class System(Script): def __init__(self): Script.__init__(self, "System") def start(self, args): self.translator = SystemTranslator() try: self.root = args["root"].value() except IndexError: self.root = self.vfs.getnode('/') self.process() self.report() def process(self, root=None): self.registryManager = ModuleProcessusManager().get("winreg") if root != None: self.root = root self.registryManager = ModuleProcessusManager().get("winreg") self.windowsVersions = WindowsVersions() self.computerNames = ComputerNames() self.timeZones = TimeZones() self.shutdownTimes = ShutdownTimes() self.version() self.computer() self.timeZone() self.shutdownTime() def version(self): regKeys = self.registryManager.getKeys( {'HKLM\Software\Microsoft\Windows NT\CurrentVersion': ['*']}, self.root) regSplit = regKeys.split() for node, keys in regSplit.iteritems(): for key in keys: if key.values(): self.windowsVersions.add(node, WindowsVersion(key.values())) def computer(self): regKeys = self.registryManager.getKeys( { 'HKLM\System\ControlSet*\Control\ComputerName\ComputerName': ['*'] }, self.root) regSplit = regKeys.split() for node, keys in regSplit.iteritems(): for key in keys: if key.values(): for value in key.values(): if value.name == 'ComputerName': self.computerNames.add(node, ComputerName(value.data())) def timeZone(self): regKeys = self.registryManager.getKeys( {'HKLM\System\ControlSet*\Control\TimeZoneInformation': ['*']}, self.root) regSplit = regKeys.split() for node, keys in regSplit.iteritems(): for key in keys: if key.values(): self.timeZones.add(node, TimeZone(key.values())) def shutdownTime(self): regKeys = self.registryManager.getKeys( {'HKLM\System\ControlSet*\Control\Windows': ['*']}, self.root) regSplit = regKeys.split() for node, keys in regSplit.iteritems(): for key in keys: if key.values(): for value in key.values(): if value.name == 'ShutdownTime': self.shutdownTimes.add(node, ShutdownTime(value.data())) def report(self): self.reportManager = ReportManager() page = self.reportManager.createPage( self.translator.translate("Operating system") + " " + self.root.name().translate(None, "!@#$%^&'\/?"), self.translator.translate("System")) self.windowsVersions.report(page) self.computerNames.report(page) self.timeZones.report(page) self.shutdownTimes.report(page) self.reportManager.addPage(page)
class Network(Script): def __init__(self): Script.__init__(self, "Network") def start(self, args): try: self.root = args["root"].value() except IndexError: self.root = self.vfs.getnode("/") self.process() self.report() def process(self, root=None): if root != None: self.root = root else: root = self.root self.registryManager = ModuleProcessusManager().get("winreg") self.networkInterfaces = NetworkInterfaces() self.wlanConfigs = WlanConfigs() self.networkList = NetworkList() self.interfaces() self.cards() self.wlan() self.network() self.signatures() def interfaces(self): regKeys = self.registryManager.getKeys( { 'HKLM\SYSTEM\ControlSet*\Services\Tcpip\Parameters\Interfaces\*': [''] }, self.root) regSplit = regKeys.split() for node, keys in regSplit.iteritems(): for key in keys: if key.values(): self.networkInterfaces.add( node, NetworkInterface(key.name, key.values())) def cards(self): regKeys = self.registryManager.getKeys( { 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\*': ['*'] }, self.root) regSplit = regKeys.split() for node, keys in regSplit.iteritems(): for key in keys: if key.values(): self.networkInterfaces.setDescription(key.values()) def wlan(self): regKeys = self.registryManager.getKeys( {'HKLM\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\*': ['*']}, self.root) regSplit = regKeys.split() for node, keys in regSplit.iteritems(): for key in keys: if key.values(): for value in key.values(): if value.name == 'ActiveSettings': self.wlanConfigs.add(node, WlanConfig(value.data())) def network(self): regKeys = self.registryManager.getKeys( { 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\*': ['*'] }, self.root) regSplit = regKeys.split() for node, keys in regSplit.iteritems(): for key in keys: if key.values(): self.networkList.add(node, Profiles(key.name, key.values())) def signatures(self): for mode in ['Managed', 'Unmanaged']: regKeys = self.registryManager.getKeys( { 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\\' + mode + '\*': ['*'] }, self.root) regSplit = regKeys.split() for node, keys in regSplit.iteritems(): for key in keys: if key.values(): self.networkList.addSignature( node, Signature(mode, key.values())) def report(self): self.reportManager = ReportManager() translator = NetworkTranslator() page = self.reportManager.createPage( translator.translate("Operating system") + " " + self.root.name().translate(None, "!@#$%^&'\/?").encode( 'UTF-8', 'replace'), translator.translate("Network")) self.networkInterfaces.report(page) self.wlanConfigs.report(page) self.networkList.report(page) self.reportManager.addPage(page)
class Software(Script): def __init__(self): Script.__init__(self, "Software") def start(self, args): try: self.root = args["root"].value() except IndexError: self.root = self.vfs.getnode('/') self.registryManager = ModuleProcessusManager().get("winreg") self.uninstalls = Uninstalls() self.MSIs = MSIs() self.ARPCaches = ARPCaches() self.autoRuns = AutoRuns() self.uninstalled() self.msi() self.arpcache() self.runs() self.report() def uninstalled(self): regKeys = self.registryManager.getKeys( { "HKLM\Software\Microsoft\Windows\Currentversion\Uninstall\*": ['*'] }, self.root) regSplit = regKeys.split() for node, keys in regSplit.iteritems(): for key in keys: self.uninstalls.add(node, Uninstall(key)) regKeys = self.registryManager.getKeys( { "HKU\Software\Microsoft\Windows\Currentversion\Uninstall\*": ['*'] }, self.root) regSplit = regKeys.split() for node, keys in regSplit.iteritems(): for key in keys: self.uninstalls.add(node, Uninstall(key)) regKeys = self.registryManager.getKeys( { "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*": ['*'] }, self.root) regSplit = regKeys.split() for node, keys in regSplit.iteritems(): for key in keys: self.uninstalls.add(node, Uninstall(key)) def msi(self): regKeys = self.registryManager.getKeys( { "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\*\Products\*\InstallProperties": ['*'] }, self.root) regSplit = regKeys.split() for node, keys in regSplit.iteritems(): for key in keys: values = key.values() if values: self.MSIs.add(node, MSI(key.values())) def arpcache(self): regKeys = self.registryManager.getKeys( { "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\*": ['*'] }, self.root) regSplit = regKeys.split() for node, keys in regSplit.iteritems(): for key in keys: applicationName = key.name if applicationName[0] == '{': applicationName = self.uninstalls.find(applicationName) if applicationName: self.ARPCaches.add(node, ARPCache(applicationName)) def runs(self): self.runsPath("HKLM\Software\Microsoft\Windows\CurrentVersion\Run") self.runsPath("HKU\Software\Microsoft\Windows\CurrentVersion\Run") self.runsPath("HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce", True) self.runsPath( "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx", True) self.runsPath("HKU\Software\Microsoft\Windows\CurrentVersion\RunOnce", True) self.runsPath( "HKU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx", True) def runsPath(self, path, once=False): regKeys = self.registryManager.getKeys({path: ['*']}, self.root) regSplit = regKeys.split() for node, keys in regSplit.iteritems(): for key in keys: values = key.values() if values: for value in key.values(): self.autoRuns.add(node, AutoRun(value, once)) def report(self): self.reportManager = ReportManager() trSoftware = TranslateSoftware() page = self.reportManager.createPage( trSoftware.translate("Operating system") + " " + self.root.name().translate(None, "!@#$%^&'\/?"), trSoftware.translate("Software")) self.uninstalls.report(page) self.MSIs.report(page) self.ARPCaches.report(page) self.autoRuns.report(page) self.reportManager.addPage(page)
class RegistryQueriesParser(object): def __init__(self, name, registryMap, root): self.registryManager = ModuleProcessusManager().get("winreg") self.__queriesSet = {} self.__name = name #module name ? self.__root = root self.parse(registryMap, root) def name(self): return self.__name def root(self): return self.__root def queriesSet(self, name = None): if name == None: return self.__queriesSet else: try: return self.__queriesSet[name] except KeyError: return None def parse(self, registryMap, root): for name, queryMap in registryMap.iteritems(): self.__queriesSet[name] = self.parseQuery(queryMap, root) #def report(self, queriesName = None): #print "reporting " #reportManager = ReportManager() #if queriesName == None: #page = reportManager.createPage("Analyse", self.__name) #queriesTab = TabFragment("") #for queryName in self.__queriesSet: ##page = reportManager.createPage(self.__name, queryName) #tabFragment = TabFragment("") #self.__queriesSet[queryName].report(tabFragment) #queriesTab.addTab(queryName, tabFragment) #page.add(queriesTab) ##XXX overwrite a gerer #reportManager.addPage(page) #else: ##page = ReportManager.createPage(self.__name, queriesName) #page = ReportManager.createPage("Analyse", self.__name) #queries = self.__queriesSet[queriesName].report(tabFragment) ##XXX overwrite a gerer #reportManager.addPage(page) def parseQuery(self, regKeyPath, root): regKeys = self.registryManager.getKeys(regKeyPath, root) regSplit = regKeys.split() registryQueries = RegistryQueries() for node, keys in regSplit.iteritems(): for key in keys: try : desc = regKeyPath[key.query]["description"] except (TypeError, KeyError): print "query didn't have a description" continue try : valueNameDecoder = regKeyPath[key.query]["valuenamedecoder"] except (TypeError, KeyError): valueNameDecoder = None try : valueDataDecoder = regKeyPath[key.query]["valuedatadecoder"] except (TypeError, KeyError): valueDataDecoder = None query = registryQueries.query(desc, key.path()) kkey = query.key(key.name) kkey.time(node, MS64DateTime(key.mtime)) values = key.values() if values: for value in values: if valueNameDecoder: valueName = valueNameDecoder(value.name).decode() else: valueName = value.name #if value.name == None if valueName: kvalue = kkey.value(valueName) kdatas = [] datas = value.data() if type(datas) != list: datas = [datas] for data in datas: if valueDataDecoder: if type(data) == bytearray and len(data): data = valueDataDecoder(data, valueName).decode() elif type(data) == long or type(data) == int: data = valueDataDecoder(data, valueName).decode() kdatas.append(data) kvalue.data(node, kdatas) return registryQueries
class Devices(Script): def __init__(self): Script.__init__(self, "Devices") def start(self, args): try: self.root = args["root"].value() except IndexError: self.root = self.vfs.getnode("/") self.process() self.report() def process(self, root=None): self.registryManager = ModuleProcessusManager().get("winreg") if root != None: self.root = root self.devices = DevicesReg() self.mountedDevices = MountedDevices() self.volumes = Volumes() self.currentControlSet() self.enums('USBSTOR') self.enums('USBPRINT') self.enums('USB') self.enums('IDE') self.storage() self.mounted() self.mountPoints() self.correlate() def currentControlSet(self): currents = [] regKeys = self.registryManager.getKeys( {'HKLM\SYSTEM\Select': ['current']}, self.root) #last known good ? regSplit = regKeys.split() for node, keys in regSplit.iteritems(): for key in keys: for value in key.values(): self.devices.addCurrent(node, value.data()) return currents def enums(self, enumName): regKeys = self.registryManager.getKeys( { 'HKLM\SYSTEM\ControlSet*\Enum\\' + enumName + '\*\*': ['Class', 'DeviceDesc', 'FriendlyName', 'ParentIdPrefix'] }, self.root) regSplit = regKeys.split() for node, keys in regSplit.iteritems(): for key in keys: self.devices.addDevice( node, Device(enumName, key.name, key.values())) def mounted(self): regKeys = self.registryManager.getKeys( {'HKLM\SYSTEM\MountedDevices': { "values": "*" }}, self.root) regSplit = regKeys.split() for node, keys in regSplit.iteritems(): for key in keys: for value in key.values(): self.mountedDevices.add( node, MountedDevice(value.name, value.data().decode('utf-16'))) def storage(self): regKeys = self.registryManager.getKeys( {'HKLM\SYSTEM\ControlSet*\Enum\STORAGE\Volume\*': { "values": "*" }}, self.root) regSplit = regKeys.split() for node, keys in regSplit.iteritems(): for key in keys: self.volumes.add(node, Volume(key.name, key.values())) #for volume in self.volumes: #print volume def correlate(self): for nodeID, devices in self.devices.devices().iteritems(): for device in devices: parentIdPrefix = device.parentIdPrefix() if parentIdPrefix: mountedDevices = self.mountedDevices.findParentIdPrefix( nodeID, parentIdPrefix) if mountedDevices: for mountedDevice in mountedDevices: if mountedDevice.isMountPoint(): device.addMountPoint(mountedDevice.name()) else: users = self.searchUsersVolume( mountedDevice.volume()) device.addUsers(users) def mountPoints(self): self.__mountPointsKeys = self.registryManager.getKeys( { 'HKU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\*': { "values": "*" } }, self.root).split() def searchUsersVolume(self, volume): users = [] for node, keys in self.__mountPointsKeys.iteritems(): for key in keys: if volume == key.name: parent = key.parent().get_parent() for value in parent.values: if value.name == 'Logon User Name': user = value.fetch_raw_data().decode('utf-16') if not user in users: users.append((user, MS64DateTime(key.mtime))) return users def report(self): translator = DeviceTranslator() self.reportManager = ReportManager() tables = self.devices.tables() categoryName = translator.translate( "Operating system") + " " + self.root.name().translate( None, "!@#$%^&'\/?") page = self.reportManager.createPage(categoryName, translator.translate("Devices")) for (name, props, table) in tables: page.addTable(name, props, table) self.volumes.report(page) self.reportManager.addPage(page)
class Accounts(Script): def __init__(self): Script.__init__(self, "Accounts") self.__accounts = None def start(self, args): try: self.root = args["root"].value() except IndexError: self.root = self.vfs.getnode("/") self.process() self.report() def process(self, root=None): if root != None: root = root else: root = self.root self.__accounts = Account() self.registryManager = ModuleProcessusManager().get("winreg") regKeys = self.registryManager.getKeys( {'HKLM\SAM\SAM\Domains\Account\Users\*': { "values": "*" }}, root) regSplit = regKeys.split() for node, keys in regSplit.iteritems(): for key in keys: V = None F = None for value in key.values(): if value.name == 'V': V = value.data() if value.name == 'F': F = value.data() if V and F: self.__accounts.addUser(node, User(V, F)) groupKeys = self.registryManager.getKeys(GroupC.RegistryKeyPath, root) groupSplit = groupKeys.split() for node, keys in groupSplit.iteritems(): for key in keys: for value in key.values(): if value.name == 'C': self.__accounts.addGroup(node, GroupC(value.data())) accountDBKeys = self.registryManager.getKeys( AccountDBF.RegistryKeyPath, root) accountDBKeysSplit = accountDBKeys.split() for node, keys in accountDBKeysSplit.iteritems(): for key in keys: for value in key.values(): if value.name == 'F': self.__accounts.addDB(node, AccountDBF(value.data())) def accounts(self, root=None): if self.__accounts == None: self.process(root) return self.__accounts def report(self): try: self.__accounts.report(self.root) except Exception as e: print 'Module Account error when reporting ' + str(e)
class ReportUI(UI): def __init__(self, arguments): UI.__init__(self, arguments) self.taskManager = TaskManager() self.reportManager = ReportManager() self.registryManager = ModuleProcessusManager().get("winreg") self.evtxManager = ModuleProcessusManager().get("evtx") self.sqliteManager = ModuleProcessusManager().get('SqliteDB') self.root = vfs().getnode("/") def configureProcessing(self): self.taskManager.addPostProcessingModules(PROCESSING_MODULES) self.taskManager.addPostProcessingAnalyses(PROCESSING_ANALYSES) self.taskManager.addAnalyseDependencies() def launchProcessing(self): proc = self.taskManager.add("local", {"path": self.dumpPath}, "console") proc.event.wait() self.taskManager.join() def launch(self): self.startTime = time.time() self.dumpPath = sys.argv[1] self.reportPath = sys.argv[2] #PROCESSING self.configureProcessing() self.launchProcessing() self.searchTaggedNode() self.addProcessingTime() self.reportManager.setExportPath(self.reportPath) self.reportManager.export(exportContent=True) #SHOW EXECUTION TIME def addProcessingTime(self): totalTime = time.time() - self.startTime if totalTime > 60: totalTime = str(totalTime / 60) + " minutes" else: totalTime = str(totalTime) + " secondes" page = self.reportManager.createPage("MyAnalysis", "Stats") page.addText("Processing time ", totalTime) self.reportManager.addPage(page) def searchTaggedNode(self): f = Filter("") f.compile('tags in ["malware", "suspicious"]') f.process(self.root) malwareNodes = f.matchedNodes() if len(malwareNodes ) != 0: #if get some results we add it to the report page = self.reportManager.createPage("MyAnalysis", "Files") page.addNodeList("Malware", malwareNodes) self.reportManager.addPage(page) def searchRegistryKeys(self): regKeys = self.registryManager.getKeys( {'HKLM\Software\Microsoft\Windows NT\CurrentVersion': ['*']}, root) table = [] for key in regKeys: for value in key.values(): data = value.data() if type(data) != bytearray: table.append(( value.name, data, key.hive.absolute(), )) registryPage = iself.reportManager.createPage("MyAnalysis", "Registry") registryPage.addTable("Current version", ["name", "value", "hive path"], table) self.reportManager.addPage(registryPage) def searchSQL(self): cookiePage = reportManager.createPage("MyAnalysis", "Cookies") for db, node in sqliteManager.databases.iteritems(): sqltables = db.execute("SELECT * FROM cookies").fetchall() table = [] for row in sqltables: table.append((row[1], )) if len(table): cookiePage.addTable(node.absolute(), ["site"], table) reportManager.addPage(cookiePage) def searchEVTX(self): events = self.evtxManager.getXmlById({"id": [4624]}, "/") table = [] for event in events: try: etime = event.findall(".//TimeCreated")[0].attrib["SystemTime"] user = event.findall( ".//Data[@Name='SubjectUserName']")[0].text domain = event.findall( ".//Data[@Name='SubjectDomainName']")[0].text table.append(( etime, user, domain, )) except: pass #NODES COUNT AND STATS (type of files etc ?) #save to reload ? :) eventPage = self.reportManager.createPage("MyAnalysis", "Event") eventPage.addTable("Login", ["time", "user", "domain"], table) self.reportManager.addPage(eventPage)