def get_process_created_details(io, metadata, event, extra_detail_io): io.seek(4, 1) # Unknown fields event.details["PID"] = read_u32(io) io.seek(0x24, 1) # Unknown fields unknown_size1 = read_u8(io) unknown_size2 = read_u8(io) path_info = read_detail_string_info(io) command_line_info = read_detail_string_info(io) io.seek(2 + unknown_size1 + unknown_size2, 1) # Unknown fields event.path = read_detail_string(io, path_info) event.details["Command line"] = read_detail_string(io, command_line_info)
def __init__(self, io, total_size, number_of_events): super(EventOffsetsArray, self).__init__() stream = BytesIO(io.read(total_size)) offsets = [0] * number_of_events for i in range(number_of_events): offsets[i] = read_u32(stream) _ = read_u8(stream) # Unknown flags self.extend(offsets)
def get_filesystem_setdispositioninformation_details(io, metadata, event, details_io, extra_detail_io): is_delete = bool(read_u8(io)) io.seek(3, 1) # Padding if is_delete: event.details["Delete"] = "True" event.category = "Write" else: event.details["Delete"] = "False"
def get_filesystem_event_details(io, metadata, event, extra_detail_io): sub_operation = read_u8(io) # fix operation name if there is more specific sub operation if 0 != sub_operation and FilesystemOperation[event.operation] in FilesystemSubOperations: try: event.operation = FilesystemSubOperations[FilesystemOperation[event.operation]](sub_operation).name except ValueError: event.operation += " <Unknown>" io.seek(1 + sizeof_pvoid(metadata.is_64bit) * 5 + 0x16, 1) # Unknown fields path_info = read_detail_string_info(io) io.seek(2, 1) # Unknown fields event.path = read_detail_string(io, path_info) if event.operation in FilesystemSubOperationHandler: FilesystemSubOperationHandler[event.operation](io, metadata, event, extra_detail_io)
def get_filesystem_event_details(io, metadata, event, extra_detail_io): sub_operation = read_u8(io) io.seek(0x3, 1) # padding # fix operation name if there is more specific sub operation if 0 != sub_operation and FilesystemOperation[event.operation] in FilesystemSubOperations: try: event.operation = FilesystemSubOperations[FilesystemOperation[event.operation]](sub_operation).name except ValueError: event.operation += " <Unknown>" details_io = BytesIO(io.read(metadata.sizeof_pvoid * 5 + 0x14)) path_info = read_detail_string_info(io) io.seek(2, 1) # Padding event.path = read_detail_string(io, path_info) if metadata.should_get_details and event.operation in FilesystemSubOperationHandler: FilesystemSubOperationHandler[event.operation](io, metadata, event, details_io, extra_detail_io)
def get_filesystem_create_file_details(io, metadata, event, details_io, extra_detail_io): event.details["Desired Access"] = get_filesystem_access_mask_string(read_u32(io)) impersonating_sid_length = read_u8(io) io.seek(0x3, 1) # padding details_io.seek(0x10, 1) if metadata.sizeof_pvoid == 8: details_io.seek(4, 1) # Padding for 64 bit disposition_and_options = read_u32(details_io) disposition = disposition_and_options >> 0x18 options = disposition_and_options & 0xffffff if metadata.sizeof_pvoid == 8: details_io.seek(4, 1) # Padding for 64 bit attributes = read_u16(details_io) share_mode = read_u16(details_io) event.details["Disposition"] = get_enum_name_or(FilesystemDisposition, disposition, "<unknown>") event.details["Options"] = get_filesysyem_create_options(options) event.details["Attributes"] = get_filesysyem_create_attributes(attributes) event.details["ShareMode"] = get_filesysyem_create_share_mode(share_mode) details_io.seek(0x4 + metadata.sizeof_pvoid * 2, 1) allocation = read_u32(details_io) allocation_value = allocation if disposition in [FilesystemDisposition.Supersede, FilesystemDisposition.Create, FilesystemDisposition.OpenIf, FilesystemDisposition.OverwriteIf] else "n/a" event.details["AllocationSize"] = allocation_value if impersonating_sid_length: event.details["Impersonating"] = get_sid_string(io.read(impersonating_sid_length)) open_result = None if extra_detail_io: open_result = read_u32(extra_detail_io) event.details["OpenResult"] = get_enum_name_or(FilesystemOpenResult, open_result, "<unknown>") if open_result in [FilesystemOpenResult.Superseded, FilesystemOpenResult.Created, FilesystemOpenResult.Overwritten]: event.category = "Write" elif open_result in [FilesystemOpenResult.Opened, FilesystemOpenResult.Exists, FilesystemOpenResult.DoesNotExist]: pass elif event.details["Disposition"] in ["Open", "<unknown>"]: pass else: event.category = "Write"
def get_filesystem_query_directory_details(io, metadata, event, details_io, extra_detail_io): event.category = "Read Metadata" directory_name_info = read_detail_string_info(io) directory_name = read_detail_string(io, directory_name_info) if directory_name: event.path = event.path + directory_name if event.path[-1] == "\\" else event.path + "\\" + directory_name event.details['Filter'] = directory_name details_io.seek(0x10, 1) if metadata.sizeof_pvoid == 8: details_io.seek(4, 1) # Padding for 64 bit details_io.seek(0x4, 1) if metadata.sizeof_pvoid == 8: details_io.seek(4, 1) # Padding for 64 bit file_information_class = FileInformationClass(read_u32(details_io)) event.details["FileInformationClass"] = file_information_class.name if extra_detail_io and file_information_class in [FileInformationClass.FileDirectoryInformation, FileInformationClass.FileFullDirectoryInformation, FileInformationClass.FileBothDirectoryInformation, FileInformationClass.FileNamesInformation, FileInformationClass.FileIdBothDirectoryInformation, FileInformationClass.FileIdFullDirectoryInformation]: extra_detail_length = len(extra_detail_io.getvalue()) next_entry_offset = -1 # hack so the first iteration won't exit current_entry_offset = 1 i = 0 if directory_name else -1 while True: i += 1 if next_entry_offset == 0 or (current_entry_offset + next_entry_offset) > extra_detail_length: break # No more structures extra_detail_io.seek(current_entry_offset + next_entry_offset, 0) current_entry_offset = extra_detail_io.tell() next_entry_offset = read_u32(extra_detail_io) file_index = read_u32(extra_detail_io) if file_information_class == FileInformationClass.FileNamesInformation: # FILE_NAMES_INFORMATION structure file_name_length = read_u32(extra_detail_io) event.details[str(i)] = read_utf16(extra_detail_io, file_name_length) continue creation_time = read_filetime(extra_detail_io) last_access_time = read_filetime(extra_detail_io) last_write_time = read_filetime(extra_detail_io) change_time = read_filetime(extra_detail_io) end_of_file = read_u64(extra_detail_io) allocation_size = read_u64(extra_detail_io) file_attributes = read_u32(extra_detail_io) file_name_length = read_u32(extra_detail_io) if file_information_class == FileInformationClass.FileDirectoryInformation: # FILE_DIRECTORY_INFORMATION structure event.details[str(i)] = read_utf16(extra_detail_io, file_name_length) continue ea_size = read_u32(extra_detail_io) if file_information_class == FileInformationClass.FileFullDirectoryInformation: # FILE_FULL_DIR_INFORMATION structure event.details[str(i)] = read_utf16(extra_detail_io, file_name_length) continue if file_information_class == FileInformationClass.FileIdFullDirectoryInformation: # FILE_ID_FULL_DIR_INFORMATION structure file_id = read_u64(extra_detail_io) event.details[str(i)] = read_utf16(extra_detail_io, file_name_length) continue short_name_length = read_u8(extra_detail_io) extra_detail_io.seek(1, 1) # Padding short_name = extra_detail_io.read(12 * 2) if file_information_class == FileInformationClass.FileBothDirectoryInformation: # FILE_BOTH_DIR_INFORMATION structure event.details[str(i)] = read_utf16(extra_detail_io, file_name_length) continue # FILE_ID_BOTH_DIR_INFORMATION structure extra_detail_io.seek(2, 1) # Padding file_id = read_u64(extra_detail_io) event.details[str(i)] = read_utf16(extra_detail_io, file_name_length) continue