added some json functionality, can output to screen

ajread4 · ajread4 · commit 2e8f359be2cb · 2022-12-15T22:59:22.000-05:00
diff --git a/scripts/evtx_dump.py b/scripts/evtx_dump.py
@@ -19,6 +19,9 @@
 #   Version v0.1.1
 import Evtx.Evtx as evtx
 import Evtx.Views as e_views
+import os
+import xmltodict
+from typing import Dict
 
 
 def main():
@@ -28,14 +31,45 @@ def main():
         description="Dump a binary EVTX file into XML.")
     parser.add_argument("evtx", type=str,
                         help="Path to the Windows EVTX event log file")
+    parser.add_argument("-o","--output",type=str,help="Path to the output file")
     args = parser.parse_args()
 
     with evtx.Evtx(args.evtx) as log:
-        print(e_views.XML_HEADER)
-        print("<Events>")
-        for record in log.records():
-            print(record.xml())
-        print("</Events>")
+
+        if (args.output):
+            if(os.path.splitext(args.output)[1]==".json"):
+                for record in log.records():
+                    data_dict=xmltodict.parse(record.xml()) #convert the xml to a dictionary
+                    '''
+                    for event_system_key,event_system_value in data_dict['Event']['System'].items(): #loop through each key and value pair
+                        if isinstance(data_dict['Event']['System'][str(event_system_key)],Dict): #if the dictionary is nested, enter the dictionary
+                            sublist=[]
+                            for event_system_subkey,event_system_subvalue in data_dict['Event']['System'][str(event_system_key)].items(): #loop through the nested dictionary
+                                print(event_system_key+"_"+event_system_subkey[1:] + ":" + str(event_system_subvalue))
+                        else:
+                            print(event_system_key + ":" + str(event_system_value))
+                    '''
+                    for event_system_key, event_system_value in data_dict['Event']['System'].items():  # loop through each key and value pair
+                        if (event_system_key=="EventRecordID"):
+                            json_subline = {}
+                            firstline={event_system_key:event_system_value}
+                            json_subline.update(firstline)
+                    for event_data_key, event_data_value in data_dict['Event']['EventData'].items():  # loop through each key and value pair
+                        for values in event_data_value:
+                            for event_data_subkey,event_data_subvalue in values.items():
+                                if event_data_subkey=="@Name":
+                                    data_name=event_data_subvalue
+                                else:
+                                    data_value=event_data_subvalue
+                            json_subline.update({data_name:data_value})
+            else:
+                print("Invalid File Type")
+        else:
+            print(e_views.XML_HEADER)
+            print("<Events>")
+            for record in log.records():
+                print(record.xml())
+            print("</Events>")
 
 
 if __name__ == "__main__":
