Versions in this module Expand all Collapse all v0 v0.0.5 Feb 18, 2020 v0.0.4 Feb 18, 2020 v0.0.3 Feb 17, 2020 v0.0.2 Jan 10, 2020 Changes in this version + const EVTX_CHUNK_HEADER_MAGIC + const EVTX_CHUNK_HEADER_SIZE + const EVTX_CHUNK_SIZE + const EVTX_EVENT_RECORD_MAGIC + const EVTX_EVENT_RECORD_SIZE + const EVTX_HEADER_MAGIC + func Debug(arg interface{}) + func ExpandLocations(message_file string) []string — windows/amd64 + func ExpandMessage(event_map *ordereddict.Dict, message string) string + func NormalizeEventData(expanded interface{}) + func ParseAttributes(ctx *ParseContext) bool + func ParseBinXML(ctx *ParseContext) + func ParseCloseElement(ctx *ParseContext) bool + func ParseCloseStartElement(ctx *ParseContext) bool + func ParseFile(fd io.ReadSeeker) (*ordereddict.Dict, error) + func ParseOpenStartElement(ctx *ParseContext, has_attr bool) bool + func ParseOptionalSubstitution(ctx *ParseContext) bool + func ParseTemplateInstance(ctx *ParseContext) bool + func ParseValueText(ctx *ParseContext) bool + func ReadName(ctx *ParseContext) string + func ReadPrefixedUnicodeString(ctx *ParseContext, is_null_terminated bool) string + func ReadStructFromFile(fd io.ReadSeeker, offset int64, obj interface{}) error + func UTF16LEToUTF8(data []byte) []byte + type Chunk struct + Fd io.ReadSeeker + Header ChunkHeader + Offset int64 + func GetChunks(fd io.ReadSeeker) ([]*Chunk, error) + func NewChunk(fd io.ReadSeeker, offset int64) (*Chunk, error) + func (self *Chunk) Parse(start_record_id int) ([]*EventRecord, error) + type ChunkHeader struct + FirstEventRecID uint64 + FirstEventRecNumber uint64 + HeaderSize uint32 + LastEventRecID uint64 + LastEventRecNumber uint64 + Magic [8]byte + type EVTXHeader struct + CheckSum uint32 + FileFlags uint32 + Firstchunk uint64 + HeaderBlockSize uint16 + HeaderSize uint32 + LastChunk uint64 + Magic [8]byte + MajorVersion uint16 + MinorVersion uint16 + NextRecordID uint64 + type EventRecord struct + Event interface{} + Header EventRecordHeader + func NewEventRecord(ctx *ParseContext, chunk *Chunk) (*EventRecord, error) + func (self *EventRecord) Parse(ctx *ParseContext) + type EventRecordHeader struct + FileTime uint64 + Magic [4]byte + RecordID uint64 + Size uint32 + type EvtxGUID struct + B [8]uint8 + D uint32 + W1 uint16 + W2 uint16 + func (self *EvtxGUID) ToString() string + type MessageSet struct — windows/amd64 + Channel string + Messages map[int]*pe.Message + Provider string + func GetMessages(provider, channel string) (*MessageSet, error) + type ParseContext struct + func NewParseContext(chunk *Chunk) *ParseContext + func (self *ParseContext) ConsumeBytes(size int) []byte + func (self *ParseContext) ConsumeUint16() uint16 + func (self *ParseContext) ConsumeUint32() uint32 + func (self *ParseContext) ConsumeUint64() uint64 + func (self *ParseContext) ConsumeUint8() uint8 + func (self *ParseContext) CurrentKey() string + func (self *ParseContext) CurrentTemplate() *TemplateNode + func (self *ParseContext) GetTemplateByID(id int) (*TemplateNode, bool) + func (self *ParseContext) NewTemplate(id int) *TemplateNode + func (self *ParseContext) Offset() int + func (self *ParseContext) PopTemplate() + func (self *ParseContext) PushTemplate(key string, template *TemplateNode) + func (self *ParseContext) SetOffset(offset int) + func (self *ParseContext) SkipBytes(count int) + func (self ParseContext) Copy() *ParseContext + type TemplateNode struct + CurrentKey string + Id uint32 + Literal interface{} + NestedArray []*TemplateNode + NestedDict *ordereddict.Dict + Type uint32 + func NewTemplate(id int) *TemplateNode + func (self *TemplateNode) Expand(args map[int]interface{}) interface{} + func (self *TemplateNode) SetExpansion(key string, id, type_id uint32) + func (self *TemplateNode) SetLiteral(key string, literal interface{}) + func (self *TemplateNode) SetNested(key string, nested *TemplateNode)