def csv_startup_programs(self): ''' Exports the programs running at startup ''' ''' [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce] [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows] ''' self.logger.info("Getting startup programs from registry") software = '\Software' wow = '\Wow6432Node' with open(self.output_dir + '\\' + self.computer_name + '_startup.csv', 'wb') as output: csv_writer = get_csv_writer(output) aReg = ConnectRegistry(None, HKEY_USERS) for index_sid in range(QueryInfoKey(aReg)[0]): # the number of subkeys # in HKEY_USERS, we have a list of subkeys which are SIDs str_sid = EnumKey(aReg, index_sid) username = str_sid2username(str_sid) paths = ['\Microsoft\Windows\CurrentVersion\Run\\', '\Microsoft\Windows\CurrentVersion\RunOnce\\', '\Software\Microsoft\Windows\CurrentVersion\RunOnceEx', '\Microsoft\Windows\CurrentVersion\RunServices\\', '\Microsoft\Windows\CurrentVersion\RunServicesOnce\\', '\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit\\'] for path in paths: try: full_path = str_sid + software + path self._dump_csv_registry_to_output('HKEY_USERS', full_path, aReg, csv_writer, username) full_path = str_sid + software + wow + path self._dump_csv_registry_to_output('HKEY_USERS', full_path, aReg, csv_writer, username) except WindowsError: pass CloseKey(aReg) with open(self.output_dir + '\\' + self.computer_name + '_startup.csv', 'ab') as output: csv_writer = get_csv_writer(output) aReg = ConnectRegistry(None, HKEY_LOCAL_MACHINE) paths = ['\Microsoft\Windows\CurrentVersion\Run\\', '\Microsoft\Windows\CurrentVersion\RunOnce\\', '\Software\Microsoft\Windows\CurrentVersion\RunOnceEx', '\Microsoft\Windows\CurrentVersion\RunServices\\', '\Microsoft\Windows\CurrentVersion\RunServicesOnce\\', '\Microsoft\Windows NT\CurrentVersion\Windows\\', '\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'] for path in paths: try: full_path = software + path self._dump_csv_registry_to_output('HKEY_LOCAL_MACHINE', path, aReg, csv_writer) full_path = software + wow + path self._dump_csv_registry_to_output('HKEY_LOCAL_MACHINE', path, aReg, csv_writer) except WindowsError: pass CloseKey(aReg)
def get_fps_info(self): command = "dumpsys gfxinfo " + self.task.pid + " reset | grep -E 'Total frames|Janky frames'" dirs = self.task.output + "/fps_stats/" file_name = "fps_" + self.task.device + "_" + self.task.applicationid + "_" + self.task.version_name + "_" + self.task.name field_names = [self.TIME, self.FPS] writer = utils.get_csv_writer(dirs, file_name, field_names) while self.is_running: result = self.task.d.adb_shell(command) print(result) total_frames = int(re.findall("\d+", result)[0]) janky_frames = int(re.findall("\d+", result)[1]) print(total_frames) print(janky_frames) # if self.is_first: # self.last_time = time.time_ns() # self.last_fps = int(re.findall("\d+", self.task.d.adb_shell(command))[0]) # self.is_first = False # continue # current_time = time.time_ns() # current_fps = int(re.findall("\d+", self.task.d.adb_shell(command))[0]) # time_delta = (current_time - self.last_time) / 1000000000.0 # fps_delta = current_fps - self.last_fps # fps = fps_delta / time_delta # print('current_frames=%d, last_frames=%d, + %d, current_fps=%d' % (current_fps, self.last_fps, fps_delta, fps)) # self.last_time = current_time # self.last_fps = current_fps # writer.writerow({self.TIME: self.get_index(), self.FPS: "{:.2f}".format(fps)}) # self.count += 1 time.sleep(self.task.interval)
def get_mem_info(self): dirs = self.task.output + "/mem_stats/" file_name = "mem_" + self.task.device + "_" + self.task.applicationid + "_" + self.task.version_name + "_" + self.task.name # field_names = [self.TIME, self.NATIVE_HEAP, self.DALVIK_HEAP, self.TOTAL_HEAP] field_names = [self.TIME, self.TOTAL_HEAP] writer = utils.get_csv_writer(dirs, file_name, field_names) while self.is_running: # native_info = self.task.d.adb_shell("dumpsys meminfo " + self.task.pid + " | grep 'Native Heap '") # native_pss = format(int(re.findall(r"\d+", native_info)[0]) / 1000.0, ".2f") # print('Native Heap=%s' %native_info) # dalvik_info = self.task.d.adb_shell("dumpsys meminfo " + self.task.pid + " | grep 'Dalvik Heap '") # dalvik_pss = format(int(re.findall(r"\d+", dalvik_info)[0]) / 1000.0, ".2f") # print('Dalvik Heap=%s' %dalvik_info) total_info = self.task.d.adb_shell("dumpsys meminfo " + self.task.pid + " | grep 'TOTAL:'") total_pss = format( int(re.findall(r"\d+", total_info)[0]) / 1000.0, ".2f") print(total_info) # print(total_pss) writer.writerow({ self.TIME: self.get_index(), # self.NATIVE_HEAP: native_pss, self.DALVIK_HEAP: dalvik_pss, self.TOTAL_HEAP: total_pss }) self.count += 1 time.sleep(self.task.interval)
def _csv_event_logs(self, isWinXP): ''' Prints the event logs in a csv, the called method is different for WinXP and lower ''' server = None # name of the target computer to get event logs, None to get logs from current computer with open(self.output_dir + '\\' + self.computer_name + '_evts.csv', 'wb') as fw: csv_writer = get_csv_writer(fw) if isWinXP: for eventCategory, sourceName, eventID, eventType, date, log in self._list_evt_XP( server, 'Security'): write_to_csv([ self.computer_name, 'Logs', 'Security', eventCategory, sourceName, eventID, eventType, date ] + log, csv_writer) for eventCategory, sourceName, eventID, eventType, date, log in self._list_evt_XP( server, 'Application'): write_to_csv([ self.computer_name, 'Logs', 'Application', eventCategory, sourceName, eventID, eventType, date ] + log, csv_writer) for eventCategory, sourceName, eventID, eventType, date, log in self._list_evt_XP( server, 'System'): write_to_csv([ self.computer_name, 'Logs', 'System', eventCategory, sourceName, eventID, eventType, date ] + log, csv_writer) else: # Exports everything from the event viewer evt_handle = win32evtlog.EvtOpenChannelEnum() while True: # opening channel for enumeration logtype = win32evtlog.EvtNextChannelPath(evt_handle) if logtype is None: break #fw.write('"Computer Name"|"Type"|"Date"|"logtype"|"log data"\n') self._list_evt_Vista(server, logtype)
def _csv_list_named_pipes(self,pipes): with open(self.output_dir + '\\' + self.computer_name + '_named_pipes.csv', 'wb') as output: csv_writer = get_csv_writer(output) #output.write('"Computer Name"|"Type"|"Name"\n') for pipe in pipes: write_to_csv([self.computer_name, 'PIPES', pipe], csv_writer) record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_named_pipes.csv',self.output_dir +'\\'+self.computer_name+'_sha256.log')
def _csv_all_modules_dll(self): ''' Outputs all processes and their opened dll in a csv ''' hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0) pe32 = PROCESSENTRY32() pe32.dwSize = sizeof(PROCESSENTRY32) ret = Process32First(hProcessSnap, pointer(pe32)) with open( self.output_dir + '\\' + self.computer_name + '_processes_dll.csv', 'wb') as output: csv_writer = get_csv_writer(output) #output.write('"Computer Name"|"Type"|"PID"|"Name"|"Module"\r\n') while ret: self.logger.info(" process ID = %d" % pe32.th32ProcessID) modules = self._GetProcessModules(pe32.th32ProcessID, False) if len(modules) > 0: process_name = modules.pop( 0) # first element is the name of the process for module in modules: write_to_csv([ self.computer_name, 'DLL', unicode(pe32.th32ProcessID), process_name, module ], csv_writer) #ListProcessThreads( pe32.th32ProcessID ) ret = Process32Next(hProcessSnap, pointer(pe32))
def csv_clipboard(self): ''' Exports the clipboard contents ''' # TODO check if it is the same for older windows self.logger.info('Getting clipboard contents') with open(self.output_dir + '\\' + self.computer_name + '_clipboard.csv', 'wb') as output: csv_writer = get_csv_writer(output) #output.write('"Computer Name"|"Type"|Data"\n') try: r = Tk() # Using Tk instead because it supports exotic characters data = r.selection_get(selection='CLIPBOARD') r.destroy() #data = win32clipboard.GetClipboardData().decode('utf_8') write_to_csv([self.computer_name, 'String data in clipboard', unicode(data)], csv_writer) except: r.destroy() win32clipboard.OpenClipboard() clip = win32clipboard.EnumClipboardFormats(0) while clip: try: format_name = win32clipboard.GetClipboardFormatName(clip) except win32api.error: format_name = "?" self.logger.info('format ' + unicode(clip) + ' ' + unicode(format_name)) if clip == 15: # 15 seems to be a list of filenames filenames = win32clipboard.GetClipboardData(clip) for filename in filenames: write_to_csv([self.computer_name, 'List of files in clipboard', filename], csv_writer) clip = win32clipboard.EnumClipboardFormats(clip) win32clipboard.CloseClipboard()
def csv_sha256(self, path=os.environ['SYSTEMDRIVE'] + '\\'): try: list_files = os.listdir(unicode(path)) except Exception as e: self.logger.warn("Cannot list " + path) return for f in list_files: d = os.path.join(path, f) if os.path.isdir(d): self.csv_sha256(d) elif os.path.isfile(d): try: sha = process_sha256(d) with open( self.output_dir + '\\' + self.computer_name + '_sha256.csv', 'ab') as output: csv_writer = get_csv_writer(output) write_to_csv( ['sha256', d, sha.hexdigest()], csv_writer) except UnicodeError: pass except IOError: pass except ValueError: pass
def _csv_event_logs(self, is_win_xp): """Prints the event logs in a csv, the called method is different for WinXP and lower""" server = None # name of the target computer to get event logs, None to get logs from current computer with open(self.output_dir + '\\' + self.computer_name + '_evts.csv', 'wb') as fw: csv_writer = get_csv_writer(fw) if is_win_xp: for eventCategory, sourceName, eventID, eventType, date, log in self._list_evt_xp(server, 'Security'): write_to_csv([self.computer_name, 'Logs', 'Security', eventCategory, sourceName, eventID, eventType, date] + log, csv_writer) for eventCategory, sourceName, eventID, eventType, date, log in self._list_evt_xp(server, 'Application'): write_to_csv( [self.computer_name, 'Logs', 'Application', eventCategory, sourceName, eventID, eventType, date] + log, csv_writer) for eventCategory, sourceName, eventID, eventType, date, log in self._list_evt_xp(server, 'System'): write_to_csv([self.computer_name, 'Logs', 'System', eventCategory, sourceName, eventID, eventType, date] + log, csv_writer) else: # Exports everything from the event viewer evt_handle = win32evtlog.EvtOpenChannelEnum() os.mkdir(self.output_dir + r"\evt") while True: # opening channel for enumeration logtype = win32evtlog.EvtNextChannelPath(evt_handle) if logtype is None: break # fw.write('"Computer Name"|"Type"|"Date"|"logtype"|"log data"\n') self._list_evt_vista(server, logtype)
def csv_shell_bags(self): """Extracts shellbags: size, view, icon and position for Explorer folders""" # TODO Check Vista and under self.logger.info("Extracting shell bags") paths = [r"Software\Microsoft\Windows\Shell\Bags", r"Software\Microsoft\Windows\Shell\BagMRU", r"Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags", r"Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU"] hive_list = [] for path in paths: hive_list += self._get_list_from_registry_key(registry_obj.HKEY_USERS, path) to_csv_list = [] for item in hive_list: try: datas = decode_shellbag_itempos_data(item[self.VALUE_NAME], item[self.VALUE_DATA]) except IndexError: self.logger.error("Error in shellbag data format for " + item[self.VALUE_NAME]) datas = None if datas: for data in datas: if item[self.KEY_VALUE_STR] == "VALUE": to_csv_list.append((self.computer_name, item[self.VALUE_LAST_WRITE_TIME], "HKEY_USERS", item[self.VALUE_PATH], item[self.VALUE_NAME], item[self.KEY_VALUE_STR], registry_obj.get_str_type(item[self.VALUE_TYPE])) + tuple(data)) else: if item[self.KEY_VALUE_STR] == "VALUE": to_csv_list.append((self.computer_name, item[self.VALUE_LAST_WRITE_TIME], "HKEY_USERS", item[self.VALUE_PATH], item[self.VALUE_NAME], item[self.KEY_VALUE_STR], registry_obj.get_str_type(item[self.VALUE_TYPE]), item[self.VALUE_DATA])) with open(self.output_dir + "\\" + self.computer_name + "_shellbags.csv", "wb") as output: csv_writer = get_csv_writer(output) write_list_to_csv(to_csv_list, csv_writer)
def _csv_user_assist(self, count_offset, is_win7_or_further): ''' Extracts information from UserAssist registry key which contains information about executed programs ''' ''' The count offset is for Windows versions before 7, where it would start at 6... ''' self.logger.info('Getting user_assist from registry') aReg = ConnectRegistry(None, HKEY_USERS) str_user_assist = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\' with open( self.output_dir + '\\' + self.computer_name + '_userassist.csv', 'wb') as output: csv_writer = get_csv_writer(output) for index_sid in range( QueryInfoKey(aReg)[0]): # the number of subkeys # in HKEY_USERS, we have a list of subkeys which are SIDs str_sid = EnumKey(aReg, index_sid) try: path = str_sid + '\\' + str_user_assist username = str_sid2username(str_sid) reg_user_assist = OpenKey(aReg, path) for index_clsid in range(QueryInfoKey(reg_user_assist) [0]): # the number of subkeys # in UserAssist, we have a list of IDs which may vary between different Windows versions str_clsid = EnumKey(reg_user_assist, index_clsid) result = [username, str_sid, str_clsid] reg_count = OpenKey(aReg, path + str_clsid + '\\Count') date_last_mod = convert_windate( QueryInfoKey(reg_count)[2]) for index_value in range(QueryInfoKey(reg_count) [1]): # the number of values # the name of the value is encoded with ROT13 str_value_name = EnumValue(reg_count, index_value)[0] str_value_name = codecs.decode( str_value_name, 'rot_13') str_value_datatmp = EnumValue( reg_count, index_value)[1] # some data are less than 16 bytes for some reason... if len(str_value_datatmp) < 16: write_to_csv( result + [str_value_name, date_last_mod], csv_writer) else: if is_win7_or_further: arr_output = result + [ str_value_name, date_last_mod ] + self.__csv_user_assist_value_decode_win7_and_after( str_value_datatmp, count_offset) write_to_csv(arr_output, csv_writer) else: write_to_csv( result + [str_value_name, date_last_mod] + self. __csv_user_assist_value_decode_before_win7( str_value_datatmp, count_offset), csv_writer) CloseKey(reg_count) CloseKey(reg_user_assist) except WindowsError: pass CloseKey(aReg)
def csv_recent_docs(self): # Shows where recently opened files are saved and when they were opened self.logger.info('Getting recent_docs from registry') path = '\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\\' aReg = ConnectRegistry(None,HKEY_USERS) with open(self.output_dir + '\\' + self.computer_name + '_recent_docs.csv', 'wb') as output: csv_writer = get_csv_writer(output) for index_sid in range(QueryInfoKey(aReg)[0]): # the number of subkeys (SIDs) str_sid = EnumKey(aReg, index_sid) full_path = str_sid + path try: username = str_sid2username(str_sid) result = [username, str_sid] reg_recent_docs = OpenKey(aReg, full_path) # Get values of RecentDocs itself for index_value in range(QueryInfoKey(reg_recent_docs)[1]): # the number of values (RecentDocs) str_value_name = EnumValue(reg_recent_docs, index_value)[0] str_value_datatmp = EnumValue(reg_recent_docs, index_value)[1] if str_value_name != "MRUListEx": value_decoded = self.__decode_recent_docs_MRU(str_value_datatmp) write_to_csv(result + value_decoded, csv_writer) # Get values of RecentDocs subkeys for index_recent_docs_subkey in range(QueryInfoKey(reg_recent_docs)[0]): # the number of subkeys (RecentDocs) recent_docs_subkey = EnumKey(reg_recent_docs, index_recent_docs_subkey) reg_recent_docs_subkey = OpenKey(aReg, full_path + recent_docs_subkey) for index_value in range(QueryInfoKey(reg_recent_docs_subkey)[1]): # the number of values (RecentDocs subkeys) str_value_name = EnumValue(reg_recent_docs_subkey, index_value)[0] str_value_datatmp = EnumValue(reg_recent_docs_subkey, index_value)[1] if str_value_name != "MRUListEx": value_decoded = self.__decode_recent_docs_MRU(str_value_datatmp) write_to_csv(result + value_decoded, csv_writer) #self._dump_csv_registry_to_output('HKEY_USERS', full_path, aReg, csv_writer, username) except WindowsError: pass CloseKey(aReg)
def _csv_windows_prefetch(self, wpref): with open( self.output_dir + '\\' + self.computer_name + '_prefetch.csv', 'wb') as output: csv_writer = get_csv_writer(output) #output.write('"Computer Name"|"Type"|"File"|"Version"|"Size"|"name Exec"|"Create Time"|"Modification Time"\n') for prefetch_file, format_version, file_size, exec_name, tc, tm, run_count, hash_table_a, list_str_c in wpref: str_c = '' for s in list_str_c: str_c += s.replace('\0', '') + ';' write_to_csv([ self.computer_name, 'Prefetch', prefetch_file, unicode(format_version), unicode(file_size), exec_name.replace('\00', ''), unicode(tc), unicode(tm), unicode(run_count), unicode(hash_table_a['start_time']), unicode(hash_table_a['duration']), unicode(hash_table_a['average_duration']), str_c ], csv_writer) record_sha256_logs( self.output_dir + '\\' + self.computer_name + '_prefetch.csv', self.output_dir + '\\' + self.computer_name + '_sha256.log')
def csv_shell_bags(self): ''' Exports the shell bags from Windows registry in a csv ''' # TODO Check Vista and under self.logger.info("Getting shell bags from registry") aReg = ConnectRegistry(None, HKEY_USERS) with open( self.output_dir + '\\' + self.computer_name + '_shellbags.csv', 'wb') as output: csv_writer = get_csv_writer(output) for index_sid in range( QueryInfoKey(aReg)[0]): # the number of subkeys # in HKEY_USERS, we have a list of subkeys which are SIDs str_sid = EnumKey(aReg, index_sid) username = str_sid2username(str_sid) paths = [ '\\Software\\Microsoft\\Windows\\Shell\\Bags\\', '\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\', '\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\Bags\\', '\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\' ] for path in paths: try: full_path = str_sid + path self._dump_csv_registry_to_output( 'HKEY_USERS', full_path, aReg, csv_writer, username, self.__decode_shellbag_itempos_data) except WindowsError: pass CloseKey(aReg)
def csv_windows_values(self): # outputs winlogon's values to file self.logger.info('Getting windows values from registry') path = 'Software\Microsoft\Windows NT\CurrentVersion\Windows\\' with open( self.output_dir + '\\' + self.computer_name + '_windows_values.csv', 'wb') as output: aReg = ConnectRegistry(None, HKEY_LOCAL_MACHINE) csv_writer = get_csv_writer(output) try: self._dump_csv_registry_to_output('HKEY_LOCAL_MACHINE', path, aReg, csv_writer, is_recursive=False) aReg = ConnectRegistry(None, HKEY_USERS) for index_sid in range( QueryInfoKey(aReg)[0]): # the number of subkeys # in HKEY_USERS, we have a list of subkeys which are SIDs str_sid = EnumKey(aReg, index_sid) username = str_sid2username(str_sid) full_path = str_sid + '\\' + path try: self._dump_csv_registry_to_output('HKEY_USERS', full_path, aReg, csv_writer, username, is_recursive=False) except WindowsError: pass except WindowsError: pass CloseKey(aReg)
def _csv_open_save_mru(self, str_opensave_mru): """Extracts OpenSaveMRU containing information about opened and saved windows""" # TODO : Win XP self.logger.info("Extracting open save MRU") hive_list = self._get_list_from_registry_key(registry_obj.HKEY_USERS, str_opensave_mru) to_csv_list = [] for item in hive_list: if item[self.VALUE_NAME] != "MRUListEx": l_printable = extract_filename_from_pidlmru(item[self.VALUE_DATA]) # FIXME: (dirty) if the list is empty it's probably because the string is off by 1... if len(l_printable) == 0: # So we take away the first char to have a correct offset (modulo 2) l_printable = extract_filename_from_pidlmru(item[self.VALUE_DATA][1:]) if len(l_printable) != 0: str_printable = l_printable[-1] if item[self.KEY_VALUE_STR] == "VALUE": to_csv_list.append((self.computer_name, item[self.VALUE_LAST_WRITE_TIME], "HKEY_USERS", item[self.VALUE_PATH], item[self.VALUE_NAME], item[self.KEY_VALUE_STR], registry_obj.get_str_type(item[self.VALUE_TYPE]), str_printable)) else: # if the length is still 0 then don't know if item[self.KEY_VALUE_STR] == "VALUE": to_csv_list.append((self.computer_name, item[self.VALUE_LAST_WRITE_TIME], "HKEY_USERS", item[self.VALUE_PATH], item[self.VALUE_NAME], item[self.KEY_VALUE_STR], registry_obj.get_str_type(item[self.VALUE_TYPE]), item[self.VALUE_DATA])) with open(self.output_dir + "\\" + self.computer_name + "_opensaveMRU.csv", "wb") as output: csv_writer = get_csv_writer(output) write_list_to_csv(to_csv_list, csv_writer)
def get_net_info(self): command = "cat /proc/" + self.task.pid + "/net/dev | grep wlan" dirs = self.task.output + "/net_stats/" file_name = "net_" + self.task.device + "_" + self.task.applicationid + "_" + self.task.version_name + "_" + self.task.name field_names = [self.TIME, self.DOWN_SPEED, self.UP_SPEED, self.AVERAGE_DOWN_SPEED, self.AVERAGEUP_SPEED, self.TOTAL_DOWN_SPEED, self.TOTAL_UP_SPEED] writer = utils.get_csv_writer(dirs, file_name, field_names) while self.is_running: if self.is_first: self.start_time = time.time_ns() self.last_time = self.start_time net_info = self.task.d.adb_shell(command) net_array = re.split("\s+", net_info) self.start_net_down = int(net_array[2]) self.last_net_down = self.start_net_down self.start_net_up = int(net_array[10]) self.last_net_up = self.start_net_up self.is_first = False current_time = time.time_ns() current_info = self.task.d.adb_shell(command) current_array = re.split("\s+", current_info) current_net_down = int(current_array[2]) current_net_up = int(current_array[10]) time_delta = (current_time - self.last_time) / 1000000000.0 time_total = (current_time - self.start_time) / 1000000000.0 net_delta_up = (current_net_up - self.last_net_up) / 1024.0 net_delta_down = (current_net_down - self.last_net_down) / 1024.0 net_total_up = (current_net_up - self.start_net_up) / 1024.0 net_total_down = (current_net_down - self.start_net_down) / 1024.0 net_speed_up = net_delta_up / time_delta net_speed_down = net_delta_down / time_delta net_average_speed_up = net_total_up / time_total net_average_speed_down = net_total_down / time_total writer.writerow({self.TIME: self.get_index(), self.DOWN_SPEED: "{:.2f}".format(net_speed_down), self.UP_SPEED: "{:.2f}".format(net_speed_up), self.AVERAGE_DOWN_SPEED: "{:.2f}".format(net_average_speed_down), self.AVERAGEUP_SPEED: "{:.2f}".format(net_average_speed_up), self.TOTAL_DOWN_SPEED: "{:.2f}".format(net_total_down), self.TOTAL_UP_SPEED: "{:.2f}".format(net_total_up) }) # print("下载速度:{:.2f} KB/s".format(net_speed_down)) # print("上传速度:{:.2f} KB/s".format(net_speed_up)) # print("平均下载速度:{:.2f} KB/s".format(net_average_speed_down)) # print("平均上传速度:{:.2f} KB/s".format(net_average_speed_up)) # print("下载总流量:{:.0f} KB/s".format(net_total_down)) # print("上传总流量:{:.0f} KB/s".format(net_total_up)) # print("\n") self.last_time = current_time self.last_net_up = current_net_up self.last_net_down = current_net_down self.count += 1 time.sleep(self.task.interval)
def _csv_list_network_drives(self,drives): self.logger.info("Health : Listing network drives") with open(self.output_dir+'_list_networks_drives.csv','wb') as fw: csv_writer = get_csv_writer(fw) #fw.write('"Computer Name"|"Type"|"disque"|"fs"|"Partition Name"\r\n') for diskCapt,diskFs,diskPName in drives: write_to_csv([self.computer_name, 'Network drives', diskCapt, diskFs, diskPName], csv_writer) record_sha256_logs(self.output_dir+ '_list_networks_drives.csv',self.output_dir +'_sha256.log')
def _csv_list_route_table(self,routes): self.logger.info('Health : Listing routes tables') with open(self.output_dir+"_routes_tables.csv",'ab') as fw: csv_writer = get_csv_writer(fw) #fw.write('"Computer Name"|"Route"|"Name"|"Mask"\r\n') for name,mask in routes: write_to_csv([self.computer_name, 'Route table', unicode(name), unicode(mask)], csv_writer) record_sha256_logs(self.output_dir +'_routes_tables.csv',self.output_dir +'_sha256.log')
def _csv_list_drives(self,drives): self.logger.info("Health : Listing drives") with open(self.output_dir+'_list_drives.csv','wb') as fw: csv_writer = get_csv_writer(fw) #fw.write('"Computer Name"|"Type"|"Fab"|"Partions"|"Disk"|"File System"\r\n') for phCapt,partCapt,logicalCapt,fs in drives: write_to_csv([self.computer_name, 'Drives', phCapt, partCapt, logicalCapt, fs], csv_writer) record_sha256_logs(self.output_dir + '_list_drives.csv',self.output_dir+'_sha256.log')
def _csv_list_share(self,share): self.logger.info("Health : Listing shares") with open(self.output_dir + '_shares.csv','wb') as fw: csv_writer = get_csv_writer(fw) #fw.write('"Computer Name"|"Type"|"Name"|"Path"\r\n') for name,path in share: write_to_csv([self.computer_name, 'Shares', name, path], csv_writer) record_sha256_logs(self.output_dir +'_shares.csv',self.output_dir +'_sha256.log')
def _csv_list_sessions(self,sessions): self.logger.info('Health : Listing sessions') with open(self.output_dir+'_sessions.csv','ab') as fw: csv_writer = get_csv_writer(fw) #fw.write('"Computer Name"|"Type"|"Logon ID"|"Authentication Package"|"Start Time"|"Logon Type"\r\n') for logonID,authenticationPackage,startime,logontype in sessions: write_to_csv([ self.computer_name, 'Active sessions', unicode(logonID), authenticationPackage, unicode(startime.split('.')[0]), unicode(logontype)], csv_writer) record_sha256_logs(self.output_dir + '_sessions.csv',self.output_dir +'_sha256.log')
def csv_installer_folder(self): """Extracts information about folders which are created at installation""" self.logger.info("Extracting installer folders") path = r"Software\Microsoft\Windows\CurrentVersion\Installer\Folders" to_csv_list = [] self._generate_hklm_csv_list(to_csv_list, path) with open(self.output_dir + "\\" + self.computer_name + "_installer_folder.csv", "wb") as output: csv_writer = get_csv_writer(output) write_list_to_csv(to_csv_list, csv_writer)
def csv_run_mru_start(self): """Extracts run MRU, containing the 26 last oommands executed using the RUN command""" self.logger.info("Extracting Run MRU") path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" to_csv_list = [] self._generate_hku_csv_list(to_csv_list, path) with open(self.output_dir + "\\" + self.computer_name + "_run_MRU_start.csv", "wb") as output: csv_writer = get_csv_writer(output) write_list_to_csv(to_csv_list, csv_writer)
def _csv_open_save_MRU(self, str_opensaveMRU): ''' Extracts information from OpenSaveMRU registry key which contains information about opened and saved windows ''' # TODO : Win XP self.logger.info('Getting open_save_MRU from registry') aReg = ConnectRegistry(None, HKEY_USERS) with open( self.output_dir + '\\' + self.computer_name + '_opensaveMRU.csv', 'wb') as output: csv_writer = get_csv_writer(output) for index_sid in range( QueryInfoKey(aReg)[0]): # the number of subkeys # in HKEY_USERS, we have a list of subkeys which are SIDs str_sid = EnumKey(aReg, index_sid) try: username = str_sid2username(str_sid) path = str_sid + '\\' + str_opensaveMRU reg_opensaveMRU = OpenKey(aReg, path) for index_clsid in range(QueryInfoKey(reg_opensaveMRU) [0]): # the number of subkeys str_filetype = EnumKey(reg_opensaveMRU, index_clsid) reg_filetype = OpenKey(aReg, path + '\\' + str_filetype) date_last_mod = convert_windate( QueryInfoKey(reg_filetype)[2]) # now get the value from the SID subkey for index_value in range( QueryInfoKey(reg_filetype) [1]): # the number of values value_filetype = EnumValue(reg_filetype, index_value) # Here, it is quite... dirty, it is a binary MRU list in which we have to extract the interesting values if value_filetype[0] != 'MRUListEx': l_printable = self.__extract_filename_from_PIDLMRU( value_filetype[1]) # VERY DIRTY, if the list is empty it's probably because the string is off by 1... if len(l_printable) == 0: # So we take away the first char to have a correct offset (modulo 2) l_printable = self.__extract_filename_from_PIDLMRU( value_filetype[1][1:]) if len(l_printable) != 0: str_printable = l_printable[-1] write_to_csv([ username, str_sid, str_filetype, date_last_mod, str_printable ], csv_writer) else: # if the length is still 0 then... I'm at a loss for words write_to_csv([ username, str_sid, str_filetype, date_last_mod ], csv_writer) CloseKey(reg_filetype) CloseKey(reg_opensaveMRU) except WindowsError: pass CloseKey(aReg)
def csv_registry_services(self): """Extracts services""" self.logger.info("Extracting services") path = r"System\CurrentControlSet\Services" to_csv_list = [] self._generate_hklm_csv_list(to_csv_list, path) with open(self.output_dir + "\\" + self.computer_name + "_registry_services.csv", "wb") as output: csv_writer = get_csv_writer(output) write_list_to_csv(to_csv_list, csv_writer)
def csv_usb_history(self): self.logger.info('Getting USB history') key = 'SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\\' with open( self.output_dir + '\\' + self.computer_name + '_USBHistory.csv', 'wb') as output: csv_writer = get_csv_writer(output) self._print_regkey_csv(key, HKEY_LOCAL_MACHINE, False, csv_writer, 'USBSTOR', self._get_key_info)
def csv_installed_components(self): """Extracts installed components""" self.logger.info("Extracting installed components") path = r"Software\Microsoft\Active Setup\Installed Components" to_csv_list = [] self._generate_hklm_csv_list(to_csv_list, path) with open(self.output_dir + "\\" + self.computer_name + "_installed_components.csv", "wb") as output: csv_writer = get_csv_writer(output) write_list_to_csv(to_csv_list, csv_writer)
def csv_windows_values(self): """Extracts windows values""" self.logger.info("Extracting windows values") path = r"Software\Microsoft\Windows NT\CurrentVersion\Windows" to_csv_list = [] self._generate_hklm_csv_list(to_csv_list, path) self._generate_hku_csv_list(to_csv_list, path) with open(self.output_dir + "\\" + self.computer_name + "_windows_values.csv", "wb") as output: csv_writer = get_csv_writer(output) write_list_to_csv(to_csv_list, csv_writer)
def _csv_list_share(self, share): self.logger.info("Health : Listing shares") with open(self.output_dir + '_shares.csv', 'wb') as fw: csv_writer = get_csv_writer(fw) #fw.write('"Computer Name"|"Type"|"Name"|"Path"\r\n') for name, path in share: write_to_csv([self.computer_name, 'Shares', name, path], csv_writer) record_sha256_logs(self.output_dir + '_shares.csv', self.output_dir + '_sha256.log')
def _csv_list_sockets_network(self,connections): self.logger.info('Health : Listing sockets networks') with open(self.output_dir+'_sockets.csv','ab') as fw: csv_writer = get_csv_writer(fw) #fw.write('"Computer Name"|"Type"|"pid"|"name"|"local address"|"source port"|"remote addr"|"remote port"|"status"\r\n') for pid,name,local_address,source_port,remote_addr,remote_port,status in connections: write_to_csv([ self.computer_name, 'Sockets', unicode(pid), unicode(name), unicode(local_address), unicode(source_port), unicode(remote_addr), unicode(remote_port), unicode(status)], csv_writer) record_sha256_logs(self.output_dir +'_sockets.csv',self.output_dir +'_sha256.log')
def _csv_list_services(self,services): self.logger.info('Health : Listing services') with open(self.output_dir+'_services.csv','ab') as fw: csv_writer = get_csv_writer(fw) #fw.write('"Computer Name"|"Type"|"name"|"caption"|"processId"|"pathName"|"serviceType"|"status"|"state"|"startMode"\r\n') for name,caption,processId,pathName,serviceType,status,state,startMode in services: write_to_csv([ self.computer_name, 'Services', caption, unicode(processId), serviceType, pathName, unicode(status), state, startMode], csv_writer) record_sha256_logs(self.output_dir +'_services.csv',self.output_dir +'_sha256.log')
def csv_registry_services(self): """Extracts services""" self.logger.info("Extracting services") path = r"System\CurrentControlSet\Services" to_csv_list = [] self._generate_hklm_csv_list(to_csv_list, path) with open( self.output_dir + "\\" + self.computer_name + "_registry_services.csv", "wb") as output: csv_writer = get_csv_writer(output) write_list_to_csv(to_csv_list, csv_writer)
def csv_registry_services(self): self.logger.info('Getting services from registry') aReg = ConnectRegistry(None, HKEY_LOCAL_MACHINE) with open(self.output_dir + '\\' + self.computer_name + '_services_registry.csv', 'wb') as output: csv_writer = get_csv_writer(output) try: #write_to_output('"Computer Name""|""CatchEvidence""|""Date last modification""|""Registry path""|""Registry type""|""Value"', output) self._dump_csv_registry_to_output('HKEY_LOCAL_MACHINE', 'System\CurrentControlSet\Services\\', aReg, csv_writer) except WindowsError: pass CloseKey(aReg)
def csv_installer_folder(self): """Extracts information about folders which are created at installation""" self.logger.info("Extracting installer folders") path = r"Software\Microsoft\Windows\CurrentVersion\Installer\Folders" to_csv_list = [] self._generate_hklm_csv_list(to_csv_list, path) with open( self.output_dir + "\\" + self.computer_name + "_installer_folder.csv", "wb") as output: csv_writer = get_csv_writer(output) write_list_to_csv(to_csv_list, csv_writer)
def csv_installed_components(self): """Extracts installed components""" self.logger.info("Extracting installed components") path = r"Software\Microsoft\Active Setup\Installed Components" to_csv_list = [] self._generate_hklm_csv_list(to_csv_list, path) with open( self.output_dir + "\\" + self.computer_name + "_installed_components.csv", "wb") as output: csv_writer = get_csv_writer(output) write_list_to_csv(to_csv_list, csv_writer)
def csv_run_mru_start(self): """Extracts run MRU, containing the 26 last oommands executed using the RUN command""" self.logger.info("Extracting Run MRU") path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" to_csv_list = [] self._generate_hku_csv_list(to_csv_list, path) with open( self.output_dir + "\\" + self.computer_name + "_run_MRU_start.csv", "wb") as output: csv_writer = get_csv_writer(output) write_list_to_csv(to_csv_list, csv_writer)
def _csv_list_named_pipes(self, pipes): with open( self.output_dir + '\\' + self.computer_name + '_named_pipes.csv', 'wb') as output: csv_writer = get_csv_writer(output) #output.write('"Computer Name"|"Type"|"Name"\n') for pipe in pipes: write_to_csv([self.computer_name, 'PIPES', pipe], csv_writer) record_sha256_logs( self.output_dir + '\\' + self.computer_name + '_named_pipes.csv', self.output_dir + '\\' + self.computer_name + '_sha256.log')
def _csv_list_drives(self, drives): self.logger.info("Health : Listing drives") with open(self.output_dir + '_list_drives.csv', 'wb') as fw: csv_writer = get_csv_writer(fw) #fw.write('"Computer Name"|"Type"|"Fab"|"Partions"|"Disk"|"File System"\r\n') for phCapt, partCapt, logicalCapt, fs in drives: write_to_csv([ self.computer_name, 'Drives', phCapt, partCapt, logicalCapt, fs ], csv_writer) record_sha256_logs(self.output_dir + '_list_drives.csv', self.output_dir + '_sha256.log')
def _csv_list_network_drives(self, drives): self.logger.info("Health : Listing network drives") with open(self.output_dir + '_list_networks_drives.csv', 'wb') as fw: csv_writer = get_csv_writer(fw) #fw.write('"Computer Name"|"Type"|"disque"|"fs"|"Partition Name"\r\n') for diskCapt, diskFs, diskPName in drives: write_to_csv([ self.computer_name, 'Network drives', diskCapt, diskFs, diskPName ], csv_writer) record_sha256_logs(self.output_dir + '_list_networks_drives.csv', self.output_dir + '_sha256.log')
def _csv_list_running_process(self,list_running): self.logger.info("Health : Listing running processes") with open(self.output_dir+'_processes.csv','ab') as fw: csv_writer = get_csv_writer(fw) #fw.write('"Computer Name"|"Type"|"PID"|"Name"|"Command"|"Path Exec"\r\n') for p in list_running: pid=p[0] name=p[1] cmd=p[2] exe_path=p[3] write_to_csv([self.computer_name, 'Running processes', unicode(pid), name, unicode(cmd), unicode(exe_path)], csv_writer) record_sha256_logs(self.output_dir +'_processes.csv',self.output_dir+'_sha256.log')
def csv_installer_folder(self): # Shows where recently opened files are saved and when they were opened self.logger.info('Getting installer folders from registry') path = 'Software\Microsoft\Windows\CurrentVersion\Installer\Folders\\' with open(self.output_dir + '\\' + self.computer_name + '_installer_folder.csv', 'ab') as output: aReg = ConnectRegistry(None, HKEY_LOCAL_MACHINE) csv_writer = get_csv_writer(output) try: self._dump_csv_registry_to_output('HKEY_LOCAL_MACHINE', path, aReg, csv_writer) except WindowsError: pass CloseKey(aReg)
def csv_windows_values(self): """Extracts windows values""" self.logger.info("Extracting windows values") path = r"Software\Microsoft\Windows NT\CurrentVersion\Windows" to_csv_list = [] self._generate_hklm_csv_list(to_csv_list, path) self._generate_hku_csv_list(to_csv_list, path) with open( self.output_dir + "\\" + self.computer_name + "_windows_values.csv", "wb") as output: csv_writer = get_csv_writer(output) write_list_to_csv(to_csv_list, csv_writer)
def _csv_user_assist(self, count_offset, is_win7_or_further): """Extracts information from UserAssist registry key which contains information about executed programs The count offset is for Windows versions before 7, where it would start at 6... """ self.logger.info("Extracting user assist") path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\\UserAssist" count = "\Count" # logged on users users = registry_obj.RegistryKey(registry_obj.HKEY_USERS) hive_list = [] for i in xrange(users.get_number_of_sub_keys()): user = users.get_sub_key(i) user_assist_key = user.get_sub_key_by_path(path) if user_assist_key: for j in xrange(user_assist_key.get_number_of_sub_keys()): # getting Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\*\Count path_no_sid = "\\".join( user_assist_key.get_sub_key(j).get_path().split("\\") [1:]) hive_list += self._get_list_from_registry_key( registry_obj.HKEY_USERS, path_no_sid + count) to_csv_list = [] for item in hive_list: if item[self.KEY_VALUE_STR] == "VALUE": str_value_name = codecs.decode(item[self.VALUE_NAME], "rot_13") str_value_datatmp = item[self.VALUE_DATA] # some data are less than 16 bytes for some reason... if len(str_value_datatmp) < 16: to_csv_list.append( (self.computer_name, item[self.VALUE_LAST_WRITE_TIME], "HKEY_USERS", item[self.VALUE_PATH], item[self.VALUE_NAME], item[self.KEY_VALUE_STR], registry_obj.get_str_type(item[self.VALUE_TYPE]), str_value_name)) else: if is_win7_or_further: data = csv_user_assist_value_decode_win7_and_after( str_value_datatmp, count_offset) else: data = csv_user_assist_value_decode_before_win7( str_value_datatmp, count_offset) to_csv_list.append( (self.computer_name, item[self.VALUE_LAST_WRITE_TIME], "HKEY_USERS", item[self.VALUE_PATH], item[self.VALUE_NAME], item[self.KEY_VALUE_STR], registry_obj.get_str_type(item[self.VALUE_TYPE]), str_value_name) + tuple(data)) with open( self.output_dir + "\\" + self.computer_name + "_user_assist.csv", "wb") as output: csv_writer = get_csv_writer(output) write_list_to_csv(to_csv_list, csv_writer)
def csv_recycle_bin(self): ''' Exports the filenames contained in the recycle bin ''' with open(self.output_dir + '\\' + self.computer_name + '_recycle_bin.csv', 'wb') as output: csv_writer = get_csv_writer(output) #output.write('"Computer Name"|"Type"|"Name 1"|"Name 2"\n') idl = shell.SHGetSpecialFolderLocation(0, shellcon.CSIDL_BITBUCKET) desktop = shell.SHGetDesktopFolder() files = desktop.BindToObject(idl, None, shell.IID_IShellFolder) for bin_file in files: write_to_csv([ self.computer_name, 'Recycle Bin', files.GetDisplayNameOf(bin_file, shellcon.SHGDN_NORMAL), files.GetDisplayNameOf(bin_file, shellcon.SHGDN_FORPARSING)], csv_writer) record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_recycle_bin.csv',self.output_dir +'\\'+self.computer_name+'_sha256.log')
def csv_installed_components(self): # outputs installed components to file ''' HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components ''' self.logger.info('Getting installed components from registry') path = 'Software\Microsoft\Active Setup\Installed Components\\' with open(self.output_dir + '\\' + self.computer_name + '_installed_components.csv', 'wb') as output: aReg = ConnectRegistry(None, HKEY_LOCAL_MACHINE) csv_writer = get_csv_writer(output) try: self._dump_csv_registry_to_output('HKEY_LOCAL_MACHINE', path, aReg, csv_writer) except WindowsError: pass CloseKey(aReg)
def _csv_list_services(self, services): self.logger.info('Health : Listing services') with open(self.output_dir + '_services.csv', 'ab') as fw: csv_writer = get_csv_writer(fw) #fw.write('"Computer Name"|"Type"|"name"|"caption"|"processId"|"pathName"|"serviceType"|"status"|"state"|"startMode"\r\n') for name, caption, processId, pathName, serviceType, status, state, startMode in services: write_to_csv([ self.computer_name, 'Services', caption, unicode(processId), serviceType, pathName, unicode(status), state, startMode ], csv_writer) record_sha256_logs(self.output_dir + '_services.csv', self.output_dir + '_sha256.log')
def _csv_list_route_table(self, routes): self.logger.info('Health : Listing routes tables') with open(self.output_dir + "_routes_tables.csv", 'ab') as fw: csv_writer = get_csv_writer(fw) #fw.write('"Computer Name"|"Route"|"Name"|"Mask"\r\n') for name, mask in routes: write_to_csv([ self.computer_name, 'Route table', unicode(name), unicode(mask) ], csv_writer) record_sha256_logs(self.output_dir + '_routes_tables.csv', self.output_dir + '_sha256.log')
def _csv_all_modules_opened_files(self): ''' Outputs all processes and their opened files in a csv ''' hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0) pe32 = PROCESSENTRY32() pe32.dwSize = sizeof(PROCESSENTRY32) ret = Process32First(hProcessSnap, pointer(pe32)) with open( self.output_dir + '\\' + self.computer_name + '_processes_opened_files.csv', 'wb') as output: csv_writer = get_csv_writer(output) #output.write('"Computer Name"|"PID"|"Process Name"|"File Opened"\r\n') while ret: #print " process ID = %d" % pe32.th32ProcessID try: p = psutil.Process(pe32.th32ProcessID) process_name = p.name() self.logger.info('Getting opened files for : ' + process_name + '(' + unicode(pe32.th32ProcessID) + ')') # Here, we need open a subprocess because get_open_files may hang forever q = Queue() process = Process(target=timer_open_files, args=( p, q, )) process.start() # We wait for 2 seconds process.join(2) if process.is_alive(): # If the subprocess is still alive, assume it is hanged and kill it q.close() process.terminate() else: # Otherwise, continue normal processing opened_files = q.get() if isinstance(opened_files, list): for opened_file in opened_files: write_to_csv([ self.computer_name, 'Files Opened', unicode(pe32.th32ProcessID), process_name, opened_file[0] ], csv_writer) except psutil.AccessDenied: self.logger.warn('Could not open handle for PID : ' + unicode(pe32.th32ProcessID)) #ListProcessThreads( pe32.th32ProcessID ) ret = Process32Next(hProcessSnap, pointer(pe32))
def _csv_windows_prefetch(self,wpref): with open(self.output_dir + '\\' + self.computer_name + '_prefetch.csv', 'wb') as output: csv_writer = get_csv_writer(output) #output.write('"Computer Name"|"Type"|"File"|"Version"|"Size"|"name Exec"|"Create Time"|"Modification Time"\n') for prefetch_file, format_version, file_size, exec_name, tc, tm, run_count, hash_table_a, list_str_c in wpref: str_c = '' for s in list_str_c: str_c += s.replace('\0', '') + ';' write_to_csv([ self.computer_name, 'Prefetch', prefetch_file, unicode(format_version), unicode(file_size), exec_name.replace('\00', ''), unicode(tc), unicode(tm), unicode(run_count), unicode(hash_table_a['start_time']), unicode(hash_table_a['duration']), unicode(hash_table_a['average_duration']), str_c], csv_writer) record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_prefetch.csv',self.output_dir +'\\'+self.computer_name+'_sha256.log')
def csv_list_scheduled_jobs(self): self.logger.info('Health : Listing scheduled jobs') file_tasks=self.output_dir + '_tasks.csv' with open(file_tasks, 'wb') as tasks_logs: proc=subprocess.Popen(["schtasks.exe",'/query','/fo','CSV'],stdout=subprocess.PIPE) res = proc.communicate() res = get_terminal_decoded_string(res[0]) write_to_output(res, tasks_logs, self.logger) with open(file_tasks, "r") as fr, open(self.output_dir,'ab') as fw: csv_writer = get_csv_writer(fw) for l in fr.readlines(): l = l.decode('utf8')[:-1].replace('"', '') if l.find(',') !=-1: write_to_csv([self.computer_name, 'Scheduled jobs'] + l.split(','), csv_writer)
def _csv_list_arp_table(self,arp): self.logger.info('Health : Listing ARP tables') with open(self.output_dir + "_arp_table.csv",'wb') as fw: csv_writer = get_csv_writer(fw) #fw.write('"Computer Name"|"Type"|"IP"|"Mac"|"Status"\n') for entry in arp: entry.replace('\xff','') tokens=entry.split() entry_to_write='' if len(tokens)==3: entry_to_write='"'+self.computer_name+'"|"ARP table"|"'+'"|"'.join(tokens)+'"\n' if entry_to_write.find('\.')!=1 and len(entry_to_write) >0: arr_to_write = [self.computer_name, 'ARP table'] + tokens write_to_csv(arr_to_write, csv_writer) record_sha256_logs(self.output_dir +'_arp_table.csv',self.output_dir +'_sha256.log')
def csv_recent_docs(self): """Extracts information about recently opened files saved location and opened date""" self.logger.info("Extracting recent docs") path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" hive_list = self._get_list_from_registry_key(registry_obj.HKEY_USERS, path) to_csv_list = [] for item in hive_list: if item[self.KEY_VALUE_STR] == "VALUE": if item[self.VALUE_NAME] != "MRUListEx": value_decoded = decode_recent_docs_mru(item[self.VALUE_DATA]) to_csv_list.append((self.computer_name, item[self.VALUE_LAST_WRITE_TIME], "HKEY_USERS", item[self.VALUE_PATH], item[self.VALUE_NAME], item[self.KEY_VALUE_STR], registry_obj.get_str_type(item[self.VALUE_TYPE])) + tuple(value_decoded)) with open(self.output_dir + "\\" + self.computer_name + "_recent_docs.csv", "wb") as output: csv_writer = get_csv_writer(output) write_list_to_csv(to_csv_list, csv_writer)
def csv_usb_history(self): """Extracts information about USB devices""" self.logger.info("Extracting USB history") hive_list = self._get_list_from_registry_key( registry_obj.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}", is_recursive=False) to_csv_list = [] for item in hive_list: if item[self.KEY_VALUE_STR] == "KEY": usb_decoded = get_usb_key_info(item[self.KEY_PATH]) to_csv_list.append((self.computer_name, item[self.KEY_LAST_WRITE_TIME], "HKEY_LOCAL_MACHINE", item[self.KEY_PATH], item[self.KEY_VALUE_STR], usb_decoded)) with open(self.output_dir + "\\" + self.computer_name + "_USBHistory.csv", "wb") as output: csv_writer = get_csv_writer(output) write_list_to_csv(to_csv_list, csv_writer)
def _csv_list_scheduled_jobs(self): self.logger.info('Health : Listing scheduled jobs') file_tasks=self.output_dir + '_tasks.csv' with open(file_tasks,'wb') as tasks_logs: proc=subprocess.Popen(["schtasks.exe",'/query','/fo','CSV'], stdout=subprocess.PIPE) res = proc.communicate() res = get_terminal_decoded_string(res[0]) write_to_output(res, tasks_logs, self.logger) with open(file_tasks,"r") as fr, open(self.output_dir + "_scheduled_jobs.csv",'wb') as fw: csv_writer = get_csv_writer(fw) #fw.write('"Computer Name"|"Type"|"Name"|"Time"|"State"\r\n') for l in fr.readlines(): l = l.decode('utf8') if l.find('\\') > 0: l = l[:-1].replace('"', '') # remove the end of line arr_write = [self.computer_name, 'Scheduled jobs'] + l.split(',') write_to_csv(arr_write, csv_writer) record_sha256_logs(self.output_dir +'_scheduled_jobs.csv',self.output_dir +'_sha256.log')