patterns/evtx: Added evtx pattern (#100)

* add evtx pattern

* fix Readme

* fix coding style

* space adjustment

* space adjustment

.gitignore

@@ -2,3 +2,4 @@
 tests/cmake-build-debug/
 
 .idea/
+.DS_Store

README.md

@@ -75,6 +75,7 @@ Hex patterns, include patterns and magic files for the use with the ImHex Hex Ed
 | DEX | | [`patterns/dex.hexpat`](patterns/dex.hexpat) | Dalvik EXecutable Format |
 | DS_Store | `application/octet-stream` | [`patterns/dsstore.hexpat`](patterns/dsstore.hexpat) | .DS_Store file format |
 | UEFI | | [`patterns/uefi.hexpat`](patterns/uefi.hexpat)` | UEFI structs for parsing efivars |
+| EVTX | | [`patterns/evtx.hexpat`](patterns/evtx.hexpat) | MS Windows Vista Event Log |
 
 ### Scripts
 

patterns/evtx.hexpat

@@ -0,0 +1,57 @@
+#pragma endian little
+
+struct Header {
+    char signature[0x8];
+    u64  first_chunk_number;
+    u64  last_chunk_number;
+    u64  next_record_identifier;
+    u32  header_size;
+    u16  minor_format_version;
+    u16  major_format_version;
+    u16  header_block_size;
+    u16  number_of_chunks;
+    u8   unknown[0x4C];
+    u32  file_Flag;
+    u32  checkSum;
+    u8   unknown2[3968];
+};
+
+struct BinaryXML{
+    u8 fragment_header_token;
+    u8 major_version;
+    u8 minor_version;
+    u8 flags;
+};
+
+struct Event_Record{
+    u32 signature;
+    u32 size;
+    u64 event_record_identifier;
+    u64 written_data_amd_time;
+    BinaryXML binaryxml;
+};
+
+struct Chunk{
+    char signature[0x8];
+    u64 first_event_record_number;
+    u64 last_event_record_number;
+    u64 first_event_record_identifier;
+    u64 last_event_record_identifier;
+    u32 header_size;
+    u32 last_event_record_data_offset;
+    u32 free_space_offset;
+    u32 event_records_checksum;
+    u8 unknown[64];
+    u32 unknown2;
+    u32 checksum;
+    u8 common_string_offset_array[256];
+    u8 templatePtr[128];
+    Event_Rsecord event_record;
+};
+
+struct Evtx {
+    Header header;
+    Chunk chunk;
+};
+
+Evtx evtx @ 0x00;