:py:mod:`dissect.etl.manifest`
==============================

.. py:module:: dissect.etl.manifest


Module Contents
---------------

Functions
~~~~~~~~~

.. autoapisummary::
   :nosignatures:

   dissect.etl.manifest.lookup
   dissect.etl.manifest.compile_file
   dissect.etl.manifest.compile_xml
   dissect.etl.manifest.generate_from_file
   dissect.etl.manifest.generate_from_xml
   dissect.etl.manifest.get_resource_string
   dissect.etl.manifest.get_resource_stream

Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.etl.manifest.MODPATH
   dissect.etl.manifest.STRUCT_FMT
   dissect.etl.manifest.CLASS_FMT
   dissect.etl.manifest.FIELD_MAP
   dissect.etl.manifest.CACHE
   dissect.etl.manifest.c_parser

.. py:data:: MODPATH
   :value: 'dissect.etl.manifests'

.. py:data:: STRUCT_FMT
   :value: Multiline-String

   .. raw:: html
      <details><summary>Show Value</summary>

   .. code-block:: python

      """
      struct {name} {{
      {fields}
      }};
      """

   .. raw:: html

      </details>
.. py:data:: CLASS_FMT
   :value: Multiline-String

   .. raw:: html
      <details><summary>Show Value</summary>

   .. code-block:: python

      """
      from uuid import UUID
      from collections import namedtuple

      from dissect import cstruct
      from dissect.cstruct import BaseType, MetaType, Structure

      Structure._calc_offsets = lambda _: None

      Keyword = namedtuple('Keyword', ['name', 'message', 'mask'])
      Task = namedtuple('Task', ['name', 'message', 'value'])
      Event = namedtuple('Event', ['symbol', 'value', 'version', 'opcode', 'level', 'task', 'keywords', 'template'])


      class VariableType(BaseType):
          type: MetaType
          size: int

          @classmethod
          def as_64bit(cls):
              raise NotImplementedError()

          @classmethod
          def as_32bit(cls):
              raise NotImplementedError()

          @classmethod
          def _read(cls, stream, context=None):
              return cls.type._read(stream, context)

          @classmethod
          def _read_0(cls, stream, context=None):
              return cls.type._read_0(stream, context)

          @classmethod
          def _write(cls, stream, data):
              return cls.type._write(stream, data)


      class EtwPointer(VariableType):
          @classmethod
          def as_64bit(cls):
              if cls.size == 8:
                  return

              cls.size = 8
              cls.type = cls.cs.uint64

          def as_32bit(cls):
              if cls.size == 4:
                  return

              cls.size = 4
              cls.type = cls.cs.uint32


      class UserSID_blob(VariableType):
          @classmethod
          def as_64bit(cls):
              if cls.size == 16:
                  return

              cls.size = 16
              cls.type = cls.cs.char[16]

          @classmethod
          def as_32bit(cls):
              if cls.size == 8:
                  return

              cls.size = 8
              cls.type = cls.cs.char[8]


      PROVIDER_NAME = {provider_name!r}
      PROVIDER_GUID = UUID({provider_guid!r})
      PROVIDER_SYMBOL = {provider_symbol!r}

      c_parser = cstruct.cstruct()
      c_parser.add_custom_type("EtwPointer", EtwPointer)
      c_parser.add_custom_type("UserSID_blob", UserSID_blob)
      c_parser.load("""
      struct SYSTEMTIME {{
          WORD wYear;
          WORD wMonth;
          WORD wDayOfWeek;
          WORD wDay;
          WORD wHour;
          WORD wMinute;
          WORD wSecond;
          WORD wMilliseconds;
      }};

      struct UserSID {{
          uint8 revision;
          uint8 subAuthorityCount;
          char authority[6];
          uint32 subAuthorities[subAuthorityCount];
      }};

      struct SID {{
          UserSID_blob blob;
          UserSID sid;
      }};

      {templates}
      """)

      STRINGS = {{
      {strings}
      }}

      KEYWORDS = {{
      {keywords}
      }}

      EVENTS = {{
      {events}
      }}

      """

   .. raw:: html

      </details>

   .. note::

      In the value shown above, ``EtwPointer.as_32bit`` is the only
      ``as_32bit``/``as_64bit`` override without a ``@classmethod`` decorator,
      so it is a plain function in any module rendered from this template;
      this looks unintended.

      The ``{templates}``, ``{strings}``, ``{keywords}`` and ``{events}``
      placeholders are filled without the ``!r`` conversion that the provider
      fields use. ``compile_file`` and ``compile_xml`` return a
      ``types.ModuleType``, so the rendered text is presumably executed as
      Python, and manifests are best loaded only from trusted sources. Whether
      the generator escapes these values is not visible on this page.
.. py:data:: FIELD_MAP

.. py:data:: CACHE
   :type: dict[uuid.UUID, types.ModuleType]

.. py:data:: c_parser

.. py:function:: lookup(guid: uuid.UUID) -> types.ModuleType

.. py:function:: compile_file(guid: uuid.UUID, path: str) -> types.ModuleType

.. py:function:: compile_xml(guid: uuid.UUID, s: str) -> types.ModuleType

.. py:function:: generate_from_file(path: str) -> str

.. py:function:: generate_from_xml(s: str) -> str

.. py:function:: get_resource_string(path: str) -> str

.. py:function:: get_resource_stream(path: str) -> BinaryIO