`dissect.eventlog.wevt_object`¶

Module Contents¶

Classes¶

`WevtObject`	Base object that functions as a wrapper for the header
`WevtName`	Base object that functions as a wrapper for the header
`CHAN`	Base object that functions as a wrapper for the header
`OPCO`	Base object that functions as a wrapper for the header
`LEVL`	Base object that functions as a wrapper for the header
`KEYW`	Base object that functions as a wrapper for the header
`VMAP`	Base object that functions as a wrapper for the header
`BMAP`	Base object that functions as a wrapper for the header
`PRVA`	Base object that functions as a wrapper for the header
`TASK`	Base object that functions as a wrapper for the header
`EVNT`	Base object that functions as a wrapper for the header
`TEMP`	Base object that functions as a wrapper for the header
`TEMP_DESCRIPTOR`	Base object that functions as a wrapper for the header

Attributes¶

`wevt_object_def`
`c_wevt_objects`

dissect.eventlog.wevt_object.wevt_object_def = Multiline-String¶

Show Value

"""
struct DATA_ITEM {
    uint32  size;
    wchar   name[(size/2)-2];
};

struct CHAN {
    uint32  id;
    uint32  data_offset;
    uint32  nr;
    uint32  message_table_id;
};

struct TEMP {
    char    signature[4];
    uint32  size;
    uint32  nr_of_items;
    uint32  nr_of_names;
    uint32  data_offset;
    uint32  binxml_fragments;
    char    identifier[16];
};

struct TEMP_DESCRIPTOR {
    uint32  unknown0;
    uint8   input_type;
    uint8   output_type;
    uint16  unknown1;
    uint32  unknown2;
    uint32  unknown3;
    uint32  data_offset;
}

struct PRVA {
    uint32  unknown;
    uint32  data_offset;
};

struct TASK {
    uint32  id;
    uint32  message_table_id;
    char    mui_id[16];
    uint32  data_offset;
};

struct KEYW {
    uint64  bitmask;
    uint32  message_table_id;
    uint32  data_offset;
};

struct LEVL {
    uint32  id;
    uint32  message_table_id;
    uint32  data_offset;
};

struct EVNT {
    uint16  id;
    uchar   version;
    uchar   channel;
    uchar   level;
    uchar   opcode;
    uint16  task;
    uint64  keyword;
    uint32  message_table_id;
    uint32  template_offset;
    uint32  opcode_offset;
    uint32  level_offset;
    uint32  task_offset;
    uint32  data_counter;
    uint32  data_offset;
    uint32  flags;
};

struct OPCO {
    uint16  task_id;
    uint16  value;
    uint32  message_table_id;
    uint32  data_offset;
};

struct VMAP {
    char   signature[4];
    uint32 size;
    uint32 data_offset;
};

struct BMAP {
    char   signature[4];
    uint32 size;
    uint32 data_offset;
};
"""

dissect.eventlog.wevt_object.c_wevt_objects¶

class dissect.eventlog.wevt_object.WevtObject(offset, data)¶

Base object that functions as a wrapper for the header

offset¶

header¶

data¶

data_start¶

data_offset¶

extract_name(data_offset)¶: data_offset is a relative offset that usually points to the data_item. This point is used to read the name for this specific