
Linking Event Messages and Resource DLLs

By Andreas Schuster
Copyright © 2011 int for(ensic){blog;}. All rights reserved. Reproduction for commercial purposes (including online advertisement) interdicted.

Without knowledge of the binary XML template, the data in a record's SubstitutionArray cannot be interpreted properly. The template is commonly read from the EVTX file. But in some cases, such as a single event record carved from unallocated space, the template may not be available. Now there is a method to match an event record to its proper message DLL, based on a GUID.

A while ago I noticed that templates contain a full 16-byte GUID. I've modified the evtxtemplates sample program to display the GUID and the template's location in the EVTX file. The updated library and sample program will be available for download soon. Here's a short preview of its output:

$ ./evtxtemplates.pl CbsMsg.evtx
Template {47386119-D465-FA45-F96E-E70FFA54FBF7} at chunk 0, offset 0x07d8:
<CbsPackageInitiateChanges 
  xmlns="http://manifests.microsoft.com/win/2004/08/windows/setup_provider">
  <PackageIdentifier>#0 (type 0x01)#</PackageIdentifier>
  <InitialPackageState>#2 (type 0x01)#</InitialPackageState>
  <IntendedPackageState>#4 (type 0x01)#</IntendedPackageState>
  <Client>#5 (type 0x01)#</Client>
</CbsPackageInitiateChanges>

Note the GUID {47386119-D465-FA45-F96E-E70FFA54FBF7}. The same GUID can be found in the WEVT_TEMPLATE resource of a message DLL (or any other PE file that defines resources for the event log service).

The first group of that GUID (the first 4 bytes) is called the TemplateID and is referenced by the Create Template Instance token (code 0x0c).

It is now possible to apply the method of Timothy Morgan's GrokEVT to the new event log format:

  1. enumerate all (relevant) message DLLs, either by
    1. scanning the file system for PE files with a WEVT_TEMPLATE resource, or
    2. locating these files from their registration with the event log service
  2. build a database of templates, their GUIDs and IDs
  3. look up the proper template from that database, based on the TemplateID
  4. interpret a record's substitution array according to the template
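The following Python sketch is an added worked example of steps 2 to 4; it is not code from the original post or from Andreas Schuster's library. It derives the TemplateID from the 16 raw GUID bytes, keys a small template database by that ID, and then resolves a Create Template Instance token (0x0c) from a record and maps the record's substitution array onto the template's element names. The template entry and the record are constructed inline from the CbsPackageInitiateChanges sample above (the substitution values are made up). The on-disk layout assumed here (token byte, one flag byte, 4-byte TemplateID, 4-byte template definition offset; substitution array as a uint32 count, 4-byte descriptors of size/type/reserved, then the packed values; value type 0x01 = UTF-16LE string, 0x08 = UInt32, 0x00 = null) follows the published EVTX binary XML documentation and should be checked against your own samples. The sample record deliberately omits an inline template definition, which is exactly the carved-record situation the post describes.

```python
import struct
import uuid

# --- Template database -----------------------------------------------------------
# A real database is built by scanning message DLLs' WEVT_TEMPLATE resources (or
# the templates in an EVTX file). The entry below is constructed from the sample
# evtxtemplates.pl output: element name plus the substitution slots it references.

def guid_to_string(raw16):
    """Render 16 raw GUID bytes the way Windows tools print them (first three
    groups little-endian), e.g. {47386119-D465-FA45-F96E-E70FFA54FBF7}."""
    return "{%s}" % str(uuid.UUID(bytes_le=raw16)).upper()

def template_id_from_guid(raw16):
    """The TemplateID is the first group of the GUID: bytes 0..3 as LE uint32."""
    return struct.unpack_from("<I", raw16, 0)[0]

# Constructed on-disk bytes of the GUID shown in the sample output above.
CBS_GUID = bytes.fromhex("1961384765D445FAF96EE70FFA54FBF7")

# slot index -> element name, as listed in the <CbsPackageInitiateChanges> template.
CBS_SLOTS = {0: "PackageIdentifier", 2: "InitialPackageState",
             4: "IntendedPackageState", 5: "Client"}

def build_template_db(templates):
    """templates: iterable of (guid_bytes, element_name, slot_map).
    Keyed by TemplateID so a record's 0x0c token can be resolved directly."""
    db = {}
    for raw16, name, slots in templates:
        db[template_id_from_guid(raw16)] = {
            "guid": guid_to_string(raw16), "element": name, "slots": slots}
    return db

TEMPLATE_DB = build_template_db([(CBS_GUID, "CbsPackageInitiateChanges", CBS_SLOTS)])

# --- Record side -----------------------------------------------------------------
TOKEN_TEMPLATE_INSTANCE = 0x0C

def parse_template_instance(buf, off=0):
    """Create Template Instance token (assumed layout): 0x0c, flag byte,
    4-byte TemplateID, 4-byte offset of the template definition in the chunk.
    Returns (template_id, definition_offset, offset_after_token)."""
    token, _flag, template_id, def_offset = struct.unpack_from("<BBII", buf, off)
    if token != TOKEN_TEMPLATE_INSTANCE:
        raise ValueError("not a template instance token: 0x%02x" % token)
    return template_id, def_offset, off + 10

def parse_substitution_array(buf, off):
    """Substitution array (assumed layout): uint32 count, then count descriptors
    (uint16 size, uint8 type, uint8 reserved), then the packed values.
    Returns a list of (type, raw_bytes) in slot order."""
    (count,) = struct.unpack_from("<I", buf, off)
    off += 4
    descriptors = [struct.unpack_from("<HBB", buf, off + 4 * i)[:2] for i in range(count)]
    off += 4 * count
    values = []
    for size, vtype in descriptors:
        values.append((vtype, buf[off:off + size]))
        off += size
    return values

def decode_value(vtype, raw):
    """Decode the value types used in this example; anything else comes back as hex."""
    if vtype == 0x00:            # NullType
        return None
    if vtype == 0x01:            # UnicodeString, UTF-16LE
        return raw.decode("utf-16-le").rstrip("\x00")
    if vtype == 0x08:            # UInt32
        return struct.unpack("<I", raw)[0]
    return raw.hex()

def interpret_record(buf, db):
    """Step 3 and 4: resolve the TemplateID against the database, then map each
    referenced substitution slot to its element name. Unknown IDs raise KeyError."""
    template_id, _def_offset, off = parse_template_instance(buf)
    template = db.get(template_id)
    if template is None:
        raise KeyError("no template with TemplateID 0x%08x" % template_id)
    values = parse_substitution_array(buf, off)
    return {name: decode_value(*values[idx]) for idx, name in template["slots"].items()}

# --- Constructed sample record ---------------------------------------------------
def u16(s):
    return s.encode("utf-16-le")

def build_sample_record():
    """Token + substitution array only; the template definition is assumed to live
    elsewhere in the chunk (or to be lost, as with a carved record)."""
    vals = [(0x01, u16("Package_for_ExampleKB")), (0x00, b""), (0x01, u16("Absent")),
            (0x00, b""), (0x01, u16("Installed")), (0x01, u16("DISM"))]
    header = struct.pack("<BBII", TOKEN_TEMPLATE_INSTANCE, 0x01,
                         template_id_from_guid(CBS_GUID), 0x07D8)
    arr = struct.pack("<I", len(vals))
    arr += b"".join(struct.pack("<HBB", len(raw), t, 0) for t, raw in vals)
    arr += b"".join(raw for _, raw in vals)
    return header + arr

if __name__ == "__main__":
    rec = build_sample_record()
    print(guid_to_string(CBS_GUID), hex(template_id_from_guid(CBS_GUID)))
    print(interpret_record(rec, TEMPLATE_DB))
```

The point of keying the database by TemplateID rather than by the full GUID is that a carved record only carries the 4-byte ID in its 0x0c token; the full GUID is needed on the DLL side to confirm the match once a candidate template is found.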


This post first appeared on Computer Forensic.
