def _json_list_arp_table(self, arp):
self.logger.info('Health : Listing ARP tables')
if self.destination == 'local':
with open(
self.output_dir + '%s_arp_table' % self.computer_name +
self.rand_ext, 'wb') as fw:
json_writer = get_json_writer(fw)
to_write = [[
"COMPUTER_NAME", "TYPE", "IP", "MAC_ADDR", "STATUS"
]]
for entry in arp:
entry.replace('\xff', '')
tokens = entry.split()
entry_to_write = ''
if len(tokens) == 3:
entry_to_write = '"' + self.computer_name + '"|"arp_table"|"' + '"|"'.join(
tokens) + '"\n'
if entry_to_write.find('\.') != 1 and len(
entry_to_write) > 0:
to_write += [[self.computer_name, 'arp_table'] + tokens
]
write_list_to_json(to_write, json_writer)
record_sha256_logs(
self.output_dir + self.computer_name + '_arp_table' +
self.rand_ext,
self.output_dir + self.computer_name + '_sha256.log')
def _json_list_sockets_network(self, connections):
self.logger.info('Health : Listing sockets networks')
if self.destination == 'local':
with open(
self.output_dir + '%s_sockets' % self.computer_name +
self.rand_ext, 'ab') as fw:
json_writer = get_json_writer(fw)
to_write = [[
"COMPUTER_NAME", "TYPE", "PID", "PROCESS_NAME",
"LOCAL_ADDR", "SOURCE_PORT", "REMOTE_ADDR", "REMOTE_PORT",
"STATUS"
]]
for pid, name, local_address, source_port, remote_addr, remote_port, status in connections:
to_write += [[
self.computer_name, 'sockets',
unicode(pid),
unicode(name),
unicode(local_address),
unicode(source_port),
unicode(remote_addr),
unicode(remote_port),
unicode(status)
]]
write_list_to_json(to_write, json_writer)
record_sha256_logs(
self.output_dir + self.computer_name + '_sockets' +
self.rand_ext,
self.output_dir + self.computer_name + '_sha256.log')
def json_custom_registry_keys(self):
if self.destination == 'local':
with open(os.path.join(self.output_dir, '%s_custom_registry.json' % self.computer_name), 'wb') as output:
to_json_list = self.__get_custom_registry_keys()
if to_json_list:
json_writer = get_json_writer(output)
write_list_to_json(to_json_list, json_writer)
def json_clipboard(self):
if self.destination == 'local':
with open(
os.path.join(self.output_dir,
'%s_clipboard.json' % self.computer_name),
'wb') as output:
json_writer = get_json_writer(output)
write_list_to_json(self.__get_clipboard(), json_writer)
def _json_all_modules_dll(self):
if self.destination == 'local':
with open(
os.path.join(self.output_dir,
'%s_processes.json' % self.computer_name),
'wb') as output:
json_writer = get_json_writer(output)
write_list_to_json(self.__get_all_modules_dll(), json_writer)
def _json_list_network_adapters(self, ncs):
self.logger.info('Health : Listing network adapters')
if self.destination == 'local':
with open(
self.output_dir +
'%s_networks_cards' % self.computer_name + self.rand_ext,
'wb') as fw:
json_writer = get_json_writer(fw)
to_write = [[
"COMPUTER_NAME", "TYPE", "NETWORK_CARD", "ADAPTER_TYPE",
"DESCRIPTION", "MAC_ADDR", "PRODUCT_NAME",
"PHYSICAL_ADAPTER", "SPEED", "IPv4", "IPv6", "DHCP_SERVER",
"DNS_SERVER", "DATABASE_PATH", "NBTSTAT_VALUE"
]]
for netcard, adapter_type, description, mac_address, product_name, physical_adapter, product_name, \
speed, IPv4, IPv6, DHCP_server, DNS_server, database_path, nbtstat_value in ncs:
if netcard is None:
netcard = ' '
if adapter_type is None:
adapter_type = ' '
if description is None:
description = ' '
if mac_address is None:
mac_address = ' '
if physical_adapter is None:
physical_adapter = ' '
if product_name is None:
product_name = ' '
if speed is None:
speed = ' '
if IPv4 is None:
IPv4 = ' '
if IPv6 is None:
IPv6 = ' '
if DHCP_server is None:
DHCP_server = ' '
if DNS_server is None:
DNS_server = ' '
if database_path is None:
database_path = ' '
if nbtstat_value is None:
nbtstat_value = ' '
try:
to_write += [[
self.computer_name, 'networks_cards', netcard,
adapter_type, description, mac_address,
product_name, physical_adapter, speed, IPv4, IPv6,
DHCP_server, DNS_server, database_path,
nbtstat_value
]]
except IOError:
self.logger.error(traceback.format_exc())
write_list_to_json(to_write, json_writer)
record_sha256_logs(
self.output_dir + self.computer_name + '_networks_cards' +
self.rand_ext,
self.output_dir + self.computer_name + '_sha256.log')
def json_clipboard(self):
if self.destination == 'local':
with open(
self.output_dir + self.computer_name + '_clipboard' +
self.rand_ext, 'wb') as output:
json_writer = get_json_writer(output)
write_list_to_json(self.__get_clipboard(), json_writer)
record_sha256_logs(
self.output_dir + self.computer_name + '_clipboard' +
self.rand_ext,
self.output_dir + self.computer_name + '_sha256.log')
def _json_all_modules_dll(self):
if self.destination == 'local':
with open(
self.output_dir + self.computer_name + '_processes_dll' +
self.rand_ext, 'wb') as output:
json_writer = get_json_writer(output)
write_list_to_json(self.__get_all_modules_dll(), json_writer)
record_sha256_logs(
self.output_dir + self.computer_name + '_processes_dll' +
self.rand_ext,
self.output_dir + self.computer_name + '_sha256.log')
def _json_list_share(self, share):
self.logger.info("Health : Listing shares")
if self.destination == 'local':
with open(
self.output_dir + '%s_shares' % self.computer_name +
self.rand_ext, 'wb') as fw:
json_writer = get_json_writer(fw)
to_write = [[
"COMPUTER_NAME", "TYPE", "SHARE_NAME", "SHARE_PATH"
]]
to_write += [[self.computer_name, 'shares', name, path]
for name, path in share]
write_list_to_json(to_write, json_writer)
record_sha256_logs(
self.output_dir + self.computer_name + '_shares' +
self.rand_ext,
self.output_dir + self.computer_name + '_sha256.log')
def _json_list_route_table(self, routes):
self.logger.info('Health : Listing routes tables')
if self.destination == 'local':
with open(
self.output_dir + '%s_routes_tables' % self.computer_name +
self.rand_ext, 'ab') as fw:
json_writer = get_json_writer(fw)
to_write = [["COMPUTER_NAME", "TYPE", "NAME", "MASK"]]
to_write += [[
self.computer_name, 'routes_tables',
unicode(ip),
unicode(mask)
] for ip, mask in routes]
write_list_to_json(to_write, json_writer)
record_sha256_logs(
self.output_dir + self.computer_name + '_routes_tables' +
self.rand_ext,
self.output_dir + self.computer_name + '_sha256.log')
def _json_list_drives(self, drives):
self.logger.info("Health : Listing drives")
if self.destination == 'local':
with open(
self.output_dir + '%s_list_drives' % self.computer_name +
self.rand_ext, 'wb') as fw:
json_writer = get_json_writer(fw)
to_write = [[
"COMPUTER_NAME", "TYPE", "FAB", "PARTITIONS", "DISK",
"FILESYSTEM"
]]
to_write += [[
self.computer_name, 'list_drives', phCapt, partCapt,
logicalCapt, fs
] for phCapt, partCapt, logicalCapt, fs in drives]
write_list_to_json(to_write, json_writer)
record_sha256_logs(
self.output_dir + self.computer_name + '_list_drives' +
self.rand_ext,
self.output_dir + self.computer_name + '_sha256.log')
def _json_list_network_drives(self, drives):
self.logger.info("Health : Listing network drives")
if self.destination == 'local':
with open(
self.output_dir +
'%s_list_networks_drives' % self.computer_name +
self.rand_ext, 'wb') as fw:
json_writer = get_json_writer(fw)
to_write = [[
"COMPUTER_NAME", "TYPE", "DISK", "FILESYSTEM",
"PARTITION_NAME"
]]
to_write += [[
self.computer_name, 'list_networks_drives', diskCapt,
diskFs, diskPName
] for diskCapt, diskFs, diskPName in drives]
write_list_to_json(to_write, json_writer)
record_sha256_logs(
self.output_dir + self.computer_name +
'_list_networks_drives' + self.rand_ext,
self.output_dir + self.computer_name + '_sha256.log')
def _json_list_kb(self, kbs):
self.logger.info('Health : Listing KB installed on computer')
if self.destination == 'local':
with open(
self.output_dir + '%s_kb' % self.computer_name +
self.rand_ext, 'ab') as fw:
json_writer = get_json_writer(fw)
to_write = [[
"COMPUTER_NAME", "TYPE", "CAPTION", "CS_NAME",
"FIX_COMMENTS", "HOTFIX_ID", "INSTALL_DATE",
"INSTALLED_ON", "NAME", "SERVICE_PACK", "STATUS"
]]
for Caption, CSName, FixComments, HotFixID, InstallDate, InstalledOn, Name, ServicePackInEffect, Status in kbs:
to_write += [[
self.computer_name, 'kb', Caption, CSName, FixComments,
HotFixID, InstallDate, InstalledOn, Name,
ServicePackInEffect, Status
]]
write_list_to_json(to_write, json_writer)
record_sha256_logs(
self.output_dir + self.computer_name + '_kb' + self.rand_ext,
self.output_dir + self.computer_name + '_sha256.log')
def _json_list_services(self, services):
self.logger.info('Health : Listing services')
if self.destination == 'local':
with open(
self.output_dir + '%s_services' % self.computer_name +
self.rand_ext, 'ab') as fw:
json_writer = get_json_writer(fw)
to_write = [[
"COMPUTER_NAME", "TYPE", "CAPTION", "PID", "SERVICE_TYPE",
"PATH_NAME", "STATUS", "STATE", "START_MODE"
]]
for name, caption, processId, pathName, serviceType, status, state, startMode in services:
to_write += [[
self.computer_name, 'services', caption,
unicode(processId), serviceType, pathName,
unicode(status), state, startMode
]]
write_list_to_json(to_write, json_writer)
record_sha256_logs(
self.output_dir + self.computer_name + '_services' +
self.rand_ext,
self.output_dir + self.computer_name + '_sha256.log')
def _json_list_running_process(self, list_running):
self.logger.info("Health : Listing running processes")
if self.destination == 'local':
with open(
self.output_dir + '%s_processes' % self.computer_name +
self.rand_ext, 'ab') as fw:
json_writer = get_json_writer(fw)
to_write = [[
"COMPUTER_NAME", "TYPE", "PID", "PROCESS_NAME", "COMMAND",
"EXEC_PATH"
]]
to_write += [[
self.computer_name, 'processes',
unicode(p[0]), p[1],
unicode(p[2]),
unicode(p[3])
] for p in list_running]
write_list_to_json(to_write, json_writer)
record_sha256_logs(
self.output_dir + self.computer_name + '_processes' +
self.rand_ext,
self.output_dir + self.computer_name + '_sha256.log')
def _json_hash_running_process(self, list_running):
self.logger.info("Health : Hashing running processes")
if self.destination == 'local':
with open(
self.output_dir +
'%s_hash_processes' % self.computer_name + self.rand_ext,
'ab') as fw:
json_writer = get_json_writer(fw)
to_write = [[
"COMPUTER_NAME", "TYPE", "PID", "PROCESS_NAME",
"EXEC_PATH", "MD5", "SHA1", "CTIME", "MTIME", "ATIME"
]]
for p in list_running:
pid = p[0]
name = p[1]
# cmd = p[2]
exe_path = p[3]
if exe_path and os.path.isfile(exe_path):
ctime = datetime.datetime.fromtimestamp(
os.path.getctime(exe_path))
mtime = datetime.datetime.fromtimestamp(
os.path.getmtime(exe_path))
atime = datetime.datetime.fromtimestamp(
os.path.getatime(exe_path))
md5 = process_md5(unicode(exe_path))
sha1 = process_sha1(unicode(exe_path))
to_write += [[
self.computer_name, 'hash processes',
unicode(pid), name,
unicode(exe_path), md5, sha1, ctime, mtime, atime
]]
write_list_to_json(to_write, json_writer)
record_sha256_logs(
self.output_dir + self.computer_name + '_hash_processes' +
self.rand_ext,
self.output_dir + self.computer_name + '_sha256.log')
def _json_list_sessions(self, sessions):
self.logger.info('Health : Listing sessions')
if self.destination == 'local':
with open(
self.output_dir + '%s_sessions' % self.computer_name +
self.rand_ext, 'ab') as fw:
json_writer = get_json_writer(fw)
to_write = [[
"COMPUTER_NAME", "TYPE", "LOGON_ID", "AUTH_PACKAGE",
"START_TIME", "LOGON_TYPE"
]]
to_write += [[
self.computer_name, 'sessions',
unicode(logonID), authenticationPackage,
unicode(startime.split('.')[0]),
unicode(logontype)
] for logonID, authenticationPackage, startime, logontype in
sessions]
write_list_to_json(to_write, json_writer)
record_sha256_logs(
self.output_dir + self.computer_name + '_sessions' +
self.rand_ext,
self.output_dir + self.computer_name + '_sha256.log')
def json_clipboard(self):
if self.destination == 'local':
with open(os.path.join(self.output_dir, '%s_clipboard.json' % self.computer_name), 'wb') as output:
json_writer = get_json_writer(output)
write_list_to_json(self.__get_clipboard(), json_writer)
def json_run_mru_start(self):
if self.destination == 'local':
with open(os.path.join(self.output_dir, '%s_run_mru_start.json' % self.computer_name), 'wb') as output:
json_writer = get_json_writer(output)
write_list_to_json(self.__get_run_mru_start(), json_writer)
def json_usb_history(self):
if self.destination == 'local':
with open(os.path.join(self.output_dir, '%s_USBHistory.json' % self.computer_name), "wb") as output:
json_writer = get_json_writer(output)
write_list_to_json(self.__get_usb_history(), json_writer)
def json_windows_value(self):
if self.destination == 'local':
with open(os.path.join(self.output_dir, '%s_windows_value.json' % self.computer_name), 'wb') as output:
json_writer = get_json_writer(output)
write_list_to_json(self.__get_windows_values(), json_writer)
def json_installed_components(self):
if self.destination == 'local':
with open(os.path.join(self.output_dir, '%s_installed_components.json' % self.computer_name),
'wb') as ouput:
json_writer = get_json_writer(ouput)
write_list_to_json(self.__get_installed_components(), json_writer)
def json_shell_bags(self):
if self.destination == 'local':
with open(os.path.join(self.output_dir, '%s_shellbag.json' % self.computer_name), "wb") as output:
json_writer = get_json_writer(output)
write_list_to_json(self.__get_shell_bags(), json_writer)
def json_registry_services(self):
if self.destination == 'local':
with open(os.path.join(self.output_dir, '%s_registry_services.json' % self.computer_name), 'wb') as output:
json_writer = get_json_writer(output)
write_list_to_json(self.__get_registry_services(), json_writer)
def _json_powerpoint_mru(self, str_powerpoint_mru):
if self.destination == 'local':
with open(os.path.join(self.output_dir, '%s_powerpointMRU.json' % self.computer_name), 'wb') as output:
json_writer = get_json_writer(output)
write_list_to_json(self.__get_powerpoint_mru(str_powerpoint_mru), json_writer)
def _json_user_assist(self, count_offset, is_win7_or_further):
if self.destination == 'local':
with open(os.path.join(self.output_dir, '%s_user_asist.json' % self.computer_name), 'wb') as output:
json_writer = get_json_writer(output)
write_list_to_json(self.__get_user_assist(count_offset, is_win7_or_further), json_writer)
def _json_all_modules_opened_files(self):
if self.destination == 'local':
with open(os.path.join(self.output_dir,'%s_processes_opened_files.json' % self.computer_name),'wb') as output:
json_writer = get_json_writer(output)
write_list_to_json(self.__get_all_modules_opened_files(), json_writer)
