def blobHandler(self, conn, blob):
k = 0 # key index
# create new data (ie. pkt data)
# with appropriate key
data, newdata = blob.data(), ''
self.debug('IN ' + util.hexPlusAscii(blob.data()))
if self.cskey != None and blob.direction == 'cs':
key = self.cskey
elif self.sckey != None and blob.direction == 'sc':
key = self.sckey
else:
key = self.key
for i in xrange(len(data)):
if self.resync and data[i:i + len(key)] == key:
k = 0 # resync if the key is seen
# xor this byte with the aligned byte from the key
newdata += chr(ord(data[i]) ^ ord(key[k]))
k = (k + 1) % len(key) # move key position
# update our connection object with the new data
newblob = self.xorconn[conn.addr].update(
conn.endtime, blob.direction, newdata)
self.debug('OUT ' + repr(self.key) + ' ' + util.hexPlusAscii(newdata))
# if there is another decoder we want to pass this data too
if newblob and 'blobHandler' in dir(self.subDecoder):
# pass to the subDecoder's blobHandler()
self.subDecoder.blobHandler(self.xorconn[conn.addr], newblob)
def blobHandler(self, conn, blob):
k = 0 # key index
# create new data (ie. pkt data)
# with appropriate key
data, newdata = blob.data(), ''
self.debug('IN ' + util.hexPlusAscii(blob.data()))
if self.cskey != None and blob.direction == 'cs':
key = self.cskey
elif self.sckey != None and blob.direction == 'sc':
key = self.sckey
else:
key = self.key
for i in xrange(len(data)):
if self.resync and data[i:i + len(key)] == key:
k = 0 # resync if the key is seen
# xor this byte with the aligned byte from the key
newdata += chr(ord(data[i]) ^ ord(key[k]))
k = (k + 1) % len(key) # move key position
# update our connection object with the new data
newblob = self.xorconn[conn.addr].update(conn.endtime, blob.direction,
newdata)
self.debug('OUT ' + repr(self.key) + ' ' + util.hexPlusAscii(newdata))
# if there is another decoder we want to pass this data too
if newblob and 'blobHandler' in dir(self.subDecoder):
# pass to the subDecoder's blobHandler()
self.subDecoder.blobHandler(self.xorconn[conn.addr], newblob)
def SMBHandler(self, conn, request=None, response=None, requesttime=None, responsetime=None, cmd=None, status=None):
# we only care about valid responses and matching request/response user
# IDs
if status == SMB_STATUS_SUCCESS and request.uid == response.uid:
if cmd == SMB_COM_NT_CREATE_ANDX: # file is being requested/opened
self.debug('%s UID: %s MID: %s NT Create AndX Status: %s' % (
conn.addr, request.uid, response.mid, hex(status)))
filename = request.PARSE_NT_CREATE_ANDX_REQUEST(
request.smbdata)
if type(filename) == type(None):
self.debug('Error: smb.SMB.PARSE_NT_CREATE_ANDX_REQUEST\n%s' % util.hexPlusAscii(request.smbdata))
return
fid = response.PARSE_NT_CREATE_ANDX_RESPONSE(response.smbdata)
self.debug('%s FID: %s' % (conn.addr, fid))
if fid == -1:
self.debug('Error: smb.SMB.PARSE_NT_CREATE_ANDX_RESPONSE\n%s' % util.hexPlusAscii(response.smbdata))
self.debug(util.hexPlusAscii(response.smbdata))
return
self.fidhandles[fid] = self.__localfilename(self.outdir, os.path.normpath(filename))
elif cmd == SMB_COM_WRITE_ANDX: # write data to the file
fid, rawbytes = request.PARSE_WRITE_ANDX(request.smbdata)
# do we have a local fd already open to handle this write?
if fid in self.fds.keys():
self.fds[fid].write(rawbytes)
else:
try:
fidhandle = self.fidhandles[fid]
self.fds[fid] = open(fidhandle, 'wb')
self.fds[fid].write(rawbytes)
except KeyError:
self.debug("Error: Could not find fidhandle for FID %s" % (fid))
return
elif cmd == SMB_COM_CLOSE: # file is being closed
fid = request.PARSE_COM_CLOSE(request.smbdata)
if fid in self.fds.keys():
self.log(repr(conn) + '\t%s' % (self.fidhandles[fid]))
self.fds[fid].close()
del self.fds[fid]
if fid in self.fidhandles.keys():
self.debug('Closing FID: %s Filename: %s' %
(hex(fid), self.fidhandles[fid]))
del self.fidhandles[fid]
def dump(self,pkt=None,**kw): #pass packets to pcap
'''dump raw packet data to an output
override this if you want a format other than pcap'''
pktdata=str(pkt) #might be string, might be a dpkt object
pktlen=kw.get('len',len(pktdata))
if self.pcapwriter: self.pcapwriter.write(pktlen,pktdata,kw['ts'])
else: self.log(util.hexPlusAscii(str(pkt)),level=logging.DEBUG)
def dump(self, pkt=None, **kw): # pass packets to pcap
'''dump raw packet data to an output
override this if you want a format other than pcap'''
pktdata = str(pkt) # might be string, might be a dpkt object
pktlen = kw.get('len', len(pktdata))
if self.pcapwriter:
self.pcapwriter.write(pktlen, pktdata, kw['ts'])
else:
self.log(util.hexPlusAscii(str(pkt)), level=logging.DEBUG)
def rawHandler(self, dlen, data, ts, **kw):
if self.verbose:
self.log("%.06f %d\n%s" % (ts, dlen, util.hexPlusAscii(str(data))))
eth = dpkt.ethernet.Ethernet(str(data))
src = binascii.hexlify(eth.src)
dst = binascii.hexlify(eth.dst)
self.alert('%6x->%6x %4x len %d' %
(long(src, 16), long(dst, 16), eth.type, len(eth.data)),
type=eth.type,
bytes=len(eth.data),
src=src,
dst=dst,
ts=ts)
def rawHandler(self, dlen, data, ts, **kw):
if self.verbose:
self.log("%.06f %d\n%s" % (ts, dlen, util.hexPlusAscii(str(data))))
eth = dpkt.ethernet.Ethernet(str(data))
src = binascii.hexlify(eth.src)
dst = binascii.hexlify(eth.dst)
self.alert(
"%6x->%6x %4x len %d" % (long(src, 16), long(dst, 16), eth.type, len(eth.data)),
type=eth.type,
bytes=len(eth.data),
src=src,
dst=dst,
ts=ts,
)
def packetHandler(self, ip=None, proto=None):
if self.verbose:
self.out.log(util.hexPlusAscii(ip.pkt))
self.alert(**ip.info())
if self.out.sessionwriter:
self.write(ip)
def packetHandler(self,ip=None,proto=None):
if self.verbose: self.out.log(util.hexPlusAscii(ip.pkt))
self.alert(**ip.info())
if self.out.sessionwriter: self.write(ip)
def SMBHandler(self,
conn,
request=None,
response=None,
requesttime=None,
responsetime=None,
cmd=None,
status=None):
# we only care about valid responses and matching request/response user
# IDs
if status == SMB_STATUS_SUCCESS and request.uid == response.uid:
#
# SMB_COM_SESSION_SETUP - Start tracking user authentication by UID
#
if cmd == SMB_COM_SESSION_SETUP_ANDX and type(status) != type(
None):
auth_record = request.PARSE_SESSION_SETUP_ANDX_REQUEST(
request.smbdata)
if not (auth_record):
return
domain_name = auth_record.domain_name
user_name = auth_record.user_name
host_name = auth_record.host_name
self.uidname[response.uid] = (host_name, "%s\%s" %
(domain_name, user_name))
#
# SMB_COM_TREE_CONNECT - Start tracking tree by TID
#
if cmd == SMB_COM_TREE_CONNECT_ANDX:
request_path = unicode(
request.SMB_COM_TREE_CONNECT_ANDX_Request(request.smbdata),
'utf-16').encode('utf-8').rstrip('\0')
self.tidmap[response.tid] = request_path
#
# SMB_COM_NT_CREATE - Start tracking file handle by FID
#
# file is being requested/opened
elif cmd == SMB_COM_NT_CREATE_ANDX:
self.debug('%s UID: %s MID: %s NT Create AndX Status: %s' %
(conn.addr, request.uid, response.mid, hex(status)))
filename = request.PARSE_NT_CREATE_ANDX_REQUEST(
request.smbdata)
if type(filename) == type(None):
self.debug(
'Error: smb.SMB.PARSE_NT_CREATE_ANDX_REQUEST\n%s' %
util.hexPlusAscii(request.smbdata))
return
fid = response.PARSE_NT_CREATE_ANDX_RESPONSE(response.smbdata)
if fid == -1:
self.debug(
'Error: smb.SMB.PARSE_NT_CREATE_ANDX_RESPONSE\n%s' %
util.hexPlusAscii(response.smbdata))
self.debug(util.hexPlusAscii(response.smbdata))
return
# Setup smbfile object
if response.uid in self.uidname:
hostname, username = self.uidname[response.uid]
else:
hostname = 'Unknown'
username = '******'
if response.tid in self.tidmap:
treepath = self.tidmap[response.tid]
else:
treepath = ''
fileobj = self.smbfile(self, conn, fid, requesttime, filename,
username, hostname, treepath)
fileIndex = self.fileIndexFromFID(conn, fid)
self.smbfileobjs[fileIndex] = fileobj
#
# SMB_COM_WRITE - File writes
#
elif cmd == SMB_COM_WRITE_ANDX: # write data to the file
fid, rawbytes = request.PARSE_WRITE_ANDX(request.smbdata)
#self.debug('COM_WRITE_ANDX\n%s' % (util.hexPlusAscii(request.smbdata)))
fileIndex = self.fileIndexFromFID(conn, fid)
if fileIndex in self.smbfileobjs:
self.smbfileobjs[fileIndex].writeblock(rawbytes)
#
# SMB_COM_READ - File reads
#
elif cmd == SMB_COM_READ_ANDX: # read data from the file
fid = request.PARSE_READ_ANDX_Request(request.smbdata)
rawbytes = response.PARSE_READ_ANDX_Response(response.smbdata)
#self.debug('COM_READ_ANDX (FID %s)\n%s' % (fid, util.hexPlusAscii(response.smbdata)))
fileIndex = self.fileIndexFromFID(conn, fid)
if fileIndex in self.smbfileobjs:
self.smbfileobjs[fileIndex].readblock(rawbytes)
#
# SMB_COM_CLOSE - Closing file
#
elif cmd == SMB_COM_CLOSE: # file is being closed
fid = request.PARSE_COM_CLOSE(request.smbdata)
fileIndex = self.fileIndexFromFID(conn, fid)
if fileIndex in self.smbfileobjs:
self.smbfileobjs[fileIndex].closetime = responsetime
del self.smbfileobjs[fileIndex]
def _write_string(self, text, direction, timestamp, encoding=None):
colorTag = ''
# Print TimestampcolorTag
if self._COLORMODE == 'HTML' and timestamp != None:
self._htmlwrite('<div class="timestamp">\n%s UTC:</div>' %
datetime.datetime.utcfromtimestamp(timestamp))
#if self._hexmode: self._htmlwrite("<br>")
elif self._COLORMODE == 'TTY' and self._timemode and timestamp != None:
self.fh.write('\x1b[36m%s UTC:\x1b[0m\n' %
datetime.datetime.utcfromtimestamp(timestamp))
# Set Direction
if direction.lower() == 'cs':
if self._COLORMODE == 'HTML':
self._htmlwrite('<span style="color:red;">')
elif self._COLORMODE == 'TTY':
colorTag = '\x1b[0;31m'
elif direction.lower() == 'sc':
if self._COLORMODE == 'HTML':
self._htmlwrite('<span style="color:blue;">')
elif self._COLORMODE == 'TTY':
colorTag = '\x1b[0;32m'
# Hex Mode Data
if self._hexmode:
# Hex Output
dlen = len(text)
if direction.lower() == 'cs':
msgOffset = self._CS_offset
self._CS_offset += dlen
elif direction.lower() == 'sc':
msgOffset = self._SC_offset
self._SC_offset += dlen
else:
msgOffset = self._NODIR_offset
self._NODIR_offset += dlen
text = util.hexPlusAscii(str(text), 16, msgOffset)
if self._COLORMODE == 'HTML':
text = cgi.escape(text)
self._htmlwrite(text)
elif self._COLORMODE == 'TTY':
self._write_tty(text, colorTag)
else:
self.fh.write(text)
# Plain Text
else:
if type(text) == unicode:
text = util.printableUnicode(text).encode('utf-8')
elif encoding:
try:
utext = unicode(text, encoding)
text = util.printableUnicode(utext).encode('utf-8')
except:
text = util.printableText(str(text))
else:
text = util.printableText(str(text))
if self._COLORMODE == 'HTML':
text = cgi.escape(text)
self._htmlwrite(text)
elif self._COLORMODE == 'TTY':
self._write_tty(text, colorTag)
else:
self.fh.write(text)
# Close direction
if self._COLORMODE == 'HTML' and direction != '':
self._htmlwrite("</span>")
def SMBHandler(self,
conn,
request=None,
response=None,
requesttime=None,
responsetime=None,
cmd=None,
status=None):
# we only care about valid responses and matching request/response user
# IDs
if status == SMB_STATUS_SUCCESS and request.uid == response.uid:
if cmd == SMB_COM_SESSION_SETUP_ANDX and type(status) != type(
None):
auth_record = request.PARSE_SESSION_SETUP_ANDX_REQUEST(
request.smbdata)
if not (auth_record):
return
domain_name = auth_record.domain_name
user_name = auth_record.user_name
self.uidname[response.uid] = "%s\\%s" % (domain_name,
user_name)
# file is being requested/opened
elif cmd == SMB_COM_NT_CREATE_ANDX:
self.debug('%s UID: %s MID: %s NT Create AndX Status: %s' %
(conn.addr, request.uid, response.mid, hex(status)))
filename = request.PARSE_NT_CREATE_ANDX_REQUEST(
request.smbdata)
if type(filename) == type(None):
self.debug(
'Error: smb.SMB.PARSE_NT_CREATE_ANDX_REQUEST\n%s' %
util.hexPlusAscii(request.smbdata))
return
fid = response.PARSE_NT_CREATE_ANDX_RESPONSE(response.smbdata)
if fid == -1:
self.debug(
'Error: smb.SMB.PARSE_NT_CREATE_ANDX_RESPONSE\n%s' %
util.hexPlusAscii(response.smbdata))
self.debug(util.hexPlusAscii(response.smbdata))
return
match = re.search(
r'psexecsvc-(.*)-(\d+)-(stdin|stdout|stderr)', filename)
if not match:
return
# We have a PSEXEC File Handle!
hostname = match.group(1)
pid = match.group(2)
iohandleName = match.group(3)
sessionIndex = self.sessIndexFromPID(conn, pid)
if not sessionIndex in self.psexecobjs:
self.psexecobjs[sessionIndex] = self.psexec(
self, conn, hostname, pid, requesttime)
self.fidhandles[fid] = self.psexecobjs[sessionIndex]
self.fidhandles[fid].addIO(fid, filename)
if response.uid in self.uidname:
self.fidhandles[fid].username = self.uidname[response.uid]
elif cmd == SMB_COM_WRITE_ANDX: # write data to the file
fid, rawbytes = request.PARSE_WRITE_ANDX(request.smbdata)
self.debug('COM_WRITE_ANDX\n%s' %
(util.hexPlusAscii(request.smbdata)))
if fid in self.fidhandles:
self.fidhandles[fid].addmsg(rawbytes, 'cs', requesttime)
elif cmd == SMB_COM_READ_ANDX: # write data to the file
fid = request.PARSE_READ_ANDX_Request(request.smbdata)
rawbytes = response.PARSE_READ_ANDX_Response(response.smbdata)
self.debug('COM_READ_ANDX (FID %s)\n%s' %
(fid, util.hexPlusAscii(response.smbdata)))
if fid in self.fidhandles:
self.fidhandles[fid].addmsg(rawbytes, 'sc', responsetime)
elif cmd == SMB_COM_CLOSE: # file is being closed
fid = request.PARSE_COM_CLOSE(request.smbdata)
if fid in self.fidhandles.keys():
self.fidhandles[fid].delIO(fid)
self.debug('Closing FID: %s Filename: %s' %
(hex(fid), self.fidhandles[fid]))
if self.fidhandles[fid].handleCount(
) < 1 and self.sessIndexFromPID(
conn, self.fidhandles[fid].pid) in self.psexecobjs:
self.psexecobjs[self.sessIndexFromPID(
conn,
self.fidhandles[fid].pid)].closetime = responsetime
del self.psexecobjs[self.sessIndexFromPID(
conn, self.fidhandles[fid].pid)]
del self.fidhandles[fid]
def _write_string(self, text, direction, timestamp, encoding=None):
colorTag = ''
# Print TimestampcolorTag
if self._COLORMODE == 'HTML' and timestamp != None:
self._htmlwrite('<div class="timestamp">\n%s UTC:</div>' %
datetime.datetime.utcfromtimestamp(timestamp))
#if self._hexmode: self._htmlwrite("<br>")
elif self._COLORMODE == 'TTY' and self._timemode and timestamp != None:
self.fh.write('\x1b[36m%s UTC:\x1b[0m\n' %
datetime.datetime.utcfromtimestamp(timestamp))
if self.nobuffer:
self.fh.flush()
# Set Direction
if direction.lower() == 'cs':
if self._COLORMODE == 'HTML':
self._htmlwrite('<span style="color:red;">')
elif self._COLORMODE == 'TTY':
colorTag = '\x1b[0;31m'
elif direction.lower() == 'sc':
if self._COLORMODE == 'HTML':
self._htmlwrite('<span style="color:blue;">')
elif self._COLORMODE == 'TTY':
colorTag = '\x1b[0;32m'
# Hex Mode Data
if self._hexmode:
# Hex Output
dlen = len(text)
if direction.lower() == 'cs':
msgOffset = self._CS_offset
self._CS_offset += dlen
elif direction.lower() == 'sc':
msgOffset = self._SC_offset
self._SC_offset += dlen
else:
msgOffset = self._NODIR_offset
self._NODIR_offset += dlen
text = util.hexPlusAscii(str(text), 16, msgOffset)
if self._COLORMODE == 'HTML':
text = cgi.escape(text)
self._htmlwrite(text)
elif self._COLORMODE == 'TTY':
self._write_tty(text, colorTag)
else:
self.fh.write(text)
if self.nobuffer:
self.fh.flush()
# Plain Text
else:
if type(text) == unicode:
text = util.printableUnicode(text).encode('utf-8')
elif encoding:
try:
utext = unicode(text, encoding)
text = util.printableUnicode(utext).encode('utf-8')
except:
text = util.printableText(str(text))
else:
text = util.printableText(str(text))
if self._COLORMODE == 'HTML':
text = cgi.escape(text)
self._htmlwrite(text)
elif self._COLORMODE == 'TTY':
self._write_tty(text, colorTag)
else:
self.fh.write(text)
# Close direction
if self._COLORMODE == 'HTML' and direction != '':
self._htmlwrite("</span>")
def SMBHandler(self, conn, request=None, response=None, requesttime=None, responsetime=None, cmd=None, status=None):
# we only care about valid responses and matching request/response user
# IDs
if status == SMB_STATUS_SUCCESS and request.uid == response.uid:
#
# SMB_COM_SESSION_SETUP - Start tracking user authentication by UID
#
if cmd == SMB_COM_SESSION_SETUP_ANDX and type(status) != type(None):
auth_record = request.PARSE_SESSION_SETUP_ANDX_REQUEST(
request.smbdata)
if not(auth_record):
return
domain_name = auth_record.domain_name
user_name = auth_record.user_name
host_name = auth_record.host_name
self.uidname[response.uid] = (
host_name, "%s\%s" % (domain_name, user_name))
#
# SMB_COM_TREE_CONNECT - Start tracking tree by TID
#
if cmd == SMB_COM_TREE_CONNECT_ANDX:
request_path = unicode(request.SMB_COM_TREE_CONNECT_ANDX_Request(
request.smbdata), 'utf-16').encode('utf-8').rstrip('\0')
self.tidmap[response.tid] = request_path
#
# SMB_COM_NT_CREATE - Start tracking file handle by FID
#
# file is being requested/opened
elif cmd == SMB_COM_NT_CREATE_ANDX:
self.debug('%s UID: %s MID: %s NT Create AndX Status: %s' % (
conn.addr, request.uid, response.mid, hex(status)))
filename = request.PARSE_NT_CREATE_ANDX_REQUEST(
request.smbdata)
if type(filename) == type(None):
self.debug('Error: smb.SMB.PARSE_NT_CREATE_ANDX_REQUEST\n%s' % util.hexPlusAscii(
request.smbdata))
return
fid = response.PARSE_NT_CREATE_ANDX_RESPONSE(response.smbdata)
if fid == -1:
self.debug('Error: smb.SMB.PARSE_NT_CREATE_ANDX_RESPONSE\n%s' % util.hexPlusAscii(
response.smbdata))
self.debug(util.hexPlusAscii(response.smbdata))
return
# Setup smbfile object
if response.uid in self.uidname:
hostname, username = self.uidname[response.uid]
else:
hostname = 'Unknown'
username = '******'
if response.tid in self.tidmap:
treepath = self.tidmap[response.tid]
else:
treepath = ''
fileobj = self.smbfile(
self, conn, fid, requesttime, filename, username, hostname, treepath)
fileIndex = self.fileIndexFromFID(conn, fid)
self.smbfileobjs[fileIndex] = fileobj
#
# SMB_COM_WRITE - File writes
#
elif cmd == SMB_COM_WRITE_ANDX: # write data to the file
fid, rawbytes = request.PARSE_WRITE_ANDX(request.smbdata)
#self.debug('COM_WRITE_ANDX\n%s' % (util.hexPlusAscii(request.smbdata)))
fileIndex = self.fileIndexFromFID(conn, fid)
if fileIndex in self.smbfileobjs:
self.smbfileobjs[fileIndex].writeblock(rawbytes)
#
# SMB_COM_READ - File reads
#
elif cmd == SMB_COM_READ_ANDX: # read data from the file
fid = request.PARSE_READ_ANDX_Request(request.smbdata)
rawbytes = response.PARSE_READ_ANDX_Response(response.smbdata)
#self.debug('COM_READ_ANDX (FID %s)\n%s' % (fid, util.hexPlusAscii(response.smbdata)))
fileIndex = self.fileIndexFromFID(conn, fid)
if fileIndex in self.smbfileobjs:
self.smbfileobjs[fileIndex].readblock(rawbytes)
#
# SMB_COM_CLOSE - Closing file
#
elif cmd == SMB_COM_CLOSE: # file is being closed
fid = request.PARSE_COM_CLOSE(request.smbdata)
fileIndex = self.fileIndexFromFID(conn, fid)
if fileIndex in self.smbfileobjs:
self.smbfileobjs[fileIndex].closetime = responsetime
del self.smbfileobjs[fileIndex]
def SMBHandler(self, conn, request=None, response=None, requesttime=None, responsetime=None, cmd=None, status=None):
# we only care about valid responses and matching request/response user
# IDs
if status == SMB_STATUS_SUCCESS and request.uid == response.uid:
if cmd == SMB_COM_SESSION_SETUP_ANDX and type(status) != type(None):
auth_record = request.PARSE_SESSION_SETUP_ANDX_REQUEST(
request.smbdata)
if not(auth_record):
return
domain_name = auth_record.domain_name
user_name = auth_record.user_name
self.uidname[response.uid] = "%s\\%s" % (
domain_name, user_name)
# file is being requested/opened
elif cmd == SMB_COM_NT_CREATE_ANDX:
self.debug('%s UID: %s MID: %s NT Create AndX Status: %s' % (
conn.addr, request.uid, response.mid, hex(status)))
filename = request.PARSE_NT_CREATE_ANDX_REQUEST(
request.smbdata)
if type(filename) == type(None):
self.debug('Error: smb.SMB.PARSE_NT_CREATE_ANDX_REQUEST\n%s' % util.hexPlusAscii(
request.smbdata))
return
fid = response.PARSE_NT_CREATE_ANDX_RESPONSE(response.smbdata)
if fid == -1:
self.debug('Error: smb.SMB.PARSE_NT_CREATE_ANDX_RESPONSE\n%s' % util.hexPlusAscii(
response.smbdata))
self.debug(util.hexPlusAscii(response.smbdata))
return
match = re.search(
r'psexecsvc-(.*)-(\d+)-(stdin|stdout|stderr)', filename)
if not match:
return
# We have a PSEXEC File Handle!
hostname = match.group(1)
pid = match.group(2)
iohandleName = match.group(3)
sessionIndex = self.sessIndexFromPID(conn, pid)
if not sessionIndex in self.psexecobjs:
self.psexecobjs[sessionIndex] = self.psexec(
self, conn, hostname, pid, requesttime)
self.fidhandles[fid] = self.psexecobjs[sessionIndex]
self.fidhandles[fid].addIO(fid, filename)
if response.uid in self.uidname:
self.fidhandles[fid].username = self.uidname[response.uid]
elif cmd == SMB_COM_WRITE_ANDX: # write data to the file
fid, rawbytes = request.PARSE_WRITE_ANDX(request.smbdata)
self.debug('COM_WRITE_ANDX\n%s' %
(util.hexPlusAscii(request.smbdata)))
if fid in self.fidhandles:
self.fidhandles[fid].addmsg(rawbytes, 'cs', requesttime)
elif cmd == SMB_COM_READ_ANDX: # write data to the file
fid = request.PARSE_READ_ANDX_Request(request.smbdata)
rawbytes = response.PARSE_READ_ANDX_Response(response.smbdata)
self.debug('COM_READ_ANDX (FID %s)\n%s' %
(fid, util.hexPlusAscii(response.smbdata)))
if fid in self.fidhandles:
self.fidhandles[fid].addmsg(rawbytes, 'sc', responsetime)
elif cmd == SMB_COM_CLOSE: # file is being closed
fid = request.PARSE_COM_CLOSE(request.smbdata)
if fid in self.fidhandles.keys():
self.fidhandles[fid].delIO(fid)
self.debug('Closing FID: %s Filename: %s' %
(hex(fid), self.fidhandles[fid]))
if self.fidhandles[fid].handleCount() < 1 and self.sessIndexFromPID(conn, self.fidhandles[fid].pid) in self.psexecobjs:
self.psexecobjs[
self.sessIndexFromPID(conn, self.fidhandles[fid].pid)].closetime = responsetime
del self.psexecobjs[
self.sessIndexFromPID(conn, self.fidhandles[fid].pid)]
del self.fidhandles[fid]
