dissect.etl.headers.event

Module Contents

Classes

EventDescriptor	An representation of the Event data in a event header.
ExtType	Enum where members are also (and must be) ints
EventHeaderExtendedDataItem	Loads an extended data item from payload.
EventHeader	A baseclass for the different ETL headers.

Functions

read_uuid
read_instance_info
read_stack_trace
read_stack_trace64
read_provider_traits

Attributes

extended_data_item_reader

dissect.etl.headers.event.read_uuid(data: bytes) → uuid.UUID

dissect.etl.headers.event.read_instance_info(data: bytes) → OrderedDict[str, Any]

dissect.etl.headers.event.read_stack_trace(data: bytes) → OrderedDict[str, Any]

dissect.etl.headers.event.read_stack_trace64(data: bytes) → OrderedDict[str, Any]

dissect.etl.headers.event.read_provider_traits(data: bytes) → OrderedDict[str, Any]

class dissect.etl.headers.event.EventDescriptor(header)

An representation of the Event data in a event header.

__slots__ = ['id', 'version', 'channel', 'level', 'opcode', 'task', 'keywords']

class dissect.etl.headers.event.ExtType

Bases: enum.IntEnum

Enum where members are also (and must be) ints

RELATED_ACTIVITY_ID = 1

SID = 2

TS_ID = 3

INSTANCE_INFO = 4

STACK_TRACE32 = 5

STACK_TRACE64 = 6

PEBS_INDEX = 7

PMC_COUNTERS = 8

PSM_KEY = 9

EVENT_KEY = 10

EVENT_SCHEMA_TL = 11

PROV_TRAITS = 12

PROCESS_START_KEY = 13

TYPE_MAX = 14

UNKNOWN = 0

dissect.etl.headers.event.extended_data_item_reader

class dissect.etl.headers.event.EventHeaderExtendedDataItem(payload)

Loads an extended data item from payload.

__slots__ = ['size', 'reserved1', 'ext_type', 'linkage', 'reserved2', 'data_size', 'data', 'raw_data']

validate_header() → None

__getattr__(name: str) → Any

__repr__()

Return repr(self).

class dissect.etl.headers.event.EventHeader(marker: Marker, data: memoryview, etl)

Bases: dissect.etl.headers.headers.Header

A baseclass for the different ETL headers.

property descriptor

Event descriptor of the header.

property header_extensions: list[EventHeaderExtendedDataItem]

A list with all the extended data items for this Event.

property minimal_size

Minimum header size.

property provider_id

Provider that generated this event.

property activity_id

The ID associated with the activity in the event.

At least, that is my assumption.

property opcode

The opcode used in this event.

property thread_id

The thread id that created this event.

property process_id

The process id that created this event.

additional_header_fields() → dict[str, Any]

Additional fields that hold interesting information.

each header subclass defines what additional information it wants to return to a record.