commit 922b7beab1292ac6edd320e6f2243400e3075dfe
Author: Luis Martinez
Date: Fri Sep 17 16:45:52 2021 -0500
initial commit
diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 000000000000..95401d133744
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,15 @@
+pkgbase = evtx
+ pkgdesc = Cross-platform parser for Windows XML EventLog Format
+ pkgver = 0.7.2
+ pkgrel = 1
+ url = https://github.com/omerbenamram/evtx
+ changelog = CHANGELOG.md
+ arch = x86_64
+ license = MIT
+ license = Apache
+ makedepends = cargo
+ depends = glibc
+ source = evtx-0.7.2.tar.gz::https://github.com/omerbenamram/evtx/archive/v0.7.2.tar.gz
+ sha256sums = 31967e3b175a7e0ad4a5d786418066bde66d5ddd4d48626312f59f5081c61ca6
+
+pkgname = evtx
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 000000000000..de0d98029056
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,349 @@ +# Changelog +All notable changes to this project will be documented in this file. + +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), +and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). + +## [0.7.1 - 2021-03-26] +### Changed +- `fast-alloc` is no longer on by default, to support static MUSL builds for `evtx-dump` + to enable it, build with `--features fast-alloc`. +- static binaries are now published for linux! take `evtx-dump` with you everywhere :) +- CI was migrated to github actions from azure pipelines. + +## [0.6.9 - 2021-01-30] + +### Fixed +- Fixed some imports which mistakingly imported serde internals. + +## [0.6.8 - 2020-10-01] + +### Fixed +- Allow for arbitrarily large EVTX files to parse correctly. (#128) + + +## [0.6.7 - 2020-08-28] + +### Added +- calculated_chunk_count field to EvtxParser +- impl Debug for EvtxParser + +### Changed +- Use calculated chunk count rather than header chunk count to continue parsing past +4294901760 bytes of chunk data. +- Moved function/error chunk indexes to u64 instead of u16 to allow for chunk indexes larger than u16 MAX + +## [0.6.6 - 2020-01-22] + +### Fixed +Another tiny fix where the parser might loop for very specific samples - @codekoala thanks for the patch! + + +## [0.6.5 - 2020-01-14] + +10% Speedup by using LTO on release. + +### Changed +- Enabled link-time-optimizations. + +## [0.6.4 - 2020-01-14] + +This release should make `evtx_dump` 3 times faster on windows machines! +Also - about 25% faster on linux machines. + +*NOTE*: this does not affect library code using `evtx`, only the binary target `evtx_dump`. + +If you are using `evtx` as a library, you might benefit significantly from adapting a custom allocator! + +### Changed +- Added `jemalloc`/`rpmalloc`(windows) to take advantage of smarter allocation management. +- Use buffered writing on `evtx_dump`. +- Better utilization of cached strings. 
+ +## [0.6.3 - 2020-01-11] + +This version should be 10-15% faster! + +### Fixed +- When using separate json attributes, if the element's value is empty, remove the empty mapping. #71 + + +## [0.6.2 - 2019-12-17] + +### Fixed +- An edge case where huge files could cause the parser to get stuck. + + +## [0.6.1 - 2019-12-05] + +### Fixed +- A regression with `--seperate-json-attributes` +caused by improvements in 0.6.0 to JSON parsing for non-standard xml documents. + +## [0.6.0 - 2019-11-26] + +### Added +- Support for `EntityRef` nodes. + +### Changed +- Error reporting should be better with this version. + +### Fixed +- A bug where parser was accepting NUL bytes as strings. +- Fixed a bug where UTF-16 strings would yield more bytes after UTF-8 conversion and would be rejected. +- Support an edge case when some data might be missing from `OpenStartElement` node. +- A bug where XML records having multiple nodes with the same name will be incorrectly converted to JSON, ex. +``` + +
HTTP/1.1 200 OK
+
Connection: keep-alive
+
Date: Thu, 18 May 2017 11:37:58 GMT
+
Content-Length: 813
+
Content-Type: application/pkix-crl
+
Last-Modified: Tue, 02 May 2017 22:24:24 GMT
+
ETag: 0x8D491A9FD112A27
+
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
+
x-ms-request-id: 477c132d-0001-0045-443b-c49ae1000000
+
x-ms-version: 2009-09-19
+
x-ms-lease-status: unlocked
+
x-ms-blob-type: BlockBlob
+
+``` + +Will now be converted to: +```json + { + "HTTPResponseHeadersInfo": { + "Header": "x-ms-blob-type: BlockBlob", + "Header_1": "HTTP/1.1 200 OK", + "Header_10": "x-ms-version: 2009-09-19", + "Header_11": "x-ms-lease-status: unlocked", + "Header_2": "Connection: keep-alive", + "Header_3": "Date: Thu, 18 May 2017 11:37:58 GMT", + "Header_4": "Content-Length: 813", + "Header_5": "Content-Type: application/pkix-crl", + "Header_6": "Last-Modified: Tue, 02 May 2017 22:24:24 GMT", + "Header_7": "ETag: 0x8D491A9FD112A27", + "Header_8": "Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0", + "Header_9": "x-ms-request-id: 477c132d-0001-0045-443b-c49ae1000000" + } +} +``` + +## [0.5.1 - 2019-10-30] + +### Fixed +- A bug which causes a panic (bounds check) on some corrupted records. + + +## [0.5.0 - 2019-10-07] + +### Added +- `EvtxParser::records_json_value()` to allow working with records with a `serde_json::Value`. See `test_into_json_value_records` for an example. +- `EvtxRecord::into_output`, allowing serializing a record using a user-defined `BinXmlOutput` type. + +### Changed + +- `SerializedEvtxRecord` is now generic over it's `data`, allowing a simplified `BinXmlOutput` trait. + +## [0.4.2 - 2019-09-05] + +### Added +- `--separate_json_attributes` to allow producing a flat JSON structure. + +### Changed +- updated deps. + +## [0.4.0 - 2019-06-01] + +File output is now supported by `evtx_dump` + +### Added +- `--output` to allow writing to files, `--no-confirm-overwrite` to allow binary to overwrite existing files. +### Changed +- Logs are now printed to stderr instead of stdout +- Failure exit code is now `1` instead of `-1` +- Some of the structs used in parsing evtx have been moved to [`winstructs`](https://github.com/omerbenamram/winstructs) + +## [0.3.3] - 2019-05-23 + +### Fixed +- A sneaky dbg! print found it's way into the release, added `#![deny(clippy:dbg_macro)]` to ensure this won't happen again. 
+ +## [0.3.2] - 2019-05-20 + +### Changed +- `EvtxParser::from_read_seek` is now public. +- updated deps. + +## [0.3.1] - 2019-05-19 + +Implemented Ansi codecs! + +### Added +- `--ansi-codec` to control the codec that will be used to decode ansi encoded strings inside the document. + +### Fixed +- Parser will now print nicer messages when passed non-evtx files. + +## [0.3.0] - 2019-05-14 + +This is a minor release due to the removal of `failure`. + +### Added +- `--backtraces` to control backtraces in errors +- `-v, -vv, -vv` to control trace output in `evtx_dump`. + +### Changed +- All errors in the crate are all of a uniform `evtx::err::Error` type. + Errors are implemented with `snafu`, and are std compatible. + In addition, errors now all contain backtraces. + +### Fixed +- Parser will now correctly parse files which refer to binxml fragments as sized values. (#33) + +## [0.2.6] - 2019-05-09 + +### Fixed +- Parser is less strict with samples that contain multiple EOF markers (inside nested XML fragments) + +## [0.2.5] - 2019-05-03 + +This version is the first .2 version to have python support! + +### Added +- `IntoIterChunks` for owned iteration over the chunks. + +## [0.2.4] - 2019-05-01 + +### Added +- `--no-indent` flag for xml and json +- `--dont-show-record-number` to avoid printing records number. +- `-o jsonl` for JSON lines output (same as `-o json --no-indent --dont-show-record-number`). + +### Fixed +- Parser is less strict in dirty samples which contain + some amount of corrupted binxml data, and will try to recover the record. + +- Don't unwrap on empty binxmlname elements. + +## [0.2.2] - 2019-04-29 + +### Added +- Performance improvements. Parser should be ~15% faster (thanks @ohadravid) +- `--validate-checksums` flag to optionally be strict about checksum checks for chunk headers. + +### Fixed +- Fixed missing data when parsing `StringArray` nodes. 
(thanks @ohadravid) +- Samples containing empty chunks (thanks @ohadravid) + +## [0.2.1] - 2019-04-21 + +### Changed +- More API is now public, for use by library authors who want access to lower level primitives and types. + +## [0.2.0] - 2019-04-20 + +This release contains some minor breaking changes to the API. + +### Added +- Added JSON output support! + JSON support is powered by serde and is zero-copy! + This means there isn't much performance difference between the XML output and the JSON output. + +- The deserializer is now lazy (thanks @ohadravid !). + This will allow to perform some filtering on records based on their metadata before serializing them to save time. + +### Changed +- Changed parallel iteration to rely only on `ParserSettings`, so `.parallel_records` has been removed. +- `EvtxParser` now needs to be mutable when deserializing records. +- When outputting target as XML, inner xml strings will be escaped, when using JSON, they will not be escaped. + +### Fixed +- Parser will now coerce values of booleans which are not zero or one to true. + +## [0.1.9] - 2019-04-19 + +### Added +- Now supporting `SystemTime`, floating types, and all numerical array types. + +### Fixed +- strip nuls from ascii strings as well. + +### Changed +- Now using `quick-xml`, which microbenchmarks show that is about 15-20% faster than `xml-rs`. + +## [0.1.8] - 2019-04-18 + +### Fixed +- Removed trailing nul terminators from all strings. + +### Changed +- Changed hex formatting padding. +- Changed binary output formatting to hexdump. + +## [0.1.7] - 2019-04-18 + +### Fixed +- Range error when reading last chunk (#2) + +### Changed +- Parser will now try to read more records even when surpassing the declared chunk number. + + +## [0.1.6] - 2019-04-13 + +### Fixed +- Fixed missing xml close tag (#1) + +### Changed +- Removed `.unwrap()` from xml parsing code. 
+ +## [0.1.5] - 2019-04-02 + +### Added +- renamed associated binary to `evtx_dump` + +### Fixed +- changed `assert_eq` to `debug_assert_eq`, to ensure the library won't crash in FFI. + +## [0.1.4] - 2019-04-01 + +### Fixed +- A regression introduced from [#6](https://github.com/omerbenamram/evtx/pull/6) for files with a single chunk. + +## [0.1.3] - 2019-04-01 + +### Changed +- Removed some uses on `.unwrap()` inside the records iterator, to communicate errors better. + +### Fixed +- A bug with files that have only a single chunk failing at the end. + +## [0.1.2] - 2019-03-31 + +### Added +- Multithreading support via rayon +### Changed +- Removed unsafe memory mapping code, use generics instead. +### Fixed + + +## [0.1.1] - 2019-03-30 + +### Added + +### Changed +- Fixed a bug with chunk iteration + +### Fixed +- Fixed a bug with chunk iteration + +## [0.1.0] - 2019-03-30 +Initial Release + + + + + + diff --git a/PKGBUILD b/PKGBUILD new file mode 100644 index 000000000000..bc6e20ae3c8f --- /dev/null +++ b/PKGBUILD 
@@ -0,0 +1,42 @@
+# Maintainer: Luis Martinez
+
+pkgname=evtx
+pkgver=0.7.2
+pkgrel=1
+pkgdesc="Cross-platform parser for Windows XML EventLog Format"
+arch=('x86_64')
+url="https://github.com/omerbenamram/evtx"
+license=('MIT' 'Apache')
+depends=('glibc')
+makedepends=('cargo')
+changelog=CHANGELOG.md
+source=("$pkgname-$pkgver.tar.gz::$url/archive/v$pkgver.tar.gz")
+sha256sums=('31967e3b175a7e0ad4a5d786418066bde66d5ddd4d48626312f59f5081c61ca6')
+
+prepare() {
+ cd "$pkgname-$pkgver"
+ cargo fetch --locked --target "$CARCH-unknown-linux-gnu"
+}
+
+build() {
+ export RUSTUP_TOOLCHAIN=stable
+ export CARGO_TARGET_DIR=target
+
+ cd "$pkgname-$pkgver"
+ ## must be --locked because not all dependencies are downloaded at this point
+ cargo build --locked --release --all-features
+}
+
+check() {
+ export RUSTUP_TOOLCHAIN=stable
+
+ cd "$pkgname-$pkgver"
+ cargo test --frozen --all-features
+}
+
+package() {
+ cd "$pkgname-$pkgver"
+ install -Dm 644 target/release/evtx_dump -t "$pkgdir/usr/bin/"
+ install -Dm 644 LICENSE-{APACHE,MIT} -t "$pkgdir/usr/share/licenses/$pkgname/"
+ install -Dm 644 README.md -t "$pkgdir/usr/share/doc/$pkgname/"
+}
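Review bot: The binary is installed without execute permission in package(): `install -Dm 644 target/release/evtx_dump -t "$pkgdir/usr/bin/"` puts a mode-0644 file under /usr/bin, so the installed evtx_dump cannot be run; the line should be `install -Dm 755 target/release/evtx_dump -t "$pkgdir/usr/bin/"`. Mode 644 is right for the license and README lines that follow, and the rest of the recipe (pinned sha256sums, `cargo fetch --locked` in prepare(), `--frozen` in check()) keeps the build reproducible offline as intended. The `## must be --locked` comment in build() would read more precisely as `# --locked: the lockfile must match what prepare() fetched; no network during build`.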