Пример #1
0
	def csv_startup_programs(self):
		''' Exports the programs running at startup '''
		''' [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
			[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]
			[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
			[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
			[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
			[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit]
			[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
			
			[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
			[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]
			[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
			[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
			[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
			[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
		'''
		self.logger.info("Getting startup programs from registry")
		software = '\Software'
		wow = '\Wow6432Node'
		with open(self.output_dir + '\\' + self.computer_name + '_startup.csv', 'wb') as output:
			csv_writer = get_csv_writer(output)
			aReg = ConnectRegistry(None, HKEY_USERS)
			for index_sid in range(QueryInfoKey(aReg)[0]): # the number of subkeys
				# in HKEY_USERS, we have a list of subkeys which are SIDs
				str_sid = EnumKey(aReg, index_sid)
				username = str_sid2username(str_sid)
				paths = ['\Microsoft\Windows\CurrentVersion\Run\\', '\Microsoft\Windows\CurrentVersion\RunOnce\\',
						'\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
						'\Microsoft\Windows\CurrentVersion\RunServices\\',
						'\Microsoft\Windows\CurrentVersion\RunServicesOnce\\',
						'\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit\\']
				for path in paths:
					try:
						full_path = str_sid + software + path
						self._dump_csv_registry_to_output('HKEY_USERS', full_path, aReg, csv_writer, username)
						full_path = str_sid + software + wow + path
						self._dump_csv_registry_to_output('HKEY_USERS', full_path, aReg, csv_writer, username)
					except WindowsError:
						pass
			CloseKey(aReg)
		with open(self.output_dir + '\\' + self.computer_name + '_startup.csv', 'ab') as output:
			csv_writer = get_csv_writer(output)
			aReg = ConnectRegistry(None, HKEY_LOCAL_MACHINE)
			paths = ['\Microsoft\Windows\CurrentVersion\Run\\', '\Microsoft\Windows\CurrentVersion\RunOnce\\',
					'\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
					'\Microsoft\Windows\CurrentVersion\RunServices\\',
					'\Microsoft\Windows\CurrentVersion\RunServicesOnce\\',
					'\Microsoft\Windows NT\CurrentVersion\Windows\\',
					'\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run']
			for path in paths:
				try:
					full_path = software + path
					self._dump_csv_registry_to_output('HKEY_LOCAL_MACHINE', path, aReg, csv_writer)
					full_path = software + wow + path
					self._dump_csv_registry_to_output('HKEY_LOCAL_MACHINE', path, aReg, csv_writer)
				except WindowsError:
					pass
		CloseKey(aReg)
Пример #2
0
    def get_fps_info(self):
        command = "dumpsys gfxinfo " + self.task.pid + " reset | grep -E 'Total frames|Janky frames'"
        dirs = self.task.output + "/fps_stats/"
        file_name = "fps_" + self.task.device + "_" + self.task.applicationid + "_" + self.task.version_name + "_" + self.task.name
        field_names = [self.TIME, self.FPS]
        writer = utils.get_csv_writer(dirs, file_name, field_names)
        while self.is_running:
            result = self.task.d.adb_shell(command)
            print(result)
            total_frames = int(re.findall("\d+", result)[0])
            janky_frames = int(re.findall("\d+", result)[1])
            print(total_frames)
            print(janky_frames)
            # if self.is_first:
            #     self.last_time = time.time_ns()
            #     self.last_fps = int(re.findall("\d+", self.task.d.adb_shell(command))[0])
            #     self.is_first = False
            #     continue

            # current_time = time.time_ns()
            # current_fps = int(re.findall("\d+", self.task.d.adb_shell(command))[0])
            # time_delta = (current_time - self.last_time) / 1000000000.0
            # fps_delta = current_fps - self.last_fps
            # fps = fps_delta / time_delta
            # print('current_frames=%d, last_frames=%d, + %d, current_fps=%d' % (current_fps, self.last_fps, fps_delta, fps))
            # self.last_time = current_time
            # self.last_fps = current_fps
            # writer.writerow({self.TIME: self.get_index(), self.FPS: "{:.2f}".format(fps)})
            # self.count += 1
            time.sleep(self.task.interval)
Пример #3
0
 def get_mem_info(self):
     dirs = self.task.output + "/mem_stats/"
     file_name = "mem_" + self.task.device + "_" + self.task.applicationid + "_" + self.task.version_name + "_" + self.task.name
     # field_names = [self.TIME, self.NATIVE_HEAP, self.DALVIK_HEAP, self.TOTAL_HEAP]
     field_names = [self.TIME, self.TOTAL_HEAP]
     writer = utils.get_csv_writer(dirs, file_name, field_names)
     while self.is_running:
         # native_info = self.task.d.adb_shell("dumpsys meminfo " + self.task.pid + " | grep 'Native Heap '")
         # native_pss = format(int(re.findall(r"\d+", native_info)[0]) / 1000.0, ".2f")
         # print('Native Heap=%s' %native_info)
         # dalvik_info = self.task.d.adb_shell("dumpsys meminfo " + self.task.pid + " | grep 'Dalvik Heap '")
         # dalvik_pss = format(int(re.findall(r"\d+", dalvik_info)[0]) / 1000.0, ".2f")
         # print('Dalvik Heap=%s' %dalvik_info)
         total_info = self.task.d.adb_shell("dumpsys meminfo " +
                                            self.task.pid +
                                            " | grep 'TOTAL:'")
         total_pss = format(
             int(re.findall(r"\d+", total_info)[0]) / 1000.0, ".2f")
         print(total_info)
         # print(total_pss)
         writer.writerow({
             self.TIME:
             self.get_index(),
             # self.NATIVE_HEAP: native_pss, self.DALVIK_HEAP: dalvik_pss,
             self.TOTAL_HEAP:
             total_pss
         })
         self.count += 1
         time.sleep(self.task.interval)
Пример #4
0
 def _csv_event_logs(self, isWinXP):
     ''' Prints the event logs in a csv, the called method is different for WinXP and lower '''
     server = None  # name of the target computer to get event logs, None to get logs from current computer
     with open(self.output_dir + '\\' + self.computer_name + '_evts.csv',
               'wb') as fw:
         csv_writer = get_csv_writer(fw)
         if isWinXP:
             for eventCategory, sourceName, eventID, eventType, date, log in self._list_evt_XP(
                     server, 'Security'):
                 write_to_csv([
                     self.computer_name, 'Logs', 'Security', eventCategory,
                     sourceName, eventID, eventType, date
                 ] + log, csv_writer)
             for eventCategory, sourceName, eventID, eventType, date, log in self._list_evt_XP(
                     server, 'Application'):
                 write_to_csv([
                     self.computer_name, 'Logs', 'Application',
                     eventCategory, sourceName, eventID, eventType, date
                 ] + log, csv_writer)
             for eventCategory, sourceName, eventID, eventType, date, log in self._list_evt_XP(
                     server, 'System'):
                 write_to_csv([
                     self.computer_name, 'Logs', 'System', eventCategory,
                     sourceName, eventID, eventType, date
                 ] + log, csv_writer)
         else:
             # Exports everything from the event viewer
             evt_handle = win32evtlog.EvtOpenChannelEnum()
             while True:
                 # opening channel for enumeration
                 logtype = win32evtlog.EvtNextChannelPath(evt_handle)
                 if logtype is None:
                     break
                 #fw.write('"Computer Name"|"Type"|"Date"|"logtype"|"log data"\n')
                 self._list_evt_Vista(server, logtype)
Пример #5
0
	def _csv_list_named_pipes(self,pipes):
		with open(self.output_dir + '\\' + self.computer_name + '_named_pipes.csv', 'wb') as output:
			csv_writer = get_csv_writer(output)
			#output.write('"Computer Name"|"Type"|"Name"\n')
			for pipe in pipes:
				write_to_csv([self.computer_name, 'PIPES', pipe], csv_writer)
		record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_named_pipes.csv',self.output_dir +'\\'+self.computer_name+'_sha256.log')
Пример #6
0
    def _csv_all_modules_dll(self):
        ''' Outputs all processes and their opened dll in a csv '''
        hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)

        pe32 = PROCESSENTRY32()
        pe32.dwSize = sizeof(PROCESSENTRY32)
        ret = Process32First(hProcessSnap, pointer(pe32))

        with open(
                self.output_dir + '\\' + self.computer_name +
                '_processes_dll.csv', 'wb') as output:
            csv_writer = get_csv_writer(output)
            #output.write('"Computer Name"|"Type"|"PID"|"Name"|"Module"\r\n')
            while ret:
                self.logger.info("  process ID		= %d" % pe32.th32ProcessID)

                modules = self._GetProcessModules(pe32.th32ProcessID, False)
                if len(modules) > 0:
                    process_name = modules.pop(
                        0)  # first element is the name of the process
                    for module in modules:
                        write_to_csv([
                            self.computer_name, 'DLL',
                            unicode(pe32.th32ProcessID), process_name, module
                        ], csv_writer)
                #ListProcessThreads( pe32.th32ProcessID )

                ret = Process32Next(hProcessSnap, pointer(pe32))
Пример #7
0
	def csv_clipboard(self):
		''' Exports the clipboard contents '''
		# TODO check if it is the same for older windows
		self.logger.info('Getting clipboard contents')
		with open(self.output_dir + '\\' + self.computer_name + '_clipboard.csv', 'wb') as output:
			csv_writer = get_csv_writer(output)
			#output.write('"Computer Name"|"Type"|Data"\n')
			try:
				r = Tk() # Using Tk instead because it supports exotic characters
				data = r.selection_get(selection='CLIPBOARD')
				r.destroy()
				#data = win32clipboard.GetClipboardData().decode('utf_8')
				write_to_csv([self.computer_name, 'String data in clipboard', unicode(data)], csv_writer)
			except:
				r.destroy()
				win32clipboard.OpenClipboard()
				clip = win32clipboard.EnumClipboardFormats(0)
				while clip:
					try: format_name = win32clipboard.GetClipboardFormatName(clip)
					except win32api.error: format_name = "?"
					self.logger.info('format ' + unicode(clip) + ' ' + unicode(format_name))
					if clip == 15: # 15 seems to be a list of filenames
						filenames = win32clipboard.GetClipboardData(clip)
						for filename in filenames:
							write_to_csv([self.computer_name, 'List of files in clipboard', filename], csv_writer)
					clip = win32clipboard.EnumClipboardFormats(clip)
				win32clipboard.CloseClipboard()
Пример #8
0
 def csv_sha256(self, path=os.environ['SYSTEMDRIVE'] + '\\'):
     try:
         list_files = os.listdir(unicode(path))
     except Exception as e:
         self.logger.warn("Cannot list " + path)
         return
     for f in list_files:
         d = os.path.join(path, f)
         if os.path.isdir(d):
             self.csv_sha256(d)
         elif os.path.isfile(d):
             try:
                 sha = process_sha256(d)
                 with open(
                         self.output_dir + '\\' + self.computer_name +
                         '_sha256.csv', 'ab') as output:
                     csv_writer = get_csv_writer(output)
                     write_to_csv(
                         ['sha256', d, sha.hexdigest()], csv_writer)
             except UnicodeError:
                 pass
             except IOError:
                 pass
             except ValueError:
                 pass
Пример #9
0
 def _csv_event_logs(self, is_win_xp):
     """Prints the event logs in a csv, the called method is different for WinXP and lower"""
     server = None  # name of the target computer to get event logs, None to get logs from current computer
     with open(self.output_dir + '\\' + self.computer_name + '_evts.csv', 'wb') as fw:
         csv_writer = get_csv_writer(fw)
         if is_win_xp:
             for eventCategory, sourceName, eventID, eventType, date, log in self._list_evt_xp(server, 'Security'):
                 write_to_csv([self.computer_name, 'Logs', 'Security', eventCategory, sourceName, eventID, eventType,
                               date] + log, csv_writer)
             for eventCategory, sourceName, eventID, eventType, date, log in self._list_evt_xp(server,
                                                                                               'Application'):
                 write_to_csv(
                     [self.computer_name, 'Logs', 'Application', eventCategory, sourceName, eventID, eventType,
                      date] + log, csv_writer)
             for eventCategory, sourceName, eventID, eventType, date, log in self._list_evt_xp(server, 'System'):
                 write_to_csv([self.computer_name, 'Logs', 'System', eventCategory, sourceName, eventID, eventType,
                               date] + log, csv_writer)
         else:
             # Exports everything from the event viewer
             evt_handle = win32evtlog.EvtOpenChannelEnum()
             os.mkdir(self.output_dir + r"\evt")
             while True:
                 # opening channel for enumeration
                 logtype = win32evtlog.EvtNextChannelPath(evt_handle)
                 if logtype is None:
                     break
                     # fw.write('"Computer Name"|"Type"|"Date"|"logtype"|"log data"\n')
                 self._list_evt_vista(server, logtype)
Пример #10
0
    def csv_shell_bags(self):
        """Extracts shellbags: size, view, icon and position for Explorer folders"""
        # TODO Check Vista and under
        self.logger.info("Extracting shell bags")
        paths = [r"Software\Microsoft\Windows\Shell\Bags",
                 r"Software\Microsoft\Windows\Shell\BagMRU",
                 r"Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags",
                 r"Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU"]
        hive_list = []
        for path in paths:
            hive_list += self._get_list_from_registry_key(registry_obj.HKEY_USERS, path)
        to_csv_list = []
        for item in hive_list:
            try:
                datas = decode_shellbag_itempos_data(item[self.VALUE_NAME], item[self.VALUE_DATA])
            except IndexError:
                self.logger.error("Error in shellbag data format for " + item[self.VALUE_NAME])
                datas = None
            if datas:
                for data in datas:
                    if item[self.KEY_VALUE_STR] == "VALUE":
                        to_csv_list.append((self.computer_name, item[self.VALUE_LAST_WRITE_TIME], "HKEY_USERS",
                                            item[self.VALUE_PATH], item[self.VALUE_NAME], item[self.KEY_VALUE_STR],
                                            registry_obj.get_str_type(item[self.VALUE_TYPE])) + tuple(data))
            else:
                if item[self.KEY_VALUE_STR] == "VALUE":
                    to_csv_list.append((self.computer_name, item[self.VALUE_LAST_WRITE_TIME], "HKEY_USERS",
                                        item[self.VALUE_PATH], item[self.VALUE_NAME], item[self.KEY_VALUE_STR],
                                        registry_obj.get_str_type(item[self.VALUE_TYPE]), item[self.VALUE_DATA]))

        with open(self.output_dir + "\\" + self.computer_name + "_shellbags.csv", "wb") as output:
            csv_writer = get_csv_writer(output)
            write_list_to_csv(to_csv_list, csv_writer)
Пример #11
0
    def _csv_user_assist(self, count_offset, is_win7_or_further):
        ''' Extracts information from UserAssist registry key which contains information about executed programs '''
        ''' The count offset is for Windows versions before 7, where it would start at 6... '''
        self.logger.info('Getting user_assist from registry')
        aReg = ConnectRegistry(None, HKEY_USERS)

        str_user_assist = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\'
        with open(
                self.output_dir + '\\' + self.computer_name +
                '_userassist.csv', 'wb') as output:
            csv_writer = get_csv_writer(output)
            for index_sid in range(
                    QueryInfoKey(aReg)[0]):  # the number of subkeys
                # in HKEY_USERS, we have a list of subkeys which are SIDs
                str_sid = EnumKey(aReg, index_sid)
                try:
                    path = str_sid + '\\' + str_user_assist
                    username = str_sid2username(str_sid)
                    reg_user_assist = OpenKey(aReg, path)
                    for index_clsid in range(QueryInfoKey(reg_user_assist)
                                             [0]):  # the number of subkeys
                        # in UserAssist, we have a list of IDs which may vary between different Windows versions
                        str_clsid = EnumKey(reg_user_assist, index_clsid)
                        result = [username, str_sid, str_clsid]
                        reg_count = OpenKey(aReg, path + str_clsid + '\\Count')
                        date_last_mod = convert_windate(
                            QueryInfoKey(reg_count)[2])
                        for index_value in range(QueryInfoKey(reg_count)
                                                 [1]):  # the number of values
                            # the name of the value is encoded with ROT13
                            str_value_name = EnumValue(reg_count,
                                                       index_value)[0]
                            str_value_name = codecs.decode(
                                str_value_name, 'rot_13')
                            str_value_datatmp = EnumValue(
                                reg_count, index_value)[1]
                            # some data are less than 16 bytes for some reason...
                            if len(str_value_datatmp) < 16:
                                write_to_csv(
                                    result + [str_value_name, date_last_mod],
                                    csv_writer)
                            else:
                                if is_win7_or_further:
                                    arr_output = result + [
                                        str_value_name, date_last_mod
                                    ] + self.__csv_user_assist_value_decode_win7_and_after(
                                        str_value_datatmp, count_offset)
                                    write_to_csv(arr_output, csv_writer)
                                else:
                                    write_to_csv(
                                        result +
                                        [str_value_name, date_last_mod] + self.
                                        __csv_user_assist_value_decode_before_win7(
                                            str_value_datatmp, count_offset),
                                        csv_writer)
                        CloseKey(reg_count)
                    CloseKey(reg_user_assist)
                except WindowsError:
                    pass
            CloseKey(aReg)
Пример #12
0
	def csv_recent_docs(self):
		# Shows where recently opened files are saved and when they were opened
		self.logger.info('Getting recent_docs from registry')
		path = '\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\\'
		aReg = ConnectRegistry(None,HKEY_USERS)
		with open(self.output_dir + '\\' + self.computer_name + '_recent_docs.csv', 'wb') as output:
			csv_writer = get_csv_writer(output)
			for index_sid in range(QueryInfoKey(aReg)[0]): # the number of subkeys (SIDs)
				str_sid = EnumKey(aReg, index_sid)
				full_path = str_sid + path
				try:
					username = str_sid2username(str_sid)
					result = [username, str_sid]
					reg_recent_docs = OpenKey(aReg, full_path)
					# Get values of RecentDocs itself
					for index_value in range(QueryInfoKey(reg_recent_docs)[1]): # the number of values (RecentDocs)
						str_value_name = EnumValue(reg_recent_docs, index_value)[0]
						str_value_datatmp = EnumValue(reg_recent_docs, index_value)[1]
						if str_value_name != "MRUListEx":
							value_decoded = self.__decode_recent_docs_MRU(str_value_datatmp)
							write_to_csv(result + value_decoded, csv_writer)
					# Get values of RecentDocs subkeys
					for index_recent_docs_subkey in range(QueryInfoKey(reg_recent_docs)[0]): # the number of subkeys (RecentDocs)
						recent_docs_subkey = EnumKey(reg_recent_docs, index_recent_docs_subkey)
						reg_recent_docs_subkey = OpenKey(aReg, full_path + recent_docs_subkey)
						for index_value in range(QueryInfoKey(reg_recent_docs_subkey)[1]): # the number of values (RecentDocs subkeys)
							str_value_name = EnumValue(reg_recent_docs_subkey, index_value)[0]
							str_value_datatmp = EnumValue(reg_recent_docs_subkey, index_value)[1]
							if str_value_name != "MRUListEx":
								value_decoded = self.__decode_recent_docs_MRU(str_value_datatmp)
								write_to_csv(result + value_decoded, csv_writer)
					#self._dump_csv_registry_to_output('HKEY_USERS', full_path, aReg, csv_writer, username)
				except WindowsError:
					pass
		CloseKey(aReg)
Пример #13
0
    def _csv_windows_prefetch(self, wpref):
        with open(
                self.output_dir + '\\' + self.computer_name + '_prefetch.csv',
                'wb') as output:
            csv_writer = get_csv_writer(output)
            #output.write('"Computer Name"|"Type"|"File"|"Version"|"Size"|"name Exec"|"Create Time"|"Modification Time"\n')
            for prefetch_file, format_version, file_size, exec_name, tc, tm, run_count, hash_table_a, list_str_c in wpref:
                str_c = ''
                for s in list_str_c:
                    str_c += s.replace('\0', '') + ';'

                write_to_csv([
                    self.computer_name, 'Prefetch', prefetch_file,
                    unicode(format_version),
                    unicode(file_size),
                    exec_name.replace('\00', ''),
                    unicode(tc),
                    unicode(tm),
                    unicode(run_count),
                    unicode(hash_table_a['start_time']),
                    unicode(hash_table_a['duration']),
                    unicode(hash_table_a['average_duration']), str_c
                ], csv_writer)
        record_sha256_logs(
            self.output_dir + '\\' + self.computer_name + '_prefetch.csv',
            self.output_dir + '\\' + self.computer_name + '_sha256.log')
Пример #14
0
 def csv_shell_bags(self):
     ''' Exports the shell bags from Windows registry in a csv '''
     # TODO Check Vista and under
     self.logger.info("Getting shell bags from registry")
     aReg = ConnectRegistry(None, HKEY_USERS)
     with open(
             self.output_dir + '\\' + self.computer_name + '_shellbags.csv',
             'wb') as output:
         csv_writer = get_csv_writer(output)
         for index_sid in range(
                 QueryInfoKey(aReg)[0]):  # the number of subkeys
             # in HKEY_USERS, we have a list of subkeys which are SIDs
             str_sid = EnumKey(aReg, index_sid)
             username = str_sid2username(str_sid)
             paths = [
                 '\\Software\\Microsoft\\Windows\\Shell\\Bags\\',
                 '\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\',
                 '\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\Bags\\',
                 '\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\'
             ]
             for path in paths:
                 try:
                     full_path = str_sid + path
                     self._dump_csv_registry_to_output(
                         'HKEY_USERS', full_path, aReg, csv_writer,
                         username, self.__decode_shellbag_itempos_data)
                 except WindowsError:
                     pass
     CloseKey(aReg)
Пример #15
0
 def csv_windows_values(self):
     # outputs winlogon's values to file
     self.logger.info('Getting windows values from registry')
     path = 'Software\Microsoft\Windows NT\CurrentVersion\Windows\\'
     with open(
             self.output_dir + '\\' + self.computer_name +
             '_windows_values.csv', 'wb') as output:
         aReg = ConnectRegistry(None, HKEY_LOCAL_MACHINE)
         csv_writer = get_csv_writer(output)
         try:
             self._dump_csv_registry_to_output('HKEY_LOCAL_MACHINE',
                                               path,
                                               aReg,
                                               csv_writer,
                                               is_recursive=False)
             aReg = ConnectRegistry(None, HKEY_USERS)
             for index_sid in range(
                     QueryInfoKey(aReg)[0]):  # the number of subkeys
                 # in HKEY_USERS, we have a list of subkeys which are SIDs
                 str_sid = EnumKey(aReg, index_sid)
                 username = str_sid2username(str_sid)
                 full_path = str_sid + '\\' + path
                 try:
                     self._dump_csv_registry_to_output('HKEY_USERS',
                                                       full_path,
                                                       aReg,
                                                       csv_writer,
                                                       username,
                                                       is_recursive=False)
                 except WindowsError:
                     pass
         except WindowsError:
             pass
     CloseKey(aReg)
Пример #16
0
 def _csv_open_save_mru(self, str_opensave_mru):
     """Extracts OpenSaveMRU containing information about opened and saved windows"""
     # TODO : Win XP
     self.logger.info("Extracting open save MRU")
     hive_list = self._get_list_from_registry_key(registry_obj.HKEY_USERS, str_opensave_mru)
     to_csv_list = []
     for item in hive_list:
         if item[self.VALUE_NAME] != "MRUListEx":
             l_printable = extract_filename_from_pidlmru(item[self.VALUE_DATA])
             # FIXME: (dirty) if the list is empty it's probably because the string is off by 1...
             if len(l_printable) == 0:
                 # So we take away the first char to have a correct offset (modulo 2)
                 l_printable = extract_filename_from_pidlmru(item[self.VALUE_DATA][1:])
             if len(l_printable) != 0:
                 str_printable = l_printable[-1]
                 if item[self.KEY_VALUE_STR] == "VALUE":
                     to_csv_list.append((self.computer_name, item[self.VALUE_LAST_WRITE_TIME], "HKEY_USERS",
                                         item[self.VALUE_PATH], item[self.VALUE_NAME], item[self.KEY_VALUE_STR],
                                         registry_obj.get_str_type(item[self.VALUE_TYPE]), str_printable))
             else:  # if the length is still 0 then don't know
                 if item[self.KEY_VALUE_STR] == "VALUE":
                     to_csv_list.append((self.computer_name, item[self.VALUE_LAST_WRITE_TIME], "HKEY_USERS",
                                         item[self.VALUE_PATH], item[self.VALUE_NAME], item[self.KEY_VALUE_STR],
                                         registry_obj.get_str_type(item[self.VALUE_TYPE]), item[self.VALUE_DATA]))
     with open(self.output_dir + "\\" + self.computer_name + "_opensaveMRU.csv", "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(to_csv_list, csv_writer)
Пример #17
0
    def get_net_info(self):
        command = "cat /proc/" + self.task.pid + "/net/dev | grep wlan"
        dirs = self.task.output + "/net_stats/"
        file_name = "net_" + self.task.device + "_" + self.task.applicationid + "_" + self.task.version_name + "_" + self.task.name
        field_names = [self.TIME,
                       self.DOWN_SPEED,
                       self.UP_SPEED,
                       self.AVERAGE_DOWN_SPEED,
                       self.AVERAGEUP_SPEED,
                       self.TOTAL_DOWN_SPEED,
                       self.TOTAL_UP_SPEED]
        writer = utils.get_csv_writer(dirs, file_name, field_names)
        while self.is_running:
            if self.is_first:
                self.start_time = time.time_ns()
                self.last_time = self.start_time
                net_info = self.task.d.adb_shell(command)
                net_array = re.split("\s+", net_info)
                self.start_net_down = int(net_array[2])
                self.last_net_down = self.start_net_down
                self.start_net_up = int(net_array[10])
                self.last_net_up = self.start_net_up
                self.is_first = False
            current_time = time.time_ns()
            current_info = self.task.d.adb_shell(command)
            current_array = re.split("\s+", current_info)
            current_net_down = int(current_array[2])
            current_net_up = int(current_array[10])
            time_delta = (current_time - self.last_time) / 1000000000.0
            time_total = (current_time - self.start_time) / 1000000000.0
            net_delta_up = (current_net_up - self.last_net_up) / 1024.0
            net_delta_down = (current_net_down - self.last_net_down) / 1024.0
            net_total_up = (current_net_up - self.start_net_up) / 1024.0
            net_total_down = (current_net_down - self.start_net_down) / 1024.0
            net_speed_up = net_delta_up / time_delta
            net_speed_down = net_delta_down / time_delta
            net_average_speed_up = net_total_up / time_total
            net_average_speed_down = net_total_down / time_total

            writer.writerow({self.TIME: self.get_index(),
                             self.DOWN_SPEED: "{:.2f}".format(net_speed_down),
                             self.UP_SPEED: "{:.2f}".format(net_speed_up),
                             self.AVERAGE_DOWN_SPEED: "{:.2f}".format(net_average_speed_down),
                             self.AVERAGEUP_SPEED: "{:.2f}".format(net_average_speed_up),
                             self.TOTAL_DOWN_SPEED: "{:.2f}".format(net_total_down),
                             self.TOTAL_UP_SPEED: "{:.2f}".format(net_total_up)
                             })
            # print("下载速度:{:.2f} KB/s".format(net_speed_down))
            # print("上传速度:{:.2f} KB/s".format(net_speed_up))
            # print("平均下载速度:{:.2f} KB/s".format(net_average_speed_down))
            # print("平均上传速度:{:.2f} KB/s".format(net_average_speed_up))
            # print("下载总流量:{:.0f} KB/s".format(net_total_down))
            # print("上传总流量:{:.0f} KB/s".format(net_total_up))
            # print("\n")
            self.last_time = current_time
            self.last_net_up = current_net_up
            self.last_net_down = current_net_down
            self.count += 1
            time.sleep(self.task.interval)
Пример #18
0
	def _csv_list_network_drives(self,drives):
		self.logger.info("Health : Listing network drives")
		with open(self.output_dir+'_list_networks_drives.csv','wb') as fw:
			csv_writer = get_csv_writer(fw)
			#fw.write('"Computer Name"|"Type"|"disque"|"fs"|"Partition Name"\r\n')
			for diskCapt,diskFs,diskPName in drives:
				write_to_csv([self.computer_name, 'Network drives', diskCapt, diskFs, diskPName], csv_writer)
		record_sha256_logs(self.output_dir+ '_list_networks_drives.csv',self.output_dir +'_sha256.log')
Пример #19
0
	def _csv_list_route_table(self,routes):
		self.logger.info('Health : Listing routes tables')
		with open(self.output_dir+"_routes_tables.csv",'ab') as fw:
			csv_writer = get_csv_writer(fw)
			#fw.write('"Computer Name"|"Route"|"Name"|"Mask"\r\n')
			for name,mask in routes:
				write_to_csv([self.computer_name, 'Route table', unicode(name), unicode(mask)], csv_writer)
		record_sha256_logs(self.output_dir +'_routes_tables.csv',self.output_dir +'_sha256.log')
Пример #20
0
	def _csv_list_drives(self,drives):
		self.logger.info("Health : Listing drives")
		with open(self.output_dir+'_list_drives.csv','wb') as fw:
			csv_writer = get_csv_writer(fw)
			#fw.write('"Computer Name"|"Type"|"Fab"|"Partions"|"Disk"|"File System"\r\n')
			for phCapt,partCapt,logicalCapt,fs in drives:
				write_to_csv([self.computer_name, 'Drives', phCapt, partCapt, logicalCapt, fs], csv_writer)
		record_sha256_logs(self.output_dir + '_list_drives.csv',self.output_dir+'_sha256.log')
Пример #21
0
	def _csv_list_share(self,share):
		self.logger.info("Health : Listing shares")
		with open(self.output_dir + '_shares.csv','wb') as fw:
			csv_writer = get_csv_writer(fw)
			#fw.write('"Computer Name"|"Type"|"Name"|"Path"\r\n')
			for name,path in share:
				write_to_csv([self.computer_name, 'Shares', name, path], csv_writer)
		record_sha256_logs(self.output_dir +'_shares.csv',self.output_dir +'_sha256.log')
Пример #22
0
	def _csv_list_sessions(self,sessions):
		self.logger.info('Health : Listing sessions')
		with open(self.output_dir+'_sessions.csv','ab') as fw:
			csv_writer = get_csv_writer(fw)
			#fw.write('"Computer Name"|"Type"|"Logon ID"|"Authentication Package"|"Start Time"|"Logon Type"\r\n')
			for logonID,authenticationPackage,startime,logontype in sessions:
				write_to_csv([	self.computer_name, 'Active sessions', unicode(logonID),
								authenticationPackage, unicode(startime.split('.')[0]),  unicode(logontype)], csv_writer)
		record_sha256_logs(self.output_dir + '_sessions.csv',self.output_dir +'_sha256.log')
Пример #23
0
 def csv_installer_folder(self):
     """Extracts information about folders which are created at installation"""
     self.logger.info("Extracting installer folders")
     path = r"Software\Microsoft\Windows\CurrentVersion\Installer\Folders"
     to_csv_list = []
     self._generate_hklm_csv_list(to_csv_list, path)
     with open(self.output_dir + "\\" + self.computer_name + "_installer_folder.csv", "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(to_csv_list, csv_writer)
Пример #24
0
 def csv_run_mru_start(self):
     """Extracts run MRU, containing the 26 last oommands executed using the RUN command"""
     self.logger.info("Extracting Run MRU")
     path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
     to_csv_list = []
     self._generate_hku_csv_list(to_csv_list, path)
     with open(self.output_dir + "\\" + self.computer_name + "_run_MRU_start.csv", "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(to_csv_list, csv_writer)
Пример #25
0
    def _csv_open_save_MRU(self, str_opensaveMRU):
        ''' Extracts information from OpenSaveMRU registry key which contains information about opened and saved windows '''
        # TODO : Win XP
        self.logger.info('Getting open_save_MRU from registry')
        aReg = ConnectRegistry(None, HKEY_USERS)

        with open(
                self.output_dir + '\\' + self.computer_name +
                '_opensaveMRU.csv', 'wb') as output:
            csv_writer = get_csv_writer(output)
            for index_sid in range(
                    QueryInfoKey(aReg)[0]):  # the number of subkeys
                # in HKEY_USERS, we have a list of subkeys which are SIDs
                str_sid = EnumKey(aReg, index_sid)
                try:
                    username = str_sid2username(str_sid)
                    path = str_sid + '\\' + str_opensaveMRU
                    reg_opensaveMRU = OpenKey(aReg, path)
                    for index_clsid in range(QueryInfoKey(reg_opensaveMRU)
                                             [0]):  # the number of subkeys
                        str_filetype = EnumKey(reg_opensaveMRU, index_clsid)
                        reg_filetype = OpenKey(aReg,
                                               path + '\\' + str_filetype)
                        date_last_mod = convert_windate(
                            QueryInfoKey(reg_filetype)[2])
                        # now get the value from the SID subkey
                        for index_value in range(
                                QueryInfoKey(reg_filetype)
                            [1]):  # the number of values
                            value_filetype = EnumValue(reg_filetype,
                                                       index_value)
                            # Here, it is quite... dirty, it is a binary MRU list in which we have to extract the interesting values
                            if value_filetype[0] != 'MRUListEx':
                                l_printable = self.__extract_filename_from_PIDLMRU(
                                    value_filetype[1])

                                # VERY DIRTY, if the list is empty it's probably because the string is off by 1...
                                if len(l_printable) == 0:
                                    # So we take away the first char to have a correct offset (modulo 2)
                                    l_printable = self.__extract_filename_from_PIDLMRU(
                                        value_filetype[1][1:])
                                if len(l_printable) != 0:
                                    str_printable = l_printable[-1]
                                    write_to_csv([
                                        username, str_sid, str_filetype,
                                        date_last_mod, str_printable
                                    ], csv_writer)
                                else:  # if the length is still 0 then... I'm at a loss for words
                                    write_to_csv([
                                        username, str_sid, str_filetype,
                                        date_last_mod
                                    ], csv_writer)
                        CloseKey(reg_filetype)
                    CloseKey(reg_opensaveMRU)
                except WindowsError:
                    pass
        CloseKey(aReg)
Пример #26
0
 def csv_registry_services(self):
     """Extracts services"""
     self.logger.info("Extracting services")
     path = r"System\CurrentControlSet\Services"
     to_csv_list = []
     self._generate_hklm_csv_list(to_csv_list, path)
     with open(self.output_dir + "\\" + self.computer_name + "_registry_services.csv", "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(to_csv_list, csv_writer)
Пример #27
0
 def csv_usb_history(self):
     self.logger.info('Getting USB history')
     key = 'SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\\'
     with open(
             self.output_dir + '\\' + self.computer_name +
             '_USBHistory.csv', 'wb') as output:
         csv_writer = get_csv_writer(output)
         self._print_regkey_csv(key, HKEY_LOCAL_MACHINE, False, csv_writer,
                                'USBSTOR', self._get_key_info)
Пример #28
0
 def csv_installed_components(self):
     """Extracts installed components"""
     self.logger.info("Extracting installed components")
     path = r"Software\Microsoft\Active Setup\Installed Components"
     to_csv_list = []
     self._generate_hklm_csv_list(to_csv_list, path)
     with open(self.output_dir + "\\" + self.computer_name + "_installed_components.csv", "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(to_csv_list, csv_writer)
Пример #29
0
 def csv_windows_values(self):
     """Extracts windows values"""
     self.logger.info("Extracting windows values")
     path = r"Software\Microsoft\Windows NT\CurrentVersion\Windows"
     to_csv_list = []
     self._generate_hklm_csv_list(to_csv_list, path)
     self._generate_hku_csv_list(to_csv_list, path)
     with open(self.output_dir + "\\" + self.computer_name + "_windows_values.csv", "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(to_csv_list, csv_writer)
Пример #30
0
 def _csv_list_share(self, share):
     self.logger.info("Health : Listing shares")
     with open(self.output_dir + '_shares.csv', 'wb') as fw:
         csv_writer = get_csv_writer(fw)
         #fw.write('"Computer Name"|"Type"|"Name"|"Path"\r\n')
         for name, path in share:
             write_to_csv([self.computer_name, 'Shares', name, path],
                          csv_writer)
     record_sha256_logs(self.output_dir + '_shares.csv',
                        self.output_dir + '_sha256.log')
Пример #31
0
	def _csv_list_sockets_network(self,connections):
		self.logger.info('Health : Listing sockets networks')
		with open(self.output_dir+'_sockets.csv','ab') as fw:
			csv_writer = get_csv_writer(fw)
			#fw.write('"Computer Name"|"Type"|"pid"|"name"|"local address"|"source port"|"remote addr"|"remote port"|"status"\r\n')
			for pid,name,local_address,source_port,remote_addr,remote_port,status in connections:
				write_to_csv([	self.computer_name, 'Sockets', unicode(pid),
								unicode(name), unicode(local_address), unicode(source_port),
								unicode(remote_addr), unicode(remote_port), unicode(status)], csv_writer)
		record_sha256_logs(self.output_dir +'_sockets.csv',self.output_dir +'_sha256.log')
Пример #32
0
	def _csv_list_services(self,services):
		self.logger.info('Health : Listing services')
		with open(self.output_dir+'_services.csv','ab') as fw:
			csv_writer = get_csv_writer(fw)
			#fw.write('"Computer Name"|"Type"|"name"|"caption"|"processId"|"pathName"|"serviceType"|"status"|"state"|"startMode"\r\n')
			for name,caption,processId,pathName,serviceType,status,state,startMode in services:
				write_to_csv([	self.computer_name, 'Services', caption,
								unicode(processId), serviceType, pathName,
								unicode(status), state, startMode], csv_writer)
		record_sha256_logs(self.output_dir +'_services.csv',self.output_dir +'_sha256.log')
Пример #33
0
 def csv_registry_services(self):
     """Extracts services"""
     self.logger.info("Extracting services")
     path = r"System\CurrentControlSet\Services"
     to_csv_list = []
     self._generate_hklm_csv_list(to_csv_list, path)
     with open(
             self.output_dir + "\\" + self.computer_name +
             "_registry_services.csv", "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(to_csv_list, csv_writer)
Пример #34
0
	def csv_registry_services(self):
		self.logger.info('Getting services from registry')
		aReg = ConnectRegistry(None, HKEY_LOCAL_MACHINE)
		with open(self.output_dir + '\\' + self.computer_name + '_services_registry.csv', 'wb') as output:
			csv_writer = get_csv_writer(output)
			try:
				#write_to_output('"Computer Name""|""CatchEvidence""|""Date last modification""|""Registry path""|""Registry type""|""Value"', output)
				self._dump_csv_registry_to_output('HKEY_LOCAL_MACHINE', 'System\CurrentControlSet\Services\\', aReg, csv_writer)
			except WindowsError:
				pass
		CloseKey(aReg)
Пример #35
0
 def csv_installer_folder(self):
     """Extracts information about folders which are created at installation"""
     self.logger.info("Extracting installer folders")
     path = r"Software\Microsoft\Windows\CurrentVersion\Installer\Folders"
     to_csv_list = []
     self._generate_hklm_csv_list(to_csv_list, path)
     with open(
             self.output_dir + "\\" + self.computer_name +
             "_installer_folder.csv", "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(to_csv_list, csv_writer)
Пример #36
0
 def csv_installed_components(self):
     """Extracts installed components"""
     self.logger.info("Extracting installed components")
     path = r"Software\Microsoft\Active Setup\Installed Components"
     to_csv_list = []
     self._generate_hklm_csv_list(to_csv_list, path)
     with open(
             self.output_dir + "\\" + self.computer_name +
             "_installed_components.csv", "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(to_csv_list, csv_writer)
Пример #37
0
 def csv_run_mru_start(self):
     """Extracts run MRU, containing the 26 last oommands executed using the RUN command"""
     self.logger.info("Extracting Run MRU")
     path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
     to_csv_list = []
     self._generate_hku_csv_list(to_csv_list, path)
     with open(
             self.output_dir + "\\" + self.computer_name +
             "_run_MRU_start.csv", "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(to_csv_list, csv_writer)
Пример #38
0
 def _csv_list_named_pipes(self, pipes):
     with open(
             self.output_dir + '\\' + self.computer_name +
             '_named_pipes.csv', 'wb') as output:
         csv_writer = get_csv_writer(output)
         #output.write('"Computer Name"|"Type"|"Name"\n')
         for pipe in pipes:
             write_to_csv([self.computer_name, 'PIPES', pipe], csv_writer)
     record_sha256_logs(
         self.output_dir + '\\' + self.computer_name + '_named_pipes.csv',
         self.output_dir + '\\' + self.computer_name + '_sha256.log')
Пример #39
0
 def _csv_list_drives(self, drives):
     self.logger.info("Health : Listing drives")
     with open(self.output_dir + '_list_drives.csv', 'wb') as fw:
         csv_writer = get_csv_writer(fw)
         #fw.write('"Computer Name"|"Type"|"Fab"|"Partions"|"Disk"|"File System"\r\n')
         for phCapt, partCapt, logicalCapt, fs in drives:
             write_to_csv([
                 self.computer_name, 'Drives', phCapt, partCapt,
                 logicalCapt, fs
             ], csv_writer)
     record_sha256_logs(self.output_dir + '_list_drives.csv',
                        self.output_dir + '_sha256.log')
Пример #40
0
 def _csv_list_network_drives(self, drives):
     self.logger.info("Health : Listing network drives")
     with open(self.output_dir + '_list_networks_drives.csv', 'wb') as fw:
         csv_writer = get_csv_writer(fw)
         #fw.write('"Computer Name"|"Type"|"disque"|"fs"|"Partition Name"\r\n')
         for diskCapt, diskFs, diskPName in drives:
             write_to_csv([
                 self.computer_name, 'Network drives', diskCapt, diskFs,
                 diskPName
             ], csv_writer)
     record_sha256_logs(self.output_dir + '_list_networks_drives.csv',
                        self.output_dir + '_sha256.log')
Пример #41
0
	def _csv_list_running_process(self,list_running):
		self.logger.info("Health : Listing running processes")
		with open(self.output_dir+'_processes.csv','ab') as fw:
			csv_writer = get_csv_writer(fw)
			#fw.write('"Computer Name"|"Type"|"PID"|"Name"|"Command"|"Path Exec"\r\n')
			for p in list_running:
				pid=p[0]
				name=p[1]
				cmd=p[2]
				exe_path=p[3]
				write_to_csv([self.computer_name, 'Running processes', unicode(pid), name, unicode(cmd), unicode(exe_path)], csv_writer)
		record_sha256_logs(self.output_dir +'_processes.csv',self.output_dir+'_sha256.log')
Пример #42
0
	def csv_installer_folder(self):
		# Shows where recently opened files are saved and when they were opened
		self.logger.info('Getting installer folders from registry')
		path = 'Software\Microsoft\Windows\CurrentVersion\Installer\Folders\\'
		with open(self.output_dir + '\\' + self.computer_name + '_installer_folder.csv', 'ab') as output:
			aReg = ConnectRegistry(None, HKEY_LOCAL_MACHINE)
			csv_writer = get_csv_writer(output)
			try:
				self._dump_csv_registry_to_output('HKEY_LOCAL_MACHINE', path, aReg, csv_writer)
			except WindowsError:
				pass
		CloseKey(aReg)
Пример #43
0
 def csv_windows_values(self):
     """Extracts windows values"""
     self.logger.info("Extracting windows values")
     path = r"Software\Microsoft\Windows NT\CurrentVersion\Windows"
     to_csv_list = []
     self._generate_hklm_csv_list(to_csv_list, path)
     self._generate_hku_csv_list(to_csv_list, path)
     with open(
             self.output_dir + "\\" + self.computer_name +
             "_windows_values.csv", "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(to_csv_list, csv_writer)
Пример #44
0
 def _csv_user_assist(self, count_offset, is_win7_or_further):
     """Extracts information from UserAssist registry key which contains information about executed programs
     The count offset is for Windows versions before 7, where it would start at 6...
     """
     self.logger.info("Extracting user assist")
     path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\\UserAssist"
     count = "\Count"
     # logged on users
     users = registry_obj.RegistryKey(registry_obj.HKEY_USERS)
     hive_list = []
     for i in xrange(users.get_number_of_sub_keys()):
         user = users.get_sub_key(i)
         user_assist_key = user.get_sub_key_by_path(path)
         if user_assist_key:
             for j in xrange(user_assist_key.get_number_of_sub_keys()):
                 # getting Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\*\Count
                 path_no_sid = "\\".join(
                     user_assist_key.get_sub_key(j).get_path().split("\\")
                     [1:])
                 hive_list += self._get_list_from_registry_key(
                     registry_obj.HKEY_USERS, path_no_sid + count)
     to_csv_list = []
     for item in hive_list:
         if item[self.KEY_VALUE_STR] == "VALUE":
             str_value_name = codecs.decode(item[self.VALUE_NAME], "rot_13")
             str_value_datatmp = item[self.VALUE_DATA]
             # some data are less than 16 bytes for some reason...
             if len(str_value_datatmp) < 16:
                 to_csv_list.append(
                     (self.computer_name, item[self.VALUE_LAST_WRITE_TIME],
                      "HKEY_USERS", item[self.VALUE_PATH],
                      item[self.VALUE_NAME], item[self.KEY_VALUE_STR],
                      registry_obj.get_str_type(item[self.VALUE_TYPE]),
                      str_value_name))
             else:
                 if is_win7_or_further:
                     data = csv_user_assist_value_decode_win7_and_after(
                         str_value_datatmp, count_offset)
                 else:
                     data = csv_user_assist_value_decode_before_win7(
                         str_value_datatmp, count_offset)
                 to_csv_list.append(
                     (self.computer_name, item[self.VALUE_LAST_WRITE_TIME],
                      "HKEY_USERS", item[self.VALUE_PATH],
                      item[self.VALUE_NAME], item[self.KEY_VALUE_STR],
                      registry_obj.get_str_type(item[self.VALUE_TYPE]),
                      str_value_name) + tuple(data))
     with open(
             self.output_dir + "\\" + self.computer_name +
             "_user_assist.csv", "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(to_csv_list, csv_writer)
Пример #45
0
	def csv_recycle_bin(self):
		''' Exports the filenames contained in the recycle bin '''
		with open(self.output_dir + '\\' + self.computer_name + '_recycle_bin.csv', 'wb') as output:
			csv_writer = get_csv_writer(output)
			#output.write('"Computer Name"|"Type"|"Name 1"|"Name 2"\n')
			idl = shell.SHGetSpecialFolderLocation(0, shellcon.CSIDL_BITBUCKET)
			desktop = shell.SHGetDesktopFolder()
			files = desktop.BindToObject(idl, None, shell.IID_IShellFolder)
			
			for bin_file in files:
				write_to_csv([	self.computer_name, 'Recycle Bin', files.GetDisplayNameOf(bin_file, shellcon.SHGDN_NORMAL),
								files.GetDisplayNameOf(bin_file, shellcon.SHGDN_FORPARSING)], csv_writer)
		record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_recycle_bin.csv',self.output_dir +'\\'+self.computer_name+'_sha256.log')
Пример #46
0
	def csv_installed_components(self):
		# outputs installed components to file
		''' HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components '''
		self.logger.info('Getting installed components from registry')
		path = 'Software\Microsoft\Active Setup\Installed Components\\'
		with open(self.output_dir + '\\' + self.computer_name + '_installed_components.csv', 'wb') as output:
			aReg = ConnectRegistry(None, HKEY_LOCAL_MACHINE)
			csv_writer = get_csv_writer(output)
			try:
				self._dump_csv_registry_to_output('HKEY_LOCAL_MACHINE', path, aReg, csv_writer)
			except WindowsError:
				pass
		CloseKey(aReg)
Пример #47
0
 def _csv_list_services(self, services):
     self.logger.info('Health : Listing services')
     with open(self.output_dir + '_services.csv', 'ab') as fw:
         csv_writer = get_csv_writer(fw)
         #fw.write('"Computer Name"|"Type"|"name"|"caption"|"processId"|"pathName"|"serviceType"|"status"|"state"|"startMode"\r\n')
         for name, caption, processId, pathName, serviceType, status, state, startMode in services:
             write_to_csv([
                 self.computer_name, 'Services', caption,
                 unicode(processId), serviceType, pathName,
                 unicode(status), state, startMode
             ], csv_writer)
     record_sha256_logs(self.output_dir + '_services.csv',
                        self.output_dir + '_sha256.log')
Пример #48
0
 def _csv_list_route_table(self, routes):
     self.logger.info('Health : Listing routes tables')
     with open(self.output_dir + "_routes_tables.csv", 'ab') as fw:
         csv_writer = get_csv_writer(fw)
         #fw.write('"Computer Name"|"Route"|"Name"|"Mask"\r\n')
         for name, mask in routes:
             write_to_csv([
                 self.computer_name, 'Route table',
                 unicode(name),
                 unicode(mask)
             ], csv_writer)
     record_sha256_logs(self.output_dir + '_routes_tables.csv',
                        self.output_dir + '_sha256.log')
Пример #49
0
    def _csv_all_modules_opened_files(self):
        ''' Outputs all processes and their opened files in a csv '''
        hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)

        pe32 = PROCESSENTRY32()
        pe32.dwSize = sizeof(PROCESSENTRY32)
        ret = Process32First(hProcessSnap, pointer(pe32))

        with open(
                self.output_dir + '\\' + self.computer_name +
                '_processes_opened_files.csv', 'wb') as output:
            csv_writer = get_csv_writer(output)

            #output.write('"Computer Name"|"PID"|"Process Name"|"File Opened"\r\n')
            while ret:
                #print "  process ID		= %d" % pe32.th32ProcessID
                try:
                    p = psutil.Process(pe32.th32ProcessID)
                    process_name = p.name()
                    self.logger.info('Getting opened files for : ' +
                                     process_name + '(' +
                                     unicode(pe32.th32ProcessID) + ')')
                    # Here, we need open a subprocess because get_open_files may hang forever
                    q = Queue()
                    process = Process(target=timer_open_files, args=(
                        p,
                        q,
                    ))
                    process.start()
                    # We wait for 2 seconds
                    process.join(2)
                    if process.is_alive():
                        # If the subprocess is still alive, assume it is hanged and kill it
                        q.close()
                        process.terminate()
                    else:
                        # Otherwise, continue normal processing
                        opened_files = q.get()
                        if isinstance(opened_files, list):
                            for opened_file in opened_files:
                                write_to_csv([
                                    self.computer_name, 'Files Opened',
                                    unicode(pe32.th32ProcessID), process_name,
                                    opened_file[0]
                                ], csv_writer)
                except psutil.AccessDenied:
                    self.logger.warn('Could not open handle for PID : ' +
                                     unicode(pe32.th32ProcessID))
                #ListProcessThreads( pe32.th32ProcessID )

                ret = Process32Next(hProcessSnap, pointer(pe32))
Пример #50
0
	def _csv_windows_prefetch(self,wpref):
		with open(self.output_dir + '\\' + self.computer_name + '_prefetch.csv', 'wb') as output:
			csv_writer = get_csv_writer(output)
			#output.write('"Computer Name"|"Type"|"File"|"Version"|"Size"|"name Exec"|"Create Time"|"Modification Time"\n')
			for prefetch_file, format_version, file_size, exec_name, tc, tm, run_count, hash_table_a, list_str_c in wpref:
				str_c = ''
				for s in list_str_c:
					str_c += s.replace('\0', '') + ';'
				
				write_to_csv([	self.computer_name, 'Prefetch', prefetch_file,
									unicode(format_version), unicode(file_size), exec_name.replace('\00', ''),
									unicode(tc), unicode(tm), unicode(run_count), unicode(hash_table_a['start_time']),
									unicode(hash_table_a['duration']), unicode(hash_table_a['average_duration']), str_c], csv_writer)
		record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_prefetch.csv',self.output_dir +'\\'+self.computer_name+'_sha256.log')
	def csv_list_scheduled_jobs(self):
		self.logger.info('Health : Listing scheduled jobs')
		file_tasks=self.output_dir + '_tasks.csv'
		with open(file_tasks, 'wb') as tasks_logs:
			proc=subprocess.Popen(["schtasks.exe",'/query','/fo','CSV'],stdout=subprocess.PIPE)
			res = proc.communicate()
			res = get_terminal_decoded_string(res[0])
			write_to_output(res, tasks_logs, self.logger)
		with open(file_tasks, "r") as fr, open(self.output_dir,'ab') as fw:
			csv_writer = get_csv_writer(fw)
			for l in fr.readlines():
				l = l.decode('utf8')[:-1].replace('"', '')
				if l.find(',') !=-1:
					write_to_csv([self.computer_name, 'Scheduled jobs'] + l.split(','), csv_writer)
Пример #52
0
	def _csv_list_arp_table(self,arp):
		self.logger.info('Health : Listing ARP tables')
		with open(self.output_dir + "_arp_table.csv",'wb') as fw:
			csv_writer = get_csv_writer(fw)
			#fw.write('"Computer Name"|"Type"|"IP"|"Mac"|"Status"\n')
			for entry in arp:
				entry.replace('\xff','')
				tokens=entry.split()
				entry_to_write=''
				if len(tokens)==3:
					entry_to_write='"'+self.computer_name+'"|"ARP table"|"'+'"|"'.join(tokens)+'"\n'
				if entry_to_write.find('\.')!=1 and len(entry_to_write) >0:
					arr_to_write = [self.computer_name, 'ARP table'] + tokens
					write_to_csv(arr_to_write, csv_writer)
		record_sha256_logs(self.output_dir +'_arp_table.csv',self.output_dir +'_sha256.log')
Пример #53
0
 def csv_recent_docs(self):
     """Extracts information about recently opened files saved location and opened date"""
     self.logger.info("Extracting recent docs")
     path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"
     hive_list = self._get_list_from_registry_key(registry_obj.HKEY_USERS, path)
     to_csv_list = []
     for item in hive_list:
         if item[self.KEY_VALUE_STR] == "VALUE":
             if item[self.VALUE_NAME] != "MRUListEx":
                 value_decoded = decode_recent_docs_mru(item[self.VALUE_DATA])
                 to_csv_list.append((self.computer_name, item[self.VALUE_LAST_WRITE_TIME], "HKEY_USERS",
                                     item[self.VALUE_PATH], item[self.VALUE_NAME], item[self.KEY_VALUE_STR],
                                     registry_obj.get_str_type(item[self.VALUE_TYPE])) + tuple(value_decoded))
     with open(self.output_dir + "\\" + self.computer_name + "_recent_docs.csv", "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(to_csv_list, csv_writer)
Пример #54
0
 def csv_usb_history(self):
     """Extracts information about USB devices"""
     self.logger.info("Extracting USB history")
     hive_list = self._get_list_from_registry_key(
         registry_obj.HKEY_LOCAL_MACHINE,
         r"SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}",
         is_recursive=False)
     to_csv_list = []
     for item in hive_list:
         if item[self.KEY_VALUE_STR] == "KEY":
             usb_decoded = get_usb_key_info(item[self.KEY_PATH])
             to_csv_list.append((self.computer_name, item[self.KEY_LAST_WRITE_TIME], "HKEY_LOCAL_MACHINE",
                                 item[self.KEY_PATH], item[self.KEY_VALUE_STR], usb_decoded))
     with open(self.output_dir + "\\" + self.computer_name + "_USBHistory.csv", "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(to_csv_list, csv_writer)
Пример #55
0
	def _csv_list_scheduled_jobs(self):
		self.logger.info('Health : Listing scheduled jobs')
		file_tasks=self.output_dir + '_tasks.csv'
		with open(file_tasks,'wb') as tasks_logs:
			proc=subprocess.Popen(["schtasks.exe",'/query','/fo','CSV'], stdout=subprocess.PIPE)
			res = proc.communicate()
			res = get_terminal_decoded_string(res[0])
			write_to_output(res, tasks_logs, self.logger)
		with open(file_tasks,"r") as fr, open(self.output_dir + "_scheduled_jobs.csv",'wb') as fw:
			csv_writer = get_csv_writer(fw)
			#fw.write('"Computer Name"|"Type"|"Name"|"Time"|"State"\r\n')
			for l in fr.readlines():
				l = l.decode('utf8')
				if l.find('\\') > 0:
					l = l[:-1].replace('"', '') # remove the end of line
					arr_write = [self.computer_name, 'Scheduled jobs'] + l.split(',')
					write_to_csv(arr_write, csv_writer)
		record_sha256_logs(self.output_dir +'_scheduled_jobs.csv',self.output_dir +'_sha256.log')