Changeset 521

Timestamp:

06/17/07 17:21:39 (1 year ago)

Author:

kindlund

Message:

Merged DB branch into trunk.

Files:

• honeyclient/trunk/bin/StartManager.pl (modified) (1 diff)
• honeyclient/trunk/bin/TestRegistry.pl (modified) (2 diffs)
• honeyclient/trunk/bin/install_honeyclient_db.pl (copied) (copied from honeyclient/branches/exp/mbriggs-db/bin/install_honeyclient_db.pl)
• honeyclient/trunk/bin/run.sh (modified) (1 diff)
• honeyclient/trunk/etc/honeyclient.xml (modified) (8 diffs)
• honeyclient/trunk/lib/HoneyClient/Agent.pm (modified) (5 diffs)
• honeyclient/trunk/lib/HoneyClient/Agent/Driver.pm (modified) (2 diffs)
• honeyclient/trunk/lib/HoneyClient/Agent/Integrity/Filesystem.pm (modified) (39 diffs)
• honeyclient/trunk/lib/HoneyClient/Agent/Integrity/Registry.pm (modified) (22 diffs)
• honeyclient/trunk/lib/HoneyClient/DB (copied) (copied from honeyclient/branches/exp/mbriggs-db/lib/HoneyClient/DB)
• honeyclient/trunk/lib/HoneyClient/DB.pm (copied) (copied from honeyclient/branches/exp/mbriggs-db/lib/HoneyClient/DB.pm)
• honeyclient/trunk/lib/HoneyClient/Manager.pm (modified) (15 diffs)
• honeyclient/trunk/lib/HoneyClient/Manager/DB.pm (copied) (copied from honeyclient/branches/exp/mbriggs-db/lib/HoneyClient/Manager/DB.pm)
• honeyclient/trunk/lib/HoneyClient/Manager/VM (copied) (copied from honeyclient/branches/exp/mbriggs-db/lib/HoneyClient/Manager/VM)
• honeyclient/trunk/lib/bin (copied) (copied from honeyclient/branches/exp/mbriggs-db/lib/bin)
• honeyclient/trunk/lib/etc (copied) (copied from honeyclient/branches/exp/mbriggs-db/lib/etc)
• honeyclient/trunk/t/db_test.pl (copied) (copied from honeyclient/branches/exp/mbriggs-db/t/db_test.pl)
• honeyclient/trunk/t/honeyclient_agent.t (modified) (1 diff)
• honeyclient/trunk/t/honeyclient_agent_driver.t (modified) (1 diff)
• honeyclient/trunk/t/honeyclient_agent_integrity_filesystem.t (modified) (8 diffs)
• honeyclient/trunk/t/honeyclient_agent_integrity_registry.t (modified) (8 diffs)
• honeyclient/trunk/t/honeyclient_manager_db.t (copied) (copied from honeyclient/branches/exp/mbriggs-db/t/honeyclient_manager_db.t)
• honeyclient/trunk/t/honeyclient_manager_vm_clone.t (added)
• honeyclient/trunk/t/honeyclient_util_config.t (modified) (1 diff)

honeyclient/trunk/bin/StartManager.pl

@@ -25 +25 @@
-
-my $driver = "IE";
-19
-5
+20
+10
-my $nexturl = "";
-my $urllist= "";

honeyclient/trunk/bin/TestRegistry.pl

@@ -51 +51 @@
-    } else {
-        foreach my $change (@{$changes}) {
-
+_name
-        }
-    }
@@ -62 +62 @@
-    print "Detailed registry changes were written to: " . $file . "\n";
-}
-

honeyclient/trunk/bin/run.sh

@@ -2 +2 @@
-
-echo "Starting up Agent - (Hit CTRL-C multiple times to exit.)"
+
+# Remove all old /tmp/* entries.
+rm /tmp/*
-
-IP=$(/cygdrive/c/Program\ Files/VMware/VMware\ Tools/VMip.exe -get)

honeyclient/trunk/etc/honeyclient.xml

@@ -72 +72 @@
-            <!-- TODO: Update this. -->
-            <timeout description="How long the Driver waits during a drive operation, before timing out (in seconds)." default="60">
-3
+2
-            </timeout>
-            <Browser>
@@ -124 +124 @@
-        </Driver>
-        <perform_integrity_checks description="An integer, representing whether the Agent should perform any integrity checks. 1 enables, 0 disables." default="1">
- 
+
-        </perform_integrity_checks>
-        <!-- HoneyClient::Agent::Integrity Options -->
@@ -205 +205 @@
-                    <regex>^HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Security\\AntiPhishing.*$</regex>
-                    <regex>^HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\TypedURLs$</regex>
+                    <regex>^HKEY_CURRENT_USER\\Software\\Microsoft\\MediaPlayer.*$</regex>
+                    <regex>^HKEY_CURRENT_USER\\Software\\Microsoft\\Multimedia.*$</regex>
-                    <regex>^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MenuOrder\\Favorites\\Links.*$</regex>
-                    <regex>^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MenuOrder\\Start Menu2\\Programs.*$</regex>
@@ -244 +246 @@
-                    <regex>^HKEY_USERS\\.+\\UNICODE Program Groups.*$</regex>
-                    <regex>^HKEY_USERS\\S.+\\SessionInformation$</regex>
+                    <regex>^HKEY_USERS\\S.+\\Software\\Microsoft\\ActiveMovie\\devenum.*$</regex>
-                    <regex>^HKEY_USERS\\S.+\\Software\\Microsoft\\Internet Explorer\\IntelliForms$</regex>
-                    <regex>^HKEY_USERS\\S.+\\Software\\Microsoft\\Internet Explorer\\International$</regex>
@@ -250 +253 @@
-                    <regex>^HKEY_USERS\\S.+\\Software\\Microsoft\\Internet Explorer\\Security\\AntiPhishing.*$</regex>
-                    <regex>^HKEY_USERS\\S.+\\Software\\Microsoft\\Internet Explorer\\TypedURLs$</regex>
-
+
+
-                    <regex>^HKEY_USERS\\S.+\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MenuOrder\\Favorites\\Links.*$</regex>
-                    <regex>^HKEY_USERS\\S.+\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MenuOrder\\Start Menu2\\Programs.*$</regex>
@@ -291 +295 @@
-        </Integrity>
-    </Agent>
+    <!-- HoneyClient::DB Options -->
+    <DB>
+        <enable description="Enables database operations. 1 enables, 0 disables." default="0">
+            1
+        </enable>
+        <host description="The system providing the HoneyClient database.  If the database is installed on the same host system as the Manager, then localhost should be used." default="127.0.0.1">
+            172.16.164.1
+        </host>
+        <dbname description="The name of the HoneyClient database." default="HoneyClient">
+            HoneyClient
+        </dbname>
+        <user description="The username to use, when connecting to the HoneyClient database.">
+            honeyclient_user
+        </user>
+        <pass description="The password to use, when connecting to the HoneyClient database.">
+            honeyclient_password 
+        </pass>
+        <port description="The default TCP port number used to communicate with the database." default="3306">
+            3306
+        </port>
+    </DB>
-    <Manager>
-        <!-- TODO: Update this. -->
@@ -396 +421 @@
-            <!-- TODO: Update this. -->
-            <fwprocess description="Name of external SOAP listener.">
- 
+
-            </fwprocess>
-            <!-- TODO: Update this. -->
@@ -403 +428 @@
-            </config_file>
-        </FW>
-        <!-- HoneyClient::Manager::DB Options -->
-        <DB>
-            <!-- TODO: Update this. -->
-            <address description="eth0 interface static IP">
-                192.168.0.128
-            </address>
-            <!-- TODO: Update this. -->
-            <port description="Default FW port number" default="8083">
-                8089
-            </port>
-        </DB>
-        <!-- HoneyClient::Manager::VM Options -->
-        <VM>

honeyclient/trunk/lib/HoneyClient/Agent.pm

@@ -792 +792 @@
-        # Initially set all driver objects to undef. 
-        my $driver = undef;
+
+        # Last resource used by driver.
+        my $lastResource = undef;
-    
-        # Acquire lock on stored driver state.
@@ -846 +849 @@
-            foreach my $resource (keys %{$driver->next()->{resources}}) {
-                $LOG->info("Driving To Resource: " . $resource);
+                $lastResource = $resource;
-            }
-
@@ -882 +886 @@
-        # TODO: Perform Integrity Check
-        my $isCompromised = 0;
+        my $changes = undef;
-        if (defined($integrity)) {
-            # For now, we update a scalar called 'is_compromised' within
-            # the $data->{$driverName}->{'status'} sub-hashtable.
-            $LOG->info("Performing Integrity Checks.");
-my 
+
-            if (scalar(@{$changes->{registry}}) || 
-                scalar(@{$changes->{filesystem}})) {
-                $LOG->warn("Integrity Check: FAILED");
-                $isCompromised = 1;
+                $changes->{'last_resource'} = $lastResource;
-            } else {
-                $LOG->info("Integrity Check: PASSED");
@@ -900 +906 @@
-
-        # Update driver state one last time, before exiting.
-                
-        # Acquire lock on stored driver state.
-        $data = _lock();
@@ -911 +916 @@
-        $data->{$driverName}->{'status'} = $driver->status();
-        $data->{$driverName}->{'status'}->{'is_compromised'} = $isCompromised;
+        $data->{$driverName}->{'status'}->{'fingerprint'} = $changes;
-        $data->{$driverName}->{'status'}->{'is_running'} = 0;
-        $data->{$driverName}->{'state'} = $driver;

honeyclient/trunk/lib/HoneyClient/Agent/Driver.pm

@@ -288 +288 @@
-#
-# use HoneyClient::Agent::Driver;
-
+HoneyClient::Agent::
-#
-# What this function allows us to do, is programmatically, get or set
@@ -375 +375 @@
-my $driver = HoneyClient::Agent::Driver->new(test => 1);
-is($driver->{test}, 1, "new(test => 1)") or diag("The new() call failed.");
+isa_ok($driver, 'HoneyClient::Agent::Driver', "new(test => 1)") or diag("The new() call failed.");
-
-=end testing

honeyclient/trunk/lib/HoneyClient/Agent/Integrity/Filesystem.pm

@@ -66 +66 @@
-  #     # Indicates if the filesystem entry was deleted,
-  #     # added, or changed.
-
+
+
+
+
-  #
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
-  #     },
-  # }, ]
@@ -124 +119 @@
-# Include Logging Library
-use Log::Log4perl qw(:easy);
+
+# Use DateTime Library
+use DateTime;
+
+# Use MD5 Library
+use Digest::MD5;
+
+# Use SHA Library
+use Digest::SHA;
+
+# Use File::Type Library
+use File::Type;
+
+# Use IO::File Library
+use IO::File;
-
-#######################################################################
@@ -242 +252 @@
-use HoneyClient::Agent::Integrity::Filesystem;
-
+# Make sure DateTime loads.
+BEGIN { use_ok('DateTime') or diag("Can't load DateTime package.  Check to make sure the package library is correctly listed within the path."); }
+require_ok('DateTime');
+use DateTime;
+
+# Make sure Digest::MD5 loads.
+BEGIN { use_ok('Digest::MD5') or diag("Can't load Digest::MD5 package.  Check to make sure the package library is correctly listed within the path."); }
+require_ok('Digest::MD5');
+use Digest::MD5;
+
+# Make sure Digest::SHA loads.
+BEGIN { use_ok('Digest::SHA') or diag("Can't load Digest::SHA package.  Check to make sure the package library is correctly listed within the path."); }
+require_ok('Digest::SHA');
+use Digest::SHA;
+
+# Make sure File::Type loads.
+BEGIN { use_ok('File::Type') or diag("Can't load File::Type package.  Check to make sure the package library is correctly listed within the path."); }
+require_ok('File::Type');
+use File::Type;
+
+# Make sure IO::File loads.
+BEGIN { use_ok('IO::File') or diag("Can't load IO::File package.  Check to make sure the package library is correctly listed within the path."); }
+require_ok('IO::File');
+use IO::File;
+
-=end testing
-
@@ -249 +284 @@
-# Global Configuration Variables                                      #
-#######################################################################
+
+# TODO: Need to link these constants with DB code.
+# Filesystem Status Identifiers
+our $STATUS_DELETED  = 0;
+our $STATUS_ADDED    = 1;
+our $STATUS_MODIFIED = 2;
+
+# TODO: Need to link these constants with DB code.
+# Set hash value to this constant, if unable to compute. 
+our $HASH_UNKNOWN    = 'UNKNOWN';
+# Set type value to this constant, if unable to compute. 
+our $TYPE_UNKNOWN    = 'UNKNOWN';
-
-# The global logging object.
@@ -432 +479 @@
-# Input: Algorithm::Diff object
-# Output: Array reference of hashtables
+# Notes: This function returns hashtables in the following
+# format:
+#
+#  $changes = [ {
+#      # Indicates if the filesystem entry was deleted,
+#      # added, or changed.
+#      'status' => $STATUS_DELETED | $STATUS_ADDED | $STATUS_MODIFIED,
+#
+#      # If the entry has been added/changed, then this 
+#      # hashtable contains the file/directory's new information.
+#      'new' => {
+#          'name'  => 'C:\WINDOWS\SYSTEM32...',
+#          'size'  => 1263, # in bytes
+#          'mtime' => 1178135092, # modification time, seconds since epoch
+#      },
+#
+#      # If the entry has been deleted/changed, then this
+#      # hashtable contains the file/directory's old information.
+#      'old' => {
+#          'name'  => 'C:\WINDOWS\SYSTEM32...',
+#          'size'  => 802, # in bytes
+#          'mtime' => 1178135028, # modification time, seconds since epoch
+#      },
+#  }, ]
-sub _diff {
-
@@ -458 +529 @@
-
-                push (@{$ret}, {
-'deleted'
+$STATUS_DELETED
-                    'old' => $_,
-                });
@@ -471 +542 @@
-
-                push (@{$ret}, {
-'added'
+$STATUS_ADDED
-                    'new' => $_,
-                });
@@ -501 +572 @@
-
-                        push (@{$ret}, {
-'changed'
+$STATUS_MODIFIED
-                            'old' => $old_entry,
-                            'new' => $new_entry,
@@ -515 +586 @@
-
-                        push (@{$ret}, {
-'deleted'
+$STATUS_DELETED
-                            'old' => $old_entry,
-                        });
-                        push (@{$ret}, {
-'added'
+$STATUS_ADDED
-                            'new' => $new_entry,
-                        });
@@ -543 +614 @@
-
-                        push (@{$ret}, {
-'changed'
+$STATUS_MODIFIED
-                            'old' => $old_entry,
-                            'new' => $new_entry,
@@ -557 +628 @@
-
-                        push (@{$ret}, {
-'deleted'
+$STATUS_DELETED
-                            'old' => $old_entry,
-                        });
@@ -568 +639 @@
-                            $LOG->debug("File Added - "   . Dumper($new_entry));
-                            push (@{$ret}, {
-'added'
+$STATUS_ADDED
-                                'new' => $new_entry,
-                            });
@@ -584 +655 @@
-                    $LOG->debug("File Added - "   . Dumper($new_entry));
-                    push (@{$ret}, {
-'added'
+$STATUS_ADDED
-                        'new' => $new_entry,
-                    });
@@ -604 +675 @@
-                                                " - New - " . Dumper($new_entry));
-                        push (@{$ret}, {
-'changed'
+$STATUS_MODIFIED
-                            'old' => $old_entry,
-                            'new' => $new_entry,
@@ -617 +688 @@
-                        $LOG->debug("File Added - "   . Dumper($new_entry));
-                        push (@{$ret}, {
-'added'
+$STATUS_ADDED
-                            'new' => $new_entry,
-                        });
@@ -628 +699 @@
-                            $LOG->debug("File Deleted - "   . Dumper($old_entry));
-                            push (@{$ret}, {
-'deleted'
+$STATUS_DELETED
-                                'old' => $old_entry,
-                            });
@@ -644 +715 @@
-                    $LOG->debug("File Deleted - "   . Dumper($old_entry));
-                    push (@{$ret}, {
-'deleted'
+$STATUS_DELETED
-                        'old' => $old_entry,
-                    });
@@ -659 +730 @@
-#
-# Input: Array reference of hashtables 
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-sub _filter {
-    my ($self, $changes) = @_;
@@ -668 +763 @@
-        # Extract the file name from each entry.
-        my $name = undef;
-eq 'added') or ($_->{status} eq 'changed'
+== $STATUS_ADDED) or ($_->{status} == $STATUS_MODIFIED
-            $name = $_->{'new'}->{name};
-        } else {
@@ -705 +800 @@
-
-            # Sanity check.
-eq 'changed'
-eq 'changed'
-eq 'added'
-eq 'added'
-eq 'deleted'
-eq 'deleted'
+== $STATUS_MODIFIED
+== $STATUS_MODIFIED
+== $STATUS_ADDED
+== $STATUS_ADDED
+== $STATUS_DELETED
+== $STATUS_DELETED
-                $LOG->error("Duplicate filesystem change entries were found. " .
-                            "Previous Entry - " . Dumper($prev_entry) . " - ".
@@ -720 +815 @@
-            # If the previous entry was added and the current
-            # was deleted.
-eq 'added'
-eq 'deleted'
-'changed'
+== $STATUS_ADDED
+== $STATUS_DELETED
+$STATUS_MODIFIED
-                $prev_entry->{old} = $curr_entry->{old};
-
@@ -728 +823 @@
-            # current was added.
-            } else {
-'changed'
+$STATUS_MODIFIED
-                $prev_entry->{'new'} = $curr_entry->{'new'};
-            }
@@ -741 +836 @@
-    }
-    return $ret;
+}
+
+# A helper function, designed to manipulate the array of changes into 
+# a format that is expected by the check() function -- collecting
+# more forensic data about each change along the way.
+#
+# Input: Array reference of hashtables 
+# Output: Array reference of hashtables (manipulated)
+# Notes: This function expects hashtables in the following
+# format:
+#
+#  $inputChanges = [ {
+#      # Indicates if the filesystem entry was deleted,
+#      # added, or changed.
+#      'status' => $STATUS_DELETED | $STATUS_ADDED | $STATUS_MODIFIED,
+#
+#      # If the entry has been added/changed, then this 
+#      # hashtable contains the file/directory's new information.
+#      'new' => {
+#          'name'  => 'C:\WINDOWS\SYSTEM32...',
+#          'size'  => 1263, # in bytes
+#          'mtime' => 1178135092, # modification time, seconds since epoch
+#      },
+#
+#      # If the entry has been deleted/changed, then this
+#      # hashtable contains the file/directory's old information.
+#      'old' => {
+#          'name'  => 'C:\WINDOWS\SYSTEM32...',
+#          'size'  => 802, # in bytes
+#          'mtime' => 1178135028, # modification time, seconds since epoch
+#      },
+#  }, ]
+#
+# And outputs hashtables in the following format:
+# 
+#  $outputChanges = [ {
+#      # Indicates if the filesystem entry was deleted,
+#      # added, or changed.
+#      'status' => $STATUS_DELETED | $STATUS_ADDED | $STATUS_MODIFIED,
+#      'name'  => 'C:\WINDOWS\SYSTEM32...',
+#      'mtime' => 'YYYY-MM-DD HH:MM:SS', # new mtime for added/modified files;
+#                                        # old mtime for deleted files
+#
+#      # content will only exist for added/modified files
+#      'content' => {
+#          'size' => 1263,                                       # size of new content 
+#          'type' => 'application/octet-stream',                 # type of new content
+#          'md5'  => 'b1946ac92492d2347c6235b4d2611184',         # md5  of new content
+#          'sha1' => 'f572d396fae9206628714fb2ce00f72e94f2258f', # sha1 of new content
+#      },
+#  }, ]
+#
+sub _prepare {
+    my ($self, $changes) = @_;
+    my $ret = [];
+
+    $LOG->debug("Preparing changes.");
+
+    my $md5_ctx  = Digest::MD5->new();
+    my $sha1_ctx = Digest::SHA->new("1");
+    my $type_ctx = File::Type->new();
+
+    foreach my $entry (@{$changes}) {
+        # Construct a new entry in the new format.
+        my $newEntry = {
+            'status' => $entry->{'status'},
+        };
+
+        # Figure out which type of entry it is.
+        if ($entry->{'status'} == $STATUS_DELETED) {
+            # Convert Filename
+            $newEntry->{'name'}  = _convertFilename($entry->{'old'}->{'name'});
+            $newEntry->{'mtime'} = _convertTime($entry->{'old'}->{'mtime'});
+    
+            $LOG->debug("Filename: " . $newEntry->{'name'});
+        } else {
+            $newEntry->{'name'}  = $entry->{'new'}->{'name'};
+            $newEntry->{'mtime'} = _convertTime($entry->{'new'}->{'mtime'});
+
+            $LOG->debug("Filename: " . $newEntry->{'name'});
+
+            # Create a new file handle.
+            my $fh = IO::File->new($newEntry->{'name'}, "r");
+            my $md5  = $HASH_UNKNOWN;
+            my $sha1 = $HASH_UNKNOWN;
+            my $type = $TYPE_UNKNOWN;
+
+            # Check to make sure the new/changed file exists.
+            if (defined($fh)) {
+                # If the entry is a directory.
+                if (-d $fh) {
+                    $type = "directory";
+                    undef $fh;
+
+                    # XXX: We currently skip all entries that
+                    # only correspond to directories.
+                    # This is a known limitation.
+                    next;
+
+                # If the entry is a file.
+                } else {
+                    # Compute MD5 Checksum.
+                    $md5_ctx->addfile($fh);
+                    $md5 = $md5_ctx->hexdigest();
+
+                    # Rewind file handle.
+                    seek($fh, 0, 0);
+
+                    # Compute SHA1 Checksum.
+                    $sha1_ctx->addfile($fh);
+                    $sha1 = $sha1_ctx->hexdigest();
+
+                    # Close the file handle.
+                    undef $fh;
+
+                    # Compute File Type.
+                    $type = $type_ctx->mime_type($newEntry->{'name'});
+               }
+            }
+            
+            # Populate the content, accordingly.
+            $newEntry->{'content'} = {
+                'size' => $entry->{'new'}->{'size'},
+                'type' => $type,
+                'md5'  => $md5,
+                'sha1' => $sha1,
+            };
+
+            # Convert Filename
+            $newEntry->{'name'}  = _convertFilename($newEntry->{'name'});
+        }
+
+        # Finally, push it onto our return array.
+        push (@{$ret}, $newEntry);
+    }
+    return $ret;
+}
+
+# Helper function, designed to convert seconds since epoch to
+# an ISO 8601 date time format.
+#
+# Input: epoch
+# Output: iso8601 date/time
+sub _convertTime {
+    my $dt = DateTime->from_epoch(epoch => shift);
+    return $dt->ymd('-') . " " . $dt->hms(':');
+}
+
+# Helper function, designed to convert Cygwin filename paths to
+# a Windows format, where the output is always lowercase.
+#
+# Input: cygwin filename path
+# Output: absolute windows filename path
+sub _convertFilename {
+    return lc(fullwin32path(shift));
-}
-
@@ -838 +1088 @@
-}
-
-################################################################################
-
-=pod
-
-
+no_prepare => $no_prepare
-
-=over 4
@@ -848 +1096 @@
-Checks the filesystem for various changes, based upon
-the filesystem baseline, when the new() method was invoked.
+
+I<Inputs>:
+ B<$no_prepare> is an optional parameter, specifying the output
+format of the changes found.
-
-I<Output>:
@@ -853 +1105 @@
-hashtable has the following format:
-
+  If $no_prepare == 1, then the format will be:
+
-  $changes = [ {
-      # Indicates if the filesystem entry was deleted,
-      # added, or changed.
-'deleted' | 'added' | 'changed'
+$STATUS_DELETED | $STATUS_ADDED | $STATUS_MODIFIED
-
-      # If the entry has been added/changed, then this 
@@ -875 +1129 @@
-  }, ]
-
+  Otherwise, the format will be:
+
+  $changes = [ {
+      # Indicates if the filesystem entry was deleted,
+      # added, or changed.
+      'status' => $STATUS_DELETED | $STATUS_ADDED | $STATUS_MODIFIED,
+      'name'  => 'C:\WINDOWS\SYSTEM32...',
+      'mtime' => 'YYYY-MM-DD HH:MM:SS', # new mtime for added/modified files;
+                                        # old mtime for deleted files
+
+      # content will only exist for added/modified files
+      'content' => {
+          'size' => 1263,                                       # size of new content 
+          'type' => 'application/octet-stream',                 # type of new content
+          'md5'  => 'b1946ac92492d2347c6235b4d2611184',         # md5  of new content
+          'sha1' => 'f572d396fae9206628714fb2ce00f72e94f2258f', # sha1 of new content
+      },
+  }, ]
+
-I<Notes>:
+ If $no_prepare != 1 or $no_prepare == undef, then the outputted changes will B<NEVER> refer to
+any directories.  All the changes will correspond to individual files.
-
-=back
@@ -931 +1206 @@
-close ADD_FILE;
-
+my $md5_ctx = Digest::MD5->new();
+my $sha1_ctx = Digest::SHA->new("1");
+my $type_ctx = File::Type->new();
+
+my $add_fh = IO::File->new($add_file, "r");
+$md5_ctx->addfile($add_fh);
+my $add_file_md5 = $md5_ctx->hexdigest();
+seek($add_fh, 0, 0);
+$sha1_ctx->addfile($add_fh);
+my $add_file_sha1 = $sha1_ctx->hexdigest();
+undef $add_fh;
+my $add_file_type = $type_ctx->mime_type($add_file);
+
-@file_attr = stat($add_file);
-my $add_file_size  = $file_attr[7];
@@ -940 +1228 @@
-close CHANGE_FILE;
-
+my $change_fh = IO::File->new($change_file, "r");
+$md5_ctx->addfile($change_fh);
+my $change_file_md5 = $md5_ctx->hexdigest();
+seek($change_fh, 0, 0);
+$sha1_ctx->addfile($change_fh);
+my $change_file_sha1 = $sha1_ctx->hexdigest();
+undef $change_fh;
+my $change_file_type = $type_ctx->mime_type($change_file);
+
-@file_attr = stat($change_file);
-my $change_file_size2  = $file_attr[7];
@@ -945 +1242 @@
-
-### Perform check.
-
+no_prepare => 1
-
-# Uncomment these lines, if you want to see more
@@ -956 +1253 @@
-my $expectedChanges = [
-  {
-'changed'
+$HoneyClient::Agent::Integrity::Filesystem::STATUS_MODIFIED
-    'new' => {
-        'name'  => $change_file,
@@ -969 +1266 @@
-  },
-  {
-'added'
+$HoneyClient::Agent::Integrity::Filesystem::STATUS_ADDED
-    'new' => {
-        'name'  => $add_file,
@@ -977 +1274 @@
-  },
-  {
-'deleted'
+$HoneyClient::Agent::Integrity::Filesystem::STATUS_DELETED
-    'old' => {
-        'name'  => $delete_file,
@@ -986 +1283 @@
-];
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-### Clean up test data.
@@ -1015 +1354 @@
-    });
-
+    # Sanity checks; check if any args were specified.
+    my $argsExist = scalar(%args);
+
-    # Analyze the filesystem.
-    $LOG->info("Analyzing filesystem.");
@@ -1024 +1366 @@
-                                                    $file_analysis,
-                                                    { keyGen => \&_toString }));
-Return filtered
+Filter
-    $changes = $self->_filter($changes);
-    if (scalar(@{$changes})) {
@@ -1031 +1373 @@
-        $LOG->info("No filesystem changes found.");
-    }
+
+    # Prepare results, if not directed otherwise.
+    if (!$argsExist || 
+        !exists($args{'no_prepare'}) || 
+        !defined($args{'no_prepare'}) ||
+        !$args{'no_prepare'}) {
+        $changes = $self->_prepare($changes);
+    }
+
+    # Return formatted results.
-    return $changes;
-}
@@ -1059 +1411 @@
-
-=back
+
+This library also only monitors B<FILE> changes.  Thus, if malware
+manipulates B<EMPTY DIRECTORIES> on the system, then this library will
+B<NOT&