From 7815a66d5b0599f96986e4baedb707897e52511a Mon Sep 17 00:00:00 2001
From: digitalsleuth
Date: Sat, 8 Oct 2022 23:26:18 +0000
Subject: [PATCH 1/6] Update to fix dict detection
---
 BitsParser.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/BitsParser.py b/BitsParser.py
index be70619..3a06dbe 100644
--- a/BitsParser.py
+++ b/BitsParser.py
@@ -1,3 +1,4 @@
+#!/usr/bin/python3
 # Copyright 2021 FireEye, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
@@ -551,7 +552,7 @@ def parse(self):
 self.job_dict[alias] = self.escape(self.job_dict[alias])
 # Update the object hash
- if type(v) is not 'Dict':
+ if not isinstance(v, dict):
 job_hash.update(str(v).encode('utf-8'))
 self.hash = job_hash.hexdigest()
From df42dbc0bcde54791500f5fe0aa4d04676040125 Mon Sep 17 00:00:00 2001
From: Hiroshi Suzuki <20717881+herosi@users.noreply.github.com>
Date: Mon, 22 Apr 2024 10:22:39 +0900
Subject: [PATCH 2/6] Update BitsParser.py to fix a problem if a directory is passed as input If a directory is passed with -i, the -o option will overwrite the output file again and again. Therefore, all results except for the last one will be lost. To avoid it, I changed the mode "w" to "a" when opening the output file given with -o option.
---
 BitsParser.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/BitsParser.py b/BitsParser.py
index 3a06dbe..7a009cf 100644
--- a/BitsParser.py
+++ b/BitsParser.py
@@ -331,7 +331,7 @@ def output_jobs(self, file_path, jobs):
 # If an output file is specified, open it and use it instead of stdout
 if self.out_file:
 orig_stdout = sys.stdout
- sys.stdout = open(self.out_file, "w")
+ sys.stdout = open(self.out_file, "a")
 try:
 for job in jobs:
From 0fb479ea8cfcd0e3ecb58809e06cab4c61d324e7 Mon Sep 17 00:00:00 2001
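Review bot: In the `parse` hunk of BitsParser.py (`@@ -551,7 +552,7 @@`), the corrected check `if not isinstance(v, dict):` now really excludes dict values from `job_hash`, and the only comment, `# Update the object hash`, does not say why. The old comparison against the string `'Dict'` was always true, so every value was hashed through `str(v)`; with this change the digest of any job carrying a dict value differs from what earlier versions produced, and two jobs that differ only inside a dict value hash identically. If the hash is used to de-duplicate parsed or carved jobs (not visible here), that changes which records an analyst ends up seeing. I would state the intent next to the check, e.g. `# Dict values are deliberately left out of the job hash: <reason>`, or hash them deterministically with `json.dumps(v, sort_keys=True)`. The body of `parse` starts and ends outside the hunk.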
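Review bot: In the `output_jobs` hunk (`@@ -331,7 +331,7 @@`), `open(self.out_file, "a")` also appends to whatever an earlier run left in that file, so results from separate runs or separate cases end up mixed in one output with nothing marking the boundary. For a forensic parser it is safer to truncate (or refuse to reuse) an existing output file once at start-up, where `-o` is handled outside this hunk, and keep append mode only for the per-file calls. The call also leaves the text encoding to the platform default; `open(self.out_file, "a", encoding="utf-8")` keeps the output identical across Windows and Linux hosts. `output_jobs` continues past the hunk, so whether the handle is closed and `sys.stdout` restored on the error path cannot be checked from here.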
From: Hiroshi Suzuki <20717881+herosi@users.noreply.github.com>
Date: Tue, 28 May 2024 15:04:54 +0900
Subject: [PATCH 3/6] Fixed a KeyError: 'FatherDataPageNumber' exception Exception occurred processing file qmgr.db: Traceback (most recent call last): File "C:\tools\BitsParser\BitsParser.py", line 369, in process_file jobs = self.load_qmgr10_jobs(file_data) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "C:\tools\BitsParser\BitsParser.py", line 319, in load_qmgr10_jobs jobs = self.load_qmgr10_db(file_data) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "C:\tools\BitsParser\BitsParser.py", line 245, in load_qmgr10_db files_table = ese.openTable("Files") ^^^^^^^^^^^^^^^^^^^^^^ File "C:\tools\BitsParser\ese\ese.py", line 644, in openTable cursor['LongValues'] = self.__getLongValues(cursor['TableData']['LongValues']['FatherDataPageNumber']) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^ KeyError: 'FatherDataPageNumber'
---
 ese/ese.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/ese/ese.py b/ese/ese.py
index a389fdd..978528f 100644
--- a/ese/ese.py
+++ b/ese/ese.py
@@ -641,7 +641,10 @@ def openTable(self, tableName):
 cursor['CurrentTag'] = 0
 # Create a mapping of the long values tree
- cursor['LongValues'] = self.__getLongValues(cursor['TableData']['LongValues']['FatherDataPageNumber'])
+ print(cursor['TableData']['LongValues'].keys())
+ print(dir(cursor['TableData']['LongValues']))
+ if 'FatherDataPageNumber' in cursor['TableData']['LongValues']:
+ cursor['LongValues'] = self.__getLongValues(cursor['TableData']['LongValues']['FatherDataPageNumber'])
 return cursor
From 782fd6310d04cb011b891d9144a60e1abf6ac726 Mon Sep 17 00:00:00 2001
From: Hiroshi Suzuki <20717881+herosi@users.noreply.github.com>
Date: Tue, 28 May 2024 15:06:16 +0900
Subject: [PATCH 4/6] Deleted unnecessary debug prints.
---
 ese/ese.py | 2 --
 1 file changed, 2 deletions(-)
diff --git a/ese/ese.py b/ese/ese.py
index 978528f..7edf35c 100644
--- a/ese/ese.py
+++ b/ese/ese.py
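Review bot: In the `openTable` hunk of ese/ese.py (`@@ -641,7 +641,10 @@`), when `'FatherDataPageNumber'` is missing the new `if` skips the assignment and the cursor is returned with no `'LongValues'` key at all, so any later code that indexes `cursor['LongValues']` would presumably fail with a second KeyError (those readers are outside the hunk, so this is inferred). Give the key an explicit default on that path, e.g. `else: cursor['LongValues'] = {}`, assuming `__getLongValues` returns a mapping. A table opened without its long-value tree can yield records whose long-valued columns are missing or unresolved, so it is worth telling the analyst, for instance with a one-line warning on `sys.stderr` naming `tableName`, rather than skipping silently. The comment `# Create a mapping of the long values tree` should also mention that the tree may be absent. The body of `openTable` starts outside the hunk.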
@@ -641,8 +641,6 @@ def openTable(self, tableName):
 cursor['CurrentTag'] = 0
 # Create a mapping of the long values tree
- print(cursor['TableData']['LongValues'].keys())
- print(dir(cursor['TableData']['LongValues']))
 if 'FatherDataPageNumber' in cursor['TableData']['LongValues']:
 cursor['LongValues'] = self.__getLongValues(cursor['TableData']['LongValues']['FatherDataPageNumber'])
From 338bbc816d9fee90f81c510c21e52740fe607852 Mon Sep 17 00:00:00 2001
From: Hiroshi Suzuki <20717881+herosi@users.noreply.github.com>
Date: Thu, 6 Jun 2024 08:02:13 +0900
Subject: [PATCH 5/6] Delete Apache-1.1-Impacket.txt
---
 Apache-1.1-Impacket.txt | 58 -----------------------------------------
 1 file changed, 58 deletions(-)
 delete mode 100644 Apache-1.1-Impacket.txt
diff --git a/Apache-1.1-Impacket.txt b/Apache-1.1-Impacket.txt
deleted file mode 100644
index ab003ad..0000000
--- a/Apache-1.1-Impacket.txt
+++ /dev/null
@@ -1,58 +0,0 @@
----- Impacket (https://github.com/SecureAuthCorp/impacket) ----
-
-We provide this software under a slightly modified version of the
-Apache Software License. The only changes to the document were the
-replacement of "Apache" with "Impacket" and "Apache Software Foundation"
-with "SecureAuth Corporation". Feel free to compare the resulting
-document to the official Apache license.
-
-The `Apache Software License' is an Open Source Initiative Approved
-License.
-
-
-The Apache Software License, Version 1.1
-Modifications by SecureAuth Corporation (see above)
-
-Copyright (c) 2000 The Apache Software Foundation. All rights
-reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-
-1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
-
-2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in
- the documentation and/or other materials provided with the
- distribution.
-
-3. The end-user documentation included with the redistribution,
- if any, must include the following acknowledgment:
- "This product includes software developed by
- SecureAuth Corporation (https://www.secureauth.com/)."
- Alternately, this acknowledgment may appear in the software itself,
- if and wherever such third-party acknowledgments normally appear.
-
-4. The names "Impacket", "SecureAuth Corporation" must
- not be used to endorse or promote products derived from this
- software without prior written permission. For written
- permission, please contact oss@secureauth.com.
-
-5. Products derived from this software may not be called "Impacket",
- nor may "Impacket" appear in their name, without prior written
- permission of SecureAuth Corporation.
-
-THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
-WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
-ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
-USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
-ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
-OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGE.
From 648610758707fab94978408769042878361dbd84 Mon Sep 17 00:00:00 2001
From: Hiroshi Suzuki <20717881+herosi@users.noreply.github.com>
Date: Thu, 6 Jun 2024 08:04:57 +0900
Subject: [PATCH 6/6] Added Apache-1.1-Impacket.txt again
---
 Apache-1.1-Impacket.txt | 58 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)
 create mode 100644 Apache-1.1-Impacket.txt
diff --git a/Apache-1.1-Impacket.txt b/Apache-1.1-Impacket.txt
new file mode 100644
index 0000000..ab003ad
--- /dev/null
+++ b/Apache-1.1-Impacket.txt
@@ -0,0 +1,58 @@
+---- Impacket (https://github.com/SecureAuthCorp/impacket) ----
+
+We provide this software under a slightly modified version of the
+Apache Software License. The only changes to the document were the
+replacement of "Apache" with "Impacket" and "Apache Software Foundation"
+with "SecureAuth Corporation". Feel free to compare the resulting
+document to the official Apache license.
+
+The `Apache Software License' is an Open Source Initiative Approved
+License.
+
+
+The Apache Software License, Version 1.1
+Modifications by SecureAuth Corporation (see above)
+
+Copyright (c) 2000 The Apache Software Foundation. All rights
+reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in
+ the documentation and/or other materials provided with the
+ distribution.
+
+3. The end-user documentation included with the redistribution,
+ if any, must include the following acknowledgment:
+ "This product includes software developed by
+ SecureAuth Corporation (https://www.secureauth.com/)."
+ Alternately, this acknowledgment may appear in the software itself,
+ if and wherever such third-party acknowledgments normally appear.
+
+4. The names "Impacket", "SecureAuth Corporation" must
+ not be used to endorse or promote products derived from this
+ software without prior written permission. For written
+ permission, please contact oss@secureauth.com.
+
+5. Products derived from this software may not be called "Impacket",
+ nor may "Impacket" appear in their name, without prior written
+ permission of SecureAuth Corporation.
+
+THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
+WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
+ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.