Documentation ¶
Overview ¶
Modifications by Expel, Inc.

Modifications made:
- Made the function readStructFromFile() into a public function ReadStructFromFile()
- Changed Chunk.Parse to return a slice of data instead of a slice of pointers

Copyright 2018 Velocidex Innovations

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Index ¶
- Constants
- func Debug(arg interface{})
- func ExpandMessage(event_map *ordereddict.Dict, message string) string
- func NormalizeEventData(expanded interface{})
- func ParseAttributes(ctx *ParseContext) bool
- func ParseBinXML(ctx *ParseContext)
- func ParseCloseElement(ctx *ParseContext) bool
- func ParseCloseStartElement(ctx *ParseContext) bool
- func ParseFile(fd io.ReadSeeker) (*ordereddict.Dict, error)
- func ParseOpenStartElement(ctx *ParseContext, has_attr bool) bool
- func ParseOptionalSubstitution(ctx *ParseContext) bool
- func ParseTemplateInstance(ctx *ParseContext) bool
- func ParseValueText(ctx *ParseContext) bool
- func ReadName(ctx *ParseContext) string
- func ReadPrefixedUnicodeString(ctx *ParseContext, is_null_terminated bool) string
- func ReadStructFromFile(fd io.ReadSeeker, offset int64, obj interface{}) error
- func UTF16LEToUTF8(data []byte) []byte
- type Chunk
- type ChunkHeader
- type EVTXHeader
- type EventRecord
- type EventRecordHeader
- type EvtxGUID
- type ParseContext
- func (self *ParseContext) ConsumeBytes(size int) []byte
- func (self *ParseContext) ConsumeUint16() uint16
- func (self *ParseContext) ConsumeUint32() uint32
- func (self *ParseContext) ConsumeUint64() uint64
- func (self *ParseContext) ConsumeUint8() uint8
- func (self ParseContext) Copy() *ParseContext
- func (self *ParseContext) CurrentKey() string
- func (self *ParseContext) CurrentTemplate() *TemplateNode
- func (self *ParseContext) GetTemplateByID(id int) (*TemplateNode, bool)
- func (self *ParseContext) NewTemplate(id int) *TemplateNode
- func (self *ParseContext) Offset() int
- func (self *ParseContext) PopTemplate()
- func (self *ParseContext) PushTemplate(key string, template *TemplateNode)
- func (self *ParseContext) SetOffset(offset int)
- func (self *ParseContext) SkipBytes(count int)
- type TemplateNode
Constants ¶
// Signatures and fixed sizes of the EVTX on-disk format as used by this parser.
//
// NOTE(review): offsets and lengths read from an input file are untrusted; whether
// the parser clamps them to these fixed bounds is not visible from this page —
// confirm in the ParseContext.Consume* implementations.
const (
	// Signature at the start of the file header: "ElfFile" followed by a NUL byte.
	EVTX_HEADER_MAGIC = "ElfFile\x00"
	// Signature at the start of each chunk header: "ElfChnk" followed by a NUL byte.
	EVTX_CHUNK_HEADER_MAGIC = "ElfChnk\x00"
	// Size of a chunk header: 0x200 (512) bytes.
	EVTX_CHUNK_HEADER_SIZE = 0x200
	// Size of one chunk: 0x10000 (64 KiB).
	EVTX_CHUNK_SIZE = 0x10000
	// Signature at the start of each event record: "**" followed by two NUL bytes.
	EVTX_EVENT_RECORD_MAGIC = "\x2a\x2a\x00\x00"
	// Size of an event record header: 24 bytes.
	EVTX_EVENT_RECORD_SIZE = 24
)
Variables ¶
This section is empty.
Functions ¶
func ExpandMessage ¶
func ExpandMessage(event_map *ordereddict.Dict, message string) string
func NormalizeEventData ¶
func NormalizeEventData(expanded interface{})
func ParseAttributes ¶
func ParseAttributes(ctx *ParseContext) bool
func ParseBinXML ¶
func ParseBinXML(ctx *ParseContext)
func ParseCloseElement ¶
func ParseCloseElement(ctx *ParseContext) bool
Represents a closing element (e.g. </Element>).
func ParseCloseStartElement ¶
func ParseCloseStartElement(ctx *ParseContext) bool
Represents the close of a start element (the '>' in <Element>).
func ParseFile ¶
func ParseFile(fd io.ReadSeeker) (*ordereddict.Dict, error)
func ParseOpenStartElement ¶
func ParseOpenStartElement(ctx *ParseContext, has_attr bool) bool
Called when a new XML tag is opened, e.g. "<EventData".
func ParseOptionalSubstitution ¶
func ParseOptionalSubstitution(ctx *ParseContext) bool
func ParseTemplateInstance ¶
func ParseTemplateInstance(ctx *ParseContext) bool
func ParseValueText ¶
func ParseValueText(ctx *ParseContext) bool
func ReadName ¶
func ReadName(ctx *ParseContext) string
func ReadPrefixedUnicodeString ¶
func ReadPrefixedUnicodeString(ctx *ParseContext, is_null_terminated bool) string
func ReadStructFromFile ¶
func ReadStructFromFile(fd io.ReadSeeker, offset int64, obj interface{}) error
func UTF16LEToUTF8 ¶
func UTF16LEToUTF8(data []byte) []byte
Types ¶
type Chunk ¶
// Chunk describes one chunk of an EVTX file: its header, where it sits
// in the input and the reader it is read from.
type Chunk struct {
	// Header is the parsed chunk header (ChunkHeader is declared elsewhere in this package).
	Header ChunkHeader
	// Offset is the chunk's offset; it has the same type as the offset
	// parameter of ReadStructFromFile and is presumably a position in Fd — confirm.
	Offset int64
	// Fd is the reader the chunk is read from.
	Fd io.ReadSeeker
}
type ChunkHeader ¶
type EVTXHeader ¶
type EventRecord ¶
// EventRecord is a single event record from an EVTX chunk.
type EventRecord struct {
	// Header is the record header (EventRecordHeader is declared elsewhere in this package).
	Header EventRecordHeader
	// Event holds the parsed event; presumably populated by Parse — confirm against its body.
	Event interface{}
}
func NewEventRecord ¶
func NewEventRecord(ctx *ParseContext, chunk *Chunk) (*EventRecord, error)
func (*EventRecord) Parse ¶
func (self *EventRecord) Parse(ctx *ParseContext)
type EventRecordHeader ¶
type ParseContext ¶
type ParseContext struct {
// contains filtered or unexported fields
}
func NewParseContext ¶
func NewParseContext(chunk *Chunk) *ParseContext
func (*ParseContext) ConsumeBytes ¶
func (self *ParseContext) ConsumeBytes(size int) []byte
func (*ParseContext) ConsumeUint16 ¶
func (self *ParseContext) ConsumeUint16() uint16
func (*ParseContext) ConsumeUint32 ¶
func (self *ParseContext) ConsumeUint32() uint32
func (*ParseContext) ConsumeUint64 ¶
func (self *ParseContext) ConsumeUint64() uint64
func (*ParseContext) ConsumeUint8 ¶
func (self *ParseContext) ConsumeUint8() uint8
func (ParseContext) Copy ¶
func (self ParseContext) Copy() *ParseContext
Copy returns a copy of the context. The copy can be used to continue parsing without disturbing the state of this parser context.
func (*ParseContext) CurrentKey ¶
func (self *ParseContext) CurrentKey() string
func (*ParseContext) CurrentTemplate ¶
func (self *ParseContext) CurrentTemplate() *TemplateNode
func (*ParseContext) GetTemplateByID ¶
func (self *ParseContext) GetTemplateByID(id int) (*TemplateNode, bool)
func (*ParseContext) NewTemplate ¶
func (self *ParseContext) NewTemplate(id int) *TemplateNode
func (*ParseContext) Offset ¶
func (self *ParseContext) Offset() int
func (*ParseContext) PopTemplate ¶
func (self *ParseContext) PopTemplate()
func (*ParseContext) PushTemplate ¶
func (self *ParseContext) PushTemplate(key string, template *TemplateNode)
func (*ParseContext) SetOffset ¶
func (self *ParseContext) SetOffset(offset int)
func (*ParseContext) SkipBytes ¶
func (self *ParseContext) SkipBytes(count int)
type TemplateNode ¶
// TemplateNode is one node of a BinXML template tree. A node is either a
// literal, a substitution placeholder, or a container of nested nodes; the
// Set* methods on the type populate the corresponding fields.
type TemplateNode struct {
	// Id and Type are the substitution identifier and value type recorded by
	// SetExpansion (its id and type_id arguments) — semantics of Type not shown here.
	Id   uint32
	Type uint32
	// Literal is the fixed value stored by SetLiteral.
	Literal interface{}
	// NestedArray and NestedDict hold child nodes added via SetNested;
	// which of the two is used for a given key is not visible from this page.
	NestedArray []*TemplateNode
	NestedDict  *ordereddict.Dict //map[string]*TemplateNode
	// CurrentKey is the key most recently used when building this node — presumably
	// the value returned by ParseContext.CurrentKey — confirm.
	CurrentKey string
}
func NewTemplate ¶
func NewTemplate(id int) *TemplateNode
func (*TemplateNode) Expand ¶
func (self *TemplateNode) Expand(args map[int]interface{}) interface{}
func (*TemplateNode) SetExpansion ¶
func (self *TemplateNode) SetExpansion(key string, id, type_id uint32)
func (*TemplateNode) SetLiteral ¶
func (self *TemplateNode) SetLiteral(key string, literal interface{})
func (*TemplateNode) SetNested ¶
func (self *TemplateNode) SetNested(key string, nested *TemplateNode)