Merged
- Add wevt_templates Cargo feature (optional glob dep)
- Add evtx::wevt_templates PE resource extractor
- Add evtx_dump extract-wevt-templates subcommand
- Add synthetic PE test + ignored Willi sample test
Use a small PE32+ with a WEVT_TEMPLATE resource (id=1/lang=1033) so tests don't generate binary data at runtime.
- Add best-effort TTBL/TEMP discovery (guid + header fields)
- Extend extract-wevt-templates with --split-ttbl to emit TEMP entries
- Add tests for TTBL parsing and assert Willi sample yields 46 TEMP entries (ignored)
- Add BinXmlNameEncoding and thread it through BinXmlDeserializer/token readers
- Parse WEVT inline name layout (hash+len+utf16+nul)
- Add TEMP BinXML parsing + XML rendering helpers
- Add evtx_dump flags: --dump-temp-xml (and internal iterator position accessor)
- Smoke-tested on Willi sample: rendered templates like <Data Name="GroupName">{sub:0}</Data>
- Make evtx_dump feature include wevt_templates for CI/release builds
- Update README with concise end-to-end offline template rendering flow
- Refresh subcommand help text
Strip braces + case-normalize GUIDs for --template-guid and manifest template GUIDs so braced/unbraced inputs match. Also normalize provider/template GUIDs when loading the cache index, and add regression tests.
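The brace/case mismatch this commit fixes is easy to reproduce: a cache index keyed on the manifest's raw GUID string will miss a `--template-guid` that a user copied with braces or in upper case. The following is an added illustration in Rust, not the evtx crate's own code; `normalize_guid` and `TemplateIndex` are hypothetical names, and the GUID and template text are constructed sample values.

```rust
// Added example (not the evtx crate's own code): normalize GUIDs so that braced,
// unbraced and mixed-case spellings hit the same cache-index entry. The names
// `normalize_guid` and `TemplateIndex` are hypothetical.
use std::collections::HashMap;

/// Canonical form: lowercase, no braces, no surrounding whitespace, 8-4-4-4-12 hex.
/// Returns None for anything that is not a well-formed GUID after stripping.
pub fn normalize_guid(input: &str) -> Option<String> {
    let trimmed = input.trim();
    // Only strip braces when both are present; "{abc" stays invalid.
    let inner = trimmed
        .strip_prefix('{')
        .and_then(|s| s.strip_suffix('}'))
        .unwrap_or(trimmed);
    let lower = inner.to_ascii_lowercase();
    let groups: Vec<&str> = lower.split('-').collect();
    const WIDTHS: [usize; 5] = [8, 4, 4, 4, 12];
    if groups.len() != WIDTHS.len() {
        return None;
    }
    let well_formed = groups
        .iter()
        .zip(WIDTHS.iter())
        .all(|(g, &w)| g.len() == w && g.bytes().all(|b| b.is_ascii_hexdigit()));
    if well_formed {
        Some(lower)
    } else {
        None
    }
}

/// Minimal template-GUID -> rendered-template index keyed by the normalized GUID.
#[derive(Default)]
pub struct TemplateIndex {
    by_guid: HashMap<String, String>,
}

impl TemplateIndex {
    /// Insert a manifest entry; the GUID is normalized on the way in.
    /// Returns false (and stores nothing) when the GUID is malformed.
    pub fn insert(&mut self, guid: &str, template_xml: &str) -> bool {
        match normalize_guid(guid) {
            Some(key) => {
                self.by_guid.insert(key, template_xml.to_string());
                true
            }
            None => false,
        }
    }

    /// Look up with either spelling, as a `--template-guid` argument would arrive.
    pub fn get(&self, guid: &str) -> Option<&str> {
        normalize_guid(guid).and_then(|k| self.by_guid.get(&k).map(String::as_str))
    }
}

fn main() {
    let mut idx = TemplateIndex::default();
    // Constructed sample values, not taken from any real provider manifest.
    idx.insert(
        "{A5BA8D5A-C9F6-4C5E-B24B-8B7E2D2C2F01}",
        "<Data Name=\"GroupName\">{sub:0}</Data>",
    );
    println!("{:?}", idx.get("a5ba8d5a-c9f6-4c5e-b24b-8b7e2d2c2f01"));
}
```

Rejecting half-braced or wrong-width input (rather than silently stripping a lone brace) keeps the cache from accumulating keys that can never be matched.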
- Add DeserializationError::Truncated for slice/bounds failures.
- Introduce utils::bytes (Option + Result APIs) for LE reads + fixed tables, with docs.
- Parse EVTX chunk/file/record headers from &[u8] (from_bytes/from_bytes_at); keep reader wrappers.
- Make IterChunkRecords parse record headers without building a Cursor (bounds-oriented).
- Replace legacy try_read/try_seek macros with ReadExt trait; remove src/macros.rs.
- Consolidate UTF-16 decoding into utils::utf16 and reuse from BinXML + WEVT manifest parsing.
- Use utils::bytes in wevt_templates (extract + manifest util); remove duplicate wevt_templates/util.rs.
- Add optional goblin dep behind wevt_templates for PE resource extraction; update minimal PE fixture.
Tests: cargo test --features fast-alloc --locked --offline
201f5ad to dd1426b
- Introduce named read helpers (read_*_named) and thread semantic field names into Truncated errors
- Add WevtManifestError::InvalidGuid; parse GUIDs via Guid::from_buffer (no Cursor)
- Harden utils::bytes::read_array against offset overflow
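The two parsing-hardening commits above (bounds-oriented reads with a Truncated error, named read helpers, and the WEVT inline name layout of hash+len+utf16+nul) come together in the following added example. It is illustration code in Rust, not the evtx crate's `utils::bytes` or `ByteCursor`; the field widths it assumes (u16 hash, u16 code-unit count, UTF-16LE code units, u16 NUL) are an assumption for demonstration rather than the crate's verified layout, and every name in it is hypothetical. The sample bytes are constructed by `encode_inline_name`.

```rust
// Added example (not the evtx crate's own code): a bounds-oriented cursor whose
// named reads report which field ran off the end of the buffer, exercised on a
// WEVT-style inline name. Widths (u16 hash, u16 char count, UTF-16LE units,
// u16 NUL) and all names are assumptions for illustration.

#[derive(Debug, PartialEq, Eq)]
pub enum ReadError {
    /// Fewer than `needed` bytes remained when reading `field` at `offset`.
    Truncated { field: &'static str, offset: usize, needed: usize },
    /// The code unit after the name was not the expected 0x0000 terminator.
    MissingNul { offset: usize },
    /// The code units were not valid UTF-16 (unpaired surrogate).
    InvalidUtf16 { field: &'static str },
}

pub struct ByteCursor<'a> {
    buf: &'a [u8],
    pos: usize,
}

impl<'a> ByteCursor<'a> {
    pub fn new(buf: &'a [u8]) -> Self {
        Self { buf, pos: 0 }
    }

    pub fn position(&self) -> usize {
        self.pos
    }

    /// Borrow the next `n` bytes. Checked arithmetic means a hostile length
    /// cannot wrap the end offset back inside the buffer.
    fn take(&mut self, n: usize, field: &'static str) -> Result<&'a [u8], ReadError> {
        let end = self
            .pos
            .checked_add(n)
            .filter(|&end| end <= self.buf.len())
            .ok_or(ReadError::Truncated { field, offset: self.pos, needed: n })?;
        let buf = self.buf;
        let out = &buf[self.pos..end];
        self.pos = end;
        Ok(out)
    }

    /// Little-endian u16 read that names the field in any Truncated error.
    pub fn read_u16_named(&mut self, field: &'static str) -> Result<u16, ReadError> {
        let b = self.take(2, field)?;
        Ok(u16::from_le_bytes([b[0], b[1]]))
    }
}

#[derive(Debug, PartialEq, Eq)]
pub struct InlineName {
    pub hash: u16,
    pub name: String,
}

/// Parse hash, code-unit count, `count` UTF-16LE units, then a NUL unit.
pub fn read_inline_name(c: &mut ByteCursor<'_>) -> Result<InlineName, ReadError> {
    let hash = c.read_u16_named("name.hash")?;
    let count = usize::from(c.read_u16_named("name.len")?);
    // count <= 65535, so count * 2 cannot overflow usize.
    let raw = c.take(count * 2, "name.utf16")?;
    let units: Vec<u16> = raw
        .chunks_exact(2)
        .map(|p| u16::from_le_bytes([p[0], p[1]]))
        .collect();
    let name = String::from_utf16(&units)
        .map_err(|_| ReadError::InvalidUtf16 { field: "name.utf16" })?;
    let nul_offset = c.position();
    if c.read_u16_named("name.nul")? != 0 {
        return Err(ReadError::MissingNul { offset: nul_offset });
    }
    Ok(InlineName { hash, name })
}

/// Build a constructed sample in the assumed layout (fixture, not real data).
pub fn encode_inline_name(hash: u16, name: &str) -> Vec<u8> {
    let units: Vec<u16> = name.encode_utf16().collect();
    let mut out = Vec::new();
    out.extend_from_slice(&hash.to_le_bytes());
    out.extend_from_slice(&(units.len() as u16).to_le_bytes());
    for u in &units {
        out.extend_from_slice(&u.to_le_bytes());
    }
    out.extend_from_slice(&0u16.to_le_bytes());
    out
}

fn main() {
    let bytes = encode_inline_name(0x1234, "GroupName");
    let mut cursor = ByteCursor::new(&bytes);
    println!("{:?}", read_inline_name(&mut cursor));
    // Cut the buffer short: the error names the field and offset that failed.
    let mut short = ByteCursor::new(&bytes[..bytes.len() - 4]);
    println!("{:?}", read_inline_name(&mut short));
}
```

Carrying the field name and offset in the error is what makes a carved or corrupted resource diagnosable: "name.utf16 truncated at offset 4, needed 18" points at the exact structure, whereas a bare slice panic or generic I/O error does not.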
Closes #103
Motivation

Issue #103 is about offline / carved EVTX analysis: records frequently reference template instances (substitution values), but the corresponding template definitions live in provider PE resources (WEVT_TEMPLATE). Without those templates, you can parse the record BinXML but you can't reliably render the final event fragment.

This PR makes template extraction + spec-backed parsing a first-class, cross-platform workflow in evtx_dump, so you can:
- TemplateInstance
- substitution array

What's implemented

- evtx::wevt_templates is split into focused modules (extract, manifest, binxml, render, temp) with stable re-exports (public API paths remain the same).
- evtx_dump workflow commands:
  - extract-wevt-templates: build the cache/index (including provider/event → template GUID join rows)
  - dump-template-instances: dump per-record substitution arrays (JSONL)
  - apply-wevt-cache: render template + substitutions to XML (substitutions from EVTX record or JSON)
- docs/wevt_templates.md.

Integration / compatibility

- evtx_dump usage is unchanged; these subcommands are additive.
- wevt_templates is now built by default as part of the evtx_dump feature, so CI (cargo test) and release binaries compile/include the offline-template tooling.
- evtx_dump) to avoid pulling in template extraction dependencies.

References

- docs/wevt_templates.md

Tests:
- cargo test (default features)

Note

Introduces end-to-end offline WEVT template support and hardens parsing.
- wevt_templates feature with optional deps (goblin, glob); new evtx_dump subcommands: extract-wevt-templates, dump-template-instances, apply-wevt-cache
- --wevt-cache-index for XML/JSON outputs
- BinXmlNameEncoding through deserializer
- ByteCursor, converts many readers to *_cursor variants, improves bounds checks and error types; more resilient chunk/file/record header handling
- docs/wevt_templates.md with usage and format details

Written by Cursor Bugbot for commit 1c9450e.