From cd261bd15aa6811faddd5070cb9df446afc1ed3d Mon Sep 17 00:00:00 2001
From: Poorbillionaire
Date: Fri, 24 Jun 2016 18:40:16 -0700
Subject: [PATCH 1/6] Added JSON-formatted output option
---
 samples/amcache.py | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/samples/amcache.py b/samples/amcache.py
index bdfd266..5bdeee5 100644
--- a/samples/amcache.py
+++ b/samples/amcache.py
@@ -19,6 +19,7 @@
 import logging
 import datetime
 from collections import namedtuple
+import json
 import argparse
 import unicodecsv
@@ -175,6 +176,8 @@ def main(argv=None):
 help="Enable verbose output")
 parser.add_argument("-t", action="store_true", dest="do_timeline",
 help="Output in simple timeline format")
+ parser.add_argument("-j", action="store_true", dest="do_json",
+ help="Output in JSON-formatted strings")
 args = parser.parse_args(argv[1:])
 if args.verbose:
@@ -213,6 +216,19 @@ def main(argv=None):
 w.writerow(["timestamp", "timestamp_type", "path", "sha1"])
 for e in sorted(entries, key=lambda e: e.timestamp):
 w.writerow([e.timestamp, e.type, e.entry.path, e.entry.sha1])
+
+ elif args.do_json:
+ for e in ee:
+ document = {}
+ for i in FIELDS:
+ document[i.name] = getattr(e, i.name)
+ if document[i.name] is None:
+ document[i.name] = "-"
+ elif type(document[i.name]) == datetime.datetime:
+ document[i.name] = str(document[i.name])
+
+ print json.dumps(document, ensure_ascii=False).encode("utf8")
+
 else:
 w = unicodecsv.writer(sys.stdout, delimiter="|", quotechar="\"",
 quoting=unicodecsv.QUOTE_MINIMAL, encoding="utf-8")
From bdee3bebf970b1a4383749f27cedeb5003bfb08e Mon Sep 17 00:00:00 2001
From: Poorbillionaire
Date: Fri, 24 Jun 2016 18:47:20 -0700
Subject: [PATCH 2/6] Added '-' to encoding to match Python docs
---
 samples/amcache.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/samples/amcache.py b/samples/amcache.py
index 5bdeee5..8decf24 100644
--- a/samples/amcache.py
+++ b/samples/amcache.py
@@ -227,7 +227,7 @@ def main(argv=None):
 elif type(document[i.name]) == datetime.datetime:
 document[i.name] = str(document[i.name])
- print json.dumps(document, ensure_ascii=False).encode("utf8")
+ print json.dumps(document, ensure_ascii=False).encode("utf-8")
 else:
 w = unicodecsv.writer(sys.stdout, delimiter="|", quotechar="\"",
From da9ed00854aa0ec982a6fa929122ba5be980ed8e Mon Sep 17 00:00:00 2001
From: Poorbillionaire
Date: Fri, 24 Jun 2016 19:45:38 -0700
Subject: [PATCH 3/6] Using the print() function to stay consistent with the project
---
 samples/amcache.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/samples/amcache.py b/samples/amcache.py
index 8decf24..f65c577 100644
--- a/samples/amcache.py
+++ b/samples/amcache.py
@@ -15,6 +15,8 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
+
+ from __future__ import print_function
 import sys
 import logging
 import datetime
@@ -227,7 +229,7 @@ def main(argv=None):
 elif type(document[i.name]) == datetime.datetime:
 document[i.name] = str(document[i.name])
- print json.dumps(document, ensure_ascii=False).encode("utf-8")
+ print(json.dumps(document, ensure_ascii=False).encode("utf-8"))
 else:
 w = unicodecsv.writer(sys.stdout, delimiter="|", quotechar="\"",
From aa95a5bff0a46859811c4dc589557d29546d2f66 Mon Sep 17 00:00:00 2001
From: Poorbillionaire
Date: Sat, 25 Jun 2016 10:34:08 -0700
Subject: [PATCH 4/6] Re-ordered imports
---
 samples/amcache.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/samples/amcache.py b/samples/amcache.py
index f65c577..9572702 100644
--- a/samples/amcache.py
+++ b/samples/amcache.py
@@ -17,11 +17,12 @@
 # limitations under the License.
 from __future__ import print_function
+
 import sys
+import json
 import logging
 import datetime
 from collections import namedtuple
-import json
 import argparse
 import unicodecsv
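Review bot: In the `@@ -227,7 +229,7 @@` hunk of PATCH 3/6, `print(json.dumps(document, ensure_ascii=False).encode("utf-8"))` only emits the JSON text on Python 2; on Python 3, where `print_function` is already the default, printing a bytes object writes the `b'...'` repr instead of the record, so the `__future__` import added by this commit does not by itself make the branch portable. On Python 2 the explicit encode is what lets any non-ASCII field value reach a piped stdout without a UnicodeEncodeError, so simply dropping it is not free either. If Python 3 support is the goal, the encoded bytes belong on the interpreter's binary stdout stream under a version check; if the script is meant to stay Python 2-only, a comment such as `# Python 2: emit encoded bytes so non-ASCII values survive a piped stdout` would spare the next reader the question. The enclosing main() starts and ends outside the hunk.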
@@ -236,6 +237,8 @@ def main(argv=None):
 quoting=unicodecsv.QUOTE_MINIMAL, encoding="utf-8")
 w.writerow(map(lambda e: e.name, FIELDS))
 for e in ee:
+ print(e)
+ exit(type(e.path))
 w.writerow(map(lambda i: getattr(e, i.name), FIELDS))
From 49517ee48f9a5080b31ed3c7fda85ad8710c86bd Mon Sep 17 00:00:00 2001
From: Poorbillionaire
Date: Sat, 25 Jun 2016 10:59:30 -0700
Subject: [PATCH 5/6] Cleaned up jsonl functionality, removed lines I used during testing
---
 samples/amcache.py | 13 ++++--------
 1 file changed, 4 insertions(+), 9 deletions(-)
diff --git a/samples/amcache.py b/samples/amcache.py
index 9572702..d7d211b 100644
--- a/samples/amcache.py
+++ b/samples/amcache.py
@@ -15,7 +15,6 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
- from __future__ import print_function
 import sys
@@ -224,12 +223,10 @@ def main(argv=None):
 for e in ee:
 document = {}
 for i in FIELDS:
- document[i.name] = getattr(e, i.name)
- if document[i.name] is None:
- document[i.name] = "-"
- elif type(document[i.name]) == datetime.datetime:
- document[i.name] = str(document[i.name])
-
+ val = getattr(e, i.name, "-")
+ if isinstance(val, datetime.datetime):
+ val = val.isoformat(" ")
+ document[i.name] = val
 print(json.dumps(document, ensure_ascii=False).encode("utf-8"))
 else:
@@ -237,8 +234,6 @@ def main(argv=None):
 quoting=unicodecsv.QUOTE_MINIMAL, encoding="utf-8")
 w.writerow(map(lambda e: e.name, FIELDS))
 for e in ee:
- print(e)
- exit(type(e.path))
 w.writerow(map(lambda i: getattr(e, i.name), FIELDS))
From 9276975388e9125eaf8b98bd40982ef356343574 Mon Sep 17 00:00:00 2001
From: Poorbillionaire
Date: Sat, 25 Jun 2016 11:04:54 -0700
Subject: [PATCH 6/6] Adding mutual exclusivity to -t and -j command-line switches
---
 samples/amcache.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
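Review bot: In the `@@ -224,12 +223,10 @@` hunk of PATCH 5/6, `val = getattr(e, i.name, "-")` only yields the `"-"` placeholder when the attribute is absent; a field that is present with value None — the case the removed `is None` branch handled — now reaches json.dumps and is written as JSON `null`, so this is a change to the -j output format rather than only a cleanup. The CSV branch further down calls `getattr(e, i.name)` with no default, which suggests every entry exposes every field in FIELDS and the new default is never actually taken. If `"-"` is still the intended placeholder, keep the explicit check, `val = getattr(e, i.name)` / `if val is None:` / `val = "-"`; if `null` is the intended JSON form, drop the default so the intent is visible. The `print(...)` line also deserves a one-line comment noting that json.dumps escapes control characters even with `ensure_ascii=False`, which is what keeps a path value containing a newline from breaking the one-record-per-line framing. main() starts and ends outside the hunk.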
diff --git a/samples/amcache.py b/samples/amcache.py
index d7d211b..426a4b0 100644
--- a/samples/amcache.py
+++ b/samples/amcache.py
@@ -172,14 +172,15 @@ def main(argv=None):
 parser = argparse.ArgumentParser(
 description="Parse program execution entries from the Amcache.hve Registry hive")
+ group = parser.add_mutually_exclusive_group()
+ group.add_argument("-t", action="store_true", dest="do_timeline",
+ help="Output in simple timeline format")
+ group.add_argument("-j", action="store_true", dest="do_json",
+ help="Output in JSON-formatted strings")
 parser.add_argument("registry_hive", type=str,
 help="Path to the Amcache.hve hive to process")
 parser.add_argument("-v", action="store_true", dest="verbose",
 help="Enable verbose output")
- parser.add_argument("-t", action="store_true", dest="do_timeline",
- help="Output in simple timeline format")
- parser.add_argument("-j", action="store_true", dest="do_json",
- help="Output in JSON-formatted strings")
 args = parser.parse_args(argv[1:])
 if args.verbose:
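Review bot: The help string carried over onto the new `group.add_argument("-j", ...)` line, `help="Output in JSON-formatted strings"`, does not tell the user what they will have to parse: the branch writes one JSON object per line, the JSON Lines form that the PATCH 5/6 message calls "jsonl", with datetime fields rendered by isoformat using a space separator. `help="Output one JSON object per line (JSON Lines)"` would document the format at the point where users look for it. The mutually exclusive group is the right construct for -t and -j; main() continues outside the hunk.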