def getSystemRegistry(computerName,objRegistry,hostPath,tmpIndicators):
print computerName + " - checking system Registry"
configFile = support.resource_path("config\\systemRegistry.txt")
with open(configFile, "r") as keysFile:
keys = keysFile.readlines()
outFile = open(hostPath + "\SYSTEMREGISTRY-" + computerName + ".csv", "w")
outFile.write("reg_path,reg_key,reg_value\n")
keys = keys + tmpIndicators
for key in keys:
key = key.replace("\n","")
result,subkeys = objRegistry.EnumKey(hDefKey=_winreg.HKEY_LOCAL_MACHINE,sSubKeyName=key)
if result == 0:
subkeys.append("") #check for the key without subkeys
for subkey in subkeys:
result,valueNames,valueTypes = objRegistry.EnumValues(hDefKey=_winreg.HKEY_LOCAL_MACHINE,sSubKeyName=key+"\\"+subkey)
if result == 0:
if valueTypes == None or len(valueTypes) == 0:
outFile.write(key.replace(","," ") + "\\" + subkey.replace(","," ") + ",EMPTY,EMPTY\n")
else:
for x in range(0,len(valueNames)):
support.printReg(_winreg.HKEY_LOCAL_MACHINE, valueNames[x], valueTypes[x], key+"\\"+subkey, outFile, objRegistry)
else:
outFile.write(key.replace(","," ") + ",DOES NOT EXIST,DOES NOT EXIST\n")
outFile.close()
def pollReg(computerName, hostPath, username, hive, userpath, objRegistry,
tmpIndicators):
configFile = support.resource_path("config\\UserRegistry.txt")
with open(configFile, "r") as keysFile:
keys = keysFile.readlines()
outFile = open(
hostPath + "\USERREGISTRY-" + username + "-" + computerName + ".csv",
"w")
outFile.write("reg_path,reg_key,reg_value\n")
keys = keys + tmpIndicators
for key in keys:
key = key.replace("\n", "")
if not key.startswith("\\"):
key = "\\" + key
fullkey = userpath + key
if "UserAssist" in key:
result, subkeys = objRegistry.EnumKey(hDefKey=hive,
sSubKeyName=fullkey)
if result == 0:
for subkey in subkeys:
result, valueNames, valueTypes = objRegistry.EnumValues(
hDefKey=hive,
sSubKeyName=fullkey + "\\" + subkey + "\\" + "Count")
if result == 0:
for value in valueNames:
outFile.write(
key.replace(",", " ") + "," +
value.encode('rot13').replace(",", " ") +
",USERASSIST\n")
else:
result, subkeys = objRegistry.EnumKey(hDefKey=hive,
sSubKeyName=fullkey)
if result == 0:
result, valueNames, valueTypes = objRegistry.EnumValues(
hDefKey=hive, sSubKeyName=fullkey)
if result == 0:
if valueTypes == None or len(valueTypes) == 0:
outFile.write(key.replace(",", " ") + ",EMPTY,EMPTY\n")
else:
for x in range(0, len(valueNames)):
support.printReg(hive, valueNames[x],
valueTypes[x], fullkey, outFile,
objRegistry, key)
else:
outFile.write(
key.replace(",", " ") + ",DOES NOT EXIST,DOES NOT EXIST\n")
outFile.close()
def getDirectoryList(computerName, objWMIService, hostPath, tmpIndicators):
print computerName + " - enumerating directory lists"
outFile = open(hostPath + "\DIRECTORYLIST-" + computerName + ".csv", "w")
outFile.write("directory,created,modified,last_accessed\n")
configFile = support.resource_path("config\\DirectoryList.txt")
with open(configFile, "r") as scanPathsFile:
scanPaths = scanPathsFile.readlines()
scanPaths = scanPaths + tmpIndicators
for path in scanPaths:
path = path.replace("\n", "")
if not path.strip():
continue
if "\\" != path[-1:]:
path = path + "\\"
path = path.replace("\\", "\\\\")
drivePos = path.find(":") + 1
drive = path[0:drivePos]
path = path[drivePos:]
#path must contain the drive in associators query - for some reason you cant split Path and Drive in this query - also paths must not contain trailing slash
#query = "Associators of {Win32_Directory.Name='" + path + "'} WHERE AssocClass = Win32_Subdirectory ResultRole = PartComponent"
query = "Select Name,CreationDate,LastModified,LastAccessed From WIN32_Directory Where Path = \"" + path + "\""
if drive:
query += " And Drive = \"" + drive + "\""
dirlist = objWMIService.ExecQuery(query)
try:
for dir in dirlist:
dirname = support.convert_to_string(dir.Name)
outFile.write(
dirname.replace(",", " ") + "," +
support.convertDate(dir.CreationDate) + "," +
support.convertDate(dir.LastModified) + "," +
support.convertDate(dir.LastAccessed) + "\n")
except:
pass
outFile.close()
def getDirectoryList(computerName,objWMIService,hostPath,tmpIndicators):
print computerName + " - enumerating directory lists"
outFile = open(hostPath + "\DIRECTORYLIST-" + computerName + ".csv", "w")
outFile.write("directory,created,modified,last_accessed\n")
configFile = support.resource_path("config\\DirectoryList.txt")
with open(configFile, "r") as scanPathsFile:
scanPaths = scanPathsFile.readlines()
scanPaths = scanPaths + tmpIndicators
for path in scanPaths:
path = path.replace("\n","")
if not path.strip():
continue
if "\\" != path[-1:]:
path = path + "\\"
path = path.replace("\\","\\\\")
drivePos = path.find(":")+1
drive = path[0:drivePos]
path = path[drivePos:]
#path must contain the drive in associators query - for some reason you cant split Path and Drive in this query - also paths must not contain trailing slash
#query = "Associators of {Win32_Directory.Name='" + path + "'} WHERE AssocClass = Win32_Subdirectory ResultRole = PartComponent"
query = "Select Name,CreationDate,LastModified,LastAccessed From WIN32_Directory Where Path = \"" + path + "\""
if drive:
query += " And Drive = \"" + drive + "\""
dirlist = objWMIService.ExecQuery(query)
try:
for dir in dirlist:
dirname = support.convert_to_string(dir.Name)
outFile.write(dirname.replace(","," ") + "," + support.convertDate(dir.CreationDate) + "," + support.convertDate(dir.LastModified) + "," +
support.convertDate(dir.LastAccessed) + "\n")
except:
pass
outFile.close()
def pollReg(computerName,hostPath,username,hive,userpath,objRegistry,tmpIndicators):
configFile = support.resource_path("config\\UserRegistry.txt")
with open(configFile, "r") as keysFile:
keys = keysFile.readlines()
outFile = open(hostPath + "\USERREGISTRY-" + username + "-" + computerName + ".csv", "w")
outFile.write("reg_path,reg_key,reg_value\n")
keys = keys + tmpIndicators
for key in keys:
key = key.replace("\n","")
if not key.startswith("\\"):
key = "\\" + key
fullkey = userpath + key
if "UserAssist" in key:
result,subkeys = objRegistry.EnumKey(hDefKey=hive,sSubKeyName=fullkey)
if result == 0:
for subkey in subkeys:
result,valueNames,valueTypes = objRegistry.EnumValues(hDefKey=hive,sSubKeyName=fullkey+"\\"+subkey+"\\"+"Count")
if result == 0:
for value in valueNames:
outFile.write(key.replace(","," ") + "," + value.encode('rot13').replace(","," ") + ",USERASSIST\n")
else:
result,subkeys = objRegistry.EnumKey(hDefKey=hive,sSubKeyName=fullkey)
if result == 0:
result,valueNames,valueTypes = objRegistry.EnumValues(hDefKey=hive,sSubKeyName=fullkey)
if result == 0:
if valueTypes == None or len(valueTypes) == 0:
outFile.write(key.replace(","," ") + ",EMPTY,EMPTY\n")
else:
for x in range(0,len(valueNames)):
support.printReg(hive, valueNames[x], valueTypes[x], fullkey, outFile, objRegistry, key)
else:
outFile.write(key.replace(","," ") + ",DOES NOT EXIST,DOES NOT EXIST\n")
outFile.close()
def getFileList(computerName, objWMIService, hostPath, tmpIndicators):
print computerName + " - checking file lists"
outFile = open(hostPath + "\FILELIST-" + computerName + ".csv", "w")
outFile.write("file,created,modified,last_accessed,size\n")
configFile = support.resource_path("config\\FileList.txt")
with open(configFile, "r") as scanPathsFile:
scanPaths = scanPathsFile.readlines()
scanPaths = scanPaths + tmpIndicators
for path in scanPaths:
path = path.replace("\n", "")
if not path.strip():
continue
if "\\" != path[-1:]:
path = path + "\\"
path = path.replace("\\", "\\\\")
drivePos = path.find(":") + 1
drive = path[0:drivePos]
path = path[drivePos:]
query = "Select Name,CreationDate,LastModified,LastAccessed,FileSize From CIM_DataFile Where Path = \"" + path + "\""
if drive:
query += " And Drive = \"" + drive + "\""
filelist = objWMIService.ExecQuery(query)
for file in filelist:
filename = support.convert_to_string(file.Name)
filesize = support.convert_to_string(file.FileSize)
outFile.write(
filename.replace(",", " ") + "," +
support.convertDate(file.CreationDate) + "," +
support.convertDate(file.LastModified) + "," +
support.convertDate(file.LastAccessed) + "," + filesize + "\n")
outFile.close()
def getUserDataExists(computerName,objWMIService,objRegistry,hostPath,tmpIndicators):
print computerName + " - checking for user file existence"
outFile = open(hostPath + "\USERDATAEXISTS-" + computerName + ".csv", "w")
outFile.write("file,exists\n")
key = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList"
result,subkeys = objRegistry.EnumKey(hDefKey=_winreg.HKEY_LOCAL_MACHINE,sSubKeyName=key)
if result == 0:
userDirectories = []
for subkey in subkeys:
path = key + "\\" + subkey
value = "ProfileImagePath"
result,user_home = objRegistry.GetExpandedStringValue(hDefKey=_winreg.HKEY_LOCAL_MACHINE,sSubKeyName=path,sValueName=value)
if result == 0:
userDirectories.append(user_home.replace("\\","\\\\"))
configFile = support.resource_path("config\\UserDataExists.txt")
with open(configFile, "r") as fileListFile:
fileList = fileListFile.readlines()
fileList = fileList + tmpIndicators
for file in fileList:
file = file.replace("\n","").replace("\\","\\\\")
for dir in userDirectories:
fullPath = dir + "\\\\" + file
files = objWMIService.ExecQuery("Select * From CIM_Datafile Where Name = '" + fullPath + "'")
fullPath = fullPath.replace("\\\\","\\")
if len(files) > 0:
print computerName + " - FILE FOUND: " + fullPath
outFile.write(fullPath + ",1\n")
else:
outFile.write(fullPath + ",0\n")
outFile.close()
def getSystemRegistry(computerName, objRegistry, hostPath, tmpIndicators):
print computerName + " - checking system Registry"
configFile = support.resource_path("config\\systemRegistry.txt")
with open(configFile, "r") as keysFile:
keys = keysFile.readlines()
outFile = open(hostPath + "\SYSTEMREGISTRY-" + computerName + ".csv", "w")
outFile.write("reg_path,reg_key,reg_value\n")
keys = keys + tmpIndicators
for key in keys:
key = key.replace("\n", "")
result, subkeys = objRegistry.EnumKey(
hDefKey=_winreg.HKEY_LOCAL_MACHINE, sSubKeyName=key)
if result == 0:
subkeys.append("") #check for the key without subkeys
for subkey in subkeys:
result, valueNames, valueTypes = objRegistry.EnumValues(
hDefKey=_winreg.HKEY_LOCAL_MACHINE,
sSubKeyName=key + "\\" + subkey)
if result == 0:
if valueTypes == None or len(valueTypes) == 0:
outFile.write(
key.replace(",", " ") + "\\" +
subkey.replace(",", " ") + ",EMPTY,EMPTY\n")
else:
for x in range(0, len(valueNames)):
support.printReg(_winreg.HKEY_LOCAL_MACHINE,
valueNames[x], valueTypes[x],
key + "\\" + subkey, outFile,
objRegistry)
else:
outFile.write(
key.replace(",", " ") + ",DOES NOT EXIST,DOES NOT EXIST\n")
outFile.close()
def getFileList(computerName,objWMIService,hostPath,tmpIndicators):
print computerName + " - checking file lists"
outFile = open(hostPath + "\FILELIST-" + computerName + ".csv", "w")
outFile.write("file,created,modified,last_accessed,size\n")
configFile = support.resource_path("config\\FileList.txt")
with open(configFile, "r") as scanPathsFile:
scanPaths = scanPathsFile.readlines()
scanPaths = scanPaths + tmpIndicators
for path in scanPaths:
path = path.replace("\n","")
if not path.strip():
continue
if "\\" != path[-1:]:
path = path + "\\"
path = path.replace("\\","\\\\")
drivePos = path.find(":")+1
drive = path[0:drivePos]
path = path[drivePos:]
query = "Select Name,CreationDate,LastModified,LastAccessed,FileSize From CIM_DataFile Where Path = \"" + path + "\""
if drive:
query += " And Drive = \"" + drive + "\""
filelist = objWMIService.ExecQuery(query)
for file in filelist:
filename = support.convert_to_string(file.Name)
filesize = support.convert_to_string(file.FileSize)
outFile.write(filename.replace(","," ") + "," + support.convertDate(file.CreationDate) + "," + support.convertDate(file.LastModified) + "," +
support.convertDate(file.LastAccessed) + "," + filesize + "\n")
outFile.close()
def getDataExists(computerName, objWMIService, hostPath, tmpIndicators):
print computerName + " - checking for file existence"
configFile = support.resource_path("config\\DataExists.txt")
with open(configFile, "r") as fileListFile:
fileList = fileListFile.readlines()
outFile = open(hostPath + "\DATAEXISTS-" + computerName + ".csv", "w")
outFile.write("file,exists\n")
fileList = fileList + tmpIndicators
for f in fileList:
f = f.strip()
if len(f) > 0:
drive, path, filename, extension = breakFile(f)
query = "Select * From CIM_DataFile"
whereClause = False
requiresAnd = False
if len(filename) > 0:
if not whereClause:
query += " WHERE"
whereClause = True
elif requiresAnd:
query += " AND"
query += " FileName = \"" + filename + "\""
requiresAnd = True
if len(path) > 0:
if not whereClause:
query += " WHERE"
whereClause = True
elif requiresAnd:
query += " AND"
query += " Path = \"" + path + "\""
requiresAnd = True
if len(extension) > 0:
if not whereClause:
query += " WHERE"
whereClause = True
elif requiresAnd:
query += " AND"
query += " Extension = \"" + extension + "\""
requiresAnd = True
if len(drive) > 0:
if not whereClause:
query += " WHERE"
whereClause = True
elif requiresAnd:
query += " AND"
query += " DRIVE = \"" + drive + "\""
requiresAnd = True
colItems = objWMIService.ExecQuery(query)
if colItems != None and len(colItems) > 0:
for colItem in colItems:
print computerName + " - FILE FOUND: " + f + (
"" if f.upper() == colItem.Name.upper() else " (" +
colItem.Name + ")")
outFile.write(colItem.Name + ",1\n")
else:
outFile.write(f + ",0\n")
outFile.close()
def getDataExists(computerName,objWMIService,hostPath,tmpIndicators):
print computerName + " - checking for file existence"
configFile = support.resource_path("config\\DataExists.txt")
with open(configFile, "r") as fileListFile:
fileList = fileListFile.readlines()
outFile = open(hostPath + "\DATAEXISTS-" + computerName + ".csv", "w")
outFile.write("file,exists\n")
fileList = fileList + tmpIndicators
for f in fileList:
f = f.strip()
if len(f) > 0:
drive,path,filename,extension = breakFile(f)
query = "Select * From CIM_DataFile"
whereClause = False
requiresAnd = False
if len(filename) > 0:
if not whereClause:
query += " WHERE"
whereClause = True
elif requiresAnd:
query += " AND"
query += " FileName = \"" + filename + "\""
requiresAnd = True
if len(path) > 0:
if not whereClause:
query += " WHERE"
whereClause = True
elif requiresAnd:
query += " AND"
query += " Path = \"" + path + "\""
requiresAnd = True
if len(extension) > 0:
if not whereClause:
query += " WHERE"
whereClause = True
elif requiresAnd:
query += " AND"
query += " Extension = \"" + extension + "\""
requiresAnd = True
if len(drive) > 0:
if not whereClause:
query += " WHERE"
whereClause = True
elif requiresAnd:
query += " AND"
query += " DRIVE = \"" + drive + "\""
requiresAnd = True
colItems = objWMIService.ExecQuery(query)
if colItems != None and len(colItems) > 0:
for colItem in colItems:
print computerName + " - FILE FOUND: " + f + ("" if f.upper()==colItem.Name.upper() else " (" + colItem.Name + ")")
outFile.write(colItem.Name + ",1\n")
else:
outFile.write(f + ",0\n")
outFile.close()