Commit dcc62414073c77b75d05fb804876323afb55f4c0
1 parent
ab37d6aa
Removed dependencies for sleuthkit and pev
Showing
3 changed files
with
53 additions
and
26 deletions
README.md
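--- a/modules/mft.py
+++ b/modules/mft.py
@@ -4,6 +4,7 @@ import logger
 import tomb
 from modules.module import Module
 from runcmd import runProcess
+import pytsk3
 
 
 def getInstance():
@@ -17,14 +18,33 @@ class MFTModule(Module):
         self.requiredVars = ["ntfsvol"]
         self.vars = {}
 
+    def dumpMFT(self,ntfsvol,file):
+        img = pytsk3.Img_Info(url=ntfsvol)
+        fs = pytsk3.FS_Info(img)
+        file_entry = fs.open_meta(inode=0)
+        offset = 0
+        size = file_entry.info.meta.size
+        BUFF_SIZE = 1024*1024
+        mft = open(file,'wb')
+
+        while offset < size:
+            available_to_read = min(BUFF_SIZE, size - offset)
+            data = file_entry.read_random(offset, available_to_read)
+            if not data:
+                break
+
+            offset += len(data)
+            mft.write(data)
+
+        mft.close()
+        img.close()
+
+
     def execute(self):
         path = tomb.getPath() + self.name + "/"
         if(not os.path.exists(path)):
             os.mkdir(path)
         logger.msgLog("Extracting MFT from volumes: " + repr(self.vars['ntfsvol'].value), "mft", logger.TYPE_INFO)
         for vol in self.vars['ntfsvol'].value:
-            result,code = runProcess(["icat","/dev/" + vol,"0"])
-            mftbin = open(path + vol + ".bin",'wb')
-            mftbin.write(result)
-            mftbin.close()
+            self.dumpMFT("/dev/" + vol,path + vol + ".bin")
 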
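Review bot: dumpMFT (new-side lines 21-40) closes the output file and the pytsk3 image only on the happy path, so an IOError raised by Img_Info, FS_Info, open_meta or read_random leaves both handles open, leaves an empty .bin behind because open() runs before the volume has been parsed, and aborts execute's loop for every remaining volume. The `if not data: break` short-read exit is silent, so a truncated $MFT dump is indistinguishable from a complete one in the output directory. I would open the image first, write through a `with` block, log when `offset < size` after the loop, and close the image in `finally`; catching the per-volume error so one unreadable volume does not stop the rest belongs in execute. `runProcess` appears to have lost its only caller in this file with the removed icat line — worth confirming before dropping the import. execute's body may continue past the end of the hunk.
```python
    def dumpMFT(self,ntfsvol,file):
        img = pytsk3.Img_Info(url=ntfsvol)
        try:
            fs = pytsk3.FS_Info(img)
            file_entry = fs.open_meta(inode=0)
            size = file_entry.info.meta.size
            BUFF_SIZE = 1024*1024
            offset = 0
            # open the output only once the volume parsed, so a bad volume leaves no empty .bin
            with open(file,'wb') as mft:
                while offset < size:
                    # … unchanged: read_random / write loop …
            if offset < size:
                logger.msgLog("Short read of $MFT from " + ntfsvol + ": " + str(offset) + " of " + str(size) + " bytes", "mft", logger.TYPE_INFO)
        finally:
            img.close()
```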
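--- a/winver.py
+++ b/winver.py
@@ -1,6 +1,7 @@
 import os
 from runcmd import runProcess
 import re
+import pefile
 
 _WIN_9x = 0
 _WIN_ME = 1
@@ -22,26 +23,32 @@ _WIN_10 = 10
 
 def getWindowsVersion(path):
     if(os.path.isfile(getWindowsDirectory(path) + "/System32/ntdll.dll")):
-        output,code = runProcess(["pev","-p",getWindowsDirectory(path) + "/System32/ntdll.dll"])
-        version = output.decode("utf-8")
-        if re.match("(3|4)\.",version) != None:
-            return _WIN_NT
-        elif re.match("5\.0",version) != None:
-            return _WIN_2k
-        elif re.match("5\.1", version) != None:
-            return _WIN_XP
-        elif re.match("5\.2", version) != None:
-            return _WIN_2k3
-        elif re.match("6\.0", version) != None:
-            return _WIN_VISTA
-        elif re.match("6\.1", version) != None:
-            return _WIN_7
-        elif re.match("6\.2", version) != None:
-            return _WIN_8
-        elif re.match("6\.3", version) != None:
-            return _WIN_81
-        elif re.match("10\.", version) != None:
-            return _WIN_10
+        version = ""
+        pe = pefile.PE(getWindowsDirectory(path) + "/System32/ntdll.dll")
+        for entry in pe.FileInfo:
+            if hasattr(entry, 'StringTable'):
+                for st in entry.StringTable:
+                    for k, v in st.entries.items():
+                        if k == "ProductVersion":
+                            version = v
+        if re.match("(3|4)\.",version) != None:
+            return _WIN_NT
+        elif re.match("5\.0", version) != None:
+            return _WIN_2k
+        elif re.match("5\.1", version) != None:
+            return _WIN_XP
+        elif re.match("5\.2", version) != None:
+            return _WIN_2k3
+        elif re.match("6\.0", version) != None:
+            return _WIN_VISTA
+        elif re.match("6\.1", version) != None:
+            return _WIN_7
+        elif re.match("6\.2", version) != None:
+            return _WIN_8
+        elif re.match("6\.3", version) != None:
+            return _WIN_81
+        elif re.match("10\.", version) != None:
+            return _WIN_10
     else:
         if(os.path.isfile(getWindowsDirectory(path) + "/CLASSES.DAT")):
             return _WIN_ME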
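Review bot: The pefile call on new-side line 27 has no handling for pefile.PEFormatError, so a damaged or non-PE ntdll.dll in the evidence image — expected input for a forensic tool, not an anomaly — now raises where the old pev path fell through to None, and the version lookup on lines 28-33 appears to assume a shape pefile no longer guarantees: I believe `pe.FileInfo` is absent when the DLL carries no version resource, is a list of lists in recent pefile releases (so `hasattr(entry, 'StringTable')` is false and version stays ""), and on Python 3 the StringTable keys and values are bytes, so `k == "ProductVersion"` never matches. The PE object is also never closed. The re.match patterns are non-raw strings containing `\.` (`"5\.0"`), an invalid-escape DeprecationWarning on current Python; prefix them with `r`. getWindowsVersion continues past the end of the hunk.
```python
def getWindowsVersion(path):
    ntdll = getWindowsDirectory(path) + "/System32/ntdll.dll"
    if(os.path.isfile(ntdll)):
        version = ""
        try:
            pe = pefile.PE(ntdll)
        except pefile.PEFormatError:
            return None  # malformed ntdll.dll: version unknown, as the old pev path behaved
        for entry in getattr(pe, 'FileInfo', []):
            # newer pefile wraps each FileInfo block in a list; older releases return the struct
            for info in (entry if isinstance(entry, list) else [entry]):
                if hasattr(info, 'StringTable'):
                    for st in info.StringTable:
                        for k, v in st.entries.items():
                            if k in ("ProductVersion", b"ProductVersion"):
                                version = v.decode("utf-8", "replace") if isinstance(v, bytes) else v
        pe.close()
        # … unchanged: re.match chain (patterns as raw strings) …
```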