class System(Script):
def __init__(self):
Script.__init__(self, "System")
def start(self, args):
self.translator = SystemTranslator()
try:
self.root = args["root"].value()
except IndexError:
self.root = self.vfs.getnode('/')
self.process()
self.report()
def process(self, root=None):
self.registryManager = ModuleProcessusManager().get("winreg")
if root != None:
self.root = root
self.registryManager = ModuleProcessusManager().get("winreg")
self.windowsVersions = WindowsVersions()
self.computerNames = ComputerNames()
self.timeZones = TimeZones()
self.shutdownTimes = ShutdownTimes()
self.version()
self.computer()
self.timeZone()
self.shutdownTime()
def version(self):
regKeys = self.registryManager.getKeys(
{'HKLM\Software\Microsoft\Windows NT\CurrentVersion': ['*']},
self.root)
regSplit = regKeys.split()
for node, keys in regSplit.iteritems():
for key in keys:
if key.values():
self.windowsVersions.add(node,
WindowsVersion(key.values()))
def computer(self):
regKeys = self.registryManager.getKeys(
{
'HKLM\System\ControlSet*\Control\ComputerName\ComputerName':
['*']
}, self.root)
regSplit = regKeys.split()
for node, keys in regSplit.iteritems():
for key in keys:
if key.values():
for value in key.values():
if value.name == 'ComputerName':
self.computerNames.add(node,
ComputerName(value.data()))
def timeZone(self):
regKeys = self.registryManager.getKeys(
{'HKLM\System\ControlSet*\Control\TimeZoneInformation': ['*']},
self.root)
regSplit = regKeys.split()
for node, keys in regSplit.iteritems():
for key in keys:
if key.values():
self.timeZones.add(node, TimeZone(key.values()))
def shutdownTime(self):
regKeys = self.registryManager.getKeys(
{'HKLM\System\ControlSet*\Control\Windows': ['*']}, self.root)
regSplit = regKeys.split()
for node, keys in regSplit.iteritems():
for key in keys:
if key.values():
for value in key.values():
if value.name == 'ShutdownTime':
self.shutdownTimes.add(node,
ShutdownTime(value.data()))
def report(self):
self.reportManager = ReportManager()
page = self.reportManager.createPage(
self.translator.translate("Operating system") + " " +
self.root.name().translate(None, "!@#$%^&'\/?"),
self.translator.translate("System"))
self.windowsVersions.report(page)
self.computerNames.report(page)
self.timeZones.report(page)
self.shutdownTimes.report(page)
self.reportManager.addPage(page)
class Network(Script):
def __init__(self):
Script.__init__(self, "Network")
def start(self, args):
try:
self.root = args["root"].value()
except IndexError:
self.root = self.vfs.getnode("/")
self.process()
self.report()
def process(self, root=None):
if root != None:
self.root = root
else:
root = self.root
self.registryManager = ModuleProcessusManager().get("winreg")
self.networkInterfaces = NetworkInterfaces()
self.wlanConfigs = WlanConfigs()
self.networkList = NetworkList()
self.interfaces()
self.cards()
self.wlan()
self.network()
self.signatures()
def interfaces(self):
regKeys = self.registryManager.getKeys(
{
'HKLM\SYSTEM\ControlSet*\Services\Tcpip\Parameters\Interfaces\*':
['']
}, self.root)
regSplit = regKeys.split()
for node, keys in regSplit.iteritems():
for key in keys:
if key.values():
self.networkInterfaces.add(
node, NetworkInterface(key.name, key.values()))
def cards(self):
regKeys = self.registryManager.getKeys(
{
'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\*':
['*']
}, self.root)
regSplit = regKeys.split()
for node, keys in regSplit.iteritems():
for key in keys:
if key.values():
self.networkInterfaces.setDescription(key.values())
def wlan(self):
regKeys = self.registryManager.getKeys(
{'HKLM\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\*': ['*']},
self.root)
regSplit = regKeys.split()
for node, keys in regSplit.iteritems():
for key in keys:
if key.values():
for value in key.values():
if value.name == 'ActiveSettings':
self.wlanConfigs.add(node,
WlanConfig(value.data()))
def network(self):
regKeys = self.registryManager.getKeys(
{
'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\*':
['*']
}, self.root)
regSplit = regKeys.split()
for node, keys in regSplit.iteritems():
for key in keys:
if key.values():
self.networkList.add(node,
Profiles(key.name, key.values()))
def signatures(self):
for mode in ['Managed', 'Unmanaged']:
regKeys = self.registryManager.getKeys(
{
'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\\' + mode + '\*':
['*']
}, self.root)
regSplit = regKeys.split()
for node, keys in regSplit.iteritems():
for key in keys:
if key.values():
self.networkList.addSignature(
node, Signature(mode, key.values()))
def report(self):
self.reportManager = ReportManager()
translator = NetworkTranslator()
page = self.reportManager.createPage(
translator.translate("Operating system") + " " +
self.root.name().translate(None, "!@#$%^&'\/?").encode(
'UTF-8', 'replace'), translator.translate("Network"))
self.networkInterfaces.report(page)
self.wlanConfigs.report(page)
self.networkList.report(page)
self.reportManager.addPage(page)
class Software(Script):
def __init__(self):
Script.__init__(self, "Software")
def start(self, args):
try:
self.root = args["root"].value()
except IndexError:
self.root = self.vfs.getnode('/')
self.registryManager = ModuleProcessusManager().get("winreg")
self.uninstalls = Uninstalls()
self.MSIs = MSIs()
self.ARPCaches = ARPCaches()
self.autoRuns = AutoRuns()
self.uninstalled()
self.msi()
self.arpcache()
self.runs()
self.report()
def uninstalled(self):
regKeys = self.registryManager.getKeys(
{
"HKLM\Software\Microsoft\Windows\Currentversion\Uninstall\*":
['*']
}, self.root)
regSplit = regKeys.split()
for node, keys in regSplit.iteritems():
for key in keys:
self.uninstalls.add(node, Uninstall(key))
regKeys = self.registryManager.getKeys(
{
"HKU\Software\Microsoft\Windows\Currentversion\Uninstall\*":
['*']
}, self.root)
regSplit = regKeys.split()
for node, keys in regSplit.iteritems():
for key in keys:
self.uninstalls.add(node, Uninstall(key))
regKeys = self.registryManager.getKeys(
{
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*":
['*']
}, self.root)
regSplit = regKeys.split()
for node, keys in regSplit.iteritems():
for key in keys:
self.uninstalls.add(node, Uninstall(key))
def msi(self):
regKeys = self.registryManager.getKeys(
{
"HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\*\Products\*\InstallProperties":
['*']
}, self.root)
regSplit = regKeys.split()
for node, keys in regSplit.iteritems():
for key in keys:
values = key.values()
if values:
self.MSIs.add(node, MSI(key.values()))
def arpcache(self):
regKeys = self.registryManager.getKeys(
{
"HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\*":
['*']
}, self.root)
regSplit = regKeys.split()
for node, keys in regSplit.iteritems():
for key in keys:
applicationName = key.name
if applicationName[0] == '{':
applicationName = self.uninstalls.find(applicationName)
if applicationName:
self.ARPCaches.add(node, ARPCache(applicationName))
def runs(self):
self.runsPath("HKLM\Software\Microsoft\Windows\CurrentVersion\Run")
self.runsPath("HKU\Software\Microsoft\Windows\CurrentVersion\Run")
self.runsPath("HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce",
True)
self.runsPath(
"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx", True)
self.runsPath("HKU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
True)
self.runsPath(
"HKU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx", True)
def runsPath(self, path, once=False):
regKeys = self.registryManager.getKeys({path: ['*']}, self.root)
regSplit = regKeys.split()
for node, keys in regSplit.iteritems():
for key in keys:
values = key.values()
if values:
for value in key.values():
self.autoRuns.add(node, AutoRun(value, once))
def report(self):
self.reportManager = ReportManager()
trSoftware = TranslateSoftware()
page = self.reportManager.createPage(
trSoftware.translate("Operating system") + " " +
self.root.name().translate(None, "!@#$%^&'\/?"),
trSoftware.translate("Software"))
self.uninstalls.report(page)
self.MSIs.report(page)
self.ARPCaches.report(page)
self.autoRuns.report(page)
self.reportManager.addPage(page)
class RegistryQueriesParser(object):
def __init__(self, name, registryMap, root):
self.registryManager = ModuleProcessusManager().get("winreg")
self.__queriesSet = {}
self.__name = name #module name ?
self.__root = root
self.parse(registryMap, root)
def name(self):
return self.__name
def root(self):
return self.__root
def queriesSet(self, name = None):
if name == None:
return self.__queriesSet
else:
try:
return self.__queriesSet[name]
except KeyError:
return None
def parse(self, registryMap, root):
for name, queryMap in registryMap.iteritems():
self.__queriesSet[name] = self.parseQuery(queryMap, root)
#def report(self, queriesName = None):
#print "reporting "
#reportManager = ReportManager()
#if queriesName == None:
#page = reportManager.createPage("Analyse", self.__name)
#queriesTab = TabFragment("")
#for queryName in self.__queriesSet:
##page = reportManager.createPage(self.__name, queryName)
#tabFragment = TabFragment("")
#self.__queriesSet[queryName].report(tabFragment)
#queriesTab.addTab(queryName, tabFragment)
#page.add(queriesTab)
##XXX overwrite a gerer
#reportManager.addPage(page)
#else:
##page = ReportManager.createPage(self.__name, queriesName)
#page = ReportManager.createPage("Analyse", self.__name)
#queries = self.__queriesSet[queriesName].report(tabFragment)
##XXX overwrite a gerer
#reportManager.addPage(page)
def parseQuery(self, regKeyPath, root):
regKeys = self.registryManager.getKeys(regKeyPath, root)
regSplit = regKeys.split()
registryQueries = RegistryQueries()
for node, keys in regSplit.iteritems():
for key in keys:
try :
desc = regKeyPath[key.query]["description"]
except (TypeError, KeyError):
print "query didn't have a description"
continue
try :
valueNameDecoder = regKeyPath[key.query]["valuenamedecoder"]
except (TypeError, KeyError):
valueNameDecoder = None
try :
valueDataDecoder = regKeyPath[key.query]["valuedatadecoder"]
except (TypeError, KeyError):
valueDataDecoder = None
query = registryQueries.query(desc, key.path())
kkey = query.key(key.name)
kkey.time(node, MS64DateTime(key.mtime))
values = key.values()
if values:
for value in values:
if valueNameDecoder:
valueName = valueNameDecoder(value.name).decode()
else:
valueName = value.name #if value.name == None
if valueName:
kvalue = kkey.value(valueName)
kdatas = []
datas = value.data()
if type(datas) != list:
datas = [datas]
for data in datas:
if valueDataDecoder:
if type(data) == bytearray and len(data):
data = valueDataDecoder(data, valueName).decode()
elif type(data) == long or type(data) == int:
data = valueDataDecoder(data, valueName).decode()
kdatas.append(data)
kvalue.data(node, kdatas)
return registryQueries
class Devices(Script):
def __init__(self):
Script.__init__(self, "Devices")
def start(self, args):
try:
self.root = args["root"].value()
except IndexError:
self.root = self.vfs.getnode("/")
self.process()
self.report()
def process(self, root=None):
self.registryManager = ModuleProcessusManager().get("winreg")
if root != None:
self.root = root
self.devices = DevicesReg()
self.mountedDevices = MountedDevices()
self.volumes = Volumes()
self.currentControlSet()
self.enums('USBSTOR')
self.enums('USBPRINT')
self.enums('USB')
self.enums('IDE')
self.storage()
self.mounted()
self.mountPoints()
self.correlate()
def currentControlSet(self):
currents = []
regKeys = self.registryManager.getKeys(
{'HKLM\SYSTEM\Select': ['current']}, self.root) #last known good ?
regSplit = regKeys.split()
for node, keys in regSplit.iteritems():
for key in keys:
for value in key.values():
self.devices.addCurrent(node, value.data())
return currents
def enums(self, enumName):
regKeys = self.registryManager.getKeys(
{
'HKLM\SYSTEM\ControlSet*\Enum\\' + enumName + '\*\*':
['Class', 'DeviceDesc', 'FriendlyName', 'ParentIdPrefix']
}, self.root)
regSplit = regKeys.split()
for node, keys in regSplit.iteritems():
for key in keys:
self.devices.addDevice(
node, Device(enumName, key.name, key.values()))
def mounted(self):
regKeys = self.registryManager.getKeys(
{'HKLM\SYSTEM\MountedDevices': {
"values": "*"
}}, self.root)
regSplit = regKeys.split()
for node, keys in regSplit.iteritems():
for key in keys:
for value in key.values():
self.mountedDevices.add(
node,
MountedDevice(value.name,
value.data().decode('utf-16')))
def storage(self):
regKeys = self.registryManager.getKeys(
{'HKLM\SYSTEM\ControlSet*\Enum\STORAGE\Volume\*': {
"values": "*"
}}, self.root)
regSplit = regKeys.split()
for node, keys in regSplit.iteritems():
for key in keys:
self.volumes.add(node, Volume(key.name, key.values()))
#for volume in self.volumes:
#print volume
def correlate(self):
for nodeID, devices in self.devices.devices().iteritems():
for device in devices:
parentIdPrefix = device.parentIdPrefix()
if parentIdPrefix:
mountedDevices = self.mountedDevices.findParentIdPrefix(
nodeID, parentIdPrefix)
if mountedDevices:
for mountedDevice in mountedDevices:
if mountedDevice.isMountPoint():
device.addMountPoint(mountedDevice.name())
else:
users = self.searchUsersVolume(
mountedDevice.volume())
device.addUsers(users)
def mountPoints(self):
self.__mountPointsKeys = self.registryManager.getKeys(
{
'HKU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\*':
{
"values": "*"
}
}, self.root).split()
def searchUsersVolume(self, volume):
users = []
for node, keys in self.__mountPointsKeys.iteritems():
for key in keys:
if volume == key.name:
parent = key.parent().get_parent()
for value in parent.values:
if value.name == 'Logon User Name':
user = value.fetch_raw_data().decode('utf-16')
if not user in users:
users.append((user, MS64DateTime(key.mtime)))
return users
def report(self):
translator = DeviceTranslator()
self.reportManager = ReportManager()
tables = self.devices.tables()
categoryName = translator.translate(
"Operating system") + " " + self.root.name().translate(
None, "!@#$%^&'\/?")
page = self.reportManager.createPage(categoryName,
translator.translate("Devices"))
for (name, props, table) in tables:
page.addTable(name, props, table)
self.volumes.report(page)
self.reportManager.addPage(page)
class Accounts(Script):
def __init__(self):
Script.__init__(self, "Accounts")
self.__accounts = None
def start(self, args):
try:
self.root = args["root"].value()
except IndexError:
self.root = self.vfs.getnode("/")
self.process()
self.report()
def process(self, root=None):
if root != None:
root = root
else:
root = self.root
self.__accounts = Account()
self.registryManager = ModuleProcessusManager().get("winreg")
regKeys = self.registryManager.getKeys(
{'HKLM\SAM\SAM\Domains\Account\Users\*': {
"values": "*"
}}, root)
regSplit = regKeys.split()
for node, keys in regSplit.iteritems():
for key in keys:
V = None
F = None
for value in key.values():
if value.name == 'V':
V = value.data()
if value.name == 'F':
F = value.data()
if V and F:
self.__accounts.addUser(node, User(V, F))
groupKeys = self.registryManager.getKeys(GroupC.RegistryKeyPath, root)
groupSplit = groupKeys.split()
for node, keys in groupSplit.iteritems():
for key in keys:
for value in key.values():
if value.name == 'C':
self.__accounts.addGroup(node, GroupC(value.data()))
accountDBKeys = self.registryManager.getKeys(
AccountDBF.RegistryKeyPath, root)
accountDBKeysSplit = accountDBKeys.split()
for node, keys in accountDBKeysSplit.iteritems():
for key in keys:
for value in key.values():
if value.name == 'F':
self.__accounts.addDB(node, AccountDBF(value.data()))
def accounts(self, root=None):
if self.__accounts == None:
self.process(root)
return self.__accounts
def report(self):
try:
self.__accounts.report(self.root)
except Exception as e:
print 'Module Account error when reporting ' + str(e)
class ReportUI(UI):
def __init__(self, arguments):
UI.__init__(self, arguments)
self.taskManager = TaskManager()
self.reportManager = ReportManager()
self.registryManager = ModuleProcessusManager().get("winreg")
self.evtxManager = ModuleProcessusManager().get("evtx")
self.sqliteManager = ModuleProcessusManager().get('SqliteDB')
self.root = vfs().getnode("/")
def configureProcessing(self):
self.taskManager.addPostProcessingModules(PROCESSING_MODULES)
self.taskManager.addPostProcessingAnalyses(PROCESSING_ANALYSES)
self.taskManager.addAnalyseDependencies()
def launchProcessing(self):
proc = self.taskManager.add("local", {"path": self.dumpPath},
"console")
proc.event.wait()
self.taskManager.join()
def launch(self):
self.startTime = time.time()
self.dumpPath = sys.argv[1]
self.reportPath = sys.argv[2]
#PROCESSING
self.configureProcessing()
self.launchProcessing()
self.searchTaggedNode()
self.addProcessingTime()
self.reportManager.setExportPath(self.reportPath)
self.reportManager.export(exportContent=True)
#SHOW EXECUTION TIME
def addProcessingTime(self):
totalTime = time.time() - self.startTime
if totalTime > 60:
totalTime = str(totalTime / 60) + " minutes"
else:
totalTime = str(totalTime) + " secondes"
page = self.reportManager.createPage("MyAnalysis", "Stats")
page.addText("Processing time ", totalTime)
self.reportManager.addPage(page)
def searchTaggedNode(self):
f = Filter("")
f.compile('tags in ["malware", "suspicious"]')
f.process(self.root)
malwareNodes = f.matchedNodes()
if len(malwareNodes
) != 0: #if get some results we add it to the report
page = self.reportManager.createPage("MyAnalysis", "Files")
page.addNodeList("Malware", malwareNodes)
self.reportManager.addPage(page)
def searchRegistryKeys(self):
regKeys = self.registryManager.getKeys(
{'HKLM\Software\Microsoft\Windows NT\CurrentVersion': ['*']}, root)
table = []
for key in regKeys:
for value in key.values():
data = value.data()
if type(data) != bytearray:
table.append((
value.name,
data,
key.hive.absolute(),
))
registryPage = iself.reportManager.createPage("MyAnalysis", "Registry")
registryPage.addTable("Current version",
["name", "value", "hive path"], table)
self.reportManager.addPage(registryPage)
def searchSQL(self):
cookiePage = reportManager.createPage("MyAnalysis", "Cookies")
for db, node in sqliteManager.databases.iteritems():
sqltables = db.execute("SELECT * FROM cookies").fetchall()
table = []
for row in sqltables:
table.append((row[1], ))
if len(table):
cookiePage.addTable(node.absolute(), ["site"], table)
reportManager.addPage(cookiePage)
def searchEVTX(self):
events = self.evtxManager.getXmlById({"id": [4624]}, "/")
table = []
for event in events:
try:
etime = event.findall(".//TimeCreated")[0].attrib["SystemTime"]
user = event.findall(
".//Data[@Name='SubjectUserName']")[0].text
domain = event.findall(
".//Data[@Name='SubjectDomainName']")[0].text
table.append((
etime,
user,
domain,
))
except:
pass
#NODES COUNT AND STATS (type of files etc ?)
#save to reload ? :)
eventPage = self.reportManager.createPage("MyAnalysis", "Event")
eventPage.addTable("Login", ["time", "user", "domain"], table)
self.reportManager.addPage(eventPage)
