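def main():
    """Print every template found in every chunk of an EVTX file.

    Command-line entry point. The EVTX path is taken from ``sys.argv[1]``;
    the file is memory-mapped read-only and walked chunk by chunk through
    ``FileHeader``. For each template the GUID, chunk index and absolute
    offset are printed, followed by ``evtx_template_readable_view`` of the
    template.

    Exits with status 1 and a usage line when the path argument is missing.
    Note that ``mmap.mmap`` with length 0 raises ``ValueError`` on an empty
    file, so a zero-byte input surfaces as that exception.
    """
    if len(sys.argv) != 2:
        # Fail with a usage line rather than an IndexError on sys.argv[1].
        sys.stderr.write("usage: %s <evtx-file>\n" % sys.argv[0])
        sys.exit(1)

    # Binary mode: the mapping is parsed as raw bytes, so no text-mode
    # newline translation should ever be in play.
    with open(sys.argv[1], 'rb') as f:
        with contextlib.closing(
                mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf:
            fh = FileHeader(buf, 0x0)
            for i, chunk in enumerate(fh.chunks()):
                for template in chunk.templates().values():
                    # print(...) with a single argument behaves the same
                    # under Python 2's print statement and Python 3.
                    print("Template {%s} at chunk %d, offset %s" %
                          (template.guid(), i,
                           hex(template.absolute_offset(0x0))))
                    print(evtx_template_readable_view(template))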
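def main():
    """Dump all templates of an EVTX file, chunk by chunk.

    Command-line entry point: ``sys.argv[1]`` is the EVTX path. The file
    is mapped read-only, a ``FileHeader`` is built over the mapping, and
    for every template in every chunk a header line (GUID, chunk index,
    absolute offset) and ``evtx_template_readable_view`` are printed.

    A missing path argument produces a usage message and exit status 1.
    An empty input file makes ``mmap.mmap`` raise ``ValueError``; that
    is left to propagate.
    """
    if len(sys.argv) < 2:
        # Guard sys.argv[1]; an IndexError here is unhelpful to the user.
        sys.stderr.write("usage: %s <evtx-file>\n" % sys.argv[0])
        sys.exit(1)

    path = sys.argv[1]
    # The content is raw binary that the parser reads straight from the
    # mapping, hence 'rb' rather than text mode.
    with open(path, 'rb') as f:
        mapping = mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)
        with contextlib.closing(mapping) as buf:
            fh = FileHeader(buf, 0x0)
            for chunk_index, chunk in enumerate(fh.chunks()):
                for template in chunk.templates().values():
                    header = "Template {%s} at chunk %d, offset %s" % (
                        template.guid(),
                        chunk_index,
                        hex(template.absolute_offset(0x0)))
                    # Single-argument print() is valid for both Python 2
                    # (print statement with a parenthesised expression)
                    # and Python 3.
                    print(header)
                    print(evtx_template_readable_view(template))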
def main():
    """Print the readable structure of one record's template.

    Command-line entry point. Two positional arguments are parsed: the
    path of a Windows EVTX file and a record number. The file is opened
    with ``Evtx``, the record is fetched with ``get_record`` and
    ``evtx_template_readable_view`` of the record's root node is printed.
    """
    import argparse

    arg_parser = argparse.ArgumentParser(
        description="Print the structure of an EVTX record's template.")
    arg_parser.add_argument(
        "evtx", type=str, help="Path to the Windows EVTX file")
    arg_parser.add_argument(
        "record", type=int, help="Record number")
    options = arg_parser.parse_args()

    with Evtx(options.evtx) as evtx:
        # NOTE(review): get_record's behaviour for an unknown record number
        # is not visible here; presumably callers pass an existing one.
        record = evtx.get_record(options.record)
        view = evtx_template_readable_view(record.root())
        print(view)
def _get_complete_template(root, current_index=0):
    """
    Gets the template from a RootNode while resolving any nested templates
    and fixing up their indices.
    Depth first ordering/indexing.

    Implementation is a huge hack that depends on the brittle template_format() output.

    The readable view of `root` is rendered once as text; every substitution
    that is a BXmlTypeNode is then rendered recursively (through its `_root`)
    and spliced into that text with _make_replacement, while the
    "index=N," markers of the plain substitutions are renumbered by
    `current_index` so indices stay consistent across the flattened result.

    @type root: RootNode
    @type current_index: int
    @param current_index: offset added to this root's substitution indices;
                          non-zero when rendering a nested template
    @rtype: str
    """
    template = evtx_template_readable_view(root)  # TODO(wb): make sure this is working

    # walk through each substitution.
    # if its a normal node, continue
    # else its a subtemplate, and we count the number of substitutions _it_ has
    # so that we can later fixup all the indices
    replacements = []
    for index, substitution in enumerate(root.substitutions()):
        # find all sub-templates
        if not isinstance(substitution, BXmlTypeNode):
            # Plain substitution: remember the index it has to be renumbered to.
            replacements.append(current_index + index)
            continue

        # TODO(wb): hack here accessing ._root
        subtemplate = _get_complete_template(substitution._root,
                                             current_index=current_index + index)
        replacements.append(subtemplate)
        # The nested template's substitutions shift every index that follows;
        # the count is taken from the rendered text, so it relies on the
        # "Substitution(index=" spelling produced by the readable view.
        current_index += subtemplate.count("Substitution(index=")
    replacements.reverse()

    # now walk through all the indices and fix them up depth-first
    # `replacements` is reversed, so `index` counts down from the highest
    # original substitution index to 0.
    for i, replacement in enumerate(replacements):
        index = len(replacements) - i - 1
        if isinstance(replacement, int):
            # fixup index
            # str.replace rewrites every "index=N," occurrence in the text.
            from_pattern = "index=%d," % index
            to_pattern = "index=%d," % replacement
            template = template.replace(from_pattern, to_pattern)
        if isinstance(replacement, basestring):
            # insert sub-template
            # basestring: Python 2 name covering both str and unicode.
            template = _make_replacement(template, index, replacement)
    return template
def _get_complete_template(root, current_index=0):
    """
    Gets the template from a RootNode while resolving any nested templates
    and fixing up their indices.
    Depth first ordering/indexing.

    Implementation is a huge hack that depends on the brittle template_format() output.

    Works on the rendered text of `root`: substitutions that are
    BXmlTypeNode instances are rendered recursively (via `_root`) and
    inserted with _make_replacement; the "index=N," markers of the other
    substitutions are rewritten with `current_index` added, so that the
    indices in the flattened text do not collide.

    @type root: RootNode
    @type current_index: int
    @param current_index: offset applied to this root's substitution indices
                          (non-zero for nested templates)
    @rtype: str
    """
    template = evtx_template_readable_view(root)  # TODO(wb): make sure this is working

    # walk through each substitution.
    # if its a normal node, continue
    # else its a subtemplate, and we count the number of substitutions _it_ has
    # so that we can later fixup all the indices
    replacements = []
    for index, substitution in enumerate(root.substitutions()):
        # find all sub-templates
        if not isinstance(substitution, BXmlTypeNode):
            # Ordinary substitution: store the index it will be renumbered to.
            replacements.append(current_index + index)
            continue

        # TODO(wb): hack here accessing ._root
        subtemplate = _get_complete_template(substitution._root,
                                             current_index=current_index + index)
        replacements.append(subtemplate)
        # Each substitution of the nested template pushes the following
        # indices up; counted from the rendered text, so tied to the
        # "Substitution(index=" spelling of the readable view.
        current_index += subtemplate.count("Substitution(index=")
    replacements.reverse()

    # now walk through all the indices and fix them up depth-first
    # Because the list was reversed, `index` runs from the highest original
    # substitution index down to 0.
    for i, replacement in enumerate(replacements):
        index = len(replacements) - i - 1
        if isinstance(replacement, int):
            # fixup index
            # Replaces every "index=N," occurrence in the current text.
            from_pattern = "index=%d," % index
            to_pattern = "index=%d," % replacement
            template = template.replace(from_pattern, to_pattern)
        if isinstance(replacement, basestring):
            # insert sub-template
            # basestring is the Python 2 base of str and unicode.
            template = _make_replacement(template, index, replacement)
    return template