Acquire MSSQL error logs
Miauwkeru committed Jan 16, 2025
1 parent c134ca5 commit d870100
Showing 1 changed file with 30 additions and 5 deletions.
35 changes: 30 additions & 5 deletions acquire/acquire.py
@@ -82,11 +82,7 @@
\__,_|\___\__, |\__,_|_|_| \___|
by Fox-IT |_| v{}
part of NCC Group
""".format(
VERSION
)[
1:
]
""".format(VERSION)[1:]

MODULES = {}
MODULE_LOOKUP = {}
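
Review bot: Collapsing the banner's `.format(VERSION)[1:]` call onto a single line is a formatting-only change with no connection to the MSSQL module this commit is titled for. It would be easier to review and bisect as its own commit.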
@@ -770,6 +766,35 @@ def get_spec_additions(cls, target: Target, cli_args: argparse.Namespace) -> Ite
return spec


@register_module("--mssql")
class MSSQL(Module):
DESC = "MSSql error logs"

SPEC = [("glob", "/var/opt/mssql/log/errorlog*")]

@classmethod
def get_spec_additions(cls, target: Target, cli_args: argparse.Namespace) -> Iterator[tuple]:
log_paths = set()

if not target.has_function("registry"):
return

for reg_key in target.registry.glob_ext("HKLM\\SOFTWARE\\Microsoft\\Microsoft SQL Server\\*"):
try:
log_paths.add(reg_key.value("ErrorDumpDir").value)
except Exception:
pass

try:
subkey = reg_key.subkey("CPE")
log_paths.add(subkey.value("ErrorDumpDir").value)
except Exception:
pass

for log_path in log_paths:
yield ("glob", f"{log_path}/ERRORLOG*")


@register_module("--iis")
class IIS(Module):
DESC = "IIS logs"
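
Review bot: Both `except Exception: pass` blocks inside the registry loop of `MSSQL.get_spec_additions` discard every failure, so an absent `ErrorDumpDir` value is indistinguishable from an unexpected error while reading the hive, and a collection can silently come back without the Windows error logs. Catch only the registry lookup errors expected for a missing key or value, and log anything else at debug level together with the key path. Separately, `f"{log_path}/ERRORLOG*"` appends `/` to a value read from a Windows registry, so a trailing backslash or an empty value produces an odd glob; normalising the path before yielding would avoid that. The commit changes only `acquire/acquire.py`, so the new module arrives without a test; one with a mocked registry key that covers both the instance key and its `CPE` subkey would exercise the two lookup branches.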