"""
from uuid import UUID
from collections import namedtuple
from dissect import cstruct
from dissect.cstruct import BaseType, MetaType, Structure
# Replace dissect.cstruct's Structure offset calculation with a no-op for every
# structure this module parses. NOTE(review): presumably needed because the
# generated templates contain variable-length fields (see the
# subAuthorities[subAuthorityCount] array in UserSID below), for which fixed
# offsets cannot be computed up front - confirm against the generator.
Structure._calc_offsets = lambda _: None
# Record types for the generated lookup tables. Field names are given as one
# whitespace-separated string, which namedtuple accepts exactly like a list.
# NOTE(review): presumably instantiated by the generator inside the KEYWORDS /
# EVENTS placeholders further down - verify against the generator.
Keyword = namedtuple('Keyword', 'name message mask')
Task = namedtuple('Task', 'name message value')
Event = namedtuple(
    'Event',
    'symbol value version opcode level task keywords template',
)
class VariableType(BaseType):
    """Base for cstruct types whose byte width depends on the provider's bitness.

    A subclass implements ``as_64bit`` / ``as_32bit`` to set ``type`` and
    ``size`` on the class; every read and write is then forwarded to the
    backing ``type``.
    """

    # Backing cstruct type and its width in bytes. Neither is set here; a
    # subclass's as_64bit/as_32bit assigns both.
    type: MetaType
    size: int

    @classmethod
    def as_64bit(cls):
        """Select the 64-bit representation. Subclasses must override."""
        raise NotImplementedError

    @classmethod
    def as_32bit(cls):
        """Select the 32-bit representation. Subclasses must override."""
        raise NotImplementedError

    @classmethod
    def _read(cls, stream, context=None):
        """Forward a ``_read`` call to the backing type."""
        backing = cls.type
        return backing._read(stream, context)

    @classmethod
    def _read_0(cls, stream, context=None):
        """Forward a ``_read_0`` call to the backing type."""
        backing = cls.type
        return backing._read_0(stream, context)

    @classmethod
    def _write(cls, stream, data):
        """Forward a ``_write`` call to the backing type."""
        backing = cls.type
        return backing._write(stream, data)
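class EtwPointer(VariableType):
    """Pointer-sized integer whose width follows the provider's bitness.

    ``as_64bit`` / ``as_32bit`` swap the backing cstruct type and ``size``
    on the class itself; each is a no-op when the class already has that
    width.
    """

    @classmethod
    def as_64bit(cls):
        """Back the type with ``uint64`` (8 bytes); no-op if already 64-bit."""
        if cls.size == 8:
            return
        cls.size = 8
        cls.type = cls.cs.uint64

    @classmethod
    def as_32bit(cls):
        """Back the type with ``uint32`` (4 bytes); no-op if already 32-bit.

        Declared as a classmethod like ``as_64bit`` and the base class: without
        the decorator this would shadow ``VariableType.as_32bit`` with a plain
        function, and ``EtwPointer.as_32bit()`` would fail with a missing
        ``cls`` argument instead of switching the width.
        """
        if cls.size == 4:
            return
        cls.size = 4
        cls.type = cls.cs.uint32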
class UserSID_blob(VariableType):
    """Fixed-width ``char`` blob that precedes the SID body in the ``SID`` struct.

    16 bytes for a 64-bit provider, 8 bytes for a 32-bit one; switching is a
    no-op when the class already has the requested width.
    """

    @classmethod
    def _resize(cls, nbytes):
        """Back the type with ``char[nbytes]`` unless ``size`` already matches."""
        if cls.size == nbytes:
            return
        cls.size = nbytes
        cls.type = cls.cs.char[nbytes]

    @classmethod
    def as_64bit(cls):
        """Use the 16-byte blob layout."""
        cls._resize(16)

    @classmethod
    def as_32bit(cls):
        """Use the 8-byte blob layout."""
        cls._resize(8)
# Provider identity; the three values are filled in by the code generator.
PROVIDER_NAME = {provider_name!r}
PROVIDER_GUID = UUID({provider_guid!r})
PROVIDER_SYMBOL = {provider_symbol!r}
# Parser for this provider's event templates. The two custom types are
# width-switchable (EtwPointer / UserSID_blob above). NOTE(review): their
# as_64bit/as_32bit presumably has to be called for the recording system's
# bitness before any pointer- or SID-bearing template is parsed - confirm
# against the caller.
c_parser = cstruct.cstruct()
c_parser.add_custom_type("EtwPointer", EtwPointer)
c_parser.add_custom_type("UserSID_blob", UserSID_blob)
# Structures shared by all templates. UserSID.subAuthorities is sized by the
# uint8 subAuthorityCount read from the record itself, so a malformed or
# hostile record can make the parser consume up to 255 uint32 values it did
# not expect; a short or truncated read here should be treated as a parse
# error rather than a valid SID. Structure._calc_offsets is disabled at the
# top of this module, presumably because of this variable-length array.
c_parser.load("""
struct SYSTEMTIME {{
WORD wYear;
WORD wMonth;
WORD wDayOfWeek;
WORD wDay;
WORD wHour;
WORD wMinute;
WORD wSecond;
WORD wMilliseconds;
}};
struct UserSID {{
uint8 revision;
uint8 subAuthorityCount;
char authority[6];
uint32 subAuthorities[subAuthorityCount];
}};
struct SID {{
UserSID_blob blob;
UserSID sid;
}};
{templates}
""")
# Lookup tables filled in by the generator: manifest strings, keyword masks
# and event definitions.
STRINGS = {{
{strings}
}}
KEYWORDS = {{
{keywords}
}}
EVENTS = {{
{events}
}}
"""