def SvcDoRun(self):
    """Service main loop.

    Logs the "service started" message, exposes a NimbusService instance on
    self.server, serves requests until the stop event (self.hWaitStop) is
    signalled, then writes a "service stopped" event under the service name.
    """
    service_name = self._svc_name_
    servicemanager.LogMsg(
        servicemanager.EVENTLOG_INFORMATION_TYPE,
        servicemanager.PYS_SERVICE_STARTED,
        (service_name, ' (%s)' % service_name),
    )
    self.server.register_instance(NimbusService())

    # Zero timeout: a non-blocking poll of the stop event between requests.
    # NOTE(review): handle_request() presumably blocks until a request arrives,
    # so a stop is only noticed after the next request — confirm the server
    # has a timeout configured if prompt shutdown matters.
    while win32event.WaitForSingleObject(self.hWaitStop, 0) == win32event.WAIT_TIMEOUT:
        self.server.handle_request()

    # Positional args: source, event id, category 0, type, insert strings.
    win32evtlogutil.ReportEvent(
        service_name,
        servicemanager.PYS_SERVICE_STOPPED,
        0,
        servicemanager.EVENTLOG_INFORMATION_TYPE,
        (service_name, ""),
    )
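def Log_Write(self, string):
    """Write a WARNING entry (event id 1, category 5 "Shell") under the
    "My Application" source describing a link status change.

    Args:
        string: whitespace-separated text whose first token is the link name
            and whose second token is its new status; further tokens are
            ignored.

    Raises:
        ValueError: if *string* holds fewer than two tokens (the original
            failed here with a bare IndexError).
    """
    tokens = string.split()
    if len(tokens) < 2:
        raise ValueError("expected '<link> <status>', got %r" % (string,))
    link_name, new_status = tokens[0], tokens[1]

    application_name = "My Application"
    event_id = 1
    category = 5  # Shell
    event_type = win32evtlog.EVENTLOG_WARNING_TYPE
    description = ["A warning, link", link_name, "changed its status into ", new_status]
    data = "13453576".encode("ascii")  # fixed marker payload, as in the original
    win32evtlogutil.ReportEvent(
        application_name,
        event_id,
        eventCategory=category,
        eventType=event_type,
        strings=description,
        data=data,
    )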
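def publishData(self, data, topic, sensorType, qosValue=1):
    """Publish one sensor reading as a connect / publish / disconnect cycle.

    Args:
        data: raw reading handed to __makePayload.
        topic: MQTT topic to publish on.
        sensorType: selector handed to __makePayload.
        qosValue: MQTT QoS level for the publish (default 1).

    Any failure is printed and reported to the Windows Application log as
    event 32017 and then swallowed, so a failed publish never aborts the
    caller. The handler is narrowed from a bare ``except:`` to
    ``except Exception`` so KeyboardInterrupt/SystemExit still propagate, and
    the exception text is added as a second insert string so the log shows
    the cause.
    """
    try:
        self.initialize()
        self.connect()
        payload = self.__makePayload(data, sensorType)
        self.user.publish(topic, payload, qos=qosValue)
        self.user.loop()
        self.disconnect()
    except Exception as exc:
        print("failed to publish...")
        win32evtlogutil.ReportEvent(
            "MQQT_CLIENT",
            32017,
            eventCategory=32017,
            eventType=win32evtlog.EVENTLOG_ERROR_TYPE,
            strings=["Failed to publish...", repr(exc)],
            data=b"Failed to publish...",
        )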
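def initialize(self):
    """Create the MQTT client stored on self.user.

    Runs __initializeDataFormat, builds an mqtt.Client with the fixed client
    id "PC1" and applies the credentials found under the "user name" and
    "password" keys of self.brokerParameter.

    Raises:
        Exception: whatever mqtt.Client raised, after printing and reporting
            it to the Application log as event 32010. The original swallowed
            the error and then died on the final assignment with an
            UnboundLocalError; re-raising keeps the real cause.

    If setting the credentials fails, the failure is printed and the client
    is kept *without* credentials, as before.
    """
    self.__initializeDataFormat()
    try:
        user = mqtt.Client("PC1")
    except Exception:
        print("failed to create client instance...")
        win32evtlogutil.ReportEvent(
            "MQQT_CLIENT",
            32010,
            eventCategory=32010,
            eventType=win32evtlog.EVENTLOG_ERROR_TYPE,
            strings=["failed to create client instance..."],
            data=b"failed to create client instance...",
        )
        raise
    try:
        user.username_pw_set(
            self.brokerParameter["user name"],
            self.brokerParameter["password"],
        )
    except Exception:
        # NOTE(review): execution continues with an unauthenticated client;
        # whether the broker accepts that cannot be told from here.
        print("failed to set user name or password...")
    self.user = user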
def write_event_log(self, message, eventID=10, sid=None, level=None, source=None):
    """Write *message* as a single-insert event to the Windows event log.

    Args:
        message: the one insert string of the event.
        eventID: event id (default 10).
        sid: reporting SID; defaults to self.get_sid().
        level: an EVENTLOG_*_TYPE constant; defaults to INFORMATION.
        source: event source name; defaults to self.applicationName.
    """
    resolved_sid = self.get_sid() if sid is None else sid
    resolved_source = self.applicationName if source is None else source
    resolved_level = win32evtlog.EVENTLOG_INFORMATION_TYPE if level is None else level
    win32evtlogutil.ReportEvent(
        resolved_source,
        eventID,
        eventType=resolved_level,
        strings=[message],
        sid=resolved_sid,
    )
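def logEvent(e=1):
    """Write an INFORMATION event (category 7, "Network") under the
    "iSpy Phone on Network Checker" source.

    Args:
        e: event id; the original comment maps 0 to "Away" and 1 to
            "Reachable".

    The event carries no insert strings and no data — only the id encodes
    the state. The token handle used to fetch the caller's SID is closed
    explicitly instead of being left to garbage collection.
    """
    process_handle = win32api.GetCurrentProcess()
    token_handle = win32security.OpenProcessToken(process_handle, win32con.TOKEN_READ)
    try:
        caller_sid = win32security.GetTokenInformation(token_handle, win32security.TokenUser)[0]
    finally:
        win32api.CloseHandle(token_handle)
    win32evtlogutil.ReportEvent(
        'iSpy Phone on Network Checker',
        e,
        eventCategory=7,
        eventType=win32evtlog.EVENTLOG_INFORMATION_TYPE,
        strings=None,
        data=None,
        sid=caller_sid,
    )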
def write_event(self, msg, ev_type, source_name='EVENTLOGTEST'):
    """Write *msg* (as two identical insert strings) to the Windows event log.

    Based on http://rosettacode.org/wiki/Write_to_Windows_event_log

    Args:
        msg: text for the event's insert strings.
        ev_type: an EVENTLOG_*_TYPE constant.
        source_name: event source name (default 'EVENTLOGTEST').
    """
    # Imported here rather than at module level (presumably so the module
    # loads without pywin32 — confirm).
    import win32api
    import win32con
    import win32security
    import win32evtlogutil

    token = win32security.OpenProcessToken(win32api.GetCurrentProcess(), win32con.TOKEN_READ)
    caller_sid = win32security.GetTokenInformation(token, win32security.TokenUser)[0]
    win32evtlogutil.ReportEvent(
        source_name,
        1,
        eventCategory=5,
        eventType=ev_type,
        strings=[msg, msg],
        data="Application\0Data".encode("ascii"),
        sid=caller_sid,
    )
def eventLogger(info):
    """Write *info* as an INFORMATION event (category 5 "Shell") under the
    "Superior parser for BashIm" source, stamped with the caller's user SID.

    Args:
        info: the single insert string of the event.
    """
    # Imported here rather than at module level (presumably so the module
    # loads without pywin32 — confirm).
    import win32api
    import win32con
    import win32evtlog
    import win32security
    import win32evtlogutil

    token = win32security.OpenProcessToken(win32api.GetCurrentProcess(), win32con.TOKEN_READ)
    caller_sid = win32security.GetTokenInformation(token, win32security.TokenUser)[0]
    # NOTE(review): 4624 is also the Security log's "successful logon" event
    # id; reusing it for an Application-log source can confuse detection
    # rules that key on the id alone. Kept to preserve behaviour.
    win32evtlogutil.ReportEvent(
        "Superior parser for BashIm",
        4624,
        eventCategory=5,
        eventType=win32evtlog.EVENTLOG_INFORMATION_TYPE,
        strings=[info],
        data="Application\0Data".encode("ascii"),
        sid=caller_sid,
    )
def ArtilleryStartEvent():
    """Log that Artillery has started monitoring its ports.

    Writes an INFORMATION event (id 1, category 5) under the "Artillery"
    source, stamped with the current process's user SID.
    """
    token = win32security.OpenProcessToken(win32api.GetCurrentProcess(), win32con.TOKEN_READ)
    caller_sid = win32security.GetTokenInformation(token, win32security.TokenUser)[0]
    inserts = ["Artillery has started and begun monitoring the selected ports "]
    win32evtlogutil.ReportEvent(
        "Artillery",
        1,
        eventCategory=5,
        eventType=win32evtlog.EVENTLOG_INFORMATION_TYPE,
        strings=inserts,
        data="Application\0Data".encode("ascii"),
        sid=caller_sid,
    )
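def write_event_log(self, message, eventID=10, sid=None, level=None, source=None):
    """Write *message* as a single-insert event, retrying for up to 10 s.

    Args:
        message: the one insert string of the event.
        eventID: event id (default 10).
        sid: reporting SID; defaults to self.get_sid().
        level: an EVENTLOG_*_TYPE constant; defaults to INFORMATION.
        source: event source name; defaults to self.applicationName.

    Raises:
        Exception: the last ReportEvent error once 10 s have elapsed.

    The retry loop now sleeps briefly between attempts instead of spinning,
    and catches ``Exception`` rather than everything (so Ctrl-C still works).
    """
    if sid is None:
        sid = self.get_sid()
    if source is None:
        source = self.applicationName
    if level is None:
        level = win32evtlog.EVENTLOG_INFORMATION_TYPE

    deadline = time.monotonic() + 10
    while True:
        try:
            win32evtlogutil.ReportEvent(source, eventID, eventType=level, strings=[message], sid=sid)
            return
        except Exception:
            if time.monotonic() >= deadline:
                raise
            time.sleep(0.1)  # back off instead of busy-spinning for 10 s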
def write_result_eventlog_baseline(self, res):
    """Write the baseline-engine result *res* to the Application log as a
    "SysmonCorrelator" WARNING (event id 1, category 2).

    Args:
        res: appended as the third insert string after "Engine: Baseline"
            and "Data: " (presumably already a str — confirm at the caller).
    """
    token = win32security.OpenProcessToken(win32api.GetCurrentProcess(), win32con.TOKEN_READ)
    caller_sid = win32security.GetTokenInformation(token, win32security.TokenUser)[0]
    inserts = ["Engine: Baseline", "Data: ", res]
    # NOTE(review): `data` is passed as a str here while the other ReportEvent
    # callers pass bytes; confirm pywin32 accepts str for the raw data.
    win32evtlogutil.ReportEvent(
        "SysmonCorrelator",
        1,
        eventCategory=2,
        eventType=win32evtlog.EVENTLOG_WARNING_TYPE,
        strings=inserts,
        data="Not configured, use -l option",
        sid=caller_sid,
    )
def ReportNewDevice(sMsg):
    """Announce a newly seen LAN device on every channel named in gsUIChoice.

    Channels: 'stdout' (timestamped print), 'notification' (plyer desktop
    notification on Linux and Windows) and 'syslog' (syslog on Linux, the
    Windows Application log under the "lanwatch" source on Windows).

    Args:
        sMsg: message text, written verbatim to every channel.
            NOTE(review): if this carries data read off the network (a
            hostname, say), control characters reach the logs unfiltered —
            confirm the caller sanitises it.
    """
    if 'stdout' in gsUIChoice:
        print(time.strftime("%H:%M:%S") + ': ' + sMsg)

    if 'notification' in gsUIChoice:
        # plyer (https://github.com/kivy/plyer) cannot make a notification
        # permanent, so ask for an 8-hour timeout. On Linux it appears both on
        # the desktop (briefly) and in the tray.
        notify_args = dict(title='New device on LAN', message=sMsg, app_name='lanwatch', timeout=8*60*60)
        if gbOSLinux:
            notification.notify(**notify_args)
        if gbOSWindows:
            notification.notify(**notify_args)

    if 'syslog' in gsUIChoice:
        if gbOSLinux:
            # View with: sudo journalctl --pager-end   (or: sudo journalctl | grep lanwatch)
            syslog.syslog(sMsg)
        if gbOSWindows:
            # 1610612737 == 0x60000001, a Windows message id with severity
            # "informational", the customer-defined bit set and code 1
            # (https://docs.microsoft.com/en-us/windows/win32/eventlog/event-logging-elements).
            win32evtlogutil.ReportEvent(
                "lanwatch",
                1610612737,
                eventCategory=1,
                eventType=win32evtlog.EVENTLOG_INFORMATION_TYPE,
                strings=[sMsg],
                data=b"",
            )
def HoneyPotEvent():
    """Log a WARNING event (id 1, category 5) under the "Artillery" source
    saying a honeypot port was touched and the source address was blocked.

    NOTE(review): the event carries no detail (port, offending address), so
    correlating it with the block action needs Artillery's own log.
    """
    token = win32security.OpenProcessToken(win32api.GetCurrentProcess(), win32con.TOKEN_READ)
    caller_sid = win32security.GetTokenInformation(token, win32security.TokenUser)[0]
    inserts = [
        "Artillery Detected access to a honeypot port",
        "The offending ip has been blocked and added to the local routing table",
    ]
    win32evtlogutil.ReportEvent(
        "Artillery",
        1,
        eventCategory=5,
        eventType=win32evtlog.EVENTLOG_WARNING_TYPE,
        strings=inserts,
        data="Application\0Data".encode("ascii"),
        sid=caller_sid,
    )
def msg(self, event_id, event_type, strings, data=None):
    """
    Write one event to the Windows event log under ``self.app_name``,
    reported with ``self.sid``.

    :arg int event_id: the resource identifier for this event
    :arg event_type: one of the ``EVENTLOG_FOO_TYPE`` constants defined in
        ``win32evtlog``
    :arg list strings: the insert strings of the event
    :arg bytes data: optional raw binary data attached to the event
    """
    options = dict(eventType=event_type, strings=strings, data=data, sid=self.sid)
    win32evtlogutil.ReportEvent(self.app_name, event_id, **options)
def logEvent(e, desc=''):
    """Write an INFORMATION event (category 7, "Network") under the
    "Automatic Security Tracker" source and echo it on stdout.

    Args:
        e: event id; the original comment maps 0 to "Stop" and 1 to "Start",
            and the stdout line prints START for any truthy value.
        desc: the single insert string of the event (default '').
    """
    token = win32security.OpenProcessToken(win32api.GetCurrentProcess(), win32con.TOKEN_READ)
    caller_sid = win32security.GetTokenInformation(token, win32security.TokenUser)[0]
    win32api.CloseHandle(token)  # release the token handle as soon as the SID is read
    win32evtlogutil.ReportEvent(
        'Automatic Security Tracker',
        e,
        eventCategory=7,
        eventType=win32evtlog.EVENTLOG_INFORMATION_TYPE,
        strings=[desc],
        data=None,
        sid=caller_sid,
    )
    print('Logged event', 'START' if e else 'STOP', e)
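def __makePayload(self, data, sensorType):
    """Serialise one sensor reading into the binary MQTT payload.

    Args:
        data: the reading as comma-separated text. sensorType 0 expects two
            fields and sensorType 1 three fields, each scaled by 100 before
            packing; sensorType 2 appends the text verbatim as UTF-8.
        sensorType: 0 (packed with self.__bpr), 1 (packed with self.__aclo)
            or 2 (two "i" structs followed by the text).

    Returns:
        The packed payload as bytes, or the empty string "" when sensorType
        is not recognised (silently, as before) or packing fails. A packing
        failure is printed and reported to the Application log as event
        32016; a timestamp failure is printed and then surfaces as a
        packing failure with the same end result as the original.

    Handlers are narrowed from bare ``except:`` to ``except Exception``, the
    device id no longer shadows the ``id`` builtin, and the sensorType 2
    branch now applies ``int()`` to the timestamp like the other branches
    (the original passed it to struct.pack unconverted).
    """
    device_id = 3  # hard-coded device identifier
    payload = ""
    time_now = None
    try:
        time_now = self.__timestampFormatter(datetime.utcnow())
    except Exception:
        print("failed to get time...")
        # time_now stays None; int(None) below fails and is reported as a
        # payload failure, which is where the original ended up too.
    try:
        if sensorType == 0:
            fields = data.split(",")
            payload = self.__bpr.pack(
                device_id, 0, int(time_now),
                float(fields[0]) * 100, float(fields[1]) * 100)
        elif sensorType == 1:
            fields = data.split(",")
            payload = self.__aclo.pack(
                device_id, 1, int(time_now),
                float(fields[0]) * 100, float(fields[1]) * 100, float(fields[2]) * 100)
        elif sensorType == 2:
            payload = (struct.pack("i", device_id)
                       + struct.pack("i", int(time_now))
                       + data.encode("utf-8"))
    except Exception:
        print("failed create payload...")
        win32evtlogutil.ReportEvent(
            "MQQT_CLIENT",
            32016,
            eventCategory=32016,
            eventType=win32evtlog.EVENTLOG_ERROR_TYPE,
            strings=["Failed to create payload..."],
            data=b"Failed to create payload...",
        )
    return payload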
def ErrLogger(self, msg, text):
    """Write a service ERROR event under the service display name.

    Positional arguments map onto ReportEvent(appName, eventID, eventCategory,
    eventType, strings, data): category 0, type ERROR, insert strings
    (service name, msg) and *text* as the raw data. Python 2 code — uses
    the ``unicode`` builtin.
    """
    inserts = (self._svc_name_, unicode(msg))
    win32evtlogutil.ReportEvent(
        self._svc_display_name_,
        servicemanager.PYS_SERVICE_STOPPED,
        0,
        servicemanager.EVENTLOG_ERROR_TYPE,
        inserts,
        unicode(text),
    )
def Logger(self, state, msg):
    """Write a service INFORMATION event under the service display name.

    Args:
        state: used as the event id (a servicemanager.PYS_SERVICE_* value
            at the call sites, presumably — confirm).
        msg: second insert string after the service name. Python 2 code —
            uses the ``unicode`` builtin.
    """
    inserts = (self._svc_name_, unicode(msg))
    win32evtlogutil.ReportEvent(
        self._svc_display_name_,
        state,
        0,
        servicemanager.EVENTLOG_INFORMATION_TYPE,
        inserts,
    )
def generate_event(): """ Function which generates win32 events. Randomly choosing event id, category application name and event description from pre-defined lists. """ EVT_APP_NAME = random.choice(apps) EVT_ID = random.randint(1337, 99999) EVT_CATEG = random.randint(0, 25565) evntstrslist = [ """ โโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโ """, """ _โฅ__โฅ_____โฅ__โฅ___ Put This _โฅ_____โฅ_โฅ_____โฅ__ Heart _โฅ______โฅ______โฅ__ On Your __โฅ_____/______โฅ__ Page If ___โฅ____\\_____โฅ___ You Had ____โฅ___/___โฅ_____ Your Heart ______โฅ_\\_โฅ_______ Broken ________โฅ_________โฆโฆโฆโฆโฆ. 
""", """ โโโโโโโโโโโโโโโโฌโฌโฌโฌโฌโฌโฌโฌโโโโโโฌโฌโฌโฌโฌโฌโฌโโฌโฌโโ โโโโโโโโโฌโฌโโโโโโโฌโฌโฌโฌโฌโฌโโโโโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโ โโโโโโโโฌโฌโฌโฌโฌโฌโโโโฌโฌโฌโฌโฌโฌโโโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโโ โโโโโโโโฌโฌโฌโฌโฌโฌโฌโโโโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโโ โโโโโโโโโโโโโโโโโโโโฌโฌโฌโฌโฌโฌโโโโโโโโโโฌโฌโฌโฌโโ โโโโโโโโโโโโโโโโโโโโฌโฌโฌโฌโฌโโโโโโโโโฌโฌโฌโฌโฌโฌโฌโ โโโโโโโโโโโฌโฌโโโโโโโโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโโ โโโโโโโโฌโฌโฌโฌโโโโโโโโโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโโ โโโโโโโโโโโโโโโโโโโโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโโ โโโโโโโโโโโโโโโโโโโโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโโ โโโโโโโโโโโโโโโโโโโโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโโ โโโโโโโโโโโโโโโโโโโโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโโ โโโโโโโโโโโโโโโโโโโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโโ โโโโโโโโโโโโโโโโโโโโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโโโฌโโฌโฌโโโ โโโโโโโโโโโโโโโโโโโโโโโโฌโฌโฌโฌโฌโฌโฌโโโฌโฌโฌโฌโฌโโโ โโโโโโโโโโโโโโโโโโโโฌโโโโโฌโฌโฌโโโโโฌโฌโฌโฌโฌโฌโโโ โโโโโโโโโโโโโโโโโโโฌโฌโฌโโโฌโโโโโโฌโฌโฌโฌโฌโฌโฌโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโโโโ โโโโโโโโโโโโโโโโโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโโโโโ โโโโโโโโโโโโโโโโโโโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโโโโโโโ โโโโโโโโโโโโโโโโโโฌโโโโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโฌโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโฌโฌโฌโฌโฌโฌโฌโฌโฌโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโฌโฌโฌโฌโฌโฌโฌโฌโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโฌโฌโฌโฌโฌโฌโโโโโโโโโโโโ """, """ ________________________________BBBBBBBBBBBB _______________________________BBBBBBBBBBBBB0 __BBBBBBBBB___________________BBBBBBBBBBBBBBB, _BBBBBBBBBBBB________________BBBBBBBBBBBBBBBB0, _BBBBBBBBBBBBB_______________BBBBBBBBBBBBBBBB0 BBBBBBBBBBBBBBBB____________BBBBBBBBBBBBBBBBB, _BBBBBBBBBBBBBBBB___________BBBBBBBBBBBBBBBB0, __BBBBBBBBBBBBBBBB_________BBBBBBBBBBBBBBBBB, __BBBBBBBBBBBBBBBB_________BBBBBBBBBBBBBBBB, ___BBBBBBBBBBBBBBBB________BBBBBBBBBBBBBBB, ____BBBBBBBBBBBBBBB________BBBBBBBBBBBBBB0, _____BBBBBBBBBBBBBB_______BBBBBBBBBBBBBB0, 
______BBBBBBBBBBBBB_______BBBBBBBBBBBBBB, _______BBBBBBBBBBBBB______BBBBBBBBBBBBB, ________BBBBBBBBBBBB______BBBBBBBBBB00, __________BBBBBBBBBB______BBBBBBBBBBB, ___________BBBBBBBBBB_____BBBBBBBBBB0 ____________BBBBBBBBB_____BBBBBBBBBB ______________BBBBBBB_____BBBBBBBB0 ______________BBBBBBB_____BBBBBBBB _______________BBBBBB_____BBBBBBB ________________BBBBBBBBBBBBBBBBB_ ______________BBBBBBBBBBBBBBBBBBBBBB ____________BBBBBBBBBBBBBBBBBBBBBBBBBB_ __________BBBBBBBBBBBBB_________BBBBBBBB _________BBBBB__BBBBB____________BBBBBBBBB ________BBB________B______________BBBBBBBBB _______BBB_________B______________BBBBBBBBBB, _______BBB______BB_B_BBB__________BBBBBBBBBB, _______BBB_____BBB_B_BBBB________BBBBBBBBBBB, _______BBB________000___________BBBBBBBBBBBB, _______BBBB______00000_________BBBBBBBBBBBBB, ____00000BBBBBBBBB000BBBBBBBBBBBBBBBBBBBBBB00000000, ___0BBBB00BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB00BBBBBB0B0, __0BBBBBB00BBBB00______B000000BBBBBBBBBB000B00BBBB0B0, _0BBBBBBBB_BBBB00___B__BBBB000BBBBBBBBB00B0___B00000, _00BBBBB____BBBB00BBBBBB000BBBBBBBBBBBB0, __0BB_________B0B00000000BBBBBBBBBB0BB ________________00BBBBBBBBBBBB000000 _____________BBBBB0B00000000000BBBB_ ___________BB0B00BBBBBB0__BBBBBBBBBBB, __________BB_______BBBBB_BB0B00BB____BB, __________0B________BBBB_BBB__________BB, __________0BBBBBBBBBBBB__BBBBB_________B, ____________________________BBBB0BBBBBBB """, """ โผโผโผโผโผโผโผโผโผโผโผโผโผโผโผโผโผโผโผโผโ โผโผโผโผโผโผโผโผโผโผโผโผโผโผโผโผโผโผโโโ โผโผโผโผโผโผโผโผโผโผโผโผโผโผโผโผโผโโโโ โผโผโผโผโผโผโผโผโผโผโผโผโผโผโผโผโโโโโ โผโผโผโผโผโผโผโผโผโผโผโโโโโโโโโโ โผโผโผโผโผโผโผโผโผโโโโโโโโโโโโโ โผโผโผโผโผโผโผโผโโโโโโโโโโโโโโโ โผโผโผโผโผโผโผโโโโโโโโโโโโโโโโโ โผโผโผโผโผโผโผโโโโโโโโโโโโโโโโโโ โผโผโผโผโผโผโโโโโโโโโโโโโโโโโโโโ โผโผโผโผโผโผโโโโโโโโโโโโโโโโโโโโโ โผโผโผโผโผโโโโโโโโโโโโโโโโโโโโโโโ โผโผโผโผโผโผโโโโโโโโโโโโโโโโโโโโโโโ โผโผโผโผโผโโโโโโโโโโโโโโโโโโโโโโโโโ โผโผโผโผโผโโโโโโโโโโโโโโโโโโโโโโโโโ โผโผโผโผโโโโโโโโโโโโโโโโโโโโโโโโโโ โผโผโผโผโโโโโโโโโโโโโโโโโโโโโโโโโโ 
โผโผโผโโโโโโโโโโโโโโโโโโโโโโโโโโโ โผโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โผโผโโโโโโโโโโโโโโโโผโโโโโโโโโโโโ โผโผโโโโโโโโโโโโโโโผโผโผโโโโโโโโโโโ โผโผโโโโโโโโโโโโผโผโผโผโผโผโผโโโโโโโโโโ โผโผโโโโโโโโโโโผโผโผโผโผโผโผโผโโโโโโโโโโ โผโผโผโโโโโโโโโผโผโผโผโผโผโผโผโผโผโโโโโโโโโ โผโผโผโผโผโโโโโผโผโผโผโผโผโผโผโผโผโผโผโผโโโโโโโโ โผโผโผโผโผโผโผโผโผโผโผโผโผโผโผโผโผโผโผโผโผโผโโโโโโโโ โผโผโผโผโผโผโผโผโผโผโผโผโผโผโผโผโผโผโผโผโผโผโผโโโโโโโ โผโผโผโผโผโผโผโผโผโผโผโผโผโผโผโผโผโผโผโผโผโผโผโผโโโโโโ """, """ _____________________________ยถยถ___________________ __________________________ยถยถยถยถยถ___________________ _________________________ยถยถยถยถยถยถยถ__________________ _______________________ยถยถยถยถยถยถยถยถยถ__________________ _______________________ยถยถยถยถยถยถยถยถยถยถ_________________ ________________________ยถยถยถยถยถยถยถยถยถยถ________________ ________________________ยถยถยถยถยถยถยถยถยถยถ________________ _____________________ยถ___ยถยถยถยถยถยถยถยถยถยถ_______________ ___________________ยถยถยถ___ยถยถยถยถยถยถยถยถยถยถ_______________ __________________ยถยถยถยถยถ___ยถยถยถยถยถยถยถยถยถยถ______________ ________________ยถยถยถยถยถยถยถยถ__ยถยถยถยถยถยถยถยถยถยถ______________ ______________ยถยถยถยถยถยถยถยถยถยถ___ยถยถยถยถยถยถยถยถยถยถ_____________ ______________ยถยถยถยถยถยถยถยถยถยถยถ___ยถยถยถยถยถยถยถยถยถยถ____________ _______________ยถยถยถยถยถยถยถยถยถยถ___ยถยถยถยถยถยถยถยถยถยถ____________ ________________ยถยถยถยถยถยถยถยถยถยถ___ยถยถยถยถยถยถยถยถยถยถ___________ ____________ยถ___ยถยถยถยถยถยถยถยถยถยถ___ยถยถยถยถยถยถยถยถยถยถ___________ ___________ยถยถยถ___ยถยถยถยถยถยถยถยถยถยถ___ยถยถยถยถยถยถยถยถยถยถ__________ _________ยถยถยถยถยถ___ยถยถยถยถยถยถยถยถยถยถ___ยถยถยถยถยถยถยถยถยถยถ__________ _______ยถยถยถยถยถยถยถยถ___ยถยถยถยถยถยถยถยถยถยถ___ยถยถยถยถยถยถยถยถยถยถ_________ ______ยถยถยถยถยถยถยถยถยถยถ___ยถยถยถยถยถยถยถยถยถยถ__ยถยถยถยถยถยถยถยถยถยถ_________ ______ยถยถยถยถยถยถยถยถยถยถ___ยถยถยถยถยถยถยถยถยถยถ___ยถยถยถยถยถยถยถยถยถยถ________ _______ยถยถยถยถยถยถยถยถยถยถ___ยถยถยถยถยถยถยถยถยถยถ___ยถยถยถยถยถยถยถยถยถยถ_______ 
__________________________________________________ _________________ยถยถ_ยถยถ________ยถยถ__________________ _________________ยถยถ_ยถยถ________ยถยถ__________________ _________________ยถยถ___________ยถยถ__________________ ___ยถยถยถยถยถยถ___ยถยถยถยถยถยถยถ_ยถยถ___ยถยถยถยถยถยถยถ___ยถยถยถยถยถยถยถ__ยถยถยถยถ__ __ยถยถยถยถยถยถยถ__ยถยถยถยถยถยถยถยถ_ยถยถ__ยถยถยถยถยถยถยถยถ__ยถยถยถยถยถยถยถยถ_ยถยถยถยถยถยถ_ _ยถยถยถ__ยถยถยถ__ยถยถ___ยถยถยถ_ยถยถ__ยถยถ___ยถยถยถ_ยถยถยถ__ยถยถยถยถ_ยถยถ___ยถยถ ยถยถยถ____ยถยถ_ยถยถ_____ยถยถ_ยถยถ_ยถยถ_____ยถยถ_ยถยถ____ยถยถยถ_ยถยถยถยถ___ ยถยถ_____ยถยถ_ยถยถ_____ยถยถ_ยถยถ_ยถยถ_____ยถยถ_ยถยถ_____ยถยถ_ยถยถยถยถยถยถ_ ยถยถยถ____ยถยถ_ยถยถ_____ยถยถ_ยถยถ_ยถยถ_____ยถยถ_ยถยถ____ยถยถยถ____ยถยถยถยถ _ยถยถยถ__ยถยถยถ__ยถยถ___ยถยถยถ_ยถยถ__ยถยถ___ยถยถยถ_ยถยถยถ__ยถยถยถยถ_ยถยถ___ยถยถ _ยถยถยถยถยถยถยถยถ__ยถยถยถยถยถยถยถยถ_ยถยถ__ยถยถยถยถยถยถยถยถ__ยถยถยถยถยถยถยถยถ_ยถยถยถยถยถยถยถ __ยถยถยถยถ_ยถยถ____ยถยถยถยถยถยถ_ยถยถ___ยถยถยถยถ_ยถยถ___ยถยถยถยถ_ยถยถ__ยถยถยถยถยถ_ """, """ ________________________________________________ยถยถ_ยถยถยถยถยถยถยถยถยถ ______________________________________________ยถยถยถยถ________ยถยถ ____________________________________________ยถยถ_ยถยถยถ_______ยถยถ _____ยถยถยถยถยถยถยถยถ_____ยถยถ___ยถยถยถยถ_______________ยถยถ___ยถยถ______ยถยถ ___ยถยถยถ______ยถยถยถ__ยถยถยถ__ยถยถ________________ยถยถ____ยถยถยถ_____ยถยถ ____________ยถยถยถ__ยถยถ_ยถยถยถ_______________ยถยถ______ยถยถ_____ยถยถ ___ยถยถยถยถยถยถยถยถยถยถยถ__ยถยถยถยถยถ____ยถยถยถยถยถยถยถยถยถ__ยถยถ_______ยถยถยถ_____ยถยถ _ยถยถยถยถ______ยถยถยถ__ยถยถ_ยถยถยถ___ยถยถยถยถยถยถยถยถยถ__ยถยถยถยถยถยถยถยถยถยถยถยถยถยถ__ยถยถ ยถยถยถ_______ยถยถยถ__ยถยถยถ__ยถยถยถ_____________________ยถยถยถ_____ยถยถ ยถยถยถยถ____ยถยถยถยถยถ__ยถยถ____ยถยถยถ____________________ยถยถ_____ยถยถ _ยถยถยถยถยถยถยถยถ_ยถยถยถ__ยถยถ_____ยถยถ____________________ยถยถ_____ยถยถ ______________________________________________________ยถยถ__ ________________________________________ยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถ 
_______________________________ยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถ__ ________________________ยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถ_____________ __________________ยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถ________________ _________________ยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถ______________________ ยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถ_________________________ ยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถ_ยถ_ยถยถยถยถยถยถยถยถ_________________________ ยถยถยถยถยถยถยถยถยถยถยถยถยถยถยถ__ยถยถยถยถยถ___ยถ__ยถยถยถยถยถยถ________________________ _ยถยถยถยถยถยถยถยถยถยถยถยถ____ยถยถยถยถยถยถยถยถยถ___ยถยถยถยถยถยถ_______________________ __ยถยถยถยถยถยถยถยถยถ______ยถยถยถยถยถ_______ยถยถยถยถยถยถยถ______________________ ___ยถยถยถยถยถยถ________ยถยถยถยถยถ_________ยถยถยถยถยถยถยถ____________________ ____ยถยถยถยถ_________ยถยถยถยถยถ__________ยถยถยถยถยถยถยถยถ__________________ """, """ โโโโโโโ โโโโโโโโโโโ โโโโโโโโโโโ โโโโโโโโโโโ โโโโโโโโโโโ โโโโโโโโโโโโ โโโโโโโโโโโโ โโโโโโโโโโโโ โโโโโโโโโโโโ โโโโโโโโโโโโ โโโโโโโโโโโโ โโโโโโโโโโโโ โโโโโโโโโโโโ โโโโโโโโโโโโ โโโโโโโโโโโโโ โโโโโโโโโโโโโ โโโโโโโโโโโโโ โโโโโโโโโโโโโ โโโโโโโโโโโโโ โโโโโโโโโโโโโ โโโโโโโโโโโโโ โโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ 
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ """, """ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XX XX XX MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM XX XX MMMMMMMMMMMMMMMMMMMMMssssssssssssssssssssssssssMMMMMMMMMMMMMMMMMMMMM XX XX MMMMMMMMMMMMMMMMss''' '''ssMMMMMMMMMMMMMMMM XX XX MMMMMMMMMMMMyy'' ''yyMMMMMMMMMMMM XX XX MMMMMMMMyy'' ''yyMMMMMMMM XX XX MMMMMy'' ''yMMMMM XX XX MMMy' 'yMMM XX XX Mh' 'hM XX XX - - XX XX XX XX :: :: XX XX MMhh. ..hhhhhh.. ..hhhhhh.. .hhMM XX XX MMMMMh ..hhMMMMMMMMMMhh. .hhMMMMMMMMMMhh.. hMMMMM XX XX ---MMM .hMMMMdd:::dMMMMMMMhh.. ..hhMMMMMMMd:::ddMMMMh. MMM--- XX XX MMMMMM MMmm'' 'mmMMMMMMMMyy. .yyMMMMMMMMmm' ''mmMM MMMMMM XX XX ---mMM '' 'mmMMMMMMMM MMMMMMMMmm' '' MMm--- XX XX yyyym' . 'mMMMMm' 'mMMMMm' . 'myyyy XX XX mm'' .y' ..yyyyy.. '''' '''' ..yyyyy.. 'y. ''mm XX XX MN .sMMMMMMMMMss. . . .ssMMMMMMMMMs. NM XX XX N` MMMMMMMMMMMMMN M M NMMMMMMMMMMMMM `N XX XX + .sMNNNNNMMMMMN+ `N N` +NMMMMMNNNNNMs. + XX XX o+++ ++++Mo M M oM++++ +++o XX XX oo oo XX XX oM oo oo Mo XX XX oMMo M M oMMo XX XX +MMMM s s MMMM+ XX XX +MMMMM+ +++NNNN+ +NNNN+++ +MMMMM+ XX XX +MMMMMMM+ ++NNMMMMMMMMN+ +NMMMMMMMMNN++ +MMMMMMM+ XX XX MMMMMMMMMNN+++NNMMMMMMMMMMMMMMNNNNMMMMMMMMMMMMMMNN+++NNMMMMMMMMM XX XX yMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMy XX XX m yMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMy m XX XX MMm yMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMy mMM XX XX MMMm .yyMMMMMMMMMMMMMMMM MMMMMMMMMM MMMMMMMMMMMMMMMMyy. 
mMMM XX XX MMMMd ''''hhhhh odddo obbbo hhhh'''' dMMMM XX XX MMMMMd 'hMMMMMMMMMMddddddMMMMMMMMMMh' dMMMMM XX XX MMMMMMd 'hMMMMMMMMMMMMMMMMMMMMMMh' dMMMMMM XX XX MMMMMMM- ''ddMMMMMMMMMMMMMMdd'' -MMMMMMM XX XX MMMMMMMM '::dddddddd::' MMMMMMMM XX XX MMMMMMMM- -MMMMMMMM XX XX MMMMMMMMM MMMMMMMMM XX XX MMMMMMMMMy yMMMMMMMMM XX XX MMMMMMMMMMy. .yMMMMMMMMMM XX XX MMMMMMMMMMMMy. .yMMMMMMMMMMMM XX XX MMMMMMMMMMMMMMy. .yMMMMMMMMMMMMMM XX XX MMMMMMMMMMMMMMMMs. .sMMMMMMMMMMMMMMMM XX XX MMMMMMMMMMMMMMMMMMss. .... .ssMMMMMMMMMMMMMMMMMM XX XX MMMMMMMMMMMMMMMMMMMMNo oNNNNo oNMMMMMMMMMMMMMMMMMMMM XX XX XX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX .o88o. o8o . 888 `" `"' .o8 o888oo .oooo.o .ooooo. .ooooo. oooo .ooooo. .o888oo oooo ooo 888 d88( "8 d88' `88b d88' `"Y8 `888 d88' `88b 888 `88. .8' 888 `"Y88b. 888 888 888 888 888ooo888 888 `88..8' 888 o. )88b 888 888 888 .o8 888 888 .o 888 . `888' o888o 8""888P' `Y8bod8P' `Y8bod8P' o888o `Y8bod8P' "888" d8' .o...P' `XER0' """, """ :================: /||# nmap -A _ || / || || | || || \\ || || ================== ........... / \\............. :\\ ############ \\ : --------------------------------- : | * |__________|| :::::::::: | \\ | | || ....... | --------------------------------- 8 """, """ ....::::.... ::::::::::::::::::::::::.. ;;;;,,::::,,,,,,,,,,,,::::,,,,;; ,,ii,,,,iijjjjjjLLKKEEffjjjjjjii,,,,ii,, ..iiii,,;;LLffjj,,jjiiLLLL,,ii,,jjffLL,,,,;;ii ..ii,,,,jjjjLLjjjj;;jjLL##WWffjj;;jjjjLLjjtt,,,,ii.. ::ii,,,,tt;;,,ffjjjj;;jjKKKKKKKKjj;;ffjjff,,;;tt,,,,ii,, ..ii,,iijj,,::::jj,,ff;;jjEE####EEjj;;ff,,jj::::,,jjii,,ii.. ..iiiijjff;;::::jj::jj;;iijjEEEEjjii;;jj,,jj::::;;ffjjiiii.. ..,,iiiiiiiiiiff::,,jj,,iiffff;;,,jj,,,,ffiiiiiiiiii,,.. ::iijj;;ii,,;;ii;;jjjj;;iiii,,iiiijjii:: ,,ii,,,,,,,,iijjjjii,,,,,,,,ii,, ..,,.. ..,,.. ..,,,,,,,,,,,,,,,,,,,,.. iijjjj iijjjj.. ..::::::::::::.. iittjj:: ,,iitt.. ,,iiiitt.. ,,;;ii.. 
,,iijjjjii ,,;;ii....ii;; ,,iijjjjjj::,,iitt..,,jjjjjjtt;;;;,,.. ::iittii;; ..jjffttii,, ,,;;jjiiiitt,,;;ii..,,jjffttjjjjjjjjjj,, ,,jjjjjjjjii..::;;jjjjiijjii.. ,,;;jj,,;;ttii;;ii..,,iijj,,iijjffiijjjj.. ,,ttttjjii::iiffff;;iijjii ,,iijj..;;ttjjiitt..,,iitt..iijjjj,,iijj;;..iijjjjttjjjj::;;jjii..iiiiii ,,iijj ::;;iijjjj..,,iijj..iijjjj,,iijj;;,,jjLLiiiijjjj,,iiffff;;iijjii ,,iijj ,,;;;;tt..,,iitt..iijjjj,,iijj;;iijjjj iijjjj,,;;jjjjiijjii.. ,,;;jj ..;;;;ii..,,iijj..;;jjjj,,iijj;;iijjffiiiijjjj,,;;jjtt;;.. iiiijj iittjj..;;jjjj..iijjff,,iijj;;..iijjjjjjjjjj,,;;jjii ..;;:: ..;;,, ..;;,, ..,,.. ,,;; ..,,ii;;ii,, ,,;;.. """, """ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ 
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ """, """ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ 
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ """ ] EVT_STRS = random.choice(evntstrslist) EVT_DATA = random.choice(evntstrslist).decode() win32evtlogutil.ReportEvent(EVT_APP_NAME, EVT_ID, EVT_CATEG, eventType=win32evtlog.EVENTLOG_WARNING_TYPE, strings = EVT_STRS, data = EVT_DATA)
def write_result_eventlog_hierarchy(self, res):
    """Write one WARNING event per anomaly in ``res`` to the "SysmonCorrelator" source.

    Each event carries four insert strings (rule name, rule id, computer,
    "Data: ") plus a fifth, multi-line "alert" string that renders the
    anomaly's process chain as an indented tree.  The current process token's
    user SID is attached as the event author.

    Relies on the module-level helpers ``get_action_from_id`` and
    ``get_default_parameter_from_id`` and on ``self.log``; the shape of the
    ``res`` entries (dict keys and the ``process.acciones`` layout) is taken
    from how they are indexed below and is not otherwise validated.
    """
    # SID of the user owning this process's token; passed to every ReportEvent call.
    ph = win32api.GetCurrentProcess()
    th = win32security.OpenProcessToken(ph, win32con.TOKEN_READ)
    my_sid = win32security.GetTokenInformation(th, win32security.TokenUser)[0]
    myType = win32evtlog.EVENTLOG_WARNING_TYPE
    applicationName = "SysmonCorrelator"
    tab = '--'
    # NOTE(review): ``data`` is passed to ReportEvent as a str, while the other
    # ReportEvent calls in this listing encode it to bytes first — confirm
    # pywin32 accepts a str here.
    data = "Not configured, use -l option"
    for anomaly in res:
        # The rule id doubles as the event id; category is fixed at 1.
        eventID = anomaly['RuleID']
        category = 1
        descr = [
            "RuleName: " + anomaly['Rulename'],
            "RuleID: " + str(anomaly['RuleID']),
            "Computer: " + anomaly['Computer'],
            "Data: ",
        ]
        alert = ""
        alert += "\n"
        alert += "\tPHE ALERT [%s]: %s\n" % (anomaly['RuleID'], anomaly['Rulename'])
        tab = '--'  # re-assigned every iteration; same value as the outer ``tab``
        ntabs = 0
        # The chain is walked in reverse so the indent deepens from root to leaf.
        # A leading '!' marks entries whose first action of type '1' is flagged.
        for process in reversed(anomaly['ProcessChain']):
            ntabs += 1
            if process.acciones['1'][0]['Alert']:
                alert += "\t!%s> %s (%s) [%s] %s\n" % (
                    tab * ntabs, get_action_from_id(1), process.pid,
                    process.acciones['1'][0]['ProcessTTL'], process.cmd)
                #process.acciones['1'][0]['Alert'] = False
            else:
                alert += "\t%s> %s (%s) [%s] %s\n" % (
                    tab * ntabs, get_action_from_id(1), process.pid,
                    process.acciones['1'][0]['ProcessTTL'], process.cmd)
            # Remaining actions are listed two indent levels deeper than the process.
            for action_type in process.acciones:
                for action in process.acciones[action_type]:
                    param = get_default_parameter_from_id(int(action_type))
                    if int(action_type) != 1:
                        # Non-type-1 actions appear only when flagged.
                        if action['Alert']:
                            alert += "\t!%s> %s %s\n" % (
                                tab * (ntabs + 2),
                                get_action_from_id(int(action_type)), action[param])
                    # Special case for Real Parent: only reached for type-1 actions,
                    # and only when they were created by an injected thread.
                    elif action['CreationType'] == 'InjectedThread':
                        alert += "\t!%s> [I] REAL PARENT %s\n" % (
                            tab * (ntabs + 2), action['RealParent'])
        descr.append(alert)
        self.log.debug("Writing to eventlog: %s" % anomaly)
        win32evtlogutil.ReportEvent(applicationName, eventID, eventCategory=category,
                                    eventType=myType, strings=descr, data=data, sid=my_sid)
# Writing to the windows logs in Python import win32evtlogutil win32evtlogutil.ReportEvent(ApplicationName, EventID, EventCategory, EventType, Inserts, Data, SID)
def log_msg(prog, event_id, msg_type, message):
    """Write a single-insert event to the Windows event log.

    Args:
        prog: event source / application name, passed as the first ReportEvent argument.
        event_id: numeric event ID.
        msg_type: event type value (e.g. a ``win32evtlog.EVENTLOG_*_TYPE`` constant).
        message: text of the event's only insert string.
    """
    inserts = [message]
    win32evtlogutil.ReportEvent(prog, event_id, eventType=msg_type, strings=inserts)
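def test():
    """Command-line driver: write three sample records to an event log and/or read it back.

    Options parsed from ``sys.argv``: ``-t LOG`` log type (default "Application"),
    ``-c COMPUTER`` machine to read from, ``-r`` skip reading, ``-w`` skip writing,
    ``-v`` verbose reading, ``-h``/``-?`` print usage.  Returns 1 on a usage error,
    otherwise None.  Relies on the module-level ``usage`` and ``ReadLog`` helpers
    and on the win32 modules imported by the file.
    """
    # check if running on Windows NT, if not, display notice and terminate
    if win32api.GetVersion() & 0x80000000:
        print("This sample only runs on NT")
        return
    import sys
    import getopt
    # An unknown option previously escaped as an uncaught GetoptError traceback;
    # report it as a usage error, like the stray-positional-argument case below.
    try:
        opts, args = getopt.getopt(sys.argv[1:], "rwh?c:t:v")
    except getopt.GetoptError as err:
        print("Invalid args: %s" % err)
        usage()
        return 1
    computer = None
    do_read = do_write = 1
    logType = "Application"
    verbose = 0
    if args:
        print("Invalid args")
        usage()
        return 1
    for opt, val in opts:
        if opt == '-t':
            logType = val
        elif opt == '-c':
            computer = val
        elif opt in ('-h', '-?'):
            usage()
            return
        elif opt == '-r':
            do_read = 0
        elif opt == '-w':
            do_write = 0
        elif opt == '-v':
            verbose = verbose + 1
    if do_write:
        # The SID of this process's token user is recorded as the author of each event.
        ph = win32api.GetCurrentProcess()
        th = win32security.OpenProcessToken(ph, win32con.TOKEN_READ)
        my_sid = win32security.GetTokenInformation(th, win32security.TokenUser)[0]
        # Event data is binary; encode it once and attach it to all three records.
        raw_data = "Raw\0Data".encode("ascii")
        win32evtlogutil.ReportEvent(
            logType, 2,
            strings=["The message text for event 2", "Another insert"],
            data=raw_data, sid=my_sid)
        win32evtlogutil.ReportEvent(
            logType, 1, eventType=win32evtlog.EVENTLOG_WARNING_TYPE,
            strings=["A warning", "An even more dire warning"],
            data=raw_data, sid=my_sid)
        win32evtlogutil.ReportEvent(
            logType, 1, eventType=win32evtlog.EVENTLOG_INFORMATION_TYPE,
            strings=["An info", "Too much info"],
            data=raw_data, sid=my_sid)
        print("Successfully wrote 3 records to the log")
    if do_read:
        ReadLog(computer, logType, verbose > 0)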
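class SyslogUDPHandler(SocketServer.BaseRequestHandler):
    """Forward each received UDP datagram into the Windows event log as event 1001.

    The sender's address and the decoded payload become the event's two insert
    strings.  Uses the module-level ``logger_name`` as the event source.
    """

    def handle(self):
        # request[0] is the datagram payload; request[1] (the socket) is not used here.
        raw = self.request[0].strip()
        # Datagrams come from arbitrary, unauthenticated senders and are not
        # guaranteed to be valid UTF-8; substitute undecodable bytes instead of
        # letting UnicodeDecodeError abort the handler for that packet.
        data = raw.decode(errors="replace")
        print()
        win32evtlogutil.ReportEvent(
            logger_name,  # Application name
            1001,  # Event ID
            0,  # Event category
            win32evtlog.EVENTLOG_INFORMATION_TYPE,
            (self.client_address[0], data))


if __name__ == "__main__":
    try:
        # Registers the event source in the EventLog registry key so the
        # messages render; this write typically needs elevated rights.
        win32evtlogutil.AddSourceToRegistry(logger_name)
        win32evtlogutil.ReportEvent(
            logger_name,  # Application name
            1001,  # Event ID
            0,  # Event category
            win32evtlog.EVENTLOG_INFORMATION_TYPE,
            (logger_name, "Started."))
        # HOST and PORT are module-level settings defined elsewhere in the file.
        server = SocketServer.UDPServer((HOST, PORT), SyslogUDPHandler)
        server.serve_forever(poll_interval=0.5)
    except (IOError, SystemExit):
        raise
    except KeyboardInterrupt:
        print("Crtl+C Pressed. Shutting down.")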
c, addr = s.accept() # Establish connection with client. hostname = str(addr[0]) print("Got connection from %s" % hostname) c.send(nasty_msg) print("Blocking the address: %s" % hostname) # If there is a full connection, create a firewall rule # Run the command associated with the platform being run: if platform == "Windows": print("Sending alert to EVENT LOG") win32evtlogutil.ReportEvent( "HoneyPortAlert", 4242, eventType=win32evtlog.EVENTLOG_WARNING_TYPE, strings=[ "Detected HoneyPort Hit", "HoneyPort hit from " + hostname + " on port " + str(port) ], data=(hostname + "\0" + str(port)).encode("ascii")) print("Creating a Windows Firewall Rule\n") fw_result = call( 'netsh advfirewall firewall add rule name="honeyports" dir=in remoteip= ' + hostname + ' localport=any protocol=TCP action=block > NUL', shell=True) flush = 'netsh', 'advfirewall reset' fwlist = "netsh", """ advfirewall firewall show rule name=honeyports | find "RemoteIP" """ elif platform == "Linux": print("Creating a Linux Firewall Rule\n") fw_result = os.popen('/sbin/iptables -A INPUT -s ' + hostname +
import win32api
import win32con
import win32evtlog
import win32security
import win32evtlogutil

# Resolve the SID of the user owning this process's token; it is attached to
# the event as its author.
ph = win32api.GetCurrentProcess()
th = win32security.OpenProcessToken(ph, win32con.TOKEN_READ)
my_sid = win32security.GetTokenInformation(th, win32security.TokenUser)[0]

# Event identity and payload: two insert strings plus NUL-separated binary data.
applicationName = "My Application"
eventID = 1
category = 5  # Shell
myType = win32evtlog.EVENTLOG_WARNING_TYPE
descr = ["A warning", "An even more dire warning"]
data = "Application\0Data".encode("ascii")

event_kwargs = {
    "eventCategory": category,
    "eventType": myType,
    "strings": descr,
    "data": data,
    "sid": my_sid,
}
win32evtlogutil.ReportEvent(applicationName, eventID, **event_kwargs)
def SvcDoRun(self):
    """Service main loop: poll a per-day case log for lines carrying code '1014'.

    Every pass checks ``self._CompareDateFile()``; while it holds, the current
    ``self.case_log_file`` is re-read whenever its line count changed, otherwise
    the file name is rebuilt from today's date (``CASE_<YYYYMMDD>.log`` under
    ``self.case_log_dir``) and scanned once.  Matching lines are printed and
    logged.  The loop runs until ``self.isAlive`` is false, then reports
    SERVICE_STOPPED.

    NOTE(review): the original comments were non-English and are mojibake in
    this copy; the glosses below are inferred from the code and should be
    confirmed against the original source.
    """
    # import servicemanager
    # Write a 'started' event to the event log... (not required)
    # win32evtlogutil.ReportEvent(self._svc_name_, servicemanager.PYS_SERVICE_STARTED, 0, servicemanager.EVENTLOG_INFORMATION_TYPE, (self._svc_name_, ''))
    # methode 1: wait for beeing stopped ...
    # win32event.WaitForSingleObject(self.hWaitStop, win32event.INFINITE)
    # methode 2: wait for beeing stopped ...
    self.timeout = 1000
    self.logger.info('service is begin...')
    cnt_end = 0  # line count recorded at the end of the previous scan (inferred)
    while self.isAlive:
        # wait for service stop signal, if timeout, loop again
        # NOTE(review): ``rc`` is never examined, so a signalled hWaitStop does
        # not end the loop by itself; only ``self.isAlive`` does, and each pass
        # sleeps 50 s, so a stop request can take up to that long to take effect.
        rc = win32event.WaitForSingleObject(self.hWaitStop, self.timeout)
        self.logger.info('service is running...')
        if self._CompareDateFile():  # presumably: the log file matches today's date — confirm
            cnt = self._getLineCnt()  # current line count
            self.logger.info('ๅผๅง่กๆฐcnt' + str(cnt))
            # Rescan only when the file is non-empty and grew since the last pass.
            if self._getLineCnt() and (cnt_end != cnt):
                #---------------------
                for line in linecache.getlines(self.case_log_file):
                    start = line.find('|')  # first '|'
                    end = line.find('|', line.find('|') + 1)  # second '|'
                    if line[start + 1:end] == '1014':  # field between the first two '|' is the trigger code
                        # Prints the 19 characters before the first '|' (presumably a timestamp).
                        print(line[start - 19:start])
                        #os.system('mstsc')
                        self.logger.info('ๆง่กmstsc')
            else:
                self.logger.info('ๆฒกๆฐ่ฎฐๅฝ')  # no new records (inferred)
            cnt_end = self._getLineCnt()
            self.logger.info('ๆๅ่กๆฐcnt_end' + str(cnt_end))
            time.sleep(50)  # poll interval
        else:
            # Date changed: switch to today's CASE_<YYYYMMDD>.log and scan it once.
            current_time = time.strftime('%Y%m%d', time.localtime(time.time()))
            self.case_log_file = os.path.join(self.case_log_dir, 'CASE_' + current_time + '.log')
            cnt = self._getLineCnt()
            cnt_end = 0
            if self._getLineCnt():  # file is non-empty
                #---------------------
                for line in linecache.getlines(self.case_log_file):
                    start = line.find('|')  # first '|'
                    end = line.find('|', line.find('|') + 1)  # second '|'
                    if line[start + 1:end] == '1014':
                        print(line[start - 19:start])
                        #os.system('mstsc')
                        self.logger.info('ๆง่กmstsc')
                cnt_end = self._getLineCnt()  # remember the count so the next pass only rescans on growth
            time.sleep(50)
    # ---------------------
    # and write a 'stopped' event to the event log (not required)
    # win32evtlogutil.ReportEvent(self._svc_name_, servicemanager.PYS_SERVICE_STOPPED, 0, servicemanager.EVENTLOG_INFORMATION_TYPE, (self._svc_name_, ''))
    self.ReportServiceStatus(win32service.SERVICE_STOPPED)
    return
def log(eventID, category, logdesc, data):
    """Write an event for the module-level ``applicationName`` to the Windows event log.

    ``category`` is looked up in the module-level ``eventCategories`` mapping;
    an unknown category falls back to 4 (the value of EVENTLOG_INFORMATION_TYPE).
    The looked-up value is passed as both the event category and the event type.
    ``logdesc`` is the list of insert strings; ``data`` is ASCII-encoded before
    being attached as binary event data (non-ASCII text raises UnicodeEncodeError).
    The event author is the module-level ``token_sid``.
    """
    eventType = eventCategories[category] if category in eventCategories else 4
    encoded = data.encode('ascii')
    win32evtlogutil.ReportEvent(
        applicationName,
        eventID,
        eventCategory=eventType,
        eventType=eventType,
        strings=logdesc,
        data=encoded,
        sid=token_sid,
    )
def _log_detail(self, descripton, type):
    """Report event ID 1 for ``self.appName`` with ``descripton`` as its only insert string.

    ``type`` is passed through unchanged as the event type (e.g. a
    ``win32evtlog.EVENTLOG_*_TYPE`` constant).  The parameter names are kept
    as callers use them; note that ``type`` shadows the builtin in this method.
    """
    source = self.appName
    inserts = [descripton]
    win32evtlogutil.ReportEvent(source, 1, eventType=type, strings=inserts)