
Commit 1fb9281

scripts: cleanup code, imports, formatting, pep8, etc
1 parent 84a03b3 commit 1fb9281

10 files changed

Lines changed: 134 additions & 278 deletions

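--- a/scripts/evtx_dump.py
+++ b/scripts/evtx_dump.py
@@ -17,37 +17,26 @@
 # limitations under the License.
 #
 # Version v0.1.1
-import mmap
-import contextlib
-
-import argparse
-
-from Evtx.Evtx import FileHeader
-from Evtx.Views import evtx_file_xml_view
-
-
-def ascii(s):
-    return s.encode('ascii', 'replace').decode('ascii')
+import Evtx.Evtx as evtx
+import Evtx.Views as e_views
 
 
 def main():
+    import argparse
+
     parser = argparse.ArgumentParser(
         description="Dump a binary EVTX file into XML.")
-    parser.add_argument("--cleanup", action="store_true",
-                        help="Cleanup unused XML entities (slower)"),
     parser.add_argument("evtx", type=str,
                         help="Path to the Windows EVTX event log file")
     args = parser.parse_args()
 
-    with open(args.evtx, 'r') as f:
-        with contextlib.closing(mmap.mmap(f.fileno(), 0,
-                                          access=mmap.ACCESS_READ)) as buf:
-            fh = FileHeader(buf, 0x0)
-            print("<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?>")
-            print("<Events>")
-            for xml, record in evtx_file_xml_view(fh):
-                print(ascii(xml))
-            print("</Events>")
+    with evtx.Evtx(args.evtx) as log:
+        print(e_views.XML_HEADER)
+        print("<Events>")
+        for record in log.records():
+            print(record.xml())
+        print("</Events>")
+
 
 
 if __name__ == "__main__":
     main()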
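Review bot: `print(record.xml())` now writes each record through whatever encoding sys.stdout happens to use, whereas the removed `ascii()` helper forced every record through an ASCII encode-with-replace; on a console that is not UTF-8, a record containing non-ASCII event text raises UnicodeEncodeError part-way through `<Events>` and leaves a truncated, unclosed document. If `record.xml()` returns str (not visible here), the minimal fix is to emit bytes explicitly, e.g. `sys.stdout.buffer.write(record.xml().encode("utf-8") + b"\n")` with a module-level `import sys`, which also keeps the output consistent with the declared header encoding (the value of `e_views.XML_HEADER` cannot be seen in this commit, so that match is unconfirmed). A single record that fails to render also propagates out of the loop and aborts the dump, while evtx_eid_record_numbers.py in the same commit skips unparseable records per-record; a narrow try/except around `record.xml()` that logs the record and continues would keep this tool usable on damaged logs.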

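--- a/scripts/evtx_eid_record_numbers.py
+++ b/scripts/evtx_eid_record_numbers.py
@@ -1,11 +1,10 @@
 #!/usr/bin/env python
 
-from lxml.etree import XMLSyntaxError
-from Evtx.Evtx import Evtx
-from Evtx.Views import evtx_file_xml_view
+import lxml.etree
+
+import Evtx.Evtx as evtx
 
 from filter_records import get_child
-from filter_records import to_lxml
 
 
 def main():
@@ -20,11 +19,11 @@ def main():
                         help="The EID of records to extract")
     args = parser.parse_args()
 
-    with Evtx(args.evtx) as evtx:
-        for xml, record in evtx_file_xml_view(evtx.get_file_header()):
+    with evtx.Evtx(args.evtx) as log:
+        for record in log.records:
             try:
-                node = to_lxml(xml)
-            except XMLSyntaxError:
+                node = record.lxml()
+            except lxml.etree.XMLSyntaxError:
                 continue
             if args.eid != int(get_child(get_child(node, "System"), "EventID").text):
                 continue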
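Review bot: `for record in log.records:` iterates the attribute without calling it, while evtx_dump.py in this same commit iterates `log.records()`; both cannot be right, and if `records` is a method this loop fails with `TypeError: 'method' object is not iterable` before a single record is examined. Unless the Evtx class exposes `records` as a property (its definition is not in this commit), change the line to `for record in log.records():`. Note also that `int(get_child(get_child(node, "System"), "EventID").text)` sits outside the try, so if `get_child` returns None for a record whose System element lacks an EventID, the scan aborts with AttributeError instead of skipping that record the way the XMLSyntaxError branch does; moving that lookup inside the try with a matching `except (AttributeError, ValueError)` would keep the script best-effort on malformed logs. main() continues beyond the end of this hunk.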

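--- a/scripts/evtx_extract_record.py
+++ b/scripts/evtx_extract_record.py
@@ -17,9 +17,7 @@
 # limitations under the License.
 #
 # Version v.0.1
-import sys
-
-from Evtx.Evtx import Evtx
+import Evtx.Evtx as evtx
 
 
 def main():
@@ -33,8 +31,8 @@ def main():
                         help="The record number of the record to extract")
     args = parser.parse_args()
 
-    with Evtx(args.evtx) as evtx:
-        record = evtx.get_record(args.record)
+    with evtx.Evtx(args.evtx) as log:
+        record = log.get_record(args.record)
         if record is None:
             raise RuntimeError("Cannot find the record specified.")
         print(record.data())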

scripts/evtx_find_bugs.py

Lines changed: 0 additions & 45 deletions
This file was deleted.

scripts/evtx_get_pretty_record.py

Lines changed: 0 additions & 73 deletions
This file was deleted.

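--- a/scripts/evtx_info.py
+++ b/scripts/evtx_info.py
@@ -17,94 +17,93 @@
 # limitations under the License.
 #
 # Version v0.1
+import Evtx.Evtx as evtx
 
 
-import sys
-import binascii
-import mmap
-import contextlib
-
-from Evtx.Evtx import FileHeader
+def main():
+    import argparse
+    parser = argparse.ArgumentParser(
+        description="Dump information about an EVTX file.")
+    parser.add_argument("evtx", type=str,
+                        help="Path to the Windows EVTX event log file")
+    args = parser.parse_args()
 
+    with evtx.Evtx(args.evtx) as log:
+        fh = log.get_file_header()
 
-def main():
-    with open(sys.argv[1], 'r') as f:
-        with contextlib.closing(mmap.mmap(f.fileno(), 0,
-                                          access=mmap.ACCESS_READ)) as buf:
-            fh = FileHeader(buf, 0x0)
+        print("Information from file header:")
+        print(("Format version : %d.%d" % (fh.major_version(),
+                                            fh.minor_version())))
+        print(("Flags : 0x%08x" % (fh.flags())))
+        dirty_string = "clean"
+        if fh.is_dirty():
+            dirty_string = "dirty"
+        print(("File is : %s" % (dirty_string)))
+        full_string = "no"
+        if fh.is_full():
+            full_string = "yes"
+        print(("Log is full : %s" % (full_string)))
+        print(("Current chunk : %d of %d" % (fh.current_chunk_number(),
+                                             fh.chunk_count())))
+        print(("Oldest chunk : %d" % (fh.oldest_chunk() + 1)))
+        print(("Next record# : %d" % (fh.next_record_number())))
+        checksum_string = "fail"
+        if fh.calculate_checksum() == fh.checksum():
+            checksum_string = "pass"
+        print(("Check sum : %s" % (checksum_string)))
+        print("")
 
-            print("Information from file header:")
-            print(("Format version : %d.%d" % (fh.major_version(),
-                                                fh.minor_version())))
-            print(("Flags : 0x%08x" % (fh.flags())))
-            dirty_string = "clean"
-            if fh.is_dirty():
-                dirty_string = "dirty"
-            print(("File is : %s" % (dirty_string)))
-            full_string = "no"
-            if fh.is_full():
-                full_string = "yes"
-            print(("Log is full : %s" % (full_string)))
-            print(("Current chunk : %d of %d" % (fh.current_chunk_number(),
-                                                 fh.chunk_count())))
-            print(("Oldest chunk : %d" % (fh.oldest_chunk() + 1)))
-            print(("Next record# : %d" % (fh.next_record_number())))
-            checksum_string = "fail"
-            if fh.calculate_checksum() == fh.checksum():
-                checksum_string = "pass"
-            print(("Check sum : %s" % (checksum_string)))
-            print("")
+        if fh.is_dirty():
+            chunk_count = sum([1 for c in fh.chunks() if c.verify()])
 
-            if fh.is_dirty():
-                chunk_count = sum([1 for c in fh.chunks() if c.verify()])
+            last_chunk = None
+            for chunk in fh.chunks():
+                if not chunk.verify():
+                    continue
+                last_chunk = chunk
+            next_record_num = last_chunk.log_last_record_number() + 1
 
-                last_chunk = None
-                for chunk in fh.chunks():
-                    if not chunk.verify():
-                        continue
-                    last_chunk = chunk
-                next_record_num = last_chunk.log_last_record_number() + 1
+            print("Suspected updated header values (header is dirty):")
+            print(("Current chunk : %d of %d" % (chunk_count,
+                                                 chunk_count)))
+            print(("Next record# : %d" % (next_record_num)))
+            print("")
 
-                print("Suspected updated header values (header is dirty):")
-                print(("Current chunk : %d of %d" % (chunk_count,
-                                                     chunk_count)))
-                print(("Next record# : %d" % (next_record_num)))
-                print("")
+        print("Information from chunks:")
+        print(" Chunk file (first/last) log (first/last) Header Data")
+        print("- ----- --------------------- --------------------- ------ ------")
+        for (i, chunk) in enumerate(fh.chunks(), 1):
+            note_string = " "
+            if i == fh.current_chunk_number() + 1:
+                note_string = "*"
+            elif i == fh.oldest_chunk() + 1:
+                note_string = ">"
 
-            print("Information from chunks:")
-            print(" Chunk file (first/last) log (first/last) Header Data")
-            print("- ----- --------------------- --------------------- ------ ------")
-            for (i, chunk) in enumerate(fh.chunks(), 1):
-                note_string = " "
-                if i == fh.current_chunk_number() + 1:
-                    note_string = "*"
-                elif i == fh.oldest_chunk() + 1:
-                    note_string = ">"
+            if not chunk.check_magic():
+                if chunk.magic() == "\x00\x00\x00\x00\x00\x00\x00\x00":
+                    print("%s %4d [EMPTY]" % (note_string, i))
+                else:
+                    print("%s %4d [INVALID]" % (note_string, i))
+                continue
 
-                if not chunk.check_magic():
-                    if chunk.magic() == "\x00\x00\x00\x00\x00\x00\x00\x00":
-                        print("%s %4d [EMPTY]" % (note_string, i))
-                    else:
-                        print("%s %4d [INVALID]" % (note_string, i))
-                    continue
+            header_checksum_string = "fail"
+            if chunk.calculate_header_checksum() == chunk.header_checksum():
+                header_checksum_string = "pass"
 
-                header_checksum_string = "fail"
-                if chunk.calculate_header_checksum() == chunk.header_checksum():
-                    header_checksum_string = "pass"
+            data_checksum_string = "fail"
+            if chunk.calculate_data_checksum() == chunk.data_checksum():
+                data_checksum_string = "pass"
 
-                data_checksum_string = "fail"
-                if chunk.calculate_data_checksum() == chunk.data_checksum():
-                    data_checksum_string = "pass"
+            print("%s %4d %8d %8d %8d %8d %s %s" %
+                  (note_string,
+                   i,
+                   chunk.file_first_record_number(),
+                   chunk.file_last_record_number(),
+                   chunk.log_first_record_number(),
+                   chunk.log_last_record_number(),
+                   header_checksum_string,
+                   data_checksum_string))
 
-                print("%s %4d %8d %8d %8d %8d %s %s" % \
-                    (note_string,
-                     i,
-                     chunk.file_first_record_number(),
-                     chunk.file_last_record_number(),
-                     chunk.log_first_record_number(),
-                     chunk.log_last_record_number(),
-                     header_checksum_string,
-                     data_checksum_string))
 
 if __name__ == "__main__":
     main()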
main()
