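def external_process(self, fd):
    """Harvest Windows event-log message sources or message strings.

    Behaviour is selected by ``self.mime_type``:

    * ``application/x-winnt-registry``: every ``EventMessageFile`` value
      recorded for this inode in the case ``reg`` table is mapped
      (service name -> message DLL file name) into the pyflag-wide
      ``EventMessageSources`` table, unless the service is already known.
    * anything else: ``fd`` is parsed as a PE file and each entry of its
      message table is bulk-inserted into ``EventMessages``.

    Args:
        fd: open file-like object for the inode being scanned; only the PE
            branch reads from it (wrapped in ``Buffer``).
    """
    if self.mime_type == "application/x-winnt-registry":
        # Log through pyflaglog like the rest of this method instead of
        # writing to stdout.
        pyflaglog.log(pyflaglog.VERBOSE_DEBUG,
                      "Grabbing message sources from %s" % self.fd.inode)
        ## populate the EventMessageSources table from the registry
        dbh = DB.DBO(self.case)   # case DB: parsed registry rows
        pydbh = DB.DBO()          # pyflag-wide DB: message source catalogue
        inode_id = self.fd.lookup_id()
        # NOTE(review): DBO.execute is relied on to quote the %r parameters;
        # row['path'] / row['value'] below come from the evidence hive and
        # are untrusted - confirm the escaping in DB.DBO.
        dbh.execute("select * from reg where reg_key='EventMessageFile' and inode_id=%r",
                    inode_id)
        for row in dbh:
            # The last component of the registry path names the service.
            service = os.path.basename(os.path.normpath(row['path']))
            pydbh.execute("select * from EventMessageSources where source=%r limit 1",
                          service)
            if not pydbh.fetch():
                # The value is a Windows path; keep only the DLL base name.
                filename = row['value'].split("\\")[-1].lower()
                pydbh.execute("insert ignore into EventMessageSources set filename=%r, source=%r",
                              (filename, service))
        return

    filename, inode, inode_id = self.ddfs.lookup(inode=self.inode)
    b = Buffer(fd=fd)
    pyflaglog.log(pyflaglog.VERBOSE_DEBUG,
                  "Opening %s to extract messages" % self.inode)
    pydbh = DB.DBO()
    pydbh.mass_insert_start('EventMessages')
    try:
        m = PElib.get_messages(b)
        for k, v in m.messages.items():
            pydbh.mass_insert(filename=os.path.basename(filename),
                              message_id=k,
                              message=v['Message'],
                              offset=v.buffer.offset,
                              )
    except (IndexError, IOError, AttributeError):
        # No (parseable) message table in this file; nothing to record.
        pyflaglog.log(pyflaglog.VERBOSE_DEBUG,
                      "%s does not contain messages" % filename)
    # mass_insert() queues rows after mass_insert_start(); commit the batch
    # so it is actually written, as the stand-alone extraction script does.
    pydbh.mass_insert_commit()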
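def external_process(self, fd):
    """Scanner entry point: collect event-log message sources or messages.

    Registry hives (``application/x-winnt-registry``) are mined for
    ``EventMessageFile`` values, which tie a service to the DLL holding its
    message table; every other inode is treated as a PE file whose message
    table is bulk-loaded into ``EventMessages``.

    Args:
        fd: open file-like object for the inode; read only on the PE path.
    """
    if self.mime_type == "application/x-winnt-registry":
        self._record_message_sources()
        return
    self._extract_pe_messages(fd)

def _record_message_sources(self):
    """Map each EventMessageFile value of this inode to its service.

    Reads the case DB (``reg`` table) and writes the pyflag-wide
    ``EventMessageSources`` table, skipping services already catalogued.
    """
    pyflaglog.log(pyflaglog.VERBOSE_DEBUG,
                  "Grabbing message sources from %s" % self.fd.inode)
    case_dbh = DB.DBO(self.case)
    global_dbh = DB.DBO()
    inode_id = self.fd.lookup_id()
    # NOTE(review): the %r parameters are assumed to be quoted by
    # DBO.execute; row['path'] / row['value'] originate in the evidence hive
    # and must not reach the query unescaped - confirm in DB.DBO.
    case_dbh.execute(
        "select * from reg where reg_key='EventMessageFile' and inode_id=%r",
        inode_id)
    for row in case_dbh:
        # Service name is the last component of the registry path.
        service = os.path.basename(os.path.normpath(row['path']))
        global_dbh.execute(
            "select * from EventMessageSources where source=%r limit 1",
            service)
        if global_dbh.fetch():
            continue
        # Windows path in the value; keep the DLL base name, lower-cased.
        dll_name = row['value'].split("\\")[-1].lower()
        global_dbh.execute(
            "insert ignore into EventMessageSources set filename=%r, source=%r",
            (dll_name, service))

def _extract_pe_messages(self, fd):
    """Bulk-insert the PE message table read from ``fd`` into EventMessages."""
    filename, _inode, _inode_id = self.ddfs.lookup(inode=self.inode)
    pe_buffer = Buffer(fd=fd)
    pyflaglog.log(pyflaglog.VERBOSE_DEBUG,
                  "Opening %s to extract messages" % self.inode)
    global_dbh = DB.DBO()
    global_dbh.mass_insert_start('EventMessages')
    try:
        messages = PElib.get_messages(pe_buffer)
        for message_id, entry in messages.messages.items():
            global_dbh.mass_insert(
                filename=os.path.basename(filename),
                message_id=message_id,
                message=entry['Message'],
                offset=entry.buffer.offset,
            )
    except (IndexError, IOError, AttributeError):
        # No (parseable) message table in this file.
        pyflaglog.log(pyflaglog.VERBOSE_DEBUG,
                      "%s does not contain messages" % filename)
    # Flush the batch queued by mass_insert(); without the commit the rows
    # may never reach the table. The stand-alone extraction script commits
    # the same way after its try/except.
    global_dbh.mass_insert_commit()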
for directory in config.args: for F in recurse(directory): f = F.lower() fd = open(F) data = fd.read(1024) magic = Magic.buffer(data) if "PE" in magic: fd.seek(0) b = Buffer(fd=fd) logging.log(logging.DEBUG, "Opening %s to extract messages" % F) dbh.mass_insert_start('EventMessages') try: m = PElib.get_messages(b) for k, v in m.messages.items(): dbh.mass_insert( filename=os.path.basename(f), message_id=k, message=v['Message'], offset=v.buffer.offset, ) except (IndexError, IOError, AttributeError): logging.log(logging.VERBOSE_DEBUG, "%s does not contain messages" % f) dbh.mass_insert_commit() elif config.mode == 'reg':
Magic=FlagFramework.Magic() for directory in config.args: for F in recurse(directory): f=F.lower() fd = open(F) data = fd.read(1024) magic = Magic.buffer(data) if "PE" in magic: fd.seek(0) b = Buffer(fd=fd) logging.log(logging.DEBUG, "Opening %s to extract messages" % F) dbh.mass_insert_start('EventMessages') try: m=PElib.get_messages(b) for k,v in m.messages.items(): dbh.mass_insert(filename = os.path.basename(f), message_id = k, message = v['Message'], offset = v.buffer.offset, ) except (IndexError, IOError, AttributeError): logging.log(logging.VERBOSE_DEBUG, "%s does not contain messages" % f) dbh.mass_insert_commit() elif config.mode == 'reg': import FileFormats.RegFile as RegFile dbh=DB.DBO()