Crate winevt_memory 

Structs

EvtxChunkHeader

MemoryCarvedRecord

A record found by scanning a raw memory buffer for EVTX record magic.

MemoryRecoveredChunk

A chunk recovered from process memory (Event Log service VAD scan).

RecoveredEtwEvent

An ETW event recovered from a session buffer in kernel memory.

RecoveredEtwSession

An ETW session recovered from kernel memory (_WMI_LOGGER_CONTEXT walk).

Enums

EtwTamperingIndicator

ETW-level tampering indicators.

IntegrityAnomaly

Structural integrity anomalies detected in an EVTX file.

Constants

RECORD_MAGIC

**\0\0 — marks the start of every event record.

Functions

detect_etw_tampering

Detect ETW-level tampering indicators across the given sessions.

identify_eventlog_sessions

Filter sessions whose name starts with "EventLog-".

scan_memory_buffer

Scan an arbitrary byte buffer for EVTX record magic and recover plausible records.