Commit dcc62414073c77b75d05fb804876323afb55f4c0
1 parent
ab37d6aa
Removed dependencies for sleuthkit and pev
Showing
3 changed files
with
53 additions
and
26 deletions
README.md
modules/mft.py
| @@ -4,6 +4,7 @@ import logger | @@ -4,6 +4,7 @@ import logger | ||
| 4 | import tomb | 4 | import tomb |
| 5 | from modules.module import Module | 5 | from modules.module import Module |
| 6 | from runcmd import runProcess | 6 | from runcmd import runProcess |
| 7 | +import pytsk3 | ||
| 7 | 8 | ||
| 8 | 9 | ||
| 9 | def getInstance(): | 10 | def getInstance(): |
| @@ -17,14 +18,33 @@ class MFTModule(Module): | @@ -17,14 +18,33 @@ class MFTModule(Module): | ||
| 17 | self.requiredVars = ["ntfsvol"] | 18 | self.requiredVars = ["ntfsvol"] |
| 18 | self.vars = {} | 19 | self.vars = {} |
| 19 | 20 | ||
| 21 | + def dumpMFT(self,ntfsvol,file): | ||
| 22 | + img = pytsk3.Img_Info(url=ntfsvol) | ||
| 23 | + fs = pytsk3.FS_Info(img) | ||
| 24 | + file_entry = fs.open_meta(inode=0) | ||
| 25 | + offset = 0 | ||
| 26 | + size = file_entry.info.meta.size | ||
| 27 | + BUFF_SIZE = 1024*1024 | ||
| 28 | + mft = open(file,'wb') | ||
| 29 | + | ||
| 30 | + while offset < size: | ||
| 31 | + available_to_read = min(BUFF_SIZE, size - offset) | ||
| 32 | + data = file_entry.read_random(offset, available_to_read) | ||
| 33 | + if not data: | ||
| 34 | + break | ||
| 35 | + | ||
| 36 | + offset += len(data) | ||
| 37 | + mft.write(data) | ||
| 38 | + | ||
| 39 | + mft.close() | ||
| 40 | + img.close() | ||
| 41 | + | ||
| 42 | + | ||
| 20 | def execute(self): | 43 | def execute(self): |
| 21 | path = tomb.getPath() + self.name + "/" | 44 | path = tomb.getPath() + self.name + "/" |
| 22 | if(not os.path.exists(path)): | 45 | if(not os.path.exists(path)): |
| 23 | os.mkdir(path) | 46 | os.mkdir(path) |
| 24 | logger.msgLog("Extracting MFT from volumes: " + repr(self.vars['ntfsvol'].value), "mft", logger.TYPE_INFO) | 47 | logger.msgLog("Extracting MFT from volumes: " + repr(self.vars['ntfsvol'].value), "mft", logger.TYPE_INFO) |
| 25 | for vol in self.vars['ntfsvol'].value: | 48 | for vol in self.vars['ntfsvol'].value: |
| 26 | - result,code = runProcess(["icat","/dev/" + vol,"0"]) | ||
| 27 | - mftbin = open(path + vol + ".bin",'wb') | ||
| 28 | - mftbin.write(result) | ||
| 29 | - mftbin.close() | 49 | + self.dumpMFT("/dev/" + vol,path + vol + ".bin") |
| 30 | 50 |
winver.py
| 1 | import os | 1 | import os |
| 2 | from runcmd import runProcess | 2 | from runcmd import runProcess |
| 3 | import re | 3 | import re |
| 4 | +import pefile | ||
| 4 | 5 | ||
| 5 | _WIN_9x = 0 | 6 | _WIN_9x = 0 |
| 6 | _WIN_ME = 1 | 7 | _WIN_ME = 1 |
| @@ -22,26 +23,32 @@ _WIN_10 = 10 | @@ -22,26 +23,32 @@ _WIN_10 = 10 | ||
| 22 | 23 | ||
| 23 | def getWindowsVersion(path): | 24 | def getWindowsVersion(path): |
| 24 | if(os.path.isfile(getWindowsDirectory(path) + "/System32/ntdll.dll")): | 25 | if(os.path.isfile(getWindowsDirectory(path) + "/System32/ntdll.dll")): |
| 25 | - output,code = runProcess(["pev","-p",getWindowsDirectory(path) + "/System32/ntdll.dll"]) | ||
| 26 | - version = output.decode("utf-8") | ||
| 27 | - if re.match("(3|4)\.",version) != None: | ||
| 28 | - return _WIN_NT | ||
| 29 | - elif re.match("5\.0",version) != None: | ||
| 30 | - return _WIN_2k | ||
| 31 | - elif re.match("5\.1", version) != None: | ||
| 32 | - return _WIN_XP | ||
| 33 | - elif re.match("5\.2", version) != None: | ||
| 34 | - return _WIN_2k3 | ||
| 35 | - elif re.match("6\.0", version) != None: | ||
| 36 | - return _WIN_VISTA | ||
| 37 | - elif re.match("6\.1", version) != None: | ||
| 38 | - return _WIN_7 | ||
| 39 | - elif re.match("6\.2", version) != None: | ||
| 40 | - return _WIN_8 | ||
| 41 | - elif re.match("6\.3", version) != None: | ||
| 42 | - return _WIN_81 | ||
| 43 | - elif re.match("10\.", version) != None: | ||
| 44 | - return _WIN_10 | 26 | + version = "" |
| 27 | + pe = pefile.PE(getWindowsDirectory(path) + "/System32/ntdll.dll") | ||
| 28 | + for entry in pe.FileInfo: | ||
| 29 | + if hasattr(entry, 'StringTable'): | ||
| 30 | + for st in entry.StringTable: | ||
| 31 | + for k, v in st.entries.items(): | ||
| 32 | + if k == "ProductVersion": | ||
| 33 | + version = v | ||
| 34 | + if re.match("(3|4)\.",version) != None: | ||
| 35 | + return _WIN_NT | ||
| 36 | + elif re.match("5\.0", version) != None: | ||
| 37 | + return _WIN_2k | ||
| 38 | + elif re.match("5\.1", version) != None: | ||
| 39 | + return _WIN_XP | ||
| 40 | + elif re.match("5\.2", version) != None: | ||
| 41 | + return _WIN_2k3 | ||
| 42 | + elif re.match("6\.0", version) != None: | ||
| 43 | + return _WIN_VISTA | ||
| 44 | + elif re.match("6\.1", version) != None: | ||
| 45 | + return _WIN_7 | ||
| 46 | + elif re.match("6\.2", version) != None: | ||
| 47 | + return _WIN_8 | ||
| 48 | + elif re.match("6\.3", version) != None: | ||
| 49 | + return _WIN_81 | ||
| 50 | + elif re.match("10\.", version) != None: | ||
| 51 | + return _WIN_10 | ||
| 45 | else: | 52 | else: |
| 46 | if(os.path.isfile(getWindowsDirectory(path) + "/CLASSES.DAT")): | 53 | if(os.path.isfile(getWindowsDirectory(path) + "/CLASSES.DAT")): |
| 47 | return _WIN_ME | 54 | return _WIN_ME |