for your information: other uses of binary xml #11
Comments
|
@williballenthin thx, yes I was aware of this since I ran into "[MS-EVEN6]: EventLog Remoting Protocol Version 6.0" per http://msdn.microsoft.com/en-us/library/cc231282(v=prot.10).aspx Most of the binary xml functionality has therefore been moved to https://github.com/libyal/libfwevt |
|
@williballenthin the binary XML format is even stored in PE/COFF files: https://github.com/libyal/libexe/blob/master/documentation/Executable%20(EXE)%20file%20format.asciidoc#68-windows-event-template-resource-data |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
over at williballenthin/python-evtx#42 there's an interesting request for a parser for the EVTX log entries queried via RPC. notably, this API returns a binary blob per event record. while the blob header is different from the EVTX record header, its obvious most of the binary XML format is shared. perhaps at your convenience, you might also be interested in reviewing this data.
for example, since records are transmitted independently, strings and templates seem to be placed in-line, rather than defined in a shared location. i think there are a few flags in the node headers which dictate this; however, i'm still exploring.
i'm not expecting anything from you here --- just passing along the pointer.
The text was updated successfully, but these errors were encountered: