:py:mod:`dissect.eventlog.wevt_object`
======================================

.. py:module:: dissect.eventlog.wevt_object


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.eventlog.wevt_object.WevtObject
   dissect.eventlog.wevt_object.WevtName
   dissect.eventlog.wevt_object.CHAN
   dissect.eventlog.wevt_object.OPCO
   dissect.eventlog.wevt_object.LEVL
   dissect.eventlog.wevt_object.KEYW
   dissect.eventlog.wevt_object.VMAP
   dissect.eventlog.wevt_object.BMAP
   dissect.eventlog.wevt_object.PRVA
   dissect.eventlog.wevt_object.TASK
   dissect.eventlog.wevt_object.EVNT
   dissect.eventlog.wevt_object.TEMP
   dissect.eventlog.wevt_object.TEMP_DESCRIPTOR


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.eventlog.wevt_object.wevt_object_def
   dissect.eventlog.wevt_object.c_wevt_objects


.. py:data:: wevt_object_def
   :value: Multiline-String

   Structure definitions (``dissect.cstruct`` syntax) for the WEVT object records that the
   classes below wrap; the string is compiled into ``c_wevt_objects``. Every ``data_offset``
   field is a relative offset, and a ``DATA_ITEM`` carries a UTF-16 name whose length is
   derived from its own ``size`` field.

   .. code-block:: python

      """
      struct DATA_ITEM {
          uint32 size;
          wchar  name[(size/2)-2];
      };

      struct CHAN {
          uint32 id;
          uint32 data_offset;
          uint32 nr;
          uint32 message_table_id;
      };

      struct TEMP {
          char   signature[4];
          uint32 size;
          uint32 nr_of_items;
          uint32 nr_of_names;
          uint32 data_offset;
          uint32 binxml_fragments;
          char   identifier[16];
      };

      struct TEMP_DESCRIPTOR {
          uint32 unknown0;
          uint8  input_type;
          uint8  output_type;
          uint16 unknown1;
          uint32 unknown2;
          uint32 unknown3;
          uint32 data_offset;
      }

      struct PRVA {
          uint32 unknown;
          uint32 data_offset;
      };

      struct TASK {
          uint32 id;
          uint32 message_table_id;
          char   mui_id[16];
          uint32 data_offset;
      };

      struct KEYW {
          uint64 bitmask;
          uint32 message_table_id;
          uint32 data_offset;
      };

      struct LEVL {
          uint32 id;
          uint32 message_table_id;
          uint32 data_offset;
      };

      struct EVNT {
          uint16 id;
          uchar  version;
          uchar  channel;
          uchar  level;
          uchar  opcode;
          uint16 task;
          uint64 keyword;
          uint32 message_table_id;
          uint32 template_offset;
          uint32 opcode_offset;
          uint32 level_offset;
          uint32 task_offset;
          uint32 data_counter;
          uint32 data_offset;
          uint32 flags;
      };

      struct OPCO {
          uint16 task_id;
          uint16 value;
          uint32 message_table_id;
          uint32 data_offset;
      };

      struct VMAP {
          char   signature[4];
          uint32 size;
          uint32 data_offset;
      };

      struct BMAP {
          char   signature[4];
          uint32 size;
          uint32 data_offset;
      };
      """
.. py:data:: c_wevt_objects


.. py:class:: WevtObject(offset, data)

   Base object that functions as a wrapper for the header.

   .. py:attribute:: offset

   .. py:attribute:: header

   .. py:attribute:: data

   .. py:attribute:: data_start

   .. py:attribute:: data_offset

   .. py:method:: extract_name(data_offset)

      ``data_offset`` is a relative offset that usually points to the ``DATA_ITEM``. This point is used to read the name for this specific

   .. py:method:: __getattribute__(name: str)

   .. py:method:: __repr__()

      Use ``__slots__`` to get all the data we need from the object.


.. py:class:: WevtName(offset, data)

   Bases: :py:obj:`WevtObject`

   Base object that functions as a wrapper for the header.

   .. py:attribute:: name


.. py:class:: CHAN(offset, data)

   Bases: :py:obj:`WevtName`

   Base object that functions as a wrapper for the header.

   .. py:attribute:: __slots__
      :value: ['offset', 'id', 'message_table_id', 'name', 'nr']


.. py:class:: OPCO(offset, data)

   Bases: :py:obj:`WevtName`

   Base object that functions as a wrapper for the header.

   .. py:attribute:: __slots__
      :value: ['offset', 'task_id', 'value', 'message_table_id', 'name']


.. py:class:: LEVL(offset, data)

   Bases: :py:obj:`WevtName`

   Base object that functions as a wrapper for the header.

   .. py:attribute:: __slots__
      :value: ['offset', 'id', 'message_table_id', 'name']


.. py:class:: KEYW(offset, data)

   Bases: :py:obj:`WevtName`

   Base object that functions as a wrapper for the header.

   .. py:attribute:: __slots__
      :value: ['offset', 'bitmask', 'message_table_id', 'name']


.. py:class:: VMAP(offset, data)

   Bases: :py:obj:`WevtName`

   Base object that functions as a wrapper for the header.

   .. py:attribute:: __slots__
      :value: ['offset', 'name']


.. py:class:: BMAP(offset, data)

   Bases: :py:obj:`WevtName`

   Base object that functions as a wrapper for the header.

   .. py:attribute:: __slots__
      :value: ['offset', 'name']


.. py:class:: PRVA(offset, data)

   Bases: :py:obj:`WevtObject`

   Base object that functions as a wrapper for the header.

   .. py:attribute:: __slots__
      :value: ['offset', 'unknown']


.. py:class:: TASK(offset, data)

   Bases: :py:obj:`WevtName`

   Base object that functions as a wrapper for the header.

   .. py:attribute:: __slots__
      :value: ['offset', 'id', 'message_table_id', 'mui_id', 'name']

   .. py:attribute:: mui_id


.. py:class:: EVNT(offset, data)

   Bases: :py:obj:`WevtObject`

   Base object that functions as a wrapper for the header.

   .. py:attribute:: __slots__
      :value: ['offset', 'id', 'version', 'channel', 'level', 'opcode', 'task', 'keyword', 'message_table_id',...


.. py:class:: TEMP(offset, data)

   Bases: :py:obj:`WevtObject`

   Base object that functions as a wrapper for the header.

   .. py:attribute:: __slots__
      :value: ['offset', 'identifier', 'template', 'names']

   .. py:attribute:: template

   .. py:attribute:: identifier

   .. py:attribute:: names
      :type: List[TEMP_DESCRIPTOR]
      :value: []


.. py:class:: TEMP_DESCRIPTOR(offset, data)

   Bases: :py:obj:`WevtName`

   Base object that functions as a wrapper for the header.

   .. py:attribute:: __slots__
      :value: ['inType', 'outType', 'name']

   .. py:attribute:: inType
      :value: ''

   .. py:attribute:: outType
      :value: ''
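The following is an added, self-contained example and is not code from ``dissect.eventlog``;
it reimplements, with only the standard library, what the ``wevt_object_def`` layouts above and
the ``extract_name(data_offset)`` wrapper describe. It parses a constructed blob holding an
``EVNT`` record, follows the record's ``level_offset`` to a ``LEVL`` record, and resolves that
record's ``data_offset`` to a ``DATA_ITEM`` name with bounds checks, because a provider DLL
under analysis can carry any ``size`` or offset it likes. Assumptions that the page does not
state: every offset is relative to the start of the blob handed in, an offset of ``0`` means
"no such record", and ``DATA_ITEM`` names are NUL-terminated. All function names, the sample
values and the sample blob are made up for this example.

```python
import struct
from typing import Dict

# Layouts transcribed from the wevt_object_def struct definitions on this page.
# "<" selects little-endian and disables padding, so sizes match the C layout.
DATA_ITEM_HDR = struct.Struct("<I")       # uint32 size; followed by wchar name[(size/2)-2]
LEVL_FMT = struct.Struct("<III")          # id, message_table_id, data_offset
EVNT_FMT = struct.Struct("<HBBBBHQ8I")    # 48 bytes, field order given by EVNT_FIELDS
EVNT_FIELDS = (
    "id", "version", "channel", "level", "opcode", "task", "keyword",
    "message_table_id", "template_offset", "opcode_offset", "level_offset",
    "task_offset", "data_counter", "data_offset", "flags",
)

# ASSUMPTION (not stated on the page): offsets are relative to the start of the
# blob passed to these functions, and an offset of 0 means the record is absent.


class WevtParseError(ValueError):
    """Raised when a record or DATA_ITEM does not fit inside the blob it claims to live in."""


def read_data_item(blob: bytes, offset: int) -> str:
    """Decode the DATA_ITEM at `offset`: uint32 size (counting itself) then UTF-16LE text."""
    if offset < 0 or offset + DATA_ITEM_HDR.size > len(blob):
        raise WevtParseError(f"DATA_ITEM header at {offset:#x} lies outside the blob")
    (size,) = DATA_ITEM_HDR.unpack_from(blob, offset)
    # (size/2)-2 wchars follow the size field, so size must be even, at least 4,
    # and must not run past the end of the blob; never trust it blindly.
    if size < 4 or size % 2 or offset + size > len(blob):
        raise WevtParseError(f"DATA_ITEM at {offset:#x} has implausible size {size}")
    raw = blob[offset + DATA_ITEM_HDR.size : offset + size]
    # ASSUMPTION: the name is NUL-terminated, so strip the terminator defensively.
    return raw.decode("utf-16-le").rstrip("\x00")


def is_valid_data_item(blob: bytes, offset: int) -> bool:
    """True if a DATA_ITEM at `offset` decodes cleanly, False on any parse failure."""
    try:
        read_data_item(blob, offset)
        return True
    except (WevtParseError, UnicodeDecodeError):
        return False


def parse_levl(blob: bytes, offset: int) -> Dict[str, object]:
    """Parse a LEVL record and resolve its data_offset to the level's name."""
    if offset < 0 or offset + LEVL_FMT.size > len(blob):
        raise WevtParseError(f"LEVL at {offset:#x} lies outside the blob")
    level_id, mtid, data_offset = LEVL_FMT.unpack_from(blob, offset)
    return {"id": level_id, "message_table_id": mtid, "name": read_data_item(blob, data_offset)}


def parse_evnt(blob: bytes, offset: int) -> Dict[str, int]:
    """Parse the fixed 48-byte EVNT record into a field dict."""
    if offset < 0 or offset + EVNT_FMT.size > len(blob):
        raise WevtParseError(f"EVNT at {offset:#x} lies outside the blob")
    return dict(zip(EVNT_FIELDS, EVNT_FMT.unpack_from(blob, offset)))


def describe_event(blob: bytes, offset: int) -> Dict[str, object]:
    """Parse an EVNT and follow level_offset to the LEVL record's name.

    EVNT wraps WevtObject rather than WevtName, so it carries no name of its own;
    its data_offset is therefore returned as a number, not decoded as a DATA_ITEM.
    """
    fields = parse_evnt(blob, offset)
    result: Dict[str, object] = dict(fields)
    level_offset = fields["level_offset"]
    result["level_name"] = parse_levl(blob, level_offset)["name"] if level_offset else None
    return result


def build_data_item(name: str) -> bytes:
    """Encode `name` as a DATA_ITEM (NUL-terminated UTF-16LE; size counts the size field)."""
    encoded = (name + "\x00").encode("utf-16-le")
    return DATA_ITEM_HDR.pack(DATA_ITEM_HDR.size + len(encoded)) + encoded


def build_sample_blob() -> bytes:
    """Constructed sample (not from a real provider): EVNT, then LEVL, then its DATA_ITEM."""
    levl_off = EVNT_FMT.size                       # LEVL directly after the EVNT record
    levl_name_off = levl_off + LEVL_FMT.size       # DATA_ITEM directly after the LEVL record
    levl_name = build_data_item("win:Informational")
    levl = LEVL_FMT.pack(4, 0x50000004, levl_name_off)
    evnt = EVNT_FMT.pack(
        1000, 1, 1, 4, 1, 0, 0x8000000000000000,   # id, version, channel, level, opcode, task, keyword
        0xB00003E8,                                 # message_table_id (arbitrary sample value)
        0, 0, levl_off, 0,                          # template/opcode/level/task offsets; 0 = absent
        0, 0, 0,                                    # data_counter, data_offset, flags
    )
    return evnt + levl + levl_name


if __name__ == "__main__":
    print(describe_event(build_sample_blob(), 0))
```

The same bounds pattern applies to every other record type on the page (``CHAN``, ``KEYW``,
``TASK``, ``OPCO``): unpack the fixed header, then validate any ``data_offset`` against the
blob length before treating it as a ``DATA_ITEM``, since a malformed or hostile manifest
resource will otherwise read out of bounds or produce garbage names.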