def display(self, row): self.setCurrentCell(row, 0) node_ptr = self.item(row, 4).text() index = int(self.item(row, 5).text()) processus_manager = ModuleProcessusManager() evt = processus_manager.get('evt') record = evt.evts[long(node_ptr)][index] self.label1.setText("Date : " + record.getTimeGenerated()) self.label2.setText("Source : " + record.sourceName()) self.lab_icon.setPixmap( QPixmap(record.getIcon()).scaled(32, 32, Qt.KeepAspectRatio)) self.label3.setText("Type : " + record.getSingleType()) self.label4.setText("Category : " + str(record.EventCategory)) self.label5.setText("EventId : " + str(record.EventID)) self.label6.setText("Computer : " + record.computerName()) self.log_strings.setPlainText('') for log in record.getStrings(): if log is not None: self.log_strings.setPlainText(self.log_strings.toPlainText() + log + "\n") self.hideOrDipsButton()
def __init__(self, database, parent=None): super(SqliteTablesWidget, self).__init__(parent) self.setColumnCount(2) self.setHorizontalHeaderLabels(["Table", "Number of rows"]) self.verticalHeader().setVisible(False) self.setSelectionBehavior(QtGui.QAbstractItemView.SelectRows) self.setShowGrid(False) self.setSortingEnabled(True) sqlitedriver = ModuleProcessusManager().get('SqliteDB') query = 'SELECT tbl_name FROM sqlite_master where type="table";' tables = sqlitedriver.executeFrom(database, query) if tables is not None: idx = self.rowCount() for table in tables: self.setRowCount(idx + 1) query = "select count(*) from {}".format(table[0]) counter = sqlitedriver.executeFrom(database, query) count = 0 if counter: data = counter.fetchone() if data is not None and len(data) > 0: count = data[0] nameItem = QtGui.QTableWidgetItem() nameItem.setText(QtCore.QString.fromUtf8(table[0])) countItem = SqliteTablesCountItem(count) self.setItem(idx, 0, nameItem) self.setItem(idx, 1, countItem) idx += 1 self.resizeColumnsToContents()
def g_display(self): QWidget.__init__(self) self.evtWidget = None self.evtxWidget = None layout = QHBoxLayout(self) layout.setSpacing(0) layout.setContentsMargins(0, 0, 0, 0) widget = QTabWidget() layout.addWidget(widget) processus_manager = ModuleProcessusManager() evtx = processus_manager.get('evtx') evt = processus_manager.get('evt') try: self.evtxWidgets = evtx.getall('/') if self.evtxWidgets: if self.evtxWidgets.list_widget.count(): widget.addTab(self.evtxWidgets, "Events logs (.evtx)") except Exception as e: pass try: self.evtWidgets = evt.getAllEvtFiles('/') if self.evtWidgets.evtFileListWidget.count(): widget.addTab(self.evtWidgets, "Events logs (.evt)") except Exception as e: pass
def createRegMap(self): processusManager = ModuleProcessusManager() regm = processusManager.get('winreg') if len(regm.registry) > 0: self.hives = regm.registry self.manager = regm for key, values in self.hives.iteritems(): try: h = key.getHive() iterator = h.iterator rtype, sourcenode = values rtype = self.RegType(sourcenode) if rtype != None: try: machine = self.regmap[sourcenode.fsobj().uid()] except: machine = self.regmap[sourcenode.fsobj().uid()] = {} try: regsource = machine[rtype] except: regsource = machine[rtype] = [] regsource.append(key) del(h) except: del(h) pass return True else: return False return False
def createRegMap(self): processusManager = ModuleProcessusManager() regm = processusManager.get('winreg') if len(regm.registry) > 0: self.__columnCount = 1 self.hives = regm.registry self.manager = regm for key, values in self.hives.iteritems(): try: h = key.getHive() iterator = h.iterator rtype, sourcenode = values rtype = self.RegType(sourcenode) if rtype != None: try: machine = self.regmap[sourcenode.fsobj().uid()] except: machine = self.regmap[ sourcenode.fsobj().uid()] = {} try: regsource = machine[rtype] except: regsource = machine[rtype] = [] regsource.append(key) del (h) except: del (h) pass return True else: return False return False
def __init__(self, arguments): UI.__init__(self, arguments) self.taskManager = TaskManager() self.reportManager = ReportManager() self.registryManager = ModuleProcessusManager().get("winreg") self.evtxManager = ModuleProcessusManager().get("evtx") self.sqliteManager = ModuleProcessusManager().get('SqliteDB') self.root = vfs().getnode("/")
def getXML(self, chunk, offset, node=None): processus_manager = ModuleProcessusManager() evtx = processus_manager.get('evtx') if node is not None: self.node = node return evtx.getxml(chunk, offset, node)
def itemRecord(self, row): node_ptr = self.item(row, 4).text() index = int(self.item(row, 5).text()) processus_manager = ModuleProcessusManager() evt = processus_manager.get('evt') record = evt.evts[long(node_ptr)][index] return record
def __init__(self, config={}): processusManager = ModuleProcessusManager() self._registry = processusManager.get('winreg') self._sqlite = processusManager.get('SqliteDB') self._msiecf = processusManager.get('msiecf') self._config = config self._name = "" self.__log = ""
def start(self, args): try: self.root = args["root"].value() except IndexError: self.root = self.vfs.getnode( "/") #NOT USED ! XXX check base path for multi-dump try: self.bruteForce = args["bruteforce"].value() except IndexError: self.bruteForce = False self.containers = {} self.dbbManager = ModuleProcessusManager().get("DBB") self.sqliteManager = ModuleProcessusManager().get("SqliteDB") for dbbProc, node in self.dbbManager.processus().iteritems(): directoryList = node.absolute().split('/') containerName = directoryList[-2] try: self.containers[containerName].add(dbbProc.dbb) except KeyError: self.containers[containerName] = SkypeContainers(node) try: self.containers[containerName].add(dbbProc.dbb) except: pass except: pass for db, node in self.sqliteManager.processus().iteritems(): containerName = None directoryList = node.absolute().split('/') if (directoryList[-3].lower() == 'skype' or directoryList[-3].lower() == '.skype') and directoryList[-1].lower() == 'main.db': containerName = directoryList[-2] if self.bruteForce: containerName = directoryList[-1] if containerName: skypeSqlite = SkypeSqlite(db) for factory in SkypeSqlite.factories: try: self.containers[containerName].add( skypeSqlite.records(factory)) except KeyError: self.containers[containerName] = SkypeContainers(node) try: self.containers[containerName].add( skypeSqlite.records(factory)) except: pass except: pass for name, container in self.containers.iteritems(): container.correlate() self.report()
def dispEventType(self, index): if index == 0: processus_manager = ModuleProcessusManager() evtx = processus_manager.get('evtx') chunks = evtx.data(self.node.uid()) self.display(chunks, self.node) else: self.evtx_table_view.clearContents() self.evtx_table_view.setRowCount(0) event_list = self.evtx_parser.getEventBylevel(index - 1) self.display_chunk(event_list)
def __init__(self, root=None): self._compatible_browsers = [ InternetBrowsers.FIREFOX, InternetBrowsers.CHROME, InternetBrowsers.OPERA, InternetBrowsers.IE ] self.__log = [] processusManager = ModuleProcessusManager() self._registry = processusManager.get('winreg') self._browsers = [] self.__log.append("Trying to find browsers databases") self.__firefox = Firefox(None) self.__chrome = Chrome(None) self.__opera = Opera(None) self.__ie = InternetExplorer(None) self.__browsersInstalledVersion() if self.__firefox.relevantDatabasesFound(): self.__log.append( "\t[OK] Firefox databases found -- installed version: " + self.__firefox.version()) self._browsers.append(self.__firefox) elif self.__firefox.version() != "N/A": self.__log.append( "\t[NOK] Firefox databases not found but is installed -- version: " + self.__firefox.version()) if self.__chrome.relevantDatabasesFound(): self.__log.append( "\t[OK] Chrome databases found -- installed version: " + self.__chrome.version()) self._browsers.append(self.__chrome) elif self.__chrome.version() != "N/A": self.__log.append( "\t[NOK] Chrome databases not found but is installed -- version: " + self.__chrome.version()) if len(self.__opera.history()): self.__log.append( "\t[OK] Opera databases found -- installed version: " + self.__opera.version()) self._browsers.append(self.__opera) elif self.__firefox.version() != "N/A": self.__log.append( "\t[NOK] Opera databases not found but is installed -- version: " + self.__opera.version()) if len(self.__ie.history()): self.__log.append( "\t[OK] Internet Explorer databases found -- installed version: " + self.__ie.version()) self._browsers.append(self.__ie) elif self.__firefox.version() != "N/A": self.__log.append( "\t[NOK] Internet Explorer databases not found but is installed -- version: " + self.__ie.version())
def g_display(self): QWidget.__init__(self) self.layout = QVBoxLayout(self) processus_manager = ModuleProcessusManager() evtx = processus_manager.get('evtx') if not self.preview: self.viewer = EventLogViewer(self.node, evtx.data(self.node.uid())) self.layout.addWidget(self.viewer) self.name = self.node.name() self.viewer.display(evtx.data(self.node.uid()), self.node) else: self.build_preview()
def process(self, root=None): self.registryManager = ModuleProcessusManager().get("winreg") if root != None: self.root = root self.registryManager = ModuleProcessusManager().get("winreg") self.windowsVersions = WindowsVersions() self.computerNames = ComputerNames() self.timeZones = TimeZones() self.shutdownTimes = ShutdownTimes() self.version() self.computer() self.timeZone() self.shutdownTime()
def process(self, root=None): if root != None: self.root = root else: root = self.root self.registryManager = ModuleProcessusManager().get("winreg") self.networkInterfaces = NetworkInterfaces() self.wlanConfigs = WlanConfigs() self.networkList = NetworkList() self.interfaces() self.cards() self.wlan() self.network() self.signatures()
def start(self, args): try: self.preview = args['preview'].value() except IndexError: self.preview = False try: self.node = args['file'].value() except (KeyError, Exception): print "No input file provided. Exiting." t = EVT() t.start(args) processus_manager = ModuleProcessusManager() evt = processus_manager.get('evt') evt.update(t)
def dispAdminEvents(self, checked): self.evtx_table_view.clearContents() if self.display_mode == 0: error_list = self.evtx_parser.getEventBylevel(2) self.admin_pannel.admin_events.setText("All events") tmp_list = self.evtx_parser.getEventBylevel(3) error_list.extend(tmp_list) self.display_mode = 1 self.display_chunk(error_list) elif self.display_mode == 1: self.admin_pannel.admin_events.setText("Admin. events") self.display_mode = 0 processus_manager = ModuleProcessusManager() evtx = processus_manager.get('evtx') chunks = evtx.data(self.node.uid()) self.display(chunks, self.node)
def process(self, root=None): self.registryManager = ModuleProcessusManager().get("winreg") if root != None: self.root = root self.devices = DevicesReg() self.mountedDevices = MountedDevices() self.volumes = Volumes() self.currentControlSet() self.enums('USBSTOR') self.enums('USBPRINT') self.enums('USB') self.enums('IDE') self.storage() self.mounted() self.mountPoints() self.correlate()
def launch(self, args): self.state = "Running" self.lock.acquire() self.launchCount += 1 self.timestart = time.time() self.timeend = 0 self.lock.release() try: self.args = args self.start(args) ModuleProcessusManager().update(self) try: if "gui" in self.exec_flags: if "gui" in self.mod.flags: for func in sched.event_func["add_qwidget"]: func(self) if "console" in self.exec_flags: if "console" in self.mod.flags: self.c_display() except AttributeError: pass except: error = sys.exc_info() self.error(error) self.setState() self.event.set() if not "thread" in self.exec_flags: self.result()
def fill_log_viewer(self, item): ptr = item.data(QListWidgetItem.UserType) node = VFS.Get().getNodeById(ptr.toULongLong()[0]) processus_manager = ModuleProcessusManager() evtx = processus_manager.get('evtx') self.node = node self.evtx_parser.chunks = evtx.data(ptr.toULongLong()[0]) self.evtx_parser.node = node self.admin_pannel.cb = self.admin_pannel.initId( evtx.data(ptr.toULongLong()[0]), 'id') self.admin_pannel.cbs = self.admin_pannel.initId( evtx.data(ptr.toULongLong()[0]), 'source') self.display(evtx.data(ptr.toULongLong()[0]), node)
def populate(self, database, query): self.clear() self.setColumnCount(0) self.setRowCount(0) sqlitedriver = ModuleProcessusManager().get('SqliteDB') try: rows = sqlitedriver.executeFrom(database, query) except apsw.Error: return try: descriptions = rows.getdescription() # if there's no row, this exception is thrown except apsw.ExecutionCompleteError: return header = [] for description in descriptions: header.append(description[0]) self.setColumnCount(len(header)) self.setHorizontalHeaderLabels(header) for idx in xrange(0, len(header)): self.horizontalHeaderItem(idx).setTextAlignment( QtCore.Qt.AlignLeft) finished = False idx = 0 # we use next to be able to continue if there's an error while getting # one row. while not finished: try: row = rows.next() self.setRowCount(idx + 1) for column, data in enumerate(row): if self.__isDate(descriptions[column][0]): item = SqliteRowItemWidget(data, descriptions[column][1], True) else: item = SqliteRowItemWidget(data, descriptions[column][1]) self.setItem(idx, column, item) idx += 1 except StopIteration: finished = True except apsw.Error: continue self.resizeColumnsToContents()
def start(self, args): try: self.root = args["root"].value() except IndexError: self.root = self.vfs.getnode('/') self.registryManager = ModuleProcessusManager().get("winreg") self.uninstalls = Uninstalls() self.MSIs = MSIs() self.ARPCaches = ARPCaches() self.autoRuns = AutoRuns() self.uninstalled() self.msi() self.arpcache() self.runs() self.report()
def g_display(self): QWidget.__init__(self) layout = QHBoxLayout(self) splitter = QSplitter() layout.addWidget(splitter) splitter.setOrientation(Qt.Horizontal) if self.node is not None: processus_manager = ModuleProcessusManager() evt = processus_manager.get('evt') if not self.preview: self.evtWidget = evt.getAllEvtFiles() if self.evtWidget: splitter.addWidget(self.evtWidget) splitter.setStretchFactor(1, 2) else: self.evtWidget = evt.previewWidget(long(self.node.this)) if self.evtWidget: splitter.addWidget(self.evtWidget)
def getEventByParam(self, param, value): if self.node is None: return [] tmp_list = [] nb_chunk = 0 processus_manager = ModuleProcessusManager() evtx = processus_manager.get('evtx') chunks = evtx.data(self.node.uid()) for chunk in chunks: events = chunk.events() tmp_map = {} for event in events: if events[event][param] == value: tmp_map[event] = events[event] tmp_map[event]['chunk_nb'] = nb_chunk tmp_list.append(tmp_map) nb_chunk += 1 return tmp_list
def process(self, root=None): if root != None: root = root else: root = self.root self.__accounts = Account() self.registryManager = ModuleProcessusManager().get("winreg") regKeys = self.registryManager.getKeys( {'HKLM\SAM\SAM\Domains\Account\Users\*': { "values": "*" }}, root) regSplit = regKeys.split() for node, keys in regSplit.iteritems(): for key in keys: V = None F = None for value in key.values(): if value.name == 'V': V = value.data() if value.name == 'F': F = value.data() if V and F: self.__accounts.addUser(node, User(V, F)) groupKeys = self.registryManager.getKeys(GroupC.RegistryKeyPath, root) groupSplit = groupKeys.split() for node, keys in groupSplit.iteritems(): for key in keys: for value in key.values(): if value.name == 'C': self.__accounts.addGroup(node, GroupC(value.data())) accountDBKeys = self.registryManager.getKeys( AccountDBF.RegistryKeyPath, root) accountDBKeysSplit = accountDBKeys.split() for node, keys in accountDBKeysSplit.iteritems(): for key in keys: for value in key.values(): if value.name == 'F': self.__accounts.addDB(node, AccountDBF(value.data()))
def getEventsBetween(self, date_begin, date_end): processus_manager = ModuleProcessusManager() evtx = processus_manager.get('evtx') chunks = evtx.data(self.node.uid()) try: date_begin_t = date_begin if type(date_begin) is StringType: date_begin_t = datetime.strptime(date_begin, "%Y-%m-%dT%H:%M:%S") else: date_begin_t = datetime.fromtimestamp(date_begin) date_end_t = date_end if type(date_end) is StringType: date_end_t = datetime.strptime(date_end, "%Y-%m-%dT%H:%M:%S") else: date_end_t = datetime.fromtimestamp(date_end) tmp_list = [] count = 0 chunk_nb = 0 for chunk in chunks: events = chunk.events() tmp_map = {} for event in events: event_date = datetime.strptime(events[event]['date'], "%Y-%m-%dT%H:%M:%S") if event_date >= date_begin_t and event_date <= date_end_t: tmp_map[event] = events[event] tmp_map[event]['chunk_nb'] = chunk_nb #self.getXML(count, event) count += 1 tmp_list.append(tmp_map) chunk_nb += 1 return tmp_list except ValueError: print "One of the date you are trying to use is invalid." return []
__dff_module_testapsw_version__ = "1.0.0" import apsw from struct import unpack from dff.api.module.module import Module from dff.api.module.script import Script from dff.api.types.libtypes import Variant, VList, VMap, Argument, Parameter, typeId from dff.api.apswvfs import apswvfs from dff.api.module.manager import ModuleProcessusManager from dff.modules.databases.sqlite.sqlitemanager import SqliteManager ModuleProcessusManager().register(SqliteManager('SqliteDB')) class SqliteDB(Script): def __init__(self): Script.__init__(self, "SqliteDB") self.name = "SqliteDB" def start(self, args): self.node = args["file"].value() avfs = apswvfs.apswVFS() self.db = apsw.Connection(self.node.absolute(), vfs=avfs.vfsname) def execute(self, cmd): c = self.db.cursor() c.execute("PRAGMA locking_mode=EXCLUSIVE;")
# __dff_module_msiecf_version__ = "1.0.0" import re from dff.api.vfs.vfs import vfs from dff.api.vfs.libvfs import mfso from dff.api.module.module import Module from dff.api.types.libtypes import Argument, typeId from dff.api.module.manager import ModuleProcessusManager from dff.modules.msiecf.msiecf_index import * from msiecfmanager import MsiecfManager ModuleProcessusManager().register(MsiecfManager('msiecf')) class MSIECF(mfso): def __init__(self): mfso.__init__(self, "msiecf") self.vfs = vfs() self.name = "msiecf" self.__disown__() def start(self, args): try: self.node = args['file'].value() if args.has_key("verbose"): verbose = True else:
class Network(Script): def __init__(self): Script.__init__(self, "Network") def start(self, args): try: self.root = args["root"].value() except IndexError: self.root = self.vfs.getnode("/") self.process() self.report() def process(self, root=None): if root != None: self.root = root else: root = self.root self.registryManager = ModuleProcessusManager().get("winreg") self.networkInterfaces = NetworkInterfaces() self.wlanConfigs = WlanConfigs() self.networkList = NetworkList() self.interfaces() self.cards() self.wlan() self.network() self.signatures() def interfaces(self): regKeys = self.registryManager.getKeys( { 'HKLM\SYSTEM\ControlSet*\Services\Tcpip\Parameters\Interfaces\*': [''] }, self.root) regSplit = regKeys.split() for node, keys in regSplit.iteritems(): for key in keys: if key.values(): self.networkInterfaces.add( node, NetworkInterface(key.name, key.values())) def cards(self): regKeys = self.registryManager.getKeys( { 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\*': ['*'] }, self.root) regSplit = regKeys.split() for node, keys in regSplit.iteritems(): for key in keys: if key.values(): self.networkInterfaces.setDescription(key.values()) def wlan(self): regKeys = self.registryManager.getKeys( {'HKLM\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\*': ['*']}, self.root) regSplit = regKeys.split() for node, keys in regSplit.iteritems(): for key in keys: if key.values(): for value in key.values(): if value.name == 'ActiveSettings': self.wlanConfigs.add(node, WlanConfig(value.data())) def network(self): regKeys = self.registryManager.getKeys( { 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\*': ['*'] }, self.root) regSplit = regKeys.split() for node, keys in regSplit.iteritems(): for key in keys: if key.values(): self.networkList.add(node, Profiles(key.name, key.values())) def signatures(self): for mode in ['Managed', 'Unmanaged']: regKeys = self.registryManager.getKeys( { 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\\' + mode + '\*': ['*'] }, self.root) regSplit = regKeys.split() for node, keys in regSplit.iteritems(): for key in keys: if key.values(): self.networkList.addSignature( node, Signature(mode, key.values())) def report(self): self.reportManager = ReportManager() translator = NetworkTranslator() page = self.reportManager.createPage( translator.translate("Operating system") + " " + self.root.name().translate(None, "!@#$%^&'\/?").encode( 'UTF-8', 'replace'), translator.translate("Network")) self.networkInterfaces.report(page) self.wlanConfigs.report(page) self.networkList.report(page) self.reportManager.addPage(page)
class System(Script): def __init__(self): Script.__init__(self, "System") def start(self, args): self.translator = SystemTranslator() try: self.root = args["root"].value() except IndexError: self.root = self.vfs.getnode('/') self.process() self.report() def process(self, root=None): self.registryManager = ModuleProcessusManager().get("winreg") if root != None: self.root = root self.registryManager = ModuleProcessusManager().get("winreg") self.windowsVersions = WindowsVersions() self.computerNames = ComputerNames() self.timeZones = TimeZones() self.shutdownTimes = ShutdownTimes() self.version() self.computer() self.timeZone() self.shutdownTime() def version(self): regKeys = self.registryManager.getKeys( {'HKLM\Software\Microsoft\Windows NT\CurrentVersion': ['*']}, self.root) regSplit = regKeys.split() for node, keys in regSplit.iteritems(): for key in keys: if key.values(): self.windowsVersions.add(node, WindowsVersion(key.values())) def computer(self): regKeys = self.registryManager.getKeys( { 'HKLM\System\ControlSet*\Control\ComputerName\ComputerName': ['*'] }, self.root) regSplit = regKeys.split() for node, keys in regSplit.iteritems(): for key in keys: if key.values(): for value in key.values(): if value.name == 'ComputerName': self.computerNames.add(node, ComputerName(value.data())) def timeZone(self): regKeys = self.registryManager.getKeys( {'HKLM\System\ControlSet*\Control\TimeZoneInformation': ['*']}, self.root) regSplit = regKeys.split() for node, keys in regSplit.iteritems(): for key in keys: if key.values(): self.timeZones.add(node, TimeZone(key.values())) def shutdownTime(self): regKeys = self.registryManager.getKeys( {'HKLM\System\ControlSet*\Control\Windows': ['*']}, self.root) regSplit = regKeys.split() for node, keys in regSplit.iteritems(): for key in keys: if key.values(): for value in key.values(): if value.name == 'ShutdownTime': self.shutdownTimes.add(node, ShutdownTime(value.data())) def report(self): self.reportManager = ReportManager() page = self.reportManager.createPage( self.translator.translate("Operating system") + " " + self.root.name().translate(None, "!@#$%^&'\/?"), self.translator.translate("System")) self.windowsVersions.report(page) self.computerNames.report(page) self.timeZones.report(page) self.shutdownTimes.report(page) self.reportManager.addPage(page)
def __init__(self, name): Script.__init__(self, name) self.vfs = vfs() self.moduleProcessusManager = ModuleProcessusManager() self.searchesResults = {}