def _setTimestamp(self, obj, attrs):
if obj.ExitTime:
exit_datetime = obj.ExitTime.as_windows_timestamp()
vt = MS64DateTime(exit_datetime)
vt.thisown = False
attrs["State"] = Variant("Exited")
attrs["Exit time"] = Variant(vt)
else:
attrs["State"] = Variant("Running")
create_datetime = obj.CreateTime.as_windows_timestamp()
vt = MS64DateTime(create_datetime)
vt.thisown = False
attrs["Create time"] = Variant(vt)
def attributesTypes(values, types):
if (types == DateTime):
val = DateTime(values)
val.thisown = False
elif (types == MS64DateTime):
val = MS64DateTime(values)
val.thisown = False
elif (types == DosDateTime):
val = DosDateTime(*values)
val.thisown = False
elif (types == int) or (types == long):
if type(values) == str: #XXX strange ?
values = 0
val = types(values)
elif (types == dict):
val = VMap()
for k, v in values.iteritems():
vval = Variant(attributesTypes(*v))
val[k] = vval
elif (types == list):
val = VList()
for v in values:
vval = Variant(attributesTypes(*v))
val.append(vval)
elif (types == str):
if type(values) == unicode:
val = values.encode("UTF-8", "replace")
else:
val = str(values)
elif (types == VLink): #return node is already created
val = values
else:
val = types(values)
return val
def _attributes(self):
attr = VMap()
vt = MS64DateTime(self.timestamp)
vt.thisown = False
vmodified = Variant(vt)
attr["modified"] = vmodified
return attr
def __setConnections(self, attrs):
if self._fsobj.connections.has_key(long(self.eproc.UniqueProcessId)):
conns = VMap()
count = 0
for conn_obj in self._fsobj.connections[long(
self.eproc.UniqueProcessId)]:
count += 1
conn = VMap()
conn["Local IP address"] = Variant(str(conn_obj.localAddr))
conn["Local port"] = Variant(int(conn_obj.localPort))
if conn_obj.proto is not None:
conn["Protocol"] = Variant(int(conn_obj.proto))
conn["Protocol type"] = Variant(conn_obj.type)
if conn_obj.ctime is not None:
create_datetime = conn_obj.ctime.as_windows_timestamp()
vt = MS64DateTime(create_datetime)
vt.thisown = False
conn["Create time"] = Variant(vt)
if conn_obj.remoteAddr is not None:
conn["Remote IP address"] = Variant(
str(conn_obj.remoteAddr))
conn["Remote port"] = Variant(int(conn_obj.remotePort))
if conn_obj.state is not None:
conn["State"] = Variant(str(conn_obj.state))
conns["Connection " + str(count)] = Variant(conn)
attrs["Connections"] = conns
def __init__(self, key):
self.__values = {
'KeyName': key.name,
'KeyDate': str(MS64DateTime(key.mtime))
}
values = key.values()
if values:
for value in values:
self.__values[value.name] = value.data()
def __init__(self, vfile):
data = unpack('Q', vfile.read(8))[0]
#MS didn't differentiate absolute and relative time (time/datetime)
#so use ugly trick heare
if data >= 116444736000000000: #a date time should be superior than the lep between unix & ms epoch
vt = MS64DateTime(data)
vt.thisown = False
Variant.__init__(self, vt)
else:
Variant.__init__(self, data)
def searchUsersVolume(self, volume):
users = []
for node, keys in self.__mountPointsKeys.iteritems():
for key in keys:
if volume == key.name:
parent = key.parent().get_parent()
for value in parent.values:
if value.name == 'Logon User Name':
user = value.fetch_raw_data().decode('utf-16')
if not user in users:
users.append((user, MS64DateTime(key.mtime)))
return users
def __init__(self, data, keyname):
self.count = 0
self.lastUpdate = "N/A"
self.id = 0
if len(data) <= 16:
try:
self.id = unpack("<I", str(data[0:4]))[0]
self.count = unpack("<I", str(data[4:8]))[0]
if self.count > 5:
self.count -= 5
else:
self.count = 0
self.lastUpdate = MS64DateTime(
unpack("<Q", str(data[8:16]))[0])
except:
pass
elif len(data) == 72:
try:
self.count = unpack("<I", str(data[4:8]))[0]
self.lastUpdate = MS64DateTime(
unpack("<Q", str(data[60:68]))[0])
except:
pass
def parseQuery(self, regKeyPath, root):
regKeys = self.registryManager.getKeys(regKeyPath, root)
regSplit = regKeys.split()
registryQueries = RegistryQueries()
for node, keys in regSplit.iteritems():
for key in keys:
try :
desc = regKeyPath[key.query]["description"]
except (TypeError, KeyError):
print "query didn't have a description"
continue
try :
valueNameDecoder = regKeyPath[key.query]["valuenamedecoder"]
except (TypeError, KeyError):
valueNameDecoder = None
try :
valueDataDecoder = regKeyPath[key.query]["valuedatadecoder"]
except (TypeError, KeyError):
valueDataDecoder = None
query = registryQueries.query(desc, key.path())
kkey = query.key(key.name)
kkey.time(node, MS64DateTime(key.mtime))
values = key.values()
if values:
for value in values:
if valueNameDecoder:
valueName = valueNameDecoder(value.name).decode()
else:
valueName = value.name #if value.name == None
if valueName:
kvalue = kkey.value(valueName)
kdatas = []
datas = value.data()
if type(datas) != list:
datas = [datas]
for data in datas:
if valueDataDecoder:
if type(data) == bytearray and len(data):
data = valueDataDecoder(data, valueName).decode()
elif type(data) == long or type(data) == int:
data = valueDataDecoder(data, valueName).decode()
kdatas.append(data)
kvalue.data(node, kdatas)
return registryQueries
def __init__(self, data):
data = buffer(data)
length, dwCtlFlags, macAddress, unknown, ssidLength, ssidRaw = unpack(
'II6s2sI32s', data[0:0x14 + 32])
self.__ssid = ssidRaw[:ssidLength]
mac = ""
for x in macAddress:
mac += '%.2x' % ord(x) + ':'
if mac == "00:00:00:00:00:00:":
self.__macAddress = None
else:
self.__macAddress = mac[:-1]
self.__lastConnection = None
try:
lastConnection = unpack('Q', data[0x2b8:0x2b8 + 8])[0]
if lastConnection:
self.__lastConnection = str(MS64DateTime(lastConnection))
except:
pass
def __init__(self, data):
data = buffer(data)
self.__shutdownTime = MS64DateTime(unpack('Q', data)[0])
def __attributes(self):
attribs = VMap()
kdbg_offsets = VMap()
proc_head = VMap()
mod_head = VMap()
sys_info = VMap()
sys_info["Chosen profile"] = Variant(self.__fsobj._config.PROFILE)
sys_info["Major"] = Variant(
self._kdbg.obj_vm.profile.metadata.get('major', 0))
sys_info["Minor"] = Variant(
self._kdbg.obj_vm.profile.metadata.get('minor', 0))
sys_info["Build"] = Variant(
self._kdbg.obj_vm.profile.metadata.get('build', 0))
if hasattr(self._kdbg.obj_vm, 'vtop'):
kdbg_offsets["virtual"] = Variant(self._kdbg.obj_offset)
kdbg_offsets["physical"] = Variant(
self._kdbg.obj_vm.vtop(self._kdbg.obj_offset))
sys_info["Service Pack (CmNtCSDVersion)"] = Variant(
self._kdbg.ServicePack)
sys_info["Build string (NtBuildLab)"] = Variant(
str(self._kdbg.NtBuildLab.dereference()))
try:
num_tasks = len(list(self._kdbg.processes()))
except AttributeError:
num_tasks = 0
try:
num_modules = len(list(self._kdbg.modules()))
except AttributeError:
num_modules = 0
cpu_blocks = list(self._kdbg.kpcrs())
proc_head["offset"] = Variant(long(self._kdbg.PsActiveProcessHead))
proc_head["process count"] = Variant(num_tasks)
mod_head["offset"] = Variant(long(self._kdbg.PsLoadedModuleList))
mod_head["modules count"] = Variant(num_modules)
try:
dos_header = obj.Object("_IMAGE_DOS_HEADER",
offset=self._kdbg.KernBase,
vm=self._kdbg.obj_vm)
nt_header = dos_header.get_nt_header()
except:
pass
else:
sys_info["Major (OptionalHeader)"] = Variant(
long(nt_header.OptionalHeader.MajorOperatingSystemVersion))
sys_info["Minor (OptionalHeader)"] = Variant(
long(nt_header.OptionalHeader.MinorOperatingSystemVersion))
i = 0
kpcrs = VMap()
for kpcr in cpu_blocks:
kpcrs["CPU " + str(kpcr.ProcessorBlock.Number)] = Variant(
kpcr.obj_offset)
attribs["KPCR(s)"] = Variant(kpcrs)
attribs["DTB"] = Variant(self._aspace.dtb)
volmagic = obj.VolMagic(self._aspace)
KUSER_SHARED_DATA = volmagic.KUSER_SHARED_DATA.v()
if KUSER_SHARED_DATA:
attribs["KUSER_SHARED_DATA"] = Variant(KUSER_SHARED_DATA)
k = obj.Object("_KUSER_SHARED_DATA",
offset=KUSER_SHARED_DATA,
vm=self._aspace)
if k:
stime = k.SystemTime
vtstime = MS64DateTime(stime.as_windows_timestamp())
vtstime.thisown = False
attribs["Image date and time"] = Variant(vtstime)
tz = timefmt.OffsetTzInfo(
-k.TimeZoneBias.as_windows_timestamp() / 10000000)
lsystime = stime.as_datetime().astimezone(tz)
vtlstime = DateTime(lsystime.year, lsystime.month,
lsystime.day, lsystime.hour,
lsystime.minute, lsystime.second)
vtlstime.thisown = False
attribs["Image local date and time"] = Variant(vtlstime)
else:
kdbg_offsets["physical"] = Variant(self._kdbg.obj_offset)
proc_head["offset"] = Variant(self._kdbg.PsActiveProcessHead)
mod_head["offset"] = Variant(self._kdbg.PsLoadedModuleList)
attribs["PsActiveProcessHead"] = Variant(proc_head)
attribs["PsLoadedModuleList"] = Variant(mod_head)
attribs["KDBG offsets"] = Variant(kdbg_offsets)
attribs["KernelBase"] = Variant(long(self._kdbg.KernBase))
if not hasattr(self._aspace, "pae"):
attribs["PAE type"] = Variant("No PAE")
else:
attribs["PAE type"] = Variant("PAE")
verinfo = self._kdbg.dbgkd_version64()
if verinfo:
ver64 = VMap()
ver64["Major"] = Variant(long(verinfo.MajorVersion))
ver64["Minor"] = Variant(long(verinfo.MinorVersion))
ver64["offset"] = Variant(verinfo.obj_offset)
sys_info["Version 64"] = Variant(ver64)
attribs["System Information"] = Variant(sys_info)
return attribs
def accountExpirationDate(self):
if self.__accountExpirationDate:
return str(MS64DateTime(self.__loginTime))
else:
return self.translator.unknown()
def passwordResetDate(self):
if (self.__passwordResetDate):
return str(MS64DateTime(self.__passwordResetDate))
else:
return self.translator.unknown()
def lastLoginDate(self):
if self.__lastLoginDate:
return str(MS64DateTime(self.__lastLoginDate))
else:
return self.translator.unknown()
def __init__(self, data):
self.data = data
if type(data) == bytearray:
self.data = str(MS64DateTime(unpack('Q', str(data))[0]))
else:
self.data = str(DateTime(data))