def __setConnections(self, attrs):
if self._fsobj.connections.has_key(long(self.eproc.UniqueProcessId)):
conns = VMap()
count = 0
for conn_obj in self._fsobj.connections[long(
self.eproc.UniqueProcessId)]:
count += 1
conn = VMap()
conn["Local IP address"] = Variant(str(conn_obj.localAddr))
conn["Local port"] = Variant(int(conn_obj.localPort))
if conn_obj.proto is not None:
conn["Protocol"] = Variant(int(conn_obj.proto))
conn["Protocol type"] = Variant(conn_obj.type)
if conn_obj.ctime is not None:
create_datetime = conn_obj.ctime.as_windows_timestamp()
vt = MS64DateTime(create_datetime)
vt.thisown = False
conn["Create time"] = Variant(vt)
if conn_obj.remoteAddr is not None:
conn["Remote IP address"] = Variant(
str(conn_obj.remoteAddr))
conn["Remote port"] = Variant(int(conn_obj.remotePort))
if conn_obj.state is not None:
conn["State"] = Variant(str(conn_obj.state))
conns["Connection " + str(count)] = Variant(conn)
attrs["Connections"] = conns
def attributesTypes(values, types):
if types == vtime:
val = vtime(*values) #(X, X) vtime take 2 arguments
val.thisown = False
elif (types == int) or (types == long):
if type(values) == str: #XXX strange ?
values = 0
val = types(values)
elif (types == dict):
val = VMap()
for k, v in values.iteritems():
vval = Variant(attributesTypes(*v))
val[k] = vval
elif (types == list):
val = VList()
for v in values:
vval = Variant(attributesTypes(*v))
val.append(vval)
elif (types == str):
if type(values) == unicode:
val = values.encode("ascii", "replace")
else:
val = str(values)
elif (types == VLink): #return node is already created
val = values
else:
val = types(values)
return val
def _attributes(self):
attr = VMap()
attr.thisown = False
try:
vlist = Variant(self.evt_record.getStrings(), typeId.String)
vlist.thisown = False
attr["Log strings"] = vlist
except RuntimeError:
pass
s_name = Variant(self.evt_record.sourceName())
attr["Source name"] = s_name
c_name = Variant(self.evt_record.computerName())
attr["Computer name"] = c_name
event_type = Variant(self.evt_record.eventType())
attr["Event type"] = event_type
time_gen = Variant(self.evt_record.getTimeGenerated())
attr["Time generated"] = time_gen
time_written = Variant(self.evt_record.getTimeWritten())
attr["Time written"] = time_written
return attr
def _attributes(self):
attr = VMap()
vmap = VMap()
for t in self.tables.map:
vmap[hex(t)] = Variant(hex(self.tables.map[t].write))
attr["tables"] = Variant(vmap)
attr["reallocated blocks"] = Variant(self.aalloc)
return attr
def attributes(self, node):
try:
classAttributes = self.nodeAttributes[long(node.this)]
return classAttributes._attributes()
except KeyError:
attr = VMap()
attr.thisown = False
return attr
def attributes(self, node):
try:
classAttributes = self.nodeAttributes[node.uid()]
return classAttributes._attributes()
except KeyError:
attr = VMap()
attr.thisown = False
return attr
def _attributes(self):
attr = VMap()
for i in xrange(0, 2):
vmap = VMap()
name = ["segment 0 (norfs)", "segment 1 (nandfs)"]
vmap["start offset"] = Variant(self.boot.segment[i].start)
vmap["end offset"] = Variant(self.boot.segment[i].end)
vmap["size"] = Variant(self.boot.segment[i].size)
vmap["erse block size"] = Variant(self.boot.segment[i].erasesize)
vmap["block size"] = Variant(self.boot.segment[i].blocksize)
attr[name[i]] = Variant(vmap)
return attr
def _setLoadedModules(self, attrs):
dlls = VList()
for m in self.eproc.get_load_modules():
name = str(m.FullDllName) or 'N/A'
dll = VMap()
dllattribs = VMap()
dllattribs["Base"] = Variant(long(m.DllBase))
dllattribs["Size"] = Variant(long(m.SizeOfImage))
if name != "N/A":
self._setImportedFunctions(name, dllattribs)
dll[name] = Variant(dllattribs)
dlls.append(dll)
attrs["Loaded modules"] = Variant(dlls)
def attributes(self, node):
m = VMap()
hinfos = self.calculatedHash[long(node.this)]
hashes = self.getHashes(node)
for algo in hashes:
v = Variant(str(hashes[algo]))
m[str(algo)] = v
if len(hinfos.hsets):
knownBad = []
knownGood = []
for setId in hinfos.hsets:
hset = self.parent.hashSets.get(setId)
if hset.knownGood:
knownGood.append(hset)
else:
knownBad.append(hset)
if len(knownBad):
badList = VList()
for badSet in knownBad:
vname = Variant(badSet.name)
badList.append(vname)
m["known bad"] = badList
if len(knownGood):
goodList = VList()
for goodSet in knownGood:
vname = Variant(goodSet.name)
goodList.append(vname)
m["known good"] = goodList
return m
def _setFileAttributes(self, handle, files):
file_attrs = VMap()
fileobj = handle.dereference_as("_FILE_OBJECT")
#self._setTimestamp(thrd, thrd_attrs)
fnamedev = fileobj.file_name_with_device()
if True:
if fnamedev.find("\\Device\\HarddiskVolume1") != -1:
fnamedev_overlay = fnamedev.replace(
"\\Device\\HarddiskVolume1",
"WinXpPro/WinXpPro.vmdk/Baselink/VirtualHDD/Partitions/Partition 1/NTFS"
).replace("\\", "/")
node = self.v.getnode(fnamedev_overlay)
if node:
file_attrs["HardDriveImage"] = Variant(node)
else:
file_attrs["HardDriveImage"] = Variant("Not found")
file_attrs["WriteAccess"] = Variant(fileobj.WriteAccess > 0,
typeId.Bool)
file_attrs["ReadAccess"] = Variant(fileobj.ReadAccess > 0, typeId.Bool)
file_attrs["DeleteAccess"] = Variant(fileobj.DeleteAccess > 0,
typeId.Bool)
file_attrs["SharedRead"] = Variant(fileobj.SharedRead > 0, typeId.Bool)
file_attrs["SharedWrite"] = Variant(fileobj.SharedWrite > 0,
typeId.Bool)
file_attrs["SharedDelete"] = Variant(fileobj.SharedDelete > 0,
typeId.Bool)
files[fnamedev] = file_attrs
def attributes(self, node):
try:
attr = self.nodeAttributes[node.uid()]
return AttributesVMap(attr)
except KeyError:
attr = VMap()
return attr
def _attributes(self):
vmap = VMap()
v = Variant(self.cbFormat)
vmap['Clibboard Format'] = v
v = Variant(self.cbDataFormat)
vmap['Clibboard Data Format'] = v
return vmap
def _attributes(self):
attr = VMap()
vt = vtime(self.timestamp, TIME_MS_64)
vt.thisown = False
vmodified = Variant(vt)
attr["modified"] = vmodified
return attr
def _setThreadAttributes(self, handle, threads):
thrd_attrs = VMap()
thrd = handle.dereference_as("_ETHREAD")
thrd_attrs["UniqueProcess"] = Variant(int(thrd.Cid.UniqueProcess))
self._setTimestamp(thrd, thrd_attrs)
threads[str(thrd.Cid.UniqueThread)] = thrd_attrs
def attributes(self, node):
attr = VMap()
vfile = node.open()
img = Image.open(vfile)
info = img._getexif()
vfile.close()
for tag, values in info.items():
if tag in self.dateTimeTags:
try:
decoded = str(TAGS.get(tag, tag))
try:
dt = strptime(values, "%Y:%m:%d %H:%M:%S")
except ValueError:
try:
dt = strptime(values[:-6], "%Y-%m-%dT%H:%M:%S")
except ValueError:
dt = strptime(values.rstrip(' '),
"%a %b %d %H:%M:%S")
vt = vtime(dt.tm_year, dt.tm_mon, dt.tm_mday, dt.tm_hour,
dt.tm_min, dt.tm_sec, 0)
vt.thisown = False
attr[decoded] = Variant(vt)
except Exception as e:
attr[decoded] = Variant(str(values))
else:
decoded = str(TAGS.get(tag, tag))
if isinstance(values, tuple):
vl = VList()
for value in values:
vl.push_back(Variant(value))
attr[decoded] = vl
else:
attr[decoded] = Variant(values)
return attr
def _attributes(self):
attr = VMap()
vt = MS64DateTime(self.timestamp)
vt.thisown = False
vmodified = Variant(vt)
attr["modified"] = vmodified
return attr
def attributes(self, node):
try:
attr = self.nodeAttributes[long(node.this)]
return AttributesVMap(attr)
except KeyError:
attr = VMap()
return attr
def attributes(self, node):
attr = VMap()
try:
attr["skin percent"] = Variant(self.skinnodes[node.uid()])
except Exception:
pass
return attr
def __flagsToVariant(self, flags):
attrsflags = VMap()
for name in sorted(flags.members.keys()):
value = flags.m(name)
if value != 0:
attrsflags[str(name)] = Variant(long(value))
return attrsflags
def _attributes(self):
attr = VMap()
if self.pid != None:
attr["pid"] = Variant(self.pid)
if self.active_threads:
attr["threads"] = Variant(self.active_threads)
if self.inherited_from:
attr["ppid"] = Variant(self.inherited_from)
if self.handle_count:
attr["handle count"] = Variant(self.handle_count)
if self.connections:
attr["connection"] = Variant(self.connections)
if self.create_time:
at = vtime()
at.thisown = False
d = datetime.fromtimestamp(self.create_time).timetuple()
at.year = d[0]
at.month = d[1]
at.day = d[2]
at.hour = d[3]
at.minute = d[4]
at.second = d[5]
at.usecond = 0
attr["creation"] = Variant(at)
return attr
def start(self, args):
if args.has_key("start-offset"):
startoff = args["start-offset"].value()
else:
startoff = 0
if args.has_key("block-aligned"):
aligned = True
else:
aligned = False
patterns = VList()
for mimetype in filetypes.keys():
if mimetype in args:
vsubtypes = args[mimetype].value()
for subtype in filetypes[mimetype].keys():
if subtype in vsubtypes:
pattern = VMap()
descr = filetypes[mimetype][subtype]
for p in descr:
header = VMap()
header["needle"] = Variant(p[0], typeId.String)
header["size"] = Variant(len(p[0]), typeId.UInt32)
footer = VMap()
footer["needle"] = Variant(p[1], typeId.String)
footer["size"] = Variant(len(p[1]), typeId.UInt32)
pattern["filetype"] = Variant(
subtype, typeId.String)
pattern["header"] = Variant(header)
pattern["footer"] = Variant(footer)
pattern["window"] = Variant(
int(p[2]), typeId.UInt32)
if aligned:
pattern["aligned"] = Variant(True, typeId.Bool)
else:
pattern["aligned"] = Variant(
False, typeId.Bool)
patterns.append(pattern)
margs = VMap()
margs["patterns"] = Variant(patterns)
margs["file"] = args["file"]
margs["start-offset"] = Variant(startoff, typeId.UInt64)
proc = self.tm.add("carver", margs, ["console"])
if proc:
proc.event.wait()
def _attributes(self):
i = 1
attr = VMap()
vlist = VList()
for f in self.files:
node = f.value()
vlist.append(Variant(node.absolute()))
attr["concatanated files (ordered)"] = Variant(vlist)
return attr
def attributes(self, node):
attr = VMap()
attr.thisown = False
file = node.open()
parser = guessParser(StringInputStream(file.read()))
file.close()
if not parser:
attr["info"] = Variant("unable to read metadata")
return attr
try:
metadata = extractMetadata(parser)
for data in metadata:
if not(any(data.values)):
continue
attr[data.key] = Variant("; ".join([str(val.value) for val in data.values]))
except HachoirError, err:
attr["info"] = Variant("error while reading metadata")
def attributes(self, node):
attr = VMap()
try:
result = self.nodeAttributes[node.uid()]
v = Variant(result)
attr["malware"] = v
except KeyError:
pass
return attr
def __attributes(self):
attrs = VMap()
if self._baseaddr != -1:
attrs["Virtual Base address"] = Variant(self._boffset)
attrs["Physical Base address"] = Variant(
self._aspace.translate(self._boffset))
else:
attrs["Virtual Base address (not valid addr)"] = Variant(
self._boffset)
return attrs
def __attributes(self):
attrs = VMap()
if self._baseaddr != -1:
attrs["Virtual Base address"] = Variant(self._boffset)
attrs["Physical Base address"] = Variant(
self._ldr_entry.obj_offset)
else:
attrs["Virtual Base address (not valid addr)"] = Variant(
self._boffset)
return attrs
def _attributes(self):
try:
attr = AttributesVMap(ResolveAttributesMap(self, self.AttributesMap))
if self.extraAttr:
(name, vmap) = self.extraAttr
attr[name] = vmap
return attr
except :
attr = VMap()
return attr
def _attributes(self):
try:
attr = VMap()
attr['type'] = Variant(regtype[self.__type])
data = self.decodeData()
if data != None:
attr['data'] = data
except Exception as e:
pass
return attr
def _setHandles(self):
self.handles_map = VMap()
hmap = {}
for handle in self.eproc.ObjectTable.handles():
object_type = handle.get_object_type()
if object_type != None:
if object_type in WinProcNode.handleMapper:
if object_type not in hmap:
hmap[str(object_type)] = VMap()
func = getattr(self, WinProcNode.handleMapper[object_type])
func(handle, hmap[str(object_type)])
else:
pass
#name = str(handle.NameInfo.Name)
# if len(name):
#if object_type not in self.handles_map:
# self.handles_map[object_type] = []
#self.handles_map[object_type].append(name)
for key in hmap:
self.handles_map[key] = hmap[key]
def _attributes(self):
attr = VMap()
attr["Last modified"] = self.getTime(
self.record.metadata().lastModifiedDateTime())
attr["Last fetched"] = self.getTime(
self.record.metadata().lastFetchedDateTime())
attr["Expiration"] = self.getTime(
self.record.metadata().expirationDateTime())
return attr
def __split(self, root, chunksize):
nodesize = self.origin.size()
chunks = nodesize / chunksize
vmap = VMap()
vmap["complete chunks"] = Variant(chunks)
for idx in xrange(0, chunks*chunksize, chunksize):
snode = SplitNode(self, root, self.origin, idx, chunksize)
lastchunk = nodesize % chunksize
if lastchunk != 0:
snode = SplitNode(self, root, self.origin, self.origin.size() - lastchunk, lastchunk)
vmap["truncated chunk (size)"] = Variant(lastchunk)
self.res[str(chunksize) + " bytes split"] = Variant(vmap)
