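def getSockets(config, kernel_addr_space):
    """Collect open sockets from the memory image, grouped by owning process.

    Runs Volatility's ``netscan`` plugin and builds one
    ``datastructs.Open_Sockets_ListType`` per PID, adding a ``Socket`` record
    (resultitemtype 16) for every connection the scanner yields.

    Args:
        config: Volatility configuration handed to ``netscan.Netscan``.
        kernel_addr_space: accepted for call compatibility; not used here.

    Returns:
        dict mapping PID (int) -> Open_Sockets_ListType with whatever was
        collected.  Errors are logged, never raised: a failure while reading
        one connection skips only that connection, a failure of the scanner
        itself ends collection with the partial result.
    """
    sockets = {}
    try:
        for net_object, protocol, laddr, lport, raddr, rport, state in netscan.Netscan(config).calculate():
            try:
                owner = net_object.Owner.dereference_as('_EPROCESS')
                pid = int(owner.UniqueProcessId)

                # One socket list per process, created on first sight of the PID.
                socket_list = sockets.get(pid)
                if socket_list is None:
                    socket_list = datastructs.Open_Sockets_ListType()
                    sockets[pid] = socket_list
                socketObj = socket_list.Socket.add(resultitemtype=16)

                # netscan may yield a non-numeric placeholder string instead of
                # a port number; record 0 rather than failing on int().
                socketObj.Port = 0 if isinstance(lport, str) else int(lport)
                socketObj.RemotePort = 0 if isinstance(rport, str) else int(rport)
                socketObj.LocalAddress = utils._utf8_encode(laddr or "")
                # Same "" fallback as LocalAddress for an absent remote address.
                socketObj.RemoteAddress = utils._utf8_encode(raddr or "")
                socketObj.Proto = utils._utf8_encode(protocol)
                socketObj.State = 0
                socketObj.RealState = _convert_socket_state(state)
                # Process name and image path are read from the image and are
                # therefore untrusted; they are only passed through _utf8_encode.
                socketObj.ProcessName = utils._utf8_encode(owner.ImageFileName)
                socketObj.Path = utils._utf8_encode(owner.Peb.ProcessParameters.ImagePathName or "")
                socketObj.FromMemory = ""
                socketObj.PID = pid
            except Exception as e:
                # An unreadable owner/PEB (e.g. a terminated or partially
                # overwritten process) must not discard every later socket.
                logging.exception(e)
    except Exception as e:
        logging.exception(e)
    return sockets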
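def getSocketsForWindowsXP(config, address_space):
    """Collect sockets from a Windows XP image, grouped by owning process.

    Connections come from Volatility's ``connscan`` (recorded with
    RealState ESTABLISHED) and listening endpoints from ``socketsref.Sockets``
    (recorded with RealState LISTENING).  Each PID gets one
    ``datastructs.Open_Sockets_ListType`` holding ``Socket`` records
    (resultitemtype 16).

    Args:
        config: Volatility configuration handed to both scanners.
        address_space: accepted for call compatibility; not used here.

    Returns:
        dict mapping PID (int) -> Open_Sockets_ListType with whatever was
        collected.  Errors are logged, never raised: a failure on one object
        skips only that object, a failure of a scanner ends collection with
        the partial result.
    """
    sockets = {}

    def socket_record(pid):
        # One socket list per process, created on first sight of the PID.
        socket_list = sockets.get(pid)
        if socket_list is None:
            socket_list = datastructs.Open_Sockets_ListType()
            sockets[pid] = socket_list
        return socket_list.Socket.add(resultitemtype=16)

    try:
        for tcp_obj in connscan.ConnScan(config).calculate():
            try:
                pid = int(tcp_obj.Pid)
                socketObj = socket_record(pid)
                # A non-numeric placeholder string for a port is recorded as 0
                # rather than failing on int().
                socketObj.Port = 0 if isinstance(tcp_obj.LocalPort, str) else int(tcp_obj.LocalPort)
                socketObj.RemotePort = 0 if isinstance(tcp_obj.RemotePort, str) else int(tcp_obj.RemotePort)
                socketObj.LocalAddress = utils._utf8_encode(tcp_obj.LocalIpAddress)
                socketObj.RemoteAddress = utils._utf8_encode(tcp_obj.RemoteIpAddress)
                # Proto is not set for connscan entries; the earlier set_Proto
                # call was commented out, presumably because tcp_obj carries
                # no Protocol field -- confirm against connscan.
                socketObj.State = 0
                socketObj.RealState = _convert_socket_state("ESTABLISHED")
                socketObj.FromMemory = ""
                socketObj.PID = pid
            except Exception as e:
                # One unreadable connection must not discard every later one.
                logging.exception(e)

        for sock in socketsref.Sockets(config).calculate():
            try:
                pid = int(sock.Pid)
                socketObj = socket_record(pid)
                socketObj.LocalAddress = utils._utf8_encode(sock.LocalIpAddress)
                socketObj.FromMemory = ""
                socketObj.PID = pid
                socketObj.State = 0
                socketObj.RealState = _convert_socket_state("LISTENING")
                # Bug fix: the type check used to read tcp_obj.LocalPort (the
                # leftover loop variable of the connscan loop) instead of
                # sock.LocalPort, so it tested the wrong object and raised a
                # NameError when connscan yielded nothing.
                socketObj.Port = 0 if isinstance(sock.LocalPort, str) else int(sock.LocalPort)
                socketObj.Proto = utils._utf8_encode(sock.Protocol)
            except Exception as e:
                # One unreadable socket object must not discard every later one.
                logging.exception(e)
    except Exception as e:
        logging.exception(e)
    return sockets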
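def execute(self, config):
    """Write the kernel modules loaded in the image to ``modules.xml``.

    Runs Volatility's ``Modules`` plugin and serialises each module as a
    ``Module`` record (resultitemtype 13) via ``proto2xml``.

    Args:
        config: Volatility configuration.  ``OUTPUT_PATH`` is used as a plain
            string prefix of the file name (no path join), so it is expected
            to end with a separator -- NOTE(review): confirm with callers.
    """
    loaded_modules = krnlModules.Modules(config).calculate()
    moduleObjList = datastructs.rootType()
    for module in loaded_modules:
        moduleObj = moduleObjList.Module.add(resultitemtype=13)
        # Names and paths are read from the image and are untrusted; they are
        # passed through _utf8_encode before serialisation.
        moduleObj.Name = utils._utf8_encode(module.BaseDllName)
        moduleObj.Path = utils._utf8_encode(module.FullDllName)
        moduleObj.Address = long(module.DllBase.v())
        # This is always 2 in my reference xml from a MemoryAnalysis job.
        # I don't know if that is a mistake, but that doesn't seem useful.
        moduleObj.EntryPoint = long(module.EntryPoint.v())
        moduleObj.Size = int(module.SizeOfImage)
    # The context manager flushes and closes the handle even when
    # serialisation raises, instead of leaving it to the garbage collector.
    with open(config.OUTPUT_PATH + "modules.xml", "w") as out_file:
        out_file.write(proto2xml(moduleObjList, indent=0))
    logging.debug("Completed calculating the kernel modules")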
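def execute(self, config):
    """Write the kernel modules loaded in the image to ``modules.xml``.

    Runs Volatility's ``Modules`` plugin and serialises each module as a
    ``Module`` record (resultitemtype 13) via ``proto2xml``.

    Args:
        config: Volatility configuration.  ``OUTPUT_PATH`` is used as a plain
            string prefix of the file name (no path join), so it is expected
            to end with a separator -- NOTE(review): confirm with callers.
    """
    moduleObjList = datastructs.rootType()
    for module in krnlModules.Modules(config).calculate():
        moduleObj = moduleObjList.Module.add(resultitemtype=13)
        # Names and paths are read from the image and are untrusted; they are
        # passed through _utf8_encode before serialisation.
        moduleObj.Name = utils._utf8_encode(module.BaseDllName)
        moduleObj.Path = utils._utf8_encode(module.FullDllName)
        moduleObj.Address = long(module.DllBase.v())
        # This is always 2 in my reference xml from a MemoryAnalysis job.
        # I don't know if that is a mistake, but that doesn't seem useful.
        moduleObj.EntryPoint = long(module.EntryPoint.v())
        moduleObj.Size = int(module.SizeOfImage)
    output_name = config.OUTPUT_PATH + "modules.xml"
    # The context manager flushes and closes the handle even when
    # serialisation raises, instead of leaving it to the garbage collector.
    with open(output_name, "w") as out_file:
        out_file.write(proto2xml(moduleObjList, indent=0))
    logging.debug("Completed calculating the kernel modules")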
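def execute(self, options, config):
    """Report loaded kernel modules whose image file is not found on disk.

    Runs Volatility's ``Modules`` plugin, expands each module's path with
    ``ExpandPath`` and records every module whose expanded path fails
    ``os.path.exists`` as a ``FloatingDriver``.  The result is written as XML
    through ``FileOutputClass`` under ``config.OUTPUT_PATH`` with this
    class's ``operation_name``.

    Args:
        options: unused; kept for call compatibility.
        config: Volatility configuration providing ``OUTPUT_PATH``.

    Note:
        ``os.path.exists`` is evaluated on the host running this code, so the
        "missing on disk" result is only meaningful when the imaged system's
        volumes are reachable from that host -- NOTE(review): confirm how the
        callers arrange this before trusting the report.
    """
    with UpdateCounterForScope('ADFloatingDriver'):
        output = FileOutputClass(config.OUTPUT_PATH, type(self).operation_name)
        if not output.Open():
            return
        try:
            floatingDrivers = datastructs.rootType()
            for module in modules.Modules(config).calculate():
                # Both strings are read from the image and are untrusted.
                driverName = utils._utf8_encode(module.BaseDllName)
                driverPath = utils._utf8_encode(module.FullDllName)
                driverFullPath = ExpandPath(driverPath)
                if os.path.exists(driverFullPath):
                    continue
                driver = floatingDrivers.FloatingDriver.add()
                driver.Name = driverName
                driver.Path = driverFullPath
            output.File.write(proto2xml(floatingDrivers, indent=0))
        finally:
            # Close the report even if enumeration or serialisation raises,
            # so a half-written file is not left open.
            output.Close()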
def getregistrykeyobject(self, reg, key, regObjList):
    """Append *key* to *regObjList* as a RegistryKey record and return it.

    The record (resultitemtype 19) carries the key name, a Path derived from
    *reg*, the volatile flag from ``self.voltext`` and, when the key has
    values, a ``Values`` list of RegistryValue records (resultitemtype 21).
    Reading a value's data is best effort: a failure is stored in that
    value's ``Value`` field as ``"EXCEPTION: <error>"`` instead of raised.

    Args:
        reg: path string of the key as built by the caller.  When it contains
            '/', Path becomes a leading backslash plus the part before the
            last '/' with '/' turned into '\\'; otherwise Path is *reg*
            itself.
        key: registry key object from ``rawreg``.
        regObjList: container whose ``RegistryKey`` list receives the record.

    Returns:
        The RegistryKey record that was added.
    """
    keyObj = regObjList.RegistryKey.add(resultitemtype=19)
    keyObj.Name = utils._utf8_encode(key.Name)

    slash_pos = reg.rfind("/")
    if slash_pos < 0:
        keyPath = reg
    else:
        keyPath = "\\" + reg[:slash_pos].replace("/", "\\")
    keyObj.Path = utils._utf8_encode(keyPath)
    keyObj.Volatile = self.voltext(key)

    key_values = rawreg.values(key)
    if key_values is not None and len(key_values):
        valueList = keyObj.Values
        valueList.Count = len(key_values)
        for value in key_values:
            valueObj = valueList.RegistryValue.add(resultitemtype=21)
            valueObj.Name = utils._utf8_encode(value.Name)
            valueObj.Type = value.Type.v() or 0
            try:
                valueObj.Value = self._get_raw_registry_data2(value)
            except Exception as e:
                # Best effort: keep the key and the other values, record
                # the failure in place of the data.
                valueObj.Value = "EXCEPTION: " + str(e)
    return keyObj
def getregistrykeyobject(self, reg, key, regObjList):
    """Record *key* as a RegistryKey entry of *regObjList* and return it.

    The entry (resultitemtype 19) holds the key name, a Path derived from
    *reg*, the volatile flag from ``self.voltext`` and, when the key has
    values, a ``Values`` list of RegistryValue entries (resultitemtype 21).
    Value data is read best effort: a failure is written into that value's
    ``Value`` field as ``"EXCEPTION: <error>"`` instead of propagating.

    Args:
        reg: path string of the key as built by the caller.  If it contains
            '/', Path is a leading backslash plus everything before the last
            '/' with '/' replaced by '\\'; otherwise Path is *reg* itself.
        key: registry key object from ``rawreg``.
        regObjList: container whose ``RegistryKey`` list receives the entry.

    Returns:
        The RegistryKey entry that was added.
    """
    entry = regObjList.RegistryKey.add(resultitemtype=19)
    entry.Name = utils._utf8_encode(key.Name)

    cut = reg.rfind("/")
    parent = reg if cut < 0 else "\\" + reg[:cut].replace("/", "\\")
    entry.Path = utils._utf8_encode(parent)
    entry.Volatile = self.voltext(key)

    found = rawreg.values(key)
    if found is not None and len(found):
        container = entry.Values
        container.Count = len(found)
        for item in found:
            valueEntry = container.RegistryValue.add(resultitemtype=21)
            valueEntry.Name = utils._utf8_encode(item.Name)
            valueEntry.Type = item.Type.v() or 0
            try:
                valueEntry.Value = self._get_raw_registry_data2(item)
            except Exception as e:
                # Best effort: the failure replaces the data, the rest of
                # the key is still recorded.
                valueEntry.Value = "EXCEPTION: " + str(e)
    return entry
def LoadSubKeys(self, reg, key, regObjectList):
    """Recursively record every subkey of *key* into *regObjectList*.

    Walks ``rawreg.subkeys(key)`` depth first: each subkey's path is *reg*
    followed by a backslash and the subkey name, the subkey is recorded with
    ``getregistrykeyobject`` and then its own subkeys are descended.

    Args:
        reg: path string of *key*, used as the prefix for subkey paths.
        key: registry key object from ``rawreg``.
        regObjectList: container passed through to ``getregistrykeyobject``.
    """
    # Recursion depth follows hive depth; nothing here guards against a
    # corrupted or cyclic hive exhausting the interpreter's recursion limit
    # -- NOTE(review): confirm rawreg.subkeys cannot loop on damaged images.
    for subkey in rawreg.subkeys(key):
        subkey_path = "\\".join((reg, utils._utf8_encode(subkey.Name)))
        self.getregistrykeyobject(subkey_path, subkey, regObjectList)
        self.LoadSubKeys(subkey_path, subkey, regObjectList)
def LoadSubKeys(self, reg, key, regObjectList):
    """Depth-first walk of the subkeys of *key*, recording each one.

    For every subkey returned by ``rawreg.subkeys(key)`` the path
    ``reg + '\\' + name`` is built, the subkey is recorded through
    ``getregistrykeyobject`` and the walk continues below it.

    Args:
        reg: path string of *key*, used as the prefix for subkey paths.
        key: registry key object from ``rawreg``.
        regObjectList: container passed through to ``getregistrykeyobject``.
    """
    # Depth of recursion equals depth of the hive; a damaged or cyclic hive
    # could hit the interpreter's recursion limit -- NOTE(review): confirm
    # rawreg.subkeys terminates on corrupted images.
    for child in rawreg.subkeys(key):
        child_name = utils._utf8_encode(child.Name)
        child_path = reg + '\\' + child_name
        self.getregistrykeyobject(child_path, child, regObjectList)
        self.LoadSubKeys(child_path, child, regObjectList)