Example #1
0
 def csv_recent_docs(self):
     """Extracts information about recently opened files saved location and opened date"""
     self.logger.info("Extracting recent docs")
     path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"
     hive_list = self._get_list_from_registry_key(registry_obj.HKEY_USERS,
                                                  path)
     to_csv_list = [
         ("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH",
          "ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA")
     ]
     for item in hive_list:
         if item[KEY_VALUE_STR] == "VALUE":
             if item[VALUE_NAME] != "MRUListEx":
                 values_decoded = decode_recent_docs_mru(item[VALUE_DATA])
                 for value_decoded in values_decoded:
                     to_csv_list.append(
                         (self.computer_name, "recent_docs",
                          item[VALUE_LAST_WRITE_TIME], "HKEY_USERS",
                          item[VALUE_PATH], item[VALUE_NAME],
                          item[KEY_VALUE_STR],
                          registry_obj.get_str_type(item[VALUE_TYPE]),
                          value_decoded))
     with open(
             self.output_dir + "\\" + self.computer_name + "_recent_docs" +
             self.rand_ext, "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(to_csv_list, csv_writer)
Example #2
0
    def csv_clipboard(self):
        """Exports the clipboard contents"""
        # TODO : what happens if clipboard contents is a CSV string ?
        self.logger.info('Getting clipboard contents')
        with open(self.output_dir + '\\' + self.computer_name + '_clipboard.csv', 'wb') as output:
            csv_writer = get_csv_writer(output)
            write_to_csv(["COMPUTER_NAME", "TYPE", "DATA"], csv_writer)

            r = None    #initialize the local variable r
            try:
                r = Tk()  # Using Tk instead because it supports exotic characters
                data = r.selection_get(selection='CLIPBOARD')
                r.destroy()
                write_to_csv([self.computer_name, 'clipboard', unicode(data)], csv_writer)
            except:
                if r != None:   # Verify that r exist before calling destroy
                    r.destroy()
                win32clipboard.OpenClipboard()
                clip = win32clipboard.EnumClipboardFormats(0)
                while clip:
                    try:
                        format_name = win32clipboard.GetClipboardFormatName(clip)
                    except win32api.error:
                        format_name = "?"
                    self.logger.info('format ' + unicode(clip) + ' ' + unicode(format_name))
                    if clip == 15:  # 15 seems to be a list of filenames
                        filenames = win32clipboard.GetClipboardData(clip)
                        for filename in filenames:
                            write_to_csv([self.computer_name, 'clipboard', filename], csv_writer)
                    clip = win32clipboard.EnumClipboardFormats(clip)
                win32clipboard.CloseClipboard()
        record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_clipboard.csv',
                           self.output_dir + '\\' + self.computer_name + '_sha256.log')
Example #3
0
 def _csv_open_save_mru(self, str_opensave_mru):
     """Extracts OpenSaveMRU containing information about files selected in the Open and Save view"""
     # TODO : Win XP
     self.logger.info("Extracting open save MRU")
     hive_list = self._get_list_from_registry_key(registry_obj.HKEY_USERS,
                                                  str_opensave_mru)
     to_csv_list = [
         ("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH",
          "ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA")
     ]
     for item in hive_list:
         if item[KEY_VALUE_STR] == 'VALUE':
             if item[VALUE_NAME] != "MRUListEx":
                 pidl = shell.StringAsPIDL(item[VALUE_DATA])
                 path = shell.SHGetPathFromIDList(pidl)
                 to_csv_list.append(
                     (self.computer_name, "opensaveMRU",
                      item[VALUE_LAST_WRITE_TIME], "HKEY_USERS",
                      item[VALUE_PATH], item[VALUE_NAME],
                      item[KEY_VALUE_STR],
                      registry_obj.get_str_type(item[VALUE_TYPE]), path))
     with open(
             self.output_dir + "\\" + self.computer_name + "_opensaveMRU" +
             self.rand_ext, "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(to_csv_list, csv_writer)
 def _csv_list_running_process(self, list_running):
     self.logger.info("Health : Listing running processes")
     with open(
             self.output_dir + '%s_processes' % self.computer_name +
             self.rand_ext, 'ab') as fw:
         csv_writer = get_csv_writer(fw)
         write_to_csv([
             "COMPUTER_NAME", "TYPE", "PID", "PROCESS_NAME", "COMMAND",
             "EXEC_PATH"
         ], csv_writer)
         for p in list_running:
             pid = p[0]
             name = p[1]
             cmd = p[2]
             exe_path = p[3]
             write_to_csv([
                 self.computer_name, 'processes',
                 unicode(pid), name,
                 unicode(cmd),
                 unicode(exe_path)
             ], csv_writer)
     record_sha256_logs(
         self.output_dir + self.computer_name + '_processes' +
         self.rand_ext,
         self.output_dir + self.computer_name + '_sha256.log')
Example #5
0
 def _csv_event_logs(self, is_win_xp):
     """Prints the event logs in a csv, the called method is different for WinXP and lower"""
     server = None  # name of the target computer to get event logs, None to get logs from current computer
     with open(self.output_dir + '\\' + self.computer_name + '_evts.csv', 'wb') as fw:
         csv_writer = get_csv_writer(fw)
         if is_win_xp:
             for eventCategory, sourceName, eventID, eventType, date, log in self._list_evt_xp(server, 'Security'):
                 write_to_csv([self.computer_name, 'Logs', 'Security', eventCategory, sourceName, eventID, eventType,
                               date] + log, csv_writer)
             for eventCategory, sourceName, eventID, eventType, date, log in self._list_evt_xp(server,
                                                                                               'Application'):
                 write_to_csv(
                     [self.computer_name, 'Logs', 'Application', eventCategory, sourceName, eventID, eventType,
                      date] + log, csv_writer)
             for eventCategory, sourceName, eventID, eventType, date, log in self._list_evt_xp(server, 'System'):
                 write_to_csv([self.computer_name, 'Logs', 'System', eventCategory, sourceName, eventID, eventType,
                               date] + log, csv_writer)
         else:
             # Exports everything from the event viewer
             evt_handle = win32evtlog.EvtOpenChannelEnum()
             os.mkdir(self.output_dir + r"\evt")
             while True:
                 # opening channel for enumeration
                 logtype = win32evtlog.EvtNextChannelPath(evt_handle)
                 if logtype is None:
                     break
                     # fw.write('"Computer Name"|"Type"|"Date"|"logtype"|"log data"\n')
                 self._list_evt_vista(server, logtype)
Example #6
0
 def _csv_list_drives(self, drives):
     with open(self.output_dir + '_list_drives.csv', 'wb') as fw:
         csv_writer = get_csv_writer(fw)
         write_to_csv(["COMPUTER_NAME", "TYPE", "FAB", "PARTITIONS", "DISK", "FILESYSTEM"], csv_writer)
         for phCapt, partCapt, logicalCapt, fs in drives:
             write_to_csv([self.computer_name, 'list_drives', phCapt, partCapt, logicalCapt, fs], csv_writer)
     record_sha256_logs(self.output_dir + '_list_drives.csv', self.output_dir + '_sha256.log')
Example #7
0
 def _csv_list_network_drives(self, drives):
     with open(self.output_dir + '_list_networks_drives.csv', 'wb') as fw:
         csv_writer = get_csv_writer(fw)
         write_to_csv(["COMPUTER_NAME", "TYPE", "DISK", "FILESYSTEM", "PARTITION_NAME"], csv_writer)
         for diskCapt, diskFs, diskPName in drives:
             write_to_csv([self.computer_name, 'list_networks_drives', diskCapt, diskFs, diskPName], csv_writer)
     record_sha256_logs(self.output_dir + '_list_networks_drives.csv', self.output_dir + '_sha256.log')
Example #8
0
 def _csv_list_share(self, share):
     with open(self.output_dir + '_shares.csv', 'wb') as fw:
         csv_writer = get_csv_writer(fw)
         write_to_csv(["COMPUTER_NAME", "TYPE", "SHARE_NAME", "SHARE_PATH"], csv_writer)
         for name, path in share:
             write_to_csv([self.computer_name, 'shares', name, path], csv_writer)
     record_sha256_logs(self.output_dir + '_shares.csv', self.output_dir + '_sha256.log')
Example #9
0
 def _csv_event_logs(self, is_win_xp):
     """Prints the event logs in a csv, the called method is different for WinXP and lower"""
     server = None  # name of the target computer to get event logs, None to get logs from current computer
     with open(self.output_dir + '\\' + self.computer_name + '_evts' + self.rand_ext, 'wb') as fw:
         csv_writer = get_csv_writer(fw)
         write_to_csv(['COMPUTER', 'TYPE', 'SOURCE', 'CATEGORY', 'SOURCE NAME', 'ID', 'EVENT_TYPE', 'LOG'], csv_writer)
         if is_win_xp:
             for eventCategory, sourceName, eventID, eventType, date, log in self._list_evt_xp(server, 'Security'):
                 write_to_csv([self.computer_name, 'Logs', 'Security', eventCategory, sourceName, eventID, eventType,
                               date] + log, csv_writer)
             for eventCategory, sourceName, eventID, eventType, date, log in self._list_evt_xp(server,
                                                                                               'Application'):
                 write_to_csv(
                     [self.computer_name, 'Logs', 'Application', eventCategory, sourceName, eventID, eventType,
                      date] + log, csv_writer)
             for eventCategory, sourceName, eventID, eventType, date, log in self._list_evt_xp(server, 'System'):
                 write_to_csv([self.computer_name, 'Logs', 'System', eventCategory, sourceName, eventID, eventType,
                               date] + log, csv_writer)
         else:
             # Exports everything from the event viewer
             evt_handle = win32evtlog.EvtOpenChannelEnum()
             os.mkdir(self.output_dir + r"\evt")
             while True:
                 # opening channel for enumeration
                 logtype = win32evtlog.EvtNextChannelPath(evt_handle)
                 if logtype is None:
                     break
                     # fw.write('"Computer Name"|"Type"|"Date"|"logtype"|"log data"\n')
                 self._list_evt_vista(server, logtype)
Example #10
0
    def _csv_list_scheduled_jobs(self):
        self.logger.info('Health : Listing scheduled jobs')
        file_tasks = self.output_dir + '_tasks.csv'
        with open(file_tasks, 'wb') as tasks_logs:
            proc = subprocess.Popen(["schtasks.exe", '/query', '/fo', 'CSV'], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
            res = proc.communicate()
            res = get_terminal_decoded_string(res[0])
            # clean and write the command output
            write_to_output('"TASK_NAME","NEXT_SCHEDULE","STATUS"\r\n', tasks_logs, self.logger)
            column_names = None
            for line in res.split('\r\n'):
                if line == "":
                    continue
                if line[0] != '"':
                    continue
                if not column_names:
                    column_names = line
                    continue
                elif column_names == line:
                    continue
                write_to_output(line+"\r\n", tasks_logs, self.logger)

        self.logger.info('Health : Listing scheduled jobs')
        with open(file_tasks, "r") as fr, open(self.output_dir + "_scheduled_jobs.csv", 'wb') as fw:
            csv_writer = get_csv_writer(fw)
            write_to_csv(["COMPUTER_NAME", "TYPE", "JOB_NAME", "TIME", "STATE"], csv_writer)
            for l in fr.readlines():
                l = l.decode('utf8')
                if l.find('\\') > 0:
                    l = l[:-1].replace('"', '')  # remove the end of line
                    arr_write = [self.computer_name, 'scheduled_jobs'] + l.split(',')
                    write_to_csv(arr_write, csv_writer)
        self.logger.info('Health : Listing scheduled jobs')
        record_sha256_logs(self.output_dir + '_scheduled_jobs.csv', self.output_dir + '_sha256.log')
Example #11
0
 def _csv_list_route_table(self, routes):
     with open(self.output_dir + "_routes_tables.csv", 'ab') as fw:
         csv_writer = get_csv_writer(fw)
         write_to_csv(["COMPUTER_NAME", "TYPE", "NAME", "MASK"], csv_writer)
         for ip, mask in routes:
             write_to_csv([self.computer_name, 'routes_tables', unicode(ip), unicode(mask)], csv_writer)
     record_sha256_logs(self.output_dir + '_routes_tables.csv', self.output_dir + '_sha256.log')
Example #12
0
 def csv_custom_registry_keys(self):
     """
     Extracts custom registry keys, the user specifies whether it should be recursive or not.
     The list of registry keys to extract should be comma-separated
     """
     if self.exec_custom_registry_keys:
         self.logger.info("Extracting custom registry keys")
         to_csv_list = [
             ("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
              "ATTR_TYPE", "ATTR_DATA")]
         for paths in reader([self.custom_registry_keys]):  # used as a kind of unpack
             for path in paths:
                 temp = path.split("\\")
                 hive = temp[0].upper()
                 path = "\\".join(temp[1:])
                 if hive in ("HKLM", "HKEY_LOCAL_MACHINE"):
                     self._generate_hklm_csv_list(to_csv_list, "custom_registry_key", path,
                                                  is_recursive=self.registry_recursive)
                 elif hive in ("HKU", "HKEY_USERS"):
                     self._generate_hku_csv_list(to_csv_list, "custom_registry_key", path,
                                                 is_recursive=self.registry_recursive)
                 else:  # error
                     self.logger.warn("Must specify HKLM/HKEY_LOCAL_MACHINE or HKU/HKEY_USERS as hive")
                     return
         with open(self.output_dir + "\\" + self.computer_name + "_custom_registry_keys" + self.rand_ext, "wb") as output:
             csv_writer = get_csv_writer(output)
             write_list_to_csv(to_csv_list, csv_writer)
Example #13
0
    def _csv_all_modules_dll(self):
        """Outputs all processes and their opened dll in a csv"""
        hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)

        pe32 = PROCESSENTRY32()
        pe32.dwSize = sizeof(PROCESSENTRY32)
        ret = Process32First(hProcessSnap, pointer(pe32))

        with open(
                self.output_dir + '\\' + self.computer_name +
                '_processes_dll' + self.rand_ext, 'wb') as output:
            csv_writer = get_csv_writer(output)
            write_to_csv(
                ["COMPUTER_NAME", "TYPE", "PID", "PROCESS_NAME", "MODULE"],
                csv_writer)
            while ret:
                modules = self._GetProcessModules(pe32.th32ProcessID, False)
                if len(modules) > 0:
                    process_name = modules.pop(
                        0)  # first element is the name of the process
                    for module in modules:
                        write_to_csv([
                            self.computer_name, 'processes_dll',
                            unicode(pe32.th32ProcessID), process_name, module
                        ], csv_writer)

                ret = Process32Next(hProcessSnap, pointer(pe32))
        record_sha256_logs(
            self.output_dir + '\\' + self.computer_name + '_processes_dll' +
            self.rand_ext,
            self.output_dir + '\\' + self.computer_name + '_sha256.log')
Example #14
0
 def _csv_networks_list(self, key):
     with open(os.path.join(self.output_dir,'%s_network_list_%s' % (self.computer_name, self.rand_ext)), 'wb') as output:
         csv_writer = get_csv_writer(output)
         network_list_result = self._get_network_list(key)
         arr_data = [v.values() for v in network_list_result.values()]
         arr_data.insert(0,network_list_result.values()[0].keys())
         write_list_to_csv(arr_data, csv_writer)
Example #15
0
    def csv_custom_registry_keys(self):

            with open(self.output_dir + "\\" + self.computer_name + "_custom_registry_keys" + self.rand_ext, "wb") as output:
                csv_writer = get_csv_writer(output)
                to_csv_list = self.__get_custom_registry_keys()
                if to_csv_list:
                    write_list_to_csv(to_csv_list, csv_writer)
Example #16
0
    def _csv_infos_fs(self, files):
        with open(
                self.output_dir + '\\' + self.computer_name + '_Filecatcher' +
                self.rand_ext, 'wb') as fw:
            csv_writer = get_csv_writer(fw)
            for f, mime, md5, sha1, sha256, zip_value, datem, empty in files:
                write_to_csv([
                    self.computer_name, 'Filecatcher',
                    unicode(datem),
                    unicode(f),
                    unicode(md5),
                    unicode(sha1),
                    unicode(sha256),
                    unicode(mime),
                    unicode(zip_value),
                    unicode(empty),
                    self._get_url_VT(sha256)
                ], csv_writer)
        record_sha256_logs(
            self.output_dir + '\\' + self.computer_name + '_Filecatcher' +
            self.rand_ext,
            self.output_dir + '\\' + self.computer_name + '_sha256.log')

        if self.zip_file:
            self.zip_file.close()
Example #17
0
 def _csv_hash_running_process(self, list_running):
     self.logger.info("Health : Hashing running processes")
     with open(self.output_dir + '_hash_processes' + self.rand_ext,
               'ab') as fw:
         csv_writer = get_csv_writer(fw)
         write_to_csv([
             "COMPUTER_NAME", "TYPE", "PID", "PROCESS_NAME", "EXEC_PATH",
             "MD5", "SHA1", "CTIME", "MTIME", "ATIME"
         ], csv_writer)
         for p in list_running:
             pid = p[0]
             name = p[1]
             cmd = p[2]
             exe_path = p[3]
             if exe_path:
                 ctime = datetime.datetime.fromtimestamp(
                     os.path.getctime(exe_path))
                 mtime = datetime.datetime.fromtimestamp(
                     os.path.getmtime(exe_path))
                 atime = datetime.datetime.fromtimestamp(
                     os.path.getatime(exe_path))
                 md5 = process_md5(unicode(exe_path))
                 sha1 = process_sha1(unicode(exe_path))
                 write_to_csv([
                     self.computer_name, 'processes',
                     unicode(pid), name,
                     unicode(exe_path), md5, sha1, ctime, mtime, atime
                 ], csv_writer)
     record_sha256_logs(self.output_dir + '_hash_processes' + self.rand_ext,
                        self.output_dir + '_sha256.log')
Example #18
0
 def _csv_firefox_history(self, fhistory):
     with open(self.output_dir + '\\' + self.computer_name + '_firefox_history' + self.rand_ext, 'wb') as output:
         csv_writer = get_csv_writer(output)
         for time, url, user, profile in fhistory:
             write_to_csv([self.computer_name, 'firefox_history', time, url, user, profile], csv_writer)
     record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_firefox_history' + self.rand_ext,
                        self.output_dir + '\\' + self.computer_name + '_sha256.log')
Example #19
0
 def csv_clipboard(self):
     """Exports the clipboard contents"""
     # TODO : what happens if clipboard contents is a CSV string ?
     self.logger.info('Getting clipboard contents')
     with open(self.output_dir + '\\' + self.computer_name + '_clipboard.csv', 'wb') as output:
         csv_writer = get_csv_writer(output)
         write_to_csv(["COMPUTER_NAME", "TYPE", "DATA"], csv_writer)
         try:
             r = Tk()  # Using Tk instead because it supports exotic characters
             data = r.selection_get(selection='CLIPBOARD')
             r.destroy()
             write_to_csv([self.computer_name, 'clipboard', unicode(data)], csv_writer)
         except:
             r.destroy()
             win32clipboard.OpenClipboard()
             clip = win32clipboard.EnumClipboardFormats(0)
             while clip:
                 try:
                     format_name = win32clipboard.GetClipboardFormatName(clip)
                 except win32api.error:
                     format_name = "?"
                 self.logger.info('format ' + unicode(clip) + ' ' + unicode(format_name))
                 if clip == 15:  # 15 seems to be a list of filenames
                     filenames = win32clipboard.GetClipboardData(clip)
                     for filename in filenames:
                         write_to_csv([self.computer_name, 'clipboard', filename], csv_writer)
                 clip = win32clipboard.EnumClipboardFormats(clip)
             win32clipboard.CloseClipboard()
     record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_clipboard.csv',
                        self.output_dir + '\\' + self.computer_name + '_sha256.log')
Example #20
0
    def _csv_windows_prefetch(self, wpref):
        with open(
                self.output_dir + self.computer_name + '_prefetch' +
                self.rand_ext, 'wb') as output:
            csv_writer = get_csv_writer(output)
            write_to_csv(
                ("COMPUTER_NAME", "TYPE", "FILE", "VERSION", "SIZE",
                 "EXEC_NAME", "CREATE_TIME", "MODIFICATION_TIME", "RUN_COUNT",
                 "START_TIME", "DURATION", "AVERAGE_DURATION", "DLL_LIST"),
                csv_writer)
            for pref_file, format_version, file_size, exec_name, tc, tm, run_count, hash_table_a, list_str_c in wpref:
                str_c = ''
                for s in list_str_c:
                    str_c += s.replace('\0', '') + ';'

                write_to_csv([
                    self.computer_name, 'prefetch', pref_file,
                    unicode(format_version),
                    unicode(file_size),
                    exec_name.replace('\00', ''),
                    unicode(tc),
                    unicode(tm),
                    unicode(run_count),
                    unicode(hash_table_a['start_time']),
                    unicode(hash_table_a['duration']),
                    unicode(hash_table_a['average_duration']), str_c
                ], csv_writer)
        record_sha256_logs(
            self.output_dir + self.computer_name + '_prefetch' + self.rand_ext,
            self.output_dir + self.computer_name + '_sha256.log')
Example #21
0
    def csv_shell_bags(self):
        """
        Extracts shellbags: size, view, icon and position of graphical windows
        In particular, executed graphical programs will leave a key here
        """
        self.logger.info("Extracting shell bags")
        paths = [
            r"Software\Microsoft\Windows\Shell\Bags",
            r"Software\Microsoft\Windows\Shell\BagMRU"
        ]
        paths_usrclass = [
            r"Local Settings\Software\Microsoft\Windows\Shell\Bags",
            r"Local Settings\Software\Microsoft\Windows\Shell\BagMRU"
        ]
        hive_list = []
        for path in paths:
            hive_list += self._get_list_from_registry_key(
                registry_obj.HKEY_USERS, path)
        for path in paths_usrclass:
            hive_list += self._get_list_from_registry_key(
                registry_obj.HKEY_USERS, path, is_usrclass=True)
        to_csv_list = [
            ("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH",
             "ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA")
        ]
        for item in hive_list:
            if "ItemPos" in item[VALUE_NAME]:
                try:
                    data = decode_shellbag_itempos_data(item[VALUE_DATA])
                except IndexError:
                    self.logger.error("Error in shellbag data format for " +
                                      item[VALUE_NAME])
                    data = None
                if data:
                    if item[KEY_VALUE_STR] == "VALUE":
                        for data in data:
                            for d in data:
                                to_csv_list.append(
                                    (self.computer_name, "shellbags",
                                     item[VALUE_LAST_WRITE_TIME], "HKEY_USERS",
                                     item[VALUE_PATH], item[VALUE_NAME],
                                     item[KEY_VALUE_STR],
                                     registry_obj.get_str_type(
                                         item[VALUE_TYPE]), d))
                else:
                    if item[KEY_VALUE_STR] == "VALUE":
                        to_csv_list.append(
                            (self.computer_name, "shellbags",
                             item[VALUE_LAST_WRITE_TIME], "HKEY_USERS",
                             item[VALUE_PATH], item[VALUE_NAME],
                             item[KEY_VALUE_STR],
                             registry_obj.get_str_type(item[VALUE_TYPE]),
                             item[VALUE_DATA]))

        with open(
                self.output_dir + "\\" + self.computer_name + "_shellbags" +
                self.rand_ext, "wb") as output:
            csv_writer = get_csv_writer(output)
            write_list_to_csv(to_csv_list, csv_writer)
Example #22
0
 def _csv_list_route_table(self, routes):
     self.logger.info('Health : Listing routes tables')
     with open(self.output_dir + "_routes_tables.csv", 'ab') as fw:
         csv_writer = get_csv_writer(fw)
         write_to_csv(["COMPUTER_NAME", "TYPE", "NAME", "MASK"], csv_writer)
         for ip, mask in routes:
             write_to_csv([self.computer_name, 'routes_tables', unicode(ip), unicode(mask)], csv_writer)
     record_sha256_logs(self.output_dir + '_routes_tables.csv', self.output_dir + '_sha256.log')
Example #23
0
 def _csv_list_sessions(self, sessions):
     with open(self.output_dir + '_sessions.csv', 'ab') as fw:
         csv_writer = get_csv_writer(fw)
         write_to_csv(["COMPUTER_NAME", "TYPE", "LOGON_ID", "AUTH_PACKAGE", "START_TIME", "LOGON_TYPE"], csv_writer)
         for logonID, authenticationPackage, startime, logontype in sessions:
             write_to_csv([self.computer_name, 'sessions', unicode(logonID),
                           authenticationPackage, unicode(startime.split('.')[0]), unicode(logontype)], csv_writer)
     record_sha256_logs(self.output_dir + '_sessions.csv', self.output_dir + '_sha256.log')
Example #24
0
 def _csv_list_network_drives(self, drives):
     self.logger.info("Health : Listing network drives")
     with open(self.output_dir + '_list_networks_drives.csv', 'wb') as fw:
         csv_writer = get_csv_writer(fw)
         write_to_csv(["COMPUTER_NAME", "TYPE", "DISK", "FILESYSTEM", "PARTITION_NAME"], csv_writer)
         for diskCapt, diskFs, diskPName in drives:
             write_to_csv([self.computer_name, 'list_networks_drives', diskCapt, diskFs, diskPName], csv_writer)
     record_sha256_logs(self.output_dir + '_list_networks_drives.csv', self.output_dir + '_sha256.log')
Example #25
0
 def _csv_list_drives(self, drives):
     self.logger.info("Health : Listing drives")
     with open(self.output_dir + '_list_drives.csv', 'wb') as fw:
         csv_writer = get_csv_writer(fw)
         write_to_csv(["COMPUTER_NAME", "TYPE", "FAB", "PARTITIONS", "DISK", "FILESYSTEM"], csv_writer)
         for phCapt, partCapt, logicalCapt, fs in drives:
             write_to_csv([self.computer_name, 'list_drives', phCapt, partCapt, logicalCapt, fs], csv_writer)
     record_sha256_logs(self.output_dir + '_list_drives.csv', self.output_dir + '_sha256.log')
Example #26
0
 def _csv_list_share(self, share):
     self.logger.info("Health : Listing shares")
     with open(self.output_dir + '_shares.csv', 'wb') as fw:
         csv_writer = get_csv_writer(fw)
         write_to_csv(["COMPUTER_NAME", "TYPE", "SHARE_NAME", "SHARE_PATH"], csv_writer)
         for name, path in share:
             write_to_csv([self.computer_name, 'shares', name, path], csv_writer)
     record_sha256_logs(self.output_dir + '_shares.csv', self.output_dir + '_sha256.log')
 def _csv_list_network_drives(self, drives):
     self.logger.info("Health : Listing network drives")
     with open(self.output_dir + '%s_list_networks_drives' % self.computer_name + self.rand_ext, 'wb') as fw:
         csv_writer = get_csv_writer(fw)
         write_to_csv(["COMPUTER_NAME", "TYPE", "DISK", "FILESYSTEM", "PARTITION_NAME"], csv_writer)
         for diskCapt, diskFs, diskPName in drives:
             write_to_csv([self.computer_name, 'list_networks_drives', diskCapt, diskFs, diskPName], csv_writer)
     record_sha256_logs(self.output_dir + '_list_networks_drives' + self.rand_ext, self.output_dir + '_sha256.log')
Example #28
0
 def _csv_list_route_table(self, routes):
     self.logger.info('Health : Listing routes tables')
     with open(self.output_dir + '_routes_tables' + self.rand_ext, 'ab') as fw:
         csv_writer = get_csv_writer(fw)
         write_to_csv(["COMPUTER_NAME", "TYPE", "NAME", "MASK"], csv_writer)
         for ip, mask in routes:
             write_to_csv([self.computer_name, 'routes_tables', unicode(ip), unicode(mask)], csv_writer)
     record_sha256_logs(self.output_dir + '_routes_tables' + self.rand_ext, self.output_dir + '_sha256.log')
Example #29
0
 def _csv_list_share(self, share):
     self.logger.info("Health : Listing shares")
     with open(self.output_dir + '_shares' + self.rand_ext, 'wb') as fw:
         csv_writer = get_csv_writer(fw)
         write_to_csv(["COMPUTER_NAME", "TYPE", "SHARE_NAME", "SHARE_PATH"], csv_writer)
         for name, path in share:
             write_to_csv([self.computer_name, 'shares', name, path], csv_writer)
     record_sha256_logs(self.output_dir + '_shares' + self.rand_ext, self.output_dir + '_sha256.log')
 def _csv_list_drives(self, drives):
     self.logger.info("Health : Listing drives")
     with open(self.output_dir + '%s_list_drives' % self.computer_name + self.rand_ext, 'wb') as fw:
         csv_writer = get_csv_writer(fw)
         write_to_csv(["COMPUTER_NAME", "TYPE", "FAB", "PARTITIONS", "DISK", "FILESYSTEM"], csv_writer)
         for phCapt, partCapt, logicalCapt, fs in drives:
             write_to_csv([self.computer_name, 'list_drives', phCapt, partCapt, logicalCapt, fs], csv_writer)
     record_sha256_logs(self.output_dir + '_list_drives' + self.rand_ext, self.output_dir + '_sha256.log')
Example #31
0
    def csv_custom_registry_keys(self):

        with open(self.output_dir + "\\" + self.computer_name + "_custom_registry_keys" + self.rand_ext,
                  "wb") as output:
            csv_writer = get_csv_writer(output)
            to_csv_list = self.__get_custom_registry_keys()
            if to_csv_list:
                write_list_to_csv(to_csv_list, csv_writer)
Example #32
0
 def _csv_chrome_history(self, chistory):
     with open(self.output_dir + '\\' + self.computer_name + '_chrome_history' + self.rand_ext, 'wb') as output:
         csv_writer = get_csv_writer(output)
         write_to_csv(("COMPUTER_NAME", "TYPE", "TIME", "URL", "TITLE", "USER", "PROFILE"), csv_writer)
         for time, url, title, user, profile in chistory:
             write_to_csv([self.computer_name, 'chrome_history', time, url, title, user, profile], csv_writer)
     record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_chrome_history' + self.rand_ext,
                        self.output_dir + '\\' + self.computer_name + '_sha256.log')
Example #33
0
 def _csv_list_named_pipes(self, pipes):
     with open(self.output_dir + '\\' + self.computer_name + '_named_pipes' + self.rand_ext, 'wb') as output:
         csv_writer = get_csv_writer(output)
         write_to_csv(("COMPUTER_NAME", "TYPE", "NAME"), csv_writer)
         for pipe in pipes:
             write_to_csv([self.computer_name, 'named_pipes', pipe], csv_writer)
     record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_named_pipes' + self.rand_ext,
                        self.output_dir + '\\' + self.computer_name + '_sha256.log')
Example #34
0
 def _csv_networks_list(self, key):
     with open(os.path.join(self.output_dir, '%s_network_list_%s' % (self.computer_name, self.rand_ext)),
               'wb') as output:
         csv_writer = get_csv_writer(output)
         network_list_result = self._get_network_list(key)
         arr_data = [v.values() for v in network_list_result.values()]
         arr_data.insert(0, network_list_result.values()[0].keys())
         write_list_to_csv(arr_data, csv_writer)
Example #35
0
 def _csv_list_kb(self, kbs):
     with open(self.output_dir + '_kb.csv', 'ab') as fw:
         csv_writer = get_csv_writer(fw)
         write_to_csv(["COMPUTER_NAME", "TYPE", "CAPTION", "CS_NAME", "FIX_COMMENTS", "HOTFIX_ID", "INSTALL_DATE",
                       "INSTALLED_ON", "NAME", "SERVICE_PACK", "STATUS"], csv_writer)
         for Caption, CSName, FixComments, HotFixID, InstallDate, InstalledOn, Name, ServicePackInEffect, Status in kbs:
             write_to_csv(
                 [self.computer_name, 'kb', Caption, CSName, FixComments, HotFixID, InstallDate, InstalledOn, Name,
                  ServicePackInEffect, Status], csv_writer)
Example #36
0
 def _csv_user_assist(self, count_offset, is_win7_or_further):
     """
     Extracts information from UserAssist registry key which contains information about executed programs
     The count offset is for Windows versions before 7, where it would start at 6
     """
     self.logger.info("Extracting user assist")
     path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\\UserAssist"
     count = "\Count"
     # logged on users
     users = registry_obj.RegistryKey(registry_obj.HKEY_USERS)
     hive_list = []
     for i in xrange(users.get_number_of_sub_keys()):
         user = users.get_sub_key(i)
         user_assist_key = user.get_sub_key_by_path(path)
         if user_assist_key:
             for j in xrange(user_assist_key.get_number_of_sub_keys()):
                 # getting Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\*\Count
                 path_no_sid = "\\".join(user_assist_key.get_sub_key(j).get_path().split("\\")[1:])
                 hive_list += self._get_list_from_registry_key(registry_obj.HKEY_USERS, path_no_sid + count)
     if is_win7_or_further:
         to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
                         "ATTR_TYPE", "ATTR_DATA", "DATA_SESSION", "DATA_COUNT", "DATA_FOCUS", "DATA_LAST_EXEC")]
     else:
         to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
                         "ATTR_TYPE", "ATTR_DATA", "DATA_SESSION", "DATA_COUNT", "DATA_LAST_EXEC")]
     for item in hive_list:
         if item[KEY_VALUE_STR] == "VALUE":
             str_value_name = codecs.decode(item[VALUE_NAME], "rot_13")
             str_value_datatmp = item[VALUE_DATA]
             # some data are less than 16 bytes for some reason...
             if len(str_value_datatmp) < 16:
                 to_csv_list.append((self.computer_name,
                                     "userassist",
                                     item[VALUE_LAST_WRITE_TIME],
                                     "HKEY_USERS",
                                     item[VALUE_PATH],
                                     item[VALUE_NAME],
                                     item[KEY_VALUE_STR],
                                     registry_obj.get_str_type(item[VALUE_TYPE]),
                                     str_value_name))
             else:
                 if is_win7_or_further:
                     data = csv_user_assist_value_decode_win7_and_after(str_value_datatmp, count_offset)
                 else:
                     data = csv_user_assist_value_decode_before_win7(str_value_datatmp, count_offset)
                 to_csv_list.append((self.computer_name,
                                     "user_assist",
                                     item[VALUE_LAST_WRITE_TIME],
                                     "HKEY_USERS",
                                     item[VALUE_PATH],
                                     item[VALUE_NAME],
                                     item[KEY_VALUE_STR],
                                     registry_obj.get_str_type(item[VALUE_TYPE]),
                                     str_value_name) + tuple(data))
     with open(self.output_dir + "\\" + self.computer_name + "_user_assist.csv", "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(to_csv_list, csv_writer)
Example #37
0
 def _csv_user_assist(self, count_offset, is_win7_or_further):
     """
     Extracts information from UserAssist registry key which contains information about executed programs
     The count offset is for Windows versions before 7, where it would start at 6
     """
     self.logger.info("Extracting user assist")
     path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\\UserAssist"
     count = "\Count"
     # logged on users
     users = registry_obj.RegistryKey(registry_obj.HKEY_USERS)
     hive_list = []
     for i in xrange(users.get_number_of_sub_keys()):
         user = users.get_sub_key(i)
         user_assist_key = user.get_sub_key_by_path(path)
         if user_assist_key:
             for j in xrange(user_assist_key.get_number_of_sub_keys()):
                 # getting Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\*\Count
                 path_no_sid = "\\".join(user_assist_key.get_sub_key(j).get_path().split("\\")[1:])
                 hive_list += self._get_list_from_registry_key(registry_obj.HKEY_USERS, path_no_sid + count)
     if is_win7_or_further:
         to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
                         "ATTR_TYPE", "ATTR_DATA", "DATA_SESSION", "DATA_COUNT", "DATA_FOCUS", "DATA_LAST_EXEC")]
     else:
         to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
                         "ATTR_TYPE", "ATTR_DATA", "DATA_SESSION", "DATA_COUNT", "DATA_LAST_EXEC")]
     for item in hive_list:
         if item[KEY_VALUE_STR] == "VALUE":
             str_value_name = codecs.decode(item[VALUE_NAME], "rot_13")
             str_value_datatmp = item[VALUE_DATA]
             # some data are less than 16 bytes for some reason...
             if len(str_value_datatmp) < 16:
                 to_csv_list.append((self.computer_name,
                                     "userassist",
                                     item[VALUE_LAST_WRITE_TIME],
                                     "HKEY_USERS",
                                     item[VALUE_PATH],
                                     item[VALUE_NAME],
                                     item[KEY_VALUE_STR],
                                     registry_obj.get_str_type(item[VALUE_TYPE]),
                                     str_value_name))
             else:
                 if is_win7_or_further:
                     data = csv_user_assist_value_decode_win7_and_after(str_value_datatmp, count_offset)
                 else:
                     data = csv_user_assist_value_decode_before_win7(str_value_datatmp, count_offset)
                 to_csv_list.append((self.computer_name,
                                     "user_assist",
                                     item[VALUE_LAST_WRITE_TIME],
                                     "HKEY_USERS",
                                     item[VALUE_PATH],
                                     item[VALUE_NAME],
                                     item[KEY_VALUE_STR],
                                     registry_obj.get_str_type(item[VALUE_TYPE]),
                                     str_value_name) + tuple(data))
     with open(self.output_dir + "\\" + self.computer_name + "_user_assist" + self.rand_ext, "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(to_csv_list, csv_writer)
Example #38
0
 def _csv_list_sessions(self, sessions):
     self.logger.info('Health : Listing sessions')
     with open(self.output_dir + '_sessions.csv', 'ab') as fw:
         csv_writer = get_csv_writer(fw)
         write_to_csv(["COMPUTER_NAME", "TYPE", "LOGON_ID", "AUTH_PACKAGE", "START_TIME", "LOGON_TYPE"], csv_writer)
         for logonID, authenticationPackage, startime, logontype in sessions:
             write_to_csv([self.computer_name, 'sessions', unicode(logonID),
                           authenticationPackage, unicode(startime.split('.')[0]), unicode(logontype)], csv_writer)
     record_sha256_logs(self.output_dir + '_sessions.csv', self.output_dir + '_sha256.log')
Example #39
0
 def csv_registry_services(self):
     """Extracts services"""
     path = r"System\CurrentControlSet\Services"
     to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
                     "ATTR_TYPE", "ATTR_DATA")]
     self._generate_hklm_csv_list(to_csv_list, "registry_services", path)
     with open(self.output_dir + "\\" + self.computer_name + "_registry_services.csv", "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(to_csv_list, csv_writer)
Example #40
0
    def csv_clipboard(self):
        """Exports the clipboard contents"""
        # TODO : what happens if clipboard contents is a CSV string ?

        with open(self.output_dir + '\\' + self.computer_name + '_clipboard' + self.rand_ext, 'wb') as output:
            csv_writer = get_csv_writer(output)
            write_list_to_csv(self.__get_clipboard(), csv_writer)
        record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_clipboard' + self.rand_ext,
                           self.output_dir + '\\' + self.computer_name + '_sha256.log')
Example #41
0
    def csv_startup_programs(self):
        """Extracts programs running at startup from various keys"""
        self.logger.info("Extracting startup programs")
        software = "Software"
        wow = r"\Wow6432Node"
        ts_run = (
            r"\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software"
            r"\Microsoft\Windows\CurrentVersion\Run")
        ts_run_once = (
            r"\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software"
            r"\Microsoft\Windows\CurrentVersion\RunOnce")
        paths = [
            r"\Microsoft\Windows\CurrentVersion\Run",
            r"\Microsoft\Windows\CurrentVersion\RunOnce",
            r"\Microsoft\Windows\CurrentVersion\RunOnceEx",
            r"\Microsoft\Windows\CurrentVersion\RunServices",
            r"\Microsoft\Windows\CurrentVersion\RunServicesOnce",
            r"\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", ts_run,
            ts_run_once
        ]
        to_csv_list = [
            ("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH",
             "ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA")
        ]
        for path in paths:
            full_path = software + path
            self._generate_hklm_csv_list(to_csv_list, "startup", full_path)
            full_path = software + wow + path
            self._generate_hklm_csv_list(to_csv_list, "startup", full_path)

        paths = [
            r"\Microsoft\Windows\CurrentVersion\Run",
            r"\Microsoft\Windows\CurrentVersion\RunOnce",
            r"\Microsoft\Windows\CurrentVersion\RunOnceEx",
            r"\Microsoft\Windows\CurrentVersion\RunServices",
            r"\Microsoft\Windows\CurrentVersion\RunServicesOnce",
            r"\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", ts_run,
            ts_run_once
        ]
        for path in paths:
            full_path = software + path
            self._generate_hku_csv_list(to_csv_list, "startup", full_path)
            full_path = software + wow + path
            self._generate_hku_csv_list(to_csv_list, "startup", full_path)
        if self.get_autoruns:
            to_csv_list = self._get_files_and_hashes(to_csv_list[1:])
            to_csv_list.insert(
                0, ("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE",
                    "KEY_PATH", "ATTR_NAME", "REG_TYPE", "ATTR_TYPE",
                    "ATTR_DATA", "MD5", "SHA1", "SHA256"))

        with open(
                self.output_dir + "\\" + self.computer_name + "_startup" +
                self.rand_ext, "wb") as output:
            csv_writer = get_csv_writer(output)
            write_list_to_csv(to_csv_list, csv_writer)
Example #42
0
    def _csv_all_modules_opened_files(self):

        with open(self.output_dir + '\\' + self.computer_name + '_processes_opened_files' + self.rand_ext,
                  'wb') as output:
            csv_writer = get_csv_writer(output)
            write_list_to_csv(self.__get_all_modules_opened_files(), csv_writer)


        record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_processes_opened_files' + self.rand_ext,
                           self.output_dir + '\\' + self.computer_name + '_sha256.log')
Example #43
0
 def csv_run_mru_start(self):
     """Extracts run MRU, containing the last 26 oommands executed using the RUN command"""
     self.logger.info("Extracting Run MRU")
     path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
     to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
                     "ATTR_TYPE", "ATTR_DATA")]
     self._generate_hku_csv_list(to_csv_list, "run_MRU_start", path)
     with open(self.output_dir + "\\" + self.computer_name + "_run_MRU_start" + self.rand_ext, "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(to_csv_list, csv_writer)
Example #44
0
 def csv_installer_folder(self):
     """Extracts information about folders which are created at installation"""
     self.logger.info("Extracting installer folders")
     path = r"Software\Microsoft\Windows\CurrentVersion\Installer\Folders"
     to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
                     "ATTR_TYPE", "ATTR_DATA")]
     self._generate_hklm_csv_list(to_csv_list, "installer_folder", path)
     with open(self.output_dir + "\\" + self.computer_name + "_installer_folder" + self.rand_ext, "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(to_csv_list, csv_writer)
Example #45
0
 def csv_run_mru_start(self):
     """Extracts run MRU, containing the last 26 oommands executed using the RUN command"""
     self.logger.info("Extracting Run MRU")
     path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
     to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
                     "ATTR_TYPE", "ATTR_DATA")]
     self._generate_hku_csv_list(to_csv_list, "run_MRU_start", path)
     with open(self.output_dir + "\\" + self.computer_name + "_run_MRU_start.csv", "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(to_csv_list, csv_writer)
Example #46
0
 def csv_installer_folder(self):
     """Extracts information about folders which are created at installation"""
     self.logger.info("Extracting installer folders")
     path = r"Software\Microsoft\Windows\CurrentVersion\Installer\Folders"
     to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
                     "ATTR_TYPE", "ATTR_DATA")]
     self._generate_hklm_csv_list(to_csv_list, "installer_folder", path)
     with open(self.output_dir + "\\" + self.computer_name + "_installer_folder.csv", "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(to_csv_list, csv_writer)
Example #47
0
 def csv_registry_services(self):
     """Extracts services"""
     self.logger.info("Extracting services")
     path = r"System\CurrentControlSet\Services"
     to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
                     "ATTR_TYPE", "ATTR_DATA")]
     self._generate_hklm_csv_list(to_csv_list, "registry_services", path)
     with open(self.output_dir + "\\" + self.computer_name + "_registry_services.csv", "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(to_csv_list, csv_writer)
Example #48
0
 def _csv_list_kb(self, kbs):
     self.logger.info('Health : Listing KB installed on computer')
     with open(self.output_dir + '_kb.csv', 'ab') as fw:
         csv_writer = get_csv_writer(fw)
         write_to_csv(["COMPUTER_NAME", "TYPE", "CAPTION", "CS_NAME", "FIX_COMMENTS", "HOTFIX_ID", "INSTALL_DATE",
                       "INSTALLED_ON", "NAME", "SERVICE_PACK", "STATUS"], csv_writer)
         for Caption, CSName, FixComments, HotFixID, InstallDate, InstalledOn, Name, ServicePackInEffect, Status in kbs:
             write_to_csv(
                 [self.computer_name, 'kb', Caption, CSName, FixComments, HotFixID, InstallDate, InstalledOn, Name,
                  ServicePackInEffect, Status], csv_writer)
Example #49
0
 def _csv_infos_fs(self, files):
     with open(self.output_dir + '\\' + self.computer_name + '_Filecatcher' + self.rand_ext, 'wb') as fw:
         csv_writer = get_csv_writer(fw)
         for f, mime, md5,sha1,sha256, zip_value, datem, empty in files:
             write_to_csv([self.computer_name, 'Filecatcher', unicode(datem),
                           unicode(f), unicode(md5), unicode(sha1), unicode(sha256), unicode(mime),
                           unicode(zip_value), unicode(empty), self._get_url_VT(sha256)], csv_writer)
     record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_Filecatcher' + self.rand_ext,
                        self.output_dir + '\\' + self.computer_name + '_sha256.log')
     self.zip_file.close()
Example #50
0
 def _csv_list_sockets_network(self, connections):
     with open(self.output_dir + '_sockets.csv', 'ab') as fw:
         csv_writer = get_csv_writer(fw)
         write_to_csv(["COMPUTER_NAME", "TYPE", "PID", "PROCESS_NAME", "LOCAL_ADDR", "SOURCE_PORT", "REMOTE_ADDR",
                       "REMOTE_PORT", "STATUS"], csv_writer)
         for pid, name, local_address, source_port, remote_addr, remote_port, status in connections:
             write_to_csv([self.computer_name, 'sockets', unicode(pid),
                           unicode(name), unicode(local_address), unicode(source_port),
                           unicode(remote_addr), unicode(remote_port), unicode(status)], csv_writer)
     record_sha256_logs(self.output_dir + '_sockets.csv', self.output_dir + '_sha256.log')
Example #51
0
 def _csv_list_services(self, services):
     with open(self.output_dir + '_services.csv', 'ab') as fw:
         csv_writer = get_csv_writer(fw)
         write_to_csv(["COMPUTER_NAME", "TYPE", "CAPTION", "PID", "SERVICE_TYPE", "PATH_NAME", "STATUS", "STATE",
                       "START_MODE"], csv_writer)
         for name, caption, processId, pathName, serviceType, status, state, startMode in services:
             write_to_csv([self.computer_name, 'services', caption,
                           unicode(processId), serviceType, pathName,
                           unicode(status), state, startMode], csv_writer)
     record_sha256_logs(self.output_dir + '_services.csv', self.output_dir + '_sha256.log')
Example #52
0
 def _csv_all_modules_dll(self):
     with open(
             self.output_dir + self.computer_name + '_processes_dll' +
             self.rand_ext, 'wb') as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(self.__get_all_modules_dll(), csv_writer)
     record_sha256_logs(
         self.output_dir + self.computer_name + '_processes_dll' +
         self.rand_ext,
         self.output_dir + self.computer_name + '_sha256.log')
Example #53
0
    def _csv_all_modules_opened_files(self):
        """Outputs all processes and their opened files in a csv"""
        hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)

        pe32 = PROCESSENTRY32()
        pe32.dwSize = sizeof(PROCESSENTRY32)
        ret = Process32First(hProcessSnap, pointer(pe32))

        with open(
                self.output_dir + '\\' + self.computer_name +
                '_processes_opened_files' + self.rand_ext, 'wb') as output:
            csv_writer = get_csv_writer(output)
            write_to_csv(
                ["COMPUTER_NAME", "TYPE", "PID", "PROCESS_NAME", "FILENAME"],
                csv_writer)
            while ret:
                try:
                    p = psutil.Process(pe32.th32ProcessID)
                    process_name = p.name()
                    self.logger.info('Getting opened files for : ' +
                                     process_name + '(' +
                                     unicode(pe32.th32ProcessID) + ')')
                    # We need open a subprocess because get_open_files may hang forever
                    q = Queue()
                    process = Process(target=timer_open_files, args=(
                        p,
                        q,
                    ))
                    process.start()
                    # We wait for 2 seconds
                    process.join(2)
                    if process.is_alive():
                        # If the subprocess is still alive, assume it is hanged and kill it
                        q.close()
                        process.terminate()
                    else:
                        # Otherwise, continue normal processing
                        opened_files = q.get()
                        if isinstance(opened_files, list):
                            for opened_file in opened_files:
                                write_to_csv([
                                    self.computer_name,
                                    'processes_opened_files',
                                    unicode(pe32.th32ProcessID), process_name,
                                    opened_file[0]
                                ], csv_writer)
                except psutil.AccessDenied:
                    self.logger.warn('Could not open handle for PID : ' +
                                     unicode(pe32.th32ProcessID))

                ret = Process32Next(hProcessSnap, pointer(pe32))
        record_sha256_logs(
            self.output_dir + '\\' + self.computer_name +
            '_processes_opened_files' + self.rand_ext,
            self.output_dir + '\\' + self.computer_name + '_sha256.log')
Example #54
0
 def _csv_list_sockets_network(self, connections):
     self.logger.info('Health : Listing sockets networks')
     with open(self.output_dir + '_sockets.csv', 'ab') as fw:
         csv_writer = get_csv_writer(fw)
         write_to_csv(["COMPUTER_NAME", "TYPE", "PID", "PROCESS_NAME", "LOCAL_ADDR", "SOURCE_PORT", "REMOTE_ADDR",
                       "REMOTE_PORT", "STATUS"], csv_writer)
         for pid, name, local_address, source_port, remote_addr, remote_port, status in connections:
             write_to_csv([self.computer_name, 'sockets', unicode(pid),
                           unicode(name), unicode(local_address), unicode(source_port),
                           unicode(remote_addr), unicode(remote_port), unicode(status)], csv_writer)
     record_sha256_logs(self.output_dir + '_sockets.csv', self.output_dir + '_sha256.log')
Example #55
0
 def _csv_list_services(self, services):
     self.logger.info('Health : Listing services')
     with open(self.output_dir + '_services.csv', 'ab') as fw:
         csv_writer = get_csv_writer(fw)
         write_to_csv(["COMPUTER_NAME", "TYPE", "CAPTION", "PID", "SERVICE_TYPE", "PATH_NAME", "STATUS", "STATE",
                       "START_MODE"], csv_writer)
         for name, caption, processId, pathName, serviceType, status, state, startMode in services:
             write_to_csv([self.computer_name, 'services', caption,
                           unicode(processId), serviceType, pathName,
                           unicode(status), state, startMode], csv_writer)
     record_sha256_logs(self.output_dir + '_services.csv', self.output_dir + '_sha256.log')
Example #56
0
 def _csv_list_named_pipes(self, pipes):
     with open(
             self.output_dir + '\\' + self.computer_name +
             '_named_pipes.csv', 'wb') as output:
         csv_writer = get_csv_writer(output)
         write_to_csv(("COMPUTER_NAME", "TYPE", "NAME"), csv_writer)
         for pipe in pipes:
             write_to_csv([self.computer_name, 'named_pipes', pipe],
                          csv_writer)
     record_sha256_logs(
         self.output_dir + '\\' + self.computer_name + '_named_pipes.csv',
         self.output_dir + '\\' + self.computer_name + '_sha256.log')
Example #57
0
    def csv_clipboard(self):
        """Exports the clipboard contents"""

        with open(
                self.output_dir + self.computer_name + '_clipboard' +
                self.rand_ext, 'wb') as output:
            csv_writer = get_csv_writer(output)
            write_list_to_csv(self.__get_clipboard(), csv_writer)
        record_sha256_logs(
            self.output_dir + self.computer_name + '_clipboard' +
            self.rand_ext,
            self.output_dir + self.computer_name + '_sha256.log')
Example #58
0
    def csv_shell_bags(self):
        """
        Extracts shellbags: size, view, icon and position of graphical windows
        In particular, executed graphical programs will leave a key here
        """
        self.logger.info("Extracting shell bags")
        paths = [r"Software\Microsoft\Windows\Shell\Bags",
                 r"Software\Microsoft\Windows\Shell\BagMRU"]
        paths_usrclass = [r"Local Settings\Software\Microsoft\Windows\Shell\Bags",
                          r"Local Settings\Software\Microsoft\Windows\Shell\BagMRU"]
        hive_list = []
        for path in paths:
            hive_list += self._get_list_from_registry_key(registry_obj.HKEY_USERS, path)
        for path in paths_usrclass:
            hive_list += self._get_list_from_registry_key(registry_obj.HKEY_USERS, path, is_usrclass=True)
        to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
                        "ATTR_TYPE", "ATTR_DATA")]
        for item in hive_list:
            if "ItemPos" in item[VALUE_NAME]:
                try:
                    data = decode_shellbag_itempos_data(item[VALUE_DATA])
                except IndexError:
                    self.logger.error("Error in shellbag data format for " + item[VALUE_NAME])
                    data = None
                if data:
                    if item[KEY_VALUE_STR] == "VALUE":
                        for data in data:
                            for d in data:
                                to_csv_list.append((self.computer_name,
                                                    "shellbags",
                                                    item[VALUE_LAST_WRITE_TIME],
                                                    "HKEY_USERS",
                                                    item[VALUE_PATH],
                                                    item[VALUE_NAME],
                                                    item[KEY_VALUE_STR],
                                                    registry_obj.get_str_type(item[VALUE_TYPE]),
                                                    d))
                else:
                    if item[KEY_VALUE_STR] == "VALUE":
                        to_csv_list.append((self.computer_name,
                                            "shellbags",
                                            item[VALUE_LAST_WRITE_TIME],
                                            "HKEY_USERS",
                                            item[VALUE_PATH],
                                            item[VALUE_NAME],
                                            item[KEY_VALUE_STR],
                                            registry_obj.get_str_type(item[VALUE_TYPE]),
                                            item[VALUE_DATA]))

        with open(self.output_dir + "\\" + self.computer_name + "_shellbags" + self.rand_ext, "wb") as output:
            csv_writer = get_csv_writer(output)
            write_list_to_csv(to_csv_list, csv_writer)
Example #59
0
 def csv_windows_values(self):
     """
     Extracts windows values, in particular AppInit_DLLs, where any DLL specified here will be loaded by any
     application
     """
     path = r"Software\Microsoft\Windows NT\CurrentVersion\Windows"
     to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
                     "ATTR_TYPE", "ATTR_DATA")]
     self._generate_hklm_csv_list(to_csv_list, "windows_values", path)
     self._generate_hku_csv_list(to_csv_list, "windows_values", path)
     with open(self.output_dir + "\\" + self.computer_name + "_windows_values.csv", "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(to_csv_list, csv_writer)