Worked on Windows Defender scan DetectionHistory file

joachimmetz · joachimmetz · commit 35272acfc895 · 2022-02-15T19:41:51.000+01:00
diff --git a/documentation/Windows Defender scan DetectionHistory file format.asciidoc b/documentation/Windows Defender scan DetectionHistory file format.asciidoc
@@ -96,50 +96,130 @@ The Windows Defender scan DetectionHistory file consists of:
 
 === Known values
 
+The known values consists of multiple sets of values that are separated by
+a value containing the string "Magic.Version:1.2".
+
+* set 1, which contains basic information
+* set 2, which contains threat information
+* one of more set 3, which contains information about threat detection resources
+
+[yellow-background]*TODO: if information is related to MSFT_MpThreat or MSFT_MpThreatDetection classes?*
+
+==== Known values - set 1
+
 [cols="1,1,5",options="header"]
 |===
 | Value index | Value | Description
-3+| _Information related to MSFT_MpThreat class?_
 | 0 | | Threat identifier
 | 1 | | Identifier +
 Contains the GUID corresponding to the file name
-| 2 | "Magic.Version:1.2" | [yellow-background]*Unknown (signature and version?)*
-| 3 | | Name of the threat that was detected +
+|===
+
+==== Known values - set 2
+
+[cols="1,1,5",options="header"]
+|===
+| Value index | Value | Description
+| 0 | "Magic.Version:1.2" | Known values set separator
+| 1 | | Name of the threat that was detected +
 For example: "Virus:DOS/EICAR_Test_File"
-| 4 | | [yellow-background]*Unknown* +
+| 2 | | [yellow-background]*Unknown* +
 Seen: 0
-| 5 | | [yellow-background]*Unknown* +
+| 3 | | [yellow-background]*Unknown* +
 Seen: 5
-| 6 | | Category +
+| 4 | | Category +
 See section: <<category,Category>>
-| 7 | | [yellow-background]*Unknown* +
-Seen: 0x6e
-| 8 | | [yellow-background]*Unknown (Severity?)* +
+| 5 | | [yellow-background]*Unknown* +
+Seen: 49 (last value index 10), 63 (last value index 12), 110 (last value index 13)
+| 6 | | [yellow-background]*Unknown (Severity?)* +
 Seen: 4
+| 7 | | [yellow-background]*Unknown* +
+Seen: 3
+| 8 | | [yellow-background]*Unknown* +
+Seen: 3
 | 9 | | [yellow-background]*Unknown* +
 Seen: 3
 | 10 | | [yellow-background]*Unknown* +
 Seen: 3
+3+| _Optional values_
 | 11 | | [yellow-background]*Unknown* +
-Seen: 3
-| 12 | | [yellow-background]*Unknown* +
-Seen: 3
-| 13 | | [yellow-background]*Unknown* +
 Seen: 2
-| 14 | | [yellow-background]*Unknown* +
+| 12 | | [yellow-background]*Unknown* +
 Seen: 6
-| 15 | | [yellow-background]*Unknown* +
+| 13 | | [yellow-background]*Unknown* +
 Seen: 1
-3+| _Information related to MSFT_MpThreatDetection class?_
-| 16 | "Magic.Version:1.2" | [yellow-background]*Unknown (signature and version?)*
-| 17 | "file" | [yellow-background]*Unknown*
-| 18 | | [yellow-background]*Unknown (path of file)*
+|===
+
+==== Known values - set 3
+
+[cols="1,1,5",options="header"]
+|===
+| Value index | Value | Description
+| 0 | "Magic.Version:1.2" | Known values set separator
+| 1 | | Resource type +
+Seen: "file", "regkey", "regkeyvalue", "startup", "uninstall"
+| 2 | | Resource location +
+Seen: file path, Windows Registry key path
+| 3 | | [yellow-background]*Unknown* +
+Seen: 0, 0x10000001
+| 4 | | Thread data size
+| 5 | | Thread data
+3+| _Optional values_
+| 6 | | [yellow-background]*Unknown date and time*
+| 7 | | [yellow-background]*Unknown* +
+Seen: 0
+| 8 | | [yellow-background]*Unknown* +
+Seen: 0
+| 9 | | [yellow-background]*Unknown GUID*
+| 10 | | [yellow-background]*Unknown* +
+Seen: 0, 1
+| 11 | | [yellow-background]*Unknown* +
+Seen: 2, 6
+| 12 | | User/System account name
+| 13 | | [yellow-background]*Unknown* +
+Seen: 2, 3
+| 14 | | [yellow-background]*Unknown (parent process?)* +
+Seen: Path of parent process executable, "Unknown"
+| 15 | | [yellow-background]*Unknown* +
+Seen: 2, 3
+| 16 | | [yellow-background]*Unknown* +
+Seen: 0, 1
+| 17 | | [yellow-background]*Unknown* +
+Seen: 0
+| 18 | | [yellow-background]*Unknown date and time*
 | 19 | | [yellow-background]*Unknown* +
-Seen: 0x10000001
-| 20 | | [yellow-background]*Unknown (threat data size?)*
-| 21 | | [yellow-background]*Unknown (threat data?)*
+Seen: 0, 3
+| 20 | | [yellow-background]*Unknown date and time*
+| 21 | | [yellow-background]*Unknown* +
+Seen: 0
+| 22 | | [yellow-background]*Unknown* +
+Seen: 0
+| 23 | | [yellow-background]*Unknown* +
+Seen: 0
+| 24 | | User/System account name
+| 25 | | [yellow-background]*Unknown* +
+Seen: 0
+| 26 | | [yellow-background]*Unknown* +
+Seen: 0
+| 27 | | [yellow-background]*Unknown* +
+Seen: 0
+| 28 | | [yellow-background]*Unknown* +
+Seen: 0
+| 29 | | [yellow-background]*Unknown* +
+Seen: 0
+| 30 | | [yellow-background]*Unknown* +
+Seen: 0
+| 31 | | [yellow-background]*Unknown* +
+Seen: 1
 |===
 
+....
+Possible date and time values:
+InitialDetectionTime
+LastThreatStatusChangeTime
+RemediationTime
+....
+
 === [[category]]Category
 
 [cols="1,1,5",options="header"]
diff --git a/dtformats/detection_history.py b/dtformats/detection_history.py
@@ -22,6 +22,71 @@ class WindowsDefenderScanDetectionHistoryFile(data_format.BinaryDataFile):
       ('value_string', 'Value string', '_FormatString'),
       ('alignment_padding', 'Alignment padding', '_FormatDataInHexadecimal')]
 
+  _VALUE_DESCRIPTIONS = [
+      {0: 'Threat identifier',
+       1: 'Identifier'},
+      {0: 'UnknownMagic1',
+       1: 'Threat name',
+       4: 'Category'},
+      {0: 'UnknownMagic2',
+       1: 'Resource type',
+       2: 'Resource location',
+       4: 'Threat data size',
+       5: 'Threat data',
+       6: 'Unknown date and time1',
+       12: 'User/System account name1',
+       18: 'Unknown date and time2',
+       20: 'Unknown date and time3',
+       24: 'User/System account name2'}]
+
+  _CATEGORY_NAME = {
+      0: 'INVALID',
+      1: 'ADWARE',
+      2: 'SPYWARE',
+      3: 'PASSWORDSTEALER',
+      4: 'TROJANDOWNLOADER',
+      5: 'WORM',
+      6: 'BACKDOOR',
+      7: 'REMOTEACCESSTROJAN',
+      8: 'TROJAN',
+      9: 'EMAILFLOODER',
+      10: 'KEYLOGGER',
+      11: 'DIALER',
+      12: 'MONITORINGSOFTWARE',
+      13: 'BROWSERMODIFIER',
+      14: 'COOKIE',
+      15: 'BROWSERPLUGIN',
+      16: 'AOLEXPLOIT',
+      17: 'NUKER',
+      18: 'SECURITYDISABLER',
+      19: 'JOKEPROGRAM',
+      20: 'HOSTILEACTIVEXCONTROL',
+      21: 'SOFTWAREBUNDLER',
+      22: 'STEALTHNOTIFIER',
+      23: 'SETTINGSMODIFIER',
+      24: 'TOOLBAR',
+      25: 'REMOTECONTROLSOFTWARE',
+      26: 'TROJANFTP',
+      27: 'POTENTIALUNWANTEDSOFTWARE',
+      28: 'ICQEXPLOIT',
+      29: 'TROJANTELNET',
+      30: 'FILESHARINGPROGRAM',
+      31: 'MALWARE_CREATION_TOOL',
+      32: 'REMOTE_CONTROL_SOFTWARE',
+      33: 'TOOL',
+      34: 'TROJAN_DENIALOFSERVICE',
+      36: 'TROJAN_DROPPER',
+      37: 'TROJAN_MASSMAILER',
+      38: 'TROJAN_MONITORINGSOFTWARE',
+      39: 'TROJAN_PROXYSERVER',
+      40: 'VIRUS',
+      42: 'KNOWN',
+      43: 'UNKNOWN',
+      44: 'SPP',
+      45: 'BEHAVIOR',
+      46: 'VULNERABILTIY',
+      47: 'POLICY'}
+
   def _ReadValue(self, file_object, file_offset):
     """Reads the value.
 
@@ -30,7 +95,7 @@ def _ReadValue(self, file_object, file_offset):
       file_offset (int): offset of the value relative to the start of the file.
 
     Returns:
-      detection_history_value: value.
+      object: value.
 
     Raises:
       IOError: if the value cannot be read.
@@ -43,7 +108,20 @@ def _ReadValue(self, file_object, file_offset):
     if self._debug:
       self._DebugPrintStructureObject(value, self._DEBUG_INFO_VALUE)
 
-    return value
+    value_object = None
+    if value.data_type in (
+        0x00000000, 0x00000005, 0x00000006, 0x00000008):
+      value_object = value.value_integer
+    elif value.data_type == 0x0000000a:
+      value_object = value.value_filetime
+    elif value.data_type == 0x00000015:
+      value_object = value.value_string
+    elif value.data_type == 0x0000001e:
+      value_object = value.value_guid
+    elif value.data_type == 0x00000028:
+      value_object = value.data
+
+    return value_object
 
   def ReadFileObject(self, file_object):
     """Reads a Windows Defender scan DetectionHistory file-like object.
@@ -54,7 +132,34 @@ def ReadFileObject(self, file_object):
     Raises:
       ParseError: if the file cannot be read.
     """
+    value_objects = []
+
     file_offset = 0
     while file_offset < self._file_size:
-      self._ReadValue(file_object, file_offset)
+      value_object = self._ReadValue(file_object, file_offset)
+      value_objects.append(value_object)
+
       file_offset = file_object.tell()
+
+    if self._debug:
+      value_index_set = 0
+      value_index = 0
+      for value_object in value_objects:
+        if value_object == 'Magic.Version:1.2':
+          if value_index_set < 2:
+            value_index_set += 1
+          value_index = 0
+
+        description = self._VALUE_DESCRIPTIONS[value_index_set].get(
+            value_index, 'UNKNOWN_{0:d}_{1:d}'.format(
+                value_index_set, value_index))
+
+        if (value_index_set, value_index) == (1, 4):
+          value_string = '{0!s} ({1:s})'.format(
+              value_object, self._CATEGORY_NAME.get(value_object, 'UNKNOWN'))
+        else:
+          value_string = '{0!s}'.format(value_object)
+
+        self._DebugPrintValue(description, value_string)
+
+        value_index += 1
diff --git a/dtformats/detection_history.yaml b/dtformats/detection_history.yaml
@@ -149,6 +149,7 @@ members:
   encoding: utf-16-le
   element_data_type: byte
   elements_data_size: detection_history_value_string.data_size
+  elements_terminator: "\x00\x00"
 - name: alignment_padding
   type: padding
   alignment_size: 8
