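1. An event log file is a binary file made up of a sequence of records; the first is the header record and the last is the trailer record.
2. The first and last DWORD of every record (including the header and trailer records) hold the length of that record in bytes. For example, the header record is 48 bytes (0x30), so it looks like this:
30 00 00 00 4C 66 4C 65 …… 30 00 00 00
Note the byte order here (low byte first):
30 00 00 00
W1L W1H W2L W2H
3. The second DWORD of every record is the fixed code 4C 66 4C 65.
4. The Windows API data structure used to store a log record: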
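typedef struct _EVENTLOGRECORD {
    DWORD Length;               /* record length in bytes */
    DWORD Reserved;             /* start marker 4C 66 4C 65 (LfLe) */
    DWORD RecordNumber;         /* record sequence number */
    DWORD TimeGenerated;        /* seconds since 1970 */
    DWORD TimeWritten;          /* seconds since 1970 */
    DWORD EventID;
    WORD  EventType;            /* 1, 2, 4, 8, 10h */
    WORD  NumStrings;           /* number of message strings */
    WORD  EventCategory;
    WORD  ReservedFlags;
    DWORD ClosingRecordNumber;
    DWORD StringOffset;         /* relative to the start of the record */
    DWORD UserSidLength;
    DWORD UserSidOffset;
    DWORD DataLength;
    DWORD DataOffset;           /* relative to the start of the record */
} EVENTLOGRECORD, *PEVENTLOGRECORD;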
5. File analysis
When AppEvent.Evt is empty, the file contents are:
00000000h: 30 00 00 00 4C 66 4C 65 01 00 00 00 01 00 00 00 ; 0...LfLe........
00000010h: 30 00 00 00 30 00 00 00 01 00 00 00 00 00 00 00 ; 0...0...........
00000020h: 00 00 01 00 00 00 00 00 80 3A 09 00 30 00 00 00 ; .........:..0...
00000030h: 28 00 00 00 11 11 11 11 22 22 22 22 33 33 33 33 ; (.......""""3333
00000040h: 44 44 44 44 30 00 00 00 30 63 01 00 28 02 00 00 ; DDDD0...0c..(...
00000050h: 01 00 00 00 28 00 00 00
AppEvent.Evt after one record is written (source: Ci, event ID: 1001, type: 4, message strings: Hello;Hello):
00000000h: 30 00 00 00 4C 66 4C 65 01 00 00 00 01 00 00 00 ; 0...LfLe........
00000010h: 30 00 00 00 30 00 00 00 01 00 00 00 00 00 00 00 ; 0...0...........
00000020h: 00 00 01 00 01 00 00 00 80 3A 09 00 30 00 00 00 ; .........:..0...
00000030h: 78 00 00 00 4C 66 4C 65 01 00 00 00 1F 8B 8A 3E ; x...LfLe.......>
00000040h: 1F 8B 8A 3E E9 03 00 00 04 00 02 00 01 00 00 00 ; ...>............
00000050h: 00 00 00 00 58 00 00 00 00 00 00 00 58 00 00 00 ; ....X.......X...
00000060h: 00 00 00 00 70 00 00 00 43 00 69 00 00 00 43 00 ; ....p...C.i...C.
00000070h: 48 00 45 00 4E 00 47 00 4C 00 49 00 41 00 4E 00 ; H.E.N.G.L.I.A.N.
00000080h: 4D 00 41 00 4F 00 00 00 48 00 65 00 6C 00 6C 00 ; M.A.O...H.e.l.l.
00000090h: 6F 00 00 00 48 00 65 00 6C 00 6C 00 6F 00 00 00 ; o...H.e.l.l.o...
000000a0h: 00 00 00 00 78 00 00 00 28 00 00 00 11 11 11 11 ; ....x...(.......
000000b0h: 22 22 22 22 33 33 33 33 44 44 44 44 30 00 00 00 ; """"3333DDDD0...
000000c0h: A8 00 00 00 02 00 00 00 01 00 00 00 28 00 00 00 ; ............(...
AppEvent.Evt after one record is written (source: Application Management, event ID: 1002, type: 1, message strings: What;What):
00000000h: 30 00 00 00 4C 66 4C 65 01 00 00 00 01 00 00 00 ; 0...LfLe........
00000010h: 30 00 00 00 30 00 00 00 01 00 00 00 00 00 00 00 ; 0...0...........
00000020h: 00 00 01 00 01 00 00 00 80 3A 09 00 30 00 00 00 ; .........:..0...
00000030h: 9C 00 00 00 4C 66 4C 65 01 00 00 00 80 8C 8A 3E ; ....LfLe.......>
00000040h: 80 8C 8A 3E EA 03 00 00 01 00 02 00 01 00 00 00 ; ...>............
00000050h: 00 00 00 00 80 00 00 00 00 00 00 00 80 00 00 00 ; ................
00000060h: 00 00 00 00 94 00 00 00 41 00 70 00 70 00 6C 00 ; ........A.p.p.l.
00000070h: 69 00 63 00 61 00 74 00 69 00 6F 00 6E 00 20 00 ; i.c.a.t.i.o.n. .
00000080h: 4D 00 61 00 6E 00 61 00 67 00 65 00 6D 00 65 00 ; M.a.n.a.g.e.m.e.
00000090h: 6E 00 74 00 00 00 43 00 48 00 45 00 4E 00 47 00 ; n.t...C.H.E.N.G.
000000a0h: 4C 00 49 00 41 00 4E 00 4D 00 41 00 4F 00 00 00 ; L.I.A.N.M.A.O...
000000b0h: 57 00 68 00 61 00 74 00 00 00 57 00 68 00 61 00 ; W.h.a.t...W.h.a.
000000c0h: 74 00 00 00 00 00 00 00 9C 00 00 00 28 00 00 00 ; t...........(...
000000d0h: 11 11 11 11 22 22 22 22 33 33 33 33 44 44 44 44 ; ....""""3333DDDD
000000e0h: 30 00 00 00 CC 00 00 00 02 00 00 00 01 00 00 00 ; 0...............
000000f0h: 28 00 00 00
AppEvent.Evt after two records are written:
Record 1: source Application Management, event ID 1002, type 1, message strings What;What
Record 2: source Ci, event ID 1001, type 4, message strings Hello;Hello
00000000h: 30 00 00 00 4C 66 4C 65 01 00 00 00 01 00 00 00 ; 0...LfLe........
00000010h: 30 00 00 00 30 00 00 00 01 00 00 00 00 00 00 00 ; 0...0...........
00000020h: 00 00 01 00 01 00 00 00 80 3A 09 00 30 00 00 00 ; .........:..0...
00000030h: 9C 00 00 00 4C 66 4C 65 01 00 00 00 80 8C 8A 3E ; ....LfLe.......>
00000040h: 80 8C 8A 3E EA 03 00 00 01 00 02 00 01 00 00 00 ; ...>............
00000050h: 00 00 00 00 80 00 00 00 00 00 00 00 80 00 00 00 ; ................
00000060h: 00 00 00 00 94 00 00 00 41 00 70 00 70 00 6C 00 ; ........A.p.p.l.
00000070h: 69 00 63 00 61 00 74 00 69 00 6F 00 6E 00 20 00 ; i.c.a.t.i.o.n. .
00000080h: 4D 00 61 00 6E 00 61 00 67 00 65 00 6D 00 65 00 ; M.a.n.a.g.e.m.e.
00000090h: 6E 00 74 00 00 00 43 00 48 00 45 00 4E 00 47 00 ; n.t...C.H.E.N.G.
000000a0h: 4C 00 49 00 41 00 4E 00 4D 00 41 00 4F 00 00 00 ; L.I.A.N.M.A.O...
000000b0h: 57 00 68 00 61 00 74 00 00 00 57 00 68 00 61 00 ; W.h.a.t...W.h.a.
000000c0h: 74 00 00 00 00 00 00 00 9C 00 00 00 78 00 00 00 ; t...........x...
000000d0h: 4C 66 4C 65 02 00 00 00 90 8D 8A 3E 90 8D 8A 3E ; LfLe.......>...>
000000e0h: E9 03 00 00 04 00 02 00 01 00 00 00 00 00 00 00 ; ................
000000f0h: 58 00 00 00 00 00 00 00 58 00 00 00 00 00 00 00 ; X.......X.......
00000100h: 70 00 00 00 43 00 69 00 00 00 43 00 48 00 45 00 ; p...C.i...C.H.E.
00000110h: 4E 00 47 00 4C 00 49 00 41 00 4E 00 4D 00 41 00 ; N.G.L.I.A.N.M.A.
00000120h: 4F 00 00 00 48 00 65 00 6C 00 6C 00 6F 00 00 00 ; O...H.e.l.l.o...
00000130h: 48 00 65 00 6C 00 6C 00 6F 00 00 00 00 00 00 00 ; H.e.l.l.o.......
00000140h: 78 00 00 00 28 00 00 00 11 11 11 11 22 22 22 22 ; x...(.......""""
00000150h: 33 33 33 33 44 44 44 44 30 00 00 00 44 01 00 00 ; 3333DDDD0...D...
00000160h: 03 00 00 00 01 00 00 00 28 00 00 00
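6. Field-by-field analysis
Results for AppEvent.Evt with two records written:
Record 1: source Application Management, event ID 1002, type 1, message strings What;What
Record 2: source Ci, event ID 1001, type 4, message strings Hello;Hello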
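•File header
0000h  30 00 00 00   Header length, 30h = 48
       4C 66 4C 65   LfLe (start marker)
       01 00 00 00   ..
       01 00 00 00   ..
0010h  30 00 00 00   Offset of the first record
       30 00 00 00   Offset of some record (arbitrary)
       01 00 00 00   Record number of the record at the offset in [0014h]
       00 00 00 00   When [0018h] does not point to the first record, this value is 01 00 00 00, marking the starting record; it cannot be 00 00 00 00
0020h  00 00 01 00   Total length of the event log file, 65536
       01 00 00 00   A variable value that marks whether this is a log file in the system directory. The system usually generates a random number to mark a file in the system directory so that it gets special handling.
       80 3A 09 00   Reserved word for the machine in the registry
       30 00 00 00   Header length, 30h = 48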
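•Record fields
0030h  9C 00 00 00   DWORD Length: the record is 009Ch bytes long
       4C 66 4C 65   DWORD Reserved: LfLe (start marker)
       01 00 00 00   DWORD RecordNumber: record sequence number; this is record 1
       80 8C 8A 3E   DWORD TimeGenerated: time code, seconds from 1970 to now
0040h  80 8C 8A 3E   DWORD TimeWritten: time code, seconds from 1970 to now
       EA 03 00 00   DWORD EventID: event ID, here 1002
       01 00 02 00   Low word, WORD EventType: the type
                       //1 error (red light)
                       //2 warning (exclamation mark)
                       //4 information (I)
                       //8 audit success (lock)
                       //10h audit failure
                       ……
                       here 01, error (red light)
                     High word, WORD NumStrings: the number of messages, i.e. how many message strings the event carries; here 2
       01 00 00 00   Low word, WORD EventCategory: the event category; here 1, a message
                     High word, WORD ReservedFlags: the event's reserved flags
0050h  00 00 00 00   DWORD ClosingRecordNumber: the event's closing record number
       80 00 00 00   DWORD StringOffset: offset of the event message strings.
                     This record starts at 0030h, so the message strings start at 00B0h
       00 00 00 00   DWORD UserSidLength: length of the user information
       80 00 00 00   DWORD UserSidOffset: offset of the user information (there is none, so this holds the offset of the event message strings)
0060h  00 00 00 00   DWORD DataLength: length of the data
       94 00 00 00   DWORD DataOffset: offset of the data.
                     This record starts at 0030h, so the data starts at 00C4h
0068h  41 00 70 00   The source name starts here
       ...           (each letter is stored as one WORD)
0094h  00 00         End of the source name
0096h  43 00 48 00   The computer name starts here
       ...           (each letter is stored as one WORD)
00AEh  00 00         End of the computer name
00B0h  57 00 68 00   The message strings start here; each one ends with 00 00
       ...           (each letter is stored as one WORD)
00C2h  00 00         End of the message strings
00C4h  00 00 00 00   Storage location of the data, currently empty
00C6h  9C 00 00 00   Length of this record
...    ...           The next record follows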
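•File trailer
0144h  28 00 00 00   Trailer length, 28h = 40
                     (this event log file ends at 016Ch)
       11 11 11 11
       22 22 22 22
       33 33 33 33
0154h  44 44 44 44   Four-DWORD identifier
       30 00 00 00   Offset of the first record
       44 01 00 00   Offset of the file trailer
       03 00 00 00   Sequence number of the trailer record
                     (this log holds 2 records, so the trailer's sequence number is 3)
0164h  01 00 00 00   Sequence number of the first record
       28 00 00 00   Trailer length, 28h = 40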
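
The layout analysed above, applied as a record walker over the page's one-record dump (source Ci, event ID 1001); this is an added example, not code from the original page. It starts at the end of the header, stops at the 11 11 11 11 ... 44 44 44 44 trailer, and rejects any record whose LfLe marker is missing or whose leading and trailing length DWORDs disagree, which is how a truncated or altered record shows up. The names parse_evt and wstr and the dictionary keys are assumptions made for illustration.

```python
import struct
from datetime import datetime, timezone
SIGNATURE = b"LfLe"                       # bytes 4C 66 4C 65
FIXED = struct.Struct("<6I4H6I")          # 0x38-byte fixed part of EVENTLOGRECORD
TRAILER_MARK = bytes.fromhex("11111111222222223333333344444444")
SAMPLE = bytes.fromhex("""
30000000 4C664C65 01000000 01000000 30000000 30000000 01000000 00000000
00000100 01000000 803A0900 30000000 78000000 4C664C65 01000000 1F8B8A3E
1F8B8A3E E9030000 04000200 01000000 00000000 58000000 00000000 58000000
00000000 70000000 43006900 00004300 48004500 4E004700 4C004900 41004E00
4D004100 4F000000 48006500 6C006C00 6F000000 48006500 6C006C00 6F000000
00000000 78000000 28000000 11111111 22222222 33333333 44444444 30000000
A8000000 02000000 01000000 28000000
""")  # the page's one-record AppEvent.Evt dump (source Ci, event ID 1001)

def wstr(buf, pos):
    """Read one NUL-terminated UTF-16LE string; return (text, next position)."""
    end = pos
    while buf[end:end + 2] not in (b"\0\0", b""):
        end += 2
    return buf[pos:end].decode("utf-16-le", "replace"), end + 2

def parse_evt(buf):
    """Added example (illustrative names): walk header end -> trailer, validating."""
    pos, records = struct.unpack_from("<I", buf, 0)[0], []
    while pos + 20 <= len(buf):
        length = struct.unpack_from("<I", buf, pos)[0]
        if buf[pos + 4:pos + 20] == TRAILER_MARK:   # file trailer reached
            return records
        if length < FIXED.size + 4 or pos + length > len(buf):
            raise ValueError(f"bad record length {length:#x} at {pos:#x}")
        if buf[pos + 4:pos + 8] != SIGNATURE:
            raise ValueError(f"missing LfLe marker at {pos:#x}")
        if struct.unpack_from("<I", buf, pos + length - 4)[0] != length:
            raise ValueError(f"leading/trailing length differ at {pos:#x}")
        (_, _, number, generated, _, event_id, etype, nstrings,
         _, _, _, str_off, _, _, _, _) = FIXED.unpack_from(buf, pos)
        rec = buf[pos:pos + length]
        source, nxt = wstr(rec, FIXED.size)         # source name follows the fixed part
        computer, _ = wstr(rec, nxt)                # then the computer name
        strings, nxt = [], str_off                  # StringOffset is record-relative
        for _ in range(nstrings):
            text, nxt = wstr(rec, nxt)
            strings.append(text)
        records.append({"number": number, "event_id": event_id, "type": etype,
                        "time": datetime.fromtimestamp(generated, timezone.utc),
                        "source": source, "computer": computer, "strings": strings})
        pos += length
    raise ValueError("no file trailer found")
```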