Commit dcc62414073c77b75d05fb804876323afb55f4c0

Authored by Imanol-Mikel Barba Sabariego
1 parent ab37d6aa

Removed dependencies for sleuthkit and pev

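--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@ REQUIRED PACKAGES
 
 * python3
 * python3-dialog
-* sleuthkit
-* pev
+* pytsk3
+* python-pefile
 * ntfs-3g
 * lshw
\ No newline at end of file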
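--- a/modules/mft.py
+++ b/modules/mft.py
@@ -4,6 +4,7 @@ import logger
 import tomb
 from modules.module import Module
 from runcmd import runProcess
+import pytsk3
 
 
 def getInstance():
@@ -17,14 +18,33 @@ class MFTModule(Module):
         self.requiredVars = ["ntfsvol"]
         self.vars = {}
 
+    def dumpMFT(self,ntfsvol,file):
+        img = pytsk3.Img_Info(url=ntfsvol)
+        fs = pytsk3.FS_Info(img)
+        file_entry = fs.open_meta(inode=0)
+        offset = 0
+        size = file_entry.info.meta.size
+        BUFF_SIZE = 1024*1024
+        mft = open(file,'wb')
+
+        while offset < size:
+            available_to_read = min(BUFF_SIZE, size - offset)
+            data = file_entry.read_random(offset, available_to_read)
+            if not data:
+                break
+
+            offset += len(data)
+            mft.write(data)
+
+        mft.close()
+        img.close()
+
+
     def execute(self):
         path = tomb.getPath() + self.name + "/"
         if(not os.path.exists(path)):
             os.mkdir(path)
         logger.msgLog("Extracting MFT from volumes: " + repr(self.vars['ntfsvol'].value), "mft", logger.TYPE_INFO)
         for vol in self.vars['ntfsvol'].value:
-            result,code = runProcess(["icat","/dev/" + vol,"0"])
-            mftbin = open(path + vol + ".bin",'wb')
-            mftbin.write(result)
-            mftbin.close()
+            self.dumpMFT("/dev/" + vol,path + vol + ".bin")
 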
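--- a/winver.py
+++ b/winver.py
@@ -1,6 +1,7 @@
 import os
 from runcmd import runProcess
 import re
+import pefile
 
 _WIN_9x = 0
 _WIN_ME = 1
@@ -22,26 +23,32 @@ _WIN_10 = 10
 
 def getWindowsVersion(path):
     if(os.path.isfile(getWindowsDirectory(path) + "/System32/ntdll.dll")):
-        output,code = runProcess(["pev","-p",getWindowsDirectory(path) + "/System32/ntdll.dll"])
-        version = output.decode("utf-8")
-        if re.match("(3|4)\.",version) != None:
-            return _WIN_NT
-        elif re.match("5\.0",version) != None:
-            return _WIN_2k
-        elif re.match("5\.1", version) != None:
-            return _WIN_XP
-        elif re.match("5\.2", version) != None:
-            return _WIN_2k3
-        elif re.match("6\.0", version) != None:
-            return _WIN_VISTA
-        elif re.match("6\.1", version) != None:
-            return _WIN_7
-        elif re.match("6\.2", version) != None:
-            return _WIN_8
-        elif re.match("6\.3", version) != None:
-            return _WIN_81
-        elif re.match("10\.", version) != None:
-            return _WIN_10
+        version = ""
+        pe = pefile.PE(getWindowsDirectory(path) + "/System32/ntdll.dll")
+        for entry in pe.FileInfo:
+            if hasattr(entry, 'StringTable'):
+                for st in entry.StringTable:
+                    for k, v in st.entries.items():
+                        if k == "ProductVersion":
+                            version = v
+        if re.match("(3|4)\.",version) != None:
+            return _WIN_NT
+        elif re.match("5\.0", version) != None:
+            return _WIN_2k
+        elif re.match("5\.1", version) != None:
+            return _WIN_XP
+        elif re.match("5\.2", version) != None:
+            return _WIN_2k3
+        elif re.match("6\.0", version) != None:
+            return _WIN_VISTA
+        elif re.match("6\.1", version) != None:
+            return _WIN_7
+        elif re.match("6\.2", version) != None:
+            return _WIN_8
+        elif re.match("6\.3", version) != None:
+            return _WIN_81
+        elif re.match("10\.", version) != None:
+            return _WIN_10
     else:
         if(os.path.isfile(getWindowsDirectory(path) + "/CLASSES.DAT")):
             return _WIN_ME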
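Review bot: The new version-resource walk in `getWindowsVersion` has no error path: `pefile.PE()` raises `pefile.PEFormatError` on a damaged, packed or non-PE `ntdll.dll`, and as far as I can tell `pe.FileInfo` only exists when a VS_VERSIONINFO resource was parsed, so a DLL without one raises `AttributeError`; both propagate out of the function. That file comes off the evidence volume and should be treated as untrusted input, so both cases should be caught rather than crash the collector. Depending on the installed pefile release, `FileInfo` also nests its entries one list deeper and `st.entries` keys and values are `bytes` on Python 3; in either case `k == "ProductVersion"` never matches, `version` stays `""`, every `re.match` fails and the `if` branch returns None with no diagnostic. The function continues past the hunk, so I could not see whether anything downstream handles a None result.
```python
        version = ""
        try:
            pe = pefile.PE(getWindowsDirectory(path) + "/System32/ntdll.dll")
        except pefile.PEFormatError:
            # damaged or non-PE ntdll.dll on the evidence volume: leave version empty
            pe = None
        for entry in (getattr(pe, "FileInfo", None) or []):
            # recent pefile releases nest FileInfo one list deeper
            for fileinfo in (entry if isinstance(entry, list) else [entry]):
                for st in getattr(fileinfo, "StringTable", []):
                    for k, v in st.entries.items():
                        if isinstance(k, bytes):
                            k = k.decode("utf-8", "replace")
                        if k == "ProductVersion":
                            version = v.decode("utf-8", "replace") if isinstance(v, bytes) else v
        # … unchanged: version regex chain …
```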