From 622958066b3d44af021fcea08a4a976dba9cfc37 Mon Sep 17 00:00:00 2001
From: Quentin JEROME
Date: Thu, 5 Nov 2020 21:20:38 +0100
Subject: [PATCH] Fixed issue #23

---
 evtx/evtx.go | 17 +++++++++--------
 evtx/test/evtx_test.go | 29 ++++++++++++++++++-----------
 2 files changed, 27 insertions(+), 19 deletions(-)

diff --git a/evtx/evtx.go b/evtx/evtx.go
index b1e9298..a83299c 100644
--- a/evtx/evtx.go
+++ b/evtx/evtx.go
@@ -239,8 +239,6 @@ func (ef *File) FetchChunk(offset int64) (Chunk, error) {
 
 // Chunks returns a chan of all the Chunks found in the current file
 // return (chan Chunk)
-// TODO: need to be improved: the chunk do not need to be loaded into memory there
-// we just need the header to sort them out. If we do so, do not need undordered chunks
 func (ef *File) Chunks() (cc chan Chunk) {
 	ss := datastructs.NewSortedSlice(0, int(ef.Header.ChunkCount))
 	cc = make(chan Chunk)
@@ -373,10 +371,17 @@ func (ef *File) Events() (cgem chan *GoEvtxMap) {
 	go func() {
 		defer close(cgem)
 		for c := range ef.Chunks() {
-			for e := range c.Events() {
-				cgem <- e
+			cpc, err := ef.FetchChunk(c.Offset)
+			switch {
+			case err != nil && err != io.EOF:
+				panic(err)
+			case err == nil:
+				for ev := range cpc.Events() {
+					cgem <- ev
+				}
 			}
 		}
+
 	}()
 	return
 }
@@ -392,10 +397,6 @@ func (ef *File) FastEvents() (cgem chan *GoEvtxMap) {
 	go func() {
 		defer close(chanQueue)
 		for pc := range ef.Chunks() {
-			// We have to create a copy here because otherwise cpc.EventsChan() fails
-			// I guess that because EventsChan takes a pointer to an object and that
-			// and thus the chan is taken on the pointer and since the object pointed
-			// changes -> kaboom
 			cpc, err := ef.FetchChunk(pc.Offset)
 			switch {
 			case err != nil && err != io.EOF:
diff --git a/evtx/test/evtx_test.go b/evtx/test/evtx_test.go
index 2bbf90e..bf7751a 100644
--- a/evtx/test/evtx_test.go
+++ b/evtx/test/evtx_test.go
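Review bot: The `panic(err)` in the new switch arm of Events() turns any FetchChunk failure into a crash of the whole process, and the caller ranging over the channel cannot recover a panic raised inside this goroutine; for a parser fed with log files of unknown origin, a truncated or corrupted chunk should terminate the stream with an error rather than abort the program. Consider letting the goroutine stop cleanly instead (`return` after recording the error where the caller can read it once the channel is closed, or logging it), and the same applies to the matching arm in FastEvents, whose switch is cut off at the end of the third hunk. Re-reading the chunk via `ef.FetchChunk(c.Offset)` instead of iterating `c.Events()` is the substance of the fix, but the only comment explaining why (removed from FastEvents in the third hunk) is gone, so a short note above the call would help, e.g. `// Re-read the chunk from the file; iterating the Chunk yielded by Chunks() directly was unreliable (issue #23).`. The stray blank `+` line added before `}()` should be dropped. The body of Events() begins before this hunk.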
@@ -10,6 +10,8 @@ import (
 	"testing"
 	"time"
 
+	"github.com/0xrawsec/golang-utils/datastructs"
+
 	"github.com/0xrawsec/golang-evtx/evtx"
 	"github.com/0xrawsec/golang-utils/log"
 )
@@ -145,20 +147,25 @@ loop:
 }
 
 func TestParseAllEvents(t *testing.T) {
-	maxChunks := 1000
-	chunkCount := 0
-	ef, _ := evtx.Open(forwardedEvtxFile)
+	eventCnt := 0
+	recordIds := datastructs.NewSyncedSet()
+	ef, err := evtx.OpenDirty(sysmonFile)
+	if err != nil {
+		t.Logf("Failed at opening EVTX file: %s", err)
+		t.Fail()
+	}
 	log.Info(ef.Header)
-	for c := range ef.Chunks() {
-		//log.Info(c.Header)
-		if chunkCount >= maxChunks && maxChunks >= 0 {
-			break
-		}
-		for e := range c.Events() {
-			t.Log(string(evtx.ToJSON(e)))
+	for e := range ef.Events() {
+		if recordIds.Contains(e.EventRecordID()) {
+			t.Log("Event already processed")
+			t.Fail()
 		}
-		chunkCount++
+		//t.Log(string(evtx.ToJSON(e)))
+		recordIds.Add(e.EventRecordID())
+		eventCnt++
+
 	}
+	t.Logf("%d events parsed", eventCnt)
 }
 
 func TestParseChunk(t *testing.T) {
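Review bot: The added open-error branch in TestParseAllEvents calls `t.Fail()` and then falls through, so when `evtx.OpenDirty` fails the test goes on to call `log.Info(ef.Header)` and `ef.Events()` on whatever OpenDirty returned alongside the error, which will most likely panic instead of reporting the open failure; replace the two lines with `t.Fatalf("Failed at opening EVTX file: %s", err)`. The duplicate-record check also passes vacuously when Events() yields nothing at all, which is precisely the kind of regression a test for issue #23 should catch, so finish with `if eventCnt == 0 { t.Fatal("no events parsed") }`. The `sysmonFile` constant used here is defined outside this hunk.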