import ctypes
import os.path
import xml.dom.minidom
from contextlib import contextmanager
import windows
import windows.generated_def as gdef
from windows import winproxy
from windows.pycompat import int_types, basestring
# Helpers
@contextmanager
def ClosingEvtHandle(handle):
    """Context manager that yields a raw ``EVT_HANDLE`` and ``EvtClose``s it on exit.

    The close runs whether the body completed or raised. Meant for handles that are
    *not* wrapped in an :class:`EvtHandle` subclass (those already close themselves in
    ``__del__``); wrapping such an object here would close the same handle twice.
    """
    try:
        yield handle
    finally:
        winproxy.EvtClose(handle)
# low-level api helpers
def queryinfo(handle, propertyid):
    """Read log property ``propertyid`` of ``handle`` with ``EvtGetLogInfo``.

    A fresh 4 KiB buffer is allocated and an :class:`ImprovedEVT_VARIANT` is overlaid on
    it with ``from_buffer`` (which keeps the buffer alive as long as the variant lives,
    so pointer members of the variant stay valid). The allocation size is what is passed
    to the API, so an oversized property fails the call (winproxy raises on failure, see
    the ``WindowsError`` handling elsewhere in this file) rather than overflowing.
    The "bytes used" output of the API is not returned.
    """
    bufsize = 0x1000
    backing = ctypes.create_string_buffer(bufsize)
    variant = ImprovedEVT_VARIANT.from_buffer(backing)
    used = gdef.DWORD()
    windows.winproxy.EvtGetLogInfo(handle, propertyid, bufsize, variant, used)
    return variant
def arrayproperty(handle, property, index, flags=0):
    """Read property ``property`` of element ``index`` of an object array handle
    (``EvtGetObjectArrayProperty``).

    Same buffer discipline as :func:`queryinfo`: 4 KiB backing buffer, variant overlaid
    with ``from_buffer`` (buffer kept alive by the variant), allocation size passed to the
    API so a too-large property fails instead of overflowing. ``flags`` is forwarded
    unchanged (the API currently defines none).
    """
    bufsize = 0x1000
    backing = ctypes.create_string_buffer(bufsize)
    variant = ImprovedEVT_VARIANT.from_buffer(backing)
    used = gdef.DWORD()
    windows.winproxy.EvtGetObjectArrayProperty(handle, property, index, flags, bufsize, variant, used)
    return variant
def generate_query_function(query_function):
    """Build a ``getter(handle, propertyid, flags=0)`` around a winproxy function with the
    ``(handle, propertyid, flags, buffersize, buffer, bufferused)`` signature shared by
    ``EvtGetChannelConfigProperty``, ``EvtGetEventMetadataProperty`` and
    ``EvtGetPublisherMetadataProperty``.

    The getter allocates a 64 KiB buffer, overlays an :class:`ImprovedEVT_VARIANT` on it
    (``from_buffer`` keeps the buffer alive with the variant) and returns the variant.
    The buffer size handed to the API is the real allocation size, so an oversized
    property makes the call fail rather than overflow. The "bytes used" output is dropped.
    """
    bufsize = 0x10000

    def generated_query_function(handle, propertyid, flags=0):
        backing = ctypes.create_string_buffer(bufsize)
        variant = ImprovedEVT_VARIANT.from_buffer(backing)
        used = gdef.DWORD()
        query_function(handle, propertyid, flags, bufsize, variant, used)
        return variant

    return generated_query_function
# The three property getters share one calling convention: (handle, propertyid, flags=0)
# -> ImprovedEVT_VARIANT. Each targets a different handle kind: channel configuration,
# event metadata, publisher metadata.
chaninfo, eventinfo, publishinfo = (
    generate_query_function(api)
    for api in (winproxy.EvtGetChannelConfigProperty,
                winproxy.EvtGetEventMetadataProperty,
                winproxy.EvtGetPublisherMetadataProperty)
)
class EvtHandle(gdef.EVT_HANDLE):
    """Base class of every ``EVT_HANDLE`` wrapper: the handle is ``EvtClose``d when the
    wrapper object is collected.

    Do not also close such an object through :func:`ClosingEvtHandle`; the handle would
    be closed twice.
    """
    # Stored as a plain function on the class so the lookup binds it like a method:
    # ``self._close_function()`` passes the handle object itself to EvtClose.
    _close_function = windows.winproxy.EvtClose

    def __del__(self):
        # A NULL handle was never opened (e.g. EvtNext failed before filling it): skip.
        if self:
            self._close_function()
# Class high-level API
class EvtQuery(EvtHandle):
    """An Event-log query handle, iterable over the :class:`EvtEvent` it matches.

    ``channel`` is attached to every event produced (they need it to resolve metadata);
    ``timeout`` is handed to ``EvtNext`` for each fetch (``DEFAULT_TIMEOUT`` when ``None``).
    """
    DEFAULT_TIMEOUT = 0x1000

    def __init__(self, handle=0, channel=None, timeout=None):
        super(EvtQuery, self).__init__(handle)
        self.channel = channel
        self.timeout = self.DEFAULT_TIMEOUT if timeout is None else timeout

    def __iter__(self):
        return self

    def __next__(self):
        """Fetch the next :class:`EvtEvent` with ``EvtNext``.

        ``StopIteration`` when the API reports ``ERROR_NO_MORE_ITEMS``; any other
        ``WindowsError`` (including a timeout) propagates.
        """
        event = EvtEvent(channel=self.channel)
        fetched = gdef.DWORD()
        try:
            windows.winproxy.EvtNext(self, 1, event, self.timeout, 0, fetched)
        except WindowsError as e:
            if e.winerror != gdef.ERROR_NO_MORE_ITEMS:
                raise
            raise StopIteration
        # One event requested, one expected back.
        assert fetched.value == 1
        return event

    next = __next__  # Python 2 iterator protocol uses ``next``

    def seek(self, position, seek_flags=None):
        """Seek the query to ``position`` (``EvtSeek``).

        ``seek_flags`` can be one of:

            * ``None``
            * ``EvtSeekRelativeToFirst``
            * ``EvtSeekRelativeToLast``
            * ``EvtSeekRelativeToBookmark``

        If ``seek_flags`` is None:

            * ``position >= 0`` uses ``EvtSeekRelativeToFirst``
            * ``position < 0`` uses ``EvtSeekRelativeToLast`` with ``position + 1``,
              so that ``seek(-N)`` positions on the last ``N`` events
              (``seek(-1)`` on the last one only). Pass ``seek_flags`` explicitly to
              skip this adjustment.
        """
        if seek_flags is None:
            if position < 0:
                # -1 with EvtSeekRelativeToLast would yield the last 2 events;
                # shifting by one makes (-1, None) yield only the last one.
                seek_flags = gdef.EvtSeekRelativeToLast
                position += 1
            else:
                seek_flags = gdef.EvtSeekRelativeToFirst
        windows.winproxy.EvtSeek(self, position, 0, 0, seek_flags)

    def all(self):  # SqlAlchemy-like
        """Every remaining result of the query, materialized.

        :rtype: [:class:`EvtEvent`] -- A list of Event
        """
        return list(self)

    def first(self):  # SqlAlchemy-like; convenient in an interactive console
        """The next result of the query (``StopIteration`` if there is none).

        :rtype: :class:`EvtEvent` -- An Event
        """
        return self.__next__()
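class EvtEvent(EvtHandle):
    """One event (an ``EVT_HANDLE`` to an event record) plus rendering helpers.

    ``channel`` is the :class:`EvtChannel` / :class:`EvtFile` the event was queried from;
    :attr:`metadata` and :attr:`data` need it to reach the publisher's event templates.
    """

    def __init__(self, handle=0, channel=None):
        super(EvtEvent, self).__init__(handle)
        self.channel = channel

    def render(self, ctx, rtype):
        """Run ``EvtRender`` on this event.

        :param ctx: render-context handle, or ``None`` for XML rendering
        :param rtype: ``EvtRenderEventValues`` or ``1`` (``EvtRenderEventXml`` in the Windows API)
        :return: for ``EvtRenderEventValues`` a list of :class:`ImprovedEVT_VARIANT`
                 overlaying the render buffer; otherwise the raw rendered ``bytes``
                 (``rsize`` bytes, NUL terminator included)
        """
        size = 0x10000
        buffer = ctypes.c_buffer(size)
        rsize = gdef.DWORD()
        elementnb = gdef.DWORD()
        try:
            windows.winproxy.EvtRender(ctx, self, rtype, size, buffer, rsize, elementnb)
        except WindowsError as e:
            if e.winerror != gdef.ERROR_INSUFFICIENT_BUFFER:
                raise
            # EvtRender reports the byte count it needs in rsize: retry once with exactly that.
            size = rsize.value
            buffer = ctypes.c_buffer(size)
            windows.winproxy.EvtRender(ctx, self, rtype, size, buffer, rsize, elementnb)
        if rtype != gdef.EvtRenderEventValues:
            return buffer[:rsize.value]
        # Pointer members of the variants (strings, binary...) point into ``buffer``;
        # from_buffer keeps it alive as long as the variants do.
        return list((ImprovedEVT_VARIANT * elementnb.value).from_buffer(buffer))

    def render_xml(self):
        """The event rendered as an XML ``str``.

        The API writes UTF-16LE text ending with a NUL; it is decoded explicitly as
        little-endian (``"utf-16"`` without a BOM would pick the host byte order) and the
        terminator is stripped. ``ValueError`` if the terminator is missing.
        """
        text = self.render(None, 1).decode("utf-16-le")
        if not text.endswith("\x00"):
            raise ValueError("EvtRender XML output is not NUL-terminated")
        return text[:-1]

    def value(self, name, **kwargs):
        """Retrieve a single value from the event.

        ``name`` is an XPath expression that uniquely identifies a node or attribute in
        the event (see https://msdn.microsoft.com/en-us/library/windows/desktop/aa385352(v=vs.85).aspx).
        ``kwargs`` are forwarded to :meth:`get_values`. ``ValueError`` if the expression
        does not render exactly one value.
        """
        values = self.get_values((name,), **kwargs)
        if len(values) != 1:
            raise ValueError("XPath {0!r} rendered {1} values, expected exactly 1".format(name, len(values)))
        return values[0]

    def get_values(self, values, flags=gdef.EvtRenderContextValues):
        """The Python values (``ImprovedEVT_VARIANT.value``) selected by the XPath expressions ``values``.

        ``flags`` is the ``EvtCreateRenderContext`` flag; it is now honoured (it used to be
        ignored in favour of ``EvtRenderContextValues``, which is still the default).
        """
        return [r.value for r in self.get_raw_values(values, flags)]

    def get_raw_values(self, values, flags=gdef.EvtRenderContextValues):
        """The :class:`ImprovedEVT_VARIANT` selected by the XPath expressions ``values``.

        Each expression yields one variant, in order. The render context is closed even
        if rendering fails.
        """
        nbelt = len(values)
        pwstr_values = tuple(gdef.LPWSTR(v) for v in values)
        # Kept alive (local) until the context has been used: the API takes pointers to them.
        pwstr_rarray = (gdef.LPWSTR * nbelt)(*pwstr_values)
        ctx = windows.winproxy.EvtCreateRenderContext(nbelt, pwstr_rarray, flags)
        with ClosingEvtHandle(ctx):
            return list(self.render(ctx, gdef.EvtRenderEventValues))

    def _context_values(self, context_flags):
        """Render every value of a value-less render context (System or User section)."""
        ctx = windows.winproxy.EvtCreateRenderContext(0, None, context_flags)
        with ClosingEvtHandle(ctx):
            return [r.value for r in self.render(ctx, gdef.EvtRenderEventValues)]

    def system_values(self):
        """The ``Event/System`` values, indexable by the ``EvtSystem*`` property ids"""
        return self._context_values(gdef.EvtRenderContextSystem)

    def event_values(self):
        """The user (``EventData``/``UserData``) values of the event, in template order"""
        return self._context_values(gdef.EvtRenderContextUser)

    # Properties around common Event/System values

    @property
    def provider(self):
        """The provider of the event"""
        return self.system_values()[gdef.EvtSystemProviderName]

    @property
    def computer(self):
        """The computer that generated the event"""
        return self.system_values()[gdef.EvtSystemComputer]

    @property
    def id(self):
        """The ID of the Event"""
        return self.value("Event/System/EventID")

    @property
    def version(self):
        """The version of the Event"""
        return self.value("Event/System/Version")

    @property
    def level(self):
        """The level of the Event"""
        return self.value("Event/System/Level")

    @property
    def opcode(self):
        """The opcode of the Event"""
        return self.value("Event/System/Opcode")

    @property
    def time_created(self):
        """The creation time of the Event (``SystemTime`` attribute, a FILETIME)"""
        return self.value("Event/System/TimeCreated/@SystemTime")

    @property
    def pid(self):
        """The process ID of the Event"""
        return self.value("Event/System/Execution/@ProcessID")

    @property
    def tid(self):
        """The thread ID of the Event"""
        return self.value("Event/System/Execution/@ThreadID")

    @property
    def error_payload(self):
        """The raw ``ProcessingErrorData/EventPayload`` as a ``bytearray``, ``None`` when absent"""
        raw = self.value("Event/ProcessingErrorData/EventPayload")
        return bytearray(raw) if raw is not None else None

    @property
    def user(self):
        """The User ID (SID) associated with the Event"""
        return self.system_values()[gdef.EvtSystemUserID]

    @property
    def metadata(self):
        """The metadata (event definition) of the current Event.

        Resolved through ``self.channel`` (required): by event id in the channel's owning
        publisher first, then by the event's provider for classic channels
        (Application/System style logs mix several providers).
        Raises ``NotImplementedError`` for events of an :class:`EvtFile`, which has no config.

        :type: :class:`EventMetadata`
        """
        try:
            return self.channel.get_event_metadata(self.id)
        except KeyError:
            if not self.channel.config.classic:
                raise
            # id not found: try via the Provider of the event (classic channel)
            return self.channel.get_classic_event_metadata(self.id, self.provider)

    @property
    def data(self):
        """A dict ``{data field name: value}`` of the event's user data, names taken from
        the event template (``metadata``).

        Only template fields of type "data" are named; ``zip`` stops at the shorter of
        (names, values), so a template with struct fields or a mismatched template
        silently yields a partial/misaligned dict. For classic channels without usable
        metadata, or for :class:`EvtFile` events, use :meth:`xml_data` instead.

        :type: :class:`dict`
        """
        event_data_name = (i["name"] for i in self.metadata.event_data if i["type"] == "data")
        return {k: v for k, v in zip(event_data_name, self.event_values())}

    @staticmethod
    def _node_text(node):
        """Text of a leaf element (``""`` when it has no child)."""
        return node.firstChild.nodeValue if node.hasChildNodes() else ""

    @staticmethod
    def _add_field(res, name, value):
        """Store ``value`` under ``name``; a repeated name turns the entry into a list of
        all its values in document order (a template field with a ``count`` attribute
        renders as several ``Data`` elements sharing one ``Name`` -- TODO confirm)."""
        if name not in res:
            res[name] = value
        elif isinstance(res[name], list):
            res[name].append(value)
        else:
            res[name] = [res[name], value]

    def xml_data(self):
        """The event's user data parsed from its rendered XML, as ``{name: text}``.

        Handles both layouts:

            <EventData><Data Name='FIELD_NAME'>FIELD_VALUE</Data>...</EventData>
            <UserData><EventXML xmlns='...'><FIELD_NAME>FIELD_VALUE</FIELD_NAME>...</EventXML></UserData>

        A ``Data`` element without a ``Name`` (old Windows PowerShell events) is keyed
        by its position. Repeated names are collected into a list rather than overwritten.
        The XML is produced by ``EvtRender`` from the record's binary XML, but for an
        :class:`EvtFile` taken from another host the field *values* are untrusted input.
        """
        xmlevt = xml.dom.minidom.parseString(self.render_xml())
        res = {}
        if xmlevt.getElementsByTagName("EventData"):
            # Searched document-wide (not only below EventData), as before.
            for i, datanode in enumerate(xmlevt.getElementsByTagName("Data")):
                name = datanode.getAttribute("Name") or str(i)
                self._add_field(res, name, self._node_text(datanode))
        userdata = xmlevt.getElementsByTagName("UserData")
        if userdata:
            # Assumes UserData's first child is the wrapper element and its children are
            # elements (no whitespace text nodes) -- holds for EvtRender output so far.
            for datanode in userdata[0].firstChild.childNodes:
                self._add_field(res, datanode.tagName, self._node_text(datanode))
        return res

    @property
    def date(self):
        """``Event.time_created`` as a :class:``datetime``"""
        return windows.utils.datetime_from_filetime(self.time_created)

    def __repr__(self):
        creation_time = windows.utils.datetime_from_filetime(self.time_created)
        return '<{0} id="{self.id}" time="{creation_time}">'.format(type(self).__name__, self=self, creation_time=creation_time)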
class ImprovedEVT_VARIANT(gdef.EVT_VARIANT):
    """``EVT_VARIANT`` with a typed ``value`` accessor and a ``from_value`` builder.

    Instances are usually overlaid with ``from_buffer`` on the buffer an ``EvtGet*`` /
    ``EvtRender`` call filled (see the helpers at the top of the file); pointer members
    (strings, binary, GUID, arrays) then point into that buffer, which ``from_buffer``
    keeps alive for the lifetime of the variant.
    """
    # Variant type -> name of the union member holding a value of that type.
    VALUE_MAPPER = {
        gdef.EvtVarTypeNull : 'NoneValue',
        gdef.EvtVarTypeString : 'StringVal',
        gdef.EvtVarTypeAnsiString : 'AnsiStringVal',
        gdef.EvtVarTypeSByte : 'SByteVal',
        gdef.EvtVarTypeByte : 'ByteVal',
        gdef.EvtVarTypeInt16 : 'Int16Val',
        gdef.EvtVarTypeUInt16 : 'UInt16Val',
        gdef.EvtVarTypeInt32 : 'Int32Val',
        gdef.EvtVarTypeUInt32 : 'UInt32Val',
        gdef.EvtVarTypeInt64 : 'Int64Val',
        gdef.EvtVarTypeUInt64 : 'UInt64Val',
        gdef.EvtVarTypeSingle : 'SingleVal',
        gdef.EvtVarTypeDouble : 'DoubleVal',
        gdef.EvtVarTypeBoolean : 'BooleanVal',
        gdef.EvtVarTypeBinary : 'BinaryVal',
        gdef.EvtVarTypeGuid : 'GuidVal',
        gdef.EvtVarTypeSizeT : 'SizeTVal',
        gdef.EvtVarTypeFileTime : 'FileTimeVal',
        gdef.EvtVarTypeSysTime : 'SysTimeVal',
        gdef.EvtVarTypeSid : 'SidVal',
        gdef.EvtVarTypeHexInt32 : 'UInt32Val',
        gdef.EvtVarTypeHexInt64 : 'UInt64Val',
        gdef.EvtVarTypeEvtHandle : 'EvtHandleVal',
        gdef.EvtVarTypeEvtXml : 'XmlVal',
        # Array types: only these four are mapped; any other array type raises KeyError in ``value``.
        # TODO: generic handling of every array type.
        gdef.EvtVarTypeString + gdef.EVT_VARIANT_TYPE_ARRAY : "StringArr",
        gdef.EvtVarTypeUInt16 + gdef.EVT_VARIANT_TYPE_ARRAY : "UInt16Arr",
        gdef.EvtVarTypeUInt32 + gdef.EVT_VARIANT_TYPE_ARRAY : "UInt32Arr",
        gdef.EvtVarTypeUInt64 + gdef.EVT_VARIANT_TYPE_ARRAY : "UInt64Arr",
    }
    # "Member" read for EvtVarTypeNull: a class attribute, so getattr(self, 'NoneValue') is None.
    NoneValue = None

    @property
    def Type(self):
        """The raw ``Type`` field mapped to its ``EVT_VARIANT_TYPE`` enum value when the
        mapper knows it; otherwise the raw integer (array types, unknown values)."""
        raw_type = super(ImprovedEVT_VARIANT, self).Type
        return gdef.EVT_VARIANT_TYPE.mapper.get(raw_type, raw_type)

    @property
    def value(self):  # Prototype !!
        """The payload as a Python value, chosen by ``Type`` through ``VALUE_MAPPER``.

        Binary and array payloads are sliced to ``Count`` elements; a GUID pointer is
        dereferenced. ``KeyError`` for a type missing from ``VALUE_MAPPER``.
        """
        attrname = self.VALUE_MAPPER[self.Type]
        v = getattr(self, attrname)
        if self.Type == gdef.EvtVarTypeBinary:
            v = v[:self.Count] # No need for a raw UBYTE ptr
        elif self.Type == gdef.EvtVarTypeGuid:
            v = v[0] # Deref LP_GUID
        elif self.Type & gdef.EVT_VARIANT_TYPE_ARRAY:
            # TODO: handle all array type
            v = v[:self.Count]
        return v

    @classmethod
    def from_value(cls, value, vtype=None):
        """Build a variant holding ``value``.

        With ``vtype`` None the type is guessed: integers -> UInt64, text -> String,
        Python 3 ``bytes`` -> Binary (copied into a BYTE buffer). On Python 2 ``bytes``
        is ``str`` and is caught by the ``basestring`` branch first, so the Binary
        branch is Python 3 only. Anything else raises ``NotImplementedError``.
        ``Count`` is set to ``len(value)`` for Binary and String only.
        """
        if vtype is None:
            # Guess type
            if isinstance(value, int_types):
                vtype = gdef.EvtVarTypeUInt64
            elif isinstance(value, basestring):
                vtype = gdef.EvtVarTypeString
            elif isinstance(value, bytes):
                # not basestring and bytes -> py3 bytes
                vtype = gdef.EvtVarTypeBinary
                value = windows.utils.BUFFER(gdef.BYTE).from_buffer_copy(value)
            else:
                raise NotImplementedError("LATER")
        self = cls()
        # The ``Type`` property above has no setter: write the raw field through the
        # base-class descriptor instead.
        super(ImprovedEVT_VARIANT, ImprovedEVT_VARIANT).Type.__set__(self, vtype)
        attrname = self.VALUE_MAPPER[self.Type]
        setattr(self, attrname, value)
        if self.Type in (gdef.EvtVarTypeBinary, gdef.EvtVarTypeString):
            self.Count = len(value)
        return self

    def __repr__(self):
        return "<{0} of type={1}>".format(type(self).__name__, self.Type)
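class EvtChannel(object):
    """An Event Log channel, addressed by ``name`` (e.g. ``"Security"``).

    Two lazily-filled caches back :attr:`EvtEvent.metadata`:
    ``event_metadata_by_id`` for the owning publisher of the channel and
    ``classic_event_metadata_by_id`` (provider name -> {id: metadata}) for classic
    channels where events come from several providers.
    """
    DEFAULT_QUERY_FLAGS = gdef.EvtQueryChannelPath + gdef.EvtQueryForwardDirection

    def __init__(self, name):
        self.name = name
        self.event_metadata_by_id = {}
        self.classic_event_metadata_by_id = {}  # For classic only

    def query(self, filter=None, ids=None, timeout=None):
        """Query the events with the ``ids`` or perform a query with the raw query ``filter``

        Both parameters are mutually exclusive. ``ids`` may be one integer or an iterable
        of integers; every id is passed through ``int()`` before being spliced into the
        XPath, so caller-supplied strings cannot inject query syntax (``ValueError`` for
        anything that is not an integer).

        .. note:: Here are some query examples

            List all events with an event data attribute named 'RuleName':
                ``Event/EventData/Data[@Name='RuleName']``

            List all events with an event data value of 'C:\\\\WINDOWS\\\\System32\\\\svchost.exe':
                ``Event/EventData[Data='C:\\WINDOWS\\System32\\svchost.exe']``

            List all events with an EventID of 2006:
                ``Event/System[EventID=2006]``

            List all events with a given EventID while searching for a specific field value (Sysmon for the test here)
                ``Event/System[EventID=3] and Event/EventData/Data[@Name='DestinationIp'] and Event/EventData[Data='10.0.0.2']``

        :rtype: :class:`EvtQuery`
        """
        if ids is not None and filter is not None:
            raise ValueError("<ids> and <filter> are mutually exclusive")
        if ids is not None:
            if isinstance(ids, int_types):
                ids = (ids,)
            ids_filter = " or ".join("EventID={0}".format(int(event_id)) for event_id in ids)
            filter = "Event/System[{0}]".format(ids_filter)
        query_handle = winproxy.EvtQuery(None, self.name, filter, self.DEFAULT_QUERY_FLAGS)
        return EvtQuery(query_handle, self, timeout=timeout)

    @property
    def events(self):
        """The list of all events in the channel, an alias for ``channel.query().all()``
        (materializes everything: large logs such as Security may not fit in memory).

        :type: [:class:`EvtEvent`] -- A list of :class:`EvtEvent`
        """
        return self.query().all()

    @property
    def config(self):
        """The configuration of the channel (a new ``EvtOpenChannelConfig`` handle on every access)

        :type: :class:`ChannelConfig`
        """
        return ChannelConfig.from_channel_name(self.name)

    def get_event_metadata(self, id):
        """Return the metadata for the event ID ``id`` defined by the channel's owning publisher.

        The cache is (re)built from the publisher on a miss, so an id the publisher
        does not define rebuilds it on every call before raising ``KeyError``.

        :rtype: :class:`EventMetadata`
        """
        try:
            return self.event_metadata_by_id[id]
        except KeyError:
            pass
        pub_metadata = self.config.publisher.metadata
        self.event_metadata_by_id = {evtm.id: evtm for evtm in pub_metadata.events_metadata}
        return self.event_metadata_by_id[id]

    def get_classic_event_metadata(self, id, providername):
        """Return the metadata for event ``id`` of provider ``providername`` (classic channels).

        The provider's events are enumerated once and cached by provider name.
        ``KeyError`` if the provider does not define ``id``.

        :rtype: :class:`EventMetadata`
        """
        if providername not in self.classic_event_metadata_by_id:
            publisher = EvtPublisher(providername)
            events_metadata = {x.id: x for x in publisher.metadata.events_metadata}
            self.classic_event_metadata_by_id[providername] = events_metadata
        return self.classic_event_metadata_by_id[providername][id]

    def __repr__(self):
        return '<{0} "{1}">'.format(type(self).__name__, self.name)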
class EvtFile(EvtChannel):
    """An exported ``.evtx`` file, queried like a channel (``name`` is the file path and
    ``EvtQueryFilePath`` replaces ``EvtQueryChannelPath`` in the query flags).

    A file has no channel configuration: :attr:`config` raises, and so does anything
    built on it (:meth:`EvtChannel.get_event_metadata`, hence :attr:`EvtEvent.metadata`
    and :attr:`EvtEvent.data`); use :meth:`EvtEvent.xml_data` on these events.
    Field values of a file taken from another host are untrusted input.
    """
    DEFAULT_QUERY_FLAGS = gdef.EvtQueryFilePath + gdef.EvtQueryForwardDirection

    @property
    def config(self):
        """Not implemented for EvtFile

        :raise: :class:`NotImplementedError`
        """
        raise NotImplementedError("Cannot retrieve the configuration of an EvtFile")
class ChannelConfig(EvtHandle):
    """Configuration handle of an event channel (``EvtOpenChannelConfig``); every
    property below is one ``EvtGetChannelConfigProperty`` call through ``chaninfo``."""

    def __init__(self, handle, name=None):
        super(ChannelConfig, self).__init__(handle)
        self.name = name

    @classmethod
    def from_channel_name(cls, name):
        """Open the configuration of channel ``name`` on the local machine (no session, no flags)"""
        return cls(winproxy.EvtOpenChannelConfig(None, name, 0), name)

    def _config_value(self, propertyid):
        return chaninfo(self, propertyid).value

    @property
    def publisher(self):
        """The :class:`EvtPublisher` owning the channel"""
        return EvtPublisher(self._config_value(gdef.EvtChannelConfigOwningPublisher))

    def publishers(self):
        """The :class:`EvtPublisher` of every provider that publishes to the channel (a list)"""
        return [EvtPublisher(pub_name) for pub_name in self._config_value(gdef.EvtChannelPublisherList)]

    @property
    def keywords(self):
        """The keyword mask of the channel's publishing configuration, as an int"""
        return int(self._config_value(gdef.EvtChannelPublishingConfigKeywords))

    @property
    def enabled(self):
        """``True`` if the channel is enabled"""
        return bool(self._config_value(gdef.EvtChannelConfigEnabled))

    @property
    def classic(self):
        """``True`` if the channel is a classic event channel (for example the Application or System log)"""
        return bool(self._config_value(gdef.EvtChannelConfigClassicEventlog))

    def __repr__(self):
        return '<{0} "{1}">'.format(type(self).__name__, self.name)
class PublisherMetadataChannel(object):
    """One channel reference of a provider, read from ``pub_metadata.chanrefs``
    (see https://docs.microsoft.com/en-us/windows/win32/api/winevt/ne-winevt-evt_publisher_metadata_property_id).

    ``channel_id`` is the element index in that object array, not the channel's ``id``.
    """

    def __init__(self, pub_metadata, channel_id):
        super(PublisherMetadataChannel, self).__init__()
        self.pub_metadata = pub_metadata
        self._id = channel_id

    def _query_channel_metadata_property(self, propertyid):
        # Each call re-reads the chanrefs array from the publisher metadata.
        array = self.pub_metadata.chanrefs
        return array.property(propertyid, self._id)

    @property
    def flags(self):
        """The flags of the ``PublisherMetadataChannel``"""
        return int(self._query_channel_metadata_property(gdef.EvtPublisherMetadataChannelReferenceFlags))

    @property
    def name(self):
        """The name (path) of the ``PublisherMetadataChannel``"""
        return str(self._query_channel_metadata_property(gdef.EvtPublisherMetadataChannelReferencePath))

    @property
    def id(self):
        """The reference id of the ``PublisherMetadataChannel``"""
        return int(self._query_channel_metadata_property(gdef.EvtPublisherMetadataChannelReferenceID))

    @property
    def index(self):
        """The reference index of the ``PublisherMetadataChannel``"""
        return int(self._query_channel_metadata_property(gdef.EvtPublisherMetadataChannelReferenceIndex))

    @property
    def message_id(self):
        """The message id of the ``PublisherMetadataChannel``"""
        return int(self._query_channel_metadata_property(gdef.EvtPublisherMetadataChannelReferenceMessageID))
class PublisherMetadataLevel(object):
    """One level defined by a provider, read from ``pub_metadata.levelrefs``
    (see https://docs.microsoft.com/en-us/windows/win32/api/winevt/ne-winevt-evt_publisher_metadata_property_id).

    ``channel_id`` is the element index in that object array (parameter name kept for
    compatibility with the sibling classes).
    """

    def __init__(self, pub_metadata, channel_id):
        super(PublisherMetadataLevel, self).__init__()
        self.pub_metadata = pub_metadata
        self._id = channel_id

    def _query_level_metadata_property(self, propertyid):
        array = self.pub_metadata.levelrefs
        return array.property(propertyid, self._id)

    @property
    def name(self):
        """The name of the level"""
        return str(self._query_level_metadata_property(gdef.EvtPublisherMetadataLevelName))

    @property
    def value(self):
        """The numeric value of the level"""
        return int(self._query_level_metadata_property(gdef.EvtPublisherMetadataLevelValue))

    @property
    def message_id(self):
        """The message id of the level"""
        return int(self._query_level_metadata_property(gdef.EvtPublisherMetadataLevelMessageID))
class PublisherMetadataOpcode(object):
    """One opcode defined by a provider, read from ``pub_metadata.opcoderefs``
    (see https://docs.microsoft.com/en-us/windows/win32/api/winevt/ne-winevt-evt_publisher_metadata_property_id).

    ``channel_id`` is the element index in that object array (parameter name kept for
    compatibility with the sibling classes).
    """

    def __init__(self, pub_metadata, channel_id):
        super(PublisherMetadataOpcode, self).__init__()
        self.pub_metadata = pub_metadata
        self._id = channel_id

    def _query_opcode_metadata_property(self, propertyid):
        array = self.pub_metadata.opcoderefs
        return array.property(propertyid, self._id)

    @property
    def name(self):
        """The name of the ``PublisherMetadataOpcode``"""
        return str(self._query_opcode_metadata_property(gdef.EvtPublisherMetadataOpcodeName))

    @property
    def value(self):
        """The opcode value of the ``PublisherMetadataOpcode``"""
        return int(self._query_opcode_metadata_property(gdef.EvtPublisherMetadataOpcodeValue))

    @property
    def message_id(self):
        """The message id of the ``PublisherMetadataOpcode``"""
        return int(self._query_opcode_metadata_property(gdef.EvtPublisherMetadataOpcodeMessageID))
class PublisherMetadataKeyword(object):
    """One keyword defined by a provider, read from ``pub_metadata.keywordrefs``
    (see https://docs.microsoft.com/en-us/windows/win32/api/winevt/ne-winevt-evt_publisher_metadata_property_id).

    ``channel_id`` is the element index in that object array (parameter name kept for
    compatibility with the sibling classes).
    """

    def __init__(self, pub_metadata, channel_id):
        super(PublisherMetadataKeyword, self).__init__()
        self.pub_metadata = pub_metadata
        self._id = channel_id

    def _query_keyword_metadata_property(self, propertyid):
        array = self.pub_metadata.keywordrefs
        return array.property(propertyid, self._id)

    @property
    def name(self):
        """The name of the ``PublisherMetadataKeyword``"""
        return str(self._query_keyword_metadata_property(gdef.EvtPublisherMetadataKeywordName))

    @property
    def value(self):
        """The value (bit mask) of the ``PublisherMetadataKeyword``"""
        return int(self._query_keyword_metadata_property(gdef.EvtPublisherMetadataKeywordValue))

    @property
    def message_id(self):
        """The message id of the ``PublisherMetadataKeyword``"""
        return int(self._query_keyword_metadata_property(gdef.EvtPublisherMetadataKeywordMessageID))
class PublisherMetadataTask(object):
    """One task defined by a provider, read from ``pub_metadata.taskrefs``
    (see https://docs.microsoft.com/en-us/windows/win32/api/winevt/ne-winevt-evt_publisher_metadata_property_id).

    ``channel_id`` is the element index in that object array (parameter name kept for
    compatibility with the sibling classes).
    """

    def __init__(self, pub_metadata, channel_id):
        super(PublisherMetadataTask, self).__init__()
        self.pub_metadata = pub_metadata
        self._id = channel_id

    def _query_task_metadata_property(self, propertyid):
        array = self.pub_metadata.taskrefs
        return array.property(propertyid, self._id)

    @property
    def name(self):
        """The name of the ``PublisherMetadataTask``"""
        return str(self._query_task_metadata_property(gdef.EvtPublisherMetadataTaskName))

    @property
    def value(self):
        """The value of the ``PublisherMetadataTask``"""
        return int(self._query_task_metadata_property(gdef.EvtPublisherMetadataTaskValue))

    @property
    def event_guid(self):
        """The event GUID of the ``PublisherMetadataTask`` (returned as-is, not converted)"""
        return self._query_task_metadata_property(gdef.EvtPublisherMetadataTaskEventGuid)

    @property
    def message_id(self):
        """The message id of the ``PublisherMetadataTask``"""
        return int(self._query_task_metadata_property(gdef.EvtPublisherMetadataTaskMessageID))
class EvtPublisher(object):
    """An event provider, identified by ``name``; nothing is opened until
    :attr:`metadata` is read."""

    def __init__(self, name):
        self.name = name

    @property
    def metadata(self):
        """Return the metadata for this publisher (a new handle on every access)

        :type: :class:`PublisherMetadata`
        """
        return PublisherMetadata.from_publisher_name(self.name)

    def __repr__(self):
        cls_name = type(self).__name__
        return '<{0} "{1}">'.format(cls_name, self.name)
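class PublisherMetadata(EvtHandle):
    """Metadata handle of an event provider (``EvtOpenPublisherMetadata``): its GUID,
    the channels/levels/opcodes/keywords/tasks it declares, its event definitions and
    its message resources. ``name`` is only kept for ``__repr__``."""

    def __init__(self, handle, name=None):
        super(PublisherMetadata, self).__init__(handle)
        self.name = name

    @classmethod
    def from_publisher_name(cls, name):
        """The :class:`PublisherMetadata` for the publisher ``name`` on the local machine
        (no session, no log file, locale ``0`` = caller's, no flags)"""
        return cls(winproxy.EvtOpenPublisherMetadata(None, name, None, 0, 0), name)

    @property
    def guid(self):
        """The GUID associated with this provider

        :type: :class:`GUID` -- the GUID in a XXXXXXXXXX-YYYY-ZZZZ-TTTT-VVVVVVVVVV form
        """
        return publishinfo(self, gdef.EvtPublisherMetadataPublisherGuid).value

    def _object_array(self, propertyid):
        """The object-array handle behind ``propertyid``, wrapped in a :class:`PropertyArray`."""
        return PropertyArray(publishinfo(self, propertyid).value)

    @property
    def chanrefs(self):
        """Identifies the channels child element of the provider.

        :type: :class:`PropertyArray`
        """
        return self._object_array(gdef.EvtPublisherMetadataChannelReferences)

    @property
    def levelrefs(self):
        """Identifies the levels child element of the provider.

        :type: :class:`PropertyArray`
        """
        return self._object_array(gdef.EvtPublisherMetadataLevels)

    @property
    def opcoderefs(self):
        """Identifies the opcodes child element of the provider.

        :type: :class:`PropertyArray`
        """
        return self._object_array(gdef.EvtPublisherMetadataOpcodes)

    @property
    def keywordrefs(self):
        """The list of keywords defined by this provider

        :type: :class:`PropertyArray`
        """
        return self._object_array(gdef.EvtPublisherMetadataKeywords)

    @property
    def taskrefs(self):
        """The list of tasks defined by this provider

        :type: :class:`PropertyArray`
        """
        return self._object_array(gdef.EvtPublisherMetadataTasks)

    @property
    def channels_metadata(self):
        """The :class:`PublisherMetadataChannel` for each channel this provider defines

        :type: [:class:`PublisherMetadataChannel`]
        """
        return [PublisherMetadataChannel(self, i) for i in range(self.chanrefs.size)]

    @property
    def levels_metadata(self):
        """The :class:`PublisherMetadataLevel` for each level this provider defines

        :type: [:class:`PublisherMetadataLevel`]
        """
        return [PublisherMetadataLevel(self, i) for i in range(self.levelrefs.size)]

    @property
    def opcodes_metadata(self):
        """The :class:`PublisherMetadataOpcode` for each opcode this provider defines

        :type: [:class:`PublisherMetadataOpcode`]
        """
        return [PublisherMetadataOpcode(self, i) for i in range(self.opcoderefs.size)]

    @property
    def tasks_metadata(self):
        """The :class:`PublisherMetadataTask` for each task this provider defines

        :type: [:class:`PublisherMetadataTask`]
        """
        return [PublisherMetadataTask(self, i) for i in range(self.taskrefs.size)]

    @property
    def keywords_metadata(self):
        """The :class:`PublisherMetadataKeyword` for each keyword this provider defines

        :type: [:class:`PublisherMetadataKeyword`]
        """
        return [PublisherMetadataKeyword(self, i) for i in range(self.keywordrefs.size)]

    @property
    def events_metadata(self):
        """The :class:`EventMetadata` for each event this provider defines (a generator;
        the enumeration handle is closed when it is exhausted or dropped)

        :yield: :class:`EventMetadata`
        """
        eh = winproxy.EvtOpenEventMetadataEnum(self, 0)
        with ClosingEvtHandle(eh):
            while True:
                try:
                    nh = windows.winproxy.EvtNextEventMetadata(eh, 0)
                except WindowsError as e:
                    if e.winerror != gdef.ERROR_NO_MORE_ITEMS:
                        raise
                    break
                yield EventMetadata(nh)

    @property
    def channel_name_by_id(self):
        """The dict of channels defined by this provider: reference id -> channel path

        :type: :class:`dict`
        """
        chansref = self.chanrefs
        channame_by_value_id = {}
        for i in range(chansref.size):
            value = chansref.property(gdef.EvtPublisherMetadataChannelReferenceID, i)
            name = chansref.property(gdef.EvtPublisherMetadataChannelReferencePath, i)
            channame_by_value_id[value] = name
        return channame_by_value_id

    @property
    def channels(self):
        """The list of :class:`EvtChannel` defined by this provider

        :type: [:class:`EvtChannel`] -- A list of :class:`EvtChannel`
        """
        chansref = self.chanrefs
        propertyid = gdef.EvtPublisherMetadataChannelReferencePath
        return [EvtChannel(chansref.property(propertyid, i)) for i in range(chansref.size)]

    def _format_message(self, msgid, nchars):
        """One ``EvtFormatMessage`` call for ``msgid`` into a ``nchars``-WCHAR buffer.

        The buffer is allocated in WCHARs because ``BufferSize``/``BufferUsed`` of
        ``EvtFormatMessage`` are character counts, not byte counts; allocating bytes and
        passing the same number as a character count let the API write past the buffer.

        :return: ``(text, chars_needed)``: ``text`` is ``None`` when the buffer was too
                 small (``ERROR_INSUFFICIENT_BUFFER``). ``ERROR_EVT_UNRESOLVED_VALUE_INSERT``
                 is tolerated (no insert values are passed, so ``%n`` placeholders stay
                 unresolved and the text is still returned). Other errors propagate.
        """
        buffer = ctypes.create_unicode_buffer(nchars)
        sbuff = ctypes.cast(buffer, gdef.LPWSTR)
        outsize = gdef.DWORD()
        try:
            winproxy.EvtFormatMessage(self, None, msgid, 0, None, gdef.EvtFormatMessageId, nchars, sbuff, outsize)
        except WindowsError as e:
            if e.winerror == gdef.ERROR_INSUFFICIENT_BUFFER:
                return None, outsize.value
            if e.winerror != gdef.ERROR_EVT_UNRESOLVED_VALUE_INSERT:
                raise
        return sbuff.value, outsize.value

    def message(self, msgid):
        """The message string ``msgid`` of this provider's message resources, with
        insert placeholders left unresolved.

        Starts with a 4096-character buffer and retries once with the size the API asks
        for when that is too small.
        """
        text, needed = self._format_message(msgid, 0x1000)
        if text is None:
            text, needed = self._format_message(msgid, needed)
        if text is None:
            # The API asked for ``needed`` characters and still refused: do not loop forever.
            raise ctypes.WinError(gdef.ERROR_INSUFFICIENT_BUFFER)
        return text

    @property
    def message_id(self):
        """The ``EvtPublisherMetadataPublisherMessageID`` property (message id of the provider's own display name)"""
        return publishinfo(self, gdef.EvtPublisherMetadataPublisherMessageID).value

    @property
    def message_filepath(self):
        """The ``EvtPublisherMetadataMessageFilePath`` property (the provider's message file path)"""
        return publishinfo(self, gdef.EvtPublisherMetadataMessageFilePath).value

    @property
    def message_resource_filepath(self):
        """The ``EvtPublisherMetadataResourceFilePath`` property (the provider's resource file path)"""
        return publishinfo(self, gdef.EvtPublisherMetadataResourceFilePath).value

    @property
    def message_parameter_filepath(self):
        """The ``EvtPublisherMetadataParameterFilePath`` property (the provider's parameter file path)"""
        return publishinfo(self, gdef.EvtPublisherMetadataParameterFilePath).value

    def __repr__(self):
        return '<{0} "{1}">'.format(type(self).__name__, self.name)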
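class PropertyArray(gdef.EVT_OBJECT_ARRAY_PROPERTY_HANDLE):
    """An ``EVT_OBJECT_ARRAY_PROPERTY_HANDLE`` (the ``ChannelReferences`` / ``Levels`` /
    ``Opcodes`` / ``Keywords`` / ``Tasks`` properties of :class:`PublisherMetadata`): a
    fixed-size array of objects whose per-element properties are read with
    ``EvtGetObjectArrayProperty``.

    The handle must be released with ``EvtClose``; like :class:`EvtHandle` this wrapper
    closes it when collected, so transient ``pub.chanrefs.property(...)`` calls no longer
    leak one handle each.
    """
    # Plain function on the class so the lookup binds ``self`` (the handle) as the argument.
    _close_function = windows.winproxy.EvtClose

    def __del__(self):
        # A NULL handle was never opened: nothing to close.
        if not bool(self):
            return
        self._close_function()

    @property
    def size(self):
        """The number of elements in the array (``EvtGetObjectArraySize``)"""
        array_size = gdef.DWORD()
        windows.winproxy.EvtGetObjectArraySize(self, array_size)
        return array_size.value

    def property(self, type, index):
        """The value of property ``type`` (an ``EvtPublisherMetadata*`` property id) of element ``index``"""
        return arrayproperty(self, type, index).value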
class EventMetadata(EvtHandle):
"""The Metadata about a given Event type
see: https://msdn.microsoft.com/en-us/library/windows/desktop/aa385517(v=vs.85).aspx
"""
@property
def id(self):
    """The ID of the Event definition, reduced to its low 16 bits.

    https://docs.microsoft.com/en-us/windows/desktop/wes/eventschema-systempropertiestype-complextype
    (Qualifiers): a legacy provider uses a 32-bit number to identify its events; in
    a logged event ``EventID`` then carries the low-order 16 bits and the
    ``Qualifiers`` attribute the high-order 16 bits. Masking here makes the metadata
    id comparable with ``EvtEvent.id``.
    [Question] Only true for legacy provider / channels ??
    """
    full_id = eventinfo(self, gdef.EventMetadataEventID).value
    return 0xffff & full_id
@property
def version(self):
    """The version attribute of the Event definition"""
    variant = eventinfo(self, gdef.EventMetadataEventVersion)
    return variant.value
@property
def channel_id(self):
    """The Channel attribute of the Event definition (a reference id, see
    ``PublisherMetadata.channel_name_by_id`` to map it to a channel path)"""
    variant = eventinfo(self, gdef.EventMetadataEventChannel)
    return variant.value
@property
def keyword(self):
    """The keyword attribute of the Event definition"""
    variant = eventinfo(self, gdef.EventMetadataEventKeyword)
    return variant.value
@property
def opcode(self):
    """The opcode attribute of the Event definition"""
    variant = eventinfo(self, gdef.EventMetadataEventOpcode)
    return variant.value
@property
def level(self):
    """The level attribute of the Event definition"""
    variant = eventinfo(self, gdef.EventMetadataEventLevel)
    return variant.value
@property
def task(self):
    """The task attribute of the Event definition"""
    variant = eventinfo(self, gdef.EventMetadataEventTask)
    return variant.value
@property
def message_id(self):
    """Identifies the message attribute of the event definition
    (resolve it with ``PublisherMetadata.message``)."""
    variant = eventinfo(self, gdef.EventMetadataEventMessageID)
    return variant.value
@property
def template(self):
    """Identifies the template attribute of the event definition, an XML string
    (``<template>`` with ``<data>``/``<struct>`` children)."""
    variant = eventinfo(self, gdef.EventMetadataEventTemplate)
    return variant.value
def _parse_event_template_data_element(self, element):
    """Turn one ``<data>`` element of an event template into a dict.

    Always present: ``type`` (``"data"``), ``name``, ``inType``, ``outType``
    (``KeyError`` if the element lacks one of the three attributes). ``count`` and
    ``length`` are copied only when the element carries them. All values are the raw
    attribute strings.
    """
    attrs = element.attributes
    res = {
        "type": "data",
        "name": attrs["name"].value,
        "inType": attrs["inType"].value,
        "outType": attrs["outType"].value,
    }
    for optional in ("count", "length"):
        attr_node = attrs.get(optional, None)
        if attr_node:
            res[optional] = attr_node.value
    return res
def _parse_event_template_struct_element(self, element):
    """Turn one ``<struct>`` element of an event template into a dict:
    ``{"type": "struct", "name": ..., "fields": [...]}`` where each field is the
    result of :meth:`_parse_event_template_data_element` on a child *element*
    (text/comment children are skipped).
    """
    children = element.childNodes
    element_children = [child for child in children if child.nodeType == child.ELEMENT_NODE]
    return {
        "type": "struct",
        "name": element.attributes["name"].value,
        "fields": [self._parse_event_template_data_element(child) for child in element_children],
    }
def _event_data_generator(self, template):
xmldoc = xml.dom.minidom.parseString(template)
xmltemplate = xmldoc.getElementsByTagName("template")[0]
for element in (n for n in xmltemplate.childNodes if n.nodeType == n.ELEMENT_NODE):
if element.tagName == "data":