patterns/evtx: Added evtx pattern (#100)

* add evtx pattern * fix Readme * fix coding style * space adjustment * space adjustment
2026-03-27 23:37:04 -05:00 · 2023-03-26 17:34:45 +09:00
parent 6ae8b30488
commit a25a8a3615
4 changed files with 59 additions and 0 deletions
--- a/patterns/evtx.hexpat
+++ b/patterns/evtx.hexpat
@@ -0,0 +1,57 @@
+#pragma endian little
+
+struct Header {
+    char signature[0x8];
+    u64  first_chunk_number;
+    u64  last_chunk_number;
+    u64  next_record_identifier;
+    u32  header_size;
+    u16  minor_format_version;
+    u16  major_format_version;
+    u16  header_block_size;
+    u16  number_of_chunks;
+    u8   unknown[0x4C];
+    u32  file_Flag;
+    u32  checkSum;
+    u8   unknown2[3968];
+};
+
+struct BinaryXML{
+    u8 fragment_header_token;
+    u8 major_version;
+    u8 minor_version;
+    u8 flags;
+};
+
+struct Event_Record{
+    u32 signature;
+    u32 size;
+    u64 event_record_identifier;
+    u64 written_data_amd_time;
+    BinaryXML binaryxml;
+};
+
+struct Chunk{
+    char signature[0x8];
+    u64 first_event_record_number;
+    u64 last_event_record_number;
+    u64 first_event_record_identifier;
+    u64 last_event_record_identifier;
+    u32 header_size;
+    u32 last_event_record_data_offset;
+    u32 free_space_offset;
+    u32 event_records_checksum;
+    u8 unknown[64];
+    u32 unknown2;
+    u32 checksum;
+    u8 common_string_offset_array[256];
+    u8 templatePtr[128];
+    Event_Rsecord event_record;
+};
+
+struct Evtx {
+    Header header;
+    Chunk chunk;
+};
+
+Evtx evtx @ 0x00;