dissect.etl.manifest#

Module Contents#

Functions#

Attributes#

dissect.etl.manifest.MODPATH = 'dissect.etl.manifests'#
dissect.etl.manifest.STRUCT_FMT = Multiline-String#
Show Value
"""
struct {name} {{
{fields}
}};
"""
dissect.etl.manifest.CLASS_FMT = Multiline-String#
Show Value
"""
from uuid import UUID
from collections import namedtuple

from dissect import cstruct
from dissect.cstruct import RawType
from dissect.cstruct import Structure

Structure._calc_offsets = lambda _: None
Keyword = namedtuple('Keyword', ['name', 'message', 'mask'])
Task = namedtuple('Task', ['name', 'message', 'value'])
Event = namedtuple('Event', ['symbol', 'value', 'version', 'opcode', 'level', 'task', 'keywords', 'template'])


class VariableType(RawType):
    def __init__(self, cstruct, type_, size):
        self._t = type_
        super().__init__(cstruct, 'VariableType', size)

    def as_64bit(self):
        raise NotImplementedError()

    def as_32bit(self):
        raise NotImplementedError()

    def _read(self, stream, context=None):
        return self._t._read(stream, context)

    def _read_array(self, stream, count, context=None):
        return self._t._read_array(stream, count, context)

    def _read_0(self, stream, context=None):
        return self._t._read_0(stream, context)

    def _write(self, stream, data):
        return self._t._write(stream, data)

    def _write_array(self, stream, data):
        return self._t._write_array(stream, data)

    def _write_0(self, stream, data):
        return self._t._write_0(stream, data)


class EtwPointer(VariableType):
    def __init__(self, cstruct):
        super().__init__(cstruct, cstruct.uint64, 8)

    def as_64bit(self):
        if self.size == 8:
            return
        self.size = 8
        self._t = self.cstruct.uint64

    def as_32bit(self):
        if self.size == 4:
            return
        self.size = 4
        self._t = self.cstruct.uint32


class UserSID_blob(VariableType):
    def __init__(self, cstruct):
        super().__init__(cstruct, cstruct.char[16], 16)

    def as_64bit(self):
        if self.size == 16:
            return
        self.size = 16
        self._t = self.cstruct.char[16]

    def as_32bit(self):
        if self.size == 8:
            return
        self.size = 8
        self._t = self.cstruct.char[8]


PROVIDER_NAME = {provider_name!r}
PROVIDER_GUID = UUID({provider_guid!r})
PROVIDER_SYMBOL = {provider_symbol!r}

c_parser = cstruct.cstruct()
c_parser.addtype("EtwPointer", EtwPointer(c_parser))
c_parser.addtype("UserSID_blob", UserSID_blob(c_parser))
c_parser.load("""
struct SYSTEMTIME {{
    WORD    wYear;
    WORD    wMonth;
    WORD    wDayOfWeek;
    WORD    wDay;
    WORD    wHour;
    WORD    wMinute;
    WORD    wSecond;
    WORD    wMilliseconds;
}};

struct UserSID {{
    uint8 revision;
    uint8 subAuthorityCount;
    char authority[6];
    uint32 subAuthorities[subAuthorityCount];
}};

struct SID {{
    UserSID_blob    blob;
    UserSID         sid;
}};

{templates}
""")

STRINGS = {{
{strings}
}}

KEYWORDS = {{
{keywords}
}}

EVENTS = {{
{events}
}}
"""
dissect.etl.manifest.FIELD_MAP#
dissect.etl.manifest.CACHE: dict[uuid.UUID, types.ModuleType]#
dissect.etl.manifest.c_parser#
dissect.etl.manifest.lookup(guid: uuid.UUID) types.ModuleType#
dissect.etl.manifest.compile_file(guid: uuid.UUID, path: str) types.ModuleType#
dissect.etl.manifest.compile_xml(guid: uuid.UUID, s: str) types.ModuleType#
dissect.etl.manifest.generate_from_file(path: str) str#
dissect.etl.manifest.generate_from_xml(s: str) str#
dissect.etl.manifest.get_resource_string(path: str) str#
dissect.etl.manifest.get_resource_stream(path: str) BinaryIO#