evtx

package
Published: Jun 15, 2021 License: GPL-3.0 Imports: 20 Imported by: 11



Constants

// On-disk layout constants of the EVTX format.
const (
	// EventHeaderSize is the size in bytes of an EventHeader
	// (Magic [4]byte + Size int32 + ID int64 + Timestamp FileTime).
	EventHeaderSize = 24
	// EvtxMagic is the magic string expected at the start of the file header
	// (see FileHeader.Magic and ErrBadEvtxFile).
	EvtxMagic       = "ElfFile"

	// ChunkSize 64KB
	ChunkSize = 0x10000
	// ChunkHeaderSize size in bytes of a chunk header
	ChunkHeaderSize = 0x80
	// ChunkMagic magic string expected in ChunkHeader.Magic (see ErrBadChunkMagic)
	ChunkMagic = "ElfChnk\x00"

	// DefaultNameOffset is the sentinel used for a NameOffset that is not set.
	// NOTE(review): presumed from the -1 value — confirm against the parser.
	DefaultNameOffset = -1

	// EventMagic is the 4-byte marker expected in EventHeader.Magic.
	EventMagic = "\x2a\x2a\x00\x00"

	// MaxSliceSize is a constant used to control the allocation size of some
	// structures. It is particularly useful to limit side effects when carving:
	// a length read from untrusted data cannot drive an allocation larger than
	// one chunk.
	MaxSliceSize = ChunkSize
)
// BinXML token identifiers. Several tokens exist in two variants whose values
// differ only by the 0x40 bit (e.g. 0x01/0x41); what that bit signals is not
// documented here — NOTE(review): confirm against the BinXML parser.
const (
	TokenEOF                                             = 0x00
	TokenOpenStartElementTag1, TokenOpenStartElementTag2 = 0x01, 0x41 // (<)name>
	TokenCloseStartElementTag                            = 0x02       // <name(>)
	TokenCloseEmptyElementTag                            = 0x03       // <name(/>)
	TokenEndElementTag                                   = 0x04       // (</name>)
	TokenValue1, TokenValue2                             = 0x05, 0x45 // attribute = ‘‘(value)’’
	TokenAttribute1, TokenAttribute2                     = 0x06, 0x46 // (attribute) = ‘‘value’’
	TokenCDataSection1, TokenCDataSection2               = 0x07, 0x47
	TokenCharRef1, TokenCharRef2                         = 0x08, 0x48
	TokenEntityRef1, TokenEntityRef2                     = 0x09, 0x49
	TokenPITarget                                        = 0x0a
	TokenPIData                                          = 0x0b
	TokenTemplateInstance                                = 0x0c
	TokenNormalSubstitution                              = 0x0d
	TokenOptionalSubstitution                            = 0x0e
	FragmentHeaderToken                                  = 0x0f
)
// BinXML value type identifiers (presumably the values carried in
// ValueDescriptor.ValType and NormalSubstitution.ValType).
const (
	NullType       = 0x00
	StringType     = 0x01
	AnsiStringType = 0x02
	Int8Type       = 0x03
	UInt8Type      = 0x04
	Int16Type      = 0x05
	UInt16Type     = 0x06
	Int32Type      = 0x07
	UInt32Type     = 0x08
	Int64Type      = 0x09
	UInt64Type     = 0x0a
	Real32Type     = 0x0b
	Real64Type     = 0x0c
	BoolType       = 0x0d
	BinaryType     = 0x0e
	GuidType       = 0x0f
	SizeTType      = 0x10
	FileTimeType   = 0x11
	SysTimeType    = 0x12
	SidType        = 0x13
	HexInt32Type   = 0x14
	HexInt64Type   = 0x15
	EvtHandle      = 0x20
	BinXmlType     = 0x21
	EvtXml         = 0x23

	// ArrayType: the MSB of the value type (0x80) is used to indicate an array type.
	ArrayType = 0x80
)

Variables

// Errors related to the file header (see FileHeader.Verify, FileHeader.Repair
// and OpenDirty).
var (
	// ErrCorruptedHeader presumably reported when the file header fails verification
	ErrCorruptedHeader = fmt.Errorf("Corrupted header")
	// ErrDirtyFile reported when the file header carries the dirty flag
	ErrDirtyFile       = fmt.Errorf("File is flagged as dirty")
	// ErrRepairFailed reported when FileHeader.Repair cannot fix the header
	ErrRepairFailed    = fmt.Errorf("File header could not be repaired")
)
// Errors raised while parsing file, chunk and event structures.
var (
	// ErrInvalidEvent error definition
	ErrInvalidEvent = errors.New("Error Invalid Event")
	// ErrBadEvtxFile error definition (file magic does not match EvtxMagic)
	ErrBadEvtxFile = errors.New("Bad file magic")
	// ErrBadChunkMagic error definition (chunk magic does not match ChunkMagic)
	ErrBadChunkMagic = errors.New("Bad chunk magic")
	// ErrBadChunkSize error definition
	ErrBadChunkSize = errors.New("Bad chunk size")
	// ErrTokenEOF presumably signals that TokenEOF was met while parsing BinXML
	ErrTokenEOF     = errors.New("TokenEOF")
)
// Package-level settings; change them through the Set* functions below.
var (
	// Debug mode for parser
	Debug = false
	// ModeCarving flag to identify we run in carving mode
	ModeCarving = false
	// DefaultMonitorSleep default sleep time between two file update checks when
	// monitoring file
	DefaultMonitorSleep = 250 * time.Millisecond
	// MaxJobs controls the maximum jobs for some functions (MonitorEvents ...)
	// Half the CPU count, rounded down.
	// NOTE(review): evaluates to 0 on a single-CPU host — confirm consumers
	// handle a zero job count.
	MaxJobs = int(math.Floor(float64(runtime.NumCPU()) / 2))
)

////////////////////// Global Variables and their setters /////////////////////

// Pre-built GoEvtxPath values (see Path) for the event fields the package
// itself looks up, e.g. in Channel, EventID, EventRecordID, TimeCreated and UserID.
var (
	// Paths used by GoEvtxMap
	PathSeparator     = "/"
	XmlnsPath         = Path("/Event/xmlns")
	ChannelPath       = Path("/Event/System/Channel")
	EventIDPath       = Path("/Event/System/EventID")
	// EventIDPath2 is an alternative location of the EventID
	// (presumably when EventID is rendered as a map carrying attributes).
	EventIDPath2      = Path("/Event/System/EventID/Value")
	EventRecordIDPath = Path("/Event/System/EventRecordID")
	SystemTimePath    = Path("/Event/System/TimeCreated/SystemTime")
	UserIDPath        = Path("/Event/System/Security/UserID")
)
var (
	// Endianness used to decode EVTX structures (little-endian).
	Endianness = binary.LittleEndian
)
var (
	// UTF16EndOfString is the UTF-16 NUL code unit terminating a string.
	UTF16EndOfString = uint16(0x0)
)

Functions

func BackupSeeker

func BackupSeeker(seeker io.Seeker) int64

func DebugReader

func DebugReader(reader io.ReadSeeker, before, after int64)

func GoToSeeker

func GoToSeeker(seeker io.Seeker, offset int64)

func ReadSeekerSize

func ReadSeekerSize(reader io.ReadSeeker) int64

func RelGoToSeeker

func RelGoToSeeker(seeker io.Seeker, offset int64)

func SetDebug added in v1.2.5

func SetDebug(value bool)

SetDebug sets the variable enabling debugging at parser level.

func SetMaxJobs

func SetMaxJobs(jobs int)

SetMaxJobs sets the number of jobs for parsing

func SetModeCarving

func SetModeCarving(value bool)

SetModeCarving changes the carving mode to value

func SetMonitorSleep

func SetMonitorSleep(d time.Duration)

SetMonitorSleep sets the sleep time between two file update checks when monitoring file

func ToJSON

func ToJSON(data interface{}) []byte

func UpdateLastElements

func UpdateLastElements(e Element)

Types

type AnsiString

type AnsiString struct {
	Size uint16
	// contains filtered or unexported fields
}

func (*AnsiString) Parse

func (as *AnsiString) Parse(reader io.ReadSeeker) error

func (*AnsiString) Repr

func (as *AnsiString) Repr() interface{}

func (*AnsiString) String

func (as *AnsiString) String() string

func (*AnsiString) Value

func (as *AnsiString) Value() interface{}

type Attribute

// Attribute is a BinXML attribute: its name and the Element holding its data.
type Attribute struct {
	Token         int8
	NameOffset    int32 // relative to start of chunk
	Name          Name
	AttributeData Element
}

func (*Attribute) IsLast

func (a *Attribute) IsLast() bool

func (*Attribute) Parse

func (a *Attribute) Parse(reader io.ReadSeeker) error

type AttributeData

// AttributeData is implemented by the elements that may carry an attribute's data.
type AttributeData interface {
	// Can be:
	//   value text
	//   substitution
	//   character entity reference
	//   entity reference
	IsAttributeData() bool
	String() string
}

type AttributeList

// AttributeList is the list of attributes of an ElementStart.
type AttributeList struct {
	Size       int32       // parsed by ParseSize
	Attributes []Attribute // parsed by ParseAttributes
}

func (*AttributeList) Parse

func (al *AttributeList) Parse(reader io.ReadSeeker) error

func (*AttributeList) ParseAttributes

func (al *AttributeList) ParseAttributes(reader io.ReadSeeker) error

func (*AttributeList) ParseSize

func (al *AttributeList) ParseSize(reader io.ReadSeeker) error

type BinXMLCloseEmptyElementTag

// BinXMLCloseEmptyElementTag is the TokenCloseEmptyElementTag element (<name/>).
type BinXMLCloseEmptyElementTag struct {
	Token
}

type BinXMLCloseStartElementTag

// BinXMLCloseStartElementTag is the TokenCloseStartElementTag element (<name>).
type BinXMLCloseStartElementTag struct {
	Token
}

type BinXMLEOF

// BinXMLEOF is the TokenEOF element ending a BinXML stream.
type BinXMLEOF struct {
	Token int8
}

func (*BinXMLEOF) Parse

func (b *BinXMLEOF) Parse(reader io.ReadSeeker) error

type BinXMLEndElementTag

// BinXMLEndElementTag is the TokenEndElementTag element (</name>).
type BinXMLEndElementTag struct {
	//Token int8
	Token
}

type BinXMLEntityReference

// BinXMLEntityReference references a Name stored elsewhere in the chunk.
type BinXMLEntityReference struct {
	Token      int8
	NameOffset uint32 // presumably relative to start of chunk, as for Attribute.NameOffset
	Name       Name
}

BinXMLEntityReference implementation

func (*BinXMLEntityReference) Parse

func (e *BinXMLEntityReference) Parse(reader io.ReadSeeker) error

Parse implements Element

func (*BinXMLEntityReference) String

func (e *BinXMLEntityReference) String() string

type CDATASection

// CDATASection carries the text of a CDATA section.
type CDATASection struct {
	Token int8
	Text  UnicodeTextString
}

CDATASection : BinXmlCDATASection

type CharEntityRef

// CharEntityRef is a character entity reference (TokenCharRef1/2).
type CharEntityRef struct {
	Token int8
	Value int16
}

func (*CharEntityRef) Parse

func (cer *CharEntityRef) Parse(reader io.ReadSeeker) error

type Chunk

// Chunk is one 64KB chunk of an EVTX file together with the tables needed
// to decode the events it contains.
type Chunk struct {
	Offset        int64            // offset of the chunk in the file (see File.FetchChunk)
	Header        ChunkHeader      // filled by ParseChunkHeader
	StringTable   ChunkStringTable // filled by ParseStringTable
	TemplateTable TemplateTable    // filled by ParseTemplateTable
	EventOffsets  []int32          // filled by ParseEventOffsets; relative to Data
	Data          []byte           // raw chunk bytes; ParseEvent offsets index into it
}

Chunk structure definition

func NewChunk

func NewChunk() Chunk

NewChunk initializes and returns a new Chunk structure. return Chunk

func (*Chunk) Events

func (c *Chunk) Events() (cgem chan *GoEvtxMap)

Events returns a channel of *GoEvtxMap return (chan *GoEvtxMap)

func (Chunk) Less

func (c Chunk) Less(s *datastructs.Sortable) bool

Less implement datastructs.Sortable

func (*Chunk) ParseChunkHeader

func (c *Chunk) ParseChunkHeader(reader io.ReadSeeker)

ParseChunkHeader parses a chunk header at offset

func (*Chunk) ParseEvent

func (c *Chunk) ParseEvent(offset int64) (e Event)

ParseEvent parses an Event from the current chunk located at the relative offset in c.Data; it does not alter the current Chunk structure. @offset : offset to parse the Event at. return Event : parsed Event

func (*Chunk) ParseEventOffsets

func (c *Chunk) ParseEventOffsets(reader io.ReadSeeker) (err error)

ParseEventOffsets parses the offsets at which we can find the events and modifies the current Chunk object @reader : reader object to parse event offsets from

func (*Chunk) ParseStringTable

func (c *Chunk) ParseStringTable(reader io.ReadSeeker)

ParseStringTable parses the string table located at the current offset in the reader and modifies the chunk object. @reader : reader object to parse the string table from

func (*Chunk) ParseTemplateTable

func (c *Chunk) ParseTemplateTable(reader io.ReadSeeker) error

ParseTemplateTable parses the template table located at the current offset in the reader passed as parameter and modifies the current Chunk object. @reader : reader object to parse the template table from

func (Chunk) String

func (c Chunk) String() string

type ChunkCache

// ChunkCache is a set of chunks backed by datastructs.SyncedSet.
type ChunkCache struct {
	datastructs.SyncedSet
}

ChunkCache structure as a Set

type ChunkHeader

// ChunkHeader is the on-disk header of a Chunk; Validate checks it.
type ChunkHeader struct {
	Magic           [8]byte // expected to equal ChunkMagic (see ErrBadChunkMagic)
	NumFirstRecLog  int64
	NumLastRecLog   int64
	FirstEventRecID int64
	LastEventRecID  int64
	SizeHeader      int32
	OffsetLastRec   int32
	Freespace       int32
	CheckSum        uint32
}

ChunkHeader structure definition

func (ChunkHeader) String

func (ch ChunkHeader) String() string

func (*ChunkHeader) Validate

func (ch *ChunkHeader) Validate() error

Validate controls the validity of the chunk header

type ChunkSorter

type ChunkSorter []Chunk

ChunkSorter is a structure used to sort chunks before parsing the events inside, to prevent unordered events.

func (ChunkSorter) Len

func (cs ChunkSorter) Len() int

Implement Sortable interface

func (ChunkSorter) Less

func (cs ChunkSorter) Less(i, j int) bool

Implement Sortable interface

func (ChunkSorter) Swap

func (cs ChunkSorter) Swap(i, j int)

Implement Sortable interface

type ChunkString

// ChunkString is a Name stored in the chunk string table (see StringAt).
type ChunkString struct {
	Name
}

ChunkString is similar to BinXMLName

func StringAt

func StringAt(reader io.ReadSeeker, offset int64) (cs ChunkString, err error)

StringAt : utility function to get a ChunkString object at a given offset. @reader : reader containing a ChunkString struct at offset. @offset : offset at which the ChunkString is found. return ChunkString

type ChunkStringTable

type ChunkStringTable map[int32]ChunkString

ChunkStringTable definition

type Content

// Content is a marker interface with no methods.
type Content interface {
}

type ContentStringData

// ContentStringData is a marker interface with no methods.
type ContentStringData interface {
}

type Element

// Element is implemented by every BinXML structure that can be parsed from a reader.
type Element interface {
	Parse(reader io.ReadSeeker) error
}

func Parse

func Parse(reader io.ReadSeeker, c *Chunk, tiFlag bool) (Element, error)

Parse : parses an XMLElement from a reader object @reader : reader to parse the Element from @c : chunk pointer used for already parsed templates return (Element, error) : parsed XMLElement and error

func ParseValueReader

func ParseValueReader(vd ValueDescriptor, reader io.ReadSeeker) (Element, error)

ParseValueReader : parses a value from a reader according to a ValueDescriptor. @vd : a ValueDescriptor structure. @reader : the reader positioned at the offset of the value that has to be parsed. return (Element, error) : a XMLElement and error

type ElementStart

// ElementStart is the opening tag of a BinXML element, with its name and attributes.
type ElementStart struct {
	Offset             int64
	IsTemplateInstance bool
	Token              int8
	DepID              int16
	Size               int32
	NameOffset         int32 // relative to start of chunk
	Name               Name
	AttributeList      AttributeList
	EOESToken          uint8
}

ElementStart : BinXMLElementStart

func (*ElementStart) HasName

func (es *ElementStart) HasName() bool

func (*ElementStart) Parse

func (es *ElementStart) Parse(reader io.ReadSeeker) (err error)

func (ElementStart) String

func (es ElementStart) String() string

type EmptyElement

type EmptyElement struct{}

func (EmptyElement) Parse

func (EmptyElement) Parse(reader io.ReadSeeker) error

type EntityReference

// EntityReference is an entity reference (TokenEntityRef1/2) by name offset.
type EntityReference struct {
	Token            int8
	EntityNameOffset int32
}

EntityReference : BinXmlEntityReference

type ErrEvtxEltNotFound

type ErrEvtxEltNotFound struct {
	// contains filtered or unexported fields
}

func (*ErrEvtxEltNotFound) Error

func (e *ErrEvtxEltNotFound) Error() string

type ErrUnknownToken

// ErrUnknownToken is the error returned when a BinXML token is not recognized.
type ErrUnknownToken struct {
	Token uint8 // the unrecognized token value
}

func (ErrUnknownToken) Error

func (e ErrUnknownToken) Error() string

type Event

// Event is one event record of a Chunk (see Chunk.ParseEvent).
type Event struct {
	Offset int64 // For debugging purposes
	Header EventHeader
}

Event structure

func (Event) GoEvtxMap

func (e Event) GoEvtxMap(c *Chunk) (pge *GoEvtxMap, err error)

GoEvtxMap parses the BinXML inside the event and returns a pointer to a structure GoEvtxMap @c : chunk pointer used for template data already parsed return (*GoEvtxMap, error)

func (*Event) IsValid

func (e *Event) IsValid() bool

IsValid returns true if the Event is valid. TODO: find and replace, because we now have the Validate() method on the header.

func (Event) String

func (e Event) String() string

type EventHeader

// EventHeader is the on-disk header of an event record; its size is
// EventHeaderSize (24 bytes). Validate checks it.
type EventHeader struct {
	Magic     [4]byte // expected to equal EventMagic
	Size      int32
	ID        int64
	Timestamp FileTime
}

func (*EventHeader) Validate

func (h *EventHeader) Validate() error

Validate controls the EventHeader

type EventIDType

type EventIDType int64

EventIDType is an alias to the type of EventID

type File

// File is an opened EVTX file; create one with New, Open or OpenDirty.
// NOTE(review): New/Open return File by value although it embeds sync.Mutex
// (go vet copylocks) — confirm callers do not copy it after use.
type File struct {
	sync.Mutex // We need it if we want to parse (read) chunks in several threads
	Header     FileHeader // filled by ParseFileHeader
	// contains filtered or unexported fields
}

File structure definition

func New

func New(r io.ReadSeeker) (ef File, err error)

New returns an EvtxFile structure initialized from an open buffer. @r : buffer containing evtx data to parse. return File : File structure initialized

func Open

func Open(filepath string) (ef File, err error)

Open returns an EvtxFile structure initialized from a file. @filepath : path of the evtx file to parse. return File : File structure initialized

func OpenDirty added in v1.2.4

func OpenDirty(filepath string) (ef File, err error)

OpenDirty is a wrapper around Open to handle the case where the file opened has its dirty flag set

func (*File) Chunks

func (ef *File) Chunks() (cc chan Chunk)

Chunks returns a chan of all the Chunks found in the current file return (chan Chunk)

func (*File) Close

func (ef *File) Close() error

Close file

func (*File) Events

func (ef *File) Events() (cgem chan *GoEvtxMap)

Events returns a chan of pointers to all the GoEvtxMap found in the current file. This is a slow implementation; FastEvents should be preferred. return (chan *GoEvtxMap)

func (*File) FastEvents

func (ef *File) FastEvents() (cgem chan *GoEvtxMap)

FastEvents returns a chan of pointers to all the GoEvtxMap found in the current file. Same as the Events method but the fast version. return (chan *GoEvtxMap)

func (*File) FetchChunk

func (ef *File) FetchChunk(offset int64) (Chunk, error)

FetchChunk fetches a Chunk @offset : offset in the current file where to find the Chunk return Chunk : Chunk parsed

func (*File) FetchRawChunk

func (ef *File) FetchRawChunk(offset int64) (Chunk, error)

FetchRawChunk fetches a raw Chunk (without parsing String and Template tables) @offset : offset in the current file where to find the Chunk return Chunk : Chunk (raw) parsed

func (*File) MonitorEvents

func (ef *File) MonitorEvents(stop chan bool, sleep ...time.Duration) (cgem chan *GoEvtxMap)

MonitorEvents returns a chan of pointers to all the GoEvtxMap found in the File under monitoring. This is the fast version. @stop: a channel used to stop the monitoring if needed. return (chan *GoEvtxMap)

func (*File) ParseFileHeader

func (ef *File) ParseFileHeader()

ParseFileHeader parses the file header of the file structure and modifies the Header of the current structure.

func (*File) SetMonitorExisting

func (ef *File) SetMonitorExisting(value bool)

SetMonitorExisting sets monitorExisting flag of EvtxFile struct in order to return already existing events when using MonitorEvents

func (*File) UnorderedChunks

func (ef *File) UnorderedChunks() (cc chan Chunk)

UnorderedChunks returns a chan of all the Chunks found in the current file return (chan Chunk)

func (*File) UnorderedEvents

func (ef *File) UnorderedEvents() (cgem chan *GoEvtxMap)

UnorderedEvents returns a chan of pointers to all the GoEvtxMap found in the current file. Same as the FastEvents method but the order by time is not guaranteed. It can significantly improve performance for big files. return (chan *GoEvtxMap)

type FileHeader

// FileHeader is the on-disk EVTX file header, parsed by File.ParseFileHeader.
// Verify checks it; Repair tries to fix it when the file is flagged as dirty.
type FileHeader struct {
	Magic           [8]byte // expected to match EvtxMagic (see ErrBadEvtxFile)
	FirstChunkNum   uint64
	LastChunkNum    uint64
	NextRecordID    uint64
	HeaderSpace     uint32
	MinVersion      uint16
	MajVersion      uint16
	ChunkDataOffset uint16
	ChunkCount      uint16
	Unknown         [76]byte
	Flags           uint32 // presumably where the dirty flag lives (see ErrDirtyFile) — confirm bit
	CheckSum        uint32
}

FileHeader structure definition

func (*FileHeader) Repair added in v1.2.4

func (f *FileHeader) Repair(r io.ReadSeeker) error

Repair repairs the header. It makes sense to use this function whenever the file is flagged as dirty.

func (FileHeader) String

func (fh FileHeader) String() string

func (*FileHeader) Verify added in v1.2.4

func (f *FileHeader) Verify() error

type FileTime

// FileTime is a Windows FILETIME-style timestamp; see Convert and Time.
type FileTime struct {
	Nanoseconds int64
}

func (*FileTime) Convert

func (v *FileTime) Convert() (sec int64, nsec int64)

func (*FileTime) String

func (s *FileTime) String() string

func (*FileTime) Time

func (s *FileTime) Time() UTCTime

type Fragment

// Fragment is a BinXML fragment: its header followed by one root Element.
type Fragment struct {
	Offset        int64 // For debug
	Header        FragmentHeader
	BinXMLElement Element
}

func (*Fragment) GoEvtxMap

func (f *Fragment) GoEvtxMap() *GoEvtxMap

func (*Fragment) Parse

func (f *Fragment) Parse(reader io.ReadSeeker) error

func (Fragment) String

func (f Fragment) String() string

type FragmentHeader

// FragmentHeader is the 4-byte header starting a BinXML fragment (FragmentHeaderToken).
type FragmentHeader struct {
	Token      int8
	MajVersion int8
	MinVersion int8
	Flags      int8
}

FragmentHeader : BinXMLFragmentHeader

func (*FragmentHeader) Parse

func (fh *FragmentHeader) Parse(reader io.ReadSeeker) error

func (FragmentHeader) String

func (fh FragmentHeader) String() string

type GUID

type GUID [16]byte

func (*GUID) String

func (g *GUID) String() string

type GoEvtxElement

type GoEvtxElement interface{}

func ElementToGoEvtx

func ElementToGoEvtx(elt Element) GoEvtxElement

TODO: Not used

type GoEvtxMap

type GoEvtxMap map[string]interface{}

func (*GoEvtxMap) Add

func (pg *GoEvtxMap) Add(other GoEvtxMap)

Add : concatenates two GoEvtxMap together. @other: other map to concatenate with

func (*GoEvtxMap) After

func (pg *GoEvtxMap) After(t time.Time) bool

func (*GoEvtxMap) AnyEqual

func (pg *GoEvtxMap) AnyEqual(path *GoEvtxPath, is []interface{}) bool

AnyEqual returns true if the element at path is equal to any of the given objects. @path : path at which the GoEvtxElement is located. @is : slice of interfaces to test equality with. return bool : true if equality is verified

func (*GoEvtxMap) At

func (pg *GoEvtxMap) At(t time.Time) bool

func (*GoEvtxMap) Before

func (pg *GoEvtxMap) Before(t time.Time) bool

func (*GoEvtxMap) Between

func (pg *GoEvtxMap) Between(t1, t2 time.Time) bool

func (*GoEvtxMap) Channel

func (pg *GoEvtxMap) Channel() string

Channel returns the Channel attribute of the event return string : Channel attribute

func (*GoEvtxMap) Del

func (pg *GoEvtxMap) Del(path *GoEvtxPath)

Del deletes the object referenced by path

func (*GoEvtxMap) DelXmlns

func (pg *GoEvtxMap) DelXmlns()

DelXmlns : utility function to delete the useless xmlns entry found in every GoEvtxMap

func (*GoEvtxMap) Equal

func (pg *GoEvtxMap) Equal(path *GoEvtxPath, i interface{}) bool

Equal returns true if the element at path is equal to i. @path : path at which the GoEvtxElement is located. @i : interface to test equality with. return bool : true if equality is verified

func (*GoEvtxMap) EventID

func (pg *GoEvtxMap) EventID() int64

EventID returns the EventID of the Event as a int64 return int64 : EventID

func (*GoEvtxMap) EventRecordID

func (pg *GoEvtxMap) EventRecordID() int64

EventRecordID returns the EventRecordID of the event. It panics if the attribute is not found in the event.

func (*GoEvtxMap) Get

func (pg *GoEvtxMap) Get(path *GoEvtxPath) (*GoEvtxElement, error)

Get performs a recursive search in a GoEvtxMap according to a given path. @path : path to search for. return *GoEvtxElement, error : pointer to the element found at path

func (*GoEvtxMap) GetBool

func (pg *GoEvtxMap) GetBool(path *GoEvtxPath) (bool, error)

GetBool returns the GoEvtxElement at path as a bool @path : path to search for return (bool, error)

func (*GoEvtxMap) GetBoolStrict

func (pg *GoEvtxMap) GetBoolStrict(path *GoEvtxPath) bool

func (*GoEvtxMap) GetInt

func (pg *GoEvtxMap) GetInt(path *GoEvtxPath) (int64, error)

GetInt returns the GoEvtxElement at path as a int64 @path : path to search for return int64, error

func (*GoEvtxMap) GetIntStrict

func (pg *GoEvtxMap) GetIntStrict(path *GoEvtxPath) int64

func (*GoEvtxMap) GetMap

func (pg *GoEvtxMap) GetMap(path *GoEvtxPath) (*GoEvtxMap, error)

GetMap : Get the full map containing the path @path : path to search for

func (*GoEvtxMap) GetMapStrict

func (pg *GoEvtxMap) GetMapStrict(path *GoEvtxPath) *GoEvtxMap

func (*GoEvtxMap) GetMapWhere

func (pg *GoEvtxMap) GetMapWhere(path *GoEvtxPath, value interface{}) (*GoEvtxMap, error)

func (*GoEvtxMap) GetMapWhereStrict

func (pg *GoEvtxMap) GetMapWhereStrict(path *GoEvtxPath, value interface{}) *GoEvtxMap

func (*GoEvtxMap) GetStrict

func (pg *GoEvtxMap) GetStrict(path *GoEvtxPath) *GoEvtxElement

func (*GoEvtxMap) GetString

func (pg *GoEvtxMap) GetString(path *GoEvtxPath) (string, error)

GetString returns the GoEvtxElement at path as a string. @path : path to search for. return string, error

func (*GoEvtxMap) GetStringStrict

func (pg *GoEvtxMap) GetStringStrict(path *GoEvtxPath) string

func (*GoEvtxMap) GetTime

func (pg *GoEvtxMap) GetTime(path *GoEvtxPath) (time.Time, error)

GetTime returns the GoEvtxElement at path as a Time struct. @path : path to search for. return Time

func (*GoEvtxMap) GetTimeStrict

func (pg *GoEvtxMap) GetTimeStrict(path *GoEvtxPath) time.Time

func (*GoEvtxMap) GetUint

func (pg *GoEvtxMap) GetUint(path *GoEvtxPath) (uint64, error)

GetUint returns the GoEvtxElement at path as a uint64. @path : path to search for. return uint64

func (*GoEvtxMap) GetUintStrict

func (pg *GoEvtxMap) GetUintStrict(path *GoEvtxPath) uint64

func (*GoEvtxMap) HasKeys

func (pg *GoEvtxMap) HasKeys(keys ...string) bool

HasKeys : determines whether this map is in a key value form return bool

func (*GoEvtxMap) IsEventID

func (pg *GoEvtxMap) IsEventID(eids ...interface{}) bool

IsEventID returns true if the EventID of pg is one of the EventID numbers specified as parameters. @eids : EventID numbers to test against. return bool

func (*GoEvtxMap) RegexMatch

func (pg *GoEvtxMap) RegexMatch(path *GoEvtxPath, pattern *regexp.Regexp) bool

RegexMatch returns true if the GoEvtxElement located at path matches a regexp. @path : path at which the GoEvtxElement is located. @pattern : regexp to test. return bool

func (*GoEvtxMap) Set

func (pg *GoEvtxMap) Set(path *GoEvtxPath, new GoEvtxElement) error

Set sets a new GoEvtxElement at path @path... : path to look for @new : new value return error if any

func (*GoEvtxMap) TimeCreated

func (pg *GoEvtxMap) TimeCreated() time.Time

TimeCreated returns the creation time of the event. It panics if the attribute is not in the event

func (*GoEvtxMap) UserID

func (pg *GoEvtxMap) UserID() (userID string, ok bool)

UserID retrieves the UserID attribute located at /Event/System/Security/UserID if present. If not present the ok flag will be false

type GoEvtxPath

type GoEvtxPath []string

func Path

func Path(s string) GoEvtxPath

Path : helper function that converts a path string to a table of strings @s : path string, has to be in form of /correct/path/string with (correct, path, string) being keys to look for recursively

func (GoEvtxPath) String

func (p GoEvtxPath) String() string

type Name

// Name is a BinXML name (UTF-16 string with hash and size) as found in the chunk string table.
type Name struct {
	OffsetPrevString int32
	Hash             uint16
	Size             uint16
	UTF16String      UTF16String
}

Name : same as ChunkString

func (*Name) Parse

func (n *Name) Parse(reader io.ReadSeeker) error

Parse Element implementation

func (*Name) String

func (n *Name) String() string

type Node

// Node is one element of the tree built by NodeTree from a flat list of Elements.
type Node struct {
	Start   *ElementStart // the opening tag of this node
	Element []Element     // elements belonging to this node
	Child   []*Node       // nested nodes
}

func NodeTree

func NodeTree(es []Element, index int) (Node, int)

type NormalSubstitution

// NormalSubstitution is a template substitution placeholder (TokenNormalSubstitution).
type NormalSubstitution struct {
	Token   int8
	SubID   int16 // presumably an index into TemplateInstanceData.Values — confirm
	ValType int8
}

NormalSubstitution : BinXmlNormalSubstitution

func (*NormalSubstitution) IsAttributeData

func (n *NormalSubstitution) IsAttributeData() bool

func (*NormalSubstitution) Parse

func (n *NormalSubstitution) Parse(reader io.ReadSeeker) error

func (*NormalSubstitution) String

func (n *NormalSubstitution) String() string

type OptionalSubstitution

// OptionalSubstitution is a NormalSubstitution tagged with TokenOptionalSubstitution.
type OptionalSubstitution struct {
	NormalSubstitution
}

type PI

// PI is a marker interface with no methods.
type PI interface {
}

type PIData

// PIData holds the data part of a processing instruction (TokenPIData).
type PIData struct {
	Token int8
	Text  UnicodeTextString
}

PIData : BinXmlPIData

type PITarget

// PITarget holds the target part of a processing instruction (TokenPITarget).
type PITarget struct {
	Token      int8
	NameOffset int32 // relative to start of chunk
}

PITarget : BinXmlPITarget

type Sid

// Sid is a Windows security identifier as stored in a SidType value.
type Sid struct {
	Revision            uint8
	SubAuthorityCount   uint8
	IdentifierAuthority [6]uint8
	SubAuthority        []uint32 // presumably SubAuthorityCount entries — confirm the parser bounds it
}

type Substitution

// Substitution is a marker interface with no methods.
type Substitution interface {
}

type SysTime

// SysTime is a broken-down timestamp as stored in a SysTimeType value.
type SysTime struct {
	Year         int16
	Month        int16
	DayOfWeek    int16
	DayOfMonth   int16
	Hours        int16
	Minutes      int16
	Seconds      int16
	Milliseconds int16
}

func (*SysTime) String

func (s *SysTime) String() string

type TemplateDefinition

// TemplateDefinition is a BinXML template: its header followed by its data.
type TemplateDefinition struct {
	Header TemplateDefinitionHeader
	Data   TemplateDefinitionData
}

func (*TemplateDefinition) Parse

func (td *TemplateDefinition) Parse(reader io.ReadSeeker) error

func (TemplateDefinition) String

func (td TemplateDefinition) String() string

type TemplateDefinitionData

// TemplateDefinitionData is the body of a template definition; it is what a
// TemplateTable stores per template.
type TemplateDefinitionData struct {
	Unknown3   int32
	ID         [16]byte // template identifier (GUID-sized)
	Size       int32
	FragHeader FragmentHeader
	Elements   []Element
	EOFToken   int8
}

func (*TemplateDefinitionData) Parse

func (td *TemplateDefinitionData) Parse(reader io.ReadSeeker) error

type TemplateDefinitionHeader

// TemplateDefinitionHeader precedes a template definition and locates its data.
type TemplateDefinitionHeader struct {
	Unknown1   int8
	Unknown2   int32
	DataOffset int32 // see TemplateInstance.DataOffset
}

func (*TemplateDefinitionHeader) Parse

func (tdh *TemplateDefinitionHeader) Parse(reader io.ReadSeeker) error

type TemplateInstance

// TemplateInstance is a template definition together with the values substituted into it.
type TemplateInstance struct {
	Token      int8
	Definition TemplateDefinition
	Data       TemplateInstanceData
}

TemplateInstance : BinXmlTemplateInstance

func (*TemplateInstance) DataOffset

func (ti *TemplateInstance) DataOffset(reader io.ReadSeeker) (offset int32, err error)

func (*TemplateInstance) ElementToGoEvtx

func (ti *TemplateInstance) ElementToGoEvtx(elt Element) GoEvtxElement

func (*TemplateInstance) GoEvtxMap

func (ti *TemplateInstance) GoEvtxMap() *GoEvtxMap

func (*TemplateInstance) NodeToGoEvtx

func (ti *TemplateInstance) NodeToGoEvtx(n *Node) GoEvtxMap

func (*TemplateInstance) Parse

func (ti *TemplateInstance) Parse(reader io.ReadSeeker) error

func (*TemplateInstance) ParseTemplateDefinitionHeader

func (ti *TemplateInstance) ParseTemplateDefinitionHeader(reader io.ReadSeeker) error

func (*TemplateInstance) Root

func (ti *TemplateInstance) Root() Node

func (TemplateInstance) String

func (ti TemplateInstance) String() string

type TemplateInstanceData

// TemplateInstanceData holds the substitution values of a TemplateInstance.
type TemplateInstanceData struct {
	NumValues    int32             // number of values (read from untrusted data — see MaxSliceSize)
	ValDescs     []ValueDescriptor // one descriptor per value
	Values       []Element         // parsed values
	ValueOffsets []int32
}

TemplateInstanceData structure

func (*TemplateInstanceData) Parse

func (tid *TemplateInstanceData) Parse(reader io.ReadSeeker) error

Parse Element implementation

type TemplateTable

type TemplateTable map[int32]TemplateDefinitionData

TemplateTable definition

type Token

// Token is a single-byte BinXML token, embedded by the tag elements.
type Token struct {
	Token int8
}

func (*Token) Parse

func (t *Token) Parse(reader io.ReadSeeker) error

type UTCTime

type UTCTime time.Time

UTCTime structure definition

func (UTCTime) MarshalJSON

func (u UTCTime) MarshalJSON() ([]byte, error)

MarshalJSON implements JSON serialization

type UTF16

type UTF16 uint16

////////////////////////////// UTF16String /////////////////////////////////// NB: we keep these structures for compatibility with parts of the code

type UTF16String

type UTF16String []uint16

func (*UTF16String) Len

func (us *UTF16String) Len() int32

func (UTF16String) ToString

func (us UTF16String) ToString() string

type UnicodeTextString

// UnicodeTextString is a length-prefixed UTF-16 string without terminator.
type UnicodeTextString struct {
	Size   int16       // Number of UTF-16 characters; byte length is twice this (see GetSize)
	String UTF16String // UTF-16 little-endian string without an end-of-string character
}

func (*UnicodeTextString) GetSize

func (uts *UnicodeTextString) GetSize() int32

func (*UnicodeTextString) Parse

func (uts *UnicodeTextString) Parse(reader io.ReadSeeker) error

type UnkVal

// UnkVal stands in for a value whose type is not handled.
type UnkVal struct {
	Offset int64
	Token  ValueType
	Desc   ValueDescriptor
}

func (*UnkVal) Parse

func (*UnkVal) Parse(reader io.ReadSeeker) error

func (*UnkVal) Repr

func (u *UnkVal) Repr() interface{}

func (*UnkVal) String

func (u *UnkVal) String() string

func (*UnkVal) Value

func (u *UnkVal) Value() interface{}

type Value

// Value is implemented by every parsed BinXML value type (ValueInt32, ValueGUID, ...).
type Value interface {
	// Repr is the way it is represented in GoEvtx
	Repr() interface{}
	// Value is the native Go value
	Value() interface{}
	// String is the textual rendering
	String() string
}

type ValueArrayUInt16

type ValueArrayUInt16 struct {
	Size uint16
	// contains filtered or unexported fields
}

func (*ValueArrayUInt16) Parse

func (a *ValueArrayUInt16) Parse(reader io.ReadSeeker) error

func (*ValueArrayUInt16) Repr

func (a *ValueArrayUInt16) Repr() interface{}

func (*ValueArrayUInt16) String

func (a *ValueArrayUInt16) String() string

func (*ValueArrayUInt16) Value

func (a *ValueArrayUInt16) Value() interface{}

type ValueArrayUInt64

type ValueArrayUInt64 struct {
	Size uint16
	// contains filtered or unexported fields
}

func (*ValueArrayUInt64) Parse

func (a *ValueArrayUInt64) Parse(reader io.ReadSeeker) error

func (*ValueArrayUInt64) Repr

func (a *ValueArrayUInt64) Repr() interface{}

func (*ValueArrayUInt64) String

func (a *ValueArrayUInt64) String() string

func (*ValueArrayUInt64) Value

func (a *ValueArrayUInt64) Value() interface{}

type ValueBinary

type ValueBinary struct {
	Size uint16
	// contains filtered or unexported fields
}

func (*ValueBinary) Parse

func (b *ValueBinary) Parse(reader io.ReadSeeker) error

func (*ValueBinary) Repr

func (b *ValueBinary) Repr() interface{}

func (*ValueBinary) String

func (b *ValueBinary) String() string

func (*ValueBinary) Value

func (b *ValueBinary) Value() interface{}

type ValueBool

// ValueBool is a BoolType value stored as a 32-bit integer.
type ValueBool struct {
	ValueInt32
}

func (*ValueBool) Repr

func (b *ValueBool) Repr() interface{}

func (*ValueBool) String

func (b *ValueBool) String() string

func (*ValueBool) Value

func (b *ValueBool) Value() interface{}

type ValueData

type ValueData []byte

The value data depends on the value type

type ValueDescriptor

// ValueDescriptor describes one substitution value (see ParseValueReader).
type ValueDescriptor struct {
	Size    uint16    // size of the value data — presumably in bytes; confirm
	ValType ValueType // one of the *Type constants, possibly OR'd with ArrayType
	Unknown int8      // 0x00
}

func (ValueDescriptor) String

func (v ValueDescriptor) String() string

type ValueFileTime

type ValueFileTime struct {
	// contains filtered or unexported fields
}

func (*ValueFileTime) Parse

func (s *ValueFileTime) Parse(reader io.ReadSeeker) error

func (*ValueFileTime) Repr

func (s *ValueFileTime) Repr() interface{}

func (*ValueFileTime) String

func (s *ValueFileTime) String() string

func (*ValueFileTime) Value

func (s *ValueFileTime) Value() interface{}

type ValueGUID

type ValueGUID struct {
	// contains filtered or unexported fields
}

func (*ValueGUID) Parse

func (g *ValueGUID) Parse(reader io.ReadSeeker) error

func (*ValueGUID) Repr

func (g *ValueGUID) Repr() interface{}

func (*ValueGUID) String

func (g *ValueGUID) String() string

func (*ValueGUID) Value

func (g *ValueGUID) Value() interface{}

type ValueHexInt32

type ValueHexInt32 struct {
	ValueUInt32
}

func (*ValueHexInt32) Repr

func (i *ValueHexInt32) Repr() interface{}

func (*ValueHexInt32) String

func (i *ValueHexInt32) String() string

func (*ValueHexInt32) Value

func (i *ValueHexInt32) Value() interface{}

type ValueHexInt64

type ValueHexInt64 struct {
	ValueUInt64
}

Display-only wrapper, so that the value is not printed in fmt's unsigned format.

func (*ValueHexInt64) Repr

func (i *ValueHexInt64) Repr() interface{}

func (*ValueHexInt64) String

func (i *ValueHexInt64) String() string

func (*ValueHexInt64) Value

func (i *ValueHexInt64) Value() interface{}

type ValueInt16

type ValueInt16 struct {
	// contains filtered or unexported fields
}

func (*ValueInt16) Parse

func (i *ValueInt16) Parse(reader io.ReadSeeker) error

func (*ValueInt16) Repr

func (i *ValueInt16) Repr() interface{}

func (*ValueInt16) String

func (i *ValueInt16) String() string

func (*ValueInt16) Value

func (i *ValueInt16) Value() interface{}

type ValueInt32

type ValueInt32 struct {
	// contains filtered or unexported fields
}

func (*ValueInt32) Parse

func (i *ValueInt32) Parse(reader io.ReadSeeker) error

func (*ValueInt32) Repr

func (i *ValueInt32) Repr() interface{}

func (*ValueInt32) String

func (i *ValueInt32) String() string

func (*ValueInt32) Value

func (i *ValueInt32) Value() interface{}

type ValueInt64

type ValueInt64 struct {
	// contains filtered or unexported fields
}

func (*ValueInt64) Parse

func (i *ValueInt64) Parse(reader io.ReadSeeker) error

func (*ValueInt64) Repr

func (i *ValueInt64) Repr() interface{}

func (*ValueInt64) String

func (i *ValueInt64) String() string

func (*ValueInt64) Value

func (i *ValueInt64) Value() interface{}

type ValueInt8

type ValueInt8 struct {
	// contains filtered or unexported fields
}

func (*ValueInt8) Parse

func (i *ValueInt8) Parse(reader io.ReadSeeker) error

func (*ValueInt8) Repr

func (i *ValueInt8) Repr() interface{}

func (*ValueInt8) String

func (i *ValueInt8) String() string

func (*ValueInt8) Value

func (i *ValueInt8) Value() interface{}

type ValueNull

type ValueNull struct {
	Size uint16
}

func (*ValueNull) Parse

func (n *ValueNull) Parse(reader io.ReadSeeker) error

func (ValueNull) Repr

func (ValueNull) Repr() interface{}

func (ValueNull) String

func (ValueNull) String() string

func (ValueNull) Value

func (ValueNull) Value() interface{}

type ValueReal32

type ValueReal32 struct {
	// contains filtered or unexported fields
}

func (*ValueReal32) Parse

func (v *ValueReal32) Parse(reader io.ReadSeeker) error

func (*ValueReal32) Repr

func (v *ValueReal32) Repr() interface{}

func (*ValueReal32) String

func (v *ValueReal32) String() string

func (*ValueReal32) Value

func (v *ValueReal32) Value() interface{}

type ValueReal64

type ValueReal64 struct {
	// contains filtered or unexported fields
}

func (*ValueReal64) Parse

func (v *ValueReal64) Parse(reader io.ReadSeeker) error

func (*ValueReal64) Repr

func (v *ValueReal64) Repr() interface{}

func (*ValueReal64) String

func (v *ValueReal64) String() string

func (*ValueReal64) Value

func (v *ValueReal64) Value() interface{}

type ValueSID

type ValueSID struct {
	// contains filtered or unexported fields
}

func (*ValueSID) Parse

func (g *ValueSID) Parse(reader io.ReadSeeker) error

func (*ValueSID) Repr

func (g *ValueSID) Repr() interface{}

func (*ValueSID) String

func (g *ValueSID) String() string

func (*ValueSID) Value

func (g *ValueSID) Value() interface{}

type ValueString

type ValueString struct {
	Size uint16
	// contains filtered or unexported fields
}

func (*ValueString) Parse

func (s *ValueString) Parse(reader io.ReadSeeker) error

func (*ValueString) Repr

func (s *ValueString) Repr() interface{}

func (*ValueString) String

func (s *ValueString) String() string

func (*ValueString) Value

func (s *ValueString) Value() interface{}

type ValueStringTable

type ValueStringTable struct {
	Size uint16
	// contains filtered or unexported fields
}

func (*ValueStringTable) Bytes

func (st *ValueStringTable) Bytes() []byte

func (*ValueStringTable) Parse

func (st *ValueStringTable) Parse(reader io.ReadSeeker) error

func (*ValueStringTable) Repr

func (st *ValueStringTable) Repr() interface{}

func (*ValueStringTable) String

func (st *ValueStringTable) String() string

func (*ValueStringTable) Value

func (st *ValueStringTable) Value() interface{}

type ValueSysTime

type ValueSysTime struct {
	// contains filtered or unexported fields
}

func (*ValueSysTime) Parse

func (s *ValueSysTime) Parse(reader io.ReadSeeker) error

func (*ValueSysTime) Repr

func (s *ValueSysTime) Repr() interface{}

func (*ValueSysTime) String

func (s *ValueSysTime) String() string

func (*ValueSysTime) Time

func (s *ValueSysTime) Time() UTCTime

func (*ValueSysTime) Value

func (s *ValueSysTime) Value() interface{}

type ValueText

type ValueText struct {
	Token   int8
	ValType int8
	Value   UnicodeTextString // UnicodeTextString
}

func (*ValueText) IsAttributeData

func (vt *ValueText) IsAttributeData() bool

func (*ValueText) Parse

func (vt *ValueText) Parse(reader io.ReadSeeker) error

func (*ValueText) String

func (vt *ValueText) String() string

type ValueType

type ValueType uint8

func (*ValueType) IsArray

func (v *ValueType) IsArray() bool

func (*ValueType) IsArrayOf

func (v *ValueType) IsArrayOf(tvt ValueType) bool

func (*ValueType) IsType

func (v *ValueType) IsType(tvt ValueType) bool

type ValueUInt16

type ValueUInt16 struct {
	// contains filtered or unexported fields
}

func (*ValueUInt16) Parse

func (u *ValueUInt16) Parse(reader io.ReadSeeker) error

func (*ValueUInt16) Repr

func (u *ValueUInt16) Repr() interface{}

func (*ValueUInt16) String

func (u *ValueUInt16) String() string

func (*ValueUInt16) Value

func (u *ValueUInt16) Value() interface{}

type ValueUInt32

type ValueUInt32 struct {
	// contains filtered or unexported fields
}

func (*ValueUInt32) Parse

func (u *ValueUInt32) Parse(reader io.ReadSeeker) error

func (*ValueUInt32) Repr

func (u *ValueUInt32) Repr() interface{}

func (*ValueUInt32) String

func (u *ValueUInt32) String() string

func (*ValueUInt32) Value

func (u *ValueUInt32) Value() interface{}

type ValueUInt64

type ValueUInt64 struct {
	// contains filtered or unexported fields
}

func (*ValueUInt64) Parse

func (u *ValueUInt64) Parse(reader io.ReadSeeker) error

func (*ValueUInt64) Repr

func (u *ValueUInt64) Repr() interface{}

func (*ValueUInt64) String

func (u *ValueUInt64) String() string

func (*ValueUInt64) Value

func (u *ValueUInt64) Value() interface{}

type ValueUInt8

type ValueUInt8 struct {
	// contains filtered or unexported fields
}

func (*ValueUInt8) Parse

func (u *ValueUInt8) Parse(reader io.ReadSeeker) error

func (*ValueUInt8) Repr

func (u *ValueUInt8) Repr() interface{}

func (*ValueUInt8) String

func (u *ValueUInt8) String() string

func (*ValueUInt8) Value

func (u *ValueUInt8) Value() interface{}
