omerbenamram · omerbenamram · Feb 17, 2023 · Feb 17, 2023 · ohadravid · Feb 17, 2023
diff --git a/samples/Security_with_size_t.evtx b/samples/Security_with_size_t.evtx
diff --git a/src/binxml/value_variant.rs b/src/binxml/value_variant.rs
@@ -263,7 +263,12 @@ impl<'a> BinXmlValue<'a> {
             (BinXmlValueType::Real64Type, _) => BinXmlValue::Real64Type(try_read!(cursor, f64)?),
             (BinXmlValueType::BoolType, _) => BinXmlValue::BoolType(try_read!(cursor, bool)?),
             (BinXmlValueType::GuidType, _) => BinXmlValue::GuidType(try_read!(cursor, guid)?),
-            // TODO: find a sample with this token.
+            (BinXmlValueType::SizeTType, Some(4)) => {
+                BinXmlValue::HexInt32Type(try_read!(cursor, hex32)?)
+            }
+            (BinXmlValueType::SizeTType, Some(8)) => {
+                BinXmlValue::HexInt64Type(try_read!(cursor, hex64)?)
+            }
             (BinXmlValueType::SizeTType, _) => {
                 return Err(DeserializationError::UnimplementedValueVariant {
                     name: "SizeT".to_owned(),

diff --git a/tests/snapshots/test_record_samples__event_json_with_size_t.snap b/tests/snapshots/test_record_samples__event_json_with_size_t.snap
@@ -0,0 +1,55 @@
+---
+source: tests/test_record_samples.rs
+expression: "&value"
+---
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "EventData": {
+      "HandleId": "0x7eec",
+      "NewSd": "S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)",
+      "ObjectName": "C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IO.Log.dll",
+      "ObjectServer": "Security",
+      "ObjectType": "File",
+      "OldSd": "",
+      "ProcessId": "0x858",
+      "ProcessName": "C:\\Windows\\servicing\\TrustedInstaller.exe",
+      "SubjectDomainName": "WORKGROUP",
+      "SubjectLogonId": "0x3e7",
+      "SubjectUserName": "WIN-L0ZZQ76PMUF$",
+      "SubjectUserSid": "S-1-5-18"
+    },
+    "System": {
+      "Channel": "Security",
+      "Computer": "WIN-L0ZZQ76PMUF",
+      "Correlation": null,
+      "EventID": 4907,
+      "EventRecordID": 196,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 632,
+          "ThreadID": 684
+        }
+      },
+      "Keywords": "0x8020000000000000",
+      "Level": 0,
+      "Opcode": 0,
+      "Provider": {
+        "#attributes": {
+          "Guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+          "Name": "Microsoft-Windows-Security-Auditing"
+        }
+      },
+      "Security": null,
+      "Task": 13568,
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2015-08-23T21:25:49.063125Z"
+        }
+      },
+      "Version": 0
+    }
+  }
+}
diff --git a/tests/test_record_samples.rs b/tests/test_record_samples.rs
@@ -166,6 +166,24 @@ fn test_event_xml_sample_with_entity_ref_2() {
     insta::assert_display_snapshot!(record.data);
 }
 
+#[test]
+fn test_event_json_with_size_t() {
+    ensure_env_logger_initialized();
+    let evtx_file = include_bytes!("../samples/Security_with_size_t.evtx");
+    let mut parser = EvtxParser::from_buffer(evtx_file.to_vec())
+        .unwrap()
+        .with_configuration(ParserSettings::new().num_threads(1));
+
+    let record = parser
+        .records_json()
+        .filter_map(|record| record.ok())
+        .find(|record| record.event_record_id == 196)
+        .expect("record to parse correctly");
+
+    let value: Value = serde_json::from_str(&record.data).expect("to parse correctly");
+    insta::assert_json_snapshot!(&value);
+}
+
 #[test]
 fn test_event_json_with_multiple_nodes_same_name() {
     ensure_env_logger_initialized();