diff --git a/NOTICE.txt b/NOTICE.txt index 6e1844076440..56895fc65dc8 100644 --- a/NOTICE.txt +++ b/NOTICE.txt 
@@ -12088,6 +12088,218 @@ Copyright 2014 CloudFlare. All rights reserved. Use of this source code is governed by a BSD-style license that can be found in the LICENSE file. +-------------------------------------------------------------------------------- +Dependency : github.com/minio/sha256-simd +Version: v1.0.0 +Licence type (autodetected): Apache-2.0 +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/minio/sha256-simd@v1.0.0/LICENSE: + + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. 
+ + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. 
You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. 
+ + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. 
In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. 
+ + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + + -------------------------------------------------------------------------------- Dependency : github.com/mitchellh/gox Version: v1.0.1 
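Review bot: the new NOTICE.txt entry for github.com/minio/sha256-simd v1.0.0 needs a parity test beside it, because that library selects a SHA-NI, AVX2 or generic SHA-256 implementation at runtime and the `hash.sha256` values this module emits must be byte-identical to crypto/sha256 on every host, otherwise baselines built on one machine will not match another. Nothing in the patch shows the call site where sha256-simd replaces crypto/sha256 or the matching go.mod line; please point to both and add a test that hashes a fixed buffer through crypto/sha256 and sha256-simd and compares the digests.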
@@ -34419,6 +34631,38 @@ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +-------------------------------------------------------------------------------- +Dependency : github.com/klauspost/cpuid/v2 +Version: v2.0.4 +Licence type (autodetected): MIT +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/klauspost/cpuid/v2@v2.0.4/LICENSE: + +The MIT License (MIT) + +Copyright (c) 2015 Klaus Post + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. + + + -------------------------------------------------------------------------------- Dependency : github.com/konsorten/go-windows-terminal-sequences Version: v1.0.2 diff --git a/auditbeat/auditbeat.reference.yml b/auditbeat/auditbeat.reference.yml index 8ceb7914f045..0280a1aae727 100644 --- a/auditbeat/auditbeat.reference.yml +++ b/auditbeat/auditbeat.reference.yml 
@@ -116,6 +116,12 @@ auditbeat.modules: # Set to true to publish fields with null values in events. #keep_null: false + # Uncomment the following to parse object files that trigger events + #processors: + # - add_file_data: + # ignore_failure: true + + # ================================== General =================================== diff --git a/auditbeat/docs/fields.asciidoc b/auditbeat/docs/fields.asciidoc index cd143ad919e7..1c4bc8b74b5e 100644 --- a/auditbeat/docs/fields.asciidoc +++ b/auditbeat/docs/fields.asciidoc 
@@ -11730,6 +11730,597 @@ type: keyword -- +[float] +=== file + +Extensions to the ECS File field set + + +[float] +=== elf + +These fields contain Linux Executable Linkable Format (ELF) metadata. + + +*`file.elf.header.class`*:: ++ +-- +Header class of the ELF file. + + +type: keyword + +-- + +*`file.elf.header.data`*:: ++ +-- +Data type of the ELF header. + + +type: keyword + +-- + +*`file.elf.header.machine`*:: ++ +-- +Machine type of the ELF header. + + +type: keyword + +-- + +*`file.elf.header.os_abi`*:: ++ +-- +Application Binary Interface (ABI) of the Linux OS. + + +type: keyword + +-- + +*`file.elf.header.type`*:: ++ +-- +Header type of the ELF file. + + +type: keyword + +-- + +*`file.elf.header.version`*:: ++ +-- +Version of the ELF header. + + +type: keyword + +-- + +*`file.elf.header.abi_version`*:: ++ +-- +Version of the ELF Application Binary Interface (ABI). + + +type: keyword + +-- + +*`file.elf.header.entrypoint`*:: ++ +-- +Header entrypoint of the ELF file. + + +type: long + +format: string + +-- + +*`file.elf.sections`*:: ++ +-- +Section information of the ELF file. + + +type: nested + +-- + +*`file.elf.exports`*:: ++ +-- +List of exported element names and types. + + +type: flattened + +-- + +*`file.elf.imports`*:: ++ +-- +List of imported element names and types. + + +type: flattened + +-- + +*`file.elf.shared_libraries`*:: ++ +-- +List of shared libraries used by this ELF object + + +type: keyword + +-- + +*`file.elf.telfhash`*:: ++ +-- +telfhash is symbol hash for ELF files, just like imphash is imports hash for PE files. Learn more at https://github.com/trendmicro/telfhash. + + +type: keyword + +-- + +*`file.elf.segments`*:: ++ +-- +ELF object segment list. + + +type: nested + +-- + +*`file.elf.debug`*:: ++ +-- +Debug information, if present + +type: nested + +-- + +*`file.elf.packers`*:: ++ +-- +List of packers and tools used. 
+ + +type: keyword + +example: ["ASPack v2.12", ".NET executable"] + +-- + +[float] +=== pe + +PE ECS field extensions + + +*`file.pe.debug`*:: ++ +-- +Debug information, if present + +type: nested + +-- + +*`file.pe.imports`*:: ++ +-- +List of all imported functions + +type: flattened + +example: { "library" : "mscoree.dll", "name" : "GetFileVersionInfoSizeA" } + +-- + +*`file.pe.sections`*:: ++ +-- +Data about sections of compiled binary PE + + +type: nested + +-- + +*`file.pe.resources`*:: ++ +-- +If the PE contains resources, some info about them + + +type: nested + +-- + +*`file.pe.exports`*:: ++ +-- +List of symbols exported by PE + + +type: keyword + +example: ["DllInstall", "DllRegisterServer", "DllUnregisterServer"] + +-- + +*`file.pe.icons`*:: ++ +-- +If the PE contains icons, some info about them + + +type: flattened + +-- + +*`file.pe.authentihash`*:: ++ +-- +Authentihash of the PE file. + + +type: keyword + +example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + +-- + +*`file.pe.compile_timestamp`*:: ++ +-- +Compile timestamp of the PE file. + + +type: date + +example: 2020-11-05T17:25:47.000Z + +-- + +*`file.pe.compiler.name`*:: ++ +-- +Name of the compiler + + +type: keyword + +example: Clang + +-- + +*`file.pe.compiler.version`*:: ++ +-- +Version of the compiler. + + +type: keyword + +example: 11.0.0 + +-- + +*`file.pe.rich_header.hash.md5`*:: ++ +-- +MD5 hash of the header for the PE file. + + +type: keyword + +example: 5aa1aa0f2b4be70397a1e9e2b87627cd + +-- + +*`file.pe.entrypoint`*:: ++ +-- +Relative byte offset to the base of the PE file. + + +type: keyword + +example: 25856 + +-- + +*`file.pe.packers`*:: ++ +-- +List of packers and tools used. + + +type: keyword + +example: ["ASPack v2.12", ".NET executable"] + +-- + +[float] +=== macho + +These fields contain macOS Mach Object (Mach-O) metadata. 
+ + +*`file.macho.architectures`*:: ++ +-- +Object files contained inside this file by architecture + +type: nested + +-- + +[float] +=== lnk + +These fields contain windows LNK metadata. + + +*`file.lnk.name`*:: ++ +-- +LNK name + +type: keyword + +-- + +*`file.lnk.relative_path`*:: ++ +-- +LNK relative path + +type: keyword + +-- + +*`file.lnk.working_directory`*:: ++ +-- +LNK working directory + +type: keyword + +-- + +*`file.lnk.command_line`*:: ++ +-- +LNK command line + +type: keyword + +-- + +*`file.lnk.icon_location`*:: ++ +-- +LNK icon location + +type: keyword + +-- + +*`file.lnk.extra`*:: ++ +-- +Extra fields in the LNK, type specific + +type: flattened + +-- + +*`file.lnk.header.guid`*:: ++ +-- +LNK guid + +type: keyword + +-- + +*`file.lnk.header.link_flags`*:: ++ +-- +LNK link flags + +type: keyword + +-- + +*`file.lnk.header.file_flags`*:: ++ +-- +LNK file flags + +type: keyword + +-- + +*`file.lnk.header.creation_time`*:: ++ +-- +LNK creation time + +type: date + +-- + +*`file.lnk.header.accessed_time`*:: ++ +-- +LNK accessed time + +type: date + +-- + +*`file.lnk.header.modified_time`*:: ++ +-- +LNK modified time + +type: date + +-- + +*`file.lnk.header.file_size`*:: ++ +-- +LNK file size + +type: long + +-- + +*`file.lnk.header.icon_index`*:: ++ +-- +LNK icon index + +type: long + +-- + +*`file.lnk.header.window_style`*:: ++ +-- +LNK window style + +type: keyword + +-- + +*`file.lnk.header.hot_key`*:: ++ +-- +LNK hot key + +type: keyword + +-- + +*`file.lnk.shellbags`*:: ++ +-- +LNK shellbags + +type: nested + +-- + +*`file.lnk.location.flags`*:: ++ +-- +LNK location flags + +type: keyword + +-- + +*`file.lnk.location.common_path_suffix`*:: ++ +-- +LNK common path suffix + +type: keyword + +-- + +*`file.lnk.location.local_base_path`*:: ++ +-- +LNK local base path + +type: keyword + +-- + +*`file.lnk.location.volume.drive_type`*:: ++ +-- +LNK volume drive type + +type: keyword + +-- + +*`file.lnk.location.volume.drive_serial_number`*:: ++ +-- +LNK 
volume drive serial number + +type: keyword + +-- + +*`file.lnk.location.volume.volume_label`*:: ++ +-- +LNK volume label + +type: keyword + +-- + +*`file.lnk.location.network_share.flags`*:: ++ +-- +LNK network share flags + +type: keyword + +-- + +*`file.lnk.location.network_share.provider_type`*:: ++ +-- +LNK network share provider type + +type: keyword + +-- + +*`file.lnk.location.network_share.name`*:: ++ +-- +LNK network share name + +type: keyword + +-- + +*`file.lnk.location.network_share.device_name`*:: ++ +-- +LNK network share device name + +type: keyword + +-- + [[exported-fields-host-processor]] == Host fields diff --git a/auditbeat/module/file_integrity/_meta/config.yml.tmpl b/auditbeat/module/file_integrity/_meta/config.yml.tmpl index af346d9fb984..5298703fc9da 100644 --- a/auditbeat/module/file_integrity/_meta/config.yml.tmpl +++ b/auditbeat/module/file_integrity/_meta/config.yml.tmpl @@ -77,4 +77,10 @@ # Set to true to publish fields with null values in events. #keep_null: false + + # Uncomment the following to parse object files that trigger events + #processors: + # - add_file_data: + # ignore_failure: true + {{ end }} diff --git a/auditbeat/module/file_integrity/_meta/fields.yml b/auditbeat/module/file_integrity/_meta/fields.yml index c34aaaf1d43f..5fe873ff0f10 100644 --- a/auditbeat/module/file_integrity/_meta/fields.yml +++ b/auditbeat/module/file_integrity/_meta/fields.yml 
@@ -2,77 +2,719 @@ title: File Integrity description: These are the fields generated by the file_integrity module. fields: - - name: hash - type: group - description: > - Hashes of the file. The keys are algorithm names and the values are - the hex encoded digest values. - - fields: - - name: blake2b_256 - type: keyword - description: BLAKE2b-256 hash of the file. - - - name: blake2b_384 - type: keyword - description: BLAKE2b-384 hash of the file. - - - name: blake2b_512 - type: keyword - description: BLAKE2b-512 hash of the file. - - - name: md5 - overwrite: true - type: keyword - description: MD5 hash of the file. - - - name: sha1 - overwrite: true - type: keyword - description: SHA1 hash of the file. - - - name: sha224 - type: keyword - description: SHA224 hash of the file. - - - name: sha256 - overwrite: true - type: keyword - description: SHA256 hash of the file. - - - name: sha384 - type: keyword - description: SHA384 hash of the file. - - - name: sha3_224 - type: keyword - description: SHA3_224 hash of the file. - - - name: sha3_256 - type: keyword - description: SHA3_256 hash of the file. - - - name: sha3_384 - type: keyword - description: SHA3_384 hash of the file. - - - name: sha3_512 - type: keyword - description: SHA3_512 hash of the file. - - - name: sha512 - overwrite: true - type: keyword - description: SHA512 hash of the file. - - - name: sha512_224 - type: keyword - description: SHA512/224 hash of the file. - - - name: sha512_256 - type: keyword - description: SHA512/256 hash of the file. - - - name: xxh64 - type: keyword - description: XX64 hash of the file. + - name: hash + type: group + description: > + Hashes of the file. The keys are algorithm names and the values are + the hex encoded digest values. + + fields: + - name: blake2b_256 + type: keyword + description: BLAKE2b-256 hash of the file. + + - name: blake2b_384 + type: keyword + description: BLAKE2b-384 hash of the file. 
+ + - name: blake2b_512 + type: keyword + description: BLAKE2b-512 hash of the file. + + - name: md5 + overwrite: true + type: keyword + description: MD5 hash of the file. + + - name: sha1 + overwrite: true + type: keyword + description: SHA1 hash of the file. + + - name: sha224 + type: keyword + description: SHA224 hash of the file. + + - name: sha256 + overwrite: true + type: keyword + description: SHA256 hash of the file. + + - name: sha384 + type: keyword + description: SHA384 hash of the file. + + - name: sha3_224 + type: keyword + description: SHA3_224 hash of the file. + + - name: sha3_256 + type: keyword + description: SHA3_256 hash of the file. + + - name: sha3_384 + type: keyword + description: SHA3_384 hash of the file. + + - name: sha3_512 + type: keyword + description: SHA3_512 hash of the file. + + - name: sha512 + overwrite: true + type: keyword + description: SHA512 hash of the file. + + - name: sha512_224 + type: keyword + description: SHA512/224 hash of the file. + + - name: sha512_256 + type: keyword + description: SHA512/256 hash of the file. + + - name: xxh64 + type: keyword + description: XX64 hash of the file. + + # These are extensions to the file field set + - name: file + title: File + description: Extensions to the ECS File field set + type: group + fields: + # ELF fields + - name: elf + title: ELF file information + description: These fields contain Linux Executable Linkable Format (ELF) metadata. + type: group + fields: + - name: header.class + description: > + Header class of the ELF file. + type: keyword + + - name: header.data + description: > + Data type of the ELF header. + type: keyword + + - name: header.machine + description: > + Machine type of the ELF header. + type: keyword + + - name: header.os_abi + description: > + Application Binary Interface (ABI) of the Linux OS. + type: keyword + + - name: header.type + description: > + Header type of the ELF file. 
+ type: keyword + + - name: header.version + description: > + Version of the ELF header. + type: keyword + + - name: header.abi_version + type: keyword + description: > + Version of the ELF Application Binary Interface (ABI). + + - name: header.entrypoint + format: string + type: long + description: > + Header entrypoint of the ELF file. + + - name: sections + description: > + Section information of the ELF file. + type: nested + fields: + - name: flags + description: > + ELF Section List flags. + type: keyword + + - name: name + description: > + ELF Section List name. + type: keyword + + - name: physical_offset + description: > + ELF Section List offset. + type: keyword + + - name: type + description: > + ELF Section List type. + type: keyword + + - name: physical_size + description: > + ELF Section List physical size. + format: bytes + type: long + + - name: virtual_address + description: > + ELF Section List virtual address. + format: string + type: long + + - name: virtual_size + description: > + ELF Section List virtual size. + format: string + type: long + + - name: entropy + description: > + Shannon entropy calculation from the section. + format: number + type: double + + - name: chi2 + description: > + Chi-square probability distribution of the section. + format: number + type: double + + - name: exports + description: > + List of exported element names and types. + type: flattened + + - name: imports + description: > + List of imported element names and types. + type: flattened + + - name: shared_libraries + description: > + List of shared libraries used by this ELF object + type: keyword + + - name: telfhash + short: telfhash hash for ELF files + description: > + telfhash is symbol hash for ELF files, just like imphash is imports hash for PE files. Learn more at https://github.com/trendmicro/telfhash. + type: keyword + + - name: segments + description: > + ELF object segment list. 
+ type: nested + fields: + - name: type + description: ELF object segment type. + type: keyword + + - name: sections + description: ELF object segment sections. + type: keyword + + - name: debug + type: nested + description: Debug information, if present + fields: + - name: offset + type: keyword + description: Debug offset information. + example: 1296336 + + - name: size + type: long + format: bytes + description: Size of the debug information. + example: 816 + + - name: type + type: keyword + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + + - name: timestamp + type: date + description: Timestamp of the debug information. + example: "2020-11-05T17:25:47.000Z" + + - name: packers + description: > + List of packers and tools used. + type: keyword + example: '["ASPack v2.12", ".NET executable"]' + normalize: + - array + + # PE fields + - name: pe + title: PE file information. + description: PE ECS field extensions + type: group + fields: + - name: debug + type: nested + description: Debug information, if present + fields: + - name: offset + type: keyword + description: Debug offset information. + example: 1296336 + + - name: size + type: long + format: bytes + description: Size of the debug information. + example: 816 + + - name: type + type: keyword + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + + - name: timestamp + type: date + description: Timestamp of the debug information. + example: "2020-11-05T17:25:47.000Z" + + - name: imports + type: flattened + description: List of all imported functions + example: '{ "library" : "mscoree.dll", "name" : "GetFileVersionInfoSizeA" }' + + - name: sections + description: > + Data about sections of compiled binary PE + type: nested + fields: + - name: chi2 + description: Chi-square probability distribution. + type: long + example: 3027194 + + - name: virtual_address + description: Virtual address available to the file. 
+ type: long + format: bytes + example: 8192 + + - name: entropy + description: Measurement of entropy randomness in the file. + type: float + example: 6.24 + + - name: flags + description: Section flags of the file. + type: keyword + example: rx + + - name: name + description: Section names of the file. + type: keyword + example: .text, .data + + - name: raw_size + description: Size of the section or the dize of the initialized data on disk. + type: long + format: bytes + example: 198144 + + - name: resources + type: nested + description: > + If the PE contains resources, some info about them + fields: + - name: chi2 + description: Chi-square probability distribution. + type: long + example: -1 + + - name: filetype + description: File type of the resources section. + type: keyword + example: Data + + - name: entropy + description: Measurement of entropy randomness in the resources section. + type: long + example: 0, 1 + + - name: sha256 + description: SHA256 hash of resources section. + type: keyword + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + + - name: language + description: Language identification. + type: keyword + example: "CHINESE SIMPLIFIED" + + - name: type + type: keyword + short: List of resource types. + description: > + Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + normalize: + - array + + - name: exports + type: keyword + description: > + List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + normalize: + - array + + - name: icons + type: flattened + description: > + If the PE contains icons, some info about them + + - name: authentihash + description: > + Authentihash of the PE file. + type: keyword + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + + - name: compile_timestamp + description: > + Compile timestamp of the PE file. 
+ type: date + example: "2020-11-05T17:25:47.000Z" + + - name: compiler.name + type: keyword + description: > + Name of the compiler + example: Clang + + - name: compiler.version + type: keyword + description: > + Version of the compiler. + example: 11.0.0 + + - name: rich_header.hash.md5 + type: keyword + description: > + MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + + - name: entrypoint + description: > + Relative byte offset to the base of the PE file. + type: keyword + example: 25856 + + - name: packers + description: > + List of packers and tools used. + type: keyword + example: '["ASPack v2.12", ".NET executable"]' + normalize: + - array + + # MachO + - name: macho + title: Mach-O file information. + type: group + description: These fields contain macOS Mach Object (Mach-O) metadata. + fields: + - name: architectures + description: Object files contained inside this file by architecture + type: nested + fields: + - name: debug + type: nested + description: Debug information, if present + fields: + - name: offset + type: keyword + description: Debug offset information. + example: 1296336 + + - name: size + type: long + format: bytes + description: Size of the debug information. + example: 816 + + - name: type + type: keyword + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + + - name: timestamp + type: date + description: Timestamp of the debug information. + example: "2020-11-05T17:25:47.000Z" + + - name: cpu + description: CPU architecture target for the file. + type: keyword + example: 64-bit + + - name: byte_order + description: Byte order for the file. + type: keyword + example: little-endian + + - name: type + description: Mach-O file type. + type: keyword + + - name: header.commands + description: Header load commands + type: nested + fields: + - name: number + description: Number of load commands for the Mach-O header. 
+ type: long + example: 23 + + - name: size + description: Size of load commands of the Mach-O header. + type: long + format: bytes + example: 3888 + + - name: type + description: Type of the load commands for the Mach-O header. + type: keyword + example: LC_SYMTAB, 0x2c + + - name: header.magic + description: Magic field of the Mach-O header. + type: keyword + example: 0xfeedfacf + + - name: header.flags + description: Flags set in the Mach-O header. + type: keyword + example: TWOLEVEL, 0x4000000 + + - name: segments + description: Segment information for the file. + type: nested + fields: + - name: vmaddr + description: Memory address of this segment. + type: keyword + example: 0x0 + + - name: name + description: Name of this segment. + type: keyword + example: __TEXT, __DATA, __IMPORT + + - name: vmsize + description: Memory size of this segment. + type: keyword + example: 0x4c000 + + - name: fileoff + description: File offset of this segment. + type: keyword + example: 0x0 + + - name: filesize + description: Amount of memory to map from the file. + type: keyword + example: 0x4c000 + + - name: sections + description: Section information for the segment of the file. + type: nested + fields: + - name: name + description: Name of this section. + type: keyword + + - name: type + description: Type of this section. + type: keyword + + - name: offset + description: Offset of this section. + type: long + + - name: size + description: Size of this section. + type: long + + - name: entropy + description: Entropy of this section. + type: double + + - name: chi2 + description: Chi-square of this section. + type: double + + - name: flags + description: Flags of this section. + type: keyword + + - name: flags + description: Segment flags. + type: keyword + + - name: libraries + description: Imported libraries. + type: keyword + + - name: imports + description: Imported symbols. + type: keyword + + - name: exports + description: Exported symbols. 
+ type: keyword + + - name: packers + description: Packers. + type: keyword + + - name: symhash + description: Symbol hash. + type: keyword + + - name: cdhash + description: Code Digest (CD) SHA256 hash of the first 20-bytes of the file. + type: keyword + + # LNK + - name: lnk + title: LNK file information. + type: group + description: These fields contain windows LNK metadata. + fields: + - name: name + description: LNK name + type: keyword + + - name: relative_path + description: LNK relative path + type: keyword + + - name: working_directory + description: LNK working directory + type: keyword + + - name: command_line + description: LNK command line + type: keyword + + - name: icon_location + description: LNK icon location + type: keyword + + - name: extra + description: Extra fields in the LNK, type specific + type: flattened + + - name: header.guid + description: LNK guid + type: keyword + + - name: header.link_flags + description: LNK link flags + type: keyword + + - name: header.file_flags + description: LNK file flags + type: keyword + + - name: header.creation_time + description: LNK creation time + type: date + + - name: header.accessed_time + description: LNK accessed time + type: date + + - name: header.modified_time + description: LNK modified time + type: date + + - name: header.file_size + description: LNK file size + type: long + + - name: header.icon_index + description: LNK icon index + type: long + + - name: header.window_style + description: LNK window style + type: keyword + + - name: header.hot_key + description: LNK hot key + type: keyword + + - name: shellbags + description: LNK shellbags + type: nested + fields: + - name: name + description: LNK shellbag name + type: integer + + - name: size + description: LNK shellbag size + type: integer + + - name: type_id + description: LNK shellbag type id + type: integer + + - name: sha256 + description: LNK shellbag sha256 + type: keyword + + - name: location.flags + description: LNK location flags + 
type: keyword + + - name: location.common_path_suffix + description: LNK common path suffix + type: keyword + + - name: location.local_base_path + description: LNK local base path + type: keyword + + - name: location.volume.drive_type + description: LNK volume drive type + type: keyword + + - name: location.volume.drive_serial_number + description: LNK volume drive serial number + type: keyword + + - name: location.volume.volume_label + description: LNK volume label + type: keyword + + - name: location.network_share.flags + description: LNK network share flags + type: keyword + + - name: location.network_share.provider_type + description: LNK network share provider type + type: keyword + + - name: location.network_share.name + description: LNK network share name + type: keyword + + - name: location.network_share.device_name + description: LNK network share device name + type: keyword diff --git a/auditbeat/module/file_integrity/fields.go b/auditbeat/module/file_integrity/fields.go index c7dce9bc9867..0a85bff93e2d 100644 --- a/auditbeat/module/file_integrity/fields.go +++ b/auditbeat/module/file_integrity/fields.go @@ -32,5 +32,5 @@ func init() { // AssetFileIntegrity returns asset data. // This is the base64 encoded gzipped contents of module/file_integrity. func AssetFileIntegrity() string { - return "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" + return "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" } diff --git a/go.mod b/go.mod index 504fe58a8266..c08842b7c9bd 100644 --- a/go.mod +++ b/go.mod @@ -119,6 +119,7 @@ require ( github.com/mattn/go-ieproxy v0.0.0-20191113090002-7c0f6868bffe // indirect github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect github.com/miekg/dns v1.1.15 + github.com/minio/sha256-simd v1.0.0 github.com/mitchellh/gox v1.0.1 github.com/mitchellh/hashstructure v0.0.0-20170116052023-ab25296c0f51 github.com/mitchellh/mapstructure v1.3.3 
diff --git a/go.sum b/go.sum index 4fcc1ef0c5ca..9a31605de3a9 100644 --- a/go.sum +++ b/go.sum @@ -489,6 +489,8 @@ github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQL github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/klauspost/compress v1.11.0 h1:wJbzvpYMVGG9iTI9VxpnNZfd4DzMPoCWze3GgSqz8yg= github.com/klauspost/compress v1.11.0/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= +github.com/klauspost/cpuid/v2 v2.0.4 h1:g0I61F2K2DjRHz1cnxlkNSBIaePVoJIjjnHui8QHbiw= +github.com/klauspost/cpuid/v2 v2.0.4/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.2 h1:DB17ag19krx9CFsz4o3enTrPXyIXCl+2iCXH/aMAp9s= github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= @@ -533,6 +535,8 @@ github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182aff github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= github.com/miekg/dns v1.1.15 h1:CSSIDtllwGLMoA6zjdKnaE6Tx6eVUxQ29LUgGetiDCI= github.com/miekg/dns v1.1.15/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= +github.com/minio/sha256-simd v1.0.0 h1:v1ta+49hkWZyvaKwrQB8elexRqm6Y0aMLjCNsrYxo6g= +github.com/minio/sha256-simd v1.0.0/go.mod h1:OuYzVNI5vcoYIAmbIvHPl3N3jUzVedXbKy5RFepssQM= github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/mitchellh/go-testing-interface v1.0.0 h1:fzU/JVNcaqHQEcVFAKeR41fkiLdIPrefOvVG1VZ96U0= diff --git a/libbeat/docs/processors-list.asciidoc b/libbeat/docs/processors-list.asciidoc index e2670ebc39e3..ae9e8143a333 100644 
--- a/libbeat/docs/processors-list.asciidoc +++ b/libbeat/docs/processors-list.asciidoc @@ -14,6 +14,9 @@ endif::[] ifndef::no_add_fields_processor[] * <> endif::[] +ifndef::no_add_file_data_processor[] +* <> +endif::[] ifndef::no_add_host_metadata_processor[] * <> endif::[] @@ -128,6 +131,9 @@ endif::[] ifndef::no_add_fields_processor[] include::{libbeat-processors-dir}/actions/docs/add_fields.asciidoc[] endif::[] +ifndef::no_add_file_data_processor[] +include::{libbeat-processors-dir}/actions/docs/add_file_data.asciidoc[] +endif::[] ifndef::no_add_host_metadata_processor[] include::{libbeat-processors-dir}/add_host_metadata/docs/add_host_metadata.asciidoc[] endif::[] diff --git a/libbeat/formats/common/chi.go b/libbeat/formats/common/chi.go new file mode 100644 index 000000000000..e066303c3ae9 --- /dev/null +++ b/libbeat/formats/common/chi.go 
@@ -0,0 +1,42 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package common + +import ( + "math" +) + +// ChiSquare calculates the chi-squared distribution of data +func ChiSquare(data []byte) float64 { + cache := make([]float64, 256) + for _, b := range data { + cache[b] = cache[b] + 1 + } + + result := 0.0 + length := len(data) + perBin := float64(length) / float64(256) // expected count per bin + if perBin == 0 { + return 0.0 + } + for _, count := range cache { + a := count - perBin + result += (a * a) / perBin + } + return math.Round(result*100) / 100 +} diff --git a/libbeat/formats/common/entropy.go b/libbeat/formats/common/entropy.go new file mode 100644 index 000000000000..4625c462092b --- /dev/null +++ b/libbeat/formats/common/entropy.go 
@@ -0,0 +1,40 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package common + +import "math" + +// Entropy calculates the entropy of data +func Entropy(data []byte) float64 { + cache := make(map[byte]int) + for _, b := range data { + if found, ok := cache[b]; ok { + cache[b] = found + 1 + } else { + cache[b] = 1 + } + } + + result := 0.0 + length := len(data) + for _, count := range cache { + frequency := float64(count) / float64(length) + result -= frequency * math.Log2(frequency) + } + return math.Round(result*100) / 100 +} diff --git a/libbeat/formats/common/string.go b/libbeat/formats/common/string.go new file mode 100644 index 000000000000..3ca28d5c5bc6 --- /dev/null +++ b/libbeat/formats/common/string.go 
@@ -0,0 +1,32 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package common + +// ReadString reads a string starting at the given offset +func ReadString(data []byte, offset int) string { + if offset < 0 || offset >= len(data) { + return "" + } + + for end := offset; end < len(data); end++ { + if data[end] == 0 { + return string(data[offset:end]) + } + } + return "" +} diff --git a/libbeat/formats/common/unicode.go b/libbeat/formats/common/unicode.go new file mode 100644 index 000000000000..b07f0d9aa531 --- /dev/null +++ b/libbeat/formats/common/unicode.go 
@@ -0,0 +1,39 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package common + +import ( + "encoding/binary" + "unicode/utf16" +) + +// ReadUnicode decodes a unicode string ending with a null +func ReadUnicode(data []byte, offset int) string { + encode := []uint16{} + for { + if len(data) < offset+1 { + return string(utf16.Decode(encode)) + } + value := binary.LittleEndian.Uint16(data[offset : offset+2]) + if value == 0 { + return string(utf16.Decode(encode)) + } + encode = append(encode, value) + offset += 2 + } +} diff --git a/libbeat/formats/dwarf/dwarf.go b/libbeat/formats/dwarf/dwarf.go new file mode 100644 index 000000000000..b0bc5a2c1159 --- /dev/null +++ b/libbeat/formats/dwarf/dwarf.go 
@@ -0,0 +1,154 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package dwarf + +import ( + "debug/dwarf" + "time" +) + +var dwarfTypes = map[dwarf.Tag]string{ + dwarf.TagArrayType: "array", + dwarf.TagClassType: "class", + dwarf.TagEntryPoint: "entrypoint", + dwarf.TagEnumerationType: "enumeration", + dwarf.TagFormalParameter: "formal parameter", + dwarf.TagImportedDeclaration: "imported declaration", + dwarf.TagLabel: "label", + dwarf.TagLexDwarfBlock: "lex block", + dwarf.TagMember: "member", + dwarf.TagPointerType: "pointer", + dwarf.TagReferenceType: "reference", + dwarf.TagCompileUnit: "compile unit", + dwarf.TagStringType: "string", + dwarf.TagStructType: "struct", + dwarf.TagSubroutineType: "subroutine", + dwarf.TagTypedef: "typedef", + dwarf.TagUnionType: "union", + dwarf.TagUnspecifiedParameters: "unspecified parameters", + dwarf.TagVariant: "variant", + dwarf.TagCommonDwarfBlock: "common block", + dwarf.TagCommonInclusion: "common inclusion", + dwarf.TagInheritance: "inheritance", + dwarf.TagInlinedSubroutine: "inlined subroutine", + dwarf.TagModule: "module", + dwarf.TagPtrToMemberType: "pointer to member", + dwarf.TagSetType: "set", + dwarf.TagSubrangeType: "subrange", + dwarf.TagWithStmt: "with 
statement", + dwarf.TagAccessDeclaration: "access declaration", + dwarf.TagBaseType: "base", + dwarf.TagCatchDwarfBlock: "catch block", + dwarf.TagConstType: "const", + dwarf.TagConstant: "constant", + dwarf.TagEnumerator: "enumerator", + dwarf.TagFileType: "file", + dwarf.TagFriend: "friend", + dwarf.TagNamelist: "namelist", + dwarf.TagNamelistItem: "namelist item", + dwarf.TagPackedType: "packed", + dwarf.TagSubprogram: "subprogram", + dwarf.TagTemplateTypeParameter: "template type parameter", + dwarf.TagTemplateValueParameter: "template value parameter", + dwarf.TagThrownType: "thrown", + dwarf.TagTryDwarfBlock: "try block", + dwarf.TagVariantPart: "variant part", + dwarf.TagVariable: "variable", + dwarf.TagVolatileType: "volatile", + dwarf.TagDwarfProcedure: "procedure", + dwarf.TagRestrictType: "restrict", + dwarf.TagInterfaceType: "interface", + dwarf.TagNamespace: "namespace", + dwarf.TagImportedModule: "imported module", + dwarf.TagUnspecifiedType: "unspecified", + dwarf.TagPartialUnit: "partial unit", + dwarf.TagImportedUnit: "imported unit", + dwarf.TagMutableType: "mutable", + dwarf.TagCondition: "condition", + dwarf.TagSharedType: "shared", + dwarf.TagTypeUnit: "type unit", + dwarf.TagRvalueReferenceType: "rvalue reference", + dwarf.TagTemplateAlias: "template alias", + dwarf.TagCoarrayType: "coarray", + dwarf.TagGenericSubrange: "generic subrange", + dwarf.TagDynamicType: "dynamic", + dwarf.TagAtomicType: "atomic", + dwarf.TagCallSite: "call site", + dwarf.TagCallSiteParameter: "call site parameter", + dwarf.TagSkeletonUnit: "skeleton unit", + dwarf.TagImmutableType: "immutable", +} + +func lookupType(tag dwarf.Tag) string { + if name, ok := dwarfTypes[tag]; ok { + return name + } + return "unknown" +} + +// DWARF contains debug info +type DWARF struct { + Offset int64 `json:"offset,omitempty"` + Size int64 `json:"size,omitempty"` + Type string `json:"type,omitempty"` + Timestamp *time.Time `json:"timestamp,omitempty"` +} + +// Parse parses a DWARF 
table into debug sections +func Parse(data *dwarf.Data) ([]DWARF, error) { + reader := data.Reader() + if reader == nil { + return nil, nil + } + offset := dwarf.Offset(0) + symbols := []DWARF{} + for { + entry, err := reader.Next() + if entry == nil { + break + } + if err != nil { + return nil, err + } + size := entry.Offset - offset + offset = entry.Offset + var compiledAt *time.Time + if entry.Tag == dwarf.TagCompileUnit { + lreader, err := data.LineReader(entry) + if err == nil && lreader != nil { + // just skip if we can't read the data + for _, f := range lreader.Files() { + if f != nil && f.Mtime != 0 { + // we have some sort of modification time + // use it as thhe compiled time + compiled := time.Unix(int64(f.Mtime), 0).UTC() + compiledAt = &compiled + break + } + } + } + } + symbols = append(symbols, DWARF{ + Offset: int64(entry.Offset), + Size: int64(size), + Type: lookupType(entry.Tag), + Timestamp: compiledAt, + }) + } + return symbols, nil +} diff --git a/libbeat/formats/elf/.gitignore b/libbeat/formats/elf/.gitignore new file mode 100644 index 000000000000..b36ad95ce030 --- /dev/null +++ b/libbeat/formats/elf/.gitignore @@ -0,0 +1,4 @@ +corpus +suppressions +crashers +elf-fuzz.zip diff --git a/libbeat/formats/elf/elf.go b/libbeat/formats/elf/elf.go new file mode 100644 index 000000000000..e46ffe6d692d --- /dev/null +++ b/libbeat/formats/elf/elf.go 
@@ -0,0 +1,219 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package elf + +import ( + "bytes" + "debug/elf" + "fmt" + "io" + "io/ioutil" + + "github.com/elastic/beats/v7/libbeat/formats/common" + "github.com/elastic/beats/v7/libbeat/formats/dwarf" +) + +// Segment represents a program segment +type Segment struct { + Name string `json:"name"` + Sections []string `json:"sections"` +} + +// Symbol contains information about a symbol +type Symbol struct { + Name string `json:"name"` + Type string `json:"type"` +} + +// Header contains information inside the elf header. +type Header struct { + Class string `json:"class"` + Data string `json:"data"` + Machine string `json:"machine"` + OSAbi string `json:"os_abi"` + Type string `json:"type"` + Version string `json:"version"` + AbiVersion string `json:"abi_version"` + Entrypoint string `json:"entrypoint"` +} + +// Section contains information about a section in an elf file. 
+type Section struct { + Flags []string `json:"flags,omitempty"` + Name string `json:"name"` + PhysicalOffset int64 `json:"physical_offset"` + Type string `json:"type"` + PhysicalSize int64 `json:"physical_size"` + VirtualAddress int64 `json:"virtual_address"` + VirtualSize int64 `json:"virtual_size"` + Entropy float64 `json:"entropy"` + ChiSquare float64 `json:"chi2"` +} + +// Info contains high level fingerprinting an analysis of a elf file. +type Info struct { + Imports []Symbol `json:"imports,omitempty"` + Exports []Symbol `json:"exports,omitempty"` + Segments []Segment `json:"segments,omitempty"` + SharedLibraries []string `json:"shared_libraries,omitempty"` + Header Header `json:"header"` + Sections []Section `json:"sections,omitempty"` + Packers []string `json:"packers,omitempty"` + Debug []dwarf.DWARF `json:"debug,omitempty"` + + // TODO: Calculating this requires disassembly of non-exported + // function call sites, consider re-adding it if we can + // find a native go disassembler + // Telfhash string `json:"telfhash,omitempty"` +} + +// Parse parses the elf file and returns information about it or errors. 
+func Parse(r io.ReaderAt) (interface{}, error) { + elfFile, err := elf.NewFile(r) + if err != nil { + return nil, err + } + dynamicSymbols, err := elfFile.DynamicSymbols() + if err != nil { + if err != elf.ErrNoSymbols { + return nil, err + } + } + exports := []Symbol{} + imports := []Symbol{} + librarySet := make(map[string]struct{}) + for _, symbol := range dynamicSymbols { + binding := elf.ST_BIND(symbol.Info) + if binding == elf.STB_GLOBAL && symbol.Section == elf.SHN_UNDEF { + // symbol is imported + library := symbol.Library + if library != "" { + librarySet[library] = struct{}{} + } + imports = append(imports, Symbol{ + Name: symbol.Name, + Type: elf.ST_TYPE(symbol.Info).String(), + }) + } else if elf.ST_VISIBILITY(symbol.Other) == elf.STV_DEFAULT { + // if we have a weak or globally bound symbol, it's exported + if binding == elf.STB_GLOBAL || binding == elf.STB_WEAK { + exports = append(exports, Symbol{ + Name: symbol.Name, + Type: elf.ST_TYPE(symbol.Info).String(), + }) + } + } + } + libraries := []string{} + for library := range librarySet { + libraries = append(libraries, library) + } + + header := Header{ + Class: translateClass(elfFile.Class), + Data: translateData(elfFile.Data), + Machine: translateMachine(elfFile.Machine), + OSAbi: translateOSABI(elfFile.OSABI), + Type: translateType(elfFile.Type), + Version: translateVersion(elfFile.Version), + AbiVersion: fmt.Sprintf("%d", elfFile.ABIVersion), + Entrypoint: fmt.Sprintf("0x%x", elfFile.Entry), + } + + segments := make(map[*elf.Prog][]string) + sections := []Section{} + for _, section := range elfFile.Sections { + var entropy float64 + var chiSquare float64 + + name := section.Name + if name == "" { + if section.Size == 0 { + continue + } + name = "UKNOWN" + } + for _, prog := range elfFile.Progs { + if prog.Off <= section.Offset && prog.Off+prog.Memsz > section.Offset { + // program segments can overlap, so don't break early + segments[prog] = append(segments[prog], name) + } + } + + data, err := 
section.Data() + if err == nil { + entropy = common.Entropy(data) + chiSquare = common.ChiSquare(data) + } + sections = append(sections, Section{ + Flags: translateSectionFlags(section.Flags), + Name: name, + PhysicalOffset: int64(section.Offset), + Type: translateSectionType(section.Type), + PhysicalSize: int64(section.FileSize), + VirtualAddress: int64(section.Addr), + VirtualSize: int64(section.Size), + Entropy: entropy, + ChiSquare: chiSquare, + }) + } + translatedSegments := make([]Segment, len(elfFile.Progs)) + for i, prog := range elfFile.Progs { + sections, ok := segments[prog] + if !ok { + sections = []string{} + } + translatedSegments[i] = Segment{ + Name: translateProgType(prog.Type), + Sections: sections, + } + } + + info := &Info{ + Imports: imports, + Exports: exports, + Segments: translatedSegments, + SharedLibraries: libraries, + Header: header, + Sections: sections, + Packers: getPackers(elfFile), + } + + if debug, err := elfFile.DWARF(); err == nil { + // just ignore the error if we can't get DWARF information + debugSymbols, err := dwarf.Parse(debug) + if err == nil { + info.Debug = debugSymbols + } + } + + return info, nil +} + +func getPackers(elfFile *elf.File) []string { + // this is expensive, figure out a way of making it less so + for _, prog := range elfFile.Progs { + data, err := ioutil.ReadAll(prog.Open()) + if err == nil { + if bytes.Contains(data, []byte("UPX!")) { + return []string{"upx"} + } + } + } + return nil +} diff --git a/libbeat/formats/elf/elf_fuzz.go b/libbeat/formats/elf/elf_fuzz.go new file mode 100644 index 000000000000..e3580ed9253f --- /dev/null +++ b/libbeat/formats/elf/elf_fuzz.go 
@@ -0,0 +1,29 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// +build fuzz + +package elf + +import ( + "bytes" +) + +func Fuzz(data []byte) int { + Parse(bytes.NewReader(data)) + return 0 +} diff --git a/libbeat/formats/elf/elf_test.go b/libbeat/formats/elf/elf_test.go new file mode 100644 index 000000000000..7647d3ca9617 --- /dev/null +++ b/libbeat/formats/elf/elf_test.go 
@@ -0,0 +1,61 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package elf + +import ( + "encoding/json" + "io/ioutil" + "os" + "testing" + + "github.com/stretchr/testify/require" +) + +func TestBinaries(t *testing.T) { + generate := os.Getenv("GENERATE") == "1" + binaries := []string{ + "hello-linux", + } + for _, binary := range binaries { + t.Run(binary, func(t *testing.T) { + f, err := os.Open("../fixtures/elf/" + binary) + require.NoError(t, err) + defer f.Close() + + info, err := Parse(f) + require.NoError(t, err) + + expectedFile := "../fixtures/elf/" + binary + ".fingerprint" + if generate { + data, err := json.MarshalIndent(info, "", " ") + require.NoError(t, err) + require.NoError(t, ioutil.WriteFile(expectedFile, data, 0644)) + } else { + fixture, err := os.Open(expectedFile) + require.NoError(t, err) + defer fixture.Close() + expected, err := ioutil.ReadAll(fixture) + require.NoError(t, err) + + data, err := json.Marshal(info) + require.NoError(t, err) + require.JSONEq(t, string(expected), string(data)) + } + }) + } +} diff --git a/libbeat/formats/elf/header.go b/libbeat/formats/elf/header.go new file mode 100644 index 000000000000..4d0f43402415 --- /dev/null +++ b/libbeat/formats/elf/header.go 
@@ -0,0 +1,301 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package elf + +import "debug/elf" + +var machineNames = map[elf.Machine]string{ + elf.EM_NONE: "Unknown machine", + elf.EM_M32: "AT&T WE32100", + elf.EM_SPARC: "Sun SPARC", + elf.EM_386: "Intel i386", + elf.EM_68K: "Motorola 68000", + elf.EM_88K: "Motorola 88000", + elf.EM_860: "Intel i860", + elf.EM_MIPS: "MIPS R3000 Big-Endian only", + elf.EM_S370: "IBM System/370", + elf.EM_MIPS_RS3_LE: "MIPS R3000 Little-Endian", + elf.EM_PARISC: "HP PA-RISC", + elf.EM_VPP500: "Fujitsu VPP500", + elf.EM_SPARC32PLUS: "SPARC v8plus", + elf.EM_960: "Intel 80960", + elf.EM_PPC: "PowerPC 32-bit", + elf.EM_PPC64: "PowerPC 64-bit", + elf.EM_S390: "IBM System/390", + elf.EM_V800: "NEC V800", + elf.EM_FR20: "Fujitsu FR20", + elf.EM_RH32: "TRW RH-32", + elf.EM_RCE: "Motorola RCE", + elf.EM_ARM: "ARM", + elf.EM_SH: "Hitachi SH", + elf.EM_SPARCV9: "SPARC v9 64-bit", + elf.EM_TRICORE: "Siemens TriCore embedded processor", + elf.EM_ARC: "Argonaut RISC Core", + elf.EM_H8_300: "Hitachi H8/300", + elf.EM_H8_300H: "Hitachi H8/300H", + elf.EM_H8S: "Hitachi H8S", + elf.EM_H8_500: "Hitachi H8/500", + elf.EM_IA_64: "Intel IA-64 Processor", + elf.EM_MIPS_X: "Stanford MIPS-X", + 
elf.EM_COLDFIRE: "Motorola ColdFire", + elf.EM_68HC12: "Motorola M68HC12", + elf.EM_MMA: "Fujitsu MMA", + elf.EM_PCP: "Siemens PCP", + elf.EM_NCPU: "Sony nCPU", + elf.EM_NDR1: "Denso NDR1 microprocessor", + elf.EM_STARCORE: "Motorola Star*Core processor", + elf.EM_ME16: "Toyota ME16 processor", + elf.EM_ST100: "STMicroelectronics ST100 processor", + elf.EM_TINYJ: "Advanced Logic Corp. TinyJ processor", + elf.EM_X86_64: "Advanced Micro Devices x86-64", + elf.EM_PDSP: "Sony DSP Processor", + elf.EM_PDP10: "Digital Equipment Corp. PDP-10", + elf.EM_PDP11: "Digital Equipment Corp. PDP-11", + elf.EM_FX66: "Siemens FX66 microcontroller", + elf.EM_ST9PLUS: "STMicroelectronics ST9+ 8/16 bit microcontroller", + elf.EM_ST7: "STMicroelectronics ST7 8-bit microcontroller", + elf.EM_68HC16: "Motorola MC68HC16 Microcontroller", + elf.EM_68HC11: "Motorola MC68HC11 Microcontroller", + elf.EM_68HC08: "Motorola MC68HC08 Microcontroller", + elf.EM_68HC05: "Motorola MC68HC05 Microcontroller", + elf.EM_SVX: "Silicon Graphics SVx", + elf.EM_ST19: "STMicroelectronics ST19 8-bit microcontroller", + elf.EM_VAX: "Digital VAX", + elf.EM_CRIS: "Axis Communications 32-bit embedded processor", + elf.EM_JAVELIN: "Infineon Technologies 32-bit embedded processor", + elf.EM_FIREPATH: "Element 14 64-bit DSP Processor", + elf.EM_ZSP: "LSI Logic 16-bit DSP Processor", + elf.EM_MMIX: "Donald Knuth's educational 64-bit processor", + elf.EM_HUANY: "Harvard University machine-independent object files", + elf.EM_PRISM: "SiTera Prism", + elf.EM_AVR: "Atmel AVR 8-bit microcontroller", + elf.EM_FR30: "Fujitsu FR30", + elf.EM_D10V: "Mitsubishi D10V", + elf.EM_D30V: "Mitsubishi D30V", + elf.EM_V850: "NEC v850", + elf.EM_M32R: "Mitsubishi M32R", + elf.EM_MN10300: "Matsushita MN10300", + elf.EM_MN10200: "Matsushita MN10200", + elf.EM_PJ: "picoJava", + elf.EM_OPENRISC: "OpenRISC 32-bit embedded processor", + elf.EM_ARC_COMPACT: "ARC International ARCompact processor (old spelling/synonym: EM_ARC_A5)", + 
elf.EM_XTENSA: "Tensilica Xtensa Architecture", + elf.EM_VIDEOCORE: "Alphamosaic VideoCore processor", + elf.EM_TMM_GPP: "Thompson Multimedia General Purpose Processor", + elf.EM_NS32K: "National Semiconductor 32000 series", + elf.EM_TPC: "Tenor Network TPC processor", + elf.EM_SNP1K: "Trebia SNP 1000 processor", + elf.EM_ST200: "STMicroelectronics (www.st.com) ST200 microcontroller", + elf.EM_IP2K: "Ubicom IP2xxx microcontroller family", + elf.EM_MAX: "MAX Processor", + elf.EM_CR: "National Semiconductor CompactRISC microprocessor", + elf.EM_F2MC16: "Fujitsu F2MC16", + elf.EM_MSP430: "Texas Instruments embedded microcontroller msp430", + elf.EM_BLACKFIN: "Analog Devices Blackfin (DSP) processor", + elf.EM_SE_C33: "S1C33 Family of Seiko Epson processors", + elf.EM_SEP: "Sharp embedded microprocessor", + elf.EM_ARCA: "Arca RISC Microprocessor", + elf.EM_UNICORE: "Microprocessor series from PKU-Unity Ltd. and MPRC of Peking University", + elf.EM_EXCESS: "eXcess: 16/32/64-bit configurable embedded CPU", + elf.EM_DXP: "Icera Semiconductor Inc. 
Deep Execution Processor", + elf.EM_ALTERA_NIOS2: "Altera Nios II soft-core processor", + elf.EM_CRX: "National Semiconductor CompactRISC CRX microprocessor", + elf.EM_XGATE: "Motorola XGATE embedded processor", + elf.EM_C166: "Infineon C16x/XC16x processor", + elf.EM_M16C: "Renesas M16C series microprocessors", + elf.EM_DSPIC30F: "Microchip Technology dsPIC30F Digital Signal Controller", + elf.EM_CE: "Freescale Communication Engine RISC core", + elf.EM_M32C: "Renesas M32C series microprocessors", + elf.EM_TSK3000: "Altium TSK3000 core", + elf.EM_RS08: "Freescale RS08 embedded processor", + elf.EM_SHARC: "Analog Devices SHARC family of 32-bit DSP processors", + elf.EM_ECOG2: "Cyan Technology eCOG2 microprocessor", + elf.EM_SCORE7: "Sunplus S+core7 RISC processor", + elf.EM_DSP24: "New Japan Radio (NJR) 24-bit DSP Processor", + elf.EM_VIDEOCORE3: "Broadcom VideoCore III processor", + elf.EM_LATTICEMICO32: "RISC processor for Lattice FPGA architecture", + elf.EM_SE_C17: "Seiko Epson C17 family", + elf.EM_TI_C6000: "The Texas Instruments TMS320C6000 DSP family", + elf.EM_TI_C2000: "The Texas Instruments TMS320C2000 DSP family", + elf.EM_TI_C5500: "The Texas Instruments TMS320C55x DSP family", + elf.EM_TI_ARP32: "Texas Instruments Application Specific RISC Processor, 32bit fetch", + elf.EM_TI_PRU: "Texas Instruments Programmable Realtime Unit", + elf.EM_MMDSP_PLUS: "STMicroelectronics 64bit VLIW Data Signal Processor", + elf.EM_CYPRESS_M8C: "Cypress M8C microprocessor", + elf.EM_R32C: "Renesas R32C series microprocessors", + elf.EM_TRIMEDIA: "NXP Semiconductors TriMedia architecture family", + elf.EM_QDSP6: "QUALCOMM DSP6 Processor", + elf.EM_8051: "Intel 8051 and variants", + elf.EM_STXP7X: "STMicroelectronics STxP7x family of configurable and extensible RISC processors", + elf.EM_NDS32: "Andes Technology compact code size embedded RISC processor family", + // elf.EM_ECOG1: "Cyan Technology eCOG1X family", + elf.EM_ECOG1X: "Cyan Technology eCOG1X family", + 
elf.EM_MAXQ30: "Dallas Semiconductor MAXQ30 Core Micro-controllers", + elf.EM_XIMO16: "New Japan Radio (NJR) 16-bit DSP Processor", + elf.EM_MANIK: "M2000 Reconfigurable RISC Microprocessor", + elf.EM_CRAYNV2: "Cray Inc. NV2 vector architecture", + elf.EM_RX: "Renesas RX family", + elf.EM_METAG: "Imagination Technologies META processor architecture", + elf.EM_MCST_ELBRUS: "MCST Elbrus general purpose hardware architecture", + elf.EM_ECOG16: "Cyan Technology eCOG16 family", + elf.EM_CR16: "National Semiconductor CompactRISC CR16 16-bit microprocessor", + elf.EM_ETPU: "Freescale Extended Time Processing Unit", + elf.EM_SLE9X: "Infineon Technologies SLE9X core", + elf.EM_L10M: "Intel L10M", + elf.EM_K10M: "Intel K10M", + elf.EM_AARCH64: "ARM 64-bit Architecture (AArch64)", + elf.EM_AVR32: "Atmel Corporation 32-bit microprocessor family", + elf.EM_STM8: "STMicroeletronics STM8 8-bit microcontroller", + elf.EM_TILE64: "Tilera TILE64 multicore architecture family", + elf.EM_TILEPRO: "Tilera TILEPro multicore architecture family", + elf.EM_MICROBLAZE: "Xilinx MicroBlaze 32-bit RISC soft processor core", + elf.EM_CUDA: "NVIDIA CUDA architecture", + elf.EM_TILEGX: "Tilera TILE-Gx multicore architecture family", + elf.EM_CLOUDSHIELD: "CloudShield architecture family", + elf.EM_COREA_1ST: "KIPO-KAIST Core-A 1st generation processor family", + elf.EM_COREA_2ND: "KIPO-KAIST Core-A 2nd generation processor family", + elf.EM_ARC_COMPACT2: "Synopsys ARCompact V2", + elf.EM_OPEN8: "Open8 8-bit RISC soft processor core", + elf.EM_RL78: "Renesas RL78 family", + elf.EM_VIDEOCORE5: "Broadcom VideoCore V processor", + elf.EM_78KOR: "Renesas 78KOR family", + elf.EM_56800EX: "Freescale 56800EX Digital Signal Controller (DSC)", + elf.EM_BA1: "Beyond BA1 CPU architecture", + elf.EM_BA2: "Beyond BA2 CPU architecture", + elf.EM_XCORE: "XMOS xCORE processor family", + elf.EM_MCHP_PIC: "Microchip 8-bit PIC(r) family", + elf.EM_INTEL205: "Reserved by Intel", + elf.EM_INTEL206: "Reserved by 
Intel", + elf.EM_INTEL207: "Reserved by Intel", + elf.EM_INTEL208: "Reserved by Intel", + elf.EM_INTEL209: "Reserved by Intel", + elf.EM_KM32: "KM211 KM32 32-bit processor", + elf.EM_KMX32: "KM211 KMX32 32-bit processor", + elf.EM_KMX16: "KM211 KMX16 16-bit processor", + elf.EM_KMX8: "KM211 KMX8 8-bit processor", + elf.EM_KVARC: "KM211 KVARC processor", + elf.EM_CDP: "Paneve CDP architecture family", + elf.EM_COGE: "Cognitive Smart Memory Processor", + elf.EM_COOL: "Bluechip Systems CoolEngine", + elf.EM_NORC: "Nanoradio Optimized RISC", + elf.EM_CSR_KALIMBA: "CSR Kalimba architecture family", + elf.EM_Z80: "Zilog Z80", + elf.EM_VISIUM: "Controls and Data Services VISIUMcore processor", + elf.EM_FT32: "FTDI Chip FT32 high performance 32-bit RISC architecture", + elf.EM_MOXIE: "Moxie processor family", + elf.EM_AMDGPU: "AMD GPU architecture", + elf.EM_RISCV: "RISC-V", + elf.EM_LANAI: "Lanai 32-bit processor", + elf.EM_BPF: "Linux BPF – in-kernel virtual machine", + // deprecated + elf.EM_486: "Intel i486", + // elf.EM_MIPS_RS4_BE: "MIPS R4000 Big-Endian", + elf.EM_ALPHA_STD: "Digital Alpha (standard value)", + elf.EM_ALPHA: "Alpha (written in the absence of an ABI)", +} + +func translateMachine(machine elf.Machine) string { + if found, ok := machineNames[machine]; ok { + return found + } + return "Unknown machine" +} + +func translateVersion(version elf.Version) string { + switch version { + case elf.EV_NONE: + return "none" + case elf.EV_CURRENT: + return "current" + default: + return "unknown" + } +} + +var osABINames = map[elf.OSABI]string{ + elf.ELFOSABI_NONE: "UNIX System V ABI", + elf.ELFOSABI_HPUX: "HP-UX operating system", + elf.ELFOSABI_NETBSD: "NetBSD", + elf.ELFOSABI_LINUX: "GNU/Linux", + elf.ELFOSABI_HURD: "GNU/Hurd", + elf.ELFOSABI_86OPEN: "86Open common IA32 ABI", + elf.ELFOSABI_SOLARIS: "Solaris", + elf.ELFOSABI_AIX: "AIX", + elf.ELFOSABI_IRIX: "IRIX", + elf.ELFOSABI_FREEBSD: "FreeBSD", + elf.ELFOSABI_TRU64: "TRU64 UNIX", + elf.ELFOSABI_MODESTO: 
"Novell Modesto", + elf.ELFOSABI_OPENBSD: "OpenBSD", + elf.ELFOSABI_OPENVMS: "Open VMS", + elf.ELFOSABI_NSK: "HP Non-Stop Kernel", + elf.ELFOSABI_AROS: "Amiga Research OS", + elf.ELFOSABI_FENIXOS: "The FenixOS highly scalable multi-core OS", + elf.ELFOSABI_CLOUDABI: "Nuxi CloudABI", + elf.ELFOSABI_ARM: "ARM", + elf.ELFOSABI_STANDALONE: "Standalone (embedded) application", +} + +func translateOSABI(abi elf.OSABI) string { + if found, ok := osABINames[abi]; ok { + return found + } + return "Unknown OS ABI" +} + +func translateType(t elf.Type) string { + switch t { + case elf.ET_REL: + return "Relocatable" + case elf.ET_EXEC: + return "Executable" + case elf.ET_DYN: + return "Shared object" + case elf.ET_CORE: + return "Core file" + default: + if t >= elf.ET_LOOS && t <= elf.ET_HIOS { + return "OS specific" + } + if t >= elf.ET_LOPROC && t <= elf.ET_HIPROC { + return "Processor specific" + } + return "unknown type" + } +} + +func translateClass(c elf.Class) string { + switch c { + case elf.ELFCLASS32: + return "32-bit architecture" + case elf.ELFCLASS64: + return "64-bit architecture" + default: + return "unknown architecture class" + } +} + +func translateData(d elf.Data) string { + switch d { + case elf.ELFDATA2LSB: + return "little-endian" + case elf.ELFDATA2MSB: + return "big-endian" + default: + return "unknown data format" + } +} diff --git a/libbeat/formats/elf/prog.go b/libbeat/formats/elf/prog.go new file mode 100644 index 000000000000..b5b457d73661 --- /dev/null +++ b/libbeat/formats/elf/prog.go 
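Review bot: in machine.go the default branch of translateMachine returns the same "Unknown machine" string that the table assigns to elf.EM_NONE, so a consumer cannot tell an ELF whose e_machine is 0 from one whose value this table simply does not list. debug/elf already implements Stringer on elf.Machine (and on elf.OSABI, elf.Type and friends), so returning machine.String() in the fallback (which yields the EM_ name or the raw number) keeps the output reversible; the same applies to translateOSABI. Two entries are commented out (`// elf.EM_ECOG1` and `// elf.EM_MIPS_RS4_BE`) with no explanation; a one-line comment that they share their numeric value with EM_ECOG1X and EM_MIPS_RS3_LE in debug/elf and would therefore be duplicate map keys would save the next reader a trip to the Go source. Minor: "STMicroeletronics STM8" is misspelled.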
@@ -0,0 +1,52 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package elf + +import "debug/elf" + +const ( + // https://refspecs.linuxbase.org/LSB_3.1.1/LSB-Core-generic/LSB-Core-generic.html + + // specifies the location and size of the exception handling information as defined by the .eh_frame_hdr section. + ptGnuEhFrame elf.ProgType = 0x6474e550 + // specifies the permissions on the segment containing the stack and is used to indicate wether the stack should be executable. The absense of this header indicates that the stack will be executable. + ptGnuStack elf.ProgType = 0x6474e551 + // specifies the location and size of a segment which may be made read-only after relocation shave been processed. + ptGnuRelro elf.ProgType = 0x6474e552 +) + +var progNames = map[elf.ProgType]string{ + elf.PT_NULL: "NULL", + elf.PT_LOAD: "LOAD", + elf.PT_DYNAMIC: "DYNAMIC", + elf.PT_INTERP: "INTERP", + elf.PT_NOTE: "NOTE", + elf.PT_SHLIB: "SHLIB", + elf.PT_PHDR: "PHDR", + elf.PT_TLS: "TLS", + ptGnuEhFrame: "GNU_EH_FRAME", + ptGnuStack: "GNU_STACK", + ptGnuRelro: "GNU_RELRO", +} + +func translateProgType(progType elf.ProgType) string { + if found, ok := progNames[progType]; ok { + return found + } + return "UNKNOWN" +} 
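Review bot: translateProgType collapses every unmapped type to "UNKNOWN", which is inconsistent with translateType in machine.go, which labels the OS- and processor-specific ranges; the equivalent elf.PT_LOOS..elf.PT_HIOS and elf.PT_LOPROC..elf.PT_HIPROC checks here would at least tell an analyst that an unrecognised segment type is a vendor extension rather than a corrupt header, and progType.String() gives the raw value for free. The locally defined ptGnuEhFrame, ptGnuStack and ptGnuRelro duplicate elf.PT_GNU_EH_FRAME, elf.PT_GNU_STACK and elf.PT_GNU_RELRO, which recent Go releases export from debug/elf; if the module's minimum Go version allows it, use those and drop the local constants. Spelling in the comments: "wether" should be "whether", "absense" should be "absence", and "relocation shave" should be "relocations have".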
diff --git a/libbeat/formats/elf/section.go b/libbeat/formats/elf/section.go new file mode 100644 index 000000000000..4b3be38b8a6d --- /dev/null +++ b/libbeat/formats/elf/section.go 
@@ -0,0 +1,99 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package elf + +import ( + "debug/elf" +) + +var sectionNames = map[elf.SectionType]string{ + elf.SHT_NULL: "NULL", + elf.SHT_PROGBITS: "PROGBITS", + elf.SHT_SYMTAB: "SYMTAB", + elf.SHT_STRTAB: "STRTAB", + elf.SHT_RELA: "RELA", + elf.SHT_HASH: "HASH", + elf.SHT_DYNAMIC: "DYNAMIC", + elf.SHT_NOTE: "NOTE", + elf.SHT_NOBITS: "NOBITS", + elf.SHT_REL: "REL", + elf.SHT_SHLIB: "SHLIB", + elf.SHT_DYNSYM: "DYNSYM", + elf.SHT_INIT_ARRAY: "INIT_ARRAY", + elf.SHT_FINI_ARRAY: "FINI_ARRAY", + elf.SHT_PREINIT_ARRAY: "PREINIT_ARRAY", + elf.SHT_GROUP: "GROUP", + elf.SHT_SYMTAB_SHNDX: "SYMTAB_SHNDX", + elf.SHT_GNU_ATTRIBUTES: "GNU_ATTRIBUTES", + elf.SHT_GNU_HASH: "GNU_HASH", + elf.SHT_GNU_LIBLIST: "GNU_LIBLIST", + elf.SHT_GNU_VERDEF: "GNU_VERDEF", + elf.SHT_GNU_VERNEED: "GNU_VERNEED", + elf.SHT_GNU_VERSYM: "GNU_VERSYM", +} + +func translateSectionType(sectionType elf.SectionType) string { + if found, ok := sectionNames[sectionType]; ok { + return found + } + return "UNKNOWN" +} + +func translateSectionFlags(flags elf.SectionFlag) []string { + active := []string{} + if flags&elf.SHF_WRITE > 0 { + active = append(active, "WRITE") + } + if flags&elf.SHF_ALLOC > 0 { + active = 
append(active, "ALLOC") + } + if flags&elf.SHF_EXECINSTR > 0 { + active = append(active, "EXECINSTR") + } + if flags&elf.SHF_MERGE > 0 { + active = append(active, "MERGE") + } + if flags&elf.SHF_STRINGS > 0 { + active = append(active, "STRINGS") + } + if flags&elf.SHF_INFO_LINK > 0 { + active = append(active, "INFO_LINK") + } + if flags&elf.SHF_LINK_ORDER > 0 { + active = append(active, "LINK_ORDER") + } + if flags&elf.SHF_OS_NONCONFORMING > 0 { + active = append(active, "OS_NONCONFORMING") + } + if flags&elf.SHF_GROUP > 0 { + active = append(active, "GROUP") + } + if flags&elf.SHF_TLS > 0 { + active = append(active, "TLS") + } + if flags&elf.SHF_COMPRESSED > 0 { + active = append(active, "COMPRESSED") + } + if flags&elf.SHF_MASKOS > 0 { + active = append(active, "MASKOS") + } + if flags&elf.SHF_MASKPROC > 0 { + active = append(active, "MASKPROC") + } + return active +} diff --git a/libbeat/formats/fixtures/elf/crashes/0e8e8ead37a39ad29c63f2882e64772f7d47d666 b/libbeat/formats/fixtures/elf/crashes/0e8e8ead37a39ad29c63f2882e64772f7d47d666 new file mode 100644 index 000000000000..6a09acd5c788 Binary files /dev/null and b/libbeat/formats/fixtures/elf/crashes/0e8e8ead37a39ad29c63f2882e64772f7d47d666 differ diff --git a/libbeat/formats/fixtures/elf/crashes/README.txt b/libbeat/formats/fixtures/elf/crashes/README.txt new file mode 100644 index 000000000000..939f979db45f --- /dev/null +++ b/libbeat/formats/fixtures/elf/crashes/README.txt @@ -0,0 +1,6 @@ +This directory contains a sample of binaries that currently +result in code that panics, these were obtained via fuzzing. +They happen as a result of oversized allocations in `debug/elf` +that don't guard against invalid segment lengths passed in to a +`make(..., segment.Size)` call. For the code not to panic, this +should be fixed upstream. 
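Review bot: in translateSectionFlags, elf.SHF_MASKOS and elf.SHF_MASKPROC are bit masks covering the OS- and processor-specific ranges, not individual flags, so `flags&elf.SHF_MASKOS > 0` appends "MASKOS" whenever any OS-specific bit is set and discards which bit it was; emit the masked value instead (for example fmt.Sprintf("OS(0x%x)", flags&elf.SHF_MASKOS) and likewise for the processor range) so the fingerprint stays reversible. translateSectionType has the same all-or-nothing fallback as translateProgType: types in elf.SHT_LOOS..elf.SHT_HIOS and elf.SHT_LOPROC..elf.SHT_HIPROC could be labelled as OS- or processor-specific, or sectionType.String() returned, rather than a bare "UNKNOWN".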
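Review bot: the crashes README records that debug/elf panics on these fuzzed inputs through an unguarded `make(..., segment.Size)`, but it defers the fix upstream and leaves the caller unprotected in the meantime; since this parser is fed arbitrary files, the entry point should either bound segment and section sizes against the file length before handing the data to debug/elf or recover() around the parse and return an error, and the two crash fixtures should be wired into a test that asserts the parse fails cleanly (to be tightened once the upstream allocation is fixed). From this hunk it is not visible whether anything exercises these fixtures at all.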
diff --git a/libbeat/formats/fixtures/elf/crashes/fcc78f3e10a96840e0722882649a8534ee55d7c8 b/libbeat/formats/fixtures/elf/crashes/fcc78f3e10a96840e0722882649a8534ee55d7c8 new file mode 100644 index 000000000000..042f45f064d4 Binary files /dev/null and b/libbeat/formats/fixtures/elf/crashes/fcc78f3e10a96840e0722882649a8534ee55d7c8 differ diff --git a/libbeat/formats/fixtures/elf/hello-linux b/libbeat/formats/fixtures/elf/hello-linux new file mode 100644 index 000000000000..26e3b7383e0d Binary files /dev/null and b/libbeat/formats/fixtures/elf/hello-linux differ diff --git a/libbeat/formats/fixtures/elf/hello-linux.fingerprint b/libbeat/formats/fixtures/elf/hello-linux.fingerprint new file mode 100644 index 000000000000..2e888063b937 --- /dev/null +++ b/libbeat/formats/fixtures/elf/hello-linux.fingerprint 
@@ -0,0 +1,383 @@ +{ + "imports": [ + { + "name": "printf", + "type": "STT_FUNC" + }, + { + "name": "__libc_start_main", + "type": "STT_FUNC" + } + ], + "exports": [ + { + "name": "_init", + "type": "STT_FUNC" + }, + { + "name": "_fini", + "type": "STT_FUNC" + } + ], + "segments": [ + { + "name": "PHDR", + "sections": [] + }, + { + "name": "INTERP", + "sections": [ + ".interp" + ] + }, + { + "name": "LOAD", + "sections": [ + ".interp", + ".hash", + ".gnu.hash", + ".dynsym", + ".dynstr", + ".rela.plt", + ".init", + ".plt", + ".text", + ".fini", + ".rodata", + ".eh_frame_hdr", + ".eh_frame" + ] + }, + { + "name": "LOAD", + "sections": [ + ".ctors", + ".dtors", + ".dynamic", + ".got.plt", + ".data", + ".bss", + ".comment", + ".shstrtab" + ] + }, + { + "name": "DYNAMIC", + "sections": [ + ".dynamic" + ] + }, + { + "name": "GNU_EH_FRAME", + "sections": [ + ".eh_frame_hdr" + ] + }, + { + "name": "GNU_STACK", + "sections": [] + }, + { + "name": "GNU_RELRO", + "sections": [ + ".ctors", + ".dtors", + ".dynamic" + ] + } + ], + "header": { + "class": "64-bit architecture", + "data": "little-endian", + "machine": "Advanced Micro Devices x86-64", + "os_abi": "UNIX System V ABI", + "type": "Executable", + "version": "current", + "abi_version": "0", + "entrypoint": "0x400390" + }, + "sections": [ + { + "flags": [ + "ALLOC" + ], + "name": ".interp", + "physical_offset": 512, + "type": "PROGBITS", + "physical_size": 25, + "virtual_address": 4194816, + "virtual_size": 25, + "entropy": 4.05, + "chi2": 394.84 + }, + { + "flags": [ + "ALLOC" + ], + "name": ".hash", + "physical_offset": 544, + "type": "HASH", + "physical_size": 40, + "virtual_address": 4194848, + "virtual_size": 40, + "entropy": 0.95, + "chi2": 7409.6 + }, + { + "flags": [ + "ALLOC" + ], + "name": ".gnu.hash", + "physical_offset": 584, + "type": "GNU_HASH", + "physical_size": 40, + "virtual_address": 4194888, + "virtual_size": 40, + "entropy": 2.57, + "chi2": 3492.8 + }, + { + "flags": [ + "ALLOC" + ], + "name": 
".dynsym", + "physical_offset": 624, + "type": "DYNSYM", + "physical_size": 120, + "virtual_address": 4194928, + "virtual_size": 120, + "entropy": 1.14, + "chi2": 22147.73 + }, + { + "flags": [ + "ALLOC" + ], + "name": ".dynstr", + "physical_offset": 744, + "type": "STRTAB", + "physical_size": 46, + "virtual_address": 4195048, + "virtual_size": 46, + "entropy": 3.68, + "chi2": 1067.04 + }, + { + "flags": [ + "ALLOC", + "INFO_LINK" + ], + "name": ".rela.plt", + "physical_offset": 792, + "type": "RELA", + "physical_size": 48, + "virtual_address": 4195096, + "virtual_size": 48, + "entropy": 1.31, + "chi2": 7738.67 + }, + { + "flags": [ + "ALLOC", + "EXECINSTR" + ], + "name": ".init", + "physical_offset": 840, + "type": "PROGBITS", + "physical_size": 13, + "virtual_address": 4195144, + "virtual_size": 13, + "entropy": 2.78, + "chi2": 558.08 + }, + { + "flags": [ + "ALLOC", + "EXECINSTR" + ], + "name": ".plt", + "physical_offset": 864, + "type": "PROGBITS", + "physical_size": 48, + "virtual_address": 4195168, + "virtual_size": 48, + "entropy": 3.44, + "chi2": 1584 + }, + { + "flags": [ + "ALLOC", + "EXECINSTR" + ], + "name": ".text", + "physical_offset": 912, + "type": "PROGBITS", + "physical_size": 465, + "virtual_address": 4195216, + "virtual_size": 465, + "entropy": 5.44, + "chi2": 6552.7 + }, + { + "flags": [ + "ALLOC", + "EXECINSTR" + ], + "name": ".fini", + "physical_offset": 1377, + "type": "PROGBITS", + "physical_size": 8, + "virtual_address": 4195681, + "virtual_size": 8, + "entropy": 2.75, + "chi2": 312 + }, + { + "flags": [ + "ALLOC" + ], + "name": ".rodata", + "physical_offset": 1385, + "type": "PROGBITS", + "physical_size": 14, + "virtual_address": 4195689, + "virtual_size": 14, + "entropy": 3.32, + "chi2": 388.29 + }, + { + "flags": [ + "ALLOC" + ], + "name": ".eh_frame_hdr", + "physical_offset": 1400, + "type": "PROGBITS", + "physical_size": 28, + "virtual_address": 4195704, + "virtual_size": 28, + "entropy": 2.86, + "chi2": 1617.71 + }, + { + "flags": [ 
+ "ALLOC" + ], + "name": ".eh_frame", + "physical_offset": 1432, + "type": "PROGBITS", + "physical_size": 100, + "virtual_address": 4195736, + "virtual_size": 100, + "entropy": 3.94, + "chi2": 4717.92 + }, + { + "flags": [ + "WRITE", + "ALLOC" + ], + "name": ".ctors", + "physical_offset": 3744, + "type": "PROGBITS", + "physical_size": 16, + "virtual_address": 6295200, + "virtual_size": 16, + "entropy": 1, + "chi2": 2032 + }, + { + "flags": [ + "WRITE", + "ALLOC" + ], + "name": ".dtors", + "physical_offset": 3760, + "type": "PROGBITS", + "physical_size": 16, + "virtual_address": 6295216, + "virtual_size": 16, + "entropy": 1, + "chi2": 2032 + }, + { + "flags": [ + "WRITE", + "ALLOC" + ], + "name": ".dynamic", + "physical_offset": 3776, + "type": "DYNAMIC", + "physical_size": 320, + "virtual_address": 6295232, + "virtual_size": 320, + "entropy": 1.22, + "chi2": 60276.8 + }, + { + "flags": [ + "WRITE", + "ALLOC" + ], + "name": ".got.plt", + "physical_offset": 4096, + "type": "PROGBITS", + "physical_size": 40, + "virtual_address": 6295552, + "virtual_size": 40, + "entropy": 1.38, + "chi2": 6193.6 + }, + { + "flags": [ + "WRITE", + "ALLOC" + ], + "name": ".data", + "physical_offset": 4136, + "type": "PROGBITS", + "physical_size": 8, + "virtual_address": 6295592, + "virtual_size": 8, + "entropy": 0, + "chi2": 2040 + }, + { + "flags": [ + "WRITE", + "ALLOC" + ], + "name": ".bss", + "physical_offset": 4144, + "type": "NOBITS", + "physical_size": 80, + "virtual_address": 6295616, + "virtual_size": 80, + "entropy": 4.38, + "chi2": 1251.2 + }, + { + "flags": [ + "MERGE", + "STRINGS" + ], + "name": ".comment", + "physical_offset": 4144, + "type": "PROGBITS", + "physical_size": 17, + "virtual_address": 0, + "virtual_size": 17, + "entropy": 3.62, + "chi2": 359.47 + }, + { + "name": ".shstrtab", + "physical_offset": 4161, + "type": "STRTAB", + "physical_size": 157, + "virtual_address": 0, + "virtual_size": 157, + "entropy": 4.11, + "chi2": 2730.75 + } + ] +} \ No newline at end of 
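Review bot: in hello-linux.fingerprint the .bss entry (type NOBITS) reports "physical_size": 80 and "entropy": 4.38 / "chi2": 1251.2 even though a NOBITS section occupies no bytes in the file; it shares "physical_offset": 4144 with .comment, so those statistics were computed over .comment's bytes and whatever follows them, not over .bss. Sections of type NOBITS should have entropy and chi2 skipped (and arguably physical_size reported as 0) so the fingerprint does not attribute file content to a section that has none. Relatedly, each entry in "segments" records only a name and the contained sections, so the GNU_STACK entry carries no flags; whether that segment is marked executable is the one thing the header exists to convey, and a per-segment flags array (as already done for sections) would make it visible.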
file diff --git a/libbeat/formats/fixtures/lnk/local.directory.seven.lnk b/libbeat/formats/fixtures/lnk/local.directory.seven.lnk new file mode 100644 index 000000000000..e9df3274c816 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/local.directory.seven.lnk differ diff --git a/libbeat/formats/fixtures/lnk/local.directory.seven.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.directory.seven.lnk.fingerprint new file mode 100644 index 000000000000..16edfa8811fa --- /dev/null +++ b/libbeat/formats/fixtures/lnk/local.directory.seven.lnk.fingerprint 
@@ -0,0 +1,110 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "EnableTargetMetadata", + "HasLinkInfo", + "HasRelativePath", + "HasTargetIDList", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_DIRECTORY", + "FILE_ATTRIBUTE_NOT_CONTENT_INDEXED" + ], + "creation_time": "2009-07-14T04:53:59Z", + "accessed_time": "2010-05-16T19:36:08Z", + "modified_time": "2010-05-16T19:36:08Z", + "file_size": 8192, + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" + }, + { + "name": "Drive letter", + "size": 25, + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" + }, + { + "name": "Directory", + "size": 116, + "type_id": 49, + "sha256": "15f08d33878f4f6c7c9b6f889a601cd4b5da4a64bd49f845a9165b2ab9adb39d" + }, + { + "name": "Directory", + "size": 96, + "type_id": 49, + "sha256": "142835287f922609b47768a48c433e0179b064b5bce13036c31cfa49572add57" + } + ], + "location": { + "flags": [ + "CommonNetworkRelativeLinkAndPathSuffix", + "VolumeIDAndLocalBasePath" + ], + "common_path_suffix": "Administrator", + "volume": { + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0x502e1a8a", + "volume_label": "SSD-WIN7" + }, + "local_base_path": "C:\\Users\\", + "network_share": { + "flags": [ + "ValidNetType" + ], + "name": "\\\\NETBOOK\\Users" + } + }, + "relative_path": "..\\..\\Administrator", + "extra": { + "known_folder": { + "id": "0762d272-c50a-4bb0-a382-697dcd729b80", + "offset": 161 + }, + "property_store": { + "properties": [ + { + "name": "Item Name Display", + "type": "VT_LPWSTR", + "value": "Administrator" + }, + { + "name": "SID", + "type": "VT_LPWSTR", + "value": "S-1-5-21-2382555026-1982050849-604700897-1000" + }, + { + "name": "Item Folder Path Display Narrow", + "type": "VT_LPWSTR", + "value": "Utilisateurs (C:)" + }, + { + 
"name": "Parsing Path", + "type": "VT_LPWSTR", + "value": "C:\\Users\\Administrator" + } + ] + }, + "tracker": { + "version": 0, + "machine_id": "netbook", + "droid": [ + "4f7c66da-d320-4cc4-8d50-165dd98ebc01", + "136502ff-8c66-11df-b6eb-001377d34a59" + ], + "droid_birth": [ + "4f7c66da-d320-4cc4-8d50-165dd98ebc01", + "136502ff-8c66-11df-b6eb-001377d34a59" + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/local.directory.xp.lnk b/libbeat/formats/fixtures/lnk/local.directory.xp.lnk new file mode 100644 index 000000000000..b2c7051a7d7c Binary files /dev/null and b/libbeat/formats/fixtures/lnk/local.directory.xp.lnk differ diff --git a/libbeat/formats/fixtures/lnk/local.directory.xp.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.directory.xp.lnk.fingerprint new file mode 100644 index 000000000000..19dd1695114d --- /dev/null +++ b/libbeat/formats/fixtures/lnk/local.directory.xp.lnk.fingerprint 
@@ -0,0 +1,76 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasLinkInfo", + "HasRelativePath", + "HasTargetIDList", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_DIRECTORY", + "FILE_ATTRIBUTE_NOT_CONTENT_INDEXED" + ], + "creation_time": "2004-08-19T12:05:25Z", + "accessed_time": "2010-07-09T07:36:45Z", + "modified_time": "2010-07-09T06:48:01Z", + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" + }, + { + "name": "Drive letter", + "size": 25, + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" + }, + { + "name": "Directory", + "size": 60, + "type_id": 49, + "sha256": "8c1009b9789a8cb64ad3bf77c76be523b21a8bf7d53bb013973bf81d474b4cb7" + }, + { + "name": "Directory", + "size": 64, + "type_id": 49, + "sha256": "d5bbac054641d34880108d430b28da42e49bba744601d2850069b8ab637fd8dd" + } + ], + "location": { + "flags": [ + "VolumeIDAndLocalBasePath" + ], + "volume": { + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0x10bdbcd3", + "volume_label": "SYSTEM" + }, + "local_base_path": "C:\\WINDOWS\\system32" + }, + "relative_path": ".\\system32", + "extra": { + "special_folder": { + "id": 37, + "offset": 169 + }, + "tracker": { + "version": 0, + "machine_id": "al-0145", + "droid": [ + "23863e6a-3d00-4423-b4c5-05fe7266eb5e", + "fc884f95-388b-11dd-b743-001c234bc396" + ], + "droid_birth": [ + "23863e6a-3d00-4423-b4c5-05fe7266eb5e", + "fc884f95-388b-11dd-b743-001c234bc396" + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/local.file.darwin.lnk b/libbeat/formats/fixtures/lnk/local.file.darwin.lnk new file mode 100644 index 000000000000..74dc242216a2 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/local.file.darwin.lnk differ 
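Review bot: this fixture's "header" has no "file_size", while local.directory.seven.lnk.fingerprint carries "file_size": 8192; if the field is dropped when the link's FileSize is 0 (an omitempty tag), a consumer cannot distinguish a zero-size target from a value the parser never set, and the document shape changes between otherwise similar links. Prefer emitting file_size unconditionally, or document the omission in the format's schema.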
diff --git a/libbeat/formats/fixtures/lnk/local.file.darwin.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.file.darwin.lnk.fingerprint new file mode 100644 index 000000000000..405f3f2ffdde --- /dev/null +++ b/libbeat/formats/fixtures/lnk/local.file.darwin.lnk.fingerprint 
@@ -0,0 +1,66 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasDarwinID", + "HasExpIcon", + "HasIconLocation", + "HasRelativePath", + "HasTargetIDList", + "IsUnicode" + ], + "file_flags": [], + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" + }, + { + "name": "Drive letter", + "size": 25, + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" + }, + { + "name": "Directory", + "size": 82, + "type_id": 49, + "sha256": "6628adc3d5686a8ac96b35d0ae6f91578a0146ffd15337e0a512cf9b7ef3526e" + }, + { + "name": "Directory", + "size": 88, + "type_id": 49, + "sha256": "7a58b65a8a9659b9579d5a069e4f725ac263d4db5b2a310f939855551427e6f7" + }, + { + "name": "Directory", + "size": 176, + "type_id": 49, + "sha256": "fbfe3fc760a034ebce6f618753b1fb2bc84bbe69cedc49b5f8f664d4e979ded1" + }, + { + "name": "File", + "size": 100, + "type_id": 50, + "sha256": "dc034cb7d706329934d1f2a8ab36a1813879ff0cf34e6b0540059551c83a0ec8" + } + ], + "relative_path": "..\\..\\..\\..\\..\\Windows\\Installer\\{AC76BA86-7AD7-1036-7B44-A93000000001}\\SC_Reader.ico", + "icon_location": "C:\\Windows\\Installer\\{AC76BA86-7AD7-1036-7B44-A93000000001}\\SC_Reader.ico", + "extra": { + "darwin": { + "ansi": "34TL`lrv5(mOG_3$,CC!ReaderProgramFiles\u003ep=@0y{Wn0A8XHjl@4WqB", + "unicode": "34TL`lrv5(mOG_3$,CC!ReaderProgramFiles\u003ep=@0y{Wn0A8XHjl@4WqB" + }, + "icon_environment": { + "ansi": "%SystemRoot%\\Installer\\{AC76BA86-7AD7-1036-7B44-A93000000001}\\SC_Reader.ico", + "unicode": "%SystemRoot%\\Installer\\{AC76BA86-7AD7-1036-7B44-A93000000001}\\SC_Reader.ico" + } + } +} \ No newline at end of file 
diff --git a/libbeat/formats/fixtures/lnk/local.file.env.lnk b/libbeat/formats/fixtures/lnk/local.file.env.lnk new file mode 100644 index 000000000000..47407a8198db Binary files /dev/null and b/libbeat/formats/fixtures/lnk/local.file.env.lnk differ diff --git a/libbeat/formats/fixtures/lnk/local.file.env.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.file.env.lnk.fingerprint new file mode 100644 index 000000000000..52a1486f26b7 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/local.file.env.lnk.fingerprint 
@@ -0,0 +1,153 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasExpString", + "HasIconLocation", + "HasLinkInfo", + "HasRelativePath", + "HasTargetIDList", + "HasWorkingDir", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_NORMAL" + ], + "creation_time": "2006-10-10T19:35:39Z", + "accessed_time": "2006-10-10T19:36:20Z", + "modified_time": "2006-09-08T10:03:59Z", + "file_size": 330240, + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" + }, + { + "name": "Drive letter", + "size": 25, + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" + }, + { + "name": "Directory", + "size": 60, + "type_id": 49, + "sha256": "17555a450f772b5b548a41a14ba12f6531e74034d1964e1770a1c2ae10a6cad8" + }, + { + "name": "Directory", + "size": 64, + "type_id": 49, + "sha256": "59c44cc9d6d8a16f3cc4ff5a3c7d0102210ec9bfb0bf0e5cd47088477aec9c94" + }, + { + "name": "Directory", + "size": 82, + "type_id": 49, + "sha256": "48bd6e8d037f068a905dcf428936ff4d71931f013a8ae9d43dab822a5ec9a05c" + }, + { + "name": "Directory", + "size": 52, + "type_id": 49, + "sha256": "f1865bfcb016766619b56925e4a7e028f48973a1e1c314552d33d7eb50da6d00" + }, + { + "name": "File", + "size": 80, + "type_id": 50, + "sha256": "df36120f19805571a0c42758cb439726c29ed03e987ae7cbbe08a16900e6b8d1" + } + ], + "location": { + "flags": [ + "VolumeIDAndLocalBasePath" + ], + "volume": { + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0x4c8360ef" + }, + "local_base_path": "C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe" + }, + "relative_path": "..\\..\\..\\..\\..\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", + "working_directory": "%HOMEDRIVE%%HOMEPATH%", + "icon_location": "%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", + "extra": { 
+ "console": { + "fill_attributes": [ + "BACKGROUND_BLUE", + "BACKGROUND_RED", + "FOREGROUND_GREEN", + "FOREGROUND_RED" + ], + "popup_fill_attributes": [ + "BACKGROUND_BLUE", + "BACKGROUND_GREEN", + "BACKGROUND_INTENSITY", + "BACKGROUND_RED", + "FOREGROUND_BLUE", + "FOREGROUND_GREEN" + ], + "screen_buffer_size_x": 120, + "screen_buffer_size_y": 3000, + "window_size_x": 120, + "window_size_y": 50, + "window_origin_x": 0, + "window_origin_y": 0, + "font_size": 0, + "font_family": "FF_DONTCARE | TMPF_NONE", + "font_weight": 0, + "cursor_size": 25, + "full_screen": false, + "quick_edit": true, + "insert_mode": true, + "auto_position": false, + "history_buffer_size": 50, + "number_of_history_buffers": 4, + "history_no_dup": false, + "color_table": [ + "0x000000", + "0x800000", + "0x008000", + "0x808000", + "0x000080", + "0x562401", + "0xf0edee", + "0xc0c0c0", + "0x808080", + "0xff0000", + "0x00ff00", + "0xffff00", + "0x0000ff", + "0xff00ff", + "0x00ffff", + "0xffffff" + ] + }, + "environment": { + "ansi": "%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", + "unicode": "%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe" + }, + "special_folder": { + "id": 37, + "offset": 169 + }, + "tracker": { + "version": 0, + "machine_id": "nana-home", + "droid": [ + "946c1150-d061-40dd-8497-a97bde7709e9", + "a48a38cb-5894-11db-afb7-00123f2cd1e5" + ], + "droid_birth": [ + "946c1150-d061-40dd-8497-a97bde7709e9", + "a48a38cb-5894-11db-afb7-00123f2cd1e5" + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/local.file.exec.lnk b/libbeat/formats/fixtures/lnk/local.file.exec.lnk new file mode 100644 index 000000000000..c6e1d2e1f343 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/local.file.exec.lnk differ diff --git a/libbeat/formats/fixtures/lnk/local.file.exec.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.file.exec.lnk.fingerprint new file mode 100644 index 000000000000..a53b1e817abd --- /dev/null 
+++ b/libbeat/formats/fixtures/lnk/local.file.exec.lnk.fingerprint 
@@ -0,0 +1,164 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasArguments", + "HasIconLocation", + "HasLinkInfo", + "HasName", + "HasRelativePath", + "HasTargetIDList", + "HasWorkingDir", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creation_time": "2010-07-12T09:45:31Z", + "accessed_time": "2010-07-12T09:59:58Z", + "modified_time": "2010-07-12T09:55:36Z", + "file_size": 5120, + "icon_index": 27, + "window_style": "SW_NORMAL", + "hot_key": "HOTKEYF_ALT+G" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" + }, + { + "name": "Drive letter", + "size": 25, + "type_id": 47, + "sha256": "67bcf1dbcf03183937b51fb3e0be2c1a0d12ac3b3349d39650e65dd7e7991ee9" + }, + { + "name": "Directory", + "size": 64, + "type_id": 49, + "sha256": "60f07666cf8f95d45c113e5b9c05b10600ca3271fefd4f38b37a43d21df6a05d" + }, + { + "name": "Directory", + "size": 58, + "type_id": 49, + "sha256": "e2866081c76085e7ae84ec96313f54e053f3a58f1675300c38594b743783b022" + }, + { + "name": "Directory", + "size": 64, + "type_id": 49, + "sha256": "6649788de17203194be295fe532f33645963c55cc991371ddab890ffa6b85b19" + }, + { + "name": "Directory", + "size": 72, + "type_id": 49, + "sha256": "c44fbc11152540e01bc5de14510b51f2187c3080e3cd740eb5f4dfc090fe2858" + }, + { + "name": "Directory", + "size": 48, + "type_id": 49, + "sha256": "60ac6e91f4ff666354577d111d987cbb4c934af387bb111afc1b2408e4226209" + }, + { + "name": "Directory", + "size": 54, + "type_id": 49, + "sha256": "5dec5b7c3d205cc117c64ad91081575b2787d8af02d8a6944e6cd1f7f20af038" + }, + { + "name": "File", + "size": 84, + "type_id": 50, + "sha256": "866b54e6bbf760b626d80661f219f7e296c649dc97d0f031cca82c7416161e64" + } + ], + "location": { + "flags": [ + "VolumeIDAndLocalBasePath" + ], + "volume": { + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0xd0d576f3", + 
"volume_label": "DATA" + }, + "local_base_path": "D:\\Devl.Net\\@Perso\\Shellify\\ShellifyTool\\bin\\Debug\\ShellifyTool.exe" + }, + "name": "ExecTesting", + "relative_path": "..\\..\\ShellifyTool\\bin\\Debug\\ShellifyTool.exe", + "working_directory": "D:\\Devl.Net\\@Perso\\Shellify\\ShellifyTool\\bin\\Debug", + "command_line": "argument1 argument2 argument3", + "icon_location": "%SystemRoot%\\system32\\SHELL32.dll", + "extra": { + "console": { + "fill_attributes": [ + "BACKGROUND_BLUE", + "BACKGROUND_GREEN", + "FOREGROUND_BLUE", + "FOREGROUND_GREEN", + "FOREGROUND_RED" + ], + "popup_fill_attributes": [ + "BACKGROUND_BLUE", + "BACKGROUND_GREEN", + "BACKGROUND_INTENSITY", + "BACKGROUND_RED", + "FOREGROUND_BLUE", + "FOREGROUND_RED" + ], + "screen_buffer_size_x": 80, + "screen_buffer_size_y": 300, + "window_size_x": 79, + "window_size_y": 24, + "window_origin_x": 0, + "window_origin_y": 0, + "font_size": 1048576, + "font_family": "FF_MODERN | TMPF_DEVICE | TMPF_TRUETYPE | TMPF_VECTOR", + "font_weight": 400, + "face_name": "Lucida Console", + "cursor_size": 100, + "full_screen": true, + "quick_edit": false, + "insert_mode": true, + "auto_position": true, + "history_buffer_size": 50, + "number_of_history_buffers": 4, + "history_no_dup": false, + "color_table": [ + "0x000000", + "0x800000", + "0x008000", + "0x808001", + "0x000080", + "0x800080", + "0x008080", + "0xc0c0c0", + "0x808080", + "0xff0000", + "0x00ff00", + "0xffff00", + "0x0000ff", + "0xff00ff", + "0x00ffff", + "0xffffff" + ] + }, + "tracker": { + "version": 0, + "machine_id": "al-0145", + "droid": [ + "1415f306-0c5a-4f90-8d72-20c497b6ddb0", + "24e4dede-8cbb-11df-ba00-001c234bc396" + ], + "droid_birth": [ + "1415f306-0c5a-4f90-8d72-20c497b6ddb0", + "24e4dede-8cbb-11df-ba00-001c234bc396" + ] + } + } +} \ No newline at end of file 
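Review bot: `"font_size": 1048576` in the console block of local.file.exec.lnk.fingerprint is the raw packed FontSize value; in the MS-SHLLINK ConsoleDataBlock the high 16 bits hold the font height and the low 16 bits the width, so this is height 16, width 0. Emitting the decoded pair (for example `"font_height": 16, "font_width": 0`) would make the fixture readable without unpacking by hand; the `"font_size": 0` in the PowerShell fixture above would then read as height 0, width 0.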
diff --git a/libbeat/formats/fixtures/lnk/local.file.icoset.lnk b/libbeat/formats/fixtures/lnk/local.file.icoset.lnk new file mode 100644 index 000000000000..2bd6580ed2ea Binary files /dev/null and b/libbeat/formats/fixtures/lnk/local.file.icoset.lnk differ diff --git a/libbeat/formats/fixtures/lnk/local.file.icoset.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.file.icoset.lnk.fingerprint new file mode 100644 index 000000000000..9bbc29d069a6 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/local.file.icoset.lnk.fingerprint 
@@ -0,0 +1,106 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasIconLocation", + "HasLinkInfo", + "HasRelativePath", + "HasTargetIDList", + "HasWorkingDir", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creation_time": "2010-07-12T09:41:21Z", + "accessed_time": "2010-07-12T09:57:19Z", + "modified_time": "2010-07-12T09:55:35Z", + "file_size": 40448, + "icon_index": 130, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" + }, + { + "name": "Drive letter", + "size": 25, + "type_id": 47, + "sha256": "67bcf1dbcf03183937b51fb3e0be2c1a0d12ac3b3349d39650e65dd7e7991ee9" + }, + { + "name": "Directory", + "size": 64, + "type_id": 49, + "sha256": "60f07666cf8f95d45c113e5b9c05b10600ca3271fefd4f38b37a43d21df6a05d" + }, + { + "name": "Directory", + "size": 58, + "type_id": 49, + "sha256": "e2866081c76085e7ae84ec96313f54e053f3a58f1675300c38594b743783b022" + }, + { + "name": "Directory", + "size": 64, + "type_id": 49, + "sha256": "6649788de17203194be295fe532f33645963c55cc991371ddab890ffa6b85b19" + }, + { + "name": "Directory", + "size": 70, + "type_id": 49, + "sha256": "22eb8c20198706753fb5cba5a39c2e1e2cf8fa2f0c4e680971b858c27467c088" + }, + { + "name": "Directory", + "size": 48, + "type_id": 49, + "sha256": "76b612868ab38df0dcc1677bba83da80e9c80d577d1a37f7ec4e86bdb4340836" + }, + { + "name": "Directory", + "size": 54, + "type_id": 49, + "sha256": "4ca94beee15dc6425e9c9ae3e3a44f269f98aa41233d8108598e4ff0a99af603" + }, + { + "name": "File", + "size": 82, + "type_id": 50, + "sha256": "7ffea5fd88a6cf3ba3573aaf372cb19b1f682c95734e004f131a087ee8da29f6" + } + ], + "location": { + "flags": [ + "VolumeIDAndLocalBasePath" + ], + "volume": { + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0xd0d576f3", + "volume_label": "DATA" + }, + "local_base_path": 
"D:\\Devl.Net\\@Perso\\Shellify\\ShellifyLib\\bin\\Debug\\ShellifyLib.dll" + }, + "relative_path": "..\\..\\ShellifyLib\\bin\\Debug\\ShellifyLib.dll", + "working_directory": "D:\\Devl.Net\\@Perso\\Shellify\\ShellifyLib\\bin\\Debug", + "icon_location": "%SystemRoot%\\system32\\SHELL32.dll", + "extra": { + "tracker": { + "version": 0, + "machine_id": "al-0145", + "droid": [ + "1415f306-0c5a-4f90-8d72-20c497b6ddb0", + "24e4dedd-8cbb-11df-ba00-001c234bc396" + ], + "droid_birth": [ + "1415f306-0c5a-4f90-8d72-20c497b6ddb0", + "24e4dedd-8cbb-11df-ba00-001c234bc396" + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/local.file.seven.lnk b/libbeat/formats/fixtures/lnk/local.file.seven.lnk new file mode 100644 index 000000000000..dc25929ad3c7 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/local.file.seven.lnk differ diff --git a/libbeat/formats/fixtures/lnk/local.file.seven.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.file.seven.lnk.fingerprint new file mode 100644 index 000000000000..73965641e80c --- /dev/null +++ b/libbeat/formats/fixtures/lnk/local.file.seven.lnk.fingerprint 
@@ -0,0 +1,109 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "EnableTargetMetadata", + "HasLinkInfo", + "HasRelativePath", + "HasTargetIDList", + "HasWorkingDir", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_ARCHIVE", + "FILE_ATTRIBUTE_NOT_CONTENT_INDEXED" + ], + "creation_time": "2010-06-06T18:06:55Z", + "accessed_time": "2010-06-06T18:06:55Z", + "modified_time": "2010-06-06T18:08:09Z", + "file_size": 2034, + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" + }, + { + "name": "Drive letter", + "size": 25, + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" + }, + { + "name": "Directory", + "size": 116, + "type_id": 49, + "sha256": "15f08d33878f4f6c7c9b6f889a601cd4b5da4a64bd49f845a9165b2ab9adb39d" + }, + { + "name": "Directory", + "size": 74, + "type_id": 49, + "sha256": "153accb5ef74a60a314aff5e316f9727adfc526cab3f7f48797975fb13c964ae" + }, + { + "name": "Directory", + "size": 122, + "type_id": 49, + "sha256": "dc23b8936e1d2aa9f6e441e7d6cdfcc5aa8aca9560ff743a3a5c9f3bce02f6cf" + }, + { + "name": "File", + "size": 98, + "type_id": 50, + "sha256": "2c742382accd87fc7f9adcab1008b50091d347d1edad1a128ef0e9bc7f3ed7ae" + } + ], + "location": { + "flags": [ + "CommonNetworkRelativeLinkAndPathSuffix", + "VolumeIDAndLocalBasePath" + ], + "common_path_suffix": "root\\Desktop\\Fatality.rdp", + "volume": { + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0x502e1a8a", + "volume_label": "SSD-WIN7" + }, + "local_base_path": "C:\\Users\\", + "network_share": { + "flags": [ + "ValidNetType" + ], + "name": "\\\\NETBOOK\\Users" + } + }, + "relative_path": ".\\Fatality.rdp", + "working_directory": "C:\\Users\\root\\Desktop", + "extra": { + "known_folder": { + "id": "b4bfcc3a-db2c-424c-b029-7fe99a87c641", + "offset": 357 + }, + 
"property_store": { + "properties": [ + { + "name": "SID", + "type": "VT_LPWSTR", + "value": "S-1-5-21-2382555026-1982050849-604700897-1000" + } + ] + }, + "tracker": { + "version": 0, + "machine_id": "netbook", + "droid": [ + "4f7c66da-d320-4cc4-8d50-165dd98ebc01", + "13650300-8c66-11df-b6eb-001377d34a59" + ], + "droid_birth": [ + "4f7c66da-d320-4cc4-8d50-165dd98ebc01", + "13650300-8c66-11df-b6eb-001377d34a59" + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/local.file.xp.lnk b/libbeat/formats/fixtures/lnk/local.file.xp.lnk new file mode 100644 index 000000000000..23db775f6470 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/local.file.xp.lnk differ diff --git a/libbeat/formats/fixtures/lnk/local.file.xp.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.file.xp.lnk.fingerprint new file mode 100644 index 000000000000..b2558e9360f6 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/local.file.xp.lnk.fingerprint 
@@ -0,0 +1,78 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasLinkInfo", + "HasRelativePath", + "HasTargetIDList", + "HasWorkingDir", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creation_time": "2004-08-19T12:16:19Z", + "accessed_time": "2010-07-09T07:37:36Z", + "modified_time": "2004-08-05T11:00:00Z", + "file_size": 2, + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" + }, + { + "name": "Drive letter", + "size": 25, + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" + }, + { + "name": "Directory", + "size": 60, + "type_id": 49, + "sha256": "8c1009b9789a8cb64ad3bf77c76be523b21a8bf7d53bb013973bf81d474b4cb7" + }, + { + "name": "File", + "size": 72, + "type_id": 50, + "sha256": "a4ffe239bd06d5f0a41f154758a2386925f5b1d5f51b3c4a5b1ba421be663188" + } + ], + "location": { + "flags": [ + "VolumeIDAndLocalBasePath" + ], + "volume": { + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0x10bdbcd3", + "volume_label": "SYSTEM" + }, + "local_base_path": "C:\\WINDOWS\\desktop.ini" + }, + "relative_path": ".\\desktop.ini", + "working_directory": "C:\\WINDOWS", + "extra": { + "special_folder": { + "id": 36, + "offset": 105 + }, + "tracker": { + "version": 0, + "machine_id": "al-0145", + "droid": [ + "23863e6a-3d00-4423-b4c5-05fe7266eb5e", + "7372eb6b-8ac9-11df-b9fe-001c234bc396" + ], + "droid_birth": [ + "23863e6a-3d00-4423-b4c5-05fe7266eb5e", + "7372eb6b-8ac9-11df-b9fe-001c234bc396" + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/local_cmd.lnk b/libbeat/formats/fixtures/lnk/local_cmd.lnk new file mode 100644 index 000000000000..89c6537f5e48 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/local_cmd.lnk differ 
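Review bot: the `"shellbags"` key used for the parsed LinkTargetIDList (the MY_COMPUTER, Drive letter, Directory and File entries with a type_id and sha256 in local.file.xp.lnk.fingerprint and every other fixture) is a misnomer that will hurt correlation: in forensics "ShellBags" names the Explorer BagMRU/Bags registry artefact, whereas these entries are the ItemIDs of the link's target path. A key such as `target_id_list` or `item_ids` would describe the data and avoid false matches when this output is searched next to real ShellBag parser results.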
diff --git a/libbeat/formats/fixtures/lnk/local_cmd.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local_cmd.lnk.fingerprint new file mode 100644 index 000000000000..759751cecb17 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/local_cmd.lnk.fingerprint 
@@ -0,0 +1,118 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "EnableTargetMetadata", + "HasArguments", + "HasLinkInfo", + "HasName", + "HasRelativePath", + "HasTargetIDList", + "HasWorkingDir", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_ARCHIVE", + "FILE_ATTRIBUTE_NOT_CONTENT_INDEXED" + ], + "creation_time": "2019-07-01T14:00:40Z", + "accessed_time": "2019-07-01T14:00:40Z", + "modified_time": "2014-10-29T01:28:18Z", + "file_size": 357376, + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" + }, + { + "name": "Drive letter", + "size": 25, + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" + }, + { + "name": "Directory", + "size": 86, + "type_id": 49, + "sha256": "3e55b101ccd41e57101a81b240cb57553c8f37a404c48c2a04b6a9af7211cb74" + }, + { + "name": "Directory", + "size": 90, + "type_id": 49, + "sha256": "68d128c6058227a91f23f4e2ddce18205f60e05e8f7e8c974b7f849e70203f71" + }, + { + "name": "File", + "size": 114, + "type_id": 50, + "sha256": "ea4edd38f35d777cce7bacfc79f5d48566baa33f4610614aebaa2a9ba6ad4547" + } + ], + "location": { + "flags": [ + "VolumeIDAndLocalBasePath" + ], + "volume": { + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0xce9c0987", + "volume_label": "System" + }, + "local_base_path": "C:\\Windows\\System32\\cmd with space.exe" + }, + "name": "This is a comment.", + "relative_path": "..\\Windows\\System32\\cmd with space.exe", + "working_directory": "C:\\Windows\\System32", + "command_line": "arg1 \"arg 2\"", + "extra": { + "known_folder": { + "id": "1ac14e77-02e7-4e5d-b744-2eb1ae5198b7", + "offset": 221 + }, + "property_store": { + "properties": [ + { + "name": "Item Folder Path Display Narrow", + "type": "VT_LPWSTR", + "value": "System32 (C:\\Windows)" + }, + { + "name": "SID", + "type": 
"VT_LPWSTR", + "value": "S-1-5-21-2899541433-556809949-1686860144-1001" + }, + { + "name": "Item Name Display", + "type": "VT_LPWSTR", + "value": "cmd with space.exe" + }, + { + "name": "Parsing Path", + "type": "VT_LPWSTR", + "value": "C:\\Windows\\System32\\cmd with space.exe" + } + ] + }, + "special_folder": { + "id": 37, + "offset": 221 + }, + "tracker": { + "version": 0, + "machine_id": "test012345", + "droid": [ + "4d6cc204-ceca-4716-8fa4-b334de43dd91", + "3de30155-9a7e-11e9-8328-bcee7b5dda94" + ], + "droid_birth": [ + "4d6cc204-ceca-4716-8fa4-b334de43dd91", + "3de30155-9a7e-11e9-8328-bcee7b5dda94" + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/local_unicode.lnk b/libbeat/formats/fixtures/lnk/local_unicode.lnk new file mode 100644 index 000000000000..2cac0a294668 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/local_unicode.lnk differ diff --git a/libbeat/formats/fixtures/lnk/local_unicode.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local_unicode.lnk.fingerprint new file mode 100644 index 000000000000..247a178f74ef --- /dev/null +++ b/libbeat/formats/fixtures/lnk/local_unicode.lnk.fingerprint 
@@ -0,0 +1,94 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "EnableTargetMetadata", + "HasLinkInfo", + "HasRelativePath", + "HasTargetIDList", + "HasWorkingDir", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_ARCHIVE", + "FILE_ATTRIBUTE_NOT_CONTENT_INDEXED" + ], + "creation_time": "2019-07-08T14:05:42Z", + "accessed_time": "2019-07-08T14:05:42Z", + "modified_time": "2019-07-08T14:05:42Z", + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" + }, + { + "name": "Drive letter", + "size": 25, + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" + }, + { + "name": "Directory", + "size": 78, + "type_id": 49, + "sha256": "c7d8fb0f772edeafd3493f815c856a08ce48db8e39bb7633bd8377b33f1dc739" + }, + { + "name": "File", + "size": 88, + "type_id": 50, + "sha256": "c1f6c25dbd064b168c812f6dfb28c9e84bd4fbbdc43e3225b1b7066de3841c65" + } + ], + "location": { + "flags": [ + "VolumeIDAndLocalBasePath" + ], + "volume": { + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0xce9c0987", + "volume_label": "System" + }, + "local_base_path": "C:\\Temp\\??.txt" + }, + "relative_path": ".\\💎.txt", + "working_directory": "C:\\Temp", + "extra": { + "property_store": { + "properties": [ + { + "name": "Item Name Display", + "type": "VT_LPWSTR", + "value": "💎.txt" + }, + { + "name": "Parsing Path", + "type": "VT_LPWSTR", + "value": "C:\\Temp\\💎.txt" + }, + { + "name": "Item Folder Path Display", + "type": "VT_LPWSTR", + "value": "C:\\Temp" + } + ] + }, + "tracker": { + "version": 0, + "machine_id": "test012345", + "droid": [ + "4d6cc204-ceca-4716-8fa4-b334de43dd91", + "c2edb485-a168-11e9-8328-bcee7b5dda94" + ], + "droid_birth": [ + "4d6cc204-ceca-4716-8fa4-b334de43dd91", + "c2edb485-a168-11e9-8328-bcee7b5dda94" + ] + } + } +} \ No newline at end 
of file diff --git a/libbeat/formats/fixtures/lnk/local_win31j.lnk b/libbeat/formats/fixtures/lnk/local_win31j.lnk new file mode 100644 index 000000000000..35096d6281ed Binary files /dev/null and b/libbeat/formats/fixtures/lnk/local_win31j.lnk differ diff --git a/libbeat/formats/fixtures/lnk/local_win31j.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local_win31j.lnk.fingerprint new file mode 100644 index 000000000000..07e5ba88fb9c --- /dev/null +++ b/libbeat/formats/fixtures/lnk/local_win31j.lnk.fingerprint 
@@ -0,0 +1,98 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "EnableTargetMetadata", + "HasIconLocation", + "HasLinkInfo", + "HasName", + "HasRelativePath", + "HasTargetIDList", + "HasWorkingDir", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_ARCHIVE", + "FILE_ATTRIBUTE_NOT_CONTENT_INDEXED" + ], + "creation_time": "2019-06-30T13:51:53Z", + "accessed_time": "2019-06-30T13:51:53Z", + "modified_time": "2019-06-30T13:52:01Z", + "file_size": 10, + "icon_index": 70, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" + }, + { + "name": "Drive letter", + "size": 25, + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" + }, + { + "name": "Directory", + "size": 78, + "type_id": 49, + "sha256": "a7691842c2beffb97ba901387165f8ac32cf7f8856ea1f79507949153e4ed35e" + }, + { + "size": 98, + "type_id": 54, + "sha256": "83cadfd78fc69dabcc842b324a64f35ef66f718f89a64fd0a9db1cbec935357d" + } + ], + "location": { + "flags": [ + "VolumeIDAndLocalBasePath" + ], + "volume": { + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0xce9c0987", + "volume_label": "System" + }, + "local_base_path": "C:\\Temp\\\ufffd\ufffd\ufffd\ufffd\ufffdN\ufffd\ufffd.txt" + }, + "name": "コメント", + "relative_path": ".\\リンク先.txt", + "working_directory": "C:\\Temp", + "icon_location": "%SystemRoot%\\system32\\SHELL32.dll", + "extra": { + "property_store": { + "properties": [ + { + "name": "Item Name Display", + "type": "VT_LPWSTR", + "value": "リンク先.txt" + }, + { + "name": "Parsing Path", + "type": "VT_LPWSTR", + "value": "C:\\Temp\\リンク先.txt" + }, + { + "name": "Item Folder Path Display", + "type": "VT_LPWSTR", + "value": "C:\\Temp" + } + ] + }, + "tracker": { + "version": 0, + "machine_id": "test012345", + "droid": [ + "4d6cc204-ceca-4716-8fa4-b334de43dd91", + 
"3de2f08c-9a7e-11e9-8328-bcee7b5dda94" + ], + "droid_birth": [ + "4d6cc204-ceca-4716-8fa4-b334de43dd91", + "3de2f08c-9a7e-11e9-8328-bcee7b5dda94" + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/microsoft.lnk b/libbeat/formats/fixtures/lnk/microsoft.lnk new file mode 100644 index 000000000000..1b71096688bb Binary files /dev/null and b/libbeat/formats/fixtures/lnk/microsoft.lnk differ diff --git a/libbeat/formats/fixtures/lnk/microsoft.lnk.fingerprint b/libbeat/formats/fixtures/lnk/microsoft.lnk.fingerprint new file mode 100644 index 000000000000..ab3175808a72 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/microsoft.lnk.fingerprint 
@@ -0,0 +1,73 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "EnableTargetMetadata", + "HasLinkInfo", + "HasRelativePath", + "HasTargetIDList", + "HasWorkingDir", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creation_time": "2008-09-12T20:27:17Z", + "accessed_time": "2008-09-12T20:27:17Z", + "modified_time": "2008-09-12T20:27:17Z", + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" + }, + { + "name": "Drive letter", + "size": 25, + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" + }, + { + "name": "Directory", + "size": 70, + "type_id": 49, + "sha256": "c02d6aedc5f2218379c281485addd05d2b4c3183126249cdb8d6bd60830ce56a" + }, + { + "name": "File", + "size": 72, + "type_id": 50, + "sha256": "baf8f9079dd6dd2bb7bb5a9af973db124953df9783537e565664d02dbd31c2f1" + } + ], + "location": { + "flags": [ + "VolumeIDAndLocalBasePath" + ], + "volume": { + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0x307a8a81" + }, + "local_base_path": "C:\\test\\a.txt" + }, + "relative_path": ".\\a.txt", + "working_directory": "C:\\test", + "extra": { + "tracker": { + "version": 0, + "machine_id": "chris-xps", + "droid": [ + "94c77840-fa47-46c7-b356-5c2dc6b6d115", + "7bcd46ec-7f22-11dd-9499-00137216874a" + ], + "droid_birth": [ + "94c77840-fa47-46c7-b356-5c2dc6b6d115", + "7bcd46ec-7f22-11dd-9499-00137216874a" + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.01.lnk b/libbeat/formats/fixtures/lnk/native.2008srv.01.lnk new file mode 100644 index 000000000000..04850d633f81 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.2008srv.01.lnk differ 
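Review bot: the header in microsoft.lnk.fingerprint carries creation, accessed and modified times but no `file_size`, as does local_unicode.lnk.fingerprint above, and the native.2008srv.02 and 03 hunks below drop the three timestamps as well, which looks like `omitempty` stripping zero values. A zero-byte target and a zero FILETIME are legitimate forensic observations, and dropping them makes them indistinguishable from a field the parser failed to read; the serialiser should emit `"file_size": 0` (and the zero timestamps, or an explicit null) the same way it already emits `"file_flags": []`.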
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.01.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.01.lnk.fingerprint new file mode 100644 index 000000000000..bdf86c10b8f1 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.2008srv.01.lnk.fingerprint 
@@ -0,0 +1,85 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasExpString", + "HasIconLocation", + "HasName", + "HasRelativePath", + "HasTargetIDList", + "HasWorkingDir", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creation_time": "2008-01-19T05:34:23Z", + "accessed_time": "2008-01-19T05:34:23Z", + "modified_time": "2008-01-19T07:33:04Z", + "file_size": 318976, + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" + }, + { + "name": "Drive letter", + "size": 25, + "type_id": 47, + "sha256": "67bcf1dbcf03183937b51fb3e0be2c1a0d12ac3b3349d39650e65dd7e7991ee9" + }, + { + "name": "Directory", + "size": 78, + "type_id": 49, + "sha256": "445e47a77dbe4cec458a99963f5b6fd0d0b2837972b3dd74491d803a77ab4864" + }, + { + "name": "Directory", + "size": 82, + "type_id": 49, + "sha256": "39e5c6b17525d42ccd4e02ac74fbf5bc7c66733d56f4446611e5eb54abc048f9" + }, + { + "name": "File", + "size": 78, + "type_id": 50, + "sha256": "6becf139d62015eead2ae71382dd74a5500b381c3d8d1eb9a623d22e402d1b0c" + } + ], + "name": "@%windir%\\system32\\shell32.dll,-22534", + "relative_path": "..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\cmd.exe", + "working_directory": "%HOMEDRIVE%%HOMEPATH%", + "icon_location": "%SystemRoot%\\system32\\cmd.exe", + "extra": { + "environment": { + "ansi": "%SystemRoot%\\system32\\cmd.exe", + "unicode": "%SystemRoot%\\system32\\cmd.exe" + }, + "known_folder": { + "id": "1ac14e77-02e7-4e5d-b744-2eb1ae5198b7", + "offset": 205 + }, + "special_folder": { + "id": 37, + "offset": 205 + }, + "tracker": { + "version": 0, + "machine_id": "win-hwdt97ahwff", + "droid": [ + "fd0db6ba-82b5-4dae-9e57-00eb13c2fc0f", + "804f491d-c682-11dc-901d-0014220d9404" + ], + "droid_birth": [ + "fd0db6ba-82b5-4dae-9e57-00eb13c2fc0f", + 
"804f491d-c682-11dc-901d-0014220d9404" + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.02.lnk b/libbeat/formats/fixtures/lnk/native.2008srv.02.lnk new file mode 100644 index 000000000000..f519fdd780a7 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.2008srv.02.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.02.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.02.lnk.fingerprint new file mode 100644 index 000000000000..8e445c11d96b --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.2008srv.02.lnk.fingerprint @@ -0,0 +1,25 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasIconLocation", + "HasName", + "HasTargetIDList", + "IsUnicode" + ], + "file_flags": [], + "icon_index": 4294967187, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" + } + ], + "name": "@%windir%\\explorer.exe,-304", + "icon_location": "%SystemRoot%\\system32\\imageres.dll", + "extra": {} +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.03.lnk b/libbeat/formats/fixtures/lnk/native.2008srv.03.lnk new file mode 100644 index 000000000000..6854d0ea3b3b Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.2008srv.03.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.03.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.03.lnk.fingerprint new file mode 100644 index 000000000000..4ddad37d40b7 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.2008srv.03.lnk.fingerprint 
@@ -0,0 +1,25 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasIconLocation", + "HasName", + "HasTargetIDList", + "IsUnicode" + ], + "file_flags": [], + "icon_index": 4294967269, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "Users property view", + "size": 20, + "type_id": 31, + "sha256": "b88204e884efad7cc3a304a1eb4f91b38824b9fb23d8c042484368296447a512" + } + ], + "name": "@%windir%\\explorer.exe,-307", + "icon_location": "%SystemRoot%\\system32\\imageres.dll", + "extra": {} +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.04.lnk b/libbeat/formats/fixtures/lnk/native.2008srv.04.lnk new file mode 100644 index 000000000000..b4d80eb28add Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.2008srv.04.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.04.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.04.lnk.fingerprint new file mode 100644 index 000000000000..39a6332714fd --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.2008srv.04.lnk.fingerprint 
@@ -0,0 +1,57 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "EnableTargetMetadata", + "HasRelativePath", + "HasTargetIDList", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_DIRECTORY", + "FILE_ATTRIBUTE_READONLY" + ], + "creation_time": "2010-06-21T14:55:25Z", + "accessed_time": "2010-06-21T14:55:33Z", + "modified_time": "2010-06-21T14:55:33Z", + "file_size": 4096, + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "INTERNET_EXPLORER", + "size": 20, + "type_id": 31, + "sha256": "fdc480a4bb8842fd0a3f686a5d8738d66c525442be3e08414a78a1216ceac8e0" + }, + { + "size": 32, + "type_id": 0, + "sha256": "6e6f7fd0a77efb40d35dc65df6a9db45b48d043d84d3e9e0881e2e6c8cf210f8" + } + ], + "relative_path": "..\\Documents", + "extra": { + "known_folder": { + "id": "fdd39ad0-238f-46af-adb4-6c85480369c7", + "offset": 52 + }, + "special_folder": { + "id": 5, + "offset": 52 + }, + "tracker": { + "version": 0, + "machine_id": "als-backup1", + "droid": [ + "a3355a32-d86e-4920-adfd-dc842d90c45f", + "7396a013-7d44-11df-a3ad-a4badb43b04f" + ], + "droid_birth": [ + "a3355a32-d86e-4920-adfd-dc842d90c45f", + "7396a013-7d44-11df-a3ad-a4badb43b04f" + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.05.lnk b/libbeat/formats/fixtures/lnk/native.2008srv.05.lnk new file mode 100644 index 000000000000..31822e4bfa22 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.2008srv.05.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.05.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.05.lnk.fingerprint new file mode 100644 index 000000000000..9309be8d95f7 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.2008srv.05.lnk.fingerprint 
@@ -0,0 +1,85 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasArguments", + "HasExpString", + "HasIconLocation", + "HasName", + "HasRelativePath", + "HasTargetIDList", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creation_time": "2008-01-19T05:45:45Z", + "accessed_time": "2008-01-19T08:38:39Z", + "modified_time": "2006-11-02T09:44:59Z", + "file_size": 211968, + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" + }, + { + "name": "Drive letter", + "size": 25, + "type_id": 47, + "sha256": "67bcf1dbcf03183937b51fb3e0be2c1a0d12ac3b3349d39650e65dd7e7991ee9" + }, + { + "name": "Directory", + "size": 78, + "type_id": 49, + "sha256": "64f014858e5dfac5b2aa3e1e3472842ba6afa6a99b6d831e5a30f2cb42adb3e1" + }, + { + "name": "Directory", + "size": 82, + "type_id": 49, + "sha256": "39e5c6b17525d42ccd4e02ac74fbf5bc7c66733d56f4446611e5eb54abc048f9" + }, + { + "name": "File", + "size": 90, + "type_id": 50, + "sha256": "26a9b3fc6ec08617a3569614d28b83e4d10daed34fbb197382f2f20483f6cc24" + } + ], + "name": "@%windir%\\system32\\accessibilityCpl.dll,-45", + "relative_path": "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\control.exe", + "command_line": "/name Microsoft.EaseOfAccessCenter", + "icon_location": "%SystemRoot%\\system32\\AccessibilityCpl.dll", + "extra": { + "environment": { + "ansi": "%SystemRoot%\\system32\\control.exe", + "unicode": "%SystemRoot%\\system32\\control.exe" + }, + "known_folder": { + "id": "1ac14e77-02e7-4e5d-b744-2eb1ae5198b7", + "offset": 205 + }, + "special_folder": { + "id": 37, + "offset": 205 + }, + "tracker": { + "version": 0, + "machine_id": "win-hwdt97ahwff", + "droid": [ + "fd0db6ba-82b5-4dae-9e57-00eb13c2fc0f", + "804f4916-c682-11dc-901d-0014220d9404" + ], + "droid_birth": [ + 
"fd0db6ba-82b5-4dae-9e57-00eb13c2fc0f", + "804f4916-c682-11dc-901d-0014220d9404" + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.06.lnk b/libbeat/formats/fixtures/lnk/native.2008srv.06.lnk new file mode 100644 index 000000000000..c03069d5c177 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.2008srv.06.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.06.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.06.lnk.fingerprint new file mode 100644 index 000000000000..2621994814a4 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.2008srv.06.lnk.fingerprint 
@@ -0,0 +1,91 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasExpIcon", + "HasIconLocation", + "HasName", + "HasRelativePath", + "HasTargetIDList", + "HasWorkingDir", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creation_time": "2009-03-18T14:50:44Z", + "accessed_time": "2010-06-18T09:17:35Z", + "modified_time": "2009-03-18T14:50:44Z", + "file_size": 1189128, + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" + }, + { + "name": "Drive letter", + "size": 25, + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" + }, + { + "name": "Directory", + "size": 132, + "type_id": 49, + "sha256": "adf51df4bd648fb2b18fb07a5cf4b90094e7c6e7b2d43b67e344fffea33001a1" + }, + { + "name": "Directory", + "size": 64, + "type_id": 49, + "sha256": "d1277da4e5ae5831f07dc4900b1f2c20bebab925ed107e32f2dc20d5930c32a6" + }, + { + "name": "Directory", + "size": 96, + "type_id": 49, + "sha256": "c393ada649af95abad997ca3c0269a061486e79be9fec25380083fc3b9a541a1" + }, + { + "name": "File", + "size": 100, + "type_id": 50, + "sha256": "3b88d21502d4e4ae7aefd7ebdfce459648578037c2814b14298a253c23f6ebd5" + } + ], + "name": "Gestionnaire CA ARCserve Backup", + "relative_path": "..\\..\\..\\..\\..\\..\\..\\Program Files\\CA\\ARCserve Backup\\ARCserveMgr.exe", + "working_directory": "C:\\Program Files\\CA\\ARCserve Backup\\", + "icon_location": "C:\\Windows\\Installer\\{8EF9D7FC-A940-4794-8346-7C15EEBEBF54}\\BrightStorManager1_319B2AA96D38499581EEE0912B18CF57.exe", + "extra": { + "icon_environment": { + "ansi": "%SystemRoot%\\Installer\\{8EF9D7FC-A940-4794-8346-7C15EEBEBF54}\\BrightStorManager1_319B2AA96D38499581EEE0912B18CF57.exe", + "unicode": 
"%SystemRoot%\\Installer\\{8EF9D7FC-A940-4794-8346-7C15EEBEBF54}\\BrightStorManager1_319B2AA96D38499581EEE0912B18CF57.exe" + }, + "known_folder": { + "id": "7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e", + "offset": 177 + }, + "special_folder": { + "id": 42, + "offset": 177 + }, + "tracker": { + "version": 0, + "machine_id": "als-projets1", + "droid": [ + "a3355a32-d86e-4920-adfd-dc842d90c45f", + "fbb2487c-7ab3-11df-8161-a4badb43b04f" + ], + "droid_birth": [ + "a3355a32-d86e-4920-adfd-dc842d90c45f", + "fbb2487c-7ab3-11df-8161-a4badb43b04f" + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.07.lnk b/libbeat/formats/fixtures/lnk/native.2008srv.07.lnk new file mode 100644 index 000000000000..4c92eb004587 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.2008srv.07.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.07.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.07.lnk.fingerprint new file mode 100644 index 000000000000..f9377232483c --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.2008srv.07.lnk.fingerprint @@ -0,0 +1,25 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasIconLocation", + "HasName", + "HasTargetIDList", + "IsUnicode" + ], + "file_flags": [], + "icon_index": 4294967272, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "8db1287718d91d57c60da1c79fbc3067e006a4f0be2f88b4f551c8d7120514a5" + } + ], + "name": "@%windir%\\explorer.exe,-7001", + "icon_location": "%SystemRoot%\\system32\\shell32.dll", + "extra": {} +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.08.lnk b/libbeat/formats/fixtures/lnk/native.2008srv.08.lnk new file mode 100644 index 000000000000..1a635d97f959 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.2008srv.08.lnk differ 
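Review bot: `"icon_index": 4294967272` in native.2008srv.07.lnk.fingerprint is the unsigned rendering of -24; MS-SHLLINK defines IconIndex as a 32-bit signed integer, and a negative value is the resource-ID convention, the same one the `@%windir%\\explorer.exe,-7001` indirect string in `name` uses. Decode the field as int32 so the fingerprint records `-24`, otherwise anyone comparing the fixture against the resource IDs in `name` or `icon_location` has to undo the wraparound by hand. The same wraparound appears in native.2008srv.13 (`4294967295`, i.e. -1), .16 (`4294967271`), .18 (`4294967038`) and .19 (`4294967186`).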
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.08.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.08.lnk.fingerprint new file mode 100644 index 000000000000..32988084f80e --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.2008srv.08.lnk.fingerprint 
@@ -0,0 +1,80 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasArguments", + "HasName", + "HasRelativePath", + "HasTargetIDList", + "HasWorkingDir", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creation_time": "2008-01-19T05:48:02Z", + "accessed_time": "2008-01-19T05:48:02Z", + "modified_time": "2008-01-19T07:33:12Z", + "file_size": 625664, + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" + }, + { + "name": "Drive letter", + "size": 25, + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" + }, + { + "name": "Directory", + "size": 132, + "type_id": 49, + "sha256": "adf51df4bd648fb2b18fb07a5cf4b90094e7c6e7b2d43b67e344fffea33001a1" + }, + { + "name": "Directory", + "size": 100, + "type_id": 49, + "sha256": "685477904216903ee533c0252a6a366a0cdd435dc36db81ca4d07c284286ff9e" + }, + { + "name": "File", + "size": 94, + "type_id": 50, + "sha256": "3a35c60aa0f6a856fe3805cae26b398fc6ec9bd456bba30fc38c3004769eda4b" + } + ], + "name": "@\"%windir%\\System32\\ie4uinit.exe\",-738", + "relative_path": "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Program Files\\Internet Explorer\\iexplore.exe", + "working_directory": "%HOMEDRIVE%%HOMEPATH%", + "command_line": " -extoff", + "extra": { + "known_folder": { + "id": "7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e", + "offset": 177 + }, + "special_folder": { + "id": 42, + "offset": 177 + }, + "tracker": { + "version": 0, + "machine_id": "als-backup1", + "droid": [ + "a3355a32-d86e-4920-adfd-dc842d90c45f", + "bb08ed90-7a1f-11df-a4a2-a4badb43b04f" + ], + "droid_birth": [ + "a3355a32-d86e-4920-adfd-dc842d90c45f", + "bb08ed90-7a1f-11df-a4a2-a4badb43b04f" + ] + } + } +} \ No newline at end of file 
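Review bot: native.2008srv.08.lnk.fingerprint, like every other `.fingerprint` in this series, ends with `\ No newline at end of file`. Have the generator write a final newline so that regenerating a fixture later does not produce a spurious diff on the closing `}` and editors that add a newline on save do not create unrelated churn.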
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.09.lnk b/libbeat/formats/fixtures/lnk/native.2008srv.09.lnk new file mode 100644 index 000000000000..f6ece3407d56 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.2008srv.09.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.09.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.09.lnk.fingerprint new file mode 100644 index 000000000000..c79ed494bad2 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.2008srv.09.lnk.fingerprint 
@@ -0,0 +1,78 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasName", + "HasRelativePath", + "HasTargetIDList", + "HasWorkingDir", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creation_time": "2008-01-19T05:48:02Z", + "accessed_time": "2008-01-19T05:48:02Z", + "modified_time": "2008-01-19T07:33:12Z", + "file_size": 625664, + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" + }, + { + "name": "Drive letter", + "size": 25, + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" + }, + { + "name": "Directory", + "size": 132, + "type_id": 49, + "sha256": "adf51df4bd648fb2b18fb07a5cf4b90094e7c6e7b2d43b67e344fffea33001a1" + }, + { + "name": "Directory", + "size": 100, + "type_id": 49, + "sha256": "685477904216903ee533c0252a6a366a0cdd435dc36db81ca4d07c284286ff9e" + }, + { + "name": "File", + "size": 94, + "type_id": 50, + "sha256": "3a35c60aa0f6a856fe3805cae26b398fc6ec9bd456bba30fc38c3004769eda4b" + } + ], + "name": "@\"%windir%\\System32\\ie4uinit.exe\",-732", + "relative_path": "..\\..\\..\\..\\..\\..\\..\\..\\Program Files\\Internet Explorer\\iexplore.exe", + "working_directory": "%HOMEDRIVE%%HOMEPATH%", + "extra": { + "known_folder": { + "id": "7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e", + "offset": 177 + }, + "special_folder": { + "id": 42, + "offset": 177 + }, + "tracker": { + "version": 0, + "machine_id": "als-backup1", + "droid": [ + "a3355a32-d86e-4920-adfd-dc842d90c45f", + "bb08ed90-7a1f-11df-a4a2-a4badb43b04f" + ], + "droid_birth": [ + "a3355a32-d86e-4920-adfd-dc842d90c45f", + "bb08ed90-7a1f-11df-a4a2-a4badb43b04f" + ] + } + } +} \ No newline at end of file 
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.10.lnk b/libbeat/formats/fixtures/lnk/native.2008srv.10.lnk new file mode 100644 index 000000000000..2d8cb7b02aa8 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.2008srv.10.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.10.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.10.lnk.fingerprint new file mode 100644 index 000000000000..77518f049ea6 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.2008srv.10.lnk.fingerprint @@ -0,0 +1,56 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "EnableTargetMetadata", + "HasRelativePath", + "HasTargetIDList", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_DIRECTORY", + "FILE_ATTRIBUTE_READONLY" + ], + "creation_time": "2010-06-21T14:55:25Z", + "accessed_time": "2010-06-21T14:55:33Z", + "modified_time": "2010-06-21T14:55:33Z", + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "INTERNET_EXPLORER", + "size": 20, + "type_id": 31, + "sha256": "fdc480a4bb8842fd0a3f686a5d8738d66c525442be3e08414a78a1216ceac8e0" + }, + { + "size": 32, + "type_id": 0, + "sha256": "685e1e10e74af0266c9e14af0bdcaca225c4ea0299a91fe6cb1d5722650fbe13" + } + ], + "relative_path": "..\\Music", + "extra": { + "known_folder": { + "id": "4bd8d571-6d19-48d3-be97-422220080e43", + "offset": 52 + }, + "special_folder": { + "id": 13, + "offset": 52 + }, + "tracker": { + "version": 0, + "machine_id": "als-backup1", + "droid": [ + "a3355a32-d86e-4920-adfd-dc842d90c45f", + "7396a011-7d44-11df-a3ad-a4badb43b04f" + ], + "droid_birth": [ + "a3355a32-d86e-4920-adfd-dc842d90c45f", + "7396a011-7d44-11df-a3ad-a4badb43b04f" + ] + } + } +} \ No newline at end of file 
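Review bot: the second `shellbags` entry in native.2008srv.10.lnk.fingerprint has `"type_id": 0` and no `name`, so this 32-byte item was left unclassified and only its `sha256` is asserted; `name` is therefore optional in the fixture schema, which is easy to mistake for a dropped field when reading the fixtures. Either emit an explicit placeholder for unrecognised item types or document that `name` is omitted when the type is unknown. The same shape appears in native.2008srv.14 and native.2008srv.17.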
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.11.lnk b/libbeat/formats/fixtures/lnk/native.2008srv.11.lnk new file mode 100644 index 000000000000..47e39c336a2c Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.2008srv.11.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.11.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.11.lnk.fingerprint new file mode 100644 index 000000000000..1b3e36273e5a --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.2008srv.11.lnk.fingerprint 
@@ -0,0 +1,83 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasExpString", + "HasIconLocation", + "HasName", + "HasRelativePath", + "HasTargetIDList", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creation_time": "2008-01-19T04:06:25Z", + "accessed_time": "2008-01-19T08:38:15Z", + "modified_time": "2006-11-02T09:47:04Z", + "file_size": 991232, + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" + }, + { + "name": "Drive letter", + "size": 25, + "type_id": 47, + "sha256": "67bcf1dbcf03183937b51fb3e0be2c1a0d12ac3b3349d39650e65dd7e7991ee9" + }, + { + "name": "Directory", + "size": 78, + "type_id": 49, + "sha256": "64f014858e5dfac5b2aa3e1e3472842ba6afa6a99b6d831e5a30f2cb42adb3e1" + }, + { + "name": "Directory", + "size": 82, + "type_id": 49, + "sha256": "39e5c6b17525d42ccd4e02ac74fbf5bc7c66733d56f4446611e5eb54abc048f9" + }, + { + "name": "File", + "size": 94, + "type_id": 50, + "sha256": "5f3bbf55754acb6bb75910d672f3fe7ed0ad4976da30b3c226e2290df49c9020" + } + ], + "name": "@%windir%\\system32\\shell32.dll,-22560", + "relative_path": "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\Narrator.exe", + "icon_location": "%SystemRoot%\\system32\\narrator.exe", + "extra": { + "environment": { + "ansi": "%SystemRoot%\\system32\\narrator.exe", + "unicode": "%SystemRoot%\\system32\\narrator.exe" + }, + "known_folder": { + "id": "1ac14e77-02e7-4e5d-b744-2eb1ae5198b7", + "offset": 205 + }, + "special_folder": { + "id": 37, + "offset": 205 + }, + "tracker": { + "version": 0, + "machine_id": "win-hwdt97ahwff", + "droid": [ + "fd0db6ba-82b5-4dae-9e57-00eb13c2fc0f", + "804f4914-c682-11dc-901d-0014220d9404" + ], + "droid_birth": [ + "fd0db6ba-82b5-4dae-9e57-00eb13c2fc0f", + "804f4914-c682-11dc-901d-0014220d9404" + ] + } + } +} \ No newline at end of 
file diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.12.lnk b/libbeat/formats/fixtures/lnk/native.2008srv.12.lnk new file mode 100644 index 000000000000..572096782c08 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.2008srv.12.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.12.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.12.lnk.fingerprint new file mode 100644 index 000000000000..be1b78beab27 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.2008srv.12.lnk.fingerprint 
@@ -0,0 +1,86 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasExpString", + "HasIconLocation", + "HasName", + "HasRelativePath", + "HasTargetIDList", + "HasWorkingDir", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_ARCHIVE", + "FILE_ATTRIBUTE_NOT_CONTENT_INDEXED" + ], + "creation_time": "2008-01-19T05:46:11Z", + "accessed_time": "2008-01-19T05:46:11Z", + "modified_time": "2008-01-19T07:33:18Z", + "file_size": 151040, + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" + }, + { + "name": "Drive letter", + "size": 25, + "type_id": 47, + "sha256": "67bcf1dbcf03183937b51fb3e0be2c1a0d12ac3b3349d39650e65dd7e7991ee9" + }, + { + "name": "Directory", + "size": 78, + "type_id": 49, + "sha256": "445e47a77dbe4cec458a99963f5b6fd0d0b2837972b3dd74491d803a77ab4864" + }, + { + "name": "Directory", + "size": 82, + "type_id": 49, + "sha256": "39e5c6b17525d42ccd4e02ac74fbf5bc7c66733d56f4446611e5eb54abc048f9" + }, + { + "name": "File", + "size": 90, + "type_id": 50, + "sha256": "4140b49bc395ac5f137b7e959bc99afa9893a569ee3c00dea8ecbf3b300bda85" + } + ], + "name": "@%SystemRoot%\\system32\\Shell32.dll,-22563", + "relative_path": "..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\notepad.exe", + "working_directory": "%HOMEDRIVE%%HOMEPATH%", + "icon_location": "%SystemRoot%\\system32\\notepad.exe", + "extra": { + "environment": { + "ansi": "%SystemRoot%\\system32\\notepad.exe", + "unicode": "%SystemRoot%\\system32\\notepad.exe" + }, + "known_folder": { + "id": "1ac14e77-02e7-4e5d-b744-2eb1ae5198b7", + "offset": 205 + }, + "special_folder": { + "id": 37, + "offset": 205 + }, + "tracker": { + "version": 0, + "machine_id": "win-hwdt97ahwff", + "droid": [ + "fd0db6ba-82b5-4dae-9e57-00eb13c2fc0f", + "804f4920-c682-11dc-901d-0014220d9404" + ], + "droid_birth": [ + 
"fd0db6ba-82b5-4dae-9e57-00eb13c2fc0f", + "804f4920-c682-11dc-901d-0014220d9404" + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.13.lnk b/libbeat/formats/fixtures/lnk/native.2008srv.13.lnk new file mode 100644 index 000000000000..6ef018b404c9 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.2008srv.13.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.13.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.13.lnk.fingerprint new file mode 100644 index 000000000000..4060784919e1 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.2008srv.13.lnk.fingerprint 
@@ -0,0 +1,83 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasExpString", + "HasIconLocation", + "HasName", + "HasRelativePath", + "HasTargetIDList", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creation_time": "2008-01-19T05:46:07Z", + "accessed_time": "2008-01-19T08:38:04Z", + "modified_time": "2006-11-02T09:45:31Z", + "file_size": 182272, + "icon_index": 4294967295, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" + }, + { + "name": "Drive letter", + "size": 25, + "type_id": 47, + "sha256": "67bcf1dbcf03183937b51fb3e0be2c1a0d12ac3b3349d39650e65dd7e7991ee9" + }, + { + "name": "Directory", + "size": 78, + "type_id": 49, + "sha256": "64f014858e5dfac5b2aa3e1e3472842ba6afa6a99b6d831e5a30f2cb42adb3e1" + }, + { + "name": "Directory", + "size": 82, + "type_id": 49, + "sha256": "39e5c6b17525d42ccd4e02ac74fbf5bc7c66733d56f4446611e5eb54abc048f9" + }, + { + "name": "File", + "size": 78, + "type_id": 50, + "sha256": "c1230826c72434c115d9ed0d60c35ffdcf7e22d40fa20e3547e5ad594763b6ca" + } + ], + "name": "@%SystemRoot%\\system32\\shell32.dll,-22564", + "relative_path": "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\osk.exe", + "icon_location": "%SystemRoot%\\system32\\osk.exe", + "extra": { + "environment": { + "ansi": "%SystemRoot%\\system32\\osk.exe", + "unicode": "%SystemRoot%\\system32\\osk.exe" + }, + "known_folder": { + "id": "1ac14e77-02e7-4e5d-b744-2eb1ae5198b7", + "offset": 205 + }, + "special_folder": { + "id": 37, + "offset": 205 + }, + "tracker": { + "version": 0, + "machine_id": "win-hwdt97ahwff", + "droid": [ + "fd0db6ba-82b5-4dae-9e57-00eb13c2fc0f", + "804f491b-c682-11dc-901d-0014220d9404" + ], + "droid_birth": [ + "fd0db6ba-82b5-4dae-9e57-00eb13c2fc0f", + "804f491b-c682-11dc-901d-0014220d9404" + ] + } + } +} \ No newline at end of file 
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.14.lnk b/libbeat/formats/fixtures/lnk/native.2008srv.14.lnk new file mode 100644 index 000000000000..236e6f1a6e04 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.2008srv.14.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.14.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.14.lnk.fingerprint new file mode 100644 index 000000000000..09ea3072f2f4 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.2008srv.14.lnk.fingerprint @@ -0,0 +1,56 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "EnableTargetMetadata", + "HasRelativePath", + "HasTargetIDList", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_DIRECTORY", + "FILE_ATTRIBUTE_READONLY" + ], + "creation_time": "2010-06-21T14:55:25Z", + "accessed_time": "2010-06-21T14:55:33Z", + "modified_time": "2010-06-21T14:55:33Z", + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "INTERNET_EXPLORER", + "size": 20, + "type_id": 31, + "sha256": "fdc480a4bb8842fd0a3f686a5d8738d66c525442be3e08414a78a1216ceac8e0" + }, + { + "size": 32, + "type_id": 0, + "sha256": "30f371e0d6a76863f215c88287df45271f5e17b8109f629e8387680d1a6c2466" + } + ], + "relative_path": "..\\Pictures", + "extra": { + "known_folder": { + "id": "33e28130-4e1e-4676-835a-98395c3bc3bb", + "offset": 52 + }, + "special_folder": { + "id": 39, + "offset": 52 + }, + "tracker": { + "version": 0, + "machine_id": "als-backup1", + "droid": [ + "a3355a32-d86e-4920-adfd-dc842d90c45f", + "7396a012-7d44-11df-a3ad-a4badb43b04f" + ], + "droid_birth": [ + "a3355a32-d86e-4920-adfd-dc842d90c45f", + "7396a012-7d44-11df-a3ad-a4badb43b04f" + ] + } + } +} \ No newline at end of file 
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.15.lnk b/libbeat/formats/fixtures/lnk/native.2008srv.15.lnk new file mode 100644 index 000000000000..06675bb57e49 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.2008srv.15.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.15.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.15.lnk.fingerprint new file mode 100644 index 000000000000..b7168a97318a --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.2008srv.15.lnk.fingerprint @@ -0,0 +1,48 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "EnableTargetMetadata", + "HasRelativePath", + "HasTargetIDList", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_DIRECTORY", + "FILE_ATTRIBUTE_READONLY" + ], + "creation_time": "2008-01-19T09:40:53Z", + "accessed_time": "2008-01-19T09:40:53Z", + "modified_time": "2008-01-19T09:40:53Z", + "file_size": 4096, + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "Users property view", + "size": 20, + "type_id": 31, + "sha256": "980319fa30c13a88eadfd58c70287f37f62f47a3cbae58d4523148e8d0e870b9" + } + ], + "relative_path": "..\\..\\Public", + "extra": { + "known_folder": { + "id": "dfdf76a2-c82a-4d63-906a-5644ac457385", + "offset": 20 + }, + "tracker": { + "version": 0, + "machine_id": "als-backup1", + "droid": [ + "a3355a32-d86e-4920-adfd-dc842d90c45f", + "bb08ed8a-7a1f-11df-a4a2-a4badb43b04f" + ], + "droid_birth": [ + "a3355a32-d86e-4920-adfd-dc842d90c45f", + "bb08ed8a-7a1f-11df-a4a2-a4badb43b04f" + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.16.lnk b/libbeat/formats/fixtures/lnk/native.2008srv.16.lnk new file mode 100644 index 000000000000..1bdee439aae4 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.2008srv.16.lnk differ 
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.16.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.16.lnk.fingerprint new file mode 100644 index 000000000000..a3c77ae91a76 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.2008srv.16.lnk.fingerprint @@ -0,0 +1,25 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasIconLocation", + "HasName", + "HasTargetIDList", + "IsUnicode" + ], + "file_flags": [], + "icon_index": 4294967271, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "532430ce84b6c846622da10af300d777c81c555a3c0cebdf2a6a17ff2e6aa885" + } + ], + "name": "@%windir%\\explorer.exe,-7003", + "icon_location": "%SystemRoot%\\system32\\shell32.dll", + "extra": {} +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.17.lnk b/libbeat/formats/fixtures/lnk/native.2008srv.17.lnk new file mode 100644 index 000000000000..33896719c371 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.2008srv.17.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.17.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.17.lnk.fingerprint new file mode 100644 index 000000000000..ffd357af9395 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.2008srv.17.lnk.fingerprint 
@@ -0,0 +1,53 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "EnableTargetMetadata", + "HasRelativePath", + "HasTargetIDList", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_DIRECTORY", + "FILE_ATTRIBUTE_READONLY" + ], + "creation_time": "2010-06-21T14:55:33Z", + "accessed_time": "2010-06-21T14:55:33Z", + "modified_time": "2010-06-21T14:55:33Z", + "file_size": 4096, + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "INTERNET_EXPLORER", + "size": 20, + "type_id": 31, + "sha256": "fdc480a4bb8842fd0a3f686a5d8738d66c525442be3e08414a78a1216ceac8e0" + }, + { + "size": 32, + "type_id": 0, + "sha256": "91da9f1c8377c19ae3dcb208ccecda47a6a01643001408f757793ddfd87d068a" + } + ], + "relative_path": "..\\Searches", + "extra": { + "known_folder": { + "id": "f3ce0f7c-4901-4acc-8648-d5d44b04ef8f", + "offset": 20 + }, + "tracker": { + "version": 0, + "machine_id": "als-backup1", + "droid": [ + "a3355a32-d86e-4920-adfd-dc842d90c45f", + "7396a00f-7d44-11df-a3ad-a4badb43b04f" + ], + "droid_birth": [ + "a3355a32-d86e-4920-adfd-dc842d90c45f", + "7396a00f-7d44-11df-a3ad-a4badb43b04f" + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.18.lnk b/libbeat/formats/fixtures/lnk/native.2008srv.18.lnk new file mode 100644 index 000000000000..409e1f62f9c7 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.2008srv.18.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.18.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.18.lnk.fingerprint new file mode 100644 index 000000000000..8ada107f8e3f --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.2008srv.18.lnk.fingerprint 
@@ -0,0 +1,25 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasIconLocation", + "HasName", + "HasTargetIDList", + "IsUnicode" + ], + "file_flags": [], + "icon_index": 4294967038, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "INTERNET_EXPLORER", + "size": 20, + "type_id": 31, + "sha256": "08f7df35a94d580703a76f2c82de60e7d7d45ce9a6640f8df2b1ef5271b33cba" + } + ], + "name": "@%SystemRoot%\\system32\\shell32.dll,-10114", + "icon_location": "%SystemRoot%\\explorer.exe", + "extra": {} +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.19.lnk b/libbeat/formats/fixtures/lnk/native.2008srv.19.lnk new file mode 100644 index 000000000000..d964e7ef61f1 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.2008srv.19.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.19.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.19.lnk.fingerprint new file mode 100644 index 000000000000..e98049aa0d46 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.2008srv.19.lnk.fingerprint @@ -0,0 +1,25 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasIconLocation", + "HasName", + "HasTargetIDList", + "IsUnicode" + ], + "file_flags": [], + "icon_index": 4294967186, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "INTERNET_EXPLORER", + "size": 20, + "type_id": 31, + "sha256": "ff8bf60a7527cf54c4f53476c417841e5b5bf25480eee7f276ebcb58864ace0f" + } + ], + "name": "@%SystemRoot%\\system32\\shell32.dll,-10113", + "icon_location": "%SystemRoot%\\system32\\imageres.dll", + "extra": {} +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.20.lnk b/libbeat/formats/fixtures/lnk/native.2008srv.20.lnk new file mode 100644 index 000000000000..f60be7a288f5 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.2008srv.20.lnk differ 
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.20.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.20.lnk.fingerprint new file mode 100644 index 000000000000..31961cba4f10 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.2008srv.20.lnk.fingerprint 
@@ -0,0 +1,77 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasExpString", + "HasIconLocation", + "HasName", + "HasRelativePath", + "HasTargetIDList", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creation_time": "2008-01-19T05:45:08Z", + "accessed_time": "2008-01-19T05:45:08Z", + "modified_time": "2008-01-19T07:33:10Z", + "file_size": 2927104, + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" + }, + { + "name": "Drive letter", + "size": 25, + "type_id": 47, + "sha256": "67bcf1dbcf03183937b51fb3e0be2c1a0d12ac3b3349d39650e65dd7e7991ee9" + }, + { + "name": "Directory", + "size": 78, + "type_id": 49, + "sha256": "9136014a2f33dd37fd52591b7f69dd411f807398b3154677b2aadf9d6568f3d7" + }, + { + "name": "File", + "size": 94, + "type_id": 50, + "sha256": "d536a3e92540146875923c64bf2f48a787cc9ac78c44790e8caf68f6f6b53ac6" + } + ], + "name": "@%SystemRoot%\\system32\\Shell32.dll,-22579", + "relative_path": "..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\explorer.exe", + "icon_location": "%SystemRoot%\\explorer.exe", + "extra": { + "environment": { + "ansi": "%SystemRoot%\\explorer.exe", + "unicode": "%SystemRoot%\\explorer.exe" + }, + "known_folder": { + "id": "f38bf404-1d43-42f2-9305-67de0b28fc23", + "offset": 123 + }, + "special_folder": { + "id": 36, + "offset": 123 + }, + "tracker": { + "version": 0, + "machine_id": "win-hwdt97ahwff", + "droid": [ + "fd0db6ba-82b5-4dae-9e57-00eb13c2fc0f", + "804f48f6-c682-11dc-901d-b3d7e32f3e9f" + ], + "droid_birth": [ + "fd0db6ba-82b5-4dae-9e57-00eb13c2fc0f", + "804f48f6-c682-11dc-901d-b3d7e32f3e9f" + ] + } + } +} \ No newline at end of file 
diff --git a/libbeat/formats/fixtures/lnk/native.seven.01.lnk b/libbeat/formats/fixtures/lnk/native.seven.01.lnk new file mode 100644 index 000000000000..c9155f5d536e Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.seven.01.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.seven.01.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.01.lnk.fingerprint new file mode 100644 index 000000000000..3c02028e6c7c --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.seven.01.lnk.fingerprint 
@@ -0,0 +1,96 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasLinkInfo", + "HasRelativePath", + "HasTargetIDList", + "HasWorkingDir", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creation_time": "2010-03-26T10:07:11Z", + "accessed_time": "2010-03-26T10:07:11Z", + "modified_time": "2005-09-04T20:18:26Z", + "file_size": 1019392, + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" + }, + { + "name": "Drive letter", + "size": 25, + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" + }, + { + "name": "Directory", + "size": 136, + "type_id": 49, + "sha256": "e17a03b6cc4c5bbd9ef14d82b68bad88f6ba23768edc2795b8b6eeda30940e9a" + }, + { + "name": "Directory", + "size": 82, + "type_id": 49, + "sha256": "44ba2a20c07abbee954952c9258aecefcc543645322dee50b37e88f7c281a99e" + }, + { + "name": "File", + "size": 94, + "type_id": 50, + "sha256": "00bb61a6c63eb6e409c9836fbea931aed5c815083aef0e28eb1b321c33ed7137" + } + ], + "location": { + "flags": [ + "VolumeIDAndLocalBasePath" + ], + "volume": { + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0x3e5dce88" + }, + "local_base_path": "C:\\Program Files\\ConTEXT\\ConTEXT.exe" + }, + "relative_path": "..\\..\\..\\Program Files\\ConTEXT\\ConTEXT.exe", + "working_directory": "C:\\Program Files\\ConTEXT", + "extra": { + "known_folder": { + "id": "7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e", + "offset": 181 + }, + "property_store": { + "properties": [ + { + "name": "SID", + "type": "VT_LPWSTR", + "value": "S-1-5-21-2092377875-1431633947-1539857752-1075" + } + ] + }, + "special_folder": { + "id": 42, + "offset": 181 + }, + "tracker": { + "version": 0, + "machine_id": "al-0149", + "droid": [ + "a0e5ed1e-0d61-4fed-a6e2-afca43a5c04c", + "31a6cdbd-319f-11df-b163-001e4ff01cc7" + 
], + "droid_birth": [ + "a0e5ed1e-0d61-4fed-a6e2-afca43a5c04c", + "31a6cdbd-319f-11df-b163-001e4ff01cc7" + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.seven.02.lnk b/libbeat/formats/fixtures/lnk/native.seven.02.lnk new file mode 100644 index 000000000000..f58f8e46cf5d Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.seven.02.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.seven.02.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.02.lnk.fingerprint new file mode 100644 index 000000000000..cedb2edb6ce8 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.seven.02.lnk.fingerprint @@ -0,0 +1,60 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "EnableTargetMetadata", + "HasLinkInfo", + "HasRelativePath", + "HasTargetIDList", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_DIRECTORY", + "FILE_ATTRIBUTE_READONLY" + ], + "creation_time": "2009-09-16T09:31:55Z", + "accessed_time": "2009-09-16T09:32:12Z", + "modified_time": "2009-09-16T09:32:12Z", + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "location": { + "flags": [ + "VolumeIDAndLocalBasePath" + ], + "volume": { + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0x3e5dce88" + }, + "local_base_path": "C:\\Users\\Aldheris\\Desktop" + }, + "relative_path": "..\\Desktop", + "extra": { + "property_store": { + "properties": [ + { + "name": "Item Name Display", + "type": "VT_LPWSTR", + "value": "Bureau" + }, + { + "name": "Parsing Path", + "type": "VT_LPWSTR", + "value": "C:\\Users\\Aldheris\\Desktop" + } + ] + }, + "tracker": { + "version": 0, + "machine_id": "al-0149", + "droid": [ + "a0e5ed1e-0d61-4fed-a6e2-afca43a5c04c", + "1f541ae8-a2a3-11de-b558-001e4ff01cc7" + ], + "droid_birth": [ + "a0e5ed1e-0d61-4fed-a6e2-afca43a5c04c", + "1f541ae8-a2a3-11de-b558-001e4ff01cc7" + ] + } + } +} \ No newline at end of file 
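Review bot: these fixtures carry identifying data from the machines the links were captured on: `machine_id` values such as `als-backup1` and `al-0149`, the account SID `S-1-5-21-2092377875-1431633947-1539857752-1075` in the property store of native.seven.01, the profile path `C:\\Users\\Aldheris\\Desktop` in native.seven.02, and `droid`/`droid_birth` second entries such as `31a6cdbd-319f-11df-b163-001e4ff01cc7` that are version-1 (time-based) UUIDs whose final field normally derives from the network adapter's hardware address. Please state in the PR description or in a README beside the fixtures where the .lnk samples come from (a published corpus or samples generated for this purpose), so the repository does not inadvertently publish personal data; if they were collected privately, regenerating them on a throwaway VM avoids the question entirely.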
diff --git a/libbeat/formats/fixtures/lnk/native.seven.03.lnk b/libbeat/formats/fixtures/lnk/native.seven.03.lnk new file mode 100644 index 000000000000..348a53dc43d2 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.seven.03.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.seven.03.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.03.lnk.fingerprint new file mode 100644 index 000000000000..744d3d4498c6 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.seven.03.lnk.fingerprint @@ -0,0 +1,37 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "EnableTargetMetadata", + "HasTargetIDList", + "IsUnicode" + ], + "file_flags": [], + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "INTERNET_EXPLORER", + "size": 20, + "type_id": 31, + "sha256": "1a017498e9f75896a4d55428cdb9fa94199bf05042949f90adaf0b15540f62dc" + } + ], + "extra": { + "property_store": { + "properties": [ + { + "name": "Item Name Display", + "type": "VT_LPWSTR", + "value": "Emplacements récents" + }, + { + "name": "Parsing Path", + "type": "VT_LPWSTR", + "value": "::{22877A6D-37A1-461A-91B0-DBDA5AAEBC99}" + } + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.seven.04.lnk b/libbeat/formats/fixtures/lnk/native.seven.04.lnk new file mode 100644 index 000000000000..e79d70d9f5a4 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.seven.04.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.seven.04.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.04.lnk.fingerprint new file mode 100644 index 000000000000..c64692e31669 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.seven.04.lnk.fingerprint 
@@ -0,0 +1,96 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasLinkInfo", + "HasRelativePath", + "HasTargetIDList", + "HasWorkingDir", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creation_time": "2008-03-26T17:25:22Z", + "accessed_time": "2010-06-14T11:28:03Z", + "modified_time": "2008-03-26T17:25:22Z", + "file_size": 1888256, + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" + }, + { + "name": "Drive letter", + "size": 25, + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" + }, + { + "name": "Directory", + "size": 136, + "type_id": 49, + "sha256": "ec06dc548e0c3aa8b9969070bff6b9f0db3906d424329a630950b1d67f1f292c" + }, + { + "name": "Directory", + "size": 82, + "type_id": 49, + "sha256": "1a1a0e0f935bcd37eb429d1d194d15f815d14690fc4d3d80957ab55b885290e0" + }, + { + "name": "File", + "size": 94, + "type_id": 50, + "sha256": "fcaedf0364307388aa077b217f7800403a7cc4c67125d301fb7f5d18d80a4d1b" + } + ], + "location": { + "flags": [ + "VolumeIDAndLocalBasePath" + ], + "volume": { + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0x3e5dce88" + }, + "local_base_path": "C:\\Program Files\\SopCast\\SopCast.exe" + }, + "relative_path": "..\\..\\..\\Program Files\\SopCast\\SopCast.exe", + "working_directory": "C:\\Program Files\\SopCast", + "extra": { + "known_folder": { + "id": "7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e", + "offset": 181 + }, + "property_store": { + "properties": [ + { + "name": "SID", + "type": "VT_LPWSTR", + "value": "S-1-5-21-2092377875-1431633947-1539857752-1075" + } + ] + }, + "special_folder": { + "id": 42, + "offset": 181 + }, + "tracker": { + "version": 0, + "machine_id": "al-0149", + "droid": [ + "a0e5ed1e-0d61-4fed-a6e2-afca43a5c04c", + "a7fd65bd-7527-11df-a754-001e4ff01cc7" + 
], + "droid_birth": [ + "a0e5ed1e-0d61-4fed-a6e2-afca43a5c04c", + "a7fd65bd-7527-11df-a754-001e4ff01cc7" + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.seven.05.lnk b/libbeat/formats/fixtures/lnk/native.seven.05.lnk new file mode 100644 index 000000000000..30af0d678f89 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.seven.05.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.seven.05.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.05.lnk.fingerprint new file mode 100644 index 000000000000..4d87027abc75 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.seven.05.lnk.fingerprint @@ -0,0 +1,35 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "DisableKnownFolderTracking", + "HasTargetIDList", + "IsUnicode" + ], + "file_flags": [], + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "RECYCLE_BIN", + "size": 20, + "type_id": 31, + "sha256": "f60454d9b322749cf4092847b9e81572fa4f9aa4df272c462866ef55c0b46657" + }, + { + "name": "Control Panel Category", + "size": 12, + "type_id": 1, + "sha256": "4a6262d4f1d9b6d3342ca0d20934f6e2e39f28314313e7dd0b1751c8558e884d" + }, + { + "size": 30, + "type_id": 113, + "sha256": "15078e6b9eb879d2c4cbc741a2fbc512212eeec68e656892fae4dd6ab26c6ebb" + } + ], + "extra": { + "property_store": {} + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.seven.06.lnk b/libbeat/formats/fixtures/lnk/native.seven.06.lnk new file mode 100644 index 000000000000..5145ca58b778 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.seven.06.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.seven.06.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.06.lnk.fingerprint new file mode 100644 index 000000000000..1e5025d426c8 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.seven.06.lnk.fingerprint 
@@ -0,0 +1,30 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "DisableKnownFolderTracking", + "HasTargetIDList", + "IsUnicode" + ], + "file_flags": [], + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "RECYCLE_BIN", + "size": 20, + "type_id": 31, + "sha256": "f60454d9b322749cf4092847b9e81572fa4f9aa4df272c462866ef55c0b46657" + }, + { + "name": "Control Panel Category", + "size": 12, + "type_id": 1, + "sha256": "4a6262d4f1d9b6d3342ca0d20934f6e2e39f28314313e7dd0b1751c8558e884d" + } + ], + "extra": { + "property_store": {} + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.seven.07.lnk b/libbeat/formats/fixtures/lnk/native.seven.07.lnk new file mode 100644 index 000000000000..99d4e492c447 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.seven.07.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.seven.07.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.07.lnk.fingerprint new file mode 100644 index 000000000000..468d5a5073a7 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.seven.07.lnk.fingerprint 
@@ -0,0 +1,47 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "ForceNoLinkInfo", + "HasArguments", + "HasExpString", + "HasIconLocation", + "HasName", + "HasRelativePath", + "IsUnicode", + "PreferEnvironmentPath" + ], + "file_flags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creation_time": "2009-07-13T23:40:14Z", + "accessed_time": "2009-07-13T23:40:14Z", + "modified_time": "2009-07-14T01:14:15Z", + "file_size": 113152, + "icon_index": 4294967295, + "window_style": "SW_NORMAL" + }, + "name": "@%systemroot%\\system32\\sdcpl.dll,-100", + "relative_path": "..\\..\\..\\..\\..\\..\\Windows\\System32\\control.exe", + "command_line": "/name Microsoft.BackupAndRestore", + "icon_location": "%systemroot%\\system32\\sdcpl.dll", + "extra": { + "environment": { + "ansi": "%SystemRoot%\\System32\\control.exe", + "unicode": "%SystemRoot%\\System32\\control.exe" + }, + "property_store": {}, + "tracker": { + "version": 0, + "machine_id": "win-dc3j5p1qj61", + "droid": [ + "540bb3a6-3f1b-4f04-b746-9c5af7c07867", + "e29ac705-7037-11de-816d-001c23e25b76" + ], + "droid_birth": [ + "540bb3a6-3f1b-4f04-b746-9c5af7c07867", + "e29ac705-7037-11de-816d-001c23e25b76" + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.seven.08.lnk b/libbeat/formats/fixtures/lnk/native.seven.08.lnk new file mode 100644 index 000000000000..5602c10fb4e3 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.seven.08.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.seven.08.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.08.lnk.fingerprint new file mode 100644 index 000000000000..1bc1a5549e03 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.seven.08.lnk.fingerprint 
@@ -0,0 +1,82 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasDarwinID", + "HasExpIcon", + "HasIconLocation", + "HasName", + "HasRelativePath", + "HasTargetIDList", + "IsUnicode" + ], + "file_flags": [], + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" + }, + { + "name": "Drive letter", + "size": 25, + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" + }, + { + "name": "Directory", + "size": 82, + "type_id": 49, + "sha256": "e71acd89cfd4ea2d98b3c7eaf8c0853f0a7e5238fbea43079435761c8187ba7d" + }, + { + "name": "Directory", + "size": 88, + "type_id": 49, + "sha256": "e63a11251663101f0df4b22e128d76fc9648e08756d0892252d544fdc8421230" + }, + { + "name": "Directory", + "size": 176, + "type_id": 49, + "sha256": "120f192356058a8d750dd88ee8a164fa42721ae46c8499734e5b9709799c6c1c" + }, + { + "name": "File", + "size": 94, + "type_id": 50, + "sha256": "7f7400e003233182197171579cf7fcb58b516102981c38728480cd62b217d4b2" + } + ], + "name": "Importez et organisez des photos, des images clip art, des fichiers sons et animation à l'aide de la Bibliothèque multimédia Microsoft.", + "relative_path": "..\\..\\..\\..\\..\\..\\..\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\cagicon.exe", + "icon_location": "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\cagicon.exe", + "extra": { + "darwin": { + "ansi": "xb'BV5!!!!!!!!!MKKSkCAGFiles\u003eFJGjc2{CeAz+$QTBrVhU", + "unicode": "xb'BV5!!!!!!!!!MKKSkCAGFiles\u003eFJGjc2{CeAz+$QTBrVhU" + }, + "icon_environment": { + "ansi": "%SystemRoot%\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\cagicon.exe", + "unicode": "%SystemRoot%\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\cagicon.exe" + }, + "property_store": { + "properties": [ + { + "name": "Comment", + 
"type": "VT_LPWSTR", + "value": "Importez et organisez des photos, des images clip art, des fichiers sons et animation à l'aide de la Bibliothèque multimédia Microsoft." + }, + { + "name": "App User Model Exclude From Show In New Install", + "type": "VT_BOOL", + "value": true + } + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.seven.09.lnk b/libbeat/formats/fixtures/lnk/native.seven.09.lnk new file mode 100644 index 000000000000..18791204b673 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.seven.09.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.seven.09.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.09.lnk.fingerprint new file mode 100644 index 000000000000..4429c4fa8f12 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.seven.09.lnk.fingerprint 
@@ -0,0 +1,108 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasExpString", + "HasLinkInfo", + "HasName", + "HasRelativePath", + "HasTargetIDList", + "HasWorkingDir", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creation_time": "2009-07-13T23:51:37Z", + "accessed_time": "2009-07-13T23:51:37Z", + "modified_time": "2009-07-14T01:14:20Z", + "file_size": 219648, + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" + }, + { + "name": "Drive letter", + "size": 25, + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" + }, + { + "name": "Directory", + "size": 82, + "type_id": 49, + "sha256": "7cc98221fb355ac3c98eea9ed0bf25157463c069d09e01241079f0a8c6d5d3dd" + }, + { + "name": "Directory", + "size": 86, + "type_id": 49, + "sha256": "5f6b27f32ca26e1c1f0fda319c20675c7e632175be08ecd6c185364a4d217ff3" + }, + { + "name": "File", + "size": 94, + "type_id": 50, + "sha256": "c63ae8934e29d153b90528c8b4f7b710b7a286b3ac6ee76ce64f3e58c61f325c" + } + ], + "location": { + "flags": [ + "VolumeIDAndLocalBasePath" + ], + "volume": { + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0x502e1a8a" + }, + "local_base_path": "C:\\Windows\\System32\\fsquirt.exe" + }, + "name": "@C:\\Windows\\system32\\fsquirt.exe,-2305", + "relative_path": "..\\..\\..\\..\\..\\..\\Windows\\System32\\fsquirt.exe", + "working_directory": "C:\\Windows\\system32", + "extra": { + "environment": { + "ansi": "%SystemRoot%\\system32\\fsquirt.exe", + "unicode": "%SystemRoot%\\system32\\fsquirt.exe" + }, + "known_folder": { + "id": "1ac14e77-02e7-4e5d-b744-2eb1ae5198b7", + "offset": 213 + }, + "property_store": { + "properties": [ + { + "name": "Comment", + "type": "VT_LPWSTR", + "value": "Transfère les fichiers entre les périphériques et les 
ordinateurs à l'aide de la technologie sans fil Bluetooth." + }, + { + "name": "SID", + "type": "VT_LPWSTR", + "value": "S-1-5-18" + } + ] + }, + "special_folder": { + "id": 37, + "offset": 213 + }, + "tracker": { + "version": 0, + "machine_id": "win-40r2agv20qa", + "droid": [ + "4f7c66da-d320-4cc4-8d50-165dd98ebc01", + "f892d466-6120-11df-964c-ac3a656c3b1d" + ], + "droid_birth": [ + "4f7c66da-d320-4cc4-8d50-165dd98ebc01", + "f892d466-6120-11df-964c-ac3a656c3b1d" + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.seven.10.lnk b/libbeat/formats/fixtures/lnk/native.seven.10.lnk new file mode 100644 index 000000000000..f936cf9b587f Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.seven.10.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.seven.10.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.10.lnk.fingerprint new file mode 100644 index 000000000000..96b5c854ca5a --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.seven.10.lnk.fingerprint 
@@ -0,0 +1,45 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "ForceNoLinkInfo", + "HasExpString", + "HasIconLocation", + "HasName", + "HasRelativePath", + "IsUnicode", + "PreferEnvironmentPath" + ], + "file_flags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creation_time": "2009-07-13T23:41:28Z", + "accessed_time": "2009-07-13T23:41:28Z", + "modified_time": "2009-07-14T01:14:13Z", + "file_size": 776192, + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "name": "@%SystemRoot%\\system32\\shell32.dll,-22531", + "relative_path": "..\\..\\..\\..\\..\\..\\Windows\\System32\\calc.exe", + "icon_location": "%windir%\\system32\\calc.exe", + "extra": { + "environment": { + "ansi": "%windir%\\system32\\calc.exe", + "unicode": "%windir%\\system32\\calc.exe" + }, + "property_store": {}, + "tracker": { + "version": 0, + "machine_id": "win-dc3j5p1qj61", + "droid": [ + "540bb3a6-3f1b-4f04-b746-9c5af7c07867", + "e29ac71b-7037-11de-816d-001c23e25b76" + ], + "droid_birth": [ + "540bb3a6-3f1b-4f04-b746-9c5af7c07867", + "e29ac71b-7037-11de-816d-001c23e25b76" + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.seven.11.lnk b/libbeat/formats/fixtures/lnk/native.seven.11.lnk new file mode 100644 index 000000000000..1d58cd870686 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.seven.11.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.seven.11.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.11.lnk.fingerprint new file mode 100644 index 000000000000..a9ded9703fc1 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.seven.11.lnk.fingerprint 
@@ -0,0 +1,30 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "DisableKnownFolderTracking", + "HasTargetIDList", + "IsUnicode" + ], + "file_flags": [], + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "RECYCLE_BIN", + "size": 20, + "type_id": 31, + "sha256": "f60454d9b322749cf4092847b9e81572fa4f9aa4df272c462866ef55c0b46657" + }, + { + "name": "Control Panel Category", + "size": 12, + "type_id": 1, + "sha256": "19d9bdc584dc223d08afeed1f4f419fe4986fa533413147081b80c2da6e800ca" + } + ], + "extra": { + "property_store": {} + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.seven.12.lnk b/libbeat/formats/fixtures/lnk/native.seven.12.lnk new file mode 100644 index 000000000000..cec646acd206 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.seven.12.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.seven.12.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.12.lnk.fingerprint new file mode 100644 index 000000000000..f49d5c67eb81 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.seven.12.lnk.fingerprint 
@@ -0,0 +1,47 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "ForceNoLinkInfo", + "HasExpString", + "HasIconLocation", + "HasName", + "HasRelativePath", + "HasWorkingDir", + "IsUnicode", + "PreferEnvironmentPath" + ], + "file_flags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creation_time": "2009-07-14T00:11:56Z", + "accessed_time": "2009-07-14T00:11:56Z", + "modified_time": "2009-07-14T01:14:28Z", + "file_size": 86016, + "icon_index": 4294965857, + "window_style": "SW_NORMAL" + }, + "name": "@%windir%\\system32\\odbcint.dll,-1312", + "relative_path": "..\\..\\..\\..\\..\\..\\Windows\\System32\\odbcad32.exe", + "working_directory": "%windir%\\system32", + "icon_location": "%windir%\\system32\\odbcint.dll", + "extra": { + "environment": { + "ansi": "%windir%\\system32\\odbcad32.exe", + "unicode": "%windir%\\system32\\odbcad32.exe" + }, + "property_store": {}, + "tracker": { + "version": 0, + "machine_id": "win-dc3j5p1qj61", + "droid": [ + "540bb3a6-3f1b-4f04-b746-9c5af7c07867", + "e29ac6fc-7037-11de-816d-001c23e25b76" + ], + "droid_birth": [ + "540bb3a6-3f1b-4f04-b746-9c5af7c07867", + "e29ac6fc-7037-11de-816d-001c23e25b76" + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.seven.13.lnk b/libbeat/formats/fixtures/lnk/native.seven.13.lnk new file mode 100644 index 000000000000..a171b7fd4349 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.seven.13.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.seven.13.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.13.lnk.fingerprint new file mode 100644 index 000000000000..bf2831c2ea94 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.seven.13.lnk.fingerprint 
@@ -0,0 +1,69 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "EnableTargetMetadata", + "HasLinkInfo", + "HasRelativePath", + "HasTargetIDList", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_DIRECTORY", + "FILE_ATTRIBUTE_READONLY" + ], + "creation_time": "2010-05-18T19:24:11Z", + "accessed_time": "2010-05-18T19:24:30Z", + "modified_time": "2010-05-18T19:24:30Z", + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "location": { + "flags": [ + "CommonNetworkRelativeLinkAndPathSuffix", + "VolumeIDAndLocalBasePath" + ], + "common_path_suffix": "Juliette\\Desktop", + "volume": { + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0x502e1a8a", + "volume_label": "SSD-WIN7" + }, + "local_base_path": "C:\\Users\\", + "network_share": { + "flags": [ + "ValidNetType" + ], + "name": "\\\\NETBOOK\\Users" + } + }, + "relative_path": "..\\Desktop", + "extra": { + "property_store": { + "properties": [ + { + "name": "Item Name Display", + "type": "VT_LPWSTR", + "value": "Bureau" + }, + { + "name": "Parsing Path", + "type": "VT_LPWSTR", + "value": "C:\\Users\\Juliette\\Desktop" + } + ] + }, + "tracker": { + "version": 0, + "machine_id": "netbook", + "droid": [ + "4f7c66da-d320-4cc4-8d50-165dd98ebc01", + "f983f11e-62b0-11df-9c95-001377d34a59" + ], + "droid_birth": [ + "4f7c66da-d320-4cc4-8d50-165dd98ebc01", + "f983f11e-62b0-11df-9c95-001377d34a59" + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.seven.14.lnk b/libbeat/formats/fixtures/lnk/native.seven.14.lnk new file mode 100644 index 000000000000..c415050d0ef8 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.seven.14.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.seven.14.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.14.lnk.fingerprint new file mode 100644 index 000000000000..9305f37cc5d8 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.seven.14.lnk.fingerprint 
@@ -0,0 +1,47 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "ForceNoLinkInfo", + "HasArguments", + "HasExpString", + "HasIconLocation", + "HasName", + "HasRelativePath", + "IsUnicode", + "PreferEnvironmentPath" + ], + "file_flags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creation_time": "2009-07-14T00:15:12Z", + "accessed_time": "2009-07-14T00:15:12Z", + "modified_time": "2009-07-14T01:14:45Z", + "file_size": 802304, + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "name": "@%windir%\\system32\\FXSRESM.dll,-121", + "relative_path": "..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\WFS.exe", + "command_line": "/SendTo", + "icon_location": "%windir%\\system32\\WFSR.dll", + "extra": { + "environment": { + "ansi": "%windir%\\system32\\WFS.exe", + "unicode": "%windir%\\system32\\WFS.exe" + }, + "property_store": {}, + "tracker": { + "version": 0, + "machine_id": "win-dc3j5p1qj61", + "droid": [ + "540bb3a6-3f1b-4f04-b746-9c5af7c07867", + "e29ac71a-7037-11de-816d-001c23e25b76" + ], + "droid_birth": [ + "540bb3a6-3f1b-4f04-b746-9c5af7c07867", + "e29ac71a-7037-11de-816d-001c23e25b76" + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.seven.15.lnk b/libbeat/formats/fixtures/lnk/native.seven.15.lnk new file mode 100644 index 000000000000..18971678d24f Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.seven.15.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.seven.15.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.15.lnk.fingerprint new file mode 100644 index 000000000000..ff3b495ffa6b --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.seven.15.lnk.fingerprint 
@@ -0,0 +1,47 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "ForceNoLinkInfo", + "HasArguments", + "HasExpString", + "HasIconLocation", + "HasName", + "HasRelativePath", + "IsUnicode", + "PreferEnvironmentPath" + ], + "file_flags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creation_time": "2009-07-13T23:39:26Z", + "accessed_time": "2009-07-13T23:39:26Z", + "modified_time": "2009-07-14T01:14:23Z", + "file_size": 941568, + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "name": "@%windir%\\system32\\mblctr.exe,-1004", + "relative_path": "..\\..\\..\\..\\..\\..\\Windows\\System32\\mblctr.exe", + "command_line": "/open", + "icon_location": "%windir%\\system32\\mblctr.exe", + "extra": { + "environment": { + "ansi": "%windir%\\system32\\mblctr.exe", + "unicode": "%windir%\\system32\\mblctr.exe" + }, + "property_store": {}, + "tracker": { + "version": 0, + "machine_id": "win-40r2agv20qa", + "droid": [ + "4f7c66da-d320-4cc4-8d50-165dd98ebc01", + "f892d4fb-6120-11df-964c-ac3a656c3b1d" + ], + "droid_birth": [ + "4f7c66da-d320-4cc4-8d50-165dd98ebc01", + "f892d4fb-6120-11df-964c-ac3a656c3b1d" + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.seven.16.lnk b/libbeat/formats/fixtures/lnk/native.seven.16.lnk new file mode 100644 index 000000000000..9fb4fb81ec5b Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.seven.16.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.seven.16.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.16.lnk.fingerprint new file mode 100644 index 000000000000..632cea63b5ae --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.seven.16.lnk.fingerprint 
@@ -0,0 +1,33 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "ForceNoLinkInfo", + "HasIconLocation", + "HasName", + "HasTargetIDList", + "IsUnicode" + ], + "file_flags": [], + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "Users property view", + "size": 20, + "type_id": 31, + "sha256": "2b67f98d3d1de6745ab00ce99bf56db5a9ed94ff2e0bf9393a9c54a821eae7da" + }, + { + "size": 32, + "type_id": 0, + "sha256": "94756e66587275bbf78c7d0caa3800da26570d172745df23e7ed4f14746e09f8" + } + ], + "name": "@%SystemRoot%\\system32\\gameux.dll,-10311", + "icon_location": "%ProgramFiles%\\Microsoft Games\\More Games\\MoreGames.dll", + "extra": { + "property_store": {} + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.seven.17.lnk b/libbeat/formats/fixtures/lnk/native.seven.17.lnk new file mode 100644 index 000000000000..b26d0e7ac90c Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.seven.17.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.seven.17.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.17.lnk.fingerprint new file mode 100644 index 000000000000..3fd192eb67ba --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.seven.17.lnk.fingerprint 
@@ -0,0 +1,45 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "ForceNoLinkInfo", + "HasExpString", + "HasIconLocation", + "HasName", + "HasRelativePath", + "IsUnicode", + "PreferEnvironmentPath" + ], + "file_flags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creation_time": "2009-07-13T21:39:34Z", + "accessed_time": "2009-07-14T01:18:50Z", + "modified_time": "2009-07-14T01:24:31Z", + "file_size": 1073152, + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "name": "@%windir%\\system32\\shell32.dll,-22560", + "relative_path": "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\Narrator.exe", + "icon_location": "%windir%\\system32\\narrator.exe", + "extra": { + "environment": { + "ansi": "%windir%\\system32\\narrator.exe", + "unicode": "%windir%\\system32\\narrator.exe" + }, + "property_store": {}, + "tracker": { + "version": 0, + "machine_id": "win-dc3j5p1qj61", + "droid": [ + "540bb3a6-3f1b-4f04-b746-9c5af7c07867", + "e29ac706-7037-11de-816d-001c23e25b76" + ], + "droid_birth": [ + "540bb3a6-3f1b-4f04-b746-9c5af7c07867", + "e29ac706-7037-11de-816d-001c23e25b76" + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.seven.18.lnk b/libbeat/formats/fixtures/lnk/native.seven.18.lnk new file mode 100644 index 000000000000..449b6ff4e7a1 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.seven.18.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.seven.18.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.18.lnk.fingerprint new file mode 100644 index 000000000000..4295e9745138 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.seven.18.lnk.fingerprint 
@@ -0,0 +1,47 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "ForceNoLinkInfo", + "HasExpString", + "HasIconLocation", + "HasName", + "HasRelativePath", + "HasWorkingDir", + "IsUnicode", + "PreferEnvironmentPath" + ], + "file_flags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creation_time": "2009-07-13T23:41:04Z", + "accessed_time": "2009-07-13T23:41:04Z", + "modified_time": "2009-07-14T01:14:27Z", + "file_size": 179712, + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "name": "@%SystemRoot%\\system32\\Shell32.dll,-22563", + "relative_path": "..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\notepad.exe", + "working_directory": "%HOMEDRIVE%%HOMEPATH%", + "icon_location": "%windir%\\system32\\notepad.exe", + "extra": { + "environment": { + "ansi": "%windir%\\system32\\notepad.exe", + "unicode": "%windir%\\system32\\notepad.exe" + }, + "property_store": {}, + "tracker": { + "version": 0, + "machine_id": "win-dc3j5p1qj61", + "droid": [ + "540bb3a6-3f1b-4f04-b746-9c5af7c07867", + "e29ac70f-7037-11de-816d-001c23e25b76" + ], + "droid_birth": [ + "540bb3a6-3f1b-4f04-b746-9c5af7c07867", + "e29ac70f-7037-11de-816d-001c23e25b76" + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.seven.19.lnk b/libbeat/formats/fixtures/lnk/native.seven.19.lnk new file mode 100644 index 000000000000..2c6f5789b258 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.seven.19.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.seven.19.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.19.lnk.fingerprint new file mode 100644 index 000000000000..df69f6557ffe --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.seven.19.lnk.fingerprint 
@@ -0,0 +1,45 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "ForceNoLinkInfo", + "HasExpString", + "HasIconLocation", + "HasName", + "HasRelativePath", + "IsUnicode", + "PreferEnvironmentPath" + ], + "file_flags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creation_time": "2009-07-14T00:14:01Z", + "accessed_time": "2009-07-14T00:14:01Z", + "modified_time": "2009-07-14T01:14:28Z", + "file_size": 646144, + "icon_index": 4294967295, + "window_style": "SW_NORMAL" + }, + "name": "@%SystemRoot%\\system32\\shell32.dll,-22564", + "relative_path": "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\osk.exe", + "icon_location": "%windir%\\system32\\osk.exe", + "extra": { + "environment": { + "ansi": "%windir%\\system32\\osk.exe", + "unicode": "%windir%\\system32\\osk.exe" + }, + "property_store": {}, + "tracker": { + "version": 0, + "machine_id": "win-dc3j5p1qj61", + "droid": [ + "540bb3a6-3f1b-4f04-b746-9c5af7c07867", + "e29ac704-7037-11de-816d-001c23e25b76" + ], + "droid_birth": [ + "540bb3a6-3f1b-4f04-b746-9c5af7c07867", + "e29ac704-7037-11de-816d-001c23e25b76" + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.seven.20.lnk b/libbeat/formats/fixtures/lnk/native.seven.20.lnk new file mode 100644 index 000000000000..5fffdf6123b3 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.seven.20.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.seven.20.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.20.lnk.fingerprint new file mode 100644 index 000000000000..28098bc5524e --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.seven.20.lnk.fingerprint 
@@ -0,0 +1,45 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "ForceNoLinkInfo", + "HasExpString", + "HasIconLocation", + "HasName", + "HasRelativePath", + "IsUnicode", + "PreferEnvironmentPath" + ], + "file_flags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creation_time": "2009-07-13T23:43:12Z", + "accessed_time": "2009-07-13T23:43:12Z", + "modified_time": "2009-07-14T01:14:26Z", + "file_size": 6376960, + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "name": "@%SystemRoot%\\system32\\shell32.dll,-22566", + "relative_path": "..\\..\\..\\..\\..\\..\\Windows\\System32\\mspaint.exe", + "icon_location": "%windir%\\system32\\mspaint.exe", + "extra": { + "environment": { + "ansi": "%windir%\\system32\\mspaint.exe", + "unicode": "%windir%\\system32\\mspaint.exe" + }, + "property_store": {}, + "tracker": { + "version": 0, + "machine_id": "win-dc3j5p1qj61", + "droid": [ + "540bb3a6-3f1b-4f04-b746-9c5af7c07867", + "e29ac710-7037-11de-816d-001c23e25b76" + ], + "droid_birth": [ + "540bb3a6-3f1b-4f04-b746-9c5af7c07867", + "e29ac710-7037-11de-816d-001c23e25b76" + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.xp.01.lnk b/libbeat/formats/fixtures/lnk/native.xp.01.lnk new file mode 100644 index 000000000000..55dda6b4c5c9 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.xp.01.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.xp.01.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.01.lnk.fingerprint new file mode 100644 index 000000000000..fd0458396f45 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.xp.01.lnk.fingerprint 
@@ -0,0 +1,82 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasArguments", + "HasExpString", + "HasIconLocation", + "HasLinkInfo", + "HasName", + "HasRelativePath", + "HasTargetIDList", + "HasWorkingDir", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creation_time": "2004-08-20T01:03:44Z", + "accessed_time": "2004-08-19T12:00:00Z", + "modified_time": "2004-08-06T00:00:00Z", + "file_size": 35840, + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" + }, + { + "name": "Drive letter", + "size": 25, + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" + }, + { + "name": "Directory", + "size": 60, + "type_id": 49, + "sha256": "33504bcb0a5bc7206d722d13536045f5a8d45d032d34e7a2028cfaf07131d276" + }, + { + "name": "Directory", + "size": 64, + "type_id": 49, + "sha256": "124df81585d766fafe1720fd97fb91727ed23a501fa86303260d39f942d4ee95" + }, + { + "name": "File", + "size": 72, + "type_id": 50, + "sha256": "760576ff55dcd587d07f37af9d8926cc6b35a7e54479fc48acf9d95e4ad7d52c" + } + ], + "location": { + "flags": [ + "VolumeIDAndLocalBasePath" + ], + "volume": { + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0xb832ef92" + }, + "local_base_path": "C:\\WINDOWS\\system32\\rcimlby.exe" + }, + "name": "@%systemroot%\\system32\\rcbdyctl.dll,-151", + "relative_path": "..\\..\\..\\..\\WINDOWS\\system32\\rcimlby.exe", + "working_directory": "%HOMEDRIVE%%HOMEPATH%", + "command_line": "-LaunchRA", + "icon_location": "%SYSTEMROOT%\\system32\\rcimlby.exe", + "extra": { + "environment": { + "ansi": "%SYSTEMROOT%\\system32\\rcimlby.exe", + "unicode": "%SYSTEMROOT%\\system32\\rcimlby.exe" + }, + "special_folder": { + "id": 37, + "offset": 169 + } + } +} \ No newline at end of file 
diff --git a/libbeat/formats/fixtures/lnk/native.xp.02.lnk b/libbeat/formats/fixtures/lnk/native.xp.02.lnk new file mode 100644 index 000000000000..987a807f10e8 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.xp.02.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.xp.02.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.02.lnk.fingerprint new file mode 100644 index 000000000000..fa39ea3f072b --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.xp.02.lnk.fingerprint @@ -0,0 +1,33 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasIconLocation", + "HasName", + "HasTargetIDList", + "HasWorkingDir", + "IsUnicode" + ], + "file_flags": [], + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "Users property view", + "size": 20, + "type_id": 31, + "sha256": "b6d6b0fc4575980bd03dbbb68eb13e12b1b823988a4b57a4edab2bb2c2930cf9" + }, + { + "name": "URI", + "size": 86, + "type_id": 97, + "sha256": "5bf61e9176461c9988fa66440347677a800e489a08c7839cc8011b629bfc87f4" + } + ], + "name": "@%systemRoot%\\system32\\compatUI.dll,-117", + "working_directory": "%HOMEDRIVE%%HOMEPATH%", + "icon_location": "%SystemRoot%\\system32\\compatUI.dll", + "extra": {} +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.xp.03.lnk b/libbeat/formats/fixtures/lnk/native.xp.03.lnk new file mode 100644 index 000000000000..5cbf379040d6 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.xp.03.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.xp.03.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.03.lnk.fingerprint new file mode 100644 index 000000000000..88d23ac041e5 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.xp.03.lnk.fingerprint 
@@ -0,0 +1,78 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasExpString", + "HasLinkInfo", + "HasName", + "HasRelativePath", + "HasTargetIDList", + "HasWorkingDir", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creation_time": "2004-08-20T01:03:39Z", + "accessed_time": "2004-08-19T12:00:00Z", + "modified_time": "2004-08-06T00:00:00Z", + "file_size": 70656, + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" + }, + { + "name": "Drive letter", + "size": 25, + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" + }, + { + "name": "Directory", + "size": 60, + "type_id": 49, + "sha256": "33504bcb0a5bc7206d722d13536045f5a8d45d032d34e7a2028cfaf07131d276" + }, + { + "name": "Directory", + "size": 64, + "type_id": 49, + "sha256": "124df81585d766fafe1720fd97fb91727ed23a501fa86303260d39f942d4ee95" + }, + { + "name": "File", + "size": 72, + "type_id": 50, + "sha256": "f60b197da76aae978d272e20ebc53a0f40a97c4fcaeff126c561391b1cc065cc" + } + ], + "location": { + "flags": [ + "VolumeIDAndLocalBasePath" + ], + "volume": { + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0xb832ef92" + }, + "local_base_path": "C:\\WINDOWS\\system32\\notepad.exe" + }, + "name": "@%SystemRoot%\\system32\\shell32.dll,-22563", + "relative_path": "..\\..\\..\\..\\..\\WINDOWS\\system32\\notepad.exe", + "working_directory": "%HOMEDRIVE%%HOMEPATH%", + "extra": { + "environment": { + "ansi": "%SystemRoot%\\system32\\notepad.exe", + "unicode": "%SystemRoot%\\system32\\notepad.exe" + }, + "special_folder": { + "id": 37, + "offset": 169 + } + } +} \ No newline at end of file 
diff --git a/libbeat/formats/fixtures/lnk/native.xp.04.lnk b/libbeat/formats/fixtures/lnk/native.xp.04.lnk new file mode 100644 index 000000000000..3d595ec483d8 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.xp.04.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.xp.04.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.04.lnk.fingerprint new file mode 100644 index 000000000000..802bd0edbd22 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.xp.04.lnk.fingerprint 
@@ -0,0 +1,86 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasLinkInfo", + "HasName", + "HasRelativePath", + "HasTargetIDList", + "HasWorkingDir", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creation_time": "2004-08-19T12:16:11Z", + "accessed_time": "2004-08-18T23:00:00Z", + "modified_time": "2004-08-05T11:00:00Z", + "file_size": 46080, + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" + }, + { + "name": "Drive letter", + "size": 25, + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" + }, + { + "name": "Directory", + "size": 74, + "type_id": 49, + "sha256": "0e92ea4cb3b7d33ace7b473e6196dd04f87ae86430790e4d74d52424b8835a04" + }, + { + "name": "Directory", + "size": 78, + "type_id": 49, + "sha256": "64587f2c5156542e099060cc844f871875c55e235196afb8a49bda0c96d06bab" + }, + { + "name": "File", + "size": 60, + "type_id": 50, + "sha256": "fbb2a01fced2f0b017ca2b99bfc4eec5c5daae8cb96c695ebb26530ca999223e" + } + ], + "location": { + "flags": [ + "VolumeIDAndLocalBasePath" + ], + "volume": { + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0x10bdbcd3", + "volume_label": "SYSTEM" + }, + "local_base_path": "C:\\Program Files\\Outlook Express\\wab.exe" + }, + "name": "@%SystemRoot%\\system32\\shell32.dll,-22529", + "relative_path": "..\\..\\..\\..\\..\\Program Files\\Outlook Express\\wab.exe", + "working_directory": "%HOMEDRIVE%%HOMEPATH%", + "extra": { + "special_folder": { + "id": 38, + "offset": 119 + }, + "tracker": { + "version": 0, + "machine_id": "al-0142", + "droid": [ + "23863e6a-3d00-4423-b4c5-05fe7266eb5e", + "912b76e5-0bd4-11dd-bcc5-001f3c29339f" + ], + "droid_birth": [ + "23863e6a-3d00-4423-b4c5-05fe7266eb5e", + "912b76e5-0bd4-11dd-bcc5-001f3c29339f" + ] + } + } +} \ No newline at end 
of file diff --git a/libbeat/formats/fixtures/lnk/native.xp.05.lnk b/libbeat/formats/fixtures/lnk/native.xp.05.lnk new file mode 100644 index 000000000000..d1c799b60f38 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.xp.05.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.xp.05.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.05.lnk.fingerprint new file mode 100644 index 000000000000..64938ad5315a --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.xp.05.lnk.fingerprint 
@@ -0,0 +1,78 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasExpString", + "HasLinkInfo", + "HasName", + "HasRelativePath", + "HasTargetIDList", + "HasWorkingDir", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creation_time": "2004-08-20T01:03:42Z", + "accessed_time": "2004-08-19T12:00:00Z", + "modified_time": "2004-08-06T00:00:00Z", + "file_size": 216576, + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" + }, + { + "name": "Drive letter", + "size": 25, + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" + }, + { + "name": "Directory", + "size": 60, + "type_id": 49, + "sha256": "33504bcb0a5bc7206d722d13536045f5a8d45d032d34e7a2028cfaf07131d276" + }, + { + "name": "Directory", + "size": 64, + "type_id": 49, + "sha256": "124df81585d766fafe1720fd97fb91727ed23a501fa86303260d39f942d4ee95" + }, + { + "name": "File", + "size": 60, + "type_id": 50, + "sha256": "361c206cf27900f0e16d34d7b41aace2a6e5e256b8e59a244c217aa4c5b56d55" + } + ], + "location": { + "flags": [ + "VolumeIDAndLocalBasePath" + ], + "volume": { + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0xb832ef92" + }, + "local_base_path": "C:\\WINDOWS\\system32\\osk.exe" + }, + "name": "@%SystemRoot%\\system32\\shell32.dll,-22564", + "relative_path": "..\\..\\..\\..\\..\\..\\WINDOWS\\system32\\osk.exe", + "working_directory": "%HOMEDRIVE%%HOMEPATH%", + "extra": { + "environment": { + "ansi": "%SystemRoot%\\system32\\osk.exe", + "unicode": "%SystemRoot%\\system32\\osk.exe" + }, + "special_folder": { + "id": 37, + "offset": 169 + } + } +} \ No newline at end of file 
diff --git a/libbeat/formats/fixtures/lnk/native.xp.06.lnk b/libbeat/formats/fixtures/lnk/native.xp.06.lnk new file mode 100644 index 000000000000..c0247359226d Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.xp.06.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.xp.06.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.06.lnk.fingerprint new file mode 100644 index 000000000000..106b740db0c7 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.xp.06.lnk.fingerprint 
@@ -0,0 +1,86 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasLinkInfo", + "HasName", + "HasRelativePath", + "HasTargetIDList", + "HasWorkingDir", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creation_time": "2004-08-19T12:16:09Z", + "accessed_time": "2008-04-17T09:55:10Z", + "modified_time": "2004-08-05T11:00:00Z", + "file_size": 93184, + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" + }, + { + "name": "Drive letter", + "size": 25, + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" + }, + { + "name": "Directory", + "size": 74, + "type_id": 49, + "sha256": "0e92ea4cb3b7d33ace7b473e6196dd04f87ae86430790e4d74d52424b8835a04" + }, + { + "name": "Directory", + "size": 82, + "type_id": 49, + "sha256": "ce5079c50db50144897615c77509fbe77207699b9875e6d8ea807e8e2814eafb" + }, + { + "name": "File", + "size": 76, + "type_id": 50, + "sha256": "7dcfeeda1ba6b6aab552965f012835a36968dd0325a924296ca28d98ce1f3552" + } + ], + "location": { + "flags": [ + "VolumeIDAndLocalBasePath" + ], + "volume": { + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0x10bdbcd3", + "volume_label": "SYSTEM" + }, + "local_base_path": "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE" + }, + "name": "@xpsp1res.dll,-11002", + "relative_path": "..\\..\\..\\..\\..\\..\\Program Files\\Internet Explorer\\IEXPLORE.EXE", + "working_directory": "%HOMEDRIVE%%HOMEPATH%", + "extra": { + "special_folder": { + "id": 38, + "offset": 119 + }, + "tracker": { + "version": 0, + "machine_id": "al-0142", + "droid": [ + "23863e6a-3d00-4423-b4c5-05fe7266eb5e", + "912b76e2-0bd4-11dd-bcc5-001f3c29339f" + ], + "droid_birth": [ + "23863e6a-3d00-4423-b4c5-05fe7266eb5e", + "912b76e2-0bd4-11dd-bcc5-001f3c29339f" + ] + } + } +} \ No newline at end of 
file diff --git a/libbeat/formats/fixtures/lnk/native.xp.07.lnk b/libbeat/formats/fixtures/lnk/native.xp.07.lnk new file mode 100644 index 000000000000..3a4cac3b6988 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.xp.07.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.xp.07.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.07.lnk.fingerprint new file mode 100644 index 000000000000..c8b39565dc67 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.xp.07.lnk.fingerprint 
@@ -0,0 +1,74 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasExpString", + "HasIconLocation", + "HasLinkInfo", + "HasName", + "HasRelativePath", + "HasTargetIDList", + "HasWorkingDir", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creation_time": "2004-08-20T01:03:28Z", + "accessed_time": "2004-08-19T12:00:00Z", + "modified_time": "2004-08-06T00:00:00Z", + "file_size": 1036288, + "icon_index": 1, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" + }, + { + "name": "Drive letter", + "size": 25, + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" + }, + { + "name": "Directory", + "size": 60, + "type_id": 49, + "sha256": "33504bcb0a5bc7206d722d13536045f5a8d45d032d34e7a2028cfaf07131d276" + }, + { + "name": "File", + "size": 76, + "type_id": 50, + "sha256": "03be5e4a5bbc17237e00b64988a74ee271945da1af03004335b9c4dd8ec4c807" + } + ], + "location": { + "flags": [ + "VolumeIDAndLocalBasePath" + ], + "volume": { + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0xb832ef92" + }, + "local_base_path": "C:\\WINDOWS\\explorer.exe" + }, + "name": "@%SystemRoot%\\system32\\shell32.dll,-22579", + "relative_path": "..\\..\\..\\..\\..\\WINDOWS\\explorer.exe", + "working_directory": "%HOMEDRIVE%%HOMEPATH%", + "icon_location": "%SystemRoot%\\explorer.exe", + "extra": { + "environment": { + "ansi": "%SystemRoot%\\explorer.exe", + "unicode": "%SystemRoot%\\explorer.exe" + }, + "special_folder": { + "id": 36, + "offset": 105 + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.xp.08.lnk b/libbeat/formats/fixtures/lnk/native.xp.08.lnk new file mode 100644 index 000000000000..1cbce6c12af3 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.xp.08.lnk differ 
diff --git a/libbeat/formats/fixtures/lnk/native.xp.08.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.08.lnk.fingerprint new file mode 100644 index 000000000000..fbc8ff951a8c --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.xp.08.lnk.fingerprint 
@@ -0,0 +1,80 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasArguments", + "HasExpString", + "HasLinkInfo", + "HasName", + "HasRelativePath", + "HasTargetIDList", + "HasWorkingDir", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creation_time": "2004-08-20T01:03:51Z", + "accessed_time": "2004-08-19T12:00:00Z", + "modified_time": "2004-08-06T00:00:00Z", + "file_size": 50176, + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" + }, + { + "name": "Drive letter", + "size": 25, + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" + }, + { + "name": "Directory", + "size": 60, + "type_id": 49, + "sha256": "33504bcb0a5bc7206d722d13536045f5a8d45d032d34e7a2028cfaf07131d276" + }, + { + "name": "Directory", + "size": 64, + "type_id": 49, + "sha256": "124df81585d766fafe1720fd97fb91727ed23a501fa86303260d39f942d4ee95" + }, + { + "name": "File", + "size": 72, + "type_id": 50, + "sha256": "6713e47a9b39d461a433bfa90c97d8ca2da94769355efb3bac3c70d0ff09d149" + } + ], + "location": { + "flags": [ + "VolumeIDAndLocalBasePath" + ], + "volume": { + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0xb832ef92" + }, + "local_base_path": "C:\\WINDOWS\\system32\\utilman.exe" + }, + "name": "@%SystemRoot%\\system32\\shell32.dll,-22577", + "relative_path": "..\\..\\..\\..\\..\\..\\WINDOWS\\system32\\utilman.exe", + "working_directory": "%HOMEDRIVE%%HOMEPATH%", + "command_line": "/start", + "extra": { + "environment": { + "ansi": "%SystemRoot%\\system32\\utilman.exe", + "unicode": "%SystemRoot%\\system32\\utilman.exe" + }, + "special_folder": { + "id": 37, + "offset": 169 + } + } +} \ No newline at end of file 
diff --git a/libbeat/formats/fixtures/lnk/native.xp.09.lnk b/libbeat/formats/fixtures/lnk/native.xp.09.lnk new file mode 100644 index 000000000000..85ea0135ec56 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.xp.09.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.xp.09.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.09.lnk.fingerprint new file mode 100644 index 000000000000..32e3a6121d7e --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.xp.09.lnk.fingerprint 
@@ -0,0 +1,86 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasLinkInfo", + "HasName", + "HasRelativePath", + "HasTargetIDList", + "HasWorkingDir", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creation_time": "2004-08-19T12:16:09Z", + "accessed_time": "2008-04-17T09:55:10Z", + "modified_time": "2004-08-05T11:00:00Z", + "file_size": 93184, + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" + }, + { + "name": "Drive letter", + "size": 25, + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" + }, + { + "name": "Directory", + "size": 74, + "type_id": 49, + "sha256": "0e92ea4cb3b7d33ace7b473e6196dd04f87ae86430790e4d74d52424b8835a04" + }, + { + "name": "Directory", + "size": 82, + "type_id": 49, + "sha256": "ce5079c50db50144897615c77509fbe77207699b9875e6d8ea807e8e2814eafb" + }, + { + "name": "File", + "size": 76, + "type_id": 50, + "sha256": "7dcfeeda1ba6b6aab552965f012835a36968dd0325a924296ca28d98ce1f3552" + } + ], + "location": { + "flags": [ + "VolumeIDAndLocalBasePath" + ], + "volume": { + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0x10bdbcd3", + "volume_label": "SYSTEM" + }, + "local_base_path": "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE" + }, + "name": "@xpsp1res.dll,-11002", + "relative_path": "..\\..\\..\\..\\Program Files\\Internet Explorer\\IEXPLORE.EXE", + "working_directory": "%HOMEDRIVE%%HOMEPATH%", + "extra": { + "special_folder": { + "id": 38, + "offset": 119 + }, + "tracker": { + "version": 0, + "machine_id": "al-0142", + "droid": [ + "23863e6a-3d00-4423-b4c5-05fe7266eb5e", + "912b76e2-0bd4-11dd-bcc5-001f3c29339f" + ], + "droid_birth": [ + "23863e6a-3d00-4423-b4c5-05fe7266eb5e", + "912b76e2-0bd4-11dd-bcc5-001f3c29339f" + ] + } + } +} \ No newline at end of file 
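Review bot: the second GUID in each `droid` / `droid_birth` pair of this tracker block (`912b76e2-0bd4-11dd-bcc5-001f3c29339f`, and likewise `e29ac704-7037-11de-816d-001c23e25b76` in the Windows 7 fixtures) is a version-1 UUID, so its node field is the generating host's MAC address and its time fields are a 100-ns timestamp; together with `machine_id` (`al-0142`) that is the part of LinkTrackerData analysts actually key on, and the fingerprint currently emits it only as an opaque string. Consider either surfacing derived `mac`/`timestamp` fields next to `droid`, or stating in the format's documentation that they are deliberately left undecoded; either way the fixtures README should record where these samples come from, since they carry real host identifiers.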
diff --git a/libbeat/formats/fixtures/lnk/native.xp.10.lnk b/libbeat/formats/fixtures/lnk/native.xp.10.lnk new file mode 100644 index 000000000000..2423305b7bc2 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.xp.10.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.xp.10.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.10.lnk.fingerprint new file mode 100644 index 000000000000..a990546dd751 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.xp.10.lnk.fingerprint 
@@ -0,0 +1,80 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasExpString", + "HasIconLocation", + "HasLinkInfo", + "HasName", + "HasRelativePath", + "HasTargetIDList", + "HasWorkingDir", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creation_time": "2004-08-20T01:03:16Z", + "accessed_time": "2004-08-19T12:00:00Z", + "modified_time": "2004-08-06T00:00:00Z", + "file_size": 400896, + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" + }, + { + "name": "Drive letter", + "size": 25, + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" + }, + { + "name": "Directory", + "size": 60, + "type_id": 49, + "sha256": "33504bcb0a5bc7206d722d13536045f5a8d45d032d34e7a2028cfaf07131d276" + }, + { + "name": "Directory", + "size": 64, + "type_id": 49, + "sha256": "124df81585d766fafe1720fd97fb91727ed23a501fa86303260d39f942d4ee95" + }, + { + "name": "File", + "size": 60, + "type_id": 50, + "sha256": "d4a1fef6d5e84c2847ed0354c20bd9881931244f439378ad792dd85a3908fda5" + } + ], + "location": { + "flags": [ + "VolumeIDAndLocalBasePath" + ], + "volume": { + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0xb832ef92" + }, + "local_base_path": "C:\\WINDOWS\\system32\\cmd.exe" + }, + "name": "@%SystemRoot%\\system32\\shell32.dll,-22534", + "relative_path": "..\\..\\..\\..\\..\\WINDOWS\\system32\\cmd.exe", + "working_directory": "%HOMEDRIVE%%HOMEPATH%", + "icon_location": "%SystemRoot%\\system32\\cmd.exe", + "extra": { + "environment": { + "ansi": "%SystemRoot%\\system32\\cmd.exe", + "unicode": "%SystemRoot%\\system32\\cmd.exe" + }, + "special_folder": { + "id": 37, + "offset": 169 + } + } +} \ No newline at end of file 
diff --git a/libbeat/formats/fixtures/lnk/native.xp.11.lnk b/libbeat/formats/fixtures/lnk/native.xp.11.lnk new file mode 100644 index 000000000000..c2e11a2dfcfb Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.xp.11.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.xp.11.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.11.lnk.fingerprint new file mode 100644 index 000000000000..56232552990c --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.xp.11.lnk.fingerprint 
@@ -0,0 +1,86 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasArguments", + "HasLinkInfo", + "HasName", + "HasRelativePath", + "HasTargetIDList", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creation_time": "2004-08-19T12:16:15Z", + "accessed_time": "2008-04-17T09:07:57Z", + "modified_time": "2004-08-05T11:00:00Z", + "file_size": 73728, + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" + }, + { + "name": "Drive letter", + "size": 25, + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" + }, + { + "name": "Directory", + "size": 74, + "type_id": 49, + "sha256": "0e92ea4cb3b7d33ace7b473e6196dd04f87ae86430790e4d74d52424b8835a04" + }, + { + "name": "Directory", + "size": 88, + "type_id": 49, + "sha256": "6565f989f2d926802e9d7bd77bb2db9e0e06b43483aee226cee41ba5da4fd9bf" + }, + { + "name": "File", + "size": 76, + "type_id": 50, + "sha256": "b5e33a19db51e49cb71c212dba89453071d7f3397d1cac620f6cac8395e8082f" + } + ], + "location": { + "flags": [ + "VolumeIDAndLocalBasePath" + ], + "volume": { + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0x10bdbcd3", + "volume_label": "SYSTEM" + }, + "local_base_path": "C:\\Program Files\\Windows Media Player\\wmplayer.exe" + }, + "name": "@%SystemRoot%\\inf\\unregmp2.exe,-155", + "relative_path": "..\\..\\..\\..\\Program Files\\Windows Media Player\\wmplayer.exe", + "command_line": "/prefetch:1", + "extra": { + "special_folder": { + "id": 38, + "offset": 119 + }, + "tracker": { + "version": 0, + "machine_id": "al-0142", + "droid": [ + "23863e6a-3d00-4423-b4c5-05fe7266eb5e", + "912b76e4-0bd4-11dd-bcc5-001f3c29339f" + ], + "droid_birth": [ + "23863e6a-3d00-4423-b4c5-05fe7266eb5e", + "912b76e4-0bd4-11dd-bcc5-001f3c29339f" + ] + } + } +} \ No newline at end of 
file diff --git a/libbeat/formats/fixtures/lnk/native.xp.12.lnk b/libbeat/formats/fixtures/lnk/native.xp.12.lnk new file mode 100644 index 000000000000..810ccc4da555 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.xp.12.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.xp.12.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.12.lnk.fingerprint new file mode 100644 index 000000000000..68624a06a5ce --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.xp.12.lnk.fingerprint 
@@ -0,0 +1,78 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasExpString", + "HasLinkInfo", + "HasName", + "HasRelativePath", + "HasTargetIDList", + "HasWorkingDir", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creation_time": "2004-08-20T01:03:33Z", + "accessed_time": "2004-08-19T12:00:00Z", + "modified_time": "2004-08-06T00:00:00Z", + "file_size": 73216, + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" + }, + { + "name": "Drive letter", + "size": 25, + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" + }, + { + "name": "Directory", + "size": 60, + "type_id": 49, + "sha256": "33504bcb0a5bc7206d722d13536045f5a8d45d032d34e7a2028cfaf07131d276" + }, + { + "name": "Directory", + "size": 64, + "type_id": 49, + "sha256": "124df81585d766fafe1720fd97fb91727ed23a501fa86303260d39f942d4ee95" + }, + { + "name": "File", + "size": 72, + "type_id": 50, + "sha256": "210f5cdafe77225370bdbba5cc7995f1329697916d86b6e294da34705eb14214" + } + ], + "location": { + "flags": [ + "VolumeIDAndLocalBasePath" + ], + "volume": { + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0xb832ef92" + }, + "local_base_path": "C:\\WINDOWS\\system32\\magnify.exe" + }, + "name": "@%SystemRoot%\\system32\\shell32.dll,-22553", + "relative_path": "..\\..\\..\\..\\..\\..\\WINDOWS\\system32\\magnify.exe", + "working_directory": "%HOMEDRIVE%%HOMEPATH%", + "extra": { + "environment": { + "ansi": "%SystemRoot%\\system32\\magnify.exe", + "unicode": "%SystemRoot%\\system32\\magnify.exe" + }, + "special_folder": { + "id": 37, + "offset": 169 + } + } +} \ No newline at end of file 
diff --git a/libbeat/formats/fixtures/lnk/native.xp.13.lnk b/libbeat/formats/fixtures/lnk/native.xp.13.lnk new file mode 100644 index 000000000000..d0c32b57ca21 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.xp.13.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.xp.13.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.13.lnk.fingerprint new file mode 100644 index 000000000000..1d2d2a585abd --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.xp.13.lnk.fingerprint 
@@ -0,0 +1,78 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasExpString", + "HasLinkInfo", + "HasName", + "HasRelativePath", + "HasTargetIDList", + "HasWorkingDir", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creation_time": "2004-08-20T01:03:34Z", + "accessed_time": "2004-08-19T12:00:00Z", + "modified_time": "2004-08-06T00:00:00Z", + "file_size": 144384, + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" + }, + { + "name": "Drive letter", + "size": 25, + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" + }, + { + "name": "Directory", + "size": 60, + "type_id": 49, + "sha256": "33504bcb0a5bc7206d722d13536045f5a8d45d032d34e7a2028cfaf07131d276" + }, + { + "name": "Directory", + "size": 64, + "type_id": 49, + "sha256": "124df81585d766fafe1720fd97fb91727ed23a501fa86303260d39f942d4ee95" + }, + { + "name": "File", + "size": 72, + "type_id": 50, + "sha256": "bdef8d596eb5e8593a83e6f2fe9266165c420725dd956baffc3c291cf2ee99bd" + } + ], + "location": { + "flags": [ + "VolumeIDAndLocalBasePath" + ], + "volume": { + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0xb832ef92" + }, + "local_base_path": "C:\\WINDOWS\\system32\\mobsync.exe" + }, + "name": "@%SystemRoot%\\system32\\shell32.dll,-22574", + "relative_path": "..\\..\\..\\..\\..\\WINDOWS\\system32\\mobsync.exe", + "working_directory": "%HOMEDRIVE%%HOMEPATH%", + "extra": { + "environment": { + "ansi": "%SystemRoot%\\system32\\mobsync.exe", + "unicode": "%SystemRoot%\\system32\\mobsync.exe" + }, + "special_folder": { + "id": 37, + "offset": 169 + } + } +} \ No newline at end of file 
diff --git a/libbeat/formats/fixtures/lnk/native.xp.14.lnk b/libbeat/formats/fixtures/lnk/native.xp.14.lnk new file mode 100644 index 000000000000..f6bb31d9e747 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.xp.14.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.xp.14.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.14.lnk.fingerprint new file mode 100644 index 000000000000..582847189ef0 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.xp.14.lnk.fingerprint 
@@ -0,0 +1,78 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasExpString", + "HasLinkInfo", + "HasName", + "HasRelativePath", + "HasTargetIDList", + "HasWorkingDir", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creation_time": "2004-08-20T01:03:16Z", + "accessed_time": "2004-08-19T12:00:00Z", + "modified_time": "2004-08-06T00:00:00Z", + "file_size": 347136, + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" + }, + { + "name": "Drive letter", + "size": 25, + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" + }, + { + "name": "Directory", + "size": 60, + "type_id": 49, + "sha256": "33504bcb0a5bc7206d722d13536045f5a8d45d032d34e7a2028cfaf07131d276" + }, + { + "name": "Directory", + "size": 64, + "type_id": 49, + "sha256": "124df81585d766fafe1720fd97fb91727ed23a501fa86303260d39f942d4ee95" + }, + { + "name": "File", + "size": 78, + "type_id": 50, + "sha256": "2836bf377a587fbb79ccd8b3568fe7f9851eab2a2d1329a21ef222ba6ca5d500" + } + ], + "location": { + "flags": [ + "VolumeIDAndLocalBasePath" + ], + "volume": { + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0xb832ef92" + }, + "local_base_path": "C:\\WINDOWS\\system32\\tourstart.exe" + }, + "name": "@%SystemRoot%\\system32\\tourstart.exe,-2", + "relative_path": "..\\..\\..\\..\\..\\WINDOWS\\system32\\tourstart.exe", + "working_directory": "%HOMEDRIVE%%HOMEPATH%", + "extra": { + "environment": { + "ansi": "%SystemRoot%\\system32\\tourstart.exe", + "unicode": "%SystemRoot%\\system32\\tourstart.exe" + }, + "special_folder": { + "id": 37, + "offset": 169 + } + } +} \ No newline at end of file 
diff --git a/libbeat/formats/fixtures/lnk/native.xp.15.lnk b/libbeat/formats/fixtures/lnk/native.xp.15.lnk new file mode 100644 index 000000000000..a570d108952a Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.xp.15.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.xp.15.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.15.lnk.fingerprint new file mode 100644 index 000000000000..1c580a537d8a --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.xp.15.lnk.fingerprint @@ -0,0 +1,62 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasLinkInfo", + "HasRelativePath", + "HasTargetIDList", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_DIRECTORY", + "FILE_ATTRIBUTE_READONLY" + ], + "creation_time": "2004-08-20T01:16:19Z", + "accessed_time": "2004-08-19T12:00:00Z", + "modified_time": "2004-08-20T01:16:48Z", + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" + }, + { + "name": "User profile", + "size": 50, + "type_id": 46, + "sha256": "18985b6bff0f7bf5db513ddd53be1fecd6ed4c10c21df6baced373b82ba1d497" + }, + { + "name": "Directory", + "size": 88, + "type_id": 49, + "sha256": "4ec58bf37f7d3b5982a81d1928a4738b7629dfddf5f0b5d8332b5867460131fc" + }, + { + "size": 98, + "type_id": 53, + "sha256": "44a10b03d7e0d30733c07bcbca835ff48c72b88763b794214d87b667dc168874" + } + ], + "location": { + "flags": [ + "VolumeIDAndLocalBasePath" + ], + "volume": { + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0xb832ef92" + }, + "local_base_path": "C:\\Documents and Settings\\All Users\\Documents\\Mes images\\\ufffdchantillons d'images" + }, + "relative_path": "..\\..\\..\\All Users\\Documents\\Mes images\\Échantillons d'images", + "extra": { + "special_folder": { + "id": 54, + "offset": 158 + } + } +} \ No newline at end of file 
diff --git a/libbeat/formats/fixtures/lnk/native.xp.16.lnk b/libbeat/formats/fixtures/lnk/native.xp.16.lnk new file mode 100644 index 000000000000..2b9848f5a961 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.xp.16.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.xp.16.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.16.lnk.fingerprint new file mode 100644 index 000000000000..7e4631a9caf0 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.xp.16.lnk.fingerprint @@ -0,0 +1,62 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasLinkInfo", + "HasRelativePath", + "HasTargetIDList", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_DIRECTORY", + "FILE_ATTRIBUTE_READONLY" + ], + "creation_time": "2004-08-20T01:16:19Z", + "accessed_time": "2004-08-19T12:00:00Z", + "modified_time": "2004-08-20T01:16:48Z", + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" + }, + { + "name": "User profile", + "size": 50, + "type_id": 46, + "sha256": "18985b6bff0f7bf5db513ddd53be1fecd6ed4c10c21df6baced373b82ba1d497" + }, + { + "name": "Directory", + "size": 88, + "type_id": 49, + "sha256": "345165d205551d013be4d95cc086225a88f82562728fcc9706568f60e1c06796" + }, + { + "size": 102, + "type_id": 53, + "sha256": "ff4dc4fb64d9a14ca88b5727173c8ae390858e7edff2df3580526fe16a220e19" + } + ], + "location": { + "flags": [ + "VolumeIDAndLocalBasePath" + ], + "volume": { + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0xb832ef92" + }, + "local_base_path": "C:\\Documents and Settings\\All Users\\Documents\\Ma musique\\\ufffdchantillons de musique" + }, + "relative_path": "..\\..\\..\\All Users\\Documents\\Ma musique\\Échantillons de musique", + "extra": { + "special_folder": { + "id": 53, + "offset": 158 + } + } +} \ No newline at end of file 
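Review bot: the `local_base_path` values in the native.xp.15 and native.xp.16 fingerprints freeze a lossy decode (`...Mes images\\\ufffdchantillons d'images`) while the `relative_path` in the same hunk reads `Échantillons d'images`. The LinkInfo local base path is the ANSI, code-page string (cp1252 here, where `É` is the single byte 0xC9) and decoding it as UTF-8 yields U+FFFD; the `relative_path` is correct only because it comes from the UTF-16 StringData selected by `IsUnicode`. The same pattern recurs in net_win31j (`\ufffd\ufffd\ufffd\ufffd\ufffdN\ufffd\ufffd.txt` for `リンク先.txt`, the cp932 bytes with only the ASCII `N` surviving) and in the `QUALIT\ufffd` share name of the remote.* fixtures. Committing the replacement characters as expected output means the tests pass on a decoder that silently loses part of a path, the opposite of what a forensic fingerprint should do. Prefer the Unicode LinkInfo variants (`LocalBasePathUnicode`, `CommonPathSuffixUnicode`) when the header carries them, otherwise decode with a configurable code page or keep the raw bytes alongside as hex, and regenerate these fixtures afterwards; if the lossy output is intentional for now, say so in the loader test or a README next to the fixtures.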
diff --git a/libbeat/formats/fixtures/lnk/native.xp.17.lnk b/libbeat/formats/fixtures/lnk/native.xp.17.lnk new file mode 100644 index 000000000000..1353087869e4 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.xp.17.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.xp.17.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.17.lnk.fingerprint new file mode 100644 index 000000000000..0b00ba70aa42 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.xp.17.lnk.fingerprint 
@@ -0,0 +1,86 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasLinkInfo", + "HasName", + "HasRelativePath", + "HasTargetIDList", + "HasWorkingDir", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creation_time": "2004-08-19T12:16:10Z", + "accessed_time": "2004-08-18T23:00:00Z", + "modified_time": "2004-08-05T11:00:00Z", + "file_size": 60416, + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" + }, + { + "name": "Drive letter", + "size": 25, + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" + }, + { + "name": "Directory", + "size": 74, + "type_id": 49, + "sha256": "0e92ea4cb3b7d33ace7b473e6196dd04f87ae86430790e4d74d52424b8835a04" + }, + { + "name": "Directory", + "size": 78, + "type_id": 49, + "sha256": "64587f2c5156542e099060cc844f871875c55e235196afb8a49bda0c96d06bab" + }, + { + "name": "File", + "size": 66, + "type_id": 50, + "sha256": "3688c322d34ecdc63be6c20b023af853d2a1f59971747853a4a62129786016d7" + } + ], + "location": { + "flags": [ + "VolumeIDAndLocalBasePath" + ], + "volume": { + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0x10bdbcd3", + "volume_label": "SYSTEM" + }, + "local_base_path": "C:\\Program Files\\Outlook Express\\msimn.exe" + }, + "name": "@xpsp1res.dll,-11005", + "relative_path": "..\\..\\..\\..\\Program Files\\Outlook Express\\msimn.exe", + "working_directory": "%HOMEDRIVE%%HOMEPATH%", + "extra": { + "special_folder": { + "id": 38, + "offset": 119 + }, + "tracker": { + "version": 0, + "machine_id": "al-0142", + "droid": [ + "23863e6a-3d00-4423-b4c5-05fe7266eb5e", + "912b76e3-0bd4-11dd-bcc5-001f3c29339f" + ], + "droid_birth": [ + "23863e6a-3d00-4423-b4c5-05fe7266eb5e", + "912b76e3-0bd4-11dd-bcc5-001f3c29339f" + ] + } + } +} \ No newline at end of file 
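Review bot: the fixtures added here carry identifying data from the machines that created them and nothing in the diff documents their origin: `machine_id` values such as `al-0142` in this hunk and `als-fichiers7`, `als-fichiers3` and `fatality` in later ones, French-locale user paths (`Lecteur Drag-to-Disc`, `Administrateur`, `Mes images`), a network share `\\ALS-FICHIERS7\D$`, and `droid`/`droid_birth` GUIDs such as `912b76e3-0bd4-11dd-bcc5-001f3c29339f`, whose version nibble is 1, meaning the final 48 bits (`001f3c29339f`) are normally the NIC MAC address of the originating host and the leading fields a creation timestamp. Add a README (or a comment in the loader test) beside `libbeat/formats/fixtures/lnk/` stating which public test corpus these .lnk files come from and under what license, so a reviewer can confirm they are published samples rather than files lifted from a customer or internal host.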
diff --git a/libbeat/formats/fixtures/lnk/native.xp.18.lnk b/libbeat/formats/fixtures/lnk/native.xp.18.lnk new file mode 100644 index 000000000000..77370ee9118f Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.xp.18.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.xp.18.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.18.lnk.fingerprint new file mode 100644 index 000000000000..cdfe155e7175 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.xp.18.lnk.fingerprint @@ -0,0 +1,31 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasName", + "HasTargetIDList", + "HasWorkingDir", + "IsUnicode" + ], + "file_flags": [], + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" + }, + { + "name": "Drive letter", + "size": 41, + "type_id": 47, + "sha256": "9a34e0b473c2e492c168b9e909db999a0f661e2c56c2e935356aa472e18a4eba" + } + ], + "name": "Lecteur Drag-to-Disc", + "working_directory": "D:\\", + "extra": {} +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.xp.19.lnk b/libbeat/formats/fixtures/lnk/native.xp.19.lnk new file mode 100644 index 000000000000..e22aba3532e1 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.xp.19.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.xp.19.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.19.lnk.fingerprint new file mode 100644 index 000000000000..ed00fc3dbc6f --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.xp.19.lnk.fingerprint 
@@ -0,0 +1,31 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasName", + "HasTargetIDList", + "HasWorkingDir", + "IsUnicode" + ], + "file_flags": [], + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "MY_COMPUTER", + "size": 20, + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" + }, + { + "name": "Drive letter", + "size": 25, + "type_id": 47, + "sha256": "ad39eb6a19c31c41c88df2c4b58168683d09220691d4f8cf2c58274f1dca3d57" + } + ], + "name": "Lecteur Drag-to-Disc", + "working_directory": "E:\\", + "extra": {} +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.xp.20.lnk b/libbeat/formats/fixtures/lnk/native.xp.20.lnk new file mode 100644 index 000000000000..60ef8448dca0 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/native.xp.20.lnk differ diff --git a/libbeat/formats/fixtures/lnk/native.xp.20.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.20.lnk.fingerprint new file mode 100644 index 000000000000..cab05b31999d --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.xp.20.lnk.fingerprint 
@@ -0,0 +1,108 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasLinkInfo", + "HasTargetIDList", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_DIRECTORY" + ], + "creation_time": "2007-02-05T14:52:40Z", + "accessed_time": "2008-04-17T09:12:06Z", + "modified_time": "2007-02-05T14:52:41Z", + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "INTERNET_EXPLORER", + "size": 20, + "type_id": 31, + "sha256": "e5195069b02302adc92598b7a8e87732d75cf4a0fc6182b267676fc323a1e5e7" + }, + { + "size": 50, + "type_id": 71, + "sha256": "a767a5a7314be4f7af859afbfd30bc7fe72067b43359c758386ba3085e888c27" + }, + { + "size": 136, + "type_id": 70, + "sha256": "a46d51ce6e398d5d134a1d36f079e4c2297aeecea2312d578a794adb9e5c7224" + }, + { + "size": 36, + "type_id": 65, + "sha256": "587cd34ec942f8cde567ccea2ab19298247035a28eeff0c9c24095cd14e1a85e" + }, + { + "size": 41, + "type_id": 66, + "sha256": "395580e02c9d7d2951c1d8f724af7f8a17ef1a61f401d294eda8c0063e6eb364" + }, + { + "name": "Network location", + "size": 175, + "type_id": 195, + "sha256": "fb44c4ef44c34e303786b835f2447de5caad62133c6dcf291aa0bc511f301cf8" + }, + { + "name": "Directory", + "size": 60, + "type_id": 49, + "sha256": "ad4a2dcf641f9a38f5a4b0a9b0b1cd2c28d83991ce73467a8cf7ea7c33e2f4e0" + }, + { + "name": "Directory", + "size": 74, + "type_id": 49, + "sha256": "76933fb66eaeef51c350bdf0b22cc954b854e36c195eb695deaa5563fc1375ed" + }, + { + "name": "Directory", + "size": 76, + "type_id": 49, + "sha256": "8e7a35254cd8aa31bf509d77373488c86cc00d3890182548fcc81dfe4b27291c" + }, + { + "name": "Directory", + "size": 58, + "type_id": 49, + "sha256": "76ebef0ab661fab3af5f8603b2d91352ad01d0555bc07975ced837274d1f8ee5" + }, + { + "name": "Directory", + "size": 52, + "type_id": 49, + "sha256": "c3bd864934e3eaca85f5ab392c071ccf02fe3df97a795cff1d79cc2f14f8c812" + } + ], + "location": { + "flags": [ + "CommonNetworkRelativeLinkAndPathSuffix" + ], + 
"common_path_suffix": "Install\\Install_Softs\\Administrateur\\Newsid\\2003", + "network_share": { + "flags": [ + "ValidNetType" + ], + "name": "\\\\ALS-FICHIERS7\\D$" + } + }, + "extra": { + "tracker": { + "version": 0, + "machine_id": "als-fichiers7", + "droid": [ + "00000000-0000-0000-0000-000000000000", + "4d1dcd06-fce5-11dc-8902-0015c5fbcbe3" + ], + "droid_birth": [ + "00000000-0000-0000-0000-000000000000", + "4d1dcd06-fce5-11dc-8902-0015c5fbcbe3" + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/net_unicode.lnk b/libbeat/formats/fixtures/lnk/net_unicode.lnk new file mode 100644 index 000000000000..532e8b521966 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/net_unicode.lnk differ diff --git a/libbeat/formats/fixtures/lnk/net_unicode.lnk.fingerprint b/libbeat/formats/fixtures/lnk/net_unicode.lnk.fingerprint new file mode 100644 index 000000000000..afbbdd80606c --- /dev/null +++ b/libbeat/formats/fixtures/lnk/net_unicode.lnk.fingerprint 
@@ -0,0 +1,97 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "EnableTargetMetadata", + "HasExpString", + "HasLinkInfo", + "HasWorkingDir", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_NORMAL" + ], + "creation_time": "2019-07-08T14:05:42Z", + "accessed_time": "2019-07-08T14:06:30Z", + "modified_time": "2019-07-08T14:05:42Z", + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "location": { + "flags": [ + "CommonNetworkRelativeLinkAndPathSuffix" + ], + "common_path_suffix": "??.txt", + "network_share": { + "flags": [ + "ValidNetType" + ], + "name": "\\\\TEST\\SHARE" + } + }, + "working_directory": "\\\\test\\share", + "extra": { + "environment": { + "ansi": "\\\\test\\share\\??.txt", + "unicode": "\\\\test\\share\\💎.txt" + }, + "property_store": { + "properties": [ + { + "name": "Item Name Display", + "type": "VT_LPWSTR", + "value": "💎.txt" + }, + { + "name": "Parsing Path", + "type": "VT_LPWSTR", + "value": "\\\\test\\share\\💎.txt" + }, + { + "name": "Item Folder Path Display", + "type": "VT_LPWSTR", + "value": "\\\\test\\share" + } + ] + }, + "tracker": { + "version": 0, + "machine_id": "test", + "droid": [ + "73923651-e5fd-ff4e-91cc-d50f13310bfc", + "0000a804-0000-0000-0dcf-180000000000" + ], + "droid_birth": [ + "73923650-e5fd-ff4e-91cc-d50f13310bfc", + "0000a804-0000-0000-0dcf-180000000000" + ] + }, + "vista_and_above_id_list": { + "shellbags": [ + { + "name": "Users property view", + "size": 20, + "type_id": 31, + "sha256": "39a497e3b1e2d328ec88df1bbe8de598540d152c29b2a56627cff92f624c4bb3" + }, + { + "size": 171, + "type_id": 0, + "sha256": "4bc6ed31b49e4b6f2482b2a5bfc44ec3401841d3cb8aaca5b1df8b7b87380f09" + }, + { + "name": "Network location", + "size": 39, + "type_id": 195, + "sha256": "8275bc1e94cec22e8e079b9c2b2731b8fb6ff1e36b0d0d4c6d5d3e9ba133afea" + }, + { + "name": "File", + "size": 90, + "type_id": 50, + "sha256": "c04122979f9b6ef516c2861ae50bb1283ef67d8c737ec08d9673cbaadcc84c06" + } + ] + } + } 
+} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/net_unicode2.lnk b/libbeat/formats/fixtures/lnk/net_unicode2.lnk new file mode 100644 index 000000000000..dd39c5345715 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/net_unicode2.lnk differ diff --git a/libbeat/formats/fixtures/lnk/net_unicode2.lnk.fingerprint b/libbeat/formats/fixtures/lnk/net_unicode2.lnk.fingerprint new file mode 100644 index 000000000000..5866f9579ba4 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/net_unicode2.lnk.fingerprint 
@@ -0,0 +1,98 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "EnableTargetMetadata", + "HasExpString", + "HasLinkInfo", + "HasWorkingDir", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_NORMAL" + ], + "creation_time": "2019-07-08T14:04:50Z", + "accessed_time": "2019-07-09T13:31:07Z", + "modified_time": "2019-07-08T14:04:50Z", + "file_size": 10, + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "location": { + "flags": [ + "CommonNetworkRelativeLinkAndPathSuffix" + ], + "common_path_suffix": "\ufffd\ufffd\ufffd\ufffd\ufffdN\ufffd\ufffd.txt", + "network_share": { + "flags": [ + "ValidNetType" + ], + "name": "\\\\TEST\\??" + } + }, + "working_directory": "\\\\test\\📂", + "extra": { + "environment": { + "ansi": "\\\\test\\??\\\ufffd\ufffd\ufffd\ufffd\ufffdN\ufffd\ufffd.txt", + "unicode": "\\\\test\\📂\\リンク先.txt" + }, + "property_store": { + "properties": [ + { + "name": "Item Name Display", + "type": "VT_LPWSTR", + "value": "リンク先.txt" + }, + { + "name": "Parsing Path", + "type": "VT_LPWSTR", + "value": "\\\\test\\📂\\リンク先.txt" + }, + { + "name": "Item Folder Path Display", + "type": "VT_LPWSTR", + "value": "\\\\test\\📂" + } + ] + }, + "tracker": { + "version": 0, + "machine_id": "test", + "droid": [ + "8af13753-d44b-f198-1366-c15ed7085770", + "0000a804-0000-0000-3346-190000000000" + ], + "droid_birth": [ + "8af13752-d44b-f198-1366-c15ed7085770", + "0000a804-0000-0000-3346-190000000000" + ] + }, + "vista_and_above_id_list": { + "shellbags": [ + { + "name": "Users property view", + "size": 20, + "type_id": 31, + "sha256": "39a497e3b1e2d328ec88df1bbe8de598540d152c29b2a56627cff92f624c4bb3" + }, + { + "size": 171, + "type_id": 0, + "sha256": "4bc6ed31b49e4b6f2482b2a5bfc44ec3401841d3cb8aaca5b1df8b7b87380f09" + }, + { + "name": "Network location", + "size": 94, + "type_id": 195, + "sha256": "aa73f540ef1254e02b4edb3ddd6126b0b306f722855e22af3e5b687f6b03a558" + }, + { + "name": "File", + "size": 94, + "type_id": 50, + 
"sha256": "1d932907538d3f9b47b136af3907983e02dbf0c8a98fd3be83a31fa78be8985b" + } + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/net_win31j.lnk b/libbeat/formats/fixtures/lnk/net_win31j.lnk new file mode 100644 index 000000000000..dea41497b787 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/net_win31j.lnk differ diff --git a/libbeat/formats/fixtures/lnk/net_win31j.lnk.fingerprint b/libbeat/formats/fixtures/lnk/net_win31j.lnk.fingerprint new file mode 100644 index 000000000000..a4275f7c18ff --- /dev/null +++ b/libbeat/formats/fixtures/lnk/net_win31j.lnk.fingerprint 
@@ -0,0 +1,98 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "EnableTargetMetadata", + "HasExpString", + "HasLinkInfo", + "HasWorkingDir", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_NORMAL" + ], + "creation_time": "2019-07-08T14:04:50Z", + "accessed_time": "2019-07-08T14:05:30Z", + "modified_time": "2019-07-08T14:04:50Z", + "file_size": 10, + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "location": { + "flags": [ + "CommonNetworkRelativeLinkAndPathSuffix" + ], + "common_path_suffix": "\ufffd\ufffd\ufffd\ufffd\ufffdN\ufffd\ufffd.txt", + "network_share": { + "flags": [ + "ValidNetType" + ], + "name": "\\\\TEST\\SHARE" + } + }, + "working_directory": "\\\\test\\share", + "extra": { + "environment": { + "ansi": "\\\\test\\share\\\ufffd\ufffd\ufffd\ufffd\ufffdN\ufffd\ufffd.txt", + "unicode": "\\\\test\\share\\リンク先.txt" + }, + "property_store": { + "properties": [ + { + "name": "Item Name Display", + "type": "VT_LPWSTR", + "value": "リンク先.txt" + }, + { + "name": "Parsing Path", + "type": "VT_LPWSTR", + "value": "\\\\test\\share\\リンク先.txt" + }, + { + "name": "Item Folder Path Display", + "type": "VT_LPWSTR", + "value": "\\\\test\\share" + } + ] + }, + "tracker": { + "version": 0, + "machine_id": "test", + "droid": [ + "73923651-e5fd-ff4e-91cc-d50f13310bfc", + "0000a804-0000-0000-0ccf-180000000000" + ], + "droid_birth": [ + "73923650-e5fd-ff4e-91cc-d50f13310bfc", + "0000a804-0000-0000-0ccf-180000000000" + ] + }, + "vista_and_above_id_list": { + "shellbags": [ + { + "name": "Users property view", + "size": 20, + "type_id": 31, + "sha256": "39a497e3b1e2d328ec88df1bbe8de598540d152c29b2a56627cff92f624c4bb3" + }, + { + "size": 171, + "type_id": 0, + "sha256": "4bc6ed31b49e4b6f2482b2a5bfc44ec3401841d3cb8aaca5b1df8b7b87380f09" + }, + { + "name": "Network location", + "size": 39, + "type_id": 195, + "sha256": "8275bc1e94cec22e8e079b9c2b2731b8fb6ff1e36b0d0d4c6d5d3e9ba133afea" + }, + { + "name": "File", + "size": 94, + 
"type_id": 50, + "sha256": "a517f117fcf3c38ac660e8cdd2f9c6f3d34a050462cadf3330f8f0ea2eada281" + } + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/remote.directory.xp.lnk b/libbeat/formats/fixtures/lnk/remote.directory.xp.lnk new file mode 100644 index 000000000000..e721d87c5a96 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/remote.directory.xp.lnk differ diff --git a/libbeat/formats/fixtures/lnk/remote.directory.xp.lnk.fingerprint b/libbeat/formats/fixtures/lnk/remote.directory.xp.lnk.fingerprint new file mode 100644 index 000000000000..9187cd7c4361 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/remote.directory.xp.lnk.fingerprint 
@@ -0,0 +1,84 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasLinkInfo", + "HasTargetIDList", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_DIRECTORY" + ], + "creation_time": "2009-10-08T13:48:55Z", + "accessed_time": "2010-07-09T13:52:31Z", + "modified_time": "2010-07-08T12:36:01Z", + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "INTERNET_EXPLORER", + "size": 20, + "type_id": 31, + "sha256": "e5195069b02302adc92598b7a8e87732d75cf4a0fc6182b267676fc323a1e5e7" + }, + { + "size": 50, + "type_id": 71, + "sha256": "a767a5a7314be4f7af859afbfd30bc7fe72067b43359c758386ba3085e888c27" + }, + { + "size": 136, + "type_id": 70, + "sha256": "a46d51ce6e398d5d134a1d36f079e4c2297aeecea2312d578a794adb9e5c7224" + }, + { + "size": 36, + "type_id": 65, + "sha256": "587cd34ec942f8cde567ccea2ab19298247035a28eeff0c9c24095cd14e1a85e" + }, + { + "size": 88, + "type_id": 66, + "sha256": "6a428f1cf9a17e0102283bbe97ba75da1d220c45d695edc9720204d4051ab18f" + }, + { + "name": "Network location", + "size": 136, + "type_id": 195, + "sha256": "c54b5d2f206d54c9ff1e04c8a683bc68c05990d7279adbba1e9356b8f219c670" + }, + { + "name": "Directory", + "size": 68, + "type_id": 49, + "sha256": "d994f7ca637c81f97c4eede84aaf5bb6c5a5be66252b02318ad8fb8639871519" + } + ], + "location": { + "flags": [ + "CommonNetworkRelativeLinkAndPathSuffix" + ], + "common_path_suffix": "GMAldheris", + "network_share": { + "flags": [ + "ValidNetType" + ], + "name": "\\\\ALS-FICHIERS3\\QUALIT\ufffd" + } + }, + "extra": { + "tracker": { + "version": 0, + "machine_id": "als-fichiers3", + "droid": [ + "00000000-0000-0000-0000-000000000000", + "8ab7e0c5-75c8-11de-b8c9-000f1ff7c0dd" + ], + "droid_birth": [ + "00000000-0000-0000-0000-000000000000", + "8ab7e0c5-75c8-11de-b8c9-000f1ff7c0dd" + ] + } + } +} \ No newline at end of file 
diff --git a/libbeat/formats/fixtures/lnk/remote.file.aidlist.lnk b/libbeat/formats/fixtures/lnk/remote.file.aidlist.lnk new file mode 100644 index 000000000000..445b9675a7cc Binary files /dev/null and b/libbeat/formats/fixtures/lnk/remote.file.aidlist.lnk differ diff --git a/libbeat/formats/fixtures/lnk/remote.file.aidlist.lnk.fingerprint b/libbeat/formats/fixtures/lnk/remote.file.aidlist.lnk.fingerprint new file mode 100644 index 000000000000..60841ef69fd7 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/remote.file.aidlist.lnk.fingerprint 
@@ -0,0 +1,89 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "DisableKnownFolderTracking", + "HasExpString", + "HasLinkInfo", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_DIRECTORY" + ], + "creation_time": "2009-07-26T15:39:33Z", + "accessed_time": "2009-07-26T15:41:16Z", + "modified_time": "2009-07-26T15:41:16Z", + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "location": { + "flags": [ + "CommonNetworkRelativeLinkAndPathSuffix" + ], + "common_path_suffix": "Encoding\\@Films\\AAA AAA AAAAA 1", + "network_share": { + "flags": [ + "ValidNetType" + ], + "name": "\\\\FATALITY\\K$" + } + }, + "extra": { + "environment": { + "ansi": "\\\\fatality\\k$\\Encoding\\@Films\\AAA AAA AAAAA 1", + "unicode": "\\\\fatality\\k$\\Encoding\\@Films\\AAA AAA AAAAA 1" + }, + "property_store": {}, + "tracker": { + "version": 0, + "machine_id": "fatality", + "droid": [ + "118ef8d6-402d-4186-b384-3527d35fb1eb", + "3885261f-9174-11df-9091-8fae47a32577" + ], + "droid_birth": [ + "118ef8d6-402d-4186-b384-3527d35fb1eb", + "3885261f-9174-11df-9091-8fae47a32577" + ] + }, + "vista_and_above_id_list": { + "shellbags": [ + { + "name": "Users property view", + "size": 20, + "type_id": 31, + "sha256": "39a497e3b1e2d328ec88df1bbe8de598540d152c29b2a56627cff92f624c4bb3" + }, + { + "size": 179, + "type_id": 0, + "sha256": "bd32f1a3508b0655a5fa4cffae5d9be54c17767902c3999b400485241282732c" + }, + { + "name": "Network location", + "size": 160, + "type_id": 195, + "sha256": "a4fe40ed41a8840627455ec68e9e3a6f1400a73acd140338e333007f08399d71" + }, + { + "name": "Directory", + "size": 86, + "type_id": 49, + "sha256": "71eb7827f93da2318a811d0afea6a95733a17ad260e4bbe94e275d2e9bdbaccf" + }, + { + "name": "Directory", + "size": 80, + "type_id": 49, + "sha256": "39acd6f749a39479e5e0c7ed9e819b50a7a0c9e9d901a3673bbb37612fd3abf2" + }, + { + "name": "Directory", + "size": 100, + "type_id": 49, + "sha256": 
"c2a944702c66a098636fe43c60e349c2ea357aea459c5ce92d57e734d33b26b6" + } + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/remote.file.xp.lnk b/libbeat/formats/fixtures/lnk/remote.file.xp.lnk new file mode 100644 index 000000000000..0cf6455d9f33 Binary files /dev/null and b/libbeat/formats/fixtures/lnk/remote.file.xp.lnk differ diff --git a/libbeat/formats/fixtures/lnk/remote.file.xp.lnk.fingerprint b/libbeat/formats/fixtures/lnk/remote.file.xp.lnk.fingerprint new file mode 100644 index 000000000000..444a4c906a87 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/remote.file.xp.lnk.fingerprint 
@@ -0,0 +1,99 @@ +{ + "header": { + "guid": "00021401-0000-0000-c000-000000000046", + "link_flags": [ + "HasLinkInfo", + "HasTargetIDList", + "HasWorkingDir", + "IsUnicode" + ], + "file_flags": [ + "FILE_ATTRIBUTE_NORMAL" + ], + "creation_time": "2004-11-04T09:10:42Z", + "accessed_time": "2010-07-09T13:53:19Z", + "modified_time": "2001-02-21T16:33:49Z", + "file_size": 325120, + "icon_index": 0, + "window_style": "SW_NORMAL" + }, + "shellbags": [ + { + "name": "INTERNET_EXPLORER", + "size": 20, + "type_id": 31, + "sha256": "e5195069b02302adc92598b7a8e87732d75cf4a0fc6182b267676fc323a1e5e7" + }, + { + "size": 50, + "type_id": 71, + "sha256": "a767a5a7314be4f7af859afbfd30bc7fe72067b43359c758386ba3085e888c27" + }, + { + "size": 136, + "type_id": 70, + "sha256": "a46d51ce6e398d5d134a1d36f079e4c2297aeecea2312d578a794adb9e5c7224" + }, + { + "size": 36, + "type_id": 65, + "sha256": "587cd34ec942f8cde567ccea2ab19298247035a28eeff0c9c24095cd14e1a85e" + }, + { + "size": 88, + "type_id": 66, + "sha256": "6a428f1cf9a17e0102283bbe97ba75da1d220c45d695edc9720204d4051ab18f" + }, + { + "name": "Network location", + "size": 136, + "type_id": 195, + "sha256": "c54b5d2f206d54c9ff1e04c8a683bc68c05990d7279adbba1e9356b8f219c670" + }, + { + "name": "Directory", + "size": 64, + "type_id": 49, + "sha256": "d6d39f8de76caf500c4eff1c54d5e6fc26061356c0ab02b56a42d35f01188785" + }, + { + "name": "Directory", + "size": 80, + "type_id": 49, + "sha256": "be6f4fa28aea1dad8b858ab45bea631b4f3b377cf229602f360aa5a1ba87538c" + }, + { + "name": "File", + "size": 114, + "type_id": 50, + "sha256": "438f25337d38fa8946d7d920b0d46974c07689c3eb1df166692cf5193c6d5561" + } + ], + "location": { + "flags": [ + "CommonNetworkRelativeLinkAndPathSuffix" + ], + "common_path_suffix": "Archives\\M\ufffdthodologie WAS\\Norme de d\ufffdveloppement JAVA.doc", + "network_share": { + "flags": [ + "ValidNetType" + ], + "name": "\\\\ALS-FICHIERS3\\QUALIT\ufffd" + } + }, + "working_directory": 
"\\\\als-fichiers3\\Qualité\\Archives\\Méthodologie WAS", + "extra": { + "tracker": { + "version": 0, + "machine_id": "als-fichiers3", + "droid": [ + "00000000-0000-0000-0000-000000000000", + "ea461b34-9877-11da-80bd-000f1ff7c0dc" + ], + "droid_birth": [ + "00000000-0000-0000-0000-000000000000", + "ea461b34-9877-11da-80bd-000f1ff7c0dc" + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/macho/hello-darwin b/libbeat/formats/fixtures/macho/hello-darwin new file mode 100644 index 000000000000..d21b27936eff Binary files /dev/null and b/libbeat/formats/fixtures/macho/hello-darwin differ diff --git a/libbeat/formats/fixtures/macho/hello-darwin.fingerprint b/libbeat/formats/fixtures/macho/hello-darwin.fingerprint new file mode 100644 index 000000000000..9e7204f5766d --- /dev/null +++ b/libbeat/formats/fixtures/macho/hello-darwin.fingerprint 
@@ -0,0 +1,213 @@ +{ + "architectures": [ + { + "cpu": "x86_64", + "byte_order": "little-endian", + "type": "Exec", + "header": { + "commands": [ + { + "number": 25, + "size": 72, + "type": "LC_SEGMENT_64" + }, + { + "number": 25, + "size": 472, + "type": "LC_SEGMENT_64" + }, + { + "number": 25, + "size": 152, + "type": "LC_SEGMENT_64" + }, + { + "number": 25, + "size": 232, + "type": "LC_SEGMENT_64" + }, + { + "number": 25, + "size": 72, + "type": "LC_SEGMENT_64" + }, + { + "number": 2147483682, + "size": 48, + "type": "LC_DYLD_INFO_ONLY" + }, + { + "number": 2, + "size": 24, + "type": "LC_SYMTAB" + }, + { + "number": 11, + "size": 80, + "type": "LC_DYSYMTAB" + }, + { + "number": 14, + "size": 32, + "type": "LC_LOAD_DYLINKER" + }, + { + "number": 27, + "size": 24, + "type": "LC_UUID" + }, + { + "number": 50, + "size": 32, + "type": "LC_UNKNOWN" + }, + { + "number": 42, + "size": 16, + "type": "LC_SOURCE_VERSION" + }, + { + "number": 2147483688, + "size": 24, + "type": "LC_MAIN" + }, + { + "number": 12, + "size": 56, + "type": "LC_LOAD_DYLIB" + }, + { + "number": 38, + "size": 16, + "type": "LC_FUNCTION_STARTS" + }, + { + "number": 41, + "size": 16, + "type": "LC_DATA_IN_CODE" + } + ], + "magic": "0xfeedfacf", + "flags": [ + "MH_NOUNDEFS", + "MH_DYLDLINK", + "MH_TWOLEVEL", + "MH_PIE" + ] + }, + "segments": [ + { + "vmaddr": "0x100000000", + "name": "__TEXT", + "vmsize": 4096, + "fileoff": 0, + "filesize": 4096, + "sections": [ + { + "name": "__text", + "type": "S_REGULAR", + "offset": 3936, + "size": 42, + "entropy": 4.04, + "chi2": 1030.76, + "flags": [ + "S_ATTR_PURE_INSTRUCTIONS", + "S_ATTR_SOME_INSTRUCTIONS" + ] + }, + { + "name": "__stubs", + "type": "S_SYMBOL_STUBS", + "offset": 3978, + "size": 6, + "entropy": 2.25, + "chi2": 335.33, + "flags": [ + "S_ATTR_PURE_INSTRUCTIONS", + "S_ATTR_SOME_INSTRUCTIONS" + ] + }, + { + "name": "__stub_helper", + "type": "S_REGULAR", + "offset": 3984, + "size": 26, + "entropy": 3.3, + "chi2": 1057.08, + "flags": [ + 
"S_ATTR_PURE_INSTRUCTIONS", + "S_ATTR_SOME_INSTRUCTIONS" + ] + }, + { + "name": "__cstring", + "type": "S_CSTRING_LITERALS", + "offset": 4010, + "size": 14, + "entropy": 3.32, + "chi2": 388.29 + }, + { + "name": "__unwind_info", + "type": "S_REGULAR", + "offset": 4024, + "size": 72, + "entropy": 1.58, + "chi2": 10452.44 + } + ] + }, + { + "vmaddr": "0x100001000", + "name": "__DATA_CONST", + "vmsize": 4096, + "fileoff": 4096, + "filesize": 4096, + "sections": [ + { + "name": "__got", + "type": "S_NON_LAZY_SYMBOL_POINTERS", + "offset": 4096, + "size": 8, + "entropy": 0, + "chi2": 2040 + } + ] + }, + { + "vmaddr": "0x100002000", + "name": "__DATA", + "vmsize": 4096, + "fileoff": 8192, + "filesize": 4096, + "sections": [ + { + "name": "__la_symbol_ptr", + "type": "S_LAZY_SYMBOL_POINTERS", + "offset": 8192, + "size": 8, + "entropy": 1.55, + "chi2": 888 + }, + { + "name": "__data", + "type": "S_REGULAR", + "offset": 8200, + "size": 8, + "entropy": 0, + "chi2": 2040 + } + ] + } + ], + "libraries": [ + "/usr/lib/libSystem.B.dylib" + ], + "imports": [ + "_printf", + "dyld_stub_binder" + ], + "symhash": "e4cce50a95ec8387770df669df413dd2" + } + ] +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/pe/hello-windows b/libbeat/formats/fixtures/pe/hello-windows new file mode 100644 index 000000000000..c37deb302b9a Binary files /dev/null and b/libbeat/formats/fixtures/pe/hello-windows differ diff --git a/libbeat/formats/fixtures/pe/hello-windows.fingerprint b/libbeat/formats/fixtures/pe/hello-windows.fingerprint new file mode 100644 index 000000000000..02bebbafbe84 --- /dev/null +++ b/libbeat/formats/fixtures/pe/hello-windows.fingerprint 
@@ -0,0 +1,425 @@ +{ + "entrypoint": "0x14e0", + "imports": [ + { + "library": "KERNEL32.dll", + "name": "DeleteCriticalSection" + }, + { + "library": "KERNEL32.dll", + "name": "EnterCriticalSection" + }, + { + "library": "KERNEL32.dll", + "name": "GetLastError" + }, + { + "library": "KERNEL32.dll", + "name": "GetStartupInfoA" + }, + { + "library": "KERNEL32.dll", + "name": "InitializeCriticalSection" + }, + { + "library": "KERNEL32.dll", + "name": "IsDBCSLeadByteEx" + }, + { + "library": "KERNEL32.dll", + "name": "LeaveCriticalSection" + }, + { + "library": "KERNEL32.dll", + "name": "MultiByteToWideChar" + }, + { + "library": "KERNEL32.dll", + "name": "SetUnhandledExceptionFilter" + }, + { + "library": "KERNEL32.dll", + "name": "Sleep" + }, + { + "library": "KERNEL32.dll", + "name": "TlsGetValue" + }, + { + "library": "KERNEL32.dll", + "name": "VirtualProtect" + }, + { + "library": "KERNEL32.dll", + "name": "VirtualQuery" + }, + { + "library": "KERNEL32.dll", + "name": "WideCharToMultiByte" + }, + { + "library": "msvcrt.dll", + "name": "__C_specific_handler" + }, + { + "library": "msvcrt.dll", + "name": "___lc_codepage_func" + }, + { + "library": "msvcrt.dll", + "name": "___mb_cur_max_func" + }, + { + "library": "msvcrt.dll", + "name": "__getmainargs" + }, + { + "library": "msvcrt.dll", + "name": "__initenv" + }, + { + "library": "msvcrt.dll", + "name": "__iob_func" + }, + { + "library": "msvcrt.dll", + "name": "__lconv_init" + }, + { + "library": "msvcrt.dll", + "name": "__set_app_type" + }, + { + "library": "msvcrt.dll", + "name": "__setusermatherr" + }, + { + "library": "msvcrt.dll", + "name": "_acmdln" + }, + { + "library": "msvcrt.dll", + "name": "_amsg_exit" + }, + { + "library": "msvcrt.dll", + "name": "_cexit" + }, + { + "library": "msvcrt.dll", + "name": "_commode" + }, + { + "library": "msvcrt.dll", + "name": "_errno" + }, + { + "library": "msvcrt.dll", + "name": "_fmode" + }, + { + "library": "msvcrt.dll", + "name": "_initterm" + }, + { + "library": 
"msvcrt.dll", + "name": "_lock" + }, + { + "library": "msvcrt.dll", + "name": "_onexit" + }, + { + "library": "msvcrt.dll", + "name": "_unlock" + }, + { + "library": "msvcrt.dll", + "name": "abort" + }, + { + "library": "msvcrt.dll", + "name": "calloc" + }, + { + "library": "msvcrt.dll", + "name": "exit" + }, + { + "library": "msvcrt.dll", + "name": "fprintf" + }, + { + "library": "msvcrt.dll", + "name": "fputc" + }, + { + "library": "msvcrt.dll", + "name": "free" + }, + { + "library": "msvcrt.dll", + "name": "fwrite" + }, + { + "library": "msvcrt.dll", + "name": "localeconv" + }, + { + "library": "msvcrt.dll", + "name": "malloc" + }, + { + "library": "msvcrt.dll", + "name": "memcpy" + }, + { + "library": "msvcrt.dll", + "name": "memset" + }, + { + "library": "msvcrt.dll", + "name": "signal" + }, + { + "library": "msvcrt.dll", + "name": "strerror" + }, + { + "library": "msvcrt.dll", + "name": "strlen" + }, + { + "library": "msvcrt.dll", + "name": "strncmp" + }, + { + "library": "msvcrt.dll", + "name": "vfprintf" + }, + { + "library": "msvcrt.dll", + "name": "wcslen" + } + ], + "sections": [ + { + "name": ".text", + "flags": [ + "IMAGE_SCN_CNT_CODE", + "IMAGE_SCN_CNT_INITIALIZED_DATA", + "IMAGE_SCN_ALIGN_1BYTES", + "IMAGE_SCN_ALIGN_4BYTES", + "IMAGE_SCN_ALIGN_8BYTES", + "IMAGE_SCN_ALIGN_16BYTES", + "IMAGE_SCN_ALIGN_32BYTES", + "IMAGE_SCN_ALIGN_64BYTES", + "IMAGE_SCN_ALIGN_256BYTES", + "IMAGE_SCN_ALIGN_1024BYTES", + "IMAGE_SCN_ALIGN_2048BYTES", + "IMAGE_SCN_ALIGN_4096BYTES", + "IMAGE_SCN_ALIGN_8192BYTES", + "IMAGE_SCN_MEM_EXECUTE", + "IMAGE_SCN_MEM_READ" + ], + "virtual_address": 4096, + "raw_size": 27648, + "entropy": 6.29, + "chi2": 225694.72 + }, + { + "name": ".data", + "flags": [ + "IMAGE_SCN_CNT_INITIALIZED_DATA", + "IMAGE_SCN_ALIGN_1BYTES", + "IMAGE_SCN_ALIGN_4BYTES", + "IMAGE_SCN_ALIGN_8BYTES", + "IMAGE_SCN_ALIGN_16BYTES", + "IMAGE_SCN_ALIGN_32BYTES", + "IMAGE_SCN_ALIGN_64BYTES", + "IMAGE_SCN_ALIGN_256BYTES", + "IMAGE_SCN_ALIGN_1024BYTES", + 
"IMAGE_SCN_ALIGN_2048BYTES", + "IMAGE_SCN_ALIGN_4096BYTES", + "IMAGE_SCN_ALIGN_8192BYTES", + "IMAGE_SCN_MEM_READ", + "IMAGE_SCN_MEM_WRITE" + ], + "virtual_address": 32768, + "raw_size": 512, + "entropy": 0.95, + "chi2": 101000 + }, + { + "name": ".rdata", + "flags": [ + "IMAGE_SCN_CNT_INITIALIZED_DATA", + "IMAGE_SCN_ALIGN_2BYTES", + "IMAGE_SCN_ALIGN_4BYTES", + "IMAGE_SCN_ALIGN_8BYTES", + "IMAGE_SCN_ALIGN_16BYTES", + "IMAGE_SCN_ALIGN_32BYTES", + "IMAGE_SCN_ALIGN_64BYTES", + "IMAGE_SCN_ALIGN_512BYTES", + "IMAGE_SCN_ALIGN_1024BYTES", + "IMAGE_SCN_ALIGN_2048BYTES", + "IMAGE_SCN_ALIGN_4096BYTES", + "IMAGE_SCN_ALIGN_8192BYTES", + "IMAGE_SCN_MEM_READ" + ], + "virtual_address": 36864, + "raw_size": 3584, + "entropy": 4.4, + "chi2": 168406.57 + }, + { + "name": ".pdata", + "flags": [ + "IMAGE_SCN_CNT_INITIALIZED_DATA", + "IMAGE_SCN_ALIGN_1BYTES", + "IMAGE_SCN_ALIGN_2BYTES", + "IMAGE_SCN_ALIGN_4BYTES", + "IMAGE_SCN_ALIGN_16BYTES", + "IMAGE_SCN_ALIGN_32BYTES", + "IMAGE_SCN_ALIGN_64BYTES", + "IMAGE_SCN_ALIGN_256BYTES", + "IMAGE_SCN_ALIGN_512BYTES", + "IMAGE_SCN_ALIGN_1024BYTES", + "IMAGE_SCN_ALIGN_4096BYTES", + "IMAGE_SCN_ALIGN_8192BYTES", + "IMAGE_SCN_MEM_READ" + ], + "virtual_address": 40960, + "raw_size": 1536, + "entropy": 3.34, + "chi2": 157780.33 + }, + { + "name": ".xdata", + "flags": [ + "IMAGE_SCN_CNT_INITIALIZED_DATA", + "IMAGE_SCN_ALIGN_1BYTES", + "IMAGE_SCN_ALIGN_2BYTES", + "IMAGE_SCN_ALIGN_4BYTES", + "IMAGE_SCN_ALIGN_16BYTES", + "IMAGE_SCN_ALIGN_32BYTES", + "IMAGE_SCN_ALIGN_64BYTES", + "IMAGE_SCN_ALIGN_256BYTES", + "IMAGE_SCN_ALIGN_512BYTES", + "IMAGE_SCN_ALIGN_1024BYTES", + "IMAGE_SCN_ALIGN_4096BYTES", + "IMAGE_SCN_ALIGN_8192BYTES", + "IMAGE_SCN_MEM_READ" + ], + "virtual_address": 45056, + "raw_size": 1536, + "entropy": 3.5, + "chi2": 89461.33 + }, + { + "name": ".bss", + "flags": [ + "IMAGE_SCN_CNT_UNINITIALIZED_DATA", + "IMAGE_SCN_ALIGN_2BYTES", + "IMAGE_SCN_ALIGN_4BYTES", + "IMAGE_SCN_ALIGN_8BYTES", + "IMAGE_SCN_ALIGN_16BYTES", + "IMAGE_SCN_ALIGN_32BYTES", + 
"IMAGE_SCN_ALIGN_64BYTES", + "IMAGE_SCN_ALIGN_512BYTES", + "IMAGE_SCN_ALIGN_1024BYTES", + "IMAGE_SCN_ALIGN_2048BYTES", + "IMAGE_SCN_ALIGN_4096BYTES", + "IMAGE_SCN_ALIGN_8192BYTES", + "IMAGE_SCN_MEM_READ", + "IMAGE_SCN_MEM_WRITE" + ], + "virtual_address": 49152 + }, + { + "name": ".idata", + "flags": [ + "IMAGE_SCN_CNT_INITIALIZED_DATA", + "IMAGE_SCN_ALIGN_1BYTES", + "IMAGE_SCN_ALIGN_2BYTES", + "IMAGE_SCN_ALIGN_4BYTES", + "IMAGE_SCN_ALIGN_16BYTES", + "IMAGE_SCN_ALIGN_32BYTES", + "IMAGE_SCN_ALIGN_64BYTES", + "IMAGE_SCN_ALIGN_256BYTES", + "IMAGE_SCN_ALIGN_512BYTES", + "IMAGE_SCN_ALIGN_1024BYTES", + "IMAGE_SCN_ALIGN_4096BYTES", + "IMAGE_SCN_ALIGN_8192BYTES", + "IMAGE_SCN_MEM_READ", + "IMAGE_SCN_MEM_WRITE" + ], + "virtual_address": 53248, + "raw_size": 2048, + "entropy": 3.68, + "chi2": 152175 + }, + { + "name": ".CRT", + "flags": [ + "IMAGE_SCN_CNT_INITIALIZED_DATA", + "IMAGE_SCN_ALIGN_8BYTES", + "IMAGE_SCN_ALIGN_16BYTES", + "IMAGE_SCN_ALIGN_32BYTES", + "IMAGE_SCN_ALIGN_64BYTES", + "IMAGE_SCN_ALIGN_2048BYTES", + "IMAGE_SCN_ALIGN_4096BYTES", + "IMAGE_SCN_ALIGN_8192BYTES", + "IMAGE_SCN_MEM_READ", + "IMAGE_SCN_MEM_WRITE" + ], + "virtual_address": 57344, + "raw_size": 512, + "entropy": 0.34, + "chi2": 120559 + }, + { + "name": ".tls", + "flags": [ + "IMAGE_SCN_CNT_INITIALIZED_DATA", + "IMAGE_SCN_ALIGN_8BYTES", + "IMAGE_SCN_ALIGN_16BYTES", + "IMAGE_SCN_ALIGN_32BYTES", + "IMAGE_SCN_ALIGN_64BYTES", + "IMAGE_SCN_ALIGN_2048BYTES", + "IMAGE_SCN_ALIGN_4096BYTES", + "IMAGE_SCN_ALIGN_8192BYTES", + "IMAGE_SCN_MEM_READ", + "IMAGE_SCN_MEM_WRITE" + ], + "virtual_address": 61440, + "raw_size": 512, + "chi2": 130560 + }, + { + "name": ".reloc", + "flags": [ + "IMAGE_SCN_CNT_INITIALIZED_DATA", + "IMAGE_SCN_ALIGN_1BYTES", + "IMAGE_SCN_ALIGN_2BYTES", + "IMAGE_SCN_ALIGN_4BYTES", + "IMAGE_SCN_ALIGN_16BYTES", + "IMAGE_SCN_ALIGN_32BYTES", + "IMAGE_SCN_ALIGN_64BYTES", + "IMAGE_SCN_ALIGN_256BYTES", + "IMAGE_SCN_ALIGN_512BYTES", + "IMAGE_SCN_ALIGN_1024BYTES", + "IMAGE_SCN_ALIGN_4096BYTES", + 
"IMAGE_SCN_ALIGN_8192BYTES", + "IMAGE_SCN_MEM_DISCARDABLE", + "IMAGE_SCN_MEM_READ" + ], + "virtual_address": 65536, + "raw_size": 512, + "entropy": 1.61, + "chi2": 81624 + } + ], + "imphash": "8eb8d513fcdab15ac9a267576668cb1c", + "architecture": "x64" +} \ No newline at end of file diff --git a/libbeat/formats/lnk/.gitignore b/libbeat/formats/lnk/.gitignore new file mode 100644 index 000000000000..b2750523e456 --- /dev/null +++ b/libbeat/formats/lnk/.gitignore @@ -0,0 +1,4 @@ +corpus +suppressions +crashers +lnk-fuzz.zip diff --git a/libbeat/formats/lnk/extra.go b/libbeat/formats/lnk/extra.go new file mode 100644 index 000000000000..5b973408805f --- /dev/null +++ b/libbeat/formats/lnk/extra.go 
@@ -0,0 +1,133 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package lnk + +import ( + "encoding/binary" + "errors" + "fmt" + "io" +) + +const ( + environmentBlock uint32 = 0xa0000001 + iota + consoleBlock + trackerBlock + consoleFEBlock + specialFolderBlock + darwinBlock + iconEnvironmentBlock + shimBlock + propertyStoreBlock + _ + knownFolderBlock + vistaAndAboveIDListBlock +) + +// https://github.com/libyal/liblnk/blob/master/documentation/Windows%20Shortcut%20File%20(LNK)%20format.asciidoc#6-extra-data + +func parseExtraBlocks(header *Header, offset int64, r io.ReaderAt) (*Extra, error) { + var size uint32 + var signature uint32 + var data []byte + var err error + extra := &Extra{} + for { + size, signature, offset, data, err = readRawBlock(offset, r) + if err != nil { + return nil, err + } + if size == 0 { + break + } + switch signature { + case environmentBlock: + extra.Environment, err = parseExtraEnvironment(size, data) + if err != nil { + return nil, err + } + case consoleBlock: + extra.Console, err = parseExtraConsole(size, data) + if err != nil { + return nil, err + } + case trackerBlock: + extra.Tracker, err = parseExtraTracker(size, data) + if err != nil { + return nil, err + } + case consoleFEBlock: + 
extra.ConsoleFE, err = parseExtraConsoleFE(size, data) + if err != nil { + return nil, err + } + case specialFolderBlock: + extra.SpecialFolder, err = parseExtraSpecialFolder(size, data) + if err != nil { + return nil, err + } + case darwinBlock: + extra.Darwin, err = parseExtraDarwin(size, data) + if err != nil { + return nil, err + } + case iconEnvironmentBlock: + extra.IconEnvironment, err = parseExtraIconEnvironment(size, data) + if err != nil { + return nil, err + } + case shimBlock: + extra.Shim, err = parseExtraShim(size, data) + if err != nil { + return nil, err + } + case propertyStoreBlock: + extra.PropertyStore, err = parseExtraPropertyStore(size, data) + if err != nil { + return nil, err + } + case knownFolderBlock: + extra.KnownFolder, err = parseExtraKnownFolder(size, data) + if err != nil { + return nil, err + } + case vistaAndAboveIDListBlock: + extra.VistaAndAboveIDList, err = parseExtraVistaAndAboveIDList(size, data) + if err != nil { + return nil, err + } + default: + return nil, fmt.Errorf("unknown block signature: %x", signature) + } + } + return extra, nil +} + +func readRawBlock(offset int64, r io.ReaderAt) (uint32, uint32, int64, []byte, error) { + size, data, err := readU32Data(offset, r) + if err != nil { + return 0, 0, 0, nil, err + } + if size == 0 { + return 0, 0, 0, nil, nil + } + if size < 8 { + return 0, 0, 0, nil, errors.New("invalid block size") + } + return size, binary.LittleEndian.Uint32(data[4:8]), offset + int64(size), data, nil +} diff --git a/libbeat/formats/lnk/extra_console.go b/libbeat/formats/lnk/extra_console.go new file mode 100644 index 000000000000..df52dad65765 --- /dev/null +++ b/libbeat/formats/lnk/extra_console.go 
@@ -0,0 +1,121 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package lnk + +import ( + "encoding/binary" + "errors" + "fmt" + "sort" + "strings" + + "github.com/elastic/beats/v7/libbeat/formats/common" +) + +var ( + fontFamilies = map[uint32]string{ + 0x0000: "FF_DONTCARE", + 0x0010: "FF_ROMAN", + 0x0020: "FW_SWISS", + 0x0030: "FF_MODERN", + 0x0040: "FF_SCRIPT", + 0x0050: "FF_DECORATIVE", + } + fontPitches = map[uint32]string{ + 0x0000: "TMPF_NONE", + 0x0001: "TMPF_FIXED_PITCH", + 0x0002: "TMPF_VECTOR", + 0x0003: "TMPF_TRUETYPE", + 0x0004: "TMPF_DEVICE", + } + fillAttributes = map[uint32]string{ + 0x0001: "FOREGROUND_BLUE", + 0x0002: "FOREGROUND_GREEN", + 0x0004: "FOREGROUND_RED", + 0x0008: "FOREGROUND_INTENSITY", + 0x0010: "BACKGROUND_BLUE", + 0x0020: "BACKGROUND_GREEN", + 0x0040: "BACKGROUND_RED", + 0x0080: "BACKGROUND_INTENSITY", + } +) + +func parseExtraConsole(size uint32, data []byte) (*Console, error) { + if size != 0x000000cc { + return nil, errors.New("invalid extra console block size") + } + return &Console{ + FillAttributes: parseFlags(fillAttributes, uint32(binary.LittleEndian.Uint16(data[8:10]))), + PopupFillAttributes: parseFlags(fillAttributes, uint32(binary.LittleEndian.Uint16(data[10:12]))), + 
ScreenBufferSizeX: binary.LittleEndian.Uint16(data[12:14]), + ScreenBufferSizeY: binary.LittleEndian.Uint16(data[14:16]), + WindowSizeX: binary.LittleEndian.Uint16(data[16:18]), + WindowSizeY: binary.LittleEndian.Uint16(data[18:20]), + WindowOriginX: binary.LittleEndian.Uint16(data[20:22]), + WindowOriginY: binary.LittleEndian.Uint16(data[22:24]), + FontSize: binary.LittleEndian.Uint32(data[32:36]), + FontFamily: normalizeFontFamily(binary.LittleEndian.Uint32(data[36:40])), + FontWeight: binary.LittleEndian.Uint32(data[40:44]), + FaceName: common.ReadUnicode(data[44:108], 0), + CursorSize: binary.LittleEndian.Uint32(data[108:112]), + FullScreen: normalizeBoolean(binary.LittleEndian.Uint32(data[112:116])), + QuickEdit: normalizeBoolean(binary.LittleEndian.Uint32(data[116:120])), + InsertMode: normalizeBoolean(binary.LittleEndian.Uint32(data[120:124])), + AutoPosition: normalizeBoolean(binary.LittleEndian.Uint32(data[124:128])), + HistoryBufferSize: binary.LittleEndian.Uint32(data[128:132]), + NumberOfHistoryBuffers: binary.LittleEndian.Uint32(data[132:136]), + HistoryNoDup: normalizeBoolean(binary.LittleEndian.Uint32(data[136:140])), + ColorTable: chunkColorTable(data[140:204]), + }, nil +} + +func normalizeFontFamily(value uint32) string { + fontTokens := []string{} + for flag, name := range fontFamilies { + if 0xFFF0&value == flag { + fontTokens = append(fontTokens, name) + break + } + } + if len(fontTokens) == 0 { + return "" + } + pitchValue := 0x000F & value + for flag, name := range fontPitches { + if hasFlag(pitchValue, flag) { + fontTokens = append(fontTokens, name) + } + } + if len(fontTokens) == 1 { + fontTokens = append(fontTokens, "TMPF_NONE") + } + sort.Strings(fontTokens) + return strings.Join(fontTokens, " | ") +} + +func normalizeBoolean(value uint32) bool { + return value != 0 +} + +func chunkColorTable(value []byte) []string { + colors := make([]string, 16) + for i := 0; i < 16; i++ { + colors[i] = fmt.Sprintf("0x%06x", 
binary.LittleEndian.Uint32(value[i*4:(i+1)*4])) + } + return colors +} diff --git a/libbeat/formats/lnk/extra_console_fe.go b/libbeat/formats/lnk/extra_console_fe.go new file mode 100644 index 000000000000..6e908233c940 --- /dev/null +++ b/libbeat/formats/lnk/extra_console_fe.go 
@@ -0,0 +1,193 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package lnk + +import ( + "encoding/binary" + "errors" +) + +var ( + // https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers + codePages = map[uint32]string{ + 037: "IBM EBCDIC US-Canada", + 437: "OEM United States", + 500: "IBM EBCDIC International", + 708: "Arabic (ASMO 708)", + 709: "Arabic (ASMO-449+, BCON V4)", + 710: "Arabic - Transparent Arabic", + 720: "Arabic (Transparent ASMO); Arabic (DOS)", + 737: "OEM Greek (formerly 437G); Greek (DOS)", + 775: "OEM Baltic; Baltic (DOS)", + 850: "OEM Multilingual Latin 1; Western European (DOS)", + 852: "OEM Latin 2; Central European (DOS)", + 855: "OEM Cyrillic (primarily Russian)", + 857: "OEM Turkish; Turkish (DOS)", + 858: "OEM Multilingual Latin 1 + Euro symbol", + 860: "OEM Portuguese; Portuguese (DOS)", + 861: "OEM Icelandic; Icelandic (DOS)", + 862: "OEM Hebrew; Hebrew (DOS)", + 863: "OEM French Canadian; French Canadian (DOS)", + 864: "OEM Arabic; Arabic (864)", + 865: "OEM Nordic; Nordic (DOS)", + 866: "OEM Russian; Cyrillic (DOS)", + 869: "OEM Modern Greek; Greek, Modern (DOS)", + 870: "IBM EBCDIC Multilingual/ROECE (Latin 2); IBM EBCDIC Multilingual Latin 2", + 874: "ANSI/OEM 
Thai (ISO 8859-11); Thai (Windows)", + 875: "IBM EBCDIC Greek Modern", + 932: "ANSI/OEM Japanese; Japanese (Shift-JIS)", + 936: "ANSI/OEM Simplified Chinese (PRC, Singapore); Chinese Simplified (GB2312)", + 949: "ANSI/OEM Korean (Unified Hangul Code)", + 950: "ANSI/OEM Traditional Chinese (Taiwan; Hong Kong SAR, PRC); Chinese Traditional (Big5)", + 1026: "IBM EBCDIC Turkish (Latin 5)", + 1047: "IBM EBCDIC Latin 1/Open System", + 1140: "IBM EBCDIC US-Canada (037 + Euro symbol); IBM EBCDIC (US-Canada-Euro)", + 1141: "IBM EBCDIC Germany (20273 + Euro symbol); IBM EBCDIC (Germany-Euro)", + 1142: "IBM EBCDIC Denmark-Norway (20277 + Euro symbol); IBM EBCDIC (Denmark-Norway-Euro)", + 1143: "IBM EBCDIC Finland-Sweden (20278 + Euro symbol); IBM EBCDIC (Finland-Sweden-Euro)", + 1144: "IBM EBCDIC Italy (20280 + Euro symbol); IBM EBCDIC (Italy-Euro)", + 1145: "IBM EBCDIC Latin America-Spain (20284 + Euro symbol); IBM EBCDIC (Spain-Euro)", + 1146: "IBM EBCDIC United Kingdom (20285 + Euro symbol); IBM EBCDIC (UK-Euro)", + 1147: "IBM EBCDIC France (20297 + Euro symbol); IBM EBCDIC (France-Euro)", + 1148: "IBM EBCDIC International (500 + Euro symbol); IBM EBCDIC (International-Euro)", + 1149: "IBM EBCDIC Icelandic (20871 + Euro symbol); IBM EBCDIC (Icelandic-Euro)", + 1200: "Unicode UTF-16, little endian byte order (BMP of ISO 10646); available only to managed applications", + 1201: "Unicode UTF-16, big endian byte order; available only to managed applications", + 1250: "ANSI Central European; Central European (Windows)", + 1251: "ANSI Cyrillic; Cyrillic (Windows)", + 1252: "ANSI Latin 1; Western European (Windows)", + 1253: "ANSI Greek; Greek (Windows)", + 1254: "ANSI Turkish; Turkish (Windows)", + 1255: "ANSI Hebrew; Hebrew (Windows)", + 1256: "ANSI Arabic; Arabic (Windows)", + 1257: "ANSI Baltic; Baltic (Windows)", + 1258: "ANSI/OEM Vietnamese; Vietnamese (Windows)", + 1361: "Korean (Johab)", + 10000: "MAC Roman; Western European (Mac)", + 10001: "Japanese (Mac)", + 10002: "MAC 
Traditional Chinese (Big5); Chinese Traditional (Mac)", + 10003: "Korean (Mac)", + 10004: "Arabic (Mac)", + 10005: "Hebrew (Mac)", + 10006: "Greek (Mac)", + 10007: "Cyrillic (Mac)", + 10008: "MAC Simplified Chinese (GB 2312); Chinese Simplified (Mac)", + 10010: "Romanian (Mac)", + 10017: "Ukrainian (Mac)", + 10021: "Thai (Mac)", + 10029: "MAC Latin 2; Central European (Mac)", + 10079: "Icelandic (Mac)", + 10081: "Turkish (Mac)", + 10082: "Croatian (Mac)", + 12000: "Unicode UTF-32, little endian byte order; available only to managed applications", + 12001: "Unicode UTF-32, big endian byte order; available only to managed applications", + 20000: "CNS Taiwan; Chinese Traditional (CNS)", + 20001: "TCA Taiwan", + 20002: "Eten Taiwan; Chinese Traditional (Eten)", + 20003: "IBM5550 Taiwan", + 20004: "TeleText Taiwan", + 20005: "Wang Taiwan", + 20105: "IA5 (IRV International Alphabet No. 5, 7-bit); Western European (IA5)", + 20106: "IA5 German (7-bit)", + 20107: "IA5 Swedish (7-bit)", + 20108: "IA5 Norwegian (7-bit)", + 20127: "US-ASCII (7-bit)", + 20261: "T.61", + 20269: "ISO 6937 Non-Spacing Accent", + 20273: "IBM EBCDIC Germany", + 20277: "IBM EBCDIC Denmark-Norway", + 20278: "IBM EBCDIC Finland-Sweden", + 20280: "IBM EBCDIC Italy", + 20284: "IBM EBCDIC Latin America-Spain", + 20285: "IBM EBCDIC United Kingdom", + 20290: "IBM EBCDIC Japanese Katakana Extended", + 20297: "IBM EBCDIC France", + 20420: "IBM EBCDIC Arabic", + 20423: "IBM EBCDIC Greek", + 20424: "IBM EBCDIC Hebrew", + 20833: "IBM EBCDIC Korean Extended", + 20838: "IBM EBCDIC Thai", + 20866: "Russian (KOI8-R); Cyrillic (KOI8-R)", + 20871: "IBM EBCDIC Icelandic", + 20880: "IBM EBCDIC Cyrillic Russian", + 20905: "IBM EBCDIC Turkish", + 20924: "IBM EBCDIC Latin 1/Open System (1047 + Euro symbol)", + 20932: "Japanese (JIS 0208-1990 and 0212-1990)", + 20936: "Simplified Chinese (GB2312); Chinese Simplified (GB2312-80)", + 20949: "Korean Wansung", + 21025: "IBM EBCDIC Cyrillic Serbian-Bulgarian", + 21866: 
"Ukrainian (KOI8-U); Cyrillic (KOI8-U)", + 28591: "ISO 8859-1 Latin 1; Western European (ISO)", + 28592: "ISO 8859-2 Central European; Central European (ISO)", + 28593: "ISO 8859-3 Latin 3", + 28594: "ISO 8859-4 Baltic", + 28595: "ISO 8859-5 Cyrillic", + 28596: "ISO 8859-6 Arabic", + 28597: "ISO 8859-7 Greek", + 28598: "ISO 8859-8 Hebrew; Hebrew (ISO-Visual)", + 28599: "ISO 8859-9 Turkish", + 28603: "ISO 8859-13 Estonian", + 28605: "ISO 8859-15 Latin 9", + 29001: "Europa 3", + 38598: "ISO 8859-8 Hebrew; Hebrew (ISO-Logical)", + 50220: "ISO 2022 Japanese with no halfwidth Katakana; Japanese (JIS)", + 50221: "ISO 2022 Japanese with halfwidth Katakana; Japanese (JIS-Allow 1 byte Kana)", + 50222: "ISO 2022 Japanese JIS X 0201-1989; Japanese (JIS-Allow 1 byte Kana - SO/SI)", + 50225: "ISO 2022 Korean", + 50227: "ISO 2022 Simplified Chinese; Chinese Simplified (ISO 2022)", + 50229: "ISO 2022 Traditional Chinese", + 50930: "EBCDIC Japanese (Katakana) Extended", + 50931: "EBCDIC US-Canada and Japanese", + 50933: "EBCDIC Korean Extended and Korean", + 50935: "EBCDIC Simplified Chinese Extended and Simplified Chinese", + 50936: "EBCDIC Simplified Chinese", + 50937: "EBCDIC US-Canada and Traditional Chinese", + 50939: "EBCDIC Japanese (Latin) Extended and Japanese", + 51932: "EUC Japanese", + 51936: "EUC Simplified Chinese; Chinese Simplified (EUC)", + 51949: "EUC Korean", + 51950: "EUC Traditional Chinese", + 52936: "HZ-GB2312 Simplified Chinese; Chinese Simplified (HZ)", + 54936: "Windows XP and later: GB18030 Simplified Chinese (4 byte); Chinese Simplified (GB18030)", + 57002: "ISCII Devanagari", + 57003: "ISCII Bangla", + 57004: "ISCII Tamil", + 57005: "ISCII Telugu", + 57006: "ISCII Assamese", + 57007: "ISCII Odia", + 57008: "ISCII Kannada", + 57009: "ISCII Malayalam", + 57010: "ISCII Gujarati", + 57011: "ISCII Punjabi", + 65000: "Unicode (UTF-7)", + 65001: "Unicode (UTF-8)", + } +) + +func parseExtraConsoleFE(size uint32, data []byte) (*ConsoleFE, error) { + if size != 
0x0000000c { + return nil, errors.New("invalid extra console fe block size") + } + codePage, ok := codePages[binary.LittleEndian.Uint32(data[8:12])] + if !ok { + codePage = "Unknown" + } + return &ConsoleFE{ + CodePage: codePage, + }, nil +} diff --git a/libbeat/formats/lnk/extra_darwin_block.go b/libbeat/formats/lnk/extra_darwin_block.go new file mode 100644 index 000000000000..23bab873a3f2 --- /dev/null +++ b/libbeat/formats/lnk/extra_darwin_block.go @@ -0,0 +1,36 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package lnk + +import ( + "errors" + + "github.com/elastic/beats/v7/libbeat/formats/common" +) + +func parseExtraDarwin(size uint32, data []byte) (*Darwin, error) { + if size != 0x00000314 { + return nil, errors.New("invalid extra darwin block size") + } + ansi := common.ReadString(data[8:268], 0) + unicode := common.ReadUnicode(data[268:788], 0) + return &Darwin{ + ANSI: ansi, + Unicode: unicode, + }, nil +} diff --git a/libbeat/formats/lnk/extra_environment.go b/libbeat/formats/lnk/extra_environment.go new file mode 100644 index 000000000000..7c6c764368ac --- /dev/null +++ b/libbeat/formats/lnk/extra_environment.go 
@@ -0,0 +1,36 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package lnk + +import ( + "errors" + + "github.com/elastic/beats/v7/libbeat/formats/common" +) + +func parseExtraEnvironment(size uint32, data []byte) (*Environment, error) { + if size != 0x00000314 { + return nil, errors.New("invalid extra environment block size") + } + ansi := common.ReadString(data[8:268], 0) + unicode := common.ReadUnicode(data[268:788], 0) + return &Environment{ + ANSI: ansi, + Unicode: unicode, + }, nil +} diff --git a/libbeat/formats/lnk/extra_icon_environment.go b/libbeat/formats/lnk/extra_icon_environment.go new file mode 100644 index 000000000000..5aa6d0430920 --- /dev/null +++ b/libbeat/formats/lnk/extra_icon_environment.go 
@@ -0,0 +1,36 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package lnk + +import ( + "errors" + + "github.com/elastic/beats/v7/libbeat/formats/common" +) + +func parseExtraIconEnvironment(size uint32, data []byte) (*IconEnvironment, error) { + if size != 0x00000314 { + return nil, errors.New("invalid extra icon environment block size") + } + ansi := common.ReadString(data[8:268], 0) + unicode := common.ReadUnicode(data[268:788], 0) + return &IconEnvironment{ + ANSI: ansi, + Unicode: unicode, + }, nil +} diff --git a/libbeat/formats/lnk/extra_known_folder.go b/libbeat/formats/lnk/extra_known_folder.go new file mode 100644 index 000000000000..f2416d606d16 --- /dev/null +++ b/libbeat/formats/lnk/extra_known_folder.go 
@@ -0,0 +1,33 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package lnk + +import ( + "encoding/binary" + "errors" +) + +func parseExtraKnownFolder(size uint32, data []byte) (*KnownFolder, error) { + if size != 0x0000001C { + return nil, errors.New("invalid extra known folder block size") + } + return &KnownFolder{ + ID: encodeUUID(data[8:24]), + Offset: binary.LittleEndian.Uint32(data[24:28]), + }, nil +} diff --git a/libbeat/formats/lnk/extra_property_store.go b/libbeat/formats/lnk/extra_property_store.go new file mode 100644 index 000000000000..6d8c64f65e7a --- /dev/null +++ b/libbeat/formats/lnk/extra_property_store.go 
@@ -0,0 +1,374 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package lnk + +import ( + "encoding/binary" + "errors" + "math" + "strconv" + + "github.com/elastic/beats/v7/libbeat/formats/common" +) + +const ( + vtEmpty uint32 = 0x0000 + vtNull uint32 = 0x0001 + vtI2 uint32 = 0x0002 + vtI4 uint32 = 0x0003 + vtR4 uint32 = 0x0004 + vtR8 uint32 = 0x0005 + vtCY uint32 = 0x0006 + vtDate uint32 = 0x0007 + vtBStr uint32 = 0x0008 + vtError uint32 = 0x000A + vtBool uint32 = 0x000B + vtDecimal uint32 = 0x000E + vtI1 uint32 = 0x0010 + vtUI1 uint32 = 0x0011 + vtUI2 uint32 = 0x0012 + vtUI4 uint32 = 0x0013 + vtI8 uint32 = 0x0014 + vtUI8 uint32 = 0x0015 + vtInt uint32 = 0x0016 + vtUInt uint32 = 0x0017 + vtLPStr uint32 = 0x001E + vtLPWStr uint32 = 0x001F + vtFiletime uint32 = 0x0040 + vtBlob uint32 = 0x0041 + vtStream uint32 = 0x0042 + vtStorage uint32 = 0x0043 + vtStreamedObject uint32 = 0x0044 + vtStoredObject uint32 = 0x0045 + vtBlobObject uint32 = 0x0046 + vtCF uint32 = 0x0047 + vtCLSID uint32 = 0x0048 + vtVersionedStream uint32 = 0x0049 + // vectors + vtVectorI2 uint32 = 0x1002 + vtVectorI4 uint32 = 0x1003 + vtVectorR4 uint32 = 0x1004 + vtVectorR8 uint32 = 0x1005 + vtVectorCY uint32 = 0x1006 + vtVectorDate uint32 = 0x1007 + 
vtVectorBStr uint32 = 0x1008 + vtVectorError uint32 = 0x100A + vtVectorBool uint32 = 0x100B + vtVectorVariant uint32 = 0x100C + vtVectorI1 uint32 = 0x1010 + vtVectorUI1 uint32 = 0x1011 + vtVectorUI2 uint32 = 0x1012 + vtVectorUI4 uint32 = 0x1013 + vtVectorI8 uint32 = 0x1014 + vtVectorUI8 uint32 = 0x1015 + vtVectorLPStr uint32 = 0x101E + vtVectorLPWStr uint32 = 0x101F + vtVectorFiletime uint32 = 0x1040 + vtVectorCF uint32 = 0x1047 + vtVectorCLSID uint32 = 0x1048 + // arrays + vtArrayI2 uint32 = 0x2002 + vtArrayI4 uint32 = 0x2003 + vtArrayR4 uint32 = 0x2004 + vtArrayR8 uint32 = 0x2005 + vtArrayCY uint32 = 0x2006 + vtArrayDate uint32 = 0x2007 + vtArrayBStr uint32 = 0x2008 + vtArrayError uint32 = 0x200A + vtArrayBool uint32 = 0x200B + vtArrayVariant uint32 = 0x200C + vtArrayDecimal uint32 = 0x200E + vtArrayI1 uint32 = 0x2010 + vtArrayUI1 uint32 = 0x2011 + vtArrayUI2 uint32 = 0x2012 + vtArrayUI4 uint32 = 0x2013 + vtArrayInt uint32 = 0x2016 + vtArrayUint uint32 = 0x2017 +) + +var ( + propertyTypes = map[uint32]string{ + vtEmpty: "VT_EMPTY", + vtNull: "VT_NULL", + vtI2: "VT_I2", + vtI4: "VT_I4", + vtR4: "VT_R4", + vtR8: "VT_R8", + vtCY: "VT_CY", + vtDate: "VT_DATE", + vtBStr: "VT_BSTR", + vtError: "VT_ERROR", + vtBool: "VT_BOOL", + vtDecimal: "VT_DECIMAL", + vtI1: "VT_I1", + vtUI1: "VT_UI1", + vtUI2: "VT_UI2", + vtUI4: "VT_UI4", + vtI8: "VT_I8", + vtUI8: "VT_UI8", + vtInt: "VT_INT", + vtUInt: "VT_UINT", + vtLPStr: "VT_LPSTR", + vtLPWStr: "VT_LPWSTR", + vtFiletime: "VT_FILETIME", + vtBlob: "VT_BLOB", + vtStream: "VT_STREAM", + vtStorage: "VT_STORAGE", + vtStreamedObject: "VT_STREAMED_OBJECT", + vtStoredObject: "VT_STORED_OBJECT", + vtBlobObject: "VT_BLOB_OBJECT", + vtCF: "VT_CF", + vtCLSID: "VT_CLSID", + vtVersionedStream: "VT_VERSIONED_STREAM", + vtVectorI2: "VT_VECTOR | VT_I2", + vtVectorI4: "VT_VECTOR | VT_I4", + vtVectorR4: "VT_VECTOR | VT_R4", + vtVectorR8: "VT_VECTOR | VT_R8", + vtVectorCY: "VT_VECTOR | VT_CY", + vtVectorDate: "VT_VECTOR | VT_DATE", + vtVectorBStr: 
"VT_VECTOR | VT_BSTR", + vtVectorError: "VT_VECTOR | VT_ERROR", + vtVectorBool: "VT_VECTOR | VT_BOOL", + vtVectorVariant: "VT_VECTOR | VT_VARIANT", + vtVectorI1: "VT_VECTOR | VT_I1", + vtVectorUI1: "VT_VECTOR | VT_UI1", + vtVectorUI2: "VT_VECTOR | VT_UI2", + vtVectorUI4: "VT_VECTOR | VT_UI4", + vtVectorI8: "VT_VECTOR | VT_I8", + vtVectorUI8: "VT_VECTOR | VT_UI8", + vtVectorLPStr: "VT_VECTOR | VT_LPSTR", + vtVectorLPWStr: "VT_VECTOR | VT_LPWSTR", + vtVectorFiletime: "VT_VECTOR | VT_FILETIME", + vtVectorCF: "VT_VECTOR | VT_CF", + vtVectorCLSID: "VT_VECTOR | VT_CLSID", + vtArrayI2: "VT_ARRAY | VT_I2", + vtArrayI4: "VT_ARRAY | VT_I4", + vtArrayR4: "VT_ARRAY | VT_R4", + vtArrayR8: "VT_ARRAY | VT_R8", + vtArrayCY: "VT_ARRAY | VT_CY", + vtArrayDate: "VT_ARRAY | VT_DATE", + vtArrayBStr: "VT_ARRAY | VT_BSTR", + vtArrayError: "VT_ARRAY | VT_ERROR", + vtArrayBool: "VT_ARRAY | VT_BOOL", + vtArrayVariant: "VT_ARRAY | VT_VARIANT", + vtArrayDecimal: "VT_ARRAY | VT_DECIMAL", + vtArrayI1: "VT_ARRAY | VT_I1", + vtArrayUI1: "VT_ARRAY | VT_UI1", + vtArrayUI2: "VT_ARRAY | VT_UI2", + vtArrayUI4: "VT_ARRAY | VT_UI4", + vtArrayInt: "VT_ARRAY | VT_INT", + vtArrayUint: "VT_ARRAY | VT_UINT", + } +) + +func parseExtraPropertyStore(size uint32, data []byte) (*PropertyStore, error) { + if size < 0x0000000C { + return nil, errors.New("invalid extra property store block size") + } + props := []Property{} + store := data[8:] + offset := 0 + for { + propertyData := store[offset:] + if len(propertyData) < 4 { + break + } + propertySize := binary.LittleEndian.Uint32(propertyData[0:4]) + if propertySize == 0 { + break + } + if len(propertyData) < 24 || len(propertyData) < int(propertySize) { + return nil, errors.New("invalid property size") + } + version := binary.LittleEndian.Uint32(propertyData[4:8]) + if version != 0x53505331 { + return nil, errors.New("invalid property version") + } + format := encodeUUID(propertyData[8:24]) + name, property, err := parseProperties(format, 
propertyData[24:propertySize]) + if err != nil { + return nil, err + } + if property != nil { + property.Name = name + props = append(props, *property) + } + offset += int(propertySize) + } + + return &PropertyStore{ + Properties: props, + }, nil +} + +func parseProperties(identifier string, data []byte) (string, *Property, error) { + propertySize := binary.LittleEndian.Uint32(data[0:4]) + if propertySize == 0 { + return "", nil, nil + } + id := binary.LittleEndian.Uint32(data[4:8]) + name := identifier + "\\" + strconv.Itoa(int(id)) + knownFormat, known := knownProperties[identifier] + if known { + idName, knownName := knownFormat[id] + if knownName { + name = idName + } + } + + _, value, err := parseTypedValue(data[9:propertySize]) + if err != nil { + return name, nil, err + } + return name, value, nil +} + +func parseTypedValue(data []byte) (uint32, *Property, error) { + if len(data) < 4 { + return 0, nil, errors.New("invalid properties") + } + valueType := binary.LittleEndian.Uint32(data[0:4]) + switch valueType { + case vtEmpty: + fallthrough + case vtNull: + return valueType, &Property{ + Type: propertyTypes[valueType], + }, nil + case vtI2: + return valueType, &Property{ + Type: propertyTypes[valueType], + Value: int16(binary.LittleEndian.Uint16(data[4:8])), + }, nil + case vtI4: + return valueType, &Property{ + Type: propertyTypes[valueType], + Value: int32(binary.LittleEndian.Uint32(data[4:8])), + }, nil + case vtR4: + bits := binary.LittleEndian.Uint32(data[4:8]) + float := math.Float32frombits(bits) + return valueType, &Property{ + Type: propertyTypes[valueType], + Value: float, + }, nil + case vtR8: + bits := binary.LittleEndian.Uint64(data[4:12]) + float := math.Float64frombits(bits) + return valueType, &Property{ + Type: propertyTypes[valueType], + Value: float, + }, nil + case vtCY: + return valueType, &Property{ + Type: propertyTypes[valueType], + Value: binary.LittleEndian.Uint64(data[4:12]), + }, nil + case vtDate: + return valueType, &Property{ + 
Type: propertyTypes[valueType], + Value: normalizeTime(binary.LittleEndian.Uint64(data[4:12])), + }, nil + case vtBStr: + codePageSize := binary.LittleEndian.Uint32(data[4:8]) + codePage := common.ReadString(data[8:8+codePageSize], 0) + return valueType, &Property{ + Type: propertyTypes[valueType], + Value: codePage, + }, nil + case vtError: + return valueType, &Property{ + Type: propertyTypes[valueType], + Value: binary.LittleEndian.Uint32(data[4:8]), + }, nil + case vtBool: + return valueType, &Property{ + Type: propertyTypes[valueType], + Value: binary.LittleEndian.Uint16(data[4:6]) == 0xFFFF, + }, nil + // case vtDecimal: + // case vtI1: + // case vtUI1: + // case vtUI2: + // case vtUI4: + // case vtI8: + // case vtUI8: + // case vtInt: + // case vtUInt: + // case vtLPStr: + case vtLPWStr: + length := binary.LittleEndian.Uint32(data[4:8]) * 2 + return valueType, &Property{ + Type: propertyTypes[valueType], + Value: common.ReadUnicode(data[8:8+length], 0), + }, nil + // case vtFiletime: + // case vtBlob: + // case vtStream: + // case vtStorage: + // case vtStreamedObject: + // case vtStoredObject: + // case vtBlobObject: + // case vtCF: + // case vtCLSID: + // case vtVersionedStream: + // case vtVectorI2: + // case vtVectorI4: + // case vtVectorR4: + // case vtVectorR8: + // case vtVectorCY: + // case vtVectorDate: + // case vtVectorBStr: + // case vtVectorError: + // case vtVectorBool: + // case vtVectorVariant: + // case vtVectorI1: + // case vtVectorUI1: + // case vtVectorUI2: + // case vtVectorUI4: + // case vtVectorI8: + // case vtVectorUI8: + // case vtVectorLPStr: + // case vtVectorLPWStr: + // case vtVectorFiletime: + // case vtVectorCF: + // case vtVectorCLSID: + // case vtArrayI2: + // case vtArrayI4: + // case vtArrayR4: + // case vtArrayR8: + // case vtArrayCY: + // case vtArrayDate: + // case vtArrayBStr: + // case vtArrayError: + // case vtArrayBool: + // case vtArrayVariant: + // case vtArrayDecimal: + // case vtArrayI1: + // case vtArrayUI1: + // 
case vtArrayUI2: + // case vtArrayUI4: + // case vtArrayInt: + // case vtArrayUint: + default: + return valueType, &Property{ + Type: propertyTypes[valueType], + Value: data[4:], + }, nil + } +} diff --git a/libbeat/formats/lnk/extra_shim.go b/libbeat/formats/lnk/extra_shim.go new file mode 100644 index 000000000000..8c16861ddf24 --- /dev/null +++ b/libbeat/formats/lnk/extra_shim.go @@ -0,0 +1,33 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package lnk + +import ( + "errors" + + "github.com/elastic/beats/v7/libbeat/formats/common" +) + +func parseExtraShim(size uint32, data []byte) (*Shim, error) { + if size < 0x00000088 { + return nil, errors.New("invalid extra shim block size") + } + return &Shim{ + LayerName: common.ReadUnicode(data, 8), + }, nil +} diff --git a/libbeat/formats/lnk/extra_special_folder.go b/libbeat/formats/lnk/extra_special_folder.go new file mode 100644 index 000000000000..66b786db9e38 --- /dev/null +++ b/libbeat/formats/lnk/extra_special_folder.go 
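Review bot: In extra_property_store.go, `propertyData[24:propertySize]` in parseExtraPropertyStore panics with a slice-bounds error whenever 0 < propertySize < 24, because the guard `if len(propertyData) < 24 || len(propertyData) < int(propertySize)` compares the storage size against the buffer but never against the 24-byte storage header; add `propertySize < 28` (size, version, format ID, plus the 4-byte size of the first value) to the error condition. The same unchecked indexing repeats downstream: parseProperties reads data[0:8] and slices data[9:propertySize] without checking that len(data) covers either, and in parseTypedValue the vtBStr branch slices data[8:8+codePageSize] and the vtLPWStr branch data[8:8+length] with sizes taken straight from the file, while every other branch indexes data[4:8] or data[4:12] after only checking len(data) >= 4. A .lnk collected from a host can be attacker-shaped, and an index panic here takes down the whole beat rather than failing one document, so a small checked-slice helper that returns an error, plus table tests with truncated and oversized length fields, would be worth adding before merge. Two further points: parseProperties decodes only the first serialized value of a storage and returns, so a storage holding several properties loses all but the first (the loop in parseExtraPropertyStore walks storages, not values); and VT_DATE is an 8-byte floating-point DATE, not a FILETIME, so `normalizeTime(binary.LittleEndian.Uint64(data[4:12]))` in the vtDate branch decodes it wrongly, while the type that actually carries FILETIMEs, vtFiletime (0x0040), is commented out and lands in the raw-bytes default.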
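Review bot: In extra_shim.go (and in the same shape in extra_special_folder.go, extra_tracker.go and extra_vista_and_above_id_list.go), parseExtraShim validates `size` against the minimum block size but never checks that `len(data) >= size` before indexing into data, so the safety of `common.ReadUnicode(data, 8)` and of the fixed-offset reads in the sibling parsers rests on a caller invariant that is not stated anywhere in this patch; either add `if uint32(len(data)) < size { return nil, errors.New("truncated extra data block") }` to each parser or document the invariant on the functions so the next caller cannot violate it.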
@@ -0,0 +1,33 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package lnk + +import ( + "encoding/binary" + "errors" +) + +func parseExtraSpecialFolder(size uint32, data []byte) (*SpecialFolder, error) { + if size != 0x00000010 { + return nil, errors.New("invalid extra special folder block size") + } + return &SpecialFolder{ + ID: binary.LittleEndian.Uint32(data[8:12]), + Offset: binary.LittleEndian.Uint32(data[12:16]), + }, nil +} diff --git a/libbeat/formats/lnk/extra_tracker.go b/libbeat/formats/lnk/extra_tracker.go new file mode 100644 index 000000000000..f8523a20364e --- /dev/null +++ b/libbeat/formats/lnk/extra_tracker.go 
@@ -0,0 +1,43 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package lnk + +import ( + "encoding/binary" + "errors" + + "github.com/elastic/beats/v7/libbeat/formats/common" +) + +func parseExtraTracker(size uint32, data []byte) (*Tracker, error) { + if size != 0x00000060 { + return nil, errors.New("invalid extra tracker block size") + } + return &Tracker{ + Version: binary.LittleEndian.Uint32(data[12:16]), + MachineID: common.ReadString(data[16:32], 0), + Droid: []string{ + encodeUUID(data[32:48]), + encodeUUID(data[48:64]), + }, + DroidBirth: []string{ + encodeUUID(data[64:80]), + encodeUUID(data[80:96]), + }, + }, nil +} diff --git a/libbeat/formats/lnk/extra_vista_and_above_id_list.go b/libbeat/formats/lnk/extra_vista_and_above_id_list.go new file mode 100644 index 000000000000..0cf5e31d8407 --- /dev/null +++ b/libbeat/formats/lnk/extra_vista_and_above_id_list.go 
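Review bot: In extra_tracker.go, parseExtraTracker reads Version from data[12:16] but never validates it, and the Length field at data[8:12] is skipped entirely; MS-SHLLINK fixes Length at 0x00000058 and Version at 0 for the TrackerDataBlock, so checking both the same way the block size is checked would reject malformed blocks before the MachineID and the four encodeUUID calls on data[32:96] are decoded, and would give the forensic fields (MachineID, Droid, DroidBirth) a validated layout to stand on.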
@@ -0,0 +1,33 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package lnk + +import "errors" + +func parseExtraVistaAndAboveIDList(size uint32, data []byte) (*VistaAndAboveIDList, error) { + if size < 0x0000000A { + return nil, errors.New("invalid extra vista and above id list block size") + } + shellbags, err := parseShellbagList(data[8:]) + if err != nil { + return nil, err + } + return &VistaAndAboveIDList{ + Shellbags: shellbags, + }, nil +} diff --git a/libbeat/formats/lnk/header.go b/libbeat/formats/lnk/header.go new file mode 100644 index 000000000000..59f1cb0c34df --- /dev/null +++ b/libbeat/formats/lnk/header.go 
@@ -0,0 +1,286 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package lnk + +import ( + "encoding/binary" + "encoding/hex" + "errors" + "fmt" + "io" + "sort" + "time" +) + +const ( + // link flags + hasTargetIDList uint32 = 1 << iota + hasLinkInfo + hasName + hasRelativePath + hasWorkingDir + hasArguments + hasIconLocation + isUnicode + forceNoLinkInfo + hasExpString + runInSeparateProcess + _ + hasDarwinID + runAsUser + hasExpIcon + noPidlAlias + _ + runWithShimLayer + forceNoLinkTrack + enableTargetMetadata + disableLinkPathTracking + disableKnownFolderTracking + disableKnownFolderAlias + allowLinkToLink + unaliasOnSave + preferEnvironmentPath + keepLocalIDListForUNCTarget +) + +const ( + // file flags + fileAttributeReadonly uint32 = 1 << iota + fileAttributeHidden + fileAttributeSystem + _ + fileAttributeDirectory + fileAttributeArchive + fileAttributeDevice + fileAttributeNormal + fileAttributeTemporary + fileAttributeSparseFile + fileAttributeReparsePoint + fileAttributeCompressed + fileAttributeOffline + fileAttributeNotContentIndexed + fileAttributeEncrypted + _ + fileAttributeVirtual +) + +var ( + windowStyles = []string{ + "SW_HIDE", + "SW_NORMAL", + "SW_SHOWMINIMIZED", + "SW_MAXIMIZE ", + 
"SW_SHOWNOACTIVATE", + "SW_SHOW", + "SW_MINIMIZE", + "SW_SHOWMINNOACTIVE", + "SW_SHOWNA", + "SW_RESTORE", + "SW_SHOWDEFAULT", + "SW_FORCEMINIMIZE", + } + hotKeyModifiers = []string{ + "UNSET", + "HOTKEYF_SHIFT", + "HOTKEYF_CONTROL", + "HOTKEYF_ALT", + } + fKeys = []string{ + "VK_F1", + "VK_F2", + "VK_F3", + "VK_F4", + "VK_F5", + "VK_F6", + "VK_F7", + "VK_F8", + "VK_F9", + "VK_F10", + "VK_F11", + "VK_F12", + "VK_F13", + "VK_F14", + "VK_F15", + "VK_F16", + "VK_F17", + "VK_F18", + "VK_F19", + "VK_F20", + "VK_F21", + "VK_F22", + "VK_F23", + "VK_F24", + } + linkFlags = map[uint32]string{ + hasTargetIDList: "HasTargetIDList", + hasLinkInfo: "HasLinkInfo", + hasName: "HasName", + hasRelativePath: "HasRelativePath", + hasWorkingDir: "HasWorkingDir", + hasArguments: "HasArguments", + hasIconLocation: "HasIconLocation", + isUnicode: "IsUnicode", + forceNoLinkInfo: "ForceNoLinkInfo", + hasExpString: "HasExpString", + runInSeparateProcess: "RunInSeparateProcess", + hasDarwinID: "HasDarwinID", + runAsUser: "RunAsUser", + hasExpIcon: "HasExpIcon", + noPidlAlias: "NoPidlAlias", + runWithShimLayer: "RunWithShimLayer", + forceNoLinkTrack: "ForceNoLinkTrack", + enableTargetMetadata: "EnableTargetMetadata", + disableLinkPathTracking: "DisableLinkPathTracking", + disableKnownFolderTracking: "DisableKnownFolderTracking", + disableKnownFolderAlias: "DisableKnownFolderAlias", + allowLinkToLink: "AllowLinkToLink", + unaliasOnSave: "UnaliasOnSave", + preferEnvironmentPath: "PreferEnvironmentPath", + keepLocalIDListForUNCTarget: "KeepLocalIDListForUNCTarget", + } + fileFlags = map[uint32]string{ + fileAttributeReadonly: "FILE_ATTRIBUTE_READONLY", + fileAttributeHidden: "FILE_ATTRIBUTE_HIDDEN", + fileAttributeSystem: "FILE_ATTRIBUTE_SYSTEM", + fileAttributeDirectory: "FILE_ATTRIBUTE_DIRECTORY", + fileAttributeArchive: "FILE_ATTRIBUTE_ARCHIVE", + fileAttributeDevice: "FILE_ATTRIBUTE_DEVICE", + fileAttributeNormal: "FILE_ATTRIBUTE_NORMAL", + fileAttributeTemporary: "FILE_ATTRIBUTE_TEMPORARY", 
+ fileAttributeSparseFile: "FILE_ATTRIBUTE_SPARSE_FILE", + fileAttributeReparsePoint: "FILE_ATTRIBUTE_REPARSE_POINT", + fileAttributeCompressed: "FILE_ATTRIBUTE_COMPRESSED", + fileAttributeOffline: "FILE_ATTRIBUTE_OFFLINE", + fileAttributeNotContentIndexed: "FILE_ATTRIBUTE_NOT_CONTENT_INDEXED", + fileAttributeEncrypted: "FILE_ATTRIBUTE_ENCRYPTED", + fileAttributeVirtual: "FILE_ATTRIBUTE_VIRTUAL", + } +) + +// 116444736000000000 is the number of 100-nanoseconds between +// 1 january 1601 00:00 and 1 january 1970 00:00 UTC +const epochDelta uint64 = 116444736000000000 + +func windowsTimeToUnix(timestamp uint64) uint64 { + // Convert to 100-nanoseconds increment since Unix Epoch and then + // truncate to seconds + return (timestamp - epochDelta) / 1e7 +} + +func parseHeader(r io.ReaderAt) (*Header, int64, error) { + header := make([]byte, 76) + read, err := r.ReadAt(header, 0) + if err != nil { + return nil, 0, err + } + if read != 76 { + return nil, 0, errors.New("truncated LNK header") + } + rawLinkFlags := binary.LittleEndian.Uint32(header[20:24]) + rawFileFlags := binary.LittleEndian.Uint32(header[24:28]) + return &Header{ + GUID: encodeUUID(header[4:20]), + rawLinkFlags: rawLinkFlags, + LinkFlags: parseFlags(linkFlags, rawLinkFlags), + rawFileFlags: rawFileFlags, + FileFlags: parseFlags(fileFlags, rawFileFlags), + CreationTime: normalizeTime(binary.LittleEndian.Uint64(header[28:36])), + AccessedTime: normalizeTime(binary.LittleEndian.Uint64(header[36:44])), + ModifiedTime: normalizeTime(binary.LittleEndian.Uint64(header[44:52])), + FileSize: binary.LittleEndian.Uint32(header[52:56]), + IconIndex: binary.LittleEndian.Uint32(header[56:60]), + WindowStyle: normalizeWindowStyle(binary.LittleEndian.Uint32(header[60:64])), + HotKey: normalizeHotKey(header[64], header[65]), + }, 76, nil +} + +func normalizeWindowStyle(style uint32) string { + if style >= uint32(len(windowStyles)) { + return fmt.Sprintf("UNKNOWN:%d", style) + } + return windowStyles[style] +} + +func 
normalizeTime(value uint64) *time.Time { + if value == 0 { + return nil + } + timestamp := time.Unix(int64(windowsTimeToUnix(value)), 0).UTC() + return ×tamp +} + +func normalizeHotKey(lower, upper uint8) string { + if lower == 0x00 && upper == 0x00 { + return "" + } + var key string + if upper < uint8(len(hotKeyModifiers)) { + modifier := hotKeyModifiers[upper] + if modifier != "UNSET" { + key = modifier + "+" + } + } + if (0x30 <= lower && lower <= 0x39) || (0x41 <= lower && lower <= 0x5a) { + return key + string(rune(lower)) + } + if (lower - 0x70) < uint8(len(fKeys)) { + return key + fKeys[lower-0x70] + } + if lower == 0x90 { + return key + "VK_NUMLOCK" + } + if lower == 0x91 { + return key + "VK_SCROLL" + } + return "UNKNOWN" +} + +func parseFlags(flagset map[uint32]string, value uint32) []string { + flags := []string{} + for flag, name := range flagset { + if hasFlag(value, flag) { + flags = append(flags, name) + } + } + sort.Strings(flags) + return flags +} + +func encodeUUID(uuid []byte) string { + dst := make([]byte, 36) + swapped := make([]byte, 8) + binary.BigEndian.PutUint16(swapped[2:4], binary.LittleEndian.Uint16(uuid[0:2])) + binary.BigEndian.PutUint16(swapped[0:2], binary.LittleEndian.Uint16(uuid[2:4])) + binary.BigEndian.PutUint16(swapped[4:6], binary.LittleEndian.Uint16(uuid[4:6])) + binary.BigEndian.PutUint16(swapped[6:8], binary.LittleEndian.Uint16(uuid[6:8])) + + hex.Encode(dst, swapped[:4]) + dst[8] = '-' + hex.Encode(dst[9:13], swapped[4:6]) + dst[13] = '-' + hex.Encode(dst[14:18], swapped[6:8]) + dst[18] = '-' + hex.Encode(dst[19:23], uuid[8:10]) + dst[23] = '-' + hex.Encode(dst[24:], uuid[10:]) + return string(dst) +} + +func hasFlag(flagset, flag uint32) bool { + return (flagset & flag) != 0 +} diff --git a/libbeat/formats/lnk/known_properties.go b/libbeat/formats/lnk/known_properties.go new file mode 100644 index 000000000000..8c242aaa87cf --- /dev/null +++ b/libbeat/formats/lnk/known_properties.go 
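Review bot: In header.go, normalizeHotKey treats the high byte of HotKeyFlags as an index into hotKeyModifiers, but it is a bitmask (HOTKEYF_SHIFT 0x01, HOTKEYF_CONTROL 0x02, HOTKEYF_ALT 0x04): `upper == 3` is SHIFT+CONTROL yet is labelled HOTKEYF_ALT, `upper == 4` (ALT alone) is >= len(hotKeyModifiers) and silently dropped, and a combination such as 0x06 loses its modifiers entirely; build the prefix by testing each bit, e.g. `if upper&0x01 != 0 { key += "HOTKEYF_SHIFT+" }`, and likewise for 0x02 and 0x04. Further points in the same hunk: `"SW_MAXIMIZE "` in windowStyles carries a trailing space that will leak into every document; parseHeader stores the LinkCLSID from header[4:20] but never checks HeaderSize (header[0:4], which must be 0x0000004C) or that the CLSID is 00021401-0000-0000-C000-000000000046, so any 76-byte blob is accepted as a shortcut header, which matters for a parser fed untrusted files; and windowsTimeToUnix computes `(timestamp - epochDelta) / 1e7` on a uint64, so a non-zero FILETIME earlier than 1970 underflows and normalizeTime reports a far-future time instead of a pre-epoch one (either clamp or do the subtraction in int64).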
@@ -0,0 +1,2579 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package lnk + +var knownProperties = map[string]map[uint32]string{ + "46588ae2-4cbc-4338-bbfc-139326986dce": map[uint32]string{ + 4: "SID", + }, + "dabd30ed-0043-4789-a7f8-d013a4736622": map[uint32]string{ + 100: "Item Folder Path Display Narrow", + }, + "28636aa6-953d-11d2-b5d6-00c04fd918d0": map[uint32]string{ + 0: "Find Data", + 1: "Network Resource", + 2: "Description ID", + 3: "Which Folder", + 4: "Network Location", + 5: "Computer Name", + 6: "Namespace CLSID", + 8: "Item Path Display Narrow", + 9: "Perceived Type", + 10: "Computer Simple Name", + 11: "Item Type", + 12: "File Count", + 14: "Total File Size", + 22: "Max Stack Count", + 23: "List Description", + 24: "Parsing Name", + 25: "SFGAO Flags", + 26: "Order", + 27: "Computer Description", + 29: "Contained Items", + 30: "Parsing Path", + 31: "Network Provider", + 32: "Delegate ID List", + 33: "Is SendTo Target", + 34: "Hide On Desktop", + 35: "Network Places Default Name", + 36: "Storage System Type", + 37: "Item SubType", + }, + "9f4c2855-9f79-4b39-a8d0-e1d42de1d5f3": map[uint32]string{ + 2: "App User Model Relaunch Command", + 3: "App User Model Relaunch Icon Resource", + 4: "App User Model 
Relaunch Display Name Resource", + 5: "App User Model ID", + 6: "App User Model Is DestList Separator", + 7: "App User Model Is DestList Link", + 8: "App User Model Exclude From Show In New Install", + 9: "App User Model Prevent Pinning", + 10: "App User Model Best Shortcut", + 11: "App User Model Is Dual Mode", + 12: "App User Model Start Pin Option", + 13: "App User Model Relevance", + 14: "App User Model Host Environment", + 15: "App User Model Package Install Path", + 16: "App User Model Record State", + 17: "App User Model Package Family Name", + 18: "App User Model Installed By", + 19: "App User Model Parent ID", + 20: "App User Model Activation Context", + 21: "App User Model Package Full Name", + 22: "App User Model Package Relative Application ID", + 23: "App User Model Excluded From Launcher", + 24: "App User Model AppCompat ID", + 25: "App User Model Run Flags", + 26: "App User Model Toast Activator CLSID", + 27: "App User Model DestList Provided Title", + 28: "App User Model DestList Provided Description", + 29: "App User Model DestList Logo Uri", + 30: "App User Model DestList Provided Group Name", + }, + "446d16b1-8dad-4870-a748-402ea43d788c": map[uint32]string{ + 100: "Thumbnail Cache Id", + 104: "Volume Id", + 105: "Tooltip Thumbnail Stream", + }, + "fb8d2d7b-90d1-4e34-bf60-6eac09922bbf": map[uint32]string{ + 2: "WinX Hash", + }, + "f29f85e0-4ff9-1068-ab91-08002b27b3d9": map[uint32]string{ + 3: "Subject", + 4: "Author", + 5: "Keywords", + 6: "Comment", + 7: "Document Template", + 8: "Document Last Author", + 9: "Document Revision Number", + 10: "Document Total Editing Time", + 11: "Document Date Printed", + 12: "Document Date Created", + 13: "Document Date Saved", + 14: "Document Page Count", + 15: "Document Word Count", + 16: "Document Character Count", + 17: "Thumbnail", + 18: "Application Name", + 19: "Document Security", + 24: "High Keywords", + 25: "Low Keywords", + 26: "Medium Keywords", + 27: "Thumbnail Stream", + }, + 
"841e4f90-ff59-4d16-8947-e81bbffab36d": map[uint32]string{ + 2: "Publisher Display Name", + 3: "Software Registered Owner", + 4: "Software Registered Company", + 5: "Software AppId", + 6: "Software Support Url", + 7: "Software Support Telephone", + 8: "Software Help Link", + 9: "Software Install Location", + 10: "Software Install Source", + 11: "Software Date Installed", + 12: "Software Support Contact Name", + 13: "Software ReadMe Url", + 14: "Software Update Info Url", + 15: "Software Times Used", + 16: "Software Date Last Used", + 17: "Software Tasks File Url", + 18: "Software Parent Name", + 19: "Software Product ID", + 20: "Software Comments", + 997: "Software Null Preview Total Size", + 998: "Software Null Preview Subtitle", + 999: "Software Null Preview Title", + }, + "86d40b4d-9069-443c-819a-2a54090dccec": map[uint32]string{ + 2: "Tile Small Image Location", + 4: "Tile Background Color", + 5: "Tile Foreground Color", + 11: "Tile Display Name", + 12: "Tile Image Location", + 13: "Tile Wide 310x150 Logo Path", + 14: "Tile Unknown Flags", + 15: "Tile Badge Logo Path", + 16: "Tile Suite Display Name", + 17: "Tile Suite Sor tName", + 18: "Tile Display Name Language", + 19: "Tile Square 310x310 Logo Path", + 20: "Tile Square 70x70 Logo Path", + 21: "Tile Fence Post", + 22: "Tile Install Progress", + 23: "Tile Encoded Target Path", + }, + "b725f130-47ef-101a-a5f1-02608c9eebac": map[uint32]string{ + 2: "Item Folder Name Display", + 3: "Search ClassID", + 4: "Item Type Text", + 8: "File Index", + 9: "Search Last Change USN", + 10: "Item Name Display", + 12: "Size", + 13: "File Attributes", + 14: "Date Modified", + 15: "Date Created", + 16: "Date Accessed", + 18: "File Allocation Size", + 19: "Search Contents", + 20: "Search ShortName", + 21: "File FRN", + 22: "Search Scope", + 23: "Item Name Sort Override", + 24: "Item Name Display Without Extension", + 25: "Folder Name Display", + }, + "e3e0584c-b788-4a5a-bb20-7f5a44c9acdd": map[uint32]string{ + 2: "Message Bcc 
Address", + 3: "Message Bcc Name", + 4: "Message Cc Address", + 5: "Message Cc Name", + 6: "Item Folder Path Display", + 7: "Item Path Display", + 9: "Communication Account Name", + 10: "Is Read", + 11: "Importance", + 12: "Flag Status", + 13: "Message From Address", + 14: "Message From Name", + 15: "Message Store", + 16: "Message To Address", + 17: "Message To Name", + 18: "Contact Web Page", + 19: "Message Date Sent", + 20: "Message Date Received", + 21: "Message Attachment Names", + }, + "00000000-0000-0000-0000-000000000000": map[uint32]string{ + 0: "Null", + }, + "000214a1-0000-0000-c000-000000000046}": map[uint32]string{ + 9: "Status", + }, + "00bc20a3-bd48-4085-872c-a88d77f5097e": map[uint32]string{ + 105: "Music Composer Sort Override", + }, + "00f58a38-c54b-4c40-8696-97235980eae1": map[uint32]string{ + 100: "Calendar Resources", + }, + "00f63dd8-22bd-4a5d-ba34-5cb0b9bdcb03": map[uint32]string{ + 101: "Contact Job Info1 Yomi Company Name", + 102: "Contact Job Info1 Company Name", + 103: "Contact Job Info1 Title", + 104: "Contact Job Info1 Office Location", + 105: "Contact Job Info1 Manager", + 106: "Contact Job Info1 Department", + 107: "Contact Job Info2 Yomi Company Name", + 108: "Contact Job Info2 Company Name", + 109: "Contact Job Info2 Title", + 110: "Contact Job Info2 Office Location", + 112: "Contact Job Info2 Manager", + 113: "Contact Job Info2 Department", + 114: "Contact Job Info3 Yomi Company Name", + 115: "Contact Job Info3 Company Name", + 116: "Contact Job Info3 Title", + 117: "Contact Job Info3 Office Location", + 118: "Contact Job Info3 Manager", + 119: "Contact Job Info3 Department", + 120: "Contact Job Info1 Company Address", + 121: "Contact Job Info2 Company Address", + 123: "Contact Job Info3 Company Address", + 124: "Contact Webpage 2", + 125: "Contact Webpage 3", + }, + "026e516e-b814-414b-83cd-856d6fef4822": map[uint32]string{ + 3: "Devices Interface Enabled", + 4: "Devices Interface Class Guid", + 6: "Devices Restricted Interface", + 
}, + "029c0252-5b86-46c7-aca0-2769ffc8e3d4": map[uint32]string{ + 100: "GPS Latitude Ref", + }, + "02b0f689-a914-4e45-821d-1dda452ed2c4": map[uint32]string{ + 100: "GPS Longitude Numerator", + }, + "03089873-8ee8-4191-bd60-d31f72b7900b": map[uint32]string{ + 100: "Contact Display Other Phone Numbers", + }, + "0337ecec-39fb-4581-a0bd-4c4cc51e9914": map[uint32]string{ + 100: "Photo Aperture Numerator", + }, + "048658ad-2db8-41a4-bbb6-ac1ef1207eb1": map[uint32]string{ + 100: "Item Class Type", + }, + "05e932b1-7ca2-491f-bd69-99b4cb266cbb": map[uint32]string{ + 2: "Connected Search Disambiguation Text", + }, + "06704b0c-e830-4c81-9178-91e4e95a80a0": map[uint32]string{ + 2: "Devices Notification Store", + 3: "Devices Notification", + }, + "084d8a0a-e6d5-40de-bf1f-c8820e7c877c": map[uint32]string{ + 100: "Task CompletionStatus", + }, + "08a65aa1-f4c9-43dd-9ddf-a33d8e7ead85": map[uint32]string{ + 100: "Contact HomeAddressCountry", + }, + "08c7cc5f-60f2-4494-ad75-55e3e0b5add0": map[uint32]string{ + 100: "Task Owner", + }, + "08f6d7c2-e3f2-44fc-af1e-5aa5c81a2d3e": map[uint32]string{ + 100: "Photo MaxAperture", + }, + "09329b74-40a3-4c68-bf07-af9a572f607c": map[uint32]string{ + 100: "Is Folder", + }, + "0933f3f5-4786-4f46-a8e8-d64dd37fa521": map[uint32]string{ + 100: "Photo Focal Plane X Resolution Denominator", + }, + "09429607-582d-437f-84c3-de93a2b24c3c": map[uint32]string{ + 100: "Calendar Optional AttendeeNames", + }, + "09736039-456b-4219-ba3e-ec573b58cf97": map[uint32]string{ + 2: "Secondary Tile Is Uninstalled", + }, + "09edd5b6-b301-43c5-9990-d00302effd46": map[uint32]string{ + 100: "Media Average Level", + }, + "0a7b84ef-0c27-463f-84ef-06c5070001be": map[uint32]string{ + 10: "Device Interface Printer Name", + }, + "0abe4d16-9384-426b-b41a-eac3c8e0f147": map[uint32]string{ + 2: "Search Content Snippet", + }, + "0adef160-db3f-4308-9a21-06237b16fa2a": map[uint32]string{ + 100: "Contact Home Address Street", + }, + "0b48f35a-be6e-4f17-b108-3c4073d1669a": 
map[uint32]string{ + 15: "Device Printer URL", + }, + "0b63e343-9ccc-11d0-bcdb-00805fccce04": map[uint32]string{ + 2: "Search Url To Index", + 12: "Search Url To Index With Modification Time", + 23: "Search Is Closed Directory", + 24: "Search Is Fully Contained", + 25: "Search Provider Class", + 26: "Search Provider Web Domain", + 27: "Search Provider Result Limit", + }, + "0b63e350-9ccc-11d0-bcdb-00805fccce04": map[uint32]string{ + 5: "MIME Type", + 8: "Search Gather Time", + 9: "Search Access Count", + 11: "Search Last Indexed Total Time", + }, + "0b8bb018-2725-4b44-92ba-7933aeb2dde7": map[uint32]string{ + 2: "Contact Account Picture Dynamic Video", + 3: "Contact Account Picture Large", + 4: "Contact Account Picture Small", + }, + "0ba7d6c3-568d-4159-ab91-781a91fb71e5": map[uint32]string{ + 100: "Calendar Required Attendee Addresses", + }, + "0bba1ede-7566-4f47-90ec-25fc567ced2a": map[uint32]string{ + 2: "Devices AepContainer Children", + 3: "Devices AepContainer Can Pair", + 4: "Devices AepContainer Is Paired", + 6: "Devices AepContainer Manufacturer", + 7: "Devices AepContainer Model Name", + 8: "Devices AepContainer Model Ids", + 9: "Devices AepContainer Categories", + 11: "Devices AepContainer Is Present", + 12: "Devices AepContainer Container Id", + 13: "Devices AepContainer Protocol Ids", + }, + "0be1c8e7-1981-4676-ae14-fdd78f05a6e7": map[uint32]string{ + 100: "Message Sender Address", + }, + "0be3fd71-3f87-40e0-aead-0294cf674635": map[uint32]string{ + 2: "Shell Is Dav Resource", + }, + "0c73b141-39d6-4653-a683-cab291eaf95b": map[uint32]string{ + 2: "Supplemental Album Id", + 3: "Supplemental Resource Id", + }, + "0c840a88-b043-466d-9766-d4b26da3fa77": map[uint32]string{ + 100: "Photo Subject Distance Denominator", + }, + "0cb2bf5a-9ee7-4a86-8222-f01e07fdadaf": map[uint32]string{ + 100: "PropGroup Photo Advanced", + }, + "0cef7d53-fa64-11d1-a203-0000f81fedee": map[uint32]string{ + 3: "File Description", + 4: "File Version", + 5: "Internal Name", + 6: 
"Original File Name", + 7: "Software Product Name", + 8: "Software Product Version", + 9: "Trademarks", + 11: "Platform", + }, + "0cf8fb02-1837-42f1-a697-a7017aa289b9": map[uint32]string{ + 100: "GPS DOP", + }, + "0da41cfa-d224-4a18-ae2f-596158db4b3a": map[uint32]string{ + 100: "Message Sender Name", + }, + "0ded77b3-c614-456c-ae5b-285b38d7b01b": map[uint32]string{ + 2: "Launcher Order", + 3: "Launcher Group ID", + 6: "Launcher View ID", + 7: "Launcher App State", + 8: "Launcher Tile Size", + 9: "Launcher Group Name", + 10: "Launcher Splash Screen Image", + 11: "Launcher TileSize Timestamp", + 12: "Launcher ItemPosition Timestamp", + 13: "Launcher View ID Timestamp", + 14: "Launcher Group Membership Timestamp", + 15: "Launcher Group Name Timestamp", + 16: "Launcher Default Tile Size", + 17: "Launcher Placeholder Expiry Candidate", + 18: "Launcher Placeholder Expiry Candidate Timestamp", + 19: "Launcher Item Flags", + 20: "Launcher Group Position Timestamp", + 21: "Launcher Store Category", + 22: "Launcher Win Store Category Name", + 23: "Launcher SubgroupID", + }, + "0f55cde2-4f49-450d-92c1-dcd16301b1b7": map[uint32]string{ + 100: "GPS Latitude Decimal", + }, + "10984e0a-f9f2-4321-b7ef-baf195af4319": map[uint32]string{ + 100: "Parental Rating Reason", + }, + "10b24595-41a2-4e20-93c2-5761c1395f32": map[uint32]string{ + 100: "GPS Img Direction Denominator", + }, + "10dabe05-32aa-4c29-bf1a-63e2d220587f": map[uint32]string{ + 100: "Image Image Id", + }, + "1173f62a-2a55-4f62-aed6-8c7112e0f7a3": map[uint32]string{ + 5: "Force Full Text", + }, + "11d6336b-38c4-4ec9-84d6-eb38d0b150af": map[uint32]string{ + 100: "Contact Other Email Addresses", + }, + "125491f4-818f-46b2-91b5-d537753617b2": map[uint32]string{ + 100: "GPS Status", + }, + "12ea418f-d8cd-4cdf-9b23-457eaac7ff0d": map[uint32]string{ + 100: "Communication Directory Server", + }, + "12fa14f5-c6fe-4545-bce2-1ed6cb6b8422": map[uint32]string{ + 2: "Connected Search Link Text", + }, + 
"13673f42-a3d6-49f6-b4da-ae46e0c5237c": map[uint32]string{ + 2: "Devices DevObject Type", + }, + "13eb7ffc-ec89-4346-b19d-ccc6f1784223": map[uint32]string{ + 101: "Music Album Title Sort Override", + }, + "14977844-6b49-4aad-a714-a4513bf60460": map[uint32]string{ + 100: "Contact First Name", + }, + "149c0b69-2c2d-48fc-808f-d318d78c4636": map[uint32]string{ + 2: "Volume Is Mapped Drive", + }, + "14b81da1-0135-4d31-96d9-6cbfc9671a99": map[uint32]string{ + 259: "Image Compression", + 271: "Photo Camera Manufacturer", + 272: "Photo Camera Model", + 273: "Photo Camera Serial Number", + 274: "Photo Orientation", + 305: "Software Used", + 18248: "Photo Event", + 18258: "Date Imported", + 33432: "Image Copyright", + 33434: "Photo Exposure Time", + 33437: "Photo FNumber", + 34850: "Photo Exposure Program", + 34855: "Photo ISO Speed", + 36867: "Photo Date Taken", + 37377: "Photo Shutter Speed", + 37378: "Photo Aperture", + 37380: "Photo Exposure Bias", + 37382: "Photo Subject Distance", + 37383: "Photo Metering Mode", + 37384: "Photo Light Source", + 37385: "Photo Flash", + 37386: "Photo Focal Length", + 40096: "Image Property Bag", + 40961: "Image Color Space", + 41483: "Photo Flash Energy", + }, + "1506935d-e3e7-450f-8637-82233ebe5f6e": map[uint32]string{ + 2: "Devices WiFi Direct Interface Address", + 3: "Devices WiFi Direct Interface Guid", + 4: "Devices WiFi Direct Group Id", + 5: "Devices WiFi Direct Is Connected", + 6: "Devices WiFi Direct Is Visible", + 7: "Devices WiFi Direct Is Legacy Device", + 8: "Devices WiFi Direct Miracast Version", + 9: "Devices WiFi Direct Is Miracast Lcp Supported", + 10: "Devices WiFi Direct Services", + 11: "Devices WiFi Direct Supported ChannelList", + 12: "Devices WiFi Direct Information Elements", + 13: "Devices WiFi Direct Device Address", + }, + "16473c91-d017-4ed9-ba4d-b6baa55dbcf8": map[uint32]string{ + 100: "GPS Img Direction", + }, + "16cbb924-6500-473b-a5be-f1599bcbe413": map[uint32]string{ + 100: "Photo Digital Zoom Numerator", 
+ }, + "16e634ee-2bff-497b-bd8a-4341ad39eeb9": map[uint32]string{ + 100: "GPS Latitude Denominator", + }, + "16ea4042-d6f4-4bca-8349-7c78d30fb333": map[uint32]string{ + 100: "Photo Shutter Speed Numerator", + }, + "176dc63c-2688-4e89-8143-a347800f25e9": map[uint32]string{ + 6: "Contact Job Title", + 7: "Contact Office Location", + 20: "Contact Home Telephone", + 25: "Contact Primary Telephone", + 35: "Contact Mobile Telephone", + 47: "Contact Birthday", + 48: "Contact Primary Email Address", + 65: "Contact Hom eAddress City", + 69: "Contact Personal Title", + 70: "Contact Given Name", + 71: "Contact Middle Name", + 73: "Contact Suffix", + 74: "Contact Nick Name", + 75: "Contact Prefix", + }, + "1804d1fb-9fa4-441d-a536-76468ac43307": map[uint32]string{ + 100: "WebDav Path", + }, + "182c1ea6-7c1c-4083-ab4b-ac6c9f4ed128": map[uint32]string{ + 100: "GPS Dest Longitude Ref", + }, + "188c1f91-3c40-4132-9ec5-d8b03b72a8a2": map[uint32]string{ + 100: "Calendar Response Status", + }, + "18bbd425-ecfd-46ef-b612-7b4a6034eda0": map[uint32]string{ + 100: "Contact Primary Address Postal Code", + }, + "19b51fa6-1f92-4a5c-ab48-7df0abd67444": map[uint32]string{ + 100: "Image Resolution Unit", + }, + "1a701bf6-478c-4361-83ab-3701bb053c58": map[uint32]string{ + 100: "Photo Brightness", + }, + "1a9ba605-8e7c-4d11-ad7d-a50ada18ba1b": map[uint32]string{ + 2: "Message Participants", + }, + "1b5439e7-eba1-4af8-bdd7-7af1d4549493": map[uint32]string{ + 100: "RecordedTV Station Name", + }, + "1b97738a-fdfc-462f-9d93-1957e08be90c": map[uint32]string{ + 100: "Photo FNumber Numerator", + }, + "30c8eef4-a832-41e2-ab32-e3c3ca28fd29": map[uint32]string{ + 2: "Home Grouping", + 3: "Home Sort Order", + 4: "Home Is Pinned", + 5: "Home PropList Sort", + 6: "Home Item Folder Path Display", + }, + "3143bf7c-80a8-4854-8880-e2e40189bdd0": map[uint32]string{ + 100: "Message Attachment Contents", + }, + "315b9c8d-80a9-4ef9-ae16-8e746da51d70": map[uint32]string{ + 100: "Calendar Is Recurring", + }, + 
"318a6b45-087f-4dc2-b8cc-05359551fc9e": map[uint32]string{ + 100: "Photo Related Sound File", + }, + "31b37743-7c5e-4005-93e6-e953f92b82e9": map[uint32]string{ + 2: "Devices WiFi Direct Services Service Address", + 3: "Devices WiFi Direct Services Service Name", + 4: "Devices WiFi Direct Services Service Information", + 5: "Devices WiFi Direct Services Advertisement Id", + 6: "Devices WiFi Direct Services Service Config Methods", + 7: "Devices WiFi Direct Services Request Service Information", + }, + "328d8b21-7729-4bfc-954c-902b329d56b0": map[uint32]string{ + 2: "Sync Copy In", + }, + "32bcb03c-7f34-4e3f-bbb2-ebe63629f5e4": map[uint32]string{ + 100: "Is Simple Item", + }, + "33dcf22b-28d5-464c-8035-1ee9efd25278": map[uint32]string{ + 100: "GPS Longitude Ref", + }, + "341796f1-1df9-4b1c-a564-91bdefa43877": map[uint32]string{ + 100: "Photo PhotometricInterpretation", + }, + "346c8bd1-2e6a-4c45-89a4-61b78e8e700f": map[uint32]string{ + 100: "Is Incomplete", + }, + "35dbe6fe-44c3-4400-aaae-d2c799c407e8": map[uint32]string{ + 100: "GPS Track Ref", + }, + "3602c812-0f3b-45f0-85ad-603468d69423": map[uint32]string{ + 100: "GPS Date", + }, + "3633de59-6825-4381-a49b-9f6ba13a1471": map[uint32]string{ + 2: "Devices Playback State", + 3: "Devices Playback Title", + 4: "Devices Remaining Duration", + 5: "Devices Playback Position Percent", + }, + "364028da-d895-41fe-a584-302b1bb70a76": map[uint32]string{ + 100: "Contact Display Business Phone Numbers", + }, + "364b6fa9-37ab-482a-be2b-ae02f60d4318": map[uint32]string{ + 100: "Image Compressed Bits Per Pixel", + }, + "37ebd11f-7e72-4ebc-9d4c-c790f8c277c2": map[uint32]string{ + 2: "Device Interface Spb Controller Friendly Name", + }, + "38965063-edc8-4268-8491-b7723172cf29": map[uint32]string{ + 100: "Contact Email Address 2", + }, + "38d43380-d418-4830-84d5-46935a81c5c6": map[uint32]string{ + 32: "Security Allowed Enterprise Data Protection Identities", + }, + "39a7f922-477c-48de-8bc8-b28441e342e3": map[uint32]string{ + 100: 
"Project", + }, + "39b77f4f-a104-4863-b395-2db2ad8f7bc1": map[uint32]string{ + 100: "Contact Connected Service Display Name", + }, + "3a372292-7fca-49a7-99d5-e47bb2d4e7ab": map[uint32]string{ + 100: "GPS Dest Latitude Denominator", + }, + "3b2ce006-5e61-4fde-bab8-9b8aac9b26df": map[uint32]string{ + 5: "Devices Aep Protocol Id", + 8: "Devices Aep Id", + }, + "3c8cee58-d4f0-4cf9-b756-4e5d24447bcd": map[uint32]string{ + 100: "Contact Gender", + 101: "Contact Gender Value", + }, + "3d658d4d-bc38-464a-b555-418d554a8df8": map[uint32]string{ + 100: "Fonts Description", + }, + "3d75e4f5-a391-4952-81f7-c7072fe53025": map[uint32]string{ + 100: "File Reparse Point Tag", + }, + "3f08e66f-2f44-4bb9-a682-ac35d2562322": map[uint32]string{ + 100: "Image Compression Text", + }, + "3f5d9b45-5e9f-4d5c-8a5e-403181bf177b": map[uint32]string{ + 2: "Extensions Type", + 3: "Extensions Date Last Used", + 4: "Extensions Used Count", + 5: "Extensions Blocked Count", + 6: "Extensions CLSID", + 7: "Extensions Status", + 8: "Check State", + 9: "Extensions Suspect", + 10: "Extensions File Name", + 11: "Extensions File Path", + 12: "Extensions Flags", + }, + "3f8472b5-e0af-4db2-8071-c53fe76ae7ce": map[uint32]string{ + 100: "Due Date", + }, + "402b5934-ec5a-48c3-93e6-85e86a2d934e": map[uint32]string{ + 100: "Contact Business Address City", + }, + "41cf5ae0-f75a-4806-bd87-59c7d9248eb9": map[uint32]string{ + 100: "File Name", + }, + "425d69e5-48ad-4900-8d80-6eb6b8d0ac86": map[uint32]string{ + 100: "GPS Dest Longitude Denominator", + }, + "428040ac-a177-4c8a-9760-f6f761227f9a": map[uint32]string{ + 100: "Communication Date Item Expires", + }, + "42864dfd-9da4-4f77-bded-4aad7b256735": map[uint32]string{ + 100: "Photo Gain Control Denominator", + }, + "4340a6c5-93fa-4706-972c-7b648008a5a7": map[uint32]string{ + 8: "Devices Parent", + 9: "Devices Children", + }, + "436f2667-14e2-4feb-b30a-146c53b5b674": map[uint32]string{ + 100: "Link Arguments", + }, + "43f8d7b7-a444-4f87-9383-52271c9b915c": 
map[uint32]string{ + 100: "DateArchived", + }, + "446f787f-10c4-41cb-a6c4-4d0343551597": map[uint32]string{ + 100: "Contact Business Address State", + }, + "4530d076-b598-4a81-8813-9b11286ef6ea": map[uint32]string{ + 2: "Fonts Font Embeddability", + 5: "Fonts Type", + 7: "Fonts File Names", + }, + "4596208c-32fa-41d2-9695-af0cb9e8dcfe": map[uint32]string{ + 100: "Stack Thumbnail Cache Ids", + }, + "45eae747-8e2a-40ae-8cbf-ca52aba6152a": map[uint32]string{ + 100: "Flag Color Text", + }, + "4679c1b5-844d-4590-baf5-f322231f1b81": map[uint32]string{ + 100: "GPS Longitude Decimal", + }, + "467ee575-1f25-4557-ad4e-b8b58b0d9c15": map[uint32]string{ + 100: "GPS Satellites", + }, + "4684fe97-8765-4842-9c13-f006447b178c": map[uint32]string{ + 100: "Recorded TV Original Broadcast Date", + }, + "46ac629d-75ea-4515-867f-6dc4321c5844": map[uint32]string{ + 100: "GPS Altitude Ref", + }, + "46b4e8de-cdb2-440d-885c-1658eb65b914": map[uint32]string{ + 100: "Note Color Text", + }, + "47166b16-364f-4aa0-9f31-e2ab3df449c3": map[uint32]string{ + 100: "GPS DOP Numerator", + }, + "4776cafa-bce4-4cb1-a23e-265e76d8eb11": map[uint32]string{ + 100: "Note Color", + }, + "47a96261-cb4c-4807-8ad3-40b9d9dbc6bc": map[uint32]string{ + 100: "GPS DestLongitude", + }, + "48fd6ec8-8a12-4cdf-a03e-4ec5a511edde": map[uint32]string{ + 100: "Start Date", + }, + "49237325-a95a-4f67-b211-816b2d45d2e0": map[uint32]string{ + 100: "Photo Saturation", + }, + "49691c90-7e17-101a-a91c-08002b2ecda9": map[uint32]string{ + 2: "Search Results Rank", + 3: "Search Rank", + 4: "Search Hit Count", + 5: "Search Entry Id", + 8: "Search Reverse File Name", + 9: "Item Url", + 10: "Content Url", + 15: "Search Row Id", + 21: "Search Query Property Hits", + 22: "Search Completion", + 28: "Search Result Set Aggregate Attributes", + }, + "49753869-849c-4323-a41f-26d73f28b53b": map[uint32]string{ + 100: "Fonts Vendors", + }, + "49cd1f76-5626-4b17-a4e8-18b4aa1a2213": map[uint32]string{ + 2: "Devices Signal Strength", + 3: "Devices 
Text Messages", + 4: "Devices New Pictures", + 5: "Devices Missed Calls", + 6: "Devices Voicemail", + 7: "Devices Network Name", + 8: "Devices Network Type", + 9: "Devices Roaming", + 10: "Devices Battery Life", + 11: "Devices Charging State", + 12: "Devices Storage Capacity", + 13: "Devices Storage Free Space", + 14: "Devices Storage Free Space Percent", + 22: "Devices Battery Plus Charging", + 23: "Devices Battery Plus Charging Text", + }, + "49d1091f-082e-493f-b23f-d2308aa9668c": map[uint32]string{ + 100: "PropList Non Personal", + }, + "49eb6558-c09c-46dc-8668-1f848c290d0b": map[uint32]string{ + 1: "Shell Exclusion", + 3: "Shell Item Offline Status", + }, + "4ac903f8-e780-4e4b-b7b8-4d00a99804fc": map[uint32]string{ + 100: "Home Group Sharing Status", + }, + "4b486401-5468-4381-9b5a-42df4cb49f53": map[uint32]string{ + 100: "Fonts Category", + }, + "4bd13b3d-e68b-44ec-89ee-7611789d4070": map[uint32]string{ + 100: "Start Menu Group", + 101: "Start Menu Run Command", + 102: "Start Menu Query", + 103: "Start Menu Group Item", + 104: "Start Menu Include In Scope", + 105: "Start Menu Result Source Id", + }, + "4c6bf15c-4c03-4aac-91f5-64c0f852bcf4": map[uint32]string{ + 2: "Device Interface Serial Usb Vendor Id", + 3: "Device Interface Serial Usb Product Id", + 4: "Device Interface Serial Port Name", + }, + "4d1ebee8-0803-4774-9842-b77db50265e9": map[uint32]string{ + 2: "Storage Portable", + 3: "Storage Removable Media", + 4: "Storage System Critical", + }, + "4e9cfc01-5d36-406a-83cd-4e7423923604": map[uint32]string{ + 2: "Offline Sync Time", + }, + "4f289a46-2bbb-4ae8-9eda-e5e034707a71": map[uint32]string{ + 2: "Lzh Folder Compressed Size", + 3: "Lzh Folder CRC16", + 4: "Lzh Folder Method", + 5: "Lzh Folder Ratio", + }, + "4fffe4d0-914f-4ac4-8d6f-c9c61de169b1": map[uint32]string{ + 100: "Photo Focal Plane Y Resolution", + }, + "502cfeab-47eb-459c-b960-e6d8728f7701": map[uint32]string{ + 100: "Zone Identifier", + 101: "Last Writer Package Family Name", + 102: "App Zone 
Identifier", + }, + "5068bcdf-d697-4d85-8c53-1f1cdab01763": map[uint32]string{ + 100: "Contact Display Home Phone Numbers", + }, + "508161fa-313b-43d5-83a1-c1accf68622c": map[uint32]string{ + 100: "Contact Other Address", + }, + "51236583-0c4a-4fe8-b81f-166aec13f510": map[uint32]string{ + 100: "Devices App Package Family Name", + 123: "Devices Glyph Icon", + }, + "51ec3f47-dd50-421d-8769-334f50424b1e": map[uint32]string{ + 100: "Photo Sharpness Text", + }, + "53da57cf-62c0-45c4-81de-7610bcefd7f5": map[uint32]string{ + 100: "Calendar Show Time As Text", + }, + "540b947e-8b40-45bc-a8a2-6a0b894cbda2": map[uint32]string{ + 5: "Devices Present", + 6: "Devices Device Has Problem", + 9: "Devices Physical Device Location", + }, + "54b3a473-59aa-445b-aecd-77541ba8b7c9": map[uint32]string{ + 2: "User Name", + 3: "User Display Name", + 5: "User Profile Path", + }, + "5567bf77-2be2-4222-befa-d0c9c9cc4b6e": map[uint32]string{ + 2: "Velocity Feature Id", + }, + "55e98597-ad16-42e0-b624-21599a199838": map[uint32]string{ + 100: "Photo Exposure Time Denominator", + }, + "560c36c0-503a-11cf-baa1-00004c752a9a": map[uint32]string{ + 2: "Search Auto Summary", + 3: "Search Query Focused Summary", + 4: "Search Query Focused Summary With Fallback", + }, + "56310920-2491-4919-99ce-eadb06fafdb2": map[uint32]string{ + 100: "Contact Business Home Page", + }, + "56a3372e-ce9c-11d2-9f0e-006097c686f6": map[uint32]string{ + 2: "Music Artist", + 4: "Music Album Title", + 5: "Media Year", + 7: "Music Track Number", + 11: "Music Genre", + 12: "Music Lyrics", + 13: "Music Album Artist", + 33: "Music Content Group Description", + 34: "Music Initial Key", + 35: "Music Beats Per Minute", + 36: "Music Conductor", + 37: "Music Part Of Set", + 38: "Media Sub Title", + 39: "Music Mood", + 100: "Music Album Id", + }, + "56c90e9d-9d46-4963-886f-2e1cd9a694ef": map[uint32]string{ + 100: "Contact Home Email Addresses", + }, + "57086c23-86c6-478f-afb2-236188c8f47f": map[uint32]string{ + 2: "Taskbar Tab Active", + 
3: "Taskbar Tab List", + }, + "5741cf9c-56fe-485b-8901-4786449e188d": map[uint32]string{ + 100: "Fonts Designed For", + }, + "59569556-0a08-4212-95b9-fae2ad6413db": map[uint32]string{ + 2: "Devices Notifications New Voicemail", + }, + "596fd41b-af9b-4ba8-9b49-33b16f16678c": map[uint32]string{ + 100: "Fonts Styles", + }, + "59d49e61-840f-4aa9-a939-e2099b7f6399": map[uint32]string{ + 100: "GPS Processing Method", + }, + "59dde9f2-5253-40ea-9a8b-479e96c6249a": map[uint32]string{ + 100: "Photo Contrast Text", + }, + "5ab5c75f-15e1-4d65-924a-04754567243c": map[uint32]string{ + 2: "Setting Host Id", + 3: "Setting Setting Id", + 4: "Setting Page Id", + 5: "Setting Group Id", + 6: "Setting Condition", + 7: "Setting Glyph", + 8: "Setting Glyph Rtl", + }, + "5bf396d4-5eb2-466f-bde9-2fb3f2361d6e": map[uint32]string{ + 100: "Calendar Show Time As", + }, + "5cbf2787-48cf-4208-b90e-ee5e5d420294": map[uint32]string{ + 1: "History Url Hash", + 2: "Link Target Url", + 3: "Url Scheme", + 4: "Url HostName", + 5: "History Url Extra Info", + 6: "History Code Page", + 7: "History Visit Count", + 8: "History Is History", + 9: "History I sDownload", + 10: "History Download Location", + 11: "History Download Size", + 12: "History Favorite IconKey", + 13: "History Is Favorite", + 14: "History Is Offline Favorite", + 15: "History Is Pinned Favorite", + 16: "History Is Typed Url", + 17: "History Is Top Level", + 18: "History Is Feed", + 19: "History Keywords", + 20: "History User Keywords", + 21: "Link Description", + 22: "History User Description", + 23: "Link Date Visited", + 24: "History Icon Bits", + 25: "Icon Path", + 26: "Icon Index", + 27: "History Icon Date", + 28: "History Points", + 29: "History Sessions", + 33: "History Subscription Cookie", + 34: "History Tracking", + 35: "Link Working Folder Path", + 36: "Link Hot Key", + 37: "Link Show Cmd", + 38: "Link Whats New", + 39: "History Date Changed", + 40: "History Flags", + 41: "History Watch", + 42: "History Favorite Icon Hash", + 
43: "Icon Secondary Stream Name", + }, + "5cda5fc8-33ee-4ff3-9094-ae7bd8868c4d": map[uint32]string{ + 100: "Is Deleted", + }, + "5cde9f0e-1de4-4453-96a9-56e8832efa3d": map[uint32]string{ + 1: "Computer Domain Name", + 2: "Computer Workgroup", + }, + "5d76b67f-9b3d-44bb-b6ae-25da4f638a67": map[uint32]string{ + 2: "Is Pinned To Name Space Tree", + 3: "Is Default Save Location", + 4: "Is Search Only Item", + 5: "Is Default Non Owner Save Location", + 6: "Owner SID", + 7: "Is Default Save Location For Display", + 8: "Is Location Supported", + 9: "Library Location Support Status", + 10: "Default Save Location Display", + 11: "Default Save Location Icon Container", + }, + "5da84765-e3ff-4278-86b0-a27967fbdd03": map[uint32]string{ + 100: "Is Flagged", + }, + "5dc2253f-5e11-4adf-9cfe-910dd01e3e70": map[uint32]string{ + 100: "Contact Hobbies", + }, + "5f5aff6a-37e5-4780-97ea-80c7565cf535": map[uint32]string{ + 34: "Security Encryption Owners", + }, + "5fbd34cd-561a-412e-ba98-478a6b0fef1d": map[uint32]string{ + 2: "Devices Aep Bluetooth Cod Major", + 3: "Devices Aep Bluetooth Cod Minor", + 4: "Devices Aep Bluetooth Cod Services Limited Discovery", + 5: "Devices Aep Bluetooth Cod Services Positioning", + 6: "Devices Aep Bluetooth Cod Services Networking", + 7: "Devices Aep Bluetooth Cod Services Rendering", + 8: "Devices Aep Bluetooth Cod Services Capturing", + 9: "Devices Aep Bluetooth Cod Services Object Xfer", + 10: "Devices Aep Bluetooth Cod Services Audio", + 11: "Devices Aep Bluetooth Cod Services Telephony", + 12: "Devices Aep Bluetooth Cod Services Information", + }, + "61478c08-b600-4a84-bbe4-e99c45f0a072": map[uint32]string{ + 100: "Photo Saturation Text", + }, + "61872cf7-6b5e-4b4b-ac2d-59da84459248": map[uint32]string{ + 100: "PropGroup Media", + }, + "62d2d9ab-8b64-498d-b865-402d4796f865": map[uint32]string{ + 3: "Location Empty String", + }, + "6336b95e-c7a7-426d-86fd-7ae3d39c84b4": map[uint32]string{ + 100: "Photo White Balance Text", + }, + 
"635e9051-50a5-4ba2-b9db-4ed056c77296": map[uint32]string{ + 100: "Contact Full Name", + }, + "63c25b20-96be-488f-8788-c09c407ad812": map[uint32]string{ + 100: "Contact Primary Address Street", + }, + "641064ba-9329-47e6-8f36-5fa81aa461a0": map[uint32]string{ + 2: "OneNote Page Edit History", + 3: "OneNote Tagged Notes", + 4: "OneNote Linked Note Uri", + }, + "6444048f-4c8b-11d1-8b70-080036b11a03": map[uint32]string{ + 3: "Image Horizontal Size", + 4: "Image Vertical Size", + 5: "Image Horizontal Resolution", + 6: "Image Vertical Resolution", + 7: "Image Bit Depth", + 12: "Media Frame Count", + 13: "Image Dimensions", + }, + "64440490-4c8b-11d1-8b70-080036b11a03": map[uint32]string{ + 2: "Audio Format", + 3: "Media Duration", + 4: "Audio Encoding Bitrate", + 5: "Audio Sample Rate", + 6: "Audio Sample Size", + 7: "Audio Channel Count", + 8: "Audio Stream Number", + 9: "Audio Stream Name", + 10: "Audio Compression", + }, + "64440491-4c8b-11d1-8b70-080036b11a03": map[uint32]string{ + 2: "Video Stream Name", + 3: "Video Frame Width", + 4: "Video Frame Height", + 6: "Video Frame Rate", + 8: "Video Encoding Bitrate", + 9: "Video Sample Size", + 10: "Video Compression", + 11: "Video Stream Number", + 42: "Video Horizontal Aspect Ratio", + 43: "Video Total Bitrate", + 44: "Video Four CC", + 45: "Video Vertical Aspect Ratio", + 46: "Video Transcoded For Sync", + 98: "Video Is Stereo", + 99: "Video Orientation", + 100: "Video Is Spherical", + }, + "64440492-4c8b-11d1-8b70-080036b11a03": map[uint32]string{ + 7: "Media Status", + 9: "Rating", + 11: "Copyright", + 12: "Share User Rating", + 13: "Media Class Primary Id", + 14: "Media Class Secondary Id", + 15: "Media DVDID", + 16: "Media MCDI", + 17: "Media Metadata Content Provider", + 18: "Media Content Distributor", + 19: "Music Composer", + 20: "Video Director", + 21: "Parental Rating", + 22: "Media Producer", + 23: "Media Writer", + 24: "Media Collection Group Id", + 25: "Media Collection Id", + 26: "Media Content Id", + 
27: "Media Creator Application", + 28: "Media Creator Application Version", + 30: "Media Publisher", + 31: "Music Period", + 32: "Media Author Url", + 33: "Media Promotion Url", + 34: "Media User Web Url", + 35: "Media Unique File Identifier", + 36: "Media Encoded By", + 37: "Media Encoding Settings", + 38: "Media Protection Type", + 39: "Media Provider Rating", + 40: "Media Provider Style", + 41: "Media User No Auto Info", + 42: "Media Series Name", + 47: "Media Thumbnail Large Path", + 48: "Media Thumbnail Large Uri", + 49: "Media ThumbnailSmallPath", + 50: "Media Thumbnail Small Uri", + 100: "Media Episode Number", + 101: "Media Season Number", + }, + "644d37b4-e1b3-4bad-b099-7e7c04966aca": map[uint32]string{ + 100: "Contact Email Address3", + }, + "656a3bb3-ecc0-43fd-8477-4ae0404a96cd": map[uint32]string{ + 8192: "Devices Manufacturer", + 8194: "Devices Model Name", + 8195: "Devices Model Number", + 8198: "Devices Presentation Url", + 12288: "Devices Friendly Name", + 12297: "Devices Ip Address", + 16384: "Devices Service Address", + 16385: "Devices Service Id", + }, + "65a98875-3c80-40ab-abbc-efdaf77dbee2": map[uint32]string{ + 100: "Acquisition Id", + }, + "660e04d6-81ab-4977-a09f-82313113ab26": map[uint32]string{ + 100: "Contact Home Fax Number", + }, + "6614ef48-4efe-4424-9eda-c79f404edf3e": map[uint32]string{ + 2: "Devices Notifications Missed Call", + }, + "668cdfa5-7a1b-4323-ae4b-e527393a1d81": map[uint32]string{ + 100: "Source Item", + }, + "67df94de-0ca7-4d6f-b792-053a3e4f03cf": map[uint32]string{ + 100: "Flag Color", + }, + "6845cc72-1b71-48c3-af86-b09171a19b14": map[uint32]string{ + 3: "Devices Dial Protocol Installed Applications", + }, + "68dd6094-7216-40f1-a029-43fe7127043f": map[uint32]string{ + 100: "PropGroup Music", + }, + "6a15e5a0-0a1e-4cd7-bb8c-d2f1b0c929bc": map[uint32]string{ + 100: "Contact Business Telephone", + }, + "6af55d45-38db-4495-acb0-d4728a3b8314": map[uint32]string{ + 2: "Devices AepContainer Supports Audio", + 3: "Devices 
AepContainer Supports Video", + 4: "Devices AepContainer Supports Images", + 5: "Devices AepContainer Supported Uri Schemes", + 6: "Devices AepContainer Dial Protocol Installed Applications", + 7: "Devices AepContainer Supports Limited Discovery", + 8: "Devices AepContainer Supports Positioning", + 9: "Devices AepContainer Supports Networking", + 10: "Devices AepContainer Supports Rendering", + 11: "Devices AepContainer Supports Capturing", + 12: "Devices AepContainer Supports Object Transfer", + 13: "Devices AepContainer Supports Telephony", + 14: "Devices AepContainer Supports Information", + }, + "6afe7437-9bcd-49c7-80fe-4a5c65fa5874": map[uint32]string{ + 104: "Music Disc Number", + }, + "6b223b6a-162e-4aa9-b39f-05d678fc6d77": map[uint32]string{ + 100: "Music Synchronized Lyrics", + }, + "6b8b68f6-200b-47ea-8d25-d8050f57339f": map[uint32]string{ + 100: "Photo Flash Text", + }, + "6b8da074-3b5c-43bc-886f-0a2cdce00b6f": map[uint32]string{ + 100: "Item Name", + }, + "6bdd1fc6-810f-11d0-bec7-08002be2092f": map[uint32]string{ + 2: "Devices Wia Device Type", + }, + "6ccd0131-c397-4744-b2d8-d2c13f457026": map[uint32]string{ + 80: "Game Type", + }, + "6d217f6d-3f6a-4825-b470-5f03ca2fbe9b": map[uint32]string{ + 100: "Photo Program Mode", + }, + "6d24888f-4718-4bda-afed-ea0fb4386cd8": map[uint32]string{ + 100: "Offline Status", + }, + "6d6d5d49-265d-4688-9f4e-1fdd33e7cc83": map[uint32]string{ + 100: "Identity Internet Sid", + }, + "6d748de2-8d38-4cc3-ac60-f009b057c557": map[uint32]string{ + 2: "RecordedTV Episode Name", + 3: "RecordedTV Program Description", + 4: "RecordedTV Credits", + 5: "RecordedTV Station Call Sign", + 7: "RecordedTV Channe' Number", + 10: "RecordedTV Video Quality", + 12: "RecordedTV Is Closed Captioning Available", + 13: "RecordedTV Is Repeat Broadcast", + 14: "RecordedTV Is SAP", + 15: "RecordedTV Date Content Expires", + 16: "RecordedTV Is ATSC Content", + 17: "RecordedTV Is DTV Content", + 18: "RecordedTV Is HD Content", + }, + 
"6e682923-7f7b-4f0c-a337-cfca296687bf": map[uint32]string{ + 100: "Contact Other Address City", + }, + "6ebe6946-2321-440a-90f0-c043efd32476": map[uint32]string{ + 100: "Photo Brightness Denominator", + }, + "6fa20de6-d11c-4d9d-a154-64317628c12d": map[uint32]string{ + 100: "Expand oProperties", + }, + "702926f4-44a6-43e1-ae71-45627116893b": map[uint32]string{ + 100: "GPS Track Numerator", + }, + "7036dcfc-69ab-4316-b5ac-50de702447b0": map[uint32]string{ + 102: "Structured Query Before", + 103: "Structured Query After", + 104: "Structured Query File", + 105: "Structured Query Custom Property Boolean", + 106: "Structured Query Custom Property Integer", + 107: "Structured Query Custom Property Floating Point", + 108: "Structured Query Custom Property String", + 109: "Structured Query Custom Property DateTime", + 110: "Structured Query Has", + 111: "Structured Query Is", + 112: "Structured Query Null", + }, + "705ccb0f-5a0d-41ea-b2ca-2c9b5cc7db41": map[uint32]string{ + 100: "Verb Restrictions", + }, + "705d8364-7547-468c-8c88-84860bcbed4c": map[uint32]string{ + 2: "SAM Name", + 3: "SAM Version", + 4: "SAM Date Changed", + 5: "SAM Password Last Set", + 6: "SAM Date Account Expires", + 7: "SAM Password Can Change", + 8: "SAM Password Must Change", + 9: "SAM Full Name", + 10: "SAM Home Directory", + 11: "SAM Home Directory Drive", + 12: "SAM Script Path", + 13: "SAM Profile Path", + 14: "SAM Admin Comment", + 15: "SAM Workstations", + 16: "SAM User Comment", + 17: "SAM Password", + 18: "SAM Security Id", + 19: "SAM User Account Control", + 20: "SAM Logon Hours", + 21: "SAM Country Code", + 22: "SAM Code Page", + 23: "SAM Password Expired", + 24: "SAM User Picture", + 25: "SAM Password Hint", + 26: "SAM Domain", + 31: "SAM Groups", + 32: "SAM Type", + 36: "SAM Interactive Login", + 37: "SAM Network Login", + 38: "SAM Batch Login", + 39: "SAM Service Login", + 40: "SAM Remote Interactive Login", + 41: "SAM Deny Interactive Login", + 42: "SAM Deny Network Login", + 43: "SAM 
Deny Batch Login", + 44: "SAM Deny Service Login", + 45: "SAM Deny Remote Interactive Login", + 46: "SAM Dont Show In Logon UI", + 47: "SAM Shell Admin Object Props", + 50: "SAM Password Is Empty", + 102: "SAM Group Members", + 103: "SAM Residual Id", + 200: "LOGON LU Id", + 201: "LOGON Authentication Package", + 202: "LOGON TS Session", + 203: "LOGON Logon Time", + 204: "LOGON Logon Server", + 205: "LOGON Dns Domain Name", + 206: "LOGON UPN", + 207: "LOGON Client Name", + 208: "LOGON WinS tation Name", + 209: "LOGON Status", + 500: "PROFILE Path", + 501: "PROFILE GUID", + }, + "71724756-3e74-4432-9b59-e7b2f668a593": map[uint32]string{ + 2: "Devices AepService Friendly Name", + 3: "Devices AepService Service Class Id", + 4: "Devices AepService Container Id", + }, + "71b377d6-e570-425f-a170-809fae73e54e": map[uint32]string{ + 100: "Contact Other Address State", + }, + "720eb626-dbe4-4113-835c-9315e1e2ff77": map[uint32]string{ + 2: "Actions Action Name", + 3: "Actions Activation Context", + }, + "7268af55-1ce4-4f6e-a41f-b6e4ef10e4a9": map[uint32]string{ + 100: "Contact Profession", + }, + "72fab781-acda-43e5-b155-b2434f85e678": map[uint32]string{ + 100: "Date Completed", + }, + "72fc5ba4-24f9-4011-9f3f-add27afad818": map[uint32]string{ + 100: "Calendar Reminder Time", + }, + "730fb6dd-cf7c-426b-a03f-bd166cc9ee24": map[uint32]string{ + 100: "Contact Business Address", + }, + "73389854-0b42-4ea6-bc67-847d430899fd": map[uint32]string{ + 2: "Connected Search Require Template", + }, + "733cb147-8b1f-4c48-9966-192fde353c75": map[uint32]string{ + 100: "Music Stack Thumbnail Cache Ids", + }, + "738bf284-1d87-420b-92cf-5834bf6ef9ed": map[uint32]string{ + 100: "Photo Exposure Bias Numerator", + }, + "744c8242-4df5-456c-ab9e-014efb9021e3": map[uint32]string{ + 100: "Calendar Organizer Address", + }, + "745baf0e-e5c1-4cfb-8a1b-d031a0a52393": map[uint32]string{ + 100: "Photo Digital Zoom Denominator", + }, + "74a7de49-fa11-4d3d-a006-db7e08675916": map[uint32]string{ + 100: 
"Identity Provider Id", + }, + "75ee72ae-7d5f-482f-9487-f1c46ca819c1": map[uint32]string{ + 100: "Camera Roll Deduplication Id", + }, + "76c09943-7c33-49e3-9e7e-cdba872cfada": map[uint32]string{ + 100: "GPS Track", + }, + "776b6b3b-1e3d-4b0c-9a0e-8fbaf2a8492a": map[uint32]string{ + 100: "Photo Focal Lengt hNumerator", + }, + "78342dcb-e358-4145-ae9a-6bfe4e0f9f51": map[uint32]string{ + 100: "GPS Altitude Denominator", + }, + "78c34fc8-104a-4aca-9ea4-524d52996e57": map[uint32]string{ + 52: "Devices Discovery Method", + 55: "Devices Connected", + 56: "Devices Paired", + 57: "Devices Icon", + 70: "Devices Local Machine", + 71: "Devices Metadata Path", + 77: "Devices Launch Device Stage From Explorer", + 81: "Devices Device Description1", + 82: "Devices Device Description2", + 83: "Devices NotWorking Properly", + 84: "Devices Is Shared", + 85: "Devices Is Network Connected", + 86: "Devices Is Default", + 90: "Devices Category Ids", + 91: "Devices Category", + 92: "Devices Category Plural", + 94: "Devices Category Group", + 256: "Devices Device Instance Id", + }, + "79486778-4c6f-4dde-bc53-cd594311af99": map[uint32]string{ + 2: "Connected Search Local Weights", + }, + "79d94e82-4d79-45aa-821a-74858b4e4ca6": map[uint32]string{ + 2: "Devices AepService IoT Service Interfaces", + }, + "7a55582b-bd8c-4475-b94c-b87a388a7899": map[uint32]string{ + 100: "Status Icons", + }, + "7a7d76f4-b630-4bd7-95ff-37cc51a975c9": map[uint32]string{ + 2: "Link Target Extension", + }, + "7abcf4f8-7c3f-4988-ac91-8d2c2e97eca5": map[uint32]string{ + 100: "GPS Dest Bearing Denominator", + }, + "7b9f6399-0a3f-4b12-89bd-4adc51c918af": map[uint32]string{ + 100: "Contact Home Address Post Office Box", + }, + "7ba3535d-69aa-4525-a938-f3ec79485377": map[uint32]string{ + 2: "SAM Allowed Logon", + 3: "SAM Dont Enumerate For Logon", + }, + "7bd5533e-af15-44db-b8c8-bd6624e1d032": map[uint32]string{ + 2: "Sync Handler CollectionId", + 3: "Sync Handler Id", + 4: "Sync Event Description", + 5: "Sync Progress", 
+ 6: "Sync Item Id", + 7: "Sync Date Synchronized", + 8: "Sync Handler Type", + 9: "Sync Handler Type Label", + 10: "Sync Status", + 11: "Sync Conflict Count", + 12: "Sync Error Count", + 13: "Sync Comments", + 14: "Sync Enabled", + 15: "Sync Hidden", + 16: "Sync Connected", + 17: "Sync Link", + 19: "Sync Context", + 20: "Sync Event Level", + 21: "Sync Event Flags", + 22: "Sync Sync Results", + 23: "Sync Progress Percentage", + 24: "Sync State", + 25: "Sync Item State", + 26: "Sync Item Status Text", + 27: "Sync Item Status Description", + 28: "Sync Item Status Action", + 29: "Sync Global Activity Message", + 30: "Sync Last Synced Message", + }, + "7d122d5a-ae5e-4335-8841-d71e7ce72f53": map[uint32]string{ + 100: "GPS Speed Denominator", + }, + "7d683fc9-d155-45a8-bb1f-89d19bcb792f": map[uint32]string{ + 100: "Identity Display Name", + }, + "7ddaaad1-ccc8-41ae-b750-b2cb8031aea2": map[uint32]string{ + 100: "GPS Latitude Numerator", + }, + "7fd7259d-16b4-4135-9f97-7c96ecd2fa9e": map[uint32]string{ + 100: "PropGroup Message", + }, + "7fe3aa27-2648-42f3-89b0-454e5cb150c3": map[uint32]string{ + 100: "Photo Program Mode Text", + }, + "807b653a-9e91-43ef-8f97-11ce04ee20c5": map[uint32]string{ + 100: "Communication Suffix", + }, + "80d81ea6-7473-4b0c-8216-efc11a2c4c8b": map[uint32]string{ + 2: "Devices Model Id", + }, + "80f41eb8-afc4-4208-aa5f-cce21a627281": map[uint32]string{ + 100: "Contact Connected Service Identities", + }, + "813f4124-34e6-4d17-ab3e-6b1f3c2247a1": map[uint32]string{ + 100: "Photo Maker Note Offset", + }, + "821437d6-9eab-4765-a589-3b1cbbd22a61": map[uint32]string{ + 100: "Photo Photometric Interpretation Text", + }, + "827edb4f-5b73-44a7-891d-fdffabea35ca": map[uint32]string{ + 100: "GPS Altitude", + }, + "83914d1a-c270-48bf-b00d-1c4e451b0150": map[uint32]string{ + 100: "Default Group Order", + }, + "83a6347e-6fe4-4f40-ba9c-c4865240d1f4": map[uint32]string{ + 100: "Communication Followup Icon Index", + }, + "83da6326-97a6-4088-9453-a1923f573b29": 
map[uint32]string{ + 9: "Devices Is Software Installing", + }, + "847c66de-b8d6-4af9-abc3-6f4f926bc039": map[uint32]string{ + 14: "Device Interface Printer Driver Directory", + }, + "84d8f337-981d-44b3-9615-c7596dba17e3": map[uint32]string{ + 100: "Contact Email Addresses", + }, + "8589e481-6040-473d-b171-7fa89c2708ed": map[uint32]string{ + 100: "Contact Company Main Telephone", + }, + "8619a4b6-9f4d-4429-8c0f-b996ca59e335": map[uint32]string{ + 100: "Communication Security Flags", + }, + "86407db8-9df7-48cd-b986-f999adc19731": map[uint32]string{ + 2: "Share Target Description", + }, + "8727cfff-4868-4ec6-ad5b-81b98521d1ab": map[uint32]string{ + 100: "GPS Latitude", + }, + "880f70a2-6082-47ac-8aab-a739d1a300c3": map[uint32]string{ + 151: "Devices Shared Tooltip", + 152: "Devices Networked Tooltip", + 153: "Devices Default Tooltip", + }, + "8859a284-de7e-4642-99ba-d431d044b1ec": map[uint32]string{ + 100: "PropGroup Media Advanced", + }, + "8943b373-388c-4395-b557-bc6dbaffafdb": map[uint32]string{ + 2: "Devices Audio Device Raw Processing Supported", + 3: "Devices Audio Device Microphone Sensitivity In Dbfs", + 4: "Devices Audio Device Microphone Signal To Noise Ratio In Db", + }, + "8969b275-9475-4e00-a887-ff93b8b41e44": map[uint32]string{ + 100: "PropGroup Description", + }, + "897b3694-fe9e-43e6-8066-260f590c0100": map[uint32]string{ + 2: "Contact JA Company Name Phonetic", + 3: "Contact JA First Name Phonetic", + 4: "Contact JA Last Name Phonetic", + }, + "8a2f99f9-3c37-465d-a8d7-69777a246d0c": map[uint32]string{ + 2: "Link Feed Item Local Id", + 5: "Link Target Url Host Name", + 6: "Link Target Url Path", + }, + "8af4961c-f526-43e5-aa81-db768219178d": map[uint32]string{ + 100: "Photo SubjectDistanceNumerator", + }, + "8afcc170-8a46-4b53-9eee-90bae7151e62": map[uint32]string{ + 100: "Contact Home Address Postal Code", + }, + "8b26ea41-058f-43f6-aecc-4035681ce977": map[uint32]string{ + 100: "Contact Other Address Post Office Box", + }, + 
"8bf6b9f6-b4f5-482f-a2c2-44bdad2fcfa9": map[uint32]string{ + 51: "SAM Account Is Disabled For Logon UI", + }, + "8c3b93a4-baed-1a83-9a32-102ee313f6eb": map[uint32]string{ + 100: "Identity Blob", + }, + "8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c": map[uint32]string{ + 2: "Devices Container Id", + 4: "Devices In Local Machine Container", + }, + "8d72aca1-0716-419a-9ac1-acb07b18dc32": map[uint32]string{ + 2: "File Attributes Display", + }, + "8e531030-b960-4346-ae0d-66bc9a86fb94": map[uint32]string{ + 100: "Communication Direction", + }, + "8e8ecf7c-b7b8-4eb8-a63f-0ee715c96f9e": map[uint32]string{ + 100: "Photo Gain Control Numerator", + }, + "8f167568-0aae-4322-8ed9-6055b7b0e398": map[uint32]string{ + 100: "Contact Other Address Country", + }, + "8f367200-c270-457c-b1d4-e07c5bcd90c7": map[uint32]string{ + 100: "Contact Last Name", + }, + "8fdc6dea-b929-412b-ba90-397a257465fe": map[uint32]string{ + 100: "Contact Car Telephone", + }, + "900a403b-097b-4b95-8ae2-071fdaeeb118": map[uint32]string{ + 100: "PropGroup Advanced", + }, + "90197ca7-fd8f-4e8c-9da3-b57e1e609295": map[uint32]string{ + 100: "Rating Text", + }, + "908696c7-8f87-44f2-80ed-a8c1c6894575": map[uint32]string{ + 2: "Library Locations Count", + 4: "Library Locations List", + }, + "9098f33c-9a7d-48a8-8de5-2e1227a64e91": map[uint32]string{ + 100: "Message Proof In Progress", + }, + "90e5e14e-648b-4826-b2aa-acaf790e3513": map[uint32]string{ + 10: "Is Encrypted", + }, + "916d17ac-8a97-48af-85b7-867a88fad542": map[uint32]string{ + 2: "Connected Search Auto Complete", + }, + "91eff6f3-2e27-42ca-933e-7c999fbe310b": map[uint32]string{ + 100: "Contact Business Fax Number", + }, + "93112f89-c28b-492f-8a9d-4be2062cee8a": map[uint32]string{ + 100: "Photo Exposure Index Denominator", + }, + "95beb1fc-326d-4644-b396-cd3ed90e6ddf": map[uint32]string{ + 100: "Journal Entry Type", + }, + "95c656c1-2abf-4148-9ed3-9ec602e3b7cd": map[uint32]string{ + 100: "Contact Other Address Postal Code", + }, + 
"95e127b5-79cc-4e83-9c9e-8422187b3e0e": map[uint32]string{ + 2: "Device Interface Win Usb Usb Vendor Id", + 3: "Device Interface Win Usb Usb Product Id", + 4: "Device Interface Win Usb Usb Class", + 5: "Device Interface Win Usb Usb Sub Class", + 6: "Device Interface Win Usb Usb Protocol", + 7: "Device Interface Win Usb Device Interface Classes", + }, + "9660c283-fc3a-4a08-a096-eed3aac46da2": map[uint32]string{ + 100: "Contact Data Suppliers", + }, + "967b5af8-995a-46ed-9e11-35b3c5b9782d": map[uint32]string{ + 100: "Photo Exposure Index", + }, + "972e333e-ac7e-49f1-8adf-a70d07a9bcab": map[uint32]string{ + 100: "GPS Area Information", + }, + "9744311e-7951-4b2e-b6f0-ecb293cac119": map[uint32]string{ + 1: "Devices Aep Bluetooth Issue Inquiry", + 2: "Devices Aep Bluetooth Le Active Scanning", + 3: "Devices Aep Bluetooth Le Scan Interval", + 4: "Devices Aep Bluetooth Le Scan Window", + 5: "Devices AepService Bluetooth Cache Mode", + 6: "Devices AepService Bluetooth Target Device", + }, + "97b0ad89-df49-49cc-834e-660974fd755b": map[uint32]string{ + 100: "Contact Label", + }, + "98f920d1-51e2-4722-9069-3c4b5cff5165": map[uint32]string{ + 100: "Is Barricade Page", + }, + "98f98354-617a-46b8-8560-5b1b64bf1f89": map[uint32]string{ + 100: "Contact Home Address", + }, + "995ef0b0-7eb3-4a8b-b9ce-068bb3f4af69": map[uint32]string{ + 1: "Devices Aep Bluetooth Le Appearance", + 2: "Devices Aep Bluetooth Le Advertisement", + 3: "Devices Aep Bluetooth Le Scan Response", + 4: "Devices Aep Bluetooth Le Address Type", + 5: "Devices Aep Bluetooth Le Appearance Category", + 6: "Devices Aep Bluetooth Le Appearance Subcategory", + 8: "Devices Aep Bluetooth Le Is Connectable", + }, + "9973d2b5-bfd8-438a-ba94-5349b293181a": map[uint32]string{ + 100: "PropGroup Calendar", + }, + "9a8ebb75-6458-4e82-bacb-35c0095b03bb": map[uint32]string{ + 100: "Photo Transcoded For Sync", + }, + "9a93244d-a7ad-4ff8-9b99-45ee4cc09af6": map[uint32]string{ + 100: "Contact Assistant Telephone", + }, + 
"9a9bc088-4f6d-469e-9919-e705412040f9": map[uint32]string{ + 100: "Message Is Fwd Or Reply", + }, + "9ab84393-2a0f-4b75-bb22-7279786977cb": map[uint32]string{ + 100: "GPS Dest Bearing Ref", + }, + "9ad5badb-cea7-4470-a03d-b84e51b9949e": map[uint32]string{ + 100: "Contact Anniversary", + }, + "9aebae7a-9644-487d-a92c-657585ed751a": map[uint32]string{ + 100: "Media Subscription Content Id", + }, + "9b174b33-40ff-11d2-a27e-00c04fc30871": map[uint32]string{ + 2: "Recycle Deleted From", + 3: "Recycle Date Deleted", + }, + "9b174b34-40ff-11d2-a27e-00c04fc30871": map[uint32]string{ + 4: "File Owner", + 8: "New Menu Preferred Types", + 10: "New Menu Allowed Types", + }, + "9b174b35-40ff-11d2-a27e-00c04fc30871": map[uint32]string{ + 2: "Free Space", + 3: "Capacity", + 4: "Volume File System", + 5: "Percent Full", + 7: "Computer Decorated FreeSpace", + 10: "Volume Is Root", + }, + "9b34bbb9-949c-488d-9a6d-eeb47c847a2f": map[uint32]string{ + 2: "Wireless Profile Name", + 4: "Wireless Security", + 5: "Wireless Radio Type", + 9: "Wireless Connection Mode", + }, + "9bc2c99b-ac71-4127-9d1c-2596d0d7dcb7": map[uint32]string{ + 100: "GPS Dest Distance Denominator", + }, + "9c1fcf74-2d97-41ba-b4ae-cb2e3661a6e4": map[uint32]string{ + 5: "Priority", + 7: "Communication Newsgroup Name", + 8: "Message Has Attachments", + 10: "SAM Account Name", + 13: "Message Type", + 17: "Message Received", + }, + "9cb0c358-9d7a-46b1-b466-dcc6f1a3d93d": map[uint32]string{ + 100: "Contact Display Mobile Phone Numbers", + }, + "9d1d7cc5-5c39-451c-86b3-928e2d18cc47": map[uint32]string{ + 100: "GPS Dest Latitude", + }, + "9d2408b6-3167-422b-82b0-f583b7a7cfe3": map[uint32]string{ + 100: "Contact Spouse Name", + }, + "9e7d118f-b314-45a0-8cfb-d654b917c9e9": map[uint32]string{ + 100: "Photo Brightness Numerator", + }, + "a00742a1-cd8c-4b37-95ab-70755587767a": map[uint32]string{ + 3: "Device Interface Printer Enumeration Flag", + }, + "a015ed5d-aaea-4d58-8a86-3c586920ea0b": map[uint32]string{ + 100: "GPS Measure 
Mode", + }, + "a06992b3-8caf-4ed7-a547-b259e32ac9fc": map[uint32]string{ + 100: "Search Store", + }, + "a09f084e-ad41-489f-8076-aa5be3082bca": map[uint32]string{ + 100: "Simple Rating", + }, + "a0be94c5-50ba-487b-bd35-0654be8881ed": map[uint32]string{ + 100: "GPS DOP Denominator", + }, + "a0e00ee1-f0c7-4d41-b8e7-26a7bd8d38b0": map[uint32]string{ + 2: "Devices Notifications Storage Full", + 3: "Devices Notifications Storage Full Link Text", + }, + "a0e74609-b84d-4f49-b860-462bd9971f98": map[uint32]string{ + 100: "Photo Focal Length In Film", + }, + "a11c005a-ff95-4785-8617-beaf92399c3c": map[uint32]string{ + 100: "HasLeafContainers", + }, + "a1829ea2-27eb-459e-935d-b2fad7b07762": map[uint32]string{ + 2: "Devices Microphone Array Geometry", + }, + "a19fb7a9-024b-4371-a8bf-4d29c3e4e9c9": map[uint32]string{ + 100: "Contact Connected Service Supported Actions", + }, + "a26f4afc-7346-4299-be47-eb1ae613139f": map[uint32]string{ + 16: "Identity Key Provider Name", + 17: "Identity Key Provider Context", + 100: "Identity", + }, + "a2e541c5-4440-4ba8-867e-75cfc06828cd": map[uint32]string{ + 100: "Photo Focal Plane Y Resolution Numerator", + }, + "a3250282-fb6d-48d5-9a89-dbcace75cccf": map[uint32]string{ + 100: "GPS Dest Longitude Numerator", + }, + "a35996ab-11cf-4935-8b61-a6761081ecdf": map[uint32]string{ + 3: "Devices Aep Model Name", + 4: "Devices Aep Model Id", + 5: "Devices Aep Manufacturer", + 6: "Devices Aep Signal Strength", + 7: "Devices Aep Is Connected", + 9: "Devices Aep Is Present", + 12: "Devices Aep Device Address", + 16: "Devices Aep Is Paired", + 17: "Devices Aep Category", + }, + "a399aac7-c265-474e-b073-ffce57721716": map[uint32]string{ + 2: "Devices AepService Bluetooth Service Guid", + }, + "a3b29791-7713-4e1d-bb40-17db85f01831": map[uint32]string{ + 100: "Importance Text", + }, + "a40294ef-d2b1-40ed-9512-dd3853b431f5": map[uint32]string{ + 2: "Connected Search Defer Image Prefetch", + }, + "a4108708-09df-4377-9dfc-6d99986d5a67": map[uint32]string{ + 100: 
"Identity Is Me Identity", + }, + "a45c254e-df1c-4efd-8020-67d146a850e0": map[uint32]string{ + 3: "Devices Hardware Ids", + 4: "Devices Compatible Ids", + 10: "Devices Class Guid", + 13: "Devices Device Manufacturer", + 17: "Devices Device Capabilities", + 29: "Devices Device Characteristics", + 37: "Devices Location Paths", + }, + "a4790b72-7113-4348-97ea-292bbc1f6770": map[uint32]string{ + 5: "Visio Masters Keywords", + 6: "Visio Masters Details", + }, + "a4aaa5b7-1ad0-445f-811a-0f8f6e67f6b5": map[uint32]string{ + 100: "GPS Img Direction Ref", + }, + "a5477f61-7a82-4eca-9dde-98b69b2479b3": map[uint32]string{ + 100: "Recorded TV Recording Time", + }, + "a63b464f-2ace-4d83-87ae-abaf011cc6ac": map[uint32]string{ + 1720: "Volume BitLocker Can Change Passphrase By Proxy", + }, + "a6744477-c237-475b-a075-54f34498292a": map[uint32]string{ + 100: "Communication Task Status Text", + }, + "a6f360d2-55f9-48de-b909-620e090a647c": map[uint32]string{ + 100: "Is Flagged Complete", + }, + "a7b6f596-d678-4bc1-b05f-0203d27e8aa1": map[uint32]string{ + 101: "Contact Home Address1 Street", + 102: "Contact Home Address1 Locality", + 103: "Contact Home Address1 Region", + 104: "Contact Home Address1 Country", + 105: "Contact Home Address1 Postal Code", + 106: "Contact Home Address2 Street", + 107: "Contact Home Address2 Locality", + 108: "Contact Home Address2 Region", + 109: "Contact Home Address2 Country", + 110: "Contact Home Address2 Postal Code", + 111: "Contact Home Address3 Street", + 112: "Contact Home Address3 Locality", + 113: "Contact Home Address3 Region", + 114: "Contact Home Address3 Country", + 115: "Contact Home Address3 Postal Code", + 116: "Contact Business Address1 Street", + 117: "Contact Business Address1 Locality", + 118: "Contact Business Address1 Region", + 119: "Contact Business Address1 Country", + 120: "Contact Business Address1 Postal Code", + 121: "Contact Business Address2 Street", + 122: "Contact Business Address2 Locality", + 123: "Contact Business 
Address2 Region", + 124: "Contact Business Address2 Country", + 125: "Contact Business Address2 Postal Code", + 126: "Contact Business Address3 Street", + 127: "Contact Business Address3 Locality", + 128: "Contact Business Address3 Region", + 129: "Contact Business Address3 Country", + 130: "Contact Business Address3 Postal Code", + 131: "Contact Other Address1 Street", + 132: "Contact Other Address1 Locality", + 133: "Contact Other Address1 Region", + 134: "Contact Other Address1 Country", + 135: "Contact Other Address1 Postal Code", + 136: "Contact Other Address2 Street", + 137: "Contact Other Address2 Locality", + 138: "Contact Other Address2 Region", + 139: "Contact Other Address2 Country", + 140: "Contact Other Address2 Postal Code", + 141: "Contact Other Address3 Street", + 142: "Contact Other Address3 Locality", + 143: "Contact Other Address3 Region", + 144: "Contact Other Address3 Country", + 145: "Contact Other Address3 Postal Code", + }, + "a7fe0840-1344-46f0-8d37-52ed712a4bf9": map[uint32]string{ + 100: "Parental Ratings Organization", + }, + "a82d9ee7-ca67-4312-965e-226bcea85023": map[uint32]string{ + 100: "Message Flags", + }, + "a8a74b92-361b-4e9a-b722-7c4a7330a312": map[uint32]string{ + 100: "Identity Provider Data", + }, + "a8a7a412-1927-4a34-b1d4-45f67cc672fb": map[uint32]string{ + 2: "Connected Search Referrer Id", + }, + "a93eae04-6804-4f24-ac81-09b266452118": map[uint32]string{ + 100: "GPS Dest Distance", + }, + "a94688b6-7d9f-4570-a648-e3dfc0ab2b3f": map[uint32]string{ + 100: "Offline Availability", + }, + "a9ea193c-c511-498a-a06b-58e2776dcc28": map[uint32]string{ + 100: "Photo Orientation Text", + }, + "aaa660f9-9865-458e-b484-01bc7fe3973e": map[uint32]string{ + 100: "Calendar Organizer Name", + }, + "aabaf6c9-e0c5-4719-8585-57b103e584fe": map[uint32]string{ + 100: "Photo Flash Manufacturer", + }, + "aaf16bac-2b55-45e6-9f6d-415eb94910df": map[uint32]string{ + 100: "Contact TTY TDD Telephone", + }, + "aaf4ee25-bd3b-4dd7-bfc4-47f77bb00f6d": 
map[uint32]string{ + 100: "GPS Differential", + }, + "ab205e50-04b7-461c-a18c-2f233836e627": map[uint32]string{ + 100: "Photo Exposure Bias Denominator", + }, + "acc9ce3d-c213-4942-8b48-6d0820f21c6d": map[uint32]string{ + 100: "GPS Speed Numerator", + }, + "ad763ac7-f1ed-4039-9fb4-b7b84ef33cef": map[uint32]string{ + 2: "Search Provider Attributes", + }, + "aeac19e4-89ae-4508-b9b7-bb867abee2ed": map[uint32]string{ + 2: "DRM Is Protected", + 3: "DRM Description", + 4: "DRM Play Count", + 5: "DRM Date Play Starts", + 6: "DRM Date Play Expires", + 7: "DRM Is Disabled", + }, + "afc47170-14f5-498c-8f30-b0d19be449c6": map[uint32]string{ + 11: "DeviceInterface Printer Driver Name", + }, + "afd97640-86a3-4210-b67c-289c41aabe55": map[uint32]string{ + 2: "Devices Safe Removal Required", + }, + "b0b87314-fcf6-4feb-8dff-a50da6af561c": map[uint32]string{ + 100: "Contact Business Address Country", + }, + "b180ad60-ed3f-4d16-bd43-f5b4fcf325a9": map[uint32]string{ + 2: "Sync Conflict ItemS hort Location", + 3: "Sync Conflict Item Full Location", + }, + "b2f9b9d6-fec4-4dd5-94d7-8957488c807b": map[uint32]string{ + 2: "File Placeholder Status", + 3: "Storage Provider File Identifier", + 4: "Storage Provider File Version", + 5: "Storage Provider File Checksum", + 6: "Storage Provider File Version Waterline", + 7: "Storage Provider Caller Version Information", + }, + "b33af30b-f552-4584-936c-cb93e5cda29f": map[uint32]string{ + 100: "Calendar Required Attendee Names", + }, + "b5c84c9e-5927-46b5-a3cc-933c21b78469": map[uint32]string{ + 100: "Contact Connected Service Name", + }, + "b769d0fe-bc33-421a-8ce6-45add82ec756": map[uint32]string{ + 2: "Connected Search Suppress Local Hero", + }, + "b771b352-8692-42e6-ac33-cc7b062ad950": map[uint32]string{ + 100: "Game Win SPR Recommended", + }, + "b7b4d61c-5a64-4187-a52e-b1539f359099": map[uint32]string{ + 2: "Devices Win Phone8 Camera Flags", + }, + "b812f15d-c2d8-4bbf-bacd-79744346113f": map[uint32]string{ + 100: "Photo Tag View Aggregate", + 
}, + "b96eff7b-35ca-4a35-8607-29e3a54c46ea": map[uint32]string{ + 100: "Identity Provider Name", + }, + "b9b4b3fc-2b51-4a42-b5d8-324146afcf25": map[uint32]string{ + 2: "Link Target Parsing Path", + 3: "Link Status", + 5: "Link Comment", + 6: "Item After", + 8: "Link Target SFGAO Flags", + }, + "ba3b1da9-86ee-4b5d-a2a4-a271a429f0cf": map[uint32]string{ + 100: "GPS Dest Bearing Numerator", + }, + "bb44403b-1399-4650-95eb-03c53a57c2cf": map[uint32]string{ + 60: "Game Int Update Status", + }, + "bc4e71ce-17f9-48d5-bee9-021df0ea5409": map[uint32]string{ + 100: "Contact Business Address Post Office Box", + }, + "bccc8a3c-8cef-42e5-9b1c-c69079398bc7": map[uint32]string{ + 100: "Message To Do Title", + }, + "bceee283-35df-4d53-826a-f36a3eefc6be": map[uint32]string{ + 100: "Search Container Hash", + }, + "be1a72c6-9a1d-46b7-afe7-afaf8cef4999": map[uint32]string{ + 100: "Communication Task Status", + }, + "be6e176c-4534-4d2c-ace5-31dedac1606b": map[uint32]string{ + 100: "GPS Longitude Denominator", + }, + "bebe0920-7671-4c54-a3eb-49fddfc191ee": map[uint32]string{ + 100: "PropGroup Video", + }, + "bf53d1c3-49e0-4f7f-8567-5a821d8ac542": map[uint32]string{ + 100: "Contact Callback Telephone", + }, + "bf79c0ab-bb74-4cee-b070-470b5ae202ea": map[uint32]string{ + 2: "Devices Dnssd Service Name", + 3: "Devices Dnssd Domain", + 4: "Devices Dnssd Instance Name", + 5: "Devices Dnssd Full Name", + 6: "Devices Dnssd Text Attributes", + 7: "Devices Dnssd Host Name", + 8: "Devices Dnssd Weight", + 9: "Devices Dnssd Priority", + 10: "Devices Dnssd Ttl", + 11: "Devices Dnssd Network Adapte rId", + 12: "Devices Dnssd Port Number", + }, + "bfee9149-e3e2-49a7-a862-c05988145cec": map[uint32]string{ + 100: "Calendar Is Online", + }, + "c06238b2-0bf9-4279-a723-25856715cb9d": map[uint32]string{ + 100: "Photo Gain Control Text", + }, + "c0ac206a-827e-4650-95ae-77e2bb74fcc9": map[uint32]string{ + 100: "Contact Mailing Address", + }, + "c107e191-a459-44c5-9ae6-b952ad4b906d": map[uint32]string{ + 100: 
"Photo Max Aperture Numerator", + }, + "c2ea046e-033c-4e91-bd5b-d4942f6bbe49": map[uint32]string{ + 2: "Creator App Id", + 3: "Creator Open With UI Options", + }, + "c4322503-78ca-49c6-9acc-a68e2afd7b6b": map[uint32]string{ + 100: "Identity User Name", + }, + "c449d5cb-9ea4-4809-82e8-af9d59ded6d1": map[uint32]string{ + 100: "Music Is Compilation", + }, + "c4c07f2b-8524-4e66-ae3a-a6235f103beb": map[uint32]string{ + 2: "Devices Notifications Low Battery", + }, + "c4c4dbb2-b593-466b-bbda-d03d27d5e43a": map[uint32]string{ + 100: "GPS Longitude", + }, + "c5043536-932e-219e-5fb9-1c2807d7b03e": map[uint32]string{ + 600: "Activity App Display Name", + 601: "Activity App Image Uri", + 602: "Activity Background Color", + 603: "Activity Content Image Uri", + 604: "Activity Content Uri", + 605: "Activity Description", + 606: "Activity Display Text", + 607: "Activity Tilexml", + 608: "Activity History Active Days", + 609: "Activity History Active Duration", + 610: "Activity History Active Hours", + 611: "Activity History App Activity Id", + 612: "Activity History App Id", + 613: "Activity History Device Display Name", + 614: "Activity History Device Id", + 615: "Activity History Display Text", + 616: "Activity History End Time", + 617: "Activity History Id", + 618: "Activity History Start Time", + 619: "Activity History Type", + 620: "Activity Activity Id", + }, + "c53e42a9-db3c-4bc7-b0f3-83a524adf0ec": map[uint32]string{ + 1719: "Volume BitLocker Can Change Pin", + }, + "c554493c-c1f7-40c1-a76c-ef8c0614003e": map[uint32]string{ + 100: "Contact Telex Number", + }, + "c64a866e-41ae-4c8c-b3d5-dd6dbf70c9c1": map[uint32]string{ + 100: "Is Group", + }, + "c66d4b3c-e888-47cc-b99f-9dca3ee34dea": map[uint32]string{ + 100: "GPS Dest Bearing", + }, + "c6f039e7-f6a4-4185-ae48-07938262c274": map[uint32]string{ + 100: "Hide In Grep Search", + }, + "c75faa05-96fd-49e7-9cb4-9f601082d553": map[uint32]string{ + 100: "End Date", + }, + "c77724d4-601f-46c5-9b89-c53f93bceb77": map[uint32]string{ + 
100: "Photo Max Aperture Denominator", + }, + "c89a23d0-7d6d-4eb8-87d4-776a82d493e5": map[uint32]string{ + 100: "Contact Home Address State", + }, + "c8d1920c-01f6-40c0-ac86-2f3a4ad00770": map[uint32]string{ + 100: "GPS Track Denominator", + }, + "c8ea94f0-a9e3-4969-a94b-9c62a95324e0": map[uint32]string{ + 100: "Contact Primary Address City", + }, + "c9944a21-a406-48fe-8225-aec7e24c211b": map[uint32]string{ + 2: "PropList Full Details", + 3: "PropList Tile Info", + 4: "PropList Info Tip", + 5: "PropList Quick Tip", + 6: "PropList Preview Title", + 8: "PropList Preview Details", + 9: "PropList Extended Tile Info", + 10: "PropList File Operation Prompt", + 11: "PropList Conflict Prompt", + 12: "PropList Set Defaults For", + 13: "PropList Content View Mode For Browse", + 14: "PropList Content View Mode For Search", + 16: "PropList Status Icons", + 17: "Info Tip Text", + 18: "PropList Status Icons Display Flag", + 500: "Layout Pattern Content View Mode For Browse", + 501: "Layout Pattern Content View Mode For Search", + 502: "Layout Pattern Place Holder", + 503: "Layout Pattern Tiles View Mode", + 504: "Layout Pattern Group", + 510: "PropList Details Pane Null Select", + 511: "PropList Details Pane Null Select Title", + }, + "c9b88dba-04db-4887-a200-cf0d3afe1146": map[uint32]string{ + 99: "Game Update Status", + }, + "c9c141a9-1b4c-4f17-a9d1-f298538cadb8": map[uint32]string{ + 2: "Devices Aep Service Service Id", + 5: "Devices Aep Service Protocol Id", + 6: "Devices Aep Service Aep Id", + 7: "Devices Aep Service Parent Aep Is Paired", + }, + "c9c34f84-2241-4401-b607-bd20ed75ae7f": map[uint32]string{ + 100: "Communication Header Item", + }, + "cbf38310-4a17-4310-a1eb-247f0b67593b": map[uint32]string{ + 2: "Device Interface Hid Usage Page", + 3: "Device Interface Hid Usage Id", + 4: "Device Interface Hid Is Read Only", + 5: "Device Interface Hid Vendor Id", + 6: "Device Interface Hid Product Id", + 7: "Device Interface Hid Version Number", + }, + 
"cc158e89-6581-4311-9637-a8da9002f118": map[uint32]string{ + 2: "Connected Search Require Install", + }, + "cc301630-b192-4c22-b372-9f4c6d338e07": map[uint32]string{ + 100: "PropGroup General", + }, + "cc6f4f24-6083-4bd4-8754-674d0de87ab8": map[uint32]string{ + 100: "Contact Email Name", + }, + "cd102c9c-5540-4a88-a6f6-64e4981c8cd1": map[uint32]string{ + 100: "Contact Assistant Name", + }, + "cd9ed458-08ce-418f-a70e-f912c7bb9c5c": map[uint32]string{ + 103: "Message Message Class", + }, + "cdbfc167-337e-41d8-af7c-8c09205429c7": map[uint32]string{ + 100: "Application Defined Properties", + }, + "cdedcf30-8919-44df-8f4c-4eb2ffdb8d89": map[uint32]string{ + 100: "Photo Exposure Index Numerator", + }, + "ce50c159-2fb8-41fd-be68-d3e042e274bc": map[uint32]string{ + 2: "Sync Handler Name", + 3: "Sync Item Name", + 4: "Sync Conflict Description", + 6: "Sync Conflict First Location", + 7: "Sync Conflict Second Location", + 10: "Sync Conflict Unresolvable", + }, + "cea820b9-ce61-4885-a128-005d9087c192": map[uint32]string{ + 100: "GPS Dest Latitude Ref", + }, + "cebf9b37-26ae-466b-9fe9-c7550c4b0ce8": map[uint32]string{ + 100: "Transfer Path", + }, + "cf5751fd-f4b3-443d-b31c-9a34740759ec": map[uint32]string{ + 100: "Search Scope", + }, + "cfa31b45-525d-4998-bb44-3f7d81542fa4": map[uint32]string{ + 100: "Media Dlna Profile Id", + }, + "cfc08d97-c6f7-4484-89dd-ebef4356fe76": map[uint32]string{ + 100: "Photo Focal Plane X Resolution", + }, + "d042d2a1-927e-40b5-a503-6edbd42a517e": map[uint32]string{ + 100: "Contact Phone Numbers Canonical", + }, + "d08dd4c0-3a9e-462e-8290-7b636b2576b9": map[uint32]string{ + 2: "Devices Interface Paths", + 3: "Devices Function Paths", + 10: "Devices Primary Category", + 257: "Devices Status 1", + 258: "Devices Status 2", + 259: "Devices Status", + }, + "d0a04f0a-462a-48a4-bb2f-3706e88dbd7d": map[uint32]string{ + 100: "Item Authors", + }, + "d0c7f054-3f72-4725-8527-129a577cb269": map[uint32]string{ + 100: "Sensitivity Text", + }, + 
"d0dab0ba-368a-4050-a882-6c010fd19a4f": map[uint32]string{ + 100: "PropGroup Content", + }, + "d21a7148-d32c-4624-8900-277210f79c0f": map[uint32]string{ + 100: "Image Compressed Bits Per Pixel Numerator", + }, + "d35f743a-eb2e-47f2-a286-844132cb1427": map[uint32]string{ + 100: "Photo EXIF Version", + }, + "d37d52c6-261c-4303-82b3-08b926ac6f12": map[uint32]string{ + 100: "Task Billing Information", + }, + "d4729704-8ef1-43ef-9024-2bd381187fd5": map[uint32]string{ + 100: "Contact Children", + }, + "d4bf61b3-442e-4ada-882d-fa7b70c832d9": map[uint32]string{ + 6: "Devices Aep Point Of Service Connection Types", + }, + "d4d0aa16-9948-41a4-aa85-d97ff9646993": map[uint32]string{ + 100: "Item Participants", + }, + "d55bae5a-3892-417a-a649-c6ac5aaaeab3": map[uint32]string{ + 100: "Calendar Optional Attendee Addresses", + }, + "d5cdd502-2e9c-101b-9397-08002b2cf9ae": map[uint32]string{ + 1: "Codepage", + 2: "Category", + 3: "Document Presentation Format", + 4: "Document ByteC ount", + 5: "Document Line Count", + 6: "Document Paragraph Count", + 7: "Document Slide Count", + 8: "Document Note Count", + 9: "Document Hidden Slide Count", + 10: "Document Multimedia Clip Count", + 11: "Scale", + 12: "Headingpair", + 13: "Document Parts", + 14: "Document Manager", + 15: "Company", + 16: "Document Links Dirty", + 26: "Content Type", + 27: "Content Status", + 28: "Language", + 29: "Document Version", + }, + "d6304e01-f8f5-4f45-8b15-d024a6296789": map[uint32]string{ + 100: "Contact Pager Telephone", + }, + "d68dbd8a-3374-4b81-9972-3ec30682db3d": map[uint32]string{ + 100: "Contact IM Address", + }, + "d6942081-d53b-443d-ad47-5e059d9cd27a": map[uint32]string{ + 2: "Shell SFGAOFlagsStrings", + 3: "Link TargetSFGAOFlagsStrings", + }, + "d6b5b883-18bd-4b4d-b2ec-9e38affeda82": map[uint32]string{ + 2: "Devices SmartCards ReaderKind", + }, + "d6cf9145-d365-471b-bcb8-f0b4a96b891c": map[uint32]string{ + 100: "Fonts ActiveStatus", + }, + "d7313ff1-a77a-401c-8c99-3dbdd68add36": map[uint32]string{ + 
100: "Item Name Prefix", + }, + "d76e7ba8-dfa6-48e7-9670-d62dfb07206b": map[uint32]string{ + 2: "Connected Search Contract Id", + 3: "Connected Search App Min Version", + 4: "Connected Search App Installed State", + }, + "d7750ee0-c6a4-48ec-b53e-b87b52e6d073": map[uint32]string{ + 100: "Image Parsing Name", + }, + "d7b61c70-6323-49cd-a5fc-c84277162c97": map[uint32]string{ + 100: "Photo Flash Energy Denominator", + }, + "d98be98b-b86b-4095-bf52-9d23b2e0a752": map[uint32]string{ + 100: "Priority Text", + }, + "d9c22960-532c-4bc6-9876-7b12b52593d7": map[uint32]string{ + 2: "Protocol Name", + }, + "da520e51-f4e9-4739-ac82-02e0a95c9030": map[uint32]string{ + 100: "Identity Qualified User Name", + }, + "da5d0862-6e76-4e1b-babd-70021bd25494": map[uint32]string{ + 100: "GPS Speed", + }, + "dc54fd2e-189d-4871-aa01-08c2f57a4abc": map[uint32]string{ + 100: "Flag Status Text", + }, + "dc5877c7-225f-45f7-bac7-e81334b6130a": map[uint32]string{ + 100: "GPS Img Direction Numerator", + }, + "dc8f80bd-af1e-4289-85b6-3dfc1b493992": map[uint32]string{ + 100: "Message Conversation Id", + 101: "Message Conversation Index", + }, + "dccb10af-b4e2-4b88-95f9-031b4d5ab490": map[uint32]string{ + 100: "Photo Focal Plane X Resolution Numerator", + }, + "dce33a78-aa18-4b3d-b1df-a6621ac8bdd2": map[uint32]string{ + 2: "Connected Search Bypass View Action", + }, + "dd141766-313a-4a30-90f0-056a7c968437": map[uint32]string{ + 2: "Print Status Document Count", + 3: "Print Status Error Status", + 4: "Print Status Location", + 5: "Print Status Comment", + 6: "Print Status Preferences", + 7: "Print Status Warning Status", + 8: "Print Status Info Status", + 9: "Scan Status Profile", + }, + "ddd1460f-c0bf-4553-8ce4-10433c908fb0": map[uint32]string{ + 100: "Contact Business Address Street", + }, + "de00de32-547e-4981-ad4b-542f2e9007d8": map[uint32]string{ + 100: "PropGroup Camera", + }, + "de35258c-c695-4cbc-b982-38b0ad24ced0": map[uint32]string{ + 2: "Shell Omit From View", + }, + 
"de41cc29-6971-4290-b472-f59f2e2f31e2": map[uint32]string{ + 100: "Media Date Released", + }, + "de5ef3c7-46e1-484e-9999-62c5308394c1": map[uint32]string{ + 100: "Contact Primary Address Post Office Box", + }, + "de621b8f-e125-43a3-a32d-5665446d632a": map[uint32]string{ + 25: "Security Encryption Owners Display", + }, + "de9e220b-41d4-4690-8b6b-3d89e231eef1": map[uint32]string{ + 100: "Fonts Family Name", + }, + "dea7c82c-1d89-4a66-9427-a4e3debabcb1": map[uint32]string{ + 100: "Journal Contacts", + }, + "debda43a-37b3-4383-91e7-4498da2995ab": map[uint32]string{ + 5: "WNET Local Name", + 6: "WNET Remote Name", + 7: "WNET Comment", + 8: "WNET Provider", + }, + "deeb2db5-0696-4ce0-94fe-a01f77a45fb5": map[uint32]string{ + 102: "Music Artist Sort Override", + }, + "df975fd3-250a-4004-858f-34e29a3e37aa": map[uint32]string{ + 100: "Prop Group Contact", + }, + "dfb9a04d-362f-4ca3-b30b-0254b17b5b84": map[uint32]string{ + 100: "Parsing Bind Context", + }, + "e08805c8-e395-40df-80d2-54f0d6c43154": map[uint32]string{ + 100: "Document Document ID", + }, + "e1277516-2b5f-4869-89b1-2e585bd38b7a": map[uint32]string{ + 100: "Photo Len sModel", + }, + "e13d8975-81c7-4948-ae3f-37cae11e8ff7": map[uint32]string{ + 100: "Photo Shutter Speed Denominator", + }, + "e1a9a38b-6685-46bd-875e-570dc7ad7320": map[uint32]string{ + 100: "Photo Aperture Denominator", + }, + "e1ad4953-a752-443c-93bf-80c7525566c2": map[uint32]string{ + 2: "Connected Search Type", + 3: "Connected Search Rendering Template", + 4: "Connected Search Fallback Template", + 5: "Connected Search Telemetry Id", + 6: "Connected Search Impression Id", + 7: "Connected Search Is Visibility Tracked", + 8: "Connected Search Telemetry Data", + 9: "Connected Search Application Search Scope", + 10: "Connected Search Parent Id", + 11: "Connected Search Child Count", + 12: "Connected Search Top Level Id", + 13: "Connected Search Is Visible By Default", + 14: "Connected Search Is Activatable", + 15: "Connected Search Suggestion Context", 
+ 16: "Connected Search Region Id", + 17: "Connected Search Item Source", + 18: "Connected Search Activation Command", + 19: "Connected Search Is History Item", + 20: "Connected Search Is App Available", + 21: "Connected Search History Title", + 22: "Connected Search History Description", + 23: "Connected Search History Glyph", + 27: "Connected Search Requires Consent", + 28: "Connected Search Copy Text", + 29: "Connected Search Add Open In Browser Command", + 30: "Connected Search Image Url", + 31: "Connected Search Image Prefetch Stage", + 32: "Connected Search Is Local Item", + }, + "e1d4a09e-d758-4cd1-b6ec-34a8b5a73f80": map[uint32]string{ + 100: "Contact Business Address Postal Code", + }, + "e2d40928-632c-4280-a202-e0c2ad1ea0f4": map[uint32]string{ + 2: "Connected Search Qs Code", + 3: "Connected Search Jump List", + 4: "Connected Search Voice Command Examples", + }, + "e32596b0-1163-4e02-867a-12132db4ba06": map[uint32]string{ + 2: "IE FeedItem Local Id", + }, + "e3690a87-0fa8-4a2a-9a9f-fce8827055ac": map[uint32]string{ + 100: "Prop Group Image", + }, + "e3a7d2c1-80fc-4b40-8f34-30ea111bdc2e": map[uint32]string{ + 100: "Prop Group File System", + }, + "e4f10a3c-49e6-405d-8288-a23bd4eeaa6c": map[uint32]string{ + 100: "File Extension", + }, + "e53d799d-0f3f-466e-b2ff-74634a3cb7a4": map[uint32]string{ + 100: "Contact Primary Address Country", + }, + "e5473742-4611-4aaf-9c49-a3417748cbc8": map[uint32]string{ + 100: "Invalid Path Value", + }, + "e55fc3b0-2b60-4220-918e-b21e8bf16016": map[uint32]string{ + 100: "Identity Unique Id", + }, + "e6822fee-8c17-4d62-823c-8e9cfcbd1d5c": map[uint32]string{ + 100: "Audio Is Variable Bit Rate", + }, + "e6c3d9ad-7b32-4efe-a167-0a868ffdf3af": map[uint32]string{ + 100: "Game WinSPR Minimum", + }, + "e6ddcaf7-29c5-4f0a-9a68-d19412ec7090": map[uint32]string{ + 100: "Photo Lens Manufacturer", + }, + "e77e90df-6271-4f5b-834f-2dd1f245dda4": map[uint32]string{ + 2: "Storage Provider UI Status", + 3: "Storage Provider State", + 4: 
"Storage Provider Transfer Progress", + }, + "e7b33238-6584-4170-a5c0-ac25efd9da56": map[uint32]string{ + 100: "Prop Group Recorded TV", + }, + "e7c3fb29-caa7-4f47-8c8b-be59b330d4c5": map[uint32]string{ + 2: "Devices Aep Container Id", + 3: "Devices Aep Can Pair", + }, + "e8309b6e-084c-49b4-b1fc-90a80331b638": map[uint32]string{ + 100: "Photo PeopleNames", + }, + "e88dcce0-b7b3-11d1-a9f0-00aa0060fa31": map[uint32]string{ + 2: "Zip Folder Encrypted", + 3: "Zip Folder Method", + 4: "Zip Folder Ratio", + 5: "Zip Folder CRC32", + 6: "Zip Folder Compressed Size", + }, + "e92a2496-223b-4463-a4e3-30eabba79d80": map[uint32]string{ + 100: "Photo FNumber Denominator", + }, + "e9641eff-af25-4db7-947b-4128929f8ef5": map[uint32]string{ + 2: "Connected Search Suggestion Detail Text", + }, + "e9edd392-0b4c-4cf2-82c0-b0d139666245": map[uint32]string{ + 102: "Structured Query Virtual Bcc", + 103: "Structured Query Virtual Cc", + 104: "Structured Query Virtual From", + 105: "Structured Query Virtual To", + 106: "Structured Query Virtual Organizer", + 107: "Structured Query Virtual Required Attendees", + 108: "Structured Query Virtual Optional Attendees", + 109: "Structured Query Virtual Resources", + 110: "Structured Query Virtual Date Created", + 111: "Structured Query Virtual Phone", + 112: "Structured Query Virtual Message Size", + 113: "Structured Query Virtual About", + 114: "Structured Query Virtual Is Read", + 115: "Structured Query Virtual Journal Duration", + 116: "Structured Query Virtual Is Encrypted", + 117: "Structured Query Virtual Type", + 118: "Structured Query Virtual Artist", + }, + "ea810849-87ff-4b54-abd6-5b71adf466f8": map[uint32]string{ + 1: "Dui Control Resource", + }, + "ec0b4191-ab0b-4c66-90b6-c6637cdebbab": map[uint32]string{ + 100: "Communication Policy Tag", + }, + "ecf4b6f6-d5a6-433c-bb92-4076650fc890": map[uint32]string{ + 100: "GPS Dest Latitude Numerator", + }, + "ecf7f4c9-544f-4d6d-9d98-8ad79adaf453": map[uint32]string{ + 100: "GPS Speed Ref", + }, + 
"ed4df2d3-8695-450b-856f-f5c1c53acb66": map[uint32]string{ + 100: "GPS Des tDistance Ref", + }, + "ee31306c-fb9b-4d62-8621-3575d972a9f9": map[uint32]string{ + 1718: "Volume BitLocker Requires Admin", + }, + "ee3d3d8a-5381-4cfa-b13b-aaf66b5f4ec9": map[uint32]string{ + 100: "Photo White Balance", + }, + "eec7b761-6f94-41b1-949f-c729720dd13c": map[uint32]string{ + 12: "Device Interface Printer Port Name", + }, + "ef1167eb-cbfc-4341-a568-a7c91a68982c": map[uint32]string{ + 2: "Devices WiFi Interface Guid", + }, + "ef884c5b-2bfe-41bb-aae5-76eedf4f9902": map[uint32]string{ + 100: "Is Shared", + 200: "Shared With", + 300: "Sharing Status", + 400: "Share Scope", + }, + "f04bef95-c585-4197-a2b7-df46fdc9ee6d": map[uint32]string{ + 100: "Kind Text", + }, + "f0f7984d-222e-4ad2-82ab-1dd8ea40e57e": map[uint32]string{ + 300: "Title Sort Override", + }, + "f1176dfe-7138-4640-8b4c-ae375dc70a6d": map[uint32]string{ + 100: "Contact Primary Address State", + }, + "f18dedf3-337f-42c0-9e03-cee08708a8c3": map[uint32]string{ + 100: "Identity Logon Status String", + }, + "f1a24aa7-9ca7-40f6-89ec-97def9ffe8db": map[uint32]string{ + 100: "Contact File As Name", + }, + "f1fdb4af-f78c-466c-bb05-56e92db0b8ec": map[uint32]string{ + 103: "Music Album Artist Sort Override", + }, + "f21d9941-81f0-471a-adee-4e74b49217ed": map[uint32]string{ + 100: "Provider Item Id", + }, + "f2275480-f782-4291-bd94-f13693513aec": map[uint32]string{ + 0: "Prop List XP Details Panel", + }, + "f23f425c-71a1-4fa8-922f-678ea4a60408": map[uint32]string{ + 100: "Is Attachment", + }, + "f271c659-7e5e-471f-ba25-7f77b286f836": map[uint32]string{ + 100: "Contact Business Email Addresses", + }, + "f27abe3a-7111-4dda-8cb2-29222ae23566": map[uint32]string{ + 2: "Connected Search Disambiguation Id", + }, + "f334115e-da1b-4509-9b3d-119504dc7abb": map[uint32]string{ + 100: "Document Contributor", + }, + "f3713ada-90e3-4e11-aae5-fdc17685b9be": map[uint32]string{ + 100: "Prop Group GPS", + }, + "f3aecac4-5b8d-436a-ad0c-64ab194fdaf3": 
map[uint32]string{ + 100: "Fonts Collection Name", + }, + "f3c9b698-be85-47ce-888f-83874d9abcb4": map[uint32]string{ + 2: "App Contract Pinned", + 3: "App Contract Hidden", + 4: "App Contract Pinned Order", + 5: "App Contract Relevance", + 6: "App Contract Category", + 7: "App Contract Supported File Types", + }, + "f3d8f40d-50cb-44a2-9718-40cb9119495d": map[uint32]string{ + 100: "Contact Initials", + }, + "f50d2f5d-dda0-48d4-8d2b-e83729fb69a4": map[uint32]string{ + 100: "Item Query Condition", + }, + "f6272d18-cecc-40b1-b26a-3911717aa7bd": map[uint32]string{ + 100: "Calendar Location", + }, + "f628fd8c-7ba8-465a-a65b-c5aa79263a9e": map[uint32]string{ + 100: "Photo Metering Mode Text", + }, + "f7db74b4-4287-4103-afba-f1b13dcd75cf": map[uint32]string{ + 100: "Item Date", + }, + "f8245476-2ec6-44be-b2f7-82ec2537fa2e": map[uint32]string{ + 100: "Condition", + 101: "Condition Key", + }, + "f85bf840-a925-4bc2-b0c4-8e36b598679e": map[uint32]string{ + 100: "Photo Digital Zoom", + }, + "f8d3f6ac-4874-42cb-be59-ab454b30716a": map[uint32]string{ + 100: "Sensitivity", + }, + "f8fa7fa3-d12b-4785-8a4e-691a94f7a3e7": map[uint32]string{ + 100: "Contact Email Address", + }, + "fa303353-b659-4052-85e9-bcac79549b84": map[uint32]string{ + 100: "Photo Maker Note", + }, + "fa304789-00c7-4d80-904a-1e4dcc7265aa": map[uint32]string{ + 100: "Photo Gain Control", + }, + "fb1de864-e06d-47f4-82a6-8a0aef44493c": map[uint32]string{ + 2: "Devices Audio Device Speech Processing Supported", + }, + "fb3842cd-9e2a-4f83-8fcc-4b0761139ae9": map[uint32]string{ + 2: "Device Interface Proximity Supports Nfc", + }, + "fc6976db-8349-4970-ae97-b3c5316a08f0": map[uint32]string{ + 100: "Photo Sharpness", + }, + "fc9f7306-ff8f-4d49-9fb6-3ffe5c0951ec": map[uint32]string{ + 100: "Contact Department", + }, + "fcad3d3d-0858-400f-aaa3-2f66cce2a6bc": map[uint32]string{ + 100: "Photo Flash Energy Numerator", + }, + "fcc16823-baed-4f24-9b32-a0982117f7fa": map[uint32]string{ + 100: "Identity Primary Email Address", + 
}, + "fceff153-e839-4cf3-a9e7-ea22832094b8": map[uint32]string{ + 100: "File Offline Availability Status", + 101: "Folder Kind", + 103: "Sync Transfer Status", + 104: "Transfer Position", + 105: "Transfer Size", + 106: "Transfer Order", + 107: "Last Sync Error", + 108: "Storage Provider Id", + 109: "Storage Provider Error", + 110: "Storage Provider Status", + 111: "Storage Provider Share Statuses", + 112: "Storage Provider File Remote Uri", + 113: "Cached File Updater Content Id For Stream", + 114: "Cached File Updater Content Id For Conflict Resolution", + 115: "Remote Conflicting File", + 116: "Storage Provider Thumbnail Dimensions", + 117: "Storage Provider Sharing Status", + 118: "Storage Provider Descendant Sharing Status", + 119: "Storage Provider Fully Qualified Id", + 120: "Storage Provider Custom States", + 121: "Item Custom State State List", + 122: "Item Custom State Values", + 123: "Item Custom State Icon References", + 124: "Storage Provider Aggregated Custom States", + 125: "Storage Provider Network Connected", + 126: "Storage Provider Warning Error State", + 127: "Storage Provider Protection Mode", + }, + "fcfb52aa-c1e5-4cd8-88bc-f80fd7390f20": map[uint32]string{ + 100: "Not User Content", + }, + "fd122953-fa93-4ef7-92c3-04c946b2f7c8": map[uint32]string{ + 100: "Music Display Artist", + }, + "fd9d9fc7-38ec-436d-8fc6-ec39bad301e6": map[uint32]string{ + 100: "Computer Processor", + 101: "Computer Memory", + }, + "fdf84370-031a-4add-9e91-0d775f1c6605": map[uint32]string{ + 100: "Mileage Information", + }, + "fe83bb35-4d1a-42e2-916b-06f3e1af719e": map[uint32]string{ + 100: "Photo Flash Model", + }, + "fe9e4c12-aacb-4aa3-966d-91a29e6128b5": map[uint32]string{ + 3: "Printer Default", + 4: "Printer Location", + 5: "Printer Model", + 6: "Printer Queue Size", + 7: "Printer Status", + }, + "fec690b7-5f30-4646-ae47-4caafba884a3": map[uint32]string{ + 100: "Photo Exposure Program Text", + }, + "fec7952b-4bf0-4c03-b6e1-2796818b7ca9": map[uint32]string{ + 100: 
"Fonts Version", + }, + "ff1167eb-cbfc-4341-a568-a7c91a68982c": map[uint32]string{ + 2: "Devices Wwan Interface Guid", + }, + "ff962609-b7d6-4999-862d-95180d529aea": map[uint32]string{ + 100: "Contact Other Address Street", + }, + "ffae9db7-1c8d-43ff-818c-84403aa3732d": map[uint32]string{ + 100: "Source Package Family Name", + }, +} diff --git a/libbeat/formats/lnk/known_shellbag_guids.go b/libbeat/formats/lnk/known_shellbag_guids.go new file mode 100644 index 000000000000..d93c8587ec17 --- /dev/null +++ b/libbeat/formats/lnk/known_shellbag_guids.go 
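Review bot: the name for property 100 under `ed4df2d3-8695-450b-856f-f5c1c53acb66` is misspelled as "GPS Des tDistance Ref"; the space is in the wrong place and it should read "GPS Dest Distance Ref", matching the "GPS Dest Latitude Numerator" entry a few lines above it. Since these strings end up as field names in emitted events, a typo here becomes a permanent, hard-to-search key.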
@@ -0,0 +1,398 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package lnk + +var knownShellbagGuids = map[string]string{ + "008ca0b1-55b4-4c56-b8a8-4de4b299d3bE": "Account Pictures", + "00bcfc5a-ed94-4e48-96a1-3f6217f21990": "RoamingTiles", + "00c6d95f-329c-409a-81d7-c46c66ea7f33": "Default Location", + "00f2886f-cd64-4fc9-8ec5-30ef6cdbe8c3": "Scanners and Cameras", + "0139d44e-6afe-49f2-8690-3dafcae6ffb8": "Programs", + "0142e4d0-fb7a-11dc-ba4a-000ffe7ab428": "Biometric Devices", + "018d5c66-4533-4307-9b53-224de2ed1fe6": "OneDrive", + "025a5937-a6be-4686-a844-36fe4bec8b6d": "Power Options", + "031e4825-7b94-4dc3-b131-e946b44c8dd5": "Libraries", + "04731b67-d933-450a-90e6-4acd2e9408fe": "Search Folder", + "0482af6c-08f1-4c34-8c90-e17ec98b1e17": "Public Account Pictures", + "054fae61-4dd8-4787-80b6-090220c4b700": "GameExplorer", + "05d7b0f4-2121-4eff-bf6b-ed3f69b894d9": "Taskbar (NotificationAreaIcons)", + "0762d272-c50a-4bb0-a382-697dcd729b80": "Users", + "087da31b-0dd3-4537-8e23-64a18591f88b": "Windows Security Center", + "0907616e-f5e6-48d8-9d61-a91c3d28106d": "Hyper-V Remote File Browsing", + "0ac0837c-bbf8-452a-850d-79d08e667ca7": "Computer", + "0afaced1-e828-11d1-9187-b532f1e9575d": "Folder Shortcut", + 
"0b2baaeb-0042-4dca-aa4d-3ee8648d03e5": "Pictures Library", + "0c15d503-d017-47ce-9016-7b3f978721cc": "Portable Device Values", + "0c39a5cf-1a7a-40c8-ba74-8900e6df5fcd": "Recent Items", + "0cd7a5c0-9f37-11ce-ae65-08002b2e1262": "Cabinet File", + "0d4c3db6-03a3-462f-a0e6-08924c41b5d4": "History", + "0df44eaa-ff21-4412-828e-260a8728e7f1": "Taskbar and Start Menu", + "0f214138-b1d3-4a90-bba9-27cbc0c5389a": "Sync Setup", + "11016101-e366-4d22-bc06-4ada335c892b": "Internet Explorer History and Feeds Shell Data Source for Windows Search", + "1206f5f1-0569-412c-8fec-3204630dfb70": "Credential Manager", + "13e7f612-f261-4391-bea2-39df4f3fa311": "Windows Desktop Search", + "15ca69b3-30ee-49c1-ace1-6b5ec372afb5": "Sample Playlists", + "15eae92e-f17a-4431-9f28-805e482dafd4": "Install New Programs ", + "1723d66a-7a12-443e-88c7-05e1bfe79983": "Previous Versions Delegate Folder", + "1777f761-68ad-4d8a-87bd-30b759fa33dd": "Favorites", + "17cd9488-1228-4b2f-88ce-4298e93e0966": "Default Programs", + "18989b1d-99b5-455b-841c-ab7c74e4ddfc": "Videos", + "190337d1-b8ca-4121-a639-6d472d16972a": "Search Results", + "1a6fdba2-f42d-4358-a798-b74d745926c5": "Recorded TV", + "1a9ba3a0-143a-11cf-8350-444553540000": "Shell Favorite Folder", + "1ac14e77-02e7-4e5d-b744-2eb1ae5198b7": "System32", + "1b3ea5dc-b587-4786-b4ef-bd1dc332aeae": "Libraries", + "1cf1260c-4dd0-4ebb-811f-33c572699fde": "Music", + "1d2680c9-0e2a-469d-b787-065558bc7d43": "Fusion Cache", + "1e87508d-89c2-42f0-8a7e-645a0f50ca58": "Applications", + "1f3427c8-5c10-4210-aa03-2ee45287d668": "User Pinned", + "1f43a58c-ea28-43e6-9ec4-34574a16ebb7": "Windows Desktop Search MAPI Namespace Extension Class", + "1f4de370-d627-11d1-ba4f-00a0c91eedba": "Search Results - Computers (Computer Search Results Folder, Network Computers)", + "1fa9085f-25a2-489b-85d4-86326eedcd87": "Manage Wireless Networks", + "208d2c60-3aea-1069-a2d7-08002b30309d": "My Network Places", + "20d04fe0-3aea-1069-a2d8-08002b30309d": "My Computer", + 
"2112ab0a-c86a-4ffe-a368-0de96e47012e": "Music", + "21ec2020-3aea-1069-a2dd-08002b30309d": "Control Panel", + "2227a280-3aea-1069-a2de-08002b30309d": "Printers", + "22877a6d-37a1-461a-91b0-dbda5aaebc99": "Recent Places", + "2400183a-6185-49fb-a2d8-4a392a602ba3": "Public Videos", + "241d7c96-f8bf-4f85-b01f-e2b043341a4b": "Workspaces Center(Remote Application and Desktop Connections)", + "24d89e24-2f19-4534-9dde-6a6671fbb8fe": "Documents", + "2559a1f0-21d7-11d4-bdaf-00c04f60b9f0": "Search", + "2559a1f1-21d7-11d4-bdaf-00c04f60b9f0": "Help and Support", + "2559a1f2-21d7-11d4-bdaf-00c04f60b9f0": "Windows Security", + "2559a1f3-21d7-11d4-bdaf-00c04f60b9f0": "Run...", + "2559a1f4-21d7-11d4-bdaf-00c04f60b9f0": "Internet", + "2559a1f5-21d7-11d4-bdaf-00c04f60b9f0": "E-mail", + "2559a1f6-21d7-11d4-bdaf-00c04f60b9f0": "OEM link", + "2559a1f7-21d7-11d4-bdaf-00c04f60b9f0": "Set Program Access and Defaults", + "259ef4b1-e6c9-4176-b574-481532c9bce8": "Game Controllers", + "267cf8a9-f4e3-41e6-95b1-af881be130ff": "Location Folder", + "26ee0668-a00a-44d7-9371-beb064c98683": "Control Panel", + "2728520d-1ec8-4c68-a551-316b684c4ea7": "Network Setup Wizard", + "27e2e392-a111-48e0-ab0c-e17705a05f85": "WPD Content Type Folder", + "28803f59-3a75-4058-995f-4ee5503b023c": "Bluetooth Devices", + "289978ac-a101-4341-a817-21eba7fd046d": "Sync Center Conflict Folder", + "289a9a43-be44-4057-a41b-587a76d7e7f9": "Sync Results", + "289af617-1cc3-42a6-926c-e6a863f0e3ba": "DLNA Media Servers Data Source", + "292108be-88ab-4f33-9a26-7748e62e37ad": "Videos library", + "2965e715-eb66-4719-b53f-1672673bbefa": "Results Folder", + "2a00375e-224c-49de-b8d1-440df7ef3ddc": "LocalizedResourcesDir", + "2b0f765d-c0e9-4171-908e-08a611b84ff6": "Cookies", + "2c36c0aa-5812-4b87-bfd0-4cd0dfb19b39": "Original Images", + "2e9e59c0-b437-4981-a647-9c34b9b90891": "Sync Setup Folder", + "2f6ce85c-f9ee-43ca-90c7-8a9bd53a2467": "File History Data Source", + "3080f90d-d7ad-11d9-bd98-0000947b0257": "Show Desktop", + 
"3080f90e-d7ad-11d9-bd98-0000947b0257": "Window Switcher", + "3214fab5-9757-4298-bb61-92a9deaa44ff": "Public Music", + "323ca680-c24d-4099-b94d-446dd2d7249e": "Common Places", + "328b0346-7eaf-4bbe-a479-7cb88a095f5b": "Layout Folder", + "335a31dd-f04b-4d76-a925-d6b47cf360df": "Backup and Restore Center", + "339719b5-8c47-4894-94c2-d8f77add44a6": "Pictures", + "33e28130-4e1e-4676-835a-98395c3bc3bb": "Pictures", + "352481e8-33be-4251-ba85-6007caedcf9d": "Temporary Internet Files", + "35786d3c-b075-49b9-88dd-029876e11c01": "Portable Devices", + "36011842-dccc-40fe-aa3d-6177ea401788": "Documents Search Results", + "36eef7db-88ad-4e81-ad49-0e313f0c35f8": "Windows Update", + "374de290-123f-4565-9164-39c4925e467b": "Downloads", + "37efd44d-ef8d-41b1-940d-96973a50e9e0": "Desktop Gadgets", + "38a98528-6cbf-4ca9-8dc0-b1e1d10f7b1b": "Connect To", + "3add1653-eb32-4cb0-bbd7-dfa0abb5acca": "Pictures", + "3c5c43a3-9ce9-4a9b-9699-2ac0cf6cc4bf": "Configure Wireless Network", + "3d644c9b-1fb8-4f30-9b45-f670235f79c0": "Public Downloads", + "3e7efb4c-faf1-453d-89eb-56026875ef90": "Windows Marketplace", + "3eb685db-65f9-4cf6-a03a-e3ef65729f3d": "RoamingAppData", + "3f2a72a7-99fa-4ddb-a5a8-c604edf61d6b": "Music Library", + "3f6bc534-dfa1-4ab4-ae54-ef25a74e0107": "System Restore", + "3f98a740-839c-4af7-8c36-5badfb33d5fd": "Documents library", + "4026492f-2f69-46b8-b9bf-5654fc07e423": "Windows Firewall", + "40419485-c444-4567-851a-2dd7bfa1684d": "Phone and Modem", + "418c8b64-5463-461d-88e0-75e2afa3c6fa": "Explorer Browser Results Folder", + "4234d49b-0245-4df3-b780-3893943456e1": "Applications", + "4336a54d-038b-4685-ab02-99bb52d3fb8b": "Samples", + "43668bf8-c14e-49b2-97c9-747784d784b7": "Sync Center", + "437ff9c0-a07f-4fa0-af80-84b6c6440a16": "Command Folder", + "450d8fba-ad25-11d0-98a8-0800361b1103": "My Documents", + "4564b25e-30cd-4787-82ba-39e73a750b14": "Recent Items Instance Folder", + "45c6afa5-2c13-402f-bc5d-45cc8172ef6b": "Toshiba Bluetooth Stack", + 
"46137b78-0ec3-426d-8b89-ff7c3a458b5e": "Network Neighborhood", + "46e06680-4bf0-11d1-83ee-00a0c90dc849": "NETWORK_DOMAIN", + "48daf80b-e6cf-4f4e-b800-0e69d84ee384": "Libraries", + "48e7caab-b918-4e58-a94d-505519c795dc": "Start Menu Folder", + "491e922f-5643-4af4-a7eb-4e7a138d8174": "Videos", + "4bd8d571-6d19-48d3-be97-422220080e43": "Music", + "4bfefb45-347d-4006-a5be-ac0cb0567192": "Conflicts", + "4c5c32ff-bb9d-43b0-b5b4-2d72e54eaaa4": "Saved Games", + "4d9f7874-4e0c-4904-967b-40b0d20c3e4b": "Internet", + "4dcafe13-e6a7-4c28-be02-ca8c2126280d": "Pictures Search Results", + "5224f545-a443-4859-ba23-7b5a95bdc8ef": "People Near Me", + "52528a6b-b9e3-4add-b60d-588c2dba842d": "Homegroup", + "52a4f021-7b75-48a9-9f6b-4b87a210bc8f": "Quick Launch", + "5399e694-6ce5-4d6c-8fce-1d8870fdcba0": "Control Panel command object for Start menu and desktop", + "54a754c0-4bf1-11d1-83ee-00a0c90dc849": "NETWORK_SHARE", + "56784854-c6cb-462b-8169-88e350acb882": "Contacts", + "58e3c745-d971-4081-9034-86e34b30836a": "Speech Recognition Options", + "59031a47-3f72-44a7-89c5-5595fe6b30ee": "Shared Documents Folder (Users Files)", + "5b3749ad-b49f-49c1-83eb-15370fbd4882": "TreeProperties", + "5b934b42-522b-4c34-bbfe-37a3ef7b9c90": "This Device Folder", + "5c4f28b5-f869-4e84-8e60-f11db97c5cc7": "Generic (All folder items)", + "5cd7aee2-2219-4a67-b85d-6c9ce15660cb": "Programs", + "5ce4a5e9-e4eb-479d-b89f-130c02886155": "DeviceMetadataStore", + "5e6c858f-0e22-4760-9afe-ea3317b67173": "Profile", + "5e8fc967-829a-475c-93ea-51fce6d9ffce": "RealPlayer Cloud", + "5ea4f148-308c-46d7-98a9-49041b1dd468": "Mobility Center Control Panel", + "5f4eab9a-6833-4f61-899d-31cf46979d49": "Generic library", + "5fa947b5-650a-4374-8a9a-5efa4f126834": "OpenDrive", + "5fa96407-7e77-483c-ac93-691d05850de8": "Videos", + "5fcd4425-ca3a-48f4-a57c-b8a75c32acb1": "Hewlett-Packard Recovery (Protect.dll)", + "60632754-c523-4b62-b45c-4172da012619": "User Accounts", + "625b53c3-ab48-4ec1-ba1f-a1ef4146fc19": "Start Menu", + 
"62ab5d82-fdc1-4dc3-a9dd-070d1d495d97": "ProgramData", + "62d8ed13-c9d0-4ce8-a914-47dd628fb1b0": "Regional and Language Options", + "631958a6-ad0f-4035-a745-28ac066dc6ed": "Videos Library", + "6365d5a7-0f0d-45e5-87f6-0da56b6a4f7d": "Common Files", + "63da6ec0-2e98-11cf-8d82-444553540000": "Microsoft FTP Folder", + "640167b4-59b0-47a6-b335-a6b3c0695aea": "Portable Media Devices", + "645ff040-5081-101b-9f08-00aa002f954e": "Recycle bin", + "64693913-1c21-4f30-a98f-4e52906d3b56": "App Instance Folder", + "67718415-c450-4f3c-bf8a-b487642dc39b": "Windows Features", + "6785bfac-9d2d-4be5-b7e2-59937e8fb80a": "Other Users Folder", + "679f85cb-0220-4080-b29b-5540cc05aab6": "Home Folder", + "67ca7650-96e6-4fdd-bb43-a8e774f73a57": "Home Group Control Panel (Home Group)", + "692f0339-cbaa-47e6-b5b5-3b84db604e87": "Extensions Manager Folder", + "69d2cf90-fc33-4fb7-9a0c-ebb0f0fcb43c": "Slide Shows", + "6c8eec18-8d75-41b2-a177-8831d59d2d50": "Mouse", + "6dfd7c5c-2451-11d3-a299-00c04f8ef6af": "Folder Options", + "6f0cd92b-2e97-45d1-88ff-b0d186b8dedd": "Network Connections", + "7007acc7-3202-11d1-aad2-00805fc1270e": "Network Connections", + "708e1662-b832-42a8-bbe1-0a77121e3908": "Tree property value folder", + "71689ac1-cc88-45d0-8a22-2943c3e7dfb3": "Music Search Results", + "71d99464-3b6b-475c-b241-e15883207529": "Sync Results Folder", + "724ef170-a42d-4fef-9f26-b60e846fba4f": "Administrative tools", + "725be8f7-668e-4c7b-8f90-46bdb0936430": "Keyboard", + "72b36e70-8700-42d6-a7f7-c9ab3323ee51": "Search Connector Folder", + "74246bfc-4c96-11d0-abef-0020af6b0b7a": "Device Manager", + "767e6811-49cb-4273-87c2-20f355e1085b": "Camera Roll", + "76fc4e2d-d6ad-4519-a663-37bd56068185": "Printers", + "78cb147a-98ea-4aa6-b0df-c8681f69341c": "Windows CardSpace", + "78f3955e-3b90-4184-bd14-5397c15f1efc": "Performance Information and Tools", + "7a979262-40ce-46ff-aeee-7884ac3b6136": "Add Hardware", + "7a9d77bd-5403-11d2-8785-2e0420524153": "User Accounts (Users and Passwords)", + 
"7b0db17d-9cd2-4a93-9733-46cc89022e7c": "Documents", + "7b396e54-9ec5-4300-be0a-2482ebae1a26": "Gadgets", + "7b81be6a-ce2b-4676-a29e-eb907a5126c5": "Programs and Features", + "7bd29e00-76c1-11cf-9dd0-00a0c9034933": "Temporary Internet Files", + "7bd29e01-76c1-11cf-9dd0-00a0c9034933": "Temporary Internet Files", + "7be9d83c-a729-4d97-b5a7-1b7313c39e0a": "Programs Folder", + "7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e": "Program Files", + "7d1d3a04-debb-4115-95cf-2f29da2920da": "Searches", + "7d49d726-3c21-4f05-99aa-fdc2c9474656": "Documents", + "7e636bfe-dfa9-4d5e-b456-d7b39851d8a9": "Templates", + "7fde1a1e-8b31-49a5-93b8-6be14cfa4943": "Generic Search Results", + "80213e82-bcfd-4c4f-8817-bb27601267a9": "Compressed Folder (zip folder)", + "8060b2e3-c9d7-4a5d-8c6b-ce8eba111328": "Proximity CPL", + "80f3f1d5-feca-45f3-bc32-752c152e456e": "Tablet PC Settings", + "82a5ea35-d9cd-47c5-9629-e15d2f714e6e": "CommonStartup", + "82a74aeb-aeb4-465c-a014-d097ee346d63": "Control Panel", + "82ba0782-5b7a-4569-b5d7-ec83085f08cc": "TopViews", + "8343457c-8703-410f-ba8b-8b026e431743": "Feedback Tool", + "859ead94-2e85-48ad-a71a-0969cb56a6cd": "Sample Videos", + "85bbd920-42a0-1069-a2e4-08002b30309d": "Briefcase", + "863aa9fd-42df-457b-8e4d-0de1b8015c60": "Remote Printers", + "865e5e76-ad83-4dca-a109-50dc2113ce9a": "Programs Folder and Fast Items", + "871c5380-42a0-1069-a2ea-08002b30309d": "Internet Explorer (Homepage)", + "87630419-6216-4ff8-a1f0-143562d16d5c": "Mobile Broadband Profile Settings Editor", + "877ca5ac-cb41-4842-9c69-9136e42d47e2": "File Backup Index", + "87d66a43-7b11-4a28-9811-c86ee395acf7": "Indexing Options", + "88c6c381-2e85-11d0-94de-444553540000": "ActiveX Cache Folder", + "896664f7-12e1-490f-8782-c0835afd98fc": "Libraries delegate folder that appears in Users Files Folder", + "8983036c-27c0-404b-8f08-102d10dcfd74": "SendTo", + "89d83576-6bd1-4c86-9454-beb04e94c819": "MAPI Folder", + "8ad10c31-2adb-4296-a8f7-e4701232c972": "Resources", + 
"8e74d236-7f35-4720-b138-1fed0b85ea75": "OneDrive", + "8e908fc9-becc-40f6-915b-f4ca0e70d03d": "Network and Sharing Center", + "8fd8b88d-30e1-4f25-ac2b-553d3d65f0ea": "DXP", + "905e63b6-c1bf-494e-b29c-65b732d3d21a": "Program Files", + "9113a02d-00a3-46b9-bc5f-9c04daddd5d7": "Enhanced Storage Data Source", + "9274bd8d-cfd1-41c3-b35e-b13f55a758f4": "Printer Shortcuts", + "93412589-74d4-4e4e-ad0e-e0cb621440fd": "Font Settings", + "9343812e-1c37-4a49-a12e-4b2d810d956b": "Search Home", + "94d6ddcc-4a68-4175-a374-bd584a510b78": "Music", + "96437431-5a90-4658-a77c-25478734f03e": "Server Manager", + "96ae8d84-a250-4520-95a5-a47a7e3c548b": "Parental Controls", + "978e0ed7-92d6-4cec-9b59-3135b9c49ccf": "Music library", + "98d99750-0b8a-4c59-9151-589053683d73": "Windows Search Service Media Center Namespace Extension Handler", + "98ec0e18-2098-4d44-8644-66979315a281": "Microsoft Office Outlook", + "98f275b4-4fff-11e0-89e2-7b86dfd72085": "Start Menu Launcher Provider Folder", + "992cffa0-f557-101a-88ec-00dd010ccc48": "Network Connections", + "9a096bb5-9dc3-4d1c-8526-c3cbf991ea4e": "Internet Explorer RSS Feeds Folder", + "9b74b6a3-0dfd-4f11-9e78-5f7800f2e772": "The user's username (%USERNAME%)", + "9c60de1e-e5fc-40f4-a487-460851a8d915": "AutoPlay", + "9c73f5e5-7ae7-4e32-a8e8-8d23b85255bf": "Sync Center", + "9db7a13c-f208-4981-8353-73cc61ae2783": "Previous Versions", + "9e3995ab-1f9c-4f13-b827-48b24b6c7174": "User Pinned", + "9e52ab10-f80d-49df-acb8-4330f5687855": "CDBurning", + "9f433b7c-5f96-4ce1-ac28-aeaa1cc04d7c": "Security Center", + "9fe63afd-59cf-4419-9775-abcc3849f861": "System Recovery", + "a00ee528-ebd9-48b8-944a-8942113d46ac": "Start Menu Commanding Provider Folder", + "a0275511-0e86-4eca-97c2-ecd8f1221d08": "Infrared", + "a0953c92-50dc-43bf-be83-3742fed03c9c": "Videos", + "a302545d-deff-464b-abe8-61c8648d939b": "Libraries", + "a304259d-52b8-4526-8b1a-a1d6cecc8243": "iSCSI Initiator", + "a305ce99-f527-492b-8b1a-7e76fa98d6e4": "Installed Updates", + 
"a3918781-e5f2-4890-b3d9-a7e54332328c": "Application Shortcuts", + "a3c3d402-e56c-4033-95f7-4885e80b0111": "Previous Versions Results Delegate Folder", + "a3dd4f92-658a-410f-84fd-6fbbbef2fffe": "Internet Options", + "a4115719-d62e-491d-aa7c-e74b8be3b067": "Start Menu", + "a5110426-177d-4e08-ab3f-785f10b4439c": "Sony Ericsson File Manager", + "a520a1a4-1780-4ff6-bd18-167343c5af16": "AppDataLow", + "a52bba46-e9e1-435f-b3d9-28daa648c0f6": "OneDrive", + "a5a3563a-5755-4a6f-854e-afa3230b199f": "Library Folder", + "a5e46e3a-8849-11d1-9d8c-00c04fc99d61": "Microsoft Browser Architecture", + "a63293e8-664e-48db-a079-df759e0509f7": "Templates", + "a6482830-08eb-41e2-84c1-73920c2badb9": "Removable Storage Devices", + "a75d362e-50fc-4fb7-ac2c-a8beaa314493": "SidebarParts", + "a77f5d77-2e2b-44c3-a6a2-aba601054a51": "Programs", + "a8a91a66-3a7d-4424-8d24-04e180695c7a": "Device Center(Devices and Printers)", + "a8cdff1c-4878-43be-b5fd-f8091c1c60d0": "Documents", + "a990ae9f-a03b-4e80-94bc-9912d7504104": "Pictures", + "aaa8d5a5-f1d6-4259-baa8-78e7ef60835e": "RoamedTileImages", + "ab4f43ca-adcd-4384-b9af-3cecea7d6544": "Sitios Web", + "ab5fb87b-7ce2-4f83-915d-550846c9537b": "Camera Roll", + "ae50c081-ebd2-438a-8655-8a092e34987a": "Recent Items", + "aee2420f-d50e-405c-8784-363c582bf45a": "Device Pairing Folder", + "afdb1f70-2a4c-11d2-9039-00c04f8eeb3e": "Offline Files Folder", + "b155bdf8-02f0-451e-9a26-ae317cfd7779": "Delegate folder that appears in Computer", + "b250c668-f57d-4ee1-a63c-290ee7d1aa1f": "Sample Music", + "b28aa736-876b-46da-b3a8-84c5e30ba492": "Web sites", + "b2952b16-0e07-4e5a-b993-58c52cb94cae": "DB Folder", + "b2c761c6-29bc-4f19-9251-e6195265baf1": "Color Management", + "b3690e58-e961-423b-b687-386ebfd83239": "Pictures folder", + "b4bfcc3a-db2c-424c-b029-7fe99a87c641": "Desktop", + "b4fb3f98-c1ea-428d-a78a-d1f5659cba93": "Other Users Folder", + "b5947d7f-b489-4fde-9e77-23780cc610d1": "Virtual Machines", + "b689b0d0-76d3-4cbb-87f7-585d0e0ce070": "Games folder", + 
"b6ebfb86-6907-413c-9af7-4fc2abf07cc5": "Public Pictures", + "b7534046-3ecb-4c18-be4e-64cd4cb7d6ac": "Recycle Bin", + "b7bede81-df94-4682-a7d8-57a52620b86f": "Screenshots", + "b94237e7-57ac-4347-9151-b08c6c32d1f7": "CommonTemplates", + "b97d20bb-f46a-4c97-ba10-5e3608430854": "Startup", + "b98a2bea-7d42-4558-8bd1-832f41bac6fd": "Backup And Restore (Backup and Restore Center)", + "bb06c0e4-d293-4f75-8a90-cb05b6477eee": "System", + "bb64f8a7-bee7-4e1a-ab8d-7d8273f7fdb6": "Action Center", + "bc476f4c-d9d7-4100-8d4e-e043f6dec409": "Microsoft Browser Architecture", + "bc48b32f-5910-47f5-8570-5074a8a5636a": "Sync Results Delegate Folder", + "bcb5256f-79f6-4cee-b725-dc34e402fd46": "ImplicitAppShortcuts", + "bcbd3057-ca5c-4622-b42d-bc56db0ae516": "Programs", + "bd7a2e7b-21cb-41b2-a086-b309680c6b7e": "Client Side Cache Folder", + "bd84b380-8ca2-1069-ab1d-08000948f534": "Microsoft Windows Font Folder", + "bd85e001-112e-431e-983b-7b15ac09fff1": "RecordedTV", + "bdbe736f-34f5-4829-abe8-b550e65146c4": "TopViews", + "bdeadf00-c265-11d0-bced-00a0c90ab50f": "Web Folders", + "be122a0e-4503-11da-8bde-f66bad1e3f3a": "Windows Anytime Upgrade", + "bf782cc9-5a52-4a17-806c-2a894ffeeac5": "Language Settings", + "bfb9d5e0-c6a9-404c-b2b2-ae6db6af4968": "Links", + "c0542a90-4bf0-11d1-83ee-00a0c90dc849": "NETWORK_SERVER", + "c1bae2d0-10df-4334-bedd-7aa20b227a9d": "Common OEM Links", + "c1f8339f-f312-4c97-b1c6-ecdf5910c5c0": "Pictures library", + "c291a080-b400-4e34-ae3f-3d2b9637d56c": "UNCFAT IShellFolder Class", + "c2b136e2-d50e-405c-8784-363c582bf43e": "Device Center Initialization", + "c4900540-2379-4c75-844b-64e6faf8716b": "Sample Pictures", + "c4aa340d-f20f-4863-afef-f87ef2e6ba25": "Public Desktop", + "c4d98f09-6124-4fe0-9942-826416082da9": "Users libraries", + "c555438b-3c23-4769-a71f-b6d3d9b6053a": "Display", + "c57a6066-66a3-4d91-9eb9-41532179f0a5": "Application Suggested Locations", + "c58c4893-3be0-4b45-abb5-a63e4b8c8651": "Troubleshooting", + "c5abbf53-e17f-4121-8900-86626fc2c973": 
"Network Shortcuts", + "c870044b-f49e-4126-a9c3-b52a1ff411e8": "Ringtones", + "cac52c1a-b53d-4edc-92d7-6b2e8ac19434": "Games", + "cb1b7f8c-c50a-4176-b604-9e24dee8d4d1": "Welcome Center", + "cce6191f-13b2-44fa-8d14-324728beef2c": "{Unknown CSIDL}", + "d0384e7d-bac3-4797-8f14-cba229b392b5": "Administrative Tools", + "d17d1d6d-cc3f-4815-8fe3-607e7d5d10b3": "Text to Speech", + "d2035edf-75cb-4ef1-95a7-410d9ee17170": "DLNA Content Directory Data Source", + "d20beec4-5ca8-4905-ae3b-bf251ea09b53": "Network", + "d20ea4e1-3957-11d2-a40b-0c5020524152": "Fonts", + "d20ea4e1-3957-11d2-a40b-0c5020524153": "Administrative Tools", + "d24f75aa-4f2b-4d07-a3c4-469b3d9030c4": "Offline Files", + "d34a6ca6-62c2-4c34-8a7c-14709c1ad938": "Common Places FS Folder", + "d426cfd0-87fc-4906-98d9-a23f5d515d61": "Windows Search Service Outlook Express Protocol Handler", + "d4480a50-ba28-11d1-8e75-00c04fa31a86": "Add Network Place", + "d450a8a1-9568-45c7-9c0e-b4f9fb4537bd": "Installed Updates", + "d555645e-d4f8-4c29-a827-d93c859c4f2a": "Ease of Access", + "d5b1944e-db4e-482e-b3f1-db05827f0978": "Softex OmniPass Encrypted Folder", + "d6277990-4c6a-11cf-8d87-00aa0060f5bf": "Scheduled Tasks", + "d65231b0-b2f1-4857-a4ce-a8e7c6ea7d27": "System32", + "d8559eb9-20c0-410e-beda-7ed416aecc2a": "Windows Defender", + "d9dc8a3b-b784-432e-a781-5a1130a75963": "History", + "d9ef8727-cac2-4e60-809e-86f80a666c91": "Secure Startup (BitLocker Drive Encryption)", + "da3f6866-35fe-4229-821a-26553a67fc18": "General (Generic) library", + "daf95313-e44d-46af-be1b-cbacea2c3065": "Start Menu Provider Folder", + "de2b70ec-9bf7-4a93-bd3d-243f7881d492": "Contacts", + "de61d971-5ebc-4f02-a3a9-6c82895e5c04": "AddNewPrograms", + "de92c1c7-837f-4f69-a3bb-86e631204a23": "Playlists", + "de974d24-d9c6-4d3e-bf91-f4455120b917": "Common Files", + "debf2536-e1a8-4c59-b6a2-414586476aea": "GameExplorer", + "df7266ac-9274-4867-8d55-3bd661de872d": "Programs and Features", + "dfdf76a2-c82a-4d63-906a-5644ac457385": "Public", + 
"dffacdc5-679f-4156-8947-c5c76bc0b67f": "Delegate folder that appears in Users Files Folder", + "e17d4fc0-5564-11d1-83f2-00a0c90dc849": "Search Results Folder", + "e211b736-43fd-11d1-9efb-0000f8757fcd": "Scanners and Cameras", + "e2e7934b-dce5-43c4-9576-7fe4f75e7480": "Date and Time", + "e345f35f-9397-435c-8f95-4e922c26259e": "Start Menu Path Complete Provider Folder", + "e413d040-6788-4c22-957e-175d1c513a34": "Sync Center Conflict Delegate Folder", + "e555ab60-153b-4d17-9f04-a5fe99fc15ec": "Ringtones", + "e773f1af-3a65-4866-857d-846fc9c4598a": "Shell Storage Folder Viewer", + "e7de9b1a-7533-4556-9484-b26fb486475e": "Network Map", + "e7e4bc40-e76a-11ce-a9bb-00aa004ae837": "Shell DocObject Viewer", + "e88dcce0-b7b3-11d1-a9f0-00aa0060fa31": "Compressed Folder", + "e95a4861-d57a-4be1-ad0f-35267e261739": "Windows Side Show", + "e9950154-c418-419e-a90a-20c5287ae24b": "Location and Other Sensors", + "ea25fbd7-3bf7-409e-b97f-3352240903f4": "Videos Search Results", + "ecdb0924-4208-451e-8ee0-373c0956de16": "Work Folders", + "ed228fdf-9ea8-4870-83b1-96b02cfe0d52": "My Games", + "ed4824af-dce4-45a8-81e2-fc7965083634": "Public Documents", + "ed50fc29-b964-48a9-afb3-15ebb9b97f36": "PrintHood delegate folder", + "ed7ba470-8e54-465e-825c-99712043e01c": "All Tasks", + "ed834ed6-4b5a-4bfe-8f11-a626dcb6a921": "Personalization Control Panel", + "edc978d6-4d53-4b2f-a265-5805674be568": "Stream Backed Folder", + "ee32e446-31ca-4aba-814f-a5ebd2fd6d5e": "Offline Files", + "f02c1a0d-be21-4350-88b0-7367fc96ef3c": "Network", + "f0d63f85-37ec-4097-b30d-61b4a8917118": "Photo Stream", + "f1390a9a-a3f4-4e5d-9c5f-98f3bd8d935c": "Sync Setup Delegate Folder", + "f1b32785-6fba-4fcf-9d55-7b8e7f157091": "LocalAppData", + "f2ddfc82-8f12-4cdd-b7dc-d4fe1425aa4d": "Sound", + "f38bf404-1d43-42f2-9305-67de0b28fc23": "Windows", + "f3ce0f7c-4901-4acc-8648-d5d44b04ef8f": "Users Files", + "f3f5824c-ad58-4728-af59-a1ebe3392799": "Sticky Notes Namespace Extension for Windows Desktop Search", + 
"f5175861-2688-11d0-9c5e-00aa00a45957": "Subscription Folder", + "f6b6e965-e9b2-444b-9286-10c9152edbc5": "History Vault", + "f7f1ed05-9f6d-47a2-aaae-29d317c6f066": "Common Files", + "f82df8f7-8b9f-442e-a48c-818ea735ff9b": "Pen and Input Devices", + "f8c2ab3b-17bc-41da-9758-339d7dbf2d88": "Previous Versions Results Folder", + "f90c627b-7280-45db-bc26-cce7bdd620a4": "All Tasks", + "f942c606-0914-47ab-be56-1321b8035096": "Storage Spaces", + "fb0c9c8a-6c50-11d1-9f1d-0000f8757fcd": "Scanners & Cameras", + "fbb3477e-c9e4-4b3b-a2ba-d3f5d3cd46f9": "Documents Library", + "fc9fb64a-1eb2-4ccf-af5e-1a497a9b5c2d": "My sharing folders", + "fcfeecae-ee1b-4849-ae50-685dcf7717ec": "Problem Reports and Solutions", + "fd228cb7-ae11-4ae3-864c-16f3910ab8fe": "Fonts", + "fdd39ad0-238f-46af-adb4-6c85480369c7": "Documents", + "fe1290f0-cfbd-11cf-a330-00aa00c16e65": "Directory", + "ff393560-c2a7-11cf-bff4-444553540000": "History", +} diff --git a/libbeat/formats/lnk/known_shellbags.go b/libbeat/formats/lnk/known_shellbags.go new file mode 100644 index 000000000000..0683de147134 --- /dev/null +++ b/libbeat/formats/lnk/known_shellbags.go 
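Review bot: the very first key in `knownShellbagGuids`, `"008ca0b1-55b4-4c56-b8a8-4de4b299d3bE"`, has an uppercase trailing `E` while every other key in the map is lowercase; `checkKnownGUIDs` does a plain map lookup on the string returned by `encodeUUID`, so unless that function happens to emit exactly this casing the "Account Pictures" entry can never match. Lowercase it (or normalise the key on lookup). Two smaller cleanups in the same table: `"15eae92e-f17a-4431-9f28-805e482dafd4": "Install New Programs "` carries a trailing space that will leak into event output, and `"cce6191f-13b2-44fa-8d14-324728beef2c": "{Unknown CSIDL}"` is a placeholder rather than a name, so either resolve it or drop the entry and let the caller fall through to its default.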
@@ -0,0 +1,210 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package lnk + +import ( + "encoding/binary" + "fmt" +) + +type shellbagParser func(data []byte) string + +func simpleShellbagParser(name string) shellbagParser { + return func(data []byte) string { + return name + } +} + +func checkKnownGUIDs(offset int, data []byte) string { + if len(data) >= 16+offset { + uuid := encodeUUID(data[offset : 16+offset]) + if name, known := knownShellbagGuids[uuid]; known { + return name + } + } + return "" +} + +func parseShellbag0x00(data []byte) string { + return checkKnownGUIDs(0xE, data) +} + +func parseShellbag0x01(data []byte) string { + if data[8] == 0x3A && data[9] == 0x00 { + return "Hyper-V storage volume" + } + signature := binary.LittleEndian.Uint32(data[4:]) + if signature != 0x39de2184 { + return "Control Panel Category" + } + switch data[8] { + case 0x00: + return "All Control Panel Items" + case 0x01: + return "Appearance and Personalization" + case 0x02: + return "Hardware and Sound" + case 0x03: + return "Network and Internet" + case 0x04: + return "Sound, Speech and Audio Devices" + case 0x05: + return "System and Security" + case 0x06: + return "Clock, Language, and Region" + case 0x07: + return "Ease of 
Access" + case 0x08: + return "Programs" + case 0x09: + return "User Accounts" + case 0x10: + return "Security Center" + case 0x11: + return "Mobile PC" + default: + return fmt.Sprintf("Unknown Control Panel Category: %d", data[8]) + } +} + +func parseShellbag0x2e(data []byte) string { + if known := checkKnownGUIDs(0x4, data); known != "" { + return known + } + + if len(data) == 0x16 && data[3] == 0x80 { + return "Root folder: GUID" + } + signature := binary.LittleEndian.Uint64(data[len(data)-8:]) + if signature == 0x0000ee306bfe9555 || signature == 0xee306bfe9555c589 { + return "User profile" + } + shortSignature := binary.LittleEndian.Uint32(data[5:]) + if shortSignature >= 0x15032601 { + return "Control panel category" + } + return "Users property view" +} + +func parseShellbag0x1f(data []byte) string { + if known := checkKnownGUIDs(4, data); known != "" { + return known + } + if data[0] == 0x14 || data[0] == 0x32 || data[0] == 0x3A { + return "Root folder: GUID" + } + if data[4] == 0x2f { + return "Users property view: Drive letter" + } + maskedBit := data[3] & 0x70 + switch maskedBit { + // https://github.com/williballenthin/shellbags/blob/fee76eb25c2b80c33caf8ab9013de5cba113dcd2/ShellItems.py#L54 + case 0x00: + return "INTERNET_EXPLORER" + case 0x42: + return "LIBRARIES" + case 0x44: + return "USERS" + case 0x48: + return "MY_DOCUMENTS" + case 0x50: + return "MY_COMPUTER" + case 0x58: + return "NETWORK" + case 0x60: + return "RECYCLE_BIN" + case 0x68: + return "INTERNET_EXPLORER" + case 0x80: + return "MY_GAMES" + // unknown + case 0x40: + fallthrough + case 0x70: + return "Root folder: GUID" + } + signature := binary.LittleEndian.Uint32(data[6:]) + if signature == 0xbeebee00 { + return "Variable: Users property view" + } + if signature == 0x4c644970 { + return "Windows Backup" + } + return "Users property view" +} + +func parseShellbag0x40(data []byte) string { + switch data[2] { + case 0x47: + return "Entire Network" + case 0x46: + return "Microsoft Windows 
Network" + case 0x41: + return "Domain/Workgroup name" + case 0x42: + return "Server UNC path" + case 0x43: + return "Share UNC path" + default: + return "Network location" + } +} + +func parseShellbag0x71(data []byte) string { + return checkKnownGUIDs(0xE, data) +} + +// Have a better look at +// https://github.com/williballenthin/shellbags/blob/fee76eb25c2b80c33caf8ab9013de5cba113dcd2/ShellItems.py +var knownShellbags = map[byte]shellbagParser{ + // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0X23.cs + 0x23: simpleShellbagParser("Drive letter"), + // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0X4C.cs + 0x4C: simpleShellbagParser("Sharepoint directory"), + // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0x00.cs + 0x00: parseShellbag0x00, + // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0x01.cs + 0x01: parseShellbag0x01, + // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0x1f.cs + 0x1f: parseShellbag0x1f, + // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0x2e.cs + 0x2e: parseShellbag0x2e, + // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0x2f.cs + 0x2f: simpleShellbagParser("Drive letter"), + // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0x31.cs + 0x31: simpleShellbagParser("Directory"), + // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0x32.cs + 0x32: simpleShellbagParser("File"), + // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0x40.cs + 0x40: parseShellbag0x40, + // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0x61.cs + 0x61: simpleShellbagParser("URI"), + // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0x71.cs + 0x71: parseShellbag0x71, + // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0x74.cs + // 0x74: + // 
https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0xc3.cs + 0xc3: simpleShellbagParser("Network location"), +} + +func getShellbagName(shellbagType byte, data []byte) string { + if parser, known := knownShellbags[shellbagType]; known { + return parser(data) + } + return "" +} diff --git a/libbeat/formats/lnk/lnk.go b/libbeat/formats/lnk/lnk.go new file mode 100644 index 000000000000..e9e12a968612 --- /dev/null +++ b/libbeat/formats/lnk/lnk.go 
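Review bot: the per-type parsers index `data` without length checks, so a short shell item panics instead of yielding a name: `parseShellbag0x01` reads `data[8]`, `data[9]` and `binary.LittleEndian.Uint32(data[4:])`, `parseShellbag0x2e` slices `data[len(data)-8:]` (a negative index for items under 8 bytes) and `data[5:]`, `parseShellbag0x1f` reads `data[0]`, `data[3]`, `data[4]` and `data[6:]`, and `parseShellbag0x40` reads `data[2]`; only `checkKnownGUIDs` guards with `len(data) >= 16+offset`. Because `getShellbagName` is invoked on the item bytes after the 3-byte size/type prefix, `data` can legitimately be empty, so each parser should return "" when `len(data)` is below what it dereferences, or the dispatcher should enforce a minimum length per type. Two things to confirm against the referenced sources: in `parseShellbag0x1f`, `maskedBit := data[3] & 0x70` can only produce 0x00, 0x10, ..., 0x70, so the arms `0x42`, `0x44`, `0x48`, `0x58`, `0x68` and `0x80` are unreachable (either the mask is too narrow or the case values should be the masked values); and in `parseShellbag0x01` the category list jumps from `case 0x09` to `case 0x10`/`case 0x11` while the default prints the byte with `%d`, which looks like a decimal-to-hex slip (categories 10 and 11 would be `0x0A`/`0x0B`) worth checking against ShellBag0x01.cs.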
@@ -0,0 +1,251 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package lnk + +// https://github.com/libyal/liblnk/blob/master/documentation/Windows%20Shortcut%20File%20(LNK)%20format.asciidoc + +import ( + "io" + "time" +) + +// Console contains LNK extra console data block info +type Console struct { + FillAttributes []string `json:"fill_attributes,omitempty"` + PopupFillAttributes []string `json:"popup_fill_attributes,omitempty"` + ScreenBufferSizeX uint16 `json:"screen_buffer_size_x"` + ScreenBufferSizeY uint16 `json:"screen_buffer_size_y"` + WindowSizeX uint16 `json:"window_size_x"` + WindowSizeY uint16 `json:"window_size_y"` + WindowOriginX uint16 `json:"window_origin_x"` + WindowOriginY uint16 `json:"window_origin_y"` + FontSize uint32 `json:"font_size"` + FontFamily string `json:"font_family,omitempty"` + FontWeight uint32 `json:"font_weight"` + FaceName string `json:"face_name,omitempty"` + CursorSize uint32 `json:"cursor_size"` + FullScreen bool `json:"full_screen"` + QuickEdit bool `json:"quick_edit"` + InsertMode bool `json:"insert_mode"` + AutoPosition bool `json:"auto_position"` + HistoryBufferSize uint32 `json:"history_buffer_size"` + NumberOfHistoryBuffers uint32 `json:"number_of_history_buffers"` + 
HistoryNoDup bool `json:"history_no_dup"` + ColorTable []string `json:"color_table"` +} + +// ConsoleFE contains LNK extra console data block info +type ConsoleFE struct { + CodePage string `json:"code_page"` +} + +// Darwin contains LNK extra darwin data block info +type Darwin struct { + ANSI string `json:"ansi"` + Unicode string `json:"unicode"` +} + +// Environment contains LNK extra environment data block info +type Environment struct { + ANSI string `json:"ansi"` + Unicode string `json:"unicode"` +} + +// IconEnvironment contains LNK extra icon environment data block info +type IconEnvironment struct { + ANSI string `json:"ansi"` + Unicode string `json:"unicode"` +} + +// KnownFolder contains LNK extra known folder data block info +type KnownFolder struct { + ID string `json:"id"` + Offset uint32 `json:"offset"` +} + +// Property contains property storage propery info +type Property struct { + Name string `json:"name"` + Type string `json:"type"` + Value interface{} `json:"value"` +} + +// PropertyStore contains LNK extra property store data block info +type PropertyStore struct { + // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-propstore/3453fb82-0e4f-4c2c-bc04-64b4bd2c51ec + Properties []Property `json:"properties,omitempty"` +} + +// Shim contains LNK extra shim data block info +type Shim struct { + LayerName string `json:"layer_name,omitempty"` +} + +// SpecialFolder contains LNK extra special folder data block info +type SpecialFolder struct { + ID uint32 `json:"id"` + Offset uint32 `json:"offset"` +} + +// Tracker contains LNK extra tracker data block info +type Tracker struct { + Version uint32 `json:"version"` + MachineID string `json:"machine_id"` + Droid []string `json:"droid,omitempty"` + DroidBirth []string `json:"droid_birth,omitempty"` +} + +// VistaAndAboveIDList contains LNK extra vista and above id list data block info +type VistaAndAboveIDList struct { + Shellbags []Shellbag `json:"shellbags,omitempty"` +} + +// Extra 
contains LNK extra block info +type Extra struct { + // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/c41e062d-f764-4f13-bd4f-ea812ab9a4d1 + Console *Console `json:"console,omitempty"` + ConsoleFE *ConsoleFE `json:"console_fe,omitempty"` + Darwin *Darwin `json:"darwin,omitempty"` + Environment *Environment `json:"environment,omitempty"` + IconEnvironment *IconEnvironment `json:"icon_environment,omitempty"` + KnownFolder *KnownFolder `json:"known_folder,omitempty"` + PropertyStore *PropertyStore `json:"property_store,omitempty"` + Shim *Shim `json:"shim,omitempty"` + SpecialFolder *SpecialFolder `json:"special_folder,omitempty"` + Tracker *Tracker `json:"tracker,omitempty"` + VistaAndAboveIDList *VistaAndAboveIDList `json:"vista_and_above_id_list,omitempty"` +} + +// Volume contains LNK location volume info +type Volume struct { + // https://github.com/libyal/liblnk/blob/master/documentation/Windows%20Shortcut%20File%20(LNK)%20format.asciidoc#42-volume-information + DriveType string `json:"drive_type,omitempty"` + DriveSerialNumber string `json:"drive_serial_number,omitempty"` + VolumeLabel string `json:"volume_label,omitempty"` +} + +// NetworkShare contains LNK location network share info +type NetworkShare struct { + // https://github.com/libyal/liblnk/blob/master/documentation/Windows%20Shortcut%20File%20(LNK)%20format.asciidoc#43-network-share-information + Flags []string `json:"flags,omitempty"` + ProviderType string `json:"provider_type,omitempty"` + Name string `json:"name,omitempty"` + DeviceName string `json:"device_name,omitempty"` +} + +// Location contains LNK location info +type Location struct { + // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/6813269d-0cc8-4be2-933f-e96e8e3412dc + // https://github.com/libyal/liblnk/blob/master/documentation/Windows%20Shortcut%20File%20(LNK)%20format.asciidoc#4-location-information + Flags []string `json:"flags"` + CommonPathSuffix string 
`json:"common_path_suffix,omitempty"` + // Location information data + Volume *Volume `json:"volume,omitempty"` + LocalBasePath string `json:"local_base_path,omitempty"` + // The network share information + NetworkShare *NetworkShare `json:"network_share,omitempty"` +} + +// Shellbag contains LNK shellbag info +type Shellbag struct { + Name string `json:"name,omitempty"` + Size uint16 `json:"size"` + TypeID uint8 `json:"type_id"` + SHA256 string `json:"sha256"` +} + +// Header contains LNK header info +type Header struct { + GUID string `json:"guid"` + LinkFlags []string `json:"link_flags"` + FileFlags []string `json:"file_flags"` + CreationTime *time.Time `json:"creation_time,omitempty"` + AccessedTime *time.Time `json:"accessed_time,omitempty"` + ModifiedTime *time.Time `json:"modified_time,omitempty"` + FileSize uint32 `json:"file_size,omitempty"` + IconIndex uint32 `json:"icon_index"` + WindowStyle string `json:"window_style"` + HotKey string `json:"hot_key,omitempty"` + + rawLinkFlags uint32 + rawFileFlags uint32 +} + +// Info contains high level fingerprinting an analysis of an LNK file. +type Info struct { + Header *Header `json:"header"` + Shellbags []Shellbag `json:"shellbags,omitempty"` + Location *Location `json:"location,omitempty"` + Name string `json:"name,omitempty"` + RelativePath string `json:"relative_path,omitempty"` + WorkingDirectory string `json:"working_directory,omitempty"` + CommandLine string `json:"command_line,omitempty"` + IconLocation string `json:"icon_location,omitempty"` + Extra *Extra `json:"extra,omitempty"` +} + +// Parse parses the LNK file and returns information about it or errors. 
+func Parse(r io.ReaderAt) (interface{}, error) { + header, offset, err := parseHeader(r) + if err != nil { + return nil, err + } + shellbags, offset, err := parseShellbags(header, offset, r) + if err != nil { + return nil, err + } + location, offset, err := parseLocationInfo(header, offset, r) + if err != nil { + return nil, err + } + name, offset, err := readDataString(header, hasName, offset, r) + if err != nil { + return nil, err + } + relativePath, offset, err := readDataString(header, hasRelativePath, offset, r) + if err != nil { + return nil, err + } + workingDirectory, offset, err := readDataString(header, hasWorkingDir, offset, r) + if err != nil { + return nil, err + } + commandLine, offset, err := readDataString(header, hasArguments, offset, r) + if err != nil { + return nil, err + } + iconLocation, offset, err := readDataString(header, hasIconLocation, offset, r) + if err != nil { + return nil, err + } + extra, err := parseExtraBlocks(header, offset, r) + if err != nil { + return nil, err + } + return &Info{ + Header: header, + Shellbags: shellbags, + Location: location, + Name: name, + RelativePath: relativePath, + WorkingDirectory: workingDirectory, + CommandLine: commandLine, + IconLocation: iconLocation, + Extra: extra, + }, nil +} diff --git a/libbeat/formats/lnk/lnk_fuzz.go b/libbeat/formats/lnk/lnk_fuzz.go new file mode 100644 index 000000000000..35e1032cfbd0 --- /dev/null +++ b/libbeat/formats/lnk/lnk_fuzz.go 
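Review bot: `Parse` is declared as returning `interface{}` although every return path yields `*Info`; returning `*Info` gives callers a typed result and removes a type assertion (the test only round-trips the value through JSON, so the loss of type is invisible there). Documentation nits in the same hunk: the `Property` comment has "propery", the `Info` comment reads "fingerprinting an analysis" (should be "and"), and `ConsoleFE`'s comment duplicates `Console`'s instead of saying it carries the console code page. Also `FileSize` is tagged `omitempty` while the neighbouring numeric header fields are not, so a genuinely zero-length target is indistinguishable from a missing value in the emitted JSON.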
@@ -0,0 +1,29 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// +build fuzz + +package lnk + +import ( + "bytes" +) + +func Fuzz(data []byte) int { + Parse(bytes.NewReader(data)) + return 0 +} diff --git a/libbeat/formats/lnk/lnk_test.go b/libbeat/formats/lnk/lnk_test.go new file mode 100644 index 000000000000..8a8a48c0d3d8 --- /dev/null +++ b/libbeat/formats/lnk/lnk_test.go 
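Review bot: `Fuzz` always returns 0, so go-fuzz gets no signal about which inputs are worth keeping; the usual convention is to return 1 when `Parse` returns no error and 0 otherwise, which steers the corpus toward well-formed LNK files and makes the mutations more productive. Leaving the result of `Parse` unchecked is fine here, since a panic is exactly what the harness exists to surface, and it would be worth running it before merge given how many offsets and sizes in this package are taken from the file unvalidated.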
@@ -0,0 +1,138 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package lnk + +import ( + "encoding/json" + "io/ioutil" + "os" + "testing" + + "github.com/stretchr/testify/require" +) + +func TestBinaries(t *testing.T) { + generate := os.Getenv("GENERATE") == "1" + binaries := []string{ + "local.directory.seven.lnk", + "local.directory.xp.lnk", + "local.file.darwin.lnk", + "local.file.env.lnk", + "local.file.exec.lnk", + "local.file.icoset.lnk", + "local.file.seven.lnk", + "local.file.xp.lnk", + "local_cmd.lnk", + "local_unicode.lnk", + "local_win31j.lnk", + "microsoft.lnk", + "native.2008srv.01.lnk", + "native.2008srv.02.lnk", + "native.2008srv.03.lnk", + "native.2008srv.04.lnk", + "native.2008srv.05.lnk", + "native.2008srv.06.lnk", + "native.2008srv.07.lnk", + "native.2008srv.08.lnk", + "native.2008srv.09.lnk", + "native.2008srv.10.lnk", + "native.2008srv.11.lnk", + "native.2008srv.12.lnk", + "native.2008srv.13.lnk", + "native.2008srv.14.lnk", + "native.2008srv.15.lnk", + "native.2008srv.16.lnk", + "native.2008srv.17.lnk", + "native.2008srv.18.lnk", + "native.2008srv.19.lnk", + "native.2008srv.20.lnk", + "native.seven.01.lnk", + "native.seven.02.lnk", + "native.seven.03.lnk", + "native.seven.04.lnk", + 
"native.seven.05.lnk", + "native.seven.06.lnk", + "native.seven.07.lnk", + "native.seven.08.lnk", + "native.seven.09.lnk", + "native.seven.10.lnk", + "native.seven.11.lnk", + "native.seven.12.lnk", + "native.seven.13.lnk", + "native.seven.14.lnk", + "native.seven.15.lnk", + "native.seven.16.lnk", + "native.seven.17.lnk", + "native.seven.18.lnk", + "native.seven.19.lnk", + "native.seven.20.lnk", + "native.xp.01.lnk", + "native.xp.02.lnk", + "native.xp.03.lnk", + "native.xp.04.lnk", + "native.xp.05.lnk", + "native.xp.06.lnk", + "native.xp.07.lnk", + "native.xp.08.lnk", + "native.xp.09.lnk", + "native.xp.10.lnk", + "native.xp.11.lnk", + "native.xp.12.lnk", + "native.xp.13.lnk", + "native.xp.14.lnk", + "native.xp.15.lnk", + "native.xp.16.lnk", + "native.xp.17.lnk", + "native.xp.18.lnk", + "native.xp.19.lnk", + "native.xp.20.lnk", + "net_unicode.lnk", + "net_unicode2.lnk", + "net_win31j.lnk", + "remote.directory.xp.lnk", + "remote.file.aidlist.lnk", + "remote.file.xp.lnk", + } + for _, binary := range binaries { + t.Run(binary, func(t *testing.T) { + f, err := os.Open("../fixtures/lnk/" + binary) + require.NoError(t, err) + defer f.Close() + + info, err := Parse(f) + require.NoError(t, err) + + expectedFile := "../fixtures/lnk/" + binary + ".fingerprint" + if generate { + data, err := json.MarshalIndent(info, "", " ") + require.NoError(t, err) + require.NoError(t, ioutil.WriteFile(expectedFile, data, 0644)) + } else { + fixture, err := os.Open(expectedFile) + require.NoError(t, err) + defer fixture.Close() + expected, err := ioutil.ReadAll(fixture) + require.NoError(t, err) + + data, err := json.Marshal(info) + require.NoError(t, err) + require.JSONEq(t, string(expected), string(data)) + } + }) + } +} diff --git a/libbeat/formats/lnk/location.go b/libbeat/formats/lnk/location.go new file mode 100644 index 000000000000..69ea649b1161 --- /dev/null +++ b/libbeat/formats/lnk/location.go 
@@ -0,0 +1,222 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package lnk + +import ( + "encoding/binary" + "errors" + "fmt" + "io" + + "github.com/elastic/beats/v7/libbeat/formats/common" +) + +const ( + // location flags + volumeIDAndLocalBasePath uint32 = 1 << iota + commonNetworkRelativeLinkAndPathSuffix +) + +const ( + // network share flags + validDevice uint32 = 1 << iota + validNetType +) + +var ( + driveTypes = []string{ + "DRIVE_UNKNOWN", + "DRIVE_NO_ROOT_DIR", + "DRIVE_REMOVABLE", + "DRIVE_FIXED", + "DRIVE_REMOTE", + "DRIVE_CDROM", + "DRIVE_RAMDISK", + } + locationFlags = map[uint32]string{ + volumeIDAndLocalBasePath: "VolumeIDAndLocalBasePath", + commonNetworkRelativeLinkAndPathSuffix: "CommonNetworkRelativeLinkAndPathSuffix", + } + networkShareFlags = map[uint32]string{ + validDevice: "ValidDevice", + validNetType: "ValidNetType", + } + // https://github.com/libyal/liblnk/blob/master/documentation/Windows%20Shortcut%20File%20(LNK)%20format.asciidoc#432-network-provider-types + providerTypes = map[uint32]string{ + 0x001a0000: "WNNC_NET_AVID", + 0x001b0000: "WNNC_NET_DOCUSPACE", + 0x001c0000: "WNNC_NET_MANGOSOFT", + 0x001d0000: "WNNC_NET_SERNET", + 0x001e0000: "WNNC_NET_RIVERFRONT1", + 0x001f0000: 
"WNNC_NET_RIVERFRONT2", + 0x00200000: "WNNC_NET_DECORB", + 0x00210000: "WNNC_NET_PROTSTOR", + 0x00220000: "WNNC_NET_FJ_REDIR", + 0x00230000: "WNNC_NET_DISTINCT", + 0x00240000: "WNNC_NET_TWINS", + 0x00250000: "WNNC_NET_RDR2SAMPLE", + 0x00260000: "WNNC_NET_CSC", + 0x00270000: "WNNC_NET_3IN1", + 0x00290000: "WNNC_NET_EXTENDNET", + 0x002a0000: "WNNC_NET_STAC", + 0x002b0000: "WNNC_NET_FOXBAT", + 0x002c0000: "WNNC_NET_YAHOO", + 0x002d0000: "WNNC_NET_EXIFS", + 0x002e0000: "WNNC_NET_DAV", + 0x002f0000: "WNNC_NET_KNOWARE", + 0x00300000: "WNNC_NET_OBJECT_DIRE", + 0x00310000: "WNNC_NET_MASFAX", + 0x00320000: "WNNC_NET_HOB_NFS", + 0x00330000: "WNNC_NET_SHIVA", + 0x00340000: "WNNC_NET_IBMAL", + 0x00350000: "WNNC_NET_LOCK", + 0x00360000: "WNNC_NET_TERMSRV", + 0x00370000: "WNNC_NET_SRT", + 0x00380000: "WNNC_NET_QUINCY", + 0x00390000: "WNNC_NET_OPENAFS", + 0x003a0000: "WNNC_NET_AVID1", + 0x003b0000: "WNNC_NET_DFS", + 0x003c0000: "WNNC_NET_KWNP", + 0x003d0000: "WNNC_NET_ZENWORKS", + 0x003e0000: "WNNC_NET_DRIVEONWEB", + 0x003f0000: "WNNC_NET_VMWARE", + 0x00400000: "WNNC_NET_RSFX", + 0x00410000: "WNNC_NET_MFILES", + 0x00420000: "WNNC_NET_MS_NFS", + 0x00430000: "WNNC_NET_GOOGLE", + } +) + +func parseLocationInfo(header *Header, offset int64, r io.ReaderAt) (*Location, int64, error) { + // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/6813269d-0cc8-4be2-933f-e96e8e3412dc + if !hasFlag(header.rawLinkFlags, hasLinkInfo) { + return nil, offset, nil + } + size, data, err := readU32Data(offset, r) + if err != nil { + return nil, 0, err + } + if size < 28 { + return nil, 0, errors.New("invalid location info") + } + flags := binary.LittleEndian.Uint32(data[8:12]) + volumeOffset := binary.LittleEndian.Uint32(data[12:16]) + localBasePathOffset := binary.LittleEndian.Uint32(data[16:20]) + networkOffset := binary.LittleEndian.Uint32(data[20:24]) + commonOffset := binary.LittleEndian.Uint32(data[24:28]) + + var volume *Volume + var localBasePath string + if hasFlag(flags, 
volumeIDAndLocalBasePath) { + localBasePath = common.ReadString(data, int(localBasePathOffset)) + if volumeOffset >= size { + return nil, 0, errors.New("invalid volume offset") + } + volume, err = parseVolumeInfo(data[volumeOffset:]) + if err != nil { + return nil, 0, err + } + } + + var networkShare *NetworkShare + if hasFlag(flags, commonNetworkRelativeLinkAndPathSuffix) { + if networkOffset >= size { + return nil, 0, errors.New("invalid network share offset") + } + networkShare, err = parseNetworkShareInfo(data[networkOffset:]) + if err != nil { + return nil, 0, err + } + } + + commonPathSuffix := common.ReadString(data, int(commonOffset)) + + return &Location{ + Flags: parseFlags(locationFlags, flags), + LocalBasePath: localBasePath, + CommonPathSuffix: commonPathSuffix, + Volume: volume, + NetworkShare: networkShare, + }, offset + int64(size), nil +} + +func parseVolumeInfo(data []byte) (*Volume, error) { + if len(data) < 16 { + return nil, errors.New("invalid volume info") + } + size := binary.LittleEndian.Uint32(data[0:4]) + if uint32(len(data)) < size { + return nil, errors.New("invalid volume info") + } + driveType := binary.LittleEndian.Uint32(data[4:8]) + driveSerialNumber := binary.LittleEndian.Uint32(data[8:12]) + volumeLabelOffset := binary.LittleEndian.Uint32(data[12:16]) + hasUnicodeLabel := volumeLabelOffset == 0x00000014 + var volumeLabel string + if hasUnicodeLabel { + if len(data) < 20 { + return nil, errors.New("invalid volume info") + } + volumeLabelOffset = binary.LittleEndian.Uint32(data[16:20]) + volumeLabel = common.ReadUnicode(data, int(volumeLabelOffset)) + } else { + volumeLabel = common.ReadString(data, int(volumeLabelOffset)) + } + + normalizedDriveType := "DRIVE_UNKNOWN" + if uint32(len(driveTypes)) > driveType { + normalizedDriveType = driveTypes[driveType] + } + return &Volume{ + DriveType: normalizedDriveType, + DriveSerialNumber: fmt.Sprintf("0x%08x", driveSerialNumber), + VolumeLabel: volumeLabel, + }, nil +} + +func 
parseNetworkShareInfo(data []byte) (*NetworkShare, error) { + if len(data) < 20 { + return nil, errors.New("invalid network share info") + } + size := binary.LittleEndian.Uint32(data[0:4]) + if uint32(len(data)) < size { + return nil, errors.New("invalid network share info") + } + flags := binary.LittleEndian.Uint32(data[4:8]) + shareNameOffset := binary.LittleEndian.Uint32(data[8:12]) + deviceNameOffset := binary.LittleEndian.Uint32(data[12:16]) + providerType := binary.LittleEndian.Uint32(data[16:20]) + normalizedFlags := parseFlags(networkShareFlags, flags) + var normalizedProviderType string + if hasFlag(flags, validNetType) { + if found, ok := providerTypes[providerType]; ok { + normalizedProviderType = found + } + } + shareName := common.ReadString(data, int(shareNameOffset)) + var deviceName string + if hasFlag(flags, validDevice) { + deviceName = common.ReadString(data, int(deviceNameOffset)) + } + return &NetworkShare{ + Name: shareName, + DeviceName: deviceName, + Flags: normalizedFlags, + ProviderType: normalizedProviderType, + }, nil +} diff --git a/libbeat/formats/lnk/shellbag.go b/libbeat/formats/lnk/shellbag.go new file mode 100644 index 000000000000..6d4cb349fa43 --- /dev/null +++ b/libbeat/formats/lnk/shellbag.go 
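Review bot: `parseLocationInfo` never reads the LinkInfoHeaderSize field at `data[4:8]`; per the MS-SHLLINK page it cites, when that value is 0x24 or greater the header also carries LocalBasePathOffsetUnicode and CommonPathSuffixOffsetUnicode, which this parser ignores, so Unicode-only link info (cf. the `local_unicode.lnk` fixtures) is reported from the ANSI fields only; at minimum validate that the header size is 0x1C or at least 0x24 and reject anything else. Offsets are also checked inconsistently: `volumeOffset` and `networkOffset` get a `>= size` guard, but `localBasePathOffset` and `commonOffset` go straight to `common.ReadString`, as do `shareNameOffset`/`deviceNameOffset` and both volume-label offsets; unless `common.ReadString`/`ReadUnicode` are documented to tolerate out-of-range offsets, those need the same guard. `parseVolumeInfo` and `parseNetworkShareInfo` correctly check `len(data) < size` before trusting the embedded size, which is the pattern the caller should follow too.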
@@ -0,0 +1,85 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package lnk + +import ( + "encoding/binary" + "encoding/hex" + "errors" + "io" + + sha256 "github.com/minio/sha256-simd" +) + +func parseShellbags(header *Header, offset int64, r io.ReaderAt) ([]Shellbag, int64, error) { + if !hasFlag(header.rawLinkFlags, hasTargetIDList) { + return nil, offset, nil + } + + sizeData := make([]byte, 2) + n, err := r.ReadAt(sizeData, offset) + if err != nil { + return nil, 0, err + } + if n != 2 { + return nil, 0, errors.New("invalid target list") + } + offset += 2 + size := binary.LittleEndian.Uint16(sizeData) + data := make([]byte, size) + n, err = r.ReadAt(data, offset) + if err != nil { + return nil, 0, err + } + if n != int(size) { + return nil, 0, errors.New("invalid target list size") + } + shellbags, err := parseShellbagList(data) + return shellbags, offset + int64(size), err +} + +func parseShellbagList(data []byte) ([]Shellbag, error) { + // https://github.com/libyal/libfwsi/blob/master/documentation/Windows%20Shell%20Item%20format.asciidoc#2-shell-item-list + shellbags := []Shellbag{} + offset := 0 + for { + shellbagData := data[offset:] + if len(shellbagData) < 3 { + // early end + return shellbags, nil + } + 
shellbagSize := binary.LittleEndian.Uint16(shellbagData[0:2]) + if shellbagSize == 0 { + return shellbags, nil + } + if len(shellbagData) < int(shellbagSize) { + // we have an invalid target + return shellbags, nil + } + shellbagData = shellbagData[:shellbagSize] + shellbagType := shellbagData[2] + hash := sha256.Sum256(shellbagData[3:]) + shellbags = append(shellbags, Shellbag{ + Name: getShellbagName(shellbagType, shellbagData[3:]), + Size: shellbagSize, + TypeID: shellbagType, + SHA256: hex.EncodeToString(hash[:]), + }) + offset += int(shellbagSize) + } +} diff --git a/libbeat/formats/lnk/strings.go b/libbeat/formats/lnk/strings.go new file mode 100644 index 000000000000..ed232161b6a4 --- /dev/null +++ b/libbeat/formats/lnk/strings.go 
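Review bot: `parseShellbagList` guards `len(shellbagData) < 3` on the remaining buffer but not on the item itself, so an item whose size field is 1 or 2 is truncated to `shellbagData[:shellbagSize]` and then `shellbagData[2]` panics with an index out of range; add `if shellbagSize < 3 { return shellbags, errors.New("invalid shell item size") }` next to the `shellbagSize == 0` check (the `errors` import is already present). Related: truncated or malformed items silently end the list with `return shellbags, nil` ("early end", "invalid target"); for a forensic parser it is more useful to return an error or set a flag on the result so an analyst can tell a clean file from a damaged one. Naming: these are shell items from the LinkTargetIDList (the libfwsi document cited is the Shell Item format), whereas "shellbags" normally means the BagMRU/Bags registry keys that store such items, so `Shellbag`/`parseShellbags` may mislead readers. Dependency: `github.com/minio/sha256-simd` is introduced to hash a few dozen bytes per item; the standard library's `crypto/sha256` already has assembly implementations on amd64 and avoids adding a third-party module to the supply chain for this.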
@@ -0,0 +1,80 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package lnk + +import ( + "encoding/binary" + "errors" + "io" + + "github.com/elastic/beats/v7/libbeat/formats/common" +) + +func readU16Data(offset int64, r io.ReaderAt, hasUnicode bool) (uint16, []byte, error) { + sizeData := make([]byte, 2) + n, err := r.ReadAt(sizeData, offset) + if err != nil { + return 0, nil, err + } + if n != 2 { + return 0, nil, errors.New("invalid size") + } + size := binary.LittleEndian.Uint16(sizeData) + if hasUnicode { + size *= 2 + } + data := make([]byte, size) + n, err = r.ReadAt(data, offset+2) + if uint16(n) != size { + return 0, nil, errors.New("invalid data") + } + return size, data, nil +} + +func readU32Data(offset int64, r io.ReaderAt) (uint32, []byte, error) { + sizeData := make([]byte, 4) + n, err := r.ReadAt(sizeData, offset) + if err != nil { + return 0, nil, err + } + if n != 4 { + return 0, nil, errors.New("invalid size") + } + size := binary.LittleEndian.Uint32(sizeData) + data := make([]byte, size) + n, err = r.ReadAt(data, offset) + if uint32(n) != size { + return 0, nil, errors.New("invalid data") + } + return size, data, nil +} + +func readDataString(header *Header, flag uint32, offset int64, r io.ReaderAt) 
(string, int64, error) { + if !hasFlag(header.rawLinkFlags, flag) { + return "", offset, nil + } + hasUnicode := hasFlag(header.rawLinkFlags, isUnicode) + size, data, err := readU16Data(offset, r, hasUnicode) + if err != nil { + return "", 0, err + } + if hasUnicode { + return common.ReadUnicode(data, 0), offset + 2 + int64(size), nil + } + return common.ReadString(data, 0), offset + 2 + int64(size), nil +} diff --git a/libbeat/formats/macho/.gitignore b/libbeat/formats/macho/.gitignore new file mode 100644 index 000000000000..ceeded8e4bd6 --- /dev/null +++ b/libbeat/formats/macho/.gitignore @@ -0,0 +1,4 @@ +corpus +suppressions +crashers +macho-fuzz.zip diff --git a/libbeat/formats/macho/command.go b/libbeat/formats/macho/command.go new file mode 100644 index 000000000000..f4d2c4140c55 --- /dev/null +++ b/libbeat/formats/macho/command.go 
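Review bot: in `readU16Data`, `size *= 2` is performed on a `uint16`, so a character count of 0x8000 or more wraps (0x8000*2 == 0) and the function silently returns a short or empty buffer while `readDataString` advances `offset` by only `2 + size`, desynchronising every structure that follows; compute the byte length as an `int` (`n := int(size); if hasUnicode { n *= 2 }`) and return that. In the same function the `err` from the second `r.ReadAt` is assigned but never inspected (the `n` comparison catches short reads, but checking `err` is clearer and matches `readU32Data`). `readU32Data` calls `make([]byte, size)` with a size taken straight from the file, so a crafted LNK can request an allocation of up to 4 GiB before any validation happens; cap it against the underlying file size or a sane maximum for LinkInfo. Also worth a comment: `readU32Data` reads `size` bytes starting at `offset`, so the returned slice includes the 4-byte size field itself (its caller indexes from 8), whereas `readU16Data` reads from `offset+2` and excludes it.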
@@ -0,0 +1,138 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package macho + +import "debug/macho" + +func translateLoadType(loadType uint32) string { + switch loadType { + case 0x80000000: + return "LC_REQ_DYLD" + case 0x80000018: + return "LC_LOAD_WEAK_DYLIB" + case 0x8000001c: + return "LC_RPATH" + case 0x8000001f: + return "LC_REEXPORT_DYLIB" + case 0x80000022: + return "LC_DYLD_INFO_ONLY" + case 0x80000023: + return "LC_LOAD_UPWARD_DYLIB" + case 0x80000028: + return "LC_MAIN" + case 0x1: + return "LC_SEGMENT" + case 0x2: + return "LC_SYMTAB" + case 0x3: + return "LC_SYMSEG" + case 0x4: + return "LC_THREAD" + case 0x5: + return "LC_UNIXTHREAD" + case 0x6: + return "LC_LOADFVMLIB" + case 0x7: + return "LC_IDFVMLIB" + case 0x8: + return "LC_IDENT" + case 0x9: + return "LC_FVMFILE" + case 0xa: + return "LC_PREPAGE" + case 0xb: + return "LC_DYSYMTAB" + case 0xc: + return "LC_LOAD_DYLIB" + case 0xd: + return "LC_ID_DYLIB" + case 0xe: + return "LC_LOAD_DYLINKER" + case 0xf: + return "LC_ID_DYLINKER" + case 0x10: + return "LC_PREBOUND_DYLIB" + case 0x11: + return "LC_ROUTINES" + case 0x12: + return "LC_SUB_FRAMEWORK" + case 0x13: + return "LC_SUB_UMBRELLA" + case 0x14: + return "LC_SUB_CLIENT" + case 0x15: + return 
"LC_SUB_LIBRARY" + case 0x16: + return "LC_TWOLEVEL_HINTS" + case 0x17: + return "LC_PREBIND_CKSUM" + case 0x19: + return "LC_SEGMENT_64" + case 0x1a: + return "LC_ROUTINES_64" + case 0x1b: + return "LC_UUID" + case 0x1d: + return "LC_CODE_SIGNATURE" + case 0x1e: + return "LC_SEGMENT_SPLIT_INFO" + case 0x20: + return "LC_LAZY_LOAD_DYLIB" + case 0x21: + return "LC_ENCRYPTION_INFO" + case 0x22: + return "LC_DYLD_INFO" + case 0x24: + return "LC_VERSION_MIN_MACOSX" + case 0x25: + return "LC_VERSION_MIN_IPHONEOS" + case 0x26: + return "LC_FUNCTION_STARTS" + case 0x27: + return "LC_DYLD_ENVIRONMENT" + case 0x29: + return "LC_DATA_IN_CODE" + case 0x2A: + return "LC_SOURCE_VERSION" + case 0x2B: + return "LC_DYLIB_CODE_SIGN_DRS" + case 0x2C: + return "LC_ENCRYPTION_INFO_64" + case 0x2D: + return "LC_LINKER_OPTION" + case 0x2E: + return "LC_LINKER_OPTIMIZATION_HINT" + default: + return "LC_UNKNOWN" + } +} + +func loadCommands(f *macho.File) []Command { + commands := make([]Command, len(f.Loads)) + for i, load := range f.Loads { + data := load.Raw() + loadType := f.ByteOrder.Uint32(data[0:4]) + command := Command{ + Number: int64(loadType), + Size: int64(f.ByteOrder.Uint32(data[4:8])), + } + command.Type = translateLoadType(loadType) + commands[i] = command + } + return commands +} diff --git a/libbeat/formats/macho/cpu.go b/libbeat/formats/macho/cpu.go new file mode 100644 index 000000000000..f1fd41543d46 --- /dev/null +++ b/libbeat/formats/macho/cpu.go 
@@ -0,0 +1,213 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package macho + +import "debug/macho" + +const ( + CPU_SUBTYPE_MASK uint32 = 0x00ffffff + CPU_ARCH_ABI64 uint32 = 0x01000000 + CPU_ARCH_ABI64_32 uint32 = 0x02000000 + + // cpu types + CPU_TYPE_VAX uint32 = 1 + CPU_TYPE_MC680X0 uint32 = 6 + CPU_TYPE_X86 uint32 = 7 + CPU_TYPE_I386 uint32 = CPU_TYPE_X86 + CPU_TYPE_X86_64 uint32 = CPU_TYPE_X86 | CPU_ARCH_ABI64 + CPU_TYPE_MIPS uint32 = 8 + CPU_TYPE_MC98000 uint32 = 10 + CPU_TYPE_HPPA uint32 = 11 + CPU_TYPE_ARM uint32 = 12 + CPU_TYPE_ARM64 uint32 = CPU_TYPE_ARM | CPU_ARCH_ABI64 + CPU_TYPE_ARM64_32 uint32 = CPU_TYPE_ARM | CPU_ARCH_ABI64_32 + CPU_TYPE_MC88000 uint32 = 13 + CPU_TYPE_SPARC uint32 = 14 + CPU_TYPE_I860 uint32 = 15 + CPU_TYPE_ALPHA uint32 = 16 + CPU_TYPE_POWERPC uint32 = 18 + CPU_TYPE_POWERPC64 uint32 = CPU_TYPE_POWERPC | CPU_ARCH_ABI64 + + // cpu sub-types + CPU_SUBTYPE_LITTLE_ENDIAN uint32 = 0 + CPU_SUBTYPE_BIG_ENDIAN uint32 = 1 + CPU_SUBTYPE_VAX_ALL uint32 = 0 + CPU_SUBTYPE_VAX780 uint32 = 1 + CPU_SUBTYPE_VAX785 uint32 = 2 + CPU_SUBTYPE_VAX750 uint32 = 3 + CPU_SUBTYPE_VAX730 uint32 = 4 + CPU_SUBTYPE_UVAXI uint32 = 5 + CPU_SUBTYPE_UVAXII uint32 = 6 + CPU_SUBTYPE_VAX8200 uint32 = 7 + 
CPU_SUBTYPE_VAX8500 uint32 = 8 + CPU_SUBTYPE_VAX8600 uint32 = 9 + CPU_SUBTYPE_VAX8650 uint32 = 10 + CPU_SUBTYPE_VAX8800 uint32 = 11 + CPU_SUBTYPE_UVAXIII uint32 = 12 + CPU_SUBTYPE_MC680X0_ALL uint32 = 1 + CPU_SUBTYPE_MC68030 uint32 = 1 + CPU_SUBTYPE_MC68040 uint32 = 2 + CPU_SUBTYPE_MC68030_ONLY uint32 = 3 + CPU_SUBTYPE_I386_ALL uint32 = 3 + CPU_SUBTYPE_386 uint32 = 3 + CPU_SUBTYPE_486 uint32 = 4 + CPU_SUBTYPE_486SX uint32 = 4 + (8 << 4) + CPU_SUBTYPE_586 uint32 = 5 + CPU_SUBTYPE_PENT uint32 = 5 + CPU_SUBTYPE_PENTPRO uint32 = 6 + (1 << 4) + CPU_SUBTYPE_PENTII_M3 uint32 = 6 + (3 << 4) + CPU_SUBTYPE_PENTII_M5 uint32 = 6 + (5 << 4) + CPU_SUBTYPE_CELERON uint32 = 7 + (6 << 4) + CPU_SUBTYPE_CELERON_MOBILE uint32 = 7 + (7 << 4) + CPU_SUBTYPE_PENTIUM_3 uint32 = 8 + CPU_SUBTYPE_PENTIUM_3_M uint32 = 8 + (1 << 4) + CPU_SUBTYPE_PENTIUM_3_XEON uint32 = 8 + (2 << 4) + CPU_SUBTYPE_PENTIUM_M uint32 = 9 + CPU_SUBTYPE_PENTIUM_4 uint32 = 10 + CPU_SUBTYPE_PENTIUM_4_M uint32 = 10 + (1 << 4) + CPU_SUBTYPE_ITANIUM uint32 = 11 + CPU_SUBTYPE_ITANIUM_2 uint32 = 11 + (1 << 4) + CPU_SUBTYPE_XEON uint32 = 12 + CPU_SUBTYPE_XEON_MP uint32 = 12 + (1 << 4) + CPU_SUBTYPE_INTEL_FAMILY_MAX uint32 = 15 + CPU_SUBTYPE_INTEL_MODEL_ALL uint32 = 0 + CPU_SUBTYPE_X86_ALL uint32 = 3 + CPU_SUBTYPE_X86_64_ALL uint32 = 3 + CPU_SUBTYPE_X86_ARCH1 uint32 = 4 + CPU_SUBTYPE_X86_64_H uint32 = 8 + CPU_SUBTYPE_MIPS_ALL uint32 = 0 + CPU_SUBTYPE_MIPS_R2300 uint32 = 1 + CPU_SUBTYPE_MIPS_R2600 uint32 = 2 + CPU_SUBTYPE_MIPS_R2800 uint32 = 3 + CPU_SUBTYPE_MIPS_R2000A uint32 = 4 + CPU_SUBTYPE_MIPS_R2000 uint32 = 5 + CPU_SUBTYPE_MIPS_R3000A uint32 = 6 + CPU_SUBTYPE_MIPS_R3000 uint32 = 7 + CPU_SUBTYPE_MC98000_ALL uint32 = 0 + CPU_SUBTYPE_MC98601 uint32 = 1 + CPU_SUBTYPE_HPPA_ALL uint32 = 0 + CPU_SUBTYPE_HPPA_7100 uint32 = 0 + CPU_SUBTYPE_HPPA_7100LC uint32 = 1 + CPU_SUBTYPE_MC88000_ALL uint32 = 0 + CPU_SUBTYPE_MC88100 uint32 = 1 + CPU_SUBTYPE_MC88110 uint32 = 2 + CPU_SUBTYPE_SPARC_ALL uint32 = 0 + CPU_SUBTYPE_I860_ALL uint32 = 0 
+ CPU_SUBTYPE_I860_860 uint32 = 1 + CPU_SUBTYPE_POWERPC_ALL uint32 = 0 + CPU_SUBTYPE_POWERPC_601 uint32 = 1 + CPU_SUBTYPE_POWERPC_602 uint32 = 2 + CPU_SUBTYPE_POWERPC_603 uint32 = 3 + CPU_SUBTYPE_POWERPC_603E uint32 = 4 + CPU_SUBTYPE_POWERPC_603EV uint32 = 5 + CPU_SUBTYPE_POWERPC_604 uint32 = 6 + CPU_SUBTYPE_POWERPC_604E uint32 = 7 + CPU_SUBTYPE_POWERPC_620 uint32 = 8 + CPU_SUBTYPE_POWERPC_750 uint32 = 9 + CPU_SUBTYPE_POWERPC_7400 uint32 = 10 + CPU_SUBTYPE_POWERPC_7450 uint32 = 11 + CPU_SUBTYPE_POWERPC_970 uint32 = 100 + CPU_SUBTYPE_ARM_ALL uint32 = 0 + CPU_SUBTYPE_ARM_V4T uint32 = 5 + CPU_SUBTYPE_ARM_V6 uint32 = 6 + CPU_SUBTYPE_ARM_V5TEJ uint32 = 7 + CPU_SUBTYPE_ARM_XSCALE uint32 = 8 + CPU_SUBTYPE_ARM_V7 uint32 = 9 + CPU_SUBTYPE_ARM_V7F uint32 = 10 + CPU_SUBTYPE_ARM_V7S uint32 = 11 + CPU_SUBTYPE_ARM_V7K uint32 = 12 + CPU_SUBTYPE_ARM_V6M uint32 = 14 + CPU_SUBTYPE_ARM_V7M uint32 = 15 + CPU_SUBTYPE_ARM_V7EM uint32 = 16 + CPU_SUBTYPE_ARM_V8 uint32 = 13 + CPU_SUBTYPE_ARM64_ALL uint32 = 0 + CPU_SUBTYPE_ARM64_V8 uint32 = 1 + CPU_SUBTYPE_ARM64_E uint32 = 2 + CPU_SUBTYPE_ARM64_32_ALL uint32 = 0 + CPU_SUBTYPE_ARM64_32_V8 uint32 = 1 +) + +var flagMaps = []struct { + name string + cpuType uint32 + cpuSubtype uint32 +}{ + {"ppc64", CPU_TYPE_POWERPC64, CPU_SUBTYPE_POWERPC_ALL}, + {"x86_64", CPU_TYPE_X86_64, CPU_SUBTYPE_X86_64_ALL}, + {"x86_64h", CPU_TYPE_X86_64, CPU_SUBTYPE_X86_64_H}, + {"arm64", CPU_TYPE_ARM64, CPU_SUBTYPE_ARM64_ALL}, + {"arm64_32", CPU_TYPE_ARM64_32, CPU_SUBTYPE_ARM64_32_ALL}, + {"ppc970-64", CPU_TYPE_POWERPC64, CPU_SUBTYPE_POWERPC_970}, + {"ppc", CPU_TYPE_POWERPC, CPU_SUBTYPE_POWERPC_ALL}, + {"i386", CPU_TYPE_I386, CPU_SUBTYPE_I386_ALL}, + {"m68k", CPU_TYPE_MC680X0, CPU_SUBTYPE_MC680X0_ALL}, + {"hppa", CPU_TYPE_HPPA, CPU_SUBTYPE_HPPA_ALL}, + {"sparc", CPU_TYPE_SPARC, CPU_SUBTYPE_SPARC_ALL}, + {"m88k", CPU_TYPE_MC88000, CPU_SUBTYPE_MC88000_ALL}, + {"i860", CPU_TYPE_I860, CPU_SUBTYPE_I860_ALL}, + {"arm", CPU_TYPE_ARM, CPU_SUBTYPE_ARM_ALL}, + {"ppc601", 
CPU_TYPE_POWERPC, CPU_SUBTYPE_POWERPC_601}, + {"ppc603", CPU_TYPE_POWERPC, CPU_SUBTYPE_POWERPC_603}, + {"ppc603e", CPU_TYPE_POWERPC, CPU_SUBTYPE_POWERPC_603E}, + {"ppc603ev", CPU_TYPE_POWERPC, CPU_SUBTYPE_POWERPC_603EV}, + {"ppc604", CPU_TYPE_POWERPC, CPU_SUBTYPE_POWERPC_604}, + {"ppc604e", CPU_TYPE_POWERPC, CPU_SUBTYPE_POWERPC_604E}, + {"ppc750", CPU_TYPE_POWERPC, CPU_SUBTYPE_POWERPC_750}, + {"ppc7400", CPU_TYPE_POWERPC, CPU_SUBTYPE_POWERPC_7400}, + {"ppc7450", CPU_TYPE_POWERPC, CPU_SUBTYPE_POWERPC_7450}, + {"ppc970", CPU_TYPE_POWERPC, CPU_SUBTYPE_POWERPC_970}, + {"i486", CPU_TYPE_I386, CPU_SUBTYPE_486}, + {"i486SX", CPU_TYPE_I386, CPU_SUBTYPE_486SX}, + {"i586", CPU_TYPE_I386, CPU_SUBTYPE_586}, + {"i686", CPU_TYPE_I386, CPU_SUBTYPE_PENTPRO}, + {"pentIIm3", CPU_TYPE_I386, CPU_SUBTYPE_PENTII_M3}, + {"pentIIm5", CPU_TYPE_I386, CPU_SUBTYPE_PENTII_M5}, + {"pentium4", CPU_TYPE_I386, CPU_SUBTYPE_PENTIUM_4}, + {"m68030", CPU_TYPE_MC680X0, CPU_SUBTYPE_MC68030_ONLY}, + {"m68040", CPU_TYPE_MC680X0, CPU_SUBTYPE_MC68040}, + {"hppa7100LC", CPU_TYPE_HPPA, CPU_SUBTYPE_HPPA_7100LC}, + {"armv4t", CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V4T}, + {"armv5", CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V5TEJ}, + {"xscale", CPU_TYPE_ARM, CPU_SUBTYPE_ARM_XSCALE}, + {"armv6", CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V6}, + {"armv6m", CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V6M}, + {"armv7", CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7}, + {"armv7f", CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7F}, + {"armv7s", CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7S}, + {"armv7k", CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7K}, + {"armv7m", CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7M}, + {"armv7em", CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7EM}, + {"arm64v8", CPU_TYPE_ARM64, CPU_SUBTYPE_ARM64_V8}, + {"arm64e", CPU_TYPE_ARM64, CPU_SUBTYPE_ARM64_E}, + {"arm64_32_v8", CPU_TYPE_ARM64_32, CPU_SUBTYPE_ARM64_32_V8}, + // others + {"pentium", CPU_TYPE_I386, CPU_SUBTYPE_PENT}, + {"pentpro", CPU_TYPE_I386, CPU_SUBTYPE_PENTPRO}, + {"x86", CPU_TYPE_I386, CPU_SUBTYPE_I386_ALL}, +} + +// the default string translations are 
gross +func translateCPU(cpu macho.Cpu, subtype uint32) string { + cputype := uint32(cpu) + for _, cpuMapping := range flagMaps { + if cpuMapping.cpuType == cputype && cpuMapping.cpuSubtype == (CPU_SUBTYPE_MASK&subtype) { + return cpuMapping.name + } + } + return "unknown" +} diff --git a/libbeat/formats/macho/header_flags.go b/libbeat/formats/macho/header_flags.go new file mode 100644 index 000000000000..137abc58c621 --- /dev/null +++ b/libbeat/formats/macho/header_flags.go 
@@ -0,0 +1,102 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package macho + +func headerFlags(flags uint32) []string { + flagNames := []string{} + if (flags & 0x1) > 0 { + flagNames = append(flagNames, "MH_NOUNDEFS") + } + if (flags & 0x2) > 0 { + flagNames = append(flagNames, "MH_INCRLINK") + } + if (flags & 0x4) > 0 { + flagNames = append(flagNames, "MH_DYLDLINK") + } + if (flags & 0x8) > 0 { + flagNames = append(flagNames, "MH_BINDATLOAD") + } + if (flags & 0x10) > 0 { + flagNames = append(flagNames, "MH_PREBOUND") + } + if (flags & 0x20) > 0 { + flagNames = append(flagNames, "MH_SPLIT_SEGS") + } + if (flags & 0x40) > 0 { + flagNames = append(flagNames, "MH_LAZY_INIT") + } + if (flags & 0x80) > 0 { + flagNames = append(flagNames, "MH_TWOLEVEL") + } + if (flags & 0x100) > 0 { + flagNames = append(flagNames, "MH_FORCE_FLAT") + } + if (flags & 0x200) > 0 { + flagNames = append(flagNames, "MH_NOMULTIDEFS") + } + + if (flags & 0x400) > 0 { + flagNames = append(flagNames, "MH_NOFIXPREBINDING") + } + if (flags & 0x800) > 0 { + flagNames = append(flagNames, "MH_PREBINDABLE") + } + if (flags & 0x1000) > 0 { + flagNames = append(flagNames, "MH_ALLMODSBOUND") + } + if (flags & 0x2000) > 0 { + flagNames = append(flagNames, 
"MH_SUBSECTIONS_VIA_SYMBOLS") + } + if (flags & 0x4000) > 0 { + flagNames = append(flagNames, "MH_CANONICAL") + } + if (flags & 0x8000) > 0 { + flagNames = append(flagNames, "MH_WEAK_DEFINES") + } + if (flags & 0x10000) > 0 { + flagNames = append(flagNames, "MH_BINDS_TO_WEAK") + } + if (flags & 0x20000) > 0 { + flagNames = append(flagNames, "MH_ALLOW_STACK_EXECUTION") + } + if (flags & 0x40000) > 0 { + flagNames = append(flagNames, "MH_ROOT_SAFE") + } + if (flags & 0x80000) > 0 { + flagNames = append(flagNames, "MH_SETUID_SAFE") + } + if (flags & 0x100000) > 0 { + flagNames = append(flagNames, "MH_NO_REEXPORTED_DYLIBS") + } + if (flags & 0x200000) > 0 { + flagNames = append(flagNames, "MH_PIE") + } + if (flags & 0x400000) > 0 { + flagNames = append(flagNames, "MH_DEAD_STRIPPABLE_DYLIB") + } + if (flags & 0x800000) > 0 { + flagNames = append(flagNames, "MH_HAS_TLV_DESCRIPTORS") + } + if (flags & 0x1000000) > 0 { + flagNames = append(flagNames, "MH_NO_HEAP_EXECUTION") + } + if (flags & 0x2000000) > 0 { + flagNames = append(flagNames, "MH_APP_EXTENSION_SAFE") + } + return flagNames +} diff --git a/libbeat/formats/macho/macho.go b/libbeat/formats/macho/macho.go new file mode 100644 index 000000000000..ebf8bba203e1 --- /dev/null +++ b/libbeat/formats/macho/macho.go 
@@ -0,0 +1,226 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package macho + +import ( + "debug/macho" + "fmt" + "io" + "sort" + + "github.com/elastic/beats/v7/libbeat/formats/common" + "github.com/elastic/beats/v7/libbeat/formats/dwarf" +) + +// Command contains info about a load command +type Command struct { + Number int64 `json:"number"` + Size int64 `json:"size"` + Type string `json:"type,omitempty"` +} + +// Header contains info about the overall file structure +type Header struct { + Commands []Command `json:"commands"` + Magic string `json:"magic"` + Flags []string `json:"flags"` +} + +// Section contains information about a section in a mach-o file. 
+type Section struct { + Name string `json:"name"` + Type string `json:"type"` + Offset int64 `json:"offset"` + Size int64 `json:"size"` + Entropy float64 `json:"entropy"` + ChiSquare float64 `json:"chi2"` + Flags []string `json:"flags,omitempty"` +} + +// Segment contains info about a segment +type Segment struct { + VMAddress string `json:"vmaddr"` + Name string `json:"name"` + VMSize int64 `json:"vmsize"` + FileOffset int64 `json:"fileoff"` + FileSize int64 `json:"filesize"` + Sections []Section `json:"sections,omitempty"` + Flags []string `json:"flags,omitempty"` +} + +// Architecture represents a fat file architecture +type Architecture struct { + CPU string `json:"cpu"` + ByteOrder string `json:"byte_order"` + Type string `json:"type,omitempty"` + Header Header `json:"header"` + Debug []dwarf.DWARF `json:"debug,omitempty"` + Segments []Segment `json:"segments,omitempty"` + Libraries []string `json:"libraries,omitempty"` + Imports []string `json:"imports,omitempty"` + Packers []string `json:"packers,omitempty"` + Symhash string `json:"symhash,omitempty"` + // TODO: Add the following + // Exports []string `json:"exports,omitempty"` + // CDHash string `json:"cdhash,omitempty"` +} + +// Info contains high level fingerprinting an analysis of a mach-o file. +type Info struct { + Architectures []*Architecture `json:"architectures,omitempty"` +} + +// Parse parses the mach-o file and returns information about it or errors. 
+func Parse(r io.ReaderAt) (interface{}, error) { + machoFiles := []*macho.File{} + machoFatFile, err := macho.NewFatFile(r) + if err != nil { + if err != macho.ErrNotFat { + return nil, err + } + machoFile, err := macho.NewFile(r) + if err != nil { + return nil, err + } + machoFiles = append(machoFiles, machoFile) + } else { + for _, arch := range machoFatFile.Arches { + machoFiles = append(machoFiles, arch.File) + } + } + + architectures := make([]*Architecture, len(machoFiles)) + for i, machoFile := range machoFiles { + arch, err := parse(machoFile) + if err != nil { + return nil, err + } + architectures[i] = arch + } + return &Info{ + Architectures: architectures, + }, nil +} + +func parse(machoFile *macho.File) (*Architecture, error) { + symhash, err := symhash(machoFile) + if err != nil { + return nil, err + } + libraries, err := machoFile.ImportedLibraries() + if err != nil { + return nil, err + } + importSymbols, err := machoFile.ImportedSymbols() + if err != nil { + if _, ok := err.(*macho.FormatError); !ok { + return nil, err + } + } + + segmentMap := make(map[string]Segment) + for _, section := range machoFile.Sections { + var entropy float64 + var chiSquare float64 + + data, err := section.Data() + if err != nil { + if err != io.EOF { + return nil, err + } + } else { + entropy = common.Entropy(data) + chiSquare = common.ChiSquare(data) + } + segment, found := segmentMap[section.Seg] + if !found { + segment = Segment{ + Name: section.Seg, + } + mSegment := machoFile.Segment(section.Seg) + if mSegment != nil { + segment.VMAddress = fmt.Sprintf("0x%x", mSegment.Addr) + segment.VMSize = int64(mSegment.Memsz) + segment.FileOffset = int64(mSegment.Offset) + segment.FileSize = int64(mSegment.Filesz) + } + } + segment.Sections = append(segment.Sections, Section{ + Name: section.Name, + Size: int64(section.Size), + Offset: int64(section.Offset), + Entropy: entropy, + ChiSquare: chiSquare, + Type: sectionType(section.Flags), + Flags: sectionFlags(section.Flags), 
+ }) + segmentMap[section.Seg] = segment + } + segments := []Segment{} + for _, segment := range segmentMap { + segments = append(segments, segment) + } + sort.Slice(segments, func(i, j int) bool { + return segments[i].FileOffset < segments[j].FileOffset + }) + + info := &Architecture{ + CPU: translateCPU(machoFile.Cpu, machoFile.SubCpu), + ByteOrder: translateByteOrder(machoFile.ByteOrder.String()), + Type: machoFile.Type.String(), + Header: Header{ + Magic: fmt.Sprintf("0x%x", machoFile.Magic), + Flags: headerFlags(machoFile.Flags), + Commands: loadCommands(machoFile), + }, + Symhash: symhash, + Libraries: libraries, + Imports: importSymbols, + Segments: segments, + Packers: getPackers(machoFile), + } + + if debug, err := machoFile.DWARF(); err == nil { + // just ignore the error if we can't get DWARF information + debugSymbols, err := dwarf.Parse(debug) + if err == nil { + info.Debug = debugSymbols + } + } + return info, nil +} + +func translateByteOrder(order string) string { + switch order { + case "BigEndian": + return "big-endian" + case "LittleEndian": + return "little-endian" + default: + return "unknown" + } +} + +func getPackers(machoFile *macho.File) []string { + for _, section := range machoFile.Sections { + if section.Name == "upxTEXT" { + return []string{"upx"} + } + } + return nil +} diff --git a/libbeat/formats/macho/macho_fuzz.go b/libbeat/formats/macho/macho_fuzz.go new file mode 100644 index 000000000000..1f1b66792f1d --- /dev/null +++ b/libbeat/formats/macho/macho_fuzz.go 
@@ -0,0 +1,29 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// +build fuzz + +package macho + +import ( + "bytes" +) + +func Fuzz(data []byte) int { + Parse(bytes.NewReader(data)) + return 0 +} diff --git a/libbeat/formats/macho/macho_test.go b/libbeat/formats/macho/macho_test.go new file mode 100644 index 000000000000..e40718e7c0d1 --- /dev/null +++ b/libbeat/formats/macho/macho_test.go 
@@ -0,0 +1,61 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package macho + +import ( + "encoding/json" + "io/ioutil" + "os" + "testing" + + "github.com/stretchr/testify/require" +) + +func TestBinaries(t *testing.T) { + generate := os.Getenv("GENERATE") == "1" + binaries := []string{ + "hello-darwin", + } + for _, binary := range binaries { + t.Run(binary, func(t *testing.T) { + f, err := os.Open("../fixtures/macho/" + binary) + require.NoError(t, err) + defer f.Close() + + info, err := Parse(f) + require.NoError(t, err) + + expectedFile := "../fixtures/macho/" + binary + ".fingerprint" + if generate { + data, err := json.MarshalIndent(info, "", " ") + require.NoError(t, err) + require.NoError(t, ioutil.WriteFile(expectedFile, data, 0644)) + } else { + fixture, err := os.Open(expectedFile) + require.NoError(t, err) + defer fixture.Close() + expected, err := ioutil.ReadAll(fixture) + require.NoError(t, err) + + data, err := json.Marshal(info) + require.NoError(t, err) + require.JSONEq(t, string(expected), string(data)) + } + }) + } +} diff --git a/libbeat/formats/macho/section_flags.go b/libbeat/formats/macho/section_flags.go new file mode 100644 index 000000000000..658e763dc790 --- /dev/null 
+++ b/libbeat/formats/macho/section_flags.go 
@@ -0,0 +1,105 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package macho + +func sectionType(flags uint32) string { + maskedType := flags & 0x000000ff + switch maskedType { + case 0x00: + return "S_REGULAR" + case 0x01: + return "S_ZEROFILL" + case 0x02: + return "S_CSTRING_LITERALS" + case 0x03: + return "S_4BYTE_LITERALS" + case 0x04: + return "S_8BYTE_LITERALS" + case 0x05: + return "S_LITERAL_POINTERS" + case 0x06: + return "S_NON_LAZY_SYMBOL_POINTERS" + case 0x07: + return "S_LAZY_SYMBOL_POINTERS" + case 0x08: + return "S_SYMBOL_STUBS" + case 0x09: + return "S_MOD_INIT_FUNC_POINTERS" + case 0x0a: + return "S_MOD_TERM_FUNC_POINTERS" + case 0x0b: + return "S_COALESCED" + case 0x0c: + return "S_GB_ZEROFILL" + case 0x0d: + return "S_INTERPOSING" + case 0x0e: + return "S_16BYTE_LITERALS" + case 0x0f: + return "S_DTRACE_DOF" + case 0x10: + return "S_LAZY_DYLIB_SYMBOL_POINTERS" + case 0x11: + return "S_THREAD_LOCAL_REGULAR" + case 0x12: + return "S_THREAD_LOCAL_ZEROFILL" + case 0x13: + return "S_THREAD_LOCAL_VARIABLES" + case 0x14: + return "S_THREAD_LOCAL_VARIABLE_POINTERS" + case 0x15: + return "S_THREAD_LOCAL_INIT_FUNCTION_POINTERS" + default: + return "UNKNOWN" + } +} + +func sectionFlags(flags uint32) []string 
{ + flagNames := []string{} + if (flags & 0x80000000) > 0 { + flagNames = append(flagNames, "S_ATTR_PURE_INSTRUCTIONS") + } + if (flags & 0x40000000) > 0 { + flagNames = append(flagNames, "S_ATTR_NO_TOC") + } + if (flags & 0x20000000) > 0 { + flagNames = append(flagNames, "S_ATTR_STRIP_STATIC_SYMS") + } + if (flags & 0x10000000) > 0 { + flagNames = append(flagNames, "S_ATTR_NO_DEAD_STRIP") + } + if (flags & 0x08000000) > 0 { + flagNames = append(flagNames, "S_ATTR_LIVE_SUPPORT") + } + if (flags & 0x04000000) > 0 { + flagNames = append(flagNames, "S_ATTR_SELF_MODIFYING_CODE") + } + if (flags & 0x02000000) > 0 { + flagNames = append(flagNames, "S_ATTR_DEBUG") + } + if (flags & 0x00000400) > 0 { + flagNames = append(flagNames, "S_ATTR_SOME_INSTRUCTIONS") + } + if (flags & 0x00000200) > 0 { + flagNames = append(flagNames, "S_ATTR_EXT_RELOC") + } + if (flags & 0x00000100) > 0 { + flagNames = append(flagNames, "S_ATTR_LOC_RELOC") + } + return flagNames +} diff --git a/libbeat/formats/macho/symhash.go b/libbeat/formats/macho/symhash.go new file mode 100644 index 000000000000..1e9a2d9444f6 --- /dev/null +++ b/libbeat/formats/macho/symhash.go 
@@ -0,0 +1,48 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package macho + +import ( + "crypto/md5" + "debug/macho" + "encoding/hex" + "sort" + "strings" +) + +func symhash(machoFile *macho.File) (string, error) { + if machoFile.Magic == macho.MagicFat { + return "", nil + } + if machoFile.Symtab == nil { + return "", nil + } + if machoFile.Dysymtab == nil { + return "", nil + } + hashed := []string{} + symbols := machoFile.Symtab.Syms + for _, symbol := range symbols { + if symbol.Type&0x0E == 0 { + hashed = append(hashed, symbol.Name) + } + } + sort.Strings(hashed) + md5hash := md5.Sum([]byte(strings.Join(hashed, ","))) + return hex.EncodeToString(md5hash[:]), nil +} diff --git a/libbeat/formats/pe/.gitignore b/libbeat/formats/pe/.gitignore new file mode 100644 index 000000000000..abe7c26c9696 --- /dev/null +++ b/libbeat/formats/pe/.gitignore @@ -0,0 +1,4 @@ +corpus +suppressions +crashers +pe-fuzz.zip diff --git a/libbeat/formats/pe/imphash.go b/libbeat/formats/pe/imphash.go new file mode 100644 index 000000000000..74aa875d68ac --- /dev/null +++ b/libbeat/formats/pe/imphash.go 
@@ -0,0 +1,241 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package pe + +import ( + "crypto/md5" + "debug/pe" + "encoding/binary" + "encoding/hex" + "path/filepath" + "strings" +) + +func readString(section []byte, start int) string { + if start < 0 || start >= len(section) { + return "" + } + + for end := start; end < len(section); end++ { + if section[end] == 0 { + return string(section[start:end]) + } + } + return "" +} + +func importDirectory(f *pe.File) pe.DataDirectory { + var emptyDirectory pe.DataDirectory + if f.Machine == pe.IMAGE_FILE_MACHINE_AMD64 { + header := f.OptionalHeader.(*pe.OptionalHeader64) + if header.NumberOfRvaAndSizes < pe.IMAGE_DIRECTORY_ENTRY_IMPORT+1 { + return emptyDirectory + } + return header.DataDirectory[pe.IMAGE_DIRECTORY_ENTRY_IMPORT] + } + header := f.OptionalHeader.(*pe.OptionalHeader32) + if header.NumberOfRvaAndSizes < pe.IMAGE_DIRECTORY_ENTRY_IMPORT+1 { + return emptyDirectory + } + return header.DataDirectory[pe.IMAGE_DIRECTORY_ENTRY_IMPORT] +} + +func exportDirectory(f *pe.File) pe.DataDirectory { + var emptyDirectory pe.DataDirectory + if f.Machine == pe.IMAGE_FILE_MACHINE_AMD64 { + header := f.OptionalHeader.(*pe.OptionalHeader64) + if header.NumberOfRvaAndSizes < 
pe.IMAGE_DIRECTORY_ENTRY_EXPORT+1 { + return emptyDirectory + } + return header.DataDirectory[pe.IMAGE_DIRECTORY_ENTRY_EXPORT] + } + header := f.OptionalHeader.(*pe.OptionalHeader32) + if header.NumberOfRvaAndSizes < pe.IMAGE_DIRECTORY_ENTRY_EXPORT+1 { + return emptyDirectory + } + return header.DataDirectory[pe.IMAGE_DIRECTORY_ENTRY_EXPORT] +} + +func directoryData(f *pe.File, directory pe.DataDirectory) ([]byte, uint32, uint32, error) { + if directory.Size == 0 { + return nil, 0, 0, nil + } + var section *pe.Section + for _, s := range f.Sections { + if s.VirtualAddress <= directory.VirtualAddress && directory.VirtualAddress < s.VirtualAddress+s.VirtualSize { + section = s + break + } + } + if section == nil { + return nil, 0, 0, nil + } + + data, err := section.Data() + if err != nil { + return nil, 0, 0, err + } + return data, directory.VirtualAddress, section.VirtualAddress, nil +} + +func importData(f *pe.File) ([]byte, uint32, uint32, error) { + return directoryData(f, importDirectory(f)) +} + +func exportData(f *pe.File) ([]byte, uint32, uint32, error) { + return directoryData(f, exportDirectory(f)) +} + +func normalizeLibraryName(name string) string { + name = strings.ToLower(name) + extension := filepath.Ext(name) + if extension == ".ocx" || + extension == ".sys" || + extension == ".dll" { + return name[:len(name)-4] + } + return name +} + +func exports(f *pe.File) []string { + if f.OptionalHeader == nil { + return nil + } + data, exportAddress, sectionAddress, err := exportData(f) + if err != nil { + // couldn't find the proper data directory, swallow the error + return nil + } + if data == nil { + return nil + } + exportOffset := exportAddress - sectionAddress + if int(exportOffset) > len(data) { + return nil + } + tableData := data[exportOffset:] + if len(tableData) < 40 { + return nil + } + exportCount := int(binary.LittleEndian.Uint32(tableData[24:30])) + nameOffset := binary.LittleEndian.Uint32(tableData[32:36]) + if len(data) < 
int(nameOffset-sectionAddress)+1 { + return nil + } + nameRVATable := data[nameOffset-sectionAddress:] + // The pointers are 32 bits each and are relative to the image base + if len(nameRVATable) < 4*exportCount { + return nil + } + + functions := make([]string, exportCount) + for offset := 0; offset < exportCount; offset++ { + start := offset * 4 + symbolOffset := binary.LittleEndian.Uint32(nameRVATable[start : start+4]) + functions[offset] = readString(data, int(symbolOffset-sectionAddress)) + } + + return functions +} + +func imphash(f *pe.File) (map[string][]string, string) { + if f.OptionalHeader == nil { + return nil, "" + } + + pe64 := f.Machine == pe.IMAGE_FILE_MACHINE_AMD64 + data, importAddress, sectionAddress, err := importData(f) + if err != nil { + // swallow error + return nil, "" + } + if data == nil { + return nil, "" + } + + importOffset := importAddress - sectionAddress + if int(importOffset) > len(data) { + return nil, "" + } + tableData := data[importOffset:] + offset := 0 + symbols := make(map[string][]string) + imphashEntries := []string{} + for len(tableData) >= offset+20 { + directoryData := tableData[offset:] + firstThunk := binary.LittleEndian.Uint32(directoryData[0:4]) + if firstThunk == 0 { + // check to see if the image is not bound + firstThunk = binary.LittleEndian.Uint32(directoryData[16:20]) + if firstThunk == 0 { + break + } + } + + name := binary.LittleEndian.Uint32(directoryData[12:16]) + dllOffset := int(name - sectionAddress) + dllName := readString(data, dllOffset) + normalizedDllName := normalizeLibraryName(dllName) + functionOffset := int(firstThunk - sectionAddress) + offset += 20 + + for len(data) > functionOffset { + functionData := data[functionOffset:] + if pe64 { // 64bit + if len(functionData) < 8 { + return nil, "" + } + functionAddress := binary.LittleEndian.Uint64(functionData[0:8]) + if functionAddress == 0 { + break + } + if functionAddress&0x8000000000000000 > 0 { // is Ordinal + normalizedFunctionName := 
strings.ToLower(lookupOrdinal(dllName, int(functionAddress&0xffffffff))) + imphashEntries = append(imphashEntries, normalizedDllName+"."+normalizedFunctionName) + } else { + functionName := readString(data, int(uint32(functionAddress)-sectionAddress+2)) + symbols[dllName] = append(symbols[dllName], functionName) + normalizedFunctionName := strings.ToLower(functionName) + imphashEntries = append(imphashEntries, normalizedDllName+"."+normalizedFunctionName) + } + functionOffset += 8 + } else { // 32bit + if len(functionData) < 4 { + return nil, "" + } + functionAddress := binary.LittleEndian.Uint32(functionData[0:4]) + if functionAddress == 0 { + break + } + if functionAddress&0x80000000 > 0 { // is Ordinal + normalizedFunctionName := strings.ToLower(lookupOrdinal(dllName, int(functionAddress&0x0000ffff))) + imphashEntries = append(imphashEntries, normalizedDllName+"."+normalizedFunctionName) + } else { + functionName := readString(data, int(functionAddress-sectionAddress+2)) + symbols[dllName] = append(symbols[dllName], functionName) + normalizedFunctionName := strings.ToLower(functionName) + imphashEntries = append(imphashEntries, normalizedDllName+"."+normalizedFunctionName) + } + functionOffset += 4 + } + } + } + + hash := md5.Sum([]byte(strings.Join(imphashEntries, ","))) + return symbols, hex.EncodeToString(hash[:]) +} diff --git a/libbeat/formats/pe/locale.go b/libbeat/formats/pe/locale.go new file mode 100644 index 000000000000..8fd088c8cca5 --- /dev/null +++ b/libbeat/formats/pe/locale.go 
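Review bot: In the 64-bit ordinal branch of `imphash` the mask is wrong: `lookupOrdinal(dllName, int(functionAddress&0xffffffff))` keeps 32 bits, while the 32-bit branch uses `&0x0000ffff`. The PE import-by-ordinal encoding puts the ordinal in the low 16 bits of the thunk for both PE32 and PE32+, so any non-zero bits 16..31 would turn into an `ord<N>` entry that differs from the reference imphash of the same binary; use `0xffff` in both branches. Two smaller points in `exports`: `binary.LittleEndian.Uint32(tableData[24:30])` should be `tableData[24:28]` (only four bytes are read, the six-byte slice is misleading), and the RVA-to-offset subtractions `nameOffset-sectionAddress` and `symbolOffset-sectionAddress` wrap around on uint32 when a table points below the containing section, so `readString` must bounds-check the resulting offset on its own; a comment stating that contract, or an explicit `symbolOffset < sectionAddress` check before the subtraction, would make the trust boundary visible to the next reader.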
@@ -0,0 +1,251 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package pe + +var localeMap = map[uint16]string{ + 1025: "Arabic - Saudi Arabia", + 1026: "Bulgarian", + 1027: "Catalan", + 1028: "Chinese - Taiwan", + 1029: "Czech", + 1030: "Danish", + 1031: "German - Germany", + 1032: "Greek", + 1033: "English - United States", + 1034: "Spanish - Spain (Traditional Sort)", + 1035: "Finnish", + 1036: "French - France", + 1037: "Hebrew", + 1038: "Hungarian", + 1039: "Icelandic", + 1040: "Italian - Italy", + 1041: "Japanese", + 1042: "Korean", + 1043: "Dutch - Netherlands", + 1044: "Norwegian (BokmÃ¥l)", + 1045: "Polish", + 1046: "Portuguese - Brazil", + 1047: "Rhaeto-Romanic", + 1048: "Romanian", + 1049: "Russian", + 1050: "Croatian", + 1051: "Slovak", + 1052: "Albanian - Albania", + 1053: "Swedish", + 1054: "Thai", + 1055: "Turkish", + 1056: "Urdu - Pakistan", + 1057: "Indonesian", + 1058: "Ukrainian", + 1059: "Belarusian", + 1060: "Slovenian", + 1061: "Estonian", + 1062: "Latvian", + 1063: "Lithuanian", + 1064: "Tajik", + 1065: "Persian", + 1066: "Vietnamese", + 1067: "Armenian - Armenia", + 1068: "Azeri (Latin)", + 1069: "Basque", + 1070: "Sorbian", + 1071: "F.Y.R.O. 
Macedonian", + 1072: "Sutu", + 1073: "Tsonga", + 1074: "Tswana", + 1075: "Venda", + 1076: "Xhosa", + 1077: "Zulu", + 1078: "Afrikaans - South Africa", + 1079: "Georgian", + 1080: "Faroese", + 1081: "Hindi", + 1082: "Maltese", + 1083: "Sami", + 1084: "Gaelic (Scotland)", + 1085: "Yiddish", + 1086: "Malay - Malaysia", + 1087: "Kazakh", + 1088: "Kyrgyz (Cyrillic)", + 1089: "Swahili", + 1090: "Turkmen", + 1091: "Uzbek (Latin)", + 1092: "Tatar", + 1093: "Bengali (India)", + 1094: "Punjabi", + 1095: "Gujarati", + 1096: "Oriya", + 1097: "Tamil", + 1098: "Telugu", + 1099: "Kannada", + 1100: "Malayalam", + 1101: "Assamese", + 1102: "Marathi", + 1103: "Sanskrit", + 1104: "Mongolian (Cyrillic)", + 1105: "Tibetan - People's Republic of China", + 1106: "Welsh", + 1107: "Khmer", + 1108: "Lao", + 1109: "Burmese", + 1110: "Galician", + 1111: "Konkani", + 1112: "Manipuri", + 1113: "Sindhi - India", + 1114: "Syriac", + 1115: "Sinhalese - Sri Lanka", + 1116: "Cherokee - United States", + 1117: "Inuktitut", + 1118: "Amharic - Ethiopia", + 1119: "Tamazight (Arabic)", + 1120: "Kashmiri (Arabic)", + 1121: "Nepali", + 1122: "Frisian - Netherlands", + 1123: "Pashto", + 1124: "Filipino", + 1125: "Divehi", + 1126: "Edo", + 1127: "Fulfulde - Nigeria", + 1128: "Hausa - Nigeria", + 1129: "Ibibio - Nigeria", + 1130: "Yoruba", + 1131: "Quecha - Bolivia", + 1132: "Sepedi", + 1136: "Igbo - Nigeria", + 1137: "Kanuri - Nigeria", + 1138: "Oromo", + 1139: "Tigrigna - Ethiopia", + 1140: "Guarani - Paraguay", + 1141: "Hawaiian - United States", + 1142: "Latin", + 1143: "Somali", + 1144: "Yi", + 1145: "Papiamentu", + 1152: "Uighur - China", + 1153: "Maori - New Zealand", + 2049: "Arabic - Iraq", + 2052: "Chinese - People's Republic of China", + 2055: "German - Switzerland", + 2057: "English - United Kingdom", + 2058: "Spanish - Mexico", + 2060: "French - Belgium", + 2064: "Italian - Switzerland", + 2067: "Dutch - Belgium", + 2068: "Norwegian (Nynorsk)", + 2070: "Portuguese - Portugal", + 2072: "Romanian - 
Moldava", + 2073: "Russian - Moldava", + 2074: "Serbian (Latin)", + 2077: "Swedish - Finland", + 2080: "Urdu - India", + 2092: "Azeri (Cyrillic)", + 2108: "Gaelic (Ireland)", + 2110: "Malay - Brunei Darussalam", + 2115: "Uzbek (Cyrillic)", + 2117: "Bengali (Bangladesh)", + 2118: "Punjabi (Pakistan)", + 2128: "Mongolian (Mongolian)", + 2129: "Tibetan - Bhutan", + 2137: "Sindhi - Pakistan", + 2143: "Tamazight (Latin)", + 2144: "Kashmiri (Devanagari)", + 2145: "Nepali - India", + 2155: "Quecha - Ecuador", + 2163: "Tigrigna - Eritrea", + 3073: "Arabic - Egypt", + 3076: "Chinese - Hong Kong SAR", + 3079: "German - Austria", + 3081: "English - Australia", + 3082: "Spanish - Spain (Modern Sort)", + 3084: "French - Canada", + 3098: "Serbian (Cyrillic)", + 3179: "Quecha - Peru", + 4097: "Arabic - Libya", + 4100: "Chinese - Singapore", + 4103: "German - Luxembourg", + 4105: "English - Canada", + 4106: "Spanish - Guatemala", + 4108: "French - Switzerland", + 4122: "Croatian (Bosnia/Herzegovina)", + 5121: "Arabic - Algeria", + 5124: "Chinese - Macao SAR", + 5127: "German - Liechtenstein", + 5129: "English - New Zealand", + 5130: "Spanish - Costa Rica", + 5132: "French - Luxembourg", + 5146: "Bosnian (Bosnia/Herzegovina)", + 6145: "Arabic - Morocco", + 6153: "English - Ireland", + 6154: "Spanish - Panama", + 6156: "French - Monaco", + 7169: "Arabic - Tunisia", + 7177: "English - South Africa", + 7178: "Spanish - Dominican Republic", + 7180: "French - West Indies", + 8193: "Arabic - Oman", + 8201: "English - Jamaica", + 8202: "Spanish - Venezuela", + 8204: "French - Reunion", + 9217: "Arabic - Yemen", + 9225: "English - Caribbean", + 9226: "Spanish - Colombia", + 9228: "French - Democratic Rep. 
of Congo", + 10241: "Arabic - Syria", + 10249: "English - Belize", + 10250: "Spanish - Peru", + 10252: "French - Senegal", + 11265: "Arabic - Jordan", + 11273: "English - Trinidad", + 11274: "Spanish - Argentina", + 11276: "French - Cameroon", + 12289: "Arabic - Lebanon", + 12297: "English - Zimbabwe", + 12298: "Spanish - Ecuador", + 12300: "French - Cote d'Ivoire", + 13313: "Arabic - Kuwait", + 13321: "English - Philippines", + 13322: "Spanish - Chile", + 13324: "French - Mali", + 14337: "Arabic - U.A.E.", + 14345: "English - Indonesia", + 14346: "Spanish - Uruguay", + 14348: "French - Morocco", + 15361: "Arabic - Bahrain", + 15369: "English - Hong Kong SAR", + 15370: "Spanish - Paraguay", + 15372: "French - Haiti", + 16385: "Arabic - Qatar", + 16393: "English - India", + 16394: "Spanish - Bolivia", + 17417: "English - Malaysia", + 17418: "Spanish - El Salvador", + 18441: "English - Singapore", + 18442: "Spanish - Honduras", + 19466: "Spanish - Nicaragua", + 20490: "Spanish - Puerto Rico", + 21514: "Spanish - United States", + 58378: "Spanish - Latin America", + 58380: "French - North Africa", +} + +func languageName(language uint16) string { + if found, ok := localeMap[language]; ok { + return found + } + return "Unknown" +} diff --git a/libbeat/formats/pe/ordinals.go b/libbeat/formats/pe/ordinals.go new file mode 100644 index 000000000000..dd6ea7f6edb0 --- /dev/null +++ b/libbeat/formats/pe/ordinals.go 
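Review bot: Entry 1044 contains a mis-encoded literal, `1044: "Norwegian (BokmÃ¥l)"`, which is the UTF-8 encoding of "Bokmål" decoded a second time; fix the source to `"Norwegian (Bokmål)"` so the value that reaches the index is the intended string. Spelling in the same table: `2072: "Romanian - Moldava"` and `2073: "Russian - Moldava"` should read "Moldova", and entries 1131, 2155 and 3179 use "Quecha" for Quechua. In `languageName`, returning the bare string `"Unknown"` for an unmapped LCID throws away the one value an analyst could still pivot on; include the numeric id in the fallback string, which is also what `idName` and `lookupOrdinal` do elsewhere in this package.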
@@ -0,0 +1,559 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package pe + +import ( + "strconv" + "strings" +) + +var oleaut32Names = map[int]string{ + 2: "SysAllocString", + 3: "SysReAllocString", + 4: "SysAllocStringLen", + 5: "SysReAllocStringLen", + 6: "SysFreeString", + 7: "SysStringLen", + 8: "VariantInit", + 9: "VariantClear", + 10: "VariantCopy", + 11: "VariantCopyInd", + 12: "VariantChangeType", + 13: "VariantTimeToDosDateTime", + 14: "DosDateTimeToVariantTime", + 15: "SafeArrayCreate", + 16: "SafeArrayDestroy", + 17: "SafeArrayGetDim", + 18: "SafeArrayGetElemsize", + 19: "SafeArrayGetUBound", + 20: "SafeArrayGetLBound", + 21: "SafeArrayLock", + 22: "SafeArrayUnlock", + 23: "SafeArrayAccessData", + 24: "SafeArrayUnaccessData", + 25: "SafeArrayGetElement", + 26: "SafeArrayPutElement", + 27: "SafeArrayCopy", + 28: "DispGetParam", + 29: "DispGetIDsOfNames", + 30: "DispInvoke", + 31: "CreateDispTypeInfo", + 32: "CreateStdDispatch", + 33: "RegisterActiveObject", + 34: "RevokeActiveObject", + 35: "GetActiveObject", + 36: "SafeArrayAllocDescriptor", + 37: "SafeArrayAllocData", + 38: "SafeArrayDestroyDescriptor", + 39: "SafeArrayDestroyData", + 40: "SafeArrayRedim", + 41: "SafeArrayAllocDescriptorEx", + 42: 
"SafeArrayCreateEx", + 43: "SafeArrayCreateVectorEx", + 44: "SafeArraySetRecordInfo", + 45: "SafeArrayGetRecordInfo", + 46: "VarParseNumFromStr", + 47: "VarNumFromParseNum", + 48: "VarI2FromUI1", + 49: "VarI2FromI4", + 50: "VarI2FromR4", + 51: "VarI2FromR8", + 52: "VarI2FromCy", + 53: "VarI2FromDate", + 54: "VarI2FromStr", + 55: "VarI2FromDisp", + 56: "VarI2FromBool", + 57: "SafeArraySetIID", + 58: "VarI4FromUI1", + 59: "VarI4FromI2", + 60: "VarI4FromR4", + 61: "VarI4FromR8", + 62: "VarI4FromCy", + 63: "VarI4FromDate", + 64: "VarI4FromStr", + 65: "VarI4FromDisp", + 66: "VarI4FromBool", + 67: "SafeArrayGetIID", + 68: "VarR4FromUI1", + 69: "VarR4FromI2", + 70: "VarR4FromI4", + 71: "VarR4FromR8", + 72: "VarR4FromCy", + 73: "VarR4FromDate", + 74: "VarR4FromStr", + 75: "VarR4FromDisp", + 76: "VarR4FromBool", + 77: "SafeArrayGetVartype", + 78: "VarR8FromUI1", + 79: "VarR8FromI2", + 80: "VarR8FromI4", + 81: "VarR8FromR4", + 82: "VarR8FromCy", + 83: "VarR8FromDate", + 84: "VarR8FromStr", + 85: "VarR8FromDisp", + 86: "VarR8FromBool", + 87: "VarFormat", + 88: "VarDateFromUI1", + 89: "VarDateFromI2", + 90: "VarDateFromI4", + 91: "VarDateFromR4", + 92: "VarDateFromR8", + 93: "VarDateFromCy", + 94: "VarDateFromStr", + 95: "VarDateFromDisp", + 96: "VarDateFromBool", + 97: "VarFormatDateTime", + 98: "VarCyFromUI1", + 99: "VarCyFromI2", + 100: "VarCyFromI4", + 101: "VarCyFromR4", + 102: "VarCyFromR8", + 103: "VarCyFromDate", + 104: "VarCyFromStr", + 105: "VarCyFromDisp", + 106: "VarCyFromBool", + 107: "VarFormatNumber", + 108: "VarBstrFromUI1", + 109: "VarBstrFromI2", + 110: "VarBstrFromI4", + 111: "VarBstrFromR4", + 112: "VarBstrFromR8", + 113: "VarBstrFromCy", + 114: "VarBstrFromDate", + 115: "VarBstrFromDisp", + 116: "VarBstrFromBool", + 117: "VarFormatPercent", + 118: "VarBoolFromUI1", + 119: "VarBoolFromI2", + 120: "VarBoolFromI4", + 121: "VarBoolFromR4", + 122: "VarBoolFromR8", + 123: "VarBoolFromDate", + 124: "VarBoolFromCy", + 125: "VarBoolFromStr", + 126: 
"VarBoolFromDisp", + 127: "VarFormatCurrency", + 128: "VarWeekdayName", + 129: "VarMonthName", + 130: "VarUI1FromI2", + 131: "VarUI1FromI4", + 132: "VarUI1FromR4", + 133: "VarUI1FromR8", + 134: "VarUI1FromCy", + 135: "VarUI1FromDate", + 136: "VarUI1FromStr", + 137: "VarUI1FromDisp", + 138: "VarUI1FromBool", + 139: "VarFormatFromTokens", + 140: "VarTokenizeFormatString", + 141: "VarAdd", + 142: "VarAnd", + 143: "VarDiv", + 144: "DllCanUnloadNow", + 145: "DllGetClassObject", + 146: "DispCallFunc", + 147: "VariantChangeTypeEx", + 148: "SafeArrayPtrOfIndex", + 149: "SysStringByteLen", + 150: "SysAllocStringByteLen", + 151: "DllRegisterServer", + 152: "VarEqv", + 153: "VarIdiv", + 154: "VarImp", + 155: "VarMod", + 156: "VarMul", + 157: "VarOr", + 158: "VarPow", + 159: "VarSub", + 160: "CreateTypeLib", + 161: "LoadTypeLib", + 162: "LoadRegTypeLib", + 163: "RegisterTypeLib", + 164: "QueryPathOfRegTypeLib", + 165: "LHashValOfNameSys", + 166: "LHashValOfNameSysA", + 167: "VarXor", + 168: "VarAbs", + 169: "VarFix", + 170: "OaBuildVersion", + 171: "ClearCustData", + 172: "VarInt", + 173: "VarNeg", + 174: "VarNot", + 175: "VarRound", + 176: "VarCmp", + 177: "VarDecAdd", + 178: "VarDecDiv", + 179: "VarDecMul", + 180: "CreateTypeLib2", + 181: "VarDecSub", + 182: "VarDecAbs", + 183: "LoadTypeLibEx", + 184: "SystemTimeToVariantTime", + 185: "VariantTimeToSystemTime", + 186: "UnRegisterTypeLib", + 187: "VarDecFix", + 188: "VarDecInt", + 189: "VarDecNeg", + 190: "VarDecFromUI1", + 191: "VarDecFromI2", + 192: "VarDecFromI4", + 193: "VarDecFromR4", + 194: "VarDecFromR8", + 195: "VarDecFromDate", + 196: "VarDecFromCy", + 197: "VarDecFromStr", + 198: "VarDecFromDisp", + 199: "VarDecFromBool", + 200: "GetErrorInfo", + 201: "SetErrorInfo", + 202: "CreateErrorInfo", + 203: "VarDecRound", + 204: "VarDecCmp", + 205: "VarI2FromI1", + 206: "VarI2FromUI2", + 207: "VarI2FromUI4", + 208: "VarI2FromDec", + 209: "VarI4FromI1", + 210: "VarI4FromUI2", + 211: "VarI4FromUI4", + 212: "VarI4FromDec", + 
213: "VarR4FromI1", + 214: "VarR4FromUI2", + 215: "VarR4FromUI4", + 216: "VarR4FromDec", + 217: "VarR8FromI1", + 218: "VarR8FromUI2", + 219: "VarR8FromUI4", + 220: "VarR8FromDec", + 221: "VarDateFromI1", + 222: "VarDateFromUI2", + 223: "VarDateFromUI4", + 224: "VarDateFromDec", + 225: "VarCyFromI1", + 226: "VarCyFromUI2", + 227: "VarCyFromUI4", + 228: "VarCyFromDec", + 229: "VarBstrFromI1", + 230: "VarBstrFromUI2", + 231: "VarBstrFromUI4", + 232: "VarBstrFromDec", + 233: "VarBoolFromI1", + 234: "VarBoolFromUI2", + 235: "VarBoolFromUI4", + 236: "VarBoolFromDec", + 237: "VarUI1FromI1", + 238: "VarUI1FromUI2", + 239: "VarUI1FromUI4", + 240: "VarUI1FromDec", + 241: "VarDecFromI1", + 242: "VarDecFromUI2", + 243: "VarDecFromUI4", + 244: "VarI1FromUI1", + 245: "VarI1FromI2", + 246: "VarI1FromI4", + 247: "VarI1FromR4", + 248: "VarI1FromR8", + 249: "VarI1FromDate", + 250: "VarI1FromCy", + 251: "VarI1FromStr", + 252: "VarI1FromDisp", + 253: "VarI1FromBool", + 254: "VarI1FromUI2", + 255: "VarI1FromUI4", + 256: "VarI1FromDec", + 257: "VarUI2FromUI1", + 258: "VarUI2FromI2", + 259: "VarUI2FromI4", + 260: "VarUI2FromR4", + 261: "VarUI2FromR8", + 262: "VarUI2FromDate", + 263: "VarUI2FromCy", + 264: "VarUI2FromStr", + 265: "VarUI2FromDisp", + 266: "VarUI2FromBool", + 267: "VarUI2FromI1", + 268: "VarUI2FromUI4", + 269: "VarUI2FromDec", + 270: "VarUI4FromUI1", + 271: "VarUI4FromI2", + 272: "VarUI4FromI4", + 273: "VarUI4FromR4", + 274: "VarUI4FromR8", + 275: "VarUI4FromDate", + 276: "VarUI4FromCy", + 277: "VarUI4FromStr", + 278: "VarUI4FromDisp", + 279: "VarUI4FromBool", + 280: "VarUI4FromI1", + 281: "VarUI4FromUI2", + 282: "VarUI4FromDec", + 283: "BSTR_UserSize", + 284: "BSTR_UserMarshal", + 285: "BSTR_UserUnmarshal", + 286: "BSTR_UserFree", + 287: "VARIANT_UserSize", + 288: "VARIANT_UserMarshal", + 289: "VARIANT_UserUnmarshal", + 290: "VARIANT_UserFree", + 291: "LPSAFEARRAY_UserSize", + 292: "LPSAFEARRAY_UserMarshal", + 293: "LPSAFEARRAY_UserUnmarshal", + 294: 
"LPSAFEARRAY_UserFree", + 295: "LPSAFEARRAY_Size", + 296: "LPSAFEARRAY_Marshal", + 297: "LPSAFEARRAY_Unmarshal", + 298: "VarDecCmpR8", + 299: "VarCyAdd", + 300: "DllUnregisterServer", + 301: "OACreateTypeLib2", + 303: "VarCyMul", + 304: "VarCyMulI4", + 305: "VarCySub", + 306: "VarCyAbs", + 307: "VarCyFix", + 308: "VarCyInt", + 309: "VarCyNeg", + 310: "VarCyRound", + 311: "VarCyCmp", + 312: "VarCyCmpR8", + 313: "VarBstrCat", + 314: "VarBstrCmp", + 315: "VarR8Pow", + 316: "VarR4CmpR8", + 317: "VarR8Round", + 318: "VarCat", + 319: "VarDateFromUdateEx", + 322: "GetRecordInfoFromGuids", + 323: "GetRecordInfoFromTypeInfo", + 325: "SetVarConversionLocaleSetting", + 326: "GetVarConversionLocaleSetting", + 327: "SetOaNoCache", + 329: "VarCyMulI8", + 330: "VarDateFromUdate", + 331: "VarUdateFromDate", + 332: "GetAltMonthNames", + 333: "VarI8FromUI1", + 334: "VarI8FromI2", + 335: "VarI8FromR4", + 336: "VarI8FromR8", + 337: "VarI8FromCy", + 338: "VarI8FromDate", + 339: "VarI8FromStr", + 340: "VarI8FromDisp", + 341: "VarI8FromBool", + 342: "VarI8FromI1", + 343: "VarI8FromUI2", + 344: "VarI8FromUI4", + 345: "VarI8FromDec", + 346: "VarI2FromI8", + 347: "VarI2FromUI8", + 348: "VarI4FromI8", + 349: "VarI4FromUI8", + 360: "VarR4FromI8", + 361: "VarR4FromUI8", + 362: "VarR8FromI8", + 363: "VarR8FromUI8", + 364: "VarDateFromI8", + 365: "VarDateFromUI8", + 366: "VarCyFromI8", + 367: "VarCyFromUI8", + 368: "VarBstrFromI8", + 369: "VarBstrFromUI8", + 370: "VarBoolFromI8", + 371: "VarBoolFromUI8", + 372: "VarUI1FromI8", + 373: "VarUI1FromUI8", + 374: "VarDecFromI8", + 375: "VarDecFromUI8", + 376: "VarI1FromI8", + 377: "VarI1FromUI8", + 378: "VarUI2FromI8", + 379: "VarUI2FromUI8", + 401: "OleLoadPictureEx", + 402: "OleLoadPictureFileEx", + 411: "SafeArrayCreateVector", + 412: "SafeArrayCopyData", + 413: "VectorFromBstr", + 414: "BstrFromVector", + 415: "OleIconToCursor", + 416: "OleCreatePropertyFrameIndirect", + 417: "OleCreatePropertyFrame", + 418: "OleLoadPicture", + 419: 
"OleCreatePictureIndirect", + 420: "OleCreateFontIndirect", + 421: "OleTranslateColor", + 422: "OleLoadPictureFile", + 423: "OleSavePictureFile", + 424: "OleLoadPicturePath", + 425: "VarUI4FromI8", + 426: "VarUI4FromUI8", + 427: "VarI8FromUI8", + 428: "VarUI8FromI8", + 429: "VarUI8FromUI1", + 430: "VarUI8FromI2", + 431: "VarUI8FromR4", + 432: "VarUI8FromR8", + 433: "VarUI8FromCy", + 434: "VarUI8FromDate", + 435: "VarUI8FromStr", + 436: "VarUI8FromDisp", + 437: "VarUI8FromBool", + 438: "VarUI8FromI1", + 439: "VarUI8FromUI2", + 440: "VarUI8FromUI4", + 441: "VarUI8FromDec", + 442: "RegisterTypeLibForUser", + 443: "UnRegisterTypeLibForUser", +} + +var ws2_32Names = map[int]string{ + 1: "accept", + 2: "bind", + 3: "closesocket", + 4: "connect", + 5: "getpeername", + 6: "getsockname", + 7: "getsockopt", + 8: "htonl", + 9: "htons", + 10: "ioctlsocket", + 11: "inet_addr", + 12: "inet_ntoa", + 13: "listen", + 14: "ntohl", + 15: "ntohs", + 16: "recv", + 17: "recvfrom", + 18: "select", + 19: "send", + 20: "sendto", + 21: "setsockopt", + 22: "shutdown", + 23: "socket", + 24: "GetAddrInfoW", + 25: "GetNameInfoW", + 26: "WSApSetPostRoutine", + 27: "FreeAddrInfoW", + 28: "WPUCompleteOverlappedRequest", + 29: "WSAAccept", + 30: "WSAAddressToStringA", + 31: "WSAAddressToStringW", + 32: "WSACloseEvent", + 33: "WSAConnect", + 34: "WSACreateEvent", + 35: "WSADuplicateSocketA", + 36: "WSADuplicateSocketW", + 37: "WSAEnumNameSpaceProvidersA", + 38: "WSAEnumNameSpaceProvidersW", + 39: "WSAEnumNetworkEvents", + 40: "WSAEnumProtocolsA", + 41: "WSAEnumProtocolsW", + 42: "WSAEventSelect", + 43: "WSAGetOverlappedResult", + 44: "WSAGetQOSByName", + 45: "WSAGetServiceClassInfoA", + 46: "WSAGetServiceClassInfoW", + 47: "WSAGetServiceClassNameByClassIdA", + 48: "WSAGetServiceClassNameByClassIdW", + 49: "WSAHtonl", + 50: "WSAHtons", + 51: "gethostbyaddr", + 52: "gethostbyname", + 53: "getprotobyname", + 54: "getprotobynumber", + 55: "getservbyname", + 56: "getservbyport", + 57: "gethostname", + 
58: "WSAInstallServiceClassA", + 59: "WSAInstallServiceClassW", + 60: "WSAIoctl", + 61: "WSAJoinLeaf", + 62: "WSALookupServiceBeginA", + 63: "WSALookupServiceBeginW", + 64: "WSALookupServiceEnd", + 65: "WSALookupServiceNextA", + 66: "WSALookupServiceNextW", + 67: "WSANSPIoctl", + 68: "WSANtohl", + 69: "WSANtohs", + 70: "WSAProviderConfigChange", + 71: "WSARecv", + 72: "WSARecvDisconnect", + 73: "WSARecvFrom", + 74: "WSARemoveServiceClass", + 75: "WSAResetEvent", + 76: "WSASend", + 77: "WSASendDisconnect", + 78: "WSASendTo", + 79: "WSASetEvent", + 80: "WSASetServiceA", + 81: "WSASetServiceW", + 82: "WSASocketA", + 83: "WSASocketW", + 84: "WSAStringToAddressA", + 85: "WSAStringToAddressW", + 86: "WSAWaitForMultipleEvents", + 87: "WSCDeinstallProvider", + 88: "WSCEnableNSProvider", + 89: "WSCEnumProtocols", + 90: "WSCGetProviderPath", + 91: "WSCInstallNameSpace", + 92: "WSCInstallProvider", + 93: "WSCUnInstallNameSpace", + 94: "WSCUpdateProvider", + 95: "WSCWriteNameSpaceOrder", + 96: "WSCWriteProviderOrder", + 97: "freeaddrinfo", + 98: "getaddrinfo", + 99: "getnameinfo", + 101: "WSAAsyncSelect", + 102: "WSAAsyncGetHostByAddr", + 103: "WSAAsyncGetHostByName", + 104: "WSAAsyncGetProtoByNumber", + 105: "WSAAsyncGetProtoByName", + 106: "WSAAsyncGetServByPort", + 107: "WSAAsyncGetServByName", + 108: "WSACancelAsyncRequest", + 109: "WSASetBlockingHook", + 110: "WSAUnhookBlockingHook", + 111: "WSAGetLastError", + 112: "WSASetLastError", + 113: "WSACancelBlockingCall", + 114: "WSAIsBlocking", + 115: "WSAStartup", + 116: "WSACleanup", + 151: "__WSAFDIsSet", + 500: "WEP", +} + +var ordinalMaps = map[string]map[int]string{ + "ws2_32.dll": ws2_32Names, + "wsock32.dll": ws2_32Names, + "oleaut32.dll": oleaut32Names, +} + +func lookupOrdinal(libname string, ordinal int) string { + if names, ok := ordinalMaps[strings.ToLower(libname)]; ok { + if name, ok := names[ordinal]; ok { + return name + } + } + return "ord" + strconv.Itoa(ordinal) +} 
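Review bot: `oleaut32Names`, `ws2_32Names` and `ordinalMaps` carry no comment on their provenance, yet the imphash is only comparable with other tools if these tables match the reference implementation exactly: every ordinal that resolves to a different name here, or to the `ord<N>` fallback where another tool has a name, yields a different hash for the same sample. Add a comment above the two tables stating which reference they were transcribed from and at what version, so that future edits to them are recognised as hash-breaking changes. The `"wsock32.dll": ws2_32Names` aliasing deserves a one-line comment as well, so it reads as deliberate rather than as a copy-paste slip.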
diff --git a/libbeat/formats/pe/pe.go b/libbeat/formats/pe/pe.go new file mode 100644 index 000000000000..4861b38a21ca --- /dev/null +++ b/libbeat/formats/pe/pe.go 
@@ -0,0 +1,217 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package pe + +import ( + "debug/pe" + "fmt" + "io" + "sort" + "time" + + "github.com/elastic/beats/v7/libbeat/formats/common" + "github.com/elastic/beats/v7/libbeat/formats/dwarf" +) + +// Header contains information found in a PE header. +type Header struct { + CompilationTimestamp *time.Time `json:"compilationTimestamp,omitempty"` + Entrypoint uint32 `json:"entrypoint"` + TargetMachine string `json:"targetMachine"` + ContainedSections int `json:"containedSections"` +} + +// VersionInfo hold keys and values parsed from the version info resource. +type VersionInfo struct { + Name string + Value string +} + +// Compiler contains compiler information about the object file +type Compiler struct { + Version string `json:"version,omitempty"` + Name string `json:"name,omitempty"` +} + +// ImportedSymbol contains information about where an imported symbol comes from +type ImportedSymbol struct { + Library string `json:"library,omitempty"` + Name string `json:"name,omitempty"` +} + +// Section contains information about a section in a PE file. 
+type Section struct { + Name string `json:"name"` + Flags []string `json:"flags"` + VirtualAddress uint32 `json:"virtual_address"` + RawSize uint32 `json:"raw_size,omitempty"` + Entropy float64 `json:"entropy,omitempty"` + ChiSquare float64 `json:"chi2,omitempty"` +} + +// Resource represents a resource entry embedded in a PE file. +type Resource struct { + Type string `json:"type"` + Language string `json:"language"` + SHA256 string `json:"sha256"` + FileType string `json:"filetype,omitempty"` + Entropy float64 `json:"entropy"` + ChiSquare float64 `json:"chi2"` + + data []byte +} + +// Icon holds fields that are used for fingerprinting embedded icons +type Icon struct { + Dhash string `json:"dhash"` // https://github.com/corona10/goimagehash +} + +// Info contains high level fingerprinting an analysis of a PE file. +type Info struct { + CompilationTimestamp *time.Time `json:"compile_timestamp,omitempty"` + Entrypoint string `json:"entrypoint"` + Exports []string `json:"exports,omitempty"` + Debug []dwarf.DWARF `json:"debug,omitempty"` + Imports []ImportedSymbol `json:"imports,omitempty"` + Sections []Section `json:"sections,omitempty"` + Resources []Resource `json:"resources,omitempty"` + Packers []string `json:"packers,omitempty"` + ImpHash string `json:"imphash,omitempty"` + FileVersion string `json:"file_version,omitempty"` + Description string `json:"description,omitempty"` + Company string `json:"company,omitempty"` + OriginalFileName string `json:"original_file_name,omitempty"` + Product string `json:"product,omitempty"` + Architecture string `json:"architecture,omitempty"` + + // TODO: Things that we should be able to get + // Authentihash string `json:"authentihash,omitempty"` // https://github.com/lief-project/LIEF/blob/05103f55a6cb993cb20735da3c7a6333e4f600e3/src/PE/Binary.cpp#L1046 + // Compiler *Compiler `json:"compiler,omitempty"` + // RichHeaderHash string `json:"rich_header.hash.md5,omitempty"` + // Icons []Icon `json:"icon,omitempty"` +} + +func 
getPackers(f *pe.File) []string { + for _, section := range f.Sections { + if section.Name == "UPX0" { + return []string{"upx"} + } + } + return nil +} + +// Parse parses the PE and returns information about it or errors. +func Parse(r io.ReaderAt) (interface{}, error) { + peFile, err := pe.NewFile(r) + if err != nil { + return nil, err + } + var architecture string + var entrypoint uint32 + switch header := peFile.OptionalHeader.(type) { + case *pe.OptionalHeader32: + architecture = "x32" + entrypoint = header.AddressOfEntryPoint + + case *pe.OptionalHeader64: + architecture = "x64" + entrypoint = header.AddressOfEntryPoint + + default: + architecture = "unknown" + } + + exportSymbols := exports(peFile) + importSymbols, imphash := imphash(peFile) + imports := []ImportedSymbol{} + for library, symbols := range importSymbols { + for _, symbol := range symbols { + imports = append(imports, ImportedSymbol{ + Library: library, + Name: symbol, + }) + } + } + sort.Slice(imports, func(i, j int) bool { + return (imports[i].Library < imports[j].Library || imports[i].Name < imports[j].Name) + }) + + sectionSize := len(peFile.Sections) + var compiledAt *time.Time + timestamp := int64(peFile.FileHeader.TimeDateStamp) + if timestamp != 0 { + compiled := time.Unix(timestamp, 0).UTC() + compiledAt = &compiled + } + + info := &Info{ + CompilationTimestamp: compiledAt, + Entrypoint: fmt.Sprintf("0x%x", entrypoint), + Imports: imports, + Exports: exportSymbols, + Packers: getPackers(peFile), + ImpHash: imphash, + Architecture: architecture, + Sections: make([]Section, sectionSize), + } + + if debug, err := peFile.DWARF(); err == nil { + // just ignore the error if we can't get DWARF information + debugSymbols, err := dwarf.Parse(debug) + if err == nil { + info.Debug = debugSymbols + } + } + + for i, section := range peFile.Sections { + data, _ := section.Data() + info.Sections[i] = Section{ + Name: section.Name, + VirtualAddress: section.VirtualAddress, + RawSize: section.Size, + 
Flags: translateSectionFlags(section.Characteristics), + Entropy: common.Entropy(data), + ChiSquare: common.ChiSquare(data), + } + + if section.Name == ".rsrc" && len(data) > 0 { + info.Resources = parseDirectory(section.VirtualAddress, data) + fileVersionInfo := getVersionInfoForResources(info.Resources) + if companyName, found := fileVersionInfo["CompanyName"]; found { + info.Company = companyName + } + if fileDescription, found := fileVersionInfo["FileDescription"]; found { + info.Description = fileDescription + } + if fileVersion, found := fileVersionInfo["FileVersion"]; found { + info.FileVersion = fileVersion + } + if originalFilename, found := fileVersionInfo["OriginalFilename"]; found { + info.OriginalFileName = originalFilename + } + productName := fileVersionInfo["ProductName"] + if productVersion, found := fileVersionInfo["ProductVersion"]; productName != "" && found { + productName += " (" + productVersion + ")" + } + if productName != "" { + info.Product = productName + } + } + } + return info, nil +} diff --git a/libbeat/formats/pe/pe_fuzz.go b/libbeat/formats/pe/pe_fuzz.go new file mode 100644 index 000000000000..7b4be49b10b5 --- /dev/null +++ b/libbeat/formats/pe/pe_fuzz.go 
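Review bot: The comparator passed to `sort.Slice` is not a strict weak ordering: `return (imports[i].Library < imports[j].Library || imports[i].Name < imports[j].Name)` can report both less(i, j) and less(j, i) as true when the libraries differ but the names compare the other way, so the final order depends on the random iteration order of the `importSymbols` map and the `.fingerprint` comparison in pe_test.go can fail intermittently. Use `imports[i].Library < imports[j].Library || (imports[i].Library == imports[j].Library && imports[i].Name < imports[j].Name)`. Also in this file, `data, _ := section.Data()` drops the read error and then computes entropy and chi-square over a nil slice, silently recording values for a section that could not be read; either leave those fields unset or record the failure. Minor: the doc comment on `Info` should read "fingerprinting and analysis", `VersionInfo hold` should be `holds`, and `Header`, `Compiler` and `Icon` are declared but not referenced anywhere in this hunk.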
@@ -0,0 +1,29 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// +build fuzz + +package pe + +import ( + "bytes" +) + +func Fuzz(data []byte) int { + Parse(bytes.NewReader(data)) + return 0 +} diff --git a/libbeat/formats/pe/pe_test.go b/libbeat/formats/pe/pe_test.go new file mode 100644 index 000000000000..c9487588d2f0 --- /dev/null +++ b/libbeat/formats/pe/pe_test.go 
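Review bot: `Fuzz` returns 0 unconditionally and discards the error from `Parse`, so the fuzzer gets no signal about which inputs were structurally valid. Under the go-fuzz convention this target follows (`func Fuzz(data []byte) int` behind the `fuzz` build tag), returning 1 when `Parse` returns a nil error tells the engine to prioritise inputs that reached the deeper parsing paths (imports, exports, resources), which is exactly where the bounds checks in this package matter; returning 0 for everything only finds the panics the corpus stumbles on by chance. Suggested body: `if _, err := Parse(bytes.NewReader(data)); err == nil { return 1 }` followed by `return 0`.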
@@ -0,0 +1,61 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package pe + +import ( + "encoding/json" + "io/ioutil" + "os" + "testing" + + "github.com/stretchr/testify/require" +) + +func TestBinaries(t *testing.T) { + generate := os.Getenv("GENERATE") == "1" + binaries := []string{ + "hello-windows", + } + for _, binary := range binaries { + t.Run(binary, func(t *testing.T) { + f, err := os.Open("../fixtures/pe/" + binary) + require.NoError(t, err) + defer f.Close() + + info, err := Parse(f) + require.NoError(t, err) + + expectedFile := "../fixtures/pe/" + binary + ".fingerprint" + if generate { + data, err := json.MarshalIndent(info, "", " ") + require.NoError(t, err) + require.NoError(t, ioutil.WriteFile(expectedFile, data, 0644)) + } else { + fixture, err := os.Open(expectedFile) + require.NoError(t, err) + defer fixture.Close() + expected, err := ioutil.ReadAll(fixture) + require.NoError(t, err) + + data, err := json.Marshal(info) + require.NoError(t, err) + require.JSONEq(t, string(expected), string(data)) + } + }) + } +} diff --git a/libbeat/formats/pe/resources.go b/libbeat/formats/pe/resources.go new file mode 100644 index 000000000000..efb553a8451a --- /dev/null +++ b/libbeat/formats/pe/resources.go 
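Review bot: The only coverage is a golden-file comparison of a single fixture (`"hello-windows"`), which exercises none of the defensive paths this package adds for untrusted input: the `len(tableData) < 40` and `len(nameRVATable) < 4*exportCount` checks in `exports`, the thunk-size checks in `imphash`, or the `followOffset` bounds check in resources.go. Add table-driven tests that feed truncated or corrupted variants of the fixture (a data directory pointing past its section, an import name RVA outside any section, a resource directory entry beyond the section end) and assert that `Parse` returns without panicking, plus direct unit tests for `normalizeLibraryName`, `lookupOrdinal` and `languageName`. Also, when `GENERATE=1` the test writes the fixture and asserts nothing, which is easy to leave switched on in CI by accident; a `t.Skip` after regenerating makes that visible, and `io/ioutil` has been deprecated since Go 1.16 in favour of `os.ReadFile` and `os.WriteFile`.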
@@ -0,0 +1,231 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package pe + +import ( + "encoding/binary" + "encoding/hex" + "errors" + "strconv" + + "github.com/h2non/filetype" + sha256 "github.com/minio/sha256-simd" + + "github.com/elastic/beats/v7/libbeat/formats/common" +) + +const ( + rtCursor uint32 = 1 + rtBitmap uint32 = 2 + rtIcon uint32 = 3 + rtMenu uint32 = 4 + rtDialog uint32 = 5 + rtString uint32 = 6 + rtFontdir uint32 = 7 + rtFont uint32 = 8 + rtAccelerator uint32 = 9 + rtRcdata uint32 = 10 + rtMessagetable uint32 = 11 + rtGroupCursor uint32 = 12 + rtGroupIcon uint32 = 14 + rtVersion uint32 = 16 + rtDlginclude uint32 = 17 + rtPlugplay uint32 = 19 + rtVxd uint32 = 20 + rtAnicursor uint32 = 21 + rtAniicon uint32 = 22 + rtHTML uint32 = 23 + rtManifest uint32 = 24 + // max depth of directory parsing + maxDepth int = 2 +) + +var nameMap = map[uint32]string{ + rtCursor: "RT_CURSOR", + rtBitmap: "RT_BITMAP", + rtIcon: "RT_ICON", + rtMenu: "RT_MENU", + rtDialog: "RT_DIALOG", + rtString: "RT_STRING", + rtFontdir: "RT_FONTDIR", + rtFont: "RT_FONT", + rtAccelerator: "RT_ACCELERATOR", + rtRcdata: "RT_RCDATA", + rtMessagetable: "RT_MESSAGETABLE", + rtGroupCursor: "RT_GROUP_CURSOR", + rtGroupIcon: "RT_GROUP_ICON", + 
rtVersion: "RT_VERSION", + rtDlginclude: "RT_DLGINCLUDE", + rtPlugplay: "RT_PLUGPLAY", + rtVxd: "RT_VXD", + rtAnicursor: "RT_ANICURSOR", + rtAniicon: "RT_ANIICON", + rtHTML: "RT_HTML", + rtManifest: "RT_MANIFEST", +} + +func idName(id uint32) string { + if found, ok := nameMap[id]; ok { + return found + } + return strconv.Itoa(int(id)) +} + +func isRVA(value uint32) bool { + return (value & 0x80000000) > 0 +} + +func rvaOffset(value uint32) int { + return int(value & 0x7fffffff) +} + +// this checks if value is an rva, and if so calculates the real offset +// and then does a bounds check on the slice that is returned +func followOffset(global []byte, value uint32, requiredSize int) ([]byte, error) { + offset := int(value) + if isRVA(value) { + offset = rvaOffset(value) + } + if len(global) < offset+requiredSize { + return nil, errors.New("invalid data") + } + return global[offset:], nil +} + +// a lot of the checks we do here are fairly permissive, we want to +// return as much of the parsable information as we can, so don't bother +// sanity checking things like the number of entries matching what's specified +// instead we just make sure to bounds check what we're reading and int the +// case of potential over-read, return an error +func parseDirectory(virtualAddress uint32, data []byte) []Resource { + entries, err := parseEntries(virtualAddress, "", data, data, 0) + if err != nil { + // swallow the error and move on + return nil + } + return entries +} + +func parseName(global, base []byte) (string, error) { + id := binary.LittleEndian.Uint32(base[0:4]) + if isRVA(id) { + nameData, err := followOffset(global, id, 2) + if err != nil { + return "", err + } + nameEnd := int(binary.LittleEndian.Uint16(nameData[0:2]))*2 + 2 + if len(nameData) < nameEnd { + return "", errors.New("invalid data") + } + return common.ReadUnicode(nameData[:nameEnd], 2), nil + } + return idName(id), nil +} + +// we swallow errors from followOffset so we +// parse all entries we can and 
just ignore +// the invalid ones +func parseEntry(virtualAddress uint32, root string, global, base []byte, depth int) ([]Resource, error) { + offset := binary.LittleEndian.Uint32(base[4:8]) + if isRVA(offset) { + // we have a nested directory + next, err := followOffset(global, offset, 0) + if err != nil { + return nil, nil + } + return parseEntries(virtualAddress, root, global, next, depth+1) + } + // we have a leaf resource + language := uint16(binary.LittleEndian.Uint32(base[0:4])) + entry, err := followOffset(global, offset, 8) + if err != nil { + return nil, nil + } + entryOffset := binary.LittleEndian.Uint32(entry[0:4]) + entrySize := int(binary.LittleEndian.Uint32(entry[4:8])) + if entryOffset < virtualAddress { + // we don't fully handle upx packed resources for now which point + // to the locations of the compressed resouces outside of + // the Resource Data section + return []Resource{ + Resource{Type: root, Language: languageName(language)}, + }, nil + } + + data, err := followOffset(global, entryOffset-virtualAddress, entrySize) + if err != nil { + // we have an invalid data reference, so just return what we can + return []Resource{ + Resource{Type: root, Language: languageName(language)}, + }, nil + } + resourceData := data[0:entrySize] + hash := sha256.Sum256(resourceData) + resourceMime := "Data" + if kind, err := filetype.Match(resourceData); err == nil && kind.MIME.Value != "" { + resourceMime = kind.MIME.Value + } + return []Resource{ + Resource{Type: root, Language: languageName(language), data: resourceData, FileType: resourceMime, SHA256: hex.EncodeToString(hash[:]), Entropy: common.Entropy(data), ChiSquare: common.ChiSquare(data)}, + }, nil +} + +// A leaf's Type, Name, and Language IDs are determined by the path +// that is taken through directory tables to reach the leaf. 
The first +// table determines Type ID, the second table (pointed to by the directory +// entry in the first table) determines Name ID, and the third table +// determines Language ID. +func parseEntries(virtualAddress uint32, root string, global, base []byte, depth int) ([]Resource, error) { + if len(base) < 16 { + return nil, errors.New("invalid data") + } + if depth > maxDepth { + return nil, errors.New("invalid resource depth") + } + resources := []Resource{} + namedEntries := binary.LittleEndian.Uint16(base[12:14]) + idEntries := binary.LittleEndian.Uint16(base[14:16]) + numEntries := int(namedEntries + idEntries) + entriesData := base[16:] + if len(entriesData) < numEntries*8 { + // invalid directory + return nil, nil + } + + for i := 0; i < numEntries; i++ { + entryData := entriesData[8*i:] + leafRoot := root + + if leafRoot == "" { + var err error + leafRoot, err = parseName(global, entryData) + if err != nil { + // invalid name, still attempt to parse + leafRoot = "UNKNOWN" + } + } + + entryResources, err := parseEntry(virtualAddress, leafRoot, global, entryData, depth) + if err != nil { + // if we threw an error, just swallow it to keep trying to parse + return nil, nil + } + resources = append(resources, entryResources...) + } + return resources, nil +} diff --git a/libbeat/formats/pe/section_flags.go b/libbeat/formats/pe/section_flags.go new file mode 100644 index 000000000000..511c0a34a7da --- /dev/null +++ b/libbeat/formats/pe/section_flags.go 
@@ -0,0 +1,166 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package pe + +const ( + IMAGE_SCN_TYPE_NO_PAD uint32 = 0x00000008 + IMAGE_SCN_CNT_CODE uint32 = 0x00000020 + IMAGE_SCN_CNT_INITIALIZED_DATA uint32 = 0x00000040 + IMAGE_SCN_CNT_UNINITIALIZED_DATA uint32 = 0x00000080 + IMAGE_SCN_LNK_OTHER uint32 = 0x00000100 + IMAGE_SCN_LNK_INFO uint32 = 0x00000200 + IMAGE_SCN_LNK_REMOVE uint32 = 0x00000800 + IMAGE_SCN_LNK_COMDAT uint32 = 0x00001000 + IMAGE_SCN_GPREL uint32 = 0x00008000 + IMAGE_SCN_MEM_PURGEABLE uint32 = 0x00020000 + IMAGE_SCN_MEM_16BIT uint32 = 0x00020000 + IMAGE_SCN_MEM_LOCKED uint32 = 0x00040000 + IMAGE_SCN_MEM_PRELOAD uint32 = 0x00080000 + IMAGE_SCN_ALIGN_1BYTES uint32 = 0x00100000 + IMAGE_SCN_ALIGN_2BYTES uint32 = 0x00200000 + IMAGE_SCN_ALIGN_4BYTES uint32 = 0x00300000 + IMAGE_SCN_ALIGN_8BYTES uint32 = 0x00400000 + IMAGE_SCN_ALIGN_16BYTES uint32 = 0x00500000 + IMAGE_SCN_ALIGN_32BYTES uint32 = 0x00600000 + IMAGE_SCN_ALIGN_64BYTES uint32 = 0x00700000 + IMAGE_SCN_ALIGN_128BYTES uint32 = 0x00800000 + IMAGE_SCN_ALIGN_256BYTES uint32 = 0x00900000 + IMAGE_SCN_ALIGN_512BYTES uint32 = 0x00A00000 + IMAGE_SCN_ALIGN_1024BYTES uint32 = 0x00B00000 + IMAGE_SCN_ALIGN_2048BYTES uint32 = 0x00C00000 + 
IMAGE_SCN_ALIGN_4096BYTES uint32 = 0x00D00000 + IMAGE_SCN_ALIGN_8192BYTES uint32 = 0x00E00000 + IMAGE_SCN_LNK_NRELOC_OVFL uint32 = 0x01000000 + IMAGE_SCN_MEM_DISCARDABLE uint32 = 0x02000000 + IMAGE_SCN_MEM_NOT_CACHED uint32 = 0x04000000 + IMAGE_SCN_MEM_NOT_PAGED uint32 = 0x08000000 + IMAGE_SCN_MEM_SHARED uint32 = 0x10000000 + IMAGE_SCN_MEM_EXECUTE uint32 = 0x20000000 + IMAGE_SCN_MEM_READ uint32 = 0x40000000 + IMAGE_SCN_MEM_WRITE uint32 = 0x80000000 +) + +func translateSectionFlags(characteristics uint32) []string { + flags := []string{} + if (characteristics & IMAGE_SCN_TYPE_NO_PAD) != 0 { + flags = append(flags, "IMAGE_SCN_TYPE_NO_PAD") + } + if (characteristics & IMAGE_SCN_CNT_CODE) != 0 { + flags = append(flags, "IMAGE_SCN_CNT_CODE") + } + if (characteristics & IMAGE_SCN_CNT_INITIALIZED_DATA) != 0 { + flags = append(flags, "IMAGE_SCN_CNT_INITIALIZED_DATA") + } + if (characteristics & IMAGE_SCN_CNT_UNINITIALIZED_DATA) != 0 { + flags = append(flags, "IMAGE_SCN_CNT_UNINITIALIZED_DATA") + } + if (characteristics & IMAGE_SCN_LNK_OTHER) != 0 { + flags = append(flags, "IMAGE_SCN_LNK_OTHER") + } + if (characteristics & IMAGE_SCN_LNK_INFO) != 0 { + flags = append(flags, "IMAGE_SCN_LNK_INFO") + } + if (characteristics & IMAGE_SCN_LNK_REMOVE) != 0 { + flags = append(flags, "IMAGE_SCN_LNK_REMOVE") + } + if (characteristics & IMAGE_SCN_LNK_COMDAT) != 0 { + flags = append(flags, "IMAGE_SCN_LNK_COMDAT") + } + if (characteristics & IMAGE_SCN_GPREL) != 0 { + flags = append(flags, "IMAGE_SCN_GPREL") + } + if (characteristics & IMAGE_SCN_MEM_PURGEABLE) != 0 { + flags = append(flags, "IMAGE_SCN_MEM_PURGEABLE") + } + if (characteristics & IMAGE_SCN_MEM_16BIT) != 0 { + flags = append(flags, "IMAGE_SCN_MEM_16BIT") + } + if (characteristics & IMAGE_SCN_MEM_LOCKED) != 0 { + flags = append(flags, "IMAGE_SCN_MEM_LOCKED") + } + if (characteristics & IMAGE_SCN_MEM_PRELOAD) != 0 { + flags = append(flags, "IMAGE_SCN_MEM_PRELOAD") + } + if (characteristics & IMAGE_SCN_ALIGN_1BYTES) != 0 { + 
flags = append(flags, "IMAGE_SCN_ALIGN_1BYTES") + } + if (characteristics & IMAGE_SCN_ALIGN_2BYTES) != 0 { + flags = append(flags, "IMAGE_SCN_ALIGN_2BYTES") + } + if (characteristics & IMAGE_SCN_ALIGN_4BYTES) != 0 { + flags = append(flags, "IMAGE_SCN_ALIGN_4BYTES") + } + if (characteristics & IMAGE_SCN_ALIGN_8BYTES) != 0 { + flags = append(flags, "IMAGE_SCN_ALIGN_8BYTES") + } + if (characteristics & IMAGE_SCN_ALIGN_16BYTES) != 0 { + flags = append(flags, "IMAGE_SCN_ALIGN_16BYTES") + } + if (characteristics & IMAGE_SCN_ALIGN_32BYTES) != 0 { + flags = append(flags, "IMAGE_SCN_ALIGN_32BYTES") + } + if (characteristics & IMAGE_SCN_ALIGN_64BYTES) != 0 { + flags = append(flags, "IMAGE_SCN_ALIGN_64BYTES") + } + if (characteristics & IMAGE_SCN_ALIGN_128BYTES) != 0 { + flags = append(flags, "IMAGE_SCN_ALIGN_128BYTES") + } + if (characteristics & IMAGE_SCN_ALIGN_256BYTES) != 0 { + flags = append(flags, "IMAGE_SCN_ALIGN_256BYTES") + } + if (characteristics & IMAGE_SCN_ALIGN_512BYTES) != 0 { + flags = append(flags, "IMAGE_SCN_ALIGN_512BYTES") + } + if (characteristics & IMAGE_SCN_ALIGN_1024BYTES) != 0 { + flags = append(flags, "IMAGE_SCN_ALIGN_1024BYTES") + } + if (characteristics & IMAGE_SCN_ALIGN_2048BYTES) != 0 { + flags = append(flags, "IMAGE_SCN_ALIGN_2048BYTES") + } + if (characteristics & IMAGE_SCN_ALIGN_4096BYTES) != 0 { + flags = append(flags, "IMAGE_SCN_ALIGN_4096BYTES") + } + if (characteristics & IMAGE_SCN_ALIGN_8192BYTES) != 0 { + flags = append(flags, "IMAGE_SCN_ALIGN_8192BYTES") + } + if (characteristics & IMAGE_SCN_LNK_NRELOC_OVFL) != 0 { + flags = append(flags, "IMAGE_SCN_LNK_NRELOC_OVFL") + } + if (characteristics & IMAGE_SCN_MEM_DISCARDABLE) != 0 { + flags = append(flags, "IMAGE_SCN_MEM_DISCARDABLE") + } + if (characteristics & IMAGE_SCN_MEM_NOT_CACHED) != 0 { + flags = append(flags, "IMAGE_SCN_MEM_NOT_CACHED") + } + if (characteristics & IMAGE_SCN_MEM_NOT_PAGED) != 0 { + flags = append(flags, "IMAGE_SCN_MEM_NOT_PAGED") + } + if (characteristics & 
IMAGE_SCN_MEM_SHARED) != 0 { + flags = append(flags, "IMAGE_SCN_MEM_SHARED") + } + if (characteristics & IMAGE_SCN_MEM_EXECUTE) != 0 { + flags = append(flags, "IMAGE_SCN_MEM_EXECUTE") + } + if (characteristics & IMAGE_SCN_MEM_READ) != 0 { + flags = append(flags, "IMAGE_SCN_MEM_READ") + } + if (characteristics & IMAGE_SCN_MEM_WRITE) != 0 { + flags = append(flags, "IMAGE_SCN_MEM_WRITE") + } + return flags +} diff --git a/libbeat/formats/pe/utils.go b/libbeat/formats/pe/utils.go new file mode 100644 index 000000000000..813e2aafcf52 --- /dev/null +++ b/libbeat/formats/pe/utils.go @@ -0,0 +1,26 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package pe + +func countValue(group map[string]int, value string) { + if found, ok := group[value]; ok { + group[value] = found + 1 + return + } + group[value] = 1 +} diff --git a/libbeat/formats/pe/version_info.go b/libbeat/formats/pe/version_info.go new file mode 100644 index 000000000000..57abd7c30ff9 --- /dev/null +++ b/libbeat/formats/pe/version_info.go 
@@ -0,0 +1,124 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package pe + +import ( + "bytes" + "encoding/binary" + + "github.com/elastic/beats/v7/libbeat/formats/common" +) + +var ( + stringFileInfo = []byte{83, 0, 116, 0, 114, 0, 105, 0, 110, 0, 103, 0, 70, 0, 105, 0, 108, 0, 101, 0, 73, 0, 110, 0, 102, 0, 111, 0} +) + +func readStrings(data []byte) []VersionInfo { + childStrings := []VersionInfo{} + offset := 0 + for { + if len(data) < offset+2 { + return childStrings + } + stringData := data[offset:] + stringSize := binary.LittleEndian.Uint16(stringData[0:2]) + if stringSize == 0 { + offset += 2 + continue + } + if len(stringData) < 6 { + // we have junk string, just try and read past the offset + offset += int(stringSize) + continue + } + valueType := binary.LittleEndian.Uint16(stringData[4:6]) + if valueType == 1 { + key := common.ReadUnicode(stringData, 6) + paddingOffset := len(key)*2 + 8 + paddedOffset := paddingOffset + (paddingOffset % 4) + if len(stringData) >= paddedOffset+1 { + value := common.ReadUnicode(stringData, paddedOffset) + if value != "" { + childStrings = append(childStrings, VersionInfo{ + Name: key, + Value: value, + }) + } + } + } + offset += int(stringSize) + } +} + +func 
readStringTables(data []byte) []VersionInfo { + childStrings := []VersionInfo{} + offset := 0 + for { + if len(data) < offset+2 { + return childStrings + } + tableData := data[offset:] + tableSize := binary.LittleEndian.Uint16(tableData[0:2]) + if tableSize == 0 { + offset += 2 + continue + } + // An 8-digit hexadecimal number stored as a Unicode string + szKeyLength := 8 * 2 + childOffset := szKeyLength + 6 + paddedOffset := childOffset + (childOffset % 4) + childEnd := int(tableSize) - paddedOffset + if childEnd < paddedOffset || len(tableData) < paddedOffset+1 || len(tableData) < int(tableSize)-paddedOffset { + // we have an invalid string + offset += int(tableSize) + continue + } + children := tableData[paddedOffset:childEnd] + + childStrings = append(childStrings, readStrings(children)...) + offset += int(tableSize) + } +} + +func readStringFileInfo(data []byte) []VersionInfo { + szKeyLength := len(stringFileInfo) + if len(data) < szKeyLength { + return nil + } + for i := 0; i < len(data)-szKeyLength; i++ { + szKey := data[i : i+szKeyLength] + if bytes.Compare(szKey, stringFileInfo) == 0 { + return readStringTables(data[i+szKeyLength+(i+szKeyLength)%4:]) + } + } + return nil +} + +func getVersionInfoForResources(resources []Resource) map[string]string { + for _, resource := range resources { + if resource.Type == "RT_VERSION" { + versionInfo := readStringFileInfo(resource.data) + data := make(map[string]string, len(versionInfo)) + for _, info := range versionInfo { + data[info.Name] = info.Value + } + return data + } + } + return nil +} diff --git a/libbeat/mime/byte.go b/libbeat/mime/byte.go index c8be7def3614..3f244d2e6f9e 100644 --- a/libbeat/mime/byte.go +++ b/libbeat/mime/byte.go 
@@ -32,6 +32,16 @@ const ( maxHeaderSize = 8192 ) +var addedTypes = map[string]func([]byte) bool{ + "application/x-ms-shortcut": lnk, +} + +func init() { + for mimeType, matcher := range addedTypes { + filetype.AddMatcher(filetype.NewType(mimeType, mimeType), matcher) + } +} + // DetectBytes tries to detect a mime-type based off // of a chunk of bytes passed into the function func DetectBytes(data []byte) string { diff --git a/libbeat/mime/reader.go b/libbeat/mime/reader.go new file mode 100644 index 000000000000..f3453400eef5 --- /dev/null +++ b/libbeat/mime/reader.go @@ -0,0 +1,33 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package mime + +import ( + "io" +) + +// DetectReader tries to detect a mime-type based off +// of a chunk of bytes passed in through an io.Reader +func DetectReader(data io.Reader) string { + buffer := make([]byte, maxHeaderSize) + n, err := io.ReadFull(data, buffer) + if err == nil || err == io.ErrUnexpectedEOF { + return DetectBytes(buffer[:n]) + } + return "" +} diff --git a/libbeat/mime/types.go b/libbeat/mime/types.go new file mode 100644 index 000000000000..9eaf5c38f951 --- /dev/null +++ b/libbeat/mime/types.go 
@@ -0,0 +1,21 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. +package mime + +func lnk(buf []byte) bool { + return len(buf) > 3 && (buf[0] == 0x4C && buf[1] == 0x00 && buf[2] == 0x00 && buf[3] == 0x00) +} diff --git a/libbeat/processors/actions/add_file_data.go b/libbeat/processors/actions/add_file_data.go new file mode 100644 index 000000000000..1dc29d086fb8 --- /dev/null +++ b/libbeat/processors/actions/add_file_data.go 
@@ -0,0 +1,216 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package actions + +import ( + "encoding/json" + "fmt" + "io" + "os" + "regexp" + + "github.com/pkg/errors" + + "github.com/elastic/beats/v7/libbeat/beat" + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/common/cfgwarn" + "github.com/elastic/beats/v7/libbeat/formats/elf" + "github.com/elastic/beats/v7/libbeat/formats/lnk" + "github.com/elastic/beats/v7/libbeat/formats/macho" + "github.com/elastic/beats/v7/libbeat/formats/pe" + "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/beats/v7/libbeat/mime" + "github.com/elastic/beats/v7/libbeat/processors" + "github.com/elastic/beats/v7/libbeat/processors/checks" +) + +const ( + addFileDataName = "add_file_data" + addFileDataLogName = "processor." 
+ addFileDataName + defaultFilePathField = "file.path" + defaultTargetField = "file" +) + +func init() { + processors.RegisterPlugin(addFileDataName, + checks.ConfigChecked(NewAddFileData, + checks.AllowedFields("field", "target", "exclude", "only", "pattern", "ignore_failure"))) +} + +type addFileDataProcessor struct { + Field string `config:"field"` + Target string `config:"target"` + Exclude *[]string `config:"exclude"` + Only *[]string `config:"only"` + Pattern string `config:"pattern"` + IgnoreFailure bool `config:"ignore_failure"` + + parsers []*parser + compiled *regexp.Regexp + log *logp.Logger +} + +// NewAddFileData constructs a add format data processor. +func NewAddFileData(cfg *common.Config) (processors.Processor, error) { + cfgwarn.Beta("The " + addFileDataName + " processor is beta.") + log := logp.NewLogger(addFileDataLogName) + addFileData := &addFileDataProcessor{ + Field: defaultFilePathField, + Target: defaultTargetField, + log: log, + } + if err := cfg.Unpack(addFileData); err != nil { + return nil, errors.Wrapf(err, "fail to unpack the "+addFileDataName+" configuration") + } + if addFileData.Pattern != "" { + compiled, err := regexp.Compile(addFileData.Pattern) + if err != nil { + return nil, errors.Wrap(err, fmt.Sprintf("invalid pattern for "+addFileDataName+": '%s'", addFileData.Pattern)) + } + addFileData.compiled = compiled + } + parsers := allParsers + // only takes precedence to exclude + if addFileData.Only != nil { + parsers = onlyParsers(*addFileData.Only) + } + if addFileData.Exclude != nil { + parsers = filterParsers(*addFileData.Exclude) + } + addFileData.parsers = parsers + + return addFileData, nil +} + +func (a *addFileDataProcessor) applyParser(event *beat.Event, path string) error { + file, err := os.Open(path) + if err != nil { + return err + } + mimeType := mime.DetectReader(file) + if mimeType == "" { + // we couldn't identify the file, don't parse it + return nil + } + for _, parser := range a.parsers { + if mimeType == 
parser.mimeType { + data, err := parser.parse(file) + if err != nil { + return err + } + target := a.Target + "." + parser.target + event.Fields.DeepUpdate(common.MapStr{ + target: honorStructTagsHack(data), + }) + return nil + } + } + return nil +} + +func honorStructTagsHack(data interface{}) map[string]interface{} { + unmarshaled := make(map[string]interface{}) + marshaled, _ := json.Marshal(data) + json.Unmarshal(marshaled, &unmarshaled) + return unmarshaled +} + +func (a *addFileDataProcessor) Run(event *beat.Event) (*beat.Event, error) { + valI, err := event.GetValue(a.Field) + if err != nil { + // doesn't have the required fieldd value to analyze + return event, nil + } + val, _ := valI.(string) + if val == "" { + // wrong type or not set + return event, nil + } + if a.compiled != nil { + if !a.compiled.MatchString(val) { + // we filtered out this event + return event, nil + } + } + if err := a.applyParser(event, val); err != nil { + if a.IgnoreFailure { + a.log.Debugf("failed to parse file because of error: %v", err) + return event, nil + } + return event, err + } + return event, nil +} + +func (a *addFileDataProcessor) String() string { + return fmt.Sprintf("%s=%+v,%+v,%+v", addFileDataName, a.Field, a.Exclude, a.Only) +} + +type parser struct { + name string + target string + mimeType string + parse func(r io.ReaderAt) (interface{}, error) +} + +var allParsers = []*parser{ + makeParser("pe", "pe", "application/vnd.microsoft.portable-executable", pe.Parse), + makeParser("macho", "macho", "application/x-mach-binary", macho.Parse), + makeParser("elf", "elf", "application/x-executable", elf.Parse), + makeParser("lnk", "lnk", "application/x-ms-shortcut", lnk.Parse), +} + +func makeParser(name, target, mimeType string, parse func(r io.ReaderAt) (interface{}, error)) *parser { + return &parser{ + name: name, + target: target, + mimeType: mimeType, + parse: parse, + } +} + +func filterParsers(exclude []string) []*parser { + parsers := []*parser{} + exclusionSet 
:= map[string]struct{}{} + for _, exclusion := range exclude { + exclusionSet[exclusion] = struct{}{} + } + + for _, parser := range allParsers { + if _, ok := exclusionSet[parser.name]; ok { + continue + } + parsers = append(parsers, parser) + } + return parsers +} + +func onlyParsers(only []string) []*parser { + parsers := []*parser{} + inclusionSet := map[string]struct{}{} + for _, inclusion := range only { + inclusionSet[inclusion] = struct{}{} + } + + for _, parser := range allParsers { + if _, ok := inclusionSet[parser.name]; ok { + parsers = append(parsers, parser) + } + } + return parsers +} diff --git a/libbeat/processors/actions/add_file_data_test.go b/libbeat/processors/actions/add_file_data_test.go new file mode 100644 index 000000000000..e89b065a1eae --- /dev/null +++ b/libbeat/processors/actions/add_file_data_test.go 
@@ -0,0 +1,185 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package actions + +import ( + "testing" + + "github.com/stretchr/testify/require" + + "github.com/elastic/beats/v7/libbeat/beat" + "github.com/elastic/beats/v7/libbeat/common" +) + +func TestFileDataPE(t *testing.T) { + evt := beat.Event{ + Fields: common.MapStr{ + "foo.bar.baz": "../../formats/fixtures/pe/hello-windows", + }, + } + p, err := NewAddFileData(common.MustNewConfigFrom(map[string]interface{}{ + "field": "foo.bar.baz", + })) + require.NoError(t, err) + observed, err := p.Run(&evt) + require.NoError(t, err) + _, err = observed.Fields.GetValue("file.pe") + require.NoError(t, err) +} + +func TestFileDataMachO(t *testing.T) { + evt := beat.Event{ + Fields: common.MapStr{ + "foo.bar.baz": "../../formats/fixtures/macho/hello-darwin", + }, + } + p, err := NewAddFileData(common.MustNewConfigFrom(map[string]interface{}{ + "field": "foo.bar.baz", + })) + require.NoError(t, err) + observed, err := p.Run(&evt) + require.NoError(t, err) + _, err = observed.Fields.GetValue("file.macho") + require.NoError(t, err) +} + +func TestFileDataElf(t *testing.T) { + evt := beat.Event{ + Fields: common.MapStr{ + "foo.bar.baz": "../../formats/fixtures/elf/hello-linux", 
+ }, + } + p, err := NewAddFileData(common.MustNewConfigFrom(map[string]interface{}{ + "field": "foo.bar.baz", + })) + require.NoError(t, err) + observed, err := p.Run(&evt) + require.NoError(t, err) + _, err = observed.Fields.GetValue("file.elf") + require.NoError(t, err) +} + +func TestFileDataLnk(t *testing.T) { + evt := beat.Event{ + Fields: common.MapStr{ + "foo.bar.baz": "../../formats/fixtures/lnk/local_cmd.lnk", + }, + } + p, err := NewAddFileData(common.MustNewConfigFrom(map[string]interface{}{ + "field": "foo.bar.baz", + })) + require.NoError(t, err) + observed, err := p.Run(&evt) + require.NoError(t, err) + _, err = observed.Fields.GetValue("file.lnk") + require.NoError(t, err) +} + +func TestFileDataOnly(t *testing.T) { + evt := beat.Event{ + Fields: common.MapStr{ + "foo.bar.baz": "../../formats/fixtures/pe/hello-windows", + }, + } + p, err := NewAddFileData(common.MustNewConfigFrom(map[string]interface{}{ + "field": "foo.bar.baz", + "only": []string{"macho"}, + })) + require.NoError(t, err) + observed, err := p.Run(&evt) + require.NoError(t, err) + _, err = observed.Fields.GetValue("file.pe") + require.Error(t, err) +} + +func TestFileDataExclude(t *testing.T) { + evt := beat.Event{ + Fields: common.MapStr{ + "foo.bar.baz": "../../formats/fixtures/pe/hello-windows", + }, + } + p, err := NewAddFileData(common.MustNewConfigFrom(map[string]interface{}{ + "field": "foo.bar.baz", + "exclude": []string{"pe"}, + })) + require.NoError(t, err) + observed, err := p.Run(&evt) + require.NoError(t, err) + _, err = observed.Fields.GetValue("file.pe") + require.Error(t, err) +} + +func TestFileDataPattern(t *testing.T) { + evt := beat.Event{ + Fields: common.MapStr{ + "foo.bar.baz": "../../formats/fixtures/pe/hello-windows", + }, + } + p, err := NewAddFileData(common.MustNewConfigFrom(map[string]interface{}{ + "field": "foo.bar.baz", + "pattern": "^$", // don't match anything + })) + require.NoError(t, err) + observed, err := p.Run(&evt) + require.NoError(t, err) + 
_, err = observed.Fields.GetValue("file.pe") + require.Error(t, err) +} + +func TestFileDataTarget(t *testing.T) { + evt := beat.Event{ + Fields: common.MapStr{ + "foo.bar.baz": "../../formats/fixtures/pe/hello-windows", + }, + } + p, err := NewAddFileData(common.MustNewConfigFrom(map[string]interface{}{ + "field": "foo.bar.baz", + "target": "zoiks", + })) + require.NoError(t, err) + observed, err := p.Run(&evt) + require.NoError(t, err) + _, err = observed.Fields.GetValue("zoiks.pe") + require.NoError(t, err) +} + +func TestFileDataIgnoreFailure(t *testing.T) { + evt := beat.Event{ + Fields: common.MapStr{ + "file.path": "./doesnotexist", + }, + } + p, err := NewAddFileData(common.MustNewConfigFrom(map[string]interface{}{ + "ignore_failure": true, + })) + require.NoError(t, err) + _, err = p.Run(&evt) + require.NoError(t, err) +} + +func TestFileDataNoIgnoreFailure(t *testing.T) { + evt := beat.Event{ + Fields: common.MapStr{ + "file.path": "./doesnotexist", + }, + } + p, err := NewAddFileData(common.MustNewConfigFrom(map[string]interface{}{})) + require.NoError(t, err) + _, err = p.Run(&evt) + require.Error(t, err) +} diff --git a/libbeat/processors/actions/docs/add_file_data.asciidoc b/libbeat/processors/actions/docs/add_file_data.asciidoc new file mode 100644 index 000000000000..a6b24c1f132a --- /dev/null +++ b/libbeat/processors/actions/docs/add_file_data.asciidoc 
@@ -0,0 +1,34 @@ +[[add-file-data]] +=== Add file data + +++++ +add_file_data +++++ + +beta[] + +The `add_file_data` processor adds file format specific data based +off of a file at a given path in `field`. If the processor +supports the file's file type, the extracted information is added +under the `target` field with a sub-key based off of the type. The +supported file types are `pe`, `macho`, `elf`, and `lnk`. + +`field`:: Use the given field as a file path. +`target`:: Use the given field as the location for dumping the file data. +`exclude`:: Exclude the specified file parsers. +`only`:: Use only the specified file parsers. +`pattern`:: Only attempt to parse files that match the given regex. +`ignore_failure`:: No-op if the file could not successfully be parsed. + +[source,yaml] +------- +processors: + - add_file_data: + field: dll.path + target: dll + only: + - pe + pattern: "^.*\.dll$" +------- + +See <> for a list of supported conditions. diff --git a/x-pack/auditbeat/auditbeat.reference.yml b/x-pack/auditbeat/auditbeat.reference.yml index 274bc3f3b331..4d155d0e5172 100644 --- a/x-pack/auditbeat/auditbeat.reference.yml +++ b/x-pack/auditbeat/auditbeat.reference.yml @@ -116,6 +116,12 @@ auditbeat.modules: # Set to true to publish fields with null values in events. #keep_null: false + # Uncomment the following to parse object files that trigger events + #processors: + # - add_file_data: + # ignore_failure: true + + # The system module collects security related information about a host. # All datasets send both periodic state information (e.g. all currently # running processes) and real-time changes (e.g. when a new process starts
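Review bot: in the add_file_data_test.go hunk, `TestFileDataOnly`, `TestFileDataExclude` and `TestFileDataPattern` only assert that `file.pe` is absent (`require.Error` on `GetValue("file.pe")`), so an implementation that silently parses nothing would pass all three; add the positive counterpart for each, e.g. `"only": []string{"pe"}` and a `pattern` that matches `hello-windows` against the same fixture, followed by `require.NoError(t, err)` on `GetValue("file.pe")`. The same hunk also fixes the processor's defaults by implication only: `TestFileDataIgnoreFailure` and `TestFileDataNoIgnoreFailure` set no `field` and rely on `file.path` being read, and the other tests rely on `file` being the default `target`; a short comment on those tests would make that contract explicit rather than something the next reader has to infer.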
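Review bot: the YAML example in add_file_data.asciidoc, `pattern: "^.*\.dll$"`, will not load: in a double-quoted YAML scalar `\.` is an unknown escape and go-yaml rejects it ("found unknown escape character") when the beat parses its config, so anyone who copies the snippet gets a startup failure. Use single quotes, `pattern: '^.*\.dll$'`, or double the backslash. The option list should also state the defaults the tests depend on, `field` defaulting to `file.path` and `target` to `file`, since the reference-config example below sets neither; and the closing line `See <> for a list of supported conditions.` has an empty cross-reference target as shown here, so check that it renders to the intended anchor. Minor style: "based off of a file" reads better as "based on the file".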
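Review bot: the commented auditbeat.reference.yml example enables `add_file_data` with nothing but `ignore_failure: true`, so with the defaults every event that carries a `file.path` makes the beat open and parse that file, whatever it is, and `ignore_failure` then hides every parse error. Since the comment says the intent is to parse "object files that trigger events", show a bounded configuration that operators can copy as-is, for example adding `#      pattern: '^.*\.(exe|dll|so)$'` (single-quoted, so the backslash survives YAML parsing) or an `only:` list under the `add_file_data` entry, and keep `ignore_failure: true` with a one-line comment that it exists because most changed files will not be a supported format.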
