fq format for parsing PyRDP replays.

In progress.
You will need Go >= 1.17 installed. Once it is present, clone the fq repository:

```
$ git clone git@github.com:wader/fq.git
$ cd fq
```

Three files need to be changed for fq to support the pyrdp format. Inside the fq directory, apply the patch with:

```
$ patch -p1 < ../fq-pyrdp/fq-pyrdp.patch
```
The patch makes these three changes:

- Add the `pyrdp` format to the import list at `format/all/all.go`:

  ```go
  _ "github.com/wader/fq/format/pyrdp"
  ```

- Add it to the list of decoders in `format/format.go`:

  ```go
  PYRDP = &decode.Group{Name: "pyrdp"}
  ```

- Add it to the tests in `format/all/all.fqtest`:

  ```
  pyrdp PyRDP Replay Files
  ```
Now that the format has been added to the list of available formats, the actual code needs to be copied or linked into the `format/` directory. Here is how to do the latter (so it can be updated independently):

```
$ cd format/
$ ln -s /the/path/to/fq-pyrdp/pyrdp pyrdp
```

To build fq with the new format, go to the root of the fq repository and run `make fq`. That should create an `fq` binary in the same directory with the PyRDP replay format included.
To let this repository resolve the fq code and reduce editor warnings, configuring a Go workspace is recommended. To do so, at the root of this repository, run:

```
go work init
go work use ./path-to-fq
```
In the fq repository, run:

```
go test ./format -run TestFormats/pyrdp
```

Testing will not work with `format/pyrdp` as a symbolic link to this repository, so you will need to copy the files in order to test.

Ref: https://github.com/wader/fq/blob/b0025b64c94aa443e310647a4148c4c8015d7d1c/doc/dev.md#checklist
To parse replay files with fq you need to specify the format using `-d` and a query, just as you would with jq:

```
$ ./fq -d pyrdp '.events[]' /the/path/to/replay.pyrdp
```

More complex information can be extracted depending on which PDUs the pyrdp format can parse. For example, we can get the password used by the user that connected to the RDP service:

```
$ ./fq -d pyrdp '.events[1].client_info|{password:.password,username:.username}' /the/path/to/replay.pyrdp
{
  "password": "admin",
  "username": "administrator"
}
```
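The query above hardcodes `.events[1]`, which only works when the client info PDU happens to be the second event in the replay. The following is an added example, not part of fq or fq-pyrdp, that post-processes fq's output once it has been emitted as JSON: it walks every event, collects any `client_info` it finds, tolerates missing fields and `null` entries, and produces a redacted variant suitable for an incident report. It assumes only the shape shown on this page (a top-level `events` array whose entries may carry a `client_info` object with `username` and `password`); the sample document embedded below is constructed for the example, not taken from a real replay.

```python
"""Collect client_info PDUs from fq's JSON output for a PyRDP replay.

Added example (not fq or fq-pyrdp code). Assumed input shape, taken from
the fq queries on this page: {"events": [{"client_info": {...}}, ...]}.
"""
import json
import sys
from typing import Any

# Constructed sample document modelled on the page's query output.
# Events 0 and 3 show the failure modes: no client_info at all, and a null one.
SAMPLE_FQ_OUTPUT = """
{
  "events": [
    {"note": "constructed event without a client_info PDU"},
    {"client_info": {"username": "administrator", "password": "admin"}},
    {"client_info": {"username": "guest"}},
    {"client_info": null}
  ]
}
"""


def load_sample() -> dict[str, Any]:
    """Parse the constructed sample so tests and the demo share one document."""
    return json.loads(SAMPLE_FQ_OUTPUT)


def client_info_events(doc: dict[str, Any]) -> list[tuple[int, dict[str, Any]]]:
    """Return (event_index, client_info) for every event carrying a client_info object.

    Events that are not objects, lack the key, or carry null are skipped rather
    than raising, so one odd event does not abort analysis of the whole replay.
    """
    found: list[tuple[int, dict[str, Any]]] = []
    for index, event in enumerate(doc.get("events", [])):
        info = event.get("client_info") if isinstance(event, dict) else None
        if isinstance(info, dict):
            found.append((index, info))
    return found


def credentials(doc: dict[str, Any]) -> list[dict[str, Any]]:
    """Generalise the page's `.events[1].client_info` query to all events.

    Missing username/password fields come back as None instead of KeyError.
    """
    return [
        {"event": index, "username": info.get("username"), "password": info.get("password")}
        for index, info in client_info_events(doc)
    ]


def redacted(doc: dict[str, Any]) -> list[dict[str, Any]]:
    """Same records with the password masked, for sharing outside the IR team.

    A fixed marker is used rather than one star per character so the mask does
    not leak the password length.
    """
    masked = []
    for record in credentials(doc):
        record = dict(record)
        if record["password"] is not None:
            record["password"] = "[redacted]"
        masked.append(record)
    return masked


if __name__ == "__main__":
    # Usage: python this_script.py fq_output.json   (or no argument for the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            document = json.load(fh)
    else:
        document = load_sample()
    for row in redacted(document):
        print(f"event {row['event']}: username={row['username']!r} password={row['password']}")
```

Run it with no arguments to see the sample processed; pass a file containing fq's JSON output to process a real replay. The `credentials` function is the one to call from other tooling; `redacted` is what should end up in a written report.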