#!/usr/bin/env python3
"""
This script compares the JSON output of Volatility's printkey plugin (run against
a known services registry key) with the JSON output of its svcscan plugin. The
registry key to inspect can be chosen once the malware family has been determined
through other methods.
To get the information required, execute the following commands on the image:
volatility -f $image --profile $profile svcscan --output=json --output-file=svcscan.json
volatility -f $image --profile $profile printkey --output=json --output-file=printkey.json
The following arguments are available:
--svc=svcscan.json
--reg=printkey.json
Usage:
missingservices.py --svc=<svcscan> --reg=<printkey>
Options:
<svcscan> JSON output of volatility svcscan command
<printkey> JSON output of volatility printkey command
"""
import json
from pprint import pprint
import sys
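# Column index of the service name in both volatility result tables.
# NOTE(review): the script assumes both plugins put the service name at
# position 4 of every row; confirm against the JSON "columns" list if the
# volatility version or plugin output changes.
SERVICE_FIELD = 4


def _parse_args(argv):
    """Return ``(svcfile, regfile)`` parsed from ``argv``.

    Only ``--svc=PATH`` and ``--reg=PATH`` are recognised. Any other
    argument is reported on stdout and otherwise ignored, as in the
    original script. The program name (``argv[0]``) is skipped.
    """
    svcfile = ""
    regfile = ""
    for arg in argv[1:]:
        if arg.startswith("--svc="):
            # Slice off the prefix only; str.replace would also mangle a
            # path that happened to contain the literal "--svc=".
            svcfile = arg[len("--svc="):]
        elif arg.startswith("--reg="):
            regfile = arg[len("--reg="):]
        else:
            print("invalid argument " + arg)
    return svcfile, regfile


def _load_rows(path):
    """Read a volatility JSON output file and return its ``rows`` list.

    Raises ``OSError`` if the file cannot be opened, ``json.JSONDecodeError``
    if it is not valid JSON and ``KeyError`` if it has no ``rows`` entry.
    """
    with open(path) as f:
        return json.load(f)["rows"]


def service_names(rows, field=SERVICE_FIELD):
    """Return the service-name column (index ``field``) of each row."""
    return [row[field] for row in rows]


def missing_from(names, reference):
    """Return the entries of ``names`` that do not occur in ``reference``.

    Order and duplicates in ``names`` are preserved, matching the original
    nested-loop comparison; membership is tested against a set so the
    comparison costs O(n + m) instead of O(n * m). Entries are expected to
    be hashable (volatility emits scalar cells).
    """
    known = set(reference)
    return [name for name in names if name not in known]


def main(argv=None):
    """Compare svcscan and printkey service names and print both differences.

    Prints the services present in the registry output but absent from
    svcscan, then the reverse. Exits with status 2 when either input file
    was not given, instead of failing with an unhelpful ``open("")`` error.
    """
    argv = sys.argv if argv is None else argv
    print("This is the name of the script: ", argv[0])
    print("Number of arguments: ", len(argv))
    print("The arguments are: ", str(argv))

    svcfile, regfile = _parse_args(argv)
    print(regfile)
    print(svcfile)
    if not svcfile or not regfile:
        print("usage: missingservices.py --svc=<svcscan> --reg=<printkey>",
              file=sys.stderr)
        sys.exit(2)

    # Same load order as the original: registry dump first, then svcscan.
    regservices = service_names(_load_rows(regfile))
    svcservices = service_names(_load_rows(svcfile))

    # Services listed under the registry key that svcscan did not find,
    # followed by services svcscan found that are not under the key.
    pprint(missing_from(regservices, svcservices))
    pprint(missing_from(svcservices, regservices))


if __name__ == "__main__":
    main()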