- Parsing PMC files, which makes it possible to reduce the size of the log file over time as Procmon captures millions of events.
- Parsing PML files, making it possible to directly load the raw PML file into convenient Python objects instead of having to convert the file to CSV/XML formats prior to loading.

### PMC (Process Monitor Configuration) Parser Usage

Loading configuration of a pre-exported Procmon configuration:

```python
>>> from procmon_parser import load_configuration, dump_configuration, Rule, Column, RuleRelation, RuleAction
>>> with open("ProcmonConfiguration.pmc", "rb") as f:
...     config = load_configuration(f)
>>> config["DestructiveFilter"]
0
>>> config["FilterRules"]
[Rule(...), Rule(...), ...]
```

Adding some new rules:

```python
>>> # Illustrative rule; the rule list shown in the original README did not survive extraction
>>> new_rules = [Rule(Column.PROCESS_NAME, RuleRelation.IS, "explorer.exe", RuleAction.INCLUDE)]
>>> config["FilterRules"] = new_rules + config["FilterRules"]
```

Dropping filtered events:

```python
>>> config["DestructiveFilter"] = 1
```

Dumping the new configuration to a file:

```python
>>> with open("ProcmonConfiguration1337.pmc", "wb") as f:
...     dump_configuration(config, f)
```

### File Format

For the raw binary format of PMC files you can refer to the docs, or take a look at the source code in configuration_format.py.

### PML (Process Monitor Log) Parser Usage

Procmon-parser exports a ProcmonLogsReader class for reading logs directly from a PML file:

```python
>>> from procmon_parser import ProcmonLogsReader
>>> f = open("LogFile.PML", "rb")
>>> pml_reader = ProcmonLogsReader(f)
>>> len(pml_reader)  # number of logs
53214
>>> first_event = next(pml_reader)  # reading the next event in the log
>>> print(first_event)
Process Name=dwm.exe, Pid=932, Operation=RegQueryValue, Path="HKCU\Software\Microsoft\Windows\DWM\ColorPrevalence", Time=7/12/2020 1:18:10.7752429 AM
>>> print(first_event.process)  # Accessing the process of the event
"C:\Windows\system32\dwm.exe", 932
>>> for module in first_event.process.modules:  # Accessing the modules loaded by the process
...     print(module)
```