# Copyright (c) 2017, The MITRE Corporation. All rights reserved. # See LICENSE.txt for complete terms. import sys from mixbox.binding_utils import * from . import cybox_common from . import win_handle_object class WinEventType(cybox_common.BaseObjectPropertyType): """WinEventType specifies Windows event types, via a union of the WinEventTypeEnum type and the atomic xs:string type. Its base type is the CybOX Core cybox_common.BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.This attribute is optional and specifies the expected type for the value of the specified property.""" subclass = None superclass = cybox_common.BaseObjectPropertyType def __init__(self, obfuscation_algorithm_ref=None, refanging_transform_type=None, has_changed=None, delimiter='##comma##', pattern_type=None, datatype='string', refanging_transform=None, is_case_sensitive=True, bit_mask=None, appears_random=None, observed_encoding=None, defanging_algorithm_ref=None, is_obfuscated=None, regex_syntax=None, apply_condition='ANY', trend=None, idref=None, is_defanged=None, id=None, condition=None, valueOf_=None): super(WinEventType, self).__init__(obfuscation_algorithm_ref, refanging_transform_type, has_changed, delimiter, pattern_type, datatype, refanging_transform, is_case_sensitive, bit_mask, appears_random, observed_encoding, defanging_algorithm_ref, is_obfuscated, regex_syntax, apply_condition, trend, idref, is_defanged, id, condition, valueOf_) self.datatype = _cast(None, datatype) self.valueOf_ = valueOf_ def factory(*args_, **kwargs_): if WinEventType.subclass: return WinEventType.subclass(*args_, **kwargs_) else: return WinEventType(*args_, **kwargs_) factory = staticmethod(factory) def get_datatype(self): return self.datatype def set_datatype(self, datatype): self.datatype = datatype def get_valueOf_(self): return self.valueOf_ def set_valueOf_(self, valueOf_): self.valueOf_ = valueOf_ def hasContent_(self): if ( self.valueOf_ or super(WinEventType, self).hasContent_() ): return True else: return False def export(self, lwrite, level, namespace_='WinEventObj:', name_='WinEventType', namespacedef_='', pretty_print=True): if pretty_print: eol_ = '\n' else: eol_ = '' showIndent(lwrite, level, pretty_print) lwrite('<%s%s%s' % (namespace_, name_, namespacedef_ and ' ' + namespacedef_ or '', )) already_processed = set() self.exportAttributes(lwrite, level, already_processed, namespace_, name_='WinEventType') if self.hasContent_(): lwrite('>') lwrite(quote_xml(self.valueOf_)) self.exportChildren(lwrite, level + 1, namespace_, name_, pretty_print=pretty_print) lwrite('%s' % (namespace_, name_, eol_)) else: lwrite('/>%s' % (eol_, )) def exportAttributes(self, lwrite, level, already_processed, namespace_='WinEventObj:', name_='WinEventType'): super(WinEventType, self).exportAttributes(lwrite, level, already_processed, namespace_, name_='WinEventType') if self.datatype is not None: lwrite(' datatype=%s' % (quote_attrib(self.datatype), )) def exportChildren(self, lwrite, level, namespace_='WinEventObj:', name_='WinEventType', fromsubclass_=False, pretty_print=True): super(WinEventType, self).exportChildren(lwrite, level, 'WinEventObj:', name_, True, pretty_print=pretty_print) pass def build(self, node): self.__sourcenode__ = node already_processed = set() self.buildAttributes(node, node.attrib, already_processed) self.valueOf_ = get_all_text_(node) for child in node: nodeName_ = Tag_pattern_.match(child.tag).groups()[-1] self.buildChildren(child, node, nodeName_) def buildAttributes(self, node, attrs, already_processed): value = find_attr_value_('datatype', node) if value is not None: self.datatype = value super(WinEventType, self).buildAttributes(node, attrs, already_processed) def buildChildren(self, child_, node, nodeName_, fromsubclass_=False): pass # end class WinEventType class WindowsEventObjectType(cybox_common.ObjectPropertiesType): """The WindowsEventObjectType type is intended to characterize Windows event (synchronization) objects.""" subclass = None superclass = cybox_common.ObjectPropertiesType def __init__(self, object_reference=None, Custom_Properties=None, xsi_type=None, Handle=None, Name=None, Type=None): super(WindowsEventObjectType, self).__init__(object_reference, Custom_Properties, xsi_type ) self.Handle = Handle self.Name = Name self.Type = Type def factory(*args_, **kwargs_): if WindowsEventObjectType.subclass: return WindowsEventObjectType.subclass(*args_, **kwargs_) else: return WindowsEventObjectType(*args_, **kwargs_) factory = staticmethod(factory) def get_Handle(self): return self.Handle def set_Handle(self, Handle): self.Handle = Handle def get_Name(self): return self.Name def set_Name(self, Name): self.Name = Name def validate_StringObjectPropertyType(self, value): # Validate type cybox_common.StringObjectPropertyType, a restriction on None. pass def get_Type(self): return self.Type def set_Type(self, Type): self.Type = Type def validate_WinEventType(self, value): # Validate type WinEventType, a restriction on None. pass def hasContent_(self): if ( self.Handle is not None or self.Name is not None or self.Type is not None or super(WindowsEventObjectType, self).hasContent_() ): return True else: return False def export(self, lwrite, level, namespace_='WinEventObj:', name_='WindowsEventObjectType', namespacedef_='', pretty_print=True): if pretty_print: eol_ = '\n' else: eol_ = '' showIndent(lwrite, level, pretty_print) lwrite('<%s%s%s' % (namespace_, name_, namespacedef_ and ' ' + namespacedef_ or '', )) already_processed = set() self.exportAttributes(lwrite, level, already_processed, namespace_, name_='WindowsEventObjectType') if self.hasContent_(): lwrite('>%s' % (eol_, )) self.exportChildren(lwrite, level + 1, namespace_, name_, pretty_print=pretty_print) showIndent(lwrite, level, pretty_print) lwrite('%s' % (namespace_, name_, eol_)) else: lwrite('/>%s' % (eol_, )) def exportAttributes(self, lwrite, level, already_processed, namespace_='WinEventObj:', name_='WindowsEventObjectType'): super(WindowsEventObjectType, self).exportAttributes(lwrite, level, already_processed, namespace_, name_='WindowsEventObjectType') def exportChildren(self, lwrite, level, namespace_='WinEventObj:', name_='WindowsEventObjectType', fromsubclass_=False, pretty_print=True): super(WindowsEventObjectType, self).exportChildren(lwrite, level, 'WinEventObj:', name_, True, pretty_print=pretty_print) if pretty_print: eol_ = '\n' else: eol_ = '' if self.Handle is not None: self.Handle.export(lwrite, level, 'WinEventObj:', name_='Handle', pretty_print=pretty_print) if self.Name is not None: self.Name.export(lwrite, level, 'WinEventObj:', name_='Name', pretty_print=pretty_print) if self.Type is not None: self.Type.export(lwrite, level, 'WinEventObj:', name_='Type', pretty_print=pretty_print) def build(self, node): self.__sourcenode__ = node already_processed = set() self.buildAttributes(node, node.attrib, already_processed) for child in node: nodeName_ = Tag_pattern_.match(child.tag).groups()[-1] self.buildChildren(child, node, nodeName_) def buildAttributes(self, node, attrs, already_processed): super(WindowsEventObjectType, self).buildAttributes(node, attrs, already_processed) def buildChildren(self, child_, node, nodeName_, fromsubclass_=False): if nodeName_ == 'Handle': obj_ = win_handle_object.WindowsHandleObjectType.factory() obj_.build(child_) self.set_Handle(obj_) elif nodeName_ == 'Name': obj_ = cybox_common.StringObjectPropertyType.factory() obj_.build(child_) self.set_Name(obj_) elif nodeName_ == 'Type': obj_ = WinEventType.factory() obj_.build(child_) self.set_Type(obj_) super(WindowsEventObjectType, self).buildChildren(child_, node, nodeName_, True) # end class WindowsEventObjectType GDSClassesMapping = { 'Build_Utility': cybox_common.BuildUtilityType, 'Errors': cybox_common.ErrorsType, 'Time': cybox_common.TimeType, 'Certificate_Issuer': cybox_common.StringObjectPropertyType, 'Metadata': cybox_common.MetadataType, 'Hash': cybox_common.HashType, 'Information_Source_Type': cybox_common.ControlledVocabularyStringType, 'Block_Hash_Value': cybox_common.HashValueType, 'Fuzzy_Hash_Structure': cybox_common.FuzzyHashStructureType, 'SubDatum': cybox_common.MetadataType, 'Segment_Hash': cybox_common.HashValueType, 'Digital_Signature': cybox_common.DigitalSignatureInfoType, 'Code_Snippets': cybox_common.CodeSnippetsType, 'Value': cybox_common.StringObjectPropertyType, 'Length': cybox_common.IntegerObjectPropertyType, 'Encoding': cybox_common.ControlledVocabularyStringType, 'Internationalization_Settings': cybox_common.InternationalizationSettingsType, 'Tool_Configuration': cybox_common.ToolConfigurationType, 'Object_Address': cybox_common.UnsignedLongObjectPropertyType, 'English_Translation': cybox_common.StringObjectPropertyType, 'Functions': cybox_common.FunctionsType, 'String_Value': cybox_common.StringObjectPropertyType, 'Pointer_Count': cybox_common.UnsignedLongObjectPropertyType, 'Build_Utility_Platform_Specification': cybox_common.PlatformSpecificationType, 'Compiler_Informal_Description': cybox_common.CompilerInformalDescriptionType, 'System': cybox_common.ObjectPropertiesType, 'Platform': cybox_common.PlatformSpecificationType, 'Usage_Context_Assumptions': cybox_common.UsageContextAssumptionsType, 'Type': win_handle_object.HandleType, 'Compilers': cybox_common.CompilersType, 'Tool_Type': cybox_common.ControlledVocabularyStringType, 'String': cybox_common.ExtractedStringType, 'Tool': cybox_common.ToolInformationType, 'Build_Information': cybox_common.BuildInformationType, 'Tool_Hashes': cybox_common.HashListType, 'Compiler_Platform_Specification': cybox_common.PlatformSpecificationType, 'Error_Instances': cybox_common.ErrorInstancesType, 'Data_Segment': cybox_common.StringObjectPropertyType, 'Certificate_Subject': cybox_common.StringObjectPropertyType, 'Language': cybox_common.StringObjectPropertyType, 'Identifier': cybox_common.PlatformIdentifierType, 'Strings': cybox_common.ExtractedStringsType, 'File_System_Offset': cybox_common.IntegerObjectPropertyType, 'Reference_Description': cybox_common.StructuredTextType, 'User_Account_Info': cybox_common.ObjectPropertiesType, 'Configuration_Settings': cybox_common.ConfigurationSettingsType, 'Simple_Hash_Value': cybox_common.SimpleHashValueType, 'Byte_String_Value': cybox_common.HexBinaryObjectPropertyType, 'Instance': cybox_common.ObjectPropertiesType, 'Import': cybox_common.StringObjectPropertyType, 'Access_Mask': cybox_common.UnsignedLongObjectPropertyType, 'Property': cybox_common.PropertyType, 'Tool_Specific_Data': cybox_common.ToolSpecificDataType, 'Execution_Environment': cybox_common.ExecutionEnvironmentType, 'ID': cybox_common.UnsignedIntegerObjectPropertyType, 'Dependencies': cybox_common.DependenciesType, 'Offset': cybox_common.IntegerObjectPropertyType, 'Date': cybox_common.DateRangeType, 'Hashes': cybox_common.HashListType, 'Segments': cybox_common.HashSegmentsType, 'Segment_Count': cybox_common.IntegerObjectPropertyType, 'Usage_Context_Assumption': cybox_common.StructuredTextType, 'Block_Hash': cybox_common.FuzzyHashBlockType, 'Dependency': cybox_common.DependencyType, 'Error': cybox_common.ErrorType, 'Trigger_Point': cybox_common.HexBinaryObjectPropertyType, 'Environment_Variable': cybox_common.EnvironmentVariableType, 'Byte_Run': cybox_common.ByteRunType, 'Contributors': cybox_common.PersonnelType, 'Image_Offset': cybox_common.IntegerObjectPropertyType, 'Imports': cybox_common.ImportsType, 'Library': cybox_common.LibraryType, 'References': cybox_common.ToolReferencesType, 'Windows_Handle': win_handle_object.WindowsHandleObjectType, 'Internal_Strings': cybox_common.InternalStringsType, 'Custom_Properties': cybox_common.CustomPropertiesType, 'Configuration_Setting': cybox_common.ConfigurationSettingType, 'Libraries': cybox_common.LibrariesType, 'Function': cybox_common.StringObjectPropertyType, 'Handle': win_handle_object.WindowsHandleObjectType, 'Description': cybox_common.StructuredTextType, 'Code_Snippet': cybox_common.ObjectPropertiesType, 'Build_Configuration': cybox_common.BuildConfigurationType, 'Address': cybox_common.HexBinaryObjectPropertyType, 'Search_Within': cybox_common.IntegerObjectPropertyType, 'Segment': cybox_common.HashSegmentType, 'Compiler': cybox_common.CompilerType, 'Name': cybox_common.StringObjectPropertyType, 'Signature_Description': cybox_common.StringObjectPropertyType, 'Block_Size': cybox_common.IntegerObjectPropertyType, 'Search_Distance': cybox_common.IntegerObjectPropertyType, 'Fuzzy_Hash_Value': cybox_common.FuzzyHashValueType, 'Dependency_Description': cybox_common.StructuredTextType, 'Contributor': cybox_common.ContributorType, 'Tools': cybox_common.ToolsInformationType, 'Data_Size': cybox_common.DataSizeType, } USAGE_TEXT = """ Usage: python .py [ -s ] """ def usage(): print(USAGE_TEXT) sys.exit(1) def get_root_tag(node): tag = Tag_pattern_.match(node.tag).groups()[-1] rootClass = GDSClassesMapping.get(tag) if rootClass is None: rootClass = globals().get(tag) return tag, rootClass def parse(inFileName): doc = parsexml_(inFileName) rootNode = doc.getroot() rootTag, rootClass = get_root_tag(rootNode) if rootClass is None: rootTag = 'Windows_Event' rootClass = WindowsEventObjectType rootObj = rootClass.factory() rootObj.build(rootNode) # Enable Python to collect the space used by the DOM. doc = None # sys.stdout.write('\n') # rootObj.export(sys.stdout.write, 0, name_=rootTag, # namespacedef_='', # pretty_print=True) return rootObj def parseEtree(inFileName): doc = parsexml_(inFileName) rootNode = doc.getroot() rootTag, rootClass = get_root_tag(rootNode) if rootClass is None: rootTag = 'Windows_Event' rootClass = WindowsEventObjectType rootObj = rootClass.factory() rootObj.build(rootNode) # Enable Python to collect the space used by the DOM. doc = None rootElement = rootObj.to_etree(None, name_=rootTag) content = etree_.tostring(rootElement, pretty_print=True, xml_declaration=True, encoding="utf-8") sys.stdout.write(content) sys.stdout.write('\n') return rootObj, rootElement def parseString(inString): from mixbox.vendor.six import StringIO doc = parsexml_(StringIO(inString)) rootNode = doc.getroot() rootTag, rootClass = get_root_tag(rootNode) if rootClass is None: rootTag = 'Windows_Event' rootClass = WindowsEventObjectType rootObj = rootClass.factory() rootObj.build(rootNode) # Enable Python to collect the space used by the DOM. doc = None # sys.stdout.write('\n') # rootObj.export(sys.stdout.write, 0, name_="Windows_Event", # namespacedef_='') return rootObj def main(): args = sys.argv[1:] if len(args) == 1: parse(args[0]) else: usage() if __name__ == '__main__': #import pdb; pdb.set_trace() main() __all__ = [ "WindowsEventObjectType", "WinEventType" ]