//-------------------------------------- //--- 010 Editor v5.0beta1 Binary Template // // File: UTMPTemplate.bt // Author: Matthew Geiger // Revision: 0.1 // Purpose: Parsing entries in wtmp and utmp files on *nix hosts //-------------------------------------- #define UT_LINESIZE 32 #define UT_NAMESIZE 32 #define UT_HOSTSIZE 256 LittleEndian(); typedef enum { /* Should be a short(?), but not on Linux systems I have seen */ EMPTY = 0, /* Record does not contain valid info (formerly known as UT_UNKNOWN on Linux) */ RUN_LVL = 1, /* Change in system run-level (see init(8)) */ BOOT_TIME = 2, /* Time of system boot (in ut_tv) */ NEW_TIME = 3, /* Time after system clock change (in ut_tv) */ OLD_TIME = 4, /* Time before system clock change (in ut_tv) */ INIT_PROCESS = 5, /* Process spawned by init(8) */ LOGIN_PROCESS = 6, /* Session leader process for user login */ USER_PROCESS = 7, /* Normal process */ DEAD_PROCESS = 8, /* Terminated process */ ACCOUNTING = 9 /* Not implemented */ } LOGIN_TYPE; struct exit_status { short e_termination; /* Process termination status. */ short e_exit; /* Process exit status. */ }; struct utmp { LOGIN_TYPE ut_type; /* Type of login. */ int ut_pid; /* Process ID of login process. */ char ut_line[UT_LINESIZE]; /* Devicename. */ char ut_id[4]; /* Inittab ID. */ char ut_user[UT_NAMESIZE]; /* Username. */ char ut_host[UT_HOSTSIZE]; /* Hostname for remote login. */ struct exit_status ut_exit; /* Exit status of a process marked as DEAD_PROCESS. */ long ut_session; /* Session ID, used for windowing. */ time_t high_timeval; /* Time entry was made. */ int low_timeval; int ut_addr_v6[4]; /* Internet address of remote host. */ char __unused[20]; /* Reserved for future use. */ }; FSeek(0); while( !FEof() ) { utmp UTMP_entry; }