def get_process_created_details(io, metadata, event, extra_detail_io):
io.seek(4, 1) # Unknown fields
event.details["PID"] = read_u32(io)
io.seek(0x24, 1) # Unknown fields
unknown_size1 = read_u8(io)
unknown_size2 = read_u8(io)
path_info = read_detail_string_info(io)
command_line_info = read_detail_string_info(io)
io.seek(2 + unknown_size1 + unknown_size2, 1) # Unknown fields
event.path = read_detail_string(io, path_info)
event.details["Command line"] = read_detail_string(io, command_line_info)
def __init__(self, io, total_size, number_of_events):
super(EventOffsetsArray, self).__init__()
stream = BytesIO(io.read(total_size))
offsets = [0] * number_of_events
for i in range(number_of_events):
offsets[i] = read_u32(stream)
_ = read_u8(stream) # Unknown flags
self.extend(offsets)
def get_filesystem_setdispositioninformation_details(io, metadata, event, details_io, extra_detail_io):
is_delete = bool(read_u8(io))
io.seek(3, 1) # Padding
if is_delete:
event.details["Delete"] = "True"
event.category = "Write"
else:
event.details["Delete"] = "False"
def get_filesystem_event_details(io, metadata, event, extra_detail_io):
sub_operation = read_u8(io)
# fix operation name if there is more specific sub operation
if 0 != sub_operation and FilesystemOperation[event.operation] in FilesystemSubOperations:
try:
event.operation = FilesystemSubOperations[FilesystemOperation[event.operation]](sub_operation).name
except ValueError:
event.operation += " <Unknown>"
io.seek(1 + sizeof_pvoid(metadata.is_64bit) * 5 + 0x16, 1) # Unknown fields
path_info = read_detail_string_info(io)
io.seek(2, 1) # Unknown fields
event.path = read_detail_string(io, path_info)
if event.operation in FilesystemSubOperationHandler:
FilesystemSubOperationHandler[event.operation](io, metadata, event, extra_detail_io)
def get_filesystem_event_details(io, metadata, event, extra_detail_io):
sub_operation = read_u8(io)
io.seek(0x3, 1) # padding
# fix operation name if there is more specific sub operation
if 0 != sub_operation and FilesystemOperation[event.operation] in FilesystemSubOperations:
try:
event.operation = FilesystemSubOperations[FilesystemOperation[event.operation]](sub_operation).name
except ValueError:
event.operation += " <Unknown>"
details_io = BytesIO(io.read(metadata.sizeof_pvoid * 5 + 0x14))
path_info = read_detail_string_info(io)
io.seek(2, 1) # Padding
event.path = read_detail_string(io, path_info)
if metadata.should_get_details and event.operation in FilesystemSubOperationHandler:
FilesystemSubOperationHandler[event.operation](io, metadata, event, details_io, extra_detail_io)
def get_filesystem_create_file_details(io, metadata, event, details_io, extra_detail_io):
event.details["Desired Access"] = get_filesystem_access_mask_string(read_u32(io))
impersonating_sid_length = read_u8(io)
io.seek(0x3, 1) # padding
details_io.seek(0x10, 1)
if metadata.sizeof_pvoid == 8:
details_io.seek(4, 1) # Padding for 64 bit
disposition_and_options = read_u32(details_io)
disposition = disposition_and_options >> 0x18
options = disposition_and_options & 0xffffff
if metadata.sizeof_pvoid == 8:
details_io.seek(4, 1) # Padding for 64 bit
attributes = read_u16(details_io)
share_mode = read_u16(details_io)
event.details["Disposition"] = get_enum_name_or(FilesystemDisposition, disposition, "<unknown>")
event.details["Options"] = get_filesysyem_create_options(options)
event.details["Attributes"] = get_filesysyem_create_attributes(attributes)
event.details["ShareMode"] = get_filesysyem_create_share_mode(share_mode)
details_io.seek(0x4 + metadata.sizeof_pvoid * 2, 1)
allocation = read_u32(details_io)
allocation_value = allocation if disposition in [FilesystemDisposition.Supersede, FilesystemDisposition.Create,
FilesystemDisposition.OpenIf,
FilesystemDisposition.OverwriteIf] else "n/a"
event.details["AllocationSize"] = allocation_value
if impersonating_sid_length:
event.details["Impersonating"] = get_sid_string(io.read(impersonating_sid_length))
open_result = None
if extra_detail_io:
open_result = read_u32(extra_detail_io)
event.details["OpenResult"] = get_enum_name_or(FilesystemOpenResult, open_result, "<unknown>")
if open_result in [FilesystemOpenResult.Superseded, FilesystemOpenResult.Created, FilesystemOpenResult.Overwritten]:
event.category = "Write"
elif open_result in [FilesystemOpenResult.Opened, FilesystemOpenResult.Exists, FilesystemOpenResult.DoesNotExist]:
pass
elif event.details["Disposition"] in ["Open", "<unknown>"]:
pass
else:
event.category = "Write"
def get_filesystem_query_directory_details(io, metadata, event, details_io, extra_detail_io):
event.category = "Read Metadata"
directory_name_info = read_detail_string_info(io)
directory_name = read_detail_string(io, directory_name_info)
if directory_name:
event.path = event.path + directory_name if event.path[-1] == "\\" else event.path + "\\" + directory_name
event.details['Filter'] = directory_name
details_io.seek(0x10, 1)
if metadata.sizeof_pvoid == 8:
details_io.seek(4, 1) # Padding for 64 bit
details_io.seek(0x4, 1)
if metadata.sizeof_pvoid == 8:
details_io.seek(4, 1) # Padding for 64 bit
file_information_class = FileInformationClass(read_u32(details_io))
event.details["FileInformationClass"] = file_information_class.name
if extra_detail_io and file_information_class in [FileInformationClass.FileDirectoryInformation,
FileInformationClass.FileFullDirectoryInformation,
FileInformationClass.FileBothDirectoryInformation,
FileInformationClass.FileNamesInformation,
FileInformationClass.FileIdBothDirectoryInformation,
FileInformationClass.FileIdFullDirectoryInformation]:
extra_detail_length = len(extra_detail_io.getvalue())
next_entry_offset = -1 # hack so the first iteration won't exit
current_entry_offset = 1
i = 0 if directory_name else -1
while True:
i += 1
if next_entry_offset == 0 or (current_entry_offset + next_entry_offset) > extra_detail_length:
break # No more structures
extra_detail_io.seek(current_entry_offset + next_entry_offset, 0)
current_entry_offset = extra_detail_io.tell()
next_entry_offset = read_u32(extra_detail_io)
file_index = read_u32(extra_detail_io)
if file_information_class == FileInformationClass.FileNamesInformation:
# FILE_NAMES_INFORMATION structure
file_name_length = read_u32(extra_detail_io)
event.details[str(i)] = read_utf16(extra_detail_io, file_name_length)
continue
creation_time = read_filetime(extra_detail_io)
last_access_time = read_filetime(extra_detail_io)
last_write_time = read_filetime(extra_detail_io)
change_time = read_filetime(extra_detail_io)
end_of_file = read_u64(extra_detail_io)
allocation_size = read_u64(extra_detail_io)
file_attributes = read_u32(extra_detail_io)
file_name_length = read_u32(extra_detail_io)
if file_information_class == FileInformationClass.FileDirectoryInformation:
# FILE_DIRECTORY_INFORMATION structure
event.details[str(i)] = read_utf16(extra_detail_io, file_name_length)
continue
ea_size = read_u32(extra_detail_io)
if file_information_class == FileInformationClass.FileFullDirectoryInformation:
# FILE_FULL_DIR_INFORMATION structure
event.details[str(i)] = read_utf16(extra_detail_io, file_name_length)
continue
if file_information_class == FileInformationClass.FileIdFullDirectoryInformation:
# FILE_ID_FULL_DIR_INFORMATION structure
file_id = read_u64(extra_detail_io)
event.details[str(i)] = read_utf16(extra_detail_io, file_name_length)
continue
short_name_length = read_u8(extra_detail_io)
extra_detail_io.seek(1, 1) # Padding
short_name = extra_detail_io.read(12 * 2)
if file_information_class == FileInformationClass.FileBothDirectoryInformation:
# FILE_BOTH_DIR_INFORMATION structure
event.details[str(i)] = read_utf16(extra_detail_io, file_name_length)
continue
# FILE_ID_BOTH_DIR_INFORMATION structure
extra_detail_io.seek(2, 1) # Padding
file_id = read_u64(extra_detail_io)
event.details[str(i)] = read_utf16(extra_detail_io, file_name_length)
continue