wevt_templates: switch offline cache to single .wevtcache file#279
Merged: omerbenamram merged 7 commits into master on Jan 3, 2026.
Conversation
This makes offline template fallback portable and binding-friendly by replacing the directory+JSONL cache with a single `.wevtcache` container and keeping `WevtCache` fully in-memory.
…ze field
- Remove sorting hack for MAPS offset array
- Map 0 is implied at MAPS+16+(count-1)*4, maps 1+ use offsets in array order
- VMAP declares its own size field — no boundary guessing needed
- Add comprehensive test against real DLL fixtures (adtschema, lsasrv, scesrv, services.exe, wevtsvc)
- Document MAPS structure (value maps + bitmap maps for enum/flag types)

Fixes wevtsvc.dll parsing which had non-monotonic offset arrays.

Add Windows system DLL/EXE fixtures (via git-lfs) for validating WEVT_TEMPLATE extraction against libfwevt reference implementation:
- adtschema.dll: 1 provider, 464 templates, 488 events
- lsasrv.dll: 4 providers, 67 templates, 104 events
- services.exe: 3 providers, 51 templates, 60 events
- wevtsvc.dll: 1 provider, 38 templates, 44 events, 2 maps

Snapshot values validated against pyfwevt (libfwevt Python bindings).
The DLL test fixtures are stored in Git LFS. Enable LFS checkout so CI can run the wevt_templates_research tests.
Bump evtx to 0.11.0 and document the WEVT_TEMPLATE cache breaking changes.
Summary

- `.wevtcache` container.
- `WevtCache` fully in-memory (no internal filesystem I/O) and update CLI flags/docs accordingly.

Test plan

- `cargo test --features wevt_templates`
- `evtx_dump extract-wevt-templates --output cache.wevtcache --overwrite` + `evtx_dump --wevt-cache cache.wevtcache <log.evtx>`

Note

Release v0.11.0

Cursor Bugbot summary:
- `.wevtcache` file (replaces dir + `index.jsonl`); `WevtCache` is pure in-memory.
- CLI flags renamed to `--wevt-cache` and `apply-wevt-cache --cache` (… size).
- `samples/dlls/` with snapshot tests for WEVT extraction stats; CI enables `lfs` checkout.
- 0.11.0, changelog updated.

Written by Cursor Bugbot for commit 2adb2b2.