Member Avatar for tony75

Hi
I’m working right now with computer forensics.
I have an xml file which I have saved from Process Monitor .
The file look like
<?xml version="1.0" encoding="UTF-8"?>
<Company>Sysinternals - www.sysinternals.com</Company>

<module>
<Timestamp>130412795960224800</Timestamp>
<BaseAddress>0x6de80000</BaseAddress>
<Size>24576</Size>
<Path>C:\Windows\system32\Riched32.dll</Path>
<Version>6.1.7600.16385 (win7_rtm.090713-1255)</Version>
<Company>Microsoft Corporation</Company>
<Description>Wrapper Dll for Richedit 1.0</Description>
</module>
<module>
<Timestamp>130412795960224800</Timestamp>
<BaseAddress>0x6f3b0000</BaseAddress>
<Size>65536</Size>
<Path>C:\Windows\system32\napinsp.dll</Path>
<Version>6.1.7600.16385 (win7_rtm.090713-1255)</Version>
<Company>Microsoft Corporation</Company>
<Description>E-mail Naming Shim Provider</Description>
</module>

Now I need script to look at through my xml or CSV file and search after all .dll words in <path> and print out it(write) to and text file for example dll.txt like
Riched32.dll
napinsp.dll

and my .csv file

7:40:20.5240252 PM,"dd.exe","3316","CloseFile","C:\Windows\System32\sechost.dll","SUCCESS",""
7:40:20.5240436 PM,"dd.exe","3316","CloseFile","C:\Windows\System32\rpcrt4.dll","SUCCESS",""
7:40:20.5240615 PM,"dd.exe","3316","CloseFile","C:\Windows\System32\oleaut32.dll","SUCCESS",""
7:40:20.5240794 PM,"dd.exe","3316","CloseFile","C:\Windows\System32\ole32.dll","SUCCESS",""
7:40:20.5240996 PM,"dd.exe","3316","CloseFile","C:\Windows\System32\comctl32.dll","SUCCESS",""
7:40:20.5241186 PM,"dd.exe","3316","CloseFile","C:\Windows\System32\wow32.dll","SUCCESS",""
7:40:20.5241371 PM,"dd.exe","3316","CloseFile","C:\Windows\System32\apphelp.dll","SUCCESS",""

Thanks for your help

Edited by tony75
  • 2 Contributors
  • 9 Replies
  • 495 Views
  • 1 Day Discussion Span
  • Latest Post Latest Post by tony75

Recommended Answers

All 9 Replies

Member Avatar for snippsat

Some hint,using a parser in standard library ElementTree.
Most of the time i use BeautifulSoup or lxml for parsing.

import os
import xml.etree.ElementTree as ET

tree = ET.parse("test.xml")
root = tree.getroot()
for element in root.iter('Path'):
    print element.text
    print os.path.basename(element.text)

'''Output-->
C:\Windows\system32\Riched32.dll
Riched32.dll
C:\Windows\system32\napinsp.dll
napinsp.dll
'''

But not duplicated .dll words

Use set()

and my .csv file

Try to do something yourself,post code if stuck.

Edited by snippsat
Member Avatar for tony75

Thanks snippsat for your answer.
How can we do i, if we want to just write all .dll with out path to an text file ?
like this.

Riched32.dll
napinsp.dll

Can we use the same code for Logfile.CSV ?

Member Avatar for tony75

Thanks snippsat for your answer.
How can we do i, if we want to just write all .dll with out path to an text file ?
like this.

Riched32.dll
napinsp.dll

Edited by tony75
Member Avatar for tony75 
C:\Windows\system32\DNSAPI.dll
DNSAPI.dll
C:\Windows\system32\netlogon.DLL
netlogon.DLL
C:\Windows\system32\msv1_0.DLL
msv1_0.DLL
C:\Windows\System32\wship6.dll
wship6.dll
C:\Windows\system32\mswsock.dll
mswsock.dll
C:\Windows\system32\CRYPTSP.dll
CRYPTSP.dll
C:\Windows\system32\kerberos.DLL
kerberos.DLL
C:\Windows\system32\negoexts.DLL
negoexts.DLL
C:\Windows\system32\netjoin.dll
netjoin.dll
C:\Windows\system32\msprivs.DLL
msprivs.DLL
C:\Windows\system32\bcrypt.dll
bcrypt.dll
C:\Windows\system32\ncrypt.dll
ncrypt.dll
C:\Windows\system32\AUTHZ.dll
AUTHZ.dll
C:\Windows\system32\cngaudit.dll
cngaudit.dll
C:\Windows\system32\wevtapi.dll
wevtapi.dll
C:\Windows\system32\cryptdll.dll
cryptdll.dll
C:\Windows\system32\SAMSRV.dll
SAMSRV.dll
C:\Windows\system32\lsasrv.dll
lsasrv.dll
C:\Windows\system32\Secur32.dll
Secur32.dll


It seems that the loop continue and I would like to write out to an text file without C:\Windows\system32\  :)
Member Avatar for snippsat

You don't know that print element.text just was an example?
A simple test and you should be able to figure very basic stuff like this out.
You just use os.path.basename(element.text)

import os
import xml.etree.ElementTree as ET

f_out = open('my_file.txt', 'w')
tree = ET.parse("test.xml")
root = tree.getroot()
for element in root.iter('Path'):
    f_out.write('{}\n'.format(os.path.basename(element.text)))
f_out.close()
Edited by snippsat
Member Avatar for tony75

Thanks again and I agree with you but I was a way alittle bit from python now try to start again and remember :)
The code work very fine
But I need just print .dll not .exe but it seems nothing happen in my_file?
I forget somthing?

import os
import xml.etree.ElementTree as ET
f_out = open('my_file.txt', 'w')
tree = ET.parse("Logfile.xml")
root = tree.getroot()
EXTENSIONS = '.dll'
for element in root.iter('Path+ *.dll'):
     if element.endswith('.dll'):
         f_out.write('{}\n'.format(os.path.basename(element.text)))
f_out.close()
Edited by tony75
Member Avatar for snippsat 
import os
import xml.etree.ElementTree as ET

tree = ET.parse("test.xml")
root = tree.getroot()
for element in root.iter('Path'):
    print os.path.basename(element.text)

'''Output-->
Riched32.dll
napinsp.dll
test.exe
'''

Fix so "exe" not is in output.

import os
import xml.etree.ElementTree as ET

tree = ET.parse("test.xml")
root = tree.getroot()
for element in root.iter('Path'):
    file_name = os.path.basename(element.text)
    #jpg just an example that you can have more values
    if not file_name.endswith(('.exe', '.jpg')): 
        print file_name

'''Output-->
Riched32.dll
napinsp.dll
'''
Edited by snippsat
Member Avatar for tony75

Wonderful
Thanks working very fine

import os
import xml.etree.ElementTree as ET
f_out = open('my_file.txt', 'w')
tree = ET.parse("Logfile.xml")
root = tree.getroot()
for element in root.iter('Path'):
    file_name = os.path.basename(element.text)
    #jpg just an example that you can have more values
    if not file_name.endswith(('.exe', '.jpg')):
        f_out.write('{}\n'.format(os.path.basename(element.text)))
f_out.close()
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.