From a25a8a3615c386568498b68c517fa09e317b5a95 Mon Sep 17 00:00:00 2001
From: dora <dora.cpphp@gmail.com>
Date: Sun, 26 Mar 2023 17:34:45 +0900
Subject: [PATCH] patterns/evtx: Added evtx pattern (#100)

* add evtx pattern

* fix Readme

* fix coding style

* space adjustment

* space adjustment
---
 .gitignore                                |   1 +
 README.md                                 |   1 +
 patterns/evtx.hexpat                      |  57 ++++++++++++++++++++++
 tests/patterns/test_data/evtx.hexpat.evtx | Bin 0 -> 69632 bytes
 4 files changed, 59 insertions(+)
 create mode 100644 patterns/evtx.hexpat
 create mode 100644 tests/patterns/test_data/evtx.hexpat.evtx

diff --git a/.gitignore b/.gitignore
index 6eaa32f..f395d4d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@
 tests/cmake-build-debug/
 
 .idea/
+.DS_Store
\ No newline at end of file
diff --git a/README.md b/README.md
index e99733c..7bc4347 100644
--- a/README.md
+++ b/README.md
@@ -75,6 +75,7 @@ Hex patterns, include patterns and magic files for the use with the ImHex Hex Ed
 | DEX | | [`patterns/dex.hexpat`](patterns/dex.hexpat) | Dalvik EXecutable Format |
 | DS_Store | `application/octet-stream` | [`patterns/dsstore.hexpat`](patterns/dsstore.hexpat) | .DS_Store file format |
 | UEFI | | [`patterns/uefi.hexpat`](patterns/uefi.hexpat)` | UEFI structs for parsing efivars |
+| EVTX | | [`patterns/evtx.hexpat`](patterns/evtx.hexpat) | MS Windows Vista Event Log |
 
 ### Scripts
 
diff --git a/patterns/evtx.hexpat b/patterns/evtx.hexpat
new file mode 100644
index 0000000..6680a3f
--- /dev/null
+++ b/patterns/evtx.hexpat
@@ -0,0 +1,57 @@
+#pragma endian little
+
+struct Header {
+    char signature[0x8];
+    u64  first_chunk_number;
+    u64  last_chunk_number;
+    u64  next_record_identifier;
+    u32  header_size;
+    u16  minor_format_version;
+    u16  major_format_version;
+    u16  header_block_size;
+    u16  number_of_chunks;
+    u8   unknown[0x4C];
+    u32  file_Flag;
+    u32  checkSum;
+    u8   unknown2[3968];
+};
+
+struct BinaryXML{
+    u8 fragment_header_token;
+    u8 major_version;
+    u8 minor_version;
+    u8 flags;
+};
+
+struct Event_Record{
+    u32 signature;
+    u32 size;
+    u64 event_record_identifier;
+    u64 written_data_amd_time;
+    BinaryXML binaryxml;
+};
+
+struct Chunk{
+    char signature[0x8];
+    u64 first_event_record_number;
+    u64 last_event_record_number;
+    u64 first_event_record_identifier;
+    u64 last_event_record_identifier;
+    u32 header_size;
+    u32 last_event_record_data_offset;
+    u32 free_space_offset;
+    u32 event_records_checksum;
+    u8 unknown[64];
+    u32 unknown2;
+    u32 checksum;
+    u8 common_string_offset_array[256];
+    u8 templatePtr[128];
+    Event_Rsecord event_record;
+};
+
+struct Evtx {
+    Header header;
+    Chunk chunk;
+};
+
+Evtx evtx @ 0x00;
diff --git a/tests/patterns/test_data/evtx.hexpat.evtx b/tests/patterns/test_data/evtx.hexpat.evtx
new file mode 100644
index 0000000000000000000000000000000000000000..5e4995b9c9ddbc7ff1636a4aa7a6b9e688796e80
GIT binary patch
literal 69632
zcmeHQX>4586+Uk~GZ`=AC5b}_n^}@HKsE>z8X#jFn^>{45C=#b1R-`36MGzap$SkC
zN~10+sHo6CUFbr7RBCBeTD7E9LeN%4LR6|MfvH-lw3Mp<pej(&*8RSF-}TJAH_P)F
zLSoJxy?NVR&pr3t^WAgreVs%5x(0^^B<N!PgQGadq(-FK3woLLefz)Py>8Z#Xaq_D
zrGQdEDWDWk3Md7X0!jg;fKosypcGIFRHQ)X(7uiX*@NQHeW~+N#)LtEP0b?z`0wLy
zRgAcT2d0y~^zDc9y`7U3`RhE9e<no!9?yRx(vT9l7Q+xTbuU&3b3f9gI|pgfz3uyd
z+<(qzU&XV1f&6U1{X703$&x@C!+u;0`(6LK7k;}C=ZQc(%iKT<J<r1Z0(7g!U3@X>
zv{9z(|Dlmro?Uj^q}Swm(%{ve^<cltA+LY5>D65?5C3@i#ZNtW|L0H=`f6{HdvVDE
z(w%5XNT=K-1Co_-+<z8F@=pKd(@hCEEW<K{mt%O5@UD;p@HQ@o<YTfLzcJa1Cj;=a
z2iL1`9>kMT8NuC%?1Rr$xF5mu)$&Qa%i?^Qtif*`uGYv^_#c=~eyrdw=1on#fVy(^
zHqw`r9dZOQkDC<1;O$dWyO1weqi@`kl5HmSyO35te2wDml{mT_Gj4t~E?bb<VZ0P+
zY!okfi_Z@$TH|tqOqh^()g(<d?KRR1Z+H7X{<UXb9<jP*Bi=2?ktEA8nia3q$#z7s
z2P7Lr@dr&7NV>+jBx8*=l8k%xaseJVPG4L*Pj2$P4T4fxyo)u~OFWJ?cP?%mi}$~n
zkREtsT@4veLQgR{8#ibBeA;<WT>4C195h~HOwf}y+^`AIJ#lVQwxR-AEhG_>^B7Y?
zF2ap#Id}dxC7bd32<mMFbnFM+=`|s(agco*ZXWhyT>nr#5*;)&?SR(-WPnxF4?l)H
zY(?a$YwoEls6iJ9<Vi|PjaLV5$;pzgnsgquZ$yO5GIL@nA8V|WI_BjV0y%;3?KkVC
z!+2vphD=TzS$D%<SC`+y>)xo7cEmW2jFVf&QBoUk<2-3fQYf(6ulQAqFlieT%Tyvz
zn(Q()HH<Wz5c%0pYEgj0CgT$(AzQthm=DyZFfVm4)%rZU7aqs(^K+4sRFa~VReS8}
z6exVar>!GEW38lWyk^5r6vlK9fJHmta}O9PYx2!XYZfo=O--$X2TC<o-1=<F5Na5#
zz|7gU5=(gD$E5M~2<n9IH&>-ljjWCd<j9gv<UIIDIyt<rCn-Bo7RKtAr$H9f#2Z`W
z{J6}ASFoHpz@g}<Z0=LiDk*7^W@*CPlsQsTXZ#_Eab39MdlX5&oI0P+);2RjxVEEC
z9zJ<s!Oxf7RwEk*d7kuoP?cZ9@$BcV&zfH3yHHTAl$-G^iy9sQ%a6&*P#IUE?kDh`
zC8p2)vh*vT={wx_NcZs**R8Ml$aCo+RjgQk?e@v66ZpJ->2J^8GWq(qx*HmP`1RkQ
z<n)Ewc^a4OPw6&(nyll*@<zkPd+?kRuM=nXujHUFjKm>@*xdMbDUKv1UBYWb?kD69
zxzp6s_;h9LK+gLmmKIsSYQ4gb%QRCPvZ+K!CpBYf<d$Kt_QPJ1OSL5sb|YxXu7T9b
zg^$_rm;2$%<hlpp_v6TdiJ0peD}2`aAur6OoHk-_6ut*Q499w|v~gS7qA5~b2E*m@
zny`8OsGs7BT#C&FDHbnj(uS^>-(WfC*>W;9*7RAqRBO=(IGXf9WF10zV`<0=)=1G@
z=KR~P(TSN{8Eb7WyZzMG=TbY<aQwLG;;A37&5+rwMBRq#y>bx$q<StsG}w~7bu)55
ziZJZNb1~(@*4wZZO76PpSh_))nAWv^-dE@Hz5w+ziZrOYP%WX_Lix=$I%-6|r9>>9
zE>lZA2wSS0P#&0e(Y)HOll?X21SuFxH`!V$>c6mVEVnmHGvi<Bm(2)R+eYgHT}F<6
zEoJi54Q^=%1^Q8b+ttL<^R0ijByw77j($nBxkE^Y^)-&%FR(tz9rVdu`Lbp{e6kxM
zU8(kE^J+GyvBc5~Z45>0ihV43g8d0QW!uyCo0`i)3A4INEZu73X!mo$7VYPv)%4TD
z@X63t521cz`IZ_PxrS|>l4OyMr^Anja?p=wQ9--jiZJ7lqa!%8Z*Y<&NAWXkOgH#3
zQ7ZZ|EiM~Vafz|m##U5P-2~dOF06h@J%kDo^Tql((}pZc-Fz9>gIKa?fuwLwHdu~Z
zQbxXZf`ZgOoo?5Mv>8hlX`h9(<3<rhFOTlsGY7kK-Z$VL<wA$vYPxiG-SmTgz;xw2
z^I(@xKN<g?&luLdcV|Acaib^lKyP$-)Brl5*Y<*AcY^Mn;D(FPqi@A|Giv@uT<yfW
z*U>xD<%ioLyC4-9rWaDIPukE*7{?|Px*J!!ro*AnHEoD=I0Q<z;kN};U@t|vXsN@-
zQRr5h1|zc0Prm~IYIi{6*o|D|;LYU#O1se}3Z>O5+*6}ud`t0L3kY>Ne!S0rwhqsn
zbN<#LMwFcRv4Ezf=-Cd{q8Dv@3sPApT>w&1D7pZ#_keO8pi>X1v%}QIO^BxhSEcCt
znopP6(s%a<PG3^J4aZ^}9u7L5d4FvNe{{#2Fhv7r9>;J!jKe64a>pO9-hOw_np+>a
zZ2#sH`x@4qK!NxMxcv!S2J!lRh#>jF<8&ZfDUQ$Ek-_4)d>P(!6~W`haX95#G5l?M
z#fZ3j3F0V=w->=fNu0e9FH7KS)@>PFO@v+nPiNqz9F8`{tc;%xO=}|J=3%5+4lnoM
zeOCpXJX3tU6LFTp#aEg1%HiSiIGEL27XNZ|p(O6Dg}e&NJE~ulnZ*(B8F-UCIY{>h
zb>}0oe5CvGU!K2o?dnM{`TNu*YgfnQm^n{+htU#=bg#)UfJn_rM7k10w||17=%d@;
z;j$d6rT$ciW{oaiC?6u@T4I^P*oeWB!Pp{W-QG}qMq>=dHzWL8Wr>42n~#Y*Lpd}W
zdN7BPaB}3F<?EGU&Dh7zn?pG>T6-{OGr-eTl{H8=A7is$Ddd!;coO22vbZ~P33GWU
z#Cth3;bZYzL%Cv^L%Et2K9Af+B4YL`C>g@>+e76xcq+&%GsgCjIVJ+$k6g|&V*ruk
zDCCoZaRF*pg`CTgg%FQa94m;NmonoA9C<3ti&0pD^;Tj`VQVNf;|rB!hT{y8d1;1Y
z4^&|a%SsA{a$D7S#Lc0&Hx!Gz$}x&hgktX~7W*v5Eh6_Ek;XD2*I<4>6k&WLvNVW3
z=7F)T=`oLm{+LG_p1t2=9$}reEJlZ72$#6soGdQg35?$b&37eGeiueDIGWUkdyd4>
z05OWYO?b}Hxi22I0b$FV)hNhCHXj%fh&BphO~*sXg|!Am9|fWIZe4B^#Ep!!;YBf&
z?o?;_4p6y6=?~!gAPz<8)@rUO9c?3M?N*ddtM!K#rGGz!(pQy1>A!>!T%WPRNl`k@
zff(Sx5z?d-rCTdNz?vOd*UHz96s1G8p^=8%R$?4NQF_A5AMa3<KFu*D#)cH7yBU=U
zPf@y^Tbl3`rMq!W&Pd~!U2dk;>50;>1ESBLh2XB;`8~3v2T(dy#2iXrQxT;<e3T(*
z<DVT$e}NIe%?zb;b_r)&y}uaUDbDg}9!8(Q^{tB02T*5bX1ii^#pqm%;ii1%%`E@W
zV)VyC82$NIOIy;PhA6%&Lm{Y^bcdQ0qk|a|o?6n~tbDbkgCPnnf+gCBTGEM)VrhTo
zd}PbBTGG{$KEs*)YDotMn_d-gnp)CN=IVhNTGBnLgm&G*$y`5hYR_+Xs<OO`H3rUd
z{s&w?heIvripnttSbUwhTF&RB<(x7y%1Z9m5GsH2%AcC~?VQhkFOKCI#-%7+Q8?C+
z<*ZGL!WD)4>&<mOduZlN8Y?g>u3uLajybM@_3%2MJ;X~opWVzES`8f}M4Luz;S^zQ
z{%M55okiQOvk$M~ckg-Tc0BIht>Nd~a`&v*xrn9QsCQh$?p(EN^cmi+hIcW!vx^=3
z9~ozTx&QDCac-$&*Vx;&^9<C6qu8u*r=a$!MOsAHc5~Y;f3LI*I7ZiYb1k{9?FK8*
z<?mt^wn)GD>$jG3ZTAJw>^NsFI-Eb7^Q3nOIQSVHi!vq>UEA%?<1JxrE4~AoLyyz@
znCaT?q8d&9Y(1SduCvAi7VZ)=p>uQRb=J7f8prl2ThUb&&W+Hu-EIt5*LLUcURrXe
zhf`_RxLTyG>S+-+ult~o(nXym{@(9s$JE<!6hq}sRn~dpAdsSRMdfBcQ@10!?zo0w
zN;eo-36*d7-UDS(`N9mE7@V%<wySFum4g{{o_KEecAX~<hA6~BCEAG26W4j-T!XJW
zu9+S7b;mW#;s}04!`~@B@-85A%|e~O<C>y!DxP%C!hLF^a;GXQDo2$mDpypls65&i
zzrwci<J;~pi^}I`C>9l!JDWoZ#G$rw?sTd<tmWCcD_VF%-yhR`(A~Gl3Q>MVN~*0~
zZRKh!&-*T$uHM$w+cWz1+v%}-`_x9|PE}S^4!oeKTv55A@@i4}rw%`OVW}DH+*7S7
zLrkuyTv55M=EmC7@z9re)m9GaP>7;Sj9jU$Ty5oQE1&){y4uRsRv!8yyV}b6#q^*%
zJ#6JpRaR7v`cqV{s9aHbwW$2#{~0Tb%F`JuB6SA4&R~Z@&V9#5_gK?C)^v|Gh(@ZA
zp}n7Uk2Q!2Zj@AnHadg7Rdfb>KPDB8C@NP}j<Nm$^9Ap5?3PE<$LWj8ovN&;9CBY#
zxuSAK<<+9{C0E{17M0g$(8S;rl`AS&RIax2=@}ETw4!pzMMdT57K<_?@8quQ$`zF>
zDnAJPnN?Iihfujwl@*nvUsP1Cs9aHbwWxg0tH&=WH-kNuK@)>hRIaF8QMsaWMdgLF
z^%a#XDo6L2@D|98z*%FE5TmgA?KM`vercC}ScC_Gzj|RC?uQSZ!9D?MC@NP}K8W4S
z+vX4|cdD|YatK64<%-G`l~;?(-+cM8lBk?tMoVVU#NZT_D=Jr1uBcp5xuSAl&#^o{
zP+Pg8a%c#lbsUSO4?V^x<|lJMj;%&Vy8~kripu*y1x4j^4V61pSy4HpfueFn<%-Iy
zMdjCj>7lZyJf1-lgHu$ls9aIGqVha6rZd<f7u8m-wsNq6+R7D`mzD;dGK7(dyU>4f
z-E==jD-@L<!VHqRWh-~8vZ8Xd1V!bF$`zGYi^{hzeeJwbGuUY>|KA2QF*rr#ipmw0
zD=Jr1uC{Wul^3xL>kRhIkH)8^1IH=URz3j5DdD9>QMu6}C4m#ybZ~rP?xAw0Dk~~S
zH7hDtRIaGJT2%gxjjxnN<?kvgABpFEg}TI7pY(g>`n~eN_rXf+K-~j7$$lJJSWJ#U
zH{nXtl%)8jZv9@ley=<<54ct~gGY|wi+tQ2YCpz>4uE5tEXPFNVQm{`5|3cDGgm&3
zNjEg(Sh`u7N$+;(P=zB6EAS+gk9sMLV~amV7gJj~$fdUOFvln=S5)4OUT&AX4)YG(
l+(zY2RaR7vs#a94s9aHbwW$2Q^iw5KIlou_&MAV*{|{YIV=Vvx

literal 0
HcmV?d00001