williballenthin
diff --git a/‎scripts/evtx_dump.py‎
Lines changed: 53 additions & 53 deletions b/‎scripts/evtx_dump.py‎
Lines changed: 53 additions & 53 deletions
diff --git a/‎scripts/evtx_eid_record_numbers.py‎
Lines changed: 35 additions & 35 deletions b/‎scripts/evtx_eid_record_numbers.py‎
Lines changed: 35 additions & 35 deletions
diff --git a/‎scripts/evtx_filter_records.py‎
Lines changed: 65 additions & 65 deletions b/‎scripts/evtx_filter_records.py‎
Lines changed: 65 additions & 65 deletions
diff --git a/‎scripts/evtx_find_bugs.py‎
Lines changed: 45 additions & 45 deletions b/‎scripts/evtx_find_bugs.py‎
Lines changed: 45 additions & 45 deletions
@@ -1,53 +1,53 @@
-#!/usr/bin/env python
-#    This file is part of python-evtx.
-#
-#   Copyright 2012, 2013 Willi Ballenthin <william.ballenthin@mandiant.com>
-#                    while at Mandiant <http://www.mandiant.com>
-#
-#   Licensed under the Apache License, Version 2.0 (the "License");
-#   you may not use this file except in compliance with the License.
-#   You may obtain a copy of the License at
-#
-#       http://www.apache.org/licenses/LICENSE-2.0
-#
-#   Unless required by applicable law or agreed to in writing, software
-#   distributed under the License is distributed on an "AS IS" BASIS,
-#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-#   See the License for the specific language governing permissions and
-#   limitations under the License.
-#
-#   Version v0.1.1
-import mmap
-import contextlib
-
-import argparse
-
-from Evtx.Evtx import FileHeader
-from Evtx.Views import evtx_file_xml_view
-
-
-def ascii(s):
-    return s.encode('ascii', 'replace').decode('ascii')
-
-
-def main():
-    parser = argparse.ArgumentParser(
-        description="Dump a binary EVTX file into XML.")
-    parser.add_argument("--cleanup", action="store_true",
-                        help="Cleanup unused XML entities (slower)"),
-    parser.add_argument("evtx", type=str,
-                        help="Path to the Windows EVTX event log file")
-    args = parser.parse_args()
-
-    with open(args.evtx, 'r') as f:
-        with contextlib.closing(mmap.mmap(f.fileno(), 0,
-                                          access=mmap.ACCESS_READ)) as buf:
-            fh = FileHeader(buf, 0x0)
-            print("<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?>")
-            print("<Events>")
-            for xml, record in evtx_file_xml_view(fh):
-                print(ascii(xml))
-            print("</Events>")
-
-if __name__ == "__main__":
-    main()
+#!/usr/bin/env python
+#    This file is part of python-evtx.
+#
+#   Copyright 2012, 2013 Willi Ballenthin <william.ballenthin@mandiant.com>
+#                    while at Mandiant <http://www.mandiant.com>
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+#   Version v0.1.1
+import mmap
+import contextlib
+
+import argparse
+
+from Evtx.Evtx import FileHeader
+from Evtx.Views import evtx_file_xml_view
+
+
+def ascii(s):
+    return s.encode('ascii', 'replace').decode('ascii')
+
+
+def main():
+    parser = argparse.ArgumentParser(
+        description="Dump a binary EVTX file into XML.")
+    parser.add_argument("--cleanup", action="store_true",
+                        help="Cleanup unused XML entities (slower)"),
+    parser.add_argument("evtx", type=str,
+                        help="Path to the Windows EVTX event log file")
+    args = parser.parse_args()
+
+    with open(args.evtx, 'r') as f:
+        with contextlib.closing(mmap.mmap(f.fileno(), 0,
+                                          access=mmap.ACCESS_READ)) as buf:
+            fh = FileHeader(buf, 0x0)
+            print("<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?>")
+            print("<Events>")
+            for xml, record in evtx_file_xml_view(fh):
+                print(ascii(xml))
+            print("</Events>")
+
+if __name__ == "__main__":
+    main()
@@ -1,35 +1,35 @@
-#!/usr/bin/env python
-
-from lxml.etree import XMLSyntaxError
-from Evtx.Evtx import Evtx
-from Evtx.Views import evtx_file_xml_view
-
-from filter_records import get_child
-from filter_records import to_lxml
-
-
-def main():
-    import argparse
-
-    parser = argparse.ArgumentParser(
-        description="Print the record numbers of EVTX log entries "
-                    "that match the given EID.")
-    parser.add_argument("evtx", type=str,
-                        help="Path to the Windows EVTX file")
-    parser.add_argument("eid", type=int,
-                        help="The EID of records to extract")
-    args = parser.parse_args()
-
-    with Evtx(args.evtx) as evtx:
-        for xml, record in evtx_file_xml_view(evtx.get_file_header()):
-            try:
-                node = to_lxml(xml)
-            except XMLSyntaxError:
-                continue
-            if args.eid != int(get_child(get_child(node, "System"), "EventID").text):
-                continue
-            print(record.record_num())
-
-
-if __name__ == "__main__":
-    main()
+#!/usr/bin/env python
+
+from lxml.etree import XMLSyntaxError
+from Evtx.Evtx import Evtx
+from Evtx.Views import evtx_file_xml_view
+
+from filter_records import get_child
+from filter_records import to_lxml
+
+
+def main():
+    import argparse
+
+    parser = argparse.ArgumentParser(
+        description="Print the record numbers of EVTX log entries "
+                    "that match the given EID.")
+    parser.add_argument("evtx", type=str,
+                        help="Path to the Windows EVTX file")
+    parser.add_argument("eid", type=int,
+                        help="The EID of records to extract")
+    args = parser.parse_args()
+
+    with Evtx(args.evtx) as evtx:
+        for xml, record in evtx_file_xml_view(evtx.get_file_header()):
+            try:
+                node = to_lxml(xml)
+            except XMLSyntaxError:
+                continue
+            if args.eid != int(get_child(get_child(node, "System"), "EventID").text):
+                continue
+            print(record.record_num())
+
+
+if __name__ == "__main__":
+    main()
@@ -1,65 +1,65 @@
-#!/usr/bin/env python
-
-from lxml import etree
-#import xml.etree.cElementTree as etree
-
-from Evtx.Evtx import Evtx
-from Evtx.Views import evtx_file_xml_view
-
-
-def to_lxml(record_xml):
-    """
-    @type record: Record
-    """
-    return etree.fromstring("<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?>%s" %
-                         record_xml)
-
-
-def xml_records(filename):
-    """
-    If the second return value is not None, then it is an
-      Exception encountered during parsing.  The first return value
-      will be the XML string.
-
-    @type filename str
-    @rtype: generator of (etree.Element or str), (None or Exception)
-    """
-    with Evtx(filename) as evtx:
-        for xml, record in evtx_file_xml_view(evtx.get_file_header()):
-            try:
-                yield to_lxml(xml), None
-            except etree.XMLSyntaxError as e:
-                yield xml, e
-
-
-def get_child(node, tag, ns="{http://schemas.microsoft.com/win/2004/08/events/event}"):
-    """
-    @type node: etree.Element
-    @type tag: str
-    @type ns: str
-    """
-    return node.find("%s%s" % (ns, tag))
-
-
-def main():
-    import argparse
-
-    parser = argparse.ArgumentParser(
-        description="Print only entries from an EVTX file with a given EID.")
-    parser.add_argument("evtx", type=str,
-                        help="Path to the Windows EVTX file")
-    parser.add_argument("eid", type=int,
-                        help="The EID of records to print")
-
-    args = parser.parse_args()
-
-    for node, err in xml_records(args.evtx):
-        if err is not None:
-            continue
-        sys = get_child(node, "System")
-        if args.eid == int(get_child(sys, "EventID").text):
-            print(etree.tostring(node, pretty_print=True))
-
-
-if __name__ == "__main__":
-    main()
+#!/usr/bin/env python
+
+from lxml import etree
+#import xml.etree.cElementTree as etree
+
+from Evtx.Evtx import Evtx
+from Evtx.Views import evtx_file_xml_view
+
+
+def to_lxml(record_xml):
+    """
+    @type record: Record
+    """
+    return etree.fromstring("<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?>%s" %
+                         record_xml)
+
+
+def xml_records(filename):
+    """
+    If the second return value is not None, then it is an
+      Exception encountered during parsing.  The first return value
+      will be the XML string.
+
+    @type filename str
+    @rtype: generator of (etree.Element or str), (None or Exception)
+    """
+    with Evtx(filename) as evtx:
+        for xml, record in evtx_file_xml_view(evtx.get_file_header()):
+            try:
+                yield to_lxml(xml), None
+            except etree.XMLSyntaxError as e:
+                yield xml, e
+
+
+def get_child(node, tag, ns="{http://schemas.microsoft.com/win/2004/08/events/event}"):
+    """
+    @type node: etree.Element
+    @type tag: str
+    @type ns: str
+    """
+    return node.find("%s%s" % (ns, tag))
+
+
+def main():
+    import argparse
+
+    parser = argparse.ArgumentParser(
+        description="Print only entries from an EVTX file with a given EID.")
+    parser.add_argument("evtx", type=str,
+                        help="Path to the Windows EVTX file")
+    parser.add_argument("eid", type=int,
+                        help="The EID of records to print")
+
+    args = parser.parse_args()
+
+    for node, err in xml_records(args.evtx):
+        if err is not None:
+            continue
+        sys = get_child(node, "System")
+        if args.eid == int(get_child(sys, "EventID").text):
+            print(etree.tostring(node, pretty_print=True))
+
+
+if __name__ == "__main__":
+    main()
@@ -1,45 +1,45 @@
-#!/usr/bin/env python
-#    This file is part of python-evtx.
-#
-#   Copyright 2012, 2013 Willi Ballenthin <william.ballenthin@mandiant.com>
-#                    while at Mandiant <http://www.mandiant.com>
-#
-#   Licensed under the Apache License, Version 2.0 (the "License");
-#   you may not use this file except in compliance with the License.
-#   You may obtain a copy of the License at
-#
-#       http://www.apache.org/licenses/LICENSE-2.0
-#
-#   Unless required by applicable law or agreed to in writing, software
-#   distributed under the License is distributed on an "AS IS" BASIS,
-#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-#   See the License for the specific language governing permissions and
-#   limitations under the License.
-#
-#   Version v0.1.1
-
-
-import sys
-import mmap
-import contextlib
-from Evtx.Evtx import FileHeader
-from Evtx.Views import evtx_record_xml_view
-
-
-def main():
-    with open(sys.argv[1], 'r') as f:
-        with contextlib.closing(mmap.mmap(f.fileno(), 0,
-                                          access=mmap.ACCESS_READ)) as buf:
-            fh = FileHeader(buf, 0x0)
-            for chunk in fh.chunks():
-                for record in chunk.records():
-                    try:
-                        evtx_record_xml_view(record).encode("utf-8")
-                    except Exception as e:
-                        print(str(e))
-                        print(repr(e))
-                        print(evtx_record_xml_view(record).encode("utf-8"))
-                        return
-
-if __name__ == "__main__":
-    main()
+#!/usr/bin/env python
+#    This file is part of python-evtx.
+#
+#   Copyright 2012, 2013 Willi Ballenthin <william.ballenthin@mandiant.com>
+#                    while at Mandiant <http://www.mandiant.com>
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+#   Version v0.1.1
+
+
+import sys
+import mmap
+import contextlib
+from Evtx.Evtx import FileHeader
+from Evtx.Views import evtx_record_xml_view
+
+
+def main():
+    with open(sys.argv[1], 'r') as f:
+        with contextlib.closing(mmap.mmap(f.fileno(), 0,
+                                          access=mmap.ACCESS_READ)) as buf:
+            fh = FileHeader(buf, 0x0)
+            for chunk in fh.chunks():
+                for record in chunk.records():
+                    try:
+                        evtx_record_xml_view(record).encode("utf-8")
+                    except Exception as e:
+                        print(str(e))
+                        print(repr(e))
+                        print(evtx_record_xml_view(record).encode("utf-8"))
+                        return
+
+if __name__ == "__main__":
+    main()