def csv_recent_docs(self):
"""Extracts information about recently opened files saved location and opened date"""
self.logger.info("Extracting recent docs")
path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"
hive_list = self._get_list_from_registry_key(registry_obj.HKEY_USERS,
path)
to_csv_list = [
("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH",
"ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA")
]
for item in hive_list:
if item[KEY_VALUE_STR] == "VALUE":
if item[VALUE_NAME] != "MRUListEx":
values_decoded = decode_recent_docs_mru(item[VALUE_DATA])
for value_decoded in values_decoded:
to_csv_list.append(
(self.computer_name, "recent_docs",
item[VALUE_LAST_WRITE_TIME], "HKEY_USERS",
item[VALUE_PATH], item[VALUE_NAME],
item[KEY_VALUE_STR],
registry_obj.get_str_type(item[VALUE_TYPE]),
value_decoded))
with open(
self.output_dir + "\\" + self.computer_name + "_recent_docs" +
self.rand_ext, "wb") as output:
csv_writer = get_csv_writer(output)
write_list_to_csv(to_csv_list, csv_writer)
def csv_clipboard(self):
"""Exports the clipboard contents"""
# TODO : what happens if clipboard contents is a CSV string ?
self.logger.info('Getting clipboard contents')
with open(self.output_dir + '\\' + self.computer_name + '_clipboard.csv', 'wb') as output:
csv_writer = get_csv_writer(output)
write_to_csv(["COMPUTER_NAME", "TYPE", "DATA"], csv_writer)
r = None #initialize the local variable r
try:
r = Tk() # Using Tk instead because it supports exotic characters
data = r.selection_get(selection='CLIPBOARD')
r.destroy()
write_to_csv([self.computer_name, 'clipboard', unicode(data)], csv_writer)
except:
if r != None: # Verify that r exist before calling destroy
r.destroy()
win32clipboard.OpenClipboard()
clip = win32clipboard.EnumClipboardFormats(0)
while clip:
try:
format_name = win32clipboard.GetClipboardFormatName(clip)
except win32api.error:
format_name = "?"
self.logger.info('format ' + unicode(clip) + ' ' + unicode(format_name))
if clip == 15: # 15 seems to be a list of filenames
filenames = win32clipboard.GetClipboardData(clip)
for filename in filenames:
write_to_csv([self.computer_name, 'clipboard', filename], csv_writer)
clip = win32clipboard.EnumClipboardFormats(clip)
win32clipboard.CloseClipboard()
record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_clipboard.csv',
self.output_dir + '\\' + self.computer_name + '_sha256.log')
def _csv_open_save_mru(self, str_opensave_mru):
"""Extracts OpenSaveMRU containing information about files selected in the Open and Save view"""
# TODO : Win XP
self.logger.info("Extracting open save MRU")
hive_list = self._get_list_from_registry_key(registry_obj.HKEY_USERS,
str_opensave_mru)
to_csv_list = [
("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH",
"ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA")
]
for item in hive_list:
if item[KEY_VALUE_STR] == 'VALUE':
if item[VALUE_NAME] != "MRUListEx":
pidl = shell.StringAsPIDL(item[VALUE_DATA])
path = shell.SHGetPathFromIDList(pidl)
to_csv_list.append(
(self.computer_name, "opensaveMRU",
item[VALUE_LAST_WRITE_TIME], "HKEY_USERS",
item[VALUE_PATH], item[VALUE_NAME],
item[KEY_VALUE_STR],
registry_obj.get_str_type(item[VALUE_TYPE]), path))
with open(
self.output_dir + "\\" + self.computer_name + "_opensaveMRU" +
self.rand_ext, "wb") as output:
csv_writer = get_csv_writer(output)
write_list_to_csv(to_csv_list, csv_writer)
def _csv_list_running_process(self, list_running):
self.logger.info("Health : Listing running processes")
with open(
self.output_dir + '%s_processes' % self.computer_name +
self.rand_ext, 'ab') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv([
"COMPUTER_NAME", "TYPE", "PID", "PROCESS_NAME", "COMMAND",
"EXEC_PATH"
], csv_writer)
for p in list_running:
pid = p[0]
name = p[1]
cmd = p[2]
exe_path = p[3]
write_to_csv([
self.computer_name, 'processes',
unicode(pid), name,
unicode(cmd),
unicode(exe_path)
], csv_writer)
record_sha256_logs(
self.output_dir + self.computer_name + '_processes' +
self.rand_ext,
self.output_dir + self.computer_name + '_sha256.log')
def _csv_event_logs(self, is_win_xp):
"""Prints the event logs in a csv, the called method is different for WinXP and lower"""
server = None # name of the target computer to get event logs, None to get logs from current computer
with open(self.output_dir + '\\' + self.computer_name + '_evts.csv', 'wb') as fw:
csv_writer = get_csv_writer(fw)
if is_win_xp:
for eventCategory, sourceName, eventID, eventType, date, log in self._list_evt_xp(server, 'Security'):
write_to_csv([self.computer_name, 'Logs', 'Security', eventCategory, sourceName, eventID, eventType,
date] + log, csv_writer)
for eventCategory, sourceName, eventID, eventType, date, log in self._list_evt_xp(server,
'Application'):
write_to_csv(
[self.computer_name, 'Logs', 'Application', eventCategory, sourceName, eventID, eventType,
date] + log, csv_writer)
for eventCategory, sourceName, eventID, eventType, date, log in self._list_evt_xp(server, 'System'):
write_to_csv([self.computer_name, 'Logs', 'System', eventCategory, sourceName, eventID, eventType,
date] + log, csv_writer)
else:
# Exports everything from the event viewer
evt_handle = win32evtlog.EvtOpenChannelEnum()
os.mkdir(self.output_dir + r"\evt")
while True:
# opening channel for enumeration
logtype = win32evtlog.EvtNextChannelPath(evt_handle)
if logtype is None:
break
# fw.write('"Computer Name"|"Type"|"Date"|"logtype"|"log data"\n')
self._list_evt_vista(server, logtype)
def _csv_list_drives(self, drives):
with open(self.output_dir + '_list_drives.csv', 'wb') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(["COMPUTER_NAME", "TYPE", "FAB", "PARTITIONS", "DISK", "FILESYSTEM"], csv_writer)
for phCapt, partCapt, logicalCapt, fs in drives:
write_to_csv([self.computer_name, 'list_drives', phCapt, partCapt, logicalCapt, fs], csv_writer)
record_sha256_logs(self.output_dir + '_list_drives.csv', self.output_dir + '_sha256.log')
def _csv_list_network_drives(self, drives):
with open(self.output_dir + '_list_networks_drives.csv', 'wb') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(["COMPUTER_NAME", "TYPE", "DISK", "FILESYSTEM", "PARTITION_NAME"], csv_writer)
for diskCapt, diskFs, diskPName in drives:
write_to_csv([self.computer_name, 'list_networks_drives', diskCapt, diskFs, diskPName], csv_writer)
record_sha256_logs(self.output_dir + '_list_networks_drives.csv', self.output_dir + '_sha256.log')
def _csv_list_share(self, share):
with open(self.output_dir + '_shares.csv', 'wb') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(["COMPUTER_NAME", "TYPE", "SHARE_NAME", "SHARE_PATH"], csv_writer)
for name, path in share:
write_to_csv([self.computer_name, 'shares', name, path], csv_writer)
record_sha256_logs(self.output_dir + '_shares.csv', self.output_dir + '_sha256.log')
def _csv_event_logs(self, is_win_xp):
"""Prints the event logs in a csv, the called method is different for WinXP and lower"""
server = None # name of the target computer to get event logs, None to get logs from current computer
with open(self.output_dir + '\\' + self.computer_name + '_evts' + self.rand_ext, 'wb') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(['COMPUTER', 'TYPE', 'SOURCE', 'CATEGORY', 'SOURCE NAME', 'ID', 'EVENT_TYPE', 'LOG'], csv_writer)
if is_win_xp:
for eventCategory, sourceName, eventID, eventType, date, log in self._list_evt_xp(server, 'Security'):
write_to_csv([self.computer_name, 'Logs', 'Security', eventCategory, sourceName, eventID, eventType,
date] + log, csv_writer)
for eventCategory, sourceName, eventID, eventType, date, log in self._list_evt_xp(server,
'Application'):
write_to_csv(
[self.computer_name, 'Logs', 'Application', eventCategory, sourceName, eventID, eventType,
date] + log, csv_writer)
for eventCategory, sourceName, eventID, eventType, date, log in self._list_evt_xp(server, 'System'):
write_to_csv([self.computer_name, 'Logs', 'System', eventCategory, sourceName, eventID, eventType,
date] + log, csv_writer)
else:
# Exports everything from the event viewer
evt_handle = win32evtlog.EvtOpenChannelEnum()
os.mkdir(self.output_dir + r"\evt")
while True:
# opening channel for enumeration
logtype = win32evtlog.EvtNextChannelPath(evt_handle)
if logtype is None:
break
# fw.write('"Computer Name"|"Type"|"Date"|"logtype"|"log data"\n')
self._list_evt_vista(server, logtype)
def _csv_list_scheduled_jobs(self):
self.logger.info('Health : Listing scheduled jobs')
file_tasks = self.output_dir + '_tasks.csv'
with open(file_tasks, 'wb') as tasks_logs:
proc = subprocess.Popen(["schtasks.exe", '/query', '/fo', 'CSV'], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
res = proc.communicate()
res = get_terminal_decoded_string(res[0])
# clean and write the command output
write_to_output('"TASK_NAME","NEXT_SCHEDULE","STATUS"\r\n', tasks_logs, self.logger)
column_names = None
for line in res.split('\r\n'):
if line == "":
continue
if line[0] != '"':
continue
if not column_names:
column_names = line
continue
elif column_names == line:
continue
write_to_output(line+"\r\n", tasks_logs, self.logger)
self.logger.info('Health : Listing scheduled jobs')
with open(file_tasks, "r") as fr, open(self.output_dir + "_scheduled_jobs.csv", 'wb') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(["COMPUTER_NAME", "TYPE", "JOB_NAME", "TIME", "STATE"], csv_writer)
for l in fr.readlines():
l = l.decode('utf8')
if l.find('\\') > 0:
l = l[:-1].replace('"', '') # remove the end of line
arr_write = [self.computer_name, 'scheduled_jobs'] + l.split(',')
write_to_csv(arr_write, csv_writer)
self.logger.info('Health : Listing scheduled jobs')
record_sha256_logs(self.output_dir + '_scheduled_jobs.csv', self.output_dir + '_sha256.log')
def _csv_list_route_table(self, routes):
with open(self.output_dir + "_routes_tables.csv", 'ab') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(["COMPUTER_NAME", "TYPE", "NAME", "MASK"], csv_writer)
for ip, mask in routes:
write_to_csv([self.computer_name, 'routes_tables', unicode(ip), unicode(mask)], csv_writer)
record_sha256_logs(self.output_dir + '_routes_tables.csv', self.output_dir + '_sha256.log')
def csv_custom_registry_keys(self):
"""
Extracts custom registry keys, the user specifies whether it should be recursive or not.
The list of registry keys to extract should be comma-separated
"""
if self.exec_custom_registry_keys:
self.logger.info("Extracting custom registry keys")
to_csv_list = [
("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
"ATTR_TYPE", "ATTR_DATA")]
for paths in reader([self.custom_registry_keys]): # used as a kind of unpack
for path in paths:
temp = path.split("\\")
hive = temp[0].upper()
path = "\\".join(temp[1:])
if hive in ("HKLM", "HKEY_LOCAL_MACHINE"):
self._generate_hklm_csv_list(to_csv_list, "custom_registry_key", path,
is_recursive=self.registry_recursive)
elif hive in ("HKU", "HKEY_USERS"):
self._generate_hku_csv_list(to_csv_list, "custom_registry_key", path,
is_recursive=self.registry_recursive)
else: # error
self.logger.warn("Must specify HKLM/HKEY_LOCAL_MACHINE or HKU/HKEY_USERS as hive")
return
with open(self.output_dir + "\\" + self.computer_name + "_custom_registry_keys" + self.rand_ext, "wb") as output:
csv_writer = get_csv_writer(output)
write_list_to_csv(to_csv_list, csv_writer)
def _csv_all_modules_dll(self):
"""Outputs all processes and their opened dll in a csv"""
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
pe32 = PROCESSENTRY32()
pe32.dwSize = sizeof(PROCESSENTRY32)
ret = Process32First(hProcessSnap, pointer(pe32))
with open(
self.output_dir + '\\' + self.computer_name +
'_processes_dll' + self.rand_ext, 'wb') as output:
csv_writer = get_csv_writer(output)
write_to_csv(
["COMPUTER_NAME", "TYPE", "PID", "PROCESS_NAME", "MODULE"],
csv_writer)
while ret:
modules = self._GetProcessModules(pe32.th32ProcessID, False)
if len(modules) > 0:
process_name = modules.pop(
0) # first element is the name of the process
for module in modules:
write_to_csv([
self.computer_name, 'processes_dll',
unicode(pe32.th32ProcessID), process_name, module
], csv_writer)
ret = Process32Next(hProcessSnap, pointer(pe32))
record_sha256_logs(
self.output_dir + '\\' + self.computer_name + '_processes_dll' +
self.rand_ext,
self.output_dir + '\\' + self.computer_name + '_sha256.log')
def _csv_networks_list(self, key):
with open(os.path.join(self.output_dir,'%s_network_list_%s' % (self.computer_name, self.rand_ext)), 'wb') as output:
csv_writer = get_csv_writer(output)
network_list_result = self._get_network_list(key)
arr_data = [v.values() for v in network_list_result.values()]
arr_data.insert(0,network_list_result.values()[0].keys())
write_list_to_csv(arr_data, csv_writer)
def csv_custom_registry_keys(self):
with open(self.output_dir + "\\" + self.computer_name + "_custom_registry_keys" + self.rand_ext, "wb") as output:
csv_writer = get_csv_writer(output)
to_csv_list = self.__get_custom_registry_keys()
if to_csv_list:
write_list_to_csv(to_csv_list, csv_writer)
def _csv_infos_fs(self, files):
with open(
self.output_dir + '\\' + self.computer_name + '_Filecatcher' +
self.rand_ext, 'wb') as fw:
csv_writer = get_csv_writer(fw)
for f, mime, md5, sha1, sha256, zip_value, datem, empty in files:
write_to_csv([
self.computer_name, 'Filecatcher',
unicode(datem),
unicode(f),
unicode(md5),
unicode(sha1),
unicode(sha256),
unicode(mime),
unicode(zip_value),
unicode(empty),
self._get_url_VT(sha256)
], csv_writer)
record_sha256_logs(
self.output_dir + '\\' + self.computer_name + '_Filecatcher' +
self.rand_ext,
self.output_dir + '\\' + self.computer_name + '_sha256.log')
if self.zip_file:
self.zip_file.close()
def _csv_hash_running_process(self, list_running):
self.logger.info("Health : Hashing running processes")
with open(self.output_dir + '_hash_processes' + self.rand_ext,
'ab') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv([
"COMPUTER_NAME", "TYPE", "PID", "PROCESS_NAME", "EXEC_PATH",
"MD5", "SHA1", "CTIME", "MTIME", "ATIME"
], csv_writer)
for p in list_running:
pid = p[0]
name = p[1]
cmd = p[2]
exe_path = p[3]
if exe_path:
ctime = datetime.datetime.fromtimestamp(
os.path.getctime(exe_path))
mtime = datetime.datetime.fromtimestamp(
os.path.getmtime(exe_path))
atime = datetime.datetime.fromtimestamp(
os.path.getatime(exe_path))
md5 = process_md5(unicode(exe_path))
sha1 = process_sha1(unicode(exe_path))
write_to_csv([
self.computer_name, 'processes',
unicode(pid), name,
unicode(exe_path), md5, sha1, ctime, mtime, atime
], csv_writer)
record_sha256_logs(self.output_dir + '_hash_processes' + self.rand_ext,
self.output_dir + '_sha256.log')
def _csv_firefox_history(self, fhistory):
with open(self.output_dir + '\\' + self.computer_name + '_firefox_history' + self.rand_ext, 'wb') as output:
csv_writer = get_csv_writer(output)
for time, url, user, profile in fhistory:
write_to_csv([self.computer_name, 'firefox_history', time, url, user, profile], csv_writer)
record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_firefox_history' + self.rand_ext,
self.output_dir + '\\' + self.computer_name + '_sha256.log')
def csv_clipboard(self):
"""Exports the clipboard contents"""
# TODO : what happens if clipboard contents is a CSV string ?
self.logger.info('Getting clipboard contents')
with open(self.output_dir + '\\' + self.computer_name + '_clipboard.csv', 'wb') as output:
csv_writer = get_csv_writer(output)
write_to_csv(["COMPUTER_NAME", "TYPE", "DATA"], csv_writer)
try:
r = Tk() # Using Tk instead because it supports exotic characters
data = r.selection_get(selection='CLIPBOARD')
r.destroy()
write_to_csv([self.computer_name, 'clipboard', unicode(data)], csv_writer)
except:
r.destroy()
win32clipboard.OpenClipboard()
clip = win32clipboard.EnumClipboardFormats(0)
while clip:
try:
format_name = win32clipboard.GetClipboardFormatName(clip)
except win32api.error:
format_name = "?"
self.logger.info('format ' + unicode(clip) + ' ' + unicode(format_name))
if clip == 15: # 15 seems to be a list of filenames
filenames = win32clipboard.GetClipboardData(clip)
for filename in filenames:
write_to_csv([self.computer_name, 'clipboard', filename], csv_writer)
clip = win32clipboard.EnumClipboardFormats(clip)
win32clipboard.CloseClipboard()
record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_clipboard.csv',
self.output_dir + '\\' + self.computer_name + '_sha256.log')
def _csv_windows_prefetch(self, wpref):
with open(
self.output_dir + self.computer_name + '_prefetch' +
self.rand_ext, 'wb') as output:
csv_writer = get_csv_writer(output)
write_to_csv(
("COMPUTER_NAME", "TYPE", "FILE", "VERSION", "SIZE",
"EXEC_NAME", "CREATE_TIME", "MODIFICATION_TIME", "RUN_COUNT",
"START_TIME", "DURATION", "AVERAGE_DURATION", "DLL_LIST"),
csv_writer)
for pref_file, format_version, file_size, exec_name, tc, tm, run_count, hash_table_a, list_str_c in wpref:
str_c = ''
for s in list_str_c:
str_c += s.replace('\0', '') + ';'
write_to_csv([
self.computer_name, 'prefetch', pref_file,
unicode(format_version),
unicode(file_size),
exec_name.replace('\00', ''),
unicode(tc),
unicode(tm),
unicode(run_count),
unicode(hash_table_a['start_time']),
unicode(hash_table_a['duration']),
unicode(hash_table_a['average_duration']), str_c
], csv_writer)
record_sha256_logs(
self.output_dir + self.computer_name + '_prefetch' + self.rand_ext,
self.output_dir + self.computer_name + '_sha256.log')
def csv_shell_bags(self):
"""
Extracts shellbags: size, view, icon and position of graphical windows
In particular, executed graphical programs will leave a key here
"""
self.logger.info("Extracting shell bags")
paths = [
r"Software\Microsoft\Windows\Shell\Bags",
r"Software\Microsoft\Windows\Shell\BagMRU"
]
paths_usrclass = [
r"Local Settings\Software\Microsoft\Windows\Shell\Bags",
r"Local Settings\Software\Microsoft\Windows\Shell\BagMRU"
]
hive_list = []
for path in paths:
hive_list += self._get_list_from_registry_key(
registry_obj.HKEY_USERS, path)
for path in paths_usrclass:
hive_list += self._get_list_from_registry_key(
registry_obj.HKEY_USERS, path, is_usrclass=True)
to_csv_list = [
("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH",
"ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA")
]
for item in hive_list:
if "ItemPos" in item[VALUE_NAME]:
try:
data = decode_shellbag_itempos_data(item[VALUE_DATA])
except IndexError:
self.logger.error("Error in shellbag data format for " +
item[VALUE_NAME])
data = None
if data:
if item[KEY_VALUE_STR] == "VALUE":
for data in data:
for d in data:
to_csv_list.append(
(self.computer_name, "shellbags",
item[VALUE_LAST_WRITE_TIME], "HKEY_USERS",
item[VALUE_PATH], item[VALUE_NAME],
item[KEY_VALUE_STR],
registry_obj.get_str_type(
item[VALUE_TYPE]), d))
else:
if item[KEY_VALUE_STR] == "VALUE":
to_csv_list.append(
(self.computer_name, "shellbags",
item[VALUE_LAST_WRITE_TIME], "HKEY_USERS",
item[VALUE_PATH], item[VALUE_NAME],
item[KEY_VALUE_STR],
registry_obj.get_str_type(item[VALUE_TYPE]),
item[VALUE_DATA]))
with open(
self.output_dir + "\\" + self.computer_name + "_shellbags" +
self.rand_ext, "wb") as output:
csv_writer = get_csv_writer(output)
write_list_to_csv(to_csv_list, csv_writer)
def _csv_list_route_table(self, routes):
self.logger.info('Health : Listing routes tables')
with open(self.output_dir + "_routes_tables.csv", 'ab') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(["COMPUTER_NAME", "TYPE", "NAME", "MASK"], csv_writer)
for ip, mask in routes:
write_to_csv([self.computer_name, 'routes_tables', unicode(ip), unicode(mask)], csv_writer)
record_sha256_logs(self.output_dir + '_routes_tables.csv', self.output_dir + '_sha256.log')
def _csv_list_sessions(self, sessions):
with open(self.output_dir + '_sessions.csv', 'ab') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(["COMPUTER_NAME", "TYPE", "LOGON_ID", "AUTH_PACKAGE", "START_TIME", "LOGON_TYPE"], csv_writer)
for logonID, authenticationPackage, startime, logontype in sessions:
write_to_csv([self.computer_name, 'sessions', unicode(logonID),
authenticationPackage, unicode(startime.split('.')[0]), unicode(logontype)], csv_writer)
record_sha256_logs(self.output_dir + '_sessions.csv', self.output_dir + '_sha256.log')
def _csv_list_network_drives(self, drives):
self.logger.info("Health : Listing network drives")
with open(self.output_dir + '_list_networks_drives.csv', 'wb') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(["COMPUTER_NAME", "TYPE", "DISK", "FILESYSTEM", "PARTITION_NAME"], csv_writer)
for diskCapt, diskFs, diskPName in drives:
write_to_csv([self.computer_name, 'list_networks_drives', diskCapt, diskFs, diskPName], csv_writer)
record_sha256_logs(self.output_dir + '_list_networks_drives.csv', self.output_dir + '_sha256.log')
def _csv_list_drives(self, drives):
self.logger.info("Health : Listing drives")
with open(self.output_dir + '_list_drives.csv', 'wb') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(["COMPUTER_NAME", "TYPE", "FAB", "PARTITIONS", "DISK", "FILESYSTEM"], csv_writer)
for phCapt, partCapt, logicalCapt, fs in drives:
write_to_csv([self.computer_name, 'list_drives', phCapt, partCapt, logicalCapt, fs], csv_writer)
record_sha256_logs(self.output_dir + '_list_drives.csv', self.output_dir + '_sha256.log')
def _csv_list_share(self, share):
self.logger.info("Health : Listing shares")
with open(self.output_dir + '_shares.csv', 'wb') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(["COMPUTER_NAME", "TYPE", "SHARE_NAME", "SHARE_PATH"], csv_writer)
for name, path in share:
write_to_csv([self.computer_name, 'shares', name, path], csv_writer)
record_sha256_logs(self.output_dir + '_shares.csv', self.output_dir + '_sha256.log')
def _csv_list_network_drives(self, drives):
self.logger.info("Health : Listing network drives")
with open(self.output_dir + '%s_list_networks_drives' % self.computer_name + self.rand_ext, 'wb') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(["COMPUTER_NAME", "TYPE", "DISK", "FILESYSTEM", "PARTITION_NAME"], csv_writer)
for diskCapt, diskFs, diskPName in drives:
write_to_csv([self.computer_name, 'list_networks_drives', diskCapt, diskFs, diskPName], csv_writer)
record_sha256_logs(self.output_dir + '_list_networks_drives' + self.rand_ext, self.output_dir + '_sha256.log')
def _csv_list_route_table(self, routes):
self.logger.info('Health : Listing routes tables')
with open(self.output_dir + '_routes_tables' + self.rand_ext, 'ab') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(["COMPUTER_NAME", "TYPE", "NAME", "MASK"], csv_writer)
for ip, mask in routes:
write_to_csv([self.computer_name, 'routes_tables', unicode(ip), unicode(mask)], csv_writer)
record_sha256_logs(self.output_dir + '_routes_tables' + self.rand_ext, self.output_dir + '_sha256.log')
def _csv_list_share(self, share):
self.logger.info("Health : Listing shares")
with open(self.output_dir + '_shares' + self.rand_ext, 'wb') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(["COMPUTER_NAME", "TYPE", "SHARE_NAME", "SHARE_PATH"], csv_writer)
for name, path in share:
write_to_csv([self.computer_name, 'shares', name, path], csv_writer)
record_sha256_logs(self.output_dir + '_shares' + self.rand_ext, self.output_dir + '_sha256.log')
def _csv_list_drives(self, drives):
self.logger.info("Health : Listing drives")
with open(self.output_dir + '%s_list_drives' % self.computer_name + self.rand_ext, 'wb') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(["COMPUTER_NAME", "TYPE", "FAB", "PARTITIONS", "DISK", "FILESYSTEM"], csv_writer)
for phCapt, partCapt, logicalCapt, fs in drives:
write_to_csv([self.computer_name, 'list_drives', phCapt, partCapt, logicalCapt, fs], csv_writer)
record_sha256_logs(self.output_dir + '_list_drives' + self.rand_ext, self.output_dir + '_sha256.log')
def csv_custom_registry_keys(self):
with open(self.output_dir + "\\" + self.computer_name + "_custom_registry_keys" + self.rand_ext,
"wb") as output:
csv_writer = get_csv_writer(output)
to_csv_list = self.__get_custom_registry_keys()
if to_csv_list:
write_list_to_csv(to_csv_list, csv_writer)
def _csv_chrome_history(self, chistory):
with open(self.output_dir + '\\' + self.computer_name + '_chrome_history' + self.rand_ext, 'wb') as output:
csv_writer = get_csv_writer(output)
write_to_csv(("COMPUTER_NAME", "TYPE", "TIME", "URL", "TITLE", "USER", "PROFILE"), csv_writer)
for time, url, title, user, profile in chistory:
write_to_csv([self.computer_name, 'chrome_history', time, url, title, user, profile], csv_writer)
record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_chrome_history' + self.rand_ext,
self.output_dir + '\\' + self.computer_name + '_sha256.log')
def _csv_list_named_pipes(self, pipes):
with open(self.output_dir + '\\' + self.computer_name + '_named_pipes' + self.rand_ext, 'wb') as output:
csv_writer = get_csv_writer(output)
write_to_csv(("COMPUTER_NAME", "TYPE", "NAME"), csv_writer)
for pipe in pipes:
write_to_csv([self.computer_name, 'named_pipes', pipe], csv_writer)
record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_named_pipes' + self.rand_ext,
self.output_dir + '\\' + self.computer_name + '_sha256.log')
def _csv_networks_list(self, key):
with open(os.path.join(self.output_dir, '%s_network_list_%s' % (self.computer_name, self.rand_ext)),
'wb') as output:
csv_writer = get_csv_writer(output)
network_list_result = self._get_network_list(key)
arr_data = [v.values() for v in network_list_result.values()]
arr_data.insert(0, network_list_result.values()[0].keys())
write_list_to_csv(arr_data, csv_writer)
def _csv_list_kb(self, kbs):
with open(self.output_dir + '_kb.csv', 'ab') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(["COMPUTER_NAME", "TYPE", "CAPTION", "CS_NAME", "FIX_COMMENTS", "HOTFIX_ID", "INSTALL_DATE",
"INSTALLED_ON", "NAME", "SERVICE_PACK", "STATUS"], csv_writer)
for Caption, CSName, FixComments, HotFixID, InstallDate, InstalledOn, Name, ServicePackInEffect, Status in kbs:
write_to_csv(
[self.computer_name, 'kb', Caption, CSName, FixComments, HotFixID, InstallDate, InstalledOn, Name,
ServicePackInEffect, Status], csv_writer)
def _csv_user_assist(self, count_offset, is_win7_or_further):
"""
Extracts information from UserAssist registry key which contains information about executed programs
The count offset is for Windows versions before 7, where it would start at 6
"""
self.logger.info("Extracting user assist")
path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\\UserAssist"
count = "\Count"
# logged on users
users = registry_obj.RegistryKey(registry_obj.HKEY_USERS)
hive_list = []
for i in xrange(users.get_number_of_sub_keys()):
user = users.get_sub_key(i)
user_assist_key = user.get_sub_key_by_path(path)
if user_assist_key:
for j in xrange(user_assist_key.get_number_of_sub_keys()):
# getting Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\*\Count
path_no_sid = "\\".join(user_assist_key.get_sub_key(j).get_path().split("\\")[1:])
hive_list += self._get_list_from_registry_key(registry_obj.HKEY_USERS, path_no_sid + count)
if is_win7_or_further:
to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
"ATTR_TYPE", "ATTR_DATA", "DATA_SESSION", "DATA_COUNT", "DATA_FOCUS", "DATA_LAST_EXEC")]
else:
to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
"ATTR_TYPE", "ATTR_DATA", "DATA_SESSION", "DATA_COUNT", "DATA_LAST_EXEC")]
for item in hive_list:
if item[KEY_VALUE_STR] == "VALUE":
str_value_name = codecs.decode(item[VALUE_NAME], "rot_13")
str_value_datatmp = item[VALUE_DATA]
# some data are less than 16 bytes for some reason...
if len(str_value_datatmp) < 16:
to_csv_list.append((self.computer_name,
"userassist",
item[VALUE_LAST_WRITE_TIME],
"HKEY_USERS",
item[VALUE_PATH],
item[VALUE_NAME],
item[KEY_VALUE_STR],
registry_obj.get_str_type(item[VALUE_TYPE]),
str_value_name))
else:
if is_win7_or_further:
data = csv_user_assist_value_decode_win7_and_after(str_value_datatmp, count_offset)
else:
data = csv_user_assist_value_decode_before_win7(str_value_datatmp, count_offset)
to_csv_list.append((self.computer_name,
"user_assist",
item[VALUE_LAST_WRITE_TIME],
"HKEY_USERS",
item[VALUE_PATH],
item[VALUE_NAME],
item[KEY_VALUE_STR],
registry_obj.get_str_type(item[VALUE_TYPE]),
str_value_name) + tuple(data))
with open(self.output_dir + "\\" + self.computer_name + "_user_assist.csv", "wb") as output:
csv_writer = get_csv_writer(output)
write_list_to_csv(to_csv_list, csv_writer)
def _csv_user_assist(self, count_offset, is_win7_or_further):
"""
Extracts information from UserAssist registry key which contains information about executed programs
The count offset is for Windows versions before 7, where it would start at 6
"""
self.logger.info("Extracting user assist")
path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\\UserAssist"
count = "\Count"
# logged on users
users = registry_obj.RegistryKey(registry_obj.HKEY_USERS)
hive_list = []
for i in xrange(users.get_number_of_sub_keys()):
user = users.get_sub_key(i)
user_assist_key = user.get_sub_key_by_path(path)
if user_assist_key:
for j in xrange(user_assist_key.get_number_of_sub_keys()):
# getting Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\*\Count
path_no_sid = "\\".join(user_assist_key.get_sub_key(j).get_path().split("\\")[1:])
hive_list += self._get_list_from_registry_key(registry_obj.HKEY_USERS, path_no_sid + count)
if is_win7_or_further:
to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
"ATTR_TYPE", "ATTR_DATA", "DATA_SESSION", "DATA_COUNT", "DATA_FOCUS", "DATA_LAST_EXEC")]
else:
to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
"ATTR_TYPE", "ATTR_DATA", "DATA_SESSION", "DATA_COUNT", "DATA_LAST_EXEC")]
for item in hive_list:
if item[KEY_VALUE_STR] == "VALUE":
str_value_name = codecs.decode(item[VALUE_NAME], "rot_13")
str_value_datatmp = item[VALUE_DATA]
# some data are less than 16 bytes for some reason...
if len(str_value_datatmp) < 16:
to_csv_list.append((self.computer_name,
"userassist",
item[VALUE_LAST_WRITE_TIME],
"HKEY_USERS",
item[VALUE_PATH],
item[VALUE_NAME],
item[KEY_VALUE_STR],
registry_obj.get_str_type(item[VALUE_TYPE]),
str_value_name))
else:
if is_win7_or_further:
data = csv_user_assist_value_decode_win7_and_after(str_value_datatmp, count_offset)
else:
data = csv_user_assist_value_decode_before_win7(str_value_datatmp, count_offset)
to_csv_list.append((self.computer_name,
"user_assist",
item[VALUE_LAST_WRITE_TIME],
"HKEY_USERS",
item[VALUE_PATH],
item[VALUE_NAME],
item[KEY_VALUE_STR],
registry_obj.get_str_type(item[VALUE_TYPE]),
str_value_name) + tuple(data))
with open(self.output_dir + "\\" + self.computer_name + "_user_assist" + self.rand_ext, "wb") as output:
csv_writer = get_csv_writer(output)
write_list_to_csv(to_csv_list, csv_writer)
def _csv_list_sessions(self, sessions):
self.logger.info('Health : Listing sessions')
with open(self.output_dir + '_sessions.csv', 'ab') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(["COMPUTER_NAME", "TYPE", "LOGON_ID", "AUTH_PACKAGE", "START_TIME", "LOGON_TYPE"], csv_writer)
for logonID, authenticationPackage, startime, logontype in sessions:
write_to_csv([self.computer_name, 'sessions', unicode(logonID),
authenticationPackage, unicode(startime.split('.')[0]), unicode(logontype)], csv_writer)
record_sha256_logs(self.output_dir + '_sessions.csv', self.output_dir + '_sha256.log')
def csv_registry_services(self):
"""Extracts services"""
path = r"System\CurrentControlSet\Services"
to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
"ATTR_TYPE", "ATTR_DATA")]
self._generate_hklm_csv_list(to_csv_list, "registry_services", path)
with open(self.output_dir + "\\" + self.computer_name + "_registry_services.csv", "wb") as output:
csv_writer = get_csv_writer(output)
write_list_to_csv(to_csv_list, csv_writer)
def csv_clipboard(self):
"""Exports the clipboard contents"""
# TODO : what happens if clipboard contents is a CSV string ?
with open(self.output_dir + '\\' + self.computer_name + '_clipboard' + self.rand_ext, 'wb') as output:
csv_writer = get_csv_writer(output)
write_list_to_csv(self.__get_clipboard(), csv_writer)
record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_clipboard' + self.rand_ext,
self.output_dir + '\\' + self.computer_name + '_sha256.log')
def csv_startup_programs(self):
"""Extracts programs running at startup from various keys"""
self.logger.info("Extracting startup programs")
software = "Software"
wow = r"\Wow6432Node"
ts_run = (
r"\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software"
r"\Microsoft\Windows\CurrentVersion\Run")
ts_run_once = (
r"\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software"
r"\Microsoft\Windows\CurrentVersion\RunOnce")
paths = [
r"\Microsoft\Windows\CurrentVersion\Run",
r"\Microsoft\Windows\CurrentVersion\RunOnce",
r"\Microsoft\Windows\CurrentVersion\RunOnceEx",
r"\Microsoft\Windows\CurrentVersion\RunServices",
r"\Microsoft\Windows\CurrentVersion\RunServicesOnce",
r"\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", ts_run,
ts_run_once
]
to_csv_list = [
("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH",
"ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA")
]
for path in paths:
full_path = software + path
self._generate_hklm_csv_list(to_csv_list, "startup", full_path)
full_path = software + wow + path
self._generate_hklm_csv_list(to_csv_list, "startup", full_path)
paths = [
r"\Microsoft\Windows\CurrentVersion\Run",
r"\Microsoft\Windows\CurrentVersion\RunOnce",
r"\Microsoft\Windows\CurrentVersion\RunOnceEx",
r"\Microsoft\Windows\CurrentVersion\RunServices",
r"\Microsoft\Windows\CurrentVersion\RunServicesOnce",
r"\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", ts_run,
ts_run_once
]
for path in paths:
full_path = software + path
self._generate_hku_csv_list(to_csv_list, "startup", full_path)
full_path = software + wow + path
self._generate_hku_csv_list(to_csv_list, "startup", full_path)
if self.get_autoruns:
to_csv_list = self._get_files_and_hashes(to_csv_list[1:])
to_csv_list.insert(
0, ("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE",
"KEY_PATH", "ATTR_NAME", "REG_TYPE", "ATTR_TYPE",
"ATTR_DATA", "MD5", "SHA1", "SHA256"))
with open(
self.output_dir + "\\" + self.computer_name + "_startup" +
self.rand_ext, "wb") as output:
csv_writer = get_csv_writer(output)
write_list_to_csv(to_csv_list, csv_writer)
def _csv_all_modules_opened_files(self):
with open(self.output_dir + '\\' + self.computer_name + '_processes_opened_files' + self.rand_ext,
'wb') as output:
csv_writer = get_csv_writer(output)
write_list_to_csv(self.__get_all_modules_opened_files(), csv_writer)
record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_processes_opened_files' + self.rand_ext,
self.output_dir + '\\' + self.computer_name + '_sha256.log')
def csv_run_mru_start(self):
"""Extracts run MRU, containing the last 26 oommands executed using the RUN command"""
self.logger.info("Extracting Run MRU")
path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
"ATTR_TYPE", "ATTR_DATA")]
self._generate_hku_csv_list(to_csv_list, "run_MRU_start", path)
with open(self.output_dir + "\\" + self.computer_name + "_run_MRU_start" + self.rand_ext, "wb") as output:
csv_writer = get_csv_writer(output)
write_list_to_csv(to_csv_list, csv_writer)
def csv_installer_folder(self):
"""Extracts information about folders which are created at installation"""
self.logger.info("Extracting installer folders")
path = r"Software\Microsoft\Windows\CurrentVersion\Installer\Folders"
to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
"ATTR_TYPE", "ATTR_DATA")]
self._generate_hklm_csv_list(to_csv_list, "installer_folder", path)
with open(self.output_dir + "\\" + self.computer_name + "_installer_folder" + self.rand_ext, "wb") as output:
csv_writer = get_csv_writer(output)
write_list_to_csv(to_csv_list, csv_writer)
def csv_run_mru_start(self):
"""Extracts run MRU, containing the last 26 oommands executed using the RUN command"""
self.logger.info("Extracting Run MRU")
path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
"ATTR_TYPE", "ATTR_DATA")]
self._generate_hku_csv_list(to_csv_list, "run_MRU_start", path)
with open(self.output_dir + "\\" + self.computer_name + "_run_MRU_start.csv", "wb") as output:
csv_writer = get_csv_writer(output)
write_list_to_csv(to_csv_list, csv_writer)
def csv_installer_folder(self):
"""Extracts information about folders which are created at installation"""
self.logger.info("Extracting installer folders")
path = r"Software\Microsoft\Windows\CurrentVersion\Installer\Folders"
to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
"ATTR_TYPE", "ATTR_DATA")]
self._generate_hklm_csv_list(to_csv_list, "installer_folder", path)
with open(self.output_dir + "\\" + self.computer_name + "_installer_folder.csv", "wb") as output:
csv_writer = get_csv_writer(output)
write_list_to_csv(to_csv_list, csv_writer)
def csv_registry_services(self):
"""Extracts services"""
self.logger.info("Extracting services")
path = r"System\CurrentControlSet\Services"
to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
"ATTR_TYPE", "ATTR_DATA")]
self._generate_hklm_csv_list(to_csv_list, "registry_services", path)
with open(self.output_dir + "\\" + self.computer_name + "_registry_services.csv", "wb") as output:
csv_writer = get_csv_writer(output)
write_list_to_csv(to_csv_list, csv_writer)
def _csv_list_kb(self, kbs):
self.logger.info('Health : Listing KB installed on computer')
with open(self.output_dir + '_kb.csv', 'ab') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(["COMPUTER_NAME", "TYPE", "CAPTION", "CS_NAME", "FIX_COMMENTS", "HOTFIX_ID", "INSTALL_DATE",
"INSTALLED_ON", "NAME", "SERVICE_PACK", "STATUS"], csv_writer)
for Caption, CSName, FixComments, HotFixID, InstallDate, InstalledOn, Name, ServicePackInEffect, Status in kbs:
write_to_csv(
[self.computer_name, 'kb', Caption, CSName, FixComments, HotFixID, InstallDate, InstalledOn, Name,
ServicePackInEffect, Status], csv_writer)
def _csv_infos_fs(self, files):
with open(self.output_dir + '\\' + self.computer_name + '_Filecatcher' + self.rand_ext, 'wb') as fw:
csv_writer = get_csv_writer(fw)
for f, mime, md5,sha1,sha256, zip_value, datem, empty in files:
write_to_csv([self.computer_name, 'Filecatcher', unicode(datem),
unicode(f), unicode(md5), unicode(sha1), unicode(sha256), unicode(mime),
unicode(zip_value), unicode(empty), self._get_url_VT(sha256)], csv_writer)
record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_Filecatcher' + self.rand_ext,
self.output_dir + '\\' + self.computer_name + '_sha256.log')
self.zip_file.close()
def _csv_list_sockets_network(self, connections):
with open(self.output_dir + '_sockets.csv', 'ab') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(["COMPUTER_NAME", "TYPE", "PID", "PROCESS_NAME", "LOCAL_ADDR", "SOURCE_PORT", "REMOTE_ADDR",
"REMOTE_PORT", "STATUS"], csv_writer)
for pid, name, local_address, source_port, remote_addr, remote_port, status in connections:
write_to_csv([self.computer_name, 'sockets', unicode(pid),
unicode(name), unicode(local_address), unicode(source_port),
unicode(remote_addr), unicode(remote_port), unicode(status)], csv_writer)
record_sha256_logs(self.output_dir + '_sockets.csv', self.output_dir + '_sha256.log')
def _csv_list_services(self, services):
with open(self.output_dir + '_services.csv', 'ab') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(["COMPUTER_NAME", "TYPE", "CAPTION", "PID", "SERVICE_TYPE", "PATH_NAME", "STATUS", "STATE",
"START_MODE"], csv_writer)
for name, caption, processId, pathName, serviceType, status, state, startMode in services:
write_to_csv([self.computer_name, 'services', caption,
unicode(processId), serviceType, pathName,
unicode(status), state, startMode], csv_writer)
record_sha256_logs(self.output_dir + '_services.csv', self.output_dir + '_sha256.log')
def _csv_all_modules_dll(self):
with open(
self.output_dir + self.computer_name + '_processes_dll' +
self.rand_ext, 'wb') as output:
csv_writer = get_csv_writer(output)
write_list_to_csv(self.__get_all_modules_dll(), csv_writer)
record_sha256_logs(
self.output_dir + self.computer_name + '_processes_dll' +
self.rand_ext,
self.output_dir + self.computer_name + '_sha256.log')
def _csv_all_modules_opened_files(self):
"""Outputs all processes and their opened files in a csv"""
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
pe32 = PROCESSENTRY32()
pe32.dwSize = sizeof(PROCESSENTRY32)
ret = Process32First(hProcessSnap, pointer(pe32))
with open(
self.output_dir + '\\' + self.computer_name +
'_processes_opened_files' + self.rand_ext, 'wb') as output:
csv_writer = get_csv_writer(output)
write_to_csv(
["COMPUTER_NAME", "TYPE", "PID", "PROCESS_NAME", "FILENAME"],
csv_writer)
while ret:
try:
p = psutil.Process(pe32.th32ProcessID)
process_name = p.name()
self.logger.info('Getting opened files for : ' +
process_name + '(' +
unicode(pe32.th32ProcessID) + ')')
# We need open a subprocess because get_open_files may hang forever
q = Queue()
process = Process(target=timer_open_files, args=(
p,
q,
))
process.start()
# We wait for 2 seconds
process.join(2)
if process.is_alive():
# If the subprocess is still alive, assume it is hanged and kill it
q.close()
process.terminate()
else:
# Otherwise, continue normal processing
opened_files = q.get()
if isinstance(opened_files, list):
for opened_file in opened_files:
write_to_csv([
self.computer_name,
'processes_opened_files',
unicode(pe32.th32ProcessID), process_name,
opened_file[0]
], csv_writer)
except psutil.AccessDenied:
self.logger.warn('Could not open handle for PID : ' +
unicode(pe32.th32ProcessID))
ret = Process32Next(hProcessSnap, pointer(pe32))
record_sha256_logs(
self.output_dir + '\\' + self.computer_name +
'_processes_opened_files' + self.rand_ext,
self.output_dir + '\\' + self.computer_name + '_sha256.log')
def _csv_list_sockets_network(self, connections):
self.logger.info('Health : Listing sockets networks')
with open(self.output_dir + '_sockets.csv', 'ab') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(["COMPUTER_NAME", "TYPE", "PID", "PROCESS_NAME", "LOCAL_ADDR", "SOURCE_PORT", "REMOTE_ADDR",
"REMOTE_PORT", "STATUS"], csv_writer)
for pid, name, local_address, source_port, remote_addr, remote_port, status in connections:
write_to_csv([self.computer_name, 'sockets', unicode(pid),
unicode(name), unicode(local_address), unicode(source_port),
unicode(remote_addr), unicode(remote_port), unicode(status)], csv_writer)
record_sha256_logs(self.output_dir + '_sockets.csv', self.output_dir + '_sha256.log')
def _csv_list_services(self, services):
self.logger.info('Health : Listing services')
with open(self.output_dir + '_services.csv', 'ab') as fw:
csv_writer = get_csv_writer(fw)
write_to_csv(["COMPUTER_NAME", "TYPE", "CAPTION", "PID", "SERVICE_TYPE", "PATH_NAME", "STATUS", "STATE",
"START_MODE"], csv_writer)
for name, caption, processId, pathName, serviceType, status, state, startMode in services:
write_to_csv([self.computer_name, 'services', caption,
unicode(processId), serviceType, pathName,
unicode(status), state, startMode], csv_writer)
record_sha256_logs(self.output_dir + '_services.csv', self.output_dir + '_sha256.log')
def _csv_list_named_pipes(self, pipes):
with open(
self.output_dir + '\\' + self.computer_name +
'_named_pipes.csv', 'wb') as output:
csv_writer = get_csv_writer(output)
write_to_csv(("COMPUTER_NAME", "TYPE", "NAME"), csv_writer)
for pipe in pipes:
write_to_csv([self.computer_name, 'named_pipes', pipe],
csv_writer)
record_sha256_logs(
self.output_dir + '\\' + self.computer_name + '_named_pipes.csv',
self.output_dir + '\\' + self.computer_name + '_sha256.log')
def csv_clipboard(self):
"""Exports the clipboard contents"""
with open(
self.output_dir + self.computer_name + '_clipboard' +
self.rand_ext, 'wb') as output:
csv_writer = get_csv_writer(output)
write_list_to_csv(self.__get_clipboard(), csv_writer)
record_sha256_logs(
self.output_dir + self.computer_name + '_clipboard' +
self.rand_ext,
self.output_dir + self.computer_name + '_sha256.log')
def csv_shell_bags(self):
"""
Extracts shellbags: size, view, icon and position of graphical windows
In particular, executed graphical programs will leave a key here
"""
self.logger.info("Extracting shell bags")
paths = [r"Software\Microsoft\Windows\Shell\Bags",
r"Software\Microsoft\Windows\Shell\BagMRU"]
paths_usrclass = [r"Local Settings\Software\Microsoft\Windows\Shell\Bags",
r"Local Settings\Software\Microsoft\Windows\Shell\BagMRU"]
hive_list = []
for path in paths:
hive_list += self._get_list_from_registry_key(registry_obj.HKEY_USERS, path)
for path in paths_usrclass:
hive_list += self._get_list_from_registry_key(registry_obj.HKEY_USERS, path, is_usrclass=True)
to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
"ATTR_TYPE", "ATTR_DATA")]
for item in hive_list:
if "ItemPos" in item[VALUE_NAME]:
try:
data = decode_shellbag_itempos_data(item[VALUE_DATA])
except IndexError:
self.logger.error("Error in shellbag data format for " + item[VALUE_NAME])
data = None
if data:
if item[KEY_VALUE_STR] == "VALUE":
for data in data:
for d in data:
to_csv_list.append((self.computer_name,
"shellbags",
item[VALUE_LAST_WRITE_TIME],
"HKEY_USERS",
item[VALUE_PATH],
item[VALUE_NAME],
item[KEY_VALUE_STR],
registry_obj.get_str_type(item[VALUE_TYPE]),
d))
else:
if item[KEY_VALUE_STR] == "VALUE":
to_csv_list.append((self.computer_name,
"shellbags",
item[VALUE_LAST_WRITE_TIME],
"HKEY_USERS",
item[VALUE_PATH],
item[VALUE_NAME],
item[KEY_VALUE_STR],
registry_obj.get_str_type(item[VALUE_TYPE]),
item[VALUE_DATA]))
with open(self.output_dir + "\\" + self.computer_name + "_shellbags" + self.rand_ext, "wb") as output:
csv_writer = get_csv_writer(output)
write_list_to_csv(to_csv_list, csv_writer)
def csv_windows_values(self):
"""
Extracts windows values, in particular AppInit_DLLs, where any DLL specified here will be loaded by any
application
"""
path = r"Software\Microsoft\Windows NT\CurrentVersion\Windows"
to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
"ATTR_TYPE", "ATTR_DATA")]
self._generate_hklm_csv_list(to_csv_list, "windows_values", path)
self._generate_hku_csv_list(to_csv_list, "windows_values", path)
with open(self.output_dir + "\\" + self.computer_name + "_windows_values.csv", "wb") as output:
csv_writer = get_csv_writer(output)
write_list_to_csv(to_csv_list, csv_writer)