Linking Event Messages and Resource DLLs

Without knowledge of the binary XML template, the data in a record's SubstitutionArray cannot be interpreted properly. The template is commonly read from the EVTX file. But in some cases, like a single event record carved from unallocated space, the template may not be available. Now there's a method to match an event record to its proper message DLL, based on a GUID.

A while ago I noticed that templates contain a full 16-byte GUID. I've modified the evtxtemplates sample program to display the GUID and the template's location in the EVTX file. The updated library and sample program will be available for download soon. Here's a short preview of its output:

$ ./evtxtemplates.pl CbsMsg.evtx
Template {47386119-D465-FA45-F96E-E70FFA54FBF7} at chunk 0, offset 0x07d8:
<CbsPackageInitiateChanges 
  xmlns="http://manifests.microsoft.com/win/2004/08/windows/setup_provider">
  <PackageIdentifier>#0 (type 0x01)#</PackageIdentifier>
  <InitialPackageState>#2 (type 0x01)#</InitialPackageState>
  <IntendedPackageState>#4 (type 0x01)#</IntendedPackageState>
  <Client>#5 (type 0x01)#</Client>
</CbsPackageInitiateChanges>

Note the GUID {47386119-D465-FA45-F96E-E70FFA54FBF7}. The same GUID can be found in the WEVT_TEMPLATE resource of a message DLL (or any other PE file that defines resources for the event log service).

Templates and their GUIDs defined in an event message DLL

The first group of that GUID (the first 4 bytes) is called the TemplateID and is referenced by the Create Template Instance token (code 0x0c).

It is now possible to apply the method of Timothy Morgan's GrokEVT to the new event log format:

  1. enumerate all (relevant) message DLLs, either by
    1. scanning the file system for PE files with a WEVT_TEMPLATE resource, or
    2. locating these files from their registration with the event log service
  2. build a database of templates, their GUIDs and IDs
  3. look up the proper template from that database, based on the TemplateID
  4. interpret a record's substitution array according to the template
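An added Python example (my own code, not the evtxtemplates program or anything from this post) of the look-up step: it reads the TemplateID from a Create Template Instance token, reads the full GUID from a template definition inside an EVTX chunk, and matches both against a database of GUIDs as they would be collected from WEVT_TEMPLATE resources. The structure offsets follow the libevtx format notes and are an assumption here; the DLL name and all input bytes are constructed.

```python
import struct
import uuid

# Assumed EVTX binary XML layout (per libevtx format notes):
#   Create Template Instance token: 0x0c, 1 unknown byte, 4-byte TemplateID
#   (little-endian), 4-byte template definition offset relative to the chunk.
#   Template definition: 4-byte next-template offset, 16-byte GUID,
#   4-byte data size, then the binary XML fragment.
TEMPLATE_INSTANCE_TOKEN = 0x0C


def guid_to_str(raw16: bytes) -> str:
    """Format 16 GUID bytes in Windows mixed-endian {...} notation."""
    return "{%s}" % str(uuid.UUID(bytes_le=raw16)).upper()


def parse_template_instance(data: bytes, pos: int = 0):
    """Return (template_id, definition_offset) for a 0x0c token at pos."""
    if data[pos] != TEMPLATE_INSTANCE_TOKEN:
        raise ValueError("not a Create Template Instance token")
    return struct.unpack_from("<II", data, pos + 2)


def parse_template_definition(chunk: bytes, offset: int):
    """Return (guid_str, data_size) of the template definition at offset."""
    _next_off, raw_guid, size = struct.unpack_from("<I16sI", chunk, offset)
    return guid_to_str(raw_guid), size


def build_template_db(resources):
    """Map TemplateID -> (guid_str, dll) from (dll, guid_bytes) pairs,
    i.e. the GUIDs gathered from each file's WEVT_TEMPLATE resource."""
    db = {}
    for dll, raw_guid in resources:
        template_id = struct.unpack_from("<I", raw_guid)[0]  # first 4 bytes
        db[template_id] = (guid_to_str(raw_guid), dll)
    return db


def match_record(token_bytes: bytes, db):
    """Look up the message DLL for a carved record by its TemplateID."""
    template_id, _ = parse_template_instance(token_bytes)
    return db.get(template_id)


# Constructed sample data: the GUID from the post, a token referencing it,
# and a chunk with a template definition at 0x07d8 (hypothetical DLL name).
SAMPLE_GUID = bytes.fromhex("19613847" "65d4" "45fa" "f96ee70ffa54fbf7")
SAMPLE_TOKEN = bytes([0x0C, 0x01]) + struct.pack("<II", 0x47386119, 0x07D8)
SAMPLE_CHUNK = (b"\x00" * 0x07D8 + struct.pack("<I", 0) + SAMPLE_GUID
                + struct.pack("<I", 16) + b"\x0f\x01\x01\x00" * 4)
SAMPLE_RESOURCES = [("provider-example.dll", SAMPLE_GUID)]
```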

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.