Standardized GoEvtxMap.Del API

0xrawsec · Feb 2, 2021 · 7cf7cce · 7cf7cce
1 parent 1936e5f
commit 7cf7cce
Show file tree

Hide file tree

Showing 10 changed files with 77 additions and 26 deletions.
diff --git a/.gitignore b/.gitignore
diff --git a/evtx/goevtx.go b/evtx/goevtx.go
@@ -393,16 +393,17 @@ func (pg *GoEvtxMap) Set(path *GoEvtxPath, new GoEvtxElement) error {
 }
 
 // Del deletes the object referenced by path
-func (pg *GoEvtxMap) Del(path ...string) {
-	if len(path) > 0 {
-		if ge, ok := (*pg)[path[0]]; ok {
-			if len(path) == 1 {
-				delete((*pg), path[0])
+func (pg *GoEvtxMap) Del(path *GoEvtxPath) {
+	if len(*path) > 0 {
+		if ge, ok := (*pg)[(*path)[0]]; ok {
+			if len(*path) == 1 {
+				delete((*pg), (*path)[0])
 			}
 			switch ge.(type) {
 			case GoEvtxMap:
 				p := ge.(GoEvtxMap)
-				p.Del(path[1:]...)
+				np := (*path)[1:]
+				p.Del(&np)
 			}
 		}
 	}
@@ -411,5 +412,5 @@ func (pg *GoEvtxMap) Del(path ...string) {
 // DelXmlns : utility function to delete useless xlmns entry found in every
 // GoEvtxMap
 func (pg *GoEvtxMap) DelXmlns() {
-	pg.Del(XmlnsPath...)
+	pg.Del(&XmlnsPath)
 }
diff --git a/evtx/test/evtx_test.go b/evtx/test/evtx_test.go
@@ -303,6 +303,34 @@ func TestBetweenFilter(t *testing.T) {
 	t.Logf("%d events between %v and %v", i, t1, t2)
 }
 
+func TestDelete(t *testing.T) {
+	utctimePath := evtx.Path("/Event/EventData/UtcTime")
+	ef, _ := evtx.Open(sysmonFile)
+	for e := range ef.FastEvents() {
+		e.Del(&utctimePath)
+		if _, err := e.GetString(&utctimePath); err == nil {
+			t.Errorf("Failed to delete field")
+			t.FailNow()
+		}
+	}
+}
+
+func TestAddDelete(t *testing.T) {
+	geneInfoPath := evtx.Path("/Event/GeneInfo")
+	genInfo := map[string]interface{}{
+		"Signature":   []string{"test", "blop"},
+		"Criticality": 10}
+	ef, _ := evtx.Open(sysmonFile)
+	for e := range ef.FastEvents() {
+		e.Set(&geneInfoPath, genInfo)
+		e.Del(&geneInfoPath)
+		if _, err := e.Get(&geneInfoPath); err == nil {
+			t.Errorf("Failed to delete field")
+			t.FailNow()
+		}
+	}
+}
+
 func TestAllFiles(t *testing.T) {
 	files, err := ioutil.ReadDir(testfilesDir)
 	if err != nil {
@@ -334,5 +362,4 @@ func TestUserID(t *testing.T) {
 			}
 		}
 	}
-
 }
diff --git a/go.mod b/go.mod
@@ -3,7 +3,8 @@ module github.com/0xrawsec/golang-evtx
 go 1.12
 
 require (
-	github.com/0xrawsec/golang-utils v1.1.0
+	github.com/0xrawsec/golang-utils v1.1.3
+	github.com/0xrawsec/golang-win32 v1.0.6
 	github.com/golang/snappy v0.0.1 // indirect
 	github.com/segmentio/kafka-go v0.2.2
 )
diff --git a/go.sum b/go.sum
@@ -1,5 +1,9 @@
 github.com/0xrawsec/golang-utils v1.1.0 h1:opQAwRONEfxOOl4nxhpPkXiTYgzAw0/wFATAffNjdII=
 github.com/0xrawsec/golang-utils v1.1.0/go.mod h1:DADTtCFY10qXjWmUVhhJqQIZdSweaHH4soYUDEi8mj0=
+github.com/0xrawsec/golang-utils v1.1.3 h1:ESJhyY4aGuiP4hmDcDNjoL/cc7SWDZVfgg4dEON9eIc=
+github.com/0xrawsec/golang-utils v1.1.3/go.mod h1:DADTtCFY10qXjWmUVhhJqQIZdSweaHH4soYUDEi8mj0=
+github.com/0xrawsec/golang-win32 v1.0.6 h1:wVvfd+trSeUkG6m5TFzeBtWHSHetfhPO3b5MVjTgsWk=
+github.com/0xrawsec/golang-win32 v1.0.6/go.mod h1:MAxVU7dr8lujwknuhf4TwjYm8tVEELi2zwx1zDTu/RM=
 github.com/golang/snappy v0.0.1 h1:Qgr9rKW7uDUkrbSmQeiDsGa8SjGyCOGtuasMWwvp2P4=
 github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
@@ -8,7 +12,16 @@ github.com/pkg/sftp v1.10.0/go.mod h1:NxmoDg/QLVWluQDUYG7XBZTLUpKeFa8e3aMf1BfjyH
 github.com/segmentio/kafka-go v0.2.2 h1:KIUln5unPisRL2yyAkZsDR/coiymN9Djunv6JKGQ6JI=
 github.com/segmentio/kafka-go v0.2.2/go.mod h1:X6itGqS9L4jDletMsxZ7Dz+JFWxM6JHfPOCvTvk+EJo=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20190621222207-cc06ce4a13d4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190626150813-e07cf5db2756/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190320215829-36c10c0a621f/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190625160430-252024b82959/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
diff --git a/tools/evtxdump/makefile b/tools/evtxdump/makefile
@@ -40,7 +40,7 @@ windows:
 	cd $(RELEASE)/windows; tar -cvzf ../$(MAIN_BASEN_SRC)-windows-$(VERSION).tar.gz *
 
 darwin:
-	GOARCH=386 GOOS=darwin go build $(OPTS) -o $(RELEASE)/darwin/$(MAIN_BASEN_SRC)-386 ./
+	#GOARCH=386 GOOS=darwin go build $(OPTS) -o $(RELEASE)/darwin/$(MAIN_BASEN_SRC)-386 ./
 	GOARCH=amd64 GOOS=darwin go build $(OPTS) -o $(RELEASE)/darwin/$(MAIN_BASEN_SRC)-amd64 ./
 	cd $(RELEASE)/darwin; shasum -a1 * > sha1.txt
 	cd $(RELEASE)/darwin; tar -cvzf ../$(MAIN_BASEN_SRC)-darwin-$(VERSION).tar.gz *

diff --git a/tools/evtxdump/version.go b/tools/evtxdump/version.go
diff --git a/tools/evtxmon/evtxmon.go b/tools/evtxmon/evtxmon.go
@@ -22,6 +22,7 @@ package main
 
 import (
 	"compress/gzip"
+	"encoding/json"
 	"flag"
 	"fmt"
 	"os"
@@ -35,6 +36,7 @@ import (
 	"github.com/0xrawsec/golang-utils/args"
 	"github.com/0xrawsec/golang-utils/datastructs"
 	"github.com/0xrawsec/golang-utils/log"
+	"github.com/0xrawsec/golang-win32/win32/wevtapi"
 )
 
 const (
@@ -159,6 +161,19 @@ func (s *Stats) Summary() {
 	}
 }
 
+func XMLEventToGoEvtxMap(xe *wevtapi.XMLEvent) (*evtx.GoEvtxMap, error) {
+	ge := make(evtx.GoEvtxMap)
+	bytes, err := json.Marshal(xe.ToJSONEvent())
+	if err != nil {
+		return &ge, err
+	}
+	err = json.Unmarshal(bytes, &ge)
+	if err != nil {
+		return &ge, err
+	}
+	return &ge, nil
+}
+
 func main() {
 	var err error
 	var ofile *os.File
@@ -256,6 +271,15 @@ func main() {
 		if monitorExisting {
 			ef.SetMonitorExisting(true)
 		}
+		/*xmlEvents := h.eventProvider.FetchEvents(channels, wevtapi.EvtSubscribeToFutureEvents)
+		for xe := range xmlEvents {
+			event, err := XMLEventToGoEvtxMap(xe)
+			if err != nil {
+				log.Errorf("Failed to convert event: %s", err)
+				log.Debugf("Error data: %v", xe)
+			}
+		}*/
+
 		for e := range ef.MonitorEvents(stop) {
 			if output != "" {
 				writer.Write(evtx.ToJSON(e))

diff --git a/tools/evtxmon/makefile b/tools/evtxmon/makefile
@@ -19,7 +19,7 @@ init: buildversion
 	mkdir -p $(RELEASE)/windows
 	mkdir -p $(RELEASE)/darwin
 
-compile:linux windows darwin
+compile: windows
 
 install:
 	go install ./

diff --git a/tools/evtxmon/version.go b/tools/evtxmon/version.go