def get_service_info(regapi):
    """Return {service name: (ServiceDll, ImagePath)} for the current control set.

    ImagePath is read from the service key itself and ServiceDll only from its
    Parameters subkey. Both are classic persistence locations, so the result is
    meant for review: a value is "" when the registry has none. Every stored
    string is passed through utils.remove_unprintable first.

    Args:
        regapi: registry API exposing reg_get_currentcontrolset(),
            reg_get_all_subkeys() and reg_get_value().

    Returns:
        dict mapping the printable service key name to (dll_value, path_value).
    """
    services_key = "{0}\\services".format(regapi.reg_get_currentcontrolset())
    info = {}
    for service in regapi.reg_get_all_subkeys(hive_name="system", key=services_key):
        image_path = regapi.reg_get_value(hive_name="system", key="",
                                          value="ImagePath", given_root=service)
        path_value = utils.remove_unprintable(image_path) if image_path else ""
        dll_value = ""
        # Only the first child named "Parameters" is consulted.
        parameters = next(
            (child for child in regapi.reg_get_all_subkeys(hive_name="system", key="",
                                                           given_root=service)
             if child.Name == "Parameters"),
            None,
        )
        if parameters is not None:
            service_dll = regapi.reg_get_value(hive_name="system", key="",
                                               value="ServiceDll", given_root=parameters)
            # `!= None` is kept on purpose rather than `is not None`: the
            # registry API may hand back a framework sentinel that compares
            # equal to None without being None — confirm before changing.
            if service_dll != None:
                dll_value = utils.remove_unprintable(service_dll)
        info[utils.remove_unprintable(str(service.Name))] = (dll_value, path_value)
    return info
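def USBSTOR(self):
    """Populate self.usb_devices from Enum\\USBSTOR in the current control set.

    One record (an OrderedDict laid out by self.usb_struct) is created per
    serial-number subkey beneath each Disk&Ven_*&Prod_*&Rev_* key. The record
    is keyed by the serial number: the part before '&' when the subkey name
    has exactly two '&'-separated parts, otherwise the full subkey name.
    Every date comes from a registry key last-write time, so it records when
    the key was updated rather than the physical plug-in event itself.
    """
    usbstor = self.regapi.reg_get_currentcontrolset() + "\\Enum\\USBSTOR"
    for subkey in self.regapi.reg_get_all_subkeys(None, key = usbstor):
        part = subkey.Name.split("&")
        if part[0].lower() != "disk":
            continue
        # Vendor/product/revision are shared by every serial under this key.
        base = OrderedDict((name, "") for name in self.usb_struct)
        if len(part) == 4:
            base["Vendor"] = part[1][4:]    # strip the "Ven_" prefix
            base["Product"] = part[2][5:]   # strip the "Prod_" prefix
            base["Version"] = part[3][4:]   # strip the "Rev_" prefix
        for serial in self.regapi.reg_get_all_subkeys(None, key = usbstor + "\\" + subkey.Name):
            # A fresh copy per serial: sharing one dict across all serials
            # under a Ven/Prod/Rev key made every serial alias the same
            # record, so only the last serial's name, prefix and dates survived.
            device = OrderedDict(base)
            device["Ven/Prod/Rev key update"] = serial.LastWriteTime
            serial_part = serial.Name.split('&')
            serial_no = serial_part[0] if len(serial_part) == 2 else serial.Name
            serial_key = usbstor + "\\" + subkey.Name + "\\" + serial.Name
            val = self.regapi.reg_get_value(None, key = serial_key, value = "FriendlyName")
            if val:
                device["Device name"] = utils.remove_unprintable(val)
            val = self.regapi.reg_get_value(None, key = serial_key, value = "ParentIdPrefix")
            if val:
                device["Parent prefix ID"] = utils.remove_unprintable(val)
            # Device property subkeys: the number in each subkey name selects
            # the property (0064-0067 here); the timestamp of interest is the
            # subkey's last-write time.
            properties_key = serial_key + "\\Properties\\{83da6326-97a6-4088-9453-a1923f573b29}"
            for properties in self.regapi.reg_get_all_subkeys(None, key = properties_key):
                name = str(properties.Name)
                if "0064" in name:
                    device["Install date"] = properties.LastWriteTime
                elif "0065" in name:
                    device["First install date"] = properties.LastWriteTime
                elif "0066" in name:
                    device["Last arrival date"] = properties.LastWriteTime
                elif "0067" in name:
                    device["Last removal date"] = properties.LastWriteTime
            self.usb_devices[serial_no] = device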
def get_service_info(regapi):
    """Collect ImagePath, FailureCommand, ServiceDll and last-write time per service.

    ImagePath and FailureCommand (the service-recovery "run a program" action)
    are read from the service key, ServiceDll from its Parameters subkey. All
    three are locations worth reviewing for persistence, which is why they are
    gathered together with the key's last-write time.

    Args:
        regapi: registry API exposing reg_get_currentcontrolset(),
            reg_get_all_subkeys() and reg_get_value().

    Returns:
        dict mapping the printable service name to
        (dll_value, path_value, failure_value, last_write); string entries
        are "" when absent, last_write is int(key.LastWriteTime).
    """
    def read_value(root, value_name):
        # Read one value directly beneath `root` in the system hive.
        return regapi.reg_get_value(hive_name = "system", key = "", value = value_name, given_root = root)

    services_key = "{0}\\services".format(regapi.reg_get_currentcontrolset())
    info = {}
    for service in regapi.reg_get_all_subkeys(hive_name = "system", key = services_key):
        image_path = read_value(service, "ImagePath")
        path_value = utils.remove_unprintable(image_path) if image_path else ""
        failure_path = read_value(service, "FailureCommand")
        failure_value = utils.remove_unprintable(failure_path) if failure_path else ""
        dll_value = ""
        for child in regapi.reg_get_all_subkeys(hive_name = "system", key = "", given_root = service):
            if child.Name == "Parameters":
                service_dll = read_value(child, "ServiceDll")
                # `!= None` is deliberate: the registry API may return a
                # framework sentinel that compares equal to None without
                # being None — confirm before changing to `is not None`.
                if service_dll != None:
                    dll_value = utils.remove_unprintable(service_dll)
                break
        last_write = int(service.LastWriteTime)
        info[utils.remove_unprintable(str(service.Name))] = (dll_value, path_value, failure_value, last_write)
    return info
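def _first_string(value):
    """Collapse a registry value to a single string.

    REG_MULTI_SZ data arrives as a list; only its first element is kept and
    the rest are dropped. Any other type is returned unchanged.
    """
    if isinstance(value, list):
        return value[0] if value else ""
    return value


def get_service_info(regapi):
    """Collect ImagePath, FailureCommand, ServiceDll and last-write time per service.

    ImagePath and FailureCommand (the service-recovery "run a program" action)
    are read from the service key, ServiceDll from its Parameters subkey. All
    three are locations worth reviewing for persistence, which is why they are
    gathered together with the key's last-write time. Each value may be
    REG_SZ or REG_MULTI_SZ; the list guard the original applied to ImagePath
    is applied to all three so a multi-string value cannot abort the scan.

    Args:
        regapi: registry API exposing reg_get_currentcontrolset(),
            reg_get_all_subkeys() and reg_get_value().

    Returns:
        dict mapping the printable service name to
        (dll_value, path_value, failure_value, last_write); string entries
        are "" when absent, last_write is int(subkey.LastWriteTime).
    """
    ccs = regapi.reg_get_currentcontrolset()
    key_name = "{0}\\services".format(ccs)
    info = {}
    for subkey in regapi.reg_get_all_subkeys(hive_name="system", key=key_name):
        path_value = ""
        dll_value = ""
        failure_value = ""
        image_path = regapi.reg_get_value(hive_name="system", key="",
                                          value="ImagePath", given_root=subkey)
        if image_path:
            # this could be REG_SZ or REG_MULTI_SZ
            path_value = utils.remove_unprintable(_first_string(image_path))
        failure_path = regapi.reg_get_value(hive_name="system", key="",
                                            value="FailureCommand", given_root=subkey)
        if failure_path:
            failure_value = utils.remove_unprintable(_first_string(failure_path))
        for rootkey in regapi.reg_get_all_subkeys(hive_name="system", key="",
                                                  given_root=subkey):
            if rootkey.Name == "Parameters":
                service_dll = regapi.reg_get_value(hive_name="system", key="",
                                                   value="ServiceDll", given_root=rootkey)
                # `!= None` is deliberate: the registry API may return a
                # framework sentinel that compares equal to None without
                # being None — confirm before changing to `is not None`.
                if service_dll != None:
                    dll_value = utils.remove_unprintable(_first_string(service_dll))
                break
        last_write = int(subkey.LastWriteTime)
        info[utils.remove_unprintable(str(subkey.Name))] = (dll_value, path_value,
                                                            failure_value, last_write)
    return info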
def get_service_dlls(regapi):
    """Return {service name: ServiceDll} for services whose Parameters subkey defines one.

    Services without a Parameters subkey, or whose Parameters subkey carries no
    ServiceDll value, are not present in the result. Names and paths pass
    through utils.remove_unprintable before being stored.

    Args:
        regapi: registry API exposing reg_get_currentcontrolset(),
            reg_get_all_subkeys() and reg_get_value().
    """
    ccs = regapi.reg_get_currentcontrolset()
    services_key = "{0}\\services".format(ccs)
    dlls = {}
    for service in regapi.reg_get_all_subkeys(hive_name="system", key=services_key):
        children = regapi.reg_get_all_subkeys(hive_name="system", key="", given_root=service)
        for child in children:
            if child.Name == "Parameters":
                service_dll = regapi.reg_get_value(hive_name="system", key="",
                                                   value="ServiceDll", given_root=child)
                # `!= None` is deliberate: the registry API may return a
                # framework sentinel that compares equal to None without
                # being None — confirm before changing to `is not None`.
                if service_dll != None:
                    service_name = utils.remove_unprintable(str(service.Name))
                    dlls[service_name] = "{0}".format(utils.remove_unprintable(service_dll))
    return dlls
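def reg_get_key_path(self, key, max_depth=512):
    '''
    Takes in a key object and traverses back through its family to build the path.

    max_depth caps the number of Parent links followed. Hive structures are
    read out of memory and may be corrupt or deliberately malformed, so a
    Parent chain that loops back on itself must not hang the caller. 512 is
    the documented maximum nesting depth of a Windows registry tree, so the
    default does not truncate any well-formed key path.
    '''
    path = key.Name
    hops = 0
    # A Parent value at or below 0x20 is treated as absent/invalid
    # (presumably a sanity threshold for the pointer; confirm against the
    # hive format before relying on it).
    while key.Parent and key.Parent & 0xffffffff > 0x20 and hops < max_depth:
        key = key.Parent.dereference()
        hops += 1
        # Ancestors whose name is empty once unprintable bytes are removed
        # are skipped rather than producing an empty path component.
        if utils.remove_unprintable(str(key.Name)) != "":
            path = "{0}\\{1}".format(key.Name, path)
    return path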
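def reg_get_key_path(self, key, max_depth=512):
    """
    Takes in a key object and traverses back through its family to build the path.

    max_depth caps the number of Parent links followed. Hive structures are
    read out of memory and may be corrupt or deliberately malformed, so a
    Parent chain that loops back on itself must not hang the caller. 512 is
    the documented maximum nesting depth of a Windows registry tree, so the
    default does not truncate any well-formed key path.
    """
    path = key.Name
    hops = 0
    # A Parent value at or below 0x20 is treated as absent/invalid
    # (presumably a sanity threshold for the pointer; confirm against the
    # hive format before relying on it).
    while key.Parent and key.Parent & 0xFFFFFFFF > 0x20 and hops < max_depth:
        key = key.Parent.dereference()
        hops += 1
        # Ancestors whose name is empty once unprintable bytes are removed
        # are skipped rather than producing an empty path component.
        if utils.remove_unprintable(key.Name.v()) != "":
            path = f"{key.Name}\\{path}"
    return path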
def get_service_dlls(regapi):
    """Map each service name to the ServiceDll found under its Parameters subkey.

    Services without a Parameters subkey, or whose Parameters subkey has no
    ServiceDll value, are left out. Names and paths pass through
    utils.remove_unprintable before being stored.

    Args:
        regapi: registry API exposing reg_get_currentcontrolset(),
            reg_get_all_subkeys() and reg_get_value().
    """
    def parameters_dll(service):
        # Return the ServiceDll value beneath `service`\Parameters, or None.
        found = None
        children = regapi.reg_get_all_subkeys(hive_name = "system", key = "", given_root = service)
        for child in children:
            if child.Name == "Parameters":
                value = regapi.reg_get_value(hive_name = "system", key = "", value = "ServiceDll", given_root = child)
                # `!= None` is deliberate: the registry API may return a
                # framework sentinel that compares equal to None without
                # being None — confirm before changing to `is not None`.
                if value != None:
                    found = value
        return found

    services_key = "{0}\\services".format(regapi.reg_get_currentcontrolset())
    dlls = {}
    for service in regapi.reg_get_all_subkeys(hive_name = "system", key = services_key):
        service_dll = parameters_dll(service)
        if service_dll != None:
            dlls[utils.remove_unprintable(str(service.Name))] = "{0}".format(utils.remove_unprintable(service_dll))
    return dlls
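def WindowsPortableDevices(self):
    """Attach the volume name recorded by Windows Portable Devices to known USB devices.

    Only entries whose name contains USBSTOR#DISK are considered. The serial
    number is parsed out of the entry name and looked up in self.usb_devices,
    so USBSTOR() must have populated that dict first; unknown serials are
    ignored.
    """
    wpd_key = "Microsoft\\Windows Portable Devices\\Devices"
    for subkey in self.regapi.reg_get_all_subkeys(None, key = wpd_key):
        name = str(subkey.Name)
        if 'USBSTOR#DISK' not in name:
            continue
        val = self.regapi.reg_get_value(None, key = wpd_key + "\\" + name, value = "FriendlyName")
        if not val:
            continue
        # The entry name is expected to look like
        # "...USBSTOR#DISK&<ven&prod&rev>#<serial[&n]>#...". Hive data is
        # untrusted, so a truncated or oddly formed name is skipped instead
        # of aborting the whole enumeration with IndexError.
        try:
            part = name.split("USBSTOR#DISK&")[1].split("#")[1]
        except IndexError:
            continue
        serial_part = part.split("&")
        serial_no = serial_part[0] if len(serial_part) == 2 else part
        if serial_no in self.usb_devices:
            self.usb_devices[serial_no]["Volume name"] = utils.remove_unprintable(val)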
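def MountedDevices(self):
    """Fill in the volume GUID and drive letter of each known USB device from MountedDevices.

    Matching uses the device's ParentIdPrefix when USBSTOR() recorded one and
    the serial number otherwise. Later matches overwrite earlier ones until
    both the GUID and the drive letter are known for that device.
    """
    # reg_yield_values appears to yield lazily (its name says so); it is
    # iterated once per device below, so it is materialised first. A one-shot
    # iterator would be exhausted by the first device and every later device
    # would silently end up without a GUID or drive letter.
    mounted = list(self.regapi.reg_yield_values(None, key = "MountedDevices", thetype = "REG_BINARY"))
    for serial in self.usb_devices:
        device = self.usb_devices[serial]
        needle = device["Parent prefix ID"] or serial
        for value, data in mounted:
            data = utils.remove_unprintable(data)
            value = str(value)
            if "Volume" in value and needle in data:
                # presumably "\??\Volume{<GUID>}": drop the 11-char prefix and "}"
                device["GUID"] = value[11:-1]
            if "DosDevices" in value and needle in data:
                # presumably "\DosDevices\X:": drop the 12-char prefix
                device["Drive letter"] = value[12:]
            if device["Drive letter"] and device["GUID"]:
                break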
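def parse_evt_info(self, name, buf, rawtime=False):
    """Yield one output row per event record carved out of buf.

    Records are located by scanning for the "LfLe" signature that follows
    each record's 4-byte Length field, so a record starts 4 bytes before the
    match. buf comes from memory and is treated as untrusted: a signature in
    the first 4 bytes, a SidLength above 68 and a record without a usable
    TimeWritten are all skipped rather than parsed.

    Args:
        name: path of the log file; only its base name is emitted.
        buf: raw log bytes (a str in this code base).
        rawtime: when True, emit the TimeWritten object itself instead of str().

    Yields:
        [time, log file, computer, SID, source, event id, event type, message]
    """
    loc = buf.find("LfLe")
    ## Skip the EVTLogHeader at offset 4. Here you can also parse
    ## and print the header values if you like.
    if loc == 4:
        loc = buf.find("LfLe", loc + 1)
    while loc != -1:
        ## The Length field precedes the signature; a match inside the first
        ## 4 bytes cannot be a complete record, and buf[loc - 4:] would become
        ## a negative index that silently slices the tail of the buffer.
        if loc < 4:
            loc = buf.find("LfLe", loc + 1)
            continue
        ## This record's data (and potentially the data for records
        ## that follow it, so we'll be careful to chop it in the right
        ## places before future uses).
        rec = buf[loc - 4:]
        ## Use a buffer AS to instantiate the object
        bufferas = addrspace.BufferAddressSpace(self._config, data=rec)
        evtlog = obj.Object("EVTRecordStruct", offset=0, vm=bufferas)
        rec_size = bufferas.profile.get_obj_size("EVTRecordStruct")
        ## Calculate the SID string. If the SidLength is zero, the next
        ## field (list of strings) starts at StringOffset. If the SidLength
        ## is non-zero, use the data of length SidLength to determine the
        ## SID string and the next field starts at SidOffset.
        if evtlog.SidLength == 0:
            end = evtlog.StringOffset
            sid_string = "N/A"
        else:
            ## Detect mangled records based on an invalid SID length
            ## (68 bytes is the maximum size of a Windows SID).
            if evtlog.SidLength > 68:
                loc = buf.find("LfLe", loc + 1)
                continue
            ## these should be appropriately sized SIDs
            end = evtlog.SidOffset
            sid_string = self.get_sid_string(rec[end:end + evtlog.SidLength])
        ## Source and computer name sit between the fixed header and `end`,
        ## split on the double NUL that appears to terminate each string.
        computer_name = ""
        items = rec[rec_size:end].split("\x00\x00")
        source = utils.remove_unprintable(items[0])
        if len(items) > 1:
            computer_name = utils.remove_unprintable(items[1])
        strings = rec[evtlog.StringOffset:].split("\x00\x00", evtlog.NumStrings)
        messages = [utils.remove_unprintable(strings[s])
                    for s in range(min(len(strings), evtlog.NumStrings))]
        # We'll just say N/A if there are no messages, otherwise join them
        # together with semi-colons. "|" is escaped, presumably because the
        # text renderer uses it as its column separator.
        if messages:
            msg = ";".join(messages).replace("|", "%7c")
        else:
            msg = "N/A"
        # Records with an invalid timestamp are ignored entirely. `!= None` is
        # kept deliberately: the framework's invalid-member sentinel may compare
        # equal to None without being None — confirm before changing.
        if evtlog.TimeWritten != None:
            fields = [
                str(evtlog.TimeWritten) if not rawtime else evtlog.TimeWritten,
                ntpath.basename(name),
                computer_name,
                sid_string,
                source,
                str(evtlog.EventID),
                str(evtlog.EventType),
                msg,
            ]
            yield fields
        ## Scan to the next record signature
        loc = buf.find("LfLe", loc + 1)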
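def parse_evt_info(self, name, buf, rawtime = False):
    """Yield one output row per event record carved out of buf.

    Records are located by scanning for the "LfLe" signature that follows
    each record's 4-byte Length field, so a record starts 4 bytes before the
    match. buf comes from memory and is treated as untrusted: a signature in
    the first 4 bytes, a SidLength above 68 and a record without a usable
    TimeWritten are all skipped rather than parsed.

    Args:
        name: path of the log file; only its base name is emitted.
        buf: raw log bytes (a str in this code base).
        rawtime: when True, emit the TimeWritten object itself instead of str().

    Yields:
        [time, log file, computer, SID, source, event id, event type, message]
    """
    loc = buf.find("LfLe")
    ## Skip the EVTLogHeader at offset 4. Here you can also parse
    ## and print the header values if you like.
    if loc == 4:
        loc = buf.find("LfLe", loc + 1)
    while loc != -1:
        ## The Length field precedes the signature; a match inside the first
        ## 4 bytes cannot be a complete record, and buf[loc - 4:] would become
        ## a negative index that silently slices the tail of the buffer.
        if loc < 4:
            loc = buf.find("LfLe", loc + 1)
            continue
        ## This record's data (and potentially the data for records
        ## that follow it, so we'll be careful to chop it in the right
        ## places before future uses).
        rec = buf[loc - 4:]
        ## Use a buffer AS to instantiate the object
        bufferas = addrspace.BufferAddressSpace(self._config, data = rec)
        evtlog = obj.Object("EVTRecordStruct", offset = 0, vm = bufferas)
        rec_size = bufferas.profile.get_obj_size("EVTRecordStruct")
        ## Calculate the SID string. If the SidLength is zero, the next
        ## field (list of strings) starts at StringOffset. If the SidLength
        ## is non-zero, use the data of length SidLength to determine the
        ## SID string and the next field starts at SidOffset.
        if evtlog.SidLength == 0:
            end = evtlog.StringOffset
            sid_string = "N/A"
        else:
            ## Detect mangled records based on an invalid SID length
            ## (68 bytes is the maximum size of a Windows SID).
            if evtlog.SidLength > 68:
                loc = buf.find("LfLe", loc + 1)
                continue
            ## these should be appropriately sized SIDs
            end = evtlog.SidOffset
            sid_string = self.get_sid_string(rec[end:end + evtlog.SidLength])
        ## Source and computer name sit between the fixed header and `end`,
        ## split on the double NUL that appears to terminate each string.
        computer_name = ""
        items = rec[rec_size:end].split("\x00\x00")
        source = utils.remove_unprintable(items[0])
        if len(items) > 1:
            computer_name = utils.remove_unprintable(items[1])
        strings = rec[evtlog.StringOffset:].split("\x00\x00", evtlog.NumStrings)
        messages = [utils.remove_unprintable(strings[s])
                    for s in range(min(len(strings), evtlog.NumStrings))]
        # We'll just say N/A if there are no messages, otherwise join them
        # together with semi-colons. "|" is escaped, presumably because the
        # text renderer uses it as its column separator.
        if messages:
            msg = ";".join(messages).replace("|", "%7c")
        else:
            msg = "N/A"
        # Records with an invalid timestamp are ignored entirely. `!= None` is
        # kept deliberately: the framework's invalid-member sentinel may compare
        # equal to None without being None — confirm before changing.
        if evtlog.TimeWritten != None:
            fields = [
                str(evtlog.TimeWritten) if not rawtime else evtlog.TimeWritten,
                ntpath.basename(name),
                computer_name,
                sid_string,
                source,
                str(evtlog.EventID),
                str(evtlog.EventType),
                msg]
            yield fields
        ## Scan to the next record signature
        loc = buf.find("LfLe", loc + 1)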
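# Column order of the per-source flags, matching the sheet header.
_PSXVIEW_SOURCES = ('pslist', 'psscan', 'thrdproc', 'pspcid', 'csrss', 'session', 'deskthrd')

# Image names that are expected to be missing from a given source.
_PSXVIEW_EXPECTED_ABSENT = {
    'csrss': ("system", "smss.exe", "csrss.exe"),
    'session': ("system", "smss.exe"),
    'deskthrd': ("system", "smss.exe"),
}


def _psxview_styles():
    """Build the (header, missing, present) openpyxl cell styles for the sheet."""
    BoldStyle = Style(font=Font(name='Calibri', size=11, bold=True, italic=False, vertAlign=None,
                                underline='none', strike=False, color='FFFFFFFF'),
                      fill=PatternFill(fill_type="solid", start_color='FF000000', end_color='FF000000'))
    RedStyle = Style(font=Font(name='Calibri', size=11, bold=False, italic=False, vertAlign=None,
                               underline='none', strike=False, color='FF000000'),
                     border=Border(left=Side(border_style="thick", color='FF000000'),
                                   right=Side(border_style="thick", color='FF000000'),
                                   top=Side(border_style="thick", color='FF000000'),
                                   bottom=Side(border_style="thick", color='FF000000'),
                                   diagonal=Side(border_style="thick", color='FF000000'),
                                   diagonal_direction=0,
                                   outline=Side(border_style="thick", color='FF000000'),
                                   vertical=Side(border_style="thick", color='FF000000'),
                                   horizontal=Side(border_style="thick", color='FF000000')),
                     fill=PatternFill(start_color='FFFF0000', end_color='FFFF0000', fill_type='solid'))
    GreenStyle = Style(font=Font(name='Calibri', size=11, bold=False, italic=False, vertAlign=None,
                                 underline='none', strike=False, color='FF000000'),
                       fill=PatternFill(start_color="FF00FF00", end_color="FF00FF00", fill_type="solid"))
    return BoldStyle, RedStyle, GreenStyle


def _psxview_rule(process, source, found):
    """Return "Okay" when `process` is legitimately absent from `source`, else `found`.

    A process can be missing from a source for benign reasons: a few early
    system processes never show up in some views, and a process that has
    already exited drops out of most of them. Anything else stays False, which
    is what an analyst inspects for processes hidden from one enumeration.
    """
    if found:
        return found
    if str(process.ImageFileName).lower() in _PSXVIEW_EXPECTED_ABSENT.get(source, ()):
        return "Okay"
    if process.ExitTime > 0:
        return "Okay"
    return found


def render_xlsx(self, outfd, data):
    """Write the psxview cross-view table to self._config.OUTPUT_FILE as XLSX.

    One row per process: offset, image name, PID, one flag per enumeration
    source (pslist, psscan, thrdproc, pspcid, csrss, session, deskthrd) and
    the exit time. With APPLY_RULES set, absences that are normal for early
    system processes or for exited processes read "Okay" instead of False;
    psscan is never rewritten. The workbook is written with the optimized
    writer, then reloaded (presumably because that writer cannot style cells)
    to make the header bold, "False" cells red and all other flag cells green.

    Args:
        outfd: unused; output goes to self._config.OUTPUT_FILE.
        data: iterable of (offset, process, ps_sources) triples where
            ps_sources maps a source name to a dict keyed by process offset.
    """
    BoldStyle, RedStyle, GreenStyle = _psxview_styles()
    wb = Workbook(optimized_write = True)
    ws = wb.create_sheet()
    ws.title = "Psxview Output"
    ws.append(["Offset (P)", "Name", "PID", "pslist", "psscan", "thrdproc", "pspcid",
               "csrss", "session", "deskthrd", "Exit Time"])
    total = 1  # number of rows written so far, header included
    for offset, process, ps_sources in data:
        seen = dict((src, offset in ps_sources[src]) for src in _PSXVIEW_SOURCES)
        if self._config.APPLY_RULES:
            for src in _PSXVIEW_SOURCES:
                if src != 'psscan':
                    seen[src] = _psxview_rule(process, src, seen[src])
        ws.append([hex(offset),
                   str(utils.remove_unprintable(str(process.ImageFileName)) or ""),
                   str(process.UniqueProcessId)]
                  + [str(seen[src]) for src in _PSXVIEW_SOURCES]
                  + [str(process.ExitTime or '')])
        total += 1
    wb.save(filename = self._config.OUTPUT_FILE)
    wb = load_workbook(filename = self._config.OUTPUT_FILE)
    ws = wb.get_sheet_by_name(name = "Psxview Output")
    for col in xrange(1, 12):
        ws.cell("{0}{1}".format(get_column_letter(col), 1)).style = BoldStyle
    # Columns 4-10 hold the per-source flags; colour them by value.
    for row in xrange(2, total + 1):
        for col in xrange(4, 11):
            cell = ws.cell("{0}{1}".format(get_column_letter(col), row))
            cell.style = RedStyle if cell.value == "False" else GreenStyle
    wb.save(filename = self._config.OUTPUT_FILE)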