def csv_recent_docs(self): """Extracts information about recently opened files saved location and opened date""" self.logger.info("Extracting recent docs") path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" hive_list = self._get_list_from_registry_key(registry_obj.HKEY_USERS, path) to_csv_list = [ ("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA") ] for item in hive_list: if item[KEY_VALUE_STR] == "VALUE": if item[VALUE_NAME] != "MRUListEx": values_decoded = decode_recent_docs_mru(item[VALUE_DATA]) for value_decoded in values_decoded: to_csv_list.append( (self.computer_name, "recent_docs", item[VALUE_LAST_WRITE_TIME], "HKEY_USERS", item[VALUE_PATH], item[VALUE_NAME], item[KEY_VALUE_STR], registry_obj.get_str_type(item[VALUE_TYPE]), value_decoded)) with open( self.output_dir + "\\" + self.computer_name + "_recent_docs" + self.rand_ext, "wb") as output: csv_writer = get_csv_writer(output) write_list_to_csv(to_csv_list, csv_writer)
def csv_clipboard(self): """Exports the clipboard contents""" # TODO : what happens if clipboard contents is a CSV string ? self.logger.info('Getting clipboard contents') with open(self.output_dir + '\\' + self.computer_name + '_clipboard.csv', 'wb') as output: csv_writer = get_csv_writer(output) write_to_csv(["COMPUTER_NAME", "TYPE", "DATA"], csv_writer) r = None #initialize the local variable r try: r = Tk() # Using Tk instead because it supports exotic characters data = r.selection_get(selection='CLIPBOARD') r.destroy() write_to_csv([self.computer_name, 'clipboard', unicode(data)], csv_writer) except: if r != None: # Verify that r exist before calling destroy r.destroy() win32clipboard.OpenClipboard() clip = win32clipboard.EnumClipboardFormats(0) while clip: try: format_name = win32clipboard.GetClipboardFormatName(clip) except win32api.error: format_name = "?" self.logger.info('format ' + unicode(clip) + ' ' + unicode(format_name)) if clip == 15: # 15 seems to be a list of filenames filenames = win32clipboard.GetClipboardData(clip) for filename in filenames: write_to_csv([self.computer_name, 'clipboard', filename], csv_writer) clip = win32clipboard.EnumClipboardFormats(clip) win32clipboard.CloseClipboard() record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_clipboard.csv', self.output_dir + '\\' + self.computer_name + '_sha256.log')
def _csv_open_save_mru(self, str_opensave_mru): """Extracts OpenSaveMRU containing information about files selected in the Open and Save view""" # TODO : Win XP self.logger.info("Extracting open save MRU") hive_list = self._get_list_from_registry_key(registry_obj.HKEY_USERS, str_opensave_mru) to_csv_list = [ ("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA") ] for item in hive_list: if item[KEY_VALUE_STR] == 'VALUE': if item[VALUE_NAME] != "MRUListEx": pidl = shell.StringAsPIDL(item[VALUE_DATA]) path = shell.SHGetPathFromIDList(pidl) to_csv_list.append( (self.computer_name, "opensaveMRU", item[VALUE_LAST_WRITE_TIME], "HKEY_USERS", item[VALUE_PATH], item[VALUE_NAME], item[KEY_VALUE_STR], registry_obj.get_str_type(item[VALUE_TYPE]), path)) with open( self.output_dir + "\\" + self.computer_name + "_opensaveMRU" + self.rand_ext, "wb") as output: csv_writer = get_csv_writer(output) write_list_to_csv(to_csv_list, csv_writer)
def _csv_list_running_process(self, list_running): self.logger.info("Health : Listing running processes") with open( self.output_dir + '%s_processes' % self.computer_name + self.rand_ext, 'ab') as fw: csv_writer = get_csv_writer(fw) write_to_csv([ "COMPUTER_NAME", "TYPE", "PID", "PROCESS_NAME", "COMMAND", "EXEC_PATH" ], csv_writer) for p in list_running: pid = p[0] name = p[1] cmd = p[2] exe_path = p[3] write_to_csv([ self.computer_name, 'processes', unicode(pid), name, unicode(cmd), unicode(exe_path) ], csv_writer) record_sha256_logs( self.output_dir + self.computer_name + '_processes' + self.rand_ext, self.output_dir + self.computer_name + '_sha256.log')
def _csv_event_logs(self, is_win_xp): """Prints the event logs in a csv, the called method is different for WinXP and lower""" server = None # name of the target computer to get event logs, None to get logs from current computer with open(self.output_dir + '\\' + self.computer_name + '_evts.csv', 'wb') as fw: csv_writer = get_csv_writer(fw) if is_win_xp: for eventCategory, sourceName, eventID, eventType, date, log in self._list_evt_xp(server, 'Security'): write_to_csv([self.computer_name, 'Logs', 'Security', eventCategory, sourceName, eventID, eventType, date] + log, csv_writer) for eventCategory, sourceName, eventID, eventType, date, log in self._list_evt_xp(server, 'Application'): write_to_csv( [self.computer_name, 'Logs', 'Application', eventCategory, sourceName, eventID, eventType, date] + log, csv_writer) for eventCategory, sourceName, eventID, eventType, date, log in self._list_evt_xp(server, 'System'): write_to_csv([self.computer_name, 'Logs', 'System', eventCategory, sourceName, eventID, eventType, date] + log, csv_writer) else: # Exports everything from the event viewer evt_handle = win32evtlog.EvtOpenChannelEnum() os.mkdir(self.output_dir + r"\evt") while True: # opening channel for enumeration logtype = win32evtlog.EvtNextChannelPath(evt_handle) if logtype is None: break # fw.write('"Computer Name"|"Type"|"Date"|"logtype"|"log data"\n') self._list_evt_vista(server, logtype)
def _csv_list_drives(self, drives): with open(self.output_dir + '_list_drives.csv', 'wb') as fw: csv_writer = get_csv_writer(fw) write_to_csv(["COMPUTER_NAME", "TYPE", "FAB", "PARTITIONS", "DISK", "FILESYSTEM"], csv_writer) for phCapt, partCapt, logicalCapt, fs in drives: write_to_csv([self.computer_name, 'list_drives', phCapt, partCapt, logicalCapt, fs], csv_writer) record_sha256_logs(self.output_dir + '_list_drives.csv', self.output_dir + '_sha256.log')
def _csv_list_network_drives(self, drives): with open(self.output_dir + '_list_networks_drives.csv', 'wb') as fw: csv_writer = get_csv_writer(fw) write_to_csv(["COMPUTER_NAME", "TYPE", "DISK", "FILESYSTEM", "PARTITION_NAME"], csv_writer) for diskCapt, diskFs, diskPName in drives: write_to_csv([self.computer_name, 'list_networks_drives', diskCapt, diskFs, diskPName], csv_writer) record_sha256_logs(self.output_dir + '_list_networks_drives.csv', self.output_dir + '_sha256.log')
def _csv_list_share(self, share): with open(self.output_dir + '_shares.csv', 'wb') as fw: csv_writer = get_csv_writer(fw) write_to_csv(["COMPUTER_NAME", "TYPE", "SHARE_NAME", "SHARE_PATH"], csv_writer) for name, path in share: write_to_csv([self.computer_name, 'shares', name, path], csv_writer) record_sha256_logs(self.output_dir + '_shares.csv', self.output_dir + '_sha256.log')
def _csv_event_logs(self, is_win_xp): """Prints the event logs in a csv, the called method is different for WinXP and lower""" server = None # name of the target computer to get event logs, None to get logs from current computer with open(self.output_dir + '\\' + self.computer_name + '_evts' + self.rand_ext, 'wb') as fw: csv_writer = get_csv_writer(fw) write_to_csv(['COMPUTER', 'TYPE', 'SOURCE', 'CATEGORY', 'SOURCE NAME', 'ID', 'EVENT_TYPE', 'LOG'], csv_writer) if is_win_xp: for eventCategory, sourceName, eventID, eventType, date, log in self._list_evt_xp(server, 'Security'): write_to_csv([self.computer_name, 'Logs', 'Security', eventCategory, sourceName, eventID, eventType, date] + log, csv_writer) for eventCategory, sourceName, eventID, eventType, date, log in self._list_evt_xp(server, 'Application'): write_to_csv( [self.computer_name, 'Logs', 'Application', eventCategory, sourceName, eventID, eventType, date] + log, csv_writer) for eventCategory, sourceName, eventID, eventType, date, log in self._list_evt_xp(server, 'System'): write_to_csv([self.computer_name, 'Logs', 'System', eventCategory, sourceName, eventID, eventType, date] + log, csv_writer) else: # Exports everything from the event viewer evt_handle = win32evtlog.EvtOpenChannelEnum() os.mkdir(self.output_dir + r"\evt") while True: # opening channel for enumeration logtype = win32evtlog.EvtNextChannelPath(evt_handle) if logtype is None: break # fw.write('"Computer Name"|"Type"|"Date"|"logtype"|"log data"\n') self._list_evt_vista(server, logtype)
def _csv_list_scheduled_jobs(self): self.logger.info('Health : Listing scheduled jobs') file_tasks = self.output_dir + '_tasks.csv' with open(file_tasks, 'wb') as tasks_logs: proc = subprocess.Popen(["schtasks.exe", '/query', '/fo', 'CSV'], stdout=subprocess.PIPE, stderr=subprocess.PIPE) res = proc.communicate() res = get_terminal_decoded_string(res[0]) # clean and write the command output write_to_output('"TASK_NAME","NEXT_SCHEDULE","STATUS"\r\n', tasks_logs, self.logger) column_names = None for line in res.split('\r\n'): if line == "": continue if line[0] != '"': continue if not column_names: column_names = line continue elif column_names == line: continue write_to_output(line+"\r\n", tasks_logs, self.logger) self.logger.info('Health : Listing scheduled jobs') with open(file_tasks, "r") as fr, open(self.output_dir + "_scheduled_jobs.csv", 'wb') as fw: csv_writer = get_csv_writer(fw) write_to_csv(["COMPUTER_NAME", "TYPE", "JOB_NAME", "TIME", "STATE"], csv_writer) for l in fr.readlines(): l = l.decode('utf8') if l.find('\\') > 0: l = l[:-1].replace('"', '') # remove the end of line arr_write = [self.computer_name, 'scheduled_jobs'] + l.split(',') write_to_csv(arr_write, csv_writer) self.logger.info('Health : Listing scheduled jobs') record_sha256_logs(self.output_dir + '_scheduled_jobs.csv', self.output_dir + '_sha256.log')
def _csv_list_route_table(self, routes): with open(self.output_dir + "_routes_tables.csv", 'ab') as fw: csv_writer = get_csv_writer(fw) write_to_csv(["COMPUTER_NAME", "TYPE", "NAME", "MASK"], csv_writer) for ip, mask in routes: write_to_csv([self.computer_name, 'routes_tables', unicode(ip), unicode(mask)], csv_writer) record_sha256_logs(self.output_dir + '_routes_tables.csv', self.output_dir + '_sha256.log')
def csv_custom_registry_keys(self): """ Extracts custom registry keys, the user specifies whether it should be recursive or not. The list of registry keys to extract should be comma-separated """ if self.exec_custom_registry_keys: self.logger.info("Extracting custom registry keys") to_csv_list = [ ("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA")] for paths in reader([self.custom_registry_keys]): # used as a kind of unpack for path in paths: temp = path.split("\\") hive = temp[0].upper() path = "\\".join(temp[1:]) if hive in ("HKLM", "HKEY_LOCAL_MACHINE"): self._generate_hklm_csv_list(to_csv_list, "custom_registry_key", path, is_recursive=self.registry_recursive) elif hive in ("HKU", "HKEY_USERS"): self._generate_hku_csv_list(to_csv_list, "custom_registry_key", path, is_recursive=self.registry_recursive) else: # error self.logger.warn("Must specify HKLM/HKEY_LOCAL_MACHINE or HKU/HKEY_USERS as hive") return with open(self.output_dir + "\\" + self.computer_name + "_custom_registry_keys" + self.rand_ext, "wb") as output: csv_writer = get_csv_writer(output) write_list_to_csv(to_csv_list, csv_writer)
def _csv_all_modules_dll(self): """Outputs all processes and their opened dll in a csv""" hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0) pe32 = PROCESSENTRY32() pe32.dwSize = sizeof(PROCESSENTRY32) ret = Process32First(hProcessSnap, pointer(pe32)) with open( self.output_dir + '\\' + self.computer_name + '_processes_dll' + self.rand_ext, 'wb') as output: csv_writer = get_csv_writer(output) write_to_csv( ["COMPUTER_NAME", "TYPE", "PID", "PROCESS_NAME", "MODULE"], csv_writer) while ret: modules = self._GetProcessModules(pe32.th32ProcessID, False) if len(modules) > 0: process_name = modules.pop( 0) # first element is the name of the process for module in modules: write_to_csv([ self.computer_name, 'processes_dll', unicode(pe32.th32ProcessID), process_name, module ], csv_writer) ret = Process32Next(hProcessSnap, pointer(pe32)) record_sha256_logs( self.output_dir + '\\' + self.computer_name + '_processes_dll' + self.rand_ext, self.output_dir + '\\' + self.computer_name + '_sha256.log')
def _csv_networks_list(self, key): with open(os.path.join(self.output_dir,'%s_network_list_%s' % (self.computer_name, self.rand_ext)), 'wb') as output: csv_writer = get_csv_writer(output) network_list_result = self._get_network_list(key) arr_data = [v.values() for v in network_list_result.values()] arr_data.insert(0,network_list_result.values()[0].keys()) write_list_to_csv(arr_data, csv_writer)
def csv_custom_registry_keys(self): with open(self.output_dir + "\\" + self.computer_name + "_custom_registry_keys" + self.rand_ext, "wb") as output: csv_writer = get_csv_writer(output) to_csv_list = self.__get_custom_registry_keys() if to_csv_list: write_list_to_csv(to_csv_list, csv_writer)
def _csv_infos_fs(self, files): with open( self.output_dir + '\\' + self.computer_name + '_Filecatcher' + self.rand_ext, 'wb') as fw: csv_writer = get_csv_writer(fw) for f, mime, md5, sha1, sha256, zip_value, datem, empty in files: write_to_csv([ self.computer_name, 'Filecatcher', unicode(datem), unicode(f), unicode(md5), unicode(sha1), unicode(sha256), unicode(mime), unicode(zip_value), unicode(empty), self._get_url_VT(sha256) ], csv_writer) record_sha256_logs( self.output_dir + '\\' + self.computer_name + '_Filecatcher' + self.rand_ext, self.output_dir + '\\' + self.computer_name + '_sha256.log') if self.zip_file: self.zip_file.close()
def _csv_hash_running_process(self, list_running): self.logger.info("Health : Hashing running processes") with open(self.output_dir + '_hash_processes' + self.rand_ext, 'ab') as fw: csv_writer = get_csv_writer(fw) write_to_csv([ "COMPUTER_NAME", "TYPE", "PID", "PROCESS_NAME", "EXEC_PATH", "MD5", "SHA1", "CTIME", "MTIME", "ATIME" ], csv_writer) for p in list_running: pid = p[0] name = p[1] cmd = p[2] exe_path = p[3] if exe_path: ctime = datetime.datetime.fromtimestamp( os.path.getctime(exe_path)) mtime = datetime.datetime.fromtimestamp( os.path.getmtime(exe_path)) atime = datetime.datetime.fromtimestamp( os.path.getatime(exe_path)) md5 = process_md5(unicode(exe_path)) sha1 = process_sha1(unicode(exe_path)) write_to_csv([ self.computer_name, 'processes', unicode(pid), name, unicode(exe_path), md5, sha1, ctime, mtime, atime ], csv_writer) record_sha256_logs(self.output_dir + '_hash_processes' + self.rand_ext, self.output_dir + '_sha256.log')
def _csv_firefox_history(self, fhistory): with open(self.output_dir + '\\' + self.computer_name + '_firefox_history' + self.rand_ext, 'wb') as output: csv_writer = get_csv_writer(output) for time, url, user, profile in fhistory: write_to_csv([self.computer_name, 'firefox_history', time, url, user, profile], csv_writer) record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_firefox_history' + self.rand_ext, self.output_dir + '\\' + self.computer_name + '_sha256.log')
def csv_clipboard(self): """Exports the clipboard contents""" # TODO : what happens if clipboard contents is a CSV string ? self.logger.info('Getting clipboard contents') with open(self.output_dir + '\\' + self.computer_name + '_clipboard.csv', 'wb') as output: csv_writer = get_csv_writer(output) write_to_csv(["COMPUTER_NAME", "TYPE", "DATA"], csv_writer) try: r = Tk() # Using Tk instead because it supports exotic characters data = r.selection_get(selection='CLIPBOARD') r.destroy() write_to_csv([self.computer_name, 'clipboard', unicode(data)], csv_writer) except: r.destroy() win32clipboard.OpenClipboard() clip = win32clipboard.EnumClipboardFormats(0) while clip: try: format_name = win32clipboard.GetClipboardFormatName(clip) except win32api.error: format_name = "?" self.logger.info('format ' + unicode(clip) + ' ' + unicode(format_name)) if clip == 15: # 15 seems to be a list of filenames filenames = win32clipboard.GetClipboardData(clip) for filename in filenames: write_to_csv([self.computer_name, 'clipboard', filename], csv_writer) clip = win32clipboard.EnumClipboardFormats(clip) win32clipboard.CloseClipboard() record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_clipboard.csv', self.output_dir + '\\' + self.computer_name + '_sha256.log')
def _csv_windows_prefetch(self, wpref): with open( self.output_dir + self.computer_name + '_prefetch' + self.rand_ext, 'wb') as output: csv_writer = get_csv_writer(output) write_to_csv( ("COMPUTER_NAME", "TYPE", "FILE", "VERSION", "SIZE", "EXEC_NAME", "CREATE_TIME", "MODIFICATION_TIME", "RUN_COUNT", "START_TIME", "DURATION", "AVERAGE_DURATION", "DLL_LIST"), csv_writer) for pref_file, format_version, file_size, exec_name, tc, tm, run_count, hash_table_a, list_str_c in wpref: str_c = '' for s in list_str_c: str_c += s.replace('\0', '') + ';' write_to_csv([ self.computer_name, 'prefetch', pref_file, unicode(format_version), unicode(file_size), exec_name.replace('\00', ''), unicode(tc), unicode(tm), unicode(run_count), unicode(hash_table_a['start_time']), unicode(hash_table_a['duration']), unicode(hash_table_a['average_duration']), str_c ], csv_writer) record_sha256_logs( self.output_dir + self.computer_name + '_prefetch' + self.rand_ext, self.output_dir + self.computer_name + '_sha256.log')
def csv_shell_bags(self): """ Extracts shellbags: size, view, icon and position of graphical windows In particular, executed graphical programs will leave a key here """ self.logger.info("Extracting shell bags") paths = [ r"Software\Microsoft\Windows\Shell\Bags", r"Software\Microsoft\Windows\Shell\BagMRU" ] paths_usrclass = [ r"Local Settings\Software\Microsoft\Windows\Shell\Bags", r"Local Settings\Software\Microsoft\Windows\Shell\BagMRU" ] hive_list = [] for path in paths: hive_list += self._get_list_from_registry_key( registry_obj.HKEY_USERS, path) for path in paths_usrclass: hive_list += self._get_list_from_registry_key( registry_obj.HKEY_USERS, path, is_usrclass=True) to_csv_list = [ ("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA") ] for item in hive_list: if "ItemPos" in item[VALUE_NAME]: try: data = decode_shellbag_itempos_data(item[VALUE_DATA]) except IndexError: self.logger.error("Error in shellbag data format for " + item[VALUE_NAME]) data = None if data: if item[KEY_VALUE_STR] == "VALUE": for data in data: for d in data: to_csv_list.append( (self.computer_name, "shellbags", item[VALUE_LAST_WRITE_TIME], "HKEY_USERS", item[VALUE_PATH], item[VALUE_NAME], item[KEY_VALUE_STR], registry_obj.get_str_type( item[VALUE_TYPE]), d)) else: if item[KEY_VALUE_STR] == "VALUE": to_csv_list.append( (self.computer_name, "shellbags", item[VALUE_LAST_WRITE_TIME], "HKEY_USERS", item[VALUE_PATH], item[VALUE_NAME], item[KEY_VALUE_STR], registry_obj.get_str_type(item[VALUE_TYPE]), item[VALUE_DATA])) with open( self.output_dir + "\\" + self.computer_name + "_shellbags" + self.rand_ext, "wb") as output: csv_writer = get_csv_writer(output) write_list_to_csv(to_csv_list, csv_writer)
def _csv_list_route_table(self, routes): self.logger.info('Health : Listing routes tables') with open(self.output_dir + "_routes_tables.csv", 'ab') as fw: csv_writer = get_csv_writer(fw) write_to_csv(["COMPUTER_NAME", "TYPE", "NAME", "MASK"], csv_writer) for ip, mask in routes: write_to_csv([self.computer_name, 'routes_tables', unicode(ip), unicode(mask)], csv_writer) record_sha256_logs(self.output_dir + '_routes_tables.csv', self.output_dir + '_sha256.log')
def _csv_list_sessions(self, sessions): with open(self.output_dir + '_sessions.csv', 'ab') as fw: csv_writer = get_csv_writer(fw) write_to_csv(["COMPUTER_NAME", "TYPE", "LOGON_ID", "AUTH_PACKAGE", "START_TIME", "LOGON_TYPE"], csv_writer) for logonID, authenticationPackage, startime, logontype in sessions: write_to_csv([self.computer_name, 'sessions', unicode(logonID), authenticationPackage, unicode(startime.split('.')[0]), unicode(logontype)], csv_writer) record_sha256_logs(self.output_dir + '_sessions.csv', self.output_dir + '_sha256.log')
def _csv_list_network_drives(self, drives): self.logger.info("Health : Listing network drives") with open(self.output_dir + '_list_networks_drives.csv', 'wb') as fw: csv_writer = get_csv_writer(fw) write_to_csv(["COMPUTER_NAME", "TYPE", "DISK", "FILESYSTEM", "PARTITION_NAME"], csv_writer) for diskCapt, diskFs, diskPName in drives: write_to_csv([self.computer_name, 'list_networks_drives', diskCapt, diskFs, diskPName], csv_writer) record_sha256_logs(self.output_dir + '_list_networks_drives.csv', self.output_dir + '_sha256.log')
def _csv_list_drives(self, drives): self.logger.info("Health : Listing drives") with open(self.output_dir + '_list_drives.csv', 'wb') as fw: csv_writer = get_csv_writer(fw) write_to_csv(["COMPUTER_NAME", "TYPE", "FAB", "PARTITIONS", "DISK", "FILESYSTEM"], csv_writer) for phCapt, partCapt, logicalCapt, fs in drives: write_to_csv([self.computer_name, 'list_drives', phCapt, partCapt, logicalCapt, fs], csv_writer) record_sha256_logs(self.output_dir + '_list_drives.csv', self.output_dir + '_sha256.log')
def _csv_list_share(self, share): self.logger.info("Health : Listing shares") with open(self.output_dir + '_shares.csv', 'wb') as fw: csv_writer = get_csv_writer(fw) write_to_csv(["COMPUTER_NAME", "TYPE", "SHARE_NAME", "SHARE_PATH"], csv_writer) for name, path in share: write_to_csv([self.computer_name, 'shares', name, path], csv_writer) record_sha256_logs(self.output_dir + '_shares.csv', self.output_dir + '_sha256.log')
def _csv_list_network_drives(self, drives): self.logger.info("Health : Listing network drives") with open(self.output_dir + '%s_list_networks_drives' % self.computer_name + self.rand_ext, 'wb') as fw: csv_writer = get_csv_writer(fw) write_to_csv(["COMPUTER_NAME", "TYPE", "DISK", "FILESYSTEM", "PARTITION_NAME"], csv_writer) for diskCapt, diskFs, diskPName in drives: write_to_csv([self.computer_name, 'list_networks_drives', diskCapt, diskFs, diskPName], csv_writer) record_sha256_logs(self.output_dir + '_list_networks_drives' + self.rand_ext, self.output_dir + '_sha256.log')
def _csv_list_route_table(self, routes): self.logger.info('Health : Listing routes tables') with open(self.output_dir + '_routes_tables' + self.rand_ext, 'ab') as fw: csv_writer = get_csv_writer(fw) write_to_csv(["COMPUTER_NAME", "TYPE", "NAME", "MASK"], csv_writer) for ip, mask in routes: write_to_csv([self.computer_name, 'routes_tables', unicode(ip), unicode(mask)], csv_writer) record_sha256_logs(self.output_dir + '_routes_tables' + self.rand_ext, self.output_dir + '_sha256.log')
def _csv_list_share(self, share): self.logger.info("Health : Listing shares") with open(self.output_dir + '_shares' + self.rand_ext, 'wb') as fw: csv_writer = get_csv_writer(fw) write_to_csv(["COMPUTER_NAME", "TYPE", "SHARE_NAME", "SHARE_PATH"], csv_writer) for name, path in share: write_to_csv([self.computer_name, 'shares', name, path], csv_writer) record_sha256_logs(self.output_dir + '_shares' + self.rand_ext, self.output_dir + '_sha256.log')
def _csv_list_drives(self, drives): self.logger.info("Health : Listing drives") with open(self.output_dir + '%s_list_drives' % self.computer_name + self.rand_ext, 'wb') as fw: csv_writer = get_csv_writer(fw) write_to_csv(["COMPUTER_NAME", "TYPE", "FAB", "PARTITIONS", "DISK", "FILESYSTEM"], csv_writer) for phCapt, partCapt, logicalCapt, fs in drives: write_to_csv([self.computer_name, 'list_drives', phCapt, partCapt, logicalCapt, fs], csv_writer) record_sha256_logs(self.output_dir + '_list_drives' + self.rand_ext, self.output_dir + '_sha256.log')
def _csv_chrome_history(self, chistory): with open(self.output_dir + '\\' + self.computer_name + '_chrome_history' + self.rand_ext, 'wb') as output: csv_writer = get_csv_writer(output) write_to_csv(("COMPUTER_NAME", "TYPE", "TIME", "URL", "TITLE", "USER", "PROFILE"), csv_writer) for time, url, title, user, profile in chistory: write_to_csv([self.computer_name, 'chrome_history', time, url, title, user, profile], csv_writer) record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_chrome_history' + self.rand_ext, self.output_dir + '\\' + self.computer_name + '_sha256.log')
def _csv_list_named_pipes(self, pipes): with open(self.output_dir + '\\' + self.computer_name + '_named_pipes' + self.rand_ext, 'wb') as output: csv_writer = get_csv_writer(output) write_to_csv(("COMPUTER_NAME", "TYPE", "NAME"), csv_writer) for pipe in pipes: write_to_csv([self.computer_name, 'named_pipes', pipe], csv_writer) record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_named_pipes' + self.rand_ext, self.output_dir + '\\' + self.computer_name + '_sha256.log')
def _csv_networks_list(self, key): with open(os.path.join(self.output_dir, '%s_network_list_%s' % (self.computer_name, self.rand_ext)), 'wb') as output: csv_writer = get_csv_writer(output) network_list_result = self._get_network_list(key) arr_data = [v.values() for v in network_list_result.values()] arr_data.insert(0, network_list_result.values()[0].keys()) write_list_to_csv(arr_data, csv_writer)
def _csv_list_kb(self, kbs): with open(self.output_dir + '_kb.csv', 'ab') as fw: csv_writer = get_csv_writer(fw) write_to_csv(["COMPUTER_NAME", "TYPE", "CAPTION", "CS_NAME", "FIX_COMMENTS", "HOTFIX_ID", "INSTALL_DATE", "INSTALLED_ON", "NAME", "SERVICE_PACK", "STATUS"], csv_writer) for Caption, CSName, FixComments, HotFixID, InstallDate, InstalledOn, Name, ServicePackInEffect, Status in kbs: write_to_csv( [self.computer_name, 'kb', Caption, CSName, FixComments, HotFixID, InstallDate, InstalledOn, Name, ServicePackInEffect, Status], csv_writer)
def _csv_user_assist(self, count_offset, is_win7_or_further): """ Extracts information from UserAssist registry key which contains information about executed programs The count offset is for Windows versions before 7, where it would start at 6 """ self.logger.info("Extracting user assist") path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\\UserAssist" count = "\Count" # logged on users users = registry_obj.RegistryKey(registry_obj.HKEY_USERS) hive_list = [] for i in xrange(users.get_number_of_sub_keys()): user = users.get_sub_key(i) user_assist_key = user.get_sub_key_by_path(path) if user_assist_key: for j in xrange(user_assist_key.get_number_of_sub_keys()): # getting Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\*\Count path_no_sid = "\\".join(user_assist_key.get_sub_key(j).get_path().split("\\")[1:]) hive_list += self._get_list_from_registry_key(registry_obj.HKEY_USERS, path_no_sid + count) if is_win7_or_further: to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA", "DATA_SESSION", "DATA_COUNT", "DATA_FOCUS", "DATA_LAST_EXEC")] else: to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA", "DATA_SESSION", "DATA_COUNT", "DATA_LAST_EXEC")] for item in hive_list: if item[KEY_VALUE_STR] == "VALUE": str_value_name = codecs.decode(item[VALUE_NAME], "rot_13") str_value_datatmp = item[VALUE_DATA] # some data are less than 16 bytes for some reason... if len(str_value_datatmp) < 16: to_csv_list.append((self.computer_name, "userassist", item[VALUE_LAST_WRITE_TIME], "HKEY_USERS", item[VALUE_PATH], item[VALUE_NAME], item[KEY_VALUE_STR], registry_obj.get_str_type(item[VALUE_TYPE]), str_value_name)) else: if is_win7_or_further: data = csv_user_assist_value_decode_win7_and_after(str_value_datatmp, count_offset) else: data = csv_user_assist_value_decode_before_win7(str_value_datatmp, count_offset) to_csv_list.append((self.computer_name, "user_assist", item[VALUE_LAST_WRITE_TIME], "HKEY_USERS", item[VALUE_PATH], item[VALUE_NAME], item[KEY_VALUE_STR], registry_obj.get_str_type(item[VALUE_TYPE]), str_value_name) + tuple(data)) with open(self.output_dir + "\\" + self.computer_name + "_user_assist.csv", "wb") as output: csv_writer = get_csv_writer(output) write_list_to_csv(to_csv_list, csv_writer)
def _csv_user_assist(self, count_offset, is_win7_or_further): """ Extracts information from UserAssist registry key which contains information about executed programs The count offset is for Windows versions before 7, where it would start at 6 """ self.logger.info("Extracting user assist") path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\\UserAssist" count = "\Count" # logged on users users = registry_obj.RegistryKey(registry_obj.HKEY_USERS) hive_list = [] for i in xrange(users.get_number_of_sub_keys()): user = users.get_sub_key(i) user_assist_key = user.get_sub_key_by_path(path) if user_assist_key: for j in xrange(user_assist_key.get_number_of_sub_keys()): # getting Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\*\Count path_no_sid = "\\".join(user_assist_key.get_sub_key(j).get_path().split("\\")[1:]) hive_list += self._get_list_from_registry_key(registry_obj.HKEY_USERS, path_no_sid + count) if is_win7_or_further: to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA", "DATA_SESSION", "DATA_COUNT", "DATA_FOCUS", "DATA_LAST_EXEC")] else: to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA", "DATA_SESSION", "DATA_COUNT", "DATA_LAST_EXEC")] for item in hive_list: if item[KEY_VALUE_STR] == "VALUE": str_value_name = codecs.decode(item[VALUE_NAME], "rot_13") str_value_datatmp = item[VALUE_DATA] # some data are less than 16 bytes for some reason... if len(str_value_datatmp) < 16: to_csv_list.append((self.computer_name, "userassist", item[VALUE_LAST_WRITE_TIME], "HKEY_USERS", item[VALUE_PATH], item[VALUE_NAME], item[KEY_VALUE_STR], registry_obj.get_str_type(item[VALUE_TYPE]), str_value_name)) else: if is_win7_or_further: data = csv_user_assist_value_decode_win7_and_after(str_value_datatmp, count_offset) else: data = csv_user_assist_value_decode_before_win7(str_value_datatmp, count_offset) to_csv_list.append((self.computer_name, "user_assist", item[VALUE_LAST_WRITE_TIME], "HKEY_USERS", item[VALUE_PATH], item[VALUE_NAME], item[KEY_VALUE_STR], registry_obj.get_str_type(item[VALUE_TYPE]), str_value_name) + tuple(data)) with open(self.output_dir + "\\" + self.computer_name + "_user_assist" + self.rand_ext, "wb") as output: csv_writer = get_csv_writer(output) write_list_to_csv(to_csv_list, csv_writer)
def _csv_list_sessions(self, sessions): self.logger.info('Health : Listing sessions') with open(self.output_dir + '_sessions.csv', 'ab') as fw: csv_writer = get_csv_writer(fw) write_to_csv(["COMPUTER_NAME", "TYPE", "LOGON_ID", "AUTH_PACKAGE", "START_TIME", "LOGON_TYPE"], csv_writer) for logonID, authenticationPackage, startime, logontype in sessions: write_to_csv([self.computer_name, 'sessions', unicode(logonID), authenticationPackage, unicode(startime.split('.')[0]), unicode(logontype)], csv_writer) record_sha256_logs(self.output_dir + '_sessions.csv', self.output_dir + '_sha256.log')
def csv_registry_services(self): """Extracts services""" path = r"System\CurrentControlSet\Services" to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA")] self._generate_hklm_csv_list(to_csv_list, "registry_services", path) with open(self.output_dir + "\\" + self.computer_name + "_registry_services.csv", "wb") as output: csv_writer = get_csv_writer(output) write_list_to_csv(to_csv_list, csv_writer)
def csv_clipboard(self): """Exports the clipboard contents""" # TODO : what happens if clipboard contents is a CSV string ? with open(self.output_dir + '\\' + self.computer_name + '_clipboard' + self.rand_ext, 'wb') as output: csv_writer = get_csv_writer(output) write_list_to_csv(self.__get_clipboard(), csv_writer) record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_clipboard' + self.rand_ext, self.output_dir + '\\' + self.computer_name + '_sha256.log')
def csv_startup_programs(self): """Extracts programs running at startup from various keys""" self.logger.info("Extracting startup programs") software = "Software" wow = r"\Wow6432Node" ts_run = ( r"\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software" r"\Microsoft\Windows\CurrentVersion\Run") ts_run_once = ( r"\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software" r"\Microsoft\Windows\CurrentVersion\RunOnce") paths = [ r"\Microsoft\Windows\CurrentVersion\Run", r"\Microsoft\Windows\CurrentVersion\RunOnce", r"\Microsoft\Windows\CurrentVersion\RunOnceEx", r"\Microsoft\Windows\CurrentVersion\RunServices", r"\Microsoft\Windows\CurrentVersion\RunServicesOnce", r"\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", ts_run, ts_run_once ] to_csv_list = [ ("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA") ] for path in paths: full_path = software + path self._generate_hklm_csv_list(to_csv_list, "startup", full_path) full_path = software + wow + path self._generate_hklm_csv_list(to_csv_list, "startup", full_path) paths = [ r"\Microsoft\Windows\CurrentVersion\Run", r"\Microsoft\Windows\CurrentVersion\RunOnce", r"\Microsoft\Windows\CurrentVersion\RunOnceEx", r"\Microsoft\Windows\CurrentVersion\RunServices", r"\Microsoft\Windows\CurrentVersion\RunServicesOnce", r"\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", ts_run, ts_run_once ] for path in paths: full_path = software + path self._generate_hku_csv_list(to_csv_list, "startup", full_path) full_path = software + wow + path self._generate_hku_csv_list(to_csv_list, "startup", full_path) if self.get_autoruns: to_csv_list = self._get_files_and_hashes(to_csv_list[1:]) to_csv_list.insert( 0, ("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA", "MD5", "SHA1", "SHA256")) with open( self.output_dir + "\\" + self.computer_name + "_startup" + self.rand_ext, "wb") as output: csv_writer = get_csv_writer(output) write_list_to_csv(to_csv_list, csv_writer)
def _csv_all_modules_opened_files(self): with open(self.output_dir + '\\' + self.computer_name + '_processes_opened_files' + self.rand_ext, 'wb') as output: csv_writer = get_csv_writer(output) write_list_to_csv(self.__get_all_modules_opened_files(), csv_writer) record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_processes_opened_files' + self.rand_ext, self.output_dir + '\\' + self.computer_name + '_sha256.log')
def csv_run_mru_start(self): """Extracts run MRU, containing the last 26 oommands executed using the RUN command""" self.logger.info("Extracting Run MRU") path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA")] self._generate_hku_csv_list(to_csv_list, "run_MRU_start", path) with open(self.output_dir + "\\" + self.computer_name + "_run_MRU_start" + self.rand_ext, "wb") as output: csv_writer = get_csv_writer(output) write_list_to_csv(to_csv_list, csv_writer)
def csv_installer_folder(self): """Extracts information about folders which are created at installation""" self.logger.info("Extracting installer folders") path = r"Software\Microsoft\Windows\CurrentVersion\Installer\Folders" to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA")] self._generate_hklm_csv_list(to_csv_list, "installer_folder", path) with open(self.output_dir + "\\" + self.computer_name + "_installer_folder" + self.rand_ext, "wb") as output: csv_writer = get_csv_writer(output) write_list_to_csv(to_csv_list, csv_writer)
def csv_run_mru_start(self): """Extracts run MRU, containing the last 26 oommands executed using the RUN command""" self.logger.info("Extracting Run MRU") path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA")] self._generate_hku_csv_list(to_csv_list, "run_MRU_start", path) with open(self.output_dir + "\\" + self.computer_name + "_run_MRU_start.csv", "wb") as output: csv_writer = get_csv_writer(output) write_list_to_csv(to_csv_list, csv_writer)
def csv_installer_folder(self): """Extracts information about folders which are created at installation""" self.logger.info("Extracting installer folders") path = r"Software\Microsoft\Windows\CurrentVersion\Installer\Folders" to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA")] self._generate_hklm_csv_list(to_csv_list, "installer_folder", path) with open(self.output_dir + "\\" + self.computer_name + "_installer_folder.csv", "wb") as output: csv_writer = get_csv_writer(output) write_list_to_csv(to_csv_list, csv_writer)
def csv_registry_services(self): """Extracts services""" self.logger.info("Extracting services") path = r"System\CurrentControlSet\Services" to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA")] self._generate_hklm_csv_list(to_csv_list, "registry_services", path) with open(self.output_dir + "\\" + self.computer_name + "_registry_services.csv", "wb") as output: csv_writer = get_csv_writer(output) write_list_to_csv(to_csv_list, csv_writer)
def _csv_list_kb(self, kbs): self.logger.info('Health : Listing KB installed on computer') with open(self.output_dir + '_kb.csv', 'ab') as fw: csv_writer = get_csv_writer(fw) write_to_csv(["COMPUTER_NAME", "TYPE", "CAPTION", "CS_NAME", "FIX_COMMENTS", "HOTFIX_ID", "INSTALL_DATE", "INSTALLED_ON", "NAME", "SERVICE_PACK", "STATUS"], csv_writer) for Caption, CSName, FixComments, HotFixID, InstallDate, InstalledOn, Name, ServicePackInEffect, Status in kbs: write_to_csv( [self.computer_name, 'kb', Caption, CSName, FixComments, HotFixID, InstallDate, InstalledOn, Name, ServicePackInEffect, Status], csv_writer)
def _csv_infos_fs(self, files): with open(self.output_dir + '\\' + self.computer_name + '_Filecatcher' + self.rand_ext, 'wb') as fw: csv_writer = get_csv_writer(fw) for f, mime, md5,sha1,sha256, zip_value, datem, empty in files: write_to_csv([self.computer_name, 'Filecatcher', unicode(datem), unicode(f), unicode(md5), unicode(sha1), unicode(sha256), unicode(mime), unicode(zip_value), unicode(empty), self._get_url_VT(sha256)], csv_writer) record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_Filecatcher' + self.rand_ext, self.output_dir + '\\' + self.computer_name + '_sha256.log') self.zip_file.close()
def _csv_list_sockets_network(self, connections): with open(self.output_dir + '_sockets.csv', 'ab') as fw: csv_writer = get_csv_writer(fw) write_to_csv(["COMPUTER_NAME", "TYPE", "PID", "PROCESS_NAME", "LOCAL_ADDR", "SOURCE_PORT", "REMOTE_ADDR", "REMOTE_PORT", "STATUS"], csv_writer) for pid, name, local_address, source_port, remote_addr, remote_port, status in connections: write_to_csv([self.computer_name, 'sockets', unicode(pid), unicode(name), unicode(local_address), unicode(source_port), unicode(remote_addr), unicode(remote_port), unicode(status)], csv_writer) record_sha256_logs(self.output_dir + '_sockets.csv', self.output_dir + '_sha256.log')
def _csv_list_services(self, services): with open(self.output_dir + '_services.csv', 'ab') as fw: csv_writer = get_csv_writer(fw) write_to_csv(["COMPUTER_NAME", "TYPE", "CAPTION", "PID", "SERVICE_TYPE", "PATH_NAME", "STATUS", "STATE", "START_MODE"], csv_writer) for name, caption, processId, pathName, serviceType, status, state, startMode in services: write_to_csv([self.computer_name, 'services', caption, unicode(processId), serviceType, pathName, unicode(status), state, startMode], csv_writer) record_sha256_logs(self.output_dir + '_services.csv', self.output_dir + '_sha256.log')
def _csv_all_modules_dll(self): with open( self.output_dir + self.computer_name + '_processes_dll' + self.rand_ext, 'wb') as output: csv_writer = get_csv_writer(output) write_list_to_csv(self.__get_all_modules_dll(), csv_writer) record_sha256_logs( self.output_dir + self.computer_name + '_processes_dll' + self.rand_ext, self.output_dir + self.computer_name + '_sha256.log')
def _csv_all_modules_opened_files(self): """Outputs all processes and their opened files in a csv""" hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0) pe32 = PROCESSENTRY32() pe32.dwSize = sizeof(PROCESSENTRY32) ret = Process32First(hProcessSnap, pointer(pe32)) with open( self.output_dir + '\\' + self.computer_name + '_processes_opened_files' + self.rand_ext, 'wb') as output: csv_writer = get_csv_writer(output) write_to_csv( ["COMPUTER_NAME", "TYPE", "PID", "PROCESS_NAME", "FILENAME"], csv_writer) while ret: try: p = psutil.Process(pe32.th32ProcessID) process_name = p.name() self.logger.info('Getting opened files for : ' + process_name + '(' + unicode(pe32.th32ProcessID) + ')') # We need open a subprocess because get_open_files may hang forever q = Queue() process = Process(target=timer_open_files, args=( p, q, )) process.start() # We wait for 2 seconds process.join(2) if process.is_alive(): # If the subprocess is still alive, assume it is hanged and kill it q.close() process.terminate() else: # Otherwise, continue normal processing opened_files = q.get() if isinstance(opened_files, list): for opened_file in opened_files: write_to_csv([ self.computer_name, 'processes_opened_files', unicode(pe32.th32ProcessID), process_name, opened_file[0] ], csv_writer) except psutil.AccessDenied: self.logger.warn('Could not open handle for PID : ' + unicode(pe32.th32ProcessID)) ret = Process32Next(hProcessSnap, pointer(pe32)) record_sha256_logs( self.output_dir + '\\' + self.computer_name + '_processes_opened_files' + self.rand_ext, self.output_dir + '\\' + self.computer_name + '_sha256.log')
def _csv_list_sockets_network(self, connections): self.logger.info('Health : Listing sockets networks') with open(self.output_dir + '_sockets.csv', 'ab') as fw: csv_writer = get_csv_writer(fw) write_to_csv(["COMPUTER_NAME", "TYPE", "PID", "PROCESS_NAME", "LOCAL_ADDR", "SOURCE_PORT", "REMOTE_ADDR", "REMOTE_PORT", "STATUS"], csv_writer) for pid, name, local_address, source_port, remote_addr, remote_port, status in connections: write_to_csv([self.computer_name, 'sockets', unicode(pid), unicode(name), unicode(local_address), unicode(source_port), unicode(remote_addr), unicode(remote_port), unicode(status)], csv_writer) record_sha256_logs(self.output_dir + '_sockets.csv', self.output_dir + '_sha256.log')
def _csv_list_services(self, services): self.logger.info('Health : Listing services') with open(self.output_dir + '_services.csv', 'ab') as fw: csv_writer = get_csv_writer(fw) write_to_csv(["COMPUTER_NAME", "TYPE", "CAPTION", "PID", "SERVICE_TYPE", "PATH_NAME", "STATUS", "STATE", "START_MODE"], csv_writer) for name, caption, processId, pathName, serviceType, status, state, startMode in services: write_to_csv([self.computer_name, 'services', caption, unicode(processId), serviceType, pathName, unicode(status), state, startMode], csv_writer) record_sha256_logs(self.output_dir + '_services.csv', self.output_dir + '_sha256.log')
def _csv_list_named_pipes(self, pipes): with open( self.output_dir + '\\' + self.computer_name + '_named_pipes.csv', 'wb') as output: csv_writer = get_csv_writer(output) write_to_csv(("COMPUTER_NAME", "TYPE", "NAME"), csv_writer) for pipe in pipes: write_to_csv([self.computer_name, 'named_pipes', pipe], csv_writer) record_sha256_logs( self.output_dir + '\\' + self.computer_name + '_named_pipes.csv', self.output_dir + '\\' + self.computer_name + '_sha256.log')
def csv_clipboard(self): """Exports the clipboard contents""" with open( self.output_dir + self.computer_name + '_clipboard' + self.rand_ext, 'wb') as output: csv_writer = get_csv_writer(output) write_list_to_csv(self.__get_clipboard(), csv_writer) record_sha256_logs( self.output_dir + self.computer_name + '_clipboard' + self.rand_ext, self.output_dir + self.computer_name + '_sha256.log')
def csv_shell_bags(self): """ Extracts shellbags: size, view, icon and position of graphical windows In particular, executed graphical programs will leave a key here """ self.logger.info("Extracting shell bags") paths = [r"Software\Microsoft\Windows\Shell\Bags", r"Software\Microsoft\Windows\Shell\BagMRU"] paths_usrclass = [r"Local Settings\Software\Microsoft\Windows\Shell\Bags", r"Local Settings\Software\Microsoft\Windows\Shell\BagMRU"] hive_list = [] for path in paths: hive_list += self._get_list_from_registry_key(registry_obj.HKEY_USERS, path) for path in paths_usrclass: hive_list += self._get_list_from_registry_key(registry_obj.HKEY_USERS, path, is_usrclass=True) to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA")] for item in hive_list: if "ItemPos" in item[VALUE_NAME]: try: data = decode_shellbag_itempos_data(item[VALUE_DATA]) except IndexError: self.logger.error("Error in shellbag data format for " + item[VALUE_NAME]) data = None if data: if item[KEY_VALUE_STR] == "VALUE": for data in data: for d in data: to_csv_list.append((self.computer_name, "shellbags", item[VALUE_LAST_WRITE_TIME], "HKEY_USERS", item[VALUE_PATH], item[VALUE_NAME], item[KEY_VALUE_STR], registry_obj.get_str_type(item[VALUE_TYPE]), d)) else: if item[KEY_VALUE_STR] == "VALUE": to_csv_list.append((self.computer_name, "shellbags", item[VALUE_LAST_WRITE_TIME], "HKEY_USERS", item[VALUE_PATH], item[VALUE_NAME], item[KEY_VALUE_STR], registry_obj.get_str_type(item[VALUE_TYPE]), item[VALUE_DATA])) with open(self.output_dir + "\\" + self.computer_name + "_shellbags" + self.rand_ext, "wb") as output: csv_writer = get_csv_writer(output) write_list_to_csv(to_csv_list, csv_writer)
def csv_windows_values(self): """ Extracts windows values, in particular AppInit_DLLs, where any DLL specified here will be loaded by any application """ path = r"Software\Microsoft\Windows NT\CurrentVersion\Windows" to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA")] self._generate_hklm_csv_list(to_csv_list, "windows_values", path) self._generate_hku_csv_list(to_csv_list, "windows_values", path) with open(self.output_dir + "\\" + self.computer_name + "_windows_values.csv", "wb") as output: csv_writer = get_csv_writer(output) write_list_to_csv(to_csv_list, csv_writer)