dissect.eventlog.wevt

Module Contents

Classes
- Start header of the WEVT_TEMPLATE.
- Parses the WEVT format and reads the file's data into memory.
- A wrapper that is used to create a wevt_object.
- A specific MAPS type that behaves differently from WEVT_TYPE.
- A specific WEVT type that loads multiple TEMP.
Functions

Attributes
- dissect.eventlog.wevt.header_dev = Multiline-String

  The cstruct definitions used to parse the WEVT_TEMPLATE resource (the missing `;` after `WEVT_TYPES` in the scraped text has been restored for consistency):

```c
struct Event_Descriptor {
    char    ProviderId[16];
    uint32  offset;
};

struct CRIM_HEADER {
    char    signature[4];
    uint32  size;
    uint32  unknown;
    uint32  providers;
    Event_Descriptor event_providers[providers];
};

struct WEVT_TYPES {
    uint32  type;
    uint32  offset;
};

struct WEVT {
    char    signature[4];
    uint32  size;
    uint32  message_table_id;
    uint32  nr_of_types;
    WEVT_TYPES types[nr_of_types];
};

struct WEVT_TYPE {
    char    signature[4];
    uint32  size;
    uint32  nr_of_items;
};
```
- dissect.eventlog.wevt.c_wevt_headers
- dissect.eventlog.wevt.validate_signature(signature, expected_signature)
- class dissect.eventlog.wevt.CRIM(fh: io.BufferedReader)
  Start header of the WEVT_TEMPLATE. Holds the number of providers inside the template.
  - property file_size
    Return the size of the whole file.
  - wevt_headers()
    Get the WEVT object for a specific provider.
- class dissect.eventlog.wevt.WEVT(provider, fh)
  Parses the WEVT format and reads the file's data into memory. Additionally, it goes through all items inside the file.
  - property len_types
  - property payload_types
  - property provider_id
  - property size
  - __iter__()
  - __repr__()
    Return repr(self).
- class dissect.eventlog.wevt.WEVT_TYPE(offset, data: memoryview)
  A wrapper that is used to create a wevt_object. This class assigns the object the correct offset value and passes along the size of the data.
  - property nr_of_items
  - property size
  - valid_signatures = ['CHAN', 'TEMP', 'PRVA', 'TASK', 'KEYW', 'LEVL', 'OPCO', 'VMAP', 'BMAP', 'MAPS', 'TTBL', 'EVNT']
  - __iter__()
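The following is an added example and not code from dissect.eventlog: it walks the same CRIM -> WEVT -> WEVT_TYPE chain that `header_dev`, `validate_signature`, `CRIM`, `WEVT` and `WEVT_TYPE.valid_signatures` describe, but with the stdlib `struct` module instead of `dissect.cstruct` so it runs without the package. It assumes that `validate_signature` raises on mismatch (the module's exact exception type is not shown on this page), and the `WevtType`/`Wevt` dataclasses, the `classify` triage helper and the `build_sample` blob are all constructed for the example. Every field offset is bounds-checked before it is read, which is the point a practitioner wants when the input is a resource section pulled out of an arbitrary DLL: a wrong `size`, a `nr_of_types` count or a type `offset` that points past the data fails with a clear error instead of a bare `struct.error` or an over-long loop.

```python
"""Stdlib parser for the WEVT_TEMPLATE layouts in header_dev (added example)."""
from __future__ import annotations

import struct
from dataclasses import dataclass

# Same list as WEVT_TYPE.valid_signatures on the page.
VALID_SIGNATURES = {b"CHAN", b"TEMP", b"PRVA", b"TASK", b"KEYW", b"LEVL",
                    b"OPCO", b"VMAP", b"BMAP", b"MAPS", b"TTBL", b"EVNT"}


class SignatureError(ValueError):
    """A 4-byte signature did not match what the layout requires."""


def validate_signature(signature: bytes, expected_signature: bytes) -> None:
    """Counterpart of the module's validate_signature (assumed to raise on mismatch)."""
    if signature != expected_signature:
        raise SignatureError(f"expected {expected_signature!r}, got {signature!r}")


def _unpack(fmt: str, data: bytes, pos: int) -> tuple:
    """struct.unpack_from with an explicit bounds check: a bad offset or a
    truncated blob raises a descriptive ValueError instead of struct.error."""
    end = pos + struct.calcsize(fmt)
    if pos < 0 or end > len(data):
        raise ValueError(f"structure at offset {pos} runs past end of data ({len(data)} bytes)")
    return struct.unpack_from(fmt, data, pos)


@dataclass
class WevtType:          # one WEVT_TYPES entry plus the WEVT_TYPE header it points at
    type: int
    offset: int          # absolute offset of the WEVT_TYPE block within the blob
    signature: bytes
    size: int
    nr_of_items: int


@dataclass
class Wevt:              # one Event_Descriptor plus the WEVT header it points at
    provider_id: bytes   # the 16 raw ProviderId (GUID) bytes
    offset: int
    size: int
    message_table_id: int
    types: list[WevtType]


def parse_wevt(data: bytes, provider_id: bytes, offset: int) -> Wevt:
    # struct WEVT { char signature[4]; uint32 size; uint32 message_table_id; uint32 nr_of_types; }
    sig, size, message_table_id, nr_of_types = _unpack("<4sIII", data, offset)
    validate_signature(sig, b"WEVT")
    types = []
    pos = offset + 16
    for _ in range(nr_of_types):
        type_id, type_offset = _unpack("<II", data, pos)      # struct WEVT_TYPES
        pos += 8
        # struct WEVT_TYPE { char signature[4]; uint32 size; uint32 nr_of_items; }
        tsig, tsize, nr_of_items = _unpack("<4sII", data, type_offset)
        if tsig not in VALID_SIGNATURES:
            raise SignatureError(f"unknown WEVT_TYPE signature {tsig!r} at offset {type_offset}")
        types.append(WevtType(type_id, type_offset, tsig, tsize, nr_of_items))
    return Wevt(provider_id, offset, size, message_table_id, types)


def parse_crim(data: bytes) -> list[Wevt]:
    # struct CRIM_HEADER { char signature[4]; uint32 size; uint32 unknown; uint32 providers; }
    sig, size, _unknown, providers = _unpack("<4sIII", data, 0)
    validate_signature(sig, b"CRIM")
    if size != len(data):   # CRIM.size covers the whole file (cf. CRIM.file_size)
        raise ValueError(f"CRIM size field {size} does not match data length {len(data)}")
    result, pos = [], 16
    for _ in range(providers):
        provider_id, offset = _unpack("<16sI", data, pos)    # struct Event_Descriptor
        pos += 20
        result.append(parse_wevt(data, provider_id, offset))
    return result


def classify(data: bytes) -> str:
    """Triage helper: 'ok', 'bad-signature' or 'malformed' for a candidate blob."""
    try:
        parse_crim(data)
        return "ok"
    except SignatureError:
        return "bad-signature"
    except ValueError:
        return "malformed"


def build_sample() -> bytes:
    """Constructed test blob (not from a real DLL): one provider with a CHAN and
    a TEMP block. Layout: CRIM_HEADER 0-35, WEVT 36-67, CHAN 68-79, TEMP 80-91."""
    provider_id_sample = bytes(range(16))              # placeholder GUID bytes
    chan = struct.pack("<4sII", b"CHAN", 12, 1)
    temp = struct.pack("<4sII", b"TEMP", 12, 3)
    wevt_off = 16 + 20                                 # CRIM header + one Event_Descriptor
    chan_off = wevt_off + 16 + 2 * 8                   # WEVT header + two WEVT_TYPES entries
    temp_off = chan_off + len(chan)
    wevt_size = 16 + 2 * 8 + len(chan) + len(temp)
    wevt = struct.pack("<4sIII", b"WEVT", wevt_size, 0x1234, 2)
    wevt += struct.pack("<II", 0, chan_off) + struct.pack("<II", 1, temp_off)
    crim = struct.pack("<4sIII", b"CRIM", wevt_off + wevt_size, 0, 1)
    crim += struct.pack("<16sI", provider_id_sample, wevt_off)
    return crim + wevt + chan + temp


if __name__ == "__main__":
    for provider in parse_crim(build_sample()):
        print(provider.provider_id.hex(), hex(provider.message_table_id),
              [(t.signature, t.nr_of_items) for t in provider.types])
```

Reading a real provider's WEVT_TEMPLATE resource is the job of `CRIM(fh)` and `WEVT` above; this example only mirrors the header walk so the field order and the failure modes are visible. The `CRIM.size == len(data)` check is deliberately strict: a resource whose declared size disagrees with its actual length is worth flagging during triage rather than silently parsed up to whichever bound is smaller.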