def attributes(self, node): m = VMap() hinfos = self.calculatedHash[long(node.this)] hashes = self.getHashes(node) for algo in hashes: v = Variant(str(hashes[algo])) m[str(algo)] = v if len(hinfos.hsets): knownBad = [] knownGood = [] for setId in hinfos.hsets: hset = self.parent.hashSets.get(setId) if hset.knownGood: knownGood.append(hset) else: knownBad.append(hset) if len(knownBad): badList = VList() for badSet in knownBad: vname = Variant(badSet.name) badList.append(vname) m["known bad"] = badList if len(knownGood): goodList = VList() for goodSet in knownGood: vname = Variant(goodSet.name) goodList.append(vname) m["known good"] = goodList return m
def attributesTypes(values, types): if (types == DateTime): val = DateTime(values) val.thisown = False elif (types == MS64DateTime): val = MS64DateTime(values) val.thisown = False elif (types == DosDateTime): val = DosDateTime(*values) val.thisown = False elif (types == int) or (types == long): if type(values) == str: #XXX strange ? values = 0 val = types(values) elif (types == dict): val = VMap() for k, v in values.iteritems(): vval = Variant(attributesTypes(*v)) val[k] = vval elif (types == list): val = VList() for v in values: vval = Variant(attributesTypes(*v)) val.append(vval) elif (types == str): if type(values) == unicode: val = values.encode("UTF-8", "replace") else: val = str(values) elif (types == VLink): #return node is already created val = values else: val = types(values) return val
def attributes(self, node): attr = VMap() vfile = node.open() img = Image.open(vfile) info = img._getexif() vfile.close() for tag, values in info.items(): if tag in self.dateTimeTags: try: decoded = str(TAGS.get(tag, tag)) try: dt = strptime(values, "%Y:%m:%d %H:%M:%S") except ValueError: try: dt = strptime(values[:-6], "%Y-%m-%dT%H:%M:%S") except ValueError: dt = strptime(values.rstrip(' '), "%a %b %d %H:%M:%S") vt = vtime(dt.tm_year, dt.tm_mon, dt.tm_mday, dt.tm_hour, dt.tm_min, dt.tm_sec, 0) vt.thisown = False attr[decoded] = Variant(vt) except Exception as e: attr[decoded] = Variant(str(values)) else: decoded = str(TAGS.get(tag, tag)) if isinstance(values, tuple): vl = VList() for value in values: vl.push_back(Variant(value)) attr[decoded] = vl else: attr[decoded] = Variant(values) return attr
def __notifyFailure(self, src, ftype, tb): e = event() e.thisown = False e.type = ftype vl = VList() vl.append(Variant(src)) vl.append(Variant(str(tb))) e.value = RCVariant(Variant(vl)) self.notify(e)
def __notifyFileProgress(self, node, percent): e = event() e.thisown = False e.type = Extract.FileProgress vl = VList() vl.append(Variant(node)) vl.append(Variant(int(percent))) e.value = RCVariant(Variant(vl)) self.notify(e)
def __notifyRename(self, src, dst): e = event() e.thisown = False e.type = Extract.RenameOccured vl = VList() vl.append(Variant(src)) vl.append(Variant(dst)) e.value = RCVariant(Variant(vl)) self.notify(e)
def _attributes(self): i = 1 attr = VMap() vlist = VList() for f in self.files: node = f.value() vlist.append(Variant(node.absolute())) attr["concatanated files (ordered)"] = Variant(vlist) return attr
def __createReport(self): if len(self.__failed_files): vl = VList() for ffile in self.__failed_files: vl.append(Variant(ffile)) self.res["failed extraction for files"] = vl if len(self.__failed_folders): vl = VList() for ffolder in self.__failed_folders: vl.append(Variant(ffolder)) self.res["failed extraction for folders"] = vl if len(self.__renamed): vmap = VMap() for key in self.__renamed: vl = VList() for val in self.__renamed[key]: vl.append(Variant(val)) vmap[key] = vl self.res["renamed"] = vmap
def _setLoadedModules(self, attrs): dlls = VList() for m in self.eproc.get_load_modules(): name = str(m.FullDllName) or 'N/A' dll = VMap() dllattribs = VMap() dllattribs["Base"] = Variant(long(m.DllBase)) dllattribs["Size"] = Variant(long(m.SizeOfImage)) if name != "N/A": self._setImportedFunctions(name, dllattribs) dll[name] = Variant(dllattribs) dlls.append(dll) attrs["Loaded modules"] = Variant(dlls)
def attributes(self, node): m = VMap() idx = node.uid() self.__lock.acquire() if self.__hashs.has_key(idx): hashInfo = self.__hashs[idx] hsets = hashInfo.hsets else: hsets = [] self.__lock.release() hashes = self.__getHashes(node) for algo in hashes: v = Variant(str(hashes[algo])) m[str(algo)] = v if len(hsets): knownBad = [] knownGood = [] for setId in hsets: hset = self.__parent.getHashSetFromId(setId) if hset.knownGood: knownGood.append(hset) else: knownBad.append(hset) if len(knownBad): badList = VList() for badSet in knownBad: vname = Variant(badSet.name) badList.append(vname) m["known bad"] = badList if len(knownGood): goodList = VList() for goodSet in knownGood: vname = Variant(goodSet.name) goodList.append(vname) m["known good"] = goodList return m
def _setImportedFunctions(self, name, attrs): if self.__pe and hasattr(self.__pe, "DIRECTORY_ENTRY_IMPORT"): found = False for entry in self.__pe.DIRECTORY_ENTRY_IMPORT: if name.lower().find(entry.dll.lower()) != -1: found = True break if found: funcs = VList() for imp in entry.imports: func = VMap() if imp.name: func[str(imp.name)] = Variant(imp.address) else: func[str(imp.ordinal)] = Variant(imp.address) funcs.append(func) attrs["Imported functions"] = Variant(funcs)
def start(self, args): if args.has_key("start-offset"): startoff = args["start-offset"].value() else: startoff = 0 if args.has_key("block-aligned"): aligned = True else: aligned = False patterns = VList() for mimetype in filetypes.keys(): if mimetype in args: vsubtypes = args[mimetype].value() for subtype in filetypes[mimetype].keys(): if subtype in vsubtypes: pattern = VMap() descr = filetypes[mimetype][subtype] for p in descr: header = VMap() header["needle"] = Variant(p[0], typeId.String) header["size"] = Variant(len(p[0]), typeId.UInt32) footer = VMap() footer["needle"] = Variant(p[1], typeId.String) footer["size"] = Variant(len(p[1]), typeId.UInt32) pattern["filetype"] = Variant( subtype, typeId.String) pattern["header"] = Variant(header) pattern["footer"] = Variant(footer) pattern["window"] = Variant( int(p[2]), typeId.UInt32) if aligned: pattern["aligned"] = Variant(True, typeId.Bool) else: pattern["aligned"] = Variant( False, typeId.Bool) patterns.append(pattern) margs = VMap() margs["patterns"] = Variant(patterns) margs["file"] = args["file"] margs["start-offset"] = Variant(startoff, typeId.UInt64) proc = self.tm.add("carver", margs, ["console"]) if proc: proc.event.wait()
def createContext(self, selected): lpatterns = VList() for filetype in selected.iterkeys(): patterns = selected[filetype][0] aligned = selected[filetype][1] for pattern in patterns: vpattern = VMap() vpattern["filetype"] = Variant(filetype, typeId.String) header = VMap() header["needle"] = Variant(pattern[0], typeId.String) header["size"] = Variant(len(pattern[0]), typeId.UInt32) footer = VMap() footer["needle"] = Variant(pattern[1], typeId.String) footer["size"] = Variant(len(pattern[1]), typeId.UInt32) vpattern["header"] = Variant(header) vpattern["footer"] = Variant(footer) vpattern["window"] = Variant(int(pattern[2]), typeId.UInt32) vpattern["aligned"] = Variant(aligned, typeId.Bool) lpatterns.append(vpattern) return lpatterns
def decode_REG_MULTI_SZ(self, data): vlist = VList() for line in unicode(data, 'UTF-16').split('\x00'): if line: vlist.append(Variant(line.encode('UTF-8'))) return vlist
def attributes(self, node): attr = VMap() vfile = node.open() img = Image.open(vfile) info = img._getexif() vfile.close() for tag, values in info.items(): if tag in self.dateTimeTags: try: decoded = str(TAGS.get(tag, tag)) try: dt = strptime(values, "%Y:%m:%d %H:%M:%S") except ValueError: try: dt = strptime(values[:-6], "%Y-%m-%dT%H:%M:%S") except ValueError: dt = strptime(values.rstrip(' '), "%a %b %d %H:%M:%S") vt = DateTime(dt.tm_year, dt.tm_mon, dt.tm_mday, dt.tm_hour, dt.tm_min, dt.tm_sec) vt.thisown = False attr[decoded] = Variant(vt) except Exception as e: attr[decoded] = Variant(str(values)) else: decoded = str(TAGS.get(tag, tag)) if decoded == "GPSInfo": try: gpsMap = VMap() for subvalue in values: subDecoded = GPSTAGS.get(subvalue, subvalue) v = values[subvalue] if str(subDecoded) == "GPSLatitude": degree = self.toDegree(v) try: ref = gpsMap["GPSLatitudeRef"] except: ref = "" if str(ref) != "N": degree = 0 - degree gpsMap["GPSLatitudeRef"] = Variant(str(degree)) elif str(subDecoded) == "GPSLongitude": degree = self.toDegree(v) try: ref = gpsMap["GPSLongitudeRef"] except: ref = "" if str(ref) != "E": degree = 0 - degree gpsMap["GPSLongitudeRef"] = Variant( str(degree)) #Variant don't handle float.. elif type(v) == str: gpsMap[str(subDecoded)] = Variant(str(v)) elif type(v) == unicode: gpsMap[str(subDecoded)] = Variant( str(v.encode('ascii', 'replace'))) elif type(v) == tuple: vl = VList() for vv in v: if type(vv) == tuple: vl.push_back(Variant(str(vv))) gpsMap[str(subDecoded)] = vl #XXX handle gps datetime else: gpsMap[str(subDecoded)] = Variant(str(v)) attr[decoded] = gpsMap except Exception as e: pass #print "Metaexif error encoding: ", e elif isinstance(values, tuple): vl = VList() for value in values: if type(values) == unicode: vl.push_back( Variant(value.encode('ascii', 'replace'))) elif type(values) == tuple: vl.push_back(Variant(str(value))) else: vl.push_back(Variant(value)) attr[decoded] = vl else: if type(values) == unicode: attr[decoded] = Variant( values.encode('ascii', 'replace')) elif type(values) == tuple: attr[decoded] = Variant(str(values)) else: attr[decoded] = Variant(values) return attr