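def getSystemRegistry(computerName, objRegistry, hostPath, tmpIndicators):
    """Dump the values under each configured HKLM key to a CSV report.

    Key paths are read from ``config\\systemRegistry.txt`` (one per line) and
    extended with ``tmpIndicators``.  For every key, its own values and the
    values of each direct subkey are written through ``support.printReg`` to
    ``<hostPath>\\SYSTEMREGISTRY-<computerName>.csv`` (columns
    ``reg_path,reg_key,reg_value``).  A key that cannot be enumerated is
    recorded as ``DOES NOT EXIST``, a (sub)key without values as ``EMPTY``.
    Commas inside key names are replaced by spaces; no CSV quoting is done.

    Args:
        computerName: host label used in console output and the file name.
        objRegistry: StdRegProv-style object exposing ``EnumKey`` and
            ``EnumValues`` (both return a result code first, 0 on success).
        hostPath: directory in which the CSV is created.
        tmpIndicators: extra key paths appended to the configured list.
    """
    print(computerName + " - checking system Registry")
    configFile = support.resource_path("config\\systemRegistry.txt")
    with open(configFile, "r") as keysFile:
        keys = keysFile.readlines()
    keys = keys + tmpIndicators
    # Written as "\\S..." on purpose: "\S" only worked because Python 2 leaves
    # unknown escapes untouched.
    outPath = hostPath + "\\SYSTEMREGISTRY-" + computerName + ".csv"
    # The context manager closes the report even when a registry call raises.
    with open(outPath, "w") as outFile:
        outFile.write("reg_path,reg_key,reg_value\n")
        for key in keys:
            key = key.replace("\n", "")
            if not key.strip():
                # A blank config line would otherwise enumerate the HKLM root.
                continue
            csvKey = key.replace(",", " ")
            result, subkeys = objRegistry.EnumKey(
                hDefKey=_winreg.HKEY_LOCAL_MACHINE, sSubKeyName=key)
            if result != 0:
                outFile.write(csvKey + ",DOES NOT EXIST,DOES NOT EXIST\n")
                continue
            # "" stands for the key itself so its own values are reported
            # alongside those of its direct subkeys; EnumKey may hand back
            # None when there are no subkeys.
            subkeys = list(subkeys or [])
            subkeys.append("")
            for subkey in subkeys:
                subPath = key + "\\" + subkey
                result, valueNames, valueTypes = objRegistry.EnumValues(
                    hDefKey=_winreg.HKEY_LOCAL_MACHINE, sSubKeyName=subPath)
                if result != 0:
                    continue
                if valueTypes is None or len(valueTypes) == 0:
                    outFile.write(csvKey + "\\" + subkey.replace(",", " ")
                                  + ",EMPTY,EMPTY\n")
                else:
                    for valueName, valueType in zip(valueNames, valueTypes):
                        support.printReg(_winreg.HKEY_LOCAL_MACHINE, valueName,
                                         valueType, subPath, outFile, objRegistry)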
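def pollReg(computerName, hostPath, username, hive, userpath, objRegistry, tmpIndicators):
    """Dump configured per-user registry keys of one user hive to a CSV report.

    Key paths are read from ``config\\UserRegistry.txt`` plus ``tmpIndicators``
    and resolved as ``userpath + key`` inside ``hive``.  Rows go to
    ``<hostPath>\\USERREGISTRY-<username>-<computerName>.csv`` (columns
    ``reg_path,reg_key,reg_value``).  Keys whose path contains ``UserAssist``
    are treated specially: the value names under each ``<subkey>\\Count`` are
    ROT13-decoded and written with the marker ``USERASSIST``; a missing
    UserAssist key produces no row.  Any other key is written through
    ``support.printReg``, or as ``EMPTY`` / ``DOES NOT EXIST``.

    Args:
        computerName: host label used in the output file name.
        hostPath: directory in which the CSV is created.
        username: user label used in the output file name.
        hive: registry hive handle passed as ``hDefKey``.
        userpath: key prefix under ``hive`` that every configured key is
            appended to (a leading backslash is added to the key if missing).
        objRegistry: StdRegProv-style object exposing ``EnumKey`` and
            ``EnumValues`` (result code first, 0 on success).
        tmpIndicators: extra key paths appended to the configured list.
    """
    configFile = support.resource_path("config\\UserRegistry.txt")
    with open(configFile, "r") as keysFile:
        keys = keysFile.readlines()
    keys = keys + tmpIndicators
    # "\\U..." rather than "\U...": the latter is only valid in Python 2 byte
    # strings, where unknown escapes are kept verbatim.
    outPath = hostPath + "\\USERREGISTRY-" + username + "-" + computerName + ".csv"
    with open(outPath, "w") as outFile:
        outFile.write("reg_path,reg_key,reg_value\n")
        for key in keys:
            key = key.replace("\n", "")
            if not key.strip():
                # A blank line would otherwise enumerate the user's root key.
                continue
            if not key.startswith("\\"):
                key = "\\" + key
            fullkey = userpath + key
            csvKey = key.replace(",", " ")
            if "UserAssist" in key:
                result, subkeys = objRegistry.EnumKey(hDefKey=hive, sSubKeyName=fullkey)
                if result != 0:
                    continue
                for subkey in subkeys:
                    countKey = fullkey + "\\" + subkey + "\\Count"
                    result, valueNames, valueTypes = objRegistry.EnumValues(
                        hDefKey=hive, sSubKeyName=countKey)
                    if result != 0:
                        continue
                    for value in valueNames:
                        # UserAssist value names are stored ROT13-obfuscated.
                        outFile.write(csvKey + "," + value.encode('rot13').replace(",", " ")
                                      + ",USERASSIST\n")
                continue
            result, subkeys = objRegistry.EnumKey(hDefKey=hive, sSubKeyName=fullkey)
            if result != 0:
                outFile.write(csvKey + ",DOES NOT EXIST,DOES NOT EXIST\n")
                continue
            result, valueNames, valueTypes = objRegistry.EnumValues(
                hDefKey=hive, sSubKeyName=fullkey)
            if result != 0:
                continue
            if valueTypes is None or len(valueTypes) == 0:
                outFile.write(csvKey + ",EMPTY,EMPTY\n")
            else:
                for valueName, valueType in zip(valueNames, valueTypes):
                    support.printReg(hive, valueName, valueType, fullkey,
                                     outFile, objRegistry, key)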
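def getDirectoryList(computerName, objWMIService, hostPath, tmpIndicators):
    """List the subdirectories of each configured directory via WMI.

    Paths are read from ``config\\DirectoryList.txt`` plus ``tmpIndicators``.
    Each one is split into drive and path, queried against
    ``WIN32_Directory`` on ``Path`` (and ``Drive`` when present), and every
    match is written to ``<hostPath>\\DIRECTORYLIST-<computerName>.csv`` as
    ``directory,created,modified,last_accessed``.  A failing enumeration is
    reported on the console and the path is skipped.

    Args:
        computerName: host label used in console output and the file name.
        objWMIService: connected WMI service object exposing ``ExecQuery``.
        hostPath: directory in which the CSV is created.
        tmpIndicators: extra directory paths appended to the configured list.
    """
    print(computerName + " - enumerating directory lists")
    configFile = support.resource_path("config\\DirectoryList.txt")
    with open(configFile, "r") as scanPathsFile:
        scanPaths = scanPathsFile.readlines()
    scanPaths = scanPaths + tmpIndicators
    # "\\D..." rather than "\D...": only Python 2 keeps that unknown escape.
    outPath = hostPath + "\\DIRECTORYLIST-" + computerName + ".csv"
    with open(outPath, "w") as outFile:
        outFile.write("directory,created,modified,last_accessed\n")
        for path in scanPaths:
            path = path.replace("\n", "")
            if not path.strip():
                continue
            if not path.endswith("\\"):
                path = path + "\\"
            # WQL string literals need every backslash doubled.
            path = path.replace("\\", "\\\\")
            drivePos = path.find(":") + 1
            drive = path[0:drivePos]
            path = path[drivePos:]
            # Drive and Path are filtered separately.  The Associators-of
            # Win32_Subdirectory form was abandoned: it needs the drive inside
            # Name and rejects a trailing slash.
            query = ("Select Name,CreationDate,LastModified,LastAccessed From WIN32_Directory"
                     " Where Path = \"" + path + "\"")
            if drive:
                query += " And Drive = \"" + drive + "\""
            # NOTE(review): the entry is interpolated into WQL unescaped; an
            # entry containing a double quote yields a malformed query.
            dirlist = objWMIService.ExecQuery(query)
            try:
                for entry in dirlist:
                    dirname = support.convert_to_string(entry.Name)
                    outFile.write(dirname.replace(",", " ") + ","
                                  + support.convertDate(entry.CreationDate) + ","
                                  + support.convertDate(entry.LastModified) + ","
                                  + support.convertDate(entry.LastAccessed) + "\n")
            except Exception as err:
                # Best effort as before, but the failure is no longer silent and
                # KeyboardInterrupt is no longer swallowed.
                print(computerName + " - directory query failed for " + path + ": " + str(err))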
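def getDirectoryList(computerName, objWMIService, hostPath, tmpIndicators):
    """List the subdirectories of each configured directory via WMI.

    Paths are read from ``config\\DirectoryList.txt`` plus ``tmpIndicators``.
    Each one is split into drive and path, queried against
    ``WIN32_Directory`` on ``Path`` (and ``Drive`` when present), and every
    match is written to ``<hostPath>\\DIRECTORYLIST-<computerName>.csv`` as
    ``directory,created,modified,last_accessed``.  A failing enumeration is
    reported on the console and the path is skipped.

    Args:
        computerName: host label used in console output and the file name.
        objWMIService: connected WMI service object exposing ``ExecQuery``.
        hostPath: directory in which the CSV is created.
        tmpIndicators: extra directory paths appended to the configured list.
    """
    print(computerName + " - enumerating directory lists")
    configFile = support.resource_path("config\\DirectoryList.txt")
    with open(configFile, "r") as scanPathsFile:
        scanPaths = scanPathsFile.readlines()
    scanPaths = scanPaths + tmpIndicators
    # "\\D..." rather than "\D...": only Python 2 keeps that unknown escape.
    outPath = hostPath + "\\DIRECTORYLIST-" + computerName + ".csv"
    with open(outPath, "w") as outFile:
        outFile.write("directory,created,modified,last_accessed\n")
        for path in scanPaths:
            path = path.replace("\n", "")
            if not path.strip():
                continue
            if not path.endswith("\\"):
                path = path + "\\"
            # WQL string literals need every backslash doubled.
            path = path.replace("\\", "\\\\")
            drivePos = path.find(":") + 1
            drive = path[0:drivePos]
            path = path[drivePos:]
            # Drive and Path are filtered separately.  The Associators-of
            # Win32_Subdirectory form was abandoned: it needs the drive inside
            # Name and rejects a trailing slash.
            query = ("Select Name,CreationDate,LastModified,LastAccessed From WIN32_Directory"
                     " Where Path = \"" + path + "\"")
            if drive:
                query += " And Drive = \"" + drive + "\""
            # NOTE(review): the entry is interpolated into WQL unescaped; an
            # entry containing a double quote yields a malformed query.
            dirlist = objWMIService.ExecQuery(query)
            try:
                for entry in dirlist:
                    dirname = support.convert_to_string(entry.Name)
                    outFile.write(dirname.replace(",", " ") + ","
                                  + support.convertDate(entry.CreationDate) + ","
                                  + support.convertDate(entry.LastModified) + ","
                                  + support.convertDate(entry.LastAccessed) + "\n")
            except Exception as err:
                # Best effort as before, but the failure is no longer silent and
                # KeyboardInterrupt is no longer swallowed.
                print(computerName + " - directory query failed for " + path + ": " + str(err))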
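def pollReg(computerName, hostPath, username, hive, userpath, objRegistry, tmpIndicators):
    """Dump configured per-user registry keys of one user hive to a CSV report.

    Key paths are read from ``config\\UserRegistry.txt`` plus ``tmpIndicators``
    and resolved as ``userpath + key`` inside ``hive``.  Rows go to
    ``<hostPath>\\USERREGISTRY-<username>-<computerName>.csv`` (columns
    ``reg_path,reg_key,reg_value``).  Keys whose path contains ``UserAssist``
    are treated specially: the value names under each ``<subkey>\\Count`` are
    ROT13-decoded and written with the marker ``USERASSIST``; a missing
    UserAssist key produces no row.  Any other key is written through
    ``support.printReg``, or as ``EMPTY`` / ``DOES NOT EXIST``.

    Args:
        computerName: host label used in the output file name.
        hostPath: directory in which the CSV is created.
        username: user label used in the output file name.
        hive: registry hive handle passed as ``hDefKey``.
        userpath: key prefix under ``hive`` that every configured key is
            appended to (a leading backslash is added to the key if missing).
        objRegistry: StdRegProv-style object exposing ``EnumKey`` and
            ``EnumValues`` (result code first, 0 on success).
        tmpIndicators: extra key paths appended to the configured list.
    """
    configFile = support.resource_path("config\\UserRegistry.txt")
    with open(configFile, "r") as keysFile:
        keys = keysFile.readlines()
    keys = keys + tmpIndicators
    # "\\U..." rather than "\U...": the latter is only valid in Python 2 byte
    # strings, where unknown escapes are kept verbatim.
    outPath = hostPath + "\\USERREGISTRY-" + username + "-" + computerName + ".csv"
    with open(outPath, "w") as outFile:
        outFile.write("reg_path,reg_key,reg_value\n")
        for key in keys:
            key = key.replace("\n", "")
            if not key.strip():
                # A blank line would otherwise enumerate the user's root key.
                continue
            if not key.startswith("\\"):
                key = "\\" + key
            fullkey = userpath + key
            csvKey = key.replace(",", " ")
            if "UserAssist" in key:
                result, subkeys = objRegistry.EnumKey(hDefKey=hive, sSubKeyName=fullkey)
                if result != 0:
                    continue
                for subkey in subkeys:
                    countKey = fullkey + "\\" + subkey + "\\Count"
                    result, valueNames, valueTypes = objRegistry.EnumValues(
                        hDefKey=hive, sSubKeyName=countKey)
                    if result != 0:
                        continue
                    for value in valueNames:
                        # UserAssist value names are stored ROT13-obfuscated.
                        outFile.write(csvKey + "," + value.encode('rot13').replace(",", " ")
                                      + ",USERASSIST\n")
                continue
            result, subkeys = objRegistry.EnumKey(hDefKey=hive, sSubKeyName=fullkey)
            if result != 0:
                outFile.write(csvKey + ",DOES NOT EXIST,DOES NOT EXIST\n")
                continue
            result, valueNames, valueTypes = objRegistry.EnumValues(
                hDefKey=hive, sSubKeyName=fullkey)
            if result != 0:
                continue
            if valueTypes is None or len(valueTypes) == 0:
                outFile.write(csvKey + ",EMPTY,EMPTY\n")
            else:
                for valueName, valueType in zip(valueNames, valueTypes):
                    support.printReg(hive, valueName, valueType, fullkey,
                                     outFile, objRegistry, key)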
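def getFileList(computerName, objWMIService, hostPath, tmpIndicators):
    """List the files directly inside each configured directory via WMI.

    Paths are read from ``config\\FileList.txt`` plus ``tmpIndicators``.  Each
    one is split into drive and path, queried against ``CIM_DataFile`` on
    ``Path`` (and ``Drive`` when present), and every match is written to
    ``<hostPath>\\FILELIST-<computerName>.csv`` as
    ``file,created,modified,last_accessed,size``.  Commas in file names are
    replaced by spaces; no CSV quoting is done.

    Args:
        computerName: host label used in console output and the file name.
        objWMIService: connected WMI service object exposing ``ExecQuery``.
        hostPath: directory in which the CSV is created.
        tmpIndicators: extra directory paths appended to the configured list.
    """
    print(computerName + " - checking file lists")
    configFile = support.resource_path("config\\FileList.txt")
    with open(configFile, "r") as scanPathsFile:
        scanPaths = scanPathsFile.readlines()
    scanPaths = scanPaths + tmpIndicators
    # "\\F..." rather than "\F...": only Python 2 keeps that unknown escape.
    outPath = hostPath + "\\FILELIST-" + computerName + ".csv"
    # The context manager closes the report even when a WMI call raises.
    with open(outPath, "w") as outFile:
        outFile.write("file,created,modified,last_accessed,size\n")
        for path in scanPaths:
            path = path.replace("\n", "")
            if not path.strip():
                continue
            if not path.endswith("\\"):
                path = path + "\\"
            # WQL string literals need every backslash doubled.
            path = path.replace("\\", "\\\\")
            drivePos = path.find(":") + 1
            drive = path[0:drivePos]
            path = path[drivePos:]
            query = ("Select Name,CreationDate,LastModified,LastAccessed,FileSize From CIM_DataFile"
                     " Where Path = \"" + path + "\"")
            if drive:
                query += " And Drive = \"" + drive + "\""
            # NOTE(review): the entry is interpolated into WQL unescaped; an
            # entry containing a double quote yields a malformed query.
            filelist = objWMIService.ExecQuery(query)
            for entry in filelist:
                filename = support.convert_to_string(entry.Name)
                filesize = support.convert_to_string(entry.FileSize)
                outFile.write(filename.replace(",", " ") + ","
                              + support.convertDate(entry.CreationDate) + ","
                              + support.convertDate(entry.LastModified) + ","
                              + support.convertDate(entry.LastAccessed) + ","
                              + filesize + "\n")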
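def getUserDataExists(computerName, objWMIService, objRegistry, hostPath, tmpIndicators):
    """Check whether configured files exist under every user profile directory.

    Profile directories are taken from the ``ProfileImagePath`` value of each
    subkey of ``HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList``.
    Each relative file name from ``config\\UserDataExists.txt`` plus
    ``tmpIndicators`` is joined to each profile directory and looked up with a
    ``CIM_Datafile`` query on ``Name``; the result goes to
    ``<hostPath>\\USERDATAEXISTS-<computerName>.csv`` as ``file,exists``
    (``1`` found, ``0`` not found).  If the ProfileList key cannot be
    enumerated, only the header is written.

    Args:
        computerName: host label used in console output and the file name.
        objWMIService: connected WMI service object exposing ``ExecQuery``.
        objRegistry: StdRegProv-style object exposing ``EnumKey`` and
            ``GetExpandedStringValue`` (result code first, 0 on success).
        hostPath: directory in which the CSV is created.
        tmpIndicators: extra relative file names appended to the configured list.
    """
    print(computerName + " - checking for user file existence")
    profileListKey = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList"
    # Always bound: the original only created this list when EnumKey
    # succeeded and then hit a NameError in the lookup loop otherwise.
    userDirectories = []
    result, subkeys = objRegistry.EnumKey(
        hDefKey=_winreg.HKEY_LOCAL_MACHINE, sSubKeyName=profileListKey)
    if result == 0:
        for subkey in subkeys:
            result, userHome = objRegistry.GetExpandedStringValue(
                hDefKey=_winreg.HKEY_LOCAL_MACHINE,
                sSubKeyName=profileListKey + "\\" + subkey,
                sValueName="ProfileImagePath")
            if result == 0:
                # Backslashes are doubled up front so the value can go into WQL.
                userDirectories.append(userHome.replace("\\", "\\\\"))
    configFile = support.resource_path("config\\UserDataExists.txt")
    with open(configFile, "r") as fileListFile:
        fileList = fileListFile.readlines()
    fileList = fileList + tmpIndicators
    # "\\U..." rather than "\U...": only Python 2 byte strings keep that escape.
    outPath = hostPath + "\\USERDATAEXISTS-" + computerName + ".csv"
    with open(outPath, "w") as outFile:
        outFile.write("file,exists\n")
        for entry in fileList:
            entry = entry.replace("\n", "")
            if not entry.strip():
                continue
            entry = entry.replace("\\", "\\\\")
            for userDir in userDirectories:
                wqlPath = userDir + "\\\\" + entry
                # NOTE(review): the path is interpolated into WQL unescaped; a
                # single quote in a profile path or entry breaks the query.
                files = objWMIService.ExecQuery(
                    "Select * From CIM_Datafile Where Name = '" + wqlPath + "'")
                # Undo the WQL doubling for the human-readable report.
                displayPath = wqlPath.replace("\\\\", "\\")
                if len(files) > 0:
                    print(computerName + " - FILE FOUND: " + displayPath)
                    outFile.write(displayPath + ",1\n")
                else:
                    outFile.write(displayPath + ",0\n")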
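def getSystemRegistry(computerName, objRegistry, hostPath, tmpIndicators):
    """Dump the values under each configured HKLM key to a CSV report.

    Key paths are read from ``config\\systemRegistry.txt`` (one per line) and
    extended with ``tmpIndicators``.  For every key, its own values and the
    values of each direct subkey are written through ``support.printReg`` to
    ``<hostPath>\\SYSTEMREGISTRY-<computerName>.csv`` (columns
    ``reg_path,reg_key,reg_value``).  A key that cannot be enumerated is
    recorded as ``DOES NOT EXIST``, a (sub)key without values as ``EMPTY``.
    Commas inside key names are replaced by spaces; no CSV quoting is done.

    Args:
        computerName: host label used in console output and the file name.
        objRegistry: StdRegProv-style object exposing ``EnumKey`` and
            ``EnumValues`` (both return a result code first, 0 on success).
        hostPath: directory in which the CSV is created.
        tmpIndicators: extra key paths appended to the configured list.
    """
    print(computerName + " - checking system Registry")
    configFile = support.resource_path("config\\systemRegistry.txt")
    with open(configFile, "r") as keysFile:
        keys = keysFile.readlines()
    keys = keys + tmpIndicators
    # Written as "\\S..." on purpose: "\S" only worked because Python 2 leaves
    # unknown escapes untouched.
    outPath = hostPath + "\\SYSTEMREGISTRY-" + computerName + ".csv"
    # The context manager closes the report even when a registry call raises.
    with open(outPath, "w") as outFile:
        outFile.write("reg_path,reg_key,reg_value\n")
        for key in keys:
            key = key.replace("\n", "")
            if not key.strip():
                # A blank config line would otherwise enumerate the HKLM root.
                continue
            csvKey = key.replace(",", " ")
            result, subkeys = objRegistry.EnumKey(
                hDefKey=_winreg.HKEY_LOCAL_MACHINE, sSubKeyName=key)
            if result != 0:
                outFile.write(csvKey + ",DOES NOT EXIST,DOES NOT EXIST\n")
                continue
            # "" stands for the key itself so its own values are reported
            # alongside those of its direct subkeys; EnumKey may hand back
            # None when there are no subkeys.
            subkeys = list(subkeys or [])
            subkeys.append("")
            for subkey in subkeys:
                subPath = key + "\\" + subkey
                result, valueNames, valueTypes = objRegistry.EnumValues(
                    hDefKey=_winreg.HKEY_LOCAL_MACHINE, sSubKeyName=subPath)
                if result != 0:
                    continue
                if valueTypes is None or len(valueTypes) == 0:
                    outFile.write(csvKey + "\\" + subkey.replace(",", " ")
                                  + ",EMPTY,EMPTY\n")
                else:
                    for valueName, valueType in zip(valueNames, valueTypes):
                        support.printReg(_winreg.HKEY_LOCAL_MACHINE, valueName,
                                         valueType, subPath, outFile, objRegistry)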
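def getFileList(computerName, objWMIService, hostPath, tmpIndicators):
    """List the files directly inside each configured directory via WMI.

    Paths are read from ``config\\FileList.txt`` plus ``tmpIndicators``.  Each
    one is split into drive and path, queried against ``CIM_DataFile`` on
    ``Path`` (and ``Drive`` when present), and every match is written to
    ``<hostPath>\\FILELIST-<computerName>.csv`` as
    ``file,created,modified,last_accessed,size``.  Commas in file names are
    replaced by spaces; no CSV quoting is done.

    Args:
        computerName: host label used in console output and the file name.
        objWMIService: connected WMI service object exposing ``ExecQuery``.
        hostPath: directory in which the CSV is created.
        tmpIndicators: extra directory paths appended to the configured list.
    """
    print(computerName + " - checking file lists")
    configFile = support.resource_path("config\\FileList.txt")
    with open(configFile, "r") as scanPathsFile:
        scanPaths = scanPathsFile.readlines()
    scanPaths = scanPaths + tmpIndicators
    # "\\F..." rather than "\F...": only Python 2 keeps that unknown escape.
    outPath = hostPath + "\\FILELIST-" + computerName + ".csv"
    # The context manager closes the report even when a WMI call raises.
    with open(outPath, "w") as outFile:
        outFile.write("file,created,modified,last_accessed,size\n")
        for path in scanPaths:
            path = path.replace("\n", "")
            if not path.strip():
                continue
            if not path.endswith("\\"):
                path = path + "\\"
            # WQL string literals need every backslash doubled.
            path = path.replace("\\", "\\\\")
            drivePos = path.find(":") + 1
            drive = path[0:drivePos]
            path = path[drivePos:]
            query = ("Select Name,CreationDate,LastModified,LastAccessed,FileSize From CIM_DataFile"
                     " Where Path = \"" + path + "\"")
            if drive:
                query += " And Drive = \"" + drive + "\""
            # NOTE(review): the entry is interpolated into WQL unescaped; an
            # entry containing a double quote yields a malformed query.
            filelist = objWMIService.ExecQuery(query)
            for entry in filelist:
                filename = support.convert_to_string(entry.Name)
                filesize = support.convert_to_string(entry.FileSize)
                outFile.write(filename.replace(",", " ") + ","
                              + support.convertDate(entry.CreationDate) + ","
                              + support.convertDate(entry.LastModified) + ","
                              + support.convertDate(entry.LastAccessed) + ","
                              + filesize + "\n")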
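def getDataExists(computerName, objWMIService, hostPath, tmpIndicators):
    """Check whether each configured file path exists via a CIM_DataFile query.

    Entries are read from ``config\\DataExists.txt`` plus ``tmpIndicators``.
    Each is split by ``breakFile`` into drive, path, file name and extension;
    only the non-empty parts become ``WHERE`` conditions, so an entry without
    a drive or path may match several files.  Rows are written to
    ``<hostPath>\\DATAEXISTS-<computerName>.csv`` as ``file,exists``: one
    ``<matched name>,1`` row per hit, or ``<entry>,0`` when nothing matched.
    Hits are also printed, with the on-disk name in parentheses when it
    differs from the entry (case-insensitively).

    Args:
        computerName: host label used in console output and the file name.
        objWMIService: connected WMI service object exposing ``ExecQuery``.
        hostPath: directory in which the CSV is created.
        tmpIndicators: extra file paths appended to the configured list.
    """
    print(computerName + " - checking for file existence")
    configFile = support.resource_path("config\\DataExists.txt")
    with open(configFile, "r") as fileListFile:
        fileList = fileListFile.readlines()
    fileList = fileList + tmpIndicators
    # "\\D..." rather than "\D...": only Python 2 keeps that unknown escape.
    outPath = hostPath + "\\DATAEXISTS-" + computerName + ".csv"
    # The context manager closes the report even when a WMI call raises.
    with open(outPath, "w") as outFile:
        outFile.write("file,exists\n")
        for entry in fileList:
            entry = entry.strip()
            if not entry:
                continue
            drive, path, filename, extension = breakFile(entry)
            # Same columns, same order as before (FileName, Path, Extension,
            # DRIVE); the WHERE/AND bookkeeping is replaced by a join.
            conditions = []
            for column, value in (("FileName", filename), ("Path", path),
                                  ("Extension", extension), ("DRIVE", drive)):
                if len(value) > 0:
                    conditions.append(column + " = \"" + value + "\"")
            query = "Select * From CIM_DataFile"
            if conditions:
                query += " WHERE " + " AND ".join(conditions)
            # NOTE(review): the entry is interpolated into WQL unescaped; an
            # entry containing a double quote yields a malformed query.
            colItems = objWMIService.ExecQuery(query)
            if colItems is not None and len(colItems) > 0:
                for colItem in colItems:
                    suffix = ("" if entry.upper() == colItem.Name.upper()
                              else " (" + colItem.Name + ")")
                    print(computerName + " - FILE FOUND: " + entry + suffix)
                    outFile.write(colItem.Name + ",1\n")
            else:
                outFile.write(entry + ",0\n")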
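def getDataExists(computerName, objWMIService, hostPath, tmpIndicators):
    """Check whether each configured file path exists via a CIM_DataFile query.

    Entries are read from ``config\\DataExists.txt`` plus ``tmpIndicators``.
    Each is split by ``breakFile`` into drive, path, file name and extension;
    only the non-empty parts become ``WHERE`` conditions, so an entry without
    a drive or path may match several files.  Rows are written to
    ``<hostPath>\\DATAEXISTS-<computerName>.csv`` as ``file,exists``: one
    ``<matched name>,1`` row per hit, or ``<entry>,0`` when nothing matched.
    Hits are also printed, with the on-disk name in parentheses when it
    differs from the entry (case-insensitively).

    Args:
        computerName: host label used in console output and the file name.
        objWMIService: connected WMI service object exposing ``ExecQuery``.
        hostPath: directory in which the CSV is created.
        tmpIndicators: extra file paths appended to the configured list.
    """
    print(computerName + " - checking for file existence")
    configFile = support.resource_path("config\\DataExists.txt")
    with open(configFile, "r") as fileListFile:
        fileList = fileListFile.readlines()
    fileList = fileList + tmpIndicators
    # "\\D..." rather than "\D...": only Python 2 keeps that unknown escape.
    outPath = hostPath + "\\DATAEXISTS-" + computerName + ".csv"
    # The context manager closes the report even when a WMI call raises.
    with open(outPath, "w") as outFile:
        outFile.write("file,exists\n")
        for entry in fileList:
            entry = entry.strip()
            if not entry:
                continue
            drive, path, filename, extension = breakFile(entry)
            # Same columns, same order as before (FileName, Path, Extension,
            # DRIVE); the WHERE/AND bookkeeping is replaced by a join.
            conditions = []
            for column, value in (("FileName", filename), ("Path", path),
                                  ("Extension", extension), ("DRIVE", drive)):
                if len(value) > 0:
                    conditions.append(column + " = \"" + value + "\"")
            query = "Select * From CIM_DataFile"
            if conditions:
                query += " WHERE " + " AND ".join(conditions)
            # NOTE(review): the entry is interpolated into WQL unescaped; an
            # entry containing a double quote yields a malformed query.
            colItems = objWMIService.ExecQuery(query)
            if colItems is not None and len(colItems) > 0:
                for colItem in colItems:
                    suffix = ("" if entry.upper() == colItem.Name.upper()
                              else " (" + colItem.Name + ")")
                    print(computerName + " - FILE FOUND: " + entry + suffix)
                    outFile.write(colItem.Name + ",1\n")
            else:
                outFile.write(entry + ",0\n")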