def __setConnections(self, attrs): if self._fsobj.connections.has_key(long(self.eproc.UniqueProcessId)): conns = VMap() count = 0 for conn_obj in self._fsobj.connections[long( self.eproc.UniqueProcessId)]: count += 1 conn = VMap() conn["Local IP address"] = Variant(str(conn_obj.localAddr)) conn["Local port"] = Variant(int(conn_obj.localPort)) if conn_obj.proto is not None: conn["Protocol"] = Variant(int(conn_obj.proto)) conn["Protocol type"] = Variant(conn_obj.type) if conn_obj.ctime is not None: create_datetime = conn_obj.ctime.as_windows_timestamp() vt = MS64DateTime(create_datetime) vt.thisown = False conn["Create time"] = Variant(vt) if conn_obj.remoteAddr is not None: conn["Remote IP address"] = Variant( str(conn_obj.remoteAddr)) conn["Remote port"] = Variant(int(conn_obj.remotePort)) if conn_obj.state is not None: conn["State"] = Variant(str(conn_obj.state)) conns["Connection " + str(count)] = Variant(conn) attrs["Connections"] = conns
def attributesTypes(values, types): if types == vtime: val = vtime(*values) #(X, X) vtime take 2 arguments val.thisown = False elif (types == int) or (types == long): if type(values) == str: #XXX strange ? values = 0 val = types(values) elif (types == dict): val = VMap() for k, v in values.iteritems(): vval = Variant(attributesTypes(*v)) val[k] = vval elif (types == list): val = VList() for v in values: vval = Variant(attributesTypes(*v)) val.append(vval) elif (types == str): if type(values) == unicode: val = values.encode("ascii", "replace") else: val = str(values) elif (types == VLink): #return node is already created val = values else: val = types(values) return val
def _attributes(self): attr = VMap() attr.thisown = False try: vlist = Variant(self.evt_record.getStrings(), typeId.String) vlist.thisown = False attr["Log strings"] = vlist except RuntimeError: pass s_name = Variant(self.evt_record.sourceName()) attr["Source name"] = s_name c_name = Variant(self.evt_record.computerName()) attr["Computer name"] = c_name event_type = Variant(self.evt_record.eventType()) attr["Event type"] = event_type time_gen = Variant(self.evt_record.getTimeGenerated()) attr["Time generated"] = time_gen time_written = Variant(self.evt_record.getTimeWritten()) attr["Time written"] = time_written return attr
def _attributes(self): attr = VMap() vmap = VMap() for t in self.tables.map: vmap[hex(t)] = Variant(hex(self.tables.map[t].write)) attr["tables"] = Variant(vmap) attr["reallocated blocks"] = Variant(self.aalloc) return attr
def attributes(self, node): try: classAttributes = self.nodeAttributes[long(node.this)] return classAttributes._attributes() except KeyError: attr = VMap() attr.thisown = False return attr
def attributes(self, node): try: classAttributes = self.nodeAttributes[node.uid()] return classAttributes._attributes() except KeyError: attr = VMap() attr.thisown = False return attr
def _attributes(self): attr = VMap() for i in xrange(0, 2): vmap = VMap() name = ["segment 0 (norfs)", "segment 1 (nandfs)"] vmap["start offset"] = Variant(self.boot.segment[i].start) vmap["end offset"] = Variant(self.boot.segment[i].end) vmap["size"] = Variant(self.boot.segment[i].size) vmap["erse block size"] = Variant(self.boot.segment[i].erasesize) vmap["block size"] = Variant(self.boot.segment[i].blocksize) attr[name[i]] = Variant(vmap) return attr
def _setLoadedModules(self, attrs): dlls = VList() for m in self.eproc.get_load_modules(): name = str(m.FullDllName) or 'N/A' dll = VMap() dllattribs = VMap() dllattribs["Base"] = Variant(long(m.DllBase)) dllattribs["Size"] = Variant(long(m.SizeOfImage)) if name != "N/A": self._setImportedFunctions(name, dllattribs) dll[name] = Variant(dllattribs) dlls.append(dll) attrs["Loaded modules"] = Variant(dlls)
def attributes(self, node): m = VMap() hinfos = self.calculatedHash[long(node.this)] hashes = self.getHashes(node) for algo in hashes: v = Variant(str(hashes[algo])) m[str(algo)] = v if len(hinfos.hsets): knownBad = [] knownGood = [] for setId in hinfos.hsets: hset = self.parent.hashSets.get(setId) if hset.knownGood: knownGood.append(hset) else: knownBad.append(hset) if len(knownBad): badList = VList() for badSet in knownBad: vname = Variant(badSet.name) badList.append(vname) m["known bad"] = badList if len(knownGood): goodList = VList() for goodSet in knownGood: vname = Variant(goodSet.name) goodList.append(vname) m["known good"] = goodList return m
def _setFileAttributes(self, handle, files): file_attrs = VMap() fileobj = handle.dereference_as("_FILE_OBJECT") #self._setTimestamp(thrd, thrd_attrs) fnamedev = fileobj.file_name_with_device() if True: if fnamedev.find("\\Device\\HarddiskVolume1") != -1: fnamedev_overlay = fnamedev.replace( "\\Device\\HarddiskVolume1", "WinXpPro/WinXpPro.vmdk/Baselink/VirtualHDD/Partitions/Partition 1/NTFS" ).replace("\\", "/") node = self.v.getnode(fnamedev_overlay) if node: file_attrs["HardDriveImage"] = Variant(node) else: file_attrs["HardDriveImage"] = Variant("Not found") file_attrs["WriteAccess"] = Variant(fileobj.WriteAccess > 0, typeId.Bool) file_attrs["ReadAccess"] = Variant(fileobj.ReadAccess > 0, typeId.Bool) file_attrs["DeleteAccess"] = Variant(fileobj.DeleteAccess > 0, typeId.Bool) file_attrs["SharedRead"] = Variant(fileobj.SharedRead > 0, typeId.Bool) file_attrs["SharedWrite"] = Variant(fileobj.SharedWrite > 0, typeId.Bool) file_attrs["SharedDelete"] = Variant(fileobj.SharedDelete > 0, typeId.Bool) files[fnamedev] = file_attrs
def attributes(self, node): try: attr = self.nodeAttributes[node.uid()] return AttributesVMap(attr) except KeyError: attr = VMap() return attr
def _attributes(self): vmap = VMap() v = Variant(self.cbFormat) vmap['Clibboard Format'] = v v = Variant(self.cbDataFormat) vmap['Clibboard Data Format'] = v return vmap
def _attributes(self): attr = VMap() vt = vtime(self.timestamp, TIME_MS_64) vt.thisown = False vmodified = Variant(vt) attr["modified"] = vmodified return attr
def _setThreadAttributes(self, handle, threads): thrd_attrs = VMap() thrd = handle.dereference_as("_ETHREAD") thrd_attrs["UniqueProcess"] = Variant(int(thrd.Cid.UniqueProcess)) self._setTimestamp(thrd, thrd_attrs) threads[str(thrd.Cid.UniqueThread)] = thrd_attrs
def attributes(self, node): attr = VMap() vfile = node.open() img = Image.open(vfile) info = img._getexif() vfile.close() for tag, values in info.items(): if tag in self.dateTimeTags: try: decoded = str(TAGS.get(tag, tag)) try: dt = strptime(values, "%Y:%m:%d %H:%M:%S") except ValueError: try: dt = strptime(values[:-6], "%Y-%m-%dT%H:%M:%S") except ValueError: dt = strptime(values.rstrip(' '), "%a %b %d %H:%M:%S") vt = vtime(dt.tm_year, dt.tm_mon, dt.tm_mday, dt.tm_hour, dt.tm_min, dt.tm_sec, 0) vt.thisown = False attr[decoded] = Variant(vt) except Exception as e: attr[decoded] = Variant(str(values)) else: decoded = str(TAGS.get(tag, tag)) if isinstance(values, tuple): vl = VList() for value in values: vl.push_back(Variant(value)) attr[decoded] = vl else: attr[decoded] = Variant(values) return attr
def _attributes(self): attr = VMap() vt = MS64DateTime(self.timestamp) vt.thisown = False vmodified = Variant(vt) attr["modified"] = vmodified return attr
def attributes(self, node): try: attr = self.nodeAttributes[long(node.this)] return AttributesVMap(attr) except KeyError: attr = VMap() return attr
def attributes(self, node): attr = VMap() try: attr["skin percent"] = Variant(self.skinnodes[node.uid()]) except Exception: pass return attr
def __flagsToVariant(self, flags): attrsflags = VMap() for name in sorted(flags.members.keys()): value = flags.m(name) if value != 0: attrsflags[str(name)] = Variant(long(value)) return attrsflags
def _attributes(self): attr = VMap() if self.pid != None: attr["pid"] = Variant(self.pid) if self.active_threads: attr["threads"] = Variant(self.active_threads) if self.inherited_from: attr["ppid"] = Variant(self.inherited_from) if self.handle_count: attr["handle count"] = Variant(self.handle_count) if self.connections: attr["connection"] = Variant(self.connections) if self.create_time: at = vtime() at.thisown = False d = datetime.fromtimestamp(self.create_time).timetuple() at.year = d[0] at.month = d[1] at.day = d[2] at.hour = d[3] at.minute = d[4] at.second = d[5] at.usecond = 0 attr["creation"] = Variant(at) return attr
def start(self, args): if args.has_key("start-offset"): startoff = args["start-offset"].value() else: startoff = 0 if args.has_key("block-aligned"): aligned = True else: aligned = False patterns = VList() for mimetype in filetypes.keys(): if mimetype in args: vsubtypes = args[mimetype].value() for subtype in filetypes[mimetype].keys(): if subtype in vsubtypes: pattern = VMap() descr = filetypes[mimetype][subtype] for p in descr: header = VMap() header["needle"] = Variant(p[0], typeId.String) header["size"] = Variant(len(p[0]), typeId.UInt32) footer = VMap() footer["needle"] = Variant(p[1], typeId.String) footer["size"] = Variant(len(p[1]), typeId.UInt32) pattern["filetype"] = Variant( subtype, typeId.String) pattern["header"] = Variant(header) pattern["footer"] = Variant(footer) pattern["window"] = Variant( int(p[2]), typeId.UInt32) if aligned: pattern["aligned"] = Variant(True, typeId.Bool) else: pattern["aligned"] = Variant( False, typeId.Bool) patterns.append(pattern) margs = VMap() margs["patterns"] = Variant(patterns) margs["file"] = args["file"] margs["start-offset"] = Variant(startoff, typeId.UInt64) proc = self.tm.add("carver", margs, ["console"]) if proc: proc.event.wait()
def _attributes(self): i = 1 attr = VMap() vlist = VList() for f in self.files: node = f.value() vlist.append(Variant(node.absolute())) attr["concatanated files (ordered)"] = Variant(vlist) return attr
def attributes(self, node): attr = VMap() attr.thisown = False file = node.open() parser = guessParser(StringInputStream(file.read())) file.close() if not parser: attr["info"] = Variant("unable to read metadata") return attr try: metadata = extractMetadata(parser) for data in metadata: if not(any(data.values)): continue attr[data.key] = Variant("; ".join([str(val.value) for val in data.values])) except HachoirError, err: attr["info"] = Variant("error while reading metadata")
def attributes(self, node): attr = VMap() try: result = self.nodeAttributes[node.uid()] v = Variant(result) attr["malware"] = v except KeyError: pass return attr
def __attributes(self): attrs = VMap() if self._baseaddr != -1: attrs["Virtual Base address"] = Variant(self._boffset) attrs["Physical Base address"] = Variant( self._aspace.translate(self._boffset)) else: attrs["Virtual Base address (not valid addr)"] = Variant( self._boffset) return attrs
def __attributes(self): attrs = VMap() if self._baseaddr != -1: attrs["Virtual Base address"] = Variant(self._boffset) attrs["Physical Base address"] = Variant( self._ldr_entry.obj_offset) else: attrs["Virtual Base address (not valid addr)"] = Variant( self._boffset) return attrs
def _attributes(self): try: attr = AttributesVMap(ResolveAttributesMap(self, self.AttributesMap)) if self.extraAttr: (name, vmap) = self.extraAttr attr[name] = vmap return attr except : attr = VMap() return attr
def _attributes(self): try: attr = VMap() attr['type'] = Variant(regtype[self.__type]) data = self.decodeData() if data != None: attr['data'] = data except Exception as e: pass return attr
def _setHandles(self): self.handles_map = VMap() hmap = {} for handle in self.eproc.ObjectTable.handles(): object_type = handle.get_object_type() if object_type != None: if object_type in WinProcNode.handleMapper: if object_type not in hmap: hmap[str(object_type)] = VMap() func = getattr(self, WinProcNode.handleMapper[object_type]) func(handle, hmap[str(object_type)]) else: pass #name = str(handle.NameInfo.Name) # if len(name): #if object_type not in self.handles_map: # self.handles_map[object_type] = [] #self.handles_map[object_type].append(name) for key in hmap: self.handles_map[key] = hmap[key]
def _attributes(self): attr = VMap() attr["Last modified"] = self.getTime( self.record.metadata().lastModifiedDateTime()) attr["Last fetched"] = self.getTime( self.record.metadata().lastFetchedDateTime()) attr["Expiration"] = self.getTime( self.record.metadata().expirationDateTime()) return attr
def __split(self, root, chunksize): nodesize = self.origin.size() chunks = nodesize / chunksize vmap = VMap() vmap["complete chunks"] = Variant(chunks) for idx in xrange(0, chunks*chunksize, chunksize): snode = SplitNode(self, root, self.origin, idx, chunksize) lastchunk = nodesize % chunksize if lastchunk != 0: snode = SplitNode(self, root, self.origin, self.origin.size() - lastchunk, lastchunk) vmap["truncated chunk (size)"] = Variant(lastchunk) self.res[str(chunksize) + " bytes split"] = Variant(vmap)