fix(event): Registry data buffer bound checks

In some occasions, the registry data buffer is provided
without enough length to satisfy the underlying value
type. To prevent panics, when converting the buffer to
an integer data type, incorporate bound checks.

Author: rabbitstack

pkg/event/param_windows.go

@@ -540,11 +540,40 @@ func (e *Event) produceParams(evt *etw.EventRecord) {
 			case registry.BINARY:
 				e.AppendParam(params.RegData, params.Binary, b)
 			case registry.DWORD:
-				e.AppendParam(params.RegData, params.Uint32, binary.LittleEndian.Uint32(b))
+				var v uint32
+				switch len(b) {
+				case 4:
+					v = binary.LittleEndian.Uint32(b)
+				case 2:
+					v = uint32(binary.LittleEndian.Uint16(b))
+				case 1:
+					v = uint32(b[0])
+				}
+				e.AppendParam(params.RegData, params.Uint32, v)
 			case registry.DWORD_BIG_ENDIAN:
-				e.AppendParam(params.RegData, params.Uint32, binary.BigEndian.Uint32(b))
+				var v uint32
+				switch len(b) {
+				case 4:
+					v = binary.BigEndian.Uint32(b)
+				case 2:
+					v = uint32(binary.BigEndian.Uint16(b))
+				case 1:
+					v = uint32(b[0])
+				}
+				e.AppendParam(params.RegData, params.Uint32, v)
 			case registry.QWORD:
-				e.AppendParam(params.RegData, params.Uint64, binary.LittleEndian.Uint64(b))
+				var v uint64
+				switch len(b) {
+				case 8:
+					v = binary.LittleEndian.Uint64(b)
+				case 4:
+					v = uint64(binary.LittleEndian.Uint32(b))
+				case 2:
+					v = uint64(binary.LittleEndian.Uint16(b))
+				case 1:
+					v = uint64(b[0])
+				}
+				e.AppendParam(params.RegData, params.Uint64, v)
 			}
 		}
 	case CreateFile: