dissect.eventlog.bxml

Binary XML classes

Module Contents

Classes

| BxmlToken | Enum where members are also (and must be) ints |
| BxmlType | Enum where members are also (and must be) ints |
| Bxml | An object that keeps track of the BXML streams |
| BxmlNameReader | An interface to facilitate different methods to read names with BXML data. |
| EvtxNameReader | Evtx method to read names in BXML. |
| WevtNameReader | WEVT method for reading names. |

Functions

| read_systemtime | Read systemtime from stream. |
| read_guid | Read guid from stream. |
| read_sid | Read SID from stream. |
| read_value | 0x00 NullType NULL or empty |

Attributes

| bxml_def | |
| bxml_struct | |
| TYPE_READERS | |
- class dissect.eventlog.bxml.BxmlToken
  Bases: enum.IntEnum
  Enum where members are also (and must be) ints
  - BXML_END = 0
  - BXML_START_ELEMENT = 1
  - BXML_CLOSE_START_ELEMENT_TAG = 2
  - BXML_CLOSE_EMPTY_ELEMENT_TAG = 3
  - BXML_END_ELEMENT = 4
  - BXML_VALUE = 5
  - BXML_ATTRIBUTE = 6
  - BXML_TOKEN_CHAR_REFERENCE = 8
  - BXML_TOKEN_ENTITY_REFERENCE = 9
  - BXML_TEMPLATE_INSTANCE = 12
  - BXML_TOKEN_NORMAL_SUBSTITUTION = 13
  - BXML_TOKEN_OPTIONAL_SUBSTITUTION = 14
  - BXML_FRAGMENT_HEADER = 15
- class dissect.eventlog.bxml.BxmlType
  Bases: enum.IntEnum
  Enum where members are also (and must be) ints
  - NULL = 0
  - STRING = 1
  - ANSITRING = 2
  - INT8 = 3
  - UINT8 = 4
  - INT16 = 5
  - UINT16 = 6
  - INT32 = 7
  - UINT32 = 8
  - INT64 = 9
  - UINT64 = 10
  - FLOAT = 11
  - DOUBLE = 12
  - BOOL = 13
  - BINARY = 14
  - GUID = 15
  - SIZET = 16
  - FILETIME = 17
  - SYSTEMTIME = 18
  - SID = 19
  - HEXINT32 = 20
  - HEXINT64 = 21
  - EVTHANDLE = 32
  - BINXML = 33
  - EVTXML = 35
  - __str__() -> str
    Return str(self).
- dissect.eventlog.bxml.bxml_def = Multiline-String

```c
struct BXML_FRAGMENT_HEADER {
    uint8 major_version;
    uint8 minor_version;
    uint8 flags;
};

struct BXML_ELEMENT_START_TPL {
    uint16 dependency_id;
    uint32 data_size;
};

struct BXML_ELEMENT_START {
    uint32 data_size;
};

struct BXML_NAME {
    uint32 unknown;
    uint16 hash;
    uint16 size;
    wchar value[size];
};

struct BXML_ATTR {
    uint8 token;
};

struct BXML_VALUE_TEXT {
    uint16 size;
    wchar value[size];
};

struct BXML_TEMPLATE_REFERENCE {
    uint8 a;
    uint32 template_id;
    uint32 offset;
};

struct BXML_TEMPLATE_DEFINITION {
    uint32 next_template;
    char identifier[16];
    uint32 data_size;
};

struct BXML_OPTIONAL_SUBSTITUTION {
    uint16 sub_id;
    uint8 value_type;
};

struct BXML_TEMPLATE_VALUE_DESC {
    uint16 size;
    uint8 type_id;
    uint8 a;
};

typedef struct SID {
    uint8 revision;
    uint8 subAuthorityCount;
    char authority[6];
    uint32 subAuthorities[subAuthorityCount];
};

struct SYSTEMTIME {
    WORD wYear;
    WORD wMonth;
    WORD wDayOfWeek;
    WORD wDay;
    WORD wHour;
    WORD wMinute;
    WORD wSecond;
    WORD wMilliseconds;
};
```

- dissect.eventlog.bxml.bxml_struct
- dissect.eventlog.bxml.read_systemtime(stream)
  Read systemtime from stream.
- dissect.eventlog.bxml.read_guid(stream) -> str
  Read guid from stream.
- dissect.eventlog.bxml.read_sid(stream) -> str
  Read SID from stream.
- dissect.eventlog.bxml.TYPE_READERS
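The SID and SYSTEMTIME layouts in bxml_def and the read_sid / read_guid / read_systemtime readers above are easiest to understand on raw bytes. The following is an added example written for this page with the standard library; it is not dissect.eventlog's own code, and it also covers GUID and FILETIME because a TYPE_READERS table has to handle those value types too. The sample bytes are constructed, not taken from a real event log. The only non-obvious points are the byte orders: the SID identifier authority is big-endian while its sub-authorities are little-endian, and GUIDs are stored mixed-endian (Data1 to Data3 little-endian, Data4 raw).

```python
import io
import struct
import uuid
from datetime import datetime, timedelta, timezone

# Example code for this page (not dissect.eventlog's read_* functions): stdlib readers
# for the SID and SYSTEMTIME layouts in bxml_def, plus the GUID and FILETIME value types.


def read_sid(stream: io.BytesIO) -> str:
    """SID per bxml_def: revision, sub-authority count, 6-byte authority, sub-authorities.
    The authority is big-endian, the sub-authorities little-endian."""
    revision, count = struct.unpack("<BB", stream.read(2))
    if count > 15:  # SIDs carry at most 15 sub-authorities; refuse absurd counts from bad data
        raise ValueError(f"invalid sub-authority count {count}")
    authority = int.from_bytes(stream.read(6), "big")
    subs = struct.unpack(f"<{count}I", stream.read(4 * count))
    return "S-" + "-".join(str(part) for part in (revision, authority, *subs))


def read_guid(stream: io.BytesIO) -> str:
    """GUIDs are stored mixed-endian; uuid.UUID(bytes_le=...) applies exactly that order."""
    return str(uuid.UUID(bytes_le=stream.read(16)))


def read_systemtime(stream: io.BytesIO) -> datetime:
    """SYSTEMTIME per bxml_def: eight little-endian WORDs. wDayOfWeek is redundant and
    ignored; wMilliseconds is scaled to microseconds."""
    year, month, _dow, day, hour, minute, second, msec = struct.unpack("<8H", stream.read(16))
    return datetime(year, month, day, hour, minute, second, msec * 1000, tzinfo=timezone.utc)


def read_filetime(stream: io.BytesIO) -> datetime:
    """FILETIME: 64-bit count of 100 ns intervals since 1601-01-01 UTC."""
    (ticks,) = struct.unpack("<Q", stream.read(8))
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def decode_samples() -> dict:
    """Decode constructed sample bytes (not taken from a real event log)."""
    sid = bytes([1, 4]) + (5).to_bytes(6, "big") + struct.pack("<4I", 21, 1, 2, 500)
    # Microsoft-Windows-Security-Auditing provider GUID written in on-disk byte order
    guid = bytes.fromhex("2596845478549449a5ba3e3b0328c30d")
    systemtime = struct.pack("<8H", 2024, 1, 1, 15, 13, 45, 30, 250)  # Mon 2024-01-15 13:45:30.250
    filetime = struct.pack("<Q", 133485408000000000)  # 2024-01-01T00:00:00Z
    return {
        "sid": read_sid(io.BytesIO(sid)),
        "guid": read_guid(io.BytesIO(guid)),
        "systemtime": read_systemtime(io.BytesIO(systemtime)),
        "filetime": read_filetime(io.BytesIO(filetime)),
    }
```

Every reader consumes exactly the number of bytes its type occupies, which is what lets a dispatch table like TYPE_READERS walk a buffer of back-to-back values; a reader that over- or under-reads shifts every value that follows it.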
- class dissect.eventlog.bxml.BxmlTag(name: str)
  - __str__()
    Return str(self).
  - add_children(tags: list) -> None
  - add_attributes(attribute: dict) -> None
- class dissect.eventlog.bxml.BxmlSub(sub_id)
  - __repr__()
    Return repr(self).
  - __str__()
    Return str(self).
  - set(value) -> None
  - get() -> Any
- class dissect.eventlog.bxml.Template
  - __str__()
    Return str(self).
  - create_map()
  - as_map()
  - as_full_map()
  - add_child_template(tpl)
- class dissect.eventlog.bxml.Bxml(bxml_stream: io.BytesIO, elf_chunk_stream: io.BytesIO)
  An object that keeps track of the BXML streams
  - property current_offset: int
    Current offset in the BXML data stream.
  - read_name_from_stream() -> str
    Use _reader to read a specific name from stream
  - set_name_reader(reader) -> None
  - read_char_reference() -> str
- class dissect.eventlog.bxml.BxmlNameReader(bxml: Bxml)
  An interface to facilitate different methods to read names with BXML data.
  - read() -> str
    Read the name from the bxml_datastream.
- class dissect.eventlog.bxml.EvtxNameReader(bxml: Bxml)
  Bases: BxmlNameReader
  Evtx method to read names in BXML.
  - read() -> str
    Read name from BXML data.
    If the name offset lies outside the BXML data range, the name is read from the elf_chunk stream instead.
- class dissect.eventlog.bxml.WevtNameReader(bxml: Bxml)
  Bases: BxmlNameReader
  WEVT method for reading names.
  WEVT uses a different method to read a BXML_NAME: there is no name offset and no leading unknown 32-bit value.
  - read()
    Read the name from the bxml_datastream.
- class dissect.eventlog.bxml.Token(token: int)
  - TOKEN_MASK = 31
  - MORE_MASK = 64
  - __eq__(other) -> bool
    Return self==value.
- class dissect.eventlog.bxml.BxmlTemplateDescriptor(descriptor_struct)
  - property size
  - property value_type
  - DESCRIPTOR_MASK = 127
  - ARRAY_MASK = 128
  - classmethod read_descriptors_from_stream(stream: io.BytesIO)
    Read a range of BXML descriptors from stream.
  - classmethod from_stream(stream: io.BytesIO)
    Read a single BXML descriptor from stream.
- dissect.eventlog.bxml.read_value(binxml: Bxml, descriptor: BxmlTemplateDescriptor, template: Template) -> Any

  | Value | Type | Description |
  | 0x00 | NullType | NULL or empty |
  | 0x01 | StringType | Unicode string |
  | 0x02 | AnsiStringType | ASCII string |
  | 0x03 | Int8Type | 8-bit integer signed |
  | 0x04 | UInt8Type | 8-bit integer unsigned |
  | 0x05 | Int16Type | 16-bit integer signed |
  | 0x06 | UInt16Type | 16-bit integer unsigned |
  | 0x07 | Int32Type | 32-bit integer signed |
  | 0x08 | UInt32Type | 32-bit integer unsigned |
  | 0x09 | Int64Type | 64-bit integer signed |
  | 0x0a | UInt64Type | 64-bit integer unsigned |
  | 0x0b | Real32Type | Floating point 32-bit (single precision) |
  | 0x0c | Real64Type | Floating point 64-bit (double precision) |
  | 0x0d | BoolType | Boolean |
  | 0x0e | BinaryType | Binary data |
  | 0x0f | GuidType | GUID |
  | 0x10 | SizeTType | Size type |
  | 0x11 | FileTimeType | Filetime (64-bit) |
  | 0x12 | SysTimeType | System time (128-bit) |
  | 0x13 | SidType | NT Security Identifier (SID) |
  | 0x14 | HexInt32Type | 32-bit integer hexadecimal |
  | 0x15 | HexInt64Type | 64-bit integer hexadecimal |
  | 0x20 | EvtHandle | |
  | 0x21 | BinXmlType | Binary XML fragment |
  | 0x23 | EvtXml | |

  The values above are the base types; a descriptor whose type byte also has ARRAY_MASK (0x80) set describes an array of that base type, which is read by read_descriptor_array.
- dissect.eventlog.bxml.read_descriptor_array(stream: BinaryIO, descriptor: BxmlTemplateDescriptor) -> List[Any]
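The Token and BxmlTemplateDescriptor masks, the type table of read_value and the array path of read_descriptor_array fit together as one small decoder. The following is an added example written for this page, not dissect.eventlog's implementation: it reuses the page's mask values and a subset of the BxmlType codes, and it assumes the EVTX template-instance layout for the value buffer (a uint32 count, then one (size, type, pad) descriptor per value, then the values back to back), which the page's structs do not spell out. The sample buffer is constructed. Only fixed-width element types are handled in arrays; a real reader must also split NUL-separated string arrays.

```python
import struct
from enum import IntEnum
from io import BytesIO

# Example code for this page, not dissect.eventlog's implementation. Masks mirror
# Token.TOKEN_MASK / MORE_MASK and BxmlTemplateDescriptor.DESCRIPTOR_MASK / ARRAY_MASK.
# The value-buffer layout (count, descriptors, values) is an assumption of this example.
TOKEN_MASK, MORE_MASK = 0x1F, 0x40
DESCRIPTOR_MASK, ARRAY_MASK = 0x7F, 0x80


class BxmlType(IntEnum):  # subset of the page's BxmlType values
    NULL = 0
    STRING = 1
    UINT16 = 6
    INT32 = 7
    UINT32 = 8
    INT64 = 9
    UINT64 = 10
    BOOL = 13
    BINARY = 14
    FILETIME = 17
    HEXINT32 = 20
    HEXINT64 = 21


# struct formats for the fixed-width types (BOOL is a 32-bit value in BXML)
FIXED = {
    BxmlType.UINT16: "<H", BxmlType.INT32: "<i", BxmlType.UINT32: "<I", BxmlType.HEXINT32: "<I",
    BxmlType.BOOL: "<I", BxmlType.INT64: "<q", BxmlType.UINT64: "<Q", BxmlType.HEXINT64: "<Q",
    BxmlType.FILETIME: "<Q",
}


def decode_token(byte: int) -> tuple:
    """Split a token byte into (BxmlToken value, has-more flag). In EVTX 0x41 is a
    BXML_START_ELEMENT whose MORE flag says attributes follow (assumption: EVTX convention)."""
    return byte & TOKEN_MASK, bool(byte & MORE_MASK)


def read_scalar(stream: BytesIO, size: int, type_id: BxmlType):
    """Read one substitution value of `size` bytes and convert it by type."""
    data = stream.read(size)
    if len(data) != size:
        raise ValueError("truncated value data")  # never trust the descriptor size blindly
    if type_id == BxmlType.NULL:
        return None
    if type_id == BxmlType.STRING:
        return data.decode("utf-16-le").rstrip("\x00")
    fmt = FIXED.get(type_id)
    if fmt is None:  # BINARY and the types this example does not decode: keep raw hex
        return data.hex()
    (value,) = struct.unpack(fmt, data[: struct.calcsize(fmt)])
    if type_id in (BxmlType.HEXINT32, BxmlType.HEXINT64):
        return f"0x{value:x}"
    if type_id == BxmlType.BOOL:
        return bool(value)
    return value


def read_array(stream: BytesIO, size: int, base_type: BxmlType) -> list:
    """ARRAY_MASK set: `size` bytes hold back-to-back elements of the base type."""
    fmt = FIXED.get(base_type)
    if fmt is None:
        raise NotImplementedError(f"array of {base_type.name} not handled in this example")
    width = struct.calcsize(fmt)
    if size % width:
        raise ValueError("array size is not a multiple of the element width")
    data = stream.read(size)
    return [read_scalar(BytesIO(data[i:i + width]), width, base_type) for i in range(0, size, width)]


def decode_values(buf: bytes) -> list:
    """Parse the descriptor table, then read each value in descriptor order."""
    stream = BytesIO(buf)
    (count,) = struct.unpack("<I", stream.read(4))
    descriptors = [struct.unpack("<HBB", stream.read(4)) for _ in range(count)]
    values = []
    for size, type_byte, _pad in descriptors:
        base = BxmlType(type_byte & DESCRIPTOR_MASK)
        reader = read_array if type_byte & ARRAY_MASK else read_scalar
        values.append(reader(stream, size, base))
    return values


def build_sample() -> bytes:
    """Constructed value buffer (not from a real log) mixing scalars, an array and a NULL."""
    entries = [
        (BxmlType.STRING, "svchost.exe".encode("utf-16-le")),
        (BxmlType.UINT32, struct.pack("<I", 500)),
        (BxmlType.HEXINT32, struct.pack("<I", 0xC0000022)),
        (ARRAY_MASK | BxmlType.UINT32, struct.pack("<3I", 1, 2, 3)),
        (BxmlType.NULL, b""),
        (BxmlType.BOOL, struct.pack("<I", 1)),
    ]
    table = struct.pack("<I", len(entries)) + b"".join(struct.pack("<HBB", len(d), t, 0) for t, d in entries)
    return table + b"".join(d for _, d in entries)
```

The descriptor sizes come from the file, so the truncation check in read_scalar matters: a crafted or damaged record can declare a size larger than the remaining data, and silently accepting a short read would misalign every later value.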