All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- (bugfix) Fix JSON output when a node with attributes has the same key several times. Thanks @yardlogs
- Binaries for Linux and macOS are now PGO optimized (should yield a 10-20% performance improvement).
- Dependencies updated to their latest versions.
- (bugfix) Fix off-by-6 bug in assemble.rs by @dgmcdona in #238
- #232 - Support for size_t, thanks @alexkornitzer
- A new feature for `evtx-dump` which allows selective dumping of event ranges.
- Added builds for Apple Silicon Macs via cross compilation.
- Ignore invalid header flags - thanks @Oskar65536
- Don't panic when a date has an invalid value (use 1601-01-01 if the raw value is 0, return an error otherwise). #209
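The entry above describes the parser's handling of invalid timestamp values. EVTX records carry Windows FILETIME timestamps (100-nanosecond ticks since 1601-01-01 UTC, which is why that date is the fallback for a raw value of 0). The following is an added example, not the crate's own code, showing one way to decode such a value so that a zero maps to the epoch, an out-of-range value becomes an error instead of a crash, and a caller that wants a non-raising variant gets `None`. The function names and the range check against Python's `datetime` limit are this example's own choices.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME: number of 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Largest tick count that still fits Python's datetime (year 9999). Anything
# above it is reported as invalid rather than raising OverflowError deep inside
# the conversion. (Assumption of this example, not a limit of the EVTX format.)
_MAX_TICKS = (
    (datetime(9999, 12, 31, 23, 59, 59, tzinfo=timezone.utc) - FILETIME_EPOCH)
    // timedelta(microseconds=1)
) * 10


def filetime_to_datetime(raw: int) -> datetime:
    """Decode a raw FILETIME value into an aware UTC datetime.

    A raw value of 0 yields 1601-01-01 (the FILETIME epoch); values that are
    negative, wider than 64 bits, or beyond the representable range raise
    ValueError so the caller can decide how to report the record.
    """
    if not 0 <= raw <= 0xFFFF_FFFF_FFFF_FFFF:
        raise ValueError(f"FILETIME must be an unsigned 64-bit value, got {raw!r}")
    if raw == 0:
        return FILETIME_EPOCH
    if raw > _MAX_TICKS:
        raise ValueError(f"FILETIME {raw:#x} is outside the representable range")
    # Ticks are 100 ns; datetime resolution is 1 us, so divide by 10.
    return FILETIME_EPOCH + timedelta(microseconds=raw // 10)


def filetime_to_iso(raw: int) -> str:
    """Convenience wrapper returning an ISO-8601 string."""
    return filetime_to_datetime(raw).isoformat()


def filetime_or_none(raw: int):
    """Non-raising variant for bulk processing of dirty samples."""
    try:
        return filetime_to_datetime(raw)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed sample values: zero, the Unix epoch, and an all-ones value.
    for sample in (0, 116444736000000000, 2**64 - 1):
        print(f"{sample:#x} -> {filetime_or_none(sample)}")
```

The Unix epoch (1970-01-01) corresponds to 116444736000000000 ticks, which is a handy sanity check for any FILETIME decoder.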
- Use `insta` for snapshot testing
- Convert `#text` to an array if multiple elements with the same name exist
- Fix flags to be proper bitmasks and add no-CRC flag (#188) - thanks @Robo210
- `fast-alloc` is no longer on by default, to support static MUSL builds for `evtx-dump`. To enable it, build with `--features fast-alloc`.
- Static binaries are now published for Linux! Take `evtx-dump` with you everywhere :)
- CI was migrated to GitHub Actions from Azure Pipelines.
- Fixed some imports which mistakenly imported serde internals.
- Allow for arbitrarily large EVTX files to parse correctly. (#128)
- Added `calculated_chunk_count` field to `EvtxParser`
- `impl Debug` for `EvtxParser`
- Use calculated chunk count rather than header chunk count to continue parsing past 4294901760 bytes of chunk data.
- Moved function/error chunk indexes to `u64` instead of `u16` to allow for chunk indexes larger than `u16::MAX`
- Another tiny fix where the parser might loop on very specific samples. Thanks @codekoala for the patch!
10% speedup by using LTO on release builds.
- Enabled link-time optimization.
This release should make `evtx_dump` 3 times faster on Windows machines! Also about 25% faster on Linux machines.

NOTE: this does not affect library code using `evtx`, only the binary target `evtx_dump`. If you are using `evtx` as a library, you might benefit significantly from adopting a custom allocator!
- Added `jemalloc`/`rpmalloc` (Windows) to take advantage of smarter allocation management.
- Use buffered writing in `evtx_dump`.
- Better utilization of cached strings.
This version should be 10-15% faster!
- When using separate json attributes, if the element's value is empty, remove the empty mapping. #71
- An edge case where huge files could cause the parser to get stuck.
- A regression with `--separate-json-attributes` caused by improvements in 0.6.0 to JSON parsing for non-standard XML documents.
- Support for `EntityRef` nodes.
- Error reporting should be better with this version.
- A bug where the parser was accepting NUL bytes as strings.
- Fixed a bug where UTF-16 strings would yield more bytes after UTF-8 conversion and would be rejected.
- Support an edge case when some data might be missing from an `OpenStartElement` node.
- A bug where XML records having multiple nodes with the same name would be incorrectly converted to JSON, e.g.

```xml
<HTTPResponseHeadersInfo>
<Header>HTTP/1.1 200 OK</Header>
<Header>Connection: keep-alive</Header>
<Header>Date: Thu, 18 May 2017 11:37:58 GMT</Header>
<Header>Content-Length: 813</Header>
<Header>Content-Type: application/pkix-crl</Header>
<Header>Last-Modified: Tue, 02 May 2017 22:24:24 GMT</Header>
<Header>ETag: 0x8D491A9FD112A27</Header>
<Header>Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0</Header>
<Header>x-ms-request-id: 477c132d-0001-0045-443b-c49ae1000000</Header>
<Header>x-ms-version: 2009-09-19</Header>
<Header>x-ms-lease-status: unlocked</Header>
<Header>x-ms-blob-type: BlockBlob</Header>
</HTTPResponseHeadersInfo>
```

will now be converted to:

```json
{
  "HTTPResponseHeadersInfo": {
    "Header": "x-ms-blob-type: BlockBlob",
    "Header_1": "HTTP/1.1 200 OK",
    "Header_10": "x-ms-version: 2009-09-19",
    "Header_11": "x-ms-lease-status: unlocked",
    "Header_2": "Connection: keep-alive",
    "Header_3": "Date: Thu, 18 May 2017 11:37:58 GMT",
    "Header_4": "Content-Length: 813",
    "Header_5": "Content-Type: application/pkix-crl",
    "Header_6": "Last-Modified: Tue, 02 May 2017 22:24:24 GMT",
    "Header_7": "ETag: 0x8D491A9FD112A27",
    "Header_8": "Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0",
    "Header_9": "x-ms-request-id: 477c132d-0001-0045-443b-c49ae1000000"
  }
}
```
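The sample above fixes the key naming for repeated sibling elements, and anyone writing detections or parsers over `evtx_dump` JSON needs to know that shape: the newest repeated element keeps the bare key and earlier ones are pushed to `Header_1`, `Header_2`, and so on, with keys emitted in sorted order. The following is an added example, not the crate's own converter, that reproduces that shape from the quoted XML. The rename rule is inferred from the sample output, attributes are ignored to keep the example focused, and all function names are this example's own.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample input: the XML fragment quoted in the changelog entry.
SAMPLE_XML = """<HTTPResponseHeadersInfo>
<Header>HTTP/1.1 200 OK</Header>
<Header>Connection: keep-alive</Header>
<Header>Date: Thu, 18 May 2017 11:37:58 GMT</Header>
<Header>Content-Length: 813</Header>
<Header>Content-Type: application/pkix-crl</Header>
<Header>Last-Modified: Tue, 02 May 2017 22:24:24 GMT</Header>
<Header>ETag: 0x8D491A9FD112A27</Header>
<Header>Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0</Header>
<Header>x-ms-request-id: 477c132d-0001-0045-443b-c49ae1000000</Header>
<Header>x-ms-version: 2009-09-19</Header>
<Header>x-ms-lease-status: unlocked</Header>
<Header>x-ms-blob-type: BlockBlob</Header>
</HTTPResponseHeadersInfo>"""


def element_to_value(elem):
    """Convert one element to a JSON value.

    Leaf elements become their text. Elements with children become an object.
    When a child tag repeats, the value currently stored under the bare tag is
    moved to "<tag>_<n>" (n = 1, 2, ...) and the newer value takes the bare
    tag, so the last occurrence ends up under "Header" and the first under
    "Header_1", exactly as in the changelog sample. This rule is inferred from
    that sample; it is not the crate's implementation. Attributes are ignored.
    """
    children = list(elem)
    if not children:
        return (elem.text or "").strip()

    obj = {}
    displaced = {}  # tag -> how many earlier values have been renamed so far
    for child in children:
        tag = child.tag
        value = element_to_value(child)
        if tag in obj:
            displaced[tag] = displaced.get(tag, 0) + 1
            obj[f"{tag}_{displaced[tag]}"] = obj[tag]
        obj[tag] = value
    return obj


def xml_to_json_dict(xml_text):
    """Parse the XML text and return {root_tag: converted_body}."""
    root = ET.fromstring(xml_text)
    return {root.tag: element_to_value(root)}


def xml_to_json(xml_text):
    """Serialise with sorted keys, which gives the lexicographic order shown in
    the sample (Header, Header_1, Header_10, Header_11, Header_2, ...)."""
    return json.dumps(xml_to_json_dict(xml_text), indent=2, sort_keys=True)


if __name__ == "__main__":
    print(xml_to_json(SAMPLE_XML))
```

Note that a consumer matching on `Header` alone will only ever see the last repeated element; to enumerate all of them, collect every key that is `Header` or starts with `Header_`.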
- A bug which causes a panic (bounds check) on some corrupted records.
- `EvtxParser::records_json_value()` to allow working with records as a `serde_json::Value`. See `test_into_json_value_records` for an example.
- `EvtxRecord::into_output`, allowing serializing a record using a user-defined `BinXmlOutput` type.
- `SerializedEvtxRecord` is now generic over its `data`, allowing a simplified `BinXmlOutput` trait.
- `--separate_json_attributes` to allow producing a flat JSON structure.
- Updated deps.
- File output is now supported by `evtx_dump`: `--output` to allow writing to files, `--no-confirm-overwrite` to allow the binary to overwrite existing files.
- Logs are now printed to stderr instead of stdout
- Failure exit code is now `1` instead of `-1`
- Some of the structs used in parsing evtx have been moved to `winstructs`
- A sneaky `dbg!` print found its way into the release; added `#![deny(clippy::dbg_macro)]` to ensure this won't happen again.
- `EvtxParser::from_read_seek` is now public.
- Updated deps.
- Implemented ANSI codecs! `--ansi-codec` to control the codec that will be used to decode ANSI-encoded strings inside the document.
- Parser will now print nicer messages when passed non-evtx files.
This is a minor release due to the removal of `failure`.
- `--backtraces` to control backtraces in errors
- `-v`, `-vv`, `-vvv` to control trace output in `evtx_dump`.
- All errors in the crate are of a uniform `evtx::err::Error` type. Errors are implemented with `snafu` and are std compatible. In addition, errors now all contain backtraces.
- Parser will now correctly parse files which refer to binxml fragments as sized values. (#33)
- Parser is less strict with samples that contain multiple EOF markers (inside nested XML fragments)
This version is the first .2 version to have Python support!
- `IntoIterChunks` for owned iteration over the chunks.
- `--no-indent` flag for XML and JSON
- `--dont-show-record-number` to avoid printing record numbers.
- `-o jsonl` for JSON Lines output (same as `-o json --no-indent --dont-show-record-number`).
- Parser is less strict in dirty samples which contain some amount of corrupted binxml data, and will try to recover the record.
- Don't unwrap on empty binxmlname elements.
- Performance improvements. Parser should be ~15% faster (thanks @ohadravid)
- `--validate-checksums` flag to optionally be strict about checksum checks for chunk headers.
- Fixed missing data when parsing `StringArray` nodes. (thanks @ohadravid)
- Samples containing empty chunks (thanks @ohadravid)
- More API is now public, for use by library authors who want access to lower level primitives and types.
This release contains some minor breaking changes to the API.
- Added JSON output support! JSON support is powered by serde and is zero-copy! This means there isn't much performance difference between the XML output and the JSON output.
- The deserializer is now lazy (thanks @ohadravid!). This allows filtering records on their metadata before serializing them, to save time.
- Changed parallel iteration to rely only on `ParserSettings`, so `.parallel_records` has been removed. `EvtxParser` now needs to be mutable when deserializing records.
- When outputting as XML, inner XML strings will be escaped; when using JSON, they will not be escaped.
- Parser will now coerce values of booleans which are not zero or one to true.
- Now supporting `SystemTime`, floating types, and all numerical array types.
- Strip NULs from ASCII strings as well.
- Now using `quick-xml`, which microbenchmarks show is about 15-20% faster than `xml-rs`.
- Removed trailing nul terminators from all strings.
- Changed hex formatting padding.
- Changed binary output formatting to hexdump.
- Range error when reading last chunk (#2)
- Parser will now try to read more records even when surpassing the declared chunk number.
- Fixed missing xml close tag (#1)
- Removed `.unwrap()` from XML parsing code.
- Renamed associated binary to `evtx_dump`
- Changed `assert_eq` to `debug_assert_eq`, to ensure the library won't crash in FFI.
- A regression introduced from #6 for files with a single chunk.
- Removed some uses of `.unwrap()` inside the records iterator, to communicate errors better.
- A bug with files that have only a single chunk failing at the end.
- Multithreading support via rayon
- Removed unsafe memory mapping code, use generics instead.
- Fixed a bug with chunk iteration
- Fixed a bug with chunk iteration
Initial Release