"""
from uuid import UUID
from collections import namedtuple
from dissect import cstruct
from dissect.cstruct import RawType
from dissect.cstruct import Structure
Structure._calc_offsets = lambda _: None
Keyword = namedtuple('Keyword', ['name', 'message', 'mask'])
Task = namedtuple('Task', ['name', 'message', 'value'])
Event = namedtuple('Event', ['symbol', 'value', 'version', 'opcode', 'level', 'task', 'keywords', 'template'])
class VariableType(RawType):
def __init__(self, cstruct, type_, size):
self._t = type_
super().__init__(cstruct, 'VariableType', size)
def as_64bit(self):
raise NotImplementedError()
def as_32bit(self):
raise NotImplementedError()
def _read(self, stream, context=None):
return self._t._read(stream, context)
def _read_array(self, stream, count, context=None):
return self._t._read_array(stream, count, context)
def _read_0(self, stream, context=None):
return self._t._read_0(stream, context)
def _write(self, stream, data):
return self._t._write(stream, data)
def _write_array(self, stream, data):
return self._t._write_array(stream, data)
def _write_0(self, stream, data):
return self._t._write_0(stream, data)
class EtwPointer(VariableType):
def __init__(self, cstruct):
super().__init__(cstruct, cstruct.uint64, 8)
def as_64bit(self):
if self.size == 8:
return
self.size = 8
self._t = self.cstruct.uint64
def as_32bit(self):
if self.size == 4:
return
self.size = 4
self._t = self.cstruct.uint32
class UserSID_blob(VariableType):
def __init__(self, cstruct):
super().__init__(cstruct, cstruct.char[16], 16)
def as_64bit(self):
if self.size == 16:
return
self.size = 16
self._t = self.cstruct.char[16]
def as_32bit(self):
if self.size == 8:
return
self.size = 8
self._t = self.cstruct.char[8]
PROVIDER_NAME = {provider_name!r}
PROVIDER_GUID = UUID({provider_guid!r})
PROVIDER_SYMBOL = {provider_symbol!r}
c_parser = cstruct.cstruct()
c_parser.addtype("EtwPointer", EtwPointer(c_parser))
c_parser.addtype("UserSID_blob", UserSID_blob(c_parser))
c_parser.load("""
struct SYSTEMTIME {{
WORD wYear;
WORD wMonth;
WORD wDayOfWeek;
WORD wDay;
WORD wHour;
WORD wMinute;
WORD wSecond;
WORD wMilliseconds;
}};
struct UserSID {{
uint8 revision;
uint8 subAuthorityCount;
char authority[6];
uint32 subAuthorities[subAuthorityCount];
}};
struct SID {{
UserSID_blob blob;
UserSID sid;
}};
{templates}
""")
STRINGS = {{
{strings}
}}
KEYWORDS = {{
{keywords}
}}
EVENTS = {{
{events}
}}
"""