def unified_output(self, data):
offsettype = "(V)" if not self._config.PHYSICAL_OFFSET else "(P)"
tg = renderers.TreeGrid([("Offset{0}".format(offsettype), Address),
("Name", str), ('Base', Address),
('Size', Hex), ('File', str)],
self.generator(data))
return tg
def unified_output(self, data):
return renderers.TreeGrid([("MFT Offset", Address), ("Attribute", str),
("Record", int), ("Link count", int),
("Type", str), ("Creation", str),
("Modified", str), ("MFT Altered", str),
("Access Date", str), ("Value", str)],
self.generator(data))
def unified_output(self, data):
def generator(data):
for thread in data:
yield (
0,
[
Address(thread.obj_offset),
int(thread.Cid.UniqueProcess),
int(thread.Cid.UniqueThread),
Address(thread.StartAddress),
str(thread.CreateTime or ''),
str(thread.ExitTime or ''),
],
)
return renderers.TreeGrid(
[
(self.offset_column(), Address),
("PID", int),
("TID", int),
("Start Address", Address),
("Create Time", str),
("Exit Time", str),
],
generator(data),
)
def unified_output(self, data):
def generator(data):
for object_type in data:
yield (
0,
[
Address(object_type.obj_offset),
Hex(object_type.TotalNumberOfObjects),
Hex(object_type.TotalNumberOfHandles),
str(object_type.Key),
str(object_type.Name or ''),
str(object_type.TypeInfo.PoolType),
],
)
return renderers.TreeGrid(
[
("Offset", Address),
("nObjects", Hex),
("nHandles", Hex),
("Key", str),
("Name", str),
("PoolType", str),
],
generator(data),
)
def unified_output(self, data):
return renderers.TreeGrid(
[("Process(V)", Address),
("Name", str),
("Module Base", Address),
("Module Name", str),
("Result", str)], self.generator(data))
def unified_output(self, data):
return renderers.TreeGrid(
[
("FileOffset", Address),
("Memory Offset", Address),
("Size", Hex),
],
self.generator(data),
)
def unified_output(self, data):
return renderers.TreeGrid([
("Session", str),
("Type", str),
("Tag", str),
("fnDestroy", Address),
("Flags", str),
], self.generator(data))
def unified_output(self, data):
return renderers.TreeGrid(
[(self.offset_column(), Address),
("AtomOfs(V)", Address),
("Atom", Hex),
("Refs", int),
("Pinned", int),
("Name", str),
], self.generator(data))
def unified_output(self, data):
cols = [("Offset", Address), ("Name", str), ("Pid", int),
("PPid", int), ("Thds", int), ("Hnds", int), ("Time", str)]
if self._config.VERBOSE:
cols += [("Audit", str), ("Cmd", str), ("Path", str)]
tg = renderers.TreeGrid(cols, self.generator(data))
return tg
def unified_output(self, data):
print("unified")
tg = renderers.TreeGrid([
("owner", str),
("bluecoat", str),
("virustotal", str),
("misp", str),
("url/Ip", str),
], self.generator(data))
return tg
def unified_output(self, data):
return renderers.TreeGrid([(self.offset_column(), Address),
('PID', int),
('Port', int),
('Proto', int),
('Protocol', str),
('Address', str),
('Create Time', str)
], self.generator(data))
def unified_output(self, data):
if self._config.DUMP_DIR == None:
debug.error("Please specify a dump directory (--dump-dir)")
if not os.path.isdir(self._config.DUMP_DIR):
debug.error(self._config.DUMP_DIR + " is not a directory")
tg = renderers.TreeGrid([("Module Base", Address),
("Module Name", str), ("Result", str)],
self.generator(data))
return tg
def unified_output(self, data):
"""Renders the tasks to disk images, outputting progress as they go"""
return renderers.TreeGrid(
[
("Process(V)", Address),
("ImageBase", Address),
("Name", str),
("Result", str),
],
self.generator(data),
)
def unified_output(self, data):
offsettype = "(V)" if not self._config.PHYSICAL_OFFSET else "(P)"
tg = renderers.TreeGrid([
("Offset{0}".format(offsettype), Address),
("Pid", int),
("Handle", Hex),
("Access", Hex),
("Type", str),
("Details", str),
], self.generator(data))
return tg
def unified_output(self, data):
def generator(data):
user_sids = self.lookup_user_sids()
for task in data:
token = task.get_token()
if not token:
yield (
0,
[
int(task.UniqueProcessId),
str(task.ImageFileName),
"Token unreadable",
"",
],
)
continue
for sid_string in token.get_sids():
if sid_string in well_known_sids:
sid_name = well_known_sids[sid_string]
elif sid_string in getservicesids.servicesids:
sid_name = getservicesids.servicesids[sid_string]
elif sid_string in user_sids:
sid_name = user_sids[sid_string]
else:
sid_name_re = find_sid_re(
sid_string, well_known_sid_re
)
if sid_name_re:
sid_name = sid_name_re
else:
sid_name = ""
yield (
0,
[
int(task.UniqueProcessId),
str(task.ImageFileName),
str(sid_string),
str(sid_name),
],
)
return renderers.TreeGrid(
[
("PID", int),
("Process", str),
("SID", str),
("Name", str),
],
generator(data),
)
def unified_output(self, data):
return renderers.TreeGrid(
[("Offset(V)", Address),
("Session", int),
("WindowStation", str),
("Atom", Hex),
("RefCount", int),
("HIndex", int),
("Pinned", int),
("Name", str),
], self.generator(data))
def unified_output(self, data):
def generator(data):
for drv in data:
yield (0, [
str(drv.Name),
Address(drv.StartAddress),
Address(drv.EndAddress),
str(drv.CurrentTime)
])
return renderers.TreeGrid([("Name", str), ('StartAddress', Address),
('EndAddress', Address), ('Time', str)],
generator(data))
def unified_output(self, data):
return renderers.TreeGrid(
[
("Pid", int),
("Process", str),
("Value", int),
("Privilege", str),
("Attributes", str),
("Description", str),
],
self.generator(data),
)
def unified_output(self, data):
offsettype = "(V)" if not self._config.PHYSICAL_OFFSET else "(P)"
return renderers.TreeGrid(
[
("Offset{0}".format(offsettype), Address),
("PID", int),
("Port", int),
("Proto", int),
("Protocol", str),
("Address", str),
("Create Time", str),
],
self.generator(data),
)
def unified_output(self, data):
def generator(data):
for ldr_entry in data:
yield (0, [
Address(ldr_entry.obj_offset),
str(ldr_entry.BaseDllName or ''),
Address(ldr_entry.DllBase),
Hex(ldr_entry.SizeOfImage),
str(ldr_entry.FullDllName or '')
])
return renderers.TreeGrid([(self.offset_column(), Address),
('Name', str), ('Base', Address),
('Size', Hex), ('File', str)],
generator(data))
def unified_output(self, data):
return renderers.TreeGrid([("PID", int), ("Process", str),
("Vad Start", Address),
("Vad End", Address), ("Result", str)],
self.generator(data))
