Commit dcc62414073c77b75d05fb804876323afb55f4c0
1 parent
ab37d6aa
Removed dependencies on sleuthkit and pev
Showing
3 changed files
with
53 additions
and
26 deletions
README.md
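--- a/modules/mft.py
+++ b/modules/mft.py
@@ -4,6 +4,7 @@ import logger
 import tomb
 from modules.module import Module
 from runcmd import runProcess
+import pytsk3
 
 
 def getInstance():
@@ -17,14 +18,33 @@ class MFTModule(Module):
         self.requiredVars = ["ntfsvol"]
         self.vars = {}
 
+    def dumpMFT(self,ntfsvol,file):
+        img = pytsk3.Img_Info(url=ntfsvol)
+        fs = pytsk3.FS_Info(img)
+        file_entry = fs.open_meta(inode=0)
+        offset = 0
+        size = file_entry.info.meta.size
+        BUFF_SIZE = 1024*1024
+        mft = open(file,'wb')
+
+        while offset < size:
+            available_to_read = min(BUFF_SIZE, size - offset)
+            data = file_entry.read_random(offset, available_to_read)
+            if not data:
+                break
+
+            offset += len(data)
+            mft.write(data)
+
+        mft.close()
+        img.close()
+
+
     def execute(self):
         path = tomb.getPath() + self.name + "/"
         if(not os.path.exists(path)):
             os.mkdir(path)
         logger.msgLog("Extracting MFT from volumes: " + repr(self.vars['ntfsvol'].value), "mft", logger.TYPE_INFO)
         for vol in self.vars['ntfsvol'].value:
-            result,code = runProcess(["icat","/dev/" + vol,"0"])
-            mftbin = open(path + vol + ".bin",'wb')
-            mftbin.write(result)
-            mftbin.close()
+            self.dumpMFT("/dev/" + vol,path + vol + ".bin")
 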
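Review bot: dumpMFT (new lines 21–40) leaks both the output file and the Img_Info handle when FS_Info, open_meta or read_random raises, because `mft = open(file,'wb')` and `img.close()` are not protected by `with`/`finally`; a device in `ntfsvol` that is not an NTFS volume makes pytsk3 raise before either close runs, and the exception then also aborts the loop in execute for every remaining volume. The `if not data: break` path ends the dump silently, so a truncated $MFT is written to disk with nothing telling the analyst it is incomplete, which matters for an artifact that later parsing relies on; compare `offset` with `size` after the loop and log the shortfall. With the `icat` call gone, `from runcmd import runProcess` on line 6 of this file appears to be unused in this module now. The rewrite below keeps the read loop and adds the guards; the hunk ends on a blank line, so whether execute continues past it is not visible here.
```python
    def dumpMFT(self,ntfsvol,file):
        img = pytsk3.Img_Info(url=ntfsvol)
        try:
            fs = pytsk3.FS_Info(img)
            file_entry = fs.open_meta(inode=0)
            offset = 0
            size = file_entry.info.meta.size
            BUFF_SIZE = 1024*1024
            with open(file,'wb') as mft:
                # … unchanged: bounded read_random loop writing each chunk to mft …
                while offset < size:
                    available_to_read = min(BUFF_SIZE, size - offset)
                    data = file_entry.read_random(offset, available_to_read)
                    if not data:
                        break
                    offset += len(data)
                    mft.write(data)
            if offset < size:
                # short read: the dump is incomplete; use a warning level if logger provides one
                logger.msgLog("MFT dump of " + ntfsvol + " truncated: " + repr(offset) + " of " + repr(size) + " bytes", "mft", logger.TYPE_INFO)
        finally:
            img.close()
```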
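--- a/winver.py
+++ b/winver.py
@@ -1,6 +1,7 @@
 import os
 from runcmd import runProcess
 import re
+import pefile
 
 _WIN_9x = 0
 _WIN_ME = 1
@@ -22,26 +23,32 @@ _WIN_10 = 10
 
 def getWindowsVersion(path):
     if(os.path.isfile(getWindowsDirectory(path) + "/System32/ntdll.dll")):
-        output,code = runProcess(["pev","-p",getWindowsDirectory(path) + "/System32/ntdll.dll"])
-        version = output.decode("utf-8")
-        if re.match("(3|4)\.",version) != None:
-            return _WIN_NT
-        elif re.match("5\.0",version) != None:
-            return _WIN_2k
-        elif re.match("5\.1", version) != None:
-            return _WIN_XP
-        elif re.match("5\.2", version) != None:
-            return _WIN_2k3
-        elif re.match("6\.0", version) != None:
-            return _WIN_VISTA
-        elif re.match("6\.1", version) != None:
-            return _WIN_7
-        elif re.match("6\.2", version) != None:
-            return _WIN_8
-        elif re.match("6\.3", version) != None:
-            return _WIN_81
-        elif re.match("10\.", version) != None:
-            return _WIN_10
+        version = ""
+        pe = pefile.PE(getWindowsDirectory(path) + "/System32/ntdll.dll")
+        for entry in pe.FileInfo:
+            if hasattr(entry, 'StringTable'):
+                for st in entry.StringTable:
+                    for k, v in st.entries.items():
+                        if k == "ProductVersion":
+                            version = v
+        if re.match("(3|4)\.",version) != None:
+            return _WIN_NT
+        elif re.match("5\.0", version) != None:
+            return _WIN_2k
+        elif re.match("5\.1", version) != None:
+            return _WIN_XP
+        elif re.match("5\.2", version) != None:
+            return _WIN_2k3
+        elif re.match("6\.0", version) != None:
+            return _WIN_VISTA
+        elif re.match("6\.1", version) != None:
+            return _WIN_7
+        elif re.match("6\.2", version) != None:
+            return _WIN_8
+        elif re.match("6\.3", version) != None:
+            return _WIN_81
+        elif re.match("10\.", version) != None:
+            return _WIN_10
     else:
         if(os.path.isfile(getWindowsDirectory(path) + "/CLASSES.DAT")):
             return _WIN_ME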
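Review bot: The new `pe = pefile.PE(...)` on line 27 and the `pe.FileInfo` walk under it assume that ntdll.dll on the examined volume is a well-formed PE carrying a version resource; pefile raises `pefile.PEFormatError` on a truncated or non-PE file and only sets `FileInfo` when a version resource exists, so either case now ends getWindowsVersion with an exception where the old pev path degraded to an empty version string. The string-table lookup is also fragile: in current pefile releases under Python 3 the `st.entries` keys and values are bytes, so `k == "ProductVersion"` never matches and the function silently falls through to None, and recent releases nest `FileInfo` as a list of lists, in which case `hasattr(entry, 'StringTable')` is false for every element — accept both spellings and both shapes. The re-added `re.match("(3|4)\.", ...)` chain uses non-raw patterns, which Python 3.12 reports as a SyntaxWarning for the `\.` escape; write them as `r"(3|4)\."` and so on. The rewrite below keeps the version-to-_WIN_* chain unchanged.
```python
def getWindowsVersion(path):
    ntdll = getWindowsDirectory(path) + "/System32/ntdll.dll"
    if(os.path.isfile(ntdll)):
        version = ""
        try:
            pe = pefile.PE(ntdll)
        except pefile.PEFormatError:
            pe = None  # malformed or non-PE ntdll.dll: fall through as unknown version
        # FileInfo is absent without a version resource and is a list of lists in recent pefile
        for group in getattr(pe, 'FileInfo', []):
            for entry in (group if isinstance(group, list) else [group]):
                for st in getattr(entry, 'StringTable', []):
                    for k, v in st.entries.items():
                        if k in ("ProductVersion", b"ProductVersion"):
                            version = v.decode("utf-8", "replace") if isinstance(v, bytes) else v
        # … unchanged: re.match chain mapping version to the _WIN_* constants …
```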