def attributes(self, node): m = VMap() hinfos = self.calculatedHash[long(node.this)] hashes = self.getHashes(node) for algo in hashes: v = Variant(str(hashes[algo])) m[str(algo)] = v if len(hinfos.hsets): knownBad = [] knownGood = [] for setId in hinfos.hsets: hset = self.parent.hashSets.get(setId) if hset.knownGood: knownGood.append(hset) else: knownBad.append(hset) if len(knownBad): badList = VList() for badSet in knownBad: vname = Variant(badSet.name) badList.append(vname) m["known bad"] = badList if len(knownGood): goodList = VList() for goodSet in knownGood: vname = Variant(goodSet.name) goodList.append(vname) m["known good"] = goodList return m
def __notifyFailure(self, src, ftype, tb): e = event() e.thisown = False e.type = ftype vl = VList() vl.append(Variant(src)) vl.append(Variant(str(tb))) e.value = RCVariant(Variant(vl)) self.notify(e)
def __notifyFileProgress(self, node, percent): e = event() e.thisown = False e.type = Extract.FileProgress vl = VList() vl.append(Variant(node)) vl.append(Variant(int(percent))) e.value = RCVariant(Variant(vl)) self.notify(e)
def __notifyRename(self, src, dst): e = event() e.thisown = False e.type = Extract.RenameOccured vl = VList() vl.append(Variant(src)) vl.append(Variant(dst)) e.value = RCVariant(Variant(vl)) self.notify(e)
def _attributes(self): i = 1 attr = VMap() vlist = VList() for f in self.files: node = f.value() vlist.append(Variant(node.absolute())) attr["concatanated files (ordered)"] = Variant(vlist) return attr
def _setLoadedModules(self, attrs): dlls = VList() for m in self.eproc.get_load_modules(): name = str(m.FullDllName) or 'N/A' dll = VMap() dllattribs = VMap() dllattribs["Base"] = Variant(long(m.DllBase)) dllattribs["Size"] = Variant(long(m.SizeOfImage)) if name != "N/A": self._setImportedFunctions(name, dllattribs) dll[name] = Variant(dllattribs) dlls.append(dll) attrs["Loaded modules"] = Variant(dlls)
def _setImportedFunctions(self, name, attrs): if self.__pe and hasattr(self.__pe, "DIRECTORY_ENTRY_IMPORT"): found = False for entry in self.__pe.DIRECTORY_ENTRY_IMPORT: if name.lower().find(entry.dll.lower()) != -1: found = True break if found: funcs = VList() for imp in entry.imports: func = VMap() if imp.name: func[str(imp.name)] = Variant(imp.address) else: func[str(imp.ordinal)] = Variant(imp.address) funcs.append(func) attrs["Imported functions"] = Variant(funcs)
def start(self, args): if args.has_key("start-offset"): startoff = args["start-offset"].value() else: startoff = 0 if args.has_key("block-aligned"): aligned = True else: aligned = False patterns = VList() for mimetype in filetypes.keys(): if mimetype in args: vsubtypes = args[mimetype].value() for subtype in filetypes[mimetype].keys(): if subtype in vsubtypes: pattern = VMap() descr = filetypes[mimetype][subtype] for p in descr: header = VMap() header["needle"] = Variant(p[0], typeId.String) header["size"] = Variant(len(p[0]), typeId.UInt32) footer = VMap() footer["needle"] = Variant(p[1], typeId.String) footer["size"] = Variant(len(p[1]), typeId.UInt32) pattern["filetype"] = Variant( subtype, typeId.String) pattern["header"] = Variant(header) pattern["footer"] = Variant(footer) pattern["window"] = Variant( int(p[2]), typeId.UInt32) if aligned: pattern["aligned"] = Variant(True, typeId.Bool) else: pattern["aligned"] = Variant( False, typeId.Bool) patterns.append(pattern) margs = VMap() margs["patterns"] = Variant(patterns) margs["file"] = args["file"] margs["start-offset"] = Variant(startoff, typeId.UInt64) proc = self.tm.add("carver", margs, ["console"]) if proc: proc.event.wait()
def createContext(self, selected): lpatterns = VList() for filetype in selected.iterkeys(): patterns = selected[filetype][0] aligned = selected[filetype][1] for pattern in patterns: vpattern = VMap() vpattern["filetype"] = Variant(filetype, typeId.String) header = VMap() header["needle"] = Variant(pattern[0], typeId.String) header["size"] = Variant(len(pattern[0]), typeId.UInt32) footer = VMap() footer["needle"] = Variant(pattern[1], typeId.String) footer["size"] = Variant(len(pattern[1]), typeId.UInt32) vpattern["header"] = Variant(header) vpattern["footer"] = Variant(footer) vpattern["window"] = Variant(int(pattern[2]), typeId.UInt32) vpattern["aligned"] = Variant(aligned, typeId.Bool) lpatterns.append(vpattern) return lpatterns
def attributes(self, node): m = VMap() idx = node.uid() self.__lock.acquire() if self.__hashs.has_key(idx): hashInfo = self.__hashs[idx] hsets = hashInfo.hsets else: hsets = [] self.__lock.release() hashes = self.__getHashes(node) for algo in hashes: v = Variant(str(hashes[algo])) m[str(algo)] = v if len(hsets): knownBad = [] knownGood = [] for setId in hsets: hset = self.__parent.getHashSetFromId(setId) if hset.knownGood: knownGood.append(hset) else: knownBad.append(hset) if len(knownBad): badList = VList() for badSet in knownBad: vname = Variant(badSet.name) badList.append(vname) m["known bad"] = badList if len(knownGood): goodList = VList() for goodSet in knownGood: vname = Variant(goodSet.name) goodList.append(vname) m["known good"] = goodList return m
def __createReport(self): if len(self.__failed_files): vl = VList() for ffile in self.__failed_files: vl.append(Variant(ffile)) self.res["failed extraction for files"] = vl if len(self.__failed_folders): vl = VList() for ffolder in self.__failed_folders: vl.append(Variant(ffolder)) self.res["failed extraction for folders"] = vl if len(self.__renamed): vmap = VMap() for key in self.__renamed: vl = VList() for val in self.__renamed[key]: vl.append(Variant(val)) vmap[key] = vl self.res["renamed"] = vmap
def decode_REG_MULTI_SZ(self, data): vlist = VList() for line in unicode(data, 'UTF-16').split('\x00'): if line: vlist.append(Variant(line.encode('UTF-8'))) return vlist