...instead of having to convert the file to CSV/XML formats prior to loading.

PMC (Process Monitor Configuration) Parser Usage

Loading configuration of a pre-exported Procmon configuration:

```python
>>> from procmon_parser import load_configuration, dump_configuration, Rule
>>> with open("ProcmonConfiguration.pmc", "rb") as f:
...     config = load_configuration(f)
>>> config["DestructiveFilter"]
0
>>> config["FilterRules"]  # the list of Rule objects that make up the filter
```

Adding some new rules (the new rules are put ahead of the existing ones, so they are evaluated first):

```python
>>> new_rules = [...]  # a list of Rule objects
>>> config["FilterRules"] = new_rules + config["FilterRules"]
```

Dropping filtered events (Procmon's "Drop Filtered Events" option, which discards events that fail the filter instead of merely hiding them):

```python
>>> config["DestructiveFilter"] = 1
```

Dumping the new configuration to a file:

```python
>>> with open("ProcmonConfiguration1337.pmc", "wb") as f:
...     dump_configuration(config, f)
```

File Format

For the raw binary format of PMC files you can refer to the docs, or take a look at the source code in configuration_format.py.

Procmon-parser exports a ProcmonLogsReader class for reading logs directly from a PML file:

```python
>>> from procmon_parser import ProcmonLogsReader
>>> f = open("LogFile.PML", "rb")
>>> pml_reader = ProcmonLogsReader(f)
>>> len(pml_reader)  # number of logs
53214
>>> first_event = next(pml_reader)  # reading the next event in the log
>>> print(first_event)
Process Name=dwm.exe, Pid=932, Operation=RegQueryValue, Path="HKCU\Software\Microsoft\Windows\DWM\ColorPrevalence", Time=7/12/2020 1:18:10.7752429 AM
>>> print(first_event.process)  # Accessing the process of the event
"C:\Windows\system32\dwm.exe", 932
>>> for module in first_event.
```
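The filter rules loaded from a PMC file and the events read from a PML file meet when you want to evaluate one against the other in Python rather than in the Procmon GUI. The following is an added example, not code from procmon-parser: it implements Procmon's include/exclude filter semantics (includes are ORed within a column, ANDed across columns, and any exclude match wins) over a small stand-in event class. `FilterRule`, `Event`, `Relation`, `Action`, `apply_filter`, the sample events (apart from the dwm.exe event printed above) and the Run-key rule set are all hypothetical and constructed for this example; the real library's `Rule` has the same (column, relation, value, action) shape but is not used here so the block runs without the package installed.

```python
# Added example (not procmon-parser code): Procmon-style include/exclude filter
# semantics evaluated over parsed events. FilterRule mirrors the
# (column, relation, value, action) shape of a Procmon filter rule; Event is a
# hypothetical stand-in carrying the fields the README's printed event shows.
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, List, Optional


class Relation(Enum):
    IS = "is"
    IS_NOT = "is not"
    BEGINS_WITH = "begins with"
    ENDS_WITH = "ends with"
    CONTAINS = "contains"
    EXCLUDES = "excludes"


class Action(Enum):
    EXCLUDE = 0
    INCLUDE = 1


@dataclass(frozen=True)
class FilterRule:
    column: str        # Procmon column name, e.g. "Process Name", "Operation", "Path"
    relation: Relation
    value: str
    action: Action


@dataclass(frozen=True)
class Event:
    """Hypothetical stand-in for one parsed PML event (constructed for this example)."""
    process_name: str
    pid: int
    operation: str
    path: str
    time: str

    def column(self, name: str) -> str:
        """Return the named column as the string Procmon compares against."""
        return {"Process Name": self.process_name, "PID": str(self.pid),
                "Operation": self.operation, "Path": self.path}[name]


# Procmon's string comparisons are case-insensitive; both sides are lowered first.
_OPS = {
    Relation.IS: lambda f, v: f == v,
    Relation.IS_NOT: lambda f, v: f != v,
    Relation.BEGINS_WITH: lambda f, v: f.startswith(v),
    Relation.ENDS_WITH: lambda f, v: f.endswith(v),
    Relation.CONTAINS: lambda f, v: v in f,
    Relation.EXCLUDES: lambda f, v: v not in f,
}


def matches(rule: FilterRule, event: Event) -> bool:
    """Evaluate a single rule against a single event."""
    return _OPS[rule.relation](event.column(rule.column).lower(), rule.value.lower())


def apply_filter(rules: Iterable[FilterRule], events: Iterable[Event]) -> List[Event]:
    """Keep an event if it matches no Exclude rule and, for every column that has
    Include rules, matches at least one of them: Procmon ORs includes within a
    column, ANDs them across columns, and lets any exclude match win."""
    rules = list(rules)
    excludes = [r for r in rules if r.action is Action.EXCLUDE]
    includes: Dict[str, List[FilterRule]] = {}
    for r in rules:
        if r.action is Action.INCLUDE:
            includes.setdefault(r.column, []).append(r)
    kept = []
    for ev in events:
        if any(matches(r, ev) for r in excludes):
            continue
        if all(any(matches(r, ev) for r in col_rules) for col_rules in includes.values()):
            kept.append(ev)
    return kept


# Constructed sample events: the first is the README's dwm.exe event, the rest are made up.
SAMPLE_EVENTS = [
    Event("dwm.exe", 932, "RegQueryValue",
          r"HKCU\Software\Microsoft\Windows\DWM\ColorPrevalence", "7/12/2020 1:18:10.7752429 AM"),
    Event("powershell.exe", 4120, "RegSetValue",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater", "7/12/2020 1:18:11.0012000 AM"),
    Event("svchost.exe", 1288, "RegSetValue",
          r"HKLM\SYSTEM\CurrentControlSet\Services\BITS\Start", "7/12/2020 1:18:11.2230000 AM"),
    Event("Procmon.exe", 5000, "RegSetValue",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Test", "7/12/2020 1:18:11.5000000 AM"),
]

# Hypothetical rule set: drop Procmon's own activity (one of its default exclusions),
# then keep only registry writes under the per-user Run key.
PERSISTENCE_RULES = [
    FilterRule("Process Name", Relation.IS, "Procmon.exe", Action.EXCLUDE),
    FilterRule("Operation", Relation.IS, "RegSetValue", Action.INCLUDE),
    FilterRule("Path", Relation.BEGINS_WITH,
               r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", Action.INCLUDE),
]


def find_run_key_writes(events: Optional[Iterable[Event]] = None) -> List[Event]:
    """Events surviving PERSISTENCE_RULES; on SAMPLE_EVENTS only the powershell.exe write."""
    return apply_filter(PERSISTENCE_RULES, SAMPLE_EVENTS if events is None else events)
```

The svchost.exe event is the instructive case: it passes the Operation include but not the Path include, and is dropped because includes on different columns are ANDed, exactly as in the Procmon GUI. Swap `SAMPLE_EVENTS` for events iterated from a `ProcmonLogsReader` (mapping the reader's event attributes onto `Event`) to run the same rule set over a real PML file.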