dissect.eventlog.wevt
Module Contents

Classes

- CRIM: Start header of the WEVT_TEMPLATE.
- WEVT: Parses the WEVT format and reads the file's data into memory.
- WEVT_TYPE: A wrapper that is used to create a wevt_object.
- A specific MAPS type that behaves differently from WEVT_TYPE.
- A specific WEVT type that loads multiple TEMP.

Functions

Attributes
- dissect.eventlog.wevt.header_dev = Multiline-String

  Value (cstruct definition of the WEVT_TEMPLATE headers):

  ```c
  struct Event_Descriptor {
      char   ProviderId[16];
      uint32 offset;
  };

  struct CRIM_HEADER {
      char   signature[4];
      uint32 size;
      uint32 unknown;
      uint32 providers;
      Event_Descriptor event_providers[providers];
  };

  struct WEVT_TYPES {
      uint32 type;
      uint32 offset;
  }

  struct WEVT {
      char   signature[4];
      uint32 size;
      uint32 message_table_id;
      uint32 nr_of_types;
      WEVT_TYPES types[nr_of_types];
  };

  struct WEVT_TYPE {
      char   signature[4];
      uint32 size;
      uint32 nr_of_items;
  };
  ```
- dissect.eventlog.wevt.c_wevt_headers
- dissect.eventlog.wevt.validate_signature(signature, expected_signature)
- class dissect.eventlog.wevt.CRIM(fh: io.BufferedReader)
  Start header of the WEVT_TEMPLATE. Holds the number of providers inside the template.
  - property file_size
    Return the size of the whole file.
  - wevt_headers()
    Get the WEVT object for a specific provider.
- class dissect.eventlog.wevt.WEVT(provider, fh)
  Parses the WEVT format and reads the file's data into memory. Additionally, it iterates over all items inside the file.
  - property len_types
  - property payload_types
  - property provider_id
  - property size
  - __iter__()
  - __repr__()
    Return repr(self).
- class dissect.eventlog.wevt.WEVT_TYPE(offset, data: memoryview)
  A wrapper that is used to create a wevt_object. This class assigns the object the correct offset value and passes along the size of the data.
  - property nr_of_items
  - property size
  - valid_signatures = ['CHAN', 'TEMP', 'PRVA', 'TASK', 'KEYW', 'LEVL', 'OPCO', 'VMAP', 'BMAP', 'MAPS', 'TTBL', 'EVNT']
  - __iter__()
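The layout in header_dev and the CRIM -> WEVT -> WEVT_TYPE chain above can be exercised with a small stand-alone parser. The following is an added example and not dissect.eventlog's own code: it re-reads the same three headers with the standard-library struct module, applies the same signature checks (validate_signature for the CRIM and WEVT tags, the valid_signatures list for WEVT_TYPE blocks), and parses a constructed in-memory blob rather than a real WEVT_TEMPLATE resource. The function names, the sample GUID and the bounds checks are assumptions made for the example.

```python
"""Stand-alone parser for the WEVT_TEMPLATE headers described by header_dev.

Added example; not dissect.eventlog code. All offsets are little-endian,
matching the cstruct definitions on the page. The sample blob is constructed.
"""
import struct
import uuid

# Same tag list as WEVT_TYPE.valid_signatures on the page.
VALID_SIGNATURES = {'CHAN', 'TEMP', 'PRVA', 'TASK', 'KEYW', 'LEVL',
                    'OPCO', 'VMAP', 'BMAP', 'MAPS', 'TTBL', 'EVNT'}


class InvalidSignature(ValueError):
    """Raised when a 4-byte block tag is not the one expected at that offset."""


def validate_signature(signature: bytes, expected: str) -> None:
    """Mirror of the page's validate_signature: refuse a wrong block tag."""
    if signature != expected.encode('ascii'):
        raise InvalidSignature(f"expected {expected!r}, got {signature!r}")


def parse_wevt_type(data: bytes, offset: int) -> dict:
    """Parse one WEVT_TYPE header (signature, size, nr_of_items) plus its payload."""
    sig, size, nr_of_items = struct.unpack_from('<4sII', data, offset)
    name = sig.decode('ascii', 'replace')
    if name not in VALID_SIGNATURES:
        raise InvalidSignature(f"unknown WEVT_TYPE tag {sig!r} at offset {offset}")
    if size < 12 or offset + size > len(data):   # assumption: size covers the 12-byte header
        raise ValueError(f"WEVT_TYPE {name} size {size} out of bounds")
    return {'signature': name, 'size': size, 'nr_of_items': nr_of_items,
            'data': data[offset + 12:offset + size]}


def parse_wevt(data: bytes, offset: int) -> dict:
    """Parse a WEVT block and every WEVT_TYPE it points at (the WEVT_TYPES array)."""
    sig, size, message_table_id, nr_of_types = struct.unpack_from('<4sIII', data, offset)
    validate_signature(sig, 'WEVT')
    types = []
    entry = offset + 16                      # WEVT_TYPES array follows the 16-byte header
    for _ in range(nr_of_types):
        type_id, type_off = struct.unpack_from('<II', data, entry)
        types.append(dict(parse_wevt_type(data, type_off), type=type_id))
        entry += 8
    return {'size': size, 'message_table_id': message_table_id, 'types': types}


def parse_crim(data: bytes) -> dict:
    """Parse CRIM_HEADER and its Event_Descriptor array; returns provider GUIDs and offsets."""
    sig, size, _unknown, providers = struct.unpack_from('<4sIII', data, 0)
    validate_signature(sig, 'CRIM')
    if size > len(data):
        raise ValueError('CRIM size exceeds buffer')
    descriptors = []
    entry = 16                               # Event_Descriptor array follows the 16-byte header
    for _ in range(providers):
        guid_raw, wevt_off = struct.unpack_from('<16sI', data, entry)
        descriptors.append({'provider_id': str(uuid.UUID(bytes_le=guid_raw)),
                            'offset': wevt_off})
        entry += 20
    return {'size': size, 'providers': descriptors}


def parse_template(data: bytes) -> list:
    """Walk the whole chain: one parsed WEVT per provider listed in the CRIM header."""
    crim = parse_crim(data)
    return [dict(parse_wevt(data, d['offset']), provider_id=d['provider_id'])
            for d in crim['providers']]


def build_sample() -> bytes:
    """Construct a tiny WEVT_TEMPLATE blob (sample data, not from a real binary)."""
    guid = uuid.UUID('12345678-1234-5678-1234-567812345678').bytes_le   # constructed GUID
    chan = struct.pack('<4sII', b'CHAN', 16, 1) + b'\x01\x00\x00\x00'   # 12-byte header + 4 bytes
    levl = struct.pack('<4sII', b'LEVL', 12, 0)                         # header only
    wevt_off = 16 + 20                       # CRIM header + one Event_Descriptor
    types_off = wevt_off + 16 + 2 * 8        # WEVT header + two WEVT_TYPES entries
    wevt = (struct.pack('<4sIII', b'WEVT', 16 + 16 + len(chan) + len(levl), 1, 2)
            + struct.pack('<II', 0, types_off)
            + struct.pack('<II', 1, types_off + len(chan))
            + chan + levl)
    crim = (struct.pack('<4sIII', b'CRIM', wevt_off + len(wevt), 0, 1)
            + struct.pack('<16sI', guid, wevt_off))
    return crim + wevt


if __name__ == '__main__':
    for provider in parse_template(build_sample()):
        print(provider['provider_id'], [t['signature'] for t in provider['types']])
```

Each header is validated before its offsets are followed, so a block whose tag or size does not match the declared layout is rejected instead of being read out of bounds; this is the same order of checks the CRIM and WEVT classes above imply with validate_signature and valid_signatures.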