Added reglookup from sentinal chickens into the PF source tree.

darcs-hash:20090111144415-f1522-c1ec549a7d33bc9f0cf7682e02854af294e0c934.gz
anarchivist · Jan 11, 2009 · 3adfdd3 · 3adfdd3
1 parent 7f6e0f5
commit 3adfdd3
Show file tree

Hide file tree

Showing 34 changed files with 6,767 additions and 6,135 deletions.
diff --git a/src/Makefile.am b/src/Makefile.am
@@ -1,4 +1,4 @@
-SUBDIRS = lib mailtools indextools_ng network filesystems include pyflag mmedia distorm
+SUBDIRS = lib mailtools indextools_ng network filesystems include pyflag mmedia distorm regtools
 
 my_javascript		=       $(shell find javascript -not -name .\*)
 nobase_pkgdata_DATA	=	$(my_javascript)

diff --git a/src/lib/talloc.c b/src/lib/talloc.c
@@ -209,6 +209,9 @@ static inline void *__talloc(const void *context, size_t size)
 	tc = (struct talloc_chunk *)malloc(TC_HDR_SIZE+size);
 	if (unlikely(tc == NULL)) return NULL;
 
+	// Ensure memory is properly initialised
+	memset(tc, 0, TC_HDR_SIZE+size);
+
 	tc->size = size;
 	tc->flags = TALLOC_MAGIC;
 	tc->destructor = NULL;

diff --git a/src/plugins/GenericTable.py b/src/plugins/GenericTable.py
@@ -36,9 +36,11 @@ def display(self, query,result):
             i = int(i)
 
             columns = t.columns + t.extras
-            columns_cls, args = columns[i]
+            columns_cls, args = columns[i][:2]
             args = args.copy()
-            elements.append( columns_cls(table=t.name, case=query['case'], **args))
+            args['case'] = query['case']
+            args['table'] = t.name
+            elements.append( columns_cls(**args))
 
         result.table(
             elements = elements,

diff --git a/src/plugins/NetworkForensics/ProtocolHandlers/Google.py b/src/plugins/NetworkForensics/ProtocolHandlers/Google.py
@@ -98,9 +98,13 @@ def process_image_list(self):
                     result = "<table>%s</table>" % result
                     tag.add_child(result)
 
+                page = self.parser.root.innerHTML()
+                page = page.encode("utf8","ignore")
+
                 inode_id = self.ddfs.VFSCreate(self.inode,
                                                "xGimage",
-                                               "Gimage")
+                                               "Gimage",
+                                               size=len(page))
 
                 ## Update the http and http_parameters table to point
                 ## to this new Inode instead:
@@ -113,8 +117,6 @@ def process_image_list(self):
                            where = DB.expand("inode_id=%r",self.inode_id),
                            inode_id = inode_id)
 
-                page = self.parser.root.innerHTML()
-                page = page.encode("utf","ignore")
                 CacheManager.MANAGER.create_cache_from_data(self.case,
                                                             "%s|xGimage" % self.inode,
                                                             page,

diff --git a/src/pyflag/FileSystem.py b/src/pyflag/FileSystem.py
@@ -319,6 +319,10 @@ def VFSCreate(self,root_inode,inode,new_filename,directory=False ,gid=0, uid=0,
 
         inode_properties = dict(status="alloc", mode=40755, links=4, _fast=_fast,
                                 size=0)
+        try:
+            inode_properties['mtime'] = self.mtime
+        except: pass
+
         if inode:
             inode_properties['inode'] = inode
 
@@ -333,6 +337,9 @@ def VFSCreate(self,root_inode,inode,new_filename,directory=False ,gid=0, uid=0,
         for t in ['ctime','atime','mtime']:
             if properties.get("_"+t):
                 inode_properties["_"+t] = "from_unixtime(%r)" % int(properties["_"+t])
+                try:
+                    del inode_properties[t]
+                except KeyError: pass
             elif properties.get(t):
                     inode_properties[t] = properties[t]
 
@@ -430,10 +437,10 @@ def lookup(self, path=None,inode=None, inode_id=None):
 
         elif inode_id:
             dbh.check_index('inode','inode_id')
-            dbh.execute("select inode.inode, concat(path,name) as path from inode left join file on inode.inode_id=file.inode_id where inode.inode_id=%r order by file.status limit 1", inode_id)
+            dbh.execute("select mtime, inode.inode, concat(path,name) as path from inode left join file on inode.inode_id=file.inode_id where inode.inode_id=%r order by file.status limit 1", inode_id)
             res = dbh.fetch()
             if not res: raise IOError("Inode ID %s not found" % inode_id)
-
+            self.mtime = res['mtime']
             return res['path'],res['inode'], inode_id
 
         else:

diff --git a/src/pyflag/FlagHTTPServer.py b/src/pyflag/FlagHTTPServer.py
@@ -480,8 +480,17 @@ def Server(HandlerClass = FlagServerHandler,
     HandlerClass.protocol_version = protocol
     httpd = ServerClass(server_address, HandlerClass)
     #httpd.socket.settimeout(1.0)
-    sa = httpd.socket.getsockname()
-    pyflaglog.log(pyflaglog.INFO, "Serving PyFlag requests on %s", sa)
+    sa = list(httpd.socket.getsockname())
+    pyflaglog.log(pyflaglog.INFO, "Serving PyFlag requests on http://%s:%s" % (sa[0],sa[1]))
+
+    if sa[0]=='0.0.0.0':
+        sa[0]='127.0.0.1'
+
+    try:
+        os.startfile("http://%s:%s/" % (sa[0],sa[1]))
+    except Exception,e:
+        pass
+
     httpd.serve_forever()
 
 config.add_option("HTTPSERVER_BINDIF", default='127.0.0.1',

diff --git a/src/regtools/Makefile.am b/src/regtools/Makefile.am
@@ -1,4 +1,9 @@
-bin_PROGRAMS	= regtool
-regtool_SOURCES = regtool.c registry.c misc.c ntreg.c timeconv.c
+include $(top_srcdir)/config/Makefile.rules
+
+bin_PROGRAMS	= reglookup
+
+reglookup_SOURCES = lru_cache.c range_list.c regfi.c reglookup.c smb_deps.c void_stack.c
+reglookup_LDADD  = ../lib/liboo.la -lm
 
 noinst_HEADERS = $(srcdir)/*.h
+
diff --git a/src/regtools/README b/src/regtools/README
@@ -0,0 +1,4 @@
+This is a fork on reglookup 0.9.0 with heavy code modifications. The latest version can be found here http://projects.sentinelchicken.org/reglookup/.
+
+Original Copyright Tim Morgan.
+Modified to add talloc support: Michael Cohen ([email protected])
diff --git a/src/regtools/byteorder.h b/src/regtools/byteorder.h
@@ -0,0 +1,177 @@
+/* 
+ * Branched from Samba project Subversion repository, version #2:
+ *  http://websvn.samba.org/cgi-bin/viewcvs.cgi/trunk/source/include/byteorder.h
+ *
+ * Unix SMB/CIFS implementation.
+ * SMB Byte handling
+ *
+ * Copyright (C) 2005 Timothy D. Morgan
+ * Copyright (C) 1992-1998 Andrew Tridgell 
+ * 
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 3 of the License.
+ * 
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ * 
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ *
+ * $Id: byteorder.h 111 2008-05-01 04:06:22Z tim $
+ */
+
+#ifndef _BYTEORDER_H
+#define _BYTEORDER_H
+
+/*
+   This file implements macros for machine independent short and 
+   int manipulation
+
+Here is a description of this file that I emailed to the samba list once:
+
+> I am confused about the way that byteorder.h works in Samba. I have
+> looked at it, and I would have thought that you might make a distinction
+> between LE and BE machines, but you only seem to distinguish between 386
+> and all other architectures.
+> 
+> Can you give me a clue?
+
+sure.
+
+The distinction between 386 and other architectures is only there as
+an optimisation. You can take it out completely and it will make no
+difference. The routines (macros) in byteorder.h are totally byteorder
+independent. The 386 optimsation just takes advantage of the fact that
+the x86 processors don't care about alignment, so we don't have to
+align ints on int boundaries etc. If there are other processors out
+there that aren't alignment sensitive then you could also define
+CAREFUL_ALIGNMENT=0 on those processors as well.
+
+Ok, now to the macros themselves. I'll take a simple example, say we
+want to extract a 2 byte integer from a SMB packet and put it into a
+type called uint16 that is in the local machines byte order, and you
+want to do it with only the assumption that uint16 is _at_least_ 16
+bits long (this last condition is very important for architectures
+that don't have any int types that are 2 bytes long)
+
+You do this:
+
+#define CVAL(buf,pos) (((unsigned char *)(buf))[pos])
+#define PVAL(buf,pos) ((unsigned)CVAL(buf,pos))
+#define SVAL(buf,pos) (PVAL(buf,pos)|PVAL(buf,(pos)+1)<<8)
+
+then to extract a uint16 value at offset 25 in a buffer you do this:
+
+char *buffer = foo_bar();
+uint16 xx = SVAL(buffer,25);
+
+We are using the byteoder independence of the ANSI C bitshifts to do
+the work. A good optimising compiler should turn this into efficient
+code, especially if it happens to have the right byteorder :-)
+
+I know these macros can be made a bit tidier by removing some of the
+casts, but you need to look at byteorder.h as a whole to see the
+reasoning behind them. byteorder.h defines the following macros:
+
+SVAL(buf,pos) - extract a 2 byte SMB value
+IVAL(buf,pos) - extract a 4 byte SMB value
+SVALS(buf,pos) signed version of SVAL()
+IVALS(buf,pos) signed version of IVAL()
+
+SSVAL(buf,pos,val) - put a 2 byte SMB value into a buffer
+SIVAL(buf,pos,val) - put a 4 byte SMB value into a buffer
+SSVALS(buf,pos,val) - signed version of SSVAL()
+SIVALS(buf,pos,val) - signed version of SIVAL()
+
+RSVAL(buf,pos) - like SVAL() but for NMB byte ordering
+RSVALS(buf,pos) - like SVALS() but for NMB byte ordering
+RIVAL(buf,pos) - like IVAL() but for NMB byte ordering
+RIVALS(buf,pos) - like IVALS() but for NMB byte ordering
+RSSVAL(buf,pos,val) - like SSVAL() but for NMB ordering
+RSIVAL(buf,pos,val) - like SIVAL() but for NMB ordering
+RSIVALS(buf,pos,val) - like SIVALS() but for NMB ordering
+
+it also defines lots of intermediate macros, just ignore those :-)
+
+*/
+
+#undef CAREFUL_ALIGNMENT
+
+/* we know that the 386 can handle misalignment and has the "right" 
+   byteorder */
+#ifdef __i386__
+#define CAREFUL_ALIGNMENT 0
+#endif
+
+#ifndef CAREFUL_ALIGNMENT
+#define CAREFUL_ALIGNMENT 1
+#endif
+
+#define CVAL(buf,pos) ((unsigned)(((const unsigned char *)(buf))[pos]))
+#define CVAL_NC(buf,pos) (((unsigned char *)(buf))[pos]) /* Non-const version of CVAL */
+#define PVAL(buf,pos) (CVAL(buf,pos))
+#define SCVAL(buf,pos,val) (CVAL_NC(buf,pos) = (val))
+
+
+#if CAREFUL_ALIGNMENT
+
+#define SVAL(buf,pos) (PVAL(buf,pos)|PVAL(buf,(pos)+1)<<8)
+#define IVAL(buf,pos) (SVAL(buf,pos)|SVAL(buf,(pos)+2)<<16)
+#define SSVALX(buf,pos,val) (CVAL_NC(buf,pos)=(unsigned char)((val)&0xFF),CVAL_NC(buf,pos+1)=(unsigned char)((val)>>8))
+#define SIVALX(buf,pos,val) (SSVALX(buf,pos,val&0xFFFF),SSVALX(buf,pos+2,val>>16))
+#define SVALS(buf,pos) ((int16)SVAL(buf,pos))
+#define IVALS(buf,pos) ((int32)IVAL(buf,pos))
+#define SSVAL(buf,pos,val) SSVALX((buf),(pos),((uint16)(val)))
+#define SIVAL(buf,pos,val) SIVALX((buf),(pos),((uint32)(val)))
+#define SSVALS(buf,pos,val) SSVALX((buf),(pos),((int16)(val)))
+#define SIVALS(buf,pos,val) SIVALX((buf),(pos),((int32)(val)))
+
+#else /* CAREFUL_ALIGNMENT */
+
+/* this handles things for architectures like the 386 that can handle
+   alignment errors */
+/*
+   WARNING: This section is dependent on the length of int16 and int32
+   being correct 
+*/
+
+/* get single value from an SMB buffer */
+#define SVAL(buf,pos) (*(const uint16 *)((const char *)(buf) + (pos)))
+#define SVAL_NC(buf,pos) (*(uint16 *)((char *)(buf) + (pos))) /* Non const version of above. */
+#define IVAL(buf,pos) (*(const uint32 *)((const char *)(buf) + (pos)))
+#define IVAL_NC(buf,pos) (*(uint32 *)((char *)(buf) + (pos))) /* Non const version of above. */
+#define SVALS(buf,pos) (*(const int16 *)((const char *)(buf) + (pos)))
+#define SVALS_NC(buf,pos) (*(int16 *)((char *)(buf) + (pos))) /* Non const version of above. */
+#define IVALS(buf,pos) (*(const int32 *)((const char *)(buf) + (pos)))
+#define IVALS_NC(buf,pos) (*(int32 *)((char *)(buf) + (pos))) /* Non const version of above. */
+
+/* store single value in an SMB buffer */
+#define SSVAL(buf,pos,val) SVAL_NC(buf,pos)=((uint16)(val))
+#define SIVAL(buf,pos,val) IVAL_NC(buf,pos)=((uint32)(val))
+#define SSVALS(buf,pos,val) SVALS_NC(buf,pos)=((int16)(val))
+#define SIVALS(buf,pos,val) IVALS_NC(buf,pos)=((int32)(val))
+
+#endif /* CAREFUL_ALIGNMENT */
+
+/* now the reverse routines - these are used in nmb packets (mostly) */
+#define SREV(x) ((((x)&0xFF)<<8) | (((x)>>8)&0xFF))
+#define IREV(x) ((SREV(x)<<16) | (SREV((x)>>16)))
+
+#define RSVAL(buf,pos) SREV(SVAL(buf,pos))
+#define RSVALS(buf,pos) SREV(SVALS(buf,pos))
+#define RIVAL(buf,pos) IREV(IVAL(buf,pos))
+#define RIVALS(buf,pos) IREV(IVALS(buf,pos))
+#define RSSVAL(buf,pos,val) SSVAL(buf,pos,SREV(val))
+#define RSSVALS(buf,pos,val) SSVALS(buf,pos,SREV(val))
+#define RSIVAL(buf,pos,val) SIVAL(buf,pos,IREV(val))
+#define RSIVALS(buf,pos,val) SIVALS(buf,pos,IREV(val))
+
+/* Alignment macros. */
+#define ALIGN4(p,base) ((p) + ((4 - (PTR_DIFF((p), (base)) & 3)) & 3))
+#define ALIGN2(p,base) ((p) + ((2 - (PTR_DIFF((p), (base)) & 1)) & 1))
+
+#endif /* _BYTEORDER_H */