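def _port_number(port):
    """Coerce a scanner-reported port to ``int``.

    ``netscan`` reports an unknown/wildcard port as a string (the original
    code mapped *any* string to 0).  Anything that does not convert cleanly
    is reported as 0 so a single odd value cannot abort the whole sweep.
    """
    try:
        return int(port)
    except (TypeError, ValueError):
        return 0


def getSockets(config,kernel_addr_space):
    """Collect per-process socket records from a ``netscan`` sweep.

    Walks every object ``netscan.Netscan(config).calculate()`` yields,
    dereferences its owning ``_EPROCESS`` and appends one ``Socket`` entry
    (``resultitemtype=16``) to the ``Open_Sockets_ListType`` kept for that
    PID.

    Args:
        config: the Volatility configuration object handed to ``netscan``.
        kernel_addr_space: unused here; kept for signature compatibility
            with the other ``getSockets*`` helpers in this file.

    Returns:
        dict mapping PID -> ``datastructs.Open_Sockets_ListType``.  The
        original built this dict but never returned it, so callers could
        not reach the results.  An empty dict is returned when the scan
        yields nothing or fails outright.

    Fixes relative to the original:
      * ``sockets`` is returned.
      * Each result is processed under its own exception guard.  netscan is
        a pool scanner, so it also surfaces freed objects whose ``Owner``
        pointer may no longer be valid; one bad object used to discard
        every result after it.
      * ``raddr`` is defaulted to ``""`` like ``laddr`` already was.
    """
    sockets = dict()
    try:
        for net_object, protocol, laddr, lport, raddr, rport, state in netscan.Netscan(config).calculate():
            try:
                owner = net_object.Owner.dereference_as('_EPROCESS')
                pid = int(owner.UniqueProcessId)

                # One Open_Sockets_ListType per PID; every socket is a Socket child of it
                socketObjList = sockets.get(pid)
                if socketObjList is None:
                    socketObjList = datastructs.Open_Sockets_ListType()
                    sockets[pid] = socketObjList
                socketObj = socketObjList.Socket.add(resultitemtype=16)

                socketObj.Port = _port_number(lport)
                socketObj.RemotePort = _port_number(rport)
                socketObj.LocalAddress = utils._utf8_encode(laddr or "")
                socketObj.RemoteAddress = utils._utf8_encode(raddr or "")
                socketObj.Proto = utils._utf8_encode(protocol)
                socketObj.State = 0
                socketObj.RealState = _convert_socket_state(state)
                socketObj.ProcessName = utils._utf8_encode(owner.ImageFileName)
                # NOTE(review): the PEB lives in user-mode memory and may be paged
                # out or belong to an exited process; the `or ""` guards a falsy
                # (invalid) dereference -- confirm that is the only failure mode.
                socketObj.Path = utils._utf8_encode(owner.Peb.ProcessParameters.ImagePathName or "")
                socketObj.FromMemory = ""
                socketObj.PID = pid
            except Exception as e:
                # Log and move on: one smeared object must not discard the rest
                logging.exception(e)
    except Exception as e:
        logging.exception(e)
    return sockets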
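def getSocketsForWindowsXP(config,address_space):
    """Collect per-process socket records on Windows XP / 2003 images.

    Two pool scanners are combined: ``connscan.ConnScan`` for TCP
    connection objects and ``socketsref.Sockets`` for socket objects.
    Every hit becomes one ``Socket`` entry (``resultitemtype=16``) in the
    ``Open_Sockets_ListType`` kept for its PID.

    Args:
        config: the Volatility configuration object handed to the scanners.
        address_space: unused here; kept for signature compatibility.

    Returns:
        dict mapping PID -> ``datastructs.Open_Sockets_ListType``.  The
        original built this dict but never returned it.

    Fixes relative to the original:
      * The sockets loop tested ``tcp_obj.LocalPort`` (a leftover from the
        connscan loop) instead of ``sock.LocalPort``: that raised
        ``NameError`` when connscan found nothing and otherwise checked the
        wrong object.
      * Each scanner runs under its own exception guard, so a failure in
        connscan no longer prevents the socket scan from running.
    """
    sockets = dict()

    def _entry(pid):
        # One Open_Sockets_ListType per PID; every socket is a Socket child of it
        socketObjList = sockets.get(pid)
        if socketObjList is None:
            socketObjList = datastructs.Open_Sockets_ListType()
            sockets[pid] = socketObjList
        return socketObjList.Socket.add(resultitemtype=16)

    def _port(port):
        # Scanners report an unknown/wildcard port as a string; map that to 0
        return 0 if isinstance(port, str) else int(port)

    try:
        for tcp_obj in connscan.ConnScan(config).calculate():
            pid = int(tcp_obj.Pid)
            socketObj = _entry(pid)
            socketObj.Port = _port(tcp_obj.LocalPort)
            socketObj.RemotePort = _port(tcp_obj.RemotePort)
            socketObj.LocalAddress = utils._utf8_encode(tcp_obj.LocalIpAddress)
            socketObj.RemoteAddress = utils._utf8_encode(tcp_obj.RemoteIpAddress)
            # Proto is deliberately not set for connscan hits (was commented out
            # in the original).  "ESTABLISHED" is a fixed label, not a state read
            # from the object.
            # NOTE(review): pool scanning also surfaces freed/stale objects, so
            # treat these as "connection observed in memory", not necessarily live.
            socketObj.State = 0
            socketObj.RealState = _convert_socket_state("ESTABLISHED")
            socketObj.FromMemory = ""
            socketObj.PID = pid
    except Exception as e:
        logging.exception(e)

    try:
        for sock in socketsref.Sockets(config).calculate():
            pid = int(sock.Pid)
            socketObj = _entry(pid)
            socketObj.LocalAddress = utils._utf8_encode(sock.LocalIpAddress)
            socketObj.FromMemory = ""
            socketObj.PID = pid
            socketObj.State = 0
            # Fixed label as above; socket objects are reported as listeners
            socketObj.RealState = _convert_socket_state("LISTENING")
            socketObj.Port = _port(sock.LocalPort)
            socketObj.Proto = utils._utf8_encode(sock.Protocol)
    except Exception as e:
        logging.exception(e)

    return sockets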
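 def execute(self, config):
     """Enumerate loaded kernel modules and write them to ``modules.xml``.

     Runs ``krnlModules.Modules(config).calculate()``, builds one ``Module``
     record (``resultitemtype=13``) per result and serialises the list as
     XML to ``config.OUTPUT_PATH + "modules.xml"``.

     Args:
         config: the Volatility configuration object; ``OUTPUT_PATH`` is
             the output location.

     Fix: the output file was opened with a bare ``open`` that was never
     closed (and the name shadowed the ``file`` builtin).  A ``with`` block
     now guarantees the file is flushed and closed even if serialisation
     raises.
     """
     moduleObjList = datastructs.rootType()
     for module in krnlModules.Modules(config).calculate():
         moduleObj = moduleObjList.Module.add(resultitemtype=13)
         moduleObj.Name = utils._utf8_encode(module.BaseDllName)
         moduleObj.Path = utils._utf8_encode(module.FullDllName)
         moduleObj.Address = long(module.DllBase.v())
         # EntryPoint was a constant 2 in a reference MemoryAnalysis XML; whether
         # that is a mistake there is unknown, so the module's real EntryPoint
         # value is emitted here.
         moduleObj.EntryPoint = long(module.EntryPoint.v())
         moduleObj.Size = int(module.SizeOfImage)
     # NOTE(review): plain string concatenation -- OUTPUT_PATH is assumed to
     # end with a path separator; confirm against the caller.
     with open(config.OUTPUT_PATH + "modules.xml", "w") as outfile:
         outfile.write(proto2xml(moduleObjList, indent=0))
     logging.debug("Completed calculating the kernel modules")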
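 def execute(self,config):
     """Write the loaded kernel module list to ``modules.xml``.

     One ``Module`` record (``resultitemtype=13``) is added for every entry
     ``krnlModules.Modules(config).calculate()`` returns, carrying the
     module's base name, full path, load address, entry point and image
     size; the list is serialised with ``proto2xml`` into
     ``config.OUTPUT_PATH + "modules.xml"``.

     Args:
         config: the Volatility configuration object; ``OUTPUT_PATH`` is
             the output location.

     Fix: the original opened the output file without ever closing it
     (leaking the handle and leaving buffered data unflushed on error) and
     shadowed the ``file`` builtin; the write now happens inside ``with``.
     """
     records = datastructs.rootType()
     for module in krnlModules.Modules(config).calculate():
         entry = records.Module.add(resultitemtype=13)
         entry.Name = utils._utf8_encode(module.BaseDllName)
         entry.Path = utils._utf8_encode(module.FullDllName)
         entry.Address = long(module.DllBase.v())
         # A reference MemoryAnalysis XML always had EntryPoint == 2; unclear
         # whether that is a mistake, so the module's real value is used.
         entry.EntryPoint = long(module.EntryPoint.v())
         entry.Size = int(module.SizeOfImage)
     # NOTE(review): OUTPUT_PATH is concatenated without a separator -- it is
     # assumed to already end with one; confirm against the caller.
     outputName = config.OUTPUT_PATH + "modules.xml"
     with open(outputName, "w") as outfile:
         outfile.write(proto2xml(records, indent=0))
     logging.debug("Completed calculating the kernel modules")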
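    def execute(self, options, config):
        """Report loaded kernel modules that have no backing file on disk.

        Walks every module ``modules.Modules(config).calculate()`` returns,
        expands its recorded ``FullDllName`` with ``ExpandPath`` and emits a
        ``FloatingDriver`` record for each module whose expanded path does
        not exist.  A loaded driver with no file behind it is a classic
        indicator of an in-memory-only or deleted-after-load rootkit, which
        is what this check is for.

        Args:
            options: unused here; part of the plugin ``execute`` signature.
            config: Volatility configuration; ``OUTPUT_PATH`` is the output
                directory handed to ``FileOutputClass``.

        Fix: ``output.Close()`` only ran on the success path, so an
        exception during enumeration or serialisation leaked the handle;
        it now runs in a ``finally``.
        """
        with UpdateCounterForScope('ADFloatingDriver'):
            output = FileOutputClass(getattr(config, "OUTPUT_PATH"), type(self).operation_name)
            if not output.Open():
                return

            try:
                floatingDrivers = datastructs.rootType()
                for module in modules.Modules(config).calculate():
                    driverName = utils._utf8_encode(module.BaseDllName)
                    driverPath = utils._utf8_encode(module.FullDllName)
                    driverFullPath = ExpandPath(driverPath)
                    # NOTE(review): os.path.exists() consults the filesystem of the
                    # machine running this plugin.  That is only meaningful when it
                    # runs on the live host (or ExpandPath maps into a mounted image);
                    # offline analysis of a foreign image would flag every module.
                    # An empty/unreadable FullDllName is likewise reported as floating.
                    if not os.path.exists(driverFullPath):
                        driver = floatingDrivers.FloatingDriver.add()
                        driver.Name = driverName
                        driver.Path = driverFullPath

                output.File.write(proto2xml(floatingDrivers, indent=0))
            finally:
                output.Close()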
    def getregistrykeyobject(self,reg,key,regObjList):
        """Append one ``RegistryKey`` record (with its values) for *key*.

        ``reg`` is the key's full path as built by the caller; the record's
        ``Path`` is the parent portion of it.  Values come from
        ``rawreg.values`` and each value's data from
        ``self._get_raw_registry_data2``; a value whose data cannot be read
        gets the exception text as its ``Value`` instead of aborting the key.

        Args:
            reg: full path string of *key*.
            key: the hive key object to describe.
            regObjList: container whose ``RegistryKey`` list receives the record.

        Returns:
            The newly added ``RegistryKey`` record.
        """
        record = regObjList.RegistryKey.add(resultitemtype=19)
        record.Name = utils._utf8_encode(key.Name)

        # Parent path: everything before the last "/" with separators flipped
        # to backslashes and a leading backslash prepended; with no "/" at all
        # the full reg string is used unchanged.
        # NOTE(review): LoadSubKeys joins components with "\\", so for keys
        # reached that way the "/" branch is never taken -- confirm which
        # separator the top-level caller passes in.
        cut = reg.rfind("/")
        keyPath = reg if cut < 0 else "\\" + reg[:cut].replace("/", "\\")
        record.Path = utils._utf8_encode(keyPath)
        record.Volatile = self.voltext(key)

        regvalues = rawreg.values(key)
        if regvalues is not None and len(regvalues) > 0:
            valueList = record.Values
            valueList.Count = len(regvalues)
            for value in regvalues:
                entry = valueList.RegistryValue.add(resultitemtype=21)
                entry.Name = utils._utf8_encode(value.Name)
                entry.Type = value.Type.v() or 0
                try:
                    entry.Value = self._get_raw_registry_data2(value)
                except Exception as e:
                    # Record the failure in-band; one unreadable value is not fatal
                    entry.Value = "EXCEPTION: " + str(e)

        return record
    def getregistrykeyobject(self, reg, key, regObjList):
        """Describe *key* as a ``RegistryKey`` record under *regObjList*.

        The record carries the key name, the parent path derived from *reg*,
        the volatility flag from ``self.voltext`` and, when ``rawreg.values``
        returns anything, one ``RegistryValue`` per value.  Value data is read
        through ``self._get_raw_registry_data2``; if that raises, the
        exception text is stored as the value instead.

        Args:
            reg: full path string of *key*.
            key: the hive key object to describe.
            regObjList: container whose ``RegistryKey`` list receives the record.

        Returns:
            The newly added ``RegistryKey`` record.
        """
        keyRecord = regObjList.RegistryKey.add(resultitemtype=19)
        keyRecord.Name = utils._utf8_encode(key.Name)

        parentPath = reg
        slashAt = reg.rfind("/")
        if slashAt >= 0:
            # Strip the key's own name and normalise "/" to "\\" with a root prefix
            parentPath = "\\" + reg[:slashAt].replace("/", "\\")
        # NOTE(review): LoadSubKeys builds reg with "\\", in which case no "/"
        # is found and Path keeps the full key path -- confirm the intended
        # separator with the top-level caller.
        keyRecord.Path = utils._utf8_encode(parentPath)
        keyRecord.Volatile = self.voltext(key)

        found = rawreg.values(key)
        hasValues = found is not None and len(found) > 0
        if hasValues:
            container = keyRecord.Values
            container.Count = len(found)
            for item in found:
                valueRecord = container.RegistryValue.add(resultitemtype=21)
                valueRecord.Name = utils._utf8_encode(item.Name)
                valueRecord.Type = item.Type.v() or 0
                try:
                    valueRecord.Value = self._get_raw_registry_data2(item)
                except Exception as e:
                    # A single unreadable value is recorded in-band, not fatal
                    valueRecord.Value = "EXCEPTION: " + str(e)

        return keyRecord
 def LoadSubKeys(self,reg,key,regObjectList):
     """Recursively add every subkey of *key* (pre-order) to *regObjectList*.

     Each child's path is ``reg + "\\" + <child name>``; the child's own
     record is added via ``getregistrykeyobject`` before its subtree is
     descended.
     NOTE(review): recursion depth follows hive nesting depth; a corrupted
     hive with a subkey cycle would recurse without bound -- confirm
     ``rawreg.subkeys`` cannot yield one.
     """
     for child in rawreg.subkeys(key):
         childPath = "\\".join((reg, utils._utf8_encode(child.Name)))
         self.getregistrykeyobject(childPath, child, regObjectList)
         self.LoadSubKeys(childPath, child, regObjectList)
 def LoadSubKeys(self, reg, key, regObjectList):
     """Walk the subtree below *key* depth-first, recording every subkey.

     For each child returned by ``rawreg.subkeys`` the path is extended with
     a backslash and the child's name, the child is recorded through
     ``getregistrykeyobject``, and then its own children are visited.
     NOTE(review): depth is bounded only by hive nesting; a hive with a
     subkey cycle would recurse indefinitely -- confirm that cannot occur.
     """
     children = rawreg.subkeys(key)
     for sub in children:
         subPath = reg + '\\' + utils._utf8_encode(sub.Name)
         self.getregistrykeyobject(subPath, sub, regObjectList)
         self.LoadSubKeys(subPath, sub, regObjectList)