def attributes(self, node):
m = VMap()
hinfos = self.calculatedHash[long(node.this)]
hashes = self.getHashes(node)
for algo in hashes:
v = Variant(str(hashes[algo]))
m[str(algo)] = v
if len(hinfos.hsets):
knownBad = []
knownGood = []
for setId in hinfos.hsets:
hset = self.parent.hashSets.get(setId)
if hset.knownGood:
knownGood.append(hset)
else:
knownBad.append(hset)
if len(knownBad):
badList = VList()
for badSet in knownBad:
vname = Variant(badSet.name)
badList.append(vname)
m["known bad"] = badList
if len(knownGood):
goodList = VList()
for goodSet in knownGood:
vname = Variant(goodSet.name)
goodList.append(vname)
m["known good"] = goodList
return m
def __notifyFailure(self, src, ftype, tb):
e = event()
e.thisown = False
e.type = ftype
vl = VList()
vl.append(Variant(src))
vl.append(Variant(str(tb)))
e.value = RCVariant(Variant(vl))
self.notify(e)
def __notifyFileProgress(self, node, percent):
e = event()
e.thisown = False
e.type = Extract.FileProgress
vl = VList()
vl.append(Variant(node))
vl.append(Variant(int(percent)))
e.value = RCVariant(Variant(vl))
self.notify(e)
def __notifyRename(self, src, dst):
e = event()
e.thisown = False
e.type = Extract.RenameOccured
vl = VList()
vl.append(Variant(src))
vl.append(Variant(dst))
e.value = RCVariant(Variant(vl))
self.notify(e)
def _attributes(self):
i = 1
attr = VMap()
vlist = VList()
for f in self.files:
node = f.value()
vlist.append(Variant(node.absolute()))
attr["concatanated files (ordered)"] = Variant(vlist)
return attr
def _attributes(self):
i = 1
attr = VMap()
vlist = VList()
for f in self.files:
node = f.value()
vlist.append(Variant(node.absolute()))
attr["concatanated files (ordered)"] = Variant(vlist)
return attr
def _setLoadedModules(self, attrs):
dlls = VList()
for m in self.eproc.get_load_modules():
name = str(m.FullDllName) or 'N/A'
dll = VMap()
dllattribs = VMap()
dllattribs["Base"] = Variant(long(m.DllBase))
dllattribs["Size"] = Variant(long(m.SizeOfImage))
if name != "N/A":
self._setImportedFunctions(name, dllattribs)
dll[name] = Variant(dllattribs)
dlls.append(dll)
attrs["Loaded modules"] = Variant(dlls)
def _setImportedFunctions(self, name, attrs):
if self.__pe and hasattr(self.__pe, "DIRECTORY_ENTRY_IMPORT"):
found = False
for entry in self.__pe.DIRECTORY_ENTRY_IMPORT:
if name.lower().find(entry.dll.lower()) != -1:
found = True
break
if found:
funcs = VList()
for imp in entry.imports:
func = VMap()
if imp.name:
func[str(imp.name)] = Variant(imp.address)
else:
func[str(imp.ordinal)] = Variant(imp.address)
funcs.append(func)
attrs["Imported functions"] = Variant(funcs)
def start(self, args):
if args.has_key("start-offset"):
startoff = args["start-offset"].value()
else:
startoff = 0
if args.has_key("block-aligned"):
aligned = True
else:
aligned = False
patterns = VList()
for mimetype in filetypes.keys():
if mimetype in args:
vsubtypes = args[mimetype].value()
for subtype in filetypes[mimetype].keys():
if subtype in vsubtypes:
pattern = VMap()
descr = filetypes[mimetype][subtype]
for p in descr:
header = VMap()
header["needle"] = Variant(p[0], typeId.String)
header["size"] = Variant(len(p[0]), typeId.UInt32)
footer = VMap()
footer["needle"] = Variant(p[1], typeId.String)
footer["size"] = Variant(len(p[1]), typeId.UInt32)
pattern["filetype"] = Variant(
subtype, typeId.String)
pattern["header"] = Variant(header)
pattern["footer"] = Variant(footer)
pattern["window"] = Variant(
int(p[2]), typeId.UInt32)
if aligned:
pattern["aligned"] = Variant(True, typeId.Bool)
else:
pattern["aligned"] = Variant(
False, typeId.Bool)
patterns.append(pattern)
margs = VMap()
margs["patterns"] = Variant(patterns)
margs["file"] = args["file"]
margs["start-offset"] = Variant(startoff, typeId.UInt64)
proc = self.tm.add("carver", margs, ["console"])
if proc:
proc.event.wait()
def createContext(self, selected):
lpatterns = VList()
for filetype in selected.iterkeys():
patterns = selected[filetype][0]
aligned = selected[filetype][1]
for pattern in patterns:
vpattern = VMap()
vpattern["filetype"] = Variant(filetype, typeId.String)
header = VMap()
header["needle"] = Variant(pattern[0], typeId.String)
header["size"] = Variant(len(pattern[0]), typeId.UInt32)
footer = VMap()
footer["needle"] = Variant(pattern[1], typeId.String)
footer["size"] = Variant(len(pattern[1]), typeId.UInt32)
vpattern["header"] = Variant(header)
vpattern["footer"] = Variant(footer)
vpattern["window"] = Variant(int(pattern[2]), typeId.UInt32)
vpattern["aligned"] = Variant(aligned, typeId.Bool)
lpatterns.append(vpattern)
return lpatterns
def attributes(self, node):
m = VMap()
idx = node.uid()
self.__lock.acquire()
if self.__hashs.has_key(idx):
hashInfo = self.__hashs[idx]
hsets = hashInfo.hsets
else:
hsets = []
self.__lock.release()
hashes = self.__getHashes(node)
for algo in hashes:
v = Variant(str(hashes[algo]))
m[str(algo)] = v
if len(hsets):
knownBad = []
knownGood = []
for setId in hsets:
hset = self.__parent.getHashSetFromId(setId)
if hset.knownGood:
knownGood.append(hset)
else:
knownBad.append(hset)
if len(knownBad):
badList = VList()
for badSet in knownBad:
vname = Variant(badSet.name)
badList.append(vname)
m["known bad"] = badList
if len(knownGood):
goodList = VList()
for goodSet in knownGood:
vname = Variant(goodSet.name)
goodList.append(vname)
m["known good"] = goodList
return m
def __createReport(self):
if len(self.__failed_files):
vl = VList()
for ffile in self.__failed_files:
vl.append(Variant(ffile))
self.res["failed extraction for files"] = vl
if len(self.__failed_folders):
vl = VList()
for ffolder in self.__failed_folders:
vl.append(Variant(ffolder))
self.res["failed extraction for folders"] = vl
if len(self.__renamed):
vmap = VMap()
for key in self.__renamed:
vl = VList()
for val in self.__renamed[key]:
vl.append(Variant(val))
vmap[key] = vl
self.res["renamed"] = vmap
def __createReport(self):
if len(self.__failed_files):
vl = VList()
for ffile in self.__failed_files:
vl.append(Variant(ffile))
self.res["failed extraction for files"] = vl
if len(self.__failed_folders):
vl = VList()
for ffolder in self.__failed_folders:
vl.append(Variant(ffolder))
self.res["failed extraction for folders"] = vl
if len(self.__renamed):
vmap = VMap()
for key in self.__renamed:
vl = VList()
for val in self.__renamed[key]:
vl.append(Variant(val))
vmap[key] = vl
self.res["renamed"] = vmap
def decode_REG_MULTI_SZ(self, data):
vlist = VList()
for line in unicode(data, 'UTF-16').split('\x00'):
if line:
vlist.append(Variant(line.encode('UTF-8')))
return vlist
