 def detail_service_open(entry):
     """Render a service-open event as ``"object event|sanitized|detail"``.

     ``entry`` is an event dict with ``object``, ``event`` and ``data`` keys;
     ``data`` carries ``name`` (the service name) and ``access`` (the raw
     requested-access value).  The sanitized middle field pairs the sanitized
     name with the raw access value; the detail field pairs the raw name with
     the access value pretty printed as a ``DesiredAccess`` argument.
     """
     data = entry["data"]
     svc_name = data["name"]
     access_raw = data["access"]
     # The pretty printer joins flag names with "|", which is also our field
     # separator, so flag unions are spelled " OR " instead.
     access_pretty = pretty_print_arg("services", None, "DesiredAccess",
                                      access_raw).replace("|", " OR ")
     header = entry["object"] + " " + entry["event"]
     sanitized = sanitize_generic(svc_name) + " " + access_raw
     detail = svc_name + " " + access_pretty
     return "|".join([header, sanitized, detail])
 def detail_winhook(entry):
     """Render a Windows-hook event as ``"object event|sanitized|detail"``.

     The hook id in ``entry["data"]["id"]`` is pretty printed as a
     ``HookIdentifier``; when the pretty printer yields a falsy value the raw
     id is used verbatim in both the sanitized and the detail field.
     """
     raw_id = entry["data"]["id"]
     hook_name = pretty_print_arg(None, None, "HookIdentifier", raw_id) or raw_id
     header = entry["object"] + " " + entry["event"]
     return header + "|" + sanitize_generic(hook_name) + "|" + hook_name
    def detail_section_map(entry):
        """Render a section-mapping event as ``"object event|sanitized|detail"``.

        ``data`` carries ``process`` (a handle passed through
        ``detail_process_aux_handle``, whose result is indexed as
        ``[0]`` = sanitized form and ``[1]`` = raw form), ``section`` (a handle
        that is resolved to a file name through ``open_handles`` when one was
        recorded), ``protect`` (the raw Win32 protection value) and ``addr``
        (the base address).

        Side effect: ``addr`` is recorded in the module-level ``mapped`` table.
        """
        data = entry["data"]
        proc_handle = detail_process_aux_handle(data["process"])
        sect_handle = data["section"]
        # Resolve the section handle to the file it was opened on, if we saw
        # that open happen; otherwise fall back to reporting the handle itself.
        file_name = open_handles.get(sect_handle)

        protect_raw = data["protect"]
        # "|" is our field separator, so flag unions are spelled " OR ".
        protect = pretty_print_arg(None, None, "Win32Protect",
                                   protect_raw).replace("|", " OR ")

        addr = data["addr"]
        mapped[addr] = True

        header = entry["object"] + " " + entry["event"]
        if not file_name:
            sanitized = proc_handle[0] + " " + sanitize_generic(protect_raw)
            detail = (proc_handle[1] + " BaseAddr:" + addr + " Section:" +
                      sect_handle + " (" + protect + ")")
        else:
            sanitized = (proc_handle[0] + " " + sanitize_file(file_name) + " " +
                         sanitize_generic(protect_raw))
            detail = (proc_handle[1] + " BaseAddr:" + addr + " File:" +
                      file_name + " (" + protect + ")")
        return header + "|" + sanitized + "|" + detail
    def detail_memory_protect(entry):
        """Render a memory-protection change as ``"object event|sanitized|detail"``.

        ``data`` carries ``handle`` (passed through ``detail_process_aux_handle``;
        ``[0]`` is the sanitized form, ``[1]`` the raw one), ``protection``
        (pretty printed as a ``Protection`` argument), ``addr`` and ``size``.
        Note that the sanitized field is built from the pretty-printed
        protection string, not from the raw ``protection`` value.
        """
        data = entry["data"]
        proc = detail_process_aux_handle(data["handle"])
        # "|" is our field separator, so flag unions are spelled " OR ".
        protect = pretty_print_arg(None, None, "Protection",
                                   data["protection"]).replace("|", " OR ")
        fields = [
            entry["object"] + " " + entry["event"],
            proc[0] + " " + sanitize_generic(protect),
            proc[1] + " BaseAddr:" + data["addr"] + " Size:" + data["size"] +
            " (" + protect + ")",
        ]
        return "|".join(fields)
    def detail_device(entry):
        """Render a device I/O control event as ``"object event|sanitized|detail"``.

        The control code in ``data["code"]`` is pretty printed as an
        ``IoControlCode``; when no pretty form is available the raw code is
        used as-is.  ``data["handle"]`` is replaced by the file name recorded
        in ``open_handles`` if that handle was seen being opened.
        """
        data = entry["data"]
        code = data["code"]
        pretty_code = pretty_print_arg(None, None, "IoControlCode", code)
        # Fall back to the raw code; a pretty form must not contain our "|"
        # field separator, so flag unions are spelled " OR ".
        code_text = pretty_code.replace("|", " OR ") if pretty_code else code

        handle = data["handle"]
        target = open_handles.get(handle, handle)

        header = entry["object"] + " " + entry["event"]
        return (header + "|" + sanitize_generic(code_text) + " " +
                sanitize_file(target) + "|" + code_text + " " + target)
    def detail_file_open(entry):
        """Render a successful file-create event, or return ``None`` to drop it.

        Whenever ``entry["status"]`` is truthy the handle-to-name mapping is
        recorded in ``open_handles``, even if the event itself is dropped.
        The event is dropped when ``data`` has no ``disposition``, when the
        call failed, or when the disposition is ``"1"`` or ``"4"`` (the values
        the original author treats as not creating a file).  Otherwise the
        result is ``"object event|sanitized|name (pretty disposition)"``.
        """
        data = entry["data"]
        handle = data["handle"]
        name = data["file"]
        succeeded = entry["status"]
        if succeeded:
            open_handles[handle] = name

        # do not include this event unless it is successfully creating a file
        if "disposition" not in data or not succeeded:
            return None
        disposition = data["disposition"]
        if disposition in ["1", "4"]:
            return None

        # "|" is our field separator, so flag unions are spelled " OR ".
        pretty = pretty_print_arg(None, None, "CreateDisposition",
                                  disposition).replace("|", " OR ")
        header = entry["object"] + " " + entry["event"]
        return header + "|" + sanitize_file(name) + "|" + name + " (" + pretty + ")"
ファイル: behavior.py プロジェクト: kevoreilly/CAPEv2
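    def _parse(self, row):
        """Parse log row.
        @param row: row data.
        @return: parsed information dict.

        ``row`` is one record of the process log: nine fixed columns
        (timestamp, thread id, caller, parent caller, category, API name,
        repeat count, status, return value) followed by ``(name, value)``
        argument pairs.  Rows that are too short, or whose status column is
        not an integer, are logged at debug level and yield ``None``.
        Argument pairs that cannot be unpacked or converted to printable text
        are logged and skipped so that one bad column does not lose the whole
        call.  Nothing upstream of this method validates the row contents, so
        every per-row failure is handled here rather than propagated.
        """
        arguments = []

        try:
            timestamp = row[0]  # Timestamp of current API call invocation.
            thread_id = row[1]  # Thread ID.
            caller = row[2]  # non-system DLL return address
            parentcaller = row[3]  # non-system DLL parent of non-system-DLL return address
            category = row[4]  # Win32 function category.
            api_name = row[5]  # Name of the Windows API.
            repeated = row[6]  # Times log repeated
            status_value = row[7]  # Success or Failure?
            return_value = row[8]  # Value returned by the function.
        except IndexError as e:
            log.debug("Unable to parse process log row: %s", e)
            return None

        # A non-numeric status column is a malformed row; drop it the same way
        # a short row is dropped instead of letting ValueError escape.
        try:
            status = bool(int(status_value))
        except (TypeError, ValueError) as e:
            log.debug("Unable to parse process log row status %r: %s", status_value, e)
            return None

        # Now walk through the remaining columns, which will contain API
        # arguments.
        for api_arg in row[9:]:
            # Each column is expected to be a (name, value) pair; anything
            # that does not unpack as such is skipped, not fatal.
            try:
                arg_name, arg_value = api_arg
            except (TypeError, ValueError) as e:
                log.debug("Unable to parse analysis row argument (row=%s): %s", api_arg, e)
                continue

            argument = {"name": arg_name}
            if isinstance(arg_value, bytes):
                arg_value = bytes2str(arg_value)

            # A non-empty list whose first element is bytes is joined into one
            # string.  This relies on bytes2str mapping over a list — confirm
            # against its definition.
            if isinstance(arg_value, list) and arg_value and isinstance(arg_value[0], bytes):
                arg_value = " ".join(bytes2str(arg_value))

            try:
                argument["value"] = convert_to_printable(arg_value, self.conversion_cache)
            except Exception:
                # Log a descriptive message with the value as a parameter
                # rather than using the raw value itself as the log message;
                # the traceback is attached via exc_info.
                log.error("Unable to convert argument %s (value=%r) to printable form",
                          arg_name, arg_value, exc_info=True)
                continue
            if not self.reporting_mode:
                argument["raw_value"] = arg_value
            pretty = pretty_print_arg(category, api_name, arg_name, argument["value"])
            if pretty:
                argument["pretty_value"] = pretty
            arguments.append(argument)

        call = {
            "timestamp": timestamp,
            "thread_id": str(thread_id),
            "caller": f"0x{default_converter(caller):08x}",
            "parentcaller": f"0x{default_converter(parentcaller):08x}",
            "category": category,
            "api": api_name,
            "status": status,
        }

        # Integer return values are rendered as zero-padded hex; anything else
        # is stringified and made printable like an argument value.
        if isinstance(return_value, int):
            call["return"] = f"0x{default_converter(return_value):08x}"
        else:
            call["return"] = convert_to_printable(str(return_value), self.conversion_cache)

        prettyret = pretty_print_retval(call["status"], call["return"])
        if prettyret:
            call["pretty_return"] = prettyret

        call["arguments"] = arguments
        call["repeated"] = repeated

        # add the thread id to our thread set
        if call["thread_id"] not in self.threads:
            self.threads.append(call["thread_id"])

        return call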
ファイル: behavior.py プロジェクト: spark2k06/cuckoo-modified
    def _parse(self, row):
        """Parse log row.
        @param row: row data.
        @return: parsed information dict.

        The first nine columns are fixed (timestamp, thread id, caller,
        parent caller, category, API name, repeat count, status, return
        value); every later column is a ``(name, value)`` argument pair.
        Returns ``None`` when the row has fewer than nine columns; argument
        pairs that do not unpack are logged at debug level and skipped.
        """
        try:
            timestamp, thread_id = row[0], row[1]  # call timestamp, thread id
            caller, parentcaller = row[2], row[3]  # non-system DLL return address and its parent
            category, api_name = row[4], row[5]  # Win32 function category, API name
            repeated, status_value, return_value = row[6], row[7], row[8]  # repeat count, status, return value
        except IndexError as e:
            log.debug("Unable to parse process log row: %s", e)
            return None

        # Remaining columns are API arguments.
        arguments = []
        for api_arg in row[9:]:
            # Split the argument name with its value based on the separator.
            try:
                arg_name, arg_value = api_arg
            except ValueError as e:
                log.debug("Unable to parse analysis row argument (row=%s): %s", api_arg, e)
                continue

            argument = {
                "name": arg_name,
                "value": convert_to_printable(str(arg_value), self.conversion_cache),
            }
            if not self.reporting_mode:
                argument["raw_value"] = arg_value
            pretty = pretty_print_arg(category, api_name, arg_name, argument["value"])
            if pretty:
                argument["pretty_value"] = pretty
            arguments.append(argument)

        call = {
            "timestamp": timestamp,
            "thread_id": str(thread_id),
            "caller": "0x%.08x" % caller,
            "parentcaller": "0x%.08x" % parentcaller,
            "category": category,
            "api": api_name,
            "status": bool(int(status_value)),
        }

        # Integer return values (Python 2 int or long) are rendered as
        # zero-padded hex; anything else is stringified and made printable.
        if isinstance(return_value, int) or isinstance(return_value, long):
            call["return"] = "0x%.08x" % return_value
        else:
            call["return"] = convert_to_printable(str(return_value), self.conversion_cache)

        prettyret = pretty_print_retval(category, api_name, call["status"], call["return"])
        if prettyret:
            call["pretty_return"] = prettyret

        call["arguments"] = arguments
        call["repeated"] = repeated

        # add the thread id to our thread set
        tid = call["thread_id"]
        if tid not in self.threads:
            self.threads.append(tid)

        return call
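    def _parse(self, row):
        """Parse log row.
        @param row: row data.
        @return: parsed information dict.

        ``row`` holds nine fixed columns (timestamp, thread id, caller,
        parent caller, category, API name, repeat count, status, return
        value) followed by ``(name, value)`` argument pairs.  Returns ``None``
        for rows that are too short or whose status column is not an integer;
        argument pairs that do not unpack are logged and skipped so one bad
        column does not lose the whole call.
        """
        call = {}
        arguments = []

        try:
            timestamp = row[0]  # Timestamp of current API call invocation.
            thread_id = row[1]  # Thread ID.
            caller = row[2]  # non-system DLL return address
            parentcaller = row[3]  # non-system DLL parent of non-system-DLL return address
            category = row[4]  # Win32 function category.
            api_name = row[5]  # Name of the Windows API.
            repeated = row[6]  # Times log repeated
            status_value = row[7]  # Success or Failure?
            return_value = row[8]  # Value returned by the function.
        except IndexError as e:
            log.debug("Unable to parse process log row: %s", e)
            return None

        # A non-numeric status column is a malformed row; drop it the same way
        # a short row is dropped instead of letting ValueError escape.
        try:
            status = bool(int(status_value))
        except (TypeError, ValueError) as e:
            log.debug("Unable to parse process log row status %r: %s", status_value, e)
            return None

        # Now walk through the remaining columns, which will contain API
        # arguments.
        for api_arg in row[9:]:
            # Each column is expected to be a (name, value) pair; anything
            # that does not unpack as such is skipped, not fatal.
            try:
                arg_name, arg_value = api_arg
            except (TypeError, ValueError) as e:
                log.debug("Unable to parse analysis row argument (row=%s): %s",
                          api_arg, e)
                continue

            if isinstance(arg_value, bytes):
                arg_value = bytes2str(arg_value)
            argument = {
                "name": arg_name,
                "value": convert_to_printable(str(arg_value), self.conversion_cache),
            }
            if not self.reporting_mode:
                argument["raw_value"] = arg_value
            pretty = pretty_print_arg(category, api_name, arg_name, argument["value"])
            if pretty:
                argument["pretty_value"] = pretty
            arguments.append(argument)

        call["timestamp"] = timestamp
        call["thread_id"] = str(thread_id)
        call["caller"] = "0x%.08x" % default_converter(caller)
        call["parentcaller"] = "0x%.08x" % default_converter(parentcaller)
        call["category"] = category
        call["api"] = api_name
        call["status"] = status

        # Integer return values are rendered as zero-padded hex; anything else
        # is stringified and made printable like an argument value.  The
        # original test repeated `isinstance(return_value, int)` twice (a
        # leftover of the Python 2 int/long split); one check is equivalent.
        if isinstance(return_value, int):
            call["return"] = "0x%.08x" % default_converter(return_value)
        else:
            call["return"] = convert_to_printable(str(return_value), self.conversion_cache)

        prettyret = pretty_print_retval(category, api_name, call["status"], call["return"])
        if prettyret:
            call["pretty_return"] = prettyret

        call["arguments"] = arguments
        call["repeated"] = repeated

        # add the thread id to our thread set
        if call["thread_id"] not in self.threads:
            self.threads.append(call["thread_id"])

        return call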