def get_message(metadata_handle, message_id):
"""Get a message given the message id.
:param metadata_handle: (EVT_HANDLE)
:param message_id: (DWORD)
:return:
"""
buffer_size = 0
variant = None
buffer_used = byref(DWORD())
result = wevtapi.EvtFormatMessage(metadata_handle, None, message_id, 0,
None, EvtFormatMessageId, buffer_size,
variant, buffer_used)
if result == 0:
# Check our last error
status = kernel32.GetLastError()
if status == ERROR_INSUFFICIENT_BUFFER:
buffer_size = buffer_used._obj.value
c_buffer = ctypes.c_buffer(buffer_size * 2)
unicode_buffer = ctypes.cast(c_buffer, LPWSTR)
result = wevtapi.EvtFormatMessage(metadata_handle, None,
message_id, 0, None,
EvtFormatMessageId, buffer_size,
unicode_buffer, buffer_used)
return unicode_buffer.value
else:
err_no = kernel32.GetLastError()
logging.error(str(WindowsError(err_no,
ctypes.FormatError(err_no))))
def __del__(self):
if self._handle is not None:
result = wevtapi.EvtClose(self._handle)
if not result:
err_no = kernel32.GetLastError()
logging.error(
str(WindowsError(err_no, ctypes.FormatError(err_no))))
def EvtNextPublisherId(publisher_enum):
"""
:param publisher_enum: (EVT_HANDLE) PublisherEnum from EvtOpenPublisherEnum.
:return:
"""
buffer_size = 0
buffer_used = byref(DWORD())
result = wevtapi.EvtNextPublisherId(publisher_enum, buffer_size, None,
buffer_used)
if result == 0:
# Check our last error
status = kernel32.GetLastError()
if status == ERROR_INSUFFICIENT_BUFFER:
buffer_size = buffer_used._obj.value
c_buffer = ctypes.c_buffer(buffer_size * 2)
unicode_buffer = ctypes.cast(c_buffer, LPWSTR)
result = wevtapi.EvtNextPublisherId(publisher_enum, buffer_size,
unicode_buffer, buffer_used)
return unicode_buffer.value
if status == ERROR_NO_MORE_ITEMS:
return
else:
raise (Exception(
"Unhandled error on EvtNextPublisherId. Error: {}".format(
status)))
def get_name_by_pid(pid, access=PROCESS_QUERY_LIMITED_INFORMATION):
"""Get the name of an image by process id.
:param pid: (int) The process id
:param access: (int) The process access flag
:return:
"""
process_handle = kernel32.OpenProcess(
access,
False,
pid
)
if process_handle is None:
err_no = kernel32.GetLastError()
raise(
WindowsError(
err_no, ctypes.FormatError(err_no)
)
)
image_name = GetProcessImageFileName(
process_handle
)
return image_name
def EvtOpenPublisherMetadata(publisher_id, logfile_path=None):
"""A helper function to make calling EvtOpenPublisherMetadata easier.
:param publisher_id: (str) The name of the provider
:return: (EVT_HANDLE)
"""
evt_handle = wevtapi.EvtOpenPublisherMetadata(None, publisher_id,
logfile_path, 0, 0)
if evt_handle is None:
err_no = kernel32.GetLastError()
raise WindowsError(err_no, ctypes.FormatError(err_no))
return evt_handle
def get_property(evt_handle, index, property_id):
"""Get the metadata property for an object in the array.
:param evt_handle: (EVT_HANDLE)
:param index: (DWORD)
:param property_id: (EVT_PUBLISHER_METADATA_PROPERTY_ID)
:return: (EVT_VARIANT|None)
"""
# The first thing we need to do is find out how large our variant buffer will be
# to do this, we set our variant to Null, the result will be 0, and set an error.
buffer_size = 0
variant = None
buffer_used = byref(DWORD())
result = wevtapi.EvtGetObjectArrayProperty(evt_handle, property_id, index,
0, buffer_size, variant,
buffer_used)
if result == 0:
# Check our last error
status = kernel32.GetLastError()
if status == ERROR_INSUFFICIENT_BUFFER:
# If the error is ERROR_INSUFFICIENT_BUFFER,
# we can now determine the buffer size needed.
buffer_size = buffer_used._obj.value
variant_buffer = ctypes.create_string_buffer(buffer_size)
variant = EVT_VARIANT.from_buffer(variant_buffer)
result = wevtapi.EvtGetObjectArrayProperty(evt_handle, property_id,
index, 0, buffer_size,
variant, buffer_used)
return variant
else:
err_no = kernel32.GetLastError()
logging.error(str(WindowsError(err_no,
ctypes.FormatError(err_no))))
def EvtOpenPublisherEnum(session=None):
"""Helper function to call wevtapi.EvtOpenPublisherEnum.
:param session: (None|EVT_HANDLE)A remote session handle that the EvtOpenSession function returns.
Set to NULL to enumerate the registered providers on the local computer.
:return:
"""
provider_list_handle = wevtapi.EvtOpenPublisherEnum(session, 0)
if provider_list_handle is None:
status = kernel32.GetLastError()
raise (Exception(
"EvtOpenPublisherEnum Error. Code: {}".format(status)))
return provider_list_handle
def GetProcessImageFileName(handle):
image_file_name = ctypes.create_unicode_buffer(
wintypes.MAX_PATH
)
string_length = psapi.GetProcessImageFileNameW(
handle,
image_file_name,
len(image_file_name)
)
if string_length == 0:
err_no = kernel32.GetLastError()
if err_no != 0:
err = WindowsError(
err_no, ctypes.FormatError(err_no)
)
raise err
return image_file_name.value
def by_pid(pid, access=PROCESS_ALL_ACCESS):
process_handle = kernel32.OpenProcess(
access,
False,
pid
)
if process_handle is None:
err_no = kernel32.GetLastError()
raise (
WindowsError(
err_no, ctypes.FormatError(err_no)
)
)
process = Process(
pid,
process_handle
)
return process
def EvtGetPublisherMetadataProperty(metadata_handle, property_id):
"""A helper function to make calling EvtGetPublisherMetadataProperty easier.
:param metadata_handle: (EVT_HANDLE) This is a handled returned by EvtOpenPublisherMetadata
:param property_id: (EVT_PUBLISHER_METADATA_PROPERTY_ID) EvtPublisherMetadata* ENUM value
:return: (EVT_VARIANT)
"""
buffer_size = 0
variant = None
buffer_used = byref(DWORD())
result = wevtapi.EvtGetPublisherMetadataProperty(metadata_handle,
property_id, 0,
buffer_size, variant,
buffer_used)
if result == 0:
# Check our last error
status = kernel32.GetLastError()
if status == ERROR_INSUFFICIENT_BUFFER:
# If the error is ERROR_INSUFFICIENT_BUFFER,
# we can now determine the buffer size needed.
buffer_size = buffer_used._obj.value
variant_buffer = ctypes.create_string_buffer(buffer_size)
variant = EVT_VARIANT.from_buffer(variant_buffer)
result = wevtapi.EvtGetPublisherMetadataProperty(
metadata_handle, property_id, 0, buffer_size, variant,
buffer_used)
return variant
else:
error_msg = ctypes.FormatError(status)
raise (Exception(
"Unhandled error on EvtGetPublisherMetadataProperty. Error: {}; Message: {}"
.format(status, error_msg)))