
Added check to validate Windows path separator #265

joachimmetz committed Jun 28, 2018
1 parent 520a314 commit 1af553116130273559153dd8c9a97cccf0984194
Showing with 73 additions and 33 deletions.
  1. +18 −4 artifacts/definitions.py
  2. +17 −10 data/antivirus.yaml
  3. +4 −1 data/cloud_services.yaml
  4. +7 −6 data/java.yaml
  5. +27 −12 tools/validator.py
@@ -39,9 +39,23 @@
'Users': 'Information about users.'
}
SUPPORTED_OS = frozenset(['Darwin', 'Linux', 'Windows'])
SUPPORTED_OS_DARWIN = 'Darwin'
SUPPORTED_OS_LINUX = 'Linux'
SUPPORTED_OS_WINDOWS = 'Windows'
# yapf: disable
SUPPORTED_OS = frozenset([
SUPPORTED_OS_DARWIN,
SUPPORTED_OS_LINUX,
SUPPORTED_OS_WINDOWS])
TOP_LEVEL_KEYS = frozenset([
'conditions', 'doc', 'labels', 'name', 'provides', 'sources',
'supported_os', 'urls'
])
'conditions',
'doc',
'labels',
'name',
'provides',
'sources',
'supported_os',
'urls'])
# yapf: enable
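Review bot: The new SUPPORTED_OS_DARWIN/SUPPORTED_OS_LINUX/SUPPORTED_OS_WINDOWS constants and the rebuilt SUPPORTED_OS set carry no comment saying what they represent; since `supported_os` is one of the TOP_LEVEL_KEYS in the same hunk, a one-line comment above SUPPORTED_OS_DARWIN would help, e.g. `# Identifiers accepted in the supported_os key of an artifact definition.` The removed literal set and the new constant-based set appear to hold the same three values, so this part looks behaviour-preserving.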
@@ -16,32 +16,36 @@ sources:
paths:
- '%%environ_allusersappdata%%\Microsoft\Microsoft Antimalware\Quarantine\**'
- '%%environ_allusersappdata%%\Microsoft\Windows Defender\Quarantine\**'
separator: '\'
supported_os: [Windows]
labels: [Antivirus]
---
name: SophosAVLogs
doc: Sophos Anti-Virus log files.
sources:
- type: FILE
attributes: {paths: ['%%environ_allusersappdata%%\Sophos\Sophos Anti-Virus\Logs\*']}
supported_os: [Windows]
sources:
- type: FILE
attributes: {paths: ['/Library/Logs/Sophos*.log']}
supported_os: [Darwin]
supported_os: [Windows, Darwin]
- type: FILE
attributes:
paths: ['%%environ_allusersappdata%%\Sophos\Sophos Anti-Virus\Logs\*']
separator: '\'
supported_os: [Windows]
supported_os: [Darwin, Windows]
labels: [Antivirus, Logs]
---
name: SophosAVQuarantine
doc: Sophos Anti-Virus Quarantine (Infected) files.
sources:
- type: FILE
attributes: {paths: ['%%environ_allusersappdata%%\Sophos\Sophos Anti-Virus\INFECTED\*']}
supported_os: [Windows]
- type: FILE
attributes: {paths: ['/Users/Shared/Infected/*']}
supported_os: [Darwin]
supported_os: [Windows, Darwin]
- type: FILE
attributes:
paths: ['%%environ_allusersappdata%%\Sophos\Sophos Anti-Virus\INFECTED\*']
separator: '\'
supported_os: [Windows]
supported_os: [Darwin, Windows]
labels: [Antivirus]
---
name: SymantecAVLogs
@@ -52,6 +56,7 @@ sources:
paths:
- '%%environ_allusersappdata%%\Symantec\Symantec Endpoint Protection\*\Data\Logs\*.log'
- '%%users.localappdata%%\Symantec\Symantec Endpoint Protection\Logs\*.log'
separator: '\'
supported_os: [Windows]
supported_os: [Windows]
labels: [Antivirus, Logs]
@@ -60,7 +65,9 @@ name: SymantecAVQuarantine
doc: Symantec Anti-Virus Quarantine (Infected) files.
sources:
- type: FILE
attributes: {paths: ['%%environ_allusersappdata%%\Symantec\Symantec Endpoint Protection\**5.vbn']}
attributes:
paths: ['%%environ_allusersappdata%%\Symantec\Symantec Endpoint Protection\**5.vbn']
separator: '\'
supported_os: [Windows]
supported_os: [Windows]
labels: [Antivirus, Logs]
@@ -20,6 +20,7 @@ sources:
paths:
- '%%users.appdata%%\Dropbox\*.db*'
- '%%users.localappdata%%\Dropbox\*.db*'
separator: '\'
supported_os: [Windows]
- type: FILE
attributes:
@@ -42,6 +43,7 @@ sources:
- '%%users.localappdata%%\Google\Drive\user_default\snapshot.db'
- '%%users.localappdata%%\Google\Drive\user_default\sync_config.db'
- '%%users.localappdata%%\Google\Drive\user_default\sync_config.log*'
separator: '\'
supported_os: [Windows]
- type: FILE
attributes:
@@ -53,7 +55,7 @@ sources:
- '%%users.homedir%%/Library/Application Support/Google/Drive/user_default/sync_config.db'
- '%%users.homedir%%/Library/Application Support/Google/Drive/user_default/sync_config.log*'
supported_os: [Darwin]
supported_os: [Darwin,Windows]
supported_os: [Darwin, Windows]
labels: [Cloud Storage]
urls: ['http://www.forensicswiki.org/wiki/Google_Drive']
---
@@ -71,6 +73,7 @@ sources:
- '%%users.localappdata%%\Microsoft\SkyDrive\settings\ApplicationSettings.xml'
- '%%users.localappdata%%\Microsoft\SkyDrive\settings\*.dat'
- '%%users.localappdata%%\Microsoft\SkyDrive\settings\*.ini'
separator: '\'
supported_os: [Windows]
supported_os: [Windows]
labels: [Cloud Storage]
@@ -3,17 +3,18 @@
name: JavaCacheFiles
doc: Java Plug-in cache.
sources:
- type: FILE
attributes: {paths: ['%%users.homedir%%/.java/deployment/cache/**']}
supported_os: [Linux]
- type: FILE
attributes: {paths: ['%%users.homedir%%/Library/Caches/Java/cache/**']}
supported_os: [Darwin]
- type: FILE
attributes:
paths:
- '%%users.localappdata_low%%\Sun\Java\Deployment\cache\**'
- '%%users.homedir%%\AppData\LocalLow\Sun\Java\Deployment\cache\**'
- '%%users.homedir%%\Application Data\Sun\Java\Deployment\cache\**'
separator: '\'
supported_os: [Windows]
- type: FILE
attributes: {paths: ['%%users.homedir%%/Library/Caches/Java/cache/**']}
supported_os: [Darwin]
- type: FILE
attributes: {paths: ['%%users.homedir%%/.java/deployment/cache/**']}
supported_os: [Linux]
supported_os: [Windows, Linux, Darwin]
@@ -41,13 +41,13 @@ def _CheckRegistryKeyPath(self, filename, artifact_definition, key_path):
result = True
key_path = key_path.upper()
if key_path.startswith(u'%%CURRENT_CONTROL_SET%%'):
if key_path.startswith('%%CURRENT_CONTROL_SET%%'):
result = False
logging.warning((
u'Artifact definition: {0:s} in file: {1:s} contains Windows '
u'Registry key path that starts with '
u'%%CURRENT_CONTROL_SET%%. Replace %%CURRENT_CONTROL_SET%% with '
u'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet').format(
'Artifact definition: {0:s} in file: {1:s} contains Windows '
'Registry key path that starts with '
'%%CURRENT_CONTROL_SET%%. Replace %%CURRENT_CONTROL_SET%% with '
'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet').format(
artifact_definition.name, filename))
return result
@@ -72,10 +72,10 @@ def _HasDuplicateRegistryKeyPaths(
intersection = self._artifact_registry_key_paths.intersection(
set(source.keys))
if intersection:
duplicate_key_paths = u'\n'.join(intersection)
duplicate_key_paths = '\n'.join(intersection)
logging.warning((
u'Artifact definition: {0:s} in file: {1:s} has duplicate '
u'Registry key paths:\n{2:s}').format(
'Artifact definition: {0:s} in file: {1:s} has duplicate '
'Registry key paths:\n{2:s}').format(
artifact_definition.name, filename, duplicate_key_paths))
result = True
@@ -100,12 +100,27 @@ def CheckFile(self, filename):
self._artifact_registry.RegisterDefinition(artifact_definition)
except KeyError:
logging.warning(
u'Duplicate artifact definition: {0:s} in file: {1:s}'.format(
'Duplicate artifact definition: {0:s} in file: {1:s}'.format(
artifact_definition.name, filename))
result = False
for source in artifact_definition.sources:
if source.type_indicator == (
if source.type_indicator in (
definitions.TYPE_INDICATOR_FILE, definitions.TYPE_INDICATOR_PATH):
if definitions.SUPPORTED_OS_WINDOWS in source.supported_os:
for path in source.paths:
number_of_forward_slashes = path.count('/')
number_of_backslashes = path.count('\\')
if (number_of_forward_slashes < number_of_backslashes and
source.separator != '\\'):
logging.warning((
'Incorrect path separator: {0:s} in path: {1:s} defined '
'by artifact definition: {2:s} in file: {3:s}').format(
source.separator, path, artifact_definition.name,
filename))
result = False
elif source.type_indicator == (
definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY):
# Exempt the legacy file from duplicate checking because it has
@@ -125,12 +140,12 @@ def CheckFile(self, filename):
for key_value_pair in source.key_value_pairs:
if not self._CheckRegistryKeyPath(
filename, artifact_definition, key_value_pair[u'key']):
filename, artifact_definition, key_value_pair['key']):
result = False
except errors.FormatError as exception:
logging.warning(
u'Unable to validate file: {0:s} with error: {1!s}'.format(
'Unable to validate file: {0:s} with error: {1!s}'.format(
filename, exception))
result = False
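Review bot: The separator check added in CheckFile only fires when a path has more backslashes than forward slashes and `source.separator` is not `'\\'`, so the inverse mismatch — a source declaring `separator: '\'` whose paths use forward slashes — and paths with equal counts pass silently; at minimum the heuristic should be documented, e.g. `# Heuristic: a path dominated by backslashes is a Windows path and must declare '\\' as its separator; the reverse case is not checked.` The warning formats `source.separator` with `{0:s}`, which under Python 3 raises TypeError if the separator is unset (None) rather than a string; the default is not visible in this hunk, so if None is possible use `{0!s}` for that placeholder. The check also runs only when Windows appears in the source-level supported_os, so a source that relies on an artifact-level supported_os (if the definitions allow that inheritance) would not be examined. CheckFile starts and ends outside the hunk.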
