dissect.eventlog.bxml¶
Binary XML classes
Module Contents¶
Classes¶
Enum where members are also (and must be) ints |
|
Enum where members are also (and must be) ints |
|
An object that keeps track of the BXML streams |
|
An interface to facilitate different methods to read names with BXML data. |
|
Evtx method to read names in BXML. |
|
WEVT method for reading names. |
|
Functions¶
Read systemtime from stream. |
|
Read guid from stream. |
|
Read SID from stream. |
|
0x00 NullType NULL or empty |
|
Attributes¶
- class dissect.eventlog.bxml.BxmlToken¶
Bases:
enum.IntEnumEnum where members are also (and must be) ints
- BXML_END = 0¶
- BXML_START_ELEMENT = 1¶
- BXML_CLOSE_START_ELEMENT_TAG = 2¶
- BXML_CLOSE_EMPTY_ELEMENT_TAG = 3¶
- BXML_END_ELEMENT = 4¶
- BXML_VALUE = 5¶
- BXML_ATTRIBUTE = 6¶
- BXML_TOKEN_CHAR_REFERENCE = 8¶
- BXML_TOKEN_ENTITY_REFERENCE = 9¶
- BXML_TEMPLATE_INSTANCE = 12¶
- BXML_TOKEN_NORMAL_SUBSTITUTION = 13¶
- BXML_TOKEN_OPTIONAL_SUBSTITUTION = 14¶
- BXML_FRAGMENT_HEADER = 15¶
- class dissect.eventlog.bxml.BxmlType¶
Bases:
enum.IntEnumEnum where members are also (and must be) ints
- NULL = 0¶
- STRING = 1¶
- ANSITRING = 2¶
- INT8 = 3¶
- UINT8 = 4¶
- INT16 = 5¶
- UINT16 = 6¶
- INT32 = 7¶
- UINT32 = 8¶
- INT64 = 9¶
- UINT64 = 10¶
- FLOAT = 11¶
- DOUBLE = 12¶
- BOOL = 13¶
- BINARY = 14¶
- GUID = 15¶
- SIZET = 16¶
- FILETIME = 17¶
- SYSTEMTIME = 18¶
- SID = 19¶
- HEXINT32 = 20¶
- HEXINT64 = 21¶
- EVTHANDLE = 32¶
- BINXML = 33¶
- EVTXML = 35¶
- __str__() str¶
Return str(self).
- dissect.eventlog.bxml.bxml_def = Multiline-String¶
Show Value
""" struct BXML_FRAGMENT_HEADER { uint8 major_version; uint8 minor_version; uint8 flags; }; struct BXML_ELEMENT_START_TPL { uint16 dependency_id; uint32 data_size; }; struct BXML_ELEMENT_START { uint32 data_size; }; struct BXML_NAME { uint32 unknown; uint16 hash; uint16 size; wchar value[size]; }; struct BXML_ATTR { uint8 token; }; struct BXML_VALUE_TEXT { uint16 size; wchar value[size]; }; struct BXML_TEMPLATE_REFERENCE { uint8 a; uint32 template_id; uint32 offset; }; struct BXML_TEMPLATE_DEFINITION { uint32 next_template; char identifier[16]; uint32 data_size; }; struct BXML_OPTIONAL_SUBSTITUTION { uint16 sub_id; uint8 value_type; }; struct BXML_TEMPLATE_VALUE_DESC { uint16 size; uint8 type_id; uint8 a; }; typedef struct SID { uint8 revision; uint8 subAuthorityCount; char authority[6]; uint32 subAuthorities[subAuthorityCount]; }; struct SYSTEMTIME { WORD wYear; WORD wMonth; WORD wDayOfWeek; WORD wDay; WORD wHour; WORD wMinute; WORD wSecond; WORD wMilliseconds; }; """
- dissect.eventlog.bxml.bxml_struct¶
- dissect.eventlog.bxml.read_systemtime(stream)¶
Read systemtime from stream.
- dissect.eventlog.bxml.read_guid(stream) str¶
Read guid from stream.
- dissect.eventlog.bxml.read_sid(stream) str¶
Read SID from stream.
- dissect.eventlog.bxml.TYPE_READERS¶
- class dissect.eventlog.bxml.BxmlTag(name: str)¶
- __str__()¶
Return str(self).
- add_children(tags: list) None¶
- add_attributes(attribute: dict) None¶
- class dissect.eventlog.bxml.BxmlSub(sub_id)¶
- __repr__()¶
Return repr(self).
- __str__()¶
Return str(self).
- set(value) None¶
- get() Any¶
- class dissect.eventlog.bxml.Template¶
- __str__()¶
Return str(self).
- create_map()¶
- as_map()¶
- as_full_map()¶
- add_child_template(tpl)¶
- class dissect.eventlog.bxml.Bxml(bxml_stream: io.BytesIO, elf_chunk_stream: io.BytesIO)¶
An object that keeps track of the BXML streams
- property current_offset: int¶
Current offset in the BXML data stream.
- read_name_from_stream() str¶
Use _reader to read a specific name from stream
- set_name_reader(reader) None¶
- read_char_reference() str¶
- class dissect.eventlog.bxml.BxmlNameReader(bxml: Bxml)¶
An interface to facilitate different methods to read names with BXML data.
- read() str¶
Read the name from the bxml_datastream.
- class dissect.eventlog.bxml.EvtxNameReader(bxml: Bxml)¶
Bases:
BxmlNameReaderEvtx method to read names in BXML.
- read() str¶
Read name from BXML data.
If the offset is outside the BXML data range elf_chunk data is used.
- class dissect.eventlog.bxml.WevtNameReader(bxml: Bxml)¶
Bases:
BxmlNameReaderWEVT method for reading names.
WEVT uses a different method to read BXML_NAME There is no offset and additional unknown 32-bit value.
- read()¶
Read the name from the bxml_datastream.
- class dissect.eventlog.bxml.Token(token: int)¶
- TOKEN_MASK = 31¶
- MORE_MASK = 64¶
- __eq__(other) bool¶
Return self==value.
- class dissect.eventlog.bxml.BxmlTemplateDescriptor(descriptor_struct)¶
- property size¶
- property value_type¶
- DESCRIPTOR_MASK = 127¶
- ARRAY_MASK = 128¶
- classmethod read_descriptors_from_stream(stream: io.BytesIO)¶
Read a range of BXML descriptors from stream.
- classmethod from_stream(stream: io.BytesIO)¶
Read a singular BXML descriptors from stream.
- dissect.eventlog.bxml.read_value(binxml: Bxml, descriptor: BxmlTemplateDescriptor, template: Template) Any¶
0x00 NullType NULL or empty 0x01 StringType Unicode string 0x02 AnsiStringType ASCII string 0x03 Int8Type 8-bit integer signed 0x04 UInt8Type 8-bit integer unsigned 0x05 Int16Type 16-bit integer signed 0x06 UInt16Type 16-bit integer unsigned 0x07 Int32Type 32-bit integer signed 0x08 UInt32Type 32-bit integer unsigned 0x09 Int64Type 64-bit integer signed 0x0a UInt64Type 64-bit integer unsigned 0x0b Real32Type Floating point 32-bit (single precision) 0x0c Real64Type Floating point 64-bit (double precision) 0x0d BoolType Boolean 0x0e BinaryType Binary data 0x0f GuidType GUID 0x10 SizeT Type Size type 0x11 FileTimeType Filetime (64-bit) 0x12 SysTimeType System time (128-bit) 0x13 SidType NT Security Identifier (SID) 0x14 HexInt32Type 32-bit integer hexadecimal 0x15 HexInt64Type 64-bit integer hexadecimal 0x20 EvtHandle 0x21 BinXmlType Binary XML fragment 0x23 EvtXml
- dissect.eventlog.bxml.read_descriptor_array(stream: BinaryIO, descriptor: BxmlTemplateDescriptor) List[Any]¶