fix PMC formatbug when handling PMC with more than 256 rules #28

Author: eronnen

docs/PMC Format.md

@@ -7,13 +7,13 @@ a record structure, that contains the name of the option and its value. The reco
 
 **CONFIGURATION_RECORD**
 
-| Data Type | Description                                                  |
-| --------- | ------------------------------------------------------------ |
-| Uint32    | The size of the record                                       |
-| Uint32    | The size of the first 4 fields (0x10)                        |
-| Uint32    | The size of the first 5 fields (0x10 plus name size in bytes) |
-| Uint32    | The size of the data                                         |
-| Wchar_t[] | The name of the configuration option                         |
+| Data Type | Description                                                                  |
+|-----------|------------------------------------------------------------------------------|
+| Uint32    | The size of the record                                                       |
+| Uint32    | The size of the first 4 fields (0x10)                                        |
+| Uint32    | The size of the first 5 fields (0x10 plus name size in bytes)                |
+| Uint32    | The size of the data                                                         |
+| Wchar_t[] | The name of the configuration option                                         |
 | Byte[]    | the value of the configuration option (format depends on which option it is) |
 
 In the default configuration of Procmon, there are 20 configuration options:
@@ -44,23 +44,22 @@ The filter rules are represented by the following layout:
 **FILTER_RULES**
 
 | Data Type     | Description                      |
-| ------------- | -------------------------------- |
+|---------------|----------------------------------|
 | Byte          | Unknown                          |
-| Byte          | the number of rules in the array |
+| Uint32        | the number of rules in the array |
 | FILTER_RULE[] | array of all the rules           |
-| Byte[3]       | Unknown                          |
 
 Each filter rule contains the column type it checks  (like "PID", "Path", ...), the relation type (like "is", "contains", "starts with", ...) and the value to compare to, and whether to include events that matches this rule or exclude them. A rule is represented by the following layout:
 
 **FILTER_RULE**
 
-| Data Type | Description                                                  |
-| --------- | ------------------------------------------------------------ |
-| Byte[3]   | Unknown                                                      |
-| Uint32    | Column type - see ```class Column(enum.IntEnum)``` in [consts.py](../procmon_parser/consts.py) |
+| Data Type | Description                                                                                             |
+|-----------|---------------------------------------------------------------------------------------------------------|
+| Uint32    | Column type - see ```class Column(enum.IntEnum)``` in [consts.py](../procmon_parser/consts.py)          |
 | Uint32    | Relation type  - see ```class RuleRelation(enum.IntEnum)``` in [consts.py](../procmon_parser/consts.py) |
-| Byte      | Whether to include this filter if it matches an event or exclude it. |
-| Uint32    | The length of the value string in bytes                      |
-| Wchar_t[] | The value                                                    |
-| Byte[5]   | Unknown                                                      |
+| Byte      | Whether to include this filter if it matches an event or exclude it.                                    |
+| Uint32    | The length of the value string in bytes                                                                 |
+| Wchar_t[] | The value                                                                                               |
+| Uint32    | The value as integer                                                                                    |
+| Uint32    | Unknown                                                                                                 |
 

procmon_parser/configuration_format.py

@@ -70,7 +70,6 @@ def get_rule_integer_value(column, value):
 RawRuleStruct = """
 Struct that contains a single rule which can be applied on the process monitor events.
 """ * Struct(
-    "reserved1" / Default(Bytes(3), 0) * "!!Unknown field!!",
     "column" / ColumnType,
     "relation" / RuleRelationType,
     "action" / RuleActionType,
@@ -80,9 +79,9 @@ def get_rule_integer_value(column, value):
     "value" / FixedUTF16CString(lambda this: this.value_length, "value"),
     "after_value_offset" / Tell,  # NOT IN THE REAL FORMAT - USED FOR BUILDING ONLY
     "int_value" / Rebuild(Int32ul, lambda this: get_rule_integer_value(this.column, this.value)),
-    "reserved2" / Default(Bytes(1), 0) * "!!Unknown field!!",
+    "reserved" / Default(Int32ul, 0) * "!!Unknown field!!",
 
-    # To calculate value string in build time
+    # NOT IN THE REAL FORMAT - used to calculate value string in build time
     "value_length" / Pointer(lambda this: this.value_offset,
                              Default(Int32ul, lambda this: this.after_value_offset - this.before_value_offset))
 )
@@ -101,10 +100,9 @@ def _encode(self, obj, context, path):
 RawRulesStruct = """
 Struct that contains a list of procmon rules.
 """ * Struct(
-    "reserved1" / Const(1, Int8ul) * "!!Unknown field!!",
-    "rules_count" / Rebuild(Int8ul, lambda this: len(this.rules)),
+    "reserved" / Const(1, Int8ul) * "!!Unknown field!!",
+    "rules_count" / Rebuild(Int32ul, lambda this: len(this.rules)),
     "rules" / Array(lambda this: this.rules_count, RuleStruct),
-    "reserved1" / Default(Bytes(3), 0) * "!!Unknown field!!",
 )
 
 

setup.py

@@ -5,7 +5,7 @@
 
 setuptools.setup(
     name="procmon-parser",
-    version="0.3.12",
+    version="0.3.13",
     author="Ely Ronnen",
     author_email="elyronnen@gmail.com",
     description="Parser to Procmon configuration and log files formats",