def start(self, args):
self.nodes = []
self.nodescount = 1
self.oldcur = 0
fname = args["filter_name"].value()
expression = args["expression"].value()
root_node = args["root_node"].value()
if args.has_key("verbose"):
self.verbose = True
else:
self.verbose = False
if args.has_key("recursive"):
recursive = True
else:
recursive = False
f = Filter(fname)
f.connection(self)
try:
f.compile(expression)
except RuntimeError:
self.res["error"] = Variant("provided expression is not valid")
f.process(root_node, recursive)
self.res["total of matching nodes"] = Variant(len(self.nodes))
if args.has_key("save_result"):
si_node = self.vfs.getnode("/Bookmarks")
if si_node == None:
root = self.vfs.getnode("/")
si_node = Node("Bookmarks", 0, root)
si_node.__disown__()
fnode = Node(fname, 0, si_node)
fnode.__disown__()
for node in self.nodes:
vl = VLink(node, fnode, node.name())
vl.__disown__()
def start(self, args):
self.parent = args["parent"].value()
if args.has_key("count"):
self.count = args["count"].value()
else:
self.count = 50000
#self.start = args["start_offset"].value()
#self.number_of_nodes = args["number_of_nodes"].value()
self.root = Node("node-test")
self.__disown__()
for x in xrange(0, self.count):
xnode = Node(str(x), 0, self.root, self)
if (x % 10000) == 0:
print "have create " + str(x) + " nodes"
xnode.setDir()
xnode.__disown__()
self.registerTree(self.parent, self.root)
def makeDirs(self, folders):
sfolders = folders.split("/")
prev = self.origin
for folder in sfolders:
node = self.vfs.getnode(prev.absolute() + "/" + folder)
if node == None:
node = Node(folder, 0, prev, self)
node.setDir()
node.__disown__()
prev = node
return node
def __createProcessesVadTree(self):
pcount = 1
lpcount = len(self.__processes)
for procnode in self.__processes:
proc = procnode.eproc
base, ext = os.path.splitext(str(proc.ImageFileName))
vadroot = Node(base + ".vad", 0, None, self)
vadroot.__disown__()
procnode.setSuspicious(
self.__createVadTree(proc, vadroot, pcount, lpcount))
pcount += 1
self.registerTree(procnode, vadroot)
def parseOrphan(self, root, mfsobj):
orphaned = None
if len(self.__entries) != len(self.__addedEntriesID):
orphaned = Node('Orphaned', 0, root, mfsobj)
orphaned.__disown__()
for eid in xrange(0, len(self.__entries)):
if eid not in self.__addedEntriesID:
try:
if self.__entries[eid]:
orphaned.addChild(self.__entries[eid])
except KeyError:
pass
return orphaned
def __createProcessTree(self):
seen_offsets = []
procmap = {}
self.__orphaned = {}
self.stateinfo = "Step {:<2d} / {:<2d}: Processes -- Creating tree".format(
self.__step, self.__steps)
for source in self.ps_sources.values():
for offset in source.keys():
if offset not in seen_offsets:
seen_offsets.append(offset)
cproc = source[offset]
uid = int(cproc.UniqueProcessId)
if procmap.has_key(uid):
dtb = []
for _proc in procmap[uid]:
if cproc.ImageFileName == _proc[
0].ImageFileName and cproc.Pcb.DirectoryTableBase == _proc[
0].Pcb.DirectoryTableBase:
dtb.append(_proc)
if len(dtb) == 0:
procmap[uid].append((cproc, offset))
elif cproc.Peb != None:
for _proc, _off in dtb:
if _proc.Peb is None:
procmap[uid].remove(_proc)
else:
procmap[uid] = [(cproc, offset)]
self.__orphaned[cproc] = 0
if len(procmap):
self.stateinfo = "Step {:<2d} / {:<2d}: Processes -- Creating tree {:>3d} / {:<3d}".format(
self.__step, self.__steps, 0, len(procmap))
self.__mainProcNode = Node("Processes", 0, None, self)
self.__mainProcNode.__disown__()
self.__mainProcNode.setDir()
for proc, offset in self.__findRootProcesses(procmap):
self.__orphaned[proc] = 1
procnode = WinProcNode(proc, offset, self.__mainProcNode, self)
self.__processes.append(procnode)
self.__createPtree(procmap, int(proc.UniqueProcessId),
procnode)
count = sum(
[v for v in self.__orphaned.itervalues() if v == 1])
self.stateinfo = "Step {:<2d} / {:<2d}: Processes -- Creating tree {:>3d} / {:<3d}".format(
self.__step, self.__steps, count, len(procmap))
for proc in self.__orphaned:
if debug and self.__orphaned[proc] == 0:
self.__printProcess(proc)
self.registerTree(self.root, self.__mainProcNode)
self.__step += 1
def __createModules(self):
self.stateinfo = "Step {:<2d} / {:<2d}: Modules -- ModScan".format(
self.__step, self.__steps)
self.__scanned_modules = Set([
ldr_entry.obj_offset
for ldr_entry in modscan.ModScan(self._config).calculate()
])
self.stateinfo = "Step {:<2d} / {:<2d}: Modules -- Modules calculate".format(
self.__step, self.__steps)
self.__loaded_modules = Set([
module.obj_vm.vtop(module.obj_offset)
for module in modules.Modules(self._config).calculate()
])
self.__unlinked_or_hidden = self.__scanned_modules.difference(
self.__loaded_modules)
self.__modulesNode = Node("Modules", 0, None, self)
self.__modulesNode.setDir()
self.__modulesNode.__disown__()
unknown = 0
address_space = utils.load_as(self._config, astype='physical')
kernel_as = utils.load_as(self._config)
procs = list(tasks.pslist(kernel_as))
modcount = 1
lmodcount = len(self.__scanned_modules)
for offset in self.__scanned_modules:
self.stateinfo = "Step {:<2d} / {:<2d}: Modules -- creating nodes ({:>6d} / {:<6d})".format(
self.__step, self.__steps, modcount, lmodcount)
modcount += 1
ldr_entry = obj.Object('_LDR_DATA_TABLE_ENTRY',
vm=address_space,
offset=offset,
native_vm=kernel_as)
if not ldr_entry.BaseDllName:
unknown += 1
name = "Unknown" + str(unknown)
else:
name = str(ldr_entry.BaseDllName)
unlinked_or_hidden = False
if offset in self.__unlinked_or_hidden:
unlinked_or_hidden = True
aspace = tasks.find_space(kernel_as, procs, ldr_entry.DllBase.v())
n = ModuleNode(name, ldr_entry, self.__modulesNode, self, aspace,
unlinked_or_hidden)
n.__disown__()
self.registerTree(self.root, self.__modulesNode)
self.__step += 1
def __createDlls(self):
self.__loadModulesFromProcesses()
if len(self.__dlls):
self.__mainDllNode = Node("Dlls", 0, None, self)
self.__mainDllNode.setDir()
self.__mainDllNode.__disown__()
dcount = 1
dllcount = len(self.__dlls)
for dllname in self.__dlls:
self.stateinfo = "Step {:<2d} / {:<2d}: Dlls -- Creating nodes ({:>6d} / {:<6d})".format(
self.__step, self.__steps, dcount, dllcount)
if len(self.__dlls[dllname]) > 1:
if debug:
print dllname, [
entry[0] for entry in self.__dlls[dllname]
]
i = 0
for entry in self.__dlls[dllname]:
if entry[0] != -1:
if i == 0:
dllnode = DllNode(dllname, entry[1], entry[2],
self.__mainDllNode, self)
dllnode.__disown__()
else:
dllnode = DllNode(dllname + "-" + str(i),
entry[1], entry[2],
self.__mainDllNode, self)
dllnode.__disown__()
i += 1
else:
entry = self.__dlls[dllname][0]
dllnode = DllNode(dllname, entry[1], entry[2],
self.__mainDllNode, self)
dllnode.__disown__()
self.registerTree(self.root, self.__mainDllNode)
self.__step += 1
def exportClick(self, clickState):
rect = self.timeline.ploter.selectionRect.rect()
exportSelDateMin = self.timeline.draw.findXTime(rect.x())
exportSelDateMax = self.timeline.draw.findXTime(rect.x() +
rect.width())
for family in self.configuration:
for time in family[1]:
if time[1][0][1]:
nodes = []
everyNodes = self.timeline.elementsInRangeToNodeList(
time[1][5][1], self.timeline.toUSec(exportSelDateMin),
self.timeline.toUSec(exportSelDateMax))
for oneGroupNode in everyNodes:
for node in oneGroupNode:
nodes.append(node)
if len(nodes):
if not self.exportedNode:
# Create /timeline if needed
root = vfs.vfs().getnode('/Bookmarks')
baseNode = Node('timeline', 0, root)
baseNode.__disown__()
baseNode.setDir()
e = event()
e.thisown = False
e.value = RCVariant(Variant(baseNode))
self.VFS.notify(e)
# Create /timeline/<ParentName>
self.exportedNode = Node(self.timeline.node.name(),
0, baseNode)
self.exportedNode.__disown__()
self.exportedNode.setDir()
timeBaseName = self.exportedNode.absolute(
) + '/' + str(
exportSelDateMin.strftime('%d.%m.%Y %H:%M:%S')
) + ' to ' + str(
exportSelDateMax.strftime('%d.%m.%Y %H:%M:%S'))
timeBaseNode = vfs.vfs().getnode(timeBaseName)
if not timeBaseNode:
# Create /timeline/<ParentName>/dateStart to dateEnd/<Module:FullTimestampAttributePath>/
timeBaseNode = Node(
str(
exportSelDateMin.strftime(
'%d.%m.%Y %H:%M:%S')) + ' to ' + str(
exportSelDateMax.strftime(
'%d.%m.%Y %H:%M:%S')), 0,
self.exportedNode)
timeBaseNode.__disown__()
timeBaseNode.setDir()
baseFamilyName = timeBaseNode.absolute(
) + '/' + ':'.join([family[0]] + time[0])
baseFamilyNode = vfs.vfs().getnode(baseFamilyName)
if not baseFamilyNode:
# Create /timeline/<ParentName>/dateStart to dateEnd//<Module:FullTimestampAttributePath> if needed
baseFamilyNode = Node(
':'.join([family[0]] + time[0]), 0,
timeBaseNode)
baseFamilyNode.__disown__()
baseFamilyNode.setDir()
for node in nodes:
# Add each node in array as child
l = VLink(node, baseFamilyNode)
l.__disown__()
