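class ReportExportOptionsDialog(QDialog):
    """Modal dialog asking whether to extract content and where to export the report.

    The export directory is read from, and written back to, a ``ReportManager``.
    The path field is read-only on purpose: the only way to change it is the
    directory picker, so the manager never receives a hand-typed path.
    """

    def __init__(self, exportContent=False):
        """Build the dialog widgets.

        Args:
            exportContent: initial state of the "Extract content" check box.
        """
        QDialog.__init__(self)
        self.setWindowTitle(self.tr("Export options"))
        self.reportManager = ReportManager()
        layout = QVBoxLayout()

        self.extractContentCheckBox = QCheckBox(self.tr("E&xtract content"))
        # bool() so any truthy argument maps onto a proper Qt check state
        self.extractContentCheckBox.setChecked(bool(exportContent))
        layout.addWidget(self.extractContentCheckBox)

        # export directory row: label, read-only path, "..." picker button
        directoryPathLayout = QHBoxLayout()
        pathLabel = QLabel(self.tr("Report extraction path :"))
        self.pathLineEdit = QLineEdit(self.reportManager.export_path)
        self.pathLineEdit.setReadOnly(True)
        pathButton = QPushButton("...")
        self.connect(pathButton, SIGNAL("clicked()"), self.askPath)
        for widget in (pathLabel, self.pathLineEdit, pathButton):
            directoryPathLayout.addWidget(widget)
        layout.addLayout(directoryPathLayout)

        # Ok / Cancel row wired to the standard QDialog accept/reject slots
        buttonLayout = QHBoxLayout()
        self.buttonOk = QPushButton("O&k")
        self.connect(self.buttonOk, SIGNAL("clicked()"), self.accept)
        self.buttonCancel = QPushButton("C&ancel")
        self.connect(self.buttonCancel, SIGNAL("clicked()"), self.reject)
        buttonLayout.addWidget(self.buttonOk)
        buttonLayout.addWidget(self.buttonCancel)
        layout.addLayout(buttonLayout)

        self.setLayout(layout)

    def askPath(self):
        """Let the user pick an export directory and push it to the report manager.

        The chosen directory gets a ``dff-report`` sub-directory appended so the
        export never writes directly into the directory the user selected.
        Cancelling the picker (empty result) leaves everything unchanged.
        """
        directory = QFileDialog.getExistingDirectory(
            self, self.tr("Report extraction directory"),
            self.reportManager.export_path)
        if not len(directory):
            return
        # toUtf8(): PyQt4 QString -> bytes before handing it to os.path
        directory = os.path.join(str(directory.toUtf8()), 'dff-report')
        self.pathLineEdit.setText(directory)
        self.reportManager.setExportPath(directory)

    def exportContent(self):
        """Return True when the user asked for content extraction."""
        return self.extractContentCheckBox.isChecked()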
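class ReportUI(UI):
    """Command-line driver: process a dump, build report pages, export the report.

    Expected invocation (see ``launch``): ``<program> <dump path> <report path>``.
    Each ``search*`` method adds one page to the report; ``launch`` only calls
    ``searchTaggedNode`` and ``addProcessingTime`` - the registry, SQLite and
    EVTX searches are available but not wired into the pipeline here.
    """

    def __init__(self, arguments):
        """Set up the managers and resolve the processing modules this UI uses."""
        UI.__init__(self, arguments)
        self.taskManager = TaskManager()
        self.reportManager = ReportManager()
        # processing modules are looked up by name from the processus manager
        self.registryManager = ModuleProcessusManager().get("winreg")
        self.evtxManager = ModuleProcessusManager().get("evtx")
        self.sqliteManager = ModuleProcessusManager().get('SqliteDB')
        self.root = vfs().getnode("/")

    def configureProcessing(self):
        """Register the post-processing modules and analyses, then their dependencies."""
        self.taskManager.addPostProcessingModules(PROCESSING_MODULES)
        self.taskManager.addPostProcessingAnalyses(PROCESSING_ANALYSES)
        self.taskManager.addAnalyseDependencies()

    def launchProcessing(self):
        """Open ``self.dumpPath`` with the ``local`` module and block until processing ends.

        Requires ``self.dumpPath`` to be set (``launch`` does this).
        """
        proc = self.taskManager.add("local", {"path": self.dumpPath},
                                    "console")
        proc.event.wait()
        self.taskManager.join()

    def launch(self):
        """Run the whole pipeline: processing, report pages, export.

        Raises:
            ValueError: when the dump path or the report path is missing
                from the command line.
        """
        self.startTime = time.time()

        # positional arguments: <dump path> <report export path>
        if len(sys.argv) < 3:
            raise ValueError("usage: <dump path> <report path>")
        self.dumpPath = sys.argv[1]
        self.reportPath = sys.argv[2]

        # processing must finish before any search reads the VFS
        self.configureProcessing()
        self.launchProcessing()

        self.searchTaggedNode()
        self.addProcessingTime()

        self.reportManager.setExportPath(self.reportPath)
        self.reportManager.export(exportContent=True)

    def addProcessingTime(self):
        """Add a "Stats" page showing the time elapsed since ``launch`` started."""
        elapsed = time.time() - self.startTime
        # minutes above one minute, seconds otherwise (label text kept as-is)
        if elapsed > 60:
            totalTime = str(elapsed / 60) + " minutes"
        else:
            totalTime = str(elapsed) + " secondes"

        page = self.reportManager.createPage("MyAnalysis", "Stats")
        page.addText("Processing time ", totalTime)
        self.reportManager.addPage(page)

    def searchTaggedNode(self):
        """Add a "Files" page listing nodes tagged malware or suspicious.

        No page is added when the filter matches nothing.
        """
        nodeFilter = Filter("")
        nodeFilter.compile('tags in ["malware", "suspicious"]')
        nodeFilter.process(self.root)
        matched = nodeFilter.matchedNodes()
        if len(matched) == 0:
            return
        page = self.reportManager.createPage("MyAnalysis", "Files")
        page.addNodeList("Malware", matched)
        self.reportManager.addPage(page)

    def searchRegistryKeys(self):
        """Add a "Registry" page with the non-binary values of the CurrentVersion key.

        Binary (bytearray) values are skipped because they cannot be shown
        as text in the report table.
        """
        # raw string: the key path contains backslashes that must stay literal
        keyPath = r'HKLM\Software\Microsoft\Windows NT\CurrentVersion'
        regKeys = self.registryManager.getKeys({keyPath: ['*']}, self.root)
        table = [
            (value.name, value.data(), key.hive.absolute())
            for key in regKeys
            for value in key.values()
            if not isinstance(value.data(), bytearray)
        ]

        registryPage = self.reportManager.createPage("MyAnalysis", "Registry")
        registryPage.addTable("Current version",
                              ["name", "value", "hive path"], table)
        self.reportManager.addPage(registryPage)

    def searchSQL(self):
        """Add a "Cookies" page with one table per SQLite database holding a cookies table.

        The query is a fixed literal; the values it returns come from evidence
        databases and are written into the report as-is.
        """
        cookiePage = self.reportManager.createPage("MyAnalysis", "Cookies")
        for db, node in self.sqliteManager.databases.iteritems():
            rows = db.execute("SELECT * FROM cookies").fetchall()
            # column 1 is presumably the cookie's host/site - verify against the schema
            table = [(row[1], ) for row in rows]
            if table:
                cookiePage.addTable(node.absolute(), ["site"], table)
        self.reportManager.addPage(cookiePage)

    @staticmethod
    def _logonRow(event):
        """Return (time, user, domain) for a logon event, or None when a field is missing."""
        try:
            etime = event.findall(".//TimeCreated")[0].attrib["SystemTime"]
            user = event.findall(
                ".//Data[@Name='SubjectUserName']")[0].text
            domain = event.findall(
                ".//Data[@Name='SubjectDomainName']")[0].text
        except (IndexError, KeyError):
            # malformed or partial event record: skip it rather than abort the page
            return None
        return (etime, user, domain)

    def searchEVTX(self):
        """Add an "Event" page listing successful logons (Windows event id 4624)."""
        events = self.evtxManager.getXmlById({"id": [4624]}, "/")
        table = []
        for event in events:
            row = self._logonRow(event)
            if row is not None:
                table.append(row)

        # TODO: node count and stats (type of files etc.?); save to reload?
        eventPage = self.reportManager.createPage("MyAnalysis", "Event")
        eventPage.addTable("Login", ["time", "user", "domain"], table)
        self.reportManager.addPage(eventPage)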