11#!/usr/bin/env python
22import hexdump
33
4- from Evtx .Evtx import Evtx
4+ import Evtx .Evtx as evtx
55from Evtx .Nodes import RootNode
66from Evtx .Nodes import BXmlTypeNode
77from Evtx .Nodes import TemplateInstanceNode
88from Evtx .Nodes import VariantTypeNode
9- from Evtx .Views import evtx_record_xml_view
109
1110
1211def describe_root (record , root , indent = 0 , suppress_values = False ):
1312 """
14- @type record: Record
15- @type indent: int
16- @rtype: None
13+ Args:
14+ record (Evtx.Record):
15+ indent (int):
1716 """
1817 def format_node (n , extra = None , indent = 0 ):
1918 """
2019 Depends on closure over `record` and `suppress_values`.
21- @type n: BXmlNode
22- @type extra: str
23- @rtype: str
20+
21+ Args:
22+ n (Evtx.Nodes.BXmlNode):
23+ extra (str):
24+
25+ Returns:
26+ str:
2427 """
2528 ret = ""
29+ indent_s = ' ' * indent
30+ name = n .__class__ .__name__
31+ offset = n .offset () - record .offset ()
2632 if extra is not None :
27- ret = "%s%s(offset=%s, %s)" % \
28- (" " * indent , n .__class__ .__name__ , hex (n .offset () - record .offset ()), extra )
33+ ret = "%s%s(offset=%s, %s)" % (indent_s , name , hex (offset ), extra )
2934 else :
30- ret = "%s%s(offset=%s)" % \
31- (" " * indent , n .__class__ .__name__ , hex (n .offset () - record .offset ()))
35+ ret = "%s%s(offset=%s)" % (indent_s , name , hex (offset ))
3236
3337 if not suppress_values and isinstance (n , VariantTypeNode ):
3438 ret += " --> %s" % (n .string ())
@@ -40,14 +44,18 @@ def format_node(n, extra=None, indent=0):
4044
4145 def rec (node , indent = 0 ):
4246 """
43- @type node: BXmlNode
44- @type indent: int
45- @rtype: str
47+ Args:
48+ node (Evtx.Nodes.BXmlNode):
49+ indent (int):
50+
51+ Returns:
52+ str:
4653 """
4754 ret = ""
4855 if isinstance (node , TemplateInstanceNode ):
4956 if node .is_resident_template ():
50- ret += "%s\n " % (format_node (node , extra = "resident=True, length=%s" % (hex (node .template ().data_length ())), indent = indent ))
57+ extra = "resident=True, length=%s" % (hex (node .template ().data_length ()))
58+ ret += "%s\n " % (format_node (node , extra = extra , indent = indent ))
5159 ret += rec (node .template (), indent = indent + 1 )
5260 else :
5361 ret += "%s\n " % (format_node (node , extra = "resident=False" , indent = indent ))
@@ -56,12 +64,15 @@ def rec(node, indent=0):
5664
5765 for child in node .children ():
5866 ret += rec (child , indent = indent + 1 )
67+
5968 if isinstance (node , RootNode ):
6069 ofs = node .tag_and_children_length ()
61- ret += "%sSubstitutions(offset=%s)\n " % (" " * (indent + 1 ),
62- hex (node .offset () - record .offset () + ofs ))
70+ indent_s = ' ' * (indent + 1 )
71+ offset = node .offset () - record .offset () + ofs
72+ ret += "%sSubstitutions(offset=%s)\n " % (indent_s , hex (offset ))
6373 for sub in node .substitutions ():
6474 ret += "%s\n " % (format_node (sub , indent = indent + 2 ))
75+
6576 return ret
6677
6778 ret = ""
@@ -82,15 +93,13 @@ def main():
8293 help = "Do not print the values of substitutions." )
8394 args = parser .parse_args ()
8495
85- with Evtx (args .evtx ) as evtx :
86- hexdump .hexdump (evtx .get_record (args .record ).data ())
96+ with evtx . Evtx (args .evtx ) as log :
97+ hexdump .hexdump (log .get_record (args .record ).data ())
8798
88- print (("record(absolute_offset=%s)" % \
89- (evtx .get_record (args .record ).offset ())))
90- print (describe_root (evtx .get_record (args .record ),
91- evtx .get_record (args .record ).root (),
92- suppress_values = args .suppress_values ))
93- print (evtx_record_xml_view (evtx .get_record (args .record )))
99+ record = log .get_record (args .record )
100+ print ("record(absolute_offset=%s)" % record .offset ())
101+ print (describe_root (record , record .root (), suppress_values = args .suppress_values ))
102+ print (record .xml ())
94103
95104
96105if __name__ == "__main__" :
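Review bot: `log.get_record(args.record)` is fetched twice in this hunk, once on the `hexdump.hexdump(...)` line and again two lines later to bind `record`; move the binding up so the record is looked up once, `record = log.get_record(args.record)` followed by `hexdump.hexdump(record.data())`. If `get_record` can return `None` for a record number that is not present in the file (I believe the python-evtx API allows this, but confirm against its docstring), the `.data()` call then fails with an AttributeError instead of a clear message; a guard such as `if record is None: parser.error("record %d not found" % args.record)` placed before the hexdump would cover that case, and `parser` is already in scope from the `parse_args()` line above. The body of `main` starts outside the hunk.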