예제 #1
0
def main():
    with open(sys.argv[1], 'r') as f:
        with contextlib.closing(mmap.mmap(f.fileno(), 0,
                                          access=mmap.ACCESS_READ)) as buf:
            record = Record(buf, int(sys.argv[2]))
            print(hex_dump(buf[record.offset():record.offset() + record.length()]))
            print(record.get_all_string(indent=0))
def main():
    with open(sys.argv[1], 'r') as f:
        with contextlib.closing(
                mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf:
            offset = 0x8
            offset = buf.find("LfLe", offset)  # skip header
            while offset != -1:
                try:
                    record = Record(buf, offset - 0x4)
                except OverrunBufferException:
                    break
                try:
                    # MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
                    print("0|EVT[%s]: event %d %s|0|0|0|0|0|%s|%s|%s|%s" %
                          (record.source(), record.event_id(),
                           str(record.strings()),
                           record.time_generated().strftime('%s'),
                           record.time_generated().strftime('%s'),
                           record.time_generated().strftime('%s'),
                           record.time_generated().strftime('%s')))
                except UnicodeDecodeError:
                    pass
                except UnicodeEncodeError:
                    pass
                except OverrunBufferException:
                    pass
                if record.length() > 0x100:
                    offset = buf.find("LfLe", offset + 1)
                else:
                    offset = buf.find("LfLe", offset + record.length())
예제 #3
0
def main():
    with open(sys.argv[1], 'r') as f:
        with contextlib.closing(mmap.mmap(f.fileno(), 0,
                                          access=mmap.ACCESS_READ)) as buf:
            offset = buf.find("LfLe", 0x8)  # skip header
            if offset == -1:
                print "Record not found"
                return -1
            record = Record(buf, offset - 0x4)

            print(hex_dump(buf[record.offset():record.offset() + record.length()]))

            print(record.get_all_string(indent=0))
def main():
    with open(sys.argv[1], 'r') as f:
        with contextlib.closing(mmap.mmap(f.fileno(), 0,
                                          access=mmap.ACCESS_READ)) as buf:
            offset = 0x8
            offset = buf.find("LfLe", offset)  # skip header
            while offset != -1:
                try:
                    record = Record(buf, offset - 0x4)
                except OverrunBufferException:
                    break
                try:
                    # MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
                    print("0|EVT[%s]: event %d %s|0|0|0|0|0|%s|%s|%s|%s" % (record.source(),
                                                                            record.event_id(),
                                                                            str(record.strings()),
                                                                            record.time_generated().strftime('%s'),
                                                                            record.time_generated().strftime('%s'),
                                                                            record.time_generated().strftime('%s'),
                                                                            record.time_generated().strftime('%s')))
                except UnicodeDecodeError:
                    pass
                except UnicodeEncodeError:
                    pass
                except OverrunBufferException:
                    pass
                if record.length() > 0x100:
                    offset = buf.find("LfLe", offset + 1)
                else:
                    offset = buf.find("LfLe", offset + record.length())
예제 #5
0
def main():
    with open(sys.argv[1], 'r') as f:
        with contextlib.closing(
                mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf:
            offset = 0x8
            offset = buf.find("LfLe", offset)  # skip header
            while offset != -1:
                try:
                    record = Record(buf, offset - 0x4)
                except OverrunBufferException:
                    break
                try:
                    print('%s, %d, "%s", "%s"' %
                          (record.time_generated().isoformat("T") + "Z",
                           record.event_id(), record.source(),
                           str(record.strings())))
                except UnicodeDecodeError:
                    pass
                except UnicodeEncodeError:
                    pass
                except OverrunBufferException:
                    pass
                if record.length() > 0x100:
                    offset = buf.find("LfLe", offset + 1)
                else:
                    offset = buf.find("LfLe", offset + record.length())
예제 #6
0
def main():
    with open(sys.argv[1], 'r') as f:
        with contextlib.closing(mmap.mmap(f.fileno(), 0,
                                          access=mmap.ACCESS_READ)) as buf:
            offset = 0x8
            offset = buf.find("LfLe", offset)  # skip header
            while offset != -1:
                try:
                    record = Record(buf, offset - 0x4)
                except OverrunBufferException:
                    break
                try:
                    print('%s, %d, "%s", "%s"' % (record.time_generated().isoformat("T") + "Z",
                                                  record.event_id(), record.source(),
                                                  str(record.strings())))
                except UnicodeDecodeError:
                    pass
                except UnicodeEncodeError:
                    pass
                except OverrunBufferException:
                    pass
                if record.length() > 0x100:
                    offset = buf.find("LfLe", offset + 1)
                else:
                    offset = buf.find("LfLe", offset + record.length())
예제 #7
0
def main():
    with open(sys.argv[1], 'r') as f:
        with contextlib.closing(
                mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf:
            record = Record(buf, int(sys.argv[2]))
            print(
                hex_dump(buf[record.offset():record.offset() +
                             record.length()]))
            print(record.get_all_string(indent=0))
예제 #8
0
def main():
    with open(sys.argv[1], 'r') as f:
        with contextlib.closing(mmap.mmap(f.fileno(), 0,
                                          access=mmap.ACCESS_READ)) as buf:
            offset = 0x8
            offset = buf.find("LfLe", offset)  # skip header
            while offset != -1:
                try:
                    record = Record(buf, offset - 0x4)
                except OverrunBufferException:
                    break
                print(hex_dump(buf[record.offset():record.offset() + record.length()]))
                print(record.get_all_string(indent=0))
                if record.length() > 0x100:
                    offset = buf.find("LfLe", offset + 1)
                else:
                    offset = buf.find("LfLe", offset + record.length())
예제 #9
0
def main():
    with open(sys.argv[1], 'r') as f:
        with contextlib.closing(
                mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf:
            offset = buf.find("LfLe", 0x8)  # skip header
            if offset == -1:
                print "Record not found"
                return -1
            record = Record(buf, offset - 0x4)

            print(
                hex_dump(buf[record.offset():record.offset() +
                             record.length()]))

            print(record.get_all_string(indent=0))