views: format guids with { and } like in event viewer

Willi Ballenthin · Willi Ballenthin · commit 05cc4d0308e4 · 2016-09-06T12:50:43.000-04:00
diff --git a/Evtx/Nodes.py b/Evtx/Nodes.py
@@ -984,7 +984,7 @@ def fast_substitutions(self):
                 sub_def.append(base64.b64encode(self.unpack_binary(ofs, size)))
             #[15] = parse_guid_type_node,
             elif type_ == 0xF:
-                sub_def.append(self.unpack_guid(ofs))
+                sub_def.append('{' + self.unpack_guid(ofs) + '}')
             #[16] = parse_size_type_node,
             elif type_ == 0x10:
                 if size == 0x4:
@@ -1422,7 +1422,8 @@ def tag_length(self):
         return 16
 
     def string(self):
-        return "{{g}}".format(g=self.guid())
+        print('{' + self.guid() + '}')
+        return '{' + self.guid() + '}'
 
 
 class SizeTypeNode(VariantTypeNode):
diff --git a/Evtx/Views.py b/Evtx/Views.py
@@ -15,6 +15,8 @@
 #   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 #   See the License for the specific language governing permissions and
 #   limitations under the License.
+import string
+
 from .Nodes import RootNode
 from .Nodes import TemplateNode
 from .Nodes import EndOfStreamNode
@@ -61,9 +63,6 @@ def _make_template_xml_view(root_node, cache=None):
     if cache is None:
         cache = {}
 
-    def escape_format_chars(s):
-        return s.replace("{", "{{").replace("}", "}}")
-
     def rec(node, acc):
         if isinstance(node, EndOfStreamNode):
             pass  # intended
@@ -90,7 +89,7 @@ def rec(node, acc):
         elif isinstance(node, CloseElementNode):
             pass  # intended
         elif isinstance(node, ValueNode):
-            acc.append(escape_format_chars(node.children()[0].string()))
+            acc.append(to_xml_string(node.children()[0].string()))
         elif isinstance(node, AttributeNode):
             pass  # intended
         elif isinstance(node, CDataSectionNode):
@@ -134,6 +133,11 @@ def rec(node, acc):
     return "".join(acc)
 
 
+class SafeDict(dict):
+    def __missing__(self, key):
+        return '{' + key + '}'
+
+
 def _build_record_xml(record, cache=None):
     """
     Note, the cache should be local to the Evtx.Chunk.
@@ -145,21 +149,22 @@ def _build_record_xml(record, cache=None):
     """
     if cache is None:
         cache = {}
-
     def rec(root_node):
         f = _make_template_xml_view(root_node, cache=cache)
         subs_strs = []
         for sub in root_node.fast_substitutions():
             if isinstance(sub, str):
-                #subs_strs.append(to_xml_string(sub))
                 subs_strs.append(sub)
             elif isinstance(sub, RootNode):
                 subs_strs.append(rec(sub))
             elif sub is None:
                 subs_strs.append("")
             else:
                 subs_strs.append(str(sub))
-        return f.format(*subs_strs)
+
+        # maintain substrings like {foo} if foo= isn't a kwarg to format
+        # via: http://stackoverflow.com/a/17215533/87207
+        return string.Formatter().vformat(f, subs_strs, SafeDict())
     xml = rec(record.root())
     return xml
 
