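def _emit_utf8(text):
    """Write *text* to stdout as UTF-8 bytes, bypassing the console text encoding.

    The original wrote with ``os.write(sys.stdout.fileno(), ...)``, which
    bypasses Python's stdout buffer: the ``<?xml ...>`` header queued by
    ``print()`` could land *after* the first record, and a short write on a
    pipe silently dropped bytes.  Flushing the text layer first and writing
    through ``sys.stdout.buffer`` keeps ordering and completes the write.
    A stdout without a binary buffer (a captured or replaced stream) falls
    back to the text layer.
    """
    sys.stdout.flush()
    binary = getattr(sys.stdout, 'buffer', None)
    if binary is None:
        sys.stdout.write(text)
    else:
        binary.write(text.encode('utf-8'))


def _emit_record(render, record):
    """Render *record* via ``render(record)`` and write it to stdout.

    Failures are logged with the record offset and the record is skipped:
    the data was carved from arbitrary bytes, so a single unrenderable record
    must not abort the whole recovery.  The ``except`` is deliberately broad
    for that reason.
    """
    try:
        _emit_utf8(render(record))
    except Exception as e:
        # logger.warn is a deprecated alias; logger.warning is the real API.
        logger.warning('failed to output record at offset: 0x%x: %s',
                       record.offset, str(e), exc_info=True)


def main(argv=None):
    """Command-line entry point: carve EVTX records from a file to stdout as XML.

    Args:
        argv: argument list to parse; defaults to ``sys.argv[1:]``.  (The
            original computed ``argv`` and then ignored it by calling
            ``parse_args()`` with no arguments; it is now honoured.)

    The input path is memory-mapped with ``evtxtract.utils.Mmap`` and every
    record yielded by ``evtxtract.extract`` is written inside an
    ``<evtxtract>`` envelope: complete records via their ``xml`` attribute,
    incomplete ones via ``format_incomplete_record`` (defined elsewhere in
    this module).  Counts of both kinds are logged at the end.

    Raises:
        RuntimeError: if ``evtxtract.extract`` yields an unknown record type.
    """
    if argv is None:
        argv = sys.argv[1:]

    parser = argparse.ArgumentParser(
        description="Reconstruct EVTX event log records from binary data.")
    parser.add_argument("input", type=str,
                        help="Path to binary input file")
    parser.add_argument("-v", "--verbose", action="store_true",
                        help="Enable debug logging")
    parser.add_argument("-q", "--quiet", action="store_true",
                        help="Disable all output but errors")
    args = parser.parse_args(argv)

    if args.verbose:
        logging.basicConfig(level=logging.DEBUG)
    elif args.quiet:
        logging.basicConfig(level=logging.ERROR)
    else:
        logging.basicConfig(level=logging.INFO)

    num_complete = 0
    num_incomplete = 0
    with evtxtract.utils.Mmap(args.input) as mm:
        print('<?xml version="1.0" encoding="UTF-8"?>')
        print('<evtxtract>')
        for record in evtxtract.extract(mm):
            # Dispatch on record type outside the per-record try so that an
            # unexpected type is a hard error, not a logged-and-skipped one.
            if isinstance(record, evtxtract.CompleteRecord):
                num_complete += 1
                _emit_record(lambda r: r.xml, record)
            elif isinstance(record, evtxtract.IncompleteRecord):
                num_incomplete += 1
                _emit_record(format_incomplete_record, record)
            else:
                raise RuntimeError('unexpected return type')
        print('</evtxtract>')

    logger.info('recovered %d complete records', num_complete)
    logger.info('recovered %d incomplete records', num_incomplete)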
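def main(argv=None):
    """Command-line entry point: carve EVTX records from a file and emit them.

    Args:
        argv: argument list to parse; defaults to ``sys.argv[1:]``.  (The
            original computed ``argv`` and then ignored it by calling
            ``parse_args()`` with no arguments; it is now honoured.)

    Without ``--split`` the records are wrapped in a single ``<evtxtract>``
    XML envelope on stdout.  With ``--split`` the envelope is omitted and
    ``--out`` must name an existing directory; the per-record writing is
    delegated to ``output_record`` (defined elsewhere in this module), which
    presumably places each event in its own file under that directory.

    Exits with status 1 on invalid option combinations.

    Raises:
        RuntimeError: if ``evtxtract.extract`` yields an unknown record type.
    """
    if argv is None:
        argv = sys.argv[1:]

    parser = argparse.ArgumentParser(
        description="Reconstruct EVTX event log records from binary data.")
    parser.add_argument("input", type=str,
                        help="Path to binary input file")
    parser.add_argument("-v", "--verbose", action="store_true",
                        help="Enable debug logging")
    parser.add_argument("-q", "--quiet", action="store_true",
                        help="Disable all output but errors")
    parser.add_argument("-s", "--split", action="store_true",
                        help="split each event into its own file")
    parser.add_argument("-o", "--out", metavar='output-directory', action="store",
                        help="output directory to store split files")
    args = parser.parse_args(argv)

    if args.verbose:
        logging.basicConfig(level=logging.DEBUG)
    elif args.quiet:
        logging.basicConfig(level=logging.ERROR)
    else:
        logging.basicConfig(level=logging.INFO)

    # Validate option combinations before touching the input.  sys.exit is
    # used instead of the site-provided builtin exit(), which is not
    # guaranteed to exist when the interpreter runs without the site module.
    if args.split and not args.out:
        logger.error('Error: the -o argument is required when using -s. please provide an output directory with -o')
        sys.exit(1)
    if args.out and not os.path.isdir(args.out):
        logger.error('Error: {0} is not a directory'.format(args.out))
        sys.exit(1)

    num_complete = 0
    num_incomplete = 0
    with evtxtract.utils.Mmap(args.input) as mm:
        # The XML envelope only makes sense for the single-stream output.
        if not args.split:
            print('<?xml version="1.0" encoding="UTF-8"?>')
            print('<evtxtract>')
        for record in evtxtract.extract(mm):
            output_record(args, record)
            if isinstance(record, evtxtract.CompleteRecord):
                num_complete += 1
            elif isinstance(record, evtxtract.IncompleteRecord):
                num_incomplete += 1
            else:
                raise RuntimeError('unexpected return type')
        if not args.split:
            print('</evtxtract>')

    logger.info('recovered %d complete records', num_complete)
    logger.info('recovered %d incomplete records', num_incomplete)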
def test_evtxtract(image_mmap):
    """Carve the fixture image and check the expected record tallies.

    Every record yielded by ``evtxtract.extract`` must be either a
    ``CompleteRecord`` or an ``IncompleteRecord``; anything else fails the
    test with a RuntimeError.
    """
    tally = {'complete': 0, 'incomplete': 0}
    for record in evtxtract.extract(image_mmap):
        if isinstance(record, evtxtract.CompleteRecord):
            kind = 'complete'
        elif isinstance(record, evtxtract.IncompleteRecord):
            kind = 'incomplete'
        else:
            raise RuntimeError('unexpected return type')
        tally[kind] += 1

    # Expected counts for the test image (these are fixture-specific values).
    assert tally['complete'] == 52
    assert tally['incomplete'] == 1615
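def main(argv=None):
    """Command-line entry point: carve EVTX records from a file and emit them.

    Args:
        argv: argument list to parse; defaults to ``sys.argv[1:]``.  (The
            original computed ``argv`` and then ignored it by calling
            ``parse_args()`` with no arguments; it is now honoured.)

    Without ``--split`` the records are wrapped in a single ``<evtxtract>``
    XML envelope on stdout.  With ``--split`` the envelope is omitted and
    ``--out`` must name an existing directory; the per-record writing is
    delegated to ``output_record`` (defined elsewhere in this module), which
    presumably places each event in its own file under that directory.

    Exits with status 1 on invalid option combinations.

    Raises:
        RuntimeError: if ``evtxtract.extract`` yields an unknown record type.
    """
    if argv is None:
        argv = sys.argv[1:]

    parser = argparse.ArgumentParser(
        description="Reconstruct EVTX event log records from binary data.")
    parser.add_argument("input", type=str,
                        help="Path to binary input file")
    parser.add_argument("-v", "--verbose", action="store_true",
                        help="Enable debug logging")
    parser.add_argument("-q", "--quiet", action="store_true",
                        help="Disable all output but errors")
    parser.add_argument("-s", "--split", action="store_true",
                        help="split each event into its own file")
    parser.add_argument("-o", "--out", metavar='output-directory', action="store",
                        help="output directory to store split files")
    args = parser.parse_args(argv)

    if args.verbose:
        logging.basicConfig(level=logging.DEBUG)
    elif args.quiet:
        logging.basicConfig(level=logging.ERROR)
    else:
        logging.basicConfig(level=logging.INFO)

    # Validate option combinations before touching the input.  sys.exit is
    # used instead of the site-provided builtin exit(), which is not
    # guaranteed to exist when the interpreter runs without the site module.
    if args.split and not args.out:
        logger.error(
            'Error: the -o argument is required when using -s. please provide an output directory with -o'
        )
        sys.exit(1)
    if args.out and not os.path.isdir(args.out):
        logger.error('Error: {0} is not a directory'.format(args.out))
        sys.exit(1)

    num_complete = 0
    num_incomplete = 0
    with evtxtract.utils.Mmap(args.input) as mm:
        # The XML envelope only makes sense for the single-stream output.
        if not args.split:
            print('<?xml version="1.0" encoding="UTF-8"?>')
            print('<evtxtract>')
        for record in evtxtract.extract(mm):
            output_record(args, record)
            if isinstance(record, evtxtract.CompleteRecord):
                num_complete += 1
            elif isinstance(record, evtxtract.IncompleteRecord):
                num_incomplete += 1
            else:
                raise RuntimeError('unexpected return type')
        if not args.split:
            print('</evtxtract>')

    logger.info('recovered %d complete records', num_complete)
    logger.info('recovered %d incomplete records', num_incomplete)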