Worked on format support

documentation/Windows Event manifest binary format.asciidoc

@@ -305,7 +305,7 @@ The channel definitions are of variable size and consist of:
 Including the channel definitions header
 | 8 | 4 | | Number of channel definitions
 | 12 | ... | | Array of channel definitions
-| ... | ... | | Channel data
+| ... | ... | | Channel name
 |===
 
 === Channel definition
@@ -334,9 +334,9 @@ or 0xffffffff (-1) if not set
 | | | Operational
 |===
 
-=== Channel data
+=== Channel name
 
-The channel data is of variable size and consists of:
+The channel name is of variable size and consists of:
 
 [cols="1,1,1,5",options="header"]
 |===
@@ -552,21 +552,21 @@ A template definition is of variable size and consists of:
 | 0 | 4 | "TEMP" | Signature
 | 4 | 4 | | Size +
 Including the template header
-| 8 | 4 | | Number of variable descriptors
-| 12 | 4 | | Number of variable names
+| 8 | 4 | | Number of item descriptors
+| 12 | 4 | | Number of item names
 | 16 | 4 | | Template items offset +
 The offset is relative to the start of the instrumentation manifest
 | 20 | 4 | [yellow-background]*1* | [yellow-background]*Unknown (number of BinXML fragments?)*
 | 24 | 16 | | Identifier +
 Contains a GUID
 | 40 | ... | | Binary XML fragment
-| ... | ... | | Template variables descriptors
-| ... | ... | | Template variables names
+| ... | ... | | Template item descriptors
+| ... | ... | | Template item names
 |===
 
 [NOTE]
-If the number of variable descriptors (and number of variable names) the
-template items offset is either 0 or contains the template size.
+If the number of item descriptors (and number of item names) the template items
+offset is either 0 or contains the template size.
 
 === Template binary XML fragment
 

include/libfwevt.h.in

@@ -260,7 +260,7 @@ int libfwevt_level_free(
  * ------------------------------------------------------------------------- */
 
 /* Creates a manifest
- * Make sure the value channel is referencing, is set to NULL
+ * Make sure the value manifest is referencing, is set to NULL
  * Returns 1 if successful or -1 on error
  */
 LIBFWEVT_EXTERN \
@@ -650,17 +650,104 @@ int libfwevt_template_get_size(
  */
 LIBFWEVT_EXTERN \
 int libfwevt_template_get_identifier(
-     libfwevt_template_t *template,
+     libfwevt_template_t *wevt_template,
      uint8_t *guid_data,
      size_t guid_data_size,
      libfwevt_error_t **error );
 
+/* Retrieves the number of items
+ * Returns 1 if successful or -1 on error
+ */
+LIBFWEVT_EXTERN \
+int libfwevt_template_get_number_of_items(
+     libfwevt_template_t *wevt_template,
+     int *number_of_items,
+     libfwevt_error_t **error );
+
+/* Retrieves a specific item
+ * Returns 1 if successful or -1 on error
+ */
+LIBFWEVT_EXTERN \
+int libfwevt_template_get_item_by_index(
+     libfwevt_template_t *wevt_template,
+     int item_index,
+     libfwevt_template_item_t **item,
+     libfwevt_error_t **error );
+
+/* -------------------------------------------------------------------------
+ * Template item functions
+ * ------------------------------------------------------------------------- */
+
+/* Frees a template item
+ * Returns 1 if successful or -1 on error
+ */
+LIBFWEVT_EXTERN \
+int libfwevt_template_item_free(
+     libfwevt_template_item_t **template_item,
+     libfwevt_error_t **error );
+
+/* Retrieves the input data type
+ * Returns 1 if successful or -1 on error
+ */
+LIBFWEVT_EXTERN \
+int libfwevt_template_item_get_input_data_type(
+     libfwevt_template_item_t *template_item,
+     uint8_t *input_data_type,
+     libfwevt_error_t **error );
+
+/* Retrieves the output data type
+ * Returns 1 if successful or -1 on error
+ */
+LIBFWEVT_EXTERN \
+int libfwevt_template_item_get_output_data_type(
+     libfwevt_template_item_t *template_item,
+     uint8_t *output_data_type,
+     libfwevt_error_t **error );
+
+/* Retrieves the size of the UTF-8 formatted name
+ * Returns 1 if successful, 0 if not available or -1 on error
+ */
+LIBFWEVT_EXTERN \
+int libfwevt_template_item_get_utf8_name_size(
+     libfwevt_template_item_t *template_item,
+     size_t *utf8_string_size,
+     libfwevt_error_t **error );
+
+/* Retrieves the UTF-8 formatted name
+ * Returns 1 if successful, 0 if not available or -1 on error
+ */
+LIBFWEVT_EXTERN \
+int libfwevt_template_item_get_utf8_name(
+     libfwevt_template_item_t *template_item,
+     uint8_t *utf8_string,
+     size_t utf8_string_size,
+     libfwevt_error_t **error );
+
+/* Retrieves the size of the UTF-16 formatted name
+ * Returns 1 if successful, 0 if not available or -1 on error
+ */
+LIBFWEVT_EXTERN \
+int libfwevt_template_item_get_utf16_name_size(
+     libfwevt_template_item_t *template_item,
+     size_t *utf16_string_size,
+     libfwevt_error_t **error );
+
+/* Retrieves the UTF-16 formatted name
+ * Returns 1 if successful, 0 if not available or -1 on error
+ */
+LIBFWEVT_EXTERN \
+int libfwevt_template_item_get_utf16_name(
+     libfwevt_template_item_t *template_item,
+     uint16_t *utf16_string,
+     size_t utf16_string_size,
+     libfwevt_error_t **error );
+
 /* -------------------------------------------------------------------------
  * XML document functions
  * ------------------------------------------------------------------------- */
 
 /* Creates an XML document
- * Make sure the value channel is referencing, is set to NULL
+ * Make sure the value xml_document is referencing, is set to NULL
  * Returns 1 if successful or -1 on error
  */
 LIBFWEVT_EXTERN \

libfwevt/fwevt_template.h

@@ -137,10 +137,10 @@ struct fwevt_template_channel
 	 */
 	uint8_t identifier[ 4 ];
 
-	/* The data offset
+	/* The name offset
 	 * Consists of 4 bytes
 	 */
-	uint8_t data_offset[ 4 ];
+	uint8_t name_offset[ 4 ];
 
 	/* Unknown
 	 * Consists of 4 bytes

libfwevt/libfwevt_channel.c

@@ -185,8 +185,8 @@ int libfwevt_channel_read_data(
 	libfwevt_internal_channel_t *internal_channel = NULL;
 	fwevt_template_channel_t *wevt_channel        = NULL;
 	static char *function                         = "libfwevt_channel_read_data";
-	uint32_t channel_data_offset                  = 0;
-	uint32_t channel_data_size                    = 0;
+	uint32_t name_offset                          = 0;
+	uint32_t name_size                            = 0;
 
 #if defined( HAVE_DEBUG_OUTPUT )
 	uint32_t value_32bit                          = 0;
@@ -281,8 +281,8 @@ int libfwevt_channel_read_data(
 	 internal_channel->identifier );
 
 	byte_stream_copy_to_uint32_little_endian(
-	 wevt_channel->data_offset,
-	 channel_data_offset );
+	 wevt_channel->name_offset,
+	 name_offset );
 
 #if defined( HAVE_DEBUG_OUTPUT )
 	if( libcnotify_verbose != 0 )
@@ -293,9 +293,9 @@ int libfwevt_channel_read_data(
 		 internal_channel->identifier );
 
 		libcnotify_printf(
-		 "%s: data offset\t\t\t\t\t: 0x%08" PRIx32 "\n",
+		 "%s: name offset\t\t\t\t\t: 0x%08" PRIx32 "\n",
 		 function,
-		 channel_data_offset );
+		 name_offset );
 
 		byte_stream_copy_to_uint32_little_endian(
 		 wevt_channel->unknown1,
@@ -315,31 +315,31 @@ int libfwevt_channel_read_data(
 	}
 #endif /* defined( HAVE_DEBUG_OUTPUT ) */
 
-	if( channel_data_offset > 0 )
+	if( name_offset > 0 )
 	{
-		if( channel_data_offset >= ( data_size - 4 ) )
+		if( name_offset >= ( data_size - 4 ) )
 		{
 			libcerror_error_set(
 			 error,
 			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
 			 LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS,
-			 "%s: invalid channel data offset value out of bounds.",
+			 "%s: invalid name offset value out of bounds.",
 			 function );
 
 			goto on_error;
 		}
 		byte_stream_copy_to_uint32_little_endian(
-		 &( data[ channel_data_offset ] ),
-		 channel_data_size );
+		 &( data[ name_offset ] ),
+		 name_size );
 
-		if( ( data_size < channel_data_size )
-		 || ( channel_data_offset > ( data_size - channel_data_size ) ) )
+		if( ( data_size < name_size )
+		 || ( name_offset > ( data_size - name_size ) ) )
 		{
 			libcerror_error_set(
 			 error,
 			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
 			 LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS,
-			 "%s: invalid channel data size value out of bounds.",
+			 "%s: invalid name size value out of bounds.",
 			 function );
 
 			goto on_error;
@@ -351,8 +351,8 @@ int libfwevt_channel_read_data(
 			 "%s: data:\n",
 			 function );
 			libcnotify_print_data(
-			 &( data[ channel_data_offset ] ),
-			 channel_data_size,
+			 &( data[ name_offset ] ),
+			 name_size,
 			 0 );
 		}
 #endif /* defined( HAVE_DEBUG_OUTPUT ) */
@@ -361,19 +361,19 @@ int libfwevt_channel_read_data(
 		if( libcnotify_verbose != 0 )
 		{
 			libcnotify_printf(
-			 "%s: data size\t\t\t\t\t: %" PRIu32 "\n",
+			 "%s: name size\t\t\t\t\t: %" PRIu32 "\n",
 			 function,
-			 channel_data_size );
+			 name_size );
 		}
 #endif /* defined( HAVE_DEBUG_OUTPUT ) */
 
-		if( channel_data_size >= 4 )
+		if( name_size >= 4 )
 		{
-			channel_data_offset += 4;
-			channel_data_size   -= 4;
+			name_offset += 4;
+			name_size   -= 4;
 
-			if( ( channel_data_size == 0 )
-			 || ( channel_data_size > ( MEMORY_MAXIMUM_ALLOCATION_SIZE / sizeof( uint8_t ) ) ) )
+			if( ( name_size == 0 )
+			 || ( name_size > ( MEMORY_MAXIMUM_ALLOCATION_SIZE / sizeof( uint8_t ) ) ) )
 			{
 				libcerror_error_set(
 				 error,
@@ -385,7 +385,7 @@ int libfwevt_channel_read_data(
 				goto on_error;
 			}
 			internal_channel->name = (uint8_t *) memory_allocate(
-			                                      sizeof( uint8_t ) * channel_data_size );
+			                                      sizeof( uint8_t ) * name_size );
 
 			if( internal_channel->name == NULL )
 			{
@@ -398,12 +398,12 @@ int libfwevt_channel_read_data(
 
 				goto on_error;
 			}
-			internal_channel->name_size = channel_data_size;
+			internal_channel->name_size = (size_t) name_size;
 
 			if( memory_copy(
 			     internal_channel->name,
-			     &( data[ channel_data_offset ] ),
-			     channel_data_size ) == NULL )
+			     &( data[ name_offset ] ),
+			     (size_t) name_size ) == NULL )
 			{
 				libcerror_error_set(
 				 error,