Hi
I’m working right now with computer forensics.
I have an xml file which I have saved from Process Monitor .
The file look like
<?xml version="1.0" encoding="UTF-8"?>
<Company>Sysinternals - www.sysinternals.com</Company>

<module>
<Timestamp>130412795960224800</Timestamp>
<BaseAddress>0x6de80000</BaseAddress>
<Size>24576</Size>
<Path>C:\Windows\system32\Riched32.dll</Path>
<Version>6.1.7600.16385 (win7_rtm.090713-1255)</Version>
<Company>Microsoft Corporation</Company>
<Description>Wrapper Dll for Richedit 1.0</Description>
</module>
<module>
<Timestamp>130412795960224800</Timestamp>
<BaseAddress>0x6f3b0000</BaseAddress>
<Size>65536</Size>
<Path>C:\Windows\system32\napinsp.dll</Path>
<Version>6.1.7600.16385 (win7_rtm.090713-1255)</Version>
<Company>Microsoft Corporation</Company>
<Description>E-mail Naming Shim Provider</Description>
</module>

Now I need script to look at through my xml or CSV file and search after all .dll words in <path> and print out it(write) to and text file for example dll.txt like
Riched32.dll
napinsp.dll

and my .csv file

7:40:20.5240252 PM,"dd.exe","3316","CloseFile","C:\Windows\System32\sechost.dll","SUCCESS",""
7:40:20.5240436 PM,"dd.exe","3316","CloseFile","C:\Windows\System32\rpcrt4.dll","SUCCESS",""
7:40:20.5240615 PM,"dd.exe","3316","CloseFile","C:\Windows\System32\oleaut32.dll","SUCCESS",""
7:40:20.5240794 PM,"dd.exe","3316","CloseFile","C:\Windows\System32\ole32.dll","SUCCESS",""
7:40:20.5240996 PM,"dd.exe","3316","CloseFile","C:\Windows\System32\comctl32.dll","SUCCESS",""
7:40:20.5241186 PM,"dd.exe","3316","CloseFile","C:\Windows\System32\wow32.dll","SUCCESS",""
7:40:20.5241371 PM,"dd.exe","3316","CloseFile","C:\Windows\System32\apphelp.dll","SUCCESS",""

Thanks for your help

Edited 2 Years Ago by tony75

Some hint,using a parser in standard library ElementTree.
Most of the time i use BeautifulSoup or lxml for parsing.

import os
import xml.etree.ElementTree as ET

tree = ET.parse("test.xml")
root = tree.getroot()
for element in root.iter('Path'):
    print element.text
    print os.path.basename(element.text)

'''Output-->
C:\Windows\system32\Riched32.dll
Riched32.dll
C:\Windows\system32\napinsp.dll
napinsp.dll
'''

But not duplicated .dll words

Use set()

and my .csv file

Try to do something yourself,post code if stuck.

Edited 2 Years Ago by snippsat

Thanks snippsat for your answer.
How can we do i, if we want to just write all .dll with out path to an text file ?
like this.

Riched32.dll
napinsp.dll

Can we use the same code for Logfile.CSV ?

Thanks snippsat for your answer.
How can we do i, if we want to just write all .dll with out path to an text file ?
like this.

Riched32.dll
napinsp.dll

Edited 2 Years Ago by tony75

C:\Windows\system32\DNSAPI.dll
DNSAPI.dll
C:\Windows\system32\netlogon.DLL
netlogon.DLL
C:\Windows\system32\msv1_0.DLL
msv1_0.DLL
C:\Windows\System32\wship6.dll
wship6.dll
C:\Windows\system32\mswsock.dll
mswsock.dll
C:\Windows\system32\CRYPTSP.dll
CRYPTSP.dll
C:\Windows\system32\kerberos.DLL
kerberos.DLL
C:\Windows\system32\negoexts.DLL
negoexts.DLL
C:\Windows\system32\netjoin.dll
netjoin.dll
C:\Windows\system32\msprivs.DLL
msprivs.DLL
C:\Windows\system32\bcrypt.dll
bcrypt.dll
C:\Windows\system32\ncrypt.dll
ncrypt.dll
C:\Windows\system32\AUTHZ.dll
AUTHZ.dll
C:\Windows\system32\cngaudit.dll
cngaudit.dll
C:\Windows\system32\wevtapi.dll
wevtapi.dll
C:\Windows\system32\cryptdll.dll
cryptdll.dll
C:\Windows\system32\SAMSRV.dll
SAMSRV.dll
C:\Windows\system32\lsasrv.dll
lsasrv.dll
C:\Windows\system32\Secur32.dll
Secur32.dll


It seems that the loop continue and I would like to write out to an text file without C:\Windows\system32\  :)

You don't know that print element.text just was an example?
A simple test and you should be able to figure very basic stuff like this out.
You just use os.path.basename(element.text)

import os
import xml.etree.ElementTree as ET

f_out = open('my_file.txt', 'w')
tree = ET.parse("test.xml")
root = tree.getroot()
for element in root.iter('Path'):
    f_out.write('{}\n'.format(os.path.basename(element.text)))
f_out.close()

Edited 2 Years Ago by snippsat

Thanks again and I agree with you but I was a way alittle bit from python now try to start again and remember :)
The code work very fine
But I need just print .dll not .exe but it seems nothing happen in my_file?
I forget somthing?

import os
import xml.etree.ElementTree as ET
f_out = open('my_file.txt', 'w')
tree = ET.parse("Logfile.xml")
root = tree.getroot()
EXTENSIONS = '.dll'
for element in root.iter('Path+ *.dll'):
     if element.endswith('.dll'):
         f_out.write('{}\n'.format(os.path.basename(element.text)))
f_out.close()

Edited 2 Years Ago by tony75

import os
import xml.etree.ElementTree as ET

tree = ET.parse("test.xml")
root = tree.getroot()
for element in root.iter('Path'):
    print os.path.basename(element.text)

'''Output-->
Riched32.dll
napinsp.dll
test.exe
'''

Fix so "exe" not is in output.

import os
import xml.etree.ElementTree as ET

tree = ET.parse("test.xml")
root = tree.getroot()
for element in root.iter('Path'):
    file_name = os.path.basename(element.text)
    #jpg just an example that you can have more values
    if not file_name.endswith(('.exe', '.jpg')): 
        print file_name

'''Output-->
Riched32.dll
napinsp.dll
'''

Edited 2 Years Ago by snippsat

Wonderful
Thanks working very fine

import os
import xml.etree.ElementTree as ET
f_out = open('my_file.txt', 'w')
tree = ET.parse("Logfile.xml")
root = tree.getroot()
for element in root.iter('Path'):
    file_name = os.path.basename(element.text)
    #jpg just an example that you can have more values
    if not file_name.endswith(('.exe', '.jpg')):
        f_out.write('{}\n'.format(os.path.basename(element.text)))
f_out.close()
This question has already been answered. Start a new discussion instead.