def getsids(self):
    """Volatility getsids plugin.
    @see volatility/plugins/malware/getsids.py

    Returns a dict with an empty ``config`` and a ``data`` list holding one
    row per (process, SID) pair; ``sid_name`` is " name" for a known SID
    (leading space included) and "" otherwise.
    """
    def resolve_name(sid_string):
        # Exact well-known table first, then the regex table; the leading
        # space is part of the emitted value.
        if sid_string in sidm.well_known_sids:
            return " {0}".format(sidm.well_known_sids[sid_string])
        match = sidm.find_sid_re(sid_string, sidm.well_known_sid_re)
        return " {0}".format(match) if match else ""

    plugin = self.plugins["getsids"](self.config)
    rows = []
    for task in plugin.calculate():
        token = task.get_token()
        if not token:
            # Processes without a readable token contribute no rows.
            continue
        for sid_string in token.get_sids():
            rows.append({
                "filename": str(task.ImageFileName),
                "process_id": int(task.UniqueProcessId),
                "sid_string": str(sid_string),
                "sid_name": str(resolve_name(sid_string)),
            })
    return dict(config={}, data=rows)
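def get_sid_string(self, data):
    """Take a buffer of data from the event record and parse it as a SID.

    @param data: buffer of data from SidOffset of the event record to
        SidOffset + SidLength.
    @returns: sid string in S-R-I-S... form, with " (name)" appended for a
        well-known SID, the matching self.extrasids entry appended if one
        exists, or nothing appended otherwise.
    """
    bufferas = addrspace.BufferAddressSpace(self._config, data = data)
    sid = obj.Object("_SID", offset = 0, vm = bufferas)
    # IdentifierAuthority is a 6-byte big-endian integer. Fold every byte
    # instead of keeping only the last one so authorities above 255 are
    # rendered correctly (the common 0-5 authorities are unchanged), and a
    # truncated/unreadable SID yields 0 instead of an unbound name.
    id_auth = 0
    for byte in sid.IdentifierAuthority.Value:
        id_auth = (id_auth << 8) | int(byte)
    sid_string = "S-" + "-".join(
        str(i) for i in (sid.Revision, id_auth) + tuple(sid.SubAuthority))
    if sid_string in getsids.well_known_sids:
        sid_name = " ({0})".format(getsids.well_known_sids[sid_string])
    else:
        sid_name_re = getsids.find_sid_re(sid_string, getsids.well_known_sid_re)
        if sid_name_re:
            sid_name = " ({0})".format(sid_name_re)
        else:
            # Caller-supplied names (e.g. resolved from the registry) are the
            # last resort; unknown SIDs get no suffix.
            sid_name = self.extrasids.get(sid_string, "")
    return sid_string + sid_name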
def __init__(self, task=None, sid_string=None, offset=None):
    """Build a SID record for a process.

    @param task: the _EPROCESS the SID belongs to; None leaves
        ``filename`` and ``process_id`` as None.
    @param sid_string: the S-... string; falsy values are stored as ''.
    @param offset: passed to MemObject.__init__; the resulting ``offset``
        field is then removed from ``self.fields``.
    """
    memobj.MemObject.__init__(self, offset)
    import volatility.plugins.getsids as getsids
    sid_name = ''
    if sid_string:
        # Exact well-known table first, then the regex table; the leading
        # space is part of the stored value.
        if sid_string in getsids.well_known_sids:
            sid_name = " {0}".format(getsids.well_known_sids[sid_string])
        else:
            match = getsids.find_sid_re(sid_string, getsids.well_known_sid_re)
            if match:
                sid_name = " {0}".format(match)
    else:
        sid_string = ''
    del self.fields['offset']
    self.fields['filename'] = str(task.ImageFileName) if task else None
    self.fields['process_id'] = str(int(task.UniqueProcessId)) if task else None
    self.fields['sid_string'] = str(sid_string)
    self.fields['sid_name'] = str(sid_name)
def __init__(self, task=None, sid_string=None, offset=None):
    """Build a SID record for a process.

    @param task: the _EPROCESS the SID belongs to; None leaves
        ``filename`` and ``process_id`` as None.
    @param sid_string: the S-... string; falsy values are stored as ''.
    @param offset: passed to MemObject.__init__; the resulting ``offset``
        field is then removed from ``self.fields``.
    """
    memobj.MemObject.__init__(self, offset)
    import volatility.plugins.getsids as getsids
    sid_name = ''
    if sid_string:
        # Exact well-known table first, then the regex table; the leading
        # space is part of the stored value.
        if sid_string in getsids.well_known_sids:
            sid_name = " {0}".format(getsids.well_known_sids[sid_string])
        else:
            match = getsids.find_sid_re(sid_string, getsids.well_known_sid_re)
            if match:
                sid_name = " {0}".format(match)
    else:
        sid_string = ''
    del self.fields['offset']
    self.fields['filename'] = str(task.ImageFileName) if task else None
    self.fields['process_id'] = str(int(task.UniqueProcessId)) if task else None
    self.fields['sid_string'] = str(sid_string)
    self.fields['sid_name'] = str(sid_name)
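def parse_evt_info(self, name, buf):
    """Parse the event records in an .evt log buffer into report lines.

    @param name: path of the .evt file the buffer came from; only its
        basename is written into each line.
    @param buf: raw bytes of the event log.
    @returns: list of newline-terminated lines, one per record, laid out as
        timestamp|file|computer|sid|source|event_id|type|message. Pipes in
        the message are escaped as %7c so the delimiter stays unambiguous.
    """
    ofname = os.path.basename(name.replace('\\', '/'))
    locs = self.get_locs(buf)
    lines = []
    for idx, loc in enumerate(locs):
        if loc == 4:
            # Offset 4 is the log header, not a record; nothing to report.
            continue
        # Each record starts 4 bytes before the offset get_locs() returns.
        rec = buf[loc - 4:]
        bufferas = addrspace.BufferAddressSpace(self._config, data = rec)
        evtlog = obj.Object("evt_record_struct", offset = 0, vm = bufferas)
        if idx == len(locs) - 1:
            raw_data = rec
        else:
            raw_data = buf[loc - 4:(locs[idx + 1] - 1)]

        # The source/computer strings end where the SID begins, or where
        # the message strings begin when the record carries no SID.
        if evtlog.sid_length == 0:
            end = evtlog.string_offset
            sid_string = "N/A"
        else:
            end = evtlog.sid_offset
            sid_string = self._evt_sid_string(
                rec[evtlog.sid_offset:evtlog.sid_offset + evtlog.sid_length])

        source, computer_name = self._evt_source_and_computer(raw_data[56:end])
        msg = self._evt_message(raw_data[evtlog.string_offset:],
                                int(evtlog.num_strings))
        # Unknown event types are reported rather than dropped.
        event_type = event_types.get(int(evtlog.event_type), "UNKNOWN")
        ts = str(self.time_stamp(evtlog.time_written))
        # Log contents are attacker-influenced; keep the field separator
        # unambiguous so a crafted message cannot inject extra columns.
        msg = msg.replace("|", "%7c")
        lines.append('{0}|{1}|{2}|{3}|{4}|{5}|{6}|{7}\n'.format(
            ts, ofname, computer_name, sid_string, source,
            str(evtlog.event_ID), event_type, msg))
    return lines

def _evt_sid_string(self, data):
    """Render a record's SID bytes as S-R-I-S... with a name suffix.

    @param data: the SidLength bytes at SidOffset of the record.
    @returns: the SID string with " (name)" appended for a well-known SID,
        the self.extrasids entry appended if one exists, else no suffix.
    """
    bufferas = addrspace.BufferAddressSpace(self._config, data = data)
    sid = obj.Object("_SID", offset = 0, vm = bufferas)
    # IdentifierAuthority is a 6-byte big-endian integer. Fold every byte
    # instead of keeping only the last one so authorities above 255 are
    # rendered correctly (0-5 are unchanged), and a truncated SID yields 0
    # instead of an unbound name.
    id_auth = 0
    for byte in sid.IdentifierAuthority.Value:
        id_auth = (id_auth << 8) | int(byte)
    sid_string = "S-" + "-".join(
        str(i) for i in (sid.Revision, id_auth) + tuple(sid.SubAuthority))
    if sid_string in getsids.well_known_sids:
        sid_name = " ({0})".format(getsids.well_known_sids[sid_string])
    else:
        match = getsids.find_sid_re(sid_string, getsids.well_known_sid_re)
        if match:
            sid_name = " ({0})".format(match)
        else:
            sid_name = self.extrasids.get(sid_string, "")
    return sid_string + sid_name

def _evt_source_and_computer(self, chunk):
    """Split the record header tail into (source, computer_name).

    The two fields are separated by a double NUL; a field that is missing
    from a truncated record is returned as "" instead of aborting the log.
    """
    parts = chunk.split("\x00\x00")
    source = remove_unprintable(parts[0])
    computer_name = remove_unprintable(parts[1]) if len(parts) > 1 else ""
    return source, computer_name

@staticmethod
def _evt_message(data, num_strings):
    """Join the record's message strings with ';', or "N/A" when none.

    @param data: record bytes from StringOffset onwards.
    @param num_strings: number of strings the record header claims.
    @returns: the joined message; a claimed string that is not actually
        present contributes an empty item.
    """
    if num_strings == 0:
        return "N/A"
    parts = data.split("\x00\x00", num_strings)
    items = [remove_unprintable(parts[pos]) if pos < len(parts) else ""
             for pos in range(num_strings)]
    return ";".join(items)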
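def parse_evt_info(self, name, buf):
    """Parse the event records in an .evt log buffer into report lines.

    @param name: path of the .evt file the buffer came from; only its
        basename is written into each line.
    @param buf: raw bytes of the event log.
    @returns: list of newline-terminated lines, one per record, laid out as
        timestamp|file|computer|sid|source|event_id|type|message. Pipes in
        the message are escaped as %7c so the delimiter stays unambiguous.
    """
    ofname = os.path.basename(name.replace('\\', '/'))
    locs = self.get_locs(buf)
    lines = []
    for idx, loc in enumerate(locs):
        if loc == 4:
            # Offset 4 is the log header, not a record; nothing to report.
            continue
        # Each record starts 4 bytes before the offset get_locs() returns.
        rec = buf[loc - 4:]
        bufferas = addrspace.BufferAddressSpace(self._config, data=rec)
        evtlog = obj.Object("evt_record_struct", offset=0, vm=bufferas)
        if idx == len(locs) - 1:
            raw_data = rec
        else:
            raw_data = buf[loc - 4:(locs[idx + 1] - 1)]

        # The source/computer strings end where the SID begins, or where
        # the message strings begin when the record carries no SID.
        if evtlog.sid_length == 0:
            end = evtlog.string_offset
            sid_string = "N/A"
        else:
            end = evtlog.sid_offset
            sid_string = self._evt_sid_string(
                rec[evtlog.sid_offset:evtlog.sid_offset + evtlog.sid_length])

        source, computer_name = self._evt_source_and_computer(raw_data[56:end])
        msg = self._evt_message(raw_data[evtlog.string_offset:],
                                int(evtlog.num_strings))
        # Unknown event types are reported rather than dropped.
        event_type = event_types.get(int(evtlog.event_type), "UNKNOWN")
        ts = str(self.time_stamp(evtlog.time_written))
        # Log contents are attacker-influenced; keep the field separator
        # unambiguous so a crafted message cannot inject extra columns.
        msg = msg.replace("|", "%7c")
        lines.append('{0}|{1}|{2}|{3}|{4}|{5}|{6}|{7}\n'.format(
            ts, ofname, computer_name, sid_string, source,
            str(evtlog.event_ID), event_type, msg))
    return lines

def _evt_sid_string(self, data):
    """Render a record's SID bytes as S-R-I-S... with a name suffix.

    @param data: the SidLength bytes at SidOffset of the record.
    @returns: the SID string with " (name)" appended for a well-known SID,
        the self.extrasids entry appended if one exists, else no suffix.
    """
    bufferas = addrspace.BufferAddressSpace(self._config, data=data)
    sid = obj.Object("_SID", offset=0, vm=bufferas)
    # IdentifierAuthority is a 6-byte big-endian integer. Fold every byte
    # instead of keeping only the last one so authorities above 255 are
    # rendered correctly (0-5 are unchanged), and a truncated SID yields 0
    # instead of an unbound name.
    id_auth = 0
    for byte in sid.IdentifierAuthority.Value:
        id_auth = (id_auth << 8) | int(byte)
    sid_string = "S-" + "-".join(
        str(i) for i in (sid.Revision, id_auth) + tuple(sid.SubAuthority))
    if sid_string in getsids.well_known_sids:
        sid_name = " ({0})".format(getsids.well_known_sids[sid_string])
    else:
        match = getsids.find_sid_re(sid_string, getsids.well_known_sid_re)
        if match:
            sid_name = " ({0})".format(match)
        else:
            sid_name = self.extrasids.get(sid_string, "")
    return sid_string + sid_name

def _evt_source_and_computer(self, chunk):
    """Split the record header tail into (source, computer_name).

    The two fields are separated by a double NUL; a field that is missing
    from a truncated record is returned as "" instead of aborting the log.
    """
    parts = chunk.split("\x00\x00")
    source = remove_unprintable(parts[0])
    computer_name = remove_unprintable(parts[1]) if len(parts) > 1 else ""
    return source, computer_name

@staticmethod
def _evt_message(data, num_strings):
    """Join the record's message strings with ';', or "N/A" when none.

    @param data: record bytes from StringOffset onwards.
    @param num_strings: number of strings the record header claims.
    @returns: the joined message; a claimed string that is not actually
        present contributes an empty item.
    """
    if num_strings == 0:
        return "N/A"
    parts = data.split("\x00\x00", num_strings)
    items = [remove_unprintable(parts[pos]) if pos < len(parts) else ""
             for pos in range(num_strings)]
    return ";".join(items)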