Merge pull request #4 from airbus-cert/fix-issue-003

Fix issue 003, improve xml render, fix unit test

Author: citronneur

bin/etl2xml

@@ -9,6 +9,7 @@ from construct import ListContainer, Struct, Container
 from etl.error import GroupNotFound, VersionNotFound, EventTypeNotFound, EtwVersionNotFound, EventIdNotFound, \
     GuidNotFound, TlMetaDataNotFound, InvalidType
 from etl.etl import IEtlFileObserver, build_from_stream
+from etl.parsers.etw.core import Guid
 from etl.wintrace import WinTrace
 from etl.event import Event
 from etl.parsers.kernel import FileIo_V2_Name, ImageLoad, DiskIo_TypeGroup1, \
@@ -122,7 +123,7 @@ def log_construct_pattern(xml: Element, pattern: Struct, source: Container):
                 raise InvalidType()
         elif isinstance(source[field.name], ListContainer):
             add_attribute(xml, field.name, bytearray(source[field.name]).hex())
-        elif isinstance(source[field.name], bytes):
+        elif isinstance(source[field.name],  bytes):
             add_attribute(xml, field.name, source[field.name].hex())
         elif isinstance(source[field.name], Container):
             continue
@@ -137,8 +138,11 @@ def log_tracelogging(obj: TraceLogging) -> Element:
     """
     xml = ElementTree.Element("tracelogging")
     xml.set("name", obj.get_name())
-    for k,v in obj.items():
-        add_attribute(xml, k, str(v))
+    for k, v in obj.items():
+        if hasattr(v, "type") and v.type == "Guid":
+            add_attribute(xml, k, str(Guid(v.inner.data1, v.inner.data2, v.inner.data3, v.inner.data4)))
+        else:
+            add_attribute(xml, k, str(v))
     return xml
 
 

etl/parsers/kernel/file.py

@@ -24,4 +24,4 @@ def get_file_name(self) -> str:
         """
         :return: Associate filename
         """
-        return bytearray(self.source.FileName[:-2]).decode("utf-16le")
+        return bytearray(self.source.FileName.string[:-2]).decode("utf-16le")

etl/parsers/kernel/header.py

@@ -41,13 +41,13 @@ def get_session_name(self) -> str:
         """
         :return: ETW Session name
         """
-        return bytearray(self.source.SessionNameString[:-2]).decode("utf-16le")
+        return bytearray(self.source.SessionNameString.string[:-2]).decode("utf-16le")
 
     def get_log_filename(self) -> str:
         """
         :return: Return path of log file name
         """
-        return bytearray(self.source.LogFileNameString[:-2]).decode("utf-16le")
+        return bytearray(self.source.LogFileNameString.string[:-2]).decode("utf-16le")
 
 
 @declare(group=EventTraceGroup.EVENT_TRACE_GROUP_HEADER, version=2, event_types=[5, 32])

etl/parsers/kernel/image.py

@@ -62,7 +62,7 @@ def get_image_filename(self) -> str:
         """
         :return: Return image file name
         """
-        return bytearray(self.source.FileName[:-2]).decode("utf-16le")
+        return bytearray(self.source.FileName.string[:-2]).decode("utf-16le")
 
     def get_process_id(self) -> int:
         """

etl/parsers/kernel/process.py

@@ -33,25 +33,25 @@ def get_image_file_name(self) -> str:
         """
         :return: Image file name
         """
-        return bytearray(self.source.ImageFileName[:-1]).decode("utf8")
+        return bytearray(self.source.ImageFileName.string[:-1]).decode("utf8")
 
     def get_command_line(self) -> str:
         """
         :return: Associate command line of starting process
         """
-        return bytearray(self.source.CommandLine[:-2]).decode("utf-16le")
+        return bytearray(self.source.CommandLine.string[:-2]).decode("utf-16le")
 
     def get_package_full_name(self) -> str:
         """
         :return: Package full name
         """
-        return bytearray(self.source.PackageFullName[:-2]).decode("utf-16le")
+        return bytearray(self.source.PackageFullName.string[:-2]).decode("utf-16le")
 
     def get_application_id(self) -> str:
         """
         :return: Application id
         """
-        return bytearray(self.source.PackageFullName[:-2]).decode("utf-16le")
+        return bytearray(self.source.PackageFullName.string[:-2]).decode("utf-16le")
 
     def get_exit_status(self) -> int:
         """
@@ -102,25 +102,25 @@ def get_image_file_name(self) -> str:
         """
         :return: Image file name
         """
-        return bytearray(self.source.ImageFileName[:-1]).decode("utf8")
+        return bytearray(self.source.ImageFileName.string[:-1]).decode("utf8")
 
     def get_command_line(self) -> str:
         """
         :return: Associate command line of starting process
         """
-        return bytearray(self.source.CommandLine[:-2]).decode("utf-16le")
+        return bytearray(self.source.CommandLine.string[:-2]).decode("utf-16le")
 
     def get_package_full_name(self) -> str:
         """
         :return: Package full name
         """
-        return bytearray(self.source.PackageFullName[:-2]).decode("utf-16le")
+        return bytearray(self.source.PackageFullName.string[:-2]).decode("utf-16le")
 
     def get_application_id(self) -> str:
         """
         :return: Application id
         """
-        return bytearray(self.source.PackageFullName[:-2]).decode("utf-16le")
+        return bytearray(self.source.PackageFullName.string[:-2]).decode("utf-16le")
 
     def get_exit_status(self) -> int:
         """
@@ -181,7 +181,7 @@ def get_image_filename(self) -> str:
         """
         :return: Return image file name
         """
-        return bytearray(self.source.FileName[:-2]).decode("utf-16le")
+        return bytearray(self.source.FileName.string[:-2]).decode("utf-16le")
 
     def get_process_id(self) -> int:
         """

etl/parsers/tracelogging.py

@@ -11,7 +11,7 @@
 from enum import Enum
 from io import BytesIO
 
-from construct import Int16ul, Int8ul, CString, If, GreedyRange, LazyBound, Struct
+from construct import Int16ul, Int8ul, CString, If, GreedyRange, LazyBound, Struct, Int32ul
 from etl.error import TlMetaDataNotFound, TlUnhandledTag
 from etl.utils import Guid, SystemTime
 
@@ -52,12 +52,14 @@ class TagIn(Enum):
 TlMetaDataField = Struct(
     "name" / CString("ascii"),
     "tag_in" / Int8ul,
-    "tag_out" / If(lambda this: this.tag_in & TagIn.CHAIN.value, LazyBound(lambda: Int8ul))
+    "tag_out" / If(lambda this: this.tag_in & TagIn.CHAIN.value, LazyBound(lambda: Int8ul)),
+    "unknown" / If(lambda this: this.tag_out and bool(this.tag_out & 0x80), LazyBound(lambda: Int32ul))
 )
 
 TlMetaData = Struct(
     "size" / Int16ul,
     "tag" / Int8ul,
+    "unknown" / If(lambda this: this.tag & 0x80, LazyBound(lambda: Int8ul)),
     "name" / CString("ascii"),
     "fields" / GreedyRange(TlMetaDataField)
 )
@@ -96,6 +98,10 @@ def read_field(stream, tag):
         # Encode in ascii and ignore last null byte
         return b"".join(current).decode("ascii")[:-1]
 
+    elif tag & 0x1f == TagIn.COUNTEDANSISTRING.value:
+        length = struct.unpack("b", stream.read_exact(1))[0]
+        return stream.read_exact(length + 1).decode("ascii")
+
     elif tag & 0x1f == TagIn.INT8.value:
         return struct.unpack("b", stream.read_exact(1))[0]
     elif tag & 0x1f == TagIn.UINT8.value:

etl/utils.py

@@ -11,10 +11,13 @@
 Global Unique Identifier
 """
 Guid = Struct(
-    "data1" / Int32ul,
-    "data2" / Int16ul,
-    "data3" / Int16ul,
-    "data4" / Byte[8]
+    "type" / Computed("Guid"),
+    "inner" / Struct (
+        "data1" / Int32ul,
+        "data2" / Int16ul,
+        "data3" / Int16ul,
+        "data4" / Byte[8]
+    )
 )
 
 """

tests/example/lxcore_kernel.etl

@@ -75,7 +75,7 @@ def test_tracelogging_guid(self):
         tl = build_tracelogging(event)
         self.assertEqual(tl.get_name(), "Test", "Invalid Name")
         parsed_guid = tl["Engine"]
-        self.assertEqual(Guid(parsed_guid.data1, parsed_guid.data2, parsed_guid.data3, parsed_guid.data4), guid("00000000-0000-0000-0000-000000000000"), "Invalid GUID")
+        self.assertEqual(Guid(parsed_guid.inner.data1, parsed_guid.inner.data2, parsed_guid.inner.data3, parsed_guid.inner.data4), guid("00000000-0000-0000-0000-000000000000"), "Invalid GUID")
 
     def test_array_uint8(self):
         """
@@ -103,4 +103,18 @@ def test_array_uint16(self):
         event.user_data = b'\x10\x00' + b'\x00' * 32
         tl = build_tracelogging(event)
         self.assertEqual(tl.get_name(), "Test", "Invalid Name")
+        self.assertEqual(tl["Engine"], [0] * 16)
+
+    def test_extended_flag(self):
+        """
+        Test the deserialization of an array UINT16 element
+        """
+        event = Container()
+        meta = Container()
+        meta.ext_type = 11
+        meta.data_item = b'\x10\x00\x80\x00Test\x00Engine\x00\x26'
+        event.extended_data = ListContainer([meta])
+        event.user_data = b'\x10\x00' + b'\x00' * 32
+        tl = build_tracelogging(event)
+        self.assertEqual(tl.get_name(), "Test", "Invalid Name")
         self.assertEqual(tl["Engine"], [0] * 16)