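def g_display(self):
    """Build the tab widget hosting the .evtx and .evt event-log viewers.

    Both viewers are fetched from the shared processus manager and each only
    gets a tab when it actually lists at least one log file.  Building either
    viewer is best-effort: a failure leaves that tab out rather than breaking
    the whole widget.  Nothing is logged on failure (no logger is in scope
    here), so a missing tab is the only symptom of a broken parser.
    """
    QWidget.__init__(self)
    # NOTE(review): these two are initialised but the viewers built below are
    # stored under the plural names evtxWidgets / evtWidgets -- confirm which
    # attribute callers actually read.
    self.evtWidget = None
    self.evtxWidget = None
    layout = QHBoxLayout(self)
    layout.setSpacing(0)
    layout.setContentsMargins(0, 0, 0, 0)
    tabs = QTabWidget()
    layout.addWidget(tabs)
    processus_manager = ModuleProcessusManager()
    evtx = processus_manager.get('evtx')
    evt = processus_manager.get('evt')
    # Best-effort: an exception here means "no .evtx tab", not a crash.
    try:
        self.evtxWidgets = evtx.getall('/')
        if self.evtxWidgets and self.evtxWidgets.list_widget.count():
            tabs.addTab(self.evtxWidgets, "Events logs (.evtx)")
    except Exception:
        pass
    # Same best-effort policy for the legacy .evt viewer.
    try:
        self.evtWidgets = evt.getAllEvtFiles('/')
        if self.evtWidgets.evtFileListWidget.count():
            tabs.addTab(self.evtWidgets, "Events logs (.evt)")
    except Exception:
        pass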
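def __init__(self, config=None):
    """Look up the shared parsers this analysis relies on.

    Args:
        config: optional mapping of settings, kept on ``self._config``.  Each
            instance now gets its own empty dict when nothing is passed; the
            original used a mutable ``{}`` default that every instance
            constructed without a config would have shared.
    """
    processusManager = ModuleProcessusManager()
    self._registry = processusManager.get('winreg')
    self._sqlite = processusManager.get('SqliteDB')
    self._msiecf = processusManager.get('msiecf')
    # Test for None rather than falsiness so an explicitly passed empty
    # mapping remains the caller's own object.
    self._config = {} if config is None else config
    self._name = ""
    self.__log = ""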
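def createRegMap(self):
    """Group the loaded registry hives by machine and by hive type.

    Reads ``registry`` (hive node -> (type, source node)) from the shared
    ``winreg`` processus, keeps it on ``self.hives`` (and the processus on
    ``self.manager``), and fills ``self.regmap`` as
    ``{source fsobj uid: {hive type: [hive node, ...]}}``.

    Returns:
        False when no hive is loaded, True otherwise.  A hive that cannot be
        opened, or whose type ``RegType`` cannot determine, is skipped.
    """
    regm = ModuleProcessusManager().get('winreg')
    if len(regm.registry) == 0:
        return False
    self.hives = regm.registry
    self.manager = regm
    for key, values in self.hives.iteritems():
        try:
            hive = key.getHive()
        except Exception:
            # getHive() failed: nothing to release.  (The original ran
            # `del h` in this case with `h` unbound, which raised
            # UnboundLocalError out of the method.)
            continue
        try:
            # The stored type is superseded by RegType(); only the source
            # node is used.  The original also read `h.iterator` into an
            # unused local, dropped here.
            _, sourcenode = values
            rtype = self.RegType(sourcenode)
            if rtype is not None:
                uid = sourcenode.fsobj().uid()
                self.regmap.setdefault(uid, {}).setdefault(rtype, []).append(key)
        except Exception:
            # Unusable entry: skip it and keep mapping the remaining hives.
            pass
        finally:
            del hive
    return True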
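def createRegMap(self):
    """Index the loaded registry hives by machine and by hive type.

    Pulls ``registry`` (hive node -> (type, source node)) from the shared
    ``winreg`` processus, stores it on ``self.hives`` (processus on
    ``self.manager``), resets ``self.__columnCount`` to 1, and fills
    ``self.regmap`` as ``{source fsobj uid: {hive type: [hive node, ...]}}``.

    Returns:
        False when no hive is loaded, True otherwise.  A hive that cannot be
        opened, or whose type ``RegType`` cannot determine, is skipped.
    """
    regm = ModuleProcessusManager().get('winreg')
    if len(regm.registry) == 0:
        return False
    self.__columnCount = 1
    self.hives = regm.registry
    self.manager = regm
    for key, values in self.hives.iteritems():
        try:
            hive = key.getHive()
        except Exception:
            # getHive() failed: nothing to release.  (The original ran
            # `del h` here with `h` unbound, raising UnboundLocalError.)
            continue
        try:
            # The stored type is superseded by RegType(); only the source
            # node matters.  The unused `h.iterator` read is dropped.
            _, sourcenode = values
            rtype = self.RegType(sourcenode)
            if rtype is not None:
                uid = sourcenode.fsobj().uid()
                self.regmap.setdefault(uid, {}).setdefault(rtype, []).append(key)
        except Exception:
            # Unusable entry: skip, keep mapping the remaining hives.
            pass
        finally:
            del hive
    return True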
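def display(self, row):
    """Select ``row`` and show the matching .evt record in the detail pane.

    Columns 4 and 5 of the table hold the owning node pointer and the record
    index inside ``evt.evts[node]``; the record is fetched from the shared
    ``evt`` processus and its fields pushed into this viewer's labels and
    message box.
    """
    self.setCurrentCell(row, 0)
    node_ptr = self.item(row, 4).text()
    index = int(self.item(row, 5).text())
    evt = ModuleProcessusManager().get('evt')
    record = evt.evts[long(node_ptr)][index]
    self.label1.setText("Date : " + record.getTimeGenerated())
    self.label2.setText("Source : " + record.sourceName())
    self.lab_icon.setPixmap(
        QPixmap(record.getIcon()).scaled(32, 32, Qt.KeepAspectRatio))
    self.label3.setText("Type : " + record.getSingleType())
    self.label4.setText("Category : " + str(record.EventCategory))
    self.label5.setText("EventId : " + str(record.EventID))
    self.label6.setText("Computer : " + record.computerName())
    # Assemble the message text once; the original re-read the text box
    # for every string, which is quadratic in the number of strings.
    messages = [log + "\n" for log in record.getStrings() if log is not None]
    self.log_strings.setPlainText("".join(messages))
    self.hideOrDipsButton()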
def itemRecord(self, row):
    """Return the .evt record referenced by table ``row``.

    Column 4 stores the owning node pointer and column 5 the record index
    inside ``evt.evts[node]``, both as cell text.
    """
    node_key = long(self.item(row, 4).text())
    record_index = int(self.item(row, 5).text())
    evt = ModuleProcessusManager().get('evt')
    return evt.evts[node_key][record_index]
def getXML(self, chunk, offset, node=None):
    """Return the XML rendering of the event at ``offset`` in ``chunk``.

    When ``node`` is given it also becomes this viewer's current node
    before the shared ``evtx`` processus is queried.
    """
    evtx = ModuleProcessusManager().get('evtx')
    if node is not None:
        self.node = node
    return evtx.getxml(chunk, offset, node)
def dispEventType(self, index):
    """Filter the table by combo ``index``: 0 shows every event of the
    current node, any other value shows only events of level ``index - 1``.
    """
    if index != 0:
        self.evtx_table_view.clearContents()
        self.evtx_table_view.setRowCount(0)
        self.display_chunk(self.evtx_parser.getEventBylevel(index - 1))
        return
    evtx = ModuleProcessusManager().get('evtx')
    self.display(evtx.data(self.node.uid()), self.node)
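def __init__(self, root=None):
    """Detect which supported browsers left databases in the evidence.

    Builds one probe per supported browser (Firefox, Chrome, Opera,
    Internet Explorer), asks the registry for their installed versions, and
    keeps in ``self._browsers`` those whose databases were actually found.
    A human-readable trace of the detection is accumulated in
    ``self.__log``.

    Args:
        root: accepted for interface compatibility; not used here.
    """
    self._compatible_browsers = [
        InternetBrowsers.FIREFOX,
        InternetBrowsers.CHROME,
        InternetBrowsers.OPERA,
        InternetBrowsers.IE
    ]
    self.__log = []
    processusManager = ModuleProcessusManager()
    self._registry = processusManager.get('winreg')
    self._browsers = []
    self.__log.append("Trying to find browsers databases")
    self.__firefox = Firefox(None)
    self.__chrome = Chrome(None)
    self.__opera = Opera(None)
    self.__ie = InternetExplorer(None)
    self.__browsersInstalledVersion()

    def record(label, browser, found):
        # Log the outcome for one browser and register it when found.  The
        # "installed but no databases" branch checks *this* browser's
        # version; the original compared Opera and IE against Firefox's,
        # so their NOK lines were emitted or skipped for the wrong reason.
        if found:
            self.__log.append(
                "\t[OK] " + label + " databases found -- installed version: "
                + browser.version())
            self._browsers.append(browser)
        elif browser.version() != "N/A":
            self.__log.append(
                "\t[NOK] " + label
                + " databases not found but is installed -- version: "
                + browser.version())

    # Firefox and Chrome expose a dedicated probe; Opera and IE count as
    # found when their history is non-empty.
    record("Firefox", self.__firefox, self.__firefox.relevantDatabasesFound())
    record("Chrome", self.__chrome, self.__chrome.relevantDatabasesFound())
    record("Opera", self.__opera, len(self.__opera.history()) > 0)
    record("Internet Explorer", self.__ie, len(self.__ie.history()) > 0)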
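def g_display(self):
    """Build the widget: a full EventLogViewer, or only the preview."""
    QWidget.__init__(self)
    self.layout = QVBoxLayout(self)
    if self.preview:
        self.build_preview()
        return
    evtx = ModuleProcessusManager().get('evtx')
    # Fetch the parsed chunks once; the original queried the processus twice
    # for the same node (assumes data() is a plain lookup -- TODO confirm).
    chunks = evtx.data(self.node.uid())
    self.viewer = EventLogViewer(self.node, chunks)
    self.layout.addWidget(self.viewer)
    self.name = self.node.name()
    self.viewer.display(chunks, self.node)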
def dispAdminEvents(self, checked):
    """Toggle between the full event list and admin (level 2 + 3) events.

    ``checked`` comes from the button's signal and is not used.  The
    button label is swapped so it always names the view you would switch to.
    """
    self.evtx_table_view.clearContents()
    if self.display_mode == 0:
        self.admin_pannel.admin_events.setText("All events")
        admin_events = self.evtx_parser.getEventBylevel(2)
        admin_events.extend(self.evtx_parser.getEventBylevel(3))
        self.display_mode = 1
        self.display_chunk(admin_events)
    elif self.display_mode == 1:
        self.admin_pannel.admin_events.setText("Admin. events")
        self.display_mode = 0
        evtx = ModuleProcessusManager().get('evtx')
        self.display(evtx.data(self.node.uid()), self.node)
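def start(self, args):
    """Module entry point: parse the .evt file named in ``args`` and publish it.

    Args:
        args: mapping of module arguments.  ``preview`` is optional and
            defaults to False; ``file`` is the node to parse.  When no file
            is provided a message is printed and the method returns without
            running the parser -- the original printed "Exiting." but then
            went on to parse with ``self.node`` never assigned.
    """
    try:
        self.preview = args['preview'].value()
    except (KeyError, IndexError):
        # A missing argument surfaces as KeyError on a mapping; IndexError
        # is kept for whatever container the original anticipated.
        self.preview = False
    try:
        self.node = args['file'].value()
    except Exception:
        print("No input file provided. Exiting.")
        return
    parser = EVT()
    parser.start(args)
    evt = ModuleProcessusManager().get('evt')
    evt.update(parser)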
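def fill_log_viewer(self, item):
    """Load the .evtx file behind list ``item`` into the viewer.

    The item's UserType data holds the node id; the node is resolved through
    the VFS and its parsed chunks fetched once from the shared ``evtx``
    processus, then handed to the parser, both id/source combo boxes, and
    the table display.
    """
    node_id = item.data(QListWidgetItem.UserType).toULongLong()[0]
    node = VFS.Get().getNodeById(node_id)
    evtx = ModuleProcessusManager().get('evtx')
    # One lookup instead of four identical evtx.data() calls (assumes data()
    # is a plain lookup returning the same chunk collection -- TODO confirm).
    chunks = evtx.data(node_id)
    self.node = node
    self.evtx_parser.chunks = chunks
    self.evtx_parser.node = node
    self.admin_pannel.cb = self.admin_pannel.initId(chunks, 'id')
    self.admin_pannel.cbs = self.admin_pannel.initId(chunks, 'source')
    self.display(chunks, node)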
def g_display(self):
    """Lay out the .evt viewer -- full file list or single-node preview --
    inside a horizontal splitter.  Nothing is added when there is no node.
    """
    QWidget.__init__(self)
    layout = QHBoxLayout(self)
    splitter = QSplitter()
    layout.addWidget(splitter)
    splitter.setOrientation(Qt.Horizontal)
    if self.node is None:
        return
    evt = ModuleProcessusManager().get('evt')
    if self.preview:
        self.evtWidget = evt.previewWidget(long(self.node.this))
        if self.evtWidget:
            splitter.addWidget(self.evtWidget)
        return
    self.evtWidget = evt.getAllEvtFiles()
    if self.evtWidget:
        splitter.addWidget(self.evtWidget)
        # NOTE(review): only one widget has been added to the splitter at
        # this point, so index 1 may not refer to anything -- confirm.
        splitter.setStretchFactor(1, 2)
def getEventByParam(self, param, value):
    """Return, per chunk, the events whose ``param`` field equals ``value``.

    Each list entry is a dict ``{event key: event dict}`` for one chunk (an
    empty dict when nothing matched there); every matched event dict gets a
    ``'chunk_nb'`` entry set to its chunk position.  Returns ``[]`` when the
    viewer has no node.
    """
    if self.node is None:
        return []
    evtx = ModuleProcessusManager().get('evtx')
    per_chunk = []
    for chunk_nb, chunk in enumerate(evtx.data(self.node.uid())):
        events = chunk.events()
        matched = {}
        for key in events:
            event = events[key]
            if event[param] == value:
                # Mutates the event dict itself, as the original did.
                event['chunk_nb'] = chunk_nb
                matched[key] = event
        per_chunk.append(matched)
    return per_chunk
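def getEventsBetween(self, date_begin, date_end):
    """Return, per chunk, the events dated within [date_begin, date_end].

    Args:
        date_begin, date_end: a ``str`` in ``"%Y-%m-%dT%H:%M:%S"`` form, or a
            POSIX timestamp (anything that is not a ``str`` is handed to
            ``datetime.fromtimestamp``).

    Returns:
        One dict per chunk mapping event key to event dict; each matched
        event dict gets a ``'chunk_nb'`` entry.  ``[]`` (after printing a
        message) when a bound is invalid, or when an event's ``'date'``
        field does not parse -- the latter discards the whole result, as
        the original did, so a single corrupt record hides every match.
    """
    invalid_msg = "One of the date you are trying to use is invalid."

    def to_datetime(value):
        # Only plain str is parsed as text (the original tested StringType).
        if isinstance(value, str):
            return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")
        return datetime.fromtimestamp(value)

    # Validate the bounds before touching the evidence so a bad query fails
    # fast.  OverflowError: fromtimestamp() on an out-of-range timestamp.
    try:
        begin = to_datetime(date_begin)
        end = to_datetime(date_end)
    except (ValueError, OverflowError):
        print(invalid_msg)
        return []
    evtx = ModuleProcessusManager().get('evtx')
    chunks = evtx.data(self.node.uid())
    per_chunk = []
    try:
        for chunk_nb, chunk in enumerate(chunks):
            events = chunk.events()
            matched = {}
            for key in events:
                event = events[key]
                event_date = datetime.strptime(event['date'],
                                               "%Y-%m-%dT%H:%M:%S")
                if begin <= event_date <= end:
                    # Mutates the event dict itself, as the original did.
                    event['chunk_nb'] = chunk_nb
                    matched[key] = event
            per_chunk.append(matched)
    except ValueError:
        print(invalid_msg)
        return []
    return per_chunk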
def __init__(self):
    """Grab the shared ``winreg`` processus so the registry can be queried."""
    self._registry = ModuleProcessusManager().get('winreg')
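def dispSingleEvent(self, row, column):
    """Open a modal dialog showing the .evt record behind table ``row``.

    ``column`` comes from the cell-activation signal and is not used.
    Columns 4 and 5 of the row hold the node pointer and the record index in
    ``evt.evts[node]``.  The labels and message box are kept on ``self`` so
    the next/previous buttons can refresh them in place.
    """
    box = QDialog()
    main_layout = QHBoxLayout(box)
    main_widget = QWidget()
    main_layout.addWidget(main_widget)
    layout = QVBoxLayout(main_widget)
    node_ptr = self.item(row, 4).text()
    index = int(self.item(row, 5).text())
    evt = ModuleProcessusManager().get('evt')
    record = evt.evts[long(node_ptr)][index]
    self.label1 = QLabel("Date : " + record.getTimeGenerated())
    self.label2 = QLabel("Source : " + record.sourceName())
    self.label3 = QLabel("Type : " + record.getSingleType())
    self.lab_icon = QLabel()
    self.lab_icon.setPixmap(
        QPixmap(record.getIcon()).scaled(32, 32, Qt.KeepAspectRatio))
    # Icon and type label share one row.
    type_widget = QWidget()
    type_layout = QHBoxLayout(type_widget)
    type_layout.addWidget(self.lab_icon)
    type_layout.addWidget(self.label3)
    self.label4 = QLabel("Category : " + str(record.EventCategory))
    self.label5 = QLabel("EventId : " + str(record.EventID))
    self.label6 = QLabel("Computer : " + record.computerName())
    layout.addWidget(self.subWidget(self.label1, self.label2))
    layout.addWidget(self.subWidget(type_widget, self.label4))
    layout.addWidget(self.subWidget(self.label5, self.label6))
    layout.addWidget(QLabel('Messages :'))
    self.log_strings = QTextEdit('')
    self.log_strings.setReadOnly(True)
    self.log_strings.setLineWrapMode(QTextEdit.WidgetWidth)
    # Assemble the message text once; the original re-read the text box for
    # every string, which is quadratic in the number of strings.
    messages = [log + "\n\n" for log in record.getStrings() if log is not None]
    self.log_strings.setPlainText("".join(messages))
    layout.addWidget(self.log_strings)
    button_widget = QWidget()
    main_layout.addWidget(button_widget)
    self.next_evt = QPushButton(QIcon(":/next.png"), "")
    self.next_evt.setToolTip("Next record")
    self.prev_evt = QPushButton(QIcon(":/previous.png"), "")
    self.prev_evt.setToolTip("Previous record")
    self.next_evt.clicked.connect(self.dispNextEvent)
    self.prev_evt.clicked.connect(self.dispPrevEvent)
    # Disable whichever button would run off the end of the table.  On a
    # single-row table only "previous" is disabled (first branch wins), as
    # in the original.
    if row == 0:
        self.prev_evt.setEnabled(False)
    elif row + 1 == self.rowCount():
        self.next_evt.setEnabled(False)
    else:
        self.hideOrDipsButton()
    button_layout = QVBoxLayout(button_widget)
    button_layout.addWidget(self.prev_evt)
    button_layout.addWidget(self.next_evt)
    button_layout.addItem(
        QSpacerItem(20, 40, QSizePolicy.Minimum, QSizePolicy.Expanding))
    close_button = QPushButton("Close")
    close_button.clicked.connect(box.done)
    button_layout.addWidget(close_button)
    box.exec_()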