omerbenamram / evtx

A Fast (and safe) parser for the Windows XML Event Log (EVTX) format
Apache License 2.0

Feature/visitor #205

Closed janstarke closed 1 year ago

janstarke commented 2 years ago

This PR provides generic access to the parsed evtx structure, without the need to parse JSON (which would make everything very slow).

Usage example:

```rust
// The caller's own result type, built directly from the parsed record tree.
struct MySpecialEvtxDataStructure {}

// A visitor that walks the parsed structure and produces that type.
struct MyVisitor {}

impl EvtxStructureVisitor for MyVisitor {
  // What a single visited record yields.
  type VisitorResult = Option<MySpecialEvtxDataStructure>;
  /* ... */
}
/* ... */
// Each record is handed to a freshly constructed visitor; no JSON round trip.
let records = parser.records_to_visitor(|| MyVisitor::new());
```

I used evtxgrep as a PoC to see if everything works as desired, keeping as many changes as possible outside of evtx.

I also use this in https://github.com/janstarke/evtx2bodyfile

janstarke commented 2 years ago

Another PoC is https://github.com/janstarke/evtx2bodyfile, which I use regularly in forensic investigations