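def register_listener(callback_func=print_event):
    """
    Subscribe to the Sysmon operational channel and call ``callback_func``
    for every event written from now on. Never returns on its own.

    The subscription uses ``EvtSubscribeToFutureEvents`` with the catch-all
    query ``*``: records already in the log when the listener starts are
    not delivered, so anything that happened before this process came up is
    a detection gap unless it is collected separately (e.g. with
    get_last_days_history). Reading ``Microsoft-Windows-Sysmon/Operational``
    normally requires administrative rights or membership in the
    "Event Log Readers" group; EvtSubscribe raises pywintypes.error
    (access denied) otherwise.

    :param callback_func: callable receiving one EVT_HANDLE per event. An
        exception raised by the callback propagates and stops the listener,
        so a callback that must survive malformed records has to handle its
        own errors.
    :raises pywintypes.error: if the channel cannot be subscribed to, or if
        EvtNext fails for a reason other than "nothing pending".
    """
    # Same distribution as win32evtlog (pywin32); imported here so the
    # module's import block does not have to change.
    import pywintypes

    query_text = "*"
    channel_path = "Microsoft-Windows-Sysmon/Operational"
    # Auto-reset, initially unsignalled event; the log service signals it
    # when new records are queued for the subscription.
    h_evt = win32event.CreateEvent(None, 0, 0, None)

    h_sub = win32evtlog.EvtSubscribe(channel_path,
                                     win32evtlog.EvtSubscribeToFutureEvents,
                                     SignalEvent=h_evt,
                                     Query=query_text)
    print("开始监听可疑事件")
    while True:
        # Drain whatever is already queued before blocking: the subscription
        # is live as soon as EvtSubscribe returns.
        while True:
            try:
                events = win32evtlog.EvtNext(h_sub, 10)
            except pywintypes.error as err:
                # pywin32 builds without mhammond/pywin32#1648 raise instead
                # of returning an empty tuple when a pull subscription has
                # nothing pending: ERROR_NO_MORE_ITEMS (259) or
                # ERROR_INVALID_OPERATION (4317, "The operation identifier
                # is not valid"). Anything else is a real failure and must
                # not be silently treated as "no events".
                if err.winerror not in (259, 4317):
                    raise
                break
            if not events:
                break
            for event in events:
                callback_func(event)
        # Block in alertable 2-second slices until the service signals.
        while True:
            w = win32event.WaitForSingleObjectEx(h_evt, 2000, True)
            if w == win32con.WAIT_OBJECT_0:
                break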
 def listen(self, honeypot_configuration):
     """
     Block forever on the ``self.log_type`` channel and raise an alert for
     every event that matches one of the configured honeypots.

     The subscription starts at the oldest record, so on start-up the whole
     existing log is replayed through the honeypot matcher before live
     events are handled; expect a burst of possibly stale alerts on restart.
     Each record is rendered to XML and parsed with xmltodict; ``EventID``
     comes back as a plain string, or as a dict with the value under
     ``#text`` when the element carries attributes (e.g. ``Qualifiers``).

     :param honeypot_configuration: passed through unchanged to
         ``self.__identify_honeypot``.
     :raises pywintypes.error: from EvtSubscribe if the channel cannot be
         read (unknown channel or insufficient rights).
     """
     signal = win32event.CreateEvent(None, 0, 0, None)
     subscription = win32evtlog.EvtSubscribe(
         self.log_type,
         win32evtlog.EvtSubscribeStartAtOldestRecord,
         SignalEvent=signal,
         Query=self.query_text)

     def event_id_of(parsed):
         # xmltodict yields a dict for an element with attributes and a
         # bare string otherwise.
         node = parsed['Event']['System']['EventID']
         return node if isinstance(node, str) else node['#text']

     while True:
         # Consume everything already queued before waiting for a signal.
         while True:
             batch = win32evtlog.EvtNext(subscription, 10)
             if not batch:
                 break
             for evt in batch:
                 xml = win32evtlog.EvtRender(
                     evt, win32evtlog.EvtRenderEventXml)
                 parsed = xmltodict.parse(xml)
                 event_id = event_id_of(parsed)
                 honeypot = self.__identify_honeypot(
                     event_id, xml, honeypot_configuration)
                 if honeypot is not None:
                     self.__alert(parsed, event_id, honeypot)
         # Heartbeat every 10 s; leave the wait only when signalled.
         while True:
             print("Waiting " + self.log_type)
             w = win32event.WaitForSingleObjectEx(signal, 10000, True)
             if w == win32con.WAIT_OBJECT_0:
                 break
    def poll_events(self):
        """
        Generator yielding event handles from ``self._subscription`` until
        the subscription goes quiet.

        Each outer pass drains whatever EvtNext has queued (up to
        ``self.config.payload_size`` handles per call) and then waits up to
        ``self.config.timeout`` ms on ``self._event_handle``; any wait
        result other than WAIT_OBJECT_0 ends the generator, so one call is
        one check run rather than an endless listener.

        EvtNext may raise pywintypes.error instead of returning an empty
        tuple when nothing is pending (pywin32 without
        https://github.com/mhammond/pywin32/pull/1648); the error is handed
        to ``self.log_windows_error`` and treated as "queue empty".
        """
        while True:
            # The subscription is live from the moment it was created, so
            # drain first; waiting first would miss the initial batch.
            while True:
                try:
                    batch = win32evtlog.EvtNext(self._subscription,
                                                self.config.payload_size)
                except pywintypes.error as err:
                    # "EvtNext: The operation identifier is not valid" is
                    # what an empty queue looks like on older pywin32.
                    self.log_windows_error(err)
                    break
                if not batch:
                    break
                yield from batch

            # https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-waitforsingleobjectex
            signalled = win32event.WaitForSingleObjectEx(
                self._event_handle, self.config.timeout, True)
            if signalled != win32con.WAIT_OBJECT_0:
                # Timed out (or abandoned/failed): nothing more this run.
                return
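def _last_days_query(days):
    """
    Return the event-log XPath selecting records created within the last
    ``days`` days, or ``"*"`` (everything) when ``days`` is None or <= 0.

    ``timediff(@SystemTime)`` is the Windows event-log XPath extension that
    yields a record's age in milliseconds; it is the expression Event
    Viewer itself emits for its "Last N days" filters.
    """
    if days is None or days <= 0:
        return "*"
    window_ms = int(days * 24 * 60 * 60 * 1000)
    return "*[System[TimeCreated[timediff(@SystemTime) <= {}]]]".format(
        window_ms)


def get_last_days_history(days, callback_func=print_event):
    """
    Replay the Sysmon operational log for the last ``days`` days, newest
    first, calling ``callback_func`` on each event handle.

    Two fixes relative to the previous version: ``days`` is now applied to
    the query (it used to be ignored, returning the entire log), and
    ``callback_func`` is honoured instead of always calling print_event.

    :param days: look-back window in days (number); None or <= 0 means
        the whole log.
    :param callback_func: callable receiving one EVT_HANDLE per event.
    :raises pywintypes.error: if the channel cannot be opened — typically
        access denied, since reading the Sysmon channel needs admin rights
        or "Event Log Readers" membership.

    Progress is printed every 1000 events and "done" at the end.

    The log is deliberately not cleared after reading. Clearing an event
    log from a collector destroys forensic evidence and is itself an
    audited, high-signal action (Security 1102 / System 104). The earlier
    attempt to call ClearEventLog on this handle also crashed with an
    access violation, most likely because an EvtQuery result is not the
    legacy log handle that API expects.
    """
    count = 0

    print("Get last " + str(days) + " days history...")

    path = "Microsoft-Windows-Sysmon/Operational"
    handle = win32evtlog.EvtQuery(
        path,
        win32evtlog.EvtQueryReverseDirection,  # newest records first
        _last_days_query(days),
    )

    while True:
        events = win32evtlog.EvtNext(handle, 10)
        if not events:
            print("done")
            break
        for event in events:
            count += 1
            callback_func(event)
            if count % 1000 == 0:
                print(count)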
    def poll_events(self):
        """
        Yield pending event handles from ``self._subscription`` for one
        check run.

        Drains the subscription queue in chunks of ``self._payload_size``,
        then waits up to ``self._timeout`` ms on ``self._event_handle`` for
        the log service to signal more events. When the wait returns
        anything but WAIT_OBJECT_0 (timeout, abandoned, failure) the
        generator finishes.

        A pywintypes.error from EvtNext is reported through
        ``self.log_windows_error`` and treated as an empty queue: pywin32
        versions without mhammond/pywin32#1648 raise "The operation
        identifier is not valid" when a pull subscription has nothing to
        read.
        """
        def drain():
            # Pull until EvtNext returns nothing (or raises on an empty
            # queue). The subscription is already live, so this runs before
            # the first wait as well.
            while True:
                try:
                    chunk = win32evtlog.EvtNext(self._subscription,
                                                self._payload_size)
                except pywintypes.error as err:
                    self.log_windows_error(err)
                    return
                if not chunk:
                    return
                for handle in chunk:
                    yield handle

        signalled = win32con.WAIT_OBJECT_0
        while signalled == win32con.WAIT_OBJECT_0:
            yield from drain()
            # https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-waitforsingleobjectex
            signalled = win32event.WaitForSingleObjectEx(
                self._event_handle, self._timeout, True)
def subscribe_and_yield_events(channel, query="*"):
    """
    Generator: subscribe to ``channel`` and yield a parsed LogEvent for
    every *future* record matching ``query`` (XPath or structured XML).

    Records already in the log when the subscription is created are not
    delivered (EvtSubscribeToFutureEvents). Each record is rendered to XML
    and wrapped in ``LogEvent`` tagged with the current OS; records that
    fail to parse are reported on stdout and skipped rather than aborting
    the stream. The generator never terminates on its own.

    :param channel: event channel path, e.g. "Security".
    :param query: event filter; the default "*" matches everything.
    :raises pywintypes.error: from EvtSubscribe if the channel cannot be
        read (unknown channel or insufficient rights).
    """
    signal = win32event.CreateEvent(None, 0, 0, None)
    subscription = win32evtlog.EvtSubscribe(channel,
                                            win32evtlog.EvtSubscribeToFutureEvents,
                                            SignalEvent=signal,
                                            Query=query)

    while True:
        # Drain the queue first; the subscription is live from creation.
        batch = win32evtlog.EvtNext(subscription, 10)
        while batch:
            for handle in batch:
                raw_xml = win32evtlog.EvtRender(handle,
                                                win32evtlog.EvtRenderEventXml)
                # detect_current_os() is evaluated per record, as before;
                # hoist it only if profiling shows it matters.
                parsed = LogEvent(raw_xml, source_os=detect_current_os())
                if parsed.is_valid():
                    yield parsed
                else:
                    print("[ERROR] Parsing error")
            batch = win32evtlog.EvtNext(subscription, 10)

        # Short (200 ms) alertable waits until the service signals new data.
        while win32event.WaitForSingleObjectEx(signal, 200, True) != win32con.WAIT_OBJECT_0:
            pass
def get_events_xmls(channel_name="Microsoft-Windows-PrintService/Operational",
                    events_batch_num=100,
                    backwards=True):
    """
    Return every record of ``channel_name`` rendered as an XML string.

    :param channel_name: live channel path to read (EvtQueryChannelPath).
    :param events_batch_num: handles fetched per EvtNext call.
    :param backwards: True returns newest records first
        (EvtQueryReverseDirection); False returns oldest first.
    :returns: list of XML strings, possibly empty.

    If the channel cannot be opened, the pywintypes.error is printed to
    stdout and an empty list is returned — callers cannot tell "no events"
    from "no access" here. Note that the PrintService operational channel
    is disabled by default on most Windows builds, so an empty result may
    simply mean logging was never enabled.
    """
    direction = win32evtlog.EvtQueryReverseDirection if backwards else 0
    flags = win32evtlog.EvtQueryChannelPath | direction
    try:
        results = win32evtlog.EvtQuery(channel_name, flags, None, None)
    except pywintypes.error as err:
        print(err)
        return []

    def fetch():
        # Blocking fetch of the next batch; empty when the query is exhausted.
        return win32evtlog.EvtNext(results, events_batch_num, INFINITE, 0)

    rendered = []
    batch = fetch()
    while batch:
        rendered.extend(
            win32evtlog.EvtRender(handle, win32evtlog.EvtRenderEventXml)
            for handle in batch)
        batch = fetch()
    return rendered
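def load_log_data(log_file, batch_size=100):
    """
    Load every record from an exported ``.evtx`` file and return them as a
    list of XML strings (EvtRender with EvtRenderEventXml).

    Useful for offline forensics: ``EvtQueryFilePath`` opens the file
    directly, so no live channel, subscription or event-log service access
    is needed — only read permission on the file. No direction flag is
    given, so records come back in the file's default (presumably
    oldest-first) order.

    :param log_file: path to the .evtx file.
    :param batch_size: handles requested per EvtNext call. The default
        fetches 100 at a time instead of the former 1, which cost one API
        round-trip per record on large logs; the returned list is the same.
    :returns: list of XML strings; empty if the file has no records.
    :raises pywintypes.error: if the file cannot be opened or is not a
        valid event-log file.
    """
    query_handle = win32evtlog.EvtQuery(log_file, win32evtlog.EvtQueryFilePath)
    xml_list = []
    while True:
        events = win32evtlog.EvtNext(query_handle, batch_size)
        # Empty result means the query is exhausted.
        if not events:
            break
        xml_list.extend(
            win32evtlog.EvtRender(event, win32evtlog.EvtRenderEventXml)
            for event in events)
    return xml_list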
## Demonstrates how to create a "pull" subscription
import win32evtlog, win32event, win32con
# Pull subscription: the service signals an event object and this script
# calls EvtNext itself (as opposed to a push subscription with a callback).
# The query keeps only Winlogon-provider records from the System log; the
# service does the filtering, nothing else is delivered.
query_text = '*[System[Provider[@Name="Microsoft-Windows-Winlogon"]]]'

# Auto-reset event, signalled by the log service when records are queued.
h = win32event.CreateEvent(None, 0, 0, None)
# Starting at the oldest record replays the whole existing history before
# live events arrive — fine for a demo, noisy for a monitor.
s = win32evtlog.EvtSubscribe('System',
                             win32evtlog.EvtSubscribeStartAtOldestRecord,
                             SignalEvent=h,
                             Query=query_text)

while True:
    # Drain the queue first; it may already be non-empty.
    batch = win32evtlog.EvtNext(s, 10)
    while batch:
        # To inspect a record: win32evtlog.EvtRender(ev, win32evtlog.EvtRenderEventXml)
        print('retrieved %s events' % len(batch))
        batch = win32evtlog.EvtNext(s, 10)
    # Wait in 2-second alertable slices until the service signals.
    while True:
        print('waiting...')
        if win32event.WaitForSingleObjectEx(h, 2000, True) == win32con.WAIT_OBJECT_0:
            break
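# Event-level values from the System section, as printed by main().
_LEVEL_NAMES = {
    1: 'CRITICAL',
    2: 'ERROR',
    3: 'WARNING',
    4: 'INFO',
    5: 'VERBOSE',
}


def main():
    """
    Print the first ``num_events`` records of an event channel.

    Usage: ``script [channel [count]]`` — ``channel`` defaults to "System",
    ``count`` to 5 (a non-integer count raises ValueError). For each record
    the level, creation time, computer name and provider are printed from
    the System section, followed by the formatted message when the
    provider's message resources are available.

    Message rendering is best-effort: EvtOpenPublisherMetadata fails for
    providers not registered on this machine (e.g. records exported from
    another host) and EvtFormatMessage fails when the message id is missing
    from the provider's table; both cases simply omit the message line.
    Formatted messages can also contain characters (e.g. U+200E) that the
    console encoding cannot represent — previously that crashed the whole
    dump with UnicodeEncodeError; now the repr is printed instead.
    """
    path = 'System'
    num_events = 5
    if len(sys.argv) > 2:
        path = sys.argv[1]
        num_events = int(sys.argv[2])
    elif len(sys.argv) > 1:
        path = sys.argv[1]

    query = win32evtlog.EvtQuery(path, win32evtlog.EvtQueryForwardDirection)
    events = win32evtlog.EvtNext(query, num_events)
    # A System render context exposes the fixed System-section fields,
    # indexed by the EvtSystem* constants.
    context = win32evtlog.EvtCreateRenderContext(
        win32evtlog.EvtRenderContextSystem)

    for i, event in enumerate(events, 1):
        result = win32evtlog.EvtRender(event,
                                       win32evtlog.EvtRenderEventValues,
                                       Context=context)

        print('Event {}'.format(i))

        # Each field is a (value, variant_type) pair; a Null variant means
        # the field is absent from this record.
        level_value, level_variant = result[win32evtlog.EvtSystemLevel]
        if level_variant != win32evtlog.EvtVarTypeNull:
            print('    Level: {}'.format(
                _LEVEL_NAMES.get(level_value, 'UNKNOWN')))

        time_created_value, time_created_variant = result[
            win32evtlog.EvtSystemTimeCreated]
        if time_created_variant != win32evtlog.EvtVarTypeNull:
            print('    Timestamp: {}'.format(time_created_value.isoformat()))

        computer_value, computer_variant = result[
            win32evtlog.EvtSystemComputer]
        if computer_variant != win32evtlog.EvtVarTypeNull:
            print('    FQDN: {}'.format(computer_value))

        provider_name_value, provider_name_variant = result[
            win32evtlog.EvtSystemProviderName]
        if provider_name_variant == win32evtlog.EvtVarTypeNull:
            continue
        print('    Provider: {}'.format(provider_name_value))

        try:
            metadata = win32evtlog.EvtOpenPublisherMetadata(
                provider_name_value)
        # pywintypes.error: (2, 'EvtOpenPublisherMetadata', 'The system cannot find the file specified.')
        except Exception:
            continue  # best-effort: provider not registered here

        try:
            message = win32evtlog.EvtFormatMessage(
                metadata, event, win32evtlog.EvtFormatMessageEvent)
        # pywintypes.error: (15027, 'EvtFormatMessage: allocated 0, need buffer of size 0', 'The message resource is present but the message was not found in the message table.')
        except Exception:
            continue  # best-effort: message id not in the provider's table

        try:
            print('    Message: {}'.format(message))
        except UnicodeEncodeError:
            # The console encoding cannot represent part of the message
            # (observed when run under subprocess.Popen()); show the
            # escaped form rather than aborting the remaining records.
            print(' Failed to decode:', repr(message))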
def main():
    """
    Dump the first N records of an event channel to stdout.

    Command line: ``[channel [count]]``; defaults are the "System" channel
    and 5 records (``count`` must parse as an int). Prints Level,
    Timestamp, FQDN and Provider from the event's System section — fields
    whose variant is Null are skipped — and, when the provider's metadata
    and message table are available, the formatted message.

    Metadata/message lookup failures are swallowed on purpose: logs
    exported from other hosts routinely lack the provider (error 2), and
    some providers lack the message id (error 15027). A message the console
    encoding cannot print is shown as its repr instead of aborting.
    """
    argv = sys.argv
    path = argv[1] if len(argv) > 1 else "System"
    num_events = int(argv[2]) if len(argv) > 2 else 5

    level_names = {1: "CRITICAL", 2: "ERROR", 3: "WARNING",
                   4: "INFO", 5: "VERBOSE"}

    def present(values, key):
        # Rendered values are (value, variant_type) pairs; a Null variant
        # means the field is absent from this record.
        value, variant = values[key]
        return variant != win32evtlog.EvtVarTypeNull, value

    def formatted_message(event, provider):
        # Best-effort: either call can raise pywintypes.error
        # (2: provider not registered here; 15027: message id missing).
        try:
            metadata = win32evtlog.EvtOpenPublisherMetadata(provider)
            return win32evtlog.EvtFormatMessage(
                metadata, event, win32evtlog.EvtFormatMessageEvent)
        except Exception:
            return None

    query = win32evtlog.EvtQuery(path, win32evtlog.EvtQueryForwardDirection)
    # System render context: fixed System-section fields indexed by the
    # EvtSystem* constants.
    context = win32evtlog.EvtCreateRenderContext(
        win32evtlog.EvtRenderContextSystem)

    for index, event in enumerate(win32evtlog.EvtNext(query, num_events), 1):
        values = win32evtlog.EvtRender(event,
                                       win32evtlog.EvtRenderEventValues,
                                       Context=context)
        print("Event {}".format(index))

        has_level, level = present(values, win32evtlog.EvtSystemLevel)
        if has_level:
            print("    Level: {}".format(level_names.get(level, "UNKNOWN")))

        has_created, created = present(values, win32evtlog.EvtSystemTimeCreated)
        if has_created:
            print("    Timestamp: {}".format(created.isoformat()))

        has_computer, computer = present(values, win32evtlog.EvtSystemComputer)
        if has_computer:
            print("    FQDN: {}".format(computer))

        has_provider, provider = present(values, win32evtlog.EvtSystemProviderName)
        if not has_provider:
            continue
        print("    Provider: {}".format(provider))

        message = formatted_message(event, provider)
        if message is None:
            continue
        try:
            print("    Message: {}".format(message))
        except UnicodeEncodeError:
            # Seen under subprocess.Popen(), where the console encoding is
            # not known (e.g. U+200E in the text); fall back to the
            # escaped representation.
            print(" Failed to decode:", repr(message))
# Structured XML query (QueryList/Query/Select) against the Sysmon
# operational channel, restricted to a one-second window on
# TimeCreated/@SystemTime. The comparison operators have to be XML-escaped
# (&gt;= / &lt;=) because the whole query is XML. The trailing backslashes
# are line continuations inside the string literal, so the value is a
# single line with the indentation spaces kept. The window is hard-coded —
# adjust both timestamps to the period under investigation.
query = "<QueryList>\
  <Query Id=\"0\" Path=\"Microsoft-Windows-Sysmon/Operational\">\
    <Select Path=\"Microsoft-Windows-Sysmon/Operational\">\
      *[System[TimeCreated[@SystemTime&gt;='2021-05-16T20:33:56.001Z' and @SystemTime&lt;='2021-05-16T20:33:57.000Z']]]\
      </Select>\
  </Query>\
</QueryList>\
"

path = "Microsoft-Windows-Sysmon/Operational"

# Newest records first within the window. The query is passed as the third
# (Query) argument; the fourth (Session) is None for the local machine.
# Raises pywintypes.error if the channel cannot be read — reading the
# Sysmon channel normally needs admin rights or "Event Log Readers".
handle = win32evtlog.EvtQuery(  # Get event log
    path, win32evtlog.EvtQueryReverseDirection, query, None)

while 1:
    events = win32evtlog.EvtNext(handle, 10)
    if len(events) == 0:
        # remove parsed events
        # win32evtlog.ClearEventLog(handle, None): Access Violation (0xC0000005)
        break
    for event in events:
        count += 1
        print(count)

        if count % 1 == 0:
            # print(count)

            record = win32evtlog.EvtRender(event,
                                           win32evtlog.EvtRenderEventXml)
            ##print(event)
            # print(record)