From df1ae42d0e596341f027194e25774e56ad298872 Mon Sep 17 00:00:00 2001 From: Joachim Metz Date: Sun, 24 Jul 2022 20:34:56 +0200 Subject: [PATCH] Changes to lookup event definition version #4169 (#4173) --- plaso/output/formatting_helper.py | 3 ++- plaso/output/winevt_rc.py | 30 +++++++++++++++++++++++------- tests/output/winevt_rc.py | 2 +- 3 files changed, 26 insertions(+), 9 deletions(-) diff --git a/plaso/output/formatting_helper.py b/plaso/output/formatting_helper.py index 0be5586f41..a4ca8db482 100644 --- a/plaso/output/formatting_helper.py +++ b/plaso/output/formatting_helper.py @@ -557,9 +557,10 @@ def _FormatWindowsEventLogMessage( provider_identifier = getattr(event_data, 'provider_identifier', None) source_name = getattr(event_data, 'source_name', None) message_identifier = getattr(event_data, 'message_identifier', None) + event_version = getattr(event_data, 'event_version', None) if (provider_identifier or source_name) and message_identifier: message_string_template = self._winevt_resources_helper.GetMessageString( - provider_identifier, source_name, message_identifier) + provider_identifier, source_name, message_identifier, event_version) if message_string_template: string_values = [string or '' for string in event_data.strings] try: diff --git a/plaso/output/winevt_rc.py b/plaso/output/winevt_rc.py index 43ae504ef1..5cc4c462c6 100644 --- a/plaso/output/winevt_rc.py +++ b/plaso/output/winevt_rc.py @@ -366,13 +366,14 @@ def __init__( def _CacheMessageString( self, provider_identifier, log_source, message_identifier, - message_string): + event_version, message_string): """Caches a specific message string. Args: provider_identifier (str): EventLog provider identifier. log_source (str): EventLog source, such as "Application Error". message_identifier (int): message identifier. + event_version (int): event version or None if not set. message_string (str): message string. """ if len(self._message_string_cache) >= self._MAXIMUM_CACHED_MESSAGE_STRINGS: 
@@ -381,22 +382,27 @@ def _CacheMessageString( if provider_identifier: lookup_key = '{0:s}:0x{1:08x}'.format( provider_identifier, message_identifier) + if event_version is not None: + lookup_key = '{0:s}:{1:d}'.format(lookup_key, event_version) self._message_string_cache[lookup_key] = message_string self._message_string_cache.move_to_end(lookup_key, last=False) if log_source: lookup_key = '{0:s}:0x{1:08x}'.format(log_source, message_identifier) + if event_version is not None: + lookup_key = '{0:s}:{1:d}'.format(lookup_key, event_version) self._message_string_cache[lookup_key] = message_string self._message_string_cache.move_to_end(lookup_key, last=False) def _GetCachedMessageString( - self, provider_identifier, log_source, message_identifier): + self, provider_identifier, log_source, message_identifier, event_version): """Retrieves a specific cached message string. Args: provider_identifier (str): EventLog provider identifier. log_source (str): EventLog source, such as "Application Error". message_identifier (int): message identifier. + event_version (int): event version or None if not set. Returns: str: message string or None if not available. @@ -404,12 +410,16 @@ def _GetCachedMessageString( message_string = None if provider_identifier: + if event_version is not None: + lookup_key = '{0:s}:{1:d}'.format(lookup_key, event_version) lookup_key = '{0:s}:0x{1:08x}'.format( provider_identifier, message_identifier) message_string = self._message_string_cache.get(lookup_key, None) if not message_string and log_source: lookup_key = '{0:s}:0x{1:08x}'.format(log_source, message_identifier) + if event_version is not None: + lookup_key = '{0:s}:{1:d}'.format(lookup_key, event_version) message_string = self._message_string_cache.get(lookup_key, None) if message_string: 
@@ -490,7 +500,7 @@ def _ReadWindowsEventLogMessageFiles(self, storage_reader): def _ReadWindowsEventLogMessageString( self, storage_reader, provider_identifier, log_source, - message_identifier): + message_identifier, event_version): """Reads an Windows EventLog message string. Args: @@ -498,6 +508,7 @@ def _ReadWindowsEventLogMessageString( provider_identifier (str): EventLog provider identifier. log_source (str): EventLog source, such as "Application Error". message_identifier (int): message identifier. + event_version (int): event version or None if not set. Returns: str: message string or None if not available. @@ -537,6 +548,9 @@ def _ReadWindowsEventLogMessageString( filter_expression = ( 'provider_identifier == "{0:s}" and identifier == {1:d}').format( provider_identifier, message_identifier) + if event_version is not None: + filter_expression = '{0:s} and version == {1:d}'.format( + filter_expression, event_version) for event_definition in storage_reader.GetAttributeContainers( 'windows_wevt_template_event', filter_expression=filter_expression): logger.debug( 
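Review bot: In the `_ReadWindowsEventLogMessageString` hunk, when `event_version` is None the `filter_expression` no longer narrows on version, so the `windows_wevt_template_event` query can return one definition per version of the same event and which one supplies the message string depends on the loop that consumes it, whose body lies outside the hunk. If that loop keeps the first match, a short comment above the `if event_version is not None:` guard would make the contract explicit, e.g. `# Without an event version the filter matches every version of the definition; the first definition returned is used.`; if a deterministic choice is needed, the version should be part of the selection rather than left to storage order. Note that `{1:d}` forces an integer, so the added clause cannot break the expression, unlike the pre-existing `{0:s}` interpolation of `provider_identifier`, which this change does not touch.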
@@ -603,31 +617,33 @@ def _ReadWindowsEventLogProviders(self, storage_reader): self._windows_eventlog_providers[log_source] = provider def GetMessageString( - self, provider_identifier, log_source, message_identifier): + self, provider_identifier, log_source, message_identifier, event_version): """Retrieves a specific Windows EventLog message string. Args: provider_identifier (str): EventLog provider identifier. log_source (str): EventLog source, such as "Application Error". message_identifier (int): message identifier. + event_version (int): event version or None if not set. Returns: str: message string or None if not available. """ message_string = self._GetCachedMessageString( - provider_identifier, log_source, message_identifier) + provider_identifier, log_source, message_identifier, event_version) if not message_string: if self._storage_reader and self._storage_reader.HasAttributeContainers( 'windows_eventlog_provider'): message_string = self._ReadWindowsEventLogMessageString( self._storage_reader, provider_identifier, log_source, - message_identifier) + message_identifier, event_version) else: message_string = self._GetWinevtRcDatabaseMessageString( log_source, message_identifier) if message_string: self._CacheMessageString( - provider_identifier, log_source, message_identifier, message_string) + provider_identifier, log_source, message_identifier, event_version, + message_string) return message_string diff --git a/tests/output/winevt_rc.py b/tests/output/winevt_rc.py index 08dc35489b..6ea4bb6655 100644 --- a/tests/output/winevt_rc.py +++ b/tests/output/winevt_rc.py @@ -73,7 +73,7 @@ def testGetMessageString(self): message_string = test_helper.GetMessageString( '{15a7a4f8-0072-4eab-abad-f98a4d666aed}', - 'Microsoft-Windows-Dhcp-Client', 0xb00003ed) + 'Microsoft-Windows-Dhcp-Client', 0xb00003ed, None) self.assertEqual(message_string, expected_message_string)
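Review bot: `GetMessageString` gains `event_version` as a required positional parameter, so any caller outside this commit that still passes three arguments (only `formatting_helper.py` and the test are updated here) will fail with a TypeError at format time rather than simply lose version-aware lookups. A default keeps the public interface backward-compatible and matches the "or None if not set" wording already in the docstring: `def GetMessageString(self, provider_identifier, log_source, message_identifier, event_version=None):`. It is also worth stating in the docstring that the `_GetWinevtRcDatabaseMessageString` fallback ignores `event_version` while the result is still cached under the versioned key, so a reader does not assume the winevt-rc path is version-specific.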