def _json_list_sockets_network(self, connections):
self.logger.info('Health : Listing sockets networks')
if self.destination == 'local':
with open(
self.output_dir + '%s_sockets' % self.computer_name +
self.rand_ext, 'ab') as fw:
json_writer = get_json_writer(fw)
to_write = [[
"COMPUTER_NAME", "TYPE", "PID", "PROCESS_NAME",
"LOCAL_ADDR", "SOURCE_PORT", "REMOTE_ADDR", "REMOTE_PORT",
"STATUS"
]]
for pid, name, local_address, source_port, remote_addr, remote_port, status in connections:
to_write += [[
self.computer_name, 'sockets',
unicode(pid),
unicode(name),
unicode(local_address),
unicode(source_port),
unicode(remote_addr),
unicode(remote_port),
unicode(status)
]]
write_list_to_json(to_write, json_writer)
record_sha256_logs(
self.output_dir + self.computer_name + '_sockets' +
self.rand_ext,
self.output_dir + self.computer_name + '_sha256.log')
def _csv_windows_prefetch(self, wpref):
with open(
self.output_dir + '\\' + self.computer_name + '_prefetch.csv',
'wb') as output:
csv_writer = get_csv_writer(output)
write_to_csv(
("COMPUTER_NAME", "TYPE", "FILE", "VERSION", "SIZE",
"EXEC_NAME", "CREATE_TIME", "MODIFICATION_TIME", "RUN_COUNT",
"START_TIME", "DURATION", "AVERAGE_DURATION", "DLL_LIST"),
csv_writer)
for pref_file, format_version, file_size, exec_name, tc, tm, run_count, hash_table_a, list_str_c in wpref:
str_c = ''
for s in list_str_c:
str_c += s.replace('\0', '') + ';'
write_to_csv([
self.computer_name, 'prefetch', pref_file,
unicode(format_version),
unicode(file_size),
exec_name.replace('\00', ''),
unicode(tc),
unicode(tm),
unicode(run_count),
unicode(hash_table_a['start_time']),
unicode(hash_table_a['duration']),
unicode(hash_table_a['average_duration']), str_c
], csv_writer)
record_sha256_logs(
self.output_dir + '\\' + self.computer_name + '_prefetch.csv',
self.output_dir + '\\' + self.computer_name + '_sha256.log')
def _csv_list_drives(self, drives):
with open(self.output_dir + '_list_drives.csv', 'wb') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(["COMPUTER_NAME", "TYPE", "FAB", "PARTITIONS", "DISK", "FILESYSTEM"], csv_writer)
for phCapt, partCapt, logicalCapt, fs in drives:
write_to_csv([self.computer_name, 'list_drives', phCapt, partCapt, logicalCapt, fs], csv_writer)
record_sha256_logs(self.output_dir + '_list_drives.csv', self.output_dir + '_sha256.log')
def _csv_list_network_drives(self, drives):
with open(self.output_dir + '_list_networks_drives.csv', 'wb') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(["COMPUTER_NAME", "TYPE", "DISK", "FILESYSTEM", "PARTITION_NAME"], csv_writer)
for diskCapt, diskFs, diskPName in drives:
write_to_csv([self.computer_name, 'list_networks_drives', diskCapt, diskFs, diskPName], csv_writer)
record_sha256_logs(self.output_dir + '_list_networks_drives.csv', self.output_dir + '_sha256.log')
def _csv_list_share(self, share):
with open(self.output_dir + '_shares.csv', 'wb') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(["COMPUTER_NAME", "TYPE", "SHARE_NAME", "SHARE_PATH"], csv_writer)
for name, path in share:
write_to_csv([self.computer_name, 'shares', name, path], csv_writer)
record_sha256_logs(self.output_dir + '_shares.csv', self.output_dir + '_sha256.log')
def csv_clipboard(self):
"""Exports the clipboard contents"""
# TODO : what happens if clipboard contents is a CSV string ?
self.logger.info('Getting clipboard contents')
with open(self.output_dir + '\\' + self.computer_name + '_clipboard.csv', 'wb') as output:
csv_writer = get_csv_writer(output)
write_to_csv(["COMPUTER_NAME", "TYPE", "DATA"], csv_writer)
r = None #initialize the local variable r
try:
r = Tk() # Using Tk instead because it supports exotic characters
data = r.selection_get(selection='CLIPBOARD')
r.destroy()
write_to_csv([self.computer_name, 'clipboard', unicode(data)], csv_writer)
except:
if r != None: # Verify that r exist before calling destroy
r.destroy()
win32clipboard.OpenClipboard()
clip = win32clipboard.EnumClipboardFormats(0)
while clip:
try:
format_name = win32clipboard.GetClipboardFormatName(clip)
except win32api.error:
format_name = "?"
self.logger.info('format ' + unicode(clip) + ' ' + unicode(format_name))
if clip == 15: # 15 seems to be a list of filenames
filenames = win32clipboard.GetClipboardData(clip)
for filename in filenames:
write_to_csv([self.computer_name, 'clipboard', filename], csv_writer)
clip = win32clipboard.EnumClipboardFormats(clip)
win32clipboard.CloseClipboard()
record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_clipboard.csv',
self.output_dir + '\\' + self.computer_name + '_sha256.log')
def json_recycle_bin(self):
if self.destination == 'local':
with open(
self.output_dir + self.computer_name + '_recycle_bin' +
self.rand_ext, 'wb') as output:
json_writer = get_json_writer(output)
header = ["COMPUTER_NAME", "TYPE", "NAME_1", "NAME_2"]
idl = shell.SHGetSpecialFolderLocation(
0, shellcon.CSIDL_BITBUCKET)
desktop = shell.SHGetDesktopFolder()
files = desktop.BindToObject(idl, None, shell.IID_IShellFolder)
for bin_file in files:
write_to_json(header,
[
self.computer_name, 'recycle_bin',
files.GetDisplayNameOf(
bin_file, shellcon.SHGDN_NORMAL),
files.GetDisplayNameOf(
bin_file, shellcon.SHGDN_FORPARSING)
], json_writer)
close_json_writer(json_writer)
record_sha256_logs(
self.output_dir + self.computer_name + '_recycle_bin' +
self.rand_ext,
self.output_dir + self.computer_name + '_sha256.log')
def _csv_all_modules_dll(self):
"""Outputs all processes and their opened dll in a csv"""
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
pe32 = PROCESSENTRY32()
pe32.dwSize = sizeof(PROCESSENTRY32)
ret = Process32First(hProcessSnap, pointer(pe32))
with open(
self.output_dir + '\\' + self.computer_name +
'_processes_dll' + self.rand_ext, 'wb') as output:
csv_writer = get_csv_writer(output)
write_to_csv(
["COMPUTER_NAME", "TYPE", "PID", "PROCESS_NAME", "MODULE"],
csv_writer)
while ret:
modules = self._GetProcessModules(pe32.th32ProcessID, False)
if len(modules) > 0:
process_name = modules.pop(
0) # first element is the name of the process
for module in modules:
write_to_csv([
self.computer_name, 'processes_dll',
unicode(pe32.th32ProcessID), process_name, module
], csv_writer)
ret = Process32Next(hProcessSnap, pointer(pe32))
record_sha256_logs(
self.output_dir + '\\' + self.computer_name + '_processes_dll' +
self.rand_ext,
self.output_dir + '\\' + self.computer_name + '_sha256.log')
def _csv_list_running_process(self, list_running):
self.logger.info("Health : Listing running processes")
with open(
self.output_dir + '%s_processes' % self.computer_name +
self.rand_ext, 'ab') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv([
"COMPUTER_NAME", "TYPE", "PID", "PROCESS_NAME", "COMMAND",
"EXEC_PATH"
], csv_writer)
for p in list_running:
pid = p[0]
name = p[1]
cmd = p[2]
exe_path = p[3]
write_to_csv([
self.computer_name, 'processes',
unicode(pid), name,
unicode(cmd),
unicode(exe_path)
], csv_writer)
record_sha256_logs(
self.output_dir + self.computer_name + '_processes' +
self.rand_ext,
self.output_dir + self.computer_name + '_sha256.log')
def _json_list_arp_table(self, arp):
self.logger.info('Health : Listing ARP tables')
if self.destination == 'local':
with open(
self.output_dir + '%s_arp_table' % self.computer_name +
self.rand_ext, 'wb') as fw:
json_writer = get_json_writer(fw)
to_write = [[
"COMPUTER_NAME", "TYPE", "IP", "MAC_ADDR", "STATUS"
]]
for entry in arp:
entry.replace('\xff', '')
tokens = entry.split()
entry_to_write = ''
if len(tokens) == 3:
entry_to_write = '"' + self.computer_name + '"|"arp_table"|"' + '"|"'.join(
tokens) + '"\n'
if entry_to_write.find('\.') != 1 and len(
entry_to_write) > 0:
to_write += [[self.computer_name, 'arp_table'] + tokens
]
write_list_to_json(to_write, json_writer)
record_sha256_logs(
self.output_dir + self.computer_name + '_arp_table' +
self.rand_ext,
self.output_dir + self.computer_name + '_sha256.log')
def _csv_firefox_history(self, fhistory):
with open(self.output_dir + '\\' + self.computer_name + '_firefox_history' + self.rand_ext, 'wb') as output:
csv_writer = get_csv_writer(output)
for time, url, user, profile in fhistory:
write_to_csv([self.computer_name, 'firefox_history', time, url, user, profile], csv_writer)
record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_firefox_history' + self.rand_ext,
self.output_dir + '\\' + self.computer_name + '_sha256.log')
def _json_list_scheduled_jobs(self, is_at_available=False):
self.logger.info('Health : Listing scheduled jobs')
if self.destination == 'local':
file_tasks = self.output_dir + '%s_scheduled_jobs' % self.computer_name + self.rand_ext
with open(file_tasks, 'wb') as tasks_logs:
json_writer = get_json_writer(tasks_logs)
header = [
"COMPUTER_NAME", "TYPE", 'TASK_NAME', 'NEXT_SCHEDULE',
"STATUS"
]
for line in self._list_scheduled_jobs():
write_to_json(header,
[self.computer_name, 'Scheduled Jobs'] +
line.replace('"', '').split(','),
json_writer)
if is_at_available:
for line in self._list_at_scheduled_jobs():
write_to_json(header, [
self.computer_name, 'scheduled_jobs', line[4],
line[2] + ' ' + line[3], line[0]
], json_writer)
close_json_writer(json_writer)
record_sha256_logs(
self.output_dir + self.computer_name + '_scheduled_jobs' +
self.rand_ext,
self.output_dir + self.computer_name + '_sha256.log')
def _csv_hash_running_process(self, list_running):
self.logger.info("Health : Hashing running processes")
with open(self.output_dir + '_hash_processes' + self.rand_ext,
'ab') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv([
"COMPUTER_NAME", "TYPE", "PID", "PROCESS_NAME", "EXEC_PATH",
"MD5", "SHA1", "CTIME", "MTIME", "ATIME"
], csv_writer)
for p in list_running:
pid = p[0]
name = p[1]
cmd = p[2]
exe_path = p[3]
if exe_path:
ctime = datetime.datetime.fromtimestamp(
os.path.getctime(exe_path))
mtime = datetime.datetime.fromtimestamp(
os.path.getmtime(exe_path))
atime = datetime.datetime.fromtimestamp(
os.path.getatime(exe_path))
md5 = process_md5(unicode(exe_path))
sha1 = process_sha1(unicode(exe_path))
write_to_csv([
self.computer_name, 'processes',
unicode(pid), name,
unicode(exe_path), md5, sha1, ctime, mtime, atime
], csv_writer)
record_sha256_logs(self.output_dir + '_hash_processes' + self.rand_ext,
self.output_dir + '_sha256.log')
def _json_windows_prefetch(self, wpref):
if self.destination == 'local':
with open(
self.output_dir + self.computer_name + '_prefetch' +
self.rand_ext, 'wb') as output:
json_writer = get_json_writer(output)
header = [
"COMPUTER_NAME", "TYPE", "FILE", "VERSION", "SIZE",
"EXEC_NAME", "CREATE_TIME", "MODIFICATION_TIME",
"RUN_COUNT", "START_TIME", "DURATION", "AVERAGE_DURATION",
"DLL_LIST"
]
for pref_file, format_version, file_size, exec_name, tc, tm, run_count, hash_table_a, list_str_c in wpref:
str_c = ''
for s in list_str_c:
str_c += s.replace('\0', '') + ';'
write_to_json(header, [
self.computer_name, 'prefetch', pref_file,
unicode(format_version),
unicode(file_size),
exec_name.replace('\00', ''),
unicode(tc),
unicode(tm),
unicode(run_count),
unicode(hash_table_a['start_time']),
unicode(hash_table_a['duration']),
unicode(hash_table_a['average_duration']), str_c
], json_writer)
close_json_writer(json_writer)
record_sha256_logs(
self.output_dir + self.computer_name + '_prefetch' +
self.rand_ext,
self.output_dir + self.computer_name + '_sha256.log')
def _csv_list_scheduled_jobs(self):
self.logger.info('Health : Listing scheduled jobs')
file_tasks = self.output_dir + '_tasks.csv'
with open(file_tasks, 'wb') as tasks_logs:
proc = subprocess.Popen(["schtasks.exe", '/query', '/fo', 'CSV'], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
res = proc.communicate()
res = get_terminal_decoded_string(res[0])
# clean and write the command output
write_to_output('"TASK_NAME","NEXT_SCHEDULE","STATUS"\r\n', tasks_logs, self.logger)
column_names = None
for line in res.split('\r\n'):
if line == "":
continue
if line[0] != '"':
continue
if not column_names:
column_names = line
continue
elif column_names == line:
continue
write_to_output(line+"\r\n", tasks_logs, self.logger)
self.logger.info('Health : Listing scheduled jobs')
with open(file_tasks, "r") as fr, open(self.output_dir + "_scheduled_jobs.csv", 'wb') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(["COMPUTER_NAME", "TYPE", "JOB_NAME", "TIME", "STATE"], csv_writer)
for l in fr.readlines():
l = l.decode('utf8')
if l.find('\\') > 0:
l = l[:-1].replace('"', '') # remove the end of line
arr_write = [self.computer_name, 'scheduled_jobs'] + l.split(',')
write_to_csv(arr_write, csv_writer)
self.logger.info('Health : Listing scheduled jobs')
record_sha256_logs(self.output_dir + '_scheduled_jobs.csv', self.output_dir + '_sha256.log')
def csv_clipboard(self):
"""Exports the clipboard contents"""
# TODO : what happens if clipboard contents is a CSV string ?
self.logger.info('Getting clipboard contents')
with open(self.output_dir + '\\' + self.computer_name + '_clipboard.csv', 'wb') as output:
csv_writer = get_csv_writer(output)
write_to_csv(["COMPUTER_NAME", "TYPE", "DATA"], csv_writer)
try:
r = Tk() # Using Tk instead because it supports exotic characters
data = r.selection_get(selection='CLIPBOARD')
r.destroy()
write_to_csv([self.computer_name, 'clipboard', unicode(data)], csv_writer)
except:
r.destroy()
win32clipboard.OpenClipboard()
clip = win32clipboard.EnumClipboardFormats(0)
while clip:
try:
format_name = win32clipboard.GetClipboardFormatName(clip)
except win32api.error:
format_name = "?"
self.logger.info('format ' + unicode(clip) + ' ' + unicode(format_name))
if clip == 15: # 15 seems to be a list of filenames
filenames = win32clipboard.GetClipboardData(clip)
for filename in filenames:
write_to_csv([self.computer_name, 'clipboard', filename], csv_writer)
clip = win32clipboard.EnumClipboardFormats(clip)
win32clipboard.CloseClipboard()
record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_clipboard.csv',
self.output_dir + '\\' + self.computer_name + '_sha256.log')
def _csv_list_route_table(self, routes):
with open(self.output_dir + "_routes_tables.csv", 'ab') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(["COMPUTER_NAME", "TYPE", "NAME", "MASK"], csv_writer)
for ip, mask in routes:
write_to_csv([self.computer_name, 'routes_tables', unicode(ip), unicode(mask)], csv_writer)
record_sha256_logs(self.output_dir + '_routes_tables.csv', self.output_dir + '_sha256.log')
def _csv_infos_fs(self, files):
with open(
self.output_dir + '\\' + self.computer_name + '_Filecatcher' +
self.rand_ext, 'wb') as fw:
csv_writer = get_csv_writer(fw)
for f, mime, md5, sha1, sha256, zip_value, datem, empty in files:
write_to_csv([
self.computer_name, 'Filecatcher',
unicode(datem),
unicode(f),
unicode(md5),
unicode(sha1),
unicode(sha256),
unicode(mime),
unicode(zip_value),
unicode(empty),
self._get_url_VT(sha256)
], csv_writer)
record_sha256_logs(
self.output_dir + '\\' + self.computer_name + '_Filecatcher' +
self.rand_ext,
self.output_dir + '\\' + self.computer_name + '_sha256.log')
if self.zip_file:
self.zip_file.close()
def _csv_list_route_table(self, routes):
self.logger.info('Health : Listing routes tables')
with open(self.output_dir + '_routes_tables' + self.rand_ext, 'ab') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(["COMPUTER_NAME", "TYPE", "NAME", "MASK"], csv_writer)
for ip, mask in routes:
write_to_csv([self.computer_name, 'routes_tables', unicode(ip), unicode(mask)], csv_writer)
record_sha256_logs(self.output_dir + '_routes_tables' + self.rand_ext, self.output_dir + '_sha256.log')
def _csv_chrome_history(self, chistory):
with open(self.output_dir + '\\' + self.computer_name + '_chrome_history' + self.rand_ext, 'wb') as output:
csv_writer = get_csv_writer(output)
write_to_csv(("COMPUTER_NAME", "TYPE", "TIME", "URL", "TITLE", "USER", "PROFILE"), csv_writer)
for time, url, title, user, profile in chistory:
write_to_csv([self.computer_name, 'chrome_history', time, url, title, user, profile], csv_writer)
record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_chrome_history' + self.rand_ext,
self.output_dir + '\\' + self.computer_name + '_sha256.log')
def _csv_list_drives(self, drives):
self.logger.info("Health : Listing drives")
with open(self.output_dir + '_list_drives.csv', 'wb') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(["COMPUTER_NAME", "TYPE", "FAB", "PARTITIONS", "DISK", "FILESYSTEM"], csv_writer)
for phCapt, partCapt, logicalCapt, fs in drives:
write_to_csv([self.computer_name, 'list_drives', phCapt, partCapt, logicalCapt, fs], csv_writer)
record_sha256_logs(self.output_dir + '_list_drives.csv', self.output_dir + '_sha256.log')
def _csv_list_sessions(self, sessions):
with open(self.output_dir + '_sessions.csv', 'ab') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(["COMPUTER_NAME", "TYPE", "LOGON_ID", "AUTH_PACKAGE", "START_TIME", "LOGON_TYPE"], csv_writer)
for logonID, authenticationPackage, startime, logontype in sessions:
write_to_csv([self.computer_name, 'sessions', unicode(logonID),
authenticationPackage, unicode(startime.split('.')[0]), unicode(logontype)], csv_writer)
record_sha256_logs(self.output_dir + '_sessions.csv', self.output_dir + '_sha256.log')
def _csv_list_share(self, share):
self.logger.info("Health : Listing shares")
with open(self.output_dir + '_shares.csv', 'wb') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(["COMPUTER_NAME", "TYPE", "SHARE_NAME", "SHARE_PATH"], csv_writer)
for name, path in share:
write_to_csv([self.computer_name, 'shares', name, path], csv_writer)
record_sha256_logs(self.output_dir + '_shares.csv', self.output_dir + '_sha256.log')
def _csv_list_share(self, share):
self.logger.info("Health : Listing shares")
with open(self.output_dir + '_shares' + self.rand_ext, 'wb') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(["COMPUTER_NAME", "TYPE", "SHARE_NAME", "SHARE_PATH"], csv_writer)
for name, path in share:
write_to_csv([self.computer_name, 'shares', name, path], csv_writer)
record_sha256_logs(self.output_dir + '_shares' + self.rand_ext, self.output_dir + '_sha256.log')
def _csv_list_network_drives(self, drives):
self.logger.info("Health : Listing network drives")
with open(self.output_dir + '_list_networks_drives.csv', 'wb') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(["COMPUTER_NAME", "TYPE", "DISK", "FILESYSTEM", "PARTITION_NAME"], csv_writer)
for diskCapt, diskFs, diskPName in drives:
write_to_csv([self.computer_name, 'list_networks_drives', diskCapt, diskFs, diskPName], csv_writer)
record_sha256_logs(self.output_dir + '_list_networks_drives.csv', self.output_dir + '_sha256.log')
def _csv_list_route_table(self, routes):
self.logger.info('Health : Listing routes tables')
with open(self.output_dir + "_routes_tables.csv", 'ab') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(["COMPUTER_NAME", "TYPE", "NAME", "MASK"], csv_writer)
for ip, mask in routes:
write_to_csv([self.computer_name, 'routes_tables', unicode(ip), unicode(mask)], csv_writer)
record_sha256_logs(self.output_dir + '_routes_tables.csv', self.output_dir + '_sha256.log')
def _csv_list_network_drives(self, drives):
self.logger.info("Health : Listing network drives")
with open(self.output_dir + '%s_list_networks_drives' % self.computer_name + self.rand_ext, 'wb') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(["COMPUTER_NAME", "TYPE", "DISK", "FILESYSTEM", "PARTITION_NAME"], csv_writer)
for diskCapt, diskFs, diskPName in drives:
write_to_csv([self.computer_name, 'list_networks_drives', diskCapt, diskFs, diskPName], csv_writer)
record_sha256_logs(self.output_dir + '_list_networks_drives' + self.rand_ext, self.output_dir + '_sha256.log')
def _csv_list_named_pipes(self, pipes):
with open(self.output_dir + '\\' + self.computer_name + '_named_pipes' + self.rand_ext, 'wb') as output:
csv_writer = get_csv_writer(output)
write_to_csv(("COMPUTER_NAME", "TYPE", "NAME"), csv_writer)
for pipe in pipes:
write_to_csv([self.computer_name, 'named_pipes', pipe], csv_writer)
record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_named_pipes' + self.rand_ext,
self.output_dir + '\\' + self.computer_name + '_sha256.log')
def _csv_list_drives(self, drives):
self.logger.info("Health : Listing drives")
with open(self.output_dir + '%s_list_drives' % self.computer_name + self.rand_ext, 'wb') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(["COMPUTER_NAME", "TYPE", "FAB", "PARTITIONS", "DISK", "FILESYSTEM"], csv_writer)
for phCapt, partCapt, logicalCapt, fs in drives:
write_to_csv([self.computer_name, 'list_drives', phCapt, partCapt, logicalCapt, fs], csv_writer)
record_sha256_logs(self.output_dir + '_list_drives' + self.rand_ext, self.output_dir + '_sha256.log')
def csv_clipboard(self):
"""Exports the clipboard contents"""
# TODO : what happens if clipboard contents is a CSV string ?
with open(self.output_dir + '\\' + self.computer_name + '_clipboard' + self.rand_ext, 'wb') as output:
csv_writer = get_csv_writer(output)
write_list_to_csv(self.__get_clipboard(), csv_writer)
record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_clipboard' + self.rand_ext,
self.output_dir + '\\' + self.computer_name + '_sha256.log')
def _csv_list_sessions(self, sessions):
self.logger.info('Health : Listing sessions')
with open(self.output_dir + '_sessions.csv', 'ab') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(["COMPUTER_NAME", "TYPE", "LOGON_ID", "AUTH_PACKAGE", "START_TIME", "LOGON_TYPE"], csv_writer)
for logonID, authenticationPackage, startime, logontype in sessions:
write_to_csv([self.computer_name, 'sessions', unicode(logonID),
authenticationPackage, unicode(startime.split('.')[0]), unicode(logontype)], csv_writer)
record_sha256_logs(self.output_dir + '_sessions.csv', self.output_dir + '_sha256.log')
def _json_list_network_adapters(self, ncs):
self.logger.info('Health : Listing network adapters')
if self.destination == 'local':
with open(
self.output_dir +
'%s_networks_cards' % self.computer_name + self.rand_ext,
'wb') as fw:
json_writer = get_json_writer(fw)
to_write = [[
"COMPUTER_NAME", "TYPE", "NETWORK_CARD", "ADAPTER_TYPE",
"DESCRIPTION", "MAC_ADDR", "PRODUCT_NAME",
"PHYSICAL_ADAPTER", "SPEED", "IPv4", "IPv6", "DHCP_SERVER",
"DNS_SERVER", "DATABASE_PATH", "NBTSTAT_VALUE"
]]
for netcard, adapter_type, description, mac_address, product_name, physical_adapter, product_name, \
speed, IPv4, IPv6, DHCP_server, DNS_server, database_path, nbtstat_value in ncs:
if netcard is None:
netcard = ' '
if adapter_type is None:
adapter_type = ' '
if description is None:
description = ' '
if mac_address is None:
mac_address = ' '
if physical_adapter is None:
physical_adapter = ' '
if product_name is None:
product_name = ' '
if speed is None:
speed = ' '
if IPv4 is None:
IPv4 = ' '
if IPv6 is None:
IPv6 = ' '
if DHCP_server is None:
DHCP_server = ' '
if DNS_server is None:
DNS_server = ' '
if database_path is None:
database_path = ' '
if nbtstat_value is None:
nbtstat_value = ' '
try:
to_write += [[
self.computer_name, 'networks_cards', netcard,
adapter_type, description, mac_address,
product_name, physical_adapter, speed, IPv4, IPv6,
DHCP_server, DNS_server, database_path,
nbtstat_value
]]
except IOError:
self.logger.error(traceback.format_exc())
write_list_to_json(to_write, json_writer)
record_sha256_logs(
self.output_dir + self.computer_name + '_networks_cards' +
self.rand_ext,
self.output_dir + self.computer_name + '_sha256.log')
def _csv_list_sockets_network(self, connections):
with open(self.output_dir + '_sockets.csv', 'ab') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(["COMPUTER_NAME", "TYPE", "PID", "PROCESS_NAME", "LOCAL_ADDR", "SOURCE_PORT", "REMOTE_ADDR",
"REMOTE_PORT", "STATUS"], csv_writer)
for pid, name, local_address, source_port, remote_addr, remote_port, status in connections:
write_to_csv([self.computer_name, 'sockets', unicode(pid),
unicode(name), unicode(local_address), unicode(source_port),
unicode(remote_addr), unicode(remote_port), unicode(status)], csv_writer)
record_sha256_logs(self.output_dir + '_sockets.csv', self.output_dir + '_sha256.log')
def _csv_list_services(self, services):
with open(self.output_dir + '_services.csv', 'ab') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(["COMPUTER_NAME", "TYPE", "CAPTION", "PID", "SERVICE_TYPE", "PATH_NAME", "STATUS", "STATE",
"START_MODE"], csv_writer)
for name, caption, processId, pathName, serviceType, status, state, startMode in services:
write_to_csv([self.computer_name, 'services', caption,
unicode(processId), serviceType, pathName,
unicode(status), state, startMode], csv_writer)
record_sha256_logs(self.output_dir + '_services.csv', self.output_dir + '_sha256.log')
def _csv_infos_fs(self, files):
with open(self.output_dir + '\\' + self.computer_name + '_Filecatcher' + self.rand_ext, 'wb') as fw:
csv_writer = get_csv_writer(fw)
for f, mime, md5,sha1,sha256, zip_value, datem, empty in files:
write_to_csv([self.computer_name, 'Filecatcher', unicode(datem),
unicode(f), unicode(md5), unicode(sha1), unicode(sha256), unicode(mime),
unicode(zip_value), unicode(empty), self._get_url_VT(sha256)], csv_writer)
record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_Filecatcher' + self.rand_ext,
self.output_dir + '\\' + self.computer_name + '_sha256.log')
self.zip_file.close()
def _csv_all_modules_dll(self):
with open(
self.output_dir + self.computer_name + '_processes_dll' +
self.rand_ext, 'wb') as output:
csv_writer = get_csv_writer(output)
write_list_to_csv(self.__get_all_modules_dll(), csv_writer)
record_sha256_logs(
self.output_dir + self.computer_name + '_processes_dll' +
self.rand_ext,
self.output_dir + self.computer_name + '_sha256.log')
def _csv_all_modules_opened_files(self):
with open(self.output_dir + '\\' + self.computer_name + '_processes_opened_files' + self.rand_ext,
'wb') as output:
csv_writer = get_csv_writer(output)
write_list_to_csv(self.__get_all_modules_opened_files(), csv_writer)
record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_processes_opened_files' + self.rand_ext,
self.output_dir + '\\' + self.computer_name + '_sha256.log')
def _csv_all_modules_opened_files(self):
"""Outputs all processes and their opened files in a csv"""
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
pe32 = PROCESSENTRY32()
pe32.dwSize = sizeof(PROCESSENTRY32)
ret = Process32First(hProcessSnap, pointer(pe32))
with open(
self.output_dir + '\\' + self.computer_name +
'_processes_opened_files' + self.rand_ext, 'wb') as output:
csv_writer = get_csv_writer(output)
write_to_csv(
["COMPUTER_NAME", "TYPE", "PID", "PROCESS_NAME", "FILENAME"],
csv_writer)
while ret:
try:
p = psutil.Process(pe32.th32ProcessID)
process_name = p.name()
self.logger.info('Getting opened files for : ' +
process_name + '(' +
unicode(pe32.th32ProcessID) + ')')
# We need open a subprocess because get_open_files may hang forever
q = Queue()
process = Process(target=timer_open_files, args=(
p,
q,
))
process.start()
# We wait for 2 seconds
process.join(2)
if process.is_alive():
# If the subprocess is still alive, assume it is hanged and kill it
q.close()
process.terminate()
else:
# Otherwise, continue normal processing
opened_files = q.get()
if isinstance(opened_files, list):
for opened_file in opened_files:
write_to_csv([
self.computer_name,
'processes_opened_files',
unicode(pe32.th32ProcessID), process_name,
opened_file[0]
], csv_writer)
except psutil.AccessDenied:
self.logger.warn('Could not open handle for PID : ' +
unicode(pe32.th32ProcessID))
ret = Process32Next(hProcessSnap, pointer(pe32))
record_sha256_logs(
self.output_dir + '\\' + self.computer_name +
'_processes_opened_files' + self.rand_ext,
self.output_dir + '\\' + self.computer_name + '_sha256.log')
def json_clipboard(self):
if self.destination == 'local':
with open(
self.output_dir + self.computer_name + '_clipboard' +
self.rand_ext, 'wb') as output:
json_writer = get_json_writer(output)
write_list_to_json(self.__get_clipboard(), json_writer)
record_sha256_logs(
self.output_dir + self.computer_name + '_clipboard' +
self.rand_ext,
self.output_dir + self.computer_name + '_sha256.log')
def _json_all_modules_dll(self):
if self.destination == 'local':
with open(
self.output_dir + self.computer_name + '_processes_dll' +
self.rand_ext, 'wb') as output:
json_writer = get_json_writer(output)
write_list_to_json(self.__get_all_modules_dll(), json_writer)
record_sha256_logs(
self.output_dir + self.computer_name + '_processes_dll' +
self.rand_ext,
self.output_dir + self.computer_name + '_sha256.log')
def _csv_list_sockets_network(self, connections):
self.logger.info('Health : Listing sockets networks')
with open(self.output_dir + '_sockets.csv', 'ab') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(["COMPUTER_NAME", "TYPE", "PID", "PROCESS_NAME", "LOCAL_ADDR", "SOURCE_PORT", "REMOTE_ADDR",
"REMOTE_PORT", "STATUS"], csv_writer)
for pid, name, local_address, source_port, remote_addr, remote_port, status in connections:
write_to_csv([self.computer_name, 'sockets', unicode(pid),
unicode(name), unicode(local_address), unicode(source_port),
unicode(remote_addr), unicode(remote_port), unicode(status)], csv_writer)
record_sha256_logs(self.output_dir + '_sockets.csv', self.output_dir + '_sha256.log')
def _csv_list_services(self, services):
self.logger.info('Health : Listing services')
with open(self.output_dir + '_services.csv', 'ab') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(["COMPUTER_NAME", "TYPE", "CAPTION", "PID", "SERVICE_TYPE", "PATH_NAME", "STATUS", "STATE",
"START_MODE"], csv_writer)
for name, caption, processId, pathName, serviceType, status, state, startMode in services:
write_to_csv([self.computer_name, 'services', caption,
unicode(processId), serviceType, pathName,
unicode(status), state, startMode], csv_writer)
record_sha256_logs(self.output_dir + '_services.csv', self.output_dir + '_sha256.log')
def csv_clipboard(self):
"""Exports the clipboard contents"""
with open(
self.output_dir + self.computer_name + '_clipboard' +
self.rand_ext, 'wb') as output:
csv_writer = get_csv_writer(output)
write_list_to_csv(self.__get_clipboard(), csv_writer)
record_sha256_logs(
self.output_dir + self.computer_name + '_clipboard' +
self.rand_ext,
self.output_dir + self.computer_name + '_sha256.log')
def _csv_list_named_pipes(self, pipes):
with open(
self.output_dir + '\\' + self.computer_name +
'_named_pipes.csv', 'wb') as output:
csv_writer = get_csv_writer(output)
write_to_csv(("COMPUTER_NAME", "TYPE", "NAME"), csv_writer)
for pipe in pipes:
write_to_csv([self.computer_name, 'named_pipes', pipe],
csv_writer)
record_sha256_logs(
self.output_dir + '\\' + self.computer_name + '_named_pipes.csv',
self.output_dir + '\\' + self.computer_name + '_sha256.log')
def _csv_list_arp_table(self, arp):
with open(self.output_dir + "_arp_table.csv", 'wb') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(["COMPUTER_NAME", "TYPE", "IP", "MAC_ADDR", "STATUS"], csv_writer)
for entry in arp:
entry.replace('\xff', '')
tokens = entry.split()
entry_to_write = ''
if len(tokens) == 3:
entry_to_write = '"' + self.computer_name + '"|"arp_table"|"' + '"|"'.join(tokens) + '"\n'
if entry_to_write.find('\.') != 1 and len(entry_to_write) > 0:
arr_to_write = [self.computer_name, 'arp_table'] + tokens
write_to_csv(arr_to_write, csv_writer)
record_sha256_logs(self.output_dir + '_arp_table.csv', self.output_dir + '_sha256.log')
def _csv_list_running_process(self, list_running):
self.logger.info("Health : Listing running processes")
with open(self.output_dir + '_processes.csv', 'ab') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(["COMPUTER_NAME", "TYPE", "PID", "PROCESS_NAME", "COMMAND", "EXEC_PATH"], csv_writer)
for p in list_running:
pid = p[0]
name = p[1]
cmd = p[2]
exe_path = p[3]
write_to_csv(
[self.computer_name, 'processes', unicode(pid), name, unicode(cmd), unicode(exe_path)],
csv_writer)
record_sha256_logs(self.output_dir + '_processes.csv', self.output_dir + '_sha256.log')
def _csv_firefox_history(self, fhistory):
with open(
self.output_dir + '\\' + self.computer_name +
'_firefox_history.csv', 'wb') as output:
csv_writer = get_csv_writer(output)
for time, url, user, profile in fhistory:
write_to_csv([
self.computer_name, 'firefox_history', time, url, user,
profile
], csv_writer)
record_sha256_logs(
self.output_dir + '\\' + self.computer_name +
'_firefox_history.csv',
self.output_dir + '\\' + self.computer_name + '_sha256.log')
def _csv_infos_fs(self, files):
with open(self.output_dir + '\\' + self.computer_name + '_Filecatcher.csv', 'wb') as fw:
csv_writer = get_csv_writer(fw)
for f, mime, hashvalue, zip_value, datem, empty in files:
if 'Permission denied' in hashvalue:
url_vt = 'not URL VT'
else:
url_vt = unicode(VIRUS_TOTAL % hashvalue)
write_to_csv([self.computer_name, 'Filecatcher', unicode(datem),
unicode(f), unicode(hashvalue), unicode(mime),
unicode(zip_value), unicode(empty), url_vt], csv_writer)
record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_Filecatcher.csv',
self.output_dir + '\\' + self.computer_name + '_sha256.log')
self.zip_file.close()
def _csv_get_startup_files(self, path):
with open(
self.output_dir + self.computer_name + '_startup_files' +
self.rand_ext, 'wb') as output:
csv_writer = get_csv_writer(output)
write_to_csv([
"COMPUTER_NAME", "TYPE", "FILENAME", "USER", "MD5", "SHA1",
"SHA256"
], csv_writer)
for startup_file in self._get_startup_files(path):
write_to_csv(startup_file, csv_writer)
record_sha256_logs(
self.output_dir + self.computer_name + '_startup_files' +
self.rand_ext,
self.output_dir + self.computer_name + '_sha256.log')
def _csv_list_arp_table(self, arp):
self.logger.info('Health : Listing ARP tables')
with open(self.output_dir + "_arp_table.csv", 'wb') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(["COMPUTER_NAME", "TYPE", "IP", "MAC_ADDR", "STATUS"], csv_writer)
for entry in arp:
entry.replace('\xff', '')
tokens = entry.split()
entry_to_write = ''
if len(tokens) == 3:
entry_to_write = '"' + self.computer_name + '"|"arp_table"|"' + '"|"'.join(tokens) + '"\n'
if entry_to_write.find('\.') != 1 and len(entry_to_write) > 0:
arr_to_write = [self.computer_name, 'arp_table'] + tokens
write_to_csv(arr_to_write, csv_writer)
record_sha256_logs(self.output_dir + '_arp_table.csv', self.output_dir + '_sha256.log')
def _csv_infos_fs(self, files):
with open(self.output_dir + '\\' + self.computer_name + '_Filecatcher' + self.rand_ext, 'wb') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(['COMPUTER NAME', 'TYPE', 'DATE', 'PATH', 'MD5', 'SHA1', 'SHA256', 'MIMETYPE', 'ZIP',
'EMPTY', 'VT'], csv_writer)
for f, mime, md5, sha1, sha256, zip_value, datem, empty in files:
f = os.path.splitdrive(self.systemroot)[0] + '\\' + f.split('\\', 6)[-1]
write_to_csv([self.computer_name, 'Filecatcher', unicode(datem),
unicode(f), unicode(md5), unicode(sha1), unicode(sha256), unicode(mime),
unicode(zip_value), unicode(empty), self._get_url_VT(sha256)], csv_writer)
record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_Filecatcher' + self.rand_ext,
self.output_dir + '\\' + self.computer_name + '_sha256.log')
if self.zip_file:
self.zip_file.close()
def csv_recycle_bin(self):
"""Exports the filenames contained in the recycle bin"""
with open(self.output_dir + '\\' + self.computer_name + '_recycle_bin' + self.rand_ext, 'wb') as output:
csv_writer = get_csv_writer(output)
write_to_csv(("COMPUTER_NAME", "TYPE", "NAME_1", "NAME_2"), csv_writer)
idl = shell.SHGetSpecialFolderLocation(0, shellcon.CSIDL_BITBUCKET)
desktop = shell.SHGetDesktopFolder()
files = desktop.BindToObject(idl, None, shell.IID_IShellFolder)
for bin_file in files:
write_to_csv(
[self.computer_name, 'recycle_bin', files.GetDisplayNameOf(bin_file, shellcon.SHGDN_NORMAL),
files.GetDisplayNameOf(bin_file, shellcon.SHGDN_FORPARSING)], csv_writer)
record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_recycle_bin' + self.rand_ext,
self.output_dir + '\\' + self.computer_name + '_sha256.log')
def _csv_list_network_adapters(self, ncs):
self.logger.info('Health : Listing network adapters')
with open(self.output_dir + "_networks_cards.csv", 'wb') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(["COMPUTER_NAME", "TYPE", "NETWORK_CARD", "ADAPTER_TYPE", "DESCRIPTION", "MAC_ADDR",
"PRODUCT_NAME", "PHYSICAL_ADAPTER", "SPEED", "IPv4", "IPv6", "DHCP_SERVER", "DNS_SERVER",
"DATABASE_PATH", "NBTSTAT_VALUE"], csv_writer)
for netcard, adapter_type, description, mac_address, product_name, physical_adapter, product_name, speed, \
IPv4, IPv6, DHCP_server, DNS_server, database_path, nbtstat_value in ncs:
if netcard is None:
netcard = ' '
if adapter_type is None:
adapter_type = ''
if description is None:
description = ' '
if mac_address is None:
mac_address = ' '
if physical_adapter is None:
physical_adapter = ' '
if product_name is None:
product_name
if speed is None:
speed = ' '
if IPv4 is None:
IPv4 = ' '
if IPv6 is None:
IPv6 = ''
if DHCP_server is None:
DHCP_server = ' '
if DNS_server is None:
DNS_server = ' '
if database_path is None:
database_path = ' '
if nbtstat_value is None:
nbtstat_value = ' '
try:
write_to_csv([self.computer_name,
'networks_cards', netcard, adapter_type,
description, mac_address, product_name,
physical_adapter, speed, IPv4,
IPv6, DHCP_server, DNS_server,
database_path, nbtstat_value], csv_writer)
except IOError:
self.logger.error(traceback.format_exc())
record_sha256_logs(self.output_dir + '_networks_cards.csv', self.output_dir + '_sha256.log')
def _csv_windows_prefetch(self, wpref):
with open(self.output_dir + '\\' + self.computer_name + '_prefetch' + self.rand_ext, 'wb') as output:
csv_writer = get_csv_writer(output)
write_to_csv(("COMPUTER_NAME", "TYPE", "FILE", "VERSION", "SIZE", "EXEC_NAME", "CREATE_TIME",
"MODIFICATION_TIME", "RUN_COUNT", "START_TIME", "DURATION", "AVERAGE_DURATION",
"DLL_LIST"), csv_writer)
for pref_file, format_version, file_size, exec_name, tc, tm, run_count, hash_table_a, list_str_c in wpref:
str_c = ''
for s in list_str_c:
str_c += s.replace('\0', '') + ';'
write_to_csv([self.computer_name, 'prefetch', pref_file,
unicode(format_version), unicode(file_size), exec_name.replace('\00', ''),
unicode(tc), unicode(tm), unicode(run_count), unicode(hash_table_a['start_time']),
unicode(hash_table_a['duration']), unicode(hash_table_a['average_duration']), str_c],
csv_writer)
record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_prefetch' + self.rand_ext,
self.output_dir + '\\' + self.computer_name + '_sha256.log')
def _csv_hash_running_process(self, list_running):
with open(self.output_dir + '_hash_processes.csv', 'ab') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(["COMPUTER_NAME", "TYPE", "PID", "PROCESS_NAME", "EXEC_PATH", "MD5", "SHA1", "CTIME", "MTIME", "ATIME"], csv_writer)
for p in list_running:
pid = p[0]
name = p[1]
cmd = p[2]
exe_path = p[3]
if exe_path <> None:
ctime = datetime.datetime.fromtimestamp(os.path.getctime(exe_path))
mtime = datetime.datetime.fromtimestamp(os.path.getmtime(exe_path))
atime = datetime.datetime.fromtimestamp(os.path.getatime(exe_path))
md5 = process_md5(unicode(exe_path))
sha1 = process_sha1(unicode(exe_path))
write_to_csv(
[self.computer_name, 'processes', unicode(pid), name, unicode(exe_path), md5, sha1, ctime, mtime, atime],
csv_writer)
record_sha256_logs(self.output_dir + '_hash_processes.csv', self.output_dir + '_sha256.log')
def _csv_all_modules_opened_files(self):
"""Outputs all processes and their opened files in a csv"""
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
pe32 = PROCESSENTRY32()
pe32.dwSize = sizeof(PROCESSENTRY32)
ret = Process32First(hProcessSnap, pointer(pe32))
with open(self.output_dir + '\\' + self.computer_name + '_processes_opened_files' + self.rand_ext,
'wb') as output:
csv_writer = get_csv_writer(output)
write_to_csv(["COMPUTER_NAME", "TYPE", "PID", "PROCESS_NAME", "FILENAME"], csv_writer)
while ret:
try:
p = psutil.Process(pe32.th32ProcessID)
process_name = p.name()
self.logger.info(
'Getting opened files for : ' + process_name + '(' + unicode(pe32.th32ProcessID) + ')')
# We need open a subprocess because get_open_files may hang forever
q = Queue()
process = Process(target=timer_open_files, args=(p, q,))
process.start()
# We wait for 2 seconds
process.join(2)
if process.is_alive():
# If the subprocess is still alive, assume it is hanged and kill it
q.close()
process.terminate()
else:
# Otherwise, continue normal processing
opened_files = q.get()
if isinstance(opened_files, list):
for opened_file in opened_files:
write_to_csv(
[self.computer_name, 'processes_opened_files', unicode(pe32.th32ProcessID),
process_name,
opened_file[0]], csv_writer)
except psutil.AccessDenied:
self.logger.warn('Could not open handle for PID : ' + unicode(pe32.th32ProcessID))
ret = Process32Next(hProcessSnap, pointer(pe32))
record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_processes_opened_files' + self.rand_ext,
self.output_dir + '\\' + self.computer_name + '_sha256.log')
def _csv_all_modules_dll(self):
"""Outputs all processes and their opened dll in a csv"""
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
pe32 = PROCESSENTRY32()
pe32.dwSize = sizeof(PROCESSENTRY32)
ret = Process32First(hProcessSnap, pointer(pe32))
with open(self.output_dir + '\\' + self.computer_name + '_processes_dll.csv', 'wb') as output:
csv_writer = get_csv_writer(output)
write_to_csv(["COMPUTER_NAME", "TYPE", "PID", "PROCESS_NAME", "MODULE"], csv_writer)
while ret:
modules = self._GetProcessModules(pe32.th32ProcessID, False)
if len(modules) > 0:
process_name = modules.pop(0) # first element is the name of the process
for module in modules:
write_to_csv([self.computer_name, 'processes_dll', unicode(pe32.th32ProcessID), process_name, module],
csv_writer)
ret = Process32Next(hProcessSnap, pointer(pe32))
record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_processes_dll.csv',
self.output_dir + '\\' + self.computer_name + '_sha256.log')