diff --git a/samples/Security_with_size_t.evtx b/samples/Security_with_size_t.evtx
new file mode 100644
index 00000000..580fce9a
Binary files /dev/null and b/samples/Security_with_size_t.evtx differ
diff --git a/src/binxml/value_variant.rs b/src/binxml/value_variant.rs
index 67492428..2321edb7 100644
--- a/src/binxml/value_variant.rs
+++ b/src/binxml/value_variant.rs
@@ -263,7 +263,12 @@ impl<'a> BinXmlValue<'a> {
 (BinXmlValueType::Real64Type, _) => BinXmlValue::Real64Type(try_read!(cursor, f64)?),
 (BinXmlValueType::BoolType, _) => BinXmlValue::BoolType(try_read!(cursor, bool)?),
 (BinXmlValueType::GuidType, _) => BinXmlValue::GuidType(try_read!(cursor, guid)?),
- // TODO: find a sample with this token.
+ (BinXmlValueType::SizeTType, Some(4)) => {
+ BinXmlValue::HexInt32Type(try_read!(cursor, hex32)?)
+ }
+ (BinXmlValueType::SizeTType, Some(8)) => {
+ BinXmlValue::HexInt64Type(try_read!(cursor, hex64)?)
+ }
 (BinXmlValueType::SizeTType, _) => {
 return Err(DeserializationError::UnimplementedValueVariant {
 name: "SizeT".to_owned(),
diff --git a/tests/snapshots/test_record_samples__event_json_with_size_t.snap b/tests/snapshots/test_record_samples__event_json_with_size_t.snap
new file mode 100644
index 00000000..6d469614
--- /dev/null
+++ b/tests/snapshots/test_record_samples__event_json_with_size_t.snap
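Review bot: The two new SizeT arms carry no comment explaining why a SizeT value is surfaced as HexInt32Type/HexInt64Type instead of a variant of its own, or where the `Some(4)`/`Some(8)` widths come from; a reader who sees `"HandleId": "0x7eec"` in the snapshot has to reverse-engineer that. I would put `// SizeT is a pointer-sized integer: the declared value size (4 or 8) selects the width. It is reused as a HexInt so it renders as 0x... like the other handle/PID fields; any other size still falls through to UnimplementedValueVariant below.` above the first new arm. The fallthrough arm now also covers the `None` (undeclared size) case and any width other than 4 or 8, so if `UnimplementedValueVariant` has a field for the offending size (not visible in this hunk) it is worth populating it, because a malformed or hostile EVTX is the most likely way to reach that branch. The enclosing method starts and ends outside this hunk.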
@@ -0,0 +1,55 @@
+---
+source: tests/test_record_samples.rs
+expression: "&value"
+---
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "EventData": {
+ "HandleId": "0x7eec",
+ "NewSd": "S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)",
+ "ObjectName": "C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IO.Log.dll",
+ "ObjectServer": "Security",
+ "ObjectType": "File",
+ "OldSd": "",
+ "ProcessId": "0x858",
+ "ProcessName": "C:\\Windows\\servicing\\TrustedInstaller.exe",
+ "SubjectDomainName": "WORKGROUP",
+ "SubjectLogonId": "0x3e7",
+ "SubjectUserName": "WIN-L0ZZQ76PMUF$",
+ "SubjectUserSid": "S-1-5-18"
+ },
+ "System": {
+ "Channel": "Security",
+ "Computer": "WIN-L0ZZQ76PMUF",
+ "Correlation": null,
+ "EventID": 4907,
+ "EventRecordID": 196,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 632,
+ "ThreadID": 684
+ }
+ },
+ "Keywords": "0x8020000000000000",
+ "Level": 0,
+ "Opcode": 0,
+ "Provider": {
+ "#attributes": {
+ "Guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "Name": "Microsoft-Windows-Security-Auditing"
+ }
+ },
+ "Security": null,
+ "Task": 13568,
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2015-08-23T21:25:49.063125Z"
+ }
+ },
+ "Version": 0
+ }
+ }
+}
diff --git a/tests/test_record_samples.rs b/tests/test_record_samples.rs
index 9237f00a..015a2d0e 100644
--- a/tests/test_record_samples.rs
+++ b/tests/test_record_samples.rs
@@ -166,6 +166,24 @@ fn test_event_xml_sample_with_entity_ref_2() {
 insta::assert_display_snapshot!(record.data);
 }
 
+#[test]
+fn test_event_json_with_size_t() {
+ ensure_env_logger_initialized();
+ let evtx_file = include_bytes!("../samples/Security_with_size_t.evtx");
+ let mut parser = EvtxParser::from_buffer(evtx_file.to_vec())
+ .unwrap()
+ .with_configuration(ParserSettings::new().num_threads(1));
+
+ let record = parser
+ .records_json()
+ .filter_map(|record| record.ok())
+ .find(|record| record.event_record_id == 196)
+ .expect("record to parse correctly");
+
+ let value: Value = serde_json::from_str(&record.data).expect("to parse correctly");
+ insta::assert_json_snapshot!(&value);
+}
+
 #[test]
 fn test_event_json_with_multiple_nodes_same_name() {
 ensure_env_logger_initialized();
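Review bot: `.filter_map(|record| record.ok())` in the new test discards every parse error in the sample, so a regression that breaks other records in Security_with_size_t.evtx goes unnoticed as long as record 196 still parses; the test proves exactly one record. Since `find` stops at 196, replacing that line with `.map(|record| record.expect("every record up to 196 should parse"))` would make the preceding records part of the check at no extra cost, or a comment should say the narrowing is deliberate. The test also has no doc comment saying why record 196 was chosen; something like `/// Record 196 carries SizeT-typed values (presumably the hex HandleId/ProcessId seen in the snapshot), which previously failed with UnimplementedValueVariant.` would give the next maintainer the intent, hedged because which fields are SizeT is inferred from the sample name and snapshot rather than visible here.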