From 337879e8e0cbb93e36d61a426ad86badce1805fb Mon Sep 17 00:00:00 2001 
From: Andrew Stucki Date: Mon, 22 Feb 2021 15:50:26 -0500 Subject: [PATCH 01/30] Add file format parsers --- go.mod | 2 + go.sum | 6 + libbeat/formats/common/chi.go | 25 + libbeat/formats/common/entropy.go | 23 + libbeat/formats/common/string.go | 15 + libbeat/formats/common/unicode.go | 22 + libbeat/formats/elf/.gitignore | 4 + libbeat/formats/elf/elf.go | 142 +++++ libbeat/formats/elf/elf_fuzz.go | 12 + libbeat/formats/elf/elf_test.go | 44 ++ libbeat/formats/elf/machine.go | 200 +++++++ libbeat/formats/elf/prog.go | 35 ++ libbeat/formats/elf/section.go | 86 +++ libbeat/formats/elf/telfhash.go | 221 +++++++ libbeat/formats/elf/tlsh.go | 229 ++++++++ .../0e8e8ead37a39ad29c63f2882e64772f7d47d666 | Bin 0 -> 65 bytes .../formats/fixtures/elf/crashes/README.txt | 6 + .../fcc78f3e10a96840e0722882649a8534ee55d7c8 | Bin 0 -> 100 bytes libbeat/formats/fixtures/elf/hello-linux | Bin 0 -> 5728 bytes .../fixtures/elf/hello-linux.fingerprint | 310 ++++++++++ .../fixtures/lnk/local.directory.seven.lnk | Bin 0 -> 1114 bytes .../lnk/local.directory.seven.lnk.fingerprint | 110 ++++ .../fixtures/lnk/local.directory.xp.lnk | Bin 0 -> 459 bytes .../lnk/local.directory.xp.lnk.fingerprint | 72 +++ .../fixtures/lnk/local.file.darwin.lnk | Bin 0 -> 2471 bytes .../lnk/local.file.darwin.lnk.fingerprint | 60 ++ .../formats/fixtures/lnk/local.file.env.lnk | Bin 0 -> 1979 bytes .../lnk/local.file.env.lnk.fingerprint | 146 +++++ .../formats/fixtures/lnk/local.file.exec.lnk | Bin 0 -> 1337 bytes .../lnk/local.file.exec.lnk.fingerprint | 155 +++++ .../fixtures/lnk/local.file.icoset.lnk | Bin 0 -> 1037 bytes .../lnk/local.file.icoset.lnk.fingerprint | 97 ++++ .../formats/fixtures/lnk/local.file.seven.lnk | Bin 0 -> 1012 bytes .../lnk/local.file.seven.lnk.fingerprint | 104 ++++ .../formats/fixtures/lnk/local.file.xp.lnk | Bin 0 -> 498 bytes .../lnk/local.file.xp.lnk.fingerprint | 74 +++ libbeat/formats/fixtures/lnk/local_cmd.lnk | Bin 0 -> 1380 bytes .../fixtures/lnk/local_cmd.lnk.fingerprint | 
117 ++++ .../formats/fixtures/lnk/local_unicode.lnk | Bin 0 -> 848 bytes .../lnk/local_unicode.lnk.fingerprint | 93 +++ libbeat/formats/fixtures/lnk/local_win31j.lnk | Bin 0 -> 913 bytes .../fixtures/lnk/local_win31j.lnk.fingerprint | 98 ++++ libbeat/formats/fixtures/lnk/microsoft.lnk | Bin 0 -> 459 bytes .../fixtures/lnk/microsoft.lnk.fingerprint | 69 +++ .../fixtures/lnk/native.2008srv.01.lnk | Bin 0 -> 1579 bytes .../lnk/native.2008srv.01.lnk.fingerprint | 80 +++ .../fixtures/lnk/native.2008srv.02.lnk | Bin 0 -> 230 bytes .../lnk/native.2008srv.02.lnk.fingerprint | 24 + .../fixtures/lnk/native.2008srv.03.lnk | Bin 0 -> 230 bytes .../lnk/native.2008srv.03.lnk.fingerprint | 24 + .../fixtures/lnk/native.2008srv.04.lnk | Bin 0 -> 302 bytes .../lnk/native.2008srv.04.lnk.fingerprint | 56 ++ .../fixtures/lnk/native.2008srv.05.lnk | Bin 0 -> 1669 bytes .../lnk/native.2008srv.05.lnk.fingerprint | 80 +++ .../fixtures/lnk/native.2008srv.06.lnk | Bin 0 -> 1959 bytes .../lnk/native.2008srv.06.lnk.fingerprint | 85 +++ .../fixtures/lnk/native.2008srv.07.lnk | Bin 0 -> 230 bytes .../lnk/native.2008srv.07.lnk.fingerprint | 24 + .../fixtures/lnk/native.2008srv.08.lnk | Bin 0 -> 885 bytes .../lnk/native.2008srv.08.lnk.fingerprint | 75 +++ .../fixtures/lnk/native.2008srv.09.lnk | Bin 0 -> 855 bytes .../lnk/native.2008srv.09.lnk.fingerprint | 73 +++ .../fixtures/lnk/native.2008srv.10.lnk | Bin 0 -> 294 bytes .../lnk/native.2008srv.10.lnk.fingerprint | 55 ++ .../fixtures/lnk/native.2008srv.11.lnk | Bin 0 -> 1577 bytes .../lnk/native.2008srv.11.lnk.fingerprint | 78 +++ .../fixtures/lnk/native.2008srv.12.lnk | Bin 0 -> 1615 bytes .../lnk/native.2008srv.12.lnk.fingerprint | 81 +++ .../fixtures/lnk/native.2008srv.13.lnk | Bin 0 -> 1549 bytes .../lnk/native.2008srv.13.lnk.fingerprint | 78 +++ .../fixtures/lnk/native.2008srv.14.lnk | Bin 0 -> 300 bytes .../lnk/native.2008srv.14.lnk.fingerprint | 55 ++ .../fixtures/lnk/native.2008srv.15.lnk | Bin 0 -> 254 bytes 
.../lnk/native.2008srv.15.lnk.fingerprint | 47 ++ .../fixtures/lnk/native.2008srv.16.lnk | Bin 0 -> 230 bytes .../lnk/native.2008srv.16.lnk.fingerprint | 24 + .../fixtures/lnk/native.2008srv.17.lnk | Bin 0 -> 284 bytes .../lnk/native.2008srv.17.lnk.fingerprint | 52 ++ .../fixtures/lnk/native.2008srv.18.lnk | Bin 0 -> 240 bytes .../lnk/native.2008srv.18.lnk.fingerprint | 24 + .../fixtures/lnk/native.2008srv.19.lnk | Bin 0 -> 258 bytes .../lnk/native.2008srv.19.lnk.fingerprint | 24 + .../fixtures/lnk/native.2008srv.20.lnk | Bin 0 -> 1461 bytes .../lnk/native.2008srv.20.lnk.fingerprint | 73 +++ .../formats/fixtures/lnk/native.seven.01.lnk | Bin 0 -> 953 bytes .../lnk/native.seven.01.lnk.fingerprint | 92 +++ .../formats/fixtures/lnk/native.seven.02.lnk | Bin 0 -> 444 bytes .../lnk/native.seven.02.lnk.fingerprint | 62 ++ .../formats/fixtures/lnk/native.seven.03.lnk | Bin 0 -> 383 bytes .../lnk/native.seven.03.lnk.fingerprint | 38 ++ .../formats/fixtures/lnk/native.seven.04.lnk | Bin 0 -> 953 bytes .../lnk/native.seven.04.lnk.fingerprint | 92 +++ .../formats/fixtures/lnk/native.seven.05.lnk | Bin 0 -> 186 bytes .../lnk/native.seven.05.lnk.fingerprint | 33 ++ .../formats/fixtures/lnk/native.seven.06.lnk | Bin 0 -> 156 bytes .../lnk/native.seven.06.lnk.fingerprint | 28 + .../formats/fixtures/lnk/native.seven.07.lnk | Bin 0 -> 1304 bytes .../lnk/native.seven.07.lnk.fingerprint | 47 ++ .../formats/fixtures/lnk/native.seven.08.lnk | Bin 0 -> 3115 bytes .../lnk/native.seven.08.lnk.fingerprint | 78 +++ .../formats/fixtures/lnk/native.seven.09.lnk | Bin 0 -> 1959 bytes .../lnk/native.seven.09.lnk.fingerprint | 105 ++++ .../formats/fixtures/lnk/native.seven.10.lnk | Bin 0 -> 1230 bytes .../lnk/native.seven.10.lnk.fingerprint | 45 ++ .../formats/fixtures/lnk/native.seven.11.lnk | Bin 0 -> 156 bytes .../lnk/native.seven.11.lnk.fingerprint | 28 + .../formats/fixtures/lnk/native.seven.12.lnk | Bin 0 -> 1270 bytes .../lnk/native.seven.12.lnk.fingerprint | 47 ++ 
.../formats/fixtures/lnk/native.seven.13.lnk | Bin 0 -> 489 bytes .../lnk/native.seven.13.lnk.fingerprint | 71 +++ .../formats/fixtures/lnk/native.seven.14.lnk | Bin 0 -> 1238 bytes .../lnk/native.seven.14.lnk.fingerprint | 47 ++ .../formats/fixtures/lnk/native.seven.15.lnk | Bin 0 -> 1238 bytes .../lnk/native.seven.15.lnk.fingerprint | 47 ++ .../formats/fixtures/lnk/native.seven.16.lnk | Bin 0 -> 370 bytes .../lnk/native.seven.16.lnk.fingerprint | 32 ++ .../formats/fixtures/lnk/native.seven.17.lnk | Bin 0 -> 1262 bytes .../lnk/native.seven.17.lnk.fingerprint | 45 ++ .../formats/fixtures/lnk/native.seven.18.lnk | Bin 0 -> 1304 bytes .../lnk/native.seven.18.lnk.fingerprint | 47 ++ .../formats/fixtures/lnk/native.seven.19.lnk | Bin 0 -> 1250 bytes .../lnk/native.seven.19.lnk.fingerprint | 45 ++ .../formats/fixtures/lnk/native.seven.20.lnk | Bin 0 -> 1242 bytes .../lnk/native.seven.20.lnk.fingerprint | 45 ++ libbeat/formats/fixtures/lnk/native.xp.01.lnk | Bin 0 -> 1503 bytes .../fixtures/lnk/native.xp.01.lnk.fingerprint | 77 +++ libbeat/formats/fixtures/lnk/native.xp.02.lnk | Bin 0 -> 386 bytes .../fixtures/lnk/native.xp.02.lnk.fingerprint | 31 + libbeat/formats/fixtures/lnk/native.xp.03.lnk | Bin 0 -> 1423 bytes .../fixtures/lnk/native.xp.03.lnk.fingerprint | 73 +++ libbeat/formats/fixtures/lnk/native.xp.04.lnk | Bin 0 -> 780 bytes .../fixtures/lnk/native.xp.04.lnk.fingerprint | 81 +++ libbeat/formats/fixtures/lnk/native.xp.05.lnk | Bin 0 -> 1405 bytes .../fixtures/lnk/native.xp.05.lnk.fingerprint | 73 +++ libbeat/formats/fixtures/lnk/native.xp.06.lnk | Bin 0 -> 785 bytes .../fixtures/lnk/native.xp.06.lnk.fingerprint | 81 +++ libbeat/formats/fixtures/lnk/native.xp.07.lnk | Bin 0 -> 1391 bytes .../fixtures/lnk/native.xp.07.lnk.fingerprint | 70 +++ libbeat/formats/fixtures/lnk/native.xp.08.lnk | Bin 0 -> 1443 bytes .../fixtures/lnk/native.xp.08.lnk.fingerprint | 75 +++ libbeat/formats/fixtures/lnk/native.xp.09.lnk | Bin 0 -> 773 bytes 
.../fixtures/lnk/native.xp.09.lnk.fingerprint | 81 +++ libbeat/formats/fixtures/lnk/native.xp.10.lnk | Bin 0 -> 1459 bytes .../fixtures/lnk/native.xp.10.lnk.fingerprint | 75 +++ libbeat/formats/fixtures/lnk/native.xp.11.lnk | Bin 0 -> 798 bytes .../fixtures/lnk/native.xp.11.lnk.fingerprint | 81 +++ libbeat/formats/fixtures/lnk/native.xp.12.lnk | Bin 0 -> 1429 bytes .../fixtures/lnk/native.xp.12.lnk.fingerprint | 73 +++ libbeat/formats/fixtures/lnk/native.xp.13.lnk | Bin 0 -> 1423 bytes .../fixtures/lnk/native.xp.13.lnk.fingerprint | 73 +++ libbeat/formats/fixtures/lnk/native.xp.14.lnk | Bin 0 -> 1431 bytes .../fixtures/lnk/native.xp.14.lnk.fingerprint | 73 +++ libbeat/formats/fixtures/lnk/native.xp.15.lnk | Bin 0 -> 605 bytes .../fixtures/lnk/native.xp.15.lnk.fingerprint | 59 ++ libbeat/formats/fixtures/lnk/native.xp.16.lnk | Bin 0 -> 615 bytes .../fixtures/lnk/native.xp.16.lnk.fingerprint | 59 ++ libbeat/formats/fixtures/lnk/native.xp.17.lnk | Bin 0 -> 744 bytes .../fixtures/lnk/native.xp.17.lnk.fingerprint | 81 +++ libbeat/formats/fixtures/lnk/native.xp.18.lnk | Bin 0 -> 195 bytes .../fixtures/lnk/native.xp.18.lnk.fingerprint | 29 + libbeat/formats/fixtures/lnk/native.xp.19.lnk | Bin 0 -> 179 bytes .../fixtures/lnk/native.xp.19.lnk.fingerprint | 29 + libbeat/formats/fixtures/lnk/native.xp.20.lnk | Bin 0 -> 1074 bytes .../fixtures/lnk/native.xp.20.lnk.fingerprint | 101 ++++ libbeat/formats/fixtures/lnk/net_unicode.lnk | Bin 0 -> 1745 bytes .../fixtures/lnk/net_unicode.lnk.fingerprint | 97 ++++ libbeat/formats/fixtures/lnk/net_unicode2.lnk | Bin 0 -> 1803 bytes .../fixtures/lnk/net_unicode2.lnk.fingerprint | 98 ++++ libbeat/formats/fixtures/lnk/net_win31j.lnk | Bin 0 -> 1741 bytes .../fixtures/lnk/net_win31j.lnk.fingerprint | 98 ++++ .../fixtures/lnk/remote.directory.xp.lnk | Bin 0 -> 797 bytes .../lnk/remote.directory.xp.lnk.fingerprint | 81 +++ .../fixtures/lnk/remote.file.aidlist.lnk | Bin 0 -> 1733 bytes .../lnk/remote.file.aidlist.lnk.fingerprint | 84 +++ 
.../formats/fixtures/lnk/remote.file.xp.lnk | Bin 0 -> 1134 bytes .../lnk/remote.file.xp.lnk.fingerprint | 94 +++ libbeat/formats/fixtures/macho/hello-darwin | Bin 0 -> 12532 bytes .../fixtures/macho/hello-darwin.fingerprint | 81 +++ libbeat/formats/fixtures/pe/hello-windows | Bin 0 -> 39424 bytes .../fixtures/pe/hello-windows.fingerprint | 156 +++++ libbeat/formats/lnk/.gitignore | 4 + libbeat/formats/lnk/extra.go | 116 ++++ libbeat/formats/lnk/extra_console.go | 104 ++++ libbeat/formats/lnk/extra_console_fe.go | 176 ++++++ libbeat/formats/lnk/extra_darwin_block.go | 19 + libbeat/formats/lnk/extra_environment.go | 19 + libbeat/formats/lnk/extra_icon_environment.go | 19 + libbeat/formats/lnk/extra_known_folder.go | 16 + libbeat/formats/lnk/extra_property_store.go | 405 +++++++++++++ libbeat/formats/lnk/extra_shim.go | 16 + libbeat/formats/lnk/extra_special_folder.go | 16 + libbeat/formats/lnk/extra_tracker.go | 26 + .../lnk/extra_vista_and_above_id_list.go | 16 + libbeat/formats/lnk/header.go | 263 +++++++++ libbeat/formats/lnk/lnk.go | 233 ++++++++ libbeat/formats/lnk/lnk_fuzz.go | 12 + libbeat/formats/lnk/lnk_test.go | 121 ++++ libbeat/formats/lnk/location.go | 205 +++++++ libbeat/formats/lnk/strings.go | 63 ++ libbeat/formats/lnk/target.go | 67 +++ libbeat/formats/macho/.gitignore | 4 + libbeat/formats/macho/macho.go | 150 +++++ libbeat/formats/macho/macho_fuzz.go | 12 + libbeat/formats/macho/macho_test.go | 44 ++ libbeat/formats/macho/symhash.go | 31 + libbeat/formats/pe/.gitignore | 4 + libbeat/formats/pe/imphash.go | 224 ++++++++ libbeat/formats/pe/locale.go | 234 ++++++++ libbeat/formats/pe/ordinals.go | 542 ++++++++++++++++++ libbeat/formats/pe/pe.go | 149 +++++ libbeat/formats/pe/pe_fuzz.go | 12 + libbeat/formats/pe/pe_test.go | 44 ++ libbeat/formats/pe/resources.go | 213 +++++++ libbeat/formats/pe/utils.go | 9 + libbeat/formats/pe/version_info.go | 102 ++++ 215 files changed, 10617 insertions(+) create mode 100644 libbeat/formats/common/chi.go create mode 
100644 libbeat/formats/common/entropy.go create mode 100644 libbeat/formats/common/string.go create mode 100644 libbeat/formats/common/unicode.go create mode 100644 libbeat/formats/elf/.gitignore create mode 100644 libbeat/formats/elf/elf.go create mode 100644 libbeat/formats/elf/elf_fuzz.go create mode 100644 libbeat/formats/elf/elf_test.go create mode 100644 libbeat/formats/elf/machine.go create mode 100644 libbeat/formats/elf/prog.go create mode 100644 libbeat/formats/elf/section.go create mode 100644 libbeat/formats/elf/telfhash.go create mode 100644 libbeat/formats/elf/tlsh.go create mode 100644 libbeat/formats/fixtures/elf/crashes/0e8e8ead37a39ad29c63f2882e64772f7d47d666 create mode 100644 libbeat/formats/fixtures/elf/crashes/README.txt create mode 100644 libbeat/formats/fixtures/elf/crashes/fcc78f3e10a96840e0722882649a8534ee55d7c8 create mode 100644 libbeat/formats/fixtures/elf/hello-linux create mode 100644 libbeat/formats/fixtures/elf/hello-linux.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/local.directory.seven.lnk create mode 100644 libbeat/formats/fixtures/lnk/local.directory.seven.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/local.directory.xp.lnk create mode 100644 libbeat/formats/fixtures/lnk/local.directory.xp.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/local.file.darwin.lnk create mode 100644 libbeat/formats/fixtures/lnk/local.file.darwin.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/local.file.env.lnk create mode 100644 libbeat/formats/fixtures/lnk/local.file.env.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/local.file.exec.lnk create mode 100644 libbeat/formats/fixtures/lnk/local.file.exec.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/local.file.icoset.lnk create mode 100644 libbeat/formats/fixtures/lnk/local.file.icoset.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/local.file.seven.lnk create mode 100644 
libbeat/formats/fixtures/lnk/local.file.seven.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/local.file.xp.lnk create mode 100644 libbeat/formats/fixtures/lnk/local.file.xp.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/local_cmd.lnk create mode 100644 libbeat/formats/fixtures/lnk/local_cmd.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/local_unicode.lnk create mode 100644 libbeat/formats/fixtures/lnk/local_unicode.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/local_win31j.lnk create mode 100644 libbeat/formats/fixtures/lnk/local_win31j.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/microsoft.lnk create mode 100644 libbeat/formats/fixtures/lnk/microsoft.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.2008srv.01.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.2008srv.01.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.2008srv.02.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.2008srv.02.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.2008srv.03.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.2008srv.03.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.2008srv.04.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.2008srv.04.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.2008srv.05.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.2008srv.05.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.2008srv.06.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.2008srv.06.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.2008srv.07.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.2008srv.07.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.2008srv.08.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.2008srv.08.lnk.fingerprint create mode 100644 
libbeat/formats/fixtures/lnk/native.2008srv.09.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.2008srv.09.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.2008srv.10.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.2008srv.10.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.2008srv.11.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.2008srv.11.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.2008srv.12.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.2008srv.12.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.2008srv.13.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.2008srv.13.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.2008srv.14.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.2008srv.14.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.2008srv.15.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.2008srv.15.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.2008srv.16.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.2008srv.16.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.2008srv.17.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.2008srv.17.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.2008srv.18.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.2008srv.18.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.2008srv.19.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.2008srv.19.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.2008srv.20.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.2008srv.20.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.seven.01.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.seven.01.lnk.fingerprint create mode 100644 
libbeat/formats/fixtures/lnk/native.seven.02.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.seven.02.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.seven.03.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.seven.03.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.seven.04.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.seven.04.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.seven.05.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.seven.05.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.seven.06.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.seven.06.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.seven.07.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.seven.07.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.seven.08.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.seven.08.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.seven.09.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.seven.09.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.seven.10.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.seven.10.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.seven.11.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.seven.11.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.seven.12.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.seven.12.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.seven.13.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.seven.13.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.seven.14.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.seven.14.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.seven.15.lnk create mode 100644 
libbeat/formats/fixtures/lnk/native.seven.15.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.seven.16.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.seven.16.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.seven.17.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.seven.17.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.seven.18.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.seven.18.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.seven.19.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.seven.19.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.seven.20.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.seven.20.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.xp.01.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.xp.01.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.xp.02.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.xp.02.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.xp.03.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.xp.03.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.xp.04.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.xp.04.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.xp.05.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.xp.05.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.xp.06.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.xp.06.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.xp.07.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.xp.07.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.xp.08.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.xp.08.lnk.fingerprint create mode 100644 
libbeat/formats/fixtures/lnk/native.xp.09.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.xp.09.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.xp.10.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.xp.10.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.xp.11.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.xp.11.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.xp.12.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.xp.12.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.xp.13.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.xp.13.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.xp.14.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.xp.14.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.xp.15.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.xp.15.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.xp.16.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.xp.16.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.xp.17.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.xp.17.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.xp.18.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.xp.18.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.xp.19.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.xp.19.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/native.xp.20.lnk create mode 100644 libbeat/formats/fixtures/lnk/native.xp.20.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/net_unicode.lnk create mode 100644 libbeat/formats/fixtures/lnk/net_unicode.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/net_unicode2.lnk create mode 100644 libbeat/formats/fixtures/lnk/net_unicode2.lnk.fingerprint create mode 100644 
libbeat/formats/fixtures/lnk/net_win31j.lnk create mode 100644 libbeat/formats/fixtures/lnk/net_win31j.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/remote.directory.xp.lnk create mode 100644 libbeat/formats/fixtures/lnk/remote.directory.xp.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/remote.file.aidlist.lnk create mode 100644 libbeat/formats/fixtures/lnk/remote.file.aidlist.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/lnk/remote.file.xp.lnk create mode 100644 libbeat/formats/fixtures/lnk/remote.file.xp.lnk.fingerprint create mode 100644 libbeat/formats/fixtures/macho/hello-darwin create mode 100644 libbeat/formats/fixtures/macho/hello-darwin.fingerprint create mode 100644 libbeat/formats/fixtures/pe/hello-windows create mode 100644 libbeat/formats/fixtures/pe/hello-windows.fingerprint create mode 100644 libbeat/formats/lnk/.gitignore create mode 100644 libbeat/formats/lnk/extra.go create mode 100644 libbeat/formats/lnk/extra_console.go create mode 100644 libbeat/formats/lnk/extra_console_fe.go create mode 100644 libbeat/formats/lnk/extra_darwin_block.go create mode 100644 libbeat/formats/lnk/extra_environment.go create mode 100644 libbeat/formats/lnk/extra_icon_environment.go create mode 100644 libbeat/formats/lnk/extra_known_folder.go create mode 100644 libbeat/formats/lnk/extra_property_store.go create mode 100644 libbeat/formats/lnk/extra_shim.go create mode 100644 libbeat/formats/lnk/extra_special_folder.go create mode 100644 libbeat/formats/lnk/extra_tracker.go create mode 100644 libbeat/formats/lnk/extra_vista_and_above_id_list.go create mode 100644 libbeat/formats/lnk/header.go create mode 100644 libbeat/formats/lnk/lnk.go create mode 100644 libbeat/formats/lnk/lnk_fuzz.go create mode 100644 libbeat/formats/lnk/lnk_test.go create mode 100644 libbeat/formats/lnk/location.go create mode 100644 libbeat/formats/lnk/strings.go create mode 100644 libbeat/formats/lnk/target.go create mode 100644 
libbeat/formats/macho/.gitignore create mode 100644 libbeat/formats/macho/macho.go create mode 100644 libbeat/formats/macho/macho_fuzz.go create mode 100644 libbeat/formats/macho/macho_test.go create mode 100644 libbeat/formats/macho/symhash.go create mode 100644 libbeat/formats/pe/.gitignore create mode 100644 libbeat/formats/pe/imphash.go create mode 100644 libbeat/formats/pe/locale.go create mode 100644 libbeat/formats/pe/ordinals.go create mode 100644 libbeat/formats/pe/pe.go create mode 100644 libbeat/formats/pe/pe_fuzz.go create mode 100644 libbeat/formats/pe/pe_test.go create mode 100644 libbeat/formats/pe/resources.go create mode 100644 libbeat/formats/pe/utils.go create mode 100644 libbeat/formats/pe/version_info.go
diff --git a/go.mod b/go.mod
index 504fe58a8266..065f4e11b287 100644
--- a/go.mod
+++ b/go.mod
@@ -111,6 +111,7 @@ require (
 github.com/josephspurrier/goversioninfo v0.0.0-20190209210621-63e6d1acd3dd
 github.com/jpillora/backoff v1.0.0 // indirect
 github.com/kardianos/service v1.1.0
+ github.com/knightsc/gapstone v4.0.1+incompatible
 github.com/konsorten/go-windows-terminal-sequences v1.0.2 // indirect
 github.com/lib/pq v1.1.2-0.20190507191818-2ff3cb3adc01
 github.com/magefile/mage v1.11.0
@@ -119,6 +120,7 @@ require (
 github.com/mattn/go-ieproxy v0.0.0-20191113090002-7c0f6868bffe // indirect
 github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
 github.com/miekg/dns v1.1.15
+ github.com/minio/sha256-simd v1.0.0
 github.com/mitchellh/gox v1.0.1
 github.com/mitchellh/hashstructure v0.0.0-20170116052023-ab25296c0f51
 github.com/mitchellh/mapstructure v1.3.3
diff --git a/go.sum b/go.sum
index 4fcc1ef0c5ca..56bdb2f1c9a3 100644
--- a/go.sum
+++ b/go.sum
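Review bot: The `github.com/knightsc/gapstone v4.0.1+incompatible` requirement added in the first go.mod hunk appears to be a cgo binding to the Capstone disassembler, which would make every libbeat build and cross-compile target depend on the native library being present; nothing in this commit's diff shows a build tag or packaging change that accounts for that, so it is worth confirming before merge. The `+incompatible` suffix also means the module ships no go.mod of its own, so its transitive requirements are not pinned by this file. The `github.com/minio/sha256-simd v1.0.0` line in the second hunk introduces a third-party implementation of a hash the standard library already provides; unless a measured throughput need justifies it, `crypto/sha256` keeps hashing inside the audited standard library. A short comment on each new entry naming the package under libbeat/formats that consumes it would help the next dependency audit.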
@@ -489,6 +489,10 @@ github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQL
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.11.0 h1:wJbzvpYMVGG9iTI9VxpnNZfd4DzMPoCWze3GgSqz8yg=
 github.com/klauspost/compress v1.11.0/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
+github.com/klauspost/cpuid/v2 v2.0.4 h1:g0I61F2K2DjRHz1cnxlkNSBIaePVoJIjjnHui8QHbiw=
+github.com/klauspost/cpuid/v2 v2.0.4/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
+github.com/knightsc/gapstone v4.0.1+incompatible h1:yROPRgpqBWgD/7fyH3+AJ2hQR4gYfKNFGnKcNY8HPIA=
+github.com/knightsc/gapstone v4.0.1+incompatible/go.mod h1:N9Q82fxOi8Fp9pHE2eflNZf5/FSg1815WZFhV8Gc2PE=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.2 h1:DB17ag19krx9CFsz4o3enTrPXyIXCl+2iCXH/aMAp9s=
 github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
@@ -533,6 +537,8 @@ github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182aff
 github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
 github.com/miekg/dns v1.1.15 h1:CSSIDtllwGLMoA6zjdKnaE6Tx6eVUxQ29LUgGetiDCI=
 github.com/miekg/dns v1.1.15/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
+github.com/minio/sha256-simd v1.0.0 h1:v1ta+49hkWZyvaKwrQB8elexRqm6Y0aMLjCNsrYxo6g=
+github.com/minio/sha256-simd v1.0.0/go.mod h1:OuYzVNI5vcoYIAmbIvHPl3N3jUzVedXbKy5RFepssQM=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/go-testing-interface v1.0.0 h1:fzU/JVNcaqHQEcVFAKeR41fkiLdIPrefOvVG1VZ96U0=
diff --git a/libbeat/formats/common/chi.go b/libbeat/formats/common/chi.go
new file mode 100644
index 000000000000..d87bb4ae5156
--- /dev/null
+++ b/libbeat/formats/common/chi.go
@@ -0,0 +1,25 @@
+package common
+
+import (
+ "math"
+)
+
+// ChiSquare calculates the chi-squared distribution of data
+func ChiSquare(data []byte) float64 {
+ cache := make([]float64, 256)
+ for _, b := range data {
+ cache[b] = cache[b] + 1
+ }
+
+ result := 0.0
+ length := len(data)
+ perBin := float64(length) / float64(256) // expected count per bin
+ if perBin == 0 {
+ return 0.0
+ }
+ for _, count := range cache {
+ a := count - perBin
+ result += (a * a) / perBin
+ }
+ return math.Round(result*100) / 100
+}
diff --git a/libbeat/formats/common/entropy.go b/libbeat/formats/common/entropy.go
new file mode 100644
index 000000000000..09b34bb827ec
--- /dev/null
+++ b/libbeat/formats/common/entropy.go
@@ -0,0 +1,23 @@
+package common
+
+import "math"
+
+// Entropy calculates the entropy of data
+func Entropy(data []byte) float64 {
+ cache := make(map[byte]int)
+ for _, b := range data {
+ if found, ok := cache[b]; ok {
+ cache[b] = found + 1
+ } else {
+ cache[b] = 1
+ }
+ }
+
+ result := 0.0
+ length := len(data)
+ for _, count := range cache {
+ frequency := float64(count) / float64(length)
+ result -= frequency * math.Log2(frequency)
+ }
+ return math.Round(result*100) / 100
+}
diff --git a/libbeat/formats/common/string.go b/libbeat/formats/common/string.go
new file mode 100644
index 000000000000..017d4ff4041c
--- /dev/null
+++ b/libbeat/formats/common/string.go
@@ -0,0 +1,15 @@
+package common
+
+// ReadString reads a string starting at the given offset
+func ReadString(data []byte, offset int) string {
+ if offset < 0 || offset >= len(data) {
+ return ""
+ }
+
+ for end := offset; end < len(data); end++ {
+ if data[end] == 0 {
+ return string(data[offset:end])
+ }
+ }
+ return ""
+}
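Review bot: The histogram update `cache[b] = cache[b] + 1` in ChiSquare, and the `if found, ok := cache[b]; ok { ... } else { cache[b] = 1 }` branch in Entropy in the next hunk, both spell out what the zero value already gives you; `cache[b]++` is the idiomatic form in both places and removes the else branch entirely. The doc comments also under-specify the result: ChiSquare computes the chi-squared statistic against a uniform byte distribution (the `perBin := float64(length) / float64(256)` line) and returns 0 for empty input, and Entropy computes Shannon entropy in bits via `math.Log2`, both rounded to two decimals by `math.Round(result*100) / 100`. Suggested: `// ChiSquare returns the chi-squared statistic of data against a uniform byte distribution, rounded to two decimals; empty input yields 0.` and `// Entropy returns the Shannon entropy of data in bits per byte, rounded to two decimals.`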
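Review bot: ReadString's comment does not say what happens when no NUL terminator follows offset: the loop falls through and the function returns "" rather than the trailing bytes, so a caller cannot tell an empty string from truncated data, and a silent "" is easy to misread as a parsed value when the input is malformed. The behaviour may well be intended for a fingerprinting parser, but it should be stated: `// ReadString returns the NUL-terminated string starting at offset, or "" when offset is out of range or no terminator occurs before the end of data.`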
diff --git a/libbeat/formats/common/unicode.go b/libbeat/formats/common/unicode.go
new file mode 100644
index 000000000000..a7f1b9519ee1
--- /dev/null
+++ b/libbeat/formats/common/unicode.go
@@ -0,0 +1,22 @@
+package common
+
+import (
+ "encoding/binary"
+ "unicode/utf16"
+)
+
+// ReadUnicode decodes a unicode string ending with a null
+func ReadUnicode(data []byte, offset int) string {
+ encode := []uint16{}
+ for {
+ if len(data) < offset+1 {
+ return string(utf16.Decode(encode))
+ }
+ value := binary.LittleEndian.Uint16(data[offset : offset+2])
+ if value == 0 {
+ return string(utf16.Decode(encode))
+ }
+ encode = append(encode, value)
+ offset += 2
+ }
+}
diff --git a/libbeat/formats/elf/.gitignore b/libbeat/formats/elf/.gitignore
new file mode 100644
index 000000000000..b36ad95ce030
--- /dev/null
+++ b/libbeat/formats/elf/.gitignore
@@ -0,0 +1,4 @@
+corpus
+suppressions
+crashers
+elf-fuzz.zip
diff --git a/libbeat/formats/elf/elf.go b/libbeat/formats/elf/elf.go
new file mode 100644
index 000000000000..036c63acc21a
--- /dev/null
+++ b/libbeat/formats/elf/elf.go
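Review bot: The bounds check `if len(data) < offset+1` in ReadUnicode is off by one for the two-byte read that follows: when offset == len(data)-1 the check passes and `data[offset : offset+2]` panics with a slice bounds error, and a negative offset is not rejected at all, unlike the `offset < 0 || offset >= len(data)` guard in ReadString. Since these helpers parse untrusted file contents, a malformed or truncated string field becomes a crash of the whole process rather than a parse result. Change the guard to `if offset < 0 || offset+2 > len(data) {` so both an odd trailing byte and a bad offset return what has been decoded so far. The comment could also state that an unterminated string returns the characters decoded up to the end of data.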
@@ -0,0 +1,142 @@ +package elf + +import ( + "bytes" + "crypto/md5" + "debug/elf" + "encoding/hex" + "io" + "io/ioutil" + + "github.com/elastic/beats/v7/libbeat/formats/common" +) + +// Section contains information about a section in a mach-o file. +type Section struct { + Name string `json:"name"` + Type string `json:"type"` + Address uint64 `json:"address"` + Size uint64 `json:"size"` + Offset uint64 `json:"offset"` + Entropy float64 `json:"entropy"` + ChiSquare float64 `json:"chi2"` + Flags string `json:"flags"` + MD5 string `json:"md5,omitempty"` +} + +// Segment represents a program segment +type Segment struct { + Name string `json:"name"` + Sections []string `json:"sections"` +} + +// Info contains high level fingerprinting an analysis of a mach-o file. +type Info struct { + Machine string `json:"machine"` + Segments []Segment `json:"segments,omitempty"` + Sections []Section `json:"sections,omitempty"` + Imports map[string][]string `json:"imports,omitempty"` + Exports []string `json:"exports,omitempty"` + Packer string `json:"packer,omitempty"` + Telfhash string `json:"telfhash,omitempty"` +} + +// Parse parses the elf file and returns information about it or errors. 
+func Parse(r io.ReaderAt) (*Info, error) { + elfFile, err := elf.NewFile(r) + if err != nil { + return nil, err + } + telfhash, err := telfhash(elfFile) + if err != nil { + return nil, err + } + groupedSymbols := make(map[string][]string) + importSymbols, err := elfFile.ImportedSymbols() + if err != nil { + if err != elf.ErrNoSymbols { + return nil, err + } + } + for _, symbol := range importSymbols { + library := symbol.Library + if library == "" { + library = "unknown" + } + groupedSymbols[library] = append(groupedSymbols[library], symbol.Name) + } + + segments := make(map[*elf.Prog][]string) + sections := []Section{} + for _, section := range elfFile.Sections { + var md5String string + var entropy float64 + var chiSquare float64 + + name := section.Name + if name == "" { + if section.Size == 0 { + continue + } + name = "UKNOWN" + } + for _, prog := range elfFile.Progs { + if prog.Off <= section.Offset && prog.Off+prog.Memsz > section.Offset { + // program segments can overlap, so don't break early + segments[prog] = append(segments[prog], name) + } + } + + data, err := section.Data() + if err == nil { + md5hash := md5.Sum(data) + md5String = hex.EncodeToString(md5hash[:]) + entropy = common.Entropy(data) + chiSquare = common.ChiSquare(data) + } + sections = append(sections, Section{ + Name: name, + Type: translateSectionType(section.Type), + Address: section.Addr, + Size: section.Size, + Offset: section.Offset, + Entropy: entropy, + ChiSquare: chiSquare, + Flags: translateSectionFlags(section.Flags), + MD5: md5String, + }) + } + translatedSegments := make([]Segment, len(elfFile.Progs)) + for i, prog := range elfFile.Progs { + sections, ok := segments[prog] + if !ok { + sections = []string{} + } + translatedSegments[i] = Segment{ + Name: translateProgType(prog.Type), + Sections: sections, + } + } + + return &Info{ + Machine: translateMachine(elfFile.Machine), + Sections: sections, + Segments: translatedSegments, + Imports: groupedSymbols, + Packer: 
getPacker(elfFile), + Telfhash: telfhash, + }, nil +} + +func getPacker(elfFile *elf.File) string { + // this is expensive, figure out a way of making it less so + for _, prog := range elfFile.Progs { + data, err := ioutil.ReadAll(prog.Open()) + if err == nil { + if bytes.Contains(data, []byte("UPX!")) { + return "upx" + } + } + } + return "" +} diff --git a/libbeat/formats/elf/elf_fuzz.go b/libbeat/formats/elf/elf_fuzz.go new file mode 100644 index 000000000000..0675c849d502 --- /dev/null +++ b/libbeat/formats/elf/elf_fuzz.go @@ -0,0 +1,12 @@ +// +build fuzz + +package elf + +import ( + "bytes" +) + +func Fuzz(data []byte) int { + Parse(bytes.NewReader(data)) + return 0 +} diff --git a/libbeat/formats/elf/elf_test.go b/libbeat/formats/elf/elf_test.go new file mode 100644 index 000000000000..d5eefe8e2277 --- /dev/null +++ b/libbeat/formats/elf/elf_test.go @@ -0,0 +1,44 @@ +package elf + +import ( + "encoding/json" + "io/ioutil" + "os" + "testing" + + "github.com/stretchr/testify/require" +) + +func TestBinaries(t *testing.T) { + generate := os.Getenv("GENERATE") == "1" + binaries := []string{ + "hello-linux", + } + for _, binary := range binaries { + t.Run(binary, func(t *testing.T) { + f, err := os.Open("../fixtures/elf/" + binary) + require.NoError(t, err) + defer f.Close() + + info, err := Parse(f) + require.NoError(t, err) + + expectedFile := "../fixtures/elf/" + binary + ".fingerprint" + if generate { + data, err := json.MarshalIndent(info, "", " ") + require.NoError(t, err) + require.NoError(t, ioutil.WriteFile(expectedFile, data, 0644)) + } else { + fixture, err := os.Open(expectedFile) + require.NoError(t, err) + defer fixture.Close() + expected, err := ioutil.ReadAll(fixture) + require.NoError(t, err) + + data, err := json.Marshal(info) + require.NoError(t, err) + require.JSONEq(t, string(expected), string(data)) + } + }) + } +} 
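Review bot: The segment-membership test in `Parse`, `prog.Off <= section.Offset && prog.Off+prog.Memsz > section.Offset`, mixes a file offset with the in-memory size; the file extent of a segment is `prog.Filesz` (the `Memsz` form happens to catch NOBITS sections such as .bss, but the conventional check for allocated sections is on virtual addresses, `prog.Vaddr <= section.Addr && section.Addr-prog.Vaddr < prog.Memsz`), and in either form subtracting rather than adding avoids the sum wrapping on header values taken verbatim from an untrusted file. In the same hunk, `name = "UKNOWN"` is a typo and should match the `"UNKNOWN"` that `translateProgType` and `translateSectionType` emit, before fixtures depend on it. `getPacker` reads every segment fully into memory with `ioutil.ReadAll` only to search for `UPX!`; a bounded streaming search over `bufio.NewReader(prog.Open())` would address the "this is expensive" comment and cap memory on large inputs. Segment permission bits (`prog.Flags`) are not recorded anywhere in `Info`, yet an executable stack or a writable+executable LOAD segment is one of the more useful signals a fingerprint like this can carry; consider a `Flags string` field on `Segment`.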
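Review bot: `Fuzz` always returns 0, so the fuzzer gives no priority to inputs that actually parse; returning 1 when `Parse` succeeds, `if _, err := Parse(bytes.NewReader(data)); err == nil { return 1 }`, steers the corpus toward valid ELF structure rather than early header rejections. A one-line comment that the harness only looks for panics (errors are expected on garbage input) would help the next reader.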
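Review bot: This commit adds crash inputs under `fixtures/elf/crashes/`, but `TestBinaries` never parses them, so the crashes they document are not guarded against regressing; a second test that walks that directory and asserts `Parse` returns (error or not) without panicking would keep them useful. Minor: with `GENERATE=1` the test rewrites the fixture and passes without comparing anything, which is easy to leave enabled by accident; a `t.Logf("regenerated %s", expectedFile)` would make that visible in the output.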
diff --git a/libbeat/formats/elf/machine.go b/libbeat/formats/elf/machine.go
new file mode 100644
index 000000000000..cf908297b57a
--- /dev/null
+++ b/libbeat/formats/elf/machine.go
@@ -0,0 +1,200 @@ +package elf + +import "debug/elf" + +var machineNames = map[elf.Machine]string{ + elf.EM_NONE: "Unknown machine", + elf.EM_M32: "AT&T WE32100", + elf.EM_SPARC: "Sun SPARC", + elf.EM_386: "Intel i386", + elf.EM_68K: "Motorola 68000", + elf.EM_88K: "Motorola 88000", + elf.EM_860: "Intel i860", + elf.EM_MIPS: "MIPS R3000 Big-Endian only", + elf.EM_S370: "IBM System/370", + elf.EM_MIPS_RS3_LE: "MIPS R3000 Little-Endian", + elf.EM_PARISC: "HP PA-RISC", + elf.EM_VPP500: "Fujitsu VPP500", + elf.EM_SPARC32PLUS: "SPARC v8plus", + elf.EM_960: "Intel 80960", + elf.EM_PPC: "PowerPC 32-bit", + elf.EM_PPC64: "PowerPC 64-bit", + elf.EM_S390: "IBM System/390", + elf.EM_V800: "NEC V800", + elf.EM_FR20: "Fujitsu FR20", + elf.EM_RH32: "TRW RH-32", + elf.EM_RCE: "Motorola RCE", + elf.EM_ARM: "ARM", + elf.EM_SH: "Hitachi SH", + elf.EM_SPARCV9: "SPARC v9 64-bit", + elf.EM_TRICORE: "Siemens TriCore embedded processor", + elf.EM_ARC: "Argonaut RISC Core", + elf.EM_H8_300: "Hitachi H8/300", + elf.EM_H8_300H: "Hitachi H8/300H", + elf.EM_H8S: "Hitachi H8S", + elf.EM_H8_500: "Hitachi H8/500", + elf.EM_IA_64: "Intel IA-64 Processor", + elf.EM_MIPS_X: "Stanford MIPS-X", + elf.EM_COLDFIRE: "Motorola ColdFire", + elf.EM_68HC12: "Motorola M68HC12", + elf.EM_MMA: "Fujitsu MMA", + elf.EM_PCP: "Siemens PCP", + elf.EM_NCPU: "Sony nCPU", + elf.EM_NDR1: "Denso NDR1 microprocessor", + elf.EM_STARCORE: "Motorola Star*Core processor", + elf.EM_ME16: "Toyota ME16 processor", + elf.EM_ST100: "STMicroelectronics ST100 processor", + elf.EM_TINYJ: "Advanced Logic Corp. TinyJ processor", + elf.EM_X86_64: "Advanced Micro Devices x86-64", + elf.EM_PDSP: "Sony DSP Processor", + elf.EM_PDP10: "Digital Equipment Corp. PDP-10", + elf.EM_PDP11: "Digital Equipment Corp. 
PDP-11", + elf.EM_FX66: "Siemens FX66 microcontroller", + elf.EM_ST9PLUS: "STMicroelectronics ST9+ 8/16 bit microcontroller", + elf.EM_ST7: "STMicroelectronics ST7 8-bit microcontroller", + elf.EM_68HC16: "Motorola MC68HC16 Microcontroller", + elf.EM_68HC11: "Motorola MC68HC11 Microcontroller", + elf.EM_68HC08: "Motorola MC68HC08 Microcontroller", + elf.EM_68HC05: "Motorola MC68HC05 Microcontroller", + elf.EM_SVX: "Silicon Graphics SVx", + elf.EM_ST19: "STMicroelectronics ST19 8-bit microcontroller", + elf.EM_VAX: "Digital VAX", + elf.EM_CRIS: "Axis Communications 32-bit embedded processor", + elf.EM_JAVELIN: "Infineon Technologies 32-bit embedded processor", + elf.EM_FIREPATH: "Element 14 64-bit DSP Processor", + elf.EM_ZSP: "LSI Logic 16-bit DSP Processor", + elf.EM_MMIX: "Donald Knuth's educational 64-bit processor", + elf.EM_HUANY: "Harvard University machine-independent object files", + elf.EM_PRISM: "SiTera Prism", + elf.EM_AVR: "Atmel AVR 8-bit microcontroller", + elf.EM_FR30: "Fujitsu FR30", + elf.EM_D10V: "Mitsubishi D10V", + elf.EM_D30V: "Mitsubishi D30V", + elf.EM_V850: "NEC v850", + elf.EM_M32R: "Mitsubishi M32R", + elf.EM_MN10300: "Matsushita MN10300", + elf.EM_MN10200: "Matsushita MN10200", + elf.EM_PJ: "picoJava", + elf.EM_OPENRISC: "OpenRISC 32-bit embedded processor", + elf.EM_ARC_COMPACT: "ARC International ARCompact processor (old spelling/synonym: EM_ARC_A5)", + elf.EM_XTENSA: "Tensilica Xtensa Architecture", + elf.EM_VIDEOCORE: "Alphamosaic VideoCore processor", + elf.EM_TMM_GPP: "Thompson Multimedia General Purpose Processor", + elf.EM_NS32K: "National Semiconductor 32000 series", + elf.EM_TPC: "Tenor Network TPC processor", + elf.EM_SNP1K: "Trebia SNP 1000 processor", + elf.EM_ST200: "STMicroelectronics (www.st.com) ST200 microcontroller", + elf.EM_IP2K: "Ubicom IP2xxx microcontroller family", + elf.EM_MAX: "MAX Processor", + elf.EM_CR: "National Semiconductor CompactRISC microprocessor", + elf.EM_F2MC16: "Fujitsu F2MC16", + elf.EM_MSP430: 
"Texas Instruments embedded microcontroller msp430", + elf.EM_BLACKFIN: "Analog Devices Blackfin (DSP) processor", + elf.EM_SE_C33: "S1C33 Family of Seiko Epson processors", + elf.EM_SEP: "Sharp embedded microprocessor", + elf.EM_ARCA: "Arca RISC Microprocessor", + elf.EM_UNICORE: "Microprocessor series from PKU-Unity Ltd. and MPRC of Peking University", + elf.EM_EXCESS: "eXcess: 16/32/64-bit configurable embedded CPU", + elf.EM_DXP: "Icera Semiconductor Inc. Deep Execution Processor", + elf.EM_ALTERA_NIOS2: "Altera Nios II soft-core processor", + elf.EM_CRX: "National Semiconductor CompactRISC CRX microprocessor", + elf.EM_XGATE: "Motorola XGATE embedded processor", + elf.EM_C166: "Infineon C16x/XC16x processor", + elf.EM_M16C: "Renesas M16C series microprocessors", + elf.EM_DSPIC30F: "Microchip Technology dsPIC30F Digital Signal Controller", + elf.EM_CE: "Freescale Communication Engine RISC core", + elf.EM_M32C: "Renesas M32C series microprocessors", + elf.EM_TSK3000: "Altium TSK3000 core", + elf.EM_RS08: "Freescale RS08 embedded processor", + elf.EM_SHARC: "Analog Devices SHARC family of 32-bit DSP processors", + elf.EM_ECOG2: "Cyan Technology eCOG2 microprocessor", + elf.EM_SCORE7: "Sunplus S+core7 RISC processor", + elf.EM_DSP24: "New Japan Radio (NJR) 24-bit DSP Processor", + elf.EM_VIDEOCORE3: "Broadcom VideoCore III processor", + elf.EM_LATTICEMICO32: "RISC processor for Lattice FPGA architecture", + elf.EM_SE_C17: "Seiko Epson C17 family", + elf.EM_TI_C6000: "The Texas Instruments TMS320C6000 DSP family", + elf.EM_TI_C2000: "The Texas Instruments TMS320C2000 DSP family", + elf.EM_TI_C5500: "The Texas Instruments TMS320C55x DSP family", + elf.EM_TI_ARP32: "Texas Instruments Application Specific RISC Processor, 32bit fetch", + elf.EM_TI_PRU: "Texas Instruments Programmable Realtime Unit", + elf.EM_MMDSP_PLUS: "STMicroelectronics 64bit VLIW Data Signal Processor", + elf.EM_CYPRESS_M8C: "Cypress M8C microprocessor", + elf.EM_R32C: "Renesas R32C series 
microprocessors", + elf.EM_TRIMEDIA: "NXP Semiconductors TriMedia architecture family", + elf.EM_QDSP6: "QUALCOMM DSP6 Processor", + elf.EM_8051: "Intel 8051 and variants", + elf.EM_STXP7X: "STMicroelectronics STxP7x family of configurable and extensible RISC processors", + elf.EM_NDS32: "Andes Technology compact code size embedded RISC processor family", + // elf.EM_ECOG1: "Cyan Technology eCOG1X family", + elf.EM_ECOG1X: "Cyan Technology eCOG1X family", + elf.EM_MAXQ30: "Dallas Semiconductor MAXQ30 Core Micro-controllers", + elf.EM_XIMO16: "New Japan Radio (NJR) 16-bit DSP Processor", + elf.EM_MANIK: "M2000 Reconfigurable RISC Microprocessor", + elf.EM_CRAYNV2: "Cray Inc. NV2 vector architecture", + elf.EM_RX: "Renesas RX family", + elf.EM_METAG: "Imagination Technologies META processor architecture", + elf.EM_MCST_ELBRUS: "MCST Elbrus general purpose hardware architecture", + elf.EM_ECOG16: "Cyan Technology eCOG16 family", + elf.EM_CR16: "National Semiconductor CompactRISC CR16 16-bit microprocessor", + elf.EM_ETPU: "Freescale Extended Time Processing Unit", + elf.EM_SLE9X: "Infineon Technologies SLE9X core", + elf.EM_L10M: "Intel L10M", + elf.EM_K10M: "Intel K10M", + elf.EM_AARCH64: "ARM 64-bit Architecture (AArch64)", + elf.EM_AVR32: "Atmel Corporation 32-bit microprocessor family", + elf.EM_STM8: "STMicroeletronics STM8 8-bit microcontroller", + elf.EM_TILE64: "Tilera TILE64 multicore architecture family", + elf.EM_TILEPRO: "Tilera TILEPro multicore architecture family", + elf.EM_MICROBLAZE: "Xilinx MicroBlaze 32-bit RISC soft processor core", + elf.EM_CUDA: "NVIDIA CUDA architecture", + elf.EM_TILEGX: "Tilera TILE-Gx multicore architecture family", + elf.EM_CLOUDSHIELD: "CloudShield architecture family", + elf.EM_COREA_1ST: "KIPO-KAIST Core-A 1st generation processor family", + elf.EM_COREA_2ND: "KIPO-KAIST Core-A 2nd generation processor family", + elf.EM_ARC_COMPACT2: "Synopsys ARCompact V2", + elf.EM_OPEN8: "Open8 8-bit RISC soft processor core", + 
elf.EM_RL78: "Renesas RL78 family", + elf.EM_VIDEOCORE5: "Broadcom VideoCore V processor", + elf.EM_78KOR: "Renesas 78KOR family", + elf.EM_56800EX: "Freescale 56800EX Digital Signal Controller (DSC)", + elf.EM_BA1: "Beyond BA1 CPU architecture", + elf.EM_BA2: "Beyond BA2 CPU architecture", + elf.EM_XCORE: "XMOS xCORE processor family", + elf.EM_MCHP_PIC: "Microchip 8-bit PIC(r) family", + elf.EM_INTEL205: "Reserved by Intel", + elf.EM_INTEL206: "Reserved by Intel", + elf.EM_INTEL207: "Reserved by Intel", + elf.EM_INTEL208: "Reserved by Intel", + elf.EM_INTEL209: "Reserved by Intel", + elf.EM_KM32: "KM211 KM32 32-bit processor", + elf.EM_KMX32: "KM211 KMX32 32-bit processor", + elf.EM_KMX16: "KM211 KMX16 16-bit processor", + elf.EM_KMX8: "KM211 KMX8 8-bit processor", + elf.EM_KVARC: "KM211 KVARC processor", + elf.EM_CDP: "Paneve CDP architecture family", + elf.EM_COGE: "Cognitive Smart Memory Processor", + elf.EM_COOL: "Bluechip Systems CoolEngine", + elf.EM_NORC: "Nanoradio Optimized RISC", + elf.EM_CSR_KALIMBA: "CSR Kalimba architecture family", + elf.EM_Z80: "Zilog Z80", + elf.EM_VISIUM: "Controls and Data Services VISIUMcore processor", + elf.EM_FT32: "FTDI Chip FT32 high performance 32-bit RISC architecture", + elf.EM_MOXIE: "Moxie processor family", + elf.EM_AMDGPU: "AMD GPU architecture", + elf.EM_RISCV: "RISC-V", + elf.EM_LANAI: "Lanai 32-bit processor", + elf.EM_BPF: "Linux BPF – in-kernel virtual machine", + // deprecated + elf.EM_486: "Intel i486", + // elf.EM_MIPS_RS4_BE: "MIPS R4000 Big-Endian", + elf.EM_ALPHA_STD: "Digital Alpha (standard value)", + elf.EM_ALPHA: "Alpha (written in the absence of an ABI)", +} + +func translateMachine(machine elf.Machine) string { + if found, ok := machineNames[machine]; ok { + return found + } + return "Unknown machine" +} diff --git a/libbeat/formats/elf/prog.go b/libbeat/formats/elf/prog.go new file mode 100644 index 000000000000..254b0643e36b --- /dev/null +++ b/libbeat/formats/elf/prog.go 
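Review bot: The two commented-out entries (`EM_ECOG1`, `EM_MIPS_RS4_BE`) need a comment saying why they are disabled; presumably those constants alias values already keyed in the map and would fail to compile as duplicate keys, which the next maintainer will otherwise "fix" by uncommenting, e.g. `// EM_ECOG1 aliases EM_ECOG1X in debug/elf; a second entry would be a duplicate map key.` `"STMicroeletronics STM8 8-bit microcontroller"` misspells the vendor name that the rest of the table spells `STMicroelectronics`, and since these strings end up in fingerprint output it is cheaper to fix now than after fixtures depend on it. `translateMachine` deserves a doc comment stating the fallback: `// translateMachine returns a human-readable name for machine, or "Unknown machine" for values not in the table.`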
@@ -0,0 +1,35 @@
+package elf
+
+import "debug/elf"
+
+const (
+ // https://refspecs.linuxbase.org/LSB_3.1.1/LSB-Core-generic/LSB-Core-generic.html
+
+ // specifies the location and size of the exception handling information as defined by the .eh_frame_hdr section.
+ ptGnuEhFrame elf.ProgType = 0x6474e550
+ // specifies the permissions on the segment containing the stack and is used to indicate wether the stack should be executable. The absense of this header indicates that the stack will be executable.
+ ptGnuStack elf.ProgType = 0x6474e551
+ // specifies the location and size of a segment which may be made read-only after relocation shave been processed.
+ ptGnuRelro elf.ProgType = 0x6474e552
+)
+
+var progNames = map[elf.ProgType]string{
+ elf.PT_NULL: "NULL",
+ elf.PT_LOAD: "LOAD",
+ elf.PT_DYNAMIC: "DYNAMIC",
+ elf.PT_INTERP: "INTERP",
+ elf.PT_NOTE: "NOTE",
+ elf.PT_SHLIB: "SHLIB",
+ elf.PT_PHDR: "PHDR",
+ elf.PT_TLS: "TLS",
+ ptGnuEhFrame: "GNU_EH_FRAME",
+ ptGnuStack: "GNU_STACK",
+ ptGnuRelro: "GNU_RELRO",
+}
+
+func translateProgType(progType elf.ProgType) string {
+ if found, ok := progNames[progType]; ok {
+ return found
+ }
+ return "UNKNOWN"
+}
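Review bot: The three `ptGnu*` constants are introduced without saying why they are private; recent Go releases export `elf.PT_GNU_EH_FRAME`, `elf.PT_GNU_STACK` and `elf.PT_GNU_RELRO` from `debug/elf` (from Go 1.16, as I recall — confirm against the module's Go version), in which case the table can reference those directly and the local constants can go. The comments carry typos that should be fixed in the hunk: `wether` → `whether`, `absense` → `absence`, `relocation shave` → `relocations have`. The `ptGnuStack` comment is the security-relevant one and is worth keeping precise: `// ptGnuStack carries the stack permissions; when the header is absent the loader typically grants an executable stack.`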
@@ -0,0 +1,86 @@ +package elf + +import ( + "debug/elf" + "strings" +) + +var sectionNames = map[elf.SectionType]string{ + elf.SHT_NULL: "NULL", + elf.SHT_PROGBITS: "PROGBITS", + elf.SHT_SYMTAB: "SYMTAB", + elf.SHT_STRTAB: "STRTAB", + elf.SHT_RELA: "RELA", + elf.SHT_HASH: "HASH", + elf.SHT_DYNAMIC: "DYNAMIC", + elf.SHT_NOTE: "NOTE", + elf.SHT_NOBITS: "NOBITS", + elf.SHT_REL: "REL", + elf.SHT_SHLIB: "SHLIB", + elf.SHT_DYNSYM: "DYNSYM", + elf.SHT_INIT_ARRAY: "INIT_ARRAY", + elf.SHT_FINI_ARRAY: "FINI_ARRAY", + elf.SHT_PREINIT_ARRAY: "PREINIT_ARRAY", + elf.SHT_GROUP: "GROUP", + elf.SHT_SYMTAB_SHNDX: "SYMTAB_SHNDX", + elf.SHT_GNU_ATTRIBUTES: "GNU_ATTRIBUTES", + elf.SHT_GNU_HASH: "GNU_HASH", + elf.SHT_GNU_LIBLIST: "GNU_LIBLIST", + elf.SHT_GNU_VERDEF: "GNU_VERDEF", + elf.SHT_GNU_VERNEED: "GNU_VERNEED", + elf.SHT_GNU_VERSYM: "GNU_VERSYM", +} + +func translateSectionType(sectionType elf.SectionType) string { + if found, ok := sectionNames[sectionType]; ok { + return found + } + return "UNKNOWN" +} + +func translateSectionFlags(flags elf.SectionFlag) string { + active := []string{} + if flags&elf.SHF_WRITE > 0 { + active = append(active, "WRITE") + } + if flags&elf.SHF_ALLOC > 0 { + active = append(active, "ALLOC") + } + if flags&elf.SHF_EXECINSTR > 0 { + active = append(active, "EXECINSTR") + } + if flags&elf.SHF_MERGE > 0 { + active = append(active, "MERGE") + } + if flags&elf.SHF_STRINGS > 0 { + active = append(active, "STRINGS") + } + if flags&elf.SHF_INFO_LINK > 0 { + active = append(active, "INFO_LINK") + } + if flags&elf.SHF_LINK_ORDER > 0 { + active = append(active, "LINK_ORDER") + } + if flags&elf.SHF_OS_NONCONFORMING > 0 { + active = append(active, "OS_NONCONFORMING") + } + if flags&elf.SHF_GROUP > 0 { + active = append(active, "GROUP") + } + if flags&elf.SHF_TLS > 0 { + active = append(active, "TLS") + } + if flags&elf.SHF_COMPRESSED > 0 { + active = append(active, "COMPRESSED") + } + if flags&elf.SHF_MASKOS > 0 { + active = append(active, "MASKOS") + } + if 
flags&elf.SHF_MASKPROC > 0 { + active = append(active, "MASKPROC") + } + if len(active) == 0 { + return "-" + } + return strings.Join(active, " | ") +} diff --git a/libbeat/formats/elf/telfhash.go b/libbeat/formats/elf/telfhash.go new file mode 100644 index 000000000000..4d5c854a0abb --- /dev/null +++ b/libbeat/formats/elf/telfhash.go 
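Review bot: `translateSectionFlags` is thirteen copies of the same `if`, and the last two entries treat `SHF_MASKOS`/`SHF_MASKPROC` — bit ranges reserved for OS- and processor-specific flags, not individual flags — like the real ones, so any vendor bit prints as "MASKOS"/"MASKPROC" without that being documented anywhere. A table of `(flag, name)` pairs iterated in the same order keeps the output byte-identical (including the `"-"` for no flags) and gives the two range entries a place for an explanatory comment. The fixed order also keeps WRITE and EXECINSTR adjacent and predictable in the joined string, which downstream detections for writable+executable sections can rely on.

```go
// sectionFlagNames lists section flags in the order they are rendered.
var sectionFlagNames = []struct {
	flag elf.SectionFlag
	name string
}{
	{elf.SHF_WRITE, "WRITE"},
	{elf.SHF_ALLOC, "ALLOC"},
	{elf.SHF_EXECINSTR, "EXECINSTR"},
	{elf.SHF_MERGE, "MERGE"},
	{elf.SHF_STRINGS, "STRINGS"},
	{elf.SHF_INFO_LINK, "INFO_LINK"},
	{elf.SHF_LINK_ORDER, "LINK_ORDER"},
	{elf.SHF_OS_NONCONFORMING, "OS_NONCONFORMING"},
	{elf.SHF_GROUP, "GROUP"},
	{elf.SHF_TLS, "TLS"},
	{elf.SHF_COMPRESSED, "COMPRESSED"},
	{elf.SHF_MASKOS, "MASKOS"},     // bit range for OS-specific flags, reported if any bit is set
	{elf.SHF_MASKPROC, "MASKPROC"}, // bit range for processor-specific flags, reported if any bit is set
}

// translateSectionFlags renders the set flags as " | "-joined names, or "-" when none are set.
func translateSectionFlags(flags elf.SectionFlag) string {
	var active []string
	for _, entry := range sectionFlagNames {
		if flags&entry.flag != 0 {
			active = append(active, entry.name)
		}
	}
	if len(active) == 0 {
		return "-"
	}
	return strings.Join(active, " | ")
}
```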
@@ -0,0 +1,221 @@ +package elf + +import ( + "debug/elf" + "errors" + "io/ioutil" + "regexp" + "sort" + "strings" + + "github.com/knightsc/gapstone" +) + +var ( + exclusionsRegex = []*regexp.Regexp{ + regexp.MustCompile(`^[_\.].*$`), // Function names starting with . or _ + regexp.MustCompile(`^.*64$`), // x64-64 specific functions + regexp.MustCompile(`^str.*$`), // gcc significantly changes string functions depending on the target architecture, so we ignore them + regexp.MustCompile(`^mem.*$`), // gcc significantly changes string functions depending on the target architecture, so we ignore them + } + exclusionsString = []string{ + "__libc_start_main", // main function + "main", // main function z + "abort", // ARM default + "cachectl", // MIPS default + "cacheflush", // MIPS default + "puts", // Compiler optimization (function replacement) + "atol", // Compiler optimization (function replacement) + "malloc_trim", // GNU extensions + } +) + +func canExclude(symbol elf.Symbol) bool { + if elf.ST_TYPE(symbol.Info) != elf.STT_FUNC { + return true + } + if elf.ST_BIND(symbol.Info) != elf.STB_GLOBAL { + return true + } + if elf.ST_VISIBILITY(symbol.Other) != elf.STV_DEFAULT { + return true + } + if symbol.Name == "" { + return true + } + + for _, exclusion := range exclusionsString { + if symbol.Name == exclusion { + return true + } + } + for _, exclusion := range exclusionsRegex { + if exclusion.MatchString(symbol.Name) { + return true + } + } + return false +} + +func capstoneArgs(f *elf.File) (int, int, bool) { + switch { + case f.Class == elf.ELFCLASS32 && f.Machine == elf.EM_386: + return gapstone.CS_ARCH_X86, gapstone.CS_MODE_32, true + case f.Class == elf.ELFCLASS64 && f.Machine == elf.EM_X86_64: + return gapstone.CS_ARCH_X86, gapstone.CS_MODE_64, true + case f.Class == elf.ELFCLASS32 && f.Machine == elf.EM_ARM: + return gapstone.CS_ARCH_ARM, gapstone.CS_MODE_ARM, true + case f.Class == elf.ELFCLASS32 && f.Machine == elf.EM_MIPS: + return gapstone.CS_ARCH_MIPS, 
int(gapstone.CS_MODE_MIPS32) | gapstone.CS_MODE_BIG_ENDIAN, true + default: + return 0, 0, false + } +} + +func isX86(f *elf.File) bool { + return (f.Class == elf.ELFCLASS64 && f.Machine == elf.EM_X86_64) || (f.Class == elf.ELFCLASS32 && f.Machine == elf.EM_386) +} + +func stringMember(ary []string, test string) bool { + for _, a := range ary { + if a == test { + return true + } + } + return false +} + +func getImageBase(f *elf.File) uint64 { + for _, segment := range f.Progs { + if segment.Type == elf.PT_LOAD { + return segment.Vaddr + } + } + return 0 +} + +func extractCallDestinations(f *elf.File) ([]string, error) { + arch, mode, found := capstoneArgs(f) + if !found { + return nil, nil + } + entryPoint := f.Entry + var offset uint64 + var err error + var data []byte + for _, section := range f.Sections { + if section.Addr <= entryPoint && section.Addr+section.Size >= entryPoint { + offset = getImageBase(f) + section.Offset + data, err = section.Data() + if err != nil { + return nil, err + } + break + } + } + if data == nil { + section := f.Section(".text") + if section != nil { + offset = getImageBase(f) + section.Offset + data, err = section.Data() + if err != nil { + return nil, err + } + } + } + if data == nil { + for _, segment := range f.Progs { + if segment.Type == elf.PT_LOAD && segment.Flags == (elf.PF_R&elf.PF_X) { + if entryPoint > segment.Vaddr { + segmentData, err := ioutil.ReadAll(segment.Open()) + if err != nil { + return nil, err + } + offset = entryPoint + if int(entryPoint-segment.Vaddr) > len(segmentData) { + return nil, errors.New("invalid segment offset") + } + data = segmentData[entryPoint-segment.Vaddr:] + break + } + } + } + } + if data != nil { + engine, err := gapstone.New(arch, mode) + if err != nil { + return nil, err + } + defer engine.Close() + instructions, err := engine.Disasm(data, offset, 0) + if err != nil { + return nil, err + } + symbols := []string{} + for _, instruction := range instructions { + if isX86(f) && 
instruction.Mnemonic == "call" { + // Consider only call to absolute addresses + if strings.HasPrefix(instruction.OpStr, "0x") { + address := instruction.OpStr[2:] + if !stringMember(symbols, address) { + symbols = append(symbols, address) + } + } + } else if f.Machine == elf.EM_ARM && strings.HasPrefix(instruction.Mnemonic, "bl") { + if strings.HasPrefix(instruction.OpStr, "#0x") { + address := instruction.OpStr[3:] + if !stringMember(symbols, address) { + symbols = append(symbols, address) + } + } + } else if f.Machine == elf.EM_MIPS && strings.HasPrefix(instruction.Mnemonic, "lw") { + if strings.HasPrefix(instruction.OpStr, "$t9, ") { + address := instruction.OpStr[8 : len(instruction.OpStr)-5] + if !stringMember(symbols, address) { + symbols = append(symbols, address) + } + } + } + } + return symbols, nil + } + return nil, nil +} + +func telfhash(elfFile *elf.File) (string, error) { + symbols := []string{} + dynSymbols, err := elfFile.DynamicSymbols() + if err != nil { + if err != elf.ErrNoSymbols { + return "", err + } + } + staticSymbols, err := elfFile.Symbols() + if err != nil { + if err != elf.ErrNoSymbols { + return "", err + } + } + if len(staticSymbols) == 0 && len(dynSymbols) == 0 { + // extract symbols from call sites since we're in a static binary + symbols, err = extractCallDestinations(elfFile) + if err != nil { + return "", err + } + } else { + for _, symbol := range dynSymbols { + if !canExclude(symbol) { + symbols = append(symbols, strings.ToLower(symbol.Name)) + } + } + for _, symbol := range staticSymbols { + if !canExclude(symbol) { + symbols = append(symbols, strings.ToLower(symbol.Name)) + } + } + sort.Strings(symbols) + } + tlsh := newTlsh() + tlsh.update([]byte(strings.Join(symbols, ","))) + return strings.ToLower(tlsh.hash()), nil +} diff --git a/libbeat/formats/elf/tlsh.go b/libbeat/formats/elf/tlsh.go new file mode 100644 index 000000000000..00178ff16737 --- /dev/null +++ b/libbeat/formats/elf/tlsh.go 
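Review bot: In `extractCallDestinations` the segment fallback tests `segment.Flags == (elf.PF_R&elf.PF_X)`; `PF_R & PF_X` is 0, so that branch only matches segments with no permission bits and the third lookup never finds a code segment — it should be `segment.Flags == (elf.PF_R | elf.PF_X)` (or `segment.Flags&elf.PF_X != 0` if any executable LOAD segment is acceptable). The MIPS branch slices `instruction.OpStr[8 : len(instruction.OpStr)-5]` after checking only the `"$t9, "` prefix, so an operand shorter than 13 bytes (for example `$t9, 0($gp)`) panics with an inverted slice range; guard it with `if len(instruction.OpStr) >= 13 && strings.HasPrefix(instruction.OpStr, "$t9, ") {`. The conversion in `int(entryPoint-segment.Vaddr) > len(segmentData)` can wrap to a negative value for a large difference taken from header fields and then slice out of range; compare unsigned instead, `if entryPoint-segment.Vaddr >= uint64(len(segmentData)) {`, and `section.Addr+section.Size >= entryPoint` has the same overflow exposure (and `>=` admits the byte just past the section). Disassembly goes through capstone via cgo on attacker-controlled bytes, so a fault there is a process crash rather than a recoverable panic; that is worth a comment above `gapstone.New` and in the fuzz harness.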
@@ -0,0 +1,229 @@ +package elf + +import ( + "math" + "sort" + "strings" +) + +var vTable = []int{ + 1, 87, 49, 12, 176, 178, 102, 166, 121, 193, 6, 84, 249, 230, 44, 163, + 14, 197, 213, 181, 161, 85, 218, 80, 64, 239, 24, 226, 236, 142, 38, 200, + 110, 177, 104, 103, 141, 253, 255, 50, 77, 101, 81, 18, 45, 96, 31, 222, + 25, 107, 190, 70, 86, 237, 240, 34, 72, 242, 20, 214, 244, 227, 149, 235, + 97, 234, 57, 22, 60, 250, 82, 175, 208, 5, 127, 199, 111, 62, 135, 248, + 174, 169, 211, 58, 66, 154, 106, 195, 245, 171, 17, 187, 182, 179, 0, 243, + 132, 56, 148, 75, 128, 133, 158, 100, 130, 126, 91, 13, 153, 246, 216, 219, + 119, 68, 223, 78, 83, 88, 201, 99, 122, 11, 92, 32, 136, 114, 52, 10, + 138, 30, 48, 183, 156, 35, 61, 26, 143, 74, 251, 94, 129, 162, 63, 152, + 170, 7, 115, 167, 241, 206, 3, 150, 55, 59, 151, 220, 90, 53, 23, 131, + 125, 173, 15, 238, 79, 95, 89, 16, 105, 137, 225, 224, 217, 160, 37, 123, + 118, 73, 2, 157, 46, 116, 9, 145, 134, 228, 207, 212, 202, 215, 69, 229, + 27, 188, 67, 124, 168, 252, 42, 4, 29, 108, 21, 247, 19, 205, 39, 203, + 233, 40, 186, 147, 198, 192, 155, 33, 164, 191, 98, 204, 165, 180, 117, 76, + 140, 36, 210, 172, 41, 54, 159, 8, 185, 232, 113, 196, 231, 47, 146, 120, + 51, 65, 28, 144, 254, 221, 93, 189, 194, 139, 112, 43, 71, 109, 184, 209, +} + +func bucketMapping(salt, i, j, k int) int { + h := vTable[salt] + h = vTable[h^i] + h = vTable[h^j] + h = vTable[h^k] + return h +} + +const ( + log1_5 = 0.4054651 + log1_3 = 0.26236426 + log1_1 = 0.095310180 +) + +// compute length portion of tlsh +func capturing(length int) int { + var i int + switch { + case length <= 656: + i = int(math.Floor(math.Log(float64(length)) / log1_5)) + case length <= 3199: + i = int(math.Floor(math.Log(float64(length))/log1_3 - 8.72777)) + default: + i = int(math.Floor(math.Log(float64(length))/log1_1 - 62.5472)) + } + return i & 0xFF +} + +const slidingWindowSize = 5 +const buckets = 256 + +type tlshState struct { + checksum int + checksumArray []int 
+ checksumLength int + bucket []int64 + bucketCount int + window []int + dataLen int + codeSize int +} + +func newTlsh() *tlshState { + bucketCount := 128 + checksumLength := 1 + + return &tlshState{ + bucketCount: bucketCount, + checksumLength: checksumLength, + codeSize: bucketCount >> 2, + window: make([]int, slidingWindowSize), + bucket: make([]int64, buckets), + } +} + +func (t *tlshState) update(data []byte) { + // Indexes into the sliding window. They cycle like + // 0 4 3 2 1 + // 1 0 4 3 2 + // 2 1 0 4 3 + // 3 2 1 0 4 + // 4 3 2 1 0 + // 0 4 3 2 1 + // and so on + j := t.dataLen % slidingWindowSize + j1 := (j - 1 + slidingWindowSize) % slidingWindowSize + j2 := (j - 2 + slidingWindowSize) % slidingWindowSize + j3 := (j - 3 + slidingWindowSize) % slidingWindowSize + j4 := (j - 4 + slidingWindowSize) % slidingWindowSize + + fedLen := t.dataLen + for i := 0; i < len(data); i++ { + t.window[j] = int(data[i]) + if fedLen >= 4 { + // only calculate when input >= 5 bytes + t.checksum = bucketMapping(0, t.window[j], t.window[j1], t.checksum) + if t.checksumLength > 1 { + t.checksumArray[0] = t.checksum + for k := 1; k < t.checksumLength; k++ { + // use calculated 1 byte checksums to expand the total checksum to 3 bytes + t.checksumArray[k] = bucketMapping(t.checksumArray[k-1], t.window[j], t.window[j1], t.checksumArray[k]) + } + } + + r := bucketMapping(2, t.window[j], t.window[j1], t.window[j2]) + t.bucket[r]++ + r = bucketMapping(3, t.window[j], t.window[j1], t.window[j3]) + t.bucket[r]++ + r = bucketMapping(5, t.window[j], t.window[j2], t.window[j3]) + t.bucket[r]++ + r = bucketMapping(7, t.window[j], t.window[j2], t.window[j4]) + t.bucket[r]++ + r = bucketMapping(11, t.window[j], t.window[j1], t.window[j4]) + t.bucket[r]++ + r = bucketMapping(13, t.window[j], t.window[j3], t.window[j4]) + t.bucket[r]++ + } + // rotate the sliding window indexes + j4, j3, j2, j1, j = j3, j2, j1, j, j4 + + fedLen++ + } + t.dataLen += len(data) +} + +func median(data []int64) 
int64 { + length := len(data) + if length%2 != 0 { + return data[length/2] + } + return data[length/2-1] +} + +func (t *tlshState) findQuartile() []int64 { + bucketCopy := make([]int64, t.bucketCount) + copy(bucketCopy, t.bucket) + sort.Slice(bucketCopy, func(i, j int) bool { + return bucketCopy[i] < bucketCopy[j] + }) + + length := len(bucketCopy) + // Find the cutoff places depeding on if + // the input slice length is even or odd + var c1 int + var c2 int + if length%2 == 0 { + c1 = length / 2 + c2 = length / 2 + } else { + c1 = (length - 1) / 2 + c2 = c1 + 1 + } + + return []int64{ + median(bucketCopy[:c1]), + median(bucketCopy), + median(bucketCopy[c2:]), + } +} + +func (t *tlshState) hash() string { + if t.dataLen == 0 { + return "" + } + quartiles := t.findQuartile() + q1 := quartiles[0] + q2 := quartiles[1] + q3 := quartiles[2] + + code := make([]int, t.codeSize) + for i := 0; i < t.codeSize; i++ { + h := 0 + for j := 0; j < 4; j++ { + k := t.bucket[4*i+j] + if q3 < k { + h += 3 << (j * 2) + } else if q2 < k { + h += 2 << (j * 2) + } else if q1 < k { + h += 1 << (j * 2) + } + } + code[i] = h + } + + lValue := capturing(t.dataLen) + q1Ratio := int(float64(q1*100.0)/float64(q3)) & 0xF + q2Ratio := int(float64(q2*100.0)/float64(q3)) & 0xF + + if t.checksumLength == 1 { + return encode([]int{t.checksum}, lValue, q1Ratio, q2Ratio, code) + } + return encode(t.checksumArray, lValue, q1Ratio, q2Ratio, code) +} + +var hexChars = []byte{'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'A', 'B', 'C', 'D', 'E', 'F'} + +func writeHex(src int, builder *strings.Builder) { + builder.WriteByte(hexChars[(src>>4)&0xF]) + builder.WriteByte(hexChars[src&0xF]) +} + +func writeHexSwapped(src int, builder *strings.Builder) { + builder.WriteByte(hexChars[src&0xF]) + builder.WriteByte(hexChars[(src>>4)&0xF]) +} + +func encode(checksum []int, lValue, q1Ratio, q2Ratio int, codes []int) string { + // extra 4 characters come from length and Q1 and Q2 ratio. 
+ hashStringLength := len(codes)*2 + len(checksum)*2 + 4 + var builder strings.Builder + builder.Grow(hashStringLength) + for k := 0; k < len(checksum); k++ { + writeHexSwapped(checksum[k], &builder) + } + writeHexSwapped(lValue, &builder) + writeHex(q1Ratio<<4|q2Ratio, &builder) + for i := 0; i < len(codes); i++ { + writeHex(codes[len(codes)-1-i], &builder) + } + return builder.String() +} diff --git a/libbeat/formats/fixtures/elf/crashes/0e8e8ead37a39ad29c63f2882e64772f7d47d666 b/libbeat/formats/fixtures/elf/crashes/0e8e8ead37a39ad29c63f2882e64772f7d47d666 new file mode 100644 index 0000000000000000000000000000000000000000..6a09acd5c788a1a55d957c425d8d981d2c6dc0e5 GIT binary patch literal 65 fcmb<-^>JfjWHdkqs62=aBLf7$)PZJfjWMn`Fs5}M+L7*fvvH~c3hX#c41x*fJKLE^j14RG; literal 0 HcmV?d00001 
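Review bot: `hash` divides by `q3` in the two ratio lines (`q1*100/q3`, `q2*100/q3`) with no guard; when every bucket is zero — any input shorter than the 5-byte window, and in practice short symbol lists — `q3` is 0, the float division yields Inf/NaN and `int(NaN)` is implementation-dependent in Go, so the function returns a different garbage digest per platform instead of declining. The reference TLSH refuses inputs below a minimum length (50 bytes in the upstream implementation, as I recall — confirm) and the port should do the same, e.g. `if t.dataLen < minDataLength || q3 == 0 { return "" }` at the top of `hash`, with `telfhash` already treating `""` as "no hash". `checksumArray` is only touched when `checksumLength > 1`, which `newTlsh` never sets, so the multi-byte checksum branch in `update` is dead code at present; a comment saying so (`// checksumLength is fixed to 1 by newTlsh; the 3-byte variant is not wired up`) would stop readers from trying to exercise it.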
diff --git a/libbeat/formats/fixtures/elf/hello-linux b/libbeat/formats/fixtures/elf/hello-linux new file mode 100644 index 0000000000000000000000000000000000000000..26e3b7383e0d847c6b1834ed8b0d4e2a3eee0c3f GIT binary patch literal 5728 zcmeHLO-x)>6u$EY%J4T#rLEXn8MP#6o z8)?TjA*7Loi^jynG%j2=t}tkU&@^#j(#8$$SV$a#R$Qo{hIj8f$4{NmJRZTMi5CS*(_TZV>`{p2fD%d9DSW~ZyTneh4Kx+-XQ&nA z_Kf*Fxn}MoJ1=m=35^t*VNZxZW=n!OXNbI#)@){wWb@x?k+~2-wT?K<^&`I$fk)JY z`7{MsC(bxb4{`H^n7#`Fi&0PJ-zxMTy)J0q892-D*#HpY;_UEtk)kD(DT+s z!`|X0Fe`oq!}Lt(=*9C>u@-d7J%?8X+9>UetWecd~1C%ku>Kzbe#}9JyJ9+ic z)3re%3*W96(Ns!V{&1`D?PX6-A!|Q$wL)+aN{Sse}hED z$Y`IOs{9pmo?HpN9{T)-KO)Y~&cG-yuAv|o?t5in%_F;(@-16A$ilowPF8*a$dI+; z7C8A7opdebR*LOVS}B2=xg{vPc z{?&SL+0gtlG}{ZaK3JGbf?I_uMm8y4|6+n03JHx@LqdfO%RGqoXJ_#zLl(aGDL>X7 zIn}cPh568AWL*|+`7Su{i@n8f!0q`(8Be9M&jrtAbE(*qu&4HTkK*3OJyd*PS)ITy zLrM|gNIPsMJa3;7p0R*uPhFJ{f1~z+9&w)lrX6kkffN3wR~u?aeG}r??xW8h-1ii! z(FV#Cd%@>!RD}G2D_T$ewmxu#a+%5nUD`MlBXgWCv!Lp|9(MAvC!DcX< zPRBE*yQqI521r1p;QI+%xwQ{j#^;IWXT}FL10*;{lA={fTW4whHs^iX z25$ojmyq{Y@hkKauMa=*S&Mc(h_dqFO zKp#$O0|9G!iIlvro9M;h_W*6S!=F3;5zwJez7yf|z9c-q-(aH19sdAmo%o2?P<9bl ze5HgTKojQOAUpAVFE&m1yRLwYV}Cs^JpT?wvEe{muPyz#f3Ls-hT#6=X%#6+c=v^h zD;;qfY@K+%f8u*7JSRGd_Z{oPFmd9qQT%HZKgNc{-Ss31PwjHtyV(GDzufp?7ap$? zkZw@n55tdwE$$tT&%bwkpJ!0RsGQRCV80W9MH9yJ?>KLiR#90+nH(tvq{=TR|pA1t%rDU4PhJ4>g@1*v{6}H@cpMmYV zek&Kn9#Z=wQ2qH!a z)KDI!b%L`LC2*iyt#`mq%ZW;&lyNrhpU62@eetG6bJredXl^)1YF{evM4|X3@2S7? zsQMf)2_kHIPGy-aw=!bs2RH(M{wM!uRJnd=_fIzt(=Zp}7KlAa#E} zQvrD?hmA-KGXjC;y@&RAy^V<|xVt0ap0E**b;P4FSb1Lu0!g{_`Q%h9fT7q_=klyq zV~xWX!e`&a2G8FiKhL{n(l^Sr)9>@^3tOJf*XLR8EtuN}ZqJR{$!8JBCsq+lrva+y zPbXBc+@qH7V{nF5#WcP}5E??XyI8jbD|K8;tR~chpWDpxU8iq#cYiJiQO zogSU53QC>cDz0QVv2^Y&;~*gi`Kmvk^`Ni*!H-Gnh!NT>rI)g+cUVK+!cGaZGo^E+ zYl1kbI#@#yJaA#F1aq_zvf=$>T}8XDPh~%ThY9aY&ZL|CCJB%#tS9870Jr_~D+K;o z7x^+V+Ns!xL#;`>Cm8RHMvo^g{`sLZUTyki(`DbfwwWvAreEfuH8k)c`^g-vz0>=T J{Le2N{RZ%}&|d%m literal 0 HcmV?d00001 
diff --git a/libbeat/formats/fixtures/lnk/local.directory.seven.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.directory.seven.lnk.fingerprint
new file mode 100644
index 000000000000..bcbf92fd47be
--- /dev/null
+++ b/libbeat/formats/fixtures/lnk/local.directory.seven.lnk.fingerprint
@@ -0,0 +1,110 @@ +{ + "header": { + "guid": "01140200-0000-0000-c000-000000000046", + "linkFlags": [ + "EnableTargetMetadata", + "HasLinkInfo", + "HasRelativePath", + "HasTargetIDList", + "IsUnicode" + ], + "fileFlags": [ + "FILE_ATTRIBUTE_DIRECTORY", + "FILE_ATTRIBUTE_NOT_CONTENT_INDEXED" + ], + "creationTime": "2009-07-14T04:53:59Z", + "accessedTime": "2010-05-16T19:36:08Z", + "modifiedTime": "2010-05-16T19:36:08Z", + "fileSize": 8192, + "iconIndex": 0, + "windowStyle": "SW_NORMAL" + }, + "targets": [ + { + "size": 20, + "typeId": 80, + "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" + }, + { + "size": 25, + "typeId": 67, + "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" + }, + { + "size": 116, + "typeId": 0, + "sha256": "694bda772b560aa1e8db78d9d436be2c5918f098b7104b5ffe1a5e619962398f" + }, + { + "size": 96, + "typeId": 0, + "sha256": "d95bf8611fa96a435db45248eafc5ce43064d57d69d0e1a76975fd985f22fad2" + } + ], + "location": { + "flags": [ + "CommonNetworkRelativeLinkAndPathSuffix", + "VolumeIDAndLocalBasePath" + ], + "commonPathSuffix": "Administrator", + "volume": { + "driveType": "DRIVE_FIXED", + "driveSerialNumber": "0x502e1a8a", + "volumeLabel": "SSD-WIN7" + }, + "localBasePath": "C:\\Users\\", + "networkShare": { + "flags": [ + "ValidNetType" + ], + "name": "\\\\NETBOOK\\Users" + } + }, + "relativePath": "..\\..\\Administrator", + "extra": { + "knownFolder": { + "id": "72d26207-0ac5-b04b-a382-697dcd729b80", + "offset": 161 + }, + "propertyStore": { + "properties": { + "10": [ + { + "type": "VT_LPWSTR", + "value": "Administrator" + } + ], + "100": [ + { + "type": "VT_LPWSTR", + "value": "Utilisateurs (C:)" + } + ], + "30": [ + { + "type": "VT_LPWSTR", + "value": "C:\\Users\\Administrator" + } + ], + "4": [ + { + "type": "VT_LPWSTR", + "value": "S-1-5-21-2382555026-1982050849-604700897-1000" + } + ] + } + }, + "tracker": { + "version": 0, + "machineId": "netbook", + "droid": [ + 
"da667c4f-20d3-c44c-8d50-165dd98ebc01", + "ff026513-668c-df11-b6eb-001377d34a59" + ], + "droidBirth": [ + "da667c4f-20d3-c44c-8d50-165dd98ebc01", + "ff026513-668c-df11-b6eb-001377d34a59" + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/local.directory.xp.lnk b/libbeat/formats/fixtures/lnk/local.directory.xp.lnk new file mode 100644 index 0000000000000000000000000000000000000000..b2c7051a7d7c6d660ea44e76303b4e8b510a1af2 GIT binary patch literal 459 zcmeZaU|?VrVFHp23Z*M%}{!)t2(789#WptuX@95M@Ap zFb0%f%^<=cAMn8cg2F4SOo2r=I2g1I4CYEQ=sR1*peY4$Z5Rx}qStMdtpyaqJ^ft# z!-E;r7?>GY7~by_He8$V(nirn1gIvQ!IQy{!G*ye$O;DX#TXo*dSBWwnh7WrR~DC~ z<{BF@FleCYW;6roE@r3%;u3~bhFk_?2B0Da2_W_WVi_O?c>+Wm12G7=1F<*|GXwGE zJ$nTNfOK$VaEPlf1JD~#SH>W0Gh-VSy@;UJ1krKnyf-K?INnfy5kL x149#22nR@J*|jM%*ebhhIm-I4DD8FJRR4}Y-4=HRw>vY)D0?5CMo1oH5CER@T*UwY literal 0 HcmV?d00001 diff --git a/libbeat/formats/fixtures/lnk/local.directory.xp.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.directory.xp.lnk.fingerprint new file mode 100644 index 000000000000..d36142c4814c --- /dev/null +++ b/libbeat/formats/fixtures/lnk/local.directory.xp.lnk.fingerprint 
@@ -0,0 +1,72 @@ +{ + "header": { + "guid": "01140200-0000-0000-c000-000000000046", + "linkFlags": [ + "HasLinkInfo", + "HasRelativePath", + "HasTargetIDList", + "IsUnicode" + ], + "fileFlags": [ + "FILE_ATTRIBUTE_DIRECTORY", + "FILE_ATTRIBUTE_NOT_CONTENT_INDEXED" + ], + "creationTime": "2004-08-19T12:05:25Z", + "accessedTime": "2010-07-09T07:36:45Z", + "modifiedTime": "2010-07-09T06:48:01Z", + "iconIndex": 0, + "windowStyle": "SW_NORMAL" + }, + "targets": [ + { + "size": 20, + "typeId": 80, + "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" + }, + { + "size": 25, + "typeId": 67, + "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" + }, + { + "size": 60, + "typeId": 0, + "sha256": "f41f1eedb6784f72604ff611740d040d42de1e01b21b2233a36d6f4723c5630b" + }, + { + "size": 64, + "typeId": 0, + "sha256": "04ee9bc0826d6a59abdf9fdbb3d55dacf9a1347f526cd02c7cd9c1c79485b928" + } + ], + "location": { + "flags": [ + "VolumeIDAndLocalBasePath" + ], + "volume": { + "driveType": "DRIVE_FIXED", + "driveSerialNumber": "0x10bdbcd3", + "volumeLabel": "SYSTEM" + }, + "localBasePath": "C:\\WINDOWS\\system32" + }, + "relativePath": ".\\system32", + "extra": { + "specialFolder": { + "id": 37, + "offset": 169 + }, + "tracker": { + "version": 0, + "machineId": "al-0145", + "droid": [ + "6a3e8623-003d-2344-b4c5-05fe7266eb5e", + "954f88fc-8b38-dd11-b743-001c234bc396" + ], + "droidBirth": [ + "6a3e8623-003d-2344-b4c5-05fe7266eb5e", + "954f88fc-8b38-dd11-b743-001c234bc396" + ] + } + } +} \ No newline at end of file 
diff --git a/libbeat/formats/fixtures/lnk/local.file.darwin.lnk b/libbeat/formats/fixtures/lnk/local.file.darwin.lnk new file mode 100644 index 0000000000000000000000000000000000000000..74dc242216a28d10da2628ac383a2ceb2c1927da GIT binary patch literal 2471 zcmeHI&ubG=5dLC|_LxH`3W5nVP_!F2ZknVaDcNjE8we&OkcOLU^<+T`9);cn_2|`aH^G`{X$}P=^gS|pKZg0{&3rSP1>o{rq6FSK z66yE(!Qw3G8dLb{^591PbMDalC02L$Kh5EmC_cZ2+e%CuQ?<7R1fA0l@z;H~SFN{d z#({-6<}i!zZ@^s|Lzej<~w)kyiXwgC&RWvwtn7q4+m%r>DdEMyBN+g_;qhTQ;uSJBQC~=hv zg#>v;5{D!B5O^>|{TRir)!*dW{|uwBSd5J4CzuA=-GxRbF)DG*zPG(1Zo z#3}G@g=gZ}41%!KtlO)bf6!dCMHv{!80~>$w>e-AP+w~KNoK=xNRhT86 z(Wp7G2r%MXj5lzdzk3L9YNyK4{Al}JE< zUtVnH)+^G&lA`zq3Co+twpnea>kZvn-AyFLPFHP-ahGu!>zISo0z}V{o#m$f;>Z0N$O|l0mX_1-WQ(Hg>Ncb zEN35?v9z@G^js|8RHhOB}u3F!|GP|qZ1^P?Yq1w^WSM4}v+$5BV9nQqIGlxzhFrV0*;?f$C zONauyh=s%{#EFK3H5PKPEvc%j=?bd;miDG#H0%vV1G|0Af!0=4uA+uS4vTCLbTXKW zcd$eKDb4Pf%DQFuKxHR?S5+11TB-Qe&1b=eEqpe%GAk!LTZKBVY(MOJu@T#;W5a5q z?}uD!SLZ)K9!Tr3Kf;w4KEN(}85+nua7dh0h0Yauo@4 z6c|h8inTFqk|22ww#Br&gC>|c4lT5Mn$k_zz%UfTdkd?W`n?7s-<__oLP@x@nP-Gz z`uWV7+0XPxu9D}+b**B#S)L8Nq+CEQv4jhxJ-#z1iCVD%_(=qdVb!~uWaY4o#>^-Q3 z%)oo*5`Wtt5r++9{SmPf)GwJZ%6(aH;v|)KJbP}NF?zFrcbbmDVRy8F_Ixb{>d6J# z8`~R8nuBdJ%LKfItv!vS&o&%7HMIA6H2?LzilgzK`X_~#uVd!=We;Bc?)*M|Fvo#9 zeBgw{f6tmPUfaON*@IUF-2u9puMrD6y83g5RQ!8DUP}<69ZX@>~aUq?%&cSUX{|pTa-+C$V zse)2Q4^c1SLnIW{K;P=Ym!KD|pa-)-fkZEX{m$9FPN&hi_dDM`-#y>|-#I}54%a5m zKu*p$w@mIPU7vdJ`*HOXF8?Y0$=e+hMq@camFwJDo zaM81{DE<(z{VNtW(}Efn5ya>@MZNL%_b=HA9ncEt%Y7EhJ1p+dLZf0e$p98Ws3Dgo9 zDs*f9SIu>+mb%1Kp+fq)4wvRz$K5{KF2$fu92If3-p+c7ZF!?O_MwXiO|X7fnOTaN zd3gv+Wpx|K>QRlu%wky9!=U~piLn7nb;^qJdLltY)ygUc`G~cOxI}knp=a3+axuEh zT93EkL}9^s%TlH5^478Noj&)>y%%$n^YdS8Ufuq*{UzIf=;HL<|NVbY8@y(+r|^qa zJLU)z|7(Xrd;?SGHD0K7SlA)g)UsV zQ0PkCq>2l1CAx8;AcEbw=|&NxexPENfoi*QQSiK($s{!a=keZsbKgDpbMCbOB-9N& zf!D!_!H<+l?wjB4+mHI*CKjKq)gM#7FaNnHC1!yed{1z`=hTj?4RjVoqAHjK4X_Q3$iDG4uV7@%@jSOY-Ha?f z$~PH#1Y^W{TrSF>5hD*qk$)I7I`Km}%Q}6X#b{CNC1aWRCqd@_;w}2I125?~|L$1@ 
zwmXj9G5&Xqw`o64`>i+;+55%{vo;-jY7~3dAy$HnC0914FiMn)vp53TFo{aWxoW0m zfgVGqeIqsO8wU%W>J9VNPzpEzcG0WkUrIRuQigp5`2~8oySP_t@8%UsbKu+nH~@|Q zim*|l!FqhLTw9O?8nUoftyc0pAVqdHi0JIhs$kucEfLI1$bo3<;QER(wACX->x2nT zNpou2y|imWznyaE!+vHlO@6BE%@y`!f~!icpsuMu%3evoL&(A6lK&0nFNM55I8Q0R z%if`M=GgJ@hv%l%9`!=^OyPDVId}K@!qbIMi~TQeectkdE!ubH&7J?fOGkeJI0)DeEf_firHJiiY*IpvI*HuT&msn`Ru!U@==LVwlh^`1$-tc)=y?2N*FaaT;KL`PU$d$f7_F z^pc;UHpb&aH$2G5dl%f)yam!mMi3v%)SgFH1PHEfP+$ z0t_Dh!c6C^Om%JdLx<9rE#^zc1aZy!t6F7Nctoz7|KtkGTz#y!h&;0yn4o2&Hw0K` zh;i*0;hV$=YFg_JMTw9JgC%2UWNP0YftX`d>B1pWnyzeA!nSPW@mr`e|*L3Ywd6y??r%a{#+$WC>1i&%NDRS6*X&2pdk<70Nx;}99 zL?n?oZbm_LU$+{kuY1OJR-^MR|F3W-q6pL9*Z`fio0HM8zOUjfTY#T`|ggv9jCp8giex&l;S#hNj=tD ziRJQfxw>f)N9D~gV?xrZN?QR+f_#xA*zA; zAnM`dW(E-k`G5!h7ZhGuWeP01!NH(yU@%vbLEqUb2CfLfuwgI+bFSMcTMH%m zTAW>yU!a$nm&u?9*Uy#o(xw)yKZPNcp_n0?p@boyp#Z2NlOYd?85pF1*c*stfEeT% z5N!;^Am9bW;y}y{#FzK%6%YW@!I8lsuD%RF??7D}gKRScFVN^12JDt`F*q|=0cBCW z0y319fnk9PkOny@0f>PXE{FiqAdr}&YhY+%3gH0BEW0*k23uv9Ek{}Z6{Wq7%YI!{ We6s7l;Ld*xGRoeErxB6|83X`3gk`t@ literal 0 HcmV?d00001 diff --git a/libbeat/formats/fixtures/lnk/local.file.xp.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.file.xp.lnk.fingerprint new file mode 100644 index 000000000000..a8a1a0534d58 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/local.file.xp.lnk.fingerprint 
@@ -0,0 +1,74 @@ +{ + "header": { + "guid": "01140200-0000-0000-c000-000000000046", + "linkFlags": [ + "HasLinkInfo", + "HasRelativePath", + "HasTargetIDList", + "HasWorkingDir", + "IsUnicode" + ], + "fileFlags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creationTime": "2004-08-19T12:16:19Z", + "accessedTime": "2010-07-09T07:37:36Z", + "modifiedTime": "2004-08-05T11:00:00Z", + "fileSize": 2, + "iconIndex": 0, + "windowStyle": "SW_NORMAL" + }, + "targets": [ + { + "size": 20, + "typeId": 80, + "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" + }, + { + "size": 25, + "typeId": 67, + "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" + }, + { + "size": 60, + "typeId": 0, + "sha256": "f41f1eedb6784f72604ff611740d040d42de1e01b21b2233a36d6f4723c5630b" + }, + { + "size": 72, + "typeId": 0, + "sha256": "625f645fd0d89a18f36657647acdbc6ff594867dc5b42ae436360e97430a80ec" + } + ], + "location": { + "flags": [ + "VolumeIDAndLocalBasePath" + ], + "volume": { + "driveType": "DRIVE_FIXED", + "driveSerialNumber": "0x10bdbcd3", + "volumeLabel": "SYSTEM" + }, + "localBasePath": "C:\\WINDOWS\\desktop.ini" + }, + "relativePath": ".\\desktop.ini", + "workingDirectory": "C:\\WINDOWS", + "extra": { + "specialFolder": { + "id": 36, + "offset": 105 + }, + "tracker": { + "version": 0, + "machineId": "al-0145", + "droid": [ + "6a3e8623-003d-2344-b4c5-05fe7266eb5e", + "6beb7273-c98a-df11-b9fe-001c234bc396" + ], + "droidBirth": [ + "6a3e8623-003d-2344-b4c5-05fe7266eb5e", + "6beb7273-c98a-df11-b9fe-001c234bc396" + ] + } + } +} \ No newline at end of file 
diff --git a/libbeat/formats/fixtures/lnk/local_cmd.lnk b/libbeat/formats/fixtures/lnk/local_cmd.lnk new file mode 100644 index 0000000000000000000000000000000000000000..89c6537f5e481df4d7ff768f48f2f994607ffbe4 GIT binary patch literal 1380 zcma)6TS$~q5dPLIG^I52l0^PUnh|bCcMTN;X}uJ9Wlhc2aM|5*!&Pw?)FKIbC?$yK zLPUnx4Iu)lkjTnq{<1GCVzfGUtFx`si$X*q95W9REXP|!W28+}gcvS9&hzUW z>flBzoM=NQytGL`L%{2^igO2JHEXxm=kl1cf$c%Ry)B{>zwVf&{O&lC4=cLq&j%Mg zFoD~VgbtaRdSh{4l%`qAi|TgP^kf-}>x+TffcK9T@$CZfzOyirbW)D^YYg2UhJ#+6 z&=|9uXEc-Zq8)b1T`&?|1hAgi6PP7;S(^wM4MZZbj5ro~aaB}?r<4hUG%>OH9XqQqqP9FlXI|?9)2#C)yH7c2_tNa3T^wRK(>&Qih~9D zA$W^sF*>lHSE(U2z-ugjDkM>M-#{8?DXkPGitEmbN6AxRjTIwB#^IaQ=SM`hk!{T@ z7}!ld%UWgquI|6Hpttn;&xyDz-hHVBlsgHe5DCQMTi1}WWWbwc6Gty0jz9I)myDL> zTJFuqolZaR8TU{gE(YRQTEU7;=8}mVB3tLOk&8TjIWTi==Ea(HeGax!qja5_RQ8F) z52f3hb*ZA2{|5r@@(c+?&8CgalqSbqoegU`ap~KQJjz!RdLVI}L+d;sp0=xHW1$fH z6a5_!VYIA;S$G8GB7(U}!w;(0YFZ7ec{QS@)SMDq*|18OLL&H#kUvaF;MWc~G78SV zh`sX)W0h}{ChU}NAoRdDaSp9-LhC~DyD*x_@FyCm4+wlNuTN!Vo6I?WLHOgA@~7ho jr6;f4GQYP>p4w&jT+nmjYwXdC(I1Bz-<|oNUcCGU&p!-} literal 0 HcmV?d00001 diff --git a/libbeat/formats/fixtures/lnk/local_cmd.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local_cmd.lnk.fingerprint new file mode 100644 index 000000000000..3b3dc74ead4b --- /dev/null +++ b/libbeat/formats/fixtures/lnk/local_cmd.lnk.fingerprint 
@@ -0,0 +1,117 @@ +{ + "header": { + "guid": "01140200-0000-0000-c000-000000000046", + "linkFlags": [ + "EnableTargetMetadata", + "HasArguments", + "HasLinkInfo", + "HasName", + "HasRelativePath", + "HasTargetIDList", + "HasWorkingDir", + "IsUnicode" + ], + "fileFlags": [ + "FILE_ATTRIBUTE_ARCHIVE", + "FILE_ATTRIBUTE_NOT_CONTENT_INDEXED" + ], + "creationTime": "2019-07-01T14:00:40Z", + "accessedTime": "2019-07-01T14:00:40Z", + "modifiedTime": "2014-10-29T01:28:18Z", + "fileSize": 357376, + "iconIndex": 0, + "windowStyle": "SW_NORMAL" + }, + "targets": [ + { + "size": 20, + "typeId": 80, + "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" + }, + { + "size": 25, + "typeId": 67, + "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" + }, + { + "size": 86, + "typeId": 0, + "sha256": "4c4d0c2148e23276d0f4f742bbba4a8e3e1b318795a2d7d4b5cd80791781b93a" + }, + { + "size": 90, + "typeId": 0, + "sha256": "99b17e4be73b9f9a34d149f6dfead6f71abde0b38183c5c0062fd1b5fe5ccf94" + }, + { + "size": 114, + "typeId": 0, + "sha256": "1b51868f7cf57860ce02d0f22729b8ab9e232b0e566256cf349b897bf83aa718" + } + ], + "location": { + "flags": [ + "VolumeIDAndLocalBasePath" + ], + "volume": { + "driveType": "DRIVE_FIXED", + "driveSerialNumber": "0xce9c0987", + "volumeLabel": "System" + }, + "localBasePath": "C:\\Windows\\System32\\cmd with space.exe" + }, + "name": "This is a comment.", + "relativePath": "..\\Windows\\System32\\cmd with space.exe", + "workingDirectory": "C:\\Windows\\System32", + "commandLine": "arg1 \"arg 2\"", + "extra": { + "knownFolder": { + "id": "774ec11a-e702-5d4e-b744-2eb1ae5198b7", + "offset": 221 + }, + "propertyStore": { + "properties": { + "10": [ + { + "type": "VT_LPWSTR", + "value": "cmd with space.exe" + } + ], + "100": [ + { + "type": "VT_LPWSTR", + "value": "System32 (C:\\Windows)" + } + ], + "30": [ + { + "type": "VT_LPWSTR", + "value": "C:\\Windows\\System32\\cmd with space.exe" + } + ], + "4": [ + { + "type": 
"VT_LPWSTR", + "value": "S-1-5-21-2899541433-556809949-1686860144-1001" + } + ] + } + }, + "specialFolder": { + "id": 37, + "offset": 221 + }, + "tracker": { + "version": 0, + "machineId": "test012345", + "droid": [ + "04c26c4d-cace-1647-8fa4-b334de43dd91", + "5501e33d-7e9a-e911-8328-bcee7b5dda94" + ], + "droidBirth": [ + "04c26c4d-cace-1647-8fa4-b334de43dd91", + "5501e33d-7e9a-e911-8328-bcee7b5dda94" + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/local_unicode.lnk b/libbeat/formats/fixtures/lnk/local_unicode.lnk new file mode 100644 index 0000000000000000000000000000000000000000..2cac0a2946683e3d65d5a971f4e6813b3de26aed GIT binary patch literal 848 zcmeZaU|?VrVFHp23 z1%+2unF5P$a4={a7|fMq(08_qK~oCi`Y{-SMIZUu76>SWq~;bdFjz5gGO#eb-)H3d zrsk2Kd4V2K#R+SWMJ!;o2%`ThI%0p zAq)(5P%}X?APh1yFoYFIb~1ytz=>5o7a44C^xe^8C}F4oVg?2&AkG0|6(9z=0z_K_ zF$iP;u@?|$0kJp`gA8luoO4b9NC#IIm!#%006h-!SB$;AUP(m>gEP>7F>qJMpxFh~ z1`K#TpbBI+u%qb$1qLSr!-Azi)rP?V!3G~yx4(Cn5?K0?DWPZH>otl%aW0Ti@<7ZE z#K?w$#6^LaAH;9~5jyLwK~W46eS^GQhzOG72Pn%wVm-PJT5KVj_T@FADOD!P2FA#$qxhyML!*=Q=!L8RA4*1`cxB!ZHIgkR7$sorN4jG_F zfa*Yo`9wT;+_62%Yqvsul*`FAcR@a817fgY96%b?FpvxcBmgO3BrS-5@=H>SOAHK+ wj7>}-0xXAed{3PdbMIfW+2o${-HEMR-X6+W_)@T0W6!(l*jrNw$%9M*04Q;{%>V!Z literal 0 HcmV?d00001 diff --git a/libbeat/formats/fixtures/lnk/local_unicode.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local_unicode.lnk.fingerprint new file mode 100644 index 000000000000..fbdb1ecede68 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/local_unicode.lnk.fingerprint 
@@ -0,0 +1,93 @@ +{ + "header": { + "guid": "01140200-0000-0000-c000-000000000046", + "linkFlags": [ + "EnableTargetMetadata", + "HasLinkInfo", + "HasRelativePath", + "HasTargetIDList", + "HasWorkingDir", + "IsUnicode" + ], + "fileFlags": [ + "FILE_ATTRIBUTE_ARCHIVE", + "FILE_ATTRIBUTE_NOT_CONTENT_INDEXED" + ], + "creationTime": "2019-07-08T14:05:42Z", + "accessedTime": "2019-07-08T14:05:42Z", + "modifiedTime": "2019-07-08T14:05:42Z", + "iconIndex": 0, + "windowStyle": "SW_NORMAL" + }, + "targets": [ + { + "size": 20, + "typeId": 80, + "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" + }, + { + "size": 25, + "typeId": 67, + "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" + }, + { + "size": 78, + "typeId": 0, + "sha256": "a154c245be75662c7e902023315c2e1213a17a623645d87096cf888760b290d0" + }, + { + "size": 88, + "typeId": 0, + "sha256": "f87251a348e83e143d759541bd3cd4dce270b6cfaefee702c54aa29b0b2dd5ad" + } + ], + "location": { + "flags": [ + "VolumeIDAndLocalBasePath" + ], + "volume": { + "driveType": "DRIVE_FIXED", + "driveSerialNumber": "0xce9c0987", + "volumeLabel": "System" + }, + "localBasePath": "C:\\Temp\\??.txt" + }, + "relativePath": ".\\💎.txt", + "workingDirectory": "C:\\Temp", + "extra": { + "propertyStore": { + "properties": { + "10": [ + { + "type": "VT_LPWSTR", + "value": "💎.txt" + } + ], + "30": [ + { + "type": "VT_LPWSTR", + "value": "C:\\Temp\\💎.txt" + } + ], + "6": [ + { + "type": "VT_LPWSTR", + "value": "C:\\Temp" + } + ] + } + }, + "tracker": { + "version": 0, + "machineId": "test012345", + "droid": [ + "04c26c4d-cace-1647-8fa4-b334de43dd91", + "85b4edc2-68a1-e911-8328-bcee7b5dda94" + ], + "droidBirth": [ + "04c26c4d-cace-1647-8fa4-b334de43dd91", + "85b4edc2-68a1-e911-8328-bcee7b5dda94" + ] + } + } +} \ No newline at end of file 
diff --git a/libbeat/formats/fixtures/lnk/local_win31j.lnk b/libbeat/formats/fixtures/lnk/local_win31j.lnk new file mode 100644 index 0000000000000000000000000000000000000000..35096d6281ed9d8cfacaeb60a6464014c1697db4 GIT binary patch literal 913 zcmah{T}YE*6nOlB`jBEP((*y{aGPXxaz#D>KbaT{sz-!dY%h+Xi#yD!+3wH?i}S@= zV`|YezR=ChR#QHykTrIX7tQ6GS2p?6OltqEOy<$m}E6D{vHWOk6>Dh`s_ zO)Q^P=`_VxR)~;!bu2TAB4mM4^(-0Gy_Hy(=TZPQ4Z x%I6Q%Nl9GxXI%$gOs{LaaC@vS8=ko|`151v^tG?1sF=ra4<}_A zMHu7*9{68Scx9C-u;>N{gSLUeTuBCf7poY!A_T*a!4S+bw$P6iU?=x#3Fot9jHQZtt(ET05fa-Elpc_3H{26>1Tp3(| zVeH8e24txsi3Tt@GK2uts4~a`F|v6`A`7pSyl#y1*$;$ED*~8F*lH3?srh?Ia93Pb{D;k>jGzN z2gxM>F)#})hycpsSeCLHTycRz6hhNsyzoF^a T9l;5*3?fRrQ&3RG_>b(5@UH1OWi?pCc>) literal 0 HcmV?d00001 diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.02.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.02.lnk.fingerprint new file mode 100644 index 000000000000..4ff1222143b3 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.2008srv.02.lnk.fingerprint @@ -0,0 +1,24 @@ +{ + "header": { + "guid": "01140200-0000-0000-c000-000000000046", + "linkFlags": [ + "HasIconLocation", + "HasName", + "HasTargetIDList", + "IsUnicode" + ], + "fileFlags": [], + "iconIndex": 4294967187, + "windowStyle": "SW_NORMAL" + }, + "targets": [ + { + "size": 20, + "typeId": 80, + "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" + } + ], + "name": "@%windir%\\explorer.exe,-304", + "iconLocation": "%SystemRoot%\\system32\\imageres.dll", + "extra": {} +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.03.lnk b/libbeat/formats/fixtures/lnk/native.2008srv.03.lnk new file mode 100644 index 0000000000000000000000000000000000000000..6854d0ea3b3bea8a7eb5745ca892d6ac581edee4 GIT binary patch literal 230 zcmeZaU|?VrVFHp2379W4=j?(pu?ccV9a2^V9uZf yR2R%p$xzHt0+h>T2m-3j2eLuBi;={Q8H|7;nLrhZ4C!FAQi1Y%K)Z5)5Cj0yv?i4R literal 0 HcmV?d00001 
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.03.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.03.lnk.fingerprint new file mode 100644 index 000000000000..827f56dbff47 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.2008srv.03.lnk.fingerprint @@ -0,0 +1,24 @@ +{ + "header": { + "guid": "01140200-0000-0000-c000-000000000046", + "linkFlags": [ + "HasIconLocation", + "HasName", + "HasTargetIDList", + "IsUnicode" + ], + "fileFlags": [], + "iconIndex": 4294967269, + "windowStyle": "SW_NORMAL" + }, + "targets": [ + { + "size": 20, + "typeId": 128, + "sha256": "fe665801103b090a9f447cb365a4acb589b5e2aed6473da23290967de2fcbbf9" + } + ], + "name": "@%windir%\\explorer.exe,-307", + "iconLocation": "%SystemRoot%\\system32\\imageres.dll", + "extra": {} +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.04.lnk b/libbeat/formats/fixtures/lnk/native.2008srv.04.lnk new file mode 100644 index 0000000000000000000000000000000000000000..b4d80eb28add3febc145ef9ccc63d4470d14b322 GIT binary patch literal 302 zcmeZaU|?VrVFHp23UH;pzyxwi?mYh}(=FHD$56sh47P}sfnfmBF*&=mz!1zgiZWfCcSFH*?cX~sx)YAX3on>f>{5GQaPitDyKXyg@Fye>G6Vql C8C3)T literal 0 HcmV?d00001 diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.04.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.04.lnk.fingerprint new file mode 100644 index 000000000000..44dee573d71a --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.2008srv.04.lnk.fingerprint 
@@ -0,0 +1,56 @@ +{ + "header": { + "guid": "01140200-0000-0000-c000-000000000046", + "linkFlags": [ + "EnableTargetMetadata", + "HasRelativePath", + "HasTargetIDList", + "IsUnicode" + ], + "fileFlags": [ + "FILE_ATTRIBUTE_DIRECTORY", + "FILE_ATTRIBUTE_READONLY" + ], + "creationTime": "2010-06-21T14:55:25Z", + "accessedTime": "2010-06-21T14:55:33Z", + "modifiedTime": "2010-06-21T14:55:33Z", + "fileSize": 4096, + "iconIndex": 0, + "windowStyle": "SW_NORMAL" + }, + "targets": [ + { + "size": 20, + "typeId": 68, + "sha256": "9193c3d2d24cd3be01e287b81dc4373db0e51b5167c48799ed0ff396bd4d42a2" + }, + { + "size": 32, + "typeId": 0, + "sha256": "ad0ad2454b2255ece9e4624c170ead63718269e0bd0c73db424ea6e556ed4b76" + } + ], + "relativePath": "..\\Documents", + "extra": { + "knownFolder": { + "id": "d09ad3fd-8f23-af46-adb4-6c85480369c7", + "offset": 52 + }, + "specialFolder": { + "id": 5, + "offset": 52 + }, + "tracker": { + "version": 0, + "machineId": "als-backup1", + "droid": [ + "325a35a3-6ed8-2049-adfd-dc842d90c45f", + "13a09673-447d-df11-a3ad-a4badb43b04f" + ], + "droidBirth": [ + "325a35a3-6ed8-2049-adfd-dc842d90c45f", + "13a09673-447d-df11-a3ad-a4badb43b04f" + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.05.lnk b/libbeat/formats/fixtures/lnk/native.2008srv.05.lnk new file mode 100644 index 0000000000000000000000000000000000000000..31822e4bfa22b27c440307c351f1e8d16b7f7f1d GIT binary patch literal 1669 zcmd^8L1@!p6#g!E-{!9q{3i5SY3U2}XFX>36+zO3l!J$aegPmDV(fzjWU zVZlZX4t%)G^`jKBsg)Qe7hKPr)ei%iknaHb)QaT0H`2*Bi3Rd_Ffj`q{0zG=B_ms% z9&hGV7>@1DIStL6H*q55Y$f&d>zw4wPIPh_tj;Fq9Ag6-x#wxX0Bw{U3D(~3!XhRC z!3x$_Ay9?E+hoQicAD0pdBkOLDPXP9H*gS19Kkrd)p(14^y^g>=u}0pmTo-_VT_$t zsh!Ee$+JQu=-MT^&T2KBV%BB0$o0ucPg%Z`8kxk8P=n|nOZ?hluDdc(mftB8=d5ya znu+#ElpM!P2>0iBi0H1${oB~r-{{+Yr#H4f|4Vlgy;a>lQD$BtHK{CXXaAN75ExVW6ZQ^u#A&%bW(pD12g TTz$J^X%O+DzMH*&%1h24|H8(y literal 0 HcmV?d00001 
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.05.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.05.lnk.fingerprint new file mode 100644 index 000000000000..00f8c6bd4437 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.2008srv.05.lnk.fingerprint 
@@ -0,0 +1,80 @@ +{ + "header": { + "guid": "01140200-0000-0000-c000-000000000046", + "linkFlags": [ + "HasArguments", + "HasExpString", + "HasIconLocation", + "HasName", + "HasRelativePath", + "HasTargetIDList", + "IsUnicode" + ], + "fileFlags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creationTime": "2008-01-19T05:45:45Z", + "accessedTime": "2008-01-19T08:38:39Z", + "modifiedTime": "2006-11-02T09:44:59Z", + "fileSize": 211968, + "iconIndex": 0, + "windowStyle": "SW_NORMAL" + }, + "targets": [ + { + "size": 20, + "typeId": 80, + "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" + }, + { + "size": 25, + "typeId": 68, + "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" + }, + { + "size": 78, + "typeId": 0, + "sha256": "fece27f82c45bb2da91e051a5eef11d40b38ab0a8763b1d10e140c9c92de7465" + }, + { + "size": 82, + "typeId": 0, + "sha256": "b580caeeb15f5ca1a896023cfb9db496f369a4153ae21c1364304bcdda351fe6" + }, + { + "size": 90, + "typeId": 0, + "sha256": "0b31690e53d5e14c12bc8b900fc5746cfd64a640461d13e3d22e4ad06d31e520" + } + ], + "name": "@%windir%\\system32\\accessibilityCpl.dll,-45", + "relativePath": "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\control.exe", + "commandLine": "/name Microsoft.EaseOfAccessCenter", + "iconLocation": "%SystemRoot%\\system32\\AccessibilityCpl.dll", + "extra": { + "environment": { + "ansi": "%SystemRoot%\\system32\\control.exe", + "unicode": "%SystemRoot%\\system32\\control.exe" + }, + "knownFolder": { + "id": "774ec11a-e702-5d4e-b744-2eb1ae5198b7", + "offset": 205 + }, + "specialFolder": { + "id": 37, + "offset": 205 + }, + "tracker": { + "version": 0, + "machineId": "win-hwdt97ahwff", + "droid": [ + "bab60dfd-b582-ae4d-9e57-00eb13c2fc0f", + "16494f80-82c6-dc11-901d-0014220d9404" + ], + "droidBirth": [ + "bab60dfd-b582-ae4d-9e57-00eb13c2fc0f", + "16494f80-82c6-dc11-901d-0014220d9404" + ] + } + } +} \ No newline at end of file 
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.06.lnk b/libbeat/formats/fixtures/lnk/native.2008srv.06.lnk new file mode 100644 index 0000000000000000000000000000000000000000..c03069d5c177eaf63256511dfc98d7d7e7d4b72e GIT binary patch literal 1959 zcmds2U1-x#6h8F_2ZC&4;6!Cbtb&@_v}v1^B1^JlTeWPYsAB}SprNaF%}DFquOJM3 z6JLE0h6+9j{yd02$UujvFVd%hihJJ6z(=Rxckf)Qh@0TcFyWq@d+#~lckVeS$tfZV zv}}PSn&XnpkL^T3rcWGRTDbQ*aA1D_?pM3s2G-^cp=P#A0WRy}NuY(=dKY`%1(#BV z#@h=GbTksVwTF)DDZ6e}(`HEIdNoa%ChE0%IxY1ImWs54w$bwQn7lX3_71`71h=dc zYSc?Ud6b8AXc*y|RDh>TWmvXD4nZ&Cj!~4tbe`+SNWe^_B*~n+6_#r;h?z#xRf6p* zdo}&0tC|)$`{@^qek+e*RpN*3ve z)x{}BA%mphH0S6dU7``#wj%B*v2^>XGo!&8e%RKtsZnvQagn;UXudCtOM8^a*l zhtWoz(92Xo4m~R2cA)t@B6dtcA(`EBWWT*~o$^yG(crIEO+KMW9JoW4ZvV7@i4e zN!W-KhnIn>vteQ;(KOIBU=~oPA+Y2yJj}D;V|B@+Dn2|1fFuG{Lx-rGD*^5p7$mGJ zz+yel&<(_(K##&!#H!AjlBm{d544~qcM#2na^vNSJ8XGgC1iJ($`z+rbbWhLHcX`> zY3hQiND)CwDv}__q=b;v#kgT;hGxd4XJ8Oj+l8S)rXfMgMn7sHUsP{B~Zki(D<E1`>) z;vW!1-4@zK7gZD&g}Rik1O;6eir`W!c;1U9K`e^%c=z6S?|Jv*yy*d8aabvVbt%!g zO094|x#!p(3~gA>^zir9k1?L{>6S!Vq|A%7#es^zo_|yM(`eckwrr@Wt)07zM{SMa zJSu0+z%A|HP4Jc=5cGEiTi(+ZMKNw*e@)ZNd?Hpw)KiJf7i>iUDI_pX89|KgcEaRM z1CvBHQ%=y1a%rf8ikH%U2p3OoG(eZNOX<({py|I}*x~8z?+Esa9(oFT(De40=wbR? z4}b@8OtDUi+MuPN0~sV)D?y*|1Em;bO+lHaS2rmzjZ89{NExb;F@V-w9jmJ8R#nt7 z?~6kDS?OV}!n~?H^E%48t2l2ZoOn%KoD-R>>qHoRctajUe=*5ISmvomTH;Jb&hk`3 zFw;Pk4llhbZ(mRT|5d_QU@P02ic)8|=lR|9opWaT0a)x-N?=DybT3mY zJkQJRhhu?V%e4+|e)|xmkB>zXX^}E3QWiTZeaGHC<)qoPtsWHONqzltDe5|#gIUy# zwTK33@3)}07(T!Eg};4)p$HxzAE)0n{qcavRTI@Jky*kH_>e>#6O>^@*={#X-ZU^x zWEFbckv4#i8y>5w=~h+nm=%I3 zJ1Zlsm0MSpKCh#Ur<(It!GT%gVw}h%uLD86#2oh^`isgf1ZACPNJ*T@%ypeAh|Rbp z%FU?C+xM4ue~I8dHk9e=w&@;miXM0|z^%IBXRTpcj-03u?HD4)0UP&F0Ibwff4SPr zL;9y}f%)^5i@x{0JAaP1&OV7;h$oM^5o+;-Bh${;;WtyMMCM;;3^c994iwME-=jt6 c(vMe5zYD)szWr6azPi4B*!kJ}zr3h<35M0CM*si- literal 0 HcmV?d00001 
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.09.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.09.lnk.fingerprint new file mode 100644 index 000000000000..dfcba27cf9e8 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.2008srv.09.lnk.fingerprint @@ -0,0 +1,73 @@ +{ + "header": { + "guid": "01140200-0000-0000-c000-000000000046", + "linkFlags": [ + "HasName", + "HasRelativePath", + "HasTargetIDList", + "HasWorkingDir", + "IsUnicode" + ], + "fileFlags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creationTime": "2008-01-19T05:48:02Z", + "accessedTime": "2008-01-19T05:48:02Z", + "modifiedTime": "2008-01-19T07:33:12Z", + "fileSize": 625664, + "iconIndex": 0, + "windowStyle": "SW_NORMAL" + }, + "targets": [ + { + "size": 20, + "typeId": 80, + "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" + }, + { + "size": 25, + "typeId": 67, + "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" + }, + { + "size": 132, + "typeId": 0, + "sha256": "46463e8662fedf13e7875f980e95b1323c9d5a29f95761ea11e90e13cb1c1b71" + }, + { + "size": 100, + "typeId": 0, + "sha256": "d08e5c93e6953dd7352b577645b8e8bb820e60a162b89f9b02c5a5cb3329f04b" + }, + { + "size": 94, + "typeId": 0, + "sha256": "2aadd8d53e7463686a436c806960bd61778d0048f6c535ecb9a90a95b7da74ae" + } + ], + "name": "@\"%windir%\\System32\\ie4uinit.exe\",-732", + "relativePath": "..\\..\\..\\..\\..\\..\\..\\..\\Program Files\\Internet Explorer\\iexplore.exe", + "workingDirectory": "%HOMEDRIVE%%HOMEPATH%", + "extra": { + "knownFolder": { + "id": "ef405a7c-fba0-fc4b-874a-c0f2e0b9fa8e", + "offset": 177 + }, + "specialFolder": { + "id": 42, + "offset": 177 + }, + "tracker": { + "version": 0, + "machineId": "als-backup1", + "droid": [ + "325a35a3-6ed8-2049-adfd-dc842d90c45f", + "90ed08bb-1f7a-df11-a4a2-a4badb43b04f" + ], + "droidBirth": [ + "325a35a3-6ed8-2049-adfd-dc842d90c45f", + "90ed08bb-1f7a-df11-a4a2-a4badb43b04f" + ] + } + } +} \ No newline at end of file 
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.10.lnk b/libbeat/formats/fixtures/lnk/native.2008srv.10.lnk new file mode 100644 index 0000000000000000000000000000000000000000..2d8cb7b02aa86f97caade05d298873e2b4117d9c GIT binary patch literal 294 zcmeZaU|?VrVFHp23`Za|8M4xICDV+0t&GxJjN z%ZnK-7}yzD7~bzQwvhG($*2L<6l;PMB3l>Ekjaq8kiwA9P|i>cloMkJf}5rgE5Hz3 zSzMBuYiz{8U$kc{rbW{Bp5*dnsFcD~SK9JS}nqL9L3=A?r ztjgd3#N|+*WCGd6|;(9>c z0iZ`&85kC*0_n3r3@S0Wf&6m6gHq3#V*R$e=xtmVIAc3V zE&+&vS!h87kOqPB%skzU@{|%w^Tdquv^0iY+j#$OZCd9$FP!1E@S#8aBA)&YO~>vC RPLO2~QR1D#LP#EDCIA$XwTJ)! literal 0 HcmV?d00001 diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.11.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.11.lnk.fingerprint new file mode 100644 index 000000000000..cd4d9731c4d9 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.2008srv.11.lnk.fingerprint 
@@ -0,0 +1,78 @@ +{ + "header": { + "guid": "01140200-0000-0000-c000-000000000046", + "linkFlags": [ + "HasExpString", + "HasIconLocation", + "HasName", + "HasRelativePath", + "HasTargetIDList", + "IsUnicode" + ], + "fileFlags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creationTime": "2008-01-19T04:06:25Z", + "accessedTime": "2008-01-19T08:38:15Z", + "modifiedTime": "2006-11-02T09:47:04Z", + "fileSize": 991232, + "iconIndex": 0, + "windowStyle": "SW_NORMAL" + }, + "targets": [ + { + "size": 20, + "typeId": 80, + "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" + }, + { + "size": 25, + "typeId": 68, + "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" + }, + { + "size": 78, + "typeId": 0, + "sha256": "fece27f82c45bb2da91e051a5eef11d40b38ab0a8763b1d10e140c9c92de7465" + }, + { + "size": 82, + "typeId": 0, + "sha256": "b580caeeb15f5ca1a896023cfb9db496f369a4153ae21c1364304bcdda351fe6" + }, + { + "size": 94, + "typeId": 0, + "sha256": "f4951a33ecf276bad83040de196791ed4c980ede7f272fabcce11723570b5b6e" + } + ], + "name": "@%windir%\\system32\\shell32.dll,-22560", + "relativePath": "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\Narrator.exe", + "iconLocation": "%SystemRoot%\\system32\\narrator.exe", + "extra": { + "environment": { + "ansi": "%SystemRoot%\\system32\\narrator.exe", + "unicode": "%SystemRoot%\\system32\\narrator.exe" + }, + "knownFolder": { + "id": "774ec11a-e702-5d4e-b744-2eb1ae5198b7", + "offset": 205 + }, + "specialFolder": { + "id": 37, + "offset": 205 + }, + "tracker": { + "version": 0, + "machineId": "win-hwdt97ahwff", + "droid": [ + "bab60dfd-b582-ae4d-9e57-00eb13c2fc0f", + "14494f80-82c6-dc11-901d-0014220d9404" + ], + "droidBirth": [ + "bab60dfd-b582-ae4d-9e57-00eb13c2fc0f", + "14494f80-82c6-dc11-901d-0014220d9404" + ] + } + } +} \ No newline at end of file 
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.12.lnk b/libbeat/formats/fixtures/lnk/native.2008srv.12.lnk new file mode 100644 index 0000000000000000000000000000000000000000..572096782c082c2cacb7b6c1f3f1e0eead399afb GIT binary patch literal 1615 zcmeZaU|?VrVFHp23N{gSLUeTuBCf7poY!A_T*a!4S+bw$P6iUv271-lLd!-$AuqoqwIDG? zFSR0-!2xdOF2K;5L0s9_1R3*C0? zJ`n}F)q}yG!I#06!37xpo(y3?mMW5H0D~h#2vChGgCY8H^c#+887l{6I9&t4XFC zd=(h-i?j7oD^ii%cSP6N;;;+IJj+~k^YVeFWi#jj&8q-nkoy=IG#MNiR2h(M3Ie)6 zA84y8Lkv(ostZ6O89==`KnQY?9?-WSwhn_XkY~hT%3#J|0>pYi7(*tB8j3L}ZUfmF z19Tm-KV(UAKdN34W^fEHP=!QIP=0=iYD_USnqpv~3kt{K4@gM`sG&Ig!)7G;Pypyz zRtAOzszCZI5X%5DH;`ZMcTnm%Q>@>17rl+^0%vRo$t3_WFbge+0MZ~(o|&hcQJzv_ yX`Yx-o|eY2Ya8$1txfBE=Y=!87C!WcU)s~Zq3PHi!3nYqB1*hdSP033%me`A1g;>emn4Dc&Un+D_`KtSZOBOBJb=!G^KOuRLAplyvMOy#> literal 0 HcmV?d00001 diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.15.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.15.lnk.fingerprint new file mode 100644 index 000000000000..c1693258c5b9 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.2008srv.15.lnk.fingerprint 
@@ -0,0 +1,47 @@ +{ + "header": { + "guid": "01140200-0000-0000-c000-000000000046", + "linkFlags": [ + "EnableTargetMetadata", + "HasRelativePath", + "HasTargetIDList", + "IsUnicode" + ], + "fileFlags": [ + "FILE_ATTRIBUTE_DIRECTORY", + "FILE_ATTRIBUTE_READONLY" + ], + "creationTime": "2008-01-19T09:40:53Z", + "accessedTime": "2008-01-19T09:40:53Z", + "modifiedTime": "2008-01-19T09:40:53Z", + "fileSize": 4096, + "iconIndex": 0, + "windowStyle": "SW_NORMAL" + }, + "targets": [ + { + "size": 20, + "typeId": 76, + "sha256": "82fe82afa3005892e74781cbae9bc9ecf682ea56ce765f650d6d402aa2cc7253" + } + ], + "relativePath": "..\\..\\Public", + "extra": { + "knownFolder": { + "id": "a276dfdf-2ac8-634d-906a-5644ac457385", + "offset": 20 + }, + "tracker": { + "version": 0, + "machineId": "als-backup1", + "droid": [ + "325a35a3-6ed8-2049-adfd-dc842d90c45f", + "8aed08bb-1f7a-df11-a4a2-a4badb43b04f" + ], + "droidBirth": [ + "325a35a3-6ed8-2049-adfd-dc842d90c45f", + "8aed08bb-1f7a-df11-a4a2-a4badb43b04f" + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.16.lnk b/libbeat/formats/fixtures/lnk/native.2008srv.16.lnk new file mode 100644 index 0000000000000000000000000000000000000000..1bdee439aae4d420c35fe099a702f1090cdde8d1 GIT binary patch literal 230 zcmeZaU|?VrVFHp23|NnnRG!8Oj+l8S)rXfMgMn7sHUsP{B~Zki(D<WNUZd6Lp+=USIQ;rot_dW^M*O zAdF!MW=Lg7WGG@tX2<}tiWy|UatsS<_|JW2^gQF$=5h6kH_Q8e5ukVi5Hm9{EQkQo zAdr|-tecdWoLyRA2<96_nJ&(|q2Rgp@0}Li2}k1j7fdU5sl6|_cBG!ihE#@Jh9HJ~AS?lj#sI|-;>HX{V37=ihE#@Jh9HJ~AS?lj#sI|-;>HX{V37=AYLQ-QMJfY>6Wq+Dy2chubwOs%^Fuc?m7#*6fFTEHW)VXw5bFWS3Ls`+kO5*% z1_uUJhG2$DpnWAk(OiZgpvrt8Ta_UOD25O>2D&5$s4@enDhCKbd_ACBL2MlcT_Deh z!IZ(A!ID8AD6R)oODc)#`xvl0vAJ9lkBf2nR)iTG(hF3BD~n4~bA$5pOH^Y}gA){R zBLd)#Z(N}_B7$Yac~SuAV^#)+1u8(g8i+yV0XLA(@}>K;v+O6Q$*k%3xHbMLgX9u` z7?_0?L;z_JD9_B(%_vVPu{2N2C{Igc*tL!K@7AVuzVpHvUJD=k!~f00zoF^a9l;5* Po3B6Cx0_E$9%Lo}py;5t literal 0 HcmV?d00001 
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.20.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.20.lnk.fingerprint
new file mode 100644
index 000000000000..18cf034f4c4d
--- /dev/null
+++ b/libbeat/formats/fixtures/lnk/native.2008srv.20.lnk.fingerprint
@@ -0,0 +1,73 @@
+{
+ "header": {
+ "guid": "01140200-0000-0000-c000-000000000046",
+ "linkFlags": [
+ "HasExpString",
+ "HasIconLocation",
+ "HasName",
+ "HasRelativePath",
+ "HasTargetIDList",
+ "IsUnicode"
+ ],
+ "fileFlags": [
+ "FILE_ATTRIBUTE_ARCHIVE"
+ ],
+ "creationTime": "2008-01-19T05:45:08Z",
+ "accessedTime": "2008-01-19T05:45:08Z",
+ "modifiedTime": "2008-01-19T07:33:10Z",
+ "fileSize": 2927104,
+ "iconIndex": 0,
+ "windowStyle": "SW_NORMAL"
+ },
+ "targets": [
+ {
+ "size": 20,
+ "typeId": 80,
+ "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee"
+ },
+ {
+ "size": 25,
+ "typeId": 68,
+ "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e"
+ },
+ {
+ "size": 78,
+ "typeId": 0,
+ "sha256": "d388526f94e64db09ca8ad1e27366bdd87e94d1909273a6cd0aa3328bdd9ad30"
+ },
+ {
+ "size": 94,
+ "typeId": 0,
+ "sha256": "a925d96d0dc0fa9a669f6796f5ddc972e09bfbeca048f69435d791be383fd764"
+ }
+ ],
+ "name": "@%SystemRoot%\\system32\\Shell32.dll,-22579",
+ "relativePath": "..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\explorer.exe",
+ "iconLocation": "%SystemRoot%\\explorer.exe",
+ "extra": {
+ "environment": {
+ "ansi": "%SystemRoot%\\explorer.exe",
+ "unicode": "%SystemRoot%\\explorer.exe"
+ },
+ "knownFolder": {
+ "id": "04f48bf3-431d-f242-9305-67de0b28fc23",
+ "offset": 123
+ },
+ "specialFolder": {
+ "id": 36,
+ "offset": 123
+ },
+ "tracker": {
+ "version": 0,
+ "machineId": "win-hwdt97ahwff",
+ "droid": [
+ "bab60dfd-b582-ae4d-9e57-00eb13c2fc0f",
+ "f6484f80-82c6-dc11-901d-b3d7e32f3e9f"
+ ],
+ "droidBirth": [
+ "bab60dfd-b582-ae4d-9e57-00eb13c2fc0f",
+ "f6484f80-82c6-dc11-901d-b3d7e32f3e9f"
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/libbeat/formats/fixtures/lnk/native.seven.01.lnk b/libbeat/formats/fixtures/lnk/native.seven.01.lnk new file mode 100644 index 0000000000000000000000000000000000000000..c9155f5d536efd8acb41e653737872afaf8946e3 GIT binary patch literal 953 zcma)4OK1~O6g{IADk3Htq?Ou65Es>?GbXWV2vQk4f<`lBA_R%jP(ut%8cjE~h+C`B zZrms$hKk*47cRsP*+`+(;L@F?SPMd1=~BDsd9Rrc5kzM==iYbkefORBNdQoMJIFvy zGK?p*eq#3ixAyt@ImNNKY}F@bJ}Q{pCo2`nE)^6Xy3B>-XaA2_(KGd>6~|TeX*+uK zSk|rD_Qs(}e=Ppp^ukOf&!x`XW#}ea(So%PtFh-kk?UsFZCU9qXvndN3d$&ub0|@= zfg)_=F~V#=`38NPe+VZL#C7SPK!76+y@<;7+mPDUv21#vmxt2>nKa@J6+*#Sd|9e^ zbx9~VEZ25Pr-osqF@OviIEZUpK^)T2(8Vdg(=nJI&EsrS*R8!Bu|?PYZbRuccMWnU zqXck>u!s&q%o8?1h%ZHWiJioF{px8CEqM55rCg}wN`9kg=SQ-Q9XeL(LN^a6h-?%8 z{dluzmiOn_k=w?)7`y&|Cn0$kP!*T{nh@LD!|_`Gl{>$y8yD`KudOe<`86qWkBQyP zP0(tVX)Qj;81E8M{q4qqhsPe3>bDqgA<#wi5Ef5LBO;AAAYOusK5~ffLA;1wnbQzv zM8hd^i1{$%VrE2+qO_tq!g(U9N?)wwe1mj&2h~g?kh24-7VdM>=v-N<=Ju{6rx#z& c=`U)D_n)S@vZXRDad;?$zz7{{EHjMSpc;ux3I;_QKo^7p?N0?7QVe7}GUPC%Fl2!FnP3rA_knanKmw2g`gK7Bl%JTRYhY+%3FQGT qdi!)iBJW%OWslaMa$b7C=Y>>={NhFT1h+;o$oYSeIZj9(WDo$s=VBZH literal 0 HcmV?d00001 diff --git a/libbeat/formats/fixtures/lnk/native.seven.02.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.02.lnk.fingerprint new file mode 100644 index 000000000000..46b5111cc8e1 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.seven.02.lnk.fingerprint 
@@ -0,0 +1,62 @@
+{
+ "header": {
+ "guid": "01140200-0000-0000-c000-000000000046",
+ "linkFlags": [
+ "EnableTargetMetadata",
+ "HasLinkInfo",
+ "HasRelativePath",
+ "HasTargetIDList",
+ "IsUnicode"
+ ],
+ "fileFlags": [
+ "FILE_ATTRIBUTE_DIRECTORY",
+ "FILE_ATTRIBUTE_READONLY"
+ ],
+ "creationTime": "2009-09-16T09:31:55Z",
+ "accessedTime": "2009-09-16T09:32:12Z",
+ "modifiedTime": "2009-09-16T09:32:12Z",
+ "iconIndex": 0,
+ "windowStyle": "SW_NORMAL"
+ },
+ "location": {
+ "flags": [
+ "VolumeIDAndLocalBasePath"
+ ],
+ "volume": {
+ "driveType": "DRIVE_FIXED",
+ "driveSerialNumber": "0x3e5dce88"
+ },
+ "localBasePath": "C:\\Users\\Aldheris\\Desktop"
+ },
+ "relativePath": "..\\Desktop",
+ "extra": {
+ "propertyStore": {
+ "properties": {
+ "10": [
+ {
+ "type": "VT_LPWSTR",
+ "value": "Bureau"
+ }
+ ],
+ "30": [
+ {
+ "type": "VT_LPWSTR",
+ "value": "C:\\Users\\Aldheris\\Desktop"
+ }
+ ]
+ }
+ },
+ "tracker": {
+ "version": 0,
+ "machineId": "al-0149",
+ "droid": [
+ "1eede5a0-610d-ed4f-a6e2-afca43a5c04c",
+ "e81a541f-a3a2-de11-b558-001e4ff01cc7"
+ ],
+ "droidBirth": [
+ "1eede5a0-610d-ed4f-a6e2-afca43a5c04c",
+ "e81a541f-a3a2-de11-b558-001e4ff01cc7"
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/libbeat/formats/fixtures/lnk/native.seven.03.lnk b/libbeat/formats/fixtures/lnk/native.seven.03.lnk new file mode 100644 index 0000000000000000000000000000000000000000..348a53dc43d239984cd5ceae908ad7b437534b31 GIT binary patch literal 383 zcmeZaU|?VrVFHp23^0K2T{fLncsL5l~ApLnRQG zFuVX81X9Vs&K!#}ou@w+jGZ+D(1%o*d zIx?66Ezo5!2D1%;EEAxJAy8bG!4gP2F&F?@Ev|Gkf07}WK2LG?j0oiZb$)Ih07* zL;*#(s4+W6d5(6Ge-sB0!KAYHBTUc0FcPYN4>Id`_~Dc*sa$Oeqiq(#z+>_HfwZ+c zG!zSm94bhWLk&}m?8F2+$dE232Cs&^iV=6(#gTSZ$#_*~XQbd(RjVU5R*mo^(*&@a za0s~q*(W+o$d@4k#Aaf?b^4H>8XUe|E$6GbQphY6-CDMNLQgAR7~p^+$Zn8-A8(cv z)*t#$-=o{Zu_Rgb|0@aQEkIo^{V5^G>!!alc5?P-ef9X?l!TFxogyh zV>?S%#?2S$MC$qKj+=XKm0IT+_YvqPh6sm~GKhHl4aiH-F+v&Tdyp3~ta1ioj2Jjb z8D&1kxa^E8FF`G<1vUD?vd`_9nd9n{C$fm|`H8?g~DjlSj2_1yMl>(SEVcd3WX Z^hBKK;s1ZtZ%(<{*{+PzW}hdygC2? literal 0 HcmV?d00001 diff --git a/libbeat/formats/fixtures/lnk/native.seven.04.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.04.lnk.fingerprint new file mode 100644 index 000000000000..6e72c32ff0fd --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.seven.04.lnk.fingerprint 
@@ -0,0 +1,92 @@
+{
+ "header": {
+ "guid": "01140200-0000-0000-c000-000000000046",
+ "linkFlags": [
+ "HasLinkInfo",
+ "HasRelativePath",
+ "HasTargetIDList",
+ "HasWorkingDir",
+ "IsUnicode"
+ ],
+ "fileFlags": [
+ "FILE_ATTRIBUTE_ARCHIVE"
+ ],
+ "creationTime": "2008-03-26T17:25:22Z",
+ "accessedTime": "2010-06-14T11:28:03Z",
+ "modifiedTime": "2008-03-26T17:25:22Z",
+ "fileSize": 1888256,
+ "iconIndex": 0,
+ "windowStyle": "SW_NORMAL"
+ },
+ "targets": [
+ {
+ "size": 20,
+ "typeId": 80,
+ "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee"
+ },
+ {
+ "size": 25,
+ "typeId": 67,
+ "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e"
+ },
+ {
+ "size": 136,
+ "typeId": 0,
+ "sha256": "840a0411d530cd09b5792384fc7ed5e04f93fe1c71ed24d65cd0182e64fd31a1"
+ },
+ {
+ "size": 82,
+ "typeId": 0,
+ "sha256": "c09ce9a158eab2f04757007a4235bf293c1fe0c398738797318b07b4acac3bc7"
+ },
+ {
+ "size": 94,
+ "typeId": 0,
+ "sha256": "233c0e52e887e2c64a9e46fd3ed6607e6555a4b9e2f521928d25990ee18f9510"
+ }
+ ],
+ "location": {
+ "flags": [
+ "VolumeIDAndLocalBasePath"
+ ],
+ "volume": {
+ "driveType": "DRIVE_FIXED",
+ "driveSerialNumber": "0x3e5dce88"
+ },
+ "localBasePath": "C:\\Program Files\\SopCast\\SopCast.exe"
+ },
+ "relativePath": "..\\..\\..\\Program Files\\SopCast\\SopCast.exe",
+ "workingDirectory": "C:\\Program Files\\SopCast",
+ "extra": {
+ "knownFolder": {
+ "id": "ef405a7c-fba0-fc4b-874a-c0f2e0b9fa8e",
+ "offset": 181
+ },
+ "propertyStore": {
+ "properties": {
+ "4": [
+ {
+ "type": "VT_LPWSTR",
+ "value": "S-1-5-21-2092377875-1431633947-1539857752-1075"
+ }
+ ]
+ }
+ },
+ "specialFolder": {
+ "id": 42,
+ "offset": 181
+ },
+ "tracker": {
+ "version": 0,
+ "machineId": "al-0149",
+ "droid": [
+ "1eede5a0-610d-ed4f-a6e2-afca43a5c04c",
+ "bd65fda7-2775-df11-a754-001e4ff01cc7"
+ ],
+ "droidBirth": [
+ "1eede5a0-610d-ed4f-a6e2-afca43a5c04c",
+ "bd65fda7-2775-df11-a754-001e4ff01cc7"
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/libbeat/formats/fixtures/lnk/native.seven.05.lnk b/libbeat/formats/fixtures/lnk/native.seven.05.lnk new file mode 100644 index 0000000000000000000000000000000000000000..30af0d678f89a37b757a628078c9f7aca417e3d7 GIT binary patch literal 186 zcmeZaU|?VrVFHp234-8`nkl_rO40%Ak`3&Vi^J5r-k?e-pkqnf}1G)g@5|BNq3>84Ez@QHlO$53S z#P$W6k_=W+3{;f{RISJ01e8r?$Yv-7y3Y}8M-Wgg$Y1$Dm8lH!6#7&H7;2mh3=3p{ zv|(^S@T0B>w>>@<&b$8zPga|edkz+;BFw<}0jg6Ct}HG|%?--WFHwzwu#JsklJoOQ zit=;xQY%tn8ip~giW0v;z?gugEn?$+7zfS>@>&AWufS}vAOh;=^2|Kllw{*9(*nc7 uEHgufWt+J}r0rS!x4X@W`hK7yo%Q&vN9G0h1RHZ1WRxF8ml2W&84CcK8Hla` literal 0 HcmV?d00001 diff --git a/libbeat/formats/fixtures/lnk/native.seven.07.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.07.lnk.fingerprint new file mode 100644 index 000000000000..e3e8a6fff094 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.seven.07.lnk.fingerprint 
@@ -0,0 +1,47 @@
+{
+ "header": {
+ "guid": "01140200-0000-0000-c000-000000000046",
+ "linkFlags": [
+ "ForceNoLinkInfo",
+ "HasArguments",
+ "HasExpString",
+ "HasIconLocation",
+ "HasName",
+ "HasRelativePath",
+ "IsUnicode",
+ "PreferEnvironmentPath"
+ ],
+ "fileFlags": [
+ "FILE_ATTRIBUTE_ARCHIVE"
+ ],
+ "creationTime": "2009-07-13T23:40:14Z",
+ "accessedTime": "2009-07-13T23:40:14Z",
+ "modifiedTime": "2009-07-14T01:14:15Z",
+ "fileSize": 113152,
+ "iconIndex": 4294967295,
+ "windowStyle": "SW_NORMAL"
+ },
+ "name": "@%systemroot%\\system32\\sdcpl.dll,-100",
+ "relativePath": "..\\..\\..\\..\\..\\..\\Windows\\System32\\control.exe",
+ "commandLine": "/name Microsoft.BackupAndRestore",
+ "iconLocation": "%systemroot%\\system32\\sdcpl.dll",
+ "extra": {
+ "environment": {
+ "ansi": "%SystemRoot%\\System32\\control.exe",
+ "unicode": "%SystemRoot%\\System32\\control.exe"
+ },
+ "propertyStore": {},
+ "tracker": {
+ "version": 0,
+ "machineId": "win-dc3j5p1qj61",
+ "droid": [
+ "a6b30b54-1b3f-044f-b746-9c5af7c07867",
+ "05c79ae2-3770-de11-816d-001c23e25b76"
+ ],
+ "droidBirth": [
+ "a6b30b54-1b3f-044f-b746-9c5af7c07867",
+ "05c79ae2-3770-de11-816d-001c23e25b76"
+ ]
+ }
+ }
+}
\ No newline at end of file
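Review bot: `"iconIndex": 4294967295` in this fixture is -1 rendered through an unsigned type; MS-SHLLINK defines the header's IconIndex as a 32-bit signed integer, so the expected output is pinning a sign error rather than the value the link actually carries. The same value appears in the native.seven.19 fixture, and native.seven.12 shows `"iconIndex": 4294965857` for what would be -1439. The parser is outside this chunk, but the field should be decoded as a signed 32-bit integer and these fixtures regenerated so they read `"iconIndex": -1` (and `-1439`), otherwise the test suite enforces the wrong encoding.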
diff --git a/libbeat/formats/fixtures/lnk/native.seven.08.lnk b/libbeat/formats/fixtures/lnk/native.seven.08.lnk new file mode 100644 index 0000000000000000000000000000000000000000..5602c10fb4e3d589f38bd05a25e6d4d868428249 GIT binary patch literal 3115 zcmeHJOKTHR6#k+`D{dl$`q(sqhKMyW39Zl&i)rkHG_8H44~0QYrqgEHJZffY(-z%{ zf(voeowU@A;6}+_`~zYa3c71oJ{AhPa#g=Olg1beb|Gks_j1oYbIzIboqO)NGq)Fj z&9RRZcy3ZiF9s~;chpvA@XqEy^T2xln)72wv#-8sM62Kb;5g1iLvo#|cpO5&l$OK6 zCA)J>%a0f4bcE4}27G?@DfG}GG^c1|H{+{^8-s>C#!B)v zO@f@S_Nty6o zYdK-YlOYv5BYf)gCU$HK-$EAt3|a}D6YCsVcqr3MObc1aQq*)&nl>>-Y#F@AHO$h# zlTpo5F8t*1fp2Q2eII9q=wcNGOi=H`Wey+Y9nqhwR%RyaD^C8S^&m6a?RGN8dI>S+ zeq{h()6qyw(z2@FDfPsrl;C1ijV!db3=Ve{M>8X=$Gz4{ ztVj5YNOp&Vl4Wa{bowmv8+U`{Vn(ZhFdZU6h-*x@NBO v4#)qiO6^s}+IlZ1k-U+Uz032<9f?P48?U?@ufHClyiu4O=Gfd6+>iDhY*tIT literal 0 HcmV?d00001 diff --git a/libbeat/formats/fixtures/lnk/native.seven.08.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.08.lnk.fingerprint new file mode 100644 index 000000000000..adbd9ec4896b --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.seven.08.lnk.fingerprint 
@@ -0,0 +1,78 @@ +{ + "header": { + "guid": "01140200-0000-0000-c000-000000000046", + "linkFlags": [ + "HasDarwinID", + "HasExpIcon", + "HasIconLocation", + "HasName", + "HasRelativePath", + "HasTargetIDList", + "IsUnicode" + ], + "fileFlags": [], + "iconIndex": 0, + "windowStyle": "SW_NORMAL" + }, + "targets": [ + { + "size": 20, + "typeId": 80, + "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" + }, + { + "size": 25, + "typeId": 67, + "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" + }, + { + "size": 82, + "typeId": 0, + "sha256": "adb0bd79a80a54398d17e2ccdab84c03e2231e531e7ab5e2f9dbb30568b12a5b" + }, + { + "size": 88, + "typeId": 0, + "sha256": "1e58de9fc1d34050c497b08eaf7fcd03df9aa8d7b34aac88736e6189502c1121" + }, + { + "size": 176, + "typeId": 0, + "sha256": "ff90de58070d4797d0e32a5349466c9a385cd908aaf70bee4d3c613847adf13a" + }, + { + "size": 94, + "typeId": 0, + "sha256": "cc81ce35eb86e8c41d89c988c14966f9f500594e9e4d51ff68e2e65fe0e427e2" + } + ], + "name": "Importez et organisez des photos, des images clip art, des fichiers sons et animation à l'aide de la Bibliothèque multimédia Microsoft.", + "relativePath": "..\\..\\..\\..\\..\\..\\..\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\cagicon.exe", + "iconLocation": "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\cagicon.exe", + "extra": { + "darwin": { + "ansi": "xb'BV5!!!!!!!!!MKKSkCAGFiles\u003eFJGjc2{CeAz+$QTBrVhU", + "unicode": "xb'BV5!!!!!!!!!MKKSkCAGFiles\u003eFJGjc2{CeAz+$QTBrVhU" + }, + "iconEnvironment": { + "ansi": "%SystemRoot%\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\cagicon.exe", + "unicode": "%SystemRoot%\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\cagicon.exe" + }, + "propertyStore": { + "properties": { + "6": [ + { + "type": "VT_LPWSTR", + "value": "Importez et organisez des photos, des images clip art, des fichiers sons et animation à l'aide de la Bibliothèque multimédia Microsoft." 
+ } + ], + "8": [ + { + "type": "VT_BOOL", + "value": true + } + ] + } + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.seven.09.lnk b/libbeat/formats/fixtures/lnk/native.seven.09.lnk new file mode 100644 index 0000000000000000000000000000000000000000..18791204b673011a55aa7b58ac98a733a2787a6a GIT binary patch literal 1959 zcmd^AUr19?82`hViZ&m zLWEN7sgR-v9}+2u9tuLJAR}n>(jUkm2nu@W_uV_EjzXX9jPHEsobR{a`JM0H^W7i- zhpU7=@W|@XHp!{Naj0(hJ6Gv5N5Sv8FraXbQ=2TL!^Ri-Mu!X4ptpHjcbfVsx+-n}V?nIZ7h$b^8no)*Qe4ATTZ@DD0ml&s|uXwvI7)T(B zBr-6Gs=~#%vzjJx60=q+y3L{iJOm-jnM`?hY)=t|=6D{Js zG-=0Z6*NiqxZ4+U(u1kYXG&W-pSDsGYH%1WP@!RUel#jreKrk$SGAuC0zADRjZ`W> zZH>Nor{XOBYp2R}Ds?dh%+8d@K5}O=nf7RA{_(CpzT{{_HxE{3x07#wl5doU&uG2R zcSEP=zd4*#gUxa$=wH*Ma%|%~)Bf1~v81Pcrqy?U`uN0*#Cmyo${DMmuMda9x$~3X ze|7Xb?_6eyu6?lZgP1KeRMS$l6D(5^7FUxc;uFU@6vWw^^f4B(Gw5fpGa@TGk?A7T z5I%Fozz~u4NXnnhpcB2!mn1GqWP&?N;T_4d<}6GtR}IERf!)WsqF6{#k>Kker}bHS z6zZ{c+dAV!9%Wp1PUo*mKa1H?JHmk^Bwjt2GmYFC?j@0+NIhXiS)`|=5A08?JqyPW_ literal 0 HcmV?d00001 diff --git a/libbeat/formats/fixtures/lnk/native.seven.09.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.09.lnk.fingerprint new file mode 100644 index 000000000000..72d7d2db5a1e --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.seven.09.lnk.fingerprint 
@@ -0,0 +1,105 @@ +{ + "header": { + "guid": "01140200-0000-0000-c000-000000000046", + "linkFlags": [ + "HasExpString", + "HasLinkInfo", + "HasName", + "HasRelativePath", + "HasTargetIDList", + "HasWorkingDir", + "IsUnicode" + ], + "fileFlags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creationTime": "2009-07-13T23:51:37Z", + "accessedTime": "2009-07-13T23:51:37Z", + "modifiedTime": "2009-07-14T01:14:20Z", + "fileSize": 219648, + "iconIndex": 0, + "windowStyle": "SW_NORMAL" + }, + "targets": [ + { + "size": 20, + "typeId": 80, + "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" + }, + { + "size": 25, + "typeId": 67, + "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" + }, + { + "size": 82, + "typeId": 0, + "sha256": "184e677e10b73142c9acb6bc4b5db242dabebda53ff506e59d720d2cbd5be706" + }, + { + "size": 86, + "typeId": 0, + "sha256": "8ce8fcbfca1d3b5d6838544cdb47e95443e55e56f0aff1a73199531b735d77d3" + }, + { + "size": 94, + "typeId": 0, + "sha256": "dc814bc487fc41e03499933cac5facf8154e3b768f8d22c06ac286342037386c" + } + ], + "location": { + "flags": [ + "VolumeIDAndLocalBasePath" + ], + "volume": { + "driveType": "DRIVE_FIXED", + "driveSerialNumber": "0x502e1a8a" + }, + "localBasePath": "C:\\Windows\\System32\\fsquirt.exe" + }, + "name": "@C:\\Windows\\system32\\fsquirt.exe,-2305", + "relativePath": "..\\..\\..\\..\\..\\..\\Windows\\System32\\fsquirt.exe", + "workingDirectory": "C:\\Windows\\system32", + "extra": { + "environment": { + "ansi": "%SystemRoot%\\system32\\fsquirt.exe", + "unicode": "%SystemRoot%\\system32\\fsquirt.exe" + }, + "knownFolder": { + "id": "774ec11a-e702-5d4e-b744-2eb1ae5198b7", + "offset": 213 + }, + "propertyStore": { + "properties": { + "4": [ + { + "type": "VT_LPWSTR", + "value": "S-1-5-18" + } + ], + "6": [ + { + "type": "VT_LPWSTR", + "value": "Transfère les fichiers entre les périphériques et les ordinateurs à l'aide de la technologie sans fil Bluetooth." 
+ } + ] + } + }, + "specialFolder": { + "id": 37, + "offset": 213 + }, + "tracker": { + "version": 0, + "machineId": "win-40r2agv20qa", + "droid": [ + "da667c4f-20d3-c44c-8d50-165dd98ebc01", + "66d492f8-2061-df11-964c-ac3a656c3b1d" + ], + "droidBirth": [ + "da667c4f-20d3-c44c-8d50-165dd98ebc01", + "66d492f8-2061-df11-964c-ac3a656c3b1d" + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.seven.10.lnk b/libbeat/formats/fixtures/lnk/native.seven.10.lnk new file mode 100644 index 0000000000000000000000000000000000000000..f936cf9b587f7eab26a9d0f1db7ff6a45e0e1551 GIT binary patch literal 1230 zcmeZaU|?VrVFHp23GP?+TuBaA)}xR&u1tH+7pA~28dnB42eL~lY!=>GE@Mu6wpoOP+ge} zML1lDu1f>xS55|o1u{U|FgPIiQCEc99v=(m-G789tIfzg2MY=jW?-lS)v1lVf<_?jzXYt?eHYe))fr@nL>KeiU6sNFHP?0G|79)Bpeg literal 0 HcmV?d00001 diff --git a/libbeat/formats/fixtures/lnk/native.seven.10.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.10.lnk.fingerprint new file mode 100644 index 000000000000..0704b1895052 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.seven.10.lnk.fingerprint 
@@ -0,0 +1,45 @@ +{ + "header": { + "guid": "01140200-0000-0000-c000-000000000046", + "linkFlags": [ + "ForceNoLinkInfo", + "HasExpString", + "HasIconLocation", + "HasName", + "HasRelativePath", + "IsUnicode", + "PreferEnvironmentPath" + ], + "fileFlags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creationTime": "2009-07-13T23:41:28Z", + "accessedTime": "2009-07-13T23:41:28Z", + "modifiedTime": "2009-07-14T01:14:13Z", + "fileSize": 776192, + "iconIndex": 0, + "windowStyle": "SW_NORMAL" + }, + "name": "@%SystemRoot%\\system32\\shell32.dll,-22531", + "relativePath": "..\\..\\..\\..\\..\\..\\Windows\\System32\\calc.exe", + "iconLocation": "%windir%\\system32\\calc.exe", + "extra": { + "environment": { + "ansi": "%windir%\\system32\\calc.exe", + "unicode": "%windir%\\system32\\calc.exe" + }, + "propertyStore": {}, + "tracker": { + "version": 0, + "machineId": "win-dc3j5p1qj61", + "droid": [ + "a6b30b54-1b3f-044f-b746-9c5af7c07867", + "1bc79ae2-3770-de11-816d-001c23e25b76" + ], + "droidBirth": [ + "a6b30b54-1b3f-044f-b746-9c5af7c07867", + "1bc79ae2-3770-de11-816d-001c23e25b76" + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.seven.11.lnk b/libbeat/formats/fixtures/lnk/native.seven.11.lnk new file mode 100644 index 0000000000000000000000000000000000000000..1d58cd87068655c32a68a15884adf4e41e55ae0e GIT binary patch literal 156 zcmeZaU|?VrVFHp232NNeszgbtMdXKwb_I z>M-as7y?xo0@dgPMfHFx@sr_DoAQBn76VlW2A5wn zfMLSPz_36DNE-$R1V8GEaNFZ!;k^5g@MN_ax#wU(Cc+F1eV{tk^31%H%p%p8;>zNZ z)LdhunEaHahs?{X%z-+M~0_tsG*3eB!HqJ6F wFf7b6Gh|q{nL9+ME0csU}RR910 literal 0 HcmV?d00001 diff --git a/libbeat/formats/fixtures/lnk/native.seven.12.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.12.lnk.fingerprint new file mode 100644 index 000000000000..fa97ff5da2a6 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.seven.12.lnk.fingerprint 
@@ -0,0 +1,47 @@ +{ + "header": { + "guid": "01140200-0000-0000-c000-000000000046", + "linkFlags": [ + "ForceNoLinkInfo", + "HasExpString", + "HasIconLocation", + "HasName", + "HasRelativePath", + "HasWorkingDir", + "IsUnicode", + "PreferEnvironmentPath" + ], + "fileFlags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creationTime": "2009-07-14T00:11:56Z", + "accessedTime": "2009-07-14T00:11:56Z", + "modifiedTime": "2009-07-14T01:14:28Z", + "fileSize": 86016, + "iconIndex": 4294965857, + "windowStyle": "SW_NORMAL" + }, + "name": "@%windir%\\system32\\odbcint.dll,-1312", + "relativePath": "..\\..\\..\\..\\..\\..\\Windows\\System32\\odbcad32.exe", + "workingDirectory": "%windir%\\system32", + "iconLocation": "%windir%\\system32\\odbcint.dll", + "extra": { + "environment": { + "ansi": "%windir%\\system32\\odbcad32.exe", + "unicode": "%windir%\\system32\\odbcad32.exe" + }, + "propertyStore": {}, + "tracker": { + "version": 0, + "machineId": "win-dc3j5p1qj61", + "droid": [ + "a6b30b54-1b3f-044f-b746-9c5af7c07867", + "fcc69ae2-3770-de11-816d-001c23e25b76" + ], + "droidBirth": [ + "a6b30b54-1b3f-044f-b746-9c5af7c07867", + "fcc69ae2-3770-de11-816d-001c23e25b76" + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.seven.13.lnk b/libbeat/formats/fixtures/lnk/native.seven.13.lnk new file mode 100644 index 0000000000000000000000000000000000000000..a171b7fd4349f1827b0150917a68af89920c77f2 GIT binary patch literal 489 zcmeZaU|?VrVFHp23W*Yi~*%V zrj!D)3=lIzX;UEW0K_RkED6LQ@h&O700AH!9PFYS?&)XF;A|BWTAW%`9K*n%0u%?C zBLc(_z{C&}x+O! zB!Ybbl3@U{A)1$EC2QDDy(GBx8p8qqn-UjXf#Px?1t85*Kfxj^ zg9C#qLpehxLmop4kSqf7Vi<}UDuK9!A(bJQ!I;4aDB{Kt!4S+4#NY}feHrwCYIA^4 zhe4OY5GZd5r1gL>hA1)|YFj?g-eRDhU<}*Bf%XLh%}Qmc0Ah9qeIPFt?7|R+dGca2$h=BSXm^E}$ zl8v)W3k(ah%nTWpZRQSY|LelQGOI%Mo1oHECAD; BY;XVo literal 0 HcmV?d00001 
diff --git a/libbeat/formats/fixtures/lnk/native.seven.14.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.14.lnk.fingerprint new file mode 100644 index 000000000000..e9fb29ca1c24 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.seven.14.lnk.fingerprint @@ -0,0 +1,47 @@ +{ + "header": { + "guid": "01140200-0000-0000-c000-000000000046", + "linkFlags": [ + "ForceNoLinkInfo", + "HasArguments", + "HasExpString", + "HasIconLocation", + "HasName", + "HasRelativePath", + "IsUnicode", + "PreferEnvironmentPath" + ], + "fileFlags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creationTime": "2009-07-14T00:15:12Z", + "accessedTime": "2009-07-14T00:15:12Z", + "modifiedTime": "2009-07-14T01:14:45Z", + "fileSize": 802304, + "iconIndex": 0, + "windowStyle": "SW_NORMAL" + }, + "name": "@%windir%\\system32\\FXSRESM.dll,-121", + "relativePath": "..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\WFS.exe", + "commandLine": "/SendTo", + "iconLocation": "%windir%\\system32\\WFSR.dll", + "extra": { + "environment": { + "ansi": "%windir%\\system32\\WFS.exe", + "unicode": "%windir%\\system32\\WFS.exe" + }, + "propertyStore": {}, + "tracker": { + "version": 0, + "machineId": "win-dc3j5p1qj61", + "droid": [ + "a6b30b54-1b3f-044f-b746-9c5af7c07867", + "1ac79ae2-3770-de11-816d-001c23e25b76" + ], + "droidBirth": [ + "a6b30b54-1b3f-044f-b746-9c5af7c07867", + "1ac79ae2-3770-de11-816d-001c23e25b76" + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.seven.15.lnk b/libbeat/formats/fixtures/lnk/native.seven.15.lnk new file mode 100644 index 0000000000000000000000000000000000000000..18971678d24feee9811bcb08c9ba3f3966a2b65c GIT binary patch literal 1238 zcmeZaU|?VrVFHp23}^%An7X&rkrgF^@rpY}aZ4{mjY0us{Y# z8wLjiKkABb+v8*5y!(&vWVIQ&=U_o1!VC;upgPs^%)FG$BGs7U%HopLTw|k{+@zf3 zk|Mp-id2}|;ZBpAGKPD&j5Plx06h%M77HSv9tUO(T@!;Mqr~(wBZI<3hFfVh{tB0m j`1A&d#op}O!}$Bkq#p{2_XVfA@2qd|8% literal 0 HcmV?d00001 
diff --git a/libbeat/formats/fixtures/lnk/native.seven.15.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.15.lnk.fingerprint new file mode 100644 index 000000000000..a09c8a4e0a1d --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.seven.15.lnk.fingerprint @@ -0,0 +1,47 @@ +{ + "header": { + "guid": "01140200-0000-0000-c000-000000000046", + "linkFlags": [ + "ForceNoLinkInfo", + "HasArguments", + "HasExpString", + "HasIconLocation", + "HasName", + "HasRelativePath", + "IsUnicode", + "PreferEnvironmentPath" + ], + "fileFlags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creationTime": "2009-07-13T23:39:26Z", + "accessedTime": "2009-07-13T23:39:26Z", + "modifiedTime": "2009-07-14T01:14:23Z", + "fileSize": 941568, + "iconIndex": 0, + "windowStyle": "SW_NORMAL" + }, + "name": "@%windir%\\system32\\mblctr.exe,-1004", + "relativePath": "..\\..\\..\\..\\..\\..\\Windows\\System32\\mblctr.exe", + "commandLine": "/open", + "iconLocation": "%windir%\\system32\\mblctr.exe", + "extra": { + "environment": { + "ansi": "%windir%\\system32\\mblctr.exe", + "unicode": "%windir%\\system32\\mblctr.exe" + }, + "propertyStore": {}, + "tracker": { + "version": 0, + "machineId": "win-40r2agv20qa", + "droid": [ + "da667c4f-20d3-c44c-8d50-165dd98ebc01", + "fbd492f8-2061-df11-964c-ac3a656c3b1d" + ], + "droidBirth": [ + "da667c4f-20d3-c44c-8d50-165dd98ebc01", + "fbd492f8-2061-df11-964c-ac3a656c3b1d" + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.seven.16.lnk b/libbeat/formats/fixtures/lnk/native.seven.16.lnk new file mode 100644 index 0000000000000000000000000000000000000000..9fb4fb81ec5b2bd6fa9f5f2e6b08b9250ed17d7c GIT binary patch literal 370 zcmeZaU|?VrVFHp23zEuA6xWS?}|N`&be3=Ryc48aVQ48;s345a;qqytHiYBz>V zpsG}$X&^IwfxKj}d@)c>8qg*M26w2b#bEh-plm7*QG`mE?HWMOa569~kO9($!2!XK Yx+2{6_*gja{v$kDZAR`ngkKpL05f+%^8f$< literal 0 HcmV?d00001 
diff --git a/libbeat/formats/fixtures/lnk/native.seven.16.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.16.lnk.fingerprint new file mode 100644 index 000000000000..33ef897d405d --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.seven.16.lnk.fingerprint @@ -0,0 +1,32 @@ +{ + "header": { + "guid": "01140200-0000-0000-c000-000000000046", + "linkFlags": [ + "ForceNoLinkInfo", + "HasIconLocation", + "HasName", + "HasTargetIDList", + "IsUnicode" + ], + "fileFlags": [], + "iconIndex": 0, + "windowStyle": "SW_NORMAL" + }, + "targets": [ + { + "size": 20, + "typeId": 128, + "sha256": "b784138ea9c6c6076de1bfb17a04afc1bc18431cf6cf9ff707e6bfebfd428ed2" + }, + { + "size": 32, + "typeId": 0, + "sha256": "a4064e1cb728a90a91be50f60bfcd4e5c3a8ac6f44d2b911ee873580c591440f" + } + ], + "name": "@%SystemRoot%\\system32\\gameux.dll,-10311", + "iconLocation": "%ProgramFiles%\\Microsoft Games\\More Games\\MoreGames.dll", + "extra": { + "propertyStore": {} + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.seven.17.lnk b/libbeat/formats/fixtures/lnk/native.seven.17.lnk new file mode 100644 index 0000000000000000000000000000000000000000..b26d0e7ac90c7453c31cc7e86713456e0a62b33b GIT binary patch literal 1262 zcmeZaU|?VrVFHp23YJfU0tU5X9GGNCC5T7<7R= zBL-6jGoZLRP+SkFmQ*sFA(J5wXktD?InZX1UFf#wfnAo$P{5D~RHp}YNd*v#0^RDt z;LqU8;L6|vbiXG<7?7okBpSfr$PfZlqskx)#N|+XG8u}1JZ!$iZjS~q)HoR!7RUf; z!{C76M_mzadweXMcmENdtTrR}94t^pn1S&FRHs^=nU|7Tq#9FPSzMBuYitygmtT@v zkeH&ET9FDTh7y&`n7;&N3}9EX*=9WLUPDJ4D)^ j#eciooT%>yD$@Cn&w6BDa8Ix?mqAAPQFIw0d62OHHS&CY literal 0 HcmV?d00001 diff --git a/libbeat/formats/fixtures/lnk/native.seven.18.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.18.lnk.fingerprint new file mode 100644 index 000000000000..14957c761962 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.seven.18.lnk.fingerprint 
@@ -0,0 +1,47 @@ +{ + "header": { + "guid": "01140200-0000-0000-c000-000000000046", + "linkFlags": [ + "ForceNoLinkInfo", + "HasExpString", + "HasIconLocation", + "HasName", + "HasRelativePath", + "HasWorkingDir", + "IsUnicode", + "PreferEnvironmentPath" + ], + "fileFlags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creationTime": "2009-07-13T23:41:04Z", + "accessedTime": "2009-07-13T23:41:04Z", + "modifiedTime": "2009-07-14T01:14:27Z", + "fileSize": 179712, + "iconIndex": 0, + "windowStyle": "SW_NORMAL" + }, + "name": "@%SystemRoot%\\system32\\Shell32.dll,-22563", + "relativePath": "..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\notepad.exe", + "workingDirectory": "%HOMEDRIVE%%HOMEPATH%", + "iconLocation": "%windir%\\system32\\notepad.exe", + "extra": { + "environment": { + "ansi": "%windir%\\system32\\notepad.exe", + "unicode": "%windir%\\system32\\notepad.exe" + }, + "propertyStore": {}, + "tracker": { + "version": 0, + "machineId": "win-dc3j5p1qj61", + "droid": [ + "a6b30b54-1b3f-044f-b746-9c5af7c07867", + "0fc79ae2-3770-de11-816d-001c23e25b76" + ], + "droidBirth": [ + "a6b30b54-1b3f-044f-b746-9c5af7c07867", + "0fc79ae2-3770-de11-816d-001c23e25b76" + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.seven.19.lnk b/libbeat/formats/fixtures/lnk/native.seven.19.lnk new file mode 100644 index 0000000000000000000000000000000000000000..2c6f5789b2582a7548c052500eda905b76803143 GIT binary patch literal 1250 zcmeZaU|?VrVFHp23d9m% z!r^XIJsLp&b22b2kO9($!2!XKx+2{6_*gja{v$kDZAR`nSn!B214A09PPIHUFD0`` zHKw?-xFj{#*eE8yI9o5ZA{C}^1kj|1@(2i&5$MGPpr3)+VnGDd@4&2~o04ptWm;fZ um}O?juxvATh_pS6|8}=IQQr?#q_Z5K^~k*7o?v4xgN*W{=rTg`AY%boFL%!X literal 0 HcmV?d00001 diff --git a/libbeat/formats/fixtures/lnk/native.seven.19.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.19.lnk.fingerprint new file mode 100644 index 000000000000..870eb5b8a655 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.seven.19.lnk.fingerprint 
@@ -0,0 +1,45 @@ +{ + "header": { + "guid": "01140200-0000-0000-c000-000000000046", + "linkFlags": [ + "ForceNoLinkInfo", + "HasExpString", + "HasIconLocation", + "HasName", + "HasRelativePath", + "IsUnicode", + "PreferEnvironmentPath" + ], + "fileFlags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creationTime": "2009-07-14T00:14:01Z", + "accessedTime": "2009-07-14T00:14:01Z", + "modifiedTime": "2009-07-14T01:14:28Z", + "fileSize": 646144, + "iconIndex": 4294967295, + "windowStyle": "SW_NORMAL" + }, + "name": "@%SystemRoot%\\system32\\shell32.dll,-22564", + "relativePath": "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\osk.exe", + "iconLocation": "%windir%\\system32\\osk.exe", + "extra": { + "environment": { + "ansi": "%windir%\\system32\\osk.exe", + "unicode": "%windir%\\system32\\osk.exe" + }, + "propertyStore": {}, + "tracker": { + "version": 0, + "machineId": "win-dc3j5p1qj61", + "droid": [ + "a6b30b54-1b3f-044f-b746-9c5af7c07867", + "04c79ae2-3770-de11-816d-001c23e25b76" + ], + "droidBirth": [ + "a6b30b54-1b3f-044f-b746-9c5af7c07867", + "04c79ae2-3770-de11-816d-001c23e25b76" + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.seven.20.lnk b/libbeat/formats/fixtures/lnk/native.seven.20.lnk new file mode 100644 index 0000000000000000000000000000000000000000..5fffdf6123b355aecf5a38edc95a6eb0dbeb183d GIT binary patch literal 1242 zcmeZaU|?VrVFHp23x~wpb7W^*1nU=%yqa zXPFil7G{|lGA!H79U^Vd;=kQ(PSp1U73l)UXFW16xF^_{%OIotD7uW0Jjhr8o~LxT literal 0 HcmV?d00001 diff --git a/libbeat/formats/fixtures/lnk/native.seven.20.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.20.lnk.fingerprint new file mode 100644 index 000000000000..36a3fbf27c65 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.seven.20.lnk.fingerprint 
@@ -0,0 +1,45 @@ +{ + "header": { + "guid": "01140200-0000-0000-c000-000000000046", + "linkFlags": [ + "ForceNoLinkInfo", + "HasExpString", + "HasIconLocation", + "HasName", + "HasRelativePath", + "IsUnicode", + "PreferEnvironmentPath" + ], + "fileFlags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creationTime": "2009-07-13T23:43:12Z", + "accessedTime": "2009-07-13T23:43:12Z", + "modifiedTime": "2009-07-14T01:14:26Z", + "fileSize": 6376960, + "iconIndex": 0, + "windowStyle": "SW_NORMAL" + }, + "name": "@%SystemRoot%\\system32\\shell32.dll,-22566", + "relativePath": "..\\..\\..\\..\\..\\..\\Windows\\System32\\mspaint.exe", + "iconLocation": "%windir%\\system32\\mspaint.exe", + "extra": { + "environment": { + "ansi": "%windir%\\system32\\mspaint.exe", + "unicode": "%windir%\\system32\\mspaint.exe" + }, + "propertyStore": {}, + "tracker": { + "version": 0, + "machineId": "win-dc3j5p1qj61", + "droid": [ + "a6b30b54-1b3f-044f-b746-9c5af7c07867", + "10c79ae2-3770-de11-816d-001c23e25b76" + ], + "droidBirth": [ + "a6b30b54-1b3f-044f-b746-9c5af7c07867", + "10c79ae2-3770-de11-816d-001c23e25b76" + ] + } + } +} \ No newline at end of file 
diff --git a/libbeat/formats/fixtures/lnk/native.xp.01.lnk b/libbeat/formats/fixtures/lnk/native.xp.01.lnk new file mode 100644 index 0000000000000000000000000000000000000000..55dda6b4c5c9c6265367756580e7dd5e501ead17 GIT binary patch literal 1503 zcmcgsOK1~O6g^3&C5qLkqt;R|E+PSIOj?8zT(tB<3Q1F&U?|K&(*`UgewtWQoP`@j z#7(E@PAKjKyK~XmNU1IaMe7Ib!bKM%B4QSb+jwr0nIyIaLGcauo%`;b``&qX-kS&j zhw5YxESGx>l{oa!_pBstox1VV0ndEv$LqvvrP1(J;_V92Q31RE4i$$+*JG=mFQF;- z{WTYk1_JjE;&^{Zvq?4QB!cCE8eDX_ksKZwh$Z7Vf+i>^K9=a-AkL`dBr%K;3?N1? z&hdWqHst1JbNO_(y9@AblAXgWa>yf%EV@Aw+7K4xHd-jbgXxK>Y$i49PZ!eg+cR9T z*Pq4&rkI^UigWonQ-KDw(?)0=G%1GQF`Bd}Z8xonW)!=Y+(fVt)qQG~X03j4>hFb@ zYHNz8ae+^sQLP~^JJBG@QkW!vf}9MsO|s9RlRAPpLGv-@Cv#)pSkf6WQ^bDG(B%!bQFC^kmJQR>WJVhF5^5Eo+G;thZ&D!oR(l-l(86}1fzehL1kH4 z@da;uJf0Ygj>TdL?-nJMy8rhU4i%k`UYW|!E<@kL)nzQ_!_y-O+*~ykt<}&aHn-Ez zT`e8RHXFK+??d)Ye1h%dS~-$uHQ`zQ-&fO`$wE2Dn>B|c$?yyA3olLOL&;RyzRl?u zsk_7``rl_Ndy;HR*7n?{jQA5mlh3uhU2e%zjEO2j4b<{D4Zq6nu%*fi9fva zli(<09xkWM)sGNQ>F+luUUy$B_cF;_DgPVoADng3R{nd4Q*ClC)HkLQp?&WBQaz$sH;(JKxHZ3Bb3VGM~4 zAcYwW$qWSyRt)+;Sj*oP(B5yRu5=K2~Z^j zXfQZ1sG^t@1XPy~RH4ccgCcIsU<4FFwk4Fo6KGlrLkmIcySuQCyug%gH0=}1yTiQ*3<=s2n5W)>Pw6r?jT!=QA*iO5{$ zE20T1DHpY9=c2bLq};X0eh3j4L9R+NFvy6o@4T7uk8u%n9_OBW&OJZhIrqKS0>Gx* zxdM~cilzrto!r;{9J+pbc*+Ln&HVXml!=vq?=q!svpiF4DoEBP=r|bo)Hdz>;=SN_ zIFpC6ii&#&aJ1eVT=QDpokXRz*DIgqIndSYZ)of4z#-&7!{Q6E?x{q#PM;P5Q2L( zLu|EvKf+dg1U=}bM+gICpor`z7n5ZeB9D-TTFC|E9I~ue-)6G^Td;fch z$;UfsMI-N~op*GGJJ&jE0Cni3j|)1-zzL1HI;^W|4~Ju}Ek+=7+C-aQv`xqVLG^hT z?GtZIt!bB`b~B&oa-YuQB7u=?cIKy+od zaY8A2)x`ObN|rA|DS1^ThJo+IGX6Cgm)^P;l5vR>PRy9vH0`plhnHX6#xDynwa$0+^L)-3_&uuR NkB}?h1mzR5&|hJwGz0(u literal 0 HcmV?d00001 diff --git a/libbeat/formats/fixtures/lnk/native.xp.03.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.03.lnk.fingerprint new file mode 100644 index 000000000000..fd7f1f9325f9 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.xp.03.lnk.fingerprint 
@@ -0,0 +1,73 @@ +{ + "header": { + "guid": "01140200-0000-0000-c000-000000000046", + "linkFlags": [ + "HasExpString", + "HasLinkInfo", + "HasName", + "HasRelativePath", + "HasTargetIDList", + "HasWorkingDir", + "IsUnicode" + ], + "fileFlags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creationTime": "2004-08-20T01:03:39Z", + "accessedTime": "2004-08-19T12:00:00Z", + "modifiedTime": "2004-08-06T00:00:00Z", + "fileSize": 70656, + "iconIndex": 0, + "windowStyle": "SW_NORMAL" + }, + "targets": [ + { + "size": 20, + "typeId": 80, + "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" + }, + { + "size": 25, + "typeId": 67, + "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" + }, + { + "size": 60, + "typeId": 0, + "sha256": "0e62cf1b75299134613af72b61479a233bf7d8a3309c7e4b4e4713eb3c4e2ed2" + }, + { + "size": 64, + "typeId": 0, + "sha256": "63c6a5e26cd51f340f4c3ffe91812bb812aad7752db664b5033c17e5fa623962" + }, + { + "size": 72, + "typeId": 0, + "sha256": "baf549441aaaef3984b378f7971bb0b4fcf7278c9c03c8e04289dcf3ef06bdd1" + } + ], + "location": { + "flags": [ + "VolumeIDAndLocalBasePath" + ], + "volume": { + "driveType": "DRIVE_FIXED", + "driveSerialNumber": "0xb832ef92" + }, + "localBasePath": "C:\\WINDOWS\\system32\\notepad.exe" + }, + "name": "@%SystemRoot%\\system32\\shell32.dll,-22563", + "relativePath": "..\\..\\..\\..\\..\\WINDOWS\\system32\\notepad.exe", + "workingDirectory": "%HOMEDRIVE%%HOMEPATH%", + "extra": { + "environment": { + "ansi": "%SystemRoot%\\system32\\notepad.exe", + "unicode": "%SystemRoot%\\system32\\notepad.exe" + }, + "specialFolder": { + "id": 37, + "offset": 169 + } + } +} \ No newline at end of file 
diff --git a/libbeat/formats/fixtures/lnk/native.xp.04.lnk b/libbeat/formats/fixtures/lnk/native.xp.04.lnk new file mode 100644 index 0000000000000000000000000000000000000000..3d595ec483d83efcf7459781361e04936aa21fd3 GIT binary patch literal 780 zcmah{O-mb56g@GG6uOBuT3ZSZNCZ*Sj8PdyMbX3$v@;~J*fK4h;Hc3FBa>*-F1pi= zt1P=HN`Hfh3l$f-7wke1QBYfG7ySpN=Ot;Bg7_Zip7-wDcjmq`GY-Jzt6&873lWiZ zvP5j0Uuxf14qQ0-T$>fFRK7X=NZu?Kx{6eeZkG@B+J$-~{p?P9zn(lqb1?YjDP9bA z>*b=G#TewmCa*kGtDr^I;po68rrO}f1N`2rmSaX<`7z>Sl?DekW*H5n*jxljSTK?1 zvpT#iDXl46mKW+|d|Xw9QfFDIGLcuVB0@>U5;8n%b1qORj2srJE3}GgJ?ubS(IaC@ zLe@wG%$$kFTUw80YzwU{yGbCxvpE8&CEgOx31N=l5Fv(e;0fU-j(2vwUUKYpEFPW! z?a>^2)-h62Bx#vxU0uppw!I*QbBm6dPV4`AKok1mM+_g>YKE^&AzHXdhFP7tn|z3u z5SckvS)5`Yz;t2Vf>!R@&_Q&eo%sN3?}~R@uis;){+~fL>~e%>CTRK)J0Ha>uKc&M z8U_$&jUVreR&7j?#W1Yapxn+6QyTMqs}1OF7}`Aa{BdS}y}Mp+&VPG!R<(18`ktoH R`hCxZ{T}|}jpS@e^Dp)cm$m=^ literal 0 HcmV?d00001 diff --git a/libbeat/formats/fixtures/lnk/native.xp.04.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.04.lnk.fingerprint new file mode 100644 index 000000000000..86549de34c3d --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.xp.04.lnk.fingerprint 
@@ -0,0 +1,81 @@ +{ + "header": { + "guid": "01140200-0000-0000-c000-000000000046", + "linkFlags": [ + "HasLinkInfo", + "HasName", + "HasRelativePath", + "HasTargetIDList", + "HasWorkingDir", + "IsUnicode" + ], + "fileFlags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creationTime": "2004-08-19T12:16:11Z", + "accessedTime": "2004-08-18T23:00:00Z", + "modifiedTime": "2004-08-05T11:00:00Z", + "fileSize": 46080, + "iconIndex": 0, + "windowStyle": "SW_NORMAL" + }, + "targets": [ + { + "size": 20, + "typeId": 80, + "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" + }, + { + "size": 25, + "typeId": 67, + "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" + }, + { + "size": 74, + "typeId": 0, + "sha256": "668767e84ba993ed4e6eb5d04e5f85aec0edd67bb145dbe3dc68844ae3897194" + }, + { + "size": 78, + "typeId": 0, + "sha256": "82632d0a1514981d68a6b96a0a5f263554234138682b4f9f82eec4562bc41939" + }, + { + "size": 60, + "typeId": 0, + "sha256": "dd4bb56f6dba3b57a1a3fa7b78b1588af84f1634945b53e3461494ff834c888b" + } + ], + "location": { + "flags": [ + "VolumeIDAndLocalBasePath" + ], + "volume": { + "driveType": "DRIVE_FIXED", + "driveSerialNumber": "0x10bdbcd3", + "volumeLabel": "SYSTEM" + }, + "localBasePath": "C:\\Program Files\\Outlook Express\\wab.exe" + }, + "name": "@%SystemRoot%\\system32\\shell32.dll,-22529", + "relativePath": "..\\..\\..\\..\\..\\Program Files\\Outlook Express\\wab.exe", + "workingDirectory": "%HOMEDRIVE%%HOMEPATH%", + "extra": { + "specialFolder": { + "id": 38, + "offset": 119 + }, + "tracker": { + "version": 0, + "machineId": "al-0142", + "droid": [ + "6a3e8623-003d-2344-b4c5-05fe7266eb5e", + "e5762b91-d40b-dd11-bcc5-001f3c29339f" + ], + "droidBirth": [ + "6a3e8623-003d-2344-b4c5-05fe7266eb5e", + "e5762b91-d40b-dd11-bcc5-001f3c29339f" + ] + } + } +} \ No newline at end of file 
diff --git a/libbeat/formats/fixtures/lnk/native.xp.05.lnk b/libbeat/formats/fixtures/lnk/native.xp.05.lnk new file mode 100644 index 0000000000000000000000000000000000000000..d1c799b60f382f2772d57f1520b9c41c0e3791d6 GIT binary patch literal 1405 zcmbtUO-NKx6#iy>mIcySud)!Dg%kbQXq41>~zCL*z2 zz9O2Sl5$atb}o90Ldso>rXNDYg$p4lX@XkVBJ4YF=8aAaL3AGHo_o*x&OP5b_ubb4 zz@a-i0#nwA)(2d=IiC;e*H4X1JK(-qx^Rs)u^ec-MC&iIkd6#KH-3VS9fA4Il>4*q zg6rW-3HDZ3-`j@$O}Q*C`W@>ma&Eu+=xW`yy2nns@(Bh z?g(T1;AQj>RdNF-s1;OcfY^Ohk#=esRoY{uYoEDj!Q!*Eg>0T7J0W(n5)W%yVHiY& zPmJCWGq3oCxp>Z#ML!=|d(msntH_|1&q37V0QS)DCHC)QeoqVK%CCGg8MW~QPNIb; z5oE1rIP)79onJ15_mTI&Ww zZRB3EmXmZJ5(|u`Of6JusFrnx@>9z{np!2C=y+>t0=Us=Cf{Y!76uoQ@oqSFP+1 zrIPzBaZm64WPFnL=c9yLs;aQ=jc~L%ixsigi|!emx(XQxb(SaF&URQ(Zr0YrRbM=6MVdH`8NtMwT^eh9ZNf_Y2{x~EO&zT3034b DCP)UnD~!8*m| zQALCh4ZaP+>o7gDUPMXQ#j@~=8k+nvW)4~D5ZJ;7+3M`czGN&= zgNo#tGKLqSR-T#iz;w9I6q>syl}4d|BhTh26J?2f$y{Q%EoP0nPXiS(5EuMZn8gs?NEo@MGK_Sfkw{wR zEux8vs1|Kn*DMMt7eR}rB6>nCT=bA!xG5^^`)B5w6XT*y|K&UXWB&8M=A6?BKr@QC z0+X2)ZSSf2C^t2D#}157Y4Dv}IenTuF&}I{L7rX(jlT;P(;XPt82r$k_I+;b_gsHf zimf#@S1Pf+r7^tNFDLIoZALO`ZA z)YqaDb&xWaF@z6Rd@yPcSwp53w}6_32=+n*3vmo03L8VP2$O4^0K7z7j!Q$LZzF_S zi3*~aaAxc7ddR_Ma8enlYgj`&=eM6d1z1-H4pH(ivIfzNgY@yEl31#X zrRHdGM4a9=e`s`g#2Vf{B^R#Goi|#rgW+09r^mN6KatDlhYTKz0XmHiGQCS@aQ%3F_**@S-6SP?7iff zGsQrXljs^(Q0{w?^{sxM<y{M-vionwbnDX)QY{1nkPw}w+0;Lp}%C2IBtG- z1`LrU_U(%93`AE&+CnW4+c+PR+;j6wGA475%p_y7PaywGns$*}(8ybvfBS%xewn%Y Wo_s2c|CmtnT9oikRFU@+Lcak^ZW^3mn%A=C6=Om%W|~r17MpB}p>-BJ9}V{nR$?`0Vbr-J8kB zo{EY)+fiQU_GOe-4u?@`GWNxRpds;0q?;?zWv5Ojn$U`RwDHtI zek+cxvJDM~!u~*Y6|gIdbqK=c^v zvc{E++Y#gnQ|eLkp4+pqh=JNezU)|$uv9fnz3p4X@ zGA(G}gxWc&lRP?c2vtE*+gx~CK{N0Be2a>bG4o#go-psOC*Nfhxjm(or5KePKTGuKx*Lm3lK!|KRZC?h=8KXX(>V(jNb?Kt4eiCYn-P({ zBAr`K_I9*hSLxbj8zhDWihe{-K;x$~I%{b5RIlv(Z51=N{AmQGt~m8i7hY1Lca}6A z^U&?68t2^vQQ|GeF01GW@Qt}le2GP*wyuR(MC=5kGln)zxt#0Z=8IkZ&HzJeen-8d S32OzZ{3UYbO^`k$3j6}Q$v7kc literal 0 HcmV?d00001 
diff --git a/libbeat/formats/fixtures/lnk/native.xp.08.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.08.lnk.fingerprint new file mode 100644 index 000000000000..f6bd45af1354 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.xp.08.lnk.fingerprint 
@@ -0,0 +1,75 @@ +{ + "header": { + "guid": "01140200-0000-0000-c000-000000000046", + "linkFlags": [ + "HasArguments", + "HasExpString", + "HasLinkInfo", + "HasName", + "HasRelativePath", + "HasTargetIDList", + "HasWorkingDir", + "IsUnicode" + ], + "fileFlags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creationTime": "2004-08-20T01:03:51Z", + "accessedTime": "2004-08-19T12:00:00Z", + "modifiedTime": "2004-08-06T00:00:00Z", + "fileSize": 50176, + "iconIndex": 0, + "windowStyle": "SW_NORMAL" + }, + "targets": [ + { + "size": 20, + "typeId": 80, + "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" + }, + { + "size": 25, + "typeId": 67, + "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" + }, + { + "size": 60, + "typeId": 0, + "sha256": "0e62cf1b75299134613af72b61479a233bf7d8a3309c7e4b4e4713eb3c4e2ed2" + }, + { + "size": 64, + "typeId": 0, + "sha256": "63c6a5e26cd51f340f4c3ffe91812bb812aad7752db664b5033c17e5fa623962" + }, + { + "size": 72, + "typeId": 0, + "sha256": "adb9a32cd72cf4ca2a425e05f93f0eff96af06eddd6378f1b18ee5ec377a9ae7" + } + ], + "location": { + "flags": [ + "VolumeIDAndLocalBasePath" + ], + "volume": { + "driveType": "DRIVE_FIXED", + "driveSerialNumber": "0xb832ef92" + }, + "localBasePath": "C:\\WINDOWS\\system32\\utilman.exe" + }, + "name": "@%SystemRoot%\\system32\\shell32.dll,-22577", + "relativePath": "..\\..\\..\\..\\..\\..\\WINDOWS\\system32\\utilman.exe", + "workingDirectory": "%HOMEDRIVE%%HOMEPATH%", + "commandLine": "/start", + "extra": { + "environment": { + "ansi": "%SystemRoot%\\system32\\utilman.exe", + "unicode": "%SystemRoot%\\system32\\utilman.exe" + }, + "specialFolder": { + "id": 37, + "offset": 169 + } + } +} \ No newline at end of file 
diff --git a/libbeat/formats/fixtures/lnk/native.xp.09.lnk b/libbeat/formats/fixtures/lnk/native.xp.09.lnk new file mode 100644 index 0000000000000000000000000000000000000000..85ea0135ec56e2c619b67a7bb4b3b988879d73b3 GIT binary patch literal 773 zcmah`!DRDQIDUORZI&usYiBOSDHkysSY)hViQ@98 zAwq~2-_FA8Grh9jL`m4ivha$MDYws*c+j+LYEhizRfH={-z#=&7#DNLz7THM7{o3yB+ z%Dp07#sqsNl^fj4Vn2)Ei1>e(18z9TH#u{(3ulnQ9G#ix`z-yjafemrK-a}I%ACnS zdXNBm7nz?D_X+yb^O@zTL=%R2jen7>E;zvL4{pgH$KcD(Gyt;w( M^|8s7LGP00FWoegz5oCK literal 0 HcmV?d00001 diff --git a/libbeat/formats/fixtures/lnk/native.xp.09.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.09.lnk.fingerprint new file mode 100644 index 000000000000..f2c24e1a69f7 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.xp.09.lnk.fingerprint 
@@ -0,0 +1,81 @@ +{ + "header": { + "guid": "01140200-0000-0000-c000-000000000046", + "linkFlags": [ + "HasLinkInfo", + "HasName", + "HasRelativePath", + "HasTargetIDList", + "HasWorkingDir", + "IsUnicode" + ], + "fileFlags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creationTime": "2004-08-19T12:16:09Z", + "accessedTime": "2008-04-17T09:55:10Z", + "modifiedTime": "2004-08-05T11:00:00Z", + "fileSize": 93184, + "iconIndex": 0, + "windowStyle": "SW_NORMAL" + }, + "targets": [ + { + "size": 20, + "typeId": 80, + "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" + }, + { + "size": 25, + "typeId": 67, + "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" + }, + { + "size": 74, + "typeId": 0, + "sha256": "668767e84ba993ed4e6eb5d04e5f85aec0edd67bb145dbe3dc68844ae3897194" + }, + { + "size": 82, + "typeId": 0, + "sha256": "e265b8b434f903cfa0bba803a9f347f6fe5d34ab6582180db809602f2ae45659" + }, + { + "size": 76, + "typeId": 0, + "sha256": "967d629eca0380265ede8765c9b8220a284a147df471c55ebd0aebd9a63a7933" + } + ], + "location": { + "flags": [ + "VolumeIDAndLocalBasePath" + ], + "volume": { + "driveType": "DRIVE_FIXED", + "driveSerialNumber": "0x10bdbcd3", + "volumeLabel": "SYSTEM" + }, + "localBasePath": "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE" + }, + "name": "@xpsp1res.dll,-11002", + "relativePath": "..\\..\\..\\..\\Program Files\\Internet Explorer\\IEXPLORE.EXE", + "workingDirectory": "%HOMEDRIVE%%HOMEPATH%", + "extra": { + "specialFolder": { + "id": 38, + "offset": 119 + }, + "tracker": { + "version": 0, + "machineId": "al-0142", + "droid": [ + "6a3e8623-003d-2344-b4c5-05fe7266eb5e", + "e2762b91-d40b-dd11-bcc5-001f3c29339f" + ], + "droidBirth": [ + "6a3e8623-003d-2344-b4c5-05fe7266eb5e", + "e2762b91-d40b-dd11-bcc5-001f3c29339f" + ] + } + } +} \ No newline at end of file 
diff --git a/libbeat/formats/fixtures/lnk/native.xp.10.lnk b/libbeat/formats/fixtures/lnk/native.xp.10.lnk new file mode 100644 index 0000000000000000000000000000000000000000..2423305b7bc2ffce35b7fe5fc54c8e37e33351d9 GIT binary patch literal 1459 zcmbtUUr1A76#s2r%>rrGtt_ne;QB+hbe7bxNc@9_=~Bs;JxIDraLm{kN*}a{#K*iw zw4jhOsE6Ks=spxtzV(nK`XmF z&7Esi)Q4)c6XU{m>fd*hSx4vCIMGp8TjFuHhC&fnmXXO!v&io+V;0DNh8nyJ_VHJy zR=?g*8+exZ^8B5L#R5ZjL!v@831Sg{L)ft*GH9a*eoxibdtSx^YQR!=f__KwVmEbPWS~ZW{im6fF8>33S z#rPE!8w9?Q%h;EAROZ|{ACF3&Xl&ZlCK;D~4ZQqHGrvZ_)Y_+r^L&)Y1o?yH$~Qs# HPy&=+V(B*T literal 0 HcmV?d00001 diff --git a/libbeat/formats/fixtures/lnk/native.xp.10.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.10.lnk.fingerprint new file mode 100644 index 000000000000..1609cbb1993d --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.xp.10.lnk.fingerprint 
@@ -0,0 +1,75 @@ +{ + "header": { + "guid": "01140200-0000-0000-c000-000000000046", + "linkFlags": [ + "HasExpString", + "HasIconLocation", + "HasLinkInfo", + "HasName", + "HasRelativePath", + "HasTargetIDList", + "HasWorkingDir", + "IsUnicode" + ], + "fileFlags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creationTime": "2004-08-20T01:03:16Z", + "accessedTime": "2004-08-19T12:00:00Z", + "modifiedTime": "2004-08-06T00:00:00Z", + "fileSize": 400896, + "iconIndex": 0, + "windowStyle": "SW_NORMAL" + }, + "targets": [ + { + "size": 20, + "typeId": 80, + "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" + }, + { + "size": 25, + "typeId": 67, + "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" + }, + { + "size": 60, + "typeId": 0, + "sha256": "0e62cf1b75299134613af72b61479a233bf7d8a3309c7e4b4e4713eb3c4e2ed2" + }, + { + "size": 64, + "typeId": 0, + "sha256": "63c6a5e26cd51f340f4c3ffe91812bb812aad7752db664b5033c17e5fa623962" + }, + { + "size": 60, + "typeId": 0, + "sha256": "b5da25626a62a350171bc2bd09e68745c1d1eebb5e838cfc8390afe965656eaf" + } + ], + "location": { + "flags": [ + "VolumeIDAndLocalBasePath" + ], + "volume": { + "driveType": "DRIVE_FIXED", + "driveSerialNumber": "0xb832ef92" + }, + "localBasePath": "C:\\WINDOWS\\system32\\cmd.exe" + }, + "name": "@%SystemRoot%\\system32\\shell32.dll,-22534", + "relativePath": "..\\..\\..\\..\\..\\WINDOWS\\system32\\cmd.exe", + "workingDirectory": "%HOMEDRIVE%%HOMEPATH%", + "iconLocation": "%SystemRoot%\\system32\\cmd.exe", + "extra": { + "environment": { + "ansi": "%SystemRoot%\\system32\\cmd.exe", + "unicode": "%SystemRoot%\\system32\\cmd.exe" + }, + "specialFolder": { + "id": 37, + "offset": 169 + } + } +} \ No newline at end of file 
diff --git a/libbeat/formats/fixtures/lnk/native.xp.11.lnk b/libbeat/formats/fixtures/lnk/native.xp.11.lnk new file mode 100644 index 0000000000000000000000000000000000000000..c2e11a2dfcfb3de0e829c87a37f54bd762d7e74b GIT binary patch literal 798 zcma)3O=}ZT6g^{%6uL<gZOG-k*MNo5d6Gl>&2O_@}ubp;8M_qPzr)Yp@RMbi|0LKY^g=xaPGZx-(7=t=P)Ck>?-!Fp^9@ zJ%+^Pto7$quey$us@wWtVE{(4aJ6`Gk*zdBIEe4B4yR1Jt$(=|kGt<~TmPX{2GlmYgCkC+c>*|2)Vf*PCf_rJ zTvg%-5hC6#uS6ou=Cpb9N**-M@S8Q?_C(HYI4!H>&QzK~OXQu3YYRi^v33iKaqMB3 z9HWIf{@g>6!!}tD!&1XnnIF&upSv|BIgQ^^M=?e-$N8LLFV2&DmIcySuQHLEg%d?K`9o1dS>g{P=s2k~n^|Z$n$S4P41>~zCMt26 zuZSk7q+HaZor~V0ka8E1{SYE9TDU67z!tU$`_7vg|CorNb2;~%d)~R{eCOPIUn2mU zZs!b4STpJ$aOo8NjqTdmp-CH@H}mJNQzn-E-b<8wZI)+hwp43cgpPgw&&^ZLFPK!@>)(?kGpQPM-i8;6p8% zskL&w3uo5tjSfa*p>Smda3IU>C&|^PD?K(iVBXS9F?@n2>xYW-{Wk#vUg!8 zk$HJCO{n7uweY0QQFE=a`caKG`naI88SK-jtJONNmPjP#`a>h6TN`NOb=&ayKP))*sO^j=YdKZtago6Al&J;t4OO?rP(E_uCsQkd9gXiyO&o4i8w&nkmvbE> zYLane&n@mL{5GQc=sz)cM@6a(b)Nh$r<}d>5*?^Qo`sD#YpPNv>&~T(*h-t@V+zY0 zaf-_^uKRKgwM^RloCabP`+OQJPNlvH&c|Uxb#k9%kvOwy-%Jl=pGB-&jMCB}5$PsYb7e?Cg6rP5;S4GG2!W|2af_524@d%62|Tx_o?XO~mG z9j-N0rnZ?n$zg+H9Pty8TR LDY59NqjJZj*~`iW+CcCLE~5>gF`y-1G_oCzR zbOFjMD$I{si7HFctDYA)(9z_tZ|!KuKIB2e!Yi@vs6wYspAIy^k9xFn z)lPjEPOpiL#-shAaJ2{6pCdYoIHKrB2w_x%PAG;?B-_|T2u_3}UD0@Nw>vZtf;*ex zO16F&5p*#}9KGnKM+gICpoHuvmy%@|A`g;L=&Ij&r*tO3;GEPY(iIR;K>)YWbsRa+#|@7iDlGN*O4{zF^0{U21H zcfmgX&eR&W8EQN8i7w~qJT4L#nliOup`jYK7|KsB{%mSxu%r3CsfokwT0S3Hzkvy|$-^>go&LZ|L@|WzVXCS(= z+c=>Vy=mlpNM+2k#GLMj$=EpM?JKwEK(?=&wn(v*Sqh<#P*hQb~!cM zp?X7QdYfsG8a62A5kDb~pU%*Xsp;ui>HI~Nu(teFgr%=Z`kybluEg&$Wv1qdk%SuM z-WXZxEhcZM#31mKSjN65W71pad@?3+!ii~9o1$ITb@1}Wt-V=*sWpF~pXX~{C8hik M^5srYJ|heL1xn8|djJ3c literal 0 HcmV?d00001 diff --git a/libbeat/formats/fixtures/lnk/native.xp.13.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.13.lnk.fingerprint new file mode 100644 index 000000000000..2ea8be64b47f --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.xp.13.lnk.fingerprint 
@@ -0,0 +1,73 @@ +{ + "header": { + "guid": "01140200-0000-0000-c000-000000000046", + "linkFlags": [ + "HasExpString", + "HasLinkInfo", + "HasName", + "HasRelativePath", + "HasTargetIDList", + "HasWorkingDir", + "IsUnicode" + ], + "fileFlags": [ + "FILE_ATTRIBUTE_ARCHIVE" + ], + "creationTime": "2004-08-20T01:03:34Z", + "accessedTime": "2004-08-19T12:00:00Z", + "modifiedTime": "2004-08-06T00:00:00Z", + "fileSize": 144384, + "iconIndex": 0, + "windowStyle": "SW_NORMAL" + }, + "targets": [ + { + "size": 20, + "typeId": 80, + "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" + }, + { + "size": 25, + "typeId": 67, + "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" + }, + { + "size": 60, + "typeId": 0, + "sha256": "0e62cf1b75299134613af72b61479a233bf7d8a3309c7e4b4e4713eb3c4e2ed2" + }, + { + "size": 64, + "typeId": 0, + "sha256": "63c6a5e26cd51f340f4c3ffe91812bb812aad7752db664b5033c17e5fa623962" + }, + { + "size": 72, + "typeId": 0, + "sha256": "25f56f104046bbef2b0f7e19c82c5449eb38631861f3f7482d9fb647781342b2" + } + ], + "location": { + "flags": [ + "VolumeIDAndLocalBasePath" + ], + "volume": { + "driveType": "DRIVE_FIXED", + "driveSerialNumber": "0xb832ef92" + }, + "localBasePath": "C:\\WINDOWS\\system32\\mobsync.exe" + }, + "name": "@%SystemRoot%\\system32\\shell32.dll,-22574", + "relativePath": "..\\..\\..\\..\\..\\WINDOWS\\system32\\mobsync.exe", + "workingDirectory": "%HOMEDRIVE%%HOMEPATH%", + "extra": { + "environment": { + "ansi": "%SystemRoot%\\system32\\mobsync.exe", + "unicode": "%SystemRoot%\\system32\\mobsync.exe" + }, + "specialFolder": { + "id": 37, + "offset": 169 + } + } +} \ No newline at end of file 
diff --git a/libbeat/formats/fixtures/lnk/native.xp.14.lnk b/libbeat/formats/fixtures/lnk/native.xp.14.lnk new file mode 100644 index 0000000000000000000000000000000000000000..f6bb31d9e747c8b45680b12e56a2f2b9630bcf77 GIT binary patch literal 1431 zcmb_cO-NKx6#iy>mIcyOQ&|Yj!l@veoDrgiiu@T-n4D?Gvc+3yWZ*)^oadl)sfkEj z<}0F!exzI!(auG0QAoLKk^K-NE`nT@WKauTgnj2Z<1~?rz%!hC?m74TeCOOZHw?hx zc5(&A>=h07sd{ApaCxBqF03$0Df^^w*%cA*Fw=3a<(vmb44`m~}6&8SC& zyEyf&I93pw>`xjUUDW|#&p)D*=tmL;I?#n`&UvVv*@c&iVLQIY9 z^f*GiqZse%6nEY~tWngUg+5-mIS9^Z*c-R6ES5+Z-W7)+vnrs!Ke&R!RZ$v)bI#E> zme#PrRGXMlbh%N_L6N}Vgr(`FrV6byRWrHlqoq~AiSS!X6NhUxrb6`BrDE5R8fPAf zxxtvSZ$qk^{$n$@RN|Y5PeA$L=+4L3?jIl;zvj#eu8K;eu0NV2pBlUGg&T&n+s$wo!Tjg*eKd5 zV&h*B5wXz1PO!1l!pb7~2jc8Sl!%S9ycu?QGrRB21MmdAl!03}V|tIOpRjsw%qMp4 zJYa{7Z`)L{yzJg9JW!)5yq*Bs7he}1+53pqbpBk2?r``diVzyAcus3-<@n`kcHeC2 zyDoKJ&9wSbg|UnH?tSv;V?A72Ld4|q@2~&bk3U#> znouuh(DCb4M%y6r;9mmJCYf8h9$V;Shgwk zm=G)}c|raVbd5`9D9uHbC`MiKF-g$pU+~ literal 0 HcmV?d00001 diff --git a/libbeat/formats/fixtures/lnk/native.xp.15.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.15.lnk.fingerprint new file mode 100644 index 000000000000..3749310bf10e --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.xp.15.lnk.fingerprint 
@@ -0,0 +1,59 @@ +{ + "header": { + "guid": "01140200-0000-0000-c000-000000000046", + "linkFlags": [ + "HasLinkInfo", + "HasRelativePath", + "HasTargetIDList", + "IsUnicode" + ], + "fileFlags": [ + "FILE_ATTRIBUTE_DIRECTORY", + "FILE_ATTRIBUTE_READONLY" + ], + "creationTime": "2004-08-20T01:16:19Z", + "accessedTime": "2004-08-19T12:00:00Z", + "modifiedTime": "2004-08-20T01:16:48Z", + "iconIndex": 0, + "windowStyle": "SW_NORMAL" + }, + "targets": [ + { + "size": 20, + "typeId": 80, + "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" + }, + { + "size": 50, + "typeId": 0, + "sha256": "47cb092c959a4aa13007f154fa8992a26a9065f11ed30de3d43f12832b9ab0c5" + }, + { + "size": 88, + "typeId": 0, + "sha256": "73a8aaeff232a15bb75df27b252781136149be3d9a8f278a3835ecba83fd4c32" + }, + { + "size": 98, + "typeId": 0, + "sha256": "3db7f92e529c32261a025446f8d8563aca6c06b4ca84a75a0f27a4f18473b1f2" + } + ], + "location": { + "flags": [ + "VolumeIDAndLocalBasePath" + ], + "volume": { + "driveType": "DRIVE_FIXED", + "driveSerialNumber": "0xb832ef92" + }, + "localBasePath": "C:\\Documents and Settings\\All Users\\Documents\\Mes images\\\ufffdchantillons d'images" + }, + "relativePath": "..\\..\\..\\All Users\\Documents\\Mes images\\Échantillons d'images", + "extra": { + "specialFolder": { + "id": 54, + "offset": 158 + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.xp.16.lnk b/libbeat/formats/fixtures/lnk/native.xp.16.lnk new file mode 100644 index 0000000000000000000000000000000000000000..2b9848f5a961a50592cb196036bf9ccc2bbbd62f GIT binary patch literal 615 zcmb7AJxc>Y5PdN!8Wa)?7=qxI;z!5_0h1;MLsT#*gn+_D49RK^Hy4tB z#KylMB4VM1onT|9pp}L87UJyrMbO4s-aKx2GjsDM0XV!(l!0?QBfUZFA?y9h4{zHr5De~x5kNMp zLj@KjbkvAB^^V9g7a|f4l!O=@3J=F(QTVWc=;vIY%Y!QvQKoJKCUpvW>F@b2*T;PP zp{i1cq@5+&^m{X-4J(8mg7Qc45JANNSgNSH*I{Fm)lShGZrFRRXbF4 eP$dg2GLPFPsM=q4YX3Aroz(&yD6{v~i4^Zik%0aH literal 0 HcmV?d00001 
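Review bot: `localBasePath` in this expectation ends in `\ufffd` (U+FFFD) while `relativePath` on the next line carries `É`, so the fixture is blessing a lossy decode: LinkInfo's LocalBasePath is a system-code-page ANSI string, and the 0xC9 byte for É is not valid UTF-8, so it is being replaced rather than decoded. For a forensic artifact that is a real loss — the replacement character hides the original byte and makes distinct paths compare equal — so the parser (outside this hunk) should decode the ANSI fields with a fallback code page such as Windows-1252, or keep the raw bytes alongside the decoded string, and this expectation should then be regenerated. At minimum the test that loads these fixtures should carry a comment such as `// ANSI path fields are decoded as UTF-8; non-ASCII bytes currently become U+FFFD` so the behaviour is a known limitation rather than an accidental contract.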
diff --git a/libbeat/formats/fixtures/lnk/native.xp.16.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.16.lnk.fingerprint new file mode 100644 index 000000000000..fda0366e92bd --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.xp.16.lnk.fingerprint @@ -0,0 +1,59 @@ +{ + "header": { + "guid": "01140200-0000-0000-c000-000000000046", + "linkFlags": [ + "HasLinkInfo", + "HasRelativePath", + "HasTargetIDList", + "IsUnicode" + ], + "fileFlags": [ + "FILE_ATTRIBUTE_DIRECTORY", + "FILE_ATTRIBUTE_READONLY" + ], + "creationTime": "2004-08-20T01:16:19Z", + "accessedTime": "2004-08-19T12:00:00Z", + "modifiedTime": "2004-08-20T01:16:48Z", + "iconIndex": 0, + "windowStyle": "SW_NORMAL" + }, + "targets": [ + { + "size": 20, + "typeId": 80, + "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" + }, + { + "size": 50, + "typeId": 0, + "sha256": "47cb092c959a4aa13007f154fa8992a26a9065f11ed30de3d43f12832b9ab0c5" + }, + { + "size": 88, + "typeId": 0, + "sha256": "aa3e6bbc6482eea02a621eddc6590b882b924f3946353e933e1a070af3a37deb" + }, + { + "size": 102, + "typeId": 0, + "sha256": "95a8b825400274184ef8f90be08414a4df70159fab7ddfa90d25d19592ef0044" + } + ], + "location": { + "flags": [ + "VolumeIDAndLocalBasePath" + ], + "volume": { + "driveType": "DRIVE_FIXED", + "driveSerialNumber": "0xb832ef92" + }, + "localBasePath": "C:\\Documents and Settings\\All Users\\Documents\\Ma musique\\\ufffdchantillons de musique" + }, + "relativePath": "..\\..\\..\\All Users\\Documents\\Ma musique\\Échantillons de musique", + "extra": { + "specialFolder": { + "id": 53, + "offset": 158 + } + } +} \ No newline at end of file 
diff --git a/libbeat/formats/fixtures/lnk/native.xp.17.lnk b/libbeat/formats/fixtures/lnk/native.xp.17.lnk new file mode 100644 index 0000000000000000000000000000000000000000..1353087869e4b490e8a5d3d023faaf10cc3bab9c GIT binary patch literal 744 zcmah`O-mb56g^QRE!{*L+bV(s62Yo5Q?(3I#jivw>I_L*R0eBGN0~a~$c!Jsg*)B2 z%F=}>{ss{jTDquv!7hX%2$mMA;6D)0OG0#E@jcExZ{EA_%(?ds0q_Nj7=iEEh}afc zA||iev_Gpqd^p{Bu_Rb29sjjVzRD%~a#V;V{=jyTauiXsnoIXKAB(hnF=H7O_ zkaV{ggq;1zC{=11w7A+I?_S~78x*4i*WaGYiBv}UI}l`+1{V&d8B?%nE(Q}840t?y zg^|3{y0T{lpngaWsj5(VTTm+foKb$qgp!H{%=50pIYXr=(wL*J(8{Ux(19q?FJn}K z?V0v$*hm|AeNU}i#=cOqdBD0Wj0xf;QB0g190mg9#8@I3 z9R{1Exz4nkvZa`58J?~#%v+8#BSq75uHkw5of8Dnm9_2Bx|}y3#ut`lp%G2olM&%; zXd}d>B$0k{L>XWGO=tg93vKkW6GqXV3+TOVilE|xK`B~@v9?R`vTf6LC5a`8w1-y z9@K+}3Ox$Nf559J5u{WQy@?lZ;vrtdvmSi2*`%rF;4bs)`@Z+)d*93y01OPL*aL6k z91XHcsVZ?PN$#`OL7#EjTu07ShPkQMWpO52e zHv2q>Ih?8nk<@%w3tPgqBUBL}f`kSiF8dHI2+nL;fybD|vvM4%6}?&*h@dXDMX%um zO@Tv8$(79@Tt~SFt)U1HH8KWd3{a1ES){E2hwCP-=o?ew{*wNH*mcIFkb!}1!*|@; zvVT8l^w~Lu5lms*vTR?B*1g)A=Z0dUZ{SP3#izdlEhp0_cEJv%z3OV4cBnb6x*bVa z{B71sV3dlKzBTqPGZmPi&tb0rr)q&bA$8hVjVr$yuQf8X$gJuwW9_$aog;8Zza-Ky z8$#N?kINXuG5mO)AD{Af^yO1kT`gf)#pB5?iWNjlu)c<+|wojUD}N zAM`RR$(gBBI*UTW6zL=P(lBOBi}MMoMp9!$y^3ox z;mVKiZlzIjo5FLzx^)!ocA3;oQ1`?mqtY{W1ewcbZ-969UtA7Z{&Yg+qw08`t^Kw* z;iuNqY**NnUB$J(6fDaqR7Pjb>3K6>u1r`nnNHcQr2NYjz5`(y&W6|UgbZ!zMxoVK sV#R5#kZcgxTS{1uUdzPTGYoyWQ2h4$%gHAxoZkQS{%embp7!(q0h}@M*Z=?k literal 0 HcmV?d00001 diff --git a/libbeat/formats/fixtures/lnk/native.xp.20.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.20.lnk.fingerprint new file mode 100644 index 000000000000..eda954b7a879 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/native.xp.20.lnk.fingerprint 
@@ -0,0 +1,101 @@ +{ + "header": { + "guid": "01140200-0000-0000-c000-000000000046", + "linkFlags": [ + "HasLinkInfo", + "HasTargetIDList", + "IsUnicode" + ], + "fileFlags": [ + "FILE_ATTRIBUTE_DIRECTORY" + ], + "creationTime": "2007-02-05T14:52:40Z", + "accessedTime": "2008-04-17T09:12:06Z", + "modifiedTime": "2007-02-05T14:52:41Z", + "iconIndex": 0, + "windowStyle": "SW_NORMAL" + }, + "targets": [ + { + "size": 20, + "typeId": 88, + "sha256": "96abeb65d87512271bcabeac8b283506e78a94968b1d8658dd5cb31a1f40951f" + }, + { + "size": 50, + "typeId": 0, + "sha256": "620d29be08dff63afe598819f919717bb1357d90b06e5a00d5a0d09e91626505" + }, + { + "size": 136, + "typeId": 0, + "sha256": "3d18dc812ad70df870b6f8a81582461acf2352d59bca0bdad825e6f59495126a" + }, + { + "size": 36, + "typeId": 0, + "sha256": "2558b29fa32b5a5da3dd4eff2c00f06ad7444b0098073b148f556e1875482f03" + }, + { + "size": 41, + "typeId": 0, + "sha256": "cd62d04905339ebd75908eface1487a326def9797f4513a626b7f5e0cc2774d7" + }, + { + "size": 175, + "typeId": 0, + "sha256": "70a5ac77f6b59746aabfbef46c8645499c08b622fc79ec57ffa921f9d61afa87" + }, + { + "size": 60, + "typeId": 0, + "sha256": "19bcb8ecfc99b2b8152e9c7fd3b34335cd4b29cca0216f6482d9721c7930c227" + }, + { + "size": 74, + "typeId": 0, + "sha256": "eb5ff2514a899d457c5e2c11cb1bb0e9fb9248c289a170c384efff7ea1533050" + }, + { + "size": 76, + "typeId": 0, + "sha256": "79c0924b5e5a2e082f86f3672d03481a048fab6b0fb05463fef7a4586dce5ca2" + }, + { + "size": 58, + "typeId": 0, + "sha256": "53afcfc9c2e090649738cd4b5e044f9b611b66d5400ec23aac022358f1e47eee" + }, + { + "size": 52, + "typeId": 0, + "sha256": "432999e9d2645fdfb83af63aeae94aac516e643096fb2c865508794d7c9fb1c1" + } + ], + "location": { + "flags": [ + "CommonNetworkRelativeLinkAndPathSuffix" + ], + "commonPathSuffix": "Install\\Install_Softs\\Administrateur\\Newsid\\2003", + "networkShare": { + "flags": [ + "ValidNetType" + ], + "name": "\\\\ALS-FICHIERS7\\D$" + } + }, + "extra": { + "tracker": { + "version": 0, + 
"machineId": "als-fichiers7", + "droid": [ + "00000000-0000-0000-0000-000000000000", + "06cd1d4d-e5fc-dc11-8902-0015c5fbcbe3" + ], + "droidBirth": [ + "00000000-0000-0000-0000-000000000000", + "06cd1d4d-e5fc-dc11-8902-0015c5fbcbe3" + ] + } + } +} \ No newline at end of file 
diff --git a/libbeat/formats/fixtures/lnk/net_unicode.lnk b/libbeat/formats/fixtures/lnk/net_unicode.lnk new file mode 100644 index 0000000000000000000000000000000000000000..532e8b5219662edfd08f2937cb0c4f7e597ed702 GIT binary patch literal 1745 zcmeZaU|?VrVFHp23oACWAr-mv3V*oX^1E2~-a<)Fb+_9lJ{m-=bHmiY(mNM*KKiPUZBpet(R)DN7c7DpW z&v~tX>yykoZN@Y51cBn*AR|G<|NkHs0|UsD*kVW)C=QPyRv-r!%|Ip?z-+NvviII* z^JeFX&s}ER(ww>)WD7G$g)mqdGNI0JnDJ;#Oi5~SNlbA@Vo@rCZ)S2)esO+UiGp8h zNqK%zHYnjmF&Ke$z3|&s(7+HM=<4m_RA;6a5)s0{U-WLLyM6E_w^hP4o`l!q-j59@#!;hswX`X87r7DPb9 n0hB+HgCx*wQt{uXe*Y()xymnW$o+?91w?*a(OgH!_m4d2q^fc3}jEn3xPKYwQ$_V3gLDVrYLTMP4 z3}navF~l^8D2N{h#8yyo5FY}V7}TJwn3xdP;E))5dxjVw3}J9(2nLcd47N88-C^I?=UP(m>11DHX2}3GFF+&Mdi8s(4oD2*LRsxMP3=Rl3_^7)5y}Oja(vM6D zJ@a0#Q3Z;Foh%Pz02MO4GWcw;-oPVJ4`@UM5QBgy5c7i=4j^LI1{sjYL4rIWK8OMH zwI-0w0ulrn2a-Kzu-0Iw!3hHehLb?nQ-g;<<4+hsH1UBHIsh>&>_GfbAO<;fSyr-! z?bJ(xTdy%3@V_Z>!4fDg2T}ksSr~{x!GY@67_5#5>2U;NkfA;i4<2`HkMi2BP#@)T za?M?k@7X{KK!$?+fN3a576Mvh z>nB@JhxngC7bpU75&!>#SPTpx&tZ!lS)e#P zc36QNn1_K(Fo4-&wPf$T&F0O{6Q8@xxTQIDHOLlbkP1*pp@KMu!;DvBVoFkrOF*g0 zH#4~?zc@dwM8Pk$q&&YU8+#!5GGsC&GZZo81JhPMLmJQ_3JiY0lvct}4&)ax0JQ-D z6GI$>5!l5q{ALw2FvN#OxV!q)dFzElgfK8T0TUPt!~1<8xtD&Av-N;FjNK%`I#CI6 zJ6%T1gb2zWB0ygO<6!~Z12HIB0M(db&cjTsxO2cT4~h}(y#%1|f!Sg~1T+*tSsOV( hg3Uj6d0(0FQ8?{j+;xud0+tmJSyq^fc3}j0``Dj6pPv&jnG(zzC&bloya8 z1H=&1Afh0?Ef6b0#YG^(U|vj2h-+|2Ot6PzkSjxTSM%g%zX{LuN-9bico<@Uu!JF% zp%_TU0Lcu7M1~?DKOAT&Cj-NRl|T~=g9CyMKB{hi?=B^<^dnP3&%D=bRDt4P_sIhp zK!psi3_csIH}DA50~%BT#2_FF#QY$J1BjTlK?dYIkRT6;4`RT)s0n1VfCNFtfn<*v ztTotaaKb==;Utjt)Zih|_!9;YO?)7Q4nPbGC=fpqh(QirmX)kwJN1&_)@uw0{BKHJ z00oL1NCC)XF(Ag};~1=7U|{eB>H!(-6Y=12$Mz_%-3s+lE+^OA)dh;P0WsKMULcLj zV2~OZ@B;=b(0dC+7~~^(rF1?h?hA14*ifAQXWDz4)j&l{8FsIqY&{(k77QROKvow! 
zKjqrzyw<<n4;~9B^Kyhx6ks#v#e-Mj-!4inE#gr^i93E4wKn^UrflM%f*WQ z%rRK27U;skgdKf$^fAp?_8IeF^S)pdxtJdLBj$b9&WTZR0UGXWt}Q1w-P^vG!>nS2 zt9WgimK#>4&Sd7uAgtv88+EZ;t=7bjsJEyZJ%gGPg*1i?4rCk%TZ&Z+av$Q2^5LJp zWyGH^nSiQNF6jaEf}zrZTEX5M~z@$g;z`P|E6 PoGtx0`m~nH+`RlR!K1rB literal 0 HcmV?d00001 diff --git a/libbeat/formats/fixtures/lnk/remote.directory.xp.lnk.fingerprint b/libbeat/formats/fixtures/lnk/remote.directory.xp.lnk.fingerprint new file mode 100644 index 000000000000..4c18e950c22c --- /dev/null +++ b/libbeat/formats/fixtures/lnk/remote.directory.xp.lnk.fingerprint 
@@ -0,0 +1,81 @@
+{
+ "header": {
+ "guid": "01140200-0000-0000-c000-000000000046",
+ "linkFlags": [
+ "HasLinkInfo",
+ "HasTargetIDList",
+ "IsUnicode"
+ ],
+ "fileFlags": [
+ "FILE_ATTRIBUTE_DIRECTORY"
+ ],
+ "creationTime": "2009-10-08T13:48:55Z",
+ "accessedTime": "2010-07-09T13:52:31Z",
+ "modifiedTime": "2010-07-08T12:36:01Z",
+ "iconIndex": 0,
+ "windowStyle": "SW_NORMAL"
+ },
+ "targets": [
+ {
+ "size": 20,
+ "typeId": 88,
+ "sha256": "96abeb65d87512271bcabeac8b283506e78a94968b1d8658dd5cb31a1f40951f"
+ },
+ {
+ "size": 50,
+ "typeId": 0,
+ "sha256": "620d29be08dff63afe598819f919717bb1357d90b06e5a00d5a0d09e91626505"
+ },
+ {
+ "size": 136,
+ "typeId": 0,
+ "sha256": "3d18dc812ad70df870b6f8a81582461acf2352d59bca0bdad825e6f59495126a"
+ },
+ {
+ "size": 36,
+ "typeId": 0,
+ "sha256": "2558b29fa32b5a5da3dd4eff2c00f06ad7444b0098073b148f556e1875482f03"
+ },
+ {
+ "size": 88,
+ "typeId": 0,
+ "sha256": "cb97a3fb5034bc4a98fb7b62e09dc921ee0f731485134edee6d41f22aa3cd7bf"
+ },
+ {
+ "size": 136,
+ "typeId": 1,
+ "sha256": "da3df06592f5ce0069a83a8eea3aeda6b4e8650a05baf32f239c46ba9ada876b"
+ },
+ {
+ "size": 68,
+ "typeId": 0,
+ "sha256": "4c365273e81fc9ae17a9b83d85ae17e9fb0e4b7bd5766ea36f8f0bc33758fa66"
+ }
+ ],
+ "location": {
+ "flags": [
+ "CommonNetworkRelativeLinkAndPathSuffix"
+ ],
+ "commonPathSuffix": "GMAldheris",
+ "networkShare": {
+ "flags": [
+ "ValidNetType"
+ ],
+ "name": "\\\\ALS-FICHIERS3\\QUALIT\ufffd"
+ }
+ },
+ "extra": {
+ "tracker": {
+ "version": 0,
+ "machineId": "als-fichiers3",
+ "droid": [
+ "00000000-0000-0000-0000-000000000000",
+ "c5e0b78a-c875-de11-b8c9-000f1ff7c0dd"
+ ],
+ "droidBirth": [
+ "00000000-0000-0000-0000-000000000000",
+ "c5e0b78a-c875-de11-b8c9-000f1ff7c0dd"
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/libbeat/formats/fixtures/lnk/remote.file.aidlist.lnk b/libbeat/formats/fixtures/lnk/remote.file.aidlist.lnk new file mode 100644 index 0000000000000000000000000000000000000000..445b9675a7ccbe4592920cb47759dfadab2d379d GIT binary patch literal 1733 zcmds1T}V@57=E>&vL7}aArg2hwTy&DM6yNhG@V4#MoKLBC=Z((hs{mSj)?Sgktrcj zi4@*cgX*fZVi#SQBj~P+2%;_`3L**d!gd!T*z=yBv`Kis@9_S7@B8lgzV~Nekci4$ z<={lG4NifpCaq1Dn1!|!axlIJ0JflM^h$ou1skrb3)MRf)$g(V11kFts0lSST>!O>(4Xs zrMnBqa=@FU>1X5K2ei>RK?ZkshB^-w>Rv9iRXZLR%DZpepMP2hdj&_-fVO~Qq>v6u zk_tJ|;;UDUkk;4-y z4&KT!%$Ao~vsaeh&_^L+imoJ8eNZH7sa=g|=}bDNOC3G>Kw3*sNYQj9-XrxXniQRj zDg8PLe8qPbl%QGwwYyIT0qiwI5rvSeW@H?PN1{GsFHw}{4BUSB zxP@oQZCo|t&FPN6&EaNlMu`{l5pTE7z5|HbYeW{0Lo20ln>3JBXmP|;;dB%Ao_Feu zgUn77c`VFkPa(-3#^ij~j+l=EKuc0DG9=mwY!h$M({R~A7#FN7Fa<5dMNi=p`xvpA z0oM$zO#Dd(Uy-Jbv8zBXG#uGw|7n+4Z(#Yf(p&$ZKS9ME7qq%xqNv7p%~xt&deti3 zjP@fnyq{Tq;Q5{WJ{k_Z3O4ztmnz5WCwkx6nRi3M-zOWk4EBR(`#=4@>1_0k$hm7r e_IRh{FZU}2Y70cSRC@={BCmeKRhBxcX}I11d?@s)#HNEOn%QTdNs`kn4$|aXB4&NRK{I;)$biqm zRU|1I&}LH25lA+T*yTjwIEFBc&rjOPZ|cX{FLz@UBT=<}-7Z!3c|M2hVgA$E-OLDz z)rC^Fw3z}f9p!&lz1hc>pI@ZTTvTa;?jv@SH_@c+(N`Qt2G;>ZcPCuI=OF(Ncg76d literal 0 HcmV?d00001 diff --git a/libbeat/formats/fixtures/lnk/remote.file.xp.lnk.fingerprint b/libbeat/formats/fixtures/lnk/remote.file.xp.lnk.fingerprint new file mode 100644 index 000000000000..6f163eb08f90 --- /dev/null +++ b/libbeat/formats/fixtures/lnk/remote.file.xp.lnk.fingerprint 
@@ -0,0 +1,94 @@
+{
+ "header": {
+ "guid": "01140200-0000-0000-c000-000000000046",
+ "linkFlags": [
+ "HasLinkInfo",
+ "HasTargetIDList",
+ "HasWorkingDir",
+ "IsUnicode"
+ ],
+ "fileFlags": [
+ "FILE_ATTRIBUTE_NORMAL"
+ ],
+ "creationTime": "2004-11-04T09:10:42Z",
+ "accessedTime": "2010-07-09T13:53:19Z",
+ "modifiedTime": "2001-02-21T16:33:49Z",
+ "fileSize": 325120,
+ "iconIndex": 0,
+ "windowStyle": "SW_NORMAL"
+ },
+ "targets": [
+ {
+ "size": 20,
+ "typeId": 88,
+ "sha256": "96abeb65d87512271bcabeac8b283506e78a94968b1d8658dd5cb31a1f40951f"
+ },
+ {
+ "size": 50,
+ "typeId": 0,
+ "sha256": "620d29be08dff63afe598819f919717bb1357d90b06e5a00d5a0d09e91626505"
+ },
+ {
+ "size": 136,
+ "typeId": 0,
+ "sha256": "3d18dc812ad70df870b6f8a81582461acf2352d59bca0bdad825e6f59495126a"
+ },
+ {
+ "size": 36,
+ "typeId": 0,
+ "sha256": "2558b29fa32b5a5da3dd4eff2c00f06ad7444b0098073b148f556e1875482f03"
+ },
+ {
+ "size": 88,
+ "typeId": 0,
+ "sha256": "cb97a3fb5034bc4a98fb7b62e09dc921ee0f731485134edee6d41f22aa3cd7bf"
+ },
+ {
+ "size": 136,
+ "typeId": 1,
+ "sha256": "da3df06592f5ce0069a83a8eea3aeda6b4e8650a05baf32f239c46ba9ada876b"
+ },
+ {
+ "size": 64,
+ "typeId": 0,
+ "sha256": "ee476d4c1256e99cbe21022ffedb5d1602a3c74e148d7c3c6f4c9d44f05d05ca"
+ },
+ {
+ "size": 80,
+ "typeId": 0,
+ "sha256": "7dc34531f388c48579b53e320e6750074510329fd0ff7fffd87efc8629b3bf7b"
+ },
+ {
+ "size": 114,
+ "typeId": 0,
+ "sha256": "42a5b872d13027882d743445de13c29673f211b01c1e66513c7e002054f0a8a2"
+ }
+ ],
+ "location": {
+ "flags": [
+ "CommonNetworkRelativeLinkAndPathSuffix"
+ ],
+ "commonPathSuffix": "Archives\\M\ufffdthodologie WAS\\Norme de d\ufffdveloppement JAVA.doc",
+ "networkShare": {
+ "flags": [
+ "ValidNetType"
+ ],
+ "name": "\\\\ALS-FICHIERS3\\QUALIT\ufffd"
+ }
+ },
+ "workingDirectory": "\\\\als-fichiers3\\Qualité\\Archives\\Méthodologie WAS",
+ "extra": {
+ "tracker": {
+ "version": 0,
+ "machineId": "als-fichiers3",
+ "droid": [
+ "00000000-0000-0000-0000-000000000000",
+
"341b46ea-7798-da11-80bd-000f1ff7c0dc" + ], + "droidBirth": [ + "00000000-0000-0000-0000-000000000000", + "341b46ea-7798-da11-80bd-000f1ff7c0dc" + ] + } + } +} \ No newline at end of file diff --git a/libbeat/formats/fixtures/macho/hello-darwin b/libbeat/formats/fixtures/macho/hello-darwin new file mode 100644 index 0000000000000000000000000000000000000000..d21b27936eff76976990d8d82bf07f1047406ddb GIT binary patch literal 12532 zcmeHN%}-N75Z{6yjiMA!ep^(G8bg7AF@7X~G?qyC5R8PxEG;e2q_nktM7WU<4`@g@ z84n&j8c!ZH@vez_FdV#i^diATZyt;>*5B{FeeLT5{sA%*=FQH|?Ck7syDyu^tp54= zZ?{r`TBR0hlu{w^=uV{`s4!Ye9RkO|S`T*Jh>k^X4Y0SG0@doK8smI{qt+wQ(UEEw zdpsxhlF^Zha+zkWt<;=VarDOVuvE1d4_t3=KWjtKn z9S}6}T)PubPp2~ZQ~^%@cq=B}VH1ElaWB(`{3eQ4A)TEv4*qyAOuYTZPTfmYv0>19 zHhVvvP3m-ZGH2`6`|-xa+Qc8?df&TR*Mto zm+K6j7+eRA%oYogOga%s&S#R)Nk_oUWA)SH(~-~ZPnXul@~2nYg#fFK|U2m*qDAh3NAxE)*i7F+xgdLRAEMaGt|wL`pA z>-!*DKQ2XoFMWtDz6;%bTWZSV!q~Tb>>fndaH%N{kCkaW)c3VgsT50PGPw)kJGnw8 z*=XNukJ1M6O5RaRf2#ZAP5Kof`A|(2nYg#fFK|U2m*qDAOHj!PN^XR z(a_1FTDurtCr}@b;`O0|T2Vzw<151`Tk#P1KRuZ1jsiU|93C#+k8%ev`}8Mt|F USV literal 0 HcmV?d00001 diff --git a/libbeat/formats/fixtures/macho/hello-darwin.fingerprint b/libbeat/formats/fixtures/macho/hello-darwin.fingerprint new file mode 100644 index 000000000000..e579e05f15da --- /dev/null +++ b/libbeat/formats/fixtures/macho/hello-darwin.fingerprint 
@@ -0,0 +1,81 @@
+{
+ "architectures": [
+ {
+ "cpu": "x86_64",
+ "sections": [
+ {
+ "name": "__text",
+ "address": 4294971232,
+ "size": 42,
+ "entropy": 4.04,
+ "chi2": 1030.76,
+ "md5": "77166fb4124bfa15ceebf0b9425cda23"
+ },
+ {
+ "name": "__stubs",
+ "address": 4294971274,
+ "size": 6,
+ "entropy": 2.25,
+ "chi2": 335.33,
+ "md5": "f9e07e9c40c24082fdf9f1eab3c8137c"
+ },
+ {
+ "name": "__stub_helper",
+ "address": 4294971280,
+ "size": 26,
+ "entropy": 3.3,
+ "chi2": 1057.08,
+ "md5": "7277b077b4cc51c5284ccaf6077babca"
+ },
+ {
+ "name": "__cstring",
+ "address": 4294971306,
+ "size": 14,
+ "entropy": 3.32,
+ "chi2": 388.29,
+ "md5": "a79133c2466b7180a4de0fd3fe302b0b"
+ },
+ {
+ "name": "__unwind_info",
+ "address": 4294971320,
+ "size": 72,
+ "entropy": 1.58,
+ "chi2": 10452.44,
+ "md5": "5a85d345ab9f929bf8ee00e141401105"
+ },
+ {
+ "name": "__got",
+ "address": 4294971392,
+ "size": 8,
+ "entropy": 0,
+ "chi2": 2040,
+ "md5": "7dea362b3fac8e00956a4952a3d4f474"
+ },
+ {
+ "name": "__la_symbol_ptr",
+ "address": 4294975488,
+ "size": 8,
+ "entropy": 1.55,
+ "chi2": 888,
+ "md5": "a8f250ea011781d751ad55c91ce4d39c"
+ },
+ {
+ "name": "__data",
+ "address": 4294975496,
+ "size": 8,
+ "entropy": 0,
+ "chi2": 2040,
+ "md5": "7dea362b3fac8e00956a4952a3d4f474"
+ }
+ ],
+ "libraries": [
+ "/usr/lib/libSystem.B.dylib"
+ ],
+ "imports": [
+ "_printf",
+ "dyld_stub_binder"
+ ],
+ "symhash": "e4cce50a95ec8387770df669df413dd2"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/libbeat/formats/fixtures/pe/hello-windows b/libbeat/formats/fixtures/pe/hello-windows new file mode 100644 index 0000000000000000000000000000000000000000..c37deb302b9a017870e27f3ea16ff28d8efdb796 GIT binary patch literal 39424 zcmeIb3wTpi);E6ACeT95snSBdFa!cLSv4DN%YikB>{F;`VDzpHxTGIQy|%F5*)^P)0ywYSo|w9@RjrO3Q&`Qoy1>FI+k zI_g3v$1T2pP@jrUapRH(CnZ_93Pk@FPa4N{WddffY<2?y3MXlF)2oSI=r04QXw2Hp z9NJZa7c-02%Tk7Z@9`KdzMbQ)8K?!>?*dZM2+*5)p`JX?#2(1NNw*^FUOT|g(c$_FZ3)#(kVP#9Uf|S6`q7YJ69MQSFL5- zl#T?@#0|kyosbDZJ6B>KSEc1+ZQO*&0eI^0B>dUAT>H3ME#Fw8X&WBOcYi`A1X;dC zH8m8wX)u056#D*O9aj<>w^YN&c-@XXDR}xZ7WhKr@@Ewjh9&gVg@@Yv5T1lTJ7*7# z^Hi{UGbsKP9?D0ulkms#RhLyPFO5}&4xxMxCuBkp^-k#<^FQ}(PkH$`ex#o@kRNI1 zMBgVlqHM});JCcD7LFtqufy;ff4Ly>bQu@}vah%KrLY}ERiSx===nG}t IyJ95b9OBu>t+IvRq{j`Zu(G}o0-vooF zC@&=X_U7y%dUq0q$}_+c*+K98^M%>v^=AhgJWc{h-hgihwQdN1e{D1xl^c8TlGhgK z;C~ZV%MrtmtV0YZ2Gf55kya)`*Tm5~P+zSFMJFMnL#|U;S!WkS6dj{wM=WZK4FO-~V!92PV3JCWZZrzj>64jg+YpfQXNVYW~_d(N#z zV*Mv1l{;zp=7ror6mv^0Uy6SfN;{zMP#WGPgj?P6!Q65nN9*J^QO5RDg zJUTxFwhZG(q8*~GnfDJz=ABA1#|hEbL`gX%@_)Zt41~PLMfuu%6wEs*5AgLEc)tl5 zIY$m^^9DywEPhg2mBxg-=03Fue!r zJ(~5*ZpxMQ0%Z=S`@fAwMJY*n@GdZ2@83d7l1!^mnNqxjaA;V)7f0sCWYpi`ar%xK zJeRYM7kwcEzdfVwta;5xg48PbP8sUXULx?0*2o9ttlh|;#pGgpp@DMa-9*_xLq#d5 z$RQ6ze|m=PAQRN>u*@^?fi46k({X5EvGmHJlqpzdC@B5F75*UEEge%@OVHW!m7i}V za$5o?*G$Pf8l%r8yWioIHOL_bs|=#_x$*~uUD7F0GQQ`Mi{C+!u;|-kQ0}2Tws*V- zZw@*x?-5%#`V*x|e*jwLb&az#d{mQZEu!RfiRzO%w?u68P_9n&gPeXFf|6+tejyP4 zH-SaY66mdi_Xi1Q{azBKJLWIAQ(B?5qtv=Nt1}|ZWypEvVAcb%CO>Ba|hP)#$mUoCI-SnRxYwWZL( zTQM+wwgLRQgJ_P74#+yU3Y3%@?}I&!cE#=0h~FXl3kRPen7`mNR%PSo7a5}bixkbU zCNE;C=Q%97Bx}K}2Piv#-fBw@gw7>>j(Y3sOK*@gQ{ej5IM=Y%vQvm@zkmQNltcBzJapG%L6RK|%&e=46M( z5iAV(j_>xQ1Pjmkj(_9L^qD^2jIo5SE4*XAFb@OF&iQ(hMA=O~N3mssu)~O=JM8#z z@XnB!JYpXTh|=^Fm-MD66=g)T%%}t^;@N1{E6)?H=|jO)sYzMPhBxH*sA{IJluZwy zsC;V*vg}w%R?3l`t=xoM#B11h#3@(dwXx3t;ARVRgj>nUAs>f)CtY*Olg0yIAnF+= z2FrH9R*|U^<_imSd(~nZLTv-($|~|I9u|YfIz0P$M2WtxQ_5rDAbg&q_u^e1@c}@K 
z>D?!gN*SzsNu10u`kjb!OI@NBYQAUSnqSILXg!1Z4P$^C7BlciKsnzCJ_i~pSd;=S z!3XvsjFF$_w!P2$ZUYD40Bk}Xu9pZu-lLH`&CeJHqwkX1UG=RL?eB2$V!LQ4*SRbCI+B!vf0PvHZvAX+X; zqlT%^BiyU=d}r-^U^SW|%0#?Q=l!t3Zs{iV3(Bj}iPS^x)Gq>UBJVoXn{ys=qCsja ztJuyl{=bQ4y5(!lu!~@zLmq>Q!NYDx@;LIia#)#h#Dp&O8x({*ZuLTP9{Glamr(fE z2tx-!2IoSU_x%MFqV;2;Mg5jK&x%{{5mZ5Xgm2BbNlOe zQA%G0Tx#YV&4>xbr~#wzJUI!vMGDs+gHV|3&*bM%Lr;_NOu{TR#IO4U1!V+RI80Ec zlYKp@E3bgs9s^?I%D=pkDZ8B*0i0sJ6+bVYC9`Yic8~~yAhSO1Cz%MV{~cspapNT9 z4|(36Gy=eTO-BXMh9TQNwx(YvyZ0@8HQ3tFXDr3a1j#qXA5sJ#TvIM;{RX{A&7t8O~^Lt-Q zXz}%kWVEU0v+R&VX zqMV-smXSktM+QoG-v+8Ds5En&py=T9)T1aH2bx+m%ci@LLwZ$|2+<(oH*_NWlU>

KNQJYM-fu+A@b*# zeIuoe+D~pm?FUdbujhj?sYA_#PDNTYYs=s9BB#HI7ZKj#6?q+zA>?mM`-z~7U~XlD z4L+`r;f;uJ)-DsJDH+NWMGVDehT=h>=tb`bb|gxsrAUmtuGh!tA!lvs%CW#wD4S*> znXDk%01a=)n*pJiGiJU+^DE&adLy!FG?GEiG36TcXyh%-KjhQ!qp1Yr=^ojX#IksA zl}$a5Kqz_)-hYz)K$yBWJJxO(Nc5lb!7LW<{S1ugqC738=K$!h#q>`-6wRvN1|6^j zLa4j|T^0FDum2ECe+s#xS!*fBMC6EhLK=ksTyN7BP-bEQ6tn8m2j&tUHP+ornsGB2}PU&6V z@rvd3wV=ss$LdR_JGeLlB-pWh;1PTZNHEs9f}XuOku=DM3qtR*edW1a*g<+hl-?p& zX)0=hupKAE%tRepOtTB9GBL6dlvqItv4IH5aDxz+p6d4~p<9EHq-7;|CYIQXG=j zFFHp~IfxTlWE}|!X7fu?9>qa2^|K2LWpE5bQi$r+O)tv)yJ2vJP0{YLqn|E_#*do_AR zYq&qjZznSQ2l$*xM7wNZ@B83t3?K4YgwyRpSQ$xC@$uu9M_3s>ZD8PyBmo7b`4bBa zM`98%#4WWZ&>xcnRgmi%!G8$lyCe#ku3&LSwv&2?yq^6eskcB+w4qln14xAmPKHInO0Ix*KR z?SVt#l3rJCV|HMk#atk%;2`|(om>e_;=+r`(>*3g`;^Vd;*b=Kt=v1<8c*n4PI_d8(Y47D==oAxKRvn0t^01#gc>*W&lY zO?D^0yMyfaXs(Wge4_;bd6UWQ7HQg+3pHeMIB4z$edUlkGzTmF=xwA09F_@6_;Q5E zr6N332QXlubwvIO{+3UQuJxQxB&qj6Y4*wkbYEC8k4D^DM{2ugI2AN%1@l5`HR73F zrRZct69(W^i&=tJ4_q8h*tKUje3(gyPMENiH!}MpN}ckolYUMcHpAuwyhA6!v zy#c;57B=;=FpO-yEcBBNhs%b>h=$XVOJnvQ{oIh2Bo|qHO$MpRBHB)S9LUDlw3h^< z$YLwXSpzl=5#^!Xd(EDgmEAW3Rgop~a)Leuo@Qf`IgTiSCu_z5VRr(ucXUkqH5OLs z=$iFbGEsvANBzjyCp9qyMz1wEB?=Z|+{F2JHT;l-y1+jkjA{e}1B`(u(5kdZy{28@ z?V64+Vap*fEf9aPbXEq8Ll@*J&{2D#GTKF>wh1dsOv11ND9lqE!Ft7q6t?)T@gMqS zf)lezp~aqo`l2qW1GdW5?68czl62se?%+JjSiyJ9oYx`n+l}Y@y54i7wl)~ggR+G= zgBz!a!I@Zhf75M!OSuwN(7da6zvOh7{6Eid!Z@ZEV`Qr)KSFod?zxZ>*=$a$F0!F_ zd{Xs5&So#**N?4F2+}JM9p9Pdyx#^r;*@JMc947ta&3w;5EXb=i!XHk=@!!Ae4rU5 zIpn+395zMZ-TSaw;S2F>mEznPOiV~W2|L)zg>^3tcQXbhoMhhrH3~YV&xs!z{V;wc zVx!uz+LP-GT@T(krB0#l>2K+iw&6&;^!i{jT?SAOrHu^mYBmQA|uEaFJA+fM{KQ8S8(Bg49QWc}Sof{vrgL z2jr4$^!8cM-CNGO58QA_cc*Dpe}z5*Z{TzD{%j({cQOfVU6V@K8oCkVXt)m8lA5PR zbCJNW9|c@`uc9DCmJjp*NvwZkdi^L`>5xtd=+{7Kts=aHVo^;@h~jlAcvt@vr|X9Y zPBv;_1LtYfK#Ub^`vkrqap3If#=s#99%t!}fp}A!u-Jof%S6(D1oh}#QD3Gy8(H(7 zM@EuPy&e9^AdwMQ38kpE;U}&SSpJXuhgM`8E0A{hcVn$WxC}a(qwy zhqXZW*Wghf1)!clF|;G07t}}4G^uAaHvlU`v}wTyt_LB`U;%bcwIS>bt}-~Jf~^Im 
z(E<#0jOL3S#K3~BPOIva4r+Z*N)zLN^*!~fdLDlCeoVygd0dx}z$t3yS>#F}UtNy( z#(w${hGMIw4sB=3&>>f6$oD{myP*%8VK#iB;abmn2ABKpF{1?&(GIyL4ZG0=%?WDp z!>@YBioLs~&V!YbHojp7a@*@ZUW;)-@BU$=a$X=Qz+aspoh^{MTssfGto^|qWl}`` zPeE{rp}@A+bCnZr_!Z^8d(E8ZQcP{2-Q1&S={MPnDS$mmXy(SkPjX57wDBfNt*+C@ z@GFK-B)fwXe^p?Jx~)CFP_EDb@AORSigYYgqD16RY}}%){QBoLh&jCfFq$tkJGm=eL9YRlS#6FK>GbPJl{-aQZG#q}=Ad0XKxL@w;b ztNSg8)qEhSNprgb9cyys=_%d&dflLRp>gXzG<#Y#rMq1K>LLr_+pFUXmOa^TmA{TU z70pFMJrk&PW2klN2*`Zzc#@ig9i)9-{NLdCpBQCmSD&T<7xVYr(x+gNo%eqPX(c3P zQjsbt2G(EV={MC~Y^Z7ao%$nCg;Zj=|1JbH`lx8G%eT*Khw3rxj_(`?s1$uco?$|=*1x^P-`S%K2U;;$(2dIf<90sq zB?1sGv@i>4(2%eu^=Fwm@vlUh7`)pIsagL53Zq^8_JKReIrN7-14Zoq@GrGO1eLE( zVUG1FP6oY(G)DemO{c!Pw3%q1G#h^_X+FRf*+ofJE&;<#4 zEuoR|EUMGBNB5dRgpm(Kkb&eX7qUz3A*ln+r<<5s^nV^N0v85Zx|;{^0W!@R9*sZo z@sbaU69(1VkATttE^440R|2y#3OQ8T7a;zzsrA|m$c^w0We77c&A`D1wgG8}WBjJF z4fZ%D=Rd-ygP&2Y8EgiOx%ygmmPAKVhf3MF5w(WMMHyhr1{DfQ?|4_Wd$zO!3)Jquo7>^W9{iaOUC_vqrtT96Z-QE%E6)36cKeR)^))#3z z+LH&dhEr00MofRk@gxHeG^h7dbu6-hC~Z73`GWIrN5v#I#ej7mW$^y#L^_#S-cM<& zl_^<9*BGMfpPwSKCa$maK4a?xjP73}y-$Csi;%gIb@CMmQJNT)rbCkX^%o$5c`=Q= z|2fna<6k#=sGl6%NcDb0o>aT~2vy&!%cuF|z2`()I3etfB>E(h_MF{tdbS*u2 zS9y847(R1}!y3lEMrk;FW~4xK)1@ITrRNfBs}%NrND6B#PS1FU2v}_zi?PM+pdW_~ z%UzvLq+&(!7+-J%bGqR4Bx|c+YuyRn!V`o*aQuw019}O%Cr#Om9ulx^pTclL2T^ne z4&)p&r_*5YwK*v!MY;1Ne6(N@3=G!JRi~lYf=yWL711J}S_qd}o6j$C$Wtqjme7Bd}1$yMHpkQ?Z*xUsDz)c0_8QJfC~ zZ6Z4}(4_1F|7n40(fQc%MCD6RdGC5{%aja=E@nOCtVbSb)C%I{Lz8k05=I5Bi3NXv z-c{*wB!ue631_ndutg_))DIB8gz9Gt7jG&8woV~c5p3~beD|))Antqq&E$XY-yEJm znkv!1NoeO8NFcRSI4^-gvGJtux0EDy5Z~|}$%DV^-?o-Sixy7x)?R%At?{s4s{f8U ziTAf72Nr}zljraI?%UPVN#h(|>%a)|zl=2N7dY~v_oM*dRXVO*iRFn1lmQ#JX5>-6 zA-uh7dTT$5V0j$&1{=xLsE4lC^>{x-k7LA9x;sN_bO}3=Qr-xCgCQ1qHP(J~EeXFi z1k@p#s)0W1)8%S6DHo={68QQkWIyu9xF2v#NdYZZrp%DQ)!(m ze!dp#-fsCkhkRQKmag}>rFZj#X;>0@%`J8C&$q#~G-Gj_Eh=|N?Wd2VwqqwEwRPur zQPdF*t1wq@q6f-pUA*B9G@-oyBU(Fu9Kixq8@L+MNFGmy?<@`w)4C2D&~TP4xiqR_ z9r*QsHgX)+rgF!TQ0Fysxngjx!HH67|Dx{2+=XBN0I`P^19^Q^eEgVYjKmy;$jXD_ifd9Lc!d17f3jsEc2k-Gj8f=iMd 
z)`MagYOGyq^1jROKIybI@#}w%1~{!v-TMac{%0r**C?&AJ6wlpC|}cwsq~6E>8*F_c() zoYuw1iMDT6j#lYVj^=+s^vfatF_6UOwr&wGmiJ4MTGCnSkFNw z-@qPu1Le!>zl*N*3RpRtRfSYm3*=C!hZaVR-oJh`Br(#| z%TLxb<@KN9zy|txofqZM{k7>a`7SVYtoml>5FlV@uUv;tSPzAdC5fF~E<+RFa4pD2 zmYuW~$P!$gClcgDYQw2!QTj#zSs28Euge^{oQ(tQn}Z#xta{X!iV12%GC9{IeEu~c z16wS<>T`YWJN@UGYM23f31xk?r6QSOKPd zI15{qH~_bIF8MIbsEmO=Kzh8tj($X)4SCl4i@cuWtO>E+FI1kVJcbI`CVn@TQI9jG zlHB&e{3z@}Bi}#=uyz%ckf_&8hyZOP!GrTLNC+U==&EE)Zgejs0UL6 z^*z{r&`n$$ij(u+Ax<0-%)sznGnnMB8Ape}JuD`==u{{U&HK?MI0Vs*F4JSZU(n7G zTUUy&?|@Itae(zza?wn6WxO6fFdhV`JbrrRh4{w2&%b<#v^Gj({YfqZ+r?4od~)CX z%zvt({J)Rqr%7!ysv>-5(5Vzr`l@)kfJrFxC72GG8jp|XzZChY-)OfcKF&0*W+Qj3 z{i4*;{UP{}7NX!r1Sume8s&l(cks&bg>XO?kS9|soDOkztUzbTS|OXC z5wT{pP~XLwsReFJ6(6Vr60uavA~a+g^xRONsGch0w_{6q59Ubwsh%)md}l^`H}cz) ziC8g4tsnOGal$3N>xP@P+L;%1=5-5f9V=LfaaKvwth%$eue9>pJ6xs3zrnWhiRf`n zFYZ@rp;h&|)wO68#ru@piK+a$r{ED`kuRBF_Xt8X{SW+{qFzFqnH};UfMyotBw*rUU67La?NhOI{Hbm~L1Ul_xa9{~%b<1Y_fluZ#yuUy#GIRR1?Ryl^+l6; ze=F4}r&;ipW2g=M{coe*ghI-vA0Y2AJ+B}ewY-ooA_?3A4z&9I z7s&WvGpmF(u>l8_QK>!=jwq|%2a-dOXqTL6iOG}8x0l#x;{6LW(!sp1wNR305K_S4 zv1q821YW7XMrjgU!ayZ`t!A{P_DLh}AB?(>;-H}0VrP^iJG^?kG8Eeh>K!Ntq3{l} zK^}Sk1~iYMpiX48?yN;aNKlsm!u_G1p#zU4%9qsii%_0=X5w|c{~Ay?@oG>-JVGC_ z&eD78r5~q{)-8XCzEZ4bsV|VGA^c0=W5n>1=<0aOWA#_?es3%t4UVNxrFz{^8jz>+ zp;mPcgq3TF=XV18k8tfjeuS$3AgV_H@0Yt4>(}Z@s7Gpz4>D`)72`*Njyl0XX(Z3I znSx}s0SOqq5TNTI_>`(Oo6;(@LO6_p=CVS77=M(D(%t=NgeU~Q1~;hla^HbV850I3 z8B8J!*mO``pfN#yHQ9$?_lj?V=#qO?qTKc#%AJRDiM*uxMq^<7oBHap0HnT2ldJ^E zrE0Z=ecIm0&p(dYCjbeLY2`F#ka3l9y2tBX}^%GBP2t>UTiFnn7Jn1xVEF zBo7l~`Dy!!QdpT3P0&Unk@a+ejJ4RHX*l-i3j!a|hCb{{9S9;KrlJP1w4G*cE3Cv5 zY=bm0Edh~Gir%5lj;JY^A(F*ena7-c1e2V+<4bh|;;CK`4|??RyBU#nYm&zE{%M4q z)G_N9<%ze^DgWw;%Od)KlX~i2P9n9Y&V{hyXqIL_)E9sRj-#g4)zN5+Pt6siLFy@t z0jg4XiBtk=)dd?bFg6ca>HyVCQM!RC(HW?Yk>Hlv&?1tJapW{zhxh{60cNe#0^}#F zz-);6Jl;@6l5U!?KdQIvWfam9pcdiB#uNUD1Y%)n4l3V)&O`gJ;R9qXkUu$&C|O5@ z1tYjKjKHU%vPn@)p+=paXIZU@1M5ks3=)gkTD3sKn(S+ip_zyTd{0R|R1P!=LtOm} 
zBqDy^i=Ai6JL)@g(VA>FBhl@@Aw=G9;c(mj)n8$W(0dX3BOAK`Mz);PyPl(;r@>ho ztaW2``l2;u3{Boq&5w=Y5p3;izXYPOKqLllHAva~_95<|-Pj-+u?^>MBNy92Qjf#U zSdGGpOGApk4d-g{4M?&m4MZkZwSK-O@2GYjUAL;Ovg=&uaY;0aLGhean4<1QJ>(a~ zJ}=SNw@;iDbrVLnw|0>`hwU0Cs5?pj=|nCibi7XG$H7O zDp06?928}Ik_QViR;2f^YD7aTKBN#OxN(JXw6^zZ-V#fjv62wruUCJsvz8nL(Ll3^X!6iS=~YY=pp>D` zuqi~*6A(?GeNCX4TuJeDy(&lsf&;OCi}fvx0V(2p-zd$qh~8_V!~8)+VZsOj?=h^n zo6pf|7V!aG{a&J_A1mzm6vo$M^d1($E7S?wDePcQXfXX=CngoxWyZLTq4_=z^%K%T zkUNJwYKIvWh>L(c599&o4PoR18CIRKoDW*U?`Jv;Z;7Z@Ol^4>!z6vO@(3cj<$_;p8#uX4I$Dorvv z%3XYA1T8fl0>XX#{mUR6(5(%~M1O+sgh724fq4HBcP0!cUF2su5(NuP1Q*jU1FibE z%Fn=<;S&zE2r60|=ZX1Yy(zysB_@b!bv&QYGA)xTP$$B~px>cXQ1eYg^^P2~k@b}$ zc`JkJc$N$7(}^ci9PpeAV@?mLqJ~#t%c#GlCoqg0IHhaFOyD&3D`2-_eJ~0=kXg@pRhx8O`(2pa^a!E^q%A!IJrGGmf*6TYsY%>H011(Nu{vzXh& zrX8?(?28tGzvUI_K}Il++aW}Ad-RN(2&h#A*ka#mi+czhX}6`Al)_w8F_n>Hk^luCXm*OZ-}w5NW^|bv00<)vqCjM%(@sTZ8|B%NPprk>Nbc zTzvn7HITx{aNVAWwj;d%Rxpa?pcPjkT6fmw`I!8yxn%t_AP%A#l&CyJDK>t6_?sknx@=}cIvY|}FNpo9^M3f!=Pw4ww0NMh+Nt`7w3+YU*U z=NJW80E5GNOjohCLwv9iW55AsnT6o=Z+*wU#kwtG1ncX9?;8UpxcNuIBaa* zn*4`6sSa>+!#rdLu_Xp<-;wtAV3*@{NOcJtOxl<^2!#L&muTZ10|lFSIQ4f44gEmd znhR|QrB;5%J}XLD!+IUoeWVRZJ9wZKJa^EN*%F97@2^37>CoVfaBv;c2?s={4h>e; zWszApi#`W>j^$k1Y~haJ<6q^lre`F6dW8hj%N4UX- z4YWZD0{njmL~RroxEW#EfW_@6$jK>BV6Tty07oMBDJx+RkZZj~D^bNph%ZEwokGzE zHD+i|&O_Un_!A-Bm=9rs=AjP<6_rg;&nU+LMX(Zn3W`tpX^Ou3T5L9v2CX9d*^#WL(*!aS@U{(|gWL)b#gP7Lvw_!5DOk0R1C(QqZTLCP^ zgauTa)ltBK2qst%eS8p;ApJ;SV?y;HSE6QIG4a39j8G<~+q6uTF#T7B`E~cfWR&xB z(q~aLQ))DWjuFEKcMl(WF`W6537guniw0%m;$V z3tf=)(TxnZCZRR=_*(GMJd~I-?5u4R^5li0~nS(LZis2Oe4HY%q zN$W*!EXh+XuzZNaNTQK72ocJ3AdkIZbYKJ*;AF1f0(z9Ikmi;?k0p~bBHN7Vm`^8~ zb`tDv=>$1Thp^6s?GOZ|=HT31ZPX)3Kmd5ZFZ z#u8~CZnsfx)+~ZKRpA5ALsrQ&Pms@}k>)#Y7z|GYhp-?$G`p~afo5v?5;6F5gYO#~ zK4V4uz^C=Mp(xn`HjD7>$s=yr!C$dqq+9y9K>AASKkED=a0Z|qc)tNk4s;!52> zMgX#83-b@sjx-LWNe3w&V$qOJIuR>rWPfx)H?-oLC2&Sv#l+n~3}w9bLS9iu+5v@t z^6)0L?gUdcr_HWZgJiI133?Rn7a39%Ani};y%_BxrT-||Jd{Tzg?cUo-3j(SK{_$8 
z=7Njv$mrg5R2ZvU;ZS2tFi@*TDn6GoDBH0W36X#-+B6HYx+RYmnu}?|{yz96$guz0 zXGeW!l6Zd#ID`4-+Ek}JEgP1`BQWmjqh6D2)cuIH3W>wmx#@26L>(wr~^nFUpk((!4Wyo6=Rdcek10aL(C_uF znFJA94*jNiG#5dBnahtJQ(uIgOAzzJFjsm;kMae2S67fN>aUSeY8nGX(6DHwM=*4# z^hp%cYcRou@!n|W^3>l#Ujh*`p2|~9tDIooO^fnZxV_Z#5Y7!*=o@dU?|qzv7=$1R z1>}HV|0eVsbuKAzH4iClFq21D99IDD;4L_{b&yPfe>TRk;9HxCqOB;ZX+wX2MmObm z)6z({n-pf`7M3t%fk^c?_cMVIuQG9C&9r?!b~ilW6`mIL1fw-}U6q(Z>4NUFD^ z^AjfGB2##x^sUl?W@7Jtvl~^~T~arxDKk@16}pHH8Q>%?gvs8Jt=2#FPc7})odm?6%qe- zCaLa)5o5ddN)yyEK5C|OLRbV8GuV-CchDGsYrrXK>px<*P8DHQoHUkOl zuRb2jkgT_cM1W{d($$8YH3+pKau<{?*UZ_}i!}pBmb)s!K&hSBSWM7V7O)g@7$U0x z>1*QGeFg;3u1%Ws4fdwi9fMlwz~LR@B-12x10E@0%(Ht37kQ`r1KPomtD5=12Bp&pmdWW{%W`wZMVRTqu?NsoMpv%_D-~T&A;!8jB`*E}08SE0Vh273Bl)ynN zY3ex~`#dLfD#*R^9nl(b1sxmDIV4PJL!K$L4jh@N>wBSP3OrJniIyo?PL3^P@4@#8 zAG>T{uIP%*=bpgZ%CiiWaU(u1qUB*hnvw~Gd$q-HoZ^6AhPZ6RJ&DUTBEL;I6HO+g zbSCZ*5wJg!)(H2d`htkHS058ma2L#2m|k%{Z6bJ1QgGmx{EHoe0SBFNhe+a|cK@Di zdVDcvL$6@z&vP%TwZTk!FU2)0kKRol1n6OYOte!r-HVJ!^?XWsZ^8Bj&fq89=fLI_ z>rAte3)>Sjf#N!#z$$4GVxpZ0RL24f!6xP6XCNr1OAyDjSLrL*{>;G}E=G~iz;>+y z+`#k3&xsORob+5Io4zh(RPg?}7zylVLcJeaOox#~xFY|cer5Y`Btx6saoBbFGN4u91b#*{bC8M}nfcL)b z*Y3;0h8@25^W5NDm6E!KooL7BSpayYB3f~e1P2ZxEeUql5MVPUtVei_~ z?vm0h9&DoQrCX>P(GDB6m%XB!v(cP{8rgjsx{UsU?Gu(B5li>y;Vuh5F%FKt zW*2YJk-HRZFe*dQyO_FDue}pD*UWy$ZT4Jdu#Oc-pC}(9H(hGL-oEo zo5@Q(t0!2P1A4MhS7bNn@3TKhH;Ey9`IZ#rD4Go`1%i10S0Ke5L?cVF0d|cKs;}l!`Wjk#6Z^W*eLm#^ zY`P{9LygF)MBxfy&!-?*kX;a5ne7UWeaaP__>#+}^1l0#0f!y&t*6V^azVVP4W~uM zveImu+s#i=^m~l*mDlSruavw3xB0oUg~5i_nK#Du)l*M&u^8_=cUZ;~KQ9xv`J`^#+VRhZUUh({#u zGdx#@sNj`P&8LV@Y5HpC4t?X9Cd$`~fo>0WTu#IIdOi`Qv$QVBCN}#0mL@_%OA_RI z3z)!Q+!nLtnXi<;LrWd{#=A3qkCS$i7{if>W@<;23uKA73X`_Q*I9w&Xp2c|MTlRlXhe_g#Eue$z*=%_jD zRU6-E3$2%wkxwTL)UNCF+@RmatkQ`{ZQXMF!&h0YK&uuY8a z{+Y<^-7hfaa5MC&A_CJg#TL^0T;%V#eC!C~=#T3CBT)41f9O%^u``(8;v=*g=U1t2^ZVBAyVSTGn9)MF5Y(u-*NPf>D?D$IdbMmd{ zI#0N4pRarm*CM%a%<6)K@#?a*u?rVOecWQ3I~>66AkLFg=0HKJg!~^p%tu;lqjTJ57NY8^me93ooV<;=nO6(nN{X?AEH+}cF@kZAD* 
zSd3g$M0hiX@mW|U^JI%mX5KQw)txj1uR}h?e4vXmRzAr{H zZd!b22l4AAUX7I^>kvt(~1+_>8Ypkq)_nGkf6X3!TTY zW_4<^816E|(XYWto|!mfg%3SaJH%Z;#%8zTsCJx&p#9$veLxrUKd|i%4&4UqaU6-+ z8rdb6NX>0bZCEu+`@?Fce((c>uD*@_p9!u#h0ekd zK7tdSA zV0Hx0zqCEvWfJPu@eoaPQt_`c9TLxaN*dtCtzcSr$K(d*axjA;Ibhf@UD@Ax!Vz?t zft0P;{w+V~PdNycE)CpqEwVXqLf{ARi1a7)|yiSLg>2R112k5XH#*^@Vq{G8HY}Vm+9g>ZveCu_% zLWlEpI8}$&>F{Sd9HPVTU<0ZAyE=S{!I=Edp$V3V!(sS#6>Q=CSECOLNa`qn(|7## z^Mw}bR}RybiGJjG6k*?sYzx=0VkLdpumv%6y0aE*gLN#7)tP9P5jDZc7Sm=<6>W9Y zx@h^<|249RSXVI%>|0oT)Q+VFIMKkz~LoIxa5kJ=(P_G#g<80wRG}!Vyt3X)iOuw${S-5Iwhb@ zU}KZftJ5`+(dD_ART;lA4tBQ`KMkDK#I{;g_D?ro^L`1cl^0p@n4F;A&UBr|C z`#xIJ0d^8inwHV2@SEs^#hY-^0WCAbQzw<6VjxN_$_W5WiNL=ccnipDb_df(z}sZ| zE63ct^MG<0sqcqDksY?1&5L6F-N%2iV}|!0e5V5GU_k(9c5&vk6BXiCyJp2lwe3?p ztWwmceSd>%N0^j6hjtafXN8{m0KThtWaMVeK2nBC#DOpTxoK=#_k^$HSSA?aSItktK0)x z!0vkidf5#h^*`Ye64&YQ`b{G5zy+(vadcJr2hA6W=OW{|u5sx8M<}RrtYk02hmfRN zFUCL4iE=A%YsiSnEN;1u^$#7O#(69^T~mmy!X1$Fi z0*td1?Bn3rljj-bJ*e3P*#k{<>0=!g(Z7erfd=$9`yT*fSf6((55NgVzsmsp^PPh9 zIlMqDv?;V!$=a2xePZ0(7sU5I@|25(WmtLKZR>{U2!yaj84uu+ud(2yFU@iaz)a6V zF>um*xw-)a>2#q6!ycERx$fR5$NSl25klm)eZ68Cu4Q*hssMKiT;2-FhRn3PTAFEC zX&x#lOPKSpc8d6-bxdS9{L^-}SMM?$u3K#!!+CH!d~;F)N>#Z{L-{(p2h$~8V~IS~ z+eTN5(L#K4;h=8hm*tHNO1&#^Y<&uM`O<}*FwwzG7tWv=aW)xD#~Kyx(=|ymIWF#R zkg-~4T0v0^2`dkV!LRx|G1|7Ln%_AT6)KNuuPd^|;PhOE4a+OP#A1S`Z`zc4WFS8b zcLZ8PScfz&4bfF0*qTtD0fPGJ*<2ljh0zh0uY~%9zV)%SBio+7^|@m8)t6>R*Wy3V zv?+tAn01dB{>HfUD64RK2CGCRnM8Y2FD9V3@4tGFj(!PMkbT;$!>KyFOozi5jE#@z z=udCe?U@c=(cw!vd`5?V*5P^`uF+wo4(ID|h7NDi;W!=sj6wB|-zS{z2c7y~=w8lF z7AN)>i;um>AeNZ={GIwQ%0>I+#$2}FJJpjIWyi~&-O*@hvbG9EY1n9t|AoSR>Fiq7 z_no^(d(Y5eqYiQRKWpD99mWy%qd%kHdpzGy0mcEbtfFH1So56a)fJ0J{Qyt8hV|=@ z{&`Mm=_xwg7}DPDUH?Tn9nb8_yDOKktTdNZS1+$doKSt2cUf7b$Gmv?vW57cku2Vv z>^uuQXRLth}o%mVC>t&RJ94x6H9}g$t`aOBYs{E0)*Pn3tEE zYnI+sxwL#K{ugCwnK`G>eM?ahuy9=Qa?g+EDvswuz9nVm>arSdg~yD4ZRuIQ++4G4 zVMPT(X8OmLWmQN7xn+yZIkRUtVpPOiQM0u2E^o!c>ZP7l=A0teG-?9-Td-`QX9*gY zW4*yVx`zHc=IEN7(RYnCkG{)lHs@5Ac~&f}n1mM$(AN8-(bae|@odDi70-)!9>i0C 
z3RYgZ^15rx_$Qm5rOV39=*8wmt2|{j=7k>f!Z;S4{N8ef)yqA= z6)U-Nsb`6~6#wMYoLf7(mP5W+4_DQcc^5AS%kcjf7gF8yk3v1mOP5!e(Wf;OF?#X1 zm_GV<T64AON@>TSoK)=$KV71(DDoftV8}QP+tg751vJMC~k?4 z=RUkYhR2P(gu6*EOSq5f`4a1lg{eIC2|8hEB}NPD5#~fvY|rF{`O8bUtm~Nk&(;z- z=Yi(Q->iD1aHykmvhnPH{At*g4^13@`?T5gPPu8ZMS~W*22*r+u?{nJsHNh!E*@fm zF1zJ0;sGIuP6A}Ll-Usw12oU_c6f6pY46|FyJ+peSLRYK3CUu{i;1eKDX&eV9qrw z^10R-cP$J5HJ_XG%aRY~9?Q2s_+0IXzhyZJKRbT-gA1oSe)W36fLBk|Ie?e_y(k^| z-9I`uPP}@{ldoUe?XpeU@|ELT{)zE_`rU)CrtG?7bpG+1WS(eFLG-+OMq z_f4U`ZS{o#J^5A}O*?Dsw`KmP`E&a@e`t>(Pk zapT9uhqNvRKc)Y~pP%I8r}6QVe)wVi*whR9!Izl@OOBgM0gY6U+`>2cpKn*c(x&oxhl7CIPfA| z1z3Y;FT${STrGA@TPY0a!_$RuBj8y)A0SLl-l7ZPIU-yI_#GCB&Qbgb%t`TN{+;6r z0q5bl7-85|?!u91E5c?#8BY$vjesd;j+=mR2H@}UI1t_hc;6_j9aA2_7x5G$90KGo z;kda7X8`^U&pd>;0p{Q=)e?kr0hi*bK)4FDE~cZD<0#s;2YpY^o}sr-?(*n(h$a)9EWu{E)!vb z-{83zVeVdh`h~}gFxKI?i||+w#@Zye4^Ix|`RVWfDF+Ow-C#6uMvOBC7Xk7q9B&xP zrQ{AQ8Bk>^G=`GeQ}sNJ9;Bnp-b{{r0}tszg8kD!K-_6PonX8Us*j!_#=wx|0gIAy z4TXl3WK+s`W3r(zA>V*xZom|zmgxCoc|eaw)$u<|daUg$&t)0@=wKi_&rjmkg>(4GnBJbtRtyJygeIdcC-sX~1~o zO*L_;Q%t$WlH@9eXP}WAI374l3{?hG5@#B3$c@7otyI@|y{=eXf0%0IQfC1#cpR@c zhHpp;H>7${ZfZ$N)xg35A!B<|mm#rUYS$FKT|_hW-H)|Ni=Xnnwx$m>rO!%D9*}D) zF;*pqSRbUAxRfc3?ke_9G>+G4q&l1QIupax)_>@2O&iFiJ(egvplj$LZm1!P)9Wux z2@PmBb|syP^DMDl#G{NHF|H-jL47m6U*G&t9MLdn05@oSFJ*@0B#t=Pr!OgA z>>>K@1ASG98$5s;Ts<&%K#8e}$;c1M1j*)o39=cJU+R-tdY@3aS^emZ@gr7m>^%l! z@j3+f>F<9S2PQ(+V}A{Y;R_t%xMvgMa^8R+))C9m7q0Hq-XGH8Rvo^m!&h{8LWke! zaM){Fxv@IDS%iEr=IC&u4yWp{ zScmg<_;Ve4bht)`59sh$I^3wk%{qKWhdXo_(&2s`cIfae9e$w0FLZcLhXc?b^p~N- z3w3yz4s&&QgAS+aP%8x=Qs?(i{iAW@zgz!YWN?&KlzGbXu|0?#%8DX=Pj0foi54nBI##*zxpMVc%rAz^zVpVeEg2dB@3&$YEw~}XLjY1g_Vmd$`(6o zOUtTgA8+c?3Q)`4XDX^FE34w3FcnwSfUsK^R(Q*}*G&5UqP|avSw<{|?KonFFd$Yz z@$z`B+yrjHg8T(FRb{2Ld%HlZ6LTXw;ulnuE}$*ODr{sfDEC&Da`_ayY|(;JZ#6bn zYqdyj7Gm!z^Uyx>!s@$fxFWpM=2BVZ3a*&K%NOZ6=i{xSba~|pmX28&-fPM{3l>&Y zE%2>r8Z=+U2zOlTjdTFJnoO2@N^^|fq8_TQ9P~WY_@|6%Qgw`5q%eA768pv_? 
z8)*ZZaI7~jD_d4tg_+(jDTD@d+%rbnF<)4LQyaz_Pc_?q$83$l6=j&ewo<6FbXgS_ zF|LSJ&6!LqOKVs6{s6?N#OYJ^en4cQCjVZQK#vX|4F}C z@3WKt+5Zn~f-D~EZ$FrhH8&QIb+{i)?~m`N_n$cM69@hqai9uocp&G=B~}B zHgj7twwSl%Zn1AE+)}coYD?Xg#x0w+Y}*pr(!Ql@%c(8glNnE%pUi#I{$$~kK-2~O V4v@0RyeWs_#LG{A|JOP2zW~HBp}_zE literal 0 HcmV?d00001 diff --git a/libbeat/formats/fixtures/pe/hello-windows.fingerprint b/libbeat/formats/fixtures/pe/hello-windows.fingerprint new file mode 100644 index 000000000000..e8d62fcd0f3a --- /dev/null +++ b/libbeat/formats/fixtures/pe/hello-windows.fingerprint 
@@ -0,0 +1,156 @@
+{
+ "sections": [
+ {
+ "name": ".text",
+ "virtualAddress": 4096,
+ "virtualSize": 27640,
+ "rawSize": 27648,
+ "entropy": 6.29,
+ "chi2": 225694.72,
+ "md5": "51e08255c411dc9a70cf264ce3759661"
+ },
+ {
+ "name": ".data",
+ "virtualAddress": 32768,
+ "virtualSize": 240,
+ "rawSize": 512,
+ "entropy": 0.95,
+ "chi2": 101000,
+ "md5": "f949bb1e31e9e86f683276c781b888f0"
+ },
+ {
+ "name": ".rdata",
+ "virtualAddress": 36864,
+ "virtualSize": 3488,
+ "rawSize": 3584,
+ "entropy": 4.4,
+ "chi2": 168406.57,
+ "md5": "665cbc21d76c304121bec35c0580b5e1"
+ },
+ {
+ "name": ".pdata",
+ "virtualAddress": 40960,
+ "virtualSize": 1152,
+ "rawSize": 1536,
+ "entropy": 3.34,
+ "chi2": 157780.33,
+ "md5": "c3b5c11cb92a79955c0da333ef10c693"
+ },
+ {
+ "name": ".xdata",
+ "virtualAddress": 45056,
+ "virtualSize": 1068,
+ "rawSize": 1536,
+ "entropy": 3.5,
+ "chi2": 89461.33,
+ "md5": "59455bf68d2c06503c957bda56cf1dcd"
+ },
+ {
+ "name": ".bss",
+ "virtualAddress": 49152,
+ "virtualSize": 2976,
+ "rawSize": 0,
+ "entropy": 0,
+ "chi2": 0,
+ "md5": "d41d8cd98f00b204e9800998ecf8427e"
+ },
+ {
+ "name": ".idata",
+ "virtualAddress": 53248,
+ "virtualSize": 1844,
+ "rawSize": 2048,
+ "entropy": 3.68,
+ "chi2": 152175,
+ "md5": "c0f302e044780a30e2b6196eadbc2738"
+ },
+ {
+ "name": ".CRT",
+ "virtualAddress": 57344,
+ "virtualSize": 104,
+ "rawSize": 512,
+ "entropy": 0.34,
+ "chi2": 120559,
+ "md5": "136383d4876c87c3e594ab86b9e86a25"
+ },
+ {
+ "name": ".tls",
+ "virtualAddress": 61440,
+ "virtualSize": 16,
+ "rawSize": 512,
+ "entropy": 0,
+ "chi2": 130560,
+ "md5": "bf619eac0cdf3f68d496ea9344137e8b"
+ },
+ {
+ "name": ".reloc",
+ "virtualAddress": 65536,
+ "virtualSize": 140,
+ "rawSize": 512,
+ "entropy": 1.61,
+ "chi2": 81624,
+ "md5": "41150a7033476b722bd47a9dbf5238b0"
+ }
+ ],
+ "header": {
+ "entrypoint": 5344,
+ "targetMachine": "x64",
+ "containedSections": 10
+ },
+ "imports": {
+ "KERNEL32.dll": [
+ "DeleteCriticalSection",
+ "EnterCriticalSection",
+ "GetLastError",
+ "GetStartupInfoA",
+ "InitializeCriticalSection",
+ "IsDBCSLeadByteEx",
+ "LeaveCriticalSection",
+ "MultiByteToWideChar",
+ "SetUnhandledExceptionFilter",
+ "Sleep",
+ "TlsGetValue",
+ "VirtualProtect",
+ "VirtualQuery",
+ "WideCharToMultiByte"
+ ],
+ "msvcrt.dll": [
+ "__C_specific_handler",
+ "___lc_codepage_func",
+ "___mb_cur_max_func",
+ "__getmainargs",
+ "__initenv",
+ "__iob_func",
+ "__lconv_init",
+ "__set_app_type",
+ "__setusermatherr",
+ "_acmdln",
+ "_amsg_exit",
+ "_cexit",
+ "_commode",
+ "_errno",
+ "_fmode",
+ "_initterm",
+ "_lock",
+ "_onexit",
+ "_unlock",
+ "abort",
+ "calloc",
+ "exit",
+ "fprintf",
+ "fputc",
+ "free",
+ "fwrite",
+ "localeconv",
+ "malloc",
+ "memcpy",
+ "memset",
+ "signal",
+ "strerror",
+ "strlen",
+ "strncmp",
+ "vfprintf",
+ "wcslen"
+ ]
+ },
+ "imphash": "8eb8d513fcdab15ac9a267576668cb1c"
+}
\ No newline at end of file
diff --git a/libbeat/formats/lnk/.gitignore b/libbeat/formats/lnk/.gitignore
new file mode 100644
index 000000000000..b2750523e456
--- /dev/null
+++ b/libbeat/formats/lnk/.gitignore
@@ -0,0 +1,4 @@
+corpus
+suppressions
+crashers
+lnk-fuzz.zip
diff --git a/libbeat/formats/lnk/extra.go b/libbeat/formats/lnk/extra.go
new file mode 100644
index 000000000000..2260fe9b0335
--- /dev/null
+++ b/libbeat/formats/lnk/extra.go
@@ -0,0 +1,116 @@
+package lnk
+
+import (
+ "encoding/binary"
+ "errors"
+ "fmt"
+ "io"
+)
+
+const (
+ environmentBlock uint32 = 0xa0000001 + iota
+ consoleBlock
+ trackerBlock
+ consoleFEBlock
+ specialFolderBlock
+ darwinBlock
+ iconEnvironmentBlock
+ shimBlock
+ propertyStoreBlock
+ _
+ knownFolderBlock
+ vistaAndAboveIDListBlock
+)
+
+// https://github.com/libyal/liblnk/blob/master/documentation/Windows%20Shortcut%20File%20(LNK)%20format.asciidoc#6-extra-data
+
+func parseExtraBlocks(header *Header, offset int64, r io.ReaderAt) (*Extra, error) {
+ var size uint32
+ var signature uint32
+ var data []byte
+ var err error
+ extra := &Extra{}
+ for {
+ size, signature, offset, data, err = readRawBlock(offset, r)
+ if err != nil {
+ return nil, err
+ }
+ if size == 0 {
+ break
+ }
+ switch signature {
+ case environmentBlock:
+ extra.Environment, err = parseExtraEnvironment(size, data)
+ if err != nil {
+ return nil, err
+ }
+ case consoleBlock:
+ extra.Console, err = parseExtraConsole(size, data)
+ if err != nil {
+ return nil, err
+ }
+ case trackerBlock:
+ extra.Tracker, err = parseExtraTracker(size, data)
+ if err != nil {
+ return nil, err
+ }
+ case consoleFEBlock:
+ extra.ConsoleFE, err = parseExtraConsoleFE(size, data)
+ if err != nil {
+ return nil, err
+ }
+ case specialFolderBlock:
+ extra.SpecialFolder, err = parseExtraSpecialFolder(size, data)
+ if err != nil {
+ return nil, err
+ }
+ case darwinBlock:
+ extra.Darwin, err = parseExtraDarwin(size, data)
+ if err != nil {
+ return nil, err
+ }
+ case iconEnvironmentBlock:
+ extra.IconEnvironment, err = parseExtraIconEnvironment(size, data)
+ if err != nil {
+ return nil, err
+ }
+ case shimBlock:
+ extra.Shim, err = parseExtraShim(size, data)
+ if err != nil {
+ return nil, err
+ }
+ case propertyStoreBlock:
+ extra.PropertyStore, err = parseExtraPropertyStore(size, data)
+ if err != nil {
+ return nil, err
+ }
+ case knownFolderBlock:
+ extra.KnownFolder, err = parseExtraKnownFolder(size, data)
+ if err != nil {
+ return nil, err
+ }
+ case vistaAndAboveIDListBlock:
+ extra.VistaAndAboveIDList, err = parseExtraVistaAndAboveIDList(size, data)
+ if err != nil {
+ return nil, err
+ }
+ default:
+ return nil, fmt.Errorf("unknown block signature: %x", signature)
+ }
+ }
+ return extra, nil
+}
+
+func readRawBlock(offset int64, r io.ReaderAt) (uint32, uint32, int64, []byte, error) {
+ size, data, err := readU32Data(offset, r)
+ if err != nil {
+ return 0, 0, 0, nil, err
+ }
+ if size == 0 {
+ return 0, 0, 0, nil, nil
+ }
+ if size < 8 {
+ return 0, 0, 0, nil, errors.New("invalid block size")
+ }
+ return size, binary.LittleEndian.Uint32(data[4:8]), offset + int64(size), data, nil
+}
diff --git a/libbeat/formats/lnk/extra_console.go b/libbeat/formats/lnk/extra_console.go
new file mode 100644
index 000000000000..17f1ac37e9b9
--- /dev/null
+++ b/libbeat/formats/lnk/extra_console.go
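Review bot: The `default:` arm of parseExtraBlocks aborts the whole parse on an unrecognized block signature, so every field already extracted from the shortcut is discarded because of one block the parser has no handler for; since readRawBlock already returns the block's size, the block can be skipped instead (`default: // unrecognized block: skip it, its size is known`, leaving the loop to continue), which matters for a parser that is fed untrusted or vendor-extended files. If I read MS-SHLLINK correctly, readers are meant to ignore blocks they do not recognize, so skipping would also match the spec; if strictness is intended, a comment saying so would help the next reader. A repeated block with the same signature silently overwrites the earlier one, which is probably fine for a fingerprint but deserves a one-line comment. readRawBlock indexes `data[4:8]` on the assumption that readU32Data (defined outside this hunk) returns at least `size` bytes; if that is not guaranteed, a `len(data) < 8` check before the slice keeps a truncated file from panicking.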
@@ -0,0 +1,104 @@ +package lnk + +import ( + "encoding/binary" + "errors" + "fmt" + "sort" + "strings" + + "github.com/elastic/beats/v7/libbeat/formats/common" +) + +var ( + fontFamilies = map[uint32]string{ + 0x0000: "FF_DONTCARE", + 0x0010: "FF_ROMAN", + 0x0020: "FW_SWISS", + 0x0030: "FF_MODERN", + 0x0040: "FF_SCRIPT", + 0x0050: "FF_DECORATIVE", + } + fontPitches = map[uint32]string{ + 0x0000: "TMPF_NONE", + 0x0001: "TMPF_FIXED_PITCH", + 0x0002: "TMPF_VECTOR", + 0x0003: "TMPF_TRUETYPE", + 0x0004: "TMPF_DEVICE", + } + fillAttributes = map[uint32]string{ + 0x0001: "FOREGROUND_BLUE", + 0x0002: "FOREGROUND_GREEN", + 0x0004: "FOREGROUND_RED", + 0x0008: "FOREGROUND_INTENSITY", + 0x0010: "BACKGROUND_BLUE", + 0x0020: "BACKGROUND_GREEN", + 0x0040: "BACKGROUND_RED", + 0x0080: "BACKGROUND_INTENSITY", + } +) + +func parseExtraConsole(size uint32, data []byte) (*Console, error) { + if size != 0x000000cc { + return nil, errors.New("invalid extra console block size") + } + return &Console{ + FillAttributes: parseFlags(fillAttributes, uint32(binary.LittleEndian.Uint16(data[8:10]))), + PopupFillAttributes: parseFlags(fillAttributes, uint32(binary.LittleEndian.Uint16(data[10:12]))), + ScreenBufferSizeX: binary.LittleEndian.Uint16(data[12:14]), + ScreenBufferSizeY: binary.LittleEndian.Uint16(data[14:16]), + WindowSizeX: binary.LittleEndian.Uint16(data[16:18]), + WindowSizeY: binary.LittleEndian.Uint16(data[18:20]), + WindowOriginX: binary.LittleEndian.Uint16(data[20:22]), + WindowOriginY: binary.LittleEndian.Uint16(data[22:24]), + FontSize: binary.LittleEndian.Uint32(data[32:36]), + FontFamily: normalizeFontFamily(binary.LittleEndian.Uint32(data[36:40])), + FontWeight: binary.LittleEndian.Uint32(data[40:44]), + FaceName: common.ReadUnicode(data[44:108], 0), + CursorSize: binary.LittleEndian.Uint32(data[108:112]), + FullScreen: normalizeBoolean(binary.LittleEndian.Uint32(data[112:116])), + QuickEdit: normalizeBoolean(binary.LittleEndian.Uint32(data[116:120])), + InsertMode: 
normalizeBoolean(binary.LittleEndian.Uint32(data[120:124])), + AutoPosition: normalizeBoolean(binary.LittleEndian.Uint32(data[124:128])), + HistoryBufferSize: binary.LittleEndian.Uint32(data[128:132]), + NumberOfHistoryBuffers: binary.LittleEndian.Uint32(data[132:136]), + HistoryNoDup: normalizeBoolean(binary.LittleEndian.Uint32(data[136:140])), + ColorTable: chunkColorTable(data[140:204]), + }, nil +} + +func normalizeFontFamily(value uint32) string { + fontTokens := []string{} + for flag, name := range fontFamilies { + if 0xFFF0&value == flag { + fontTokens = append(fontTokens, name) + break + } + } + if len(fontTokens) == 0 { + return "" + } + pitchValue := 0x000F & value + for flag, name := range fontPitches { + if hasFlag(pitchValue, flag) { + fontTokens = append(fontTokens, name) + } + } + if len(fontTokens) == 1 { + fontTokens = append(fontTokens, "TMPF_NONE") + } + sort.Strings(fontTokens) + return strings.Join(fontTokens, " | ") +} + +func normalizeBoolean(value uint32) bool { + return value != 0 +} + +func chunkColorTable(value []byte) []string { + colors := make([]string, 16) + for i := 0; i < 16; i++ { + colors[i] = fmt.Sprintf("0x%06x", binary.LittleEndian.Uint32(value[i*4:(i+1)*4])) + } + return colors +} diff --git a/libbeat/formats/lnk/extra_console_fe.go b/libbeat/formats/lnk/extra_console_fe.go new file mode 100644 index 000000000000..c92f582fca98 --- /dev/null +++ b/libbeat/formats/lnk/extra_console_fe.go 
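Review bot: fontPitches mixes enumerated values with bit tests: normalizeFontFamily calls `hasFlag(pitchValue, flag)`, so `0x0003: "TMPF_TRUETYPE"` is reported whenever FIXED_PITCH (0x1) or VECTOR (0x2) is set, and `0x0000: "TMPF_NONE"` can never match because `x & 0 != 0` is always false, which is why the `len(fontTokens) == 1` fallback exists. In wingdi.h the pitch values are single bits — TMPF_FIXED_PITCH 0x01, TMPF_VECTOR 0x02, TMPF_TRUETYPE 0x04, TMPF_DEVICE 0x08 — so the table should read `0x0004: "TMPF_TRUETYPE", 0x0008: "TMPF_DEVICE"` and TMPF_NONE should be the explicit `pitchValue == 0` case rather than a map entry. `0x0020: "FW_SWISS"` looks like a typo for `"FF_SWISS"` (every other family uses the FF_ prefix). Since these strings land in the fingerprint fixtures, correcting them later means regenerating test data, so it is cheaper to fix them in this commit.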
@@ -0,0 +1,176 @@ +package lnk + +import ( + "encoding/binary" + "errors" +) + +var ( + // https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers + codePages = map[uint32]string{ + 037: "IBM EBCDIC US-Canada", + 437: "OEM United States", + 500: "IBM EBCDIC International", + 708: "Arabic (ASMO 708)", + 709: "Arabic (ASMO-449+, BCON V4)", + 710: "Arabic - Transparent Arabic", + 720: "Arabic (Transparent ASMO); Arabic (DOS)", + 737: "OEM Greek (formerly 437G); Greek (DOS)", + 775: "OEM Baltic; Baltic (DOS)", + 850: "OEM Multilingual Latin 1; Western European (DOS)", + 852: "OEM Latin 2; Central European (DOS)", + 855: "OEM Cyrillic (primarily Russian)", + 857: "OEM Turkish; Turkish (DOS)", + 858: "OEM Multilingual Latin 1 + Euro symbol", + 860: "OEM Portuguese; Portuguese (DOS)", + 861: "OEM Icelandic; Icelandic (DOS)", + 862: "OEM Hebrew; Hebrew (DOS)", + 863: "OEM French Canadian; French Canadian (DOS)", + 864: "OEM Arabic; Arabic (864)", + 865: "OEM Nordic; Nordic (DOS)", + 866: "OEM Russian; Cyrillic (DOS)", + 869: "OEM Modern Greek; Greek, Modern (DOS)", + 870: "IBM EBCDIC Multilingual/ROECE (Latin 2); IBM EBCDIC Multilingual Latin 2", + 874: "ANSI/OEM Thai (ISO 8859-11); Thai (Windows)", + 875: "IBM EBCDIC Greek Modern", + 932: "ANSI/OEM Japanese; Japanese (Shift-JIS)", + 936: "ANSI/OEM Simplified Chinese (PRC, Singapore); Chinese Simplified (GB2312)", + 949: "ANSI/OEM Korean (Unified Hangul Code)", + 950: "ANSI/OEM Traditional Chinese (Taiwan; Hong Kong SAR, PRC); Chinese Traditional (Big5)", + 1026: "IBM EBCDIC Turkish (Latin 5)", + 1047: "IBM EBCDIC Latin 1/Open System", + 1140: "IBM EBCDIC US-Canada (037 + Euro symbol); IBM EBCDIC (US-Canada-Euro)", + 1141: "IBM EBCDIC Germany (20273 + Euro symbol); IBM EBCDIC (Germany-Euro)", + 1142: "IBM EBCDIC Denmark-Norway (20277 + Euro symbol); IBM EBCDIC (Denmark-Norway-Euro)", + 1143: "IBM EBCDIC Finland-Sweden (20278 + Euro symbol); IBM EBCDIC (Finland-Sweden-Euro)", + 1144: "IBM EBCDIC Italy 
(20280 + Euro symbol); IBM EBCDIC (Italy-Euro)", + 1145: "IBM EBCDIC Latin America-Spain (20284 + Euro symbol); IBM EBCDIC (Spain-Euro)", + 1146: "IBM EBCDIC United Kingdom (20285 + Euro symbol); IBM EBCDIC (UK-Euro)", + 1147: "IBM EBCDIC France (20297 + Euro symbol); IBM EBCDIC (France-Euro)", + 1148: "IBM EBCDIC International (500 + Euro symbol); IBM EBCDIC (International-Euro)", + 1149: "IBM EBCDIC Icelandic (20871 + Euro symbol); IBM EBCDIC (Icelandic-Euro)", + 1200: "Unicode UTF-16, little endian byte order (BMP of ISO 10646); available only to managed applications", + 1201: "Unicode UTF-16, big endian byte order; available only to managed applications", + 1250: "ANSI Central European; Central European (Windows)", + 1251: "ANSI Cyrillic; Cyrillic (Windows)", + 1252: "ANSI Latin 1; Western European (Windows)", + 1253: "ANSI Greek; Greek (Windows)", + 1254: "ANSI Turkish; Turkish (Windows)", + 1255: "ANSI Hebrew; Hebrew (Windows)", + 1256: "ANSI Arabic; Arabic (Windows)", + 1257: "ANSI Baltic; Baltic (Windows)", + 1258: "ANSI/OEM Vietnamese; Vietnamese (Windows)", + 1361: "Korean (Johab)", + 10000: "MAC Roman; Western European (Mac)", + 10001: "Japanese (Mac)", + 10002: "MAC Traditional Chinese (Big5); Chinese Traditional (Mac)", + 10003: "Korean (Mac)", + 10004: "Arabic (Mac)", + 10005: "Hebrew (Mac)", + 10006: "Greek (Mac)", + 10007: "Cyrillic (Mac)", + 10008: "MAC Simplified Chinese (GB 2312); Chinese Simplified (Mac)", + 10010: "Romanian (Mac)", + 10017: "Ukrainian (Mac)", + 10021: "Thai (Mac)", + 10029: "MAC Latin 2; Central European (Mac)", + 10079: "Icelandic (Mac)", + 10081: "Turkish (Mac)", + 10082: "Croatian (Mac)", + 12000: "Unicode UTF-32, little endian byte order; available only to managed applications", + 12001: "Unicode UTF-32, big endian byte order; available only to managed applications", + 20000: "CNS Taiwan; Chinese Traditional (CNS)", + 20001: "TCA Taiwan", + 20002: "Eten Taiwan; Chinese Traditional (Eten)", + 20003: "IBM5550 Taiwan", + 
20004: "TeleText Taiwan", + 20005: "Wang Taiwan", + 20105: "IA5 (IRV International Alphabet No. 5, 7-bit); Western European (IA5)", + 20106: "IA5 German (7-bit)", + 20107: "IA5 Swedish (7-bit)", + 20108: "IA5 Norwegian (7-bit)", + 20127: "US-ASCII (7-bit)", + 20261: "T.61", + 20269: "ISO 6937 Non-Spacing Accent", + 20273: "IBM EBCDIC Germany", + 20277: "IBM EBCDIC Denmark-Norway", + 20278: "IBM EBCDIC Finland-Sweden", + 20280: "IBM EBCDIC Italy", + 20284: "IBM EBCDIC Latin America-Spain", + 20285: "IBM EBCDIC United Kingdom", + 20290: "IBM EBCDIC Japanese Katakana Extended", + 20297: "IBM EBCDIC France", + 20420: "IBM EBCDIC Arabic", + 20423: "IBM EBCDIC Greek", + 20424: "IBM EBCDIC Hebrew", + 20833: "IBM EBCDIC Korean Extended", + 20838: "IBM EBCDIC Thai", + 20866: "Russian (KOI8-R); Cyrillic (KOI8-R)", + 20871: "IBM EBCDIC Icelandic", + 20880: "IBM EBCDIC Cyrillic Russian", + 20905: "IBM EBCDIC Turkish", + 20924: "IBM EBCDIC Latin 1/Open System (1047 + Euro symbol)", + 20932: "Japanese (JIS 0208-1990 and 0212-1990)", + 20936: "Simplified Chinese (GB2312); Chinese Simplified (GB2312-80)", + 20949: "Korean Wansung", + 21025: "IBM EBCDIC Cyrillic Serbian-Bulgarian", + 21866: "Ukrainian (KOI8-U); Cyrillic (KOI8-U)", + 28591: "ISO 8859-1 Latin 1; Western European (ISO)", + 28592: "ISO 8859-2 Central European; Central European (ISO)", + 28593: "ISO 8859-3 Latin 3", + 28594: "ISO 8859-4 Baltic", + 28595: "ISO 8859-5 Cyrillic", + 28596: "ISO 8859-6 Arabic", + 28597: "ISO 8859-7 Greek", + 28598: "ISO 8859-8 Hebrew; Hebrew (ISO-Visual)", + 28599: "ISO 8859-9 Turkish", + 28603: "ISO 8859-13 Estonian", + 28605: "ISO 8859-15 Latin 9", + 29001: "Europa 3", + 38598: "ISO 8859-8 Hebrew; Hebrew (ISO-Logical)", + 50220: "ISO 2022 Japanese with no halfwidth Katakana; Japanese (JIS)", + 50221: "ISO 2022 Japanese with halfwidth Katakana; Japanese (JIS-Allow 1 byte Kana)", + 50222: "ISO 2022 Japanese JIS X 0201-1989; Japanese (JIS-Allow 1 byte Kana - SO/SI)", + 50225: "ISO 2022 
Korean", + 50227: "ISO 2022 Simplified Chinese; Chinese Simplified (ISO 2022)", + 50229: "ISO 2022 Traditional Chinese", + 50930: "EBCDIC Japanese (Katakana) Extended", + 50931: "EBCDIC US-Canada and Japanese", + 50933: "EBCDIC Korean Extended and Korean", + 50935: "EBCDIC Simplified Chinese Extended and Simplified Chinese", + 50936: "EBCDIC Simplified Chinese", + 50937: "EBCDIC US-Canada and Traditional Chinese", + 50939: "EBCDIC Japanese (Latin) Extended and Japanese", + 51932: "EUC Japanese", + 51936: "EUC Simplified Chinese; Chinese Simplified (EUC)", + 51949: "EUC Korean", + 51950: "EUC Traditional Chinese", + 52936: "HZ-GB2312 Simplified Chinese; Chinese Simplified (HZ)", + 54936: "Windows XP and later: GB18030 Simplified Chinese (4 byte); Chinese Simplified (GB18030)", + 57002: "ISCII Devanagari", + 57003: "ISCII Bangla", + 57004: "ISCII Tamil", + 57005: "ISCII Telugu", + 57006: "ISCII Assamese", + 57007: "ISCII Odia", + 57008: "ISCII Kannada", + 57009: "ISCII Malayalam", + 57010: "ISCII Gujarati", + 57011: "ISCII Punjabi", + 65000: "Unicode (UTF-7)", + 65001: "Unicode (UTF-8)", + } +) + +func parseExtraConsoleFE(size uint32, data []byte) (*ConsoleFE, error) { + if size != 0x0000000c { + return nil, errors.New("invalid extra console fe block size") + } + codePage, ok := codePages[binary.LittleEndian.Uint32(data[8:12])] + if !ok { + codePage = "Unknown" + } + return &ConsoleFE{ + CodePage: codePage, + }, nil +} diff --git a/libbeat/formats/lnk/extra_darwin_block.go b/libbeat/formats/lnk/extra_darwin_block.go new file mode 100644 index 000000000000..6d1001b1fed7 --- /dev/null +++ b/libbeat/formats/lnk/extra_darwin_block.go 
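Review bot: `037:` in the codePages table is an octal literal in Go (decimal 31), so code page 37 (IBM EBCDIC US-Canada) is never matched and a ConsoleFE block carrying code page 31 would be mislabelled as EBCDIC; the key should be written `37:`. Neither the compiler nor `go vet` flags this, so a unit test that feeds a block with code page 0x25 and expects the EBCDIC label would pin it. The other keys are fine since none of them starts with a zero.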
@@ -0,0 +1,19 @@
+package lnk
+
+import (
+ "errors"
+
+ "github.com/elastic/beats/v7/libbeat/formats/common"
+)
+
+func parseExtraDarwin(size uint32, data []byte) (*Darwin, error) {
+ if size != 0x00000314 {
+ return nil, errors.New("invalid extra darwin block size")
+ }
+ ansi := common.ReadString(data[8:268], 0)
+ unicode := common.ReadUnicode(data[268:788], 0)
+ return &Darwin{
+ ANSI: ansi,
+ Unicode: unicode,
+ }, nil
+}
diff --git a/libbeat/formats/lnk/extra_environment.go b/libbeat/formats/lnk/extra_environment.go
new file mode 100644
index 000000000000..b8b7de84f821
--- /dev/null
+++ b/libbeat/formats/lnk/extra_environment.go
@@ -0,0 +1,19 @@
+package lnk
+
+import (
+ "errors"
+
+ "github.com/elastic/beats/v7/libbeat/formats/common"
+)
+
+func parseExtraEnvironment(size uint32, data []byte) (*Environment, error) {
+ if size != 0x00000314 {
+ return nil, errors.New("invalid extra environment block size")
+ }
+ ansi := common.ReadString(data[8:268], 0)
+ unicode := common.ReadUnicode(data[268:788], 0)
+ return &Environment{
+ ANSI: ansi,
+ Unicode: unicode,
+ }, nil
+}
diff --git a/libbeat/formats/lnk/extra_icon_environment.go b/libbeat/formats/lnk/extra_icon_environment.go
new file mode 100644
index 000000000000..d2abdf645ee7
--- /dev/null
+++ b/libbeat/formats/lnk/extra_icon_environment.go
@@ -0,0 +1,19 @@
+package lnk
+
+import (
+ "errors"
+
+ "github.com/elastic/beats/v7/libbeat/formats/common"
+)
+
+func parseExtraIconEnvironment(size uint32, data []byte) (*IconEnvironment, error) {
+ if size != 0x00000314 {
+ return nil, errors.New("invalid extra icon environment block size")
+ }
+ ansi := common.ReadString(data[8:268], 0)
+ unicode := common.ReadUnicode(data[268:788], 0)
+ return &IconEnvironment{
+ ANSI: ansi,
+ Unicode: unicode,
+ }, nil
+}
diff --git a/libbeat/formats/lnk/extra_known_folder.go b/libbeat/formats/lnk/extra_known_folder.go
new file mode 100644
index 000000000000..8071b16af1c8
--- /dev/null
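Review bot: parseExtraDarwin, parseExtraEnvironment and parseExtraIconEnvironment (the three hunks on this line) are the same function apart from the result type and the error text, including the `0x00000314`, `8:268` and `268:788` layout constants repeated three times. A single helper such as `func parseANSIUnicodeBlock(size uint32, data []byte, kind string) (ansi, unicode string, err error)` that the three thin wrappers call would keep the layout in one place, so a future bounds fix or a change in string decoding applies to all of them at once. The wrappers would then only build their own struct, which also makes the error messages (`"invalid extra " + kind + " block size"`) consistent by construction.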
+++ b/libbeat/formats/lnk/extra_known_folder.go
@@ -0,0 +1,16 @@
+package lnk
+
+import (
+ "encoding/binary"
+ "errors"
+)
+
+func parseExtraKnownFolder(size uint32, data []byte) (*KnownFolder, error) {
+ if size != 0x0000001C {
+ return nil, errors.New("invalid extra known folder block size")
+ }
+ return &KnownFolder{
+ ID: encodeUUID(data[8:24]),
+ Offset: binary.LittleEndian.Uint32(data[24:28]),
+ }, nil
+}
diff --git a/libbeat/formats/lnk/extra_property_store.go b/libbeat/formats/lnk/extra_property_store.go
new file mode 100644
index 000000000000..1d467d265b70
--- /dev/null
+++ b/libbeat/formats/lnk/extra_property_store.go
@@ -0,0 +1,405 @@ +package lnk + +import ( + "encoding/binary" + "errors" + "math" + + "github.com/elastic/beats/v7/libbeat/formats/common" +) + +const ( + vtEmpty uint32 = 0x0000 + vtNull uint32 = 0x0001 + vtI2 uint32 = 0x0002 + vtI4 uint32 = 0x0003 + vtR4 uint32 = 0x0004 + vtR8 uint32 = 0x0005 + vtCY uint32 = 0x0006 + vtDate uint32 = 0x0007 + vtBStr uint32 = 0x0008 + vtError uint32 = 0x000A + vtBool uint32 = 0x000B + vtDecimal uint32 = 0x000E + vtI1 uint32 = 0x0010 + vtUI1 uint32 = 0x0011 + vtUI2 uint32 = 0x0012 + vtUI4 uint32 = 0x0013 + vtI8 uint32 = 0x0014 + vtUI8 uint32 = 0x0015 + vtInt uint32 = 0x0016 + vtUInt uint32 = 0x0017 + vtLPStr uint32 = 0x001E + vtLPWStr uint32 = 0x001F + vtFiletime uint32 = 0x0040 + vtBlob uint32 = 0x0041 + vtStream uint32 = 0x0042 + vtStorage uint32 = 0x0043 + vtStreamedObject uint32 = 0x0044 + vtStoredObject uint32 = 0x0045 + vtBlobObject uint32 = 0x0046 + vtCF uint32 = 0x0047 + vtCLSID uint32 = 0x0048 + vtVersionedStream uint32 = 0x0049 + // vectors + vtVectorI2 uint32 = 0x1002 + vtVectorI4 uint32 = 0x1003 + vtVectorR4 uint32 = 0x1004 + vtVectorR8 uint32 = 0x1005 + vtVectorCY uint32 = 0x1006 + vtVectorDate uint32 = 0x1007 + vtVectorBStr uint32 = 0x1008 + vtVectorError uint32 = 0x100A + vtVectorBool uint32 = 0x100B + vtVectorVariant uint32 = 0x100C + vtVectorI1 uint32 = 0x1010 + vtVectorUI1 uint32 = 0x1011 + vtVectorUI2 uint32 = 0x1012 + vtVectorUI4 uint32 = 0x1013 + vtVectorI8 uint32 = 0x1014 + vtVectorUI8 uint32 = 0x1015 + vtVectorLPStr uint32 = 0x101E + vtVectorLPWStr uint32 = 0x101F + vtVectorFiletime uint32 = 0x1040 + vtVectorCF uint32 = 0x1047 + vtVectorCLSID uint32 = 0x1048 + // arrays + vtArrayI2 uint32 = 0x2002 + vtArrayI4 uint32 = 0x2003 + vtArrayR4 uint32 = 0x2004 + vtArrayR8 uint32 = 0x2005 + vtArrayCY uint32 = 0x2006 + vtArrayDate uint32 = 0x2007 + vtArrayBStr uint32 = 0x2008 + vtArrayError uint32 = 0x200A + vtArrayBool uint32 = 0x200B + vtArrayVariant uint32 = 0x200C + vtArrayDecimal uint32 = 0x200E + vtArrayI1 uint32 
= 0x2010 + vtArrayUI1 uint32 = 0x2011 + vtArrayUI2 uint32 = 0x2012 + vtArrayUI4 uint32 = 0x2013 + vtArrayInt uint32 = 0x2016 + vtArrayUint uint32 = 0x2017 +) + +var ( + propertyTypes = map[uint32]string{ + vtEmpty: "VT_EMPTY", + vtNull: "VT_NULL", + vtI2: "VT_I2", + vtI4: "VT_I4", + vtR4: "VT_R4", + vtR8: "VT_R8", + vtCY: "VT_CY", + vtDate: "VT_DATE", + vtBStr: "VT_BSTR", + vtError: "VT_ERROR", + vtBool: "VT_BOOL", + vtDecimal: "VT_DECIMAL", + vtI1: "VT_I1", + vtUI1: "VT_UI1", + vtUI2: "VT_UI2", + vtUI4: "VT_UI4", + vtI8: "VT_I8", + vtUI8: "VT_UI8", + vtInt: "VT_INT", + vtUInt: "VT_UINT", + vtLPStr: "VT_LPSTR", + vtLPWStr: "VT_LPWSTR", + vtFiletime: "VT_FILETIME", + vtBlob: "VT_BLOB", + vtStream: "VT_STREAM", + vtStorage: "VT_STORAGE", + vtStreamedObject: "VT_STREAMED_OBJECT", + vtStoredObject: "VT_STORED_OBJECT", + vtBlobObject: "VT_BLOB_OBJECT", + vtCF: "VT_CF", + vtCLSID: "VT_CLSID", + vtVersionedStream: "VT_VERSIONED_STREAM", + vtVectorI2: "VT_VECTOR | VT_I2", + vtVectorI4: "VT_VECTOR | VT_I4", + vtVectorR4: "VT_VECTOR | VT_R4", + vtVectorR8: "VT_VECTOR | VT_R8", + vtVectorCY: "VT_VECTOR | VT_CY", + vtVectorDate: "VT_VECTOR | VT_DATE", + vtVectorBStr: "VT_VECTOR | VT_BSTR", + vtVectorError: "VT_VECTOR | VT_ERROR", + vtVectorBool: "VT_VECTOR | VT_BOOL", + vtVectorVariant: "VT_VECTOR | VT_VARIANT", + vtVectorI1: "VT_VECTOR | VT_I1", + vtVectorUI1: "VT_VECTOR | VT_UI1", + vtVectorUI2: "VT_VECTOR | VT_UI2", + vtVectorUI4: "VT_VECTOR | VT_UI4", + vtVectorI8: "VT_VECTOR | VT_I8", + vtVectorUI8: "VT_VECTOR | VT_UI8", + vtVectorLPStr: "VT_VECTOR | VT_LPSTR", + vtVectorLPWStr: "VT_VECTOR | VT_LPWSTR", + vtVectorFiletime: "VT_VECTOR | VT_FILETIME", + vtVectorCF: "VT_VECTOR | VT_CF", + vtVectorCLSID: "VT_VECTOR | VT_CLSID", + vtArrayI2: "VT_ARRAY | VT_I2", + vtArrayI4: "VT_ARRAY | VT_I4", + vtArrayR4: "VT_ARRAY | VT_R4", + vtArrayR8: "VT_ARRAY | VT_R8", + vtArrayCY: "VT_ARRAY | VT_CY", + vtArrayDate: "VT_ARRAY | VT_DATE", + vtArrayBStr: "VT_ARRAY | VT_BSTR", + 
vtArrayError: "VT_ARRAY | VT_ERROR", + vtArrayBool: "VT_ARRAY | VT_BOOL", + vtArrayVariant: "VT_ARRAY | VT_VARIANT", + vtArrayDecimal: "VT_ARRAY | VT_DECIMAL", + vtArrayI1: "VT_ARRAY | VT_I1", + vtArrayUI1: "VT_ARRAY | VT_UI1", + vtArrayUI2: "VT_ARRAY | VT_UI2", + vtArrayUI4: "VT_ARRAY | VT_UI4", + vtArrayInt: "VT_ARRAY | VT_INT", + vtArrayUint: "VT_ARRAY | VT_UINT", + } +) + +func parseExtraPropertyStore(size uint32, data []byte) (*PropertyStore, error) { + if size < 0x0000000C { + return nil, errors.New("invalid extra property store block size") + } + namedProperties := make(map[string][]Property) + idProperties := make(map[uint32][]Property) + store := data[8:] + offset := 0 + for { + propertyData := store[offset:] + if len(propertyData) < 4 { + break + } + propertySize := binary.LittleEndian.Uint32(propertyData[0:4]) + if propertySize == 0 { + break + } + if len(propertyData) < 24 || len(propertyData) < int(propertySize) { + return nil, errors.New("invalid property size") + } + version := binary.LittleEndian.Uint32(propertyData[4:8]) + if version != 0x53505331 { + return nil, errors.New("invalid property version") + } + format := encodeUUID(propertyData[8:24]) + if format == "d5cdd505-2e9c-101b-9397-08002b2cf9ae" { + name, properties, err := parseNamedProperties(propertyData[24:propertySize]) + if err != nil { + return nil, err + } + if properties != nil { + namedProperties[name] = properties + } + } else { + id, properties, err := parseProperties(propertyData[24:propertySize]) + if err != nil { + return nil, err + } + if properties != nil { + idProperties[id] = properties + } + } + offset += int(propertySize) + } + + return &PropertyStore{ + NamedProperties: namedProperties, + Properties: idProperties, + }, nil +} + +func parseNamedProperties(data []byte) (string, []Property, error) { + propertySize := binary.LittleEndian.Uint32(data[0:4]) + if propertySize == 0 { + return "", nil, nil + } + nameSize := binary.LittleEndian.Uint32(data[4:8]) + name := 
common.ReadUnicode(data[9:nameSize+9], 0) + value, err := parseTypedValue(data[nameSize+9 : propertySize]) + if err != nil { + return "", nil, err + } + return name, value, nil +} + +func parseProperties(data []byte) (uint32, []Property, error) { + propertySize := binary.LittleEndian.Uint32(data[0:4]) + if propertySize == 0 { + return 0, nil, nil + } + id := binary.LittleEndian.Uint32(data[4:8]) + if int(propertySize) > len(data) { + return 0, nil, errors.New("invalid property size") + } + value, err := parseTypedValue(data[9:propertySize]) + if err != nil { + return id, nil, err + } + return id, value, nil +} + +func parseTypedValue(data []byte) ([]Property, error) { + if len(data) < 4 { + return nil, errors.New("invalid properties") + } + valueType := binary.LittleEndian.Uint32(data[0:4]) + switch valueType { + case vtEmpty: + fallthrough + case vtNull: + return []Property{ + Property{ + Type: propertyTypes[valueType], + }, + }, nil + case vtI2: + return []Property{ + Property{ + Type: propertyTypes[valueType], + Value: int16(binary.LittleEndian.Uint16(data[4:8])), + }, + }, nil + case vtI4: + return []Property{ + Property{ + Type: propertyTypes[valueType], + Value: int32(binary.LittleEndian.Uint32(data[4:8])), + }, + }, nil + case vtR4: + bits := binary.LittleEndian.Uint32(data[4:8]) + float := math.Float32frombits(bits) + return []Property{ + Property{ + Type: propertyTypes[valueType], + Value: float, + }, + }, nil + case vtR8: + bits := binary.LittleEndian.Uint64(data[4:12]) + float := math.Float64frombits(bits) + return []Property{ + Property{ + Type: propertyTypes[valueType], + Value: float, + }, + }, nil + case vtCY: + return []Property{ + Property{ + Type: propertyTypes[valueType], + Value: binary.LittleEndian.Uint64(data[4:12]), + }, + }, nil + case vtDate: + return []Property{ + Property{ + Type: propertyTypes[valueType], + Value: normalizeTime(binary.LittleEndian.Uint64(data[4:12])), + }, + }, nil + case vtBStr: + codePageSize := 
binary.LittleEndian.Uint32(data[4:8]) + if int(codePageSize+8) > len(data) { + return nil, errors.New("invalid code page size") + } + codePage := common.ReadString(data[8:8+codePageSize], 0) + return []Property{ + Property{ + Type: propertyTypes[valueType], + Value: codePage, + }, + }, nil + case vtError: + return []Property{ + Property{ + Type: propertyTypes[valueType], + Value: binary.LittleEndian.Uint32(data[4:8]), + }, + }, nil + case vtBool: + return []Property{ + Property{ + Type: propertyTypes[valueType], + Value: binary.LittleEndian.Uint16(data[4:6]) == 0xFFFF, + }, + }, nil + // case vtDecimal: + // case vtI1: + // case vtUI1: + // case vtUI2: + // case vtUI4: + // case vtI8: + // case vtUI8: + // case vtInt: + // case vtUInt: + // case vtLPStr: + case vtLPWStr: + length := binary.LittleEndian.Uint32(data[4:8]) * 2 + if int(length+8) > len(data) { + return nil, errors.New("invalid LPWStr length") + } + return []Property{ + Property{ + Type: propertyTypes[valueType], + Value: common.ReadUnicode(data[8:8+length], 0), + }, + }, nil + // case vtFiletime: + // case vtBlob: + // case vtStream: + // case vtStorage: + // case vtStreamedObject: + // case vtStoredObject: + // case vtBlobObject: + // case vtCF: + // case vtCLSID: + // case vtVersionedStream: + // case vtVectorI2: + // case vtVectorI4: + // case vtVectorR4: + // case vtVectorR8: + // case vtVectorCY: + // case vtVectorDate: + // case vtVectorBStr: + // case vtVectorError: + // case vtVectorBool: + // case vtVectorVariant: + // case vtVectorI1: + // case vtVectorUI1: + // case vtVectorUI2: + // case vtVectorUI4: + // case vtVectorI8: + // case vtVectorUI8: + // case vtVectorLPStr: + // case vtVectorLPWStr: + // case vtVectorFiletime: + // case vtVectorCF: + // case vtVectorCLSID: + // case vtArrayI2: + // case vtArrayI4: + // case vtArrayR4: + // case vtArrayR8: + // case vtArrayCY: + // case vtArrayDate: + // case vtArrayBStr: + // case vtArrayError: + // case vtArrayBool: + // case vtArrayVariant: + 
// case vtArrayDecimal: + // case vtArrayI1: + // case vtArrayUI1: + // case vtArrayUI2: + // case vtArrayUI4: + // case vtArrayInt: + // case vtArrayUint: + default: + return []Property{ + Property{ + Type: propertyTypes[valueType], + Value: data[4:], + }, + }, nil + } +} diff --git a/libbeat/formats/lnk/extra_shim.go b/libbeat/formats/lnk/extra_shim.go new file mode 100644 index 000000000000..ecf535c1e458 --- /dev/null +++ b/libbeat/formats/lnk/extra_shim.go @@ -0,0 +1,16 @@ +package lnk + +import ( + "errors" + + "github.com/elastic/beats/v7/libbeat/formats/common" +) + +func parseExtraShim(size uint32, data []byte) (*Shim, error) { + if size < 0x00000088 { + return nil, errors.New("invalid extra shim block size") + } + return &Shim{ + LayerName: common.ReadUnicode(data, 8), + }, nil +} diff --git a/libbeat/formats/lnk/extra_special_folder.go b/libbeat/formats/lnk/extra_special_folder.go new file mode 100644 index 000000000000..04fc287f12b9 --- /dev/null +++ b/libbeat/formats/lnk/extra_special_folder.go @@ -0,0 +1,16 @@ +package lnk + +import ( + "encoding/binary" + "errors" +) + +func parseExtraSpecialFolder(size uint32, data []byte) (*SpecialFolder, error) { + if size != 0x00000010 { + return nil, errors.New("invalid extra special folder block size") + } + return &SpecialFolder{ + ID: binary.LittleEndian.Uint32(data[8:12]), + Offset: binary.LittleEndian.Uint32(data[12:16]), + }, nil +} diff --git a/libbeat/formats/lnk/extra_tracker.go b/libbeat/formats/lnk/extra_tracker.go new file mode 100644 index 000000000000..42392235c9cd --- /dev/null +++ b/libbeat/formats/lnk/extra_tracker.go 
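Review bot: parseExtraPropertyStore checks `len(propertyData) < 24` but never `propertySize < 24`, so a storage header declaring a size between 1 and 23 passes both checks and `propertyData[24:propertySize]` panics with a slice-bounds error; the guard should be `if propertySize < 24 || len(propertyData) < int(propertySize)`. The length checks in parseTypedValue are evaluated in uint32 — `int(codePageSize+8)` and `int(length+8)`, where `length` is already `Uint32 * 2` — so large values wrap, the check passes and `data[8:8+codePageSize]` or `data[8:8+length]` panics; compare in 64 bits instead, e.g. `if uint64(codePageSize)+8 > uint64(len(data))`. parseNamedProperties checks neither `propertySize` nor `nameSize+9` against `len(data)` (parseProperties does check propertySize), and the fixed-width cases vtI2 through vtDate read up to 12 bytes behind only the `len(data) < 4` guard. Each of these is a process crash on a crafted shortcut, which matters because this code exists to parse files nobody vetted, so a fuzz target over parseExtraPropertyStore would pay for itself quickly. Both parseNamedProperties and parseProperties decode a single value and return, so if a storage carries several serialized values only the first is reported — presumably intentional for now, but worth a comment.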
@@ -0,0 +1,26 @@
+package lnk
+
+import (
+ "encoding/binary"
+ "errors"
+
+ "github.com/elastic/beats/v7/libbeat/formats/common"
+)
+
+func parseExtraTracker(size uint32, data []byte) (*Tracker, error) {
+ if size != 0x00000060 {
+ return nil, errors.New("invalid extra tracker block size")
+ }
+ return &Tracker{
+ Version: binary.LittleEndian.Uint32(data[12:16]),
+ MachineID: common.ReadString(data[16:32], 0),
+ Droid: []string{
+ encodeUUID(data[32:48]),
+ encodeUUID(data[48:64]),
+ },
+ DroidBirth: []string{
+ encodeUUID(data[64:80]),
+ encodeUUID(data[80:96]),
+ },
+ }, nil
+}
diff --git a/libbeat/formats/lnk/extra_vista_and_above_id_list.go b/libbeat/formats/lnk/extra_vista_and_above_id_list.go
new file mode 100644
index 000000000000..03f2e65e8103
--- /dev/null
+++ b/libbeat/formats/lnk/extra_vista_and_above_id_list.go
@@ -0,0 +1,16 @@
+package lnk
+
+import "errors"
+
+func parseExtraVistaAndAboveIDList(size uint32, data []byte) (*VistaAndAboveIDList, error) {
+ if size < 0x0000000A {
+ return nil, errors.New("invalid extra vista and above id list block size")
+ }
+ targets, err := parseTargetList(data[8:])
+ if err != nil {
+ return nil, err
+ }
+ return &VistaAndAboveIDList{
+ Targets: targets,
+ }, nil
+}
diff --git a/libbeat/formats/lnk/header.go b/libbeat/formats/lnk/header.go
new file mode 100644
index 000000000000..ee2c7b224ab2
--- /dev/null
+++ b/libbeat/formats/lnk/header.go
@@ -0,0 +1,263 @@ +package lnk + +import ( + "encoding/binary" + "encoding/hex" + "errors" + "fmt" + "io" + "sort" + "time" +) + +const ( + // link flags + hasTargetIDList uint32 = 1 << iota + hasLinkInfo + hasName + hasRelativePath + hasWorkingDir + hasArguments + hasIconLocation + isUnicode + forceNoLinkInfo + hasExpString + runInSeparateProcess + _ + hasDarwinID + runAsUser + hasExpIcon + noPidlAlias + _ + runWithShimLayer + forceNoLinkTrack + enableTargetMetadata + disableLinkPathTracking + disableKnownFolderTracking + disableKnownFolderAlias + allowLinkToLink + unaliasOnSave + preferEnvironmentPath + keepLocalIDListForUNCTarget +) + +const ( + // file flags + fileAttributeReadonly uint32 = 1 << iota + fileAttributeHidden + fileAttributeSystem + _ + fileAttributeDirectory + fileAttributeArchive + fileAttributeDevice + fileAttributeNormal + fileAttributeTemporary + fileAttributeSparseFile + fileAttributeReparsePoint + fileAttributeCompressed + fileAttributeOffline + fileAttributeNotContentIndexed + fileAttributeEncrypted + _ + fileAttributeVirtual +) + +var ( + windowStyles = []string{ + "SW_HIDE", + "SW_NORMAL", + "SW_SHOWMINIMIZED", + "SW_MAXIMIZE ", + "SW_SHOWNOACTIVATE", + "SW_SHOW", + "SW_MINIMIZE", + "SW_SHOWMINNOACTIVE", + "SW_SHOWNA", + "SW_RESTORE", + "SW_SHOWDEFAULT", + "SW_FORCEMINIMIZE", + } + hotKeyModifiers = []string{ + "UNSET", + "HOTKEYF_SHIFT", + "HOTKEYF_CONTROL", + "HOTKEYF_ALT", + } + fKeys = []string{ + "VK_F1", + "VK_F2", + "VK_F3", + "VK_F4", + "VK_F5", + "VK_F6", + "VK_F7", + "VK_F8", + "VK_F9", + "VK_F10", + "VK_F11", + "VK_F12", + "VK_F13", + "VK_F14", + "VK_F15", + "VK_F16", + "VK_F17", + "VK_F18", + "VK_F19", + "VK_F20", + "VK_F21", + "VK_F22", + "VK_F23", + "VK_F24", + } + linkFlags = map[uint32]string{ + hasTargetIDList: "HasTargetIDList", + hasLinkInfo: "HasLinkInfo", + hasName: "HasName", + hasRelativePath: "HasRelativePath", + hasWorkingDir: "HasWorkingDir", + hasArguments: "HasArguments", + hasIconLocation: "HasIconLocation", + 
isUnicode: "IsUnicode", + forceNoLinkInfo: "ForceNoLinkInfo", + hasExpString: "HasExpString", + runInSeparateProcess: "RunInSeparateProcess", + hasDarwinID: "HasDarwinID", + runAsUser: "RunAsUser", + hasExpIcon: "HasExpIcon", + noPidlAlias: "NoPidlAlias", + runWithShimLayer: "RunWithShimLayer", + forceNoLinkTrack: "ForceNoLinkTrack", + enableTargetMetadata: "EnableTargetMetadata", + disableLinkPathTracking: "DisableLinkPathTracking", + disableKnownFolderTracking: "DisableKnownFolderTracking", + disableKnownFolderAlias: "DisableKnownFolderAlias", + allowLinkToLink: "AllowLinkToLink", + unaliasOnSave: "UnaliasOnSave", + preferEnvironmentPath: "PreferEnvironmentPath", + keepLocalIDListForUNCTarget: "KeepLocalIDListForUNCTarget", + } + fileFlags = map[uint32]string{ + fileAttributeReadonly: "FILE_ATTRIBUTE_READONLY", + fileAttributeHidden: "FILE_ATTRIBUTE_HIDDEN", + fileAttributeSystem: "FILE_ATTRIBUTE_SYSTEM", + fileAttributeDirectory: "FILE_ATTRIBUTE_DIRECTORY", + fileAttributeArchive: "FILE_ATTRIBUTE_ARCHIVE", + fileAttributeDevice: "FILE_ATTRIBUTE_DEVICE", + fileAttributeNormal: "FILE_ATTRIBUTE_NORMAL", + fileAttributeTemporary: "FILE_ATTRIBUTE_TEMPORARY", + fileAttributeSparseFile: "FILE_ATTRIBUTE_SPARSE_FILE", + fileAttributeReparsePoint: "FILE_ATTRIBUTE_REPARSE_POINT", + fileAttributeCompressed: "FILE_ATTRIBUTE_COMPRESSED", + fileAttributeOffline: "FILE_ATTRIBUTE_OFFLINE", + fileAttributeNotContentIndexed: "FILE_ATTRIBUTE_NOT_CONTENT_INDEXED", + fileAttributeEncrypted: "FILE_ATTRIBUTE_ENCRYPTED", + fileAttributeVirtual: "FILE_ATTRIBUTE_VIRTUAL", + } +) + +// 116444736000000000 is the number of 100-nanoseconds between +// 1 january 1601 00:00 and 1 january 1970 00:00 UTC +const epochDelta uint64 = 116444736000000000 + +func windowsTimeToUnix(timestamp uint64) uint64 { + // Convert to 100-nanoseconds increment since Unix Epoch and then + // truncate to seconds + return (timestamp - epochDelta) / 1e7 +} + +func parseHeader(r io.ReaderAt) (*Header, int64, error) { + 
header := make([]byte, 76) + read, err := r.ReadAt(header, 0) + if err != nil { + return nil, 0, err + } + if read != 76 { + return nil, 0, errors.New("truncated LNK header") + } + rawLinkFlags := binary.LittleEndian.Uint32(header[20:24]) + rawFileFlags := binary.LittleEndian.Uint32(header[24:28]) + return &Header{ + GUID: encodeUUID(header[4:20]), + rawLinkFlags: rawLinkFlags, + LinkFlags: parseFlags(linkFlags, rawLinkFlags), + rawFileFlags: rawFileFlags, + FileFlags: parseFlags(fileFlags, rawFileFlags), + CreationTime: normalizeTime(binary.LittleEndian.Uint64(header[28:36])), + AccessedTime: normalizeTime(binary.LittleEndian.Uint64(header[36:44])), + ModfiedTime: normalizeTime(binary.LittleEndian.Uint64(header[44:52])), + FileSize: binary.LittleEndian.Uint32(header[52:56]), + IconIndex: binary.LittleEndian.Uint32(header[56:60]), + WindowStyle: normalizeWindowStyle(binary.LittleEndian.Uint32(header[60:64])), + HotKey: normalizeHotKey(header[64], header[65]), + }, 76, nil +} + +func normalizeWindowStyle(style uint32) string { + if style >= uint32(len(windowStyles)) { + return fmt.Sprintf("UNKNOWN:%d", style) + } + return windowStyles[style] +} + +func normalizeTime(value uint64) *time.Time { + if value == 0 { + return nil + } + timestamp := time.Unix(int64(windowsTimeToUnix(value)), 0).UTC() + return ×tamp +} + +func normalizeHotKey(lower, upper uint8) string { + if lower == 0x00 && upper == 0x00 { + return "" + } + var key string + if upper < uint8(len(hotKeyModifiers)) { + modifier := hotKeyModifiers[upper] + if modifier != "UNSET" { + key = modifier + "+" + } + } + if (0x30 <= lower && lower <= 0x39) || (0x41 <= lower && lower <= 0x5a) { + return key + string(rune(lower)) + } + if (lower - 0x70) < uint8(len(fKeys)) { + return key + fKeys[lower-0x70] + } + if lower == 0x90 { + return key + "VK_NUMLOCK" + } + if lower == 0x91 { + return key + "VK_SCROLL" + } + return "UNKNOWN" +} + +func parseFlags(flagset map[uint32]string, value uint32) []string { + flags := 
[]string{} + for flag, name := range flagset { + if hasFlag(value, flag) { + flags = append(flags, name) + } + } + sort.Strings(flags) + return flags +} + +func encodeUUID(uuid []byte) string { + dst := make([]byte, 36) + hex.Encode(dst, uuid[:4]) + dst[8] = '-' + hex.Encode(dst[9:13], uuid[4:6]) + dst[13] = '-' + hex.Encode(dst[14:18], uuid[6:8]) + dst[18] = '-' + hex.Encode(dst[19:23], uuid[8:10]) + dst[23] = '-' + hex.Encode(dst[24:], uuid[10:]) + return string(dst) +} + +func hasFlag(flagset, flag uint32) bool { + return (flagset & flag) != 0 +} diff --git a/libbeat/formats/lnk/lnk.go b/libbeat/formats/lnk/lnk.go new file mode 100644 index 000000000000..80a04e41f096 --- /dev/null +++ b/libbeat/formats/lnk/lnk.go 
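Review bot: parseHeader never validates the HeaderSize field in `header[0:4]` (MS-SHLLINK fixes it at 0x0000004C) nor the LinkCLSID it decodes into `GUID` (`00021401-0000-0000-c000-000000000046`), so any 76-byte input is accepted as a shortcut and the rest of the parser runs on meaningless offsets; rejecting both up front is the cheapest sanity check the format offers and makes "not a LNK" a clear error instead of a later bounds failure. windowsTimeToUnix subtracts `epochDelta` in uint64, so any non-zero FILETIME below 116444736000000000 (a pre-1970 stamp, which malformed or crafted files can carry) wraps and normalizeTime reports a nonsense year; `return (int64(timestamp) - int64(epochDelta)) / 1e7` with an int64 result keeps such values sane, and the only caller already casts to int64. `"SW_MAXIMIZE "` in windowStyles carries a trailing space that will be emitted verbatim in output and fixtures. normalizeHotKey indexes hotKeyModifiers by the raw high byte, but the spec defines that byte as bit flags (HOTKEYF_SHIFT 0x01, HOTKEYF_CONTROL 0x02, HOTKEYF_ALT 0x04), so Shift+Control (0x03) is reported as ALT and every combination involving ALT loses its modifier; building the prefix from the bits that are set, in the style of parseFlags, would be correct and shorter.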
@@ -0,0 +1,233 @@ +package lnk + +// https://github.com/libyal/liblnk/blob/master/documentation/Windows%20Shortcut%20File%20(LNK)%20format.asciidoc + +import ( + "io" + "time" +) + +// Console contains LNK extra console data block info +type Console struct { + FillAttributes []string `json:"fillAttributes,omitempty"` + PopupFillAttributes []string `json:"popupFillAttributes,omitempty"` + ScreenBufferSizeX uint16 `json:"screenBufferSizeX"` + ScreenBufferSizeY uint16 `json:"screenBufferSizeY"` + WindowSizeX uint16 `json:"windowSizeX"` + WindowSizeY uint16 `json:"windowSizeY"` + WindowOriginX uint16 `json:"windowOriginX"` + WindowOriginY uint16 `json:"windowOriginY"` + FontSize uint32 `json:"fontSize"` + FontFamily string `json:"fontFamily,omitempty"` + FontWeight uint32 `json:"fontWeight"` + FaceName string `json:"faceName,omitempty"` + CursorSize uint32 `json:"cursorSize"` + FullScreen bool `json:"fullScreen"` + QuickEdit bool `json:"quickEdit"` + InsertMode bool `json:"insertMode"` + AutoPosition bool `json:"autoPosition"` + HistoryBufferSize uint32 `json:"historyBufferSize"` + NumberOfHistoryBuffers uint32 `json:"numberOfHistoryBuffers"` + HistoryNoDup bool `json:"historyNoDup"` + ColorTable []string `json:"colorTable"` +} + +// ConsoleFE contains LNK extra console data block info +type ConsoleFE struct { + CodePage string `json:"codePage"` +} + +// Darwin contains LNK extra darwin data block info +type Darwin struct { + ANSI string `json:"ansi"` + Unicode string `json:"unicode"` +} + +// Environment contains LNK extra environment data block info +type Environment struct { + ANSI string `json:"ansi"` + Unicode string `json:"unicode"` +} + +// IconEnvironment contains LNK extra icon environment data block info +type IconEnvironment struct { + ANSI string `json:"ansi"` + Unicode string `json:"unicode"` +} + +// KnownFolder contains LNK extra known folder data block info +type KnownFolder struct { + ID string `json:"id"` + Offset uint32 `json:"offset"` +} + +// 
Property contains property storage propery info +type Property struct { + Type string `json:"type"` + Value interface{} `json:"value"` +} + +// PropertyStore contains LNK extra property store data block info +type PropertyStore struct { + // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-propstore/3453fb82-0e4f-4c2c-bc04-64b4bd2c51ec + NamedProperties map[string][]Property `json:"namedProperties,omitempty"` + Properties map[uint32][]Property `json:"properties,omitempty"` +} + +// Shim contains LNK extra shim data block info +type Shim struct { + LayerName string `json:"layerName,omitempty"` +} + +// SpecialFolder contains LNK extra special folder data block info +type SpecialFolder struct { + ID uint32 `json:"id"` + Offset uint32 `json:"offset"` +} + +// Tracker contains LNK extra tracker data block info +type Tracker struct { + Version uint32 `json:"version"` + MachineID string `json:"machineId"` + Droid []string `json:"droid,omitempty"` + DroidBirth []string `json:"droidBirth,omitempty"` +} + +// VistaAndAboveIDList contains LNK extra vista and above id list data block info +type VistaAndAboveIDList struct { + Targets []Target `json:"targets,omitempty"` +} + +// Extra contains LNK extra block info +type Extra struct { + // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/c41e062d-f764-4f13-bd4f-ea812ab9a4d1 + Console *Console `json:"console,omitempty"` + ConsoleFE *ConsoleFE `json:"consoleFE,omitempty"` + Darwin *Darwin `json:"darwin,omitempty"` + Environment *Environment `json:"environment,omitempty"` + IconEnvironment *IconEnvironment `json:"iconEnvironment,omitempty"` + KnownFolder *KnownFolder `json:"knownFolder,omitempty"` + PropertyStore *PropertyStore `json:"propertyStore,omitempty"` + Shim *Shim `json:"shim,omitempty"` + SpecialFolder *SpecialFolder `json:"specialFolder,omitempty"` + Tracker *Tracker `json:"tracker,omitempty"` + VistaAndAboveIDList *VistaAndAboveIDList `json:"vistaAndAboveIdList,omitempty"` +} + +// 
Volume contains LNK location volume info +type Volume struct { + // https://github.com/libyal/liblnk/blob/master/documentation/Windows%20Shortcut%20File%20(LNK)%20format.asciidoc#42-volume-information + DriveType string `json:"driveType,omitempty"` + DriveSerialNumber string `json:"driveSerialNumber,omitempty"` + VolumeLabel string `json:"volumeLabel,omitempty"` +} + +// NetworkShare contains LNK location network share info +type NetworkShare struct { + // https://github.com/libyal/liblnk/blob/master/documentation/Windows%20Shortcut%20File%20(LNK)%20format.asciidoc#43-network-share-information + Flags []string `json:"flags,omitempty"` + ProviderType string `json:"providerType,omitempty"` + Name string `json:"name,omitempty"` + DeviceName string `json:"deviceName,omitempty"` +} + +// Location contains LNK location info +type Location struct { + // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/6813269d-0cc8-4be2-933f-e96e8e3412dc + // https://github.com/libyal/liblnk/blob/master/documentation/Windows%20Shortcut%20File%20(LNK)%20format.asciidoc#4-location-information + Flags []string `json:"flags"` + CommonPathSuffix string `json:"commonPathSuffix,omitempty"` + // Location information data + Volume *Volume `json:"volume,omitempty"` + LocalBasePath string `json:"localBasePath,omitempty"` + // The network share information + NetworkShare *NetworkShare `json:"networkShare,omitempty"` +} + +// Target contains LNK target info +type Target struct { + Size uint16 `json:"size"` + TypeID uint8 `json:"typeId"` + SHA256 string `json:"sha256"` +} + +// Header contains LNK header info +type Header struct { + GUID string `json:"guid"` + LinkFlags []string `json:"linkFlags"` + FileFlags []string `json:"fileFlags"` + CreationTime *time.Time `json:"creationTime,omitempty"` + AccessedTime *time.Time `json:"accessedTime,omitempty"` + ModfiedTime *time.Time `json:"modifiedTime,omitempty"` + FileSize uint32 `json:"fileSize,omitempty"` + IconIndex uint32 
`json:"iconIndex"` + WindowStyle string `json:"windowStyle"` + HotKey string `json:"hotKey,omitempty"` + + rawLinkFlags uint32 + rawFileFlags uint32 +} + +// Info contains high level fingerprinting an analysis of an LNK file. +type Info struct { + Header *Header `json:"header"` + Targets []Target `json:"targets,omitempty"` + Location *Location `json:"location,omitempty"` + Name string `json:"name,omitempty"` + RelativePath string `json:"relativePath,omitempty"` + WorkingDirectory string `json:"workingDirectory,omitempty"` + CommandLine string `json:"commandLine,omitempty"` + IconLocation string `json:"iconLocation,omitempty"` + Extra *Extra `json:"extra,omitempty"` +} + +// Parse parses the LNK file and returns information about it or errors. +func Parse(r io.ReaderAt) (*Info, error) { + header, offset, err := parseHeader(r) + if err != nil { + return nil, err + } + targets, offset, err := parseTargets(header, offset, r) + if err != nil { + return nil, err + } + location, offset, err := parseLocationInfo(header, offset, r) + if err != nil { + return nil, err + } + name, offset, err := readDataString(header, hasName, offset, r) + if err != nil { + return nil, err + } + relativePath, offset, err := readDataString(header, hasRelativePath, offset, r) + if err != nil { + return nil, err + } + workingDirectory, offset, err := readDataString(header, hasWorkingDir, offset, r) + if err != nil { + return nil, err + } + commandLine, offset, err := readDataString(header, hasArguments, offset, r) + if err != nil { + return nil, err + } + iconLocation, offset, err := readDataString(header, hasIconLocation, offset, r) + if err != nil { + return nil, err + } + extra, err := parseExtraBlocks(header, offset, r) + if err != nil { + return nil, err + } + return &Info{ + Header: header, + Targets: targets, + Location: location, + Name: name, + RelativePath: relativePath, + WorkingDirectory: workingDirectory, + CommandLine: commandLine, + IconLocation: iconLocation, + Extra: extra, + }, 
nil
+}
diff --git a/libbeat/formats/lnk/lnk_fuzz.go b/libbeat/formats/lnk/lnk_fuzz.go
new file mode 100644
index 000000000000..bef64066803f
--- /dev/null
+++ b/libbeat/formats/lnk/lnk_fuzz.go
@@ -0,0 +1,12 @@
+// +build fuzz
+
+package lnk
+
+import (
+ "bytes"
+)
+
+func Fuzz(data []byte) int {
+ Parse(bytes.NewReader(data))
+ return 0
+}
diff --git a/libbeat/formats/lnk/lnk_test.go b/libbeat/formats/lnk/lnk_test.go
new file mode 100644
index 000000000000..3db7f699d6cc
--- /dev/null
+++ b/libbeat/formats/lnk/lnk_test.go
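Review bot: Parse treats any 76-byte input as a shortcut, because the parseHeader it calls first (header.go, visible above) returns straight after the ReadAt without checking the HeaderSize field at bytes 0:4 or the LinkCLSID at 4:20, so the flag-driven offset walking that follows runs on arbitrary data. The cheapest guard belongs in parseHeader before the struct is built, `if binary.LittleEndian.Uint32(header[0:4]) != 0x4c { return nil, 0, errors.New("invalid LNK header size") }`; comparing Header.GUID against the CLSID instead would have to allow for encodeUUID hex-encoding the bytes in on-disk order, which for the first three groups is not the canonical GUID text. Two smaller items in this hunk: the exported field `ModfiedTime` is misspelled while its JSON tag `modifiedTime` is right, and renaming it to `ModifiedTime` now costs nothing before it becomes public API; and the Info doc comment reads "fingerprinting an analysis" where "fingerprinting and analysis" is meant.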
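Review bot: Fuzz discards Parse's return value and always returns 0, so go-fuzz gets no signal about which inputs actually parsed; the conventional harness returns 1 for inputs that parse cleanly so the corpus is steered toward well-formed shortcuts, `if _, err := Parse(bytes.NewReader(data)); err == nil { return 1 }` followed by `return 0`. The macho harness further down in this patch has the same shape. A one-line doc comment naming the build tag, `// Fuzz is the go-fuzz entry point (build with -tags fuzz); it returns 1 for inputs that parse.`, would also tell a reader why the file is otherwise excluded from the build.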
@@ -0,0 +1,121 @@ +package lnk + +import ( + "encoding/json" + "io/ioutil" + "os" + "testing" + + "github.com/stretchr/testify/require" +) + +func TestBinaries(t *testing.T) { + generate := os.Getenv("GENERATE") == "1" + binaries := []string{ + "local.directory.seven.lnk", + "local.directory.xp.lnk", + "local.file.darwin.lnk", + "local.file.env.lnk", + "local.file.exec.lnk", + "local.file.icoset.lnk", + "local.file.seven.lnk", + "local.file.xp.lnk", + "local_cmd.lnk", + "local_unicode.lnk", + "local_win31j.lnk", + "microsoft.lnk", + "native.2008srv.01.lnk", + "native.2008srv.02.lnk", + "native.2008srv.03.lnk", + "native.2008srv.04.lnk", + "native.2008srv.05.lnk", + "native.2008srv.06.lnk", + "native.2008srv.07.lnk", + "native.2008srv.08.lnk", + "native.2008srv.09.lnk", + "native.2008srv.10.lnk", + "native.2008srv.11.lnk", + "native.2008srv.12.lnk", + "native.2008srv.13.lnk", + "native.2008srv.14.lnk", + "native.2008srv.15.lnk", + "native.2008srv.16.lnk", + "native.2008srv.17.lnk", + "native.2008srv.18.lnk", + "native.2008srv.19.lnk", + "native.2008srv.20.lnk", + "native.seven.01.lnk", + "native.seven.02.lnk", + "native.seven.03.lnk", + "native.seven.04.lnk", + "native.seven.05.lnk", + "native.seven.06.lnk", + "native.seven.07.lnk", + "native.seven.08.lnk", + "native.seven.09.lnk", + "native.seven.10.lnk", + "native.seven.11.lnk", + "native.seven.12.lnk", + "native.seven.13.lnk", + "native.seven.14.lnk", + "native.seven.15.lnk", + "native.seven.16.lnk", + "native.seven.17.lnk", + "native.seven.18.lnk", + "native.seven.19.lnk", + "native.seven.20.lnk", + "native.xp.01.lnk", + "native.xp.02.lnk", + "native.xp.03.lnk", + "native.xp.04.lnk", + "native.xp.05.lnk", + "native.xp.06.lnk", + "native.xp.07.lnk", + "native.xp.08.lnk", + "native.xp.09.lnk", + "native.xp.10.lnk", + "native.xp.11.lnk", + "native.xp.12.lnk", + "native.xp.13.lnk", + "native.xp.14.lnk", + "native.xp.15.lnk", + "native.xp.16.lnk", + "native.xp.17.lnk", + "native.xp.18.lnk", + "native.xp.19.lnk", + 
"native.xp.20.lnk", + "net_unicode.lnk", + "net_unicode2.lnk", + "net_win31j.lnk", + "remote.directory.xp.lnk", + "remote.file.aidlist.lnk", + "remote.file.xp.lnk", + } + for _, binary := range binaries { + t.Run(binary, func(t *testing.T) { + f, err := os.Open("../fixtures/lnk/" + binary) + require.NoError(t, err) + defer f.Close() + + info, err := Parse(f) + require.NoError(t, err) + + expectedFile := "../fixtures/lnk/" + binary + ".fingerprint" + if generate { + data, err := json.MarshalIndent(info, "", " ") + require.NoError(t, err) + require.NoError(t, ioutil.WriteFile(expectedFile, data, 0644)) + } else { + fixture, err := os.Open(expectedFile) + require.NoError(t, err) + defer fixture.Close() + expected, err := ioutil.ReadAll(fixture) + require.NoError(t, err) + + data, err := json.Marshal(info) + require.NoError(t, err) + require.JSONEq(t, string(expected), string(data)) + } + }) + } +} diff --git a/libbeat/formats/lnk/location.go b/libbeat/formats/lnk/location.go new file mode 100644 index 000000000000..002875b493d9 --- /dev/null +++ b/libbeat/formats/lnk/location.go 
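Review bot: TestBinaries only feeds well-formed fixtures through Parse and compares fingerprints, so nothing asserts that a malformed or truncated shortcut yields an error instead of a panic, even though every block size and offset in the parser comes from the file; a prefix-truncation loop over one fixture is cheap and catches index-out-of-range bugs in the target and location readers. The sketch below reuses the existing fixture directory and testify's NotPanics, and needs a `bytes` import.

```go
// … unchanged: fixture table and TestBinaries …

// TestTruncated checks that no prefix of a valid shortcut panics the parser.
func TestTruncated(t *testing.T) {
	data, err := ioutil.ReadFile("../fixtures/lnk/local_cmd.lnk")
	require.NoError(t, err)
	for n := 0; n < len(data); n++ {
		require.NotPanics(t, func() { Parse(bytes.NewReader(data[:n])) }, "prefix length %d", n)
	}
}
```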
@@ -0,0 +1,205 @@ +package lnk + +import ( + "encoding/binary" + "errors" + "fmt" + "io" + + "github.com/elastic/beats/v7/libbeat/formats/common" +) + +const ( + // location flags + volumeIDAndLocalBasePath uint32 = 1 << iota + commonNetworkRelativeLinkAndPathSuffix +) + +const ( + // network share flags + validDevice uint32 = 1 << iota + validNetType +) + +var ( + driveTypes = []string{ + "DRIVE_UNKNOWN", + "DRIVE_NO_ROOT_DIR", + "DRIVE_REMOVABLE", + "DRIVE_FIXED", + "DRIVE_REMOTE", + "DRIVE_CDROM", + "DRIVE_RAMDISK", + } + locationFlags = map[uint32]string{ + volumeIDAndLocalBasePath: "VolumeIDAndLocalBasePath", + commonNetworkRelativeLinkAndPathSuffix: "CommonNetworkRelativeLinkAndPathSuffix", + } + networkShareFlags = map[uint32]string{ + validDevice: "ValidDevice", + validNetType: "ValidNetType", + } + // https://github.com/libyal/liblnk/blob/master/documentation/Windows%20Shortcut%20File%20(LNK)%20format.asciidoc#432-network-provider-types + providerTypes = map[uint32]string{ + 0x001a0000: "WNNC_NET_AVID", + 0x001b0000: "WNNC_NET_DOCUSPACE", + 0x001c0000: "WNNC_NET_MANGOSOFT", + 0x001d0000: "WNNC_NET_SERNET", + 0x001e0000: "WNNC_NET_RIVERFRONT1", + 0x001f0000: "WNNC_NET_RIVERFRONT2", + 0x00200000: "WNNC_NET_DECORB", + 0x00210000: "WNNC_NET_PROTSTOR", + 0x00220000: "WNNC_NET_FJ_REDIR", + 0x00230000: "WNNC_NET_DISTINCT", + 0x00240000: "WNNC_NET_TWINS", + 0x00250000: "WNNC_NET_RDR2SAMPLE", + 0x00260000: "WNNC_NET_CSC", + 0x00270000: "WNNC_NET_3IN1", + 0x00290000: "WNNC_NET_EXTENDNET", + 0x002a0000: "WNNC_NET_STAC", + 0x002b0000: "WNNC_NET_FOXBAT", + 0x002c0000: "WNNC_NET_YAHOO", + 0x002d0000: "WNNC_NET_EXIFS", + 0x002e0000: "WNNC_NET_DAV", + 0x002f0000: "WNNC_NET_KNOWARE", + 0x00300000: "WNNC_NET_OBJECT_DIRE", + 0x00310000: "WNNC_NET_MASFAX", + 0x00320000: "WNNC_NET_HOB_NFS", + 0x00330000: "WNNC_NET_SHIVA", + 0x00340000: "WNNC_NET_IBMAL", + 0x00350000: "WNNC_NET_LOCK", + 0x00360000: "WNNC_NET_TERMSRV", + 0x00370000: "WNNC_NET_SRT", + 0x00380000: 
"WNNC_NET_QUINCY", + 0x00390000: "WNNC_NET_OPENAFS", + 0x003a0000: "WNNC_NET_AVID1", + 0x003b0000: "WNNC_NET_DFS", + 0x003c0000: "WNNC_NET_KWNP", + 0x003d0000: "WNNC_NET_ZENWORKS", + 0x003e0000: "WNNC_NET_DRIVEONWEB", + 0x003f0000: "WNNC_NET_VMWARE", + 0x00400000: "WNNC_NET_RSFX", + 0x00410000: "WNNC_NET_MFILES", + 0x00420000: "WNNC_NET_MS_NFS", + 0x00430000: "WNNC_NET_GOOGLE", + } +) + +func parseLocationInfo(header *Header, offset int64, r io.ReaderAt) (*Location, int64, error) { + // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/6813269d-0cc8-4be2-933f-e96e8e3412dc + if !hasFlag(header.rawLinkFlags, hasLinkInfo) { + return nil, offset, nil + } + size, data, err := readU32Data(offset, r) + if err != nil { + return nil, 0, err + } + if size < 28 { + return nil, 0, errors.New("invalid location info") + } + flags := binary.LittleEndian.Uint32(data[8:12]) + volumeOffset := binary.LittleEndian.Uint32(data[12:16]) + localBasePathOffset := binary.LittleEndian.Uint32(data[16:20]) + networkOffset := binary.LittleEndian.Uint32(data[20:24]) + commonOffset := binary.LittleEndian.Uint32(data[24:28]) + + var volume *Volume + var localBasePath string + if hasFlag(flags, volumeIDAndLocalBasePath) { + localBasePath = common.ReadString(data, int(localBasePathOffset)) + if volumeOffset >= size { + return nil, 0, errors.New("invalid volume offset") + } + volume, err = parseVolumeInfo(data[volumeOffset:]) + if err != nil { + return nil, 0, err + } + } + + var networkShare *NetworkShare + if hasFlag(flags, commonNetworkRelativeLinkAndPathSuffix) { + if networkOffset >= size { + return nil, 0, errors.New("invalid network share offset") + } + networkShare, err = parseNetworkShareInfo(data[networkOffset:]) + if err != nil { + return nil, 0, err + } + } + + commonPathSuffix := common.ReadString(data, int(commonOffset)) + + return &Location{ + Flags: parseFlags(locationFlags, flags), + LocalBasePath: localBasePath, + CommonPathSuffix: commonPathSuffix, + Volume: 
volume, + NetworkShare: networkShare, + }, offset + int64(size), nil +} + +func parseVolumeInfo(data []byte) (*Volume, error) { + if len(data) < 16 { + return nil, errors.New("invalid volume info") + } + size := binary.LittleEndian.Uint32(data[0:4]) + if uint32(len(data)) < size { + return nil, errors.New("invalid volume info") + } + driveType := binary.LittleEndian.Uint32(data[4:8]) + driveSerialNumber := binary.LittleEndian.Uint32(data[8:12]) + volumeLabelOffset := binary.LittleEndian.Uint32(data[12:16]) + hasUnicodeLabel := volumeLabelOffset == 0x00000014 + var volumeLabel string + if hasUnicodeLabel { + if len(data) < 20 { + return nil, errors.New("invalid volume info") + } + volumeLabelOffset = binary.LittleEndian.Uint32(data[16:20]) + volumeLabel = common.ReadUnicode(data, int(volumeLabelOffset)) + } else { + volumeLabel = common.ReadString(data, int(volumeLabelOffset)) + } + + normalizedDriveType := "DRIVE_UNKNOWN" + if uint32(len(driveTypes)) > driveType { + normalizedDriveType = driveTypes[driveType] + } + return &Volume{ + DriveType: normalizedDriveType, + DriveSerialNumber: fmt.Sprintf("0x%08x", driveSerialNumber), + VolumeLabel: volumeLabel, + }, nil +} + +func parseNetworkShareInfo(data []byte) (*NetworkShare, error) { + if len(data) < 20 { + return nil, errors.New("invalid network share info") + } + size := binary.LittleEndian.Uint32(data[0:4]) + if uint32(len(data)) < size { + return nil, errors.New("invalid network share info") + } + flags := binary.LittleEndian.Uint32(data[4:8]) + shareNameOffset := binary.LittleEndian.Uint32(data[8:12]) + deviceNameOffset := binary.LittleEndian.Uint32(data[12:16]) + providerType := binary.LittleEndian.Uint32(data[16:20]) + normalizedFlags := parseFlags(networkShareFlags, flags) + var normalizedProviderType string + if hasFlag(flags, validNetType) { + if found, ok := providerTypes[providerType]; ok { + normalizedProviderType = found + } + } + shareName := common.ReadString(data, int(shareNameOffset)) + var 
deviceName string + if hasFlag(flags, validDevice) { + deviceName = common.ReadString(data, int(deviceNameOffset)) + } + return &NetworkShare{ + Name: shareName, + DeviceName: deviceName, + Flags: normalizedFlags, + ProviderType: normalizedProviderType, + }, nil +} diff --git a/libbeat/formats/lnk/strings.go b/libbeat/formats/lnk/strings.go new file mode 100644 index 000000000000..47d63569fd72 --- /dev/null +++ b/libbeat/formats/lnk/strings.go 
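Review bot: parseVolumeInfo and parseNetworkShareInfo check their declared size against len(data) but then keep reading from the unbounded tail that parseLocationInfo handed them (`data[volumeOffset:]`, `data[networkOffset:]`), so a volume-label, share-name or device-name offset can point past the sub-structure into the rest of the LinkInfo block, and whether common.ReadString/ReadUnicode clamp an out-of-range offset is not visible from this hunk. Narrowing to the declared size right after the check, `data = data[:size]`, in both functions keeps every string read inside the structure its size field describes. Separately, parseLocationInfo only consumes the 28-byte fixed part of LinkInfo; if I read MS-SHLLINK correctly, a LinkInfoHeaderSize (bytes 4:8) of 0x24 or more means Unicode LocalBasePath and CommonPathSuffix offsets follow at 28:36, and those are never surfaced, which deserves at least a TODO next to the `size < 28` check. Also, out-of-range drive types are silently folded into DRIVE_UNKNOWN; for a forensic fingerprint the raw value is more useful, e.g. `normalizedDriveType = fmt.Sprintf("UNKNOWN:%d", driveType)`, the way normalizeWindowStyle already does.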
@@ -0,0 +1,63 @@ +package lnk + +import ( + "encoding/binary" + "errors" + "io" + + "github.com/elastic/beats/v7/libbeat/formats/common" +) + +func readU16Data(offset int64, r io.ReaderAt, hasUnicode bool) (uint16, []byte, error) { + sizeData := make([]byte, 2) + n, err := r.ReadAt(sizeData, offset) + if err != nil { + return 0, nil, err + } + if n != 2 { + return 0, nil, errors.New("invalid size") + } + size := binary.LittleEndian.Uint16(sizeData) + if hasUnicode { + size *= 2 + } + data := make([]byte, size) + n, err = r.ReadAt(data, offset+2) + if uint16(n) != size { + return 0, nil, errors.New("invalid data") + } + return size, data, nil +} + +func readU32Data(offset int64, r io.ReaderAt) (uint32, []byte, error) { + sizeData := make([]byte, 4) + n, err := r.ReadAt(sizeData, offset) + if err != nil { + return 0, nil, err + } + if n != 4 { + return 0, nil, errors.New("invalid size") + } + size := binary.LittleEndian.Uint32(sizeData) + data := make([]byte, size) + n, err = r.ReadAt(data, offset) + if uint32(n) != size { + return 0, nil, errors.New("invalid data") + } + return size, data, nil +} + +func readDataString(header *Header, flag uint32, offset int64, r io.ReaderAt) (string, int64, error) { + if !hasFlag(header.rawLinkFlags, flag) { + return "", offset, nil + } + hasUnicode := hasFlag(header.rawLinkFlags, isUnicode) + size, data, err := readU16Data(offset, r, hasUnicode) + if err != nil { + return "", 0, err + } + if hasUnicode { + return common.ReadUnicode(data, 0), offset + 2 + int64(size), nil + } + return common.ReadString(data, 0), offset + 2 + int64(size), nil +} diff --git a/libbeat/formats/lnk/target.go b/libbeat/formats/lnk/target.go new file mode 100644 index 000000000000..bd8f32f5db04 --- /dev/null +++ b/libbeat/formats/lnk/target.go 
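Review bot: readU32Data allocates `make([]byte, size)` with size taken straight from the file before finding out whether the reader can supply that many bytes, so a 4-byte field set to 0xFFFFFFFF makes Parse attempt a 4 GiB allocation on untrusted input; the equivalent read in parseTargets is bounded to 64 KiB by its uint16 size, this one is not. A second defect in readU16Data: `size *= 2` is evaluated in uint16, so a CountCharacters of 0x8000 or more wraps (0x8000 becomes 0) and the string is silently read as empty or short, and the ReadAt error is discarded in both helpers. Computing sizes in int, capping the u32 case at a sane limit and surfacing the read error fixes all three; readDataString's `int64(size)` works unchanged with an int return.

```go
// maxDataBlockSize bounds a LinkInfo/extra-data block; real shortcuts are a few KiB.
const maxDataBlockSize = 1 << 20

func readU16Data(offset int64, r io.ReaderAt, hasUnicode bool) (int, []byte, error) {
	// … unchanged: read the 2-byte count into sizeData …
	size := int(binary.LittleEndian.Uint16(sizeData))
	if hasUnicode {
		size *= 2 // UTF-16 code units; computed in int so 0x8000+ cannot wrap
	}
	data := make([]byte, size)
	n, err := r.ReadAt(data, offset+2)
	if n != size {
		if err != nil {
			return 0, nil, err
		}
		return 0, nil, errors.New("invalid data")
	}
	return size, data, nil
}

func readU32Data(offset int64, r io.ReaderAt) (uint32, []byte, error) {
	// … unchanged: read the 4-byte size into sizeData …
	size := binary.LittleEndian.Uint32(sizeData)
	if size > maxDataBlockSize {
		return 0, nil, errors.New("data block too large")
	}
	// … unchanged: read size bytes from offset, check n, return …
}
```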
@@ -0,0 +1,67 @@ +package lnk + +import ( + "encoding/binary" + "encoding/hex" + "errors" + "io" + + sha256 "github.com/minio/sha256-simd" +) + +func parseTargets(header *Header, offset int64, r io.ReaderAt) ([]Target, int64, error) { + if !hasFlag(header.rawLinkFlags, hasTargetIDList) { + return nil, offset, nil + } + + sizeData := make([]byte, 2) + n, err := r.ReadAt(sizeData, offset) + if err != nil { + return nil, 0, err + } + if n != 2 { + return nil, 0, errors.New("invalid target list") + } + offset += 2 + size := binary.LittleEndian.Uint16(sizeData) + data := make([]byte, size) + n, err = r.ReadAt(data, offset) + if err != nil { + return nil, 0, err + } + if n != int(size) { + return nil, 0, errors.New("invalid target list size") + } + targets, err := parseTargetList(data) + return targets, offset + int64(size), err +} + +func parseTargetList(data []byte) ([]Target, error) { + // https://github.com/libyal/libfwsi/blob/master/documentation/Windows%20Shell%20Item%20format.asciidoc#2-shell-item-list + targets := []Target{} + offset := 0 + for { + targetData := data[offset:] + if len(targetData) < 3 { + // early end + return targets, nil + } + targetSize := binary.LittleEndian.Uint16(targetData[0:2]) + if targetSize == 0 { + return targets, nil + } + if len(targetData) < int(targetSize) { + // we have an invalid target + return targets, nil + } + targetData = targetData[:targetSize] + targetType := targetData[3] + hash := sha256.Sum256(targetData[4:]) + targets = append(targets, Target{ + Size: targetSize, + TypeID: targetType, + SHA256: hex.EncodeToString(hash[:]), + }) + offset += int(targetSize) + } +} diff --git a/libbeat/formats/macho/.gitignore b/libbeat/formats/macho/.gitignore new file mode 100644 index 000000000000..ceeded8e4bd6 --- /dev/null +++ b/libbeat/formats/macho/.gitignore @@ -0,0 +1,4 @@ +corpus +suppressions +crashers +macho-fuzz.zip 
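Review bot: parseTargetList panics on a shell item whose size field is 1, 2 or 3: the `len(targetData) < 3` and `len(targetData) < int(targetSize)` checks both pass, `targetData = targetData[:targetSize]` shrinks the slice, and `targetData[3]` or `targetData[4:]` then indexes out of range, so a four-byte IDList crashes Parse instead of returning an error. Add `if targetSize < 4 { return targets, errors.New("invalid target size") }` beside the zero check, or `return targets, nil` if the lenient early-end behaviour is intended, with a comment saying so. Two things worth confirming against a fixture: the libfwsi document linked in the function places the class type indicator at offset 2 of a shell item rather than 3, so `TypeID` may be reporting the wrong byte; and `github.com/minio/sha256-simd` is a new third-party dependency for one hash over tiny buffers where `crypto/sha256` offers the same `Sum256` call.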
diff --git a/libbeat/formats/macho/macho.go b/libbeat/formats/macho/macho.go
new file mode 100644
index 000000000000..ff711967dcf7
--- /dev/null
+++ b/libbeat/formats/macho/macho.go
@@ -0,0 +1,150 @@ +package macho + +import ( + "crypto/md5" + "debug/macho" + "encoding/hex" + "io" + + "github.com/elastic/beats/v7/libbeat/formats/common" +) + +// Section contains information about a section in a mach-o file. +type Section struct { + Name string `json:"name"` + Address uint64 `json:"address"` + Size uint64 `json:"size"` + Entropy float64 `json:"entropy"` + ChiSquare float64 `json:"chi2"` + MD5 string `json:"md5,omitempty"` +} + +// Architecture represents a fat file architecture +type Architecture struct { + CPU string `json:"cpu"` + Sections []Section `json:"sections,omitempty"` + Libraries []string `json:"libraries,omitempty"` + Imports []string `json:"imports,omitempty"` + Exports []string `json:"exports,omitempty"` + Packer string `json:"packer,omitempty"` + Symhash string `json:"symhash,omitempty"` +} + +// Info contains high level fingerprinting an analysis of a mach-o file. +type Info struct { + Architectures []*Architecture `json:"architectures,omitempty"` +} + +// Parse parses the mach-o file and returns information about it or errors. 
+func Parse(r io.ReaderAt) (*Info, error) { + machoFiles := []*macho.File{} + machoFatFile, err := macho.NewFatFile(r) + if err != nil { + if err != macho.ErrNotFat { + return nil, err + } + machoFile, err := macho.NewFile(r) + if err != nil { + return nil, err + } + machoFiles = append(machoFiles, machoFile) + } else { + for _, arch := range machoFatFile.Arches { + machoFiles = append(machoFiles, arch.File) + } + } + + architectures := make([]*Architecture, len(machoFiles)) + for i, machoFile := range machoFiles { + arch, err := parse(machoFile) + if err != nil { + return nil, err + } + architectures[i] = arch + } + return &Info{ + Architectures: architectures, + }, nil +} + +// the default string translations are gross +func translateCPU(cpu macho.Cpu) string { + switch cpu { + case macho.Cpu386: + return "x86" + case macho.CpuAmd64: + return "x86_64" + case macho.CpuArm: + return "arm" + case macho.CpuArm64: + return "arm64" + case macho.CpuPpc: + return "ppc" + case macho.CpuPpc64: + return "ppc64" + default: + return "unknown" + } +} + +func parse(machoFile *macho.File) (*Architecture, error) { + symhash, err := symhash(machoFile) + if err != nil { + return nil, err + } + libraries, err := machoFile.ImportedLibraries() + if err != nil { + return nil, err + } + importSymbols, err := machoFile.ImportedSymbols() + if err != nil { + if _, ok := err.(*macho.FormatError); !ok { + return nil, err + } + } + + sections := make([]Section, len(machoFile.Sections)) + for i, section := range machoFile.Sections { + var md5String string + var entropy float64 + var chiSquare float64 + + data, err := section.Data() + if err != nil { + if err != io.EOF { + return nil, err + } + } else { + md5hash := md5.Sum(data) + md5String = hex.EncodeToString(md5hash[:]) + entropy = common.Entropy(data) + chiSquare = common.ChiSquare(data) + } + sections[i] = Section{ + Name: section.Name, + Address: section.Addr, + Size: section.Size, + Entropy: entropy, + ChiSquare: chiSquare, + MD5: 
md5String, + } + } + + return &Architecture{ + CPU: translateCPU(machoFile.Cpu), + Symhash: symhash, + Libraries: libraries, + Imports: importSymbols, + Sections: sections, + Packer: getPacker(machoFile), + }, nil +} + +func getPacker(machoFile *macho.File) string { + for _, section := range machoFile.Sections { + if section.Name == "upxTEXT" { + return "upx" + } + } + return "" +} diff --git a/libbeat/formats/macho/macho_fuzz.go b/libbeat/formats/macho/macho_fuzz.go new file mode 100644 index 000000000000..145884776412 --- /dev/null +++ b/libbeat/formats/macho/macho_fuzz.go @@ -0,0 +1,12 @@ +// +build fuzz + +package macho + +import ( + "bytes" +) + +func Fuzz(data []byte) int { + Parse(bytes.NewReader(data)) + return 0 +} diff --git a/libbeat/formats/macho/macho_test.go b/libbeat/formats/macho/macho_test.go new file mode 100644 index 000000000000..cf8507ebc534 --- /dev/null +++ b/libbeat/formats/macho/macho_test.go @@ -0,0 +1,44 @@ +package macho + +import ( + "encoding/json" + "io/ioutil" + "os" + "testing" + + "github.com/stretchr/testify/require" +) + +func TestBinaries(t *testing.T) { + generate := os.Getenv("GENERATE") == "1" + binaries := []string{ + "hello-darwin", + } + for _, binary := range binaries { + t.Run(binary, func(t *testing.T) { + f, err := os.Open("../fixtures/macho/" + binary) + require.NoError(t, err) + defer f.Close() + + info, err := Parse(f) + require.NoError(t, err) + + expectedFile := "../fixtures/macho/" + binary + ".fingerprint" + if generate { + data, err := json.MarshalIndent(info, "", " ") + require.NoError(t, err) + require.NoError(t, ioutil.WriteFile(expectedFile, data, 0644)) + } else { + fixture, err := os.Open(expectedFile) + require.NoError(t, err) + defer fixture.Close() + expected, err := ioutil.ReadAll(fixture) + require.NoError(t, err) + + data, err := json.Marshal(info) + require.NoError(t, err) + require.JSONEq(t, string(expected), string(data)) + } + }) + } +} 
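Review bot: Architecture declares an `Exports []string` field with a JSON tag, but parse never fills it (the returned struct sets CPU, Symhash, Libraries, Imports, Sections and Packer only), so every fingerprint emits no exports while the type advertises them; either populate it from `machoFile.Symtab.Syms` filtered to defined external symbols, which is roughly the complement of what symhash.go selects, or drop the field until it is implemented. The section hash is MD5 only; that is fine for lookup, but an SHA-256 alongside it would let consumers match sources that no longer publish MD5. Minor: the Info comment should read "fingerprinting and analysis", and `getPacker` deserves a comment that matching the `upxTEXT` section name is a heuristic, e.g. `// getPacker reports "upx" when a UPX-named section is present; absence proves nothing.`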
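Review bot: the fixture list holds only `hello-darwin`, so the fat-binary branch of Parse (`macho.NewFatFile` succeeding and the loop over `Arches`) is never exercised, nor is the `upxTEXT` packer heuristic; a small universal binary built with `lipo -create` would cover the path that differs most from the thin case. As with the lnk tests, there is also no malformed-input case asserting that Parse returns an error rather than panicking on a truncated or bogus header.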
diff --git a/libbeat/formats/macho/symhash.go b/libbeat/formats/macho/symhash.go
new file mode 100644
index 000000000000..c6df8c367250
--- /dev/null
+++ b/libbeat/formats/macho/symhash.go
@@ -0,0 +1,31 @@
+package macho
+
+import (
+ "crypto/md5"
+ "debug/macho"
+ "encoding/hex"
+ "sort"
+ "strings"
+)
+
+func symhash(machoFile *macho.File) (string, error) {
+ if machoFile.Magic == macho.MagicFat {
+ return "", nil
+ }
+ if machoFile.Symtab == nil {
+ return "", nil
+ }
+ if machoFile.Dysymtab == nil {
+ return "", nil
+ }
+ hashed := []string{}
+ symbols := machoFile.Symtab.Syms
+ for _, symbol := range symbols {
+ if symbol.Type&0x0E == 0 {
+ hashed = append(hashed, symbol.Name)
+ }
+ }
+ sort.Strings(hashed)
+ md5hash := md5.Sum([]byte(strings.Join(hashed, ",")))
+ return hex.EncodeToString(md5hash[:]), nil
+}
diff --git a/libbeat/formats/pe/.gitignore b/libbeat/formats/pe/.gitignore
new file mode 100644
index 000000000000..abe7c26c9696
--- /dev/null
+++ b/libbeat/formats/pe/.gitignore
@@ -0,0 +1,4 @@
+corpus
+suppressions
+crashers
+pe-fuzz.zip
diff --git a/libbeat/formats/pe/imphash.go b/libbeat/formats/pe/imphash.go
new file mode 100644
index 000000000000..d25121a80111
--- /dev/null
+++ b/libbeat/formats/pe/imphash.go
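Review bot: the filter `symbol.Type&0x0E == 0` keys only on the N_TYPE bits, so debugging stab entries (N_STAB bits 0xE0 set) and non-external undefined symbols are folded into the hash as well; if the intent is to match the reference symhash, which as I understand it hashes imported symbols (undefined and external), the condition should also require `symbol.Type&0xE0 == 0 && symbol.Type&0x01 != 0`, and the result is worth checking against a published symhash for the hello-darwin fixture. Two smaller points: the `Magic == macho.MagicFat` guard looks unreachable, since Parse only passes thin files or fat-file slices and debug/macho rejects a fat magic in NewFile, so it should either go or carry a comment; and the function has no doc comment, where `// symhash returns the MD5 of the sorted, comma-joined undefined symbol names (an imphash analogue for Mach-O), or "" when the file lacks a symbol or dynamic symbol table.` would state the contract and explain the Dysymtab early return.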
@@ -0,0 +1,224 @@
+package pe
+
+import (
+ "crypto/md5"
+ "debug/pe"
+ "encoding/binary"
+ "encoding/hex"
+ "path/filepath"
+ "strings"
+)
+
+func readString(section []byte, start int) string {
+ if start < 0 || start >= len(section) {
+ return ""
+ }
+
+ for end := start; end < len(section); end++ {
+ if section[end] == 0 {
+ return string(section[start:end])
+ }
+ }
+ return ""
+}
+
+func importDirectory(f *pe.File) pe.DataDirectory {
+ var emptyDirectory pe.DataDirectory
+ if f.Machine == pe.IMAGE_FILE_MACHINE_AMD64 {
+ header := f.OptionalHeader.(*pe.OptionalHeader64)
+ if header.NumberOfRvaAndSizes < pe.IMAGE_DIRECTORY_ENTRY_IMPORT+1 {
+ return emptyDirectory
+ }
+ return header.DataDirectory[pe.IMAGE_DIRECTORY_ENTRY_IMPORT]
+ }
+ header := f.OptionalHeader.(*pe.OptionalHeader32)
+ if header.NumberOfRvaAndSizes < pe.IMAGE_DIRECTORY_ENTRY_IMPORT+1 {
+ return emptyDirectory
+ }
+ return header.DataDirectory[pe.IMAGE_DIRECTORY_ENTRY_IMPORT]
+}
+
+func exportDirectory(f *pe.File) pe.DataDirectory {
+ var emptyDirectory pe.DataDirectory
+ if f.Machine == pe.IMAGE_FILE_MACHINE_AMD64 {
+ header := f.OptionalHeader.(*pe.OptionalHeader64)
+ if header.NumberOfRvaAndSizes < pe.IMAGE_DIRECTORY_ENTRY_EXPORT+1 {
+ return emptyDirectory
+ }
+ return header.DataDirectory[pe.IMAGE_DIRECTORY_ENTRY_EXPORT]
+ }
+ header := f.OptionalHeader.(*pe.OptionalHeader32)
+ if header.NumberOfRvaAndSizes < pe.IMAGE_DIRECTORY_ENTRY_EXPORT+1 {
+ return emptyDirectory
+ }
+ return header.DataDirectory[pe.IMAGE_DIRECTORY_ENTRY_EXPORT]
+}
+
+func directoryData(f *pe.File, directory pe.DataDirectory) ([]byte, uint32, uint32, error) {
+ if directory.Size == 0 {
+ return nil, 0, 0, nil
+ }
+ var section *pe.Section
+ for _, s := range f.Sections {
+ if s.VirtualAddress <= directory.VirtualAddress && directory.VirtualAddress < s.VirtualAddress+s.VirtualSize {
+ section = s
+ break
+ }
+ }
+ if section == nil {
+ return nil, 0, 0, nil
+ }
+
+ data, err := section.Data()
+ if err != nil {
+ return
nil, 0, 0, err
+ }
+ return data, directory.VirtualAddress, section.VirtualAddress, nil
+}
+
+func importData(f *pe.File) ([]byte, uint32, uint32, error) {
+ return directoryData(f, importDirectory(f))
+}
+
+func exportData(f *pe.File) ([]byte, uint32, uint32, error) {
+ return directoryData(f, exportDirectory(f))
+}
+
+func normalizeLibraryName(name string) string {
+ name = strings.ToLower(name)
+ extension := filepath.Ext(name)
+ if extension == ".ocx" ||
+ extension == ".sys" ||
+ extension == ".dll" {
+ return name[:len(name)-4]
+ }
+ return name
+}
+
+func exports(f *pe.File) []string {
+ if f.OptionalHeader == nil {
+ return nil
+ }
+ data, exportAddress, sectionAddress, err := exportData(f)
+ if err != nil {
+ // couldn't find the proper data directory, swallow the error
+ return nil
+ }
+ if data == nil {
+ return nil
+ }
+ exportOffset := exportAddress - sectionAddress
+ if int(exportOffset) > len(data) {
+ return nil
+ }
+ tableData := data[exportOffset:]
+ if len(tableData) < 40 {
+ return nil
+ }
+ exportCount := int(binary.LittleEndian.Uint32(tableData[24:30]))
+ nameOffset := binary.LittleEndian.Uint32(tableData[32:36])
+ if len(data) < int(nameOffset-sectionAddress)+1 {
+ return nil
+ }
+ nameRVATable := data[nameOffset-sectionAddress:]
+ // The pointers are 32 bits each and are relative to the image base
+ if len(nameRVATable) < 4*exportCount {
+ return nil
+ }
+
+ functions := make([]string, exportCount)
+ for offset := 0; offset < exportCount; offset++ {
+ start := offset * 4
+ symbolOffset := binary.LittleEndian.Uint32(nameRVATable[start : start+4])
+ functions[offset] = readString(data, int(symbolOffset-sectionAddress))
+ }
+
+ return functions
+}
+
+func imphash(f *pe.File) (map[string][]string, string) {
+ if f.OptionalHeader == nil {
+ return nil, ""
+ }
+
+ pe64 := f.Machine == pe.IMAGE_FILE_MACHINE_AMD64
+ data, importAddress, sectionAddress, err := importData(f)
+ if err != nil {
+ // swallow error
+ return nil, ""
+ }
+ if data == nil {
+ return nil, ""
+ }
+
+ importOffset := importAddress - sectionAddress
+ if int(importOffset) > len(data) {
+ return nil, ""
+ }
+ tableData := data[importOffset:]
+ offset := 0
+ symbols := make(map[string][]string)
+ imphashEntries := []string{}
+ for len(tableData) >= offset+20 {
+ directoryData := tableData[offset:]
+ firstThunk := binary.LittleEndian.Uint32(directoryData[0:4])
+ if firstThunk == 0 {
+ // check to see if the image is not bound
+ firstThunk = binary.LittleEndian.Uint32(directoryData[16:20])
+ if firstThunk == 0 {
+ break
+ }
+ }
+
+ name := binary.LittleEndian.Uint32(directoryData[12:16])
+ dllOffset := int(name - sectionAddress)
+ dllName := readString(data, dllOffset)
+ normalizedDllName := normalizeLibraryName(dllName)
+ functionOffset := int(firstThunk - sectionAddress)
+ offset += 20
+
+ for len(data) > functionOffset {
+ functionData := data[functionOffset:]
+ if pe64 { // 64bit
+ if len(functionData) < 8 {
+ return nil, ""
+ }
+ functionAddress := binary.LittleEndian.Uint64(functionData[0:8])
+ if functionAddress == 0 {
+ break
+ }
+ if functionAddress&0x8000000000000000 > 0 { // is Ordinal
+ normalizedFunctionName := strings.ToLower(lookupOrdinal(dllName, int(functionAddress&0xffffffff)))
+ imphashEntries = append(imphashEntries, normalizedDllName+"."+normalizedFunctionName)
+ } else {
+ functionName := readString(data, int(uint32(functionAddress)-sectionAddress+2))
+ symbols[dllName] = append(symbols[dllName], functionName)
+ normalizedFunctionName := strings.ToLower(functionName)
+ imphashEntries = append(imphashEntries, normalizedDllName+"."+normalizedFunctionName)
+ }
+ functionOffset += 8
+ } else { // 32bit
+ if len(functionData) < 4 {
+ return nil, ""
+ }
+ functionAddress := binary.LittleEndian.Uint32(functionData[0:4])
+ if functionAddress == 0 {
+ break
+ }
+ if functionAddress&0x80000000 > 0 { // is Ordinal
+ normalizedFunctionName := strings.ToLower(lookupOrdinal(dllName, int(functionAddress&0x0000ffff)))
+ imphashEntries =
append(imphashEntries, normalizedDllName+"."+normalizedFunctionName)
+ } else {
+ functionName := readString(data, int(functionAddress-sectionAddress+2))
+ symbols[dllName] = append(symbols[dllName], functionName)
+ normalizedFunctionName := strings.ToLower(functionName)
+ imphashEntries = append(imphashEntries, normalizedDllName+"."+normalizedFunctionName)
+ }
+ functionOffset += 4
+ }
+ }
+ }
+
+ hash := md5.Sum([]byte(strings.Join(imphashEntries, ",")))
+ return symbols, hex.EncodeToString(hash[:])
+}
diff --git a/libbeat/formats/pe/locale.go b/libbeat/formats/pe/locale.go
new file mode 100644
index 000000000000..a36e5b3cd6e4
--- /dev/null
+++ b/libbeat/formats/pe/locale.go
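Review bot: importDirectory and exportDirectory choose the optional-header type from f.Machine and then assert it unchecked (`f.OptionalHeader.(*pe.OptionalHeader64)`), but debug/pe selects OptionalHeader32 vs OptionalHeader64 from the PE32/PE32+ magic, not from Machine, so a file whose FileHeader says AMD64 but carries a PE32 optional header panics on the assertion (and a non-AMD64 64-bit image reads the wrong header). Switch on the header's dynamic type as Parse in pe.go already does, and derive `pe64` in imphash the same way, `_, pe64 := f.OptionalHeader.(*pe.OptionalHeader64)`. In the same hunk, `tableData[24:30]` should be `tableData[24:28]` (NumberOfNames is a single uint32), and the 64-bit ordinal path masks with 0xffffffff where the 32-bit path uses 0xffff; the ordinal is the low 16 bits in both cases. The offset arithmetic (`int(nameOffset-sectionAddress)`, `int(name - sectionAddress)`, `int(firstThunk - sectionAddress)`) relies on a uint32 underflow becoming a large positive int, which holds for a 64-bit int but on a 32-bit GOARCH yields a negative value and `data[functionOffset:]` or `data[nameOffset-sectionAddress:]` then panics, so compare the unsigned values before subtracting. The `+2` in the readString calls deserves a comment that it skips the two-byte hint in front of the name in an IMAGE_IMPORT_BY_NAME entry.
```go
func importDirectory(f *pe.File) pe.DataDirectory {
	var emptyDirectory pe.DataDirectory
	// Select on the optional header debug/pe actually parsed (chosen by the
	// PE32/PE32+ magic), not on FileHeader.Machine, so a mismatched header
	// cannot turn into a failed type assertion.
	switch header := f.OptionalHeader.(type) {
	case *pe.OptionalHeader64:
		if header.NumberOfRvaAndSizes < pe.IMAGE_DIRECTORY_ENTRY_IMPORT+1 {
			return emptyDirectory
		}
		return header.DataDirectory[pe.IMAGE_DIRECTORY_ENTRY_IMPORT]
	case *pe.OptionalHeader32:
		if header.NumberOfRvaAndSizes < pe.IMAGE_DIRECTORY_ENTRY_IMPORT+1 {
			return emptyDirectory
		}
		return header.DataDirectory[pe.IMAGE_DIRECTORY_ENTRY_IMPORT]
	default:
		return emptyDirectory
	}
}
// … unchanged: exportDirectory gets the same type switch on IMAGE_DIRECTORY_ENTRY_EXPORT …
// … unchanged: directoryData, importData, exportData, normalizeLibraryName, exports …
func imphash(f *pe.File) (map[string][]string, string) {
	if f.OptionalHeader == nil {
		return nil, ""
	}

	// Thunk width follows the parsed optional header, not the Machine field.
	_, pe64 := f.OptionalHeader.(*pe.OptionalHeader64)
	// … unchanged: import table walk …
```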
@@ -0,0 +1,234 @@ +package pe + +var localeMap = map[uint16]string{ + 1025: "Arabic - Saudi Arabia", + 1026: "Bulgarian", + 1027: "Catalan", + 1028: "Chinese - Taiwan", + 1029: "Czech", + 1030: "Danish", + 1031: "German - Germany", + 1032: "Greek", + 1033: "English - United States", + 1034: "Spanish - Spain (Traditional Sort)", + 1035: "Finnish", + 1036: "French - France", + 1037: "Hebrew", + 1038: "Hungarian", + 1039: "Icelandic", + 1040: "Italian - Italy", + 1041: "Japanese", + 1042: "Korean", + 1043: "Dutch - Netherlands", + 1044: "Norwegian (Bokmål)", + 1045: "Polish", + 1046: "Portuguese - Brazil", + 1047: "Rhaeto-Romanic", + 1048: "Romanian", + 1049: "Russian", + 1050: "Croatian", + 1051: "Slovak", + 1052: "Albanian - Albania", + 1053: "Swedish", + 1054: "Thai", + 1055: "Turkish", + 1056: "Urdu - Pakistan", + 1057: "Indonesian", + 1058: "Ukrainian", + 1059: "Belarusian", + 1060: "Slovenian", + 1061: "Estonian", + 1062: "Latvian", + 1063: "Lithuanian", + 1064: "Tajik", + 1065: "Persian", + 1066: "Vietnamese", + 1067: "Armenian - Armenia", + 1068: "Azeri (Latin)", + 1069: "Basque", + 1070: "Sorbian", + 1071: "F.Y.R.O. 
Macedonian", + 1072: "Sutu", + 1073: "Tsonga", + 1074: "Tswana", + 1075: "Venda", + 1076: "Xhosa", + 1077: "Zulu", + 1078: "Afrikaans - South Africa", + 1079: "Georgian", + 1080: "Faroese", + 1081: "Hindi", + 1082: "Maltese", + 1083: "Sami", + 1084: "Gaelic (Scotland)", + 1085: "Yiddish", + 1086: "Malay - Malaysia", + 1087: "Kazakh", + 1088: "Kyrgyz (Cyrillic)", + 1089: "Swahili", + 1090: "Turkmen", + 1091: "Uzbek (Latin)", + 1092: "Tatar", + 1093: "Bengali (India)", + 1094: "Punjabi", + 1095: "Gujarati", + 1096: "Oriya", + 1097: "Tamil", + 1098: "Telugu", + 1099: "Kannada", + 1100: "Malayalam", + 1101: "Assamese", + 1102: "Marathi", + 1103: "Sanskrit", + 1104: "Mongolian (Cyrillic)", + 1105: "Tibetan - People's Republic of China", + 1106: "Welsh", + 1107: "Khmer", + 1108: "Lao", + 1109: "Burmese", + 1110: "Galician", + 1111: "Konkani", + 1112: "Manipuri", + 1113: "Sindhi - India", + 1114: "Syriac", + 1115: "Sinhalese - Sri Lanka", + 1116: "Cherokee - United States", + 1117: "Inuktitut", + 1118: "Amharic - Ethiopia", + 1119: "Tamazight (Arabic)", + 1120: "Kashmiri (Arabic)", + 1121: "Nepali", + 1122: "Frisian - Netherlands", + 1123: "Pashto", + 1124: "Filipino", + 1125: "Divehi", + 1126: "Edo", + 1127: "Fulfulde - Nigeria", + 1128: "Hausa - Nigeria", + 1129: "Ibibio - Nigeria", + 1130: "Yoruba", + 1131: "Quecha - Bolivia", + 1132: "Sepedi", + 1136: "Igbo - Nigeria", + 1137: "Kanuri - Nigeria", + 1138: "Oromo", + 1139: "Tigrigna - Ethiopia", + 1140: "Guarani - Paraguay", + 1141: "Hawaiian - United States", + 1142: "Latin", + 1143: "Somali", + 1144: "Yi", + 1145: "Papiamentu", + 1152: "Uighur - China", + 1153: "Maori - New Zealand", + 2049: "Arabic - Iraq", + 2052: "Chinese - People's Republic of China", + 2055: "German - Switzerland", + 2057: "English - United Kingdom", + 2058: "Spanish - Mexico", + 2060: "French - Belgium", + 2064: "Italian - Switzerland", + 2067: "Dutch - Belgium", + 2068: "Norwegian (Nynorsk)", + 2070: "Portuguese - Portugal", + 2072: "Romanian - 
Moldava", + 2073: "Russian - Moldava", + 2074: "Serbian (Latin)", + 2077: "Swedish - Finland", + 2080: "Urdu - India", + 2092: "Azeri (Cyrillic)", + 2108: "Gaelic (Ireland)", + 2110: "Malay - Brunei Darussalam", + 2115: "Uzbek (Cyrillic)", + 2117: "Bengali (Bangladesh)", + 2118: "Punjabi (Pakistan)", + 2128: "Mongolian (Mongolian)", + 2129: "Tibetan - Bhutan", + 2137: "Sindhi - Pakistan", + 2143: "Tamazight (Latin)", + 2144: "Kashmiri (Devanagari)", + 2145: "Nepali - India", + 2155: "Quecha - Ecuador", + 2163: "Tigrigna - Eritrea", + 3073: "Arabic - Egypt", + 3076: "Chinese - Hong Kong SAR", + 3079: "German - Austria", + 3081: "English - Australia", + 3082: "Spanish - Spain (Modern Sort)", + 3084: "French - Canada", + 3098: "Serbian (Cyrillic)", + 3179: "Quecha - Peru", + 4097: "Arabic - Libya", + 4100: "Chinese - Singapore", + 4103: "German - Luxembourg", + 4105: "English - Canada", + 4106: "Spanish - Guatemala", + 4108: "French - Switzerland", + 4122: "Croatian (Bosnia/Herzegovina)", + 5121: "Arabic - Algeria", + 5124: "Chinese - Macao SAR", + 5127: "German - Liechtenstein", + 5129: "English - New Zealand", + 5130: "Spanish - Costa Rica", + 5132: "French - Luxembourg", + 5146: "Bosnian (Bosnia/Herzegovina)", + 6145: "Arabic - Morocco", + 6153: "English - Ireland", + 6154: "Spanish - Panama", + 6156: "French - Monaco", + 7169: "Arabic - Tunisia", + 7177: "English - South Africa", + 7178: "Spanish - Dominican Republic", + 7180: "French - West Indies", + 8193: "Arabic - Oman", + 8201: "English - Jamaica", + 8202: "Spanish - Venezuela", + 8204: "French - Reunion", + 9217: "Arabic - Yemen", + 9225: "English - Caribbean", + 9226: "Spanish - Colombia", + 9228: "French - Democratic Rep. 
of Congo", + 10241: "Arabic - Syria", + 10249: "English - Belize", + 10250: "Spanish - Peru", + 10252: "French - Senegal", + 11265: "Arabic - Jordan", + 11273: "English - Trinidad", + 11274: "Spanish - Argentina", + 11276: "French - Cameroon", + 12289: "Arabic - Lebanon", + 12297: "English - Zimbabwe", + 12298: "Spanish - Ecuador", + 12300: "French - Cote d'Ivoire", + 13313: "Arabic - Kuwait", + 13321: "English - Philippines", + 13322: "Spanish - Chile", + 13324: "French - Mali", + 14337: "Arabic - U.A.E.", + 14345: "English - Indonesia", + 14346: "Spanish - Uruguay", + 14348: "French - Morocco", + 15361: "Arabic - Bahrain", + 15369: "English - Hong Kong SAR", + 15370: "Spanish - Paraguay", + 15372: "French - Haiti", + 16385: "Arabic - Qatar", + 16393: "English - India", + 16394: "Spanish - Bolivia", + 17417: "English - Malaysia", + 17418: "Spanish - El Salvador", + 18441: "English - Singapore", + 18442: "Spanish - Honduras", + 19466: "Spanish - Nicaragua", + 20490: "Spanish - Puerto Rico", + 21514: "Spanish - United States", + 58378: "Spanish - Latin America", + 58380: "French - North Africa", +} + +func languageName(language uint16) string { + if found, ok := localeMap[language]; ok { + return found + } + return "Unknown" +} diff --git a/libbeat/formats/pe/ordinals.go b/libbeat/formats/pe/ordinals.go new file mode 100644 index 000000000000..53e6f84523b2 --- /dev/null +++ b/libbeat/formats/pe/ordinals.go 
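Review bot: languageName returns the fixed string "Unknown" for any id missing from localeMap, so Resource.Language and the ContainedResourcesByLanguage counts fold every unmapped locale into one bucket and the numeric id is lost; returning the id too, e.g. `return "Unknown (" + strconv.Itoa(int(language)) + ")"`, keeps the information and matches idName in resources.go, which already falls back to the number. A doc comment on localeMap stating what the key is (the values look like Windows language ids, but the file does not say) would save the next reader a lookup.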
@@ -0,0 +1,542 @@ +package pe + +import ( + "strconv" + "strings" +) + +var oleaut32Names = map[int]string{ + 2: "SysAllocString", + 3: "SysReAllocString", + 4: "SysAllocStringLen", + 5: "SysReAllocStringLen", + 6: "SysFreeString", + 7: "SysStringLen", + 8: "VariantInit", + 9: "VariantClear", + 10: "VariantCopy", + 11: "VariantCopyInd", + 12: "VariantChangeType", + 13: "VariantTimeToDosDateTime", + 14: "DosDateTimeToVariantTime", + 15: "SafeArrayCreate", + 16: "SafeArrayDestroy", + 17: "SafeArrayGetDim", + 18: "SafeArrayGetElemsize", + 19: "SafeArrayGetUBound", + 20: "SafeArrayGetLBound", + 21: "SafeArrayLock", + 22: "SafeArrayUnlock", + 23: "SafeArrayAccessData", + 24: "SafeArrayUnaccessData", + 25: "SafeArrayGetElement", + 26: "SafeArrayPutElement", + 27: "SafeArrayCopy", + 28: "DispGetParam", + 29: "DispGetIDsOfNames", + 30: "DispInvoke", + 31: "CreateDispTypeInfo", + 32: "CreateStdDispatch", + 33: "RegisterActiveObject", + 34: "RevokeActiveObject", + 35: "GetActiveObject", + 36: "SafeArrayAllocDescriptor", + 37: "SafeArrayAllocData", + 38: "SafeArrayDestroyDescriptor", + 39: "SafeArrayDestroyData", + 40: "SafeArrayRedim", + 41: "SafeArrayAllocDescriptorEx", + 42: "SafeArrayCreateEx", + 43: "SafeArrayCreateVectorEx", + 44: "SafeArraySetRecordInfo", + 45: "SafeArrayGetRecordInfo", + 46: "VarParseNumFromStr", + 47: "VarNumFromParseNum", + 48: "VarI2FromUI1", + 49: "VarI2FromI4", + 50: "VarI2FromR4", + 51: "VarI2FromR8", + 52: "VarI2FromCy", + 53: "VarI2FromDate", + 54: "VarI2FromStr", + 55: "VarI2FromDisp", + 56: "VarI2FromBool", + 57: "SafeArraySetIID", + 58: "VarI4FromUI1", + 59: "VarI4FromI2", + 60: "VarI4FromR4", + 61: "VarI4FromR8", + 62: "VarI4FromCy", + 63: "VarI4FromDate", + 64: "VarI4FromStr", + 65: "VarI4FromDisp", + 66: "VarI4FromBool", + 67: "SafeArrayGetIID", + 68: "VarR4FromUI1", + 69: "VarR4FromI2", + 70: "VarR4FromI4", + 71: "VarR4FromR8", + 72: "VarR4FromCy", + 73: "VarR4FromDate", + 74: "VarR4FromStr", + 75: "VarR4FromDisp", + 76: 
"VarR4FromBool", + 77: "SafeArrayGetVartype", + 78: "VarR8FromUI1", + 79: "VarR8FromI2", + 80: "VarR8FromI4", + 81: "VarR8FromR4", + 82: "VarR8FromCy", + 83: "VarR8FromDate", + 84: "VarR8FromStr", + 85: "VarR8FromDisp", + 86: "VarR8FromBool", + 87: "VarFormat", + 88: "VarDateFromUI1", + 89: "VarDateFromI2", + 90: "VarDateFromI4", + 91: "VarDateFromR4", + 92: "VarDateFromR8", + 93: "VarDateFromCy", + 94: "VarDateFromStr", + 95: "VarDateFromDisp", + 96: "VarDateFromBool", + 97: "VarFormatDateTime", + 98: "VarCyFromUI1", + 99: "VarCyFromI2", + 100: "VarCyFromI4", + 101: "VarCyFromR4", + 102: "VarCyFromR8", + 103: "VarCyFromDate", + 104: "VarCyFromStr", + 105: "VarCyFromDisp", + 106: "VarCyFromBool", + 107: "VarFormatNumber", + 108: "VarBstrFromUI1", + 109: "VarBstrFromI2", + 110: "VarBstrFromI4", + 111: "VarBstrFromR4", + 112: "VarBstrFromR8", + 113: "VarBstrFromCy", + 114: "VarBstrFromDate", + 115: "VarBstrFromDisp", + 116: "VarBstrFromBool", + 117: "VarFormatPercent", + 118: "VarBoolFromUI1", + 119: "VarBoolFromI2", + 120: "VarBoolFromI4", + 121: "VarBoolFromR4", + 122: "VarBoolFromR8", + 123: "VarBoolFromDate", + 124: "VarBoolFromCy", + 125: "VarBoolFromStr", + 126: "VarBoolFromDisp", + 127: "VarFormatCurrency", + 128: "VarWeekdayName", + 129: "VarMonthName", + 130: "VarUI1FromI2", + 131: "VarUI1FromI4", + 132: "VarUI1FromR4", + 133: "VarUI1FromR8", + 134: "VarUI1FromCy", + 135: "VarUI1FromDate", + 136: "VarUI1FromStr", + 137: "VarUI1FromDisp", + 138: "VarUI1FromBool", + 139: "VarFormatFromTokens", + 140: "VarTokenizeFormatString", + 141: "VarAdd", + 142: "VarAnd", + 143: "VarDiv", + 144: "DllCanUnloadNow", + 145: "DllGetClassObject", + 146: "DispCallFunc", + 147: "VariantChangeTypeEx", + 148: "SafeArrayPtrOfIndex", + 149: "SysStringByteLen", + 150: "SysAllocStringByteLen", + 151: "DllRegisterServer", + 152: "VarEqv", + 153: "VarIdiv", + 154: "VarImp", + 155: "VarMod", + 156: "VarMul", + 157: "VarOr", + 158: "VarPow", + 159: "VarSub", + 160: "CreateTypeLib", + 161: 
"LoadTypeLib", + 162: "LoadRegTypeLib", + 163: "RegisterTypeLib", + 164: "QueryPathOfRegTypeLib", + 165: "LHashValOfNameSys", + 166: "LHashValOfNameSysA", + 167: "VarXor", + 168: "VarAbs", + 169: "VarFix", + 170: "OaBuildVersion", + 171: "ClearCustData", + 172: "VarInt", + 173: "VarNeg", + 174: "VarNot", + 175: "VarRound", + 176: "VarCmp", + 177: "VarDecAdd", + 178: "VarDecDiv", + 179: "VarDecMul", + 180: "CreateTypeLib2", + 181: "VarDecSub", + 182: "VarDecAbs", + 183: "LoadTypeLibEx", + 184: "SystemTimeToVariantTime", + 185: "VariantTimeToSystemTime", + 186: "UnRegisterTypeLib", + 187: "VarDecFix", + 188: "VarDecInt", + 189: "VarDecNeg", + 190: "VarDecFromUI1", + 191: "VarDecFromI2", + 192: "VarDecFromI4", + 193: "VarDecFromR4", + 194: "VarDecFromR8", + 195: "VarDecFromDate", + 196: "VarDecFromCy", + 197: "VarDecFromStr", + 198: "VarDecFromDisp", + 199: "VarDecFromBool", + 200: "GetErrorInfo", + 201: "SetErrorInfo", + 202: "CreateErrorInfo", + 203: "VarDecRound", + 204: "VarDecCmp", + 205: "VarI2FromI1", + 206: "VarI2FromUI2", + 207: "VarI2FromUI4", + 208: "VarI2FromDec", + 209: "VarI4FromI1", + 210: "VarI4FromUI2", + 211: "VarI4FromUI4", + 212: "VarI4FromDec", + 213: "VarR4FromI1", + 214: "VarR4FromUI2", + 215: "VarR4FromUI4", + 216: "VarR4FromDec", + 217: "VarR8FromI1", + 218: "VarR8FromUI2", + 219: "VarR8FromUI4", + 220: "VarR8FromDec", + 221: "VarDateFromI1", + 222: "VarDateFromUI2", + 223: "VarDateFromUI4", + 224: "VarDateFromDec", + 225: "VarCyFromI1", + 226: "VarCyFromUI2", + 227: "VarCyFromUI4", + 228: "VarCyFromDec", + 229: "VarBstrFromI1", + 230: "VarBstrFromUI2", + 231: "VarBstrFromUI4", + 232: "VarBstrFromDec", + 233: "VarBoolFromI1", + 234: "VarBoolFromUI2", + 235: "VarBoolFromUI4", + 236: "VarBoolFromDec", + 237: "VarUI1FromI1", + 238: "VarUI1FromUI2", + 239: "VarUI1FromUI4", + 240: "VarUI1FromDec", + 241: "VarDecFromI1", + 242: "VarDecFromUI2", + 243: "VarDecFromUI4", + 244: "VarI1FromUI1", + 245: "VarI1FromI2", + 246: "VarI1FromI4", + 247: 
"VarI1FromR4", + 248: "VarI1FromR8", + 249: "VarI1FromDate", + 250: "VarI1FromCy", + 251: "VarI1FromStr", + 252: "VarI1FromDisp", + 253: "VarI1FromBool", + 254: "VarI1FromUI2", + 255: "VarI1FromUI4", + 256: "VarI1FromDec", + 257: "VarUI2FromUI1", + 258: "VarUI2FromI2", + 259: "VarUI2FromI4", + 260: "VarUI2FromR4", + 261: "VarUI2FromR8", + 262: "VarUI2FromDate", + 263: "VarUI2FromCy", + 264: "VarUI2FromStr", + 265: "VarUI2FromDisp", + 266: "VarUI2FromBool", + 267: "VarUI2FromI1", + 268: "VarUI2FromUI4", + 269: "VarUI2FromDec", + 270: "VarUI4FromUI1", + 271: "VarUI4FromI2", + 272: "VarUI4FromI4", + 273: "VarUI4FromR4", + 274: "VarUI4FromR8", + 275: "VarUI4FromDate", + 276: "VarUI4FromCy", + 277: "VarUI4FromStr", + 278: "VarUI4FromDisp", + 279: "VarUI4FromBool", + 280: "VarUI4FromI1", + 281: "VarUI4FromUI2", + 282: "VarUI4FromDec", + 283: "BSTR_UserSize", + 284: "BSTR_UserMarshal", + 285: "BSTR_UserUnmarshal", + 286: "BSTR_UserFree", + 287: "VARIANT_UserSize", + 288: "VARIANT_UserMarshal", + 289: "VARIANT_UserUnmarshal", + 290: "VARIANT_UserFree", + 291: "LPSAFEARRAY_UserSize", + 292: "LPSAFEARRAY_UserMarshal", + 293: "LPSAFEARRAY_UserUnmarshal", + 294: "LPSAFEARRAY_UserFree", + 295: "LPSAFEARRAY_Size", + 296: "LPSAFEARRAY_Marshal", + 297: "LPSAFEARRAY_Unmarshal", + 298: "VarDecCmpR8", + 299: "VarCyAdd", + 300: "DllUnregisterServer", + 301: "OACreateTypeLib2", + 303: "VarCyMul", + 304: "VarCyMulI4", + 305: "VarCySub", + 306: "VarCyAbs", + 307: "VarCyFix", + 308: "VarCyInt", + 309: "VarCyNeg", + 310: "VarCyRound", + 311: "VarCyCmp", + 312: "VarCyCmpR8", + 313: "VarBstrCat", + 314: "VarBstrCmp", + 315: "VarR8Pow", + 316: "VarR4CmpR8", + 317: "VarR8Round", + 318: "VarCat", + 319: "VarDateFromUdateEx", + 322: "GetRecordInfoFromGuids", + 323: "GetRecordInfoFromTypeInfo", + 325: "SetVarConversionLocaleSetting", + 326: "GetVarConversionLocaleSetting", + 327: "SetOaNoCache", + 329: "VarCyMulI8", + 330: "VarDateFromUdate", + 331: "VarUdateFromDate", + 332: "GetAltMonthNames", 
+ 333: "VarI8FromUI1", + 334: "VarI8FromI2", + 335: "VarI8FromR4", + 336: "VarI8FromR8", + 337: "VarI8FromCy", + 338: "VarI8FromDate", + 339: "VarI8FromStr", + 340: "VarI8FromDisp", + 341: "VarI8FromBool", + 342: "VarI8FromI1", + 343: "VarI8FromUI2", + 344: "VarI8FromUI4", + 345: "VarI8FromDec", + 346: "VarI2FromI8", + 347: "VarI2FromUI8", + 348: "VarI4FromI8", + 349: "VarI4FromUI8", + 360: "VarR4FromI8", + 361: "VarR4FromUI8", + 362: "VarR8FromI8", + 363: "VarR8FromUI8", + 364: "VarDateFromI8", + 365: "VarDateFromUI8", + 366: "VarCyFromI8", + 367: "VarCyFromUI8", + 368: "VarBstrFromI8", + 369: "VarBstrFromUI8", + 370: "VarBoolFromI8", + 371: "VarBoolFromUI8", + 372: "VarUI1FromI8", + 373: "VarUI1FromUI8", + 374: "VarDecFromI8", + 375: "VarDecFromUI8", + 376: "VarI1FromI8", + 377: "VarI1FromUI8", + 378: "VarUI2FromI8", + 379: "VarUI2FromUI8", + 401: "OleLoadPictureEx", + 402: "OleLoadPictureFileEx", + 411: "SafeArrayCreateVector", + 412: "SafeArrayCopyData", + 413: "VectorFromBstr", + 414: "BstrFromVector", + 415: "OleIconToCursor", + 416: "OleCreatePropertyFrameIndirect", + 417: "OleCreatePropertyFrame", + 418: "OleLoadPicture", + 419: "OleCreatePictureIndirect", + 420: "OleCreateFontIndirect", + 421: "OleTranslateColor", + 422: "OleLoadPictureFile", + 423: "OleSavePictureFile", + 424: "OleLoadPicturePath", + 425: "VarUI4FromI8", + 426: "VarUI4FromUI8", + 427: "VarI8FromUI8", + 428: "VarUI8FromI8", + 429: "VarUI8FromUI1", + 430: "VarUI8FromI2", + 431: "VarUI8FromR4", + 432: "VarUI8FromR8", + 433: "VarUI8FromCy", + 434: "VarUI8FromDate", + 435: "VarUI8FromStr", + 436: "VarUI8FromDisp", + 437: "VarUI8FromBool", + 438: "VarUI8FromI1", + 439: "VarUI8FromUI2", + 440: "VarUI8FromUI4", + 441: "VarUI8FromDec", + 442: "RegisterTypeLibForUser", + 443: "UnRegisterTypeLibForUser", +} + +var ws2_32Names = map[int]string{ + 1: "accept", + 2: "bind", + 3: "closesocket", + 4: "connect", + 5: "getpeername", + 6: "getsockname", + 7: "getsockopt", + 8: "htonl", + 9: "htons", + 10: 
"ioctlsocket", + 11: "inet_addr", + 12: "inet_ntoa", + 13: "listen", + 14: "ntohl", + 15: "ntohs", + 16: "recv", + 17: "recvfrom", + 18: "select", + 19: "send", + 20: "sendto", + 21: "setsockopt", + 22: "shutdown", + 23: "socket", + 24: "GetAddrInfoW", + 25: "GetNameInfoW", + 26: "WSApSetPostRoutine", + 27: "FreeAddrInfoW", + 28: "WPUCompleteOverlappedRequest", + 29: "WSAAccept", + 30: "WSAAddressToStringA", + 31: "WSAAddressToStringW", + 32: "WSACloseEvent", + 33: "WSAConnect", + 34: "WSACreateEvent", + 35: "WSADuplicateSocketA", + 36: "WSADuplicateSocketW", + 37: "WSAEnumNameSpaceProvidersA", + 38: "WSAEnumNameSpaceProvidersW", + 39: "WSAEnumNetworkEvents", + 40: "WSAEnumProtocolsA", + 41: "WSAEnumProtocolsW", + 42: "WSAEventSelect", + 43: "WSAGetOverlappedResult", + 44: "WSAGetQOSByName", + 45: "WSAGetServiceClassInfoA", + 46: "WSAGetServiceClassInfoW", + 47: "WSAGetServiceClassNameByClassIdA", + 48: "WSAGetServiceClassNameByClassIdW", + 49: "WSAHtonl", + 50: "WSAHtons", + 51: "gethostbyaddr", + 52: "gethostbyname", + 53: "getprotobyname", + 54: "getprotobynumber", + 55: "getservbyname", + 56: "getservbyport", + 57: "gethostname", + 58: "WSAInstallServiceClassA", + 59: "WSAInstallServiceClassW", + 60: "WSAIoctl", + 61: "WSAJoinLeaf", + 62: "WSALookupServiceBeginA", + 63: "WSALookupServiceBeginW", + 64: "WSALookupServiceEnd", + 65: "WSALookupServiceNextA", + 66: "WSALookupServiceNextW", + 67: "WSANSPIoctl", + 68: "WSANtohl", + 69: "WSANtohs", + 70: "WSAProviderConfigChange", + 71: "WSARecv", + 72: "WSARecvDisconnect", + 73: "WSARecvFrom", + 74: "WSARemoveServiceClass", + 75: "WSAResetEvent", + 76: "WSASend", + 77: "WSASendDisconnect", + 78: "WSASendTo", + 79: "WSASetEvent", + 80: "WSASetServiceA", + 81: "WSASetServiceW", + 82: "WSASocketA", + 83: "WSASocketW", + 84: "WSAStringToAddressA", + 85: "WSAStringToAddressW", + 86: "WSAWaitForMultipleEvents", + 87: "WSCDeinstallProvider", + 88: "WSCEnableNSProvider", + 89: "WSCEnumProtocols", + 90: "WSCGetProviderPath", + 
91: "WSCInstallNameSpace", + 92: "WSCInstallProvider", + 93: "WSCUnInstallNameSpace", + 94: "WSCUpdateProvider", + 95: "WSCWriteNameSpaceOrder", + 96: "WSCWriteProviderOrder", + 97: "freeaddrinfo", + 98: "getaddrinfo", + 99: "getnameinfo", + 101: "WSAAsyncSelect", + 102: "WSAAsyncGetHostByAddr", + 103: "WSAAsyncGetHostByName", + 104: "WSAAsyncGetProtoByNumber", + 105: "WSAAsyncGetProtoByName", + 106: "WSAAsyncGetServByPort", + 107: "WSAAsyncGetServByName", + 108: "WSACancelAsyncRequest", + 109: "WSASetBlockingHook", + 110: "WSAUnhookBlockingHook", + 111: "WSAGetLastError", + 112: "WSASetLastError", + 113: "WSACancelBlockingCall", + 114: "WSAIsBlocking", + 115: "WSAStartup", + 116: "WSACleanup", + 151: "__WSAFDIsSet", + 500: "WEP", +} + +var ordinalMaps = map[string]map[int]string{ + "ws2_32.dll": ws2_32Names, + "wsock32.dll": ws2_32Names, + "oleaut32.dll": oleaut32Names, +} + +func lookupOrdinal(libname string, ordinal int) string { + if names, ok := ordinalMaps[strings.ToLower(libname)]; ok { + if name, ok := names[ordinal]; ok { + return name + } + } + return "ord" + strconv.Itoa(ordinal) +} diff --git a/libbeat/formats/pe/pe.go b/libbeat/formats/pe/pe.go new file mode 100644 index 000000000000..7c0a300eda66 --- /dev/null +++ b/libbeat/formats/pe/pe.go 
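Review bot: ws2_32Names carries an underscore, which Go naming avoids; `ws2Names` or `winsockNames` reads better and is still clear next to the `"ws2_32.dll"` / `"wsock32.dll"` keys. lookupOrdinal is keyed on the lower-cased file name including the extension, so an import descriptor that names the library without `.dll` falls through to the `ordN` form silently; if that is intended, a comment on ordinalMaps saying the keys are full lower-cased file names makes it explicit. A short comment on the `"ord" + strconv.Itoa(ordinal)` fallback noting which imphash convention it is meant to match would help too.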
@@ -0,0 +1,149 @@
+package pe
+
+import (
+ "crypto/md5"
+ "debug/pe"
+ "encoding/hex"
+ "io"
+ "time"
+
+ "github.com/elastic/beats/v7/libbeat/formats/common"
+)
+
+// Section contains information about a section in a PE file.
+type Section struct {
+ Name string `json:"name"`
+ VirtualAddress uint32 `json:"virtualAddress"`
+ VirtualSize uint32 `json:"virtualSize"`
+ RawSize uint32 `json:"rawSize"`
+ Entropy float64 `json:"entropy"`
+ ChiSquare float64 `json:"chi2"`
+ MD5 string `json:"md5,omitempty"`
+}
+
+// Header contains information found in a PE header.
+type Header struct {
+ CompilationTimestamp *time.Time `json:"compilationTimestamp,omitempty"`
+ Entrypoint uint32 `json:"entrypoint"`
+ TargetMachine string `json:"targetMachine"`
+ ContainedSections int `json:"containedSections"`
+}
+
+// Resource represents a resource entry embedded in a PE file.
+type Resource struct {
+ Type string `json:"type"`
+ Language string `json:"language"`
+ SHA256 string `json:"sha256,omitempty"`
+ MIME string `json:"mime,omitempty"`
+ Size int `json:"size"`
+
+ data []byte
+}
+
+// VersionInfo hold keys and values parsed from the version info resource.
+type VersionInfo struct {
+ Name string
+ Value string
+}
+
+// Info contains high level fingerprinting an analysis of a PE file.
+type Info struct {
+ Sections []Section `json:"sections,omitempty"`
+ FileVersionInfo []VersionInfo `json:"version_info,omitempty"`
+ Header Header `json:"header,omitempty"`
+ Imports map[string][]string `json:"imports,omitempty"`
+ Exports []string `json:"exports,omitempty"`
+ ContainedResourcesByType map[string]int `json:"containedResourcesByType,omitempty"`
+ ContainedResourcesByLanguage map[string]int `json:"containedResourcesByLanguage,omitempty"`
+ Resources []Resource `json:"resources,omitempty"`
+ Packer string `json:"packer,omitempty"`
+ ImpHash string `json:"imphash,omitempty"`
+}
+
+func getPacker(f *pe.File) string {
+ for _, section := range f.Sections {
+ if section.Name == "UPX0" {
+ return "upx"
+ }
+ }
+ return ""
+}
+
+// Parse parses the PE and returns information about it or errors.
+func Parse(r io.ReaderAt) (*Info, error) {
+ peFile, err := pe.NewFile(r)
+ if err != nil {
+ return nil, err
+ }
+ // IsDLL: (peFile.Characteristics & 0x2000) == 0x2000,
+ // IsSys: (peFile.Characteristics & 0x1000) == 0x1000,
+
+ var architecture string
+ var entrypoint uint32
+ switch header := peFile.OptionalHeader.(type) {
+ case *pe.OptionalHeader32:
+ architecture = "x32"
+ entrypoint = header.AddressOfEntryPoint
+
+ case *pe.OptionalHeader64:
+ architecture = "x64"
+ entrypoint = header.AddressOfEntryPoint
+
+ default:
+ architecture = "unknown"
+ }
+
+ exportSymbols := exports(peFile)
+ importSymbols, imphash := imphash(peFile)
+
+ sectionSize := len(peFile.Sections)
+ var compiledAt *time.Time
+ timestamp := int64(peFile.FileHeader.TimeDateStamp)
+ if timestamp != 0 {
+ compiled := time.Unix(timestamp, 0).UTC()
+ compiledAt = &compiled
+ }
+
+ info := &Info{
+ ImpHash: imphash,
+ Header: Header{
+ CompilationTimestamp: compiledAt,
+ Entrypoint: entrypoint,
+ TargetMachine: architecture,
+ ContainedSections: sectionSize,
+ },
+ Sections: make([]Section, sectionSize),
+ ContainedResourcesByType: make(map[string]int),
+ ContainedResourcesByLanguage:
make(map[string]int),
+ Imports: importSymbols,
+ Exports: exportSymbols,
+ Packer: getPacker(peFile),
+ }
+ for i, section := range peFile.Sections {
+ hashed := ""
+ data, err := section.Data()
+ if err == nil {
+ md5Hash := md5.Sum(data)
+ hashed = hex.EncodeToString(md5Hash[:])
+ }
+ info.Sections[i] = Section{
+ Name: section.Name,
+ VirtualAddress: section.VirtualAddress,
+ VirtualSize: section.VirtualSize,
+ RawSize: section.Size,
+ Entropy: common.Entropy(data),
+ ChiSquare: common.ChiSquare(data),
+ MD5: hashed,
+ }
+
+ if section.Name == ".rsrc" && len(data) > 0 {
+ info.Resources = parseDirectory(section.VirtualAddress, data)
+ for _, resource := range info.Resources {
+ countValue(info.ContainedResourcesByType, resource.Type)
+ countValue(info.ContainedResourcesByLanguage, resource.Language)
+ }
+ info.FileVersionInfo = getVersionInfoForResources(info.Resources)
+ }
+ }
+ return info, nil
+}
diff --git a/libbeat/formats/pe/pe_fuzz.go b/libbeat/formats/pe/pe_fuzz.go
new file mode 100644
index 000000000000..ccc8d89d4139
--- /dev/null
+++ b/libbeat/formats/pe/pe_fuzz.go
@@ -0,0 +1,12 @@
+// +build fuzz
+
+package pe
+
+import (
+ "bytes"
+)
+
+func Fuzz(data []byte) int {
+ Parse(bytes.NewReader(data))
+ return 0
+}
diff --git a/libbeat/formats/pe/pe_test.go b/libbeat/formats/pe/pe_test.go
new file mode 100644
index 000000000000..3d9dbe2defe3
--- /dev/null
+++ b/libbeat/formats/pe/pe_test.go
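Review bot: `section.Data()` in Parse's section loop reads a buffer sized from section.Size, a uint32 taken straight from the untrusted section header; on Go releases whose debug/pe Section.Data allocates `make([]byte, s.sr.Size())` before reading, a tiny crafted file declaring a ~4 GiB section becomes a multi-gigabyte allocation, which matters for a parser that is fuzzed and fed arbitrary binaries (confirm against the debug/pe version pinned by go.mod). Reading through `io.ReadAll(io.LimitReader(section.Open(), maxSectionBytes))` with a documented cap constant bounds the allocation to data actually present; note that the entropy, chi-square and MD5 fields would then be computed over the truncated bytes, so the cap should be generous and stated in the Section doc comment. `importSymbols, imphash := imphash(peFile)` shadows the imphash function with a local of the same name and is worth renaming to `hash`. The Info doc comment reads "fingerprinting an analysis" where "fingerprinting and analysis" is meant, and the commented-out `// IsDLL:` / `// IsSys:` lines should be either implemented or dropped.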
@@ -0,0 +1,44 @@
+package pe
+
+import (
+ "encoding/json"
+ "io/ioutil"
+ "os"
+ "testing"
+
+ "github.com/stretchr/testify/require"
+)
+
+func TestBinaries(t *testing.T) {
+ generate := os.Getenv("GENERATE") == "1"
+ binaries := []string{
+ "hello-windows",
+ }
+ for _, binary := range binaries {
+ t.Run(binary, func(t *testing.T) {
+ f, err := os.Open("../fixtures/pe/" + binary)
+ require.NoError(t, err)
+ defer f.Close()
+
+ info, err := Parse(f)
+ require.NoError(t, err)
+
+ expectedFile := "../fixtures/pe/" + binary + ".fingerprint"
+ if generate {
+ data, err := json.MarshalIndent(info, "", " ")
+ require.NoError(t, err)
+ require.NoError(t, ioutil.WriteFile(expectedFile, data, 0644))
+ } else {
+ fixture, err := os.Open(expectedFile)
+ require.NoError(t, err)
+ defer fixture.Close()
+ expected, err := ioutil.ReadAll(fixture)
+ require.NoError(t, err)
+
+ data, err := json.Marshal(info)
+ require.NoError(t, err)
+ require.JSONEq(t, string(expected), string(data))
+ }
+ })
+ }
+}
diff --git a/libbeat/formats/pe/resources.go b/libbeat/formats/pe/resources.go
new file mode 100644
index 000000000000..3df4aaa0e1b4
--- /dev/null
+++ b/libbeat/formats/pe/resources.go
@@ -0,0 +1,213 @@
+package pe
+
+import (
+ "encoding/binary"
+ "encoding/hex"
+ "errors"
+ "strconv"
+
+ "github.com/elastic/beats/v7/libbeat/formats/common"
+ "github.com/h2non/filetype"
+ sha256 "github.com/minio/sha256-simd"
+)
+
+const (
+ rtCursor uint32 = 1
+ rtBitmap uint32 = 2
+ rtIcon uint32 = 3
+ rtMenu uint32 = 4
+ rtDialog uint32 = 5
+ rtString uint32 = 6
+ rtFontdir uint32 = 7
+ rtFont uint32 = 8
+ rtAccelerator uint32 = 9
+ rtRcdata uint32 = 10
+ rtMessagetable uint32 = 11
+ rtGroupCursor uint32 = 12
+ rtGroupIcon uint32 = 14
+ rtVersion uint32 = 16
+ rtDlginclude uint32 = 17
+ rtPlugplay uint32 = 19
+ rtVxd uint32 = 20
+ rtAnicursor uint32 = 21
+ rtAniicon uint32 = 22
+ rtHTML uint32 = 23
+ rtManifest uint32 = 24
+ // max depth of directory parsing
+ maxDepth int = 2
+)
+
+var nameMap = map[uint32]string{
+ rtCursor: "RT_CURSOR",
+ rtBitmap: "RT_BITMAP",
+ rtIcon: "RT_ICON",
+ rtMenu: "RT_MENU",
+ rtDialog: "RT_DIALOG",
+ rtString: "RT_STRING",
+ rtFontdir: "RT_FONTDIR",
+ rtFont: "RT_FONT",
+ rtAccelerator: "RT_ACCELERATOR",
+ rtRcdata: "RT_RCDATA",
+ rtMessagetable: "RT_MESSAGETABLE",
+ rtGroupCursor: "RT_GROUP_CURSOR",
+ rtGroupIcon: "RT_GROUP_ICON",
+ rtVersion: "RT_VERSION",
+ rtDlginclude: "RT_DLGINCLUDE",
+ rtPlugplay: "RT_PLUGPLAY",
+ rtVxd: "RT_VXD",
+ rtAnicursor: "RT_ANICURSOR",
+ rtAniicon: "RT_ANIICON",
+ rtHTML: "RT_HTML",
+ rtManifest: "RT_MANIFEST",
+}
+
+func idName(id uint32) string {
+ if found, ok := nameMap[id]; ok {
+ return found
+ }
+ return strconv.Itoa(int(id))
+}
+
+func isRVA(value uint32) bool {
+ return (value & 0x80000000) > 0
+}
+
+func rvaOffset(value uint32) int {
+ return int(value & 0x7fffffff)
+}
+
+// this checks if value is an rva, and if so calculates the real offset
+// and then does a bounds check on the slice that is returned
+func followOffset(global []byte, value uint32, requiredSize int) ([]byte, error) {
+ offset := int(value)
+ if isRVA(value) {
+ offset = rvaOffset(value)
+ }
+ if len(global) < 
offset+requiredSize {
+ return nil, errors.New("invalid data")
+ }
+ return global[offset:], nil
+}
+
+// a lot of the checks we do here are fairly permissive, we want to
+// return as much of the parsable information as we can, so don't bother
+// sanity checking things like the number of entries matching what's specified
+// instead we just make sure to bounds check what we're reading and int the
+// case of potential over-read, return an error
+func parseDirectory(virtualAddress uint32, data []byte) []Resource {
+ entries, err := parseEntries(virtualAddress, "", data, data, 0)
+ if err != nil {
+ // swallow the error and move on
+ return nil
+ }
+ return entries
+}
+
+func parseName(global, base []byte) (string, error) {
+ id := binary.LittleEndian.Uint32(base[0:4])
+ if isRVA(id) {
+ nameData, err := followOffset(global, id, 2)
+ if err != nil {
+ return "", err
+ }
+ nameEnd := int(binary.LittleEndian.Uint16(nameData[0:2]))*2 + 2
+ if len(nameData) < nameEnd {
+ return "", errors.New("invalid data")
+ }
+ return common.ReadUnicode(nameData[:nameEnd], 2), nil
+ }
+ return idName(id), nil
+}
+
+// we swallow errors from followOffset so we
+// parse all entries we can and just ignore
+// the invalid ones
+func parseEntry(virtualAddress uint32, root string, global, base []byte, depth int) ([]Resource, error) {
+ offset := binary.LittleEndian.Uint32(base[4:8])
+ if isRVA(offset) {
+ // we have a nested directory
+ next, err := followOffset(global, offset, 0)
+ if err != nil {
+ return nil, nil
+ }
+ return parseEntries(virtualAddress, root, global, next, depth+1)
+ }
+ // we have a leaf resource
+ language := uint16(binary.LittleEndian.Uint32(base[0:4]))
+ entry, err := followOffset(global, offset, 8)
+ if err != nil {
+ return nil, nil
+ }
+ entryOffset := binary.LittleEndian.Uint32(entry[0:4])
+ entrySize := int(binary.LittleEndian.Uint32(entry[4:8]))
+ if entryOffset < virtualAddress {
+ // we don't fully handle upx packed resources for now which point
+ // to 
the locations of the compressed resouces outside of
+ // the Resource Data section
+ return []Resource{
+ Resource{Type: root, Language: languageName(language), Size: entrySize},
+ }, nil
+ }
+
+ data, err := followOffset(global, entryOffset-virtualAddress, entrySize)
+ if err != nil {
+ // we have an invalid data reference, so just return what we can
+ return []Resource{
+ Resource{Type: root, Language: languageName(language), Size: entrySize},
+ }, nil
+ }
+ resourceData := data[0:entrySize]
+ hash := sha256.Sum256(resourceData)
+ resourceMime := "Data"
+ if kind, err := filetype.Match(resourceData); err == nil && kind.MIME.Value != "" {
+ resourceMime = kind.MIME.Value
+ }
+ return []Resource{
+ Resource{Type: root, Language: languageName(language), Size: entrySize, data: resourceData, MIME: resourceMime, SHA256: hex.EncodeToString(hash[:])},
+ }, nil
+}
+
+// A leaf's Type, Name, and Language IDs are determined by the path
+// that is taken through directory tables to reach the leaf. The first
+// table determines Type ID, the second table (pointed to by the directory
+// entry in the first table) determines Name ID, and the third table
+// determines Language ID. 
+func parseEntries(virtualAddress uint32, root string, global, base []byte, depth int) ([]Resource, error) {
+ if len(base) < 16 {
+ return nil, errors.New("invalid data")
+ }
+ if depth > maxDepth {
+ return nil, errors.New("invalid resource depth")
+ }
+ resources := []Resource{}
+ namedEntries := binary.LittleEndian.Uint16(base[12:14])
+ idEntries := binary.LittleEndian.Uint16(base[14:16])
+ numEntries := int(namedEntries + idEntries)
+ entriesData := base[16:]
+ if len(entriesData) < numEntries*8 {
+ // invalid directory
+ return nil, nil
+ }
+
+ for i := 0; i < numEntries; i++ {
+ entryData := entriesData[8*i:]
+ leafRoot := root
+
+ if leafRoot == "" {
+ var err error
+ leafRoot, err = parseName(global, entryData)
+ if err != nil {
+ // invalid name, still attempt to parse
+ leafRoot = "UNKNOWN"
+ }
+ }
+
+ entryResources, err := parseEntry(virtualAddress, leafRoot, global, entryData, depth)
+ if err != nil {
+ // if we threw an error, just swallow it to keep trying to parse
+ return nil, nil
+ }
+ resources = append(resources, entryResources...)
+ }
+ return resources, nil
+}
diff --git a/libbeat/formats/pe/utils.go b/libbeat/formats/pe/utils.go
new file mode 100644
index 000000000000..4bac306229a8
--- /dev/null
+++ b/libbeat/formats/pe/utils.go
@@ -0,0 +1,9 @@
+package pe
+
+func countValue(group map[string]int, value string) {
+ if found, ok := group[value]; ok {
+ group[value] = found + 1
+ return
+ }
+ group[value] = 1
+}
diff --git a/libbeat/formats/pe/version_info.go b/libbeat/formats/pe/version_info.go
new file mode 100644
index 000000000000..f6893d8f9782
--- /dev/null
+++ b/libbeat/formats/pe/version_info.go
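Review bot: `entrySize := int(binary.LittleEndian.Uint32(entry[4:8]))` in parseEntry turns negative on 32-bit targets for declared sizes of 2^31 and above, after which followOffset's `len(global) < offset+requiredSize` test passes and `data[0:entrySize]` (or the `global[offset:]` slice itself when offset lies past the end) panics on a crafted resource entry; rewriting the guard as `if offset < 0 || requiredSize < 0 || len(global)-offset < requiredSize {` closes that on either word size without any overflow. In parseEntries, `numEntries := int(namedEntries + idEntries)` adds in uint16 and wraps once the two counts exceed 65535 together, so the `numEntries*8` bounds check just below is measured against the wrong count; `int(namedEntries) + int(idEntries)` is the intended value. maxDepth bounds nesting but nothing bounds total work: entries may alias the same subdirectory, so three levels of up to 65535 entries each can drive orders of magnitude more leaf visits (each a SHA-256 over up to entrySize bytes plus an appended Resource) than the file has bytes, which matters because Parse runs on untrusted files inside a processor. A total-entry budget threaded through parseEntries, or a set of visited directory offsets, would cap that, and the cap deserves a sentence in the comment above parseDirectory next to the existing note about permissive checks.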
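Review bot: countValue spells out what a Go map already does, since indexing a missing key yields the zero value; the whole body can be `group[value]++`. A one-line doc comment (`// countValue increments the tally for value in group.`) would also make the helper's purpose explicit at its call sites in pe.go.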
@@ -0,0 +1,102 @@
+package pe
+
+import (
+ "bytes"
+ "encoding/binary"
+
+ "github.com/elastic/beats/v7/libbeat/formats/common"
+)
+
+var (
+ stringFileInfo = []byte{83, 0, 116, 0, 114, 0, 105, 0, 110, 0, 103, 0, 70, 0, 105, 0, 108, 0, 101, 0, 73, 0, 110, 0, 102, 0, 111, 0}
+)
+
+func readStrings(data []byte) []VersionInfo {
+ childStrings := []VersionInfo{}
+ offset := 0
+ for {
+ if len(data) < offset+2 {
+ return childStrings
+ }
+ stringData := data[offset:]
+ stringSize := binary.LittleEndian.Uint16(stringData[0:2])
+ if stringSize == 0 {
+ offset += 2
+ continue
+ }
+ if len(stringData) < 6 {
+ // we have junk string, just try and read past the offset
+ offset += int(stringSize)
+ continue
+ }
+ valueType := binary.LittleEndian.Uint16(stringData[4:6])
+ if valueType == 1 {
+ key := common.ReadUnicode(stringData, 6)
+ paddingOffset := len(key)*2 + 8
+ paddedOffset := paddingOffset + (paddingOffset % 4)
+ if len(stringData) >= paddedOffset+1 {
+ value := common.ReadUnicode(stringData, paddedOffset)
+ if value != "" {
+ childStrings = append(childStrings, VersionInfo{
+ Name: key,
+ Value: value,
+ })
+ }
+ }
+ }
+ offset += int(stringSize)
+ }
+}
+
+func readStringTables(data []byte) []VersionInfo {
+ childStrings := []VersionInfo{}
+ offset := 0
+ for {
+ if len(data) < offset+2 {
+ return childStrings
+ }
+ tableData := data[offset:]
+ tableSize := binary.LittleEndian.Uint16(tableData[0:2])
+ if tableSize == 0 {
+ offset += 2
+ continue
+ }
+ // An 8-digit hexadecimal number stored as a Unicode string
+ szKeyLength := 8 * 2
+ childOffset := szKeyLength + 6
+ paddedOffset := childOffset + (childOffset % 4)
+ childEnd := int(tableSize) - paddedOffset
+ if childEnd < paddedOffset || len(tableData) < paddedOffset+1 || len(tableData) < int(tableSize)-paddedOffset {
+ // we have an invalid string
+ offset += int(tableSize)
+ continue
+ }
+ children := tableData[paddedOffset:childEnd]
+
+ childStrings = append(childStrings, readStrings(children)...)
+ offset += int(tableSize)
+ }
+}
+
+func readStringFileInfo(data []byte) []VersionInfo {
+ szKeyLength := len(stringFileInfo)
+ if len(data) < szKeyLength {
+ return nil
+ }
+ for i := 0; i < len(data)-szKeyLength; i++ {
+ szKey := data[i : i+szKeyLength]
+ if bytes.Compare(szKey, stringFileInfo) == 0 {
+ return readStringTables(data[i+szKeyLength+(i+szKeyLength)%4:])
+ }
+ }
+ return nil
+}
+
+func getVersionInfoForResources(resources []Resource) []VersionInfo {
+ for _, resource := range resources {
+ if resource.Type == "RT_VERSION" {
+ return readStringFileInfo(resource.data)
+ }
+ }
+ return nil
+}
From 63de5828b743a57adad6cafaaf13626f78398878 Mon Sep 17 00:00:00 2001
From: Andrew Stucki
Date: Mon, 22 Feb 2021 16:53:15 -0500
Subject: [PATCH 02/30] Add basic action
---
libbeat/formats/elf/elf.go | 2 +-
libbeat/formats/lnk/lnk.go | 2 +-
libbeat/formats/macho/macho.go | 2 +-
libbeat/formats/pe/pe.go | 2 +-
libbeat/mime/byte.go | 10 ++
libbeat/mime/reader.go | 33 ++++
libbeat/mime/types.go | 21 +++
libbeat/processors/actions/add_format_data.go | 169 ++++++++++++++++++
.../actions/add_format_data_test.go | 103 +++++++++++
9 files changed, 340 insertions(+), 4 deletions(-)
create mode 100644 libbeat/mime/reader.go
create mode 100644 libbeat/mime/types.go
create mode 100644 libbeat/processors/actions/add_format_data.go
create mode 100644 libbeat/processors/actions/add_format_data_test.go
diff --git a/libbeat/formats/elf/elf.go b/libbeat/formats/elf/elf.go
index 036c63acc21a..a35eeaea4514 100644
--- a/libbeat/formats/elf/elf.go
+++ b/libbeat/formats/elf/elf.go
@@ -42,7 +42,7 @@ type Info struct {
}
// Parse parses the elf file and returns information about it or errors.
-func Parse(r io.ReaderAt) (*Info, error) {
+func Parse(r io.ReaderAt) (interface{}, error) {
elfFile, err := elf.NewFile(r)
if err != nil {
return nil, err
diff --git a/libbeat/formats/lnk/lnk.go b/libbeat/formats/lnk/lnk.go
index 80a04e41f096..7958e0e05cf4 100644
--- a/libbeat/formats/lnk/lnk.go
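Review bot: In readStringFileInfo the slice start `i+szKeyLength+(i+szKeyLength)%4` can exceed len(data) by up to two bytes, because the loop lets i reach len(data)-szKeyLength-1 while the alignment term adds up to 3, so a version resource whose StringFileInfo key sits at its very end panics with a slice-bounds error instead of returning nil; compute and check the start first: `start := i + szKeyLength`, `start += start % 4`, `if start > len(data) { return nil }`. The same loop's `bytes.Compare(szKey, stringFileInfo) == 0` reads better as `bytes.Equal(szKey, stringFileInfo)`. In readStringTables, `childEnd := int(tableSize) - paddedOffset` stops 24 bytes short of the table if tableSize is the whole StringTable's wLength as in VS_VERSIONINFO, which would silently drop a trailing String; if that truncation is intended a comment should say why, otherwise the upper bound is `int(tableSize)` with the length check adjusted to match. readStrings' `len(key)*2` also appears to take the UTF-8 byte length of ReadUnicode's result as the UTF-16 unit count, which is only exact for ASCII keys — worth a comment, since a non-ASCII key would misplace the value offset (bounds-checked, so a misread rather than a crash).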
+++ b/libbeat/formats/lnk/lnk.go
@@ -182,7 +182,7 @@ type Info struct {
}
// Parse parses the LNK file and returns information about it or errors.
-func Parse(r io.ReaderAt) (*Info, error) {
+func Parse(r io.ReaderAt) (interface{}, error) {
header, offset, err := parseHeader(r)
if err != nil {
return nil, err
diff --git a/libbeat/formats/macho/macho.go b/libbeat/formats/macho/macho.go
index ff711967dcf7..c22b70328ac5 100644
--- a/libbeat/formats/macho/macho.go
+++ b/libbeat/formats/macho/macho.go
@@ -36,7 +36,7 @@ type Info struct {
}
// Parse parses the mach-o file and returns information about it or errors.
-func Parse(r io.ReaderAt) (*Info, error) {
+func Parse(r io.ReaderAt) (interface{}, error) {
machoFiles := []*macho.File{}
machoFatFile, err := macho.NewFatFile(r)
if err != nil {
diff --git a/libbeat/formats/pe/pe.go b/libbeat/formats/pe/pe.go
index 7c0a300eda66..03cdee680649 100644
--- a/libbeat/formats/pe/pe.go
+++ b/libbeat/formats/pe/pe.go
@@ -70,7 +70,7 @@ func getPacker(f *pe.File) string {
}
// Parse parses the PE and returns information about it or errors.
-func Parse(r io.ReaderAt) (*Info, error) {
+func Parse(r io.ReaderAt) (interface{}, error) {
peFile, err := pe.NewFile(r)
if err != nil {
return nil, err
diff --git a/libbeat/mime/byte.go b/libbeat/mime/byte.go
index c8be7def3614..3f244d2e6f9e 100644
--- a/libbeat/mime/byte.go
+++ b/libbeat/mime/byte.go
@@ -32,6 +32,16 @@ const (
maxHeaderSize = 8192
)
+var addedTypes = map[string]func([]byte) bool{
+ "application/x-ms-shortcut": lnk,
+}
+
+func init() {
+ for mimeType, matcher := range addedTypes {
+ filetype.AddMatcher(filetype.NewType(mimeType, mimeType), matcher)
+ }
+}
+
// DetectBytes tries to detect a mime-type based off
// of a chunk of bytes passed into the function
func DetectBytes(data []byte) string {
diff --git a/libbeat/mime/reader.go b/libbeat/mime/reader.go
new file mode 100644
index 000000000000..f3453400eef5
--- /dev/null
+++ b/libbeat/mime/reader.go
@@ -0,0 +1,33 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package mime
+
+import (
+ "io"
+)
+
+// DetectReader tries to detect a mime-type based off
+// of a chunk of bytes passed in through an io.Reader
+func DetectReader(data io.Reader) string {
+ buffer := make([]byte, maxHeaderSize)
+ n, err := io.ReadFull(data, buffer)
+ if err == nil || err == io.ErrUnexpectedEOF {
+ return DetectBytes(buffer[:n])
+ }
+ return ""
+}
diff --git a/libbeat/mime/types.go b/libbeat/mime/types.go
new file mode 100644
index 000000000000..9eaf5c38f951
--- /dev/null
+++ b/libbeat/mime/types.go
@@ -0,0 +1,21 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package mime
+
+func lnk(buf []byte) bool {
+ return len(buf) > 3 && (buf[0] == 0x4C && buf[1] == 0x00 && buf[2] == 0x00 && buf[3] == 0x00)
+}
diff --git a/libbeat/processors/actions/add_format_data.go b/libbeat/processors/actions/add_format_data.go
new file mode 100644
index 000000000000..35954f87bb26
--- /dev/null
+++ b/libbeat/processors/actions/add_format_data.go
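Review bot: lnk accepts any input whose first four bytes are `4C 00 00 00`, which is only the little-endian header size 76 and a prefix that other binary formats and plain data can share; because this match is what routes a file into lnk.Parse from add_format_data, false positives hand non-shortcut data to that parser. MS-SHLLINK fixes the 16 bytes after HeaderSize as the LinkCLSID 00021401-0000-0000-C000-000000000046, stored on disk as `01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46`, so requiring `len(buf) >= 20` and comparing `buf[4:20]` with those bytes (`bytes.Equal`) makes the signature far more specific at no cost. The function also has no doc comment; `// lnk reports whether buf starts with a Shell Link header: HeaderSize 0x4C followed by the LinkCLSID.` would state the contract.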
@@ -0,0 +1,169 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package actions
+
+import (
+ "fmt"
+ "io"
+ "os"
+
+ "github.com/elastic/beats/v7/libbeat/beat"
+ "github.com/elastic/beats/v7/libbeat/common"
+ "github.com/elastic/beats/v7/libbeat/formats/elf"
+ "github.com/elastic/beats/v7/libbeat/formats/lnk"
+ "github.com/elastic/beats/v7/libbeat/formats/macho"
+ "github.com/elastic/beats/v7/libbeat/formats/pe"
+ "github.com/elastic/beats/v7/libbeat/mime"
+ "github.com/elastic/beats/v7/libbeat/processors"
+ "github.com/elastic/beats/v7/libbeat/processors/checks"
+ "github.com/pkg/errors"
+)
+
+func init() {
+ processors.RegisterPlugin("add_format_data",
+ checks.ConfigChecked(NewAddFormatData,
+ checks.AllowedFields("field", "exclude", "only")))
+}
+
+type addFormatDataProcessor struct {
+ Field string `config:"field"`
+ Exclude *[]string `config:"exclude"`
+ Only *[]string `config:"only"`
+}
+
+const defaultFilePathField = "file.path"
+
+// NewAddFormatData constructs a add format data processor. 
+func NewAddFormatData(cfg *common.Config) (processors.Processor, error) {
+ addFormatData := &addFormatDataProcessor{
+ Field: defaultFilePathField,
+ }
+ if err := cfg.Unpack(addFormatData); err != nil {
+ return nil, errors.Wrapf(err, "fail to unpack the add_format_data configuration")
+ }
+
+ return addFormatData, nil
+}
+
+func (a *addFormatDataProcessor) applyParser(event *beat.Event, path string) error {
+ file, err := os.Open(path)
+ if err != nil {
+ return err
+ }
+ mimeType := mime.DetectReader(file)
+ if mimeType == "" {
+ // we couldn't identify the file, don't parse it
+ return nil
+ }
+ parsers := allParsers
+ // only takes precedence to exclude
+ if a.Only != nil {
+ parsers = onlyParsers(*a.Only)
+ }
+ if a.Exclude != nil {
+ parsers = filterParsers(*a.Exclude)
+ }
+ for _, parser := range parsers {
+ if mimeType == parser.mimeType {
+ data, err := parser.parse(file)
+ if err != nil {
+ return err
+ }
+ event.Fields.DeepUpdate(common.MapStr{
+ parser.target: data,
+ })
+ return nil
+ }
+ }
+ return nil
+}
+
+func (a *addFormatDataProcessor) Run(event *beat.Event) (*beat.Event, error) {
+ valI, err := event.GetValue(a.Field)
+ if err != nil {
+ // doesn't have the required fieldd value to analyze
+ return event, nil
+ }
+ val, _ := valI.(string)
+ if val == "" {
+ // wrong type or not set
+ return event, nil
+ }
+ if err := a.applyParser(event, val); err != nil {
+ return event, err
+ }
+ return event, nil
+}
+
+func (a *addFormatDataProcessor) String() string {
+ return fmt.Sprintf("add_format_data=%+v,%+v,%+v", a.Field, a.Exclude, a.Only)
+}
+
+type parser struct {
+ name string
+ target string
+ mimeType string
+ parse func(r io.ReaderAt) (interface{}, error)
+}
+
+var allParsers = []*parser{
+ makeParser("pe", "file.pe", "application/vnd.microsoft.portable-executable", pe.Parse),
+ makeParser("macho", "file.macho", "application/x-mach-binary", macho.Parse),
+ makeParser("elf", "file.elf", "application/x-executable", elf.Parse),
+ 
makeParser("lnk", "file.lnk", "application/x-ms-shortcut", lnk.Parse),
+}
+
+func makeParser(name, target, mimeType string, parse func(r io.ReaderAt) (interface{}, error)) *parser {
+ return &parser{
+ name: name,
+ target: target,
+ mimeType: mimeType,
+ parse: parse,
+ }
+}
+
+func filterParsers(exclude []string) []*parser {
+ parsers := []*parser{}
+ exclusionSet := map[string]struct{}{}
+ for _, exclusion := range exclude {
+ exclusionSet[exclusion] = struct{}{}
+ }
+
+ for _, parser := range allParsers {
+ if _, ok := exclusionSet[parser.name]; ok {
+ continue
+ }
+ parsers = append(parsers, parser)
+ }
+ return parsers
+}
+
+func onlyParsers(only []string) []*parser {
+ parsers := []*parser{}
+ inclusionSet := map[string]struct{}{}
+ for _, inclusion := range only {
+ inclusionSet[inclusion] = struct{}{}
+ }
+
+ for _, parser := range allParsers {
+ if _, ok := inclusionSet[parser.name]; ok {
+ parsers = append(parsers, parser)
+ }
+ }
+ return parsers
+}
diff --git a/libbeat/processors/actions/add_format_data_test.go b/libbeat/processors/actions/add_format_data_test.go
new file mode 100644
index 000000000000..f7faa0d4001e
--- /dev/null
+++ b/libbeat/processors/actions/add_format_data_test.go
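Review bot: applyParser opens the file with `os.Open(path)` and never closes it, so every event that reaches this code leaks a descriptor until the finalizer happens to run; add `defer file.Close()` directly after the error check. The comment says only takes precedence over exclude, but the second `if a.Exclude != nil` unconditionally replaces the list built from Only, so exclude actually wins when both are configured; `} else if a.Exclude != nil {` makes the code match the comment. The path is taken verbatim from the event field, and os.Open followed by DetectReader's ReadFull would block indefinitely on a FIFO or device node if one were ever named there, so an `os.Stat` with a `Mode().IsRegular()` check before opening is worth considering — hedged, since I can't see from here what produces these events.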
@@ -0,0 +1,103 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package actions
+
+import (
+ "testing"
+
+ "github.com/stretchr/testify/require"
+
+ "github.com/elastic/beats/v7/libbeat/beat"
+ "github.com/elastic/beats/v7/libbeat/common"
+ "github.com/elastic/beats/v7/libbeat/formats/elf"
+ "github.com/elastic/beats/v7/libbeat/formats/lnk"
+ "github.com/elastic/beats/v7/libbeat/formats/macho"
+ "github.com/elastic/beats/v7/libbeat/formats/pe"
+)
+
+func TestFormatDataPE(t *testing.T) {
+ evt := beat.Event{
+ Fields: common.MapStr{
+ "foo.bar.baz": "../../formats/fixtures/pe/hello-windows",
+ },
+ }
+ p, err := NewAddFormatData(common.MustNewConfigFrom(map[string]interface{}{
+ "field": "foo.bar.baz",
+ }))
+ require.NoError(t, err)
+ observed, err := p.Run(&evt)
+ require.NoError(t, err)
+ data, err := observed.Fields.GetValue("file.pe")
+ require.NoError(t, err)
+ _, ok := data.(*pe.Info)
+ require.True(t, ok)
+}
+
+func TestFormatDataMachO(t *testing.T) {
+ evt := beat.Event{
+ Fields: common.MapStr{
+ "foo.bar.baz": "../../formats/fixtures/macho/hello-darwin",
+ },
+ }
+ p, err := NewAddFormatData(common.MustNewConfigFrom(map[string]interface{}{
+ "field": "foo.bar.baz",
+ }))
+ require.NoError(t, err)
+ observed, 
err := p.Run(&evt)
+ require.NoError(t, err)
+ data, err := observed.Fields.GetValue("file.macho")
+ require.NoError(t, err)
+ _, ok := data.(*macho.Info)
+ require.True(t, ok)
+}
+
+func TestFormatDataElf(t *testing.T) {
+ evt := beat.Event{
+ Fields: common.MapStr{
+ "foo.bar.baz": "../../formats/fixtures/elf/hello-linux",
+ },
+ }
+ p, err := NewAddFormatData(common.MustNewConfigFrom(map[string]interface{}{
+ "field": "foo.bar.baz",
+ }))
+ require.NoError(t, err)
+ observed, err := p.Run(&evt)
+ require.NoError(t, err)
+ data, err := observed.Fields.GetValue("file.elf")
+ require.NoError(t, err)
+ _, ok := data.(*elf.Info)
+ require.True(t, ok)
+}
+
+func TestFormatDataLnk(t *testing.T) {
+ evt := beat.Event{
+ Fields: common.MapStr{
+ "foo.bar.baz": "../../formats/fixtures/lnk/local_cmd.lnk",
+ },
+ }
+ p, err := NewAddFormatData(common.MustNewConfigFrom(map[string]interface{}{
+ "field": "foo.bar.baz",
+ }))
+ require.NoError(t, err)
+ observed, err := p.Run(&evt)
+ require.NoError(t, err)
+ data, err := observed.Fields.GetValue("file.lnk")
+ require.NoError(t, err)
+ _, ok := data.(*lnk.Info)
+ require.True(t, ok)
+}
From ff383193eb76b31acc509a2260ea23a2c1d38075 Mon Sep 17 00:00:00 2001
From: Andrew Stucki Date: Mon, 22 Feb 2021 16:56:07 -0500 Subject: [PATCH 03/30] Add license headers --- libbeat/formats/common/chi.go | 17 ++++++++++++++++ libbeat/formats/common/entropy.go | 17 ++++++++++++++++ libbeat/formats/common/string.go | 17 ++++++++++++++++ libbeat/formats/common/unicode.go | 17 ++++++++++++++++ libbeat/formats/elf/elf.go | 17 ++++++++++++++++ libbeat/formats/elf/elf_fuzz.go | 17 ++++++++++++++++ libbeat/formats/elf/elf_test.go | 17 ++++++++++++++++ libbeat/formats/elf/machine.go | 17 ++++++++++++++++ libbeat/formats/elf/prog.go | 17 ++++++++++++++++ libbeat/formats/elf/section.go | 17 ++++++++++++++++ libbeat/formats/elf/telfhash.go | 17 ++++++++++++++++ libbeat/formats/elf/tlsh.go | 17 ++++++++++++++++ libbeat/formats/lnk/extra.go | 17 ++++++++++++++++ libbeat/formats/lnk/extra_console.go | 17 ++++++++++++++++ libbeat/formats/lnk/extra_console_fe.go | 17 ++++++++++++++++ libbeat/formats/lnk/extra_darwin_block.go | 17 ++++++++++++++++ libbeat/formats/lnk/extra_environment.go | 17 ++++++++++++++++ libbeat/formats/lnk/extra_icon_environment.go | 17 ++++++++++++++++ libbeat/formats/lnk/extra_known_folder.go | 17 ++++++++++++++++ libbeat/formats/lnk/extra_property_store.go | 17 ++++++++++++++++ libbeat/formats/lnk/extra_shim.go | 17 ++++++++++++++++ libbeat/formats/lnk/extra_special_folder.go | 17 ++++++++++++++++ libbeat/formats/lnk/extra_tracker.go | 17 ++++++++++++++++ .../lnk/extra_vista_and_above_id_list.go | 17 ++++++++++++++++ libbeat/formats/lnk/header.go | 17 ++++++++++++++++ libbeat/formats/lnk/lnk.go | 17 ++++++++++++++++ libbeat/formats/lnk/lnk_fuzz.go | 17 ++++++++++++++++ libbeat/formats/lnk/lnk_test.go | 17 ++++++++++++++++ libbeat/formats/lnk/location.go | 17 ++++++++++++++++ libbeat/formats/lnk/strings.go | 17 ++++++++++++++++ libbeat/formats/lnk/target.go | 17 ++++++++++++++++ libbeat/formats/macho/macho.go | 17 ++++++++++++++++ libbeat/formats/macho/macho_fuzz.go | 17 ++++++++++++++++ libbeat/formats/macho/macho_test.go | 
17 ++++++++++++++++ libbeat/formats/macho/symhash.go | 17 ++++++++++++++++ libbeat/formats/pe/imphash.go | 17 ++++++++++++++++ libbeat/formats/pe/locale.go | 17 ++++++++++++++++ libbeat/formats/pe/ordinals.go | 17 ++++++++++++++++ libbeat/formats/pe/pe.go | 17 ++++++++++++++++ libbeat/formats/pe/pe_fuzz.go | 17 ++++++++++++++++ libbeat/formats/pe/pe_test.go | 17 ++++++++++++++++ libbeat/formats/pe/resources.go | 20 ++++++++++++++++++- libbeat/formats/pe/utils.go | 17 ++++++++++++++++ libbeat/formats/pe/version_info.go | 17 ++++++++++++++++ libbeat/processors/actions/add_format_data.go | 3 ++- 45 files changed, 752 insertions(+), 2 deletions(-) diff --git a/libbeat/formats/common/chi.go b/libbeat/formats/common/chi.go index d87bb4ae5156..e066303c3ae9 100644 --- a/libbeat/formats/common/chi.go +++ b/libbeat/formats/common/chi.go @@ -1,3 +1,20 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + package common import ( diff --git a/libbeat/formats/common/entropy.go b/libbeat/formats/common/entropy.go index 09b34bb827ec..4625c462092b 100644 --- a/libbeat/formats/common/entropy.go +++ b/libbeat/formats/common/entropy.go 
@@ -1,3 +1,20 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + package common import "math" diff --git a/libbeat/formats/common/string.go b/libbeat/formats/common/string.go index 017d4ff4041c..3ca28d5c5bc6 100644 --- a/libbeat/formats/common/string.go +++ b/libbeat/formats/common/string.go @@ -1,3 +1,20 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + package common // ReadString reads a string starting at the given offset 
diff --git a/libbeat/formats/common/unicode.go b/libbeat/formats/common/unicode.go index a7f1b9519ee1..b07f0d9aa531 100644 --- a/libbeat/formats/common/unicode.go +++ b/libbeat/formats/common/unicode.go @@ -1,3 +1,20 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + package common import ( diff --git a/libbeat/formats/elf/elf.go b/libbeat/formats/elf/elf.go index a35eeaea4514..0aca78bdf5de 100644 --- a/libbeat/formats/elf/elf.go +++ b/libbeat/formats/elf/elf.go 
@@ -1,3 +1,20 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 package elf
 
 import (
diff --git a/libbeat/formats/elf/elf_fuzz.go b/libbeat/formats/elf/elf_fuzz.go
index 0675c849d502..e3580ed9253f 100644
--- a/libbeat/formats/elf/elf_fuzz.go
+++ b/libbeat/formats/elf/elf_fuzz.go
@@ -1,3 +1,20 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 // +build fuzz
 
 package elf
diff --git a/libbeat/formats/elf/elf_test.go b/libbeat/formats/elf/elf_test.go
index d5eefe8e2277..7647d3ca9617 100644
--- a/libbeat/formats/elf/elf_test.go
+++ b/libbeat/formats/elf/elf_test.go
@@ -1,3 +1,20 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 package elf
 
 import (
diff --git a/libbeat/formats/elf/machine.go b/libbeat/formats/elf/machine.go
index cf908297b57a..4cc46745e3c8 100644
--- a/libbeat/formats/elf/machine.go
+++ b/libbeat/formats/elf/machine.go
@@ -1,3 +1,20 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 package elf
 
 import "debug/elf"
diff --git a/libbeat/formats/elf/prog.go b/libbeat/formats/elf/prog.go
index 254b0643e36b..b5b457d73661 100644
--- a/libbeat/formats/elf/prog.go
+++ b/libbeat/formats/elf/prog.go
@@ -1,3 +1,20 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 package elf
 
 import "debug/elf"
diff --git a/libbeat/formats/elf/section.go b/libbeat/formats/elf/section.go
index e1602154a7e7..0c2705534c23 100644
--- a/libbeat/formats/elf/section.go
+++ b/libbeat/formats/elf/section.go
@@ -1,3 +1,20 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 package elf
 
 import (
diff --git a/libbeat/formats/elf/telfhash.go b/libbeat/formats/elf/telfhash.go
index 4d5c854a0abb..a6cd35d63538 100644
--- a/libbeat/formats/elf/telfhash.go
+++ b/libbeat/formats/elf/telfhash.go
@@ -1,3 +1,20 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 package elf
 
 import (
diff --git a/libbeat/formats/elf/tlsh.go b/libbeat/formats/elf/tlsh.go
index 00178ff16737..bf68b899f501 100644
--- a/libbeat/formats/elf/tlsh.go
+++ b/libbeat/formats/elf/tlsh.go
@@ -1,3 +1,20 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 package elf
 
 import (
diff --git a/libbeat/formats/lnk/extra.go b/libbeat/formats/lnk/extra.go
index 2260fe9b0335..5b973408805f 100644
--- a/libbeat/formats/lnk/extra.go
+++ b/libbeat/formats/lnk/extra.go
@@ -1,3 +1,20 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 package lnk
 
 import (
diff --git a/libbeat/formats/lnk/extra_console.go b/libbeat/formats/lnk/extra_console.go
index 17f1ac37e9b9..df52dad65765 100644
--- a/libbeat/formats/lnk/extra_console.go
+++ b/libbeat/formats/lnk/extra_console.go
@@ -1,3 +1,20 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 package lnk
 
 import (
diff --git a/libbeat/formats/lnk/extra_console_fe.go b/libbeat/formats/lnk/extra_console_fe.go
index c92f582fca98..6e908233c940 100644
--- a/libbeat/formats/lnk/extra_console_fe.go
+++ b/libbeat/formats/lnk/extra_console_fe.go
@@ -1,3 +1,20 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 package lnk
 
 import (
diff --git a/libbeat/formats/lnk/extra_darwin_block.go b/libbeat/formats/lnk/extra_darwin_block.go
index 6d1001b1fed7..23bab873a3f2 100644
--- a/libbeat/formats/lnk/extra_darwin_block.go
+++ b/libbeat/formats/lnk/extra_darwin_block.go
@@ -1,3 +1,20 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 package lnk
 
 import (
diff --git a/libbeat/formats/lnk/extra_environment.go b/libbeat/formats/lnk/extra_environment.go
index b8b7de84f821..7c6c764368ac 100644
--- a/libbeat/formats/lnk/extra_environment.go
+++ b/libbeat/formats/lnk/extra_environment.go
@@ -1,3 +1,20 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 package lnk
 
 import (
diff --git a/libbeat/formats/lnk/extra_icon_environment.go b/libbeat/formats/lnk/extra_icon_environment.go
index d2abdf645ee7..5aa6d0430920 100644
--- a/libbeat/formats/lnk/extra_icon_environment.go
+++ b/libbeat/formats/lnk/extra_icon_environment.go
@@ -1,3 +1,20 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 package lnk
 
 import (
diff --git a/libbeat/formats/lnk/extra_known_folder.go b/libbeat/formats/lnk/extra_known_folder.go
index 8071b16af1c8..f2416d606d16 100644
--- a/libbeat/formats/lnk/extra_known_folder.go
+++ b/libbeat/formats/lnk/extra_known_folder.go
@@ -1,3 +1,20 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 package lnk
 
 import (
diff --git a/libbeat/formats/lnk/extra_property_store.go b/libbeat/formats/lnk/extra_property_store.go
index 1d467d265b70..44fff19dd9ff 100644
--- a/libbeat/formats/lnk/extra_property_store.go
+++ b/libbeat/formats/lnk/extra_property_store.go
@@ -1,3 +1,20 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 package lnk
 
 import (
diff --git a/libbeat/formats/lnk/extra_shim.go b/libbeat/formats/lnk/extra_shim.go
index ecf535c1e458..8c16861ddf24 100644
--- a/libbeat/formats/lnk/extra_shim.go
+++ b/libbeat/formats/lnk/extra_shim.go
@@ -1,3 +1,20 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 package lnk
 
 import (
diff --git a/libbeat/formats/lnk/extra_special_folder.go b/libbeat/formats/lnk/extra_special_folder.go
index 04fc287f12b9..66b786db9e38 100644
--- a/libbeat/formats/lnk/extra_special_folder.go
+++ b/libbeat/formats/lnk/extra_special_folder.go
@@ -1,3 +1,20 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 package lnk
 
 import (
diff --git a/libbeat/formats/lnk/extra_tracker.go b/libbeat/formats/lnk/extra_tracker.go
index 42392235c9cd..f8523a20364e 100644
--- a/libbeat/formats/lnk/extra_tracker.go
+++ b/libbeat/formats/lnk/extra_tracker.go
@@ -1,3 +1,20 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 package lnk
 
 import (
diff --git a/libbeat/formats/lnk/extra_vista_and_above_id_list.go b/libbeat/formats/lnk/extra_vista_and_above_id_list.go
index 03f2e65e8103..a7a6525dca36 100644
--- a/libbeat/formats/lnk/extra_vista_and_above_id_list.go
+++ b/libbeat/formats/lnk/extra_vista_and_above_id_list.go
@@ -1,3 +1,20 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 package lnk
 
 import "errors"
diff --git a/libbeat/formats/lnk/header.go b/libbeat/formats/lnk/header.go
index ee2c7b224ab2..8b7a3168a364 100644
--- a/libbeat/formats/lnk/header.go
+++ b/libbeat/formats/lnk/header.go
@@ -1,3 +1,20 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 package lnk
 
 import (
diff --git a/libbeat/formats/lnk/lnk.go b/libbeat/formats/lnk/lnk.go
index 7958e0e05cf4..ec7d2ed7516c 100644
--- a/libbeat/formats/lnk/lnk.go
+++ b/libbeat/formats/lnk/lnk.go
@@ -1,3 +1,20 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 package lnk
 
 // https://github.com/libyal/liblnk/blob/master/documentation/Windows%20Shortcut%20File%20(LNK)%20format.asciidoc
diff --git a/libbeat/formats/lnk/lnk_fuzz.go b/libbeat/formats/lnk/lnk_fuzz.go
index bef64066803f..35e1032cfbd0 100644
--- a/libbeat/formats/lnk/lnk_fuzz.go
+++ b/libbeat/formats/lnk/lnk_fuzz.go
@@ -1,3 +1,20 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 // +build fuzz
 
 package lnk
diff --git a/libbeat/formats/lnk/lnk_test.go b/libbeat/formats/lnk/lnk_test.go
index 3db7f699d6cc..8a8a48c0d3d8 100644
--- a/libbeat/formats/lnk/lnk_test.go
+++ b/libbeat/formats/lnk/lnk_test.go
@@ -1,3 +1,20 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 package lnk
 
 import (
diff --git a/libbeat/formats/lnk/location.go b/libbeat/formats/lnk/location.go
index 002875b493d9..69ea649b1161 100644
--- a/libbeat/formats/lnk/location.go
+++ b/libbeat/formats/lnk/location.go
@@ -1,3 +1,20 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 package lnk
 
 import (
diff --git a/libbeat/formats/lnk/strings.go b/libbeat/formats/lnk/strings.go
index 47d63569fd72..ed232161b6a4 100644
--- a/libbeat/formats/lnk/strings.go
+++ b/libbeat/formats/lnk/strings.go
@@ -1,3 +1,20 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 package lnk
 
 import (
diff --git a/libbeat/formats/lnk/target.go b/libbeat/formats/lnk/target.go
index bd8f32f5db04..d0e01ed65942 100644
--- a/libbeat/formats/lnk/target.go
+++ b/libbeat/formats/lnk/target.go
@@ -1,3 +1,20 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 package lnk
 
 import (
diff --git a/libbeat/formats/macho/macho.go b/libbeat/formats/macho/macho.go
index c22b70328ac5..727b1947a8d0 100644
--- a/libbeat/formats/macho/macho.go
+++ b/libbeat/formats/macho/macho.go
@@ -1,3 +1,20 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 package macho
 
 import (
diff --git a/libbeat/formats/macho/macho_fuzz.go b/libbeat/formats/macho/macho_fuzz.go
index 145884776412..1f1b66792f1d 100644
--- a/libbeat/formats/macho/macho_fuzz.go
+++ b/libbeat/formats/macho/macho_fuzz.go
@@ -1,3 +1,20 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 // +build fuzz
 
 package macho
diff --git a/libbeat/formats/macho/macho_test.go b/libbeat/formats/macho/macho_test.go
index cf8507ebc534..e40718e7c0d1 100644
--- a/libbeat/formats/macho/macho_test.go
+++ b/libbeat/formats/macho/macho_test.go
@@ -1,3 +1,20 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 package macho
 
 import (
diff --git a/libbeat/formats/macho/symhash.go b/libbeat/formats/macho/symhash.go
index c6df8c367250..1e9a2d9444f6 100644
--- a/libbeat/formats/macho/symhash.go
+++ b/libbeat/formats/macho/symhash.go
@@ -1,3 +1,20 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 package macho
 
 import (
diff --git a/libbeat/formats/pe/imphash.go b/libbeat/formats/pe/imphash.go
index d25121a80111..74aa875d68ac 100644
--- a/libbeat/formats/pe/imphash.go
+++ b/libbeat/formats/pe/imphash.go
@@ -1,3 +1,20 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + package pe import ( diff --git a/libbeat/formats/pe/locale.go b/libbeat/formats/pe/locale.go index a36e5b3cd6e4..8fd088c8cca5 100644 --- a/libbeat/formats/pe/locale.go +++ b/libbeat/formats/pe/locale.go @@ -1,3 +1,20 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + package pe var localeMap = map[uint16]string{ 
diff --git a/libbeat/formats/pe/ordinals.go b/libbeat/formats/pe/ordinals.go index 53e6f84523b2..dd6ea7f6edb0 100644 --- a/libbeat/formats/pe/ordinals.go +++ b/libbeat/formats/pe/ordinals.go @@ -1,3 +1,20 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + package pe import ( diff --git a/libbeat/formats/pe/pe.go b/libbeat/formats/pe/pe.go index 03cdee680649..0a20317da745 100644 --- a/libbeat/formats/pe/pe.go +++ b/libbeat/formats/pe/pe.go 
@@ -1,3 +1,20 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + package pe import ( diff --git a/libbeat/formats/pe/pe_fuzz.go b/libbeat/formats/pe/pe_fuzz.go index ccc8d89d4139..7b4be49b10b5 100644 --- a/libbeat/formats/pe/pe_fuzz.go +++ b/libbeat/formats/pe/pe_fuzz.go @@ -1,3 +1,20 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + // +build fuzz package pe diff --git a/libbeat/formats/pe/pe_test.go b/libbeat/formats/pe/pe_test.go index 3d9dbe2defe3..c9487588d2f0 100644 
--- a/libbeat/formats/pe/pe_test.go +++ b/libbeat/formats/pe/pe_test.go @@ -1,3 +1,20 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + package pe import ( diff --git a/libbeat/formats/pe/resources.go b/libbeat/formats/pe/resources.go index 3df4aaa0e1b4..968cbae5e076 100644 --- a/libbeat/formats/pe/resources.go +++ b/libbeat/formats/pe/resources.go @@ -1,3 +1,20 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + package pe import ( 
@@ -6,9 +23,10 @@ import ( "errors" "strconv" - "github.com/elastic/beats/v7/libbeat/formats/common" "github.com/h2non/filetype" sha256 "github.com/minio/sha256-simd" + + "github.com/elastic/beats/v7/libbeat/formats/common" ) const ( diff --git a/libbeat/formats/pe/utils.go b/libbeat/formats/pe/utils.go index 4bac306229a8..813e2aafcf52 100644 --- a/libbeat/formats/pe/utils.go +++ b/libbeat/formats/pe/utils.go @@ -1,3 +1,20 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + package pe func countValue(group map[string]int, value string) { diff --git a/libbeat/formats/pe/version_info.go b/libbeat/formats/pe/version_info.go index f6893d8f9782..2f093141b17b 100644 --- a/libbeat/formats/pe/version_info.go +++ b/libbeat/formats/pe/version_info.go 
@@ -1,3 +1,20 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + package pe import ( diff --git a/libbeat/processors/actions/add_format_data.go b/libbeat/processors/actions/add_format_data.go index 35954f87bb26..09f3c98d72af 100644 --- a/libbeat/processors/actions/add_format_data.go +++ b/libbeat/processors/actions/add_format_data.go @@ -22,6 +22,8 @@ import ( "io" "os" + "github.com/pkg/errors" + "github.com/elastic/beats/v7/libbeat/beat" "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/formats/elf" @@ -31,7 +33,6 @@ import ( "github.com/elastic/beats/v7/libbeat/mime" "github.com/elastic/beats/v7/libbeat/processors" "github.com/elastic/beats/v7/libbeat/processors/checks" - "github.com/pkg/errors" ) func init() { From c1a24848e6160fd9119ceff64127c1673b5c4176 Mon Sep 17 00:00:00 2001 From: Andrew Stucki Date: Mon, 22 Feb 2021 17:00:08 -0500 Subject: [PATCH 04/30] Add exclude/only test --- .../actions/add_format_data_test.go | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/libbeat/processors/actions/add_format_data_test.go b/libbeat/processors/actions/add_format_data_test.go index f7faa0d4001e..223b354bcaaa 100644 --- a/libbeat/processors/actions/add_format_data_test.go 
+++ b/libbeat/processors/actions/add_format_data_test.go @@ -101,3 +101,37 @@ func TestFormatDataLnk(t *testing.T) { _, ok := data.(*lnk.Info) require.True(t, ok) } + +func TestFormatDataOnly(t *testing.T) { + evt := beat.Event{ + Fields: common.MapStr{ + "foo.bar.baz": "../../formats/fixtures/pe/hello-windows", + }, + } + p, err := NewAddFormatData(common.MustNewConfigFrom(map[string]interface{}{ + "field": "foo.bar.baz", + "only": []string{"macho"}, + })) + require.NoError(t, err) + observed, err := p.Run(&evt) + require.NoError(t, err) + _, err = observed.Fields.GetValue("file.pe") + require.Error(t, err) +} + +func TestFormatDataExclude(t *testing.T) { + evt := beat.Event{ + Fields: common.MapStr{ + "foo.bar.baz": "../../formats/fixtures/pe/hello-windows", + }, + } + p, err := NewAddFormatData(common.MustNewConfigFrom(map[string]interface{}{ + "field": "foo.bar.baz", + "exclude": []string{"pe"}, + })) + require.NoError(t, err) + observed, err := p.Run(&evt) + require.NoError(t, err) + _, err = observed.Fields.GetValue("file.pe") + require.Error(t, err) +} From 9bf99d95ca5ccb0e43719353e71de81804fb3ba7 Mon Sep 17 00:00:00 2001 From: Andrew Stucki Date: Mon, 22 Feb 2021 22:26:08 -0500 Subject: [PATCH 05/30] move the filtering into the constructor --- libbeat/processors/actions/add_format_data.go | 20 ++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/libbeat/processors/actions/add_format_data.go b/libbeat/processors/actions/add_format_data.go index 09f3c98d72af..d200903b585b 100644 --- a/libbeat/processors/actions/add_format_data.go +++ b/libbeat/processors/actions/add_format_data.go @@ -45,6 +45,7 @@ type addFormatDataProcessor struct { Field string `config:"field"` Exclude *[]string `config:"exclude"` Only *[]string `config:"only"` + parsers []*parser } const defaultFilePathField = "file.path" 
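Review bot: `TestFormatDataOnly` and `TestFormatDataExclude` assert only that `file.pe` is absent, which a processor that ran no parser at all (or failed to identify the fixture) would satisfy just as well; each should also assert something positive, e.g. run the `only` case against a fixture of a listed type and check its `file.*` key is present. Neither test sets `only` and `exclude` together, which is exactly the interaction the constructor comments describe as "only takes precedence to exclude"; a case with `"only": []string{"pe"}` and `"exclude": []string{"pe"}` on the same fixture would pin that contract one way or the other. The fixture path is relative to the working directory, so these tests presumably rely on being run from the package directory like the neighbouring `TestFormatDataLnk`.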
@@ -57,6 +58,15 @@ func NewAddFormatData(cfg *common.Config) (processors.Processor, error) { if err := cfg.Unpack(addFormatData); err != nil { return nil, errors.Wrapf(err, "fail to unpack the add_format_data configuration") } + parsers := allParsers + // only takes precedence to exclude + if addFormatData.Only != nil { + parsers = onlyParsers(*addFormatData.Only) + } + if addFormatData.Exclude != nil { + parsers = filterParsers(*addFormatData.Exclude) + } + addFormatData.parsers = parsers return addFormatData, nil } @@ -71,15 +81,7 @@ func (a *addFormatDataProcessor) applyParser(event *beat.Event, path string) err // we couldn't identify the file, don't parse it return nil } - parsers := allParsers - // only takes precedence to exclude - if a.Only != nil { - parsers = onlyParsers(*a.Only) - } - if a.Exclude != nil { - parsers = filterParsers(*a.Exclude) - } - for _, parser := range parsers { + for _, parser := range a.parsers { if mimeType == parser.mimeType { data, err := parser.parse(file) if err != nil { From 878639a5b295e0bc18e01d3f743dce94148a0b16 Mon Sep 17 00:00:00 2001 From: Andrew Stucki Date: Tue, 23 Feb 2021 09:37:06 -0500 Subject: [PATCH 06/30] ECS-ify elf --- libbeat/formats/dwarf/dwarf.go | 154 ++++++++ libbeat/formats/elf/elf.go | 178 ++++++--- libbeat/formats/elf/{machine.go => header.go} | 84 +++++ libbeat/formats/elf/section.go | 8 +- .../fixtures/elf/hello-linux.fingerprint | 344 +++++++++++------- 5 files changed, 574 insertions(+), 194 deletions(-) create mode 100644 libbeat/formats/dwarf/dwarf.go rename libbeat/formats/elf/{machine.go => header.go} (84%) diff --git a/libbeat/formats/dwarf/dwarf.go b/libbeat/formats/dwarf/dwarf.go new file mode 100644 index 000000000000..b2c4d54b7729 --- /dev/null +++ b/libbeat/formats/dwarf/dwarf.go 
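Review bot: In `NewAddFormatData` the comment `// only takes precedence to exclude` does not describe the code under it: when both options are configured, `parsers = filterParsers(*addFormatData.Exclude)` overwrites the `onlyParsers` result computed two lines earlier, so `exclude` wins (assuming `filterParsers` starts from `allParsers`; its body is outside the hunk). Changing the second branch to `} else if addFormatData.Exclude != nil {` gives the documented precedence, or, if both lists are meant to apply, the filter should take the `only` result as its input. Since the selection now happens once at construction, this is also the place to reject a name in `only`/`exclude` that matches no known parser, which presumably otherwise just disables parsing silently. The second hunk shows the same logic being removed from `applyParser`, so the defect is relocated by this commit rather than introduced.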
@@ -0,0 +1,154 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package dwarf + +import ( + "debug/dwarf" + "time" +) + +var dwarfTypes = map[dwarf.Tag]string{ + dwarf.TagArrayType: "array", + dwarf.TagClassType: "class", + dwarf.TagEntryPoint: "entrypoint", + dwarf.TagEnumerationType: "enumeration", + dwarf.TagFormalParameter: "formal parameter", + dwarf.TagImportedDeclaration: "imported declaration", + dwarf.TagLabel: "label", + dwarf.TagLexDwarfBlock: "lex block", + dwarf.TagMember: "member", + dwarf.TagPointerType: "pointer", + dwarf.TagReferenceType: "reference", + dwarf.TagCompileUnit: "compile unit", + dwarf.TagStringType: "string", + dwarf.TagStructType: "struct", + dwarf.TagSubroutineType: "subroutine", + dwarf.TagTypedef: "typedef", + dwarf.TagUnionType: "union", + dwarf.TagUnspecifiedParameters: "unspecified parameters", + dwarf.TagVariant: "variant", + dwarf.TagCommonDwarfBlock: "common block", + dwarf.TagCommonInclusion: "common inclusion", + dwarf.TagInheritance: "inheritance", + dwarf.TagInlinedSubroutine: "inlined subroutine", + dwarf.TagModule: "module", + dwarf.TagPtrToMemberType: "pointer to member", + dwarf.TagSetType: "set", + dwarf.TagSubrangeType: "subrange", + dwarf.TagWithStmt: "with 
statement", + dwarf.TagAccessDeclaration: "access declaration", + dwarf.TagBaseType: "base", + dwarf.TagCatchDwarfBlock: "catch block", + dwarf.TagConstType: "const", + dwarf.TagConstant: "constant", + dwarf.TagEnumerator: "enumerator", + dwarf.TagFileType: "file", + dwarf.TagFriend: "friend", + dwarf.TagNamelist: "namelist", + dwarf.TagNamelistItem: "namelist item", + dwarf.TagPackedType: "packed", + dwarf.TagSubprogram: "subprogram", + dwarf.TagTemplateTypeParameter: "template type parameter", + dwarf.TagTemplateValueParameter: "template value parameter", + dwarf.TagThrownType: "thrown", + dwarf.TagTryDwarfBlock: "try block", + dwarf.TagVariantPart: "variant part", + dwarf.TagVariable: "variable", + dwarf.TagVolatileType: "volatile", + dwarf.TagDwarfProcedure: "procedure", + dwarf.TagRestrictType: "restrict", + dwarf.TagInterfaceType: "interface", + dwarf.TagNamespace: "namespace", + dwarf.TagImportedModule: "imported module", + dwarf.TagUnspecifiedType: "unspecified", + dwarf.TagPartialUnit: "partial unit", + dwarf.TagImportedUnit: "imported unit", + dwarf.TagMutableType: "mutable", + dwarf.TagCondition: "condition", + dwarf.TagSharedType: "shared", + dwarf.TagTypeUnit: "type unit", + dwarf.TagRvalueReferenceType: "rvalue reference", + dwarf.TagTemplateAlias: "template alias", + dwarf.TagCoarrayType: "coarray", + dwarf.TagGenericSubrange: "generic subrange", + dwarf.TagDynamicType: "dynamic", + dwarf.TagAtomicType: "atomic", + dwarf.TagCallSite: "call site", + dwarf.TagCallSiteParameter: "call site parameter", + dwarf.TagSkeletonUnit: "skeleton unit", + dwarf.TagImmutableType: "immutable", +} + +func lookupType(tag dwarf.Tag) string { + if name, ok := dwarfTypes[tag]; ok { + return name + } + return "unknown" +} + +// DWARF contains debug info +type DWARF struct { + Offset int64 `json:"offset,omitempty"` + Size int64 `json:"size,omitempty"` + Type string `json:"type,omitempty"` + Timestamp *time.Time `json:"timestamp,omitempty"` +} + +// Parse parses a DWARF 
table into debug sections +func Parse(data *dwarf.Data) ([]DWARF, error) { + reader := data.Reader() + if reader == nil { + return nil, nil + } + offset := dwarf.Offset(0) + symbols := []DWARF{} + for { + entry, err := reader.Next() + if entry == nil { + break + } + if err != nil { + return nil, err + } + size := entry.Offset - offset + offset = entry.Offset + var compiledAt *time.Time + if entry.Tag == dwarf.TagCompileUnit { + lreader, err := data.LineReader(entry) + if err == nil { + // just skip if we can't read the data + for _, f := range lreader.Files() { + if f != nil && f.Mtime != 0 { + // we have some sort of modification time + // use it as thhe compiled time + compiled := time.Unix(int64(f.Mtime), 0).UTC() + compiledAt = &compiled + break + } + } + } + } + symbols = append(symbols, DWARF{ + Offset: int64(entry.Offset), + Size: int64(size), + Type: lookupType(entry.Tag), + Timestamp: compiledAt, + }) + } + return symbols, nil +} diff --git a/libbeat/formats/elf/elf.go b/libbeat/formats/elf/elf.go index 0aca78bdf5de..3adeed2d1666 100644 --- a/libbeat/formats/elf/elf.go +++ b/libbeat/formats/elf/elf.go 
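Review bot: In `Parse`, `if entry == nil { break }` is tested before `if err != nil { return nil, err }`; `(*dwarf.Reader).Next` returns a nil entry together with a non-nil error, so the error branch is unreachable and a malformed or truncated debug section ends the loop silently with a partial slice and a nil error. Swap the two checks so the error is handled first: `if err != nil { return nil, err }` followed by `if entry == nil { break }`. `size := entry.Offset - offset` is the gap since the previous entry (and the distance from offset 0 for the first one) rather than the entry's own encoded size, so the `DWARF.Size` field needs a comment saying what it measures. The comment `// use it as thhe compiled time` has a typo, and treating a line-table file mtime as the compile time is an assumption that should be stated as one, e.g. `// NOTE: line-table file mtimes are taken as a proxy for compile time`.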
@@ -19,43 +19,74 @@ package elf import ( "bytes" - "crypto/md5" "debug/elf" - "encoding/hex" + "fmt" "io" "io/ioutil" "github.com/elastic/beats/v7/libbeat/formats/common" + "github.com/elastic/beats/v7/libbeat/formats/dwarf" ) -// Section contains information about a section in a mach-o file. -type Section struct { - Name string `json:"name"` - Type string `json:"type"` - Address uint64 `json:"address"` - Size uint64 `json:"size"` - Offset uint64 `json:"offset"` - Entropy float64 `json:"entropy"` - ChiSquare float64 `json:"chi2"` - Flags string `json:"flags"` - MD5 string `json:"md5,omitempty"` -} - // Segment represents a program segment type Segment struct { Name string `json:"name"` Sections []string `json:"sections"` } -// Info contains high level fingerprinting an analysis of a mach-o file. +// Symbol contains information about a symbol +type Symbol struct { + Name string `json:"name"` + Type string `json:"type"` +} + +// Header contains information inside the elf header. +type Header struct { + Class string `json:"class"` + Data string `json:"data"` + Machine string `json:"machine"` + OSAbi string `json:"os_abi"` + Type string `json:"type"` + Version string `json:"version"` + AbiVersion string `json:"abi_version"` + Entrypoint string `json:"entrypoint"` + + // Is this either Version or AbiVersion? + // ObjectVersion string `json:"object_version"` +} + +// Section contains information about a section in an elf file. +type Section struct { + Flags []string `json:"flags,omitempty"` + Name string `json:"name"` + PhysicalOffset int64 `json:"physical_offset"` + Type string `json:"type"` + PhysicalSize int64 `json:"physical_size"` + VirtualAddress int64 `json:"virtual_address"` + VirtualSize int64 `json:"virtual_size"` + Entropy float64 `json:"entropy"` + ChiSquare float64 `json:"chi2"` +} + +// Info contains high level fingerprinting an analysis of a elf file. 
type Info struct { - Machine string `json:"machine"` - Segments []Segment `json:"segments,omitempty"` - Sections []Section `json:"sections,omitempty"` - Imports map[string][]string `json:"imports,omitempty"` - Exports []string `json:"exports,omitempty"` - Packer string `json:"packer,omitempty"` - Telfhash string `json:"telfhash,omitempty"` + Imports []Symbol `json:"imports,omitempty"` + Exports []Symbol `json:"exports,omitempty"` + Telfhash string `json:"telfhash,omitempty"` + Segments []Segment `json:"segments,omitempty"` + SharedLibraries []string `json:"shared_libraries,omitempty"` + Header Header `json:"header"` + Sections []Section `json:"sections,omitempty"` + Packers []string `json:"packers,omitempty"` + Debug []dwarf.DWARF `json:"debug,omitempty"` + + // This isn't in ELF + // CreationDate time.Time `json:"creation_date"` + + // These are already contained in Header + // Architecture string `json:"architecture"` + // ByteOrder string `json:"byte_order"` + // CPUType string `json:"cpu_type"` } // Parse parses the elf file and returns information about it or errors. 
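Review bot: The new `Header` and `Info` structs ship unresolved design notes as code comments (`// Is this either Version or AbiVersion?`, and the commented-out `CreationDate`, `Architecture`, `ByteOrder`, `CPUType` fields); a reader of the exported type cannot tell whether these are planned or rejected, so they should be resolved before merge or collapsed into one TODO pointing at where the ECS mapping decision is tracked. The `Info` doc comment reads `fingerprinting an analysis of a elf file`; it should be `// Info contains high level fingerprinting and analysis of an ELF file.`. `Section.PhysicalOffset`, `PhysicalSize`, `VirtualAddress` and `VirtualSize` are `int64` while the `debug/elf` fields they are later filled from are `uint64`, so a crafted header with a value above the signed range would serialize as a negative number; a comment stating that the narrowing is deliberate for the JSON/ECS numeric range, or a clamp, would make that behaviour intentional rather than accidental.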
@@ -68,25 +99,56 @@ func Parse(r io.ReaderAt) (interface{}, error) { if err != nil { return nil, err } - groupedSymbols := make(map[string][]string) - importSymbols, err := elfFile.ImportedSymbols() + dynamicSymbols, err := elfFile.DynamicSymbols() if err != nil { if err != elf.ErrNoSymbols { return nil, err } } - for _, symbol := range importSymbols { - library := symbol.Library - if library == "" { - library = "unknown" + exports := []Symbol{} + imports := []Symbol{} + librarySet := make(map[string]struct{}) + for _, symbol := range dynamicSymbols { + binding := elf.ST_BIND(symbol.Info) + if binding == elf.STB_GLOBAL && symbol.Section == elf.SHN_UNDEF { + // symbol is imported + library := symbol.Library + if library != "" { + librarySet[library] = struct{}{} + } + imports = append(imports, Symbol{ + Name: symbol.Name, + Type: elf.ST_TYPE(symbol.Info).String(), + }) + } else if elf.ST_VISIBILITY(symbol.Other) == elf.STV_DEFAULT { + // if we have a weak or globally bound symbol, it's exported + if binding == elf.STB_GLOBAL || binding == elf.STB_WEAK { + exports = append(exports, Symbol{ + Name: symbol.Name, + Type: elf.ST_TYPE(symbol.Info).String(), + }) + } } - groupedSymbols[library] = append(groupedSymbols[library], symbol.Name) + } + libraries := []string{} + for library := range librarySet { + libraries = append(libraries, library) + } + + header := Header{ + Class: translateClass(elfFile.Class), + Data: translateData(elfFile.Data), + Machine: translateMachine(elfFile.Machine), + OSAbi: translateOSABI(elfFile.OSABI), + Type: translateType(elfFile.Type), + Version: translateVersion(elfFile.Version), + AbiVersion: fmt.Sprintf("%d", elfFile.ABIVersion), + Entrypoint: fmt.Sprintf("%x", elfFile.Entry), } segments := make(map[*elf.Prog][]string) sections := []Section{} for _, section := range elfFile.Sections { - var md5String string var entropy float64 var chiSquare float64 
@@ -106,21 +168,19 @@ func Parse(r io.ReaderAt) (interface{}, error) { data, err := section.Data() if err == nil { - md5hash := md5.Sum(data) - md5String = hex.EncodeToString(md5hash[:]) entropy = common.Entropy(data) chiSquare = common.ChiSquare(data) } sections = append(sections, Section{ - Name: name, - Type: translateSectionType(section.Type), - Address: section.Addr, - Size: section.Size, - Offset: section.Offset, - Entropy: entropy, - ChiSquare: chiSquare, - Flags: translateSectionFlags(section.Flags), - MD5: md5String, + Flags: translateSectionFlags(section.Flags), + Name: name, + PhysicalOffset: int64(section.Offset), + Type: translateSectionType(section.Type), + PhysicalSize: int64(section.FileSize), + VirtualAddress: int64(section.Addr), + VirtualSize: int64(section.Size), + Entropy: entropy, + ChiSquare: chiSquare, }) } translatedSegments := make([]Segment, len(elfFile.Progs)) @@ -135,25 +195,37 @@ func Parse(r io.ReaderAt) (interface{}, error) { } } - return &Info{ - Machine: translateMachine(elfFile.Machine), - Sections: sections, - Segments: translatedSegments, - Imports: groupedSymbols, - Packer: getPacker(elfFile), - Telfhash: telfhash, - }, nil + info := &Info{ + Imports: imports, + Exports: exports, + Telfhash: telfhash, + Segments: translatedSegments, + SharedLibraries: libraries, + Header: header, + Sections: sections, + Packers: getPackers(elfFile), + } + + if debug, err := elfFile.DWARF(); err == nil { + // just ignore the error if we can't get DWARF information + debugSymbols, err := dwarf.Parse(debug) + if err == nil { + info.Debug = debugSymbols + } + } + + return info, nil } -func getPacker(elfFile *elf.File) string { +func getPackers(elfFile *elf.File) []string { // this is expensive, figure out a way of making it less so for _, prog := range elfFile.Progs { data, err := ioutil.ReadAll(prog.Open()) if err == nil { if bytes.Contains(data, []byte("UPX!")) { - return "upx" + return []string{"upx"} } } } - return "" + return nil } 
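Review bot: `SharedLibraries` is built by ranging over `librarySet`, so its element order changes from run to run; the `hello-linux.fingerprint` comparison presumably only stays stable because that binary resolves a single library, and any fixture with two or more would make the test flaky. Add `sort.Strings(libraries)` after the collection loop (and `"sort"` to the import block), or keep the map purely for deduplication and append to the slice in symbol order. `AbiVersion: fmt.Sprintf("%d", elfFile.ABIVersion)` is a plain integer-to-string conversion; `strconv.Itoa(int(elfFile.ABIVersion))` is the idiomatic form, though `fmt` is still needed for the `%x` entrypoint. The enclosing `Parse` starts in the previous hunk and continues in the following ones.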
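Review bot: `getPackers` still materializes every program segment with `ioutil.ReadAll(prog.Open())` to search for one fixed marker, so peak memory on an untrusted input is the size of the largest segment and overlapping or repeated segments re-read the same bytes; the inherited `// this is expensive` comment acknowledges this without bounding it. A streaming search over `prog.Open()` (a `bufio.Reader` with a carry-over window the length of the marker) keeps memory constant regardless of the declared `Filesz`, and the loop can still stop at the first hit as it does now. Returning `nil` instead of an empty slice works with `omitempty`, but the function needs a doc comment stating that only the UPX marker is detected, so an empty `Packers` is not read by consumers as "not packed".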
diff --git a/libbeat/formats/elf/machine.go b/libbeat/formats/elf/header.go similarity index 84% rename from libbeat/formats/elf/machine.go rename to libbeat/formats/elf/header.go index 4cc46745e3c8..4d0f43402415 100644 --- a/libbeat/formats/elf/machine.go +++ b/libbeat/formats/elf/header.go 
@@ -215,3 +215,87 @@ func translateMachine(machine elf.Machine) string { } return "Unknown machine" } + +func translateVersion(version elf.Version) string { + switch version { + case elf.EV_NONE: + return "none" + case elf.EV_CURRENT: + return "current" + default: + return "unknown" + } +} + +var osABINames = map[elf.OSABI]string{ + elf.ELFOSABI_NONE: "UNIX System V ABI", + elf.ELFOSABI_HPUX: "HP-UX operating system", + elf.ELFOSABI_NETBSD: "NetBSD", + elf.ELFOSABI_LINUX: "GNU/Linux", + elf.ELFOSABI_HURD: "GNU/Hurd", + elf.ELFOSABI_86OPEN: "86Open common IA32 ABI", + elf.ELFOSABI_SOLARIS: "Solaris", + elf.ELFOSABI_AIX: "AIX", + elf.ELFOSABI_IRIX: "IRIX", + elf.ELFOSABI_FREEBSD: "FreeBSD", + elf.ELFOSABI_TRU64: "TRU64 UNIX", + elf.ELFOSABI_MODESTO: "Novell Modesto", + elf.ELFOSABI_OPENBSD: "OpenBSD", + elf.ELFOSABI_OPENVMS: "Open VMS", + elf.ELFOSABI_NSK: "HP Non-Stop Kernel", + elf.ELFOSABI_AROS: "Amiga Research OS", + elf.ELFOSABI_FENIXOS: "The FenixOS highly scalable multi-core OS", + elf.ELFOSABI_CLOUDABI: "Nuxi CloudABI", + elf.ELFOSABI_ARM: "ARM", + elf.ELFOSABI_STANDALONE: "Standalone (embedded) application", +} + +func translateOSABI(abi elf.OSABI) string { + if found, ok := osABINames[abi]; ok { + return found + } + return "Unknown OS ABI" +} + +func translateType(t elf.Type) string { + switch t { + case elf.ET_REL: + return "Relocatable" + case elf.ET_EXEC: + return "Executable" + case elf.ET_DYN: + return "Shared object" + case elf.ET_CORE: + return "Core file" + default: + if t >= elf.ET_LOOS && t <= elf.ET_HIOS { + return "OS specific" + } + if t >= elf.ET_LOPROC && t <= elf.ET_HIPROC { + return "Processor specific" + } + return "unknown type" + } +} + +func translateClass(c elf.Class) string { + switch c { + case elf.ELFCLASS32: + return "32-bit architecture" + case elf.ELFCLASS64: + return "64-bit architecture" + default: + return "unknown architecture class" + } +} + +func translateData(d elf.Data) string { + switch d { + case elf.ELFDATA2LSB: + 
return "little-endian" + case elf.ELFDATA2MSB: + return "big-endian" + default: + return "unknown data format" + } +} diff --git a/libbeat/formats/elf/section.go b/libbeat/formats/elf/section.go index 0c2705534c23..4b3be38b8a6d 100644 --- a/libbeat/formats/elf/section.go +++ b/libbeat/formats/elf/section.go @@ -19,7 +19,6 @@ package elf import ( "debug/elf" - "strings" ) var sectionNames = map[elf.SectionType]string{ @@ -55,7 +54,7 @@ func translateSectionType(sectionType elf.SectionType) string { return "UNKNOWN" } -func translateSectionFlags(flags elf.SectionFlag) string { +func translateSectionFlags(flags elf.SectionFlag) []string { active := []string{} if flags&elf.SHF_WRITE > 0 { active = append(active, "WRITE") @@ -96,8 +95,5 @@ func translateSectionFlags(flags elf.SectionFlag) string { if flags&elf.SHF_MASKPROC > 0 { active = append(active, "MASKPROC") } - if len(active) == 0 { - return "-" - } - return strings.Join(active, " | ") + return active } diff --git a/libbeat/formats/fixtures/elf/hello-linux.fingerprint b/libbeat/formats/fixtures/elf/hello-linux.fingerprint index 01c3502cb7bf..babbbaf355a9 100644 --- a/libbeat/formats/fixtures/elf/hello-linux.fingerprint +++ b/libbeat/formats/fixtures/elf/hello-linux.fingerprint @@ -1,5 +1,25 @@ { - "machine": "Advanced Micro Devices x86-64", + "imports": [ + { + "name": "printf", + "type": "STT_FUNC" + }, + { + "name": "__libc_start_main", + "type": "STT_FUNC" + } + ], + "exports": [ + { + "name": "_init", + "type": "STT_FUNC" + }, + { + "name": "_fini", + "type": "STT_FUNC" + } + ], + "telfhash": "3e400000000c00000003000000000c000003000000c03000000000000000000000000c", "segments": [ { "name": "PHDR", 
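Review bot: The fallback strings in the new translators are inconsistently cased and worded: `translateOSABI` returns `"Unknown OS ABI"` (matching the pre-existing `"Unknown machine"`), while `translateVersion`, `translateType` and `translateClass` return `"unknown"`, `"unknown type"` and `"unknown architecture class"`. These values presumably land in the indexed `header.*` fields shown in the fixture hunk, where mixed casing makes it harder to filter for unrecognized values; choosing one form, e.g. `return "unknown OS ABI"` and `return "unknown version"`, keeps the field values uniform. The table-driven lookup in `translateOSABI` is the clearer pattern and could replace the enumerated cases of the `switch` in `translateType`, leaving only the `ET_LOOS`/`ET_HIOS` and `ET_LOPROC`/`ET_HIPROC` range checks in the fallback.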
@@ -67,244 +87,298 @@ ] } ], + "header": { + "class": "64-bit architecture", + "data": "little-endian", + "machine": "Advanced Micro Devices x86-64", + "os_abi": "UNIX System V ABI", + "type": "Executable", + "version": "current", + "abi_version": "0", + "entrypoint": "400390" + }, "sections": [ { + "flags": [ + "ALLOC" + ], "name": ".interp", + "physical_offset": 512, "type": "PROGBITS", - "address": 4194816, - "size": 25, - "offset": 512, + "physical_size": 25, + "virtual_address": 4194816, + "virtual_size": 25, "entropy": 4.05, - "chi2": 394.84, - "flags": "ALLOC", - "md5": "09bd6bae3c649f0b7db796acb252ed8e" + "chi2": 394.84 }, { + "flags": [ + "ALLOC" + ], "name": ".hash", + "physical_offset": 544, "type": "HASH", - "address": 4194848, - "size": 40, - "offset": 544, + "physical_size": 40, + "virtual_address": 4194848, + "virtual_size": 40, "entropy": 0.95, - "chi2": 7409.6, - "flags": "ALLOC", - "md5": "3314c6875824870e88e705d17c9fd386" + "chi2": 7409.6 }, { + "flags": [ + "ALLOC" + ], "name": ".gnu.hash", + "physical_offset": 584, "type": "GNU_HASH", - "address": 4194888, - "size": 40, - "offset": 584, + "physical_size": 40, + "virtual_address": 4194888, + "virtual_size": 40, "entropy": 2.57, - "chi2": 3492.8, - "flags": "ALLOC", - "md5": "7883c669be02a88af23602f9e1844d9c" + "chi2": 3492.8 }, { + "flags": [ + "ALLOC" + ], "name": ".dynsym", + "physical_offset": 624, "type": "DYNSYM", - "address": 4194928, - "size": 120, - "offset": 624, + "physical_size": 120, + "virtual_address": 4194928, + "virtual_size": 120, "entropy": 1.14, - "chi2": 22147.73, - "flags": "ALLOC", - "md5": "27ad98f5d71388d30966a587909c096a" + "chi2": 22147.73 }, { + "flags": [ + "ALLOC" + ], "name": ".dynstr", + "physical_offset": 744, "type": "STRTAB", - "address": 4195048, - "size": 46, - "offset": 744, + "physical_size": 46, + "virtual_address": 4195048, + "virtual_size": 46, "entropy": 3.68, - "chi2": 1067.04, - "flags": "ALLOC", - "md5": "070647007636639b24a57bfee83de833" + "chi2": 
1067.04 }, { + "flags": [ + "ALLOC", + "INFO_LINK" + ], "name": ".rela.plt", + "physical_offset": 792, "type": "RELA", - "address": 4195096, - "size": 48, - "offset": 792, + "physical_size": 48, + "virtual_address": 4195096, + "virtual_size": 48, "entropy": 1.31, - "chi2": 7738.67, - "flags": "ALLOC | INFO_LINK", - "md5": "7ad2c1e3481180009cc7f7c5a859525c" + "chi2": 7738.67 }, { + "flags": [ + "ALLOC", + "EXECINSTR" + ], "name": ".init", + "physical_offset": 840, "type": "PROGBITS", - "address": 4195144, - "size": 13, - "offset": 840, + "physical_size": 13, + "virtual_address": 4195144, + "virtual_size": 13, "entropy": 2.78, - "chi2": 558.08, - "flags": "ALLOC | EXECINSTR", - "md5": "b3fc11cad8bf472315f13141abac6d5a" + "chi2": 558.08 }, { + "flags": [ + "ALLOC", + "EXECINSTR" + ], "name": ".plt", + "physical_offset": 864, "type": "PROGBITS", - "address": 4195168, - "size": 48, - "offset": 864, + "physical_size": 48, + "virtual_address": 4195168, + "virtual_size": 48, "entropy": 3.44, - "chi2": 1584, - "flags": "ALLOC | EXECINSTR", - "md5": "1823bec928baea492f590957c583d0b5" + "chi2": 1584 }, { + "flags": [ + "ALLOC", + "EXECINSTR" + ], "name": ".text", + "physical_offset": 912, "type": "PROGBITS", - "address": 4195216, - "size": 465, - "offset": 912, + "physical_size": 465, + "virtual_address": 4195216, + "virtual_size": 465, "entropy": 5.44, - "chi2": 6552.7, - "flags": "ALLOC | EXECINSTR", - "md5": "ebc2192feed561951385b85af9f255de" + "chi2": 6552.7 }, { + "flags": [ + "ALLOC", + "EXECINSTR" + ], "name": ".fini", + "physical_offset": 1377, "type": "PROGBITS", - "address": 4195681, - "size": 8, - "offset": 1377, + "physical_size": 8, + "virtual_address": 4195681, + "virtual_size": 8, "entropy": 2.75, - "chi2": 312, - "flags": "ALLOC | EXECINSTR", - "md5": "5d437075a3b50fd449d03cc3f59b341b" + "chi2": 312 }, { + "flags": [ + "ALLOC" + ], "name": ".rodata", + "physical_offset": 1385, "type": "PROGBITS", - "address": 4195689, - "size": 14, - "offset": 1385, + 
"physical_size": 14, + "virtual_address": 4195689, + "virtual_size": 14, "entropy": 3.32, - "chi2": 388.29, - "flags": "ALLOC", - "md5": "a79133c2466b7180a4de0fd3fe302b0b" + "chi2": 388.29 }, { + "flags": [ + "ALLOC" + ], "name": ".eh_frame_hdr", + "physical_offset": 1400, "type": "PROGBITS", - "address": 4195704, - "size": 28, - "offset": 1400, + "physical_size": 28, + "virtual_address": 4195704, + "virtual_size": 28, "entropy": 2.86, - "chi2": 1617.71, - "flags": "ALLOC", - "md5": "61bd12fa18ee6e8e4bd49c72fd4c057e" + "chi2": 1617.71 }, { + "flags": [ + "ALLOC" + ], "name": ".eh_frame", + "physical_offset": 1432, "type": "PROGBITS", - "address": 4195736, - "size": 100, - "offset": 1432, + "physical_size": 100, + "virtual_address": 4195736, + "virtual_size": 100, "entropy": 3.94, - "chi2": 4717.92, - "flags": "ALLOC", - "md5": "58f77822288abd3346f8a680baddd3a7" + "chi2": 4717.92 }, { + "flags": [ + "WRITE", + "ALLOC" + ], "name": ".ctors", + "physical_offset": 3744, "type": "PROGBITS", - "address": 6295200, - "size": 16, - "offset": 3744, + "physical_size": 16, + "virtual_address": 6295200, + "virtual_size": 16, "entropy": 1, - "chi2": 2032, - "flags": "WRITE | ALLOC", - "md5": "f858d36231ba743ad8c898d86a67a864" + "chi2": 2032 }, { + "flags": [ + "WRITE", + "ALLOC" + ], "name": ".dtors", + "physical_offset": 3760, "type": "PROGBITS", - "address": 6295216, - "size": 16, - "offset": 3760, + "physical_size": 16, + "virtual_address": 6295216, + "virtual_size": 16, "entropy": 1, - "chi2": 2032, - "flags": "WRITE | ALLOC", - "md5": "f858d36231ba743ad8c898d86a67a864" + "chi2": 2032 }, { + "flags": [ + "WRITE", + "ALLOC" + ], "name": ".dynamic", + "physical_offset": 3776, "type": "DYNAMIC", - "address": 6295232, - "size": 320, - "offset": 3776, + "physical_size": 320, + "virtual_address": 6295232, + "virtual_size": 320, "entropy": 1.22, - "chi2": 60276.8, - "flags": "WRITE | ALLOC", - "md5": "e0fb5e7ca80769538acb5efb27a266fa" + "chi2": 60276.8 }, { + "flags": [ + "WRITE", 
+ "ALLOC" + ], "name": ".got.plt", + "physical_offset": 4096, "type": "PROGBITS", - "address": 6295552, - "size": 40, - "offset": 4096, + "physical_size": 40, + "virtual_address": 6295552, + "virtual_size": 40, "entropy": 1.38, - "chi2": 6193.6, - "flags": "WRITE | ALLOC", - "md5": "8075570109c80fbfea0c3392fde4996a" + "chi2": 6193.6 }, { + "flags": [ + "WRITE", + "ALLOC" + ], "name": ".data", + "physical_offset": 4136, "type": "PROGBITS", - "address": 6295592, - "size": 8, - "offset": 4136, + "physical_size": 8, + "virtual_address": 6295592, + "virtual_size": 8, "entropy": 0, - "chi2": 2040, - "flags": "WRITE | ALLOC", - "md5": "7dea362b3fac8e00956a4952a3d4f474" + "chi2": 2040 }, { + "flags": [ + "WRITE", + "ALLOC" + ], "name": ".bss", + "physical_offset": 4144, "type": "NOBITS", - "address": 6295616, - "size": 80, - "offset": 4144, + "physical_size": 80, + "virtual_address": 6295616, + "virtual_size": 80, "entropy": 4.38, - "chi2": 1251.2, - "flags": "WRITE | ALLOC", - "md5": "037927a92704c28e7d7fbf79b86af579" + "chi2": 1251.2 }, { + "flags": [ + "MERGE", + "STRINGS" + ], "name": ".comment", + "physical_offset": 4144, "type": "PROGBITS", - "address": 0, - "size": 17, - "offset": 4144, + "physical_size": 17, + "virtual_address": 0, + "virtual_size": 17, "entropy": 3.62, - "chi2": 359.47, - "flags": "MERGE | STRINGS", - "md5": "97e57f09b3f0ad65e3b218ba9812a382" + "chi2": 359.47 }, { "name": ".shstrtab", + "physical_offset": 4161, "type": "STRTAB", - "address": 0, - "size": 157, - "offset": 4161, + "physical_size": 157, + "virtual_address": 0, + "virtual_size": 157, "entropy": 4.11, - "chi2": 2730.75, - "flags": "-", - "md5": "f6fd260a73c3e8adff25122e03bfc0f7" + "chi2": 2730.75 } - ], - "imports": { - "unknown": [ - "printf", - "__libc_start_main" - ] - }, - "telfhash": "3e400000000c00000003000000000c000003000000c03000000000000000000000000c" + ] } \ No newline at end of file From 8821462e3417eb6d1d184c8de66fbcf5e7ebd17f Mon Sep 17 00:00:00 2001 
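Review bot: The regenerated fixture bakes in `"entropy": 4.38` and `"chi2": 1251.2` for `.bss`, a `NOBITS` section that reports `physical_size` 80 but occupies no bytes in the file; `.comment` starts at the very same `physical_offset` 4144, so those figures are the entropy of the `.comment`/`.shstrtab` bytes that happen to follow, not of `.bss`. The ELF section parser (outside this diff) should skip content statistics for SHT_NOBITS — only compute them when `section.Type != elf.SHT_NOBITS` — and this fixture should be regenerated afterwards, since a fixture that records the wrong values locks the bug in. Reporting both `physical_size` and `virtual_size` for an ELF section is also redundant; a section header carries a single size.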
From: Andrew Stucki Date: Tue, 23 Feb 2021 10:29:19 -0500 Subject: [PATCH 07/30] ECS-ify pe --- .../fixtures/pe/hello-windows.fingerprint | 497 ++++++++++++++---- libbeat/formats/pe/pe.go | 174 +++--- libbeat/formats/pe/resources.go | 6 +- libbeat/formats/pe/section_flags.go | 149 ++++++ libbeat/formats/pe/version_info.go | 9 +- 5 files changed, 657 insertions(+), 178 deletions(-) create mode 100644 libbeat/formats/pe/section_flags.go diff --git a/libbeat/formats/fixtures/pe/hello-windows.fingerprint b/libbeat/formats/fixtures/pe/hello-windows.fingerprint index e8d62fcd0f3a..d8d2171b5d1e 100644 --- a/libbeat/formats/fixtures/pe/hello-windows.fingerprint +++ b/libbeat/formats/fixtures/pe/hello-windows.fingerprint 
@@ -1,156 +1,425 @@ { + "entrypoint": "14e0", + "imports": [ + { + "library": "KERNEL32.dll", + "name": "DeleteCriticalSection" + }, + { + "library": "KERNEL32.dll", + "name": "EnterCriticalSection" + }, + { + "library": "KERNEL32.dll", + "name": "GetLastError" + }, + { + "library": "KERNEL32.dll", + "name": "GetStartupInfoA" + }, + { + "library": "KERNEL32.dll", + "name": "InitializeCriticalSection" + }, + { + "library": "KERNEL32.dll", + "name": "IsDBCSLeadByteEx" + }, + { + "library": "KERNEL32.dll", + "name": "LeaveCriticalSection" + }, + { + "library": "KERNEL32.dll", + "name": "MultiByteToWideChar" + }, + { + "library": "KERNEL32.dll", + "name": "SetUnhandledExceptionFilter" + }, + { + "library": "KERNEL32.dll", + "name": "Sleep" + }, + { + "library": "KERNEL32.dll", + "name": "TlsGetValue" + }, + { + "library": "KERNEL32.dll", + "name": "VirtualProtect" + }, + { + "library": "KERNEL32.dll", + "name": "VirtualQuery" + }, + { + "library": "KERNEL32.dll", + "name": "WideCharToMultiByte" + }, + { + "library": "msvcrt.dll", + "name": "__C_specific_handler" + }, + { + "library": "msvcrt.dll", + "name": "___lc_codepage_func" + }, + { + "library": "msvcrt.dll", + "name": "___mb_cur_max_func" + }, + { + "library": "msvcrt.dll", + "name": "__getmainargs" + }, + { + "library": "msvcrt.dll", + "name": "__initenv" + }, + { + "library": "msvcrt.dll", + "name": "__iob_func" + }, + { + "library": "msvcrt.dll", + "name": "__lconv_init" + }, + { + "library": "msvcrt.dll", + "name": "__set_app_type" + }, + { + "library": "msvcrt.dll", + "name": "__setusermatherr" + }, + { + "library": "msvcrt.dll", + "name": "_acmdln" + }, + { + "library": "msvcrt.dll", + "name": "_amsg_exit" + }, + { + "library": "msvcrt.dll", + "name": "_cexit" + }, + { + "library": "msvcrt.dll", + "name": "_commode" + }, + { + "library": "msvcrt.dll", + "name": "_errno" + }, + { + "library": "msvcrt.dll", + "name": "_fmode" + }, + { + "library": "msvcrt.dll", + "name": "_initterm" + }, + { + "library": 
"msvcrt.dll", + "name": "_lock" + }, + { + "library": "msvcrt.dll", + "name": "_onexit" + }, + { + "library": "msvcrt.dll", + "name": "_unlock" + }, + { + "library": "msvcrt.dll", + "name": "abort" + }, + { + "library": "msvcrt.dll", + "name": "calloc" + }, + { + "library": "msvcrt.dll", + "name": "exit" + }, + { + "library": "msvcrt.dll", + "name": "fprintf" + }, + { + "library": "msvcrt.dll", + "name": "fputc" + }, + { + "library": "msvcrt.dll", + "name": "free" + }, + { + "library": "msvcrt.dll", + "name": "fwrite" + }, + { + "library": "msvcrt.dll", + "name": "localeconv" + }, + { + "library": "msvcrt.dll", + "name": "malloc" + }, + { + "library": "msvcrt.dll", + "name": "memcpy" + }, + { + "library": "msvcrt.dll", + "name": "memset" + }, + { + "library": "msvcrt.dll", + "name": "signal" + }, + { + "library": "msvcrt.dll", + "name": "strerror" + }, + { + "library": "msvcrt.dll", + "name": "strlen" + }, + { + "library": "msvcrt.dll", + "name": "strncmp" + }, + { + "library": "msvcrt.dll", + "name": "vfprintf" + }, + { + "library": "msvcrt.dll", + "name": "wcslen" + } + ], "sections": [ { "name": ".text", - "virtualAddress": 4096, - "virtualSize": 27640, - "rawSize": 27648, + "flags": [ + "IMAGE_SCN_CNT_CODE", + "IMAGE_SCN_CNT_INITIALIZED_DATA", + "IMAGE_SCN_ALIGN_1BYTES", + "IMAGE_SCN_ALIGN_4BYTES", + "IMAGE_SCN_ALIGN_8BYTES", + "IMAGE_SCN_ALIGN_16BYTES", + "IMAGE_SCN_ALIGN_32BYTES", + "IMAGE_SCN_ALIGN_64BYTES", + "IMAGE_SCN_ALIGN_256BYTES", + "IMAGE_SCN_ALIGN_1024BYTES", + "IMAGE_SCN_ALIGN_2048BYTES", + "IMAGE_SCN_ALIGN_4096BYTES", + "IMAGE_SCN_ALIGN_8192BYTES", + "IMAGE_SCN_MEM_EXECUTE", + "IMAGE_SCN_MEM_READ" + ], + "virtual_address": 4096, + "raw_size": 27648, "entropy": 6.29, - "chi2": 225694.72, - "md5": "51e08255c411dc9a70cf264ce3759661" + "chi2": 225694.72 }, { "name": ".data", - "virtualAddress": 32768, - "virtualSize": 240, - "rawSize": 512, + "flags": [ + "IMAGE_SCN_CNT_INITIALIZED_DATA", + "IMAGE_SCN_ALIGN_1BYTES", + "IMAGE_SCN_ALIGN_4BYTES", + 
"IMAGE_SCN_ALIGN_8BYTES", + "IMAGE_SCN_ALIGN_16BYTES", + "IMAGE_SCN_ALIGN_32BYTES", + "IMAGE_SCN_ALIGN_64BYTES", + "IMAGE_SCN_ALIGN_256BYTES", + "IMAGE_SCN_ALIGN_1024BYTES", + "IMAGE_SCN_ALIGN_2048BYTES", + "IMAGE_SCN_ALIGN_4096BYTES", + "IMAGE_SCN_ALIGN_8192BYTES", + "IMAGE_SCN_MEM_READ", + "IMAGE_SCN_MEM_WRITE" + ], + "virtual_address": 32768, + "raw_size": 512, "entropy": 0.95, - "chi2": 101000, - "md5": "f949bb1e31e9e86f683276c781b888f0" + "chi2": 101000 }, { "name": ".rdata", - "virtualAddress": 36864, - "virtualSize": 3488, - "rawSize": 3584, + "flags": [ + "IMAGE_SCN_CNT_INITIALIZED_DATA", + "IMAGE_SCN_ALIGN_2BYTES", + "IMAGE_SCN_ALIGN_4BYTES", + "IMAGE_SCN_ALIGN_8BYTES", + "IMAGE_SCN_ALIGN_16BYTES", + "IMAGE_SCN_ALIGN_32BYTES", + "IMAGE_SCN_ALIGN_64BYTES", + "IMAGE_SCN_ALIGN_512BYTES", + "IMAGE_SCN_ALIGN_1024BYTES", + "IMAGE_SCN_ALIGN_2048BYTES", + "IMAGE_SCN_ALIGN_4096BYTES", + "IMAGE_SCN_ALIGN_8192BYTES", + "IMAGE_SCN_MEM_READ" + ], + "virtual_address": 36864, + "raw_size": 3584, "entropy": 4.4, - "chi2": 168406.57, - "md5": "665cbc21d76c304121bec35c0580b5e1" + "chi2": 168406.57 }, { "name": ".pdata", - "virtualAddress": 40960, - "virtualSize": 1152, - "rawSize": 1536, + "flags": [ + "IMAGE_SCN_CNT_INITIALIZED_DATA", + "IMAGE_SCN_ALIGN_1BYTES", + "IMAGE_SCN_ALIGN_2BYTES", + "IMAGE_SCN_ALIGN_4BYTES", + "IMAGE_SCN_ALIGN_16BYTES", + "IMAGE_SCN_ALIGN_32BYTES", + "IMAGE_SCN_ALIGN_64BYTES", + "IMAGE_SCN_ALIGN_256BYTES", + "IMAGE_SCN_ALIGN_512BYTES", + "IMAGE_SCN_ALIGN_1024BYTES", + "IMAGE_SCN_ALIGN_4096BYTES", + "IMAGE_SCN_ALIGN_8192BYTES", + "IMAGE_SCN_MEM_READ" + ], + "virtual_address": 40960, + "raw_size": 1536, "entropy": 3.34, - "chi2": 157780.33, - "md5": "c3b5c11cb92a79955c0da333ef10c693" + "chi2": 157780.33 }, { "name": ".xdata", - "virtualAddress": 45056, - "virtualSize": 1068, - "rawSize": 1536, + "flags": [ + "IMAGE_SCN_CNT_INITIALIZED_DATA", + "IMAGE_SCN_ALIGN_1BYTES", + "IMAGE_SCN_ALIGN_2BYTES", + "IMAGE_SCN_ALIGN_4BYTES", + 
"IMAGE_SCN_ALIGN_16BYTES", + "IMAGE_SCN_ALIGN_32BYTES", + "IMAGE_SCN_ALIGN_64BYTES", + "IMAGE_SCN_ALIGN_256BYTES", + "IMAGE_SCN_ALIGN_512BYTES", + "IMAGE_SCN_ALIGN_1024BYTES", + "IMAGE_SCN_ALIGN_4096BYTES", + "IMAGE_SCN_ALIGN_8192BYTES", + "IMAGE_SCN_MEM_READ" + ], + "virtual_address": 45056, + "raw_size": 1536, "entropy": 3.5, - "chi2": 89461.33, - "md5": "59455bf68d2c06503c957bda56cf1dcd" + "chi2": 89461.33 }, { "name": ".bss", - "virtualAddress": 49152, - "virtualSize": 2976, - "rawSize": 0, - "entropy": 0, - "chi2": 0, - "md5": "d41d8cd98f00b204e9800998ecf8427e" + "flags": [ + "IMAGE_SCN_CNT_UNINITIALIZED_DATA", + "IMAGE_SCN_ALIGN_2BYTES", + "IMAGE_SCN_ALIGN_4BYTES", + "IMAGE_SCN_ALIGN_8BYTES", + "IMAGE_SCN_ALIGN_16BYTES", + "IMAGE_SCN_ALIGN_32BYTES", + "IMAGE_SCN_ALIGN_64BYTES", + "IMAGE_SCN_ALIGN_512BYTES", + "IMAGE_SCN_ALIGN_1024BYTES", + "IMAGE_SCN_ALIGN_2048BYTES", + "IMAGE_SCN_ALIGN_4096BYTES", + "IMAGE_SCN_ALIGN_8192BYTES", + "IMAGE_SCN_MEM_READ", + "IMAGE_SCN_MEM_WRITE" + ], + "virtual_address": 49152 }, { "name": ".idata", - "virtualAddress": 53248, - "virtualSize": 1844, - "rawSize": 2048, + "flags": [ + "IMAGE_SCN_CNT_INITIALIZED_DATA", + "IMAGE_SCN_ALIGN_1BYTES", + "IMAGE_SCN_ALIGN_2BYTES", + "IMAGE_SCN_ALIGN_4BYTES", + "IMAGE_SCN_ALIGN_16BYTES", + "IMAGE_SCN_ALIGN_32BYTES", + "IMAGE_SCN_ALIGN_64BYTES", + "IMAGE_SCN_ALIGN_256BYTES", + "IMAGE_SCN_ALIGN_512BYTES", + "IMAGE_SCN_ALIGN_1024BYTES", + "IMAGE_SCN_ALIGN_4096BYTES", + "IMAGE_SCN_ALIGN_8192BYTES", + "IMAGE_SCN_MEM_READ", + "IMAGE_SCN_MEM_WRITE" + ], + "virtual_address": 53248, + "raw_size": 2048, "entropy": 3.68, - "chi2": 152175, - "md5": "c0f302e044780a30e2b6196eadbc2738" + "chi2": 152175 }, { "name": ".CRT", - "virtualAddress": 57344, - "virtualSize": 104, - "rawSize": 512, + "flags": [ + "IMAGE_SCN_CNT_INITIALIZED_DATA", + "IMAGE_SCN_ALIGN_8BYTES", + "IMAGE_SCN_ALIGN_16BYTES", + "IMAGE_SCN_ALIGN_32BYTES", + "IMAGE_SCN_ALIGN_64BYTES", + "IMAGE_SCN_ALIGN_2048BYTES", + 
"IMAGE_SCN_ALIGN_4096BYTES", + "IMAGE_SCN_ALIGN_8192BYTES", + "IMAGE_SCN_MEM_READ", + "IMAGE_SCN_MEM_WRITE" + ], + "virtual_address": 57344, + "raw_size": 512, "entropy": 0.34, - "chi2": 120559, - "md5": "136383d4876c87c3e594ab86b9e86a25" + "chi2": 120559 }, { "name": ".tls", - "virtualAddress": 61440, - "virtualSize": 16, - "rawSize": 512, - "entropy": 0, - "chi2": 130560, - "md5": "bf619eac0cdf3f68d496ea9344137e8b" + "flags": [ + "IMAGE_SCN_CNT_INITIALIZED_DATA", + "IMAGE_SCN_ALIGN_8BYTES", + "IMAGE_SCN_ALIGN_16BYTES", + "IMAGE_SCN_ALIGN_32BYTES", + "IMAGE_SCN_ALIGN_64BYTES", + "IMAGE_SCN_ALIGN_2048BYTES", + "IMAGE_SCN_ALIGN_4096BYTES", + "IMAGE_SCN_ALIGN_8192BYTES", + "IMAGE_SCN_MEM_READ", + "IMAGE_SCN_MEM_WRITE" + ], + "virtual_address": 61440, + "raw_size": 512, + "chi2": 130560 }, { "name": ".reloc", - "virtualAddress": 65536, - "virtualSize": 140, - "rawSize": 512, + "flags": [ + "IMAGE_SCN_CNT_INITIALIZED_DATA", + "IMAGE_SCN_ALIGN_1BYTES", + "IMAGE_SCN_ALIGN_2BYTES", + "IMAGE_SCN_ALIGN_4BYTES", + "IMAGE_SCN_ALIGN_16BYTES", + "IMAGE_SCN_ALIGN_32BYTES", + "IMAGE_SCN_ALIGN_64BYTES", + "IMAGE_SCN_ALIGN_256BYTES", + "IMAGE_SCN_ALIGN_512BYTES", + "IMAGE_SCN_ALIGN_1024BYTES", + "IMAGE_SCN_ALIGN_4096BYTES", + "IMAGE_SCN_ALIGN_8192BYTES", + "IMAGE_SCN_MEM_DISCARDABLE", + "IMAGE_SCN_MEM_READ" + ], + "virtual_address": 65536, + "raw_size": 512, "entropy": 1.61, - "chi2": 81624, - "md5": "41150a7033476b722bd47a9dbf5238b0" + "chi2": 81624 } ], - "header": { - "entrypoint": 5344, - "targetMachine": "x64", - "containedSections": 10 - }, - "imports": { - "KERNEL32.dll": [ - "DeleteCriticalSection", - "EnterCriticalSection", - "GetLastError", - "GetStartupInfoA", - "InitializeCriticalSection", - "IsDBCSLeadByteEx", - "LeaveCriticalSection", - "MultiByteToWideChar", - "SetUnhandledExceptionFilter", - "Sleep", - "TlsGetValue", - "VirtualProtect", - "VirtualQuery", - "WideCharToMultiByte" - ], - "msvcrt.dll": [ - "__C_specific_handler", - "___lc_codepage_func", - 
"___mb_cur_max_func", - "__getmainargs", - "__initenv", - "__iob_func", - "__lconv_init", - "__set_app_type", - "__setusermatherr", - "_acmdln", - "_amsg_exit", - "_cexit", - "_commode", - "_errno", - "_fmode", - "_initterm", - "_lock", - "_onexit", - "_unlock", - "abort", - "calloc", - "exit", - "fprintf", - "fputc", - "free", - "fwrite", - "localeconv", - "malloc", - "memcpy", - "memset", - "signal", - "strerror", - "strlen", - "strncmp", - "vfprintf", - "wcslen" - ] - }, - "imphash": "8eb8d513fcdab15ac9a267576668cb1c" + "imphash": "8eb8d513fcdab15ac9a267576668cb1c", + "architecture": "x64" } \ No newline at end of file diff --git a/libbeat/formats/pe/pe.go b/libbeat/formats/pe/pe.go index 0a20317da745..7455749ef715 100644 --- a/libbeat/formats/pe/pe.go +++ b/libbeat/formats/pe/pe.go @@ -18,26 +18,15 @@ package pe import ( - "crypto/md5" "debug/pe" - "encoding/hex" + "fmt" "io" "time" "github.com/elastic/beats/v7/libbeat/formats/common" + "github.com/elastic/beats/v7/libbeat/formats/dwarf" ) -// Section contains information about a section in a PE file. -type Section struct { - Name string `json:"name"` - VirtualAddress uint32 `json:"virtualAddress"` - VirtualSize uint32 `json:"virtualSize"` - RawSize uint32 `json:"rawSize"` - Entropy float64 `json:"entropy"` - ChiSquare float64 `json:"chi2"` - MD5 string `json:"md5,omitempty"` -} - // Header contains information found in a PE header. type Header struct { CompilationTimestamp *time.Time `json:"compilationTimestamp,omitempty"` 
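Review bot: `Header`, with its pre-ECS camelCase tags (`compilationTimestamp`, `containedSections`), survives this hunk while `Section` is removed and `Info` stops embedding a Header later in the same patch; unless something outside the diff still references it, it is dead code that keeps the old naming scheme alive in the package. If it is kept deliberately, re-tag it to the snake_case used by the new Info fields (`compile_timestamp`) so two tag styles do not coexist, and note that the `md5`/`hex` removal here drops the per-section hash that the old output carried — if MD5 was dropped for being weak, a sha256 per section would keep that pivot available.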
@@ -46,44 +35,89 @@ type Header struct { ContainedSections int `json:"containedSections"` } +// VersionInfo hold keys and values parsed from the version info resource. +type VersionInfo struct { + Name string + Value string +} + +// Compiler contains compiler information about the object file +type Compiler struct { + Version string `json:"version,omitempty"` + Name string `json:"name,omitempty"` +} + +// ImportedSymbol contains information about where an imported symbol comes from +type ImportedSymbol struct { + Library string `json:"library,omitempty"` + Name string `json:"name,omitempty"` +} + +// Section contains information about a section in a PE file. +type Section struct { + Name string `json:"name"` + Flags []string `json:"flags"` + VirtualAddress uint32 `json:"virtual_address"` + RawSize uint32 `json:"raw_size,omitempty"` + Entropy float64 `json:"entropy,omitempty"` + ChiSquare float64 `json:"chi2,omitempty"` +} + // Resource represents a resource entry embedded in a PE file. type Resource struct { - Type string `json:"type"` - Language string `json:"language"` - SHA256 string `json:"sha256,omitempty"` - MIME string `json:"mime,omitempty"` - Size int `json:"size"` + Type string `json:"type"` + Language string `json:"language"` + SHA256 string `json:"sha256"` + FileType string `json:"filetype,omitempty"` + Entropy float64 `json:"entropy"` + ChiSquare float64 `json:"chi2"` data []byte } -// VersionInfo hold keys and values parsed from the version info resource. -type VersionInfo struct { - Name string - Value string +// Icon holds fields that are used for fingerprinting embedded icons +type Icon struct { + // leverage https://github.com/corona10/goimagehash + Dhash string `json:"dhash"` } // Info contains high level fingerprinting an analysis of a PE file. 
type Info struct { - Sections []Section `json:"sections,omitempty"` - FileVersionInfo []VersionInfo `json:"version_info,omitempty"` - Header Header `json:"header,omitempty"` - Imports map[string][]string `json:"imports,omitempty"` - Exports []string `json:"exports,omitempty"` - ContainedResourcesByType map[string]int `json:"containedResourcesByType,omitempty"` - ContainedResourcesByLanguage map[string]int `json:"containedResourcesByLanguage,omitempty"` - Resources []Resource `json:"resources,omitempty"` - Packer string `json:"packer,omitempty"` - ImpHash string `json:"imphash,omitempty"` + CompilationTimestamp *time.Time `json:"compile_timestamp,omitempty"` + Entrypoint string `json:"entrypoint"` + Exports []string `json:"exports,omitempty"` + Debug []dwarf.DWARF `json:"debug,omitempty"` + Imports []ImportedSymbol `json:"imports,omitempty"` + Sections []Section `json:"sections,omitempty"` + Resources []Resource `json:"resources,omitempty"` + Packers []string `json:"packers,omitempty"` + ImpHash string `json:"imphash,omitempty"` + FileVersion string `json:"file_version,omitempty"` + Description string `json:"description,omitempty"` + Company string `json:"company,omitempty"` + OriginalFileName string `json:"original_file_name,omitempty"` + Product string `json:"product,omitempty"` + Architecture string `json:"architecture,omitempty"` + + // Things that we should be able to get + // See https://github.com/lief-project/LIEF/blob/05103f55a6cb993cb20735da3c7a6333e4f600e3/src/PE/Binary.cpp#L1046 + // Authentihash string `json:"authentihash,omitempty"` + // Compiler *Compiler `json:"compiler,omitempty"` + // RichHeaderHash string `json:"rich_header.hash.md5,omitempty"` + // Icons []Icon `json:"icon,omitempty"` + + // Fields that are likely duplicated + // CreationDate *time.Time `json:"creation_date,omitempty"` + // MachineType string `json:"machine_type"` } -func getPacker(f *pe.File) string { +func getPackers(f *pe.File) []string { for _, section := range f.Sections { 
if section.Name == "UPX0" { - return "upx" + return []string{"upx"} } } - return "" + return nil } // Parse parses the PE and returns information about it or errors. @@ -112,6 +146,15 @@ func Parse(r io.ReaderAt) (interface{}, error) { exportSymbols := exports(peFile) importSymbols, imphash := imphash(peFile) + imports := []ImportedSymbol{} + for library, symbols := range importSymbols { + for _, symbol := range symbols { + imports = append(imports, ImportedSymbol{ + Library: library, + Name: symbol, + }) + } + } sectionSize := len(peFile.Sections) var compiledAt *time.Time 
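Review bot: `Resource.SHA256` loses its `omitempty` in this hunk, but the two early returns in resources.go (`@@ -163` and `@@ -171` of this patch) still build a `Resource` with no hash, so those entries now serialise as `"sha256": ""` alongside `"entropy": 0` and `"chi2": 0`; an empty string in a hash field is easy to mistake for a real value in downstream matching, and the zeros are indistinguishable from a genuinely empty resource. Restore `SHA256 string \`json:"sha256,omitempty"\`` and give Entropy/ChiSquare `omitempty` as `Section` already has, or add a field saying the data reference was unreadable. `Icon` (with its goimagehash comment) and `Compiler` are unused placeholders; a third-party dependency plan belongs in the PR description rather than a struct comment, and getPackers's single `UPX0` name check is a heuristic worth a comment so nobody reads an empty `packers` as "not packed".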
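Review bot: The flattening loop ranges over `importSymbols`, a map returned by imphash(), so the order of the emitted `imports` array changes from run to run — Go randomises map iteration — which makes the fixture comparison flaky (the committed fixture lists KERNEL32.dll before msvcrt.dll) and produces noisy document diffs for identical files, unless the test normalises order somewhere outside this diff. Sort the library names before iterating; `sort` would need adding to the import block in the `@@ -18` hunk. The imphash value itself is computed inside imphash() and is unaffected.

```go
	imports := []ImportedSymbol{}
	libraries := make([]string, 0, len(importSymbols))
	for library := range importSymbols {
		libraries = append(libraries, library)
	}
	sort.Strings(libraries) // map order is randomised per run; keep the document stable
	for _, library := range libraries {
		for _, symbol := range importSymbols[library] {
			imports = append(imports, ImportedSymbol{Library: library, Name: symbol})
		}
	}
	// … unchanged: sectionSize, compiledAt …
```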
@@ -122,44 +165,57 @@ func Parse(r io.ReaderAt) (interface{}, error) { } info := &Info{ - ImpHash: imphash, - Header: Header{ - CompilationTimestamp: compiledAt, - Entrypoint: entrypoint, - TargetMachine: architecture, - ContainedSections: sectionSize, - }, - Sections: make([]Section, sectionSize), - ContainedResourcesByType: make(map[string]int), - ContainedResourcesByLanguage: make(map[string]int), - Imports: importSymbols, - Exports: exportSymbols, - Packer: getPacker(peFile), + CompilationTimestamp: compiledAt, + Entrypoint: fmt.Sprintf("%x", entrypoint), + Imports: imports, + Exports: exportSymbols, + Packers: getPackers(peFile), + ImpHash: imphash, + Architecture: architecture, + Sections: make([]Section, sectionSize), } - for i, section := range peFile.Sections { - hashed := "" - data, err := section.Data() + + if debug, err := peFile.DWARF(); err == nil { + // just ignore the error if we can't get DWARF information + debugSymbols, err := dwarf.Parse(debug) if err == nil { - md5Hash := md5.Sum(data) - hashed = hex.EncodeToString(md5Hash[:]) + info.Debug = debugSymbols } + } + + for i, section := range peFile.Sections { + data, _ := section.Data() info.Sections[i] = Section{ Name: section.Name, VirtualAddress: section.VirtualAddress, - VirtualSize: section.VirtualSize, RawSize: section.Size, + Flags: translateSectionFlags(section.Characteristics), Entropy: common.Entropy(data), ChiSquare: common.ChiSquare(data), - MD5: hashed, } if section.Name == ".rsrc" && len(data) > 0 { info.Resources = parseDirectory(section.VirtualAddress, data) - for _, resource := range info.Resources { - countValue(info.ContainedResourcesByType, resource.Type) - countValue(info.ContainedResourcesByLanguage, resource.Language) + fileVersionInfo := getVersionInfoForResources(info.Resources) + if companyName, found := fileVersionInfo["CompanyName"]; found { + info.Company = companyName + } + if fileDescription, found := fileVersionInfo["FileDescription"]; found { + info.Description = 
fileDescription + } + if fileVersion, found := fileVersionInfo["FileVersion"]; found { + info.FileVersion = fileVersion + } + if originalFilename, found := fileVersionInfo["OriginalFilename"]; found { + info.OriginalFileName = originalFilename + } + productName := fileVersionInfo["ProductName"] + if productVersion, found := fileVersionInfo["ProductVersion"]; productName != "" && found { + productName += " (" + productVersion + ")" + } + if productName != "" { + info.Product = productName } - info.FileVersionInfo = getVersionInfoForResources(info.Resources) } } return info, nil diff --git a/libbeat/formats/pe/resources.go b/libbeat/formats/pe/resources.go index 968cbae5e076..efb553a8451a 100644 --- a/libbeat/formats/pe/resources.go +++ b/libbeat/formats/pe/resources.go @@ -163,7 +163,7 @@ func parseEntry(virtualAddress uint32, root string, global, base []byte, depth i // to the locations of the compressed resouces outside of // the Resource Data section return []Resource{ - Resource{Type: root, Language: languageName(language), Size: entrySize}, + Resource{Type: root, Language: languageName(language)}, }, nil } @@ -171,7 +171,7 @@ func parseEntry(virtualAddress uint32, root string, global, base []byte, depth i if err != nil { // we have an invalid data reference, so just return what we can return []Resource{ - Resource{Type: root, Language: languageName(language), Size: entrySize}, + Resource{Type: root, Language: languageName(language)}, }, nil } resourceData := data[0:entrySize] 
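Review bot: `data, _ := section.Data()` discards the read error, and debug/pe's Section.Data hands back the partial prefix it did read together with that error, so a section whose header claims more bytes than the file contains — a common trait of truncated and deliberately crafted samples — now gets entropy and chi2 scored over the prefix with nothing in the output saying so; the code being replaced at least gated the MD5 on `err == nil`. Keep the statistics only for a complete read, or record the truncation on the Section (a `Truncated bool` would need the struct in the `@@ -46` hunk). Parse's body starts outside this hunk; the `.rsrc` lookup by section name is also something a packer can defeat by renaming, and resolving the resource directory from the optional header's data directory would be more robust, though that is a larger change.

```go
	for i, section := range peFile.Sections {
		data, err := section.Data()
		if err != nil {
			// Header claims more bytes than the file holds (truncated or crafted PE);
			// Section.Data returns the partial prefix, so don't score it as the section.
			data = nil
		}
		// … unchanged: Section struct literal, .rsrc handling …
```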
@@ -181,7 +181,7 @@ func parseEntry(virtualAddress uint32, root string, global, base []byte, depth i resourceMime = kind.MIME.Value } return []Resource{ - Resource{Type: root, Language: languageName(language), Size: entrySize, data: resourceData, MIME: resourceMime, SHA256: hex.EncodeToString(hash[:])}, + Resource{Type: root, Language: languageName(language), data: resourceData, FileType: resourceMime, SHA256: hex.EncodeToString(hash[:]), Entropy: common.Entropy(data), ChiSquare: common.ChiSquare(data)}, }, nil } diff --git a/libbeat/formats/pe/section_flags.go b/libbeat/formats/pe/section_flags.go new file mode 100644 index 000000000000..8e7e93bc3468 --- /dev/null +++ b/libbeat/formats/pe/section_flags.go 
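Review bot: The new entropy and chi2 are computed over `data`, not over `resourceData` (`data[0:entrySize]`, sliced on the line just before this hunk), so unless `data` is already trimmed to the entry the statistics describe whatever follows the resource in the section rather than the resource itself, while the sha256 stored beside them presumably covers the entry bytes (its computation is outside the hunk). Change the two arguments to `Entropy: common.Entropy(resourceData), ChiSquare: common.ChiSquare(resourceData)`. parseEntry's body starts outside this hunk.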
@@ -0,0 +1,149 @@ +package pe + +const ( + IMAGE_SCN_TYPE_NO_PAD uint32 = 0x00000008 + IMAGE_SCN_CNT_CODE uint32 = 0x00000020 + IMAGE_SCN_CNT_INITIALIZED_DATA uint32 = 0x00000040 + IMAGE_SCN_CNT_UNINITIALIZED_DATA uint32 = 0x00000080 + IMAGE_SCN_LNK_OTHER uint32 = 0x00000100 + IMAGE_SCN_LNK_INFO uint32 = 0x00000200 + IMAGE_SCN_LNK_REMOVE uint32 = 0x00000800 + IMAGE_SCN_LNK_COMDAT uint32 = 0x00001000 + IMAGE_SCN_GPREL uint32 = 0x00008000 + IMAGE_SCN_MEM_PURGEABLE uint32 = 0x00020000 + IMAGE_SCN_MEM_16BIT uint32 = 0x00020000 + IMAGE_SCN_MEM_LOCKED uint32 = 0x00040000 + IMAGE_SCN_MEM_PRELOAD uint32 = 0x00080000 + IMAGE_SCN_ALIGN_1BYTES uint32 = 0x00100000 + IMAGE_SCN_ALIGN_2BYTES uint32 = 0x00200000 + IMAGE_SCN_ALIGN_4BYTES uint32 = 0x00300000 + IMAGE_SCN_ALIGN_8BYTES uint32 = 0x00400000 + IMAGE_SCN_ALIGN_16BYTES uint32 = 0x00500000 + IMAGE_SCN_ALIGN_32BYTES uint32 = 0x00600000 + IMAGE_SCN_ALIGN_64BYTES uint32 = 0x00700000 + IMAGE_SCN_ALIGN_128BYTES uint32 = 0x00800000 + IMAGE_SCN_ALIGN_256BYTES uint32 = 0x00900000 + IMAGE_SCN_ALIGN_512BYTES uint32 = 0x00A00000 + IMAGE_SCN_ALIGN_1024BYTES uint32 = 0x00B00000 + IMAGE_SCN_ALIGN_2048BYTES uint32 = 0x00C00000 + IMAGE_SCN_ALIGN_4096BYTES uint32 = 0x00D00000 + IMAGE_SCN_ALIGN_8192BYTES uint32 = 0x00E00000 + IMAGE_SCN_LNK_NRELOC_OVFL uint32 = 0x01000000 + IMAGE_SCN_MEM_DISCARDABLE uint32 = 0x02000000 + IMAGE_SCN_MEM_NOT_CACHED uint32 = 0x04000000 + IMAGE_SCN_MEM_NOT_PAGED uint32 = 0x08000000 + IMAGE_SCN_MEM_SHARED uint32 = 0x10000000 + IMAGE_SCN_MEM_EXECUTE uint32 = 0x20000000 + IMAGE_SCN_MEM_READ uint32 = 0x40000000 + IMAGE_SCN_MEM_WRITE uint32 = 0x80000000 +) + +func translateSectionFlags(characteristics uint32) []string { + flags := []string{} + if (characteristics & IMAGE_SCN_TYPE_NO_PAD) != 0 { + flags = append(flags, "IMAGE_SCN_TYPE_NO_PAD") + } + if (characteristics & IMAGE_SCN_CNT_CODE) != 0 { + flags = append(flags, "IMAGE_SCN_CNT_CODE") + } + if (characteristics & IMAGE_SCN_CNT_INITIALIZED_DATA) != 0 { + flags = 
append(flags, "IMAGE_SCN_CNT_INITIALIZED_DATA") + } + if (characteristics & IMAGE_SCN_CNT_UNINITIALIZED_DATA) != 0 { + flags = append(flags, "IMAGE_SCN_CNT_UNINITIALIZED_DATA") + } + if (characteristics & IMAGE_SCN_LNK_OTHER) != 0 { + flags = append(flags, "IMAGE_SCN_LNK_OTHER") + } + if (characteristics & IMAGE_SCN_LNK_INFO) != 0 { + flags = append(flags, "IMAGE_SCN_LNK_INFO") + } + if (characteristics & IMAGE_SCN_LNK_REMOVE) != 0 { + flags = append(flags, "IMAGE_SCN_LNK_REMOVE") + } + if (characteristics & IMAGE_SCN_LNK_COMDAT) != 0 { + flags = append(flags, "IMAGE_SCN_LNK_COMDAT") + } + if (characteristics & IMAGE_SCN_GPREL) != 0 { + flags = append(flags, "IMAGE_SCN_GPREL") + } + if (characteristics & IMAGE_SCN_MEM_PURGEABLE) != 0 { + flags = append(flags, "IMAGE_SCN_MEM_PURGEABLE") + } + if (characteristics & IMAGE_SCN_MEM_16BIT) != 0 { + flags = append(flags, "IMAGE_SCN_MEM_16BIT") + } + if (characteristics & IMAGE_SCN_MEM_LOCKED) != 0 { + flags = append(flags, "IMAGE_SCN_MEM_LOCKED") + } + if (characteristics & IMAGE_SCN_MEM_PRELOAD) != 0 { + flags = append(flags, "IMAGE_SCN_MEM_PRELOAD") + } + if (characteristics & IMAGE_SCN_ALIGN_1BYTES) != 0 { + flags = append(flags, "IMAGE_SCN_ALIGN_1BYTES") + } + if (characteristics & IMAGE_SCN_ALIGN_2BYTES) != 0 { + flags = append(flags, "IMAGE_SCN_ALIGN_2BYTES") + } + if (characteristics & IMAGE_SCN_ALIGN_4BYTES) != 0 { + flags = append(flags, "IMAGE_SCN_ALIGN_4BYTES") + } + if (characteristics & IMAGE_SCN_ALIGN_8BYTES) != 0 { + flags = append(flags, "IMAGE_SCN_ALIGN_8BYTES") + } + if (characteristics & IMAGE_SCN_ALIGN_16BYTES) != 0 { + flags = append(flags, "IMAGE_SCN_ALIGN_16BYTES") + } + if (characteristics & IMAGE_SCN_ALIGN_32BYTES) != 0 { + flags = append(flags, "IMAGE_SCN_ALIGN_32BYTES") + } + if (characteristics & IMAGE_SCN_ALIGN_64BYTES) != 0 { + flags = append(flags, "IMAGE_SCN_ALIGN_64BYTES") + } + if (characteristics & IMAGE_SCN_ALIGN_128BYTES) != 0 { + flags = append(flags, "IMAGE_SCN_ALIGN_128BYTES") + } + 
if (characteristics & IMAGE_SCN_ALIGN_256BYTES) != 0 { + flags = append(flags, "IMAGE_SCN_ALIGN_256BYTES") + } + if (characteristics & IMAGE_SCN_ALIGN_512BYTES) != 0 { + flags = append(flags, "IMAGE_SCN_ALIGN_512BYTES") + } + if (characteristics & IMAGE_SCN_ALIGN_1024BYTES) != 0 { + flags = append(flags, "IMAGE_SCN_ALIGN_1024BYTES") + } + if (characteristics & IMAGE_SCN_ALIGN_2048BYTES) != 0 { + flags = append(flags, "IMAGE_SCN_ALIGN_2048BYTES") + } + if (characteristics & IMAGE_SCN_ALIGN_4096BYTES) != 0 { + flags = append(flags, "IMAGE_SCN_ALIGN_4096BYTES") + } + if (characteristics & IMAGE_SCN_ALIGN_8192BYTES) != 0 { + flags = append(flags, "IMAGE_SCN_ALIGN_8192BYTES") + } + if (characteristics & IMAGE_SCN_LNK_NRELOC_OVFL) != 0 { + flags = append(flags, "IMAGE_SCN_LNK_NRELOC_OVFL") + } + if (characteristics & IMAGE_SCN_MEM_DISCARDABLE) != 0 { + flags = append(flags, "IMAGE_SCN_MEM_DISCARDABLE") + } + if (characteristics & IMAGE_SCN_MEM_NOT_CACHED) != 0 { + flags = append(flags, "IMAGE_SCN_MEM_NOT_CACHED") + } + if (characteristics & IMAGE_SCN_MEM_NOT_PAGED) != 0 { + flags = append(flags, "IMAGE_SCN_MEM_NOT_PAGED") + } + if (characteristics & IMAGE_SCN_MEM_SHARED) != 0 { + flags = append(flags, "IMAGE_SCN_MEM_SHARED") + } + if (characteristics & IMAGE_SCN_MEM_EXECUTE) != 0 { + flags = append(flags, "IMAGE_SCN_MEM_EXECUTE") + } + if (characteristics & IMAGE_SCN_MEM_READ) != 0 { + flags = append(flags, "IMAGE_SCN_MEM_READ") + } + if (characteristics & IMAGE_SCN_MEM_WRITE) != 0 { + flags = append(flags, "IMAGE_SCN_MEM_WRITE") + } + return flags +} diff --git a/libbeat/formats/pe/version_info.go b/libbeat/formats/pe/version_info.go index 2f093141b17b..57abd7c30ff9 100644 --- a/libbeat/formats/pe/version_info.go +++ b/libbeat/formats/pe/version_info.go 
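Review bot: The `IMAGE_SCN_ALIGN_*` constants are not independent bits but values of the 4-bit field 0x00F00000 (ALIGN_1BYTES=0x1, ALIGN_4BYTES=0x3, ALIGN_16BYTES=0x5, …), so testing each with `characteristics & X != 0` reports every name that shares a bit with the field's value; the fixture in this patch shows the result, with `.text` listing eleven ALIGN_* flags at once when the bit pattern there (bits 0 and 2 set, 1 and 3 clear) decodes to exactly `IMAGE_SCN_ALIGN_16BYTES`. Mask the field out and map it to one name, as below, then regenerate the PE fixture. Two smaller things: `IMAGE_SCN_MEM_PURGEABLE` and `IMAGE_SCN_MEM_16BIT` both equal 0x00020000 (the spec reserves that bit under both names), so one set bit yields two entries, and the exported ALL_CAPS constants will trip golint — unexported MixedCaps names, or a `flagNames` table, would be more idiomatic.

```go
// IMAGE_SCN_ALIGN_* occupies the 4-bit field 0x00F00000 and encodes one
// alignment value; it is not a set of independent flags.
const IMAGE_SCN_ALIGN_MASK uint32 = 0x00F00000

var alignmentNames = map[uint32]string{
	IMAGE_SCN_ALIGN_1BYTES:    "IMAGE_SCN_ALIGN_1BYTES",
	IMAGE_SCN_ALIGN_2BYTES:    "IMAGE_SCN_ALIGN_2BYTES",
	IMAGE_SCN_ALIGN_4BYTES:    "IMAGE_SCN_ALIGN_4BYTES",
	IMAGE_SCN_ALIGN_8BYTES:    "IMAGE_SCN_ALIGN_8BYTES",
	IMAGE_SCN_ALIGN_16BYTES:   "IMAGE_SCN_ALIGN_16BYTES",
	IMAGE_SCN_ALIGN_32BYTES:   "IMAGE_SCN_ALIGN_32BYTES",
	IMAGE_SCN_ALIGN_64BYTES:   "IMAGE_SCN_ALIGN_64BYTES",
	IMAGE_SCN_ALIGN_128BYTES:  "IMAGE_SCN_ALIGN_128BYTES",
	IMAGE_SCN_ALIGN_256BYTES:  "IMAGE_SCN_ALIGN_256BYTES",
	IMAGE_SCN_ALIGN_512BYTES:  "IMAGE_SCN_ALIGN_512BYTES",
	IMAGE_SCN_ALIGN_1024BYTES: "IMAGE_SCN_ALIGN_1024BYTES",
	IMAGE_SCN_ALIGN_2048BYTES: "IMAGE_SCN_ALIGN_2048BYTES",
	IMAGE_SCN_ALIGN_4096BYTES: "IMAGE_SCN_ALIGN_4096BYTES",
	IMAGE_SCN_ALIGN_8192BYTES: "IMAGE_SCN_ALIGN_8192BYTES",
}

func translateSectionFlags(characteristics uint32) []string {
	flags := []string{}
	// … unchanged: single-bit tests from IMAGE_SCN_TYPE_NO_PAD through IMAGE_SCN_MEM_PRELOAD …
	if name, ok := alignmentNames[characteristics&IMAGE_SCN_ALIGN_MASK]; ok {
		flags = append(flags, name)
	}
	// … unchanged: single-bit tests from IMAGE_SCN_LNK_NRELOC_OVFL through IMAGE_SCN_MEM_WRITE …
	return flags
}
```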
@@ -109,10 +109,15 @@ func readStringFileInfo(data []byte) []VersionInfo { return nil } -func getVersionInfoForResources(resources []Resource) []VersionInfo { +func getVersionInfoForResources(resources []Resource) map[string]string { for _, resource := range resources { if resource.Type == "RT_VERSION" { - return readStringFileInfo(resource.data) + versionInfo := readStringFileInfo(resource.data) + data := make(map[string]string, len(versionInfo)) + for _, info := range versionInfo { + data[info.Name] = info.Value + } + return data } } return nil From 4400f74dcb2dbe8bd249cf6b6773a973d679d7df Mon Sep 17 00:00:00 2001 From: Andrew Stucki Date: Tue, 23 Feb 2021 10:29:55 -0500 Subject: [PATCH 08/30] Add license header --- libbeat/formats/pe/section_flags.go | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/libbeat/formats/pe/section_flags.go b/libbeat/formats/pe/section_flags.go index 8e7e93bc3468..511c0a34a7da 100644 --- a/libbeat/formats/pe/section_flags.go +++ b/libbeat/formats/pe/section_flags.go @@ -1,3 +1,20 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + package pe const ( From bb30c1b67e5d55f836608803dbd6ef71b3247ce6 Mon Sep 17 00:00:00 2001 
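Review bot: Collapsing the `[]VersionInfo` into a `map[string]string` is last-writer-wins at `data[info.Name] = info.Value`, so if readStringFileInfo (body outside this hunk) returns strings from more than one StringTable — separate language/codepage blocks are common in VS_VERSIONINFO — a second `ProductName` or `OriginalFilename` silently overwrites the first and the fingerprint no longer reflects what an analyst would see in the resource. For a field that detection logic keys on, a crafted duplicate block could therefore mask the value that matters. Either keep the first occurrence, `if _, dup := data[info.Name]; !dup { data[info.Name] = info.Value }`, key by table plus name, or state the last-wins choice in a comment on the function. The early `return` on the first `RT_VERSION` resource is pre-existing behavior and unchanged here.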
From: Andrew Stucki Date: Tue, 23 Feb 2021 11:48:42 -0500 Subject: [PATCH 09/30] ECS-ify macho --- .../fixtures/macho/hello-darwin.fingerprint | 255 ++++++++++++++---- libbeat/formats/macho/command.go | 138 ++++++++++ libbeat/formats/macho/cpu.go | 195 ++++++++++++++ libbeat/formats/macho/header_flags.go | 102 +++++++ libbeat/formats/macho/macho.go | 146 ++++++---- libbeat/formats/macho/section_flags.go | 105 ++++++++ 6 files changed, 830 insertions(+), 111 deletions(-) create mode 100644 libbeat/formats/macho/command.go create mode 100644 libbeat/formats/macho/cpu.go create mode 100644 libbeat/formats/macho/header_flags.go create mode 100644 libbeat/formats/macho/section_flags.go diff --git a/libbeat/formats/fixtures/macho/hello-darwin.fingerprint b/libbeat/formats/fixtures/macho/hello-darwin.fingerprint index e579e05f15da..6a1a2f70eb40 100644 --- a/libbeat/formats/fixtures/macho/hello-darwin.fingerprint +++ b/libbeat/formats/fixtures/macho/hello-darwin.fingerprint 
@@ -2,70 +2,207 @@ "architectures": [ { "cpu": "x86_64", - "sections": [ + "byte_order": "LittleEndian", + "type": "Exec", + "header": { + "commands": [ + { + "number": 25, + "size": 72, + "type": "LC_SEGMENT_64" + }, + { + "number": 25, + "size": 472, + "type": "LC_SEGMENT_64" + }, + { + "number": 25, + "size": 152, + "type": "LC_SEGMENT_64" + }, + { + "number": 25, + "size": 232, + "type": "LC_SEGMENT_64" + }, + { + "number": 25, + "size": 72, + "type": "LC_SEGMENT_64" + }, + { + "number": 2147483682, + "size": 48, + "type": "LC_DYLD_INFO_ONLY" + }, + { + "number": 2, + "size": 24, + "type": "LC_SYMTAB" + }, + { + "number": 11, + "size": 80, + "type": "LC_DYSYMTAB" + }, + { + "number": 14, + "size": 32, + "type": "LC_LOAD_DYLINKER" + }, + { + "number": 27, + "size": 24, + "type": "LC_UUID" + }, + { + "number": 50, + "size": 32, + "type": "LC_UNKNOWN" + }, + { + "number": 42, + "size": 16, + "type": "LC_SOURCE_VERSION" + }, + { + "number": 2147483688, + "size": 24, + "type": "LC_MAIN" + }, + { + "number": 12, + "size": 56, + "type": "LC_LOAD_DYLIB" + }, + { + "number": 38, + "size": 16, + "type": "LC_FUNCTION_STARTS" + }, + { + "number": 41, + "size": 16, + "type": "LC_DATA_IN_CODE" + } + ], + "magic": "0xfeedfacf", + "flags": [ + "MH_NOUNDEFS", + "MH_DYLDLINK", + "MH_TWOLEVEL", + "MH_PIE" + ] + }, + "segments": [ { - "name": "__text", - "address": 4294971232, - "size": 42, - "entropy": 4.04, - "chi2": 1030.76, - "md5": "77166fb4124bfa15ceebf0b9425cda23" + "vmaddr": "100000000", + "name": "__TEXT", + "vmsize": 4096, + "fileoff": 0, + "filesize": 4096, + "sections": [ + { + "name": "__text", + "type": "S_REGULAR", + "offset": 3936, + "size": 42, + "entropy": 4.04, + "chi2": 1030.76, + "flags": [ + "S_ATTR_PURE_INSTRUCTIONS", + "S_ATTR_SOME_INSTRUCTIONS" + ] + }, + { + "name": "__stubs", + "type": "S_SYMBOL_STUBS", + "offset": 3978, + "size": 6, + "entropy": 2.25, + "chi2": 335.33, + "flags": [ + "S_ATTR_PURE_INSTRUCTIONS", + "S_ATTR_SOME_INSTRUCTIONS" + ] + }, + { 
+ "name": "__stub_helper", + "type": "S_REGULAR", + "offset": 3984, + "size": 26, + "entropy": 3.3, + "chi2": 1057.08, + "flags": [ + "S_ATTR_PURE_INSTRUCTIONS", + "S_ATTR_SOME_INSTRUCTIONS" + ] + }, + { + "name": "__cstring", + "type": "S_CSTRING_LITERALS", + "offset": 4010, + "size": 14, + "entropy": 3.32, + "chi2": 388.29, + "flags": [] + }, + { + "name": "__unwind_info", + "type": "S_REGULAR", + "offset": 4024, + "size": 72, + "entropy": 1.58, + "chi2": 10452.44, + "flags": [] + } + ] }, { - "name": "__stubs", - "address": 4294971274, - "size": 6, - "entropy": 2.25, - "chi2": 335.33, - "md5": "f9e07e9c40c24082fdf9f1eab3c8137c" + "vmaddr": "100001000", + "name": "__DATA_CONST", + "vmsize": 4096, + "fileoff": 4096, + "filesize": 4096, + "sections": [ + { + "name": "__got", + "type": "S_NON_LAZY_SYMBOL_POINTERS", + "offset": 4096, + "size": 8, + "entropy": 0, + "chi2": 2040, + "flags": [] + } + ] }, { - "name": "__stub_helper", - "address": 4294971280, - "size": 26, - "entropy": 3.3, - "chi2": 1057.08, - "md5": "7277b077b4cc51c5284ccaf6077babca" - }, - { - "name": "__cstring", - "address": 4294971306, - "size": 14, - "entropy": 3.32, - "chi2": 388.29, - "md5": "a79133c2466b7180a4de0fd3fe302b0b" - }, - { - "name": "__unwind_info", - "address": 4294971320, - "size": 72, - "entropy": 1.58, - "chi2": 10452.44, - "md5": "5a85d345ab9f929bf8ee00e141401105" - }, - { - "name": "__got", - "address": 4294971392, - "size": 8, - "entropy": 0, - "chi2": 2040, - "md5": "7dea362b3fac8e00956a4952a3d4f474" - }, - { - "name": "__la_symbol_ptr", - "address": 4294975488, - "size": 8, - "entropy": 1.55, - "chi2": 888, - "md5": "a8f250ea011781d751ad55c91ce4d39c" - }, - { - "name": "__data", - "address": 4294975496, - "size": 8, - "entropy": 0, - "chi2": 2040, - "md5": "7dea362b3fac8e00956a4952a3d4f474" + "vmaddr": "100002000", + "name": "__DATA", + "vmsize": 4096, + "fileoff": 8192, + "filesize": 4096, + "sections": [ + { + "name": "__la_symbol_ptr", + "type": "S_LAZY_SYMBOL_POINTERS", 
+ "offset": 8192, + "size": 8, + "entropy": 1.55, + "chi2": 888, + "flags": [] + }, + { + "name": "__data", + "type": "S_REGULAR", + "offset": 8200, + "size": 8, + "entropy": 0, + "chi2": 2040, + "flags": [] + } + ] } ], "libraries": [ diff --git a/libbeat/formats/macho/command.go b/libbeat/formats/macho/command.go new file mode 100644 index 000000000000..f4d2c4140c55 --- /dev/null +++ b/libbeat/formats/macho/command.go 
@@ -0,0 +1,138 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package macho
+
+import "debug/macho"
+
+func translateLoadType(loadType uint32) string {
+ switch loadType {
+ case 0x80000000:
+ return "LC_REQ_DYLD"
+ case 0x80000018:
+ return "LC_LOAD_WEAK_DYLIB"
+ case 0x8000001c:
+ return "LC_RPATH"
+ case 0x8000001f:
+ return "LC_REEXPORT_DYLIB"
+ case 0x80000022:
+ return "LC_DYLD_INFO_ONLY"
+ case 0x80000023:
+ return "LC_LOAD_UPWARD_DYLIB"
+ case 0x80000028:
+ return "LC_MAIN"
+ case 0x1:
+ return "LC_SEGMENT"
+ case 0x2:
+ return "LC_SYMTAB"
+ case 0x3:
+ return "LC_SYMSEG"
+ case 0x4:
+ return "LC_THREAD"
+ case 0x5:
+ return "LC_UNIXTHREAD"
+ case 0x6:
+ return "LC_LOADFVMLIB"
+ case 0x7:
+ return "LC_IDFVMLIB"
+ case 0x8:
+ return "LC_IDENT"
+ case 0x9:
+ return "LC_FVMFILE"
+ case 0xa:
+ return "LC_PREPAGE"
+ case 0xb:
+ return "LC_DYSYMTAB"
+ case 0xc:
+ return "LC_LOAD_DYLIB"
+ case 0xd:
+ return "LC_ID_DYLIB"
+ case 0xe:
+ return "LC_LOAD_DYLINKER"
+ case 0xf:
+ return "LC_ID_DYLINKER"
+ case 0x10:
+ return "LC_PREBOUND_DYLIB"
+ case 0x11:
+ return "LC_ROUTINES"
+ case 0x12:
+ return "LC_SUB_FRAMEWORK"
+ case 0x13:
+ return "LC_SUB_UMBRELLA"
+ case 0x14:
+ return "LC_SUB_CLIENT"
+ case 0x15:
+ return "LC_SUB_LIBRARY"
+ case 0x16:
+ return "LC_TWOLEVEL_HINTS"
+ case 0x17:
+ return "LC_PREBIND_CKSUM"
+ case 0x19:
+ return "LC_SEGMENT_64"
+ case 0x1a:
+ return "LC_ROUTINES_64"
+ case 0x1b:
+ return "LC_UUID"
+ case 0x1d:
+ return "LC_CODE_SIGNATURE"
+ case 0x1e:
+ return "LC_SEGMENT_SPLIT_INFO"
+ case 0x20:
+ return "LC_LAZY_LOAD_DYLIB"
+ case 0x21:
+ return "LC_ENCRYPTION_INFO"
+ case 0x22:
+ return "LC_DYLD_INFO"
+ case 0x24:
+ return "LC_VERSION_MIN_MACOSX"
+ case 0x25:
+ return "LC_VERSION_MIN_IPHONEOS"
+ case 0x26:
+ return "LC_FUNCTION_STARTS"
+ case 0x27:
+ return "LC_DYLD_ENVIRONMENT"
+ case 0x29:
+ return "LC_DATA_IN_CODE"
+ case 0x2A:
+ return "LC_SOURCE_VERSION"
+ case 0x2B:
+ return "LC_DYLIB_CODE_SIGN_DRS"
+ case 0x2C:
+ return "LC_ENCRYPTION_INFO_64"
+ case 0x2D:
+ return "LC_LINKER_OPTION"
+ case 0x2E:
+ return "LC_LINKER_OPTIMIZATION_HINT"
+ default:
+ return "LC_UNKNOWN"
+ }
+}
+
+func loadCommands(f *macho.File) []Command {
+ commands := make([]Command, len(f.Loads))
+ for i, load := range f.Loads {
+ data := load.Raw()
+ loadType := f.ByteOrder.Uint32(data[0:4])
+ command := Command{
+ Number: int64(loadType),
+ Size: int64(f.ByteOrder.Uint32(data[4:8])),
+ }
+ command.Type = translateLoadType(loadType)
+ commands[i] = command
+ }
+ return commands
+}
diff --git a/libbeat/formats/macho/cpu.go b/libbeat/formats/macho/cpu.go
new file mode 100644
index 000000000000..8f1607df594b
--- /dev/null
+++ b/libbeat/formats/macho/cpu.go
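Review bot: `translateLoadType` has no entry for `0x32` (`LC_BUILD_VERSION`), and the regenerated `hello-darwin.fingerprint` in this same commit already shows the effect: `"number": 50` comes out as `"type": "LC_UNKNOWN"`. The same gap covers every command defined after `LC_LINKER_OPTIMIZATION_HINT` — `LC_VERSION_MIN_TVOS` (0x2f), `LC_VERSION_MIN_WATCHOS` (0x30), `LC_NOTE` (0x31), `LC_DYLD_EXPORTS_TRIE` (0x80000033), `LC_DYLD_CHAINED_FIXUPS` (0x80000034), `LC_FILESET_ENTRY` (0x80000035) — and recent toolchains emit the chained-fixups/exports-trie pair in place of `LC_DYLD_INFO_ONLY`, so current binaries will carry several `LC_UNKNOWN` entries. `case 0x80000000: return "LC_REQ_DYLD"` is the flag bit rather than a command and can never match a real load command; harmless, but misleading in a lookup table. `loadCommands` slices `data[0:4]` and `data[4:8]` without a length check, which is safe only because debug/macho rejects command blocks shorter than eight bytes before populating `f.Loads`; a one-line comment stating that assumption would keep it from being silently broken if the parser is ever swapped.
```go
	// … unchanged: cases 0x1 through 0x2E …
	case 0x2F:
		return "LC_VERSION_MIN_TVOS"
	case 0x30:
		return "LC_VERSION_MIN_WATCHOS"
	case 0x31:
		return "LC_NOTE"
	case 0x32:
		return "LC_BUILD_VERSION"
	case 0x80000033:
		return "LC_DYLD_EXPORTS_TRIE"
	case 0x80000034:
		return "LC_DYLD_CHAINED_FIXUPS"
	case 0x80000035:
		return "LC_FILESET_ENTRY"
	default:
		return "LC_UNKNOWN"
```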
@@ -0,0 +1,195 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package macho + +import "debug/macho" + +// /// Get the cputype and cpusubtype from a name +// pub fn get_arch_from_flag(name: &str) -> Option<(CpuType, CpuSubType)> { +// get_arch_from_flag_no_alias(name).or_else(|| { +// // we also handle some common aliases +// match name { +// // these are used by apple +// "pentium" => Some((CPU_TYPE_I386, CPU_SUBTYPE_PENT)), +// "pentpro" => Some((CPU_TYPE_I386, CPU_SUBTYPE_PENTPRO)), +// // these are used commonly for consistency +// "x86" => Some((CPU_TYPE_I386, CPU_SUBTYPE_I386_ALL)), +// _ => None, +// } +// }) +// } + +// /// An alias for u32 +// pub type CpuType = u32; +// /// An alias for u32 +// pub type CpuSubType = u32; + +// /// the mask for CPU feature flags +// pub const CPU_SUBTYPE_MASK: u32 = 0xff00_0000; +// /// mask for architecture bits +// pub const CPU_ARCH_MASK: CpuType = 0xff00_0000; +// /// the mask for 64 bit ABI +// pub const CPU_ARCH_ABI64: CpuType = 0x0100_0000; +// /// the mask for ILP32 ABI on 64 bit hardware +// pub const CPU_ARCH_ABI64_32: CpuType = 0x0200_0000; + +// // CPU Types +// pub const CPU_TYPE_ANY: CpuType = !0; +// pub const CPU_TYPE_VAX: CpuType = 1; +// pub const 
CPU_TYPE_MC680X0: CpuType = 6; +// pub const CPU_TYPE_X86: CpuType = 7; +// pub const CPU_TYPE_I386: CpuType = CPU_TYPE_X86; +// pub const CPU_TYPE_X86_64: CpuType = CPU_TYPE_X86 | CPU_ARCH_ABI64; +// pub const CPU_TYPE_MIPS: CpuType = 8; +// pub const CPU_TYPE_MC98000: CpuType = 10; +// pub const CPU_TYPE_HPPA: CpuType = 11; +// pub const CPU_TYPE_ARM: CpuType = 12; +// pub const CPU_TYPE_ARM64: CpuType = CPU_TYPE_ARM | CPU_ARCH_ABI64; +// pub const CPU_TYPE_ARM64_32: CpuType = CPU_TYPE_ARM | CPU_ARCH_ABI64_32; +// pub const CPU_TYPE_MC88000: CpuType = 13; +// pub const CPU_TYPE_SPARC: CpuType = 14; +// pub const CPU_TYPE_I860: CpuType = 15; +// pub const CPU_TYPE_ALPHA: CpuType = 16; +// pub const CPU_TYPE_POWERPC: CpuType = 18; +// pub const CPU_TYPE_POWERPC64: CpuType = CPU_TYPE_POWERPC | CPU_ARCH_ABI64; + +// // CPU Subtypes +// pub const CPU_SUBTYPE_MULTIPLE: CpuSubType = !0; +// pub const CPU_SUBTYPE_LITTLE_ENDIAN: CpuSubType = 0; +// pub const CPU_SUBTYPE_BIG_ENDIAN: CpuSubType = 1; +// pub const CPU_SUBTYPE_VAX_ALL: CpuSubType = 0; +// pub const CPU_SUBTYPE_VAX780: CpuSubType = 1; +// pub const CPU_SUBTYPE_VAX785: CpuSubType = 2; +// pub const CPU_SUBTYPE_VAX750: CpuSubType = 3; +// pub const CPU_SUBTYPE_VAX730: CpuSubType = 4; +// pub const CPU_SUBTYPE_UVAXI: CpuSubType = 5; +// pub const CPU_SUBTYPE_UVAXII: CpuSubType = 6; +// pub const CPU_SUBTYPE_VAX8200: CpuSubType = 7; +// pub const CPU_SUBTYPE_VAX8500: CpuSubType = 8; +// pub const CPU_SUBTYPE_VAX8600: CpuSubType = 9; +// pub const CPU_SUBTYPE_VAX8650: CpuSubType = 10; +// pub const CPU_SUBTYPE_VAX8800: CpuSubType = 11; +// pub const CPU_SUBTYPE_UVAXIII: CpuSubType = 12; +// pub const CPU_SUBTYPE_MC680X0_ALL: CpuSubType = 1; +// pub const CPU_SUBTYPE_MC68030: CpuSubType = 1; /* compat */ +// pub const CPU_SUBTYPE_MC68040: CpuSubType = 2; +// pub const CPU_SUBTYPE_MC68030_ONLY: CpuSubType = 3; + +// macro_rules! 
CPU_SUBTYPE_INTEL { +// ($f:expr, $m:expr) => {{ +// ($f) + (($m) << 4) +// }}; +// } + +// pub const CPU_SUBTYPE_I386_ALL: CpuSubType = CPU_SUBTYPE_INTEL!(3, 0); +// pub const CPU_SUBTYPE_386: CpuSubType = CPU_SUBTYPE_INTEL!(3, 0); +// pub const CPU_SUBTYPE_486: CpuSubType = CPU_SUBTYPE_INTEL!(4, 0); +// pub const CPU_SUBTYPE_486SX: CpuSubType = CPU_SUBTYPE_INTEL!(4, 8); // 8 << 4 = 128 +// pub const CPU_SUBTYPE_586: CpuSubType = CPU_SUBTYPE_INTEL!(5, 0); +// pub const CPU_SUBTYPE_PENT: CpuSubType = CPU_SUBTYPE_INTEL!(5, 0); +// pub const CPU_SUBTYPE_PENTPRO: CpuSubType = CPU_SUBTYPE_INTEL!(6, 1); +// pub const CPU_SUBTYPE_PENTII_M3: CpuSubType = CPU_SUBTYPE_INTEL!(6, 3); +// pub const CPU_SUBTYPE_PENTII_M5: CpuSubType = CPU_SUBTYPE_INTEL!(6, 5); +// pub const CPU_SUBTYPE_CELERON: CpuSubType = CPU_SUBTYPE_INTEL!(7, 6); +// pub const CPU_SUBTYPE_CELERON_MOBILE: CpuSubType = CPU_SUBTYPE_INTEL!(7, 7); +// pub const CPU_SUBTYPE_PENTIUM_3: CpuSubType = CPU_SUBTYPE_INTEL!(8, 0); +// pub const CPU_SUBTYPE_PENTIUM_3_M: CpuSubType = CPU_SUBTYPE_INTEL!(8, 1); +// pub const CPU_SUBTYPE_PENTIUM_3_XEON: CpuSubType = CPU_SUBTYPE_INTEL!(8, 2); +// pub const CPU_SUBTYPE_PENTIUM_M: CpuSubType = CPU_SUBTYPE_INTEL!(9, 0); +// pub const CPU_SUBTYPE_PENTIUM_4: CpuSubType = CPU_SUBTYPE_INTEL!(10, 0); +// pub const CPU_SUBTYPE_PENTIUM_4_M: CpuSubType = CPU_SUBTYPE_INTEL!(10, 1); +// pub const CPU_SUBTYPE_ITANIUM: CpuSubType = CPU_SUBTYPE_INTEL!(11, 0); +// pub const CPU_SUBTYPE_ITANIUM_2: CpuSubType = CPU_SUBTYPE_INTEL!(11, 1); +// pub const CPU_SUBTYPE_XEON: CpuSubType = CPU_SUBTYPE_INTEL!(12, 0); +// pub const CPU_SUBTYPE_XEON_MP: CpuSubType = CPU_SUBTYPE_INTEL!(12, 1); +// pub const CPU_SUBTYPE_INTEL_FAMILY_MAX: CpuSubType = 15; +// pub const CPU_SUBTYPE_INTEL_MODEL_ALL: CpuSubType = 0; +// pub const CPU_SUBTYPE_X86_ALL: CpuSubType = 3; +// pub const CPU_SUBTYPE_X86_64_ALL: CpuSubType = 3; +// pub const CPU_SUBTYPE_X86_ARCH1: CpuSubType = 4; +// pub const CPU_SUBTYPE_X86_64_H: 
CpuSubType = 8; +// pub const CPU_SUBTYPE_MIPS_ALL: CpuSubType = 0; +// pub const CPU_SUBTYPE_MIPS_R2300: CpuSubType = 1; +// pub const CPU_SUBTYPE_MIPS_R2600: CpuSubType = 2; +// pub const CPU_SUBTYPE_MIPS_R2800: CpuSubType = 3; +// pub const CPU_SUBTYPE_MIPS_R2000A: CpuSubType = 4; +// pub const CPU_SUBTYPE_MIPS_R2000: CpuSubType = 5; +// pub const CPU_SUBTYPE_MIPS_R3000A: CpuSubType = 6; +// pub const CPU_SUBTYPE_MIPS_R3000: CpuSubType = 7; +// pub const CPU_SUBTYPE_MC98000_ALL: CpuSubType = 0; +// pub const CPU_SUBTYPE_MC98601: CpuSubType = 1; +// pub const CPU_SUBTYPE_HPPA_ALL: CpuSubType = 0; +// pub const CPU_SUBTYPE_HPPA_7100: CpuSubType = 0; +// pub const CPU_SUBTYPE_HPPA_7100LC: CpuSubType = 1; +// pub const CPU_SUBTYPE_MC88000_ALL: CpuSubType = 0; +// pub const CPU_SUBTYPE_MC88100: CpuSubType = 1; +// pub const CPU_SUBTYPE_MC88110: CpuSubType = 2; +// pub const CPU_SUBTYPE_SPARC_ALL: CpuSubType = 0; +// pub const CPU_SUBTYPE_I860_ALL: CpuSubType = 0; +// pub const CPU_SUBTYPE_I860_860: CpuSubType = 1; +// pub const CPU_SUBTYPE_POWERPC_ALL: CpuSubType = 0; +// pub const CPU_SUBTYPE_POWERPC_601: CpuSubType = 1; +// pub const CPU_SUBTYPE_POWERPC_602: CpuSubType = 2; +// pub const CPU_SUBTYPE_POWERPC_603: CpuSubType = 3; +// pub const CPU_SUBTYPE_POWERPC_603E: CpuSubType = 4; +// pub const CPU_SUBTYPE_POWERPC_603EV: CpuSubType = 5; +// pub const CPU_SUBTYPE_POWERPC_604: CpuSubType = 6; +// pub const CPU_SUBTYPE_POWERPC_604E: CpuSubType = 7; +// pub const CPU_SUBTYPE_POWERPC_620: CpuSubType = 8; +// pub const CPU_SUBTYPE_POWERPC_750: CpuSubType = 9; +// pub const CPU_SUBTYPE_POWERPC_7400: CpuSubType = 10; +// pub const CPU_SUBTYPE_POWERPC_7450: CpuSubType = 11; +// pub const CPU_SUBTYPE_POWERPC_970: CpuSubType = 100; +// pub const CPU_SUBTYPE_ARM_ALL: CpuSubType = 0; +// pub const CPU_SUBTYPE_ARM_V4T: CpuSubType = 5; +// pub const CPU_SUBTYPE_ARM_V6: CpuSubType = 6; +// pub const CPU_SUBTYPE_ARM_V5TEJ: CpuSubType = 7; +// pub const CPU_SUBTYPE_ARM_XSCALE: 
CpuSubType = 8; +// pub const CPU_SUBTYPE_ARM_V7: CpuSubType = 9; +// pub const CPU_SUBTYPE_ARM_V7F: CpuSubType = 10; +// pub const CPU_SUBTYPE_ARM_V7S: CpuSubType = 11; +// pub const CPU_SUBTYPE_ARM_V7K: CpuSubType = 12; +// pub const CPU_SUBTYPE_ARM_V6M: CpuSubType = 14; +// pub const CPU_SUBTYPE_ARM_V7M: CpuSubType = 15; +// pub const CPU_SUBTYPE_ARM_V7EM: CpuSubType = 16; +// pub const CPU_SUBTYPE_ARM_V8: CpuSubType = 13; +// pub const CPU_SUBTYPE_ARM64_ALL: CpuSubType = 0; +// pub const CPU_SUBTYPE_ARM64_V8: CpuSubType = 1; +// pub const CPU_SUBTYPE_ARM64_E: CpuSubType = 2; +// pub const CPU_SUBTYPE_ARM64_32_ALL: CpuSubType = 0; +// pub const CPU_SUBTYPE_ARM64_32_V8: CpuSubType = 1; + +// the default string translations are gross +func translateCPU(cpu macho.Cpu) string { + switch cpu { + case macho.Cpu386: + return "x86" + case macho.CpuAmd64: + return "x86_64" + case macho.CpuArm: + return "arm" + case macho.CpuArm64: + return "arm64" + case macho.CpuPpc: + return "ppc" + case macho.CpuPpc64: + return "ppc64" + default: + return "unknown" + } +} diff --git a/libbeat/formats/macho/header_flags.go b/libbeat/formats/macho/header_flags.go new file mode 100644 index 000000000000..137abc58c621 --- /dev/null +++ b/libbeat/formats/macho/header_flags.go 
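Review bot: About 150 of the 195 added lines are a commented-out Rust listing (`pub fn get_arch_from_flag`, the `CPU_TYPE_*`/`CPU_SUBTYPE_*` constants) that nothing in `translateCPU` references; it appears to have been pasted from another project's mach-o module as a reference table. Dead code kept in comments drifts from the real definitions, and if it was copied from a third-party source it should at least carry its origin and license rather than sit anonymously under this file's Apache header — a one-line pointer such as `// cpu type/subtype values: <mach-o/machine.h>` does the same job. `translateCPU` covers only the six constants debug/macho defines and folds everything else into `"unknown"`, and since `Architecture.CPU` is the only place the cpu type surfaces, an unusual or malformed type leaves no trace in the fingerprint; `return fmt.Sprintf("unknown(0x%x)", uint32(cpu))` (with a `fmt` import) keeps the value visible.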
@@ -0,0 +1,102 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package macho
+
+func headerFlags(flags uint32) []string {
+ flagNames := []string{}
+ if (flags & 0x1) > 0 {
+ flagNames = append(flagNames, "MH_NOUNDEFS")
+ }
+ if (flags & 0x2) > 0 {
+ flagNames = append(flagNames, "MH_INCRLINK")
+ }
+ if (flags & 0x4) > 0 {
+ flagNames = append(flagNames, "MH_DYLDLINK")
+ }
+ if (flags & 0x8) > 0 {
+ flagNames = append(flagNames, "MH_BINDATLOAD")
+ }
+ if (flags & 0x10) > 0 {
+ flagNames = append(flagNames, "MH_PREBOUND")
+ }
+ if (flags & 0x20) > 0 {
+ flagNames = append(flagNames, "MH_SPLIT_SEGS")
+ }
+ if (flags & 0x40) > 0 {
+ flagNames = append(flagNames, "MH_LAZY_INIT")
+ }
+ if (flags & 0x80) > 0 {
+ flagNames = append(flagNames, "MH_TWOLEVEL")
+ }
+ if (flags & 0x100) > 0 {
+ flagNames = append(flagNames, "MH_FORCE_FLAT")
+ }
+ if (flags & 0x200) > 0 {
+ flagNames = append(flagNames, "MH_NOMULTIDEFS")
+ }
+
+ if (flags & 0x400) > 0 {
+ flagNames = append(flagNames, "MH_NOFIXPREBINDING")
+ }
+ if (flags & 0x800) > 0 {
+ flagNames = append(flagNames, "MH_PREBINDABLE")
+ }
+ if (flags & 0x1000) > 0 {
+ flagNames = append(flagNames, "MH_ALLMODSBOUND")
+ }
+ if (flags & 0x2000) > 0 {
+ flagNames = append(flagNames, "MH_SUBSECTIONS_VIA_SYMBOLS")
+ }
+ if (flags & 0x4000) > 0 {
+ flagNames = append(flagNames, "MH_CANONICAL")
+ }
+ if (flags & 0x8000) > 0 {
+ flagNames = append(flagNames, "MH_WEAK_DEFINES")
+ }
+ if (flags & 0x10000) > 0 {
+ flagNames = append(flagNames, "MH_BINDS_TO_WEAK")
+ }
+ if (flags & 0x20000) > 0 {
+ flagNames = append(flagNames, "MH_ALLOW_STACK_EXECUTION")
+ }
+ if (flags & 0x40000) > 0 {
+ flagNames = append(flagNames, "MH_ROOT_SAFE")
+ }
+ if (flags & 0x80000) > 0 {
+ flagNames = append(flagNames, "MH_SETUID_SAFE")
+ }
+ if (flags & 0x100000) > 0 {
+ flagNames = append(flagNames, "MH_NO_REEXPORTED_DYLIBS")
+ }
+ if (flags & 0x200000) > 0 {
+ flagNames = append(flagNames, "MH_PIE")
+ }
+ if (flags & 0x400000) > 0 {
+ flagNames = append(flagNames, "MH_DEAD_STRIPPABLE_DYLIB")
+ }
+ if (flags & 0x800000) > 0 {
+ flagNames = append(flagNames, "MH_HAS_TLV_DESCRIPTORS")
+ }
+ if (flags & 0x1000000) > 0 {
+ flagNames = append(flagNames, "MH_NO_HEAP_EXECUTION")
+ }
+ if (flags & 0x2000000) > 0 {
+ flagNames = append(flagNames, "MH_APP_EXTENSION_SAFE")
+ }
+ return flagNames
+}
diff --git a/libbeat/formats/macho/macho.go b/libbeat/formats/macho/macho.go
index 727b1947a8d0..dc1e845ce245 100644
--- a/libbeat/formats/macho/macho.go
+++ b/libbeat/formats/macho/macho.go
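Review bot: Any header bit outside this table is dropped silently, so a binary carrying `MH_NLIST_OUTOFSYNC_WITH_DYLDINFO` (0x4000000), `MH_SIM_SUPPORT` (0x8000000) or `MH_DYLIB_IN_CACHE` (0x80000000) — or a bit a newer toolchain introduces — yields the same `flags` list as one without it, and `Header` exposes no raw flags word to fall back on. Add those three names and surface whatever remains, `if rest := flags &^ 0x3ffffff; rest != 0 { flagNames = append(flagNames, fmt.Sprintf("MH_UNKNOWN_0x%x", rest)) }` (needs a `fmt` import here; widen the mask if the three names are added). The bits detection cares about most — `MH_PIE`, `MH_ALLOW_STACK_EXECUTION`, `MH_NO_HEAP_EXECUTION` — are correct against loader.h. As a style point, the PE sibling `pe/section_flags.go` tests named `IMAGE_SCN_*` constants from a const block, whereas this file and the mach-o `section_flags.go` inline raw hex; a `const ( MH_NOUNDEFS = 0x1 … )` block would match the existing convention and make the table auditable against the header at a glance.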
@@ -18,33 +18,63 @@ package macho import ( - "crypto/md5" "debug/macho" - "encoding/hex" + "fmt" "io" "github.com/elastic/beats/v7/libbeat/formats/common" + "github.com/elastic/beats/v7/libbeat/formats/dwarf" ) +// Command contains info about a load command +type Command struct { + Number int64 `json:"number"` + Size int64 `json:"size"` + Type string `json:"type,omitempty"` +} + +// Header contains info about the overall file structure +type Header struct { + Commands []Command `json:"commands"` + Magic string `json:"magic"` + Flags []string `json:"flags"` +} + // Section contains information about a section in a mach-o file. type Section struct { - Name string `json:"name"` - Address uint64 `json:"address"` - Size uint64 `json:"size"` - Entropy float64 `json:"entropy"` - ChiSquare float64 `json:"chi2"` - MD5 string `json:"md5,omitempty"` + Name string `json:"name"` + Type string `json:"type"` + Offset int64 `json:"offset"` + Size int64 `json:"size"` + Entropy float64 `json:"entropy"` + ChiSquare float64 `json:"chi2"` + Flags []string `json:"flags,omitempty"` +} + +// Segment contains info about a segment +type Segment struct { + VMAddress string `json:"vmaddr"` + Name string `json:"name"` + VMSize int64 `json:"vmsize"` + FileOffset int64 `json:"fileoff"` + FileSize int64 `json:"filesize"` + Sections []Section `json:"sections,omitempty"` } // Architecture represents a fat file architecture type Architecture struct { - CPU string `json:"cpu"` - Sections []Section `json:"sections,omitempty"` - Libraries []string `json:"libraries,omitempty"` - Imports []string `json:"imports,omitempty"` - Exports []string `json:"exports,omitempty"` - Packer string `json:"packer,omitempty"` - Symhash string `json:"symhash,omitempty"` + CPU string `json:"cpu"` + ByteOrder string `json:"byte_order"` + Type string `json:"type,omitempty"` + Header Header `json:"header"` + Debug []dwarf.DWARF `json:"debug,omitempty"` + Segments []Segment `json:"segments,omitempty"` + Libraries []string 
`json:"libraries,omitempty"` + Imports []string `json:"imports,omitempty"` + Packers []string `json:"packers,omitempty"` + Symhash string `json:"symhash,omitempty"` + // Exports []string `json:"exports,omitempty"` + // CDHash string `json:"cdhash"` } // Info contains high level fingerprinting an analysis of a mach-o file. @@ -84,26 +114,6 @@ func Parse(r io.ReaderAt) (interface{}, error) { }, nil } -// the default string translations are gross -func translateCPU(cpu macho.Cpu) string { - switch cpu { - case macho.Cpu386: - return "x86" - case macho.CpuAmd64: - return "x86_64" - case macho.CpuArm: - return "arm" - case macho.CpuArm64: - return "arm64" - case macho.CpuPpc: - return "ppc" - case macho.CpuPpc64: - return "ppc64" - default: - return "unknown" - } -} - func parse(machoFile *macho.File) (*Architecture, error) { symhash, err := symhash(machoFile) if err != nil { @@ -120,9 +130,8 @@ func parse(machoFile *macho.File) (*Architecture, error) { } } - sections := make([]Section, len(machoFile.Sections)) - for i, section := range machoFile.Sections { - var md5String string + segmentMap := make(map[string]Segment) + for _, section := range machoFile.Sections { var entropy float64 var chiSquare float64 
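Review bot: `VMAddress string` (json `vmaddr`) is the only address-like field in `Segment` typed as a string while `Offset`, `VMSize`, `FileOffset` and `FileSize` are int64, and the regenerated fixture shows it rendered as bare hex (`"vmaddr": "100000000"`) beside `"magic": "0xfeedfacf"`, so one document mixes three number encodings. Either keep it numeric (`VMAddress uint64`) or format it exactly like `Magic` with the `0x` prefix, and say which in the field comment. The commented-out `// Exports` and `// CDHash` lines are dead declarations: dropping `Exports` from the output is a visible schema change that the commit message should own, and `CDHash` (the code-signature hash, the more useful of the two for allow-listing) deserves a tracked TODO rather than a stray comment. The `Architecture` struct and `Info` continue outside this hunk.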
@@ -132,36 +141,69 @@ func parse(machoFile *macho.File) (*Architecture, error) { return nil, err } } else { - md5hash := md5.Sum(data) - md5String = hex.EncodeToString(md5hash[:]) entropy = common.Entropy(data) chiSquare = common.ChiSquare(data) } - sections[i] = Section{ + segment, found := segmentMap[section.Seg] + if !found { + segment = Segment{ + Name: section.Seg, + } + mSegment := machoFile.Segment(section.Seg) + if mSegment != nil { + segment.VMAddress = fmt.Sprintf("%x", mSegment.Addr) + segment.VMSize = int64(mSegment.Memsz) + segment.FileOffset = int64(mSegment.Offset) + segment.FileSize = int64(mSegment.Filesz) + } + } + segment.Sections = append(segment.Sections, Section{ Name: section.Name, - Address: section.Addr, - Size: section.Size, + Size: int64(section.Size), + Offset: int64(section.Offset), Entropy: entropy, ChiSquare: chiSquare, - MD5: md5String, - } + Type: sectionType(section.Flags), + Flags: sectionFlags(section.Flags), + }) + segmentMap[section.Seg] = segment + } + segments := []Segment{} + for _, segment := range segmentMap { + segments = append(segments, segment) } - return &Architecture{ + info := &Architecture{ CPU: translateCPU(machoFile.Cpu), + ByteOrder: machoFile.ByteOrder.String(), + Type: machoFile.Type.String(), + Header: Header{ + Magic: fmt.Sprintf("0x%x", machoFile.Magic), + Flags: headerFlags(machoFile.Flags), + Commands: loadCommands(machoFile), + }, Symhash: symhash, Libraries: libraries, Imports: importSymbols, - Sections: sections, - Packer: getPacker(machoFile), - }, nil + Segments: segments, + Packers: getPackers(machoFile), + } + + if debug, err := machoFile.DWARF(); err == nil { + // just ignore the error if we can't get DWARF information + debugSymbols, err := dwarf.Parse(debug) + if err == nil { + info.Debug = debugSymbols + } + } + return info, nil } -func getPacker(machoFile *macho.File) string { +func getPackers(machoFile *macho.File) []string { for _, section := range machoFile.Sections { if section.Name == 
"upxTEXT" { - return "upx" + return []string{"upx"} } } - return "" + return nil } diff --git a/libbeat/formats/macho/section_flags.go b/libbeat/formats/macho/section_flags.go new file mode 100644 index 000000000000..658e763dc790 --- /dev/null +++ b/libbeat/formats/macho/section_flags.go 
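Review bot: The order of `segments` is whatever Go's randomized map iteration produces in `for _, segment := range segmentMap`, so two runs over the same file can list `__TEXT`, `__DATA_CONST` and `__DATA` differently; that makes the fingerprint non-reproducible and the regenerated fixture, which lists them in file order, pass or fail by luck. Track first-seen order next to the map and build the slice from it, as below; `var segmentOrder []string` belongs beside `segmentMap`, which is declared in the previous hunk. Because segments are discovered only through their sections, a segment with none — `__PAGEZERO`, and `__LINKEDIT`, where the code signature lives — never appears at all; if those matter for analysis, walk `machoFile.Loads` for `*macho.Segment` instead, which also gives deterministic order for free. `parse` begins before this hunk.
```go
		segment, found := segmentMap[section.Seg]
		if !found {
			// first-seen order, so output does not follow Go's randomized map iteration
			segmentOrder = append(segmentOrder, section.Seg)
			segment = Segment{
				Name: section.Seg,
			}
			// … unchanged: vmaddr/vmsize/fileoff/filesize lookup …
		}
		// … unchanged: section append and segmentMap store …
	}
	segments := make([]Segment, 0, len(segmentOrder))
	for _, name := range segmentOrder {
		segments = append(segments, segmentMap[name])
	}
```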
@@ -0,0 +1,105 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package macho
+
+func sectionType(flags uint32) string {
+ maskedType := flags & 0x000000ff
+ switch maskedType {
+ case 0x00:
+ return "S_REGULAR"
+ case 0x01:
+ return "S_ZEROFILL"
+ case 0x02:
+ return "S_CSTRING_LITERALS"
+ case 0x03:
+ return "S_4BYTE_LITERALS"
+ case 0x04:
+ return "S_8BYTE_LITERALS"
+ case 0x05:
+ return "S_LITERAL_POINTERS"
+ case 0x06:
+ return "S_NON_LAZY_SYMBOL_POINTERS"
+ case 0x07:
+ return "S_LAZY_SYMBOL_POINTERS"
+ case 0x08:
+ return "S_SYMBOL_STUBS"
+ case 0x09:
+ return "S_MOD_INIT_FUNC_POINTERS"
+ case 0x0a:
+ return "S_MOD_TERM_FUNC_POINTERS"
+ case 0x0b:
+ return "S_COALESCED"
+ case 0x0c:
+ return "S_GB_ZEROFILL"
+ case 0x0d:
+ return "S_INTERPOSING"
+ case 0x0e:
+ return "S_16BYTE_LITERALS"
+ case 0x0f:
+ return "S_DTRACE_DOF"
+ case 0x10:
+ return "S_LAZY_DYLIB_SYMBOL_POINTERS"
+ case 0x11:
+ return "S_THREAD_LOCAL_REGULAR"
+ case 0x12:
+ return "S_THREAD_LOCAL_ZEROFILL"
+ case 0x13:
+ return "S_THREAD_LOCAL_VARIABLES"
+ case 0x14:
+ return "S_THREAD_LOCAL_VARIABLE_POINTERS"
+ case 0x15:
+ return "S_THREAD_LOCAL_INIT_FUNCTION_POINTERS"
+ default:
+ return "UNKNOWN"
+ }
+}
+
+func sectionFlags(flags uint32) []string {
+ flagNames := []string{}
+ if (flags & 0x80000000) > 0 {
+ flagNames = append(flagNames, "S_ATTR_PURE_INSTRUCTIONS")
+ }
+ if (flags & 0x40000000) > 0 {
+ flagNames = append(flagNames, "S_ATTR_NO_TOC")
+ }
+ if (flags & 0x20000000) > 0 {
+ flagNames = append(flagNames, "S_ATTR_STRIP_STATIC_SYMS")
+ }
+ if (flags & 0x10000000) > 0 {
+ flagNames = append(flagNames, "S_ATTR_NO_DEAD_STRIP")
+ }
+ if (flags & 0x08000000) > 0 {
+ flagNames = append(flagNames, "S_ATTR_LIVE_SUPPORT")
+ }
+ if (flags & 0x04000000) > 0 {
+ flagNames = append(flagNames, "S_ATTR_SELF_MODIFYING_CODE")
+ }
+ if (flags & 0x02000000) > 0 {
+ flagNames = append(flagNames, "S_ATTR_DEBUG")
+ }
+ if (flags & 0x00000400) > 0 {
+ flagNames = append(flagNames, "S_ATTR_SOME_INSTRUCTIONS")
+ }
+ if (flags & 0x00000200) > 0 {
+ flagNames = append(flagNames, "S_ATTR_EXT_RELOC")
+ }
+ if (flags & 0x00000100) > 0 {
+ flagNames = append(flagNames, "S_ATTR_LOC_RELOC")
+ }
+ return flagNames
+}
From ac07ec9090d5363f6d34eed97ffbc9864f72e721 Mon Sep 17 00:00:00 2001
From: Andrew Stucki Date: Tue, 23 Feb 2021 11:54:15 -0500 Subject: [PATCH 10/30] snakecase lnk --- .../lnk/local.directory.seven.lnk.fingerprint | 46 ++++---- .../lnk/local.directory.xp.lnk.fingerprint | 38 +++---- .../lnk/local.file.darwin.lnk.fingerprint | 26 ++--- .../lnk/local.file.env.lnk.fingerprint | 88 +++++++-------- .../lnk/local.file.exec.lnk.fingerprint | 96 ++++++++-------- .../lnk/local.file.icoset.lnk.fingerprint | 52 ++++----- .../lnk/local.file.seven.lnk.fingerprint | 52 ++++----- .../lnk/local.file.xp.lnk.fingerprint | 42 +++---- .../fixtures/lnk/local_cmd.lnk.fingerprint | 50 ++++----- .../lnk/local_unicode.lnk.fingerprint | 40 +++---- .../fixtures/lnk/local_win31j.lnk.fingerprint | 44 ++++---- .../fixtures/lnk/microsoft.lnk.fingerprint | 36 +++--- .../lnk/native.2008srv.01.lnk.fingerprint | 40 +++---- .../lnk/native.2008srv.02.lnk.fingerprint | 12 +- .../lnk/native.2008srv.03.lnk.fingerprint | 12 +- .../lnk/native.2008srv.04.lnk.fingerprint | 30 ++--- .../lnk/native.2008srv.05.lnk.fingerprint | 40 +++---- .../lnk/native.2008srv.06.lnk.fingerprint | 44 ++++---- .../lnk/native.2008srv.07.lnk.fingerprint | 12 +- .../lnk/native.2008srv.08.lnk.fingerprint | 40 +++---- .../lnk/native.2008srv.09.lnk.fingerprint | 38 +++---- .../lnk/native.2008srv.10.lnk.fingerprint | 28 ++--- .../lnk/native.2008srv.11.lnk.fingerprint | 38 +++---- .../lnk/native.2008srv.12.lnk.fingerprint | 40 +++---- .../lnk/native.2008srv.13.lnk.fingerprint | 38 +++---- .../lnk/native.2008srv.14.lnk.fingerprint | 28 ++--- .../lnk/native.2008srv.15.lnk.fingerprint | 26 ++--- .../lnk/native.2008srv.16.lnk.fingerprint | 12 +- .../lnk/native.2008srv.17.lnk.fingerprint | 28 ++--- .../lnk/native.2008srv.18.lnk.fingerprint | 12 +- .../lnk/native.2008srv.19.lnk.fingerprint | 12 +- .../lnk/native.2008srv.20.lnk.fingerprint | 36 +++--- .../lnk/native.seven.01.lnk.fingerprint | 46 ++++---- .../lnk/native.seven.02.lnk.fingerprint | 28 ++--- .../lnk/native.seven.03.lnk.fingerprint | 12 +- 
.../lnk/native.seven.04.lnk.fingerprint | 46 ++++---- .../lnk/native.seven.05.lnk.fingerprint | 16 +-- .../lnk/native.seven.06.lnk.fingerprint | 14 +-- .../lnk/native.seven.07.lnk.fingerprint | 28 ++--- .../lnk/native.seven.08.lnk.fingerprint | 28 ++--- .../lnk/native.seven.09.lnk.fingerprint | 46 ++++---- .../lnk/native.seven.10.lnk.fingerprint | 26 ++--- .../lnk/native.seven.11.lnk.fingerprint | 14 +-- .../lnk/native.seven.12.lnk.fingerprint | 28 ++--- .../lnk/native.seven.13.lnk.fingerprint | 34 +++--- .../lnk/native.seven.14.lnk.fingerprint | 28 ++--- .../lnk/native.seven.15.lnk.fingerprint | 28 ++--- .../lnk/native.seven.16.lnk.fingerprint | 16 +-- .../lnk/native.seven.17.lnk.fingerprint | 26 ++--- .../lnk/native.seven.18.lnk.fingerprint | 28 ++--- .../lnk/native.seven.19.lnk.fingerprint | 26 ++--- .../lnk/native.seven.20.lnk.fingerprint | 26 ++--- .../fixtures/lnk/native.xp.01.lnk.fingerprint | 42 +++---- .../fixtures/lnk/native.xp.02.lnk.fingerprint | 16 +-- .../fixtures/lnk/native.xp.03.lnk.fingerprint | 38 +++---- .../fixtures/lnk/native.xp.04.lnk.fingerprint | 44 ++++---- .../fixtures/lnk/native.xp.05.lnk.fingerprint | 38 +++---- .../fixtures/lnk/native.xp.06.lnk.fingerprint | 44 ++++---- .../fixtures/lnk/native.xp.07.lnk.fingerprint | 38 +++---- .../fixtures/lnk/native.xp.08.lnk.fingerprint | 40 +++---- .../fixtures/lnk/native.xp.09.lnk.fingerprint | 44 ++++---- .../fixtures/lnk/native.xp.10.lnk.fingerprint | 40 +++---- .../fixtures/lnk/native.xp.11.lnk.fingerprint | 44 ++++---- .../fixtures/lnk/native.xp.12.lnk.fingerprint | 38 +++---- .../fixtures/lnk/native.xp.13.lnk.fingerprint | 38 +++---- .../fixtures/lnk/native.xp.14.lnk.fingerprint | 38 +++---- .../fixtures/lnk/native.xp.15.lnk.fingerprint | 32 +++--- .../fixtures/lnk/native.xp.16.lnk.fingerprint | 32 +++--- .../fixtures/lnk/native.xp.17.lnk.fingerprint | 44 ++++---- .../fixtures/lnk/native.xp.18.lnk.fingerprint | 14 +-- .../fixtures/lnk/native.xp.19.lnk.fingerprint | 14 +-- 
.../fixtures/lnk/native.xp.20.lnk.fingerprint | 44 ++++---- .../fixtures/lnk/net_unicode.lnk.fingerprint | 36 +++--- .../fixtures/lnk/net_unicode2.lnk.fingerprint | 38 +++---- .../fixtures/lnk/net_win31j.lnk.fingerprint | 38 +++---- .../lnk/remote.directory.xp.lnk.fingerprint | 36 +++--- .../lnk/remote.file.aidlist.lnk.fingerprint | 38 +++---- .../lnk/remote.file.xp.lnk.fingerprint | 44 ++++---- libbeat/formats/lnk/lnk.go | 106 +++++++++--------- 79 files changed, 1389 insertions(+), 1389 deletions(-) diff --git a/libbeat/formats/fixtures/lnk/local.directory.seven.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.directory.seven.lnk.fingerprint index bcbf92fd47be..8bb8002d36fb 100644 --- a/libbeat/formats/fixtures/lnk/local.directory.seven.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local.directory.seven.lnk.fingerprint 
@@ -1,43 +1,43 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "EnableTargetMetadata", "HasLinkInfo", "HasRelativePath", "HasTargetIDList", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_DIRECTORY", "FILE_ATTRIBUTE_NOT_CONTENT_INDEXED" ], - "creationTime": "2009-07-14T04:53:59Z", - "accessedTime": "2010-05-16T19:36:08Z", - "modifiedTime": "2010-05-16T19:36:08Z", - "fileSize": 8192, - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "creation_time": "2009-07-14T04:53:59Z", + "accessed_time": "2010-05-16T19:36:08Z", + "modified_time": "2010-05-16T19:36:08Z", + "file_size": 8192, + "icon_index": 0, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 80, + "type_id": 80, "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" }, { "size": 25, - "typeId": 67, + "type_id": 67, "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" }, { "size": 116, - "typeId": 0, + "type_id": 0, "sha256": "694bda772b560aa1e8db78d9d436be2c5918f098b7104b5ffe1a5e619962398f" }, { "size": 96, - "typeId": 0, + "type_id": 0, "sha256": "d95bf8611fa96a435db45248eafc5ce43064d57d69d0e1a76975fd985f22fad2" } ], 
@@ -46,27 +46,27 @@ "CommonNetworkRelativeLinkAndPathSuffix", "VolumeIDAndLocalBasePath" ], - "commonPathSuffix": "Administrator", + "common_path_suffix": "Administrator", "volume": { - "driveType": "DRIVE_FIXED", - "driveSerialNumber": "0x502e1a8a", - "volumeLabel": "SSD-WIN7" + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0x502e1a8a", + "volume_label": "SSD-WIN7" }, - "localBasePath": "C:\\Users\\", - "networkShare": { + "local_base_path": "C:\\Users\\", + "network_share": { "flags": [ "ValidNetType" ], "name": "\\\\NETBOOK\\Users" } }, - "relativePath": "..\\..\\Administrator", + "relative_path": "..\\..\\Administrator", "extra": { - "knownFolder": { + "known_folder": { "id": "72d26207-0ac5-b04b-a382-697dcd729b80", "offset": 161 }, - "propertyStore": { + "property_store": { "properties": { "10": [ { @@ -96,12 +96,12 @@ }, "tracker": { "version": 0, - "machineId": "netbook", + "machine_id": "netbook", "droid": [ "da667c4f-20d3-c44c-8d50-165dd98ebc01", "ff026513-668c-df11-b6eb-001377d34a59" ], - "droidBirth": [ + "droid_birth": [ "da667c4f-20d3-c44c-8d50-165dd98ebc01", "ff026513-668c-df11-b6eb-001377d34a59" ] diff --git a/libbeat/formats/fixtures/lnk/local.directory.xp.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.directory.xp.lnk.fingerprint index d36142c4814c..de0fe66cafae 100644 --- a/libbeat/formats/fixtures/lnk/local.directory.xp.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local.directory.xp.lnk.fingerprint 
@@ -1,41 +1,41 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "HasLinkInfo", "HasRelativePath", "HasTargetIDList", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_DIRECTORY", "FILE_ATTRIBUTE_NOT_CONTENT_INDEXED" ], - "creationTime": "2004-08-19T12:05:25Z", - "accessedTime": "2010-07-09T07:36:45Z", - "modifiedTime": "2010-07-09T06:48:01Z", - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "creation_time": "2004-08-19T12:05:25Z", + "accessed_time": "2010-07-09T07:36:45Z", + "modified_time": "2010-07-09T06:48:01Z", + "icon_index": 0, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 80, + "type_id": 80, "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" }, { "size": 25, - "typeId": 67, + "type_id": 67, "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" }, { "size": 60, - "typeId": 0, + "type_id": 0, "sha256": "f41f1eedb6784f72604ff611740d040d42de1e01b21b2233a36d6f4723c5630b" }, { "size": 64, - "typeId": 0, + "type_id": 0, "sha256": "04ee9bc0826d6a59abdf9fdbb3d55dacf9a1347f526cd02c7cd9c1c79485b928" } ], @@ -44,26 +44,26 @@ "VolumeIDAndLocalBasePath" ], "volume": { - "driveType": "DRIVE_FIXED", - "driveSerialNumber": "0x10bdbcd3", - "volumeLabel": "SYSTEM" + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0x10bdbcd3", + "volume_label": "SYSTEM" }, - "localBasePath": "C:\\WINDOWS\\system32" + "local_base_path": "C:\\WINDOWS\\system32" }, - "relativePath": ".\\system32", + "relative_path": ".\\system32", "extra": { - "specialFolder": { + "special_folder": { "id": 37, "offset": 169 }, "tracker": { "version": 0, - "machineId": "al-0145", + "machine_id": "al-0145", "droid": [ "6a3e8623-003d-2344-b4c5-05fe7266eb5e", "954f88fc-8b38-dd11-b743-001c234bc396" ], - "droidBirth": [ + "droid_birth": [ "6a3e8623-003d-2344-b4c5-05fe7266eb5e", "954f88fc-8b38-dd11-b743-001c234bc396" ] 
diff --git a/libbeat/formats/fixtures/lnk/local.file.darwin.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.file.darwin.lnk.fingerprint index a82ab2ca9d45..98f01aa1ef48 100644 --- a/libbeat/formats/fixtures/lnk/local.file.darwin.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local.file.darwin.lnk.fingerprint @@ -1,7 +1,7 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "HasDarwinID", "HasExpIcon", "HasIconLocation", 
@@ -9,50 +9,50 @@ "HasTargetIDList", "IsUnicode" ], - "fileFlags": [], - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "file_flags": [], + "icon_index": 0, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 80, + "type_id": 80, "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" }, { "size": 25, - "typeId": 67, + "type_id": 67, "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" }, { "size": 82, - "typeId": 0, + "type_id": 0, "sha256": "03b6ada4d4a6844cfedb49a1467a2ba3f29b9311a6012fa30a74d4e0221fccd8" }, { "size": 88, - "typeId": 0, + "type_id": 0, "sha256": "2968e67313cce5c74e34e9f34804e2433f69e79e67321bedf6be0c76ff64ec02" }, { "size": 176, - "typeId": 0, + "type_id": 0, "sha256": "20ad53865e56b2bd5c5f5bc5e4c691c67a4e96f56fc53e8c49f1bccb69cf1221" }, { "size": 100, - "typeId": 0, + "type_id": 0, "sha256": "6f299cb843c8a398e2b99038e2c23d1ef42c175a7271101f5dc5e34102485147" } ], - "relativePath": "..\\..\\..\\..\\..\\Windows\\Installer\\{AC76BA86-7AD7-1036-7B44-A93000000001}\\SC_Reader.ico", - "iconLocation": "C:\\Windows\\Installer\\{AC76BA86-7AD7-1036-7B44-A93000000001}\\SC_Reader.ico", + "relative_path": "..\\..\\..\\..\\..\\Windows\\Installer\\{AC76BA86-7AD7-1036-7B44-A93000000001}\\SC_Reader.ico", + "icon_location": "C:\\Windows\\Installer\\{AC76BA86-7AD7-1036-7B44-A93000000001}\\SC_Reader.ico", "extra": { "darwin": { "ansi": "34TL`lrv5(mOG_3$,CC!ReaderProgramFiles\u003ep=@0y{Wn0A8XHjl@4WqB", "unicode": "34TL`lrv5(mOG_3$,CC!ReaderProgramFiles\u003ep=@0y{Wn0A8XHjl@4WqB" }, - "iconEnvironment": { + "icon_environment": { "ansi": "%SystemRoot%\\Installer\\{AC76BA86-7AD7-1036-7B44-A93000000001}\\SC_Reader.ico", "unicode": "%SystemRoot%\\Installer\\{AC76BA86-7AD7-1036-7B44-A93000000001}\\SC_Reader.ico" } diff --git a/libbeat/formats/fixtures/lnk/local.file.env.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.file.env.lnk.fingerprint index 51d1b0a0b499..49a8e4c0c21b 100644 
--- a/libbeat/formats/fixtures/lnk/local.file.env.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local.file.env.lnk.fingerprint @@ -1,7 +1,7 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "HasExpString", "HasIconLocation", "HasLinkInfo", @@ -10,50 +10,50 @@ "HasWorkingDir", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_NORMAL" ], - "creationTime": "2006-10-10T19:35:39Z", - "accessedTime": "2006-10-10T19:36:20Z", - "modifiedTime": "2006-09-08T10:03:59Z", - "fileSize": 330240, - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "creation_time": "2006-10-10T19:35:39Z", + "accessed_time": "2006-10-10T19:36:20Z", + "modified_time": "2006-09-08T10:03:59Z", + "file_size": 330240, + "icon_index": 0, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 80, + "type_id": 80, "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" }, { "size": 25, - "typeId": 67, + "type_id": 67, "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" }, { "size": 60, - "typeId": 0, + "type_id": 0, "sha256": "75fb49371e5d0116588d805e3ce5999a2f4e488956bfbe90289351d7c068ffda" }, { "size": 64, - "typeId": 0, + "type_id": 0, "sha256": "59bcd4a36c78fc7ed3fe33324ee1b40be1b00125605251bd24efe88ca61e44d3" }, { "size": 82, - "typeId": 0, + "type_id": 0, "sha256": "3782d4d70fbe9ad335bb343246b7abc78dd1ffe379a7518b3c9867aa1005134b" }, { "size": 52, - "typeId": 0, + "type_id": 0, "sha256": "751b73134b478a47a70374696bb7756dc71bb59afff5fb049e52c771054dd99f" }, { "size": 80, - "typeId": 0, + "type_id": 0, "sha256": "b03c004cd552c864747c87138aef2d57d6c8d22e9e7cb22f3ad537a7f75786a5" } ], 
@@ -62,23 +62,23 @@ "VolumeIDAndLocalBasePath" ], "volume": { - "driveType": "DRIVE_FIXED", - "driveSerialNumber": "0x4c8360ef" + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0x4c8360ef" }, - "localBasePath": "C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe" + "local_base_path": "C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe" }, - "relativePath": "..\\..\\..\\..\\..\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", - "workingDirectory": "%HOMEDRIVE%%HOMEPATH%", - "iconLocation": "%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", + "relative_path": "..\\..\\..\\..\\..\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", + "working_directory": "%HOMEDRIVE%%HOMEPATH%", + "icon_location": "%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", "extra": { "console": { - "fillAttributes": [ + "fill_attributes": [ "BACKGROUND_BLUE", "BACKGROUND_RED", "FOREGROUND_GREEN", "FOREGROUND_RED" ], - "popupFillAttributes": [ + "popup_fill_attributes": [ "BACKGROUND_BLUE", "BACKGROUND_GREEN", "BACKGROUND_INTENSITY", 
@@ -86,24 +86,24 @@ "FOREGROUND_BLUE", "FOREGROUND_GREEN" ], - "screenBufferSizeX": 120, - "screenBufferSizeY": 3000, - "windowSizeX": 120, - "windowSizeY": 50, - "windowOriginX": 0, - "windowOriginY": 0, - "fontSize": 0, - "fontFamily": "FF_DONTCARE | TMPF_NONE", - "fontWeight": 0, - "cursorSize": 25, - "fullScreen": false, - "quickEdit": true, - "insertMode": true, - "autoPosition": false, - "historyBufferSize": 50, - "numberOfHistoryBuffers": 4, - "historyNoDup": false, - "colorTable": [ + "screen_buffer_size_x": 120, + "screen_buffer_size_y": 3000, + "window_size_x": 120, + "window_size_y": 50, + "window_origin_x": 0, + "window_origin_y": 0, + "font_size": 0, + "font_family": "FF_DONTCARE | TMPF_NONE", + "font_weight": 0, + "cursor_size": 25, + "full_screen": false, + "quick_edit": true, + "insert_mode": true, + "auto_position": false, + "history_buffer_size": 50, + "number_of_history_buffers": 4, + "history_no_dup": false, + "color_table": [ "0x000000", "0x800000", "0x008000", @@ -126,18 +126,18 @@ "ansi": "%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", "unicode": "%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe" }, - "specialFolder": { + "special_folder": { "id": 37, "offset": 169 }, "tracker": { "version": 0, - "machineId": "nana-home", + "machine_id": "nana-home", "droid": [ "50116c94-61d0-dd40-8497-a97bde7709e9", "cb388aa4-9458-db11-afb7-00123f2cd1e5" ], - "droidBirth": [ + "droid_birth": [ "50116c94-61d0-dd40-8497-a97bde7709e9", "cb388aa4-9458-db11-afb7-00123f2cd1e5" ] diff --git a/libbeat/formats/fixtures/lnk/local.file.exec.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.file.exec.lnk.fingerprint index 62a4a830f89d..32c18892e603 100644 --- a/libbeat/formats/fixtures/lnk/local.file.exec.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local.file.exec.lnk.fingerprint 
@@ -1,7 +1,7 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "HasArguments", "HasIconLocation", "HasLinkInfo", @@ -11,61 +11,61 @@ "HasWorkingDir", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_ARCHIVE" ], - "creationTime": "2010-07-12T09:45:31Z", - "accessedTime": "2010-07-12T09:59:58Z", - "modifiedTime": "2010-07-12T09:55:36Z", - "fileSize": 5120, - "iconIndex": 27, - "windowStyle": "SW_NORMAL", + "creation_time": "2010-07-12T09:45:31Z", + "accessed_time": "2010-07-12T09:59:58Z", + "modified_time": "2010-07-12T09:55:36Z", + "file_size": 5120, + "icon_index": 27, + "window_style": "SW_NORMAL", "hotKey": "HOTKEYF_ALT+G" }, "targets": [ { "size": 20, - "typeId": 80, + "type_id": 80, "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" }, { "size": 25, - "typeId": 68, + "type_id": 68, "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" }, { "size": 64, - "typeId": 0, + "type_id": 0, "sha256": "af2aa63827c0a19bb40eb90e1e36d29dfebcc9615f550aedec805d0f46ec2e6d" }, { "size": 58, - "typeId": 0, + "type_id": 0, "sha256": "60d3eafdaecb7dcf21f68c1af22052f9519419ae77ea2b4b91d187519a07047b" }, { "size": 64, - "typeId": 0, + "type_id": 0, "sha256": "7e199b495493900dcabae0891a57762af90e08623979852291b6d6a14b143ce4" }, { "size": 72, - "typeId": 0, + "type_id": 0, "sha256": "09e05071911f51a15ffd453abf4f1825b20909ee3aa3898aaad086d28d356791" }, { "size": 48, - "typeId": 0, + "type_id": 0, "sha256": "4b4782ce717aaf5477a3c9330f00b8c3f4a797db5c991f29e7fd40e8cb6b692a" }, { "size": 54, - "typeId": 0, + "type_id": 0, "sha256": "648e071b1e752a5588ec8953007fdd3a1ca6a003c7f34bda208a3547ce0355da" }, { "size": 84, - "typeId": 0, + "type_id": 0, "sha256": "c787c3eabf63fe8f045a8e711bc92185318d9d15a37be8e8cc6442170320ce16" } ], 
@@ -74,27 +74,27 @@ "VolumeIDAndLocalBasePath" ], "volume": { - "driveType": "DRIVE_FIXED", - "driveSerialNumber": "0xd0d576f3", - "volumeLabel": "DATA" + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0xd0d576f3", + "volume_label": "DATA" }, - "localBasePath": "D:\\Devl.Net\\@Perso\\Shellify\\ShellifyTool\\bin\\Debug\\ShellifyTool.exe" + "local_base_path": "D:\\Devl.Net\\@Perso\\Shellify\\ShellifyTool\\bin\\Debug\\ShellifyTool.exe" }, "name": "ExecTesting", - "relativePath": "..\\..\\ShellifyTool\\bin\\Debug\\ShellifyTool.exe", - "workingDirectory": "D:\\Devl.Net\\@Perso\\Shellify\\ShellifyTool\\bin\\Debug", - "commandLine": "argument1 argument2 argument3", - "iconLocation": "%SystemRoot%\\system32\\SHELL32.dll", + "relative_path": "..\\..\\ShellifyTool\\bin\\Debug\\ShellifyTool.exe", + "working_directory": "D:\\Devl.Net\\@Perso\\Shellify\\ShellifyTool\\bin\\Debug", + "command_line": "argument1 argument2 argument3", + "icon_location": "%SystemRoot%\\system32\\SHELL32.dll", "extra": { "console": { - "fillAttributes": [ + "fill_attributes": [ "BACKGROUND_BLUE", "BACKGROUND_GREEN", "FOREGROUND_BLUE", "FOREGROUND_GREEN", "FOREGROUND_RED" ], - "popupFillAttributes": [ + "popup_fill_attributes": [ "BACKGROUND_BLUE", "BACKGROUND_GREEN", "BACKGROUND_INTENSITY", 
@@ -102,25 +102,25 @@ "FOREGROUND_BLUE", "FOREGROUND_RED" ], - "screenBufferSizeX": 80, - "screenBufferSizeY": 300, - "windowSizeX": 79, - "windowSizeY": 24, - "windowOriginX": 0, - "windowOriginY": 0, - "fontSize": 1048576, - "fontFamily": "FF_MODERN | TMPF_DEVICE | TMPF_TRUETYPE | TMPF_VECTOR", - "fontWeight": 400, - "faceName": "Lucida Console", - "cursorSize": 100, - "fullScreen": true, - "quickEdit": false, - "insertMode": true, - "autoPosition": true, - "historyBufferSize": 50, - "numberOfHistoryBuffers": 4, - "historyNoDup": false, - "colorTable": [ + "screen_buffer_size_x": 80, + "screen_buffer_size_y": 300, + "window_size_x": 79, + "window_size_y": 24, + "window_origin_x": 0, + "window_origin_y": 0, + "font_size": 1048576, + "font_family": "FF_MODERN | TMPF_DEVICE | TMPF_TRUETYPE | TMPF_VECTOR", + "font_weight": 400, + "face_name": "Lucida Console", + "cursor_size": 100, + "full_screen": true, + "quick_edit": false, + "insert_mode": true, + "auto_position": true, + "history_buffer_size": 50, + "number_of_history_buffers": 4, + "history_no_dup": false, + "color_table": [ "0x000000", "0x800000", "0x008000", @@ -141,12 +141,12 @@ }, "tracker": { "version": 0, - "machineId": "al-0145", + "machine_id": "al-0145", "droid": [ "06f31514-5a0c-904f-8d72-20c497b6ddb0", "dedee424-bb8c-df11-ba00-001c234bc396" ], - "droidBirth": [ + "droid_birth": [ "06f31514-5a0c-904f-8d72-20c497b6ddb0", "dedee424-bb8c-df11-ba00-001c234bc396" ] diff --git a/libbeat/formats/fixtures/lnk/local.file.icoset.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.file.icoset.lnk.fingerprint index b87571b9764b..4aea7f6f3c22 100644 --- a/libbeat/formats/fixtures/lnk/local.file.icoset.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local.file.icoset.lnk.fingerprint @@ -1,7 +1,7 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "HasIconLocation", "HasLinkInfo", "HasRelativePath", 
@@ -9,60 +9,60 @@ "HasWorkingDir", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_ARCHIVE" ], - "creationTime": "2010-07-12T09:41:21Z", - "accessedTime": "2010-07-12T09:57:19Z", - "modifiedTime": "2010-07-12T09:55:35Z", - "fileSize": 40448, - "iconIndex": 130, - "windowStyle": "SW_NORMAL" + "creation_time": "2010-07-12T09:41:21Z", + "accessed_time": "2010-07-12T09:57:19Z", + "modified_time": "2010-07-12T09:55:35Z", + "file_size": 40448, + "icon_index": 130, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 80, + "type_id": 80, "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" }, { "size": 25, - "typeId": 68, + "type_id": 68, "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" }, { "size": 64, - "typeId": 0, + "type_id": 0, "sha256": "af2aa63827c0a19bb40eb90e1e36d29dfebcc9615f550aedec805d0f46ec2e6d" }, { "size": 58, - "typeId": 0, + "type_id": 0, "sha256": "60d3eafdaecb7dcf21f68c1af22052f9519419ae77ea2b4b91d187519a07047b" }, { "size": 64, - "typeId": 0, + "type_id": 0, "sha256": "7e199b495493900dcabae0891a57762af90e08623979852291b6d6a14b143ce4" }, { "size": 70, - "typeId": 0, + "type_id": 0, "sha256": "3208af1501b709fe6178cbd2ead925445a94314cf9edbfcd5f1b27804322d217" }, { "size": 48, - "typeId": 0, + "type_id": 0, "sha256": "348793e6ab253b2dbc6cf4647f1caf2a4eef634a7ebb9fb15e0ee7fbd34f51ae" }, { "size": 54, - "typeId": 0, + "type_id": 0, "sha256": "f6631a645f4f33b43f0fe4111d7de6b4baa828bf9f88981262dc9636858e3d2f" }, { "size": 82, - "typeId": 0, + "type_id": 0, "sha256": "45b3d624bb750836cfb3c636eb3b3009043d88aea6fc57579ee709d2c91b79aa" } ], 
@@ -71,24 +71,24 @@ "VolumeIDAndLocalBasePath" ], "volume": { - "driveType": "DRIVE_FIXED", - "driveSerialNumber": "0xd0d576f3", - "volumeLabel": "DATA" + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0xd0d576f3", + "volume_label": "DATA" }, - "localBasePath": "D:\\Devl.Net\\@Perso\\Shellify\\ShellifyLib\\bin\\Debug\\ShellifyLib.dll" + "local_base_path": "D:\\Devl.Net\\@Perso\\Shellify\\ShellifyLib\\bin\\Debug\\ShellifyLib.dll" }, - "relativePath": "..\\..\\ShellifyLib\\bin\\Debug\\ShellifyLib.dll", - "workingDirectory": "D:\\Devl.Net\\@Perso\\Shellify\\ShellifyLib\\bin\\Debug", - "iconLocation": "%SystemRoot%\\system32\\SHELL32.dll", + "relative_path": "..\\..\\ShellifyLib\\bin\\Debug\\ShellifyLib.dll", + "working_directory": "D:\\Devl.Net\\@Perso\\Shellify\\ShellifyLib\\bin\\Debug", + "icon_location": "%SystemRoot%\\system32\\SHELL32.dll", "extra": { "tracker": { "version": 0, - "machineId": "al-0145", + "machine_id": "al-0145", "droid": [ "06f31514-5a0c-904f-8d72-20c497b6ddb0", "dddee424-bb8c-df11-ba00-001c234bc396" ], - "droidBirth": [ + "droid_birth": [ "06f31514-5a0c-904f-8d72-20c497b6ddb0", "dddee424-bb8c-df11-ba00-001c234bc396" ] diff --git a/libbeat/formats/fixtures/lnk/local.file.seven.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.file.seven.lnk.fingerprint index 2f64f9f77f90..5d4bf1bd1bc4 100644 --- a/libbeat/formats/fixtures/lnk/local.file.seven.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local.file.seven.lnk.fingerprint @@ -1,7 +1,7 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "EnableTargetMetadata", "HasLinkInfo", "HasRelativePath", 
@@ -9,46 +9,46 @@ "HasWorkingDir", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_ARCHIVE", "FILE_ATTRIBUTE_NOT_CONTENT_INDEXED" ], - "creationTime": "2010-06-06T18:06:55Z", - "accessedTime": "2010-06-06T18:06:55Z", - "modifiedTime": "2010-06-06T18:08:09Z", - "fileSize": 2034, - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "creation_time": "2010-06-06T18:06:55Z", + "accessed_time": "2010-06-06T18:06:55Z", + "modified_time": "2010-06-06T18:08:09Z", + "file_size": 2034, + "icon_index": 0, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 80, + "type_id": 80, "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" }, { "size": 25, - "typeId": 67, + "type_id": 67, "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" }, { "size": 116, - "typeId": 0, + "type_id": 0, "sha256": "694bda772b560aa1e8db78d9d436be2c5918f098b7104b5ffe1a5e619962398f" }, { "size": 74, - "typeId": 0, + "type_id": 0, "sha256": "6f130cb5a33a554a10e16efc399472fa6ee40de4330712ba3d437cc07dab4b57" }, { "size": 122, - "typeId": 0, + "type_id": 0, "sha256": "5f5ae18c3c0ff67b459a0e8d532587a6e09ef7f69c3f74ae80344ea49d29dbd1" }, { "size": 98, - "typeId": 0, + "type_id": 0, "sha256": "b4f1ac18eb87007ff1c35192f8b4185035735485bca35359444ecf2685f98363" } ], 
@@ -57,28 +57,28 @@ "CommonNetworkRelativeLinkAndPathSuffix", "VolumeIDAndLocalBasePath" ], - "commonPathSuffix": "root\\Desktop\\Fatality.rdp", + "common_path_suffix": "root\\Desktop\\Fatality.rdp", "volume": { - "driveType": "DRIVE_FIXED", - "driveSerialNumber": "0x502e1a8a", - "volumeLabel": "SSD-WIN7" + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0x502e1a8a", + "volume_label": "SSD-WIN7" }, - "localBasePath": "C:\\Users\\", - "networkShare": { + "local_base_path": "C:\\Users\\", + "network_share": { "flags": [ "ValidNetType" ], "name": "\\\\NETBOOK\\Users" } }, - "relativePath": ".\\Fatality.rdp", - "workingDirectory": "C:\\Users\\root\\Desktop", + "relative_path": ".\\Fatality.rdp", + "working_directory": "C:\\Users\\root\\Desktop", "extra": { - "knownFolder": { + "known_folder": { "id": "3accbfb4-2cdb-4c42-b029-7fe99a87c641", "offset": 357 }, - "propertyStore": { + "property_store": { "properties": { "4": [ { @@ -90,12 +90,12 @@ }, "tracker": { "version": 0, - "machineId": "netbook", + "machine_id": "netbook", "droid": [ "da667c4f-20d3-c44c-8d50-165dd98ebc01", "00036513-668c-df11-b6eb-001377d34a59" ], - "droidBirth": [ + "droid_birth": [ "da667c4f-20d3-c44c-8d50-165dd98ebc01", "00036513-668c-df11-b6eb-001377d34a59" ] diff --git a/libbeat/formats/fixtures/lnk/local.file.xp.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.file.xp.lnk.fingerprint index a8a1a0534d58..057fb639c889 100644 --- a/libbeat/formats/fixtures/lnk/local.file.xp.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local.file.xp.lnk.fingerprint 
@@ -1,42 +1,42 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "HasLinkInfo", "HasRelativePath", "HasTargetIDList", "HasWorkingDir", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_ARCHIVE" ], - "creationTime": "2004-08-19T12:16:19Z", - "accessedTime": "2010-07-09T07:37:36Z", - "modifiedTime": "2004-08-05T11:00:00Z", - "fileSize": 2, - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "creation_time": "2004-08-19T12:16:19Z", + "accessed_time": "2010-07-09T07:37:36Z", + "modified_time": "2004-08-05T11:00:00Z", + "file_size": 2, + "icon_index": 0, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 80, + "type_id": 80, "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" }, { "size": 25, - "typeId": 67, + "type_id": 67, "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" }, { "size": 60, - "typeId": 0, + "type_id": 0, "sha256": "f41f1eedb6784f72604ff611740d040d42de1e01b21b2233a36d6f4723c5630b" }, { "size": 72, - "typeId": 0, + "type_id": 0, "sha256": "625f645fd0d89a18f36657647acdbc6ff594867dc5b42ae436360e97430a80ec" } ], 
@@ -45,27 +45,27 @@ "VolumeIDAndLocalBasePath" ], "volume": { - "driveType": "DRIVE_FIXED", - "driveSerialNumber": "0x10bdbcd3", - "volumeLabel": "SYSTEM" + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0x10bdbcd3", + "volume_label": "SYSTEM" }, - "localBasePath": "C:\\WINDOWS\\desktop.ini" + "local_base_path": "C:\\WINDOWS\\desktop.ini" }, - "relativePath": ".\\desktop.ini", - "workingDirectory": "C:\\WINDOWS", + "relative_path": ".\\desktop.ini", + "working_directory": "C:\\WINDOWS", "extra": { - "specialFolder": { + "special_folder": { "id": 36, "offset": 105 }, "tracker": { "version": 0, - "machineId": "al-0145", + "machine_id": "al-0145", "droid": [ "6a3e8623-003d-2344-b4c5-05fe7266eb5e", "6beb7273-c98a-df11-b9fe-001c234bc396" ], - "droidBirth": [ + "droid_birth": [ "6a3e8623-003d-2344-b4c5-05fe7266eb5e", "6beb7273-c98a-df11-b9fe-001c234bc396" ] diff --git a/libbeat/formats/fixtures/lnk/local_cmd.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local_cmd.lnk.fingerprint index 3b3dc74ead4b..29dc075a5ee0 100644 --- a/libbeat/formats/fixtures/lnk/local_cmd.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local_cmd.lnk.fingerprint @@ -1,7 +1,7 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "EnableTargetMetadata", "HasArguments", "HasLinkInfo", 
@@ -11,41 +11,41 @@ "HasWorkingDir", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_ARCHIVE", "FILE_ATTRIBUTE_NOT_CONTENT_INDEXED" ], - "creationTime": "2019-07-01T14:00:40Z", - "accessedTime": "2019-07-01T14:00:40Z", - "modifiedTime": "2014-10-29T01:28:18Z", - "fileSize": 357376, - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "creation_time": "2019-07-01T14:00:40Z", + "accessed_time": "2019-07-01T14:00:40Z", + "modified_time": "2014-10-29T01:28:18Z", + "file_size": 357376, + "icon_index": 0, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 80, + "type_id": 80, "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" }, { "size": 25, - "typeId": 67, + "type_id": 67, "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" }, { "size": 86, - "typeId": 0, + "type_id": 0, "sha256": "4c4d0c2148e23276d0f4f742bbba4a8e3e1b318795a2d7d4b5cd80791781b93a" }, { "size": 90, - "typeId": 0, + "type_id": 0, "sha256": "99b17e4be73b9f9a34d149f6dfead6f71abde0b38183c5c0062fd1b5fe5ccf94" }, { "size": 114, - "typeId": 0, + "type_id": 0, "sha256": "1b51868f7cf57860ce02d0f22729b8ab9e232b0e566256cf349b897bf83aa718" } ], 
@@ -54,22 +54,22 @@ "VolumeIDAndLocalBasePath" ], "volume": { - "driveType": "DRIVE_FIXED", - "driveSerialNumber": "0xce9c0987", - "volumeLabel": "System" + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0xce9c0987", + "volume_label": "System" }, - "localBasePath": "C:\\Windows\\System32\\cmd with space.exe" + "local_base_path": "C:\\Windows\\System32\\cmd with space.exe" }, "name": "This is a comment.", - "relativePath": "..\\Windows\\System32\\cmd with space.exe", - "workingDirectory": "C:\\Windows\\System32", - "commandLine": "arg1 \"arg 2\"", + "relative_path": "..\\Windows\\System32\\cmd with space.exe", + "working_directory": "C:\\Windows\\System32", + "command_line": "arg1 \"arg 2\"", "extra": { - "knownFolder": { + "known_folder": { "id": "774ec11a-e702-5d4e-b744-2eb1ae5198b7", "offset": 221 }, - "propertyStore": { + "property_store": { "properties": { "10": [ { @@ -97,18 +97,18 @@ ] } }, - "specialFolder": { + "special_folder": { "id": 37, "offset": 221 }, "tracker": { "version": 0, - "machineId": "test012345", + "machine_id": "test012345", "droid": [ "04c26c4d-cace-1647-8fa4-b334de43dd91", "5501e33d-7e9a-e911-8328-bcee7b5dda94" ], - "droidBirth": [ + "droid_birth": [ "04c26c4d-cace-1647-8fa4-b334de43dd91", "5501e33d-7e9a-e911-8328-bcee7b5dda94" ] diff --git a/libbeat/formats/fixtures/lnk/local_unicode.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local_unicode.lnk.fingerprint index fbdb1ecede68..692c2e7204ec 100644 --- a/libbeat/formats/fixtures/lnk/local_unicode.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local_unicode.lnk.fingerprint @@ -1,7 +1,7 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "EnableTargetMetadata", "HasLinkInfo", "HasRelativePath", 
@@ -9,35 +9,35 @@ "HasWorkingDir", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_ARCHIVE", "FILE_ATTRIBUTE_NOT_CONTENT_INDEXED" ], - "creationTime": "2019-07-08T14:05:42Z", - "accessedTime": "2019-07-08T14:05:42Z", - "modifiedTime": "2019-07-08T14:05:42Z", - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "creation_time": "2019-07-08T14:05:42Z", + "accessed_time": "2019-07-08T14:05:42Z", + "modified_time": "2019-07-08T14:05:42Z", + "icon_index": 0, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 80, + "type_id": 80, "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" }, { "size": 25, - "typeId": 67, + "type_id": 67, "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" }, { "size": 78, - "typeId": 0, + "type_id": 0, "sha256": "a154c245be75662c7e902023315c2e1213a17a623645d87096cf888760b290d0" }, { "size": 88, - "typeId": 0, + "type_id": 0, "sha256": "f87251a348e83e143d759541bd3cd4dce270b6cfaefee702c54aa29b0b2dd5ad" } ], @@ -46,16 +46,16 @@ "VolumeIDAndLocalBasePath" ], "volume": { - "driveType": "DRIVE_FIXED", - "driveSerialNumber": "0xce9c0987", - "volumeLabel": "System" + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0xce9c0987", + "volume_label": "System" }, - "localBasePath": "C:\\Temp\\??.txt" + "local_base_path": "C:\\Temp\\??.txt" }, - "relativePath": ".\\💎.txt", - "workingDirectory": "C:\\Temp", + "relative_path": ".\\💎.txt", + "working_directory": "C:\\Temp", "extra": { - "propertyStore": { + "property_store": { "properties": { "10": [ { @@ -79,12 +79,12 @@ }, "tracker": { "version": 0, - "machineId": "test012345", + "machine_id": "test012345", "droid": [ "04c26c4d-cace-1647-8fa4-b334de43dd91", "85b4edc2-68a1-e911-8328-bcee7b5dda94" ], - "droidBirth": [ + "droid_birth": [ "04c26c4d-cace-1647-8fa4-b334de43dd91", "85b4edc2-68a1-e911-8328-bcee7b5dda94" ] 
diff --git a/libbeat/formats/fixtures/lnk/local_win31j.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local_win31j.lnk.fingerprint index 23c646a0c093..ab765b249d02 100644 --- a/libbeat/formats/fixtures/lnk/local_win31j.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local_win31j.lnk.fingerprint @@ -1,7 +1,7 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "EnableTargetMetadata", "HasIconLocation", "HasLinkInfo", @@ -11,36 +11,36 @@ "HasWorkingDir", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_ARCHIVE", "FILE_ATTRIBUTE_NOT_CONTENT_INDEXED" ], - "creationTime": "2019-06-30T13:51:53Z", - "accessedTime": "2019-06-30T13:51:53Z", - "modifiedTime": "2019-06-30T13:52:01Z", - "fileSize": 10, - "iconIndex": 70, - "windowStyle": "SW_NORMAL" + "creation_time": "2019-06-30T13:51:53Z", + "accessed_time": "2019-06-30T13:51:53Z", + "modified_time": "2019-06-30T13:52:01Z", + "file_size": 10, + "icon_index": 70, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 80, + "type_id": 80, "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" }, { "size": 25, - "typeId": 67, + "type_id": 67, "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" }, { "size": 78, - "typeId": 0, + "type_id": 0, "sha256": "931c046b62479296dfc72fc30b862c0eec0e3c215619366629a6710408584fb3" }, { "size": 98, - "typeId": 0, + "type_id": 0, "sha256": "f52818a36aca20ddbad0a86a50838e2d629046074b02fd8369a25cb009c6087a" } ], 
@@ -49,18 +49,18 @@ "VolumeIDAndLocalBasePath" ], "volume": { - "driveType": "DRIVE_FIXED", - "driveSerialNumber": "0xce9c0987", - "volumeLabel": "System" + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0xce9c0987", + "volume_label": "System" }, - "localBasePath": "C:\\Temp\\\ufffd\ufffd\ufffd\ufffd\ufffdN\ufffd\ufffd.txt" + "local_base_path": "C:\\Temp\\\ufffd\ufffd\ufffd\ufffd\ufffdN\ufffd\ufffd.txt" }, "name": "コメント", - "relativePath": ".\\リンク先.txt", - "workingDirectory": "C:\\Temp", - "iconLocation": "%SystemRoot%\\system32\\SHELL32.dll", + "relative_path": ".\\リンク先.txt", + "working_directory": "C:\\Temp", + "icon_location": "%SystemRoot%\\system32\\SHELL32.dll", "extra": { - "propertyStore": { + "property_store": { "properties": { "10": [ { @@ -84,12 +84,12 @@ }, "tracker": { "version": 0, - "machineId": "test012345", + "machine_id": "test012345", "droid": [ "04c26c4d-cace-1647-8fa4-b334de43dd91", "8cf0e23d-7e9a-e911-8328-bcee7b5dda94" ], - "droidBirth": [ + "droid_birth": [ "04c26c4d-cace-1647-8fa4-b334de43dd91", "8cf0e23d-7e9a-e911-8328-bcee7b5dda94" ] diff --git a/libbeat/formats/fixtures/lnk/microsoft.lnk.fingerprint b/libbeat/formats/fixtures/lnk/microsoft.lnk.fingerprint index 994b08431270..8a19a4de62a9 100644 --- a/libbeat/formats/fixtures/lnk/microsoft.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/microsoft.lnk.fingerprint @@ -1,7 +1,7 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "EnableTargetMetadata", "HasLinkInfo", "HasRelativePath", 
@@ -9,34 +9,34 @@ "HasWorkingDir", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_ARCHIVE" ], - "creationTime": "2008-09-12T20:27:17Z", - "accessedTime": "2008-09-12T20:27:17Z", - "modifiedTime": "2008-09-12T20:27:17Z", - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "creation_time": "2008-09-12T20:27:17Z", + "accessed_time": "2008-09-12T20:27:17Z", + "modified_time": "2008-09-12T20:27:17Z", + "icon_index": 0, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 80, + "type_id": 80, "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" }, { "size": 25, - "typeId": 67, + "type_id": 67, "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" }, { "size": 70, - "typeId": 0, + "type_id": 0, "sha256": "1c65aad4c1ca4ef42a6531aaa29a4b528040a6d87d576a1afbaa02c7a6be82db" }, { "size": 72, - "typeId": 0, + "type_id": 0, "sha256": "631f8dc975154983492d18f1712ff973b8425f3dcd2c9d079ed527bed6c9eee1" } ], @@ -45,22 +45,22 @@ "VolumeIDAndLocalBasePath" ], "volume": { - "driveType": "DRIVE_FIXED", - "driveSerialNumber": "0x307a8a81" + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0x307a8a81" }, - "localBasePath": "C:\\test\\a.txt" + "local_base_path": "C:\\test\\a.txt" }, - "relativePath": ".\\a.txt", - "workingDirectory": "C:\\test", + "relative_path": ".\\a.txt", + "working_directory": "C:\\test", "extra": { "tracker": { "version": 0, - "machineId": "chris-xps", + "machine_id": "chris-xps", "droid": [ "4078c794-47fa-c746-b356-5c2dc6b6d115", "ec46cd7b-227f-dd11-9499-00137216874a" ], - "droidBirth": [ + "droid_birth": [ "4078c794-47fa-c746-b356-5c2dc6b6d115", "ec46cd7b-227f-dd11-9499-00137216874a" ] diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.01.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.01.lnk.fingerprint index 7b7141da5057..5c14b8815bb3 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.01.lnk.fingerprint 
+++ b/libbeat/formats/fixtures/lnk/native.2008srv.01.lnk.fingerprint @@ -1,7 +1,7 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "HasExpString", "HasIconLocation", "HasName", 
@@ -10,68 +10,68 @@ "HasWorkingDir", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_ARCHIVE" ], - "creationTime": "2008-01-19T05:34:23Z", - "accessedTime": "2008-01-19T05:34:23Z", - "modifiedTime": "2008-01-19T07:33:04Z", - "fileSize": 318976, - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "creation_time": "2008-01-19T05:34:23Z", + "accessed_time": "2008-01-19T05:34:23Z", + "modified_time": "2008-01-19T07:33:04Z", + "file_size": 318976, + "icon_index": 0, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 80, + "type_id": 80, "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" }, { "size": 25, - "typeId": 68, + "type_id": 68, "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" }, { "size": 78, - "typeId": 0, + "type_id": 0, "sha256": "ffd0f85e19747c2bff4141e1e95b3f75928a6ca4a5c2aa143ba3ac6bf45a9189" }, { "size": 82, - "typeId": 0, + "type_id": 0, "sha256": "b580caeeb15f5ca1a896023cfb9db496f369a4153ae21c1364304bcdda351fe6" }, { "size": 78, - "typeId": 0, + "type_id": 0, "sha256": "beb5ad6f99c69a36573c346a64a0c76cf1a73660bffbb95fac0b06efe53079cf" } ], "name": "@%windir%\\system32\\shell32.dll,-22534", - "relativePath": "..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\cmd.exe", - "workingDirectory": "%HOMEDRIVE%%HOMEPATH%", - "iconLocation": "%SystemRoot%\\system32\\cmd.exe", + "relative_path": "..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\cmd.exe", + "working_directory": "%HOMEDRIVE%%HOMEPATH%", + "icon_location": "%SystemRoot%\\system32\\cmd.exe", "extra": { "environment": { "ansi": "%SystemRoot%\\system32\\cmd.exe", "unicode": "%SystemRoot%\\system32\\cmd.exe" }, - "knownFolder": { + "known_folder": { "id": "774ec11a-e702-5d4e-b744-2eb1ae5198b7", "offset": 205 }, - "specialFolder": { + "special_folder": { "id": 37, "offset": 205 }, "tracker": { "version": 0, - "machineId": "win-hwdt97ahwff", + "machine_id": "win-hwdt97ahwff", "droid": [ 
"bab60dfd-b582-ae4d-9e57-00eb13c2fc0f", "1d494f80-82c6-dc11-901d-0014220d9404" ], - "droidBirth": [ + "droid_birth": [ "bab60dfd-b582-ae4d-9e57-00eb13c2fc0f", "1d494f80-82c6-dc11-901d-0014220d9404" ] diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.02.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.02.lnk.fingerprint index 4ff1222143b3..b22bd7a77610 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.02.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.02.lnk.fingerprint @@ -1,24 +1,24 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "HasIconLocation", "HasName", "HasTargetIDList", "IsUnicode" ], - "fileFlags": [], - "iconIndex": 4294967187, - "windowStyle": "SW_NORMAL" + "file_flags": [], + "icon_index": 4294967187, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 80, + "type_id": 80, "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" } ], "name": "@%windir%\\explorer.exe,-304", - "iconLocation": "%SystemRoot%\\system32\\imageres.dll", + "icon_location": "%SystemRoot%\\system32\\imageres.dll", "extra": {} } \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.03.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.03.lnk.fingerprint index 827f56dbff47..0a23efd71b95 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.03.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.03.lnk.fingerprint 
@@ -1,24 +1,24 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "HasIconLocation", "HasName", "HasTargetIDList", "IsUnicode" ], - "fileFlags": [], - "iconIndex": 4294967269, - "windowStyle": "SW_NORMAL" + "file_flags": [], + "icon_index": 4294967269, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 128, + "type_id": 128, "sha256": "fe665801103b090a9f447cb365a4acb589b5e2aed6473da23290967de2fcbbf9" } ], "name": "@%windir%\\explorer.exe,-307", - "iconLocation": "%SystemRoot%\\system32\\imageres.dll", + "icon_location": "%SystemRoot%\\system32\\imageres.dll", "extra": {} } \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.04.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.04.lnk.fingerprint index 44dee573d71a..a20c3e3308bd 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.04.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.04.lnk.fingerprint 
@@ -1,53 +1,53 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "EnableTargetMetadata", "HasRelativePath", "HasTargetIDList", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_DIRECTORY", "FILE_ATTRIBUTE_READONLY" ], - "creationTime": "2010-06-21T14:55:25Z", - "accessedTime": "2010-06-21T14:55:33Z", - "modifiedTime": "2010-06-21T14:55:33Z", - "fileSize": 4096, - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "creation_time": "2010-06-21T14:55:25Z", + "accessed_time": "2010-06-21T14:55:33Z", + "modified_time": "2010-06-21T14:55:33Z", + "file_size": 4096, + "icon_index": 0, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 68, + "type_id": 68, "sha256": "9193c3d2d24cd3be01e287b81dc4373db0e51b5167c48799ed0ff396bd4d42a2" }, { "size": 32, - "typeId": 0, + "type_id": 0, "sha256": "ad0ad2454b2255ece9e4624c170ead63718269e0bd0c73db424ea6e556ed4b76" } ], - "relativePath": "..\\Documents", + "relative_path": "..\\Documents", "extra": { - "knownFolder": { + "known_folder": { "id": "d09ad3fd-8f23-af46-adb4-6c85480369c7", "offset": 52 }, - "specialFolder": { + "special_folder": { "id": 5, "offset": 52 }, "tracker": { "version": 0, - "machineId": "als-backup1", + "machine_id": "als-backup1", "droid": [ "325a35a3-6ed8-2049-adfd-dc842d90c45f", "13a09673-447d-df11-a3ad-a4badb43b04f" ], - "droidBirth": [ + "droid_birth": [ "325a35a3-6ed8-2049-adfd-dc842d90c45f", "13a09673-447d-df11-a3ad-a4badb43b04f" ] diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.05.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.05.lnk.fingerprint index 00f8c6bd4437..e1f8cafa0d53 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.05.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.05.lnk.fingerprint @@ -1,7 +1,7 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "HasArguments", "HasExpString", "HasIconLocation", 
@@ -10,68 +10,68 @@ "HasTargetIDList", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_ARCHIVE" ], - "creationTime": "2008-01-19T05:45:45Z", - "accessedTime": "2008-01-19T08:38:39Z", - "modifiedTime": "2006-11-02T09:44:59Z", - "fileSize": 211968, - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "creation_time": "2008-01-19T05:45:45Z", + "accessed_time": "2008-01-19T08:38:39Z", + "modified_time": "2006-11-02T09:44:59Z", + "file_size": 211968, + "icon_index": 0, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 80, + "type_id": 80, "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" }, { "size": 25, - "typeId": 68, + "type_id": 68, "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" }, { "size": 78, - "typeId": 0, + "type_id": 0, "sha256": "fece27f82c45bb2da91e051a5eef11d40b38ab0a8763b1d10e140c9c92de7465" }, { "size": 82, - "typeId": 0, + "type_id": 0, "sha256": "b580caeeb15f5ca1a896023cfb9db496f369a4153ae21c1364304bcdda351fe6" }, { "size": 90, - "typeId": 0, + "type_id": 0, "sha256": "0b31690e53d5e14c12bc8b900fc5746cfd64a640461d13e3d22e4ad06d31e520" } ], "name": "@%windir%\\system32\\accessibilityCpl.dll,-45", - "relativePath": "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\control.exe", - "commandLine": "/name Microsoft.EaseOfAccessCenter", - "iconLocation": "%SystemRoot%\\system32\\AccessibilityCpl.dll", + "relative_path": "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\control.exe", + "command_line": "/name Microsoft.EaseOfAccessCenter", + "icon_location": "%SystemRoot%\\system32\\AccessibilityCpl.dll", "extra": { "environment": { "ansi": "%SystemRoot%\\system32\\control.exe", "unicode": "%SystemRoot%\\system32\\control.exe" }, - "knownFolder": { + "known_folder": { "id": "774ec11a-e702-5d4e-b744-2eb1ae5198b7", "offset": 205 }, - "specialFolder": { + "special_folder": { "id": 37, "offset": 205 }, "tracker": { "version": 0, - "machineId": 
"win-hwdt97ahwff", + "machine_id": "win-hwdt97ahwff", "droid": [ "bab60dfd-b582-ae4d-9e57-00eb13c2fc0f", "16494f80-82c6-dc11-901d-0014220d9404" ], - "droidBirth": [ + "droid_birth": [ "bab60dfd-b582-ae4d-9e57-00eb13c2fc0f", "16494f80-82c6-dc11-901d-0014220d9404" ] diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.06.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.06.lnk.fingerprint index 8bebb792d7cb..7c9c02a65f65 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.06.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.06.lnk.fingerprint @@ -1,7 +1,7 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "HasExpIcon", "HasIconLocation", "HasName", 
@@ -10,73 +10,73 @@ "HasWorkingDir", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_ARCHIVE" ], - "creationTime": "2009-03-18T14:50:44Z", - "accessedTime": "2010-06-18T09:17:35Z", - "modifiedTime": "2009-03-18T14:50:44Z", - "fileSize": 1189128, - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "creation_time": "2009-03-18T14:50:44Z", + "accessed_time": "2010-06-18T09:17:35Z", + "modified_time": "2009-03-18T14:50:44Z", + "file_size": 1189128, + "icon_index": 0, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 80, + "type_id": 80, "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" }, { "size": 25, - "typeId": 67, + "type_id": 67, "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" }, { "size": 132, - "typeId": 0, + "type_id": 0, "sha256": "46463e8662fedf13e7875f980e95b1323c9d5a29f95761ea11e90e13cb1c1b71" }, { "size": 64, - "typeId": 0, + "type_id": 0, "sha256": "050ac3a59f27a3c0128267289bc2d97fc0c556c767e64440ec5fc14b3bf82898" }, { "size": 96, - "typeId": 0, + "type_id": 0, "sha256": "ced8e13e8a3e6becfa46c36ddb8093dd290dcef2ef92a819cfd1a5212fae19a6" }, { "size": 100, - "typeId": 0, + "type_id": 0, "sha256": "49da630304583e350c863d917055477edc006d5c5d5b41cd1932a1c351838e1a" } ], "name": "Gestionnaire CA ARCserve Backup", - "relativePath": "..\\..\\..\\..\\..\\..\\..\\Program Files\\CA\\ARCserve Backup\\ARCserveMgr.exe", - "workingDirectory": "C:\\Program Files\\CA\\ARCserve Backup\\", - "iconLocation": "C:\\Windows\\Installer\\{8EF9D7FC-A940-4794-8346-7C15EEBEBF54}\\BrightStorManager1_319B2AA96D38499581EEE0912B18CF57.exe", + "relative_path": "..\\..\\..\\..\\..\\..\\..\\Program Files\\CA\\ARCserve Backup\\ARCserveMgr.exe", + "working_directory": "C:\\Program Files\\CA\\ARCserve Backup\\", + "icon_location": "C:\\Windows\\Installer\\{8EF9D7FC-A940-4794-8346-7C15EEBEBF54}\\BrightStorManager1_319B2AA96D38499581EEE0912B18CF57.exe", "extra": { - "iconEnvironment": { + 
"icon_environment": { "ansi": "%SystemRoot%\\Installer\\{8EF9D7FC-A940-4794-8346-7C15EEBEBF54}\\BrightStorManager1_319B2AA96D38499581EEE0912B18CF57.exe", "unicode": "%SystemRoot%\\Installer\\{8EF9D7FC-A940-4794-8346-7C15EEBEBF54}\\BrightStorManager1_319B2AA96D38499581EEE0912B18CF57.exe" }, - "knownFolder": { + "known_folder": { "id": "ef405a7c-fba0-fc4b-874a-c0f2e0b9fa8e", "offset": 177 }, - "specialFolder": { + "special_folder": { "id": 42, "offset": 177 }, "tracker": { "version": 0, - "machineId": "als-projets1", + "machine_id": "als-projets1", "droid": [ "325a35a3-6ed8-2049-adfd-dc842d90c45f", "7c48b2fb-b37a-df11-8161-a4badb43b04f" ], - "droidBirth": [ + "droid_birth": [ "325a35a3-6ed8-2049-adfd-dc842d90c45f", "7c48b2fb-b37a-df11-8161-a4badb43b04f" ] diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.07.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.07.lnk.fingerprint index c9260ff8f71c..5e96362aad06 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.07.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.07.lnk.fingerprint @@ -1,24 +1,24 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "HasIconLocation", "HasName", "HasTargetIDList", "IsUnicode" ], - "fileFlags": [], - "iconIndex": 4294967272, - "windowStyle": "SW_NORMAL" + "file_flags": [], + "icon_index": 4294967272, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 128, + "type_id": 128, "sha256": "16d0e14f639e9764cece0da2d07db14c9bd498fa3bc66fd559ac00d26d24cc2c" } ], "name": "@%windir%\\explorer.exe,-7001", - "iconLocation": "%SystemRoot%\\system32\\shell32.dll", + "icon_location": "%SystemRoot%\\system32\\shell32.dll", "extra": {} } \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.08.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.08.lnk.fingerprint index 701641f91268..3097515ed084 100644 
--- a/libbeat/formats/fixtures/lnk/native.2008srv.08.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.08.lnk.fingerprint @@ -1,7 +1,7 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "HasArguments", "HasName", "HasRelativePath", 
@@ -9,64 +9,64 @@ "HasWorkingDir", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_ARCHIVE" ], - "creationTime": "2008-01-19T05:48:02Z", - "accessedTime": "2008-01-19T05:48:02Z", - "modifiedTime": "2008-01-19T07:33:12Z", - "fileSize": 625664, - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "creation_time": "2008-01-19T05:48:02Z", + "accessed_time": "2008-01-19T05:48:02Z", + "modified_time": "2008-01-19T07:33:12Z", + "file_size": 625664, + "icon_index": 0, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 80, + "type_id": 80, "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" }, { "size": 25, - "typeId": 67, + "type_id": 67, "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" }, { "size": 132, - "typeId": 0, + "type_id": 0, "sha256": "46463e8662fedf13e7875f980e95b1323c9d5a29f95761ea11e90e13cb1c1b71" }, { "size": 100, - "typeId": 0, + "type_id": 0, "sha256": "d08e5c93e6953dd7352b577645b8e8bb820e60a162b89f9b02c5a5cb3329f04b" }, { "size": 94, - "typeId": 0, + "type_id": 0, "sha256": "2aadd8d53e7463686a436c806960bd61778d0048f6c535ecb9a90a95b7da74ae" } ], "name": "@\"%windir%\\System32\\ie4uinit.exe\",-738", - "relativePath": "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Program Files\\Internet Explorer\\iexplore.exe", - "workingDirectory": "%HOMEDRIVE%%HOMEPATH%", - "commandLine": " -extoff", + "relative_path": "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Program Files\\Internet Explorer\\iexplore.exe", + "working_directory": "%HOMEDRIVE%%HOMEPATH%", + "command_line": " -extoff", "extra": { - "knownFolder": { + "known_folder": { "id": "ef405a7c-fba0-fc4b-874a-c0f2e0b9fa8e", "offset": 177 }, - "specialFolder": { + "special_folder": { "id": 42, "offset": 177 }, "tracker": { "version": 0, - "machineId": "als-backup1", + "machine_id": "als-backup1", "droid": [ "325a35a3-6ed8-2049-adfd-dc842d90c45f", "90ed08bb-1f7a-df11-a4a2-a4badb43b04f" ], - "droidBirth": [ + "droid_birth": [ 
"325a35a3-6ed8-2049-adfd-dc842d90c45f", "90ed08bb-1f7a-df11-a4a2-a4badb43b04f" ] diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.09.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.09.lnk.fingerprint index dfcba27cf9e8..f68a919ab464 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.09.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.09.lnk.fingerprint 
@@ -1,70 +1,70 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "HasName", "HasRelativePath", "HasTargetIDList", "HasWorkingDir", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_ARCHIVE" ], - "creationTime": "2008-01-19T05:48:02Z", - "accessedTime": "2008-01-19T05:48:02Z", - "modifiedTime": "2008-01-19T07:33:12Z", - "fileSize": 625664, - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "creation_time": "2008-01-19T05:48:02Z", + "accessed_time": "2008-01-19T05:48:02Z", + "modified_time": "2008-01-19T07:33:12Z", + "file_size": 625664, + "icon_index": 0, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 80, + "type_id": 80, "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" }, { "size": 25, - "typeId": 67, + "type_id": 67, "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" }, { "size": 132, - "typeId": 0, + "type_id": 0, "sha256": "46463e8662fedf13e7875f980e95b1323c9d5a29f95761ea11e90e13cb1c1b71" }, { "size": 100, - "typeId": 0, + "type_id": 0, "sha256": "d08e5c93e6953dd7352b577645b8e8bb820e60a162b89f9b02c5a5cb3329f04b" }, { "size": 94, - "typeId": 0, + "type_id": 0, "sha256": "2aadd8d53e7463686a436c806960bd61778d0048f6c535ecb9a90a95b7da74ae" } ], "name": "@\"%windir%\\System32\\ie4uinit.exe\",-732", - "relativePath": "..\\..\\..\\..\\..\\..\\..\\..\\Program Files\\Internet Explorer\\iexplore.exe", - "workingDirectory": "%HOMEDRIVE%%HOMEPATH%", + "relative_path": "..\\..\\..\\..\\..\\..\\..\\..\\Program Files\\Internet Explorer\\iexplore.exe", + "working_directory": "%HOMEDRIVE%%HOMEPATH%", "extra": { - "knownFolder": { + "known_folder": { "id": "ef405a7c-fba0-fc4b-874a-c0f2e0b9fa8e", "offset": 177 }, - "specialFolder": { + "special_folder": { "id": 42, "offset": 177 }, "tracker": { "version": 0, - "machineId": "als-backup1", + "machine_id": "als-backup1", "droid": [ "325a35a3-6ed8-2049-adfd-dc842d90c45f", 
"90ed08bb-1f7a-df11-a4a2-a4badb43b04f" ], - "droidBirth": [ + "droid_birth": [ "325a35a3-6ed8-2049-adfd-dc842d90c45f", "90ed08bb-1f7a-df11-a4a2-a4badb43b04f" ] diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.10.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.10.lnk.fingerprint index 84b25c87683f..52a7c1dbeea0 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.10.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.10.lnk.fingerprint @@ -1,52 +1,52 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "EnableTargetMetadata", "HasRelativePath", "HasTargetIDList", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_DIRECTORY", "FILE_ATTRIBUTE_READONLY" ], - "creationTime": "2010-06-21T14:55:25Z", - "accessedTime": "2010-06-21T14:55:33Z", - "modifiedTime": "2010-06-21T14:55:33Z", - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "creation_time": "2010-06-21T14:55:25Z", + "accessed_time": "2010-06-21T14:55:33Z", + "modified_time": "2010-06-21T14:55:33Z", + "icon_index": 0, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 68, + "type_id": 68, "sha256": "9193c3d2d24cd3be01e287b81dc4373db0e51b5167c48799ed0ff396bd4d42a2" }, { "size": 32, - "typeId": 0, + "type_id": 0, "sha256": "a937e7b511b1a11289f065360e4175ea46b7fca384533c53a811c8ef0d4aa884" } ], - "relativePath": "..\\Music", + "relative_path": "..\\Music", "extra": { - "knownFolder": { + "known_folder": { "id": "71d5d84b-196d-d348-be97-422220080e43", "offset": 52 }, - "specialFolder": { + "special_folder": { "id": 13, "offset": 52 }, "tracker": { "version": 0, - "machineId": "als-backup1", + "machine_id": "als-backup1", "droid": [ "325a35a3-6ed8-2049-adfd-dc842d90c45f", "11a09673-447d-df11-a3ad-a4badb43b04f" ], - "droidBirth": [ + "droid_birth": [ "325a35a3-6ed8-2049-adfd-dc842d90c45f", "11a09673-447d-df11-a3ad-a4badb43b04f" ] 
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.11.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.11.lnk.fingerprint index cd4d9731c4d9..a9c15d3920c6 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.11.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.11.lnk.fingerprint @@ -1,7 +1,7 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "HasExpString", "HasIconLocation", "HasName", 
@@ -9,67 +9,67 @@ "HasTargetIDList", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_ARCHIVE" ], - "creationTime": "2008-01-19T04:06:25Z", - "accessedTime": "2008-01-19T08:38:15Z", - "modifiedTime": "2006-11-02T09:47:04Z", - "fileSize": 991232, - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "creation_time": "2008-01-19T04:06:25Z", + "accessed_time": "2008-01-19T08:38:15Z", + "modified_time": "2006-11-02T09:47:04Z", + "file_size": 991232, + "icon_index": 0, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 80, + "type_id": 80, "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" }, { "size": 25, - "typeId": 68, + "type_id": 68, "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" }, { "size": 78, - "typeId": 0, + "type_id": 0, "sha256": "fece27f82c45bb2da91e051a5eef11d40b38ab0a8763b1d10e140c9c92de7465" }, { "size": 82, - "typeId": 0, + "type_id": 0, "sha256": "b580caeeb15f5ca1a896023cfb9db496f369a4153ae21c1364304bcdda351fe6" }, { "size": 94, - "typeId": 0, + "type_id": 0, "sha256": "f4951a33ecf276bad83040de196791ed4c980ede7f272fabcce11723570b5b6e" } ], "name": "@%windir%\\system32\\shell32.dll,-22560", - "relativePath": "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\Narrator.exe", - "iconLocation": "%SystemRoot%\\system32\\narrator.exe", + "relative_path": "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\Narrator.exe", + "icon_location": "%SystemRoot%\\system32\\narrator.exe", "extra": { "environment": { "ansi": "%SystemRoot%\\system32\\narrator.exe", "unicode": "%SystemRoot%\\system32\\narrator.exe" }, - "knownFolder": { + "known_folder": { "id": "774ec11a-e702-5d4e-b744-2eb1ae5198b7", "offset": 205 }, - "specialFolder": { + "special_folder": { "id": 37, "offset": 205 }, "tracker": { "version": 0, - "machineId": "win-hwdt97ahwff", + "machine_id": "win-hwdt97ahwff", "droid": [ "bab60dfd-b582-ae4d-9e57-00eb13c2fc0f", "14494f80-82c6-dc11-901d-0014220d9404" 
], - "droidBirth": [ + "droid_birth": [ "bab60dfd-b582-ae4d-9e57-00eb13c2fc0f", "14494f80-82c6-dc11-901d-0014220d9404" ] diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.12.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.12.lnk.fingerprint index cb29c78f3da9..1bdd3ac5bda0 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.12.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.12.lnk.fingerprint @@ -1,7 +1,7 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "HasExpString", "HasIconLocation", "HasName", 
@@ -10,69 +10,69 @@ "HasWorkingDir", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_ARCHIVE", "FILE_ATTRIBUTE_NOT_CONTENT_INDEXED" ], - "creationTime": "2008-01-19T05:46:11Z", - "accessedTime": "2008-01-19T05:46:11Z", - "modifiedTime": "2008-01-19T07:33:18Z", - "fileSize": 151040, - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "creation_time": "2008-01-19T05:46:11Z", + "accessed_time": "2008-01-19T05:46:11Z", + "modified_time": "2008-01-19T07:33:18Z", + "file_size": 151040, + "icon_index": 0, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 80, + "type_id": 80, "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" }, { "size": 25, - "typeId": 68, + "type_id": 68, "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" }, { "size": 78, - "typeId": 0, + "type_id": 0, "sha256": "ffd0f85e19747c2bff4141e1e95b3f75928a6ca4a5c2aa143ba3ac6bf45a9189" }, { "size": 82, - "typeId": 0, + "type_id": 0, "sha256": "b580caeeb15f5ca1a896023cfb9db496f369a4153ae21c1364304bcdda351fe6" }, { "size": 90, - "typeId": 0, + "type_id": 0, "sha256": "f03efa059ed9d8a90809826fe09df1ff94b1a4e7d376efa89742e74f86bda53a" } ], "name": "@%SystemRoot%\\system32\\Shell32.dll,-22563", - "relativePath": "..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\notepad.exe", - "workingDirectory": "%HOMEDRIVE%%HOMEPATH%", - "iconLocation": "%SystemRoot%\\system32\\notepad.exe", + "relative_path": "..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\notepad.exe", + "working_directory": "%HOMEDRIVE%%HOMEPATH%", + "icon_location": "%SystemRoot%\\system32\\notepad.exe", "extra": { "environment": { "ansi": "%SystemRoot%\\system32\\notepad.exe", "unicode": "%SystemRoot%\\system32\\notepad.exe" }, - "knownFolder": { + "known_folder": { "id": "774ec11a-e702-5d4e-b744-2eb1ae5198b7", "offset": 205 }, - "specialFolder": { + "special_folder": { "id": 37, "offset": 205 }, "tracker": { "version": 0, - "machineId": "win-hwdt97ahwff", + 
"machine_id": "win-hwdt97ahwff", "droid": [ "bab60dfd-b582-ae4d-9e57-00eb13c2fc0f", "20494f80-82c6-dc11-901d-0014220d9404" ], - "droidBirth": [ + "droid_birth": [ "bab60dfd-b582-ae4d-9e57-00eb13c2fc0f", "20494f80-82c6-dc11-901d-0014220d9404" ] diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.13.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.13.lnk.fingerprint index 2aced7f00904..b627a0427494 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.13.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.13.lnk.fingerprint @@ -1,7 +1,7 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "HasExpString", "HasIconLocation", "HasName", 
@@ -9,67 +9,67 @@ "HasTargetIDList", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_ARCHIVE" ], - "creationTime": "2008-01-19T05:46:07Z", - "accessedTime": "2008-01-19T08:38:04Z", - "modifiedTime": "2006-11-02T09:45:31Z", - "fileSize": 182272, - "iconIndex": 4294967295, - "windowStyle": "SW_NORMAL" + "creation_time": "2008-01-19T05:46:07Z", + "accessed_time": "2008-01-19T08:38:04Z", + "modified_time": "2006-11-02T09:45:31Z", + "file_size": 182272, + "icon_index": 4294967295, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 80, + "type_id": 80, "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" }, { "size": 25, - "typeId": 68, + "type_id": 68, "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" }, { "size": 78, - "typeId": 0, + "type_id": 0, "sha256": "fece27f82c45bb2da91e051a5eef11d40b38ab0a8763b1d10e140c9c92de7465" }, { "size": 82, - "typeId": 0, + "type_id": 0, "sha256": "b580caeeb15f5ca1a896023cfb9db496f369a4153ae21c1364304bcdda351fe6" }, { "size": 78, - "typeId": 0, + "type_id": 0, "sha256": "35b83166179ee8bc57ed1d34e1d4d0774363c6defe6bf3af7d9528eb4f285ae7" } ], "name": "@%SystemRoot%\\system32\\shell32.dll,-22564", - "relativePath": "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\osk.exe", - "iconLocation": "%SystemRoot%\\system32\\osk.exe", + "relative_path": "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\osk.exe", + "icon_location": "%SystemRoot%\\system32\\osk.exe", "extra": { "environment": { "ansi": "%SystemRoot%\\system32\\osk.exe", "unicode": "%SystemRoot%\\system32\\osk.exe" }, - "knownFolder": { + "known_folder": { "id": "774ec11a-e702-5d4e-b744-2eb1ae5198b7", "offset": 205 }, - "specialFolder": { + "special_folder": { "id": 37, "offset": 205 }, "tracker": { "version": 0, - "machineId": "win-hwdt97ahwff", + "machine_id": "win-hwdt97ahwff", "droid": [ "bab60dfd-b582-ae4d-9e57-00eb13c2fc0f", "1b494f80-82c6-dc11-901d-0014220d9404" ], - 
"droidBirth": [ + "droid_birth": [ "bab60dfd-b582-ae4d-9e57-00eb13c2fc0f", "1b494f80-82c6-dc11-901d-0014220d9404" ] diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.14.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.14.lnk.fingerprint index b88e18462443..142eb23c7b50 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.14.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.14.lnk.fingerprint @@ -1,52 +1,52 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "EnableTargetMetadata", "HasRelativePath", "HasTargetIDList", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_DIRECTORY", "FILE_ATTRIBUTE_READONLY" ], - "creationTime": "2010-06-21T14:55:25Z", - "accessedTime": "2010-06-21T14:55:33Z", - "modifiedTime": "2010-06-21T14:55:33Z", - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "creation_time": "2010-06-21T14:55:25Z", + "accessed_time": "2010-06-21T14:55:33Z", + "modified_time": "2010-06-21T14:55:33Z", + "icon_index": 0, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 68, + "type_id": 68, "sha256": "9193c3d2d24cd3be01e287b81dc4373db0e51b5167c48799ed0ff396bd4d42a2" }, { "size": 32, - "typeId": 0, + "type_id": 0, "sha256": "fc79a99570cb829bdfe1fc9d98d34509af46e4f1b9db55604bd2be872355ca89" } ], - "relativePath": "..\\Pictures", + "relative_path": "..\\Pictures", "extra": { - "knownFolder": { + "known_folder": { "id": "3081e233-1e4e-7646-835a-98395c3bc3bb", "offset": 52 }, - "specialFolder": { + "special_folder": { "id": 39, "offset": 52 }, "tracker": { "version": 0, - "machineId": "als-backup1", + "machine_id": "als-backup1", "droid": [ "325a35a3-6ed8-2049-adfd-dc842d90c45f", "12a09673-447d-df11-a3ad-a4badb43b04f" ], - "droidBirth": [ + "droid_birth": [ "325a35a3-6ed8-2049-adfd-dc842d90c45f", "12a09673-447d-df11-a3ad-a4badb43b04f" ] 
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.15.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.15.lnk.fingerprint index c1693258c5b9..c7678ed950bb 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.15.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.15.lnk.fingerprint @@ -1,44 +1,44 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "EnableTargetMetadata", "HasRelativePath", "HasTargetIDList", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_DIRECTORY", "FILE_ATTRIBUTE_READONLY" ], - "creationTime": "2008-01-19T09:40:53Z", - "accessedTime": "2008-01-19T09:40:53Z", - "modifiedTime": "2008-01-19T09:40:53Z", - "fileSize": 4096, - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "creation_time": "2008-01-19T09:40:53Z", + "accessed_time": "2008-01-19T09:40:53Z", + "modified_time": "2008-01-19T09:40:53Z", + "file_size": 4096, + "icon_index": 0, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 76, + "type_id": 76, "sha256": "82fe82afa3005892e74781cbae9bc9ecf682ea56ce765f650d6d402aa2cc7253" } ], - "relativePath": "..\\..\\Public", + "relative_path": "..\\..\\Public", "extra": { - "knownFolder": { + "known_folder": { "id": "a276dfdf-2ac8-634d-906a-5644ac457385", "offset": 20 }, "tracker": { "version": 0, - "machineId": "als-backup1", + "machine_id": "als-backup1", "droid": [ "325a35a3-6ed8-2049-adfd-dc842d90c45f", "8aed08bb-1f7a-df11-a4a2-a4badb43b04f" ], - "droidBirth": [ + "droid_birth": [ "325a35a3-6ed8-2049-adfd-dc842d90c45f", "8aed08bb-1f7a-df11-a4a2-a4badb43b04f" ] diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.16.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.16.lnk.fingerprint index 87c3530aa273..b0f170235367 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.16.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.16.lnk.fingerprint 
@@ -1,24 +1,24 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "HasIconLocation", "HasName", "HasTargetIDList", "IsUnicode" ], - "fileFlags": [], - "iconIndex": 4294967271, - "windowStyle": "SW_NORMAL" + "file_flags": [], + "icon_index": 4294967271, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 128, + "type_id": 128, "sha256": "0b5f1863267db7942c94a25ae7eab7b40020a5c8a1f46138490d77f88310203a" } ], "name": "@%windir%\\explorer.exe,-7003", - "iconLocation": "%SystemRoot%\\system32\\shell32.dll", + "icon_location": "%SystemRoot%\\system32\\shell32.dll", "extra": {} } \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.17.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.17.lnk.fingerprint index 7a6816f586ae..76551747e3c7 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.17.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.17.lnk.fingerprint 
@@ -1,49 +1,49 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "EnableTargetMetadata", "HasRelativePath", "HasTargetIDList", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_DIRECTORY", "FILE_ATTRIBUTE_READONLY" ], - "creationTime": "2010-06-21T14:55:33Z", - "accessedTime": "2010-06-21T14:55:33Z", - "modifiedTime": "2010-06-21T14:55:33Z", - "fileSize": 4096, - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "creation_time": "2010-06-21T14:55:33Z", + "accessed_time": "2010-06-21T14:55:33Z", + "modified_time": "2010-06-21T14:55:33Z", + "file_size": 4096, + "icon_index": 0, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 68, + "type_id": 68, "sha256": "9193c3d2d24cd3be01e287b81dc4373db0e51b5167c48799ed0ff396bd4d42a2" }, { "size": 32, - "typeId": 0, + "type_id": 0, "sha256": "4231fd1104c96daf3bbe8a2bff7b105845c84c63b69a8c8872dcf6e644c55295" } ], - "relativePath": "..\\Searches", + "relative_path": "..\\Searches", "extra": { - "knownFolder": { + "known_folder": { "id": "7c0fcef3-0149-cc4a-8648-d5d44b04ef8f", "offset": 20 }, "tracker": { "version": 0, - "machineId": "als-backup1", + "machine_id": "als-backup1", "droid": [ "325a35a3-6ed8-2049-adfd-dc842d90c45f", "0fa09673-447d-df11-a3ad-a4badb43b04f" ], - "droidBirth": [ + "droid_birth": [ "325a35a3-6ed8-2049-adfd-dc842d90c45f", "0fa09673-447d-df11-a3ad-a4badb43b04f" ] diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.18.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.18.lnk.fingerprint index 7f35a9713314..9f2cbae14e66 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.18.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.18.lnk.fingerprint 
@@ -1,24 +1,24 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "HasIconLocation", "HasName", "HasTargetIDList", "IsUnicode" ], - "fileFlags": [], - "iconIndex": 4294967038, - "windowStyle": "SW_NORMAL" + "file_flags": [], + "icon_index": 4294967038, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 128, + "type_id": 128, "sha256": "5adf040358900b7b886aebf682ef8ebefb25dcfc2b4f4cd7fb076bfc2317cbe3" } ], "name": "@%SystemRoot%\\system32\\shell32.dll,-10114", - "iconLocation": "%SystemRoot%\\explorer.exe", + "icon_location": "%SystemRoot%\\explorer.exe", "extra": {} } \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.19.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.19.lnk.fingerprint index 3b7e2d37ae0a..ae45f29e3750 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.19.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.19.lnk.fingerprint @@ -1,24 +1,24 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "HasIconLocation", "HasName", "HasTargetIDList", "IsUnicode" ], - "fileFlags": [], - "iconIndex": 4294967186, - "windowStyle": "SW_NORMAL" + "file_flags": [], + "icon_index": 4294967186, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 128, + "type_id": 128, "sha256": "25852b2a04726dbaed894c66d51d93ffdbcafbb4157cb9948bddd89879fa46d9" } ], "name": "@%SystemRoot%\\system32\\shell32.dll,-10113", - "iconLocation": "%SystemRoot%\\system32\\imageres.dll", + "icon_location": "%SystemRoot%\\system32\\imageres.dll", "extra": {} } \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.20.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.20.lnk.fingerprint index 18cf034f4c4d..ca51fb574113 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.20.lnk.fingerprint 
+++ b/libbeat/formats/fixtures/lnk/native.2008srv.20.lnk.fingerprint @@ -1,7 +1,7 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "HasExpString", "HasIconLocation", "HasName", 
@@ -9,62 +9,62 @@ "HasTargetIDList", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_ARCHIVE" ], - "creationTime": "2008-01-19T05:45:08Z", - "accessedTime": "2008-01-19T05:45:08Z", - "modifiedTime": "2008-01-19T07:33:10Z", - "fileSize": 2927104, - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "creation_time": "2008-01-19T05:45:08Z", + "accessed_time": "2008-01-19T05:45:08Z", + "modified_time": "2008-01-19T07:33:10Z", + "file_size": 2927104, + "icon_index": 0, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 80, + "type_id": 80, "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" }, { "size": 25, - "typeId": 68, + "type_id": 68, "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" }, { "size": 78, - "typeId": 0, + "type_id": 0, "sha256": "d388526f94e64db09ca8ad1e27366bdd87e94d1909273a6cd0aa3328bdd9ad30" }, { "size": 94, - "typeId": 0, + "type_id": 0, "sha256": "a925d96d0dc0fa9a669f6796f5ddc972e09bfbeca048f69435d791be383fd764" } ], "name": "@%SystemRoot%\\system32\\Shell32.dll,-22579", - "relativePath": "..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\explorer.exe", - "iconLocation": "%SystemRoot%\\explorer.exe", + "relative_path": "..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\explorer.exe", + "icon_location": "%SystemRoot%\\explorer.exe", "extra": { "environment": { "ansi": "%SystemRoot%\\explorer.exe", "unicode": "%SystemRoot%\\explorer.exe" }, - "knownFolder": { + "known_folder": { "id": "04f48bf3-431d-f242-9305-67de0b28fc23", "offset": 123 }, - "specialFolder": { + "special_folder": { "id": 36, "offset": 123 }, "tracker": { "version": 0, - "machineId": "win-hwdt97ahwff", + "machine_id": "win-hwdt97ahwff", "droid": [ "bab60dfd-b582-ae4d-9e57-00eb13c2fc0f", "f6484f80-82c6-dc11-901d-b3d7e32f3e9f" ], - "droidBirth": [ + "droid_birth": [ "bab60dfd-b582-ae4d-9e57-00eb13c2fc0f", "f6484f80-82c6-dc11-901d-b3d7e32f3e9f" ] 
diff --git a/libbeat/formats/fixtures/lnk/native.seven.01.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.01.lnk.fingerprint index 1f7836038450..f637f79d0c7b 100644 --- a/libbeat/formats/fixtures/lnk/native.seven.01.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.seven.01.lnk.fingerprint @@ -1,47 +1,47 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "HasLinkInfo", "HasRelativePath", "HasTargetIDList", "HasWorkingDir", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_ARCHIVE" ], - "creationTime": "2010-03-26T10:07:11Z", - "accessedTime": "2010-03-26T10:07:11Z", - "modifiedTime": "2005-09-04T20:18:26Z", - "fileSize": 1019392, - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "creation_time": "2010-03-26T10:07:11Z", + "accessed_time": "2010-03-26T10:07:11Z", + "modified_time": "2005-09-04T20:18:26Z", + "file_size": 1019392, + "icon_index": 0, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 80, + "type_id": 80, "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" }, { "size": 25, - "typeId": 67, + "type_id": 67, "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" }, { "size": 136, - "typeId": 0, + "type_id": 0, "sha256": "be0bfdb8a1e17d06c03f1d309c8d201d670db88d3c2f898f7ee7ffc1a5bbf070" }, { "size": 82, - "typeId": 0, + "type_id": 0, "sha256": "526ba298e7e1cf4fd68e20af01f2d623860d2fa75c5abdfc8b9a5ff332471fa5" }, { "size": 94, - "typeId": 0, + "type_id": 0, "sha256": "4972a1d1f32b875a121605f0d353db21abe693756ca03a447ca6703a6e933791" } ], 
@@ -50,19 +50,19 @@ "VolumeIDAndLocalBasePath" ], "volume": { - "driveType": "DRIVE_FIXED", - "driveSerialNumber": "0x3e5dce88" + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0x3e5dce88" }, - "localBasePath": "C:\\Program Files\\ConTEXT\\ConTEXT.exe" + "local_base_path": "C:\\Program Files\\ConTEXT\\ConTEXT.exe" }, - "relativePath": "..\\..\\..\\Program Files\\ConTEXT\\ConTEXT.exe", - "workingDirectory": "C:\\Program Files\\ConTEXT", + "relative_path": "..\\..\\..\\Program Files\\ConTEXT\\ConTEXT.exe", + "working_directory": "C:\\Program Files\\ConTEXT", "extra": { - "knownFolder": { + "known_folder": { "id": "ef405a7c-fba0-fc4b-874a-c0f2e0b9fa8e", "offset": 181 }, - "propertyStore": { + "property_store": { "properties": { "4": [ { @@ -72,18 +72,18 @@ ] } }, - "specialFolder": { + "special_folder": { "id": 42, "offset": 181 }, "tracker": { "version": 0, - "machineId": "al-0149", + "machine_id": "al-0149", "droid": [ "1eede5a0-610d-ed4f-a6e2-afca43a5c04c", "bdcda631-9f31-df11-b163-001e4ff01cc7" ], - "droidBirth": [ + "droid_birth": [ "1eede5a0-610d-ed4f-a6e2-afca43a5c04c", "bdcda631-9f31-df11-b163-001e4ff01cc7" ] diff --git a/libbeat/formats/fixtures/lnk/native.seven.02.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.02.lnk.fingerprint index 46b5111cc8e1..2036b7049d64 100644 --- a/libbeat/formats/fixtures/lnk/native.seven.02.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.seven.02.lnk.fingerprint 
@@ -1,36 +1,36 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "EnableTargetMetadata", "HasLinkInfo", "HasRelativePath", "HasTargetIDList", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_DIRECTORY", "FILE_ATTRIBUTE_READONLY" ], - "creationTime": "2009-09-16T09:31:55Z", - "accessedTime": "2009-09-16T09:32:12Z", - "modifiedTime": "2009-09-16T09:32:12Z", - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "creation_time": "2009-09-16T09:31:55Z", + "accessed_time": "2009-09-16T09:32:12Z", + "modified_time": "2009-09-16T09:32:12Z", + "icon_index": 0, + "window_style": "SW_NORMAL" }, "location": { "flags": [ "VolumeIDAndLocalBasePath" ], "volume": { - "driveType": "DRIVE_FIXED", - "driveSerialNumber": "0x3e5dce88" + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0x3e5dce88" }, - "localBasePath": "C:\\Users\\Aldheris\\Desktop" + "local_base_path": "C:\\Users\\Aldheris\\Desktop" }, - "relativePath": "..\\Desktop", + "relative_path": "..\\Desktop", "extra": { - "propertyStore": { + "property_store": { "properties": { "10": [ { @@ -48,12 +48,12 @@ }, "tracker": { "version": 0, - "machineId": "al-0149", + "machine_id": "al-0149", "droid": [ "1eede5a0-610d-ed4f-a6e2-afca43a5c04c", "e81a541f-a3a2-de11-b558-001e4ff01cc7" ], - "droidBirth": [ + "droid_birth": [ "1eede5a0-610d-ed4f-a6e2-afca43a5c04c", "e81a541f-a3a2-de11-b558-001e4ff01cc7" ] diff --git a/libbeat/formats/fixtures/lnk/native.seven.03.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.03.lnk.fingerprint index ed83ab7d8291..334cf9d82375 100644 --- a/libbeat/formats/fixtures/lnk/native.seven.03.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.seven.03.lnk.fingerprint 
@@ -1,24 +1,24 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "EnableTargetMetadata", "HasTargetIDList", "IsUnicode" ], - "fileFlags": [], - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "file_flags": [], + "icon_index": 0, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 128, + "type_id": 128, "sha256": "39dfe126408d76807afbd0057b9f4d96911391dfea30b2bbd12dd19e359b616e" } ], "extra": { - "propertyStore": { + "property_store": { "properties": { "10": [ { diff --git a/libbeat/formats/fixtures/lnk/native.seven.04.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.04.lnk.fingerprint index 6e72c32ff0fd..4f94a66334ed 100644 --- a/libbeat/formats/fixtures/lnk/native.seven.04.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.seven.04.lnk.fingerprint 
@@ -1,47 +1,47 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "HasLinkInfo", "HasRelativePath", "HasTargetIDList", "HasWorkingDir", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_ARCHIVE" ], - "creationTime": "2008-03-26T17:25:22Z", - "accessedTime": "2010-06-14T11:28:03Z", - "modifiedTime": "2008-03-26T17:25:22Z", - "fileSize": 1888256, - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "creation_time": "2008-03-26T17:25:22Z", + "accessed_time": "2010-06-14T11:28:03Z", + "modified_time": "2008-03-26T17:25:22Z", + "file_size": 1888256, + "icon_index": 0, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 80, + "type_id": 80, "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" }, { "size": 25, - "typeId": 67, + "type_id": 67, "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" }, { "size": 136, - "typeId": 0, + "type_id": 0, "sha256": "840a0411d530cd09b5792384fc7ed5e04f93fe1c71ed24d65cd0182e64fd31a1" }, { "size": 82, - "typeId": 0, + "type_id": 0, "sha256": "c09ce9a158eab2f04757007a4235bf293c1fe0c398738797318b07b4acac3bc7" }, { "size": 94, - "typeId": 0, + "type_id": 0, "sha256": "233c0e52e887e2c64a9e46fd3ed6607e6555a4b9e2f521928d25990ee18f9510" } ], 
@@ -50,19 +50,19 @@ "VolumeIDAndLocalBasePath" ], "volume": { - "driveType": "DRIVE_FIXED", - "driveSerialNumber": "0x3e5dce88" + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0x3e5dce88" }, - "localBasePath": "C:\\Program Files\\SopCast\\SopCast.exe" + "local_base_path": "C:\\Program Files\\SopCast\\SopCast.exe" }, - "relativePath": "..\\..\\..\\Program Files\\SopCast\\SopCast.exe", - "workingDirectory": "C:\\Program Files\\SopCast", + "relative_path": "..\\..\\..\\Program Files\\SopCast\\SopCast.exe", + "working_directory": "C:\\Program Files\\SopCast", "extra": { - "knownFolder": { + "known_folder": { "id": "ef405a7c-fba0-fc4b-874a-c0f2e0b9fa8e", "offset": 181 }, - "propertyStore": { + "property_store": { "properties": { "4": [ { @@ -72,18 +72,18 @@ ] } }, - "specialFolder": { + "special_folder": { "id": 42, "offset": 181 }, "tracker": { "version": 0, - "machineId": "al-0149", + "machine_id": "al-0149", "droid": [ "1eede5a0-610d-ed4f-a6e2-afca43a5c04c", "bd65fda7-2775-df11-a754-001e4ff01cc7" ], - "droidBirth": [ + "droid_birth": [ "1eede5a0-610d-ed4f-a6e2-afca43a5c04c", "bd65fda7-2775-df11-a754-001e4ff01cc7" ] diff --git a/libbeat/formats/fixtures/lnk/native.seven.05.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.05.lnk.fingerprint index ab119ffa373f..78b69519689c 100644 --- a/libbeat/formats/fixtures/lnk/native.seven.05.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.seven.05.lnk.fingerprint 
@@ -1,33 +1,33 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "DisableKnownFolderTracking", "HasTargetIDList", "IsUnicode" ], - "fileFlags": [], - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "file_flags": [], + "icon_index": 0, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 112, + "type_id": 112, "sha256": "4f2ef7c750b2e077b92d59dcecca8414e25706ebfe12e01016750e9af9574410" }, { "size": 12, - "typeId": 0, + "type_id": 0, "sha256": "ba3853104050fa0a1b1c6902ab5f00d91143d95955927624727ae16547273a82" }, { "size": 30, - "typeId": 128, + "type_id": 128, "sha256": "7f57d0f9f1a4cba5e9db241ecfa85a0fd9e4b5819d95870da37dc7b7210e81e5" } ], "extra": { - "propertyStore": {} + "property_store": {} } } \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.seven.06.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.06.lnk.fingerprint index 7fea9e1ef4fb..a80c12d4c0f9 100644 --- a/libbeat/formats/fixtures/lnk/native.seven.06.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.seven.06.lnk.fingerprint @@ -1,28 +1,28 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "DisableKnownFolderTracking", "HasTargetIDList", "IsUnicode" ], - "fileFlags": [], - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "file_flags": [], + "icon_index": 0, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 112, + "type_id": 112, "sha256": "4f2ef7c750b2e077b92d59dcecca8414e25706ebfe12e01016750e9af9574410" }, { "size": 12, - "typeId": 0, + "type_id": 0, "sha256": "ba3853104050fa0a1b1c6902ab5f00d91143d95955927624727ae16547273a82" } ], "extra": { - "propertyStore": {} + "property_store": {} } } \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.seven.07.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.07.lnk.fingerprint index e3e8a6fff094..80fc6c39af58 100644 
--- a/libbeat/formats/fixtures/lnk/native.seven.07.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.seven.07.lnk.fingerprint @@ -1,7 +1,7 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "ForceNoLinkInfo", "HasArguments", "HasExpString", @@ -11,34 +11,34 @@ "IsUnicode", "PreferEnvironmentPath" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_ARCHIVE" ], - "creationTime": "2009-07-13T23:40:14Z", - "accessedTime": "2009-07-13T23:40:14Z", - "modifiedTime": "2009-07-14T01:14:15Z", - "fileSize": 113152, - "iconIndex": 4294967295, - "windowStyle": "SW_NORMAL" + "creation_time": "2009-07-13T23:40:14Z", + "accessed_time": "2009-07-13T23:40:14Z", + "modified_time": "2009-07-14T01:14:15Z", + "file_size": 113152, + "icon_index": 4294967295, + "window_style": "SW_NORMAL" }, "name": "@%systemroot%\\system32\\sdcpl.dll,-100", - "relativePath": "..\\..\\..\\..\\..\\..\\Windows\\System32\\control.exe", - "commandLine": "/name Microsoft.BackupAndRestore", - "iconLocation": "%systemroot%\\system32\\sdcpl.dll", + "relative_path": "..\\..\\..\\..\\..\\..\\Windows\\System32\\control.exe", + "command_line": "/name Microsoft.BackupAndRestore", + "icon_location": "%systemroot%\\system32\\sdcpl.dll", "extra": { "environment": { "ansi": "%SystemRoot%\\System32\\control.exe", "unicode": "%SystemRoot%\\System32\\control.exe" }, - "propertyStore": {}, + "property_store": {}, "tracker": { "version": 0, - "machineId": "win-dc3j5p1qj61", + "machine_id": "win-dc3j5p1qj61", "droid": [ "a6b30b54-1b3f-044f-b746-9c5af7c07867", "05c79ae2-3770-de11-816d-001c23e25b76" ], - "droidBirth": [ + "droid_birth": [ "a6b30b54-1b3f-044f-b746-9c5af7c07867", "05c79ae2-3770-de11-816d-001c23e25b76" ] diff --git a/libbeat/formats/fixtures/lnk/native.seven.08.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.08.lnk.fingerprint index adbd9ec4896b..a6e2d588b983 100644 --- a/libbeat/formats/fixtures/lnk/native.seven.08.lnk.fingerprint 
+++ b/libbeat/formats/fixtures/lnk/native.seven.08.lnk.fingerprint @@ -1,7 +1,7 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "HasDarwinID", "HasExpIcon", "HasIconLocation", 
@@ -10,55 +10,55 @@ "HasTargetIDList", "IsUnicode" ], - "fileFlags": [], - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "file_flags": [], + "icon_index": 0, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 80, + "type_id": 80, "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" }, { "size": 25, - "typeId": 67, + "type_id": 67, "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" }, { "size": 82, - "typeId": 0, + "type_id": 0, "sha256": "adb0bd79a80a54398d17e2ccdab84c03e2231e531e7ab5e2f9dbb30568b12a5b" }, { "size": 88, - "typeId": 0, + "type_id": 0, "sha256": "1e58de9fc1d34050c497b08eaf7fcd03df9aa8d7b34aac88736e6189502c1121" }, { "size": 176, - "typeId": 0, + "type_id": 0, "sha256": "ff90de58070d4797d0e32a5349466c9a385cd908aaf70bee4d3c613847adf13a" }, { "size": 94, - "typeId": 0, + "type_id": 0, "sha256": "cc81ce35eb86e8c41d89c988c14966f9f500594e9e4d51ff68e2e65fe0e427e2" } ], "name": "Importez et organisez des photos, des images clip art, des fichiers sons et animation à l'aide de la Bibliothèque multimédia Microsoft.", - "relativePath": "..\\..\\..\\..\\..\\..\\..\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\cagicon.exe", - "iconLocation": "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\cagicon.exe", + "relative_path": "..\\..\\..\\..\\..\\..\\..\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\cagicon.exe", + "icon_location": "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\cagicon.exe", "extra": { "darwin": { "ansi": "xb'BV5!!!!!!!!!MKKSkCAGFiles\u003eFJGjc2{CeAz+$QTBrVhU", "unicode": "xb'BV5!!!!!!!!!MKKSkCAGFiles\u003eFJGjc2{CeAz+$QTBrVhU" }, - "iconEnvironment": { + "icon_environment": { "ansi": "%SystemRoot%\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\cagicon.exe", "unicode": "%SystemRoot%\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\cagicon.exe" }, - "propertyStore": { + "property_store": { "properties": { "6": 
[ { diff --git a/libbeat/formats/fixtures/lnk/native.seven.09.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.09.lnk.fingerprint index 72d7d2db5a1e..f837ede4753d 100644 --- a/libbeat/formats/fixtures/lnk/native.seven.09.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.seven.09.lnk.fingerprint @@ -1,7 +1,7 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "HasExpString", "HasLinkInfo", "HasName", @@ -10,40 +10,40 @@ "HasWorkingDir", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_ARCHIVE" ], - "creationTime": "2009-07-13T23:51:37Z", - "accessedTime": "2009-07-13T23:51:37Z", - "modifiedTime": "2009-07-14T01:14:20Z", - "fileSize": 219648, - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "creation_time": "2009-07-13T23:51:37Z", + "accessed_time": "2009-07-13T23:51:37Z", + "modified_time": "2009-07-14T01:14:20Z", + "file_size": 219648, + "icon_index": 0, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 80, + "type_id": 80, "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" }, { "size": 25, - "typeId": 67, + "type_id": 67, "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" }, { "size": 82, - "typeId": 0, + "type_id": 0, "sha256": "184e677e10b73142c9acb6bc4b5db242dabebda53ff506e59d720d2cbd5be706" }, { "size": 86, - "typeId": 0, + "type_id": 0, "sha256": "8ce8fcbfca1d3b5d6838544cdb47e95443e55e56f0aff1a73199531b735d77d3" }, { "size": 94, - "typeId": 0, + "type_id": 0, "sha256": "dc814bc487fc41e03499933cac5facf8154e3b768f8d22c06ac286342037386c" } ], 
@@ -52,24 +52,24 @@ "VolumeIDAndLocalBasePath" ], "volume": { - "driveType": "DRIVE_FIXED", - "driveSerialNumber": "0x502e1a8a" + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0x502e1a8a" }, - "localBasePath": "C:\\Windows\\System32\\fsquirt.exe" + "local_base_path": "C:\\Windows\\System32\\fsquirt.exe" }, "name": "@C:\\Windows\\system32\\fsquirt.exe,-2305", - "relativePath": "..\\..\\..\\..\\..\\..\\Windows\\System32\\fsquirt.exe", - "workingDirectory": "C:\\Windows\\system32", + "relative_path": "..\\..\\..\\..\\..\\..\\Windows\\System32\\fsquirt.exe", + "working_directory": "C:\\Windows\\system32", "extra": { "environment": { "ansi": "%SystemRoot%\\system32\\fsquirt.exe", "unicode": "%SystemRoot%\\system32\\fsquirt.exe" }, - "knownFolder": { + "known_folder": { "id": "774ec11a-e702-5d4e-b744-2eb1ae5198b7", "offset": 213 }, - "propertyStore": { + "property_store": { "properties": { "4": [ { @@ -85,18 +85,18 @@ ] } }, - "specialFolder": { + "special_folder": { "id": 37, "offset": 213 }, "tracker": { "version": 0, - "machineId": "win-40r2agv20qa", + "machine_id": "win-40r2agv20qa", "droid": [ "da667c4f-20d3-c44c-8d50-165dd98ebc01", "66d492f8-2061-df11-964c-ac3a656c3b1d" ], - "droidBirth": [ + "droid_birth": [ "da667c4f-20d3-c44c-8d50-165dd98ebc01", "66d492f8-2061-df11-964c-ac3a656c3b1d" ] diff --git a/libbeat/formats/fixtures/lnk/native.seven.10.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.10.lnk.fingerprint index 0704b1895052..6efce3a1ad2b 100644 --- a/libbeat/formats/fixtures/lnk/native.seven.10.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.seven.10.lnk.fingerprint @@ -1,7 +1,7 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "ForceNoLinkInfo", "HasExpString", "HasIconLocation", 
@@ -10,33 +10,33 @@ "IsUnicode", "PreferEnvironmentPath" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_ARCHIVE" ], - "creationTime": "2009-07-13T23:41:28Z", - "accessedTime": "2009-07-13T23:41:28Z", - "modifiedTime": "2009-07-14T01:14:13Z", - "fileSize": 776192, - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "creation_time": "2009-07-13T23:41:28Z", + "accessed_time": "2009-07-13T23:41:28Z", + "modified_time": "2009-07-14T01:14:13Z", + "file_size": 776192, + "icon_index": 0, + "window_style": "SW_NORMAL" }, "name": "@%SystemRoot%\\system32\\shell32.dll,-22531", - "relativePath": "..\\..\\..\\..\\..\\..\\Windows\\System32\\calc.exe", - "iconLocation": "%windir%\\system32\\calc.exe", + "relative_path": "..\\..\\..\\..\\..\\..\\Windows\\System32\\calc.exe", + "icon_location": "%windir%\\system32\\calc.exe", "extra": { "environment": { "ansi": "%windir%\\system32\\calc.exe", "unicode": "%windir%\\system32\\calc.exe" }, - "propertyStore": {}, + "property_store": {}, "tracker": { "version": 0, - "machineId": "win-dc3j5p1qj61", + "machine_id": "win-dc3j5p1qj61", "droid": [ "a6b30b54-1b3f-044f-b746-9c5af7c07867", "1bc79ae2-3770-de11-816d-001c23e25b76" ], - "droidBirth": [ + "droid_birth": [ "a6b30b54-1b3f-044f-b746-9c5af7c07867", "1bc79ae2-3770-de11-816d-001c23e25b76" ] diff --git a/libbeat/formats/fixtures/lnk/native.seven.11.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.11.lnk.fingerprint index cca65617d9c3..bd9d4e75cd86 100644 --- a/libbeat/formats/fixtures/lnk/native.seven.11.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.seven.11.lnk.fingerprint 
@@ -1,28 +1,28 @@
 {
 "header": {
 "guid": "01140200-0000-0000-c000-000000000046",
- "linkFlags": [
+ "link_flags": [
 "DisableKnownFolderTracking",
 "HasTargetIDList",
 "IsUnicode"
 ],
- "fileFlags": [],
- "iconIndex": 0,
- "windowStyle": "SW_NORMAL"
+ "file_flags": [],
+ "icon_index": 0,
+ "window_style": "SW_NORMAL"
 },
 "targets": [
 {
 "size": 20,
- "typeId": 112,
+ "type_id": 112,
 "sha256": "4f2ef7c750b2e077b92d59dcecca8414e25706ebfe12e01016750e9af9574410"
 },
 {
 "size": 12,
- "typeId": 0,
+ "type_id": 0,
 "sha256": "5acc20e219f85705afbb40e1379eff5b9ed6ee025f9a07f583725038dd1926d2"
 }
 ],
 "extra": {
- "propertyStore": {}
+ "property_store": {}
 }
 }
\ No newline at end of file
diff --git a/libbeat/formats/fixtures/lnk/native.seven.12.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.12.lnk.fingerprint
index fa97ff5da2a6..1c830b4eeff4 100644
--- a/libbeat/formats/fixtures/lnk/native.seven.12.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.seven.12.lnk.fingerprint
@@ -1,7 +1,7 @@
 {
 "header": {
 "guid": "01140200-0000-0000-c000-000000000046",
- "linkFlags": [
+ "link_flags": [
 "ForceNoLinkInfo",
 "HasExpString",
 "HasIconLocation",
@@ -11,34 +11,34 @@
 "IsUnicode",
 "PreferEnvironmentPath"
 ],
- "fileFlags": [
+ "file_flags": [
 "FILE_ATTRIBUTE_ARCHIVE"
 ],
- "creationTime": "2009-07-14T00:11:56Z",
- "accessedTime": "2009-07-14T00:11:56Z",
- "modifiedTime": "2009-07-14T01:14:28Z",
- "fileSize": 86016,
- "iconIndex": 4294965857,
- "windowStyle": "SW_NORMAL"
+ "creation_time": "2009-07-14T00:11:56Z",
+ "accessed_time": "2009-07-14T00:11:56Z",
+ "modified_time": "2009-07-14T01:14:28Z",
+ "file_size": 86016,
+ "icon_index": 4294965857,
+ "window_style": "SW_NORMAL"
 },
 "name": "@%windir%\\system32\\odbcint.dll,-1312",
- "relativePath": "..\\..\\..\\..\\..\\..\\Windows\\System32\\odbcad32.exe",
- "workingDirectory": "%windir%\\system32",
- "iconLocation": "%windir%\\system32\\odbcint.dll",
+ "relative_path": "..\\..\\..\\..\\..\\..\\Windows\\System32\\odbcad32.exe",
+ "working_directory": "%windir%\\system32",
+ "icon_location": "%windir%\\system32\\odbcint.dll",
 "extra": {
 "environment": {
 "ansi": "%windir%\\system32\\odbcad32.exe",
 "unicode": "%windir%\\system32\\odbcad32.exe"
 },
- "propertyStore": {},
+ "property_store": {},
 "tracker": {
 "version": 0,
- "machineId": "win-dc3j5p1qj61",
+ "machine_id": "win-dc3j5p1qj61",
 "droid": [
 "a6b30b54-1b3f-044f-b746-9c5af7c07867",
 "fcc69ae2-3770-de11-816d-001c23e25b76"
 ],
- "droidBirth": [
+ "droid_birth": [
 "a6b30b54-1b3f-044f-b746-9c5af7c07867",
 "fcc69ae2-3770-de11-816d-001c23e25b76"
 ]
diff --git a/libbeat/formats/fixtures/lnk/native.seven.13.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.13.lnk.fingerprint
index 2712e1439641..451883b4c247 100644
--- a/libbeat/formats/fixtures/lnk/native.seven.13.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.seven.13.lnk.fingerprint
@@ -1,45 +1,45 @@
 {
 "header": {
 "guid": "01140200-0000-0000-c000-000000000046",
- "linkFlags": [
+ "link_flags": [
 "EnableTargetMetadata",
 "HasLinkInfo",
 "HasRelativePath",
 "HasTargetIDList",
 "IsUnicode"
 ],
- "fileFlags": [
+ "file_flags": [
 "FILE_ATTRIBUTE_DIRECTORY",
 "FILE_ATTRIBUTE_READONLY"
 ],
- "creationTime": "2010-05-18T19:24:11Z",
- "accessedTime": "2010-05-18T19:24:30Z",
- "modifiedTime": "2010-05-18T19:24:30Z",
- "iconIndex": 0,
- "windowStyle": "SW_NORMAL"
+ "creation_time": "2010-05-18T19:24:11Z",
+ "accessed_time": "2010-05-18T19:24:30Z",
+ "modified_time": "2010-05-18T19:24:30Z",
+ "icon_index": 0,
+ "window_style": "SW_NORMAL"
 },
 "location": {
 "flags": [
 "CommonNetworkRelativeLinkAndPathSuffix",
 "VolumeIDAndLocalBasePath"
 ],
- "commonPathSuffix": "Juliette\\Desktop",
+ "common_path_suffix": "Juliette\\Desktop",
 "volume": {
- "driveType": "DRIVE_FIXED",
- "driveSerialNumber": "0x502e1a8a",
- "volumeLabel": "SSD-WIN7"
+ "drive_type": "DRIVE_FIXED",
+ "drive_serial_number": "0x502e1a8a",
+ "volume_label": "SSD-WIN7"
 },
- "localBasePath": "C:\\Users\\",
- "networkShare": {
+ "local_base_path": "C:\\Users\\",
+ "network_share": {
 "flags": [
 "ValidNetType"
 ],
 "name": "\\\\NETBOOK\\Users"
 }
 },
- "relativePath": "..\\Desktop",
+ "relative_path": "..\\Desktop",
 "extra": {
- "propertyStore": {
+ "property_store": {
 "properties": {
 "10": [
 {
@@ -57,12 +57,12 @@
 },
 "tracker": {
 "version": 0,
- "machineId": "netbook",
+ "machine_id": "netbook",
 "droid": [
 "da667c4f-20d3-c44c-8d50-165dd98ebc01",
 "1ef183f9-b062-df11-9c95-001377d34a59"
 ],
- "droidBirth": [
+ "droid_birth": [
 "da667c4f-20d3-c44c-8d50-165dd98ebc01",
 "1ef183f9-b062-df11-9c95-001377d34a59"
 ]
diff --git a/libbeat/formats/fixtures/lnk/native.seven.14.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.14.lnk.fingerprint
index e9fb29ca1c24..6b76252c7d57 100644
--- a/libbeat/formats/fixtures/lnk/native.seven.14.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.seven.14.lnk.fingerprint
@@ -1,7 +1,7 @@
 {
 "header": {
 "guid": "01140200-0000-0000-c000-000000000046",
- "linkFlags": [
+ "link_flags": [
 "ForceNoLinkInfo",
 "HasArguments",
 "HasExpString",
@@ -11,34 +11,34 @@
 "IsUnicode",
 "PreferEnvironmentPath"
 ],
- "fileFlags": [
+ "file_flags": [
 "FILE_ATTRIBUTE_ARCHIVE"
 ],
- "creationTime": "2009-07-14T00:15:12Z",
- "accessedTime": "2009-07-14T00:15:12Z",
- "modifiedTime": "2009-07-14T01:14:45Z",
- "fileSize": 802304,
- "iconIndex": 0,
- "windowStyle": "SW_NORMAL"
+ "creation_time": "2009-07-14T00:15:12Z",
+ "accessed_time": "2009-07-14T00:15:12Z",
+ "modified_time": "2009-07-14T01:14:45Z",
+ "file_size": 802304,
+ "icon_index": 0,
+ "window_style": "SW_NORMAL"
 },
 "name": "@%windir%\\system32\\FXSRESM.dll,-121",
- "relativePath": "..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\WFS.exe",
- "commandLine": "/SendTo",
- "iconLocation": "%windir%\\system32\\WFSR.dll",
+ "relative_path": "..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\WFS.exe",
+ "command_line": "/SendTo",
+ "icon_location": "%windir%\\system32\\WFSR.dll",
 "extra": {
 "environment": {
 "ansi": "%windir%\\system32\\WFS.exe",
 "unicode": "%windir%\\system32\\WFS.exe"
 },
- "propertyStore": {},
+ "property_store": {},
 "tracker": {
 "version": 0,
- "machineId": "win-dc3j5p1qj61",
+ "machine_id": "win-dc3j5p1qj61",
 "droid": [
 "a6b30b54-1b3f-044f-b746-9c5af7c07867",
 "1ac79ae2-3770-de11-816d-001c23e25b76"
 ],
- "droidBirth": [
+ "droid_birth": [
 "a6b30b54-1b3f-044f-b746-9c5af7c07867",
 "1ac79ae2-3770-de11-816d-001c23e25b76"
 ]
diff --git a/libbeat/formats/fixtures/lnk/native.seven.15.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.15.lnk.fingerprint
index a09c8a4e0a1d..c11ab5040d7c 100644
--- a/libbeat/formats/fixtures/lnk/native.seven.15.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.seven.15.lnk.fingerprint
@@ -1,7 +1,7 @@
 {
 "header": {
 "guid": "01140200-0000-0000-c000-000000000046",
- "linkFlags": [
+ "link_flags": [
 "ForceNoLinkInfo",
 "HasArguments",
 "HasExpString",
@@ -11,34 +11,34 @@
 "IsUnicode",
 "PreferEnvironmentPath"
 ],
- "fileFlags": [
+ "file_flags": [
 "FILE_ATTRIBUTE_ARCHIVE"
 ],
- "creationTime": "2009-07-13T23:39:26Z",
- "accessedTime": "2009-07-13T23:39:26Z",
- "modifiedTime": "2009-07-14T01:14:23Z",
- "fileSize": 941568,
- "iconIndex": 0,
- "windowStyle": "SW_NORMAL"
+ "creation_time": "2009-07-13T23:39:26Z",
+ "accessed_time": "2009-07-13T23:39:26Z",
+ "modified_time": "2009-07-14T01:14:23Z",
+ "file_size": 941568,
+ "icon_index": 0,
+ "window_style": "SW_NORMAL"
 },
 "name": "@%windir%\\system32\\mblctr.exe,-1004",
- "relativePath": "..\\..\\..\\..\\..\\..\\Windows\\System32\\mblctr.exe",
- "commandLine": "/open",
- "iconLocation": "%windir%\\system32\\mblctr.exe",
+ "relative_path": "..\\..\\..\\..\\..\\..\\Windows\\System32\\mblctr.exe",
+ "command_line": "/open",
+ "icon_location": "%windir%\\system32\\mblctr.exe",
 "extra": {
 "environment": {
 "ansi": "%windir%\\system32\\mblctr.exe",
 "unicode": "%windir%\\system32\\mblctr.exe"
 },
- "propertyStore": {},
+ "property_store": {},
 "tracker": {
 "version": 0,
- "machineId": "win-40r2agv20qa",
+ "machine_id": "win-40r2agv20qa",
 "droid": [
 "da667c4f-20d3-c44c-8d50-165dd98ebc01",
 "fbd492f8-2061-df11-964c-ac3a656c3b1d"
 ],
- "droidBirth": [
+ "droid_birth": [
 "da667c4f-20d3-c44c-8d50-165dd98ebc01",
 "fbd492f8-2061-df11-964c-ac3a656c3b1d"
 ]
diff --git a/libbeat/formats/fixtures/lnk/native.seven.16.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.16.lnk.fingerprint
index 33ef897d405d..58e2f747f28e 100644
--- a/libbeat/formats/fixtures/lnk/native.seven.16.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.seven.16.lnk.fingerprint
@@ -1,32 +1,32 @@
 {
 "header": {
 "guid": "01140200-0000-0000-c000-000000000046",
- "linkFlags": [
+ "link_flags": [
 "ForceNoLinkInfo",
 "HasIconLocation",
 "HasName",
 "HasTargetIDList",
 "IsUnicode"
 ],
- "fileFlags": [],
- "iconIndex": 0,
- "windowStyle": "SW_NORMAL"
+ "file_flags": [],
+ "icon_index": 0,
+ "window_style": "SW_NORMAL"
 },
 "targets": [
 {
 "size": 20,
- "typeId": 128,
+ "type_id": 128,
 "sha256": "b784138ea9c6c6076de1bfb17a04afc1bc18431cf6cf9ff707e6bfebfd428ed2"
 },
 {
 "size": 32,
- "typeId": 0,
+ "type_id": 0,
 "sha256": "a4064e1cb728a90a91be50f60bfcd4e5c3a8ac6f44d2b911ee873580c591440f"
 }
 ],
 "name": "@%SystemRoot%\\system32\\gameux.dll,-10311",
- "iconLocation": "%ProgramFiles%\\Microsoft Games\\More Games\\MoreGames.dll",
+ "icon_location": "%ProgramFiles%\\Microsoft Games\\More Games\\MoreGames.dll",
 "extra": {
- "propertyStore": {}
+ "property_store": {}
 }
 }
\ No newline at end of file
diff --git a/libbeat/formats/fixtures/lnk/native.seven.17.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.17.lnk.fingerprint
index 7f7ccb89b18c..f697b40e816f 100644
--- a/libbeat/formats/fixtures/lnk/native.seven.17.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.seven.17.lnk.fingerprint
@@ -1,7 +1,7 @@
 {
 "header": {
 "guid": "01140200-0000-0000-c000-000000000046",
- "linkFlags": [
+ "link_flags": [
 "ForceNoLinkInfo",
 "HasExpString",
 "HasIconLocation",
@@ -10,33 +10,33 @@
 "IsUnicode",
 "PreferEnvironmentPath"
 ],
- "fileFlags": [
+ "file_flags": [
 "FILE_ATTRIBUTE_ARCHIVE"
 ],
- "creationTime": "2009-07-13T21:39:34Z",
- "accessedTime": "2009-07-14T01:18:50Z",
- "modifiedTime": "2009-07-14T01:24:31Z",
- "fileSize": 1073152,
- "iconIndex": 0,
- "windowStyle": "SW_NORMAL"
+ "creation_time": "2009-07-13T21:39:34Z",
+ "accessed_time": "2009-07-14T01:18:50Z",
+ "modified_time": "2009-07-14T01:24:31Z",
+ "file_size": 1073152,
+ "icon_index": 0,
+ "window_style": "SW_NORMAL"
 },
 "name": "@%windir%\\system32\\shell32.dll,-22560",
- "relativePath": "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\Narrator.exe",
- "iconLocation": "%windir%\\system32\\narrator.exe",
+ "relative_path": "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\Narrator.exe",
+ "icon_location": "%windir%\\system32\\narrator.exe",
 "extra": {
 "environment": {
 "ansi": "%windir%\\system32\\narrator.exe",
 "unicode": "%windir%\\system32\\narrator.exe"
 },
- "propertyStore": {},
+ "property_store": {},
 "tracker": {
 "version": 0,
- "machineId": "win-dc3j5p1qj61",
+ "machine_id": "win-dc3j5p1qj61",
 "droid": [
 "a6b30b54-1b3f-044f-b746-9c5af7c07867",
 "06c79ae2-3770-de11-816d-001c23e25b76"
 ],
- "droidBirth": [
+ "droid_birth": [
 "a6b30b54-1b3f-044f-b746-9c5af7c07867",
 "06c79ae2-3770-de11-816d-001c23e25b76"
 ]
diff --git a/libbeat/formats/fixtures/lnk/native.seven.18.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.18.lnk.fingerprint
index 14957c761962..c784d304f47d 100644
--- a/libbeat/formats/fixtures/lnk/native.seven.18.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.seven.18.lnk.fingerprint
@@ -1,7 +1,7 @@
 {
 "header": {
 "guid": "01140200-0000-0000-c000-000000000046",
- "linkFlags": [
+ "link_flags": [
 "ForceNoLinkInfo",
 "HasExpString",
 "HasIconLocation",
@@ -11,34 +11,34 @@
 "IsUnicode",
 "PreferEnvironmentPath"
 ],
- "fileFlags": [
+ "file_flags": [
 "FILE_ATTRIBUTE_ARCHIVE"
 ],
- "creationTime": "2009-07-13T23:41:04Z",
- "accessedTime": "2009-07-13T23:41:04Z",
- "modifiedTime": "2009-07-14T01:14:27Z",
- "fileSize": 179712,
- "iconIndex": 0,
- "windowStyle": "SW_NORMAL"
+ "creation_time": "2009-07-13T23:41:04Z",
+ "accessed_time": "2009-07-13T23:41:04Z",
+ "modified_time": "2009-07-14T01:14:27Z",
+ "file_size": 179712,
+ "icon_index": 0,
+ "window_style": "SW_NORMAL"
 },
 "name": "@%SystemRoot%\\system32\\Shell32.dll,-22563",
- "relativePath": "..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\notepad.exe",
- "workingDirectory": "%HOMEDRIVE%%HOMEPATH%",
- "iconLocation": "%windir%\\system32\\notepad.exe",
+ "relative_path": "..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\notepad.exe",
+ "working_directory": "%HOMEDRIVE%%HOMEPATH%",
+ "icon_location": "%windir%\\system32\\notepad.exe",
 "extra": {
 "environment": {
 "ansi": "%windir%\\system32\\notepad.exe",
 "unicode": "%windir%\\system32\\notepad.exe"
 },
- "propertyStore": {},
+ "property_store": {},
 "tracker": {
 "version": 0,
- "machineId": "win-dc3j5p1qj61",
+ "machine_id": "win-dc3j5p1qj61",
 "droid": [
 "a6b30b54-1b3f-044f-b746-9c5af7c07867",
 "0fc79ae2-3770-de11-816d-001c23e25b76"
 ],
- "droidBirth": [
+ "droid_birth": [
 "a6b30b54-1b3f-044f-b746-9c5af7c07867",
 "0fc79ae2-3770-de11-816d-001c23e25b76"
 ]
diff --git a/libbeat/formats/fixtures/lnk/native.seven.19.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.19.lnk.fingerprint
index 870eb5b8a655..fa93089eddae 100644
--- a/libbeat/formats/fixtures/lnk/native.seven.19.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.seven.19.lnk.fingerprint
@@ -1,7 +1,7 @@
 {
 "header": {
 "guid": "01140200-0000-0000-c000-000000000046",
- "linkFlags": [
+ "link_flags": [
 "ForceNoLinkInfo",
 "HasExpString",
 "HasIconLocation",
@@ -10,33 +10,33 @@
 "IsUnicode",
 "PreferEnvironmentPath"
 ],
- "fileFlags": [
+ "file_flags": [
 "FILE_ATTRIBUTE_ARCHIVE"
 ],
- "creationTime": "2009-07-14T00:14:01Z",
- "accessedTime": "2009-07-14T00:14:01Z",
- "modifiedTime": "2009-07-14T01:14:28Z",
- "fileSize": 646144,
- "iconIndex": 4294967295,
- "windowStyle": "SW_NORMAL"
+ "creation_time": "2009-07-14T00:14:01Z",
+ "accessed_time": "2009-07-14T00:14:01Z",
+ "modified_time": "2009-07-14T01:14:28Z",
+ "file_size": 646144,
+ "icon_index": 4294967295,
+ "window_style": "SW_NORMAL"
 },
 "name": "@%SystemRoot%\\system32\\shell32.dll,-22564",
- "relativePath": "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\osk.exe",
- "iconLocation": "%windir%\\system32\\osk.exe",
+ "relative_path": "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\osk.exe",
+ "icon_location": "%windir%\\system32\\osk.exe",
 "extra": {
 "environment": {
 "ansi": "%windir%\\system32\\osk.exe",
 "unicode": "%windir%\\system32\\osk.exe"
 },
- "propertyStore": {},
+ "property_store": {},
 "tracker": {
 "version": 0,
- "machineId": "win-dc3j5p1qj61",
+ "machine_id": "win-dc3j5p1qj61",
 "droid": [
 "a6b30b54-1b3f-044f-b746-9c5af7c07867",
 "04c79ae2-3770-de11-816d-001c23e25b76"
 ],
- "droidBirth": [
+ "droid_birth": [
 "a6b30b54-1b3f-044f-b746-9c5af7c07867",
 "04c79ae2-3770-de11-816d-001c23e25b76"
 ]
diff --git a/libbeat/formats/fixtures/lnk/native.seven.20.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.20.lnk.fingerprint
index 36a3fbf27c65..32d11e2d3b1c 100644
--- a/libbeat/formats/fixtures/lnk/native.seven.20.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.seven.20.lnk.fingerprint
@@ -1,7 +1,7 @@
 {
 "header": {
 "guid": "01140200-0000-0000-c000-000000000046",
- "linkFlags": [
+ "link_flags": [
 "ForceNoLinkInfo",
 "HasExpString",
 "HasIconLocation",
@@ -10,33 +10,33 @@
 "IsUnicode",
 "PreferEnvironmentPath"
 ],
- "fileFlags": [
+ "file_flags": [
 "FILE_ATTRIBUTE_ARCHIVE"
 ],
- "creationTime": "2009-07-13T23:43:12Z",
- "accessedTime": "2009-07-13T23:43:12Z",
- "modifiedTime": "2009-07-14T01:14:26Z",
- "fileSize": 6376960,
- "iconIndex": 0,
- "windowStyle": "SW_NORMAL"
+ "creation_time": "2009-07-13T23:43:12Z",
+ "accessed_time": "2009-07-13T23:43:12Z",
+ "modified_time": "2009-07-14T01:14:26Z",
+ "file_size": 6376960,
+ "icon_index": 0,
+ "window_style": "SW_NORMAL"
 },
 "name": "@%SystemRoot%\\system32\\shell32.dll,-22566",
- "relativePath": "..\\..\\..\\..\\..\\..\\Windows\\System32\\mspaint.exe",
- "iconLocation": "%windir%\\system32\\mspaint.exe",
+ "relative_path": "..\\..\\..\\..\\..\\..\\Windows\\System32\\mspaint.exe",
+ "icon_location": "%windir%\\system32\\mspaint.exe",
 "extra": {
 "environment": {
 "ansi": "%windir%\\system32\\mspaint.exe",
 "unicode": "%windir%\\system32\\mspaint.exe"
 },
- "propertyStore": {},
+ "property_store": {},
 "tracker": {
 "version": 0,
- "machineId": "win-dc3j5p1qj61",
+ "machine_id": "win-dc3j5p1qj61",
 "droid": [
 "a6b30b54-1b3f-044f-b746-9c5af7c07867",
 "10c79ae2-3770-de11-816d-001c23e25b76"
 ],
- "droidBirth": [
+ "droid_birth": [
 "a6b30b54-1b3f-044f-b746-9c5af7c07867",
 "10c79ae2-3770-de11-816d-001c23e25b76"
 ]
diff --git a/libbeat/formats/fixtures/lnk/native.xp.01.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.01.lnk.fingerprint
index 8acff65f5d64..fb236a466890 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.01.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.01.lnk.fingerprint
@@ -1,7 +1,7 @@
 {
 "header": {
 "guid": "01140200-0000-0000-c000-000000000046",
- "linkFlags": [
+ "link_flags": [
 "HasArguments",
 "HasExpString",
 "HasIconLocation",
@@ -12,40 +12,40 @@
 "HasWorkingDir",
 "IsUnicode"
 ],
- "fileFlags": [
+ "file_flags": [
 "FILE_ATTRIBUTE_ARCHIVE"
 ],
- "creationTime": "2004-08-20T01:03:44Z",
- "accessedTime": "2004-08-19T12:00:00Z",
- "modifiedTime": "2004-08-06T00:00:00Z",
- "fileSize": 35840,
- "iconIndex": 0,
- "windowStyle": "SW_NORMAL"
+ "creation_time": "2004-08-20T01:03:44Z",
+ "accessed_time": "2004-08-19T12:00:00Z",
+ "modified_time": "2004-08-06T00:00:00Z",
+ "file_size": 35840,
+ "icon_index": 0,
+ "window_style": "SW_NORMAL"
 },
 "targets": [
 {
 "size": 20,
- "typeId": 80,
+ "type_id": 80,
 "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee"
 },
 {
 "size": 25,
- "typeId": 67,
+ "type_id": 67,
 "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e"
 },
 {
 "size": 60,
- "typeId": 0,
+ "type_id": 0,
 "sha256": "0e62cf1b75299134613af72b61479a233bf7d8a3309c7e4b4e4713eb3c4e2ed2"
 },
 {
 "size": 64,
- "typeId": 0,
+ "type_id": 0,
 "sha256": "63c6a5e26cd51f340f4c3ffe91812bb812aad7752db664b5033c17e5fa623962"
 },
 {
 "size": 72,
- "typeId": 0,
+ "type_id": 0,
 "sha256": "04c034e4484017367cb2f6f4f294165aa73c1bd8811683d3951630be601a8903"
 }
 ],
@@ -54,22 +54,22 @@
 "VolumeIDAndLocalBasePath"
 ],
 "volume": {
- "driveType": "DRIVE_FIXED",
- "driveSerialNumber": "0xb832ef92"
+ "drive_type": "DRIVE_FIXED",
+ "drive_serial_number": "0xb832ef92"
 },
- "localBasePath": "C:\\WINDOWS\\system32\\rcimlby.exe"
+ "local_base_path": "C:\\WINDOWS\\system32\\rcimlby.exe"
 },
 "name": "@%systemroot%\\system32\\rcbdyctl.dll,-151",
- "relativePath": "..\\..\\..\\..\\WINDOWS\\system32\\rcimlby.exe",
- "workingDirectory": "%HOMEDRIVE%%HOMEPATH%",
- "commandLine": "-LaunchRA",
- "iconLocation": "%SYSTEMROOT%\\system32\\rcimlby.exe",
+ "relative_path": "..\\..\\..\\..\\WINDOWS\\system32\\rcimlby.exe",
+ "working_directory": "%HOMEDRIVE%%HOMEPATH%",
+ "command_line": "-LaunchRA",
+ "icon_location": "%SYSTEMROOT%\\system32\\rcimlby.exe",
 "extra": {
 "environment": {
 "ansi": "%SYSTEMROOT%\\system32\\rcimlby.exe",
 "unicode": "%SYSTEMROOT%\\system32\\rcimlby.exe"
 },
- "specialFolder": {
+ "special_folder": {
 "id": 37,
 "offset": 169
 }
diff --git a/libbeat/formats/fixtures/lnk/native.xp.02.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.02.lnk.fingerprint
index 08c028450f91..e7d2b207c9f4 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.02.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.02.lnk.fingerprint
@@ -1,31 +1,31 @@
 {
 "header": {
 "guid": "01140200-0000-0000-c000-000000000046",
- "linkFlags": [
+ "link_flags": [
 "HasIconLocation",
 "HasName",
 "HasTargetIDList",
 "HasWorkingDir",
 "IsUnicode"
 ],
- "fileFlags": [],
- "iconIndex": 0,
- "windowStyle": "SW_NORMAL"
+ "file_flags": [],
+ "icon_index": 0,
+ "window_style": "SW_NORMAL"
 },
 "targets": [
 {
 "size": 20,
- "typeId": 104,
+ "type_id": 104,
 "sha256": "e454c954e255ac7a0021bcead81c35467cb90b962b6bcb2b1c319a118083b9e4"
 },
 {
 "size": 86,
- "typeId": 128,
+ "type_id": 128,
 "sha256": "56c3e94faf8577b2beab3681dff177f30462048ecb410662e2ffce5095643713"
 }
 ],
 "name": "@%systemRoot%\\system32\\compatUI.dll,-117",
- "workingDirectory": "%HOMEDRIVE%%HOMEPATH%",
- "iconLocation": "%SystemRoot%\\system32\\compatUI.dll",
+ "working_directory": "%HOMEDRIVE%%HOMEPATH%",
+ "icon_location": "%SystemRoot%\\system32\\compatUI.dll",
 "extra": {}
 }
\ No newline at end of file
diff --git a/libbeat/formats/fixtures/lnk/native.xp.03.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.03.lnk.fingerprint
index fd7f1f9325f9..0e59eeed772d 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.03.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.03.lnk.fingerprint
@@ -1,7 +1,7 @@
 {
 "header": {
 "guid": "01140200-0000-0000-c000-000000000046",
- "linkFlags": [
+ "link_flags": [
 "HasExpString",
 "HasLinkInfo",
 "HasName",
@@ -10,40 +10,40 @@
 "HasWorkingDir",
 "IsUnicode"
 ],
- "fileFlags": [
+ "file_flags": [
 "FILE_ATTRIBUTE_ARCHIVE"
 ],
- "creationTime": "2004-08-20T01:03:39Z",
- "accessedTime": "2004-08-19T12:00:00Z",
- "modifiedTime": "2004-08-06T00:00:00Z",
- "fileSize": 70656,
- "iconIndex": 0,
- "windowStyle": "SW_NORMAL"
+ "creation_time": "2004-08-20T01:03:39Z",
+ "accessed_time": "2004-08-19T12:00:00Z",
+ "modified_time": "2004-08-06T00:00:00Z",
+ "file_size": 70656,
+ "icon_index": 0,
+ "window_style": "SW_NORMAL"
 },
 "targets": [
 {
 "size": 20,
- "typeId": 80,
+ "type_id": 80,
 "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee"
 },
 {
 "size": 25,
- "typeId": 67,
+ "type_id": 67,
 "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e"
 },
 {
 "size": 60,
- "typeId": 0,
+ "type_id": 0,
 "sha256": "0e62cf1b75299134613af72b61479a233bf7d8a3309c7e4b4e4713eb3c4e2ed2"
 },
 {
 "size": 64,
- "typeId": 0,
+ "type_id": 0,
 "sha256": "63c6a5e26cd51f340f4c3ffe91812bb812aad7752db664b5033c17e5fa623962"
 },
 {
 "size": 72,
- "typeId": 0,
+ "type_id": 0,
 "sha256": "baf549441aaaef3984b378f7971bb0b4fcf7278c9c03c8e04289dcf3ef06bdd1"
 }
 ],
@@ -52,20 +52,20 @@
 "VolumeIDAndLocalBasePath"
 ],
 "volume": {
- "driveType": "DRIVE_FIXED",
- "driveSerialNumber": "0xb832ef92"
+ "drive_type": "DRIVE_FIXED",
+ "drive_serial_number": "0xb832ef92"
 },
- "localBasePath": "C:\\WINDOWS\\system32\\notepad.exe"
+ "local_base_path": "C:\\WINDOWS\\system32\\notepad.exe"
 },
 "name": "@%SystemRoot%\\system32\\shell32.dll,-22563",
- "relativePath": "..\\..\\..\\..\\..\\WINDOWS\\system32\\notepad.exe",
- "workingDirectory": "%HOMEDRIVE%%HOMEPATH%",
+ "relative_path": "..\\..\\..\\..\\..\\WINDOWS\\system32\\notepad.exe",
+ "working_directory": "%HOMEDRIVE%%HOMEPATH%",
 "extra": {
 "environment": {
 "ansi": "%SystemRoot%\\system32\\notepad.exe",
 "unicode": "%SystemRoot%\\system32\\notepad.exe"
 },
- "specialFolder": {
+ "special_folder": {
 "id": 37,
 "offset": 169
 }
diff --git a/libbeat/formats/fixtures/lnk/native.xp.04.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.04.lnk.fingerprint
index 86549de34c3d..f9fc41eabd9d 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.04.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.04.lnk.fingerprint
@@ -1,7 +1,7 @@
 {
 "header": {
 "guid": "01140200-0000-0000-c000-000000000046",
- "linkFlags": [
+ "link_flags": [
 "HasLinkInfo",
 "HasName",
 "HasRelativePath",
@@ -9,40 +9,40 @@
 "HasWorkingDir",
 "IsUnicode"
 ],
- "fileFlags": [
+ "file_flags": [
 "FILE_ATTRIBUTE_ARCHIVE"
 ],
- "creationTime": "2004-08-19T12:16:11Z",
- "accessedTime": "2004-08-18T23:00:00Z",
- "modifiedTime": "2004-08-05T11:00:00Z",
- "fileSize": 46080,
- "iconIndex": 0,
- "windowStyle": "SW_NORMAL"
+ "creation_time": "2004-08-19T12:16:11Z",
+ "accessed_time": "2004-08-18T23:00:00Z",
+ "modified_time": "2004-08-05T11:00:00Z",
+ "file_size": 46080,
+ "icon_index": 0,
+ "window_style": "SW_NORMAL"
 },
 "targets": [
 {
 "size": 20,
- "typeId": 80,
+ "type_id": 80,
 "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee"
 },
 {
 "size": 25,
- "typeId": 67,
+ "type_id": 67,
 "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e"
 },
 {
 "size": 74,
- "typeId": 0,
+ "type_id": 0,
 "sha256": "668767e84ba993ed4e6eb5d04e5f85aec0edd67bb145dbe3dc68844ae3897194"
 },
 {
 "size": 78,
- "typeId": 0,
+ "type_id": 0,
 "sha256": "82632d0a1514981d68a6b96a0a5f263554234138682b4f9f82eec4562bc41939"
 },
 {
 "size": 60,
- "typeId": 0,
+ "type_id": 0,
 "sha256": "dd4bb56f6dba3b57a1a3fa7b78b1588af84f1634945b53e3461494ff834c888b"
 }
 ],
@@ -51,28 +51,28 @@
 "VolumeIDAndLocalBasePath"
 ],
 "volume": {
- "driveType": "DRIVE_FIXED",
- "driveSerialNumber": "0x10bdbcd3",
- "volumeLabel": "SYSTEM"
+ "drive_type": "DRIVE_FIXED",
+ "drive_serial_number": "0x10bdbcd3",
+ "volume_label": "SYSTEM"
 },
- "localBasePath": "C:\\Program Files\\Outlook Express\\wab.exe"
+ "local_base_path": "C:\\Program Files\\Outlook Express\\wab.exe"
 },
 "name": "@%SystemRoot%\\system32\\shell32.dll,-22529",
- "relativePath": "..\\..\\..\\..\\..\\Program Files\\Outlook Express\\wab.exe",
- "workingDirectory": "%HOMEDRIVE%%HOMEPATH%",
+ "relative_path": "..\\..\\..\\..\\..\\Program Files\\Outlook Express\\wab.exe",
+ "working_directory": "%HOMEDRIVE%%HOMEPATH%",
 "extra": {
- "specialFolder": {
+ "special_folder": {
 "id": 38,
 "offset": 119
 },
 "tracker": {
 "version": 0,
- "machineId": "al-0142",
+ "machine_id": "al-0142",
 "droid": [
 "6a3e8623-003d-2344-b4c5-05fe7266eb5e",
 "e5762b91-d40b-dd11-bcc5-001f3c29339f"
 ],
- "droidBirth": [
+ "droid_birth": [
 "6a3e8623-003d-2344-b4c5-05fe7266eb5e",
 "e5762b91-d40b-dd11-bcc5-001f3c29339f"
 ]
diff --git a/libbeat/formats/fixtures/lnk/native.xp.05.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.05.lnk.fingerprint
index d8ac4bec4b2b..406f4970eb78 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.05.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.05.lnk.fingerprint
@@ -1,7 +1,7 @@
 {
 "header": {
 "guid": "01140200-0000-0000-c000-000000000046",
- "linkFlags": [
+ "link_flags": [
 "HasExpString",
 "HasLinkInfo",
 "HasName",
@@ -10,40 +10,40 @@
 "HasWorkingDir",
 "IsUnicode"
 ],
- "fileFlags": [
+ "file_flags": [
 "FILE_ATTRIBUTE_ARCHIVE"
 ],
- "creationTime": "2004-08-20T01:03:42Z",
- "accessedTime": "2004-08-19T12:00:00Z",
- "modifiedTime": "2004-08-06T00:00:00Z",
- "fileSize": 216576,
- "iconIndex": 0,
- "windowStyle": "SW_NORMAL"
+ "creation_time": "2004-08-20T01:03:42Z",
+ "accessed_time": "2004-08-19T12:00:00Z",
+ "modified_time": "2004-08-06T00:00:00Z",
+ "file_size": 216576,
+ "icon_index": 0,
+ "window_style": "SW_NORMAL"
 },
 "targets": [
 {
 "size": 20,
- "typeId": 80,
+ "type_id": 80,
 "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee"
 },
 {
 "size": 25,
- "typeId": 67,
+ "type_id": 67,
 "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e"
 },
 {
 "size": 60,
- "typeId": 0,
+ "type_id": 0,
 "sha256": "0e62cf1b75299134613af72b61479a233bf7d8a3309c7e4b4e4713eb3c4e2ed2"
 },
 {
 "size": 64,
- "typeId": 0,
+ "type_id": 0,
 "sha256": "63c6a5e26cd51f340f4c3ffe91812bb812aad7752db664b5033c17e5fa623962"
 },
 {
 "size": 60,
- "typeId": 0,
+ "type_id": 0,
 "sha256": "16b2c2d7055f112df524a2f17a9bd0fc1b1298a2325c8f9c289cf8a39d8bdb4e"
 }
 ],
@@ -52,20 +52,20 @@
 "VolumeIDAndLocalBasePath"
 ],
 "volume": {
- "driveType": "DRIVE_FIXED",
- "driveSerialNumber": "0xb832ef92"
+ "drive_type": "DRIVE_FIXED",
+ "drive_serial_number": "0xb832ef92"
 },
- "localBasePath": "C:\\WINDOWS\\system32\\osk.exe"
+ "local_base_path": "C:\\WINDOWS\\system32\\osk.exe"
 },
 "name": "@%SystemRoot%\\system32\\shell32.dll,-22564",
- "relativePath": "..\\..\\..\\..\\..\\..\\WINDOWS\\system32\\osk.exe",
- "workingDirectory": "%HOMEDRIVE%%HOMEPATH%",
+ "relative_path": "..\\..\\..\\..\\..\\..\\WINDOWS\\system32\\osk.exe",
+ "working_directory": "%HOMEDRIVE%%HOMEPATH%",
 "extra": {
 "environment": {
 "ansi": "%SystemRoot%\\system32\\osk.exe",
 "unicode": "%SystemRoot%\\system32\\osk.exe"
 },
- "specialFolder": {
+ "special_folder": {
 "id": 37,
 "offset": 169
 }
diff --git a/libbeat/formats/fixtures/lnk/native.xp.06.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.06.lnk.fingerprint
index c98a80687ba3..20095fa8041f 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.06.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.06.lnk.fingerprint
@@ -1,7 +1,7 @@
 {
 "header": {
 "guid": "01140200-0000-0000-c000-000000000046",
- "linkFlags": [
+ "link_flags": [
 "HasLinkInfo",
 "HasName",
 "HasRelativePath",
@@ -9,40 +9,40 @@
 "HasWorkingDir",
 "IsUnicode"
 ],
- "fileFlags": [
+ "file_flags": [
 "FILE_ATTRIBUTE_ARCHIVE"
 ],
- "creationTime": "2004-08-19T12:16:09Z",
- "accessedTime": "2008-04-17T09:55:10Z",
- "modifiedTime": "2004-08-05T11:00:00Z",
- "fileSize": 93184,
- "iconIndex": 0,
- "windowStyle": "SW_NORMAL"
+ "creation_time": "2004-08-19T12:16:09Z",
+ "accessed_time": "2008-04-17T09:55:10Z",
+ "modified_time": "2004-08-05T11:00:00Z",
+ "file_size": 93184,
+ "icon_index": 0,
+ "window_style": "SW_NORMAL"
 },
 "targets": [
 {
 "size": 20,
- "typeId": 80,
+ "type_id": 80,
 "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee"
 },
 {
 "size": 25,
- "typeId": 67,
+ "type_id": 67,
 "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e"
 },
 {
 "size": 74,
- "typeId": 0,
+ "type_id": 0,
 "sha256": "668767e84ba993ed4e6eb5d04e5f85aec0edd67bb145dbe3dc68844ae3897194"
 },
 {
 "size": 82,
- "typeId": 0,
+ "type_id": 0,
 "sha256": "e265b8b434f903cfa0bba803a9f347f6fe5d34ab6582180db809602f2ae45659"
 },
 {
 "size": 76,
- "typeId": 0,
+ "type_id": 0,
 "sha256": "967d629eca0380265ede8765c9b8220a284a147df471c55ebd0aebd9a63a7933"
 }
 ],
@@ -51,28 +51,28 @@
 "VolumeIDAndLocalBasePath"
 ],
 "volume": {
- "driveType": "DRIVE_FIXED",
- "driveSerialNumber": "0x10bdbcd3",
- "volumeLabel": "SYSTEM"
+ "drive_type": "DRIVE_FIXED",
+ "drive_serial_number": "0x10bdbcd3",
+ "volume_label": "SYSTEM"
 },
- "localBasePath": "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"
+ "local_base_path": "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"
 },
 "name": "@xpsp1res.dll,-11002",
- "relativePath": "..\\..\\..\\..\\..\\..\\Program Files\\Internet Explorer\\IEXPLORE.EXE",
- "workingDirectory": "%HOMEDRIVE%%HOMEPATH%",
+ "relative_path": "..\\..\\..\\..\\..\\..\\Program Files\\Internet Explorer\\IEXPLORE.EXE",
+ "working_directory": "%HOMEDRIVE%%HOMEPATH%",
 "extra": {
- "specialFolder": {
+ "special_folder": {
 "id": 38,
 "offset": 119
 },
 "tracker": {
 "version": 0,
- "machineId": "al-0142",
+ "machine_id": "al-0142",
 "droid": [
 "6a3e8623-003d-2344-b4c5-05fe7266eb5e",
 "e2762b91-d40b-dd11-bcc5-001f3c29339f"
 ],
- "droidBirth": [
+ "droid_birth": [
 "6a3e8623-003d-2344-b4c5-05fe7266eb5e",
 "e2762b91-d40b-dd11-bcc5-001f3c29339f"
 ]
diff --git a/libbeat/formats/fixtures/lnk/native.xp.07.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.07.lnk.fingerprint
index 270989de6051..d83027ab5952 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.07.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.07.lnk.fingerprint
@@ -1,7 +1,7 @@
 {
 "header": {
 "guid": "01140200-0000-0000-c000-000000000046",
- "linkFlags": [
+ "link_flags": [
 "HasExpString",
 "HasIconLocation",
 "HasLinkInfo",
@@ -11,35 +11,35 @@ "HasWorkingDir", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_ARCHIVE" ], - "creationTime": "2004-08-20T01:03:28Z", - "accessedTime": "2004-08-19T12:00:00Z", - "modifiedTime": "2004-08-06T00:00:00Z", - "fileSize": 1036288, - "iconIndex": 1, - "windowStyle": "SW_NORMAL" + "creation_time": "2004-08-20T01:03:28Z", + "accessed_time": "2004-08-19T12:00:00Z", + "modified_time": "2004-08-06T00:00:00Z", + "file_size": 1036288, + "icon_index": 1, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 80, + "type_id": 80, "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" }, { "size": 25, - "typeId": 67, + "type_id": 67, "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" }, { "size": 60, - "typeId": 0, + "type_id": 0, "sha256": "0e62cf1b75299134613af72b61479a233bf7d8a3309c7e4b4e4713eb3c4e2ed2" }, { "size": 76, - "typeId": 0, + "type_id": 0, "sha256": "7ef9845c2cc80f31c36a39241a1ba49cf9c78cf5efadbba3aa99acad06ab0c14" } ], @@ -48,21 +48,21 @@ "VolumeIDAndLocalBasePath" ], "volume": { - "driveType": "DRIVE_FIXED", - "driveSerialNumber": "0xb832ef92" + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0xb832ef92" }, - "localBasePath": "C:\\WINDOWS\\explorer.exe" + "local_base_path": "C:\\WINDOWS\\explorer.exe" }, "name": "@%SystemRoot%\\system32\\shell32.dll,-22579", - "relativePath": "..\\..\\..\\..\\..\\WINDOWS\\explorer.exe", - "workingDirectory": "%HOMEDRIVE%%HOMEPATH%", - "iconLocation": "%SystemRoot%\\explorer.exe", + "relative_path": "..\\..\\..\\..\\..\\WINDOWS\\explorer.exe", + "working_directory": "%HOMEDRIVE%%HOMEPATH%", + "icon_location": "%SystemRoot%\\explorer.exe", "extra": { "environment": { "ansi": "%SystemRoot%\\explorer.exe", "unicode": "%SystemRoot%\\explorer.exe" }, - "specialFolder": { + "special_folder": { "id": 36, "offset": 105 } 
diff --git a/libbeat/formats/fixtures/lnk/native.xp.08.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.08.lnk.fingerprint index f6bd45af1354..3d14471092f7 100644 --- a/libbeat/formats/fixtures/lnk/native.xp.08.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.xp.08.lnk.fingerprint @@ -1,7 +1,7 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "HasArguments", "HasExpString", "HasLinkInfo", @@ -11,40 +11,40 @@ "HasWorkingDir", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_ARCHIVE" ], - "creationTime": "2004-08-20T01:03:51Z", - "accessedTime": "2004-08-19T12:00:00Z", - "modifiedTime": "2004-08-06T00:00:00Z", - "fileSize": 50176, - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "creation_time": "2004-08-20T01:03:51Z", + "accessed_time": "2004-08-19T12:00:00Z", + "modified_time": "2004-08-06T00:00:00Z", + "file_size": 50176, + "icon_index": 0, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 80, + "type_id": 80, "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" }, { "size": 25, - "typeId": 67, + "type_id": 67, "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" }, { "size": 60, - "typeId": 0, + "type_id": 0, "sha256": "0e62cf1b75299134613af72b61479a233bf7d8a3309c7e4b4e4713eb3c4e2ed2" }, { "size": 64, - "typeId": 0, + "type_id": 0, "sha256": "63c6a5e26cd51f340f4c3ffe91812bb812aad7752db664b5033c17e5fa623962" }, { "size": 72, - "typeId": 0, + "type_id": 0, "sha256": "adb9a32cd72cf4ca2a425e05f93f0eff96af06eddd6378f1b18ee5ec377a9ae7" } ], 
@@ -53,21 +53,21 @@ "VolumeIDAndLocalBasePath" ], "volume": { - "driveType": "DRIVE_FIXED", - "driveSerialNumber": "0xb832ef92" + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0xb832ef92" }, - "localBasePath": "C:\\WINDOWS\\system32\\utilman.exe" + "local_base_path": "C:\\WINDOWS\\system32\\utilman.exe" }, "name": "@%SystemRoot%\\system32\\shell32.dll,-22577", - "relativePath": "..\\..\\..\\..\\..\\..\\WINDOWS\\system32\\utilman.exe", - "workingDirectory": "%HOMEDRIVE%%HOMEPATH%", - "commandLine": "/start", + "relative_path": "..\\..\\..\\..\\..\\..\\WINDOWS\\system32\\utilman.exe", + "working_directory": "%HOMEDRIVE%%HOMEPATH%", + "command_line": "/start", "extra": { "environment": { "ansi": "%SystemRoot%\\system32\\utilman.exe", "unicode": "%SystemRoot%\\system32\\utilman.exe" }, - "specialFolder": { + "special_folder": { "id": 37, "offset": 169 } diff --git a/libbeat/formats/fixtures/lnk/native.xp.09.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.09.lnk.fingerprint index f2c24e1a69f7..6ec8131efc9f 100644 --- a/libbeat/formats/fixtures/lnk/native.xp.09.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.xp.09.lnk.fingerprint @@ -1,7 +1,7 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "HasLinkInfo", "HasName", "HasRelativePath", 
@@ -9,40 +9,40 @@ "HasWorkingDir", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_ARCHIVE" ], - "creationTime": "2004-08-19T12:16:09Z", - "accessedTime": "2008-04-17T09:55:10Z", - "modifiedTime": "2004-08-05T11:00:00Z", - "fileSize": 93184, - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "creation_time": "2004-08-19T12:16:09Z", + "accessed_time": "2008-04-17T09:55:10Z", + "modified_time": "2004-08-05T11:00:00Z", + "file_size": 93184, + "icon_index": 0, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 80, + "type_id": 80, "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" }, { "size": 25, - "typeId": 67, + "type_id": 67, "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" }, { "size": 74, - "typeId": 0, + "type_id": 0, "sha256": "668767e84ba993ed4e6eb5d04e5f85aec0edd67bb145dbe3dc68844ae3897194" }, { "size": 82, - "typeId": 0, + "type_id": 0, "sha256": "e265b8b434f903cfa0bba803a9f347f6fe5d34ab6582180db809602f2ae45659" }, { "size": 76, - "typeId": 0, + "type_id": 0, "sha256": "967d629eca0380265ede8765c9b8220a284a147df471c55ebd0aebd9a63a7933" } ], 
@@ -51,28 +51,28 @@ "VolumeIDAndLocalBasePath" ], "volume": { - "driveType": "DRIVE_FIXED", - "driveSerialNumber": "0x10bdbcd3", - "volumeLabel": "SYSTEM" + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0x10bdbcd3", + "volume_label": "SYSTEM" }, - "localBasePath": "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE" + "local_base_path": "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE" }, "name": "@xpsp1res.dll,-11002", - "relativePath": "..\\..\\..\\..\\Program Files\\Internet Explorer\\IEXPLORE.EXE", - "workingDirectory": "%HOMEDRIVE%%HOMEPATH%", + "relative_path": "..\\..\\..\\..\\Program Files\\Internet Explorer\\IEXPLORE.EXE", + "working_directory": "%HOMEDRIVE%%HOMEPATH%", "extra": { - "specialFolder": { + "special_folder": { "id": 38, "offset": 119 }, "tracker": { "version": 0, - "machineId": "al-0142", + "machine_id": "al-0142", "droid": [ "6a3e8623-003d-2344-b4c5-05fe7266eb5e", "e2762b91-d40b-dd11-bcc5-001f3c29339f" ], - "droidBirth": [ + "droid_birth": [ "6a3e8623-003d-2344-b4c5-05fe7266eb5e", "e2762b91-d40b-dd11-bcc5-001f3c29339f" ] diff --git a/libbeat/formats/fixtures/lnk/native.xp.10.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.10.lnk.fingerprint index 1609cbb1993d..e5418a224442 100644 --- a/libbeat/formats/fixtures/lnk/native.xp.10.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.xp.10.lnk.fingerprint @@ -1,7 +1,7 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "HasExpString", "HasIconLocation", "HasLinkInfo", 
@@ -11,40 +11,40 @@ "HasWorkingDir", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_ARCHIVE" ], - "creationTime": "2004-08-20T01:03:16Z", - "accessedTime": "2004-08-19T12:00:00Z", - "modifiedTime": "2004-08-06T00:00:00Z", - "fileSize": 400896, - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "creation_time": "2004-08-20T01:03:16Z", + "accessed_time": "2004-08-19T12:00:00Z", + "modified_time": "2004-08-06T00:00:00Z", + "file_size": 400896, + "icon_index": 0, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 80, + "type_id": 80, "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" }, { "size": 25, - "typeId": 67, + "type_id": 67, "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" }, { "size": 60, - "typeId": 0, + "type_id": 0, "sha256": "0e62cf1b75299134613af72b61479a233bf7d8a3309c7e4b4e4713eb3c4e2ed2" }, { "size": 64, - "typeId": 0, + "type_id": 0, "sha256": "63c6a5e26cd51f340f4c3ffe91812bb812aad7752db664b5033c17e5fa623962" }, { "size": 60, - "typeId": 0, + "type_id": 0, "sha256": "b5da25626a62a350171bc2bd09e68745c1d1eebb5e838cfc8390afe965656eaf" } ], 
@@ -53,21 +53,21 @@ "VolumeIDAndLocalBasePath" ], "volume": { - "driveType": "DRIVE_FIXED", - "driveSerialNumber": "0xb832ef92" + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0xb832ef92" }, - "localBasePath": "C:\\WINDOWS\\system32\\cmd.exe" + "local_base_path": "C:\\WINDOWS\\system32\\cmd.exe" }, "name": "@%SystemRoot%\\system32\\shell32.dll,-22534", - "relativePath": "..\\..\\..\\..\\..\\WINDOWS\\system32\\cmd.exe", - "workingDirectory": "%HOMEDRIVE%%HOMEPATH%", - "iconLocation": "%SystemRoot%\\system32\\cmd.exe", + "relative_path": "..\\..\\..\\..\\..\\WINDOWS\\system32\\cmd.exe", + "working_directory": "%HOMEDRIVE%%HOMEPATH%", + "icon_location": "%SystemRoot%\\system32\\cmd.exe", "extra": { "environment": { "ansi": "%SystemRoot%\\system32\\cmd.exe", "unicode": "%SystemRoot%\\system32\\cmd.exe" }, - "specialFolder": { + "special_folder": { "id": 37, "offset": 169 } diff --git a/libbeat/formats/fixtures/lnk/native.xp.11.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.11.lnk.fingerprint index 4fa20d6aa0e7..b746b362a2be 100644 --- a/libbeat/formats/fixtures/lnk/native.xp.11.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.xp.11.lnk.fingerprint @@ -1,7 +1,7 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "HasArguments", "HasLinkInfo", "HasName", 
@@ -9,40 +9,40 @@ "HasTargetIDList", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_ARCHIVE" ], - "creationTime": "2004-08-19T12:16:15Z", - "accessedTime": "2008-04-17T09:07:57Z", - "modifiedTime": "2004-08-05T11:00:00Z", - "fileSize": 73728, - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "creation_time": "2004-08-19T12:16:15Z", + "accessed_time": "2008-04-17T09:07:57Z", + "modified_time": "2004-08-05T11:00:00Z", + "file_size": 73728, + "icon_index": 0, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 80, + "type_id": 80, "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" }, { "size": 25, - "typeId": 67, + "type_id": 67, "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" }, { "size": 74, - "typeId": 0, + "type_id": 0, "sha256": "668767e84ba993ed4e6eb5d04e5f85aec0edd67bb145dbe3dc68844ae3897194" }, { "size": 88, - "typeId": 0, + "type_id": 0, "sha256": "3a9978d1b2866cd821cc4790146342e76d361aa3e82876bb6db66d178357bd34" }, { "size": 76, - "typeId": 0, + "type_id": 0, "sha256": "09b949f5889727cb7f0b51cb8f2db570a68c537e5e0e0a6e91008ed258bb1da7" } ], 
@@ -51,28 +51,28 @@ "VolumeIDAndLocalBasePath" ], "volume": { - "driveType": "DRIVE_FIXED", - "driveSerialNumber": "0x10bdbcd3", - "volumeLabel": "SYSTEM" + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0x10bdbcd3", + "volume_label": "SYSTEM" }, - "localBasePath": "C:\\Program Files\\Windows Media Player\\wmplayer.exe" + "local_base_path": "C:\\Program Files\\Windows Media Player\\wmplayer.exe" }, "name": "@%SystemRoot%\\inf\\unregmp2.exe,-155", - "relativePath": "..\\..\\..\\..\\Program Files\\Windows Media Player\\wmplayer.exe", - "commandLine": "/prefetch:1", + "relative_path": "..\\..\\..\\..\\Program Files\\Windows Media Player\\wmplayer.exe", + "command_line": "/prefetch:1", "extra": { - "specialFolder": { + "special_folder": { "id": 38, "offset": 119 }, "tracker": { "version": 0, - "machineId": "al-0142", + "machine_id": "al-0142", "droid": [ "6a3e8623-003d-2344-b4c5-05fe7266eb5e", "e4762b91-d40b-dd11-bcc5-001f3c29339f" ], - "droidBirth": [ + "droid_birth": [ "6a3e8623-003d-2344-b4c5-05fe7266eb5e", "e4762b91-d40b-dd11-bcc5-001f3c29339f" ] diff --git a/libbeat/formats/fixtures/lnk/native.xp.12.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.12.lnk.fingerprint index 27d04583fd67..bd7efe309385 100644 --- a/libbeat/formats/fixtures/lnk/native.xp.12.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.xp.12.lnk.fingerprint @@ -1,7 +1,7 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "HasExpString", "HasLinkInfo", "HasName", 
@@ -10,40 +10,40 @@ "HasWorkingDir", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_ARCHIVE" ], - "creationTime": "2004-08-20T01:03:33Z", - "accessedTime": "2004-08-19T12:00:00Z", - "modifiedTime": "2004-08-06T00:00:00Z", - "fileSize": 73216, - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "creation_time": "2004-08-20T01:03:33Z", + "accessed_time": "2004-08-19T12:00:00Z", + "modified_time": "2004-08-06T00:00:00Z", + "file_size": 73216, + "icon_index": 0, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 80, + "type_id": 80, "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" }, { "size": 25, - "typeId": 67, + "type_id": 67, "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" }, { "size": 60, - "typeId": 0, + "type_id": 0, "sha256": "0e62cf1b75299134613af72b61479a233bf7d8a3309c7e4b4e4713eb3c4e2ed2" }, { "size": 64, - "typeId": 0, + "type_id": 0, "sha256": "63c6a5e26cd51f340f4c3ffe91812bb812aad7752db664b5033c17e5fa623962" }, { "size": 72, - "typeId": 0, + "type_id": 0, "sha256": "045a096cb7bfc82a6ce4c2dd402d12493317ae6ad7c419ab3fc07fbb8d405ce2" } ], @@ -52,20 +52,20 @@ "VolumeIDAndLocalBasePath" ], "volume": { - "driveType": "DRIVE_FIXED", - "driveSerialNumber": "0xb832ef92" + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0xb832ef92" }, - "localBasePath": "C:\\WINDOWS\\system32\\magnify.exe" + "local_base_path": "C:\\WINDOWS\\system32\\magnify.exe" }, "name": "@%SystemRoot%\\system32\\shell32.dll,-22553", - "relativePath": "..\\..\\..\\..\\..\\..\\WINDOWS\\system32\\magnify.exe", - "workingDirectory": "%HOMEDRIVE%%HOMEPATH%", + "relative_path": "..\\..\\..\\..\\..\\..\\WINDOWS\\system32\\magnify.exe", + "working_directory": "%HOMEDRIVE%%HOMEPATH%", "extra": { "environment": { "ansi": "%SystemRoot%\\system32\\magnify.exe", "unicode": "%SystemRoot%\\system32\\magnify.exe" }, - "specialFolder": { + "special_folder": { "id": 37, "offset": 169 } 
diff --git a/libbeat/formats/fixtures/lnk/native.xp.13.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.13.lnk.fingerprint index 2ea8be64b47f..30fd7960955a 100644 --- a/libbeat/formats/fixtures/lnk/native.xp.13.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.xp.13.lnk.fingerprint @@ -1,7 +1,7 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "HasExpString", "HasLinkInfo", "HasName", @@ -10,40 +10,40 @@ "HasWorkingDir", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_ARCHIVE" ], - "creationTime": "2004-08-20T01:03:34Z", - "accessedTime": "2004-08-19T12:00:00Z", - "modifiedTime": "2004-08-06T00:00:00Z", - "fileSize": 144384, - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "creation_time": "2004-08-20T01:03:34Z", + "accessed_time": "2004-08-19T12:00:00Z", + "modified_time": "2004-08-06T00:00:00Z", + "file_size": 144384, + "icon_index": 0, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 80, + "type_id": 80, "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" }, { "size": 25, - "typeId": 67, + "type_id": 67, "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" }, { "size": 60, - "typeId": 0, + "type_id": 0, "sha256": "0e62cf1b75299134613af72b61479a233bf7d8a3309c7e4b4e4713eb3c4e2ed2" }, { "size": 64, - "typeId": 0, + "type_id": 0, "sha256": "63c6a5e26cd51f340f4c3ffe91812bb812aad7752db664b5033c17e5fa623962" }, { "size": 72, - "typeId": 0, + "type_id": 0, "sha256": "25f56f104046bbef2b0f7e19c82c5449eb38631861f3f7482d9fb647781342b2" } ], 
@@ -52,20 +52,20 @@ "VolumeIDAndLocalBasePath" ], "volume": { - "driveType": "DRIVE_FIXED", - "driveSerialNumber": "0xb832ef92" + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0xb832ef92" }, - "localBasePath": "C:\\WINDOWS\\system32\\mobsync.exe" + "local_base_path": "C:\\WINDOWS\\system32\\mobsync.exe" }, "name": "@%SystemRoot%\\system32\\shell32.dll,-22574", - "relativePath": "..\\..\\..\\..\\..\\WINDOWS\\system32\\mobsync.exe", - "workingDirectory": "%HOMEDRIVE%%HOMEPATH%", + "relative_path": "..\\..\\..\\..\\..\\WINDOWS\\system32\\mobsync.exe", + "working_directory": "%HOMEDRIVE%%HOMEPATH%", "extra": { "environment": { "ansi": "%SystemRoot%\\system32\\mobsync.exe", "unicode": "%SystemRoot%\\system32\\mobsync.exe" }, - "specialFolder": { + "special_folder": { "id": 37, "offset": 169 } diff --git a/libbeat/formats/fixtures/lnk/native.xp.14.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.14.lnk.fingerprint index d521f3724c8f..c2268d2ffbaa 100644 --- a/libbeat/formats/fixtures/lnk/native.xp.14.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.xp.14.lnk.fingerprint @@ -1,7 +1,7 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "HasExpString", "HasLinkInfo", "HasName", 
@@ -10,40 +10,40 @@ "HasWorkingDir", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_ARCHIVE" ], - "creationTime": "2004-08-20T01:03:16Z", - "accessedTime": "2004-08-19T12:00:00Z", - "modifiedTime": "2004-08-06T00:00:00Z", - "fileSize": 347136, - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "creation_time": "2004-08-20T01:03:16Z", + "accessed_time": "2004-08-19T12:00:00Z", + "modified_time": "2004-08-06T00:00:00Z", + "file_size": 347136, + "icon_index": 0, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 80, + "type_id": 80, "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" }, { "size": 25, - "typeId": 67, + "type_id": 67, "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" }, { "size": 60, - "typeId": 0, + "type_id": 0, "sha256": "0e62cf1b75299134613af72b61479a233bf7d8a3309c7e4b4e4713eb3c4e2ed2" }, { "size": 64, - "typeId": 0, + "type_id": 0, "sha256": "63c6a5e26cd51f340f4c3ffe91812bb812aad7752db664b5033c17e5fa623962" }, { "size": 78, - "typeId": 0, + "type_id": 0, "sha256": "61986764b83398b82a9fe2c734a44070aa6c1d4cf170e1ba35a1926f6f2585bf" } ], @@ -52,20 +52,20 @@ "VolumeIDAndLocalBasePath" ], "volume": { - "driveType": "DRIVE_FIXED", - "driveSerialNumber": "0xb832ef92" + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0xb832ef92" }, - "localBasePath": "C:\\WINDOWS\\system32\\tourstart.exe" + "local_base_path": "C:\\WINDOWS\\system32\\tourstart.exe" }, "name": "@%SystemRoot%\\system32\\tourstart.exe,-2", - "relativePath": "..\\..\\..\\..\\..\\WINDOWS\\system32\\tourstart.exe", - "workingDirectory": "%HOMEDRIVE%%HOMEPATH%", + "relative_path": "..\\..\\..\\..\\..\\WINDOWS\\system32\\tourstart.exe", + "working_directory": "%HOMEDRIVE%%HOMEPATH%", "extra": { "environment": { "ansi": "%SystemRoot%\\system32\\tourstart.exe", "unicode": "%SystemRoot%\\system32\\tourstart.exe" }, - "specialFolder": { + "special_folder": { "id": 37, "offset": 169 } 
diff --git a/libbeat/formats/fixtures/lnk/native.xp.15.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.15.lnk.fingerprint index 3749310bf10e..3fe6e0f7ce54 100644 --- a/libbeat/formats/fixtures/lnk/native.xp.15.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.xp.15.lnk.fingerprint @@ -1,41 +1,41 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "HasLinkInfo", "HasRelativePath", "HasTargetIDList", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_DIRECTORY", "FILE_ATTRIBUTE_READONLY" ], - "creationTime": "2004-08-20T01:16:19Z", - "accessedTime": "2004-08-19T12:00:00Z", - "modifiedTime": "2004-08-20T01:16:48Z", - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "creation_time": "2004-08-20T01:16:19Z", + "accessed_time": "2004-08-19T12:00:00Z", + "modified_time": "2004-08-20T01:16:48Z", + "icon_index": 0, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 80, + "type_id": 80, "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" }, { "size": 50, - "typeId": 0, + "type_id": 0, "sha256": "47cb092c959a4aa13007f154fa8992a26a9065f11ed30de3d43f12832b9ab0c5" }, { "size": 88, - "typeId": 0, + "type_id": 0, "sha256": "73a8aaeff232a15bb75df27b252781136149be3d9a8f278a3835ecba83fd4c32" }, { "size": 98, - "typeId": 0, + "type_id": 0, "sha256": "3db7f92e529c32261a025446f8d8563aca6c06b4ca84a75a0f27a4f18473b1f2" } ], 
@@ -44,14 +44,14 @@ "VolumeIDAndLocalBasePath" ], "volume": { - "driveType": "DRIVE_FIXED", - "driveSerialNumber": "0xb832ef92" + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0xb832ef92" }, - "localBasePath": "C:\\Documents and Settings\\All Users\\Documents\\Mes images\\\ufffdchantillons d'images" + "local_base_path": "C:\\Documents and Settings\\All Users\\Documents\\Mes images\\\ufffdchantillons d'images" }, - "relativePath": "..\\..\\..\\All Users\\Documents\\Mes images\\Échantillons d'images", + "relative_path": "..\\..\\..\\All Users\\Documents\\Mes images\\Échantillons d'images", "extra": { - "specialFolder": { + "special_folder": { "id": 54, "offset": 158 } diff --git a/libbeat/formats/fixtures/lnk/native.xp.16.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.16.lnk.fingerprint index fda0366e92bd..d86f6c496b0c 100644 --- a/libbeat/formats/fixtures/lnk/native.xp.16.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.xp.16.lnk.fingerprint 
@@ -1,41 +1,41 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "HasLinkInfo", "HasRelativePath", "HasTargetIDList", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_DIRECTORY", "FILE_ATTRIBUTE_READONLY" ], - "creationTime": "2004-08-20T01:16:19Z", - "accessedTime": "2004-08-19T12:00:00Z", - "modifiedTime": "2004-08-20T01:16:48Z", - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "creation_time": "2004-08-20T01:16:19Z", + "accessed_time": "2004-08-19T12:00:00Z", + "modified_time": "2004-08-20T01:16:48Z", + "icon_index": 0, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 80, + "type_id": 80, "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" }, { "size": 50, - "typeId": 0, + "type_id": 0, "sha256": "47cb092c959a4aa13007f154fa8992a26a9065f11ed30de3d43f12832b9ab0c5" }, { "size": 88, - "typeId": 0, + "type_id": 0, "sha256": "aa3e6bbc6482eea02a621eddc6590b882b924f3946353e933e1a070af3a37deb" }, { "size": 102, - "typeId": 0, + "type_id": 0, "sha256": "95a8b825400274184ef8f90be08414a4df70159fab7ddfa90d25d19592ef0044" } ], @@ -44,14 +44,14 @@ "VolumeIDAndLocalBasePath" ], "volume": { - "driveType": "DRIVE_FIXED", - "driveSerialNumber": "0xb832ef92" + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0xb832ef92" }, - "localBasePath": "C:\\Documents and Settings\\All Users\\Documents\\Ma musique\\\ufffdchantillons de musique" + "local_base_path": "C:\\Documents and Settings\\All Users\\Documents\\Ma musique\\\ufffdchantillons de musique" }, - "relativePath": "..\\..\\..\\All Users\\Documents\\Ma musique\\Échantillons de musique", + "relative_path": "..\\..\\..\\All Users\\Documents\\Ma musique\\Échantillons de musique", "extra": { - "specialFolder": { + "special_folder": { "id": 53, "offset": 158 } 
diff --git a/libbeat/formats/fixtures/lnk/native.xp.17.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.17.lnk.fingerprint index 4955b8d7fe74..62df3700b408 100644 --- a/libbeat/formats/fixtures/lnk/native.xp.17.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.xp.17.lnk.fingerprint @@ -1,7 +1,7 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "HasLinkInfo", "HasName", "HasRelativePath", @@ -9,40 +9,40 @@ "HasWorkingDir", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_ARCHIVE" ], - "creationTime": "2004-08-19T12:16:10Z", - "accessedTime": "2004-08-18T23:00:00Z", - "modifiedTime": "2004-08-05T11:00:00Z", - "fileSize": 60416, - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "creation_time": "2004-08-19T12:16:10Z", + "accessed_time": "2004-08-18T23:00:00Z", + "modified_time": "2004-08-05T11:00:00Z", + "file_size": 60416, + "icon_index": 0, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 80, + "type_id": 80, "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" }, { "size": 25, - "typeId": 67, + "type_id": 67, "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" }, { "size": 74, - "typeId": 0, + "type_id": 0, "sha256": "668767e84ba993ed4e6eb5d04e5f85aec0edd67bb145dbe3dc68844ae3897194" }, { "size": 78, - "typeId": 0, + "type_id": 0, "sha256": "82632d0a1514981d68a6b96a0a5f263554234138682b4f9f82eec4562bc41939" }, { "size": 66, - "typeId": 0, + "type_id": 0, "sha256": "5950df6e91f2c9c0e58bea4e541d981a4e8ddd1658a94127d50a1670b3706cd7" } ], 
@@ -51,28 +51,28 @@ "VolumeIDAndLocalBasePath" ], "volume": { - "driveType": "DRIVE_FIXED", - "driveSerialNumber": "0x10bdbcd3", - "volumeLabel": "SYSTEM" + "drive_type": "DRIVE_FIXED", + "drive_serial_number": "0x10bdbcd3", + "volume_label": "SYSTEM" }, - "localBasePath": "C:\\Program Files\\Outlook Express\\msimn.exe" + "local_base_path": "C:\\Program Files\\Outlook Express\\msimn.exe" }, "name": "@xpsp1res.dll,-11005", - "relativePath": "..\\..\\..\\..\\Program Files\\Outlook Express\\msimn.exe", - "workingDirectory": "%HOMEDRIVE%%HOMEPATH%", + "relative_path": "..\\..\\..\\..\\Program Files\\Outlook Express\\msimn.exe", + "working_directory": "%HOMEDRIVE%%HOMEPATH%", "extra": { - "specialFolder": { + "special_folder": { "id": 38, "offset": 119 }, "tracker": { "version": 0, - "machineId": "al-0142", + "machine_id": "al-0142", "droid": [ "6a3e8623-003d-2344-b4c5-05fe7266eb5e", "e3762b91-d40b-dd11-bcc5-001f3c29339f" ], - "droidBirth": [ + "droid_birth": [ "6a3e8623-003d-2344-b4c5-05fe7266eb5e", "e3762b91-d40b-dd11-bcc5-001f3c29339f" ] diff --git a/libbeat/formats/fixtures/lnk/native.xp.18.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.18.lnk.fingerprint index 6a2052575dbc..c8fef54cd3ea 100644 --- a/libbeat/formats/fixtures/lnk/native.xp.18.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.xp.18.lnk.fingerprint 
@@ -1,29 +1,29 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "HasName", "HasTargetIDList", "HasWorkingDir", "IsUnicode" ], - "fileFlags": [], - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "file_flags": [], + "icon_index": 0, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 80, + "type_id": 80, "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" }, { "size": 41, - "typeId": 68, + "type_id": 68, "sha256": "32ade5364cd623e3dd4032487653ac80010e5e3f8b9978da718094e448e389cc" } ], "name": "Lecteur Drag-to-Disc", - "workingDirectory": "D:\\", + "working_directory": "D:\\", "extra": {} } \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.xp.19.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.19.lnk.fingerprint index 56d0a19ed422..ac5f9f59cfd6 100644 --- a/libbeat/formats/fixtures/lnk/native.xp.19.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.xp.19.lnk.fingerprint @@ -1,29 +1,29 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "HasName", "HasTargetIDList", "HasWorkingDir", "IsUnicode" ], - "fileFlags": [], - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "file_flags": [], + "icon_index": 0, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 80, + "type_id": 80, "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" }, { "size": 25, - "typeId": 69, + "type_id": 69, "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" } ], "name": "Lecteur Drag-to-Disc", - "workingDirectory": "E:\\", + "working_directory": "E:\\", "extra": {} } \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.xp.20.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.20.lnk.fingerprint index eda954b7a879..71134f9b842d 100644 --- a/libbeat/formats/fixtures/lnk/native.xp.20.lnk.fingerprint 
+++ b/libbeat/formats/fixtures/lnk/native.xp.20.lnk.fingerprint 
@@ -1,74 +1,74 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "HasLinkInfo", "HasTargetIDList", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_DIRECTORY" ], - "creationTime": "2007-02-05T14:52:40Z", - "accessedTime": "2008-04-17T09:12:06Z", - "modifiedTime": "2007-02-05T14:52:41Z", - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "creation_time": "2007-02-05T14:52:40Z", + "accessed_time": "2008-04-17T09:12:06Z", + "modified_time": "2007-02-05T14:52:41Z", + "icon_index": 0, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 88, + "type_id": 88, "sha256": "96abeb65d87512271bcabeac8b283506e78a94968b1d8658dd5cb31a1f40951f" }, { "size": 50, - "typeId": 0, + "type_id": 0, "sha256": "620d29be08dff63afe598819f919717bb1357d90b06e5a00d5a0d09e91626505" }, { "size": 136, - "typeId": 0, + "type_id": 0, "sha256": "3d18dc812ad70df870b6f8a81582461acf2352d59bca0bdad825e6f59495126a" }, { "size": 36, - "typeId": 0, + "type_id": 0, "sha256": "2558b29fa32b5a5da3dd4eff2c00f06ad7444b0098073b148f556e1875482f03" }, { "size": 41, - "typeId": 0, + "type_id": 0, "sha256": "cd62d04905339ebd75908eface1487a326def9797f4513a626b7f5e0cc2774d7" }, { "size": 175, - "typeId": 0, + "type_id": 0, "sha256": "70a5ac77f6b59746aabfbef46c8645499c08b622fc79ec57ffa921f9d61afa87" }, { "size": 60, - "typeId": 0, + "type_id": 0, "sha256": "19bcb8ecfc99b2b8152e9c7fd3b34335cd4b29cca0216f6482d9721c7930c227" }, { "size": 74, - "typeId": 0, + "type_id": 0, "sha256": "eb5ff2514a899d457c5e2c11cb1bb0e9fb9248c289a170c384efff7ea1533050" }, { "size": 76, - "typeId": 0, + "type_id": 0, "sha256": "79c0924b5e5a2e082f86f3672d03481a048fab6b0fb05463fef7a4586dce5ca2" }, { "size": 58, - "typeId": 0, + "type_id": 0, "sha256": "53afcfc9c2e090649738cd4b5e044f9b611b66d5400ec23aac022358f1e47eee" }, { "size": 52, - "typeId": 0, + "type_id": 0, "sha256": "432999e9d2645fdfb83af63aeae94aac516e643096fb2c865508794d7c9fb1c1" } ], 
@@ -76,8 +76,8 @@ "flags": [ "CommonNetworkRelativeLinkAndPathSuffix" ], - "commonPathSuffix": "Install\\Install_Softs\\Administrateur\\Newsid\\2003", - "networkShare": { + "common_path_suffix": "Install\\Install_Softs\\Administrateur\\Newsid\\2003", + "network_share": { "flags": [ "ValidNetType" ], @@ -87,12 +87,12 @@ "extra": { "tracker": { "version": 0, - "machineId": "als-fichiers7", + "machine_id": "als-fichiers7", "droid": [ "00000000-0000-0000-0000-000000000000", "06cd1d4d-e5fc-dc11-8902-0015c5fbcbe3" ], - "droidBirth": [ + "droid_birth": [ "00000000-0000-0000-0000-000000000000", "06cd1d4d-e5fc-dc11-8902-0015c5fbcbe3" ] diff --git a/libbeat/formats/fixtures/lnk/net_unicode.lnk.fingerprint b/libbeat/formats/fixtures/lnk/net_unicode.lnk.fingerprint index eda6ed0bf20a..e2e5a1fd0361 100644 --- a/libbeat/formats/fixtures/lnk/net_unicode.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/net_unicode.lnk.fingerprint 
@@ -1,41 +1,41 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "EnableTargetMetadata", "HasExpString", "HasLinkInfo", "HasWorkingDir", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_NORMAL" ], - "creationTime": "2019-07-08T14:05:42Z", - "accessedTime": "2019-07-08T14:06:30Z", - "modifiedTime": "2019-07-08T14:05:42Z", - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "creation_time": "2019-07-08T14:05:42Z", + "accessed_time": "2019-07-08T14:06:30Z", + "modified_time": "2019-07-08T14:05:42Z", + "icon_index": 0, + "window_style": "SW_NORMAL" }, "location": { "flags": [ "CommonNetworkRelativeLinkAndPathSuffix" ], - "commonPathSuffix": "??.txt", - "networkShare": { + "common_path_suffix": "??.txt", + "network_share": { "flags": [ "ValidNetType" ], "name": "\\\\TEST\\SHARE" } }, - "workingDirectory": "\\\\test\\share", + "working_directory": "\\\\test\\share", "extra": { "environment": { "ansi": "\\\\test\\share\\??.txt", "unicode": "\\\\test\\share\\💎.txt" }, - "propertyStore": { + "property_store": { "properties": { "10": [ { @@ -59,36 +59,36 @@ }, "tracker": { "version": 0, - "machineId": "test", + "machine_id": "test", "droid": [ "51369273-fde5-4eff-91cc-d50f13310bfc", "04a80000-0000-0000-0dcf-180000000000" ], - "droidBirth": [ + "droid_birth": [ "50369273-fde5-4eff-91cc-d50f13310bfc", "04a80000-0000-0000-0dcf-180000000000" ] }, - "vistaAndAboveIdList": { + "vista_and_above_id_list": { "targets": [ { "size": 20, - "typeId": 88, + "type_id": 88, "sha256": "0fd765c464bc0175cb0d598bbd77de8217dac435999d9261df8f384ae69d5e85" }, { "size": 171, - "typeId": 0, + "type_id": 0, "sha256": "28222bc3c9d115226224f871f30af6d5f51aaead9bb52f0e86c60bf8c03aff7e" }, { "size": 39, - "typeId": 1, + "type_id": 1, "sha256": "d0f317c9a1aa7d1e38f393b24b90e27c8e51e88be305c3655b43936e9d13e9ec" }, { "size": 90, - "typeId": 0, + "type_id": 0, "sha256": "5f9dbc4cb81c898fc455cded76ca8e043cac3e1f2fe1daf5fd43ccb20f33ac83" } ] 
diff --git a/libbeat/formats/fixtures/lnk/net_unicode2.lnk.fingerprint b/libbeat/formats/fixtures/lnk/net_unicode2.lnk.fingerprint index 9d7534e2e1da..2f2f8abc416f 100644 --- a/libbeat/formats/fixtures/lnk/net_unicode2.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/net_unicode2.lnk.fingerprint @@ -1,42 +1,42 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "EnableTargetMetadata", "HasExpString", "HasLinkInfo", "HasWorkingDir", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_NORMAL" ], - "creationTime": "2019-07-08T14:04:50Z", - "accessedTime": "2019-07-09T13:31:07Z", - "modifiedTime": "2019-07-08T14:04:50Z", - "fileSize": 10, - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "creation_time": "2019-07-08T14:04:50Z", + "accessed_time": "2019-07-09T13:31:07Z", + "modified_time": "2019-07-08T14:04:50Z", + "file_size": 10, + "icon_index": 0, + "window_style": "SW_NORMAL" }, "location": { "flags": [ "CommonNetworkRelativeLinkAndPathSuffix" ], - "commonPathSuffix": "\ufffd\ufffd\ufffd\ufffd\ufffdN\ufffd\ufffd.txt", - "networkShare": { + "common_path_suffix": "\ufffd\ufffd\ufffd\ufffd\ufffdN\ufffd\ufffd.txt", + "network_share": { "flags": [ "ValidNetType" ], "name": "\\\\TEST\\??" } }, - "workingDirectory": "\\\\test\\📂", + "working_directory": "\\\\test\\📂", "extra": { "environment": { "ansi": "\\\\test\\??\\\ufffd\ufffd\ufffd\ufffd\ufffdN\ufffd\ufffd.txt", "unicode": "\\\\test\\📂\\リンク先.txt" }, - "propertyStore": { + "property_store": { "properties": { "10": [ { 
@@ -60,36 +60,36 @@ }, "tracker": { "version": 0, - "machineId": "test", + "machine_id": "test", "droid": [ "5337f18a-4bd4-98f1-1366-c15ed7085770", "04a80000-0000-0000-3346-190000000000" ], - "droidBirth": [ + "droid_birth": [ "5237f18a-4bd4-98f1-1366-c15ed7085770", "04a80000-0000-0000-3346-190000000000" ] }, - "vistaAndAboveIdList": { + "vista_and_above_id_list": { "targets": [ { "size": 20, - "typeId": 88, + "type_id": 88, "sha256": "0fd765c464bc0175cb0d598bbd77de8217dac435999d9261df8f384ae69d5e85" }, { "size": 171, - "typeId": 0, + "type_id": 0, "sha256": "28222bc3c9d115226224f871f30af6d5f51aaead9bb52f0e86c60bf8c03aff7e" }, { "size": 94, - "typeId": 1, + "type_id": 1, "sha256": "e834f0f99e38cfd381d40d2e46d31f973523645a460ac56accb82d6fb2612fe6" }, { "size": 94, - "typeId": 0, + "type_id": 0, "sha256": "7369db988302b83ea4845b133a25286f7beaefbda25474d8b4d5bfa1d1acd869" } ] diff --git a/libbeat/formats/fixtures/lnk/net_win31j.lnk.fingerprint b/libbeat/formats/fixtures/lnk/net_win31j.lnk.fingerprint index 571d7afa68cd..33f3e011780b 100644 --- a/libbeat/formats/fixtures/lnk/net_win31j.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/net_win31j.lnk.fingerprint 
@@ -1,42 +1,42 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "EnableTargetMetadata", "HasExpString", "HasLinkInfo", "HasWorkingDir", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_NORMAL" ], - "creationTime": "2019-07-08T14:04:50Z", - "accessedTime": "2019-07-08T14:05:30Z", - "modifiedTime": "2019-07-08T14:04:50Z", - "fileSize": 10, - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "creation_time": "2019-07-08T14:04:50Z", + "accessed_time": "2019-07-08T14:05:30Z", + "modified_time": "2019-07-08T14:04:50Z", + "file_size": 10, + "icon_index": 0, + "window_style": "SW_NORMAL" }, "location": { "flags": [ "CommonNetworkRelativeLinkAndPathSuffix" ], - "commonPathSuffix": "\ufffd\ufffd\ufffd\ufffd\ufffdN\ufffd\ufffd.txt", - "networkShare": { + "common_path_suffix": "\ufffd\ufffd\ufffd\ufffd\ufffdN\ufffd\ufffd.txt", + "network_share": { "flags": [ "ValidNetType" ], "name": "\\\\TEST\\SHARE" } }, - "workingDirectory": "\\\\test\\share", + "working_directory": "\\\\test\\share", "extra": { "environment": { "ansi": "\\\\test\\share\\\ufffd\ufffd\ufffd\ufffd\ufffdN\ufffd\ufffd.txt", "unicode": "\\\\test\\share\\リンク先.txt" }, - "propertyStore": { + "property_store": { "properties": { "10": [ { 
@@ -60,36 +60,36 @@ }, "tracker": { "version": 0, - "machineId": "test", + "machine_id": "test", "droid": [ "51369273-fde5-4eff-91cc-d50f13310bfc", "04a80000-0000-0000-0ccf-180000000000" ], - "droidBirth": [ + "droid_birth": [ "50369273-fde5-4eff-91cc-d50f13310bfc", "04a80000-0000-0000-0ccf-180000000000" ] }, - "vistaAndAboveIdList": { + "vista_and_above_id_list": { "targets": [ { "size": 20, - "typeId": 88, + "type_id": 88, "sha256": "0fd765c464bc0175cb0d598bbd77de8217dac435999d9261df8f384ae69d5e85" }, { "size": 171, - "typeId": 0, + "type_id": 0, "sha256": "28222bc3c9d115226224f871f30af6d5f51aaead9bb52f0e86c60bf8c03aff7e" }, { "size": 39, - "typeId": 1, + "type_id": 1, "sha256": "d0f317c9a1aa7d1e38f393b24b90e27c8e51e88be305c3655b43936e9d13e9ec" }, { "size": 94, - "typeId": 0, + "type_id": 0, "sha256": "a27e3a9e31dfe073c62944697d439c8aa4331d556c92ef11e21e6e486f72b69e" } ] diff --git a/libbeat/formats/fixtures/lnk/remote.directory.xp.lnk.fingerprint b/libbeat/formats/fixtures/lnk/remote.directory.xp.lnk.fingerprint index 4c18e950c22c..7f4baac3618b 100644 --- a/libbeat/formats/fixtures/lnk/remote.directory.xp.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/remote.directory.xp.lnk.fingerprint 
@@ -1,54 +1,54 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "HasLinkInfo", "HasTargetIDList", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_DIRECTORY" ], - "creationTime": "2009-10-08T13:48:55Z", - "accessedTime": "2010-07-09T13:52:31Z", - "modifiedTime": "2010-07-08T12:36:01Z", - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "creation_time": "2009-10-08T13:48:55Z", + "accessed_time": "2010-07-09T13:52:31Z", + "modified_time": "2010-07-08T12:36:01Z", + "icon_index": 0, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 88, + "type_id": 88, "sha256": "96abeb65d87512271bcabeac8b283506e78a94968b1d8658dd5cb31a1f40951f" }, { "size": 50, - "typeId": 0, + "type_id": 0, "sha256": "620d29be08dff63afe598819f919717bb1357d90b06e5a00d5a0d09e91626505" }, { "size": 136, - "typeId": 0, + "type_id": 0, "sha256": "3d18dc812ad70df870b6f8a81582461acf2352d59bca0bdad825e6f59495126a" }, { "size": 36, - "typeId": 0, + "type_id": 0, "sha256": "2558b29fa32b5a5da3dd4eff2c00f06ad7444b0098073b148f556e1875482f03" }, { "size": 88, - "typeId": 0, + "type_id": 0, "sha256": "cb97a3fb5034bc4a98fb7b62e09dc921ee0f731485134edee6d41f22aa3cd7bf" }, { "size": 136, - "typeId": 1, + "type_id": 1, "sha256": "da3df06592f5ce0069a83a8eea3aeda6b4e8650a05baf32f239c46ba9ada876b" }, { "size": 68, - "typeId": 0, + "type_id": 0, "sha256": "4c365273e81fc9ae17a9b83d85ae17e9fb0e4b7bd5766ea36f8f0bc33758fa66" } ], @@ -56,8 +56,8 @@ "flags": [ "CommonNetworkRelativeLinkAndPathSuffix" ], - "commonPathSuffix": "GMAldheris", - "networkShare": { + "common_path_suffix": "GMAldheris", + "network_share": { "flags": [ "ValidNetType" ], 
@@ -67,12 +67,12 @@ "extra": { "tracker": { "version": 0, - "machineId": "als-fichiers3", + "machine_id": "als-fichiers3", "droid": [ "00000000-0000-0000-0000-000000000000", "c5e0b78a-c875-de11-b8c9-000f1ff7c0dd" ], - "droidBirth": [ + "droid_birth": [ "00000000-0000-0000-0000-000000000000", "c5e0b78a-c875-de11-b8c9-000f1ff7c0dd" ] diff --git a/libbeat/formats/fixtures/lnk/remote.file.aidlist.lnk.fingerprint b/libbeat/formats/fixtures/lnk/remote.file.aidlist.lnk.fingerprint index 2d0ee63f382e..8e51736d134a 100644 --- a/libbeat/formats/fixtures/lnk/remote.file.aidlist.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/remote.file.aidlist.lnk.fingerprint @@ -1,27 +1,27 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "DisableKnownFolderTracking", "HasExpString", "HasLinkInfo", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_DIRECTORY" ], - "creationTime": "2009-07-26T15:39:33Z", - "accessedTime": "2009-07-26T15:41:16Z", - "modifiedTime": "2009-07-26T15:41:16Z", - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "creation_time": "2009-07-26T15:39:33Z", + "accessed_time": "2009-07-26T15:41:16Z", + "modified_time": "2009-07-26T15:41:16Z", + "icon_index": 0, + "window_style": "SW_NORMAL" }, "location": { "flags": [ "CommonNetworkRelativeLinkAndPathSuffix" ], - "commonPathSuffix": "Encoding\\@Films\\AAA AAA AAAAA 1", - "networkShare": { + "common_path_suffix": "Encoding\\@Films\\AAA AAA AAAAA 1", + "network_share": { "flags": [ "ValidNetType" ], 
@@ -33,49 +33,49 @@ "ansi": "\\\\fatality\\k$\\Encoding\\@Films\\AAA AAA AAAAA 1", "unicode": "\\\\fatality\\k$\\Encoding\\@Films\\AAA AAA AAAAA 1" }, - "propertyStore": {}, + "property_store": {}, "tracker": { "version": 0, - "machineId": "fatality", + "machine_id": "fatality", "droid": [ "d6f88e11-2d40-8641-b384-3527d35fb1eb", "1f268538-7491-df11-9091-8fae47a32577" ], - "droidBirth": [ + "droid_birth": [ "d6f88e11-2d40-8641-b384-3527d35fb1eb", "1f268538-7491-df11-9091-8fae47a32577" ] }, - "vistaAndAboveIdList": { + "vista_and_above_id_list": { "targets": [ { "size": 20, - "typeId": 88, + "type_id": 88, "sha256": "0fd765c464bc0175cb0d598bbd77de8217dac435999d9261df8f384ae69d5e85" }, { "size": 179, - "typeId": 0, + "type_id": 0, "sha256": "a4924888c786d4acf9e3c42c824563e5fdec6cd93042dbebadc1fd3227199ef4" }, { "size": 160, - "typeId": 0, + "type_id": 0, "sha256": "e1f098b643c47bdee4c734acd2ff6f2a5b3332fed6566870f937c8717a07f4af" }, { "size": 86, - "typeId": 0, + "type_id": 0, "sha256": "223d3713713681f8fbc798cdd4e7c027c3dfc0d5733a9009299b6e698d2b20a5" }, { "size": 80, - "typeId": 0, + "type_id": 0, "sha256": "b1727773baaf9441c2f87f6b39f73978df4e861a0e97ce3d6fcc1178ad986b56" }, { "size": 100, - "typeId": 0, + "type_id": 0, "sha256": "6ed7a47644a27ed26d689a4fda0144dbed91dfacb0d45a658c0e0e2b3c1a2894" } ] diff --git a/libbeat/formats/fixtures/lnk/remote.file.xp.lnk.fingerprint b/libbeat/formats/fixtures/lnk/remote.file.xp.lnk.fingerprint index 6f163eb08f90..2dcd88c7ff1e 100644 --- a/libbeat/formats/fixtures/lnk/remote.file.xp.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/remote.file.xp.lnk.fingerprint 
@@ -1,66 +1,66 @@ { "header": { "guid": "01140200-0000-0000-c000-000000000046", - "linkFlags": [ + "link_flags": [ "HasLinkInfo", "HasTargetIDList", "HasWorkingDir", "IsUnicode" ], - "fileFlags": [ + "file_flags": [ "FILE_ATTRIBUTE_NORMAL" ], - "creationTime": "2004-11-04T09:10:42Z", - "accessedTime": "2010-07-09T13:53:19Z", - "modifiedTime": "2001-02-21T16:33:49Z", - "fileSize": 325120, - "iconIndex": 0, - "windowStyle": "SW_NORMAL" + "creation_time": "2004-11-04T09:10:42Z", + "accessed_time": "2010-07-09T13:53:19Z", + "modified_time": "2001-02-21T16:33:49Z", + "file_size": 325120, + "icon_index": 0, + "window_style": "SW_NORMAL" }, "targets": [ { "size": 20, - "typeId": 88, + "type_id": 88, "sha256": "96abeb65d87512271bcabeac8b283506e78a94968b1d8658dd5cb31a1f40951f" }, { "size": 50, - "typeId": 0, + "type_id": 0, "sha256": "620d29be08dff63afe598819f919717bb1357d90b06e5a00d5a0d09e91626505" }, { "size": 136, - "typeId": 0, + "type_id": 0, "sha256": "3d18dc812ad70df870b6f8a81582461acf2352d59bca0bdad825e6f59495126a" }, { "size": 36, - "typeId": 0, + "type_id": 0, "sha256": "2558b29fa32b5a5da3dd4eff2c00f06ad7444b0098073b148f556e1875482f03" }, { "size": 88, - "typeId": 0, + "type_id": 0, "sha256": "cb97a3fb5034bc4a98fb7b62e09dc921ee0f731485134edee6d41f22aa3cd7bf" }, { "size": 136, - "typeId": 1, + "type_id": 1, "sha256": "da3df06592f5ce0069a83a8eea3aeda6b4e8650a05baf32f239c46ba9ada876b" }, { "size": 64, - "typeId": 0, + "type_id": 0, "sha256": "ee476d4c1256e99cbe21022ffedb5d1602a3c74e148d7c3c6f4c9d44f05d05ca" }, { "size": 80, - "typeId": 0, + "type_id": 0, "sha256": "7dc34531f388c48579b53e320e6750074510329fd0ff7fffd87efc8629b3bf7b" }, { "size": 114, - "typeId": 0, + "type_id": 0, "sha256": "42a5b872d13027882d743445de13c29673f211b01c1e66513c7e002054f0a8a2" } ], 
@@ -68,24 +68,24 @@ "flags": [ "CommonNetworkRelativeLinkAndPathSuffix" ], - "commonPathSuffix": "Archives\\M\ufffdthodologie WAS\\Norme de d\ufffdveloppement JAVA.doc", - "networkShare": { + "common_path_suffix": "Archives\\M\ufffdthodologie WAS\\Norme de d\ufffdveloppement JAVA.doc", + "network_share": { "flags": [ "ValidNetType" ], "name": "\\\\ALS-FICHIERS3\\QUALIT\ufffd" } }, - "workingDirectory": "\\\\als-fichiers3\\Qualité\\Archives\\Méthodologie WAS", + "working_directory": "\\\\als-fichiers3\\Qualité\\Archives\\Méthodologie WAS", "extra": { "tracker": { "version": 0, - "machineId": "als-fichiers3", + "machine_id": "als-fichiers3", "droid": [ "00000000-0000-0000-0000-000000000000", "341b46ea-7798-da11-80bd-000f1ff7c0dc" ], - "droidBirth": [ + "droid_birth": [ "00000000-0000-0000-0000-000000000000", "341b46ea-7798-da11-80bd-000f1ff7c0dc" ] diff --git a/libbeat/formats/lnk/lnk.go b/libbeat/formats/lnk/lnk.go index ec7d2ed7516c..a70ebb746d19 100644 --- a/libbeat/formats/lnk/lnk.go +++ b/libbeat/formats/lnk/lnk.go 
@@ -26,32 +26,32 @@ import ( // Console contains LNK extra console data block info type Console struct { - FillAttributes []string `json:"fillAttributes,omitempty"` - PopupFillAttributes []string `json:"popupFillAttributes,omitempty"` - ScreenBufferSizeX uint16 `json:"screenBufferSizeX"` - ScreenBufferSizeY uint16 `json:"screenBufferSizeY"` - WindowSizeX uint16 `json:"windowSizeX"` - WindowSizeY uint16 `json:"windowSizeY"` - WindowOriginX uint16 `json:"windowOriginX"` - WindowOriginY uint16 `json:"windowOriginY"` - FontSize uint32 `json:"fontSize"` - FontFamily string `json:"fontFamily,omitempty"` - FontWeight uint32 `json:"fontWeight"` - FaceName string `json:"faceName,omitempty"` - CursorSize uint32 `json:"cursorSize"` - FullScreen bool `json:"fullScreen"` - QuickEdit bool `json:"quickEdit"` - InsertMode bool `json:"insertMode"` - AutoPosition bool `json:"autoPosition"` - HistoryBufferSize uint32 `json:"historyBufferSize"` - NumberOfHistoryBuffers uint32 `json:"numberOfHistoryBuffers"` - HistoryNoDup bool `json:"historyNoDup"` - ColorTable []string `json:"colorTable"` + FillAttributes []string `json:"fill_attributes,omitempty"` + PopupFillAttributes []string `json:"popup_fill_attributes,omitempty"` + ScreenBufferSizeX uint16 `json:"screen_buffer_size_x"` + ScreenBufferSizeY uint16 `json:"screen_buffer_size_y"` + WindowSizeX uint16 `json:"window_size_x"` + WindowSizeY uint16 `json:"window_size_y"` + WindowOriginX uint16 `json:"window_origin_x"` + WindowOriginY uint16 `json:"window_origin_y"` + FontSize uint32 `json:"font_size"` + FontFamily string `json:"font_family,omitempty"` + FontWeight uint32 `json:"font_weight"` + FaceName string `json:"face_name,omitempty"` + CursorSize uint32 `json:"cursor_size"` + FullScreen bool `json:"full_screen"` + QuickEdit bool `json:"quick_edit"` + InsertMode bool `json:"insert_mode"` + AutoPosition bool `json:"auto_position"` + HistoryBufferSize uint32 `json:"history_buffer_size"` + NumberOfHistoryBuffers uint32 
`json:"number_of_history_buffers"` + HistoryNoDup bool `json:"history_no_dup"` + ColorTable []string `json:"color_table"` } // ConsoleFE contains LNK extra console data block info type ConsoleFE struct { - CodePage string `json:"codePage"` + CodePage string `json:"code_page"` } // Darwin contains LNK extra darwin data block info @@ -87,13 +87,13 @@ type Property struct { // PropertyStore contains LNK extra property store data block info type PropertyStore struct { // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-propstore/3453fb82-0e4f-4c2c-bc04-64b4bd2c51ec - NamedProperties map[string][]Property `json:"namedProperties,omitempty"` + NamedProperties map[string][]Property `json:"named_properties,omitempty"` Properties map[uint32][]Property `json:"properties,omitempty"` } // Shim contains LNK extra shim data block info type Shim struct { - LayerName string `json:"layerName,omitempty"` + LayerName string `json:"layer_name,omitempty"` } // SpecialFolder contains LNK extra special folder data block info @@ -105,9 +105,9 @@ type SpecialFolder struct { // Tracker contains LNK extra tracker data block info type Tracker struct { Version uint32 `json:"version"` - MachineID string `json:"machineId"` + MachineID string `json:"machine_id"` Droid []string `json:"droid,omitempty"` - DroidBirth []string `json:"droidBirth,omitempty"` + DroidBirth []string `json:"droid_birth,omitempty"` } // VistaAndAboveIDList contains LNK extra vista and above id list data block info 
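Review bot: The doc comment on `ConsoleFE` is a verbatim copy of the one on `Console` ("contains LNK extra console data block info"), so the two exported types are indistinguishable in godoc even though `ConsoleFE` carries only `CodePage`. Since the hunk already touches this struct's tag, it is a good moment to replace the comment with `// ConsoleFE contains LNK extra console FE (code page) data block info`. The first hunk starts on the previous physical line, and the `Console` struct it renames is otherwise consistent with the snake_case convention used in the rest of the file.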
@@ -119,33 +119,33 @@ type VistaAndAboveIDList struct { type Extra struct { // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/c41e062d-f764-4f13-bd4f-ea812ab9a4d1 Console *Console `json:"console,omitempty"` - ConsoleFE *ConsoleFE `json:"consoleFE,omitempty"` + ConsoleFE *ConsoleFE `json:"console_fe,omitempty"` Darwin *Darwin `json:"darwin,omitempty"` Environment *Environment `json:"environment,omitempty"` - IconEnvironment *IconEnvironment `json:"iconEnvironment,omitempty"` - KnownFolder *KnownFolder `json:"knownFolder,omitempty"` - PropertyStore *PropertyStore `json:"propertyStore,omitempty"` + IconEnvironment *IconEnvironment `json:"icon_environment,omitempty"` + KnownFolder *KnownFolder `json:"known_folder,omitempty"` + PropertyStore *PropertyStore `json:"property_store,omitempty"` Shim *Shim `json:"shim,omitempty"` - SpecialFolder *SpecialFolder `json:"specialFolder,omitempty"` + SpecialFolder *SpecialFolder `json:"special_folder,omitempty"` Tracker *Tracker `json:"tracker,omitempty"` - VistaAndAboveIDList *VistaAndAboveIDList `json:"vistaAndAboveIdList,omitempty"` + VistaAndAboveIDList *VistaAndAboveIDList `json:"vista_and_above_id_list,omitempty"` } // Volume contains LNK location volume info type Volume struct { // https://github.com/libyal/liblnk/blob/master/documentation/Windows%20Shortcut%20File%20(LNK)%20format.asciidoc#42-volume-information - DriveType string `json:"driveType,omitempty"` - DriveSerialNumber string `json:"driveSerialNumber,omitempty"` - VolumeLabel string `json:"volumeLabel,omitempty"` + DriveType string `json:"drive_type,omitempty"` + DriveSerialNumber string `json:"drive_serial_number,omitempty"` + VolumeLabel string `json:"volume_label,omitempty"` } // NetworkShare contains LNK location network share info type NetworkShare struct { // https://github.com/libyal/liblnk/blob/master/documentation/Windows%20Shortcut%20File%20(LNK)%20format.asciidoc#43-network-share-information Flags []string 
`json:"flags,omitempty"` - ProviderType string `json:"providerType,omitempty"` + ProviderType string `json:"provider_type,omitempty"` Name string `json:"name,omitempty"` - DeviceName string `json:"deviceName,omitempty"` + DeviceName string `json:"device_name,omitempty"` } // Location contains LNK location info 
@@ -153,32 +153,32 @@ type Location struct { // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/6813269d-0cc8-4be2-933f-e96e8e3412dc // https://github.com/libyal/liblnk/blob/master/documentation/Windows%20Shortcut%20File%20(LNK)%20format.asciidoc#4-location-information Flags []string `json:"flags"` - CommonPathSuffix string `json:"commonPathSuffix,omitempty"` + CommonPathSuffix string `json:"common_path_suffix,omitempty"` // Location information data Volume *Volume `json:"volume,omitempty"` - LocalBasePath string `json:"localBasePath,omitempty"` + LocalBasePath string `json:"local_base_path,omitempty"` // The network share information - NetworkShare *NetworkShare `json:"networkShare,omitempty"` + NetworkShare *NetworkShare `json:"network_share,omitempty"` } // Target contains LNK target info type Target struct { Size uint16 `json:"size"` - TypeID uint8 `json:"typeId"` + TypeID uint8 `json:"type_id"` SHA256 string `json:"sha256"` } // Header contains LNK header info type Header struct { GUID string `json:"guid"` - LinkFlags []string `json:"linkFlags"` - FileFlags []string `json:"fileFlags"` - CreationTime *time.Time `json:"creationTime,omitempty"` - AccessedTime *time.Time `json:"accessedTime,omitempty"` - ModfiedTime *time.Time `json:"modifiedTime,omitempty"` - FileSize uint32 `json:"fileSize,omitempty"` - IconIndex uint32 `json:"iconIndex"` - WindowStyle string `json:"windowStyle"` + LinkFlags []string `json:"link_flags"` + FileFlags []string `json:"file_flags"` + CreationTime *time.Time `json:"creation_time,omitempty"` + AccessedTime *time.Time `json:"accessed_time,omitempty"` + ModfiedTime *time.Time `json:"modified_time,omitempty"` + FileSize uint32 `json:"file_size,omitempty"` + IconIndex uint32 `json:"icon_index"` + WindowStyle string `json:"window_style"` HotKey string `json:"hotKey,omitempty"` rawLinkFlags uint32 
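Review bot: `HotKey` is the one `Header` field whose tag is not converted in this hunk: it keeps `json:"hotKey,omitempty"` while every sibling on the new side (`link_flags`, `file_flags`, `creation_time`, `window_style`, …) and every other struct in lnk.go changed here switches to snake_case, so the emitted JSON mixes both conventions in a single object. The line should read `HotKey string `json:"hot_key,omitempty"``, and the lnk fixture fingerprints in this series that contain a hot key would need regenerating to match. Separately, the renamed line `ModfiedTime *time.Time `json:"modified_time,omitempty"`` carries the misspelled exported field name forward; if nothing outside the package references it, fixing the Go identifier to `ModifiedTime` alongside the tag rename avoids a second breaking change later. The `Header` struct body continues past the end of the hunk (`rawLinkFlags` is its last visible field).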
@@ -191,10 +191,10 @@ type Info struct { Targets []Target `json:"targets,omitempty"` Location *Location `json:"location,omitempty"` Name string `json:"name,omitempty"` - RelativePath string `json:"relativePath,omitempty"` - WorkingDirectory string `json:"workingDirectory,omitempty"` - CommandLine string `json:"commandLine,omitempty"` - IconLocation string `json:"iconLocation,omitempty"` + RelativePath string `json:"relative_path,omitempty"` + WorkingDirectory string `json:"working_directory,omitempty"` + CommandLine string `json:"command_line,omitempty"` + IconLocation string `json:"icon_location,omitempty"` Extra *Extra `json:"extra,omitempty"` } From 80d932853357cb7efb7e67bac99621527d79082d Mon Sep 17 00:00:00 2001 From: Andrew Stucki Date: Tue, 23 Feb 2021 13:45:03 -0500 Subject: [PATCH 11/30] Add cpu translation code --- .../fixtures/macho/hello-darwin.fingerprint | 17 +- libbeat/formats/macho/cpu.go | 352 +++++++++--------- libbeat/formats/macho/macho.go | 15 +- 3 files changed, 204 insertions(+), 180 deletions(-) diff --git a/libbeat/formats/fixtures/macho/hello-darwin.fingerprint b/libbeat/formats/fixtures/macho/hello-darwin.fingerprint index 6a1a2f70eb40..ed48557927ae 100644 --- a/libbeat/formats/fixtures/macho/hello-darwin.fingerprint +++ b/libbeat/formats/fixtures/macho/hello-darwin.fingerprint @@ -2,7 +2,7 @@ "architectures": [ { "cpu": "x86_64", - "byte_order": "LittleEndian", + "byte_order": "little-endian", "type": "Exec", "header": { "commands": [ @@ -145,8 +145,7 @@ "offset": 4010, "size": 14, "entropy": 3.32, - "chi2": 388.29, - "flags": [] + "chi2": 388.29 }, { "name": "__unwind_info", @@ -154,8 +153,7 @@ "offset": 4024, "size": 72, "entropy": 1.58, - "chi2": 10452.44, - "flags": [] + "chi2": 10452.44 } ] }, @@ -172,8 +170,7 @@ "offset": 4096, "size": 8, "entropy": 0, - "chi2": 2040, - "flags": [] + "chi2": 2040 } ] }, @@ -190,8 +187,7 @@ "offset": 8192, "size": 8, "entropy": 1.55, - "chi2": 888, - "flags": [] + "chi2": 888 }, { "name": "__data", 
@@ -199,8 +195,7 @@ "offset": 8200, "size": 8, "entropy": 0, - "chi2": 2040, - "flags": [] + "chi2": 2040 } ] } diff --git a/libbeat/formats/macho/cpu.go b/libbeat/formats/macho/cpu.go index 8f1607df594b..f1fd41543d46 100644 --- a/libbeat/formats/macho/cpu.go +++ b/libbeat/formats/macho/cpu.go 
@@ -19,177 +19,195 @@ package macho import "debug/macho" -// /// Get the cputype and cpusubtype from a name -// pub fn get_arch_from_flag(name: &str) -> Option<(CpuType, CpuSubType)> { -// get_arch_from_flag_no_alias(name).or_else(|| { -// // we also handle some common aliases -// match name { -// // these are used by apple -// "pentium" => Some((CPU_TYPE_I386, CPU_SUBTYPE_PENT)), -// "pentpro" => Some((CPU_TYPE_I386, CPU_SUBTYPE_PENTPRO)), -// // these are used commonly for consistency -// "x86" => Some((CPU_TYPE_I386, CPU_SUBTYPE_I386_ALL)), -// _ => None, -// } -// }) -// } +const ( + CPU_SUBTYPE_MASK uint32 = 0x00ffffff + CPU_ARCH_ABI64 uint32 = 0x01000000 + CPU_ARCH_ABI64_32 uint32 = 0x02000000 -// /// An alias for u32 -// pub type CpuType = u32; -// /// An alias for u32 -// pub type CpuSubType = u32; + // cpu types + CPU_TYPE_VAX uint32 = 1 + CPU_TYPE_MC680X0 uint32 = 6 + CPU_TYPE_X86 uint32 = 7 + CPU_TYPE_I386 uint32 = CPU_TYPE_X86 + CPU_TYPE_X86_64 uint32 = CPU_TYPE_X86 | CPU_ARCH_ABI64 + CPU_TYPE_MIPS uint32 = 8 + CPU_TYPE_MC98000 uint32 = 10 + CPU_TYPE_HPPA uint32 = 11 + CPU_TYPE_ARM uint32 = 12 + CPU_TYPE_ARM64 uint32 = CPU_TYPE_ARM | CPU_ARCH_ABI64 + CPU_TYPE_ARM64_32 uint32 = CPU_TYPE_ARM | CPU_ARCH_ABI64_32 + CPU_TYPE_MC88000 uint32 = 13 + CPU_TYPE_SPARC uint32 = 14 + CPU_TYPE_I860 uint32 = 15 + CPU_TYPE_ALPHA uint32 = 16 + CPU_TYPE_POWERPC uint32 = 18 + CPU_TYPE_POWERPC64 uint32 = CPU_TYPE_POWERPC | CPU_ARCH_ABI64 -// /// the mask for CPU feature flags -// pub const CPU_SUBTYPE_MASK: u32 = 0xff00_0000; -// /// mask for architecture bits -// pub const CPU_ARCH_MASK: CpuType = 0xff00_0000; -// /// the mask for 64 bit ABI -// pub const CPU_ARCH_ABI64: CpuType = 0x0100_0000; -// /// the mask for ILP32 ABI on 64 bit hardware -// pub const CPU_ARCH_ABI64_32: CpuType = 0x0200_0000; + // cpu sub-types + CPU_SUBTYPE_LITTLE_ENDIAN uint32 = 0 + CPU_SUBTYPE_BIG_ENDIAN uint32 = 1 + CPU_SUBTYPE_VAX_ALL uint32 = 0 + CPU_SUBTYPE_VAX780 uint32 = 1 + 
CPU_SUBTYPE_VAX785 uint32 = 2 + CPU_SUBTYPE_VAX750 uint32 = 3 + CPU_SUBTYPE_VAX730 uint32 = 4 + CPU_SUBTYPE_UVAXI uint32 = 5 + CPU_SUBTYPE_UVAXII uint32 = 6 + CPU_SUBTYPE_VAX8200 uint32 = 7 + CPU_SUBTYPE_VAX8500 uint32 = 8 + CPU_SUBTYPE_VAX8600 uint32 = 9 + CPU_SUBTYPE_VAX8650 uint32 = 10 + CPU_SUBTYPE_VAX8800 uint32 = 11 + CPU_SUBTYPE_UVAXIII uint32 = 12 + CPU_SUBTYPE_MC680X0_ALL uint32 = 1 + CPU_SUBTYPE_MC68030 uint32 = 1 + CPU_SUBTYPE_MC68040 uint32 = 2 + CPU_SUBTYPE_MC68030_ONLY uint32 = 3 + CPU_SUBTYPE_I386_ALL uint32 = 3 + CPU_SUBTYPE_386 uint32 = 3 + CPU_SUBTYPE_486 uint32 = 4 + CPU_SUBTYPE_486SX uint32 = 4 + (8 << 4) + CPU_SUBTYPE_586 uint32 = 5 + CPU_SUBTYPE_PENT uint32 = 5 + CPU_SUBTYPE_PENTPRO uint32 = 6 + (1 << 4) + CPU_SUBTYPE_PENTII_M3 uint32 = 6 + (3 << 4) + CPU_SUBTYPE_PENTII_M5 uint32 = 6 + (5 << 4) + CPU_SUBTYPE_CELERON uint32 = 7 + (6 << 4) + CPU_SUBTYPE_CELERON_MOBILE uint32 = 7 + (7 << 4) + CPU_SUBTYPE_PENTIUM_3 uint32 = 8 + CPU_SUBTYPE_PENTIUM_3_M uint32 = 8 + (1 << 4) + CPU_SUBTYPE_PENTIUM_3_XEON uint32 = 8 + (2 << 4) + CPU_SUBTYPE_PENTIUM_M uint32 = 9 + CPU_SUBTYPE_PENTIUM_4 uint32 = 10 + CPU_SUBTYPE_PENTIUM_4_M uint32 = 10 + (1 << 4) + CPU_SUBTYPE_ITANIUM uint32 = 11 + CPU_SUBTYPE_ITANIUM_2 uint32 = 11 + (1 << 4) + CPU_SUBTYPE_XEON uint32 = 12 + CPU_SUBTYPE_XEON_MP uint32 = 12 + (1 << 4) + CPU_SUBTYPE_INTEL_FAMILY_MAX uint32 = 15 + CPU_SUBTYPE_INTEL_MODEL_ALL uint32 = 0 + CPU_SUBTYPE_X86_ALL uint32 = 3 + CPU_SUBTYPE_X86_64_ALL uint32 = 3 + CPU_SUBTYPE_X86_ARCH1 uint32 = 4 + CPU_SUBTYPE_X86_64_H uint32 = 8 + CPU_SUBTYPE_MIPS_ALL uint32 = 0 + CPU_SUBTYPE_MIPS_R2300 uint32 = 1 + CPU_SUBTYPE_MIPS_R2600 uint32 = 2 + CPU_SUBTYPE_MIPS_R2800 uint32 = 3 + CPU_SUBTYPE_MIPS_R2000A uint32 = 4 + CPU_SUBTYPE_MIPS_R2000 uint32 = 5 + CPU_SUBTYPE_MIPS_R3000A uint32 = 6 + CPU_SUBTYPE_MIPS_R3000 uint32 = 7 + CPU_SUBTYPE_MC98000_ALL uint32 = 0 + CPU_SUBTYPE_MC98601 uint32 = 1 + CPU_SUBTYPE_HPPA_ALL uint32 = 0 + CPU_SUBTYPE_HPPA_7100 uint32 = 0 + 
CPU_SUBTYPE_HPPA_7100LC uint32 = 1 + CPU_SUBTYPE_MC88000_ALL uint32 = 0 + CPU_SUBTYPE_MC88100 uint32 = 1 + CPU_SUBTYPE_MC88110 uint32 = 2 + CPU_SUBTYPE_SPARC_ALL uint32 = 0 + CPU_SUBTYPE_I860_ALL uint32 = 0 + CPU_SUBTYPE_I860_860 uint32 = 1 + CPU_SUBTYPE_POWERPC_ALL uint32 = 0 + CPU_SUBTYPE_POWERPC_601 uint32 = 1 + CPU_SUBTYPE_POWERPC_602 uint32 = 2 + CPU_SUBTYPE_POWERPC_603 uint32 = 3 + CPU_SUBTYPE_POWERPC_603E uint32 = 4 + CPU_SUBTYPE_POWERPC_603EV uint32 = 5 + CPU_SUBTYPE_POWERPC_604 uint32 = 6 + CPU_SUBTYPE_POWERPC_604E uint32 = 7 + CPU_SUBTYPE_POWERPC_620 uint32 = 8 + CPU_SUBTYPE_POWERPC_750 uint32 = 9 + CPU_SUBTYPE_POWERPC_7400 uint32 = 10 + CPU_SUBTYPE_POWERPC_7450 uint32 = 11 + CPU_SUBTYPE_POWERPC_970 uint32 = 100 + CPU_SUBTYPE_ARM_ALL uint32 = 0 + CPU_SUBTYPE_ARM_V4T uint32 = 5 + CPU_SUBTYPE_ARM_V6 uint32 = 6 + CPU_SUBTYPE_ARM_V5TEJ uint32 = 7 + CPU_SUBTYPE_ARM_XSCALE uint32 = 8 + CPU_SUBTYPE_ARM_V7 uint32 = 9 + CPU_SUBTYPE_ARM_V7F uint32 = 10 + CPU_SUBTYPE_ARM_V7S uint32 = 11 + CPU_SUBTYPE_ARM_V7K uint32 = 12 + CPU_SUBTYPE_ARM_V6M uint32 = 14 + CPU_SUBTYPE_ARM_V7M uint32 = 15 + CPU_SUBTYPE_ARM_V7EM uint32 = 16 + CPU_SUBTYPE_ARM_V8 uint32 = 13 + CPU_SUBTYPE_ARM64_ALL uint32 = 0 + CPU_SUBTYPE_ARM64_V8 uint32 = 1 + CPU_SUBTYPE_ARM64_E uint32 = 2 + CPU_SUBTYPE_ARM64_32_ALL uint32 = 0 + CPU_SUBTYPE_ARM64_32_V8 uint32 = 1 +) -// // CPU Types -// pub const CPU_TYPE_ANY: CpuType = !0; -// pub const CPU_TYPE_VAX: CpuType = 1; -// pub const CPU_TYPE_MC680X0: CpuType = 6; -// pub const CPU_TYPE_X86: CpuType = 7; -// pub const CPU_TYPE_I386: CpuType = CPU_TYPE_X86; -// pub const CPU_TYPE_X86_64: CpuType = CPU_TYPE_X86 | CPU_ARCH_ABI64; -// pub const CPU_TYPE_MIPS: CpuType = 8; -// pub const CPU_TYPE_MC98000: CpuType = 10; -// pub const CPU_TYPE_HPPA: CpuType = 11; -// pub const CPU_TYPE_ARM: CpuType = 12; -// pub const CPU_TYPE_ARM64: CpuType = CPU_TYPE_ARM | CPU_ARCH_ABI64; -// pub const CPU_TYPE_ARM64_32: CpuType = CPU_TYPE_ARM | CPU_ARCH_ABI64_32; -// pub const 
CPU_TYPE_MC88000: CpuType = 13; -// pub const CPU_TYPE_SPARC: CpuType = 14; -// pub const CPU_TYPE_I860: CpuType = 15; -// pub const CPU_TYPE_ALPHA: CpuType = 16; -// pub const CPU_TYPE_POWERPC: CpuType = 18; -// pub const CPU_TYPE_POWERPC64: CpuType = CPU_TYPE_POWERPC | CPU_ARCH_ABI64; - -// // CPU Subtypes -// pub const CPU_SUBTYPE_MULTIPLE: CpuSubType = !0; -// pub const CPU_SUBTYPE_LITTLE_ENDIAN: CpuSubType = 0; -// pub const CPU_SUBTYPE_BIG_ENDIAN: CpuSubType = 1; -// pub const CPU_SUBTYPE_VAX_ALL: CpuSubType = 0; -// pub const CPU_SUBTYPE_VAX780: CpuSubType = 1; -// pub const CPU_SUBTYPE_VAX785: CpuSubType = 2; -// pub const CPU_SUBTYPE_VAX750: CpuSubType = 3; -// pub const CPU_SUBTYPE_VAX730: CpuSubType = 4; -// pub const CPU_SUBTYPE_UVAXI: CpuSubType = 5; -// pub const CPU_SUBTYPE_UVAXII: CpuSubType = 6; -// pub const CPU_SUBTYPE_VAX8200: CpuSubType = 7; -// pub const CPU_SUBTYPE_VAX8500: CpuSubType = 8; -// pub const CPU_SUBTYPE_VAX8600: CpuSubType = 9; -// pub const CPU_SUBTYPE_VAX8650: CpuSubType = 10; -// pub const CPU_SUBTYPE_VAX8800: CpuSubType = 11; -// pub const CPU_SUBTYPE_UVAXIII: CpuSubType = 12; -// pub const CPU_SUBTYPE_MC680X0_ALL: CpuSubType = 1; -// pub const CPU_SUBTYPE_MC68030: CpuSubType = 1; /* compat */ -// pub const CPU_SUBTYPE_MC68040: CpuSubType = 2; -// pub const CPU_SUBTYPE_MC68030_ONLY: CpuSubType = 3; - -// macro_rules! 
CPU_SUBTYPE_INTEL {
-// ($f:expr, $m:expr) => {{
-// ($f) + (($m) << 4)
-// }};
-// }
-
-// pub const CPU_SUBTYPE_I386_ALL: CpuSubType = CPU_SUBTYPE_INTEL!(3, 0);
-// pub const CPU_SUBTYPE_386: CpuSubType = CPU_SUBTYPE_INTEL!(3, 0);
-// pub const CPU_SUBTYPE_486: CpuSubType = CPU_SUBTYPE_INTEL!(4, 0);
-// pub const CPU_SUBTYPE_486SX: CpuSubType = CPU_SUBTYPE_INTEL!(4, 8); // 8 << 4 = 128
-// pub const CPU_SUBTYPE_586: CpuSubType = CPU_SUBTYPE_INTEL!(5, 0);
-// pub const CPU_SUBTYPE_PENT: CpuSubType = CPU_SUBTYPE_INTEL!(5, 0);
-// pub const CPU_SUBTYPE_PENTPRO: CpuSubType = CPU_SUBTYPE_INTEL!(6, 1);
-// pub const CPU_SUBTYPE_PENTII_M3: CpuSubType = CPU_SUBTYPE_INTEL!(6, 3);
-// pub const CPU_SUBTYPE_PENTII_M5: CpuSubType = CPU_SUBTYPE_INTEL!(6, 5);
-// pub const CPU_SUBTYPE_CELERON: CpuSubType = CPU_SUBTYPE_INTEL!(7, 6);
-// pub const CPU_SUBTYPE_CELERON_MOBILE: CpuSubType = CPU_SUBTYPE_INTEL!(7, 7);
-// pub const CPU_SUBTYPE_PENTIUM_3: CpuSubType = CPU_SUBTYPE_INTEL!(8, 0);
-// pub const CPU_SUBTYPE_PENTIUM_3_M: CpuSubType = CPU_SUBTYPE_INTEL!(8, 1);
-// pub const CPU_SUBTYPE_PENTIUM_3_XEON: CpuSubType = CPU_SUBTYPE_INTEL!(8, 2);
-// pub const CPU_SUBTYPE_PENTIUM_M: CpuSubType = CPU_SUBTYPE_INTEL!(9, 0);
-// pub const CPU_SUBTYPE_PENTIUM_4: CpuSubType = CPU_SUBTYPE_INTEL!(10, 0);
-// pub const CPU_SUBTYPE_PENTIUM_4_M: CpuSubType = CPU_SUBTYPE_INTEL!(10, 1);
-// pub const CPU_SUBTYPE_ITANIUM: CpuSubType = CPU_SUBTYPE_INTEL!(11, 0);
-// pub const CPU_SUBTYPE_ITANIUM_2: CpuSubType = CPU_SUBTYPE_INTEL!(11, 1);
-// pub const CPU_SUBTYPE_XEON: CpuSubType = CPU_SUBTYPE_INTEL!(12, 0);
-// pub const CPU_SUBTYPE_XEON_MP: CpuSubType = CPU_SUBTYPE_INTEL!(12, 1);
-// pub const CPU_SUBTYPE_INTEL_FAMILY_MAX: CpuSubType = 15;
-// pub const CPU_SUBTYPE_INTEL_MODEL_ALL: CpuSubType = 0;
-// pub const CPU_SUBTYPE_X86_ALL: CpuSubType = 3;
-// pub const CPU_SUBTYPE_X86_64_ALL: CpuSubType = 3;
-// pub const CPU_SUBTYPE_X86_ARCH1: CpuSubType = 4;
-// pub const CPU_SUBTYPE_X86_64_H:
CpuSubType = 8;
-// pub const CPU_SUBTYPE_MIPS_ALL: CpuSubType = 0;
-// pub const CPU_SUBTYPE_MIPS_R2300: CpuSubType = 1;
-// pub const CPU_SUBTYPE_MIPS_R2600: CpuSubType = 2;
-// pub const CPU_SUBTYPE_MIPS_R2800: CpuSubType = 3;
-// pub const CPU_SUBTYPE_MIPS_R2000A: CpuSubType = 4;
-// pub const CPU_SUBTYPE_MIPS_R2000: CpuSubType = 5;
-// pub const CPU_SUBTYPE_MIPS_R3000A: CpuSubType = 6;
-// pub const CPU_SUBTYPE_MIPS_R3000: CpuSubType = 7;
-// pub const CPU_SUBTYPE_MC98000_ALL: CpuSubType = 0;
-// pub const CPU_SUBTYPE_MC98601: CpuSubType = 1;
-// pub const CPU_SUBTYPE_HPPA_ALL: CpuSubType = 0;
-// pub const CPU_SUBTYPE_HPPA_7100: CpuSubType = 0;
-// pub const CPU_SUBTYPE_HPPA_7100LC: CpuSubType = 1;
-// pub const CPU_SUBTYPE_MC88000_ALL: CpuSubType = 0;
-// pub const CPU_SUBTYPE_MC88100: CpuSubType = 1;
-// pub const CPU_SUBTYPE_MC88110: CpuSubType = 2;
-// pub const CPU_SUBTYPE_SPARC_ALL: CpuSubType = 0;
-// pub const CPU_SUBTYPE_I860_ALL: CpuSubType = 0;
-// pub const CPU_SUBTYPE_I860_860: CpuSubType = 1;
-// pub const CPU_SUBTYPE_POWERPC_ALL: CpuSubType = 0;
-// pub const CPU_SUBTYPE_POWERPC_601: CpuSubType = 1;
-// pub const CPU_SUBTYPE_POWERPC_602: CpuSubType = 2;
-// pub const CPU_SUBTYPE_POWERPC_603: CpuSubType = 3;
-// pub const CPU_SUBTYPE_POWERPC_603E: CpuSubType = 4;
-// pub const CPU_SUBTYPE_POWERPC_603EV: CpuSubType = 5;
-// pub const CPU_SUBTYPE_POWERPC_604: CpuSubType = 6;
-// pub const CPU_SUBTYPE_POWERPC_604E: CpuSubType = 7;
-// pub const CPU_SUBTYPE_POWERPC_620: CpuSubType = 8;
-// pub const CPU_SUBTYPE_POWERPC_750: CpuSubType = 9;
-// pub const CPU_SUBTYPE_POWERPC_7400: CpuSubType = 10;
-// pub const CPU_SUBTYPE_POWERPC_7450: CpuSubType = 11;
-// pub const CPU_SUBTYPE_POWERPC_970: CpuSubType = 100;
-// pub const CPU_SUBTYPE_ARM_ALL: CpuSubType = 0;
-// pub const CPU_SUBTYPE_ARM_V4T: CpuSubType = 5;
-// pub const CPU_SUBTYPE_ARM_V6: CpuSubType = 6;
-// pub const CPU_SUBTYPE_ARM_V5TEJ: CpuSubType = 7;
-// pub const CPU_SUBTYPE_ARM_XSCALE:
CpuSubType = 8;
-// pub const CPU_SUBTYPE_ARM_V7: CpuSubType = 9;
-// pub const CPU_SUBTYPE_ARM_V7F: CpuSubType = 10;
-// pub const CPU_SUBTYPE_ARM_V7S: CpuSubType = 11;
-// pub const CPU_SUBTYPE_ARM_V7K: CpuSubType = 12;
-// pub const CPU_SUBTYPE_ARM_V6M: CpuSubType = 14;
-// pub const CPU_SUBTYPE_ARM_V7M: CpuSubType = 15;
-// pub const CPU_SUBTYPE_ARM_V7EM: CpuSubType = 16;
-// pub const CPU_SUBTYPE_ARM_V8: CpuSubType = 13;
-// pub const CPU_SUBTYPE_ARM64_ALL: CpuSubType = 0;
-// pub const CPU_SUBTYPE_ARM64_V8: CpuSubType = 1;
-// pub const CPU_SUBTYPE_ARM64_E: CpuSubType = 2;
-// pub const CPU_SUBTYPE_ARM64_32_ALL: CpuSubType = 0;
-// pub const CPU_SUBTYPE_ARM64_32_V8: CpuSubType = 1;
+var flagMaps = []struct {
+ name string
+ cpuType uint32
+ cpuSubtype uint32
+}{
+ {"ppc64", CPU_TYPE_POWERPC64, CPU_SUBTYPE_POWERPC_ALL},
+ {"x86_64", CPU_TYPE_X86_64, CPU_SUBTYPE_X86_64_ALL},
+ {"x86_64h", CPU_TYPE_X86_64, CPU_SUBTYPE_X86_64_H},
+ {"arm64", CPU_TYPE_ARM64, CPU_SUBTYPE_ARM64_ALL},
+ {"arm64_32", CPU_TYPE_ARM64_32, CPU_SUBTYPE_ARM64_32_ALL},
+ {"ppc970-64", CPU_TYPE_POWERPC64, CPU_SUBTYPE_POWERPC_970},
+ {"ppc", CPU_TYPE_POWERPC, CPU_SUBTYPE_POWERPC_ALL},
+ {"i386", CPU_TYPE_I386, CPU_SUBTYPE_I386_ALL},
+ {"m68k", CPU_TYPE_MC680X0, CPU_SUBTYPE_MC680X0_ALL},
+ {"hppa", CPU_TYPE_HPPA, CPU_SUBTYPE_HPPA_ALL},
+ {"sparc", CPU_TYPE_SPARC, CPU_SUBTYPE_SPARC_ALL},
+ {"m88k", CPU_TYPE_MC88000, CPU_SUBTYPE_MC88000_ALL},
+ {"i860", CPU_TYPE_I860, CPU_SUBTYPE_I860_ALL},
+ {"arm", CPU_TYPE_ARM, CPU_SUBTYPE_ARM_ALL},
+ {"ppc601", CPU_TYPE_POWERPC, CPU_SUBTYPE_POWERPC_601},
+ {"ppc603", CPU_TYPE_POWERPC, CPU_SUBTYPE_POWERPC_603},
+ {"ppc603e", CPU_TYPE_POWERPC, CPU_SUBTYPE_POWERPC_603E},
+ {"ppc603ev", CPU_TYPE_POWERPC, CPU_SUBTYPE_POWERPC_603EV},
+ {"ppc604", CPU_TYPE_POWERPC, CPU_SUBTYPE_POWERPC_604},
+ {"ppc604e", CPU_TYPE_POWERPC, CPU_SUBTYPE_POWERPC_604E},
+ {"ppc750", CPU_TYPE_POWERPC, CPU_SUBTYPE_POWERPC_750},
+ {"ppc7400", CPU_TYPE_POWERPC, CPU_SUBTYPE_POWERPC_7400},
+
{"ppc7450", CPU_TYPE_POWERPC, CPU_SUBTYPE_POWERPC_7450},
+ {"ppc970", CPU_TYPE_POWERPC, CPU_SUBTYPE_POWERPC_970},
+ {"i486", CPU_TYPE_I386, CPU_SUBTYPE_486},
+ {"i486SX", CPU_TYPE_I386, CPU_SUBTYPE_486SX},
+ {"i586", CPU_TYPE_I386, CPU_SUBTYPE_586},
+ {"i686", CPU_TYPE_I386, CPU_SUBTYPE_PENTPRO},
+ {"pentIIm3", CPU_TYPE_I386, CPU_SUBTYPE_PENTII_M3},
+ {"pentIIm5", CPU_TYPE_I386, CPU_SUBTYPE_PENTII_M5},
+ {"pentium4", CPU_TYPE_I386, CPU_SUBTYPE_PENTIUM_4},
+ {"m68030", CPU_TYPE_MC680X0, CPU_SUBTYPE_MC68030_ONLY},
+ {"m68040", CPU_TYPE_MC680X0, CPU_SUBTYPE_MC68040},
+ {"hppa7100LC", CPU_TYPE_HPPA, CPU_SUBTYPE_HPPA_7100LC},
+ {"armv4t", CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V4T},
+ {"armv5", CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V5TEJ},
+ {"xscale", CPU_TYPE_ARM, CPU_SUBTYPE_ARM_XSCALE},
+ {"armv6", CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V6},
+ {"armv6m", CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V6M},
+ {"armv7", CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7},
+ {"armv7f", CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7F},
+ {"armv7s", CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7S},
+ {"armv7k", CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7K},
+ {"armv7m", CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7M},
+ {"armv7em", CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7EM},
+ {"arm64v8", CPU_TYPE_ARM64, CPU_SUBTYPE_ARM64_V8},
+ {"arm64e", CPU_TYPE_ARM64, CPU_SUBTYPE_ARM64_E},
+ {"arm64_32_v8", CPU_TYPE_ARM64_32, CPU_SUBTYPE_ARM64_32_V8},
+ // others
+ {"pentium", CPU_TYPE_I386, CPU_SUBTYPE_PENT},
+ {"pentpro", CPU_TYPE_I386, CPU_SUBTYPE_PENTPRO},
+ {"x86", CPU_TYPE_I386, CPU_SUBTYPE_I386_ALL},
+}
 // the default string translations are gross
-func translateCPU(cpu macho.Cpu) string {
- switch cpu {
- case macho.Cpu386:
- return "x86"
- case macho.CpuAmd64:
- return "x86_64"
- case macho.CpuArm:
- return "arm"
- case macho.CpuArm64:
- return "arm64"
- case macho.CpuPpc:
- return "ppc"
- case macho.CpuPpc64:
- return "ppc64"
- default:
- return "unknown"
+func translateCPU(cpu macho.Cpu, subtype uint32) string {
+ cputype := uint32(cpu)
+ for _, cpuMapping := range flagMaps {
+ if
cpuMapping.cpuType == cputype && cpuMapping.cpuSubtype == (CPU_SUBTYPE_MASK&subtype) {
+ return cpuMapping.name
+ }
 }
+ return "unknown"
 }
diff --git a/libbeat/formats/macho/macho.go b/libbeat/formats/macho/macho.go
index dc1e845ce245..c1fded3d5ea3 100644
--- a/libbeat/formats/macho/macho.go
+++ b/libbeat/formats/macho/macho.go
@@ -174,8 +174,8 @@ func parse(machoFile *macho.File) (*Architecture, error) {
 }
 info := &Architecture{
- CPU: translateCPU(machoFile.Cpu),
- ByteOrder: machoFile.ByteOrder.String(),
+ CPU: translateCPU(machoFile.Cpu, machoFile.SubCpu),
+ ByteOrder: translateByteOrder(machoFile.ByteOrder.String()),
 Type: machoFile.Type.String(),
 Header: Header{
 Magic: fmt.Sprintf("0x%x", machoFile.Magic),
@@ -199,6 +199,17 @@ func parse(machoFile *macho.File) (*Architecture, error) {
 return info, nil
 }
+func translateByteOrder(order string) string {
+ switch order {
+ case "BigEndian":
+ return "big-endian"
+ case "LittleEndian":
+ return "little-endian"
+ default:
+ return "unknown"
+ }
+}
+
 func getPackers(machoFile *macho.File) []string {
 for _, section := range machoFile.Sections {
 if section.Name == "upxTEXT" {
From bdd8af8b0d4484b24e0069e762b9572d712242e2 Mon Sep 17 00:00:00 2001
From: Andrew Stucki
Date: Tue, 23 Feb 2021 13:57:30 -0500
Subject: [PATCH 12/30] rename processor and add more options
---
.../{add_format_data.go => add_file_data.go} | 68 ++++++++++++-------
...mat_data_test.go => add_file_data_test.go} | 60 ++++++++++++----
2 files changed, 93 insertions(+), 35 deletions(-)
rename libbeat/processors/actions/{add_format_data.go => add_file_data.go} (65%)
rename libbeat/processors/actions/{add_format_data_test.go => add_file_data_test.go} (66%)
diff --git a/libbeat/processors/actions/add_format_data.go b/libbeat/processors/actions/add_file_data.go
similarity index 65%
rename from libbeat/processors/actions/add_format_data.go
rename to libbeat/processors/actions/add_file_data.go
index d200903b585b..1820d9873180 100644
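Review bot: translateByteOrder dispatches on the text returned by machoFile.ByteOrder.String(), so the mapping is coupled to encoding/binary's String() output rather than to the byte-order value itself, and any change there would silently land in the "unknown" branch. The call site in the `@@ -174,8 +174,8 @@` hunk can pass the binary.ByteOrder value and the switch can compare against `binary.LittleEndian` and `binary.BigEndian` directly. The new function also has no doc comment; `// translateByteOrder maps a Mach-O byte order to the "big-endian"/"little-endian" vocabulary emitted in Architecture.ByteOrder.` would state its contract.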
--- a/libbeat/processors/actions/add_format_data.go
+++ b/libbeat/processors/actions/add_file_data.go
@@ -21,6 +21,7 @@ import (
 "fmt"
 "io"
 "os"
+ "regexp"
 "github.com/pkg/errors"
@@ -36,27 +37,41 @@ import (
 )
 func init() {
- processors.RegisterPlugin("add_format_data",
- checks.ConfigChecked(NewAddFormatData,
- checks.AllowedFields("field", "exclude", "only")))
+ processors.RegisterPlugin("add_file_data",
+ checks.ConfigChecked(NewAddFileData,
+ checks.AllowedFields("field", "target", "exclude", "only", "pattern")))
 }
-type addFormatDataProcessor struct {
- Field string `config:"field"`
- Exclude *[]string `config:"exclude"`
- Only *[]string `config:"only"`
- parsers []*parser
+type addFileDataProcessor struct {
+ Field string `config:"field"`
+ Target string `config:"target"`
+ Exclude *[]string `config:"exclude"`
+ Only *[]string `config:"only"`
+ Pattern string `config:"pattern"`
+ parsers []*parser
+ compiled *regexp.Regexp
 }
-const defaultFilePathField = "file.path"
+const (
+ defaultFilePathField = "file.path"
+ defaultTargetField = "file"
+)
-// NewAddFormatData constructs a add format data processor.
-func NewAddFormatData(cfg *common.Config) (processors.Processor, error) {
- addFormatData := &addFormatDataProcessor{
- Field: defaultFilePathField,
+// NewAddFileData constructs a add format data processor.
+func NewAddFileData(cfg *common.Config) (processors.Processor, error) {
+ addFormatData := &addFileDataProcessor{
+ Field: defaultFilePathField,
+ Target: defaultTargetField,
 }
 if err := cfg.Unpack(addFormatData); err != nil {
- return nil, errors.Wrapf(err, "fail to unpack the add_format_data configuration")
+ return nil, errors.Wrapf(err, "fail to unpack the add_file_data configuration")
+ }
+ if addFormatData.Pattern != "" {
+ compiled, err := regexp.Compile(addFormatData.Pattern)
+ if err != nil {
+ return nil, errors.Wrap(err, fmt.Sprintf("invalid pattern for add_file_data: '%s'", addFormatData.Pattern))
+ }
+ addFormatData.compiled = compiled
 }
 parsers := allParsers
 // only takes precedence to exclude
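Review bot: The doc comment and the local variable in NewAddFileData still carry the old name (`constructs a add format data processor`, `addFormatData`), which the rename did not reach; `// NewAddFileData constructs an add_file_data processor from its configuration.` and renaming the local to `p` would finish it. The pattern error path uses `errors.Wrap(err, fmt.Sprintf(...))`, which `errors.Wrapf(err, "invalid pattern for add_file_data: '%s'", addFormatData.Pattern)` expresses directly. Target is not validated after Unpack: a config that sets an empty `target` appears to override the "file" default, and applyParser (hunk `@@ -87,8 +102,9 @@`) then builds keys such as `.pe` from `a.Target + "." + parser.target`, so rejecting an empty Target here with a configuration error keeps the emitted field names well-formed.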
@@ -71,7 +86,7 @@ func NewAddFormatData(cfg *common.Config) (processors.Processor, error) {
 return addFormatData, nil
 }
-func (a *addFormatDataProcessor) applyParser(event *beat.Event, path string) error {
+func (a *addFileDataProcessor) applyParser(event *beat.Event, path string) error {
 file, err := os.Open(path)
 if err != nil {
 return err
@@ -87,8 +102,9 @@ func (a *addFormatDataProcessor) applyParser(event *beat.Event, path string) err
 if err != nil {
 return err
 }
+ target := a.Target + "." + parser.target
 event.Fields.DeepUpdate(common.MapStr{
- parser.target: data,
+ target: data,
 })
 return nil
 }
@@ -96,7 +112,7 @@ func (a *addFormatDataProcessor) applyParser(event *beat.Event, path string) err
 return nil
 }
-func (a *addFormatDataProcessor) Run(event *beat.Event) (*beat.Event, error) {
+func (a *addFileDataProcessor) Run(event *beat.Event) (*beat.Event, error) {
 valI, err := event.GetValue(a.Field)
 if err != nil {
 // doesn't have the required fieldd value to analyze
@@ -107,14 +123,20 @@ func (a *addFormatDataProcessor) Run(event *beat.Event) (*beat.Event, error) {
 // wrong type or not set
 return event, nil
 }
+ if a.compiled != nil {
+ if !a.compiled.MatchString(val) {
+ // we filtered out this event
+ return event, nil
+ }
+ }
 if err := a.applyParser(event, val); err != nil {
 return event, err
 }
 return event, nil
 }
-func (a *addFormatDataProcessor) String() string {
- return fmt.Sprintf("add_format_data=%+v,%+v,%+v", a.Field, a.Exclude, a.Only)
+func (a *addFileDataProcessor) String() string {
+ return fmt.Sprintf("add_file_data=%+v,%+v,%+v", a.Field, a.Exclude, a.Only)
 }
 type parser struct {
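Review bot: In the `@@ -107,14 +123,20 @@` hunk the new pattern check runs against the raw value read from the event, and that same uncleaned string is what applyParser hands to os.Open, so if `pattern` is meant to bound which paths this processor reads, an anchored expression is evaluated on a form that may still contain `..` segments or redundant separators that the filesystem resolves differently. Normalising first, `val = filepath.Clean(val)` (with path/filepath added to the imports hunk), and matching and opening that cleaned value keeps the path that was checked and the path that is opened the same. The String() update in the same hunk omits Target and Pattern, the two options this commit adds: `return fmt.Sprintf("add_file_data=%+v,%+v,%+v,%+v,%+v", a.Field, a.Target, a.Exclude, a.Only, a.Pattern)`. Run's body begins outside the hunk, so the type assertion that produces `val` is not visible here.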
@@ -125,10 +147,10 @@ type parser struct {
 }
 var allParsers = []*parser{
- makeParser("pe", "file.pe", "application/vnd.microsoft.portable-executable", pe.Parse),
- makeParser("macho", "file.macho", "application/x-mach-binary", macho.Parse),
- makeParser("elf", "file.elf", "application/x-executable", elf.Parse),
- makeParser("lnk", "file.lnk", "application/x-ms-shortcut", lnk.Parse),
+ makeParser("pe", "pe", "application/vnd.microsoft.portable-executable", pe.Parse),
+ makeParser("macho", "macho", "application/x-mach-binary", macho.Parse),
+ makeParser("elf", "elf", "application/x-executable", elf.Parse),
+ makeParser("lnk", "lnk", "application/x-ms-shortcut", lnk.Parse),
 }
 func makeParser(name, target, mimeType string, parse func(r io.ReaderAt) (interface{}, error)) *parser {
diff --git a/libbeat/processors/actions/add_format_data_test.go b/libbeat/processors/actions/add_file_data_test.go
similarity index 66%
rename from libbeat/processors/actions/add_format_data_test.go
rename to libbeat/processors/actions/add_file_data_test.go
index 223b354bcaaa..a16dac714240 100644
--- a/libbeat/processors/actions/add_format_data_test.go
+++ b/libbeat/processors/actions/add_file_data_test.go
@@ -30,13 +30,13 @@ import (
 "github.com/elastic/beats/v7/libbeat/formats/pe"
 )
-func TestFormatDataPE(t *testing.T) {
+func TestFileDataPE(t *testing.T) {
 evt := beat.Event{
 Fields: common.MapStr{
 "foo.bar.baz": "../../formats/fixtures/pe/hello-windows",
 },
 }
- p, err := NewAddFormatData(common.MustNewConfigFrom(map[string]interface{}{
+ p, err := NewAddFileData(common.MustNewConfigFrom(map[string]interface{}{
 "field": "foo.bar.baz",
 }))
 require.NoError(t, err)
@@ -48,13 +48,13 @@ func TestFormatDataPE(t *testing.T) {
 require.True(t, ok)
 }
-func TestFormatDataMachO(t *testing.T) {
+func TestFileDataMachO(t *testing.T) {
 evt := beat.Event{
 Fields: common.MapStr{
 "foo.bar.baz": "../../formats/fixtures/macho/hello-darwin",
 },
 }
- p, err := NewAddFormatData(common.MustNewConfigFrom(map[string]interface{}{
+ p, err := NewAddFileData(common.MustNewConfigFrom(map[string]interface{}{
 "field": "foo.bar.baz",
 }))
 require.NoError(t, err)
@@ -66,13 +66,13 @@ func TestFormatDataMachO(t *testing.T) {
 require.True(t, ok)
 }
-func TestFormatDataElf(t *testing.T) {
+func TestFileDataElf(t *testing.T) {
 evt := beat.Event{
 Fields: common.MapStr{
 "foo.bar.baz": "../../formats/fixtures/elf/hello-linux",
 },
 }
- p, err := NewAddFormatData(common.MustNewConfigFrom(map[string]interface{}{
+ p, err := NewAddFileData(common.MustNewConfigFrom(map[string]interface{}{
 "field": "foo.bar.baz",
 }))
 require.NoError(t, err)
@@ -84,13 +84,13 @@ func TestFormatDataElf(t *testing.T) {
 require.True(t, ok)
 }
-func TestFormatDataLnk(t *testing.T) {
+func TestFileDataLnk(t *testing.T) {
 evt := beat.Event{
 Fields: common.MapStr{
 "foo.bar.baz": "../../formats/fixtures/lnk/local_cmd.lnk",
 },
 }
- p, err := NewAddFormatData(common.MustNewConfigFrom(map[string]interface{}{
+ p, err := NewAddFileData(common.MustNewConfigFrom(map[string]interface{}{
 "field": "foo.bar.baz",
 }))
 require.NoError(t, err)
@@ -102,13 +102,13 @@ func TestFormatDataLnk(t *testing.T) {
 require.True(t, ok)
 }
-func TestFormatDataOnly(t *testing.T) {
+func TestFileDataOnly(t *testing.T) {
 evt := beat.Event{
 Fields: common.MapStr{
 "foo.bar.baz": "../../formats/fixtures/pe/hello-windows",
 },
 }
- p, err := NewAddFormatData(common.MustNewConfigFrom(map[string]interface{}{
+ p, err := NewAddFileData(common.MustNewConfigFrom(map[string]interface{}{
 "field": "foo.bar.baz",
 "only": []string{"macho"},
 }))
@@ -119,13 +119,13 @@ func TestFormatDataOnly(t *testing.T) {
 require.Error(t, err)
 }
-func TestFormatDataExclude(t *testing.T) {
+func TestFileDataExclude(t *testing.T) {
 evt := beat.Event{
 Fields: common.MapStr{
 "foo.bar.baz": "../../formats/fixtures/pe/hello-windows",
 },
 }
- p, err := NewAddFormatData(common.MustNewConfigFrom(map[string]interface{}{
+ p, err := NewAddFileData(common.MustNewConfigFrom(map[string]interface{}{
 "field": "foo.bar.baz",
 "exclude": []string{"pe"},
 }))
@@ -135,3 +135,39 @@ func TestFormatDataExclude(t *testing.T) {
 _, err = observed.Fields.GetValue("file.pe")
 require.Error(t, err)
 }
+
+func TestFileDataPattern(t *testing.T) {
+ evt := beat.Event{
+ Fields: common.MapStr{
+ "foo.bar.baz": "../../formats/fixtures/pe/hello-windows",
+ },
+ }
+ p, err := NewAddFileData(common.MustNewConfigFrom(map[string]interface{}{
+ "field": "foo.bar.baz",
+ "pattern": "^$", // don't match anything
+ }))
+ require.NoError(t, err)
+ observed, err := p.Run(&evt)
+ require.NoError(t, err)
+ _, err = observed.Fields.GetValue("file.pe")
+ require.Error(t, err)
+}
+
+func TestFileDataTarget(t *testing.T) {
+ evt := beat.Event{
+ Fields: common.MapStr{
+ "foo.bar.baz": "../../formats/fixtures/pe/hello-windows",
+ },
+ }
+ p, err := NewAddFileData(common.MustNewConfigFrom(map[string]interface{}{
+ "field": "foo.bar.baz",
+ "target": "zoiks",
+ }))
+ require.NoError(t, err)
+ observed, err := p.Run(&evt)
+ require.NoError(t, err)
+ data, err := observed.Fields.GetValue("zoiks.pe")
+ require.NoError(t, err)
+ _, ok := data.(*pe.Info)
+ require.True(t, ok)
+}
From 89319dbc3055459b866203b4d7a0d0715a490085 Mon Sep 17 00:00:00 2001
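Review bot: In the `@@ -135,3 +135,39 @@` hunk TestFileDataPattern exercises only the rejecting case (`"^$"`), so an inverted MatchString condition or a skipped compile step in Run would still pass; a sibling case with a pattern that matches the fixture path, e.g. `"pattern": "hello-windows$"`, asserting that `file.pe` is populated would pin both directions. TestFileDataTarget could likewise assert that the default `file.pe` key is absent once `target` is overridden, since moving the output is the behaviour the new option is meant to provide. A short comment on each new test naming the option it covers would also help, as the function names alone do not say which branch of Run is under test.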
From: Andrew Stucki
Date: Tue, 23 Feb 2021 15:06:31 -0500
Subject: [PATCH 13/30] Add fields to FIM
---
auditbeat/docs/fields.asciidoc | 591 +++++++++++++
.../module/file_integrity/_meta/fields.yml | 786 ++++++++++++++++--
auditbeat/module/file_integrity/fields.go | 2 +-
libbeat/formats/lnk/header.go | 2 +-
libbeat/formats/lnk/lnk.go | 4 +-
libbeat/formats/macho/macho.go | 3 +-
6 files changed, 1309 insertions(+), 79 deletions(-)
diff --git a/auditbeat/docs/fields.asciidoc b/auditbeat/docs/fields.asciidoc
index cd143ad919e7..a65c0f7210aa 100644
--- a/auditbeat/docs/fields.asciidoc
+++ b/auditbeat/docs/fields.asciidoc
@@ -11730,6 +11730,597 @@ type: keyword -- +[float] +=== file + +Extensions to the ECS File field set + + +[float] +=== elf + +These fields contain Linux Executable Linkable Format (ELF) metadata. + + +*`file.elf.header.class`*:: ++ +-- +Header class of the ELF file. + + +type: keyword + +-- + +*`file.elf.header.data`*:: ++ +-- +Data type of the ELF header. + + +type: keyword + +-- + +*`file.elf.header.machine`*:: ++ +-- +Machine type of the ELF header. + + +type: keyword + +-- + +*`file.elf.header.os_abi`*:: ++ +-- +Application Binary Interface (ABI) of the Linux OS. + + +type: keyword + +-- + +*`file.elf.header.type`*:: ++ +-- +Header type of the ELF file. + + +type: keyword + +-- + +*`file.elf.header.version`*:: ++ +-- +Version of the ELF header. + + +type: keyword + +-- + +*`file.elf.header.abi_version`*:: ++ +-- +Version of the ELF Application Binary Interface (ABI). + + +type: keyword + +-- + +*`file.elf.header.entrypoint`*:: ++ +-- +Header entrypoint of the ELF file. + + +type: long + +format: string + +-- + +*`file.elf.sections`*:: ++ +-- +Section information of the ELF file. + + +type: nested + +-- + +*`file.elf.exports`*:: ++ +-- +List of exported element names and types. + + +type: flattened + +-- + +*`file.elf.imports`*:: ++ +-- +List of imported element names and types. + + +type: flattened + +-- + +*`file.elf.shared_libraries`*:: ++ +-- +List of shared libraries used by this ELF object + + +type: keyword + +-- + +*`file.elf.telfhash`*:: ++ +-- +telfhash is symbol hash for ELF files, just like imphash is imports hash for PE files. Learn more at https://github.com/trendmicro/telfhash. + + +type: keyword + +-- + +*`file.elf.segments`*:: ++ +-- +ELF object segment list. + + +type: nested + +-- + +*`file.elf.debug`*:: ++ +-- +Debug information, if present + +type: nested + +-- + +*`file.elf.packers`*:: ++ +-- +List of packers and tools used. 
+ + +type: keyword + +example: ["ASPack v2.12", ".NET executable"] + +-- + +[float] +=== pe + +PE ECS field extensions + + +*`file.pe.debug`*:: ++ +-- +Debug information, if present + +type: nested + +-- + +*`file.pe.imports`*:: ++ +-- +List of all imported functions + +type: flattened + +example: { "library" : "mscoree.dll", "name" : "GetFileVersionInfoSizeA" } + +-- + +*`file.pe.sections`*:: ++ +-- +Data about sections of compiled binary PE + + +type: nested + +-- + +*`file.pe.resources`*:: ++ +-- +If the PE contains resources, some info about them + + +type: nested + +-- + +*`file.pe.exports`*:: ++ +-- +List of symbols exported by PE + + +type: keyword + +example: ["DllInstall", "DllRegisterServer", "DllUnregisterServer"] + +-- + +*`file.pe.icons`*:: ++ +-- +If the PE contains icons, some info about them + + +type: flattened + +-- + +*`file.pe.authentihash`*:: ++ +-- +Authentihash of the PE file. + + +type: keyword + +example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + +-- + +*`file.pe.compile_timestamp`*:: ++ +-- +Compile timestamp of the PE file. + + +type: date + +example: 2020-11-05T17:25:47.000Z + +-- + +*`file.pe.compiler.name`*:: ++ +-- +Name of the compiler + + +type: keyword + +example: Clang + +-- + +*`file.pe.compiler.version`*:: ++ +-- +Version of the compiler. + + +type: keyword + +example: 11.0.0 + +-- + +*`file.pe.rich_header.hash.md5`*:: ++ +-- +MD5 hash of the header for the PE file. + + +type: keyword + +example: 5aa1aa0f2b4be70397a1e9e2b87627cd + +-- + +*`file.pe.entrypoint`*:: ++ +-- +Relative byte offset to the base of the PE file. + + +type: keyword + +example: 25856 + +-- + +*`file.pe.packers`*:: ++ +-- +List of packers and tools used. + + +type: keyword + +example: ["ASPack v2.12", ".NET executable"] + +-- + +[float] +=== macho + +These fields contain macOS Mach Object (Mach-O) metadata. 
+ + +*`file.macho.architectures`*:: ++ +-- +Object files contained inside this file by architecture + +type: nested + +-- + +[float] +=== lnk + +These fields contain windows LNK metadata. + + +*`file.lnk.name`*:: ++ +-- +LNK name + +type: keyword + +-- + +*`file.lnk.relative_path`*:: ++ +-- +LNK relative path + +type: keyword + +-- + +*`file.lnk.working_directory`*:: ++ +-- +LNK working directory + +type: keyword + +-- + +*`file.lnk.command_line`*:: ++ +-- +LNK command line + +type: keyword + +-- + +*`file.lnk.icon_location`*:: ++ +-- +LNK icon location + +type: keyword + +-- + +*`file.lnk.extra`*:: ++ +-- +Extra fields in the LNK, type specific + +type: flattened + +-- + +*`file.lnk.header.guid`*:: ++ +-- +LNK guid + +type: keyword + +-- + +*`file.lnk.header.link_flags`*:: ++ +-- +LNK link flags + +type: keyword + +-- + +*`file.lnk.header.file_flags`*:: ++ +-- +LNK file flags + +type: keyword + +-- + +*`file.lnk.header.creation_time`*:: ++ +-- +LNK creation time + +type: date + +-- + +*`file.lnk.header.accessed_time`*:: ++ +-- +LNK accessed time + +type: date + +-- + +*`file.lnk.header.modified_time`*:: ++ +-- +LNK modified time + +type: date + +-- + +*`file.lnk.header.file_size`*:: ++ +-- +LNK file size + +type: long + +-- + +*`file.lnk.header.icon_index`*:: ++ +-- +LNK icon index + +type: long + +-- + +*`file.lnk.header.window_style`*:: ++ +-- +LNK window style + +type: keyword + +-- + +*`file.lnk.header.hot_key`*:: ++ +-- +LNK hot key + +type: keyword + +-- + +*`file.lnk.targets`*:: ++ +-- +LNK targets + +type: nested + +-- + +*`file.lnk.location.flags`*:: ++ +-- +LNK location flags + +type: keyword + +-- + +*`file.lnk.location.common_path_suffix`*:: ++ +-- +LNK common path suffix + +type: keyword + +-- + +*`file.lnk.location.local_base_path`*:: ++ +-- +LNK local base path + +type: keyword + +-- + +*`file.lnk.location.volume.drive_type`*:: ++ +-- +LNK volume drive type + +type: keyword + +-- + +*`file.lnk.location.volume.drive_serial_number`*:: ++ +-- +LNK 
volume drive serial number + +type: keyword + +-- + +*`file.lnk.location.volume.volume_label`*:: ++ +-- +LNK volume label + +type: keyword + +-- + +*`file.lnk.location.network_share.flags`*:: ++ +-- +LNK network share flags + +type: keyword + +-- + +*`file.lnk.location.network_share.provider_type`*:: ++ +-- +LNK network share provider type + +type: keyword + +-- + +*`file.lnk.location.network_share.name`*:: ++ +-- +LNK network share name + +type: keyword + +-- + +*`file.lnk.location.network_share.device_name`*:: ++ +-- +LNK network share device name + +type: keyword + +-- + [[exported-fields-host-processor]] == Host fields diff --git a/auditbeat/module/file_integrity/_meta/fields.yml b/auditbeat/module/file_integrity/_meta/fields.yml index c34aaaf1d43f..aee8cf4f4406 100644 --- a/auditbeat/module/file_integrity/_meta/fields.yml +++ b/auditbeat/module/file_integrity/_meta/fields.yml 
@@ -2,77 +2,715 @@ title: File Integrity description: These are the fields generated by the file_integrity module. fields: - - name: hash - type: group - description: > - Hashes of the file. The keys are algorithm names and the values are - the hex encoded digest values. - - fields: - - name: blake2b_256 - type: keyword - description: BLAKE2b-256 hash of the file. - - - name: blake2b_384 - type: keyword - description: BLAKE2b-384 hash of the file. - - - name: blake2b_512 - type: keyword - description: BLAKE2b-512 hash of the file. - - - name: md5 - overwrite: true - type: keyword - description: MD5 hash of the file. - - - name: sha1 - overwrite: true - type: keyword - description: SHA1 hash of the file. - - - name: sha224 - type: keyword - description: SHA224 hash of the file. - - - name: sha256 - overwrite: true - type: keyword - description: SHA256 hash of the file. - - - name: sha384 - type: keyword - description: SHA384 hash of the file. - - - name: sha3_224 - type: keyword - description: SHA3_224 hash of the file. - - - name: sha3_256 - type: keyword - description: SHA3_256 hash of the file. - - - name: sha3_384 - type: keyword - description: SHA3_384 hash of the file. - - - name: sha3_512 - type: keyword - description: SHA3_512 hash of the file. - - - name: sha512 - overwrite: true - type: keyword - description: SHA512 hash of the file. - - - name: sha512_224 - type: keyword - description: SHA512/224 hash of the file. - - - name: sha512_256 - type: keyword - description: SHA512/256 hash of the file. - - - name: xxh64 - type: keyword - description: XX64 hash of the file. + - name: hash + type: group + description: > + Hashes of the file. The keys are algorithm names and the values are + the hex encoded digest values. + + fields: + - name: blake2b_256 + type: keyword + description: BLAKE2b-256 hash of the file. + + - name: blake2b_384 + type: keyword + description: BLAKE2b-384 hash of the file. 
+ + - name: blake2b_512 + type: keyword + description: BLAKE2b-512 hash of the file. + + - name: md5 + overwrite: true + type: keyword + description: MD5 hash of the file. + + - name: sha1 + overwrite: true + type: keyword + description: SHA1 hash of the file. + + - name: sha224 + type: keyword + description: SHA224 hash of the file. + + - name: sha256 + overwrite: true + type: keyword + description: SHA256 hash of the file. + + - name: sha384 + type: keyword + description: SHA384 hash of the file. + + - name: sha3_224 + type: keyword + description: SHA3_224 hash of the file. + + - name: sha3_256 + type: keyword + description: SHA3_256 hash of the file. + + - name: sha3_384 + type: keyword + description: SHA3_384 hash of the file. + + - name: sha3_512 + type: keyword + description: SHA3_512 hash of the file. + + - name: sha512 + overwrite: true + type: keyword + description: SHA512 hash of the file. + + - name: sha512_224 + type: keyword + description: SHA512/224 hash of the file. + + - name: sha512_256 + type: keyword + description: SHA512/256 hash of the file. + + - name: xxh64 + type: keyword + description: XX64 hash of the file. + + # These are extensions to the file field set + - name: file + title: File + description: Extensions to the ECS File field set + type: group + fields: + # ELF fields + - name: elf + title: ELF file information + description: These fields contain Linux Executable Linkable Format (ELF) metadata. + type: group + fields: + - name: header.class + description: > + Header class of the ELF file. + type: keyword + + - name: header.data + description: > + Data type of the ELF header. + type: keyword + + - name: header.machine + description: > + Machine type of the ELF header. + type: keyword + + - name: header.os_abi + description: > + Application Binary Interface (ABI) of the Linux OS. + type: keyword + + - name: header.type + description: > + Header type of the ELF file. 
+ type: keyword + + - name: header.version + description: > + Version of the ELF header. + type: keyword + + - name: header.abi_version + type: keyword + description: > + Version of the ELF Application Binary Interface (ABI). + + - name: header.entrypoint + format: string + type: long + description: > + Header entrypoint of the ELF file. + + - name: sections + description: > + Section information of the ELF file. + type: nested + fields: + - name: flags + description: > + ELF Section List flags. + type: keyword + + - name: name + description: > + ELF Section List name. + type: keyword + + - name: physical_offset + description: > + ELF Section List offset. + type: keyword + + - name: type + description: > + ELF Section List type. + type: keyword + + - name: physical_size + description: > + ELF Section List physical size. + format: bytes + type: long + + - name: virtual_address + description: > + ELF Section List virtual address. + format: string + type: long + + - name: virtual_size + description: > + ELF Section List virtual size. + format: string + type: long + + - name: entropy + description: > + Shannon entropy calculation from the section. + format: number + type: double + + - name: chi2 + description: > + Chi-square probability distribution of the section. + format: number + type: double + + - name: exports + description: > + List of exported element names and types. + type: flattened + + - name: imports + description: > + List of imported element names and types. + type: flattened + + - name: shared_libraries + description: > + List of shared libraries used by this ELF object + type: keyword + + - name: telfhash + short: telfhash hash for ELF files + description: > + telfhash is symbol hash for ELF files, just like imphash is imports hash for PE files. Learn more at https://github.com/trendmicro/telfhash. + type: keyword + + - name: segments + description: > + ELF object segment list. 
+ type: nested + fields: + - name: type + description: ELF object segment type. + type: keyword + + - name: sections + description: ELF object segment sections. + type: keyword + + - name: debug + type: nested + description: Debug information, if present + fields: + - name: offset + type: keyword + description: Debug offset information. + example: 1296336 + + - name: size + type: long + format: bytes + description: Size of the debug information. + example: 816 + + - name: type + type: keyword + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + + - name: timestamp + type: date + description: Timestamp of the debug information. + example: "2020-11-05T17:25:47.000Z" + + - name: packers + description: > + List of packers and tools used. + type: keyword + example: '["ASPack v2.12", ".NET executable"]' + normalize: + - array + + # PE fields + - name: pe + title: PE file information. + description: PE ECS field extensions + type: group + fields: + - name: debug + type: nested + description: Debug information, if present + fields: + - name: offset + type: keyword + description: Debug offset information. + example: 1296336 + + - name: size + type: long + format: bytes + description: Size of the debug information. + example: 816 + + - name: type + type: keyword + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + + - name: timestamp + type: date + description: Timestamp of the debug information. + example: "2020-11-05T17:25:47.000Z" + + - name: imports + type: flattened + description: List of all imported functions + example: '{ "library" : "mscoree.dll", "name" : "GetFileVersionInfoSizeA" }' + + - name: sections + description: > + Data about sections of compiled binary PE + type: nested + fields: + - name: chi2 + description: Chi-square probability distribution. + type: long + example: 3027194 + + - name: virtual_address + description: Virtual address available to the file. 
+ type: long + format: bytes + example: 8192 + + - name: entropy + description: Measurement of entropy randomness in the file. + type: float + example: 6.24 + + - name: flags + description: Section flags of the file. + type: keyword + example: rx + + - name: name + description: Section names of the file. + type: keyword + example: .text, .data + + - name: raw_size + description: Size of the section or the dize of the initialized data on disk. + type: long + format: bytes + example: 198144 + + - name: resources + type: nested + description: > + If the PE contains resources, some info about them + fields: + - name: chi2 + description: Chi-square probability distribution. + type: long + example: -1 + + - name: filetype + description: File type of the resources section. + type: keyword + example: Data + + - name: entropy + description: Measurement of entropy randomness in the resources section. + type: long + example: 0, 1 + + - name: sha256 + description: SHA256 hash of resources section. + type: keyword + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + + - name: language + description: Language identification. + type: keyword + example: "CHINESE SIMPLIFIED" + + - name: type + type: keyword + short: List of resource types. + description: > + Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + normalize: + - array + + - name: exports + type: keyword + description: > + List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + normalize: + - array + + - name: icons + type: flattened + description: > + If the PE contains icons, some info about them + + - name: authentihash + description: > + Authentihash of the PE file. + type: keyword + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + + - name: compile_timestamp + description: > + Compile timestamp of the PE file. 
+ type: date + example: "2020-11-05T17:25:47.000Z" + + - name: compiler.name + type: keyword + description: > + Name of the compiler + example: Clang + + - name: compiler.version + type: keyword + description: > + Version of the compiler. + example: 11.0.0 + + - name: rich_header.hash.md5 + type: keyword + description: > + MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + + - name: entrypoint + description: > + Relative byte offset to the base of the PE file. + type: keyword + example: 25856 + + - name: packers + description: > + List of packers and tools used. + type: keyword + example: '["ASPack v2.12", ".NET executable"]' + normalize: + - array + + # MachO + - name: macho + title: Mach-O file information. + type: group + description: These fields contain macOS Mach Object (Mach-O) metadata. + fields: + - name: architectures + description: Object files contained inside this file by architecture + type: nested + fields: + - name: debug + type: nested + description: Debug information, if present + fields: + - name: offset + type: keyword + description: Debug offset information. + example: 1296336 + + - name: size + type: long + format: bytes + description: Size of the debug information. + example: 816 + + - name: type + type: keyword + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + + - name: timestamp + type: date + description: Timestamp of the debug information. + example: "2020-11-05T17:25:47.000Z" + + - name: cpu + description: CPU architecture target for the file. + type: keyword + example: 64-bit + + - name: byte_order + description: Byte order for the file. + type: keyword + example: little-endian + + - name: type + description: Mach-O file type. + type: keyword + + - name: header.commands + description: Header load commands + type: nested + fields: + - name: number + description: Number of load commands for the Mach-O header. 
+ type: long + example: 23 + + - name: size + description: Size of load commands of the Mach-O header. + type: long + format: bytes + example: 3888 + + - name: type + description: Type of the load commands for the Mach-O header. + type: keyword + example: LC_SYMTAB, 0x2c + + - name: header.magic + description: Magic field of the Mach-O header. + type: keyword + example: 0xfeedfacf + + - name: header.flags + description: Flags set in the Mach-O header. + type: keyword + example: TWOLEVEL, 0x4000000 + + - name: segments + description: Segment information for the file. + type: nested + fields: + - name: vmaddr + description: Memory address of this segment. + type: keyword + example: 0x0 + + - name: name + description: Name of this segment. + type: keyword + example: __TEXT, __DATA, __IMPORT + + - name: vmsize + description: Memory size of this segment. + type: keyword + example: 0x4c000 + + - name: fileoff + description: File offset of this segment. + type: keyword + example: 0x0 + + - name: filesize + description: Amount of memory to map from the file. + type: keyword + example: 0x4c000 + + - name: sections + description: Section information for the segment of the file. + type: nested + fields: + - name: name + description: Name of this section. + type: keyword + + - name: type + description: Type of this section. + type: keyword + + - name: offset + description: Offset of this section. + type: long + + - name: size + description: Size of this section. + type: long + + - name: entropy + description: Entropy of this section. + type: double + + - name: chi2 + description: Chi-square of this section. + type: double + + - name: flags + description: Flags of this section. + type: keyword + + - name: flags + description: Segment flags. + type: keyword + + - name: libraries + description: Imported libraries. + type: keyword + + - name: imports + description: Imported symbols. + type: keyword + + - name: exports + description: Exported symbols. 
+ type: keyword + + - name: packers + description: Packers. + type: keyword + + - name: symhash + description: Symbol hash. + type: keyword + + - name: cdhash + description: Code Digest (CD) SHA256 hash of the first 20-bytes of the file. + type: keyword + + # LNK + - name: lnk + title: LNK file information. + type: group + description: These fields contain windows LNK metadata. + fields: + - name: name + description: LNK name + type: keyword + + - name: relative_path + description: LNK relative path + type: keyword + + - name: working_directory + description: LNK working directory + type: keyword + + - name: command_line + description: LNK command line + type: keyword + + - name: icon_location + description: LNK icon location + type: keyword + + - name: extra + description: Extra fields in the LNK, type specific + type: flattened + + - name: header.guid + description: LNK guid + type: keyword + + - name: header.link_flags + description: LNK link flags + type: keyword + + - name: header.file_flags + description: LNK file flags + type: keyword + + - name: header.creation_time + description: LNK creation time + type: date + + - name: header.accessed_time + description: LNK accessed time + type: date + + - name: header.modified_time + description: LNK modified time + type: date + + - name: header.file_size + description: LNK file size + type: long + + - name: header.icon_index + description: LNK icon index + type: long + + - name: header.window_style + description: LNK window style + type: keyword + + - name: header.hot_key + description: LNK hot key + type: keyword + + - name: targets + description: LNK targets + type: nested + fields: + - name: size + description: LNK target size + type: integer + + - name: type_id + description: LNK target type id + type: integer + + - name: sha256 + description: LNK target sha256 + type: keyword + + - name: location.flags + description: LNK location flags + type: keyword + + - name: location.common_path_suffix + description: LNK 
common path suffix + type: keyword + + - name: location.local_base_path + description: LNK local base path + type: keyword + + - name: location.volume.drive_type + description: LNK volume drive type + type: keyword + + - name: location.volume.drive_serial_number + description: LNK volume drive serial number + type: keyword + + - name: location.volume.volume_label + description: LNK volume label + type: keyword + + - name: location.network_share.flags + description: LNK network share flags + type: keyword + + - name: location.network_share.provider_type + description: LNK network share provider type + type: keyword + + - name: location.network_share.name + description: LNK network share name + type: keyword + + - name: location.network_share.device_name + description: LNK network share device name + type: keyword diff --git a/auditbeat/module/file_integrity/fields.go b/auditbeat/module/file_integrity/fields.go index c7dce9bc9867..0b9dbfc0f3aa 100644 --- a/auditbeat/module/file_integrity/fields.go +++ b/auditbeat/module/file_integrity/fields.go 
@@ -32,5 +32,5 @@ func init() { // AssetFileIntegrity returns asset data. // This is the base64 encoded gzipped contents of module/file_integrity. func AssetFileIntegrity() string { - return "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" + return "eJzsXF9v47gRf8+nILIPtwckXkuxEzsPBbKJsxts/mGd2961KARKGtm8UKJL0ln7in73Qn8tWZRESV4URS8Pdwt5yPnNcDgznKF0il5he4k8QsEigYQFJ3J7hJAkksIluiUU0F3uuQvC4WQlCQsu0csSBCDMAcklII8AdQVaQAAcS3CRvU2e5+dGPnPXFAZHKBlweYQQQqcowD5coiUWy+gBQnK7gku04Gy9Sp4UmP8leYjQZyyWIBDzMnaDEFoomYjQYbpgnMilHzERCAduRPqG6Roikmyu8PESNggCh7ngIpcsQMiEcnCU0OWR59HbFL+CaVvm+Dz7LRXkFbbfGXdzzwvifLy/+jIz7VNzfB4poSDOUSWns8moK6ezyagNp7FhduU0NkwdTr47zs3E3oB/50TCJZJ8DW15P9yMdXiKJTYOx3T++crQ5GqarRdu/vnKNLXWLJy/YIL95dK0S7HEHUxy/vlK0xrD+a1uuovG6fNov4VjHvp66rJ5Ix5tdNVh20Y8NPesWOIih/6W1opzR1sYG+YHfWuI+HSyh4iPnkVsNsvz1qL8+ut5pRDvcvEZNhICQVggkGQZYRzHkABZiMHhT2kM3qUBqhg8K007u57HSUNxalU03w+i79Ds/jZ5WtIOUC+vmxhWTE8BkcBj3MchqCpNxbpIchSHBRKTAN2TYL1Bsw04a4ltCuGD1+gft9F86P3s/vZn5IPELpZ4UFqevDwqmfIiLAG7wAcOxUIUCCoTm/TvczQSRSPThU5lH+xRF82mDkgoUTscN1jiiEEeRDJbZxg+dpYkgHZIHuJBBwfDhIVt0g7L1WpFiRMZH/pIAsy3UcbMPewAen/18e7nFGFsbk/z7vhCyk62s6+ofqbzBlwU95oGkm/xoEMuF7aJpcZS5T274Wxe4kEtTggk364YCeQet9htXSIhOQkWShkoK/2gt+Q7puWFV4IV4IRTtnRO83hU3gfrGVoAQsL+2qgcaB6jR/FiH6AGyPAvRJOCvSdCxnPtY0P1BpjHEv73QFDCqXogWS23gjiYWszzdiG3L6h4sh6wFN6qK5ZwqkMoSJA/DgUpnROFc6qwpZvb3kpQ2Wxuf1cCfyNcrjG1sOtyKOUNXaEns6Jk1jrwSs/UFv0BtZ5Cb1J6L9yh62SrbTfI8yUOAhakkyAHU2dNY8foceZHrjHxtXUSBGvfBl4pgcvWNoVqGZwlMbsJcL0kp+Kf6/DcsOLMxjahRG6RS0Kd2uu8h/8xYmTLsFkxLlvGo8R1JYPBRUDBh0Dma3/bFZSMPobjUSwlBFCRdxC/B6J48IERiSXm4FqU2BxzUvIzmtDiWVA2C1qLtIBLRLQJmf07OPuRRSNTk0C9XFE3/RNLxuXu1/gM6zGe5QwtBckmIgKJrW8zqpjyBP2+FhJR8grhYqT0yaLuBjzPYvoBugfMA+QzDghLtJRyJS4/fFgQuVzbA4f5HySHwPWJw9mHFEKHdFbAIjSIljLvliWdAFEiSgG7R7alE8AVKHoG64o8VIdzOrQl95SzC/ZanYUr1VdAcxOOzWfBJ4h4aMVBQDntb9B7ZRpXd6ypQBTPlQemUg5ssL+icIkMc3p+dnZeszrqWF55WEEamVCxbEb+yI6q7r5Sa7FPjBrcFbbcSqN3uTNOdKIuNbtiwGxVaYUZ2LuHq08z62b28ZdP1stvzzPr+enTUw184oOQ2F9VR1IsGzfrSzpLNwUfm0NzeGoYp8Pxi3F
xaY4vRxeD4XD4t2P1flph5xV4x5iUDI7jI2M0Dkr13rUC909/P76aP2PnFb2ZA8M8PkHHg8fZC4Ks8nf8j5/2BgehRij5A1TbFHOOtzuZ38UhQ1m5LFhdUrhMAkyV3gsKep5FRdW4nrqr4x7tq6BNKfJPP/enn6uD9qefa+fn1MeC/fy9Bm/q8zClu2OCtw6UidDOrf0LHccp+/YYXaJjXziMAwxcSkMXF2KLnn8CeUsoJIXNcHFD27s6Rv/+6ZCVwKg9gG223uVhoUwO81eEhqYTV06fZ4dLUHUOuRrH2ep0sWKjZ0twNjQvjOnoYAWcb8XKDMJvmNCoI5Xr27WG2+SXcp5lavYuizwAFmseH3HDg3hSB+E4cJkfhFKRQEMWjzKsig0Z2POBWaN4rUpxWlqKiIs91CpY1S40A8Y3/YrGKaq4PnAoVAMJG3mC4r5fJT6Ov2uV6/LRK9ntiPHY1+Z+IgGRJEqj3NBxY8SCcOe9/jgTNqYTYzRS+zUOgq25U5pAN/cp+7y7WMznWdpTFjsmJ0gwP07yErcol+D/r3m4U6NmjxEKOjWC6EZAvgWZ6aiugqht2Te1Fn1or9UCe5NuhyeoRrulW1xK3Ht3sw6rWTizh85oZE4nnmM4xmiKPdsbOZPp9Nyzp+bIvMAwMmB0Ppra07ORg0fT8XRq2BeTsWlPxuNq4SgOFmu8aDSd+4QOERcCSbykDdtLquPrz3ePs/kMze8enu/vbu9mN8cHT6iTCmea2aXroi71lsRWV+Zv4tuoWtPlD79fX6xvs6/zu6fHMC/8+mI9XD3e3c7mL+VjL6o/+iLV8Rc11ux7tOOzEnVU1RW7ur6tSCXzQt9QehcIieNk+IbSr7AgQgKfA38Dnjz8JeDFx70KAXlNEKecQbc4EmjFmohHRZxRgsJruQz3kaIk33TNJTcydeNJHaNTTQY70/F47E6NkW3bhmGC44w9Y2zb08nkwsGTswvDG03PsD2cjoyz0QimF+e2PRkZQ2eC8cVELV9y2LCqjpENQl7Hw3enUC1JFSfSzkfJRAA+UCSKPXbRI/az4JuyqIJ8HfrmBnQ/+tZNxqgKpGEMhoNhRZpHnKWVXL2JOjLFm+U9ke7fLI8ZRY2jGkvJgI8xNjAeeqY9suFieDa9wAZMwbQnF+fmhVPRmai8QdQA9itQLMkbRHlzWiNLjpI2FnCInWyOJ+Pz//cC8AN2lk9H+/L72Fmy3PCk/hsSnz7p14CVl1d97DzNo6nQU9wFex/Pq76wWlcPxtxZEgmOXPP6xmvCKOqOpkDARSQQxIW4WRwJZW8Lcx6u4KOqXDdMWRKiTQW7DhPSqWQjjVSxAqFeRRtpVbVRc2UbNR1bkMYxvCRK6yo3aqx0o+bkHHXR+gGq3qhD5RtpVr9RUwW8JFC3Kjjqkr7khXBW68aKxfMvBQeBJOYLkFkQ7V3sOh+d2kRWYwzt12LcVd5MKr7EFgVOng/xvdFRIiWFUwhcgoN+9yfzoaTnvYv0BQXm+zhwG2unyTVjyrCLasY0eGYd51p5hayE6TGiDM29ACtbuURb6nvnRcQ1TnCX+Zx19rRKJ1kEnWzaw2DWcdy7rsZkMunsd4suKFf0670k9b48Q39/bc1/e3i5+niChhvTaTR4Hy+I07zPFsRJuvC6C6PtD4YbD8D1sOM1gtVqa9xG7Yw4eTgw1Je/Pt3Pvs3uQ92OhtFf3U0u5b22Et55cn0r/w6BnrPt5VfefOy6Wn7lAXzGt1lXLjIAIlL5DmK1w41Ckai5c1TCujvqHxihZb3Mfn05QZZ1c/VyFf7/7uH56etLPew3X9cLJkoWWcZ4cA2PHKW5or2WBvM8HbxRVyNJ0v8rFhEdwzSVe+WzddzZ8GM1S4Z8vNrdSK/aZx1ga6i55o5nCbrqDaPUO6QXPxuapKjZYaAGp4H0tmIJ/d52rOzJFGFWJmv7UGoCcQnKLhj/ECi1Z+ASmKf9jaMJR/3mxj6Wmm1RQjIvOpy
D4qhuPiqhzJKuY2s0VW+D7OOpaCcrweTayj8MT1U6owR0u7ulcTAD1gGizFUq3x7UYJw1QSve2igxvUvvhGUjepzz1LfVqnkmnbceHNVNwRLH2eZgHNWF5xLH55isz8sKW1/RSysxmu/eSenBzHF1eF0zF9JW8fvrm5/Vn2/hQiJzeBqdB9vdMcoI3qH7xy9H+yBp8JqbIql43z9+qS13q+8wNxfBv5PAZd9FNH/bqrciihevHjx+UdFovEfCk66LtcKyts0askiJkYJYg9d3xl9JsLBcwsGRjO/HmhK/ZACqGqDBMznEW7Thww0hu4QWKWg1OBGHBRZlzv63PZSsQmJUQazBCzaS134RYxYSpBaYnKzvH7+cxNVisQKHeKVKgtZbfMnBfLEm9deEH78gBY3+BxMoCV4tVagrsQkplUFRn1n04TctZvHHaHoxczhEyx51/httMiFGCuJcib2OH3YcEAJcLX4pcQ9+PnOJRzT5pcQ9+EWLp8ii1WunIKzKkvf4RBucBC5stHa3ilKTUxwqLCG3tFGomBapaPVNcsmk9QqN/njJJCqT6bxaG/VMGjeXmqxHD1bnevCOcf2LNNF3IYHX90Cskser4xc5Y+UITZZ69y7zElYN0FjENFwpC7tlr5xQd3WWGbcwKrMgyk8ssfY80rj94hFRkoKUI9qwD/9BLRsLvRQpIo/vq3RLkjLGb4yufRi4PMzOFLWTEut4AIoGqIotnZkL4ARTS9nbqkcRj1R3xTrAif9nUWwD1cShom3DOQAZZqFW9NkBPctPhsRfKuht/kUAK87eiAtcyyCKQNKhfU2jCEjrZFLA0e2cUsHehTfigNUeRTywGcx/AgAA//8XkLCX" } diff --git a/libbeat/formats/lnk/header.go b/libbeat/formats/lnk/header.go index 8b7a3168a364..74f0e2e427c8 100644 --- a/libbeat/formats/lnk/header.go +++ b/libbeat/formats/lnk/header.go @@ -201,7 +201,7 @@ func parseHeader(r io.ReaderAt) (*Header, int64, error) { FileFlags: parseFlags(fileFlags, rawFileFlags), CreationTime: normalizeTime(binary.LittleEndian.Uint64(header[28:36])), AccessedTime: normalizeTime(binary.LittleEndian.Uint64(header[36:44])), - ModfiedTime: normalizeTime(binary.LittleEndian.Uint64(header[44:52])), + ModifiedTime: normalizeTime(binary.LittleEndian.Uint64(header[44:52])), FileSize: binary.LittleEndian.Uint32(header[52:56]), IconIndex: binary.LittleEndian.Uint32(header[56:60]), WindowStyle: normalizeWindowStyle(binary.LittleEndian.Uint32(header[60:64])), diff --git a/libbeat/formats/lnk/lnk.go b/libbeat/formats/lnk/lnk.go index a70ebb746d19..46697724116c 100644 --- a/libbeat/formats/lnk/lnk.go +++ b/libbeat/formats/lnk/lnk.go 
@@ -175,11 +175,11 @@ type Header struct {
 FileFlags []string `json:"file_flags"`
 CreationTime *time.Time `json:"creation_time,omitempty"`
 AccessedTime *time.Time `json:"accessed_time,omitempty"`
- ModfiedTime *time.Time `json:"modified_time,omitempty"`
+ ModifiedTime *time.Time `json:"modified_time,omitempty"`
 FileSize uint32 `json:"file_size,omitempty"`
 IconIndex uint32 `json:"icon_index"`
 WindowStyle string `json:"window_style"`
- HotKey string `json:"hotKey,omitempty"`
+ HotKey string `json:"hot_key,omitempty"`
 rawLinkFlags uint32
 rawFileFlags uint32
diff --git a/libbeat/formats/macho/macho.go b/libbeat/formats/macho/macho.go
index c1fded3d5ea3..157e0bef1346 100644
--- a/libbeat/formats/macho/macho.go
+++ b/libbeat/formats/macho/macho.go
@@ -59,6 +59,7 @@ type Segment struct {
 FileOffset int64 `json:"fileoff"`
 FileSize int64 `json:"filesize"`
 Sections []Section `json:"sections,omitempty"`
+ Flags []string `json:"flags,omitempty"`
 }
 // Architecture represents a fat file architecture
@@ -74,7 +75,7 @@ type Architecture struct {
 Packers []string `json:"packers,omitempty"`
 Symhash string `json:"symhash,omitempty"`
 // Exports []string `json:"exports,omitempty"`
- // CDHash string `json:"cdhash"`
+ // CDHash string `json:"cdhash,omitempty"`
 }
 // Info contains high level fingerprinting an analysis of a mach-o file.
From eafb279452f053fbac1ea010fdff566c4e4bc0f6 Mon Sep 17 00:00:00 2001
From: Andrew Stucki
Date: Tue, 23 Feb 2021 15:39:10 -0500
Subject: [PATCH 14/30] Add ignore_failure
---
auditbeat/auditbeat.reference.yml | 6 ++
.../file_integrity/_meta/config.yml.tmpl | 6 ++
auditbeat/module/file_integrity/fields.go | 2 +-
libbeat/docs/processors-list.asciidoc | 6 ++
libbeat/processors/actions/add_file_data.go | 64 +++++++++++--------
.../processors/actions/add_file_data_test.go | 26 ++++++++
.../actions/docs/add_file_data.asciidoc | 34 ++++++++++
x-pack/auditbeat/auditbeat.reference.yml | 6 ++
8 files changed, 124 insertions(+), 26 deletions(-)
create mode 100644 libbeat/processors/actions/docs/add_file_data.asciidoc
diff --git a/auditbeat/auditbeat.reference.yml b/auditbeat/auditbeat.reference.yml
index 8ceb7914f045..0280a1aae727 100644
--- a/auditbeat/auditbeat.reference.yml
+++ b/auditbeat/auditbeat.reference.yml
@@ -116,6 +116,12 @@ auditbeat.modules:
 # Set to true to publish fields with null values in events.
 #keep_null: false
+ # Uncomment the following to parse object files that trigger events
+ #processors:
+ # - add_file_data:
+ # ignore_failure: true
+
+
 # ================================== General ===================================
diff --git a/auditbeat/module/file_integrity/_meta/config.yml.tmpl b/auditbeat/module/file_integrity/_meta/config.yml.tmpl
index af346d9fb984..5298703fc9da 100644
--- a/auditbeat/module/file_integrity/_meta/config.yml.tmpl
+++ b/auditbeat/module/file_integrity/_meta/config.yml.tmpl
@@ -77,4 +77,10 @@
 # Set to true to publish fields with null values in events.
 #keep_null: false
+
+ # Uncomment the following to parse object files that trigger events
+ #processors:
+ # - add_file_data:
+ # ignore_failure: true
+
 {{ end }}
diff --git a/auditbeat/module/file_integrity/fields.go b/auditbeat/module/file_integrity/fields.go
index 0b9dbfc0f3aa..b44b5dc0ff06 100644
--- a/auditbeat/module/file_integrity/fields.go
+++ b/auditbeat/module/file_integrity/fields.go
@@ -32,5 +32,5 @@ func init() { // AssetFileIntegrity returns asset data. // This is the base64 encoded gzipped contents of module/file_integrity. func AssetFileIntegrity() string { - return "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" + return "eJzsXF9v47gRf8+nILIPtwckXkuxEzsPBbKJsxts/mGd2961KARKGtm8UKJL0ln7in73Qn8tWZRESV4URS8Pdwt5yPnNcDgznKF0il5he4k8QsEigYQFJ3J7hJAkksIluiUU0F3uuQvC4WQlCQsu0csSBCDMAcklII8AdQVaQAAcS3CRvU2e5+dGPnPXFAZHKBlweYQQQqcowD5coiUWy+gBQnK7gku04Gy9Sp4UmP8leYjQZyyWIBDzMnaDEFoomYjQYbpgnMilHzERCAduRPqG6Roikmyu8PESNggCh7ngIpcsQMiEcnCU0OWR59HbFL+CaVvm+Dz7LRXkFbbfGXdzzwvifLy/+jIz7VNzfB4poSDOUSWns8moK6ezyagNp7FhduU0NkwdTr47zs3E3oB/50TCJZJ8DW15P9yMdXiKJTYOx3T++crQ5GqarRdu/vnKNLXWLJy/YIL95dK0S7HEHUxy/vlK0xrD+a1uuovG6fNov4VjHvp66rJ5Ix5tdNVh20Y8NPesWOIih/6W1opzR1sYG+YHfWuI+HSyh4iPnkVsNsvz1qL8+ut5pRDvcvEZNhICQVggkGQZYRzHkABZiMHhT2kM3qUBqhg8K007u57HSUNxalU03w+i79Ds/jZ5WtIOUC+vmxhWTE8BkcBj3MchqCpNxbpIchSHBRKTAN2TYL1Bsw04a4ltCuGD1+gft9F86P3s/vZn5IPELpZ4UFqevDwqmfIiLAG7wAcOxUIUCCoTm/TvczQSRSPThU5lH+xRF82mDkgoUTscN1jiiEEeRDJbZxg+dpYkgHZIHuJBBwfDhIVt0g7L1WpFiRMZH/pIAsy3UcbMPewAen/18e7nFGFsbk/z7vhCyk62s6+ofqbzBlwU95oGkm/xoEMuF7aJpcZS5T274Wxe4kEtTggk364YCeQet9htXSIhOQkWShkoK/2gt+Q7puWFV4IV4IRTtnRO83hU3gfrGVoAQsL+2qgcaB6jR/FiH6AGyPAvRJOCvSdCxnPtY0P1BpjHEv73QFDCqXogWS23gjiYWszzdiG3L6h4sh6wFN6qK5ZwqkMoSJA/DgUpnROFc6qwpZvb3kpQ2Wxuf1cCfyNcrjG1sOtyKOUNXaEns6Jk1jrwSs/UFv0BtZ5Cb1J6L9yh62SrbTfI8yUOAhakkyAHU2dNY8foceZHrjHxtXUSBGvfBl4pgcvWNoVqGZwlMbsJcL0kp+Kf6/DcsOLMxjahRG6RS0Kd2uu8h/8xYmTLsFkxLlvGo8R1JYPBRUDBh0Dma3/bFZSMPobjUSwlBFCRdxC/B6J48IERiSXm4FqU2BxzUvIzmtDiWVA2C1qLtIBLRLQJmf07OPuRRSNTk0C9XFE3/RNLxuXu1/gM6zGe5QwtBckmIgKJrW8zqpjyBP2+FhJR8grhYqT0yaLuBjzPYvoBugfMA+QzDghLtJRyJS4/fFgQuVzbA4f5HySHwPWJw9mHFEKHdFbAIjSIljLvliWdAFEiSgG7R7alE8AVKHoG64o8VIdzOrQl95SzC/ZanYUr1VdAcxOOzWfBJ4h4aMVBQDntb9B7ZRpXd6ypQBTPlQemUg5ssL+icIkMc3p+dnZeszrqWF55WEEamVCxbEb+yI6q7r5Sa7FPjBrcFbbcSqN3uTNOdKIuNbtiwGxVaYUZ2LuHq08z62b28ZdP1stvzzPr+enTUw184oOQ2F9VR1IsGzfrSzpLNwUfm0NzeGoYp8Pxi3F
xaY4vRxeD4XD4t2P1flph5xV4x5iUDI7jI2M0Dkr13rUC909/P76aP2PnFb2ZA8M8PkHHg8fZC4Ks8nf8j5/2BgehRij5A1TbFHOOtzuZ38UhQ1m5LFhdUrhMAkyV3gsKep5FRdW4nrqr4x7tq6BNKfJPP/enn6uD9qefa+fn1MeC/fy9Bm/q8zClu2OCtw6UidDOrf0LHccp+/YYXaJjXziMAwxcSkMXF2KLnn8CeUsoJIXNcHFD27s6Rv/+6ZCVwKg9gG223uVhoUwO81eEhqYTV06fZ4dLUHUOuRrH2ep0sWKjZ0twNjQvjOnoYAWcb8XKDMJvmNCoI5Xr27WG2+SXcp5lavYuizwAFmseH3HDg3hSB+E4cJkfhFKRQEMWjzKsig0Z2POBWaN4rUpxWlqKiIs91CpY1S40A8Y3/YrGKaq4PnAoVAMJG3mC4r5fJT6Ov2uV6/LRK9ntiPHY1+Z+IgGRJEqj3NBxY8SCcOe9/jgTNqYTYzRS+zUOgq25U5pAN/cp+7y7WMznWdpTFjsmJ0gwP07yErcol+D/r3m4U6NmjxEKOjWC6EZAvgWZ6aiugqht2Te1Fn1or9UCe5NuhyeoRrulW1xK3Ht3sw6rWTizh85oZE4nnmM4xmiKPdsbOZPp9Nyzp+bIvMAwMmB0Ppra07ORg0fT8XRq2BeTsWlPxuNq4SgOFmu8aDSd+4QOERcCSbykDdtLquPrz3ePs/kMze8enu/vbu9mN8cHT6iTCmea2aXroi71lsRWV+Zv4tuoWtPlD79fX6xvs6/zu6fHMC/8+mI9XD3e3c7mL+VjL6o/+iLV8Rc11ux7tOOzEnVU1RW7ur6tSCXzQt9QehcIieNk+IbSr7AgQgKfA38Dnjz8JeDFx70KAXlNEKecQbc4EmjFmohHRZxRgsJruQz3kaIk33TNJTcydeNJHaNTTQY70/F47E6NkW3bhmGC44w9Y2zb08nkwsGTswvDG03PsD2cjoyz0QimF+e2PRkZQ2eC8cVELV9y2LCqjpENQl7Hw3enUC1JFSfSzkfJRAA+UCSKPXbRI/az4JuyqIJ8HfrmBnQ/+tZNxqgKpGEMhoNhRZpHnKWVXL2JOjLFm+U9ke7fLI8ZRY2jGkvJgI8xNjAeeqY9suFieDa9wAZMwbQnF+fmhVPRmai8QdQA9itQLMkbRHlzWiNLjpI2FnCInWyOJ+Pz//cC8AN2lk9H+/L72Fmy3PCk/hsSnz7V1oDVRd3mK60+dp7mEQP0FPfG3sfc1NdY66rEmDtLIsGRa17fjk0YRT3TFAi4iASCuBC3kCNR7W1hzsOVgVT17IYpS0K0qWvXYUI69W2kkUBWINSrcyOtWjdqrnejpsMM0jicl0RpXftGjfVv1Jyyoy5aP0AtHHWohyPNmjhqqouXBOpWG0ddkpq8EM5q3VjHeP6l4CCQxHwBMgutvUtg56NTm8hqjKH9Woy7yvtKxVfbonDK84G/NzpKpKRwCoFLcNDvVmU+wPS8jZG+tsB8HwduY0U1uXxMGXZRzZgGz6zjXCsvlpUwPUaUobkXYGUrl2hLfRu9iLjGCe7yobPOnlbpJIugk017GMw6jnvX65hMJp39btEF5UqBvZek3pdn6O+vrflvDy9XH0/QcGM6jQbv4wVxmvfZgjhJb153YbT9wXDjAbgedrxGsFrNjtuoyREnDweG+vLXp/vZt9l9qNvRMPqru9+lvO1WwjtPLnXl3yzQc7a9/Mqbj11Xy688gM/4NuvVRQZARCrfQax2uFEoEjX3k0pYdwWAAyO0rJfZry8nyLJurl6uwv/fPTw/fX2ph/3m63rBRMkiyxgPruGRozRXtNfoYJ6ngzfqdSRJ+n/FIqJjmKZyr3y2jvsdfqxmyZCPV7t76lX7rANsDTXX3PwsQVe9d5R6h/Q6aEPrFDU7DNTgNJDeViyh39uOlZ2aIszKZG0fSk0gLkHZBeMfAqX2DFwC87S/cTThqN/n2MdSsy1KSOZ
Fh3NQHNUtSSWUWdKLbI2m6h2RfTwVTWYlmFyz+YfhqUpnlIBud3c3DmbAOkCUuUrlO4UajLPWaMW7HCWmd+lNsWxEj3Oe+g5bNc+kH9eDo7pVWOI42xyMo7ocXeL4HJP1eYVh6ys6bCVG892bKj2YOa4Or2vmQtpAfn9987P6oy5cSGQOT6PzYLubRxnBO3T/+OVoHyQNXnNTJHXw+8cvP6QI/p0ELvsuovnbVr0VUbx4IeHxi4pG4+0SnvRirBWWtc3XkEVKjBTEGry+M/5KgoXlEg6OZHw/1pT4JQNQ1QANnskh3qINn3MI2SW0SEGrwYk4LLAoc/a/+KFkFRKjCmINXrCRvPY7GbOQILXA5GR9//jlJK4WixU4xCtVErTe7UsO5os1qb88/PgFKWj0P6NASfBqqUJdiU1IqQyK+syiz8FpMYs/UdOLmcMhWvboPkCjTSbESEGcK7HX8cOOA0KAq8UvJe7Bz2cu8Ygmv5S4B79o8RRZtHrtFIRVWfIen2iDk8CFjdbuVlFqcopDhSXkljYKFdMiFa2+SS6ZtF6h0R8vmURlMp0XbqOeSePmUpP16MHqXBreMa5/vSb6WiTw+h6IVfJ4dfwiZ6wcoclS7zZmXsKqARqLmIYrZWG37JUT6q7OMuMWRmUWRPmJJdaeRxq3XzwiSlKQckQb9uE/qGVjoZciReTxLZZuSVLG+I3RtQ8Dl4fZmaJ2UmIdD0DRAFWxpTNzAZxgail7W/Uo4pHqrlgHOPH/LIptoJo4VLRtOAcgwyzUij5GoGf5yZD4+wW9zb8IYMXZG3GBaxlEEUg6tK9pFAFpnUwKOLqdUyrYu/BGHLDao4gHNoP5TwAAAP//wZC2Kg==" } diff --git a/libbeat/docs/processors-list.asciidoc b/libbeat/docs/processors-list.asciidoc index e2670ebc39e3..ae9e8143a333 100644 --- a/libbeat/docs/processors-list.asciidoc +++ b/libbeat/docs/processors-list.asciidoc @@ -14,6 +14,9 @@ endif::[] ifndef::no_add_fields_processor[] * <> endif::[] +ifndef::no_add_file_data_processor[] +* <> +endif::[] ifndef::no_add_host_metadata_processor[] * <> endif::[] @@ -128,6 +131,9 @@ endif::[] ifndef::no_add_fields_processor[] include::{libbeat-processors-dir}/actions/docs/add_fields.asciidoc[] endif::[] +ifndef::no_add_file_data_processor[] +include::{libbeat-processors-dir}/actions/docs/add_file_data.asciidoc[] +endif::[] ifndef::no_add_host_metadata_processor[] include::{libbeat-processors-dir}/add_host_metadata/docs/add_host_metadata.asciidoc[] endif::[] diff --git a/libbeat/processors/actions/add_file_data.go b/libbeat/processors/actions/add_file_data.go index 1820d9873180..ab95a3b1fa55 100644 --- a/libbeat/processors/actions/add_file_data.go +++ b/libbeat/processors/actions/add_file_data.go 
@@ -27,63 +27,73 @@ import (
 "github.com/elastic/beats/v7/libbeat/beat"
 "github.com/elastic/beats/v7/libbeat/common"
+ "github.com/elastic/beats/v7/libbeat/common/cfgwarn"
 "github.com/elastic/beats/v7/libbeat/formats/elf"
 "github.com/elastic/beats/v7/libbeat/formats/lnk"
 "github.com/elastic/beats/v7/libbeat/formats/macho"
 "github.com/elastic/beats/v7/libbeat/formats/pe"
+ "github.com/elastic/beats/v7/libbeat/logp"
 "github.com/elastic/beats/v7/libbeat/mime"
 "github.com/elastic/beats/v7/libbeat/processors"
 "github.com/elastic/beats/v7/libbeat/processors/checks"
 )
+const (
+ addFileDataName = "add_file_data"
+ addFileDataLogName = "processor." + addFileDataName
+ defaultFilePathField = "file.path"
+ defaultTargetField = "file"
+)
+
 func init() {
- processors.RegisterPlugin("add_file_data",
+ processors.RegisterPlugin(addFileDataName,
 checks.ConfigChecked(NewAddFileData,
 checks.AllowedFields("field", "target", "exclude", "only", "pattern")))
 }
 type addFileDataProcessor struct {
- Field string `config:"field"`
- Target string `config:"target"`
- Exclude *[]string `config:"exclude"`
- Only *[]string `config:"only"`
- Pattern string `config:"pattern"`
+ Field string `config:"field"`
+ Target string `config:"target"`
+ Exclude *[]string `config:"exclude"`
+ Only *[]string `config:"only"`
+ Pattern string `config:"pattern"`
+ IgnoreFailure bool `config:"ignore_failure"`
+
 parsers []*parser
 compiled *regexp.Regexp
+ log *logp.Logger
 }
-const (
- defaultFilePathField = "file.path"
- defaultTargetField = "file"
-)
-
 // NewAddFileData constructs a add format data processor.
 func NewAddFileData(cfg *common.Config) (processors.Processor, error) {
- addFormatData := &addFileDataProcessor{
+ cfgwarn.Beta("The " + addFileDataName + " processor is beta.")
+ log := logp.NewLogger(addFileDataLogName)
+ addFileData := &addFileDataProcessor{
 Field: defaultFilePathField,
 Target: defaultTargetField,
+ log: log,
 }
- if err := cfg.Unpack(addFormatData); err != nil {
- return nil, errors.Wrapf(err, "fail to unpack the add_file_data configuration")
+ if err := cfg.Unpack(addFileData); err != nil {
+ return nil, errors.Wrapf(err, "fail to unpack the "+addFileDataName+" configuration")
 }
- if addFormatData.Pattern != "" {
- compiled, err := regexp.Compile(addFormatData.Pattern)
+ if addFileData.Pattern != "" {
+ compiled, err := regexp.Compile(addFileData.Pattern)
 if err != nil {
- return nil, errors.Wrap(err, fmt.Sprintf("invalid pattern for add_file_data: '%s'", addFormatData.Pattern))
+ return nil, errors.Wrap(err, fmt.Sprintf("invalid pattern for "+addFileDataName+": '%s'", addFileData.Pattern))
 }
- addFormatData.compiled = compiled
+ addFileData.compiled = compiled
 }
 parsers := allParsers
 // only takes precedence to exclude
- if addFormatData.Only != nil {
- parsers = onlyParsers(*addFormatData.Only)
+ if addFileData.Only != nil {
+ parsers = onlyParsers(*addFileData.Only)
 }
- if addFormatData.Exclude != nil {
- parsers = filterParsers(*addFormatData.Exclude)
+ if addFileData.Exclude != nil {
+ parsers = filterParsers(*addFileData.Exclude)
 }
- addFormatData.parsers = parsers
+ addFileData.parsers = parsers
- return addFormatData, nil
+ return addFileData, nil
 }
 func (a *addFileDataProcessor) applyParser(event *beat.Event, path string) error {
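Review bot: In NewAddFileData, an `exclude` list given together with `only` discards the `only` selection: `parsers = filterParsers(*addFileData.Exclude)` overwrites the result of `onlyParsers`, which contradicts the `// only takes precedence to exclude` comment if filterParsers starts from allParsers as its name suggests — apply the exclusion to the already-narrowed `parsers`, or reject the combination at config time. The new `IgnoreFailure` field is not added to the `checks.AllowedFields(...)` list in the same hunk, so a config that sets it is rejected by the registered wrapper before Unpack ever sees it (the next patch in this series adds it). On style, the error messages are assembled by string concatenation inside format calls; `errors.Wrapf(err, "invalid pattern for %s: %q", addFileDataName, addFileData.Pattern)` keeps the format string constant and drops the nested Sprintf.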
@@ -130,13 +140,17 @@ func (a *addFileDataProcessor) Run(event *beat.Event) (*beat.Event, error) {
 }
 }
 if err := a.applyParser(event, val); err != nil {
+ if a.IgnoreFailure {
+ a.log.Debugf("failed to parse file because of error: %v", err)
+ return event, nil
+ }
 return event, err
 }
 return event, nil
 }
 func (a *addFileDataProcessor) String() string {
- return fmt.Sprintf("add_file_data=%+v,%+v,%+v", a.Field, a.Exclude, a.Only)
+ return fmt.Sprintf("%s=%+v,%+v,%+v", addFileDataName, a.Field, a.Exclude, a.Only)
 }
 type parser struct {
diff --git a/libbeat/processors/actions/add_file_data_test.go b/libbeat/processors/actions/add_file_data_test.go
index a16dac714240..495cd7bb8ec0 100644
--- a/libbeat/processors/actions/add_file_data_test.go
+++ b/libbeat/processors/actions/add_file_data_test.go
@@ -171,3 +171,29 @@ func TestFileDataTarget(t *testing.T) {
 _, ok := data.(*pe.Info)
 require.True(t, ok)
 }
+
+func TestFileDataIgnoreFailure(t *testing.T) {
+ evt := beat.Event{
+ Fields: common.MapStr{
+ "file.path": "./doesnotexist",
+ },
+ }
+ p, err := NewAddFileData(common.MustNewConfigFrom(map[string]interface{}{
+ "ignore_failure": true,
+ }))
+ require.NoError(t, err)
+ _, err = p.Run(&evt)
+ require.NoError(t, err)
+}
+
+func TestFileDataNoIgnoreFailure(t *testing.T) {
+ evt := beat.Event{
+ Fields: common.MapStr{
+ "file.path": "./doesnotexist",
+ },
+ }
+ p, err := NewAddFileData(common.MustNewConfigFrom(map[string]interface{}{}))
+ require.NoError(t, err)
+ _, err = p.Run(&evt)
+ require.Error(t, err)
+}
diff --git a/libbeat/processors/actions/docs/add_file_data.asciidoc b/libbeat/processors/actions/docs/add_file_data.asciidoc
new file mode 100644
index 000000000000..a6b24c1f132a
--- /dev/null
+++ b/libbeat/processors/actions/docs/add_file_data.asciidoc
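Review bot: The ignore_failure branch in Run logs the error without the file that failed, so an operator cannot tell from the debug log which path the processor gave up on; `val` is already in scope from the applyParser call, so `a.log.Debugf("failed to parse file %q: %v", val, err)` carries it at no cost. Since the event is then published without any parsed data, a Warn (or rate-limited warning) may be more appropriate than Debug for what is otherwise a silent loss of the fields documented in fields.yml. String() in the same hunk still reports only Field, Exclude and Only, so processors that differ in Target, Pattern or IgnoreFailure print identically. Run starts outside the hunk.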
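Review bot: TestFileDataIgnoreFailure builds the processor by calling NewAddFileData directly, which bypasses the checks.ConfigChecked/AllowedFields wrapper that init() registers; if that wrapper is where unknown keys are rejected, the test cannot notice that `ignore_failure` is missing from the AllowedFields list in this commit (the following patch adds it). Constructing the processor through the registered plugin, or adding one case that goes through the checked constructor, would cover the configuration path users actually hit. Both tests also depend on `./doesnotexist` being absent from the working directory; a path under `t.TempDir()` makes that deterministic.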
@@ -0,0 +1,34 @@
+[[add-file-data]]
+=== Add file data
+
+++++
+add_file_data
+++++
+
+beta[]
+
+The `add_file_data` processor adds file format specific data based
+off of a file at a given path in `field`. If the processor
+supports the file's file type, the extracted information is added
+under the `target` field with a sub-key based off of the type. The
+supported file types are `pe`, `macho`, `elf`, and `lnk`.
+
+`field`:: Use the given field as a file path.
+`target`:: Use the given field as the location for dumping the file data.
+`exclude`:: Exclude the specified file parsers.
+`only`:: Use only the specified file parsers.
+`pattern`:: Only attempt to parse files that match the given regex.
+`ignore_failure`:: No-op if the file could not successfully be parsed.
+
+[source,yaml]
+-------
+processors:
+ - add_file_data:
+ field: dll.path
+ target: dll
+ only:
+ - pe
+ pattern: "^.*\.dll$"
+-------
+
+See <> for a list of supported conditions.
diff --git a/x-pack/auditbeat/auditbeat.reference.yml b/x-pack/auditbeat/auditbeat.reference.yml
index 274bc3f3b331..4d155d0e5172 100644
--- a/x-pack/auditbeat/auditbeat.reference.yml
+++ b/x-pack/auditbeat/auditbeat.reference.yml
@@ -116,6 +116,12 @@ auditbeat.modules:
 # Set to true to publish fields with null values in events.
 #keep_null: false
+ # Uncomment the following to parse object files that trigger events
+ #processors:
+ # - add_file_data:
+ # ignore_failure: true
+
+
 # The system module collects security related information about a host.
 # All datasets send both periodic state information (e.g. all currently
 # running processes) and real-time changes (e.g. when a new process starts
From 9ef18b7897af552a80b5e59326854a22b8a2564a Mon Sep 17 00:00:00 2001
From: Andrew Stucki
Date: Tue, 23 Feb 2021 15:54:17 -0500
Subject: [PATCH 15/30] Fix ignore_failure option
---
libbeat/formats/dwarf/dwarf.go | 2 +-
libbeat/processors/actions/add_file_data.go | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/libbeat/formats/dwarf/dwarf.go b/libbeat/formats/dwarf/dwarf.go
index b2c4d54b7729..b0bc5a2c1159 100644
--- a/libbeat/formats/dwarf/dwarf.go
+++ b/libbeat/formats/dwarf/dwarf.go
@@ -130,7 +130,7 @@ func Parse(data *dwarf.Data) ([]DWARF, error) {
 var compiledAt *time.Time
 if entry.Tag == dwarf.TagCompileUnit {
 lreader, err := data.LineReader(entry)
- if err == nil {
+ if err == nil && lreader != nil {
 // just skip if we can't read the data
 for _, f := range lreader.Files() {
 if f != nil && f.Mtime != 0 {
diff --git a/libbeat/processors/actions/add_file_data.go b/libbeat/processors/actions/add_file_data.go
index ab95a3b1fa55..30eb89206f4c 100644
--- a/libbeat/processors/actions/add_file_data.go
+++ b/libbeat/processors/actions/add_file_data.go
@@ -48,7 +48,7 @@ const (
 func init() {
 processors.RegisterPlugin(addFileDataName,
 checks.ConfigChecked(NewAddFileData,
- checks.AllowedFields("field", "target", "exclude", "only", "pattern")))
+ checks.AllowedFields("field", "target", "exclude", "only", "pattern", "ignore_failure")))
 }
 type addFileDataProcessor struct {
From 61c74ccb1a18eff9f94f87055a5156147a01b47f Mon Sep 17 00:00:00 2001
From: Andrew Stucki
Date: Tue, 23 Feb 2021 17:10:10 -0500
Subject: [PATCH 16/30] Fix marshaling issues with struct tags
---
libbeat/processors/actions/add_file_data.go | 10 +++++++-
.../processors/actions/add_file_data_test.go | 24 ++++--------------
2 files changed, 14 insertions(+), 20 deletions(-)
diff --git a/libbeat/processors/actions/add_file_data.go b/libbeat/processors/actions/add_file_data.go
index 30eb89206f4c..1dc29d086fb8 100644
--- a/libbeat/processors/actions/add_file_data.go
+++ b/libbeat/processors/actions/add_file_data.go
@@ -18,6 +18,7 @@ package actions
 import (
+ "encoding/json"
 "fmt"
 "io"
 "os"
@@ -114,7 +115,7 @@ func (a *addFileDataProcessor) applyParser(event *beat.Event, path string) error
 }
 target := a.Target + "." + parser.target
 event.Fields.DeepUpdate(common.MapStr{
- target: data,
+ target: honorStructTagsHack(data),
 })
 return nil
 }
@@ -122,6 +123,13 @@ func (a *addFileDataProcessor) applyParser(event *beat.Event, path string) error
 return nil
 }

+func honorStructTagsHack(data interface{}) map[string]interface{} {
+ unmarshaled := make(map[string]interface{})
+ marshaled, _ := json.Marshal(data)
+ json.Unmarshal(marshaled, &unmarshaled)
+ return unmarshaled
+}
+
 func (a *addFileDataProcessor) Run(event *beat.Event) (*beat.Event, error) {
 valI, err := event.GetValue(a.Field)
 if err != nil {
diff --git a/libbeat/processors/actions/add_file_data_test.go b/libbeat/processors/actions/add_file_data_test.go
index 495cd7bb8ec0..e89b065a1eae 100644
--- a/libbeat/processors/actions/add_file_data_test.go
+++ b/libbeat/processors/actions/add_file_data_test.go
@@ -24,10 +24,6 @@ import (

 "github.com/elastic/beats/v7/libbeat/beat"
 "github.com/elastic/beats/v7/libbeat/common"
- "github.com/elastic/beats/v7/libbeat/formats/elf"
- "github.com/elastic/beats/v7/libbeat/formats/lnk"
- "github.com/elastic/beats/v7/libbeat/formats/macho"
- "github.com/elastic/beats/v7/libbeat/formats/pe"
 )

 func TestFileDataPE(t *testing.T) {
@@ -42,10 +38,8 @@ func TestFileDataPE(t *testing.T) {
 require.NoError(t, err)
 observed, err := p.Run(&evt)
 require.NoError(t, err)
- data, err := observed.Fields.GetValue("file.pe")
+ _, err = observed.Fields.GetValue("file.pe")
 require.NoError(t, err)
- _, ok := data.(*pe.Info)
- require.True(t, ok)
 }

 func TestFileDataMachO(t *testing.T) {
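Review bot: `honorStructTagsHack` discards both the `json.Marshal` error and the `json.Unmarshal` error, so a parser result that cannot be encoded is published as an empty object under `target` with no error at all, even when `ignore_failure` is false. The JSON round trip also decodes every integer field as float64, which silently loses precision for 64-bit values such as addresses or sizes if the parser structs carry any (not visible from this hunk); decoding through a `json.Decoder` with `UseNumber()` would keep them intact. The function should return the error and the call site in the `@@ -114,7 +115,7 @@` hunk on the same line should propagate it instead of writing the result unconditionally. The rest of applyParser lies outside the hunk.
```go
	// … unchanged: earlier part of applyParser …
	fields, err := honorStructTagsHack(data)
	if err != nil {
		return err
	}
	target := a.Target + "." + parser.target
	event.Fields.DeepUpdate(common.MapStr{
		target: fields,
	})
	return nil
}

// honorStructTagsHack round-trips the parser output through encoding/json so
// that the published field names follow the structs' json tags. It returns an
// error instead of an empty map when the value cannot be encoded or decoded.
func honorStructTagsHack(data interface{}) (map[string]interface{}, error) {
	marshaled, err := json.Marshal(data)
	if err != nil {
		return nil, fmt.Errorf("encoding file data: %w", err)
	}
	unmarshaled := make(map[string]interface{})
	if err := json.Unmarshal(marshaled, &unmarshaled); err != nil {
		return nil, fmt.Errorf("decoding file data: %w", err)
	}
	return unmarshaled, nil
}
```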
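Review bot: The test hunk for TestFileDataPE here, and the TestFileDataMachO, TestFileDataElf, TestFileDataLnk and TestFileDataTarget hunks on the next line, now only check that the target key exists; since `honorStructTagsHack` returns an empty map when marshaling fails, an empty `file.pe` value still passes. Keep the value and assert it is populated: `data, err := observed.Fields.GetValue("file.pe")`, `require.NoError(t, err)`, `require.NotEmpty(t, data)`. Asserting one known sub-key from the fixture would additionally catch a regression in the json tag naming that this commit is meant to fix.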
@@ -60,10 +54,8 @@ func TestFileDataMachO(t *testing.T) {
 require.NoError(t, err)
 observed, err := p.Run(&evt)
 require.NoError(t, err)
- data, err := observed.Fields.GetValue("file.macho")
+ _, err = observed.Fields.GetValue("file.macho")
 require.NoError(t, err)
- _, ok := data.(*macho.Info)
- require.True(t, ok)
 }

 func TestFileDataElf(t *testing.T) {
@@ -78,10 +70,8 @@ func TestFileDataElf(t *testing.T) {
 require.NoError(t, err)
 observed, err := p.Run(&evt)
 require.NoError(t, err)
- data, err := observed.Fields.GetValue("file.elf")
+ _, err = observed.Fields.GetValue("file.elf")
 require.NoError(t, err)
- _, ok := data.(*elf.Info)
- require.True(t, ok)
 }

 func TestFileDataLnk(t *testing.T) {
@@ -96,10 +86,8 @@ func TestFileDataLnk(t *testing.T) {
 require.NoError(t, err)
 observed, err := p.Run(&evt)
 require.NoError(t, err)
- data, err := observed.Fields.GetValue("file.lnk")
+ _, err = observed.Fields.GetValue("file.lnk")
 require.NoError(t, err)
- _, ok := data.(*lnk.Info)
- require.True(t, ok)
 }

 func TestFileDataOnly(t *testing.T) {
@@ -166,10 +154,8 @@ func TestFileDataTarget(t *testing.T) {
 require.NoError(t, err)
 observed, err := p.Run(&evt)
 require.NoError(t, err)
- data, err := observed.Fields.GetValue("zoiks.pe")
+ _, err = observed.Fields.GetValue("zoiks.pe")
 require.NoError(t, err)
- _, ok := data.(*pe.Info)
- require.True(t, ok)
 }

 func TestFileDataIgnoreFailure(t *testing.T) {
From da0b595522c4b7715aa690f1d3bb15e1d4335c39 Mon Sep 17 00:00:00 2001
From: Andrew Stucki
Date: Tue, 23 Feb 2021 19:17:41 -0500
Subject: [PATCH 17/30] Re-generate notice

---
 NOTICE.txt | 280 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 280 insertions(+)

diff --git a/NOTICE.txt b/NOTICE.txt
index 6e1844076440..a145fdfa0d7a 100644
--- a/NOTICE.txt
+++ b/NOTICE.txt
@@ -11809,6 +11809,42 @@ freely, subject to the following restrictions: distribution. +-------------------------------------------------------------------------------- +Dependency : github.com/knightsc/gapstone +Version: v4.0.1+incompatible +Licence type (autodetected): BSD-3-Clause +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/knightsc/gapstone@v4.0.1+incompatible/LICENSE: + +Copyright (c) 2019 Scott Knight + +Redistribution and use in source and binary forms, with or without modification, +are permitted provided that the following conditions are met: + +1. Redistributions of source code must retain the above copyright notice, this +list of conditions and the following disclaimer. + +2. Redistributions in binary form must reproduce the above copyright notice, +this list of conditions and the following disclaimer in the documentation and/or +other materials provided with the distribution. + +3. Neither the name of the copyright holder nor the names of its contributors +may be used to endorse or promote products derived from this software without +specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR +ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON +ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ + -------------------------------------------------------------------------------- Dependency : github.com/lib/pq Version: v1.1.2-0.20190507191818-2ff3cb3adc01 
@@ -12088,6 +12124,218 @@ Copyright 2014 CloudFlare. All rights reserved. Use of this source code is governed by a BSD-style license that can be found in the LICENSE file. +-------------------------------------------------------------------------------- +Dependency : github.com/minio/sha256-simd +Version: v1.0.0 +Licence type (autodetected): Apache-2.0 +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/minio/sha256-simd@v1.0.0/LICENSE: + + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. 
+ + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. 
You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. 
+ + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. 
In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. 
+ + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + + -------------------------------------------------------------------------------- Dependency : github.com/mitchellh/gox Version: v1.0.1 
@@ -34419,6 +34667,38 @@ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +-------------------------------------------------------------------------------- +Dependency : github.com/klauspost/cpuid/v2 +Version: v2.0.4 +Licence type (autodetected): MIT +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/klauspost/cpuid/v2@v2.0.4/LICENSE: + +The MIT License (MIT) + +Copyright (c) 2015 Klaus Post + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. + + + -------------------------------------------------------------------------------- Dependency : github.com/konsorten/go-windows-terminal-sequences Version: v1.0.2 From 33daf07497f78ee98bf74c2cdb8594b479bb6c5a Mon Sep 17 00:00:00 2001 
From: Andrew Stucki
Date: Tue, 23 Feb 2021 21:12:50 -0500
Subject: [PATCH 18/30] Remove telfhash

---
 NOTICE.txt | 36 ---
 go.mod | 1 -
 go.sum | 2 -
 libbeat/formats/elf/elf.go | 11 +-
 libbeat/formats/elf/telfhash.go | 238 -----------------
 libbeat/formats/elf/tlsh.go | 246 ------------------
 .../fixtures/elf/hello-linux.fingerprint | 1 -
 7 files changed, 5 insertions(+), 530 deletions(-)
 delete mode 100644 libbeat/formats/elf/telfhash.go
 delete mode 100644 libbeat/formats/elf/tlsh.go

diff --git a/NOTICE.txt b/NOTICE.txt
index a145fdfa0d7a..56895fc65dc8 100644
--- a/NOTICE.txt
+++ b/NOTICE.txt
@@ -11809,42 +11809,6 @@ freely, subject to the following restrictions: distribution. --------------------------------------------------------------------------------- -Dependency : github.com/knightsc/gapstone -Version: v4.0.1+incompatible -Licence type (autodetected): BSD-3-Clause --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/github.com/knightsc/gapstone@v4.0.1+incompatible/LICENSE: - -Copyright (c) 2019 Scott Knight - -Redistribution and use in source and binary forms, with or without modification, -are permitted provided that the following conditions are met: - -1. Redistributions of source code must retain the above copyright notice, this -list of conditions and the following disclaimer. - -2. Redistributions in binary form must reproduce the above copyright notice, -this list of conditions and the following disclaimer in the documentation and/or -other materials provided with the distribution. - -3. Neither the name of the copyright holder nor the names of its contributors -may be used to endorse or promote products derived from this software without -specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED -WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR -ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON -ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- - -------------------------------------------------------------------------------- Dependency : github.com/lib/pq Version: v1.1.2-0.20190507191818-2ff3cb3adc01 diff --git a/go.mod b/go.mod index 065f4e11b287..c08842b7c9bd 100644 --- a/go.mod +++ b/go.mod @@ -111,7 +111,6 @@ require ( github.com/josephspurrier/goversioninfo v0.0.0-20190209210621-63e6d1acd3dd github.com/jpillora/backoff v1.0.0 // indirect github.com/kardianos/service v1.1.0 - github.com/knightsc/gapstone v4.0.1+incompatible github.com/konsorten/go-windows-terminal-sequences v1.0.2 // indirect github.com/lib/pq v1.1.2-0.20190507191818-2ff3cb3adc01 github.com/magefile/mage v1.11.0 diff --git a/go.sum b/go.sum index 56bdb2f1c9a3..9a31605de3a9 100644 --- a/go.sum +++ b/go.sum @@ -491,8 +491,6 @@ github.com/klauspost/compress v1.11.0 h1:wJbzvpYMVGG9iTI9VxpnNZfd4DzMPoCWze3GgSq github.com/klauspost/compress v1.11.0/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= github.com/klauspost/cpuid/v2 v2.0.4 h1:g0I61F2K2DjRHz1cnxlkNSBIaePVoJIjjnHui8QHbiw= github.com/klauspost/cpuid/v2 v2.0.4/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg= -github.com/knightsc/gapstone v4.0.1+incompatible h1:yROPRgpqBWgD/7fyH3+AJ2hQR4gYfKNFGnKcNY8HPIA= -github.com/knightsc/gapstone v4.0.1+incompatible/go.mod h1:N9Q82fxOi8Fp9pHE2eflNZf5/FSg1815WZFhV8Gc2PE= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.2 h1:DB17ag19krx9CFsz4o3enTrPXyIXCl+2iCXH/aMAp9s= github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= diff --git a/libbeat/formats/elf/elf.go b/libbeat/formats/elf/elf.go index 3adeed2d1666..de5d3127770b 100644 --- a/libbeat/formats/elf/elf.go +++ b/libbeat/formats/elf/elf.go 
@@ -72,7 +72,6 @@ type Section struct {
 type Info struct {
 Imports []Symbol `json:"imports,omitempty"`
 Exports []Symbol `json:"exports,omitempty"`
- Telfhash string `json:"telfhash,omitempty"`
 Segments []Segment `json:"segments,omitempty"`
 SharedLibraries []string `json:"shared_libraries,omitempty"`
 Header Header `json:"header"`
@@ -87,6 +86,11 @@ type Info struct {
 // Architecture string `json:"architecture"`
 // ByteOrder string `json:"byte_order"`
 // CPUType string `json:"cpu_type"`
+
+ // Calculating this requires disassembly of non-exported
+ // function call sites, consider re-adding it if we can
+ // find a native go disassembler
+ // Telfhash string `json:"telfhash,omitempty"`
 }

 // Parse parses the elf file and returns information about it or errors.
@@ -95,10 +99,6 @@ func Parse(r io.ReaderAt) (interface{}, error) {
 if err != nil {
 return nil, err
 }
- telfhash, err := telfhash(elfFile)
- if err != nil {
- return nil, err
- }
 dynamicSymbols, err := elfFile.DynamicSymbols()
 if err != nil {
 if err != elf.ErrNoSymbols {
@@ -198,7 +198,6 @@ func Parse(r io.ReaderAt) (interface{}, error) {
 info := &Info{
 Imports: imports,
 Exports: exports,
- Telfhash: telfhash,
 Segments: translatedSegments,
 SharedLibraries: libraries,
 Header: header,
diff --git a/libbeat/formats/elf/telfhash.go b/libbeat/formats/elf/telfhash.go
deleted file mode 100644
index a6cd35d63538..000000000000
--- a/libbeat/formats/elf/telfhash.go
+++ /dev/null
@@ -1,238 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -package elf - -import ( - "debug/elf" - "errors" - "io/ioutil" - "regexp" - "sort" - "strings" - - "github.com/knightsc/gapstone" -) - -var ( - exclusionsRegex = []*regexp.Regexp{ - regexp.MustCompile(`^[_\.].*$`), // Function names starting with . 
or _ - regexp.MustCompile(`^.*64$`), // x64-64 specific functions - regexp.MustCompile(`^str.*$`), // gcc significantly changes string functions depending on the target architecture, so we ignore them - regexp.MustCompile(`^mem.*$`), // gcc significantly changes string functions depending on the target architecture, so we ignore them - } - exclusionsString = []string{ - "__libc_start_main", // main function - "main", // main function z - "abort", // ARM default - "cachectl", // MIPS default - "cacheflush", // MIPS default - "puts", // Compiler optimization (function replacement) - "atol", // Compiler optimization (function replacement) - "malloc_trim", // GNU extensions - } -) - -func canExclude(symbol elf.Symbol) bool { - if elf.ST_TYPE(symbol.Info) != elf.STT_FUNC { - return true - } - if elf.ST_BIND(symbol.Info) != elf.STB_GLOBAL { - return true - } - if elf.ST_VISIBILITY(symbol.Other) != elf.STV_DEFAULT { - return true - } - if symbol.Name == "" { - return true - } - - for _, exclusion := range exclusionsString { - if symbol.Name == exclusion { - return true - } - } - for _, exclusion := range exclusionsRegex { - if exclusion.MatchString(symbol.Name) { - return true - } - } - return false -} - -func capstoneArgs(f *elf.File) (int, int, bool) { - switch { - case f.Class == elf.ELFCLASS32 && f.Machine == elf.EM_386: - return gapstone.CS_ARCH_X86, gapstone.CS_MODE_32, true - case f.Class == elf.ELFCLASS64 && f.Machine == elf.EM_X86_64: - return gapstone.CS_ARCH_X86, gapstone.CS_MODE_64, true - case f.Class == elf.ELFCLASS32 && f.Machine == elf.EM_ARM: - return gapstone.CS_ARCH_ARM, gapstone.CS_MODE_ARM, true - case f.Class == elf.ELFCLASS32 && f.Machine == elf.EM_MIPS: - return gapstone.CS_ARCH_MIPS, int(gapstone.CS_MODE_MIPS32) | gapstone.CS_MODE_BIG_ENDIAN, true - default: - return 0, 0, false - } -} - -func isX86(f *elf.File) bool { - return (f.Class == elf.ELFCLASS64 && f.Machine == elf.EM_X86_64) || (f.Class == elf.ELFCLASS32 && f.Machine == elf.EM_386) -} - 
-func stringMember(ary []string, test string) bool { - for _, a := range ary { - if a == test { - return true - } - } - return false -} - -func getImageBase(f *elf.File) uint64 { - for _, segment := range f.Progs { - if segment.Type == elf.PT_LOAD { - return segment.Vaddr - } - } - return 0 -} - -func extractCallDestinations(f *elf.File) ([]string, error) { - arch, mode, found := capstoneArgs(f) - if !found { - return nil, nil - } - entryPoint := f.Entry - var offset uint64 - var err error - var data []byte - for _, section := range f.Sections { - if section.Addr <= entryPoint && section.Addr+section.Size >= entryPoint { - offset = getImageBase(f) + section.Offset - data, err = section.Data() - if err != nil { - return nil, err - } - break - } - } - if data == nil { - section := f.Section(".text") - if section != nil { - offset = getImageBase(f) + section.Offset - data, err = section.Data() - if err != nil { - return nil, err - } - } - } - if data == nil { - for _, segment := range f.Progs { - if segment.Type == elf.PT_LOAD && segment.Flags == (elf.PF_R&elf.PF_X) { - if entryPoint > segment.Vaddr { - segmentData, err := ioutil.ReadAll(segment.Open()) - if err != nil { - return nil, err - } - offset = entryPoint - if int(entryPoint-segment.Vaddr) > len(segmentData) { - return nil, errors.New("invalid segment offset") - } - data = segmentData[entryPoint-segment.Vaddr:] - break - } - } - } - } - if data != nil { - engine, err := gapstone.New(arch, mode) - if err != nil { - return nil, err - } - defer engine.Close() - instructions, err := engine.Disasm(data, offset, 0) - if err != nil { - return nil, err - } - symbols := []string{} - for _, instruction := range instructions { - if isX86(f) && instruction.Mnemonic == "call" { - // Consider only call to absolute addresses - if strings.HasPrefix(instruction.OpStr, "0x") { - address := instruction.OpStr[2:] - if !stringMember(symbols, address) { - symbols = append(symbols, address) - } - } - } else if f.Machine == 
elf.EM_ARM && strings.HasPrefix(instruction.Mnemonic, "bl") { - if strings.HasPrefix(instruction.OpStr, "#0x") { - address := instruction.OpStr[3:] - if !stringMember(symbols, address) { - symbols = append(symbols, address) - } - } - } else if f.Machine == elf.EM_MIPS && strings.HasPrefix(instruction.Mnemonic, "lw") { - if strings.HasPrefix(instruction.OpStr, "$t9, ") { - address := instruction.OpStr[8 : len(instruction.OpStr)-5] - if !stringMember(symbols, address) { - symbols = append(symbols, address) - } - } - } - } - return symbols, nil - } - return nil, nil -} - -func telfhash(elfFile *elf.File) (string, error) { - symbols := []string{} - dynSymbols, err := elfFile.DynamicSymbols() - if err != nil { - if err != elf.ErrNoSymbols { - return "", err - } - } - staticSymbols, err := elfFile.Symbols() - if err != nil { - if err != elf.ErrNoSymbols { - return "", err - } - } - if len(staticSymbols) == 0 && len(dynSymbols) == 0 { - // extract symbols from call sites since we're in a static binary - symbols, err = extractCallDestinations(elfFile) - if err != nil { - return "", err - } - } else { - for _, symbol := range dynSymbols { - if !canExclude(symbol) { - symbols = append(symbols, strings.ToLower(symbol.Name)) - } - } - for _, symbol := range staticSymbols { - if !canExclude(symbol) { - symbols = append(symbols, strings.ToLower(symbol.Name)) - } - } - sort.Strings(symbols) - } - tlsh := newTlsh() - tlsh.update([]byte(strings.Join(symbols, ","))) - return strings.ToLower(tlsh.hash()), nil -} diff --git a/libbeat/formats/elf/tlsh.go b/libbeat/formats/elf/tlsh.go deleted file mode 100644 index bf68b899f501..000000000000 --- a/libbeat/formats/elf/tlsh.go +++ /dev/null 
@@ -1,246 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -package elf - -import ( - "math" - "sort" - "strings" -) - -var vTable = []int{ - 1, 87, 49, 12, 176, 178, 102, 166, 121, 193, 6, 84, 249, 230, 44, 163, - 14, 197, 213, 181, 161, 85, 218, 80, 64, 239, 24, 226, 236, 142, 38, 200, - 110, 177, 104, 103, 141, 253, 255, 50, 77, 101, 81, 18, 45, 96, 31, 222, - 25, 107, 190, 70, 86, 237, 240, 34, 72, 242, 20, 214, 244, 227, 149, 235, - 97, 234, 57, 22, 60, 250, 82, 175, 208, 5, 127, 199, 111, 62, 135, 248, - 174, 169, 211, 58, 66, 154, 106, 195, 245, 171, 17, 187, 182, 179, 0, 243, - 132, 56, 148, 75, 128, 133, 158, 100, 130, 126, 91, 13, 153, 246, 216, 219, - 119, 68, 223, 78, 83, 88, 201, 99, 122, 11, 92, 32, 136, 114, 52, 10, - 138, 30, 48, 183, 156, 35, 61, 26, 143, 74, 251, 94, 129, 162, 63, 152, - 170, 7, 115, 167, 241, 206, 3, 150, 55, 59, 151, 220, 90, 53, 23, 131, - 125, 173, 15, 238, 79, 95, 89, 16, 105, 137, 225, 224, 217, 160, 37, 123, - 118, 73, 2, 157, 46, 116, 9, 145, 134, 228, 207, 212, 202, 215, 69, 229, - 27, 188, 67, 124, 168, 252, 42, 4, 29, 108, 21, 247, 19, 205, 39, 203, - 233, 40, 186, 147, 198, 192, 155, 33, 164, 191, 98, 204, 165, 180, 117, 76, - 140, 36, 210, 172, 41, 54, 159, 8, 185, 
232, 113, 196, 231, 47, 146, 120, - 51, 65, 28, 144, 254, 221, 93, 189, 194, 139, 112, 43, 71, 109, 184, 209, -} - -func bucketMapping(salt, i, j, k int) int { - h := vTable[salt] - h = vTable[h^i] - h = vTable[h^j] - h = vTable[h^k] - return h -} - -const ( - log1_5 = 0.4054651 - log1_3 = 0.26236426 - log1_1 = 0.095310180 -) - -// compute length portion of tlsh -func capturing(length int) int { - var i int - switch { - case length <= 656: - i = int(math.Floor(math.Log(float64(length)) / log1_5)) - case length <= 3199: - i = int(math.Floor(math.Log(float64(length))/log1_3 - 8.72777)) - default: - i = int(math.Floor(math.Log(float64(length))/log1_1 - 62.5472)) - } - return i & 0xFF -} - -const slidingWindowSize = 5 -const buckets = 256 - -type tlshState struct { - checksum int - checksumArray []int - checksumLength int - bucket []int64 - bucketCount int - window []int - dataLen int - codeSize int -} - -func newTlsh() *tlshState { - bucketCount := 128 - checksumLength := 1 - - return &tlshState{ - bucketCount: bucketCount, - checksumLength: checksumLength, - codeSize: bucketCount >> 2, - window: make([]int, slidingWindowSize), - bucket: make([]int64, buckets), - } -} - -func (t *tlshState) update(data []byte) { - // Indexes into the sliding window. 
They cycle like - // 0 4 3 2 1 - // 1 0 4 3 2 - // 2 1 0 4 3 - // 3 2 1 0 4 - // 4 3 2 1 0 - // 0 4 3 2 1 - // and so on - j := t.dataLen % slidingWindowSize - j1 := (j - 1 + slidingWindowSize) % slidingWindowSize - j2 := (j - 2 + slidingWindowSize) % slidingWindowSize - j3 := (j - 3 + slidingWindowSize) % slidingWindowSize - j4 := (j - 4 + slidingWindowSize) % slidingWindowSize - - fedLen := t.dataLen - for i := 0; i < len(data); i++ { - t.window[j] = int(data[i]) - if fedLen >= 4 { - // only calculate when input >= 5 bytes - t.checksum = bucketMapping(0, t.window[j], t.window[j1], t.checksum) - if t.checksumLength > 1 { - t.checksumArray[0] = t.checksum - for k := 1; k < t.checksumLength; k++ { - // use calculated 1 byte checksums to expand the total checksum to 3 bytes - t.checksumArray[k] = bucketMapping(t.checksumArray[k-1], t.window[j], t.window[j1], t.checksumArray[k]) - } - } - - r := bucketMapping(2, t.window[j], t.window[j1], t.window[j2]) - t.bucket[r]++ - r = bucketMapping(3, t.window[j], t.window[j1], t.window[j3]) - t.bucket[r]++ - r = bucketMapping(5, t.window[j], t.window[j2], t.window[j3]) - t.bucket[r]++ - r = bucketMapping(7, t.window[j], t.window[j2], t.window[j4]) - t.bucket[r]++ - r = bucketMapping(11, t.window[j], t.window[j1], t.window[j4]) - t.bucket[r]++ - r = bucketMapping(13, t.window[j], t.window[j3], t.window[j4]) - t.bucket[r]++ - } - // rotate the sliding window indexes - j4, j3, j2, j1, j = j3, j2, j1, j, j4 - - fedLen++ - } - t.dataLen += len(data) -} - -func median(data []int64) int64 { - length := len(data) - if length%2 != 0 { - return data[length/2] - } - return data[length/2-1] -} - -func (t *tlshState) findQuartile() []int64 { - bucketCopy := make([]int64, t.bucketCount) - copy(bucketCopy, t.bucket) - sort.Slice(bucketCopy, func(i, j int) bool { - return bucketCopy[i] < bucketCopy[j] - }) - - length := len(bucketCopy) - // Find the cutoff places depeding on if - // the input slice length is even or odd - var c1 int - var c2 
int - if length%2 == 0 { - c1 = length / 2 - c2 = length / 2 - } else { - c1 = (length - 1) / 2 - c2 = c1 + 1 - } - - return []int64{ - median(bucketCopy[:c1]), - median(bucketCopy), - median(bucketCopy[c2:]), - } -} - -func (t *tlshState) hash() string { - if t.dataLen == 0 { - return "" - } - quartiles := t.findQuartile() - q1 := quartiles[0] - q2 := quartiles[1] - q3 := quartiles[2] - - code := make([]int, t.codeSize) - for i := 0; i < t.codeSize; i++ { - h := 0 - for j := 0; j < 4; j++ { - k := t.bucket[4*i+j] - if q3 < k { - h += 3 << (j * 2) - } else if q2 < k { - h += 2 << (j * 2) - } else if q1 < k { - h += 1 << (j * 2) - } - } - code[i] = h - } - - lValue := capturing(t.dataLen) - q1Ratio := int(float64(q1*100.0)/float64(q3)) & 0xF - q2Ratio := int(float64(q2*100.0)/float64(q3)) & 0xF - - if t.checksumLength == 1 { - return encode([]int{t.checksum}, lValue, q1Ratio, q2Ratio, code) - } - return encode(t.checksumArray, lValue, q1Ratio, q2Ratio, code) -} - -var hexChars = []byte{'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'A', 'B', 'C', 'D', 'E', 'F'} - -func writeHex(src int, builder *strings.Builder) { - builder.WriteByte(hexChars[(src>>4)&0xF]) - builder.WriteByte(hexChars[src&0xF]) -} - -func writeHexSwapped(src int, builder *strings.Builder) { - builder.WriteByte(hexChars[src&0xF]) - builder.WriteByte(hexChars[(src>>4)&0xF]) -} - -func encode(checksum []int, lValue, q1Ratio, q2Ratio int, codes []int) string { - // extra 4 characters come from length and Q1 and Q2 ratio. - hashStringLength := len(codes)*2 + len(checksum)*2 + 4 - var builder strings.Builder - builder.Grow(hashStringLength) - for k := 0; k < len(checksum); k++ { - writeHexSwapped(checksum[k], &builder) - } - writeHexSwapped(lValue, &builder) - writeHex(q1Ratio<<4|q2Ratio, &builder) - for i := 0; i < len(codes); i++ { - writeHex(codes[len(codes)-1-i], &builder) - } - return builder.String() -} 
diff --git a/libbeat/formats/fixtures/elf/hello-linux.fingerprint b/libbeat/formats/fixtures/elf/hello-linux.fingerprint index babbbaf355a9..3c1d9acbf18a 100644 --- a/libbeat/formats/fixtures/elf/hello-linux.fingerprint +++ b/libbeat/formats/fixtures/elf/hello-linux.fingerprint @@ -19,7 +19,6 @@ "type": "STT_FUNC" } ], - "telfhash": "3e400000000c00000003000000000c000003000000c03000000000000000000000000c", "segments": [ { "name": "PHDR", From 1e34cd341e6d6f5b60065a3ec0b463835391cde0 Mon Sep 17 00:00:00 2001 From: Andrew Stucki Date: Tue, 23 Feb 2021 21:49:45 -0500 Subject: [PATCH 19/30] Fix bad json --- libbeat/formats/fixtures/lnk/local.file.exec.lnk.fingerprint | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libbeat/formats/fixtures/lnk/local.file.exec.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.file.exec.lnk.fingerprint index 32c18892e603..5f5328643ca0 100644 --- a/libbeat/formats/fixtures/lnk/local.file.exec.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local.file.exec.lnk.fingerprint @@ -20,7 +20,7 @@ "file_size": 5120, "icon_index": 27, "window_style": "SW_NORMAL", - "hotKey": "HOTKEYF_ALT+G" + "hot_key": "HOTKEYF_ALT+G" }, "targets": [ { From 7429cb29ee7d01e5232ba7fafbe9dd5a6904997b Mon Sep 17 00:00:00 2001 From: Andrew Stucki Date: Tue, 23 Feb 2021 22:16:43 -0500 Subject: [PATCH 20/30] sort symbols and segments --- libbeat/formats/fixtures/pe/hello-windows.fingerprint | 4 ++-- libbeat/formats/macho/macho.go | 4 ++++ libbeat/formats/pe/pe.go | 4 ++++ 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/libbeat/formats/fixtures/pe/hello-windows.fingerprint b/libbeat/formats/fixtures/pe/hello-windows.fingerprint index d8d2171b5d1e..60c4dc18263b 100644 --- a/libbeat/formats/fixtures/pe/hello-windows.fingerprint +++ b/libbeat/formats/fixtures/pe/hello-windows.fingerprint @@ -59,7 +59,7 @@ }, { "library": "msvcrt.dll", - "name": "__C_specific_handler" + "name": "_cexit" }, { "library": "msvcrt.dll", 
@@ -103,7 +103,7 @@ }, { "library": "msvcrt.dll", - "name": "_cexit" + "name": "__C_specific_handler" }, { "library": "msvcrt.dll", diff --git a/libbeat/formats/macho/macho.go b/libbeat/formats/macho/macho.go index 157e0bef1346..b839033520f9 100644 --- a/libbeat/formats/macho/macho.go +++ b/libbeat/formats/macho/macho.go @@ -21,6 +21,7 @@ import ( "debug/macho" "fmt" "io" + "sort" "github.com/elastic/beats/v7/libbeat/formats/common" "github.com/elastic/beats/v7/libbeat/formats/dwarf" @@ -173,6 +174,9 @@ func parse(machoFile *macho.File) (*Architecture, error) { for _, segment := range segmentMap { segments = append(segments, segment) } + sort.Slice(segments, func(i, j int) bool { + return segments[i].FileOffset < segments[j].FileOffset + }) info := &Architecture{ CPU: translateCPU(machoFile.Cpu, machoFile.SubCpu), diff --git a/libbeat/formats/pe/pe.go b/libbeat/formats/pe/pe.go index 7455749ef715..a46d59601d80 100644 --- a/libbeat/formats/pe/pe.go +++ b/libbeat/formats/pe/pe.go @@ -21,6 +21,7 @@ import ( "debug/pe" "fmt" "io" + "sort" "time" "github.com/elastic/beats/v7/libbeat/formats/common" @@ -155,6 +156,9 @@ func Parse(r io.ReaderAt) (interface{}, error) { }) } } + sort.Slice(imports, func(i, j int) bool { + return (imports[i].Library < imports[j].Library && imports[i].Name < imports[j].Name) + }) sectionSize := len(peFile.Sections) var compiledAt *time.Time From ddaa2c0cc6a3ca6bc38320682ef8f6403b4645f7 Mon Sep 17 00:00:00 2001 From: Andrew Stucki Date: Tue, 23 Feb 2021 22:56:42 -0500 Subject: [PATCH 21/30] Fix up hex encoding of entrypoints and clean up commented code into TODOs --- libbeat/formats/elf/elf.go | 17 +++----------- .../fixtures/elf/hello-linux.fingerprint | 2 +- .../fixtures/macho/hello-darwin.fingerprint | 6 ++--- .../fixtures/pe/hello-windows.fingerprint | 2 +- libbeat/formats/macho/macho.go | 3 ++- libbeat/formats/pe/pe.go | 23 ++++++------------- 6 files changed, 17 insertions(+), 36 deletions(-) 
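Review bot: The new `sort.Slice(segments, ...)` in macho.go orders by FileOffset alone, and `sort.Slice` is not stable, so two segments that share a file offset keep whatever relative order they came out of `segmentMap` — map iteration order, which changes from run to run — and the emitted fingerprint is then not reproducible for such files. Break ties on a second key, e.g. `if segments[i].FileOffset != segments[j].FileOffset { return segments[i].FileOffset < segments[j].FileOffset }` followed by `return segments[i].Name < segments[j].Name` (assuming the field serialised as `"name"` in the fixture is called `Name`; otherwise use whichever field carries the segment name). `parse` continues outside the hunk.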
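Review bot: The comparator added to `sort.Slice(imports, ...)` in pe.go, `Library < Library && Name < Name`, is not a strict weak ordering — two imports from different libraries whose names compare the other way are reported as neither less than the other — so the result depends on the input order and the fingerprint is not reproducible. The follow-up pe.go hunk in PATCH 22 ("fix sort logic") swaps `&&` for `||`, which is inconsistent in the opposite direction (less(a, b) and less(b, a) can both be true), and the `_cexit` / `__C_specific_handler` entries flipping back and forth in hello-windows.fingerprint across the two commits are the visible symptom. Compare by library first and fall back to name: `if imports[i].Library != imports[j].Library { return imports[i].Library < imports[j].Library }` then `return imports[i].Name < imports[j].Name`. `Parse` continues outside the hunk.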
diff --git a/libbeat/formats/elf/elf.go b/libbeat/formats/elf/elf.go index de5d3127770b..e46ffe6d692d 100644 --- a/libbeat/formats/elf/elf.go +++ b/libbeat/formats/elf/elf.go @@ -50,9 +50,6 @@ type Header struct { Version string `json:"version"` AbiVersion string `json:"abi_version"` Entrypoint string `json:"entrypoint"` - - // Is this either Version or AbiVersion? - // ObjectVersion string `json:"object_version"` } // Section contains information about a section in an elf file. @@ -79,18 +76,10 @@ type Info struct { Packers []string `json:"packers,omitempty"` Debug []dwarf.DWARF `json:"debug,omitempty"` - // This isn't in ELF - // CreationDate time.Time `json:"creation_date"` - - // These are already contained in Header - // Architecture string `json:"architecture"` - // ByteOrder string `json:"byte_order"` - // CPUType string `json:"cpu_type"` - - // Calculating this requires disassembly of non-exported + // TODO: Calculating this requires disassembly of non-exported // function call sites, consider re-adding it if we can // find a native go disassembler - // Telfhash string `json:"telfhash,omitempty"` + // Telfhash string `json:"telfhash,omitempty"` } // Parse parses the elf file and returns information about it or errors. @@ -143,7 +132,7 @@ func Parse(r io.ReaderAt) (interface{}, error) { Type: translateType(elfFile.Type), Version: translateVersion(elfFile.Version), AbiVersion: fmt.Sprintf("%d", elfFile.ABIVersion), - Entrypoint: fmt.Sprintf("%x", elfFile.Entry), + Entrypoint: fmt.Sprintf("0x%x", elfFile.Entry), } segments := make(map[*elf.Prog][]string) diff --git a/libbeat/formats/fixtures/elf/hello-linux.fingerprint b/libbeat/formats/fixtures/elf/hello-linux.fingerprint index 3c1d9acbf18a..2e888063b937 100644 --- a/libbeat/formats/fixtures/elf/hello-linux.fingerprint +++ b/libbeat/formats/fixtures/elf/hello-linux.fingerprint 
@@ -94,7 +94,7 @@ "type": "Executable", "version": "current", "abi_version": "0", - "entrypoint": "400390" + "entrypoint": "0x400390" }, "sections": [ { diff --git a/libbeat/formats/fixtures/macho/hello-darwin.fingerprint b/libbeat/formats/fixtures/macho/hello-darwin.fingerprint index ed48557927ae..9e7204f5766d 100644 --- a/libbeat/formats/fixtures/macho/hello-darwin.fingerprint +++ b/libbeat/formats/fixtures/macho/hello-darwin.fingerprint @@ -97,7 +97,7 @@ }, "segments": [ { - "vmaddr": "100000000", + "vmaddr": "0x100000000", "name": "__TEXT", "vmsize": 4096, "fileoff": 0, @@ -158,7 +158,7 @@ ] }, { - "vmaddr": "100001000", + "vmaddr": "0x100001000", "name": "__DATA_CONST", "vmsize": 4096, "fileoff": 4096, @@ -175,7 +175,7 @@ ] }, { - "vmaddr": "100002000", + "vmaddr": "0x100002000", "name": "__DATA", "vmsize": 4096, "fileoff": 8192, diff --git a/libbeat/formats/fixtures/pe/hello-windows.fingerprint b/libbeat/formats/fixtures/pe/hello-windows.fingerprint index 60c4dc18263b..6536cb9bf73c 100644 --- a/libbeat/formats/fixtures/pe/hello-windows.fingerprint +++ b/libbeat/formats/fixtures/pe/hello-windows.fingerprint @@ -1,5 +1,5 @@ { - "entrypoint": "14e0", + "entrypoint": "0x14e0", "imports": [ { "library": "KERNEL32.dll", diff --git a/libbeat/formats/macho/macho.go b/libbeat/formats/macho/macho.go index b839033520f9..ebf8bba203e1 100644 --- a/libbeat/formats/macho/macho.go +++ b/libbeat/formats/macho/macho.go @@ -75,6 +75,7 @@ type Architecture struct { Imports []string `json:"imports,omitempty"` Packers []string `json:"packers,omitempty"` Symhash string `json:"symhash,omitempty"` + // TODO: Add the following // Exports []string `json:"exports,omitempty"` // CDHash string `json:"cdhash,omitempty"` } 
@@ -153,7 +154,7 @@ func parse(machoFile *macho.File) (*Architecture, error) { } mSegment := machoFile.Segment(section.Seg) if mSegment != nil { - segment.VMAddress = fmt.Sprintf("%x", mSegment.Addr) + segment.VMAddress = fmt.Sprintf("0x%x", mSegment.Addr) segment.VMSize = int64(mSegment.Memsz) segment.FileOffset = int64(mSegment.Offset) segment.FileSize = int64(mSegment.Filesz) diff --git a/libbeat/formats/pe/pe.go b/libbeat/formats/pe/pe.go index a46d59601d80..c067a3dee555 100644 --- a/libbeat/formats/pe/pe.go +++ b/libbeat/formats/pe/pe.go @@ -78,8 +78,7 @@ type Resource struct { // Icon holds fields that are used for fingerprinting embedded icons type Icon struct { - // leverage https://github.com/corona10/goimagehash - Dhash string `json:"dhash"` + Dhash string `json:"dhash"` // https://github.com/corona10/goimagehash } // Info contains high level fingerprinting an analysis of a PE file. @@ -100,16 +99,11 @@ type Info struct { Product string `json:"product,omitempty"` Architecture string `json:"architecture,omitempty"` - // Things that we should be able to get - // See https://github.com/lief-project/LIEF/blob/05103f55a6cb993cb20735da3c7a6333e4f600e3/src/PE/Binary.cpp#L1046 - // Authentihash string `json:"authentihash,omitempty"` - // Compiler *Compiler `json:"compiler,omitempty"` - // RichHeaderHash string `json:"rich_header.hash.md5,omitempty"` - // Icons []Icon `json:"icon,omitempty"` - - // Fields that are likely duplicated - // CreationDate *time.Time `json:"creation_date,omitempty"` - // MachineType string `json:"machine_type"` + // TODO: Things that we should be able to get + // Authentihash string `json:"authentihash,omitempty"` // https://github.com/lief-project/LIEF/blob/05103f55a6cb993cb20735da3c7a6333e4f600e3/src/PE/Binary.cpp#L1046 + // Compiler *Compiler `json:"compiler,omitempty"` + // RichHeaderHash string `json:"rich_header.hash.md5,omitempty"` + // Icons []Icon `json:"icon,omitempty"` } func getPackers(f *pe.File) []string { 
@@ -127,9 +121,6 @@ func Parse(r io.ReaderAt) (interface{}, error) { if err != nil { return nil, err } - // IsDLL: (peFile.Characteristics & 0x2000) == 0x2000, - // IsSys: (peFile.Characteristics & 0x1000) == 0x1000, - var architecture string var entrypoint uint32 switch header := peFile.OptionalHeader.(type) { @@ -170,7 +161,7 @@ func Parse(r io.ReaderAt) (interface{}, error) { info := &Info{ CompilationTimestamp: compiledAt, - Entrypoint: fmt.Sprintf("%x", entrypoint), + Entrypoint: fmt.Sprintf("0x%x", entrypoint), Imports: imports, Exports: exportSymbols, Packers: getPackers(peFile), From 86d172f8155df96d75a6fbcc644c5089884cdc31 Mon Sep 17 00:00:00 2001 From: Andrew Stucki Date: Wed, 24 Feb 2021 08:14:01 -0500 Subject: [PATCH 22/30] fix sort logic --- libbeat/formats/fixtures/pe/hello-windows.fingerprint | 4 ++-- libbeat/formats/pe/pe.go | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libbeat/formats/fixtures/pe/hello-windows.fingerprint b/libbeat/formats/fixtures/pe/hello-windows.fingerprint index 6536cb9bf73c..02bebbafbe84 100644 --- a/libbeat/formats/fixtures/pe/hello-windows.fingerprint +++ b/libbeat/formats/fixtures/pe/hello-windows.fingerprint @@ -59,7 +59,7 @@ }, { "library": "msvcrt.dll", - "name": "_cexit" + "name": "__C_specific_handler" }, { "library": "msvcrt.dll", @@ -103,7 +103,7 @@ }, { "library": "msvcrt.dll", - "name": "__C_specific_handler" + "name": "_cexit" }, { "library": "msvcrt.dll", diff --git a/libbeat/formats/pe/pe.go b/libbeat/formats/pe/pe.go index c067a3dee555..4861b38a21ca 100644 --- a/libbeat/formats/pe/pe.go +++ b/libbeat/formats/pe/pe.go @@ -148,7 +148,7 @@ func Parse(r io.ReaderAt) (interface{}, error) { } } sort.Slice(imports, func(i, j int) bool { - return (imports[i].Library < imports[j].Library && imports[i].Name < imports[j].Name) + return (imports[i].Library < imports[j].Library || imports[i].Name < imports[j].Name) }) sectionSize := len(peFile.Sections) 
From 89cbdc549cd3a1eaabf0264b879e8cecace5e913 Mon Sep 17 00:00:00 2001 
From: Andrew Stucki
Date: Wed, 3 Mar 2021 14:08:09 -0500
Subject: [PATCH 23/30] Update guid with proper zig-zag encoding and add known properties
---
.../lnk/local.directory.seven.lnk.fingerprint | 24 +-
.../lnk/local.directory.xp.lnk.fingerprint | 10 +-
.../lnk/local.file.darwin.lnk.fingerprint | 2 +-
.../lnk/local.file.env.lnk.fingerprint | 10 +-
.../lnk/local.file.exec.lnk.fingerprint | 10 +-
.../lnk/local.file.icoset.lnk.fingerprint | 10 +-
.../lnk/local.file.seven.lnk.fingerprint | 14 +-
.../lnk/local.file.xp.lnk.fingerprint | 10 +-
.../fixtures/lnk/local_cmd.lnk.fingerprint | 24 +-
.../lnk/local_unicode.lnk.fingerprint | 22 +-
.../fixtures/lnk/local_win31j.lnk.fingerprint | 22 +-
.../fixtures/lnk/microsoft.lnk.fingerprint | 10 +-
.../lnk/native.2008srv.01.lnk.fingerprint | 12 +-
.../lnk/native.2008srv.02.lnk.fingerprint | 2 +-
.../lnk/native.2008srv.03.lnk.fingerprint | 2 +-
.../lnk/native.2008srv.04.lnk.fingerprint | 12 +-
.../lnk/native.2008srv.05.lnk.fingerprint | 12 +-
.../lnk/native.2008srv.06.lnk.fingerprint | 12 +-
.../lnk/native.2008srv.07.lnk.fingerprint | 2 +-
.../lnk/native.2008srv.08.lnk.fingerprint | 12 +-
.../lnk/native.2008srv.09.lnk.fingerprint | 12 +-
.../lnk/native.2008srv.10.lnk.fingerprint | 12 +-
.../lnk/native.2008srv.11.lnk.fingerprint | 12 +-
.../lnk/native.2008srv.12.lnk.fingerprint | 12 +-
.../lnk/native.2008srv.13.lnk.fingerprint | 12 +-
.../lnk/native.2008srv.14.lnk.fingerprint | 12 +-
.../lnk/native.2008srv.15.lnk.fingerprint | 12 +-
.../lnk/native.2008srv.16.lnk.fingerprint | 2 +-
.../lnk/native.2008srv.17.lnk.fingerprint | 12 +-
.../lnk/native.2008srv.18.lnk.fingerprint | 2 +-
.../lnk/native.2008srv.19.lnk.fingerprint | 2 +-
.../lnk/native.2008srv.20.lnk.fingerprint | 12 +-
.../lnk/native.seven.01.lnk.fingerprint | 14 +-
.../lnk/native.seven.02.lnk.fingerprint | 14 +-
.../lnk/native.seven.03.lnk.fingerprint | 6 +-
.../lnk/native.seven.04.lnk.fingerprint | 14 +-
.../lnk/native.seven.05.lnk.fingerprint | 2 +-
.../lnk/native.seven.06.lnk.fingerprint | 2 +-
.../lnk/native.seven.07.lnk.fingerprint | 10 +-
.../lnk/native.seven.08.lnk.fingerprint | 14 +-
.../lnk/native.seven.09.lnk.fingerprint | 20 +-
.../lnk/native.seven.10.lnk.fingerprint | 10 +-
.../lnk/native.seven.11.lnk.fingerprint | 2 +-
.../lnk/native.seven.12.lnk.fingerprint | 10 +-
.../lnk/native.seven.13.lnk.fingerprint | 14 +-
.../lnk/native.seven.14.lnk.fingerprint | 10 +-
.../lnk/native.seven.15.lnk.fingerprint | 10 +-
.../lnk/native.seven.16.lnk.fingerprint | 2 +-
.../lnk/native.seven.17.lnk.fingerprint | 10 +-
.../lnk/native.seven.18.lnk.fingerprint | 10 +-
.../lnk/native.seven.19.lnk.fingerprint | 10 +-
.../lnk/native.seven.20.lnk.fingerprint | 10 +-
.../fixtures/lnk/native.xp.01.lnk.fingerprint | 2 +-
.../fixtures/lnk/native.xp.02.lnk.fingerprint | 2 +-
.../fixtures/lnk/native.xp.03.lnk.fingerprint | 2 +-
.../fixtures/lnk/native.xp.04.lnk.fingerprint | 10 +-
.../fixtures/lnk/native.xp.05.lnk.fingerprint | 2 +-
.../fixtures/lnk/native.xp.06.lnk.fingerprint | 10 +-
.../fixtures/lnk/native.xp.07.lnk.fingerprint | 2 +-
.../fixtures/lnk/native.xp.08.lnk.fingerprint | 2 +-
.../fixtures/lnk/native.xp.09.lnk.fingerprint | 10 +-
.../fixtures/lnk/native.xp.10.lnk.fingerprint | 2 +-
.../fixtures/lnk/native.xp.11.lnk.fingerprint | 10 +-
.../fixtures/lnk/native.xp.12.lnk.fingerprint | 2 +-
.../fixtures/lnk/native.xp.13.lnk.fingerprint | 2 +-
.../fixtures/lnk/native.xp.14.lnk.fingerprint | 2 +-
.../fixtures/lnk/native.xp.15.lnk.fingerprint | 2 +-
.../fixtures/lnk/native.xp.16.lnk.fingerprint | 2 +-
.../fixtures/lnk/native.xp.17.lnk.fingerprint | 10 +-
.../fixtures/lnk/native.xp.18.lnk.fingerprint | 2 +-
.../fixtures/lnk/native.xp.19.lnk.fingerprint | 2 +-
.../fixtures/lnk/native.xp.20.lnk.fingerprint | 6 +-
.../fixtures/lnk/net_unicode.lnk.fingerprint | 22 +-
.../fixtures/lnk/net_unicode2.lnk.fingerprint | 22 +-
.../fixtures/lnk/net_win31j.lnk.fingerprint | 22 +-
.../lnk/remote.directory.xp.lnk.fingerprint | 6 +-
.../lnk/remote.file.aidlist.lnk.fingerprint | 10 +- .../lnk/remote.file.xp.lnk.fingerprint | 6 +- libbeat/formats/lnk/extra_property_store.go | 95 +- libbeat/formats/lnk/header.go | 12 +- libbeat/formats/lnk/known_properties.go | 2562 +++++++++++++++++ libbeat/formats/lnk/lnk.go | 3 +- 82 files changed, 2964 insertions(+), 422 deletions(-) create mode 100644 libbeat/formats/lnk/known_properties.go diff --git a/libbeat/formats/fixtures/lnk/local.directory.seven.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.directory.seven.lnk.fingerprint index 8bb8002d36fb..13d6a49dce4d 100644 --- a/libbeat/formats/fixtures/lnk/local.directory.seven.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local.directory.seven.lnk.fingerprint @@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "EnableTargetMetadata", "HasLinkInfo", @@ -63,30 +63,30 @@ "relative_path": "..\\..\\Administrator", "extra": { "known_folder": { - "id": "72d26207-0ac5-b04b-a382-697dcd729b80", + "id": "0762d272-c50a-4bb0-a382-697dcd729b80", "offset": 161 }, "property_store": { "properties": { - "10": [ + "Item Folder Path Display Narrow": [ { "type": "VT_LPWSTR", - "value": "Administrator" + "value": "Utilisateurs (C:)" } ], - "100": [ + "Item Name Display": [ { "type": "VT_LPWSTR", - "value": "Utilisateurs (C:)" + "value": "Administrator" } ], - "30": [ + "Parsing Path": [ { "type": "VT_LPWSTR", "value": "C:\\Users\\Administrator" } ], - "4": [ + "SID": [ { "type": "VT_LPWSTR", "value": "S-1-5-21-2382555026-1982050849-604700897-1000" 
@@ -98,12 +98,12 @@ "version": 0, "machine_id": "netbook", "droid": [ - "da667c4f-20d3-c44c-8d50-165dd98ebc01", - "ff026513-668c-df11-b6eb-001377d34a59" + "4f7c66da-d320-4cc4-8d50-165dd98ebc01", + "136502ff-8c66-11df-b6eb-001377d34a59" ], "droid_birth": [ - "da667c4f-20d3-c44c-8d50-165dd98ebc01", - "ff026513-668c-df11-b6eb-001377d34a59" + "4f7c66da-d320-4cc4-8d50-165dd98ebc01", + "136502ff-8c66-11df-b6eb-001377d34a59" ] } } diff --git a/libbeat/formats/fixtures/lnk/local.directory.xp.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.directory.xp.lnk.fingerprint index de0fe66cafae..18cb0c22809b 100644 --- a/libbeat/formats/fixtures/lnk/local.directory.xp.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local.directory.xp.lnk.fingerprint @@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "HasLinkInfo", "HasRelativePath", @@ -60,12 +60,12 @@ "version": 0, "machine_id": "al-0145", "droid": [ - "6a3e8623-003d-2344-b4c5-05fe7266eb5e", - "954f88fc-8b38-dd11-b743-001c234bc396" + "23863e6a-3d00-4423-b4c5-05fe7266eb5e", + "fc884f95-388b-11dd-b743-001c234bc396" ], "droid_birth": [ - "6a3e8623-003d-2344-b4c5-05fe7266eb5e", - "954f88fc-8b38-dd11-b743-001c234bc396" + "23863e6a-3d00-4423-b4c5-05fe7266eb5e", + "fc884f95-388b-11dd-b743-001c234bc396" ] } } diff --git a/libbeat/formats/fixtures/lnk/local.file.darwin.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.file.darwin.lnk.fingerprint index 98f01aa1ef48..5d1d31def174 100644 --- a/libbeat/formats/fixtures/lnk/local.file.darwin.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local.file.darwin.lnk.fingerprint @@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "HasDarwinID", "HasExpIcon", 
diff --git a/libbeat/formats/fixtures/lnk/local.file.env.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.file.env.lnk.fingerprint index 49a8e4c0c21b..e1ac1d0966f1 100644 --- a/libbeat/formats/fixtures/lnk/local.file.env.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local.file.env.lnk.fingerprint @@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "HasExpString", "HasIconLocation", @@ -134,12 +134,12 @@ "version": 0, "machine_id": "nana-home", "droid": [ - "50116c94-61d0-dd40-8497-a97bde7709e9", - "cb388aa4-9458-db11-afb7-00123f2cd1e5" + "946c1150-d061-40dd-8497-a97bde7709e9", + "a48a38cb-5894-11db-afb7-00123f2cd1e5" ], "droid_birth": [ - "50116c94-61d0-dd40-8497-a97bde7709e9", - "cb388aa4-9458-db11-afb7-00123f2cd1e5" + "946c1150-d061-40dd-8497-a97bde7709e9", + "a48a38cb-5894-11db-afb7-00123f2cd1e5" ] } } diff --git a/libbeat/formats/fixtures/lnk/local.file.exec.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.file.exec.lnk.fingerprint index 5f5328643ca0..ae3fbb182902 100644 --- a/libbeat/formats/fixtures/lnk/local.file.exec.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local.file.exec.lnk.fingerprint @@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "HasArguments", "HasIconLocation", @@ -143,12 +143,12 @@ "version": 0, "machine_id": "al-0145", "droid": [ - "06f31514-5a0c-904f-8d72-20c497b6ddb0", - "dedee424-bb8c-df11-ba00-001c234bc396" + "1415f306-0c5a-4f90-8d72-20c497b6ddb0", + "24e4dede-8cbb-11df-ba00-001c234bc396" ], "droid_birth": [ - "06f31514-5a0c-904f-8d72-20c497b6ddb0", - "dedee424-bb8c-df11-ba00-001c234bc396" + "1415f306-0c5a-4f90-8d72-20c497b6ddb0", + "24e4dede-8cbb-11df-ba00-001c234bc396" ] } } 
diff --git a/libbeat/formats/fixtures/lnk/local.file.icoset.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.file.icoset.lnk.fingerprint index 4aea7f6f3c22..81fc603c55d0 100644 --- a/libbeat/formats/fixtures/lnk/local.file.icoset.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local.file.icoset.lnk.fingerprint @@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "HasIconLocation", "HasLinkInfo", @@ -85,12 +85,12 @@ "version": 0, "machine_id": "al-0145", "droid": [ - "06f31514-5a0c-904f-8d72-20c497b6ddb0", - "dddee424-bb8c-df11-ba00-001c234bc396" + "1415f306-0c5a-4f90-8d72-20c497b6ddb0", + "24e4dedd-8cbb-11df-ba00-001c234bc396" ], "droid_birth": [ - "06f31514-5a0c-904f-8d72-20c497b6ddb0", - "dddee424-bb8c-df11-ba00-001c234bc396" + "1415f306-0c5a-4f90-8d72-20c497b6ddb0", + "24e4dedd-8cbb-11df-ba00-001c234bc396" ] } } diff --git a/libbeat/formats/fixtures/lnk/local.file.seven.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.file.seven.lnk.fingerprint index 5d4bf1bd1bc4..fb1eeac55460 100644 --- a/libbeat/formats/fixtures/lnk/local.file.seven.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local.file.seven.lnk.fingerprint @@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "EnableTargetMetadata", "HasLinkInfo", @@ -75,12 +75,12 @@ "working_directory": "C:\\Users\\root\\Desktop", "extra": { "known_folder": { - "id": "3accbfb4-2cdb-4c42-b029-7fe99a87c641", + "id": "b4bfcc3a-db2c-424c-b029-7fe99a87c641", "offset": 357 }, "property_store": { "properties": { - "4": [ + "SID": [ { "type": "VT_LPWSTR", "value": "S-1-5-21-2382555026-1982050849-604700897-1000" 
@@ -92,12 +92,12 @@ "version": 0, "machine_id": "netbook", "droid": [ - "da667c4f-20d3-c44c-8d50-165dd98ebc01", - "00036513-668c-df11-b6eb-001377d34a59" + "4f7c66da-d320-4cc4-8d50-165dd98ebc01", + "13650300-8c66-11df-b6eb-001377d34a59" ], "droid_birth": [ - "da667c4f-20d3-c44c-8d50-165dd98ebc01", - "00036513-668c-df11-b6eb-001377d34a59" + "4f7c66da-d320-4cc4-8d50-165dd98ebc01", + "13650300-8c66-11df-b6eb-001377d34a59" ] } } diff --git a/libbeat/formats/fixtures/lnk/local.file.xp.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.file.xp.lnk.fingerprint index 057fb639c889..8a41826986ae 100644 --- a/libbeat/formats/fixtures/lnk/local.file.xp.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local.file.xp.lnk.fingerprint @@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "HasLinkInfo", "HasRelativePath", @@ -62,12 +62,12 @@ "version": 0, "machine_id": "al-0145", "droid": [ - "6a3e8623-003d-2344-b4c5-05fe7266eb5e", - "6beb7273-c98a-df11-b9fe-001c234bc396" + "23863e6a-3d00-4423-b4c5-05fe7266eb5e", + "7372eb6b-8ac9-11df-b9fe-001c234bc396" ], "droid_birth": [ - "6a3e8623-003d-2344-b4c5-05fe7266eb5e", - "6beb7273-c98a-df11-b9fe-001c234bc396" + "23863e6a-3d00-4423-b4c5-05fe7266eb5e", + "7372eb6b-8ac9-11df-b9fe-001c234bc396" ] } } diff --git a/libbeat/formats/fixtures/lnk/local_cmd.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local_cmd.lnk.fingerprint index 29dc075a5ee0..bd6f5f4d5d79 100644 --- a/libbeat/formats/fixtures/lnk/local_cmd.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local_cmd.lnk.fingerprint @@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "EnableTargetMetadata", "HasArguments", 
@@ -66,30 +66,30 @@ "command_line": "arg1 \"arg 2\"", "extra": { "known_folder": { - "id": "774ec11a-e702-5d4e-b744-2eb1ae5198b7", + "id": "1ac14e77-02e7-4e5d-b744-2eb1ae5198b7", "offset": 221 }, "property_store": { "properties": { - "10": [ + "Item Folder Path Display Narrow": [ { "type": "VT_LPWSTR", - "value": "cmd with space.exe" + "value": "System32 (C:\\Windows)" } ], - "100": [ + "Item Name Display": [ { "type": "VT_LPWSTR", - "value": "System32 (C:\\Windows)" + "value": "cmd with space.exe" } ], - "30": [ + "Parsing Path": [ { "type": "VT_LPWSTR", "value": "C:\\Windows\\System32\\cmd with space.exe" } ], - "4": [ + "SID": [ { "type": "VT_LPWSTR", "value": "S-1-5-21-2899541433-556809949-1686860144-1001" @@ -105,12 +105,12 @@ "version": 0, "machine_id": "test012345", "droid": [ - "04c26c4d-cace-1647-8fa4-b334de43dd91", - "5501e33d-7e9a-e911-8328-bcee7b5dda94" + "4d6cc204-ceca-4716-8fa4-b334de43dd91", + "3de30155-9a7e-11e9-8328-bcee7b5dda94" ], "droid_birth": [ - "04c26c4d-cace-1647-8fa4-b334de43dd91", - "5501e33d-7e9a-e911-8328-bcee7b5dda94" + "4d6cc204-ceca-4716-8fa4-b334de43dd91", + "3de30155-9a7e-11e9-8328-bcee7b5dda94" ] } } diff --git a/libbeat/formats/fixtures/lnk/local_unicode.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local_unicode.lnk.fingerprint index 692c2e7204ec..e4c5aa07cc15 100644 --- a/libbeat/formats/fixtures/lnk/local_unicode.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local_unicode.lnk.fingerprint @@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "EnableTargetMetadata", "HasLinkInfo", 
@@ -57,22 +57,22 @@
 "extra": {
 "property_store": {
 "properties": {
- "10": [
+ "Item Folder Path Display": [
 {
 "type": "VT_LPWSTR",
- "value": "💎.txt"
+ "value": "C:\\Temp"
 }
 ],
- "30": [
+ "Item Name Display": [
 {
 "type": "VT_LPWSTR",
- "value": "C:\\Temp\\💎.txt"
+ "value": "💎.txt"
 }
 ],
- "6": [
+ "Parsing Path": [
 {
 "type": "VT_LPWSTR",
- "value": "C:\\Temp"
+ "value": "C:\\Temp\\💎.txt"
 }
 ]
 }
@@ -81,12 +81,12 @@
 "version": 0,
 "machine_id": "test012345",
 "droid": [
- "04c26c4d-cace-1647-8fa4-b334de43dd91",
- "85b4edc2-68a1-e911-8328-bcee7b5dda94"
+ "4d6cc204-ceca-4716-8fa4-b334de43dd91",
+ "c2edb485-a168-11e9-8328-bcee7b5dda94"
 ],
 "droid_birth": [
- "04c26c4d-cace-1647-8fa4-b334de43dd91",
- "85b4edc2-68a1-e911-8328-bcee7b5dda94"
+ "4d6cc204-ceca-4716-8fa4-b334de43dd91",
+ "c2edb485-a168-11e9-8328-bcee7b5dda94"
 ]
 }
 }
diff --git a/libbeat/formats/fixtures/lnk/local_win31j.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local_win31j.lnk.fingerprint
index ab765b249d02..40da84819d5c 100644
--- a/libbeat/formats/fixtures/lnk/local_win31j.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/local_win31j.lnk.fingerprint
@@ -1,6 +1,6 @@
 {
 "header": {
- "guid": "01140200-0000-0000-c000-000000000046",
+ "guid": "00021401-0000-0000-c000-000000000046",
 "link_flags": [
 "EnableTargetMetadata",
 "HasIconLocation",
@@ -62,22 +62,22 @@
 "extra": {
 "property_store": {
 "properties": {
- "10": [
+ "Item Folder Path Display": [
 {
 "type": "VT_LPWSTR",
- "value": "リンク先.txt"
+ "value": "C:\\Temp"
 }
 ],
- "30": [
+ "Item Name Display": [
 {
 "type": "VT_LPWSTR",
- "value": "C:\\Temp\\リンク先.txt"
+ "value": "リンク先.txt"
 }
 ],
- "6": [
+ "Parsing Path": [
 {
 "type": "VT_LPWSTR",
- "value": "C:\\Temp"
+ "value": "C:\\Temp\\リンク先.txt"
 }
 ]
 }
@@ -86,12 +86,12 @@
 "version": 0,
 "machine_id": "test012345",
 "droid": [
- "04c26c4d-cace-1647-8fa4-b334de43dd91",
- "8cf0e23d-7e9a-e911-8328-bcee7b5dda94"
+ "4d6cc204-ceca-4716-8fa4-b334de43dd91",
+ "3de2f08c-9a7e-11e9-8328-bcee7b5dda94"
 ],
 "droid_birth": [
- "04c26c4d-cace-1647-8fa4-b334de43dd91",
- "8cf0e23d-7e9a-e911-8328-bcee7b5dda94"
+ "4d6cc204-ceca-4716-8fa4-b334de43dd91",
+ "3de2f08c-9a7e-11e9-8328-bcee7b5dda94"
 ]
 }
 }
diff --git a/libbeat/formats/fixtures/lnk/microsoft.lnk.fingerprint b/libbeat/formats/fixtures/lnk/microsoft.lnk.fingerprint
index 8a19a4de62a9..9f313883930d 100644
--- a/libbeat/formats/fixtures/lnk/microsoft.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/microsoft.lnk.fingerprint
@@ -1,6 +1,6 @@
 {
 "header": {
- "guid": "01140200-0000-0000-c000-000000000046",
+ "guid": "00021401-0000-0000-c000-000000000046",
 "link_flags": [
 "EnableTargetMetadata",
 "HasLinkInfo",
@@ -57,12 +57,12 @@
 "version": 0,
 "machine_id": "chris-xps",
 "droid": [
- "4078c794-47fa-c746-b356-5c2dc6b6d115",
- "ec46cd7b-227f-dd11-9499-00137216874a"
+ "94c77840-fa47-46c7-b356-5c2dc6b6d115",
+ "7bcd46ec-7f22-11dd-9499-00137216874a"
 ],
 "droid_birth": [
- "4078c794-47fa-c746-b356-5c2dc6b6d115",
- "ec46cd7b-227f-dd11-9499-00137216874a"
+ "94c77840-fa47-46c7-b356-5c2dc6b6d115",
+ "7bcd46ec-7f22-11dd-9499-00137216874a"
 ]
 }
 }
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.01.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.01.lnk.fingerprint
index 5c14b8815bb3..f9e10ae1a287 100644
--- a/libbeat/formats/fixtures/lnk/native.2008srv.01.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.2008srv.01.lnk.fingerprint
@@ -1,6 +1,6 @@
 {
 "header": {
- "guid": "01140200-0000-0000-c000-000000000046",
+ "guid": "00021401-0000-0000-c000-000000000046",
 "link_flags": [
 "HasExpString",
 "HasIconLocation",
@@ -57,7 +57,7 @@
 "unicode": "%SystemRoot%\\system32\\cmd.exe"
 },
 "known_folder": {
- "id": "774ec11a-e702-5d4e-b744-2eb1ae5198b7",
+ "id": "1ac14e77-02e7-4e5d-b744-2eb1ae5198b7",
 "offset": 205
 },
 "special_folder": {
@@ -68,12 +68,12 @@
 "version": 0,
 "machine_id": "win-hwdt97ahwff",
 "droid": [
- "bab60dfd-b582-ae4d-9e57-00eb13c2fc0f",
- "1d494f80-82c6-dc11-901d-0014220d9404"
+ "fd0db6ba-82b5-4dae-9e57-00eb13c2fc0f",
+ "804f491d-c682-11dc-901d-0014220d9404"
 ],
 "droid_birth": [
- "bab60dfd-b582-ae4d-9e57-00eb13c2fc0f",
- "1d494f80-82c6-dc11-901d-0014220d9404"
+ "fd0db6ba-82b5-4dae-9e57-00eb13c2fc0f",
+ "804f491d-c682-11dc-901d-0014220d9404"
 ]
 }
 }
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.02.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.02.lnk.fingerprint
index b22bd7a77610..d5aba7636e8d 100644
--- a/libbeat/formats/fixtures/lnk/native.2008srv.02.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.2008srv.02.lnk.fingerprint
@@ -1,6 +1,6 @@
 {
 "header": {
- "guid": "01140200-0000-0000-c000-000000000046",
+ "guid": "00021401-0000-0000-c000-000000000046",
 "link_flags": [
 "HasIconLocation",
 "HasName",
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.03.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.03.lnk.fingerprint
index 0a23efd71b95..c17477a62b5b 100644
--- a/libbeat/formats/fixtures/lnk/native.2008srv.03.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.2008srv.03.lnk.fingerprint
@@ -1,6 +1,6 @@
 {
 "header": {
- "guid": "01140200-0000-0000-c000-000000000046",
+ "guid": "00021401-0000-0000-c000-000000000046",
 "link_flags": [
 "HasIconLocation",
 "HasName",
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.04.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.04.lnk.fingerprint
index a20c3e3308bd..47aee5f48b83 100644
--- a/libbeat/formats/fixtures/lnk/native.2008srv.04.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.2008srv.04.lnk.fingerprint
@@ -1,6 +1,6 @@
 {
 "header": {
- "guid": "01140200-0000-0000-c000-000000000046",
+ "guid": "00021401-0000-0000-c000-000000000046",
 "link_flags": [
 "EnableTargetMetadata",
 "HasRelativePath",
@@ -33,7 +33,7 @@
 "relative_path": "..\\Documents",
 "extra": {
 "known_folder": {
- "id": "d09ad3fd-8f23-af46-adb4-6c85480369c7",
+ "id": "fdd39ad0-238f-46af-adb4-6c85480369c7",
 "offset": 52
 },
 "special_folder": {
@@ -44,12 +44,12 @@
 "version": 0,
 "machine_id": "als-backup1",
 "droid": [
- "325a35a3-6ed8-2049-adfd-dc842d90c45f",
- "13a09673-447d-df11-a3ad-a4badb43b04f"
+ "a3355a32-d86e-4920-adfd-dc842d90c45f",
+ "7396a013-7d44-11df-a3ad-a4badb43b04f"
 ],
 "droid_birth": [
- "325a35a3-6ed8-2049-adfd-dc842d90c45f",
- "13a09673-447d-df11-a3ad-a4badb43b04f"
+ "a3355a32-d86e-4920-adfd-dc842d90c45f",
+ "7396a013-7d44-11df-a3ad-a4badb43b04f"
 ]
 }
 }
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.05.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.05.lnk.fingerprint
index e1f8cafa0d53..b6c9d2cfe5b1 100644
--- a/libbeat/formats/fixtures/lnk/native.2008srv.05.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.2008srv.05.lnk.fingerprint
@@ -1,6 +1,6 @@
 {
 "header": {
- "guid": "01140200-0000-0000-c000-000000000046",
+ "guid": "00021401-0000-0000-c000-000000000046",
 "link_flags": [
 "HasArguments",
 "HasExpString",
@@ -57,7 +57,7 @@
 "unicode": "%SystemRoot%\\system32\\control.exe"
 },
 "known_folder": {
- "id": "774ec11a-e702-5d4e-b744-2eb1ae5198b7",
+ "id": "1ac14e77-02e7-4e5d-b744-2eb1ae5198b7",
 "offset": 205
 },
 "special_folder": {
@@ -68,12 +68,12 @@
 "version": 0,
 "machine_id": "win-hwdt97ahwff",
 "droid": [
- "bab60dfd-b582-ae4d-9e57-00eb13c2fc0f",
- "16494f80-82c6-dc11-901d-0014220d9404"
+ "fd0db6ba-82b5-4dae-9e57-00eb13c2fc0f",
+ "804f4916-c682-11dc-901d-0014220d9404"
 ],
 "droid_birth": [
- "bab60dfd-b582-ae4d-9e57-00eb13c2fc0f",
- "16494f80-82c6-dc11-901d-0014220d9404"
+ "fd0db6ba-82b5-4dae-9e57-00eb13c2fc0f",
+ "804f4916-c682-11dc-901d-0014220d9404"
 ]
 }
 }
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.06.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.06.lnk.fingerprint
index 7c9c02a65f65..d8112975699b 100644
--- a/libbeat/formats/fixtures/lnk/native.2008srv.06.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.2008srv.06.lnk.fingerprint
@@ -1,6 +1,6 @@
 {
 "header": {
- "guid": "01140200-0000-0000-c000-000000000046",
+ "guid": "00021401-0000-0000-c000-000000000046",
 "link_flags": [
 "HasExpIcon",
 "HasIconLocation",
@@ -62,7 +62,7 @@
 "unicode": "%SystemRoot%\\Installer\\{8EF9D7FC-A940-4794-8346-7C15EEBEBF54}\\BrightStorManager1_319B2AA96D38499581EEE0912B18CF57.exe"
 },
 "known_folder": {
- "id": "ef405a7c-fba0-fc4b-874a-c0f2e0b9fa8e",
+ "id": "7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e",
 "offset": 177
 },
 "special_folder": {
@@ -73,12 +73,12 @@
 "version": 0,
 "machine_id": "als-projets1",
 "droid": [
- "325a35a3-6ed8-2049-adfd-dc842d90c45f",
- "7c48b2fb-b37a-df11-8161-a4badb43b04f"
+ "a3355a32-d86e-4920-adfd-dc842d90c45f",
+ "fbb2487c-7ab3-11df-8161-a4badb43b04f"
 ],
 "droid_birth": [
- "325a35a3-6ed8-2049-adfd-dc842d90c45f",
- "7c48b2fb-b37a-df11-8161-a4badb43b04f"
+ "a3355a32-d86e-4920-adfd-dc842d90c45f",
+ "fbb2487c-7ab3-11df-8161-a4badb43b04f"
 ]
 }
 }
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.07.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.07.lnk.fingerprint
index 5e96362aad06..f09eea571440 100644
--- a/libbeat/formats/fixtures/lnk/native.2008srv.07.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.2008srv.07.lnk.fingerprint
@@ -1,6 +1,6 @@
 {
 "header": {
- "guid": "01140200-0000-0000-c000-000000000046",
+ "guid": "00021401-0000-0000-c000-000000000046",
 "link_flags": [
 "HasIconLocation",
 "HasName",
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.08.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.08.lnk.fingerprint
index 3097515ed084..5554ea96dc41 100644
--- a/libbeat/formats/fixtures/lnk/native.2008srv.08.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.2008srv.08.lnk.fingerprint
@@ -1,6 +1,6 @@
 {
 "header": {
- "guid": "01140200-0000-0000-c000-000000000046",
+ "guid": "00021401-0000-0000-c000-000000000046",
 "link_flags": [
 "HasArguments",
 "HasName",
@@ -52,7 +52,7 @@
 "command_line": " -extoff",
 "extra": {
 "known_folder": {
- "id": "ef405a7c-fba0-fc4b-874a-c0f2e0b9fa8e",
+ "id": "7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e",
 "offset": 177
 },
 "special_folder": {
@@ -63,12 +63,12 @@
 "version": 0,
 "machine_id": "als-backup1",
 "droid": [
- "325a35a3-6ed8-2049-adfd-dc842d90c45f",
- "90ed08bb-1f7a-df11-a4a2-a4badb43b04f"
+ "a3355a32-d86e-4920-adfd-dc842d90c45f",
+ "bb08ed90-7a1f-11df-a4a2-a4badb43b04f"
 ],
 "droid_birth": [
- "325a35a3-6ed8-2049-adfd-dc842d90c45f",
- "90ed08bb-1f7a-df11-a4a2-a4badb43b04f"
+ "a3355a32-d86e-4920-adfd-dc842d90c45f",
+ "bb08ed90-7a1f-11df-a4a2-a4badb43b04f"
 ]
 }
 }
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.09.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.09.lnk.fingerprint
index f68a919ab464..31e6ae3ae1be 100644
--- a/libbeat/formats/fixtures/lnk/native.2008srv.09.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.2008srv.09.lnk.fingerprint
@@ -1,6 +1,6 @@
 {
 "header": {
- "guid": "01140200-0000-0000-c000-000000000046",
+ "guid": "00021401-0000-0000-c000-000000000046",
 "link_flags": [
 "HasName",
 "HasRelativePath",
@@ -50,7 +50,7 @@
 "working_directory": "%HOMEDRIVE%%HOMEPATH%",
 "extra": {
 "known_folder": {
- "id": "ef405a7c-fba0-fc4b-874a-c0f2e0b9fa8e",
+ "id": "7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e",
 "offset": 177
 },
 "special_folder": {
@@ -61,12 +61,12 @@
 "version": 0,
 "machine_id": "als-backup1",
 "droid": [
- "325a35a3-6ed8-2049-adfd-dc842d90c45f",
- "90ed08bb-1f7a-df11-a4a2-a4badb43b04f"
+ "a3355a32-d86e-4920-adfd-dc842d90c45f",
+ "bb08ed90-7a1f-11df-a4a2-a4badb43b04f"
 ],
 "droid_birth": [
- "325a35a3-6ed8-2049-adfd-dc842d90c45f",
- "90ed08bb-1f7a-df11-a4a2-a4badb43b04f"
+ "a3355a32-d86e-4920-adfd-dc842d90c45f",
+ "bb08ed90-7a1f-11df-a4a2-a4badb43b04f"
 ]
 }
 }
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.10.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.10.lnk.fingerprint
index 52a7c1dbeea0..e0bb411be560 100644
--- a/libbeat/formats/fixtures/lnk/native.2008srv.10.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.2008srv.10.lnk.fingerprint
@@ -1,6 +1,6 @@
 {
 "header": {
- "guid": "01140200-0000-0000-c000-000000000046",
+ "guid": "00021401-0000-0000-c000-000000000046",
 "link_flags": [
 "EnableTargetMetadata",
 "HasRelativePath",
@@ -32,7 +32,7 @@
 "relative_path": "..\\Music",
 "extra": {
 "known_folder": {
- "id": "71d5d84b-196d-d348-be97-422220080e43",
+ "id": "4bd8d571-6d19-48d3-be97-422220080e43",
 "offset": 52
 },
 "special_folder": {
@@ -43,12 +43,12 @@
 "version": 0,
 "machine_id": "als-backup1",
 "droid": [
- "325a35a3-6ed8-2049-adfd-dc842d90c45f",
- "11a09673-447d-df11-a3ad-a4badb43b04f"
+ "a3355a32-d86e-4920-adfd-dc842d90c45f",
+ "7396a011-7d44-11df-a3ad-a4badb43b04f"
 ],
 "droid_birth": [
- "325a35a3-6ed8-2049-adfd-dc842d90c45f",
- "11a09673-447d-df11-a3ad-a4badb43b04f"
+ "a3355a32-d86e-4920-adfd-dc842d90c45f",
+ "7396a011-7d44-11df-a3ad-a4badb43b04f"
 ]
 }
 }
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.11.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.11.lnk.fingerprint
index a9c15d3920c6..d69ea75ecc87 100644
--- a/libbeat/formats/fixtures/lnk/native.2008srv.11.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.2008srv.11.lnk.fingerprint
@@ -1,6 +1,6 @@
 {
 "header": {
- "guid": "01140200-0000-0000-c000-000000000046",
+ "guid": "00021401-0000-0000-c000-000000000046",
 "link_flags": [
 "HasExpString",
 "HasIconLocation",
@@ -55,7 +55,7 @@
 "unicode": "%SystemRoot%\\system32\\narrator.exe"
 },
 "known_folder": {
- "id": "774ec11a-e702-5d4e-b744-2eb1ae5198b7",
+ "id": "1ac14e77-02e7-4e5d-b744-2eb1ae5198b7",
 "offset": 205
 },
 "special_folder": {
@@ -66,12 +66,12 @@
 "version": 0,
 "machine_id": "win-hwdt97ahwff",
 "droid": [
- "bab60dfd-b582-ae4d-9e57-00eb13c2fc0f",
- "14494f80-82c6-dc11-901d-0014220d9404"
+ "fd0db6ba-82b5-4dae-9e57-00eb13c2fc0f",
+ "804f4914-c682-11dc-901d-0014220d9404"
 ],
 "droid_birth": [
- "bab60dfd-b582-ae4d-9e57-00eb13c2fc0f",
- "14494f80-82c6-dc11-901d-0014220d9404"
+ "fd0db6ba-82b5-4dae-9e57-00eb13c2fc0f",
+ "804f4914-c682-11dc-901d-0014220d9404"
 ]
 }
 }
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.12.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.12.lnk.fingerprint
index 1bdd3ac5bda0..43ac0bf22a39 100644
--- a/libbeat/formats/fixtures/lnk/native.2008srv.12.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.2008srv.12.lnk.fingerprint
@@ -1,6 +1,6 @@
 {
 "header": {
- "guid": "01140200-0000-0000-c000-000000000046",
+ "guid": "00021401-0000-0000-c000-000000000046",
 "link_flags": [
 "HasExpString",
 "HasIconLocation",
@@ -58,7 +58,7 @@
 "unicode": "%SystemRoot%\\system32\\notepad.exe"
 },
 "known_folder": {
- "id": "774ec11a-e702-5d4e-b744-2eb1ae5198b7",
+ "id": "1ac14e77-02e7-4e5d-b744-2eb1ae5198b7",
 "offset": 205
 },
 "special_folder": {
@@ -69,12 +69,12 @@
 "version": 0,
 "machine_id": "win-hwdt97ahwff",
 "droid": [
- "bab60dfd-b582-ae4d-9e57-00eb13c2fc0f",
- "20494f80-82c6-dc11-901d-0014220d9404"
+ "fd0db6ba-82b5-4dae-9e57-00eb13c2fc0f",
+ "804f4920-c682-11dc-901d-0014220d9404"
 ],
 "droid_birth": [
- "bab60dfd-b582-ae4d-9e57-00eb13c2fc0f",
- "20494f80-82c6-dc11-901d-0014220d9404"
+ "fd0db6ba-82b5-4dae-9e57-00eb13c2fc0f",
+ "804f4920-c682-11dc-901d-0014220d9404"
 ]
 }
 }
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.13.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.13.lnk.fingerprint
index b627a0427494..4a038d401b7e 100644
--- a/libbeat/formats/fixtures/lnk/native.2008srv.13.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.2008srv.13.lnk.fingerprint
@@ -1,6 +1,6 @@
 {
 "header": {
- "guid": "01140200-0000-0000-c000-000000000046",
+ "guid": "00021401-0000-0000-c000-000000000046",
 "link_flags": [
 "HasExpString",
 "HasIconLocation",
@@ -55,7 +55,7 @@
 "unicode": "%SystemRoot%\\system32\\osk.exe"
 },
 "known_folder": {
- "id": "774ec11a-e702-5d4e-b744-2eb1ae5198b7",
+ "id": "1ac14e77-02e7-4e5d-b744-2eb1ae5198b7",
 "offset": 205
 },
 "special_folder": {
@@ -66,12 +66,12 @@
 "version": 0,
 "machine_id": "win-hwdt97ahwff",
 "droid": [
- "bab60dfd-b582-ae4d-9e57-00eb13c2fc0f",
- "1b494f80-82c6-dc11-901d-0014220d9404"
+ "fd0db6ba-82b5-4dae-9e57-00eb13c2fc0f",
+ "804f491b-c682-11dc-901d-0014220d9404"
 ],
 "droid_birth": [
- "bab60dfd-b582-ae4d-9e57-00eb13c2fc0f",
- "1b494f80-82c6-dc11-901d-0014220d9404"
+ "fd0db6ba-82b5-4dae-9e57-00eb13c2fc0f",
+ "804f491b-c682-11dc-901d-0014220d9404"
 ]
 }
 }
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.14.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.14.lnk.fingerprint
index 142eb23c7b50..dcb90fbde246 100644
--- a/libbeat/formats/fixtures/lnk/native.2008srv.14.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.2008srv.14.lnk.fingerprint
@@ -1,6 +1,6 @@
 {
 "header": {
- "guid": "01140200-0000-0000-c000-000000000046",
+ "guid": "00021401-0000-0000-c000-000000000046",
 "link_flags": [
 "EnableTargetMetadata",
 "HasRelativePath",
@@ -32,7 +32,7 @@
 "relative_path": "..\\Pictures",
 "extra": {
 "known_folder": {
- "id": "3081e233-1e4e-7646-835a-98395c3bc3bb",
+ "id": "33e28130-4e1e-4676-835a-98395c3bc3bb",
 "offset": 52
 },
 "special_folder": {
@@ -43,12 +43,12 @@
 "version": 0,
 "machine_id": "als-backup1",
 "droid": [
- "325a35a3-6ed8-2049-adfd-dc842d90c45f",
- "12a09673-447d-df11-a3ad-a4badb43b04f"
+ "a3355a32-d86e-4920-adfd-dc842d90c45f",
+ "7396a012-7d44-11df-a3ad-a4badb43b04f"
 ],
 "droid_birth": [
- "325a35a3-6ed8-2049-adfd-dc842d90c45f",
- "12a09673-447d-df11-a3ad-a4badb43b04f"
+ "a3355a32-d86e-4920-adfd-dc842d90c45f",
+ "7396a012-7d44-11df-a3ad-a4badb43b04f"
 ]
 }
 }
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.15.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.15.lnk.fingerprint
index c7678ed950bb..5a313ef535af 100644
--- a/libbeat/formats/fixtures/lnk/native.2008srv.15.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.2008srv.15.lnk.fingerprint
@@ -1,6 +1,6 @@
 {
 "header": {
- "guid": "01140200-0000-0000-c000-000000000046",
+ "guid": "00021401-0000-0000-c000-000000000046",
 "link_flags": [
 "EnableTargetMetadata",
 "HasRelativePath",
@@ -28,19 +28,19 @@
 "relative_path": "..\\..\\Public",
 "extra": {
 "known_folder": {
- "id": "a276dfdf-2ac8-634d-906a-5644ac457385",
+ "id": "dfdf76a2-c82a-4d63-906a-5644ac457385",
 "offset": 20
 },
 "tracker": {
 "version": 0,
 "machine_id": "als-backup1",
 "droid": [
- "325a35a3-6ed8-2049-adfd-dc842d90c45f",
- "8aed08bb-1f7a-df11-a4a2-a4badb43b04f"
+ "a3355a32-d86e-4920-adfd-dc842d90c45f",
+ "bb08ed8a-7a1f-11df-a4a2-a4badb43b04f"
 ],
 "droid_birth": [
- "325a35a3-6ed8-2049-adfd-dc842d90c45f",
- "8aed08bb-1f7a-df11-a4a2-a4badb43b04f"
+ "a3355a32-d86e-4920-adfd-dc842d90c45f",
+ "bb08ed8a-7a1f-11df-a4a2-a4badb43b04f"
 ]
 }
 }
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.16.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.16.lnk.fingerprint
index b0f170235367..d6eea756548d 100644
--- a/libbeat/formats/fixtures/lnk/native.2008srv.16.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.2008srv.16.lnk.fingerprint
@@ -1,6 +1,6 @@
 {
 "header": {
- "guid": "01140200-0000-0000-c000-000000000046",
+ "guid": "00021401-0000-0000-c000-000000000046",
 "link_flags": [
 "HasIconLocation",
 "HasName",
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.17.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.17.lnk.fingerprint
index 76551747e3c7..0e1fd22cbcf3 100644
--- a/libbeat/formats/fixtures/lnk/native.2008srv.17.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.2008srv.17.lnk.fingerprint
@@ -1,6 +1,6 @@
 {
 "header": {
- "guid": "01140200-0000-0000-c000-000000000046",
+ "guid": "00021401-0000-0000-c000-000000000046",
 "link_flags": [
 "EnableTargetMetadata",
 "HasRelativePath",
@@ -33,19 +33,19 @@
 "relative_path": "..\\Searches",
 "extra": {
 "known_folder": {
- "id": "7c0fcef3-0149-cc4a-8648-d5d44b04ef8f",
+ "id": "f3ce0f7c-4901-4acc-8648-d5d44b04ef8f",
 "offset": 20
 },
 "tracker": {
 "version": 0,
 "machine_id": "als-backup1",
 "droid": [
- "325a35a3-6ed8-2049-adfd-dc842d90c45f",
- "0fa09673-447d-df11-a3ad-a4badb43b04f"
+ "a3355a32-d86e-4920-adfd-dc842d90c45f",
+ "7396a00f-7d44-11df-a3ad-a4badb43b04f"
 ],
 "droid_birth": [
- "325a35a3-6ed8-2049-adfd-dc842d90c45f",
- "0fa09673-447d-df11-a3ad-a4badb43b04f"
+ "a3355a32-d86e-4920-adfd-dc842d90c45f",
+ "7396a00f-7d44-11df-a3ad-a4badb43b04f"
 ]
 }
 }
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.18.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.18.lnk.fingerprint
index 9f2cbae14e66..24f7f3a60e3d 100644
--- a/libbeat/formats/fixtures/lnk/native.2008srv.18.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.2008srv.18.lnk.fingerprint
@@ -1,6 +1,6 @@
 {
 "header": {
- "guid": "01140200-0000-0000-c000-000000000046",
+ "guid": "00021401-0000-0000-c000-000000000046",
 "link_flags": [
 "HasIconLocation",
 "HasName",
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.19.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.19.lnk.fingerprint
index ae45f29e3750..a43af5bab21c 100644
--- a/libbeat/formats/fixtures/lnk/native.2008srv.19.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.2008srv.19.lnk.fingerprint
@@ -1,6 +1,6 @@
 {
 "header": {
- "guid": "01140200-0000-0000-c000-000000000046",
+ "guid": "00021401-0000-0000-c000-000000000046",
 "link_flags": [
 "HasIconLocation",
 "HasName",
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.20.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.20.lnk.fingerprint
index ca51fb574113..eef7ab1a2a4e 100644
--- a/libbeat/formats/fixtures/lnk/native.2008srv.20.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.2008srv.20.lnk.fingerprint
@@ -1,6 +1,6 @@
 {
 "header": {
- "guid": "01140200-0000-0000-c000-000000000046",
+ "guid": "00021401-0000-0000-c000-000000000046",
 "link_flags": [
 "HasExpString",
 "HasIconLocation",
@@ -50,7 +50,7 @@
 "unicode": "%SystemRoot%\\explorer.exe"
 },
 "known_folder": {
- "id": "04f48bf3-431d-f242-9305-67de0b28fc23",
+ "id": "f38bf404-1d43-42f2-9305-67de0b28fc23",
 "offset": 123
 },
 "special_folder": {
@@ -61,12 +61,12 @@
 "version": 0,
 "machine_id": "win-hwdt97ahwff",
 "droid": [
- "bab60dfd-b582-ae4d-9e57-00eb13c2fc0f",
- "f6484f80-82c6-dc11-901d-b3d7e32f3e9f"
+ "fd0db6ba-82b5-4dae-9e57-00eb13c2fc0f",
+ "804f48f6-c682-11dc-901d-b3d7e32f3e9f"
 ],
 "droid_birth": [
- "bab60dfd-b582-ae4d-9e57-00eb13c2fc0f",
- "f6484f80-82c6-dc11-901d-b3d7e32f3e9f"
+ "fd0db6ba-82b5-4dae-9e57-00eb13c2fc0f",
+ "804f48f6-c682-11dc-901d-b3d7e32f3e9f"
 ]
 }
 }
diff --git a/libbeat/formats/fixtures/lnk/native.seven.01.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.01.lnk.fingerprint
index f637f79d0c7b..44c73fa63bf9 100644
--- a/libbeat/formats/fixtures/lnk/native.seven.01.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.seven.01.lnk.fingerprint
@@ -1,6 +1,6 @@
 {
 "header": {
- "guid": "01140200-0000-0000-c000-000000000046",
+ "guid": "00021401-0000-0000-c000-000000000046",
 "link_flags": [
 "HasLinkInfo",
 "HasRelativePath",
@@ -59,12 +59,12 @@
 "working_directory": "C:\\Program Files\\ConTEXT",
 "extra": {
 "known_folder": {
- "id": "ef405a7c-fba0-fc4b-874a-c0f2e0b9fa8e",
+ "id": "7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e",
 "offset": 181
 },
 "property_store": {
 "properties": {
- "4": [
+ "SID": [
 {
 "type": "VT_LPWSTR",
 "value": "S-1-5-21-2092377875-1431633947-1539857752-1075"
@@ -80,12 +80,12 @@
 "version": 0,
 "machine_id": "al-0149",
 "droid": [
- "1eede5a0-610d-ed4f-a6e2-afca43a5c04c",
- "bdcda631-9f31-df11-b163-001e4ff01cc7"
+ "a0e5ed1e-0d61-4fed-a6e2-afca43a5c04c",
+ "31a6cdbd-319f-11df-b163-001e4ff01cc7"
 ],
 "droid_birth": [
- "1eede5a0-610d-ed4f-a6e2-afca43a5c04c",
- "bdcda631-9f31-df11-b163-001e4ff01cc7"
+ "a0e5ed1e-0d61-4fed-a6e2-afca43a5c04c",
+ "31a6cdbd-319f-11df-b163-001e4ff01cc7"
 ]
 }
 }
diff --git a/libbeat/formats/fixtures/lnk/native.seven.02.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.02.lnk.fingerprint
index 2036b7049d64..63b0aa67d358 100644
--- a/libbeat/formats/fixtures/lnk/native.seven.02.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.seven.02.lnk.fingerprint
@@ -1,6 +1,6 @@
 {
 "header": {
- "guid": "01140200-0000-0000-c000-000000000046",
+ "guid": "00021401-0000-0000-c000-000000000046",
 "link_flags": [
 "EnableTargetMetadata",
 "HasLinkInfo",
@@ -32,13 +32,13 @@
 "extra": {
 "property_store": {
 "properties": {
- "10": [
+ "Item Name Display": [
 {
 "type": "VT_LPWSTR",
 "value": "Bureau"
 }
 ],
- "30": [
+ "Parsing Path": [
 {
 "type": "VT_LPWSTR",
 "value": "C:\\Users\\Aldheris\\Desktop"
@@ -50,12 +50,12 @@
 "version": 0,
 "machine_id": "al-0149",
 "droid": [
- "1eede5a0-610d-ed4f-a6e2-afca43a5c04c",
- "e81a541f-a3a2-de11-b558-001e4ff01cc7"
+ "a0e5ed1e-0d61-4fed-a6e2-afca43a5c04c",
+ "1f541ae8-a2a3-11de-b558-001e4ff01cc7"
 ],
 "droid_birth": [
- "1eede5a0-610d-ed4f-a6e2-afca43a5c04c",
- "e81a541f-a3a2-de11-b558-001e4ff01cc7"
+ "a0e5ed1e-0d61-4fed-a6e2-afca43a5c04c",
+ "1f541ae8-a2a3-11de-b558-001e4ff01cc7"
 ]
 }
 }
diff --git a/libbeat/formats/fixtures/lnk/native.seven.03.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.03.lnk.fingerprint
index 334cf9d82375..ee0f4e855899 100644
--- a/libbeat/formats/fixtures/lnk/native.seven.03.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.seven.03.lnk.fingerprint
@@ -1,6 +1,6 @@
 {
 "header": {
- "guid": "01140200-0000-0000-c000-000000000046",
+ "guid": "00021401-0000-0000-c000-000000000046",
 "link_flags": [
 "EnableTargetMetadata",
 "HasTargetIDList",
@@ -20,13 +20,13 @@
 "extra": {
 "property_store": {
 "properties": {
- "10": [
+ "Item Name Display": [
 {
 "type": "VT_LPWSTR",
 "value": "Emplacements récents"
 }
 ],
- "30": [
+ "Parsing Path": [
 {
 "type": "VT_LPWSTR",
 "value": "::{22877A6D-37A1-461A-91B0-DBDA5AAEBC99}"
diff --git a/libbeat/formats/fixtures/lnk/native.seven.04.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.04.lnk.fingerprint
index 4f94a66334ed..0918c710d162 100644
--- a/libbeat/formats/fixtures/lnk/native.seven.04.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.seven.04.lnk.fingerprint
@@ -1,6 +1,6 @@
 {
 "header": {
- "guid": "01140200-0000-0000-c000-000000000046",
+ "guid": "00021401-0000-0000-c000-000000000046",
 "link_flags": [
 "HasLinkInfo",
 "HasRelativePath",
@@ -59,12 +59,12 @@
 "working_directory": "C:\\Program Files\\SopCast",
 "extra": {
 "known_folder": {
- "id": "ef405a7c-fba0-fc4b-874a-c0f2e0b9fa8e",
+ "id": "7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e",
 "offset": 181
 },
 "property_store": {
 "properties": {
- "4": [
+ "SID": [
 {
 "type": "VT_LPWSTR",
 "value": "S-1-5-21-2092377875-1431633947-1539857752-1075"
@@ -80,12 +80,12 @@
 "version": 0,
 "machine_id": "al-0149",
 "droid": [
- "1eede5a0-610d-ed4f-a6e2-afca43a5c04c",
- "bd65fda7-2775-df11-a754-001e4ff01cc7"
+ "a0e5ed1e-0d61-4fed-a6e2-afca43a5c04c",
+ "a7fd65bd-7527-11df-a754-001e4ff01cc7"
 ],
 "droid_birth": [
- "1eede5a0-610d-ed4f-a6e2-afca43a5c04c",
- "bd65fda7-2775-df11-a754-001e4ff01cc7"
+ "a0e5ed1e-0d61-4fed-a6e2-afca43a5c04c",
+ "a7fd65bd-7527-11df-a754-001e4ff01cc7"
 ]
 }
 }
diff --git a/libbeat/formats/fixtures/lnk/native.seven.05.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.05.lnk.fingerprint
index 78b69519689c..d47cfbf4bdd6 100644
--- a/libbeat/formats/fixtures/lnk/native.seven.05.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.seven.05.lnk.fingerprint
@@ -1,6 +1,6 @@
 {
 "header": {
- "guid": "01140200-0000-0000-c000-000000000046",
+ "guid": "00021401-0000-0000-c000-000000000046",
 "link_flags": [
 "DisableKnownFolderTracking",
 "HasTargetIDList",
diff --git a/libbeat/formats/fixtures/lnk/native.seven.06.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.06.lnk.fingerprint
index a80c12d4c0f9..7d2efe855b61 100644
--- a/libbeat/formats/fixtures/lnk/native.seven.06.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.seven.06.lnk.fingerprint
@@ -1,6 +1,6 @@
 {
 "header": {
- "guid": "01140200-0000-0000-c000-000000000046",
+ "guid": "00021401-0000-0000-c000-000000000046",
 "link_flags": [
 "DisableKnownFolderTracking",
 "HasTargetIDList",
diff --git a/libbeat/formats/fixtures/lnk/native.seven.07.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.07.lnk.fingerprint
index 80fc6c39af58..468d5a5073a7 100644
--- a/libbeat/formats/fixtures/lnk/native.seven.07.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.seven.07.lnk.fingerprint
@@ -1,6 +1,6 @@
 {
 "header": {
- "guid": "01140200-0000-0000-c000-000000000046",
+ "guid": "00021401-0000-0000-c000-000000000046",
 "link_flags": [
 "ForceNoLinkInfo",
 "HasArguments",
@@ -35,12 +35,12 @@
 "version": 0,
 "machine_id": "win-dc3j5p1qj61",
 "droid": [
- "a6b30b54-1b3f-044f-b746-9c5af7c07867",
- "05c79ae2-3770-de11-816d-001c23e25b76"
+ "540bb3a6-3f1b-4f04-b746-9c5af7c07867",
+ "e29ac705-7037-11de-816d-001c23e25b76"
 ],
 "droid_birth": [
- "a6b30b54-1b3f-044f-b746-9c5af7c07867",
- "05c79ae2-3770-de11-816d-001c23e25b76"
+ "540bb3a6-3f1b-4f04-b746-9c5af7c07867",
+ "e29ac705-7037-11de-816d-001c23e25b76"
 ]
 }
 }
diff --git a/libbeat/formats/fixtures/lnk/native.seven.08.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.08.lnk.fingerprint
index a6e2d588b983..cf3a645ba015 100644
--- a/libbeat/formats/fixtures/lnk/native.seven.08.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.seven.08.lnk.fingerprint
@@ -1,6 +1,6 @@
 {
 "header": {
- "guid": "01140200-0000-0000-c000-000000000046",
+ "guid": "00021401-0000-0000-c000-000000000046",
 "link_flags": [
 "HasDarwinID",
 "HasExpIcon",
@@ -60,16 +60,16 @@
 },
 "property_store": {
 "properties": {
- "6": [
+ "App User Model Exclude From Show In New Install": [
 {
- "type": "VT_LPWSTR",
- "value": "Importez et organisez des photos, des images clip art, des fichiers sons et animation à l'aide de la Bibliothèque multimédia Microsoft."
+ "type": "VT_BOOL",
+ "value": true
 }
 ],
- "8": [
+ "Comment": [
 {
- "type": "VT_BOOL",
- "value": true
+ "type": "VT_LPWSTR",
+ "value": "Importez et organisez des photos, des images clip art, des fichiers sons et animation à l'aide de la Bibliothèque multimédia Microsoft."
 }
 ]
 }
diff --git a/libbeat/formats/fixtures/lnk/native.seven.09.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.09.lnk.fingerprint
index f837ede4753d..ed5fd3b98d85 100644
--- a/libbeat/formats/fixtures/lnk/native.seven.09.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.seven.09.lnk.fingerprint
@@ -1,6 +1,6 @@
 {
 "header": {
- "guid": "01140200-0000-0000-c000-000000000046",
+ "guid": "00021401-0000-0000-c000-000000000046",
 "link_flags": [
 "HasExpString",
 "HasLinkInfo",
@@ -66,21 +66,21 @@ "unicode": "%SystemRoot%\\system32\\fsquirt.exe" }, "known_folder": { - "id": "774ec11a-e702-5d4e-b744-2eb1ae5198b7", + "id": "1ac14e77-02e7-4e5d-b744-2eb1ae5198b7", "offset": 213 }, "property_store": { "properties": { - "4": [ + "Comment": [ { "type": "VT_LPWSTR", - "value": "S-1-5-18" + "value": "Transfère les fichiers entre les périphériques et les ordinateurs à l'aide de la technologie sans fil Bluetooth." } ], - "6": [ + "SID": [ { "type": "VT_LPWSTR", - "value": "Transfère les fichiers entre les périphériques et les ordinateurs à l'aide de la technologie sans fil Bluetooth." + "value": "S-1-5-18" } ] } @@ -93,12 +93,12 @@ "version": 0, "machine_id": "win-40r2agv20qa", "droid": [ - "da667c4f-20d3-c44c-8d50-165dd98ebc01", - "66d492f8-2061-df11-964c-ac3a656c3b1d" + "4f7c66da-d320-4cc4-8d50-165dd98ebc01", + "f892d466-6120-11df-964c-ac3a656c3b1d" ], "droid_birth": [ - "da667c4f-20d3-c44c-8d50-165dd98ebc01", - "66d492f8-2061-df11-964c-ac3a656c3b1d" + "4f7c66da-d320-4cc4-8d50-165dd98ebc01", + "f892d466-6120-11df-964c-ac3a656c3b1d" ] } } diff --git a/libbeat/formats/fixtures/lnk/native.seven.10.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.10.lnk.fingerprint index 6efce3a1ad2b..96b5c854ca5a 100644 --- a/libbeat/formats/fixtures/lnk/native.seven.10.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.seven.10.lnk.fingerprint @@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "ForceNoLinkInfo", "HasExpString", @@ -33,12 +33,12 @@ "version": 0, "machine_id": "win-dc3j5p1qj61", "droid": [ - "a6b30b54-1b3f-044f-b746-9c5af7c07867", - "1bc79ae2-3770-de11-816d-001c23e25b76" + "540bb3a6-3f1b-4f04-b746-9c5af7c07867", + "e29ac71b-7037-11de-816d-001c23e25b76" ], "droid_birth": [ - "a6b30b54-1b3f-044f-b746-9c5af7c07867", - "1bc79ae2-3770-de11-816d-001c23e25b76" + "540bb3a6-3f1b-4f04-b746-9c5af7c07867", + "e29ac71b-7037-11de-816d-001c23e25b76" ] } } 
diff --git a/libbeat/formats/fixtures/lnk/native.seven.11.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.11.lnk.fingerprint index bd9d4e75cd86..1f8f3a89520f 100644 --- a/libbeat/formats/fixtures/lnk/native.seven.11.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.seven.11.lnk.fingerprint @@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "DisableKnownFolderTracking", "HasTargetIDList", diff --git a/libbeat/formats/fixtures/lnk/native.seven.12.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.12.lnk.fingerprint index 1c830b4eeff4..f49d5c67eb81 100644 --- a/libbeat/formats/fixtures/lnk/native.seven.12.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.seven.12.lnk.fingerprint @@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "ForceNoLinkInfo", "HasExpString", @@ -35,12 +35,12 @@ "version": 0, "machine_id": "win-dc3j5p1qj61", "droid": [ - "a6b30b54-1b3f-044f-b746-9c5af7c07867", - "fcc69ae2-3770-de11-816d-001c23e25b76" + "540bb3a6-3f1b-4f04-b746-9c5af7c07867", + "e29ac6fc-7037-11de-816d-001c23e25b76" ], "droid_birth": [ - "a6b30b54-1b3f-044f-b746-9c5af7c07867", - "fcc69ae2-3770-de11-816d-001c23e25b76" + "540bb3a6-3f1b-4f04-b746-9c5af7c07867", + "e29ac6fc-7037-11de-816d-001c23e25b76" ] } } diff --git a/libbeat/formats/fixtures/lnk/native.seven.13.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.13.lnk.fingerprint index 451883b4c247..1456fbb9c121 100644 --- a/libbeat/formats/fixtures/lnk/native.seven.13.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.seven.13.lnk.fingerprint @@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "EnableTargetMetadata", "HasLinkInfo", 
@@ -41,13 +41,13 @@ "extra": { "property_store": { "properties": { - "10": [ + "Item Name Display": [ { "type": "VT_LPWSTR", "value": "Bureau" } ], - "30": [ + "Parsing Path": [ { "type": "VT_LPWSTR", "value": "C:\\Users\\Juliette\\Desktop" @@ -59,12 +59,12 @@ "version": 0, "machine_id": "netbook", "droid": [ - "da667c4f-20d3-c44c-8d50-165dd98ebc01", - "1ef183f9-b062-df11-9c95-001377d34a59" + "4f7c66da-d320-4cc4-8d50-165dd98ebc01", + "f983f11e-62b0-11df-9c95-001377d34a59" ], "droid_birth": [ - "da667c4f-20d3-c44c-8d50-165dd98ebc01", - "1ef183f9-b062-df11-9c95-001377d34a59" + "4f7c66da-d320-4cc4-8d50-165dd98ebc01", + "f983f11e-62b0-11df-9c95-001377d34a59" ] } } diff --git a/libbeat/formats/fixtures/lnk/native.seven.14.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.14.lnk.fingerprint index 6b76252c7d57..9305f37cc5d8 100644 --- a/libbeat/formats/fixtures/lnk/native.seven.14.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.seven.14.lnk.fingerprint @@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "ForceNoLinkInfo", "HasArguments", @@ -35,12 +35,12 @@ "version": 0, "machine_id": "win-dc3j5p1qj61", "droid": [ - "a6b30b54-1b3f-044f-b746-9c5af7c07867", - "1ac79ae2-3770-de11-816d-001c23e25b76" + "540bb3a6-3f1b-4f04-b746-9c5af7c07867", + "e29ac71a-7037-11de-816d-001c23e25b76" ], "droid_birth": [ - "a6b30b54-1b3f-044f-b746-9c5af7c07867", - "1ac79ae2-3770-de11-816d-001c23e25b76" + "540bb3a6-3f1b-4f04-b746-9c5af7c07867", + "e29ac71a-7037-11de-816d-001c23e25b76" ] } } diff --git a/libbeat/formats/fixtures/lnk/native.seven.15.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.15.lnk.fingerprint index c11ab5040d7c..ff3b495ffa6b 100644 --- a/libbeat/formats/fixtures/lnk/native.seven.15.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.seven.15.lnk.fingerprint 
@@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "ForceNoLinkInfo", "HasArguments", @@ -35,12 +35,12 @@ "version": 0, "machine_id": "win-40r2agv20qa", "droid": [ - "da667c4f-20d3-c44c-8d50-165dd98ebc01", - "fbd492f8-2061-df11-964c-ac3a656c3b1d" + "4f7c66da-d320-4cc4-8d50-165dd98ebc01", + "f892d4fb-6120-11df-964c-ac3a656c3b1d" ], "droid_birth": [ - "da667c4f-20d3-c44c-8d50-165dd98ebc01", - "fbd492f8-2061-df11-964c-ac3a656c3b1d" + "4f7c66da-d320-4cc4-8d50-165dd98ebc01", + "f892d4fb-6120-11df-964c-ac3a656c3b1d" ] } } diff --git a/libbeat/formats/fixtures/lnk/native.seven.16.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.16.lnk.fingerprint index 58e2f747f28e..e5038449c4bc 100644 --- a/libbeat/formats/fixtures/lnk/native.seven.16.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.seven.16.lnk.fingerprint @@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "ForceNoLinkInfo", "HasIconLocation", diff --git a/libbeat/formats/fixtures/lnk/native.seven.17.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.17.lnk.fingerprint index f697b40e816f..3fd192eb67ba 100644 --- a/libbeat/formats/fixtures/lnk/native.seven.17.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.seven.17.lnk.fingerprint @@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "ForceNoLinkInfo", "HasExpString", 
@@ -33,12 +33,12 @@ "version": 0, "machine_id": "win-dc3j5p1qj61", "droid": [ - "a6b30b54-1b3f-044f-b746-9c5af7c07867", - "06c79ae2-3770-de11-816d-001c23e25b76" + "540bb3a6-3f1b-4f04-b746-9c5af7c07867", + "e29ac706-7037-11de-816d-001c23e25b76" ], "droid_birth": [ - "a6b30b54-1b3f-044f-b746-9c5af7c07867", - "06c79ae2-3770-de11-816d-001c23e25b76" + "540bb3a6-3f1b-4f04-b746-9c5af7c07867", + "e29ac706-7037-11de-816d-001c23e25b76" ] } } diff --git a/libbeat/formats/fixtures/lnk/native.seven.18.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.18.lnk.fingerprint index c784d304f47d..4295e9745138 100644 --- a/libbeat/formats/fixtures/lnk/native.seven.18.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.seven.18.lnk.fingerprint @@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "ForceNoLinkInfo", "HasExpString", @@ -35,12 +35,12 @@ "version": 0, "machine_id": "win-dc3j5p1qj61", "droid": [ - "a6b30b54-1b3f-044f-b746-9c5af7c07867", - "0fc79ae2-3770-de11-816d-001c23e25b76" + "540bb3a6-3f1b-4f04-b746-9c5af7c07867", + "e29ac70f-7037-11de-816d-001c23e25b76" ], "droid_birth": [ - "a6b30b54-1b3f-044f-b746-9c5af7c07867", - "0fc79ae2-3770-de11-816d-001c23e25b76" + "540bb3a6-3f1b-4f04-b746-9c5af7c07867", + "e29ac70f-7037-11de-816d-001c23e25b76" ] } } diff --git a/libbeat/formats/fixtures/lnk/native.seven.19.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.19.lnk.fingerprint index fa93089eddae..df69f6557ffe 100644 --- a/libbeat/formats/fixtures/lnk/native.seven.19.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.seven.19.lnk.fingerprint @@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "ForceNoLinkInfo", "HasExpString", 
@@ -33,12 +33,12 @@ "version": 0, "machine_id": "win-dc3j5p1qj61", "droid": [ - "a6b30b54-1b3f-044f-b746-9c5af7c07867", - "04c79ae2-3770-de11-816d-001c23e25b76" + "540bb3a6-3f1b-4f04-b746-9c5af7c07867", + "e29ac704-7037-11de-816d-001c23e25b76" ], "droid_birth": [ - "a6b30b54-1b3f-044f-b746-9c5af7c07867", - "04c79ae2-3770-de11-816d-001c23e25b76" + "540bb3a6-3f1b-4f04-b746-9c5af7c07867", + "e29ac704-7037-11de-816d-001c23e25b76" ] } } diff --git a/libbeat/formats/fixtures/lnk/native.seven.20.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.20.lnk.fingerprint index 32d11e2d3b1c..28098bc5524e 100644 --- a/libbeat/formats/fixtures/lnk/native.seven.20.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.seven.20.lnk.fingerprint @@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "ForceNoLinkInfo", "HasExpString", @@ -33,12 +33,12 @@ "version": 0, "machine_id": "win-dc3j5p1qj61", "droid": [ - "a6b30b54-1b3f-044f-b746-9c5af7c07867", - "10c79ae2-3770-de11-816d-001c23e25b76" + "540bb3a6-3f1b-4f04-b746-9c5af7c07867", + "e29ac710-7037-11de-816d-001c23e25b76" ], "droid_birth": [ - "a6b30b54-1b3f-044f-b746-9c5af7c07867", - "10c79ae2-3770-de11-816d-001c23e25b76" + "540bb3a6-3f1b-4f04-b746-9c5af7c07867", + "e29ac710-7037-11de-816d-001c23e25b76" ] } } diff --git a/libbeat/formats/fixtures/lnk/native.xp.01.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.01.lnk.fingerprint index fb236a466890..7cf85e077a72 100644 --- a/libbeat/formats/fixtures/lnk/native.xp.01.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.xp.01.lnk.fingerprint @@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "HasArguments", "HasExpString", 
diff --git a/libbeat/formats/fixtures/lnk/native.xp.02.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.02.lnk.fingerprint index e7d2b207c9f4..16eaa32d552f 100644 --- a/libbeat/formats/fixtures/lnk/native.xp.02.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.xp.02.lnk.fingerprint @@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "HasIconLocation", "HasName", diff --git a/libbeat/formats/fixtures/lnk/native.xp.03.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.03.lnk.fingerprint index 0e59eeed772d..d4536f4b11cc 100644 --- a/libbeat/formats/fixtures/lnk/native.xp.03.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.xp.03.lnk.fingerprint @@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "HasExpString", "HasLinkInfo", diff --git a/libbeat/formats/fixtures/lnk/native.xp.04.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.04.lnk.fingerprint index f9fc41eabd9d..a50c942f0b7b 100644 --- a/libbeat/formats/fixtures/lnk/native.xp.04.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.xp.04.lnk.fingerprint @@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "HasLinkInfo", "HasName", @@ -69,12 +69,12 @@ "version": 0, "machine_id": "al-0142", "droid": [ - "6a3e8623-003d-2344-b4c5-05fe7266eb5e", - "e5762b91-d40b-dd11-bcc5-001f3c29339f" + "23863e6a-3d00-4423-b4c5-05fe7266eb5e", + "912b76e5-0bd4-11dd-bcc5-001f3c29339f" ], "droid_birth": [ - "6a3e8623-003d-2344-b4c5-05fe7266eb5e", - "e5762b91-d40b-dd11-bcc5-001f3c29339f" + "23863e6a-3d00-4423-b4c5-05fe7266eb5e", + "912b76e5-0bd4-11dd-bcc5-001f3c29339f" ] } } 
diff --git a/libbeat/formats/fixtures/lnk/native.xp.05.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.05.lnk.fingerprint index 406f4970eb78..717a1dc8a797 100644 --- a/libbeat/formats/fixtures/lnk/native.xp.05.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.xp.05.lnk.fingerprint @@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "HasExpString", "HasLinkInfo", diff --git a/libbeat/formats/fixtures/lnk/native.xp.06.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.06.lnk.fingerprint index 20095fa8041f..e15cc10c786a 100644 --- a/libbeat/formats/fixtures/lnk/native.xp.06.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.xp.06.lnk.fingerprint @@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "HasLinkInfo", "HasName", @@ -69,12 +69,12 @@ "version": 0, "machine_id": "al-0142", "droid": [ - "6a3e8623-003d-2344-b4c5-05fe7266eb5e", - "e2762b91-d40b-dd11-bcc5-001f3c29339f" + "23863e6a-3d00-4423-b4c5-05fe7266eb5e", + "912b76e2-0bd4-11dd-bcc5-001f3c29339f" ], "droid_birth": [ - "6a3e8623-003d-2344-b4c5-05fe7266eb5e", - "e2762b91-d40b-dd11-bcc5-001f3c29339f" + "23863e6a-3d00-4423-b4c5-05fe7266eb5e", + "912b76e2-0bd4-11dd-bcc5-001f3c29339f" ] } } diff --git a/libbeat/formats/fixtures/lnk/native.xp.07.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.07.lnk.fingerprint index d83027ab5952..9ca5f6956460 100644 --- a/libbeat/formats/fixtures/lnk/native.xp.07.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.xp.07.lnk.fingerprint @@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "HasExpString", "HasIconLocation", 
diff --git a/libbeat/formats/fixtures/lnk/native.xp.08.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.08.lnk.fingerprint index 3d14471092f7..ecd49bebd5c2 100644 --- a/libbeat/formats/fixtures/lnk/native.xp.08.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.xp.08.lnk.fingerprint @@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "HasArguments", "HasExpString", diff --git a/libbeat/formats/fixtures/lnk/native.xp.09.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.09.lnk.fingerprint index 6ec8131efc9f..8d15100ebf86 100644 --- a/libbeat/formats/fixtures/lnk/native.xp.09.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.xp.09.lnk.fingerprint @@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "HasLinkInfo", "HasName", @@ -69,12 +69,12 @@ "version": 0, "machine_id": "al-0142", "droid": [ - "6a3e8623-003d-2344-b4c5-05fe7266eb5e", - "e2762b91-d40b-dd11-bcc5-001f3c29339f" + "23863e6a-3d00-4423-b4c5-05fe7266eb5e", + "912b76e2-0bd4-11dd-bcc5-001f3c29339f" ], "droid_birth": [ - "6a3e8623-003d-2344-b4c5-05fe7266eb5e", - "e2762b91-d40b-dd11-bcc5-001f3c29339f" + "23863e6a-3d00-4423-b4c5-05fe7266eb5e", + "912b76e2-0bd4-11dd-bcc5-001f3c29339f" ] } } diff --git a/libbeat/formats/fixtures/lnk/native.xp.10.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.10.lnk.fingerprint index e5418a224442..06f9b9e8e287 100644 --- a/libbeat/formats/fixtures/lnk/native.xp.10.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.xp.10.lnk.fingerprint @@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "HasExpString", "HasIconLocation", 
diff --git a/libbeat/formats/fixtures/lnk/native.xp.11.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.11.lnk.fingerprint index b746b362a2be..461ba030fec0 100644 --- a/libbeat/formats/fixtures/lnk/native.xp.11.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.xp.11.lnk.fingerprint @@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "HasArguments", "HasLinkInfo", @@ -69,12 +69,12 @@ "version": 0, "machine_id": "al-0142", "droid": [ - "6a3e8623-003d-2344-b4c5-05fe7266eb5e", - "e4762b91-d40b-dd11-bcc5-001f3c29339f" + "23863e6a-3d00-4423-b4c5-05fe7266eb5e", + "912b76e4-0bd4-11dd-bcc5-001f3c29339f" ], "droid_birth": [ - "6a3e8623-003d-2344-b4c5-05fe7266eb5e", - "e4762b91-d40b-dd11-bcc5-001f3c29339f" + "23863e6a-3d00-4423-b4c5-05fe7266eb5e", + "912b76e4-0bd4-11dd-bcc5-001f3c29339f" ] } } diff --git a/libbeat/formats/fixtures/lnk/native.xp.12.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.12.lnk.fingerprint index bd7efe309385..5af18dae9258 100644 --- a/libbeat/formats/fixtures/lnk/native.xp.12.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.xp.12.lnk.fingerprint @@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "HasExpString", "HasLinkInfo", diff --git a/libbeat/formats/fixtures/lnk/native.xp.13.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.13.lnk.fingerprint index 30fd7960955a..b5142282f8ca 100644 --- a/libbeat/formats/fixtures/lnk/native.xp.13.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.xp.13.lnk.fingerprint @@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "HasExpString", "HasLinkInfo", 
diff --git a/libbeat/formats/fixtures/lnk/native.xp.14.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.14.lnk.fingerprint index c2268d2ffbaa..5770bca05bf5 100644 --- a/libbeat/formats/fixtures/lnk/native.xp.14.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.xp.14.lnk.fingerprint @@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "HasExpString", "HasLinkInfo", diff --git a/libbeat/formats/fixtures/lnk/native.xp.15.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.15.lnk.fingerprint index 3fe6e0f7ce54..674ef887b346 100644 --- a/libbeat/formats/fixtures/lnk/native.xp.15.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.xp.15.lnk.fingerprint @@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "HasLinkInfo", "HasRelativePath", diff --git a/libbeat/formats/fixtures/lnk/native.xp.16.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.16.lnk.fingerprint index d86f6c496b0c..d2f08900809a 100644 --- a/libbeat/formats/fixtures/lnk/native.xp.16.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.xp.16.lnk.fingerprint @@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "HasLinkInfo", "HasRelativePath", diff --git a/libbeat/formats/fixtures/lnk/native.xp.17.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.17.lnk.fingerprint index 62df3700b408..e14a57358993 100644 --- a/libbeat/formats/fixtures/lnk/native.xp.17.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.xp.17.lnk.fingerprint @@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "HasLinkInfo", "HasName", 
@@ -69,12 +69,12 @@ "version": 0, "machine_id": "al-0142", "droid": [ - "6a3e8623-003d-2344-b4c5-05fe7266eb5e", - "e3762b91-d40b-dd11-bcc5-001f3c29339f" + "23863e6a-3d00-4423-b4c5-05fe7266eb5e", + "912b76e3-0bd4-11dd-bcc5-001f3c29339f" ], "droid_birth": [ - "6a3e8623-003d-2344-b4c5-05fe7266eb5e", - "e3762b91-d40b-dd11-bcc5-001f3c29339f" + "23863e6a-3d00-4423-b4c5-05fe7266eb5e", + "912b76e3-0bd4-11dd-bcc5-001f3c29339f" ] } } diff --git a/libbeat/formats/fixtures/lnk/native.xp.18.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.18.lnk.fingerprint index c8fef54cd3ea..73011c743e9c 100644 --- a/libbeat/formats/fixtures/lnk/native.xp.18.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.xp.18.lnk.fingerprint @@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "HasName", "HasTargetIDList", diff --git a/libbeat/formats/fixtures/lnk/native.xp.19.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.19.lnk.fingerprint index ac5f9f59cfd6..2139d39a209a 100644 --- a/libbeat/formats/fixtures/lnk/native.xp.19.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.xp.19.lnk.fingerprint @@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "HasName", "HasTargetIDList", diff --git a/libbeat/formats/fixtures/lnk/native.xp.20.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.20.lnk.fingerprint index 71134f9b842d..9be526bafbeb 100644 --- a/libbeat/formats/fixtures/lnk/native.xp.20.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.xp.20.lnk.fingerprint @@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "HasLinkInfo", "HasTargetIDList", 
@@ -90,11 +90,11 @@ "machine_id": "als-fichiers7", "droid": [ "00000000-0000-0000-0000-000000000000", - "06cd1d4d-e5fc-dc11-8902-0015c5fbcbe3" + "4d1dcd06-fce5-11dc-8902-0015c5fbcbe3" ], "droid_birth": [ "00000000-0000-0000-0000-000000000000", - "06cd1d4d-e5fc-dc11-8902-0015c5fbcbe3" + "4d1dcd06-fce5-11dc-8902-0015c5fbcbe3" ] } } diff --git a/libbeat/formats/fixtures/lnk/net_unicode.lnk.fingerprint b/libbeat/formats/fixtures/lnk/net_unicode.lnk.fingerprint index e2e5a1fd0361..53c5c871b8f0 100644 --- a/libbeat/formats/fixtures/lnk/net_unicode.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/net_unicode.lnk.fingerprint @@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "EnableTargetMetadata", "HasExpString", @@ -37,22 +37,22 @@ }, "property_store": { "properties": { - "10": [ + "Item Folder Path Display": [ { "type": "VT_LPWSTR", - "value": "💎.txt" + "value": "\\\\test\\share" } ], - "30": [ + "Item Name Display": [ { "type": "VT_LPWSTR", - "value": "\\\\test\\share\\💎.txt" + "value": "💎.txt" } ], - "6": [ + "Parsing Path": [ { "type": "VT_LPWSTR", - "value": "\\\\test\\share" + "value": "\\\\test\\share\\💎.txt" } ] } @@ -61,12 +61,12 @@ "version": 0, "machine_id": "test", "droid": [ - "51369273-fde5-4eff-91cc-d50f13310bfc", - "04a80000-0000-0000-0dcf-180000000000" + "73923651-e5fd-ff4e-91cc-d50f13310bfc", + "0000a804-0000-0000-0dcf-180000000000" ], "droid_birth": [ - "50369273-fde5-4eff-91cc-d50f13310bfc", - "04a80000-0000-0000-0dcf-180000000000" + "73923650-e5fd-ff4e-91cc-d50f13310bfc", + "0000a804-0000-0000-0dcf-180000000000" ] }, "vista_and_above_id_list": { diff --git a/libbeat/formats/fixtures/lnk/net_unicode2.lnk.fingerprint b/libbeat/formats/fixtures/lnk/net_unicode2.lnk.fingerprint index 2f2f8abc416f..936e4ce26a04 100644 --- a/libbeat/formats/fixtures/lnk/net_unicode2.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/net_unicode2.lnk.fingerprint 
@@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "EnableTargetMetadata", "HasExpString", @@ -38,22 +38,22 @@ }, "property_store": { "properties": { - "10": [ + "Item Folder Path Display": [ { "type": "VT_LPWSTR", - "value": "リンク先.txt" + "value": "\\\\test\\📂" } ], - "30": [ + "Item Name Display": [ { "type": "VT_LPWSTR", - "value": "\\\\test\\📂\\リンク先.txt" + "value": "リンク先.txt" } ], - "6": [ + "Parsing Path": [ { "type": "VT_LPWSTR", - "value": "\\\\test\\📂" + "value": "\\\\test\\📂\\リンク先.txt" } ] } @@ -62,12 +62,12 @@ "version": 0, "machine_id": "test", "droid": [ - "5337f18a-4bd4-98f1-1366-c15ed7085770", - "04a80000-0000-0000-3346-190000000000" + "8af13753-d44b-f198-1366-c15ed7085770", + "0000a804-0000-0000-3346-190000000000" ], "droid_birth": [ - "5237f18a-4bd4-98f1-1366-c15ed7085770", - "04a80000-0000-0000-3346-190000000000" + "8af13752-d44b-f198-1366-c15ed7085770", + "0000a804-0000-0000-3346-190000000000" ] }, "vista_and_above_id_list": { diff --git a/libbeat/formats/fixtures/lnk/net_win31j.lnk.fingerprint b/libbeat/formats/fixtures/lnk/net_win31j.lnk.fingerprint index 33f3e011780b..990186177db7 100644 --- a/libbeat/formats/fixtures/lnk/net_win31j.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/net_win31j.lnk.fingerprint @@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "EnableTargetMetadata", "HasExpString", @@ -38,22 +38,22 @@ }, "property_store": { "properties": { - "10": [ + "Item Folder Path Display": [ { "type": "VT_LPWSTR", - "value": "リンク先.txt" + "value": "\\\\test\\share" } ], - "30": [ + "Item Name Display": [ { "type": "VT_LPWSTR", - "value": "\\\\test\\share\\リンク先.txt" + "value": "リンク先.txt" } ], - "6": [ + "Parsing Path": [ { "type": "VT_LPWSTR", - "value": "\\\\test\\share" + "value": "\\\\test\\share\\リンク先.txt" } ] } 
@@ -62,12 +62,12 @@ "version": 0, "machine_id": "test", "droid": [ - "51369273-fde5-4eff-91cc-d50f13310bfc", - "04a80000-0000-0000-0ccf-180000000000" + "73923651-e5fd-ff4e-91cc-d50f13310bfc", + "0000a804-0000-0000-0ccf-180000000000" ], "droid_birth": [ - "50369273-fde5-4eff-91cc-d50f13310bfc", - "04a80000-0000-0000-0ccf-180000000000" + "73923650-e5fd-ff4e-91cc-d50f13310bfc", + "0000a804-0000-0000-0ccf-180000000000" ] }, "vista_and_above_id_list": { diff --git a/libbeat/formats/fixtures/lnk/remote.directory.xp.lnk.fingerprint b/libbeat/formats/fixtures/lnk/remote.directory.xp.lnk.fingerprint index 7f4baac3618b..0ea67c1677e1 100644 --- a/libbeat/formats/fixtures/lnk/remote.directory.xp.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/remote.directory.xp.lnk.fingerprint @@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "HasLinkInfo", "HasTargetIDList", @@ -70,11 +70,11 @@ "machine_id": "als-fichiers3", "droid": [ "00000000-0000-0000-0000-000000000000", - "c5e0b78a-c875-de11-b8c9-000f1ff7c0dd" + "8ab7e0c5-75c8-11de-b8c9-000f1ff7c0dd" ], "droid_birth": [ "00000000-0000-0000-0000-000000000000", - "c5e0b78a-c875-de11-b8c9-000f1ff7c0dd" + "8ab7e0c5-75c8-11de-b8c9-000f1ff7c0dd" ] } } diff --git a/libbeat/formats/fixtures/lnk/remote.file.aidlist.lnk.fingerprint b/libbeat/formats/fixtures/lnk/remote.file.aidlist.lnk.fingerprint index 8e51736d134a..6ff334943d45 100644 --- a/libbeat/formats/fixtures/lnk/remote.file.aidlist.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/remote.file.aidlist.lnk.fingerprint @@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "DisableKnownFolderTracking", "HasExpString", 
@@ -38,12 +38,12 @@ "version": 0, "machine_id": "fatality", "droid": [ - "d6f88e11-2d40-8641-b384-3527d35fb1eb", - "1f268538-7491-df11-9091-8fae47a32577" + "118ef8d6-402d-4186-b384-3527d35fb1eb", + "3885261f-9174-11df-9091-8fae47a32577" ], "droid_birth": [ - "d6f88e11-2d40-8641-b384-3527d35fb1eb", - "1f268538-7491-df11-9091-8fae47a32577" + "118ef8d6-402d-4186-b384-3527d35fb1eb", + "3885261f-9174-11df-9091-8fae47a32577" ] }, "vista_and_above_id_list": { diff --git a/libbeat/formats/fixtures/lnk/remote.file.xp.lnk.fingerprint b/libbeat/formats/fixtures/lnk/remote.file.xp.lnk.fingerprint index 2dcd88c7ff1e..9a89c3ed71fd 100644 --- a/libbeat/formats/fixtures/lnk/remote.file.xp.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/remote.file.xp.lnk.fingerprint @@ -1,6 +1,6 @@ { "header": { - "guid": "01140200-0000-0000-c000-000000000046", + "guid": "00021401-0000-0000-c000-000000000046", "link_flags": [ "HasLinkInfo", "HasTargetIDList", @@ -83,11 +83,11 @@ "machine_id": "als-fichiers3", "droid": [ "00000000-0000-0000-0000-000000000000", - "341b46ea-7798-da11-80bd-000f1ff7c0dc" + "ea461b34-9877-11da-80bd-000f1ff7c0dc" ], "droid_birth": [ "00000000-0000-0000-0000-000000000000", - "341b46ea-7798-da11-80bd-000f1ff7c0dc" + "ea461b34-9877-11da-80bd-000f1ff7c0dc" ] } } diff --git a/libbeat/formats/lnk/extra_property_store.go b/libbeat/formats/lnk/extra_property_store.go index 44fff19dd9ff..1400a5bb7e7b 100644 --- a/libbeat/formats/lnk/extra_property_store.go +++ b/libbeat/formats/lnk/extra_property_store.go @@ -21,6 +21,7 @@ import ( "encoding/binary" "errors" "math" + "strconv" "github.com/elastic/beats/v7/libbeat/formats/common" ) 
@@ -179,8 +180,7 @@ func parseExtraPropertyStore(size uint32, data []byte) (*PropertyStore, error) {
 if size < 0x0000000C {
 return nil, errors.New("invalid extra property store block size")
 }
- namedProperties := make(map[string][]Property)
- idProperties := make(map[uint32][]Property)
+ props := make(map[string][]Property)
 store := data[8:]
 offset := 0
 for {
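Review bot: The size guard at the top of this hunk validates only the declared block size, not the length of `data`, so a truncated block still reaches `store := data[8:]` and the per-property slicing in the loop below with fewer bytes than `size` promises; in Go that is an index-out-of-range panic, which for a parser fed attacker-controlled .lnk files means a crash rather than a returned error. Unless the caller already guarantees `len(data) >= size` (not visible here), extend the check to `if size < 0x0000000C || uint64(len(data)) < uint64(size) {` so the existing "invalid extra property store block size" error covers the short-buffer case too. The `uint64` comparison avoids a signed overflow of `int(size)` on 32-bit targets. parseExtraPropertyStore starts in the hunk header and its loop body continues past the end of this hunk.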
@@ -200,85 +200,66 @@ func parseExtraPropertyStore(size uint32, data []byte) (*PropertyStore, error) { return nil, errors.New("invalid property version") } format := encodeUUID(propertyData[8:24]) - if format == "d5cdd505-2e9c-101b-9397-08002b2cf9ae" { - name, properties, err := parseNamedProperties(propertyData[24:propertySize]) - if err != nil { - return nil, err - } - if properties != nil { - namedProperties[name] = properties - } - } else { - id, properties, err := parseProperties(propertyData[24:propertySize]) - if err != nil { - return nil, err - } - if properties != nil { - idProperties[id] = properties - } + name, properties, err := parseProperties(format, propertyData[24:propertySize]) + if err != nil { + return nil, err + } + if properties != nil { + props[name] = properties } offset += int(propertySize) } return &PropertyStore{ - NamedProperties: namedProperties, - Properties: idProperties, + Properties: props, }, nil } -func parseNamedProperties(data []byte) (string, []Property, error) { +func parseProperties(identifier string, data []byte) (string, []Property, error) { propertySize := binary.LittleEndian.Uint32(data[0:4]) if propertySize == 0 { return "", nil, nil } - nameSize := binary.LittleEndian.Uint32(data[4:8]) - name := common.ReadUnicode(data[9:nameSize+9], 0) - value, err := parseTypedValue(data[nameSize+9 : propertySize]) - if err != nil { - return "", nil, err - } - return name, value, nil -} - -func parseProperties(data []byte) (uint32, []Property, error) { - propertySize := binary.LittleEndian.Uint32(data[0:4]) - if propertySize == 0 { - return 0, nil, nil - } id := binary.LittleEndian.Uint32(data[4:8]) - if int(propertySize) > len(data) { - return 0, nil, errors.New("invalid property size") + name := identifier + "\\" + strconv.Itoa(int(id)) + knownFormat, known := knownProperties[identifier] + if known { + idName, knownName := knownFormat[id] + if knownName { + name = idName + } } - value, err := parseTypedValue(data[9:propertySize]) + + 
_, value, err := parseTypedValue(data[9:propertySize]) if err != nil { - return id, nil, err + return name, nil, err } - return id, value, nil + return name, value, nil } -func parseTypedValue(data []byte) ([]Property, error) { +func parseTypedValue(data []byte) (uint32, []Property, error) { if len(data) < 4 { - return nil, errors.New("invalid properties") + return 0, nil, errors.New("invalid properties") } valueType := binary.LittleEndian.Uint32(data[0:4]) switch valueType { case vtEmpty: fallthrough case vtNull: - return []Property{ + return valueType, []Property{ Property{ Type: propertyTypes[valueType], }, }, nil case vtI2: - return []Property{ + return valueType, []Property{ Property{ Type: propertyTypes[valueType], Value: int16(binary.LittleEndian.Uint16(data[4:8])), }, }, nil case vtI4: - return []Property{ + return valueType, []Property{ Property{ Type: propertyTypes[valueType], Value: int32(binary.LittleEndian.Uint32(data[4:8])), @@ -287,7 +268,7 @@ func parseTypedValue(data []byte) ([]Property, error) { case vtR4: bits := binary.LittleEndian.Uint32(data[4:8]) float := math.Float32frombits(bits) - return []Property{ + return valueType, []Property{ Property{ Type: propertyTypes[valueType], Value: float, @@ -296,21 +277,21 @@ func parseTypedValue(data []byte) ([]Property, error) { case vtR8: bits := binary.LittleEndian.Uint64(data[4:12]) float := math.Float64frombits(bits) - return []Property{ + return valueType, []Property{ Property{ Type: propertyTypes[valueType], Value: float, }, }, nil case vtCY: - return []Property{ + return valueType, []Property{ Property{ Type: propertyTypes[valueType], Value: binary.LittleEndian.Uint64(data[4:12]), }, }, nil case vtDate: - return []Property{ + return valueType, []Property{ Property{ Type: propertyTypes[valueType], Value: normalizeTime(binary.LittleEndian.Uint64(data[4:12])), 
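Review bot: parseProperties drops the old `if int(propertySize) > len(data)` guard, so `data[9:propertySize]` is now sliced with a length taken straight from the file, and a propertySize larger than the remaining buffer (or smaller than 9) panics the parser on a malformed .lnk instead of returning an error; restoring it in the new shape, `if propertySize < 9 || int(propertySize) > len(data) { return name, nil, errors.New("invalid property size") }`, keeps the error path the caller already handles. The string-named layout that parseNamedProperties used to handle (the `d5cdd505-…` branch) is no longer parsed separately, so if such stores can still occur the new code reads their name-length field as the id and the name bytes as a typed value — if that is intended, a one-line comment on `parseProperties` saying so would save the next reader the same question. The `knownProperties[identifier]` lookup relies on the table keys matching encodeUUID's 36-character output exactly; one key in the new known_properties.go, `"000214a1-0000-0000-c000-000000000046}"`, carries a trailing brace and can never match. The first return value of the new three-value parseTypedValue is discarded at every call site visible here, so it is worth a note on why it is exposed. parseExtraPropertyStore starts before this hunk and parseTypedValue continues past it.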
@@ -318,25 +299,22 @@ func parseTypedValue(data []byte) ([]Property, error) {
 }, nil
 case vtBStr:
 codePageSize := binary.LittleEndian.Uint32(data[4:8])
- if int(codePageSize+8) > len(data) {
- return nil, errors.New("invalid code page size")
- }
 codePage := common.ReadString(data[8:8+codePageSize], 0)
- return []Property{
+ return valueType, []Property{
 Property{
 Type: propertyTypes[valueType],
 Value: codePage,
 },
 }, nil
 case vtError:
- return []Property{
+ return valueType, []Property{
 Property{
 Type: propertyTypes[valueType],
 Value: binary.LittleEndian.Uint32(data[4:8]),
 },
 }, nil
 case vtBool:
- return []Property{
+ return valueType, []Property{
 Property{
 Type: propertyTypes[valueType],
 Value: binary.LittleEndian.Uint16(data[4:6]) == 0xFFFF,
@@ -354,10 +332,7 @@ func parseTypedValue(data []byte) ([]Property, error) {
 // case vtLPStr:
 case vtLPWStr:
 length := binary.LittleEndian.Uint32(data[4:8]) * 2
- if int(length+8) > len(data) {
- return nil, errors.New("invalid LPWStr length")
- }
- return []Property{
+ return valueType, []Property{
 Property{
 Type: propertyTypes[valueType],
 Value: common.ReadUnicode(data[8:8+length], 0),
@@ -412,7 +387,7 @@ func parseTypedValue(data []byte) ([]Property, error) {
 // case vtArrayInt:
 // case vtArrayUint:
 default:
- return []Property{
+ return valueType, []Property{
 Property{
 Type: propertyTypes[valueType],
 Value: data[4:],
diff --git a/libbeat/formats/lnk/header.go b/libbeat/formats/lnk/header.go
index 74f0e2e427c8..59f1cb0c34df 100644
--- a/libbeat/formats/lnk/header.go
+++ b/libbeat/formats/lnk/header.go
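Review bot: The vtBStr case now slices `data[8:8+codePageSize]` with no check that codePageSize fits inside data, and the vtLPWStr case in the @@ -354 hunk does the same with `data[8:8+length]`; the removed guards were what turned a bad length field in the file into an error rather than a runtime panic, and with the new three-value signature they can come back as `if int(codePageSize) > len(data)-8 { return 0, nil, errors.New("invalid code page size") }` and the matching form for length. Comparing against `len(data)-8` instead of computing `codePageSize+8` also sidesteps the uint32 wraparound the old check was exposed to, and `length := ... * 2` can itself wrap for counts above 0x7FFFFFFF, so doing that multiplication in int or uint64 first would make the guard meaningful. The @@ -412 hunk's `default` branch only returns `data[4:]` and is covered by the function's opening `len(data) < 4` check, so it needs no change. parseTypedValue starts before these hunks and its header reads (`data[4:8]`) are guarded only by that 4-byte check, which is outside this hunk.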
@@ -263,11 +263,17 @@ func parseFlags(flagset map[uint32]string, value uint32) []string {
 
 func encodeUUID(uuid []byte) string {
 dst := make([]byte, 36)
- hex.Encode(dst, uuid[:4])
+ swapped := make([]byte, 8)
+ binary.BigEndian.PutUint16(swapped[2:4], binary.LittleEndian.Uint16(uuid[0:2]))
+ binary.BigEndian.PutUint16(swapped[0:2], binary.LittleEndian.Uint16(uuid[2:4]))
+ binary.BigEndian.PutUint16(swapped[4:6], binary.LittleEndian.Uint16(uuid[4:6]))
+ binary.BigEndian.PutUint16(swapped[6:8], binary.LittleEndian.Uint16(uuid[6:8]))
+
+ hex.Encode(dst, swapped[:4])
 dst[8] = '-'
- hex.Encode(dst[9:13], uuid[4:6])
+ hex.Encode(dst[9:13], swapped[4:6])
 dst[13] = '-'
- hex.Encode(dst[14:18], uuid[6:8])
+ hex.Encode(dst[14:18], swapped[6:8])
 dst[18] = '-'
 hex.Encode(dst[19:23], uuid[8:10])
 dst[23] = '-'
diff --git a/libbeat/formats/lnk/known_properties.go b/libbeat/formats/lnk/known_properties.go
new file mode 100644
index 000000000000..5e619e6faafc
--- /dev/null
+++ b/libbeat/formats/lnk/known_properties.go
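Review bot: The first GUID field is a single little-endian uint32, so the two PutUint16 calls that fill swapped[0:4] can be the one line `binary.BigEndian.PutUint32(swapped[0:4], binary.LittleEndian.Uint32(uuid[0:4]))`, which reads directly as the mixed-endian GUID layout (data1, data2, data3 byte-swapped; data4 copied as-is) and matches the corrected fixture values in this commit such as `00021401-…`. The hunk does not show header.go's import block, so I am assuming `encoding/binary` is already imported there. Nothing in encodeUUID checks `len(uuid) >= 16` before indexing through uuid[8:10] and beyond; that predates this change, but since the bytes come from the file a short slice panics rather than erroring, so either a length check or a `// uuid must be at least 16 bytes; callers slice exactly 16` comment on the function would help. encodeUUID continues past the end of the hunk.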
@@ -0,0 +1,2562 @@ +package lnk + +var knownProperties = map[string]map[uint32]string{ + "46588ae2-4cbc-4338-bbfc-139326986dce": map[uint32]string{ + 4: "SID", + }, + "dabd30ed-0043-4789-a7f8-d013a4736622": map[uint32]string{ + 100: "Item Folder Path Display Narrow", + }, + "28636aa6-953d-11d2-b5d6-00c04fd918d0": map[uint32]string{ + 0: "Find Data", + 1: "Network Resource", + 2: "Description ID", + 3: "Which Folder", + 4: "Network Location", + 5: "Computer Name", + 6: "Namespace CLSID", + 8: "Item Path Display Narrow", + 9: "Perceived Type", + 10: "Computer Simple Name", + 11: "Item Type", + 12: "File Count", + 14: "Total File Size", + 22: "Max Stack Count", + 23: "List Description", + 24: "Parsing Name", + 25: "SFGAO Flags", + 26: "Order", + 27: "Computer Description", + 29: "Contained Items", + 30: "Parsing Path", + 31: "Network Provider", + 32: "Delegate ID List", + 33: "Is SendTo Target", + 34: "Hide On Desktop", + 35: "Network Places Default Name", + 36: "Storage System Type", + 37: "Item SubType", + }, + "9f4c2855-9f79-4b39-a8d0-e1d42de1d5f3": map[uint32]string{ + 2: "App User Model Relaunch Command", + 3: "App User Model Relaunch Icon Resource", + 4: "App User Model Relaunch Display Name Resource", + 5: "App User Model ID", + 6: "App User Model Is DestList Separator", + 7: "App User Model Is DestList Link", + 8: "App User Model Exclude From Show In New Install", + 9: "App User Model Prevent Pinning", + 10: "App User Model Best Shortcut", + 11: "App User Model Is Dual Mode", + 12: "App User Model Start Pin Option", + 13: "App User Model Relevance", + 14: "App User Model Host Environment", + 15: "App User Model Package Install Path", + 16: "App User Model Record State", + 17: "App User Model Package Family Name", + 18: "App User Model Installed By", + 19: "App User Model Parent ID", + 20: "App User Model Activation Context", + 21: "App User Model Package Full Name", + 22: "App User Model Package Relative Application ID", + 23: "App User Model Excluded From 
Launcher", + 24: "App User Model AppCompat ID", + 25: "App User Model Run Flags", + 26: "App User Model Toast Activator CLSID", + 27: "App User Model DestList Provided Title", + 28: "App User Model DestList Provided Description", + 29: "App User Model DestList Logo Uri", + 30: "App User Model DestList Provided Group Name", + }, + "446d16b1-8dad-4870-a748-402ea43d788c": map[uint32]string{ + 100: "Thumbnail Cache Id", + 104: "Volume Id", + 105: "Tooltip Thumbnail Stream", + }, + "fb8d2d7b-90d1-4e34-bf60-6eac09922bbf": map[uint32]string{ + 2: "WinX Hash", + }, + "f29f85e0-4ff9-1068-ab91-08002b27b3d9": map[uint32]string{ + 3: "Subject", + 4: "Author", + 5: "Keywords", + 6: "Comment", + 7: "Document Template", + 8: "Document Last Author", + 9: "Document Revision Number", + 10: "Document Total Editing Time", + 11: "Document Date Printed", + 12: "Document Date Created", + 13: "Document Date Saved", + 14: "Document Page Count", + 15: "Document Word Count", + 16: "Document Character Count", + 17: "Thumbnail", + 18: "Application Name", + 19: "Document Security", + 24: "High Keywords", + 25: "Low Keywords", + 26: "Medium Keywords", + 27: "Thumbnail Stream", + }, + "841e4f90-ff59-4d16-8947-e81bbffab36d": map[uint32]string{ + 2: "Publisher Display Name", + 3: "Software Registered Owner", + 4: "Software Registered Company", + 5: "Software AppId", + 6: "Software Support Url", + 7: "Software Support Telephone", + 8: "Software Help Link", + 9: "Software Install Location", + 10: "Software Install Source", + 11: "Software Date Installed", + 12: "Software Support Contact Name", + 13: "Software ReadMe Url", + 14: "Software Update Info Url", + 15: "Software Times Used", + 16: "Software Date Last Used", + 17: "Software Tasks File Url", + 18: "Software Parent Name", + 19: "Software Product ID", + 20: "Software Comments", + 997: "Software Null Preview Total Size", + 998: "Software Null Preview Subtitle", + 999: "Software Null Preview Title", + }, + "86d40b4d-9069-443c-819a-2a54090dccec": 
map[uint32]string{ + 2: "Tile Small Image Location", + 4: "Tile Background Color", + 5: "Tile Foreground Color", + 11: "Tile Display Name", + 12: "Tile Image Location", + 13: "Tile Wide 310x150 Logo Path", + 14: "Tile Unknown Flags", + 15: "Tile Badge Logo Path", + 16: "Tile Suite Display Name", + 17: "Tile Suite Sor tName", + 18: "Tile Display Name Language", + 19: "Tile Square 310x310 Logo Path", + 20: "Tile Square 70x70 Logo Path", + 21: "Tile Fence Post", + 22: "Tile Install Progress", + 23: "Tile Encoded Target Path", + }, + "b725f130-47ef-101a-a5f1-02608c9eebac": map[uint32]string{ + 2: "Item Folder Name Display", + 3: "Search ClassID", + 4: "Item Type Text", + 8: "File Index", + 9: "Search Last Change USN", + 10: "Item Name Display", + 12: "Size", + 13: "File Attributes", + 14: "Date Modified", + 15: "Date Created", + 16: "Date Accessed", + 18: "File Allocation Size", + 19: "Search Contents", + 20: "Search ShortName", + 21: "File FRN", + 22: "Search Scope", + 23: "Item Name Sort Override", + 24: "Item Name Display Without Extension", + 25: "Folder Name Display", + }, + "e3e0584c-b788-4a5a-bb20-7f5a44c9acdd": map[uint32]string{ + 2: "Message Bcc Address", + 3: "Message Bcc Name", + 4: "Message Cc Address", + 5: "Message Cc Name", + 6: "Item Folder Path Display", + 7: "Item Path Display", + 9: "Communication Account Name", + 10: "Is Read", + 11: "Importance", + 12: "Flag Status", + 13: "Message From Address", + 14: "Message From Name", + 15: "Message Store", + 16: "Message To Address", + 17: "Message To Name", + 18: "Contact Web Page", + 19: "Message Date Sent", + 20: "Message Date Received", + 21: "Message Attachment Names", + }, + "00000000-0000-0000-0000-000000000000": map[uint32]string{ + 0: "Null", + }, + "000214a1-0000-0000-c000-000000000046}": map[uint32]string{ + 9: "Status", + }, + "00bc20a3-bd48-4085-872c-a88d77f5097e": map[uint32]string{ + 105: "Music Composer Sort Override", + }, + "00f58a38-c54b-4c40-8696-97235980eae1": map[uint32]string{ + 100: 
"Calendar Resources", + }, + "00f63dd8-22bd-4a5d-ba34-5cb0b9bdcb03": map[uint32]string{ + 101: "Contact Job Info1 Yomi Company Name", + 102: "Contact Job Info1 Company Name", + 103: "Contact Job Info1 Title", + 104: "Contact Job Info1 Office Location", + 105: "Contact Job Info1 Manager", + 106: "Contact Job Info1 Department", + 107: "Contact Job Info2 Yomi Company Name", + 108: "Contact Job Info2 Company Name", + 109: "Contact Job Info2 Title", + 110: "Contact Job Info2 Office Location", + 112: "Contact Job Info2 Manager", + 113: "Contact Job Info2 Department", + 114: "Contact Job Info3 Yomi Company Name", + 115: "Contact Job Info3 Company Name", + 116: "Contact Job Info3 Title", + 117: "Contact Job Info3 Office Location", + 118: "Contact Job Info3 Manager", + 119: "Contact Job Info3 Department", + 120: "Contact Job Info1 Company Address", + 121: "Contact Job Info2 Company Address", + 123: "Contact Job Info3 Company Address", + 124: "Contact Webpage 2", + 125: "Contact Webpage 3", + }, + "026e516e-b814-414b-83cd-856d6fef4822": map[uint32]string{ + 3: "Devices Interface Enabled", + 4: "Devices Interface Class Guid", + 6: "Devices Restricted Interface", + }, + "029c0252-5b86-46c7-aca0-2769ffc8e3d4": map[uint32]string{ + 100: "GPS Latitude Ref", + }, + "02b0f689-a914-4e45-821d-1dda452ed2c4": map[uint32]string{ + 100: "GPS Longitude Numerator", + }, + "03089873-8ee8-4191-bd60-d31f72b7900b": map[uint32]string{ + 100: "Contact Display Other Phone Numbers", + }, + "0337ecec-39fb-4581-a0bd-4c4cc51e9914": map[uint32]string{ + 100: "Photo Aperture Numerator", + }, + "048658ad-2db8-41a4-bbb6-ac1ef1207eb1": map[uint32]string{ + 100: "Item Class Type", + }, + "05e932b1-7ca2-491f-bd69-99b4cb266cbb": map[uint32]string{ + 2: "Connected Search Disambiguation Text", + }, + "06704b0c-e830-4c81-9178-91e4e95a80a0": map[uint32]string{ + 2: "Devices Notification Store", + 3: "Devices Notification", + }, + "084d8a0a-e6d5-40de-bf1f-c8820e7c877c": map[uint32]string{ + 100: "Task 
CompletionStatus", + }, + "08a65aa1-f4c9-43dd-9ddf-a33d8e7ead85": map[uint32]string{ + 100: "Contact HomeAddressCountry", + }, + "08c7cc5f-60f2-4494-ad75-55e3e0b5add0": map[uint32]string{ + 100: "Task Owner", + }, + "08f6d7c2-e3f2-44fc-af1e-5aa5c81a2d3e": map[uint32]string{ + 100: "Photo MaxAperture", + }, + "09329b74-40a3-4c68-bf07-af9a572f607c": map[uint32]string{ + 100: "Is Folder", + }, + "0933f3f5-4786-4f46-a8e8-d64dd37fa521": map[uint32]string{ + 100: "Photo Focal Plane X Resolution Denominator", + }, + "09429607-582d-437f-84c3-de93a2b24c3c": map[uint32]string{ + 100: "Calendar Optional AttendeeNames", + }, + "09736039-456b-4219-ba3e-ec573b58cf97": map[uint32]string{ + 2: "Secondary Tile Is Uninstalled", + }, + "09edd5b6-b301-43c5-9990-d00302effd46": map[uint32]string{ + 100: "Media Average Level", + }, + "0a7b84ef-0c27-463f-84ef-06c5070001be": map[uint32]string{ + 10: "Device Interface Printer Name", + }, + "0abe4d16-9384-426b-b41a-eac3c8e0f147": map[uint32]string{ + 2: "Search Content Snippet", + }, + "0adef160-db3f-4308-9a21-06237b16fa2a": map[uint32]string{ + 100: "Contact Home Address Street", + }, + "0b48f35a-be6e-4f17-b108-3c4073d1669a": map[uint32]string{ + 15: "Device Printer URL", + }, + "0b63e343-9ccc-11d0-bcdb-00805fccce04": map[uint32]string{ + 2: "Search Url To Index", + 12: "Search Url To Index With Modification Time", + 23: "Search Is Closed Directory", + 24: "Search Is Fully Contained", + 25: "Search Provider Class", + 26: "Search Provider Web Domain", + 27: "Search Provider Result Limit", + }, + "0b63e350-9ccc-11d0-bcdb-00805fccce04": map[uint32]string{ + 5: "MIME Type", + 8: "Search Gather Time", + 9: "Search Access Count", + 11: "Search Last Indexed Total Time", + }, + "0b8bb018-2725-4b44-92ba-7933aeb2dde7": map[uint32]string{ + 2: "Contact Account Picture Dynamic Video", + 3: "Contact Account Picture Large", + 4: "Contact Account Picture Small", + }, + "0ba7d6c3-568d-4159-ab91-781a91fb71e5": map[uint32]string{ + 100: "Calendar Required 
Attendee Addresses", + }, + "0bba1ede-7566-4f47-90ec-25fc567ced2a": map[uint32]string{ + 2: "Devices AepContainer Children", + 3: "Devices AepContainer Can Pair", + 4: "Devices AepContainer Is Paired", + 6: "Devices AepContainer Manufacturer", + 7: "Devices AepContainer Model Name", + 8: "Devices AepContainer Model Ids", + 9: "Devices AepContainer Categories", + 11: "Devices AepContainer Is Present", + 12: "Devices AepContainer Container Id", + 13: "Devices AepContainer Protocol Ids", + }, + "0be1c8e7-1981-4676-ae14-fdd78f05a6e7": map[uint32]string{ + 100: "Message Sender Address", + }, + "0be3fd71-3f87-40e0-aead-0294cf674635": map[uint32]string{ + 2: "Shell Is Dav Resource", + }, + "0c73b141-39d6-4653-a683-cab291eaf95b": map[uint32]string{ + 2: "Supplemental Album Id", + 3: "Supplemental Resource Id", + }, + "0c840a88-b043-466d-9766-d4b26da3fa77": map[uint32]string{ + 100: "Photo Subject Distance Denominator", + }, + "0cb2bf5a-9ee7-4a86-8222-f01e07fdadaf": map[uint32]string{ + 100: "PropGroup Photo Advanced", + }, + "0cef7d53-fa64-11d1-a203-0000f81fedee": map[uint32]string{ + 3: "File Description", + 4: "File Version", + 5: "Internal Name", + 6: "Original File Name", + 7: "Software Product Name", + 8: "Software Product Version", + 9: "Trademarks", + 11: "Platform", + }, + "0cf8fb02-1837-42f1-a697-a7017aa289b9": map[uint32]string{ + 100: "GPS DOP", + }, + "0da41cfa-d224-4a18-ae2f-596158db4b3a": map[uint32]string{ + 100: "Message Sender Name", + }, + "0ded77b3-c614-456c-ae5b-285b38d7b01b": map[uint32]string{ + 2: "Launcher Order", + 3: "Launcher Group ID", + 6: "Launcher View ID", + 7: "Launcher App State", + 8: "Launcher Tile Size", + 9: "Launcher Group Name", + 10: "Launcher Splash Screen Image", + 11: "Launcher TileSize Timestamp", + 12: "Launcher ItemPosition Timestamp", + 13: "Launcher View ID Timestamp", + 14: "Launcher Group Membership Timestamp", + 15: "Launcher Group Name Timestamp", + 16: "Launcher Default Tile Size", + 17: "Launcher Placeholder Expiry 
Candidate", + 18: "Launcher Placeholder Expiry Candidate Timestamp", + 19: "Launcher Item Flags", + 20: "Launcher Group Position Timestamp", + 21: "Launcher Store Category", + 22: "Launcher Win Store Category Name", + 23: "Launcher SubgroupID", + }, + "0f55cde2-4f49-450d-92c1-dcd16301b1b7": map[uint32]string{ + 100: "GPS Latitude Decimal", + }, + "10984e0a-f9f2-4321-b7ef-baf195af4319": map[uint32]string{ + 100: "Parental Rating Reason", + }, + "10b24595-41a2-4e20-93c2-5761c1395f32": map[uint32]string{ + 100: "GPS Img Direction Denominator", + }, + "10dabe05-32aa-4c29-bf1a-63e2d220587f": map[uint32]string{ + 100: "Image Image Id", + }, + "1173f62a-2a55-4f62-aed6-8c7112e0f7a3": map[uint32]string{ + 5: "Force Full Text", + }, + "11d6336b-38c4-4ec9-84d6-eb38d0b150af": map[uint32]string{ + 100: "Contact Other Email Addresses", + }, + "125491f4-818f-46b2-91b5-d537753617b2": map[uint32]string{ + 100: "GPS Status", + }, + "12ea418f-d8cd-4cdf-9b23-457eaac7ff0d": map[uint32]string{ + 100: "Communication Directory Server", + }, + "12fa14f5-c6fe-4545-bce2-1ed6cb6b8422": map[uint32]string{ + 2: "Connected Search Link Text", + }, + "13673f42-a3d6-49f6-b4da-ae46e0c5237c": map[uint32]string{ + 2: "Devices DevObject Type", + }, + "13eb7ffc-ec89-4346-b19d-ccc6f1784223": map[uint32]string{ + 101: "Music Album Title Sort Override", + }, + "14977844-6b49-4aad-a714-a4513bf60460": map[uint32]string{ + 100: "Contact First Name", + }, + "149c0b69-2c2d-48fc-808f-d318d78c4636": map[uint32]string{ + 2: "Volume Is Mapped Drive", + }, + "14b81da1-0135-4d31-96d9-6cbfc9671a99": map[uint32]string{ + 259: "Image Compression", + 271: "Photo Camera Manufacturer", + 272: "Photo Camera Model", + 273: "Photo Camera Serial Number", + 274: "Photo Orientation", + 305: "Software Used", + 18248: "Photo Event", + 18258: "Date Imported", + 33432: "Image Copyright", + 33434: "Photo Exposure Time", + 33437: "Photo FNumber", + 34850: "Photo Exposure Program", + 34855: "Photo ISO Speed", + 36867: "Photo Date 
Taken", + 37377: "Photo Shutter Speed", + 37378: "Photo Aperture", + 37380: "Photo Exposure Bias", + 37382: "Photo Subject Distance", + 37383: "Photo Metering Mode", + 37384: "Photo Light Source", + 37385: "Photo Flash", + 37386: "Photo Focal Length", + 40096: "Image Property Bag", + 40961: "Image Color Space", + 41483: "Photo Flash Energy", + }, + "1506935d-e3e7-450f-8637-82233ebe5f6e": map[uint32]string{ + 2: "Devices WiFi Direct Interface Address", + 3: "Devices WiFi Direct Interface Guid", + 4: "Devices WiFi Direct Group Id", + 5: "Devices WiFi Direct Is Connected", + 6: "Devices WiFi Direct Is Visible", + 7: "Devices WiFi Direct Is Legacy Device", + 8: "Devices WiFi Direct Miracast Version", + 9: "Devices WiFi Direct Is Miracast Lcp Supported", + 10: "Devices WiFi Direct Services", + 11: "Devices WiFi Direct Supported ChannelList", + 12: "Devices WiFi Direct Information Elements", + 13: "Devices WiFi Direct Device Address", + }, + "16473c91-d017-4ed9-ba4d-b6baa55dbcf8": map[uint32]string{ + 100: "GPS Img Direction", + }, + "16cbb924-6500-473b-a5be-f1599bcbe413": map[uint32]string{ + 100: "Photo Digital Zoom Numerator", + }, + "16e634ee-2bff-497b-bd8a-4341ad39eeb9": map[uint32]string{ + 100: "GPS Latitude Denominator", + }, + "16ea4042-d6f4-4bca-8349-7c78d30fb333": map[uint32]string{ + 100: "Photo Shutter Speed Numerator", + }, + "176dc63c-2688-4e89-8143-a347800f25e9": map[uint32]string{ + 6: "Contact Job Title", + 7: "Contact Office Location", + 20: "Contact Home Telephone", + 25: "Contact Primary Telephone", + 35: "Contact Mobile Telephone", + 47: "Contact Birthday", + 48: "Contact Primary Email Address", + 65: "Contact Hom eAddress City", + 69: "Contact Personal Title", + 70: "Contact Given Name", + 71: "Contact Middle Name", + 73: "Contact Suffix", + 74: "Contact Nick Name", + 75: "Contact Prefix", + }, + "1804d1fb-9fa4-441d-a536-76468ac43307": map[uint32]string{ + 100: "WebDav Path", + }, + "182c1ea6-7c1c-4083-ab4b-ac6c9f4ed128": map[uint32]string{ + 100: 
"GPS Dest Longitude Ref", + }, + "188c1f91-3c40-4132-9ec5-d8b03b72a8a2": map[uint32]string{ + 100: "Calendar Response Status", + }, + "18bbd425-ecfd-46ef-b612-7b4a6034eda0": map[uint32]string{ + 100: "Contact Primary Address Postal Code", + }, + "19b51fa6-1f92-4a5c-ab48-7df0abd67444": map[uint32]string{ + 100: "Image Resolution Unit", + }, + "1a701bf6-478c-4361-83ab-3701bb053c58": map[uint32]string{ + 100: "Photo Brightness", + }, + "1a9ba605-8e7c-4d11-ad7d-a50ada18ba1b": map[uint32]string{ + 2: "Message Participants", + }, + "1b5439e7-eba1-4af8-bdd7-7af1d4549493": map[uint32]string{ + 100: "RecordedTV Station Name", + }, + "1b97738a-fdfc-462f-9d93-1957e08be90c": map[uint32]string{ + 100: "Photo FNumber Numerator", + }, + "30c8eef4-a832-41e2-ab32-e3c3ca28fd29": map[uint32]string{ + 2: "Home Grouping", + 3: "Home Sort Order", + 4: "Home Is Pinned", + 5: "Home PropList Sort", + 6: "Home Item Folder Path Display", + }, + "3143bf7c-80a8-4854-8880-e2e40189bdd0": map[uint32]string{ + 100: "Message Attachment Contents", + }, + "315b9c8d-80a9-4ef9-ae16-8e746da51d70": map[uint32]string{ + 100: "Calendar Is Recurring", + }, + "318a6b45-087f-4dc2-b8cc-05359551fc9e": map[uint32]string{ + 100: "Photo Related Sound File", + }, + "31b37743-7c5e-4005-93e6-e953f92b82e9": map[uint32]string{ + 2: "Devices WiFi Direct Services Service Address", + 3: "Devices WiFi Direct Services Service Name", + 4: "Devices WiFi Direct Services Service Information", + 5: "Devices WiFi Direct Services Advertisement Id", + 6: "Devices WiFi Direct Services Service Config Methods", + 7: "Devices WiFi Direct Services Request Service Information", + }, + "328d8b21-7729-4bfc-954c-902b329d56b0": map[uint32]string{ + 2: "Sync Copy In", + }, + "32bcb03c-7f34-4e3f-bbb2-ebe63629f5e4": map[uint32]string{ + 100: "Is Simple Item", + }, + "33dcf22b-28d5-464c-8035-1ee9efd25278": map[uint32]string{ + 100: "GPS Longitude Ref", + }, + "341796f1-1df9-4b1c-a564-91bdefa43877": map[uint32]string{ + 100: "Photo 
PhotometricInterpretation", + }, + "346c8bd1-2e6a-4c45-89a4-61b78e8e700f": map[uint32]string{ + 100: "Is Incomplete", + }, + "35dbe6fe-44c3-4400-aaae-d2c799c407e8": map[uint32]string{ + 100: "GPS Track Ref", + }, + "3602c812-0f3b-45f0-85ad-603468d69423": map[uint32]string{ + 100: "GPS Date", + }, + "3633de59-6825-4381-a49b-9f6ba13a1471": map[uint32]string{ + 2: "Devices Playback State", + 3: "Devices Playback Title", + 4: "Devices Remaining Duration", + 5: "Devices Playback Position Percent", + }, + "364028da-d895-41fe-a584-302b1bb70a76": map[uint32]string{ + 100: "Contact Display Business Phone Numbers", + }, + "364b6fa9-37ab-482a-be2b-ae02f60d4318": map[uint32]string{ + 100: "Image Compressed Bits Per Pixel", + }, + "37ebd11f-7e72-4ebc-9d4c-c790f8c277c2": map[uint32]string{ + 2: "Device Interface Spb Controller Friendly Name", + }, + "38965063-edc8-4268-8491-b7723172cf29": map[uint32]string{ + 100: "Contact Email Address 2", + }, + "38d43380-d418-4830-84d5-46935a81c5c6": map[uint32]string{ + 32: "Security Allowed Enterprise Data Protection Identities", + }, + "39a7f922-477c-48de-8bc8-b28441e342e3": map[uint32]string{ + 100: "Project", + }, + "39b77f4f-a104-4863-b395-2db2ad8f7bc1": map[uint32]string{ + 100: "Contact Connected Service Display Name", + }, + "3a372292-7fca-49a7-99d5-e47bb2d4e7ab": map[uint32]string{ + 100: "GPS Dest Latitude Denominator", + }, + "3b2ce006-5e61-4fde-bab8-9b8aac9b26df": map[uint32]string{ + 5: "Devices Aep Protocol Id", + 8: "Devices Aep Id", + }, + "3c8cee58-d4f0-4cf9-b756-4e5d24447bcd": map[uint32]string{ + 100: "Contact Gender", + 101: "Contact Gender Value", + }, + "3d658d4d-bc38-464a-b555-418d554a8df8": map[uint32]string{ + 100: "Fonts Description", + }, + "3d75e4f5-a391-4952-81f7-c7072fe53025": map[uint32]string{ + 100: "File Reparse Point Tag", + }, + "3f08e66f-2f44-4bb9-a682-ac35d2562322": map[uint32]string{ + 100: "Image Compression Text", + }, + "3f5d9b45-5e9f-4d5c-8a5e-403181bf177b": map[uint32]string{ + 2: "Extensions 
Type", + 3: "Extensions Date Last Used", + 4: "Extensions Used Count", + 5: "Extensions Blocked Count", + 6: "Extensions CLSID", + 7: "Extensions Status", + 8: "Check State", + 9: "Extensions Suspect", + 10: "Extensions File Name", + 11: "Extensions File Path", + 12: "Extensions Flags", + }, + "3f8472b5-e0af-4db2-8071-c53fe76ae7ce": map[uint32]string{ + 100: "Due Date", + }, + "402b5934-ec5a-48c3-93e6-85e86a2d934e": map[uint32]string{ + 100: "Contact Business Address City", + }, + "41cf5ae0-f75a-4806-bd87-59c7d9248eb9": map[uint32]string{ + 100: "File Name", + }, + "425d69e5-48ad-4900-8d80-6eb6b8d0ac86": map[uint32]string{ + 100: "GPS Dest Longitude Denominator", + }, + "428040ac-a177-4c8a-9760-f6f761227f9a": map[uint32]string{ + 100: "Communication Date Item Expires", + }, + "42864dfd-9da4-4f77-bded-4aad7b256735": map[uint32]string{ + 100: "Photo Gain Control Denominator", + }, + "4340a6c5-93fa-4706-972c-7b648008a5a7": map[uint32]string{ + 8: "Devices Parent", + 9: "Devices Children", + }, + "436f2667-14e2-4feb-b30a-146c53b5b674": map[uint32]string{ + 100: "Link Arguments", + }, + "43f8d7b7-a444-4f87-9383-52271c9b915c": map[uint32]string{ + 100: "DateArchived", + }, + "446f787f-10c4-41cb-a6c4-4d0343551597": map[uint32]string{ + 100: "Contact Business Address State", + }, + "4530d076-b598-4a81-8813-9b11286ef6ea": map[uint32]string{ + 2: "Fonts Font Embeddability", + 5: "Fonts Type", + 7: "Fonts File Names", + }, + "4596208c-32fa-41d2-9695-af0cb9e8dcfe": map[uint32]string{ + 100: "Stack Thumbnail Cache Ids", + }, + "45eae747-8e2a-40ae-8cbf-ca52aba6152a": map[uint32]string{ + 100: "Flag Color Text", + }, + "4679c1b5-844d-4590-baf5-f322231f1b81": map[uint32]string{ + 100: "GPS Longitude Decimal", + }, + "467ee575-1f25-4557-ad4e-b8b58b0d9c15": map[uint32]string{ + 100: "GPS Satellites", + }, + "4684fe97-8765-4842-9c13-f006447b178c": map[uint32]string{ + 100: "Recorded TV Original Broadcast Date", + }, + "46ac629d-75ea-4515-867f-6dc4321c5844": map[uint32]string{ + 100: 
"GPS Altitude Ref", + }, + "46b4e8de-cdb2-440d-885c-1658eb65b914": map[uint32]string{ + 100: "Note Color Text", + }, + "47166b16-364f-4aa0-9f31-e2ab3df449c3": map[uint32]string{ + 100: "GPS DOP Numerator", + }, + "4776cafa-bce4-4cb1-a23e-265e76d8eb11": map[uint32]string{ + 100: "Note Color", + }, + "47a96261-cb4c-4807-8ad3-40b9d9dbc6bc": map[uint32]string{ + 100: "GPS DestLongitude", + }, + "48fd6ec8-8a12-4cdf-a03e-4ec5a511edde": map[uint32]string{ + 100: "Start Date", + }, + "49237325-a95a-4f67-b211-816b2d45d2e0": map[uint32]string{ + 100: "Photo Saturation", + }, + "49691c90-7e17-101a-a91c-08002b2ecda9": map[uint32]string{ + 2: "Search Results Rank", + 3: "Search Rank", + 4: "Search Hit Count", + 5: "Search Entry Id", + 8: "Search Reverse File Name", + 9: "Item Url", + 10: "Content Url", + 15: "Search Row Id", + 21: "Search Query Property Hits", + 22: "Search Completion", + 28: "Search Result Set Aggregate Attributes", + }, + "49753869-849c-4323-a41f-26d73f28b53b": map[uint32]string{ + 100: "Fonts Vendors", + }, + "49cd1f76-5626-4b17-a4e8-18b4aa1a2213": map[uint32]string{ + 2: "Devices Signal Strength", + 3: "Devices Text Messages", + 4: "Devices New Pictures", + 5: "Devices Missed Calls", + 6: "Devices Voicemail", + 7: "Devices Network Name", + 8: "Devices Network Type", + 9: "Devices Roaming", + 10: "Devices Battery Life", + 11: "Devices Charging State", + 12: "Devices Storage Capacity", + 13: "Devices Storage Free Space", + 14: "Devices Storage Free Space Percent", + 22: "Devices Battery Plus Charging", + 23: "Devices Battery Plus Charging Text", + }, + "49d1091f-082e-493f-b23f-d2308aa9668c": map[uint32]string{ + 100: "PropList Non Personal", + }, + "49eb6558-c09c-46dc-8668-1f848c290d0b": map[uint32]string{ + 1: "Shell Exclusion", + 3: "Shell Item Offline Status", + }, + "4ac903f8-e780-4e4b-b7b8-4d00a99804fc": map[uint32]string{ + 100: "Home Group Sharing Status", + }, + "4b486401-5468-4381-9b5a-42df4cb49f53": map[uint32]string{ + 100: "Fonts Category", + }, + 
"4bd13b3d-e68b-44ec-89ee-7611789d4070": map[uint32]string{ + 100: "Start Menu Group", + 101: "Start Menu Run Command", + 102: "Start Menu Query", + 103: "Start Menu Group Item", + 104: "Start Menu Include In Scope", + 105: "Start Menu Result Source Id", + }, + "4c6bf15c-4c03-4aac-91f5-64c0f852bcf4": map[uint32]string{ + 2: "Device Interface Serial Usb Vendor Id", + 3: "Device Interface Serial Usb Product Id", + 4: "Device Interface Serial Port Name", + }, + "4d1ebee8-0803-4774-9842-b77db50265e9": map[uint32]string{ + 2: "Storage Portable", + 3: "Storage Removable Media", + 4: "Storage System Critical", + }, + "4e9cfc01-5d36-406a-83cd-4e7423923604": map[uint32]string{ + 2: "Offline Sync Time", + }, + "4f289a46-2bbb-4ae8-9eda-e5e034707a71": map[uint32]string{ + 2: "Lzh Folder Compressed Size", + 3: "Lzh Folder CRC16", + 4: "Lzh Folder Method", + 5: "Lzh Folder Ratio", + }, + "4fffe4d0-914f-4ac4-8d6f-c9c61de169b1": map[uint32]string{ + 100: "Photo Focal Plane Y Resolution", + }, + "502cfeab-47eb-459c-b960-e6d8728f7701": map[uint32]string{ + 100: "Zone Identifier", + 101: "Last Writer Package Family Name", + 102: "App Zone Identifier", + }, + "5068bcdf-d697-4d85-8c53-1f1cdab01763": map[uint32]string{ + 100: "Contact Display Home Phone Numbers", + }, + "508161fa-313b-43d5-83a1-c1accf68622c": map[uint32]string{ + 100: "Contact Other Address", + }, + "51236583-0c4a-4fe8-b81f-166aec13f510": map[uint32]string{ + 100: "Devices App Package Family Name", + 123: "Devices Glyph Icon", + }, + "51ec3f47-dd50-421d-8769-334f50424b1e": map[uint32]string{ + 100: "Photo Sharpness Text", + }, + "53da57cf-62c0-45c4-81de-7610bcefd7f5": map[uint32]string{ + 100: "Calendar Show Time As Text", + }, + "540b947e-8b40-45bc-a8a2-6a0b894cbda2": map[uint32]string{ + 5: "Devices Present", + 6: "Devices Device Has Problem", + 9: "Devices Physical Device Location", + }, + "54b3a473-59aa-445b-aecd-77541ba8b7c9": map[uint32]string{ + 2: "User Name", + 3: "User Display Name", + 5: "User Profile Path", + 
}, + "5567bf77-2be2-4222-befa-d0c9c9cc4b6e": map[uint32]string{ + 2: "Velocity Feature Id", + }, + "55e98597-ad16-42e0-b624-21599a199838": map[uint32]string{ + 100: "Photo Exposure Time Denominator", + }, + "560c36c0-503a-11cf-baa1-00004c752a9a": map[uint32]string{ + 2: "Search Auto Summary", + 3: "Search Query Focused Summary", + 4: "Search Query Focused Summary With Fallback", + }, + "56310920-2491-4919-99ce-eadb06fafdb2": map[uint32]string{ + 100: "Contact Business Home Page", + }, + "56a3372e-ce9c-11d2-9f0e-006097c686f6": map[uint32]string{ + 2: "Music Artist", + 4: "Music Album Title", + 5: "Media Year", + 7: "Music Track Number", + 11: "Music Genre", + 12: "Music Lyrics", + 13: "Music Album Artist", + 33: "Music Content Group Description", + 34: "Music Initial Key", + 35: "Music Beats Per Minute", + 36: "Music Conductor", + 37: "Music Part Of Set", + 38: "Media Sub Title", + 39: "Music Mood", + 100: "Music Album Id", + }, + "56c90e9d-9d46-4963-886f-2e1cd9a694ef": map[uint32]string{ + 100: "Contact Home Email Addresses", + }, + "57086c23-86c6-478f-afb2-236188c8f47f": map[uint32]string{ + 2: "Taskbar Tab Active", + 3: "Taskbar Tab List", + }, + "5741cf9c-56fe-485b-8901-4786449e188d": map[uint32]string{ + 100: "Fonts Designed For", + }, + "59569556-0a08-4212-95b9-fae2ad6413db": map[uint32]string{ + 2: "Devices Notifications New Voicemail", + }, + "596fd41b-af9b-4ba8-9b49-33b16f16678c": map[uint32]string{ + 100: "Fonts Styles", + }, + "59d49e61-840f-4aa9-a939-e2099b7f6399": map[uint32]string{ + 100: "GPS Processing Method", + }, + "59dde9f2-5253-40ea-9a8b-479e96c6249a": map[uint32]string{ + 100: "Photo Contrast Text", + }, + "5ab5c75f-15e1-4d65-924a-04754567243c": map[uint32]string{ + 2: "Setting Host Id", + 3: "Setting Setting Id", + 4: "Setting Page Id", + 5: "Setting Group Id", + 6: "Setting Condition", + 7: "Setting Glyph", + 8: "Setting Glyph Rtl", + }, + "5bf396d4-5eb2-466f-bde9-2fb3f2361d6e": map[uint32]string{ + 100: "Calendar Show Time As", + }, + 
"5cbf2787-48cf-4208-b90e-ee5e5d420294": map[uint32]string{ + 1: "History Url Hash", + 2: "Link Target Url", + 3: "Url Scheme", + 4: "Url HostName", + 5: "History Url Extra Info", + 6: "History Code Page", + 7: "History Visit Count", + 8: "History Is History", + 9: "History I sDownload", + 10: "History Download Location", + 11: "History Download Size", + 12: "History Favorite IconKey", + 13: "History Is Favorite", + 14: "History Is Offline Favorite", + 15: "History Is Pinned Favorite", + 16: "History Is Typed Url", + 17: "History Is Top Level", + 18: "History Is Feed", + 19: "History Keywords", + 20: "History User Keywords", + 21: "Link Description", + 22: "History User Description", + 23: "Link Date Visited", + 24: "History Icon Bits", + 25: "Icon Path", + 26: "Icon Index", + 27: "History Icon Date", + 28: "History Points", + 29: "History Sessions", + 33: "History Subscription Cookie", + 34: "History Tracking", + 35: "Link Working Folder Path", + 36: "Link Hot Key", + 37: "Link Show Cmd", + 38: "Link Whats New", + 39: "History Date Changed", + 40: "History Flags", + 41: "History Watch", + 42: "History Favorite Icon Hash", + 43: "Icon Secondary Stream Name", + }, + "5cda5fc8-33ee-4ff3-9094-ae7bd8868c4d": map[uint32]string{ + 100: "Is Deleted", + }, + "5cde9f0e-1de4-4453-96a9-56e8832efa3d": map[uint32]string{ + 1: "Computer Domain Name", + 2: "Computer Workgroup", + }, + "5d76b67f-9b3d-44bb-b6ae-25da4f638a67": map[uint32]string{ + 2: "Is Pinned To Name Space Tree", + 3: "Is Default Save Location", + 4: "Is Search Only Item", + 5: "Is Default Non Owner Save Location", + 6: "Owner SID", + 7: "Is Default Save Location For Display", + 8: "Is Location Supported", + 9: "Library Location Support Status", + 10: "Default Save Location Display", + 11: "Default Save Location Icon Container", + }, + "5da84765-e3ff-4278-86b0-a27967fbdd03": map[uint32]string{ + 100: "Is Flagged", + }, + "5dc2253f-5e11-4adf-9cfe-910dd01e3e70": map[uint32]string{ + 100: "Contact Hobbies", + }, + 
"5f5aff6a-37e5-4780-97ea-80c7565cf535": map[uint32]string{ + 34: "Security Encryption Owners", + }, + "5fbd34cd-561a-412e-ba98-478a6b0fef1d": map[uint32]string{ + 2: "Devices Aep Bluetooth Cod Major", + 3: "Devices Aep Bluetooth Cod Minor", + 4: "Devices Aep Bluetooth Cod Services Limited Discovery", + 5: "Devices Aep Bluetooth Cod Services Positioning", + 6: "Devices Aep Bluetooth Cod Services Networking", + 7: "Devices Aep Bluetooth Cod Services Rendering", + 8: "Devices Aep Bluetooth Cod Services Capturing", + 9: "Devices Aep Bluetooth Cod Services Object Xfer", + 10: "Devices Aep Bluetooth Cod Services Audio", + 11: "Devices Aep Bluetooth Cod Services Telephony", + 12: "Devices Aep Bluetooth Cod Services Information", + }, + "61478c08-b600-4a84-bbe4-e99c45f0a072": map[uint32]string{ + 100: "Photo Saturation Text", + }, + "61872cf7-6b5e-4b4b-ac2d-59da84459248": map[uint32]string{ + 100: "PropGroup Media", + }, + "62d2d9ab-8b64-498d-b865-402d4796f865": map[uint32]string{ + 3: "Location Empty String", + }, + "6336b95e-c7a7-426d-86fd-7ae3d39c84b4": map[uint32]string{ + 100: "Photo White Balance Text", + }, + "635e9051-50a5-4ba2-b9db-4ed056c77296": map[uint32]string{ + 100: "Contact Full Name", + }, + "63c25b20-96be-488f-8788-c09c407ad812": map[uint32]string{ + 100: "Contact Primary Address Street", + }, + "641064ba-9329-47e6-8f36-5fa81aa461a0": map[uint32]string{ + 2: "OneNote Page Edit History", + 3: "OneNote Tagged Notes", + 4: "OneNote Linked Note Uri", + }, + "6444048f-4c8b-11d1-8b70-080036b11a03": map[uint32]string{ + 3: "Image Horizontal Size", + 4: "Image Vertical Size", + 5: "Image Horizontal Resolution", + 6: "Image Vertical Resolution", + 7: "Image Bit Depth", + 12: "Media Frame Count", + 13: "Image Dimensions", + }, + "64440490-4c8b-11d1-8b70-080036b11a03": map[uint32]string{ + 2: "Audio Format", + 3: "Media Duration", + 4: "Audio Encoding Bitrate", + 5: "Audio Sample Rate", + 6: "Audio Sample Size", + 7: "Audio Channel Count", + 8: "Audio Stream 
Number", + 9: "Audio Stream Name", + 10: "Audio Compression", + }, + "64440491-4c8b-11d1-8b70-080036b11a03": map[uint32]string{ + 2: "Video Stream Name", + 3: "Video Frame Width", + 4: "Video Frame Height", + 6: "Video Frame Rate", + 8: "Video Encoding Bitrate", + 9: "Video Sample Size", + 10: "Video Compression", + 11: "Video Stream Number", + 42: "Video Horizontal Aspect Ratio", + 43: "Video Total Bitrate", + 44: "Video Four CC", + 45: "Video Vertical Aspect Ratio", + 46: "Video Transcoded For Sync", + 98: "Video Is Stereo", + 99: "Video Orientation", + 100: "Video Is Spherical", + }, + "64440492-4c8b-11d1-8b70-080036b11a03": map[uint32]string{ + 7: "Media Status", + 9: "Rating", + 11: "Copyright", + 12: "Share User Rating", + 13: "Media Class Primary Id", + 14: "Media Class Secondary Id", + 15: "Media DVDID", + 16: "Media MCDI", + 17: "Media Metadata Content Provider", + 18: "Media Content Distributor", + 19: "Music Composer", + 20: "Video Director", + 21: "Parental Rating", + 22: "Media Producer", + 23: "Media Writer", + 24: "Media Collection Group Id", + 25: "Media Collection Id", + 26: "Media Content Id", + 27: "Media Creator Application", + 28: "Media Creator Application Version", + 30: "Media Publisher", + 31: "Music Period", + 32: "Media Author Url", + 33: "Media Promotion Url", + 34: "Media User Web Url", + 35: "Media Unique File Identifier", + 36: "Media Encoded By", + 37: "Media Encoding Settings", + 38: "Media Protection Type", + 39: "Media Provider Rating", + 40: "Media Provider Style", + 41: "Media User No Auto Info", + 42: "Media Series Name", + 47: "Media Thumbnail Large Path", + 48: "Media Thumbnail Large Uri", + 49: "Media ThumbnailSmallPath", + 50: "Media Thumbnail Small Uri", + 100: "Media Episode Number", + 101: "Media Season Number", + }, + "644d37b4-e1b3-4bad-b099-7e7c04966aca": map[uint32]string{ + 100: "Contact Email Address3", + }, + "656a3bb3-ecc0-43fd-8477-4ae0404a96cd": map[uint32]string{ + 8192: "Devices Manufacturer", + 8194: 
"Devices Model Name", + 8195: "Devices Model Number", + 8198: "Devices Presentation Url", + 12288: "Devices Friendly Name", + 12297: "Devices Ip Address", + 16384: "Devices Service Address", + 16385: "Devices Service Id", + }, + "65a98875-3c80-40ab-abbc-efdaf77dbee2": map[uint32]string{ + 100: "Acquisition Id", + }, + "660e04d6-81ab-4977-a09f-82313113ab26": map[uint32]string{ + 100: "Contact Home Fax Number", + }, + "6614ef48-4efe-4424-9eda-c79f404edf3e": map[uint32]string{ + 2: "Devices Notifications Missed Call", + }, + "668cdfa5-7a1b-4323-ae4b-e527393a1d81": map[uint32]string{ + 100: "Source Item", + }, + "67df94de-0ca7-4d6f-b792-053a3e4f03cf": map[uint32]string{ + 100: "Flag Color", + }, + "6845cc72-1b71-48c3-af86-b09171a19b14": map[uint32]string{ + 3: "Devices Dial Protocol Installed Applications", + }, + "68dd6094-7216-40f1-a029-43fe7127043f": map[uint32]string{ + 100: "PropGroup Music", + }, + "6a15e5a0-0a1e-4cd7-bb8c-d2f1b0c929bc": map[uint32]string{ + 100: "Contact Business Telephone", + }, + "6af55d45-38db-4495-acb0-d4728a3b8314": map[uint32]string{ + 2: "Devices AepContainer Supports Audio", + 3: "Devices AepContainer Supports Video", + 4: "Devices AepContainer Supports Images", + 5: "Devices AepContainer Supported Uri Schemes", + 6: "Devices AepContainer Dial Protocol Installed Applications", + 7: "Devices AepContainer Supports Limited Discovery", + 8: "Devices AepContainer Supports Positioning", + 9: "Devices AepContainer Supports Networking", + 10: "Devices AepContainer Supports Rendering", + 11: "Devices AepContainer Supports Capturing", + 12: "Devices AepContainer Supports Object Transfer", + 13: "Devices AepContainer Supports Telephony", + 14: "Devices AepContainer Supports Information", + }, + "6afe7437-9bcd-49c7-80fe-4a5c65fa5874": map[uint32]string{ + 104: "Music Disc Number", + }, + "6b223b6a-162e-4aa9-b39f-05d678fc6d77": map[uint32]string{ + 100: "Music Synchronized Lyrics", + }, + "6b8b68f6-200b-47ea-8d25-d8050f57339f": map[uint32]string{ + 
100: "Photo Flash Text", + }, + "6b8da074-3b5c-43bc-886f-0a2cdce00b6f": map[uint32]string{ + 100: "Item Name", + }, + "6bdd1fc6-810f-11d0-bec7-08002be2092f": map[uint32]string{ + 2: "Devices Wia Device Type", + }, + "6ccd0131-c397-4744-b2d8-d2c13f457026": map[uint32]string{ + 80: "Game Type", + }, + "6d217f6d-3f6a-4825-b470-5f03ca2fbe9b": map[uint32]string{ + 100: "Photo Program Mode", + }, + "6d24888f-4718-4bda-afed-ea0fb4386cd8": map[uint32]string{ + 100: "Offline Status", + }, + "6d6d5d49-265d-4688-9f4e-1fdd33e7cc83": map[uint32]string{ + 100: "Identity Internet Sid", + }, + "6d748de2-8d38-4cc3-ac60-f009b057c557": map[uint32]string{ + 2: "RecordedTV Episode Name", + 3: "RecordedTV Program Description", + 4: "RecordedTV Credits", + 5: "RecordedTV Station Call Sign", + 7: "RecordedTV Channe' Number", + 10: "RecordedTV Video Quality", + 12: "RecordedTV Is Closed Captioning Available", + 13: "RecordedTV Is Repeat Broadcast", + 14: "RecordedTV Is SAP", + 15: "RecordedTV Date Content Expires", + 16: "RecordedTV Is ATSC Content", + 17: "RecordedTV Is DTV Content", + 18: "RecordedTV Is HD Content", + }, + "6e682923-7f7b-4f0c-a337-cfca296687bf": map[uint32]string{ + 100: "Contact Other Address City", + }, + "6ebe6946-2321-440a-90f0-c043efd32476": map[uint32]string{ + 100: "Photo Brightness Denominator", + }, + "6fa20de6-d11c-4d9d-a154-64317628c12d": map[uint32]string{ + 100: "Expand oProperties", + }, + "702926f4-44a6-43e1-ae71-45627116893b": map[uint32]string{ + 100: "GPS Track Numerator", + }, + "7036dcfc-69ab-4316-b5ac-50de702447b0": map[uint32]string{ + 102: "Structured Query Before", + 103: "Structured Query After", + 104: "Structured Query File", + 105: "Structured Query Custom Property Boolean", + 106: "Structured Query Custom Property Integer", + 107: "Structured Query Custom Property Floating Point", + 108: "Structured Query Custom Property String", + 109: "Structured Query Custom Property DateTime", + 110: "Structured Query Has", + 111: "Structured Query Is", + 
112: "Structured Query Null", + }, + "705ccb0f-5a0d-41ea-b2ca-2c9b5cc7db41": map[uint32]string{ + 100: "Verb Restrictions", + }, + "705d8364-7547-468c-8c88-84860bcbed4c": map[uint32]string{ + 2: "SAM Name", + 3: "SAM Version", + 4: "SAM Date Changed", + 5: "SAM Password Last Set", + 6: "SAM Date Account Expires", + 7: "SAM Password Can Change", + 8: "SAM Password Must Change", + 9: "SAM Full Name", + 10: "SAM Home Directory", + 11: "SAM Home Directory Drive", + 12: "SAM Script Path", + 13: "SAM Profile Path", + 14: "SAM Admin Comment", + 15: "SAM Workstations", + 16: "SAM User Comment", + 17: "SAM Password", + 18: "SAM Security Id", + 19: "SAM User Account Control", + 20: "SAM Logon Hours", + 21: "SAM Country Code", + 22: "SAM Code Page", + 23: "SAM Password Expired", + 24: "SAM User Picture", + 25: "SAM Password Hint", + 26: "SAM Domain", + 31: "SAM Groups", + 32: "SAM Type", + 36: "SAM Interactive Login", + 37: "SAM Network Login", + 38: "SAM Batch Login", + 39: "SAM Service Login", + 40: "SAM Remote Interactive Login", + 41: "SAM Deny Interactive Login", + 42: "SAM Deny Network Login", + 43: "SAM Deny Batch Login", + 44: "SAM Deny Service Login", + 45: "SAM Deny Remote Interactive Login", + 46: "SAM Dont Show In Logon UI", + 47: "SAM Shell Admin Object Props", + 50: "SAM Password Is Empty", + 102: "SAM Group Members", + 103: "SAM Residual Id", + 200: "LOGON LU Id", + 201: "LOGON Authentication Package", + 202: "LOGON TS Session", + 203: "LOGON Logon Time", + 204: "LOGON Logon Server", + 205: "LOGON Dns Domain Name", + 206: "LOGON UPN", + 207: "LOGON Client Name", + 208: "LOGON WinS tation Name", + 209: "LOGON Status", + 500: "PROFILE Path", + 501: "PROFILE GUID", + }, + "71724756-3e74-4432-9b59-e7b2f668a593": map[uint32]string{ + 2: "Devices AepService Friendly Name", + 3: "Devices AepService Service Class Id", + 4: "Devices AepService Container Id", + }, + "71b377d6-e570-425f-a170-809fae73e54e": map[uint32]string{ + 100: "Contact Other Address State", + }, + 
"720eb626-dbe4-4113-835c-9315e1e2ff77": map[uint32]string{ + 2: "Actions Action Name", + 3: "Actions Activation Context", + }, + "7268af55-1ce4-4f6e-a41f-b6e4ef10e4a9": map[uint32]string{ + 100: "Contact Profession", + }, + "72fab781-acda-43e5-b155-b2434f85e678": map[uint32]string{ + 100: "Date Completed", + }, + "72fc5ba4-24f9-4011-9f3f-add27afad818": map[uint32]string{ + 100: "Calendar Reminder Time", + }, + "730fb6dd-cf7c-426b-a03f-bd166cc9ee24": map[uint32]string{ + 100: "Contact Business Address", + }, + "73389854-0b42-4ea6-bc67-847d430899fd": map[uint32]string{ + 2: "Connected Search Require Template", + }, + "733cb147-8b1f-4c48-9966-192fde353c75": map[uint32]string{ + 100: "Music Stack Thumbnail Cache Ids", + }, + "738bf284-1d87-420b-92cf-5834bf6ef9ed": map[uint32]string{ + 100: "Photo Exposure Bias Numerator", + }, + "744c8242-4df5-456c-ab9e-014efb9021e3": map[uint32]string{ + 100: "Calendar Organizer Address", + }, + "745baf0e-e5c1-4cfb-8a1b-d031a0a52393": map[uint32]string{ + 100: "Photo Digital Zoom Denominator", + }, + "74a7de49-fa11-4d3d-a006-db7e08675916": map[uint32]string{ + 100: "Identity Provider Id", + }, + "75ee72ae-7d5f-482f-9487-f1c46ca819c1": map[uint32]string{ + 100: "Camera Roll Deduplication Id", + }, + "76c09943-7c33-49e3-9e7e-cdba872cfada": map[uint32]string{ + 100: "GPS Track", + }, + "776b6b3b-1e3d-4b0c-9a0e-8fbaf2a8492a": map[uint32]string{ + 100: "Photo Focal Lengt hNumerator", + }, + "78342dcb-e358-4145-ae9a-6bfe4e0f9f51": map[uint32]string{ + 100: "GPS Altitude Denominator", + }, + "78c34fc8-104a-4aca-9ea4-524d52996e57": map[uint32]string{ + 52: "Devices Discovery Method", + 55: "Devices Connected", + 56: "Devices Paired", + 57: "Devices Icon", + 70: "Devices Local Machine", + 71: "Devices Metadata Path", + 77: "Devices Launch Device Stage From Explorer", + 81: "Devices Device Description1", + 82: "Devices Device Description2", + 83: "Devices NotWorking Properly", + 84: "Devices Is Shared", + 85: "Devices Is Network Connected", + 
86: "Devices Is Default", + 90: "Devices Category Ids", + 91: "Devices Category", + 92: "Devices Category Plural", + 94: "Devices Category Group", + 256: "Devices Device Instance Id", + }, + "79486778-4c6f-4dde-bc53-cd594311af99": map[uint32]string{ + 2: "Connected Search Local Weights", + }, + "79d94e82-4d79-45aa-821a-74858b4e4ca6": map[uint32]string{ + 2: "Devices AepService IoT Service Interfaces", + }, + "7a55582b-bd8c-4475-b94c-b87a388a7899": map[uint32]string{ + 100: "Status Icons", + }, + "7a7d76f4-b630-4bd7-95ff-37cc51a975c9": map[uint32]string{ + 2: "Link Target Extension", + }, + "7abcf4f8-7c3f-4988-ac91-8d2c2e97eca5": map[uint32]string{ + 100: "GPS Dest Bearing Denominator", + }, + "7b9f6399-0a3f-4b12-89bd-4adc51c918af": map[uint32]string{ + 100: "Contact Home Address Post Office Box", + }, + "7ba3535d-69aa-4525-a938-f3ec79485377": map[uint32]string{ + 2: "SAM Allowed Logon", + 3: "SAM Dont Enumerate For Logon", + }, + "7bd5533e-af15-44db-b8c8-bd6624e1d032": map[uint32]string{ + 2: "Sync Handler CollectionId", + 3: "Sync Handler Id", + 4: "Sync Event Description", + 5: "Sync Progress", + 6: "Sync Item Id", + 7: "Sync Date Synchronized", + 8: "Sync Handler Type", + 9: "Sync Handler Type Label", + 10: "Sync Status", + 11: "Sync Conflict Count", + 12: "Sync Error Count", + 13: "Sync Comments", + 14: "Sync Enabled", + 15: "Sync Hidden", + 16: "Sync Connected", + 17: "Sync Link", + 19: "Sync Context", + 20: "Sync Event Level", + 21: "Sync Event Flags", + 22: "Sync Sync Results", + 23: "Sync Progress Percentage", + 24: "Sync State", + 25: "Sync Item State", + 26: "Sync Item Status Text", + 27: "Sync Item Status Description", + 28: "Sync Item Status Action", + 29: "Sync Global Activity Message", + 30: "Sync Last Synced Message", + }, + "7d122d5a-ae5e-4335-8841-d71e7ce72f53": map[uint32]string{ + 100: "GPS Speed Denominator", + }, + "7d683fc9-d155-45a8-bb1f-89d19bcb792f": map[uint32]string{ + 100: "Identity Display Name", + }, + 
"7ddaaad1-ccc8-41ae-b750-b2cb8031aea2": map[uint32]string{ + 100: "GPS Latitude Numerator", + }, + "7fd7259d-16b4-4135-9f97-7c96ecd2fa9e": map[uint32]string{ + 100: "PropGroup Message", + }, + "7fe3aa27-2648-42f3-89b0-454e5cb150c3": map[uint32]string{ + 100: "Photo Program Mode Text", + }, + "807b653a-9e91-43ef-8f97-11ce04ee20c5": map[uint32]string{ + 100: "Communication Suffix", + }, + "80d81ea6-7473-4b0c-8216-efc11a2c4c8b": map[uint32]string{ + 2: "Devices Model Id", + }, + "80f41eb8-afc4-4208-aa5f-cce21a627281": map[uint32]string{ + 100: "Contact Connected Service Identities", + }, + "813f4124-34e6-4d17-ab3e-6b1f3c2247a1": map[uint32]string{ + 100: "Photo Maker Note Offset", + }, + "821437d6-9eab-4765-a589-3b1cbbd22a61": map[uint32]string{ + 100: "Photo Photometric Interpretation Text", + }, + "827edb4f-5b73-44a7-891d-fdffabea35ca": map[uint32]string{ + 100: "GPS Altitude", + }, + "83914d1a-c270-48bf-b00d-1c4e451b0150": map[uint32]string{ + 100: "Default Group Order", + }, + "83a6347e-6fe4-4f40-ba9c-c4865240d1f4": map[uint32]string{ + 100: "Communication Followup Icon Index", + }, + "83da6326-97a6-4088-9453-a1923f573b29": map[uint32]string{ + 9: "Devices Is Software Installing", + }, + "847c66de-b8d6-4af9-abc3-6f4f926bc039": map[uint32]string{ + 14: "Device Interface Printer Driver Directory", + }, + "84d8f337-981d-44b3-9615-c7596dba17e3": map[uint32]string{ + 100: "Contact Email Addresses", + }, + "8589e481-6040-473d-b171-7fa89c2708ed": map[uint32]string{ + 100: "Contact Company Main Telephone", + }, + "8619a4b6-9f4d-4429-8c0f-b996ca59e335": map[uint32]string{ + 100: "Communication Security Flags", + }, + "86407db8-9df7-48cd-b986-f999adc19731": map[uint32]string{ + 2: "Share Target Description", + }, + "8727cfff-4868-4ec6-ad5b-81b98521d1ab": map[uint32]string{ + 100: "GPS Latitude", + }, + "880f70a2-6082-47ac-8aab-a739d1a300c3": map[uint32]string{ + 151: "Devices Shared Tooltip", + 152: "Devices Networked Tooltip", + 153: "Devices Default Tooltip", + }, + 
"8859a284-de7e-4642-99ba-d431d044b1ec": map[uint32]string{ + 100: "PropGroup Media Advanced", + }, + "8943b373-388c-4395-b557-bc6dbaffafdb": map[uint32]string{ + 2: "Devices Audio Device Raw Processing Supported", + 3: "Devices Audio Device Microphone Sensitivity In Dbfs", + 4: "Devices Audio Device Microphone Signal To Noise Ratio In Db", + }, + "8969b275-9475-4e00-a887-ff93b8b41e44": map[uint32]string{ + 100: "PropGroup Description", + }, + "897b3694-fe9e-43e6-8066-260f590c0100": map[uint32]string{ + 2: "Contact JA Company Name Phonetic", + 3: "Contact JA First Name Phonetic", + 4: "Contact JA Last Name Phonetic", + }, + "8a2f99f9-3c37-465d-a8d7-69777a246d0c": map[uint32]string{ + 2: "Link Feed Item Local Id", + 5: "Link Target Url Host Name", + 6: "Link Target Url Path", + }, + "8af4961c-f526-43e5-aa81-db768219178d": map[uint32]string{ + 100: "Photo SubjectDistanceNumerator", + }, + "8afcc170-8a46-4b53-9eee-90bae7151e62": map[uint32]string{ + 100: "Contact Home Address Postal Code", + }, + "8b26ea41-058f-43f6-aecc-4035681ce977": map[uint32]string{ + 100: "Contact Other Address Post Office Box", + }, + "8bf6b9f6-b4f5-482f-a2c2-44bdad2fcfa9": map[uint32]string{ + 51: "SAM Account Is Disabled For Logon UI", + }, + "8c3b93a4-baed-1a83-9a32-102ee313f6eb": map[uint32]string{ + 100: "Identity Blob", + }, + "8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c": map[uint32]string{ + 2: "Devices Container Id", + 4: "Devices In Local Machine Container", + }, + "8d72aca1-0716-419a-9ac1-acb07b18dc32": map[uint32]string{ + 2: "File Attributes Display", + }, + "8e531030-b960-4346-ae0d-66bc9a86fb94": map[uint32]string{ + 100: "Communication Direction", + }, + "8e8ecf7c-b7b8-4eb8-a63f-0ee715c96f9e": map[uint32]string{ + 100: "Photo Gain Control Numerator", + }, + "8f167568-0aae-4322-8ed9-6055b7b0e398": map[uint32]string{ + 100: "Contact Other Address Country", + }, + "8f367200-c270-457c-b1d4-e07c5bcd90c7": map[uint32]string{ + 100: "Contact Last Name", + }, + 
"8fdc6dea-b929-412b-ba90-397a257465fe": map[uint32]string{ + 100: "Contact Car Telephone", + }, + "900a403b-097b-4b95-8ae2-071fdaeeb118": map[uint32]string{ + 100: "PropGroup Advanced", + }, + "90197ca7-fd8f-4e8c-9da3-b57e1e609295": map[uint32]string{ + 100: "Rating Text", + }, + "908696c7-8f87-44f2-80ed-a8c1c6894575": map[uint32]string{ + 2: "Library Locations Count", + 4: "Library Locations List", + }, + "9098f33c-9a7d-48a8-8de5-2e1227a64e91": map[uint32]string{ + 100: "Message Proof In Progress", + }, + "90e5e14e-648b-4826-b2aa-acaf790e3513": map[uint32]string{ + 10: "Is Encrypted", + }, + "916d17ac-8a97-48af-85b7-867a88fad542": map[uint32]string{ + 2: "Connected Search Auto Complete", + }, + "91eff6f3-2e27-42ca-933e-7c999fbe310b": map[uint32]string{ + 100: "Contact Business Fax Number", + }, + "93112f89-c28b-492f-8a9d-4be2062cee8a": map[uint32]string{ + 100: "Photo Exposure Index Denominator", + }, + "95beb1fc-326d-4644-b396-cd3ed90e6ddf": map[uint32]string{ + 100: "Journal Entry Type", + }, + "95c656c1-2abf-4148-9ed3-9ec602e3b7cd": map[uint32]string{ + 100: "Contact Other Address Postal Code", + }, + "95e127b5-79cc-4e83-9c9e-8422187b3e0e": map[uint32]string{ + 2: "Device Interface Win Usb Usb Vendor Id", + 3: "Device Interface Win Usb Usb Product Id", + 4: "Device Interface Win Usb Usb Class", + 5: "Device Interface Win Usb Usb Sub Class", + 6: "Device Interface Win Usb Usb Protocol", + 7: "Device Interface Win Usb Device Interface Classes", + }, + "9660c283-fc3a-4a08-a096-eed3aac46da2": map[uint32]string{ + 100: "Contact Data Suppliers", + }, + "967b5af8-995a-46ed-9e11-35b3c5b9782d": map[uint32]string{ + 100: "Photo Exposure Index", + }, + "972e333e-ac7e-49f1-8adf-a70d07a9bcab": map[uint32]string{ + 100: "GPS Area Information", + }, + "9744311e-7951-4b2e-b6f0-ecb293cac119": map[uint32]string{ + 1: "Devices Aep Bluetooth Issue Inquiry", + 2: "Devices Aep Bluetooth Le Active Scanning", + 3: "Devices Aep Bluetooth Le Scan Interval", + 4: "Devices Aep Bluetooth 
Le Scan Window", + 5: "Devices AepService Bluetooth Cache Mode", + 6: "Devices AepService Bluetooth Target Device", + }, + "97b0ad89-df49-49cc-834e-660974fd755b": map[uint32]string{ + 100: "Contact Label", + }, + "98f920d1-51e2-4722-9069-3c4b5cff5165": map[uint32]string{ + 100: "Is Barricade Page", + }, + "98f98354-617a-46b8-8560-5b1b64bf1f89": map[uint32]string{ + 100: "Contact Home Address", + }, + "995ef0b0-7eb3-4a8b-b9ce-068bb3f4af69": map[uint32]string{ + 1: "Devices Aep Bluetooth Le Appearance", + 2: "Devices Aep Bluetooth Le Advertisement", + 3: "Devices Aep Bluetooth Le Scan Response", + 4: "Devices Aep Bluetooth Le Address Type", + 5: "Devices Aep Bluetooth Le Appearance Category", + 6: "Devices Aep Bluetooth Le Appearance Subcategory", + 8: "Devices Aep Bluetooth Le Is Connectable", + }, + "9973d2b5-bfd8-438a-ba94-5349b293181a": map[uint32]string{ + 100: "PropGroup Calendar", + }, + "9a8ebb75-6458-4e82-bacb-35c0095b03bb": map[uint32]string{ + 100: "Photo Transcoded For Sync", + }, + "9a93244d-a7ad-4ff8-9b99-45ee4cc09af6": map[uint32]string{ + 100: "Contact Assistant Telephone", + }, + "9a9bc088-4f6d-469e-9919-e705412040f9": map[uint32]string{ + 100: "Message Is Fwd Or Reply", + }, + "9ab84393-2a0f-4b75-bb22-7279786977cb": map[uint32]string{ + 100: "GPS Dest Bearing Ref", + }, + "9ad5badb-cea7-4470-a03d-b84e51b9949e": map[uint32]string{ + 100: "Contact Anniversary", + }, + "9aebae7a-9644-487d-a92c-657585ed751a": map[uint32]string{ + 100: "Media Subscription Content Id", + }, + "9b174b33-40ff-11d2-a27e-00c04fc30871": map[uint32]string{ + 2: "Recycle Deleted From", + 3: "Recycle Date Deleted", + }, + "9b174b34-40ff-11d2-a27e-00c04fc30871": map[uint32]string{ + 4: "File Owner", + 8: "New Menu Preferred Types", + 10: "New Menu Allowed Types", + }, + "9b174b35-40ff-11d2-a27e-00c04fc30871": map[uint32]string{ + 2: "Free Space", + 3: "Capacity", + 4: "Volume File System", + 5: "Percent Full", + 7: "Computer Decorated FreeSpace", + 10: "Volume Is Root", + }, + 
"9b34bbb9-949c-488d-9a6d-eeb47c847a2f": map[uint32]string{ + 2: "Wireless Profile Name", + 4: "Wireless Security", + 5: "Wireless Radio Type", + 9: "Wireless Connection Mode", + }, + "9bc2c99b-ac71-4127-9d1c-2596d0d7dcb7": map[uint32]string{ + 100: "GPS Dest Distance Denominator", + }, + "9c1fcf74-2d97-41ba-b4ae-cb2e3661a6e4": map[uint32]string{ + 5: "Priority", + 7: "Communication Newsgroup Name", + 8: "Message Has Attachments", + 10: "SAM Account Name", + 13: "Message Type", + 17: "Message Received", + }, + "9cb0c358-9d7a-46b1-b466-dcc6f1a3d93d": map[uint32]string{ + 100: "Contact Display Mobile Phone Numbers", + }, + "9d1d7cc5-5c39-451c-86b3-928e2d18cc47": map[uint32]string{ + 100: "GPS Dest Latitude", + }, + "9d2408b6-3167-422b-82b0-f583b7a7cfe3": map[uint32]string{ + 100: "Contact Spouse Name", + }, + "9e7d118f-b314-45a0-8cfb-d654b917c9e9": map[uint32]string{ + 100: "Photo Brightness Numerator", + }, + "a00742a1-cd8c-4b37-95ab-70755587767a": map[uint32]string{ + 3: "Device Interface Printer Enumeration Flag", + }, + "a015ed5d-aaea-4d58-8a86-3c586920ea0b": map[uint32]string{ + 100: "GPS Measure Mode", + }, + "a06992b3-8caf-4ed7-a547-b259e32ac9fc": map[uint32]string{ + 100: "Search Store", + }, + "a09f084e-ad41-489f-8076-aa5be3082bca": map[uint32]string{ + 100: "Simple Rating", + }, + "a0be94c5-50ba-487b-bd35-0654be8881ed": map[uint32]string{ + 100: "GPS DOP Denominator", + }, + "a0e00ee1-f0c7-4d41-b8e7-26a7bd8d38b0": map[uint32]string{ + 2: "Devices Notifications Storage Full", + 3: "Devices Notifications Storage Full Link Text", + }, + "a0e74609-b84d-4f49-b860-462bd9971f98": map[uint32]string{ + 100: "Photo Focal Length In Film", + }, + "a11c005a-ff95-4785-8617-beaf92399c3c": map[uint32]string{ + 100: "HasLeafContainers", + }, + "a1829ea2-27eb-459e-935d-b2fad7b07762": map[uint32]string{ + 2: "Devices Microphone Array Geometry", + }, + "a19fb7a9-024b-4371-a8bf-4d29c3e4e9c9": map[uint32]string{ + 100: "Contact Connected Service Supported Actions", + }, + 
"a26f4afc-7346-4299-be47-eb1ae613139f": map[uint32]string{ + 16: "Identity Key Provider Name", + 17: "Identity Key Provider Context", + 100: "Identity", + }, + "a2e541c5-4440-4ba8-867e-75cfc06828cd": map[uint32]string{ + 100: "Photo Focal Plane Y Resolution Numerator", + }, + "a3250282-fb6d-48d5-9a89-dbcace75cccf": map[uint32]string{ + 100: "GPS Dest Longitude Numerator", + }, + "a35996ab-11cf-4935-8b61-a6761081ecdf": map[uint32]string{ + 3: "Devices Aep Model Name", + 4: "Devices Aep Model Id", + 5: "Devices Aep Manufacturer", + 6: "Devices Aep Signal Strength", + 7: "Devices Aep Is Connected", + 9: "Devices Aep Is Present", + 12: "Devices Aep Device Address", + 16: "Devices Aep Is Paired", + 17: "Devices Aep Category", + }, + "a399aac7-c265-474e-b073-ffce57721716": map[uint32]string{ + 2: "Devices AepService Bluetooth Service Guid", + }, + "a3b29791-7713-4e1d-bb40-17db85f01831": map[uint32]string{ + 100: "Importance Text", + }, + "a40294ef-d2b1-40ed-9512-dd3853b431f5": map[uint32]string{ + 2: "Connected Search Defer Image Prefetch", + }, + "a4108708-09df-4377-9dfc-6d99986d5a67": map[uint32]string{ + 100: "Identity Is Me Identity", + }, + "a45c254e-df1c-4efd-8020-67d146a850e0": map[uint32]string{ + 3: "Devices Hardware Ids", + 4: "Devices Compatible Ids", + 10: "Devices Class Guid", + 13: "Devices Device Manufacturer", + 17: "Devices Device Capabilities", + 29: "Devices Device Characteristics", + 37: "Devices Location Paths", + }, + "a4790b72-7113-4348-97ea-292bbc1f6770": map[uint32]string{ + 5: "Visio Masters Keywords", + 6: "Visio Masters Details", + }, + "a4aaa5b7-1ad0-445f-811a-0f8f6e67f6b5": map[uint32]string{ + 100: "GPS Img Direction Ref", + }, + "a5477f61-7a82-4eca-9dde-98b69b2479b3": map[uint32]string{ + 100: "Recorded TV Recording Time", + }, + "a63b464f-2ace-4d83-87ae-abaf011cc6ac": map[uint32]string{ + 1720: "Volume BitLocker Can Change Passphrase By Proxy", + }, + "a6744477-c237-475b-a075-54f34498292a": map[uint32]string{ + 100: "Communication Task 
Status Text", + }, + "a6f360d2-55f9-48de-b909-620e090a647c": map[uint32]string{ + 100: "Is Flagged Complete", + }, + "a7b6f596-d678-4bc1-b05f-0203d27e8aa1": map[uint32]string{ + 101: "Contact Home Address1 Street", + 102: "Contact Home Address1 Locality", + 103: "Contact Home Address1 Region", + 104: "Contact Home Address1 Country", + 105: "Contact Home Address1 Postal Code", + 106: "Contact Home Address2 Street", + 107: "Contact Home Address2 Locality", + 108: "Contact Home Address2 Region", + 109: "Contact Home Address2 Country", + 110: "Contact Home Address2 Postal Code", + 111: "Contact Home Address3 Street", + 112: "Contact Home Address3 Locality", + 113: "Contact Home Address3 Region", + 114: "Contact Home Address3 Country", + 115: "Contact Home Address3 Postal Code", + 116: "Contact Business Address1 Street", + 117: "Contact Business Address1 Locality", + 118: "Contact Business Address1 Region", + 119: "Contact Business Address1 Country", + 120: "Contact Business Address1 Postal Code", + 121: "Contact Business Address2 Street", + 122: "Contact Business Address2 Locality", + 123: "Contact Business Address2 Region", + 124: "Contact Business Address2 Country", + 125: "Contact Business Address2 Postal Code", + 126: "Contact Business Address3 Street", + 127: "Contact Business Address3 Locality", + 128: "Contact Business Address3 Region", + 129: "Contact Business Address3 Country", + 130: "Contact Business Address3 Postal Code", + 131: "Contact Other Address1 Street", + 132: "Contact Other Address1 Locality", + 133: "Contact Other Address1 Region", + 134: "Contact Other Address1 Country", + 135: "Contact Other Address1 Postal Code", + 136: "Contact Other Address2 Street", + 137: "Contact Other Address2 Locality", + 138: "Contact Other Address2 Region", + 139: "Contact Other Address2 Country", + 140: "Contact Other Address2 Postal Code", + 141: "Contact Other Address3 Street", + 142: "Contact Other Address3 Locality", + 143: "Contact Other Address3 Region", + 144: 
"Contact Other Address3 Country", + 145: "Contact Other Address3 Postal Code", + }, + "a7fe0840-1344-46f0-8d37-52ed712a4bf9": map[uint32]string{ + 100: "Parental Ratings Organization", + }, + "a82d9ee7-ca67-4312-965e-226bcea85023": map[uint32]string{ + 100: "Message Flags", + }, + "a8a74b92-361b-4e9a-b722-7c4a7330a312": map[uint32]string{ + 100: "Identity Provider Data", + }, + "a8a7a412-1927-4a34-b1d4-45f67cc672fb": map[uint32]string{ + 2: "Connected Search Referrer Id", + }, + "a93eae04-6804-4f24-ac81-09b266452118": map[uint32]string{ + 100: "GPS Dest Distance", + }, + "a94688b6-7d9f-4570-a648-e3dfc0ab2b3f": map[uint32]string{ + 100: "Offline Availability", + }, + "a9ea193c-c511-498a-a06b-58e2776dcc28": map[uint32]string{ + 100: "Photo Orientation Text", + }, + "aaa660f9-9865-458e-b484-01bc7fe3973e": map[uint32]string{ + 100: "Calendar Organizer Name", + }, + "aabaf6c9-e0c5-4719-8585-57b103e584fe": map[uint32]string{ + 100: "Photo Flash Manufacturer", + }, + "aaf16bac-2b55-45e6-9f6d-415eb94910df": map[uint32]string{ + 100: "Contact TTY TDD Telephone", + }, + "aaf4ee25-bd3b-4dd7-bfc4-47f77bb00f6d": map[uint32]string{ + 100: "GPS Differential", + }, + "ab205e50-04b7-461c-a18c-2f233836e627": map[uint32]string{ + 100: "Photo Exposure Bias Denominator", + }, + "acc9ce3d-c213-4942-8b48-6d0820f21c6d": map[uint32]string{ + 100: "GPS Speed Numerator", + }, + "ad763ac7-f1ed-4039-9fb4-b7b84ef33cef": map[uint32]string{ + 2: "Search Provider Attributes", + }, + "aeac19e4-89ae-4508-b9b7-bb867abee2ed": map[uint32]string{ + 2: "DRM Is Protected", + 3: "DRM Description", + 4: "DRM Play Count", + 5: "DRM Date Play Starts", + 6: "DRM Date Play Expires", + 7: "DRM Is Disabled", + }, + "afc47170-14f5-498c-8f30-b0d19be449c6": map[uint32]string{ + 11: "DeviceInterface Printer Driver Name", + }, + "afd97640-86a3-4210-b67c-289c41aabe55": map[uint32]string{ + 2: "Devices Safe Removal Required", + }, + "b0b87314-fcf6-4feb-8dff-a50da6af561c": map[uint32]string{ + 100: "Contact Business 
Address Country", + }, + "b180ad60-ed3f-4d16-bd43-f5b4fcf325a9": map[uint32]string{ + 2: "Sync Conflict ItemS hort Location", + 3: "Sync Conflict Item Full Location", + }, + "b2f9b9d6-fec4-4dd5-94d7-8957488c807b": map[uint32]string{ + 2: "File Placeholder Status", + 3: "Storage Provider File Identifier", + 4: "Storage Provider File Version", + 5: "Storage Provider File Checksum", + 6: "Storage Provider File Version Waterline", + 7: "Storage Provider Caller Version Information", + }, + "b33af30b-f552-4584-936c-cb93e5cda29f": map[uint32]string{ + 100: "Calendar Required Attendee Names", + }, + "b5c84c9e-5927-46b5-a3cc-933c21b78469": map[uint32]string{ + 100: "Contact Connected Service Name", + }, + "b769d0fe-bc33-421a-8ce6-45add82ec756": map[uint32]string{ + 2: "Connected Search Suppress Local Hero", + }, + "b771b352-8692-42e6-ac33-cc7b062ad950": map[uint32]string{ + 100: "Game Win SPR Recommended", + }, + "b7b4d61c-5a64-4187-a52e-b1539f359099": map[uint32]string{ + 2: "Devices Win Phone8 Camera Flags", + }, + "b812f15d-c2d8-4bbf-bacd-79744346113f": map[uint32]string{ + 100: "Photo Tag View Aggregate", + }, + "b96eff7b-35ca-4a35-8607-29e3a54c46ea": map[uint32]string{ + 100: "Identity Provider Name", + }, + "b9b4b3fc-2b51-4a42-b5d8-324146afcf25": map[uint32]string{ + 2: "Link Target Parsing Path", + 3: "Link Status", + 5: "Link Comment", + 6: "Item After", + 8: "Link Target SFGAO Flags", + }, + "ba3b1da9-86ee-4b5d-a2a4-a271a429f0cf": map[uint32]string{ + 100: "GPS Dest Bearing Numerator", + }, + "bb44403b-1399-4650-95eb-03c53a57c2cf": map[uint32]string{ + 60: "Game Int Update Status", + }, + "bc4e71ce-17f9-48d5-bee9-021df0ea5409": map[uint32]string{ + 100: "Contact Business Address Post Office Box", + }, + "bccc8a3c-8cef-42e5-9b1c-c69079398bc7": map[uint32]string{ + 100: "Message To Do Title", + }, + "bceee283-35df-4d53-826a-f36a3eefc6be": map[uint32]string{ + 100: "Search Container Hash", + }, + "be1a72c6-9a1d-46b7-afe7-afaf8cef4999": map[uint32]string{ + 100: 
"Communication Task Status", + }, + "be6e176c-4534-4d2c-ace5-31dedac1606b": map[uint32]string{ + 100: "GPS Longitude Denominator", + }, + "bebe0920-7671-4c54-a3eb-49fddfc191ee": map[uint32]string{ + 100: "PropGroup Video", + }, + "bf53d1c3-49e0-4f7f-8567-5a821d8ac542": map[uint32]string{ + 100: "Contact Callback Telephone", + }, + "bf79c0ab-bb74-4cee-b070-470b5ae202ea": map[uint32]string{ + 2: "Devices Dnssd Service Name", + 3: "Devices Dnssd Domain", + 4: "Devices Dnssd Instance Name", + 5: "Devices Dnssd Full Name", + 6: "Devices Dnssd Text Attributes", + 7: "Devices Dnssd Host Name", + 8: "Devices Dnssd Weight", + 9: "Devices Dnssd Priority", + 10: "Devices Dnssd Ttl", + 11: "Devices Dnssd Network Adapte rId", + 12: "Devices Dnssd Port Number", + }, + "bfee9149-e3e2-49a7-a862-c05988145cec": map[uint32]string{ + 100: "Calendar Is Online", + }, + "c06238b2-0bf9-4279-a723-25856715cb9d": map[uint32]string{ + 100: "Photo Gain Control Text", + }, + "c0ac206a-827e-4650-95ae-77e2bb74fcc9": map[uint32]string{ + 100: "Contact Mailing Address", + }, + "c107e191-a459-44c5-9ae6-b952ad4b906d": map[uint32]string{ + 100: "Photo Max Aperture Numerator", + }, + "c2ea046e-033c-4e91-bd5b-d4942f6bbe49": map[uint32]string{ + 2: "Creator App Id", + 3: "Creator Open With UI Options", + }, + "c4322503-78ca-49c6-9acc-a68e2afd7b6b": map[uint32]string{ + 100: "Identity User Name", + }, + "c449d5cb-9ea4-4809-82e8-af9d59ded6d1": map[uint32]string{ + 100: "Music Is Compilation", + }, + "c4c07f2b-8524-4e66-ae3a-a6235f103beb": map[uint32]string{ + 2: "Devices Notifications Low Battery", + }, + "c4c4dbb2-b593-466b-bbda-d03d27d5e43a": map[uint32]string{ + 100: "GPS Longitude", + }, + "c5043536-932e-219e-5fb9-1c2807d7b03e": map[uint32]string{ + 600: "Activity App Display Name", + 601: "Activity App Image Uri", + 602: "Activity Background Color", + 603: "Activity Content Image Uri", + 604: "Activity Content Uri", + 605: "Activity Description", + 606: "Activity Display Text", + 607: "Activity 
Tilexml", + 608: "Activity History Active Days", + 609: "Activity History Active Duration", + 610: "Activity History Active Hours", + 611: "Activity History App Activity Id", + 612: "Activity History App Id", + 613: "Activity History Device Display Name", + 614: "Activity History Device Id", + 615: "Activity History Display Text", + 616: "Activity History End Time", + 617: "Activity History Id", + 618: "Activity History Start Time", + 619: "Activity History Type", + 620: "Activity Activity Id", + }, + "c53e42a9-db3c-4bc7-b0f3-83a524adf0ec": map[uint32]string{ + 1719: "Volume BitLocker Can Change Pin", + }, + "c554493c-c1f7-40c1-a76c-ef8c0614003e": map[uint32]string{ + 100: "Contact Telex Number", + }, + "c64a866e-41ae-4c8c-b3d5-dd6dbf70c9c1": map[uint32]string{ + 100: "Is Group", + }, + "c66d4b3c-e888-47cc-b99f-9dca3ee34dea": map[uint32]string{ + 100: "GPS Dest Bearing", + }, + "c6f039e7-f6a4-4185-ae48-07938262c274": map[uint32]string{ + 100: "Hide In Grep Search", + }, + "c75faa05-96fd-49e7-9cb4-9f601082d553": map[uint32]string{ + 100: "End Date", + }, + "c77724d4-601f-46c5-9b89-c53f93bceb77": map[uint32]string{ + 100: "Photo Max Aperture Denominator", + }, + "c89a23d0-7d6d-4eb8-87d4-776a82d493e5": map[uint32]string{ + 100: "Contact Home Address State", + }, + "c8d1920c-01f6-40c0-ac86-2f3a4ad00770": map[uint32]string{ + 100: "GPS Track Denominator", + }, + "c8ea94f0-a9e3-4969-a94b-9c62a95324e0": map[uint32]string{ + 100: "Contact Primary Address City", + }, + "c9944a21-a406-48fe-8225-aec7e24c211b": map[uint32]string{ + 2: "PropList Full Details", + 3: "PropList Tile Info", + 4: "PropList Info Tip", + 5: "PropList Quick Tip", + 6: "PropList Preview Title", + 8: "PropList Preview Details", + 9: "PropList Extended Tile Info", + 10: "PropList File Operation Prompt", + 11: "PropList Conflict Prompt", + 12: "PropList Set Defaults For", + 13: "PropList Content View Mode For Browse", + 14: "PropList Content View Mode For Search", + 16: "PropList Status Icons", + 17: "Info 
Tip Text", + 18: "PropList Status Icons Display Flag", + 500: "Layout Pattern Content View Mode For Browse", + 501: "Layout Pattern Content View Mode For Search", + 502: "Layout Pattern Place Holder", + 503: "Layout Pattern Tiles View Mode", + 504: "Layout Pattern Group", + 510: "PropList Details Pane Null Select", + 511: "PropList Details Pane Null Select Title", + }, + "c9b88dba-04db-4887-a200-cf0d3afe1146": map[uint32]string{ + 99: "Game Update Status", + }, + "c9c141a9-1b4c-4f17-a9d1-f298538cadb8": map[uint32]string{ + 2: "Devices Aep Service Service Id", + 5: "Devices Aep Service Protocol Id", + 6: "Devices Aep Service Aep Id", + 7: "Devices Aep Service Parent Aep Is Paired", + }, + "c9c34f84-2241-4401-b607-bd20ed75ae7f": map[uint32]string{ + 100: "Communication Header Item", + }, + "cbf38310-4a17-4310-a1eb-247f0b67593b": map[uint32]string{ + 2: "Device Interface Hid Usage Page", + 3: "Device Interface Hid Usage Id", + 4: "Device Interface Hid Is Read Only", + 5: "Device Interface Hid Vendor Id", + 6: "Device Interface Hid Product Id", + 7: "Device Interface Hid Version Number", + }, + "cc158e89-6581-4311-9637-a8da9002f118": map[uint32]string{ + 2: "Connected Search Require Install", + }, + "cc301630-b192-4c22-b372-9f4c6d338e07": map[uint32]string{ + 100: "PropGroup General", + }, + "cc6f4f24-6083-4bd4-8754-674d0de87ab8": map[uint32]string{ + 100: "Contact Email Name", + }, + "cd102c9c-5540-4a88-a6f6-64e4981c8cd1": map[uint32]string{ + 100: "Contact Assistant Name", + }, + "cd9ed458-08ce-418f-a70e-f912c7bb9c5c": map[uint32]string{ + 103: "Message Message Class", + }, + "cdbfc167-337e-41d8-af7c-8c09205429c7": map[uint32]string{ + 100: "Application Defined Properties", + }, + "cdedcf30-8919-44df-8f4c-4eb2ffdb8d89": map[uint32]string{ + 100: "Photo Exposure Index Numerator", + }, + "ce50c159-2fb8-41fd-be68-d3e042e274bc": map[uint32]string{ + 2: "Sync Handler Name", + 3: "Sync Item Name", + 4: "Sync Conflict Description", + 6: "Sync Conflict First Location", + 7: 
"Sync Conflict Second Location", + 10: "Sync Conflict Unresolvable", + }, + "cea820b9-ce61-4885-a128-005d9087c192": map[uint32]string{ + 100: "GPS Dest Latitude Ref", + }, + "cebf9b37-26ae-466b-9fe9-c7550c4b0ce8": map[uint32]string{ + 100: "Transfer Path", + }, + "cf5751fd-f4b3-443d-b31c-9a34740759ec": map[uint32]string{ + 100: "Search Scope", + }, + "cfa31b45-525d-4998-bb44-3f7d81542fa4": map[uint32]string{ + 100: "Media Dlna Profile Id", + }, + "cfc08d97-c6f7-4484-89dd-ebef4356fe76": map[uint32]string{ + 100: "Photo Focal Plane X Resolution", + }, + "d042d2a1-927e-40b5-a503-6edbd42a517e": map[uint32]string{ + 100: "Contact Phone Numbers Canonical", + }, + "d08dd4c0-3a9e-462e-8290-7b636b2576b9": map[uint32]string{ + 2: "Devices Interface Paths", + 3: "Devices Function Paths", + 10: "Devices Primary Category", + 257: "Devices Status 1", + 258: "Devices Status 2", + 259: "Devices Status", + }, + "d0a04f0a-462a-48a4-bb2f-3706e88dbd7d": map[uint32]string{ + 100: "Item Authors", + }, + "d0c7f054-3f72-4725-8527-129a577cb269": map[uint32]string{ + 100: "Sensitivity Text", + }, + "d0dab0ba-368a-4050-a882-6c010fd19a4f": map[uint32]string{ + 100: "PropGroup Content", + }, + "d21a7148-d32c-4624-8900-277210f79c0f": map[uint32]string{ + 100: "Image Compressed Bits Per Pixel Numerator", + }, + "d35f743a-eb2e-47f2-a286-844132cb1427": map[uint32]string{ + 100: "Photo EXIF Version", + }, + "d37d52c6-261c-4303-82b3-08b926ac6f12": map[uint32]string{ + 100: "Task Billing Information", + }, + "d4729704-8ef1-43ef-9024-2bd381187fd5": map[uint32]string{ + 100: "Contact Children", + }, + "d4bf61b3-442e-4ada-882d-fa7b70c832d9": map[uint32]string{ + 6: "Devices Aep Point Of Service Connection Types", + }, + "d4d0aa16-9948-41a4-aa85-d97ff9646993": map[uint32]string{ + 100: "Item Participants", + }, + "d55bae5a-3892-417a-a649-c6ac5aaaeab3": map[uint32]string{ + 100: "Calendar Optional Attendee Addresses", + }, + "d5cdd502-2e9c-101b-9397-08002b2cf9ae": map[uint32]string{ + 1: "Codepage", + 2: 
"Category", + 3: "Document Presentation Format", + 4: "Document ByteC ount", + 5: "Document Line Count", + 6: "Document Paragraph Count", + 7: "Document Slide Count", + 8: "Document Note Count", + 9: "Document Hidden Slide Count", + 10: "Document Multimedia Clip Count", + 11: "Scale", + 12: "Headingpair", + 13: "Document Parts", + 14: "Document Manager", + 15: "Company", + 16: "Document Links Dirty", + 26: "Content Type", + 27: "Content Status", + 28: "Language", + 29: "Document Version", + }, + "d6304e01-f8f5-4f45-8b15-d024a6296789": map[uint32]string{ + 100: "Contact Pager Telephone", + }, + "d68dbd8a-3374-4b81-9972-3ec30682db3d": map[uint32]string{ + 100: "Contact IM Address", + }, + "d6942081-d53b-443d-ad47-5e059d9cd27a": map[uint32]string{ + 2: "Shell SFGAOFlagsStrings", + 3: "Link TargetSFGAOFlagsStrings", + }, + "d6b5b883-18bd-4b4d-b2ec-9e38affeda82": map[uint32]string{ + 2: "Devices SmartCards ReaderKind", + }, + "d6cf9145-d365-471b-bcb8-f0b4a96b891c": map[uint32]string{ + 100: "Fonts ActiveStatus", + }, + "d7313ff1-a77a-401c-8c99-3dbdd68add36": map[uint32]string{ + 100: "Item Name Prefix", + }, + "d76e7ba8-dfa6-48e7-9670-d62dfb07206b": map[uint32]string{ + 2: "Connected Search Contract Id", + 3: "Connected Search App Min Version", + 4: "Connected Search App Installed State", + }, + "d7750ee0-c6a4-48ec-b53e-b87b52e6d073": map[uint32]string{ + 100: "Image Parsing Name", + }, + "d7b61c70-6323-49cd-a5fc-c84277162c97": map[uint32]string{ + 100: "Photo Flash Energy Denominator", + }, + "d98be98b-b86b-4095-bf52-9d23b2e0a752": map[uint32]string{ + 100: "Priority Text", + }, + "d9c22960-532c-4bc6-9876-7b12b52593d7": map[uint32]string{ + 2: "Protocol Name", + }, + "da520e51-f4e9-4739-ac82-02e0a95c9030": map[uint32]string{ + 100: "Identity Qualified User Name", + }, + "da5d0862-6e76-4e1b-babd-70021bd25494": map[uint32]string{ + 100: "GPS Speed", + }, + "dc54fd2e-189d-4871-aa01-08c2f57a4abc": map[uint32]string{ + 100: "Flag Status Text", + }, + 
"dc5877c7-225f-45f7-bac7-e81334b6130a": map[uint32]string{ + 100: "GPS Img Direction Numerator", + }, + "dc8f80bd-af1e-4289-85b6-3dfc1b493992": map[uint32]string{ + 100: "Message Conversation Id", + 101: "Message Conversation Index", + }, + "dccb10af-b4e2-4b88-95f9-031b4d5ab490": map[uint32]string{ + 100: "Photo Focal Plane X Resolution Numerator", + }, + "dce33a78-aa18-4b3d-b1df-a6621ac8bdd2": map[uint32]string{ + 2: "Connected Search Bypass View Action", + }, + "dd141766-313a-4a30-90f0-056a7c968437": map[uint32]string{ + 2: "Print Status Document Count", + 3: "Print Status Error Status", + 4: "Print Status Location", + 5: "Print Status Comment", + 6: "Print Status Preferences", + 7: "Print Status Warning Status", + 8: "Print Status Info Status", + 9: "Scan Status Profile", + }, + "ddd1460f-c0bf-4553-8ce4-10433c908fb0": map[uint32]string{ + 100: "Contact Business Address Street", + }, + "de00de32-547e-4981-ad4b-542f2e9007d8": map[uint32]string{ + 100: "PropGroup Camera", + }, + "de35258c-c695-4cbc-b982-38b0ad24ced0": map[uint32]string{ + 2: "Shell Omit From View", + }, + "de41cc29-6971-4290-b472-f59f2e2f31e2": map[uint32]string{ + 100: "Media Date Released", + }, + "de5ef3c7-46e1-484e-9999-62c5308394c1": map[uint32]string{ + 100: "Contact Primary Address Post Office Box", + }, + "de621b8f-e125-43a3-a32d-5665446d632a": map[uint32]string{ + 25: "Security Encryption Owners Display", + }, + "de9e220b-41d4-4690-8b6b-3d89e231eef1": map[uint32]string{ + 100: "Fonts Family Name", + }, + "dea7c82c-1d89-4a66-9427-a4e3debabcb1": map[uint32]string{ + 100: "Journal Contacts", + }, + "debda43a-37b3-4383-91e7-4498da2995ab": map[uint32]string{ + 5: "WNET Local Name", + 6: "WNET Remote Name", + 7: "WNET Comment", + 8: "WNET Provider", + }, + "deeb2db5-0696-4ce0-94fe-a01f77a45fb5": map[uint32]string{ + 102: "Music Artist Sort Override", + }, + "df975fd3-250a-4004-858f-34e29a3e37aa": map[uint32]string{ + 100: "Prop Group Contact", + }, + "dfb9a04d-362f-4ca3-b30b-0254b17b5b84": 
map[uint32]string{ + 100: "Parsing Bind Context", + }, + "e08805c8-e395-40df-80d2-54f0d6c43154": map[uint32]string{ + 100: "Document Document ID", + }, + "e1277516-2b5f-4869-89b1-2e585bd38b7a": map[uint32]string{ + 100: "Photo Len sModel", + }, + "e13d8975-81c7-4948-ae3f-37cae11e8ff7": map[uint32]string{ + 100: "Photo Shutter Speed Denominator", + }, + "e1a9a38b-6685-46bd-875e-570dc7ad7320": map[uint32]string{ + 100: "Photo Aperture Denominator", + }, + "e1ad4953-a752-443c-93bf-80c7525566c2": map[uint32]string{ + 2: "Connected Search Type", + 3: "Connected Search Rendering Template", + 4: "Connected Search Fallback Template", + 5: "Connected Search Telemetry Id", + 6: "Connected Search Impression Id", + 7: "Connected Search Is Visibility Tracked", + 8: "Connected Search Telemetry Data", + 9: "Connected Search Application Search Scope", + 10: "Connected Search Parent Id", + 11: "Connected Search Child Count", + 12: "Connected Search Top Level Id", + 13: "Connected Search Is Visible By Default", + 14: "Connected Search Is Activatable", + 15: "Connected Search Suggestion Context", + 16: "Connected Search Region Id", + 17: "Connected Search Item Source", + 18: "Connected Search Activation Command", + 19: "Connected Search Is History Item", + 20: "Connected Search Is App Available", + 21: "Connected Search History Title", + 22: "Connected Search History Description", + 23: "Connected Search History Glyph", + 27: "Connected Search Requires Consent", + 28: "Connected Search Copy Text", + 29: "Connected Search Add Open In Browser Command", + 30: "Connected Search Image Url", + 31: "Connected Search Image Prefetch Stage", + 32: "Connected Search Is Local Item", + }, + "e1d4a09e-d758-4cd1-b6ec-34a8b5a73f80": map[uint32]string{ + 100: "Contact Business Address Postal Code", + }, + "e2d40928-632c-4280-a202-e0c2ad1ea0f4": map[uint32]string{ + 2: "Connected Search Qs Code", + 3: "Connected Search Jump List", + 4: "Connected Search Voice Command Examples", + }, + 
"e32596b0-1163-4e02-867a-12132db4ba06": map[uint32]string{ + 2: "IE FeedItem Local Id", + }, + "e3690a87-0fa8-4a2a-9a9f-fce8827055ac": map[uint32]string{ + 100: "Prop Group Image", + }, + "e3a7d2c1-80fc-4b40-8f34-30ea111bdc2e": map[uint32]string{ + 100: "Prop Group File System", + }, + "e4f10a3c-49e6-405d-8288-a23bd4eeaa6c": map[uint32]string{ + 100: "File Extension", + }, + "e53d799d-0f3f-466e-b2ff-74634a3cb7a4": map[uint32]string{ + 100: "Contact Primary Address Country", + }, + "e5473742-4611-4aaf-9c49-a3417748cbc8": map[uint32]string{ + 100: "Invalid Path Value", + }, + "e55fc3b0-2b60-4220-918e-b21e8bf16016": map[uint32]string{ + 100: "Identity Unique Id", + }, + "e6822fee-8c17-4d62-823c-8e9cfcbd1d5c": map[uint32]string{ + 100: "Audio Is Variable Bit Rate", + }, + "e6c3d9ad-7b32-4efe-a167-0a868ffdf3af": map[uint32]string{ + 100: "Game WinSPR Minimum", + }, + "e6ddcaf7-29c5-4f0a-9a68-d19412ec7090": map[uint32]string{ + 100: "Photo Lens Manufacturer", + }, + "e77e90df-6271-4f5b-834f-2dd1f245dda4": map[uint32]string{ + 2: "Storage Provider UI Status", + 3: "Storage Provider State", + 4: "Storage Provider Transfer Progress", + }, + "e7b33238-6584-4170-a5c0-ac25efd9da56": map[uint32]string{ + 100: "Prop Group Recorded TV", + }, + "e7c3fb29-caa7-4f47-8c8b-be59b330d4c5": map[uint32]string{ + 2: "Devices Aep Container Id", + 3: "Devices Aep Can Pair", + }, + "e8309b6e-084c-49b4-b1fc-90a80331b638": map[uint32]string{ + 100: "Photo PeopleNames", + }, + "e88dcce0-b7b3-11d1-a9f0-00aa0060fa31": map[uint32]string{ + 2: "Zip Folder Encrypted", + 3: "Zip Folder Method", + 4: "Zip Folder Ratio", + 5: "Zip Folder CRC32", + 6: "Zip Folder Compressed Size", + }, + "e92a2496-223b-4463-a4e3-30eabba79d80": map[uint32]string{ + 100: "Photo FNumber Denominator", + }, + "e9641eff-af25-4db7-947b-4128929f8ef5": map[uint32]string{ + 2: "Connected Search Suggestion Detail Text", + }, + "e9edd392-0b4c-4cf2-82c0-b0d139666245": map[uint32]string{ + 102: "Structured Query Virtual Bcc", + 103: 
"Structured Query Virtual Cc", + 104: "Structured Query Virtual From", + 105: "Structured Query Virtual To", + 106: "Structured Query Virtual Organizer", + 107: "Structured Query Virtual Required Attendees", + 108: "Structured Query Virtual Optional Attendees", + 109: "Structured Query Virtual Resources", + 110: "Structured Query Virtual Date Created", + 111: "Structured Query Virtual Phone", + 112: "Structured Query Virtual Message Size", + 113: "Structured Query Virtual About", + 114: "Structured Query Virtual Is Read", + 115: "Structured Query Virtual Journal Duration", + 116: "Structured Query Virtual Is Encrypted", + 117: "Structured Query Virtual Type", + 118: "Structured Query Virtual Artist", + }, + "ea810849-87ff-4b54-abd6-5b71adf466f8": map[uint32]string{ + 1: "Dui Control Resource", + }, + "ec0b4191-ab0b-4c66-90b6-c6637cdebbab": map[uint32]string{ + 100: "Communication Policy Tag", + }, + "ecf4b6f6-d5a6-433c-bb92-4076650fc890": map[uint32]string{ + 100: "GPS Dest Latitude Numerator", + }, + "ecf7f4c9-544f-4d6d-9d98-8ad79adaf453": map[uint32]string{ + 100: "GPS Speed Ref", + }, + "ed4df2d3-8695-450b-856f-f5c1c53acb66": map[uint32]string{ + 100: "GPS Des tDistance Ref", + }, + "ee31306c-fb9b-4d62-8621-3575d972a9f9": map[uint32]string{ + 1718: "Volume BitLocker Requires Admin", + }, + "ee3d3d8a-5381-4cfa-b13b-aaf66b5f4ec9": map[uint32]string{ + 100: "Photo White Balance", + }, + "eec7b761-6f94-41b1-949f-c729720dd13c": map[uint32]string{ + 12: "Device Interface Printer Port Name", + }, + "ef1167eb-cbfc-4341-a568-a7c91a68982c": map[uint32]string{ + 2: "Devices WiFi Interface Guid", + }, + "ef884c5b-2bfe-41bb-aae5-76eedf4f9902": map[uint32]string{ + 100: "Is Shared", + 200: "Shared With", + 300: "Sharing Status", + 400: "Share Scope", + }, + "f04bef95-c585-4197-a2b7-df46fdc9ee6d": map[uint32]string{ + 100: "Kind Text", + }, + "f0f7984d-222e-4ad2-82ab-1dd8ea40e57e": map[uint32]string{ + 300: "Title Sort Override", + }, + "f1176dfe-7138-4640-8b4c-ae375dc70a6d": 
map[uint32]string{ + 100: "Contact Primary Address State", + }, + "f18dedf3-337f-42c0-9e03-cee08708a8c3": map[uint32]string{ + 100: "Identity Logon Status String", + }, + "f1a24aa7-9ca7-40f6-89ec-97def9ffe8db": map[uint32]string{ + 100: "Contact File As Name", + }, + "f1fdb4af-f78c-466c-bb05-56e92db0b8ec": map[uint32]string{ + 103: "Music Album Artist Sort Override", + }, + "f21d9941-81f0-471a-adee-4e74b49217ed": map[uint32]string{ + 100: "Provider Item Id", + }, + "f2275480-f782-4291-bd94-f13693513aec": map[uint32]string{ + 0: "Prop List XP Details Panel", + }, + "f23f425c-71a1-4fa8-922f-678ea4a60408": map[uint32]string{ + 100: "Is Attachment", + }, + "f271c659-7e5e-471f-ba25-7f77b286f836": map[uint32]string{ + 100: "Contact Business Email Addresses", + }, + "f27abe3a-7111-4dda-8cb2-29222ae23566": map[uint32]string{ + 2: "Connected Search Disambiguation Id", + }, + "f334115e-da1b-4509-9b3d-119504dc7abb": map[uint32]string{ + 100: "Document Contributor", + }, + "f3713ada-90e3-4e11-aae5-fdc17685b9be": map[uint32]string{ + 100: "Prop Group GPS", + }, + "f3aecac4-5b8d-436a-ad0c-64ab194fdaf3": map[uint32]string{ + 100: "Fonts Collection Name", + }, + "f3c9b698-be85-47ce-888f-83874d9abcb4": map[uint32]string{ + 2: "App Contract Pinned", + 3: "App Contract Hidden", + 4: "App Contract Pinned Order", + 5: "App Contract Relevance", + 6: "App Contract Category", + 7: "App Contract Supported File Types", + }, + "f3d8f40d-50cb-44a2-9718-40cb9119495d": map[uint32]string{ + 100: "Contact Initials", + }, + "f50d2f5d-dda0-48d4-8d2b-e83729fb69a4": map[uint32]string{ + 100: "Item Query Condition", + }, + "f6272d18-cecc-40b1-b26a-3911717aa7bd": map[uint32]string{ + 100: "Calendar Location", + }, + "f628fd8c-7ba8-465a-a65b-c5aa79263a9e": map[uint32]string{ + 100: "Photo Metering Mode Text", + }, + "f7db74b4-4287-4103-afba-f1b13dcd75cf": map[uint32]string{ + 100: "Item Date", + }, + "f8245476-2ec6-44be-b2f7-82ec2537fa2e": map[uint32]string{ + 100: "Condition", + 101: "Condition Key", + 
}, + "f85bf840-a925-4bc2-b0c4-8e36b598679e": map[uint32]string{ + 100: "Photo Digital Zoom", + }, + "f8d3f6ac-4874-42cb-be59-ab454b30716a": map[uint32]string{ + 100: "Sensitivity", + }, + "f8fa7fa3-d12b-4785-8a4e-691a94f7a3e7": map[uint32]string{ + 100: "Contact Email Address", + }, + "fa303353-b659-4052-85e9-bcac79549b84": map[uint32]string{ + 100: "Photo Maker Note", + }, + "fa304789-00c7-4d80-904a-1e4dcc7265aa": map[uint32]string{ + 100: "Photo Gain Control", + }, + "fb1de864-e06d-47f4-82a6-8a0aef44493c": map[uint32]string{ + 2: "Devices Audio Device Speech Processing Supported", + }, + "fb3842cd-9e2a-4f83-8fcc-4b0761139ae9": map[uint32]string{ + 2: "Device Interface Proximity Supports Nfc", + }, + "fc6976db-8349-4970-ae97-b3c5316a08f0": map[uint32]string{ + 100: "Photo Sharpness", + }, + "fc9f7306-ff8f-4d49-9fb6-3ffe5c0951ec": map[uint32]string{ + 100: "Contact Department", + }, + "fcad3d3d-0858-400f-aaa3-2f66cce2a6bc": map[uint32]string{ + 100: "Photo Flash Energy Numerator", + }, + "fcc16823-baed-4f24-9b32-a0982117f7fa": map[uint32]string{ + 100: "Identity Primary Email Address", + }, + "fceff153-e839-4cf3-a9e7-ea22832094b8": map[uint32]string{ + 100: "File Offline Availability Status", + 101: "Folder Kind", + 103: "Sync Transfer Status", + 104: "Transfer Position", + 105: "Transfer Size", + 106: "Transfer Order", + 107: "Last Sync Error", + 108: "Storage Provider Id", + 109: "Storage Provider Error", + 110: "Storage Provider Status", + 111: "Storage Provider Share Statuses", + 112: "Storage Provider File Remote Uri", + 113: "Cached File Updater Content Id For Stream", + 114: "Cached File Updater Content Id For Conflict Resolution", + 115: "Remote Conflicting File", + 116: "Storage Provider Thumbnail Dimensions", + 117: "Storage Provider Sharing Status", + 118: "Storage Provider Descendant Sharing Status", + 119: "Storage Provider Fully Qualified Id", + 120: "Storage Provider Custom States", + 121: "Item Custom State State List", + 122: "Item Custom State 
Values", + 123: "Item Custom State Icon References", + 124: "Storage Provider Aggregated Custom States", + 125: "Storage Provider Network Connected", + 126: "Storage Provider Warning Error State", + 127: "Storage Provider Protection Mode", + }, + "fcfb52aa-c1e5-4cd8-88bc-f80fd7390f20": map[uint32]string{ + 100: "Not User Content", + }, + "fd122953-fa93-4ef7-92c3-04c946b2f7c8": map[uint32]string{ + 100: "Music Display Artist", + }, + "fd9d9fc7-38ec-436d-8fc6-ec39bad301e6": map[uint32]string{ + 100: "Computer Processor", + 101: "Computer Memory", + }, + "fdf84370-031a-4add-9e91-0d775f1c6605": map[uint32]string{ + 100: "Mileage Information", + }, + "fe83bb35-4d1a-42e2-916b-06f3e1af719e": map[uint32]string{ + 100: "Photo Flash Model", + }, + "fe9e4c12-aacb-4aa3-966d-91a29e6128b5": map[uint32]string{ + 3: "Printer Default", + 4: "Printer Location", + 5: "Printer Model", + 6: "Printer Queue Size", + 7: "Printer Status", + }, + "fec690b7-5f30-4646-ae47-4caafba884a3": map[uint32]string{ + 100: "Photo Exposure Program Text", + }, + "fec7952b-4bf0-4c03-b6e1-2796818b7ca9": map[uint32]string{ + 100: "Fonts Version", + }, + "ff1167eb-cbfc-4341-a568-a7c91a68982c": map[uint32]string{ + 2: "Devices Wwan Interface Guid", + }, + "ff962609-b7d6-4999-862d-95180d529aea": map[uint32]string{ + 100: "Contact Other Address Street", + }, + "ffae9db7-1c8d-43ff-818c-84403aa3732d": map[uint32]string{ + 100: "Source Package Family Name", + }, +} diff --git a/libbeat/formats/lnk/lnk.go b/libbeat/formats/lnk/lnk.go index 46697724116c..3814f6f1dc50 100644 --- a/libbeat/formats/lnk/lnk.go +++ b/libbeat/formats/lnk/lnk.go 
@@ -87,8 +87,7 @@ type Property struct {
 // PropertyStore contains LNK extra property store data block info
 type PropertyStore struct {
 // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-propstore/3453fb82-0e4f-4c2c-bc04-64b4bd2c51ec
- NamedProperties map[string][]Property `json:"named_properties,omitempty"`
- Properties map[uint32][]Property `json:"properties,omitempty"`
+ Properties map[string][]Property `json:"properties,omitempty"`
 }
 
 // Shim contains LNK extra shim data block info

From d8d9a19be8d619abc4bed2e252a40b52d9e481a9 Mon Sep 17 00:00:00 2001
From: Andrew Stucki
Date: Wed, 3 Mar 2021 14:25:42 -0500
Subject: [PATCH 24/30] Make property store an array

---
 .../lnk/local.directory.seven.lnk.fingerprint | 48 ++++----
 .../lnk/local.file.seven.lnk.fingerprint | 15 ++-
 .../fixtures/lnk/local_cmd.lnk.fingerprint | 48 ++++----
 .../lnk/local_unicode.lnk.fingerprint | 37 +++---
 .../fixtures/lnk/local_win31j.lnk.fingerprint | 37 +++---
 .../lnk/native.seven.01.lnk.fingerprint | 15 ++-
 .../lnk/native.seven.02.lnk.fingerprint | 26 ++---
 .../lnk/native.seven.03.lnk.fingerprint | 26 ++---
 .../lnk/native.seven.04.lnk.fingerprint | 15 ++-
 .../lnk/native.seven.08.lnk.fingerprint | 26 ++---
 .../lnk/native.seven.09.lnk.fingerprint | 26 ++---
 .../lnk/native.seven.13.lnk.fingerprint | 26 ++---
 .../fixtures/lnk/net_unicode.lnk.fingerprint | 37 +++---
 .../fixtures/lnk/net_unicode2.lnk.fingerprint | 37 +++---
 .../fixtures/lnk/net_win31j.lnk.fingerprint | 37 +++---
 libbeat/formats/lnk/extra_property_store.go | 107 +++++++-----------
 libbeat/formats/lnk/lnk.go | 3 +-
 17 files changed, 254 insertions(+), 312 deletions(-)

diff --git a/libbeat/formats/fixtures/lnk/local.directory.seven.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.directory.seven.lnk.fingerprint
index 13d6a49dce4d..186cac0a9fea 100644
--- a/libbeat/formats/fixtures/lnk/local.directory.seven.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/local.directory.seven.lnk.fingerprint
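Review bot: Keying the store by the resolved display name, `Properties map[string][]Property`, removes the format GUID and property ID from this struct, so a property whose GUID is absent from the name table, or two properties that resolve to the same display name, can no longer be told apart or traced back by a consumer of the fingerprint. For a forensic artifact the stable identifiers are the part worth keeping; I would carry them on `Property` (e.g. `FormatID string` and `PropertyID uint32` with `json:"format_id"` / `json:"property_id"` tags) alongside the resolved name, or at least state in the comment above `Properties` what the key is when no name is known — that fallback is presumably decided in extra_property_store.go, outside this hunk. The struct's only documentation is the MS-PROPSTORE URL; a sentence such as `// Properties groups the values of the serialized property store by their resolved property name.` followed by the unknown-GUID key rule would make the key's meaning explicit. The `Property` type named in the hunk header is defined above this hunk and is not visible here.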
@@ -67,32 +67,28 @@ "offset": 161 }, "property_store": { - "properties": { - "Item Folder Path Display Narrow": [ - { - "type": "VT_LPWSTR", - "value": "Utilisateurs (C:)" - } - ], - "Item Name Display": [ - { - "type": "VT_LPWSTR", - "value": "Administrator" - } - ], - "Parsing Path": [ - { - "type": "VT_LPWSTR", - "value": "C:\\Users\\Administrator" - } - ], - "SID": [ - { - "type": "VT_LPWSTR", - "value": "S-1-5-21-2382555026-1982050849-604700897-1000" - } - ] - } + "properties": [ + { + "name": "Item Name Display", + "type": "VT_LPWSTR", + "value": "Administrator" + }, + { + "name": "SID", + "type": "VT_LPWSTR", + "value": "S-1-5-21-2382555026-1982050849-604700897-1000" + }, + { + "name": "Item Folder Path Display Narrow", + "type": "VT_LPWSTR", + "value": "Utilisateurs (C:)" + }, + { + "name": "Parsing Path", + "type": "VT_LPWSTR", + "value": "C:\\Users\\Administrator" + } + ] }, "tracker": { "version": 0, diff --git a/libbeat/formats/fixtures/lnk/local.file.seven.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.file.seven.lnk.fingerprint index fb1eeac55460..0c8770f862c5 100644 --- a/libbeat/formats/fixtures/lnk/local.file.seven.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local.file.seven.lnk.fingerprint @@ -79,14 +79,13 @@ "offset": 357 }, "property_store": { - "properties": { - "SID": [ - { - "type": "VT_LPWSTR", - "value": "S-1-5-21-2382555026-1982050849-604700897-1000" - } - ] - } + "properties": [ + { + "name": "SID", + "type": "VT_LPWSTR", + "value": "S-1-5-21-2382555026-1982050849-604700897-1000" + } + ] }, "tracker": { "version": 0, diff --git a/libbeat/formats/fixtures/lnk/local_cmd.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local_cmd.lnk.fingerprint index bd6f5f4d5d79..cbf00912b340 100644 --- a/libbeat/formats/fixtures/lnk/local_cmd.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local_cmd.lnk.fingerprint 
@@ -70,32 +70,28 @@ "offset": 221 }, "property_store": { - "properties": { - "Item Folder Path Display Narrow": [ - { - "type": "VT_LPWSTR", - "value": "System32 (C:\\Windows)" - } - ], - "Item Name Display": [ - { - "type": "VT_LPWSTR", - "value": "cmd with space.exe" - } - ], - "Parsing Path": [ - { - "type": "VT_LPWSTR", - "value": "C:\\Windows\\System32\\cmd with space.exe" - } - ], - "SID": [ - { - "type": "VT_LPWSTR", - "value": "S-1-5-21-2899541433-556809949-1686860144-1001" - } - ] - } + "properties": [ + { + "name": "Item Folder Path Display Narrow", + "type": "VT_LPWSTR", + "value": "System32 (C:\\Windows)" + }, + { + "name": "SID", + "type": "VT_LPWSTR", + "value": "S-1-5-21-2899541433-556809949-1686860144-1001" + }, + { + "name": "Item Name Display", + "type": "VT_LPWSTR", + "value": "cmd with space.exe" + }, + { + "name": "Parsing Path", + "type": "VT_LPWSTR", + "value": "C:\\Windows\\System32\\cmd with space.exe" + } + ] }, "special_folder": { "id": 37, diff --git a/libbeat/formats/fixtures/lnk/local_unicode.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local_unicode.lnk.fingerprint index e4c5aa07cc15..0474b92469ee 100644 --- a/libbeat/formats/fixtures/lnk/local_unicode.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local_unicode.lnk.fingerprint @@ -56,26 +56,23 @@ "working_directory": "C:\\Temp", "extra": { "property_store": { - "properties": { - "Item Folder Path Display": [ - { - "type": "VT_LPWSTR", - "value": "C:\\Temp" - } - ], - "Item Name Display": [ - { - "type": "VT_LPWSTR", - "value": "💎.txt" - } - ], - "Parsing Path": [ - { - "type": "VT_LPWSTR", - "value": "C:\\Temp\\💎.txt" - } - ] - } + "properties": [ + { + "name": "Item Name Display", + "type": "VT_LPWSTR", + "value": "💎.txt" + }, + { + "name": "Parsing Path", + "type": "VT_LPWSTR", + "value": "C:\\Temp\\💎.txt" + }, + { + "name": "Item Folder Path Display", + "type": "VT_LPWSTR", + "value": "C:\\Temp" + } + ] }, "tracker": { "version": 0, 
diff --git a/libbeat/formats/fixtures/lnk/local_win31j.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local_win31j.lnk.fingerprint index 40da84819d5c..e36ea1c549b9 100644 --- a/libbeat/formats/fixtures/lnk/local_win31j.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local_win31j.lnk.fingerprint @@ -61,26 +61,23 @@ "icon_location": "%SystemRoot%\\system32\\SHELL32.dll", "extra": { "property_store": { - "properties": { - "Item Folder Path Display": [ - { - "type": "VT_LPWSTR", - "value": "C:\\Temp" - } - ], - "Item Name Display": [ - { - "type": "VT_LPWSTR", - "value": "リンク先.txt" - } - ], - "Parsing Path": [ - { - "type": "VT_LPWSTR", - "value": "C:\\Temp\\リンク先.txt" - } - ] - } + "properties": [ + { + "name": "Item Name Display", + "type": "VT_LPWSTR", + "value": "リンク先.txt" + }, + { + "name": "Parsing Path", + "type": "VT_LPWSTR", + "value": "C:\\Temp\\リンク先.txt" + }, + { + "name": "Item Folder Path Display", + "type": "VT_LPWSTR", + "value": "C:\\Temp" + } + ] }, "tracker": { "version": 0, diff --git a/libbeat/formats/fixtures/lnk/native.seven.01.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.01.lnk.fingerprint index 44c73fa63bf9..0d4cb55484e9 100644 --- a/libbeat/formats/fixtures/lnk/native.seven.01.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.seven.01.lnk.fingerprint @@ -63,14 +63,13 @@ "offset": 181 }, "property_store": { - "properties": { - "SID": [ - { - "type": "VT_LPWSTR", - "value": "S-1-5-21-2092377875-1431633947-1539857752-1075" - } - ] - } + "properties": [ + { + "name": "SID", + "type": "VT_LPWSTR", + "value": "S-1-5-21-2092377875-1431633947-1539857752-1075" + } + ] }, "special_folder": { "id": 42, diff --git a/libbeat/formats/fixtures/lnk/native.seven.02.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.02.lnk.fingerprint index 63b0aa67d358..cedb2edb6ce8 100644 --- a/libbeat/formats/fixtures/lnk/native.seven.02.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.seven.02.lnk.fingerprint 
@@ -31,20 +31,18 @@ "relative_path": "..\\Desktop", "extra": { "property_store": { - "properties": { - "Item Name Display": [ - { - "type": "VT_LPWSTR", - "value": "Bureau" - } - ], - "Parsing Path": [ - { - "type": "VT_LPWSTR", - "value": "C:\\Users\\Aldheris\\Desktop" - } - ] - } + "properties": [ + { + "name": "Item Name Display", + "type": "VT_LPWSTR", + "value": "Bureau" + }, + { + "name": "Parsing Path", + "type": "VT_LPWSTR", + "value": "C:\\Users\\Aldheris\\Desktop" + } + ] }, "tracker": { "version": 0, diff --git a/libbeat/formats/fixtures/lnk/native.seven.03.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.03.lnk.fingerprint index ee0f4e855899..6aab953eb0c5 100644 --- a/libbeat/formats/fixtures/lnk/native.seven.03.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.seven.03.lnk.fingerprint @@ -19,20 +19,18 @@ ], "extra": { "property_store": { - "properties": { - "Item Name Display": [ - { - "type": "VT_LPWSTR", - "value": "Emplacements récents" - } - ], - "Parsing Path": [ - { - "type": "VT_LPWSTR", - "value": "::{22877A6D-37A1-461A-91B0-DBDA5AAEBC99}" - } - ] - } + "properties": [ + { + "name": "Item Name Display", + "type": "VT_LPWSTR", + "value": "Emplacements récents" + }, + { + "name": "Parsing Path", + "type": "VT_LPWSTR", + "value": "::{22877A6D-37A1-461A-91B0-DBDA5AAEBC99}" + } + ] } } } \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.seven.04.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.04.lnk.fingerprint index 0918c710d162..6596866296c4 100644 --- a/libbeat/formats/fixtures/lnk/native.seven.04.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.seven.04.lnk.fingerprint 
@@ -63,14 +63,13 @@ "offset": 181 }, "property_store": { - "properties": { - "SID": [ - { - "type": "VT_LPWSTR", - "value": "S-1-5-21-2092377875-1431633947-1539857752-1075" - } - ] - } + "properties": [ + { + "name": "SID", + "type": "VT_LPWSTR", + "value": "S-1-5-21-2092377875-1431633947-1539857752-1075" + } + ] }, "special_folder": { "id": 42, diff --git a/libbeat/formats/fixtures/lnk/native.seven.08.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.08.lnk.fingerprint index cf3a645ba015..fb9768d08cd3 100644 --- a/libbeat/formats/fixtures/lnk/native.seven.08.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.seven.08.lnk.fingerprint @@ -59,20 +59,18 @@ "unicode": "%SystemRoot%\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\cagicon.exe" }, "property_store": { - "properties": { - "App User Model Exclude From Show In New Install": [ - { - "type": "VT_BOOL", - "value": true - } - ], - "Comment": [ - { - "type": "VT_LPWSTR", - "value": "Importez et organisez des photos, des images clip art, des fichiers sons et animation à l'aide de la Bibliothèque multimédia Microsoft." - } - ] - } + "properties": [ + { + "name": "Comment", + "type": "VT_LPWSTR", + "value": "Importez et organisez des photos, des images clip art, des fichiers sons et animation à l'aide de la Bibliothèque multimédia Microsoft." + }, + { + "name": "App User Model Exclude From Show In New Install", + "type": "VT_BOOL", + "value": true + } + ] } } } \ No newline at end of file diff --git a/libbeat/formats/fixtures/lnk/native.seven.09.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.09.lnk.fingerprint index ed5fd3b98d85..b4d77fc455de 100644 --- a/libbeat/formats/fixtures/lnk/native.seven.09.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.seven.09.lnk.fingerprint 
@@ -70,20 +70,18 @@ "offset": 213 }, "property_store": { - "properties": { - "Comment": [ - { - "type": "VT_LPWSTR", - "value": "Transfère les fichiers entre les périphériques et les ordinateurs à l'aide de la technologie sans fil Bluetooth." - } - ], - "SID": [ - { - "type": "VT_LPWSTR", - "value": "S-1-5-18" - } - ] - } + "properties": [ + { + "name": "Comment", + "type": "VT_LPWSTR", + "value": "Transfère les fichiers entre les périphériques et les ordinateurs à l'aide de la technologie sans fil Bluetooth." + }, + { + "name": "SID", + "type": "VT_LPWSTR", + "value": "S-1-5-18" + } + ] }, "special_folder": { "id": 37, diff --git a/libbeat/formats/fixtures/lnk/native.seven.13.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.13.lnk.fingerprint index 1456fbb9c121..bf2831c2ea94 100644 --- a/libbeat/formats/fixtures/lnk/native.seven.13.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.seven.13.lnk.fingerprint @@ -40,20 +40,18 @@ "relative_path": "..\\Desktop", "extra": { "property_store": { - "properties": { - "Item Name Display": [ - { - "type": "VT_LPWSTR", - "value": "Bureau" - } - ], - "Parsing Path": [ - { - "type": "VT_LPWSTR", - "value": "C:\\Users\\Juliette\\Desktop" - } - ] - } + "properties": [ + { + "name": "Item Name Display", + "type": "VT_LPWSTR", + "value": "Bureau" + }, + { + "name": "Parsing Path", + "type": "VT_LPWSTR", + "value": "C:\\Users\\Juliette\\Desktop" + } + ] }, "tracker": { "version": 0, diff --git a/libbeat/formats/fixtures/lnk/net_unicode.lnk.fingerprint b/libbeat/formats/fixtures/lnk/net_unicode.lnk.fingerprint index 53c5c871b8f0..0c0a64939222 100644 --- a/libbeat/formats/fixtures/lnk/net_unicode.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/net_unicode.lnk.fingerprint 
@@ -36,26 +36,23 @@ "unicode": "\\\\test\\share\\💎.txt" }, "property_store": { - "properties": { - "Item Folder Path Display": [ - { - "type": "VT_LPWSTR", - "value": "\\\\test\\share" - } - ], - "Item Name Display": [ - { - "type": "VT_LPWSTR", - "value": "💎.txt" - } - ], - "Parsing Path": [ - { - "type": "VT_LPWSTR", - "value": "\\\\test\\share\\💎.txt" - } - ] - } + "properties": [ + { + "name": "Item Name Display", + "type": "VT_LPWSTR", + "value": "💎.txt" + }, + { + "name": "Parsing Path", + "type": "VT_LPWSTR", + "value": "\\\\test\\share\\💎.txt" + }, + { + "name": "Item Folder Path Display", + "type": "VT_LPWSTR", + "value": "\\\\test\\share" + } + ] }, "tracker": { "version": 0, diff --git a/libbeat/formats/fixtures/lnk/net_unicode2.lnk.fingerprint b/libbeat/formats/fixtures/lnk/net_unicode2.lnk.fingerprint index 936e4ce26a04..b9a347df1eca 100644 --- a/libbeat/formats/fixtures/lnk/net_unicode2.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/net_unicode2.lnk.fingerprint @@ -37,26 +37,23 @@ "unicode": "\\\\test\\📂\\リンク先.txt" }, "property_store": { - "properties": { - "Item Folder Path Display": [ - { - "type": "VT_LPWSTR", - "value": "\\\\test\\📂" - } - ], - "Item Name Display": [ - { - "type": "VT_LPWSTR", - "value": "リンク先.txt" - } - ], - "Parsing Path": [ - { - "type": "VT_LPWSTR", - "value": "\\\\test\\📂\\リンク先.txt" - } - ] - } + "properties": [ + { + "name": "Item Name Display", + "type": "VT_LPWSTR", + "value": "リンク先.txt" + }, + { + "name": "Parsing Path", + "type": "VT_LPWSTR", + "value": "\\\\test\\📂\\リンク先.txt" + }, + { + "name": "Item Folder Path Display", + "type": "VT_LPWSTR", + "value": "\\\\test\\📂" + } + ] }, "tracker": { "version": 0, diff --git a/libbeat/formats/fixtures/lnk/net_win31j.lnk.fingerprint b/libbeat/formats/fixtures/lnk/net_win31j.lnk.fingerprint index 990186177db7..e770da81e985 100644 --- a/libbeat/formats/fixtures/lnk/net_win31j.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/net_win31j.lnk.fingerprint 
@@ -37,26 +37,23 @@
 "unicode": "\\\\test\\share\\リンク先.txt"
 },
 "property_store": {
- "properties": {
- "Item Folder Path Display": [
- {
- "type": "VT_LPWSTR",
- "value": "\\\\test\\share"
- }
- ],
- "Item Name Display": [
- {
- "type": "VT_LPWSTR",
- "value": "リンク先.txt"
- }
- ],
- "Parsing Path": [
- {
- "type": "VT_LPWSTR",
- "value": "\\\\test\\share\\リンク先.txt"
- }
- ]
- }
+ "properties": [
+ {
+ "name": "Item Name Display",
+ "type": "VT_LPWSTR",
+ "value": "リンク先.txt"
+ },
+ {
+ "name": "Parsing Path",
+ "type": "VT_LPWSTR",
+ "value": "\\\\test\\share\\リンク先.txt"
+ },
+ {
+ "name": "Item Folder Path Display",
+ "type": "VT_LPWSTR",
+ "value": "\\\\test\\share"
+ }
+ ]
 },
 "tracker": {
 "version": 0,
diff --git a/libbeat/formats/lnk/extra_property_store.go b/libbeat/formats/lnk/extra_property_store.go
index 1400a5bb7e7b..6d8c64f65e7a 100644
--- a/libbeat/formats/lnk/extra_property_store.go
+++ b/libbeat/formats/lnk/extra_property_store.go
@@ -180,7 +180,7 @@ func parseExtraPropertyStore(size uint32, data []byte) (*PropertyStore, error) {
 if size < 0x0000000C {
 return nil, errors.New("invalid extra property store block size")
 }
- props := make(map[string][]Property)
+ props := []Property{}
 store := data[8:]
 offset := 0
 for {
@@ -200,12 +200,13 @@ func parseExtraPropertyStore(size uint32, data []byte) (*PropertyStore, error) {
 return nil, errors.New("invalid property version")
 }
 format := encodeUUID(propertyData[8:24])
- name, properties, err := parseProperties(format, propertyData[24:propertySize])
+ name, property, err := parseProperties(format, propertyData[24:propertySize])
 if err != nil {
 return nil, err
 }
- if properties != nil {
- props[name] = properties
+ if property != nil {
+ property.Name = name
+ props = append(props, *property)
 }
 offset += int(propertySize)
 }
@@ -215,7 +216,7 @@ func parseExtraPropertyStore(size uint32, data []byte) (*PropertyStore, error) {
 }, nil
 }

-func parseProperties(identifier string, data []byte) (string, []Property, error) {
+func parseProperties(identifier string, data []byte) (string, *Property, error) {
 propertySize := binary.LittleEndian.Uint32(data[0:4])
 if propertySize == 0 {
 return "", nil, nil
@@ -237,7 +238,7 @@ func parseProperties(identifier string, data []byte) (string, []Property, error)
 return name, value, nil
 }

-func parseTypedValue(data []byte) (uint32, []Property, error) {
+func parseTypedValue(data []byte) (uint32, *Property, error) {
 if len(data) < 4 {
 return 0, nil, errors.New("invalid properties")
 }
@@ -246,79 +247,59 @@ func parseTypedValue(data []byte) (uint32, []Property, error) {
 case vtEmpty:
 fallthrough
 case vtNull:
- return valueType, []Property{
- Property{
- Type: propertyTypes[valueType],
- },
+ return valueType, &Property{
+ Type: propertyTypes[valueType],
 }, nil
 case vtI2:
- return valueType, []Property{
- Property{
- Type: propertyTypes[valueType],
- Value: int16(binary.LittleEndian.Uint16(data[4:8])),
- },
+ return valueType, &Property{
+ Type: propertyTypes[valueType],
+ Value: int16(binary.LittleEndian.Uint16(data[4:8])),
 }, nil
 case vtI4:
- return valueType, []Property{
- Property{
- Type: propertyTypes[valueType],
- Value: int32(binary.LittleEndian.Uint32(data[4:8])),
- },
+ return valueType, &Property{
+ Type: propertyTypes[valueType],
+ Value: int32(binary.LittleEndian.Uint32(data[4:8])),
 }, nil
 case vtR4:
 bits := binary.LittleEndian.Uint32(data[4:8])
 float := math.Float32frombits(bits)
- return valueType, []Property{
- Property{
- Type: propertyTypes[valueType],
- Value: float,
- },
+ return valueType, &Property{
+ Type: propertyTypes[valueType],
+ Value: float,
 }, nil
 case vtR8:
 bits := binary.LittleEndian.Uint64(data[4:12])
 float := math.Float64frombits(bits)
- return valueType, []Property{
- Property{
- Type: propertyTypes[valueType],
- Value: float,
- },
+ return valueType, &Property{
+ Type: propertyTypes[valueType],
+ Value: float,
 }, nil
 case vtCY:
- return valueType, []Property{
- Property{
- Type: propertyTypes[valueType],
- Value: binary.LittleEndian.Uint64(data[4:12]),
- },
+ return valueType, &Property{
+ Type: propertyTypes[valueType],
+ Value: binary.LittleEndian.Uint64(data[4:12]),
 }, nil
 case vtDate:
- return valueType, []Property{
- Property{
- Type: propertyTypes[valueType],
- Value: normalizeTime(binary.LittleEndian.Uint64(data[4:12])),
- },
+ return valueType, &Property{
+ Type: propertyTypes[valueType],
+ Value: normalizeTime(binary.LittleEndian.Uint64(data[4:12])),
 }, nil
 case vtBStr:
 codePageSize :=
binary.LittleEndian.Uint32(data[4:8])
 codePage := common.ReadString(data[8:8+codePageSize], 0)
- return valueType, []Property{
- Property{
- Type: propertyTypes[valueType],
- Value: codePage,
- },
+ return valueType, &Property{
+ Type: propertyTypes[valueType],
+ Value: codePage,
 }, nil
 case vtError:
- return valueType, []Property{
- Property{
- Type: propertyTypes[valueType],
- Value: binary.LittleEndian.Uint32(data[4:8]),
- },
+ return valueType, &Property{
+ Type: propertyTypes[valueType],
+ Value: binary.LittleEndian.Uint32(data[4:8]),
 }, nil
 case vtBool:
- return valueType, []Property{
- Property{
- Type: propertyTypes[valueType],
- Value: binary.LittleEndian.Uint16(data[4:6]) == 0xFFFF,
- },
+ return valueType, &Property{
+ Type: propertyTypes[valueType],
+ Value: binary.LittleEndian.Uint16(data[4:6]) == 0xFFFF,
 }, nil
 // case vtDecimal:
 // case vtI1:
@@ -332,11 +313,9 @@ func parseTypedValue(data []byte) (uint32, []Property, error) {
 // case vtLPStr:
 case vtLPWStr:
 length := binary.LittleEndian.Uint32(data[4:8]) * 2
- return valueType, []Property{
- Property{
- Type: propertyTypes[valueType],
- Value: common.ReadUnicode(data[8:8+length], 0),
- },
+ return valueType, &Property{
+ Type: propertyTypes[valueType],
+ Value: common.ReadUnicode(data[8:8+length], 0),
 }, nil
 // case vtFiletime:
 // case vtBlob:
@@ -387,11 +366,9 @@ func parseTypedValue(data []byte) (uint32, []Property, error) {
 // case vtArrayInt:
 // case vtArrayUint:
 default:
- return valueType, []Property{
- Property{
- Type: propertyTypes[valueType],
- Value: data[4:],
- },
+ return valueType, &Property{
+ Type: propertyTypes[valueType],
+ Value: data[4:],
 }, nil
 }
 }
diff --git a/libbeat/formats/lnk/lnk.go b/libbeat/formats/lnk/lnk.go
index 3814f6f1dc50..7663f36cc13c 100644
--- a/libbeat/formats/lnk/lnk.go
+++ b/libbeat/formats/lnk/lnk.go
@@ -80,6 +80,7 @@ type KnownFolder struct {

 // Property contains property storage propery info
 type Property struct {
+ Name string `json:"name"`
 Type string `json:"type"`
 Value interface{} `json:"value"`
 }
@@ -87,7 +88,7 @@ type Property struct {
 // PropertyStore contains LNK extra property store data block info
 type PropertyStore struct {
 // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-propstore/3453fb82-0e4f-4c2c-bc04-64b4bd2c51ec
- Properties map[string][]Property `json:"properties,omitempty"`
+ Properties []Property `json:"properties,omitempty"`
 }

 // Shim contains LNK extra shim data block info
From 0cd5fe10aaf6d4ebdfdac31179394cc785a8c88a Mon Sep 17 00:00:00 2001
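Review bot: Switching from the map to `props = append(props, *property)` changes what a caller sees for a store that carries the same property name twice — `props[name] = properties` kept only the last one, the slice now keeps every entry in on-disk order — and nothing in the hunk records that this is intended. A comment above the loop would pin it: `// props keeps every serialized property in on-disk order; names are not unique keys and may repeat`. The `props := []Property{}` in the previous hunk can be `var props []Property`; the field carries `omitempty`, so a nil and an empty slice encode the same way when no property is found. parseExtraPropertyStore's body begins and ends outside these hunks.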
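Review bot: The new `*Property` return of parseProperties uses a nil pointer with a nil error for the `propertySize == 0` case, and the caller in parseExtraPropertyStore relies on that to skip the entry, but neither function documents the contract; a comment on the signature would do: `// parseProperties decodes one serialized property; it returns a nil *Property and a nil error for a zero-size entry, which appears to be the store's terminator`. parseTypedValue deserves a matching line stating that it returns the value type together with the decoded property. Both function bodies continue outside the hunk.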
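Review bot: Every case rewritten in this hunk slices `data` past the single `len(data) < 4` guard at the top of parseTypedValue: vtI2, vtI4, vtR4 and vtError read `data[4:8]`, vtR8, vtCY and vtDate read `data[4:12]`, and vtBStr here and vtLPWStr in the `-332` hunk slice `data[8:8+size]` with a size taken from the input itself. On a truncated or crafted LNK file a short slice either panics with an index out of range or, because `data` is a sub-slice of a larger block, can read bytes that belong to the next entry without any error. `length := binary.LittleEndian.Uint32(data[4:8]) * 2` is also uint32 arithmetic, so a large count wraps and `8+length` can end up below 8, which panics. A per-case guard such as `if len(data) < 12 { return 0, nil, errors.New("invalid properties") }` before the fixed-width reads, and `if uint64(len(data)) < 8+uint64(length) { return 0, nil, errors.New("invalid properties") }` before the variable-length ones, keeps the parser failing with an error instead of a panic. The switch opens and closes outside the hunk.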
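Review bot: The new `Name` field carries the display name that parseExtraPropertyStore assigns from parseProperties, yet the struct comment still reads "property storage propery info" and nothing says that `Properties` is now ordered rather than keyed. Suggest `// Name is the resolved display name of the property (e.g. "Parsing Path"); because the store is a list it may repeat.` on the field and `// Properties lists the serialized properties in the order they appear in the block.` on the slice. Callers that looked a property up by map key need to search the slice instead, and the JSON shape turns from an object into an array, as the fixture updates show.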
From: Andrew Stucki Date: Wed, 3 Mar 2021 15:38:37 -0500 Subject: [PATCH 25/30] Add basic target parsing --- .../lnk/local.directory.seven.lnk.fingerprint | 20 ++- .../lnk/local.directory.xp.lnk.fingerprint | 20 ++- .../lnk/local.file.darwin.lnk.fingerprint | 30 ++-- .../lnk/local.file.env.lnk.fingerprint | 35 +++-- .../lnk/local.file.exec.lnk.fingerprint | 45 +++--- .../lnk/local.file.icoset.lnk.fingerprint | 45 +++--- .../lnk/local.file.seven.lnk.fingerprint | 30 ++-- .../lnk/local.file.xp.lnk.fingerprint | 20 ++- .../fixtures/lnk/local_cmd.lnk.fingerprint | 25 +-- .../lnk/local_unicode.lnk.fingerprint | 20 ++- .../fixtures/lnk/local_win31j.lnk.fingerprint | 19 ++- .../fixtures/lnk/microsoft.lnk.fingerprint | 20 ++- .../lnk/native.2008srv.01.lnk.fingerprint | 25 +-- .../lnk/native.2008srv.02.lnk.fingerprint | 5 +- .../lnk/native.2008srv.03.lnk.fingerprint | 5 +- .../lnk/native.2008srv.04.lnk.fingerprint | 7 +- .../lnk/native.2008srv.05.lnk.fingerprint | 25 +-- .../lnk/native.2008srv.06.lnk.fingerprint | 30 ++-- .../lnk/native.2008srv.07.lnk.fingerprint | 5 +- .../lnk/native.2008srv.08.lnk.fingerprint | 25 +-- .../lnk/native.2008srv.09.lnk.fingerprint | 25 +-- .../lnk/native.2008srv.10.lnk.fingerprint | 7 +- .../lnk/native.2008srv.11.lnk.fingerprint | 25 +-- .../lnk/native.2008srv.12.lnk.fingerprint | 25 +-- .../lnk/native.2008srv.13.lnk.fingerprint | 25 +-- .../lnk/native.2008srv.14.lnk.fingerprint | 7 +- .../lnk/native.2008srv.15.lnk.fingerprint | 5 +- .../lnk/native.2008srv.16.lnk.fingerprint | 5 +- .../lnk/native.2008srv.17.lnk.fingerprint | 7 +- .../lnk/native.2008srv.18.lnk.fingerprint | 5 +- .../lnk/native.2008srv.19.lnk.fingerprint | 5 +- .../lnk/native.2008srv.20.lnk.fingerprint | 20 ++- .../lnk/native.seven.01.lnk.fingerprint | 25 +-- .../lnk/native.seven.03.lnk.fingerprint | 5 +- .../lnk/native.seven.04.lnk.fingerprint | 25 +-- .../lnk/native.seven.05.lnk.fingerprint | 14 +- .../lnk/native.seven.06.lnk.fingerprint | 10 +- 
.../lnk/native.seven.08.lnk.fingerprint | 30 ++-- .../lnk/native.seven.09.lnk.fingerprint | 25 +-- .../lnk/native.seven.11.lnk.fingerprint | 10 +- .../lnk/native.seven.16.lnk.fingerprint | 7 +- .../fixtures/lnk/native.xp.01.lnk.fingerprint | 25 +-- .../fixtures/lnk/native.xp.02.lnk.fingerprint | 10 +- .../fixtures/lnk/native.xp.03.lnk.fingerprint | 25 +-- .../fixtures/lnk/native.xp.04.lnk.fingerprint | 25 +-- .../fixtures/lnk/native.xp.05.lnk.fingerprint | 25 +-- .../fixtures/lnk/native.xp.06.lnk.fingerprint | 25 +-- .../fixtures/lnk/native.xp.07.lnk.fingerprint | 20 ++- .../fixtures/lnk/native.xp.08.lnk.fingerprint | 25 +-- .../fixtures/lnk/native.xp.09.lnk.fingerprint | 25 +-- .../fixtures/lnk/native.xp.10.lnk.fingerprint | 25 +-- .../fixtures/lnk/native.xp.11.lnk.fingerprint | 25 +-- .../fixtures/lnk/native.xp.12.lnk.fingerprint | 25 +-- .../fixtures/lnk/native.xp.13.lnk.fingerprint | 25 +-- .../fixtures/lnk/native.xp.14.lnk.fingerprint | 25 +-- .../fixtures/lnk/native.xp.15.lnk.fingerprint | 19 ++- .../fixtures/lnk/native.xp.16.lnk.fingerprint | 19 ++- .../fixtures/lnk/native.xp.17.lnk.fingerprint | 25 +-- .../fixtures/lnk/native.xp.18.lnk.fingerprint | 10 +- .../fixtures/lnk/native.xp.19.lnk.fingerprint | 10 +- .../fixtures/lnk/native.xp.20.lnk.fingerprint | 51 ++++--- .../fixtures/lnk/net_unicode.lnk.fingerprint | 17 ++- .../fixtures/lnk/net_unicode2.lnk.fingerprint | 17 ++- .../fixtures/lnk/net_win31j.lnk.fingerprint | 17 ++- .../lnk/remote.directory.xp.lnk.fingerprint | 31 ++-- .../lnk/remote.file.aidlist.lnk.fingerprint | 27 ++-- .../lnk/remote.file.xp.lnk.fingerprint | 41 ++--- libbeat/formats/lnk/known_targets.go | 143 ++++++++++++++++++ libbeat/formats/lnk/lnk.go | 1 + libbeat/formats/lnk/target.go | 5 +- 70 files changed, 968 insertions(+), 563 deletions(-) create mode 100644 libbeat/formats/lnk/known_targets.go 
diff --git a/libbeat/formats/fixtures/lnk/local.directory.seven.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.directory.seven.lnk.fingerprint index 186cac0a9fea..307e5818db4c 100644 --- a/libbeat/formats/fixtures/lnk/local.directory.seven.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local.directory.seven.lnk.fingerprint @@ -21,24 +21,28 @@ }, "targets": [ { + "name": "Root folder: GUID", "size": 20, - "type_id": 80, - "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" }, { + "name": "Drive letter", "size": 25, - "type_id": 67, - "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" }, { + "name": "Directory", "size": 116, - "type_id": 0, - "sha256": "694bda772b560aa1e8db78d9d436be2c5918f098b7104b5ffe1a5e619962398f" + "type_id": 49, + "sha256": "15f08d33878f4f6c7c9b6f889a601cd4b5da4a64bd49f845a9165b2ab9adb39d" }, { + "name": "Directory", "size": 96, - "type_id": 0, - "sha256": "d95bf8611fa96a435db45248eafc5ce43064d57d69d0e1a76975fd985f22fad2" + "type_id": 49, + "sha256": "142835287f922609b47768a48c433e0179b064b5bce13036c31cfa49572add57" } ], "location": { diff --git a/libbeat/formats/fixtures/lnk/local.directory.xp.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.directory.xp.lnk.fingerprint index 18cb0c22809b..1fcc64213207 100644 --- a/libbeat/formats/fixtures/lnk/local.directory.xp.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local.directory.xp.lnk.fingerprint 
@@ -19,24 +19,28 @@ }, "targets": [ { + "name": "Root folder: GUID", "size": 20, - "type_id": 80, - "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" }, { + "name": "Drive letter", "size": 25, - "type_id": 67, - "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" }, { + "name": "Directory", "size": 60, - "type_id": 0, - "sha256": "f41f1eedb6784f72604ff611740d040d42de1e01b21b2233a36d6f4723c5630b" + "type_id": 49, + "sha256": "8c1009b9789a8cb64ad3bf77c76be523b21a8bf7d53bb013973bf81d474b4cb7" }, { + "name": "Directory", "size": 64, - "type_id": 0, - "sha256": "04ee9bc0826d6a59abdf9fdbb3d55dacf9a1347f526cd02c7cd9c1c79485b928" + "type_id": 49, + "sha256": "d5bbac054641d34880108d430b28da42e49bba744601d2850069b8ab637fd8dd" } ], "location": { diff --git a/libbeat/formats/fixtures/lnk/local.file.darwin.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.file.darwin.lnk.fingerprint index 5d1d31def174..56bf947daeb2 100644 --- a/libbeat/formats/fixtures/lnk/local.file.darwin.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local.file.darwin.lnk.fingerprint 
@@ -15,34 +15,40 @@ }, "targets": [ { + "name": "Root folder: GUID", "size": 20, - "type_id": 80, - "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" }, { + "name": "Drive letter", "size": 25, - "type_id": 67, - "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" }, { + "name": "Directory", "size": 82, - "type_id": 0, - "sha256": "03b6ada4d4a6844cfedb49a1467a2ba3f29b9311a6012fa30a74d4e0221fccd8" + "type_id": 49, + "sha256": "6628adc3d5686a8ac96b35d0ae6f91578a0146ffd15337e0a512cf9b7ef3526e" }, { + "name": "Directory", "size": 88, - "type_id": 0, - "sha256": "2968e67313cce5c74e34e9f34804e2433f69e79e67321bedf6be0c76ff64ec02" + "type_id": 49, + "sha256": "7a58b65a8a9659b9579d5a069e4f725ac263d4db5b2a310f939855551427e6f7" }, { + "name": "Directory", "size": 176, - "type_id": 0, - "sha256": "20ad53865e56b2bd5c5f5bc5e4c691c67a4e96f56fc53e8c49f1bccb69cf1221" + "type_id": 49, + "sha256": "fbfe3fc760a034ebce6f618753b1fb2bc84bbe69cedc49b5f8f664d4e979ded1" }, { + "name": "File", "size": 100, - "type_id": 0, - "sha256": "6f299cb843c8a398e2b99038e2c23d1ef42c175a7271101f5dc5e34102485147" + "type_id": 50, + "sha256": "dc034cb7d706329934d1f2a8ab36a1813879ff0cf34e6b0540059551c83a0ec8" } ], "relative_path": "..\\..\\..\\..\\..\\Windows\\Installer\\{AC76BA86-7AD7-1036-7B44-A93000000001}\\SC_Reader.ico", diff --git a/libbeat/formats/fixtures/lnk/local.file.env.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.file.env.lnk.fingerprint index e1ac1d0966f1..d019afd27ca7 100644 --- a/libbeat/formats/fixtures/lnk/local.file.env.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local.file.env.lnk.fingerprint 
@@ -22,39 +22,46 @@ }, "targets": [ { + "name": "Root folder: GUID", "size": 20, - "type_id": 80, - "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" }, { + "name": "Drive letter", "size": 25, - "type_id": 67, - "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" }, { + "name": "Directory", "size": 60, - "type_id": 0, - "sha256": "75fb49371e5d0116588d805e3ce5999a2f4e488956bfbe90289351d7c068ffda" + "type_id": 49, + "sha256": "17555a450f772b5b548a41a14ba12f6531e74034d1964e1770a1c2ae10a6cad8" }, { + "name": "Directory", "size": 64, - "type_id": 0, - "sha256": "59bcd4a36c78fc7ed3fe33324ee1b40be1b00125605251bd24efe88ca61e44d3" + "type_id": 49, + "sha256": "59c44cc9d6d8a16f3cc4ff5a3c7d0102210ec9bfb0bf0e5cd47088477aec9c94" }, { + "name": "Directory", "size": 82, - "type_id": 0, - "sha256": "3782d4d70fbe9ad335bb343246b7abc78dd1ffe379a7518b3c9867aa1005134b" + "type_id": 49, + "sha256": "48bd6e8d037f068a905dcf428936ff4d71931f013a8ae9d43dab822a5ec9a05c" }, { + "name": "Directory", "size": 52, - "type_id": 0, - "sha256": "751b73134b478a47a70374696bb7756dc71bb59afff5fb049e52c771054dd99f" + "type_id": 49, + "sha256": "f1865bfcb016766619b56925e4a7e028f48973a1e1c314552d33d7eb50da6d00" }, { + "name": "File", "size": 80, - "type_id": 0, - "sha256": "b03c004cd552c864747c87138aef2d57d6c8d22e9e7cb22f3ad537a7f75786a5" + "type_id": 50, + "sha256": "df36120f19805571a0c42758cb439726c29ed03e987ae7cbbe08a16900e6b8d1" } ], "location": { diff --git a/libbeat/formats/fixtures/lnk/local.file.exec.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.file.exec.lnk.fingerprint index ae3fbb182902..7a298adc332a 100644 --- a/libbeat/formats/fixtures/lnk/local.file.exec.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local.file.exec.lnk.fingerprint 
@@ -24,49 +24,58 @@ }, "targets": [ { + "name": "Root folder: GUID", "size": 20, - "type_id": 80, - "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" }, { + "name": "Drive letter", "size": 25, - "type_id": 68, - "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" + "type_id": 47, + "sha256": "67bcf1dbcf03183937b51fb3e0be2c1a0d12ac3b3349d39650e65dd7e7991ee9" }, { + "name": "Directory", "size": 64, - "type_id": 0, - "sha256": "af2aa63827c0a19bb40eb90e1e36d29dfebcc9615f550aedec805d0f46ec2e6d" + "type_id": 49, + "sha256": "60f07666cf8f95d45c113e5b9c05b10600ca3271fefd4f38b37a43d21df6a05d" }, { + "name": "Directory", "size": 58, - "type_id": 0, - "sha256": "60d3eafdaecb7dcf21f68c1af22052f9519419ae77ea2b4b91d187519a07047b" + "type_id": 49, + "sha256": "e2866081c76085e7ae84ec96313f54e053f3a58f1675300c38594b743783b022" }, { + "name": "Directory", "size": 64, - "type_id": 0, - "sha256": "7e199b495493900dcabae0891a57762af90e08623979852291b6d6a14b143ce4" + "type_id": 49, + "sha256": "6649788de17203194be295fe532f33645963c55cc991371ddab890ffa6b85b19" }, { + "name": "Directory", "size": 72, - "type_id": 0, - "sha256": "09e05071911f51a15ffd453abf4f1825b20909ee3aa3898aaad086d28d356791" + "type_id": 49, + "sha256": "c44fbc11152540e01bc5de14510b51f2187c3080e3cd740eb5f4dfc090fe2858" }, { + "name": "Directory", "size": 48, - "type_id": 0, - "sha256": "4b4782ce717aaf5477a3c9330f00b8c3f4a797db5c991f29e7fd40e8cb6b692a" + "type_id": 49, + "sha256": "60ac6e91f4ff666354577d111d987cbb4c934af387bb111afc1b2408e4226209" }, { + "name": "Directory", "size": 54, - "type_id": 0, - "sha256": "648e071b1e752a5588ec8953007fdd3a1ca6a003c7f34bda208a3547ce0355da" + "type_id": 49, + "sha256": "5dec5b7c3d205cc117c64ad91081575b2787d8af02d8a6944e6cd1f7f20af038" }, { + "name": "File", "size": 84, - "type_id": 0, - "sha256": 
"c787c3eabf63fe8f045a8e711bc92185318d9d15a37be8e8cc6442170320ce16" + "type_id": 50, + "sha256": "866b54e6bbf760b626d80661f219f7e296c649dc97d0f031cca82c7416161e64" } ], "location": { diff --git a/libbeat/formats/fixtures/lnk/local.file.icoset.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.file.icoset.lnk.fingerprint index 81fc603c55d0..9d484ff3dec8 100644 --- a/libbeat/formats/fixtures/lnk/local.file.icoset.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local.file.icoset.lnk.fingerprint 
@@ -21,49 +21,58 @@ }, "targets": [ { + "name": "Root folder: GUID", "size": 20, - "type_id": 80, - "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" }, { + "name": "Drive letter", "size": 25, - "type_id": 68, - "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" + "type_id": 47, + "sha256": "67bcf1dbcf03183937b51fb3e0be2c1a0d12ac3b3349d39650e65dd7e7991ee9" }, { + "name": "Directory", "size": 64, - "type_id": 0, - "sha256": "af2aa63827c0a19bb40eb90e1e36d29dfebcc9615f550aedec805d0f46ec2e6d" + "type_id": 49, + "sha256": "60f07666cf8f95d45c113e5b9c05b10600ca3271fefd4f38b37a43d21df6a05d" }, { + "name": "Directory", "size": 58, - "type_id": 0, - "sha256": "60d3eafdaecb7dcf21f68c1af22052f9519419ae77ea2b4b91d187519a07047b" + "type_id": 49, + "sha256": "e2866081c76085e7ae84ec96313f54e053f3a58f1675300c38594b743783b022" }, { + "name": "Directory", "size": 64, - "type_id": 0, - "sha256": "7e199b495493900dcabae0891a57762af90e08623979852291b6d6a14b143ce4" + "type_id": 49, + "sha256": "6649788de17203194be295fe532f33645963c55cc991371ddab890ffa6b85b19" }, { + "name": "Directory", "size": 70, - "type_id": 0, - "sha256": "3208af1501b709fe6178cbd2ead925445a94314cf9edbfcd5f1b27804322d217" + "type_id": 49, + "sha256": "22eb8c20198706753fb5cba5a39c2e1e2cf8fa2f0c4e680971b858c27467c088" }, { + "name": "Directory", "size": 48, - "type_id": 0, - "sha256": "348793e6ab253b2dbc6cf4647f1caf2a4eef634a7ebb9fb15e0ee7fbd34f51ae" + "type_id": 49, + "sha256": "76b612868ab38df0dcc1677bba83da80e9c80d577d1a37f7ec4e86bdb4340836" }, { + "name": "Directory", "size": 54, - "type_id": 0, - "sha256": "f6631a645f4f33b43f0fe4111d7de6b4baa828bf9f88981262dc9636858e3d2f" + "type_id": 49, + "sha256": "4ca94beee15dc6425e9c9ae3e3a44f269f98aa41233d8108598e4ff0a99af603" }, { + "name": "File", "size": 82, - "type_id": 0, - "sha256": 
"45b3d624bb750836cfb3c636eb3b3009043d88aea6fc57579ee709d2c91b79aa" + "type_id": 50, + "sha256": "7ffea5fd88a6cf3ba3573aaf372cb19b1f682c95734e004f131a087ee8da29f6" } ], "location": { diff --git a/libbeat/formats/fixtures/lnk/local.file.seven.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.file.seven.lnk.fingerprint index 0c8770f862c5..a0f889f06b08 100644 --- a/libbeat/formats/fixtures/lnk/local.file.seven.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local.file.seven.lnk.fingerprint @@ -22,34 +22,40 @@ }, "targets": [ { + "name": "Root folder: GUID", "size": 20, - "type_id": 80, - "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" }, { + "name": "Drive letter", "size": 25, - "type_id": 67, - "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" }, { + "name": "Directory", "size": 116, - "type_id": 0, - "sha256": "694bda772b560aa1e8db78d9d436be2c5918f098b7104b5ffe1a5e619962398f" + "type_id": 49, + "sha256": "15f08d33878f4f6c7c9b6f889a601cd4b5da4a64bd49f845a9165b2ab9adb39d" }, { + "name": "Directory", "size": 74, - "type_id": 0, - "sha256": "6f130cb5a33a554a10e16efc399472fa6ee40de4330712ba3d437cc07dab4b57" + "type_id": 49, + "sha256": "153accb5ef74a60a314aff5e316f9727adfc526cab3f7f48797975fb13c964ae" }, { + "name": "Directory", "size": 122, - "type_id": 0, - "sha256": "5f5ae18c3c0ff67b459a0e8d532587a6e09ef7f69c3f74ae80344ea49d29dbd1" + "type_id": 49, + "sha256": "dc23b8936e1d2aa9f6e441e7d6cdfcc5aa8aca9560ff743a3a5c9f3bce02f6cf" }, { + "name": "File", "size": 98, - "type_id": 0, - "sha256": "b4f1ac18eb87007ff1c35192f8b4185035735485bca35359444ecf2685f98363" + "type_id": 50, + "sha256": "2c742382accd87fc7f9adcab1008b50091d347d1edad1a128ef0e9bc7f3ed7ae" } ], "location": { 
diff --git a/libbeat/formats/fixtures/lnk/local.file.xp.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.file.xp.lnk.fingerprint index 8a41826986ae..a360b2418c04 100644 --- a/libbeat/formats/fixtures/lnk/local.file.xp.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local.file.xp.lnk.fingerprint @@ -20,24 +20,28 @@ }, "targets": [ { + "name": "Root folder: GUID", "size": 20, - "type_id": 80, - "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" }, { + "name": "Drive letter", "size": 25, - "type_id": 67, - "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" }, { + "name": "Directory", "size": 60, - "type_id": 0, - "sha256": "f41f1eedb6784f72604ff611740d040d42de1e01b21b2233a36d6f4723c5630b" + "type_id": 49, + "sha256": "8c1009b9789a8cb64ad3bf77c76be523b21a8bf7d53bb013973bf81d474b4cb7" }, { + "name": "File", "size": 72, - "type_id": 0, - "sha256": "625f645fd0d89a18f36657647acdbc6ff594867dc5b42ae436360e97430a80ec" + "type_id": 50, + "sha256": "a4ffe239bd06d5f0a41f154758a2386925f5b1d5f51b3c4a5b1ba421be663188" } ], "location": { diff --git a/libbeat/formats/fixtures/lnk/local_cmd.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local_cmd.lnk.fingerprint index cbf00912b340..8c708aeb1295 100644 --- a/libbeat/formats/fixtures/lnk/local_cmd.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local_cmd.lnk.fingerprint 
@@ -24,29 +24,34 @@ }, "targets": [ { + "name": "Root folder: GUID", "size": 20, - "type_id": 80, - "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" }, { + "name": "Drive letter", "size": 25, - "type_id": 67, - "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" }, { + "name": "Directory", "size": 86, - "type_id": 0, - "sha256": "4c4d0c2148e23276d0f4f742bbba4a8e3e1b318795a2d7d4b5cd80791781b93a" + "type_id": 49, + "sha256": "3e55b101ccd41e57101a81b240cb57553c8f37a404c48c2a04b6a9af7211cb74" }, { + "name": "Directory", "size": 90, - "type_id": 0, - "sha256": "99b17e4be73b9f9a34d149f6dfead6f71abde0b38183c5c0062fd1b5fe5ccf94" + "type_id": 49, + "sha256": "68d128c6058227a91f23f4e2ddce18205f60e05e8f7e8c974b7f849e70203f71" }, { + "name": "File", "size": 114, - "type_id": 0, - "sha256": "1b51868f7cf57860ce02d0f22729b8ab9e232b0e566256cf349b897bf83aa718" + "type_id": 50, + "sha256": "ea4edd38f35d777cce7bacfc79f5d48566baa33f4610614aebaa2a9ba6ad4547" } ], "location": { diff --git a/libbeat/formats/fixtures/lnk/local_unicode.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local_unicode.lnk.fingerprint index 0474b92469ee..cbba588cde48 100644 --- a/libbeat/formats/fixtures/lnk/local_unicode.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local_unicode.lnk.fingerprint 
@@ -21,24 +21,28 @@ }, "targets": [ { + "name": "Root folder: GUID", "size": 20, - "type_id": 80, - "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" }, { + "name": "Drive letter", "size": 25, - "type_id": 67, - "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" }, { + "name": "Directory", "size": 78, - "type_id": 0, - "sha256": "a154c245be75662c7e902023315c2e1213a17a623645d87096cf888760b290d0" + "type_id": 49, + "sha256": "c7d8fb0f772edeafd3493f815c856a08ce48db8e39bb7633bd8377b33f1dc739" }, { + "name": "File", "size": 88, - "type_id": 0, - "sha256": "f87251a348e83e143d759541bd3cd4dce270b6cfaefee702c54aa29b0b2dd5ad" + "type_id": 50, + "sha256": "c1f6c25dbd064b168c812f6dfb28c9e84bd4fbbdc43e3225b1b7066de3841c65" } ], "location": { diff --git a/libbeat/formats/fixtures/lnk/local_win31j.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local_win31j.lnk.fingerprint index e36ea1c549b9..c686110dce31 100644 --- a/libbeat/formats/fixtures/lnk/local_win31j.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local_win31j.lnk.fingerprint 
@@ -24,24 +24,27 @@ }, "targets": [ { + "name": "Root folder: GUID", "size": 20, - "type_id": 80, - "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" }, { + "name": "Drive letter", "size": 25, - "type_id": 67, - "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" }, { + "name": "Directory", "size": 78, - "type_id": 0, - "sha256": "931c046b62479296dfc72fc30b862c0eec0e3c215619366629a6710408584fb3" + "type_id": 49, + "sha256": "a7691842c2beffb97ba901387165f8ac32cf7f8856ea1f79507949153e4ed35e" }, { "size": 98, - "type_id": 0, - "sha256": "f52818a36aca20ddbad0a86a50838e2d629046074b02fd8369a25cb009c6087a" + "type_id": 54, + "sha256": "83cadfd78fc69dabcc842b324a64f35ef66f718f89a64fd0a9db1cbec935357d" } ], "location": { diff --git a/libbeat/formats/fixtures/lnk/microsoft.lnk.fingerprint b/libbeat/formats/fixtures/lnk/microsoft.lnk.fingerprint index 9f313883930d..797ba511c61c 100644 --- a/libbeat/formats/fixtures/lnk/microsoft.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/microsoft.lnk.fingerprint 
@@ -20,24 +20,28 @@ }, "targets": [ { + "name": "Root folder: GUID", "size": 20, - "type_id": 80, - "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" }, { + "name": "Drive letter", "size": 25, - "type_id": 67, - "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" }, { + "name": "Directory", "size": 70, - "type_id": 0, - "sha256": "1c65aad4c1ca4ef42a6531aaa29a4b528040a6d87d576a1afbaa02c7a6be82db" + "type_id": 49, + "sha256": "c02d6aedc5f2218379c281485addd05d2b4c3183126249cdb8d6bd60830ce56a" }, { + "name": "File", "size": 72, - "type_id": 0, - "sha256": "631f8dc975154983492d18f1712ff973b8425f3dcd2c9d079ed527bed6c9eee1" + "type_id": 50, + "sha256": "baf8f9079dd6dd2bb7bb5a9af973db124953df9783537e565664d02dbd31c2f1" } ], "location": { diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.01.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.01.lnk.fingerprint index f9e10ae1a287..151d3f215349 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.01.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.01.lnk.fingerprint 
@@ -22,29 +22,34 @@ }, "targets": [ { + "name": "Root folder: GUID", "size": 20, - "type_id": 80, - "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" }, { + "name": "Drive letter", "size": 25, - "type_id": 68, - "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" + "type_id": 47, + "sha256": "67bcf1dbcf03183937b51fb3e0be2c1a0d12ac3b3349d39650e65dd7e7991ee9" }, { + "name": "Directory", "size": 78, - "type_id": 0, - "sha256": "ffd0f85e19747c2bff4141e1e95b3f75928a6ca4a5c2aa143ba3ac6bf45a9189" + "type_id": 49, + "sha256": "445e47a77dbe4cec458a99963f5b6fd0d0b2837972b3dd74491d803a77ab4864" }, { + "name": "Directory", "size": 82, - "type_id": 0, - "sha256": "b580caeeb15f5ca1a896023cfb9db496f369a4153ae21c1364304bcdda351fe6" + "type_id": 49, + "sha256": "39e5c6b17525d42ccd4e02ac74fbf5bc7c66733d56f4446611e5eb54abc048f9" }, { + "name": "File", "size": 78, - "type_id": 0, - "sha256": "beb5ad6f99c69a36573c346a64a0c76cf1a73660bffbb95fac0b06efe53079cf" + "type_id": 50, + "sha256": "6becf139d62015eead2ae71382dd74a5500b381c3d8d1eb9a623d22e402d1b0c" } ], "name": "@%windir%\\system32\\shell32.dll,-22534", diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.02.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.02.lnk.fingerprint index d5aba7636e8d..26c93c8a0030 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.02.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.02.lnk.fingerprint @@ -13,9 +13,10 @@ }, "targets": [ { + "name": "Root folder: GUID", "size": 20, - "type_id": 80, - "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" } ], "name": "@%windir%\\explorer.exe,-304", 
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.03.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.03.lnk.fingerprint index c17477a62b5b..8c56fe76f500 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.03.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.03.lnk.fingerprint @@ -13,9 +13,10 @@ }, "targets": [ { + "name": "Users property view", "size": 20, - "type_id": 128, - "sha256": "fe665801103b090a9f447cb365a4acb589b5e2aed6473da23290967de2fcbbf9" + "type_id": 31, + "sha256": "b88204e884efad7cc3a304a1eb4f91b38824b9fb23d8c042484368296447a512" } ], "name": "@%windir%\\explorer.exe,-307", diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.04.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.04.lnk.fingerprint index 47aee5f48b83..9595e668b044 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.04.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.04.lnk.fingerprint @@ -20,14 +20,15 @@ }, "targets": [ { + "name": "Users property view", "size": 20, - "type_id": 68, - "sha256": "9193c3d2d24cd3be01e287b81dc4373db0e51b5167c48799ed0ff396bd4d42a2" + "type_id": 31, + "sha256": "fdc480a4bb8842fd0a3f686a5d8738d66c525442be3e08414a78a1216ceac8e0" }, { "size": 32, "type_id": 0, - "sha256": "ad0ad2454b2255ece9e4624c170ead63718269e0bd0c73db424ea6e556ed4b76" + "sha256": "6e6f7fd0a77efb40d35dc65df6a9db45b48d043d84d3e9e0881e2e6c8cf210f8" } ], "relative_path": "..\\Documents", diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.05.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.05.lnk.fingerprint index b6c9d2cfe5b1..00bfe788cb3d 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.05.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.05.lnk.fingerprint 
@@ -22,29 +22,34 @@ }, "targets": [ { + "name": "Root folder: GUID", "size": 20, - "type_id": 80, - "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" }, { + "name": "Drive letter", "size": 25, - "type_id": 68, - "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" + "type_id": 47, + "sha256": "67bcf1dbcf03183937b51fb3e0be2c1a0d12ac3b3349d39650e65dd7e7991ee9" }, { + "name": "Directory", "size": 78, - "type_id": 0, - "sha256": "fece27f82c45bb2da91e051a5eef11d40b38ab0a8763b1d10e140c9c92de7465" + "type_id": 49, + "sha256": "64f014858e5dfac5b2aa3e1e3472842ba6afa6a99b6d831e5a30f2cb42adb3e1" }, { + "name": "Directory", "size": 82, - "type_id": 0, - "sha256": "b580caeeb15f5ca1a896023cfb9db496f369a4153ae21c1364304bcdda351fe6" + "type_id": 49, + "sha256": "39e5c6b17525d42ccd4e02ac74fbf5bc7c66733d56f4446611e5eb54abc048f9" }, { + "name": "File", "size": 90, - "type_id": 0, - "sha256": "0b31690e53d5e14c12bc8b900fc5746cfd64a640461d13e3d22e4ad06d31e520" + "type_id": 50, + "sha256": "26a9b3fc6ec08617a3569614d28b83e4d10daed34fbb197382f2f20483f6cc24" } ], "name": "@%windir%\\system32\\accessibilityCpl.dll,-45", diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.06.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.06.lnk.fingerprint index d8112975699b..b94ce8f36aba 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.06.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.06.lnk.fingerprint 
@@ -22,34 +22,40 @@ }, "targets": [ { + "name": "Root folder: GUID", "size": 20, - "type_id": 80, - "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" }, { + "name": "Drive letter", "size": 25, - "type_id": 67, - "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" }, { + "name": "Directory", "size": 132, - "type_id": 0, - "sha256": "46463e8662fedf13e7875f980e95b1323c9d5a29f95761ea11e90e13cb1c1b71" + "type_id": 49, + "sha256": "adf51df4bd648fb2b18fb07a5cf4b90094e7c6e7b2d43b67e344fffea33001a1" }, { + "name": "Directory", "size": 64, - "type_id": 0, - "sha256": "050ac3a59f27a3c0128267289bc2d97fc0c556c767e64440ec5fc14b3bf82898" + "type_id": 49, + "sha256": "d1277da4e5ae5831f07dc4900b1f2c20bebab925ed107e32f2dc20d5930c32a6" }, { + "name": "Directory", "size": 96, - "type_id": 0, - "sha256": "ced8e13e8a3e6becfa46c36ddb8093dd290dcef2ef92a819cfd1a5212fae19a6" + "type_id": 49, + "sha256": "c393ada649af95abad997ca3c0269a061486e79be9fec25380083fc3b9a541a1" }, { + "name": "File", "size": 100, - "type_id": 0, - "sha256": "49da630304583e350c863d917055477edc006d5c5d5b41cd1932a1c351838e1a" + "type_id": 50, + "sha256": "3b88d21502d4e4ae7aefd7ebdfce459648578037c2814b14298a253c23f6ebd5" } ], "name": "Gestionnaire CA ARCserve Backup", diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.07.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.07.lnk.fingerprint index f09eea571440..a9f0d8680e4c 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.07.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.07.lnk.fingerprint 
@@ -13,9 +13,10 @@ }, "targets": [ { + "name": "Root folder: GUID", "size": 20, - "type_id": 128, - "sha256": "16d0e14f639e9764cece0da2d07db14c9bd498fa3bc66fd559ac00d26d24cc2c" + "type_id": 31, + "sha256": "8db1287718d91d57c60da1c79fbc3067e006a4f0be2f88b4f551c8d7120514a5" } ], "name": "@%windir%\\explorer.exe,-7001", diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.08.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.08.lnk.fingerprint index 5554ea96dc41..dd902ea28ac8 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.08.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.08.lnk.fingerprint @@ -21,29 +21,34 @@ }, "targets": [ { + "name": "Root folder: GUID", "size": 20, - "type_id": 80, - "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" }, { + "name": "Drive letter", "size": 25, - "type_id": 67, - "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" }, { + "name": "Directory", "size": 132, - "type_id": 0, - "sha256": "46463e8662fedf13e7875f980e95b1323c9d5a29f95761ea11e90e13cb1c1b71" + "type_id": 49, + "sha256": "adf51df4bd648fb2b18fb07a5cf4b90094e7c6e7b2d43b67e344fffea33001a1" }, { + "name": "Directory", "size": 100, - "type_id": 0, - "sha256": "d08e5c93e6953dd7352b577645b8e8bb820e60a162b89f9b02c5a5cb3329f04b" + "type_id": 49, + "sha256": "685477904216903ee533c0252a6a366a0cdd435dc36db81ca4d07c284286ff9e" }, { + "name": "File", "size": 94, - "type_id": 0, - "sha256": "2aadd8d53e7463686a436c806960bd61778d0048f6c535ecb9a90a95b7da74ae" + "type_id": 50, + "sha256": "3a35c60aa0f6a856fe3805cae26b398fc6ec9bd456bba30fc38c3004769eda4b" } ], "name": "@\"%windir%\\System32\\ie4uinit.exe\",-738", 
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.09.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.09.lnk.fingerprint index 31e6ae3ae1be..40d469006114 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.09.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.09.lnk.fingerprint @@ -20,29 +20,34 @@ }, "targets": [ { + "name": "Root folder: GUID", "size": 20, - "type_id": 80, - "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" }, { + "name": "Drive letter", "size": 25, - "type_id": 67, - "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" }, { + "name": "Directory", "size": 132, - "type_id": 0, - "sha256": "46463e8662fedf13e7875f980e95b1323c9d5a29f95761ea11e90e13cb1c1b71" + "type_id": 49, + "sha256": "adf51df4bd648fb2b18fb07a5cf4b90094e7c6e7b2d43b67e344fffea33001a1" }, { + "name": "Directory", "size": 100, - "type_id": 0, - "sha256": "d08e5c93e6953dd7352b577645b8e8bb820e60a162b89f9b02c5a5cb3329f04b" + "type_id": 49, + "sha256": "685477904216903ee533c0252a6a366a0cdd435dc36db81ca4d07c284286ff9e" }, { + "name": "File", "size": 94, - "type_id": 0, - "sha256": "2aadd8d53e7463686a436c806960bd61778d0048f6c535ecb9a90a95b7da74ae" + "type_id": 50, + "sha256": "3a35c60aa0f6a856fe3805cae26b398fc6ec9bd456bba30fc38c3004769eda4b" } ], "name": "@\"%windir%\\System32\\ie4uinit.exe\",-732", diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.10.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.10.lnk.fingerprint index e0bb411be560..fc89f9d5f516 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.10.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.10.lnk.fingerprint 
@@ -19,14 +19,15 @@ }, "targets": [ { + "name": "Users property view", "size": 20, - "type_id": 68, - "sha256": "9193c3d2d24cd3be01e287b81dc4373db0e51b5167c48799ed0ff396bd4d42a2" + "type_id": 31, + "sha256": "fdc480a4bb8842fd0a3f686a5d8738d66c525442be3e08414a78a1216ceac8e0" }, { "size": 32, "type_id": 0, - "sha256": "a937e7b511b1a11289f065360e4175ea46b7fca384533c53a811c8ef0d4aa884" + "sha256": "685e1e10e74af0266c9e14af0bdcaca225c4ea0299a91fe6cb1d5722650fbe13" } ], "relative_path": "..\\Music", diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.11.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.11.lnk.fingerprint index d69ea75ecc87..01f25a366548 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.11.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.11.lnk.fingerprint 
@@ -21,29 +21,34 @@ }, "targets": [ { + "name": "Root folder: GUID", "size": 20, - "type_id": 80, - "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" }, { + "name": "Drive letter", "size": 25, - "type_id": 68, - "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" + "type_id": 47, + "sha256": "67bcf1dbcf03183937b51fb3e0be2c1a0d12ac3b3349d39650e65dd7e7991ee9" }, { + "name": "Directory", "size": 78, - "type_id": 0, - "sha256": "fece27f82c45bb2da91e051a5eef11d40b38ab0a8763b1d10e140c9c92de7465" + "type_id": 49, + "sha256": "64f014858e5dfac5b2aa3e1e3472842ba6afa6a99b6d831e5a30f2cb42adb3e1" }, { + "name": "Directory", "size": 82, - "type_id": 0, - "sha256": "b580caeeb15f5ca1a896023cfb9db496f369a4153ae21c1364304bcdda351fe6" + "type_id": 49, + "sha256": "39e5c6b17525d42ccd4e02ac74fbf5bc7c66733d56f4446611e5eb54abc048f9" }, { + "name": "File", "size": 94, - "type_id": 0, - "sha256": "f4951a33ecf276bad83040de196791ed4c980ede7f272fabcce11723570b5b6e" + "type_id": 50, + "sha256": "5f3bbf55754acb6bb75910d672f3fe7ed0ad4976da30b3c226e2290df49c9020" } ], "name": "@%windir%\\system32\\shell32.dll,-22560", diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.12.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.12.lnk.fingerprint index 43ac0bf22a39..637b52f4c7a7 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.12.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.12.lnk.fingerprint 
@@ -23,29 +23,34 @@ }, "targets": [ { + "name": "Root folder: GUID", "size": 20, - "type_id": 80, - "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" }, { + "name": "Drive letter", "size": 25, - "type_id": 68, - "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" + "type_id": 47, + "sha256": "67bcf1dbcf03183937b51fb3e0be2c1a0d12ac3b3349d39650e65dd7e7991ee9" }, { + "name": "Directory", "size": 78, - "type_id": 0, - "sha256": "ffd0f85e19747c2bff4141e1e95b3f75928a6ca4a5c2aa143ba3ac6bf45a9189" + "type_id": 49, + "sha256": "445e47a77dbe4cec458a99963f5b6fd0d0b2837972b3dd74491d803a77ab4864" }, { + "name": "Directory", "size": 82, - "type_id": 0, - "sha256": "b580caeeb15f5ca1a896023cfb9db496f369a4153ae21c1364304bcdda351fe6" + "type_id": 49, + "sha256": "39e5c6b17525d42ccd4e02ac74fbf5bc7c66733d56f4446611e5eb54abc048f9" }, { + "name": "File", "size": 90, - "type_id": 0, - "sha256": "f03efa059ed9d8a90809826fe09df1ff94b1a4e7d376efa89742e74f86bda53a" + "type_id": 50, + "sha256": "4140b49bc395ac5f137b7e959bc99afa9893a569ee3c00dea8ecbf3b300bda85" } ], "name": "@%SystemRoot%\\system32\\Shell32.dll,-22563", diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.13.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.13.lnk.fingerprint index 4a038d401b7e..474144cf36f3 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.13.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.13.lnk.fingerprint 
@@ -21,29 +21,34 @@ }, "targets": [ { + "name": "Root folder: GUID", "size": 20, - "type_id": 80, - "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" }, { + "name": "Drive letter", "size": 25, - "type_id": 68, - "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" + "type_id": 47, + "sha256": "67bcf1dbcf03183937b51fb3e0be2c1a0d12ac3b3349d39650e65dd7e7991ee9" }, { + "name": "Directory", "size": 78, - "type_id": 0, - "sha256": "fece27f82c45bb2da91e051a5eef11d40b38ab0a8763b1d10e140c9c92de7465" + "type_id": 49, + "sha256": "64f014858e5dfac5b2aa3e1e3472842ba6afa6a99b6d831e5a30f2cb42adb3e1" }, { + "name": "Directory", "size": 82, - "type_id": 0, - "sha256": "b580caeeb15f5ca1a896023cfb9db496f369a4153ae21c1364304bcdda351fe6" + "type_id": 49, + "sha256": "39e5c6b17525d42ccd4e02ac74fbf5bc7c66733d56f4446611e5eb54abc048f9" }, { + "name": "File", "size": 78, - "type_id": 0, - "sha256": "35b83166179ee8bc57ed1d34e1d4d0774363c6defe6bf3af7d9528eb4f285ae7" + "type_id": 50, + "sha256": "c1230826c72434c115d9ed0d60c35ffdcf7e22d40fa20e3547e5ad594763b6ca" } ], "name": "@%SystemRoot%\\system32\\shell32.dll,-22564", diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.14.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.14.lnk.fingerprint index dcb90fbde246..4511b13014c6 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.14.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.14.lnk.fingerprint 
@@ -19,14 +19,15 @@ }, "targets": [ { + "name": "Users property view", "size": 20, - "type_id": 68, - "sha256": "9193c3d2d24cd3be01e287b81dc4373db0e51b5167c48799ed0ff396bd4d42a2" + "type_id": 31, + "sha256": "fdc480a4bb8842fd0a3f686a5d8738d66c525442be3e08414a78a1216ceac8e0" }, { "size": 32, "type_id": 0, - "sha256": "fc79a99570cb829bdfe1fc9d98d34509af46e4f1b9db55604bd2be872355ca89" + "sha256": "30f371e0d6a76863f215c88287df45271f5e17b8109f629e8387680d1a6c2466" } ], "relative_path": "..\\Pictures", diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.15.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.15.lnk.fingerprint index 5a313ef535af..4060a5600146 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.15.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.15.lnk.fingerprint @@ -20,9 +20,10 @@ }, "targets": [ { + "name": "Users property view", "size": 20, - "type_id": 76, - "sha256": "82fe82afa3005892e74781cbae9bc9ecf682ea56ce765f650d6d402aa2cc7253" + "type_id": 31, + "sha256": "980319fa30c13a88eadfd58c70287f37f62f47a3cbae58d4523148e8d0e870b9" } ], "relative_path": "..\\..\\Public", diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.16.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.16.lnk.fingerprint index d6eea756548d..2530560d3580 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.16.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.16.lnk.fingerprint @@ -13,9 +13,10 @@ }, "targets": [ { + "name": "Root folder: GUID", "size": 20, - "type_id": 128, - "sha256": "0b5f1863267db7942c94a25ae7eab7b40020a5c8a1f46138490d77f88310203a" + "type_id": 31, + "sha256": "532430ce84b6c846622da10af300d777c81c555a3c0cebdf2a6a17ff2e6aa885" } ], "name": "@%windir%\\explorer.exe,-7003", diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.17.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.17.lnk.fingerprint index 0e1fd22cbcf3..cf15e47c67e2 100644 
--- a/libbeat/formats/fixtures/lnk/native.2008srv.17.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.17.lnk.fingerprint @@ -20,14 +20,15 @@ }, "targets": [ { + "name": "Users property view", "size": 20, - "type_id": 68, - "sha256": "9193c3d2d24cd3be01e287b81dc4373db0e51b5167c48799ed0ff396bd4d42a2" + "type_id": 31, + "sha256": "fdc480a4bb8842fd0a3f686a5d8738d66c525442be3e08414a78a1216ceac8e0" }, { "size": 32, "type_id": 0, - "sha256": "4231fd1104c96daf3bbe8a2bff7b105845c84c63b69a8c8872dcf6e644c55295" + "sha256": "91da9f1c8377c19ae3dcb208ccecda47a6a01643001408f757793ddfd87d068a" } ], "relative_path": "..\\Searches", diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.18.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.18.lnk.fingerprint index 24f7f3a60e3d..2f7a2e249b45 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.18.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.18.lnk.fingerprint @@ -13,9 +13,10 @@ }, "targets": [ { + "name": "Users property view", "size": 20, - "type_id": 128, - "sha256": "5adf040358900b7b886aebf682ef8ebefb25dcfc2b4f4cd7fb076bfc2317cbe3" + "type_id": 31, + "sha256": "08f7df35a94d580703a76f2c82de60e7d7d45ce9a6640f8df2b1ef5271b33cba" } ], "name": "@%SystemRoot%\\system32\\shell32.dll,-10114", diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.19.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.19.lnk.fingerprint index a43af5bab21c..6a9eac3e4966 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.19.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.19.lnk.fingerprint @@ -13,9 +13,10 @@ }, "targets": [ { + "name": "Users property view", "size": 20, - "type_id": 128, - "sha256": "25852b2a04726dbaed894c66d51d93ffdbcafbb4157cb9948bddd89879fa46d9" + "type_id": 31, + "sha256": "ff8bf60a7527cf54c4f53476c417841e5b5bf25480eee7f276ebcb58864ace0f" } ], "name": "@%SystemRoot%\\system32\\shell32.dll,-10113", 
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.20.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.20.lnk.fingerprint index eef7ab1a2a4e..24cb1411f523 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.20.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.20.lnk.fingerprint @@ -21,24 +21,28 @@ }, "targets": [ { + "name": "Root folder: GUID", "size": 20, - "type_id": 80, - "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" }, { + "name": "Drive letter", "size": 25, - "type_id": 68, - "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" + "type_id": 47, + "sha256": "67bcf1dbcf03183937b51fb3e0be2c1a0d12ac3b3349d39650e65dd7e7991ee9" }, { + "name": "Directory", "size": 78, - "type_id": 0, - "sha256": "d388526f94e64db09ca8ad1e27366bdd87e94d1909273a6cd0aa3328bdd9ad30" + "type_id": 49, + "sha256": "9136014a2f33dd37fd52591b7f69dd411f807398b3154677b2aadf9d6568f3d7" }, { + "name": "File", "size": 94, - "type_id": 0, - "sha256": "a925d96d0dc0fa9a669f6796f5ddc972e09bfbeca048f69435d791be383fd764" + "type_id": 50, + "sha256": "d536a3e92540146875923c64bf2f48a787cc9ac78c44790e8caf68f6f6b53ac6" } ], "name": "@%SystemRoot%\\system32\\Shell32.dll,-22579", diff --git a/libbeat/formats/fixtures/lnk/native.seven.01.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.01.lnk.fingerprint index 0d4cb55484e9..33d3179f5059 100644 --- a/libbeat/formats/fixtures/lnk/native.seven.01.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.seven.01.lnk.fingerprint 
@@ -20,29 +20,34 @@ }, "targets": [ { + "name": "Root folder: GUID", "size": 20, - "type_id": 80, - "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" }, { + "name": "Drive letter", "size": 25, - "type_id": 67, - "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" }, { + "name": "Directory", "size": 136, - "type_id": 0, - "sha256": "be0bfdb8a1e17d06c03f1d309c8d201d670db88d3c2f898f7ee7ffc1a5bbf070" + "type_id": 49, + "sha256": "e17a03b6cc4c5bbd9ef14d82b68bad88f6ba23768edc2795b8b6eeda30940e9a" }, { + "name": "Directory", "size": 82, - "type_id": 0, - "sha256": "526ba298e7e1cf4fd68e20af01f2d623860d2fa75c5abdfc8b9a5ff332471fa5" + "type_id": 49, + "sha256": "44ba2a20c07abbee954952c9258aecefcc543645322dee50b37e88f7c281a99e" }, { + "name": "File", "size": 94, - "type_id": 0, - "sha256": "4972a1d1f32b875a121605f0d353db21abe693756ca03a447ca6703a6e933791" + "type_id": 50, + "sha256": "00bb61a6c63eb6e409c9836fbea931aed5c815083aef0e28eb1b321c33ed7137" } ], "location": { diff --git a/libbeat/formats/fixtures/lnk/native.seven.03.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.03.lnk.fingerprint index 6aab953eb0c5..d8ba0d1ae9cb 100644 --- a/libbeat/formats/fixtures/lnk/native.seven.03.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.seven.03.lnk.fingerprint @@ -12,9 +12,10 @@ }, "targets": [ { + "name": "Users property view", "size": 20, - "type_id": 128, - "sha256": "39dfe126408d76807afbd0057b9f4d96911391dfea30b2bbd12dd19e359b616e" + "type_id": 31, + "sha256": "1a017498e9f75896a4d55428cdb9fa94199bf05042949f90adaf0b15540f62dc" } ], "extra": { diff --git a/libbeat/formats/fixtures/lnk/native.seven.04.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.04.lnk.fingerprint index 6596866296c4..2dd98c707da5 100644 
--- a/libbeat/formats/fixtures/lnk/native.seven.04.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.seven.04.lnk.fingerprint @@ -20,29 +20,34 @@ }, "targets": [ { + "name": "Root folder: GUID", "size": 20, - "type_id": 80, - "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee" + "type_id": 31, + "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" }, { + "name": "Drive letter", "size": 25, - "type_id": 67, - "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e" + "type_id": 47, + "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca" }, { + "name": "Directory", "size": 136, - "type_id": 0, - "sha256": "840a0411d530cd09b5792384fc7ed5e04f93fe1c71ed24d65cd0182e64fd31a1" + "type_id": 49, + "sha256": "ec06dc548e0c3aa8b9969070bff6b9f0db3906d424329a630950b1d67f1f292c" }, { + "name": "Directory", "size": 82, - "type_id": 0, - "sha256": "c09ce9a158eab2f04757007a4235bf293c1fe0c398738797318b07b4acac3bc7" + "type_id": 49, + "sha256": "1a1a0e0f935bcd37eb429d1d194d15f815d14690fc4d3d80957ab55b885290e0" }, { + "name": "File", "size": 94, - "type_id": 0, - "sha256": "233c0e52e887e2c64a9e46fd3ed6607e6555a4b9e2f521928d25990ee18f9510" + "type_id": 50, + "sha256": "fcaedf0364307388aa077b217f7800403a7cc4c67125d301fb7f5d18d80a4d1b" } ], "location": { diff --git a/libbeat/formats/fixtures/lnk/native.seven.05.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.05.lnk.fingerprint index d47cfbf4bdd6..899d49e94233 100644 --- a/libbeat/formats/fixtures/lnk/native.seven.05.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.seven.05.lnk.fingerprint 
@@ -12,19 +12,21 @@ }, "targets": [ { + "name": "Users property view", "size": 20, - "type_id": 112, - "sha256": "4f2ef7c750b2e077b92d59dcecca8414e25706ebfe12e01016750e9af9574410" + "type_id": 31, + "sha256": "f60454d9b322749cf4092847b9e81572fa4f9aa4df272c462866ef55c0b46657" }, { + "name": "Control Panel Category", "size": 12, - "type_id": 0, - "sha256": "ba3853104050fa0a1b1c6902ab5f00d91143d95955927624727ae16547273a82" + "type_id": 1, + "sha256": "4a6262d4f1d9b6d3342ca0d20934f6e2e39f28314313e7dd0b1751c8558e884d" }, { "size": 30, - "type_id": 128, - "sha256": "7f57d0f9f1a4cba5e9db241ecfa85a0fd9e4b5819d95870da37dc7b7210e81e5" + "type_id": 113, + "sha256": "15078e6b9eb879d2c4cbc741a2fbc512212eeec68e656892fae4dd6ab26c6ebb" } ], "extra": { diff --git a/libbeat/formats/fixtures/lnk/native.seven.06.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.06.lnk.fingerprint index 7d2efe855b61..a68a2aec1e8f 100644 --- a/libbeat/formats/fixtures/lnk/native.seven.06.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.seven.06.lnk.fingerprint @@ -12,14 +12,16 @@ }, "targets": [ { + "name": "Users property view", "size": 20, - "type_id": 112, - "sha256": "4f2ef7c750b2e077b92d59dcecca8414e25706ebfe12e01016750e9af9574410" + "type_id": 31, + "sha256": "f60454d9b322749cf4092847b9e81572fa4f9aa4df272c462866ef55c0b46657" }, { + "name": "Control Panel Category", "size": 12, - "type_id": 0, - "sha256": "ba3853104050fa0a1b1c6902ab5f00d91143d95955927624727ae16547273a82" + "type_id": 1, + "sha256": "4a6262d4f1d9b6d3342ca0d20934f6e2e39f28314313e7dd0b1751c8558e884d" } ], "extra": { diff --git a/libbeat/formats/fixtures/lnk/native.seven.08.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.08.lnk.fingerprint index fb9768d08cd3..1eb71bb3c270 100644 --- a/libbeat/formats/fixtures/lnk/native.seven.08.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.seven.08.lnk.fingerprint 
@@ -16,34 +16,40 @@
 },
 "targets": [
 {
+ "name": "Root folder: GUID",
 "size": 20,
- "type_id": 80,
- "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee"
+ "type_id": 31,
+ "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b"
 },
 {
+ "name": "Drive letter",
 "size": 25,
- "type_id": 67,
- "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e"
+ "type_id": 47,
+ "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca"
 },
 {
+ "name": "Directory",
 "size": 82,
- "type_id": 0,
- "sha256": "adb0bd79a80a54398d17e2ccdab84c03e2231e531e7ab5e2f9dbb30568b12a5b"
+ "type_id": 49,
+ "sha256": "e71acd89cfd4ea2d98b3c7eaf8c0853f0a7e5238fbea43079435761c8187ba7d"
 },
 {
+ "name": "Directory",
 "size": 88,
- "type_id": 0,
- "sha256": "1e58de9fc1d34050c497b08eaf7fcd03df9aa8d7b34aac88736e6189502c1121"
+ "type_id": 49,
+ "sha256": "e63a11251663101f0df4b22e128d76fc9648e08756d0892252d544fdc8421230"
 },
 {
+ "name": "Directory",
 "size": 176,
- "type_id": 0,
- "sha256": "ff90de58070d4797d0e32a5349466c9a385cd908aaf70bee4d3c613847adf13a"
+ "type_id": 49,
+ "sha256": "120f192356058a8d750dd88ee8a164fa42721ae46c8499734e5b9709799c6c1c"
 },
 {
+ "name": "File",
 "size": 94,
- "type_id": 0,
- "sha256": "cc81ce35eb86e8c41d89c988c14966f9f500594e9e4d51ff68e2e65fe0e427e2"
+ "type_id": 50,
+ "sha256": "7f7400e003233182197171579cf7fcb58b516102981c38728480cd62b217d4b2"
 }
 ],
 "name": "Importez et organisez des photos, des images clip art, des fichiers sons et animation à l'aide de la Bibliothèque multimédia Microsoft.",
diff --git a/libbeat/formats/fixtures/lnk/native.seven.09.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.09.lnk.fingerprint
index b4d77fc455de..0e652d924bba 100644
--- a/libbeat/formats/fixtures/lnk/native.seven.09.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.seven.09.lnk.fingerprint
@@ -22,29 +22,34 @@
 },
 "targets": [
 {
+ "name": "Root folder: GUID",
 "size": 20,
- "type_id": 80,
- "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee"
+ "type_id": 31,
+ "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b"
 },
 {
+ "name": "Drive letter",
 "size": 25,
- "type_id": 67,
- "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e"
+ "type_id": 47,
+ "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca"
 },
 {
+ "name": "Directory",
 "size": 82,
- "type_id": 0,
- "sha256": "184e677e10b73142c9acb6bc4b5db242dabebda53ff506e59d720d2cbd5be706"
+ "type_id": 49,
+ "sha256": "7cc98221fb355ac3c98eea9ed0bf25157463c069d09e01241079f0a8c6d5d3dd"
 },
 {
+ "name": "Directory",
 "size": 86,
- "type_id": 0,
- "sha256": "8ce8fcbfca1d3b5d6838544cdb47e95443e55e56f0aff1a73199531b735d77d3"
+ "type_id": 49,
+ "sha256": "5f6b27f32ca26e1c1f0fda319c20675c7e632175be08ecd6c185364a4d217ff3"
 },
 {
+ "name": "File",
 "size": 94,
- "type_id": 0,
- "sha256": "dc814bc487fc41e03499933cac5facf8154e3b768f8d22c06ac286342037386c"
+ "type_id": 50,
+ "sha256": "c63ae8934e29d153b90528c8b4f7b710b7a286b3ac6ee76ce64f3e58c61f325c"
 }
 ],
 "location": {
diff --git a/libbeat/formats/fixtures/lnk/native.seven.11.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.11.lnk.fingerprint
index 1f8f3a89520f..89345bfe94cf 100644
--- a/libbeat/formats/fixtures/lnk/native.seven.11.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.seven.11.lnk.fingerprint
@@ -12,14 +12,16 @@
 },
 "targets": [
 {
+ "name": "Users property view",
 "size": 20,
- "type_id": 112,
- "sha256": "4f2ef7c750b2e077b92d59dcecca8414e25706ebfe12e01016750e9af9574410"
+ "type_id": 31,
+ "sha256": "f60454d9b322749cf4092847b9e81572fa4f9aa4df272c462866ef55c0b46657"
 },
 {
+ "name": "Control Panel Category",
 "size": 12,
- "type_id": 0,
- "sha256": "5acc20e219f85705afbb40e1379eff5b9ed6ee025f9a07f583725038dd1926d2"
+ "type_id": 1,
+ "sha256": "19d9bdc584dc223d08afeed1f4f419fe4986fa533413147081b80c2da6e800ca"
 }
 ],
 "extra": {
diff --git a/libbeat/formats/fixtures/lnk/native.seven.16.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.16.lnk.fingerprint
index e5038449c4bc..d6346706b5f3 100644
--- a/libbeat/formats/fixtures/lnk/native.seven.16.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.seven.16.lnk.fingerprint
@@ -14,14 +14,15 @@
 },
 "targets": [
 {
+ "name": "Users property view",
 "size": 20,
- "type_id": 128,
- "sha256": "b784138ea9c6c6076de1bfb17a04afc1bc18431cf6cf9ff707e6bfebfd428ed2"
+ "type_id": 31,
+ "sha256": "2b67f98d3d1de6745ab00ce99bf56db5a9ed94ff2e0bf9393a9c54a821eae7da"
 },
 {
 "size": 32,
 "type_id": 0,
- "sha256": "a4064e1cb728a90a91be50f60bfcd4e5c3a8ac6f44d2b911ee873580c591440f"
+ "sha256": "94756e66587275bbf78c7d0caa3800da26570d172745df23e7ed4f14746e09f8"
 }
 ],
 "name": "@%SystemRoot%\\system32\\gameux.dll,-10311",
diff --git a/libbeat/formats/fixtures/lnk/native.xp.01.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.01.lnk.fingerprint
index 7cf85e077a72..75f642b9b8f3 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.01.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.01.lnk.fingerprint
@@ -24,29 +24,34 @@
 },
 "targets": [
 {
+ "name": "Root folder: GUID",
 "size": 20,
- "type_id": 80,
- "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee"
+ "type_id": 31,
+ "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b"
 },
 {
+ "name": "Drive letter",
 "size": 25,
- "type_id": 67,
- "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e"
+ "type_id": 47,
+ "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca"
 },
 {
+ "name": "Directory",
 "size": 60,
- "type_id": 0,
- "sha256": "0e62cf1b75299134613af72b61479a233bf7d8a3309c7e4b4e4713eb3c4e2ed2"
+ "type_id": 49,
+ "sha256": "33504bcb0a5bc7206d722d13536045f5a8d45d032d34e7a2028cfaf07131d276"
 },
 {
+ "name": "Directory",
 "size": 64,
- "type_id": 0,
- "sha256": "63c6a5e26cd51f340f4c3ffe91812bb812aad7752db664b5033c17e5fa623962"
+ "type_id": 49,
+ "sha256": "124df81585d766fafe1720fd97fb91727ed23a501fa86303260d39f942d4ee95"
 },
 {
+ "name": "File",
 "size": 72,
- "type_id": 0,
- "sha256": "04c034e4484017367cb2f6f4f294165aa73c1bd8811683d3951630be601a8903"
+ "type_id": 50,
+ "sha256": "760576ff55dcd587d07f37af9d8926cc6b35a7e54479fc48acf9d95e4ad7d52c"
 }
 ],
 "location": {
diff --git a/libbeat/formats/fixtures/lnk/native.xp.02.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.02.lnk.fingerprint
index 16eaa32d552f..13d38eadcb74 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.02.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.02.lnk.fingerprint
@@ -14,14 +14,16 @@
 },
 "targets": [
 {
+ "name": "Users property view",
 "size": 20,
- "type_id": 104,
- "sha256": "e454c954e255ac7a0021bcead81c35467cb90b962b6bcb2b1c319a118083b9e4"
+ "type_id": 31,
+ "sha256": "b6d6b0fc4575980bd03dbbb68eb13e12b1b823988a4b57a4edab2bb2c2930cf9"
 },
 {
+ "name": "URI",
 "size": 86,
- "type_id": 128,
- "sha256": "56c3e94faf8577b2beab3681dff177f30462048ecb410662e2ffce5095643713"
+ "type_id": 97,
+ "sha256": "5bf61e9176461c9988fa66440347677a800e489a08c7839cc8011b629bfc87f4"
 }
 ],
 "name": "@%systemRoot%\\system32\\compatUI.dll,-117",
diff --git a/libbeat/formats/fixtures/lnk/native.xp.03.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.03.lnk.fingerprint
index d4536f4b11cc..4de53d87b4fc 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.03.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.03.lnk.fingerprint
@@ -22,29 +22,34 @@
 },
 "targets": [
 {
+ "name": "Root folder: GUID",
 "size": 20,
- "type_id": 80,
- "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee"
+ "type_id": 31,
+ "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b"
 },
 {
+ "name": "Drive letter",
 "size": 25,
- "type_id": 67,
- "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e"
+ "type_id": 47,
+ "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca"
 },
 {
+ "name": "Directory",
 "size": 60,
- "type_id": 0,
- "sha256": "0e62cf1b75299134613af72b61479a233bf7d8a3309c7e4b4e4713eb3c4e2ed2"
+ "type_id": 49,
+ "sha256": "33504bcb0a5bc7206d722d13536045f5a8d45d032d34e7a2028cfaf07131d276"
 },
 {
+ "name": "Directory",
 "size": 64,
- "type_id": 0,
- "sha256": "63c6a5e26cd51f340f4c3ffe91812bb812aad7752db664b5033c17e5fa623962"
+ "type_id": 49,
+ "sha256": "124df81585d766fafe1720fd97fb91727ed23a501fa86303260d39f942d4ee95"
 },
 {
+ "name": "File",
 "size": 72,
- "type_id": 0,
- "sha256": "baf549441aaaef3984b378f7971bb0b4fcf7278c9c03c8e04289dcf3ef06bdd1"
+ "type_id": 50,
+ "sha256": "f60b197da76aae978d272e20ebc53a0f40a97c4fcaeff126c561391b1cc065cc"
 }
 ],
 "location": {
diff --git a/libbeat/formats/fixtures/lnk/native.xp.04.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.04.lnk.fingerprint
index a50c942f0b7b..797edad73b8c 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.04.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.04.lnk.fingerprint
@@ -21,29 +21,34 @@
 },
 "targets": [
 {
+ "name": "Root folder: GUID",
 "size": 20,
- "type_id": 80,
- "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee"
+ "type_id": 31,
+ "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b"
 },
 {
+ "name": "Drive letter",
 "size": 25,
- "type_id": 67,
- "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e"
+ "type_id": 47,
+ "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca"
 },
 {
+ "name": "Directory",
 "size": 74,
- "type_id": 0,
- "sha256": "668767e84ba993ed4e6eb5d04e5f85aec0edd67bb145dbe3dc68844ae3897194"
+ "type_id": 49,
+ "sha256": "0e92ea4cb3b7d33ace7b473e6196dd04f87ae86430790e4d74d52424b8835a04"
 },
 {
+ "name": "Directory",
 "size": 78,
- "type_id": 0,
- "sha256": "82632d0a1514981d68a6b96a0a5f263554234138682b4f9f82eec4562bc41939"
+ "type_id": 49,
+ "sha256": "64587f2c5156542e099060cc844f871875c55e235196afb8a49bda0c96d06bab"
 },
 {
+ "name": "File",
 "size": 60,
- "type_id": 0,
- "sha256": "dd4bb56f6dba3b57a1a3fa7b78b1588af84f1634945b53e3461494ff834c888b"
+ "type_id": 50,
+ "sha256": "fbb2a01fced2f0b017ca2b99bfc4eec5c5daae8cb96c695ebb26530ca999223e"
 }
 ],
 "location": {
diff --git a/libbeat/formats/fixtures/lnk/native.xp.05.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.05.lnk.fingerprint
index 717a1dc8a797..56d89ed9ef82 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.05.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.05.lnk.fingerprint
@@ -22,29 +22,34 @@
 },
 "targets": [
 {
+ "name": "Root folder: GUID",
 "size": 20,
- "type_id": 80,
- "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee"
+ "type_id": 31,
+ "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b"
 },
 {
+ "name": "Drive letter",
 "size": 25,
- "type_id": 67,
- "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e"
+ "type_id": 47,
+ "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca"
 },
 {
+ "name": "Directory",
 "size": 60,
- "type_id": 0,
- "sha256": "0e62cf1b75299134613af72b61479a233bf7d8a3309c7e4b4e4713eb3c4e2ed2"
+ "type_id": 49,
+ "sha256": "33504bcb0a5bc7206d722d13536045f5a8d45d032d34e7a2028cfaf07131d276"
 },
 {
+ "name": "Directory",
 "size": 64,
- "type_id": 0,
- "sha256": "63c6a5e26cd51f340f4c3ffe91812bb812aad7752db664b5033c17e5fa623962"
+ "type_id": 49,
+ "sha256": "124df81585d766fafe1720fd97fb91727ed23a501fa86303260d39f942d4ee95"
 },
 {
+ "name": "File",
 "size": 60,
- "type_id": 0,
- "sha256": "16b2c2d7055f112df524a2f17a9bd0fc1b1298a2325c8f9c289cf8a39d8bdb4e"
+ "type_id": 50,
+ "sha256": "361c206cf27900f0e16d34d7b41aace2a6e5e256b8e59a244c217aa4c5b56d55"
 }
 ],
 "location": {
diff --git a/libbeat/formats/fixtures/lnk/native.xp.06.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.06.lnk.fingerprint
index e15cc10c786a..8b103a04fcbc 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.06.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.06.lnk.fingerprint
@@ -21,29 +21,34 @@
 },
 "targets": [
 {
+ "name": "Root folder: GUID",
 "size": 20,
- "type_id": 80,
- "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee"
+ "type_id": 31,
+ "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b"
 },
 {
+ "name": "Drive letter",
 "size": 25,
- "type_id": 67,
- "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e"
+ "type_id": 47,
+ "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca"
 },
 {
+ "name": "Directory",
 "size": 74,
- "type_id": 0,
- "sha256": "668767e84ba993ed4e6eb5d04e5f85aec0edd67bb145dbe3dc68844ae3897194"
+ "type_id": 49,
+ "sha256": "0e92ea4cb3b7d33ace7b473e6196dd04f87ae86430790e4d74d52424b8835a04"
 },
 {
+ "name": "Directory",
 "size": 82,
- "type_id": 0,
- "sha256": "e265b8b434f903cfa0bba803a9f347f6fe5d34ab6582180db809602f2ae45659"
+ "type_id": 49,
+ "sha256": "ce5079c50db50144897615c77509fbe77207699b9875e6d8ea807e8e2814eafb"
 },
 {
+ "name": "File",
 "size": 76,
- "type_id": 0,
- "sha256": "967d629eca0380265ede8765c9b8220a284a147df471c55ebd0aebd9a63a7933"
+ "type_id": 50,
+ "sha256": "7dcfeeda1ba6b6aab552965f012835a36968dd0325a924296ca28d98ce1f3552"
 }
 ],
 "location": {
diff --git a/libbeat/formats/fixtures/lnk/native.xp.07.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.07.lnk.fingerprint
index 9ca5f6956460..69d8878cee16 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.07.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.07.lnk.fingerprint
@@ -23,24 +23,28 @@
 },
 "targets": [
 {
+ "name": "Root folder: GUID",
 "size": 20,
- "type_id": 80,
- "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee"
+ "type_id": 31,
+ "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b"
 },
 {
+ "name": "Drive letter",
 "size": 25,
- "type_id": 67,
- "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e"
+ "type_id": 47,
+ "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca"
 },
 {
+ "name": "Directory",
 "size": 60,
- "type_id": 0,
- "sha256": "0e62cf1b75299134613af72b61479a233bf7d8a3309c7e4b4e4713eb3c4e2ed2"
+ "type_id": 49,
+ "sha256": "33504bcb0a5bc7206d722d13536045f5a8d45d032d34e7a2028cfaf07131d276"
 },
 {
+ "name": "File",
 "size": 76,
- "type_id": 0,
- "sha256": "7ef9845c2cc80f31c36a39241a1ba49cf9c78cf5efadbba3aa99acad06ab0c14"
+ "type_id": 50,
+ "sha256": "03be5e4a5bbc17237e00b64988a74ee271945da1af03004335b9c4dd8ec4c807"
 }
 ],
 "location": {
diff --git a/libbeat/formats/fixtures/lnk/native.xp.08.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.08.lnk.fingerprint
index ecd49bebd5c2..4d875a1eabef 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.08.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.08.lnk.fingerprint
@@ -23,29 +23,34 @@
 },
 "targets": [
 {
+ "name": "Root folder: GUID",
 "size": 20,
- "type_id": 80,
- "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee"
+ "type_id": 31,
+ "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b"
 },
 {
+ "name": "Drive letter",
 "size": 25,
- "type_id": 67,
- "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e"
+ "type_id": 47,
+ "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca"
 },
 {
+ "name": "Directory",
 "size": 60,
- "type_id": 0,
- "sha256": "0e62cf1b75299134613af72b61479a233bf7d8a3309c7e4b4e4713eb3c4e2ed2"
+ "type_id": 49,
+ "sha256": "33504bcb0a5bc7206d722d13536045f5a8d45d032d34e7a2028cfaf07131d276"
 },
 {
+ "name": "Directory",
 "size": 64,
- "type_id": 0,
- "sha256": "63c6a5e26cd51f340f4c3ffe91812bb812aad7752db664b5033c17e5fa623962"
+ "type_id": 49,
+ "sha256": "124df81585d766fafe1720fd97fb91727ed23a501fa86303260d39f942d4ee95"
 },
 {
+ "name": "File",
 "size": 72,
- "type_id": 0,
- "sha256": "adb9a32cd72cf4ca2a425e05f93f0eff96af06eddd6378f1b18ee5ec377a9ae7"
+ "type_id": 50,
+ "sha256": "6713e47a9b39d461a433bfa90c97d8ca2da94769355efb3bac3c70d0ff09d149"
 }
 ],
 "location": {
diff --git a/libbeat/formats/fixtures/lnk/native.xp.09.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.09.lnk.fingerprint
index 8d15100ebf86..53dd86def640 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.09.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.09.lnk.fingerprint
@@ -21,29 +21,34 @@
 },
 "targets": [
 {
+ "name": "Root folder: GUID",
 "size": 20,
- "type_id": 80,
- "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee"
+ "type_id": 31,
+ "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b"
 },
 {
+ "name": "Drive letter",
 "size": 25,
- "type_id": 67,
- "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e"
+ "type_id": 47,
+ "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca"
 },
 {
+ "name": "Directory",
 "size": 74,
- "type_id": 0,
- "sha256": "668767e84ba993ed4e6eb5d04e5f85aec0edd67bb145dbe3dc68844ae3897194"
+ "type_id": 49,
+ "sha256": "0e92ea4cb3b7d33ace7b473e6196dd04f87ae86430790e4d74d52424b8835a04"
 },
 {
+ "name": "Directory",
 "size": 82,
- "type_id": 0,
- "sha256": "e265b8b434f903cfa0bba803a9f347f6fe5d34ab6582180db809602f2ae45659"
+ "type_id": 49,
+ "sha256": "ce5079c50db50144897615c77509fbe77207699b9875e6d8ea807e8e2814eafb"
 },
 {
+ "name": "File",
 "size": 76,
- "type_id": 0,
- "sha256": "967d629eca0380265ede8765c9b8220a284a147df471c55ebd0aebd9a63a7933"
+ "type_id": 50,
+ "sha256": "7dcfeeda1ba6b6aab552965f012835a36968dd0325a924296ca28d98ce1f3552"
 }
 ],
 "location": {
diff --git a/libbeat/formats/fixtures/lnk/native.xp.10.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.10.lnk.fingerprint
index 06f9b9e8e287..15cc7a6e78ef 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.10.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.10.lnk.fingerprint
@@ -23,29 +23,34 @@
 },
 "targets": [
 {
+ "name": "Root folder: GUID",
 "size": 20,
- "type_id": 80,
- "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee"
+ "type_id": 31,
+ "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b"
 },
 {
+ "name": "Drive letter",
 "size": 25,
- "type_id": 67,
- "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e"
+ "type_id": 47,
+ "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca"
 },
 {
+ "name": "Directory",
 "size": 60,
- "type_id": 0,
- "sha256": "0e62cf1b75299134613af72b61479a233bf7d8a3309c7e4b4e4713eb3c4e2ed2"
+ "type_id": 49,
+ "sha256": "33504bcb0a5bc7206d722d13536045f5a8d45d032d34e7a2028cfaf07131d276"
 },
 {
+ "name": "Directory",
 "size": 64,
- "type_id": 0,
- "sha256": "63c6a5e26cd51f340f4c3ffe91812bb812aad7752db664b5033c17e5fa623962"
+ "type_id": 49,
+ "sha256": "124df81585d766fafe1720fd97fb91727ed23a501fa86303260d39f942d4ee95"
 },
 {
+ "name": "File",
 "size": 60,
- "type_id": 0,
- "sha256": "b5da25626a62a350171bc2bd09e68745c1d1eebb5e838cfc8390afe965656eaf"
+ "type_id": 50,
+ "sha256": "d4a1fef6d5e84c2847ed0354c20bd9881931244f439378ad792dd85a3908fda5"
 }
 ],
 "location": {
diff --git a/libbeat/formats/fixtures/lnk/native.xp.11.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.11.lnk.fingerprint
index 461ba030fec0..5a2ed8df3d35 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.11.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.11.lnk.fingerprint
@@ -21,29 +21,34 @@
 },
 "targets": [
 {
+ "name": "Root folder: GUID",
 "size": 20,
- "type_id": 80,
- "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee"
+ "type_id": 31,
+ "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b"
 },
 {
+ "name": "Drive letter",
 "size": 25,
- "type_id": 67,
- "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e"
+ "type_id": 47,
+ "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca"
 },
 {
+ "name": "Directory",
 "size": 74,
- "type_id": 0,
- "sha256": "668767e84ba993ed4e6eb5d04e5f85aec0edd67bb145dbe3dc68844ae3897194"
+ "type_id": 49,
+ "sha256": "0e92ea4cb3b7d33ace7b473e6196dd04f87ae86430790e4d74d52424b8835a04"
 },
 {
+ "name": "Directory",
 "size": 88,
- "type_id": 0,
- "sha256": "3a9978d1b2866cd821cc4790146342e76d361aa3e82876bb6db66d178357bd34"
+ "type_id": 49,
+ "sha256": "6565f989f2d926802e9d7bd77bb2db9e0e06b43483aee226cee41ba5da4fd9bf"
 },
 {
+ "name": "File",
 "size": 76,
- "type_id": 0,
- "sha256": "09b949f5889727cb7f0b51cb8f2db570a68c537e5e0e0a6e91008ed258bb1da7"
+ "type_id": 50,
+ "sha256": "b5e33a19db51e49cb71c212dba89453071d7f3397d1cac620f6cac8395e8082f"
 }
 ],
 "location": {
diff --git a/libbeat/formats/fixtures/lnk/native.xp.12.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.12.lnk.fingerprint
index 5af18dae9258..b2bfc3d21f97 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.12.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.12.lnk.fingerprint
@@ -22,29 +22,34 @@
 },
 "targets": [
 {
+ "name": "Root folder: GUID",
 "size": 20,
- "type_id": 80,
- "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee"
+ "type_id": 31,
+ "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b"
 },
 {
+ "name": "Drive letter",
 "size": 25,
- "type_id": 67,
- "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e"
+ "type_id": 47,
+ "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca"
 },
 {
+ "name": "Directory",
 "size": 60,
- "type_id": 0,
- "sha256": "0e62cf1b75299134613af72b61479a233bf7d8a3309c7e4b4e4713eb3c4e2ed2"
+ "type_id": 49,
+ "sha256": "33504bcb0a5bc7206d722d13536045f5a8d45d032d34e7a2028cfaf07131d276"
 },
 {
+ "name": "Directory",
 "size": 64,
- "type_id": 0,
- "sha256": "63c6a5e26cd51f340f4c3ffe91812bb812aad7752db664b5033c17e5fa623962"
+ "type_id": 49,
+ "sha256": "124df81585d766fafe1720fd97fb91727ed23a501fa86303260d39f942d4ee95"
 },
 {
+ "name": "File",
 "size": 72,
- "type_id": 0,
- "sha256": "045a096cb7bfc82a6ce4c2dd402d12493317ae6ad7c419ab3fc07fbb8d405ce2"
+ "type_id": 50,
+ "sha256": "210f5cdafe77225370bdbba5cc7995f1329697916d86b6e294da34705eb14214"
 }
 ],
 "location": {
diff --git a/libbeat/formats/fixtures/lnk/native.xp.13.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.13.lnk.fingerprint
index b5142282f8ca..0c99d59e72a5 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.13.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.13.lnk.fingerprint
@@ -22,29 +22,34 @@
 },
 "targets": [
 {
+ "name": "Root folder: GUID",
 "size": 20,
- "type_id": 80,
- "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee"
+ "type_id": 31,
+ "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b"
 },
 {
+ "name": "Drive letter",
 "size": 25,
- "type_id": 67,
- "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e"
+ "type_id": 47,
+ "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca"
 },
 {
+ "name": "Directory",
 "size": 60,
- "type_id": 0,
- "sha256": "0e62cf1b75299134613af72b61479a233bf7d8a3309c7e4b4e4713eb3c4e2ed2"
+ "type_id": 49,
+ "sha256": "33504bcb0a5bc7206d722d13536045f5a8d45d032d34e7a2028cfaf07131d276"
 },
 {
+ "name": "Directory",
 "size": 64,
- "type_id": 0,
- "sha256": "63c6a5e26cd51f340f4c3ffe91812bb812aad7752db664b5033c17e5fa623962"
+ "type_id": 49,
+ "sha256": "124df81585d766fafe1720fd97fb91727ed23a501fa86303260d39f942d4ee95"
 },
 {
+ "name": "File",
 "size": 72,
- "type_id": 0,
- "sha256": "25f56f104046bbef2b0f7e19c82c5449eb38631861f3f7482d9fb647781342b2"
+ "type_id": 50,
+ "sha256": "bdef8d596eb5e8593a83e6f2fe9266165c420725dd956baffc3c291cf2ee99bd"
 }
 ],
 "location": {
diff --git a/libbeat/formats/fixtures/lnk/native.xp.14.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.14.lnk.fingerprint
index 5770bca05bf5..8918da1205bf 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.14.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.14.lnk.fingerprint
@@ -22,29 +22,34 @@
 },
 "targets": [
 {
+ "name": "Root folder: GUID",
 "size": 20,
- "type_id": 80,
- "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee"
+ "type_id": 31,
+ "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b"
 },
 {
+ "name": "Drive letter",
 "size": 25,
- "type_id": 67,
- "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e"
+ "type_id": 47,
+ "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca"
 },
 {
+ "name": "Directory",
 "size": 60,
- "type_id": 0,
- "sha256": "0e62cf1b75299134613af72b61479a233bf7d8a3309c7e4b4e4713eb3c4e2ed2"
+ "type_id": 49,
+ "sha256": "33504bcb0a5bc7206d722d13536045f5a8d45d032d34e7a2028cfaf07131d276"
 },
 {
+ "name": "Directory",
 "size": 64,
- "type_id": 0,
- "sha256": "63c6a5e26cd51f340f4c3ffe91812bb812aad7752db664b5033c17e5fa623962"
+ "type_id": 49,
+ "sha256": "124df81585d766fafe1720fd97fb91727ed23a501fa86303260d39f942d4ee95"
 },
 {
+ "name": "File",
 "size": 78,
- "type_id": 0,
- "sha256": "61986764b83398b82a9fe2c734a44070aa6c1d4cf170e1ba35a1926f6f2585bf"
+ "type_id": 50,
+ "sha256": "2836bf377a587fbb79ccd8b3568fe7f9851eab2a2d1329a21ef222ba6ca5d500"
 }
 ],
 "location": {
diff --git a/libbeat/formats/fixtures/lnk/native.xp.15.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.15.lnk.fingerprint
index 674ef887b346..681a00636f5c 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.15.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.15.lnk.fingerprint
@@ -19,24 +19,27 @@
 },
 "targets": [
 {
+ "name": "Root folder: GUID",
 "size": 20,
- "type_id": 80,
- "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee"
+ "type_id": 31,
+ "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b"
 },
 {
+ "name": "User profile",
 "size": 50,
- "type_id": 0,
- "sha256": "47cb092c959a4aa13007f154fa8992a26a9065f11ed30de3d43f12832b9ab0c5"
+ "type_id": 46,
+ "sha256": "18985b6bff0f7bf5db513ddd53be1fecd6ed4c10c21df6baced373b82ba1d497"
 },
 {
+ "name": "Directory",
 "size": 88,
- "type_id": 0,
- "sha256": "73a8aaeff232a15bb75df27b252781136149be3d9a8f278a3835ecba83fd4c32"
+ "type_id": 49,
+ "sha256": "4ec58bf37f7d3b5982a81d1928a4738b7629dfddf5f0b5d8332b5867460131fc"
 },
 {
 "size": 98,
- "type_id": 0,
- "sha256": "3db7f92e529c32261a025446f8d8563aca6c06b4ca84a75a0f27a4f18473b1f2"
+ "type_id": 53,
+ "sha256": "44a10b03d7e0d30733c07bcbca835ff48c72b88763b794214d87b667dc168874"
 }
 ],
 "location": {
diff --git a/libbeat/formats/fixtures/lnk/native.xp.16.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.16.lnk.fingerprint
index d2f08900809a..539ac4b6d47e 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.16.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.16.lnk.fingerprint
@@ -19,24 +19,27 @@
 },
 "targets": [
 {
+ "name": "Root folder: GUID",
 "size": 20,
- "type_id": 80,
- "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee"
+ "type_id": 31,
+ "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b"
 },
 {
+ "name": "User profile",
 "size": 50,
- "type_id": 0,
- "sha256": "47cb092c959a4aa13007f154fa8992a26a9065f11ed30de3d43f12832b9ab0c5"
+ "type_id": 46,
+ "sha256": "18985b6bff0f7bf5db513ddd53be1fecd6ed4c10c21df6baced373b82ba1d497"
 },
 {
+ "name": "Directory",
 "size": 88,
- "type_id": 0,
- "sha256": "aa3e6bbc6482eea02a621eddc6590b882b924f3946353e933e1a070af3a37deb"
+ "type_id": 49,
+ "sha256": "345165d205551d013be4d95cc086225a88f82562728fcc9706568f60e1c06796"
 },
 {
 "size": 102,
- "type_id": 0,
- "sha256": "95a8b825400274184ef8f90be08414a4df70159fab7ddfa90d25d19592ef0044"
+ "type_id": 53,
+ "sha256": "ff4dc4fb64d9a14ca88b5727173c8ae390858e7edff2df3580526fe16a220e19"
 }
 ],
 "location": {
diff --git a/libbeat/formats/fixtures/lnk/native.xp.17.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.17.lnk.fingerprint
index e14a57358993..cae919dbff04 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.17.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.17.lnk.fingerprint
@@ -21,29 +21,34 @@
 },
 "targets": [
 {
+ "name": "Root folder: GUID",
 "size": 20,
- "type_id": 80,
- "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee"
+ "type_id": 31,
+ "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b"
 },
 {
+ "name": "Drive letter",
 "size": 25,
- "type_id": 67,
- "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e"
+ "type_id": 47,
+ "sha256": "3648262ce8730d814cd1125280e270291159f9ca471fbc5fd2a438aa3116edca"
 },
 {
+ "name": "Directory",
 "size": 74,
- "type_id": 0,
- "sha256": "668767e84ba993ed4e6eb5d04e5f85aec0edd67bb145dbe3dc68844ae3897194"
+ "type_id": 49,
+ "sha256": "0e92ea4cb3b7d33ace7b473e6196dd04f87ae86430790e4d74d52424b8835a04"
 },
 {
+ "name": "Directory",
 "size": 78,
- "type_id": 0,
- "sha256": "82632d0a1514981d68a6b96a0a5f263554234138682b4f9f82eec4562bc41939"
+ "type_id": 49,
+ "sha256": "64587f2c5156542e099060cc844f871875c55e235196afb8a49bda0c96d06bab"
 },
 {
+ "name": "File",
 "size": 66,
- "type_id": 0,
- "sha256": "5950df6e91f2c9c0e58bea4e541d981a4e8ddd1658a94127d50a1670b3706cd7"
+ "type_id": 50,
+ "sha256": "3688c322d34ecdc63be6c20b023af853d2a1f59971747853a4a62129786016d7"
 }
 ],
 "location": {
diff --git a/libbeat/formats/fixtures/lnk/native.xp.18.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.18.lnk.fingerprint
index 73011c743e9c..365976ea2116 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.18.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.18.lnk.fingerprint
@@ -13,14 +13,16 @@
 },
 "targets": [
 {
+ "name": "Root folder: GUID",
 "size": 20,
- "type_id": 80,
- "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee"
+ "type_id": 31,
+ "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b"
 },
 {
+ "name": "Drive letter",
 "size": 41,
- "type_id": 68,
- "sha256": "32ade5364cd623e3dd4032487653ac80010e5e3f8b9978da718094e448e389cc"
+ "type_id": 47,
+ "sha256": "9a34e0b473c2e492c168b9e909db999a0f661e2c56c2e935356aa472e18a4eba"
 }
 ],
 "name": "Lecteur Drag-to-Disc",
diff --git a/libbeat/formats/fixtures/lnk/native.xp.19.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.19.lnk.fingerprint
index 2139d39a209a..683bad718349 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.19.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.19.lnk.fingerprint
@@ -13,14 +13,16 @@
 },
 "targets": [
 {
+ "name": "Root folder: GUID",
 "size": 20,
- "type_id": 80,
- "sha256": "df3ab5fa5bfd571b68b5a1fdf4889a3c43a80391809dbc7e3cdf97d471b4bcee"
+ "type_id": 31,
+ "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b"
 },
 {
+ "name": "Drive letter",
 "size": 25,
- "type_id": 69,
- "sha256": "03ebea9a4d6ab5842ebe07b818f2a8b31c70a04c7704364bb874c991443e3d6e"
+ "type_id": 47,
+ "sha256": "ad39eb6a19c31c41c88df2c4b58168683d09220691d4f8cf2c58274f1dca3d57"
 }
 ],
 "name": "Lecteur Drag-to-Disc",
diff --git a/libbeat/formats/fixtures/lnk/native.xp.20.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.20.lnk.fingerprint
index 9be526bafbeb..9a4e5349ae6a 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.20.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.20.lnk.fingerprint
@@ -17,59 +17,66 @@ }, "targets": [ { + "name": "Users property view", "size": 20, - "type_id": 88, - "sha256": "96abeb65d87512271bcabeac8b283506e78a94968b1d8658dd5cb31a1f40951f" + "type_id": 31, + "sha256": "e5195069b02302adc92598b7a8e87732d75cf4a0fc6182b267676fc323a1e5e7" }, { "size": 50, - "type_id": 0, - "sha256": "620d29be08dff63afe598819f919717bb1357d90b06e5a00d5a0d09e91626505" + "type_id": 71, + "sha256": "a767a5a7314be4f7af859afbfd30bc7fe72067b43359c758386ba3085e888c27" }, { "size": 136, - "type_id": 0, - "sha256": "3d18dc812ad70df870b6f8a81582461acf2352d59bca0bdad825e6f59495126a" + "type_id": 70, + "sha256": "a46d51ce6e398d5d134a1d36f079e4c2297aeecea2312d578a794adb9e5c7224" }, { "size": 36, - "type_id": 0, - "sha256": "2558b29fa32b5a5da3dd4eff2c00f06ad7444b0098073b148f556e1875482f03" + "type_id": 65, + "sha256": "587cd34ec942f8cde567ccea2ab19298247035a28eeff0c9c24095cd14e1a85e" }, { "size": 41, - "type_id": 0, - "sha256": "cd62d04905339ebd75908eface1487a326def9797f4513a626b7f5e0cc2774d7" + "type_id": 66, + "sha256": "395580e02c9d7d2951c1d8f724af7f8a17ef1a61f401d294eda8c0063e6eb364" }, { + "name": "Network location", "size": 175, - "type_id": 0, - "sha256": "70a5ac77f6b59746aabfbef46c8645499c08b622fc79ec57ffa921f9d61afa87" + "type_id": 195, + "sha256": "fb44c4ef44c34e303786b835f2447de5caad62133c6dcf291aa0bc511f301cf8" }, { + "name": "Directory", "size": 60, - "type_id": 0, - "sha256": "19bcb8ecfc99b2b8152e9c7fd3b34335cd4b29cca0216f6482d9721c7930c227" + "type_id": 49, + "sha256": "ad4a2dcf641f9a38f5a4b0a9b0b1cd2c28d83991ce73467a8cf7ea7c33e2f4e0" }, { + "name": "Directory", "size": 74, - "type_id": 0, - "sha256": "eb5ff2514a899d457c5e2c11cb1bb0e9fb9248c289a170c384efff7ea1533050" + "type_id": 49, + "sha256": "76933fb66eaeef51c350bdf0b22cc954b854e36c195eb695deaa5563fc1375ed" }, { + "name": "Directory", "size": 76, - "type_id": 0, - "sha256": "79c0924b5e5a2e082f86f3672d03481a048fab6b0fb05463fef7a4586dce5ca2" + "type_id": 49, + "sha256": 
"8e7a35254cd8aa31bf509d77373488c86cc00d3890182548fcc81dfe4b27291c" }, { + "name": "Directory", "size": 58, - "type_id": 0, - "sha256": "53afcfc9c2e090649738cd4b5e044f9b611b66d5400ec23aac022358f1e47eee" + "type_id": 49, + "sha256": "76ebef0ab661fab3af5f8603b2d91352ad01d0555bc07975ced837274d1f8ee5" }, { + "name": "Directory", "size": 52, - "type_id": 0, - "sha256": "432999e9d2645fdfb83af63aeae94aac516e643096fb2c865508794d7c9fb1c1" + "type_id": 49, + "sha256": "c3bd864934e3eaca85f5ab392c071ccf02fe3df97a795cff1d79cc2f14f8c812" } ], "location": { diff --git a/libbeat/formats/fixtures/lnk/net_unicode.lnk.fingerprint b/libbeat/formats/fixtures/lnk/net_unicode.lnk.fingerprint index 0c0a64939222..bd5c327a6fde 100644 --- a/libbeat/formats/fixtures/lnk/net_unicode.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/net_unicode.lnk.fingerprint @@ -69,24 +69,27 @@ "vista_and_above_id_list": { "targets": [ { + "name": "Users property view", "size": 20, - "type_id": 88, - "sha256": "0fd765c464bc0175cb0d598bbd77de8217dac435999d9261df8f384ae69d5e85" + "type_id": 31, + "sha256": "39a497e3b1e2d328ec88df1bbe8de598540d152c29b2a56627cff92f624c4bb3" }, { "size": 171, "type_id": 0, - "sha256": "28222bc3c9d115226224f871f30af6d5f51aaead9bb52f0e86c60bf8c03aff7e" + "sha256": "4bc6ed31b49e4b6f2482b2a5bfc44ec3401841d3cb8aaca5b1df8b7b87380f09" }, { + "name": "Network location", "size": 39, - "type_id": 1, - "sha256": "d0f317c9a1aa7d1e38f393b24b90e27c8e51e88be305c3655b43936e9d13e9ec" + "type_id": 195, + "sha256": "8275bc1e94cec22e8e079b9c2b2731b8fb6ff1e36b0d0d4c6d5d3e9ba133afea" }, { + "name": "File", "size": 90, - "type_id": 0, - "sha256": "5f9dbc4cb81c898fc455cded76ca8e043cac3e1f2fe1daf5fd43ccb20f33ac83" + "type_id": 50, + "sha256": "c04122979f9b6ef516c2861ae50bb1283ef67d8c737ec08d9673cbaadcc84c06" } ] } diff --git a/libbeat/formats/fixtures/lnk/net_unicode2.lnk.fingerprint b/libbeat/formats/fixtures/lnk/net_unicode2.lnk.fingerprint index b9a347df1eca..f4bdbd83b010 100644 
--- a/libbeat/formats/fixtures/lnk/net_unicode2.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/net_unicode2.lnk.fingerprint @@ -70,24 +70,27 @@ "vista_and_above_id_list": { "targets": [ { + "name": "Users property view", "size": 20, - "type_id": 88, - "sha256": "0fd765c464bc0175cb0d598bbd77de8217dac435999d9261df8f384ae69d5e85" + "type_id": 31, + "sha256": "39a497e3b1e2d328ec88df1bbe8de598540d152c29b2a56627cff92f624c4bb3" }, { "size": 171, "type_id": 0, - "sha256": "28222bc3c9d115226224f871f30af6d5f51aaead9bb52f0e86c60bf8c03aff7e" + "sha256": "4bc6ed31b49e4b6f2482b2a5bfc44ec3401841d3cb8aaca5b1df8b7b87380f09" }, { + "name": "Network location", "size": 94, - "type_id": 1, - "sha256": "e834f0f99e38cfd381d40d2e46d31f973523645a460ac56accb82d6fb2612fe6" + "type_id": 195, + "sha256": "aa73f540ef1254e02b4edb3ddd6126b0b306f722855e22af3e5b687f6b03a558" }, { + "name": "File", "size": 94, - "type_id": 0, - "sha256": "7369db988302b83ea4845b133a25286f7beaefbda25474d8b4d5bfa1d1acd869" + "type_id": 50, + "sha256": "1d932907538d3f9b47b136af3907983e02dbf0c8a98fd3be83a31fa78be8985b" } ] } diff --git a/libbeat/formats/fixtures/lnk/net_win31j.lnk.fingerprint b/libbeat/formats/fixtures/lnk/net_win31j.lnk.fingerprint index e770da81e985..206e9638c29b 100644 --- a/libbeat/formats/fixtures/lnk/net_win31j.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/net_win31j.lnk.fingerprint 
@@ -70,24 +70,27 @@ "vista_and_above_id_list": { "targets": [ { + "name": "Users property view", "size": 20, - "type_id": 88, - "sha256": "0fd765c464bc0175cb0d598bbd77de8217dac435999d9261df8f384ae69d5e85" + "type_id": 31, + "sha256": "39a497e3b1e2d328ec88df1bbe8de598540d152c29b2a56627cff92f624c4bb3" }, { "size": 171, "type_id": 0, - "sha256": "28222bc3c9d115226224f871f30af6d5f51aaead9bb52f0e86c60bf8c03aff7e" + "sha256": "4bc6ed31b49e4b6f2482b2a5bfc44ec3401841d3cb8aaca5b1df8b7b87380f09" }, { + "name": "Network location", "size": 39, - "type_id": 1, - "sha256": "d0f317c9a1aa7d1e38f393b24b90e27c8e51e88be305c3655b43936e9d13e9ec" + "type_id": 195, + "sha256": "8275bc1e94cec22e8e079b9c2b2731b8fb6ff1e36b0d0d4c6d5d3e9ba133afea" }, { + "name": "File", "size": 94, - "type_id": 0, - "sha256": "a27e3a9e31dfe073c62944697d439c8aa4331d556c92ef11e21e6e486f72b69e" + "type_id": 50, + "sha256": "a517f117fcf3c38ac660e8cdd2f9c6f3d34a050462cadf3330f8f0ea2eada281" } ] } diff --git a/libbeat/formats/fixtures/lnk/remote.directory.xp.lnk.fingerprint b/libbeat/formats/fixtures/lnk/remote.directory.xp.lnk.fingerprint index 0ea67c1677e1..151865dbc38e 100644 --- a/libbeat/formats/fixtures/lnk/remote.directory.xp.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/remote.directory.xp.lnk.fingerprint 
@@ -17,39 +17,42 @@ }, "targets": [ { + "name": "Users property view", "size": 20, - "type_id": 88, - "sha256": "96abeb65d87512271bcabeac8b283506e78a94968b1d8658dd5cb31a1f40951f" + "type_id": 31, + "sha256": "e5195069b02302adc92598b7a8e87732d75cf4a0fc6182b267676fc323a1e5e7" }, { "size": 50, - "type_id": 0, - "sha256": "620d29be08dff63afe598819f919717bb1357d90b06e5a00d5a0d09e91626505" + "type_id": 71, + "sha256": "a767a5a7314be4f7af859afbfd30bc7fe72067b43359c758386ba3085e888c27" }, { "size": 136, - "type_id": 0, - "sha256": "3d18dc812ad70df870b6f8a81582461acf2352d59bca0bdad825e6f59495126a" + "type_id": 70, + "sha256": "a46d51ce6e398d5d134a1d36f079e4c2297aeecea2312d578a794adb9e5c7224" }, { "size": 36, - "type_id": 0, - "sha256": "2558b29fa32b5a5da3dd4eff2c00f06ad7444b0098073b148f556e1875482f03" + "type_id": 65, + "sha256": "587cd34ec942f8cde567ccea2ab19298247035a28eeff0c9c24095cd14e1a85e" }, { "size": 88, - "type_id": 0, - "sha256": "cb97a3fb5034bc4a98fb7b62e09dc921ee0f731485134edee6d41f22aa3cd7bf" + "type_id": 66, + "sha256": "6a428f1cf9a17e0102283bbe97ba75da1d220c45d695edc9720204d4051ab18f" }, { + "name": "Network location", "size": 136, - "type_id": 1, - "sha256": "da3df06592f5ce0069a83a8eea3aeda6b4e8650a05baf32f239c46ba9ada876b" + "type_id": 195, + "sha256": "c54b5d2f206d54c9ff1e04c8a683bc68c05990d7279adbba1e9356b8f219c670" }, { + "name": "Directory", "size": 68, - "type_id": 0, - "sha256": "4c365273e81fc9ae17a9b83d85ae17e9fb0e4b7bd5766ea36f8f0bc33758fa66" + "type_id": 49, + "sha256": "d994f7ca637c81f97c4eede84aaf5bb6c5a5be66252b02318ad8fb8639871519" } ], "location": { diff --git a/libbeat/formats/fixtures/lnk/remote.file.aidlist.lnk.fingerprint b/libbeat/formats/fixtures/lnk/remote.file.aidlist.lnk.fingerprint index 6ff334943d45..648eac1147b9 100644 --- a/libbeat/formats/fixtures/lnk/remote.file.aidlist.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/remote.file.aidlist.lnk.fingerprint 
@@ -49,34 +49,39 @@ "vista_and_above_id_list": { "targets": [ { + "name": "Users property view", "size": 20, - "type_id": 88, - "sha256": "0fd765c464bc0175cb0d598bbd77de8217dac435999d9261df8f384ae69d5e85" + "type_id": 31, + "sha256": "39a497e3b1e2d328ec88df1bbe8de598540d152c29b2a56627cff92f624c4bb3" }, { "size": 179, "type_id": 0, - "sha256": "a4924888c786d4acf9e3c42c824563e5fdec6cd93042dbebadc1fd3227199ef4" + "sha256": "bd32f1a3508b0655a5fa4cffae5d9be54c17767902c3999b400485241282732c" }, { + "name": "Network location", "size": 160, - "type_id": 0, - "sha256": "e1f098b643c47bdee4c734acd2ff6f2a5b3332fed6566870f937c8717a07f4af" + "type_id": 195, + "sha256": "a4fe40ed41a8840627455ec68e9e3a6f1400a73acd140338e333007f08399d71" }, { + "name": "Directory", "size": 86, - "type_id": 0, - "sha256": "223d3713713681f8fbc798cdd4e7c027c3dfc0d5733a9009299b6e698d2b20a5" + "type_id": 49, + "sha256": "71eb7827f93da2318a811d0afea6a95733a17ad260e4bbe94e275d2e9bdbaccf" }, { + "name": "Directory", "size": 80, - "type_id": 0, - "sha256": "b1727773baaf9441c2f87f6b39f73978df4e861a0e97ce3d6fcc1178ad986b56" + "type_id": 49, + "sha256": "39acd6f749a39479e5e0c7ed9e819b50a7a0c9e9d901a3673bbb37612fd3abf2" }, { + "name": "Directory", "size": 100, - "type_id": 0, - "sha256": "6ed7a47644a27ed26d689a4fda0144dbed91dfacb0d45a658c0e0e2b3c1a2894" + "type_id": 49, + "sha256": "c2a944702c66a098636fe43c60e349c2ea357aea459c5ce92d57e734d33b26b6" } ] } diff --git a/libbeat/formats/fixtures/lnk/remote.file.xp.lnk.fingerprint b/libbeat/formats/fixtures/lnk/remote.file.xp.lnk.fingerprint index 9a89c3ed71fd..d02d741adbf6 100644 --- a/libbeat/formats/fixtures/lnk/remote.file.xp.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/remote.file.xp.lnk.fingerprint 
@@ -19,49 +19,54 @@ }, "targets": [ { + "name": "Users property view", "size": 20, - "type_id": 88, - "sha256": "96abeb65d87512271bcabeac8b283506e78a94968b1d8658dd5cb31a1f40951f" + "type_id": 31, + "sha256": "e5195069b02302adc92598b7a8e87732d75cf4a0fc6182b267676fc323a1e5e7" }, { "size": 50, - "type_id": 0, - "sha256": "620d29be08dff63afe598819f919717bb1357d90b06e5a00d5a0d09e91626505" + "type_id": 71, + "sha256": "a767a5a7314be4f7af859afbfd30bc7fe72067b43359c758386ba3085e888c27" }, { "size": 136, - "type_id": 0, - "sha256": "3d18dc812ad70df870b6f8a81582461acf2352d59bca0bdad825e6f59495126a" + "type_id": 70, + "sha256": "a46d51ce6e398d5d134a1d36f079e4c2297aeecea2312d578a794adb9e5c7224" }, { "size": 36, - "type_id": 0, - "sha256": "2558b29fa32b5a5da3dd4eff2c00f06ad7444b0098073b148f556e1875482f03" + "type_id": 65, + "sha256": "587cd34ec942f8cde567ccea2ab19298247035a28eeff0c9c24095cd14e1a85e" }, { "size": 88, - "type_id": 0, - "sha256": "cb97a3fb5034bc4a98fb7b62e09dc921ee0f731485134edee6d41f22aa3cd7bf" + "type_id": 66, + "sha256": "6a428f1cf9a17e0102283bbe97ba75da1d220c45d695edc9720204d4051ab18f" }, { + "name": "Network location", "size": 136, - "type_id": 1, - "sha256": "da3df06592f5ce0069a83a8eea3aeda6b4e8650a05baf32f239c46ba9ada876b" + "type_id": 195, + "sha256": "c54b5d2f206d54c9ff1e04c8a683bc68c05990d7279adbba1e9356b8f219c670" }, { + "name": "Directory", "size": 64, - "type_id": 0, - "sha256": "ee476d4c1256e99cbe21022ffedb5d1602a3c74e148d7c3c6f4c9d44f05d05ca" + "type_id": 49, + "sha256": "d6d39f8de76caf500c4eff1c54d5e6fc26061356c0ab02b56a42d35f01188785" }, { + "name": "Directory", "size": 80, - "type_id": 0, - "sha256": "7dc34531f388c48579b53e320e6750074510329fd0ff7fffd87efc8629b3bf7b" + "type_id": 49, + "sha256": "be6f4fa28aea1dad8b858ab45bea631b4f3b377cf229602f360aa5a1ba87538c" }, { + "name": "File", "size": 114, - "type_id": 0, - "sha256": "42a5b872d13027882d743445de13c29673f211b01c1e66513c7e002054f0a8a2" + "type_id": 50, + "sha256": 
"438f25337d38fa8946d7d920b0d46974c07689c3eb1df166692cf5193c6d5561" } ], "location": { diff --git a/libbeat/formats/lnk/known_targets.go b/libbeat/formats/lnk/known_targets.go new file mode 100644 index 000000000000..be2c21da2605 --- /dev/null +++ b/libbeat/formats/lnk/known_targets.go 
@@ -0,0 +1,143 @@
+package lnk
+
+import (
+ "encoding/binary"
+ "fmt"
+)
+
+type targetParser func(data []byte) string
+
+func simpleTargetParser(name string) targetParser {
+ return func(data []byte) string {
+ return name
+ }
+}
+
+func parseTarget0x01(data []byte) string {
+ if data[8] == 0x3A && data[9] == 0x00 {
+ return "Hyper-V storage volume"
+ }
+ signature := binary.LittleEndian.Uint32(data[4:])
+ if signature != 0x39de2184 {
+ return "Control Panel Category"
+ }
+ switch data[8] {
+ case 0x00:
+ return "All Control Panel Items"
+ case 0x01:
+ return "Appearance and Personalization"
+ case 0x02:
+ return "Hardware and Sound"
+ case 0x03:
+ return "Network and Internet"
+ case 0x04:
+ return "Sound, Speech and Audio Devices"
+ case 0x05:
+ return "System and Security"
+ case 0x06:
+ return "Clock, Language, and Region"
+ case 0x07:
+ return "Ease of Access"
+ case 0x08:
+ return "Programs"
+ case 0x09:
+ return "User Accounts"
+ case 0x10:
+ return "Security Center"
+ case 0x11:
+ return "Mobile PC"
+ default:
+ return fmt.Sprintf("Unknown Control Panel Category: %d", data[8])
+ }
+}
+
+func parseTarget0x2e(data []byte) string {
+ if len(data) == 0x16 && data[3] == 0x80 {
+ return "Root folder: GUID"
+ }
+ signature := binary.LittleEndian.Uint64(data[len(data)-8:])
+ if signature == 0x0000ee306bfe9555 || signature == 0xee306bfe9555c589 {
+ return "User profile"
+ }
+ shortSignature := binary.LittleEndian.Uint32(data[5:])
+ if shortSignature >= 0x15032601 {
+ return "Control panel category"
+ }
+ return "Users property view"
+}
+
+func parseTarget0x1f(data []byte) string {
+ if data[0] == 0x14 || data[0] == 0x32 || data[0] == 0x3A {
+ return "Root folder: GUID"
+ }
+ if data[4] == 0x2f {
+ return "Users property view: Drive letter"
+ }
+ maskedBit := data[3] & 0x70
+ if maskedBit == 0x40 || maskedBit == 0x50 || maskedBit == 0x70 {
+ return "Root folder: GUID"
+ }
+ signature := binary.LittleEndian.Uint32(data[6:])
+ if signature == 0xbeebee00 {
+ return 
"Variable: Users property view"
+ }
+ if signature == 0x4c644970 {
+ return "Windows Backup"
+ }
+ return "Users property view"
+}
+
+func parseTarget0x40(data []byte) string {
+ switch data[2] {
+ case 0x47:
+ return "Entire Network"
+ case 0x46:
+ return "Microsoft Windows Network"
+ case 0x41:
+ return "Domain/Workgroup name"
+ case 0x42:
+ return "Server UNC path"
+ case 0x43:
+ return "Share UNC path"
+ default:
+ return "Network location"
+ }
+}
+
+var knownTargets = map[byte]targetParser{
+ // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0X23.cs
+ 0x23: simpleTargetParser("Drive letter"),
+ // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0X4C.cs
+ 0x4C: simpleTargetParser("Sharepoint directory"),
+ // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0x00.cs
+ // 0x00:
+ // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0x01.cs
+ 0x01: parseTarget0x01,
+ // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0x1f.cs
+ 0x1f: parseTarget0x1f,
+ // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0x2e.cs
+ 0x2e: parseTarget0x2e,
+ // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0x2f.cs
+ 0x2f: simpleTargetParser("Drive letter"),
+ // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0x31.cs
+ 0x31: simpleTargetParser("Directory"),
+ // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0x32.cs
+ 0x32: simpleTargetParser("File"),
+ // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0x40.cs
+ 0x40: parseTarget0x40,
+ // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0x61.cs
+ 0x61: simpleTargetParser("URI"),
+ // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0x71.cs
+ // 0x71:
+ // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0x74.cs
+ // 0x74:
+ // 
https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0xc3.cs + 0xc3: simpleTargetParser("Network location"), +} + +func getTargetName(targetType byte, data []byte) string { + if parser, known := knownTargets[targetType]; known { + return parser(data) + } + return "" +} diff --git a/libbeat/formats/lnk/lnk.go b/libbeat/formats/lnk/lnk.go index 7663f36cc13c..7969493166b7 100644 --- a/libbeat/formats/lnk/lnk.go +++ b/libbeat/formats/lnk/lnk.go @@ -163,6 +163,7 @@ type Location struct { // Target contains LNK target info type Target struct { + Name string `json:"name,omitempty"` Size uint16 `json:"size"` TypeID uint8 `json:"type_id"` SHA256 string `json:"sha256"` diff --git a/libbeat/formats/lnk/target.go b/libbeat/formats/lnk/target.go index d0e01ed65942..38a8fb005278 100644 --- a/libbeat/formats/lnk/target.go +++ b/libbeat/formats/lnk/target.go @@ -72,9 +72,10 @@ func parseTargetList(data []byte) ([]Target, error) { return targets, nil } targetData = targetData[:targetSize] - targetType := targetData[3] - hash := sha256.Sum256(targetData[4:]) + targetType := targetData[2] + hash := sha256.Sum256(targetData[3:]) targets = append(targets, Target{ + Name: getTargetName(targetType, targetData[3:]), Size: targetSize, TypeID: targetType, SHA256: hex.EncodeToString(hash[:]), From e1cdb373ad16b22e641875b8d0c23c972e10c05c Mon Sep 17 00:00:00 2001 
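Review bot: Every parser in known_targets.go indexes `data` at fixed offsets without a length check — `parseTarget0x01` reads `data[9]` and decodes `data[4:]`, `parseTarget0x2e` slices `data[len(data)-8:]` and decodes `data[5:]`, `parseTarget0x1f` decodes `data[6:]`, `parseTarget0x40` reads `data[2]` — so a truncated or malformed shell item whose size is smaller than those offsets panics with an index or slice out of range inside `getTargetName` instead of yielding an unnamed target. The caller in the target.go hunk passes `targetData[3:]`, i.e. `targetSize-3` bytes, and the only length handling visible there is the `targetData[:targetSize]` reslice; `parseTargetList` starts outside that hunk, so a minimum-size check may exist upstream, but the parsers are safer if each enforces its own minimum and falls back to its generic name, as sketched below. The jump from `case 0x09` to `case 0x10`/`case 0x11` in `parseTarget0x01` also looks like a decimal/hex mix-up (10 and 11 versus 0x0a and 0x0b) and is worth checking against the referenced ShellBag0x01.cs. A fuzz harness driving `parseTargetList` with short items would surface these cases quickly.
```go
func parseTarget0x01(data []byte) string {
	// data[9] and Uint32(data[4:]) need at least 10 bytes
	if len(data) < 10 {
		return "Control Panel Category"
	}
	// … unchanged: Hyper-V check, signature check, category switch …
}

func parseTarget0x2e(data []byte) string {
	if len(data) == 0x16 && data[3] == 0x80 {
		return "Root folder: GUID"
	}
	// Uint64(data[len(data)-8:]) and Uint32(data[5:]) need at least 9 bytes
	if len(data) < 9 {
		return "Users property view"
	}
	// … unchanged: signature checks …
}

func parseTarget0x1f(data []byte) string {
	// Uint32(data[6:]) needs at least 10 bytes
	if len(data) < 10 {
		return "Users property view"
	}
	// … unchanged: root folder / drive letter / signature checks …
}

func parseTarget0x40(data []byte) string {
	if len(data) < 3 {
		return "Network location"
	}
	// … unchanged: switch on data[2] …
}
```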
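Review bot: The new `Name` field on `Target` in the lnk.go hunk has no comment stating its contract, which matters because `getTargetName` returns `""` for any type absent from `knownTargets` and `omitempty` then drops the key from the JSON, so a missing `name` means "type not in the table", not "parse failure". Suggest `// Name is the shell-item class inferred from TypeID and the item bytes; empty (and omitted from JSON) when TypeID has no entry in knownTargets.` The enclosing `Target` struct declaration is fully inside the hunk, so the comment can go directly above the field.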
From: Andrew Stucki Date: Wed, 3 Mar 2021 15:59:36 -0500 Subject: [PATCH 26/30] Add better naming --- .../lnk/local.directory.seven.lnk.fingerprint | 2 +- .../lnk/local.directory.xp.lnk.fingerprint | 2 +- .../lnk/local.file.darwin.lnk.fingerprint | 2 +- .../lnk/local.file.env.lnk.fingerprint | 2 +- .../lnk/local.file.exec.lnk.fingerprint | 2 +- .../lnk/local.file.icoset.lnk.fingerprint | 2 +- .../lnk/local.file.seven.lnk.fingerprint | 2 +- .../lnk/local.file.xp.lnk.fingerprint | 2 +- .../fixtures/lnk/local_cmd.lnk.fingerprint | 2 +- .../lnk/local_unicode.lnk.fingerprint | 2 +- .../fixtures/lnk/local_win31j.lnk.fingerprint | 2 +- .../fixtures/lnk/microsoft.lnk.fingerprint | 2 +- .../lnk/native.2008srv.01.lnk.fingerprint | 2 +- .../lnk/native.2008srv.02.lnk.fingerprint | 2 +- .../lnk/native.2008srv.04.lnk.fingerprint | 2 +- .../lnk/native.2008srv.05.lnk.fingerprint | 2 +- .../lnk/native.2008srv.06.lnk.fingerprint | 2 +- .../lnk/native.2008srv.07.lnk.fingerprint | 2 +- .../lnk/native.2008srv.08.lnk.fingerprint | 2 +- .../lnk/native.2008srv.09.lnk.fingerprint | 2 +- .../lnk/native.2008srv.10.lnk.fingerprint | 2 +- .../lnk/native.2008srv.11.lnk.fingerprint | 2 +- .../lnk/native.2008srv.12.lnk.fingerprint | 2 +- .../lnk/native.2008srv.13.lnk.fingerprint | 2 +- .../lnk/native.2008srv.14.lnk.fingerprint | 2 +- .../lnk/native.2008srv.16.lnk.fingerprint | 2 +- .../lnk/native.2008srv.17.lnk.fingerprint | 2 +- .../lnk/native.2008srv.18.lnk.fingerprint | 2 +- .../lnk/native.2008srv.19.lnk.fingerprint | 2 +- .../lnk/native.2008srv.20.lnk.fingerprint | 2 +- .../lnk/native.seven.01.lnk.fingerprint | 2 +- .../lnk/native.seven.03.lnk.fingerprint | 2 +- .../lnk/native.seven.04.lnk.fingerprint | 2 +- .../lnk/native.seven.05.lnk.fingerprint | 2 +- .../lnk/native.seven.06.lnk.fingerprint | 2 +- .../lnk/native.seven.08.lnk.fingerprint | 2 +- .../lnk/native.seven.09.lnk.fingerprint | 2 +- .../lnk/native.seven.11.lnk.fingerprint | 2 +- .../fixtures/lnk/native.xp.01.lnk.fingerprint | 2 +- 
.../fixtures/lnk/native.xp.03.lnk.fingerprint | 2 +- .../fixtures/lnk/native.xp.04.lnk.fingerprint | 2 +- .../fixtures/lnk/native.xp.05.lnk.fingerprint | 2 +- .../fixtures/lnk/native.xp.06.lnk.fingerprint | 2 +- .../fixtures/lnk/native.xp.07.lnk.fingerprint | 2 +- .../fixtures/lnk/native.xp.08.lnk.fingerprint | 2 +- .../fixtures/lnk/native.xp.09.lnk.fingerprint | 2 +- .../fixtures/lnk/native.xp.10.lnk.fingerprint | 2 +- .../fixtures/lnk/native.xp.11.lnk.fingerprint | 2 +- .../fixtures/lnk/native.xp.12.lnk.fingerprint | 2 +- .../fixtures/lnk/native.xp.13.lnk.fingerprint | 2 +- .../fixtures/lnk/native.xp.14.lnk.fingerprint | 2 +- .../fixtures/lnk/native.xp.15.lnk.fingerprint | 2 +- .../fixtures/lnk/native.xp.16.lnk.fingerprint | 2 +- .../fixtures/lnk/native.xp.17.lnk.fingerprint | 2 +- .../fixtures/lnk/native.xp.18.lnk.fingerprint | 2 +- .../fixtures/lnk/native.xp.19.lnk.fingerprint | 2 +- .../fixtures/lnk/native.xp.20.lnk.fingerprint | 2 +- .../lnk/remote.directory.xp.lnk.fingerprint | 2 +- .../lnk/remote.file.xp.lnk.fingerprint | 2 +- libbeat/formats/lnk/known_shellbag_guids.go | 381 ++++++++++++++++++ libbeat/formats/lnk/known_targets.go | 31 +- 61 files changed, 470 insertions(+), 60 deletions(-) create mode 100644 libbeat/formats/lnk/known_shellbag_guids.go diff --git a/libbeat/formats/fixtures/lnk/local.directory.seven.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.directory.seven.lnk.fingerprint index 307e5818db4c..050414ec857f 100644 --- a/libbeat/formats/fixtures/lnk/local.directory.seven.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local.directory.seven.lnk.fingerprint @@ -21,7 +21,7 @@ }, "targets": [ { - "name": "Root folder: GUID", + "name": "MY_COMPUTER", "size": 20, "type_id": 31, "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" diff --git a/libbeat/formats/fixtures/lnk/local.directory.xp.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.directory.xp.lnk.fingerprint index 1fcc64213207..f25d1965a4f9 100644 
--- a/libbeat/formats/fixtures/lnk/local.directory.xp.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local.directory.xp.lnk.fingerprint @@ -19,7 +19,7 @@ }, "targets": [ { - "name": "Root folder: GUID", + "name": "MY_COMPUTER", "size": 20, "type_id": 31, "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" diff --git a/libbeat/formats/fixtures/lnk/local.file.darwin.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.file.darwin.lnk.fingerprint index 56bf947daeb2..7a8fa66233ce 100644 --- a/libbeat/formats/fixtures/lnk/local.file.darwin.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local.file.darwin.lnk.fingerprint @@ -15,7 +15,7 @@ }, "targets": [ { - "name": "Root folder: GUID", + "name": "MY_COMPUTER", "size": 20, "type_id": 31, "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" diff --git a/libbeat/formats/fixtures/lnk/local.file.env.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.file.env.lnk.fingerprint index d019afd27ca7..ca33de191a76 100644 --- a/libbeat/formats/fixtures/lnk/local.file.env.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local.file.env.lnk.fingerprint @@ -22,7 +22,7 @@ }, "targets": [ { - "name": "Root folder: GUID", + "name": "MY_COMPUTER", "size": 20, "type_id": 31, "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" diff --git a/libbeat/formats/fixtures/lnk/local.file.exec.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.file.exec.lnk.fingerprint index 7a298adc332a..1901c0fc8f07 100644 --- a/libbeat/formats/fixtures/lnk/local.file.exec.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local.file.exec.lnk.fingerprint @@ -24,7 +24,7 @@ }, "targets": [ { - "name": "Root folder: GUID", + "name": "MY_COMPUTER", "size": 20, "type_id": 31, "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" 
diff --git a/libbeat/formats/fixtures/lnk/local.file.icoset.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.file.icoset.lnk.fingerprint index 9d484ff3dec8..504abe472ada 100644 --- a/libbeat/formats/fixtures/lnk/local.file.icoset.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local.file.icoset.lnk.fingerprint @@ -21,7 +21,7 @@ }, "targets": [ { - "name": "Root folder: GUID", + "name": "MY_COMPUTER", "size": 20, "type_id": 31, "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" diff --git a/libbeat/formats/fixtures/lnk/local.file.seven.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.file.seven.lnk.fingerprint index a0f889f06b08..ef8b3695bc1e 100644 --- a/libbeat/formats/fixtures/lnk/local.file.seven.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local.file.seven.lnk.fingerprint @@ -22,7 +22,7 @@ }, "targets": [ { - "name": "Root folder: GUID", + "name": "MY_COMPUTER", "size": 20, "type_id": 31, "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" diff --git a/libbeat/formats/fixtures/lnk/local.file.xp.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.file.xp.lnk.fingerprint index a360b2418c04..eb8926abc2bd 100644 --- a/libbeat/formats/fixtures/lnk/local.file.xp.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local.file.xp.lnk.fingerprint @@ -20,7 +20,7 @@ }, "targets": [ { - "name": "Root folder: GUID", + "name": "MY_COMPUTER", "size": 20, "type_id": 31, "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" diff --git a/libbeat/formats/fixtures/lnk/local_cmd.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local_cmd.lnk.fingerprint index 8c708aeb1295..b2cafb1a2737 100644 --- a/libbeat/formats/fixtures/lnk/local_cmd.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local_cmd.lnk.fingerprint 
@@ -24,7 +24,7 @@ }, "targets": [ { - "name": "Root folder: GUID", + "name": "MY_COMPUTER", "size": 20, "type_id": 31, "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" diff --git a/libbeat/formats/fixtures/lnk/local_unicode.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local_unicode.lnk.fingerprint index cbba588cde48..841a8a103634 100644 --- a/libbeat/formats/fixtures/lnk/local_unicode.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local_unicode.lnk.fingerprint @@ -21,7 +21,7 @@ }, "targets": [ { - "name": "Root folder: GUID", + "name": "MY_COMPUTER", "size": 20, "type_id": 31, "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" diff --git a/libbeat/formats/fixtures/lnk/local_win31j.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local_win31j.lnk.fingerprint index c686110dce31..d0ba24886635 100644 --- a/libbeat/formats/fixtures/lnk/local_win31j.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local_win31j.lnk.fingerprint @@ -24,7 +24,7 @@ }, "targets": [ { - "name": "Root folder: GUID", + "name": "MY_COMPUTER", "size": 20, "type_id": 31, "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" diff --git a/libbeat/formats/fixtures/lnk/microsoft.lnk.fingerprint b/libbeat/formats/fixtures/lnk/microsoft.lnk.fingerprint index 797ba511c61c..7dc5c3f5c5c9 100644 --- a/libbeat/formats/fixtures/lnk/microsoft.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/microsoft.lnk.fingerprint @@ -20,7 +20,7 @@ }, "targets": [ { - "name": "Root folder: GUID", + "name": "MY_COMPUTER", "size": 20, "type_id": 31, "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.01.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.01.lnk.fingerprint index 151d3f215349..945cdd6417ab 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.01.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.01.lnk.fingerprint 
@@ -22,7 +22,7 @@ }, "targets": [ { - "name": "Root folder: GUID", + "name": "MY_COMPUTER", "size": 20, "type_id": 31, "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.02.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.02.lnk.fingerprint index 26c93c8a0030..94a718b15ec8 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.02.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.02.lnk.fingerprint @@ -13,7 +13,7 @@ }, "targets": [ { - "name": "Root folder: GUID", + "name": "MY_COMPUTER", "size": 20, "type_id": 31, "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.04.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.04.lnk.fingerprint index 9595e668b044..61009a2571b0 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.04.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.04.lnk.fingerprint @@ -20,7 +20,7 @@ }, "targets": [ { - "name": "Users property view", + "name": "INTERNET_EXPLORER", "size": 20, "type_id": 31, "sha256": "fdc480a4bb8842fd0a3f686a5d8738d66c525442be3e08414a78a1216ceac8e0" diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.05.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.05.lnk.fingerprint index 00bfe788cb3d..fc99f063a74b 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.05.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.05.lnk.fingerprint @@ -22,7 +22,7 @@ }, "targets": [ { - "name": "Root folder: GUID", + "name": "MY_COMPUTER", "size": 20, "type_id": 31, "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.06.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.06.lnk.fingerprint index b94ce8f36aba..d8beb2c09bce 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.06.lnk.fingerprint 
+++ b/libbeat/formats/fixtures/lnk/native.2008srv.06.lnk.fingerprint @@ -22,7 +22,7 @@ }, "targets": [ { - "name": "Root folder: GUID", + "name": "MY_COMPUTER", "size": 20, "type_id": 31, "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.07.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.07.lnk.fingerprint index a9f0d8680e4c..c6140f9f183f 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.07.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.07.lnk.fingerprint @@ -13,7 +13,7 @@ }, "targets": [ { - "name": "Root folder: GUID", + "name": "MY_COMPUTER", "size": 20, "type_id": 31, "sha256": "8db1287718d91d57c60da1c79fbc3067e006a4f0be2f88b4f551c8d7120514a5" diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.08.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.08.lnk.fingerprint index dd902ea28ac8..369ee6c08151 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.08.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.08.lnk.fingerprint @@ -21,7 +21,7 @@ }, "targets": [ { - "name": "Root folder: GUID", + "name": "MY_COMPUTER", "size": 20, "type_id": 31, "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.09.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.09.lnk.fingerprint index 40d469006114..0c238177a16d 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.09.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.09.lnk.fingerprint @@ -20,7 +20,7 @@ }, "targets": [ { - "name": "Root folder: GUID", + "name": "MY_COMPUTER", "size": 20, "type_id": 31, "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.10.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.10.lnk.fingerprint index fc89f9d5f516..13c36b147b29 100644 
--- a/libbeat/formats/fixtures/lnk/native.2008srv.10.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.10.lnk.fingerprint @@ -19,7 +19,7 @@ }, "targets": [ { - "name": "Users property view", + "name": "INTERNET_EXPLORER", "size": 20, "type_id": 31, "sha256": "fdc480a4bb8842fd0a3f686a5d8738d66c525442be3e08414a78a1216ceac8e0" diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.11.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.11.lnk.fingerprint index 01f25a366548..ef0b85fe7c90 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.11.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.11.lnk.fingerprint @@ -21,7 +21,7 @@ }, "targets": [ { - "name": "Root folder: GUID", + "name": "MY_COMPUTER", "size": 20, "type_id": 31, "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.12.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.12.lnk.fingerprint index 637b52f4c7a7..80de348da1ee 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.12.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.12.lnk.fingerprint @@ -23,7 +23,7 @@ }, "targets": [ { - "name": "Root folder: GUID", + "name": "MY_COMPUTER", "size": 20, "type_id": 31, "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.13.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.13.lnk.fingerprint index 474144cf36f3..70fefa0e5234 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.13.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.13.lnk.fingerprint @@ -21,7 +21,7 @@ }, "targets": [ { - "name": "Root folder: GUID", + "name": "MY_COMPUTER", "size": 20, "type_id": 31, "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b" 
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.14.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.14.lnk.fingerprint index 4511b13014c6..b635ab12cc41 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.14.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.14.lnk.fingerprint @@ -19,7 +19,7 @@ }, "targets": [ { - "name": "Users property view", + "name": "INTERNET_EXPLORER", "size": 20, "type_id": 31, "sha256": "fdc480a4bb8842fd0a3f686a5d8738d66c525442be3e08414a78a1216ceac8e0" diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.16.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.16.lnk.fingerprint index 2530560d3580..630dce5659db 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.16.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.16.lnk.fingerprint @@ -13,7 +13,7 @@ }, "targets": [ { - "name": "Root folder: GUID", + "name": "MY_COMPUTER", "size": 20, "type_id": 31, "sha256": "532430ce84b6c846622da10af300d777c81c555a3c0cebdf2a6a17ff2e6aa885" diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.17.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.17.lnk.fingerprint index cf15e47c67e2..3627915720fa 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.17.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.17.lnk.fingerprint @@ -20,7 +20,7 @@ }, "targets": [ { - "name": "Users property view", + "name": "INTERNET_EXPLORER", "size": 20, "type_id": 31, "sha256": "fdc480a4bb8842fd0a3f686a5d8738d66c525442be3e08414a78a1216ceac8e0" diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.18.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.18.lnk.fingerprint index 2f7a2e249b45..e5572114efc0 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.18.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.18.lnk.fingerprint 
@@ -13,7 +13,7 @@
 },
 "targets": [
 {
- "name": "Users property view",
+ "name": "INTERNET_EXPLORER",
 "size": 20,
 "type_id": 31,
 "sha256": "08f7df35a94d580703a76f2c82de60e7d7d45ce9a6640f8df2b1ef5271b33cba"
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.19.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.19.lnk.fingerprint
index 6a9eac3e4966..949dd922cb16 100644
--- a/libbeat/formats/fixtures/lnk/native.2008srv.19.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.2008srv.19.lnk.fingerprint
@@ -13,7 +13,7 @@
 },
 "targets": [
 {
- "name": "Users property view",
+ "name": "INTERNET_EXPLORER",
 "size": 20,
 "type_id": 31,
 "sha256": "ff8bf60a7527cf54c4f53476c417841e5b5bf25480eee7f276ebcb58864ace0f"
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.20.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.20.lnk.fingerprint
index 24cb1411f523..76ba6a7c5a1d 100644
--- a/libbeat/formats/fixtures/lnk/native.2008srv.20.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.2008srv.20.lnk.fingerprint
@@ -21,7 +21,7 @@
 },
 "targets": [
 {
- "name": "Root folder: GUID",
+ "name": "MY_COMPUTER",
 "size": 20,
 "type_id": 31,
 "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b"
diff --git a/libbeat/formats/fixtures/lnk/native.seven.01.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.01.lnk.fingerprint
index 33d3179f5059..dcf9b06d61ff 100644
--- a/libbeat/formats/fixtures/lnk/native.seven.01.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.seven.01.lnk.fingerprint
@@ -20,7 +20,7 @@
 },
 "targets": [
 {
- "name": "Root folder: GUID",
+ "name": "MY_COMPUTER",
 "size": 20,
 "type_id": 31,
 "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b"
diff --git a/libbeat/formats/fixtures/lnk/native.seven.03.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.03.lnk.fingerprint
index d8ba0d1ae9cb..011d4ed068f9 100644
--- a/libbeat/formats/fixtures/lnk/native.seven.03.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.seven.03.lnk.fingerprint
@@ -12,7 +12,7 @@
 },
 "targets": [
 {
- "name": "Users property view",
+ "name": "INTERNET_EXPLORER",
 "size": 20,
 "type_id": 31,
 "sha256": "1a017498e9f75896a4d55428cdb9fa94199bf05042949f90adaf0b15540f62dc"
diff --git a/libbeat/formats/fixtures/lnk/native.seven.04.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.04.lnk.fingerprint
index 2dd98c707da5..23e23e012592 100644
--- a/libbeat/formats/fixtures/lnk/native.seven.04.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.seven.04.lnk.fingerprint
@@ -20,7 +20,7 @@
 },
 "targets": [
 {
- "name": "Root folder: GUID",
+ "name": "MY_COMPUTER",
 "size": 20,
 "type_id": 31,
 "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b"
diff --git a/libbeat/formats/fixtures/lnk/native.seven.05.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.05.lnk.fingerprint
index 899d49e94233..958f13fd4a92 100644
--- a/libbeat/formats/fixtures/lnk/native.seven.05.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.seven.05.lnk.fingerprint
@@ -12,7 +12,7 @@
 },
 "targets": [
 {
- "name": "Users property view",
+ "name": "RECYCLE_BIN",
 "size": 20,
 "type_id": 31,
 "sha256": "f60454d9b322749cf4092847b9e81572fa4f9aa4df272c462866ef55c0b46657"
diff --git a/libbeat/formats/fixtures/lnk/native.seven.06.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.06.lnk.fingerprint
index a68a2aec1e8f..0b6ed19385d0 100644
--- a/libbeat/formats/fixtures/lnk/native.seven.06.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.seven.06.lnk.fingerprint
@@ -12,7 +12,7 @@
 },
 "targets": [
 {
- "name": "Users property view",
+ "name": "RECYCLE_BIN",
 "size": 20,
 "type_id": 31,
 "sha256": "f60454d9b322749cf4092847b9e81572fa4f9aa4df272c462866ef55c0b46657"
diff --git a/libbeat/formats/fixtures/lnk/native.seven.08.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.08.lnk.fingerprint
index 1eb71bb3c270..4972745980da 100644
--- a/libbeat/formats/fixtures/lnk/native.seven.08.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.seven.08.lnk.fingerprint
@@ -16,7 +16,7 @@
 },
 "targets": [
 {
- "name": "Root folder: GUID",
+ "name": "MY_COMPUTER",
 "size": 20,
 "type_id": 31,
 "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b"
diff --git a/libbeat/formats/fixtures/lnk/native.seven.09.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.09.lnk.fingerprint
index 0e652d924bba..4f4b036ba0d6 100644
--- a/libbeat/formats/fixtures/lnk/native.seven.09.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.seven.09.lnk.fingerprint
@@ -22,7 +22,7 @@
 },
 "targets": [
 {
- "name": "Root folder: GUID",
+ "name": "MY_COMPUTER",
 "size": 20,
 "type_id": 31,
 "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b"
diff --git a/libbeat/formats/fixtures/lnk/native.seven.11.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.11.lnk.fingerprint
index 89345bfe94cf..6ae0d3c704a3 100644
--- a/libbeat/formats/fixtures/lnk/native.seven.11.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.seven.11.lnk.fingerprint
@@ -12,7 +12,7 @@
 },
 "targets": [
 {
- "name": "Users property view",
+ "name": "RECYCLE_BIN",
 "size": 20,
 "type_id": 31,
 "sha256": "f60454d9b322749cf4092847b9e81572fa4f9aa4df272c462866ef55c0b46657"
diff --git a/libbeat/formats/fixtures/lnk/native.xp.01.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.01.lnk.fingerprint
index 75f642b9b8f3..7da35e8e6aed 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.01.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.01.lnk.fingerprint
@@ -24,7 +24,7 @@
 },
 "targets": [
 {
- "name": "Root folder: GUID",
+ "name": "MY_COMPUTER",
 "size": 20,
 "type_id": 31,
 "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b"
diff --git a/libbeat/formats/fixtures/lnk/native.xp.03.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.03.lnk.fingerprint
index 4de53d87b4fc..8af9f8c59611 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.03.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.03.lnk.fingerprint
@@ -22,7 +22,7 @@
 },
 "targets": [
 {
- "name": "Root folder: GUID",
+ "name": "MY_COMPUTER",
 "size": 20,
 "type_id": 31,
 "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b"
diff --git a/libbeat/formats/fixtures/lnk/native.xp.04.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.04.lnk.fingerprint
index 797edad73b8c..04766a1f7c24 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.04.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.04.lnk.fingerprint
@@ -21,7 +21,7 @@
 },
 "targets": [
 {
- "name": "Root folder: GUID",
+ "name": "MY_COMPUTER",
 "size": 20,
 "type_id": 31,
 "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b"
diff --git a/libbeat/formats/fixtures/lnk/native.xp.05.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.05.lnk.fingerprint
index 56d89ed9ef82..a0901055e06a 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.05.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.05.lnk.fingerprint
@@ -22,7 +22,7 @@
 },
 "targets": [
 {
- "name": "Root folder: GUID",
+ "name": "MY_COMPUTER",
 "size": 20,
 "type_id": 31,
 "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b"
diff --git a/libbeat/formats/fixtures/lnk/native.xp.06.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.06.lnk.fingerprint
index 8b103a04fcbc..640e6961b94e 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.06.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.06.lnk.fingerprint
@@ -21,7 +21,7 @@
 },
 "targets": [
 {
- "name": "Root folder: GUID",
+ "name": "MY_COMPUTER",
 "size": 20,
 "type_id": 31,
 "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b"
diff --git a/libbeat/formats/fixtures/lnk/native.xp.07.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.07.lnk.fingerprint
index 69d8878cee16..b775f0ca6521 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.07.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.07.lnk.fingerprint
@@ -23,7 +23,7 @@
 },
 "targets": [
 {
- "name": "Root folder: GUID",
+ "name": "MY_COMPUTER",
 "size": 20,
 "type_id": 31,
 "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b"
diff --git a/libbeat/formats/fixtures/lnk/native.xp.08.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.08.lnk.fingerprint
index 4d875a1eabef..5c0bb8377825 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.08.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.08.lnk.fingerprint
@@ -23,7 +23,7 @@
 },
 "targets": [
 {
- "name": "Root folder: GUID",
+ "name": "MY_COMPUTER",
 "size": 20,
 "type_id": 31,
 "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b"
diff --git a/libbeat/formats/fixtures/lnk/native.xp.09.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.09.lnk.fingerprint
index 53dd86def640..3bd7ae71316b 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.09.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.09.lnk.fingerprint
@@ -21,7 +21,7 @@
 },
 "targets": [
 {
- "name": "Root folder: GUID",
+ "name": "MY_COMPUTER",
 "size": 20,
 "type_id": 31,
 "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b"
diff --git a/libbeat/formats/fixtures/lnk/native.xp.10.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.10.lnk.fingerprint
index 15cc7a6e78ef..f8ed1af2aba9 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.10.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.10.lnk.fingerprint
@@ -23,7 +23,7 @@
 },
 "targets": [
 {
- "name": "Root folder: GUID",
+ "name": "MY_COMPUTER",
 "size": 20,
 "type_id": 31,
 "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b"
diff --git a/libbeat/formats/fixtures/lnk/native.xp.11.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.11.lnk.fingerprint
index 5a2ed8df3d35..81ead8196722 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.11.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.11.lnk.fingerprint
@@ -21,7 +21,7 @@
 },
 "targets": [
 {
- "name": "Root folder: GUID",
+ "name": "MY_COMPUTER",
 "size": 20,
 "type_id": 31,
 "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b"
diff --git a/libbeat/formats/fixtures/lnk/native.xp.12.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.12.lnk.fingerprint
index b2bfc3d21f97..b894f4729370 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.12.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.12.lnk.fingerprint
@@ -22,7 +22,7 @@
 },
 "targets": [
 {
- "name": "Root folder: GUID",
+ "name": "MY_COMPUTER",
 "size": 20,
 "type_id": 31,
 "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b"
diff --git a/libbeat/formats/fixtures/lnk/native.xp.13.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.13.lnk.fingerprint
index 0c99d59e72a5..1cb2e38559d9 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.13.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.13.lnk.fingerprint
@@ -22,7 +22,7 @@
 },
 "targets": [
 {
- "name": "Root folder: GUID",
+ "name": "MY_COMPUTER",
 "size": 20,
 "type_id": 31,
 "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b"
diff --git a/libbeat/formats/fixtures/lnk/native.xp.14.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.14.lnk.fingerprint
index 8918da1205bf..d8bb4b0c3ed8 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.14.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.14.lnk.fingerprint
@@ -22,7 +22,7 @@
 },
 "targets": [
 {
- "name": "Root folder: GUID",
+ "name": "MY_COMPUTER",
 "size": 20,
 "type_id": 31,
 "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b"
diff --git a/libbeat/formats/fixtures/lnk/native.xp.15.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.15.lnk.fingerprint
index 681a00636f5c..890e025e8631 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.15.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.15.lnk.fingerprint
@@ -19,7 +19,7 @@
 },
 "targets": [
 {
- "name": "Root folder: GUID",
+ "name": "MY_COMPUTER",
 "size": 20,
 "type_id": 31,
 "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b"
diff --git a/libbeat/formats/fixtures/lnk/native.xp.16.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.16.lnk.fingerprint
index 539ac4b6d47e..d8583a91fb69 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.16.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.16.lnk.fingerprint
@@ -19,7 +19,7 @@
 },
 "targets": [
 {
- "name": "Root folder: GUID",
+ "name": "MY_COMPUTER",
 "size": 20,
 "type_id": 31,
 "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b"
diff --git a/libbeat/formats/fixtures/lnk/native.xp.17.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.17.lnk.fingerprint
index cae919dbff04..f093096d7c8a 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.17.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.17.lnk.fingerprint
@@ -21,7 +21,7 @@
 },
 "targets": [
 {
- "name": "Root folder: GUID",
+ "name": "MY_COMPUTER",
 "size": 20,
 "type_id": 31,
 "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b"
diff --git a/libbeat/formats/fixtures/lnk/native.xp.18.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.18.lnk.fingerprint
index 365976ea2116..fcf4c354356d 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.18.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.18.lnk.fingerprint
@@ -13,7 +13,7 @@
 },
 "targets": [
 {
- "name": "Root folder: GUID",
+ "name": "MY_COMPUTER",
 "size": 20,
 "type_id": 31,
 "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b"
diff --git a/libbeat/formats/fixtures/lnk/native.xp.19.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.19.lnk.fingerprint
index 683bad718349..e11095ceae21 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.19.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.19.lnk.fingerprint
@@ -13,7 +13,7 @@
 },
 "targets": [
 {
- "name": "Root folder: GUID",
+ "name": "MY_COMPUTER",
 "size": 20,
 "type_id": 31,
 "sha256": "e0e4d0b44f5795d50c6143686d84d5293d3c178c2e9321cf030c1c12d9b0ba6b"
diff --git a/libbeat/formats/fixtures/lnk/native.xp.20.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.20.lnk.fingerprint
index 9a4e5349ae6a..3cf25c922745 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.20.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.20.lnk.fingerprint
@@ -17,7 +17,7 @@
 },
 "targets": [
 {
- "name": "Users property view",
+ "name": "INTERNET_EXPLORER",
 "size": 20,
 "type_id": 31,
 "sha256": "e5195069b02302adc92598b7a8e87732d75cf4a0fc6182b267676fc323a1e5e7"
diff --git a/libbeat/formats/fixtures/lnk/remote.directory.xp.lnk.fingerprint b/libbeat/formats/fixtures/lnk/remote.directory.xp.lnk.fingerprint
index 151865dbc38e..32b48fa466c5 100644
--- a/libbeat/formats/fixtures/lnk/remote.directory.xp.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/remote.directory.xp.lnk.fingerprint
@@ -17,7 +17,7 @@
 },
 "targets": [
 {
- "name": "Users property view",
+ "name": "INTERNET_EXPLORER",
 "size": 20,
 "type_id": 31,
 "sha256": "e5195069b02302adc92598b7a8e87732d75cf4a0fc6182b267676fc323a1e5e7"
diff --git a/libbeat/formats/fixtures/lnk/remote.file.xp.lnk.fingerprint b/libbeat/formats/fixtures/lnk/remote.file.xp.lnk.fingerprint
index d02d741adbf6..7ba9956d6549 100644
--- a/libbeat/formats/fixtures/lnk/remote.file.xp.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/remote.file.xp.lnk.fingerprint
@@ -19,7 +19,7 @@
 },
 "targets": [
 {
- "name": "Users property view",
+ "name": "INTERNET_EXPLORER",
 "size": 20,
 "type_id": 31,
 "sha256": "e5195069b02302adc92598b7a8e87732d75cf4a0fc6182b267676fc323a1e5e7"
diff --git a/libbeat/formats/lnk/known_shellbag_guids.go b/libbeat/formats/lnk/known_shellbag_guids.go
new file mode 100644
index 000000000000..66f14fa17d89
--- /dev/null
+++ b/libbeat/formats/lnk/known_shellbag_guids.go
@@ -0,0 +1,381 @@
+package lnk
+
+var knownShellbagGuids = map[string]string{
+ "008ca0b1-55b4-4c56-b8a8-4de4b299d3bE": "Account Pictures",
+ "00bcfc5a-ed94-4e48-96a1-3f6217f21990": "RoamingTiles",
+ "00c6d95f-329c-409a-81d7-c46c66ea7f33": "Default Location",
+ "00f2886f-cd64-4fc9-8ec5-30ef6cdbe8c3": "Scanners and Cameras",
+ "0139d44e-6afe-49f2-8690-3dafcae6ffb8": "Programs",
+ "0142e4d0-fb7a-11dc-ba4a-000ffe7ab428": "Biometric Devices",
+ "018d5c66-4533-4307-9b53-224de2ed1fe6": "OneDrive",
+ "025a5937-a6be-4686-a844-36fe4bec8b6d": "Power Options",
+ "031e4825-7b94-4dc3-b131-e946b44c8dd5": "Libraries",
+ "04731b67-d933-450a-90e6-4acd2e9408fe": "Search Folder",
+ "0482af6c-08f1-4c34-8c90-e17ec98b1e17": "Public Account Pictures",
+ "054fae61-4dd8-4787-80b6-090220c4b700": "GameExplorer",
+ "05d7b0f4-2121-4eff-bf6b-ed3f69b894d9": "Taskbar (NotificationAreaIcons)",
+ "0762d272-c50a-4bb0-a382-697dcd729b80": "Users",
+ "087da31b-0dd3-4537-8e23-64a18591f88b": "Windows Security Center",
+ "0907616e-f5e6-48d8-9d61-a91c3d28106d": "Hyper-V Remote File Browsing",
+ "0ac0837c-bbf8-452a-850d-79d08e667ca7": "Computer",
+ "0afaced1-e828-11d1-9187-b532f1e9575d": "Folder Shortcut",
+ "0b2baaeb-0042-4dca-aa4d-3ee8648d03e5": "Pictures Library",
+ "0c15d503-d017-47ce-9016-7b3f978721cc": "Portable Device Values",
+ "0c39a5cf-1a7a-40c8-ba74-8900e6df5fcd": "Recent Items",
+ "0cd7a5c0-9f37-11ce-ae65-08002b2e1262": "Cabinet File",
+ "0d4c3db6-03a3-462f-a0e6-08924c41b5d4": "History",
+ "0df44eaa-ff21-4412-828e-260a8728e7f1": "Taskbar and Start Menu",
+ "0f214138-b1d3-4a90-bba9-27cbc0c5389a": "Sync Setup",
+ "11016101-e366-4d22-bc06-4ada335c892b": "Internet Explorer History and Feeds Shell Data Source for Windows Search",
+ "1206f5f1-0569-412c-8fec-3204630dfb70": "Credential Manager",
+ "13e7f612-f261-4391-bea2-39df4f3fa311": "Windows Desktop Search",
+ "15ca69b3-30ee-49c1-ace1-6b5ec372afb5": "Sample Playlists",
+ "15eae92e-f17a-4431-9f28-805e482dafd4": "Install New Programs ",
+ "1723d66a-7a12-443e-88c7-05e1bfe79983": "Previous Versions Delegate Folder",
+ "1777f761-68ad-4d8a-87bd-30b759fa33dd": "Favorites",
+ "17cd9488-1228-4b2f-88ce-4298e93e0966": "Default Programs",
+ "18989b1d-99b5-455b-841c-ab7c74e4ddfc": "Videos",
+ "190337d1-b8ca-4121-a639-6d472d16972a": "Search Results",
+ "1a6fdba2-f42d-4358-a798-b74d745926c5": "Recorded TV",
+ "1a9ba3a0-143a-11cf-8350-444553540000": "Shell Favorite Folder",
+ "1ac14e77-02e7-4e5d-b744-2eb1ae5198b7": "System32",
+ "1b3ea5dc-b587-4786-b4ef-bd1dc332aeae": "Libraries",
+ "1cf1260c-4dd0-4ebb-811f-33c572699fde": "Music",
+ "1d2680c9-0e2a-469d-b787-065558bc7d43": "Fusion Cache",
+ "1e87508d-89c2-42f0-8a7e-645a0f50ca58": "Applications",
+ "1f3427c8-5c10-4210-aa03-2ee45287d668": "User Pinned",
+ "1f43a58c-ea28-43e6-9ec4-34574a16ebb7": "Windows Desktop Search MAPI Namespace Extension Class",
+ "1f4de370-d627-11d1-ba4f-00a0c91eedba": "Search Results - Computers (Computer Search Results Folder, Network Computers)",
+ "1fa9085f-25a2-489b-85d4-86326eedcd87": "Manage Wireless Networks",
+ "208d2c60-3aea-1069-a2d7-08002b30309d": "My Network Places",
+ "20d04fe0-3aea-1069-a2d8-08002b30309d": "My Computer",
+ "2112ab0a-c86a-4ffe-a368-0de96e47012e": "Music",
+ "21ec2020-3aea-1069-a2dd-08002b30309d": "Control Panel",
+ "2227a280-3aea-1069-a2de-08002b30309d": "Printers",
+ "22877a6d-37a1-461a-91b0-dbda5aaebc99": "Recent Places",
+ "2400183a-6185-49fb-a2d8-4a392a602ba3": "Public Videos",
+ "241d7c96-f8bf-4f85-b01f-e2b043341a4b": "Workspaces Center(Remote Application and Desktop Connections)",
+ "24d89e24-2f19-4534-9dde-6a6671fbb8fe": "Documents",
+ "2559a1f0-21d7-11d4-bdaf-00c04f60b9f0": "Search",
+ "2559a1f1-21d7-11d4-bdaf-00c04f60b9f0": "Help and Support",
+ "2559a1f2-21d7-11d4-bdaf-00c04f60b9f0": "Windows Security",
+ "2559a1f3-21d7-11d4-bdaf-00c04f60b9f0": "Run...",
+ "2559a1f4-21d7-11d4-bdaf-00c04f60b9f0": "Internet",
+ "2559a1f5-21d7-11d4-bdaf-00c04f60b9f0": "E-mail",
+ "2559a1f6-21d7-11d4-bdaf-00c04f60b9f0": "OEM link",
+ "2559a1f7-21d7-11d4-bdaf-00c04f60b9f0": "Set Program Access and Defaults",
+ "259ef4b1-e6c9-4176-b574-481532c9bce8": "Game Controllers",
+ "267cf8a9-f4e3-41e6-95b1-af881be130ff": "Location Folder",
+ "26ee0668-a00a-44d7-9371-beb064c98683": "Control Panel",
+ "2728520d-1ec8-4c68-a551-316b684c4ea7": "Network Setup Wizard",
+ "27e2e392-a111-48e0-ab0c-e17705a05f85": "WPD Content Type Folder",
+ "28803f59-3a75-4058-995f-4ee5503b023c": "Bluetooth Devices",
+ "289978ac-a101-4341-a817-21eba7fd046d": "Sync Center Conflict Folder",
+ "289a9a43-be44-4057-a41b-587a76d7e7f9": "Sync Results",
+ "289af617-1cc3-42a6-926c-e6a863f0e3ba": "DLNA Media Servers Data Source",
+ "292108be-88ab-4f33-9a26-7748e62e37ad": "Videos library",
+ "2965e715-eb66-4719-b53f-1672673bbefa": "Results Folder",
+ "2a00375e-224c-49de-b8d1-440df7ef3ddc": "LocalizedResourcesDir",
+ "2b0f765d-c0e9-4171-908e-08a611b84ff6": "Cookies",
+ "2c36c0aa-5812-4b87-bfd0-4cd0dfb19b39": "Original Images",
+ "2e9e59c0-b437-4981-a647-9c34b9b90891": "Sync Setup Folder",
+ "2f6ce85c-f9ee-43ca-90c7-8a9bd53a2467": "File History Data Source",
+ "3080f90d-d7ad-11d9-bd98-0000947b0257": "Show Desktop",
+ "3080f90e-d7ad-11d9-bd98-0000947b0257": "Window Switcher",
+ "3214fab5-9757-4298-bb61-92a9deaa44ff": "Public Music",
+ "323ca680-c24d-4099-b94d-446dd2d7249e": "Common Places",
+ "328b0346-7eaf-4bbe-a479-7cb88a095f5b": "Layout Folder",
+ "335a31dd-f04b-4d76-a925-d6b47cf360df": "Backup and Restore Center",
+ "339719b5-8c47-4894-94c2-d8f77add44a6": "Pictures",
+ "33e28130-4e1e-4676-835a-98395c3bc3bb": "Pictures",
+ "352481e8-33be-4251-ba85-6007caedcf9d": "Temporary Internet Files",
+ "35786d3c-b075-49b9-88dd-029876e11c01": "Portable Devices",
+ "36011842-dccc-40fe-aa3d-6177ea401788": "Documents Search Results",
+ "36eef7db-88ad-4e81-ad49-0e313f0c35f8": "Windows Update",
+ "374de290-123f-4565-9164-39c4925e467b": "Downloads",
+ "37efd44d-ef8d-41b1-940d-96973a50e9e0": "Desktop Gadgets",
+ "38a98528-6cbf-4ca9-8dc0-b1e1d10f7b1b": "Connect To",
+ "3add1653-eb32-4cb0-bbd7-dfa0abb5acca": "Pictures",
+ "3c5c43a3-9ce9-4a9b-9699-2ac0cf6cc4bf": "Configure Wireless Network",
+ "3d644c9b-1fb8-4f30-9b45-f670235f79c0": "Public Downloads",
+ "3e7efb4c-faf1-453d-89eb-56026875ef90": "Windows Marketplace",
+ "3eb685db-65f9-4cf6-a03a-e3ef65729f3d": "RoamingAppData",
+ "3f2a72a7-99fa-4ddb-a5a8-c604edf61d6b": "Music Library",
+ "3f6bc534-dfa1-4ab4-ae54-ef25a74e0107": "System Restore",
+ "3f98a740-839c-4af7-8c36-5badfb33d5fd": "Documents library",
+ "4026492f-2f69-46b8-b9bf-5654fc07e423": "Windows Firewall",
+ "40419485-c444-4567-851a-2dd7bfa1684d": "Phone and Modem",
+ "418c8b64-5463-461d-88e0-75e2afa3c6fa": "Explorer Browser Results Folder",
+ "4234d49b-0245-4df3-b780-3893943456e1": "Applications",
+ "4336a54d-038b-4685-ab02-99bb52d3fb8b": "Samples",
+ "43668bf8-c14e-49b2-97c9-747784d784b7": "Sync Center",
+ "437ff9c0-a07f-4fa0-af80-84b6c6440a16": "Command Folder",
+ "450d8fba-ad25-11d0-98a8-0800361b1103": "My Documents",
+ "4564b25e-30cd-4787-82ba-39e73a750b14": "Recent Items Instance Folder",
+ "45c6afa5-2c13-402f-bc5d-45cc8172ef6b": "Toshiba Bluetooth Stack",
+ "46137b78-0ec3-426d-8b89-ff7c3a458b5e": "Network Neighborhood",
+ "46e06680-4bf0-11d1-83ee-00a0c90dc849": "NETWORK_DOMAIN",
+ "48daf80b-e6cf-4f4e-b800-0e69d84ee384": "Libraries",
+ "48e7caab-b918-4e58-a94d-505519c795dc": "Start Menu Folder",
+ "491e922f-5643-4af4-a7eb-4e7a138d8174": "Videos",
+ "4bd8d571-6d19-48d3-be97-422220080e43": "Music",
+ "4bfefb45-347d-4006-a5be-ac0cb0567192": "Conflicts",
+ "4c5c32ff-bb9d-43b0-b5b4-2d72e54eaaa4": "Saved Games",
+ "4d9f7874-4e0c-4904-967b-40b0d20c3e4b": "Internet",
+ "4dcafe13-e6a7-4c28-be02-ca8c2126280d": "Pictures Search Results",
+ "5224f545-a443-4859-ba23-7b5a95bdc8ef": "People Near Me",
+ "52528a6b-b9e3-4add-b60d-588c2dba842d": "Homegroup",
+ "52a4f021-7b75-48a9-9f6b-4b87a210bc8f": "Quick Launch",
+ "5399e694-6ce5-4d6c-8fce-1d8870fdcba0": "Control Panel command object for Start menu and desktop",
+ "54a754c0-4bf1-11d1-83ee-00a0c90dc849": "NETWORK_SHARE",
+ "56784854-c6cb-462b-8169-88e350acb882": "Contacts",
+ "58e3c745-d971-4081-9034-86e34b30836a": "Speech Recognition Options",
+ "59031a47-3f72-44a7-89c5-5595fe6b30ee": "Shared Documents Folder (Users Files)",
+ "5b3749ad-b49f-49c1-83eb-15370fbd4882": "TreeProperties",
+ "5b934b42-522b-4c34-bbfe-37a3ef7b9c90": "This Device Folder",
+ "5c4f28b5-f869-4e84-8e60-f11db97c5cc7": "Generic (All folder items)",
+ "5cd7aee2-2219-4a67-b85d-6c9ce15660cb": "Programs",
+ "5ce4a5e9-e4eb-479d-b89f-130c02886155": "DeviceMetadataStore",
+ "5e6c858f-0e22-4760-9afe-ea3317b67173": "Profile",
+ "5e8fc967-829a-475c-93ea-51fce6d9ffce": "RealPlayer Cloud",
+ "5ea4f148-308c-46d7-98a9-49041b1dd468": "Mobility Center Control Panel",
+ "5f4eab9a-6833-4f61-899d-31cf46979d49": "Generic library",
+ "5fa947b5-650a-4374-8a9a-5efa4f126834": "OpenDrive",
+ "5fa96407-7e77-483c-ac93-691d05850de8": "Videos",
+ "5fcd4425-ca3a-48f4-a57c-b8a75c32acb1": "Hewlett-Packard Recovery (Protect.dll)",
+ "60632754-c523-4b62-b45c-4172da012619": "User Accounts",
+ "625b53c3-ab48-4ec1-ba1f-a1ef4146fc19": "Start Menu",
+ "62ab5d82-fdc1-4dc3-a9dd-070d1d495d97": "ProgramData",
+ "62d8ed13-c9d0-4ce8-a914-47dd628fb1b0": "Regional and Language Options",
+ "631958a6-ad0f-4035-a745-28ac066dc6ed": "Videos Library",
+ "6365d5a7-0f0d-45e5-87f6-0da56b6a4f7d": "Common Files",
+ "63da6ec0-2e98-11cf-8d82-444553540000": "Microsoft FTP Folder",
+ "640167b4-59b0-47a6-b335-a6b3c0695aea": "Portable Media Devices",
+ "645ff040-5081-101b-9f08-00aa002f954e": "Recycle bin",
+ "64693913-1c21-4f30-a98f-4e52906d3b56": "App Instance Folder",
+ "67718415-c450-4f3c-bf8a-b487642dc39b": "Windows Features",
+ "6785bfac-9d2d-4be5-b7e2-59937e8fb80a": "Other Users Folder",
+ "679f85cb-0220-4080-b29b-5540cc05aab6": "Home Folder",
+ "67ca7650-96e6-4fdd-bb43-a8e774f73a57": "Home Group Control Panel (Home Group)",
+ "692f0339-cbaa-47e6-b5b5-3b84db604e87": "Extensions Manager Folder",
+ "69d2cf90-fc33-4fb7-9a0c-ebb0f0fcb43c": "Slide Shows",
+ "6c8eec18-8d75-41b2-a177-8831d59d2d50": "Mouse",
+ "6dfd7c5c-2451-11d3-a299-00c04f8ef6af": "Folder Options",
+ "6f0cd92b-2e97-45d1-88ff-b0d186b8dedd": "Network Connections",
+ "7007acc7-3202-11d1-aad2-00805fc1270e": "Network Connections",
+ "708e1662-b832-42a8-bbe1-0a77121e3908": "Tree property value folder",
+ "71689ac1-cc88-45d0-8a22-2943c3e7dfb3": "Music Search Results",
+ "71d99464-3b6b-475c-b241-e15883207529": "Sync Results Folder",
+ "724ef170-a42d-4fef-9f26-b60e846fba4f": "Administrative tools",
+ "725be8f7-668e-4c7b-8f90-46bdb0936430": "Keyboard",
+ "72b36e70-8700-42d6-a7f7-c9ab3323ee51": "Search Connector Folder",
+ "74246bfc-4c96-11d0-abef-0020af6b0b7a": "Device Manager",
+ "767e6811-49cb-4273-87c2-20f355e1085b": "Camera Roll",
+ "76fc4e2d-d6ad-4519-a663-37bd56068185": "Printers",
+ "78cb147a-98ea-4aa6-b0df-c8681f69341c": "Windows CardSpace",
+ "78f3955e-3b90-4184-bd14-5397c15f1efc": "Performance Information and Tools",
+ "7a979262-40ce-46ff-aeee-7884ac3b6136": "Add Hardware",
+ "7a9d77bd-5403-11d2-8785-2e0420524153": "User Accounts (Users and Passwords)",
+ "7b0db17d-9cd2-4a93-9733-46cc89022e7c": "Documents",
+ "7b396e54-9ec5-4300-be0a-2482ebae1a26": "Gadgets",
+ "7b81be6a-ce2b-4676-a29e-eb907a5126c5": "Programs and Features",
+ "7bd29e00-76c1-11cf-9dd0-00a0c9034933": "Temporary Internet Files",
+ "7bd29e01-76c1-11cf-9dd0-00a0c9034933": "Temporary Internet Files",
+ "7be9d83c-a729-4d97-b5a7-1b7313c39e0a": "Programs Folder",
+ "7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e": "Program Files",
+ "7d1d3a04-debb-4115-95cf-2f29da2920da": "Searches",
+ "7d49d726-3c21-4f05-99aa-fdc2c9474656": "Documents",
+ "7e636bfe-dfa9-4d5e-b456-d7b39851d8a9": "Templates",
+ "7fde1a1e-8b31-49a5-93b8-6be14cfa4943": "Generic Search Results",
+ "80213e82-bcfd-4c4f-8817-bb27601267a9": "Compressed Folder (zip folder)",
+ "8060b2e3-c9d7-4a5d-8c6b-ce8eba111328": "Proximity CPL",
+ "80f3f1d5-feca-45f3-bc32-752c152e456e": "Tablet PC Settings",
+ "82a5ea35-d9cd-47c5-9629-e15d2f714e6e": "CommonStartup",
+ "82a74aeb-aeb4-465c-a014-d097ee346d63": "Control Panel",
+ "82ba0782-5b7a-4569-b5d7-ec83085f08cc": "TopViews",
+ "8343457c-8703-410f-ba8b-8b026e431743": "Feedback Tool",
+ "859ead94-2e85-48ad-a71a-0969cb56a6cd": "Sample Videos",
+ "85bbd920-42a0-1069-a2e4-08002b30309d": "Briefcase",
+ "863aa9fd-42df-457b-8e4d-0de1b8015c60": "Remote Printers",
+ "865e5e76-ad83-4dca-a109-50dc2113ce9a": "Programs Folder and Fast Items",
+ "871c5380-42a0-1069-a2ea-08002b30309d": "Internet Explorer (Homepage)",
+ "87630419-6216-4ff8-a1f0-143562d16d5c": "Mobile Broadband Profile Settings Editor",
+ "877ca5ac-cb41-4842-9c69-9136e42d47e2": "File Backup Index",
+ "87d66a43-7b11-4a28-9811-c86ee395acf7": "Indexing Options",
+ "88c6c381-2e85-11d0-94de-444553540000": "ActiveX Cache Folder",
+ "896664f7-12e1-490f-8782-c0835afd98fc": "Libraries delegate folder that appears in Users Files Folder",
+ "8983036c-27c0-404b-8f08-102d10dcfd74": "SendTo",
+ "89d83576-6bd1-4c86-9454-beb04e94c819": "MAPI Folder",
+ "8ad10c31-2adb-4296-a8f7-e4701232c972": "Resources",
+ "8e74d236-7f35-4720-b138-1fed0b85ea75": "OneDrive",
+ "8e908fc9-becc-40f6-915b-f4ca0e70d03d": "Network and Sharing Center",
+ "8fd8b88d-30e1-4f25-ac2b-553d3d65f0ea": "DXP",
+ "905e63b6-c1bf-494e-b29c-65b732d3d21a": "Program Files",
+ "9113a02d-00a3-46b9-bc5f-9c04daddd5d7": "Enhanced Storage Data Source",
+ "9274bd8d-cfd1-41c3-b35e-b13f55a758f4": "Printer Shortcuts",
+ "93412589-74d4-4e4e-ad0e-e0cb621440fd": "Font Settings",
+ "9343812e-1c37-4a49-a12e-4b2d810d956b": "Search Home",
+ "94d6ddcc-4a68-4175-a374-bd584a510b78": "Music",
+ "96437431-5a90-4658-a77c-25478734f03e": "Server Manager",
+ "96ae8d84-a250-4520-95a5-a47a7e3c548b": "Parental Controls",
+ "978e0ed7-92d6-4cec-9b59-3135b9c49ccf": "Music library",
+ "98d99750-0b8a-4c59-9151-589053683d73": "Windows Search Service Media Center Namespace Extension Handler",
+ "98ec0e18-2098-4d44-8644-66979315a281": "Microsoft Office Outlook",
+ "98f275b4-4fff-11e0-89e2-7b86dfd72085": "Start Menu Launcher Provider Folder",
+ "992cffa0-f557-101a-88ec-00dd010ccc48": "Network Connections",
+ "9a096bb5-9dc3-4d1c-8526-c3cbf991ea4e": "Internet Explorer RSS Feeds Folder",
+ "9b74b6a3-0dfd-4f11-9e78-5f7800f2e772": "The user's username (%USERNAME%)",
+ "9c60de1e-e5fc-40f4-a487-460851a8d915": "AutoPlay",
+ "9c73f5e5-7ae7-4e32-a8e8-8d23b85255bf": "Sync Center",
+ "9db7a13c-f208-4981-8353-73cc61ae2783": "Previous Versions",
+ "9e3995ab-1f9c-4f13-b827-48b24b6c7174": "User Pinned",
+ "9e52ab10-f80d-49df-acb8-4330f5687855": "CDBurning",
+ "9f433b7c-5f96-4ce1-ac28-aeaa1cc04d7c": "Security Center",
+ "9fe63afd-59cf-4419-9775-abcc3849f861": "System Recovery",
+ "a00ee528-ebd9-48b8-944a-8942113d46ac": "Start Menu Commanding Provider Folder",
+ "a0275511-0e86-4eca-97c2-ecd8f1221d08": "Infrared",
+ "a0953c92-50dc-43bf-be83-3742fed03c9c": "Videos",
+ "a302545d-deff-464b-abe8-61c8648d939b": "Libraries",
+ "a304259d-52b8-4526-8b1a-a1d6cecc8243": "iSCSI Initiator",
+ "a305ce99-f527-492b-8b1a-7e76fa98d6e4": "Installed Updates",
+ "a3918781-e5f2-4890-b3d9-a7e54332328c": "Application Shortcuts",
+ "a3c3d402-e56c-4033-95f7-4885e80b0111": "Previous Versions Results Delegate Folder",
+ "a3dd4f92-658a-410f-84fd-6fbbbef2fffe": "Internet Options",
+ "a4115719-d62e-491d-aa7c-e74b8be3b067": "Start Menu",
+ "a5110426-177d-4e08-ab3f-785f10b4439c": "Sony Ericsson File Manager",
+ "a520a1a4-1780-4ff6-bd18-167343c5af16": "AppDataLow",
+ "a52bba46-e9e1-435f-b3d9-28daa648c0f6": "OneDrive",
+ "a5a3563a-5755-4a6f-854e-afa3230b199f": "Library Folder",
+ "a5e46e3a-8849-11d1-9d8c-00c04fc99d61": "Microsoft Browser Architecture",
+ "a63293e8-664e-48db-a079-df759e0509f7": "Templates",
+ "a6482830-08eb-41e2-84c1-73920c2badb9": "Removable Storage Devices",
+ "a75d362e-50fc-4fb7-ac2c-a8beaa314493": "SidebarParts",
+ "a77f5d77-2e2b-44c3-a6a2-aba601054a51": "Programs",
+ "a8a91a66-3a7d-4424-8d24-04e180695c7a": "Device Center(Devices and Printers)",
+ "a8cdff1c-4878-43be-b5fd-f8091c1c60d0": "Documents",
+ "a990ae9f-a03b-4e80-94bc-9912d7504104": "Pictures",
+ "aaa8d5a5-f1d6-4259-baa8-78e7ef60835e": "RoamedTileImages",
+ "ab4f43ca-adcd-4384-b9af-3cecea7d6544": "Sitios Web",
+ "ab5fb87b-7ce2-4f83-915d-550846c9537b": "Camera Roll",
+ "ae50c081-ebd2-438a-8655-8a092e34987a": "Recent Items",
+ "aee2420f-d50e-405c-8784-363c582bf45a": "Device Pairing Folder",
+ "afdb1f70-2a4c-11d2-9039-00c04f8eeb3e": "Offline Files Folder",
+ "b155bdf8-02f0-451e-9a26-ae317cfd7779": "Delegate folder that appears in Computer",
+ "b250c668-f57d-4ee1-a63c-290ee7d1aa1f": "Sample Music",
+ "b28aa736-876b-46da-b3a8-84c5e30ba492": "Web sites",
+ "b2952b16-0e07-4e5a-b993-58c52cb94cae": "DB Folder",
+ "b2c761c6-29bc-4f19-9251-e6195265baf1": "Color Management",
+ "b3690e58-e961-423b-b687-386ebfd83239": "Pictures folder",
+ "b4bfcc3a-db2c-424c-b029-7fe99a87c641": "Desktop",
+ "b4fb3f98-c1ea-428d-a78a-d1f5659cba93": "Other Users Folder",
+ "b5947d7f-b489-4fde-9e77-23780cc610d1": "Virtual Machines",
+ "b689b0d0-76d3-4cbb-87f7-585d0e0ce070": "Games folder",
+ "b6ebfb86-6907-413c-9af7-4fc2abf07cc5": "Public Pictures",
+ "b7534046-3ecb-4c18-be4e-64cd4cb7d6ac": "Recycle Bin",
+ "b7bede81-df94-4682-a7d8-57a52620b86f": "Screenshots",
+ "b94237e7-57ac-4347-9151-b08c6c32d1f7": "CommonTemplates",
+ "b97d20bb-f46a-4c97-ba10-5e3608430854": "Startup",
+ "b98a2bea-7d42-4558-8bd1-832f41bac6fd": "Backup And Restore (Backup and Restore Center)",
+ "bb06c0e4-d293-4f75-8a90-cb05b6477eee": "System",
+ "bb64f8a7-bee7-4e1a-ab8d-7d8273f7fdb6": "Action Center",
+ "bc476f4c-d9d7-4100-8d4e-e043f6dec409": "Microsoft Browser Architecture",
+ "bc48b32f-5910-47f5-8570-5074a8a5636a": "Sync Results Delegate Folder",
+ "bcb5256f-79f6-4cee-b725-dc34e402fd46": "ImplicitAppShortcuts",
+ "bcbd3057-ca5c-4622-b42d-bc56db0ae516": "Programs",
+ "bd7a2e7b-21cb-41b2-a086-b309680c6b7e": "Client Side Cache Folder",
+ "bd84b380-8ca2-1069-ab1d-08000948f534": "Microsoft Windows Font Folder",
+ "bd85e001-112e-431e-983b-7b15ac09fff1": "RecordedTV",
+ "bdbe736f-34f5-4829-abe8-b550e65146c4": "TopViews",
+ "bdeadf00-c265-11d0-bced-00a0c90ab50f": "Web Folders",
+ "be122a0e-4503-11da-8bde-f66bad1e3f3a": "Windows Anytime Upgrade",
+ "bf782cc9-5a52-4a17-806c-2a894ffeeac5": "Language Settings",
+ "bfb9d5e0-c6a9-404c-b2b2-ae6db6af4968": "Links",
+ "c0542a90-4bf0-11d1-83ee-00a0c90dc849": "NETWORK_SERVER",
+ "c1bae2d0-10df-4334-bedd-7aa20b227a9d": "Common OEM Links",
+ "c1f8339f-f312-4c97-b1c6-ecdf5910c5c0": "Pictures library",
+ "c291a080-b400-4e34-ae3f-3d2b9637d56c": "UNCFAT IShellFolder Class",
+ "c2b136e2-d50e-405c-8784-363c582bf43e": "Device Center Initialization",
+ "c4900540-2379-4c75-844b-64e6faf8716b": "Sample Pictures",
+ "c4aa340d-f20f-4863-afef-f87ef2e6ba25": "Public Desktop",
+ "c4d98f09-6124-4fe0-9942-826416082da9": "Users libraries",
+ "c555438b-3c23-4769-a71f-b6d3d9b6053a": "Display",
+ "c57a6066-66a3-4d91-9eb9-41532179f0a5": "Application Suggested Locations",
+ "c58c4893-3be0-4b45-abb5-a63e4b8c8651": "Troubleshooting",
+ "c5abbf53-e17f-4121-8900-86626fc2c973": "Network Shortcuts",
+ "c870044b-f49e-4126-a9c3-b52a1ff411e8": "Ringtones",
+ "cac52c1a-b53d-4edc-92d7-6b2e8ac19434": "Games",
+ "cb1b7f8c-c50a-4176-b604-9e24dee8d4d1": "Welcome Center",
+ "cce6191f-13b2-44fa-8d14-324728beef2c": "{Unknown CSIDL}",
+ "d0384e7d-bac3-4797-8f14-cba229b392b5": "Administrative Tools",
+ "d17d1d6d-cc3f-4815-8fe3-607e7d5d10b3": "Text to Speech",
+ "d2035edf-75cb-4ef1-95a7-410d9ee17170": "DLNA Content Directory Data Source",
+ "d20beec4-5ca8-4905-ae3b-bf251ea09b53": "Network",
+ "d20ea4e1-3957-11d2-a40b-0c5020524152": "Fonts",
+ "d20ea4e1-3957-11d2-a40b-0c5020524153": "Administrative Tools",
+ "d24f75aa-4f2b-4d07-a3c4-469b3d9030c4": "Offline Files",
+ "d34a6ca6-62c2-4c34-8a7c-14709c1ad938": "Common Places FS Folder",
+ "d426cfd0-87fc-4906-98d9-a23f5d515d61": "Windows Search Service Outlook Express Protocol Handler",
+ "d4480a50-ba28-11d1-8e75-00c04fa31a86": "Add Network Place",
+ "d450a8a1-9568-45c7-9c0e-b4f9fb4537bd": "Installed Updates",
+ "d555645e-d4f8-4c29-a827-d93c859c4f2a": "Ease of Access",
+ "d5b1944e-db4e-482e-b3f1-db05827f0978": "Softex OmniPass Encrypted Folder",
+ "d6277990-4c6a-11cf-8d87-00aa0060f5bf": "Scheduled Tasks",
+ "d65231b0-b2f1-4857-a4ce-a8e7c6ea7d27": "System32",
+ "d8559eb9-20c0-410e-beda-7ed416aecc2a": "Windows Defender",
+ "d9dc8a3b-b784-432e-a781-5a1130a75963": "History",
+ "d9ef8727-cac2-4e60-809e-86f80a666c91": "Secure Startup (BitLocker Drive Encryption)",
+ "da3f6866-35fe-4229-821a-26553a67fc18": "General (Generic) library",
+ "daf95313-e44d-46af-be1b-cbacea2c3065": "Start Menu Provider Folder",
+ "de2b70ec-9bf7-4a93-bd3d-243f7881d492": "Contacts",
+ "de61d971-5ebc-4f02-a3a9-6c82895e5c04": "AddNewPrograms",
+ "de92c1c7-837f-4f69-a3bb-86e631204a23": "Playlists",
+ "de974d24-d9c6-4d3e-bf91-f4455120b917": "Common Files",
+ "debf2536-e1a8-4c59-b6a2-414586476aea": "GameExplorer",
+ "df7266ac-9274-4867-8d55-3bd661de872d": "Programs and Features",
+ "dfdf76a2-c82a-4d63-906a-5644ac457385": "Public",
+ "dffacdc5-679f-4156-8947-c5c76bc0b67f": "Delegate folder that appears in Users Files Folder",
+ "e17d4fc0-5564-11d1-83f2-00a0c90dc849": "Search Results Folder",
+ "e211b736-43fd-11d1-9efb-0000f8757fcd": "Scanners and Cameras",
+ "e2e7934b-dce5-43c4-9576-7fe4f75e7480": "Date and Time",
+ "e345f35f-9397-435c-8f95-4e922c26259e": "Start Menu Path Complete Provider Folder",
+ "e413d040-6788-4c22-957e-175d1c513a34": "Sync Center Conflict Delegate Folder",
+ "e555ab60-153b-4d17-9f04-a5fe99fc15ec": "Ringtones",
+ "e773f1af-3a65-4866-857d-846fc9c4598a": "Shell Storage Folder Viewer",
+ "e7de9b1a-7533-4556-9484-b26fb486475e": "Network Map",
+ "e7e4bc40-e76a-11ce-a9bb-00aa004ae837": "Shell DocObject Viewer",
+ "e88dcce0-b7b3-11d1-a9f0-00aa0060fa31": "Compressed Folder",
+ "e95a4861-d57a-4be1-ad0f-35267e261739": "Windows Side Show",
+
"e9950154-c418-419e-a90a-20c5287ae24b": "Location and Other Sensors", + "ea25fbd7-3bf7-409e-b97f-3352240903f4": "Videos Search Results", + "ecdb0924-4208-451e-8ee0-373c0956de16": "Work Folders", + "ed228fdf-9ea8-4870-83b1-96b02cfe0d52": "My Games", + "ed4824af-dce4-45a8-81e2-fc7965083634": "Public Documents", + "ed50fc29-b964-48a9-afb3-15ebb9b97f36": "PrintHood delegate folder", + "ed7ba470-8e54-465e-825c-99712043e01c": "All Tasks", + "ed834ed6-4b5a-4bfe-8f11-a626dcb6a921": "Personalization Control Panel", + "edc978d6-4d53-4b2f-a265-5805674be568": "Stream Backed Folder", + "ee32e446-31ca-4aba-814f-a5ebd2fd6d5e": "Offline Files", + "f02c1a0d-be21-4350-88b0-7367fc96ef3c": "Network", + "f0d63f85-37ec-4097-b30d-61b4a8917118": "Photo Stream", + "f1390a9a-a3f4-4e5d-9c5f-98f3bd8d935c": "Sync Setup Delegate Folder", + "f1b32785-6fba-4fcf-9d55-7b8e7f157091": "LocalAppData", + "f2ddfc82-8f12-4cdd-b7dc-d4fe1425aa4d": "Sound", + "f38bf404-1d43-42f2-9305-67de0b28fc23": "Windows", + "f3ce0f7c-4901-4acc-8648-d5d44b04ef8f": "Users Files", + "f3f5824c-ad58-4728-af59-a1ebe3392799": "Sticky Notes Namespace Extension for Windows Desktop Search", + "f5175861-2688-11d0-9c5e-00aa00a45957": "Subscription Folder", + "f6b6e965-e9b2-444b-9286-10c9152edbc5": "History Vault", + "f7f1ed05-9f6d-47a2-aaae-29d317c6f066": "Common Files", + "f82df8f7-8b9f-442e-a48c-818ea735ff9b": "Pen and Input Devices", + "f8c2ab3b-17bc-41da-9758-339d7dbf2d88": "Previous Versions Results Folder", + "f90c627b-7280-45db-bc26-cce7bdd620a4": "All Tasks", + "f942c606-0914-47ab-be56-1321b8035096": "Storage Spaces", + "fb0c9c8a-6c50-11d1-9f1d-0000f8757fcd": "Scanners & Cameras", + "fbb3477e-c9e4-4b3b-a2ba-d3f5d3cd46f9": "Documents Library", + "fc9fb64a-1eb2-4ccf-af5e-1a497a9b5c2d": "My sharing folders", + "fcfeecae-ee1b-4849-ae50-685dcf7717ec": "Problem Reports and Solutions", + "fd228cb7-ae11-4ae3-864c-16f3910ab8fe": "Fonts", + "fdd39ad0-238f-46af-adb4-6c85480369c7": "Documents", + "fe1290f0-cfbd-11cf-a330-00aa00c16e65": 
"Directory",
+ "ff393560-c2a7-11cf-bff4-444553540000": "History",
+}
diff --git a/libbeat/formats/lnk/known_targets.go b/libbeat/formats/lnk/known_targets.go
index be2c21da2605..0f153674b618 100644
--- a/libbeat/formats/lnk/known_targets.go
+++ b/libbeat/formats/lnk/known_targets.go
@@ -74,7 +74,30 @@ func parseTarget0x1f(data []byte) string {
 return "Users property view: Drive letter"
 }
 maskedBit := data[3] & 0x70
- if maskedBit == 0x40 || maskedBit == 0x50 || maskedBit == 0x70 {
+ switch maskedBit {
+ // https://github.com/williballenthin/shellbags/blob/fee76eb25c2b80c33caf8ab9013de5cba113dcd2/ShellItems.py#L54
+ case 0x00:
+ return "INTERNET_EXPLORER"
+ case 0x42:
+ return "LIBRARIES"
+ case 0x44:
+ return "USERS"
+ case 0x48:
+ return "MY_DOCUMENTS"
+ case 0x50:
+ return "MY_COMPUTER"
+ case 0x58:
+ return "NETWORK"
+ case 0x60:
+ return "RECYCLE_BIN"
+ case 0x68:
+ return "INTERNET_EXPLORER"
+ case 0x80:
+ return "MY_GAMES"
+ // unknown
+ case 0x40:
+ fallthrough
+ case 0x70:
 return "Root folder: GUID"
 }
 signature := binary.LittleEndian.Uint32(data[6:])
@@ -136,6 +159,12 @@ var knownTargets = map[byte]targetParser{
 }
 
 func getTargetName(targetType byte, data []byte) string {
+ if len(data) >= 20 {
+ uuid := encodeUUID(data[4:20])
+ if name, known := knownShellbagGuids[uuid]; known {
+ return name
+ }
+ }
 if parser, known := knownTargets[targetType]; known {
 return parser(data)
 }
From 06911aaefdef7ea269451ffb980767b55162fe90 Mon Sep 17 00:00:00 2001
From: Andrew Stucki
Date: Wed, 3 Mar 2021 16:01:14 -0500
Subject: [PATCH 27/30] Add license headers
---
 libbeat/formats/lnk/known_properties.go | 17 +++++++++++++++++
 libbeat/formats/lnk/known_shellbag_guids.go | 17 +++++++++++++++++
 libbeat/formats/lnk/known_targets.go | 17 +++++++++++++++++
 3 files changed, 51 insertions(+)
diff --git a/libbeat/formats/lnk/known_properties.go b/libbeat/formats/lnk/known_properties.go
index 5e619e6faafc..8c242aaa87cf 100644
--- a/libbeat/formats/lnk/known_properties.go
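Review bot: In the new switch in parseTarget0x1f the cases 0x42, 0x44, 0x48, 0x58, 0x68 and 0x80 can never match, because the value switched on is still `maskedBit := data[3] & 0x70` from the context line above, which only yields 0x00, 0x10, …, 0x70; a LIBRARIES item (0x42) masks to 0x40 and is reported as "Root folder: GUID", so the fingerprint silently mislabels those items. The referenced ShellItems.py appears to compare the sort-index byte unmasked, so the switch should test the raw byte, e.g. `switch data[3] {`, and keep the old mask-based 0x40/0x50/0x70 fallback in a `default:` branch that re-derives `data[3] & 0x70`. A fixture exercising one of the currently unreachable values would pin this down. parseTarget0x1f's body continues outside the hunk.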
+++ b/libbeat/formats/lnk/known_properties.go
@@ -1,3 +1,20 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 package lnk
 
 var knownProperties = map[string]map[uint32]string{
diff --git a/libbeat/formats/lnk/known_shellbag_guids.go b/libbeat/formats/lnk/known_shellbag_guids.go
index 66f14fa17d89..d93c8587ec17 100644
--- a/libbeat/formats/lnk/known_shellbag_guids.go
+++ b/libbeat/formats/lnk/known_shellbag_guids.go
@@ -1,3 +1,20 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 package lnk
 
 var knownShellbagGuids = map[string]string{
diff --git a/libbeat/formats/lnk/known_targets.go b/libbeat/formats/lnk/known_targets.go
index 0f153674b618..0e3c48325f76 100644
--- a/libbeat/formats/lnk/known_targets.go
+++ b/libbeat/formats/lnk/known_targets.go
@@ -1,3 +1,20 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 package lnk
 
 import (
From bf1539727120cfba3c09674bf16fa833a1ffc49e Mon Sep 17 00:00:00 2001
From: Andrew Stucki
Date: Wed, 3 Mar 2021 16:16:25 -0500
Subject: [PATCH 28/30] A few more basic classifiers
---
 libbeat/formats/lnk/known_targets.go | 37 ++++++++++++++++++++++------
 1 file changed, 29 insertions(+), 8 deletions(-)
diff --git a/libbeat/formats/lnk/known_targets.go b/libbeat/formats/lnk/known_targets.go
index 0e3c48325f76..2ff1e31d611b 100644
--- a/libbeat/formats/lnk/known_targets.go
+++ b/libbeat/formats/lnk/known_targets.go
@@ -30,6 +30,20 @@ func simpleTargetParser(name string) targetParser {
 }
 }
 
+func checkKnownGUIDs(offset int, data []byte) string {
+ if len(data) >= 16+offset {
+ uuid := encodeUUID(data[offset : 16+offset])
+ if name, known := knownShellbagGuids[uuid]; known {
+ return name
+ }
+ }
+ return ""
+}
+
+func parseTarget0x00(data []byte) string {
+ return checkKnownGUIDs(0xE, data)
+}
+
 func parseTarget0x01(data []byte) string {
 if data[8] == 0x3A && data[9] == 0x00 {
 return "Hyper-V storage volume"
@@ -69,6 +83,10 @@ func parseTarget0x01(data []byte) string {
 }
 
 func parseTarget0x2e(data []byte) string {
+ if known := checkKnownGUIDs(0x4, data); known != "" {
+ return known
+ }
+
 if len(data) == 0x16 && data[3] == 0x80 {
 return "Root folder: GUID"
 }
@@ -84,6 +102,9 @@ func parseTarget0x2e(data []byte) string {
 }
 
 func parseTarget0x1f(data []byte) string {
+ if known := checkKnownGUIDs(4, data); known != "" {
+ return known
+ }
 if data[0] == 0x14 || data[0] == 0x32 || data[0] == 0x3A {
 return "Root folder: GUID"
 }
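Review bot: checkKnownGUIDs carries no doc comment, and its callers spell the same offset two ways (`checkKnownGUIDs(0x4, data)` in parseTarget0x2e versus `checkKnownGUIDs(4, data)` in parseTarget0x1f), which makes the per-type GUID positions harder to audit against the shellbag layouts they come from. A comment such as `// checkKnownGUIDs looks up the 16-byte GUID at data[offset:offset+16] in knownShellbagGuids and returns its display name, or "" when data is too short or the GUID is not in the table.` states the empty-string contract the callers rely on, and one literal style (hex, matching `0xE`) for every offset keeps the three call sites readable side by side. The length guard `len(data) >= 16+offset` is the right check for a caller-supplied slice and is worth keeping as the only bounds check on this path. parseTarget0x01, parseTarget0x2e and parseTarget0x1f all continue outside their hunks.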
@@ -144,13 +165,19 @@ func parseTarget0x40(data []byte) string {
 }
 }
 
+func parseTarget0x71(data []byte) string {
+ return checkKnownGUIDs(0xE, data)
+}
+
+// Have a better look at
+// https://github.com/williballenthin/shellbags/blob/fee76eb25c2b80c33caf8ab9013de5cba113dcd2/ShellItems.py
 var knownTargets = map[byte]targetParser{
 // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0X23.cs
 0x23: simpleTargetParser("Drive letter"),
 // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0X4C.cs
 0x4C: simpleTargetParser("Sharepoint directory"),
 // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0x00.cs
- // 0x00:
+ 0x00: parseTarget0x00,
 // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0x01.cs
 0x01: parseTarget0x01,
 // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0x1f.cs
@@ -168,7 +195,7 @@ var knownTargets = map[byte]targetParser{
 // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0x61.cs
 0x61: simpleTargetParser("URI"),
 // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0x71.cs
- // 0x71:
+ 0x71: parseTarget0x71,
 // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0x74.cs
 // 0x74:
 // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0xc3.cs
@@ -176,12 +203,6 @@ var knownTargets = map[byte]targetParser{
 }
 
 func getTargetName(targetType byte, data []byte) string {
- if len(data) >= 20 {
- uuid := encodeUUID(data[4:20])
- if name, known := knownShellbagGuids[uuid]; known {
- return name
- }
- }
 if parser, known := knownTargets[targetType]; known {
 return parser(data)
 }
From c0edfbab3d24d855813897b289fc1216ab176f23 Mon Sep 17 00:00:00 2001
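Review bot: Registering 0x00 and 0x71 in knownTargets (the `0x00: parseTarget0x00,` and `0x71: parseTarget0x71,` lines in this hunk and the @@ -168 hunk) changes what getTargetName reports for those item types: both parsers return "" whenever the GUID is not in knownShellbagGuids, and the @@ -176 hunk returns that value unconditionally via `return parser(data)`, whereas with the entries commented out these types fell through to whatever getTargetName returns after the lookup, which is outside the hunk. If that tail yields a descriptive default, it is probably worth preserving it for the unmatched case, e.g. `if name := parser(data); name != "" { return name }` in place of the unconditional return, so an unrecognised shellbag GUID does not surface as an empty name in the fingerprint. Separately, `// Have a better look at` above knownTargets reads as a personal reminder; something like `// Type table cross-referenced against williballenthin/shellbags ShellItems.py:` tells a reader what the link is for. getTargetName's body continues outside the hunk.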
From: Andrew Stucki Date: Wed, 3 Mar 2021 16:32:39 -0500 Subject: [PATCH 29/30] Rename targets to shellbags --- .../lnk/local.directory.seven.lnk.fingerprint | 2 +- .../lnk/local.directory.xp.lnk.fingerprint | 2 +- .../lnk/local.file.darwin.lnk.fingerprint | 2 +- .../lnk/local.file.env.lnk.fingerprint | 2 +- .../lnk/local.file.exec.lnk.fingerprint | 2 +- .../lnk/local.file.icoset.lnk.fingerprint | 2 +- .../lnk/local.file.seven.lnk.fingerprint | 2 +- .../lnk/local.file.xp.lnk.fingerprint | 2 +- .../fixtures/lnk/local_cmd.lnk.fingerprint | 2 +- .../lnk/local_unicode.lnk.fingerprint | 2 +- .../fixtures/lnk/local_win31j.lnk.fingerprint | 2 +- .../fixtures/lnk/microsoft.lnk.fingerprint | 2 +- .../lnk/native.2008srv.01.lnk.fingerprint | 2 +- .../lnk/native.2008srv.02.lnk.fingerprint | 2 +- .../lnk/native.2008srv.03.lnk.fingerprint | 2 +- .../lnk/native.2008srv.04.lnk.fingerprint | 2 +- .../lnk/native.2008srv.05.lnk.fingerprint | 2 +- .../lnk/native.2008srv.06.lnk.fingerprint | 2 +- .../lnk/native.2008srv.07.lnk.fingerprint | 2 +- .../lnk/native.2008srv.08.lnk.fingerprint | 2 +- .../lnk/native.2008srv.09.lnk.fingerprint | 2 +- .../lnk/native.2008srv.10.lnk.fingerprint | 2 +- .../lnk/native.2008srv.11.lnk.fingerprint | 2 +- .../lnk/native.2008srv.12.lnk.fingerprint | 2 +- .../lnk/native.2008srv.13.lnk.fingerprint | 2 +- .../lnk/native.2008srv.14.lnk.fingerprint | 2 +- .../lnk/native.2008srv.15.lnk.fingerprint | 2 +- .../lnk/native.2008srv.16.lnk.fingerprint | 2 +- .../lnk/native.2008srv.17.lnk.fingerprint | 2 +- .../lnk/native.2008srv.18.lnk.fingerprint | 2 +- .../lnk/native.2008srv.19.lnk.fingerprint | 2 +- .../lnk/native.2008srv.20.lnk.fingerprint | 2 +- .../lnk/native.seven.01.lnk.fingerprint | 2 +- .../lnk/native.seven.03.lnk.fingerprint | 2 +- .../lnk/native.seven.04.lnk.fingerprint | 2 +- .../lnk/native.seven.05.lnk.fingerprint | 2 +- .../lnk/native.seven.06.lnk.fingerprint | 2 +- .../lnk/native.seven.08.lnk.fingerprint | 2 +- .../lnk/native.seven.09.lnk.fingerprint 
| 2 +- .../lnk/native.seven.11.lnk.fingerprint | 2 +- .../lnk/native.seven.16.lnk.fingerprint | 2 +- .../fixtures/lnk/native.xp.01.lnk.fingerprint | 2 +- .../fixtures/lnk/native.xp.02.lnk.fingerprint | 2 +- .../fixtures/lnk/native.xp.03.lnk.fingerprint | 2 +- .../fixtures/lnk/native.xp.04.lnk.fingerprint | 2 +- .../fixtures/lnk/native.xp.05.lnk.fingerprint | 2 +- .../fixtures/lnk/native.xp.06.lnk.fingerprint | 2 +- .../fixtures/lnk/native.xp.07.lnk.fingerprint | 2 +- .../fixtures/lnk/native.xp.08.lnk.fingerprint | 2 +- .../fixtures/lnk/native.xp.09.lnk.fingerprint | 2 +- .../fixtures/lnk/native.xp.10.lnk.fingerprint | 2 +- .../fixtures/lnk/native.xp.11.lnk.fingerprint | 2 +- .../fixtures/lnk/native.xp.12.lnk.fingerprint | 2 +- .../fixtures/lnk/native.xp.13.lnk.fingerprint | 2 +- .../fixtures/lnk/native.xp.14.lnk.fingerprint | 2 +- .../fixtures/lnk/native.xp.15.lnk.fingerprint | 2 +- .../fixtures/lnk/native.xp.16.lnk.fingerprint | 2 +- .../fixtures/lnk/native.xp.17.lnk.fingerprint | 2 +- .../fixtures/lnk/native.xp.18.lnk.fingerprint | 2 +- .../fixtures/lnk/native.xp.19.lnk.fingerprint | 2 +- .../fixtures/lnk/native.xp.20.lnk.fingerprint | 2 +- .../fixtures/lnk/net_unicode.lnk.fingerprint | 2 +- .../fixtures/lnk/net_unicode2.lnk.fingerprint | 2 +- .../fixtures/lnk/net_win31j.lnk.fingerprint | 2 +- .../lnk/remote.directory.xp.lnk.fingerprint | 2 +- .../lnk/remote.file.aidlist.lnk.fingerprint | 2 +- .../lnk/remote.file.xp.lnk.fingerprint | 2 +- .../lnk/extra_vista_and_above_id_list.go | 4 +- .../{known_targets.go => known_shellbags.go} | 48 +++++++++---------- libbeat/formats/lnk/lnk.go | 28 +++++------ .../formats/lnk/{target.go => shellbag.go} | 42 ++++++++-------- 71 files changed, 128 insertions(+), 128 deletions(-) rename libbeat/formats/lnk/{known_targets.go => known_shellbags.go} (83%) rename libbeat/formats/lnk/{target.go => shellbag.go} (66%) 
diff --git a/libbeat/formats/fixtures/lnk/local.directory.seven.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.directory.seven.lnk.fingerprint index 050414ec857f..16edfa8811fa 100644 --- a/libbeat/formats/fixtures/lnk/local.directory.seven.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local.directory.seven.lnk.fingerprint @@ -19,7 +19,7 @@ "icon_index": 0, "window_style": "SW_NORMAL" }, - "targets": [ + "shellbags": [ { "name": "MY_COMPUTER", "size": 20, diff --git a/libbeat/formats/fixtures/lnk/local.directory.xp.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.directory.xp.lnk.fingerprint index f25d1965a4f9..19dd1695114d 100644 --- a/libbeat/formats/fixtures/lnk/local.directory.xp.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local.directory.xp.lnk.fingerprint @@ -17,7 +17,7 @@ "icon_index": 0, "window_style": "SW_NORMAL" }, - "targets": [ + "shellbags": [ { "name": "MY_COMPUTER", "size": 20, diff --git a/libbeat/formats/fixtures/lnk/local.file.darwin.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.file.darwin.lnk.fingerprint index 7a8fa66233ce..405f3f2ffdde 100644 --- a/libbeat/formats/fixtures/lnk/local.file.darwin.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local.file.darwin.lnk.fingerprint @@ -13,7 +13,7 @@ "icon_index": 0, "window_style": "SW_NORMAL" }, - "targets": [ + "shellbags": [ { "name": "MY_COMPUTER", "size": 20, diff --git a/libbeat/formats/fixtures/lnk/local.file.env.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.file.env.lnk.fingerprint index ca33de191a76..52a1486f26b7 100644 --- a/libbeat/formats/fixtures/lnk/local.file.env.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local.file.env.lnk.fingerprint @@ -20,7 +20,7 @@ "icon_index": 0, "window_style": "SW_NORMAL" }, - "targets": [ + "shellbags": [ { "name": "MY_COMPUTER", "size": 20, 
diff --git a/libbeat/formats/fixtures/lnk/local.file.exec.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.file.exec.lnk.fingerprint index 1901c0fc8f07..a53b1e817abd 100644 --- a/libbeat/formats/fixtures/lnk/local.file.exec.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local.file.exec.lnk.fingerprint @@ -22,7 +22,7 @@ "window_style": "SW_NORMAL", "hot_key": "HOTKEYF_ALT+G" }, - "targets": [ + "shellbags": [ { "name": "MY_COMPUTER", "size": 20, diff --git a/libbeat/formats/fixtures/lnk/local.file.icoset.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.file.icoset.lnk.fingerprint index 504abe472ada..9bbc29d069a6 100644 --- a/libbeat/formats/fixtures/lnk/local.file.icoset.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local.file.icoset.lnk.fingerprint @@ -19,7 +19,7 @@ "icon_index": 130, "window_style": "SW_NORMAL" }, - "targets": [ + "shellbags": [ { "name": "MY_COMPUTER", "size": 20, diff --git a/libbeat/formats/fixtures/lnk/local.file.seven.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.file.seven.lnk.fingerprint index ef8b3695bc1e..73965641e80c 100644 --- a/libbeat/formats/fixtures/lnk/local.file.seven.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local.file.seven.lnk.fingerprint @@ -20,7 +20,7 @@ "icon_index": 0, "window_style": "SW_NORMAL" }, - "targets": [ + "shellbags": [ { "name": "MY_COMPUTER", "size": 20, diff --git a/libbeat/formats/fixtures/lnk/local.file.xp.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local.file.xp.lnk.fingerprint index eb8926abc2bd..b2558e9360f6 100644 --- a/libbeat/formats/fixtures/lnk/local.file.xp.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local.file.xp.lnk.fingerprint @@ -18,7 +18,7 @@ "icon_index": 0, "window_style": "SW_NORMAL" }, - "targets": [ + "shellbags": [ { "name": "MY_COMPUTER", "size": 20, diff --git a/libbeat/formats/fixtures/lnk/local_cmd.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local_cmd.lnk.fingerprint index b2cafb1a2737..759751cecb17 100644 
--- a/libbeat/formats/fixtures/lnk/local_cmd.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local_cmd.lnk.fingerprint @@ -22,7 +22,7 @@ "icon_index": 0, "window_style": "SW_NORMAL" }, - "targets": [ + "shellbags": [ { "name": "MY_COMPUTER", "size": 20, diff --git a/libbeat/formats/fixtures/lnk/local_unicode.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local_unicode.lnk.fingerprint index 841a8a103634..247a178f74ef 100644 --- a/libbeat/formats/fixtures/lnk/local_unicode.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local_unicode.lnk.fingerprint @@ -19,7 +19,7 @@ "icon_index": 0, "window_style": "SW_NORMAL" }, - "targets": [ + "shellbags": [ { "name": "MY_COMPUTER", "size": 20, diff --git a/libbeat/formats/fixtures/lnk/local_win31j.lnk.fingerprint b/libbeat/formats/fixtures/lnk/local_win31j.lnk.fingerprint index d0ba24886635..07e5ba88fb9c 100644 --- a/libbeat/formats/fixtures/lnk/local_win31j.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/local_win31j.lnk.fingerprint @@ -22,7 +22,7 @@ "icon_index": 70, "window_style": "SW_NORMAL" }, - "targets": [ + "shellbags": [ { "name": "MY_COMPUTER", "size": 20, diff --git a/libbeat/formats/fixtures/lnk/microsoft.lnk.fingerprint b/libbeat/formats/fixtures/lnk/microsoft.lnk.fingerprint index 7dc5c3f5c5c9..ab3175808a72 100644 --- a/libbeat/formats/fixtures/lnk/microsoft.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/microsoft.lnk.fingerprint @@ -18,7 +18,7 @@ "icon_index": 0, "window_style": "SW_NORMAL" }, - "targets": [ + "shellbags": [ { "name": "MY_COMPUTER", "size": 20, diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.01.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.01.lnk.fingerprint index 945cdd6417ab..bdf86c10b8f1 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.01.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.01.lnk.fingerprint 
@@ -20,7 +20,7 @@ "icon_index": 0, "window_style": "SW_NORMAL" }, - "targets": [ + "shellbags": [ { "name": "MY_COMPUTER", "size": 20, diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.02.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.02.lnk.fingerprint index 94a718b15ec8..8e445c11d96b 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.02.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.02.lnk.fingerprint @@ -11,7 +11,7 @@ "icon_index": 4294967187, "window_style": "SW_NORMAL" }, - "targets": [ + "shellbags": [ { "name": "MY_COMPUTER", "size": 20, diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.03.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.03.lnk.fingerprint index 8c56fe76f500..4ddad37d40b7 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.03.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.03.lnk.fingerprint @@ -11,7 +11,7 @@ "icon_index": 4294967269, "window_style": "SW_NORMAL" }, - "targets": [ + "shellbags": [ { "name": "Users property view", "size": 20, diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.04.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.04.lnk.fingerprint index 61009a2571b0..39a6332714fd 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.04.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.04.lnk.fingerprint @@ -18,7 +18,7 @@ "icon_index": 0, "window_style": "SW_NORMAL" }, - "targets": [ + "shellbags": [ { "name": "INTERNET_EXPLORER", "size": 20, diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.05.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.05.lnk.fingerprint index fc99f063a74b..9309be8d95f7 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.05.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.05.lnk.fingerprint @@ -20,7 +20,7 @@ "icon_index": 0, "window_style": "SW_NORMAL" }, - "targets": [ + "shellbags": [ { "name": "MY_COMPUTER", "size": 20, 
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.06.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.06.lnk.fingerprint index d8beb2c09bce..2621994814a4 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.06.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.06.lnk.fingerprint @@ -20,7 +20,7 @@ "icon_index": 0, "window_style": "SW_NORMAL" }, - "targets": [ + "shellbags": [ { "name": "MY_COMPUTER", "size": 20, diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.07.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.07.lnk.fingerprint index c6140f9f183f..f9377232483c 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.07.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.07.lnk.fingerprint @@ -11,7 +11,7 @@ "icon_index": 4294967272, "window_style": "SW_NORMAL" }, - "targets": [ + "shellbags": [ { "name": "MY_COMPUTER", "size": 20, diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.08.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.08.lnk.fingerprint index 369ee6c08151..32988084f80e 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.08.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.08.lnk.fingerprint @@ -19,7 +19,7 @@ "icon_index": 0, "window_style": "SW_NORMAL" }, - "targets": [ + "shellbags": [ { "name": "MY_COMPUTER", "size": 20, diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.09.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.09.lnk.fingerprint index 0c238177a16d..c79ed494bad2 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.09.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.09.lnk.fingerprint @@ -18,7 +18,7 @@ "icon_index": 0, "window_style": "SW_NORMAL" }, - "targets": [ + "shellbags": [ { "name": "MY_COMPUTER", "size": 20, 
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.10.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.10.lnk.fingerprint index 13c36b147b29..77518f049ea6 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.10.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.10.lnk.fingerprint @@ -17,7 +17,7 @@ "icon_index": 0, "window_style": "SW_NORMAL" }, - "targets": [ + "shellbags": [ { "name": "INTERNET_EXPLORER", "size": 20, diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.11.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.11.lnk.fingerprint index ef0b85fe7c90..1b3e36273e5a 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.11.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.11.lnk.fingerprint @@ -19,7 +19,7 @@ "icon_index": 0, "window_style": "SW_NORMAL" }, - "targets": [ + "shellbags": [ { "name": "MY_COMPUTER", "size": 20, diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.12.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.12.lnk.fingerprint index 80de348da1ee..be1b78beab27 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.12.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.12.lnk.fingerprint @@ -21,7 +21,7 @@ "icon_index": 0, "window_style": "SW_NORMAL" }, - "targets": [ + "shellbags": [ { "name": "MY_COMPUTER", "size": 20, diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.13.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.13.lnk.fingerprint index 70fefa0e5234..4060784919e1 100644 --- a/libbeat/formats/fixtures/lnk/native.2008srv.13.lnk.fingerprint +++ b/libbeat/formats/fixtures/lnk/native.2008srv.13.lnk.fingerprint @@ -19,7 +19,7 @@ "icon_index": 4294967295, "window_style": "SW_NORMAL" }, - "targets": [ + "shellbags": [ { "name": "MY_COMPUTER", "size": 20, 
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.14.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.14.lnk.fingerprint
index b635ab12cc41..09ea3072f2f4 100644
--- a/libbeat/formats/fixtures/lnk/native.2008srv.14.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.2008srv.14.lnk.fingerprint
@@ -17,7 +17,7 @@
 "icon_index": 0,
 "window_style": "SW_NORMAL"
 },
- "targets": [
+ "shellbags": [
 {
 "name": "INTERNET_EXPLORER",
 "size": 20,
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.15.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.15.lnk.fingerprint
index 4060a5600146..b7168a97318a 100644
--- a/libbeat/formats/fixtures/lnk/native.2008srv.15.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.2008srv.15.lnk.fingerprint
@@ -18,7 +18,7 @@
 "icon_index": 0,
 "window_style": "SW_NORMAL"
 },
- "targets": [
+ "shellbags": [
 {
 "name": "Users property view",
 "size": 20,
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.16.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.16.lnk.fingerprint
index 630dce5659db..a3c77ae91a76 100644
--- a/libbeat/formats/fixtures/lnk/native.2008srv.16.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.2008srv.16.lnk.fingerprint
@@ -11,7 +11,7 @@
 "icon_index": 4294967271,
 "window_style": "SW_NORMAL"
 },
- "targets": [
+ "shellbags": [
 {
 "name": "MY_COMPUTER",
 "size": 20,
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.17.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.17.lnk.fingerprint
index 3627915720fa..ffd357af9395 100644
--- a/libbeat/formats/fixtures/lnk/native.2008srv.17.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.2008srv.17.lnk.fingerprint
@@ -18,7 +18,7 @@
 "icon_index": 0,
 "window_style": "SW_NORMAL"
 },
- "targets": [
+ "shellbags": [
 {
 "name": "INTERNET_EXPLORER",
 "size": 20,
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.18.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.18.lnk.fingerprint
index e5572114efc0..8ada107f8e3f 100644
--- a/libbeat/formats/fixtures/lnk/native.2008srv.18.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.2008srv.18.lnk.fingerprint
@@ -11,7 +11,7 @@
 "icon_index": 4294967038,
 "window_style": "SW_NORMAL"
 },
- "targets": [
+ "shellbags": [
 {
 "name": "INTERNET_EXPLORER",
 "size": 20,
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.19.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.19.lnk.fingerprint
index 949dd922cb16..e98049aa0d46 100644
--- a/libbeat/formats/fixtures/lnk/native.2008srv.19.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.2008srv.19.lnk.fingerprint
@@ -11,7 +11,7 @@
 "icon_index": 4294967186,
 "window_style": "SW_NORMAL"
 },
- "targets": [
+ "shellbags": [
 {
 "name": "INTERNET_EXPLORER",
 "size": 20,
diff --git a/libbeat/formats/fixtures/lnk/native.2008srv.20.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.2008srv.20.lnk.fingerprint
index 76ba6a7c5a1d..31961cba4f10 100644
--- a/libbeat/formats/fixtures/lnk/native.2008srv.20.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.2008srv.20.lnk.fingerprint
@@ -19,7 +19,7 @@
 "icon_index": 0,
 "window_style": "SW_NORMAL"
 },
- "targets": [
+ "shellbags": [
 {
 "name": "MY_COMPUTER",
 "size": 20,
diff --git a/libbeat/formats/fixtures/lnk/native.seven.01.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.01.lnk.fingerprint
index dcf9b06d61ff..3c02028e6c7c 100644
--- a/libbeat/formats/fixtures/lnk/native.seven.01.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.seven.01.lnk.fingerprint
@@ -18,7 +18,7 @@
 "icon_index": 0,
 "window_style": "SW_NORMAL"
 },
- "targets": [
+ "shellbags": [
 {
 "name": "MY_COMPUTER",
 "size": 20,
diff --git a/libbeat/formats/fixtures/lnk/native.seven.03.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.03.lnk.fingerprint
index 011d4ed068f9..744d3d4498c6 100644
--- a/libbeat/formats/fixtures/lnk/native.seven.03.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.seven.03.lnk.fingerprint
@@ -10,7 +10,7 @@
 "icon_index": 0,
 "window_style": "SW_NORMAL"
 },
- "targets": [
+ "shellbags": [
 {
 "name": "INTERNET_EXPLORER",
 "size": 20,
diff --git a/libbeat/formats/fixtures/lnk/native.seven.04.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.04.lnk.fingerprint
index 23e23e012592..c64692e31669 100644
--- a/libbeat/formats/fixtures/lnk/native.seven.04.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.seven.04.lnk.fingerprint
@@ -18,7 +18,7 @@
 "icon_index": 0,
 "window_style": "SW_NORMAL"
 },
- "targets": [
+ "shellbags": [
 {
 "name": "MY_COMPUTER",
 "size": 20,
diff --git a/libbeat/formats/fixtures/lnk/native.seven.05.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.05.lnk.fingerprint
index 958f13fd4a92..4d87027abc75 100644
--- a/libbeat/formats/fixtures/lnk/native.seven.05.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.seven.05.lnk.fingerprint
@@ -10,7 +10,7 @@
 "icon_index": 0,
 "window_style": "SW_NORMAL"
 },
- "targets": [
+ "shellbags": [
 {
 "name": "RECYCLE_BIN",
 "size": 20,
diff --git a/libbeat/formats/fixtures/lnk/native.seven.06.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.06.lnk.fingerprint
index 0b6ed19385d0..1e5025d426c8 100644
--- a/libbeat/formats/fixtures/lnk/native.seven.06.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.seven.06.lnk.fingerprint
@@ -10,7 +10,7 @@
 "icon_index": 0,
 "window_style": "SW_NORMAL"
 },
- "targets": [
+ "shellbags": [
 {
 "name": "RECYCLE_BIN",
 "size": 20,
diff --git a/libbeat/formats/fixtures/lnk/native.seven.08.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.08.lnk.fingerprint
index 4972745980da..1bc1a5549e03 100644
--- a/libbeat/formats/fixtures/lnk/native.seven.08.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.seven.08.lnk.fingerprint
@@ -14,7 +14,7 @@
 "icon_index": 0,
 "window_style": "SW_NORMAL"
 },
- "targets": [
+ "shellbags": [
 {
 "name": "MY_COMPUTER",
 "size": 20,
diff --git a/libbeat/formats/fixtures/lnk/native.seven.09.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.09.lnk.fingerprint
index 4f4b036ba0d6..4429c4fa8f12 100644
--- a/libbeat/formats/fixtures/lnk/native.seven.09.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.seven.09.lnk.fingerprint
@@ -20,7 +20,7 @@
 "icon_index": 0,
 "window_style": "SW_NORMAL"
 },
- "targets": [
+ "shellbags": [
 {
 "name": "MY_COMPUTER",
 "size": 20,
diff --git a/libbeat/formats/fixtures/lnk/native.seven.11.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.11.lnk.fingerprint
index 6ae0d3c704a3..a9ded9703fc1 100644
--- a/libbeat/formats/fixtures/lnk/native.seven.11.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.seven.11.lnk.fingerprint
@@ -10,7 +10,7 @@
 "icon_index": 0,
 "window_style": "SW_NORMAL"
 },
- "targets": [
+ "shellbags": [
 {
 "name": "RECYCLE_BIN",
 "size": 20,
diff --git a/libbeat/formats/fixtures/lnk/native.seven.16.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.seven.16.lnk.fingerprint
index d6346706b5f3..632cea63b5ae 100644
--- a/libbeat/formats/fixtures/lnk/native.seven.16.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.seven.16.lnk.fingerprint
@@ -12,7 +12,7 @@
 "icon_index": 0,
 "window_style": "SW_NORMAL"
 },
- "targets": [
+ "shellbags": [
 {
 "name": "Users property view",
 "size": 20,
diff --git a/libbeat/formats/fixtures/lnk/native.xp.01.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.01.lnk.fingerprint
index 7da35e8e6aed..fd0458396f45 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.01.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.01.lnk.fingerprint
@@ -22,7 +22,7 @@
 "icon_index": 0,
 "window_style": "SW_NORMAL"
 },
- "targets": [
+ "shellbags": [
 {
 "name": "MY_COMPUTER",
 "size": 20,
diff --git a/libbeat/formats/fixtures/lnk/native.xp.02.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.02.lnk.fingerprint
index 13d38eadcb74..fa39ea3f072b 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.02.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.02.lnk.fingerprint
@@ -12,7 +12,7 @@
 "icon_index": 0,
 "window_style": "SW_NORMAL"
 },
- "targets": [
+ "shellbags": [
 {
 "name": "Users property view",
 "size": 20,
diff --git a/libbeat/formats/fixtures/lnk/native.xp.03.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.03.lnk.fingerprint
index 8af9f8c59611..88d23ac041e5 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.03.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.03.lnk.fingerprint
@@ -20,7 +20,7 @@
 "icon_index": 0,
 "window_style": "SW_NORMAL"
 },
- "targets": [
+ "shellbags": [
 {
 "name": "MY_COMPUTER",
 "size": 20,
diff --git a/libbeat/formats/fixtures/lnk/native.xp.04.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.04.lnk.fingerprint
index 04766a1f7c24..802bd0edbd22 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.04.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.04.lnk.fingerprint
@@ -19,7 +19,7 @@
 "icon_index": 0,
 "window_style": "SW_NORMAL"
 },
- "targets": [
+ "shellbags": [
 {
 "name": "MY_COMPUTER",
 "size": 20,
diff --git a/libbeat/formats/fixtures/lnk/native.xp.05.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.05.lnk.fingerprint
index a0901055e06a..64938ad5315a 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.05.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.05.lnk.fingerprint
@@ -20,7 +20,7 @@
 "icon_index": 0,
 "window_style": "SW_NORMAL"
 },
- "targets": [
+ "shellbags": [
 {
 "name": "MY_COMPUTER",
 "size": 20,
diff --git a/libbeat/formats/fixtures/lnk/native.xp.06.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.06.lnk.fingerprint
index 640e6961b94e..106b740db0c7 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.06.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.06.lnk.fingerprint
@@ -19,7 +19,7 @@
 "icon_index": 0,
 "window_style": "SW_NORMAL"
 },
- "targets": [
+ "shellbags": [
 {
 "name": "MY_COMPUTER",
 "size": 20,
diff --git a/libbeat/formats/fixtures/lnk/native.xp.07.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.07.lnk.fingerprint
index b775f0ca6521..c8b39565dc67 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.07.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.07.lnk.fingerprint
@@ -21,7 +21,7 @@
 "icon_index": 1,
 "window_style": "SW_NORMAL"
 },
- "targets": [
+ "shellbags": [
 {
 "name": "MY_COMPUTER",
 "size": 20,
diff --git a/libbeat/formats/fixtures/lnk/native.xp.08.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.08.lnk.fingerprint
index 5c0bb8377825..fbc8ff951a8c 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.08.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.08.lnk.fingerprint
@@ -21,7 +21,7 @@
 "icon_index": 0,
 "window_style": "SW_NORMAL"
 },
- "targets": [
+ "shellbags": [
 {
 "name": "MY_COMPUTER",
 "size": 20,
diff --git a/libbeat/formats/fixtures/lnk/native.xp.09.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.09.lnk.fingerprint
index 3bd7ae71316b..32e3a6121d7e 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.09.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.09.lnk.fingerprint
@@ -19,7 +19,7 @@
 "icon_index": 0,
 "window_style": "SW_NORMAL"
 },
- "targets": [
+ "shellbags": [
 {
 "name": "MY_COMPUTER",
 "size": 20,
diff --git a/libbeat/formats/fixtures/lnk/native.xp.10.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.10.lnk.fingerprint
index f8ed1af2aba9..a990546dd751 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.10.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.10.lnk.fingerprint
@@ -21,7 +21,7 @@
 "icon_index": 0,
 "window_style": "SW_NORMAL"
 },
- "targets": [
+ "shellbags": [
 {
 "name": "MY_COMPUTER",
 "size": 20,
diff --git a/libbeat/formats/fixtures/lnk/native.xp.11.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.11.lnk.fingerprint
index 81ead8196722..56232552990c 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.11.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.11.lnk.fingerprint
@@ -19,7 +19,7 @@
 "icon_index": 0,
 "window_style": "SW_NORMAL"
 },
- "targets": [
+ "shellbags": [
 {
 "name": "MY_COMPUTER",
 "size": 20,
diff --git a/libbeat/formats/fixtures/lnk/native.xp.12.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.12.lnk.fingerprint
index b894f4729370..68624a06a5ce 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.12.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.12.lnk.fingerprint
@@ -20,7 +20,7 @@
 "icon_index": 0,
 "window_style": "SW_NORMAL"
 },
- "targets": [
+ "shellbags": [
 {
 "name": "MY_COMPUTER",
 "size": 20,
diff --git a/libbeat/formats/fixtures/lnk/native.xp.13.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.13.lnk.fingerprint
index 1cb2e38559d9..1d2d2a585abd 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.13.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.13.lnk.fingerprint
@@ -20,7 +20,7 @@
 "icon_index": 0,
 "window_style": "SW_NORMAL"
 },
- "targets": [
+ "shellbags": [
 {
 "name": "MY_COMPUTER",
 "size": 20,
diff --git a/libbeat/formats/fixtures/lnk/native.xp.14.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.14.lnk.fingerprint
index d8bb4b0c3ed8..582847189ef0 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.14.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.14.lnk.fingerprint
@@ -20,7 +20,7 @@
 "icon_index": 0,
 "window_style": "SW_NORMAL"
 },
- "targets": [
+ "shellbags": [
 {
 "name": "MY_COMPUTER",
 "size": 20,
diff --git a/libbeat/formats/fixtures/lnk/native.xp.15.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.15.lnk.fingerprint
index 890e025e8631..1c580a537d8a 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.15.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.15.lnk.fingerprint
@@ -17,7 +17,7 @@
 "icon_index": 0,
 "window_style": "SW_NORMAL"
 },
- "targets": [
+ "shellbags": [
 {
 "name": "MY_COMPUTER",
 "size": 20,
diff --git a/libbeat/formats/fixtures/lnk/native.xp.16.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.16.lnk.fingerprint
index d8583a91fb69..7e4631a9caf0 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.16.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.16.lnk.fingerprint
@@ -17,7 +17,7 @@
 "icon_index": 0,
 "window_style": "SW_NORMAL"
 },
- "targets": [
+ "shellbags": [
 {
 "name": "MY_COMPUTER",
 "size": 20,
diff --git a/libbeat/formats/fixtures/lnk/native.xp.17.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.17.lnk.fingerprint
index f093096d7c8a..0b00ba70aa42 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.17.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.17.lnk.fingerprint
@@ -19,7 +19,7 @@
 "icon_index": 0,
 "window_style": "SW_NORMAL"
 },
- "targets": [
+ "shellbags": [
 {
 "name": "MY_COMPUTER",
 "size": 20,
diff --git a/libbeat/formats/fixtures/lnk/native.xp.18.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.18.lnk.fingerprint
index fcf4c354356d..cdfe155e7175 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.18.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.18.lnk.fingerprint
@@ -11,7 +11,7 @@
 "icon_index": 0,
 "window_style": "SW_NORMAL"
 },
- "targets": [
+ "shellbags": [
 {
 "name": "MY_COMPUTER",
 "size": 20,
diff --git a/libbeat/formats/fixtures/lnk/native.xp.19.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.19.lnk.fingerprint
index e11095ceae21..ed00fc3dbc6f 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.19.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.19.lnk.fingerprint
@@ -11,7 +11,7 @@
 "icon_index": 0,
 "window_style": "SW_NORMAL"
 },
- "targets": [
+ "shellbags": [
 {
 "name": "MY_COMPUTER",
 "size": 20,
diff --git a/libbeat/formats/fixtures/lnk/native.xp.20.lnk.fingerprint b/libbeat/formats/fixtures/lnk/native.xp.20.lnk.fingerprint
index 3cf25c922745..cab05b31999d 100644
--- a/libbeat/formats/fixtures/lnk/native.xp.20.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/native.xp.20.lnk.fingerprint
@@ -15,7 +15,7 @@
 "icon_index": 0,
 "window_style": "SW_NORMAL"
 },
- "targets": [
+ "shellbags": [
 {
 "name": "INTERNET_EXPLORER",
 "size": 20,
diff --git a/libbeat/formats/fixtures/lnk/net_unicode.lnk.fingerprint b/libbeat/formats/fixtures/lnk/net_unicode.lnk.fingerprint
index bd5c327a6fde..afbbdd80606c 100644
--- a/libbeat/formats/fixtures/lnk/net_unicode.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/net_unicode.lnk.fingerprint
@@ -67,7 +67,7 @@
 ]
 },
 "vista_and_above_id_list": {
- "targets": [
+ "shellbags": [
 {
 "name": "Users property view",
 "size": 20,
diff --git a/libbeat/formats/fixtures/lnk/net_unicode2.lnk.fingerprint b/libbeat/formats/fixtures/lnk/net_unicode2.lnk.fingerprint
index f4bdbd83b010..5866f9579ba4 100644
--- a/libbeat/formats/fixtures/lnk/net_unicode2.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/net_unicode2.lnk.fingerprint
@@ -68,7 +68,7 @@
 ]
 },
 "vista_and_above_id_list": {
- "targets": [
+ "shellbags": [
 {
 "name": "Users property view",
 "size": 20,
diff --git a/libbeat/formats/fixtures/lnk/net_win31j.lnk.fingerprint b/libbeat/formats/fixtures/lnk/net_win31j.lnk.fingerprint
index 206e9638c29b..a4275f7c18ff 100644
--- a/libbeat/formats/fixtures/lnk/net_win31j.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/net_win31j.lnk.fingerprint
@@ -68,7 +68,7 @@
 ]
 },
 "vista_and_above_id_list": {
- "targets": [
+ "shellbags": [
 {
 "name": "Users property view",
 "size": 20,
diff --git a/libbeat/formats/fixtures/lnk/remote.directory.xp.lnk.fingerprint b/libbeat/formats/fixtures/lnk/remote.directory.xp.lnk.fingerprint
index 32b48fa466c5..9187cd7c4361 100644
--- a/libbeat/formats/fixtures/lnk/remote.directory.xp.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/remote.directory.xp.lnk.fingerprint
@@ -15,7 +15,7 @@
 "icon_index": 0,
 "window_style": "SW_NORMAL"
 },
- "targets": [
+ "shellbags": [
 {
 "name": "INTERNET_EXPLORER",
 "size": 20,
diff --git a/libbeat/formats/fixtures/lnk/remote.file.aidlist.lnk.fingerprint b/libbeat/formats/fixtures/lnk/remote.file.aidlist.lnk.fingerprint
index 648eac1147b9..60841ef69fd7 100644
--- a/libbeat/formats/fixtures/lnk/remote.file.aidlist.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/remote.file.aidlist.lnk.fingerprint
@@ -47,7 +47,7 @@
 ]
 },
 "vista_and_above_id_list": {
- "targets": [
+ "shellbags": [
 {
 "name": "Users property view",
 "size": 20,
diff --git a/libbeat/formats/fixtures/lnk/remote.file.xp.lnk.fingerprint b/libbeat/formats/fixtures/lnk/remote.file.xp.lnk.fingerprint
index 7ba9956d6549..444a4c906a87 100644
--- a/libbeat/formats/fixtures/lnk/remote.file.xp.lnk.fingerprint
+++ b/libbeat/formats/fixtures/lnk/remote.file.xp.lnk.fingerprint
@@ -17,7 +17,7 @@
 "icon_index": 0,
 "window_style": "SW_NORMAL"
 },
- "targets": [
+ "shellbags": [
 {
 "name": "INTERNET_EXPLORER",
 "size": 20,
diff --git a/libbeat/formats/lnk/extra_vista_and_above_id_list.go b/libbeat/formats/lnk/extra_vista_and_above_id_list.go
index a7a6525dca36..0cf5e31d8407 100644
--- a/libbeat/formats/lnk/extra_vista_and_above_id_list.go
+++ b/libbeat/formats/lnk/extra_vista_and_above_id_list.go
@@ -23,11 +23,11 @@ func parseExtraVistaAndAboveIDList(size uint32, data []byte) (*VistaAndAboveIDLi
 if size < 0x0000000A {
 return nil, errors.New("invalid extra vista and above id list block size")
 }
- targets, err := parseTargetList(data[8:])
+ shellbags, err := parseShellbagList(data[8:])
 if err != nil {
 return nil, err
 }
 return &VistaAndAboveIDList{
- Targets: targets,
+ Shellbags: shellbags,
 }, nil
 }
diff --git a/libbeat/formats/lnk/known_targets.go b/libbeat/formats/lnk/known_shellbags.go
similarity index 83%
rename from libbeat/formats/lnk/known_targets.go
rename to libbeat/formats/lnk/known_shellbags.go
index 2ff1e31d611b..0683de147134 100644
--- a/libbeat/formats/lnk/known_targets.go
+++ b/libbeat/formats/lnk/known_shellbags.go
@@ -22,9 +22,9 @@ import (
 "fmt"
 )
 
-type targetParser func(data []byte) string
+type shellbagParser func(data []byte) string
 
-func simpleTargetParser(name string) targetParser {
+func simpleShellbagParser(name string) shellbagParser {
 return func(data []byte) string {
 return name
 }
@@ -40,11 +40,11 @@ func checkKnownGUIDs(offset int, data []byte) string {
 return ""
 }
 
-func parseTarget0x00(data []byte) string {
+func parseShellbag0x00(data []byte) string {
 return checkKnownGUIDs(0xE, data)
 }
 
-func parseTarget0x01(data []byte) string {
+func parseShellbag0x01(data []byte) string {
 if data[8] == 0x3A && data[9] == 0x00 {
 return "Hyper-V storage volume"
 }
@@ -82,7 +82,7 @@ func parseTarget0x01(data []byte) string {
 }
 }
 
-func parseTarget0x2e(data []byte) string {
+func parseShellbag0x2e(data []byte) string {
 if known := checkKnownGUIDs(0x4, data); known != "" {
 return known
 }
@@ -101,7 +101,7 @@ func parseTarget0x2e(data []byte) string {
 return "Users property view"
 }
 
-func parseTarget0x1f(data []byte) string {
+func parseShellbag0x1f(data []byte) string {
 if known := checkKnownGUIDs(4, data); known != "" {
 return known
 }
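Review bot: parseShellbag0x01 in the `@@ -40,11` hunk reads `data[8]` and `data[9]` with no check on `len(data)`, and parseShellbag0x40 in the following `@@ -148,7` hunk reads `data[2]` the same way; `data` is the item payload after the two size bytes and the type byte, which the list parser in shellbag.go only guarantees is non-negative in length, so a malformed item of that type indexes out of range and panics the whole parse rather than returning an empty name. Guard each one at the top, `if len(data) < 10 { return "" }` for 0x01 and `if len(data) < 3 { return "" }` for 0x40. checkKnownGUIDs takes an offset into `data` but its body is outside these hunks, so I cannot tell whether it bounds-checks; if it does not, the 0x00, 0x2e, 0x1f and 0x71 parsers need the same treatment. The rename does not introduce this, but the renamed functions are the code under review and a parser fed untrusted files should not be able to panic on a short item.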
@@ -148,7 +148,7 @@ func parseTarget0x1f(data []byte) string {
 return "Users property view"
 }
 
-func parseTarget0x40(data []byte) string {
+func parseShellbag0x40(data []byte) string {
 switch data[2] {
 case 0x47:
 return "Entire Network"
@@ -165,45 +165,45 @@ func parseTarget0x40(data []byte) string {
 }
 }
 
-func parseTarget0x71(data []byte) string {
+func parseShellbag0x71(data []byte) string {
 return checkKnownGUIDs(0xE, data)
 }
 
 // Have a better look at
 // https://github.com/williballenthin/shellbags/blob/fee76eb25c2b80c33caf8ab9013de5cba113dcd2/ShellItems.py
-var knownTargets = map[byte]targetParser{
+var knownShellbags = map[byte]shellbagParser{
 // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0X23.cs
- 0x23: simpleTargetParser("Drive letter"),
+ 0x23: simpleShellbagParser("Drive letter"),
 // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0X4C.cs
- 0x4C: simpleTargetParser("Sharepoint directory"),
+ 0x4C: simpleShellbagParser("Sharepoint directory"),
 // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0x00.cs
- 0x00: parseTarget0x00,
+ 0x00: parseShellbag0x00,
 // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0x01.cs
- 0x01: parseTarget0x01,
+ 0x01: parseShellbag0x01,
 // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0x1f.cs
- 0x1f: parseTarget0x1f,
+ 0x1f: parseShellbag0x1f,
 // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0x2e.cs
- 0x2e: parseTarget0x2e,
+ 0x2e: parseShellbag0x2e,
 // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0x2f.cs
- 0x2f: simpleTargetParser("Drive letter"),
+ 0x2f: simpleShellbagParser("Drive letter"),
 // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0x31.cs
- 0x31: simpleTargetParser("Directory"),
+ 0x31: simpleShellbagParser("Directory"),
 // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0x32.cs
- 0x32: simpleTargetParser("File"),
+ 0x32: simpleShellbagParser("File"),
 // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0x40.cs
- 0x40: parseTarget0x40,
+ 0x40: parseShellbag0x40,
 // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0x61.cs
- 0x61: simpleTargetParser("URI"),
+ 0x61: simpleShellbagParser("URI"),
 // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0x71.cs
- 0x71: parseTarget0x71,
+ 0x71: parseShellbag0x71,
 // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0x74.cs
 // 0x74:
 // https://github.com/EricZimmerman/Lnk/blob/master/Lnk/ShellItems/ShellBag0xc3.cs
- 0xc3: simpleTargetParser("Network location"),
+ 0xc3: simpleShellbagParser("Network location"),
 }
 
-func getTargetName(targetType byte, data []byte) string {
- if parser, known := knownTargets[targetType]; known {
+func getShellbagName(shellbagType byte, data []byte) string {
+ if parser, known := knownShellbags[shellbagType]; known {
 return parser(data)
 }
 return ""
diff --git a/libbeat/formats/lnk/lnk.go b/libbeat/formats/lnk/lnk.go
index 7969493166b7..e9e12a968612 100644
--- a/libbeat/formats/lnk/lnk.go
+++ b/libbeat/formats/lnk/lnk.go
@@ -112,7 +112,7 @@ type Tracker struct {
 
 // VistaAndAboveIDList contains LNK extra vista and above id list data block info
 type VistaAndAboveIDList struct {
- Targets []Target `json:"targets,omitempty"`
+ Shellbags []Shellbag `json:"shellbags,omitempty"`
 }
 
 // Extra contains LNK extra block info
@@ -161,8 +161,8 @@ type Location struct {
 NetworkShare *NetworkShare `json:"network_share,omitempty"`
 }
 
-// Target contains LNK target info
-type Target struct {
+// Shellbag contains LNK shellbag info
+type Shellbag struct {
 Name string `json:"name,omitempty"`
 Size uint16 `json:"size"`
 TypeID uint8 `json:"type_id"`
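Review bot: getShellbagName in the `@@ -165,45` hunk has no doc comment, and its empty-string result is ambiguous: it is returned both when `shellbagType` is absent from knownShellbags and when a known type's parser finds nothing, so callers cannot tell "unrecognised type" from "recognised type, no name". Suggest `// getShellbagName returns a descriptive name for a shell item of the given type, or "" when the type is not in knownShellbags or its parser cannot identify the item.`. The `// 0x74:` placeholder entry would also be clearer as `// 0x74: not yet handled` so it is not mistaken for a commented-out bug.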
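Review bot: `// Shellbag contains LNK shellbag info` in the lnk.go `@@ -161,8` hunk only restates the type name and says nothing about what the fields hold, which matters because these values are emitted as JSON and indexed. Going by how shellbag.go fills the struct, suggest `// Shellbag is one shell item from the LNK's link target ID list: Size is the item's total length in bytes, TypeID its type byte, Name a best-effort description derived from the type, and SHA256 the hash of the item payload after the size and type bytes.`. The struct body continues past the end of the hunk, so the SHA256 field is only visible where it is assigned in parseShellbagList.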
@@ -188,15 +188,15 @@ type Header struct {
 
 // Info contains high level fingerprinting an analysis of an LNK file.
 type Info struct {
- Header *Header `json:"header"`
- Targets []Target `json:"targets,omitempty"`
- Location *Location `json:"location,omitempty"`
- Name string `json:"name,omitempty"`
- RelativePath string `json:"relative_path,omitempty"`
- WorkingDirectory string `json:"working_directory,omitempty"`
- CommandLine string `json:"command_line,omitempty"`
- IconLocation string `json:"icon_location,omitempty"`
- Extra *Extra `json:"extra,omitempty"`
+ Header *Header `json:"header"`
+ Shellbags []Shellbag `json:"shellbags,omitempty"`
+ Location *Location `json:"location,omitempty"`
+ Name string `json:"name,omitempty"`
+ RelativePath string `json:"relative_path,omitempty"`
+ WorkingDirectory string `json:"working_directory,omitempty"`
+ CommandLine string `json:"command_line,omitempty"`
+ IconLocation string `json:"icon_location,omitempty"`
+ Extra *Extra `json:"extra,omitempty"`
 }
 
 // Parse parses the LNK file and returns information about it or errors.
@@ -205,7 +205,7 @@ func Parse(r io.ReaderAt) (interface{}, error) {
 if err != nil {
 return nil, err
 }
- targets, offset, err := parseTargets(header, offset, r)
+ shellbags, offset, err := parseShellbags(header, offset, r)
 if err != nil {
 return nil, err
 }
@@ -239,7 +239,7 @@ func Parse(r io.ReaderAt) (interface{}, error) {
 }
 return &Info{
 Header: header,
- Targets: targets,
+ Shellbags: shellbags,
 Location: location,
 Name: name,
 RelativePath: relativePath,
diff --git a/libbeat/formats/lnk/target.go b/libbeat/formats/lnk/shellbag.go
similarity index 66%
rename from libbeat/formats/lnk/target.go
rename to libbeat/formats/lnk/shellbag.go
index 38a8fb005278..6d4cb349fa43 100644
--- a/libbeat/formats/lnk/target.go
+++ b/libbeat/formats/lnk/shellbag.go
@@ -26,7 +26,7 @@ import (
 sha256 "github.com/minio/sha256-simd"
 )
 
-func parseTargets(header *Header, offset int64, r io.ReaderAt) ([]Target, int64, error) {
+func parseShellbags(header *Header, offset int64, r io.ReaderAt) ([]Shellbag, int64, error) {
 if !hasFlag(header.rawLinkFlags, hasTargetIDList) {
 return nil, offset, nil
 }
@@ -49,37 +49,37 @@ func parseTargets(header *Header, offset int64, r io.ReaderAt) ([]Target, int64,
 if n != int(size) {
 return nil, 0, errors.New("invalid target list size")
 }
- targets, err := parseTargetList(data)
- return targets, offset + int64(size), err
+ shellbags, err := parseShellbagList(data)
+ return shellbags, offset + int64(size), err
 }
 
-func parseTargetList(data []byte) ([]Target, error) {
+func parseShellbagList(data []byte) ([]Shellbag, error) {
 // https://github.com/libyal/libfwsi/blob/master/documentation/Windows%20Shell%20Item%20format.asciidoc#2-shell-item-list
- targets := []Target{}
+ shellbags := []Shellbag{}
 offset := 0
 for {
- targetData := data[offset:]
- if len(targetData) < 3 {
+ shellbagData := data[offset:]
+ if len(shellbagData) < 3 {
 // early end
- return targets, nil
+ return shellbags, nil
 }
- targetSize := binary.LittleEndian.Uint16(targetData[0:2])
- if targetSize == 0 {
- return targets, nil
+ shellbagSize := binary.LittleEndian.Uint16(shellbagData[0:2])
+ if shellbagSize == 0 {
+ return shellbags, nil
 }
- if len(targetData) < int(targetSize) {
+ if len(shellbagData) < int(shellbagSize) {
 // we have an invalid target
- return targets, nil
+ return shellbags, nil
 }
- targetData = targetData[:targetSize]
- targetType := targetData[2]
- hash := sha256.Sum256(targetData[3:])
- targets = append(targets, Target{
- Name: getTargetName(targetType, targetData[3:]),
- Size: targetSize,
- TypeID: targetType,
+ shellbagData = shellbagData[:shellbagSize]
+ shellbagType := shellbagData[2]
+ hash := sha256.Sum256(shellbagData[3:])
+ shellbags = append(shellbags, Shellbag{
+ Name: getShellbagName(shellbagType, shellbagData[3:]),
+ Size: shellbagSize,
+ TypeID: shellbagType,
 SHA256: hex.EncodeToString(hash[:]),
 })
- offset += int(targetSize)
+ offset += int(shellbagSize)
 }
 }
From 1e82b351a40f156a0ddf49e3161e00cd76ff2bf9 Mon Sep 17 00:00:00 2001
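Review bot: In parseShellbagList a `shellbagSize` of 1 or 2 passes both the `== 0` test and the `len(shellbagData) < int(shellbagSize)` test, but after `shellbagData = shellbagData[:shellbagSize]` the reads `shellbagData[2]` and `shellbagData[3:]` run past the re-sliced length and panic, so a malformed LNK with such an item crashes the parser instead of returning the items parsed so far. Fold the minimum item length into the existing check: `if shellbagSize < 3 || len(shellbagData) < int(shellbagSize) {`. The comment on that branch, `// we have an invalid target`, still uses the old vocabulary and should read `// we have an invalid shellbag`. The `errors.New("invalid target list size")` string in the first hunk is runtime output, so leaving it unrenamed is defensible, but it should be a deliberate choice rather than an oversight. parseShellbags begins before this hunk; parseShellbagList is complete within it.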
From: Andrew Stucki
Date: Wed, 3 Mar 2021 16:37:09 -0500
Subject: [PATCH 30/30] Update field mappings

---
 auditbeat/docs/fields.asciidoc | 4 ++--
 auditbeat/module/file_integrity/_meta/fields.yml | 14 +++++++++-----
 auditbeat/module/file_integrity/fields.go | 2 +-
 3 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/auditbeat/docs/fields.asciidoc b/auditbeat/docs/fields.asciidoc
index a65c0f7210aa..1c4bc8b74b5e 100644
--- a/auditbeat/docs/fields.asciidoc
+++ b/auditbeat/docs/fields.asciidoc
@@ -12222,10 +12222,10 @@ type: keyword
 
 --
 
-*`file.lnk.targets`*::
+*`file.lnk.shellbags`*::
 +
 --
-LNK targets
+LNK shellbags
 
 type: nested
 
diff --git a/auditbeat/module/file_integrity/_meta/fields.yml b/auditbeat/module/file_integrity/_meta/fields.yml
index aee8cf4f4406..5fe873ff0f10 100644
--- a/auditbeat/module/file_integrity/_meta/fields.yml
+++ b/auditbeat/module/file_integrity/_meta/fields.yml
@@ -659,20 +659,24 @@
 description: LNK hot key
 type: keyword
 
- - name: targets
- description: LNK targets
+ - name: shellbags
+ description: LNK shellbags
 type: nested
 fields:
+ - name: name
+ description: LNK shellbag name
+ type: integer
+
 - name: size
- description: LNK target size
+ description: LNK shellbag size
 type: integer
 
 - name: type_id
- description: LNK target type id
+ description: LNK shellbag type id
 type: integer
 
 - name: sha256
- description: LNK target sha256
+ description: LNK shellbag sha256
 type: keyword
 
 - name: location.flags
diff --git a/auditbeat/module/file_integrity/fields.go b/auditbeat/module/file_integrity/fields.go
index b44b5dc0ff06..0a85bff93e2d 100644
--- a/auditbeat/module/file_integrity/fields.go
+++ b/auditbeat/module/file_integrity/fields.go
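Review bot: The new `name` field added in the fields.yml hunk (`@@ -659,20 +659,24 @@`) is mapped as `type: integer`, but the value the parser emits is a string — lnk.go declares `Name string \`json:"name,omitempty"\`` and the updated fixtures carry values like `"name": "INTERNET_EXPLORER"` — so events with a non-numeric name would be rejected by the index mapping once this template is installed. Change it to `type: keyword`, which also matches the sibling `sha256` entry. fields.go is generated from this file, so it must be regenerated after the fix rather than hand-edited; the fields.asciidoc hunk is documentation only and needs no change beyond that regeneration.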
@@ -32,5 +32,5 @@ func init() { // AssetFileIntegrity returns asset data. // This is the base64 encoded gzipped contents of module/file_integrity. func AssetFileIntegrity() string { - return "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" + return "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" }