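def detail_service_open(entry):
    """Render a service-open event as "object event|key fields|readable text".

    The line has three "|"-separated segments: the event identity, the key
    fields (service name through sanitize_generic, raw access mask) and a
    human-readable form.  The access mask is expanded with
    pretty_print_arg("services", None, "DesiredAccess", ...); any "|" in that
    expansion is rewritten as " OR " (presumably so a flag list cannot be
    confused with the segment separator).

    All fields originate from the monitored sample's API log and are treated
    as untrusted strings.

    @param entry: event dict with "object", "event" and a "data" dict holding
        "name" and "access".
    @return: the formatted line.
    """
    data = entry["data"]
    name = data["name"]
    access = data["access"]
    # pretty_print_arg may return an empty value for a mask it does not know
    # (detail_winhook/detail_device already guard for this); fall back to the
    # raw mask instead of calling .replace() on None.
    pretty_access = pretty_print_arg("services", None, "DesiredAccess", access)
    pretty_access = pretty_access.replace("|", " OR ") if pretty_access else access
    return (
        entry["object"] + " " + entry["event"] + "|"
        + sanitize_generic(name) + " " + access + "|"
        + name + " " + pretty_access
    )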
def detail_winhook(entry):
    """Render a Windows-hook event as "object event|sanitized id|readable id".

    The hook identifier is expanded via
    pretty_print_arg(None, None, "HookIdentifier", ...); when that yields
    nothing the raw identifier from the log is used in both segments.

    @param entry: event dict with "object", "event" and a "data" dict holding
        the hook "id".
    @return: the formatted line.
    """
    hook_id = entry["data"]["id"]
    label = pretty_print_arg(None, None, "HookIdentifier", hook_id) or hook_id
    return "|".join((
        entry["object"] + " " + entry["event"],
        sanitize_generic(label),
        label,
    ))
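def detail_section_map(entry):
    """Render a section-map event as "object event|key fields|readable text".

    Side effect: records the mapped base address in the module-level
    ``mapped`` mapping.  The section handle is resolved to a file name through
    the module-level ``open_handles`` mapping (filled by detail_file_open);
    when the handle is unknown the raw handle is reported instead.

    @param entry: event dict with "object", "event" and a "data" dict holding
        "process" (handle, resolved via detail_process_aux_handle, which is
        used here as a (sanitized, readable) pair), "section", "protect"
        and "addr".
    @return: the formatted line.
    """
    data = entry["data"]
    proc_handle = detail_process_aux_handle(data["process"])
    sect_handle = data["section"]
    name = open_handles.get(sect_handle)
    protect_raw = data["protect"]
    # pretty_print_arg may return an empty value for an unknown protection
    # constant (as detail_winhook/detail_device already assume); keep the raw
    # value rather than failing on .replace() of None.
    protect = pretty_print_arg(None, None, "Win32Protect", protect_raw)
    protect = protect.replace("|", " OR ") if protect else protect_raw
    addr = data["addr"]
    mapped[addr] = True
    prefix = entry["object"] + " " + entry["event"] + "|" + proc_handle[0] + " "
    if name:
        return (
            prefix + sanitize_file(name) + " " + sanitize_generic(protect_raw) + "|"
            + proc_handle[1] + " BaseAddr:" + addr + " File:" + name + " (" + protect + ")"
        )
    return (
        prefix + sanitize_generic(protect_raw) + "|"
        + proc_handle[1] + " BaseAddr:" + addr + " Section:" + sect_handle + " (" + protect + ")"
    )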
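def detail_memory_protect(entry):
    """Render a memory-protection change as "object event|key fields|readable".

    Note that, unlike detail_section_map, the sanitized key field here is the
    *expanded* protection string, not the raw constant.

    @param entry: event dict with "object", "event" and a "data" dict holding
        "handle" (process handle, resolved via detail_process_aux_handle and
        used as a (sanitized, readable) pair), "protection", "addr" and
        "size".
    @return: the formatted line.
    """
    data = entry["data"]
    handle = detail_process_aux_handle(data["handle"])
    protect_raw = data["protection"]
    # pretty_print_arg may return an empty value for an unknown constant (as
    # detail_winhook/detail_device already assume); fall back to the raw value.
    protect = pretty_print_arg(None, None, "Protection", protect_raw)
    protect = protect.replace("|", " OR ") if protect else protect_raw
    addr = data["addr"]
    size = data["size"]
    return (
        entry["object"] + " " + entry["event"] + "|"
        + handle[0] + " " + sanitize_generic(protect) + "|"
        + handle[1] + " BaseAddr:" + addr + " Size:" + size + " (" + protect + ")"
    )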
def detail_device(entry):
    """Render a device I/O control event as "object event|sanitized|readable".

    The control code is expanded via pretty_print_arg(None, None,
    "IoControlCode", ...) with "|" rewritten as " OR "; if no expansion is
    available the raw code is used.  The device handle is resolved through the
    module-level ``open_handles`` mapping when known, otherwise reported raw.

    @param entry: event dict with "object", "event" and a "data" dict holding
        "code" and "handle".
    @return: the formatted line.
    """
    data = entry["data"]
    code = data["code"]
    pretty_code = pretty_print_arg(None, None, "IoControlCode", code)
    pretty_code = pretty_code.replace("|", " OR ") if pretty_code else code
    handle = data["handle"]
    device = open_handles.get(handle, handle)
    return "|".join((
        entry["object"] + " " + entry["event"],
        sanitize_generic(pretty_code) + " " + sanitize_file(device),
        pretty_code + " " + device,
    ))
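def detail_file_open(entry):
    """Render a successful file-creation event; register the handle first.

    Side effect: on a successful call the handle->path pair is stored in the
    module-level ``open_handles`` mapping so later handle-based events
    (section map, device control) can be resolved to a file name.  This
    happens regardless of whether the event itself is reported.

    @param entry: event dict with "object", "event", "status" and a "data"
        dict holding "handle", "file" and optionally "disposition".
    @return: the formatted line, or None when the call failed, carries no
        disposition, or its disposition is "1" or "4".
    """
    data = entry["data"]
    handle = data["handle"]
    name = data["file"]
    if entry["status"]:
        open_handles[handle] = name

    # do not include this event unless it is successfully creating a file
    if "disposition" not in data or not entry["status"] or data["disposition"] in ("1", "4"):
        return None

    # pretty_print_arg may return an empty value for an unknown disposition
    # (detail_winhook/detail_device already guard for this); fall back to the
    # raw value instead of calling .replace() on None.
    disposition = data["disposition"]
    pretty = pretty_print_arg(None, None, "CreateDisposition", disposition)
    pretty = pretty.replace("|", " OR ") if pretty else disposition
    return (
        entry["object"] + " " + entry["event"] + "|"
        + sanitize_file(name) + "|"
        + name + " (" + pretty + ")"
    )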
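def _parse(self, row):
    """Parse one API-call row of the analysis log into a call dict.

    Columns 0-8 are fixed (timestamp, thread id, caller, parent caller,
    category, API name, repeat count, status, return value); every column
    from 9 on is an (arg_name, arg_value) pair.  The values come from the
    monitored sample's API log and are treated as untrusted: each argument
    and every non-integer return value goes through convert_to_printable
    before being stored, and the raw argument is kept (as "raw_value") only
    when self.reporting_mode is false.

    Side effect: the call's thread id is added to self.threads when not yet
    present.

    @param row: sequence of column values for one logged call.
    @return: dict with timestamp, thread_id, caller, parentcaller, category,
        api, status, return, optional pretty_return, arguments and repeated;
        None when the row is too short or its status column is not numeric.
    """
    arguments = []
    try:
        timestamp = row[0]  # Timestamp of current API call invocation.
        thread_id = row[1]  # Thread ID.
        caller = row[2]  # non-system DLL return address
        parentcaller = row[3]  # non-system DLL parent of non-system-DLL return address
        category = row[4]  # Win32 function category.
        api_name = row[5]  # Name of the Windows API.
        repeated = row[6]  # Times log repeated
        status_value = row[7]  # Success or Failure?
        return_value = row[8]  # Value returned by the function.
    except IndexError as e:
        log.debug("Unable to parse process log row: %s", e)
        return None

    # A non-numeric status column would otherwise escape as ValueError and
    # abort parsing of the whole log; treat it like a malformed row instead.
    try:
        status = bool(int(status_value))
    except (TypeError, ValueError) as e:
        log.debug("Unable to parse process log row status (row=%s): %s", row, e)
        return None

    # Now walk through the remaining columns, which will contain API
    # arguments.
    for api_arg in row[9:]:
        # Split the argument name with its value based on the separator.
        try:
            arg_name, arg_value = api_arg
        except (TypeError, ValueError) as e:
            log.debug("Unable to parse analysis row argument (row=%s): %s", api_arg, e)
            continue

        argument = {"name": arg_name}
        if isinstance(arg_value, bytes):
            arg_value = bytes2str(arg_value)
        # A list of byte strings is flattened into one space-separated string.
        if isinstance(arg_value, list) and arg_value and isinstance(arg_value[0], bytes):
            arg_value = " ".join(bytes2str(arg_value))
        try:
            argument["value"] = convert_to_printable(arg_value, self.conversion_cache)
        except Exception:
            # Skip only this argument.  The value is untrusted, so it is passed
            # as a log argument (with context) rather than used as the message.
            log.error(
                "Unable to convert argument %s of %s to printable form: %r",
                arg_name, api_name, arg_value, exc_info=True,
            )
            continue
        if not self.reporting_mode:
            argument["raw_value"] = arg_value
        pretty = pretty_print_arg(category, api_name, arg_name, argument["value"])
        if pretty:
            argument["pretty_value"] = pretty
        arguments.append(argument)

    call = {
        "timestamp": timestamp,
        "thread_id": str(thread_id),
        "caller": f"0x{default_converter(caller):08x}",
        "parentcaller": f"0x{default_converter(parentcaller):08x}",
        "category": category,
        "api": api_name,
        "status": status,
    }
    if isinstance(return_value, int):
        call["return"] = f"0x{default_converter(return_value):08x}"
    else:
        call["return"] = convert_to_printable(str(return_value), self.conversion_cache)

    prettyret = pretty_print_retval(call["status"], call["return"])
    if prettyret:
        call["pretty_return"] = prettyret

    call["arguments"] = arguments
    call["repeated"] = repeated

    # add the thread id to our thread set
    if call["thread_id"] not in self.threads:
        self.threads.append(call["thread_id"])

    return call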
def _parse(self, row):
    """Parse one API-call row of the analysis log into a call dict (Python 2 era).

    Columns 0-8 are fixed (timestamp, thread id, caller, parent caller,
    category, API name, repeat count, status, return value); columns from 9
    on are (arg_name, arg_value) pairs.  Every argument value and every
    non-integer return value is run through convert_to_printable; the raw
    argument is kept as "raw_value" only when self.reporting_mode is false.

    Side effect: the call's thread id is appended to self.threads when new.

    @param row: sequence of column values for one logged call.
    @return: parsed call dict, or None when the row has fewer than 9 columns.
    """
    try:
        (timestamp, thread_id, caller, parentcaller, category,
         api_name, repeated, status_value, return_value) = (
            row[0],  # Timestamp of current API call invocation.
            row[1],  # Thread ID.
            row[2],  # non-system DLL return address
            row[3],  # non-system DLL parent of non-system-DLL return address
            row[4],  # Win32 function category.
            row[5],  # Name of the Windows API.
            row[6],  # Times log repeated
            row[7],  # Success or Failure?
            row[8],  # Value returned by the function.
        )
    except IndexError as e:
        log.debug("Unable to parse process log row: %s", e)
        return None

    # Remaining columns hold the API arguments as (name, value) pairs.
    arguments = []
    for column in row[9:]:
        try:
            arg_name, arg_value = column
        except ValueError as e:
            log.debug("Unable to parse analysis row argument (row=%s): %s", column, e)
            continue

        argument = {
            "name": arg_name,
            "value": convert_to_printable(str(arg_value), self.conversion_cache),
        }
        if not self.reporting_mode:
            argument["raw_value"] = arg_value
        pretty = pretty_print_arg(category, api_name, arg_name, argument["value"])
        if pretty:
            argument["pretty_value"] = pretty
        arguments.append(argument)

    status = bool(int(status_value))
    if isinstance(return_value, (int, long)):
        ret = "0x%.08x" % return_value
    else:
        ret = convert_to_printable(str(return_value), self.conversion_cache)

    call = {
        "timestamp": timestamp,
        "thread_id": str(thread_id),
        "caller": "0x%.08x" % caller,
        "parentcaller": "0x%.08x" % parentcaller,
        "category": category,
        "api": api_name,
        "status": status,
        "return": ret,
    }
    prettyret = pretty_print_retval(category, api_name, status, ret)
    if prettyret:
        call["pretty_return"] = prettyret
    call["arguments"] = arguments
    call["repeated"] = repeated

    # add the thread id to our thread set
    if call["thread_id"] not in self.threads:
        self.threads.append(call["thread_id"])
    return call
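def _parse(self, row):
    """Parse one API-call row of the analysis log into a call dict.

    Columns 0-8 are fixed (timestamp, thread id, caller, parent caller,
    category, API name, repeat count, status, return value); columns from 9
    on are (arg_name, arg_value) pairs.  Values come from the monitored
    sample's API log and are treated as untrusted: byte-string arguments are
    decoded with bytes2str, every argument value and every non-integer return
    value goes through convert_to_printable, and the raw argument is kept as
    "raw_value" only when self.reporting_mode is false.

    Side effect: the call's thread id is appended to self.threads when new.

    @param row: sequence of column values for one logged call.
    @return: parsed call dict, or None when the row has fewer than 9 columns.
    """
    call = {}
    arguments = []
    try:
        timestamp = row[0]  # Timestamp of current API call invocation.
        thread_id = row[1]  # Thread ID.
        caller = row[2]  # non-system DLL return address
        parentcaller = row[3]  # non-system DLL parent of non-system-DLL return address
        category = row[4]  # Win32 function category.
        api_name = row[5]  # Name of the Windows API.
        repeated = row[6]  # Times log repeated
        status_value = row[7]  # Success or Failure?
        return_value = row[8]  # Value returned by the function.
    except IndexError as e:
        log.debug("Unable to parse process log row: %s", e)
        return None

    # Now walk through the remaining columns, which will contain API
    # arguments.
    for api_arg in row[9:]:
        argument = {}
        # Split the argument name with its value based on the separator.
        try:
            arg_name, arg_value = api_arg
        except ValueError as e:
            log.debug("Unable to parse analysis row argument (row=%s): %s", api_arg, e)
            continue

        argument["name"] = arg_name
        if isinstance(arg_value, bytes):
            arg_value = bytes2str(arg_value)
        argument["value"] = convert_to_printable(str(arg_value), self.conversion_cache)
        if not self.reporting_mode:
            argument["raw_value"] = arg_value
        pretty = pretty_print_arg(category, api_name, arg_name, argument["value"])
        if pretty:
            argument["pretty_value"] = pretty
        arguments.append(argument)

    call["timestamp"] = timestamp
    call["thread_id"] = str(thread_id)
    call["caller"] = "0x%.08x" % default_converter(caller)
    call["parentcaller"] = "0x%.08x" % default_converter(parentcaller)
    call["category"] = category
    call["api"] = api_name
    call["status"] = bool(int(status_value))
    # The original test repeated `isinstance(return_value, int)` twice, a
    # leftover of the Python 2 `long` check; a single check is equivalent.
    if isinstance(return_value, int):
        call["return"] = "0x%.08x" % default_converter(return_value)
    else:
        call["return"] = convert_to_printable(str(return_value), self.conversion_cache)

    prettyret = pretty_print_retval(category, api_name, call["status"], call["return"])
    if prettyret:
        call["pretty_return"] = prettyret

    call["arguments"] = arguments
    call["repeated"] = repeated

    # add the thread id to our thread set
    if call["thread_id"] not in self.threads:
        self.threads.append(call["thread_id"])

    return call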