dissect.eventlog.bxml#

Binary XML classes

Module Contents#

Classes#

BxmlToken

Enum where members are also (and must be) ints

BxmlType

Enum where members are also (and must be) ints

BxmlTag

BxmlSub

Template

Bxml

An object that keeps track of the BXML streams

BxmlNameReader

An interface that allows different methods of reading names from BXML data.

EvtxNameReader

Evtx method to read names in BXML.

WevtNameReader

WEVT method for reading names.

Token

BxmlTemplateDescriptor

Functions#

read_systemtime

Read systemtime from stream.

read_guid

Read guid from stream.

read_sid

Read SID from stream.

parse_bxml

read_value

0x00 NullType NULL or empty

read_descriptor_array

read_binxml_fragment

Attributes#

class dissect.eventlog.bxml.BxmlToken#

Bases: enum.IntEnum

Enum where members are also (and must be) ints

BXML_END = 0#
BXML_START_ELEMENT = 1#
BXML_CLOSE_START_ELEMENT_TAG = 2#
BXML_CLOSE_EMPTY_ELEMENT_TAG = 3#
BXML_END_ELEMENT = 4#
BXML_VALUE = 5#
BXML_ATTRIBUTE = 6#
BXML_TOKEN_CHAR_REFERENCE = 8#
BXML_TOKEN_ENTITY_REFERENCE = 9#
BXML_TEMPLATE_INSTANCE = 12#
BXML_TOKEN_NORMAL_SUBSTITUTION = 13#
BXML_TOKEN_OPTIONAL_SUBSTITUTION = 14#
BXML_FRAGMENT_HEADER = 15#
class dissect.eventlog.bxml.BxmlType#

Bases: enum.IntEnum

Enum where members are also (and must be) ints

NULL = 0#
STRING = 1#
ANSITRING = 2#
INT8 = 3#
UINT8 = 4#
INT16 = 5#
UINT16 = 6#
INT32 = 7#
UINT32 = 8#
INT64 = 9#
UINT64 = 10#
FLOAT = 11#
DOUBLE = 12#
BOOL = 13#
BINARY = 14#
GUID = 15#
SIZET = 16#
FILETIME = 17#
SYSTEMTIME = 18#
SID = 19#
HEXINT32 = 20#
HEXINT64 = 21#
EVTHANDLE = 32#
BINXML = 33#
EVTXML = 35#
__str__() str#

Return str(self).

dissect.eventlog.bxml.bxml_def = Multiline-String#
"""
struct BXML_FRAGMENT_HEADER {
    uint8 major_version;
    uint8 minor_version;
    uint8 flags;
};

struct BXML_ELEMENT_START_TPL {
    uint16 dependency_id;
    uint32 data_size;
};

struct BXML_ELEMENT_START {
    uint32 data_size;
};

struct BXML_NAME {
    uint32 unknown;
    uint16 hash;
    uint16 size;
    wchar value[size];
};

struct BXML_ATTR {
    uint8 token;
};

struct BXML_VALUE_TEXT {
    uint16 size;
    wchar value[size];
};

struct BXML_TEMPLATE_REFERENCE {
    uint8 a;
    uint32 template_id;
    uint32 offset;
};

struct BXML_TEMPLATE_DEFINITION {
    uint32 next_template;
    char identifier[16];
    uint32 data_size;
};

struct BXML_OPTIONAL_SUBSTITUTION {
    uint16 sub_id;
    uint8 value_type;
};

struct BXML_TEMPLATE_VALUE_DESC {
    uint16 size;
    uint8 type_id;
    uint8 a;
};

typedef struct SID {
    uint8 revision;
    uint8 subAuthorityCount;
    char authority[6];
    uint32 subAuthorities[subAuthorityCount];
};

struct SYSTEMTIME {
    WORD wYear;
    WORD wMonth;
    WORD wDayOfWeek;
    WORD wDay;
    WORD wHour;
    WORD wMinute;
    WORD wSecond;
    WORD wMilliseconds;
};
"""
dissect.eventlog.bxml.bxml_struct#
dissect.eventlog.bxml.read_systemtime(stream)#

Read systemtime from stream.

dissect.eventlog.bxml.read_guid(stream) str#

Read guid from stream.

dissect.eventlog.bxml.read_sid(stream) str#

Read SID from stream.

dissect.eventlog.bxml.TYPE_READERS#
class dissect.eventlog.bxml.BxmlTag(name: str)#
__str__()#

Return str(self).

add_children(tags: list) None#
add_attributes(attribute: dict) None#
class dissect.eventlog.bxml.BxmlSub(sub_id)#
__repr__()#

Return repr(self).

__str__()#

Return str(self).

set(value) None#
get() Any#
class dissect.eventlog.bxml.Template#
__str__()#

Return str(self).

add_sub(sub_id: int, tag: BxmlSub)#
create_map()#
as_map()#
as_full_map()#
add_child_template(tpl)#
class dissect.eventlog.bxml.Bxml(bxml_stream: io.BytesIO, elf_chunk_stream: io.BytesIO)#

An object that keeps track of the BXML streams

property current_offset: int#

Current offset in the BXML data stream.

read_name_from_stream() str#

Use _reader to read a specific name from the stream.

set_name_reader(reader) None#
read_token(template: Template = None)#

Read the next BXML token from stream.

parse_start_element(more_data: bool, template: Template) BxmlTag#
read_value(flag_more: bool, template: Template) str#
read_attribute(template: Template) Tuple[str, Any]#
read_entity_reference(flag_more: bool, template: Template) str#
substitute_token_and_add_to_template(template: Template) BxmlSub#
read_fragment_header() BxmlToken#
read_char_reference() str#
read_template_instance() Template#
class dissect.eventlog.bxml.BxmlNameReader(bxml: Bxml)#

An interface to facilitate different methods to read names with BXML data.

read() str#

Read the name from the bxml_datastream.

class dissect.eventlog.bxml.EvtxNameReader(bxml: Bxml)#

Bases: BxmlNameReader

Evtx method to read names in BXML.

read() str#

Read name from BXML data.

If the offset is outside the BXML data range, the elf_chunk data is used instead.

class dissect.eventlog.bxml.WevtNameReader(bxml: Bxml)#

Bases: BxmlNameReader

WEVT method for reading names.

WEVT uses a different method to read BXML_NAME: there is no offset, and there is an additional unknown 32-bit value.

read()#

Read the name from the bxml_datastream.

class dissect.eventlog.bxml.Token(token: int)#
TOKEN_MASK = 31#
MORE_MASK = 64#
__eq__(other) bool#

Return self==value.

dissect.eventlog.bxml.parse_bxml(bxml: Bxml)#
class dissect.eventlog.bxml.BxmlTemplateDescriptor(descriptor_struct)#
property size#
property value_type#
DESCRIPTOR_MASK = 127#
ARRAY_MASK = 128#
classmethod read_descriptors_from_stream(stream: io.BytesIO)#

Read a range of BXML descriptors from stream.

classmethod from_stream(stream: io.BytesIO)#

Read a single BXML descriptor from stream.

dissect.eventlog.bxml.read_value(binxml: Bxml, descriptor: BxmlTemplateDescriptor, template: Template) Any#

Value type codes:

0x00 NullType: NULL or empty
0x01 StringType: Unicode string
0x02 AnsiStringType: ASCII string
0x03 Int8Type: 8-bit integer, signed
0x04 UInt8Type: 8-bit integer, unsigned
0x05 Int16Type: 16-bit integer, signed
0x06 UInt16Type: 16-bit integer, unsigned
0x07 Int32Type: 32-bit integer, signed
0x08 UInt32Type: 32-bit integer, unsigned
0x09 Int64Type: 64-bit integer, signed
0x0a UInt64Type: 64-bit integer, unsigned
0x0b Real32Type: Floating point 32-bit (single precision)
0x0c Real64Type: Floating point 64-bit (double precision)
0x0d BoolType: Boolean
0x0e BinaryType: Binary data
0x0f GuidType: GUID
0x10 SizeT Type: Size type
0x11 FileTimeType: Filetime (64-bit)
0x12 SysTimeType: System time (128-bit)
0x13 SidType: NT Security Identifier (SID)
0x14 HexInt32Type: 32-bit integer, hexadecimal
0x15 HexInt64Type: 64-bit integer, hexadecimal
0x20 EvtHandle
0x21 BinXmlType: Binary XML fragment
0x23 EvtXml

dissect.eventlog.bxml.read_descriptor_array(stream: BinaryIO, descriptor: BxmlTemplateDescriptor) List[Any]#
dissect.eventlog.bxml.read_binxml_fragment(bxml: Bxml, template: Template, length)#