def urwid_output(self, ui, offset):
## Get the profile for this case:
import VolatilityLinux
ctx = VolatilityLinux.get_vol_object(ui.query['case'],
ui.query['memory'])
buf = format.Buffer(fd=ui.fd)[offset:]
result = self.render_profile(buf, ctx, self.volatility_object, ui)
return result
def get_length(self, fd, offset):
""" Returns the length of the JPEG by reading the blocks.
Algorithm taken from Samuel Tardieu <*****@*****.**>
* http://www.rfc1149.net/devel/recoverjpeg
"""
try:
buf = format.Buffer(fd=fd)[offset:]
j = JPEG(buf)
return j.size()
except CarverError,e:
pyflaglog.log(pyflaglog.DEBUG, "Carver failed: %s" % e)
return min(self.fd.size-offset, self.outer.length)
class ParseFormat(Hexeditor.Action):
""" Parse the data format and display the parsed output """
event = "e"
mode = "parse format"
def handle_key(self, ui, key):
if self.state == None:
self.state = "showing"
self.show_frame(ui)
else:
if key == 'q':
self.state = None
ui.mode = None
ui.top = self.old_frame
elif key==" ":
ui.top.keypress( (ui.width, ui.height ), "page down")
else:
ui.top.keypress((ui.width, ui.height), key)
return True
def draw(self, ui):
pass
def show_frame(self, ui):
try:
## Get the format object:
f = Registry.FILEFORMATS.formats[ui.selected]
except KeyError,e:
print "Error: %s:" % e
self.handle_key(ui,"q")
return
## Make a buffer
buf = format.Buffer(fd = ui.fd)
buf = buf[ui.mark:]
try:
result = f(buf).urwid_output(ui, ui.mark)
except Exception,e:
print "Error occured %s" % e
print FlagFramework.get_bt_string(e)
result = [urwid.Text(('body',"Error: %s" % e)),]
def render_pointer(self, ctx, target_obj, offset, ui):
## If this is a pointer to a volatility object we can link
## to it
def next_cb(widget):
## Find the physical Address:
ui.set_mark(ctx.addr_space.vtop(offset))
ui.reset()
if target_obj in maps:
return urwid.AttrWrap(
urwid.Button("Pointer to %s (0x%08X)" % (target_obj, offset),
on_press=next_cb), 'buttn', 'buttnf')
elif target_obj in inline_pointers:
## Find out the Physical Address which is the target of this VA
phy_offset = ctx.addr_space.vtop(offset)
obj = Registry.FILEFORMATS.formats[inline_pointers[\
target_obj]](format.Buffer(fd = ui.fd, offset = phy_offset))
return obj.urwid_output(ui, phy_offset)
return urwid.Text("Pointer to %s (0x%08X)" % (target_obj, offset))
def examine_hit(self, fd, offset, length):
fd.seek(offset)
## This effectively localises the match to make sure we
## dont try to read wild pointers
b = format.Buffer(fd=cStringIO.StringIO(fd.read(0x700)))
## Try to parse it as an URLEntry
try:
event = IECache.URLEntry(b)
except:
return
## Size is too big
if event['size'].get_value() > 10:
return
url = event['url'].__str__()
args = dict(
inode_id=self.fd.inode_id,
offset=offset,
length=event['size'].get_value() * IECache.blocksize,
type=event['type'].get_value().decode("ascii", "ignore"),
url=url,
_modified='from_unixtime(%d)' %
event['modified_time'].get_value(),
_accessed='from_unixtime(%d)' %
event['accessed_time'].get_value(),
filename=event['filename'],
)
try:
args['headers'] = event['data']
except:
pass
dbh = DB.DBO(self.case)
dbh.insert("ie_history", **args)
test_case = "PyFlagIndexTestCase"
test_file = "pyflag_stdimage_0.4.e01"
subsystem = 'EWF'
order = 30
offset = "16128s"
def test01CarveImage(self):
""" Carving from Image """
env = pyflagsh.environment(case=self.test_case)
pyflagsh.shell_execv(env=env, command="scan",
argv=["*",'JPEGCarver'])
## See if we found the two images from within the word
## document:
expected = [ "Itest|K1289-0-0|o150712:85550", "Itest|K1289-0-0|o96317:141763"]
dbh = DB.DBO(self.test_case)
for inode in expected:
dbh.execute("select inode from inode where inode=%r limit 1", inode)
row = dbh.fetch()
self.assert_(row != None)
if __name__ == '__main__':
import sys
fd = open(sys.argv[1])
b = format.Buffer(fd=fd)
h = JPEG(b)
print "Size of jpeg is %s" % h.size()
class RevEng_GUI(Reports.report):
""" Allows us to manipulate data structures in reverse engineering efforts """
name = "DAFT"
family = "Misc"
description = "Data Analysis Facilitation Tool (Reverse Engineering)"
# parameters = { "foo": "any"}
def analyse(self, query):
pass
def display(self, query, result):
result.start_form(query)
def settings_cb(query, ui):
ui.decoration = "naked"
try:
if query['finish'] and query['MaxRows'] and query[
'StartOffset']:
del query['finish']
del query['submit']
ui.refresh(0, query, parent=1)
except KeyError:
pass
ui.start_form(query)
ui.start_table()
ui.textfield("Starting Offset", "StartOffset", size=20)
ui.textfield("Maximum Rows", "MaxRows")
ui.checkbox("Click here to finish", "finish", "yes")
ui.end_table()
ui.end_form()
return ui
def popup_cb(query, ui, column_number=None, mode=''):
"""Popup for defining column attributes"""
## print "I am here"
ui.decoration = "naked"
if mode == 'insert':
pre = 'insert_'
else:
pre = ''
try:
if query['finish'] and query['%sname_%s' %
(pre, column_number)]:
del query['finish']
del query['submit']
ui.refresh(0, query, parent=1)
except KeyError:
pass
ui.start_form(query)
ui.start_table()
if mode == 'insert':
ui.heading("Inserting Column number %s" % column_number)
else:
ui.heading("Column number %s" % column_number)
names = [
x.__name__ for x in Registry.FILEFORMATS.classes if x.visible
]
ui.textfield("Name for this field",
"%sname_%s" % (pre, column_number))
ui.const_selector("Data Type",
'%sdata_type_%s' % (pre, column_number), names,
names)
try:
temp = Registry.FILEFORMATS[query['%sdata_type_%s' %
(pre, column_number)]]("",
None)
ui.row("Description", temp.__doc__)
temp.form("%sparameter_%s_" % (pre, column_number), query, ui)
except KeyError, e:
print 'KeyError: %s' % e
ui.checkbox("Visible",
"%svisible_%s" % (pre, column_number),
"yes",
checked=True)
ui.checkbox("Click here to finish", "finish", "yes")
ui.end_table()
ui.end_form()
return ui
def delete_col_cb(query, ui, column_number=None):
"""Popup to confirm deletion of column"""
ui.decoration = "naked"
ui.heading("Delete column number %s?" % column_number)
try:
if query['submit']:
del query['submit']
ui.refresh(0, query, parent=1)
except KeyError:
pass
ui.start_form(query)
ui.checkbox("Click here to delete", "delete_%s" % column_number,
"yes")
ui.end_form()
return ui
def processquery(query):
delcol = -1
insvalues = {}
for k in query.keys():
if k.startswith('delete_'):
delcol = int(k[7:])
del query[k]
break
elif k.startswith('insert_'):
insvalues[k[7:]] = query[k]
if k.startswith('insert_name_'):
inscol = int(k[12:])
del query[k]
continue
elif k.startswith('savenow'):
savelayout(query)
del query[k]
break
elif k.startswith('loadlayout'):
openlayout(query)
del query[k]
### other stuff for ins col parameters
if delcol >= 0:
count = delcol
while 1:
try:
query['name_%s' % count]
count += 1
except KeyError:
break
for i in range(delcol + 1, count):
del query['name_%s' % (i - 1)]
del query['data_type_%s' % (i - 1)]
del query['visible_%s' % (i - 1)]
params = [
k for k in query.keys()
if k.startswith('parameters_%s_' % (i - 1))
]
for parameter in params:
del query[parameter]
query['name_%s' % (i - 1)] = query['name_%s' % i]
query['data_type_%s' % (i - 1)] = query['data_type_%s' % i]
query['visible_%s' % (i - 1)] = query['visible_%s' % i]
key = 'parameter_'
params = [
k[11 + len('%s' % i):] for k in query.keys()
if k.startswith('%s%s_' % (key, i))
]
for parameter in params:
query['%s%s_%s' %
(key, (i - 1), parameter)] = query['%s%s_%s' %
(key, i,
parameter)]
del query['name_%s' % (count - 1)]
del query['data_type_%s' % (count - 1)]
del query['visible_%s' % (count - 1)]
params = [
k for k in query.keys()
if k.startswith('parameter_%s_' % (count - 1))
]
for parameter in params:
del query[params]
elif len(insvalues) > 0:
count = inscol
while 1:
try:
query['name_%s' % count]
count += 1
except KeyError:
break
for i in range(count, inscol, -1):
query['name_%s' % i] = query['name_%s' % (i - 1)]
query['data_type_%s' % i] = query['data_type_%s' % (i - 1)]
query['visible_%s' % i] = query['visible_%s' % (i - 1)]
key = 'parameter_'
params = [
k[11 + len('%s' % (i - 1)):] for k in query.keys()
if k.startswith('%s%s_' % (key, (i - 1)))
]
for parameter in params:
query['%s%s_%s' %
(key, i, parameter)] = query['%s%s_%s' %
(key, (i - 1),
parameter)]
del query['name_%s' % (i - 1)]
del query['data_type_%s' % (i - 1)]
del query['visible_%s' % (i - 1)]
params = [
k for k in query.keys()
if k.startswith('parameter_%s_' % (i - 1))
]
for parameter in params:
del query[parameter]
for k in insvalues.keys():
query[k] = insvalues[k]
def open_cb(query, ui):
"""Popup for loading a layout"""
ui.decoration = "naked"
dbh = self.DBO(query['case'])
try:
if query['finish']:
del query['finish']
del query['submit']
ui.refresh(0, query, parent=1)
except KeyError:
pass
ui.start_form(query)
ui.start_table()
ui.heading("Load a saved layout")
try:
dbh.execute('select name from DAFTLayouts')
rows = []
for row in dbh:
rows.append(row['name'])
ui.const_selector("Layout Name", "loadlayout", rows, rows)
except DB.DBError:
dbh.execute(
'create table DAFTLayouts (`name` text, `layout` text)')
ui.const_selector("Layout Name", "loadlayout", [''], [''])
ui.checkbox("Click here to finish", "finish", "yes")
ui.end_table()
ui.end_form()
return ui
### Create a list of saved layouts
def openlayout(query):
dbh = self.DBO(query['case'])
keylist = [
'name_', 'data_type_', 'visible_', 'parameter_', 'fileselect',
'MaxRows', 'StartOffset', 'savelayout'
]
try:
dbh.execute("select layout from DAFTLayouts where name='%s'" %
query['loadlayout'])
except DB.DBError:
pass
rows = []
oldkeys = []
for row in dbh:
rows.append(row)
try:
if len(rows) < 1:
raise ValueError
for k in keylist:
oldkeys = [x for x in query.keys() if x.startswith(k)]
for key in oldkeys:
del query[key]
for kvpair in rows[0]['layout'].split(','):
key, value = kvpair.split('=')
query[key] = value
except ValueError:
pass
def save_cb(query, ui):
"""Popup for saving layout"""
ui.decoration = "naked"
try:
if query['finish'] and query['savelayout']:
query['savenow'] = 'yes'
del query['finish']
del query['submit']
ui.refresh(0, query, parent=1)
except KeyError:
pass
ui.start_form(query)
ui.start_table()
ui.heading("Save current layout")
ui.textfield("Layout name", "savelayout")
ui.checkbox("Click here to finish", "finish", "yes")
ui.end_table()
ui.end_form()
return ui
def savelayout(query):
"""Saves the current layout into the DAFTLayouts table"""
dbh = self.DBO(query['case'])
keylist = [
'name_', 'data_type_', 'visible_', 'parameter_', 'fileselect',
'MaxRows', 'StartOffset', 'savelayout'
]
try:
dbh.execute(
"select name, layout from DAFTLayouts where name='%s'" %
query['savelayout'])
except DB.DBError:
dbh.execute(
"create table DAFTLayouts (`name` text, `layout` text)")
dbh.execute(
"select name, layout from DAFTLayouts where name='%s'" %
query['savelayout'])
rows = []
keys = []
for row in dbh:
rows.append(row)
for k in keylist:
keys = keys + [x for x in query.keys() if x.startswith(k)]
value = ','.join('%s=%s' % (x, query[x]) for x in keys)
if rows == []:
dbh.execute(
"insert into DAFTLayouts set name='%s', layout='%s'" %
(query['savelayout'], value))
else:
dbh.execute(
"update DAFTLayouts set layout='%s' where name='%s'" %
(value, query['savelayout']))
def filelist_cb(query, ui):
"""Popup to select files to analyse"""
ui.decoration = "naked"
try:
if query['finish'] and query['fileselect']:
del query['finish']
del query['submit']
ui.refresh(0, query, parent=1)
except KeyError:
pass
ui.start_form(query)
ui.start_table()
ui.heading("Select files")
values = []
keys = []
dbh.execute("select name, path, inode from file where inode != ''")
for row in dbh:
values.append('%s%s' % (row['path'], row['name']))
keys.append(row['inode'])
ui.const_selector("File", "fileselect", keys, values)
ui.checkbox("Click here to finish", "finish", "yes")
ui.end_table()
ui.end_form()
def render_HTMLUI(data):
"""Callback to render mysql stored data in HTML"""
tmp = result.__class__(result)
tmp.result = data
return tmp
##### Display starts here
try:
result.heading("Data Analysis Facilitation Tool")
dbh = DB.DBO(query['case'])
processquery(query)
## Build a struct to work from:
try:
startoffset = DAFTFormats.numeric(query['StartOffset'])
except KeyError:
startoffset = 0
try:
maxrows = DAFTFormats.numeric(query['MaxRows'])
except KeyError:
maxrows = 10
fsfd = FileSystem.DBFS(query["case"])
try:
fd = fsfd.open(inode=query['fileselect'])
fdsize = fsfd.istat(inode=query['fileselect'])
fd.block_size = dbh.get_meta('block_size')
buf = format.Buffer(fd=fd)[startoffset:]
except IOError, e:
print 'IOError: %s' % e
fd = None
fdsize = 0
s = '\x00' * 1024
buf = format.Buffer(string=s)
except KeyError, e:
print 'KeyError: %s' % e
s = '\x00' * 1024
buf = format.Buffer(string=s)
fd = None
fdsize = 0