def _attributes(self):
attr = VMap()
attr.thisown = False
nstart = Variant(self.startOff)
nstart.thisown = False
attr["start offset"] = nstart
return attr
def start(self, args):
self.origin = args["file"].value()
if args.has_key("start-offset"):
self.soffset = args["start-offset"].value()
else:
self.soffset = 0
self.chunklist = args["chunk-sizes"].value()
nodesize = self.origin.size()
err = ""
if self.soffset < 0:
err += "start offset (" + str(self.soffset) + ") must be equal or greater to 0\n"
if self.soffset >= nodesize:
err += "start offset (" + str(self.soffset) + ") must be lesser than size of provided node\n"
if not err:
for vchunksize in self.chunklist:
cerr = ""
chunksize = vchunksize.value()
if chunksize <= 0:
cerr += "size of chunk (" + str(chunksize) + " bytes) must be positive\n"
if chunksize >= nodesize:
cerr += "size of chunk (" + str(chunksize) + " bytes) must be lesser than size of provided node\n"
if not cerr:
root = Node(self.origin.name() + " splitted by " + str(chunksize), 0, None, self)
root.__disown__()
self.__split(root, chunksize)
self.registerTree(self.origin, root)
else:
err += cerr
if err:
verr = Variant(err)
verr.thisown = False
self.res["error"] = verr
def export(self):
text, ok = QInputDialog.getText(self, "Advanced search", "Filter export name",\
QLineEdit.Normal, "")
if ok and text != "":
siNode = self.vfs.getnode("/Searched items")
filtersNode = Node(str(text), 0, siNode, None)
filtersNode.__disown__()
filtersNode.setDir()
e = event()
e.thisown = False
vnode = Variant(filtersNode)
vnode.thisown = False
e.value = vnode
VFS.Get().notify(e)
nb_row = self.model.rowCount()
for i in range(0, nb_row):
index = self.model.index(i, 0)
if not index.isValid():
continue
data = self.model.data(index, Qt.CheckStateRole)
if data == Qt.Checked or data == Qt.PartiallyChecked:
n = VFS.Get().getNodeFromPointer(long(index.internalId()))
l = VLink(n, filtersNode)
l.__disown__()
else:
box = QMessageBox(QMessageBox.Warning, "Error", "Error node already exists", \
QMessageBox.NoButton, self)
box.exec_()
def start(self, args):
dest = args["dest"].value()
node = args["file"].value()
self.vfs.link(node, dest)
val = Variant(str("linked " + dest.path() + "/" + node.name() + " created").replace("//", "/"))
val.thisown = False
self.res["result"] = val
def start(self, args):
try:
algorithms = args["algorithm"].value()
except IndexError:
algorithms = [Variant("md5")]
node = args["file"].value()
lalgorithms = []
for algo in algorithms:
algo = algo.value()
if self.attributeHash.haveHashCalculated(node, algo):
continue
lalgorithms.append(algo)
hinstances, errors = self.hashCalc(node, lalgorithms)
if len(hinstances):
for hinstance in hinstances:
hexdigest = hinstance.hexdigest()
name = hinstance.name
self.attributeHash.setHash(node, name, hexdigest)
node.registerAttributes(self.attributeHash)
vres = Variant(hexdigest)
vres.thisown = False
self.res[name] = vres
if len(errors):
verr = Variant(errors)
verr.thisown = False
self.res["error"] = verr
def attributes(self, node):
m = VMap()
hashes = self.calculatedHash[long(node.this)]
for h in hashes.iterkeys():
v = Variant(hashes[str(h)])
v.thisown = False
m[str(h)] = v
m.thisown = False
return m
def _attributes(self):
attr = VMap()
attr.thisown = False
self.getKeyAttributes(attr)
self.getValuesAttributes(attr)
vt = Variant(self.createdTime())
vt.thisown = False
attr['created'] = vt
return attr
def _attributes(self):
attr = VMap()
attr.thisown = False
ps = Variant(self.pageSize)
ps.thisown = False
attr["page size"] = ps
sps = Variant(self.spareSize)
sps.thisown = False
attr["spare size"] = sps
return attr
def start(self, args):
try:
node = args['file'].value()
key = args['key'].value()
res = self.unxor(node, key)
r = Variant(res)
r.thisown = False
self.res["result"] = r
except:
pass
def start(self, args):
buff = "pid\tname\tstate\tinfo\n"
self.lprocessus = self.tm.lprocessus
for proc in self.lprocessus:
if proc.name != "jobs":
buff += "[" + str(proc.pid) + "]\t" + proc.name + "\t" + proc.state + "\t" + str(proc.stateinfo) + "\n"
if not buff:
buff += "No processus launched yet !"
r = Variant(buff)
r.thisown = False
self.res["result"] = r
def start(self, args):
try:
node = args["file"].value()
self.unpack(node)
if args.has_key("header"):
res = self.header()
else:
res = self.info()
v = Variant(res)
v.thisown = False
self.res["result"] = v
except KeyError:
pass
def matchFilter(self, node):
for priority in [0, 1, 2, 3]:
if priority in self.filters.keys():
for filter in self.filters[priority]:
if not filter[0].match(node, filter[1]):
return False
e = event()
e.type = 0x202
e.thisown = False
vnode = Variant(node)
vnode.thisown = False
e.value = vnode
self.notify(e)
return True
def _attributes(self):
i = 1
attr = VMap()
attr.thisown = False
vlist = VList()
vlist.thisown = False
for f in self.files:
node = f.value()
cattr = Variant(node.absolute())
cattr.thisown = False
vlist.append(cattr)
vvlist = Variant(vlist)
vvlist.thisown = False
attr["concatanated files (ordered)"] = vvlist
return attr
def start(self, args):
buff = ""
node = args["file"].value()
if args.has_key("max-items"):
self.vtreeprinter.setMaxItemListToExpand(args["max-items"].value())
else:
self.vtreeprinter.setMaxItemListToExpand(-1)
if args.has_key("max-depth"):
self.vtreeprinter.setMaxDepth(args["max-depth"].value())
else:
self.vtreeprinter.setMaxDepth(-1)
buff += self.fillBase(node)
buff += self.fillAttributes(node)
vbuff = Variant(buff)
vbuff.thisown = False
self.res["result"] = vbuff
def Event(self, e):
if e.type == 0x200:
self.nodescount = e.value.value()
v = Variant(self.nodescount)
v.thisown = False
self.res["total nodes"] = v
elif e.type == 0x201:
cur = e.value.value()
progress = (cur * 100) / self.nodescount
if progress > self.oldcur:
self.stateinfo = str(progress) + " % (matching node: " + str(len(self.nodes)) + ")"
elif e.type == 0x202:
node = e.value.value()
if self.verbose == True:
print node.absolute()
self.nodes.append(node)
def start(self, args):
if len(args) > 1:
val = Variant("too many arguments")
val.thisown = False
self.res["error"] = val
elif args.has_key("clear"):
self.h.clear()
elif args.has_key("last"):
last = args["last"].value()
if last > len(self.h.hist):
last = 0
else:
last = len(self.h.hist) - last
for i in xrange(last, len(self.h.hist)):
print (str(i) + '\t' + self.h.hist[i]).strip('\n')
else:
for i in xrange(0, len(self.h.hist)):
print (str(i) + '\t' + self.h.hist[i]).strip('\n')
def _attributes(self):
attr = VMap()
zipattr = self.reader.zipcontent.getinfo(self.zipfile)
for key in ZipNode.__slots__:
val = getattr(zipattr, key)
if key != "date_time":
vval = Variant(val)
vval.thisown = False
attr[key] = vval
vt = vtime()
vt.thisown = False
vt.year = zipattr.date_time[0]
vt.month = zipattr.date_time[1]
vt.day = zipattr.date_time[2]
vt.hour = zipattr.date_time[3]
vt.minute = zipattr.date_time[4]
vt.second = zipattr.date_time[5]
vvt = Variant(vt)
vvt.thisown = False
attr["create"] = vvt
return attr
def startCarving(self):
selected = self.selector.selectedItems()
patterns = self.createContext(selected)
args = VMap()
args.thisown = False
args["patterns"] = patterns
args["file"] = self.vnode
startoff = Variant(self.offsetSpinBox.value(), typeId.UInt64)
startoff.thisown = False
args["start-offset"] = startoff
factor = round(float(self.filesize) / 2147483647)
self.startButton.setEnabled(False)
self.stopButton.setEnabled(True)
self.stopButton.setDown(False)
if factor == 0:
factor = 1
proc = self.tm.add("carver", args, ["gui", "thread"])
if proc:
self.doJob(self.filesize, factor, self.offsetSpinBox.value())
self.stateLayout.setEnabled(True)
self.connection(proc.inst)
proc.inst.connection(self)
def start(self, args):
self.nodes = []
self.nodescount = 1
self.oldcur = 0
fname = args["filter_name"].value()
expression = args["expression"].value()
root_node = args["root_node"].value()
if args.has_key("verbose"):
self.verbose = True
else:
self.verbose = False
if args.has_key("recursive"):
recursive = True
else:
recursive = False
f = Filter(fname)
f.connection(self)
try:
f.compile(expression)
except RuntimeError:
val = Variant("provided expression is not valid")
val.thisown = False
self.res["error"] = val
f.process(root_node, recursive)
v = Variant(len(self.nodes))
v.thisown = False
self.res["total of matching nodes"] = v
if args.has_key("save_result"):
si_node = self.vfs.getnode("/Searched items")
if si_node == None:
root = self.vfs.getnode("/")
si_node = Node("Searched items", 0, root)
si_node.__disown__()
fnode = Node(fname, 0, si_node)
fnode.__disown__()
for node in self.nodes:
vl = VLink(node, fnode, node.name())
vl.__disown__()
def _attributes(self):
attr = VMap()
attr.thisown = False
fatstart = Variant(self.partTable.start)
fatstart.thisown = False
attr["partition start"] = fatstart
blocksize = Variant(self.partTable.blocksize)
blocksize.thisown = False
attr["blocksize"] = blocksize
size = Variant(self.partTable.size)
size.thisown = False
attr["size in block"] = size
return attr
def attributes(self, node): #metaexif.status(decoding exif')
attr = VMap()
attr.thisown = False
file = node.open()
tags = EXIF.process_file(file)
if len(tags) == 0:
v = Variant("no exif")
v.thisown = 0
attr["info"] = v
return attr
else:
sortedTags = {}
for tag in tags.keys():
if tag not in ('JPEGThumbnail', 'TIFFThumbnail', 'Filename', 'EXIF MakerNote'):
spaceidx = tag.find(" ")
ifd = tag[:spaceidx].strip()
if ifd == "Image":
ifd = "IFD 0 (Image)"
if ifd == "Thumbnail":
ifd = "IFD 1 (Thumbnail)"
key = tag[spaceidx:].strip()
val = None
if tags[tag].tag in dateTimeTags:
# Try converting from usual string format to vtime, or to string
# if it fails.
try:
vt = time.strptime(str(tags[tag]), '%Y:%m:%d %H:%M:%S')
val = vtime(vt.tm_year, vt.tm_mon, vt.tm_mday, vt.tm_hour, vt.tm_min, vt.tm_sec, 0)
val.thisown = False
except ValueError:
pass
if not val:
try:
val = str(tags[tag])
except:
val = "cannot be decoded"
if ifd not in sortedTags.keys():
sortedTags[ifd] = []
sortedTags[ifd].append((key, val))
for ifd in sortedTags.keys():
m = VMap()
m.thisown = 0
for res in sortedTags[ifd]:
v = Variant(res[1])
v.thisown = False
m[res[0]] = v
vv = Variant(m)
vv.thisown = False
attr[ifd] = vv
return attr
def _attributes(self):
attr = VMap()
attr.thisown = False
vmap = VMap()
vmap.thisown = False
for t in self.tables.map:
v = Variant(hex(self.tables.map[t].write))
v.thisown = False
vmap[hex(t)] = v
m = Variant(vmap)
m.thisown = False
attr["tables"] = m
al = Variant(self.aalloc)
al.thisown = False
attr["reallocated blocks"] = al
return attr
def start(self, args):
node = args["dir"].value()
if not node:
val = Variant("Can't find file")
val.thisown = False
self.res["error"] = val
return
if not node.hasChildren():
val = Variant("Can't change current directory on file")
val.thisown = False
self.res["error"] = val
return
self.vfs.setcwd(node)
val = Variant("change path to " + str(node.absolute()))
val.thisown = False
self.res["result"] = val
def __split(self, root, chunksize):
nodesize = self.origin.size()
chunks = nodesize / chunksize
vchunks = Variant(chunks)
vchunks.thisown = False
vmap = VMap()
vmap.thisown = False
vmap["complete chunks"] = vchunks
for idx in xrange(0, chunks * chunksize, chunksize):
snode = SplitNode(self, root, self.origin, idx, chunksize)
lastchunk = nodesize % chunksize
if lastchunk != 0:
snode = SplitNode(self, root, self.origin, self.origin.size() - lastchunk, lastchunk)
vtruncated = Variant(lastchunk)
vtruncated.thisown = False
vmap["truncated chunk (size)"] = vtruncated
vvmap = Variant(vmap)
vvmap.thisown = False
self.res[str(chunksize) + " bytes split"] = vvmap
def readClassName(self, offset, classnamelen, vmap):
try:
self.hive.seek(offset)
head = self.hive.read(4)
cname = self.hive.read(classnamelen)
classmap = VMap()
classmap.thisown = False
vhead = Variant(head)
vhead.thisown = False
classmap["head"] = vhead
vname = Variant(cname)
vname.thisown = False
classmap["Name"] = vname
v = Variant(classmap)
v.thisown = False
vmap["Class name"] = v
except vfsError, e:
print "Base block read Magic ERROR"
def createReport(self):
stats = ""
if self.total_files > 0:
percent = (float(self.extracted_files) * 100) / self.total_files
stats += "extracted file(s): " + str(self.extracted_files) + "/" + str(self.total_files) + " (" + str(round(percent, 2)) + "%)\n"
if self.total_folders > 0:
percent = (float(self.extracted_folders) * 100) / self.total_folders
stats += "extracted folder(s): " + str(self.extracted_folders) + "/" + str(self.total_folders) + " (" + str(round(percent, 2)) + "%)\n"
if self.ommited_files > 0:
percent = (float(self.ommited_files) * 100) / self.total_files
stats += "ommited file(s): " + str(self.ommited_files) + "/" + str(self.total_files) + " (" + str(round(percent, 2)) + "%)\n"
if self.ommited_folders > 0:
percent = (float(self.ommited_folders) * 100) / self.total_folders
stats += "ommited folder(s): " + str(self.ommited_folders) + "/" + str(self.total_folders) + " (" + str(round(percent, 2)) + "%)\n"
if self.files_errors > 0:
percent = (float(self.files_errors) * 100) / self.total_files
stats += "file(s) error: " + str(self.files_errors) + "/" + str(self.total_files) + " (" + str(round(percent, 2)) + "%)\n"
val = Variant(self.log["files"]["nok"])
val.thisown = False
self.res["file(s) errors"] = val
if self.folders_errors > 0:
percent = (float(self.folders_errors) * 100) / self.total_folders
stats += "folder(s) error: " + str(self.folders_errors) + "/" + str(self.total_folders) + " (" + str(round(percent, 2)) + "%)\n"
val = Variant(self.log["folders"]["nok"])
val.thisown = False
self.res["folder(s) errors"] = val
if len(stats):
v = Variant(stats)
v.thisown = False
self.res["statistics"] = v
def start(self, args):
patterns = VList()
patterns.thisown = False
if args.has_key("start-offset"):
startoff = args["start-offset"].value()
else:
startoff = 0
if args.has_key("block-aligned"):
aligned = True
else:
aligned = False
for mimetype in filetypes.keys():
if mimetype in args:
vsubtypes = args[mimetype].value()
for subtype in filetypes[mimetype].keys():
if subtype in vsubtypes:
pattern = VMap()
pattern.thisown = False
descr = filetypes[mimetype][subtype]
filetype = Variant(subtype, typeId.String)
filetype.thisown = False
for p in descr:
pattern["filetype"] = filetype
header = VMap()
header.thisown = False
val = Variant(p[0], typeId.String)
val.thisown = False
header["needle"] = val
val = Variant(len(p[0]), typeId.UInt32)
val.thisown = False
header["size"] = val
footer = VMap()
footer.thisown = False
val = Variant(p[1], typeId.String)
val.thisown = False
footer["needle"] = val
val = Variant(len(p[1]), typeId.UInt32)
val.thisown = False
footer["size"] = val
vheader = Variant(header)
vheader.thisown = False
pattern["header"] = vheader
vfooter = Variant(footer)
vfooter.thisown = False
pattern["footer"] = vfooter
pattern["window"] = Variant(int(p[2]), typeId.UInt32)
if aligned:
val = Variant(True, typeId.Bool)
val.thisown = False
pattern["aligned"] = val
else:
val = Variant(False, typeId.Bool)
val.thisown = False
pattern["aligned"] = val
patterns.append(pattern)
vpatterns = Variant(patterns)
vpatterns.thisown = False
margs = VMap()
margs.thisown = False
margs["patterns"] = vpatterns
margs["file"] = args["file"]
vstartoff = Variant(startoff, typeId.UInt64)
vstartoff.thisown = False
margs["start-offset"] = vstartoff
proc = self.tm.add("carver", margs, ["console"])
if proc:
proc.event.wait()
def _attributes(self):
vt = vtime(long(self.timestamp / 1e6), TIME_UNIX)
vt.thisown = False
v_vt = Variant(vt)
#v_profile_dir = Variant(self.profile_dir())
v_data = Variant(self.data)
v_data1 = Variant(self.data1)
v_data2 = Variant(self.data2)
v_data3 = Variant(self.data3)
v_data4 = Variant(self.data4)
v_vt.thisown = False
#v_profile_dir.thisown = False
v_data.thisown = False
v_data1.thisown = False
v_data2.thisown = False
v_data3.thisown = False
v_data4.thisown = False
attr = VMap()
attr.thisown = False
#attr["profile directory"] = v_profile_dir
if (self.browser == 'firefox'):
if (self.extract == 'history'):
attr['accessed'] = v_vt
attr['visit count'] = v_data
attr['typed'] = v_data1
return attr
elif (self.extract == 'cookies'):
attr['name'] = v_data2
attr['cookie'] = v_data3
attr['accessed'] = v_vt
return attr
elif (self.extract == 'downloads'):
attr['url'] = v_data2
attr['location'] = v_data3
#attr['start'] = v_data2
attr['finished'] = v_vt
return attr
elif (self.extract == 'signons'):
attr['username'] = v_data2
attr['password'] = v_data3
return attr
elif (self.extract == 'formhistory'):
attr['input'] = v_data2
attr['times used'] = v_data3
attr['last used'] = v_vt
return attr
def _attributes(self):
vt = vtime(long(self.timestamp/1e6), TIME_UNIX)
vt.thisown = False
v_vt = Variant(vt)
#v_profile_dir = Variant(self.profile_dir())
v_data = Variant(self.data)
v_data1 = Variant(self.data1)
v_data2 = Variant(self.data2)
v_data3 = Variant(self.data3)
v_data4 = Variant(self.data4)
v_vt.thisown = False
#v_profile_dir.thisown = False
v_data.thisown = False
v_data1.thisown = False
v_data2.thisown = False
v_data3.thisown = False
v_data4.thisown = False
attr = VMap()
attr.thisown = False
#attr["profile directory"] = v_profile_dir
if (self.browser == 'firefox'):
if(self.extract == 'history'):
attr['accessed'] = v_vt
attr['visit count'] = v_data
attr['typed'] = v_data1
return attr
elif(self.extract == 'cookies'):
attr['name'] = v_data2
attr['cookie'] = v_data3
attr['accessed'] = v_vt
return attr
elif(self.extract == 'downloads'):
attr['url'] = v_data2
attr['location'] = v_data3
#attr['start'] = v_data2
attr['finished'] = v_vt
return attr
elif(self.extract == 'signons'):
attr['username'] = v_data2
attr['password'] = v_data3
return attr
elif(self.extract == 'formhistory'):
attr['input'] = v_data2
attr['times used'] = v_data3
attr['last used'] = v_vt
return attr
def readSKBuffer(self, secmap, size):
try:
skcontentbuff = self.hive.read(20)
skstruct = struct.unpack("<BBHIIII", skcontentbuff)
skmap = VMap()
skmap.thisown = False
vrev = Variant(skstruct[0])
vrev.thisown = False
skmap["Revision"] = vrev
vsbz = Variant(skstruct[1])
vsbz.thisown = False
skmap["SBZ"] = vsbz
vcontrol = Variant(skstruct[2])
vcontrol.thisown = False
skmap["Control"] = vcontrol
vowneroff = Variant(skstruct[3])
vowneroff.thisown = False
skmap["Owner offset"] = vowneroff
vgroupoff = Variant(skstruct[4])
vgroupoff.thisown = False
skmap["Group offset"] = vgroupoff
vsacloff = Variant(skstruct[5])
vsacloff.thisown = False
skmap["SACL offset"] = vsacloff
vdacloff = Variant(skstruct[6])
vdacloff.thisown = False
skmap["DACL offset"] = vdacloff
skdata = size - 20
#TODO read & parse skdata
v = Variant(skmap)
v.thisown = False
secmap["SK data header"] = v
except vfsError, e:
print "Base block read Magic ERROR"
def process(self):
matchedNodes = []
e = event()
e.thisown = False
self.__stop = False
if self.recursive:
if self.root != None and len(self.filters) != 0:
#if self.root & 0x0000ffffffffffff == 0:
# nodes = self.root.fsobj()
count = 0
totalnodes = self.root.totalChildrenCount()
vmax = Variant(totalnodes)
vmax.thisown = False
e.type = 0x200
e.value = vmax
self.notify(e)
#if self.matchFilter(self.root):
# count += 1
# matchedNodes.append(self.root.this)
#fsobjs = self.libvfs.fsobjs()
#for fsobj in fsobjs:
# nodes = fsobjs.nodes()
# for node in nodes:
# if self.matchFilter(node):
# matchedNodes.append(node.this)
# count += 1
e.type = 0x201
for (top, dirs, files) in self.vfs.walk(self.root):
if self.__stop:
return matchedNodes
for d in dirs:
if self.__stop:
return matchedNodes
if self.matchFilter(d):
matchedNodes.append(d.this)
count += 1
vcount = Variant(count)
vcount.thisown = False
e.value = vcount
self.notify(e)
#print count, "/", totalnodes
for f in files:
if self.__stop:
return matchedNodes
if self.matchFilter(f):
matchedNodes.append(f.this)
count += 1
vcount = Variant(count)
vcount.thisown = False
e.value = vcount
self.notify(e)
#print count, "/", totalnodes
else:
children = self.root.children()
count = 0
totalnodes = len(children)
vmax = Variant(totalnodes)
vmax.thisown = False
e.type = 0x200
e.value = vmax
self.notify(e)
for child in children:
if self.__stop:
return matchedNodes
if self.matchFilter(child):
matchedNodes.append(child.this)
count += 1
vcount = Variant(count)
vcount.thisown = False
e.value = vcount
self.notify(e)
return matchedNodes
