
C development

Joachim Metz edited this page Jul 12, 2022 · 1 revision

TODO: work in progress

Return values

Most of the API functions return 1 if successful or -1 on error.

The close function is an exception since it returns 0 if successful or -1 on error.

More details about the return values for each API function can be found in libevtx.h.

Examples

The examples below require the following headers to be included:

#include <stdlib.h>
#include <stdio.h>

#include <libevtx.h>

File structure

Allocate file structure

libevtx_error_t *error = NULL;
libevtx_file_t *file = NULL;

if( libevtx_file_initialize(&file, &error) != 1 )
{
    fprintf(stderr, "Unable to initialize file.\n");

    libevtx_error_free(&error);

    exit(EXIT_FAILURE);
}

When calling the libevtx_file_initialize function the file argument must refer to NULL to allocate and initialize a file structure. The error argument is optional and can be NULL.

The function will return 1 if successful or -1 on error. On error the library creates an error structure, except if error is NULL, e.g.

libevtx_file_initialize(&file, NULL);

The error structure must be freed by calling the libevtx_error_free function.

Free file structure

if( libevtx_file_free(&file, &error) != 1 )
{
    fprintf(stderr, "Unable to free file.\n");

    libevtx_error_free(&error);

    exit(EXIT_FAILURE);
}

The function will return 1 if successful or -1 on error. File is set to NULL. The function will also close the file if it was opened.

Open file

const char *filename = "Application.Evtx";

if( libevtx_file_open(file, filename, LIBEVTX_OPEN_READ, &error) != 1 )
{
    fprintf(stderr, "Unable to open file.\n" );

    libevtx_file_free(&file, NULL);
    libevtx_error_free(&error);

    exit(EXIT_FAILURE);
}

libevtx provides both narrow and wide character string functions for filenames. The wide character equivalent of the open function is libevtx_file_open_wide. By default libevtx will only enable wide character string support on Windows since other operating systems have built-in support for UTF-8 narrow character strings.

To compile with wide character support add --enable-wide-character-type=yes to configure, e.g.:

./configure --enable-wide-character-type=yes

Or on Windows define WINAPI and either _UNICODE or UNICODE.

When wide character string support is enabled, LIBEVTX_HAVE_WIDE_CHARACTER_TYPE is defined in <libevtx/features.h>.

Open file using a file-like object

TODO describe

libevtx can be compiled with file-like object support using libbfio. The libevtx configure script will automatically detect if a compatible version of libbfio is available.

When libbfio support is enabled, LIBEVTX_HAVE_BFIO is defined in <libevtx/features.h>.

Close file

if( libevtx_file_close(file, &error) != 0 )
{
    fprintf(stderr, "Unable to close file.\n" );

    libevtx_file_free(&file, NULL);
    libevtx_error_free(&error);

    exit(EXIT_FAILURE);
}
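
The steps above combined into one function with a single cleanup path, as an added example that is not part of the libevtx documentation. The name evtx_probe is hypothetical, and the #else branch holds stand-in declarations (an assumption, mimicking only the return values documented above) so the block compiles where libevtx is not installed.

```c
#include <stdio.h>
#include <stdlib.h>
#if defined(__has_include) && __has_include(<libevtx.h>)
#include <libevtx.h>
#else
/* Stand-ins (assumption) so this compiles where libevtx is not installed;
 * they mimic only the return values documented on this page. */
typedef struct { int is_open; } libevtx_file_t;
typedef int libevtx_error_t;
#define LIBEVTX_OPEN_READ 1
static void libevtx_error_free(libevtx_error_t **e) { free(*e); *e = NULL; }
static int fail(libevtx_error_t **e) { if (e) *e = calloc(1, sizeof **e); return -1; }
static int libevtx_file_initialize(libevtx_file_t **f, libevtx_error_t **e)
{ if (*f) return fail(e); *f = calloc(1, sizeof **f); return *f ? 1 : fail(e); }
static int libevtx_file_open(libevtx_file_t *f, const char *name, int flags, libevtx_error_t **e)
{ FILE *h = fopen(name, "rb"); (void)flags; if (!h) return fail(e); fclose(h); f->is_open = 1; return 1; }
static int libevtx_file_close(libevtx_file_t *f, libevtx_error_t **e)
{ if (!f->is_open) return fail(e); f->is_open = 0; return 0; }
static int libevtx_file_free(libevtx_file_t **f, libevtx_error_t **e)
{ (void)e; free(*f); *f = NULL; return 1; }
#endif

/* Hypothetical helper: returns 0 if the file opened and closed cleanly,
 * -1 otherwise. Every path leaves through cleanup, so nothing leaks. */
int evtx_probe(const char *filename)
{
    libevtx_error_t *error = NULL;
    libevtx_file_t *file = NULL; /* must refer to NULL before initialize */
    int result = -1;

    if (libevtx_file_initialize(&file, &error) != 1)
        goto cleanup;
    if (libevtx_file_open(file, filename, LIBEVTX_OPEN_READ, &error) != 1)
        goto cleanup;
    /* close is the exception: it returns 0 on success, so test against 0 */
    if (libevtx_file_close(file, &error) != 0)
        goto cleanup;
    result = 0;
cleanup:
    if (error != NULL)
        libevtx_error_free(&error);
    if (file != NULL)
        libevtx_file_free(&file, NULL); /* also closes the file if still open */
    return result;
}

int main(int argc, char **argv)
{ return (argc == 2 && evtx_probe(argv[1]) == 0) ? EXIT_SUCCESS : EXIT_FAILURE; }
```

With libevtx installed, link against the library itself; the stand-ins are then skipped and the same function exercises the real calls.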

Also see

  • libevtx.h
  • man 3 libevtx