dissect.etl.headers.event

Module Contents

Classes

EventDescriptor	An representation of the Event data in a event header.
ExtType	Enum where members are also (and must be) ints
EventHeaderExtendedDataItem	Loads an extended data item from payload.
EventHeader	A baseclass for the different ETL headers.

Functions

read_uuid
read_instance_info
read_stack_trace
read_stack_trace64
read_provider_traits

Attributes

extended_data_item_reader

dissect.etl.headers.event.read_uuid(data: bytes) → uuid.UUID

dissect.etl.headers.event.read_instance_info(data: bytes) → collections.OrderedDict[str, Any]

dissect.etl.headers.event.read_stack_trace(data: bytes) → collections.OrderedDict[str, Any]

dissect.etl.headers.event.read_stack_trace64(data: bytes) → collections.OrderedDict[str, Any]

dissect.etl.headers.event.read_provider_traits(data: bytes) → collections.OrderedDict[str, Any]

class dissect.etl.headers.event.EventDescriptor(header: dissect.etl.headers.headers.Header)

An representation of the Event data in a event header.

__slots__ = ['channel', 'id', 'keywords', 'level', 'opcode', 'task', 'version']

id

version

channel

level

opcode

task

keywords

class dissect.etl.headers.event.ExtType

Bases: enum.IntEnum

Enum where members are also (and must be) ints

RELATED_ACTIVITY_ID = 1

SID = 2

TS_ID = 3

INSTANCE_INFO = 4

STACK_TRACE32 = 5

STACK_TRACE64 = 6

PEBS_INDEX = 7

PMC_COUNTERS = 8

PSM_KEY = 9

EVENT_KEY = 10

EVENT_SCHEMA_TL = 11

PROV_TRAITS = 12

PROCESS_START_KEY = 13

TYPE_MAX = 14

UNKNOWN = 0

dissect.etl.headers.event.extended_data_item_reader

class dissect.etl.headers.event.EventHeaderExtendedDataItem(payload: bytes)

Loads an extended data item from payload.

__slots__ = ['data', 'data_size', 'ext_type', 'linkage', 'raw_data', 'reserved1', 'reserved2', 'size']

size

ext_type

reserved1

data_size

data

raw_data

linkage = 0

reserved2 = 0

validate_header() → None

__getattr__(name: str) → Any

__repr__() → str

class dissect.etl.headers.event.EventHeader(marker: Marker, data: memoryview, etl: dissect.etl.etl.ETL)

Bases: dissect.etl.headers.headers.Header

A baseclass for the different ETL headers.

property descriptor: EventDescriptor

Event descriptor of the header.

property header_extensions: list[EventHeaderExtendedDataItem]

A list with all the extended data items for this Event.

property minimal_size: int

Minimum header size.

property provider_id: uuid.UUID

Provider that generated this event.

property activity_id: uuid.UUID

The ID associated with the activity in the event.

At least, that is my assumption.

property opcode: int

The opcode used in this event.

property thread_id: int

The thread id that created this event.

property process_id: int

The process id that created this event.

additional_header_fields() → dict[str, Any]

Additional fields that hold interesting information.

each header subclass defines what additional information it wants to return to a record.