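def start(self, args):
    """Run a node filter over a subtree and report (optionally bookmark) the matches.

    Args:
        args: module argument map. Required keys: "filter_name", "expression"
            (the filter text supplied by the user) and "root_node". Optional
            flags, tested by presence only: "verbose", "recursive", "save_result".

    Side effects:
        Resets self.nodes / self.nodescount / self.oldcur, sets self.verbose,
        fills self.res with either "error" or "total of matching nodes", and
        when "save_result" is present creates /Bookmarks/<filter_name> in the
        VFS with one VLink per matching node.
    """
    self.nodes = []
    self.nodescount = 1
    self.oldcur = 0
    fname = args["filter_name"].value()
    expression = args["expression"].value()
    root_node = args["root_node"].value()
    # Flags are presence-only: their value is never read.
    self.verbose = args.has_key("verbose")
    recursive = args.has_key("recursive")
    f = Filter(fname)
    f.connection(self)
    try:
        f.compile(expression)
    except RuntimeError:
        # The expression is user input; report the failure through the result
        # map rather than raising, and stop here instead of running an
        # uncompiled filter over the tree (the original fell through to process()).
        self.res["error"] = Variant("provided expression is not valid")
        return
    f.process(root_node, recursive)
    self.res["total of matching nodes"] = Variant(len(self.nodes))
    if args.has_key("save_result"):
        si_node = self.vfs.getnode("/Bookmarks")
        if si_node is None:
            root = self.vfs.getnode("/")
            si_node = Node("Bookmarks", 0, root)
            si_node.__disown__()
        fnode = Node(fname, 0, si_node)
        fnode.__disown__()
        # One link per match, named after the matched node.
        for node in self.nodes:
            vl = VLink(node, fnode, node.name())
            vl.__disown__()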
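def makeDirs(self, folders):
    """Create (or reuse) the directory chain `folders` below self.origin.

    Args:
        folders: slash-separated relative path, e.g. "a/b/c". Empty components
            (leading, trailing or doubled "/") are ignored instead of producing
            a node with an empty name.

    Returns:
        The deepest node of the chain; self.origin itself when `folders`
        contains no component at all (the original raised UnboundLocalError).
    """
    current = self.origin
    for folder in folders.split("/"):
        if not folder:
            continue
        node = self.vfs.getnode(current.absolute() + "/" + folder)
        if node is None:
            node = Node(folder, 0, current, self)
            node.setDir()
            node.__disown__()
        current = node
    return current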
def __createProcessesVadTree(self):
    """Attach one "<image>.vad" tree to every discovered process node.

    For each process node the VAD tree is built by self.__createVadTree, whose
    return value is stored as the node's suspicious flag; the tree is then
    registered under the process node.
    """
    total = len(self.__processes)
    for position, procnode in enumerate(self.__processes, 1):
        eproc = procnode.eproc
        # Drop the image extension: "svchost.exe" -> "svchost.vad".
        imageBase = os.path.splitext(str(eproc.ImageFileName))[0]
        vadroot = Node(imageBase + ".vad", 0, None, self)
        vadroot.__disown__()
        suspicious = self.__createVadTree(eproc, vadroot, position, total)
        procnode.setSuspicious(suspicious)
        self.registerTree(procnode, vadroot)
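def parseOrphan(self, root, mfsobj):
    """Group entries that were never attached to the tree under an "Orphaned" node.

    Args:
        root: parent node for the "Orphaned" container.
        mfsobj: module object handed to the Node constructor.

    Returns:
        The "Orphaned" node, or None when every entry id was already attached
        (entry count equals attached-id count).
    """
    if len(self.__entries) == len(self.__addedEntriesID):
        return None
    orphaned = Node('Orphaned', 0, root, mfsobj)
    orphaned.__disown__()
    # Build the membership set once: the original tested `eid not in` a list
    # for every id, which is quadratic on large filesystems.
    attached = set(self.__addedEntriesID)
    for eid in range(len(self.__entries)):
        if eid in attached:
            continue
        try:
            entry = self.__entries[eid]
        except KeyError:
            # Ids are not necessarily contiguous; a gap is not an orphan.
            continue
        if entry:
            orphaned.addChild(entry)
    return orphaned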
def start(self, args):
    """Build a flat test tree of directory nodes under the "parent" argument.

    Args:
        args: module argument map; "parent" is the node the tree hangs from,
            the optional "count" overrides the default of 50000 children.
    """
    self.parent = args["parent"].value()
    self.count = args["count"].value() if args.has_key("count") else 50000
    self.root = Node("node-test")
    # NOTE(review): this disowns the module object, not self.root — every
    # child below is disowned explicitly; confirm self.root is meant to stay owned.
    self.__disown__()
    for index in xrange(0, self.count):
        child = Node(str(index), 0, self.root, self)
        # Progress report every 10000 nodes (index 0 included).
        if index % 10000 == 0:
            print("have create " + str(index) + " nodes")
        child.setDir()
        child.__disown__()
    self.registerTree(self.parent, self.root)
def start(self, args):
    """Build a flat test tree of directory nodes under the "parent" argument.

    Args:
        args: module argument map; "parent" is the node the tree hangs from,
            the optional "count" overrides the default of 50000 children.
    """
    self.parent = args["parent"].value()
    self.count = args["count"].value() if args.has_key("count") else 50000
    self.root = Node("node-test")
    # NOTE(review): this disowns the module object, not self.root — every
    # child below is disowned explicitly; confirm self.root is meant to stay owned.
    self.__disown__()
    for index in xrange(0, self.count):
        child = Node(str(index), 0, self.root, self)
        # Progress report every 10000 nodes (index 0 included).
        if index % 10000 == 0:
            print("have create " + str(index) + " nodes")
        child.setDir()
        child.__disown__()
    self.registerTree(self.parent, self.root)
def exportClick(self, clickState):
    """Bookmark every displayed node inside the current selection rectangle.

    Links are created under
    /Bookmarks/timeline/<timeline node>/<start> to <end>/<family:metric>,
    creating each directory level on first use. The /timeline node is
    created once per panel and announced to the VFS through an event.

    Args:
        clickState: Qt "clicked(bool)" payload, unused.
    """
    selection = self.timeline.ploter.selectionRect.rect()
    lowerDate = self.timeline.draw.findXTime(selection.x())
    upperDate = self.timeline.draw.findXTime(selection.x() + selection.width())
    stamp = '%d.%m.%Y %H:%M:%S'

    def directoryUnder(parent, name):
        # Reuse the child when the VFS already holds it, else create it as a dir.
        existing = vfs.vfs().getnode(parent.absolute() + '/' + name)
        if existing:
            return existing
        created = Node(name, 0, parent)
        created.__disown__()
        created.setDir()
        return created

    for family in self.configuration:
        for metric in family[1]:
            # metric[1][0][1] is the "checked" flag, metric[1][5][1] the ordered node list.
            if not metric[1][0][1]:
                continue
            groups = self.timeline.elementsInRangeToNodeList(
                metric[1][5][1],
                self.timeline.toUSec(lowerDate),
                self.timeline.toUSec(upperDate))
            matches = [node for group in groups for node in group]
            if not matches:
                continue
            if not self.exportedNode:
                bookmarks = vfs.vfs().getnode('/Bookmarks')
                timelineNode = Node('timeline', 0, bookmarks)
                timelineNode.__disown__()
                timelineNode.setDir()
                notification = event()
                notification.thisown = False
                notification.value = RCVariant(Variant(timelineNode))
                self.VFS.notify(notification)
                self.exportedNode = Node(self.timeline.node.name(), 0, timelineNode)
                self.exportedNode.__disown__()
                self.exportedNode.setDir()
            rangeName = str(lowerDate.strftime(stamp)) + ' to ' + str(upperDate.strftime(stamp))
            rangeNode = directoryUnder(self.exportedNode, rangeName)
            familyNode = directoryUnder(rangeNode, ':'.join([family[0]] + metric[0]))
            for node in matches:
                link = VLink(node, familyNode)
                link.__disown__()
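class OptionsLayout(QTabWidget):
    '''
    Manages right panel.
    Provides general informations, navigation and timestamp selection.
    Navigation allow user to zoom in timeline.
    Timestamp selection allow user to select which timestamp to display with which color.

    self.configuration is a list of [familyName, metrics]; each metric is
    [metricPath, params] where params is the positional list built by
    _metricConfig() (see that method for the index meaning). The list is
    indexed positionally throughout this class.
    '''
    def __init__(self, parent):
        QTabWidget.__init__(self)
        self.setTabPosition(QTabWidget.East)
        self.init(parent)
        self.initShape()

    def init(self, parent):
        """Reset panel state; `parent` is the timeline widget this panel drives."""
        self.VFS = libvfs.VFS.Get()
        self.timeline = parent
        # colorChange() bookkeeping: the color/index being swapped away and the
        # metric index that initiated the swap (-1 when idle).
        self.swapIndex = -1
        self.swapColor = ''
        self.metricIndex = -1
        self.configuration = []
        self.zoom = False
        # /Bookmarks/timeline/<timeline node>, created lazily by exportClick().
        self.exportedNode = None

    def initShape(self):
        """Build the three tabs: Global info, Navigation and Display."""
        self.h = QHBoxLayout()
        self.vbox = QVBoxLayout()
        self.vbox.setMargin(0)
        self.vbox.setSpacing(0)
        self.vbox.setAlignment(Qt.AlignTop)
        self.setLayout(self.vbox)
        self.infoBox = QGroupBox('Global information')
        self.totalNodes = QLabel('No time found in nodes')
        self.startTime = QLabel('No start time')
        self.endTime = QLabel('No end time')
        self.navBox = QGroupBox('Navigation')
        self.selStartTime = QLabel('No selection start time')
        self.selEndTime = QLabel('No selection end time')
        self.buttonLayout = QHBoxLayout()
        # All three buttons start disabled; the timeline enables them once a
        # selection exists.
        self.zoomButton = QPushButton('Zoom')
        self.zoomButton.setEnabled(False)
        self.zoomButton.connect(self.zoomButton, SIGNAL("clicked(bool)"), self.zoomClick)
        self.dezoomButton = QPushButton('Original Size')
        self.dezoomButton.setEnabled(False)
        self.dezoomButton.connect(self.dezoomButton, SIGNAL("clicked(bool)"), self.dezoomClick)
        self.exportButton = QPushButton('Export')
        self.exportButton.setEnabled(False)
        self.exportButton.connect(self.exportButton, SIGNAL("clicked(bool)"), self.exportClick)
        self.buttonLayout.setAlignment(Qt.AlignLeft)
        self.buttonLayout.addWidget(self.zoomButton)
        self.buttonLayout.addWidget(self.dezoomButton)
        self.selectedNodes = QLabel('Nothing selected')
        self.infoLayout = QVBoxLayout()
        self.infoLayout.setAlignment(Qt.AlignTop)
        self.infoLayout.addWidget(self.totalNodes)
        self.infoLayout.addWidget(self.startTime)
        self.infoLayout.addWidget(self.endTime)
        self.infoBox.setLayout(self.infoLayout)
        self.navLayout = QVBoxLayout()
        self.navLayout.setAlignment(Qt.AlignTop)
        self.navLayout.addWidget(self.selStartTime)
        self.navLayout.addWidget(self.selEndTime)
        self.navLayout.addLayout(self.buttonLayout)
        self.navLayout.addWidget(self.selectedNodes)
        self.navLayout.addWidget(self.exportButton)
        self.navBox.setLayout(self.navLayout)
        self.familyLayout = QVBoxLayout()
        self.familyLayout.setMargin(0)
        self.familyLayout.setSpacing(0)
        self.familyWidget = QWidget()
        self.familyWidget.setLayout(self.familyLayout)
        self.familyScroll = QScrollArea()
        self.insertTab(0, self.infoBox, 'Global')
        self.insertTab(1, self.navBox, 'Navigation')
        self.insertTab(2, self.familyScroll, 'Display')

    def newInformations(self):
        """Refresh the Global and Navigation labels from the timeline's counters and bounds."""
        if self.timeline.timesCount > 1:
            sTimes = str(self.timeline.timesCount) + ' time values'
        else:
            sTimes = 'One time value'
        if self.timeline.nodeCount > 1:
            sNodes = str(self.timeline.nodeCount) + ' nodes'
        else:
            sNodes = 'one node'
        self.totalNodes.setText(sTimes + '\n' + sNodes)
        stamp = '%d.%m.%Y %H:%M:%S'
        # Global bounds are only shown once they differ from the raw data bounds.
        if self.timeline.baseDateMin != self.timeline.dateMin:
            self.startTime.setText('From ' + str(self.timeline.fromUSec(self.timeline.baseDateMin).strftime(stamp)))
        if self.timeline.selDateMin:
            self.selStartTime.setText('From ' + str(self.timeline.fromUSec(self.timeline.selDateMin).strftime(stamp)))
        else:
            self.selStartTime.setText('No selection start time')
        if self.timeline.baseDateMax != self.timeline.dateMax:
            self.endTime.setText('To ' + str(self.timeline.fromUSec(self.timeline.baseDateMax).strftime(stamp)))
        if self.timeline.selDateMax:
            self.selEndTime.setText('To ' + str(self.timeline.fromUSec(self.timeline.selDateMax).strftime(stamp)))
        else:
            self.selEndTime.setText('No selection end time')

    def dumpOptionsConf(self):
        """Debug helper: print the configuration tree to stdout."""
        for family in self.configuration:
            if not family[1]:
                print(family[0] + ': empty')
            else:
                print(family[0] + ':')
                for time in family[1]:
                    # time[0] is the metric path list (see ':'.join(time[0]) in
                    # createMetricTools); concatenating it to a str raised TypeError.
                    print('\t' + ':'.join(time[0]) + ':')
                    for param in time[1]:
                        print('\t\t%s: %s' % (param[0], param[1]))

    def _metricConfig(self, checked, color):
        """Return a fresh per-metric parameter list.

        Index meaning (the list is accessed positionally everywhere):
          [0] checked        [1] color          [2] checkBox (QCheckBox)
          [3] colorWidget    [4] colorWidgetIndex  [5] orderedNodeList
          [6] dateLimits     [7] mainPixmap     [8] zoomPixmap
        mainPixmap/zoomPixmap are [dirty, pixmap] pairs; dirty=True forces a redraw.
        """
        return [['checked', checked],
                ['color', color],
                ['checkBox', None],
                ['colorWidget', None],
                ['colorWidgetIndex', -1],
                ['orderedNodeList', {'dates': None, 'nodes': None}],
                ['dateLimits', [long(0), long(0xffffffffffffffff)]],
                ['mainPixmap', [True, None]],
                ['zoomPixmap', [True, None]]]

    def createMetricTools(self):
        '''
        Called once countThread is over.

        Builds self.configuration from the timeline's timeMap on the first call
        and creates one check box + color combo per metric in the Display tab.
        Metrics beyond the number of available colors start unchecked and gray.
        Later calls are no-ops.
        '''
        if not self.configuration:
            # First, create configuration dictionary
            i = 0
            for timeFamily, timeList in self.timeline.timeMap.items():
                if len(timeList):
                    # One sub dictionary per time family
                    self.configuration.append([timeFamily, []])
                    for oneMetric in timeList:
                        # One entry per family sub time; a color is assigned
                        # while some remain, else the metric is left unchecked.
                        if i < len(self.timeline.colors):
                            entry = self._metricConfig(True, self.timeline.colors[i][0])
                        else:
                            entry = self._metricConfig(False, '')
                        self.configuration[-1][1].append([oneMetric, entry])
                        i += 1
                else:
                    self.configuration.append([timeFamily, []])
            # Configuration object created, now create graphical view of it
            i = 0
            for family in self.configuration:
                if family[1]:
                    box = QGroupBox(family[0])
                    oneTime = QVBoxLayout()
                    for time in family[1]:
                        hbox = QHBoxLayout()
                        time[1][2][1] = QCheckBox(':'.join(time[0]))
                        self.connect(time[1][2][1], SIGNAL("stateChanged(int)"), self.checkboxClick)
                        time[1][3][1] = QComboBox()
                        for color in self.timeline.colors:
                            time[1][3][1].addItem(color[0])
                        palette = time[1][2][1].palette()
                        if i < len(self.timeline.colors):
                            time[1][2][1].setChecked(time[1][0][1])
                            # Colorize foreground
                            palette.setColor(QPalette.WindowText, self.timeline.colors[i][1])
                            time[1][3][1].setCurrentIndex(i)
                            time[1][4][1] = i
                        else:
                            # Every color already used: don't check (default) and don't select any color
                            palette.setColor(QPalette.WindowText, Qt.gray)
                            time[1][0][1] = False
                            time[1][3][1].setEnabled(False)
                        time[1][2][1].setPalette(palette)
                        self.connect(time[1][3][1], SIGNAL("currentIndexChanged(const QString&)"), self.colorChange)
                        hbox.addWidget(time[1][2][1])
                        hbox.addWidget(time[1][3][1])
                        oneTime.addLayout(hbox)
                        i += 1
                    box.setLayout(oneTime)
                    optimum = box.minimumSizeHint()
                    box.setFixedSize(optimum)
                    # Grow the scrolled widget to fit the new group box.
                    if optimum.width() > self.familyLayout.sizeHint().width():
                        geom = QRect(0, 0, optimum.width(), self.familyLayout.sizeHint().height() + optimum.height())
                    else:
                        geom = QRect(0, 0, self.familyLayout.sizeHint().width(), self.familyLayout.sizeHint().height() + optimum.height())
                    self.familyLayout.addWidget(box)
                    self.familyLayout.setGeometry(geom)
                    self.familyWidget.setFixedSize(geom.width(), geom.height())
            self.familyScroll.setWidget(self.familyWidget)
        else:
            # Configuration object already created; we are called because an item has been
            # unchecked or its color has changed.
            pass

    def colorChange(self, colorText):
        """Slot for a color combo change: swap colors so that no two enabled metrics share one.

        Args:
            colorText: the newly selected color name (QString).

        The first pass finds the combo whose stored color differs from its
        current text (the one the user changed) and records the old color/index
        in swapColor/swapIndex; the metric that previously owned the new color
        is then given the old one. setCurrentIndex() re-enters this slot, which
        is why the scan runs twice and the swap state is cleared at the end.
        """
        loop = 2
        while loop:
            i = 0
            for family in self.configuration:
                for time in family[1]:
                    if time[1][3][1]:
                        if QString(time[1][1][1]) != time[1][3][1].currentText() and self.swapIndex == -1 and self.metricIndex == -1 and time[1][3][1].isEnabled():
                            # This selection has just been changed
                            self.swapColor = time[1][1][1]
                            self.swapIndex = time[1][4][1]
                            time[1][1][1] = str(colorText)
                            palette = time[1][2][1].palette()
                            palette.setColor(QPalette.WindowText, self.timeline.colors[time[1][3][1].currentIndex()][1])
                            time[1][2][1].setPalette(palette)
                            time[1][4][1] = time[1][3][1].currentIndex()
                            # Mark both pixmaps dirty so the metric is redrawn.
                            time[1][7][1][0] = True
                            time[1][8][1][0] = True
                            self.metricIndex = i
                        if QString(time[1][1][1]) == colorText and self.swapIndex != -1 and self.metricIndex != i and time[1][3][1].isEnabled():
                            # This selection is impacted because color is the same as the one just selected
                            # Changing color relaunch another signal.
                            time[1][1][1] = self.swapColor
                            time[1][4][1] = self.swapIndex
                            time[1][3][1].setCurrentIndex(self.swapIndex)
                            time[1][7][1][0] = True
                            time[1][8][1][0] = True
                            palette = time[1][2][1].palette()
                            palette.setColor(QPalette.WindowText, self.timeline.colors[time[1][3][1].currentIndex()][1])
                            time[1][2][1].setPalette(palette)
                            self.metricIndex = -1
                    i += 1
            loop -= 1
        # Swap already done; redraw and reset the swap state.
        self.timeline.updatePaintingArea()
        self.swapIndex = -1
        self.swapColor = ''
        self.metricIndex = -1

    def checkboxClick(self, newState):
        """Slot for a metric check box: enable/disable its color and evict a metric already using that color.

        Args:
            newState: Qt "stateChanged(int)" payload, unused; every box is
                re-read so the same handler serves all of them.
        """
        self.selectedNodes.setText('Nothing selected')
        self.zoomButton.setEnabled(False)
        self.exportButton.setEnabled(False)
        for family in self.configuration:
            for time in family[1]:
                if time[1][2][1]:
                    palette = time[1][2][1].palette()
                    if not time[1][2][1].checkState() and time[1][0][1]:
                        # This box has just been unchecked
                        time[1][0][1] = False
                        time[1][3][1].setEnabled(False)
                        palette.setColor(QPalette.WindowText, Qt.gray)
                    elif time[1][2][1].checkState() and not time[1][0][1]:
                        # This box has just been checked
                        time[1][0][1] = True
                        time[1][3][1].setEnabled(True)
                        palette.setColor(QPalette.WindowText, self.timeline.colors[time[1][3][1].currentIndex()][1])
                        time[1][1][1] = self.timeline.colors[time[1][3][1].currentIndex()][0]
                        time[1][4][1] = time[1][3][1].currentIndex()
                        time[1][7][1][0] = True
                        time[1][8][1][0] = True
                        # Deactivate any other enabled metric already using this color.
                        for family2 in self.configuration:
                            for time2 in family2[1]:
                                if time2[1][3][1] and time2[1][3][1].isEnabled():
                                    if self.timeline.colors[time2[1][3][1].currentIndex()][0] == self.timeline.colors[time[1][3][1].currentIndex()][0] and time2[1][3][1] != time[1][3][1]:
                                        palette2 = time2[1][2][1].palette()
                                        time2[1][0][1] = False
                                        time2[1][2][1].setChecked(False)
                                        time2[1][3][1].setEnabled(False)
                                        palette2.setColor(QPalette.WindowText, Qt.gray)
                                        time2[1][2][1].setPalette(palette2)
                    time[1][2][1].setPalette(palette)
        self.timeline.updatePaintingArea()

    def zoomClick(self, clickState):
        """Zoom the timeline to the selection rectangle and refresh the labels."""
        self.timeline.maxOccZoom = 0
        rect = self.timeline.ploter.selectionRect.rect()
        newSelDateMin = self.timeline.draw.findXTime(rect.x())
        newSelDateMax = self.timeline.draw.findXTime(rect.x() + rect.width())
        self.timeline.selDateMin = self.timeline.toUSec(newSelDateMin)
        self.timeline.selDateMax = self.timeline.toUSec(newSelDateMax)
        self.newInformations()
        self.dezoomButton.setEnabled(True)
        self.zoomButton.setEnabled(False)
        self.exportButton.setEnabled(False)
        # Replace the last word of "<n> nodes selected" with "displayed".
        txt = str(self.selectedNodes.text())
        self.selectedNodes.setText(txt[:txt.rfind(' ')] + ' displayed')
        self.zoom = True
        self.timeline.updatePaintingArea(True)

    def dezoomClick(self, clickState):
        """Return to the full range, dropping the selection and cached zoom pixmaps."""
        self.dezoomButton.setEnabled(False)
        self.zoomButton.setEnabled(False)
        self.exportButton.setEnabled(False)
        self.zoom = False
        self.timeline.selDateMin = None
        self.timeline.selDateMax = None
        self.timeline.maxOccZoom = 0
        self.newInformations()
        for family in self.configuration:
            for time in family[1]:
                if time[1][8][1]:
                    time[1][8][1][0] = True
                    time[1][8][1][1] = None
        self.timeline.updatePaintingArea()

    def _ensureDirNode(self, parent, name):
        """Return the VFS child `name` of `parent`, creating it as a directory when absent."""
        node = vfs.vfs().getnode(parent.absolute() + '/' + name)
        if not node:
            node = Node(name, 0, parent)
            node.__disown__()
            node.setDir()
        return node

    def exportClick(self, clickState):
        """Bookmark every displayed node inside the selection rectangle.

        Links go under /Bookmarks/timeline/<timeline node>/<start> to <end>/<family:metric>;
        the /timeline node is created once per panel and announced through a VFS event.
        """
        rect = self.timeline.ploter.selectionRect.rect()
        exportSelDateMin = self.timeline.draw.findXTime(rect.x())
        exportSelDateMax = self.timeline.draw.findXTime(rect.x() + rect.width())
        stamp = '%d.%m.%Y %H:%M:%S'
        for family in self.configuration:
            for time in family[1]:
                if time[1][0][1]:
                    everyNodes = self.timeline.elementsInRangeToNodeList(time[1][5][1], self.timeline.toUSec(exportSelDateMin), self.timeline.toUSec(exportSelDateMax))
                    nodes = [node for oneGroupNode in everyNodes for node in oneGroupNode]
                    if nodes:
                        if not self.exportedNode:
                            # Create /timeline if needed
                            root = vfs.vfs().getnode('/Bookmarks')
                            baseNode = Node('timeline', 0, root)
                            baseNode.__disown__()
                            baseNode.setDir()
                            e = event()
                            e.thisown = False
                            e.value = RCVariant(Variant(baseNode))
                            self.VFS.notify(e)
                            # Create /timeline/<ParentName>
                            self.exportedNode = Node(self.timeline.node.name(), 0, baseNode)
                            self.exportedNode.__disown__()
                            self.exportedNode.setDir()
                        rangeName = str(exportSelDateMin.strftime(stamp)) + ' to ' + str(exportSelDateMax.strftime(stamp))
                        timeBaseNode = self._ensureDirNode(self.exportedNode, rangeName)
                        baseFamilyNode = self._ensureDirNode(timeBaseNode, ':'.join([family[0]] + time[0]))
                        for node in nodes:
                            l = VLink(node, baseFamilyNode)
                            l.__disown__()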
def exportClick(self, clickState):
    """Bookmark every displayed node inside the current selection rectangle.

    Links are created under
    /Bookmarks/timeline/<timeline node>/<start> to <end>/<family:metric>,
    creating each directory level on first use. The /timeline node is
    created once per panel and announced to the VFS through an event.

    Args:
        clickState: Qt "clicked(bool)" payload, unused.
    """
    selection = self.timeline.ploter.selectionRect.rect()
    lowerDate = self.timeline.draw.findXTime(selection.x())
    upperDate = self.timeline.draw.findXTime(selection.x() + selection.width())
    stamp = '%d.%m.%Y %H:%M:%S'

    def directoryUnder(parent, name):
        # Reuse the child when the VFS already holds it, else create it as a dir.
        existing = vfs.vfs().getnode(parent.absolute() + '/' + name)
        if existing:
            return existing
        created = Node(name, 0, parent)
        created.__disown__()
        created.setDir()
        return created

    for family in self.configuration:
        for metric in family[1]:
            # metric[1][0][1] is the "checked" flag, metric[1][5][1] the ordered node list.
            if not metric[1][0][1]:
                continue
            groups = self.timeline.elementsInRangeToNodeList(
                metric[1][5][1],
                self.timeline.toUSec(lowerDate),
                self.timeline.toUSec(upperDate))
            matches = [node for group in groups for node in group]
            if not matches:
                continue
            if not self.exportedNode:
                bookmarks = vfs.vfs().getnode('/Bookmarks')
                timelineNode = Node('timeline', 0, bookmarks)
                timelineNode.__disown__()
                timelineNode.setDir()
                notification = event()
                notification.thisown = False
                notification.value = RCVariant(Variant(timelineNode))
                self.VFS.notify(notification)
                self.exportedNode = Node(self.timeline.node.name(), 0, timelineNode)
                self.exportedNode.__disown__()
                self.exportedNode.setDir()
            rangeName = str(lowerDate.strftime(stamp)) + ' to ' + str(upperDate.strftime(stamp))
            rangeNode = directoryUnder(self.exportedNode, rangeName)
            familyNode = directoryUnder(rangeNode, ':'.join([family[0]] + metric[0]))
            for node in matches:
                link = VLink(node, familyNode)
                link.__disown__()
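class OptionsLayout(QTabWidget):
    '''
    Manages right panel.
    Provides general informations, navigation and timestamp selection.
    Navigation allow user to zoom in timeline.
    Timestamp selection allow user to select which timestamp to display with which color.

    self.configuration is a list of [familyName, metrics]; each metric is
    [metricPath, params] where params is the positional list built by
    _metricConfig() (see that method for the index meaning). The list is
    indexed positionally throughout this class.
    '''
    def __init__(self, parent):
        QTabWidget.__init__(self)
        self.setTabPosition(QTabWidget.East)
        self.init(parent)
        self.initShape()

    def init(self, parent):
        """Reset panel state; `parent` is the timeline widget this panel drives."""
        self.VFS = libvfs.VFS.Get()
        self.timeline = parent
        # colorChange() bookkeeping: the color/index being swapped away and the
        # metric index that initiated the swap (-1 when idle).
        self.swapIndex = -1
        self.swapColor = ''
        self.metricIndex = -1
        self.configuration = []
        self.zoom = False
        # /Bookmarks/timeline/<timeline node>, created lazily by exportClick().
        self.exportedNode = None

    def initShape(self):
        """Build the three tabs: Global info, Navigation and Display."""
        self.h = QHBoxLayout()
        self.vbox = QVBoxLayout()
        self.vbox.setMargin(0)
        self.vbox.setSpacing(0)
        self.vbox.setAlignment(Qt.AlignTop)
        self.setLayout(self.vbox)
        self.infoBox = QGroupBox('Global information')
        self.totalNodes = QLabel('No time found in nodes')
        self.startTime = QLabel('No start time')
        self.endTime = QLabel('No end time')
        self.navBox = QGroupBox('Navigation')
        self.selStartTime = QLabel('No selection start time')
        self.selEndTime = QLabel('No selection end time')
        self.buttonLayout = QHBoxLayout()
        # All three buttons start disabled; the timeline enables them once a
        # selection exists.
        self.zoomButton = QPushButton('Zoom')
        self.zoomButton.setEnabled(False)
        self.zoomButton.connect(self.zoomButton, SIGNAL("clicked(bool)"), self.zoomClick)
        self.dezoomButton = QPushButton('Original Size')
        self.dezoomButton.setEnabled(False)
        self.dezoomButton.connect(self.dezoomButton, SIGNAL("clicked(bool)"), self.dezoomClick)
        self.exportButton = QPushButton('Export')
        self.exportButton.setEnabled(False)
        self.exportButton.connect(self.exportButton, SIGNAL("clicked(bool)"), self.exportClick)
        self.buttonLayout.setAlignment(Qt.AlignLeft)
        self.buttonLayout.addWidget(self.zoomButton)
        self.buttonLayout.addWidget(self.dezoomButton)
        self.selectedNodes = QLabel('Nothing selected')
        self.infoLayout = QVBoxLayout()
        self.infoLayout.setAlignment(Qt.AlignTop)
        self.infoLayout.addWidget(self.totalNodes)
        self.infoLayout.addWidget(self.startTime)
        self.infoLayout.addWidget(self.endTime)
        self.infoBox.setLayout(self.infoLayout)
        self.navLayout = QVBoxLayout()
        self.navLayout.setAlignment(Qt.AlignTop)
        self.navLayout.addWidget(self.selStartTime)
        self.navLayout.addWidget(self.selEndTime)
        self.navLayout.addLayout(self.buttonLayout)
        self.navLayout.addWidget(self.selectedNodes)
        self.navLayout.addWidget(self.exportButton)
        self.navBox.setLayout(self.navLayout)
        self.familyLayout = QVBoxLayout()
        self.familyLayout.setMargin(0)
        self.familyLayout.setSpacing(0)
        self.familyWidget = QWidget()
        self.familyWidget.setLayout(self.familyLayout)
        self.familyScroll = QScrollArea()
        self.insertTab(0, self.infoBox, 'Global')
        self.insertTab(1, self.navBox, 'Navigation')
        self.insertTab(2, self.familyScroll, 'Display')

    def newInformations(self):
        """Refresh the Global and Navigation labels from the timeline's counters and bounds."""
        if self.timeline.timesCount > 1:
            sTimes = str(self.timeline.timesCount) + ' time values'
        else:
            sTimes = 'One time value'
        if self.timeline.nodeCount > 1:
            sNodes = str(self.timeline.nodeCount) + ' nodes'
        else:
            sNodes = 'one node'
        self.totalNodes.setText(sTimes + '\n' + sNodes)
        stamp = '%d.%m.%Y %H:%M:%S'
        # Global bounds are only shown once they differ from the raw data bounds.
        if self.timeline.baseDateMin != self.timeline.dateMin:
            self.startTime.setText('From ' + str(self.timeline.fromUSec(self.timeline.baseDateMin).strftime(stamp)))
        if self.timeline.selDateMin:
            self.selStartTime.setText('From ' + str(self.timeline.fromUSec(self.timeline.selDateMin).strftime(stamp)))
        else:
            self.selStartTime.setText('No selection start time')
        if self.timeline.baseDateMax != self.timeline.dateMax:
            self.endTime.setText('To ' + str(self.timeline.fromUSec(self.timeline.baseDateMax).strftime(stamp)))
        if self.timeline.selDateMax:
            self.selEndTime.setText('To ' + str(self.timeline.fromUSec(self.timeline.selDateMax).strftime(stamp)))
        else:
            self.selEndTime.setText('No selection end time')

    def dumpOptionsConf(self):
        """Debug helper: print the configuration tree to stdout."""
        for family in self.configuration:
            if not family[1]:
                print(family[0] + ': empty')
            else:
                print(family[0] + ':')
                for time in family[1]:
                    # time[0] is the metric path list (see ':'.join(time[0]) in
                    # createMetricTools); concatenating it to a str raised TypeError.
                    print('\t' + ':'.join(time[0]) + ':')
                    for param in time[1]:
                        print('\t\t%s: %s' % (param[0], param[1]))

    def _metricConfig(self, checked, color):
        """Return a fresh per-metric parameter list.

        Index meaning (the list is accessed positionally everywhere):
          [0] checked        [1] color          [2] checkBox (QCheckBox)
          [3] colorWidget    [4] colorWidgetIndex  [5] orderedNodeList
          [6] dateLimits     [7] mainPixmap     [8] zoomPixmap
        mainPixmap/zoomPixmap are [dirty, pixmap] pairs; dirty=True forces a redraw.
        """
        return [['checked', checked],
                ['color', color],
                ['checkBox', None],
                ['colorWidget', None],
                ['colorWidgetIndex', -1],
                ['orderedNodeList', {'dates': None, 'nodes': None}],
                ['dateLimits', [long(0), long(0xffffffffffffffff)]],
                ['mainPixmap', [True, None]],
                ['zoomPixmap', [True, None]]]

    def createMetricTools(self):
        '''
        Called once countThread is over.

        Builds self.configuration from the timeline's timeMap on the first call
        and creates one check box + color combo per metric in the Display tab.
        Metrics beyond the number of available colors start unchecked and gray.
        Later calls are no-ops.
        '''
        if not self.configuration:
            # First, create configuration dictionary
            i = 0
            for timeFamily, timeList in self.timeline.timeMap.items():
                if len(timeList):
                    # One sub dictionary per time family
                    self.configuration.append([timeFamily, []])
                    for oneMetric in timeList:
                        # One entry per family sub time; a color is assigned
                        # while some remain, else the metric is left unchecked.
                        if i < len(self.timeline.colors):
                            entry = self._metricConfig(True, self.timeline.colors[i][0])
                        else:
                            entry = self._metricConfig(False, '')
                        self.configuration[-1][1].append([oneMetric, entry])
                        i += 1
                else:
                    self.configuration.append([timeFamily, []])
            # Configuration object created, now create graphical view of it
            i = 0
            for family in self.configuration:
                if family[1]:
                    box = QGroupBox(family[0])
                    oneTime = QVBoxLayout()
                    for time in family[1]:
                        hbox = QHBoxLayout()
                        time[1][2][1] = QCheckBox(':'.join(time[0]))
                        self.connect(time[1][2][1], SIGNAL("stateChanged(int)"), self.checkboxClick)
                        time[1][3][1] = QComboBox()
                        for color in self.timeline.colors:
                            time[1][3][1].addItem(color[0])
                        palette = time[1][2][1].palette()
                        if i < len(self.timeline.colors):
                            time[1][2][1].setChecked(time[1][0][1])
                            # Colorize foreground
                            palette.setColor(QPalette.WindowText, self.timeline.colors[i][1])
                            time[1][3][1].setCurrentIndex(i)
                            time[1][4][1] = i
                        else:
                            # Every color already used: don't check (default) and don't select any color
                            palette.setColor(QPalette.WindowText, Qt.gray)
                            time[1][0][1] = False
                            time[1][3][1].setEnabled(False)
                        time[1][2][1].setPalette(palette)
                        self.connect(time[1][3][1], SIGNAL("currentIndexChanged(const QString&)"), self.colorChange)
                        hbox.addWidget(time[1][2][1])
                        hbox.addWidget(time[1][3][1])
                        oneTime.addLayout(hbox)
                        i += 1
                    box.setLayout(oneTime)
                    optimum = box.minimumSizeHint()
                    box.setFixedSize(optimum)
                    # Grow the scrolled widget to fit the new group box.
                    if optimum.width() > self.familyLayout.sizeHint().width():
                        geom = QRect(0, 0, optimum.width(), self.familyLayout.sizeHint().height() + optimum.height())
                    else:
                        geom = QRect(0, 0, self.familyLayout.sizeHint().width(), self.familyLayout.sizeHint().height() + optimum.height())
                    self.familyLayout.addWidget(box)
                    self.familyLayout.setGeometry(geom)
                    self.familyWidget.setFixedSize(geom.width(), geom.height())
            self.familyScroll.setWidget(self.familyWidget)
        else:
            # Configuration object already created; we are called because an item has been
            # unchecked or its color has changed.
            pass

    def colorChange(self, colorText):
        """Slot for a color combo change: swap colors so that no two enabled metrics share one.

        Args:
            colorText: the newly selected color name (QString).

        The first pass finds the combo whose stored color differs from its
        current text (the one the user changed) and records the old color/index
        in swapColor/swapIndex; the metric that previously owned the new color
        is then given the old one. setCurrentIndex() re-enters this slot, which
        is why the scan runs twice and the swap state is cleared at the end.
        """
        loop = 2
        while loop:
            i = 0
            for family in self.configuration:
                for time in family[1]:
                    if time[1][3][1]:
                        if QString(time[1][1][1]) != time[1][3][1].currentText() and self.swapIndex == -1 and self.metricIndex == -1 and time[1][3][1].isEnabled():
                            # This selection has just been changed
                            self.swapColor = time[1][1][1]
                            self.swapIndex = time[1][4][1]
                            time[1][1][1] = str(colorText)
                            palette = time[1][2][1].palette()
                            palette.setColor(QPalette.WindowText, self.timeline.colors[time[1][3][1].currentIndex()][1])
                            time[1][2][1].setPalette(palette)
                            time[1][4][1] = time[1][3][1].currentIndex()
                            # Mark both pixmaps dirty so the metric is redrawn.
                            time[1][7][1][0] = True
                            time[1][8][1][0] = True
                            self.metricIndex = i
                        if QString(time[1][1][1]) == colorText and self.swapIndex != -1 and self.metricIndex != i and time[1][3][1].isEnabled():
                            # This selection is impacted because color is the same as the one just selected
                            # Changing color relaunch another signal.
                            time[1][1][1] = self.swapColor
                            time[1][4][1] = self.swapIndex
                            time[1][3][1].setCurrentIndex(self.swapIndex)
                            time[1][7][1][0] = True
                            time[1][8][1][0] = True
                            palette = time[1][2][1].palette()
                            palette.setColor(QPalette.WindowText, self.timeline.colors[time[1][3][1].currentIndex()][1])
                            time[1][2][1].setPalette(palette)
                            self.metricIndex = -1
                    i += 1
            loop -= 1
        # Swap already done; redraw and reset the swap state.
        self.timeline.updatePaintingArea()
        self.swapIndex = -1
        self.swapColor = ''
        self.metricIndex = -1

    def checkboxClick(self, newState):
        """Slot for a metric check box: enable/disable its color and evict a metric already using that color.

        Args:
            newState: Qt "stateChanged(int)" payload, unused; every box is
                re-read so the same handler serves all of them.
        """
        self.selectedNodes.setText('Nothing selected')
        self.zoomButton.setEnabled(False)
        self.exportButton.setEnabled(False)
        for family in self.configuration:
            for time in family[1]:
                if time[1][2][1]:
                    palette = time[1][2][1].palette()
                    if not time[1][2][1].checkState() and time[1][0][1]:
                        # This box has just been unchecked
                        time[1][0][1] = False
                        time[1][3][1].setEnabled(False)
                        palette.setColor(QPalette.WindowText, Qt.gray)
                    elif time[1][2][1].checkState() and not time[1][0][1]:
                        # This box has just been checked
                        time[1][0][1] = True
                        time[1][3][1].setEnabled(True)
                        palette.setColor(QPalette.WindowText, self.timeline.colors[time[1][3][1].currentIndex()][1])
                        time[1][1][1] = self.timeline.colors[time[1][3][1].currentIndex()][0]
                        time[1][4][1] = time[1][3][1].currentIndex()
                        time[1][7][1][0] = True
                        time[1][8][1][0] = True
                        # Deactivate any other enabled metric already using this color.
                        for family2 in self.configuration:
                            for time2 in family2[1]:
                                if time2[1][3][1] and time2[1][3][1].isEnabled():
                                    if self.timeline.colors[time2[1][3][1].currentIndex()][0] == self.timeline.colors[time[1][3][1].currentIndex()][0] and time2[1][3][1] != time[1][3][1]:
                                        palette2 = time2[1][2][1].palette()
                                        time2[1][0][1] = False
                                        time2[1][2][1].setChecked(False)
                                        time2[1][3][1].setEnabled(False)
                                        palette2.setColor(QPalette.WindowText, Qt.gray)
                                        time2[1][2][1].setPalette(palette2)
                    time[1][2][1].setPalette(palette)
        self.timeline.updatePaintingArea()

    def zoomClick(self, clickState):
        """Zoom the timeline to the selection rectangle and refresh the labels."""
        self.timeline.maxOccZoom = 0
        rect = self.timeline.ploter.selectionRect.rect()
        newSelDateMin = self.timeline.draw.findXTime(rect.x())
        newSelDateMax = self.timeline.draw.findXTime(rect.x() + rect.width())
        self.timeline.selDateMin = self.timeline.toUSec(newSelDateMin)
        self.timeline.selDateMax = self.timeline.toUSec(newSelDateMax)
        self.newInformations()
        self.dezoomButton.setEnabled(True)
        self.zoomButton.setEnabled(False)
        self.exportButton.setEnabled(False)
        # Replace the last word of "<n> nodes selected" with "displayed".
        txt = str(self.selectedNodes.text())
        self.selectedNodes.setText(txt[:txt.rfind(' ')] + ' displayed')
        self.zoom = True
        self.timeline.updatePaintingArea(True)

    def dezoomClick(self, clickState):
        """Return to the full range, dropping the selection and cached zoom pixmaps."""
        self.dezoomButton.setEnabled(False)
        self.zoomButton.setEnabled(False)
        self.exportButton.setEnabled(False)
        self.zoom = False
        self.timeline.selDateMin = None
        self.timeline.selDateMax = None
        self.timeline.maxOccZoom = 0
        self.newInformations()
        for family in self.configuration:
            for time in family[1]:
                if time[1][8][1]:
                    time[1][8][1][0] = True
                    time[1][8][1][1] = None
        self.timeline.updatePaintingArea()

    def _ensureDirNode(self, parent, name):
        """Return the VFS child `name` of `parent`, creating it as a directory when absent."""
        node = vfs.vfs().getnode(parent.absolute() + '/' + name)
        if not node:
            node = Node(name, 0, parent)
            node.__disown__()
            node.setDir()
        return node

    def exportClick(self, clickState):
        """Bookmark every displayed node inside the selection rectangle.

        Links go under /Bookmarks/timeline/<timeline node>/<start> to <end>/<family:metric>;
        the /timeline node is created once per panel and announced through a VFS event.
        """
        rect = self.timeline.ploter.selectionRect.rect()
        exportSelDateMin = self.timeline.draw.findXTime(rect.x())
        exportSelDateMax = self.timeline.draw.findXTime(rect.x() + rect.width())
        stamp = '%d.%m.%Y %H:%M:%S'
        for family in self.configuration:
            for time in family[1]:
                if time[1][0][1]:
                    everyNodes = self.timeline.elementsInRangeToNodeList(time[1][5][1], self.timeline.toUSec(exportSelDateMin), self.timeline.toUSec(exportSelDateMax))
                    nodes = [node for oneGroupNode in everyNodes for node in oneGroupNode]
                    if nodes:
                        if not self.exportedNode:
                            # Create /timeline if needed
                            root = vfs.vfs().getnode('/Bookmarks')
                            baseNode = Node('timeline', 0, root)
                            baseNode.__disown__()
                            baseNode.setDir()
                            e = event()
                            e.thisown = False
                            e.value = RCVariant(Variant(baseNode))
                            self.VFS.notify(e)
                            # Create /timeline/<ParentName>
                            self.exportedNode = Node(self.timeline.node.name(), 0, baseNode)
                            self.exportedNode.__disown__()
                            self.exportedNode.setDir()
                        rangeName = str(exportSelDateMin.strftime(stamp)) + ' to ' + str(exportSelDateMax.strftime(stamp))
                        timeBaseNode = self._ensureDirNode(self.exportedNode, rangeName)
                        baseFamilyNode = self._ensureDirNode(timeBaseNode, ':'.join([family[0]] + time[0]))
                        for node in nodes:
                            l = VLink(node, baseFamilyNode)
                            l.__disown__()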
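class Volatility(mfso):
    """DFF module wrapping Volatility to expose a Windows RAM image as a VFS tree.

    ``start`` mounts, under the memory dump node, a "Windows RAM" root holding
    the process tree (with one VAD tree per process), the loaded DLLs, the
    kernel modules and the network connections found by the Volatility
    scanners.

    Everything is reconstructed from the raw image.  Carved structures
    (psscan / modscan / connscan / sockscan) can be stale, partially
    overwritten or forged by malware, so PIDs, parent links and names read
    from memory are treated as untrusted hints: they are deduplicated,
    cycle-checked and never assumed consistent.

    Progress is reported through ``self.stateinfo`` as "Step i / n" messages;
    ``self.__step``/``self.__steps`` track that counter.
    """

    def __init__(self):
        mfso.__init__(self, "volatility")
        self.__disown__()   # SWIG: the native module manager owns this object
        self._config = ConfigInstance()

    def start(self, args):
        """Module entry point.

        Args:
            args: DFF argument map.  ``args["file"]`` is the memory dump node;
                ``args["profile"]`` (optional) a Volatility profile name.  When
                no profile is given, one is guessed from a KDBG scan.

        Raises:
            RuntimeError: Volatility is not importable, or no profile could be
                determined for the image (an explicit wrong profile makes
                ``utils.load_as`` raise on its own).
        """
        if not with_volatility:
            raise RuntimeError("Volatility not found. Please install it")
        self.memdump = args["file"].value()
        self._config.updateCtx('location', "file://" + self.memdump.absolute())
        self._config.updateCtx('filename', self.memdump.name())
        self._config.updateCtx('debug', True)
        self.__processes = []
        self.__dlls = {}
        self.__step = 1
        self.__steps = 6
        starttime = time.time()
        if args.has_key("profile"):
            self.stateinfo = "Using provided profile: " + args['profile'].toString()
            self._config.updateCtx('profile', args['profile'].value())
            self._aspace = utils.load_as(self._config)
            self._kdbg = tasks.get_kdbg(self._aspace)
            self._config.updateCtx('kdbg', self._kdbg.obj_offset)
        else:
            try:
                self.__guessProfile()
            except Exception:
                # Without a valid address space nothing below can work; fail
                # loudly rather than carry on with a wrong or missing profile
                # and present an empty/garbage tree as a result.
                traceback.print_exc()
                raise RuntimeError("Unable to determine a Volatility profile for " + self.memdump.name() + "; please provide one")
        try:
            self.root = WinRootNode("Windows RAM", self.memdump, self)
            self.registerTree(self.memdump, self.root)
            self.__psxview = psxview.PsXview(self._config)
            self.__findConnections()
            self.__findProcesses()
            self.__createProcessTree()
            self.__createDlls()
            self.__createModules()
            self.__createProcessesVadTree()
            self.stateinfo = ""
        except Exception:
            # Best effort: whatever sub-trees were registered before the
            # failure stay usable; the traceback is the only trace kept.
            # (Narrowed from a bare except so Ctrl-C still interrupts.)
            traceback.print_exc()
        if debug:
            aspace = self._aspace
            count = 0
            while aspace:
                count += 1
                print 'AS Layer', str(count), aspace.__class__.__name__, "(", aspace.name, ")"
                aspace = aspace.base
            print time.time() - starttime

    def __guessProfile(self):
        """Pick the first profile that yields a usable kernel address space.

        The KDBG scan's first suggestion is tried first, then every registered
        profile.  On success ``self._aspace``, ``self._kdbg`` and the
        ``profile``/``kdbg`` config entries are set.

        Raises:
            RuntimeError: no profile produced an address space with a DTB.
        """
        self.__steps += 1
        profiles = [p.__name__ for p in registry.get_plugin_classes(obj.Profile).values()]
        suglist = [s for s, _ in kdbgscan.KDBGScan(self._config).calculate()]
        bestguess = suglist[0] if suglist else None
        if bestguess in profiles:
            profiles = [bestguess] + profiles
        chosen = None
        addr_space = None
        profcount = len(profiles)
        for count, profile in enumerate(profiles, 1):
            self.stateinfo = "Step {:<2d} / {:<2d} -- Guessing profile: trying profile {:<20s} ({:<2d} / {:<2d})".format(
                self.__step, self.__steps, profile, count, profcount)
            self._config.updateCtx('profile', profile)
            addr_space = utils.load_as(self._config, astype='any')
            # A DTB attribute is what distinguishes a real paged address
            # space from a failed layering attempt.
            if hasattr(addr_space, 'dtb'):
                chosen = profile
                break
        if chosen is None:
            # Previously the last profile tried was silently kept; every later
            # scan would then operate on garbage.  Stop here instead.
            raise RuntimeError("No Volatility profile matches this memory image")
        if debug and bestguess != chosen:
            print bestguess, chosen
        volmagic = obj.VolMagic(addr_space)
        kdbgoffset = volmagic.KDBG.v()
        self._kdbg = obj.Object("_KDDEBUGGER_DATA64", offset=kdbgoffset, vm=addr_space)
        self._config.updateCtx('kdbg', self._kdbg.obj_offset)
        self._aspace = addr_space
        self.__step += 1

    def __findProcesses(self):
        """Collect _EPROCESS candidates from every source psxview knows about.

        Same logic as the psxview plugin's ``calculate``, but results are
        stored in ``self.ps_sources`` (source name -> {offset: _EPROCESS})
        instead of being yielded.  Cross-checking several sources is what
        lets unlinked (hidden) processes show up at all.
        """
        all_tasks = list(tasks.pslist(self._aspace))
        self.ps_sources = {}
        self.stateinfo = "Step {:<2d} / {:<2d}: Processes -- Looking for all processes structures --> pslist".format(
            self.__step, self.__steps)
        self.ps_sources['pslist'] = self.__psxview.check_pslist(all_tasks)
        self.stateinfo = "Step {:<2d} / {:<2d}: Processes -- Looking for all processes structures --> psscan".format(
            self.__step, self.__steps)
        self.ps_sources['psscan'] = self.__psxview.check_psscan()
        self.stateinfo = "Step {:<2d} / {:<2d}: Processes -- Looking for all processes structures --> thrdproc".format(
            self.__step, self.__steps)
        self.ps_sources['thrdproc'] = self.__psxview.check_thrdproc(self._aspace)
        self.stateinfo = "Step {:<2d} / {:<2d}: Processes -- Looking for all processes structures --> csrss".format(
            self.__step, self.__steps)
        self.ps_sources['csrss'] = self.__psxview.check_csrss_handles(all_tasks)
        self.stateinfo = "Step {:<2d} / {:<2d}: Processes -- Looking for all processes structures --> pspcid".format(
            self.__step, self.__steps)
        self.ps_sources['pspcid'] = self.__psxview.check_pspcid(self._aspace)
        self.__step += 1

    def __mergeCandidate(self, procmap, cproc, offset):
        """Insert one _EPROCESS candidate into ``procmap`` (pid -> [(proc, offset)]).

        Two candidates with the same PID, image name and DTB are the same
        process seen by different sources: the copy that still has a PEB wins
        and the PEB-less duplicates are dropped.  Otherwise the PID was reused
        and both are kept.

        Returns True when ``cproc`` was added to the map.  Note: Volatility
        reports an invalid pointer as a NoneObject, which compares equal to
        None with ``==`` but is never ``is None`` -- hence ``== None`` here.
        """
        uid = int(cproc.UniqueProcessId)
        if uid not in procmap:
            procmap[uid] = [(cproc, offset)]
            return True
        same = [entry for entry in procmap[uid]
                if cproc.ImageFileName == entry[0].ImageFileName
                and cproc.Pcb.DirectoryTableBase == entry[0].Pcb.DirectoryTableBase]
        if not same:
            procmap[uid].append((cproc, offset))
            return True
        if cproc.Peb != None:
            stale = [entry for entry in same if entry[0].Peb == None]
            if stale:
                for entry in stale:
                    # The list holds (proc, offset) tuples, so the tuple is
                    # what must be removed (removing the bare proc failed).
                    procmap[uid].remove(entry)
                    self.__orphaned.pop(entry[0], None)
                procmap[uid].append((cproc, offset))
                return True
        return False

    def __placedCount(self):
        """Number of process candidates already placed in the tree."""
        return sum(1 for placed in self.__orphaned.itervalues() if placed == 1)

    def __createProcessTree(self):
        """Merge the per-source process lists and build the "Processes" tree.

        ``self.__orphaned`` maps every candidate kept in the map to 1 once it
        has been placed under a parent, 0 otherwise; candidates still at 0
        after the walk have no reachable parent chain.
        """
        seen_offsets = set()
        procmap = {}
        self.__orphaned = {}
        self.stateinfo = "Step {:<2d} / {:<2d}: Processes -- Creating tree".format(
            self.__step, self.__steps)
        for source in self.ps_sources.values():
            for offset, cproc in source.items():
                if offset in seen_offsets:
                    continue
                seen_offsets.add(offset)
                if self.__mergeCandidate(procmap, cproc, offset):
                    self.__orphaned[cproc] = 0
        if procmap:
            total = len(procmap)
            self.stateinfo = "Step {:<2d} / {:<2d}: Processes -- Creating tree {:>3d} / {:<3d}".format(
                self.__step, self.__steps, 0, total)
            self.__mainProcNode = Node("Processes", 0, None, self)
            self.__mainProcNode.__disown__()
            self.__mainProcNode.setDir()
            for proc, offset in self.__findRootProcesses(procmap):
                self.__orphaned[proc] = 1
                procnode = WinProcNode(proc, offset, self.__mainProcNode, self)
                self.__processes.append(procnode)
                self.__createPtree(procmap, int(proc.UniqueProcessId), procnode)
                self.stateinfo = "Step {:<2d} / {:<2d}: Processes -- Creating tree {:>3d} / {:<3d}".format(
                    self.__step, self.__steps, self.__placedCount(), total)
            if debug:
                for proc, placed in self.__orphaned.iteritems():
                    if placed == 0:
                        self.__printProcess(proc)
            self.registerTree(self.root, self.__mainProcNode)
        self.__step += 1

    def __findRootProcesses(self, procmap):
        """Yield (proc, offset) for candidates whose parent PID is not in ``procmap``."""
        for entries in procmap.itervalues():
            for proc, offset in entries:
                if int(proc.InheritedFromUniqueProcessId) not in procmap:
                    yield (proc, offset)

    def __createPtree(self, procmap, ppid, parent):
        """Recursively attach every candidate whose parent PID is ``ppid`` under ``parent``.

        PID reuse (and carved or forged _EPROCESS structures) can make the
        parent links form a cycle; a candidate already placed (marked 1 in
        ``self.__orphaned``) is therefore never descended into again, which
        bounds the recursion.
        """
        total = len(procmap)
        for entries in procmap.itervalues():
            for proc, offset in entries:
                if int(proc.InheritedFromUniqueProcessId) != ppid:
                    continue
                if self.__orphaned.get(proc) == 1:
                    continue
                self.__orphaned[proc] = 1
                procnode = WinProcNode(proc, offset, parent, self)
                self.__processes.append(procnode)
                self.stateinfo = "Step {:<2d} / {:<2d}: Processes -- Creating tree {:>3d} / {:<3d}".format(
                    self.__step, self.__steps, self.__placedCount(), total)
                self.__createPtree(procmap, int(proc.UniqueProcessId), procnode)

    def __loadModulesFromProcesses(self):
        """Fill ``self.__dlls`` from the load-order module list of every process.

        ``self.__dlls`` maps a DLL name to a list of
        ``(physical base or -1, process address space, virtual base, [process nodes])``;
        modules mapped at the same physical address share one entry.  The DLL
        name is read from process memory and is not trusted beyond naming.
        """
        lpcount = len(self.__processes)
        for pcount, procnode in enumerate(self.__processes, 1):
            self.stateinfo = "Step {:<2d} / {:<2d}: Dlls -- Getting loaded modules for each process {:>3d} / {:<3d}".format(
                self.__step, self.__steps, pcount, lpcount)
            proc = procnode.eproc
            if proc.Peb == None:
                continue
            proc_as = proc.get_process_address_space()
            if not hasattr(proc_as, "vtop"):
                # No usable address space for this process (e.g. exited).
                continue
            load_modules = list(proc.get_load_modules())
            lmodcount = len(load_modules)
            for modcount, mod in enumerate(load_modules, 1):
                self.stateinfo = "Step {:<2d} / {:<2d}: Dlls -- Getting loaded modules for {:<16s} (process {:>3d} / {:<3d}) (dll {:>6d} / {:<6d})".format(
                    self.__step, self.__steps, procnode.name(), pcount, lpcount, modcount, lmodcount)
                vbase = mod.DllBase.v()
                dllname = str(mod.BaseDllName)
                paddr = -1
                if proc_as.is_valid_address(vbase):
                    paddr = long(proc_as.vtop(vbase))
                entries = self.__dlls.setdefault(dllname, [])
                for entry in entries:
                    if entry[0] == paddr:
                        entry[3].append(procnode)
                        break
                else:
                    entries.append((paddr, proc_as, vbase, [procnode]))

    def __createDlls(self):
        """Build the "Dlls" tree: one node per (name, physical copy).

        A name mapped at several physical addresses gets one node per
        resolvable copy, suffixed "-1", "-2", ... after the first; copies
        whose base could not be translated (paddr -1) are skipped in that
        case, but a name with a single entry always gets a node.
        """
        self.__loadModulesFromProcesses()
        if len(self.__dlls):
            self.__mainDllNode = Node("Dlls", 0, None, self)
            self.__mainDllNode.setDir()
            self.__mainDllNode.__disown__()
            dllcount = len(self.__dlls)
            for dcount, dllname in enumerate(self.__dlls, 1):
                self.stateinfo = "Step {:<2d} / {:<2d}: Dlls -- Creating nodes ({:>6d} / {:<6d})".format(
                    self.__step, self.__steps, dcount, dllcount)
                entries = self.__dlls[dllname]
                if len(entries) > 1:
                    if debug:
                        print dllname, [entry[0] for entry in entries]
                    i = 0
                    for entry in entries:
                        if entry[0] == -1:
                            continue
                        nodename = dllname if i == 0 else dllname + "-" + str(i)
                        dllnode = DllNode(nodename, entry[1], entry[2], self.__mainDllNode, self)
                        dllnode.__disown__()
                        i += 1
                else:
                    entry = entries[0]
                    dllnode = DllNode(dllname, entry[1], entry[2], self.__mainDllNode, self)
                    dllnode.__disown__()
            self.registerTree(self.root, self.__mainDllNode)
        self.__step += 1

    def __findConnections(self):
        """Build ``self.connections``: PID -> list of ``aconn`` records.

        Profiles with major version 6 are scanned with netscan; older ones
        combine connscan (TCP endpoints) with sockscan (bound sockets),
        pairing them by PID and local port.  TCP endpoints without a matching
        socket are appended afterwards with protocol 6 / "TCP".
        """
        self.connections = {}
        conn = namedtuple("aconn", [
            'localAddr', 'localPort', 'proto', 'type', 'ctime', 'remoteAddr',
            'remotePort', 'state'
        ])
        if self._aspace.profile.metadata.get('major', 0) == 6:
            self.stateinfo = "Step {:<2d} / {:<2d}: Connections -- NetScan".format(
                self.__step, self.__steps)
            for net_object, proto, laddr, lport, raddr, rport, state in netscan.Netscan(self._config).calculate():
                if proto.startswith("UDP"):
                    raddr = rport = None
                pid = long(net_object.Owner.UniqueProcessId)
                self.connections.setdefault(pid, []).append(
                    conn(laddr, lport, None, proto, net_object.CreateTime or None, raddr, rport, state))
        else:
            conns = {}   # pid -> {local port: [tcp_obj]}
            socks = {}   # pid -> [sock_obj]
            self.stateinfo = "Step {:<2d} / {:<2d}: Connections -- ConnScan".format(
                self.__step, self.__steps)
            for tcp_obj in connscan.ConnScan(self._config).calculate():
                byport = conns.setdefault(long(tcp_obj.Pid), {})
                byport.setdefault(long(tcp_obj.LocalPort), []).append(tcp_obj)
            self.stateinfo = "Step {:<2d} / {:<2d}: Connections -- SockScan".format(
                self.__step, self.__steps)
            for sock_obj in sockscan.SockScan(self._config).calculate():
                socks.setdefault(long(sock_obj.Pid), []).append(sock_obj)
            for pid, psocks in socks.iteritems():
                pconns = []
                for sock_obj in psocks:
                    lport = long(sock_obj.LocalPort)
                    ptype = protos.protos.get(sock_obj.Protocol.v(), "-")
                    if pid in conns and lport in conns[pid]:
                        # Consume the matching endpoints so they are not
                        # reported a second time below.
                        for tcp_obj in conns[pid].pop(lport):
                            pconns.append(conn(tcp_obj.LocalIpAddress, tcp_obj.LocalPort, sock_obj.Protocol, ptype,
                                               sock_obj.CreateTime, tcp_obj.RemoteIpAddress, tcp_obj.RemotePort, None))
                    else:
                        pconns.append(conn(sock_obj.LocalIpAddress, sock_obj.LocalPort, sock_obj.Protocol, ptype,
                                           sock_obj.CreateTime, None, None, None))
                self.connections[pid] = pconns
            for pid, byport in conns.iteritems():
                for tcp_objs in byport.itervalues():
                    for tcp_obj in tcp_objs:
                        self.connections.setdefault(pid, []).append(
                            conn(tcp_obj.LocalIpAddress, tcp_obj.LocalPort, 6, "TCP", None,
                                 tcp_obj.RemoteIpAddress, tcp_obj.RemotePort, None))
        if debug:
            for pid in self.connections:
                print "PID", pid
                for pconn in self.connections[pid]:
                    print "\t", pconn
        self.__step += 1

    def __createModules(self):
        """Build the "Modules" tree from carved _LDR_DATA_TABLE_ENTRY structures.

        Entries found by modscan whose physical offset is absent from the
        linked module list (modules plugin) are flagged unlinked/hidden.
        Nameless entries are called "Unknown<n>".
        """
        self.stateinfo = "Step {:<2d} / {:<2d}: Modules -- ModScan".format(
            self.__step, self.__steps)
        self.__scanned_modules = set(
            ldr_entry.obj_offset for ldr_entry in modscan.ModScan(self._config).calculate())
        self.stateinfo = "Step {:<2d} / {:<2d}: Modules -- Modules calculate".format(
            self.__step, self.__steps)
        self.__loaded_modules = set(
            module.obj_vm.vtop(module.obj_offset) for module in modules.Modules(self._config).calculate())
        self.__unlinked_or_hidden = self.__scanned_modules.difference(self.__loaded_modules)
        self.__modulesNode = Node("Modules", 0, None, self)
        self.__modulesNode.setDir()
        self.__modulesNode.__disown__()
        unknown = 0
        address_space = utils.load_as(self._config, astype='physical')
        kernel_as = utils.load_as(self._config)
        procs = list(tasks.pslist(kernel_as))
        lmodcount = len(self.__scanned_modules)
        for modcount, offset in enumerate(self.__scanned_modules, 1):
            self.stateinfo = "Step {:<2d} / {:<2d}: Modules -- creating nodes ({:>6d} / {:<6d})".format(
                self.__step, self.__steps, modcount, lmodcount)
            # Scanned offsets are physical; native_vm lets pointers inside the
            # entry (DllBase, names) be followed through the kernel space.
            ldr_entry = obj.Object('_LDR_DATA_TABLE_ENTRY', vm=address_space, offset=offset, native_vm=kernel_as)
            if not ldr_entry.BaseDllName:
                unknown += 1
                name = "Unknown" + str(unknown)
            else:
                name = str(ldr_entry.BaseDllName)
            unlinked_or_hidden = offset in self.__unlinked_or_hidden
            aspace = tasks.find_space(kernel_as, procs, ldr_entry.DllBase.v())
            n = ModuleNode(name, ldr_entry, self.__modulesNode, self, aspace, unlinked_or_hidden)
            n.__disown__()
        self.registerTree(self.root, self.__modulesNode)
        self.__step += 1

    def __createVadTree(self, proc, procnode, pcount, lpcount):
        """Mirror the VAD tree of ``proc`` under ``procnode``.

        Returns True when at least one VAD matched ``proc._injection_filter``
        (Volatility's injected-code heuristic); those VAD nodes are flagged
        suspicious.  ``pcount``/``lpcount`` only feed the progress message.
        """
        parents = {}
        bad = False
        aspace = proc.get_process_address_space() if proc.Peb != None else None
        vadtree = [vad for vad in proc.VadRoot.traverse()]
        lvadcount = len(vadtree)
        for vadcount, vad in enumerate(vadtree, 1):
            self.stateinfo = "Step {:<2d} / {:<2d}: Processes -- Creating Vad Tree for {:<16s} (process {:>3d} / {:<3d}) (vad {:>6d} / {:<6d})".format(
                self.__step, self.__steps, procnode.name(), pcount, lpcount, vadcount, lvadcount)
            # Skip invalid entries and, for WOW64 processes, the high-address
            # VAD carrying the CommitCharge sentinel -- presumably the reserved
            # 64-bit region Volatility's VAD plugins also exclude; TODO confirm.
            if not vad or (proc.IsWow64 and vad.u.VadFlags.CommitCharge == 0x7ffffffffffff and vad.End > 0x7fffffff):
                continue
            # Parent offset -> node; traverse() yields parents before children,
            # otherwise the VAD falls back to the process root.
            parent = parents.get(vad.Parent.obj_offset, procnode)
            vadnode = VadNode(vad, aspace, parent, self)
            if proc._injection_filter(vad):
                bad = True
                vadnode.setSuspicious(True)
            parents[vad.obj_offset] = vadnode
        return bad

    def __createProcessesVadTree(self):
        """Attach a "<image name>.vad" tree to every process node and flag it suspicious if any VAD was."""
        lpcount = len(self.__processes)
        for pcount, procnode in enumerate(self.__processes, 1):
            proc = procnode.eproc
            base, ext = os.path.splitext(str(proc.ImageFileName))
            vadroot = Node(base + ".vad", 0, None, self)
            vadroot.__disown__()
            procnode.setSuspicious(self.__createVadTree(proc, vadroot, pcount, lpcount))
            self.registerTree(procnode, vadroot)

    def __printProcess(self, proc):
        """Debug helper: print one _EPROCESS as a fixed-width row (name, pid, ppid, times, CR3)."""
        print "{name:<30}{uid:<10}{puid:<10}{stime:<30}{etime:<30}{cr3:<15}".format(
            name=proc.ImageFileName,
            uid=proc.UniqueProcessId,
            puid=proc.InheritedFromUniqueProcessId,
            stime=proc.CreateTime,
            etime=proc.ExitTime,
            cr3=hex(proc.Pcb.DirectoryTableBase))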