From bcd3d0e922b25cf3b9501d2c040d777a60a60391 Mon Sep 17 00:00:00 2001
From: jokim0x01
Date: Tue, 23 May 2017 22:26:22 -0400
Subject: [PATCH 1/2] Update ShimCacheParser.py
Made minor fix to the read_zip function: changed the file name to search for removed hostname column Headers updated to be consistent with tool
---
 ShimCacheParser.py | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/ShimCacheParser.py b/ShimCacheParser.py
index 64762bb..a945c9b 100755
--- a/ShimCacheParser.py
+++ b/ShimCacheParser.py
@@ -822,7 +822,7 @@ def read_zip(zip_name):
 print "[+] Processing %d registry acquisitions..." % len(zip_contents)
 for item in zip_contents:
 try:
- if '_w32registry.xml' not in item:
+ if 'w32registry' not in item:
 continue
 filename = item.split('/')
 if len(filename) > 0:
@@ -846,15 +846,13 @@ def read_zip(zip_name):
 else:
 for li in out_list:
 if "Last Modified" not in li[0]:
- li.insert(0, hostname)
 final_list.append(li)
 except IOError, err:
 print "[-] Error opening file: %s in MIR archive: %s" % (item, err)
 continue
 # Add the final header.
- final_list.insert(0, ("Hostname", "Last Modified", "Last Update",
- "Path", "File Size", "File Executed", "Key Path"))
+ final_list.insert(0, ("Last Modified", "Last Update", "Path", "File Size", "Exec Flag"))
 return final_list
 except (IOError, zipfile.BadZipfile, struct.error), err:
@@ -969,4 +967,3 @@ def main(argv=[]):
 if __name__ == '__main__':
 main(sys.argv)
-
From 90d2849b3b7e8217d3709d921364bd6b1840a6e9 Mon Sep 17 00:00:00 2001
From: jokim0x01
Date: Wed, 24 May 2017 10:06:12 -0400
Subject: [PATCH 2/2] Update ShimCacheParser.py
---
 ShimCacheParser.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/ShimCacheParser.py b/ShimCacheParser.py
index a945c9b..4c181d7 100755
--- a/ShimCacheParser.py
+++ b/ShimCacheParser.py
@@ -811,7 +811,7 @@ def read_zip(zip_name):
 tmp_list = []
 final_list = []
 out_list = []
- hostname = ""
+ hostname = "N/A"
 try:
 # Open the zip archive.
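Review bot: The loosened test `if 'w32registry' not in item:` in the first hunk of PATCH 1/2 now admits any archive entry whose full path merely contains that substring, including directory entries and non-XML files under a directory with that name, and nothing else in the hunk rejects them before they reach the parser; the `except IOError` further down only catches I/O failures, so a parse error on such an entry would propagate to the outer handler (the parser itself is not in view). Match on the entry's basename and extension instead, e.g. `name = item.rsplit('/', 1)[-1]` followed by `if 'w32registry' not in name or not name.lower().endswith('.xml'): continue`. If the intent was only to drop the leading underscore, `'w32registry.xml' not in item` keeps the extension check with no other change. read_zip continues outside this hunk on both sides.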
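Review bot: `hostname = "N/A"` in the first hunk of PATCH 2/2 is assigned once before the archive loop, so if the per-entry hostname is derived from `filename` further down (outside this hunk) and that derivation does not run for a given entry, that entry's rows are emitted under the previous entry's hostname rather than "N/A"; the placeholder only protects the first entry. If that is how the loop works, reset the value at the top of the `for item in zip_contents:` iteration, `hostname = "N/A"`, so every row is either attributed to its own acquisition or explicitly marked unknown. The site that assigns hostname per entry is not in view, so confirm against the rest of read_zip.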
@@ -846,13 +846,14 @@ def read_zip(zip_name):
 else:
 for li in out_list:
 if "Last Modified" not in li[0]:
+ li.insert(0, hostname)
 final_list.append(li)
 except IOError, err:
 print "[-] Error opening file: %s in MIR archive: %s" % (item, err)
 continue
 # Add the final header.
- final_list.insert(0, ("Last Modified", "Last Update", "Path", "File Size", "Exec Flag"))
+ final_list.insert(0, ("Hostname", "Last Modified", "Last Update", "Path", "File Size", "Exec Flag"))
 return final_list
 except (IOError, zipfile.BadZipfile, struct.error), err:
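Review bot: The re-added `li.insert(0, hostname)` mutates the row lists held in `out_list` in place before appending them to `final_list`, and `out_list` is initialised once at the top of read_zip (outside this hunk); if the per-entry parse appends to it rather than rebinding it, the rows of earlier entries are iterated again for each later entry and receive a second hostname column plus a duplicate line in `final_list`. If `out_list` is not rebound per entry, build a fresh row instead of mutating, `final_list.append([hostname] + list(li))`, and clear `out_list` at the start of each iteration. The six-name header on the `final_list.insert(0, (...))` line also assumes every row carries exactly five fields before the hostname is prepended; the code that fills `out_list` is not in view, so confirm the column count matches. read_zip continues on both sides of this hunk.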