Пример #1
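        def external_process(self, fd):
            """Harvest Windows event-log message data from a scanned file.

            Two inputs are handled, selected by ``self.mime_type``:

            * a registry hive: every ``EventMessageFile`` value found for
              this inode is mapped to its service name and recorded in
              ``EventMessageSources`` (``filename`` -> ``source``);
            * anything else: the file is parsed as a PE image and every
              entry of its message table is stored in ``EventMessages``
              with the file's basename, message id, text and offset.

            Args:
                fd: open file object for the inode being scanned; only
                    read on the PE path (the registry path works from
                    ``self.fd``).

            Returns:
                None.  A file without a message table is reported at
                VERBOSE_DEBUG and otherwise ignored.
            """
            if self.mime_type == "application/x-winnt-registry":
                self._record_message_sources()
                return
            self._record_messages(fd)

        def _record_message_sources(self):
            """Populate EventMessageSources from the hive's EventMessageFile values."""
            # Logged rather than printed so it follows the other progress messages.
            pyflaglog.log(pyflaglog.VERBOSE_DEBUG,
                          "Grabbing message sources from %s" % self.fd.inode)
            dbh = DB.DBO(self.case)
            pydbh = DB.DBO()
            inode_id = self.fd.lookup_id()
            # Parameters are handed to DBO separately from the query text, so
            # quoting is DB.DBO.execute's job.  That matters: row['path'] and
            # row['value'] below come straight from the evidence registry --
            # NOTE(review): confirm that DBO escapes %r substitutions.
            dbh.execute("select * from reg where reg_key='EventMessageFile' and inode_id=%r",
                        inode_id)
            for row in dbh:
                # The last component of the key path is used as the service name.
                service = os.path.basename(os.path.normpath(row['path']))
                pydbh.execute("select * from EventMessageSources where source=%r limit 1",
                              service)
                if pydbh.fetch():
                    continue  # already mapped; the first mapping seen wins
                # The value is a backslash-separated Windows path; keep only the
                # lower-cased DLL basename.
                filename = row['value'].split("\\")[-1].lower()
                pydbh.execute("insert ignore into EventMessageSources set filename=%r, source=%r",
                              (filename, service))

        def _record_messages(self, fd):
            """Extract the PE message table read from *fd* into EventMessages."""
            filename, inode, inode_id = self.ddfs.lookup(inode=self.inode)
            b = Buffer(fd=fd)

            pyflaglog.log(pyflaglog.VERBOSE_DEBUG,
                          "Opening %s to extract messages" % self.inode)
            pydbh = DB.DBO()
            pydbh.mass_insert_start('EventMessages')
            try:
                m = PElib.get_messages(b)
                for k, v in m.messages.items():
                    pydbh.mass_insert(filename=os.path.basename(filename),
                                      message_id=k,
                                      message=v['Message'],
                                      offset=v.buffer.offset)
            except (IndexError, IOError, AttributeError):
                # Not a PE image, or one without a message table: nothing to store.
                pyflaglog.log(pyflaglog.VERBOSE_DEBUG,
                              "%s does not contain messages" % filename)
            # mass_insert presumably buffers rows until a commit; pair the
            # mass_insert_start above with one so the rows reach the table
            # (NOTE(review): confirm DBO does not already flush on its own).
            pydbh.mass_insert_commit()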
Пример #2
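        def external_process(self, fd):
            """Collect Windows event-log message sources or message tables.

            Registry hives (``application/x-winnt-registry``) contribute
            service -> message-DLL mappings to ``EventMessageSources``;
            every other file is parsed as a PE image and its message
            table, if any, is written to ``EventMessages`` (basename,
            message id, text, offset).

            Args:
                fd: open file object for the scanned inode; read only on
                    the PE path.  The registry path works from ``self.fd``.

            Returns:
                None.  A file without a message table is reported at
                VERBOSE_DEBUG, not treated as an error.
            """
            if self.mime_type == "application/x-winnt-registry":
                # Logged instead of printed, like the other progress messages.
                pyflaglog.log(pyflaglog.VERBOSE_DEBUG,
                              "Grabbing message sources from %s" % self.fd.inode)
                ## populate the EventMessageSources table from the registry
                dbh = DB.DBO(self.case)
                pydbh = DB.DBO()
                inode_id = self.fd.lookup_id()
                # Parameters are passed to DBO separately from the query text,
                # so DB.DBO.execute is responsible for quoting them.  That
                # matters here: row['path'] and row['value'] are taken from the
                # evidence registry -- NOTE(review): confirm %r is escaped.
                dbh.execute(
                    "select * from reg where reg_key='EventMessageFile' and inode_id=%r",
                    inode_id)
                for row in dbh:
                    # The last component of the key path is used as the service name.
                    service = os.path.basename(os.path.normpath(row['path']))
                    pydbh.execute(
                        "select * from EventMessageSources where source=%r limit 1",
                        service)
                    pyrow = pydbh.fetch()
                    if not pyrow:
                        # Backslash-separated Windows path -> lower-cased DLL basename.
                        filename = row['value'].split("\\")[-1].lower()
                        pydbh.execute(
                            "insert ignore into EventMessageSources set filename=%r, source=%r",
                            (filename, service))

                return

            filename, inode, inode_id = self.ddfs.lookup(inode=self.inode)
            b = Buffer(fd=fd)

            pyflaglog.log(pyflaglog.VERBOSE_DEBUG,
                          "Opening %s to extract messages" % self.inode)
            pydbh = DB.DBO()
            pydbh.mass_insert_start('EventMessages')
            try:
                m = PElib.get_messages(b)
                for k, v in m.messages.items():
                    pydbh.mass_insert(
                        filename=os.path.basename(filename),
                        message_id=k,
                        message=v['Message'],
                        offset=v.buffer.offset,
                    )

            except (IndexError, IOError, AttributeError):
                # Not a PE image, or one without a message table.
                pyflaglog.log(pyflaglog.VERBOSE_DEBUG,
                              "%s does not contain messages" % filename)

            # mass_insert presumably buffers rows until a commit; pair the
            # mass_insert_start above with one so the rows reach the table
            # (NOTE(review): confirm DBO does not already flush on its own).
            pydbh.mass_insert_commit()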
Пример #3
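    # Walk every directory given on the command line and load the message
    # table of each PE file found into EventMessages.
    for directory in config.args:
        for F in recurse(directory):
            # The stored filename is derived from the lower-cased path.
            f = F.lower()
            # Binary mode: Magic.buffer and Buffer work on raw bytes, and text
            # mode would mangle the image on platforms that translate newlines.
            fd = open(F, "rb")
            try:
                data = fd.read(1024)
                magic = Magic.buffer(data)
                if "PE" in magic:
                    fd.seek(0)
                    b = Buffer(fd=fd)

                    logging.log(logging.DEBUG,
                                "Opening %s to extract messages" % F)
                    dbh.mass_insert_start('EventMessages')
                    try:
                        m = PElib.get_messages(b)
                        for k, v in m.messages.items():
                            dbh.mass_insert(
                                filename=os.path.basename(f),
                                message_id=k,
                                message=v['Message'],
                                offset=v.buffer.offset,
                            )

                    except (IndexError, IOError, AttributeError):
                        # NOTE(review): the stdlib logging module has no
                        # VERBOSE_DEBUG level; if `logging` is the stdlib here,
                        # this handler raises AttributeError and aborts the
                        # walk -- confirm which module the name is bound to.
                        logging.log(logging.VERBOSE_DEBUG,
                                    "%s does not contain messages" % f)

                    dbh.mass_insert_commit()
            finally:
                # Every file is opened, PE or not, so always release the handle.
                fd.close()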

elif config.mode == 'reg':
Пример #4
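    Magic = FlagFramework.Magic()

    # Load the message table of every PE file under the given directories
    # into EventMessages.
    for directory in config.args:
        for F in recurse(directory):
            f = F.lower()  # the stored filename is taken from the lower-cased path
            # Raw bytes: both the type sniffing and the PE parsing expect them,
            # and text mode would corrupt the image where newlines are translated.
            fd = open(F, "rb")
            try:
                magic = Magic.buffer(fd.read(1024))
                if "PE" not in magic:
                    continue
                fd.seek(0)
                b = Buffer(fd=fd)

                logging.log(logging.DEBUG, "Opening %s to extract messages" % F)
                dbh.mass_insert_start('EventMessages')
                try:
                    m = PElib.get_messages(b)
                    for k, v in m.messages.items():
                        dbh.mass_insert(filename=os.path.basename(f),
                                        message_id=k,
                                        message=v['Message'],
                                        offset=v.buffer.offset)
                except (IndexError, IOError, AttributeError):
                    # NOTE(review): stdlib logging defines no VERBOSE_DEBUG; if
                    # `logging` is the stdlib module this handler itself raises
                    # AttributeError -- confirm which module is bound here.
                    logging.log(logging.VERBOSE_DEBUG, "%s does not contain messages" % f)

                # Runs whether or not a message table was found.
                dbh.mass_insert_commit()
            finally:
                # Close the handle for every file, including non-PE ones.
                fd.close()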

elif config.mode == 'reg':
    import FileFormats.RegFile as RegFile
    dbh=DB.DBO()