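public static BinaryEventLogRecord Fetch(BinaryReader reader)
        {
            // Reads one variable-length record from the current position of `reader` into a
            // BinaryEventLogRecord. The first DWORD of a record is its total length: it is peeked,
            // the stream is rewound, and the complete record (header included) is read into one
            // buffer so that every offset carried in the record header applies to that buffer.
            // Throws EndOfStreamException when the file ends inside the record and
            // InvalidDataException when a length or offset taken from the file does not fit the record.
            uint recordLength = reader.ReadUInt32();
            reader.BaseStream.Seek(-4, SeekOrigin.Current);

            // The length is read from the file and is untrusted: it must at least cover the fixed
            // header and must fit an int before it is used as an allocation size.
            long declaredLength = recordLength;
            if (declaredLength < Globals.MetadataSize || declaredLength > int.MaxValue)
            {
                throw new InvalidDataException(
                    "Event log record length " + declaredLength + " is outside the supported range.");
            }

            byte[] recordBytes = reader.ReadBytes((int)declaredLength);
            // ReadBytes returns a shorter array at end of stream instead of throwing; a truncated
            // record must not be parsed as if it were complete.
            if (recordBytes.Length != declaredLength)
            {
                throw new EndOfStreamException(
                    "Event log record is truncated: expected " + declaredLength + " bytes, read " + recordBytes.Length + ".");
            }

            BinaryEventLogRecord eventLog = new BinaryEventLogRecord();
            eventLog._metadata = Metadata.Fetch(recordBytes);

            // Variable-length fields follow the fixed header: source name and computer name
            // (NUL-terminated UTF-16), then the user SID, then the message strings.
            int cursor = Globals.MetadataSize;
            eventLog._sourceName = extractString(recordBytes, cursor);
            cursor += eventLog._sourceName.Length * Globals.UnicodeCharSize + Globals.NullCharSize;
            eventLog._computerName = extractString(recordBytes, cursor);
            cursor += eventLog._computerName.Length * Globals.UnicodeCharSize + Globals.NullCharSize;

            long userSidLength = eventLog._metadata.UserSidLength;
            if (userSidLength < 0 || cursor + userSidLength > recordBytes.Length)
            {
                throw new InvalidDataException(
                    "User SID (" + userSidLength + " bytes at offset " + cursor + ") lies outside the record.");
            }
            eventLog._userSid = new byte[userSidLength];
            Array.Copy(recordBytes, cursor, eventLog._userSid, 0, (int)userSidLength);
            cursor += (int)userSidLength;

            // NOTE(review): the message is decoded from the cursor, which assumes the strings block
            // starts right after the SID (cursor == StringOffset); its length comes from the header
            // offsets. A record with padding before StringOffset would need the header offset as the
            // start instead — confirm against the on-disk format.
            long messageLength = (long)eventLog._metadata.DataOffset - eventLog._metadata.StringOffset;
            if (messageLength < 0 || cursor + messageLength > recordBytes.Length)
            {
                throw new InvalidDataException(
                    "Message strings (" + messageLength + " bytes at offset " + cursor + ") lie outside the record.");
            }
            eventLog._message = Encoding.Unicode.GetString(recordBytes, cursor, (int)messageLength);

            // Event-specific binary data sits at DataOffset, relative to the start of the record,
            // so the copy starts there rather than at the first byte of the buffer.
            long dataOffset = eventLog._metadata.DataOffset;
            long dataLength = eventLog._metadata.DataLength;
            if (dataOffset < 0 || dataLength < 0 || dataOffset + dataLength > recordBytes.Length)
            {
                throw new InvalidDataException(
                    "Event data (" + dataLength + " bytes at offset " + dataOffset + ") lies outside the record.");
            }
            eventLog._data = new byte[dataLength];
            Array.Copy(recordBytes, (int)dataOffset, eventLog._data, 0, (int)dataLength);

            return eventLog;
        }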
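        public override void Parse()
        {
            // Parses the whole log file named by _fileName: header, every record that
            // CanHaveALogRecord still reports, then the footer. Header and footer are verified
            // as they are read; records are appended to _records with ContainingFile set to this
            // instance. Exceptions from the fetchers and from Verify() propagate to the caller.
            FileStream logStream = new FileStream(_fileName, FileMode.Open, FileAccess.Read);
            try
            {
                // The reader is kept in a field because the fetchers read through it.
                _logReader = new BinaryReader(logStream);

                _header = Header.Fetch(_logReader);
                _header.Verify();

                while (BinaryEventLogRecord.CanHaveALogRecord(_logReader))
                {
                    BinaryEventLogRecord eventLogRecord = BinaryEventLogRecord.Fetch(_logReader);
                    eventLogRecord.ContainingFile = this;
                    _records.Add(eventLogRecord);
                }

                _footer = Footer.Fetch(_logReader);
                _footer.Verify();
            }
            finally
            {
                // Release the file handle even when a malformed file makes Fetch()/Verify() throw,
                // instead of holding it open until finalization.
                if (_logReader != null)
                {
                    _logReader.Close();
                }
                logStream.Close();
            }
        }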
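        public static BinaryEventLogRecord Fetch(BinaryReader reader)
        {
            // Reads one variable-length record from the current position of `reader` into a
            // BinaryEventLogRecord. The first DWORD of a record is its total length: it is peeked,
            // the stream is rewound, and the complete record (header included) is read into one
            // buffer so that every offset carried in the record header applies to that buffer.
            // Throws EndOfStreamException when the file ends inside the record and
            // InvalidDataException when a length or offset taken from the file does not fit the record.
            uint recordLength = reader.ReadUInt32();
            reader.BaseStream.Seek(-4, SeekOrigin.Current);

            // The length is read from the file and is untrusted: it must at least cover the fixed
            // header and must fit an int before it is used as an allocation size.
            long declaredLength = recordLength;
            if (declaredLength < Globals.MetadataSize || declaredLength > int.MaxValue)
            {
                throw new InvalidDataException(
                    "Event log record length " + declaredLength + " is outside the supported range.");
            }

            byte[] recordBytes = reader.ReadBytes((int) declaredLength);
            // ReadBytes returns a shorter array at end of stream instead of throwing; a truncated
            // record must not be parsed as if it were complete.
            if (recordBytes.Length != declaredLength)
            {
                throw new EndOfStreamException(
                    "Event log record is truncated: expected " + declaredLength + " bytes, read " + recordBytes.Length + ".");
            }

            BinaryEventLogRecord eventLog = new BinaryEventLogRecord();
            eventLog._metadata = Metadata.Fetch(recordBytes);

            // Variable-length fields follow the fixed header: source name and computer name
            // (NUL-terminated UTF-16), then the user SID, then the message strings.
            int cursor = Globals.MetadataSize;
            eventLog._sourceName = extractString(recordBytes, cursor);
            cursor += eventLog._sourceName.Length*Globals.UnicodeCharSize + Globals.NullCharSize;
            eventLog._computerName = extractString(recordBytes, cursor);
            cursor += eventLog._computerName.Length*Globals.UnicodeCharSize + Globals.NullCharSize;

            long userSidLength = eventLog._metadata.UserSidLength;
            if (userSidLength < 0 || cursor + userSidLength > recordBytes.Length)
            {
                throw new InvalidDataException(
                    "User SID (" + userSidLength + " bytes at offset " + cursor + ") lies outside the record.");
            }
            eventLog._userSid = new byte[userSidLength];
            Array.Copy(recordBytes, cursor, eventLog._userSid, 0, (int) userSidLength);
            cursor += (int) userSidLength;

            // NOTE(review): the message is decoded from the cursor, which assumes the strings block
            // starts right after the SID (cursor == StringOffset); its length comes from the header
            // offsets. A record with padding before StringOffset would need the header offset as the
            // start instead — confirm against the on-disk format.
            long messageLength = (long) eventLog._metadata.DataOffset - eventLog._metadata.StringOffset;
            if (messageLength < 0 || cursor + messageLength > recordBytes.Length)
            {
                throw new InvalidDataException(
                    "Message strings (" + messageLength + " bytes at offset " + cursor + ") lie outside the record.");
            }
            eventLog._message = Encoding.Unicode.GetString(recordBytes, cursor, (int) messageLength);

            // Event-specific binary data sits at DataOffset, relative to the start of the record,
            // so the copy starts there rather than at the first byte of the buffer.
            long dataOffset = eventLog._metadata.DataOffset;
            long dataLength = eventLog._metadata.DataLength;
            if (dataOffset < 0 || dataLength < 0 || dataOffset + dataLength > recordBytes.Length)
            {
                throw new InvalidDataException(
                    "Event data (" + dataLength + " bytes at offset " + dataOffset + ") lies outside the record.");
            }
            eventLog._data = new byte[dataLength];
            Array.Copy(recordBytes, (int) dataOffset, eventLog._data, 0, (int) dataLength);

            return eventLog;
        }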