:py:mod:`dissect.eventlog.bxml`
===============================

.. py:module:: dissect.eventlog.bxml

.. autoapi-nested-parse::

   Binary XML classes

Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.eventlog.bxml.BxmlToken
   dissect.eventlog.bxml.BxmlType
   dissect.eventlog.bxml.BxmlTag
   dissect.eventlog.bxml.BxmlSub
   dissect.eventlog.bxml.Template
   dissect.eventlog.bxml.Bxml
   dissect.eventlog.bxml.BxmlNameReader
   dissect.eventlog.bxml.EvtxNameReader
   dissect.eventlog.bxml.WevtNameReader
   dissect.eventlog.bxml.Token
   dissect.eventlog.bxml.BxmlTemplateDescriptor

Functions
~~~~~~~~~

.. autoapisummary::
   :nosignatures:

   dissect.eventlog.bxml.read_systemtime
   dissect.eventlog.bxml.read_guid
   dissect.eventlog.bxml.read_sid
   dissect.eventlog.bxml.parse_bxml
   dissect.eventlog.bxml.read_value
   dissect.eventlog.bxml.read_descriptor_array
   dissect.eventlog.bxml.read_binxml_fragment

Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.eventlog.bxml.bxml_def
   dissect.eventlog.bxml.bxml_struct
   dissect.eventlog.bxml.TYPE_READERS

.. py:class:: BxmlToken

   Bases: :py:obj:`enum.IntEnum`

   Enum where members are also (and must be) ints

   .. py:attribute:: BXML_END
      :value: 0

   .. py:attribute:: BXML_START_ELEMENT
      :value: 1

   .. py:attribute:: BXML_CLOSE_START_ELEMENT_TAG
      :value: 2

   .. py:attribute:: BXML_CLOSE_EMPTY_ELEMENT_TAG
      :value: 3

   .. py:attribute:: BXML_END_ELEMENT
      :value: 4

   .. py:attribute:: BXML_VALUE
      :value: 5

   .. py:attribute:: BXML_ATTRIBUTE
      :value: 6

   .. py:attribute:: BXML_TOKEN_CHAR_REFERENCE
      :value: 8

   .. py:attribute:: BXML_TOKEN_ENTITY_REFERENCE
      :value: 9

   .. py:attribute:: BXML_TEMPLATE_INSTANCE
      :value: 12

   .. py:attribute:: BXML_TOKEN_NORMAL_SUBSTITUTION
      :value: 13

   .. py:attribute:: BXML_TOKEN_OPTIONAL_SUBSTITUTION
      :value: 14

   .. py:attribute:: BXML_FRAGMENT_HEADER
      :value: 15

.. py:class:: BxmlType

   Bases: :py:obj:`enum.IntEnum`

   Enum where members are also (and must be) ints

   .. py:attribute:: NULL
      :value: 0

   .. py:attribute:: STRING
      :value: 1

   .. py:attribute:: ANSITRING
      :value: 2

   .. py:attribute:: INT8
      :value: 3

   .. py:attribute:: UINT8
      :value: 4

   .. py:attribute:: INT16
      :value: 5

   .. py:attribute:: UINT16
      :value: 6

   .. py:attribute:: INT32
      :value: 7

   .. py:attribute:: UINT32
      :value: 8

   .. py:attribute:: INT64
      :value: 9

   .. py:attribute:: UINT64
      :value: 10

   .. py:attribute:: FLOAT
      :value: 11

   .. py:attribute:: DOUBLE
      :value: 12

   .. py:attribute:: BOOL
      :value: 13

   .. py:attribute:: BINARY
      :value: 14

   .. py:attribute:: GUID
      :value: 15

   .. py:attribute:: SIZET
      :value: 16

   .. py:attribute:: FILETIME
      :value: 17

   .. py:attribute:: SYSTEMTIME
      :value: 18

   .. py:attribute:: SID
      :value: 19

   .. py:attribute:: HEXINT32
      :value: 20

   .. py:attribute:: HEXINT64
      :value: 21

   .. py:attribute:: EVTHANDLE
      :value: 32

   .. py:attribute:: BINXML
      :value: 33

   .. py:attribute:: EVTXML
      :value: 35

   .. py:method:: __str__() -> str

      Return str(self).

.. py:data:: bxml_def
   :value: Multiline-String

   .. code-block:: python

      """
      struct BXML_FRAGMENT_HEADER {
          uint8   major_version;
          uint8   minor_version;
          uint8   flags;
      };

      struct BXML_ELEMENT_START_TPL {
          uint16  dependency_id;
          uint32  data_size;
      };

      struct BXML_ELEMENT_START {
          uint32  data_size;
      };

      struct BXML_NAME {
          uint32  unknown;
          uint16  hash;
          uint16  size;
          wchar   value[size];
      };

      struct BXML_ATTR {
          uint8   token;
      };

      struct BXML_VALUE_TEXT {
          uint16  size;
          wchar   value[size];
      };

      struct BXML_TEMPLATE_REFERENCE {
          uint8   a;
          uint32  template_id;
          uint32  offset;
      };

      struct BXML_TEMPLATE_DEFINITION {
          uint32  next_template;
          char    identifier[16];
          uint32  data_size;
      };

      struct BXML_OPTIONAL_SUBSTITUTION {
          uint16  sub_id;
          uint8   value_type;
      };

      struct BXML_TEMPLATE_VALUE_DESC {
          uint16  size;
          uint8   type_id;
          uint8   a;
      };

      typedef struct SID {
          uint8   revision;
          uint8   subAuthorityCount;
          char    authority[6];
          uint32  subAuthorities[subAuthorityCount];
      };

      struct SYSTEMTIME {
          WORD    wYear;
          WORD    wMonth;
          WORD    wDayOfWeek;
          WORD    wDay;
          WORD    wHour;
          WORD    wMinute;
          WORD    wSecond;
          WORD    wMilliseconds;
      };
      """
.. py:data:: bxml_struct

.. py:function:: read_systemtime(stream)

   Read systemtime from stream.

.. py:function:: read_guid(stream) -> str

   Read guid from stream.

.. py:function:: read_sid(stream) -> str

   Read SID from stream.

.. py:data:: TYPE_READERS

.. py:class:: BxmlTag(name: str)

   .. py:method:: __str__()

      Return str(self).

   .. py:method:: add_children(tags: list) -> None

   .. py:method:: add_attributes(attribute: dict) -> None

.. py:class:: BxmlSub(sub_id)

   .. py:method:: __repr__()

      Return repr(self).

   .. py:method:: __str__()

      Return str(self).

   .. py:method:: set(value) -> None

   .. py:method:: get() -> Any

.. py:class:: Template

   .. py:method:: __str__()

      Return str(self).

   .. py:method:: add_sub(sub_id: int, tag: BxmlSub)

   .. py:method:: create_map()

   .. py:method:: as_map()

   .. py:method:: as_full_map()

   .. py:method:: add_child_template(tpl)

.. py:class:: Bxml(bxml_stream: io.BytesIO, elf_chunk_stream: io.BytesIO)

   An object that keeps track of the BXML streams

   .. py:property:: current_offset
      :type: int

      Current offset in the BXML data stream.

   .. py:method:: read_name_from_stream() -> str

      Use _reader to read a specific name from stream

   .. py:method:: set_name_reader(reader) -> None

   .. py:method:: read_token(template: Template = None)

      Read the next BXML token from stream.

   .. py:method:: parse_start_element(more_data: bool, template: Template) -> BxmlTag

   .. py:method:: read_value(flag_more: bool, template: Template) -> str

   .. py:method:: read_attribute(template: Template) -> Tuple[str, Any]

   .. py:method:: read_entity_reference(flag_more: bool, template: Template) -> str

   .. py:method:: substitute_token_and_add_to_template(template: Template) -> BxmlSub

   .. py:method:: read_fragment_header() -> BxmlToken

   .. py:method:: read_char_reference() -> str

   .. py:method:: read_template_instance() -> Template

.. py:class:: BxmlNameReader(bxml: Bxml)

   An interface to facilitate different methods to read names with BXML data.

   .. py:method:: read() -> str

      Read the name from the bxml_datastream.
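The ``read_sid``, ``read_guid`` and ``read_systemtime`` helpers listed above decode the fixed-layout value types that ``bxml_def`` declares. The following is an added example, not code from ``dissect.eventlog``: it reads the same three layouts (``SID``, a 16-byte little-endian GUID, and ``SYSTEMTIME``) from a byte stream with ``struct``, and bounds the SID sub-authority count before trusting it, since that count is a length field taken from untrusted log data. The helper names, the ``SID_MAX_SUB_AUTHORITIES`` cap (the Windows limit of 15) and all sample bytes are this example's own.

```python
"""Added example (not dissect.eventlog's own code): decode SID, GUID and
SYSTEMTIME values from a byte stream following the layouts in bxml_def.
Helper names and sample bytes are constructed for illustration."""
import datetime
import io
import struct
import uuid

# Windows allows at most 15 sub-authorities in a SID (SID_MAX_SUB_AUTHORITIES).
SID_MAX_SUB_AUTHORITIES = 15


def read_sid(stream: io.BytesIO) -> str:
    """Read a SID per bxml_def: uint8 revision, uint8 subAuthorityCount,
    6-byte big-endian authority, then `count` little-endian uint32
    sub-authorities. Returns the textual S-R-A-S... form."""
    revision, count = struct.unpack("<BB", stream.read(2))
    if count > SID_MAX_SUB_AUTHORITIES:
        # A count above the Windows maximum means a corrupt or hostile record;
        # refuse rather than over-read on the strength of the length field.
        raise ValueError(f"SID sub-authority count {count} exceeds {SID_MAX_SUB_AUTHORITIES}")
    authority = int.from_bytes(stream.read(6), "big")
    subs = struct.unpack(f"<{count}I", stream.read(4 * count))  # struct.error if truncated
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def read_guid(stream: io.BytesIO) -> str:
    """Read a 16-byte GUID in Windows (little-endian data1..data3) byte order."""
    data = stream.read(16)
    if len(data) != 16:
        raise ValueError("truncated GUID")
    return "{" + str(uuid.UUID(bytes_le=data)) + "}"


def read_systemtime(stream: io.BytesIO) -> datetime.datetime:
    """Read the eight WORD fields of SYSTEMTIME. wDayOfWeek is derived from the
    date, so it is read but not used to build the datetime."""
    year, month, _dow, day, hour, minute, second, millis = struct.unpack("<8H", stream.read(16))
    return datetime.datetime(year, month, day, hour, minute, second, millis * 1000)


# Constructed sample input (not taken from any real log):
SAMPLE_SID = bytes.fromhex("0101" "000000000005" "12000000")      # S-1-5-18
SAMPLE_GUID = bytes.fromhex("78563412bc9af0de123456789abcdef0")   # {12345678-9abc-def0-1234-56789abcdef0}
SAMPLE_SYSTEMTIME = struct.pack("<8H", 2024, 1, 1, 15, 13, 37, 42, 250)
SAMPLE_BAD_SID = bytes.fromhex("0140" "000000000005")            # count 64: must be rejected


def decode_samples() -> dict:
    """Decode the constructed samples; returns a dict for inspection/testing."""
    return {
        "sid": read_sid(io.BytesIO(SAMPLE_SID)),
        "guid": read_guid(io.BytesIO(SAMPLE_GUID)),
        "systemtime": read_systemtime(io.BytesIO(SAMPLE_SYSTEMTIME)),
    }


def bad_sid_is_rejected() -> bool:
    """True if the over-long sub-authority count raises instead of being read."""
    try:
        read_sid(io.BytesIO(SAMPLE_BAD_SID))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name, value in decode_samples().items():
        print(f"{name}: {value}")
    print("bad SID rejected:", bad_sid_is_rejected())
```

The authority field is big-endian while the sub-authorities are little-endian, which is the usual place hand-written SID parsers go wrong; the cap on ``subAuthorityCount`` is the check a forensic parser wants before it allocates or reads on the basis of a count taken from the record itself.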
.. py:class:: EvtxNameReader(bxml: Bxml)

   Bases: :py:obj:`BxmlNameReader`

   Evtx method to read names in BXML.

   .. py:method:: read() -> str

      Read name from BXML data. If the offset is outside the BXML data range, the elf_chunk data is used.

.. py:class:: WevtNameReader(bxml: Bxml)

   Bases: :py:obj:`BxmlNameReader`

   WEVT method for reading names.

   WEVT uses a different method to read BXML_NAME: there is no offset or additional unknown 32-bit value.

   .. py:method:: read()

      Read the name from the bxml_datastream.

.. py:class:: Token(token: int)

   .. py:attribute:: TOKEN_MASK
      :value: 31

   .. py:attribute:: MORE_MASK
      :value: 64

   .. py:method:: __eq__(other) -> bool

      Return self==value.

.. py:function:: parse_bxml(bxml: Bxml)

.. py:class:: BxmlTemplateDescriptor(descriptor_struct)

   .. py:property:: size

   .. py:property:: value_type

   .. py:attribute:: DESCRIPTOR_MASK
      :value: 127

   .. py:attribute:: ARRAY_MASK
      :value: 128

   .. py:method:: read_descriptors_from_stream(stream: io.BytesIO)
      :classmethod:

      Read a range of BXML descriptors from stream.

   .. py:method:: from_stream(stream: io.BytesIO)
      :classmethod:

      Read a single BXML descriptor from stream.

.. py:function:: read_value(binxml: Bxml, descriptor: BxmlTemplateDescriptor, template: Template) -> Any

   ====  ==============  ==========================================
   Id    Type            Description
   ====  ==============  ==========================================
   0x00  NullType        NULL or empty
   0x01  StringType      Unicode string
   0x02  AnsiStringType  ASCII string
   0x03  Int8Type        8-bit integer signed
   0x04  UInt8Type       8-bit integer unsigned
   0x05  Int16Type       16-bit integer signed
   0x06  UInt16Type      16-bit integer unsigned
   0x07  Int32Type       32-bit integer signed
   0x08  UInt32Type      32-bit integer unsigned
   0x09  Int64Type       64-bit integer signed
   0x0a  UInt64Type      64-bit integer unsigned
   0x0b  Real32Type      Floating point 32-bit (single precision)
   0x0c  Real64Type      Floating point 64-bit (double precision)
   0x0d  BoolType        Boolean
   0x0e  BinaryType      Binary data
   0x0f  GuidType        GUID
   0x10  SizeTType       Size type
   0x11  FileTimeType    Filetime (64-bit)
   0x12  SysTimeType     System time (128-bit)
   0x13  SidType         NT Security Identifier (SID)
   0x14  HexInt32Type    32-bit integer hexadecimal
   0x15  HexInt64Type    64-bit integer hexadecimal
   0x20  EvtHandle
   0x21  BinXmlType      Binary XML fragment
   0x23  EvtXml
   ====  ==============  ==========================================

.. py:function:: read_descriptor_array(stream: BinaryIO, descriptor: BxmlTemplateDescriptor) -> List[Any]

.. py:function:: read_binxml_fragment(bxml: Bxml, template: Template, length)
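The ``Token`` and ``BxmlTemplateDescriptor`` masks above (``TOKEN_MASK`` = 31, ``MORE_MASK`` = 64, ``DESCRIPTOR_MASK`` = 127, ``ARRAY_MASK`` = 128) and the ``BXML_TEMPLATE_VALUE_DESC`` layout from ``bxml_def`` are enough to show how a token byte and a substitution-value descriptor are decoded and how ``read_value`` / ``read_descriptor_array`` dispatch on the resulting type. The block below is an added example, not the library's implementation: the enums are subsets of the module's, the ``Descriptor`` tuple and all function names are this example's own, and splitting an array value into fixed-width elements by ``size // element width`` is an assumption about how numeric arrays are laid out, not something the page states.

```python
"""Added example (not dissect.eventlog's own code): decode BXML token bytes
and template value descriptors with the masks documented above, then read the
described values. Enums are subsets; names and sample bytes are constructed."""
import enum
import io
import struct
from typing import Any, List, NamedTuple, Tuple

TOKEN_MASK = 31        # low 5 bits: BxmlToken id
MORE_MASK = 64         # bit 6: "more data" flag on the token
DESCRIPTOR_MASK = 127  # low 7 bits: BxmlType id
ARRAY_MASK = 128       # bit 7: value is an array


class BxmlToken(enum.IntEnum):  # subset of the module's enum
    BXML_END = 0
    BXML_START_ELEMENT = 1
    BXML_VALUE = 5
    BXML_ATTRIBUTE = 6
    BXML_TEMPLATE_INSTANCE = 12
    BXML_FRAGMENT_HEADER = 15


class BxmlType(enum.IntEnum):  # subset of the module's enum
    NULL = 0
    STRING = 1
    INT32 = 7
    UINT32 = 8
    UINT64 = 10


# Fixed-width numeric layouts (assumption for this example).
STRUCT_CODES = {BxmlType.INT32: "<i", BxmlType.UINT32: "<I", BxmlType.UINT64: "<Q"}


def decode_token(byte: int) -> Tuple[BxmlToken, bool]:
    """Split a token byte into its BxmlToken id and the 'more data' flag."""
    return BxmlToken(byte & TOKEN_MASK), bool(byte & MORE_MASK)


class Descriptor(NamedTuple):
    size: int
    value_type: BxmlType
    is_array: bool


def read_descriptors(stream: io.BytesIO, count: int) -> List[Descriptor]:
    """Read `count` BXML_TEMPLATE_VALUE_DESC entries (uint16 size, uint8 type_id,
    uint8 a). The type byte carries the BxmlType in DESCRIPTOR_MASK and the
    array flag in ARRAY_MASK."""
    out = []
    for _ in range(count):
        size, type_id, _a = struct.unpack("<HBB", stream.read(4))
        out.append(Descriptor(size, BxmlType(type_id & DESCRIPTOR_MASK), bool(type_id & ARRAY_MASK)))
    return out


def read_descriptor_value(stream: io.BytesIO, desc: Descriptor) -> Any:
    """Consume exactly desc.size bytes and interpret them by desc.value_type."""
    data = stream.read(desc.size)
    if len(data) != desc.size:
        raise ValueError("truncated value data")
    if desc.value_type is BxmlType.NULL:
        return None
    if desc.value_type is BxmlType.STRING:
        return data.decode("utf-16-le").rstrip("\x00")
    code = STRUCT_CODES[desc.value_type]
    width = struct.calcsize(code)
    if not desc.is_array:
        return struct.unpack(code, data)[0]
    if desc.size % width:
        raise ValueError("array size is not a multiple of the element width")
    return [struct.unpack(code, data[i:i + width])[0] for i in range(0, desc.size, width)]


# Constructed sample: four descriptors followed by their values.
SAMPLE_DESCRIPTORS = (
    struct.pack("<HBB", 4, 0x08, 0)           # UINT32 scalar
    + struct.pack("<HBB", 12, 0x08 | 0x80, 0)  # UINT32 array of three
    + struct.pack("<HBB", 0, 0x00, 0)          # NULL
    + struct.pack("<HBB", 10, 0x01, 0)         # STRING "hello"
)
SAMPLE_VALUES = struct.pack("<I", 42) + struct.pack("<3I", 1, 2, 3) + "hello".encode("utf-16-le")


def decode_sample() -> List[Any]:
    """Read the constructed descriptors, then each value in order."""
    stream = io.BytesIO(SAMPLE_DESCRIPTORS + SAMPLE_VALUES)
    descriptors = read_descriptors(stream, 4)
    return [read_descriptor_value(stream, d) for d in descriptors]


if __name__ == "__main__":
    print(decode_token(0x41), decode_token(0x0C))
    print(decode_sample())
```

Reading exactly ``desc.size`` bytes per value, and rejecting a short read, keeps the parser's position honest even when a record's declared sizes disagree with the data actually present, which is the property a log parser needs before any of its output is trusted for detection or timeline work.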