def urwid_output(self, ui, offset): ## Get the profile for this case: import VolatilityLinux ctx = VolatilityLinux.get_vol_object(ui.query['case'], ui.query['memory']) buf = format.Buffer(fd=ui.fd)[offset:] result = self.render_profile(buf, ctx, self.volatility_object, ui) return result
def get_length(self, fd, offset): """ Returns the length of the JPEG by reading the blocks. Algorithm taken from Samuel Tardieu <*****@*****.**> * http://www.rfc1149.net/devel/recoverjpeg """ try: buf = format.Buffer(fd=fd)[offset:] j = JPEG(buf) return j.size() except CarverError,e: pyflaglog.log(pyflaglog.DEBUG, "Carver failed: %s" % e) return min(self.fd.size-offset, self.outer.length)
class ParseFormat(Hexeditor.Action): """ Parse the data format and display the parsed output """ event = "e" mode = "parse format" def handle_key(self, ui, key): if self.state == None: self.state = "showing" self.show_frame(ui) else: if key == 'q': self.state = None ui.mode = None ui.top = self.old_frame elif key==" ": ui.top.keypress( (ui.width, ui.height ), "page down") else: ui.top.keypress((ui.width, ui.height), key) return True def draw(self, ui): pass def show_frame(self, ui): try: ## Get the format object: f = Registry.FILEFORMATS.formats[ui.selected] except KeyError,e: print "Error: %s:" % e self.handle_key(ui,"q") return ## Make a buffer buf = format.Buffer(fd = ui.fd) buf = buf[ui.mark:] try: result = f(buf).urwid_output(ui, ui.mark) except Exception,e: print "Error occured %s" % e print FlagFramework.get_bt_string(e) result = [urwid.Text(('body',"Error: %s" % e)),]
def render_pointer(self, ctx, target_obj, offset, ui): ## If this is a pointer to a volatility object we can link ## to it def next_cb(widget): ## Find the physical Address: ui.set_mark(ctx.addr_space.vtop(offset)) ui.reset() if target_obj in maps: return urwid.AttrWrap( urwid.Button("Pointer to %s (0x%08X)" % (target_obj, offset), on_press=next_cb), 'buttn', 'buttnf') elif target_obj in inline_pointers: ## Find out the Physical Address which is the target of this VA phy_offset = ctx.addr_space.vtop(offset) obj = Registry.FILEFORMATS.formats[inline_pointers[\ target_obj]](format.Buffer(fd = ui.fd, offset = phy_offset)) return obj.urwid_output(ui, phy_offset) return urwid.Text("Pointer to %s (0x%08X)" % (target_obj, offset))
def examine_hit(self, fd, offset, length): fd.seek(offset) ## This effectively localises the match to make sure we ## dont try to read wild pointers b = format.Buffer(fd=cStringIO.StringIO(fd.read(0x700))) ## Try to parse it as an URLEntry try: event = IECache.URLEntry(b) except: return ## Size is too big if event['size'].get_value() > 10: return url = event['url'].__str__() args = dict( inode_id=self.fd.inode_id, offset=offset, length=event['size'].get_value() * IECache.blocksize, type=event['type'].get_value().decode("ascii", "ignore"), url=url, _modified='from_unixtime(%d)' % event['modified_time'].get_value(), _accessed='from_unixtime(%d)' % event['accessed_time'].get_value(), filename=event['filename'], ) try: args['headers'] = event['data'] except: pass dbh = DB.DBO(self.case) dbh.insert("ie_history", **args)
test_case = "PyFlagIndexTestCase" test_file = "pyflag_stdimage_0.4.e01" subsystem = 'EWF' order = 30 offset = "16128s" def test01CarveImage(self): """ Carving from Image """ env = pyflagsh.environment(case=self.test_case) pyflagsh.shell_execv(env=env, command="scan", argv=["*",'JPEGCarver']) ## See if we found the two images from within the word ## document: expected = [ "Itest|K1289-0-0|o150712:85550", "Itest|K1289-0-0|o96317:141763"] dbh = DB.DBO(self.test_case) for inode in expected: dbh.execute("select inode from inode where inode=%r limit 1", inode) row = dbh.fetch() self.assert_(row != None) if __name__ == '__main__': import sys fd = open(sys.argv[1]) b = format.Buffer(fd=fd) h = JPEG(b) print "Size of jpeg is %s" % h.size()
class RevEng_GUI(Reports.report): """ Allows us to manipulate data structures in reverse engineering efforts """ name = "DAFT" family = "Misc" description = "Data Analysis Facilitation Tool (Reverse Engineering)" # parameters = { "foo": "any"} def analyse(self, query): pass def display(self, query, result): result.start_form(query) def settings_cb(query, ui): ui.decoration = "naked" try: if query['finish'] and query['MaxRows'] and query[ 'StartOffset']: del query['finish'] del query['submit'] ui.refresh(0, query, parent=1) except KeyError: pass ui.start_form(query) ui.start_table() ui.textfield("Starting Offset", "StartOffset", size=20) ui.textfield("Maximum Rows", "MaxRows") ui.checkbox("Click here to finish", "finish", "yes") ui.end_table() ui.end_form() return ui def popup_cb(query, ui, column_number=None, mode=''): """Popup for defining column attributes""" ## print "I am here" ui.decoration = "naked" if mode == 'insert': pre = 'insert_' else: pre = '' try: if query['finish'] and query['%sname_%s' % (pre, column_number)]: del query['finish'] del query['submit'] ui.refresh(0, query, parent=1) except KeyError: pass ui.start_form(query) ui.start_table() if mode == 'insert': ui.heading("Inserting Column number %s" % column_number) else: ui.heading("Column number %s" % column_number) names = [ x.__name__ for x in Registry.FILEFORMATS.classes if x.visible ] ui.textfield("Name for this field", "%sname_%s" % (pre, column_number)) ui.const_selector("Data Type", '%sdata_type_%s' % (pre, column_number), names, names) try: temp = Registry.FILEFORMATS[query['%sdata_type_%s' % (pre, column_number)]]("", None) ui.row("Description", temp.__doc__) temp.form("%sparameter_%s_" % (pre, column_number), query, ui) except KeyError, e: print 'KeyError: %s' % e ui.checkbox("Visible", "%svisible_%s" % (pre, column_number), "yes", checked=True) ui.checkbox("Click here to finish", "finish", "yes") ui.end_table() ui.end_form() return ui def delete_col_cb(query, ui, column_number=None): """Popup to confirm deletion of column""" ui.decoration = "naked" ui.heading("Delete column number %s?" % column_number) try: if query['submit']: del query['submit'] ui.refresh(0, query, parent=1) except KeyError: pass ui.start_form(query) ui.checkbox("Click here to delete", "delete_%s" % column_number, "yes") ui.end_form() return ui def processquery(query): delcol = -1 insvalues = {} for k in query.keys(): if k.startswith('delete_'): delcol = int(k[7:]) del query[k] break elif k.startswith('insert_'): insvalues[k[7:]] = query[k] if k.startswith('insert_name_'): inscol = int(k[12:]) del query[k] continue elif k.startswith('savenow'): savelayout(query) del query[k] break elif k.startswith('loadlayout'): openlayout(query) del query[k] ### other stuff for ins col parameters if delcol >= 0: count = delcol while 1: try: query['name_%s' % count] count += 1 except KeyError: break for i in range(delcol + 1, count): del query['name_%s' % (i - 1)] del query['data_type_%s' % (i - 1)] del query['visible_%s' % (i - 1)] params = [ k for k in query.keys() if k.startswith('parameters_%s_' % (i - 1)) ] for parameter in params: del query[parameter] query['name_%s' % (i - 1)] = query['name_%s' % i] query['data_type_%s' % (i - 1)] = query['data_type_%s' % i] query['visible_%s' % (i - 1)] = query['visible_%s' % i] key = 'parameter_' params = [ k[11 + len('%s' % i):] for k in query.keys() if k.startswith('%s%s_' % (key, i)) ] for parameter in params: query['%s%s_%s' % (key, (i - 1), parameter)] = query['%s%s_%s' % (key, i, parameter)] del query['name_%s' % (count - 1)] del query['data_type_%s' % (count - 1)] del query['visible_%s' % (count - 1)] params = [ k for k in query.keys() if k.startswith('parameter_%s_' % (count - 1)) ] for parameter in params: del query[params] elif len(insvalues) > 0: count = inscol while 1: try: query['name_%s' % count] count += 1 except KeyError: break for i in range(count, inscol, -1): query['name_%s' % i] = query['name_%s' % (i - 1)] query['data_type_%s' % i] = query['data_type_%s' % (i - 1)] query['visible_%s' % i] = query['visible_%s' % (i - 1)] key = 'parameter_' params = [ k[11 + len('%s' % (i - 1)):] for k in query.keys() if k.startswith('%s%s_' % (key, (i - 1))) ] for parameter in params: query['%s%s_%s' % (key, i, parameter)] = query['%s%s_%s' % (key, (i - 1), parameter)] del query['name_%s' % (i - 1)] del query['data_type_%s' % (i - 1)] del query['visible_%s' % (i - 1)] params = [ k for k in query.keys() if k.startswith('parameter_%s_' % (i - 1)) ] for parameter in params: del query[parameter] for k in insvalues.keys(): query[k] = insvalues[k] def open_cb(query, ui): """Popup for loading a layout""" ui.decoration = "naked" dbh = self.DBO(query['case']) try: if query['finish']: del query['finish'] del query['submit'] ui.refresh(0, query, parent=1) except KeyError: pass ui.start_form(query) ui.start_table() ui.heading("Load a saved layout") try: dbh.execute('select name from DAFTLayouts') rows = [] for row in dbh: rows.append(row['name']) ui.const_selector("Layout Name", "loadlayout", rows, rows) except DB.DBError: dbh.execute( 'create table DAFTLayouts (`name` text, `layout` text)') ui.const_selector("Layout Name", "loadlayout", [''], ['']) ui.checkbox("Click here to finish", "finish", "yes") ui.end_table() ui.end_form() return ui ### Create a list of saved layouts def openlayout(query): dbh = self.DBO(query['case']) keylist = [ 'name_', 'data_type_', 'visible_', 'parameter_', 'fileselect', 'MaxRows', 'StartOffset', 'savelayout' ] try: dbh.execute("select layout from DAFTLayouts where name='%s'" % query['loadlayout']) except DB.DBError: pass rows = [] oldkeys = [] for row in dbh: rows.append(row) try: if len(rows) < 1: raise ValueError for k in keylist: oldkeys = [x for x in query.keys() if x.startswith(k)] for key in oldkeys: del query[key] for kvpair in rows[0]['layout'].split(','): key, value = kvpair.split('=') query[key] = value except ValueError: pass def save_cb(query, ui): """Popup for saving layout""" ui.decoration = "naked" try: if query['finish'] and query['savelayout']: query['savenow'] = 'yes' del query['finish'] del query['submit'] ui.refresh(0, query, parent=1) except KeyError: pass ui.start_form(query) ui.start_table() ui.heading("Save current layout") ui.textfield("Layout name", "savelayout") ui.checkbox("Click here to finish", "finish", "yes") ui.end_table() ui.end_form() return ui def savelayout(query): """Saves the current layout into the DAFTLayouts table""" dbh = self.DBO(query['case']) keylist = [ 'name_', 'data_type_', 'visible_', 'parameter_', 'fileselect', 'MaxRows', 'StartOffset', 'savelayout' ] try: dbh.execute( "select name, layout from DAFTLayouts where name='%s'" % query['savelayout']) except DB.DBError: dbh.execute( "create table DAFTLayouts (`name` text, `layout` text)") dbh.execute( "select name, layout from DAFTLayouts where name='%s'" % query['savelayout']) rows = [] keys = [] for row in dbh: rows.append(row) for k in keylist: keys = keys + [x for x in query.keys() if x.startswith(k)] value = ','.join('%s=%s' % (x, query[x]) for x in keys) if rows == []: dbh.execute( "insert into DAFTLayouts set name='%s', layout='%s'" % (query['savelayout'], value)) else: dbh.execute( "update DAFTLayouts set layout='%s' where name='%s'" % (value, query['savelayout'])) def filelist_cb(query, ui): """Popup to select files to analyse""" ui.decoration = "naked" try: if query['finish'] and query['fileselect']: del query['finish'] del query['submit'] ui.refresh(0, query, parent=1) except KeyError: pass ui.start_form(query) ui.start_table() ui.heading("Select files") values = [] keys = [] dbh.execute("select name, path, inode from file where inode != ''") for row in dbh: values.append('%s%s' % (row['path'], row['name'])) keys.append(row['inode']) ui.const_selector("File", "fileselect", keys, values) ui.checkbox("Click here to finish", "finish", "yes") ui.end_table() ui.end_form() def render_HTMLUI(data): """Callback to render mysql stored data in HTML""" tmp = result.__class__(result) tmp.result = data return tmp ##### Display starts here try: result.heading("Data Analysis Facilitation Tool") dbh = DB.DBO(query['case']) processquery(query) ## Build a struct to work from: try: startoffset = DAFTFormats.numeric(query['StartOffset']) except KeyError: startoffset = 0 try: maxrows = DAFTFormats.numeric(query['MaxRows']) except KeyError: maxrows = 10 fsfd = FileSystem.DBFS(query["case"]) try: fd = fsfd.open(inode=query['fileselect']) fdsize = fsfd.istat(inode=query['fileselect']) fd.block_size = dbh.get_meta('block_size') buf = format.Buffer(fd=fd)[startoffset:] except IOError, e: print 'IOError: %s' % e fd = None fdsize = 0 s = '\x00' * 1024 buf = format.Buffer(string=s) except KeyError, e: print 'KeyError: %s' % e s = '\x00' * 1024 buf = format.Buffer(string=s) fd = None fdsize = 0