Changes to handling message file resource paths log2timeline#4259
joachimmetz committed Dec 31, 2023
1 parent caaea3d commit 122f47c
Showing 2 changed files with 50 additions and 44 deletions.
88 changes: 46 additions & 42 deletions plaso/output/winevt_rc.py
Expand Up @@ -87,10 +87,15 @@ def GetValues(self, table_names, column_names, condition):
raise RuntimeError('Cannot retrieve values database not opened.')

if condition:
condition = ' WHERE {0:s}'.format(condition)
condition = f' WHERE {condition:s}'
else:
condition = ''

sql_query = 'SELECT {1:s} FROM {0:s}{2:s}'.format(
', '.join(table_names), ', '.join(column_names), condition)
table_names_string = ', '.join(table_names)
column_names_string = ', '.join(column_names)
sql_query = (
f'SELECT {column_names_string:s} FROM {table_names_string:s}'
f'{condition:s}')

self._cursor.execute(sql_query)

Expand Down Expand Up @@ -161,7 +166,7 @@ def _GetEventLogProviderKey(self, log_source):
"""
table_names = ['event_log_providers']
column_names = ['event_log_provider_key']
condition = 'log_source == "{0:s}"'.format(log_source)
condition = f'log_source == "{log_source:s}"'

values_list = list(self._database_file.GetValues(
table_names, column_names, condition))
Expand Down Expand Up @@ -190,14 +195,14 @@ def _GetMessage(self, message_file_key, lcid, message_identifier):
Raises:
RuntimeError: if more than one value is found in the database.
"""
table_name = 'message_table_{0:d}_0x{1:08x}'.format(message_file_key, lcid)
table_name = f'message_table_{message_file_key:d}_0x{lcid:08x}'

has_table = self._database_file.HasTable(table_name)
if not has_table:
return None

column_names = ['message_string']
condition = 'message_identifier == "0x{0:08x}"'.format(message_identifier)
condition = f'message_identifier == "0x{message_identifier:08x}"'

values = list(self._database_file.GetValues(
[table_name], column_names, condition))
Expand All @@ -222,8 +227,7 @@ def _GetMessageFileKeys(self, event_log_provider_key):
"""
table_names = ['message_file_per_event_log_provider']
column_names = ['message_file_key']
condition = 'event_log_provider_key == {0:d}'.format(
event_log_provider_key)
condition = f'event_log_provider_key == {event_log_provider_key:d}'

generator = self._database_file.GetValues(
table_names, column_names, condition)
Expand Down Expand Up @@ -286,7 +290,7 @@ def GetMetadataAttribute(self, attribute_name):
return None

column_names = ['value']
condition = 'name == "{0:s}"'.format(attribute_name)
condition = f'name == "{attribute_name:s}"'

values = list(self._database_file.GetValues(
[table_name], column_names, condition))
Expand Down Expand Up @@ -318,15 +322,14 @@ def Open(self, filename):

version = self.GetMetadataAttribute('version')
if not version or version != '20150315':
raise RuntimeError('Unsupported version: {0:s}'.format(version))
raise RuntimeError(f'Unsupported version: {version:s}')

string_format = self.GetMetadataAttribute('string_format')
if not string_format:
string_format = 'wrc'

if string_format not in ('pep3101', 'wrc'):
raise RuntimeError('Unsupported string format: {0:s}'.format(
string_format))
raise RuntimeError(f'Unsupported string format: {string_format:s}')

self._string_format = string_format
return True
Expand Down Expand Up @@ -381,17 +384,16 @@ def _CacheMessageString(
self._message_string_cache.popitem(last=True)

if provider_identifier:
lookup_key = '{0:s}:0x{1:08x}'.format(
provider_identifier, message_identifier)
lookup_key = f'{provider_identifier:s}:0x{message_identifier:08x}'
if event_version is not None:
lookup_key = '{0:s}:{1:d}'.format(lookup_key, event_version)
lookup_key = f'{lookup_key:s}:{event_version:d}'
self._message_string_cache[lookup_key] = message_string
self._message_string_cache.move_to_end(lookup_key, last=False)

if log_source:
lookup_key = '{0:s}:0x{1:08x}'.format(log_source, message_identifier)
lookup_key = f'{log_source:s}:0x{message_identifier:08x}'
if event_version is not None:
lookup_key = '{0:s}:{1:d}'.format(lookup_key, event_version)
lookup_key = f'{lookup_key:s}:{event_version:d}'
self._message_string_cache[lookup_key] = message_string
self._message_string_cache.move_to_end(lookup_key, last=False)

Expand All @@ -412,16 +414,15 @@ def _GetCachedMessageString(
message_string = None

if provider_identifier:
lookup_key = '{0:s}:0x{1:08x}'.format(
provider_identifier, message_identifier)
lookup_key = f'{provider_identifier:s}:0x{message_identifier:08x}'
if event_version is not None:
lookup_key = '{0:s}:{1:d}'.format(lookup_key, event_version)
lookup_key = f'{lookup_key:s}:{event_version:d}'
message_string = self._message_string_cache.get(lookup_key, None)

if not message_string and log_source:
lookup_key = '{0:s}:0x{1:08x}'.format(log_source, message_identifier)
lookup_key = f'{log_source:s}:0x{message_identifier:08x}'
if event_version is not None:
lookup_key = '{0:s}:{1:d}'.format(lookup_key, event_version)
lookup_key = f'{lookup_key:s}:{event_version:d}'
message_string = self._message_string_cache.get(lookup_key, None)

if message_string:
Expand All @@ -438,9 +439,9 @@ def _GetWinevtRcDatabaseReader(self):
"""
if not self._winevt_database_reader and self._data_location:
logger.warning((
'Falling back to {0:s}. Please make sure the Windows EventLog '
'message strings in the database correspond to those in the '
'EventLog files.').format(self._WINEVT_RC_DATABASE))
f'Falling back to {self._WINEVT_RC_DATABASE:s}. Please make sure '
f'the Windows EventLog message strings in the database correspond '
f'to those in the EventLog files.'))

database_path = os.path.join(
self._data_location, self._WINEVT_RC_DATABASE)
Expand Down Expand Up @@ -547,24 +548,26 @@ def _ReadWindowsEventLogMessageString(
'windows_eventlog_message_string'):
return None

original_message_identifier = message_identifier

# Map the event identifier to a message identifier as defined by the
# WEVT_TEMPLATE event definition.
if provider_identifier and storage_reader.HasAttributeContainers(
'windows_wevt_template_event'):
# TODO: add message_file_identifiers to filter_expression
filter_expression = (
'provider_identifier == "{0:s}" and identifier == {1:d}').format(
provider_identifier, message_identifier)
f'provider_identifier == "{provider_identifier:s}" and '
f'identifier == {message_identifier:d}')
if event_version is not None:
filter_expression = '{0:s} and version == {1:d}'.format(
filter_expression, event_version)
filter_expression = (
f'{filter_expression:s} and version == {event_version:d}')

for event_definition in storage_reader.GetAttributeContainers(
'windows_wevt_template_event', filter_expression=filter_expression):
logger.debug(
'Message: 0x{0:08x} of provider: {1:s} maps to: 0x{2:08x}'.format(
message_identifier, provider_identifier,
event_definition.message_identifier))
logger.debug((
f'Message: 0x{message_identifier:08x} of provider: '
f'{provider_identifier:s} maps to: '
f'0x{event_definition.message_identifier:08x}'))
message_identifier = event_definition.message_identifier
break

Expand All @@ -580,7 +583,7 @@ def _ReadWindowsEventLogMessageString(
message_file_identifier = message_file_identifier.CopyToString()
message_file_identifiers.append(message_file_identifier)

mui_filename = '{0:s}.mui'.format(filename)
mui_filename = f'{filename:s}.mui'
lookup_path = '\\'.join([path, self._language_tag, mui_filename]).lower()
message_file_identifier = self._windows_eventlog_message_files.get(
lookup_path, None)
Expand All @@ -589,17 +592,17 @@ def _ReadWindowsEventLogMessageString(
message_file_identifiers.append(message_file_identifier)

if not message_file_identifiers:
logger.warning(
'No message file for message: 0x{0:08x} of provider: {1:s}'.format(
message_identifier, lookup_key))
logger.warning((
f'No message file for message: 0x{message_identifier:08x} '
f'(0x{original_message_identifier:08x}) '
f'of provider: {lookup_key:s}'))
return None

message_strings = []
# TODO: add message_file_identifiers to filter_expression
filter_expression = (
'language_identifier == {0:d} and '
'message_identifier == {1:d}').format(
self._lcid, message_identifier)
f'language_identifier == {self._lcid:d} and '
f'message_identifier == {message_identifier:d}')

for message_string in storage_reader.GetAttributeContainers(
'windows_eventlog_message_string',
Expand All @@ -611,8 +614,9 @@ def _ReadWindowsEventLogMessageString(

if not message_strings:
logger.warning((
'No message string for message: 0x{0:08x} of provider: '
'{1:s}').format(message_identifier, lookup_key))
f'No message string for message: 0x{message_identifier:08x} '
f'(0x{original_message_identifier:08x}) '
f'of provider: {lookup_key:s}'))
return None

return message_strings[0].string
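Review bot: In _GetEventLogProviderKey the rewritten `condition = f'log_source == "{log_source:s}"'` still splices the lookup value into the SQL text that GetValues hands to self._cursor.execute; log_source presumably originates from the parsed event record, so a value containing a double quote would make the query fail (or match the wrong provider) instead of simply yielding no key. Since GetValues already owns the execute call, a cleaner approach is to give it an optional parameters tuple and bind the value, as sketched below; GetValues's body starts above the hunk. Separately, in Open the `if not version or ...` branch admits version being None, and `f'Unsupported version: {version:s}'` then raises TypeError from the `:s` format spec rather than the intended RuntimeError — `f'Unsupported version: {version!s}'` keeps the message and the exception type.
```python
  def GetValues(self, table_names, column_names, condition, parameters=()):
    # … unchanged: open check and WHERE clause assembly …
    # Bind lookup values instead of quoting them into the WHERE clause.
    self._cursor.execute(sql_query, parameters)
    # … unchanged: remaining GetValues body …

  # in _GetEventLogProviderKey:
    condition = 'log_source == ?'

    values_list = list(self._database_file.GetValues(
        table_names, column_names, condition, (log_source,)))
```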
6 changes: 4 additions & 2 deletions plaso/parsers/mediator.py
Expand Up @@ -363,9 +363,11 @@ def GetWindowsEventLogMessageFile(self):
if not path_spec:
return None

if (self._windows_event_log_providers_per_path is None and
self._storage_writer):
if (self._windows_event_log_providers_per_filename is None and
self._windows_event_log_providers_per_path is None):
environment_variables = self._GetEnvironmentVariablesByPathSpec(path_spec)
if not environment_variables:
return None

self._windows_event_log_providers_per_filename = {}
self._windows_event_log_providers_per_path = {}
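Review bot: The new condition in GetWindowsEventLogMessageFile drops the `self._storage_writer` check that the old line had, so a mediator constructed without a storage writer now enters the initialization branch; if the code below the hunk still reads self._storage_writer, that path would now raise where it previously returned None. If the writer is genuinely no longer needed there, a short comment above the if, such as `# Built lazily on first use; does not require a storage writer.`, would record the intent; the function starts and ends outside the hunk. Also, the early `return None` when no environment variables are found leaves both dictionaries None, so every later call repeats _GetEnvironmentVariablesByPathSpec — worth confirming that is intended.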
