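// LoadRedlineAuditDirectory ingests an already-extracted Redline audit
// directory for the given case.
//
// filename must name a directory laid out as a Redline audit (as judged by
// IsRedlineAuditDirectory); any other path yields
// nightHawk.ERROR_UNSUPPORTED_TRIAGE_FILE. debugmodule is accepted for
// interface compatibility and is not consulted here.
//
// Returns 0 on success or a nightHawk error code. A path that cannot be
// opened, or a directory whose manifest cannot be located, panics, matching
// the file's existing convention; a manifest without a machine name
// terminates via ExitOnError.
func LoadRedlineAuditDirectory(caseinfo nightHawk.CaseInformation, filename string, debugmodule string) int {
	fd, err := os.Open(filename)
	if err != nil {
		panic(err.Error())
	}
	defer fd.Close()

	// A failed Stat previously left finfo nil and crashed on finfo.Mode();
	// report it and treat the input as unsupported instead.
	finfo, err := fd.Stat()
	if err != nil {
		ConsoleMessage("DEBUG", "stat "+filename+": "+err.Error(), nightHawk.VERBOSE)
		return nightHawk.ERROR_UNSUPPORTED_TRIAGE_FILE
	}
	// Only directories are accepted; rejecting just IsRegular() would let
	// devices, pipes and sockets through to the directory scan below.
	if !finfo.IsDir() {
		return nightHawk.ERROR_UNSUPPORTED_TRIAGE_FILE
	}
	if !IsRedlineAuditDirectory(filename) {
		return nightHawk.ERROR_UNSUPPORTED_TRIAGE_FILE
	}

	targetDir := filename
	manifest, err := nightHawk.GetAuditManifestFile(targetDir)
	if err != nil {
		panic(err.Error())
	}

	var rlman nightHawk.RlManifest
	rlman.ParseAuditManifest(filepath.Join(targetDir, manifest))
	// NOTE(review): payload names originate in the (untrusted) manifest;
	// confirm that Payloads2 constrains them to targetDir before they are opened.
	auditfiles := rlman.Payloads2(targetDir)

	computername := rlman.SysInfo.SystemInfo.Machine
	if computername == "" {
		ExitOnError("Failed to get Computer Name from Audits", nightHawk.ERROR_READING_COMPUTERNAME)
	}

	ConsoleMessage("INFO", fmt.Sprintf("Processing Redline audits for %s\n", computername), nightHawk.VERBOSE)

	// One goroutine per audit file; GoLoadAudit is expected to call Done on
	// the WaitGroup it is handed.
	var rlwg sync.WaitGroup
	for _, auditfile := range auditfiles {
		rlwg.Add(1)
		go GoLoadAudit(&rlwg, computername, caseinfo, targetDir, auditfile)
	}
	rlwg.Wait()
	return 0
}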
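// LoadRedlineAuditFile ingests a packaged Redline audit file for the given
// case. The file is unpacked into a session directory by
// CreateSessionDirectory, processed, and the session directory is removed
// again when the function returns. debugmodule is accepted for interface
// compatibility and is not consulted here.
//
// Some Redline packages wrap the audit in a single sub-folder; in that case
// the first sub-folder (in filepath.Glob order) that IsRedlineAuditDirectory
// accepts is used as the audit root.
//
// Returns 0 on success, nightHawk.ERROR_UNSUPPORTED_TRIAGE_FILE when neither
// the session directory nor any of its sub-folders is a Redline audit
// directory, and panics if the manifest cannot be located (file convention).
// A manifest without a machine name terminates via ExitOnError.
func LoadRedlineAuditFile(caseinfo nightHawk.CaseInformation, filename string, debugmodule string) int {
	ConsoleMessage("INFO", "Processing redline file", nightHawk.VERBOSE)

	// sessionDir is the directory we created and must clean up; targetDir may
	// later be re-pointed at a sub-folder inside it. The original removed only
	// targetDir, which leaked the session directory whenever a sub-folder was
	// used, and skipped removal entirely when the manifest lookup panicked.
	// Deferring the removal covers both (ExitOnError still exits without it).
	// NOTE(review): CreateSessionDirectory is where archive entries are written
	// to disk; confirm it rejects entry names that escape the session directory.
	sessionDir := CreateSessionDirectory(filename)
	defer os.RemoveAll(sessionDir)
	ConsoleMessage("INFO", "Session directory "+sessionDir, nightHawk.VERBOSE)

	targetDir := sessionDir
	if !IsRedlineAuditDirectory(targetDir) {
		ConsoleMessage("DEBUG", targetDir+" is not Redline Audit directory", nightHawk.VERBOSE)
		dirList, err := filepath.Glob(filepath.Join(targetDir, "*"))
		if err != nil {
			// Glob only fails on a malformed pattern, i.e. glob metacharacters
			// in the session path; dirList is then empty and we fall through.
			ConsoleMessage("DEBUG", "listing "+targetDir+": "+err.Error(), nightHawk.VERBOSE)
		}
		found := false
		for _, d := range dirList {
			if IsRedlineAuditDirectory(d) {
				targetDir = d
				found = true
				ConsoleMessage("INFO", "Session directory updated to "+targetDir, nightHawk.VERBOSE)
				break
			}
		}
		if !found {
			// Same outcome LoadRedlineAuditDirectory reports for a non-audit
			// directory; previously this fell through and panicked on the
			// manifest lookup.
			return nightHawk.ERROR_UNSUPPORTED_TRIAGE_FILE
		}
	}

	manifest, err := nightHawk.GetAuditManifestFile(targetDir)
	if err != nil {
		panic(err.Error())
	}

	var rlman nightHawk.RlManifest
	rlman.ParseAuditManifest(filepath.Join(targetDir, manifest))
	// NOTE(review): payload names originate in the (untrusted) manifest;
	// confirm that Payloads2 constrains them to targetDir before they are opened.
	auditfiles := rlman.Payloads2(targetDir)

	computername := rlman.SysInfo.SystemInfo.Machine
	if computername == "" {
		ExitOnError("Failed to get Computer Name from Audits", nightHawk.ERROR_READING_COMPUTERNAME)
	}
	ConsoleMessage("INFO", fmt.Sprintf("Processing Redline audits for %s\n", computername), nightHawk.VERBOSE)

	// One goroutine per audit file; GoLoadAudit is expected to call Done on
	// the WaitGroup it is handed.
	var rlwg sync.WaitGroup
	for _, auditfile := range auditfiles {
		rlwg.Add(1)
		go GoLoadAudit(&rlwg, computername, caseinfo, targetDir, auditfile)
	}
	rlwg.Wait()
	return 0
}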