Changeset 1108
- Timestamp:
- 01/11/08 16:55:41 (8 months ago)
honeyclient/trunk/lib/HoneyClient/Agent/Integrity.pm
r1008 r1108 437 437 $changes = { 438 438 #A reference to an anonymous array of process objects 439 processes => [ {439 os_processes => [ { 440 440 'name' => "C:\WINDOWS\system32\Notepad.exe", # The process name as a full path 441 441 'pid' => 1000, # The Windows system process ID … … 450 450 451 451 #OPTIONAL, its existence signifies that we saw this process be created 452 'created _time' => ISO 8601 Timestamp (yyyy-mm-dd hh24:mi:ss.uuuuuu)452 'created' => ISO 8601 Timestamp (yyyy-mm-dd hh24:mi:ss.uuuuuu) 453 453 454 454 #OPTIONAL, its existence signifies that we saw this process be terminated 455 ' terminated_time' => ISO 8601 Timestamp455 'stopped' => ISO 8601 Timestamp 456 456 457 457 #A reference to an anonymous array of registry objects 458 reg istry=> [ {458 regkeys => [ { 459 459 # The registry directory name in regedit 460 460 'key_name' => 'HKEY_LOCAL_MACHINE\Software...', 461 461 462 'time ' => ISO 8601 Timestamp,462 'time_at' => ISO 8601 Timestamp, 463 463 464 464 #The specific registry event type which took place, as given by it's Windows name 465 'event _type' => { CreateKey | OpenKey | CloseKey | Query Key |465 'event' => { CreateKey | OpenKey | CloseKey | Query Key | 466 466 QueryValueKey, EnumerateKey | EnumerateValueKey | 467 467 SetValueKey | DeleteValueKey | DeleteKey }, … … 472 472 #The "type" which shows up in regedit. It is only possible to create the first 473 473 # 6 types by manually using regedit (and REG_NONE is only indirect, for instance 474 # on a DeleteValueKey event _type).474 # on a DeleteValueKey event). 
475 475 'value_type' => { REG_NONE | REG_SZ | REG_BINARY | REG_DWORD | 476 476 REG_EXPAND_SZ | REG_MULTI_SZ | REG_LINK | … … 485 485 486 486 #A reference to an anonymous array of file system objects 487 file_system=> [ {487 process_files => [ { 488 488 #The full path and name of the file which was effected 489 489 'name' => 'C:\WINDOWS\SYSTEM32...', 490 490 491 'event _type' => { Deleted | Read | Write }, #TODO: add created & renamed/moved492 493 'time ' => ISO 8601 Timestamp,491 'event' => { Deleted | Read | Write }, #TODO: add created & renamed/moved 492 493 'time_at' => ISO 8601 Timestamp, 494 494 495 495 #OPTIONAL, this will not exist for deleted files … … 546 546 else{ 547 547 %changes = ( 548 ' processes' => [],548 'os_processes' => [], 549 549 ); 550 550 … … 596 596 my @tmp_toks = split("\",\"",$capdump[0]); 597 597 $tmp_toks[0] =~ s/^"(.*)/$1/; 598 %changes = (' compromise_time' => $tmp_toks[0]);598 %changes = ('time_at' => $tmp_toks[0]); 599 599 my $line_num = 0; 600 600 … … 618 618 #If the object already exists as something which didn't have anything filled in, then fill it in 619 619 if($ret == 1){ 620 $proc_objs[$index]->{"$toks[$P_EVENT_TYPE]_time"} = $toks[$P_TIME]; 620 #$proc_objs[$index]->{"$toks[$P_EVENT_TYPE]_time"} = $toks[$P_TIME]; 621 $proc_objs[$index]->{"stopped"} = $toks[$P_TIME]; 621 622 $proc_push = 0; 622 623 } … … 628 629 'parent_pid' => $toks[$P_PARENT_PID], 629 630 'parent_name' => $toks[$P_PARENT_NAME], 630 "$toks[$P_EVENT_TYPE]_time" => $toks[$P_TIME], 631 'file_system' => [], 632 'registry' => [], 631 #"$toks[$P_EVENT_TYPE]_time" => $toks[$P_TIME], 632 'created' => $toks[$P_TIME], 633 'process_files' => [], 634 'regkeys' => [], 633 635 }; 634 636 } … … 645 647 'pid' => $toks[$R_PROC_PID], 646 648 'name' => $toks[$R_PROC_NAME], 647 'reg istry' => [],648 ' file_system' => [],649 'regkeys' => [], 650 'process_files' => [], 649 651 }; 650 652 $proc_push = 1; … … 665 667 } 666 668 my $reg_obj = { 667 'time ' => $toks[$R_TIME],668 'event 
_type' => $toks[$R_EVENT_TYPE],669 'time_at' => $toks[$R_TIME], 670 'event' => $toks[$R_EVENT_TYPE], 669 671 'key_name' => $sanit_key_name, 670 672 'value_name' => $toks[$R_VALUE_NAME], … … 672 674 'value' => $toks[$R_VALUE], 673 675 }; 674 push @{$proc_obj->{'reg istry'}}, $reg_obj;676 push @{$proc_obj->{'regkeys'}}, $reg_obj; 675 677 } 676 678 elsif($toks[$ENTRY_TYPE] eq "file"){ 677 679 678 680 #Build the filesystem object and put it in to the proc object 679 my $fs_ref = $proc_obj->{' file_system'};681 my $fs_ref = $proc_obj->{'process_files'}; 680 682 if(scalar(@{$fs_ref}) == 0 || $fs_ref->[-1]->{'name'} ne $toks[$F_NAME] || 681 $fs_ref->[-1]->{'event _type'} ne $toks[$F_EVENT_TYPE]){683 $fs_ref->[-1]->{'event'} ne $toks[$F_EVENT_TYPE]){ 682 684 683 685 my $file_obj = { 684 686 'name' => $toks[$F_NAME], 685 'event _type' => $toks[$F_EVENT_TYPE],686 'time ' => $toks[$F_TIME],687 'event' => $toks[$F_EVENT_TYPE], 688 'time_at' => $toks[$F_TIME], 687 689 }; 688 690 if($toks[$F_EVENT_TYPE] ne "Delete"){ … … 741 743 }; 742 744 } 743 push @{$proc_obj->{' file_system'}},$file_obj;745 push @{$proc_obj->{'process_files'}},$file_obj; 744 746 } 745 747 … … 752 754 }#end foreach 753 755 754 $changes{' processes'} = \@proc_objs;756 $changes{'os_processes'} = \@proc_objs; 755 757 # $Data::Dumper::Terse = 1; 756 758 # $Data::Dumper::Indent = 1; … … 762 764 # If any changes were found, write them out to the 763 765 # filesystem. 764 if (scalar($changes{' processes'})){766 if (scalar($changes{'os_processes'})){ 765 767 if (!open(CHANGE_FILE, ">>" . $self->{changes_found_file})) { 766 768 $LOG->error("Unable to write changes to file '" . $self->{changes_found_file} . "'.");
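Review bot: The renamed guard `if (scalar($changes{'os_processes'})){` (new line 766) still tests the array reference itself, which is true whenever the key was assigned, so an empty process list is written to the changes file exactly like a populated one; the check the comment above it describes ("If any changes were found") needs to look inside the reference, `if (@{ $changes{'os_processes'} || [] }) {`. The new lines 620 and 631 leave the old dynamic-key assignments behind as commented-out code next to the fixed `'stopped'` and `'created'` keys; delete them rather than keep them as dead text, and note that the `$ret == 1` branch now records every repeat sighting of a pid as a termination regardless of `$toks[$P_EVENT_TYPE]`, which is presumably intended but is worth a one-line comment such as `# second sighting of a pid is treated as its termination event`. The `'time_at'` key is now used for three different things (the capture's first-line timestamp at line 598, a registry event time, and a file event time), which makes the POD harder to follow; if the top of the `$changes` POD still documents `compromise_time`, it is out of sync with line 598. The enclosing subroutine starts and ends outside these hunks.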
