pyevtx_datetime.h" #include "pyevtx_error.h" #include "pyevtx_integer.h" #include "pyevtx_libcerror.h" #include "pyevtx_libevtx.h" #include "pyevtx_python.h" #include "pyevtx_record.h" #include "pyevtx_strings.h" #include "pyevtx_unused.h" PyMethodDef pyevtx_record_object_methods[] = { { "get_offset", (PyCFunction) pyevtx_record_get_offset, METH_NOARGS, "get_offset() -> Integer or None\n" "\n" "Retrieves the offset." }, { "get_identifier", (PyCFunction) pyevtx_record_get_identifier, METH_NOARGS, "get_identifier() -> Integer or None\n" "\n" "Retrieves the identifier." }, { "get_creation_time", (PyCFunction) pyevtx_record_get_creation_time, METH_NOARGS, "get_creation_time() -> Datetime or None\n" "\n" "Retrieves the creation time." }, { "get_creation_time_as_integer", (PyCFunction) pyevtx_record_get_creation_time_as_integer, METH_NOARGS, "get_creation_time_as_integer() -> Integer or None\n" "\n" "Retrieves the creation time as a 64-bit integer containing a FILETIME value." }, { "get_written_time", (PyCFunction) pyevtx_record_get_written_time, METH_NOARGS, "get_written_time() -> Datetime or None\n" "\n" "Retrieves the written time." }, { "get_written_time_as_integer", (PyCFunction) pyevtx_record_get_written_time_as_integer, METH_NOARGS, "get_written_time_as_integer() -> Integer or None\n" "\n" "Retrieves the written time as a 64-bit integer containing a FILETIME value." }, { "get_event_identifier", (PyCFunction) pyevtx_record_get_event_identifier, METH_NOARGS, "get_event_identifier() -> Integer\n" "\n" "Retrieves the event identifier." }, { "get_event_identifier_qualifiers", (PyCFunction) pyevtx_record_get_event_identifier_qualifiers, METH_NOARGS, "get_event_identifier_qualifiers() -> Integer or None\n" "\n" "Retrieves the event identifier qualifiers." 
}, { "get_event_version", (PyCFunction) pyevtx_record_get_event_version, METH_NOARGS, "get_event_version() -> Integer or None\n" "\n" "Retrieves the event version." }, { "get_event_level", (PyCFunction) pyevtx_record_get_event_level, METH_NOARGS, "get_event_level() -> Integer\n" "\n" "Retrieves the event level." }, { "get_provider_identifier", (PyCFunction) pyevtx_record_get_provider_identifier, METH_NOARGS, "get_provider_identifier() -> Unicode string or None\n" "\n" "Retrieves the provider identifier." }, { "get_source_name", (PyCFunction) pyevtx_record_get_source_name, METH_NOARGS, "get_source_name() -> Unicode string or None\n" "\n" "Retrieves the source name." }, { "get_channel_name", (PyCFunction) pyevtx_record_get_channel_name, METH_NOARGS, "get_channel_name() -> Unicode string or None\n" "\n" "Retrieves the channel name." }, { "get_computer_name", (PyCFunction) pyevtx_record_get_computer_name, METH_NOARGS, "get_computer_name() -> Unicode string or None\n" "\n" "Retrieves the computer name." }, { "get_user_security_identifier", (PyCFunction) pyevtx_record_get_user_security_identifier, METH_NOARGS, "get_user_security_identifier() -> Unicode string or None\n" "\n" "Retrieves the user security identifier." }, { "get_number_of_strings", (PyCFunction) pyevtx_record_get_number_of_strings, METH_NOARGS, "get_number_of_strings() -> Integer\n" "\n" "Retrieves the number of strings." }, { "get_string", (PyCFunction) pyevtx_record_get_string, METH_VARARGS | METH_KEYWORDS, "get_string(string_index) -> Unicode string or None\n" "\n" "Retrieves the string specified by the index." }, { "get_data", (PyCFunction) pyevtx_record_get_data, METH_NOARGS, "get_data()-> Bytes or None\n" "\n" "Retrieves the data." }, { "get_xml_string", (PyCFunction) pyevtx_record_get_xml_string, METH_NOARGS, "get_xml_string() -> Unicode string or None\n" "\n" "Retrieves the XML string." 
}, /* Sentinel */ { NULL, NULL, 0, NULL } }; PyGetSetDef pyevtx_record_object_get_set_definitions[] = { { "offset", (getter) pyevtx_record_get_offset, (setter) 0, "The offset.", NULL }, { "identifier", (getter) pyevtx_record_get_identifier, (setter) 0, "The identifier.", NULL }, { "creation_time", (getter) pyevtx_record_get_creation_time, (setter) 0, "The creation time.", NULL }, { "written_time", (getter) pyevtx_record_get_written_time, (setter) 0, "The written time.", NULL }, { "event_identifier", (getter) pyevtx_record_get_event_identifier, (setter) 0, "The event identifier.", NULL }, { "event_identifier_qualifiers", (getter) pyevtx_record_get_event_identifier_qualifiers, (setter) 0, "The event identifier qualifiers.", NULL }, { "event_version", (getter) pyevtx_record_get_event_version, (setter) 0, "The event version.", NULL }, { "event_level", (getter) pyevtx_record_get_event_level, (setter) 0, "The event level.", NULL }, { "provider_identifier", (getter) pyevtx_record_get_provider_identifier, (setter) 0, "The provider identifier.", NULL }, { "source_name", (getter) pyevtx_record_get_source_name, (setter) 0, "The source name.", NULL }, { "channel_name", (getter) pyevtx_record_get_channel_name, (setter) 0, "The channel name.", NULL }, { "computer_name", (getter) pyevtx_record_get_computer_name, (setter) 0, "The computer name.", NULL }, { "user_security_identifier", (getter) pyevtx_record_get_user_security_identifier, (setter) 0, "The user security identifier.", NULL }, { "number_of_strings", (getter) pyevtx_record_get_number_of_strings, (setter) 0, "The number of strings.", NULL }, { "strings", (getter) pyevtx_record_get_strings, (setter) 0, "The strings.", NULL }, { "data", (getter) pyevtx_record_get_data, (setter) 0, "The data.", NULL }, { "xml_string", (getter) pyevtx_record_get_xml_string, (setter) 0, "The XML string.", NULL }, /* Sentinel */ { NULL, NULL, NULL, NULL, NULL } }; PyTypeObject pyevtx_record_type_object = { PyVarObject_HEAD_INIT( NULL, 0 ) /* 
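tp_name */ "pyevtx.record",
	/* tp_basicsize */ sizeof( pyevtx_record_t ),
	/* tp_itemsize */ 0,
	/* tp_dealloc */ (destructor) pyevtx_record_free,
	/* tp_print */ 0,
	/* tp_getattr */ 0,
	/* tp_setattr */ 0,
	/* tp_compare */ 0,
	/* tp_repr */ 0,
	/* tp_as_number */ 0,
	/* tp_as_sequence */ 0,
	/* tp_as_mapping */ 0,
	/* tp_hash */ 0,
	/* tp_call */ 0,
	/* tp_str */ 0,
	/* tp_getattro */ 0,
	/* tp_setattro */ 0,
	/* tp_as_buffer */ 0,
	/* tp_flags */ Py_TPFLAGS_DEFAULT,
	/* tp_doc */ "pyevtx record object (wraps libevtx_record_t)",
	/* tp_traverse */ 0,
	/* tp_clear */ 0,
	/* tp_richcompare */ 0,
	/* tp_weaklistoffset */ 0,
	/* tp_iter */ 0,
	/* tp_iternext */ 0,
	/* tp_methods */ pyevtx_record_object_methods,
	/* tp_members */ 0,
	/* tp_getset */ pyevtx_record_object_get_set_definitions,
	/* tp_base */ 0,
	/* tp_dict */ 0,
	/* tp_descr_get */ 0,
	/* tp_descr_set */ 0,
	/* tp_dictoffset */ 0,
	/* tp_init */ (initproc) pyevtx_record_init,
	/* tp_alloc */ 0,
	/* tp_new */ 0,
	/* tp_free */ 0,
	/* tp_is_gc */ 0,
	/* tp_bases */ NULL,
	/* tp_mro */ NULL,
	/* tp_cache */ NULL,
	/* tp_subclasses */ NULL,
	/* tp_weaklist */ NULL,
	/* tp_del */ 0
};

/* Creates a new record object
 *
 * On success the returned object owns record (it is released in
 * pyevtx_record_free) and holds a new reference on parent_object.
 * On error record is left untouched and remains owned by the caller.
 *
 * Returns a Python object if successful or NULL on error
 */
PyObject *pyevtx_record_new(
           libevtx_record_t *record,
           PyObject *parent_object )
{
	pyevtx_record_t *pyevtx_record = NULL;
	static char *function          = "pyevtx_record_new";

	if( record == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid record.",
		 function );

		return( NULL );
	}
	pyevtx_record = PyObject_New(
	                 struct pyevtx_record,
	                 &pyevtx_record_type_object );

	if( pyevtx_record == NULL )
	{
		PyErr_Format(
		 PyExc_MemoryError,
		 "%s: unable to initialize record.",
		 function );

		goto on_error;
	}
	/* PyObject_New leaves the fields after the object header uninitialized.
	 * Clear both pointers before anything can fail, so that every path into
	 * pyevtx_record_free (including on_error below) sees NULL or a valid pointer
	 */
	pyevtx_record->record        = NULL;
	pyevtx_record->parent_object = NULL;

	if( pyevtx_record_init(
	     pyevtx_record ) != 0 )
	{
		PyErr_Format(
		 PyExc_MemoryError,
		 "%s: unable to initialize record.",
		 function );

		goto on_error;
	}
	pyevtx_record->record        = record;
	pyevtx_record->parent_object = parent_object;

	/* Py_IncRef accepts NULL, so a missing parent object is tolerated here */
	Py_IncRef(
	 (PyObject *) pyevtx_record->parent_object );

	return( (PyObject *) pyevtx_record );

on_error:
	if( pyevtx_record != NULL )
	{
		/* Dropping the only reference runs pyevtx_record_free */
		Py_DecRef(
		 (PyObject *) pyevtx_record );
	}
	return( NULL );
}

/* Initializes a record object
 *
 * Also installed as tp_init in pyevtx_record_type_object. It clears the
 * record pointer unconditionally, so running it on an object that already
 * owns a libevtx record drops that pointer without freeing it.
 * NOTE(review): whether Python code can reach this on a live object depends
 * on how tp_new is set up at module initialization, which is not visible here.
 *
 * Returns 0 if successful or -1 on error
 */
int pyevtx_record_init(
     pyevtx_record_t *pyevtx_record )
{
	static char *function = "pyevtx_record_init";

	if( pyevtx_record == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid record.",
		 function );

		return( -1 );
	}
	/* Make sure libevtx record is set to NULL
	 */
	pyevtx_record->record = NULL;

	return( 0 );
}

/* Frees a record object
 *
 * Installed as tp_dealloc. Releases the libevtx record when one is attached,
 * drops the reference on the parent object and hands the memory back through
 * tp_free. An object without a libevtx record is still released: returning
 * early in that state would leak the Python object and its parent reference
 * and leave an exception set by a deallocator.
 *
 * NOTE(review): the remaining PyErr_Format and pyevtx_error_raise calls also
 * set an exception from within a deallocator, which has no caller to report
 * it to; consider preserving any pending exception around this function.
 */
void pyevtx_record_free(
      pyevtx_record_t *pyevtx_record )
{
	struct _typeobject *ob_type = NULL;
	libcerror_error_t *error    = NULL;
	static char *function       = "pyevtx_record_free";
	int result                  = 0;

	if( pyevtx_record == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid record.",
		 function );

		return;
	}
	ob_type = Py_TYPE(
	           pyevtx_record );

	if( ob_type == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: missing ob_type.",
		 function );

		return;
	}
	if( ob_type->tp_free == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid ob_type - missing tp_free.",
		 function );

		return;
	}
	/* Only call into libevtx when there is a record to release
	 */
	if( pyevtx_record->record != NULL )
	{
		Py_BEGIN_ALLOW_THREADS

		result = libevtx_record_free(
		          &( pyevtx_record->record ),
		          &error );

		Py_END_ALLOW_THREADS

		if( result != 1 )
		{
			pyevtx_error_raise(
			 error,
			 PyExc_IOError,
			 "%s: unable to free libevtx record.",
			 function );

			libcerror_error_free(
			 &error );
		}
	}
	if( pyevtx_record->parent_object != NULL )
	{
		Py_DecRef(
		 (PyObject *) pyevtx_record->parent_object );
	}
	ob_type->tp_free(
	 (PyObject*) pyevtx_record );
}

/* Retrieves the offset
 * Returns a Python object if successful or NULL on error
 */
PyObject *pyevtx_record_get_offset(
           pyevtx_record_t *pyevtx_record,
           PyObject *arguments PYEVTX_ATTRIBUTE_UNUSED )
{
	PyObject *integer_object = NULL;
	libcerror_error_t *error = NULL;
	static char *function    = "pyevtx_record_get_offset";
	off64_t offset           = 0;
	int result               = 0;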
PYEVTX_UNREFERENCED_PARAMETER( arguments ) if( pyevtx_record == NULL ) { PyErr_Format( PyExc_ValueError, "%s: invalid record.", function ); return( NULL ); } Py_BEGIN_ALLOW_THREADS result = libevtx_record_get_offset( pyevtx_record->record, &offset, &error ); Py_END_ALLOW_THREADS if( result == -1 ) { pyevtx_error_raise( error, PyExc_IOError, "%s: unable to retrieve offset.", function ); libcerror_error_free( &error ); return( NULL ); } else if( result == 0 ) { Py_IncRef( Py_None ); return( Py_None ); } integer_object = pyevtx_integer_signed_new_from_64bit( (int64_t) offset ); return( integer_object ); } /* Retrieves the identifier * Returns a Python object if successful or NULL on error */ PyObject *pyevtx_record_get_identifier( pyevtx_record_t *pyevtx_record, PyObject *arguments PYEVTX_ATTRIBUTE_UNUSED ) { PyObject *integer_object = NULL; libcerror_error_t *error = NULL; static char *function = "pyevtx_record_get_identifier"; uint64_t value_64bit = 0; int result = 0; PYEVTX_UNREFERENCED_PARAMETER( arguments ) if( pyevtx_record == NULL ) { PyErr_Format( PyExc_ValueError, "%s: invalid record.", function ); return( NULL ); } Py_BEGIN_ALLOW_THREADS result = libevtx_record_get_identifier( pyevtx_record->record, &value_64bit, &error ); Py_END_ALLOW_THREADS if( result != 1 ) { pyevtx_error_raise( error, PyExc_IOError, "%s: unable to retrieve identifier.", function ); libcerror_error_free( &error ); return( NULL ); } integer_object = pyevtx_integer_unsigned_new_from_64bit( (uint64_t) value_64bit ); return( integer_object ); } /* Retrieves the creation time * Returns a Python object if successful or NULL on error */ PyObject *pyevtx_record_get_creation_time( pyevtx_record_t *pyevtx_record, PyObject *arguments PYEVTX_ATTRIBUTE_UNUSED ) { PyObject *datetime_object = NULL; libcerror_error_t *error = NULL; static char *function = "pyevtx_record_get_creation_time"; uint64_t filetime = 0; int result = 0; PYEVTX_UNREFERENCED_PARAMETER( arguments ) if( pyevtx_record == NULL ) { 
PyErr_Format( PyExc_ValueError, "%s: invalid record.", function ); return( NULL ); } Py_BEGIN_ALLOW_THREADS result = libevtx_record_get_creation_time( pyevtx_record->record, &filetime, &error ); Py_END_ALLOW_THREADS if( result == -1 ) { pyevtx_error_raise( error, PyExc_IOError, "%s: unable to retrieve creation time.", function ); libcerror_error_free( &error ); return( NULL ); } else if( result == 0 ) { Py_IncRef( Py_None ); return( Py_None ); } datetime_object = pyevtx_datetime_new_from_filetime( filetime ); return( datetime_object ); } /* Retrieves the creation time as an integer * Returns a Python object if successful or NULL on error */ PyObject *pyevtx_record_get_creation_time_as_integer( pyevtx_record_t *pyevtx_record, PyObject *arguments PYEVTX_ATTRIBUTE_UNUSED ) { PyObject *integer_object = NULL; libcerror_error_t *error = NULL; static char *function = "pyevtx_record_get_creation_time_as_integer"; uint64_t filetime = 0; int result = 0; PYEVTX_UNREFERENCED_PARAMETER( arguments ) if( pyevtx_record == NULL ) { PyErr_Format( PyExc_ValueError, "%s: invalid record.", function ); return( NULL ); } Py_BEGIN_ALLOW_THREADS result = libevtx_record_get_creation_time( pyevtx_record->record, &filetime, &error ); Py_END_ALLOW_THREADS if( result == -1 ) { pyevtx_error_raise( error, PyExc_IOError, "%s: unable to retrieve creation time.", function ); libcerror_error_free( &error ); return( NULL ); } else if( result == 0 ) { Py_IncRef( Py_None ); return( Py_None ); } integer_object = pyevtx_integer_unsigned_new_from_64bit( (uint64_t) filetime ); return( integer_object ); } /* Retrieves the written time * Returns a Python object if successful or NULL on error */ PyObject *pyevtx_record_get_written_time( pyevtx_record_t *pyevtx_record, PyObject *arguments PYEVTX_ATTRIBUTE_UNUSED ) { PyObject *datetime_object = NULL; libcerror_error_t *error = NULL; static char *function = "pyevtx_record_get_written_time"; uint64_t filetime = 0; int result = 0; PYEVTX_UNREFERENCED_PARAMETER( 
arguments ) if( pyevtx_record == NULL ) { PyErr_Format( PyExc_ValueError, "%s: invalid record.", function ); return( NULL ); } Py_BEGIN_ALLOW_THREADS result = libevtx_record_get_written_time( pyevtx_record->record, &filetime, &error ); Py_END_ALLOW_THREADS if( result == -1 ) { pyevtx_error_raise( error, PyExc_IOError, "%s: unable to retrieve written time.", function ); libcerror_error_free( &error ); return( NULL ); } else if( result == 0 ) { Py_IncRef( Py_None ); return( Py_None ); } datetime_object = pyevtx_datetime_new_from_filetime( filetime ); return( datetime_object ); } /* Retrieves the written time as an integer * Returns a Python object if successful or NULL on error */ PyObject *pyevtx_record_get_written_time_as_integer( pyevtx_record_t *pyevtx_record, PyObject *arguments PYEVTX_ATTRIBUTE_UNUSED ) { PyObject *integer_object = NULL; libcerror_error_t *error = NULL; static char *function = "pyevtx_record_get_written_time_as_integer"; uint64_t filetime = 0; int result = 0; PYEVTX_UNREFERENCED_PARAMETER( arguments ) if( pyevtx_record == NULL ) { PyErr_Format( PyExc_ValueError, "%s: invalid record.", function ); return( NULL ); } Py_BEGIN_ALLOW_THREADS result = libevtx_record_get_written_time( pyevtx_record->record, &filetime, &error ); Py_END_ALLOW_THREADS if( result == -1 ) { pyevtx_error_raise( error, PyExc_IOError, "%s: unable to retrieve written time.", function ); libcerror_error_free( &error ); return( NULL ); } else if( result == 0 ) { Py_IncRef( Py_None ); return( Py_None ); } integer_object = pyevtx_integer_unsigned_new_from_64bit( (uint64_t) filetime ); return( integer_object ); } /* Retrieves the event identifier * Returns a Python object if successful or NULL on error */ PyObject *pyevtx_record_get_event_identifier( pyevtx_record_t *pyevtx_record, PyObject *arguments PYEVTX_ATTRIBUTE_UNUSED ) { PyObject *integer_object = NULL; libcerror_error_t *error = NULL; static char *function = "pyevtx_record_get_event_identifier"; uint32_t value_32bit = 0; 
int result = 0; PYEVTX_UNREFERENCED_PARAMETER( arguments ) if( pyevtx_record == NULL ) { PyErr_Format( PyExc_ValueError, "%s: invalid record.", function ); return( NULL ); } Py_BEGIN_ALLOW_THREADS result = libevtx_record_get_event_identifier( pyevtx_record->record, &value_32bit, &error ); Py_END_ALLOW_THREADS if( result != 1 ) { pyevtx_error_raise( error, PyExc_IOError, "%s: unable to retrieve event identifier.", function ); libcerror_error_free( &error ); return( NULL ); } integer_object = PyLong_FromUnsignedLong( (unsigned long) value_32bit ); return( integer_object ); } /* Retrieves the event identifier qualifiers * Returns a Python object if successful or NULL on error */ PyObject *pyevtx_record_get_event_identifier_qualifiers( pyevtx_record_t *pyevtx_record, PyObject *arguments PYEVTX_ATTRIBUTE_UNUSED ) { PyObject *integer_object = NULL; libcerror_error_t *error = NULL; static char *function = "pyevtx_record_get_event_identifier_qualifiers"; uint32_t value_32bit = 0; int result = 0; PYEVTX_UNREFERENCED_PARAMETER( arguments ) if( pyevtx_record == NULL ) { PyErr_Format( PyExc_ValueError, "%s: invalid record.", function ); return( NULL ); } Py_BEGIN_ALLOW_THREADS result = libevtx_record_get_event_identifier_qualifiers( pyevtx_record->record, &value_32bit, &error ); Py_END_ALLOW_THREADS if( result == -1 ) { pyevtx_error_raise( error, PyExc_IOError, "%s: unable to retrieve event identifier qualifiers.", function ); libcerror_error_free( &error ); return( NULL ); } else if( result == 0 ) { Py_IncRef( Py_None ); return( Py_None ); } integer_object = PyLong_FromUnsignedLong( (unsigned long) value_32bit ); return( integer_object ); } /* Retrieves the event version * Returns a Python object if successful or NULL on error */ PyObject *pyevtx_record_get_event_version( pyevtx_record_t *pyevtx_record, PyObject *arguments PYEVTX_ATTRIBUTE_UNUSED ) { PyObject *integer_object = NULL; libcerror_error_t *error = NULL; static char *function = "pyevtx_record_get_event_version"; 
uint8_t event_version = 0; int result = 0; PYEVTX_UNREFERENCED_PARAMETER( arguments ) if( pyevtx_record == NULL ) { PyErr_Format( PyExc_ValueError, "%s: invalid record.", function ); return( NULL ); } Py_BEGIN_ALLOW_THREADS result = libevtx_record_get_event_version( pyevtx_record->record, &event_version, &error ); Py_END_ALLOW_THREADS if( result == -1 ) { pyevtx_error_raise( error, PyExc_IOError, "%s: unable to retrieve event version.", function ); libcerror_error_free( &error ); return( NULL ); } else if( result == 0 ) { Py_IncRef( Py_None ); return( Py_None ); } #if PY_MAJOR_VERSION >= 3 integer_object = PyLong_FromLong( (long) event_version ); #else integer_object = PyInt_FromLong( (long) event_version ); #endif return( integer_object ); } /* Retrieves the event level * Returns a Python object if successful or NULL on error */ PyObject *pyevtx_record_get_event_level( pyevtx_record_t *pyevtx_record, PyObject *arguments PYEVTX_ATTRIBUTE_UNUSED ) { PyObject *integer_object = NULL; libcerror_error_t *error = NULL; static char *function = "pyevtx_record_get_event_level"; uint8_t event_level = 0; int result = 0; PYEVTX_UNREFERENCED_PARAMETER( arguments ) if( pyevtx_record == NULL ) { PyErr_Format( PyExc_ValueError, "%s: invalid record.", function ); return( NULL ); } Py_BEGIN_ALLOW_THREADS result = libevtx_record_get_event_level( pyevtx_record->record, &event_level, &error ); Py_END_ALLOW_THREADS if( result != 1 ) { pyevtx_error_raise( error, PyExc_IOError, "%s: unable to retrieve event level.", function ); libcerror_error_free( &error ); return( NULL ); } #if PY_MAJOR_VERSION >= 3 integer_object = PyLong_FromLong( (long) event_level ); #else integer_object = PyInt_FromLong( (long) event_level ); #endif return( integer_object ); } /* Retrieves the provider identifier * Returns a Python object if successful or NULL on error */ PyObject *pyevtx_record_get_provider_identifier( pyevtx_record_t *pyevtx_record, PyObject *arguments PYEVTX_ATTRIBUTE_UNUSED ) { PyObject 
*string_object           = NULL;
	libcerror_error_t *error = NULL;
	static char *function    = "pyevtx_record_get_provider_identifier";
	char *utf8_string        = NULL;
	size_t utf8_string_size  = 0;
	int result               = 0;

	PYEVTX_UNREFERENCED_PARAMETER( arguments )

	if( pyevtx_record == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid record.",
		 function );

		return( NULL );
	}
	/* First pass: ask the library for the size of the UTF-8 form.
	 * The library call runs with the GIL released.
	 */
	Py_BEGIN_ALLOW_THREADS

	result = libevtx_record_get_utf8_provider_identifier_size(
	          pyevtx_record->record,
	          &utf8_string_size,
	          &error );

	Py_END_ALLOW_THREADS

	if( result == -1 )
	{
		pyevtx_error_raise(
		 error,
		 PyExc_IOError,
		 "%s: unable to determine size of provider identifier as UTF-8 string.",
		 function );

		libcerror_error_free(
		 &error );

		goto on_error;
	}
	/* No value, or a reported size of 0, is returned as None. This also
	 * guarantees utf8_string_size >= 1 below, so the "- 1" cannot wrap.
	 */
	else if( ( result == 0 )
	      || ( utf8_string_size == 0 ) )
	{
		Py_IncRef(
		 Py_None );

		return( Py_None );
	}
	/* The buffer is sized from the value the library just reported;
	 * an allocation that cannot be satisfied is handled as MemoryError.
	 */
	utf8_string = (char *) PyMem_Malloc(
	                        sizeof( char ) * utf8_string_size );

	if( utf8_string == NULL )
	{
		PyErr_Format(
		 PyExc_MemoryError,
		 "%s: unable to create UTF-8 string.",
		 function );

		goto on_error;
	}
	/* Second pass: copy the string; the same size is passed as the
	 * destination bound for the library.
	 */
	Py_BEGIN_ALLOW_THREADS

	result = libevtx_record_get_utf8_provider_identifier(
	          pyevtx_record->record,
	          (uint8_t *) utf8_string,
	          utf8_string_size,
	          &error );

	Py_END_ALLOW_THREADS

	if( result != 1 )
	{
		pyevtx_error_raise(
		 error,
		 PyExc_IOError,
		 "%s: unable to retrieve provider identifier as UTF-8 string.",
		 function );

		libcerror_error_free(
		 &error );

		goto on_error;
	}
	/* Pass the string length (the size minus the end-of-string character)
	 * to PyUnicode_DecodeUTF8, otherwise the end-of-string character
	 * becomes part of the string. The errors argument is NULL, so bytes
	 * that are not valid UTF-8 make the decode fail instead of being replaced.
	 */
	string_object = PyUnicode_DecodeUTF8(
	                 utf8_string,
	                 (Py_ssize_t) utf8_string_size - 1,
	                 NULL );

	if( string_object == NULL )
	{
		PyErr_Format(
		 PyExc_IOError,
		 "%s: unable to convert UTF-8 string into Unicode object.",
		 function );

		goto on_error;
	}
	/* The Unicode object holds its own copy; the scratch buffer can go */
	PyMem_Free(
	 utf8_string );

	return( string_object );

on_error:
	if( utf8_string != NULL )
	{
		PyMem_Free(
		 utf8_string );
	}
	return( NULL );
}

/* Retrieves the source name
 * Returns a Python object if successful or NULL on error
 */
PyObject *pyevtx_record_get_source_name(
pyevtx_record_t *pyevtx_record, PyObject *arguments PYEVTX_ATTRIBUTE_UNUSED ) { PyObject *string_object = NULL; libcerror_error_t *error = NULL; static char *function = "pyevtx_record_get_source_name"; char *utf8_string = NULL; size_t utf8_string_size = 0; int result = 0; PYEVTX_UNREFERENCED_PARAMETER( arguments ) if( pyevtx_record == NULL ) { PyErr_Format( PyExc_ValueError, "%s: invalid record.", function ); return( NULL ); } Py_BEGIN_ALLOW_THREADS result = libevtx_record_get_utf8_source_name_size( pyevtx_record->record, &utf8_string_size, &error ); Py_END_ALLOW_THREADS if( result == -1 ) { pyevtx_error_raise( error, PyExc_IOError, "%s: unable to determine size of source name as UTF-8 string.", function ); libcerror_error_free( &error ); goto on_error; } else if( ( result == 0 ) || ( utf8_string_size == 0 ) ) { Py_IncRef( Py_None ); return( Py_None ); } utf8_string = (char *) PyMem_Malloc( sizeof( char ) * utf8_string_size ); if( utf8_string == NULL ) { PyErr_Format( PyExc_MemoryError, "%s: unable to create UTF-8 string.", function ); goto on_error; } Py_BEGIN_ALLOW_THREADS result = libevtx_record_get_utf8_source_name( pyevtx_record->record, (uint8_t *) utf8_string, utf8_string_size, &error ); Py_END_ALLOW_THREADS if( result != 1 ) { pyevtx_error_raise( error, PyExc_IOError, "%s: unable to retrieve source name as UTF-8 string.", function ); libcerror_error_free( &error ); goto on_error; } /* Pass the string length to PyUnicode_DecodeUTF8 otherwise it makes * the end of string character is part of the string */ string_object = PyUnicode_DecodeUTF8( utf8_string, (Py_ssize_t) utf8_string_size - 1, NULL ); if( string_object == NULL ) { PyErr_Format( PyExc_IOError, "%s: unable to convert UTF-8 string into Unicode object.", function ); goto on_error; } PyMem_Free( utf8_string ); return( string_object ); on_error: if( utf8_string != NULL ) { PyMem_Free( utf8_string ); } return( NULL ); } /* Retrieves the channel name * Returns a Python object if successful or NULL on 
error */ PyObject *pyevtx_record_get_channel_name( pyevtx_record_t *pyevtx_record, PyObject *arguments PYEVTX_ATTRIBUTE_UNUSED ) { PyObject *string_object = NULL; libcerror_error_t *error = NULL; static char *function = "pyevtx_record_get_channel_name"; char *utf8_string = NULL; size_t utf8_string_size = 0; int result = 0; PYEVTX_UNREFERENCED_PARAMETER( arguments ) if( pyevtx_record == NULL ) { PyErr_Format( PyExc_ValueError, "%s: invalid record.", function ); return( NULL ); } Py_BEGIN_ALLOW_THREADS result = libevtx_record_get_utf8_channel_name_size( pyevtx_record->record, &utf8_string_size, &error ); Py_END_ALLOW_THREADS if( result == -1 ) { pyevtx_error_raise( error, PyExc_IOError, "%s: unable to determine size of channel name as UTF-8 string.", function ); libcerror_error_free( &error ); goto on_error; } else if( ( result == 0 ) || ( utf8_string_size == 0 ) ) { Py_IncRef( Py_None ); return( Py_None ); } utf8_string = (char *) PyMem_Malloc( sizeof( char ) * utf8_string_size ); if( utf8_string == NULL ) { PyErr_Format( PyExc_MemoryError, "%s: unable to create UTF-8 string.", function ); goto on_error; } Py_BEGIN_ALLOW_THREADS result = libevtx_record_get_utf8_channel_name( pyevtx_record->record, (uint8_t *) utf8_string, utf8_string_size, &error ); Py_END_ALLOW_THREADS if( result != 1 ) { pyevtx_error_raise( error, PyExc_IOError, "%s: unable to retrieve channel name as UTF-8 string.", function ); libcerror_error_free( &error ); goto on_error; } /* Pass the string length to PyUnicode_DecodeUTF8 otherwise it makes * the end of string character is part of the string */ string_object = PyUnicode_DecodeUTF8( utf8_string, (Py_ssize_t) utf8_string_size - 1, NULL ); if( string_object == NULL ) { PyErr_Format( PyExc_IOError, "%s: unable to convert UTF-8 string into Unicode object.", function ); goto on_error; } PyMem_Free( utf8_string ); return( string_object ); on_error: if( utf8_string != NULL ) { PyMem_Free( utf8_string ); } return( NULL ); } /* Retrieves the computer 
name * Returns a Python object if successful or NULL on error */ PyObject *pyevtx_record_get_computer_name( pyevtx_record_t *pyevtx_record, PyObject *arguments PYEVTX_ATTRIBUTE_UNUSED ) { PyObject *string_object = NULL; libcerror_error_t *error = NULL; static char *function = "pyevtx_record_get_computer_name"; char *utf8_string = NULL; size_t utf8_string_size = 0; int result = 0; PYEVTX_UNREFERENCED_PARAMETER( arguments ) if( pyevtx_record == NULL ) { PyErr_Format( PyExc_ValueError, "%s: invalid record.", function ); return( NULL ); } Py_BEGIN_ALLOW_THREADS result = libevtx_record_get_utf8_computer_name_size( pyevtx_record->record, &utf8_string_size, &error ); Py_END_ALLOW_THREADS if( result == -1 ) { pyevtx_error_raise( error, PyExc_IOError, "%s: unable to determine size of computer name as UTF-8 string.", function ); libcerror_error_free( &error ); goto on_error; } else if( ( result == 0 ) || ( utf8_string_size == 0 ) ) { Py_IncRef( Py_None ); return( Py_None ); } utf8_string = (char *) PyMem_Malloc( sizeof( char ) * utf8_string_size ); if( utf8_string == NULL ) { PyErr_Format( PyExc_MemoryError, "%s: unable to create UTF-8 string.", function ); goto on_error; } Py_BEGIN_ALLOW_THREADS result = libevtx_record_get_utf8_computer_name( pyevtx_record->record, (uint8_t *) utf8_string, utf8_string_size, &error ); Py_END_ALLOW_THREADS if( result != 1 ) { pyevtx_error_raise( error, PyExc_IOError, "%s: unable to retrieve computer name as UTF-8 string.", function ); libcerror_error_free( &error ); goto on_error; } /* Pass the string length to PyUnicode_DecodeUTF8 otherwise it makes * the end of string character is part of the string */ string_object = PyUnicode_DecodeUTF8( utf8_string, (Py_ssize_t) utf8_string_size - 1, NULL ); if( string_object == NULL ) { PyErr_Format( PyExc_IOError, "%s: unable to convert UTF-8 string into Unicode object.", function ); goto on_error; } PyMem_Free( utf8_string ); return( string_object ); on_error: if( utf8_string != NULL ) { PyMem_Free( 
utf8_string ); } return( NULL ); } /* Retrieves the user security identifier * Returns a Python object if successful or NULL on error */ PyObject *pyevtx_record_get_user_security_identifier( pyevtx_record_t *pyevtx_record, PyObject *arguments PYEVTX_ATTRIBUTE_UNUSED ) { PyObject *string_object = NULL; libcerror_error_t *error = NULL; static char *function = "pyevtx_record_get_user_security_identifier"; char *utf8_string = NULL; size_t utf8_string_size = 0; int result = 0; PYEVTX_UNREFERENCED_PARAMETER( arguments ) if( pyevtx_record == NULL ) { PyErr_Format( PyExc_ValueError, "%s: invalid record.", function ); return( NULL ); } Py_BEGIN_ALLOW_THREADS result = libevtx_record_get_utf8_user_security_identifier_size( pyevtx_record->record, &utf8_string_size, &error ); Py_END_ALLOW_THREADS if( result == -1 ) { pyevtx_error_raise( error, PyExc_IOError, "%s: unable to determine size of user security identifier as UTF-8 string.", function ); libcerror_error_free( &error ); goto on_error; } else if( ( result == 0 ) || ( utf8_string_size == 0 ) ) { Py_IncRef( Py_None ); return( Py_None ); } utf8_string = (char *) PyMem_Malloc( sizeof( char ) * utf8_string_size ); if( utf8_string == NULL ) { PyErr_Format( PyExc_MemoryError, "%s: unable to create UTF-8 string.", function ); goto on_error; } Py_BEGIN_ALLOW_THREADS result = libevtx_record_get_utf8_user_security_identifier( pyevtx_record->record, (uint8_t *) utf8_string, utf8_string_size, &error ); Py_END_ALLOW_THREADS if( result != 1 ) { pyevtx_error_raise( error, PyExc_IOError, "%s: unable to retrieve user security identifier as UTF-8 string.", function ); libcerror_error_free( &error ); goto on_error; } /* Pass the string length to PyUnicode_DecodeUTF8 otherwise it makes * the end of string character is part of the string */ string_object = PyUnicode_DecodeUTF8( utf8_string, (Py_ssize_t) utf8_string_size - 1, NULL ); if( string_object == NULL ) { PyErr_Format( PyExc_IOError, "%s: unable to convert UTF-8 string into Unicode 
object.", function ); goto on_error; } PyMem_Free( utf8_string ); return( string_object ); on_error: if( utf8_string != NULL ) { PyMem_Free( utf8_string ); } return( NULL ); } /* Retrieves the number of strings * Returns a Python object if successful or NULL on error */ PyObject *pyevtx_record_get_number_of_strings( pyevtx_record_t *pyevtx_record, PyObject *arguments PYEVTX_ATTRIBUTE_UNUSED ) { PyObject *integer_object = NULL; libcerror_error_t *error = NULL; static char *function = "pyevtx_record_get_number_of_strings"; int number_of_strings = 0; int result = 0; PYEVTX_UNREFERENCED_PARAMETER( arguments ) if( pyevtx_record == NULL ) { PyErr_Format( PyExc_ValueError, "%s: invalid record.", function ); return( NULL ); } Py_BEGIN_ALLOW_THREADS result = libevtx_record_get_number_of_strings( pyevtx_record->record, &number_of_strings, &error ); Py_END_ALLOW_THREADS if( result != 1 ) { pyevtx_error_raise( error, PyExc_IOError, "%s: unable to retrieve number of strings.", function ); libcerror_error_free( &error ); return( NULL ); } #if PY_MAJOR_VERSION >= 3 integer_object = PyLong_FromLong( (long) number_of_strings ); #else integer_object = PyInt_FromLong( (long) number_of_strings ); #endif return( integer_object ); } /* Retrieves a specific string by index * Returns a Python object if successful or NULL on error */ PyObject *pyevtx_record_get_string_by_index( PyObject *pyevtx_record, int string_index ) { PyObject *string_object = NULL; libcerror_error_t *error = NULL; uint8_t *utf8_string = NULL; static char *function = "pyevtx_record_get_string_by_index"; size_t utf8_string_size = 0; int result = 0; if( pyevtx_record == NULL ) { PyErr_Format( PyExc_ValueError, "%s: invalid record.", function ); return( NULL ); } Py_BEGIN_ALLOW_THREADS result = libevtx_record_get_utf8_string_size( ( (pyevtx_record_t *) pyevtx_record )->record, string_index, &utf8_string_size, &error ); Py_END_ALLOW_THREADS if( result == -1 ) { pyevtx_error_raise( error, PyExc_IOError, "%s: unable to 
determine size of string: %d as UTF-8 string.", function, string_index ); libcerror_error_free( &error ); goto on_error; } else if( ( result == 0 ) || ( utf8_string_size == 0 ) ) { Py_IncRef( Py_None ); return( Py_None ); } utf8_string = (uint8_t *) PyMem_Malloc( sizeof( uint8_t ) * utf8_string_size ); if( utf8_string == NULL ) { PyErr_Format( PyExc_MemoryError, "%s: unable to create UTF-8 string.", function ); goto on_error; } Py_BEGIN_ALLOW_THREADS result = libevtx_record_get_utf8_string( ( (pyevtx_record_t *) pyevtx_record )->record, string_index, utf8_string, utf8_string_size, &error ); Py_END_ALLOW_THREADS if( result != 1 ) { pyevtx_error_raise( error, PyExc_IOError, "%s: unable to retrieve string: %d as UTF-8 string.", function, string_index ); libcerror_error_free( &error ); goto on_error; } /* Pass the string length to PyUnicode_DecodeUTF8 otherwise it makes * the end of string character is part of the string */ string_object = PyUnicode_DecodeUTF8( (char *) utf8_string, (Py_ssize_t) utf8_string_size - 1, NULL ); if( string_object == NULL ) { PyErr_Format( PyExc_IOError, "%s: unable to convert UTF-8 string into Unicode object.", function ); goto on_error; } PyMem_Free( utf8_string ); return( string_object ); on_error: if( utf8_string != NULL ) { PyMem_Free( utf8_string ); } return( NULL ); } /* Retrieves a specific string * Returns a Python object if successful or NULL on error */ PyObject *pyevtx_record_get_string( pyevtx_record_t *pyevtx_record, PyObject *arguments, PyObject *keywords ) { PyObject *string_object = NULL; static char *keyword_list[] = { "string_index", NULL }; int string_index = 0; if( PyArg_ParseTupleAndKeywords( arguments, keywords, "i", keyword_list, &string_index ) == 0 ) { return( NULL ); } string_object = pyevtx_record_get_string_by_index( (PyObject *) pyevtx_record, string_index ); return( string_object ); } /* Retrieves a sequence and iterator object for the strings * Returns a Python object if successful or NULL on error */ 
PyObject *pyevtx_record_get_strings(
           pyevtx_record_t *pyevtx_record,
           PyObject *arguments PYEVTX_ATTRIBUTE_UNUSED )
{
	PyObject *sequence_object = NULL;
	libcerror_error_t *error  = NULL;
	static char *function     = "pyevtx_record_get_strings";
	int number_of_strings     = 0;
	int result                = 0;

	PYEVTX_UNREFERENCED_PARAMETER( arguments )

	if( pyevtx_record == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid record.",
		 function );

		return( NULL );
	}
	/* The count is read once here and handed to the sequence object */
	Py_BEGIN_ALLOW_THREADS

	result = libevtx_record_get_number_of_strings(
	          pyevtx_record->record,
	          &number_of_strings,
	          &error );

	Py_END_ALLOW_THREADS

	if( result != 1 )
	{
		pyevtx_error_raise(
		 error,
		 PyExc_IOError,
		 "%s: unable to retrieve number of strings.",
		 function );

		libcerror_error_free(
		 &error );

		return( NULL );
	}
	/* The sequence receives the record object, the per-index accessor and
	 * the count.
	 * NOTE(review): presumably pyevtx_strings_new takes its own reference
	 * on the record object and bounds indexes by the count - confirm.
	 */
	sequence_object = pyevtx_strings_new(
	                   (PyObject *) pyevtx_record,
	                   &pyevtx_record_get_string_by_index,
	                   number_of_strings );

	if( sequence_object == NULL )
	{
		PyErr_Format(
		 PyExc_MemoryError,
		 "%s: unable to create sequence object.",
		 function );

		return( NULL );
	}
	return( sequence_object );
}

/* Retrieves the data
 * Returns a Python object if successful or NULL on error
 */
PyObject *pyevtx_record_get_data(
           pyevtx_record_t *pyevtx_record,
           PyObject *arguments PYEVTX_ATTRIBUTE_UNUSED )
{
	PyObject *bytes_object   = NULL;
	libcerror_error_t *error = NULL;
	char *data               = NULL;
	static char *function    = "pyevtx_record_get_data";
	size_t data_size         = 0;
	int result               = 0;

	PYEVTX_UNREFERENCED_PARAMETER( arguments )

	if( pyevtx_record == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid record.",
		 function );

		return( NULL );
	}
	/* First pass: ask the library for the size of the data */
	Py_BEGIN_ALLOW_THREADS

	result = libevtx_record_get_data_size(
	          pyevtx_record->record,
	          &data_size,
	          &error );

	Py_END_ALLOW_THREADS

	if( result == -1 )
	{
		pyevtx_error_raise(
		 error,
		 PyExc_IOError,
		 "%s: unable to retrieve data size.",
		 function );

		libcerror_error_free(
		 &error );

		goto on_error;
	}
	/* No data, or a reported size of 0, is returned as None */
	else if( ( result == 0 )
	      || ( data_size == 0 ) )
	{
		Py_IncRef(
		 Py_None );

		return( Py_None );
	}
	/* The scratch buffer is sized from the value the library reported;
	 * an allocation that cannot be satisfied is handled as MemoryError.
	 */
	data = (char *) PyMem_Malloc(
	                 sizeof( char ) * data_size );

	if( data == NULL )
	{
		PyErr_Format(
		 PyExc_MemoryError,
		 "%s: unable to create data.",
		 function );

		goto on_error;
	}
	/* Second pass: copy the data; the same size is passed as the
	 * destination bound for the library.
	 */
	Py_BEGIN_ALLOW_THREADS

	result = libevtx_record_get_data(
	          pyevtx_record->record,
	          (uint8_t *) data,
	          data_size,
	          &error );

	Py_END_ALLOW_THREADS

	if( result != 1 )
	{
		pyevtx_error_raise(
		 error,
		 PyExc_IOError,
		 "%s: unable to retrieve data.",
		 function );

		libcerror_error_free(
		 &error );

		goto on_error;
	}
	/* This is a binary string so include the full size
	 */
#if PY_MAJOR_VERSION >= 3
	bytes_object = PyBytes_FromStringAndSize(
	                data,
	                (Py_ssize_t) data_size );
#else
	bytes_object = PyString_FromStringAndSize(
	                data,
	                (Py_ssize_t) data_size );
#endif
	if( bytes_object == NULL )
	{
		PyErr_Format(
		 PyExc_IOError,
		 "%s: unable to convert data into Bytes object.",
		 function );

		goto on_error;
	}
	/* The bytes object holds its own copy; the scratch buffer can go */
	PyMem_Free(
	 data );

	return( bytes_object );

on_error:
	if( data != NULL )
	{
		PyMem_Free(
		 data );
	}
	return( NULL );
}

/* Retrieves the xml string
 * Returns a Python object if successful or NULL on error
 */
PyObject *pyevtx_record_get_xml_string(
           pyevtx_record_t *pyevtx_record,
           PyObject *arguments PYEVTX_ATTRIBUTE_UNUSED )
{
	PyObject *string_object  = NULL;
	libcerror_error_t *error = NULL;
	static char *function    = "pyevtx_record_get_xml_string";
	char *utf8_string        = NULL;
	size_t utf8_string_size  = 0;
	int result               = 0;

	PYEVTX_UNREFERENCED_PARAMETER( arguments )

	if( pyevtx_record == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid record.",
		 function );

		return( NULL );
	}
	/* NOTE(review): the XML text is produced by the library from the event
	 * record, so callers that parse it should presumably treat it like any
	 * other input read from the log file - confirm with the library docs.
	 */
	Py_BEGIN_ALLOW_THREADS

	result = libevtx_record_get_utf8_xml_string_size(
	          pyevtx_record->record,
	          &utf8_string_size,
	          &error );

	Py_END_ALLOW_THREADS

	if( result == -1 )
	{
		pyevtx_error_raise(
		 error,
		 PyExc_IOError,
		 "%s: unable to determine size of xml string as UTF-8 string.",
		 function );

		libcerror_error_free(
		 &error );

		goto on_error;
	}
	/* No value, or a reported size of 0, is returned as None */
	else if( ( result == 0 )
	      || ( utf8_string_size == 0 ) )
	{
		Py_IncRef(
		 Py_None );

		return( Py_None );
	}
	utf8_string = (char *) PyMem_Malloc(
	                        sizeof( char ) * utf8_string_size );

	if( utf8_string ==
NULL ) { PyErr_Format( PyExc_MemoryError, "%s: unable to create UTF-8 string.", function ); goto on_error; } Py_BEGIN_ALLOW_THREADS result = libevtx_record_get_utf8_xml_string( pyevtx_record->record, (uint8_t *) utf8_string, utf8_string_size, &error ); Py_END_ALLOW_THREADS if( result != 1 ) { pyevtx_error_raise( error, PyExc_IOError, "%s: unable to retrieve xml string as UTF-8 string.", function ); libcerror_error_free( &error ); goto on_error; } /* Pass the string length to PyUnicode_DecodeUTF8 otherwise it makes * the end of string character is part of the string */ string_object = PyUnicode_DecodeUTF8( utf8_string, (Py_ssize_t) utf8_string_size - 1, NULL ); if( string_object == NULL ) { PyErr_Format( PyExc_IOError, "%s: unable to convert UTF-8 string into Unicode object.", function ); goto on_error; } PyMem_Free( utf8_string ); return( string_object ); on_error: if( utf8_string != NULL ) { PyMem_Free( utf8_string ); } return( NULL ); } ================================================ FILE: pyevtx/pyevtx_record.h ================================================ /* * Python object wrapper of libevtx_record_t * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
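*/

#if !defined( _PYEVTX_RECORD_H )
#define _PYEVTX_RECORD_H

/* NOTE(review): the two header names below were blank in this listing;
 * restored as the project's common/ headers - confirm against the repository.
 */
#include <common.h>
#include <types.h>

#include "pyevtx_libevtx.h"
#include "pyevtx_python.h"

#if defined( __cplusplus )
extern "C" {
#endif

typedef struct pyevtx_record pyevtx_record_t;

/* Python wrapper object around one libevtx record
 */
struct pyevtx_record
{
	/* Python object initialization
	 */
	PyObject_HEAD

	/* The libevtx record
	 * Set by pyevtx_record_new and released with libevtx_record_free
	 * in pyevtx_record_free
	 */
	libevtx_record_t *record;

	/* The parent object
	 * pyevtx_record_new takes a reference on it and pyevtx_record_free
	 * drops that reference again
	 */
	PyObject *parent_object;
};

extern PyMethodDef pyevtx_record_object_methods[];
extern PyTypeObject pyevtx_record_type_object;

/* Object life cycle */

PyObject *pyevtx_record_new(
           libevtx_record_t *record,
           PyObject *parent_object );

int pyevtx_record_init(
     pyevtx_record_t *pyevtx_record );

void pyevtx_record_free(
      pyevtx_record_t *pyevtx_record );

/* Value getters: each returns a new Python object or NULL on error */

PyObject *pyevtx_record_get_offset(
           pyevtx_record_t *pyevtx_record,
           PyObject *arguments );

PyObject *pyevtx_record_get_identifier(
           pyevtx_record_t *pyevtx_record,
           PyObject *arguments );

PyObject *pyevtx_record_get_creation_time(
           pyevtx_record_t *pyevtx_record,
           PyObject *arguments );

PyObject *pyevtx_record_get_creation_time_as_integer(
           pyevtx_record_t *pyevtx_record,
           PyObject *arguments );

PyObject *pyevtx_record_get_written_time(
           pyevtx_record_t *pyevtx_record,
           PyObject *arguments );

PyObject *pyevtx_record_get_written_time_as_integer(
           pyevtx_record_t *pyevtx_record,
           PyObject *arguments );

PyObject *pyevtx_record_get_event_identifier(
           pyevtx_record_t *pyevtx_record,
           PyObject *arguments );

PyObject *pyevtx_record_get_event_identifier_qualifiers(
           pyevtx_record_t *pyevtx_record,
           PyObject *arguments );

PyObject *pyevtx_record_get_event_version(
           pyevtx_record_t *pyevtx_record,
           PyObject *arguments );

PyObject *pyevtx_record_get_event_level(
           pyevtx_record_t *pyevtx_record,
           PyObject *arguments );

PyObject *pyevtx_record_get_provider_identifier(
           pyevtx_record_t *pyevtx_record,
           PyObject *arguments );

PyObject *pyevtx_record_get_source_name(
           pyevtx_record_t *pyevtx_record,
           PyObject *arguments );

PyObject *pyevtx_record_get_channel_name(
           pyevtx_record_t *pyevtx_record,
           PyObject *arguments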
); PyObject *pyevtx_record_get_computer_name( pyevtx_record_t *pyevtx_record, PyObject *arguments ); PyObject *pyevtx_record_get_user_security_identifier( pyevtx_record_t *pyevtx_record, PyObject *arguments ); PyObject *pyevtx_record_get_number_of_strings( pyevtx_record_t *pyevtx_record, PyObject *arguments ); PyObject *pyevtx_record_get_string_by_index( PyObject *pyevtx_record, int string_index ); PyObject *pyevtx_record_get_string( pyevtx_record_t *pyevtx_record, PyObject *arguments, PyObject *keywords ); PyObject *pyevtx_record_get_strings( pyevtx_record_t *pyevtx_record, PyObject *arguments ); PyObject *pyevtx_record_get_data( pyevtx_record_t *pyevtx_record, PyObject *arguments ); PyObject *pyevtx_record_get_xml_string( pyevtx_record_t *pyevtx_record, PyObject *arguments ); #if defined( __cplusplus ) } #endif #endif /* !defined( _PYEVTX_RECORD_H ) */ ================================================ FILE: pyevtx/pyevtx_records.c ================================================ /* * Python object definition of the sequence and iterator object of records * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
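 */

#include <common.h>
#include <types.h>

#if defined( HAVE_STDLIB_H ) || defined( HAVE_WINAPI )
#include <stdlib.h>
#endif

#include "pyevtx_libcerror.h"
#include "pyevtx_libevtx.h"
#include "pyevtx_python.h"
#include "pyevtx_record.h"
#include "pyevtx_records.h"

/* Sequence protocol table: only len() and read access by index are set,
 * every assigning or concatenating slot is left at 0
 */
PySequenceMethods pyevtx_records_sequence_methods = {
	/* sq_length */         (lenfunc) pyevtx_records_len,
	/* sq_concat */         0,
	/* sq_repeat */         0,
	/* sq_item */           (ssizeargfunc) pyevtx_records_getitem,
	/* sq_slice */          0,
	/* sq_ass_item */       0,
	/* sq_ass_slice */      0,
	/* sq_contains */       0,
	/* sq_inplace_concat */ 0,
	/* sq_inplace_repeat */ 0
};

/* Type object of pyevtx.records
 * The same object serves as sequence (tp_as_sequence) and as its own
 * iterator (tp_iter, tp_iternext)
 */
PyTypeObject pyevtx_records_type_object = {
	PyVarObject_HEAD_INIT( NULL, 0 )

	/* tp_name */           "pyevtx.records",
	/* tp_basicsize */      sizeof( pyevtx_records_t ),
	/* tp_itemsize */       0,
	/* tp_dealloc */        (destructor) pyevtx_records_free,
	/* tp_print */          0,
	/* tp_getattr */        0,
	/* tp_setattr */        0,
	/* tp_compare */        0,
	/* tp_repr */           0,
	/* tp_as_number */      0,
	/* tp_as_sequence */    &pyevtx_records_sequence_methods,
	/* tp_as_mapping */     0,
	/* tp_hash */           0,
	/* tp_call */           0,
	/* tp_str */            0,
	/* tp_getattro */       0,
	/* tp_setattro */       0,
	/* tp_as_buffer */      0,
	/* tp_flags */          Py_TPFLAGS_DEFAULT | Py_TPFLAGS_HAVE_ITER,
	/* tp_doc */            "pyevtx sequence and iterator object of records",
	/* tp_traverse */       0,
	/* tp_clear */          0,
	/* tp_richcompare */    0,
	/* tp_weaklistoffset */ 0,
	/* tp_iter */           (getiterfunc) pyevtx_records_iter,
	/* tp_iternext */       (iternextfunc) pyevtx_records_iternext,
	/* tp_methods */        0,
	/* tp_members */        0,
	/* tp_getset */         0,
	/* tp_base */           0,
	/* tp_dict */           0,
	/* tp_descr_get */      0,
	/* tp_descr_set */      0,
	/* tp_dictoffset */     0,
	/* tp_init */           (initproc) pyevtx_records_init,
	/* tp_alloc */          0,
	/* tp_new */            0,
	/* tp_free */           0,
	/* tp_is_gc */          0,
	/* tp_bases */          NULL,
	/* tp_mro */            NULL,
	/* tp_cache */          NULL,
	/* tp_subclasses */     NULL,
	/* tp_weaklist */       NULL,
	/* tp_del */            0
};

/* Creates a new records sequence and iterator object
 *
 * A new reference on parent_object is taken and held until
 * pyevtx_records_free releases it, so the parent outlives the sequence
 * number_of_items is stored as given, a negative value is not rejected
 * here but by pyevtx_records_getitem and pyevtx_records_iternext
 *
 * Returns a Python object if successful or NULL on error
 */
PyObject *pyevtx_records_new(
           PyObject *parent_object,
           PyObject* (*get_item_by_index)(
                        PyObject *parent_object,
                        int index ),
           int number_of_items )
{
	pyevtx_records_t *sequence_object = NULL;
	static char *function             = "pyevtx_records_new";

	if( parent_object == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid parent object.",
		 function );

		return( NULL );
	}
	if( get_item_by_index == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid get item by index function.",
		 function );

		return( NULL );
	}
	/* Make sure the records values are initialized
	 */
	sequence_object = PyObject_New(
	                   struct pyevtx_records,
	                   &pyevtx_records_type_object );

	if( sequence_object == NULL )
	{
		PyErr_Format(
		 PyExc_MemoryError,
		 "%s: unable to create sequence object.",
		 function );

		goto on_error;
	}
	sequence_object->parent_object     = parent_object;
	sequence_object->get_item_by_index = get_item_by_index;
	sequence_object->current_index     = 0;
	sequence_object->number_of_items   = number_of_items;

	/* Keep the parent alive for as long as the sequence refers to it
	 */
	Py_IncRef(
	 (PyObject *) sequence_object->parent_object );

	return( (PyObject *) sequence_object );

on_error:
	if( sequence_object != NULL )
	{
		Py_DecRef(
		 (PyObject *) sequence_object );
	}
	return( NULL );
}

/* Initializes a records sequence and iterator object
 *
 * Direct initialization is not supported: the values are reset and
 * NotImplementedError is raised in every case where sequence_object is set
 * NOTE(review): parent_object is overwritten without releasing a reference,
 * confirm this is never reached for an object made by pyevtx_records_new
 *
 * Returns 0 if successful or -1 on error
 */
int pyevtx_records_init(
     pyevtx_records_t *sequence_object )
{
	static char *function = "pyevtx_records_init";

	if( sequence_object == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid sequence object.",
		 function );

		return( -1 );
	}
	/* Make sure the records values are initialized
	 */
	sequence_object->parent_object     = NULL;
	sequence_object->get_item_by_index = NULL;
	sequence_object->current_index     = 0;
	sequence_object->number_of_items   = 0;

	PyErr_Format(
	 PyExc_NotImplementedError,
	 "%s: initialize of records not supported.",
	 function );

	return( -1 );
}

/* Frees a records sequence object
 *
 * Releases the reference on the parent object and hands the memory back
 * through the tp_free of the object's type
 * NOTE(review): the early returns leave the object allocated and the parent
 * reference held, and set an exception from within the deallocator
 */
void pyevtx_records_free(
      pyevtx_records_t *sequence_object )
{
	struct _typeobject *ob_type = NULL;
	static char *function       = "pyevtx_records_free";

	if( sequence_object == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid sequence object.",
		 function );

		return;
	}
	ob_type = Py_TYPE(
	           sequence_object );

	if( ob_type == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: missing ob_type.",
		 function );

		return;
	}
	if( ob_type->tp_free == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid ob_type - missing tp_free.",
		 function );

		return;
	}
	if( sequence_object->parent_object != NULL )
	{
		Py_DecRef(
		 (PyObject *) sequence_object->parent_object );
	}
	ob_type->tp_free(
	 (PyObject*) sequence_object );
}

/* The records len() function
 * Returns the stored number of items or -1 on error
 */
Py_ssize_t pyevtx_records_len(
            pyevtx_records_t *sequence_object )
{
	static char *function = "pyevtx_records_len";

	if( sequence_object == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid sequence object.",
		 function );

		return( -1 );
	}
	return( (Py_ssize_t) sequence_object->number_of_items );
}

/* The records getitem() function
 *
 * The index is checked against [ 0, number_of_items ) before the callback
 * is invoked, an index outside that range raises ValueError
 * Returns the object the callback returned or NULL on error
 */
PyObject *pyevtx_records_getitem(
           pyevtx_records_t *sequence_object,
           Py_ssize_t item_index )
{
	PyObject *record_object = NULL;
	static char *function   = "pyevtx_records_getitem";

	if( sequence_object == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid sequence object.",
		 function );

		return( NULL );
	}
	if( sequence_object->get_item_by_index == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid sequence object - missing get item by index function.",
		 function );

		return( NULL );
	}
	if( sequence_object->number_of_items < 0 )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid sequence object - invalid number of items.",
		 function );

		return( NULL );
	}
	if( ( item_index < 0 )
	 || ( item_index >= (Py_ssize_t) sequence_object->number_of_items ) )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid item index value out of bounds.",
		 function );

		return( NULL );
	}
	/* The cast to int cannot truncate: item_index was checked above to be
	 * smaller than number_of_items, which is itself an int
	 */
	record_object = sequence_object->get_item_by_index(
	                 sequence_object->parent_object,
	                 (int) item_index );

	return( record_object );
}

/* The records iter() function
 * Returns the sequence object itself with a new reference or NULL on error
 */
PyObject *pyevtx_records_iter(
           pyevtx_records_t *sequence_object )
{
	static char *function = "pyevtx_records_iter";

	if( sequence_object == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid sequence object.",
		 function );

		return( NULL );
	}
	Py_IncRef(
	 (PyObject *) sequence_object );

	return( (PyObject *) sequence_object );
}

/* The records iternext() function
 *
 * Raises StopIteration once current_index reaches number_of_items
 * current_index only advances when the callback returned an object, so a
 * failed item is requested again by the next call
 * Returns the object the callback returned or NULL on error or end
 */
PyObject *pyevtx_records_iternext(
           pyevtx_records_t *sequence_object )
{
	PyObject *record_object = NULL;
	static char *function   = "pyevtx_records_iternext";

	if( sequence_object == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid sequence object.",
		 function );

		return( NULL );
	}
	if( sequence_object->get_item_by_index == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid sequence object - missing get item by index function.",
		 function );

		return( NULL );
	}
	if( sequence_object->current_index < 0 )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid sequence object - invalid current index.",
		 function );

		return( NULL );
	}
	if( sequence_object->number_of_items < 0 )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid sequence object - invalid number of items.",
		 function );

		return( NULL );
	}
	if( sequence_object->current_index >= sequence_object->number_of_items )
	{
		PyErr_SetNone(
		 PyExc_StopIteration );

		return( NULL );
	}
	record_object = sequence_object->get_item_by_index(
	                 sequence_object->parent_object,
	                 sequence_object->current_index );

	if( record_object != NULL )
	{
		sequence_object->current_index++;
	}
	return( record_object );
}

================================================
FILE: pyevtx/pyevtx_records.h
================================================
/*
 * Python object definition of the sequence and iterator object of records
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.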
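 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see .
 */

#if !defined( _PYEVTX_RECORDS_H )
#define _PYEVTX_RECORDS_H

#include <common.h>
#include <types.h>

#include "pyevtx_libevtx.h"
#include "pyevtx_python.h"

#if defined( __cplusplus )
extern "C" {
#endif

typedef struct pyevtx_records pyevtx_records_t;

/* Sequence and iterator object that reads its items from a parent object
 * through a callback
 */
struct pyevtx_records
{
	/* Python object initialization
	 */
	PyObject_HEAD

	/* The parent object
	 * pyevtx_records_new takes a reference on it, pyevtx_records_free
	 * releases that reference
	 */
	PyObject *parent_object;

	/* The get item by index callback function
	 */
	PyObject* (*get_item_by_index)(
	             PyObject *parent_object,
	             int index );

	/* The current index
	 * Index of the item the next pyevtx_records_iternext call requests
	 */
	int current_index;

	/* The number of items
	 * Upper bound used by the getitem and iternext index checks
	 */
	int number_of_items;
};

extern PyTypeObject pyevtx_records_type_object;

PyObject *pyevtx_records_new(
           PyObject *parent_object,
           PyObject* (*get_item_by_index)(
                        PyObject *parent_object,
                        int index ),
           int number_of_items );

int pyevtx_records_init(
     pyevtx_records_t *sequence_object );

void pyevtx_records_free(
      pyevtx_records_t *sequence_object );

Py_ssize_t pyevtx_records_len(
            pyevtx_records_t *sequence_object );

PyObject *pyevtx_records_getitem(
           pyevtx_records_t *sequence_object,
           Py_ssize_t item_index );

PyObject *pyevtx_records_iter(
           pyevtx_records_t *sequence_object );

PyObject *pyevtx_records_iternext(
           pyevtx_records_t *sequence_object );

#if defined( __cplusplus )
}
#endif

#endif /* !defined( _PYEVTX_RECORDS_H ) */

================================================
FILE: pyevtx/pyevtx_strings.c
================================================
/*
 * Python object definition of the sequence and iterator object of strings
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.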
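 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see .
 */

#include <common.h>
#include <types.h>

#if defined( HAVE_STDLIB_H ) || defined( HAVE_WINAPI )
#include <stdlib.h>
#endif

#include "pyevtx_libcerror.h"
#include "pyevtx_libevtx.h"
#include "pyevtx_python.h"
#include "pyevtx_strings.h"

/* Sequence protocol table: only len() and read access by index are set,
 * every assigning or concatenating slot is left at 0
 */
PySequenceMethods pyevtx_strings_sequence_methods = {
	/* sq_length */         (lenfunc) pyevtx_strings_len,
	/* sq_concat */         0,
	/* sq_repeat */         0,
	/* sq_item */           (ssizeargfunc) pyevtx_strings_getitem,
	/* sq_slice */          0,
	/* sq_ass_item */       0,
	/* sq_ass_slice */      0,
	/* sq_contains */       0,
	/* sq_inplace_concat */ 0,
	/* sq_inplace_repeat */ 0
};

/* Type object of pyevtx.strings
 * The same object serves as sequence (tp_as_sequence) and as its own
 * iterator (tp_iter, tp_iternext)
 */
PyTypeObject pyevtx_strings_type_object = {
	PyVarObject_HEAD_INIT( NULL, 0 )

	/* tp_name */           "pyevtx.strings",
	/* tp_basicsize */      sizeof( pyevtx_strings_t ),
	/* tp_itemsize */       0,
	/* tp_dealloc */        (destructor) pyevtx_strings_free,
	/* tp_print */          0,
	/* tp_getattr */        0,
	/* tp_setattr */        0,
	/* tp_compare */        0,
	/* tp_repr */           0,
	/* tp_as_number */      0,
	/* tp_as_sequence */    &pyevtx_strings_sequence_methods,
	/* tp_as_mapping */     0,
	/* tp_hash */           0,
	/* tp_call */           0,
	/* tp_str */            0,
	/* tp_getattro */       0,
	/* tp_setattro */       0,
	/* tp_as_buffer */      0,
	/* tp_flags */          Py_TPFLAGS_DEFAULT | Py_TPFLAGS_HAVE_ITER,
	/* tp_doc */            "pyevtx sequence and iterator object of strings",
	/* tp_traverse */       0,
	/* tp_clear */          0,
	/* tp_richcompare */    0,
	/* tp_weaklistoffset */ 0,
	/* tp_iter */           (getiterfunc) pyevtx_strings_iter,
	/* tp_iternext */       (iternextfunc) pyevtx_strings_iternext,
	/* tp_methods */        0,
	/* tp_members */        0,
	/* tp_getset */         0,
	/* tp_base */           0,
	/* tp_dict */           0,
	/* tp_descr_get */      0,
	/* tp_descr_set */      0,
	/* tp_dictoffset */     0,
	/* tp_init */           (initproc) pyevtx_strings_init,
	/* tp_alloc */          0,
	/* tp_new */            0,
	/* tp_free */           0,
	/* tp_is_gc */          0,
	/* tp_bases */          NULL,
	/* tp_mro */            NULL,
	/* tp_cache */          NULL,
	/* tp_subclasses */     NULL,
	/* tp_weaklist */       NULL,
	/* tp_del */            0
};

/* Creates a new strings sequence and iterator object
 *
 * A new reference on parent_object is taken and held until
 * pyevtx_strings_free releases it, so the parent outlives the sequence
 * number_of_items is stored as given, a negative value is not rejected
 * here but by pyevtx_strings_getitem and pyevtx_strings_iternext
 *
 * Returns a Python object if successful or NULL on error
 */
PyObject *pyevtx_strings_new(
           PyObject *parent_object,
           PyObject* (*get_item_by_index)(
                        PyObject *parent_object,
                        int index ),
           int number_of_items )
{
	pyevtx_strings_t *sequence_object = NULL;
	static char *function             = "pyevtx_strings_new";

	if( parent_object == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid parent object.",
		 function );

		return( NULL );
	}
	if( get_item_by_index == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid get item by index function.",
		 function );

		return( NULL );
	}
	/* Make sure the strings values are initialized
	 */
	sequence_object = PyObject_New(
	                   struct pyevtx_strings,
	                   &pyevtx_strings_type_object );

	if( sequence_object == NULL )
	{
		PyErr_Format(
		 PyExc_MemoryError,
		 "%s: unable to create sequence object.",
		 function );

		goto on_error;
	}
	sequence_object->parent_object     = parent_object;
	sequence_object->get_item_by_index = get_item_by_index;
	sequence_object->current_index     = 0;
	sequence_object->number_of_items   = number_of_items;

	/* Keep the parent alive for as long as the sequence refers to it
	 */
	Py_IncRef(
	 (PyObject *) sequence_object->parent_object );

	return( (PyObject *) sequence_object );

on_error:
	if( sequence_object != NULL )
	{
		Py_DecRef(
		 (PyObject *) sequence_object );
	}
	return( NULL );
}

/* Initializes a strings sequence and iterator object
 *
 * Direct initialization is not supported: the values are reset and
 * NotImplementedError is raised in every case where sequence_object is set
 * NOTE(review): parent_object is overwritten without releasing a reference,
 * confirm this is never reached for an object made by pyevtx_strings_new
 *
 * Returns 0 if successful or -1 on error
 */
int pyevtx_strings_init(
     pyevtx_strings_t *sequence_object )
{
	static char *function = "pyevtx_strings_init";

	if( sequence_object == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid sequence object.",
		 function );

		return( -1 );
	}
	/* Make sure the strings values are initialized
	 */
	sequence_object->parent_object     = NULL;
	sequence_object->get_item_by_index = NULL;
	sequence_object->current_index     = 0;
	sequence_object->number_of_items   = 0;

	PyErr_Format(
	 PyExc_NotImplementedError,
	 "%s: initialize of strings not supported.",
	 function );

	return( -1 );
}

/* Frees a strings sequence object
 *
 * Releases the reference on the parent object and hands the memory back
 * through the tp_free of the object's type
 * NOTE(review): the early returns leave the object allocated and the parent
 * reference held, and set an exception from within the deallocator
 */
void pyevtx_strings_free(
      pyevtx_strings_t *sequence_object )
{
	struct _typeobject *ob_type = NULL;
	static char *function       = "pyevtx_strings_free";

	if( sequence_object == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid sequence object.",
		 function );

		return;
	}
	ob_type = Py_TYPE(
	           sequence_object );

	if( ob_type == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: missing ob_type.",
		 function );

		return;
	}
	if( ob_type->tp_free == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid ob_type - missing tp_free.",
		 function );

		return;
	}
	if( sequence_object->parent_object != NULL )
	{
		Py_DecRef(
		 (PyObject *) sequence_object->parent_object );
	}
	ob_type->tp_free(
	 (PyObject*) sequence_object );
}

/* The strings len() function
 * Returns the stored number of items or -1 on error
 */
Py_ssize_t pyevtx_strings_len(
            pyevtx_strings_t *sequence_object )
{
	static char *function = "pyevtx_strings_len";

	if( sequence_object == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid sequence object.",
		 function );

		return( -1 );
	}
	return( (Py_ssize_t) sequence_object->number_of_items );
}

/* The strings getitem() function
 *
 * The index is checked against [ 0, number_of_items ) before the callback
 * is invoked, an index outside that range raises ValueError
 * Returns the object the callback returned or NULL on error
 */
PyObject *pyevtx_strings_getitem(
           pyevtx_strings_t *sequence_object,
           Py_ssize_t item_index )
{
	PyObject *string_object = NULL;
	static char *function   = "pyevtx_strings_getitem";

	if( sequence_object == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid sequence object.",
		 function );

		return( NULL );
	}
	if( sequence_object->get_item_by_index == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid sequence object - missing get item by index function.",
		 function );

		return( NULL );
	}
	if( sequence_object->number_of_items < 0 )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid sequence object - invalid number of items.",
		 function );

		return( NULL );
	}
	if( ( item_index < 0 )
	 || ( item_index >= (Py_ssize_t) sequence_object->number_of_items ) )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid item index value out of bounds.",
		 function );

		return( NULL );
	}
	/* The cast to int cannot truncate: item_index was checked above to be
	 * smaller than number_of_items, which is itself an int
	 */
	string_object = sequence_object->get_item_by_index(
	                 sequence_object->parent_object,
	                 (int) item_index );

	return( string_object );
}

/* The strings iter() function
 * Returns the sequence object itself with a new reference or NULL on error
 */
PyObject *pyevtx_strings_iter(
           pyevtx_strings_t *sequence_object )
{
	static char *function = "pyevtx_strings_iter";

	if( sequence_object == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid sequence object.",
		 function );

		return( NULL );
	}
	Py_IncRef(
	 (PyObject *) sequence_object );

	return( (PyObject *) sequence_object );
}

/* The strings iternext() function
 *
 * Raises StopIteration once current_index reaches number_of_items
 * current_index only advances when the callback returned an object, so a
 * failed item is requested again by the next call
 * Returns the object the callback returned or NULL on error or end
 */
PyObject *pyevtx_strings_iternext(
           pyevtx_strings_t *sequence_object )
{
	PyObject *string_object = NULL;
	static char *function   = "pyevtx_strings_iternext";

	if( sequence_object == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid sequence object.",
		 function );

		return( NULL );
	}
	if( sequence_object->get_item_by_index == NULL )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid sequence object - missing get item by index function.",
		 function );

		return( NULL );
	}
	if( sequence_object->current_index < 0 )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid sequence object - invalid current index.",
		 function );

		return( NULL );
	}
	if( sequence_object->number_of_items < 0 )
	{
		PyErr_Format(
		 PyExc_ValueError,
		 "%s: invalid sequence object - invalid number of items.",
		 function );

		return( NULL );
	}
	if( sequence_object->current_index >= sequence_object->number_of_items )
	{
		PyErr_SetNone(
		 PyExc_StopIteration );

		return( NULL );
	}
	string_object = sequence_object->get_item_by_index(
	                 sequence_object->parent_object,
	                 sequence_object->current_index );

	if( string_object != NULL )
	{
		sequence_object->current_index++;
	}
	return( string_object );
}
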
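================================================
FILE: pyevtx/pyevtx_strings.h
================================================
/*
 * Python object definition of the sequence and iterator object of strings
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see .
 */

#if !defined( _PYEVTX_STRINGS_H )
#define _PYEVTX_STRINGS_H

#include <common.h>
#include <types.h>

#include "pyevtx_libevtx.h"
#include "pyevtx_python.h"

#if defined( __cplusplus )
extern "C" {
#endif

typedef struct pyevtx_strings pyevtx_strings_t;

/* Sequence and iterator object that reads its items from a parent object
 * through a callback
 */
struct pyevtx_strings
{
	/* Python object initialization
	 */
	PyObject_HEAD

	/* The parent object
	 * pyevtx_strings_new takes a reference on it, pyevtx_strings_free
	 * releases that reference
	 */
	PyObject *parent_object;

	/* The get item by index callback function
	 */
	PyObject* (*get_item_by_index)(
	             PyObject *parent_object,
	             int index );

	/* The current index
	 * Index of the item the next pyevtx_strings_iternext call requests
	 */
	int current_index;

	/* The number of items
	 * Upper bound used by the getitem and iternext index checks
	 */
	int number_of_items;
};

extern PyTypeObject pyevtx_strings_type_object;

PyObject *pyevtx_strings_new(
           PyObject *parent_object,
           PyObject* (*get_item_by_index)(
                        PyObject *parent_object,
                        int index ),
           int number_of_items );

int pyevtx_strings_init(
     pyevtx_strings_t *sequence_object );

void pyevtx_strings_free(
      pyevtx_strings_t *sequence_object );

Py_ssize_t pyevtx_strings_len(
            pyevtx_strings_t *sequence_object );

PyObject *pyevtx_strings_getitem(
           pyevtx_strings_t *sequence_object,
           Py_ssize_t item_index );

PyObject *pyevtx_strings_iter(
           pyevtx_strings_t *sequence_object );

PyObject *pyevtx_strings_iternext(
           pyevtx_strings_t *sequence_object );

#if defined( __cplusplus )
}
#endif

#endif /* !defined( _PYEVTX_STRINGS_H ) */

================================================
FILE: pyevtx/pyevtx_unused.h
================================================
/*
 * Definitions to silence compiler warnings about unused function attributes/parameters.
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see .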
*/ #if !defined( _PYEVTX_UNUSED_H ) #define _PYEVTX_UNUSED_H #include #if !defined( PYEVTX_ATTRIBUTE_UNUSED ) #if defined( __GNUC__ ) && __GNUC__ >= 3 #define PYEVTX_ATTRIBUTE_UNUSED __attribute__ ((__unused__)) #else #define PYEVTX_ATTRIBUTE_UNUSED #endif #endif #if defined( _MSC_VER ) #define PYEVTX_UNREFERENCED_PARAMETER( parameter ) \ UNREFERENCED_PARAMETER( parameter ); #else #define PYEVTX_UNREFERENCED_PARAMETER( parameter ) \ /* parameter */ #endif #endif /* !defined( _PYEVTX_UNUSED_H ) */ ================================================ FILE: pyproject.toml ================================================ [build-system] requires = ["setuptools", "wheel"] build-backend = "setuptools.build_meta" ================================================ FILE: runtests.ps1 ================================================ # Script that runs the tests # # Version: 20220103 $ExitSuccess = 0 $ExitFailure = 1 $ExitIgnore = 77 Set-Location -Path "tests" $Result = ${ExitSuccess} $Lines = Get-Content "Makefile.am" $InTests = $FALSE Foreach (${Line} in ${Lines}) { If (${InTests}) { If (-Not ${Line}) { ${InTests} = $FALSE Continue } ${Line} = ${Line}.TrimStart() If (${Line}.EndsWith(" \")) { ${Line} = ${Line}.Substring(0, ${Line}.Length - 2) } If (-Not (${Line}.EndsWith(".sh"))) { Continue } ${Line} = ${Line}.Substring(0, ${Line}.Length - 3) ${Line} = ".\${Line}.ps1" Try { Invoke-Expression ${Line} } Catch { $LastExitCode = ${ExitIgnore} } If (${LastExitCode} -eq ${ExitFailure}) { $Result = ${ExitFailure} Write-Host "FAIL" -foreground Red -nonewline } ElseIf (${LastExitCode} -eq ${ExitIgnore}) { Write-Host "SKIP" -foreground Cyan -nonewline } Else { Write-Host "PASS" -foreground Green -nonewline } Write-Host ": ${Line}" } ElseIf (${Line}.StartsWith("TESTS = ")) { ${InTests} = $TRUE } } Set-Location -Path ".." 
Exit ${Result}

================================================
FILE: runtests.sh
================================================
#!/usr/bin/env bash
# Script that runs the tests
#
# Version: 20231119

EXIT_SUCCESS=0;
EXIT_FAILURE=1;

# Runs "./configure", "make clean" and "make" with the given options.
# The options arrive as one string and are expanded unquoted on purpose, so
# that the shell splits them into separate arguments for ./configure.
# Returns the exit status of the first step that failed, otherwise 0.
run_configure_make()
{
	local CONFIGURE_OPTIONS=$@;

	./configure ${CONFIGURE_OPTIONS[@]};
	RESULT=$?;

	if test ${RESULT} -ne ${EXIT_SUCCESS};
	then
		echo "Running: './configure' failed";

		return ${RESULT};
	fi

	make clean > /dev/null;
	RESULT=$?;

	if test ${RESULT} -ne ${EXIT_SUCCESS};
	then
		echo "Running: 'make clean' failed";

		return ${RESULT};
	fi

	make > /dev/null;
	RESULT=$?;

	if test ${RESULT} -ne ${EXIT_SUCCESS};
	then
		echo "Running: 'make' failed";

		return ${RESULT};
	fi
	return ${EXIT_SUCCESS};
}

# Builds with run_configure_make and then runs "make check".
# On a failed check the test suite log is printed when it exists.
run_configure_make_check()
{
	run_configure_make $@;
	RESULT=$?;

	if test ${RESULT} -ne ${EXIT_SUCCESS};
	then
		return ${RESULT};
	fi

	make check CHECK_WITH_STDERR=1;
	RESULT=$?;

	if test ${RESULT} -ne ${EXIT_SUCCESS};
	then
		echo "Running: 'make check' failed";

		if test -f tests/test-suite.log;
		then
			cat tests/test-suite.log;
		fi

		return ${RESULT};
	fi
	return ${EXIT_SUCCESS};
}

# Builds and runs "make check" with AddressSanitizer enabled.
# When ldconfig or libasan cannot be found the function returns success
# without building anything, so a passing run does not by itself show that
# the sanitizer build was exercised.
run_configure_make_check_with_asan()
{
	local LDCONFIG=`which ldconfig 2> /dev/null`;

	# NOTE(review): the unquoted operands rely on "test -z" with no operand
	# evaluating to true when the variable is empty; a path containing
	# whitespace would split into several words.
	if test -z ${LDCONFIG} || test ! -x ${LDCONFIG};
	then
		return ${EXIT_SUCCESS};
	fi
	local LIBASAN=`ldconfig -p | grep libasan | sed 's/^.* => //' | sort | tail -n 1`;

	if test -z ${LIBASAN} || test ! -f ${LIBASAN};
	then
		return ${EXIT_SUCCESS};
	fi

	# Using libasan is platform dependent.
	export CPPFLAGS="-DHAVE_ASAN";
	export CFLAGS="-fno-omit-frame-pointer -fsanitize=address -g";
	export LDFLAGS="-fsanitize=address -g";

	# -lasan is added for every compiler except clang.
	if test -z ${CC} || test ${CC} != "clang";
	then
		LDFLAGS="${LDFLAGS} -lasan";
	fi

	run_configure_make $@;
	RESULT=$?;

	# Clear the sanitizer flags so later builds are not affected.
	export CPPFLAGS=;
	export CFLAGS=;
	export LDFLAGS=;

	if test ${RESULT} -ne ${EXIT_SUCCESS};
	then
		return ${RESULT};
	fi

	make check CHECK_WITH_ASAN=1 CHECK_WITH_STDERR=1;
	RESULT=$?;

	if test ${RESULT} -ne ${EXIT_SUCCESS};
	then
		echo "Running: 'make check' failed";

		if test -f tests/test-suite.log;
		then
			cat tests/test-suite.log;
		fi

		return ${RESULT};
	fi
	return ${RESULT};
}

# Builds and runs "make check" with coverage instrumentation.
run_configure_make_check_with_coverage()
{
	# Disable optimization so we can hook malloc and realloc.
	export CPPFLAGS="-DOPTIMIZATION_DISABLED";
	export CFLAGS="--coverage -O0";
	export LDFLAGS="--coverage";

	# Disable creating a shared library so we can hook memset.
	run_configure_make_check $@;
	RESULT=$?;

	export CPPFLAGS=;
	export CFLAGS=;
	export LDFLAGS=;

	return ${RESULT};
}

# Builds and runs "make check" for the Python bindings only, the library and
# tools tests are skipped.
run_configure_make_check_python()
{
	run_configure_make $@;
	RESULT=$?;

	if test ${RESULT} -ne ${EXIT_SUCCESS};
	then
		return ${RESULT};
	fi

	make check CHECK_WITH_STDERR=1 SKIP_LIBRARY_TESTS=1 SKIP_TOOLS_TESTS=1;
	RESULT=$?;

	if test ${RESULT} -ne ${EXIT_SUCCESS};
	then
		echo "Running: 'make check' failed";

		if test -f tests/test-suite.log;
		then
			cat tests/test-suite.log;
		fi

		return ${RESULT};
	fi
	return ${EXIT_SUCCESS};
}

# Runs "setup.py build" with the Python interpreter given as first argument.
# NOTE(review): the caller passes the output of "which python", which can be
# empty; ${PYTHON} then expands to nothing and "setup.py" itself is looked up
# as the command - confirm whether an empty interpreter should be rejected.
run_setup_py_tests()
{
	# Skip this test when running Cygwin on AppVeyor.
	if test -n "${APPVEYOR}" && test ${TARGET} = "cygwin";
	then
		echo "Running: 'setup.py build' skipped";

		return ${EXIT_SUCCESS};
	fi

	PYTHON=$1;

	${PYTHON} setup.py build;
	RESULT=$?;

	if test ${RESULT} -ne ${EXIT_SUCCESS};
	then
		echo "Running: 'setup.py build' failed";

		return ${RESULT};
	fi
	return ${EXIT_SUCCESS};
}

PROJECT_NAME=`basename $PWD`;

# Each HAVE_* variable holds the grep exit status: 0 means ./configure
# advertises the option in its --help output.
CONFIGURE_HELP=`./configure --help`;

echo "${CONFIGURE_HELP}" | grep -- '--enable-wide-character-type' > /dev/null;

HAVE_ENABLE_WIDE_CHARACTER_TYPE=$?;

echo "${CONFIGURE_HELP}" | grep -- '--enable-verbose-output' > /dev/null;

HAVE_ENABLE_VERBOSE_OUTPUT=$?;

echo "${CONFIGURE_HELP}" | grep -- '--enable-debug-output' > /dev/null;

HAVE_ENABLE_DEBUG_OUTPUT=$?;

echo "${CONFIGURE_HELP}" | grep -- '--with-bzip2' > /dev/null;

HAVE_WITH_BZIP2=$?;

echo "${CONFIGURE_HELP}" | grep -- '--with-libfuse' > /dev/null;

HAVE_WITH_LIBFUSE=$?;

echo "${CONFIGURE_HELP}" | grep -- '--with-lzma' > /dev/null;

HAVE_WITH_LZMA=$?;

echo "${CONFIGURE_HELP}" | grep -- '--with-pthread' > /dev/null;

HAVE_WITH_PTHREAD=$?;

echo "${CONFIGURE_HELP}" | grep -- '--with-openssl' > /dev/null;

HAVE_WITH_OPENSSL=$?;

echo "${CONFIGURE_HELP}" | grep -- '--with-zlib' > /dev/null;

HAVE_WITH_ZLIB=$?;

echo "${CONFIGURE_HELP}" | grep -- '--enable-python' > /dev/null;

HAVE_ENABLE_PYTHON=$?;

echo "${CONFIGURE_HELP}" | grep -- '--enable-static-executables' > /dev/null;

HAVE_ENABLE_STATIC_EXECUTABLES=$?;

PYTHON_CONFIG="";

if test -x /usr/bin/whereis;
then
	PYTHON_CONFIG=`/usr/bin/whereis python-config | sed 's/^.*:[ ]*//' 2> /dev/null`;
fi

# Test "./configure && make && make check" without options.

run_configure_make_check;
RESULT=$?;

if test ${RESULT} -ne ${EXIT_SUCCESS};
then
	exit ${EXIT_FAILURE};
fi

if test ${HAVE_ENABLE_VERBOSE_OUTPUT} -eq 0 && test ${HAVE_ENABLE_DEBUG_OUTPUT} -eq 0;
then
	# Test "./configure && make && make check" with verbose and debug output.

	run_configure_make_check "--enable-verbose-output --enable-debug-output";
	RESULT=$?;

	if test ${RESULT} -ne ${EXIT_SUCCESS};
	then
		exit ${EXIT_FAILURE};
	fi
fi

if test ${HAVE_WITH_PTHREAD} -eq 0 && test ${PROJECT_NAME} != "libcthreads";
then
	# Test "./configure && make && make check" without multi-threading support.

	run_configure_make_check "--with-pthread=no";
	RESULT=$?;

	if test ${RESULT} -ne ${EXIT_SUCCESS};
	then
		exit ${EXIT_FAILURE};
	fi
fi

if test ${HAVE_WITH_ZLIB} -eq 0;
then
	# Test "./configure && make && make check" with fallback zlib implementation.

	run_configure_make_check "--with-zlib=no";
	RESULT=$?;

	if test ${RESULT} -ne ${EXIT_SUCCESS};
	then
		exit ${EXIT_FAILURE};
	fi
fi

if test ${HAVE_WITH_OPENSSL} -eq 0;
then
	# Test "./configure && make && make check" with fallback crypto implementation.

	run_configure_make_check "--with-openssl=no";
	RESULT=$?;

	if test ${RESULT} -ne ${EXIT_SUCCESS};
	then
		exit ${EXIT_FAILURE};
	fi

	# Test "./configure && make && make check" with OpenSSL non-EVP implementation.

	run_configure_make_check "--enable-openssl-evp-cipher=no --enable-openssl-evp-md=no";
	RESULT=$?;

	if test ${RESULT} -ne ${EXIT_SUCCESS};
	then
		exit ${EXIT_FAILURE};
	fi

	# Test "./configure && make && make check" with OpenSSL EVP implementation.

	run_configure_make_check "--enable-openssl-evp-cipher=yes --enable-openssl-evp-md=yes";
	RESULT=$?;

	if test ${RESULT} -ne ${EXIT_SUCCESS};
	then
		exit ${EXIT_FAILURE};
	fi
fi

if test ${HAVE_ENABLE_PYTHON} -eq 0 && test -n "${PYTHON_CONFIG}";
then
	run_configure_make_check_python "--enable-python";
	RESULT=$?;

	if test ${RESULT} -ne ${EXIT_SUCCESS};
	then
		exit ${EXIT_FAILURE};
	fi

	PYTHON=`which python 2> /dev/null`;

	if test -f "setup.py" && ! run_setup_py_tests ${PYTHON};
	then
		exit ${EXIT_FAILURE};
	fi
fi

if test ${HAVE_ENABLE_STATIC_EXECUTABLES} -eq 0;
then
	CONFIGURE_OPTIONS="--enable-static-executables --enable-multi-threading-support=no";

	if test ${HAVE_WITH_BZIP2} -eq 0;
	then
		CONFIGURE_OPTIONS="${CONFIGURE_OPTIONS} --with-bzip2=no";
	fi
	if test ${HAVE_WITH_LIBFUSE} -eq 0;
	then
		CONFIGURE_OPTIONS="${CONFIGURE_OPTIONS} --with-libfuse=no";
	fi
	if test ${HAVE_WITH_LZMA} -eq 0;
	then
		CONFIGURE_OPTIONS="${CONFIGURE_OPTIONS} --with-lzma=no";
	fi
	if test ${HAVE_WITH_OPENSSL} -eq 0;
	then
		CONFIGURE_OPTIONS="${CONFIGURE_OPTIONS} --with-openssl=no";
	fi
	if test ${HAVE_WITH_ZLIB} -eq 0;
	then
		CONFIGURE_OPTIONS="${CONFIGURE_OPTIONS} --with-zlib=no";
	fi

	run_configure_make_check ${CONFIGURE_OPTIONS};
	RESULT=$?;

	if test ${RESULT} -ne ${EXIT_SUCCESS};
	then
		exit ${EXIT_FAILURE};
	fi
fi

# Run tests with asan.

CONFIGURE_OPTIONS="";

if test ${HAVE_ENABLE_WIDE_CHARACTER_TYPE} -eq 0;
then
	CONFIGURE_OPTIONS="${CONFIGURE_OPTIONS} --enable-wide-character-type";
fi
if test ${HAVE_WITH_BZIP2} -eq 0;
then
	CONFIGURE_OPTIONS="${CONFIGURE_OPTIONS} --with-bzip2=no";
fi
if test ${HAVE_WITH_LZMA} -eq 0;
then
	CONFIGURE_OPTIONS="${CONFIGURE_OPTIONS} --with-lzma=no";
fi
if test ${HAVE_WITH_OPENSSL} -eq 0;
then
	CONFIGURE_OPTIONS="${CONFIGURE_OPTIONS} --with-openssl=no";
fi
if test ${HAVE_WITH_ZLIB} -eq 0;
then
	CONFIGURE_OPTIONS="${CONFIGURE_OPTIONS} --with-zlib=no";
fi
# The Python bindings are left out of the sanitizer run: the --enable-python
# line below is commented out and the remaining assignment changes nothing.
if test ${HAVE_ENABLE_PYTHON} -eq 0 && test -n "${PYTHON_CONFIG}";
then
	# Issue with running the python bindings with asan disabled for now.
	# CONFIGURE_OPTIONS="${CONFIGURE_OPTIONS} --enable-python";
	CONFIGURE_OPTIONS="${CONFIGURE_OPTIONS}";
fi

run_configure_make_check_with_asan ${CONFIGURE_OPTIONS};
RESULT=$?;

if test ${RESULT} -ne ${EXIT_SUCCESS};
then
	exit ${EXIT_FAILURE};
fi

# Run tests with coverage.

CONFIGURE_OPTIONS="--enable-shared=no";

if test ${HAVE_ENABLE_WIDE_CHARACTER_TYPE} -eq 0;
then
	CONFIGURE_OPTIONS="${CONFIGURE_OPTIONS} --enable-wide-character-type";
fi
if test ${HAVE_WITH_BZIP2} -eq 0;
then
	CONFIGURE_OPTIONS="${CONFIGURE_OPTIONS} --with-bzip2=no";
fi
if test ${HAVE_WITH_LZMA} -eq 0;
then
	CONFIGURE_OPTIONS="${CONFIGURE_OPTIONS} --with-lzma=no";
fi
if test ${HAVE_WITH_OPENSSL} -eq 0;
then
	CONFIGURE_OPTIONS="${CONFIGURE_OPTIONS} --with-openssl=no";
fi
if test ${HAVE_WITH_ZLIB} -eq 0;
then
	CONFIGURE_OPTIONS="${CONFIGURE_OPTIONS} --with-zlib=no";
fi

run_configure_make_check_with_coverage ${CONFIGURE_OPTIONS};
RESULT=$?;

if test ${RESULT} -ne ${EXIT_SUCCESS};
then
	exit ${EXIT_FAILURE};
fi

exit ${EXIT_SUCCESS};

================================================
FILE: setup.cfg.in
================================================
[metadata]
name = libevtx-python
version = @VERSION@
description = Python bindings module for libevtx
long_description = Python bindings module for libevtx
long_description_content_type = text/plain
author = Joachim Metz
author_email = joachim.metz@gmail.com
license = GNU Lesser General Public License v3 or later (LGPLv3+)
license_files = COPYING*
classifiers =
  Development Status :: 3 - Alpha
  Programming Language :: Python

[options]
python_requires = >=3.10

================================================
FILE: setup.py
================================================
#!/usr/bin/env python
#
# Script to build and install Python-bindings.
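# Version: 20251125

import copy
import datetime
import glob
import gzip
import platform
import os
import shlex
import shutil
import subprocess
import sys
import tarfile
import zipfile

from setuptools import Extension
from setuptools import setup
from setuptools._distutils.ccompiler import new_compiler
from setuptools.command.build_ext import build_ext
from setuptools.command.sdist import sdist


# NOTE(review): setup.cfg.in in this repository declares python_requires
# >=3.10, so this guard accepts interpreters the packaging metadata rejects.
if (sys.version_info[0], sys.version_info[1]) < (3, 7):
  print(("Unsupported Python version: {0:s}, version 3.7 or higher "
         "required.").format(sys.version))
  sys.exit(1)


class custom_build_ext(build_ext):
  """Custom handler for the build_ext command."""

  def _RunCommand(self, command):
    """Runs a command without a shell and returns its standard output.

    Args:
      command (str): command line, split into arguments with shlex.split().

    Returns:
      str: standard output of the command.

    Raises:
      RuntimeError: if the command exits with a non-zero return code. The
          message carries the last 5 lines of standard error.
    """
    arguments = shlex.split(command)
    # An argument list is passed and shell is not set, so no shell parses the
    # command line. Popen raises on failure to start the process, it never
    # returns a false value, hence no check on the returned object.
    process = subprocess.Popen(
        arguments, stderr=subprocess.PIPE, stdout=subprocess.PIPE,
        universal_newlines=True)

    output, error = process.communicate()
    if process.returncode != 0:
      error = "\n".join(error.split("\n")[-5:])
      raise RuntimeError("Running: {0:s} failed with error:\n{1:s}.".format(
          command, error))

    return output

  def build_extensions(self):
    """Set up the build extensions."""
    # TODO: move build customization here?
    build_ext.build_extensions(self)

  def run(self):
    """Runs the build extension.

    With an MSVC compiler only preprocessor definitions are set. With any
    other compiler the configure script in the current directory is run
    first and its output is printed from the "configure:" line onwards.

    Raises:
      RuntimeError: if the configure script fails.
    """
    compiler = new_compiler(compiler=self.compiler)
    if compiler.compiler_type == "msvc":
      self.define = [
          ("_CRT_SECURE_NO_WARNINGS", ""),
          ("UNICODE", ""),
      ]

    else:
      command = "sh configure --disable-nls --disable-shared-libs"
      output = self._RunCommand(command)

      print_line = False
      for line in output.split("\n"):
        line = line.rstrip()
        if line == "configure:":
          print_line = True

        if print_line:
          print(line)

      self.define = [
          ("HAVE_CONFIG_H", ""),
      ]

    build_ext.run(self)


class custom_sdist(sdist):
  """Custom handler for the sdist command."""

  def run(self):
    """Builds a source distribution (sdist) package.

    Runs "make dist", renames the resulting tarball to <prefix>_python-<rest>
    inside the distribution directory, adds a PKG-INFO file to it and, for the
    zip format, converts the tarball into a ZIP file.

    Raises:
      RuntimeError: if "make dist" fails or does not leave a *.tar.gz file in
          the current directory.
      SystemExit: if the requested format is not gztar or zip, or if a
          *.tar.gz file already exists in the current directory.
    """
    if self.formats != ["gztar"] and self.formats != ["zip"]:
      print("'setup.py sdist' unsupported format.")
      sys.exit(1)

    # A stale tarball would be indistinguishable from the one make creates.
    if glob.glob("*.tar.gz"):
      print("'setup.py sdist' remove existing *.tar.gz files from "
            "source directory.")
      sys.exit(1)

    # The command is a fixed string; keep it that way while shell=True is
    # used, since the shell would interpret anything interpolated into it.
    command = "make dist"
    exit_code = subprocess.call(command, shell=True)
    if exit_code != 0:
      raise RuntimeError("Running: {0:s} failed.".format(command))

    if not os.path.exists(self.dist_dir):
      os.mkdir(self.dist_dir)

    source_package_files = glob.glob("*.tar.gz")
    if not source_package_files:
      # Report the missing tarball instead of failing with an IndexError.
      raise RuntimeError(
          "Running: {0:s} did not create a *.tar.gz file.".format(command))

    source_package_file = source_package_files[0]
    source_package_prefix, _, source_package_suffix = (
        source_package_file.partition("-"))
    sdist_package_file = "{0:s}_python-{1:s}".format(
        source_package_prefix, source_package_suffix)
    sdist_package_file = os.path.join(self.dist_dir, sdist_package_file)
    os.rename(source_package_file, sdist_package_file)

    # Path of the uncompressed tarball: the name without the ".gz" suffix.
    tar_package_file = sdist_package_file[:-3]

    # Create and add the PKG-INFO file to the source package.
    with gzip.open(sdist_package_file, "rb") as input_file:
      with open(tar_package_file, "wb") as output_file:
        shutil.copyfileobj(input_file, output_file)
    os.remove(sdist_package_file)

    self.distribution.metadata.write_pkg_info(".")
    # [:-7] removes the ".tar.gz" suffix to get the top-level directory name.
    pkg_info_path = "{0:s}-{1:s}/PKG-INFO".format(
        source_package_prefix, source_package_suffix[:-7])
    with tarfile.open(tar_package_file, "a:") as tar_file:
      tar_file.add("PKG-INFO", arcname=pkg_info_path)
    os.remove("PKG-INFO")

    with open(tar_package_file, "rb") as input_file:
      with gzip.open(sdist_package_file, "wb") as output_file:
        shutil.copyfileobj(input_file, output_file)
    os.remove(tar_package_file)

    # Convert the .tar.gz into a .zip
    if self.formats == ["zip"]:
      zip_sdist_package_file = "{0:s}.zip".format(sdist_package_file[:-7])

      with tarfile.open(sdist_package_file, "r|gz") as tar_file:
        with zipfile.ZipFile(
            zip_sdist_package_file, "w", zipfile.ZIP_DEFLATED) as zip_file:
          for tar_file_entry in tar_file:
            # Only regular files are copied. Checking before extractfile()
            # avoids resolving link entries on a stream-mode archive.
            if not tar_file_entry.isfile():
              continue

            file_entry = tar_file.extractfile(tar_file_entry)

            modification_time = datetime.datetime.fromtimestamp(
                tar_file_entry.mtime)
            zip_modification_time = (
                modification_time.year, modification_time.month,
                modification_time.day, modification_time.hour,
                modification_time.minute, modification_time.second)

            zip_info = zipfile.ZipInfo(
                date_time=zip_modification_time,
                filename=tar_file_entry.name)
            # The upper 16 bits of external_attr hold the Unix mode. Keep the
            # 9 permission bits: a 0xff mask would drop the owner read bit
            # (0o400). Set-id and sticky bits are not carried over.
            zip_info.external_attr = (tar_file_entry.mode & 0o777) << 16

            file_data = file_entry.read()
            zip_file.writestr(zip_info, file_data)

      os.remove(sdist_package_file)
      sdist_package_file = zip_sdist_package_file

    # Inform setuptools what files were created.
    dist_files = getattr(self.distribution, "dist_files", [])
    dist_files.append(("sdist", "", sdist_package_file))


class ProjectInformation(object):
  """Project information.

  Attributes are filled by reading configure.ac and Makefile.am from the
  current directory when the object is created.
  """

  def __init__(self):
    """Initializes project information.

    Raises:
      RuntimeError: if configure.ac or Makefile.am do not provide the
          expected values.
    """
    super(ProjectInformation, self).__init__()
    # Names listed after the SUBDIRS line of Makefile.am.
    self.include_directories = []
    # Library name read from configure.ac.
    self.library_name = None
    # Subset of include_directories that starts with "lib".
    self.library_names = []
    # Library version read from configure.ac.
    self.library_version = None

    self._ReadConfigureAc()
    self._ReadMakefileAm()

  @property
  def module_name(self):
    """The Python module name: "py" plus the library name without its first
    3 characters."""
    return "py{0:s}".format(self.library_name[3:])

  def _ReadConfigureAc(self):
    """Reads configure.ac to initialize the project information.

    The line after the first one starting with AC_INIT is taken as the
    library name and the line after that as the library version. Of each of
    those two lines the first character and the last two characters are
    dropped.

    Raises:
      RuntimeError: if the library name or version is missing.
    """
    with open("configure.ac", "r", encoding="utf-8") as file_object:
      found_ac_init = False
      found_library_name = False
      for line in file_object.readlines():
        line = line.strip()
        if found_library_name:
          library_version = line[1:-2]
          self.library_version = library_version
          break

        elif found_ac_init:
          library_name = line[1:-2]
          self.library_name = library_name
          found_library_name = True

        elif line.startswith("AC_INIT"):
          found_ac_init = True

    if not self.library_name or not self.library_version:
      raise RuntimeError(
          "Unable to find library name and version in: configure.ac")

  def _ReadMakefileAm(self):
    """Reads Makefile.am to initialize the project information.

    Every line after the one starting with SUBDIRS contributes its first
    space-separated word as an include directory, and as a library name when
    that word starts with "lib". Reading stops at the project's own library.

    Raises:
      RuntimeError: if the library name is not set or if no include
          directories or library names were found.
    """
    if not self.library_name:
      raise RuntimeError("Missing library name")

    with open("Makefile.am", "r", encoding="utf-8") as file_object:
      found_subdirs = False
      for line in file_object.readlines():
        line = line.strip()
        if found_subdirs:
          library_name, _, _ = line.partition(" ")

          self.include_directories.append(library_name)

          if library_name.startswith("lib"):
            self.library_names.append(library_name)

          if library_name == self.library_name:
            break

        elif line.startswith("SUBDIRS"):
          found_subdirs = True

    if not self.include_directories or not self.library_names:
      raise RuntimeError(
          "Unable to find include directories and library names in: "
          "Makefile.am")


# Reads configure.ac and Makefile.am at import time.
project_information = ProjectInformation()

CMDCLASS = {
    "build_ext": custom_build_ext,
    "sdist": custom_sdist}

SOURCES = []

# TODO: replace by detection of MSC
DEFINE_MACROS = []
if platform.system() == "Windows":
  DEFINE_MACROS.append(("WINVER", "0x0501"))
  # TODO: determine how to handle third party DLLs.
  for library_name in project_information.library_names:
    if library_name != project_information.library_name:
      definition = "HAVE_LOCAL_{0:s}".format(library_name.upper())

      DEFINE_MACROS.append((definition, ""))

# Put everything inside the Python module to prevent issues with finding
# shared libraries since pip does not integrate well with the system package
# management.
for library_name in project_information.library_names:
  # Every lex (.l) or yacc (.y) source needs its generated .c file, fail
  # before compiling when one is missing.
  for source_file in glob.glob(os.path.join(library_name, "*.[ly]")):
    generated_source_file = "{0:s}.c".format(source_file[:-2])
    if not os.path.exists(generated_source_file):
      raise RuntimeError("Missing generated source file: {0:s}".format(
          generated_source_file))

  source_files = glob.glob(os.path.join(library_name, "*.c"))
  SOURCES.extend(source_files)

source_files = glob.glob(os.path.join(project_information.module_name, "*.c"))
SOURCES.extend(source_files)

# TODO: find a way to detect missing python.h
# e.g.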
on Ubuntu python-dev is not installed by python-pip setup_args = dict( cmdclass=CMDCLASS, ext_modules=[ Extension( project_information.module_name, define_macros=DEFINE_MACROS, include_dirs=project_information.include_directories, libraries=[], library_dirs=[], sources=SOURCES ) ] ) setup(**setup_args) ================================================ FILE: synclibs.ps1 ================================================ # Script that synchronizes the local library dependencies # # Version: 20180125 Param ( [switch]$UseHead = $false ) $GitUrlPrefix = "https://github.com/libyal" $LocalLibs = "libbfio libcdata libcdirectory libcerror libcfile libclocale libcnotify libcpath libcsplit libcthreads libexe libfcache libfdata libfdatetime libfguid libfvalue libfwevt libfwnt libregf libuna libwrc" $LocalLibs = ${LocalLibs} -split " " $Git = "git" $WinFlex = "..\win_flex_bison\win_flex.exe" $WinBison = "..\win_flex_bison\win_bison.exe" ForEach (${LocalLib} in ${LocalLibs}) { # Split will return an array of a single empty string when LocalLibs is empty. If (-Not (${LocalLib})) { Continue } $GitUrl = "${GitUrlPrefix}/${LocalLib}.git" # PowerShell will raise NativeCommandError if git writes to stdout or stderr # therefore 2>&1 is added and the output is stored in a variable. 
$Output = Invoke-Expression -Command "${Git} clone ${GitUrl} ${LocalLib}-${pid} 2>&1" Push-Location "${LocalLib}-${pid}" Try { $Output = Invoke-Expression -Command "${Git} fetch --quiet --all --tags --prune 2>&1" $LatestTag = Invoke-Expression -Command "${Git} describe --tags --abbrev=0 2>&1" If (${LatestTag} -and -not ${UseHead}) { Write-Host "Synchronizing: ${LocalLib} from ${GitUrl} tag ${LatestTag}" $Output = Invoke-Expression -Command "${Git} checkout --quiet tags/${LatestTag} 2>&1" } Else { Write-Host "Synchronizing: ${LocalLib} from ${GitUrl} HEAD" } } Finally { Pop-Location } If (Test-Path ${LocalLib}-${pid}) { $LocalLibVersion = Get-Content -Path ${LocalLib}-${pid}\configure.ac | select -skip 4 -first 1 | % { $_ -Replace " \[","" } | % { $_ -Replace "\],","" } If (Test-Path ${LocalLib}) { Remove-Item -Path ${LocalLib} -Force -Recurse } New-Item -ItemType directory -Path ${LocalLib} -Force | Out-Null If (Test-Path ${LocalLib}) { Copy-Item -Path ${LocalLib}-${pid}\${LocalLib}\*.[chly] -Destination ${LocalLib}\ Get-Content -Path ${LocalLib}-${pid}\${LocalLib}\${LocalLib}_definitions.h.in | % { $_ -Replace "@VERSION@",${LocalLibVersion} } > ${LocalLib}\${LocalLib}_definitions.h } Remove-Item -Path ${LocalLib}-${pid} -Force -Recurse $NamePrefix = "" ForEach (${DirectoryElement} in Get-ChildItem -Path "${LocalLib}\*.l") { $OutputFile = ${DirectoryElement} -Replace ".l$",".c" $NamePrefix = Split-Path -path ${DirectoryElement} -leaf $NamePrefix = ${NamePrefix} -Replace "^${LocalLib}_","" $NamePrefix = ${NamePrefix} -Replace ".l$","_" # PowerShell will raise NativeCommandError if win_flex writes to stdout or stderr # therefore 2>&1 is added and the output is stored in a variable. $Output = Invoke-Expression -Command "& '${WinFlex}' -Cf ${DirectoryElement} 2>&1" Write-Host ${Output} # Moving manually sicne win_flex -o does not provide the expected behavior. 
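Move-Item "lex.yy.c" ${OutputFile} -force
		}
		ForEach (${DirectoryElement} in Get-ChildItem -Path "${LocalLib}\*.y")
		{
			$OutputFile = ${DirectoryElement} -Replace ".y$",".c"

			# PowerShell will raise NativeCommandError if win_bison writes to stdout or stderr
			# therefore 2>&1 is added and the output is stored in a variable.
			$Output = Invoke-Expression -Command "& '${WinBison}' -d -v -l -p ${NamePrefix} -o ${OutputFile} ${DirectoryElement} 2>&1"
			Write-Host ${Output}
		}
	}
}
================================================
FILE: synclibs.sh
================================================
#!/bin/sh
# Script that synchronizes the local library dependencies
#
# Usage: synclibs.sh [--use-head]
#
# For every library in LOCAL_LIBS the upstream repository is cloned, the
# latest tag (or HEAD with --use-head) is checked out and the sources plus an
# adjusted Makefile.am are copied into a directory named after the library.
#
# NOTE(review): a tag name or HEAD is whatever the remote resolves it to at
# sync time. Nothing in this script pins a commit or verifies a signature or
# digest of the vendored sources.
#
# Version: 20240414

EXIT_SUCCESS=0;
EXIT_FAILURE=1;

GIT_URL_PREFIX="https://github.com/libyal";
LOCAL_LIBS="libbfio libcdata libcdirectory libcerror libcfile libclocale libcnotify libcpath libcsplit libcthreads libexe libfcache libfdata libfdatetime libfguid libfvalue libfwevt libfwnt libregf libuna libwrc";

OLDIFS=$IFS;
IFS=" ";

for LOCAL_LIB in ${LOCAL_LIBS};
do
	GIT_URL="${GIT_URL_PREFIX}/${LOCAL_LIB}.git";

	# The clone goes into a directory suffixed with the PID of this shell.
	git clone --quiet ${GIT_URL} ${LOCAL_LIB}-$$;

	if ! test -d ${LOCAL_LIB}-$$;
	then
		echo "Unable to git clone: ${GIT_URL}";

		IFS=$OLDIFS;

		exit ${EXIT_FAILURE};
	fi
	(cd ${LOCAL_LIB}-$$ && git fetch --quiet --all --tags --prune)

	LATEST_TAG=`cd ${LOCAL_LIB}-$$ && git describe --tags --abbrev=0`;

	# The quotes matter: an unquoted empty value leaves "test -n" without an
	# operand, which is true, and the script would then report and try to
	# check out a tag that does not exist.
	if test -n "${LATEST_TAG}" && test "$1" != "--use-head";
	then
		echo "Synchronizing: ${LOCAL_LIB} from ${GIT_URL} tag ${LATEST_TAG}";

		(cd ${LOCAL_LIB}-$$ && git checkout --quiet tags/${LATEST_TAG});
	else
		echo "Synchronizing: ${LOCAL_LIB} from ${GIT_URL} HEAD";
	fi

	rm -rf ${LOCAL_LIB};
	mkdir ${LOCAL_LIB};

	if ! test -d ${LOCAL_LIB};
	then
		echo "Missing directory: ${LOCAL_LIB}";

		IFS=$OLDIFS;

		exit ${EXIT_FAILURE};
	fi

	LOCAL_LIB_UPPER=`echo "${LOCAL_LIB}" | tr "[a-z]" "[A-Z]"`;

	# Note that sed on FreeBSD does not support \s hence that we use [[:space:]] instead.
	LOCAL_LIB_VERSION=`grep -A 2 AC_INIT ${LOCAL_LIB}-$$/configure.ac | tail -n 1 | sed 's/^[[:space:]]*\[\([0-9]*\)\],[[:space:]]*$/\1/'`;

	# The sed above passes a line that does not match through unchanged. The
	# value comes from the cloned repository and is pasted into a sed
	# expression and into the definitions header below, so accept digits only.
	case "${LOCAL_LIB_VERSION}" in
		""|*[!0-9]*)
			echo "Unsupported version in: ${LOCAL_LIB}-$$/configure.ac";

			IFS=$OLDIFS;

			exit ${EXIT_FAILURE};
			;;
	esac

	LOCAL_LIB_MAKEFILE_AM="${LOCAL_LIB}/Makefile.am";

	cp ${LOCAL_LIB}-$$/${LOCAL_LIB}/*.[chly] ${LOCAL_LIB};
	cp ${LOCAL_LIB}-$$/${LOCAL_LIB_MAKEFILE_AM} ${LOCAL_LIB_MAKEFILE_AM};

	# Make the necessary changes to libyal/Makefile.am
	# NOTE(review): the line breaks inside the sed program below are not
	# preserved in this listing; take the multi-line text from the upstream file.
	SED_SCRIPT="/AM_CPPFLAGS = / { i\\ if HAVE_LOCAL_${LOCAL_LIB_UPPER} } /lib_LTLIBRARIES = / { s/lib_LTLIBRARIES/noinst_LTLIBRARIES/ } /${LOCAL_LIB}\.c/ { d } /${LOCAL_LIB}_la_LIBADD/ { :loop1 /${LOCAL_LIB}_la_LDFLAGS/ { N i\\ endif d } /${LOCAL_LIB}_la_LDFLAGS/ !{ N b loop1 } } /${LOCAL_LIB}_la_LDFLAGS/ { N i\\ endif d } /DISTCLEANFILES = / { n /${LOCAL_LIB}_definitions.h/ { d } }";
	echo "${SED_SCRIPT}" >> ${LOCAL_LIB}-$$.sed;
	sed -i'~' -f ${LOCAL_LIB}-$$.sed ${LOCAL_LIB_MAKEFILE_AM};
	rm -f ${LOCAL_LIB}-$$.sed;

	sed -i'~' "/AM_CPPFLAGS = /,/noinst_LTLIBRARIES = / { N; s/\\\\\\n.@${LOCAL_LIB_UPPER}_DLL_EXPORT@//; P; D; }" ${LOCAL_LIB_MAKEFILE_AM};
	sed -i'~' "/${LOCAL_LIB}_definitions.h.in/d" ${LOCAL_LIB_MAKEFILE_AM};
	sed -i'~' "/${LOCAL_LIB}\\.rc/d" ${LOCAL_LIB_MAKEFILE_AM};

	if test ${LOCAL_LIB} = "libfplist";
	then
		# TODO: make this more generic to strip the last \\
		sed -i'~' '/EXTRA_DIST = /,/^$/s/libfplist_xml_scanner.c \\/libfplist_xml_scanner.c/' ${LOCAL_LIB_MAKEFILE_AM};

	elif test ${LOCAL_LIB} = "libodraw";
	then
		# TODO: make this more generic to strip the last \\
		sed -i'~' '/EXTRA_DIST = /,/^$/s/libodraw_cue_scanner.c \\/libodraw_cue_scanner.c/' ${LOCAL_LIB_MAKEFILE_AM};

	else
		sed -i'~' '/EXTRA_DIST = /,/^$/d' ${LOCAL_LIB_MAKEFILE_AM};
	fi

	# NOTE(review): the line breaks inside the sed program below are not
	# preserved in this listing; take the multi-line text from the upstream file.
	SED_SCRIPT="/^$/ { x N /endif$/ { a\\ D } }";
	echo "${SED_SCRIPT}" >> ${LOCAL_LIB}-$$.sed;
	sed -i'~' -f ${LOCAL_LIB}-$$.sed ${LOCAL_LIB_MAKEFILE_AM};
	rm -f ${LOCAL_LIB}-$$.sed;

	# Make the necessary changes to libcfile/Makefile.am
	if test ${LOCAL_LIB} = "libcfile";
	then
		if ! test -f "m4/libuna.m4";
		then
			sed -i'~' 's?@LIBUNA_CPPFLAGS@?-I../libuna -I$(top_srcdir)/libuna?' ${LOCAL_LIB_MAKEFILE_AM};
		fi
	fi

	# Make the necessary changes to libfplist/Makefile.am
	if test ${LOCAL_LIB} = "libfplist";
	then
		if test -f "m4/libfdatetime.m4";
		then
			sed -i'~' '/@LIBFGUID_CPPFLAGS@/{h; s/FGUID/FDATETIME/; p; g;}' ${LOCAL_LIB_MAKEFILE_AM};
		fi
	fi

	# Make the necessary changes to libfvalue/Makefile.am
	if test ${LOCAL_LIB} = "libfvalue";
	then
		if ! test -f "m4/libfdatetime.m4";
		then
			sed -i'~' '/@LIBFDATETIME_CPPFLAGS@/d' ${LOCAL_LIB_MAKEFILE_AM};
		fi
		if ! test -f "m4/libfguid.m4";
		then
			sed -i'~' '/@LIBFGUID_CPPFLAGS@/d' ${LOCAL_LIB_MAKEFILE_AM};
		fi
		if ! test -f "m4/libfwnt.m4";
		then
			sed -i'~' '/@LIBFWNT_CPPFLAGS@/d' ${LOCAL_LIB_MAKEFILE_AM};
		fi
		if ! test -f "m4/libuna.m4";
		then
			sed -i'~' '/@LIBUNA_CPPFLAGS@/d' ${LOCAL_LIB_MAKEFILE_AM};
		fi
	fi

	# Make the necessary changes to libsmraw/Makefile.am
	if test ${LOCAL_LIB} = "libsmraw";
	then
		if test -f "m4/libfdatetime.m4";
		then
			sed -i'~' '/@LIBFVALUE_CPPFLAGS@/{h; s/FVALUE/FDATETIME/; p; g;}' ${LOCAL_LIB_MAKEFILE_AM};
		fi
		if test -f "m4/libfguid.m4";
		then
			sed -i'~' '/@LIBFVALUE_CPPFLAGS@/{h; s/FVALUE/FGUID/; p; g;}' ${LOCAL_LIB_MAKEFILE_AM};
		fi
	fi

	# Remove libyal/libyal.c
	rm -f ${LOCAL_LIB}/${LOCAL_LIB}.c;

	# Make the necessary changes to libyal/libyal_definitions.h
	cp ${LOCAL_LIB}-$$/${LOCAL_LIB}/${LOCAL_LIB}_definitions.h.in ${LOCAL_LIB}/${LOCAL_LIB}_definitions.h;
	sed -i'~' "s/@VERSION@/${LOCAL_LIB_VERSION}/" ${LOCAL_LIB}/${LOCAL_LIB}_definitions.h;

	rm -rf ${LOCAL_LIB}-$$;
done

IFS=$OLDIFS;

exit ${EXIT_SUCCESS};
================================================
FILE: synctestdata.ps1
================================================
# Script that synchronizes the local test data
#
# Version: 20251208

$TestSet = "public"
$TestInputDirectory = "tests/input"
$TestFiles = "System.evtx"

If (-Not (Test-Path ${TestInputDirectory}))
{
	New-Item -Name ${TestInputDirectory} -ItemType "directory" | Out-Null
}
If (-Not (Test-Path "${TestInputDirectory}\${TestSet}"))
{
	New-Item -Name "${TestInputDirectory}\${TestSet}" -ItemType "directory" | Out-Null
}

ForEach ($TestFile in ${TestFiles} -split " ")
{
	$Url = "https://github.com/log2timeline/plaso/raw/refs/heads/main/test_data/${TestFile}"

	Invoke-WebRequest -Uri ${Url} -OutFile "${TestInputDirectory}\${TestSet}\${TestFile}"
}
================================================
FILE: synctestdata.sh
================================================
#!/bin/sh
# Script that synchronizes the local test data
#
# Downloads every file in TEST_FILES into tests/input/public.
#
# NOTE(review): the URL follows refs/heads/main, so the downloaded bytes can
# change between runs and nothing here compares them with a known digest.
#
# Version: 20251208

TEST_SET="public";
TEST_INPUT_DIRECTORY="tests/input";
TEST_FILES="System.evtx";

mkdir -p "${TEST_INPUT_DIRECTORY}/${TEST_SET}";

for TEST_FILE in ${TEST_FILES};
do
	URL="https://github.com/log2timeline/plaso/raw/refs/heads/main/test_data/${TEST_FILE}";
	OUTPUT_FILE="${TEST_INPUT_DIRECTORY}/${TEST_SET}/${TEST_FILE}";

	# --fail makes curl exit non-zero on an HTTP error instead of saving the
	# error page under the name of the test file.
	if ! curl --fail -L -o "${OUTPUT_FILE}" "${URL}";
	then
		echo "Unable to download: ${URL}";

		# Do not leave a partial or empty file behind as test input.
		rm -f "${OUTPUT_FILE}";

		exit 1;
	fi
done
================================================
FILE: tests/Makefile.am
================================================
AUTOMAKE_OPTIONS = subdir-objects

AM_CPPFLAGS = \
	-I../include -I$(top_srcdir)/include \
	-I../common -I$(top_srcdir)/common \
	@LIBCERROR_CPPFLAGS@ \
	@LIBCTHREADS_CPPFLAGS@ \
	@LIBCDATA_CPPFLAGS@ \
	@LIBCLOCALE_CPPFLAGS@ \
	@LIBCNOTIFY_CPPFLAGS@ \
	@LIBCSPLIT_CPPFLAGS@ \
	@LIBUNA_CPPFLAGS@ \
	@LIBCDIRECTORY_CPPFLAGS@ \
	@LIBCFILE_CPPFLAGS@ \
	@LIBCPATH_CPPFLAGS@ \
	@LIBBFIO_CPPFLAGS@ \
	@LIBFCACHE_CPPFLAGS@ \
	@LIBFDATA_CPPFLAGS@ \
	@LIBFDATETIME_CPPFLAGS@ \
	@LIBFGUID_CPPFLAGS@ \
	@LIBFVALUE_CPPFLAGS@ \
	@LIBFWEVT_CPPFLAGS@ \
	@LIBFWNT_CPPFLAGS@ \
	@LIBEXE_CPPFLAGS@ \
	@LIBREGF_CPPFLAGS@ \
	@LIBWRC_CPPFLAGS@ \
	@PTHREAD_CPPFLAGS@ \
	@LIBEVTX_DLL_IMPORT@

if HAVE_PYTHON_TESTS
TESTS_PYEVTX = \
	test_python_module.sh
endif

TESTS = \
	test_library.sh \
	test_tools.sh \
	test_evtxinfo.sh \
	test_evtxexport.sh \
	$(TESTS_PYEVTX)

check_SCRIPTS = \
	pyevtx_test_file.py \
	pyevtx_test_support.py \
	test_evtxexport.sh \
	test_evtxinfo.sh \
	test_library.sh \
	test_manpage.sh \
	test_python_module.sh \
	test_runner.sh \
	test_tools.sh

EXTRA_DIST = \
	$(check_SCRIPTS)

check_PROGRAMS = \
	evtx_test_chunk \
	evtx_test_chunks_table \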
evtx_test_error \ evtx_test_file \ evtx_test_io_handle \ evtx_test_notify \ evtx_test_record \ evtx_test_record_values \ evtx_test_support \ evtx_test_template_definition \ evtx_test_tools_info_handle \ evtx_test_tools_message_handle \ evtx_test_tools_message_string \ evtx_test_tools_output \ evtx_test_tools_path_handle \ evtx_test_tools_registry_file \ evtx_test_tools_resource_file \ evtx_test_tools_signal evtx_test_chunk_SOURCES = \ evtx_test_chunk.c \ evtx_test_libcerror.h \ evtx_test_libevtx.h \ evtx_test_macros.h \ evtx_test_memory.c evtx_test_memory.h \ evtx_test_unused.h evtx_test_chunk_LDADD = \ ../libevtx/libevtx.la \ @LIBCERROR_LIBADD@ evtx_test_chunks_table_SOURCES = \ evtx_test_chunks_table.c \ evtx_test_libcerror.h \ evtx_test_libevtx.h \ evtx_test_macros.h \ evtx_test_memory.c evtx_test_memory.h \ evtx_test_unused.h evtx_test_chunks_table_LDADD = \ ../libevtx/libevtx.la \ @LIBCERROR_LIBADD@ evtx_test_error_SOURCES = \ evtx_test_error.c \ evtx_test_libevtx.h \ evtx_test_macros.h \ evtx_test_unused.h evtx_test_error_LDADD = \ ../libevtx/libevtx.la evtx_test_file_SOURCES = \ evtx_test_file.c \ evtx_test_functions.c evtx_test_functions.h \ evtx_test_getopt.c evtx_test_getopt.h \ evtx_test_libbfio.h \ evtx_test_libcerror.h \ evtx_test_libclocale.h \ evtx_test_libcnotify.h \ evtx_test_libevtx.h \ evtx_test_libuna.h \ evtx_test_macros.h \ evtx_test_memory.c evtx_test_memory.h \ evtx_test_unused.h evtx_test_file_LDADD = \ @LIBBFIO_LIBADD@ \ @LIBCPATH_LIBADD@ \ @LIBCFILE_LIBADD@ \ @LIBUNA_LIBADD@ \ @LIBCSPLIT_LIBADD@ \ @LIBCNOTIFY_LIBADD@ \ @LIBCLOCALE_LIBADD@ \ @LIBCDATA_LIBADD@ \ ../libevtx/libevtx.la \ @LIBCTHREADS_LIBADD@ \ @LIBCERROR_LIBADD@ \ @PTHREAD_LIBADD@ evtx_test_io_handle_SOURCES = \ evtx_test_io_handle.c \ evtx_test_libcerror.h \ evtx_test_libevtx.h \ evtx_test_macros.h \ evtx_test_memory.c evtx_test_memory.h \ evtx_test_unused.h evtx_test_io_handle_LDADD = \ ../libevtx/libevtx.la \ @LIBCERROR_LIBADD@ evtx_test_notify_SOURCES = \ 
evtx_test_libcerror.h \ evtx_test_libevtx.h \ evtx_test_macros.h \ evtx_test_notify.c \ evtx_test_unused.h evtx_test_notify_LDADD = \ ../libevtx/libevtx.la \ @LIBCERROR_LIBADD@ evtx_test_record_SOURCES = \ evtx_test_libcerror.h \ evtx_test_libevtx.h \ evtx_test_macros.h \ evtx_test_memory.c evtx_test_memory.h \ evtx_test_record.c \ evtx_test_unused.h evtx_test_record_LDADD = \ ../libevtx/libevtx.la \ @LIBCERROR_LIBADD@ evtx_test_record_values_SOURCES = \ evtx_test_libcerror.h \ evtx_test_libevtx.h \ evtx_test_macros.h \ evtx_test_memory.c evtx_test_memory.h \ evtx_test_record_values.c \ evtx_test_unused.h evtx_test_record_values_LDADD = \ ../libevtx/libevtx.la \ @LIBCERROR_LIBADD@ evtx_test_support_SOURCES = \ evtx_test_functions.c evtx_test_functions.h \ evtx_test_getopt.c evtx_test_getopt.h \ evtx_test_libbfio.h \ evtx_test_libcerror.h \ evtx_test_libclocale.h \ evtx_test_libcnotify.h \ evtx_test_libevtx.h \ evtx_test_libuna.h \ evtx_test_macros.h \ evtx_test_memory.c evtx_test_memory.h \ evtx_test_support.c \ evtx_test_unused.h evtx_test_support_LDADD = \ @LIBBFIO_LIBADD@ \ @LIBCPATH_LIBADD@ \ @LIBCFILE_LIBADD@ \ @LIBUNA_LIBADD@ \ @LIBCSPLIT_LIBADD@ \ @LIBCNOTIFY_LIBADD@ \ @LIBCLOCALE_LIBADD@ \ @LIBCDATA_LIBADD@ \ ../libevtx/libevtx.la \ @LIBCERROR_LIBADD@ evtx_test_template_definition_SOURCES = \ evtx_test_libcerror.h \ evtx_test_libevtx.h \ evtx_test_macros.h \ evtx_test_memory.c evtx_test_memory.h \ evtx_test_template_definition.c \ evtx_test_unused.h evtx_test_template_definition_LDADD = \ ../libevtx/libevtx.la \ @LIBCERROR_LIBADD@ evtx_test_tools_info_handle_SOURCES = \ ../evtxtools/evtxinput.c ../evtxtools/evtxinput.h \ ../evtxtools/info_handle.c ../evtxtools/info_handle.h \ evtx_test_libcerror.h \ evtx_test_macros.h \ evtx_test_memory.c evtx_test_memory.h \ evtx_test_tools_info_handle.c \ evtx_test_unused.h evtx_test_tools_info_handle_LDADD = \ @LIBCLOCALE_LIBADD@ \ ../libevtx/libevtx.la \ @LIBCERROR_LIBADD@ evtx_test_tools_message_handle_SOURCES = \ 
../evtxtools/message_handle.c ../evtxtools/message_handle.h \ ../evtxtools/message_string.c ../evtxtools/message_string.h \ ../evtxtools/resource_file.c ../evtxtools/resource_file.h \ ../evtxtools/path_handle.c ../evtxtools/path_handle.h \ ../evtxtools/registry_file.c ../evtxtools/registry_file.h \ evtx_test_libcerror.h \ evtx_test_macros.h \ evtx_test_memory.c evtx_test_memory.h \ evtx_test_tools_message_handle.c \ evtx_test_unused.h evtx_test_tools_message_handle_LDADD = \ @LIBWRC_LIBADD@ \ @LIBREGF_LIBADD@ \ @LIBEXE_LIBADD@ \ @LIBFWEVT_LIBADD@ \ @LIBFVALUE_LIBADD@ \ @LIBFWNT_LIBADD@ \ @LIBFGUID_LIBADD@ \ @LIBFDATETIME_LIBADD@ \ @LIBFDATA_LIBADD@ \ @LIBFCACHE_LIBADD@ \ @LIBBFIO_LIBADD@ \ @LIBCPATH_LIBADD@ \ @LIBCFILE_LIBADD@ \ @LIBCDIRECTORY_LIBADD@ \ @LIBUNA_LIBADD@ \ @LIBCSPLIT_LIBADD@ \ @LIBCNOTIFY_LIBADD@ \ @LIBCLOCALE_LIBADD@ \ @LIBCDATA_LIBADD@ \ ../libevtx/libevtx.la \ @LIBCERROR_LIBADD@ evtx_test_tools_message_string_SOURCES = \ ../evtxtools/message_string.c ../evtxtools/message_string.h \ evtx_test_libcerror.h \ evtx_test_macros.h \ evtx_test_memory.c evtx_test_memory.h \ evtx_test_tools_message_string.c \ evtx_test_unused.h evtx_test_tools_message_string_LDADD = \ @LIBWRC_LIBADD@ \ @LIBEXE_LIBADD@ \ @LIBFWEVT_LIBADD@ \ @LIBFVALUE_LIBADD@ \ @LIBFWNT_LIBADD@ \ @LIBFGUID_LIBADD@ \ @LIBFDATETIME_LIBADD@ \ @LIBFDATA_LIBADD@ \ @LIBBFIO_LIBADD@ \ @LIBCPATH_LIBADD@ \ @LIBCFILE_LIBADD@ \ @LIBUNA_LIBADD@ \ @LIBCSPLIT_LIBADD@ \ @LIBCNOTIFY_LIBADD@ \ @LIBCLOCALE_LIBADD@ \ @LIBCDATA_LIBADD@ \ ../libevtx/libevtx.la \ @LIBCERROR_LIBADD@ evtx_test_tools_output_SOURCES = \ ../evtxtools/evtxtools_output.c ../evtxtools/evtxtools_output.h \ evtx_test_libcerror.h \ evtx_test_macros.h \ evtx_test_tools_output.c \ evtx_test_unused.h evtx_test_tools_output_LDADD = \ ../libevtx/libevtx.la \ @LIBCERROR_LIBADD@ evtx_test_tools_path_handle_SOURCES = \ ../evtxtools/path_handle.c ../evtxtools/path_handle.h \ evtx_test_libcerror.h \ evtx_test_macros.h \ evtx_test_memory.c 
evtx_test_memory.h \ evtx_test_tools_path_handle.c \ evtx_test_unused.h evtx_test_tools_path_handle_LDADD = \ @LIBCDIRECTORY_LIBADD@ \ @LIBUNA_LIBADD@ \ @LIBCLOCALE_LIBADD@ \ @LIBCDATA_LIBADD@ \ ../libevtx/libevtx.la \ @LIBCERROR_LIBADD@ evtx_test_tools_registry_file_SOURCES = \ ../evtxtools/registry_file.c ../evtxtools/registry_file.h \ evtx_test_libcerror.h \ evtx_test_macros.h \ evtx_test_memory.c evtx_test_memory.h \ evtx_test_tools_registry_file.c \ evtx_test_unused.h evtx_test_tools_registry_file_LDADD = \ @LIBREGF_LIBADD@ \ @LIBFDATA_LIBADD@ \ @LIBFCACHE_LIBADD@ \ @LIBBFIO_LIBADD@ \ @LIBCPATH_LIBADD@ \ @LIBCFILE_LIBADD@ \ @LIBCDIRECTORY_LIBADD@ \ @LIBUNA_LIBADD@ \ @LIBCSPLIT_LIBADD@ \ @LIBCNOTIFY_LIBADD@ \ @LIBCLOCALE_LIBADD@ \ @LIBCDATA_LIBADD@ \ ../libevtx/libevtx.la \ @LIBCERROR_LIBADD@ evtx_test_tools_resource_file_SOURCES = \ ../evtxtools/message_string.c ../evtxtools/message_string.h \ ../evtxtools/resource_file.c ../evtxtools/resource_file.h \ evtx_test_libcerror.h \ evtx_test_macros.h \ evtx_test_memory.c evtx_test_memory.h \ evtx_test_tools_resource_file.c \ evtx_test_unused.h evtx_test_tools_resource_file_LDADD = \ @LIBWRC_LIBADD@ \ @LIBEXE_LIBADD@ \ @LIBFWEVT_LIBADD@ \ @LIBFVALUE_LIBADD@ \ @LIBFWNT_LIBADD@ \ @LIBFGUID_LIBADD@ \ @LIBFDATETIME_LIBADD@ \ @LIBFDATA_LIBADD@ \ @LIBFCACHE_LIBADD@ \ @LIBBFIO_LIBADD@ \ @LIBCPATH_LIBADD@ \ @LIBCFILE_LIBADD@ \ @LIBUNA_LIBADD@ \ @LIBCSPLIT_LIBADD@ \ @LIBCNOTIFY_LIBADD@ \ @LIBCLOCALE_LIBADD@ \ @LIBCDATA_LIBADD@ \ ../libevtx/libevtx.la \ @LIBCERROR_LIBADD@ evtx_test_tools_signal_SOURCES = \ ../evtxtools/evtxtools_signal.c ../evtxtools/evtxtools_signal.h \ evtx_test_libcerror.h \ evtx_test_macros.h \ evtx_test_tools_signal.c \ evtx_test_unused.h evtx_test_tools_signal_LDADD = \ ../libevtx/libevtx.la \ @LIBCERROR_LIBADD@ DISTCLEANFILES = \ Makefile \ Makefile.in \ notify_stream.log ================================================ FILE: tests/build.sh ================================================ #!/bin/sh # 
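Script to build from source
#
# Version: 20201121

set -e

./synclibs.sh --use-head
./autogen.sh
./configure "$@"
make > /dev/null
================================================
FILE: tests/evtx_test_chunk.c
================================================
/*
 * Library chunk type test program
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see .
 */

/* NOTE(review): the header names of the four bare #include directives below
 * are missing in this listing
 */
#include
#include
#include

#if defined( HAVE_STDLIB_H ) || defined( WINAPI )
#include
#endif

#include "evtx_test_libcerror.h"
#include "evtx_test_libevtx.h"
#include "evtx_test_macros.h"
#include "evtx_test_memory.h"
#include "evtx_test_unused.h"

#include "../libevtx/libevtx_chunk.h"

#if defined( __GNUC__ ) && !defined( LIBEVTX_DLL_IMPORT )

/* Tests the libevtx_chunk_initialize function
 *
 * Covers a successful initialize and free, the rejection of a NULL chunk
 * argument and of a chunk pointer that is already set and, when
 * HAVE_EVTX_TEST_MEMORY is defined, the behavior when malloc or memset is
 * made to fail.
 *
 * The EVTX_TEST_ASSERT_* macros are defined in evtx_test_macros.h, which is
 * not shown here; they presumably jump to on_error when a check fails
 *
 * Returns 1 if successful or 0 if not
 */
int evtx_test_chunk_initialize( void )
{
	libcerror_error_t *error        = NULL;
	libevtx_chunk_t *chunk          = NULL;
	int result                      = 0;

#if defined( HAVE_EVTX_TEST_MEMORY )
	int number_of_malloc_fail_tests = 1;
	int number_of_memset_fail_tests = 1;
	int test_number                 = 0;
#endif

	/* Test regular cases */
	result = libevtx_chunk_initialize( &chunk, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "chunk", chunk );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	result = libevtx_chunk_free( &chunk, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "chunk", chunk );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test error cases */
	result = libevtx_chunk_initialize( NULL, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	/* An arbitrary non-NULL value that stands for a chunk that is already
	 * set; it does not point to a chunk
	 */
	chunk = (libevtx_chunk_t *) 0x12345678UL;

	result = libevtx_chunk_initialize( &chunk, &error );

	/* Clear the sentinel before the assertions, otherwise a failed
	 * assertion reaches on_error with the sentinel still in chunk and
	 * passes it to libevtx_chunk_free
	 */
	chunk = NULL;

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

#if defined( HAVE_EVTX_TEST_MEMORY )

	for( test_number = 0; test_number < number_of_malloc_fail_tests; test_number++ )
	{
		/* Test libevtx_chunk_initialize with malloc failing */
		evtx_test_malloc_attempts_before_fail = test_number;

		result = libevtx_chunk_initialize( &chunk, &error );

		/* A counter that is still not -1 after the call is reset and no
		 * failure is asserted; presumably the injected failure was not
		 * reached, confirm against evtx_test_memory.c
		 */
		if( evtx_test_malloc_attempts_before_fail != -1 )
		{
			evtx_test_malloc_attempts_before_fail = -1;

			if( chunk != NULL )
			{
				libevtx_chunk_free( &chunk, NULL );
			}
		}
		else
		{
			EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
			EVTX_TEST_ASSERT_IS_NULL( "chunk", chunk );
			EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

			libcerror_error_free( &error );
		}
	}
	for( test_number = 0; test_number < number_of_memset_fail_tests; test_number++ )
	{
		/* Test libevtx_chunk_initialize with memset failing */
		evtx_test_memset_attempts_before_fail = test_number;

		result = libevtx_chunk_initialize( &chunk, &error );

		/* Same handling as for the malloc counter above */
		if( evtx_test_memset_attempts_before_fail != -1 )
		{
			evtx_test_memset_attempts_before_fail = -1;

			if( chunk != NULL )
			{
				libevtx_chunk_free( &chunk, NULL );
			}
		}
		else
		{
			EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
			EVTX_TEST_ASSERT_IS_NULL( "chunk", chunk );
			EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

			libcerror_error_free( &error );
		}
	}
#endif /* defined( HAVE_EVTX_TEST_MEMORY ) */

	return( 1 );

on_error:
	/* Release whatever a failed check left behind */
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	if( chunk != NULL )
	{
		libevtx_chunk_free( &chunk, NULL );
	}
	return( 0 );
}

/* Tests the libevtx_chunk_free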
function * Returns 1 if successful or 0 if not */ int evtx_test_chunk_free( void ) { libcerror_error_t *error = NULL; int result = 0; /* Test error cases */ result = libevtx_chunk_free( NULL, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 ); EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error ); libcerror_error_free( &error ); return( 1 ); on_error: if( error != NULL ) { libcerror_error_free( &error ); } return( 0 ); } /* Tests the libevtx_chunk_get_number_of_records function * Returns 1 if successful or 0 if not */ int evtx_test_chunk_get_number_of_records( void ) { libcerror_error_t *error = NULL; libevtx_chunk_t *chunk = NULL; uint16_t number_of_records = 0; int number_of_records_is_set = 0; int result = 0; /* Initialize test */ result = libevtx_chunk_initialize( &chunk, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 ); EVTX_TEST_ASSERT_IS_NOT_NULL( "chunk", chunk ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); /* Test regular cases */ result = libevtx_chunk_get_number_of_records( chunk, &number_of_records, &error ); EVTX_TEST_ASSERT_NOT_EQUAL_INT( "result", result, -1 ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); number_of_records_is_set = result; /* Test error cases */ result = libevtx_chunk_get_number_of_records( NULL, &number_of_records, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 ); EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error ); libcerror_error_free( &error ); if( number_of_records_is_set != 0 ) { result = libevtx_chunk_get_number_of_records( chunk, NULL, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 ); EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error ); libcerror_error_free( &error ); } /* Clean up */ result = libevtx_chunk_free( &chunk, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 ); EVTX_TEST_ASSERT_IS_NULL( "chunk", chunk ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); return( 1 ); on_error: if( error != NULL ) { libcerror_error_free( &error ); } if( chunk != NULL ) { libevtx_chunk_free( &chunk, NULL 
); } return( 0 ); } /* Tests the libevtx_chunk_get_number_of_recovered_records function * Returns 1 if successful or 0 if not */ int evtx_test_chunk_get_number_of_recovered_records( void ) { libcerror_error_t *error = NULL; libevtx_chunk_t *chunk = NULL; uint16_t number_of_recovered_records = 0; int number_of_recovered_records_is_set = 0; int result = 0; /* Initialize test */ result = libevtx_chunk_initialize( &chunk, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 ); EVTX_TEST_ASSERT_IS_NOT_NULL( "chunk", chunk ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); /* Test regular cases */ result = libevtx_chunk_get_number_of_recovered_records( chunk, &number_of_recovered_records, &error ); EVTX_TEST_ASSERT_NOT_EQUAL_INT( "result", result, -1 ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); number_of_recovered_records_is_set = result; /* Test error cases */ result = libevtx_chunk_get_number_of_recovered_records( NULL, &number_of_recovered_records, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 ); EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error ); libcerror_error_free( &error ); if( number_of_recovered_records_is_set != 0 ) { result = libevtx_chunk_get_number_of_recovered_records( chunk, NULL, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 ); EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error ); libcerror_error_free( &error ); } /* Clean up */ result = libevtx_chunk_free( &chunk, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 ); EVTX_TEST_ASSERT_IS_NULL( "chunk", chunk ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); return( 1 ); on_error: if( error != NULL ) { libcerror_error_free( &error ); } if( chunk != NULL ) { libevtx_chunk_free( &chunk, NULL ); } return( 0 ); } #endif /* defined( __GNUC__ ) && !defined( LIBEVTX_DLL_IMPORT ) */ /* The main program */ #if defined( HAVE_WIDE_SYSTEM_CHARACTER ) int wmain( int argc EVTX_TEST_ATTRIBUTE_UNUSED, wchar_t * const argv[] EVTX_TEST_ATTRIBUTE_UNUSED ) #else int main( int argc 
EVTX_TEST_ATTRIBUTE_UNUSED, char * const argv[] EVTX_TEST_ATTRIBUTE_UNUSED ) #endif { EVTX_TEST_UNREFERENCED_PARAMETER( argc ) EVTX_TEST_UNREFERENCED_PARAMETER( argv ) #if defined( __GNUC__ ) && !defined( LIBEVTX_DLL_IMPORT ) EVTX_TEST_RUN( "libevtx_chunk_initialize", evtx_test_chunk_initialize ); EVTX_TEST_RUN( "libevtx_chunk_free", evtx_test_chunk_free ); /* TODO: add tests for libevtx_chunk_read */ EVTX_TEST_RUN( "libevtx_chunk_get_number_of_records", evtx_test_chunk_get_number_of_records ); /* TODO: add tests for libevtx_chunk_get_record */ EVTX_TEST_RUN( "libevtx_chunk_get_number_of_recovered_records", evtx_test_chunk_get_number_of_recovered_records ); /* TODO: add tests for libevtx_chunk_get_recovered_record */ #endif /* defined( __GNUC__ ) && !defined( LIBEVTX_DLL_IMPORT ) */ return( EXIT_SUCCESS ); on_error: return( EXIT_FAILURE ); } ================================================ FILE: tests/evtx_test_chunks_table.c ================================================ /* * Library chunks_table type test program * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #include #include #include #if defined( HAVE_STDLIB_H ) || defined( WINAPI ) #include #endif #include "evtx_test_libcerror.h" #include "evtx_test_libevtx.h" #include "evtx_test_macros.h" #include "evtx_test_memory.h" #include "evtx_test_unused.h" #include "../libevtx/libevtx_chunks_table.h" #if defined( __GNUC__ ) && !defined( LIBEVTX_DLL_IMPORT ) /* Tests the libevtx_chunks_table_free function * Returns 1 if successful or 0 if not */ int evtx_test_chunks_table_free( void ) { libcerror_error_t *error = NULL; int result = 0; /* Test error cases */ result = libevtx_chunks_table_free( NULL, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 ); EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error ); libcerror_error_free( &error ); return( 1 ); on_error: if( error != NULL ) { libcerror_error_free( &error ); } return( 0 ); } #endif /* defined( __GNUC__ ) && !defined( LIBEVTX_DLL_IMPORT ) */ /* The main program */ #if defined( HAVE_WIDE_SYSTEM_CHARACTER ) int wmain( int argc EVTX_TEST_ATTRIBUTE_UNUSED, wchar_t * const argv[] EVTX_TEST_ATTRIBUTE_UNUSED ) #else int main( int argc EVTX_TEST_ATTRIBUTE_UNUSED, char * const argv[] EVTX_TEST_ATTRIBUTE_UNUSED ) #endif { EVTX_TEST_UNREFERENCED_PARAMETER( argc ) EVTX_TEST_UNREFERENCED_PARAMETER( argv ) #if defined( __GNUC__ ) && !defined( LIBEVTX_DLL_IMPORT ) /* TODO: add tests for libevtx_chunks_table_initialize */ EVTX_TEST_RUN( "libevtx_chunks_table_free", evtx_test_chunks_table_free ); /* TODO: add tests for libevtx_chunks_table_read_record */ #endif /* defined( __GNUC__ ) && !defined( LIBEVTX_DLL_IMPORT ) */ return( EXIT_SUCCESS ); on_error: return( EXIT_FAILURE ); } ================================================ FILE: tests/evtx_test_error.c ================================================ /* * Library error functions test program * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. 
* * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . */ #include #include #include #if defined( HAVE_STDLIB_H ) || defined( WINAPI ) #include #endif #include "evtx_test_libevtx.h" #include "evtx_test_macros.h" #include "evtx_test_unused.h" /* Tests the libevtx_error_free function * Returns 1 if successful or 0 if not */ int evtx_test_error_free( void ) { /* Test invocation of function only */ libevtx_error_free( NULL ); return( 1 ); } /* Tests the libevtx_error_fprint function * Returns 1 if successful or 0 if not */ int evtx_test_error_fprint( void ) { /* Test invocation of function only */ libevtx_error_fprint( NULL, NULL ); return( 1 ); } /* Tests the libevtx_error_sprint function * Returns 1 if successful or 0 if not */ int evtx_test_error_sprint( void ) { /* Test invocation of function only */ libevtx_error_sprint( NULL, NULL, 0 ); return( 1 ); } /* Tests the libevtx_error_backtrace_fprint function * Returns 1 if successful or 0 if not */ int evtx_test_error_backtrace_fprint( void ) { /* Test invocation of function only */ libevtx_error_backtrace_fprint( NULL, NULL ); return( 1 ); } /* Tests the libevtx_error_backtrace_sprint function * Returns 1 if successful or 0 if not */ int evtx_test_error_backtrace_sprint( void ) { /* Test invocation of function only */ libevtx_error_backtrace_sprint( NULL, NULL, 0 ); return( 1 ); } /* The main program */ #if defined( HAVE_WIDE_SYSTEM_CHARACTER ) int wmain( int argc 
EVTX_TEST_ATTRIBUTE_UNUSED, wchar_t * const argv[] EVTX_TEST_ATTRIBUTE_UNUSED ) #else int main( int argc EVTX_TEST_ATTRIBUTE_UNUSED, char * const argv[] EVTX_TEST_ATTRIBUTE_UNUSED ) #endif { EVTX_TEST_UNREFERENCED_PARAMETER( argc ) EVTX_TEST_UNREFERENCED_PARAMETER( argv ) EVTX_TEST_RUN( "libevtx_error_free", evtx_test_error_free ); EVTX_TEST_RUN( "libevtx_error_fprint", evtx_test_error_fprint ); EVTX_TEST_RUN( "libevtx_error_sprint", evtx_test_error_sprint ); EVTX_TEST_RUN( "libevtx_error_backtrace_fprint", evtx_test_error_backtrace_fprint ); EVTX_TEST_RUN( "libevtx_error_backtrace_sprint", evtx_test_error_backtrace_sprint ); return( EXIT_SUCCESS ); on_error: return( EXIT_FAILURE ); } ================================================ FILE: tests/evtx_test_file.c ================================================ /* * Library file type test program * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #include #include #include #include #include #include #if defined( HAVE_STDLIB_H ) || defined( WINAPI ) #include #endif #include "evtx_test_functions.h" #include "evtx_test_getopt.h" #include "evtx_test_libbfio.h" #include "evtx_test_libcerror.h" #include "evtx_test_libevtx.h" #include "evtx_test_macros.h" #include "evtx_test_memory.h" #include "evtx_test_unused.h" #include "../libevtx/libevtx_file.h" #if !defined( LIBEVTX_HAVE_BFIO ) LIBEVTX_EXTERN \ int libevtx_check_file_signature_file_io_handle( libbfio_handle_t *file_io_handle, libcerror_error_t **error ); LIBEVTX_EXTERN \ int libevtx_file_open_file_io_handle( libevtx_file_t *file, libbfio_handle_t *file_io_handle, int access_flags, libevtx_error_t **error ); #endif /* !defined( LIBEVTX_HAVE_BFIO ) */ #if defined( HAVE_WIDE_SYSTEM_CHARACTER ) && SIZEOF_WCHAR_T != 2 && SIZEOF_WCHAR_T != 4 #error Unsupported size of wchar_t #endif /* Define to make evtx_test_file generate verbose output #define EVTX_TEST_FILE_VERBOSE */ /* Creates and opens a source file * Returns 1 if successful or -1 on error */ int evtx_test_file_open_source( libevtx_file_t **file, libbfio_handle_t *file_io_handle, libcerror_error_t **error ) { static char *function = "evtx_test_file_open_source"; int result = 0; if( file == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid file.", function ); return( -1 ); } if( file_io_handle == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid file IO handle.", function ); return( -1 ); } if( libevtx_file_initialize( file, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED, "%s: unable to initialize file.", function ); goto on_error; } result = libevtx_file_open_file_io_handle( *file, file_io_handle, LIBEVTX_OPEN_READ, error ); if( result != 1 ) { libcerror_error_set( error, 
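LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_OPEN_FAILED, "%s: unable to open file.", function ); goto on_error; } return( 1 ); on_error: if( *file != NULL ) { libevtx_file_free( file, NULL ); } return( -1 ); }

/* Closes and frees a source file
 *
 * Both steps are always attempted: a failing close does not prevent the
 * file from being freed.
 *
 * Returns 0 if successful or -1 on error
 * NOTE(review): the header used to say 1 on success, but result starts at 0
 * and is only ever changed to -1; the comment was corrected rather than the
 * code, since callers outside this view may compare against 0.
 */
int evtx_test_file_close_source(
     libevtx_file_t **file,
     libcerror_error_t **error )
{
	static char *function = "evtx_test_file_close_source";
	int result            = 0;

	if( file == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid file.",
		 function );

		return( -1 );
	}
	if( libevtx_file_close(
	     *file,
	     error ) != 0 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_IO,
		 LIBCERROR_IO_ERROR_CLOSE_FAILED,
		 "%s: unable to close file.",
		 function );

		result = -1;
	}
	if( libevtx_file_free(
	     file,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
		 "%s: unable to free file.",
		 function );

		result = -1;
	}
	return( result );
}

/* Tests the libevtx_file_initialize function
 *
 * Exercises the create/free round trip, the invalid-argument paths (NULL
 * out-pointer, out-pointer that already holds a value) and, when
 * HAVE_EVTX_TEST_MEMORY is defined, injected malloc and memset failures.
 *
 * Returns 1 if successful or 0 if not
 */
int evtx_test_file_initialize(
     void )
{
	libcerror_error_t *error        = NULL;
	libevtx_file_t *file            = NULL;
	int result                      = 0;

#if defined( HAVE_EVTX_TEST_MEMORY )
	int number_of_malloc_fail_tests = 1;
	int number_of_memset_fail_tests = 1;
	int test_number                 = 0;
#endif

	/* Test regular cases
	 */
	result = libevtx_file_initialize(
	          &file,
	          &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "file", file );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	result = libevtx_file_free(
	          &file,
	          &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "file", file );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test error cases
	 */
	result = libevtx_file_initialize(
	          NULL,
	          &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free(
	 &error );

	/* A non-NULL sentinel makes the out-pointer look already initialized.
	 * It is not a real allocation, so it is cleared directly after the call
	 * and before any assertion: the assertion macros presumably jump to
	 * on_error on failure (the label has no other user here), and on_error
	 * hands every non-NULL file to libevtx_file_free.
	 */
	file = (libevtx_file_t *) 0x12345678UL;

	result = libevtx_file_initialize(
	          &file,
	          &error );

	file = NULL;

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free(
	 &error );

#if defined( HAVE_EVTX_TEST_MEMORY )

	for( test_number = 0;
	     test_number < number_of_malloc_fail_tests;
	     test_number++ )
	{
		/* Test libevtx_file_initialize with malloc failing
		 */
		evtx_test_malloc_attempts_before_fail = test_number;

		result = libevtx_file_initialize(
		          &file,
		          &error );

		/* A counter other than -1 is treated as "failure not injected"
		 * (NOTE(review): presumably the test allocator sets it to -1 when
		 * it fires - confirm in evtx_test_memory), so the call may have
		 * succeeded: disarm the hook and release whatever was created.
		 */
		if( evtx_test_malloc_attempts_before_fail != -1 )
		{
			evtx_test_malloc_attempts_before_fail = -1;

			if( file != NULL )
			{
				libevtx_file_free(
				 &file,
				 NULL );
			}
		}
		else
		{
			/* The failed call must report -1 and leave no file behind
			 */
			EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
			EVTX_TEST_ASSERT_IS_NULL( "file", file );
			EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

			libcerror_error_free(
			 &error );
		}
	}
	for( test_number = 0;
	     test_number < number_of_memset_fail_tests;
	     test_number++ )
	{
		/* Test libevtx_file_initialize with memset failing
		 */
		evtx_test_memset_attempts_before_fail = test_number;

		result = libevtx_file_initialize(
		          &file,
		          &error );

		/* Same protocol as the malloc loop above
		 */
		if( evtx_test_memset_attempts_before_fail != -1 )
		{
			evtx_test_memset_attempts_before_fail = -1;

			if( file != NULL )
			{
				libevtx_file_free(
				 &file,
				 NULL );
			}
		}
		else
		{
			EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
			EVTX_TEST_ASSERT_IS_NULL( "file", file );
			EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

			libcerror_error_free(
			 &error );
		}
	}
#endif /* defined( HAVE_EVTX_TEST_MEMORY ) */

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free(
		 &error );
	}
	if( file != NULL )
	{
		libevtx_file_free(
		 &file,
		 NULL );
	}
	return( 0 );
}

/* Tests the libevtx_file_free function * Returns 1 if successful or 0 if not */ int evtx_test_file_free( void ) { libcerror_error_t *error = NULL; int result = 0; /* Test error cases */ result = libevtx_file_free( NULL, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 ); EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error ); libcerror_error_free( &error ); return( 1 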
); on_error: if( error != NULL ) { libcerror_error_free( &error ); } return( 0 ); } /* Tests the libevtx_file_open function * Returns 1 if successful or 0 if not */ int evtx_test_file_open( const system_character_t *source ) { char narrow_source[ 256 ]; libcerror_error_t *error = NULL; libevtx_file_t *file = NULL; int result = 0; /* Initialize test */ result = evtx_test_get_narrow_source( source, narrow_source, 256, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); result = libevtx_file_initialize( &file, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 ); EVTX_TEST_ASSERT_IS_NOT_NULL( "file", file ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); /* Test open */ result = libevtx_file_open( file, narrow_source, LIBEVTX_OPEN_READ, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); /* Test error cases */ result = libevtx_file_open( NULL, narrow_source, LIBEVTX_OPEN_READ, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 ); EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error ); libcerror_error_free( &error ); result = libevtx_file_open( file, NULL, LIBEVTX_OPEN_READ, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 ); EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error ); libcerror_error_free( &error ); result = libevtx_file_open( file, narrow_source, -1, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 ); EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error ); libcerror_error_free( &error ); /* Test open when already opened */ result = libevtx_file_open( file, narrow_source, LIBEVTX_OPEN_READ, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 ); EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error ); libcerror_error_free( &error ); /* Clean up */ result = libevtx_file_free( &file, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 ); EVTX_TEST_ASSERT_IS_NULL( "file", file ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); return( 1 ); 
on_error: if( error != NULL ) { libcerror_error_free( &error ); } if( file != NULL ) { libevtx_file_free( &file, NULL ); } return( 0 ); } #if defined( HAVE_WIDE_CHARACTER_TYPE ) /* Tests the libevtx_file_open_wide function * Returns 1 if successful or 0 if not */ int evtx_test_file_open_wide( const system_character_t *source ) { wchar_t wide_source[ 256 ]; libcerror_error_t *error = NULL; libevtx_file_t *file = NULL; int result = 0; /* Initialize test */ result = evtx_test_get_wide_source( source, wide_source, 256, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); result = libevtx_file_initialize( &file, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 ); EVTX_TEST_ASSERT_IS_NOT_NULL( "file", file ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); /* Test open */ result = libevtx_file_open_wide( file, wide_source, LIBEVTX_OPEN_READ, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); /* Test error cases */ result = libevtx_file_open_wide( NULL, wide_source, LIBEVTX_OPEN_READ, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 ); EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error ); libcerror_error_free( &error ); result = libevtx_file_open_wide( file, NULL, LIBEVTX_OPEN_READ, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 ); EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error ); libcerror_error_free( &error ); result = libevtx_file_open_wide( file, wide_source, -1, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 ); EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error ); libcerror_error_free( &error ); /* Test open when already opened */ result = libevtx_file_open_wide( file, wide_source, LIBEVTX_OPEN_READ, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 ); EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error ); libcerror_error_free( &error ); /* Clean up */ result = libevtx_file_free( &file, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", 
result, 1 ); EVTX_TEST_ASSERT_IS_NULL( "file", file ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); return( 1 ); on_error: if( error != NULL ) { libcerror_error_free( &error ); } if( file != NULL ) { libevtx_file_free( &file, NULL ); } return( 0 ); } #endif /* defined( HAVE_WIDE_CHARACTER_TYPE ) */ /* Tests the libevtx_file_open_file_io_handle function * Returns 1 if successful or 0 if not */ int evtx_test_file_open_file_io_handle( const system_character_t *source ) { libbfio_handle_t *file_io_handle = NULL; libcerror_error_t *error = NULL; libevtx_file_t *file = NULL; size_t string_length = 0; int result = 0; /* Initialize test */ result = libbfio_file_initialize( &file_io_handle, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 ); EVTX_TEST_ASSERT_IS_NOT_NULL( "file_io_handle", file_io_handle ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); string_length = system_string_length( source ); #if defined( HAVE_WIDE_SYSTEM_CHARACTER ) result = libbfio_file_set_name_wide( file_io_handle, source, string_length, &error ); #else result = libbfio_file_set_name( file_io_handle, source, string_length, &error ); #endif EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); result = libevtx_file_initialize( &file, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 ); EVTX_TEST_ASSERT_IS_NOT_NULL( "file", file ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); /* Test open */ result = libevtx_file_open_file_io_handle( file, file_io_handle, LIBEVTX_OPEN_READ, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); /* Test error cases */ result = libevtx_file_open_file_io_handle( NULL, file_io_handle, LIBEVTX_OPEN_READ, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 ); EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error ); libcerror_error_free( &error ); result = libevtx_file_open_file_io_handle( file, NULL, LIBEVTX_OPEN_READ, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", 
result, -1 ); EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error ); libcerror_error_free( &error ); result = libevtx_file_open_file_io_handle( file, file_io_handle, -1, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 ); EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error ); libcerror_error_free( &error ); /* Test open when already opened */ result = libevtx_file_open_file_io_handle( file, file_io_handle, LIBEVTX_OPEN_READ, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 ); EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error ); libcerror_error_free( &error ); /* Clean up */ result = libevtx_file_free( &file, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 ); EVTX_TEST_ASSERT_IS_NULL( "file", file ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); result = libbfio_handle_free( &file_io_handle, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 ); EVTX_TEST_ASSERT_IS_NULL( "file_io_handle", file_io_handle ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); return( 1 ); on_error: if( error != NULL ) { libcerror_error_free( &error ); } if( file != NULL ) { libevtx_file_free( &file, NULL ); } if( file_io_handle != NULL ) { libbfio_handle_free( &file_io_handle, NULL ); } return( 0 ); } /* Tests the libevtx_file_close function * Returns 1 if successful or 0 if not */ int evtx_test_file_close( void ) { libcerror_error_t *error = NULL; int result = 0; /* Test error cases */ result = libevtx_file_close( NULL, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 ); EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error ); libcerror_error_free( &error ); return( 1 ); on_error: if( error != NULL ) { libcerror_error_free( &error ); } return( 0 ); } /* Tests the libevtx_file_open and libevtx_file_close functions * Returns 1 if successful or 0 if not */ int evtx_test_file_open_close( const system_character_t *source ) { libcerror_error_t *error = NULL; libevtx_file_t *file = NULL; int result = 0; /* Initialize test */ result = libevtx_file_initialize( &file, &error ); 
EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 ); EVTX_TEST_ASSERT_IS_NOT_NULL( "file", file ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); /* Test open and close */ #if defined( HAVE_WIDE_SYSTEM_CHARACTER ) result = libevtx_file_open_wide( file, source, LIBEVTX_OPEN_READ, &error ); #else result = libevtx_file_open( file, source, LIBEVTX_OPEN_READ, &error ); #endif EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); result = libevtx_file_close( file, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 0 ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); /* Test open and close a second time to validate clean up on close */ #if defined( HAVE_WIDE_SYSTEM_CHARACTER ) result = libevtx_file_open_wide( file, source, LIBEVTX_OPEN_READ, &error ); #else result = libevtx_file_open( file, source, LIBEVTX_OPEN_READ, &error ); #endif EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); result = libevtx_file_close( file, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 0 ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); /* Clean up */ result = libevtx_file_free( &file, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 ); EVTX_TEST_ASSERT_IS_NULL( "file", file ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); return( 1 ); on_error: if( error != NULL ) { libcerror_error_free( &error ); } if( file != NULL ) { libevtx_file_free( &file, NULL ); } return( 0 ); } /* Tests the libevtx_file_signal_abort function * Returns 1 if successful or 0 if not */ int evtx_test_file_signal_abort( libevtx_file_t *file ) { libcerror_error_t *error = NULL; int result = 0; /* Test regular cases */ result = libevtx_file_signal_abort( file, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); /* Test error cases */ result = libevtx_file_signal_abort( NULL, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 ); EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error 
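); libcerror_error_free( &error ); return( 1 ); on_error: if( error != NULL ) { libcerror_error_free( &error ); } return( 0 ); }

/* Tests the libevtx_file_get_ascii_codepage function
 *
 * file is supplied by the caller; the regular case expects the getter to
 * succeed on it, so it is presumably an initialized (opened) file.
 *
 * Returns 1 if successful or 0 if not
 */
int evtx_test_file_get_ascii_codepage(
     libevtx_file_t *file )
{
	libcerror_error_t *error = NULL;
	int ascii_codepage       = 0;
	int result               = 0;

	/* Test regular cases
	 */
	result = libevtx_file_get_ascii_codepage(
	          file,
	          &ascii_codepage,
	          &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test error cases: NULL file, then NULL output argument
	 */
	result = libevtx_file_get_ascii_codepage(
	          NULL,
	          &ascii_codepage,
	          &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free(
	 &error );

	result = libevtx_file_get_ascii_codepage(
	          file,
	          NULL,
	          &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free(
	 &error );

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free(
		 &error );
	}
	return( 0 );
}

/* Tests the libevtx_file_set_ascii_codepage function
 *
 * Every codepage in supported_codepages must be accepted and every codepage
 * in unsupported_codepages must be rejected with -1 and an error. On success
 * the file is left set to LIBEVTX_CODEPAGE_WINDOWS_1252.
 *
 * Returns 1 if successful or 0 if not
 */
int evtx_test_file_set_ascii_codepage(
     libevtx_file_t *file )
{
	int supported_codepages[] = {
		LIBEVTX_CODEPAGE_ASCII,
		LIBEVTX_CODEPAGE_WINDOWS_874,
		LIBEVTX_CODEPAGE_WINDOWS_932,
		LIBEVTX_CODEPAGE_WINDOWS_936,
		LIBEVTX_CODEPAGE_WINDOWS_949,
		LIBEVTX_CODEPAGE_WINDOWS_950,
		LIBEVTX_CODEPAGE_WINDOWS_1250,
		LIBEVTX_CODEPAGE_WINDOWS_1251,
		LIBEVTX_CODEPAGE_WINDOWS_1252,
		LIBEVTX_CODEPAGE_WINDOWS_1253,
		LIBEVTX_CODEPAGE_WINDOWS_1254,
		LIBEVTX_CODEPAGE_WINDOWS_1255,
		LIBEVTX_CODEPAGE_WINDOWS_1256,
		LIBEVTX_CODEPAGE_WINDOWS_1257,
		LIBEVTX_CODEPAGE_WINDOWS_1258 };

	int unsupported_codepages[] = {
		LIBEVTX_CODEPAGE_ISO_8859_1,
		LIBEVTX_CODEPAGE_ISO_8859_2,
		LIBEVTX_CODEPAGE_ISO_8859_3,
		LIBEVTX_CODEPAGE_ISO_8859_4,
		LIBEVTX_CODEPAGE_ISO_8859_5,
		LIBEVTX_CODEPAGE_ISO_8859_6,
		LIBEVTX_CODEPAGE_ISO_8859_7,
		LIBEVTX_CODEPAGE_ISO_8859_8,
		LIBEVTX_CODEPAGE_ISO_8859_9,
		LIBEVTX_CODEPAGE_ISO_8859_10,
		LIBEVTX_CODEPAGE_ISO_8859_11,
		LIBEVTX_CODEPAGE_ISO_8859_13,
		LIBEVTX_CODEPAGE_ISO_8859_14,
		LIBEVTX_CODEPAGE_ISO_8859_15,
		LIBEVTX_CODEPAGE_ISO_8859_16,
		LIBEVTX_CODEPAGE_KOI8_R,
		LIBEVTX_CODEPAGE_KOI8_U };

	libcerror_error_t *error            = NULL;
	int codepage                        = 0;
	int index                           = 0;
	int result                          = 0;

	/* Loop bounds follow the initializer lists, so adding or removing a
	 * codepage cannot leave an entry untested or read past the array.
	 */
	int number_of_supported_codepages   = (int) ( sizeof( supported_codepages ) / sizeof( supported_codepages[ 0 ] ) );
	int number_of_unsupported_codepages = (int) ( sizeof( unsupported_codepages ) / sizeof( unsupported_codepages[ 0 ] ) );

	/* Test set ASCII codepage
	 */
	for( index = 0;
	     index < number_of_supported_codepages;
	     index++ )
	{
		codepage = supported_codepages[ index ];

		result = libevtx_file_set_ascii_codepage(
		          file,
		          codepage,
		          &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
		EVTX_TEST_ASSERT_IS_NULL( "error", error );
	}
	/* Test error cases
	 */
	result = libevtx_file_set_ascii_codepage(
	          NULL,
	          LIBEVTX_CODEPAGE_ASCII,
	          &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free(
	 &error );

	for( index = 0;
	     index < number_of_unsupported_codepages;
	     index++ )
	{
		codepage = unsupported_codepages[ index ];

		result = libevtx_file_set_ascii_codepage(
		          file,
		          codepage,
		          &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
		EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

		libcerror_error_free(
		 &error );
	}
	/* Clean up: put the file back on a fixed codepage so that tests run
	 * afterwards on the same file do not inherit the last value set above
	 */
	result = libevtx_file_set_ascii_codepage(
	          file,
	          LIBEVTX_CODEPAGE_WINDOWS_1252,
	          &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free(
		 &error );
	}
	return( 0 );
}

/* Tests the libevtx_file_get_flags function * Returns 1 if successful or 0 if not */ int evtx_test_file_get_flags( libevtx_file_t *file ) { libcerror_error_t *error = NULL; uint32_t flags = 0; int result = 0; /* Test regular cases */ result = libevtx_file_get_flags( file, &flags, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); /* Test error cases */ result = libevtx_file_get_flags( NULL, &flags, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 ); EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error 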
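); libcerror_error_free( &error ); result = libevtx_file_get_flags( file, NULL, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 ); EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error ); libcerror_error_free( &error ); return( 1 ); on_error: if( error != NULL ) { libcerror_error_free( &error ); } return( 0 ); }

/* Tests the libevtx_file_get_number_of_records function
 *
 * file is supplied by the caller; the regular case expects the getter to
 * succeed on it, so it is presumably an initialized (opened) file.
 *
 * Returns 1 if successful or 0 if not
 */
int evtx_test_file_get_number_of_records(
     libevtx_file_t *file )
{
	libcerror_error_t *error = NULL;
	int number_of_records    = 0;
	int result               = 0;

	/* Test regular cases
	 */
	result = libevtx_file_get_number_of_records(
	          file,
	          &number_of_records,
	          &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test error cases: NULL file, then NULL output argument
	 */
	result = libevtx_file_get_number_of_records(
	          NULL,
	          &number_of_records,
	          &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free(
	 &error );

	result = libevtx_file_get_number_of_records(
	          file,
	          NULL,
	          &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free(
	 &error );

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free(
		 &error );
	}
	return( 0 );
}

/* Tests the libevtx_file_get_record_by_index function
 *
 * Retrieves record 0 when the file holds at least one record, then checks
 * that a NULL file, a negative index and a NULL output argument are each
 * rejected with -1 and an error, without producing a record.
 *
 * Returns 1 if successful or 0 if not
 */
int evtx_test_file_get_record_by_index(
     libevtx_file_t *file )
{
	libcerror_error_t *error = NULL;
	libevtx_record_t *record = NULL;
	int number_of_records    = 0;
	int result               = 0;

	/* Initialize test
	 */
	result = libevtx_file_get_number_of_records(
	          file,
	          &number_of_records,
	          &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Nothing to retrieve from a file without records
	 */
	if( number_of_records == 0 )
	{
		return( 1 );
	}
	/* Test regular cases
	 */
	result = libevtx_file_get_record_by_index(
	          file,
	          0,
	          &record,
	          &error );

	/* TODO: remove after troubleshooting failing tests */
	EVTX_TEST_FPRINT_ERROR( error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "record", record );

	result = libevtx_record_free(
	          &record,
	          &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test error cases
	 */
	result = libevtx_file_get_record_by_index(
	          NULL,
	          0,
	          &record,
	          &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NULL( "record", record );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free(
	 &error );

	/* A negative index has to be refused, not used to address a record
	 */
	result = libevtx_file_get_record_by_index(
	          file,
	          -1,
	          &record,
	          &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NULL( "record", record );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free(
	 &error );

	result = libevtx_file_get_record_by_index(
	          file,
	          0,
	          NULL,
	          &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NULL( "record", record );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free(
	 &error );

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free(
		 &error );
	}
	/* A record obtained before a failing assertion would otherwise leak
	 */
	if( record != NULL )
	{
		libevtx_record_free(
		 &record,
		 NULL );
	}
	return( 0 );
}

/* Tests the libevtx_file_get_number_of_recovered_records function * Returns 1 if successful or 0 if not */ int evtx_test_file_get_number_of_recovered_records( libevtx_file_t *file ) { libcerror_error_t *error = NULL; int number_of_recovered_records = 0; int result = 0; /* Test regular cases */ result = libevtx_file_get_number_of_recovered_records( file, &number_of_recovered_records, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); /* Test error cases */ result = libevtx_file_get_number_of_recovered_records( NULL, &number_of_recovered_records, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 ); EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error ); libcerror_error_free( &error ); result = libevtx_file_get_number_of_recovered_records( file, NULL, &error ); 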
EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 ); EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error ); libcerror_error_free( &error ); return( 1 ); on_error: if( error != NULL ) { libcerror_error_free( &error ); } return( 0 ); } /* Tests the libevtx_file_get_recovered_record_by_index function * Returns 1 if successful or 0 if not */ int evtx_test_file_get_recovered_record_by_index( libevtx_file_t *file ) { libcerror_error_t *error = NULL; libevtx_record_t *recovered_record = 0; int number_of_recovered_records = 0; int result = 0; /* Initialize test */ result = libevtx_file_get_number_of_recovered_records( file, &number_of_recovered_records, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); if( number_of_recovered_records == 0 ) { return( 1 ); } /* Test regular cases */ result = libevtx_file_get_recovered_record_by_index( file, 0, &recovered_record, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); EVTX_TEST_ASSERT_IS_NOT_NULL( "recovered_record", recovered_record ); result = libevtx_record_free( &recovered_record, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); /* Test error cases */ result = libevtx_file_get_recovered_record_by_index( NULL, 0, &recovered_record, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 ); EVTX_TEST_ASSERT_IS_NULL( "recovered_record", recovered_record ); EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error ); libcerror_error_free( &error ); result = libevtx_file_get_recovered_record_by_index( file, -1, &recovered_record, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 ); EVTX_TEST_ASSERT_IS_NULL( "recovered_record", recovered_record ); EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error ); libcerror_error_free( &error ); result = libevtx_file_get_recovered_record_by_index( file, 0, NULL, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 ); EVTX_TEST_ASSERT_IS_NULL( 
"recovered_record", recovered_record ); EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error ); libcerror_error_free( &error ); return( 1 ); on_error: if( error != NULL ) { libcerror_error_free( &error ); } return( 0 ); } /* The main program */ #if defined( HAVE_WIDE_SYSTEM_CHARACTER ) int wmain( int argc, wchar_t * const argv[] ) #else int main( int argc, char * const argv[] ) #endif { libbfio_handle_t *file_io_handle = NULL; libcerror_error_t *error = NULL; libevtx_file_t *file = NULL; system_character_t *source = NULL; system_integer_t option = 0; size_t string_length = 0; int result = 0; while( ( option = evtx_test_getopt( argc, argv, _SYSTEM_STRING( "" ) ) ) != (system_integer_t) -1 ) { switch( option ) { case (system_integer_t) '?': default: fprintf( stderr, "Invalid argument: %" PRIs_SYSTEM ".\n", argv[ optind - 1 ] ); return( EXIT_FAILURE ); } } if( optind < argc ) { source = argv[ optind ]; } #if defined( HAVE_DEBUG_OUTPUT ) && defined( EVTX_TEST_FILE_VERBOSE ) libevtx_notify_set_verbose( 1 ); libevtx_notify_set_stream( stderr, NULL ); #endif EVTX_TEST_RUN( "libevtx_file_initialize", evtx_test_file_initialize ); EVTX_TEST_RUN( "libevtx_file_free", evtx_test_file_free ); #if !defined( __BORLANDC__ ) || ( __BORLANDC__ >= 0x0560 ) if( source != NULL ) { result = libbfio_file_initialize( &file_io_handle, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 ); EVTX_TEST_ASSERT_IS_NOT_NULL( "file_io_handle", file_io_handle ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); string_length = system_string_length( source ); #if defined( HAVE_WIDE_SYSTEM_CHARACTER ) result = libbfio_file_set_name_wide( file_io_handle, source, string_length, &error ); #else result = libbfio_file_set_name( file_io_handle, source, string_length, &error ); #endif EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); result = libevtx_check_file_signature_file_io_handle( file_io_handle, &error ); EVTX_TEST_ASSERT_NOT_EQUAL_INT( "result", result, -1 ); 
EVTX_TEST_ASSERT_IS_NULL( "error", error ); } if( result != 0 ) { EVTX_TEST_RUN_WITH_ARGS( "libevtx_file_open", evtx_test_file_open, source ); #if defined( HAVE_WIDE_CHARACTER_TYPE ) EVTX_TEST_RUN_WITH_ARGS( "libevtx_file_open_wide", evtx_test_file_open_wide, source ); #endif /* defined( HAVE_WIDE_CHARACTER_TYPE ) */ EVTX_TEST_RUN_WITH_ARGS( "libevtx_file_open_file_io_handle", evtx_test_file_open_file_io_handle, source ); EVTX_TEST_RUN( "libevtx_file_close", evtx_test_file_close ); EVTX_TEST_RUN_WITH_ARGS( "libevtx_file_open_close", evtx_test_file_open_close, source ); /* Initialize file for tests */ result = evtx_test_file_open_source( &file, file_io_handle, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 ); EVTX_TEST_ASSERT_IS_NOT_NULL( "file", file ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); EVTX_TEST_RUN_WITH_ARGS( "libevtx_file_signal_abort", evtx_test_file_signal_abort, file ); #if defined( __GNUC__ ) && !defined( LIBEVTX_DLL_IMPORT ) /* TODO: add tests for libevtx_file_open_read */ #endif /* defined( __GNUC__ ) && !defined( LIBEVTX_DLL_IMPORT ) */ /* TODO: add tests for libevtx_file_is_corrupted */ EVTX_TEST_RUN_WITH_ARGS( "libevtx_file_get_ascii_codepage", evtx_test_file_get_ascii_codepage, file ); EVTX_TEST_RUN_WITH_ARGS( "libevtx_file_set_ascii_codepage", evtx_test_file_set_ascii_codepage, file ); /* TODO: add tests for libevtx_file_get_format_version */ /* TODO: add tests for libevtx_file_get_version */ EVTX_TEST_RUN_WITH_ARGS( "libevtx_file_get_flags", evtx_test_file_get_flags, file ); EVTX_TEST_RUN_WITH_ARGS( "libevtx_file_get_number_of_records", evtx_test_file_get_number_of_records, file ); EVTX_TEST_RUN_WITH_ARGS( "libevtx_file_get_record_by_index", evtx_test_file_get_record_by_index, file ); EVTX_TEST_RUN_WITH_ARGS( "libevtx_file_get_number_of_recovered_records", evtx_test_file_get_number_of_recovered_records, file ); #if defined( TODO ) EVTX_TEST_RUN_WITH_ARGS( "libevtx_file_get_recovered_record_by_index", 
evtx_test_file_get_recovered_record_by_index, file ); #endif /* defined( TODO ) */ /* Clean up */ result = evtx_test_file_close_source( &file, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 0 ); EVTX_TEST_ASSERT_IS_NULL( "file", file ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); result = libbfio_handle_free( &file_io_handle, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 ); EVTX_TEST_ASSERT_IS_NULL( "file_io_handle", file_io_handle ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); } #endif /* !defined( __BORLANDC__ ) || ( __BORLANDC__ >= 0x0560 ) */ return( EXIT_SUCCESS ); on_error: if( error != NULL ) { libcerror_error_free( &error ); } if( file != NULL ) { libevtx_file_free( &file, NULL ); } if( file_io_handle != NULL ) { libbfio_handle_free( &file_io_handle, NULL ); } return( EXIT_FAILURE ); } ================================================ FILE: tests/evtx_test_functions.c ================================================ /* * Functions for testing * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/

#include
#include
#include
#include
#include
#include

#if defined( HAVE_STDLIB_H ) || defined( WINAPI )
#include
#endif

#include "evtx_test_libbfio.h"
#include "evtx_test_libcerror.h"
#include "evtx_test_libclocale.h"
#include "evtx_test_libuna.h"

/* Retrieves source as a narrow string
 *
 * Copies source into the caller-provided buffer narrow_string of
 * narrow_string_size characters. With HAVE_WIDE_SYSTEM_CHARACTER the
 * source is converted through libuna: to UTF-8 when libclocale_codepage
 * is 0, otherwise to a byte stream in that codepage. Without it the
 * source is copied as-is.
 *
 * The required size (including the terminator) is determined first and
 * compared with narrow_string_size, so the copy is never attempted into
 * a buffer that is too small.
 *
 * Returns 1 if successful or -1 on error
 */
int evtx_test_get_narrow_source(
     const system_character_t *source,
     char *narrow_string,
     size_t narrow_string_size,
     libcerror_error_t **error )
{
	static char *function     = "evtx_test_get_narrow_source";
	size_t narrow_source_size = 0;
	size_t source_length      = 0;

#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
	int result                = 0;
#endif

	if( source == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid source.",
		 function );

		return( -1 );
	}
	if( narrow_string == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid narrow string.",
		 function );

		return( -1 );
	}
	/* Reject sizes that do not fit a signed size type */
	if( narrow_string_size > (size_t) SSIZE_MAX )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_VALUE_EXCEEDS_MAXIMUM,
		 "%s: invalid narrow string size value exceeds maximum.",
		 function );

		return( -1 );
	}
	source_length = system_string_length(
	                 source );

	/* The - 1 keeps source_length + 1, used below, within SSIZE_MAX */
	if( source_length > (size_t) ( SSIZE_MAX - 1 ) )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS,
		 "%s: invalid source length value out of bounds.",
		 function );

		return( -1 );
	}
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
	/* First pass: determine the size of the converted string,
	 * source_length + 1 includes the end-of-string character
	 */
	if( libclocale_codepage == 0 )
	{
#if SIZEOF_WCHAR_T == 4
		result = libuna_utf8_string_size_from_utf32(
		          (libuna_utf32_character_t *) source,
		          source_length + 1,
		          &narrow_source_size,
		          error );
#elif SIZEOF_WCHAR_T == 2
		result = libuna_utf8_string_size_from_utf16(
		          (libuna_utf16_character_t *) source,
		          source_length + 1,
		          &narrow_source_size,
		          error );
#endif
	}
	else
	{
#if SIZEOF_WCHAR_T == 4
		result = libuna_byte_stream_size_from_utf32(
		          (libuna_utf32_character_t *) source,
		          source_length + 1,
		          libclocale_codepage,
		          &narrow_source_size,
		          error );
#elif SIZEOF_WCHAR_T == 2
		result = libuna_byte_stream_size_from_utf16(
		          (libuna_utf16_character_t *) source,
		          source_length + 1,
		          libclocale_codepage,
		          &narrow_source_size,
		          error );
#endif
	}
	/* result stays 0 when SIZEOF_WCHAR_T is neither 4 nor 2,
	 * which is reported as a conversion error as well
	 */
	if( result != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_CONVERSION,
		 LIBCERROR_CONVERSION_ERROR_GENERIC,
		 "%s: unable to determine narrow string size.",
		 function );

		return( -1 );
	}
#else
	narrow_source_size = source_length + 1;

#endif /* defined( HAVE_WIDE_SYSTEM_CHARACTER ) */

	/* Bounds check that guards both copy variants below */
	if( narrow_string_size < narrow_source_size )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_VALUE_TOO_SMALL,
		 "%s: narrow string too small.",
		 function );

		return( -1 );
	}
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
	/* Second pass: convert into the caller's buffer */
	if( libclocale_codepage == 0 )
	{
#if SIZEOF_WCHAR_T == 4
		result = libuna_utf8_string_copy_from_utf32(
		          (libuna_utf8_character_t *) narrow_string,
		          narrow_string_size,
		          (libuna_utf32_character_t *) source,
		          source_length + 1,
		          error );
#elif SIZEOF_WCHAR_T == 2
		result = libuna_utf8_string_copy_from_utf16(
		          (libuna_utf8_character_t *) narrow_string,
		          narrow_string_size,
		          (libuna_utf16_character_t *) source,
		          source_length + 1,
		          error );
#endif
	}
	else
	{
#if SIZEOF_WCHAR_T == 4
		result = libuna_byte_stream_copy_from_utf32(
		          (uint8_t *) narrow_string,
		          narrow_string_size,
		          libclocale_codepage,
		          (libuna_utf32_character_t *) source,
		          source_length + 1,
		          error );
#elif SIZEOF_WCHAR_T == 2
		result = libuna_byte_stream_copy_from_utf16(
		          (uint8_t *) narrow_string,
		          narrow_string_size,
		          libclocale_codepage,
		          (libuna_utf16_character_t *) source,
		          source_length + 1,
		          error );
#endif
	}
	if( result != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_CONVERSION,
		 LIBCERROR_CONVERSION_ERROR_GENERIC,
		 "%s: unable to set narrow string.",
		 function );

		return( -1 );
	}
#else
	/* Copies source_length characters; the terminator is written
	 * separately at index source_length, which the size check above
	 * (narrow_string_size >= source_length + 1) keeps inside the buffer
	 */
	if( system_string_copy(
	     narrow_string,
	     source,
	     source_length ) == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_MEMORY,
		 LIBCERROR_MEMORY_ERROR_COPY_FAILED,
		 "%s: unable to set narrow string.",
		 function );

		return( -1 );
	}
	narrow_string[ source_length ] = 0;

#endif /* defined( HAVE_WIDE_SYSTEM_CHARACTER ) */

	return( 1 );
}

#if defined( HAVE_WIDE_CHARACTER_TYPE )

/* Retrieves source as a wide string
 *
 * Mirror of evtx_test_get_narrow_source: copies source into the
 * caller-provided buffer wide_string of wide_string_size characters.
 * With HAVE_WIDE_SYSTEM_CHARACTER the source is copied as-is; otherwise
 * it is converted through libuna from UTF-8 when libclocale_codepage
 * is 0, or from a byte stream in that codepage.
 *
 * Returns 1 if successful or -1 on error
 */
int evtx_test_get_wide_source(
     const system_character_t *source,
     wchar_t *wide_string,
     size_t wide_string_size,
     libcerror_error_t **error )
{
	static char *function   = "evtx_test_get_wide_source";
	size_t wide_source_size = 0;
	size_t source_length    = 0;

#if !defined( HAVE_WIDE_SYSTEM_CHARACTER )
	int result              = 0;
#endif

	if( source == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid source.",
		 function );

		return( -1 );
	}
	if( wide_string == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid wide string.",
		 function );

		return( -1 );
	}
	/* NOTE(review): wide_string_size counts wide characters, so the
	 * byte size of the buffer can still exceed SSIZE_MAX after this
	 * check - confirm that no caller relies on a byte-size bound
	 */
	if( wide_string_size > (size_t) SSIZE_MAX )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_VALUE_EXCEEDS_MAXIMUM,
		 "%s: invalid wide string size value exceeds maximum.",
		 function );

		return( -1 );
	}
	source_length = system_string_length(
	                 source );

	/* The - 1 keeps source_length + 1, used below, within SSIZE_MAX */
	if( source_length > (size_t) ( SSIZE_MAX - 1 ) )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS,
		 "%s: invalid source length value out of bounds.",
		 function );

		return( -1 );
	}
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
	wide_source_size = source_length + 1;
#else
	/* First pass: determine the size of the converted string,
	 * source_length + 1 includes the end-of-string character
	 */
	if( libclocale_codepage == 0 )
	{
#if SIZEOF_WCHAR_T == 4
		result = libuna_utf32_string_size_from_utf8(
		          (libuna_utf8_character_t *) source,
		          source_length + 1,
		          &wide_source_size,
		          error );
#elif SIZEOF_WCHAR_T == 2
		result = libuna_utf16_string_size_from_utf8(
		          (libuna_utf8_character_t *) source,
		          source_length + 1,
		          &wide_source_size,
		          error );
#endif
	}
	else
	{
#if SIZEOF_WCHAR_T == 4
		result = libuna_utf32_string_size_from_byte_stream(
		          (uint8_t *) source,
		          source_length + 1,
		          libclocale_codepage,
		          &wide_source_size,
		          error );
#elif SIZEOF_WCHAR_T == 2
		result = libuna_utf16_string_size_from_byte_stream(
		          (uint8_t *) source,
		          source_length + 1,
		          libclocale_codepage,
		          &wide_source_size,
		          error );
#endif
	}
	if( result != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_CONVERSION,
		 LIBCERROR_CONVERSION_ERROR_GENERIC,
		 "%s: unable to determine wide string size.",
		 function );

		return( -1 );
	}

#endif /* defined( HAVE_WIDE_SYSTEM_CHARACTER ) */

	/* Bounds check that guards both copy variants below */
	if( wide_string_size < wide_source_size )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_VALUE_TOO_SMALL,
		 "%s: wide string too small.",
		 function );

		return( -1 );
	}
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
	/* Copies source_length characters; the terminator is written
	 * separately at index source_length, inside the checked size
	 */
	if( system_string_copy(
	     wide_string,
	     source,
	     source_length ) == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_MEMORY,
		 LIBCERROR_MEMORY_ERROR_COPY_FAILED,
		 "%s: unable to set wide string.",
		 function );

		return( -1 );
	}
	wide_string[ source_length ] = 0;
#else
	/* Second pass: convert into the caller's buffer */
	if( libclocale_codepage == 0 )
	{
#if SIZEOF_WCHAR_T == 4
		result = libuna_utf32_string_copy_from_utf8(
		          (libuna_utf32_character_t *) wide_string,
		          wide_string_size,
		          (uint8_t *) source,
		          source_length + 1,
		          error );
#elif SIZEOF_WCHAR_T == 2
		result = libuna_utf16_string_copy_from_utf8(
		          (libuna_utf16_character_t *) wide_string,
		          wide_string_size,
		          (uint8_t *) source,
		          source_length + 1,
		          error );
#endif
	}
	else
	{
#if SIZEOF_WCHAR_T == 4
		result = libuna_utf32_string_copy_from_byte_stream(
		          (libuna_utf32_character_t *) wide_string,
		          wide_string_size,
		          (uint8_t *) source,
		          source_length + 1,
		          libclocale_codepage,
		          error );
#elif SIZEOF_WCHAR_T == 2
		result = libuna_utf16_string_copy_from_byte_stream(
		          (libuna_utf16_character_t *) wide_string,
		          wide_string_size,
		          (uint8_t *) source,
		          source_length + 1,
		          libclocale_codepage,
		          error );
#endif
	}
	if( result != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_CONVERSION,
		 LIBCERROR_CONVERSION_ERROR_GENERIC,
		 "%s: unable to set wide string.",
		 function );

		return( -1 );
	}

#endif /* defined( HAVE_WIDE_SYSTEM_CHARACTER ) */

	return( 1 );
}

#endif /* defined( HAVE_WIDE_CHARACTER_TYPE ) */

/* Creates a file IO handle for test data
 *
 * Initializes a libbfio memory range handle, points it at data of
 * data_size bytes and opens it with LIBBFIO_OPEN_READ. The data pointer
 * is passed through to libbfio_memory_range_set; whether the buffer is
 * copied or referenced is not visible here, so the caller should
 * presumably keep it alive until the handle is closed - TODO confirm.
 *
 * Returns 1 if successful or -1 on error
 */
int evtx_test_open_file_io_handle(
     libbfio_handle_t **file_io_handle,
     uint8_t *data,
     size_t data_size,
     libcerror_error_t **error )
{
	static char *function = "evtx_test_open_file_io_handle";

	if( file_io_handle == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid file IO handle.",
		 function );

		return( -1 );
	}
	if( libbfio_memory_range_initialize(
	     file_io_handle,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
		 "%s: unable to create file IO handle.",
		 function );

		goto on_error;
	}
	if( libbfio_memory_range_set(
	     *file_io_handle,
	     data,
	     data_size,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_SET_FAILED,
		 "%s: unable to set memory range of file IO handle.",
		 function );

		goto on_error;
	}
	if( libbfio_handle_open(
	     *file_io_handle,
	     LIBBFIO_OPEN_READ,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_IO,
		 LIBCERROR_IO_ERROR_OPEN_FAILED,
		 "%s: unable to open file IO handle.",
		 function );

		goto on_error;
	}
	return( 1 );

on_error:
	/* NOTE(review): this also runs when the initialize call itself
	 * failed. If that can happen because *file_io_handle was already
	 * set by the caller, the free below releases a handle this function
	 * did not create - confirm against libbfio_memory_range_initialize.
	 */
	if( *file_io_handle != NULL )
	{
		libbfio_handle_free(
		 file_io_handle,
		 NULL );
	}
	return( -1 );
}

/* Closes a file IO handle for test data
 *
 * Closes and then frees the handle. A failing close does not stop the
 * free: the handle is released either way and -1 is returned if either
 * step failed.
 *
 * Returns 0 if successful or -1 on error
 */
int evtx_test_close_file_io_handle(
     libbfio_handle_t **file_io_handle,
     libcerror_error_t **error )
{
	static char *function = "evtx_test_close_file_io_handle";
	int result            = 0;

	if( file_io_handle == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid file IO handle.",
		 function );

		return( -1 );
	}
	if( libbfio_handle_close(
	     *file_io_handle,
	     error ) != 0 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_IO,
		 LIBCERROR_IO_ERROR_CLOSE_FAILED,
		 "%s: unable to close file IO handle.",
		 function );

		result = -1;
	}
	if( libbfio_handle_free(
	     file_io_handle,
	     error ) != 1 )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
		 "%s: unable to free file IO handle.",
		 function );

		result = -1;
	}
	return( result );
}

================================================
FILE: tests/evtx_test_functions.h
================================================
/*
 * Functions for testing
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see .
*/ #if !defined( _EVTX_TEST_FUNCTIONS_H ) #define _EVTX_TEST_FUNCTIONS_H #include #include #include "evtx_test_libbfio.h" #include "evtx_test_libcerror.h" #if defined( __cplusplus ) extern "C" { #endif int evtx_test_get_narrow_source( const system_character_t *source, char *narrow_string, size_t narrow_string_size, libcerror_error_t **error ); #if defined( HAVE_WIDE_CHARACTER_TYPE ) int evtx_test_get_wide_source( const system_character_t *source, wchar_t *wide_string, size_t wide_string_size, libcerror_error_t **error ); #endif /* defined( HAVE_WIDE_CHARACTER_TYPE ) */ int evtx_test_open_file_io_handle( libbfio_handle_t **file_io_handle, uint8_t *data, size_t data_size, libcerror_error_t **error ); int evtx_test_close_file_io_handle( libbfio_handle_t **file_io_handle, libcerror_error_t **error ); #if defined( __cplusplus ) } #endif #endif /* !defined( _EVTX_TEST_FUNCTIONS_H ) */ ================================================ FILE: tests/evtx_test_getopt.c ================================================ /* * GetOpt functions * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
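*/

#include
#include
#include
#include
#include

#if defined( HAVE_STDLIB_H ) || defined( WINAPI )
#include
#endif

#include "evtx_test_getopt.h"
#include "evtx_test_libcnotify.h"

#if !defined( HAVE_GETOPT )

/* The option index
 * Start with argument 1 (argument 0 is the program name)
 */
int optind = 1;

/* The current option argument
 */
system_character_t *optarg = NULL;

/* Value to indicate the current option
 */
system_integer_t optopt = 0;

/* The next option in a group
 */
system_character_t *next_option = NULL;

/* Get the program options
 * Function for platforms that do not have the getopt function
 *
 * Parsing state is kept in the file-level variables optind, optarg,
 * optopt and next_option, so successive calls continue where the
 * previous one stopped.
 *
 * argument_values and options_string are dereferenced without a NULL
 * check; callers must pass valid pointers.
 *
 * Returns the option character processed, or -1 when there are no more
 * options (end of arguments, an empty argument, an argument that does
 * not start with '-', a lone "-" or "--"),
 * ? if the option was not in the options string, : if the option argument was missing
 */
system_integer_t evtx_test_getopt(
                  int argument_count,
                  system_character_t * const argument_values[],
                  const system_character_t *options_string )
{
	system_character_t *argument_value = NULL;
	system_character_t *option_value   = NULL;
	static char *function              = "evtx_test_getopt";
	size_t options_string_length       = 0;

	if( next_option != NULL )
	{
		/* Continue inside a group of options such as "-ab";
		 * next_option is only set below when it points at a
		 * non-terminator character
		 */
		argument_value = next_option;
		next_option    = NULL;
	}
	else if( optind >= argument_count )
	{
		return( (system_integer_t) -1 );
	}
	else
	{
		argument_value = argument_values[ optind ];

		/* Check if the argument value is not an empty string
		 */
		if( *argument_value == (system_character_t) '\0' )
		{
			return( (system_integer_t) -1 );
		}
		/* Check if the first character is a option marker '-'
		 */
		if( *argument_value != (system_character_t) '-' )
		{
			return( (system_integer_t) -1 );
		}
		argument_value++;

		/* A lone "-" is not an option. Without this check the code
		 * below would take the end-of-string character as the option,
		 * advance argument_value past the terminator and then read
		 * one character beyond the end of the argument.
		 */
		if( *argument_value == (system_character_t) '\0' )
		{
			return( (system_integer_t) -1 );
		}
		/* Check if long options are provided '--'
		 */
		if( *argument_value == (system_character_t) '-' )
		{
			optind++;

			return( (system_integer_t) -1 );
		}
	}
	options_string_length = system_string_length(
	                         options_string );

	optopt       = *argument_value;
	option_value = system_string_search_character(
	                options_string,
	                optopt,
	                options_string_length );

	argument_value++;

	/* Check if an argument was specified or that the option was not found
	 * in the option string
	 */
	if( ( optopt == (system_integer_t) ':' )
	 || ( option_value == NULL ) )
	{
		if( *argument_value == (system_character_t) '\0' )
		{
			optind++;
		}
		/* A leading ':' in the options string suppresses the message
		 */
		if( ( *options_string != (system_character_t) ':' )
		 && ( optopt != (system_integer_t) '?' ) )
		{
			libcnotify_printf(
			 "%s: no such option: %" PRIc_SYSTEM ".\n",
			 function,
			 optopt );
		}
		return( (system_integer_t) '?' );
	}
	option_value++;

	/* Check if no option argument is required
	 */
	if( *option_value != (system_character_t) ':' )
	{
		optarg = NULL;

		if( *argument_value == (system_character_t) '\0' )
		{
			optind++;
		}
		else
		{
			/* Multiple options are grouped
			 */
			next_option = argument_value;
		}
	}
	/* Check if the argument is right after the option flag with no space in between
	 */
	else if( *argument_value != (system_character_t) '\0' )
	{
		optarg = argument_value;

		optind++;
	}
	else
	{
		optind++;

		/* Check if the argument was provided as the next argument value
		 */
		if( argument_count <= optind )
		{
			/* NOTE(review): *option_value is always ':' in this branch,
			 * so ':' is always returned and the message below is never
			 * printed. That matches the documented return value; if
			 * getopt-style behaviour was intended the test would be on
			 * *options_string - confirm before changing.
			 */
			if( *option_value == ':' )
			{
				return( (system_integer_t) ':' );
			}
			libcnotify_printf(
			 "%s: option: %" PRIc_SYSTEM " requires an argument.\n",
			 function,
			 optopt );

			return( (system_integer_t) '?' );
		}
		optarg = argument_values[ optind ];

		optind++;
	}
	return( optopt );
}

#endif /* !defined( HAVE_GETOPT ) */

================================================
FILE: tests/evtx_test_getopt.h
================================================
/*
 * GetOpt functions
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.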
* * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . */ #if !defined( _EVTX_TEST_GETOPT_H ) #define _EVTX_TEST_GETOPT_H #include #include /* unistd.h is included here to export getopt, optarg, optind and optopt */ #if defined( HAVE_UNISTD_H ) #include #endif #if defined( __cplusplus ) extern "C" { #endif #if defined( HAVE_GETOPT ) #define evtx_test_getopt( argument_count, argument_values, options_string ) \ getopt( argument_count, argument_values, options_string ) #else #if !defined( __CYGWIN__ ) extern int optind; extern system_character_t *optarg; extern system_integer_t optopt; #else int optind; system_character_t *optarg; system_integer_t optopt; #endif /* !defined( __CYGWIN__ ) */ system_integer_t evtx_test_getopt( int argument_count, system_character_t * const argument_values[], const system_character_t *options_string ); #endif /* defined( HAVE_GETOPT ) */ #if defined( __cplusplus ) } #endif #endif /* !defined( _EVTX_TEST_GETOPT_H ) */ ================================================ FILE: tests/evtx_test_io_handle.c ================================================ /* * Library io_handle type test program * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/

#include
#include
#include

#if defined( HAVE_STDLIB_H ) || defined( WINAPI )
#include
#endif

#include "evtx_test_libcerror.h"
#include "evtx_test_libevtx.h"
#include "evtx_test_macros.h"
#include "evtx_test_memory.h"
#include "evtx_test_unused.h"

#include "../libevtx/libevtx_io_handle.h"

#if defined( __GNUC__ ) && !defined( LIBEVTX_DLL_IMPORT )

/* Tests the libevtx_io_handle_initialize function
 *
 * Covers a regular initialize/free round trip, a NULL output pointer,
 * an output pointer that is already set and, when
 * HAVE_EVTX_TEST_MEMORY is defined, injected malloc and memset
 * failures.
 *
 * Returns 1 if successful or 0 if not
 */
int evtx_test_io_handle_initialize(
     void )
{
	libcerror_error_t *error        = NULL;
	libevtx_io_handle_t *io_handle  = NULL;
	int result                      = 0;

#if defined( HAVE_EVTX_TEST_MEMORY )
	int number_of_malloc_fail_tests = 1;
	int number_of_memset_fail_tests = 1;
	int test_number                 = 0;
#endif

	/* Test regular cases */
	result = libevtx_io_handle_initialize(
	          &io_handle,
	          &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "io_handle", io_handle );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	result = libevtx_io_handle_free(
	          &io_handle,
	          &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "io_handle", io_handle );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test error cases */
	result = libevtx_io_handle_initialize(
	          NULL,
	          &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free(
	 &error );

	/* A deliberately bogus non-NULL value: initialize is expected to
	 * refuse an output pointer that is already set. The pointer is reset
	 * to NULL before the assertions so that on_error never passes the
	 * bogus address to libevtx_io_handle_free.
	 */
	io_handle = (libevtx_io_handle_t *) 0x12345678UL;

	result = libevtx_io_handle_initialize(
	          &io_handle,
	          &error );

	io_handle = NULL;

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free(
	 &error );

#if defined( HAVE_EVTX_TEST_MEMORY )

	for( test_number = 0;
	     test_number < number_of_malloc_fail_tests;
	     test_number++ )
	{
		/* Test libevtx_io_handle_initialize with malloc failing */
		evtx_test_malloc_attempts_before_fail = test_number;

		result = libevtx_io_handle_initialize(
		          &io_handle,
		          &error );

		/* A counter that is not -1 after the call presumably means the
		 * injected failure never fired; the test then only disarms the
		 * counter and releases whatever was created.
		 */
		if( evtx_test_malloc_attempts_before_fail != -1 )
		{
			evtx_test_malloc_attempts_before_fail = -1;

			if( io_handle != NULL )
			{
				libevtx_io_handle_free(
				 &io_handle,
				 NULL );
			}
		}
		else
		{
			EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
			EVTX_TEST_ASSERT_IS_NULL( "io_handle", io_handle );
			EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

			libcerror_error_free(
			 &error );
		}
	}
	for( test_number = 0;
	     test_number < number_of_memset_fail_tests;
	     test_number++ )
	{
		/* Test libevtx_io_handle_initialize with memset failing */
		evtx_test_memset_attempts_before_fail = test_number;

		result = libevtx_io_handle_initialize(
		          &io_handle,
		          &error );

		if( evtx_test_memset_attempts_before_fail != -1 )
		{
			evtx_test_memset_attempts_before_fail = -1;

			if( io_handle != NULL )
			{
				libevtx_io_handle_free(
				 &io_handle,
				 NULL );
			}
		}
		else
		{
			/* io_handle must be NULL again after the failed call,
			 * i.e. a partially built handle is not handed back
			 */
			EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
			EVTX_TEST_ASSERT_IS_NULL( "io_handle", io_handle );
			EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

			libcerror_error_free(
			 &error );
		}
	}
#endif /* defined( HAVE_EVTX_TEST_MEMORY ) */

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free(
		 &error );
	}
	if( io_handle != NULL )
	{
		libevtx_io_handle_free(
		 &io_handle,
		 NULL );
	}
	return( 0 );
}

/* Tests the libevtx_io_handle_free function
 *
 * Only the NULL pointer error case is checked here; the regular case
 * is exercised by the other tests in this file.
 *
 * Returns 1 if successful or 0 if not
 */
int evtx_test_io_handle_free(
     void )
{
	libcerror_error_t *error = NULL;
	int result               = 0;

	/* Test error cases */
	result = libevtx_io_handle_free(
	          NULL,
	          &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free(
	 &error );

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free(
		 &error );
	}
	return( 0 );
}

/* Tests the libevtx_io_handle_clear function
 *
 * Covers a regular clear, a NULL handle and, when
 * HAVE_EVTX_TEST_MEMORY is defined, an injected memset failure.
 *
 * Returns 1 if successful or 0 if not
 */
int evtx_test_io_handle_clear(
     void )
{
	libcerror_error_t *error       = NULL;
	libevtx_io_handle_t *io_handle = NULL;
	int result                     = 0;

	/* Initialize test */
	result = libevtx_io_handle_initialize(
	          &io_handle,
	          &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "io_handle", io_handle );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test regular cases */
	result = libevtx_io_handle_clear(
	          io_handle,
	          &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test error cases */
	result = libevtx_io_handle_clear(
	          NULL,
	          &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free(
	 &error );

#if defined( HAVE_EVTX_TEST_MEMORY )

	/* Test libevtx_io_handle_clear with memset failing */
	evtx_test_memset_attempts_before_fail = 0;

	result = libevtx_io_handle_clear(
	          io_handle,
	          &error );

	/* Same convention as in the initialize test: a counter other than
	 * -1 presumably means the injected failure did not fire
	 */
	if( evtx_test_memset_attempts_before_fail != -1 )
	{
		evtx_test_memset_attempts_before_fail = -1;
	}
	else
	{
		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
		EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

		libcerror_error_free(
		 &error );
	}
#endif /* defined( HAVE_EVTX_TEST_MEMORY ) */

	/* Clean up */
	result = libevtx_io_handle_free(
	          &io_handle,
	          &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "io_handle", io_handle );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free(
		 &error );
	}
	if( io_handle != NULL )
	{
		libevtx_io_handle_free(
		 &io_handle,
		 NULL );
	}
	return( 0 );
}

#endif /* defined( __GNUC__ ) && !defined( LIBEVTX_DLL_IMPORT ) */

/* The main program
 *
 * Runs the io_handle tests only for GCC builds that do not import the
 * library as a DLL; in any other build no test is run and the program
 * reports success.
 */
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
int wmain(
     int argc EVTX_TEST_ATTRIBUTE_UNUSED,
     wchar_t * const argv[] EVTX_TEST_ATTRIBUTE_UNUSED )
#else
int main(
     int argc EVTX_TEST_ATTRIBUTE_UNUSED,
     char * const argv[] EVTX_TEST_ATTRIBUTE_UNUSED )
#endif
{
	EVTX_TEST_UNREFERENCED_PARAMETER( argc )
	EVTX_TEST_UNREFERENCED_PARAMETER( argv )

#if defined( __GNUC__ ) && !defined( LIBEVTX_DLL_IMPORT )

	EVTX_TEST_RUN( "libevtx_io_handle_initialize", evtx_test_io_handle_initialize );

	EVTX_TEST_RUN( "libevtx_io_handle_free", evtx_test_io_handle_free );

	EVTX_TEST_RUN( "libevtx_io_handle_clear", evtx_test_io_handle_clear );

	/* NOTE(review): the two functions below have no unit test in this
	 * file. Judging by their names they read the file header and chunk
	 * data, i.e. content taken from the file being examined, which
	 * makes them the most valuable ones to cover with malformed input.
	 */

	/* TODO: add tests for libevtx_io_handle_read_file_header */

	/* TODO: add tests for libevtx_io_handle_read_chunk */

#endif /* defined( __GNUC__ ) && !defined( LIBEVTX_DLL_IMPORT ) */

	return( EXIT_SUCCESS );

on_error:
	return( EXIT_FAILURE );
}

================================================
FILE: tests/evtx_test_libbfio.h
================================================
/*
 * The libbfio header wrapper
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see .
*/ #if !defined( _EVTX_TEST_LIBBFIO_H ) #define _EVTX_TEST_LIBBFIO_H #include /* Define HAVE_LOCAL_LIBBFIO for local use of libbfio */ #if defined( HAVE_LOCAL_LIBBFIO ) #include #include #include #include #include #include #include #include #else /* If libtool DLL support is enabled set LIBBFIO_DLL_IMPORT * before including libbfio.h */ #if defined( _WIN32 ) && defined( DLL_IMPORT ) #define LIBBFIO_DLL_IMPORT #endif #include #if defined( HAVE_MULTI_THREAD_SUPPORT ) && !defined( LIBBFIO_HAVE_MULTI_THREAD_SUPPORT ) #error Multi-threading support requires libbfio with multi-threading support #endif #endif /* defined( HAVE_LOCAL_LIBBFIO ) */ #endif /* !defined( _EVTX_TEST_LIBBFIO_H ) */ ================================================ FILE: tests/evtx_test_libcerror.h ================================================ /* * The libcerror header wrapper * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #if !defined( _EVTX_TEST_LIBCERROR_H ) #define _EVTX_TEST_LIBCERROR_H #include /* Define HAVE_LOCAL_LIBCERROR for local use of libcerror */ #if defined( HAVE_LOCAL_LIBCERROR ) #include #include #include #include #else /* If libtool DLL support is enabled set LIBCERROR_DLL_IMPORT * before including libcerror.h */ #if defined( _WIN32 ) && defined( DLL_IMPORT ) #define LIBCERROR_DLL_IMPORT #endif #include #endif /* defined( HAVE_LOCAL_LIBCERROR ) */ #endif /* !defined( _EVTX_TEST_LIBCERROR_H ) */ ================================================ FILE: tests/evtx_test_libclocale.h ================================================ /* * The libclocale header wrapper * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #if !defined( _EVTX_TEST_LIBCLOCALE_H ) #define _EVTX_TEST_LIBCLOCALE_H #include /* Define HAVE_LOCAL_LIBCLOCALE for local use of libclocale */ #if defined( HAVE_LOCAL_LIBCLOCALE ) #include #include #include #include #else /* If libtool DLL support is enabled set LIBCLOCALE_DLL_IMPORT * before including libclocale.h */ #if defined( _WIN32 ) && defined( DLL_IMPORT ) #define LIBCLOCALE_DLL_IMPORT #endif #include #endif /* defined( HAVE_LOCAL_LIBCLOCALE ) */ #endif /* !defined( _EVTX_TEST_LIBCLOCALE_H ) */ ================================================ FILE: tests/evtx_test_libcnotify.h ================================================ /* * The libcnotify header wrapper * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . 
*/ #if !defined( _EVTX_TEST_LIBCNOTIFY_H ) #define _EVTX_TEST_LIBCNOTIFY_H #include /* Define HAVE_LOCAL_LIBCNOTIFY for local use of libcnotify */ #if defined( HAVE_LOCAL_LIBCNOTIFY ) #include #include #include #include #else /* If libtool DLL support is enabled set LIBCNOTIFY_DLL_IMPORT * before including libcnotify.h */ #if defined( _WIN32 ) && defined( DLL_IMPORT ) #define LIBCNOTIFY_DLL_IMPORT #endif #include #endif /* defined( HAVE_LOCAL_LIBCNOTIFY ) */ #endif /* !defined( _EVTX_TEST_LIBCNOTIFY_H ) */ ================================================ FILE: tests/evtx_test_libevtx.h ================================================ /* * The libevtx header wrapper * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . */ #if !defined( _EVTX_TEST_LIBEVTX_H ) #define _EVTX_TEST_LIBEVTX_H #include #include #endif /* !defined( _EVTX_TEST_LIBEVTX_H ) */ ================================================ FILE: tests/evtx_test_libuna.h ================================================ /* * The libuna header wrapper * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. 
* * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . */ #if !defined( _EVTX_TEST_LIBUNA_H ) #define _EVTX_TEST_LIBUNA_H #include /* Define HAVE_LOCAL_LIBUNA for local use of libuna */ #if defined( HAVE_LOCAL_LIBUNA ) #include #include #include #include #include #include #include #include #include #include #include #include #include #include #else /* If libtool DLL support is enabled set LIBUNA_DLL_IMPORT * before including libuna.h */ #if defined( _WIN32 ) && defined( DLL_IMPORT ) #define LIBUNA_DLL_IMPORT #endif #include #endif /* defined( HAVE_LOCAL_LIBUNA ) */ #endif /* !defined( _EVTX_TEST_LIBUNA_H ) */ ================================================ FILE: tests/evtx_test_macros.h ================================================ /* * Macros for testing * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. 
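*
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see .
 */

#if !defined( _EVTX_TEST_MACROS_H )
#define _EVTX_TEST_MACROS_H

/* NOTE(review): the header names of the bare #include lines below were lost
 * when this listing was extracted; they are kept as found
 */
#include
#include

#if defined( HAVE_STDLIB_H ) || defined( WINAPI )
#include
#endif

/* Assertion macros for the test programs
 *
 * Every EVTX_TEST_ASSERT_* macro compares value against expected_value and,
 * when the check fails, prints file, line, name and both values to stdout
 * and jumps to a label named on_error, which the calling function must define.
 *
 * The macros expand to a bare if-block and are deliberately not wrapped in
 * do { } while( 0 ): tests/evtx_test_notify.c invokes EVTX_TEST_RUN without a
 * trailing semicolon. Do not use them as the body of an unbraced if or else.
 *
 * value and expected_value are expanded more than once, so pass expressions
 * without side effects.
 */

#define EVTX_TEST_ASSERT_EQUAL_INT( name, value, expected_value ) \
	if( ( value ) != ( expected_value ) ) \
	{ \
		fprintf( stdout, "%s:%d %s (%d) != %d\n", __FILE__, __LINE__, name, value, expected_value ); \
		goto on_error; \
	}

#define EVTX_TEST_ASSERT_NOT_EQUAL_INT( name, value, expected_value ) \
	if( ( value ) == ( expected_value ) ) \
	{ \
		fprintf( stdout, "%s:%d %s (%d) == %d\n", __FILE__, __LINE__, name, value, expected_value ); \
		goto on_error; \
	}

#define EVTX_TEST_ASSERT_GREATER_THAN_INT( name, value, expected_value ) \
	if( ( value ) <= ( expected_value ) ) \
	{ \
		fprintf( stdout, "%s:%d %s (%d) <= %d\n", __FILE__, __LINE__, name, value, expected_value ); \
		goto on_error; \
	}

#define EVTX_TEST_ASSERT_LESS_THAN_INT( name, value, expected_value ) \
	if( ( value ) >= ( expected_value ) ) \
	{ \
		fprintf( stdout, "%s:%d %s (%d) >= %d\n", __FILE__, __LINE__, name, value, expected_value ); \
		goto on_error; \
	}

/* NOTE(review): in the two INTPTR macros the format is "0x%08x" followed by
 * PRIjx, so PRIjx lands after an already complete %08x conversion. This looks
 * like it was meant to be "0x%08" PRIjx; PRIjx is defined outside this file,
 * confirm its expansion and the argument type before changing the format
 */
#define EVTX_TEST_ASSERT_EQUAL_INTPTR( name, value, expected_value ) \
	if( ( value ) != ( expected_value ) ) \
	{ \
		fprintf( stdout, "%s:%d %s (0x%08x" PRIjx ") != 0x%08x" PRIjx "\n", __FILE__, __LINE__, name, value, expected_value ); \
		goto on_error; \
	}

#define EVTX_TEST_ASSERT_NOT_EQUAL_INTPTR( name, value, expected_value ) \
	if( ( value ) == ( expected_value ) ) \
	{ \
		fprintf( stdout, "%s:%d %s (0x%08x" PRIjx ") == 0x%08x" PRIjx "\n", __FILE__, __LINE__, name, value, expected_value ); \
		goto on_error; \
	}

#define EVTX_TEST_ASSERT_EQUAL_FLOAT( name, value, expected_value ) \
	if( ( value ) != ( expected_value ) ) \
	{ \
		fprintf( stdout, "%s:%d %s (%f) != %f\n", __FILE__, __LINE__, name, value, expected_value ); \
		goto on_error; \
	}

#define EVTX_TEST_ASSERT_NOT_EQUAL_FLOAT( name, value, expected_value ) \
	if( ( value ) == ( expected_value ) ) \
	{ \
		fprintf( stdout, "%s:%d %s (%f) == %f\n", __FILE__, __LINE__, name, value, expected_value ); \
		goto on_error; \
	}

/* NOTE(review): EQUAL_SIZE prints with PRIzd, the same specifier the SSIZE
 * macros use; confirm whether an unsigned counterpart is available for size values
 */
#define EVTX_TEST_ASSERT_EQUAL_SIZE( name, value, expected_value ) \
	if( ( value ) != ( expected_value ) ) \
	{ \
		fprintf( stdout, "%s:%d %s (%" PRIzd ") != %" PRIzd "\n", __FILE__, __LINE__, name, value, expected_value ); \
		goto on_error; \
	}

#define EVTX_TEST_ASSERT_EQUAL_SSIZE( name, value, expected_value ) \
	if( ( value ) != ( expected_value ) ) \
	{ \
		fprintf( stdout, "%s:%d %s (%" PRIzd ") != %" PRIzd "\n", __FILE__, __LINE__, name, value, expected_value ); \
		goto on_error; \
	}

#define EVTX_TEST_ASSERT_NOT_EQUAL_SSIZE( name, value, expected_value ) \
	if( ( value ) == ( expected_value ) ) \
	{ \
		fprintf( stdout, "%s:%d %s (%" PRIzd ") == %" PRIzd "\n", __FILE__, __LINE__, name, value, expected_value ); \
		goto on_error; \
	}

#define EVTX_TEST_ASSERT_EQUAL_INT8( name, value, expected_value ) \
	if( ( value ) != ( expected_value ) ) \
	{ \
		fprintf( stdout, "%s:%d %s (%" PRIi8 ") != %" PRIi8 "\n", __FILE__, __LINE__, name, value, expected_value ); \
		goto on_error; \
	}

#define EVTX_TEST_ASSERT_NOT_EQUAL_INT8( name, value, expected_value ) \
	if( ( value ) == ( expected_value ) ) \
	{ \
		fprintf( stdout, "%s:%d %s (%" PRIi8 ") == %" PRIi8 "\n", __FILE__, __LINE__, name, value, expected_value ); \
		goto on_error; \
	}

/* The unsigned 8-bit and 16-bit macros print both operands with the unsigned
 * specifier, matching the UINT32 and UINT64 macros
 */
#define EVTX_TEST_ASSERT_EQUAL_UINT8( name, value, expected_value ) \
	if( ( value ) != ( expected_value ) ) \
	{ \
		fprintf( stdout, "%s:%d %s (%" PRIu8 ") != %" PRIu8 "\n", __FILE__, __LINE__, name, value, expected_value ); \
		goto on_error; \
	}

#define EVTX_TEST_ASSERT_LESS_THAN_UINT8( name, value, expected_value ) \
	if( ( value ) >= ( expected_value ) ) \
	{ \
		fprintf( stdout, "%s:%d %s (%" PRIu8 ") >= %" PRIu8 "\n", __FILE__, __LINE__, name, value, expected_value ); \
		goto on_error; \
	}

#define EVTX_TEST_ASSERT_EQUAL_INT16( name, value, expected_value ) \
	if( ( value ) != ( expected_value ) ) \
	{ \
		fprintf( stdout, "%s:%d %s (%" PRIi16 ") != %" PRIi16 "\n", __FILE__, __LINE__, name, value, expected_value ); \
		goto on_error; \
	}

#define EVTX_TEST_ASSERT_NOT_EQUAL_INT16( name, value, expected_value ) \
	if( ( value ) == ( expected_value ) ) \
	{ \
		fprintf( stdout, "%s:%d %s (%" PRIi16 ") == %" PRIi16 "\n", __FILE__, __LINE__, name, value, expected_value ); \
		goto on_error; \
	}

#define EVTX_TEST_ASSERT_EQUAL_UINT16( name, value, expected_value ) \
	if( ( value ) != ( expected_value ) ) \
	{ \
		fprintf( stdout, "%s:%d %s (%" PRIu16 ") != %" PRIu16 "\n", __FILE__, __LINE__, name, value, expected_value ); \
		goto on_error; \
	}

#define EVTX_TEST_ASSERT_LESS_THAN_UINT16( name, value, expected_value ) \
	if( ( value ) >= ( expected_value ) ) \
	{ \
		fprintf( stdout, "%s:%d %s (%" PRIu16 ") >= %" PRIu16 "\n", __FILE__, __LINE__, name, value, expected_value ); \
		goto on_error; \
	}

#define EVTX_TEST_ASSERT_EQUAL_INT32( name, value, expected_value ) \
	if( ( value ) != ( expected_value ) ) \
	{ \
		fprintf( stdout, "%s:%d %s (%" PRIi32 ") != %" PRIi32 "\n", __FILE__, __LINE__, name, value, expected_value ); \
		goto on_error; \
	}

#define EVTX_TEST_ASSERT_NOT_EQUAL_INT32( name, value, expected_value ) \
	if( ( value ) == ( expected_value ) ) \
	{ \
		fprintf( stdout, "%s:%d %s (%" PRIi32 ") == %" PRIi32 "\n", __FILE__, __LINE__, name, value, expected_value ); \
		goto on_error; \
	}

#define EVTX_TEST_ASSERT_EQUAL_UINT32( name, value, expected_value ) \
	if( ( value ) != ( expected_value ) ) \
	{ \
		fprintf( stdout, "%s:%d %s (%" PRIu32 ") != %" PRIu32 "\n", __FILE__, __LINE__, name, value, expected_value ); \
		goto on_error; \
	}

#define EVTX_TEST_ASSERT_LESS_THAN_UINT32( name, value, expected_value ) \
	if( ( value ) >= ( expected_value ) ) \
	{ \
		fprintf( stdout, "%s:%d %s (%" PRIu32 ") >= %" PRIu32 "\n", __FILE__, __LINE__, name, value, expected_value ); \
		goto on_error; \
	}

#define EVTX_TEST_ASSERT_EQUAL_INT64( name, value, expected_value ) \
	if( ( value ) != ( expected_value ) ) \
	{ \
		fprintf( stdout, "%s:%d %s (%" PRIi64 ") != %" PRIi64 "\n", __FILE__, __LINE__, name, value, expected_value ); \
		goto on_error; \
	}

#define EVTX_TEST_ASSERT_NOT_EQUAL_INT64( name, value, expected_value ) \
	if( ( value ) == ( expected_value ) ) \
	{ \
		fprintf( stdout, "%s:%d %s (%" PRIi64 ") == %" PRIi64 "\n", __FILE__, __LINE__, name, value, expected_value ); \
		goto on_error; \
	}

#define EVTX_TEST_ASSERT_EQUAL_UINT64( name, value, expected_value ) \
	if( ( value ) != ( expected_value ) ) \
	{ \
		fprintf( stdout, "%s:%d %s (%" PRIu64 ") != %" PRIu64 "\n", __FILE__, __LINE__, name, value, expected_value ); \
		goto on_error; \
	}

#define EVTX_TEST_ASSERT_LESS_THAN_UINT64( name, value, expected_value ) \
	if( ( value ) >= ( expected_value ) ) \
	{ \
		fprintf( stdout, "%s:%d %s (%" PRIu64 ") >= %" PRIu64 "\n", __FILE__, __LINE__, name, value, expected_value ); \
		goto on_error; \
	}

#define EVTX_TEST_ASSERT_IS_NOT_NULL( name, value ) \
	if( ( value ) == NULL ) \
	{ \
		fprintf( stdout, "%s:%d %s == NULL\n", __FILE__, __LINE__, name ); \
		goto on_error; \
	}

#define EVTX_TEST_ASSERT_IS_NULL( name, value ) \
	if( ( value ) != NULL ) \
	{ \
		fprintf( stdout, "%s:%d %s != NULL\n", __FILE__, __LINE__, name ); \
		goto on_error; \
	}

/* Runs a test function that takes no arguments, any return value other
 * than 1 is reported and jumps to on_error
 */
#define EVTX_TEST_RUN( name, function ) \
	if( function() != 1 ) \
	{ \
		fprintf( stdout, "Unable to run test: %s\n", name ); \
		goto on_error; \
	}

#if !defined( __BORLANDC__ ) || ( __BORLANDC__ >= 0x0560 )

/* Same as EVTX_TEST_RUN, the variable arguments are passed to the test function
 */
#define EVTX_TEST_RUN_WITH_ARGS( name, function, ... ) \
	if( function( __VA_ARGS__ ) != 1 ) \
	{ \
		fprintf( stdout, "Unable to run test: %s\n", name ); \
		goto on_error; \
	}

#endif /* !defined( __BORLANDC__ ) || ( __BORLANDC__ >= 0x0560 ) */

/* Prints the backtrace of error to stdout
 */
#define EVTX_TEST_FPRINT_ERROR( error ) \
	libcerror_error_backtrace_fprint( error, stdout );

#endif /* !defined( _EVTX_TEST_MACROS_H ) */

================================================
FILE: tests/evtx_test_memory.c
================================================
/*
 * Memory allocation functions for testing
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.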
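*
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see .
 */

/* NOTE(review): the header names of the bare #include lines below were lost
 * when this listing was extracted; they are kept as found
 */
#include

#if defined( HAVE_STDLIB_H ) || defined( WINAPI )
#include
#endif

#if defined( HAVE_GNU_DL_DLSYM ) && defined( __GNUC__ )
#define __USE_GNU
#include
#undef __USE_GNU
#endif

#include "evtx_test_memory.h"

#if defined( HAVE_EVTX_TEST_MEMORY )

/* Test-only replacements for malloc, memcpy, memset and realloc
 *
 * A program that links this file gets these definitions in place of the
 * C library ones for every call it makes, so the file belongs in test
 * binaries only. Each replacement looks up the next definition of the same
 * symbol with dlsym( RTLD_NEXT, ... ) on first use and forwards to it.
 *
 * Failure injection is driven by the evtx_test_*_attempts_before_fail counters:
 *   -1  no failure is injected
 *    0  the next call returns NULL and the counter is set back to -1
 *    N  (N > 0) the counter is decremented on each call, so the call made
 *       after N successful ones fails
 *
 * The counters are plain int globals that are changed without any locking.
 */
static void *(*evtx_test_real_malloc)(size_t)                       = NULL;
static void *(*evtx_test_real_memcpy)(void *, const void *, size_t) = NULL;
static void *(*evtx_test_real_memset)(void *, int, size_t)          = NULL;
static void *(*evtx_test_real_realloc)(void *, size_t)              = NULL;

int evtx_test_malloc_attempts_before_fail  = -1;
int evtx_test_memcpy_attempts_before_fail  = -1;
int evtx_test_memset_attempts_before_fail  = -1;
int evtx_test_realloc_attempts_before_fail = -1;

/* Custom malloc for testing memory error cases
 * Note this function might fail if compiled with optimization
 * Returns a pointer to newly allocated data or NULL
 */
void *malloc( size_t size )
{
	void *ptr = NULL;

	if( evtx_test_real_malloc == NULL )
	{
		evtx_test_real_malloc = dlsym( RTLD_NEXT, "malloc" );
	}
	if( evtx_test_real_malloc == NULL )
	{
		/* The lookup failed: report an allocation failure instead of
		 * calling through a NULL function pointer
		 */
		return( NULL );
	}
	if( evtx_test_malloc_attempts_before_fail == 0 )
	{
		/* Injected failure, the counter is disarmed so it fires once
		 */
		evtx_test_malloc_attempts_before_fail = -1;

		return( NULL );
	}
	else if( evtx_test_malloc_attempts_before_fail > 0 )
	{
		evtx_test_malloc_attempts_before_fail--;
	}
	ptr = evtx_test_real_malloc( size );

	return( ptr );
}

/* Custom memcpy for testing memory error cases
 * Note this function might fail if compiled with optimization and as a shared library
 * Returns the value returned by the real memcpy for destination,
 * or NULL on an injected failure, in which case nothing is copied
 */
void *memcpy( void *destination, const void *source, size_t size )
{
	if( evtx_test_real_memcpy == NULL )
	{
		evtx_test_real_memcpy = dlsym( RTLD_NEXT, "memcpy" );
	}
	if( evtx_test_real_memcpy == NULL )
	{
		/* The lookup failed: report it the same way as an injected
		 * failure instead of calling through a NULL function pointer
		 */
		return( NULL );
	}
	if( evtx_test_memcpy_attempts_before_fail == 0 )
	{
		evtx_test_memcpy_attempts_before_fail = -1;

		return( NULL );
	}
	else if( evtx_test_memcpy_attempts_before_fail > 0 )
	{
		evtx_test_memcpy_attempts_before_fail--;
	}
	destination = evtx_test_real_memcpy( destination, source, size );

	return( destination );
}

/* Custom memset for testing memory error cases
 * Note this function might fail if compiled with optimization and as a shared library
 * Returns the value returned by the real memset for ptr,
 * or NULL on an injected failure, in which case nothing is written
 */
void *memset( void *ptr, int constant, size_t size )
{
	if( evtx_test_real_memset == NULL )
	{
		evtx_test_real_memset = dlsym( RTLD_NEXT, "memset" );
	}
	if( evtx_test_real_memset == NULL )
	{
		/* The lookup failed: report it the same way as an injected
		 * failure instead of calling through a NULL function pointer
		 */
		return( NULL );
	}
	if( evtx_test_memset_attempts_before_fail == 0 )
	{
		evtx_test_memset_attempts_before_fail = -1;

		return( NULL );
	}
	else if( evtx_test_memset_attempts_before_fail > 0 )
	{
		evtx_test_memset_attempts_before_fail--;
	}
	ptr = evtx_test_real_memset( ptr, constant, size );

	return( ptr );
}

/* Custom realloc for testing memory error cases
 * Note this function might fail if compiled with optimization
 * Returns a pointer to reallocated data or NULL
 */
void *realloc( void *ptr, size_t size )
{
	if( evtx_test_real_realloc == NULL )
	{
		evtx_test_real_realloc = dlsym( RTLD_NEXT, "realloc" );
	}
	if( evtx_test_real_realloc == NULL )
	{
		/* The lookup failed: report a reallocation failure instead of
		 * calling through a NULL function pointer
		 */
		return( NULL );
	}
	if( evtx_test_realloc_attempts_before_fail == 0 )
	{
		evtx_test_realloc_attempts_before_fail = -1;

		return( NULL );
	}
	else if( evtx_test_realloc_attempts_before_fail > 0 )
	{
		evtx_test_realloc_attempts_before_fail--;
	}
	ptr = evtx_test_real_realloc( ptr, size );

	return( ptr );
}

#endif /* defined( HAVE_EVTX_TEST_MEMORY ) */

================================================
FILE: tests/evtx_test_memory.h
================================================
/*
 * Memory allocation functions for testing
 *
 * Copyright (C) 2011-2025, Joachim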
Metz * * Refer to AUTHORS for acknowledgements. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see . */ #if !defined( _EVTX_TEST_MEMORY_H ) #define _EVTX_TEST_MEMORY_H #include #if defined( __cplusplus ) extern "C" { #endif #if defined( HAVE_GNU_DL_DLSYM ) && defined( __GNUC__ ) && !defined( LIBEVTX_DLL_IMPORT ) && !defined( __arm__ ) && !defined( __clang__ ) && !defined( __CYGWIN__ ) && !defined( __hppa__ ) && !defined( __loongarch__ ) && !defined( __mips__ ) && !defined( __riscv ) && !defined( __sparc__ ) && !defined( HAVE_ASAN ) #define HAVE_EVTX_TEST_MEMORY 1 #endif #if defined( HAVE_EVTX_TEST_MEMORY ) extern int evtx_test_malloc_attempts_before_fail; extern int evtx_test_memcpy_attempts_before_fail; extern int evtx_test_memset_attempts_before_fail; extern int evtx_test_realloc_attempts_before_fail; #endif /* defined( HAVE_EVTX_TEST_MEMORY ) */ #if defined( __cplusplus ) } #endif #endif /* !defined( _EVTX_TEST_MEMORY_H ) */ ================================================ FILE: tests/evtx_test_notify.c ================================================ /* * Library notification functions test program * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. 
*
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see .
 */

/* NOTE(review): the header names of the bare #include lines below were lost
 * when this listing was extracted; they are kept as found
 */
#include
#include
#include

#if defined( HAVE_STDLIB_H ) || defined( WINAPI )
#include
#endif

#include "evtx_test_libcerror.h"
#include "evtx_test_libevtx.h"
#include "evtx_test_macros.h"
#include "evtx_test_unused.h"

/* Tests the libevtx_notify_set_verbose function
 * The function is only invoked, nothing is asserted
 * Returns 1 if successful or 0 if not
 */
int evtx_test_notify_set_verbose( void )
{
	/* Test invocation of function only
	 */
	libevtx_notify_set_verbose( 0 );

	return( 1 );
}

/* Tests the libevtx_notify_set_stream function
 * Expects a NULL stream to be accepted with result 1 and no error
 * Returns 1 if successful or 0 if not
 */
int evtx_test_notify_set_stream( void )
{
	libcerror_error_t *error = NULL;
	int result               = 0;

	/* Test regular cases
	 */
	result = libevtx_notify_set_stream( NULL, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test error cases
	 */
	/* TODO test libcnotify_stream_set failure */

	return( 1 );

/* Target of the goto in the EVTX_TEST_ASSERT_* macros
 */
on_error:
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	return( 0 );
}

/* Tests the libevtx_notify_stream_open function
 * Opens "notify_stream.log", a relative path, so the file is created in the
 * working directory of the test process; this test does not remove it
 * Returns 1 if successful or 0 if not
 */
int evtx_test_notify_stream_open( void )
{
	libcerror_error_t *error = NULL;
	int result               = 0;

	/* Test regular cases
	 */
	result = libevtx_notify_stream_open( "notify_stream.log", &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test error cases
	 */
	result = libevtx_notify_stream_open( NULL, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	/* Clean up
	 * The close call is expected to return 0 here
	 * NOTE(review): on_error does not close the stream, so a failing
	 * assertion above leaves the stream opened by this test open
	 */
	result = libevtx_notify_stream_close( &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 0 );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	return( 0 );
}

/* Tests the libevtx_notify_stream_close function
 * Expects the close call to return 0 and set no error
 * Returns 1 if successful or 0 if not
 */
int evtx_test_notify_stream_close( void )
{
	libcerror_error_t *error = NULL;
	int result               = 0;

	/* Test regular cases
	 */
	result = libevtx_notify_stream_close( &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 0 );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test error cases
	 */
	/* TODO test libcnotify_stream_close failure */

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	return( 0 );
}

/* The main program
 * Runs the notify tests in order and returns EXIT_SUCCESS, or EXIT_FAILURE
 * as soon as one of them does not return 1
 */
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
int wmain(
     int argc EVTX_TEST_ATTRIBUTE_UNUSED,
     wchar_t * const argv[] EVTX_TEST_ATTRIBUTE_UNUSED )
#else
int main(
     int argc EVTX_TEST_ATTRIBUTE_UNUSED,
     char * const argv[] EVTX_TEST_ATTRIBUTE_UNUSED )
#endif
{
	EVTX_TEST_UNREFERENCED_PARAMETER( argc )
	EVTX_TEST_UNREFERENCED_PARAMETER( argv )

	/* The EVTX_TEST_RUN invocations below carry no trailing semicolon,
	 * the macro expands to a complete if-block
	 */
	EVTX_TEST_RUN( "libevtx_notify_set_verbose", evtx_test_notify_set_verbose )

	EVTX_TEST_RUN( "libevtx_notify_set_stream", evtx_test_notify_set_stream )

	EVTX_TEST_RUN( "libevtx_notify_stream_open", evtx_test_notify_stream_open )

	EVTX_TEST_RUN( "libevtx_notify_stream_close", evtx_test_notify_stream_close )

	return( EXIT_SUCCESS );

on_error:
	return( EXIT_FAILURE );
}

================================================
FILE: tests/evtx_test_record.c
================================================
/*
 * Library record type test program
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
*
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see .
 */

/* NOTE(review): the header names of the bare #include lines below were lost
 * when this listing was extracted; they are kept as found
 */
#include
#include
#include

#if defined( HAVE_STDLIB_H ) || defined( WINAPI )
#include
#endif

#include "evtx_test_libcerror.h"
#include "evtx_test_libevtx.h"
#include "evtx_test_macros.h"
#include "evtx_test_memory.h"
#include "evtx_test_unused.h"

#include "../libevtx/libevtx_record.h"

/* Tests the libevtx_record_free function
 * Only the NULL record argument is exercised here, it is expected to
 * return -1 and set an error
 * Returns 1 if successful or 0 if not
 */
int evtx_test_record_free( void )
{
	libcerror_error_t *error = NULL;
	int result               = 0;

	/* Test error cases
	 */
	result = libevtx_record_free( NULL, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	return( 1 );

/* Target of the goto in the EVTX_TEST_ASSERT_* macros
 */
on_error:
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	return( 0 );
}

/* The main program
 * Runs evtx_test_record_free and returns EXIT_SUCCESS, or EXIT_FAILURE when
 * it does not return 1
 * Every other record function is listed below as a TODO only, so this
 * program does not exercise the record accessors or
 * libevtx_record_parse_data_with_template_definition
 */
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
int wmain(
     int argc EVTX_TEST_ATTRIBUTE_UNUSED,
     wchar_t * const argv[] EVTX_TEST_ATTRIBUTE_UNUSED )
#else
int main(
     int argc EVTX_TEST_ATTRIBUTE_UNUSED,
     char * const argv[] EVTX_TEST_ATTRIBUTE_UNUSED )
#endif
{
	EVTX_TEST_UNREFERENCED_PARAMETER( argc )
	EVTX_TEST_UNREFERENCED_PARAMETER( argv )

#if defined( __GNUC__ ) && !defined( LIBEVTX_DLL_IMPORT )

	/* TODO: add tests for libevtx_record_initialize */

#endif /* defined( __GNUC__ ) && !defined( LIBEVTX_DLL_IMPORT ) */

	EVTX_TEST_RUN( "libevtx_record_free", evtx_test_record_free );

#if defined( __GNUC__ ) && !defined( LIBEVTX_DLL_IMPORT )

	/* TODO: add tests for libevtx_record_get_offset */

	/* TODO: add tests for libevtx_record_get_identifier */

	/* TODO: add tests for libevtx_record_get_written_time */

	/* TODO: add tests for libevtx_record_get_event_identifier */

	/* TODO: add tests for libevtx_record_get_event_identifier_qualifiers */

	/* TODO: add tests for libevtx_record_get_event_level */

	/* TODO: add tests for libevtx_record_get_utf8_provider_identifier_size */

	/* TODO: add tests for libevtx_record_get_utf8_provider_identifier */

	/* TODO: add tests for libevtx_record_get_utf16_provider_identifier_size */

	/* TODO: add tests for libevtx_record_get_utf16_provider_identifier */

	/* TODO: add tests for libevtx_record_get_utf8_source_name_size */

	/* TODO: add tests for libevtx_record_get_utf8_source_name */

	/* TODO: add tests for libevtx_record_get_utf16_source_name_size */

	/* TODO: add tests for libevtx_record_get_utf16_source_name */

	/* TODO: add tests for libevtx_record_get_utf8_computer_name_size */

	/* TODO: add tests for libevtx_record_get_utf8_computer_name */

	/* TODO: add tests for libevtx_record_get_utf16_computer_name_size */

	/* TODO: add tests for libevtx_record_get_utf16_computer_name */

	/* TODO: add tests for libevtx_record_get_utf8_user_security_identifier_size */

	/* TODO: add tests for libevtx_record_get_utf8_user_security_identifier */

	/* TODO: add tests for libevtx_record_get_utf16_user_security_identifier_size */

	/* TODO: add tests for libevtx_record_get_utf16_user_security_identifier */

	/* TODO: add tests for libevtx_record_parse_data_with_template_definition */

	/* TODO: add tests for libevtx_record_get_number_of_strings */

	/* TODO: add tests for libevtx_record_get_utf8_string_size */

	/* TODO: add tests for libevtx_record_get_utf8_string */

	/* TODO: add tests for libevtx_record_get_utf16_string_size */

	/* TODO: add tests for libevtx_record_get_utf16_string */

	/* TODO: add tests for libevtx_record_get_data_size */

	/* TODO: add tests for libevtx_record_get_data */

	/* TODO: add tests for libevtx_record_get_utf8_xml_string_size */

	/* TODO: add tests for libevtx_record_get_utf8_xml_string */

	/* TODO: add tests for libevtx_record_get_utf16_xml_string_size */

	/* TODO: add tests for libevtx_record_get_utf16_xml_string */

#endif /* defined( __GNUC__ ) && !defined( LIBEVTX_DLL_IMPORT ) */

	return( EXIT_SUCCESS );

on_error:
	return( EXIT_FAILURE );
}

================================================
FILE: tests/evtx_test_record_values.c
================================================
/*
 * Library record_values type test program
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see .
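*/

/* NOTE(review): the bare #include directives below have lost their header names in this copy */
#include
#include
#include

#if defined( HAVE_STDLIB_H ) || defined( WINAPI )
#include
#endif

#include "evtx_test_libcerror.h"
#include "evtx_test_libevtx.h"
#include "evtx_test_macros.h"
#include "evtx_test_memory.h"
#include "evtx_test_unused.h"

#include "../libevtx/libevtx_record_values.h"

#if defined( __GNUC__ ) && !defined( LIBEVTX_DLL_IMPORT )

/* Tests the libevtx_record_values_initialize function
 * Covers a regular initialize and free round trip, a NULL argument, a value that
 * is already set and, when HAVE_EVTX_TEST_MEMORY is defined, injected malloc and
 * memset failures
 * Returns 1 if successful or 0 if not
 */
int evtx_test_record_values_initialize( void )
{
	libcerror_error_t *error = NULL;
	libevtx_record_values_t *record_values = NULL;
	int result = 0;

#if defined( HAVE_EVTX_TEST_MEMORY )
	int number_of_malloc_fail_tests = 1;
	int number_of_memset_fail_tests = 1;
	int test_number = 0;
#endif

	/* Test regular cases */
	result = libevtx_record_values_initialize( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	result = libevtx_record_values_free( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test error cases */
	result = libevtx_record_values_initialize( NULL, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	/* A non-NULL placeholder stands in for a value that is already set,
	 * the address is never meant to be dereferenced
	 */
	record_values = (libevtx_record_values_t *) 0x12345678UL;

	result = libevtx_record_values_initialize( &record_values, &error );

	/* Drop the placeholder before asserting: the assert macros presumably jump to
	 * on_error on failure, where a non-NULL record_values is passed to
	 * libevtx_record_values_free, which must never receive this fake address
	 */
	record_values = NULL;

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

#if defined( HAVE_EVTX_TEST_MEMORY )

	for( test_number = 0; test_number < number_of_malloc_fail_tests; test_number++ )
	{
		/* Test libevtx_record_values_initialize with malloc failing */
		evtx_test_malloc_attempts_before_fail = test_number;

		result = libevtx_record_values_initialize( &record_values, &error );

		/* A counter other than -1 presumably means the injected failure did not fire,
		 * in that case disarm the hook and release whatever was allocated
		 */
		if( evtx_test_malloc_attempts_before_fail != -1 )
		{
			evtx_test_malloc_attempts_before_fail = -1;

			if( record_values != NULL )
			{
				libevtx_record_values_free( &record_values, NULL );
			}
		}
		else
		{
			/* The failure must be reported and must not leave a half-built object behind */
			EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
			EVTX_TEST_ASSERT_IS_NULL( "record_values", record_values );
			EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

			libcerror_error_free( &error );
		}
	}
	for( test_number = 0; test_number < number_of_memset_fail_tests; test_number++ )
	{
		/* Test libevtx_record_values_initialize with memset failing */
		evtx_test_memset_attempts_before_fail = test_number;

		result = libevtx_record_values_initialize( &record_values, &error );

		/* Same handling as the malloc loop above, for the memset hook */
		if( evtx_test_memset_attempts_before_fail != -1 )
		{
			evtx_test_memset_attempts_before_fail = -1;

			if( record_values != NULL )
			{
				libevtx_record_values_free( &record_values, NULL );
			}
		}
		else
		{
			EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
			EVTX_TEST_ASSERT_IS_NULL( "record_values", record_values );
			EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

			libcerror_error_free( &error );
		}
	}
#endif /* defined( HAVE_EVTX_TEST_MEMORY ) */

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	if( record_values != NULL )
	{
		libevtx_record_values_free( &record_values, NULL );
	}
	return( 0 );
}

/* Tests the libevtx_record_values_free function
 * Only the error path is covered here: a NULL argument must be rejected
 * Returns 1 if successful or 0 if not
 */
int evtx_test_record_values_free( void )
{
	libcerror_error_t *error = NULL;
	int result = 0;

	/* Test error cases */
	result = libevtx_record_values_free( NULL, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	return( 0 );
}

/* Tests the libevtx_record_values_clone function
 * Returns 1 if successful or 0 if not
 */
int evtx_test_record_values_clone( void )
{
	libcerror_error_t *error = NULL;
	libevtx_record_values_t *destination_record_values = NULL;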
libevtx_record_values_t *source_record_values = NULL;
	int result = 0;

	/* Initialize test */
	result = libevtx_record_values_initialize( &source_record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "source_record_values", source_record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test regular cases */
	result = libevtx_record_values_clone( &destination_record_values, source_record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "destination_record_values", destination_record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	result = libevtx_record_values_free( &destination_record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "destination_record_values", destination_record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* A NULL source is expected to succeed and to leave the destination NULL */
	result = libevtx_record_values_clone( &destination_record_values, NULL, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "destination_record_values", destination_record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test error cases */
	/* NOTE(review): only the NULL destination argument is covered, there is no case
	 * for a destination that already holds a value - consider adding one
	 */
	result = libevtx_record_values_clone( NULL, source_record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	/* Clean up */
	result = libevtx_record_values_free( &source_record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "source_record_values", source_record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	if( destination_record_values != NULL )
	{
		libevtx_record_values_free( &destination_record_values, NULL );
	}
	if( source_record_values != NULL )
	{
		libevtx_record_values_free( &source_record_values, NULL );
	}
	return( 0 );
}

/* Tests the libevtx_record_values_get_event_identifier function
 * The record_values object is only initialized, this test reads no record data into it
 * Returns 1 if successful or 0 if not
 */
int evtx_test_record_values_get_event_identifier( void )
{
	libcerror_error_t *error = NULL;
	libevtx_record_values_t *record_values = NULL;
	uint32_t event_identifier = 0;
	int event_identifier_is_set = 0;
	int result = 0;

	/* Initialize test */
	result = libevtx_record_values_initialize( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test regular cases */
	/* Any result other than -1 is accepted, the value itself is not checked */
	result = libevtx_record_values_get_event_identifier( record_values, &event_identifier, &error );

	EVTX_TEST_ASSERT_NOT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	event_identifier_is_set = result;

	/* Test error cases */
	result = libevtx_record_values_get_event_identifier( NULL, &event_identifier, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	/* NOTE(review): the NULL output argument case only runs when the getter reported
	 * a value above, it is skipped if the getter returned 0 - confirm it is covered
	 */
	if( event_identifier_is_set != 0 )
	{
		result = libevtx_record_values_get_event_identifier( record_values, NULL, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
		EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

		libcerror_error_free( &error );
	}
	/* Clean up */
	result = libevtx_record_values_free( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	if( record_values != NULL )
	{
		libevtx_record_values_free( &record_values, NULL );
	}
	return( 0 );
}

/* Tests the libevtx_record_values_get_event_identifier_qualifiers function
 * Returns 1 if successful or 0 if not
 */
int evtx_test_record_values_get_event_identifier_qualifiers( void )
{
	libcerror_error_t *error = NULL;
	libevtx_record_values_t *record_values = NULL;
uint32_t event_identifier_qualifiers = 0;
	int event_identifier_qualifiers_is_set = 0;
	int result = 0;

	/* Initialize test */
	result = libevtx_record_values_initialize( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test regular cases */
	result = libevtx_record_values_get_event_identifier_qualifiers( record_values, &event_identifier_qualifiers, &error );

	EVTX_TEST_ASSERT_NOT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	event_identifier_qualifiers_is_set = result;

	/* Test error cases */
	result = libevtx_record_values_get_event_identifier_qualifiers( NULL, &event_identifier_qualifiers, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	/* NOTE(review): skipped when the getter returned 0 above - confirm the NULL
	 * output argument case is covered
	 */
	if( event_identifier_qualifiers_is_set != 0 )
	{
		result = libevtx_record_values_get_event_identifier_qualifiers( record_values, NULL, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
		EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

		libcerror_error_free( &error );
	}
	/* Clean up */
	result = libevtx_record_values_free( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	if( record_values != NULL )
	{
		libevtx_record_values_free( &record_values, NULL );
	}
	return( 0 );
}

/* Tests the libevtx_record_values_get_event_level function
 * The record_values object is only initialized, this test reads no record data into it
 * Returns 1 if successful or 0 if not
 */
int evtx_test_record_values_get_event_level( void )
{
	libcerror_error_t *error = NULL;
	libevtx_record_values_t *record_values = NULL;
	uint8_t event_level = 0;
	int event_level_is_set = 0;
	int result = 0;

	/* Initialize test */
	result = libevtx_record_values_initialize( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test regular cases */
	/* Any result other than -1 is accepted, the value itself is not checked */
	result = libevtx_record_values_get_event_level( record_values, &event_level, &error );

	EVTX_TEST_ASSERT_NOT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	event_level_is_set = result;

	/* Test error cases */
	result = libevtx_record_values_get_event_level( NULL, &event_level, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	/* NOTE(review): the NULL output argument case only runs when the getter reported
	 * a value above, it is skipped if the getter returned 0 - confirm it is covered
	 */
	if( event_level_is_set != 0 )
	{
		result = libevtx_record_values_get_event_level( record_values, NULL, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
		EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

		libcerror_error_free( &error );
	}
	/* Clean up */
	result = libevtx_record_values_free( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	if( record_values != NULL )
	{
		libevtx_record_values_free( &record_values, NULL );
	}
	return( 0 );
}

/* Tests the libevtx_record_values_get_utf8_provider_identifier_size function
 * Returns 1 if successful or 0 if not
 */
int evtx_test_record_values_get_utf8_provider_identifier_size( void )
{
	libcerror_error_t *error = NULL;
	libevtx_record_values_t *record_values = NULL;
	size_t utf8_provider_identifier_size = 0;
	int result = 0;
	int utf8_provider_identifier_size_is_set = 0;

	/* Initialize test */
	result = libevtx_record_values_initialize( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test regular cases */
	result =
libevtx_record_values_get_utf8_provider_identifier_size( record_values, &utf8_provider_identifier_size, &error );

	EVTX_TEST_ASSERT_NOT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	utf8_provider_identifier_size_is_set = result;

	/* Test error cases */
	result = libevtx_record_values_get_utf8_provider_identifier_size( NULL, &utf8_provider_identifier_size, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	/* NOTE(review): skipped when the getter returned 0 above - confirm the NULL
	 * size argument case is covered
	 */
	if( utf8_provider_identifier_size_is_set != 0 )
	{
		result = libevtx_record_values_get_utf8_provider_identifier_size( record_values, NULL, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
		EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

		libcerror_error_free( &error );
	}
	/* Clean up */
	result = libevtx_record_values_free( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	if( record_values != NULL )
	{
		libevtx_record_values_free( &record_values, NULL );
	}
	return( 0 );
}

/* Tests the libevtx_record_values_get_utf8_provider_identifier function
 * The record_values object is only initialized, this test reads no record data into it
 * Returns 1 if successful or 0 if not
 */
int evtx_test_record_values_get_utf8_provider_identifier( void )
{
	uint8_t utf8_provider_identifier[ 512 ];

	libcerror_error_t *error = NULL;
	libevtx_record_values_t *record_values = NULL;
	int result = 0;
	int utf8_provider_identifier_is_set = 0;

	/* Initialize test */
	result = libevtx_record_values_initialize( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test regular cases */
	/* The size argument 512 matches the element count of the local buffer */
	result = libevtx_record_values_get_utf8_provider_identifier( record_values, utf8_provider_identifier, 512, &error );

	EVTX_TEST_ASSERT_NOT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	utf8_provider_identifier_is_set = result;

	/* Test error cases */
	result = libevtx_record_values_get_utf8_provider_identifier( NULL, utf8_provider_identifier, 512, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	/* NOTE(review): the NULL buffer, zero size and size above SSIZE_MAX cases are the
	 * bounds checks on the caller-supplied buffer, they only run when the getter
	 * reported a value above - confirm they execute for this empty object
	 */
	if( utf8_provider_identifier_is_set != 0 )
	{
		result = libevtx_record_values_get_utf8_provider_identifier( record_values, NULL, 512, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
		EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

		libcerror_error_free( &error );

		result = libevtx_record_values_get_utf8_provider_identifier( record_values, utf8_provider_identifier, 0, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
		EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

		libcerror_error_free( &error );

		result = libevtx_record_values_get_utf8_provider_identifier( record_values, utf8_provider_identifier, (size_t) SSIZE_MAX + 1, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
		EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

		libcerror_error_free( &error );
	}
	/* Clean up */
	result = libevtx_record_values_free( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	if( record_values != NULL )
	{
		libevtx_record_values_free( &record_values, NULL );
	}
	return( 0 );
}

/* Tests the libevtx_record_values_get_utf16_provider_identifier_size function
 * Returns 1 if successful or 0 if not
 */
int evtx_test_record_values_get_utf16_provider_identifier_size( void )
{
	libcerror_error_t *error = NULL;
	libevtx_record_values_t *record_values = NULL;
	size_t utf16_provider_identifier_size = 0;
	int result = 0;
	int utf16_provider_identifier_size_is_set = 0;

	/* Initialize
test */
	result = libevtx_record_values_initialize( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test regular cases */
	result = libevtx_record_values_get_utf16_provider_identifier_size( record_values, &utf16_provider_identifier_size, &error );

	EVTX_TEST_ASSERT_NOT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	utf16_provider_identifier_size_is_set = result;

	/* Test error cases */
	result = libevtx_record_values_get_utf16_provider_identifier_size( NULL, &utf16_provider_identifier_size, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	/* NOTE(review): skipped when the getter returned 0 above - confirm the NULL
	 * size argument case is covered
	 */
	if( utf16_provider_identifier_size_is_set != 0 )
	{
		result = libevtx_record_values_get_utf16_provider_identifier_size( record_values, NULL, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
		EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

		libcerror_error_free( &error );
	}
	/* Clean up */
	result = libevtx_record_values_free( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	if( record_values != NULL )
	{
		libevtx_record_values_free( &record_values, NULL );
	}
	return( 0 );
}

/* Tests the libevtx_record_values_get_utf16_provider_identifier function
 * The record_values object is only initialized, this test reads no record data into it
 * Returns 1 if successful or 0 if not
 */
int evtx_test_record_values_get_utf16_provider_identifier( void )
{
	uint16_t utf16_provider_identifier[ 512 ];

	libcerror_error_t *error = NULL;
	libevtx_record_values_t *record_values = NULL;
	int result = 0;
	int utf16_provider_identifier_is_set = 0;

	/* Initialize test */
	result = libevtx_record_values_initialize( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test regular cases */
	/* NOTE(review): 512 equals the element count of the uint16_t buffer, presumably the
	 * size is counted in 16-bit units and not in bytes - confirm against the library
	 */
	result = libevtx_record_values_get_utf16_provider_identifier( record_values, utf16_provider_identifier, 512, &error );

	EVTX_TEST_ASSERT_NOT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	utf16_provider_identifier_is_set = result;

	/* Test error cases */
	result = libevtx_record_values_get_utf16_provider_identifier( NULL, utf16_provider_identifier, 512, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	/* NOTE(review): the NULL buffer, zero size and size above SSIZE_MAX cases are the
	 * bounds checks on the caller-supplied buffer, they only run when the getter
	 * reported a value above - confirm they execute for this empty object
	 */
	if( utf16_provider_identifier_is_set != 0 )
	{
		result = libevtx_record_values_get_utf16_provider_identifier( record_values, NULL, 512, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
		EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

		libcerror_error_free( &error );

		result = libevtx_record_values_get_utf16_provider_identifier( record_values, utf16_provider_identifier, 0, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
		EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

		libcerror_error_free( &error );

		result = libevtx_record_values_get_utf16_provider_identifier( record_values, utf16_provider_identifier, (size_t) SSIZE_MAX + 1, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
		EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

		libcerror_error_free( &error );
	}
	/* Clean up */
	result = libevtx_record_values_free( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	if( record_values != NULL )
	{
		libevtx_record_values_free( &record_values, NULL );
	}
	return( 0 );
}

/* Tests the libevtx_record_values_get_utf8_source_name_size function
 * Returns 1 if successful or 0 if not
 */
int
evtx_test_record_values_get_utf8_source_name_size( void )
{
	libcerror_error_t *error = NULL;
	libevtx_record_values_t *record_values = NULL;
	size_t utf8_source_name_size = 0;
	int result = 0;
	int utf8_source_name_size_is_set = 0;

	/* Initialize test */
	/* The object is only initialized, this test reads no record data into it */
	result = libevtx_record_values_initialize( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test regular cases */
	/* Any result other than -1 is accepted, the size itself is not checked */
	result = libevtx_record_values_get_utf8_source_name_size( record_values, &utf8_source_name_size, &error );

	EVTX_TEST_ASSERT_NOT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	utf8_source_name_size_is_set = result;

	/* Test error cases */
	result = libevtx_record_values_get_utf8_source_name_size( NULL, &utf8_source_name_size, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	/* NOTE(review): skipped when the getter returned 0 above - confirm the NULL
	 * size argument case is covered
	 */
	if( utf8_source_name_size_is_set != 0 )
	{
		result = libevtx_record_values_get_utf8_source_name_size( record_values, NULL, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
		EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

		libcerror_error_free( &error );
	}
	/* Clean up */
	result = libevtx_record_values_free( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	if( record_values != NULL )
	{
		libevtx_record_values_free( &record_values, NULL );
	}
	return( 0 );
}

/* Tests the libevtx_record_values_get_utf8_source_name function
 * The record_values object is only initialized, this test reads no record data into it
 * Returns 1 if successful or 0 if not
 */
int evtx_test_record_values_get_utf8_source_name( void )
{
	uint8_t utf8_source_name[ 512 ];

	libcerror_error_t *error = NULL;
	libevtx_record_values_t *record_values = NULL;
	int result = 0;
	int utf8_source_name_is_set = 0;

	/* Initialize test */
	result = libevtx_record_values_initialize( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test regular cases */
	/* The size argument 512 matches the element count of the local buffer */
	result = libevtx_record_values_get_utf8_source_name( record_values, utf8_source_name, 512, &error );

	EVTX_TEST_ASSERT_NOT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	utf8_source_name_is_set = result;

	/* Test error cases */
	result = libevtx_record_values_get_utf8_source_name( NULL, utf8_source_name, 512, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	/* NOTE(review): the NULL buffer, zero size and size above SSIZE_MAX cases are the
	 * bounds checks on the caller-supplied buffer, they only run when the getter
	 * reported a value above - confirm they execute for this empty object
	 */
	if( utf8_source_name_is_set != 0 )
	{
		result = libevtx_record_values_get_utf8_source_name( record_values, NULL, 512, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
		EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

		libcerror_error_free( &error );

		result = libevtx_record_values_get_utf8_source_name( record_values, utf8_source_name, 0, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
		EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

		libcerror_error_free( &error );

		result = libevtx_record_values_get_utf8_source_name( record_values, utf8_source_name, (size_t) SSIZE_MAX + 1, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
		EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

		libcerror_error_free( &error );
	}
	/* Clean up */
	result = libevtx_record_values_free( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	if( record_values != NULL )
	{
		libevtx_record_values_free( &record_values, NULL );
	}
	return( 0 );
}

/* Tests the libevtx_record_values_get_utf16_source_name_size function
 * Returns 1
if successful or 0 if not
 */
int evtx_test_record_values_get_utf16_source_name_size( void )
{
	libcerror_error_t *error = NULL;
	libevtx_record_values_t *record_values = NULL;
	size_t utf16_source_name_size = 0;
	int result = 0;
	int utf16_source_name_size_is_set = 0;

	/* Initialize test */
	/* The object is only initialized, this test reads no record data into it */
	result = libevtx_record_values_initialize( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test regular cases */
	/* Any result other than -1 is accepted, the size itself is not checked */
	result = libevtx_record_values_get_utf16_source_name_size( record_values, &utf16_source_name_size, &error );

	EVTX_TEST_ASSERT_NOT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	utf16_source_name_size_is_set = result;

	/* Test error cases */
	result = libevtx_record_values_get_utf16_source_name_size( NULL, &utf16_source_name_size, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	/* NOTE(review): skipped when the getter returned 0 above - confirm the NULL
	 * size argument case is covered
	 */
	if( utf16_source_name_size_is_set != 0 )
	{
		result = libevtx_record_values_get_utf16_source_name_size( record_values, NULL, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
		EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

		libcerror_error_free( &error );
	}
	/* Clean up */
	result = libevtx_record_values_free( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	if( record_values != NULL )
	{
		libevtx_record_values_free( &record_values, NULL );
	}
	return( 0 );
}

/* Tests the libevtx_record_values_get_utf16_source_name function
 * The record_values object is only initialized, this test reads no record data into it
 * Returns 1 if successful or 0 if not
 */
int evtx_test_record_values_get_utf16_source_name( void )
{
	uint16_t utf16_source_name[ 512 ];

	libcerror_error_t *error = NULL;
	libevtx_record_values_t *record_values = NULL;
	int result = 0;
	int utf16_source_name_is_set = 0;

	/* Initialize test */
	result = libevtx_record_values_initialize( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test regular cases */
	/* NOTE(review): 512 equals the element count of the uint16_t buffer, presumably the
	 * size is counted in 16-bit units and not in bytes - confirm against the library
	 */
	result = libevtx_record_values_get_utf16_source_name( record_values, utf16_source_name, 512, &error );

	EVTX_TEST_ASSERT_NOT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	utf16_source_name_is_set = result;

	/* Test error cases */
	result = libevtx_record_values_get_utf16_source_name( NULL, utf16_source_name, 512, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	/* NOTE(review): the NULL buffer, zero size and size above SSIZE_MAX cases are the
	 * bounds checks on the caller-supplied buffer, they only run when the getter
	 * reported a value above - confirm they execute for this empty object
	 */
	if( utf16_source_name_is_set != 0 )
	{
		result = libevtx_record_values_get_utf16_source_name( record_values, NULL, 512, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
		EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

		libcerror_error_free( &error );

		result = libevtx_record_values_get_utf16_source_name( record_values, utf16_source_name, 0, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
		EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

		libcerror_error_free( &error );

		result = libevtx_record_values_get_utf16_source_name( record_values, utf16_source_name, (size_t) SSIZE_MAX + 1, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
		EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

		libcerror_error_free( &error );
	}
	/* Clean up */
	result = libevtx_record_values_free( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	if( record_values != NULL )
	{
		libevtx_record_values_free( &record_values, NULL );
	}
	return( 0 );
}

/* Tests the
libevtx_record_values_get_utf8_computer_name_size function
 * The record_values object is only initialized, this test reads no record data into it
 * Returns 1 if successful or 0 if not
 */
int evtx_test_record_values_get_utf8_computer_name_size( void )
{
	libcerror_error_t *error = NULL;
	libevtx_record_values_t *record_values = NULL;
	size_t utf8_computer_name_size = 0;
	int result = 0;
	int utf8_computer_name_size_is_set = 0;

	/* Initialize test */
	result = libevtx_record_values_initialize( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test regular cases */
	/* Any result other than -1 is accepted, the size itself is not checked */
	result = libevtx_record_values_get_utf8_computer_name_size( record_values, &utf8_computer_name_size, &error );

	EVTX_TEST_ASSERT_NOT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	utf8_computer_name_size_is_set = result;

	/* Test error cases */
	result = libevtx_record_values_get_utf8_computer_name_size( NULL, &utf8_computer_name_size, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	/* NOTE(review): skipped when the getter returned 0 above - confirm the NULL
	 * size argument case is covered
	 */
	if( utf8_computer_name_size_is_set != 0 )
	{
		result = libevtx_record_values_get_utf8_computer_name_size( record_values, NULL, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
		EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

		libcerror_error_free( &error );
	}
	/* Clean up */
	result = libevtx_record_values_free( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	if( record_values != NULL )
	{
		libevtx_record_values_free( &record_values, NULL );
	}
	return( 0 );
}

/* Tests the libevtx_record_values_get_utf8_computer_name function
 * The record_values object is only initialized, this test reads no record data into it
 * Returns 1 if successful or 0 if not
 */
int evtx_test_record_values_get_utf8_computer_name( void )
{
	uint8_t utf8_computer_name[ 512 ];

	libcerror_error_t *error = NULL;
	libevtx_record_values_t *record_values = NULL;
	int result = 0;
	int utf8_computer_name_is_set = 0;

	/* Initialize test */
	result = libevtx_record_values_initialize( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test regular cases */
	/* The size argument 512 matches the element count of the local buffer */
	result = libevtx_record_values_get_utf8_computer_name( record_values, utf8_computer_name, 512, &error );

	EVTX_TEST_ASSERT_NOT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	utf8_computer_name_is_set = result;

	/* Test error cases */
	result = libevtx_record_values_get_utf8_computer_name( NULL, utf8_computer_name, 512, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	/* NOTE(review): the NULL buffer, zero size and size above SSIZE_MAX cases are the
	 * bounds checks on the caller-supplied buffer, they only run when the getter
	 * reported a value above - confirm they execute for this empty object
	 */
	if( utf8_computer_name_is_set != 0 )
	{
		result = libevtx_record_values_get_utf8_computer_name( record_values, NULL, 512, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
		EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

		libcerror_error_free( &error );

		result = libevtx_record_values_get_utf8_computer_name( record_values, utf8_computer_name, 0, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
		EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

		libcerror_error_free( &error );

		result = libevtx_record_values_get_utf8_computer_name( record_values, utf8_computer_name, (size_t) SSIZE_MAX + 1, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
		EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

		libcerror_error_free( &error );
	}
	/* Clean up */
	result = libevtx_record_values_free( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	if( record_values != NULL )
{ libevtx_record_values_free( &record_values, NULL ); } return( 0 ); }

/* Tests the libevtx_record_values_get_utf16_computer_name_size function
 *
 * Initializes a record values structure without reading any record data into
 * it, queries the UTF-16 computer name size and checks that invalid arguments
 * are rejected with -1 and an error.
 * No explicit jump to on_error is visible; presumably the EVTX_TEST_ASSERT_*
 * macros perform it when a check fails - confirm against their definition.
 *
 * Returns 1 if successful or 0 if not
 */
int evtx_test_record_values_get_utf16_computer_name_size( void )
{
	libcerror_error_t *error = NULL;
	libevtx_record_values_t *record_values = NULL;
	size_t utf16_computer_name_size = 0;
	int result = 0;
	int utf16_computer_name_size_is_set = 0;

	/* Initialize test
	 */
	result = libevtx_record_values_initialize( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test regular cases
	 * Any result other than -1 is accepted; it is kept to decide whether the
	 * value-dependent error case below is run
	 */
	result = libevtx_record_values_get_utf16_computer_name_size( record_values, &utf16_computer_name_size, &error );

	EVTX_TEST_ASSERT_NOT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	utf16_computer_name_size_is_set = result;

	/* Test error cases
	 * A NULL record values pointer must be rejected
	 */
	result = libevtx_record_values_get_utf16_computer_name_size( NULL, &utf16_computer_name_size, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	/* NOTE(review): nothing is read into record_values in this test, so the
	 * regular call presumably returned 0 (value not set) - confirm. If so this
	 * branch is skipped and the NULL output pointer check is never exercised.
	 */
	if( utf16_computer_name_size_is_set != 0 )
	{
		/* A NULL size output pointer must be rejected
		 */
		result = libevtx_record_values_get_utf16_computer_name_size( record_values, NULL, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
		EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

		libcerror_error_free( &error );
	}
	/* Clean up
	 * The free call must succeed and reset the pointer to NULL
	 */
	result = libevtx_record_values_free( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	return( 1 );

on_error:
	/* Release whatever is still allocated; NULL is passed as the error argument
	 * of the free call, so no further error is collected on this path
	 */
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	if( record_values != NULL )
	{
		libevtx_record_values_free( &record_values, NULL );
	}
	return( 0 );
}

/* Tests the libevtx_record_values_get_utf16_computer_name function * Returns 1 if successful or 0 if
not */

/* Outline of evtx_test_record_values_get_utf16_computer_name:
 * the record values structure is only initialized, no record data is read into
 * it. The getter is called with a local buffer of 512 uint16_t elements and
 * then with invalid arguments that must each yield -1 and an error.
 * No explicit jump to on_error is visible; presumably the EVTX_TEST_ASSERT_*
 * macros perform it when a check fails - confirm against their definition.
 */
int evtx_test_record_values_get_utf16_computer_name( void )
{
	uint16_t utf16_computer_name[ 512 ];

	libcerror_error_t *error = NULL;
	libevtx_record_values_t *record_values = NULL;
	int result = 0;
	int utf16_computer_name_is_set = 0;

	/* Initialize test
	 */
	result = libevtx_record_values_initialize( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test regular cases
	 * The size passed (512) matches the element count of the local buffer;
	 * any result other than -1 is accepted and kept for the checks below
	 */
	result = libevtx_record_values_get_utf16_computer_name( record_values, utf16_computer_name, 512, &error );

	EVTX_TEST_ASSERT_NOT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	utf16_computer_name_is_set = result;

	/* Test error cases
	 * A NULL record values pointer must be rejected
	 */
	result = libevtx_record_values_get_utf16_computer_name( NULL, utf16_computer_name, 512, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	/* NOTE(review): nothing is read into record_values in this test, so the
	 * regular call presumably returned 0 (value not set) - confirm. If so the
	 * buffer and size validation checks in this branch are never exercised.
	 */
	if( utf16_computer_name_is_set != 0 )
	{
		/* A NULL output buffer must be rejected
		 */
		result = libevtx_record_values_get_utf16_computer_name( record_values, NULL, 512, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
		EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

		libcerror_error_free( &error );

		/* A buffer size of 0 must be rejected
		 */
		result = libevtx_record_values_get_utf16_computer_name( record_values, utf16_computer_name, 0, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
		EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

		libcerror_error_free( &error );

		/* A buffer size one above SSIZE_MAX must be rejected
		 */
		result = libevtx_record_values_get_utf16_computer_name( record_values, utf16_computer_name, (size_t) SSIZE_MAX + 1, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
		EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

		libcerror_error_free( &error );
	}
	/* Clean up
	 * The free call must succeed and reset the pointer to NULL
	 */
	result = libevtx_record_values_free( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	return( 1 );

on_error:
	/* Release whatever is still allocated; the free call gets NULL as error
	 * argument, so no further error is collected on this path
	 */
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	if( record_values != NULL )
	{
		libevtx_record_values_free( &record_values, NULL );
	}
	return( 0 );
}

/* Tests the libevtx_record_values_get_utf8_user_security_identifier_size function
 *
 * Queries the UTF-8 user security identifier size of a record values structure
 * that was only initialized, then checks that invalid arguments yield -1 and
 * an error.
 *
 * Returns 1 if successful or 0 if not
 */
int evtx_test_record_values_get_utf8_user_security_identifier_size( void )
{
	libcerror_error_t *error = NULL;
	libevtx_record_values_t *record_values = NULL;
	size_t utf8_user_security_identifier_size = 0;
	int result = 0;
	int utf8_user_security_identifier_size_is_set = 0;

	/* Initialize test
	 */
	result = libevtx_record_values_initialize( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test regular cases
	 * Any result other than -1 is accepted and kept for the check below
	 */
	result = libevtx_record_values_get_utf8_user_security_identifier_size( record_values, &utf8_user_security_identifier_size, &error );

	EVTX_TEST_ASSERT_NOT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	utf8_user_security_identifier_size_is_set = result;

	/* Test error cases
	 * A NULL record values pointer must be rejected
	 */
	result = libevtx_record_values_get_utf8_user_security_identifier_size( NULL, &utf8_user_security_identifier_size, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	/* NOTE(review): skipped when the regular call returned 0, which is the
	 * presumable outcome for a structure without record data - confirm
	 */
	if( utf8_user_security_identifier_size_is_set != 0 )
	{
		/* A NULL size output pointer must be rejected
		 */
		result = libevtx_record_values_get_utf8_user_security_identifier_size( record_values, NULL, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
		EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

		libcerror_error_free( &error );
	}
	/* Clean up
	 */
	result = libevtx_record_values_free( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	return( 1 );

on_error:
	if( error != NULL )
	{
libcerror_error_free( &error );
	}
	if( record_values != NULL )
	{
		libevtx_record_values_free( &record_values, NULL );
	}
	return( 0 );
}

/* Tests the libevtx_record_values_get_utf8_user_security_identifier function
 *
 * The record values structure is only initialized, no record data is read into
 * it. The getter is called with a local buffer of 512 bytes and then with
 * invalid arguments that must each yield -1 and an error.
 * No explicit jump to on_error is visible; presumably the EVTX_TEST_ASSERT_*
 * macros perform it when a check fails - confirm against their definition.
 *
 * Returns 1 if successful or 0 if not
 */
int evtx_test_record_values_get_utf8_user_security_identifier( void )
{
	uint8_t utf8_user_security_identifier[ 512 ];

	libcerror_error_t *error = NULL;
	libevtx_record_values_t *record_values = NULL;
	int result = 0;
	int utf8_user_security_identifier_is_set = 0;

	/* Initialize test
	 */
	result = libevtx_record_values_initialize( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test regular cases
	 * The size passed (512) matches the element count of the local buffer;
	 * any result other than -1 is accepted and kept for the checks below
	 */
	result = libevtx_record_values_get_utf8_user_security_identifier( record_values, utf8_user_security_identifier, 512, &error );

	EVTX_TEST_ASSERT_NOT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	utf8_user_security_identifier_is_set = result;

	/* Test error cases
	 * A NULL record values pointer must be rejected
	 */
	result = libevtx_record_values_get_utf8_user_security_identifier( NULL, utf8_user_security_identifier, 512, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	/* NOTE(review): nothing is read into record_values in this test, so the
	 * regular call presumably returned 0 (value not set) - confirm. If so the
	 * buffer and size validation checks in this branch are never exercised.
	 */
	if( utf8_user_security_identifier_is_set != 0 )
	{
		/* A NULL output buffer must be rejected
		 */
		result = libevtx_record_values_get_utf8_user_security_identifier( record_values, NULL, 512, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
		EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

		libcerror_error_free( &error );

		/* A buffer size of 0 must be rejected
		 */
		result = libevtx_record_values_get_utf8_user_security_identifier( record_values, utf8_user_security_identifier, 0, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
		EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

		libcerror_error_free( &error );

		/* A buffer size one above SSIZE_MAX must be rejected
		 */
		result = libevtx_record_values_get_utf8_user_security_identifier( record_values, utf8_user_security_identifier, (size_t) SSIZE_MAX + 1, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
		EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

		libcerror_error_free( &error );
	}
	/* Clean up
	 * The free call must succeed and reset the pointer to NULL
	 */
	result = libevtx_record_values_free( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	return( 1 );

on_error:
	/* Release whatever is still allocated; the free call gets NULL as error
	 * argument, so no further error is collected on this path
	 */
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	if( record_values != NULL )
	{
		libevtx_record_values_free( &record_values, NULL );
	}
	return( 0 );
}

/* Tests the libevtx_record_values_get_utf16_user_security_identifier_size function
 *
 * Queries the UTF-16 user security identifier size of a record values
 * structure that was only initialized, then checks that invalid arguments
 * yield -1 and an error.
 *
 * Returns 1 if successful or 0 if not
 */
int evtx_test_record_values_get_utf16_user_security_identifier_size( void )
{
	libcerror_error_t *error = NULL;
	libevtx_record_values_t *record_values = NULL;
	size_t utf16_user_security_identifier_size = 0;
	int result = 0;
	int utf16_user_security_identifier_size_is_set = 0;

	/* Initialize test
	 */
	result = libevtx_record_values_initialize( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test regular cases
	 * Any result other than -1 is accepted and kept for the check below
	 */
	result = libevtx_record_values_get_utf16_user_security_identifier_size( record_values, &utf16_user_security_identifier_size, &error );

	EVTX_TEST_ASSERT_NOT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	utf16_user_security_identifier_size_is_set = result;

	/* Test error cases
	 * A NULL record values pointer must be rejected
	 */
	result = libevtx_record_values_get_utf16_user_security_identifier_size( NULL, &utf16_user_security_identifier_size, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	/* NOTE(review): skipped when the regular call returned 0, which is the
	 * presumable outcome for a structure without record data - confirm
	 */
	if( utf16_user_security_identifier_size_is_set != 0 )
	{
		/* A NULL size output pointer must be rejected
		 */
		result = libevtx_record_values_get_utf16_user_security_identifier_size( record_values, NULL, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
		EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

		libcerror_error_free( &error );
	}
	/* Clean up
	 */
	result = libevtx_record_values_free( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	if( record_values != NULL )
	{
		libevtx_record_values_free( &record_values, NULL );
	}
	return( 0 );
}

/* Tests the libevtx_record_values_get_utf16_user_security_identifier function
 *
 * The record values structure is only initialized, no record data is read into
 * it. The getter is called with a local buffer of 512 uint16_t elements and
 * then with invalid arguments that must each yield -1 and an error.
 *
 * Returns 1 if successful or 0 if not
 */
int evtx_test_record_values_get_utf16_user_security_identifier( void )
{
	uint16_t utf16_user_security_identifier[ 512 ];

	libcerror_error_t *error = NULL;
	libevtx_record_values_t *record_values = NULL;
	int result = 0;
	int utf16_user_security_identifier_is_set = 0;

	/* Initialize test
	 */
	result = libevtx_record_values_initialize( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test regular cases
	 * The size passed (512) matches the element count of the local buffer
	 */
	result = libevtx_record_values_get_utf16_user_security_identifier( record_values, utf16_user_security_identifier, 512, &error );

	EVTX_TEST_ASSERT_NOT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	utf16_user_security_identifier_is_set = result;

	/* Test error cases
	 * A NULL record values pointer must be rejected
	 */
	result = libevtx_record_values_get_utf16_user_security_identifier( NULL, utf16_user_security_identifier, 512, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	/* NOTE(review): skipped when the regular call returned 0, which is the
	 * presumable outcome for a structure without record data - confirm
	 */
	if( utf16_user_security_identifier_is_set != 0 )
	{
		/* A NULL output buffer must be rejected
		 */
		result = libevtx_record_values_get_utf16_user_security_identifier( record_values, NULL, 512, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
		EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );
libcerror_error_free( &error );

		/* A buffer size of 0 must be rejected
		 */
		result = libevtx_record_values_get_utf16_user_security_identifier( record_values, utf16_user_security_identifier, 0, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
		EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

		libcerror_error_free( &error );

		/* A buffer size one above SSIZE_MAX must be rejected
		 */
		result = libevtx_record_values_get_utf16_user_security_identifier( record_values, utf16_user_security_identifier, (size_t) SSIZE_MAX + 1, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
		EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

		libcerror_error_free( &error );
	}
	/* Clean up
	 */
	result = libevtx_record_values_free( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	if( record_values != NULL )
	{
		libevtx_record_values_free( &record_values, NULL );
	}
	return( 0 );
}

/* Tests the libevtx_record_values_get_utf8_xml_string_size function
 *
 * Queries the UTF-8 XML string size of a record values structure that was only
 * initialized, then checks that invalid arguments yield -1 and an error.
 * No explicit jump to on_error is visible; presumably the EVTX_TEST_ASSERT_*
 * macros perform it when a check fails - confirm against their definition.
 *
 * Returns 1 if successful or 0 if not
 */
int evtx_test_record_values_get_utf8_xml_string_size( void )
{
	libcerror_error_t *error = NULL;
	libevtx_record_values_t *record_values = NULL;
	size_t utf8_xml_string_size = 0;
	int result = 0;
	int utf8_xml_string_size_is_set = 0;

	/* Initialize test
	 */
	result = libevtx_record_values_initialize( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test regular cases
	 * Any result other than -1 is accepted and kept for the check below
	 */
	result = libevtx_record_values_get_utf8_xml_string_size( record_values, &utf8_xml_string_size, &error );

	EVTX_TEST_ASSERT_NOT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	utf8_xml_string_size_is_set = result;

	/* Test error cases
	 * A NULL record values pointer must be rejected
	 */
	result = libevtx_record_values_get_utf8_xml_string_size( NULL, &utf8_xml_string_size, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	/* NOTE(review): skipped when the regular call returned 0, which is the
	 * presumable outcome for a structure without record data - confirm
	 */
	if( utf8_xml_string_size_is_set != 0 )
	{
		/* A NULL size output pointer must be rejected
		 */
		result = libevtx_record_values_get_utf8_xml_string_size( record_values, NULL, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
		EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

		libcerror_error_free( &error );
	}
	/* Clean up
	 * The free call must succeed and reset the pointer to NULL
	 */
	result = libevtx_record_values_free( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	return( 1 );

on_error:
	/* Release whatever is still allocated; the free call gets NULL as error
	 * argument, so no further error is collected on this path
	 */
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	if( record_values != NULL )
	{
		libevtx_record_values_free( &record_values, NULL );
	}
	return( 0 );
}

/* Tests the libevtx_record_values_get_utf8_xml_string function
 *
 * The record values structure is only initialized, no record data is read into
 * it. The getter is called with a local buffer of 512 bytes and then with
 * invalid arguments that must each yield -1 and an error.
 *
 * Returns 1 if successful or 0 if not
 */
int evtx_test_record_values_get_utf8_xml_string( void )
{
	uint8_t utf8_xml_string[ 512 ];

	libcerror_error_t *error = NULL;
	libevtx_record_values_t *record_values = NULL;
	int result = 0;
	int utf8_xml_string_is_set = 0;

	/* Initialize test
	 */
	result = libevtx_record_values_initialize( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test regular cases
	 * The size passed (512) matches the element count of the local buffer;
	 * any result other than -1 is accepted and kept for the checks below
	 */
	result = libevtx_record_values_get_utf8_xml_string( record_values, utf8_xml_string, 512, &error );

	EVTX_TEST_ASSERT_NOT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	utf8_xml_string_is_set = result;

	/* Test error cases
	 * A NULL record values pointer must be rejected
	 */
	result = libevtx_record_values_get_utf8_xml_string( NULL, utf8_xml_string, 512, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	/* NOTE(review): nothing is read into record_values in this test, so the
	 * regular call presumably returned 0 (value not set) - confirm. If so the
	 * buffer and size validation checks in this branch are never exercised.
	 */
	if( utf8_xml_string_is_set != 0 )
	{
		/* A NULL output buffer must be rejected
		 */
		result = libevtx_record_values_get_utf8_xml_string( record_values, NULL, 512, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
		EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

		libcerror_error_free( &error );

		/* A buffer size of 0 must be rejected
		 */
		result = libevtx_record_values_get_utf8_xml_string( record_values, utf8_xml_string, 0, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
		EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

		libcerror_error_free( &error );

		/* A buffer size one above SSIZE_MAX must be rejected
		 */
		result = libevtx_record_values_get_utf8_xml_string( record_values, utf8_xml_string, (size_t) SSIZE_MAX + 1, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
		EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

		libcerror_error_free( &error );
	}
	/* Clean up
	 */
	result = libevtx_record_values_free( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	if( record_values != NULL )
	{
		libevtx_record_values_free( &record_values, NULL );
	}
	return( 0 );
}

/* Tests the libevtx_record_values_get_utf16_xml_string_size function
 *
 * Queries the UTF-16 XML string size of a record values structure that was
 * only initialized, then checks that invalid arguments yield -1 and an error.
 *
 * Returns 1 if successful or 0 if not
 */
int evtx_test_record_values_get_utf16_xml_string_size( void )
{
	libcerror_error_t *error = NULL;
	libevtx_record_values_t *record_values = NULL;
	size_t utf16_xml_string_size = 0;
	int result = 0;
	int utf16_xml_string_size_is_set = 0;

	/* Initialize test
	 */
	result = libevtx_record_values_initialize( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test regular cases
	 * Any result other than -1 is accepted and kept for a later check
	 */
	result = libevtx_record_values_get_utf16_xml_string_size( record_values, &utf16_xml_string_size, &error );

	EVTX_TEST_ASSERT_NOT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	utf16_xml_string_size_is_set = result;

	/* Test error cases
	 * A NULL record values pointer must be rejected
	 */
	result = libevtx_record_values_get_utf16_xml_string_size( NULL, &utf16_xml_string_size, &error );
EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	/* NOTE(review): skipped when utf16_xml_string_size_is_set is 0, which is
	 * the presumable outcome for a structure without record data - confirm
	 */
	if( utf16_xml_string_size_is_set != 0 )
	{
		/* A NULL size output pointer must be rejected
		 */
		result = libevtx_record_values_get_utf16_xml_string_size( record_values, NULL, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
		EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

		libcerror_error_free( &error );
	}
	/* Clean up
	 */
	result = libevtx_record_values_free( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	if( record_values != NULL )
	{
		libevtx_record_values_free( &record_values, NULL );
	}
	return( 0 );
}

/* Tests the libevtx_record_values_get_utf16_xml_string function
 *
 * The record values structure is only initialized, no record data is read into
 * it. The getter is called with a local buffer of 512 uint16_t elements and
 * then with invalid arguments that must each yield -1 and an error.
 * No explicit jump to on_error is visible; presumably the EVTX_TEST_ASSERT_*
 * macros perform it when a check fails - confirm against their definition.
 *
 * Returns 1 if successful or 0 if not
 */
int evtx_test_record_values_get_utf16_xml_string( void )
{
	uint16_t utf16_xml_string[ 512 ];

	libcerror_error_t *error = NULL;
	libevtx_record_values_t *record_values = NULL;
	int result = 0;
	int utf16_xml_string_is_set = 0;

	/* Initialize test
	 */
	result = libevtx_record_values_initialize( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test regular cases
	 * The size passed (512) matches the element count of the local buffer;
	 * any result other than -1 is accepted and kept for the checks below
	 */
	result = libevtx_record_values_get_utf16_xml_string( record_values, utf16_xml_string, 512, &error );

	EVTX_TEST_ASSERT_NOT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	utf16_xml_string_is_set = result;

	/* Test error cases
	 * A NULL record values pointer must be rejected
	 */
	result = libevtx_record_values_get_utf16_xml_string( NULL, utf16_xml_string, 512, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	/* NOTE(review): nothing is read into record_values in this test, so the
	 * regular call presumably returned 0 (value not set) - confirm. If so the
	 * buffer and size validation checks in this branch are never exercised.
	 */
	if( utf16_xml_string_is_set != 0 )
	{
		result = libevtx_record_values_get_utf16_xml_string( record_values,
NULL, 512, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
		EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

		libcerror_error_free( &error );

		/* A buffer size of 0 must be rejected
		 */
		result = libevtx_record_values_get_utf16_xml_string( record_values, utf16_xml_string, 0, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
		EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

		libcerror_error_free( &error );

		/* A buffer size one above SSIZE_MAX must be rejected
		 */
		result = libevtx_record_values_get_utf16_xml_string( record_values, utf16_xml_string, (size_t) SSIZE_MAX + 1, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
		EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

		libcerror_error_free( &error );
	}
	/* Clean up
	 */
	result = libevtx_record_values_free( &record_values, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "record_values", record_values );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	if( record_values != NULL )
	{
		libevtx_record_values_free( &record_values, NULL );
	}
	return( 0 );
}

#endif /* defined( __GNUC__ ) && !defined( LIBEVTX_DLL_IMPORT ) */

/* The main program
 *
 * Runs the record values tests through EVTX_TEST_RUN; a failing test presumably
 * makes the macro jump to on_error (the jump is not visible here - confirm).
 * The tests are only compiled in when __GNUC__ is defined and
 * LIBEVTX_DLL_IMPORT is not; otherwise main returns EXIT_SUCCESS without
 * running anything.
 *
 * NOTE(review): only the initialize, free and clone tests are active. Every
 * getter test is listed inside #if defined( TODO ) and is compiled out unless
 * TODO is defined, so the argument checks in the getter tests of this file
 * (NULL pointers, zero and oversized buffer sizes) are not run by this program
 * in that case.
 *
 * Returns EXIT_SUCCESS if all tests that ran passed or EXIT_FAILURE if not
 */
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
int wmain( int argc EVTX_TEST_ATTRIBUTE_UNUSED, wchar_t * const argv[] EVTX_TEST_ATTRIBUTE_UNUSED )
#else
int main( int argc EVTX_TEST_ATTRIBUTE_UNUSED, char * const argv[] EVTX_TEST_ATTRIBUTE_UNUSED )
#endif
{
	/* The command line arguments are not used by this test program
	 */
	EVTX_TEST_UNREFERENCED_PARAMETER( argc )
	EVTX_TEST_UNREFERENCED_PARAMETER( argv )

#if defined( __GNUC__ ) && !defined( LIBEVTX_DLL_IMPORT )

	EVTX_TEST_RUN( "libevtx_record_values_initialize", evtx_test_record_values_initialize );

	EVTX_TEST_RUN( "libevtx_record_values_free", evtx_test_record_values_free );

	EVTX_TEST_RUN( "libevtx_record_values_clone", evtx_test_record_values_clone );

#if defined( TODO )

	/* Everything up to the matching #endif is compiled out unless TODO is
	 * defined
	 */

	/* TODO: add tests for libevtx_record_values_read_header */

	/* TODO: add tests for libevtx_record_values_read_xml_document */

	EVTX_TEST_RUN( "libevtx_record_values_get_event_identifier", evtx_test_record_values_get_event_identifier );

	EVTX_TEST_RUN( "libevtx_record_values_get_event_identifier_qualifiers", evtx_test_record_values_get_event_identifier_qualifiers );

	EVTX_TEST_RUN( "libevtx_record_values_get_event_level", evtx_test_record_values_get_event_level );

	EVTX_TEST_RUN( "libevtx_record_values_get_utf8_provider_identifier_size", evtx_test_record_values_get_utf8_provider_identifier_size );

	EVTX_TEST_RUN( "libevtx_record_values_get_utf8_provider_identifier", evtx_test_record_values_get_utf8_provider_identifier );

	EVTX_TEST_RUN( "libevtx_record_values_get_utf16_provider_identifier_size", evtx_test_record_values_get_utf16_provider_identifier_size );

	EVTX_TEST_RUN( "libevtx_record_values_get_utf16_provider_identifier", evtx_test_record_values_get_utf16_provider_identifier );

	EVTX_TEST_RUN( "libevtx_record_values_get_utf8_source_name_size", evtx_test_record_values_get_utf8_source_name_size );

	EVTX_TEST_RUN( "libevtx_record_values_get_utf8_source_name", evtx_test_record_values_get_utf8_source_name );

	EVTX_TEST_RUN( "libevtx_record_values_get_utf16_source_name_size", evtx_test_record_values_get_utf16_source_name_size );

	EVTX_TEST_RUN( "libevtx_record_values_get_utf16_source_name", evtx_test_record_values_get_utf16_source_name );

	EVTX_TEST_RUN( "libevtx_record_values_get_utf8_computer_name_size", evtx_test_record_values_get_utf8_computer_name_size );

	EVTX_TEST_RUN( "libevtx_record_values_get_utf8_computer_name", evtx_test_record_values_get_utf8_computer_name );

	EVTX_TEST_RUN( "libevtx_record_values_get_utf16_computer_name_size", evtx_test_record_values_get_utf16_computer_name_size );

	EVTX_TEST_RUN( "libevtx_record_values_get_utf16_computer_name", evtx_test_record_values_get_utf16_computer_name );

	EVTX_TEST_RUN( "libevtx_record_values_get_utf8_user_security_identifier_size", evtx_test_record_values_get_utf8_user_security_identifier_size );

	EVTX_TEST_RUN( "libevtx_record_values_get_utf8_user_security_identifier", evtx_test_record_values_get_utf8_user_security_identifier );

	EVTX_TEST_RUN( "libevtx_record_values_get_utf16_user_security_identifier_size", evtx_test_record_values_get_utf16_user_security_identifier_size );

	EVTX_TEST_RUN( "libevtx_record_values_get_utf16_user_security_identifier", evtx_test_record_values_get_utf16_user_security_identifier );

	/* TODO: add tests for libevtx_record_values_parse_data */

	/* TODO: add tests for libevtx_record_values_get_number_of_strings */

	/* TODO: add tests for libevtx_record_values_get_utf8_string_size */

	/* TODO: add tests for libevtx_record_values_get_utf8_string */

	/* TODO: add tests for libevtx_record_values_get_utf16_string_size */

	/* TODO: add tests for libevtx_record_values_get_utf16_string */

	/* TODO: add tests for libevtx_record_values_get_data_size */

	/* TODO: add tests for libevtx_record_values_get_data */

	EVTX_TEST_RUN( "libevtx_record_values_get_utf8_xml_string_size", evtx_test_record_values_get_utf8_xml_string_size );

	EVTX_TEST_RUN( "libevtx_record_values_get_utf8_xml_string", evtx_test_record_values_get_utf8_xml_string );

	EVTX_TEST_RUN( "libevtx_record_values_get_utf16_xml_string_size", evtx_test_record_values_get_utf16_xml_string_size );

	EVTX_TEST_RUN( "libevtx_record_values_get_utf16_xml_string", evtx_test_record_values_get_utf16_xml_string );

#endif /* defined( TODO ) */

#endif /* defined( __GNUC__ ) && !defined( LIBEVTX_DLL_IMPORT ) */

	return( EXIT_SUCCESS );

on_error:
	return( EXIT_FAILURE );
}

================================================
FILE: tests/evtx_test_support.c
================================================
/*
 * Library support functions test program
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
*
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program.  If not, see <https://www.gnu.org/licenses/>.
 */

/* NOTE(review): the header names of the six #include directives below and of
 * the one inside the HAVE_STDLIB_H / WINAPI condition are missing in this
 * copy; they appear to have been lost together with their angle brackets.
 * Restore them from the upstream file before building.
 */
#include
#include
#include
#include
#include
#include

#if defined( HAVE_STDLIB_H ) || defined( WINAPI )
#include
#endif

#include "evtx_test_functions.h"
#include "evtx_test_getopt.h"
#include "evtx_test_libbfio.h"
#include "evtx_test_libcerror.h"
#include "evtx_test_libevtx.h"
#include "evtx_test_macros.h"
#include "evtx_test_memory.h"
#include "evtx_test_unused.h"

/* Local declaration of the file IO handle based signature check, used when
 * LIBEVTX_HAVE_BFIO is not defined; presumably the public header only declares
 * the function when it is - confirm
 */
#if !defined( LIBEVTX_HAVE_BFIO )

LIBEVTX_EXTERN \
int libevtx_check_file_signature_file_io_handle(
     libbfio_handle_t *file_io_handle,
     libcerror_error_t **error );

#endif /* !defined( LIBEVTX_HAVE_BFIO ) */

/* Tests the libevtx_get_version function
 *
 * Compares the string returned by the library with LIBEVTX_VERSION_STRING.
 * No explicit jump to on_error is visible; presumably the EVTX_TEST_ASSERT_*
 * macros perform it when a check fails - confirm against their definition.
 *
 * Returns 1 if successful or 0 if not
 */
int evtx_test_get_version( void )
{
	const char *version_string = NULL;
	int result = 0;

	version_string = libevtx_get_version();

	/* The comparison is made with a length argument of 9
	 * NOTE(review): version_string is passed on without a NULL check; this
	 * assumes libevtx_get_version never returns NULL - confirm
	 */
	result = narrow_string_compare( version_string, LIBEVTX_VERSION_STRING, 9 );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 0 );

	return( 1 );

on_error:
	return( 0 );
}

/* Tests the libevtx_get_access_flags_read function
 *
 * The returned flags must equal LIBEVTX_ACCESS_FLAG_READ.
 *
 * Returns 1 if successful or 0 if not
 */
int evtx_test_get_access_flags_read( void )
{
	int access_flags = 0;

	access_flags = libevtx_get_access_flags_read();

	EVTX_TEST_ASSERT_EQUAL_INT( "access_flags", access_flags, LIBEVTX_ACCESS_FLAG_READ );

	return( 1 );

on_error:
	return( 0 );
}

/* Tests the libevtx_get_codepage function
 *
 * Retrieving the codepage into a valid pointer must succeed; a NULL output
 * pointer must yield -1 and an error.
 *
 * Returns 1 if successful or 0 if not
 */
int evtx_test_get_codepage( void )
{
	libcerror_error_t *error = NULL;
	int codepage = 0;
	int result = 0;

	result = libevtx_get_codepage( &codepage, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test error cases
	 * A NULL codepage output pointer must be rejected
	 */
	result = libevtx_get_codepage( NULL, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	return( 0 );
}

/* Tests the libevtx_set_codepage function
 *
 * A codepage value of 0 must be accepted; a value of -1 must yield -1 and an
 * error.
 *
 * Returns 1 if successful or 0 if not
 */
int evtx_test_set_codepage( void )
{
	libcerror_error_t *error = NULL;
	int result = 0;

	result = libevtx_set_codepage( 0, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test error cases
	 * An out of range codepage value must be rejected
	 */
	result = libevtx_set_codepage( -1, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	return( 0 );
}

/* Tests the libevtx_check_file_signature function
 *
 * When a source is given it is converted into a 256 character narrow string
 * buffer and the signature check on that file must return 1. A NULL and an
 * empty filename must each yield -1 and an error.
 *
 * Returns 1 if successful or 0 if not
 */
int evtx_test_check_file_signature( const system_character_t *source )
{
	char narrow_source[ 256 ];

	libcerror_error_t *error = NULL;
	int result = 0;

	if( source != NULL )
	{
		/* Initialize test
		 * The size passed (256) matches the size of narrow_source
		 */
		result = evtx_test_get_narrow_source( source, narrow_source, 256, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
		EVTX_TEST_ASSERT_IS_NULL( "error", error );

		/* Test check file signature
		 */
		result = libevtx_check_file_signature( narrow_source, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
		EVTX_TEST_ASSERT_IS_NULL( "error", error );
	}
	/* Test error cases
	 * A NULL filename must be rejected
	 */
	result = libevtx_check_file_signature( NULL, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	/* An empty filename must be rejected
	 */
	result = libevtx_check_file_signature( "", &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	if( source != NULL )
	{
#if defined( HAVE_EVTX_TEST_MEMORY )

		/* Test
libevtx_check_file_signature with malloc failing in libbfio_file_initialize */

		/* NOTE(review): setting the counter to 0 presumably makes the next
		 * allocation made through the test memory hook fail - confirm
		 */
		evtx_test_malloc_attempts_before_fail = 0;

		result = libevtx_check_file_signature( narrow_source, &error );

		/* A counter other than -1 after the call is only reset and the result
		 * is not checked; presumably the injected failure was not reached
		 */
		if( evtx_test_malloc_attempts_before_fail != -1 )
		{
			evtx_test_malloc_attempts_before_fail = -1;
		}
		else
		{
			EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
			EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

			libcerror_error_free( &error );
		}
#endif /* defined( HAVE_EVTX_TEST_MEMORY ) */
	}
	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	return( 0 );
}

#if defined( HAVE_WIDE_CHARACTER_TYPE )

/* Tests the libevtx_check_file_signature_wide function
 *
 * When a source is given it is converted into a 256 character wide string
 * buffer and the signature check on that file must return 1. A NULL and an
 * empty filename must each yield -1 and an error. With HAVE_EVTX_TEST_MEMORY
 * defined the call is repeated with a memory allocation failure injected.
 * No explicit jump to on_error is visible; presumably the EVTX_TEST_ASSERT_*
 * macros perform it when a check fails - confirm against their definition.
 *
 * Returns 1 if successful or 0 if not
 */
int evtx_test_check_file_signature_wide( const system_character_t *source )
{
	wchar_t wide_source[ 256 ];

	libcerror_error_t *error = NULL;
	int result = 0;

	if( source != NULL )
	{
		/* Initialize test
		 * The size passed (256) matches the element count of wide_source
		 */
		result = evtx_test_get_wide_source( source, wide_source, 256, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
		EVTX_TEST_ASSERT_IS_NULL( "error", error );

		/* Test check file signature
		 */
		result = libevtx_check_file_signature_wide( wide_source, &error );

		EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
		EVTX_TEST_ASSERT_IS_NULL( "error", error );
	}
	/* Test error cases
	 * A NULL filename must be rejected
	 */
	result = libevtx_check_file_signature_wide( NULL, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	/* An empty filename must be rejected
	 */
	result = libevtx_check_file_signature_wide( L"", &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	if( source != NULL )
	{
#if defined( HAVE_EVTX_TEST_MEMORY )

		/* Test libevtx_check_file_signature_wide with malloc failing in libbfio_file_initialize
		 * NOTE(review): setting the counter to 0 presumably makes the next
		 * allocation made through the test memory hook fail - confirm
		 */
		evtx_test_malloc_attempts_before_fail = 0;

		result = libevtx_check_file_signature_wide( wide_source, &error );

		/* A counter other than -1 after the call is only reset and the result
		 * is not checked; presumably the injected failure was not reached
		 */
		if( evtx_test_malloc_attempts_before_fail != -1 )
		{
			evtx_test_malloc_attempts_before_fail = -1;
		}
		else
		{
			EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
			EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

			libcerror_error_free( &error );
		}
#endif /* defined( HAVE_EVTX_TEST_MEMORY ) */
	}
	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	return( 0 );
}

#endif /* defined( HAVE_WIDE_CHARACTER_TYPE ) */

/* Tests the libevtx_check_file_signature_file_io_handle function * Returns 1 if successful or 0 if not */ int evtx_test_check_file_signature_file_io_handle( const system_character_t *source ) { uint8_t empty_block[ 8192 ]; libbfio_handle_t *file_io_handle = NULL; libcerror_error_t *error = NULL; void *memset_result = NULL; size_t source_length = 0; int result = 0; /* Initialize test */ memset_result = memory_set( empty_block, 0, sizeof( uint8_t ) * 8192 ); EVTX_TEST_ASSERT_IS_NOT_NULL( "memset_result", memset_result ); if( source != NULL ) { /* Initialize test */ result = libbfio_file_initialize( &file_io_handle, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 ); EVTX_TEST_ASSERT_IS_NOT_NULL( "file_io_handle", file_io_handle ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); source_length = system_string_length( source ); #if defined( HAVE_WIDE_SYSTEM_CHARACTER ) result = libbfio_file_set_name_wide( file_io_handle, source, source_length, &error ); #else result = libbfio_file_set_name( file_io_handle, source, source_length, &error ); #endif EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); result = libbfio_handle_open( file_io_handle, LIBBFIO_OPEN_READ, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); /* Test check file signature */ result = libevtx_check_file_signature_file_io_handle( file_io_handle, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); } /* Test error cases */ result = libevtx_check_file_signature_file_io_handle( NULL,
&error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 ); EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error ); libcerror_error_free( &error ); /* Clean up */ if( source != NULL ) { result = libbfio_handle_close( file_io_handle, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 0 ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); result = libbfio_handle_free( &file_io_handle, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 ); EVTX_TEST_ASSERT_IS_NULL( "file_io_handle", file_io_handle ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); } /* Test check file signature with data too small */ result = evtx_test_open_file_io_handle( &file_io_handle, empty_block, sizeof( uint8_t ) * 1, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 ); EVTX_TEST_ASSERT_IS_NOT_NULL( "file_io_handle", file_io_handle ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); result = libevtx_check_file_signature_file_io_handle( file_io_handle, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 ); EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error ); libcerror_error_free( &error ); result = evtx_test_close_file_io_handle( &file_io_handle, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 0 ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); /* Test check file signature with empty block */ result = evtx_test_open_file_io_handle( &file_io_handle, empty_block, sizeof( uint8_t ) * 8192, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 ); EVTX_TEST_ASSERT_IS_NOT_NULL( "file_io_handle", file_io_handle ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); result = libevtx_check_file_signature_file_io_handle( file_io_handle, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 0 ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); result = evtx_test_close_file_io_handle( &file_io_handle, &error ); EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 0 ); EVTX_TEST_ASSERT_IS_NULL( "error", error ); return( 1 ); on_error: if( error != NULL ) { libcerror_error_free( &error ); } if( file_io_handle != NULL 
) { libbfio_handle_free( &file_io_handle, NULL ); } return( 0 ); } /* The main program */ #if defined( HAVE_WIDE_SYSTEM_CHARACTER ) int wmain( int argc, wchar_t * const argv[] ) #else int main( int argc, char * const argv[] ) #endif { system_character_t *source = NULL; system_integer_t option = 0; while( ( option = evtx_test_getopt( argc, argv, _SYSTEM_STRING( "" ) ) ) != (system_integer_t) -1 ) { switch( option ) { case (system_integer_t) '?': default: fprintf( stderr, "Invalid argument: %" PRIs_SYSTEM ".\n", argv[ optind - 1 ] ); return( EXIT_FAILURE ); } } if( optind < argc ) { source = argv[ optind ]; } EVTX_TEST_RUN( "libevtx_get_version", evtx_test_get_version ); EVTX_TEST_RUN( "libevtx_get_access_flags_read", evtx_test_get_access_flags_read ); EVTX_TEST_RUN( "libevtx_get_codepage", evtx_test_get_codepage ); EVTX_TEST_RUN( "libevtx_set_codepage", evtx_test_set_codepage ); #if !defined( __BORLANDC__ ) || ( __BORLANDC__ >= 0x0560 ) EVTX_TEST_RUN_WITH_ARGS( "libevtx_check_file_signature", evtx_test_check_file_signature, source ); #if defined( HAVE_WIDE_CHARACTER_TYPE ) EVTX_TEST_RUN_WITH_ARGS( "libevtx_check_file_signature_wide", evtx_test_check_file_signature_wide, source ); #endif /* defined( HAVE_WIDE_CHARACTER_TYPE ) */ EVTX_TEST_RUN_WITH_ARGS( "libevtx_check_file_signature_file_io_handle", evtx_test_check_file_signature_file_io_handle, source ); #endif /* !defined( __BORLANDC__ ) || ( __BORLANDC__ >= 0x0560 ) */ return( EXIT_SUCCESS ); on_error: return( EXIT_FAILURE ); } ================================================ FILE: tests/evtx_test_template_definition.c ================================================ /* * Library template_definition type test program * * Copyright (C) 2011-2025, Joachim Metz * * Refer to AUTHORS for acknowledgements. 
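*
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see .
 */

/* NOTE(review): the header names of the bare #include lines below are missing on this page */
#include
#include
#include

#if defined( HAVE_STDLIB_H ) || defined( WINAPI )
#include
#endif

#include "evtx_test_libcerror.h"
#include "evtx_test_libevtx.h"
#include "evtx_test_macros.h"
#include "evtx_test_memory.h"
#include "evtx_test_unused.h"

/* Tests the libevtx_template_definition_initialize function
 *
 * Covers the regular initialize/free round trip, a NULL out-parameter, an
 * out-parameter that already holds a non-NULL value and, when
 * HAVE_EVTX_TEST_MEMORY is defined, injected malloc and memset failures.
 * Returns 1 if successful or 0 if not
 */
int evtx_test_template_definition_initialize(
     void )
{
	libcerror_error_t *error                           = NULL;
	libevtx_template_definition_t *template_definition = NULL;
	int result                                         = 0;

#if defined( HAVE_EVTX_TEST_MEMORY )
	int number_of_malloc_fail_tests                    = 1;
	int number_of_memset_fail_tests                    = 1;
	int test_number                                    = 0;
#endif

	/* Test regular cases
	 */
	result = libevtx_template_definition_initialize( &template_definition, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "template_definition", template_definition );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	result = libevtx_template_definition_free( &template_definition, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "template_definition", template_definition );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test error cases
	 */
	result = libevtx_template_definition_initialize( NULL, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	/* A non-NULL sentinel stands in for a value that is already set;
	 * initialize is expected to refuse it with -1
	 */
	template_definition = (libevtx_template_definition_t *) 0x12345678UL;

	result = libevtx_template_definition_initialize( &template_definition, &error );

	/* Reset before asserting: the sentinel is not a real allocation and must
	 * not reach the libevtx_template_definition_free call under on_error if
	 * one of the assertions below fails
	 */
	template_definition = NULL;

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

#if defined( HAVE_EVTX_TEST_MEMORY )

	/* NOTE(review): the allocator hooks come from evtx_test_memory and are
	 * assumed to set their counter back to -1 once they have forced a
	 * failure - confirm there
	 */
	for( test_number = 0;
	     test_number < number_of_malloc_fail_tests;
	     test_number++ )
	{
		/* Test libevtx_template_definition_initialize with malloc failing
		 */
		evtx_test_malloc_attempts_before_fail = test_number;

		result = libevtx_template_definition_initialize( &template_definition, &error );

		if( evtx_test_malloc_attempts_before_fail != -1 )
		{
			/* Counter was not consumed: disarm it and release whatever
			 * was created
			 */
			evtx_test_malloc_attempts_before_fail = -1;

			if( template_definition != NULL )
			{
				libevtx_template_definition_free( &template_definition, NULL );
			}
		}
		else
		{
			/* The failure must surface as -1 with no object left behind
			 */
			EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
			EVTX_TEST_ASSERT_IS_NULL( "template_definition", template_definition );
			EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

			libcerror_error_free( &error );
		}
	}
	for( test_number = 0;
	     test_number < number_of_memset_fail_tests;
	     test_number++ )
	{
		/* Test libevtx_template_definition_initialize with memset failing
		 */
		evtx_test_memset_attempts_before_fail = test_number;

		result = libevtx_template_definition_initialize( &template_definition, &error );

		if( evtx_test_memset_attempts_before_fail != -1 )
		{
			evtx_test_memset_attempts_before_fail = -1;

			if( template_definition != NULL )
			{
				libevtx_template_definition_free( &template_definition, NULL );
			}
		}
		else
		{
			EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
			EVTX_TEST_ASSERT_IS_NULL( "template_definition", template_definition );
			EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

			libcerror_error_free( &error );
		}
	}
#endif /* defined( HAVE_EVTX_TEST_MEMORY ) */

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	if( template_definition != NULL )
	{
		libevtx_template_definition_free( &template_definition, NULL );
	}
	return( 0 );
}

/* Tests the libevtx_template_definition_free function
 *
 * Only the NULL-argument case is covered here: it must return -1 and set an
 * error object.
 * Returns 1 if successful or 0 if not
 */
int evtx_test_template_definition_free(
     void )
{
	libcerror_error_t *error = NULL;
	int result               = 0;

	/* Test error cases
	 */
	result = libevtx_template_definition_free( NULL, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	return( 0 );
}

/* The main program
 *
 * Takes no arguments; argc and argv are marked unused.
 */
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
int wmain(
     int argc EVTX_TEST_ATTRIBUTE_UNUSED,
     wchar_t * const argv[] EVTX_TEST_ATTRIBUTE_UNUSED )
#else
int main(
     int argc EVTX_TEST_ATTRIBUTE_UNUSED,
     char * const argv[] EVTX_TEST_ATTRIBUTE_UNUSED )
#endif
{
	EVTX_TEST_UNREFERENCED_PARAMETER( argc )
	EVTX_TEST_UNREFERENCED_PARAMETER( argv )

	EVTX_TEST_RUN( "libevtx_template_definition_initialize", evtx_test_template_definition_initialize );

	EVTX_TEST_RUN( "libevtx_template_definition_free", evtx_test_template_definition_free );

	/* TODO: add tests for libevtx_template_definition_set_data */

#if defined( __GNUC__ ) && !defined( LIBEVTX_DLL_IMPORT )

	/* TODO: add tests for libevtx_template_definition_read */

#endif /* defined( __GNUC__ ) && !defined( LIBEVTX_DLL_IMPORT ) */

	return( EXIT_SUCCESS );

on_error:
	return( EXIT_FAILURE );
}

================================================
FILE: tests/evtx_test_tools_info_handle.c
================================================
/*
 * Tools info_handle type test program
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.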
*
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see .
 */

/* NOTE(review): the header names of the bare #include lines below are missing on this page */
#include
#include
#include
#include

#if defined( HAVE_STDLIB_H ) || defined( WINAPI )
#include
#endif

#include "evtx_test_libcerror.h"
#include "evtx_test_macros.h"
#include "evtx_test_memory.h"
#include "evtx_test_unused.h"

#include "../evtxtools/info_handle.h"

/* Tests the info_handle_initialize function
 *
 * Covers the regular initialize/free round trip, a NULL out-parameter, an
 * out-parameter that already holds a non-NULL value and, when
 * HAVE_EVTX_TEST_MEMORY is defined, injected malloc and memset failures.
 * Returns 1 if successful or 0 if not
 */
int evtx_test_tools_info_handle_initialize(
     void )
{
	info_handle_t *info_handle      = NULL;
	libcerror_error_t *error        = NULL;
	int result                      = 0;

#if defined( HAVE_EVTX_TEST_MEMORY )
	int number_of_malloc_fail_tests = 1;
	int number_of_memset_fail_tests = 1;
	int test_number                 = 0;
#endif

	/* Test regular cases
	 */
	result = info_handle_initialize( &info_handle, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "info_handle", info_handle );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	result = info_handle_free( &info_handle, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "info_handle", info_handle );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test error cases
	 */
	result = info_handle_initialize( NULL, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	/* A non-NULL sentinel stands in for a handle that is already set;
	 * initialize is expected to refuse it with -1
	 */
	info_handle = (info_handle_t *) 0x12345678UL;

	result = info_handle_initialize( &info_handle, &error );

	/* Reset before the assertions so the sentinel cannot reach the
	 * info_handle_free call under on_error
	 */
	info_handle = NULL;

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

#if defined( HAVE_EVTX_TEST_MEMORY )

	/* NOTE(review): the allocator hooks come from evtx_test_memory and are
	 * assumed to set their counter back to -1 once they have forced a
	 * failure - confirm there
	 */
	for( test_number = 0;
	     test_number < number_of_malloc_fail_tests;
	     test_number++ )
	{
		/* Test info_handle_initialize with malloc failing
		 */
		evtx_test_malloc_attempts_before_fail = test_number;

		result = info_handle_initialize( &info_handle, &error );

		if( evtx_test_malloc_attempts_before_fail != -1 )
		{
			/* Counter was not consumed: disarm it and release whatever
			 * was created
			 */
			evtx_test_malloc_attempts_before_fail = -1;

			if( info_handle != NULL )
			{
				info_handle_free( &info_handle, NULL );
			}
		}
		else
		{
			/* The failure must surface as -1 with no handle left behind
			 */
			EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
			EVTX_TEST_ASSERT_IS_NULL( "info_handle", info_handle );
			EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

			libcerror_error_free( &error );
		}
	}
	for( test_number = 0;
	     test_number < number_of_memset_fail_tests;
	     test_number++ )
	{
		/* Test info_handle_initialize with memset failing
		 */
		evtx_test_memset_attempts_before_fail = test_number;

		result = info_handle_initialize( &info_handle, &error );

		if( evtx_test_memset_attempts_before_fail != -1 )
		{
			evtx_test_memset_attempts_before_fail = -1;

			if( info_handle != NULL )
			{
				info_handle_free( &info_handle, NULL );
			}
		}
		else
		{
			EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
			EVTX_TEST_ASSERT_IS_NULL( "info_handle", info_handle );
			EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

			libcerror_error_free( &error );
		}
	}
#endif /* defined( HAVE_EVTX_TEST_MEMORY ) */

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	if( info_handle != NULL )
	{
		info_handle_free( &info_handle, NULL );
	}
	return( 0 );
}

/* Tests the info_handle_free function
 *
 * Only the NULL-argument case is covered here: it must return -1 and set an
 * error object.
 * Returns 1 if successful or 0 if not
 */
int evtx_test_tools_info_handle_free(
     void )
{
	libcerror_error_t *error = NULL;
	int result               = 0;

	/* Test error cases
	 */
	result = info_handle_free( NULL, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	return( 0 );
}

/* The main program
 *
 * Takes no arguments; argc and argv are marked unused.
 */
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
int wmain(
     int argc EVTX_TEST_ATTRIBUTE_UNUSED,
     wchar_t * const argv[] EVTX_TEST_ATTRIBUTE_UNUSED )
#else
int main(
     int argc EVTX_TEST_ATTRIBUTE_UNUSED,
     char * const argv[] EVTX_TEST_ATTRIBUTE_UNUSED )
#endif
{
	EVTX_TEST_UNREFERENCED_PARAMETER( argc )
	EVTX_TEST_UNREFERENCED_PARAMETER( argv )

	EVTX_TEST_RUN( "info_handle_initialize", evtx_test_tools_info_handle_initialize );

	EVTX_TEST_RUN( "info_handle_free", evtx_test_tools_info_handle_free );

	return( EXIT_SUCCESS );

on_error:
	return( EXIT_FAILURE );
}

================================================
FILE: tests/evtx_test_tools_message_handle.c
================================================
/*
 * Tools message_handle type test program
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see .
*/

/* NOTE(review): the header names of the bare #include lines below are missing on this page */
#include
#include
#include
#include

#if defined( HAVE_STDLIB_H ) || defined( WINAPI )
#include
#endif

#include "evtx_test_libcerror.h"
#include "evtx_test_macros.h"
#include "evtx_test_memory.h"
#include "evtx_test_unused.h"

#include "../evtxtools/message_handle.h"

/* Tests the message_handle_initialize function
 *
 * Covers the regular initialize/free round trip, a NULL out-parameter, an
 * out-parameter that already holds a non-NULL value and, when
 * HAVE_EVTX_TEST_MEMORY is defined, injected malloc and memset failures.
 * Returns 1 if successful or 0 if not
 */
int evtx_test_tools_message_handle_initialize(
     void )
{
	libcerror_error_t *error         = NULL;
	message_handle_t *message_handle = NULL;
	int result                       = 0;

#if defined( HAVE_EVTX_TEST_MEMORY )
	int number_of_malloc_fail_tests  = 1;
	int number_of_memset_fail_tests  = 1;
	int test_number                  = 0;
#endif

	/* Test regular cases
	 */
	result = message_handle_initialize( &message_handle, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "message_handle", message_handle );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	result = message_handle_free( &message_handle, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "message_handle", message_handle );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test error cases
	 */
	result = message_handle_initialize( NULL, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	/* A non-NULL sentinel stands in for a handle that is already set;
	 * initialize is expected to refuse it with -1
	 */
	message_handle = (message_handle_t *) 0x12345678UL;

	result = message_handle_initialize( &message_handle, &error );

	/* Reset before the assertions so the sentinel cannot reach the
	 * message_handle_free call under on_error
	 */
	message_handle = NULL;

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

#if defined( HAVE_EVTX_TEST_MEMORY )

	/* NOTE(review): the allocator hooks come from evtx_test_memory and are
	 * assumed to set their counter back to -1 once they have forced a
	 * failure - confirm there
	 */
	for( test_number = 0;
	     test_number < number_of_malloc_fail_tests;
	     test_number++ )
	{
		/* Test message_handle_initialize with malloc failing
		 */
		evtx_test_malloc_attempts_before_fail = test_number;

		result = message_handle_initialize( &message_handle, &error );

		if( evtx_test_malloc_attempts_before_fail != -1 )
		{
			/* Counter was not consumed: disarm it and release whatever
			 * was created
			 */
			evtx_test_malloc_attempts_before_fail = -1;

			if( message_handle != NULL )
			{
				message_handle_free( &message_handle, NULL );
			}
		}
		else
		{
			/* The failure must surface as -1 with no handle left behind
			 */
			EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
			EVTX_TEST_ASSERT_IS_NULL( "message_handle", message_handle );
			EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

			libcerror_error_free( &error );
		}
	}
	for( test_number = 0;
	     test_number < number_of_memset_fail_tests;
	     test_number++ )
	{
		/* Test message_handle_initialize with memset failing
		 */
		evtx_test_memset_attempts_before_fail = test_number;

		result = message_handle_initialize( &message_handle, &error );

		if( evtx_test_memset_attempts_before_fail != -1 )
		{
			evtx_test_memset_attempts_before_fail = -1;

			if( message_handle != NULL )
			{
				message_handle_free( &message_handle, NULL );
			}
		}
		else
		{
			EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
			EVTX_TEST_ASSERT_IS_NULL( "message_handle", message_handle );
			EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

			libcerror_error_free( &error );
		}
	}
#endif /* defined( HAVE_EVTX_TEST_MEMORY ) */

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	if( message_handle != NULL )
	{
		message_handle_free( &message_handle, NULL );
	}
	return( 0 );
}

/* Tests the message_handle_free function
 *
 * Only the NULL-argument case is covered here: it must return -1 and set an
 * error object.
 * Returns 1 if successful or 0 if not
 */
int evtx_test_tools_message_handle_free(
     void )
{
	libcerror_error_t *error = NULL;
	int result               = 0;

	/* Test error cases
	 */
	result = message_handle_free( NULL, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	return( 0 );
}

/* The main program
 *
 * Takes no arguments; argc and argv are marked unused.
 */
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
int wmain(
     int argc EVTX_TEST_ATTRIBUTE_UNUSED,
     wchar_t * const argv[] EVTX_TEST_ATTRIBUTE_UNUSED )
#else
int main(
     int argc EVTX_TEST_ATTRIBUTE_UNUSED,
     char * const argv[] EVTX_TEST_ATTRIBUTE_UNUSED )
#endif
{
	EVTX_TEST_UNREFERENCED_PARAMETER( argc )
	EVTX_TEST_UNREFERENCED_PARAMETER( argv )

	EVTX_TEST_RUN( "message_handle_initialize", evtx_test_tools_message_handle_initialize );

	EVTX_TEST_RUN( "message_handle_free", evtx_test_tools_message_handle_free );

	return( EXIT_SUCCESS );

on_error:
	return( EXIT_FAILURE );
}

================================================
FILE: tests/evtx_test_tools_message_string.c
================================================
/*
 * Tools message_string type test program
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see .
*/

/* NOTE(review): the header names of the bare #include lines below are missing on this page */
#include
#include
#include
#include

#if defined( HAVE_STDLIB_H ) || defined( WINAPI )
#include
#endif

#include "evtx_test_libcerror.h"
#include "evtx_test_macros.h"
#include "evtx_test_memory.h"
#include "evtx_test_unused.h"

#include "../evtxtools/message_string.h"

/* Tests the message_string_initialize function
 *
 * Every call passes 1 as the second argument of message_string_initialize.
 * Covers the regular initialize/free round trip, a NULL out-parameter, an
 * out-parameter that already holds a non-NULL value and, when
 * HAVE_EVTX_TEST_MEMORY is defined, injected malloc and memset failures.
 * Returns 1 if successful or 0 if not
 */
int evtx_test_tools_message_string_initialize(
     void )
{
	libcerror_error_t *error         = NULL;
	message_string_t *message_string = NULL;
	int result                       = 0;

#if defined( HAVE_EVTX_TEST_MEMORY )
	int number_of_malloc_fail_tests  = 1;
	int number_of_memset_fail_tests  = 1;
	int test_number                  = 0;
#endif

	/* Test regular cases
	 */
	result = message_string_initialize( &message_string, 1, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "message_string", message_string );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	result = message_string_free( &message_string, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "message_string", message_string );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test error cases
	 */
	result = message_string_initialize( NULL, 1, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	/* A non-NULL sentinel stands in for an object that is already set;
	 * initialize is expected to refuse it with -1
	 */
	message_string = (message_string_t *) 0x12345678UL;

	result = message_string_initialize( &message_string, 1, &error );

	/* Reset before the assertions so the sentinel cannot reach the
	 * message_string_free call under on_error
	 */
	message_string = NULL;

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

#if defined( HAVE_EVTX_TEST_MEMORY )

	/* NOTE(review): the allocator hooks come from evtx_test_memory and are
	 * assumed to set their counter back to -1 once they have forced a
	 * failure - confirm there
	 */
	for( test_number = 0;
	     test_number < number_of_malloc_fail_tests;
	     test_number++ )
	{
		/* Test message_string_initialize with malloc failing
		 */
		evtx_test_malloc_attempts_before_fail = test_number;

		result = message_string_initialize( &message_string, 1, &error );

		if( evtx_test_malloc_attempts_before_fail != -1 )
		{
			/* Counter was not consumed: disarm it and release whatever
			 * was created
			 */
			evtx_test_malloc_attempts_before_fail = -1;

			if( message_string != NULL )
			{
				message_string_free( &message_string, NULL );
			}
		}
		else
		{
			/* The failure must surface as -1 with no object left behind
			 */
			EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
			EVTX_TEST_ASSERT_IS_NULL( "message_string", message_string );
			EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

			libcerror_error_free( &error );
		}
	}
	for( test_number = 0;
	     test_number < number_of_memset_fail_tests;
	     test_number++ )
	{
		/* Test message_string_initialize with memset failing
		 */
		evtx_test_memset_attempts_before_fail = test_number;

		result = message_string_initialize( &message_string, 1, &error );

		if( evtx_test_memset_attempts_before_fail != -1 )
		{
			evtx_test_memset_attempts_before_fail = -1;

			if( message_string != NULL )
			{
				message_string_free( &message_string, NULL );
			}
		}
		else
		{
			EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
			EVTX_TEST_ASSERT_IS_NULL( "message_string", message_string );
			EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

			libcerror_error_free( &error );
		}
	}
#endif /* defined( HAVE_EVTX_TEST_MEMORY ) */

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	if( message_string != NULL )
	{
		message_string_free( &message_string, NULL );
	}
	return( 0 );
}

/* Tests the message_string_free function
 *
 * Only the NULL-argument case is covered here: it must return -1 and set an
 * error object.
 * Returns 1 if successful or 0 if not
 */
int evtx_test_tools_message_string_free(
     void )
{
	libcerror_error_t *error = NULL;
	int result               = 0;

	/* Test error cases
	 */
	result = message_string_free( NULL, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	return( 0 );
}

/* The main program
 *
 * Takes no arguments; argc and argv are marked unused.
 */
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
int wmain(
     int argc EVTX_TEST_ATTRIBUTE_UNUSED,
     wchar_t * const argv[] EVTX_TEST_ATTRIBUTE_UNUSED )
#else
int main(
     int argc EVTX_TEST_ATTRIBUTE_UNUSED,
     char * const argv[] EVTX_TEST_ATTRIBUTE_UNUSED )
#endif
{
	EVTX_TEST_UNREFERENCED_PARAMETER( argc )
	EVTX_TEST_UNREFERENCED_PARAMETER( argv )

	EVTX_TEST_RUN( "message_string_initialize", evtx_test_tools_message_string_initialize );

	EVTX_TEST_RUN( "message_string_free", evtx_test_tools_message_string_free );

	return( EXIT_SUCCESS );

on_error:
	return( EXIT_FAILURE );
}

================================================
FILE: tests/evtx_test_tools_output.c
================================================
/*
 * Tools output functions test program
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see .
*/

/* NOTE(review): the header names of the bare #include lines below are missing on this page */
#include
#include
#include
#include

#if defined( HAVE_IO_H ) || defined( WINAPI )
#include
#endif

#if defined( HAVE_STDLIB_H ) || defined( WINAPI )
#include
#endif

#include "evtx_test_libcerror.h"
#include "evtx_test_macros.h"
#include "evtx_test_unused.h"

#include "../evtxtools/evtxtools_output.h"

/* Tests the evtxtools_output_initialize function
 *
 * Only the regular case is exercised: _IONBF (the stdio unbuffered mode) is
 * passed and the call must return 1 without setting an error object.
 * Returns 1 if successful or 0 if not
 */
int evtx_test_tools_output_initialize(
     void )
{
	libcerror_error_t *error = NULL;
	int result               = 0;

	result = evtxtools_output_initialize( _IONBF, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	return( 0 );
}

/* The main program
 *
 * Takes no arguments; argc and argv are marked unused.
 */
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
int wmain(
     int argc EVTX_TEST_ATTRIBUTE_UNUSED,
     wchar_t * const argv[] EVTX_TEST_ATTRIBUTE_UNUSED )
#else
int main(
     int argc EVTX_TEST_ATTRIBUTE_UNUSED,
     char * const argv[] EVTX_TEST_ATTRIBUTE_UNUSED )
#endif
{
	EVTX_TEST_UNREFERENCED_PARAMETER( argc )
	EVTX_TEST_UNREFERENCED_PARAMETER( argv )

	EVTX_TEST_RUN( "evtxtools_output_initialize", evtx_test_tools_output_initialize )

	/* TODO add tests for evtxtools_output_copyright_fprint */

	/* TODO add tests for evtxtools_output_version_fprint */

	/* TODO add tests for evtxtools_output_version_detailed_fprint */

	return( EXIT_SUCCESS );

on_error:
	return( EXIT_FAILURE );
}

================================================
FILE: tests/evtx_test_tools_path_handle.c
================================================
/*
 * Tools path_handle type test program
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
*
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see .
 */

/* NOTE(review): the header names of the bare #include lines below are missing on this page */
#include
#include
#include
#include

#if defined( HAVE_STDLIB_H ) || defined( WINAPI )
#include
#endif

#include "evtx_test_libcerror.h"
#include "evtx_test_macros.h"
#include "evtx_test_memory.h"
#include "evtx_test_unused.h"

#include "../evtxtools/path_handle.h"

/* Tests the path_handle_initialize function
 *
 * Covers the regular initialize/free round trip, a NULL out-parameter, an
 * out-parameter that already holds a non-NULL value and, when
 * HAVE_EVTX_TEST_MEMORY is defined, injected malloc and memset failures.
 * Returns 1 if successful or 0 if not
 */
int evtx_test_tools_path_handle_initialize(
     void )
{
	libcerror_error_t *error        = NULL;
	path_handle_t *path_handle      = NULL;
	int result                      = 0;

#if defined( HAVE_EVTX_TEST_MEMORY )
	int number_of_malloc_fail_tests = 1;
	int number_of_memset_fail_tests = 1;
	int test_number                 = 0;
#endif

	/* Test regular cases
	 */
	result = path_handle_initialize( &path_handle, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "path_handle", path_handle );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	result = path_handle_free( &path_handle, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "path_handle", path_handle );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test error cases
	 */
	result = path_handle_initialize( NULL, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	/* A non-NULL sentinel stands in for a handle that is already set;
	 * initialize is expected to refuse it with -1
	 */
	path_handle = (path_handle_t *) 0x12345678UL;

	result = path_handle_initialize( &path_handle, &error );

	/* Reset before the assertions so the sentinel cannot reach the
	 * path_handle_free call under on_error
	 */
	path_handle = NULL;

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

#if defined( HAVE_EVTX_TEST_MEMORY )

	/* NOTE(review): the allocator hooks come from evtx_test_memory and are
	 * assumed to set their counter back to -1 once they have forced a
	 * failure - confirm there
	 */
	for( test_number = 0;
	     test_number < number_of_malloc_fail_tests;
	     test_number++ )
	{
		/* Test path_handle_initialize with malloc failing
		 */
		evtx_test_malloc_attempts_before_fail = test_number;

		result = path_handle_initialize( &path_handle, &error );

		if( evtx_test_malloc_attempts_before_fail != -1 )
		{
			/* Counter was not consumed: disarm it and release whatever
			 * was created
			 */
			evtx_test_malloc_attempts_before_fail = -1;

			if( path_handle != NULL )
			{
				path_handle_free( &path_handle, NULL );
			}
		}
		else
		{
			/* The failure must surface as -1 with no handle left behind
			 */
			EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
			EVTX_TEST_ASSERT_IS_NULL( "path_handle", path_handle );
			EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

			libcerror_error_free( &error );
		}
	}
	for( test_number = 0;
	     test_number < number_of_memset_fail_tests;
	     test_number++ )
	{
		/* Test path_handle_initialize with memset failing
		 */
		evtx_test_memset_attempts_before_fail = test_number;

		result = path_handle_initialize( &path_handle, &error );

		if( evtx_test_memset_attempts_before_fail != -1 )
		{
			evtx_test_memset_attempts_before_fail = -1;

			if( path_handle != NULL )
			{
				path_handle_free( &path_handle, NULL );
			}
		}
		else
		{
			EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
			EVTX_TEST_ASSERT_IS_NULL( "path_handle", path_handle );
			EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

			libcerror_error_free( &error );
		}
	}
#endif /* defined( HAVE_EVTX_TEST_MEMORY ) */

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	if( path_handle != NULL )
	{
		path_handle_free( &path_handle, NULL );
	}
	return( 0 );
}

/* Tests the path_handle_free function
 *
 * Only the NULL-argument case is covered here: it must return -1 and set an
 * error object.
 * Returns 1 if successful or 0 if not
 */
int evtx_test_tools_path_handle_free(
     void )
{
	libcerror_error_t *error = NULL;
	int result               = 0;

	/* Test error cases
	 */
	result = path_handle_free( NULL, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	return( 0 );
}

/* The main program
 *
 * Takes no arguments; argc and argv are marked unused.
 */
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
int wmain(
     int argc EVTX_TEST_ATTRIBUTE_UNUSED,
     wchar_t * const argv[] EVTX_TEST_ATTRIBUTE_UNUSED )
#else
int main(
     int argc EVTX_TEST_ATTRIBUTE_UNUSED,
     char * const argv[] EVTX_TEST_ATTRIBUTE_UNUSED )
#endif
{
	EVTX_TEST_UNREFERENCED_PARAMETER( argc )
	EVTX_TEST_UNREFERENCED_PARAMETER( argv )

	EVTX_TEST_RUN( "path_handle_initialize", evtx_test_tools_path_handle_initialize );

	EVTX_TEST_RUN( "path_handle_free", evtx_test_tools_path_handle_free );

	return( EXIT_SUCCESS );

on_error:
	return( EXIT_FAILURE );
}

================================================
FILE: tests/evtx_test_tools_registry_file.c
================================================
/*
 * Tools registry_file type test program
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see .
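*/

/* NOTE(review): the header names of the bare #include directives below were
 * lost when this listing was extracted; restore them from the upstream file
 * before building.
 */
#include
#include
#include
#include

#if defined( HAVE_STDLIB_H ) || defined( WINAPI )
#include
#endif

#include "evtx_test_libcerror.h"
#include "evtx_test_macros.h"
#include "evtx_test_memory.h"
#include "evtx_test_unused.h"

#include "../evtxtools/registry_file.h"

/* Tests the registry_file_initialize function
 *
 * Covers an initialize/free round trip, rejection of invalid arguments and,
 * only when HAVE_EVTX_TEST_MEMORY is defined, initialization while malloc
 * or memset is made to fail.
 * The on_error label has no explicit goto in this function, so a failed
 * check presumably jumps there from inside the EVTX_TEST_ASSERT_* macros -
 * confirm in evtx_test_macros.h.
 *
 * Returns 1 if successful or 0 if not
 */
int evtx_test_tools_registry_file_initialize(
     void )
{
	libcerror_error_t *error       = NULL;
	registry_file_t *registry_file = NULL;
	int result                     = 0;

#if defined( HAVE_EVTX_TEST_MEMORY )
	int number_of_malloc_fail_tests = 1;
	int number_of_memset_fail_tests = 1;
	int test_number                 = 0;
#endif

	/* Test regular cases: initialize hands back a handle and free
	 * resets the caller's pointer to NULL
	 */
	result = registry_file_initialize( &registry_file, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "registry_file", registry_file );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	result = registry_file_free( &registry_file, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "registry_file", registry_file );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test error cases: a NULL output argument must be rejected
	 */
	result = registry_file_initialize( NULL, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	/* A non-NULL value stands in for an already initialized handle that
	 * initialize must refuse to overwrite. The test never dereferences it
	 * and resets it to NULL before the checks, so the on_error path cannot
	 * hand the bogus pointer to registry_file_free
	 */
	registry_file = (registry_file_t *) 0x12345678UL;

	result = registry_file_initialize( &registry_file, &error );

	registry_file = NULL;

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

#if defined( HAVE_EVTX_TEST_MEMORY )

	for( test_number = 0;
	     test_number < number_of_malloc_fail_tests;
	     test_number++ )
	{
		/* Test registry_file_initialize with malloc failing
		 */
		evtx_test_malloc_attempts_before_fail = test_number;

		result = registry_file_initialize( &registry_file, &error );

		/* A counter that is still armed means the injected failure was
		 * not reached (presumably the hook sets it to -1 when it fires -
		 * confirm in the evtx_test_memory implementation); disarm it and
		 * release whatever was created instead of asserting
		 */
		if( evtx_test_malloc_attempts_before_fail != -1 )
		{
			evtx_test_malloc_attempts_before_fail = -1;

			if( registry_file != NULL )
			{
				registry_file_free( &registry_file, NULL );
			}
		}
		else
		{
			/* A failed allocation must report an error and leave
			 * the caller's pointer NULL
			 */
			EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
			EVTX_TEST_ASSERT_IS_NULL( "registry_file", registry_file );
			EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

			libcerror_error_free( &error );
		}
	}
	for( test_number = 0;
	     test_number < number_of_memset_fail_tests;
	     test_number++ )
	{
		/* Test registry_file_initialize with memset failing
		 */
		evtx_test_memset_attempts_before_fail = test_number;

		result = registry_file_initialize( &registry_file, &error );

		if( evtx_test_memset_attempts_before_fail != -1 )
		{
			evtx_test_memset_attempts_before_fail = -1;

			if( registry_file != NULL )
			{
				registry_file_free( &registry_file, NULL );
			}
		}
		else
		{
			EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
			EVTX_TEST_ASSERT_IS_NULL( "registry_file", registry_file );
			EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

			libcerror_error_free( &error );
		}
	}
#endif /* defined( HAVE_EVTX_TEST_MEMORY ) */

	return( 1 );

on_error:
	/* Release anything a failed check left behind
	 */
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	if( registry_file != NULL )
	{
		registry_file_free( &registry_file, NULL );
	}
	return( 0 );
}

/* Tests the registry_file_free function
 *
 * Only the error case is exercised here: a NULL argument must be
 * rejected with -1 and an error object.
 *
 * Returns 1 if successful or 0 if not
 */
int evtx_test_tools_registry_file_free(
     void )
{
	libcerror_error_t *error = NULL;
	int result               = 0;

	/* Test error cases
	 */
	result = registry_file_free( NULL, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	return( 0 );
}

/* The main program
 *
 * Runs the two tests above in order. The arguments are unused.
 */
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
int wmain(
     int argc EVTX_TEST_ATTRIBUTE_UNUSED,
     wchar_t * const argv[] EVTX_TEST_ATTRIBUTE_UNUSED )
#else
int main(
     int argc EVTX_TEST_ATTRIBUTE_UNUSED,
     char * const argv[] EVTX_TEST_ATTRIBUTE_UNUSED )
#endif
{
	EVTX_TEST_UNREFERENCED_PARAMETER( argc )
	EVTX_TEST_UNREFERENCED_PARAMETER( argv )

	EVTX_TEST_RUN( "registry_file_initialize", evtx_test_tools_registry_file_initialize );

	EVTX_TEST_RUN( "registry_file_free", evtx_test_tools_registry_file_free );

	return( EXIT_SUCCESS );

on_error:
	return( EXIT_FAILURE );
}

================================================
FILE: tests/evtx_test_tools_resource_file.c
================================================
/*
 * Tools resource_file type test program
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see .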
*/

/* NOTE(review): the header names of the bare #include directives below were
 * lost when this listing was extracted; restore them from the upstream file
 * before building.
 */
#include
#include
#include
#include

#if defined( HAVE_STDLIB_H ) || defined( WINAPI )
#include
#endif

#include "evtx_test_libcerror.h"
#include "evtx_test_macros.h"
#include "evtx_test_memory.h"
#include "evtx_test_unused.h"

#include "../evtxtools/resource_file.h"

/* Tests the resource_file_initialize function
 *
 * Covers an initialize/free round trip, rejection of invalid arguments and,
 * only when HAVE_EVTX_TEST_MEMORY is defined, initialization while malloc
 * or memset is made to fail.
 * Every call passes 0x00000409, the Windows language identifier for
 * English (United States); presumably the preferred language of the
 * resource file - confirm against resource_file.h.
 * The on_error label has no explicit goto in this function, so a failed
 * check presumably jumps there from inside the EVTX_TEST_ASSERT_* macros -
 * confirm in evtx_test_macros.h.
 *
 * Returns 1 if successful or 0 if not
 */
int evtx_test_tools_resource_file_initialize(
     void )
{
	libcerror_error_t *error       = NULL;
	resource_file_t *resource_file = NULL;
	int result                     = 0;

#if defined( HAVE_EVTX_TEST_MEMORY )
	int number_of_malloc_fail_tests = 1;
	int number_of_memset_fail_tests = 1;
	int test_number                 = 0;
#endif

	/* Test regular cases: initialize hands back a handle and free
	 * resets the caller's pointer to NULL
	 */
	result = resource_file_initialize( &resource_file, 0x00000409UL, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "resource_file", resource_file );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	result = resource_file_free( &resource_file, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "resource_file", resource_file );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test error cases: a NULL output argument must be rejected
	 */
	result = resource_file_initialize( NULL, 0x00000409UL, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	/* A non-NULL value stands in for an already initialized handle that
	 * initialize must refuse to overwrite. The test never dereferences it
	 * and resets it to NULL before the checks, so the on_error path cannot
	 * hand the bogus pointer to resource_file_free
	 */
	resource_file = (resource_file_t *) 0x12345678UL;

	result = resource_file_initialize( &resource_file, 0x00000409UL, &error );

	resource_file = NULL;

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

#if defined( HAVE_EVTX_TEST_MEMORY )

	for( test_number = 0;
	     test_number < number_of_malloc_fail_tests;
	     test_number++ )
	{
		/* Test resource_file_initialize with malloc failing
		 */
		evtx_test_malloc_attempts_before_fail = test_number;

		result = resource_file_initialize( &resource_file, 0x00000409UL, &error );

		/* A counter that is still armed means the injected failure was
		 * not reached (presumably the hook sets it to -1 when it fires -
		 * confirm in the evtx_test_memory implementation); disarm it and
		 * release whatever was created instead of asserting
		 */
		if( evtx_test_malloc_attempts_before_fail != -1 )
		{
			evtx_test_malloc_attempts_before_fail = -1;

			if( resource_file != NULL )
			{
				resource_file_free( &resource_file, NULL );
			}
		}
		else
		{
			/* A failed allocation must report an error and leave
			 * the caller's pointer NULL
			 */
			EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
			EVTX_TEST_ASSERT_IS_NULL( "resource_file", resource_file );
			EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

			libcerror_error_free( &error );
		}
	}
	for( test_number = 0;
	     test_number < number_of_memset_fail_tests;
	     test_number++ )
	{
		/* Test resource_file_initialize with memset failing
		 */
		evtx_test_memset_attempts_before_fail = test_number;

		result = resource_file_initialize( &resource_file, 0x00000409UL, &error );

		if( evtx_test_memset_attempts_before_fail != -1 )
		{
			evtx_test_memset_attempts_before_fail = -1;

			if( resource_file != NULL )
			{
				resource_file_free( &resource_file, NULL );
			}
		}
		else
		{
			EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
			EVTX_TEST_ASSERT_IS_NULL( "resource_file", resource_file );
			EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

			libcerror_error_free( &error );
		}
	}
#endif /* defined( HAVE_EVTX_TEST_MEMORY ) */

	return( 1 );

on_error:
	/* Release anything a failed check left behind
	 */
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	if( resource_file != NULL )
	{
		resource_file_free( &resource_file, NULL );
	}
	return( 0 );
}

/* Tests the resource_file_free function
 *
 * Only the error case is exercised here: a NULL argument must be
 * rejected with -1 and an error object.
 *
 * Returns 1 if successful or 0 if not
 */
int evtx_test_tools_resource_file_free(
     void )
{
	libcerror_error_t *error = NULL;
	int result               = 0;

	/* Test error cases
	 */
	result = resource_file_free( NULL, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	return( 0 );
}

/* The main program
 *
 * Runs the two tests above in order. The arguments are unused.
 */
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
int wmain(
     int argc EVTX_TEST_ATTRIBUTE_UNUSED,
     wchar_t * const argv[] EVTX_TEST_ATTRIBUTE_UNUSED )
#else
int main(
     int argc EVTX_TEST_ATTRIBUTE_UNUSED,
     char * const argv[] EVTX_TEST_ATTRIBUTE_UNUSED )
#endif
{
	EVTX_TEST_UNREFERENCED_PARAMETER( argc )
	EVTX_TEST_UNREFERENCED_PARAMETER( argv )

	EVTX_TEST_RUN( "resource_file_initialize", evtx_test_tools_resource_file_initialize );

	EVTX_TEST_RUN( "resource_file_free", evtx_test_tools_resource_file_free );

	return( EXIT_SUCCESS );

on_error:
	return( EXIT_FAILURE );
}

================================================
FILE: tests/evtx_test_tools_signal.c
================================================
/*
 * Tools signal functions test program
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see .
*/

/* NOTE(review): the header names of the bare #include directives below were
 * lost when this listing was extracted; restore them from the upstream file
 * before building.
 */
#include
#include
#include

#if defined( HAVE_STDLIB_H ) || defined( WINAPI )
#include
#endif

#include "evtx_test_libcerror.h"
#include "evtx_test_macros.h"
#include "evtx_test_unused.h"

#include "../evtxtools/evtxtools_signal.h"

/* Signal handler stub that the attach test hands to evtxtools_signal_attach
 * It deliberately ignores the signal it receives
 */
void evtx_test_tools_signal_handler_function(
      evtxtools_signal_t signal EVTX_TEST_ATTRIBUTE_UNUSED )
{
	EVTX_TEST_UNREFERENCED_PARAMETER( signal )
}

#if defined( WINAPI )

/* Tests the evtxtools_signal_handler function
 *
 * Expects TRUE for CTRL_C_EVENT and FALSE for CTRL_LOGOFF_EVENT.
 * Only compiled when WINAPI is defined.
 *
 * Returns 1 if successful or 0 if not
 */
int evtx_test_tools_signal_handler(
     void )
{
	BOOL result = 0;

	/* Test regular cases
	 */
	result = evtxtools_signal_handler( CTRL_C_EVENT );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, (int) TRUE );

	result = evtxtools_signal_handler( CTRL_LOGOFF_EVENT );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, (int) FALSE );

	return( 1 );

on_error:
	return( 0 );
}

#if defined( _MSC_VER )

	/* TODO add tests for evtxtools_signal_initialize_memory_debug */

#endif /* defined( _MSC_VER ) */

#endif /* defined( WINAPI ) */

/* Tests the evtxtools_signal_attach function
 *
 * Attaches the stub handler, then checks that a NULL handler is rejected.
 * The handler attached here is not detached by this function; main runs
 * the detach test directly afterwards.
 *
 * Returns 1 if successful or 0 if not
 */
int evtx_test_tools_signal_attach(
     void )
{
	libcerror_error_t *error = NULL;
	int result               = 0;

	/* Test regular cases
	 */
	result = evtxtools_signal_attach( evtx_test_tools_signal_handler_function, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	/* Test error cases
	 */
	result = evtxtools_signal_attach( NULL, &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, -1 );
	EVTX_TEST_ASSERT_IS_NOT_NULL( "error", error );

	libcerror_error_free( &error );

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	return( 0 );
}

/* Tests the evtxtools_signal_detach function
 *
 * Only the regular case is exercised: detach must return 1 without
 * setting an error.
 *
 * Returns 1 if successful or 0 if not
 */
int evtx_test_tools_signal_detach(
     void )
{
	libcerror_error_t *error = NULL;
	int result               = 0;

	/* Test regular cases
	 */
	result = evtxtools_signal_detach( &error );

	EVTX_TEST_ASSERT_EQUAL_INT( "result", result, 1 );
	EVTX_TEST_ASSERT_IS_NULL( "error", error );

	return( 1 );

on_error:
	if( error != NULL )
	{
		libcerror_error_free( &error );
	}
	return( 0 );
}

/* The main program
 *
 * Runs the handler test (WINAPI builds only), then attach, then detach.
 * The EVTX_TEST_RUN invocations in this file carry no trailing semicolon.
 */
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
int wmain(
     int argc EVTX_TEST_ATTRIBUTE_UNUSED,
     wchar_t * const argv[] EVTX_TEST_ATTRIBUTE_UNUSED )
#else
int main(
     int argc EVTX_TEST_ATTRIBUTE_UNUSED,
     char * const argv[] EVTX_TEST_ATTRIBUTE_UNUSED )
#endif
{
	EVTX_TEST_UNREFERENCED_PARAMETER( argc )
	EVTX_TEST_UNREFERENCED_PARAMETER( argv )

#if defined( WINAPI )

	EVTX_TEST_RUN( "evtxtools_signal_handler", evtx_test_tools_signal_handler )

#if defined( _MSC_VER )

	/* TODO add tests for evtxtools_signal_initialize_memory_debug */

#endif /* defined( _MSC_VER ) */

#endif /* defined( WINAPI ) */

	EVTX_TEST_RUN( "evtxtools_signal_attach", evtx_test_tools_signal_attach )

	EVTX_TEST_RUN( "evtxtools_signal_detach", evtx_test_tools_signal_detach )

	return( EXIT_SUCCESS );

on_error:
	return( EXIT_FAILURE );
}

================================================
FILE: tests/evtx_test_unused.h
================================================
/*
 * Definitions to silence compiler warnings about unused function attributes/parameters.
 *
 * Copyright (C) 2011-2025, Joachim Metz
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see .
*/ #if !defined( _EVTX_TEST_UNUSED_H ) #define _EVTX_TEST_UNUSED_H #include #if !defined( EVTX_TEST_ATTRIBUTE_UNUSED ) #if defined( __GNUC__ ) && __GNUC__ >= 3 #define EVTX_TEST_ATTRIBUTE_UNUSED __attribute__ ((__unused__)) #else #define EVTX_TEST_ATTRIBUTE_UNUSED #endif /* defined( __GNUC__ ) && __GNUC__ >= 3 */ #endif /* !defined( EVTX_TEST_ATTRIBUTE_UNUSED ) */ #if defined( _MSC_VER ) #define EVTX_TEST_UNREFERENCED_PARAMETER( parameter ) \ UNREFERENCED_PARAMETER( parameter ); #else #define EVTX_TEST_UNREFERENCED_PARAMETER( parameter ) \ /* parameter */ #endif /* defined( _MSC_VER ) */ #endif /* !defined( _EVTX_TEST_UNUSED_H ) */ ================================================ FILE: tests/lsan.suppressions ================================================ leak:/lib*/libpython* ================================================ FILE: tests/pkgbuild.sh ================================================ #!/bin/sh # Script to build a MacOS pkg # # Version: 20241015 set -e make install DESTDIR=${PWD}/osx-pkg mkdir -p ${PWD}/osx-pkg/usr/share/doc/libevtx cp AUTHORS COPYING COPYING.LESSER NEWS README ${PWD}/osx-pkg/usr/share/doc/libevtx VERSION=`sed '5!d; s/^ \[//;s/\],$//' configure.ac` pkgbuild --root osx-pkg --identifier com.github.libyal.libevtx --version ${VERSION} --ownership recommended ../libevtx-${VERSION}.pkg ================================================ FILE: tests/pyevtx_test_file.py ================================================ #!/usr/bin/env python # # Python-bindings file type test script # # Copyright (C) 2011-2025, Joachim Metz # # Refer to AUTHORS for acknowledgements. # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Lesser General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. 
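#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with this program. If not, see .

import argparse
import os
import sys
import unittest

import pyevtx


class FileTypeTests(unittest.TestCase):
  """Tests the file type.

  The path of the EVTX file under test is read from the "source" attribute
  that the script entry point (or tests/runtests.py) sets on the unittest
  module. Tests that need a file are skipped when it is missing.
  """

  def test_signal_abort(self):
    """Tests the signal_abort function."""
    evtx_file = pyevtx.file()

    evtx_file.signal_abort()

  def test_open(self):
    """Tests the open function."""
    test_source = getattr(unittest, "source", None)
    if not test_source:
      raise unittest.SkipTest("missing source")

    evtx_file = pyevtx.file()

    evtx_file.open(test_source)

    # Opening an already open file must fail.
    with self.assertRaises(IOError):
      evtx_file.open(test_source)

    evtx_file.close()

    with self.assertRaises(TypeError):
      evtx_file.open(None)

    # Only read access is supported.
    with self.assertRaises(ValueError):
      evtx_file.open(test_source, mode="w")

  def test_open_file_object(self):
    """Tests the open_file_object function."""
    test_source = getattr(unittest, "source", None)
    if not test_source:
      raise unittest.SkipTest("missing source")

    if not os.path.isfile(test_source):
      raise unittest.SkipTest("source not a regular file")

    evtx_file = pyevtx.file()

    with open(test_source, "rb") as file_object:

      evtx_file.open_file_object(file_object)

      # Opening an already open file must fail.
      with self.assertRaises(IOError):
        evtx_file.open_file_object(file_object)

      evtx_file.close()

      with self.assertRaises(TypeError):
        evtx_file.open_file_object(None)

      with self.assertRaises(ValueError):
        evtx_file.open_file_object(file_object, mode="w")

  def test_close(self):
    """Tests the close function."""
    # NOTE(review): the source is only used as a gate here; the check below
    # closes a file that was never opened.
    test_source = getattr(unittest, "source", None)
    if not test_source:
      raise unittest.SkipTest("missing source")

    evtx_file = pyevtx.file()

    with self.assertRaises(IOError):
      evtx_file.close()

  def test_open_close(self):
    """Tests the open and close functions."""
    test_source = getattr(unittest, "source", None)
    if not test_source:
      # Report the test as skipped, like the other tests in this class,
      # instead of returning and having it counted as passed.
      raise unittest.SkipTest("missing source")

    evtx_file = pyevtx.file()

    # Test open and close.
    evtx_file.open(test_source)
    evtx_file.close()

    # Test open and close a second time to validate clean up on close.
    evtx_file.open(test_source)
    evtx_file.close()

    if os.path.isfile(test_source):
      with open(test_source, "rb") as file_object:

        # Test open_file_object and close.
        evtx_file.open_file_object(file_object)
        evtx_file.close()

        # Test open_file_object and close a second time to validate clean up on close.
        evtx_file.open_file_object(file_object)
        evtx_file.close()

        # Test open_file_object and close and dereferencing file_object.
        evtx_file.open_file_object(file_object)
        del file_object
        evtx_file.close()

  def test_set_ascii_codepage(self):
    """Tests the set_ascii_codepage function."""
    supported_codepages = (
        "ascii", "cp874", "cp932", "cp936", "cp949", "cp950", "cp1250",
        "cp1251", "cp1252", "cp1253", "cp1254", "cp1255", "cp1256", "cp1257",
        "cp1258")

    evtx_file = pyevtx.file()

    for codepage in supported_codepages:
      evtx_file.set_ascii_codepage(codepage)

    unsupported_codepages = (
        "iso-8859-1", "iso-8859-2", "iso-8859-3", "iso-8859-4", "iso-8859-5",
        "iso-8859-6", "iso-8859-7", "iso-8859-8", "iso-8859-9", "iso-8859-10",
        "iso-8859-11", "iso-8859-13", "iso-8859-14", "iso-8859-15",
        "iso-8859-16", "koi8_r", "koi8_u")

    # A codepage outside the supported set must be rejected.
    for codepage in unsupported_codepages:
      with self.assertRaises(RuntimeError):
        evtx_file.set_ascii_codepage(codepage)

  def test_get_ascii_codepage(self):
    """Tests the get_ascii_codepage function and ascii_codepage property."""
    test_source = getattr(unittest, "source", None)
    if not test_source:
      raise unittest.SkipTest("missing source")

    evtx_file = pyevtx.file()

    evtx_file.open(test_source)

    ascii_codepage = evtx_file.get_ascii_codepage()
    self.assertIsNotNone(ascii_codepage)

    self.assertIsNotNone(evtx_file.ascii_codepage)

    evtx_file.close()

  def test_get_number_of_records(self):
    """Tests the get_number_of_records function and number_of_records property."""
    test_source = getattr(unittest, "source", None)
    if not test_source:
      raise unittest.SkipTest("missing source")

    evtx_file = pyevtx.file()

    evtx_file.open(test_source)

    number_of_records = evtx_file.get_number_of_records()
    self.assertIsNotNone(number_of_records)

    self.assertIsNotNone(evtx_file.number_of_records)

    evtx_file.close()

  def test_get_number_of_recovered_records(self):
    """Tests the get_number_of_recovered_records function and number_of_recovered_records property."""
    test_source = getattr(unittest, "source", None)
    if not test_source:
      raise unittest.SkipTest("missing source")

    evtx_file = pyevtx.file()

    evtx_file.open(test_source)

    number_of_recovered_records = evtx_file.get_number_of_recovered_records()
    self.assertIsNotNone(number_of_recovered_records)

    self.assertIsNotNone(evtx_file.number_of_recovered_records)

    evtx_file.close()


if __name__ == "__main__":
  argument_parser = argparse.ArgumentParser()

  argument_parser.add_argument(
      "source", nargs="?", action="store", metavar="PATH",
      default=None, help="path of the source file.")

  # Arguments the parser does not know are handed on to unittest.main.
  options, unknown_options = argument_parser.parse_known_args()
  unknown_options.insert(0, sys.argv[0])

  setattr(unittest, "source", options.source)

  unittest.main(argv=unknown_options, verbosity=2)

================================================
FILE: tests/pyevtx_test_support.py
================================================
#!/usr/bin/env python
#
# Python-bindings support functions test script
#
# Copyright (C) 2011-2025, Joachim Metz
#
# Refer to AUTHORS for acknowledgements.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.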
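# See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with this program. If not, see .

import argparse
import os
import sys
import unittest

import pyevtx


class SupportFunctionsTests(unittest.TestCase):
  """Tests the support functions.

  The path of the EVTX file under test is read from the "source" attribute
  that the script entry point (or tests/runtests.py) sets on the unittest
  module. Tests that need a file are skipped when it is missing.
  """

  def test_get_version(self):
    """Tests the get_version function."""
    version = pyevtx.get_version()
    self.assertIsNotNone(version)

  def test_check_file_signature(self):
    """Tests the check_file_signature function."""
    test_source = getattr(unittest, "source", None)
    if not test_source:
      raise unittest.SkipTest("missing source")

    result = pyevtx.check_file_signature(test_source)
    self.assertTrue(result)

  def test_check_file_signature_file_object(self):
    """Tests the check_file_signature_file_object function."""
    test_source = getattr(unittest, "source", None)
    if not test_source:
      raise unittest.SkipTest("missing source")

    if not os.path.isfile(test_source):
      raise unittest.SkipTest("source not a regular file")

    with open(test_source, "rb") as file_object:
      result = pyevtx.check_file_signature_file_object(file_object)
      self.assertTrue(result)

  def test_open(self):
    """Tests the open function."""
    test_source = getattr(unittest, "source", None)
    if not test_source:
      raise unittest.SkipTest("missing source")

    evtx_file = pyevtx.open(test_source)
    self.assertIsNotNone(evtx_file)

    evtx_file.close()

    with self.assertRaises(TypeError):
      pyevtx.open(None)

    # Only read access is supported.
    with self.assertRaises(ValueError):
      pyevtx.open(test_source, mode="w")

  def test_open_file_object(self):
    """Tests the open_file_object function."""
    test_source = getattr(unittest, "source", None)
    if not test_source:
      raise unittest.SkipTest("missing source")

    if not os.path.isfile(test_source):
      raise unittest.SkipTest("source not a regular file")

    with open(test_source, "rb") as file_object:
      evtx_file = pyevtx.open_file_object(file_object)
      self.assertIsNotNone(evtx_file)

      evtx_file.close()

      with self.assertRaises(TypeError):
        pyevtx.open_file_object(None)

      with self.assertRaises(ValueError):
        pyevtx.open_file_object(file_object, mode="w")


if __name__ == "__main__":
  argument_parser = argparse.ArgumentParser()

  argument_parser.add_argument(
      "source", nargs="?", action="store", metavar="PATH",
      default=None, help="path of the source file.")

  # Arguments the parser does not know are handed on to unittest.main.
  options, unknown_options = argument_parser.parse_known_args()
  unknown_options.insert(0, sys.argv[0])

  setattr(unittest, "source", options.source)

  unittest.main(argv=unknown_options, verbosity=2)

================================================
FILE: tests/runtests.py
================================================
#!/usr/bin/env python
#
# Script to run Python test scripts.
#
# Version: 20231024

import glob
import os
import sys
import unittest


test_profile = ".pyevtx"
input_glob = "*"
option_sets = []


def ReadIgnoreList(test_profile):
  """Reads the test profile ignore file if it exists.

  The file is looked up as tests/input/<test_profile>/ignore and every line
  is stripped of surrounding whitespace.

  Args:
    test_profile (str): test profile.

  Returns:
    set[str]: ignore list, empty when the ignore file does not exist.
  """
  ignore_file_path = os.path.join("tests", "input", test_profile, "ignore")
  if os.path.isfile(ignore_file_path):
    with open(ignore_file_path, "r", encoding="utf-8") as file_object:
      return {line.strip() for line in file_object}

  return set()


if __name__ == "__main__":
  print(f"Using Python version {sys.version!s}")

  test_loader = unittest.TestLoader()
  test_runner = unittest.TextTestRunner(verbosity=2)

  test_scripts = test_loader.discover("tests", pattern="*.py")

  ignore_list = ReadIgnoreList(test_profile)

  test_set = None
  source_file = None

  # Use the first file of the first test set that is not hidden or ignored.
  for test_set in glob.glob(os.path.join("tests", "input", "*")):
    test_set = test_set.rsplit(os.path.sep, maxsplit=1)[-1]
    if not test_set or test_set[0] == '.' or test_set in ignore_list:
      continue

    source_files = glob.glob(os.path.join(
        "tests", "input", test_set, input_glob))
    if source_files:
      source_file = source_files[0]
      break

  # The test scripts read the source path back from the unittest module.
  setattr(unittest, "source", source_file)

  if source_file:
    for option_set in option_sets:
      test_file = os.path.basename(source_file)
      test_options_file_path = os.path.join(
          "tests", "input", test_profile, test_set,
          f"{test_file:s}.{option_set:s}")
      if os.path.isfile(test_options_file_path):
        with open(test_options_file_path, "r", encoding="utf-8") as file_object:
          lines = [line.strip() for line in file_object.readlines()]
          # An empty options file has no header line to compare.
          if lines and lines[0] == "# libyal test data options":
            for line in lines[1:]:
              # Skip blank or malformed lines instead of failing the unpack.
              if "=" not in line:
                continue

              key, value = line.split("=", maxsplit=1)
              if key == 'offset':
                value = int(value)

              # NOTE(review): the key comes from a data file and becomes an
              # attribute name on the unittest module, so an options file can
              # replace existing unittest attributes; keep these files under
              # the same review as the test code.
              setattr(unittest, key, value)

  test_results = test_runner.run(test_scripts)
  if not test_results.wasSuccessful():
    sys.exit(1)

================================================
FILE: tests/runtests.sh
================================================
#!/bin/sh
# Script to run tests
#
# Version: 20201121

# Point the Python module at the library in the build tree instead of the one
# under /usr/local/lib. The ${PWD} expansions are quoted so a working directory
# containing whitespace stays one argument.
if test -f "${PWD}/libevtx/.libs/libevtx.1.dylib" && test -f ./pyevtx/.libs/pyevtx.so; then
	install_name_tool -change /usr/local/lib/libevtx.1.dylib "${PWD}/libevtx/.libs/libevtx.1.dylib" ./pyevtx/.libs/pyevtx.so;
fi

make check CHECK_WITH_STDERR=1;
RESULT=$?;

# Show the collected log when the test suite failed.
if test ${RESULT} -ne 0 && test -f tests/test-suite.log; then
	cat tests/test-suite.log;
fi
exit ${RESULT};

================================================
FILE: tests/syncsharedlibs.sh
================================================
#!/bin/sh
# Script that synchronizes the shared library dependencies
#
# Version: 20201121

EXIT_SUCCESS=0;
EXIT_FAILURE=1;

GIT_URL_PREFIX="https://github.com/libyal";
SHARED_LIBS="libcerror libcthreads libcdata libclocale libcnotify libcsplit libuna libcfile libcpath libbfio libfcache libfdata libfdatetime libfguid libfwevt libfwnt libfvalue";

USE_HEAD="";

if test "$1" = "--use-head"; then
	USE_HEAD="--use-head";
fi

OLDIFS=$IFS;
IFS=" ";

for SHARED_LIB in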
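${SHARED_LIBS}; do
	GIT_URL="${GIT_URL_PREFIX}/${SHARED_LIB}.git";

	# NOTE(review): every dependency is built and installed as root from
	# whatever its latest tag (or HEAD with --use-head) resolves to at run
	# time; nothing here pins a commit or verifies a signature, so pin or
	# verify where the integrity of the host matters. The result of the
	# configure/make/install chain further down is not checked either: a
	# failed build still ends in EXIT_SUCCESS.
	git clone --quiet "${GIT_URL}" "${SHARED_LIB}-$$";

	if ! test -d "${SHARED_LIB}-$$"; then
		echo "Unable to git clone: ${GIT_URL}";

		IFS=$OLDIFS;

		exit ${EXIT_FAILURE};
	fi
	(cd "${SHARED_LIB}-$$" && git fetch --quiet --all --tags --prune)

	LATEST_TAG=`cd "${SHARED_LIB}-$$" && git describe --tags --abbrev=0`;

	# Both operands are quoted: an unquoted empty expansion leaves test with
	# a single argument, which is always true, so a repository without tags
	# would take the tag branch and try to check out "tags/".
	if test -n "${LATEST_TAG}" && test -z "${USE_HEAD}"; then
		echo "Synchronizing: ${SHARED_LIB} from ${GIT_URL} tag ${LATEST_TAG}";

		(cd "${SHARED_LIB}-$$" && git checkout --quiet "tags/${LATEST_TAG}");
	else
		echo "Synchronizing: ${SHARED_LIB} from ${GIT_URL} HEAD";
	fi

	# USE_HEAD and CONFIGURE_OPTIONS stay unquoted on purpose so that an
	# empty value adds no argument.
	(cd "${SHARED_LIB}-$$" && ./synclibs.sh ${USE_HEAD} && ./autogen.sh);

	CONFIGURE_OPTIONS="";

	(cd "${SHARED_LIB}-$$" && ./configure --help | grep -- '--enable-wide-character-type' > /dev/null);

	if test $? -eq 0; then
		CONFIGURE_OPTIONS="${CONFIGURE_OPTIONS} --enable-wide-character-type";
	fi

	(cd "${SHARED_LIB}-$$" && ./configure --prefix=/usr ${CONFIGURE_OPTIONS} && make && sudo make install);

	rm -rf "${SHARED_LIB}-$$";
done

IFS=$OLDIFS;

exit ${EXIT_SUCCESS};

================================================
FILE: tests/test_evtxexport.sh
================================================
#!/usr/bin/env bash
# Export tool testing script
#
# Version: 20240413

EXIT_SUCCESS=0;
EXIT_FAILURE=1;
EXIT_IGNORE=77;

# One test profile per output mode; OPTIONS_PER_PROFILE holds the matching
# command line options at the same index.
PROFILES=("evtxexport" "evtxexport_xml");
OPTIONS_PER_PROFILE=("" "-fxml");
OPTION_SETS=();

INPUT_GLOB="*";

if test -n "${SKIP_TOOLS_TESTS}" || test -n "${SKIP_TOOLS_END_TO_END_TESTS}"; then
	exit ${EXIT_IGNORE};
fi

TEST_EXECUTABLE="../evtxtools/evtxexport";

if ! test -x "${TEST_EXECUTABLE}"; then
	TEST_EXECUTABLE="../evtxtools/evtxexport.exe";
fi

if ! test -x "${TEST_EXECUTABLE}"; then
	echo "Missing test executable: ${TEST_EXECUTABLE}";

	exit ${EXIT_FAILURE};
fi

TEST_DIRECTORY=`dirname $0`;

TEST_RUNNER="${TEST_DIRECTORY}/test_runner.sh";

if ! test -f "${TEST_RUNNER}"; then
	echo "Missing test runner: ${TEST_RUNNER}";

	exit ${EXIT_FAILURE};
fi

# The helper functions called below are not defined in this script; they
# presumably come from the sourced test runner.
source ${TEST_RUNNER};

if ! test -d "input"; then
	echo "Test input directory not found.";

	exit ${EXIT_IGNORE};
fi
RESULT=`ls input/* | tr ' ' '\n' | wc -l`;

# RESULT holds a count here; EXIT_SUCCESS is used for its value 0.
if test ${RESULT} -eq ${EXIT_SUCCESS}; then
	echo "No files or directories found in the test input directory";

	exit ${EXIT_IGNORE};
fi

for PROFILE_INDEX in ${!PROFILES[*]}; do
	TEST_PROFILE=${PROFILES[${PROFILE_INDEX}]};

	TEST_PROFILE_DIRECTORY=$(get_test_profile_directory "input" "${TEST_PROFILE}");

	IGNORE_LIST=$(read_ignore_list "${TEST_PROFILE_DIRECTORY}");

	IFS=" " read -a PROFILE_OPTIONS <<< ${OPTIONS_PER_PROFILE[${PROFILE_INDEX}]};

	RESULT=${EXIT_SUCCESS};

	for TEST_SET_INPUT_DIRECTORY in input/*; do
		if ! test -d "${TEST_SET_INPUT_DIRECTORY}"; then
			continue;
		fi
		TEST_SET=`basename ${TEST_SET_INPUT_DIRECTORY}`;

		if check_for_test_set_in_ignore_list "${TEST_SET}" "${IGNORE_LIST}"; then
			continue;
		fi
		TEST_SET_DIRECTORY=$(get_test_set_directory "${TEST_PROFILE_DIRECTORY}" "${TEST_SET_INPUT_DIRECTORY}");

		RESULT=${EXIT_SUCCESS};

		# An optional "files" list selects the inputs of the test set;
		# without it every entry matching INPUT_GLOB is used.
		if test -f "${TEST_SET_DIRECTORY}/files"; then
			IFS="" read -a INPUT_FILES <<< $(cat ${TEST_SET_DIRECTORY}/files | sed "s?^?${TEST_SET_INPUT_DIRECTORY}/?");
		else
			IFS="" read -a INPUT_FILES <<< $(ls -1d ${TEST_SET_INPUT_DIRECTORY}/${INPUT_GLOB});
		fi
		for INPUT_FILE in "${INPUT_FILES[@]}"; do
			TESTED_WITH_OPTIONS=0;

			for OPTION_SET in ${OPTION_SETS[@]}; do
				TEST_DATA_OPTION_FILE=$(get_test_data_option_file "${TEST_SET_DIRECTORY}" "${INPUT_FILE}" "${OPTION_SET}");

				if test -f ${TEST_DATA_OPTION_FILE}; then
					TESTED_WITH_OPTIONS=1;

					IFS=" " read -a OPTIONS <<< $(read_test_data_option_file "${TEST_SET_DIRECTORY}" "${INPUT_FILE}" "${OPTION_SET}");

					run_test_on_input_file "${TEST_SET_DIRECTORY}" "evtxexport" "with_stdout_reference" "${OPTION_SET}" "${TEST_EXECUTABLE}" "${INPUT_FILE}" "${PROFILE_OPTIONS[@]}" "${OPTIONS[@]}";
					RESULT=$?;

					if test ${RESULT} -ne ${EXIT_SUCCESS}; then
						break;
					fi
				fi
			done

			# Run once without an option set when none applied.
			if test ${TESTED_WITH_OPTIONS} -eq 0; then
				run_test_on_input_file "${TEST_SET_DIRECTORY}" "evtxexport" "with_stdout_reference" "" "${TEST_EXECUTABLE}" "${INPUT_FILE}" "${PROFILE_OPTIONS[@]}";
				RESULT=$?;
			fi

			if test ${RESULT} -ne ${EXIT_SUCCESS}; then
				break;
			fi
		done

		# Ignore failures due to corrupted data.
		# NOTE(review): this resets every non-zero result of the "corrupted"
		# set, so as far as this script shows an abnormal termination of the
		# tool on malformed input is masked as well - confirm that crashes
		# on such input are caught elsewhere.
		if test "${TEST_SET}" = "corrupted"; then
			RESULT=${EXIT_SUCCESS};
		fi
		if test ${RESULT} -ne ${EXIT_SUCCESS}; then
			break;
		fi
	done
done

exit ${RESULT};

================================================
FILE: tests/test_evtxinfo.ps1
================================================
# Info tool testing script
#
# Version: 20230410

$ExitSuccess = 0
$ExitFailure = 1
$ExitIgnore = 77

$Profiles = @("evtxinfo")
$OptionsPerProfile = @("")
$OptionSets = ""

$InputGlob = "*"

# Returns the first existing Visual Studio output directory, trying each
# solution directory with the Release and VSDebug configurations and the
# Win32 and x64 platforms. When none exists the last candidate is returned,
# so the caller has to check the path.
Function GetTestExecutablesDirectory
{
	$TestExecutablesDirectory = ""

	ForEach (${VSDirectory} in ("msvscpp", "vs2008", "vs2010", "vs2012", "vs2013", "vs2015", "vs2017", "vs2019", "vs2022"))
	{
		ForEach (${VSConfiguration} in ("Release", "VSDebug"))
		{
			ForEach (${VSPlatform} in ("Win32", "x64"))
			{
				$TestExecutablesDirectory = "..\${VSDirectory}\${VSConfiguration}\${VSPlatform}"

				If (Test-Path ${TestExecutablesDirectory})
				{
					Return ${TestExecutablesDirectory}
				}
			}
			$TestExecutablesDirectory = "..\${VSDirectory}\${VSConfiguration}"

			If (Test-Path ${TestExecutablesDirectory})
			{
				Return ${TestExecutablesDirectory}
			}
		}
	}
	Return ${TestExecutablesDirectory}
}

# Returns the lines of the "ignore" file in the test profile directory that
# do not start with '#', or an empty string when the file does not exist.
Function ReadIgnoreList
{
	param( [string]$TestProfileDirectory )

	$IgnoreFile = "${TestProfileDirectory}\ignore"
	$IgnoreList = ""

	If (Test-Path -Path ${IgnoreFile} -PathType "Leaf")
	{
		$IgnoreList = Get-Content -Path ${IgnoreFile} | Where {$_ -notmatch '^#.*'}
	}
	Return $IgnoreList
}

$TestExecutablesDirectory = GetTestExecutablesDirectory

If (-Not (Test-Path ${TestExecutablesDirectory}))
{
	Write-Host "Missing test executables directory."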
-foreground Red Exit ${ExitFailure} } $TestExecutable = "${TestExecutablesDirectory}\evtxinfo.exe" If (-Not (Test-Path -Path "input")) { Exit ${ExitIgnore} } $Result = ${ExitSuccess} For ($ProfileIndex = 0; $ProfileIndex -le ($Profiles.length - 1); $ProfileIndex += 1) { $TestProfile = $Profiles[$ProfileIndex] $Options = $OptionsPerProfile[$ProfileIndex] $TestProfileDirectory = "input\.${TestProfile}" If (-Not (Test-Path -Path ${TestProfileDirectory} -PathType "Container")) { New-Item -ItemType "directory" -Path ${TestProfileDirectory} | Out-Null } $IgnoreList = ReadIgnoreList ${TestProfileDirectory} # Note that the trailing backtick is needed. Get-ChildItem -Path "input" -Exclude ".*" | ForEach-Object ` { $TestSetDirectory = $_ If (-Not (Test-Path -Path ${TestSetDirectory} -PathType Container)) { Continue } $TestSetName = ${TestSetDirectory}.Name If (${IgnoreList}.Contains(${TestSetName})) { Continue } If (-Not (Test-Path -Path "${TestProfileDirectory}\${TestSetName}" -PathType Container)) { New-Item -Name "${TestProfileDirectory}\${TestSetName}" -ItemType "directory" | Out-Null } If (Test-Path -Path "${TestProfileDirectory}\${TestSetName}\files" -PathType Container) { $InputFiles = Get-content -Path "${TestProfileDirectory}\${TestSetName}\files" } Else { $InputFiles = Get-ChildItem -Path "${TestSetDirectory}\${InputGlob}" } ForEach ($InputFile in ${InputFiles}) { $InputFileName = ${InputFile}.Name $TestedWithOptions = $False $TmpDir = "tmp${PID}" New-Item -Name ${TmpDir} -ItemType "directory" | Out-Null Push-Location ${TmpDir} Try { ForEach ($OptionSet in ${OptionSets} -split " ") { $TestDataOptionFile = "..\${TestProfileDirectory}\${TestSetName}\${InputFileName}.${OptionSet}" If (-Not (Test-Path -Path "${TestDataOptionFile}" -PathType "Leaf")) { Continue } $InputOptions = Get-content -Path "${TestDataOptionFile}" -First 1 $TestLog = "${InputFileName}-${OptionSet}.log" Invoke-Expression "..\${TestExecutable} ${Options} ${InputOptions} ${InputFile} > ${TestLog}" 
$Result = $LastExitCode If (${Result} -ne ${ExitSuccess}) { Break } $TestedWithOptions = $True } If ((${Result} -eq ${ExitSuccess}) -And (-Not (${TestedWithOptions}))) { $TestLog = "${InputFileName}.log" Invoke-Expression "..\${TestExecutable} ${Options} ${InputFile} > ${TestLog}" $Result = $LastExitCode } If (${Result} -eq ${ExitSuccess}) { # Strip header with version. (Get-Content ${TestLog} | Select-Object -Skip 2) | Set-Content ${TestLog} $StoredTestLog = "..\${TestProfileDirectory}\${TestSetName}\${TestLog}" If (Test-Path -Path ${StoredTestLog} -PathType "Leaf") { $Difference = Compare-Object -ReferenceObject (Get-Content -Path ${StoredTestLog}) -DifferenceObject (Get-Content -Path ${TestLog}) If (${Difference}) { $Result = ${ExitFailure} } } Else { Move-Item -Path ${TestLog} -Destination ${StoredTestLog} } } } Finally { Pop-Location Remove-Item ${TmpDir} -Force -Recurse } } If (${Result} -ne ${ExitSuccess}) { Break } } } Exit ${Result} ================================================ FILE: tests/test_evtxinfo.sh ================================================ #!/usr/bin/env bash # Info tool testing script # # Version: 20240413 EXIT_SUCCESS=0; EXIT_FAILURE=1; EXIT_IGNORE=77; PROFILES=("evtxinfo"); OPTIONS_PER_PROFILE=(""); OPTION_SETS=(); INPUT_GLOB="*"; if test -n "${SKIP_TOOLS_TESTS}" || test -n "${SKIP_TOOLS_END_TO_END_TESTS}"; then exit ${EXIT_IGNORE}; fi TEST_EXECUTABLE="../evtxtools/evtxinfo"; if ! test -x "${TEST_EXECUTABLE}"; then TEST_EXECUTABLE="../evtxtools/evtxinfo.exe"; fi if ! test -x "${TEST_EXECUTABLE}"; then echo "Missing test executable: ${TEST_EXECUTABLE}"; exit ${EXIT_FAILURE}; fi TEST_DIRECTORY=`dirname $0`; TEST_RUNNER="${TEST_DIRECTORY}/test_runner.sh"; if ! test -f "${TEST_RUNNER}"; then echo "Missing test runner: ${TEST_RUNNER}"; exit ${EXIT_FAILURE}; fi source ${TEST_RUNNER}; if ! 
test -d "input"; then echo "Test input directory not found."; exit ${EXIT_IGNORE}; fi RESULT=`ls input/* | tr ' ' '\n' | wc -l`; if test ${RESULT} -eq ${EXIT_SUCCESS}; then echo "No files or directories found in the test input directory"; exit ${EXIT_IGNORE}; fi for PROFILE_INDEX in ${!PROFILES[*]}; do TEST_PROFILE=${PROFILES[${PROFILE_INDEX}]}; TEST_PROFILE_DIRECTORY=$(get_test_profile_directory "input" "${TEST_PROFILE}"); IGNORE_LIST=$(read_ignore_list "${TEST_PROFILE_DIRECTORY}"); IFS=" " read -a PROFILE_OPTIONS <<< ${OPTIONS_PER_PROFILE[${PROFILE_INDEX}]}; RESULT=${EXIT_SUCCESS}; for TEST_SET_INPUT_DIRECTORY in input/*; do if ! test -d "${TEST_SET_INPUT_DIRECTORY}"; then continue; fi TEST_SET=`basename ${TEST_SET_INPUT_DIRECTORY}`; if check_for_test_set_in_ignore_list "${TEST_SET}" "${IGNORE_LIST}"; then continue; fi TEST_SET_DIRECTORY=$(get_test_set_directory "${TEST_PROFILE_DIRECTORY}" "${TEST_SET_INPUT_DIRECTORY}"); RESULT=${EXIT_SUCCESS}; if test -f "${TEST_SET_DIRECTORY}/files"; then IFS="" read -a INPUT_FILES <<< $(cat ${TEST_SET_DIRECTORY}/files | sed "s?^?${TEST_SET_INPUT_DIRECTORY}/?"); else IFS="" read -a INPUT_FILES <<< $(ls -1d ${TEST_SET_INPUT_DIRECTORY}/${INPUT_GLOB}); fi for INPUT_FILE in "${INPUT_FILES[@]}"; do TESTED_WITH_OPTIONS=0; for OPTION_SET in ${OPTION_SETS[@]}; do TEST_DATA_OPTION_FILE=$(get_test_data_option_file "${TEST_SET_DIRECTORY}" "${INPUT_FILE}" "${OPTION_SET}"); if test -f ${TEST_DATA_OPTION_FILE}; then TESTED_WITH_OPTIONS=1; IFS=" " read -a OPTIONS <<< $(read_test_data_option_file "${TEST_SET_DIRECTORY}" "${INPUT_FILE}" "${OPTION_SET}"); run_test_on_input_file "${TEST_SET_DIRECTORY}" "evtxinfo" "with_stdout_reference" "${OPTION_SET}" "${TEST_EXECUTABLE}" "${INPUT_FILE}" "${PROFILE_OPTIONS[@]}" "${OPTIONS[@]}"; RESULT=$?; if test ${RESULT} -ne ${EXIT_SUCCESS}; then break; fi fi done if test ${TESTED_WITH_OPTIONS} -eq 0; then run_test_on_input_file "${TEST_SET_DIRECTORY}" "evtxinfo" "with_stdout_reference" "" "${TEST_EXECUTABLE}" 
"${INPUT_FILE}" "${PROFILE_OPTIONS[@]}"; RESULT=$?; fi if test ${RESULT} -ne ${EXIT_SUCCESS}; then break; fi done # Ignore failures due to corrupted data. if test "${TEST_SET}" = "corrupted"; then RESULT=${EXIT_SUCCESS}; fi if test ${RESULT} -ne ${EXIT_SUCCESS}; then break; fi done done exit ${RESULT}; ================================================ FILE: tests/test_library.ps1 ================================================ # Tests library functions and types. # # Version: 20230410 $ExitSuccess = 0 $ExitFailure = 1 $ExitIgnore = 77 $LibraryTests = "chunk chunks_table error io_handle notify record record_values template_definition" $LibraryTestsWithInput = "file support" $OptionSets = "" $InputGlob = "*" Function GetTestExecutablesDirectory { $TestExecutablesDirectory = "" ForEach (${VSDirectory} in ("msvscpp", "vs2008", "vs2010", "vs2012", "vs2013", "vs2015", "vs2017", "vs2019", "vs2022")) { ForEach (${VSConfiguration} in ("Release", "VSDebug")) { ForEach (${VSPlatform} in ("Win32", "x64")) { $TestExecutablesDirectory = "..\${VSDirectory}\${VSConfiguration}\${VSPlatform}" If (Test-Path ${TestExecutablesDirectory}) { Return ${TestExecutablesDirectory} } } $TestExecutablesDirectory = "..\${VSDirectory}\${VSConfiguration}" If (Test-Path ${TestExecutablesDirectory}) { Return ${TestExecutablesDirectory} } } } Return ${TestExecutablesDirectory} } Function ReadIgnoreList { param( [string]$TestProfileDirectory ) $IgnoreFile = "${TestProfileDirectory}\ignore" $IgnoreList = "" If (Test-Path -Path ${IgnoreFile} -PathType "Leaf") { $IgnoreList = Get-Content -Path ${IgnoreFile} | Where {$_ -notmatch '^#.*'} } Return $IgnoreList } Function RunTest { param( [string]$TestType ) $TestDescription = "Testing: ${TestName}" $TestExecutable = "${TestExecutablesDirectory}\evtx_test_${TestName}.exe" If (-Not (Test-Path -Path ${TestExecutable} -PathType "Leaf")) { Write-Host "${TestDescription} (" -nonewline Write-Host "SKIP" -foreground Cyan -nonewline Write-Host ")" Return 
${ExitIgnore} } $Output = Invoke-Expression ${TestExecutable} $Result = ${LastExitCode} If (${Result} -ne ${ExitSuccess}) { Write-Host ${Output} -foreground Red } Write-Host "${TestDescription} (" -nonewline If (${Result} -ne ${ExitSuccess}) { Write-Host "FAIL" -foreground Red -nonewline } Else { Write-Host "PASS" -foreground Green -nonewline } Write-Host ")" Return ${Result} } Function RunTestWithInput { param( [string]$TestType ) $TestDescription = "Testing: ${TestName}" $TestExecutable = "${TestExecutablesDirectory}\evtx_test_${TestName}.exe" If (-Not (Test-Path -Path ${TestExecutable} -PathType "Leaf")) { Write-Host "${TestDescription} (" -nonewline Write-Host "SKIP" -foreground Cyan -nonewline Write-Host ")" Return ${ExitIgnore} } $TestProfileDirectory = "input\.libevtx" If (-Not (Test-Path -Path ${TestProfileDirectory} -PathType "Container")) { New-Item -ItemType "directory" -Path ${TestProfileDirectory} } $IgnoreList = ReadIgnoreList ${TestProfileDirectory} $Result = ${ExitSuccess} ForEach ($TestSetInputDirectory in Get-ChildItem -Path "input" -Exclude ".*") { If (-Not (Test-Path -Path ${TestSetInputDirectory} -PathType "Container")) { Continue } If (${TestSetInputDirectory} -Contains ${IgnoreList}) { Continue } $TestSetName = ${TestSetInputDirectory}.Name If (Test-Path -Path "${TestProfileDirectory}\${TestSetName}\files" -PathType "Leaf") { $InputFiles = Get-Content -Path "${TestProfileDirectory}\${TestSetName}\files" | Where {$_ -ne ""} } Else { $InputFiles = Get-ChildItem -Path ${TestSetInputDirectory} -Include ${InputGlob} } ForEach ($InputFile in ${InputFiles}) { $TestedWithOptions = $False ForEach ($OptionSet in ${OptionSets} -split " ") { $InputFileName = ${InputFile}.Name $TestDataOptionFile = "${TestProfileDirectory}\${TestSetName}\${InputFileName}.${OptionSet}" If (-Not (Test-Path -Path "${TestDataOptionFile}" -PathType "Leaf")) { Continue } $InputOptions = Get-content -Path "${TestDataOptionFile}" -First 1 $Output = Invoke-Expression 
"${TestExecutable} ${InputOptions} ${InputFile}" $Result = $LastExitCode If (${Result} -ne ${ExitSuccess}) { Break } $TestedWithOptions = $True } If ((${Result} -eq ${ExitSuccess}) -And (-Not (${TestedWithOptions}))) { $Output = Invoke-Expression "${TestExecutable} ${InputFile}" $Result = ${LastExitCode} } If (${Result} -ne ${ExitSuccess}) { Break } } If (${Result} -ne ${ExitSuccess}) { Break } } If (${Result} -ne ${ExitSuccess}) { Write-Host ${Output} -foreground Red } Write-Host "${TestDescription} (" -nonewline If (${Result} -ne ${ExitSuccess}) { Write-Host "FAIL" -foreground Red -nonewline } Else { Write-Host "PASS" -foreground Green -nonewline } Write-Host ")" Return ${Result} } $TestExecutablesDirectory = GetTestExecutablesDirectory If (-Not (Test-Path ${TestExecutablesDirectory})) { Write-Host "Missing test executables directory." -foreground Red Exit ${ExitFailure} } $Result = ${ExitIgnore} Foreach (${TestName} in ${LibraryTests} -split " ") { # Split will return an array of a single empty string when LibraryTests is empty. If (-Not (${TestName})) { Continue } $Result = RunTest ${TestName} If ((${Result} -ne ${ExitSuccess}) -And (${Result} -ne ${ExitIgnore})) { Break } } Foreach (${TestName} in ${LibraryTestsWithInput} -split " ") { # Split will return an array of a single empty string when LibraryTestsWithInput is empty. If (-Not (${TestName})) { Continue } If (Test-Path -Path "input" -PathType "Container") { $Result = RunTestWithInput ${TestName} } Else { $Result = RunTest ${TestName} } If ((${Result} -ne ${ExitSuccess}) -And (${Result} -ne ${ExitIgnore})) { Break } } Exit ${Result} ================================================ FILE: tests/test_library.sh ================================================ #!/usr/bin/env bash # Tests library functions and types. 
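#
# Version: 20240413

EXIT_SUCCESS=0;
EXIT_FAILURE=1;
EXIT_IGNORE=77;

LIBRARY_TESTS="chunk chunks_table error io_handle notify record record_values template_definition";
LIBRARY_TESTS_WITH_INPUT="file support";
OPTION_SETS=();

INPUT_GLOB="*";

# Runs a library test executable without an input file.
#
# Arguments:
#   a string containing the name of the test
#
# Returns:
#   an integer containing the exit status of run_test_with_arguments
#
run_test()
{
	local TEST_NAME=$1;

	local TEST_DESCRIPTION="Testing: ${TEST_NAME}";
	local TEST_EXECUTABLE="./evtx_test_${TEST_NAME}";

	# Fall back to the .exe variant when the plain name is not executable.
	if ! test -x "${TEST_EXECUTABLE}";
	then
		TEST_EXECUTABLE="${TEST_EXECUTABLE}.exe";
	fi

	# TODO: add support for TEST_PROFILE and OPTION_SETS?
	run_test_with_arguments "${TEST_DESCRIPTION}" "${TEST_EXECUTABLE}";
	local RESULT=$?;

	return ${RESULT};
}

# Runs a library test executable on the input files of every test set
# directory found in the "input" directory.
#
# Arguments:
#   a string containing the name of the test
#
# Returns:
#   an integer containing EXIT_IGNORE when there is no usable input,
#   otherwise the exit status of the last test that was run
#
run_test_with_input()
{
	local TEST_NAME=$1;

	local TEST_DESCRIPTION="Testing: ${TEST_NAME}";
	local TEST_EXECUTABLE="./evtx_test_${TEST_NAME}";

	if ! test -x "${TEST_EXECUTABLE}";
	then
		TEST_EXECUTABLE="${TEST_EXECUTABLE}.exe";
	fi

	if ! test -d "input";
	then
		echo "Test input directory not found.";

		return ${EXIT_IGNORE};
	fi
	# RESULT temporarily holds the number of entries found, 0 means no input.
	local RESULT=`ls input/* | tr ' ' '\n' | wc -l`;

	if test ${RESULT} -eq ${EXIT_SUCCESS};
	then
		echo "No files or directories found in the test input directory";

		return ${EXIT_IGNORE};
	fi

	local TEST_PROFILE_DIRECTORY=$(get_test_profile_directory "input" "libevtx");

	local IGNORE_LIST=$(read_ignore_list "${TEST_PROFILE_DIRECTORY}");

	RESULT=${EXIT_SUCCESS};

	for TEST_SET_INPUT_DIRECTORY in input/*;
	do
		if ! test -d "${TEST_SET_INPUT_DIRECTORY}";
		then
			continue;
		fi
		if check_for_directory_in_ignore_list "${TEST_SET_INPUT_DIRECTORY}" "${IGNORE_LIST}";
		then
			continue;
		fi

		local TEST_SET_DIRECTORY=$(get_test_set_directory "${TEST_PROFILE_DIRECTORY}" "${TEST_SET_INPUT_DIRECTORY}");

		# A "files" list in the test set directory takes precedence over the glob.
		if test -f "${TEST_SET_DIRECTORY}/files";
		then
			IFS="" read -a INPUT_FILES <<< $(cat ${TEST_SET_DIRECTORY}/files | sed "s?^?${TEST_SET_INPUT_DIRECTORY}/?");
		else
			IFS="" read -a INPUT_FILES <<< $(ls -1d ${TEST_SET_INPUT_DIRECTORY}/${INPUT_GLOB});
		fi
		for INPUT_FILE in "${INPUT_FILES[@]}";
		do
			# The option file lookup keeps using the unconverted path.
			OPTION_INPUT_FILE="${INPUT_FILE}";

			if test "${OSTYPE}" = "msys";
			then
				# A test executable built with MinGW expects a Windows path.
				INPUT_FILE=`echo "${INPUT_FILE}" | sed 's?/?\\\\?g'`;
			fi
			local TESTED_WITH_OPTIONS=0;

			for OPTION_SET in ${OPTION_SETS[@]};
			do
				local TEST_DATA_OPTION_FILE=$(get_test_data_option_file "${TEST_SET_DIRECTORY}" "${OPTION_INPUT_FILE}" "${OPTION_SET}");

				# Quoted so that a path containing spaces is tested as one operand.
				if test -f "${TEST_DATA_OPTION_FILE}";
				then
					TESTED_WITH_OPTIONS=1;

					# The options are split into an array and passed as separate
					# arguments, they are not evaluated by the shell.
					IFS=" " read -a OPTIONS <<< $(read_test_data_option_file "${TEST_SET_DIRECTORY}" "${INPUT_FILE}" "${OPTION_SET}");

					run_test_on_input_file "${TEST_SET_DIRECTORY}" "${TEST_DESCRIPTION}" "default" "${OPTION_SET}" "${TEST_EXECUTABLE}" "${INPUT_FILE}" "${OPTIONS[@]}";
					RESULT=$?;

					if test ${RESULT} -ne ${EXIT_SUCCESS};
					then
						break;
					fi
				fi
			done

			if test ${TESTED_WITH_OPTIONS} -eq 0;
			then
				run_test_on_input_file "${TEST_SET_DIRECTORY}" "${TEST_DESCRIPTION}" "default" "" "${TEST_EXECUTABLE}" "${INPUT_FILE}";
				RESULT=$?;
			fi

			if test ${RESULT} -ne ${EXIT_SUCCESS};
			then
				break;
			fi
		done

		if test ${RESULT} -ne ${EXIT_SUCCESS};
		then
			break;
		fi
	done

	return ${RESULT};
}

if test -n "${SKIP_LIBRARY_TESTS}";
then
	exit ${EXIT_IGNORE};
fi

TEST_DIRECTORY=`dirname "$0"`;

TEST_RUNNER="${TEST_DIRECTORY}/test_runner.sh";

if ! test -f "${TEST_RUNNER}";
then
	echo "Missing test runner: ${TEST_RUNNER}";

	exit ${EXIT_FAILURE};
fi

# Quoted so that a test directory containing spaces can still be sourced.
source "${TEST_RUNNER}";

RESULT=${EXIT_IGNORE};

for TEST_NAME in ${LIBRARY_TESTS};
do
	run_test "${TEST_NAME}";
	RESULT=$?;

	if test ${RESULT} -ne ${EXIT_SUCCESS};
	then
		break;
	fi
done

if test ${RESULT} -ne ${EXIT_SUCCESS} && test ${RESULT} -ne ${EXIT_IGNORE};
then
	exit ${RESULT};
fi

for TEST_NAME in ${LIBRARY_TESTS_WITH_INPUT};
do
	if test -d "input";
	then
		run_test_with_input "${TEST_NAME}";
		RESULT=$?;
	else
		run_test "${TEST_NAME}";
		RESULT=$?;
	fi

	if test ${RESULT} -ne ${EXIT_SUCCESS};
	then
		break;
	fi
done

exit ${RESULT};

================================================
FILE: tests/test_manpage.sh
================================================
#!/usr/bin/env bash
# Tests man pages.
#
# Version: 20240413

EXIT_SUCCESS=0;
EXIT_FAILURE=1;
EXIT_IGNORE=77;

# Renders a man page with man and fails on any warning other than
# "can't break line".
#
# Globals:
#   TMPDIR
#
# Arguments:
#   a string containing the path of the man page
#
# Returns:
#   an integer containing the exit status of man, or EXIT_FAILURE when
#   warnings remain after filtering
#
run_test()
{
	local INPUT_FILE=$1;
	local RESULT=0;

	local TEST_NAME=`basename "${INPUT_FILE}"`;
	local WARNINGS_FILE="${TMPDIR}/${TEST_NAME}.warnings";

	echo -n "Testing man with input: ${TEST_NAME}";

	LC_ALL=en_US.UTF-8 MANROFFSEQ='' MANWIDTH=80 man --warnings -E UTF-8 -l -Tutf8 -Z "${INPUT_FILE}" > /dev/null 2> "${WARNINGS_FILE}";
	RESULT=$?;

	# For now line break warnings are ignored.
	if test -f "${WARNINGS_FILE}";
	then
		sed "/can't break line/ d" -i "${WARNINGS_FILE}";
	fi
	if test -s "${WARNINGS_FILE}";
	then
		RESULT=${EXIT_FAILURE};
	fi
	if test ${RESULT} -ne ${EXIT_SUCCESS};
	then
		echo " (FAIL)";
	else
		echo " (PASS)";
	fi
	if test -s "${WARNINGS_FILE}";
	then
		cat "${WARNINGS_FILE}";
	fi
	return ${RESULT};
}

if test "${OSTYPE}" = "msys";
then
	exit ${EXIT_IGNORE};
fi

TEST_DIRECTORY=`dirname "$0"`;

TEST_RUNNER="${TEST_DIRECTORY}/test_runner.sh";

if ! test -f "${TEST_RUNNER}";
then
	echo "Missing test runner: ${TEST_RUNNER}";

	exit ${EXIT_FAILURE};
fi

source "${TEST_RUNNER}";

assert_availability_binary man;

RESULT=${EXIT_IGNORE};

# NOTE(review): the directory name is predictable and relative to the current
# directory, and it is removed recursively before use. That is fine in a
# private build tree; prefer mktemp -d when other users can write here.
TMPDIR="tmp$$";

rm -rf "${TMPDIR}";
mkdir "${TMPDIR}";

MANUALS_PATH="../manuals";

if ! test -d ${MANUALS_PATH};
then
	MANUALS_PATH="manuals";
fi

if ! test -d ${MANUALS_PATH};
then
	echo "Manuals directory not found.";

	# Do not leave the temporary directory behind on the early exit.
	rm -rf "${TMPDIR}";

	exit ${EXIT_IGNORE};
fi

for INPUT_FILE in ${MANUALS_PATH}/*.[13];
do
	run_test "${INPUT_FILE}";
	RESULT=$?;

	if test ${RESULT} -ne ${EXIT_SUCCESS};
	then
		break;
	fi
done

rm -rf "${TMPDIR}";

exit ${RESULT};

================================================
FILE: tests/test_python_module.sh
================================================
#!/usr/bin/env bash
# Tests Python module functions and types.
#
# Version: 20240417

EXIT_SUCCESS=0;
EXIT_FAILURE=1;
EXIT_NO_TESTS_RAN=5;
EXIT_IGNORE=77;

TEST_FUNCTIONS="support";
TEST_FUNCTIONS_WITH_INPUT="file";
OPTION_SETS=();

TEST_TOOL_DIRECTORY=".";
INPUT_GLOB="*";

LIBRARY_NAME="libevtx";
PYTHON_MODULE="pyevtx";

# Runs a Python-bindings test script without an input file.
#
# Arguments:
#   a string containing the name of the test function
#
# Returns:
#   an integer containing the exit status of run_test_with_arguments
#
test_python_function()
{
	local TEST_FUNCTION=$1;

	local TEST_DESCRIPTION="Testing Python-bindings functions: ${TEST_FUNCTION}";
	local TEST_SCRIPT="${TEST_TOOL_DIRECTORY}/${PYTHON_MODULE}_test_${TEST_FUNCTION}.py";

	run_test_with_arguments "${TEST_DESCRIPTION}" "${TEST_SCRIPT}";
	local RESULT=$?;

	return ${RESULT};
}

# Runs a Python-bindings test script on the input files of every test set
# directory found in the "input" directory.
#
# Arguments:
#   a string containing the name of the test function
#
# Returns:
#   an integer containing EXIT_IGNORE when there is no usable input,
#   otherwise the exit status of the last test that was run
#
test_python_function_with_input()
{
	local TEST_FUNCTION=$1;

	local TEST_DESCRIPTION="Testing Python-bindings functions: ${TEST_FUNCTION}";
	local TEST_SCRIPT="${TEST_TOOL_DIRECTORY}/${PYTHON_MODULE}_test_${TEST_FUNCTION}.py";

	if ! test -d "input";
	then
		echo "Test input directory not found.";

		return ${EXIT_IGNORE};
	fi
	# RESULT temporarily holds the number of entries found, 0 means no input.
	local RESULT=`ls input/* | tr ' ' '\n' | wc -l`;

	if test ${RESULT} -eq ${EXIT_SUCCESS};
	then
		echo "No files or directories found in the test input directory";

		return ${EXIT_IGNORE};
	fi

	local TEST_PROFILE_DIRECTORY=$(get_test_profile_directory "input" "${PYTHON_MODULE}");

	local IGNORE_LIST=$(read_ignore_list "${TEST_PROFILE_DIRECTORY}");

	RESULT=${EXIT_SUCCESS};

	for TEST_SET_INPUT_DIRECTORY in input/*;
	do
		if ! test -d "${TEST_SET_INPUT_DIRECTORY}";
		then
			continue;
		fi
		if check_for_directory_in_ignore_list "${TEST_SET_INPUT_DIRECTORY}" "${IGNORE_LIST}";
		then
			continue;
		fi

		local TEST_SET_DIRECTORY=$(get_test_set_directory "${TEST_PROFILE_DIRECTORY}" "${TEST_SET_INPUT_DIRECTORY}");

		# A "files" list in the test set directory takes precedence over the glob.
		if test -f "${TEST_SET_DIRECTORY}/files";
		then
			IFS="" read -a INPUT_FILES <<< $(cat ${TEST_SET_DIRECTORY}/files | sed "s?^?${TEST_SET_INPUT_DIRECTORY}/?");
		else
			IFS="" read -a INPUT_FILES <<< $(ls -1d ${TEST_SET_INPUT_DIRECTORY}/${INPUT_GLOB});
		fi
		for INPUT_FILE in "${INPUT_FILES[@]}";
		do
			local TESTED_WITH_OPTIONS=0;

			for OPTION_SET in ${OPTION_SETS[@]};
			do
				local TEST_DATA_OPTION_FILE=$(get_test_data_option_file "${TEST_SET_DIRECTORY}" "${INPUT_FILE}" "${OPTION_SET}");

				# Quoted so that a path containing spaces is tested as one operand.
				if test -f "${TEST_DATA_OPTION_FILE}";
				then
					TESTED_WITH_OPTIONS=1;

					# The options are split into an array and passed as separate
					# arguments, they are not evaluated by the shell.
					IFS=" " read -a OPTIONS <<< $(read_test_data_option_file "${TEST_SET_DIRECTORY}" "${INPUT_FILE}" "${OPTION_SET}");

					run_test_on_input_file "${TEST_SET_DIRECTORY}" "${TEST_DESCRIPTION}" "default" "${OPTION_SET}" "${TEST_SCRIPT}" "${INPUT_FILE}" "${OPTIONS[@]}";
					RESULT=$?;

					if test ${RESULT} -ne ${EXIT_SUCCESS};
					then
						break;
					fi
				fi
			done

			if test ${TESTED_WITH_OPTIONS} -eq 0;
			then
				run_test_on_input_file "${TEST_SET_DIRECTORY}" "${TEST_DESCRIPTION}" "default" "" "${TEST_SCRIPT}" "${INPUT_FILE}";
				RESULT=$?;
			fi

			if test ${RESULT} -ne ${EXIT_SUCCESS};
			then
				break;
			fi
		done

		if test ${RESULT} -ne ${EXIT_SUCCESS};
		then
			break;
		fi
	done

	return ${RESULT};
}

if test -n "${SKIP_PYTHON_TESTS}";
then
	exit ${EXIT_IGNORE};
fi

TEST_DIRECTORY=`dirname "$0"`;

TEST_RUNNER="${TEST_DIRECTORY}/test_runner.sh";

if ! test -f "${TEST_RUNNER}";
then
	echo "Missing test runner: ${TEST_RUNNER}";

	exit ${EXIT_FAILURE};
fi

source "${TEST_RUNNER}";

PLATFORM=`uname -s | sed 's/-.*$//'`;

# On MinGW and MSYS the library DLLs are copied next to the Python module
# and the module DLL is also made available with a .pyd extension.
if test "${PLATFORM}" = "MINGW64_NT" || test "${PLATFORM}" = "MSYS_NT";
then
	cp ../${LIBRARY_NAME}/.libs/*.dll ../${PYTHON_MODULE}/.libs/;
	cp ../${PYTHON_MODULE}/.libs/${PYTHON_MODULE}.dll ../${PYTHON_MODULE}/.libs/${PYTHON_MODULE}.pyd;
fi

RESULT=${EXIT_IGNORE};

for TEST_FUNCTION in ${TEST_FUNCTIONS};
do
	test_python_function "${TEST_FUNCTION}";
	RESULT=$?;

	# A test script that ran no tests is treated as skipped.
	if test ${RESULT} -eq ${EXIT_NO_TESTS_RAN};
	then
		RESULT=${EXIT_IGNORE};
	fi
	if test ${RESULT} -ne ${EXIT_SUCCESS} && test ${RESULT} -ne ${EXIT_IGNORE};
	then
		break;
	fi
done

if test ${RESULT} -ne ${EXIT_SUCCESS} && test ${RESULT} -ne ${EXIT_IGNORE};
then
	exit ${RESULT};
fi

for TEST_FUNCTION in ${TEST_FUNCTIONS_WITH_INPUT};
do
	if test -d "input";
	then
		test_python_function_with_input "${TEST_FUNCTION}";
		RESULT=$?;
	else
		test_python_function "${TEST_FUNCTION}";
		RESULT=$?;
	fi
	if test ${RESULT} -eq ${EXIT_NO_TESTS_RAN};
	then
		RESULT=${EXIT_IGNORE};
	fi
	if test ${RESULT} -ne ${EXIT_SUCCESS} && test ${RESULT} -ne ${EXIT_IGNORE};
	then
		break;
	fi
done

exit ${RESULT};

================================================
FILE: tests/test_runner.sh
================================================
#!/usr/bin/env bash
# Bash functions to run an executable for testing.
#
# Version: 20231119
#
# When CHECK_WITH_ASAN is set to a non-empty value the test executable
# is run with asan, otherwise it is run without.
#
# When CHECK_WITH_GDB is set to a non-empty value the test executable
# is run with gdb, otherwise it is run without.
#
# When CHECK_WITH_STDERR is set to a non-empty value the test executable
# is run with error output to stderr.
#
# When CHECK_WITH_VALGRIND is set to a non-empty value the test executable
# is run with valgrind, otherwise it is run without.
#
# PYTHON is used to determine the Python interpreter.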
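EXIT_SUCCESS=0;
EXIT_FAILURE=1;
EXIT_IGNORE=77;

# Checks the availability of a binary and exits if not available.
#
# Arguments:
#   a string containing the name of the binary
#
assert_availability_binary()
{
	local BINARY=$1;

	# Quoted so that the name is always passed to which as a single argument.
	if ! which "${BINARY}" > /dev/null 2>&1;
	then
		echo "Missing binary: ${BINARY}";
		echo "";

		exit ${EXIT_FAILURE};
	fi
}

# Checks the availability of binaries and exits if not available.
#
# Globals:
#   CHECK_WITH_GDB
#   CHECK_WITH_VALGRIND
#
assert_availability_binaries()
{
	local REQUIRED_BINARY;

	for REQUIRED_BINARY in cat cut diff file gzip ls readlink sed tr uname wc zcat;
	do
		assert_availability_binary "${REQUIRED_BINARY}";
	done

	# Only one of the debugging tools is required, gdb takes precedence.
	if test -n "${CHECK_WITH_GDB}";
	then
		assert_availability_binary gdb;

	elif test -n "${CHECK_WITH_VALGRIND}";
	then
		assert_availability_binary valgrind;
	fi
}

# Checks if the test set is in the ignore list.
#
# Arguments:
#   a string containing the test set
#   a string containing space separated ignore list
#
# Returns:
#   an integer containing the exit status to indicate the input directory
#   was found in the ignore list.
#
check_for_test_set_in_ignore_list()
{
	local TEST_SET=$1;
	local IGNORE_LIST=$2;

	# Kept local so that the loop does not overwrite a caller's LIST_ELEMENT.
	local LIST_ELEMENT;

	# The ignore list is split on spaces only, hence the unquoted expansion.
	local IFS=" ";
	for LIST_ELEMENT in ${IGNORE_LIST};
	do
		if test "${LIST_ELEMENT}" = "${TEST_SET}";
		then
			return ${EXIT_SUCCESS};
		fi
	done
	return ${EXIT_FAILURE};
}

# Checks if the input directory is in the ignore list.
#
# Arguments:
#   a string containing the path of the test input directory
#   a string containing space separated ignore list
#
# Returns:
#   an integer containing the exit status to indicate the input directory
#   was found in the ignore list.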
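#
check_for_directory_in_ignore_list()
{
	local INPUT_DIRECTORY=$1;
	local IGNORE_LIST=$2;

	# Quoted so that a path containing spaces is not split into a name and
	# a suffix argument of basename.
	local INPUT_BASENAME=`basename "${INPUT_DIRECTORY}"`;

	# Kept local so that the loop does not overwrite a caller's LIST_ELEMENT.
	local LIST_ELEMENT;

	# The ignore list is split on spaces only, hence the unquoted expansion.
	local IFS=" ";
	for LIST_ELEMENT in ${IGNORE_LIST};
	do
		if test "${LIST_ELEMENT}" = "${INPUT_BASENAME}";
		then
			return ${EXIT_SUCCESS};
		fi
	done
	return ${EXIT_FAILURE};
}

# Searches for the binary variant of the executable in case the test executable
# refers to a libtool shell script.
#
# Arguments:
#   a string containing the path of the test executable
#
# Returns:
#   a string containing the path of the binary variant of the test executable
#
find_binary_executable()
{
	local TEST_EXECUTABLE=$1;

	# Kept local so that a caller's RESULT is not overwritten.
	local RESULT;

	TEST_EXECUTABLE=$( readlink_f "${TEST_EXECUTABLE}" );

	# Note that the behavior of `file -bi` is not helpful on Mac OS X.
	local EXECUTABLE_TYPE=`file -b "${TEST_EXECUTABLE}"`;

	# Check if the test executable is a libtool shell script.
	# Linux: POSIX shell script, ASCII text executable, with very long lines
	# Mac OS X: POSIX shell script text executable
	echo "${EXECUTABLE_TYPE}" | grep "POSIX shell script" > /dev/null 2>&1;
	RESULT=$?;

	if test ${RESULT} -eq ${EXIT_SUCCESS};
	then
		local TEST_EXECUTABLE_BASENAME=`basename "${TEST_EXECUTABLE}"`;
		local TEST_EXECUTABLE_DIRNAME=`dirname "${TEST_EXECUTABLE}"`;

		TEST_EXECUTABLE="${TEST_EXECUTABLE_DIRNAME}/.libs/${TEST_EXECUTABLE_BASENAME}";

		if test -x "${TEST_EXECUTABLE}";
		then
			# Note that the behavior of `file -bi` is not helpful on Mac OS X.
			EXECUTABLE_TYPE=`file -b "${TEST_EXECUTABLE}"`;

			# Linux: ELF 64-bit LSB executable, x86-64, ...
			# Mac OS X: Mach-O 64-bit executable x86_64
			echo "${EXECUTABLE_TYPE}" | grep "executable" > /dev/null 2>&1;
			RESULT=$?;

			if test ${RESULT} -ne ${EXIT_SUCCESS};
			then
				# The result is returned on stdout and captured by the caller,
				# so the error message goes to stderr to keep it out of the path.
				echo "Invalid test executable: ${TEST_EXECUTABLE}" >&2;

				exit ${EXIT_FAILURE};
			fi
		fi
	fi
	echo "${TEST_EXECUTABLE}";
}

# Searches for the path to the binary variant of the library.
#
# Arguments:
#   a string containing the path of the test executable
#
# Returns:
#   a string containing the path of the binary variant of the library.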
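#
find_binary_library_path()
{
	local TEST_EXECUTABLE=$1;

	# Paths are quoted throughout so that a build directory containing spaces
	# is not split into several arguments of dirname, basename or test.
	local LIBRARY_NAME=`dirname "${TEST_EXECUTABLE}"`;

	local NAME=`basename "${LIBRARY_NAME}"`;

	# Step out of the libtool ".libs" directory and the "tests" directory.
	if test "${NAME}" = ".libs";
	then
		LIBRARY_NAME=`dirname "${LIBRARY_NAME}"`;
		NAME=`basename "${LIBRARY_NAME}"`;
	fi
	if test "${NAME}" = "tests";
	then
		LIBRARY_NAME=`dirname "${LIBRARY_NAME}"`;
		NAME=`basename "${LIBRARY_NAME}"`;
	fi
	# A "<name>tools" directory maps to "lib<name>", otherwise a "py" prefix
	# and a "_test_..." suffix are stripped to derive the library name.
	if echo "${LIBRARY_NAME}" | grep 'tools' > /dev/null 2>&1;
	then
		LIBRARY_NAME=`basename "${LIBRARY_NAME}" | sed 's/\(.*\)tools$/lib\1/'`;
	else
		LIBRARY_NAME=`basename "${LIBRARY_NAME}" | sed 's/^py//' | sed 's/^\([^_]*\)_test_.*$/lib\1/'`;
	fi
	TEST_EXECUTABLE=`dirname "${TEST_EXECUTABLE}"`;
	TEST_EXECUTABLE=`dirname "${TEST_EXECUTABLE}"`;
	TEST_EXECUTABLE=`dirname "${TEST_EXECUTABLE}"`;

	local LIBRARY_PATH="${TEST_EXECUTABLE}/${LIBRARY_NAME}/.libs";

	# Fall back to a path relative to the current directory.
	if ! test -d "${LIBRARY_PATH}";
	then
		LIBRARY_PATH="../${LIBRARY_NAME}/.libs";
	fi
	echo "${LIBRARY_PATH}";
}

# Searches for the path to the binary variant of the Python module
#
# Arguments:
#   a string containing the path of the test executable
#
# Returns:
#   a string containing the path of the binary variant of the Python module
#
find_binary_python_module_path()
{
	local TEST_EXECUTABLE=$1;

	# Reduces "py<name>_test_<function>..." to "py<name>".
	local PYTHON_MODULE_NAME=`basename "${TEST_EXECUTABLE}" | sed 's/^py\(.*\)_test_.*$/py\1/'`;

	TEST_EXECUTABLE=`dirname "${TEST_EXECUTABLE}"`;
	TEST_EXECUTABLE=`dirname "${TEST_EXECUTABLE}"`;
	TEST_EXECUTABLE=`dirname "${TEST_EXECUTABLE}"`;

	local PYTHON_MODULE_PATH="${TEST_EXECUTABLE}/${PYTHON_MODULE_NAME}/.libs";

	# Fall back to a path relative to the current directory.
	if ! test -d "${PYTHON_MODULE_PATH}";
	then
		PYTHON_MODULE_PATH="../${PYTHON_MODULE_NAME}/.libs";
	fi
	echo "${PYTHON_MODULE_PATH}";
}

# Determines the test data option file.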
# # Arguments: # a string containing the path of the test set directory # a string containing the path of the test input file # a string containing the name of the test data option set # # Returns: # a string containing the test input files # get_test_data_option_file() { local TEST_SET_DIRECTORY=$1; local INPUT_FILE=$2; local OPTION_SET=$3; local INPUT_NAME=`basename "${INPUT_FILE}"`; local TEST_DATA_OPTION_FILE="${TEST_SET_DIRECTORY}/${INPUT_NAME}.${OPTION_SET}"; echo "${TEST_DATA_OPTION_FILE}"; } # Determines the test profile directory. # The directory is created if it does not exist. # # Arguments: # a string containing the path of the test input directory # a string containing the name of the test profile # # Returns: # a string containing the path of the test profile directory # get_test_profile_directory() { local TEST_INPUT_DIRECTORY=$1; local TEST_PROFILE=$2; local TEST_PROFILE_DIRECTORY="${TEST_INPUT_DIRECTORY}/.${TEST_PROFILE}"; if ! test -d "${TEST_PROFILE_DIRECTORY}"; then mkdir "${TEST_PROFILE_DIRECTORY}"; fi echo "${TEST_PROFILE_DIRECTORY}"; } # Determines the test set directory. # The directory is created if it does not exist. # # Arguments: # a string containing the path of the test profile directory # a string containing the path of the test set input directory # # Returns: # a string containing the path of the test set directory # get_test_set_directory() { local TEST_PROFILE_DIRECTORY=$1; local TEST_SET_INPUT_DIRECTORY=$2; local TEST_SET=`basename ${TEST_SET_INPUT_DIRECTORY}`; local TEST_SET_DIRECTORY="${TEST_PROFILE_DIRECTORY}/${TEST_SET}"; if ! 
test -d "${TEST_SET_DIRECTORY}"; then mkdir "${TEST_SET_DIRECTORY}"; fi echo "${TEST_SET_DIRECTORY}"; } # Provides a cross-platform variant of "readlink -f" # # Arguments: # a string containing a path # # Returns: # a string containing the path with all symbolic links resolved # readlink_f() { local TARGET="$1" if test -f "${TARGET}"; then while test -L "${TARGET}"; do TARGET=`readlink "${TARGET}"`; done fi local BASENAME=`basename "${TARGET}"`; local DIRNAME=`dirname "${TARGET}"`; DIRNAME=`(cd "${DIRNAME}" && pwd -P)`; echo "${DIRNAME}/${BASENAME}"; } # Reads the test profile ignore file if it exists. # # Arguments: # a string containing the path of the test profile directory # # Returns: # a string containing a space separated ignore list # read_ignore_list() { local TEST_PROFILE_DIRECTORY=$1; local IGNORE_FILE="${TEST_PROFILE_DIRECTORY}/ignore"; local IGNORE_LIST=""; if test -f "${IGNORE_FILE}"; then IGNORE_LIST=`cat ${IGNORE_FILE} | sed '/^#/d' | tr '\n' ' '`; fi echo ${IGNORE_LIST}; } # Reads a test data option file. # # Arguments: # a string containing the path of the test set directory # a string containing the path of the test input file # a string containing the name of the test data option set # # Returns: # a string containing the test data specific options # read_test_data_option_file() { local TEST_SET_DIRECTORY=$1; local INPUT_FILE=$2; local OPTION_SET=$3; local TEST_DATA_OPTION_FILE="${INPUT_FILE}.${OPTION_SET}"; if ! 
test -f "${TEST_DATA_OPTION_FILE}"; then TEST_DATA_OPTION_FILE=$(get_test_data_option_file "${TEST_SET_DIRECTORY}" "${INPUT_FILE}" "${OPTION_SET}"); fi local OPTIONS_STRING=`head -n 1 "${TEST_DATA_OPTION_FILE}" | sed 's/[\r\n]*$//'`; if test "${OPTIONS_STRING}" = "# libyal test data options"; then OPTIONS_STRING=`tail -n +2 "${TEST_DATA_OPTION_FILE}" | sed 's/^offset=/-o/;s/^password=/-p/;s/^recovery_password=/-r/;s/^startup_key=/-s/;s/virtual_address=/-v/' | tr '\n' ' '`; fi echo "${OPTIONS_STRING}"; } # Runs the test with optional arguments. # # Globals: # CHECK_WITH_ASAN # CHECK_WITH_GDB # CHECK_WITH_STDERR # CHECK_WITH_VALGRIND # # Arguments: # a string containing the test description # a string containing the path of the test executable # an array containing the arguments for the test executable # # Returns: # an integer containg the exit status of the test executable # run_test_with_arguments() { local TEST_DESCRIPTION=$1; local TEST_EXECUTABLE=$2; shift 2; local ARGUMENTS=("$@"); if ! test -f "${TEST_EXECUTABLE}"; then echo "Missing test executable: ${TEST_EXECUTABLE}"; echo ""; return ${EXIT_FAILURE}; fi local PLATFORM=`uname -s | sed 's/-.*$//'`; # Note that the behavior of `file -bi` is not helpful on Mac OS X. local EXECUTABLE_TYPE=`file -b ${TEST_EXECUTABLE}`; # Check if the test executable is a Python script. # Linux: Python script, ASCII text executable # Mac OS X: a python script text executable echo "${EXECUTABLE_TYPE}" | grep -i "python script" > /dev/null 2>&1; local IS_PYTHON_SCRIPT=$?; if test ${IS_PYTHON_SCRIPT} -eq 0 && test -z ${PYTHON}; then local PYTHON=`which python 2> /dev/null`; if ! 
test -x ${PYTHON}; then echo "Missing executable: ${PYTHON}"; exit ${EXIT_FAILURE}; fi fi local RESULT=0; if test -n "${CHECK_WITH_ASAN}"; then local TEST_EXECUTABLE=$( find_binary_executable ${TEST_EXECUTABLE} ); local LIBRARY_PATH=$( find_binary_library_path ${TEST_EXECUTABLE} ); local PYTHON_MODULE_PATH=$( find_binary_python_module_path ${TEST_EXECUTABLE} ); local LSAN_SUPPRESSIONS="lsan.suppressions"; if ! test -f ${LSAN_SUPPRESSIONS}; then LSAN_SUPPRESSIONS="../lsan.suppressions"; fi if test "${PLATFORM}" = "Darwin"; then if test ${IS_PYTHON_SCRIPT} -eq 0; then LSAN_OPTIONS=suppressions="${LSAN_SUPPRESSIONS}" DYLD_LIBRARY_PATH="${LIBRARY_PATH}" PYTHONPATH="${PYTHON_MODULE_PATH}" "${PYTHON}" "${TEST_EXECUTABLE}" ${ARGUMENTS[@]}; RESULT=$?; else LSAN_OPTIONS=suppressions="${LSAN_SUPPRESSIONS}" DYLD_LIBRARY_PATH="${LIBRARY_PATH}" "${TEST_EXECUTABLE}" ${ARGUMENTS[@]}; RESULT=$?; fi else local CONFIG_LOG="../config.log"; if ! test -f ${CONFIG_LOG}; then CONFIG_LOG="../../config.log"; fi local CC=`cat ${CONFIG_LOG} | grep -e "^CC=" | sed "s/CC='\\(.*\\)'/\1/"`; local LIBASAN=""; if test -z ${CC} || test ${CC} != "clang"; then local LDCONFIG=`which ldconfig 2> /dev/null`; if test -z ${LDCONFIG} || ! test -x ${LDCONFIG}; then LDCONFIG="/sbin/ldconfig"; fi if test -z ${LDCONFIG} || ! test -x ${LDCONFIG}; then echo "Missing binary: ldconfig"; echo ""; exit ${EXIT_FAILURE}; fi LIBASAN=`${LDCONFIG} -p | grep libasan | sed 's/^.* => //' | sort | tail -n 1`; if ! 
test -f ${LIBASAN}; then echo "Missing library: ${BINARY}"; echo ""; exit ${EXIT_FAILURE}; fi fi if test ${IS_PYTHON_SCRIPT} -eq 0; then LSAN_OPTIONS=suppressions="${LSAN_SUPPRESSIONS}" LD_PRELOAD="${LIBASAN}" LD_LIBRARY_PATH="${LIBRARY_PATH}" PYTHONPATH="${PYTHON_MODULE_PATH}" "${PYTHON}" "${TEST_EXECUTABLE}" ${ARGUMENTS[@]}; RESULT=$?; else LSAN_OPTIONS=suppressions="${LSAN_SUPPRESSIONS}" LD_PRELOAD="${LIBASAN}" LD_LIBRARY_PATH="${LIBRARY_PATH}" "${TEST_EXECUTABLE}" ${ARGUMENTS[@]}; RESULT=$?; fi fi elif test -n "${CHECK_WITH_GDB}"; then local TEST_EXECUTABLE=$( find_binary_executable ${TEST_EXECUTABLE} ); local LIBRARY_PATH=$( find_binary_library_path ${TEST_EXECUTABLE} ); local PYTHON_MODULE_PATH=$( find_binary_python_module_path ${TEST_EXECUTABLE} ); if test "${PLATFORM}" = "Darwin"; then if test ${IS_PYTHON_SCRIPT} -eq 0; then DYLD_LIBRARY_PATH="${LIBRARY_PATH}" PYTHONPATH="${PYTHON_MODULE_PATH}" gdb -ex "set non-stop on" -ex "run" -ex "quit" --args "${PYTHON}" "${TEST_EXECUTABLE}" ${ARGUMENTS[@]}; RESULT=$?; else DYLD_LIBRARY_PATH="${LIBRARY_PATH}" gdb -ex "set non-stop on" -ex "run" -ex "quit" --args "${TEST_EXECUTABLE}" ${ARGUMENTS[@]}; RESULT=$?; fi elif test "${PLATFORM}" = "CYGWIN_NT"; then if test ${IS_PYTHON_SCRIPT} -eq 0; then PATH="${LIBRARY_PATH}:${PATH}" PYTHONPATH="${PYTHON_MODULE_PATH}" gdb -ex "set non-stop on" -ex "run" -ex "quit" --args "${PYTHON}" "${TEST_EXECUTABLE}" ${ARGUMENTS[@]}; RESULT=$?; else PATH="${LIBRARY_PATH}:${PATH}" gdb -ex "set non-stop on" -ex "run" -ex "quit" --args "${TEST_EXECUTABLE}" ${ARGUMENTS[@]}; RESULT=$?; fi else if test ${IS_PYTHON_SCRIPT} -eq 0; then LD_LIBRARY_PATH="${LIBRARY_PATH}" PYTHONPATH="${PYTHON_MODULE_PATH}" gdb -ex "set non-stop on" -ex "run" -ex "quit" --args "${PYTHON}" "${TEST_EXECUTABLE}" ${ARGUMENTS[@]}; RESULT=$?; else LD_LIBRARY_PATH="${LIBRARY_PATH}" gdb -ex "set non-stop on" -ex "run" -ex "quit" --args "${TEST_EXECUTABLE}" ${ARGUMENTS[@]}; RESULT=$?; fi fi elif test -n 
"${CHECK_WITH_VALGRIND}"; then local TEST_EXECUTABLE=$( find_binary_executable ${TEST_EXECUTABLE} ); local LIBRARY_PATH=$( find_binary_library_path ${TEST_EXECUTABLE} ); local PYTHON_MODULE_PATH=$( find_binary_python_module_path ${TEST_EXECUTABLE} ); local VALGRIND_LOG="valgrind.log-$$"; local VALGRIND_OPTIONS=("--tool=memcheck" "--leak-check=full" "--show-leak-kinds=definite,indirect,possible" "--track-origins=yes" "--log-file=${VALGRIND_LOG}"); if test "${PLATFORM}" = "Darwin"; then if test ${IS_PYTHON_SCRIPT} -eq 0; then DYLD_LIBRARY_PATH="${LIBRARY_PATH}" PYTHONPATH="${PYTHON_MODULE_PATH}" valgrind ${VALGRIND_OPTIONS[@]} "${PYTHON}" "${TEST_EXECUTABLE}" ${ARGUMENTS[@]}; RESULT=$?; else DYLD_LIBRARY_PATH="${LIBRARY_PATH}" valgrind ${VALGRIND_OPTIONS[@]} "${TEST_EXECUTABLE}" ${ARGUMENTS[@]}; RESULT=$?; fi elif test "${PLATFORM}" = "CYGWIN_NT"; then if test ${IS_PYTHON_SCRIPT} -eq 0; then PATH="${LIBRARY_PATH}:${PATH}" PYTHONPATH="${PYTHON_MODULE_PATH}" valgrind ${VALGRIND_OPTIONS[@]} "${PYTHON}" "${TEST_EXECUTABLE}" ${ARGUMENTS[@]}; RESULT=$?; else PATH="${LIBRARY_PATH}:${PATH}" valgrind ${VALGRIND_OPTIONS[@]} "${TEST_EXECUTABLE}" ${ARGUMENTS[@]}; RESULT=$?; fi else if test ${IS_PYTHON_SCRIPT} -eq 0; then LD_LIBRARY_PATH="${LIBRARY_PATH}" PYTHONPATH="${PYTHON_MODULE_PATH}" valgrind ${VALGRIND_OPTIONS[@]} "${PYTHON}" "${TEST_EXECUTABLE}" ${ARGUMENTS[@]}; RESULT=$?; else LD_LIBRARY_PATH="${LIBRARY_PATH}" valgrind ${VALGRIND_OPTIONS[@]} "${TEST_EXECUTABLE}" ${ARGUMENTS[@]}; RESULT=$?; fi fi if test ${RESULT} -eq ${EXIT_SUCCESS}; then grep "All heap blocks were freed -- no leaks are possible" ${VALGRIND_LOG} > /dev/null 2>&1; if test $? 
-ne ${EXIT_SUCCESS}; then # Ignore "still reachable" # Also see: http://valgrind.org/docs/manual/faq.html#faq.deflost grep "definitely lost: 0 bytes in 0 blocks" ${VALGRIND_LOG} > /dev/null 2>&1; RESULT_DIRECTLY_LOST=$?; grep "indirectly lost: 0 bytes in 0 blocks" ${VALGRIND_LOG} > /dev/null 2>&1; RESULT_INDIRECTLY_LOST=$?; grep "possibly lost: 0 bytes in 0 blocks" ${VALGRIND_LOG} > /dev/null 2>&1; RESULT_POSSIBLY_LOST=$?; grep "suppressed: 0 bytes in 0 blocks" ${VALGRIND_LOG} > /dev/null 2>&1; RESULT_SUPPRESSED=$?; if test ${RESULT_DIRECTLY_LOST} -ne ${EXIT_SUCCESS} || test ${RESULT_INDIRECTLY_LOST} -ne ${EXIT_SUCCESS} || test ${RESULT_POSSIBLY_LOST} -ne ${EXIT_SUCCESS} || test ${RESULT_SUPPRESSED} -ne ${EXIT_SUCCESS}; then echo "Memory leakage detected."; cat ${VALGRIND_LOG}; RESULT=${EXIT_FAILURE}; fi fi # Detect valgrind warnings. local NUMBER_OF_LINES=`wc -l ${VALGRIND_LOG} | awk '{ print $1 }'`; if test ${NUMBER_OF_LINES} -ne 15 && test ${NUMBER_OF_LINES} -ne 22; then echo "Unsupported number of lines: ${NUMBER_OF_LINES}"; cat ${VALGRIND_LOG}; RESULT=${EXIT_FAILURE}; fi fi rm -f ${VALGRIND_LOG}; elif test ${IS_PYTHON_SCRIPT} -eq 0; then if ! 
test -f "${TEST_EXECUTABLE}"; then echo "Invalid test Python script: ${TEST_EXECUTABLE}"; echo ""; return ${EXIT_FAILURE}; fi local TEST_EXECUTABLE=$( find_binary_executable ${TEST_EXECUTABLE} ); local LIBRARY_PATH=$( find_binary_library_path ${TEST_EXECUTABLE} ); local PYTHON_MODULE_PATH=$( find_binary_python_module_path ${TEST_EXECUTABLE} ); if test "${PLATFORM}" = "Darwin"; then if test -n "${CHECK_WITH_STDERR}"; then DYLD_LIBRARY_PATH="${LIBRARY_PATH}" PYTHONPATH="${PYTHON_MODULE_PATH}" "${PYTHON}" "${TEST_EXECUTABLE}" ${ARGUMENTS[@]}; RESULT=$?; else DYLD_LIBRARY_PATH="${LIBRARY_PATH}" PYTHONPATH="${PYTHON_MODULE_PATH}" "${PYTHON}" "${TEST_EXECUTABLE}" ${ARGUMENTS[@]} 2> /dev/null; RESULT=$?; fi elif test "${PLATFORM}" = "CYGWIN_NT"; then if test -n "${CHECK_WITH_STDERR}"; then PATH="${LIBRARY_PATH}:${PATH}" PYTHONPATH="${PYTHON_MODULE_PATH}" "${PYTHON}" "${TEST_EXECUTABLE}" ${ARGUMENTS[@]}; RESULT=$?; else PATH="${LIBRARY_PATH}:${PATH}" PYTHONPATH="${PYTHON_MODULE_PATH}" "${PYTHON}" "${TEST_EXECUTABLE}" ${ARGUMENTS[@]} 2> /dev/null; RESULT=$?; fi else if test -n "${CHECK_WITH_STDERR}"; then LD_LIBRARY_PATH="${LIBRARY_PATH}" PYTHONPATH="${PYTHON_MODULE_PATH}" "${PYTHON}" "${TEST_EXECUTABLE}" ${ARGUMENTS[@]}; RESULT=$?; else LD_LIBRARY_PATH="${LIBRARY_PATH}" PYTHONPATH="${PYTHON_MODULE_PATH}" "${PYTHON}" "${TEST_EXECUTABLE}" ${ARGUMENTS[@]} 2> /dev/null; RESULT=$?; fi fi else if ! test -x "${TEST_EXECUTABLE}"; then echo "Invalid test executable: ${TEST_EXECUTABLE}"; echo ""; return ${EXIT_FAILURE}; fi if test -n "${CHECK_WITH_STDERR}"; then ${TEST_EXECUTABLE} ${ARGUMENTS[@]}; RESULT=$?; else ${TEST_EXECUTABLE} ${ARGUMENTS[@]} 2> /dev/null; RESULT=$?; fi fi if test -n "${TEST_DESCRIPTION}"; then echo -n "${TEST_DESCRIPTION}"; if test ${RESULT} -ne ${EXIT_SUCCESS}; then echo " (FAIL)"; else echo " (PASS)"; fi fi return ${RESULT}; } # Runs the test with an input file and optional arguments. 
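#
# The executable is run in one of four ways: under AddressSanitizer
# (CHECK_WITH_ASAN), under gdb (CHECK_WITH_GDB), under valgrind memcheck
# (CHECK_WITH_VALGRIND) or directly. The input file is always passed as
# the last argument, after the optional arguments.
#
# Globals:
#   CHECK_WITH_ASAN
#   CHECK_WITH_GDB
#   CHECK_WITH_STDERR
#   CHECK_WITH_VALGRIND
#   EXIT_FAILURE
#   EXIT_SUCCESS
#   PYTHON (optional, looked up with "which python" when empty)
#
# Arguments:
#   a string containing the path of the test executable
#   a string containing the path of the test input file
#   an array containing the arguments for the test executable
#
# Returns:
#   an integer containing the exit status of the test executable
#
run_test_with_input_and_arguments()
{
	local TEST_EXECUTABLE=$1;
	local INPUT_FILE=$2;
	shift 2;
	# NOTE(review): ARGUMENTS is expanded unquoted everywhere below, so its
	# elements are word-split and glob-expanded again and empty elements are
	# dropped. This is kept as-is because callers may depend on it; an
	# argument containing whitespace cannot be passed through this function.
	local ARGUMENTS=("$@");

	if ! test -f "${TEST_EXECUTABLE}";
	then
		echo "Missing test executable: ${TEST_EXECUTABLE}";
		echo "";

		return ${EXIT_FAILURE};
	fi
	local PLATFORM=`uname -s | sed 's/-.*$//'`;

	# Note that the behavior of `file -bi` is not helpful on Mac OS X.
	local EXECUTABLE_TYPE=`file -b "${TEST_EXECUTABLE}"`;

	# Check if the test executable is a Python script.
	# Linux: Python script, ASCII text executable
	# Mac OS X: a python script text executable
	echo "${EXECUTABLE_TYPE}" | grep -i "python script" > /dev/null 2>&1;
	local IS_PYTHON_SCRIPT=$?;

	if test ${IS_PYTHON_SCRIPT} -eq 0 && test -z "${PYTHON}";
	then
		local PYTHON=`which python 2> /dev/null`;

		# The expansion must be quoted: with an empty value an unquoted
		# "test -x" has a single operand and evaluates to true, which
		# would let the run continue without an interpreter.
		if ! test -x "${PYTHON}";
		then
			echo "Missing executable: ${PYTHON:-python}";

			exit ${EXIT_FAILURE};
		fi
	fi
	local RESULT=0;

	if test -n "${CHECK_WITH_ASAN}";
	then
		# NOTE(review): LIBRARY_PATH and PYTHON_MODULE_PATH decide which
		# shared objects and modules get loaded; presumably they point into
		# the build tree. The helpers are defined outside this function.
		local TEST_EXECUTABLE=$( find_binary_executable "${TEST_EXECUTABLE}" );
		local LIBRARY_PATH=$( find_binary_library_path "${TEST_EXECUTABLE}" );
		local PYTHON_MODULE_PATH=$( find_binary_python_module_path "${TEST_EXECUTABLE}" );

		local LSAN_SUPPRESSIONS="lsan.suppressions";

		if ! test -f "${LSAN_SUPPRESSIONS}";
		then
			LSAN_SUPPRESSIONS="../lsan.suppressions";
		fi

		if test "${PLATFORM}" = "Darwin";
		then
			# TODO DYLD_INSERT_LIBRARIES=/Library/Developer/CommandLineTools/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib
			if test ${IS_PYTHON_SCRIPT} -eq 0;
			then
				LSAN_OPTIONS=suppressions="${LSAN_SUPPRESSIONS}" DYLD_LIBRARY_PATH="${LIBRARY_PATH}" PYTHONPATH="${PYTHON_MODULE_PATH}" "${PYTHON}" "${TEST_EXECUTABLE}" ${ARGUMENTS[@]} "${INPUT_FILE}";
				RESULT=$?;
			else
				LSAN_OPTIONS=suppressions="${LSAN_SUPPRESSIONS}" DYLD_LIBRARY_PATH="${LIBRARY_PATH}" "${TEST_EXECUTABLE}" ${ARGUMENTS[@]} "${INPUT_FILE}";
				RESULT=$?;
			fi
		else
			local CONFIG_LOG="../config.log";

			if ! test -f "${CONFIG_LOG}";
			then
				CONFIG_LOG="../../config.log";
			fi
			# The compiler recorded by configure decides whether libasan
			# has to be preloaded.
			local CC=`cat "${CONFIG_LOG}" | grep -e "^CC=" | sed "s/CC='\\(.*\\)'/\1/"`;

			local LIBASAN="";

			if test -z "${CC}" || test "${CC}" != "clang";
			then
				local LDCONFIG=`which ldconfig 2> /dev/null`;

				if test -z "${LDCONFIG}" || ! test -x "${LDCONFIG}";
				then
					LDCONFIG="/sbin/ldconfig";
				fi
				if test -z "${LDCONFIG}" || ! test -x "${LDCONFIG}";
				then
					echo "Missing binary: ldconfig";
					echo "";

					exit ${EXIT_FAILURE};
				fi
				LIBASAN=`"${LDCONFIG}" -p | grep libasan | sed 's/^.* => //' | sort | tail -n 1`;

				# Quoted so that an empty result fails the check; otherwise
				# the test would run with an empty LD_PRELOAD, without the
				# sanitizer runtime, and still be reported as an ASAN run.
				if ! test -f "${LIBASAN}";
				then
					echo "Missing library: libasan";
					echo "";

					exit ${EXIT_FAILURE};
				fi
			fi
			if test ${IS_PYTHON_SCRIPT} -eq 0;
			then
				LSAN_OPTIONS=suppressions="${LSAN_SUPPRESSIONS}" LD_PRELOAD="${LIBASAN}" LD_LIBRARY_PATH="${LIBRARY_PATH}" PYTHONPATH="${PYTHON_MODULE_PATH}" "${PYTHON}" "${TEST_EXECUTABLE}" ${ARGUMENTS[@]} "${INPUT_FILE}";
				RESULT=$?;
			else
				LSAN_OPTIONS=suppressions="${LSAN_SUPPRESSIONS}" LD_PRELOAD="${LIBASAN}" LD_LIBRARY_PATH="${LIBRARY_PATH}" "${TEST_EXECUTABLE}" ${ARGUMENTS[@]} "${INPUT_FILE}";
				RESULT=$?;
			fi
		fi

	elif test -n "${CHECK_WITH_GDB}";
	then
		local TEST_EXECUTABLE=$( find_binary_executable "${TEST_EXECUTABLE}" );
		local LIBRARY_PATH=$( find_binary_library_path "${TEST_EXECUTABLE}" );
		local PYTHON_MODULE_PATH=$( find_binary_python_module_path "${TEST_EXECUTABLE}" );

		if test "${PLATFORM}" = "Darwin";
		then
			if test ${IS_PYTHON_SCRIPT} -eq 0;
			then
				DYLD_LIBRARY_PATH="${LIBRARY_PATH}" PYTHONPATH="${PYTHON_MODULE_PATH}" gdb -ex "set non-stop on" -ex "run" -ex "quit" --args "${PYTHON}" "${TEST_EXECUTABLE}" ${ARGUMENTS[@]} "${INPUT_FILE}";
				RESULT=$?;
			else
				DYLD_LIBRARY_PATH="${LIBRARY_PATH}" gdb -ex "set non-stop on" -ex "run" -ex "quit" --args "${TEST_EXECUTABLE}" ${ARGUMENTS[@]} "${INPUT_FILE}";
				RESULT=$?;
			fi

		elif test "${PLATFORM}" = "CYGWIN_NT";
		then
			# On Cygwin the library directory is put in front of PATH.
			if test ${IS_PYTHON_SCRIPT} -eq 0;
			then
				PATH="${LIBRARY_PATH}:${PATH}" PYTHONPATH="${PYTHON_MODULE_PATH}" gdb -ex "set non-stop on" -ex "run" -ex "quit" --args "${PYTHON}" "${TEST_EXECUTABLE}" ${ARGUMENTS[@]} "${INPUT_FILE}";
				RESULT=$?;
			else
				PATH="${LIBRARY_PATH}:${PATH}" gdb -ex "set non-stop on" -ex "run" -ex "quit" --args "${TEST_EXECUTABLE}" ${ARGUMENTS[@]} "${INPUT_FILE}";
				RESULT=$?;
			fi

		else
			if test ${IS_PYTHON_SCRIPT} -eq 0;
			then
				LD_LIBRARY_PATH="${LIBRARY_PATH}" PYTHONPATH="${PYTHON_MODULE_PATH}" gdb -ex "set non-stop on" -ex "run" -ex "quit" --args "${PYTHON}" "${TEST_EXECUTABLE}" ${ARGUMENTS[@]} "${INPUT_FILE}";
				RESULT=$?;
			else
				LD_LIBRARY_PATH="${LIBRARY_PATH}" gdb -ex "set non-stop on" -ex "run" -ex "quit" --args "${TEST_EXECUTABLE}" ${ARGUMENTS[@]} "${INPUT_FILE}";
				RESULT=$?;
			fi
		fi

	elif test -n "${CHECK_WITH_VALGRIND}";
	then
		local TEST_EXECUTABLE=$( find_binary_executable "${TEST_EXECUTABLE}" );
		local LIBRARY_PATH=$( find_binary_library_path "${TEST_EXECUTABLE}" );
		local PYTHON_MODULE_PATH=$( find_binary_python_module_path "${TEST_EXECUTABLE}" );

		# The log is written to the current directory and named after the
		# shell's process identifier.
		local VALGRIND_LOG="valgrind.log-$$";
		local VALGRIND_OPTIONS=("--tool=memcheck" "--leak-check=full" "--show-leak-kinds=definite,indirect,possible" "--track-origins=yes" "--log-file=${VALGRIND_LOG}");

		if test "${PLATFORM}" = "Darwin";
		then
			if test ${IS_PYTHON_SCRIPT} -eq 0;
			then
				DYLD_LIBRARY_PATH="${LIBRARY_PATH}" PYTHONPATH="${PYTHON_MODULE_PATH}" valgrind "${VALGRIND_OPTIONS[@]}" "${PYTHON}" "${TEST_EXECUTABLE}" ${ARGUMENTS[@]} "${INPUT_FILE}";
				RESULT=$?;
			else
				DYLD_LIBRARY_PATH="${LIBRARY_PATH}" valgrind "${VALGRIND_OPTIONS[@]}" "${TEST_EXECUTABLE}" ${ARGUMENTS[@]} "${INPUT_FILE}";
				RESULT=$?;
			fi

		elif test "${PLATFORM}" = "CYGWIN_NT";
		then
			if test ${IS_PYTHON_SCRIPT} -eq 0;
			then
				PATH="${LIBRARY_PATH}:${PATH}" PYTHONPATH="${PYTHON_MODULE_PATH}" valgrind "${VALGRIND_OPTIONS[@]}" "${PYTHON}" "${TEST_EXECUTABLE}" ${ARGUMENTS[@]} "${INPUT_FILE}";
				RESULT=$?;
			else
				PATH="${LIBRARY_PATH}:${PATH}" valgrind "${VALGRIND_OPTIONS[@]}" "${TEST_EXECUTABLE}" ${ARGUMENTS[@]} "${INPUT_FILE}";
				RESULT=$?;
			fi

		else
			if test ${IS_PYTHON_SCRIPT} -eq 0;
			then
				LD_LIBRARY_PATH="${LIBRARY_PATH}" PYTHONPATH="${PYTHON_MODULE_PATH}" valgrind "${VALGRIND_OPTIONS[@]}" "${PYTHON}" "${TEST_EXECUTABLE}" ${ARGUMENTS[@]} "${INPUT_FILE}";
				RESULT=$?;
			else
				LD_LIBRARY_PATH="${LIBRARY_PATH}" valgrind "${VALGRIND_OPTIONS[@]}" "${TEST_EXECUTABLE}" ${ARGUMENTS[@]} "${INPUT_FILE}";
				RESULT=$?;
			fi
		fi
		# The log is only inspected when the run itself succeeded.
		if test ${RESULT} -eq ${EXIT_SUCCESS};
		then
			grep "All heap blocks were freed -- no leaks are possible" "${VALGRIND_LOG}" > /dev/null 2>&1;

			if test $? -ne ${EXIT_SUCCESS};
			then
				# Ignore "still reachable"
				# Also see: http://valgrind.org/docs/manual/faq.html#faq.deflost

				grep "definitely lost: 0 bytes in 0 blocks" "${VALGRIND_LOG}" > /dev/null 2>&1;
				RESULT_DIRECTLY_LOST=$?;

				grep "indirectly lost: 0 bytes in 0 blocks" "${VALGRIND_LOG}" > /dev/null 2>&1;
				RESULT_INDIRECTLY_LOST=$?;

				grep "possibly lost: 0 bytes in 0 blocks" "${VALGRIND_LOG}" > /dev/null 2>&1;
				RESULT_POSSIBLY_LOST=$?;

				grep "suppressed: 0 bytes in 0 blocks" "${VALGRIND_LOG}" > /dev/null 2>&1;
				RESULT_SUPPRESSED=$?;

				if test ${RESULT_DIRECTLY_LOST} -ne ${EXIT_SUCCESS} || test ${RESULT_INDIRECTLY_LOST} -ne ${EXIT_SUCCESS} || test ${RESULT_POSSIBLY_LOST} -ne ${EXIT_SUCCESS} || test ${RESULT_SUPPRESSED} -ne ${EXIT_SUCCESS};
				then
					echo "Memory leakage detected.";
					cat "${VALGRIND_LOG}";

					RESULT=${EXIT_FAILURE};
				fi
			fi
			# Detect valgrind warnings.
			# Any log length other than 15 or 22 lines is reported as a failure.
			local NUMBER_OF_LINES=`wc -l "${VALGRIND_LOG}" | awk '{ print $1 }'`;

			if test ${NUMBER_OF_LINES} -ne 15 && test ${NUMBER_OF_LINES} -ne 22;
			then
				echo "Unsupported number of lines: ${NUMBER_OF_LINES}";
				cat "${VALGRIND_LOG}";

				RESULT=${EXIT_FAILURE};
			fi
		fi
		rm -f "${VALGRIND_LOG}";

	elif test ${IS_PYTHON_SCRIPT} -eq 0;
	then
		if ! test -f "${TEST_EXECUTABLE}";
		then
			echo "Invalid test Python script: ${TEST_EXECUTABLE}";
			echo "";

			return ${EXIT_FAILURE};
		fi
		local TEST_EXECUTABLE=$( find_binary_executable "${TEST_EXECUTABLE}" );
		local LIBRARY_PATH=$( find_binary_library_path "${TEST_EXECUTABLE}" );
		local PYTHON_MODULE_PATH=$( find_binary_python_module_path "${TEST_EXECUTABLE}" );

		# Without CHECK_WITH_STDERR the error output of the test is discarded.
		if test "${PLATFORM}" = "Darwin";
		then
			if test -n "${CHECK_WITH_STDERR}";
			then
				DYLD_LIBRARY_PATH="${LIBRARY_PATH}" PYTHONPATH="${PYTHON_MODULE_PATH}" "${PYTHON}" "${TEST_EXECUTABLE}" ${ARGUMENTS[@]} "${INPUT_FILE}";
				RESULT=$?;
			else
				DYLD_LIBRARY_PATH="${LIBRARY_PATH}" PYTHONPATH="${PYTHON_MODULE_PATH}" "${PYTHON}" "${TEST_EXECUTABLE}" ${ARGUMENTS[@]} "${INPUT_FILE}" 2> /dev/null;
				RESULT=$?;
			fi

		elif test "${PLATFORM}" = "CYGWIN_NT";
		then
			if test -n "${CHECK_WITH_STDERR}";
			then
				PATH="${LIBRARY_PATH}:${PATH}" PYTHONPATH="${PYTHON_MODULE_PATH}" "${PYTHON}" "${TEST_EXECUTABLE}" ${ARGUMENTS[@]} "${INPUT_FILE}";
				RESULT=$?;
			else
				PATH="${LIBRARY_PATH}:${PATH}" PYTHONPATH="${PYTHON_MODULE_PATH}" "${PYTHON}" "${TEST_EXECUTABLE}" ${ARGUMENTS[@]} "${INPUT_FILE}" 2> /dev/null;
				RESULT=$?;
			fi

		else
			if test -n "${CHECK_WITH_STDERR}";
			then
				LD_LIBRARY_PATH="${LIBRARY_PATH}" PYTHONPATH="${PYTHON_MODULE_PATH}" "${PYTHON}" "${TEST_EXECUTABLE}" ${ARGUMENTS[@]} "${INPUT_FILE}";
				RESULT=$?;
			else
				LD_LIBRARY_PATH="${LIBRARY_PATH}" PYTHONPATH="${PYTHON_MODULE_PATH}" "${PYTHON}" "${TEST_EXECUTABLE}" ${ARGUMENTS[@]} "${INPUT_FILE}" 2> /dev/null;
				RESULT=$?;
			fi
		fi

	else
		if ! test -x "${TEST_EXECUTABLE}";
		then
			echo "Invalid test executable: ${TEST_EXECUTABLE}";
			echo "";

			return ${EXIT_FAILURE};
		fi
		# The path is quoted so that the file checked above is the one
		# that is executed, also when the path contains whitespace.
		if test -n "${CHECK_WITH_STDERR}";
		then
			"${TEST_EXECUTABLE}" ${ARGUMENTS[@]} "${INPUT_FILE}";
			RESULT=$?;
		else
			"${TEST_EXECUTABLE}" ${ARGUMENTS[@]} "${INPUT_FILE}" 2> /dev/null;
			RESULT=$?;
		fi
	fi
	return ${RESULT};
}

# Runs the test on the input file.
#
# Note that this function is not intended to be directly invoked
# from outside the test runner script.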
# # Arguments: # a string containing the path of the test set directory # a string containing the description of the test # a string containing the test mode # a string containing the name of the test data option set # a string containing the path of the test executable # a string containing the path of the test input file # an array containing the arguments for the test executable # # Returns: # an integer containg the exit status of the test executable # run_test_on_input_file() { local TEST_SET_DIRECTORY=$1; local TEST_DESCRIPTION=$2; local TEST_MODE=$3; local OPTION_SET=$4; local TEST_EXECUTABLE=$5; local INPUT_FILE=$6; shift 6; local ARGUMENTS=("$@"); local INPUT_NAME=`basename "${INPUT_FILE}"`; local TEST_OUTPUT="${INPUT_NAME}"; if test -n "${OPTION_SET}"; then TEST_OUTPUT="${INPUT_NAME}-${OPTION_SET}"; fi local TMPDIR="tmp$$"; local RESULT=0; rm -rf ${TMPDIR}; mkdir ${TMPDIR}; if test "${TEST_MODE}" = "with_callback"; then test_callback "${TMPDIR}" "${TEST_SET_DIRECTORY}" "${TEST_OUTPUT}" "${TEST_EXECUTABLE}" "${TEST_INPUT}" ${ARGUMENTS[@]}; RESULT=$?; elif test "${TEST_MODE}" = "with_stdout_reference"; then TEST_EXECUTABLE=$( readlink_f "${TEST_EXECUTABLE}" ); if ! test -x ${TEST_EXECUTABLE}; then echo "Invalid test executable: ${TEST_EXECUTABLE}"; echo ""; return ${EXIT_FAILURE}; fi local INPUT_FILE_FULL_PATH=$( readlink_f "${INPUT_FILE}" ); local TEST_LOG="${TEST_OUTPUT}.log"; (cd ${TMPDIR} && run_test_with_input_and_arguments "${TEST_EXECUTABLE}" "${INPUT_FILE_FULL_PATH}" ${ARGUMENTS[@]} > "${TEST_LOG}"); RESULT=$?; # Compare output if test ran successfully. if test ${RESULT} -eq ${EXIT_SUCCESS}; then local TEST_RESULTS="${TMPDIR}/${TEST_LOG}"; local STORED_TEST_RESULTS="${TEST_SET_DIRECTORY}/${TEST_LOG}.gz"; # Strip header with version. sed -i'~' '1,2d' "${TEST_RESULTS}"; if test -f "${STORED_TEST_RESULTS}"; then # Using zcat here since zdiff has issues on Mac OS X. # Note that zcat on Mac OS X requires the input from stdin. 
zcat < "${STORED_TEST_RESULTS}" | diff "${TEST_RESULTS}" -; RESULT=$?; else gzip "${TEST_RESULTS}"; mv "${TEST_RESULTS}.gz" ${TEST_SET_DIRECTORY}; fi fi else run_test_with_input_and_arguments "${TEST_EXECUTABLE}" "${INPUT_FILE}" ${ARGUMENTS[@]}; RESULT=$?; fi rm -rf ${TMPDIR}; if test -n "${TEST_DESCRIPTION}"; then ARGUMENTS=`echo "${ARGUMENTS[*]}" | tr '\n' ' ' | sed 's/[ ]\$//'`; if test -z "${ARGUMENTS}"; then echo -n "${TEST_DESCRIPTION} with input: ${INPUT_FILE}"; else echo -n "${TEST_DESCRIPTION} with options: '${ARGUMENTS}' and input: ${INPUT_FILE}"; fi if test ${RESULT} -ne ${EXIT_SUCCESS}; then echo " (FAIL)"; else echo " (PASS)"; fi fi return ${RESULT}; } ================================================ FILE: tests/test_tools.ps1 ================================================ # Tests tools functions and types. # # Version: 20230410 $ExitSuccess = 0 $ExitFailure = 1 $ExitIgnore = 77 $ToolsTests = "info_handle message_handle message_string output path_handle registry_file resource_file signal" $ToolsTestsWithInput = "" $InputGlob = "*" Function GetTestProfileDirectory { param( [string]$TestInputDirectory, [string]$TestProfile ) $TestProfileDirectory = "${TestInputDirectory}\.${TestProfile}" If (-Not (Test-Path -Path ${TestProfileDirectory} -PathType "Container")) { New-Item -ItemType "directory" -Path ${TestProfileDirectory} } Return ${TestProfileDirectory} } Function GetTestSetDirectory { param( [string]$TestProfileDirectory, [string]$TestSetInputDirectory ) $TestSetDirectory = "${TestProfileDirectory}\${TestSetInputDirectory.Basename}" If (-Not (Test-Path -Path ${TestSetDirectory} -PathType "Container")) { New-Item -ItemType "directory" -Path ${TestSetDirectory} } Return ${TestSetDirectory} } Function GetTestExecutablesDirectory { $TestExecutablesDirectory = "" ForEach (${VSDirectory} in ("msvscpp", "vs2008", "vs2010", "vs2012", "vs2013", "vs2015", "vs2017", "vs2019", "vs2022")) { ForEach (${VSConfiguration} in ("Release", "VSDebug")) { ForEach 
(${VSPlatform} in ("Win32", "x64")) { $TestExecutablesDirectory = "..\${VSDirectory}\${VSConfiguration}\${VSPlatform}" If (Test-Path ${TestExecutablesDirectory}) { Return ${TestExecutablesDirectory} } } $TestExecutablesDirectory = "..\${VSDirectory}\${VSConfiguration}" If (Test-Path ${TestExecutablesDirectory}) { Return ${TestExecutablesDirectory} } } } Return ${TestExecutablesDirectory} } Function ReadIgnoreList { param( [string]$TestProfileDirectory ) $IgnoreFile = "${TestProfileDirectory}\ignore" $IgnoreList = "" If (Test-Path -Path ${IgnoreFile} -PathType "Leaf") { $IgnoreList = Get-Content -Path ${IgnoreFile} | Where {$_ -notmatch '^#.*'} } Return $IgnoreList } Function RunTest { param( [string]$TestType ) $TestDescription = "Testing: ${TestName}" $TestExecutable = "${TestExecutablesDirectory}\evtx_test_tools_${TestName}.exe" $Output = Invoke-Expression ${TestExecutable} $Result = ${LastExitCode} If (${Result} -ne ${ExitSuccess}) { Write-Host ${Output} -foreground Red } Write-Host "${TestDescription} " -nonewline If (${Result} -ne ${ExitSuccess}) { Write-Host " (FAIL)" } Else { Write-Host " (PASS)" } Return ${Result} } Function RunTestWithInput { param( [string]$TestType ) $TestDescription = "Testing: ${TestName}" $TestExecutable = "${TestExecutablesDirectory}\evtx_test_tools_${TestName}.exe" $TestProfileDirectory = GetTestProfileDirectory "input" "evtxtools" $IgnoreList = ReadIgnoreList ${TestProfileDirectory} $Result = ${ExitSuccess} ForEach ($TestSetInputDirectory in Get-ChildItem -Path "input" -Exclude ".*") { If (-Not (Test-Path -Path ${TestSetInputDirectory} -PathType "Container")) { Continue } If (${TestSetInputDirectory} -Contains ${IgnoreList}) { Continue } $TestSetDirectory = GetTestSetDirectory ${TestProfileDirectory} ${TestSetInputDirectory} If (Test-Path -Path "${TestSetDirectory}\files" -PathType "Leaf") { $InputFiles = Get-Content -Path "${TestSetDirectory}\files" | Where {$_ -ne ""} } Else { $InputFiles = Get-ChildItem -Path 
${TestSetInputDirectory} -Include ${InputGlob} } ForEach ($InputFile in ${InputFiles}) { # TODO: add test option support $Output = Invoke-Expression ${TestExecutable} $Result = ${LastExitCode} If (${Result} -ne ${ExitSuccess}) { Break } } If (${Result} -ne ${ExitSuccess}) { Break } } If (${Result} -ne ${ExitSuccess}) { Write-Host ${Output} -foreground Red } Write-Host "${TestDescription} " -nonewline If (${Result} -ne ${ExitSuccess}) { Write-Host " (FAIL)" } Else { Write-Host " (PASS)" } Return ${Result} } $TestExecutablesDirectory = GetTestExecutablesDirectory If (-Not (Test-Path ${TestExecutablesDirectory})) { Write-Host "Missing test executables directory." -foreground Red Exit ${ExitFailure} } $Result = ${ExitIgnore} Foreach (${TestName} in ${ToolsTests} -split " ") { # Split will return an array of a single empty string when ToolsTests is empty. If (-Not (${TestName})) { Continue } $Result = RunTest ${TestName} If (${Result} -ne ${ExitSuccess}) { Break } } Foreach (${TestName} in ${ToolsTestsWithInput} -split " ") { # Split will return an array of a single empty string when ToolsTestsWithInput is empty. If (-Not (${TestName})) { Continue } If (Test-Path -Path "input" -PathType "Container") { $Result = RunTestWithInput ${TestName} } Else { $Result = RunTest ${TestName} } If (${Result} -ne ${ExitSuccess}) { Break } } Exit ${Result} ================================================ FILE: tests/test_tools.sh ================================================ #!/usr/bin/env bash # Tests tools functions and types. # # Version: 20240413 EXIT_SUCCESS=0; EXIT_FAILURE=1; EXIT_IGNORE=77; TOOLS_TESTS="info_handle message_handle message_string output path_handle registry_file resource_file signal"; TOOLS_TESTS_WITH_INPUT=""; OPTION_SETS=(); INPUT_GLOB="*"; run_test() { local TEST_NAME=$1; local TEST_DESCRIPTION="Testing: ${TEST_NAME}"; local TEST_EXECUTABLE="./evtx_test_tools_${TEST_NAME}"; if ! 
test -x "${TEST_EXECUTABLE}"; then TEST_EXECUTABLE="${TEST_EXECUTABLE}.exe"; fi # TODO: add support for TEST_PROFILE and OPTION_SETS? run_test_with_arguments "${TEST_DESCRIPTION}" "${TEST_EXECUTABLE}"; local RESULT=$?; return ${RESULT}; } run_test_with_input() { local TEST_NAME=$1; local TEST_DESCRIPTION="Testing: ${TEST_NAME}"; local TEST_EXECUTABLE="./evtx_test_tools_${TEST_NAME}"; if ! test -x "${TEST_EXECUTABLE}"; then TEST_EXECUTABLE="${TEST_EXECUTABLE}.exe"; fi if ! test -d "input"; then echo "Test input directory not found."; return ${EXIT_IGNORE}; fi local RESULT=`ls input/* | tr ' ' '\n' | wc -l`; if test ${RESULT} -eq ${EXIT_SUCCESS}; then echo "No files or directories found in the test input directory"; return ${EXIT_IGNORE}; fi local TEST_PROFILE_DIRECTORY=$(get_test_profile_directory "input" "evtxtools"); local IGNORE_LIST=$(read_ignore_list "${TEST_PROFILE_DIRECTORY}"); RESULT=${EXIT_SUCCESS}; for TEST_SET_INPUT_DIRECTORY in input/*; do if ! test -d "${TEST_SET_INPUT_DIRECTORY}"; then continue; fi if check_for_directory_in_ignore_list "${TEST_SET_INPUT_DIRECTORY}" "${IGNORE_LIST}"; then continue; fi local TEST_SET_DIRECTORY=$(get_test_set_directory "${TEST_PROFILE_DIRECTORY}" "${TEST_SET_INPUT_DIRECTORY}"); if test -f "${TEST_SET_DIRECTORY}/files"; then IFS="" read -a INPUT_FILES <<< $(cat ${TEST_SET_DIRECTORY}/files | sed "s?^?${TEST_SET_INPUT_DIRECTORY}/?"); else IFS="" read -a INPUT_FILES <<< $(ls -1d ${TEST_SET_INPUT_DIRECTORY}/${INPUT_GLOB}); fi for INPUT_FILE in "${INPUT_FILES[@]}"; do OPTION_INPUT_FILE="${INPUT_FILE}"; if test "${OSTYPE}" = "msys"; then # A test executable built with MinGW expects a Windows path. 
INPUT_FILE=`echo ${INPUT_FILE} | sed 's?/?\\\\?g'`; fi local TESTED_WITH_OPTIONS=0; for OPTION_SET in ${OPTION_SETS[@]}; do local TEST_DATA_OPTION_FILE=$(get_test_data_option_file "${TEST_SET_DIRECTORY}" "${OPTION_INPUT_FILE}" "${OPTION_SET}"); if test -f ${TEST_DATA_OPTION_FILE}; then TESTED_WITH_OPTIONS=1; IFS=" " read -a OPTIONS <<< $(read_test_data_option_file "${TEST_SET_DIRECTORY}" "${INPUT_FILE}" "${OPTION_SET}"); run_test_on_input_file "${TEST_SET_DIRECTORY}" "${TEST_DESCRIPTION}" "default" "${OPTION_SET}" "${TEST_EXECUTABLE}" "${INPUT_FILE}" "${OPTIONS[@]}"; RESULT=$?; if test ${RESULT} -ne ${EXIT_SUCCESS}; then break; fi fi done if test ${TESTED_WITH_OPTIONS} -eq 0; then run_test_on_input_file "${TEST_SET_DIRECTORY}" "${TEST_DESCRIPTION}" "default" "" "${TEST_EXECUTABLE}" "${INPUT_FILE}"; RESULT=$?; fi if test ${RESULT} -ne ${EXIT_SUCCESS}; then break; fi done if test ${RESULT} -ne ${EXIT_SUCCESS}; then break; fi done return ${RESULT}; } if test -n "${SKIP_TOOLS_TESTS}"; then exit ${EXIT_IGNORE}; fi TEST_DIRECTORY=`dirname $0`; TEST_RUNNER="${TEST_DIRECTORY}/test_runner.sh"; if ! 
test -f "${TEST_RUNNER}"; then echo "Missing test runner: ${TEST_RUNNER}"; exit ${EXIT_FAILURE}; fi source ${TEST_RUNNER}; RESULT=${EXIT_IGNORE}; for TEST_NAME in ${TOOLS_TESTS}; do run_test "${TEST_NAME}"; RESULT=$?; if test ${RESULT} -ne ${EXIT_SUCCESS}; then break; fi done if test ${RESULT} -ne ${EXIT_SUCCESS} && test ${RESULT} -ne ${EXIT_IGNORE}; then exit ${RESULT}; fi for TEST_NAME in ${TOOLS_TESTS_WITH_INPUT}; do if test -d "input"; then run_test_with_input "${TEST_NAME}"; RESULT=$?; else run_test "${TEST_NAME}"; RESULT=$?; fi if test ${RESULT} -ne ${EXIT_SUCCESS}; then break; fi done exit ${RESULT}; ================================================ FILE: tox.ini ================================================ [tox] envlist = py3{10,11,12,13,14} [testenv] usedevelop = True pip_pre = True passenv = CFLAGS CPPFLAGS INCLUDE LDFLAGS LIB deps = build setuptools >= 65 wheel commands = python -m build --no-isolation --outdir=dist --wheel python -m pip install --no-index --find-links=dist libevtx-python python tests/runtests.py