

updates
puffyCid committed Jun 15, 2024
1 parent 3a1e85e commit e50ed40
Showing 7 changed files with 35 additions and 32 deletions.
2 changes: 1 addition & 1 deletion common/src/windows.rs
Expand Up @@ -1006,7 +1006,7 @@ pub struct NetworkConnectivityInfo {
pub interface_luid: i64,
pub l2_profile_id: i64,
pub connected_time: i32,
pub connect_start_time: i64,
pub connect_start_time: String,
pub l2_profile_flags: i32,
}

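Review bot: `connect_start_time` in `NetworkConnectivityInfo` changes from `i64` to `String` with no doc comment saying what the string now holds, and because this is a `pub` field of a `pub` struct in the shared `common` crate, any consumer or serialized output that expected a numeric value changes shape without a compile-time signal for readers of the emitted JSON. A one-line doc comment would record the new contract, e.g. `/// ConnectStartTime rendered as an ISO 8601 string (converted from FILETIME)`; the FILETIME origin is inferred from the network.rs hunk in this commit, so confirm it before settling on the wording. The struct definition starts outside the hunk.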
9 changes: 4 additions & 5 deletions core/src/artifacts/os/windows/ese/tables.rs
Expand Up @@ -16,7 +16,7 @@ use crate::{
nom_unsigned_two_bytes, Endian,
},
strings::extract_ascii_utf16_string,
time::{filetime_to_unixepoch, ole_automationtime_to_unixepoch},
time::{filetime_to_unixepoch, ole_automationtime_to_unixepoch, unixepoch_to_iso},
uuid::format_guid_le_bytes,
},
};
Expand Down Expand Up @@ -207,15 +207,14 @@ fn column_data_to_string<'a>(
if flags.contains(&ColumnFlags::NotNull) {
let (input, filetime_data) = nom_unsigned_eight_bytes(data, Endian::Le)?;
let filetime = filetime_to_unixepoch(&filetime_data);
let value = format!("{filetime}");
(input, value)

(input, unixepoch_to_iso(&filetime))

} else {
let (input, float_data) = take(size_of::<u64>())(data)?;
let (_, float_value) = le_f64(float_data)?;
let oletime = ole_automationtime_to_unixepoch(&float_value);

let value = format!("{oletime}");
(input, value)
(input, unixepoch_to_iso(&oletime))
}
}
ColumnType::LongBinary | ColumnType::Binary => {
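Review bot: The `DateTime` branch of `column_data_to_string` now returns an ISO 8601 string where it previously returned the epoch integer as text, and nothing in the function records that, so any caller outside this commit that still does `column_data.parse::<i64>()` on a DateTime column will silently receive `unwrap_or_default()` fallbacks (the SRUM tables are updated in this commit; other ESE consumers are not visible here). A comment above the `NotNull` check, `// DateTime columns are rendered as ISO 8601 (FILETIME when NotNull, OLE automation date otherwise); callers must not parse them as integers`, would make the contract explicit at the source. Neither new return line is exercised by a test in this diff. `column_data_to_string` starts and ends outside the hunk.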
6 changes: 4 additions & 2 deletions core/src/artifacts/os/windows/registry/keys/data.rs
Expand Up @@ -4,6 +4,7 @@ use crate::{
encoding::base64_encode_standard,
nom_helper::{nom_unsigned_four_bytes, nom_unsigned_two_bytes, Endian},
strings::{extract_multiline_utf16_string, extract_utf16_string},
time::{filetime_to_unixepoch, unixepoch_to_iso},
},
};
use log::error;
Expand Down Expand Up @@ -86,7 +87,8 @@ pub(crate) fn parse_qword_filetime(

let value = if filetime {
let (_, value) = le_u64(allocated_data)?;
format!("{value}")
let reg_time = filetime_to_unixepoch(&value);
unixepoch_to_iso(&reg_time)
} else {
let (_, value) = le_i64(allocated_data)?;
format!("{value}")
Expand Down Expand Up @@ -349,7 +351,7 @@ mod tests {
];

let (_, result) = parse_qword_filetime(&test_data, 0, 8, true).unwrap();
assert_eq!(result, "132160996147660000");
assert_eq!(result, "2019-10-21T02:46:54.000Z");
}

#[test]
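Review bot: The updated expectation `"2019-10-21T02:46:54.000Z"` for FILETIME `132160996147660000` shows the conversion discards the sub-second part (that FILETIME is 1571626014.766 seconds past the Unix epoch, and the output ends in `.000Z`), so `parse_qword_filetime` now loses the 100 ns resolution the raw value carried; for a forensic registry timestamp that precision is often what an analyst correlates on, so either the helpers should carry fractional seconds or the loss should be stated in the function's doc comment. A comment on the new lines such as `// FILETIME -> Unix epoch -> ISO 8601; sub-second precision is dropped by the helpers` would at least make it visible to readers. `parse_qword_filetime` starts outside the hunk.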
9 changes: 3 additions & 6 deletions core/src/artifacts/os/windows/srum/tables/application.rs
Expand Up @@ -42,8 +42,7 @@ pub(crate) fn parse_application(
app.auto_inc_id = column.column_data.parse::<i32>().unwrap_or_default();
}
"TimeStamp" => {
app.timestamp =
unixepoch_to_iso(&column.column_data.parse::<i64>().unwrap_or_default());
app.timestamp.clone_from(&column.column_data);
}
"AppId" => {
if let Some(value) = lookups.get(&column.column_data) {
Expand Down Expand Up @@ -193,8 +192,7 @@ pub(crate) fn parse_app_timeline(
energy.auto_inc_id = column.column_data.parse::<i32>().unwrap_or_default();
}
"TimeStamp" => {
energy.timestamp =
unixepoch_to_iso(&column.column_data.parse::<i64>().unwrap_or_default());
energy.timestamp.clone_from(&column.column_data);

}
"AppId" => {
if let Some(value) = lookups.get(&column.column_data) {
Expand Down Expand Up @@ -382,8 +380,7 @@ pub(crate) fn parse_vfu_provider(
app.auto_inc_id = column.column_data.parse::<i32>().unwrap_or_default();
}
"TimeStamp" => {
app.timestamp =
unixepoch_to_iso(&column.column_data.parse::<i64>().unwrap_or_default());
app.timestamp.clone_from(&column.column_data);

}
"AppId" => {
if let Some(value) = lookups.get(&column.column_data) {
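Review bot: Each `"TimeStamp"` arm now copies `column.column_data` verbatim (here and in the two later hunks of this file, and likewise in energy.rs, network.rs and notifications.rs), which is only correct because the ESE DateTime column is rendered as ISO 8601 elsewhere in this commit; that dependency is invisible at the call site, so a comment such as `// TimeStamp is already an ISO 8601 string from the ESE DateTime column parser` on each arm would stop a future reader from re-adding a numeric parse. This file's import block is untouched, so if `unixepoch_to_iso` has no remaining use in application.rs it will now raise an unused-import warning (notifications.rs drops that import in this same commit). None of the three new lines is covered by a test in this diff. The enclosing functions start and end outside the hunks.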
16 changes: 9 additions & 7 deletions core/src/artifacts/os/windows/srum/tables/energy.rs
@@ -1,4 +1,7 @@
use crate::{artifacts::os::windows::srum::error::SrumError, utils::time::unixepoch_to_iso};
use crate::{
artifacts::os::windows::srum::error::SrumError,
utils::time::{filetime_to_unixepoch, unixepoch_to_iso},
};
use common::windows::{EnergyInfo, EnergyUsage, TableDump};
use log::error;
use serde_json::Value;
Expand All @@ -25,8 +28,7 @@ pub(crate) fn parse_energy(
energy.auto_inc_id = column.column_data.parse::<i32>().unwrap_or_default();
}
"TimeStamp" => {
energy.timestamp =
unixepoch_to_iso(&column.column_data.parse::<i64>().unwrap_or_default());
energy.timestamp.clone_from(&column.column_data);

}
"AppId" => {
if let Some(value) = lookups.get(&column.column_data) {
Expand Down Expand Up @@ -86,8 +88,7 @@ pub(crate) fn parse_energy_usage(
match column.column_name.as_str() {
"AutoIncId" => energy.auto_inc_id = column.column_data.parse::<i32>().unwrap(),
"TimeStamp" => {
energy.timestamp =
unixepoch_to_iso(&column.column_data.parse::<i64>().unwrap_or_default());
energy.timestamp.clone_from(&column.column_data);

}
"AppId" => {
if let Some(value) = lookups.get(&column.column_data) {
Expand All @@ -104,8 +105,9 @@ pub(crate) fn parse_energy_usage(
energy.user_id.clone_from(&column.column_data);
}
"EventTimestamp" => {
energy.event_timestamp =
unixepoch_to_iso(&column.column_data.parse::<i64>().unwrap_or_default());
energy.event_timestamp = unixepoch_to_iso(&filetime_to_unixepoch(
&column.column_data.parse::<u64>().unwrap_or_default(),
));

}
"StateTransition" => {
energy.state_transition = column.column_data.parse::<i32>().unwrap();
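Review bot: In the `"EventTimestamp"` arm of `parse_energy_usage`, `parse::<u64>().unwrap_or_default()` turns an empty or non-numeric column into FILETIME 0, which then flows through `filetime_to_unixepoch` and `unixepoch_to_iso` and lands in the record as a real-looking timestamp rather than an empty field; for a forensic artifact a fabricated date is worse than a blank. Gating the conversion on a successful parse keeps the field empty on bad input: `if let Ok(filetime) = column.column_data.parse::<u64>() { energy.event_timestamp = unixepoch_to_iso(&filetime_to_unixepoch(&filetime)); }`. The `"ConnectStartTime"` arm in network.rs has the same shape and would take the same guard. What `unixepoch_to_iso` renders for a zero FILETIME is not visible here, so confirm the current output before relying on it. `parse_energy_usage` continues outside the hunk.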
20 changes: 12 additions & 8 deletions core/src/artifacts/os/windows/srum/tables/network.rs
@@ -1,4 +1,7 @@
use crate::{artifacts::os::windows::srum::error::SrumError, utils::time::unixepoch_to_iso};
use crate::{
artifacts::os::windows::srum::error::SrumError,
utils::time::{filetime_to_unixepoch, unixepoch_to_iso},
};
use common::windows::{NetworkConnectivityInfo, NetworkInfo, TableDump};
use log::error;
use serde_json::Value;
Expand Down Expand Up @@ -29,8 +32,8 @@ pub(crate) fn parse_network(
network.auto_inc_id = column.column_data.parse::<i32>().unwrap_or_default();
}
"TimeStamp" => {
network.timestamp =
unixepoch_to_iso(&column.column_data.parse::<i64>().unwrap_or_default());
network.timestamp.clone_from(&column.column_data);
// unixepoch_to_iso(&column.column_data.parse::<i64>().unwrap_or_default());

}
"AppId" => {
if let Some(value) = lookups.get(&column.column_data) {
Expand Down Expand Up @@ -96,7 +99,7 @@ pub(crate) fn parse_network_connectivity(
l2_profile_id: 0,
l2_profile_flags: 0,
connected_time: 0,
connect_start_time: 0,
connect_start_time: String::new(),
};

for column in rows {
Expand All @@ -105,8 +108,8 @@ pub(crate) fn parse_network_connectivity(
network.auto_inc_id = column.column_data.parse::<i32>().unwrap_or_default();
}
"TimeStamp" => {
network.timestamp =
unixepoch_to_iso(&column.column_data.parse::<i64>().unwrap_or_default());
network.timestamp.clone_from(&column.column_data);
//unixepoch_to_iso(&column.column_data.parse::<i64>().unwrap_or_default());
}
"AppId" => {
if let Some(value) = lookups.get(&column.column_data) {
Expand Down Expand Up @@ -136,8 +139,9 @@ pub(crate) fn parse_network_connectivity(
network.connected_time = column.column_data.parse::<i32>().unwrap_or_default();
}
"ConnectStartTime" => {
network.connect_start_time =
column.column_data.parse::<i64>().unwrap_or_default();
network.connect_start_time = unixepoch_to_iso(&filetime_to_unixepoch(
&column.column_data.parse::<u64>().unwrap_or_default(),
));
}
_ => continue,
}
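Review bot: The `"TimeStamp"` arms in `parse_network` and `parse_network_connectivity` leave the old conversion behind as commented-out code (`// unixepoch_to_iso(&column.column_data.parse::<i64>().unwrap_or_default());`); the commit history already preserves it, so both commented lines should be deleted. If the intent is to record why the parse was dropped, a sentence serves better than dead code: `// TimeStamp arrives as ISO 8601 from the ESE DateTime column; no conversion needed`. Both functions start and end outside their hunks.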
5 changes: 2 additions & 3 deletions core/src/artifacts/os/windows/srum/tables/notifications.rs
@@ -1,4 +1,4 @@
use crate::{artifacts::os::windows::srum::error::SrumError, utils::time::unixepoch_to_iso};
use crate::artifacts::os::windows::srum::error::SrumError;
use common::windows::{NotificationInfo, TableDump};
use log::error;
use serde_json::Value;
Expand Down Expand Up @@ -27,8 +27,7 @@ pub(crate) fn parse_notification(
notif.auto_inc_id = column.column_data.parse::<i32>().unwrap_or_default();
}
"TimeStamp" => {
notif.timestamp =
unixepoch_to_iso(&column.column_data.parse::<i64>().unwrap_or_default());
notif.timestamp.clone_from(&column.column_data);

}
"AppId" => {
if let Some(value) = lookups.get(&column.column_data) {
