`dissect.etl.headers.event`#

Module Contents#

Classes#

`EventDescriptor`	An representation of the Event data in a event header.
`ExtType`	Enum where members are also (and must be) ints
`EventHeaderExtendedDataItem`	Loads an extended data item from payload.
`EventHeader`	A baseclass for the different ETL headers.

Functions#

`read_uuid`
`read_instance_info`
`read_stack_trace`
`read_stack_trace64`
`read_provider_traits`

Attributes#

extended_data_item_reader

dissect.etl.headers.event.read_uuid(data: bytes) → uuid.UUID#

dissect.etl.headers.event.read_instance_info(data: bytes) → OrderedDict[str, Any]#

dissect.etl.headers.event.read_stack_trace(data: bytes) → OrderedDict[str, Any]#

dissect.etl.headers.event.read_stack_trace64(data: bytes) → OrderedDict[str, Any]#

dissect.etl.headers.event.read_provider_traits(data: bytes) → OrderedDict[str, Any]#

class dissect.etl.headers.event.EventDescriptor(header)#

An representation of the Event data in a event header.

__slots__ = ['id', 'version', 'channel', 'level', 'opcode', 'task', 'keywords']#

class dissect.etl.headers.event.ExtType#

Bases: enum.IntEnum

Enum where members are also (and must be) ints

RELATED_ACTIVITY_ID = 1#

SID = 2#

TS_ID = 3#

INSTANCE_INFO = 4#

STACK_TRACE32 = 5#

STACK_TRACE64 = 6#

PEBS_INDEX = 7#

PMC_COUNTERS = 8#

PSM_KEY = 9#

EVENT_KEY = 10#

EVENT_SCHEMA_TL = 11#

PROV_TRAITS = 12#

PROCESS_START_KEY = 13#

TYPE_MAX = 14#

UNKNOWN = 0#

dissect.etl.headers.event.extended_data_item_reader#

class dissect.etl.headers.event.EventHeaderExtendedDataItem(payload)#

Loads an extended data item from payload.

__slots__ = ['size', 'reserved1', 'ext_type', 'linkage', 'reserved2', 'data_size', 'data', 'raw_data']#

validate_header() → None#

__getattr__(name: str) → Any#

__repr__()#: Return repr(self).

class dissect.etl.headers.event.EventHeader(marker: Marker, data: memoryview, etl)#

Bases: dissect.etl.headers.headers.Header

A baseclass for the different ETL headers.

property descriptor#: Event descriptor of the header.

property header_extensions: list[EventHeaderExtendedDataItem]#: A list with all the extended data items for this Event.

property minimal_size#: Minimum header size.

property provider_id#: Provider that generated this event.

property activity_id#

The ID associated with the activity in the event.

At least, that is my assumption.

property opcode#: The opcode used in this event.

property thread_id#: The thread id that created this event.

property process_id#: The process id that created this event.

additional_header_fields() → dict[str, Any]#

Additional fields that hold interesting information.

each header subclass defines what additional information it wants to return to a record.

dissect.etl.headers.event#

Module Contents#

Classes#

Functions#

Attributes#

`dissect.etl.headers.event`#