def ParseFileObject(self, parser_mediator, file_object, **kwargs): """Parses a Windows EventLog (EVT) file-like object. Args: parser_mediator: a parser mediator object (instance of ParserMediator). file_object: a file-like object. """ evt_file = pyevt.file() evt_file.set_ascii_codepage(parser_mediator.codepage) try: evt_file.open_file_object(file_object) except IOError as exception: parser_mediator.ProduceParseError( u'unable to open file with error: {0:s}'.format(exception)) return for record_index, evt_record in enumerate(evt_file.records): try: self._ParseRecord(parser_mediator, record_index, evt_record) except IOError as exception: parser_mediator.ProduceParseError( u'unable to parse event record: {0:d} with error: {1:s}'.format( record_index, exception)) for record_index, evt_record in enumerate(evt_file.recovered_records): try: self._ParseRecord( parser_mediator, record_index, evt_record, recovered=True) except IOError as exception: parser_mediator.ProduceParseError(( u'unable to parse recovered event record: {0:d} with error: ' u'{1:s}').format(record_index, exception)) evt_file.close()
def test_open_close(self): """Tests the open and close functions.""" if not unittest.source: return evt_file = pyevt.file() # Test open and close. evt_file.open(unittest.source) evt_file.close() # Test open and close a second time to validate clean up on close. evt_file.open(unittest.source) evt_file.close() file_object = open(unittest.source, "rb") # Test open_file_object and close. evt_file.open_file_object(file_object) evt_file.close() # Test open_file_object and close a second time to validate clean up on close. evt_file.open_file_object(file_object) evt_file.close() # Test open_file_object and close and dereferencing file_object. evt_file.open_file_object(file_object) del file_object evt_file.close()
def pyevt_test_single_open_close_file_object_with_dereference( filename, mode): """Tests single file-like object open and close with dereference.""" description = ( "Testing single open close of file-like object with dereference of: " "{0:s} with access: {1:s}\t").format( get_filename_string(filename), get_mode_string(mode)) print(description, end="") error_string = None result = True try: file_object = open(filename, "rb") evt_file = pyevt.file() evt_file.open_file_object(file_object, mode) del file_object evt_file.close() except Exception as exception: error_string = str(exception) result = False if not result: print("(FAIL)") else: print("(PASS)") if error_string: print(error_string) return result
def pyevt_test_multi_open_close_file(filename, mode): """Tests multiple open and close.""" description = ( "Testing multi open close of: {0:s} with access: {1:s}" "\t").format(get_filename_string(filename), get_mode_string(mode)) print(description, end="") error_string = None result = True try: evt_file = pyevt.file() evt_file.open(filename, mode) evt_file.close() evt_file.open(filename, mode) evt_file.close() except Exception as exception: error_string = str(exception) result = False if not result: print("(FAIL)") else: print("(PASS)") if error_string: print(error_string) return result
def test_close(self): """Tests the close function.""" if not unittest.source: return evt_file = pyevt.file() with self.assertRaises(IOError): evt_file.close()
def main( argc, argv ): result = 0 if argc != 1: print "Usage: pyevt_test_set_ascii_codepage.py\n" return 1 supported_codepages = [ "ascii", "cp874", "cp932", "cp936", "cp949", "cp950", "cp1250", "cp1251", "cp1252", "cp1253", "cp1254", "cp1255", "cp1256", "cp1257", "cp1258" ] unsupported_codepages = [ "iso-8859-1", "iso-8859-2", "iso-8859-3", "iso-8859-4", "iso-8859-5", "iso-8859-6", "iso-8859-7", "iso-8859-8", "iso-8859-9", "iso-8859-10", "iso-8859-11", "iso-8859-13", "iso-8859-14", "iso-8859-15", "iso-8859-16", "koi8_r", "koi8_u" ] evt_file = pyevt.file() for codepage in supported_codepages: print "Testing setting supported ASCII codepage of: %s:\t" %( codepage ), try: evt_file.ascii_codepage = codepage result = 0 except: result = 1 if result != 0: print "(FAIL)" return 1 print "(PASS)" print "Testing setting supported ASCII codepage of: %s:\t" %( codepage ), try: evt_file.set_ascii_codepage( codepage ) result = 0 except: result = 1 if result != 0: print "(FAIL)" return 1 print "(PASS)" for codepage in unsupported_codepages: print "Testing setting unsupported ASCII codepage of: %s:\t" %( codepage ), result = 1 try: evt_file.ascii_codepage = codepage except RuntimeError, exception: if exception.message == "pyevt_file_set_ascii_codepage_from_string: unable to determine ASCII codepage.": result = 0 except:
def _GetEventFileList(self): '''Get file listing of event files from specified source path''' self.filelist = [] if not os.path.isdir(self.options.events_path): raise(Exception("Events directory does not exist: {}".format(self.options.events_path))) for dirName, subdirList, fileList in os.walk(self.options.events_path): for filename in fileList: fullname = os.path.join( dirName, filename ) if (filename.lower().endswith('.evt') or filename.lower().endswith('.evtx')): if IsSupportedEventFile(fullname): self.filelist.append(fullname) elif filename.lower().endswith('.json'): # Check for EvtXtract outputfiles # if IsSupportedEvtXtractFile(fullname): self.filelist.append(fullname) self.filelist.sort() progressBar = ProgressManager.ProgressBarClass( Config.Config.UI_TYPE, count = len(self.filelist), description = u'Enumerating Event Files'.format(dirName) ) _fcnt = 0 for filename in self.filelist: if filename.lower().endswith('evtx'): wefile = pyevtx.file() wefile.open(filename) self.total_records += wefile.get_number_of_records() self.total_records += wefile.get_number_of_recovered_records() wefile.close() elif filename.lower().endswith('evt'): wefile = pyevt.file() wefile.open(filename) self.total_records += wefile.get_number_of_records() self.total_records += wefile.get_number_of_recovered_records() wefile.close() elif filename.lower().endswith('json'): with open(filename) as wefile: jstruct = json.load(wefile) self.total_records += len(jstruct['valid_records']) wefile.close() progressBar.Increment(1) _fcnt += 1 progressBar.Finish()
def pyevt_test_single_open_close_file(filename, mode): """Tests a single open and close.""" description = ( "Testing single open close of: {0:s} with access: {1:s}" "\t").format(get_filename_string(filename), get_mode_string(mode)) print(description, end="") error_string = None result = True try: evt_file = pyevt.file() evt_file.open(filename, mode) evt_file.close() except TypeError as exception: expected_message = ( "{0:s}: unsupported string object type.").format( "pyevt_file_open") if not filename and str(exception) == expected_message: pass else: error_string = str(exception) result = False except ValueError as exception: expected_message = ( "{0:s}: unsupported mode: w.").format( "pyevt_file_open") if mode != "w" or str(exception) != expected_message: error_string = str(exception) result = False except Exception as exception: error_string = str(exception) result = False if not result: print("(FAIL)") else: print("(PASS)") if error_string: print(error_string) return result
def Parse(self, parser_context, file_entry): """Extract data from a Windows EventLog (EVT) file. Args: parser_context: A parser context object (instance of ParserContext). file_entry: A file entry object (instance of dfvfs.FileEntry). Yields: An event object (instance of WinEvtRecordEvent) that contains the parsed data. """ file_object = file_entry.GetFileObject() evt_file = pyevt.file() evt_file.set_ascii_codepage(parser_context.codepage) try: evt_file.open_file_object(file_object) except IOError as exception: evt_file.close() file_object.close() raise errors.UnableToParseFile( u'[{0:s}] unable to parse file {1:s} with error: {2:s}'.format( self.NAME, file_entry.name, exception)) for record_index in range(0, evt_file.number_of_records): try: evt_record = evt_file.get_record(record_index) self._ParseRecord(parser_context, evt_record, file_entry=file_entry) except IOError as exception: logging.warning(( u'[{0:s}] unable to parse event record: {1:d} in file: {2:s} ' u'with error: {3:s}').format( self.NAME, record_index, file_entry.name, exception)) for record_index in range(0, evt_file.number_of_recovered_records): try: evt_record = evt_file.get_recovered_record(record_index) self._ParseRecord( parser_context, evt_record, file_entry=file_entry, recovered=True) except IOError as exception: logging.info(( u'[{0:s}] unable to parse recovered event record: {1:d} in file: ' u'{2:s} with error: {3:s}').format( self.NAME, record_index, file_entry.name, exception)) evt_file.close() file_object.close()
def pyevt_test_single_open_close_file(filename, mode): if not filename: filename_string = "None" else: filename_string = filename print("Testing single open close of: {0:s} with access: {1:s}\t".format( filename_string, get_mode_string(mode))) result = True try: evt_file = pyevt.file() evt_file.open(filename, mode) evt_file.close() except TypeError as exception: expected_message = ( "{0:s}: unsupported string object type.").format( "pyevt_file_open") if not filename and str(exception) == expected_message: pass else: print(str(exception)) result = False except ValueError as exception: expected_message = ( "{0:s}: unsupported mode: w.").format( "pyevt_file_open") if mode != "w" or str(exception) != expected_message: print(str(exception)) result = False except Exception as exception: print(str(exception)) result = False if not result: print("(FAIL)") else: print("(PASS)") return result
def _OpenFile(self): '''Open the WindowsEventHandler's evt or evtx file handle for processing''' if self.ext.lower().endswith('evtx'): self.eventfile_type = 'evtx' self.file = pyevtx.file() elif self.ext.lower().endswith('evt'): self.eventfile_type = 'evt' self.file = pyevt.file() elif self.ext.lower().endswith('json'): self.eventfile_type = 'evtxtract' self.file = EvtXtractFile() else: raise Exception('{} Is not a supported extention. (.evt || .evtx || .json [EVTXtract json file]) [{}]'.format( self.ext, self.filename )) self.file.open(self.filename)
def _ReadEVT(self, source): """Read an EventLog file. Args: source (str): name of the EventLog file that contains the process start and stop events. Yields: pyevt.record: EventLog record. """ evt_file = pyevt.file() evt_file.open(source) # pylint: disable=not-an-iterable for evt_record in evt_file.records: yield evt_record evt_file.close()
def ParseFileObject(self, parser_mediator, file_object, **kwargs): """Parses a Windows EventLog (EVT) file-like object. Args: parser_mediator: A parser mediator object (instance of ParserMediator). file_object: A file-like object. Raises: UnableToParseFile: when the file cannot be parsed. """ file_name = parser_mediator.GetDisplayName() evt_file = pyevt.file() evt_file.set_ascii_codepage(parser_mediator.codepage) try: evt_file.open_file_object(file_object) except IOError as exception: evt_file.close() raise errors.UnableToParseFile( u'[{0:s}] unable to parse file {1:s} with error: {2:s}'.format( self.NAME, file_name, exception)) for record_index in range(0, evt_file.number_of_records): try: evt_record = evt_file.get_record(record_index) self._ParseRecord(parser_mediator, evt_record,) except IOError as exception: logging.warning(( u'[{0:s}] unable to parse event record: {1:d} in file: {2:s} ' u'with error: {3:s}').format( self.NAME, record_index, file_name, exception)) for record_index in range(0, evt_file.number_of_recovered_records): try: evt_record = evt_file.get_recovered_record(record_index) self._ParseRecord(parser_mediator, evt_record, recovered=True) except IOError as exception: logging.info(( u'[{0:s}] unable to parse recovered event record: {1:d} in file: ' u'{2:s} with error: {3:s}').format( self.NAME, record_index, file_name, exception)) evt_file.close()
def test_open(self): """Tests the open function.""" if not unittest.source: return evt_file = pyevt.file() evt_file.open(unittest.source) with self.assertRaises(IOError): evt_file.open(unittest.source) evt_file.close() with self.assertRaises(TypeError): evt_file.open(None) with self.assertRaises(ValueError): evt_file.open(unittest.source, mode="w")
def test_set_ascii_codepage(self): """Tests the set_ascii_codepage function.""" supported_codepages = ( "ascii", "cp874", "cp932", "cp936", "cp949", "cp950", "cp1250", "cp1251", "cp1252", "cp1253", "cp1254", "cp1255", "cp1256", "cp1257", "cp1258") evt_file = pyevt.file() for codepage in supported_codepages: evt_file.set_ascii_codepage(codepage) unsupported_codepages = ( "iso-8859-1", "iso-8859-2", "iso-8859-3", "iso-8859-4", "iso-8859-5", "iso-8859-6", "iso-8859-7", "iso-8859-8", "iso-8859-9", "iso-8859-10", "iso-8859-11", "iso-8859-13", "iso-8859-14", "iso-8859-15", "iso-8859-16", "koi8_r", "koi8_u") for codepage in unsupported_codepages: with self.assertRaises(RuntimeError): evt_file.set_ascii_codepage(codepage)
def pyevt_test_single_open_close_file_object(filename, mode): print(("Testing single open close of file-like object of: {0:s} " "with access: {1:s}\t").format(filename, get_mode_string(mode))) result = True try: file_object = open(filename, "rb") evt_file = pyevt.file() evt_file.open_file_object(file_object, mode) evt_file.close() except Exception as exception: print(str(exception)) result = False if not result: print("(FAIL)") else: print("(PASS)") return result
def pyevt_test_multi_open_close_file(filename, mode): print("Testing multi open close of: {0:s} with access: {1:s}\t".format( filename, get_mode_string(mode))) result = True try: evt_file = pyevt.file() evt_file.open(filename, mode) evt_file.close() evt_file.open(filename, mode) evt_file.close() except Exception as exception: print(str(exception)) result = False if not result: print("(FAIL)") else: print("(PASS)") return result
def ParseFileObject(self, parser_mediator, file_object, **kwargs): """Parses a Windows EventLog (EVT) file-like object. Args: parser_mediator: a parser mediator object (instance of ParserMediator). file_object: a file-like object. Raises: UnableToParseFile: when the file cannot be parsed. """ evt_file = pyevt.file() evt_file.set_ascii_codepage(parser_mediator.codepage) try: evt_file.open_file_object(file_object) except IOError as exception: display_name = parser_mediator.GetDisplayName() raise errors.UnableToParseFile( u'[{0:s}] unable to parse file {1:s} with error: {2:s}'.format( self.NAME, display_name, exception)) for record_index, evt_record in enumerate(evt_file.records): try: self._ParseRecord(parser_mediator, record_index, evt_record) except IOError as exception: parser_mediator.ProduceParseError( u'unable to parse event record: {0:d} with error: {1:s}'.format( record_index, exception)) for record_index, evt_record in enumerate(evt_file.recovered_records): try: self._ParseRecord( parser_mediator, record_index, evt_record, recovered=True) except IOError as exception: parser_mediator.ProduceParseError(( u'unable to parse recovered event record: {0:d} with error: ' u'{1:s}').format(record_index, exception)) evt_file.close()
def test_open_file_object(self): """Tests the open_file_object function.""" if not unittest.source: return file_object = open(unittest.source, "rb") evt_file = pyevt.file() evt_file.open_file_object(file_object) with self.assertRaises(IOError): evt_file.open_file_object(file_object) evt_file.close() # TODO: change IOError into TypeError with self.assertRaises(IOError): evt_file.open_file_object(None) with self.assertRaises(ValueError): evt_file.open_file_object(file_object, mode="w")
def ParseFileObject(self, parser_mediator, file_object): """Parses a Windows EventLog (EVT) file-like object. Args: parser_mediator (ParserMediator): mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dfvfs.FileIO): a file-like object. """ evt_file = pyevt.file() evt_file.set_ascii_codepage(parser_mediator.codepage) try: evt_file.open_file_object(file_object) except IOError as exception: parser_mediator.ProduceExtractionError( 'unable to open file with error: {0!s}'.format(exception)) return try: self._ParseRecords(parser_mediator, evt_file) finally: evt_file.close()
def ParseFileObject(self, parser_mediator, file_object, **kwargs): """Parses a Windows EventLog (EVT) file-like object. Args: parser_mediator: a parser mediator object (instance of ParserMediator). file_object: a file-like object. """ evt_file = pyevt.file() evt_file.set_ascii_codepage(parser_mediator.codepage) try: evt_file.open_file_object(file_object) except IOError as exception: parser_mediator.ProduceParseError( u'unable to open file with error: {0:s}'.format(exception)) return for record_index, evt_record in enumerate(evt_file.records): try: self._ParseRecord(parser_mediator, record_index, evt_record) except IOError as exception: parser_mediator.ProduceParseError( u'unable to parse event record: {0:d} with error: {1:s}'. format(record_index, exception)) for record_index, evt_record in enumerate(evt_file.recovered_records): try: self._ParseRecord(parser_mediator, record_index, evt_record, recovered=True) except IOError as exception: parser_mediator.ProduceParseError(( u'unable to parse recovered event record: {0:d} with error: ' u'{1:s}').format(record_index, exception)) evt_file.close()
def Main(): DEBUG_FILE = sys.argv[1] RECORD_INDEX = sys.argv[2] RECOVERED = sys.argv[3] if DEBUG_FILE.lower().endswith('.evt'): evfile = pyevt.file() evfile.open(DEBUG_FILE) elif DEBUG_FILE.lower().endswith('.evtx'): evfile = evtxfile.file() evfile.open(DEBUG_FILE) else: print u'File needs .evt or .evtx extention. {}'.format(DEBUG_FILE) sys.exit(1) if RECOVERED: record = evtxfile.get_record(RECORD_INDEX) else: record = evtxfile.get_recovered_record(RECORD_INDEX) try: xml_string = record.xml_string except: print u'Record has no xml_string' list_names = [ 'Event.EventData.Data', 'Event.EventData.Binary', ] drec = XmlHandler.GetDictionary( xml_string, force_list=list_names ) print drec
def test_open_file_object(self): """Tests the open_file_object function.""" if not unittest.source: raise unittest.SkipTest("missing source") if not os.path.isfile(unittest.source): raise unittest.SkipTest("source not a regular file") evt_file = pyevt.file() with open(unittest.source, "rb") as file_object: evt_file.open_file_object(file_object) with self.assertRaises(IOError): evt_file.open_file_object(file_object) evt_file.close() with self.assertRaises(TypeError): evt_file.open_file_object(None) with self.assertRaises(ValueError): evt_file.open_file_object(file_object, mode="w")
def pyevt_test_single_open_close_file_object_with_dereference(filename, mode): file_object = open(filename, mode) evt_file = pyevt.file() evt_file.open_file_object(file_object, mode) del file_object evt_file.close()
def pyevt_test_single_open_close_file_object(filename, mode): file_object = open(filename, mode) evt_file = pyevt.file() evt_file.open_file_object(file_object, mode) evt_file.close()
def pyevt_test_multi_open_close_file(filename, mode): evt_file = pyevt.file() evt_file.open(filename, mode) evt_file.close() evt_file.open(filename, mode) evt_file.close()
def main(argc, argv): result = 0 if argc != 1: print "Usage: pyevt_test_set_ascii_codepage.py\n" return 1 supported_codepages = [ "ascii", "cp874", "cp932", "cp936", "cp949", "cp950", "cp1250", "cp1251", "cp1252", "cp1253", "cp1254", "cp1255", "cp1256", "cp1257", "cp1258" ] unsupported_codepages = [ "iso-8859-1", "iso-8859-2", "iso-8859-3", "iso-8859-4", "iso-8859-5", "iso-8859-6", "iso-8859-7", "iso-8859-8", "iso-8859-9", "iso-8859-10", "iso-8859-11", "iso-8859-13", "iso-8859-14", "iso-8859-15", "iso-8859-16", "koi8_r", "koi8_u" ] evt_file = pyevt.file() for codepage in supported_codepages: print "Testing setting supported ASCII codepage of: %s:\t" % ( codepage), try: evt_file.ascii_codepage = codepage result = 0 except: result = 1 if result != 0: print "(FAIL)" return 1 print "(PASS)" print "Testing setting supported ASCII codepage of: %s:\t" % ( codepage), try: evt_file.set_ascii_codepage(codepage) result = 0 except: result = 1 if result != 0: print "(FAIL)" return 1 print "(PASS)" for codepage in unsupported_codepages: print "Testing setting unsupported ASCII codepage of: %s:\t" % ( codepage), result = 1 try: evt_file.ascii_codepage = codepage except RuntimeError, exception: if exception.message == "pyevt_file_set_ascii_codepage_from_string: unable to determine ASCII codepage.": result = 0 except:
def test_signal_abort(self): """Tests the signal_abort function.""" evt_file = pyevt.file() evt_file.signal_abort()
def main(): supported_codepages = [ "ascii", "cp874", "cp932", "cp936", "cp949", "cp950", "cp1250", "cp1251", "cp1252", "cp1253", "cp1254", "cp1255", "cp1256", "cp1257", "cp1258" ] unsupported_codepages = [ "iso-8859-1", "iso-8859-2", "iso-8859-3", "iso-8859-4", "iso-8859-5", "iso-8859-6", "iso-8859-7", "iso-8859-8", "iso-8859-9", "iso-8859-10", "iso-8859-11", "iso-8859-13", "iso-8859-14", "iso-8859-15", "iso-8859-16", "koi8_r", "koi8_u" ] evt_file = pyevt.file() result = True for codepage in supported_codepages: print("Testing setting supported ASCII codepage of: {0:s}:\t".format( codepage)), try: evt_file.ascii_codepage = codepage result = True except: result = False if not result: print("(FAIL)") return False print("(PASS)") print("Testing setting supported ASCII codepage of: {0:s}:\t".format( codepage)), try: evt_file.set_ascii_codepage(codepage) result = True except: result = False if not result: print("(FAIL)") return False print("(PASS)") for codepage in unsupported_codepages: print("Testing setting unsupported ASCII codepage of: {0:s}:\t". format(codepage)), result = False try: evt_file.ascii_codepage = codepage except RuntimeError as exception: expected_message = ( "{0:s}: unable to determine ASCII codepage." ).format("pyevt_file_set_ascii_codepage_from_string") if str(exception) == expected_message: result = True except: pass if not result: print("(FAIL)") return False print("(PASS)") print("Testing setting unsupported ASCII codepage of: {0:s}:\t". format(codepage)), result = False try: evt_file.set_ascii_codepage(codepage) except RuntimeError as exception: expected_message = ( "{0:s}: unable to determine ASCII codepage." ).format("pyevt_file_set_ascii_codepage_from_string") if str(exception) == expected_message: result = True except: pass if not result: print("(FAIL)") return False print("(PASS)") return True
def main(): supported_codepages = [ "ascii", "cp874", "cp932", "cp936", "cp949", "cp950", "cp1250", "cp1251", "cp1252", "cp1253", "cp1254", "cp1255", "cp1256", "cp1257", "cp1258"] unsupported_codepages = [ "iso-8859-1", "iso-8859-2", "iso-8859-3", "iso-8859-4", "iso-8859-5", "iso-8859-6", "iso-8859-7", "iso-8859-8", "iso-8859-9", "iso-8859-10", "iso-8859-11", "iso-8859-13", "iso-8859-14", "iso-8859-15", "iso-8859-16", "koi8_r", "koi8_u"] evt_file = pyevt.file() result = True for codepage in supported_codepages: print("Testing setting supported ASCII codepage of: {0:s}:\t".format( codepage)), try: evt_file.ascii_codepage = codepage result = True except: result = False if not result: print("(FAIL)") return False print("(PASS)") print("Testing setting supported ASCII codepage of: {0:s}:\t".format( codepage)), try: evt_file.set_ascii_codepage(codepage) result = True except: result = False if not result: print("(FAIL)") return False print("(PASS)") for codepage in unsupported_codepages: print("Testing setting unsupported ASCII codepage of: {0:s}:\t".format( codepage)), result = False try: evt_file.ascii_codepage = codepage except RuntimeError as exception: expected_message = ( "{0:s}: unable to determine ASCII codepage.").format( "pyevt_file_set_ascii_codepage_from_string") if str(exception) == expected_message: result = True except: pass if not result: print("(FAIL)") return False print("(PASS)") print("Testing setting unsupported ASCII codepage of: {0:s}:\t".format( codepage)), result = False try: evt_file.set_ascii_codepage(codepage) except RuntimeError as exception: expected_message = ( "{0:s}: unable to determine ASCII codepage.").format( "pyevt_file_set_ascii_codepage_from_string") if str(exception) == expected_message: result = True except: pass if not result: print("(FAIL)") return False print("(PASS)") return True