evtx

package module

README

A Go parser for Windows Event Log (EVTX) files.

This parser is based on code from https://github.com/KasperskyLab/ForensicsTools.

Documentation

Overview

	Modifications by Expel, Inc.

	Modifications made:
	- Exported the function readStructFromFile() as ReadStructFromFile()
	- Changed Chunk.Parse to return a slice of EventRecord values ([]EventRecord) instead of a slice of pointers

   Copyright 2018 Velocidex Innovations

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.

Index

Constants

const (
	// Signatures that open the file header and each chunk header. Each is
	// 8 bytes including the trailing NUL, matching the [8]byte Magic
	// fields on EVTXHeader and ChunkHeader.
	EVTX_HEADER_MAGIC       = "ElfFile\x00"
	EVTX_CHUNK_HEADER_MAGIC = "ElfChnk\x00"
	// Size in bytes of a chunk header on disk (0x200 = 512). The
	// ChunkHeader struct only covers the leading fields of it.
	EVTX_CHUNK_HEADER_SIZE  = 0x200

	// Size in bytes of one chunk (0x10000 = 64 KiB). Offsets and record
	// sizes read from the file are untrusted and should be bounded against
	// this before being used for reads; where that check happens is not
	// visible in this listing - confirm in Chunk.Parse / NewEventRecord.
	EVTX_CHUNK_SIZE = 0x10000

	// Signature that starts every event record ("**\x00\x00"); 4 bytes,
	// matching EventRecordHeader.Magic.
	EVTX_EVENT_RECORD_MAGIC = "\x2a\x2a\x00\x00"
	// Size in bytes of EventRecordHeader (4 + 4 + 8 + 8).
	EVTX_EVENT_RECORD_SIZE  = 24
)

Variables

This section is empty.

Functions

func Debug

func Debug(arg interface{})

func ExpandMessage

func ExpandMessage(event_map *ordereddict.Dict, message string) string

func NormalizeEventData

func NormalizeEventData(expanded interface{})

func ParseAttributes

func ParseAttributes(ctx *ParseContext) bool

func ParseBinXML

func ParseBinXML(ctx *ParseContext)

func ParseCloseElement

func ParseCloseElement(ctx *ParseContext) bool

Parses a closing element tag (e.g. </Element>).

func ParseCloseStartElement

func ParseCloseStartElement(ctx *ParseContext) bool

Parses the end of a start tag (the '>' in <Element>).

func ParseFile

func ParseFile(fd io.ReadSeeker) (*ordereddict.Dict, error)

func ParseOpenStartElement

func ParseOpenStartElement(ctx *ParseContext, has_attr bool) bool

Called when a new XML start tag is opened, e.g. "<EventData".

func ParseOptionalSubstitution

func ParseOptionalSubstitution(ctx *ParseContext) bool

func ParseTemplateInstance

func ParseTemplateInstance(ctx *ParseContext) bool

func ParseValueText

func ParseValueText(ctx *ParseContext) bool

func ReadName

func ReadName(ctx *ParseContext) string

func ReadPrefixedUnicodeString

func ReadPrefixedUnicodeString(ctx *ParseContext, is_null_terminated bool) string

func ReadStructFromFile

func ReadStructFromFile(fd io.ReadSeeker, offset int64, obj interface{}) error

func UTF16LEToUTF8

func UTF16LEToUTF8(data []byte) []byte

Types

type Chunk

// Chunk is one 64 KiB (EVTX_CHUNK_SIZE) chunk of an EVTX file, located at
// Offset within Fd. Build one with NewChunk or enumerate them with GetChunks;
// Parse then yields the event records it contains.
type Chunk struct {
	Header ChunkHeader   // chunk header as read from Offset
	Offset int64         // byte offset of this chunk within Fd
	Fd     io.ReadSeeker // underlying file; shared with every Chunk from GetChunks
}

func GetChunks

func GetChunks(fd io.ReadSeeker) ([]*Chunk, error)

GetChunks returns all chunks found in the file read from fd.

func NewChunk

func NewChunk(fd io.ReadSeeker, offset int64) (*Chunk, error)

func (*Chunk) Parse

func (self *Chunk) Parse(start_record_id int) ([]EventRecord, error)

type ChunkHeader

// ChunkHeader holds the leading fields of an on-disk chunk header. It is
// 44 bytes as declared, whereas the on-disk header is EVTX_CHUNK_HEADER_SIZE
// (512) bytes, so trailing fields are not represented; in particular no
// chunk checksum field is exposed here, so chunk integrity checking, if any,
// is not visible from this listing. All values come straight from the file
// and are untrusted.
type ChunkHeader struct {
	Magic               [8]byte // expected to equal EVTX_CHUNK_HEADER_MAGIC
	FirstEventRecNumber uint64
	LastEventRecNumber  uint64
	FirstEventRecID     uint64
	LastEventRecID      uint64
	HeaderSize          uint32
}

type EVTXHeader

// EVTXHeader is the file header at offset 0 of an EVTX file, read by
// ParseFile. All fields are taken verbatim from the file and are untrusted:
// a tampered or truncated log can carry arbitrary chunk counts and sizes.
type EVTXHeader struct {
	Magic           [8]byte // expected to equal EVTX_HEADER_MAGIC
	Firstchunk      uint64
	LastChunk       uint64
	NextRecordID    uint64
	HeaderSize      uint32
	MinorVersion    uint16
	MajorVersion    uint16
	HeaderBlockSize uint16

	FileFlags uint32
	// CheckSum is the header checksum as stored in the file. Whether
	// ParseFile verifies it is not shown in this listing; for forensic use
	// a mismatch is worth surfacing as a sign of tampering or truncation.
	CheckSum  uint32
	// contains filtered or unexported fields
}

type EventRecord

// EventRecord is one event from a chunk: its fixed-size header plus the
// decoded event produced by Parse. Event's concrete type is not fixed by
// this declaration; callers should type-check it rather than assume.
type EventRecord struct {
	Header EventRecordHeader
	Event  interface{} // decoded event body; nil until Parse has run - presumably; confirm in NewEventRecord
}

func NewEventRecord

func NewEventRecord(ctx *ParseContext, chunk *Chunk) (*EventRecord, error)

func (*EventRecord) Parse

func (self *EventRecord) Parse(ctx *ParseContext)

type EventRecordHeader

// EventRecordHeader is the 24-byte (EVTX_EVENT_RECORD_SIZE) fixed header that
// precedes each event record within a chunk.
type EventRecordHeader struct {
	Magic    [4]byte // expected to equal EVTX_EVENT_RECORD_MAGIC
	// Size is the record length in bytes as stored in the file. It is
	// untrusted input: it should be bounded against EVTX_CHUNK_SIZE and the
	// remaining chunk bytes before any seek or read based on it. Whether
	// the parser does this is not visible in this listing - confirm.
	Size     uint32
	RecordID uint64
	FileTime uint64 // raw 64-bit timestamp; presumably a Windows FILETIME - confirm against the consumer
}

type EvtxGUID

// EvtxGUID is a GUID in its on-disk layout: one 32-bit word, two 16-bit
// words and 8 trailing bytes (16 bytes total). ToString renders it as text.
type EvtxGUID struct {
	D  uint32
	W1 uint16
	W2 uint16
	B  [8]uint8
}

func (*EvtxGUID) ToString

func (self *EvtxGUID) ToString() string

type ParseContext

// ParseContext carries the read cursor and template state used by the
// Parse* functions while walking a chunk's binary XML. Construct it with
// NewParseContext; its fields are unexported. Note that ConsumeBytes,
// ConsumeUint*, SkipBytes and SetOffset return no error, so how an offset
// that runs past the end of the chunk is handled is not visible here -
// callers feeding untrusted files should confirm that behavior.
type ParseContext struct {
	// contains filtered or unexported fields
}

func NewParseContext

func NewParseContext(chunk *Chunk) *ParseContext

func (*ParseContext) ConsumeBytes

func (self *ParseContext) ConsumeBytes(size int) []byte

func (*ParseContext) ConsumeUint16

func (self *ParseContext) ConsumeUint16() uint16

func (*ParseContext) ConsumeUint32

func (self *ParseContext) ConsumeUint32() uint32

func (*ParseContext) ConsumeUint64

func (self *ParseContext) ConsumeUint64() uint64

func (*ParseContext) ConsumeUint8

func (self *ParseContext) ConsumeUint8() uint8

func (ParseContext) Copy

func (self ParseContext) Copy() *ParseContext

Copy returns a copy of the context that can be used to continue parsing without disturbing the state of the original.

func (*ParseContext) CurrentKey

func (self *ParseContext) CurrentKey() string

func (*ParseContext) CurrentTemplate

func (self *ParseContext) CurrentTemplate() *TemplateNode

func (*ParseContext) GetTemplateByID

func (self *ParseContext) GetTemplateByID(id int) (*TemplateNode, bool)

func (*ParseContext) NewTemplate

func (self *ParseContext) NewTemplate(id int) *TemplateNode

func (*ParseContext) Offset

func (self *ParseContext) Offset() int

func (*ParseContext) PopTemplate

func (self *ParseContext) PopTemplate()

func (*ParseContext) PushTemplate

func (self *ParseContext) PushTemplate(key string, template *TemplateNode)

func (*ParseContext) SetOffset

func (self *ParseContext) SetOffset(offset int)

func (*ParseContext) SkipBytes

func (self *ParseContext) SkipBytes(count int)

type TemplateNode

// TemplateNode is one node of a parsed BinXML template tree. A node may
// carry a Literal value, an ordered list of children (NestedArray) or keyed
// children (NestedDict); SetLiteral, SetNested and SetExpansion build the
// tree and Expand produces the final value by filling substitutions from
// the supplied args.
type TemplateNode struct {
	Id          uint32
	Type        uint32
	Literal     interface{}
	NestedArray []*TemplateNode
	NestedDict  *ordereddict.Dict //map[string]*TemplateNode

	CurrentKey string // key under which the next child is stored - presumably; see SetNested/CurrentKey
}

func NewTemplate

func NewTemplate(id int) *TemplateNode

func (*TemplateNode) Expand

func (self *TemplateNode) Expand(args map[int]interface{}) interface{}

func (*TemplateNode) SetExpansion

func (self *TemplateNode) SetExpansion(key string, id, type_id uint32)

func (*TemplateNode) SetLiteral

func (self *TemplateNode) SetLiteral(key string, literal interface{})

func (*TemplateNode) SetNested

func (self *TemplateNode) SetNested(key string, nested *TemplateNode)
