Python: Handling Windows event logs (*.Evt) that were not saved via Export

By | 2013/01/11

Problem description (request link):

The log file (*.Evt) on machine A can be opened directly on machine A, but when I copy the same file to machine B and open it there, Event Viewer reports that the file is corrupted.

Problem screenshot:

[image: evt error]

Solution:

1. First locate 0x11111111222222223333333344444444 in the file and note down the 16 bytes that follow it; these 16 bytes sit immediately before 0x28000000.

2. Go back to the start of the file and overwrite bytes 17 through 32 with those 16 bytes.

3. Finally, change the value of byte 37 to 0x08. The file can then be loaded into Event Viewer.

Code:

# Python 2 script: it relies on str.encode('hex'), the print statement and raw_input.
import os
import sys
import time

# Hex form of the EOF-record signature 0x11111111222222223333333344444444 (32 hex
# chars = 16 bytes). The 16 bytes that follow it are copied into header bytes 17..32.
SIGNATURE = "11111111222222223333333344444444"


def find_eof_fields(fread):
    """Return the 16 bytes after the signature as a 32-char hex string, or "" if the
    signature is not found. The file is read in 8 KB chunks; the tail of the previous
    chunk is kept so that a signature straddling a chunk boundary is still matched."""
    tail = ""
    while 1:
        chunk = fread.read(8192).encode('hex')
        if chunk == "":
            return ""
        buf = tail + chunk
        pos = buf.find(SIGNATURE)
        if pos != -1:
            found = buf[pos + 32:pos + 64]
            # the 16 bytes may run past the end of this chunk: fetch what is missing
            if len(found) < 32:
                found += fread.read((32 - len(found)) / 2).encode('hex')
            if len(found) == 32:
                return found
            return ""  # the file ends inside the EOF record
        tail = buf[-62:]  # last 31 bytes, enough to complete a straddling signature


def convertfile(infile, outfile):
    fread = open(infile, "rb")
    findedstr = find_eof_fields(fread)
    fread.close()
    print "String find: %s" % findedstr
    if findedstr == "":
        print "EOF record signature not found; %s left unchanged." % infile
        return

    # reread the file, patch the header in the first chunk and copy the rest unchanged
    reread = open(infile, "rb")
    fwrite = open(outfile, "wb")
    partcount = 1
    while 1:
        instr = reread.read(8192)
        if instr == "":
            break
        if partcount != 1:
            fwrite.write(instr)
        else:
            instr = instr.encode('hex')
            # bytes 17..32 (hex chars 32..63) <- the 16 bytes taken from the EOF record
            instr = instr[:32] + findedstr + instr[64:]
            # byte 37 (hex chars 72..73) <- 0x08
            instr = instr[:72] + "08" + instr[74:]
            fwrite.write(instr.decode('hex'))
        partcount += 1
    fwrite.close()
    reread.close()


if __name__ == "__main__":
    if len(sys.argv) == 1:
        infilepath = raw_input("Please input the path of EVT file -> ")
        outfilepath = os.path.splitext(infilepath)[0] + ".new.Evt"
    elif len(sys.argv) == 2:
        infilepath = sys.argv[1]
        outfilepath = os.path.splitext(infilepath)[0] + ".new.Evt"
    elif len(sys.argv) == 3:
        infilepath = sys.argv[1]
        outfilepath = sys.argv[2]
    else:
        print "Error args ."
        raw_input("")
        sys.exit()

    starttime = time.time()
    print "Running..."
    convertfile(infilepath, outfilepath)
    print "Done ."
    endtime = time.time()
    print "Time used: ", (endtime - starttime), " s"
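The same three steps carried out on parsed structures rather than hex-string slicing, as an added Python 3 example that is not part of the original post: it builds a constructed .Evt-shaped byte string (values invented for the sample), reads the 48-byte header by field name (names follow the documented ELF_LOGFILE_HEADER and ELF_EOF_RECORD layouts), refuses a signature that is not framed by the two 0x28 size fields, and applies the header patch in memory so the result can be compared with the EOF record.

```python
import struct

# Field order follows the documented ELF_LOGFILE_HEADER (48 bytes, twelve little-endian
# DWORDs, the second being the "LfLe" signature) and ELF_EOF_RECORD (0x28 bytes) layouts.
HEADER_FIELDS = ("HeaderSize", "Signature", "MajorVersion", "MinorVersion", "StartOffset",
                 "EndOffset", "CurrentRecordNumber", "OldestRecordNumber", "MaxSize",
                 "Flags", "Retention", "EndHeaderSize")
HEADER_FMT = "<I4sIIIIIIIIII"
EOF_SIGNATURE = bytes.fromhex("11111111222222223333333344444444")
EOF_RECORD_SIZE = 0x28
ELF_LOGFILE_HEADER_DIRTY = 0x0001  # bit 0 of Flags; writing 0x08 over the low byte clears it

def parse_header(data):
    """Return the 48-byte file header as a dict keyed by field name."""
    return dict(zip(HEADER_FIELDS, struct.unpack_from(HEADER_FMT, data, 0)))

def find_eof_record(data):
    """Locate the EOF record (searched from the end, so a chance match inside an event
    record is not taken) and return BeginRecord, EndRecord, CurrentRecordNumber,
    OldestRecordNumber: the 16 bytes the post copies into the header."""
    pos = data.rfind(EOF_SIGNATURE)
    if pos < 4:
        raise ValueError("no EOF record signature found")
    size_before = struct.unpack_from("<I", data, pos - 4)[0]
    size_after = struct.unpack_from("<I", data, pos + 32)[0]  # the 0x28000000 the post mentions
    if size_before != EOF_RECORD_SIZE or size_after != EOF_RECORD_SIZE:
        raise ValueError("signature not framed by 0x28 size fields")
    return struct.unpack_from("<IIII", data, pos + 16)

def repair_evt(data):
    """Apply the post's three steps in memory: copy the 16 bytes after the signature to
    header offsets 16..31 and set byte 36 (the 37th byte, low byte of Flags) to 0x08."""
    begin, end, current, oldest = find_eof_record(data)
    fixed = bytearray(data)
    struct.pack_into("<IIII", fixed, 16, begin, end, current, oldest)
    fixed[36] = 0x08
    return bytes(fixed)

def make_sample_evt():
    """Constructed sample (not a real log): a dirty header with stale offsets and counters,
    a zero-filled stand-in for the event records, then an up-to-date EOF record."""
    header = struct.pack(HEADER_FMT, 0x30, b"LfLe", 1, 1, 0x30, 0x30, 1, 1,
                         0x80000, ELF_LOGFILE_HEADER_DIRTY, 0, 0x30)
    records = b"\x00" * (0x200 - 0x30)
    eof = struct.pack("<I16sIIIII", EOF_RECORD_SIZE, EOF_SIGNATURE,
                      0x30, 0x200, 43, 1, EOF_RECORD_SIZE)
    return header + records + eof
```

For a real file, read it in binary mode, pass the bytes to repair_evt and write the result to a new path, as the script above does.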
