def get_process_started_details(io, metadata, event, extra_detail_io):
    """Fill ``event.details`` from a process-start detail record in ``io``.

    The record is consumed in the order the stream lays it out: parent PID,
    two string descriptors (command line, then current directory), the
    environment block's character count, and finally the string payloads.
    ``metadata`` and ``extra_detail_io`` are accepted for signature parity
    with the other detail handlers but are not used here.
    """
    event.details["Parent PID"] = read_u32(io)
    # Both descriptors sit in front of their payloads, so read them first.
    cmdline_desc = read_detail_string_info(io)
    cwd_desc = read_detail_string_info(io)
    env_char_count = read_u32(io)
    event.details["Command line"] = read_detail_string(io, cmdline_desc)
    event.details["Current directory"] = read_detail_string(io, cwd_desc)
    # The count is presumably in UTF-16 code units while the reader takes a
    # byte length, hence the doubling. Like every length here it comes from
    # the file being parsed, so the reader is what bounds the allocation.
    event.details["Environment"] = read_utf16_multisz(io, env_char_count * 2)
def read_registry_data(io, reg_type_name, length=0):
    """Read registry value data from ``io`` according to ``reg_type_name``.

    This is the payload Procmon shows in its Detail column. ``reg_type_name``
    is compared against the ``.name`` of the ``RegistryTypes`` members;
    ``length`` is only consulted for ``REG_BINARY`` and ``REG_MULTI_SZ``.
    Unknown type names yield an empty string.
    """
    # Lazy dispatch table: only the selected reader touches the stream.
    readers = {
        RegistryTypes.REG_DWORD.name: lambda: read_u32(io),
        RegistryTypes.REG_QWORD.name: lambda: read_u64(io),
        RegistryTypes.REG_SZ.name: lambda: read_utf16(io),
        RegistryTypes.REG_EXPAND_SZ.name: lambda: read_utf16(io),
        # NOTE(review): with the default length=0 this reads nothing; callers
        # presumably pass the extra-detail size -- verify at the call sites.
        RegistryTypes.REG_BINARY.name: lambda: io.read(length),
        RegistryTypes.REG_MULTI_SZ.name: lambda: read_utf16_multisz(io, length),
    }
    reader = readers.get(reg_type_name)
    if reader is None:
        return ''
    return reader()
def get_network_event_details(io, metadata, event, extra_detail_io):
    """Decode a network detail record from ``io`` into ``event``.

    Sets ``event.operation`` (prefixed with the protocol), ``event.path``
    (``"src:port -> dst:port"`` resolved through ``metadata``) and copies the
    trailing key/value string pairs into ``event.details``.
    ``extra_detail_io`` is not used here.
    """
    flags = read_u16(io)
    # Bit 0: source address is IPv4, bit 1: destination is IPv4, bit 2: TCP.
    src_is_v4 = bool(flags & 1)
    dst_is_v4 = bool(flags & 2)
    over_tcp = bool(flags & 4)
    proto = "TCP" if over_tcp else "UDP"
    event.operation = " ".join((proto, event.operation))
    io.seek(2, 1)  # two bytes of unknown meaning; skipped relative to here
    event.details['Length'] = read_u32(io)
    # Addresses are stored as fixed 16-byte fields regardless of IP version;
    # the IPv4 flags above tell metadata how to interpret them.
    src_addr = io.read(16)
    dst_addr = io.read(16)
    src_port = read_u16(io)
    dst_port = read_u16(io)
    src_host = metadata.hostname_idx(src_addr, src_is_v4)
    dst_host = metadata.hostname_idx(dst_addr, dst_is_v4)
    event.path = "{}:{} -> {}:{}".format(
        src_host, metadata.port_idx(src_port, over_tcp),
        dst_host, metadata.port_idx(dst_port, over_tcp))
    # Remaining strings alternate key, value; a dangling odd key is dropped.
    extras = read_utf16_multisz(io)
    for key, value in zip(extras[::2], extras[1::2]):
        event.details[key] = value