#!/usr/bin/python # This file is part of python-evtx. # # Copyright 2012, 2013 Willi Ballenthin # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # # Version v.0.3.0 from __future__ import absolute_import import struct import datetime from functools import partial class memoize(object): """cache the return value of a method From http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/ This class is meant to be used as a decorator of methods. The return value from a given method invocation will be cached on the instance whose method was invoked. All arguments passed to a method decorated with memoize must be hashable. If a memoized method is invoked directly on its class the result will not be cached. Instead the method will be invoked like a static method: class Obj(object): @memoize def add_to(self, arg): return self + arg Obj.add_to(1) # not enough arguments Obj.add_to(1, 2) # returns 3, result is not cached """ def __init__(self, func): self.func = func def __get__(self, obj, objtype=None): if obj is None: return self.func return partial(self, obj) def __call__(self, *args, **kw): obj = args[0] try: cache = obj.__cache except AttributeError: cache = obj.__cache = {} key = (self.func, args[1:], frozenset(list(kw.items()))) if key not in cache: cache[key] = self.func(*args, **kw) return cache[key] def align(offset, alignment): """ Return the offset aligned to the nearest greater given alignment Arguments: - `offset`: An integer - `alignment`: An integer """ if offset % alignment == 0: return offset return offset + (alignment - (offset % alignment)) def dosdate(dosdate, dostime): """ `dosdate`: 2 bytes, little endian. `dostime`: 2 bytes, little endian. returns: datetime.datetime or datetime.datetime.min on error """ try: t = ord(dosdate[1]) << 8 t |= ord(dosdate[0]) day = t & 0b0000000000011111 month = (t & 0b0000000111100000) >> 5 year = (t & 0b1111111000000000) >> 9 year += 1980 t = ord(dostime[1]) << 8 t |= ord(dostime[0]) sec = t & 0b0000000000011111 sec *= 2 minute = (t & 0b0000011111100000) >> 5 hour = (t & 0b1111100000000000) >> 11 return datetime.datetime(year, month, day, hour, minute, sec) except ValueError: return datetime.datetime.min def parse_filetime(qword): # see http://integriography.wordpress.com/2010/01/16/using-phython-to-parse-and-present-windows-64-bit-timestamps/ if qword == 0: return datetime.datetime.min try: return datetime.datetime.fromtimestamp(float(qword) * 1e-7 - 11644473600, datetime.timezone.utc) except (ValueError, OSError): return datetime.datetime.min class BinaryParserException(Exception): """ Base Exception class for binary parsing. """ def __init__(self, value): """ Constructor. Arguments: - `value`: A string description. """ super(BinaryParserException, self).__init__() self._value = value def __repr__(self): return "BinaryParserException({!r})".format(self._value) def __str__(self): return "Binary Parser Exception: {}".format(self._value) class ParseException(BinaryParserException): """ An exception to be thrown during binary parsing, such as when an invalid header is encountered. """ def __init__(self, value): """ Constructor. Arguments: - `value`: A string description. """ super(ParseException, self).__init__(value) def __repr__(self): return "ParseException({!r})".format(self._value) def __str__(self): return "Parse Exception({})".format(self._value) class OverrunBufferException(ParseException): def __init__(self, readOffs, bufLen): tvalue = "read: {}, buffer length: {}".format(hex(readOffs), hex(bufLen)) super(ParseException, self).__init__(tvalue) def __repr__(self): return "OverrunBufferException({!r})".format(self._value) def __str__(self): return "Tried to parse beyond the end of the file ({})".format(self._value) class Block(object): """ Base class for structure blocks in binary parsing. A block is associated with a offset into a byte-string. """ def __init__(self, buf, offset): """ Constructor. Arguments: - `buf`: Byte string containing stuff to parse. - `offset`: The offset into the buffer at which the block starts. """ self._buf = buf self._offset = offset self._implicit_offset = 0 def __repr__(self): return "Block(buf={!r}, offset={!r})".format(self._buf, self._offset) def __str__(self): return str(self) def declare_field(self, type, name, offset=None, length=None): """ Declaratively add fields to this block. This method will dynamically add corresponding offset and unpacker methods to this block. Arguments: - `type`: A string. Should be one of the unpack_* types. - `name`: A string. - `offset`: A number. - `length`: (Optional) A number. For (w)strings, length in chars. """ if offset is None: offset = self._implicit_offset if length is None: def no_length_handler(): f = getattr(self, "unpack_" + type) return f(offset) setattr(self, name, no_length_handler) else: def explicit_length_handler(): f = getattr(self, "unpack_" + type) return f(offset, length) setattr(self, name, explicit_length_handler) setattr(self, "_off_" + name, offset) if type == "byte": self._implicit_offset = offset + 1 elif type == "int8": self._implicit_offset = offset + 1 elif type == "word": self._implicit_offset = offset + 2 elif type == "word_be": self._implicit_offset = offset + 2 elif type == "int16": self._implicit_offset = offset + 2 elif type == "dword": self._implicit_offset = offset + 4 elif type == "dword_be": self._implicit_offset = offset + 4 elif type == "int32": self._implicit_offset = offset + 4 elif type == "qword": self._implicit_offset = offset + 8 elif type == "int64": self._implicit_offset = offset + 8 elif type == "float": self._implicit_offset = offset + 4 elif type == "double": self._implicit_offset = offset + 8 elif type == "dosdate": self._implicit_offset = offset + 4 elif type == "filetime": self._implicit_offset = offset + 8 elif type == "systemtime": self._implicit_offset = offset + 8 elif type == "guid": self._implicit_offset = offset + 16 elif type == "binary": self._implicit_offset = offset + length elif type == "string" and length is not None: self._implicit_offset = offset + length elif type == "wstring" and length is not None: self._implicit_offset = offset + (2 * length) elif "string" in type and length is None: raise ParseException("Implicit offset not supported " "for dynamic length strings") else: raise ParseException("Implicit offset not supported " "for type: {}".format(type)) def current_field_offset(self): return self._implicit_offset def unpack_byte(self, offset): """ Returns a little-endian unsigned byte from the relative offset. Arguments: - `offset`: The relative offset from the start of the block. Throws: - `OverrunBufferException` """ o = self._offset + offset try: return struct.unpack_from("H", self._buf, o)[0] except struct.error: raise OverrunBufferException(o, len(self._buf)) def unpack_int16(self, offset): """ Returns a little-endian signed WORD (2 bytes) from the relative offset. Arguments: - `offset`: The relative offset from the start of the block. Throws: - `OverrunBufferException` """ o = self._offset + offset try: return struct.unpack_from("I", self._buf, o)[0] except struct.error: raise OverrunBufferException(o, len(self._buf)) def unpack_int32(self, offset): """ Returns a little-endian signed integer (4 bytes) from the relative offset. Arguments: - `offset`: The relative offset from the start of the block. Throws: - `OverrunBufferException` """ o = self._offset + offset try: return struct.unpack_from("