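    def get_service_info(regapi):
        """Collect the ServiceDll and ImagePath of every service under CurrentControlSet\\services.

        ImagePath is the binary the Service Control Manager launches and
        ServiceDll (under the service's Parameters subkey) is the module a
        svchost-hosted service loads, so both are the values to inspect when
        looking for service-based persistence.

        Args:
            regapi: registry API object providing reg_get_currentcontrolset(),
                reg_get_all_subkeys() and reg_get_value() over the "system" hive.

        Returns:
            dict mapping the printable service key name to a tuple
            (dll_value, path_value); an element is "" when the value is absent.
        """
        ccs = regapi.reg_get_currentcontrolset()
        key_name = "{0}\\services".format(ccs)
        info = {}
        for subkey in regapi.reg_get_all_subkeys(hive_name="system",
                                                 key=key_name):

            path_value = ""
            dll_value = ""

            image_path = regapi.reg_get_value(hive_name="system",
                                              key="",
                                              value="ImagePath",
                                              given_root=subkey)
            if image_path:
                # ImagePath may be REG_SZ or REG_MULTI_SZ; a multi-string
                # comes back as a list, of which the first entry is kept
                if isinstance(image_path, list):
                    image_path = image_path[0]
                path_value = utils.remove_unprintable(image_path)

            # ServiceDll lives under the service's "Parameters" subkey
            for rootkey in regapi.reg_get_all_subkeys(hive_name="system",
                                                      key="",
                                                      given_root=subkey):
                if rootkey.Name == "Parameters":
                    service_dll = regapi.reg_get_value(hive_name="system",
                                                       key="",
                                                       value="ServiceDll",
                                                       given_root=rootkey)
                    # `!= None` kept on purpose: the value looks like it may be
                    # a framework null-object that compares equal to None
                    # without being the None singleton - confirm before
                    # switching to `is not None`
                    if service_dll != None:
                        dll_value = utils.remove_unprintable(service_dll)
                    break

            info[utils.remove_unprintable(str(subkey.Name))] = (dll_value,
                                                                path_value)

        return info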
 def USBSTOR(self):
     """Populate self.usb_devices from CurrentControlSet\\Enum\\USBSTOR.

     Only class keys whose name starts with "Disk&" are considered. A class
     key named "Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>" yields the
     Vendor/Product/Version fields; every serial subkey beneath it becomes
     one entry of self.usb_devices keyed by the serial number (the part
     before "&" when the name is "<serial>&<n>", else the whole name).
     Timestamps are taken from the LastWriteTime of the serial key and of
     the property subkeys whose name contains 0064/0065/0066/0067.

     NOTE(review): one device dict is created per class key and shared by
     all of its serial subkeys, so per-serial fields are overwritten by the
     last serial seen - preserved as-is here.
     """
     usbstor = self.regapi.reg_get_currentcontrolset() + "\\Enum\\USBSTOR"
     # property-key name fragment -> device field filled from its LastWriteTime
     date_fields = (("0064", "Install date"),
                    ("0065", "First install date"),
                    ("0066", "Last arrival date"),
                    ("0067", "Last removal date"))
     props_suffix = "\\Properties\\{83da6326-97a6-4088-9453-a1923f573b29}"
     for class_key in self.regapi.reg_get_all_subkeys(None, key = usbstor):
         fields = class_key.Name.split("&")
         if fields[0].lower() != "disk":
             continue
         device = OrderedDict((name, "") for name in self.usb_struct)
         if len(fields) == 4:
             # strip the "Ven_", "Prod_" and "Rev_" prefixes
             device["Vendor"] = fields[1][4:]
             device["Product"] = fields[2][5:]
             device["Version"] = fields[3][4:]
         class_path = usbstor + "\\" + class_key.Name
         for serial in self.regapi.reg_get_all_subkeys(None, key = class_path):
             serial_path = class_path + "\\" + serial.Name
             device["Ven/Prod/Rev key update"] = serial.LastWriteTime
             serial_part = serial.Name.split('&')
             serial_no = serial_part[0] if len(serial_part) == 2 else serial.Name
             friendly = self.regapi.reg_get_value(None, key = serial_path, value = "FriendlyName")
             if friendly:
                 device["Device name"] = utils.remove_unprintable(friendly)
             prefix = self.regapi.reg_get_value(None, key = serial_path, value = "ParentIdPrefix")
             if prefix:
                 device["Parent prefix ID"] = utils.remove_unprintable(prefix)
             for prop in self.regapi.reg_get_all_subkeys(None, key = serial_path + props_suffix):
                 prop_name = str(prop.Name)
                 # first matching fragment wins, like the original if/elif chain
                 for fragment, field in date_fields:
                     if fragment in prop_name:
                         device[field] = prop.LastWriteTime
                         break
             self.usb_devices[serial_no] = device
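    def get_service_info(regapi):
        """Collect ServiceDll, ImagePath, FailureCommand and the key timestamp of every service.

        ImagePath is the binary the Service Control Manager launches,
        ServiceDll (under the Parameters subkey) is the module a svchost-hosted
        service loads, and FailureCommand is the command the service recovery
        action runs when the service fails - all three are values to inspect
        when looking for service-based persistence.

        Args:
            regapi: registry API object providing reg_get_currentcontrolset(),
                reg_get_all_subkeys() and reg_get_value() over the "system" hive.

        Returns:
            dict mapping the printable service key name to a tuple
            (dll_value, path_value, failure_value, last_write); string elements
            are "" when the value is absent, last_write is the service key's
            LastWriteTime as an int.
        """
        ccs = regapi.reg_get_currentcontrolset()
        key_name = "{0}\\services".format(ccs)
        info = {}
        for subkey in regapi.reg_get_all_subkeys(hive_name = "system", key = key_name):

            path_value = ""
            dll_value = ""
            failure_value = ""

            image_path = regapi.reg_get_value(hive_name = "system", key = "", value = "ImagePath", given_root = subkey)
            if image_path:
                # ImagePath may be REG_SZ or REG_MULTI_SZ; a multi-string
                # comes back as a list, of which the first entry is kept
                if isinstance(image_path, list):
                    image_path = image_path[0]
                path_value = utils.remove_unprintable(image_path)

            failure_path = regapi.reg_get_value(hive_name = "system", key = "", value = "FailureCommand", given_root = subkey)
            if failure_path:
                failure_value = utils.remove_unprintable(failure_path)

            # ServiceDll lives under the service's "Parameters" subkey
            for rootkey in regapi.reg_get_all_subkeys(hive_name = "system", key = "", given_root = subkey):
                if rootkey.Name == "Parameters":
                    service_dll = regapi.reg_get_value(hive_name = "system", key = "", value = "ServiceDll", given_root = rootkey)
                    # `!= None` kept on purpose: the value looks like it may be
                    # a framework null-object that compares equal to None
                    # without being the None singleton - confirm before
                    # switching to `is not None`
                    if service_dll != None:
                        dll_value = utils.remove_unprintable(service_dll)
                    break

            last_write = int(subkey.LastWriteTime)
            info[utils.remove_unprintable(str(subkey.Name))] = (dll_value, path_value, failure_value, last_write)

        return info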
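    def get_service_info(regapi):
        """Collect ServiceDll, ImagePath, FailureCommand and the key timestamp of every service.

        ImagePath is the binary the Service Control Manager launches,
        ServiceDll (under the Parameters subkey) is the module a svchost-hosted
        service loads, and FailureCommand is the command the service recovery
        action runs when the service fails - all three are values to inspect
        when looking for service-based persistence.

        Args:
            regapi: registry API object providing reg_get_currentcontrolset(),
                reg_get_all_subkeys() and reg_get_value() over the "system" hive.

        Returns:
            dict mapping the printable service key name to a tuple
            (dll_value, path_value, failure_value, last_write); string elements
            are "" when the value is absent, last_write is the service key's
            LastWriteTime as an int.
        """
        def _first_string(value):
            """Return a registry string value as one string.

            A REG_MULTI_SZ value comes back as a list; its first entry is
            kept (or "" for an empty list). Other values pass through.
            """
            if isinstance(value, list):
                return value[0] if value else ""
            return value

        ccs = regapi.reg_get_currentcontrolset()
        key_name = "{0}\\services".format(ccs)
        info = {}
        for subkey in regapi.reg_get_all_subkeys(hive_name="system",
                                                 key=key_name):

            path_value = ""
            dll_value = ""
            failure_value = ""

            image_path = regapi.reg_get_value(hive_name="system",
                                              key="",
                                              value="ImagePath",
                                              given_root=subkey)
            if image_path:
                # this could be REG_SZ or REG_MULTI_SZ
                path_value = utils.remove_unprintable(_first_string(image_path))

            failure_path = regapi.reg_get_value(hive_name="system",
                                                key="",
                                                value="FailureCommand",
                                                given_root=subkey)
            if failure_path:
                # same multi-string guard as ImagePath, for consistency
                failure_value = utils.remove_unprintable(_first_string(failure_path))

            # ServiceDll lives under the service's "Parameters" subkey
            for rootkey in regapi.reg_get_all_subkeys(hive_name="system",
                                                      key="",
                                                      given_root=subkey):
                if rootkey.Name == "Parameters":
                    service_dll = regapi.reg_get_value(hive_name="system",
                                                       key="",
                                                       value="ServiceDll",
                                                       given_root=rootkey)
                    # `!= None` kept on purpose: the value looks like it may be
                    # a framework null-object that compares equal to None
                    # without being the None singleton - confirm before
                    # switching to `is not None`
                    if service_dll != None:
                        dll_value = utils.remove_unprintable(_first_string(service_dll))
                    break

            last_write = int(subkey.LastWriteTime)
            info[utils.remove_unprintable(str(
                subkey.Name))] = (dll_value, path_value, failure_value,
                                  last_write)

        return info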
 def get_service_dlls(regapi):
     """Map every service name to its ServiceDll value.

     Only services that carry a "Parameters" subkey with a ServiceDll value
     appear in the result; that value names the module a svchost-hosted
     service loads, which is why it is worth listing on its own.

     Args:
         regapi: registry API object providing reg_get_currentcontrolset(),
             reg_get_all_subkeys() and reg_get_value() over the "system" hive.

     Returns:
         dict mapping the printable service key name to the printable
         ServiceDll string.
     """
     control_set = regapi.reg_get_currentcontrolset()
     services_key = "{0}\\services".format(control_set)
     dlls = {}
     for service in regapi.reg_get_all_subkeys(hive_name="system",
                                               key=services_key):
         for child in regapi.reg_get_all_subkeys(hive_name="system",
                                                 key="",
                                                 given_root=service):
             if child.Name != "Parameters":
                 continue
             dll = regapi.reg_get_value(hive_name="system",
                                        key="",
                                        value="ServiceDll",
                                        given_root=child)
             # `!= None` rather than `is not None`: the value looks like it
             # may be a framework null-object that compares equal to None
             if dll != None:
                 service_name = utils.remove_unprintable(str(service.Name))
                 dlls[service_name] = "{0}".format(
                     utils.remove_unprintable(dll))
     return dlls
 def reg_get_key_path(self, key):
     ''' 
     Takes in a key object and traverses back through its family to build the path
     '''
     path = key.Name
     parent = key.Parent
     # Stop at a null parent or one whose low 32 bits are <= 0x20 - this
     # looks like a guard against invalid/small parent pointers; confirm.
     while parent and (parent & 0xffffffff) > 0x20:
         key = parent.dereference()
         # Nameless ancestors are skipped. Note that the raw Name (not the
         # printable-filtered copy used for the check) is what goes into the path.
         if utils.remove_unprintable(str(key.Name)) != "": 
             path = "{0}\\{1}".format(key.Name, path)
         parent = key.Parent
     return path
 def reg_get_key_path(self, key):
     """
     Takes in a key object and traverses back through its family to build the path
     """
     path = key.Name
     parent = key.Parent
     # Stop at a null parent or one whose low 32 bits are <= 0x20 - this
     # looks like a guard against invalid/small parent pointers; confirm.
     while parent and (parent & 0xFFFFFFFF) > 0x20:
         key = parent.dereference()
         # Nameless ancestors are skipped. Note that the raw Name (not the
         # printable-filtered copy used for the check) is what goes into the path.
         if utils.remove_unprintable(key.Name.v()) != "":
             path = f"{key.Name}\\{path}"
         parent = key.Parent
     return path
 def get_service_dlls(regapi):
     """Map every service name to its ServiceDll value.

     Only services that carry a "Parameters" subkey with a ServiceDll value
     appear in the result; that value names the module a svchost-hosted
     service loads, which is why it is worth listing on its own.

     Args:
         regapi: registry API object providing reg_get_currentcontrolset(),
             reg_get_all_subkeys() and reg_get_value() over the "system" hive.

     Returns:
         dict mapping the printable service key name to the printable
         ServiceDll string.
     """
     services_key = "{0}\\services".format(regapi.reg_get_currentcontrolset())
     dlls = {}
     for service in regapi.reg_get_all_subkeys(hive_name = "system", key = services_key):
         for child in regapi.reg_get_all_subkeys(hive_name = "system", key = "", given_root = service):
             if child.Name != "Parameters":
                 continue
             dll = regapi.reg_get_value(hive_name = "system", key = "", value = "ServiceDll", given_root = child)
             # `!= None` rather than `is not None`: the value looks like it
             # may be a framework null-object that compares equal to None
             if dll != None:
                 service_name = utils.remove_unprintable(str(service.Name))
                 dlls[service_name] = "{0}".format(utils.remove_unprintable(dll))
     return dlls
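 def WindowsPortableDevices(self):
     """Fill in "Volume name" for USB disks already collected in self.usb_devices.

     Walks "Microsoft\\Windows Portable Devices\\Devices", keeps the entries
     whose name contains 'USBSTOR#DISK', extracts the serial number from the
     name and copies that key's FriendlyName onto the matching device.
     Names that do not have the expected "...USBSTOR#DISK&<ids>#<serial>..."
     shape are skipped instead of raising IndexError.
     """
     devices_key = "Microsoft\\Windows Portable Devices\\Devices"
     for subkey in self.regapi.reg_get_all_subkeys(None, key = devices_key):
         name = str(subkey.Name)
         if 'USBSTOR#DISK' not in name:
             continue
         val = self.regapi.reg_get_value(None, key = devices_key + "\\" + name, value = "FriendlyName")
         if not val:
             continue
         # The serial is the segment after "USBSTOR#DISK&<ids>#"; a name that
         # matched the substring test above but lacks the "&" or a second "#"
         # (registry data is untrusted, carved input) has no usable serial.
         try:
             part = name.split("USBSTOR#DISK&")[1].split("#")[1]
         except IndexError:
             continue
         serial_part = part.split("&")
         serial_no = serial_part[0] if len(serial_part) == 2 else part
         if serial_no in self.usb_devices:
             self.usb_devices[serial_no]["Volume name"] = utils.remove_unprintable(val)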
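 def MountedDevices(self):
     """Attach the volume GUID and drive letter from MountedDevices to each USB device.

     Every REG_BINARY value under MountedDevices is matched against the
     device's "Parent prefix ID" when one is known, otherwise against its
     serial number. A "\\??\\Volume{<guid>}" value fills "GUID" (value[11:-1]
     drops the prefix and the closing brace); a "\\DosDevices\\X:" value
     fills "Drive letter" (value[12:]). Scanning stops for a device once
     both fields are set.
     """
     # Materialised once: reg_yield_values looks like a generator (its name),
     # and a generator is exhausted after the first device's pass, so every
     # device after the first would never be matched.
     mounted = list(self.regapi.reg_yield_values(None, key = "MountedDevices", thetype = "REG_BINARY"))
     for serial in self.usb_devices:
         device = self.usb_devices[serial]
         # match on the parent prefix ID when known, else on the serial number
         needle = device["Parent prefix ID"] or serial
         for value, data in mounted:
             data = utils.remove_unprintable(data)
             value = str(value)
             if needle in data:
                 if "Volume" in value:
                     device["GUID"] = value[11:-1]
                 if "DosDevices" in value:
                     device["Drive letter"] = value[12:]
             if device["Drive letter"] and device["GUID"]:
                 break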
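    def parse_evt_info(self, name, buf, rawtime=False):
        """Yield one row per event record carved from an EVT log buffer.

        Args:
            name: path of the log; only its basename is reported.
            buf: the raw log contents, scanned for the "LfLe" record
                 signature. It may be a partial or damaged carve, so every
                 offset and length read out of a record is treated as
                 untrusted.
            rawtime: when True the TimeWritten field is yielded as-is instead
                     of its string form.

        Yields:
            [time_written, log_basename, computer_name, sid_string, source,
             event_id, event_type, message]; message is "N/A" when the record
             carries no strings, and "|" is replaced by "%7c" so the field is
             safe in "|"-delimited output.
        """
        loc = buf.find("LfLe")

        ## Skip the EVTLogHeader at offset 4. Here you can also parse
        ## and print the header values if you like.
        if loc == 4:
            loc = buf.find("LfLe", loc + 1)

        while loc != -1:

            ## The signature sits 4 bytes into a record, after its Length
            ## field. A hit closer to the start of the buffer than that cannot
            ## be a whole record, and buf[loc - 4:] would wrap around to the
            ## tail of the buffer, so move on to the next signature instead.
            if loc < 4:
                loc = buf.find("LfLe", loc + 1)
                continue

            ## This record's data (and potentially the data for records
            ## that follow it, so we'll be careful to chop it in the right
            ## places before future uses).
            rec = buf[loc - 4:]

            ## Use a buffer AS to instantiate the object
            bufferas = addrspace.BufferAddressSpace(self._config, data=rec)
            evtlog = obj.Object("EVTRecordStruct", offset=0, vm=bufferas)
            rec_size = bufferas.profile.get_obj_size("EVTRecordStruct")

            ## Calculate the SID string. If the SidLength is zero, the next
            ## field (list of strings) starts at StringOffset. If the SidLength
            ## is non-zero, use the data of length SidLength to determine the
            ## SID string and the next field starts at SidOffset.
            if evtlog.SidLength == 0:
                end = evtlog.StringOffset
                sid_string = "N/A"
            else:
                ## detect mangled records based on an invalid SID length
                ## (68 bytes is the largest SID this parser accepts)
                if evtlog.SidLength > 68:
                    loc = buf.find("LfLe", loc + 1)
                    continue
                ## these should be appropriately sized SIDs
                end = evtlog.SidOffset
                sid_string = self.get_sid_string(rec[end:end +
                                                     evtlog.SidLength])

            ## Source and computer name sit between the fixed header and
            ## `end`, split on a double NUL (looks like UTF-16 terminators).
            ## Slicing past the buffer just yields less data, never raises.
            computer_name = ""
            items = rec[rec_size:end].split("\x00\x00")
            source = utils.remove_unprintable(items[0])
            if len(items) > 1:
                computer_name = utils.remove_unprintable(items[1])

            ## NumStrings is record-controlled; min() keeps a bogus count from
            ## indexing past what was actually split.
            strings = rec[evtlog.StringOffset:].split("\x00\x00",
                                                      evtlog.NumStrings)
            messages = [utils.remove_unprintable(strings[s])
                        for s in range(min(len(strings), evtlog.NumStrings))]

            # We'll just say N/A if there are no messages, otherwise join them
            # together with semi-colons.
            if messages:
                msg = ";".join(messages)
                msg = msg.replace("|", "%7c")
            else:
                msg = "N/A"

            # Records with an invalid timestamp are ignored entirely.
            # `!= None` is kept on purpose: TimeWritten looks like a framework
            # object that compares equal to None when invalid without being
            # the None singleton, so `is not None` would not be equivalent.
            if evtlog.TimeWritten != None:

                fields = [
                    str(evtlog.TimeWritten)
                    if not rawtime else evtlog.TimeWritten,
                    ntpath.basename(name),
                    computer_name,
                    sid_string,
                    source,
                    str(evtlog.EventID),
                    str(evtlog.EventType),
                    msg,
                ]

                yield fields

            ## Scan to the next record signature
            loc = buf.find("LfLe", loc + 1)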
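    def parse_evt_info(self, name, buf, rawtime = False):
        """Yield one row per event record carved from an EVT log buffer.

        Args:
            name: path of the log; only its basename is reported.
            buf: the raw log contents, scanned for the "LfLe" record
                 signature. It may be a partial or damaged carve, so every
                 offset and length read out of a record is treated as
                 untrusted.
            rawtime: when True the TimeWritten field is yielded as-is instead
                     of its string form.

        Yields:
            [time_written, log_basename, computer_name, sid_string, source,
             event_id, event_type, message]; message is "N/A" when the record
             carries no strings, and "|" is replaced by "%7c" so the field is
             safe in "|"-delimited output.
        """
        loc = buf.find("LfLe")

        ## Skip the EVTLogHeader at offset 4. Here you can also parse
        ## and print the header values if you like.
        if loc == 4:
            loc = buf.find("LfLe", loc + 1)

        while loc != -1:

            ## The signature sits 4 bytes into a record, after its Length
            ## field. A hit closer to the start of the buffer than that cannot
            ## be a whole record, and buf[loc - 4:] would wrap around to the
            ## tail of the buffer, so move on to the next signature instead.
            if loc < 4:
                loc = buf.find("LfLe", loc + 1)
                continue

            ## This record's data (and potentially the data for records
            ## that follow it, so we'll be careful to chop it in the right
            ## places before future uses).
            rec = buf[loc - 4:]

            ## Use a buffer AS to instantiate the object
            bufferas = addrspace.BufferAddressSpace(self._config, data = rec)
            evtlog = obj.Object("EVTRecordStruct", offset = 0, vm = bufferas)
            rec_size = bufferas.profile.get_obj_size("EVTRecordStruct")

            ## Calculate the SID string. If the SidLength is zero, the next
            ## field (list of strings) starts at StringOffset. If the SidLength
            ## is non-zero, use the data of length SidLength to determine the
            ## SID string and the next field starts at SidOffset.
            if evtlog.SidLength == 0:
                end = evtlog.StringOffset
                sid_string = "N/A"
            else:
                ## detect mangled records based on an invalid SID length
                ## (68 bytes is the largest SID this parser accepts)
                if evtlog.SidLength > 68:
                    loc = buf.find("LfLe", loc + 1)
                    continue
                ## these should be appropriately sized SIDs
                end = evtlog.SidOffset
                sid_string = self.get_sid_string(rec[end:end + evtlog.SidLength])

            ## Source and computer name sit between the fixed header and
            ## `end`, split on a double NUL (looks like UTF-16 terminators).
            ## Slicing past the buffer just yields less data, never raises.
            computer_name = ""
            items = rec[rec_size:end].split("\x00\x00")
            source = utils.remove_unprintable(items[0])
            if len(items) > 1:
                computer_name = utils.remove_unprintable(items[1])

            ## NumStrings is record-controlled; min() keeps a bogus count from
            ## indexing past what was actually split.
            strings = rec[evtlog.StringOffset:].split("\x00\x00", evtlog.NumStrings)
            messages = [utils.remove_unprintable(strings[s])
                        for s in range(min(len(strings), evtlog.NumStrings))]

            # We'll just say N/A if there are no messages, otherwise join them
            # together with semi-colons.
            if messages:
                msg = ";".join(messages)
                msg = msg.replace("|", "%7c")
            else:
                msg = "N/A"

            # Records with an invalid timestamp are ignored entirely.
            # `!= None` is kept on purpose: TimeWritten looks like a framework
            # object that compares equal to None when invalid without being
            # the None singleton, so `is not None` would not be equivalent.
            if evtlog.TimeWritten != None:

                fields = [
                    str(evtlog.TimeWritten) if not rawtime else evtlog.TimeWritten,
                    ntpath.basename(name),
                    computer_name,
                    sid_string,
                    source,
                    str(evtlog.EventID),
                    str(evtlog.EventType), msg]

                yield fields

            ## Scan to the next record signature
            loc = buf.find("LfLe", loc + 1)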
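    def render_xlsx(self, outfd, data):
        """Write the psxview table to an .xlsx workbook and colour-code it.

        Args:
            outfd: unused here; the workbook goes to self._config.OUTPUT_FILE.
            data: iterable of (offset, process, ps_sources) triples, where
                  ps_sources maps a source name ('pslist', 'psscan',
                  'thrdproc', 'pspcid', 'csrss', 'session', 'deskthrd') to a
                  dict keyed by process offset.

        The sheet is written once with the streaming writer (optimized_write),
        then reopened from disk to style it - presumably because that writer
        cannot style cells. The header row gets BoldStyle; in every data row
        the seven source columns (D..J) are painted RedStyle when the cell
        reads "False" and GreenStyle otherwise ("True" or "Okay").

        Python 2 only (has_key, xrange), matching the rest of the file.
        """
        def _font(bold, color):
            """Calibri 11 font shared by every style below."""
            return Font(name='Calibri',
                        size=11,
                        bold=bold,
                        italic=False,
                        vertAlign=None,
                        underline='none',
                        strike=False,
                        color=color)

        def _thick_black():
            """A fresh thick black border side, one per border slot."""
            return Side(border_style="thick", color='FF000000')

        def _apply_rule(flag, process, allowed_names=()):
            """Downgrade a missing-source flag to "Okay" when the gap is expected.

            A process absent from a source is still "Okay" if its image name
            is on that source's allow-list (e.g. System and smss.exe never
            appear in csrss/session/desktop data) or if it has already exited
            (ExitTime > 0). A truthy flag is returned unchanged.
            """
            if flag:
                return flag
            if str(process.ImageFileName).lower() in allowed_names:
                return "Okay"
            if process.ExitTime > 0:
                return "Okay"
            return flag

        BoldStyle = Style(font=_font(True, 'FFFFFFFF'),
                          fill=PatternFill(fill_type="solid",
                                           start_color='FF000000',
                                           end_color='FF000000'))
        RedStyle = Style(font=_font(False, 'FF000000'),
                         border=Border(left=_thick_black(),
                                       right=_thick_black(),
                                       top=_thick_black(),
                                       bottom=_thick_black(),
                                       diagonal=_thick_black(),
                                       diagonal_direction=0,
                                       outline=_thick_black(),
                                       vertical=_thick_black(),
                                       horizontal=_thick_black()),
                         fill=PatternFill(start_color = 'FFFF0000',
                                          end_color = 'FFFF0000',
                                          fill_type = 'solid'))
        GreenStyle = Style(font=_font(False, 'FF000000'),
                           fill=PatternFill(start_color = "FF00FF00",
                                            end_color = "FF00FF00",
                                            fill_type = "solid"))

        wb = Workbook(optimized_write = True)
        ws = wb.create_sheet()
        ws.title = "Psxview Output"
        ws.append(["Offset (P)",
                  "Name",
                  "PID",
                  "pslist", 
                  "psscan", 
                  "thrdproc", 
                  "pspcid",
                  "csrss", 
                  "session", 
                  "deskthrd",
                  "Exit Time"])
        # row index of the last written row (1 == header only)
        total = 1
        for offset, process, ps_sources in data:
            incsrss = ps_sources['csrss'].has_key(offset)
            insession = ps_sources['session'].has_key(offset)
            indesktop = ps_sources['deskthrd'].has_key(offset)
            inpspcid = ps_sources['pspcid'].has_key(offset)
            inpslist = ps_sources['pslist'].has_key(offset)
            inthread = ps_sources['thrdproc'].has_key(offset)

            if self._config.APPLY_RULES:
                incsrss = _apply_rule(incsrss, process, ("system", "smss.exe", "csrss.exe"))
                insession = _apply_rule(insession, process, ("system", "smss.exe"))
                indesktop = _apply_rule(indesktop, process, ("system", "smss.exe"))
                inpspcid = _apply_rule(inpspcid, process)
                inpslist = _apply_rule(inpslist, process)
                inthread = _apply_rule(inthread, process)

            ws.append([hex(offset),
                str(utils.remove_unprintable(str(process.ImageFileName)) or ""),
                str(process.UniqueProcessId),
                str(inpslist),
                str(ps_sources['psscan'].has_key(offset)),
                str(inthread),
                str(inpspcid),
                str(incsrss),
                str(insession),
                str(indesktop),
                str(process.ExitTime or '')])
            total += 1
        wb.save(filename = self._config.OUTPUT_FILE)

        # Reopen to apply styles (see docstring); columns are 1-based A..K
        wb = load_workbook(filename = self._config.OUTPUT_FILE)
        ws = wb.get_sheet_by_name(name = "Psxview Output")
        for col in xrange(1, 12):
            ws.cell("{0}{1}".format(get_column_letter(col), 1)).style = BoldStyle
        # columns 4..10 (pslist .. deskthrd) hold the source flags
        for row in xrange(2, total + 1):
            for col in xrange(4, 11):
                cell = ws.cell("{0}{1}".format(get_column_letter(col), row))
                cell.style = RedStyle if cell.value == "False" else GreenStyle
        wb.save(filename = self._config.OUTPUT_FILE)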
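    def render_xlsx(self, outfd, data):
        """Write the psxview table to an .xlsx workbook and colour-code it.

        Args:
            outfd: unused here; the workbook goes to self._config.OUTPUT_FILE.
            data: iterable of (offset, process, ps_sources) triples, where
                  ps_sources maps a source name ('pslist', 'psscan',
                  'thrdproc', 'pspcid', 'csrss', 'session', 'deskthrd') to a
                  dict keyed by process offset.

        The sheet is written once with the streaming writer (optimized_write),
        then reopened from disk to style it - presumably because that writer
        cannot style cells. The header row gets BoldStyle; in every data row
        the seven source columns (D..J) are painted RedStyle when the cell
        reads "False" and GreenStyle otherwise ("True" or "Okay").

        Python 2 only (has_key, xrange), matching the rest of the file.
        """
        def _font(bold, color):
            """Calibri 11 font shared by every style below."""
            return Font(name='Calibri',
                        size=11,
                        bold=bold,
                        italic=False,
                        vertAlign=None,
                        underline='none',
                        strike=False,
                        color=color)

        def _thick_black():
            """A fresh thick black border side, one per border slot."""
            return Side(border_style="thick", color='FF000000')

        def _apply_rule(flag, process, allowed_names=()):
            """Downgrade a missing-source flag to "Okay" when the gap is expected.

            A process absent from a source is still "Okay" if its image name
            is on that source's allow-list (e.g. System and smss.exe never
            appear in csrss/session/desktop data) or if it has already exited
            (ExitTime > 0). A truthy flag is returned unchanged.
            """
            if flag:
                return flag
            if str(process.ImageFileName).lower() in allowed_names:
                return "Okay"
            if process.ExitTime > 0:
                return "Okay"
            return flag

        BoldStyle = Style(font=_font(True, 'FFFFFFFF'),
                          fill=PatternFill(fill_type="solid",
                                           start_color='FF000000',
                                           end_color='FF000000'))
        RedStyle = Style(font=_font(False, 'FF000000'),
                         border=Border(left=_thick_black(),
                                       right=_thick_black(),
                                       top=_thick_black(),
                                       bottom=_thick_black(),
                                       diagonal=_thick_black(),
                                       diagonal_direction=0,
                                       outline=_thick_black(),
                                       vertical=_thick_black(),
                                       horizontal=_thick_black()),
                         fill=PatternFill(start_color = 'FFFF0000',
                                          end_color = 'FFFF0000',
                                          fill_type = 'solid'))
        GreenStyle = Style(font=_font(False, 'FF000000'),
                           fill=PatternFill(start_color = "FF00FF00",
                                            end_color = "FF00FF00",
                                            fill_type = "solid"))

        wb = Workbook(optimized_write = True)
        ws = wb.create_sheet()
        ws.title = "Psxview Output"
        ws.append(["Offset (P)",
                  "Name",
                  "PID",
                  "pslist", 
                  "psscan", 
                  "thrdproc", 
                  "pspcid",
                  "csrss", 
                  "session", 
                  "deskthrd",
                  "Exit Time"])
        # row index of the last written row (1 == header only)
        total = 1
        for offset, process, ps_sources in data:
            incsrss = ps_sources['csrss'].has_key(offset)
            insession = ps_sources['session'].has_key(offset)
            indesktop = ps_sources['deskthrd'].has_key(offset)
            inpspcid = ps_sources['pspcid'].has_key(offset)
            inpslist = ps_sources['pslist'].has_key(offset)
            inthread = ps_sources['thrdproc'].has_key(offset)

            if self._config.APPLY_RULES:
                incsrss = _apply_rule(incsrss, process, ("system", "smss.exe", "csrss.exe"))
                insession = _apply_rule(insession, process, ("system", "smss.exe"))
                indesktop = _apply_rule(indesktop, process, ("system", "smss.exe"))
                inpspcid = _apply_rule(inpspcid, process)
                inpslist = _apply_rule(inpslist, process)
                inthread = _apply_rule(inthread, process)

            ws.append([hex(offset),
                str(utils.remove_unprintable(str(process.ImageFileName)) or ""),
                str(process.UniqueProcessId),
                str(inpslist),
                str(ps_sources['psscan'].has_key(offset)),
                str(inthread),
                str(inpspcid),
                str(incsrss),
                str(insession),
                str(indesktop),
                str(process.ExitTime or '')])
            total += 1
        wb.save(filename = self._config.OUTPUT_FILE)

        # Reopen to apply styles (see docstring); columns are 1-based A..K
        wb = load_workbook(filename = self._config.OUTPUT_FILE)
        ws = wb.get_sheet_by_name(name = "Psxview Output")
        for col in xrange(1, 12):
            ws.cell("{0}{1}".format(get_column_letter(col), 1)).style = BoldStyle
        # columns 4..10 (pslist .. deskthrd) hold the source flags
        for row in xrange(2, total + 1):
            for col in xrange(4, 11):
                cell = ws.cell("{0}{1}".format(get_column_letter(col), row))
                cell.style = RedStyle if cell.value == "False" else GreenStyle
        wb.save(filename = self._config.OUTPUT_FILE)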