dissect.eventlog.wevt_object#

Module Contents#

Classes#

WevtObject

Base object that functions as a wrapper for the header

WevtName

Base object that functions as a wrapper for the header

CHAN

Base object that functions as a wrapper for the header

OPCO

Base object that functions as a wrapper for the header

LEVL

Base object that functions as a wrapper for the header

KEYW

Base object that functions as a wrapper for the header

VMAP

Base object that functions as a wrapper for the header

BMAP

Base object that functions as a wrapper for the header

PRVA

Base object that functions as a wrapper for the header

TASK

Base object that functions as a wrapper for the header

EVNT

Base object that functions as a wrapper for the header

TEMP

Base object that functions as a wrapper for the header

TEMP_DESCRIPTOR

Base object that functions as a wrapper for the header

Attributes#

dissect.eventlog.wevt_object.wevt_object_def = Multiline-String#
"""
struct DATA_ITEM {
    uint32  size;
    wchar   name[(size/2)-2];
};

struct CHAN {
    uint32  id;
    uint32  data_offset;
    uint32  nr;
    uint32  message_table_id;
};

struct TEMP {
    char          signature[4];
    uint32        size;
    uint32        nr_of_items;
    uint32        nr_of_names;
    uint32        data_offset;
    uint32        binxml_fragments;
    char          identifier[16];
};

struct TEMP_DESCRIPTOR {
    uint32        unknown0;
    uint8         input_type;
    uint8         output_type;
    uint16        unknown1;
    uint32        unknown2;
    uint32        unknown3;
    uint32        data_offset;
}

struct PRVA {
    uint32        unknown;
    uint32        data_offset;
};

struct TASK {
    uint32        id;
    uint32        message_table_id;
    char          mui_id[16];
    uint32        data_offset;
};

struct KEYW {
    uint64        bitmask;
    uint32        message_table_id;
    uint32        data_offset;
};

struct LEVL {
    uint32        id;
    uint32        message_table_id;
    uint32        data_offset;
};

struct EVNT {
    uint16  id;
    uchar   version;
    uchar   channel;
    uchar   level;
    uchar   opcode;
    uint16  task;
    uint64  keyword;
    uint32  message_table_id;
    uint32  template_offset;
    uint32  opcode_offset;
    uint32  level_offset;
    uint32  task_offset;
    uint32  data_counter;
    uint32  data_offset;
    uint32  flags;
};

struct OPCO {
    uint16  task_id;
    uint16  value;
    uint32  message_table_id;
    uint32  data_offset;
};

struct VMAP {
    char   signature[4];
    uint32 size;
    uint32 data_offset;
};

struct BMAP {
    char   signature[4];
    uint32 size;
    uint32 data_offset;
};
"""
dissect.eventlog.wevt_object.wevt_objects#
class dissect.eventlog.wevt_object.WevtObject(offset, data)#

Base object that functions as a wrapper for the header

extract_name(data_offset)#

data_offset is a relative offset that usually points to a DATA_ITEM. This offset is used to read the name for this specific object.

__getattribute__(name: str)#

Return getattr(self, name).

__repr__()#

Use __slots__ to collect all the data needed to represent the object.

class dissect.eventlog.wevt_object.WevtName(offset, data)#

Bases: WevtObject

Base object that functions as a wrapper for the header

class dissect.eventlog.wevt_object.CHAN(offset, data)#

Bases: WevtName

Base object that functions as a wrapper for the header

__slots__ = ['offset', 'id', 'message_table_id', 'name', 'nr']#
class dissect.eventlog.wevt_object.OPCO(offset, data)#

Bases: WevtName

Base object that functions as a wrapper for the header

__slots__ = ['offset', 'task_id', 'value', 'message_table_id', 'name']#
class dissect.eventlog.wevt_object.LEVL(offset, data)#

Bases: WevtName

Base object that functions as a wrapper for the header

__slots__ = ['offset', 'id', 'message_table_id', 'name']#
class dissect.eventlog.wevt_object.KEYW(offset, data)#

Bases: WevtName

Base object that functions as a wrapper for the header

__slots__ = ['offset', 'bitmask', 'message_table_id', 'name']#
class dissect.eventlog.wevt_object.VMAP(offset, data)#

Bases: WevtName

Base object that functions as a wrapper for the header

__slots__ = ['offset', 'name']#
class dissect.eventlog.wevt_object.BMAP(offset, data)#

Bases: WevtName

Base object that functions as a wrapper for the header

__slots__ = ['offset', 'name']#
class dissect.eventlog.wevt_object.PRVA(offset, data)#

Bases: WevtObject

Base object that functions as a wrapper for the header

__slots__ = ['offset', 'unknown']#
class dissect.eventlog.wevt_object.TASK(offset, data)#

Bases: WevtName

Base object that functions as a wrapper for the header

__slots__ = ['offset', 'id', 'message_table_id', 'mui_id', 'name']#
class dissect.eventlog.wevt_object.EVNT(offset, data)#

Bases: WevtObject

Base object that functions as a wrapper for the header

__slots__ = ['offset', 'id', 'version', 'channel', 'level', 'opcode', 'task', 'keyword', 'message_table_id',...#
class dissect.eventlog.wevt_object.TEMP(offset, data)#

Bases: WevtObject

Base object that functions as a wrapper for the header

__slots__ = ['offset', 'identifier', 'template', 'names']#
class dissect.eventlog.wevt_object.TEMP_DESCRIPTOR(offset, data)#

Bases: WevtName

Base object that functions as a wrapper for the header

__slots__ = ['inType', 'outType', 'name']#