feat: capture attempted logging events in executions

plugins/CMakeLists.txt

@@ -70,4 +70,5 @@ add_subdirectory(callstack)
 add_subdirectory(apicall_tracer)
 add_subdirectory(memory_regions)
 add_subdirectory(pmemdump)
+add_subdirectory(logging_events)
 #add_subdirectory(volatility)

plugins/apicall_tracer/apicall_tracer.cc

@@ -547,10 +547,10 @@ void uninit_plugin(void* self)
     if (!g_initialized) {
         // create output file
         std::fstream results;
-	results.open(g_database_path,
+	    results.open(g_database_path,
 		     std::fstream::in | std::fstream::out | std::fstream::trunc);
         results.close();
 	throw std::runtime_error(
-            "panda introspection never initialized. Corrupted recording?");
+        "panda introspection never initialized. Corrupted recording?");
     }
 }

plugins/logging_events/CMakeLists.txt

@@ -0,0 +1,41 @@
+set(PANDA_PLUGIN_NAME "logging_events")
+set(PLUGIN_TARGET "panda_${PANDA_PLUGIN_NAME}")
+
+# The logging events plugin requires linking against python
+find_package(PythonLibs 3.8 REQUIRED)
+if (NOT PYTHONLIBS_FOUND)
+	message(FATAL_ERROR "Could not find python libraries. Is python-dev installed?")
+endif()
+include_directories(${PYTHON_INCLUDE_DIRS})
+
+# Set flags, build, and link the actual plugin
+add_definitions(-DNEED_CPU_H)
+include_directories(${CMAKE_CURRENT_BINARY_DIR})
+set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wall -std=c++11")
+set(LINK_LIBS ${PYTHON_LIBRARIES} -lavro liboffset libiohal libosi)
+set(SRC_FILES ${PANDA_PLUGIN_NAME}_new.cpp ../volatility/filter.cc)
+
+
+set(LINK_LIBS_I386 ${LINK_LIBS} panda_ipanda-i386 panda_callstack-i386)
+set(LINK_LIBS_X86_64 ${LINK_LIBS} panda_ipanda-x86_64 panda_callstack-x86_64)
+
+set(TARGET_DEPS_I386 panda_ipanda-i386)
+set(TARGET_DEPS_X86_64 panda_ipanda-x86_64)
+
+add_custom_command(OUTPUT ${PANDA_PLUGIN_DIR_I386}/evtxglue.py
+    COMMAND ${CMAKE_COMMAND} -E copy_if_different ${CMAKE_CURRENT_SOURCE_DIR}/evtxglue.py ${PANDA_PLUGIN_DIR_I386}/evtxglue.py
+    DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/evtxglue.py)
+add_custom_command(OUTPUT ${PANDA_PLUGIN_DIR_X86_64}/evtxglue.py
+    COMMAND ${CMAKE_COMMAND} -E copy_if_different ${CMAKE_CURRENT_SOURCE_DIR}/evtxglue.py ${PANDA_PLUGIN_DIR_X86_64}/evtxglue.py
+    DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/evtxglue.py)
+add_custom_target(evtxglue-script ALL 
+    DEPENDS ${PANDA_PLUGIN_DIR_I386}/evtxglue.py ${PANDA_PLUGIN_DIR_X86_64}/evtxglue.py)
+
+add_i386_plugin(${PLUGIN_TARGET} SRC_FILES LINK_LIBS_I386)
+add_x86_64_plugin(${PLUGIN_TARGET} SRC_FILES LINK_LIBS_X86_64)
+
+add_dependencies(${PLUGIN_TARGET}-i386 ${TARGET_DEPS_I386})
+add_dependencies(${PLUGIN_TARGET}-x86_64 ${TARGET_DEPS_X86_64})
+
+install(FILES ${PANDA_PLUGIN_DIR_I386}/evtxglue.py DESTINATION lib/panda/i386)
+install(FILES ${PANDA_PLUGIN_DIR_X86_64}/evtxglue.py DESTINATION lib/panda/x86_64)

plugins/logging_events/evtxglue.py

@@ -0,0 +1,27 @@
+import evtxtract, json, traceback
+from collections import defaultdict
+
+def run(imagename):
+    with open(imagename, 'rb') as f:
+        buf = f.read()
+    offsets = evtxtract.carvers.find_evtx_records(buf)
+
+    analysis_results = defaultdict(list)
+    for offset in offsets:
+        try:
+            record = evtxtract.carvers.extract_record(buf, offset)
+            analysis_results[record.substitutions[14][1]].append(str(record))
+            records.append(record)
+        except Exception:
+            continue
+
+    json_str = json.dumps(analysis_results, indent=1)
+    return json_str
+
+if __name__ == "__main__":
+    import argparse
+
+    parser = argparse.ArgumentParser(description="Test analysis")
+    parser.add_argument("--image_name", default="../volatility/mymem.dd")
+    args = parser.parse_args()
+    print(run(args.image_name))