Skip to content

Commit

Permalink
Changes to handling message file resource paths log2timeline#4259 (lo…
Browse files Browse the repository at this point in the history
  • Loading branch information
joachimmetz authored Dec 31, 2023
1 parent eff61ca commit b1a65b6
Show file tree
Hide file tree
Showing 2 changed files with 106 additions and 6 deletions.
37 changes: 31 additions & 6 deletions plaso/helpers/windows/eventlog_providers.py
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ def _GetNormalizedPath(self, path):
str: normalized path of a message file.
"""
path_segments = path.split('\\')
filename = path_segments.pop()

if path_segments:
# Check if the first path segment is a drive letter or "%SystemDrive%".
Expand All @@ -23,6 +24,30 @@ def _GetNormalizedPath(self, path):
first_path_segment == '%systemdrive%'):
path_segments[0] = ''

path_segments_lower = [
path_segment.lower() for path_segment in path_segments]

if not path_segments_lower:
# If the path is a filename assume the file is stored in:
# "%SystemRoot%\System32".
path_segments = ['%SystemRoot%', 'System32']

elif path_segments_lower[0] in ('system32', '$(runtime.system32)'):
# Note that the path can be relative so if it starts with "System32"
# asume this represents "%SystemRoot%\System32".
path_segments = ['%SystemRoot%', 'System32'] + path_segments[1:]

elif path_segments_lower[0] in (
'%systemroot%', '%windir%', '$(runtime.windows)'):
path_segments = ['%SystemRoot%'] + path_segments[1:]

# Check if path starts with "\SystemRoot\", "\Windows\" or "\WinNT\" for
# example: "\SystemRoot\system32\drivers\SerCx.sys"
elif not path_segments_lower[0] and path_segments_lower[1] in (
'systemroot', 'windows', 'winnt'):
path_segments = ['%SystemRoot%'] + path_segments[2:]

path_segments.append(filename)
return '\\'.join(path_segments) or '\\'

def Merge(self, first_event_log_provider, second_event_log_provider):
Expand Down Expand Up @@ -50,17 +75,17 @@ def Merge(self, first_event_log_provider, second_event_log_provider):
first_event_log_provider.log_types.append(log_type)

for path in second_event_log_provider.category_message_files:
path = self._GetNormalizedPath(path.lower())
path = self._GetNormalizedPath(path)
if path not in first_event_log_provider.category_message_files:
first_event_log_provider.category_message_files.append(path)

for path in second_event_log_provider.event_message_files:
path = self._GetNormalizedPath(path.lower())
path = self._GetNormalizedPath(path)
if path not in first_event_log_provider.event_message_files:
first_event_log_provider.event_message_files.append(path)

for path in second_event_log_provider.parameter_message_files:
path = self._GetNormalizedPath(path.lower())
path = self._GetNormalizedPath(path)
if path not in first_event_log_provider.parameter_message_files:
first_event_log_provider.parameter_message_files.append(path)

Expand All @@ -71,13 +96,13 @@ def NormalizeMessageFiles(self, event_log_provider):
event_log_provider (EventLogProvider): Event Log provider.
"""
event_log_provider.category_message_files = [
self._GetNormalizedPath(path.lower())
self._GetNormalizedPath(path)
for path in event_log_provider.category_message_files]

event_log_provider.event_message_files = [
self._GetNormalizedPath(path.lower())
self._GetNormalizedPath(path)
for path in event_log_provider.event_message_files]

event_log_provider.parameter_message_files = [
self._GetNormalizedPath(path.lower())
self._GetNormalizedPath(path)
for path in event_log_provider.parameter_message_files]
75 changes: 75 additions & 0 deletions tests/helpers/windows/eventlog_providers.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,75 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""Tests for the Windows EventLog providers helper."""

import unittest

from plaso.helpers.windows import eventlog_providers

from tests import test_lib as shared_test_lib


class WindowsEventLogProvidersHelperTest(shared_test_lib.BaseTestCase):
"""Tests for the Windows EventLog providers helper."""

# pylint: disable=protected-access

def testGetNormalizedPath(self):
"""Tests the _GetNormalizedPath function."""
test_helper = eventlog_providers.WindowsEventLogProvidersHelper()

normalized_path = test_helper._GetNormalizedPath(
'%SystemRoot%\\System32\\IoLogMsg.dll')
self.assertEqual(normalized_path, '%SystemRoot%\\System32\\IoLogMsg.dll')

normalized_path = test_helper._GetNormalizedPath(
'%windir%\\System32\\lsasrv.dll')
self.assertEqual(normalized_path, '%SystemRoot%\\System32\\lsasrv.dll')

normalized_path = test_helper._GetNormalizedPath(
'C:\\Windows\\System32\\mscoree.dll')
self.assertEqual(normalized_path, '%SystemRoot%\\System32\\mscoree.dll')

normalized_path = test_helper._GetNormalizedPath(
'werfault.exe')
self.assertEqual(normalized_path, '%SystemRoot%\\System32\\werfault.exe')

normalized_path = test_helper._GetNormalizedPath(
'system32\\drivers\\WdFilter.sys')
self.assertEqual(normalized_path, (
'%SystemRoot%\\System32\\drivers\\WdFilter.sys'))

normalized_path = test_helper._GetNormalizedPath(
'C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\84.0.522.52\\'
'eventlog_provider.dll')
self.assertEqual(normalized_path, (
'\\Program Files (x86)\\Microsoft\\Edge\\Application\\84.0.522.52\\'
'eventlog_provider.dll'))

normalized_path = test_helper._GetNormalizedPath(
'%ProgramFiles%\\Windows Defender\\MpClient.dll')
self.assertEqual(normalized_path, (
'%ProgramFiles%\\Windows Defender\\MpClient.dll'))

normalized_path = test_helper._GetNormalizedPath(
'%programdata%\\Microsoft\\Windows Defender\\Definition Updates\\'
'Default\\MpEngine.dll')
self.assertEqual(normalized_path, (
'%programdata%\\Microsoft\\Windows Defender\\Definition Updates\\'
'Default\\MpEngine.dll'))

normalized_path = test_helper._GetNormalizedPath(
'$(runtime.system32)\\WinML.dll')
self.assertEqual(normalized_path, '%SystemRoot%\\System32\\WinML.dll')

normalized_path = test_helper._GetNormalizedPath(
'$(runtime.windows)\\immersivecontrolpanel\\systemsettings.exe')
self.assertEqual(normalized_path, (
'%SystemRoot%\\immersivecontrolpanel\\systemsettings.exe'))

# TODO: add tests for Merge
# TODO: add tests for NormalizeMessageFiles


if __name__ == '__main__':
unittest.main()

0 comments on commit b1a65b6

Please sign in to comment.