williballenthin
diff --git a/‎scripts/evtx_dump.py‎
Lines changed: 11 additions & 22 deletions b/‎scripts/evtx_dump.py‎
Lines changed: 11 additions & 22 deletions
diff --git a/‎scripts/evtx_eid_record_numbers.py‎
Lines changed: 7 additions & 8 deletions b/‎scripts/evtx_eid_record_numbers.py‎
Lines changed: 7 additions & 8 deletions
diff --git a/‎scripts/evtx_extract_record.py‎
Lines changed: 3 additions & 5 deletions b/‎scripts/evtx_extract_record.py‎
Lines changed: 3 additions & 5 deletions
diff --git a/‎scripts/evtx_find_bugs.py‎
Lines changed: 0 additions & 45 deletions b/‎scripts/evtx_find_bugs.py‎
Lines changed: 0 additions & 45 deletions
diff --git a/‎scripts/evtx_get_pretty_record.py‎
Lines changed: 0 additions & 73 deletions b/‎scripts/evtx_get_pretty_record.py‎
Lines changed: 0 additions & 73 deletions
diff --git a/‎scripts/evtx_info.py‎
Lines changed: 74 additions & 75 deletions b/‎scripts/evtx_info.py‎
Lines changed: 74 additions & 75 deletions
@@ -17,37 +17,26 @@
 #   limitations under the License.
 #
 #   Version v0.1.1
-import mmap
-import contextlib
-
-import argparse
-
-from Evtx.Evtx import FileHeader
-from Evtx.Views import evtx_file_xml_view
-
-
-def ascii(s):
-    return s.encode('ascii', 'replace').decode('ascii')
+import Evtx.Evtx as evtx
+import Evtx.Views as e_views
 
 
 def main():
+    import argparse
+
     parser = argparse.ArgumentParser(
         description="Dump a binary EVTX file into XML.")
-    parser.add_argument("--cleanup", action="store_true",
-                        help="Cleanup unused XML entities (slower)"),
     parser.add_argument("evtx", type=str,
                         help="Path to the Windows EVTX event log file")
     args = parser.parse_args()
 
-    with open(args.evtx, 'r') as f:
-        with contextlib.closing(mmap.mmap(f.fileno(), 0,
-                                          access=mmap.ACCESS_READ)) as buf:
-            fh = FileHeader(buf, 0x0)
-            print("<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?>")
-            print("<Events>")
-            for xml, record in evtx_file_xml_view(fh):
-                print(ascii(xml))
-            print("</Events>")
+    with evtx.Evtx(args.evtx) as log:
+        print(e_views.XML_HEADER)
+        print("<Events>")
+        for record in log.records():
+            print(record.xml())
+        print("</Events>")
+
 
 if __name__ == "__main__":
     main()
@@ -1,11 +1,10 @@
 #!/usr/bin/env python
 
-from lxml.etree import XMLSyntaxError
-from Evtx.Evtx import Evtx
-from Evtx.Views import evtx_file_xml_view
+import lxml.etree
+
+import Evtx.Evtx as evtx
 
 from filter_records import get_child
-from filter_records import to_lxml
 
 
 def main():
@@ -20,11 +19,11 @@ def main():
                         help="The EID of records to extract")
     args = parser.parse_args()
 
-    with Evtx(args.evtx) as evtx:
-        for xml, record in evtx_file_xml_view(evtx.get_file_header()):
+    with evtx.Evtx(args.evtx) as log:
+        for record in log.records:
             try:
-                node = to_lxml(xml)
-            except XMLSyntaxError:
+                node = record.lxml()
+            except lxml.etree.XMLSyntaxError:
                 continue
             if args.eid != int(get_child(get_child(node, "System"), "EventID").text):
                 continue
 
@@ -17,9 +17,7 @@
 #   limitations under the License.
 #
 #   Version v.0.1
-import sys
-
-from Evtx.Evtx import Evtx
+import Evtx.Evtx as evtx
 
 
 def main():
@@ -33,8 +31,8 @@ def main():
                         help="The record number of the record to extract")
     args = parser.parse_args()
 
-    with Evtx(args.evtx) as evtx:
-        record = evtx.get_record(args.record)
+    with evtx.Evtx(args.evtx) as log:
+        record = log.get_record(args.record)
         if record is None:
             raise RuntimeError("Cannot find the record specified.")
         print(record.data())
 
@@ -17,94 +17,93 @@
 #   limitations under the License.
 #
 #   Version v0.1
+import Evtx.Evtx as evtx
 
 
-import sys
-import binascii
-import mmap
-import contextlib
-
-from Evtx.Evtx import FileHeader
+def main():
+    import argparse
+    parser = argparse.ArgumentParser(
+        description="Dump information about an EVTX file.")
+    parser.add_argument("evtx", type=str,
+                        help="Path to the Windows EVTX event log file")
+    args = parser.parse_args()
 
+    with evtx.Evtx(args.evtx) as log:
+        fh = log.get_file_header()
 
-def main():
-    with open(sys.argv[1], 'r') as f:
-        with contextlib.closing(mmap.mmap(f.fileno(), 0,
-                                          access=mmap.ACCESS_READ)) as buf:
-            fh = FileHeader(buf, 0x0)
+        print("Information from file header:")
+        print(("Format version  : %d.%d" % (fh.major_version(),
+                                            fh.minor_version())))
+        print(("Flags           : 0x%08x" % (fh.flags())))
+        dirty_string = "clean"
+        if fh.is_dirty():
+            dirty_string = "dirty"
+        print(("File is         : %s" % (dirty_string)))
+        full_string = "no"
+        if fh.is_full():
+            full_string = "yes"
+        print(("Log is full     : %s" % (full_string)))
+        print(("Current chunk   : %d of %d" % (fh.current_chunk_number(),
+                                               fh.chunk_count())))
+        print(("Oldest chunk    : %d" % (fh.oldest_chunk() + 1)))
+        print(("Next record#    : %d" % (fh.next_record_number())))
+        checksum_string = "fail"
+        if fh.calculate_checksum() == fh.checksum():
+            checksum_string = "pass"
+        print(("Check sum       : %s" % (checksum_string)))
+        print("")
 
-            print("Information from file header:")
-            print(("Format version  : %d.%d" % (fh.major_version(),
-                                               fh.minor_version())))
-            print(("Flags           : 0x%08x" % (fh.flags())))
-            dirty_string = "clean"
-            if fh.is_dirty():
-                dirty_string = "dirty"
-            print(("File is         : %s" % (dirty_string)))
-            full_string = "no"
-            if fh.is_full():
-                full_string = "yes"
-            print(("Log is full     : %s" % (full_string)))
-            print(("Current chunk   : %d of %d" % (fh.current_chunk_number(),
-                                                  fh.chunk_count())))
-            print(("Oldest chunk    : %d" % (fh.oldest_chunk() + 1)))
-            print(("Next record#    : %d" % (fh.next_record_number())))
-            checksum_string = "fail"
-            if fh.calculate_checksum() == fh.checksum():
-                checksum_string = "pass"
-            print(("Check sum       : %s" % (checksum_string)))
-            print("")
+        if fh.is_dirty():
+            chunk_count = sum([1 for c in fh.chunks() if c.verify()])
 
-            if fh.is_dirty():
-                chunk_count = sum([1 for c in fh.chunks() if c.verify()])
+            last_chunk = None
+            for chunk in fh.chunks():
+                if not chunk.verify():
+                    continue
+                last_chunk = chunk
+            next_record_num = last_chunk.log_last_record_number() + 1
 
-                last_chunk = None
-                for chunk in fh.chunks():
-                    if not chunk.verify():
-                        continue
-                    last_chunk = chunk
-                next_record_num = last_chunk.log_last_record_number() + 1
+            print("Suspected updated header values (header is dirty):")
+            print(("Current chunk   : %d of %d" % (chunk_count,
+                                                   chunk_count)))
+            print(("Next record#    : %d" % (next_record_num)))
+            print("")
 
-                print("Suspected updated header values (header is dirty):")
-                print(("Current chunk   : %d of %d" % (chunk_count,
-                                                      chunk_count)))
-                print(("Next record#    : %d" % (next_record_num)))
-                print("")
+        print("Information from chunks:")
+        print("  Chunk file (first/last)     log (first/last)      Header Data")
+        print("- ----- --------------------- --------------------- ------ ------")
+        for (i, chunk) in enumerate(fh.chunks(), 1):
+            note_string = " "
+            if i == fh.current_chunk_number() + 1:
+                note_string = "*"
+            elif i == fh.oldest_chunk() + 1:
+                note_string = ">"
 
-            print("Information from chunks:")
-            print("  Chunk file (first/last)     log (first/last)      Header Data")
-            print("- ----- --------------------- --------------------- ------ ------")
-            for (i, chunk) in enumerate(fh.chunks(), 1):
-                note_string = " "
-                if i == fh.current_chunk_number() + 1:
-                    note_string = "*"
-                elif i == fh.oldest_chunk() + 1:
-                    note_string = ">"
+            if not chunk.check_magic():
+                if chunk.magic() == "\x00\x00\x00\x00\x00\x00\x00\x00":
+                    print("%s  %4d     [EMPTY]" % (note_string, i))
+                else:
+                    print("%s  %4d   [INVALID]" % (note_string, i))
+                continue
 
-                if not chunk.check_magic():
-                    if chunk.magic() == "\x00\x00\x00\x00\x00\x00\x00\x00":
-                        print("%s  %4d     [EMPTY]" % (note_string, i))
-                    else:
-                        print("%s  %4d   [INVALID]" % (note_string, i))
-                    continue
+            header_checksum_string = "fail"
+            if chunk.calculate_header_checksum() == chunk.header_checksum():
+                header_checksum_string = "pass"
 
-                header_checksum_string = "fail"
-                if chunk.calculate_header_checksum() == chunk.header_checksum():
-                    header_checksum_string = "pass"
+            data_checksum_string = "fail"
+            if chunk.calculate_data_checksum() == chunk.data_checksum():
+                data_checksum_string = "pass"
 
-                data_checksum_string = "fail"
-                if chunk.calculate_data_checksum() == chunk.data_checksum():
-                    data_checksum_string = "pass"
+            print("%s  %4d   %8d  %8d    %8d  %8d   %s   %s" %
+                  (note_string,
+                   i,
+                   chunk.file_first_record_number(),
+                   chunk.file_last_record_number(),
+                   chunk.log_first_record_number(),
+                   chunk.log_last_record_number(),
+                   header_checksum_string,
+                   data_checksum_string))
 
-                print("%s  %4d   %8d  %8d    %8d  %8d   %s   %s" % \
-                    (note_string,
-                     i,
-                     chunk.file_first_record_number(),
-                     chunk.file_last_record_number(),
-                     chunk.log_first_record_number(),
-                     chunk.log_last_record_number(),
-                     header_checksum_string,
-                     data_checksum_string))
 
 if __name__ == "__main__":
     main()