Condensed Output
Condensed output is the default and exports everything into a single JSON file. That JSON file is a serialization of a Dictionary<string,object>.

The Dictionary contains a metadata key which maps to a Dictionary<string,string> holding platform and app version information. It also contains a results key, which was generated from a Dictionary<(RESULT_TYPE, CHANGE_TYPE), List<CompareResult>>. The tuple key is represented as (X, Y) => "X_Y", so to get the results where files were created you would look up fullJson["results"]["FILE_CREATED"] and get back a List<CompareResult>.

Each CompareResult contains up to two CollectObject states: base (before) and compare (after). Each CollectObject also carries a RESULT_TYPE that identifies which type it is, and the fields available in the CollectObject vary with that RESULT_TYPE. See the documentation for CollectObject for the classes that inherit from it; for example, a CollectObject with RESULT_TYPE.FILE is a FileSystemObject.

For example, here is a run with a single result, a modified executable file:
{
"results": {
"FILE_MODIFIED": [
{
"Analysis": "WARNING",
"Base": {
"Characteristics": [
"IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA",
"IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE",
"IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY",
"IMAGE_DLLCHARACTERISTICS_NX_COMPAT",
"IMAGE_DLLCHARACTERISTICS_NO_ISOLATION",
"IMAGE_DLLCHARACTERISTICS_NO_SEH",
"IMAGE_DLLCHARACTERISTICS_NO_BIND",
"IMAGE_DLLCHARACTERISTICS_APPCONTAINER",
"IMAGE_DLLCHARACTERISTICS_WDM_DRIVER",
"IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE"
],
"ContentHash": "lx7gx6aRZS3xT6yEwhlefSXd7ODFi9ngVjfA+xDaJ6/GmR07Jp442QHetHzk4l9oXmRwFFkfwybHvSsCDSAG7g==",
"Created": "2021-09-28T23:07:07.4341641Z",
"Group": "S-1-12-1-1692076736-1293559039-2251920262-2914442584",
"Identity": ".\\devskim.exe",
"IsExecutable": true,
"LastModified": "2021-10-06T18:26:59.7863559Z",
"Owner": "S-1-12-1-1692076736-1293559039-2251920262-2914442584",
"Path": ".\\devskim.exe",
"Permissions": {
"NT AUTHORITY\\SYSTEM": "FullControl",
"BUILTIN\\Administrators": "FullControl",
"S-1-12-1-1692076736-1293559039-2251920262-2914442584": "FullControl"
},
"SignatureStatus": {},
"Size": 193842,
"ResultType": "FILE"
},
"BaseRunId": "2021-10-06T11:27:31.5382772-07:00",
"ChangeType": "MODIFIED",
"Compare": {
"Characteristics": [
"IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA",
"IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE",
"IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY",
"IMAGE_DLLCHARACTERISTICS_NX_COMPAT",
"IMAGE_DLLCHARACTERISTICS_NO_ISOLATION",
"IMAGE_DLLCHARACTERISTICS_NO_SEH",
"IMAGE_DLLCHARACTERISTICS_NO_BIND",
"IMAGE_DLLCHARACTERISTICS_APPCONTAINER",
"IMAGE_DLLCHARACTERISTICS_WDM_DRIVER",
"IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE"
],
"ContentHash": "elFsTNsVO6OLaLEevX4VU5pSM0mdW70CQvc9hP9l1PI3UBKnPQihkGEQ2vRU5BPDx6eO9tOLHu70S91Ce2OozA==",
"Created": "2021-09-28T23:07:07.4341641Z",
"Group": "S-1-12-1-1692076736-1293559039-2251920262-2914442584",
"Identity": ".\\devskim.exe",
"IsExecutable": true,
"LastModified": "2021-10-06T18:27:36.5705497Z",
"Owner": "S-1-12-1-1692076736-1293559039-2251920262-2914442584",
"Path": ".\\devskim.exe",
"Permissions": {
"NT AUTHORITY\\SYSTEM": "FullControl",
"BUILTIN\\Administrators": "FullControl",
"S-1-12-1-1692076736-1293559039-2251920262-2914442584": "FullControl"
},
"SignatureStatus": {},
"Size": 193841,
"ResultType": "FILE"
},
"CompareRunId": "2021-10-06T11:27:38.4500214-07:00",
"Diffs": [
{
"After": "elFsTNsVO6OLaLEevX4VU5pSM0mdW70CQvc9hP9l1PI3UBKnPQihkGEQ2vRU5BPDx6eO9tOLHu70S91Ce2OozA==",
"Before": "lx7gx6aRZS3xT6yEwhlefSXd7ODFi9ngVjfA+xDaJ6/GmR07Jp442QHetHzk4l9oXmRwFFkfwybHvSsCDSAG7g==",
"Field": "ContentHash"
},
{
"After": "2021-10-06T18:27:36.5705497Z",
"Before": "2021-10-06T18:26:59.7863559Z",
"Field": "LastModified"
},
{
"After": 193841,
"Before": 193842,
"Field": "Size"
}
],
"Identity": ".\\devskim.exe",
"ResultType": "FILE",
"Rules": [
{
"ChangeTypes": [
"CREATED",
"MODIFIED"
],
"Flag": "WARNING",
"Platforms": [
"WINDOWS"
],
"ResultType": "FILE",
"Description": "Flag when executables are created without ASLR.",
"Name": "Missing ASLR"
},
{
"ChangeTypes": [
"CREATED",
"MODIFIED"
],
"Flag": "WARNING",
"Platforms": [
"WINDOWS"
],
"ResultType": "FILE",
"Description": "Flag when executables are created without DEP.",
"Name": "Missing DEP"
},
{
"ChangeTypes": [
"CREATED",
"MODIFIED"
],
"Flag": "WARNING",
"Platforms": [
"LINUX",
"MACOS",
"WINDOWS"
],
"ResultType": "FILE",
"Description": "Flag when unsigned/incorrectly signed binaries are added.",
"Name": "Unsigned binaries"
}
]
}
]
},
"metadata": {
"compare-version": "2.3.265-beta+57a61a78bd",
"compare-os": "WINDOWS",
"compare-osversion": "Microsoft Windows NT 10.0.19043.0",
"analyses-hash": "FQd8gmt9GwkXL6FXX9wiTXQ6ywH9K0ucAT6tAYsKXfbFFAXwNGtl9vFRs6RZCInXzmTELmNzFNkw951wbBCGBQ=="
}
}
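A small consumer of this layout, added here as an example and not part of the project's own code: it splits the "X_Y" result keys back into (RESULT_TYPE, CHANGE_TYPE), tolerates CompareResults that carry only one of the Base/Compare states, and lists what changed and which rules fired per object. The embedded JSON is a constructed sample in the shape shown above with placeholder hashes and version; the assumption that CHANGE_TYPE names contain no underscore is marked in the code.

```python
import json
# Constructed sample in the condensed-output layout (not a real run): a modified executable
# whose hash and size changed, and a created executable that has only a "Compare" state.
SAMPLE_JSON = r"""{
  "metadata": {"compare-version": "0.0.0-constructed", "compare-os": "WINDOWS"},
  "results": {
    "FILE_MODIFIED": [{
      "Analysis": "WARNING", "Identity": ".\\devskim.exe", "ResultType": "FILE", "ChangeType": "MODIFIED",
      "Base":    {"Path": ".\\devskim.exe", "IsExecutable": true, "Size": 193842, "ResultType": "FILE"},
      "Compare": {"Path": ".\\devskim.exe", "IsExecutable": true, "Size": 193841, "ResultType": "FILE"},
      "Diffs": [{"Field": "ContentHash", "Before": "hash-before", "After": "hash-after"},
                {"Field": "Size", "Before": 193842, "After": 193841}],
      "Rules": [{"Name": "Missing ASLR", "Flag": "WARNING"}, {"Name": "Missing DEP", "Flag": "WARNING"}]
    }],
    "FILE_CREATED": [{
      "Analysis": "WARNING", "Identity": ".\\tool.exe", "ResultType": "FILE", "ChangeType": "CREATED",
      "Compare": {"Path": ".\\tool.exe", "IsExecutable": true, "Size": 4096, "ResultType": "FILE"},
      "Diffs": [], "Rules": [{"Name": "Unsigned binaries", "Flag": "WARNING"}]
    }]
  }
}"""

def split_key(key: str) -> tuple:
    """Undo the (X, Y) => "X_Y" key encoding; assumes CHANGE_TYPE contains no underscore."""
    result_type, _, change_type = key.rpartition("_")
    return result_type, change_type

def summarize(condensed) -> list:
    """One flat record per CompareResult (parsed dict or raw JSON text): what changed and
    which rules fired. Base/Compare are optional ("up to two" states), so they are probed."""
    doc = json.loads(condensed) if isinstance(condensed, str) else condensed
    if not {"metadata", "results"} <= set(doc):
        raise ValueError("not a condensed output file: expected 'metadata' and 'results' keys")
    records = []
    for key, compare_results in doc["results"].items():
        result_type, change_type = split_key(key)
        for cr in compare_results:
            records.append({
                "identity": cr["Identity"], "result_type": result_type, "change_type": change_type,
                "analysis": cr.get("Analysis"), "states": [s for s in ("Base", "Compare") if s in cr],
                "changed_fields": sorted(d["Field"] for d in cr.get("Diffs", [])),
                "rules": sorted(r["Name"] for r in cr.get("Rules", [])),
            })
    return records

def flagged(records: list, level: str = "WARNING") -> list:
    """Records at the given analysis level, sorted for stable triage output."""
    return sorted((r for r in records if r["analysis"] == level),
                  key=lambda r: (r["result_type"], r["change_type"], r["identity"]))
```

Pointing summarize at the contents of a real condensed file instead of SAMPLE_JSON gives the same flat records, which is a convenient shape for diffing two runs' warnings in a pipeline.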
API documentation for: RESULT_TYPE, CHANGE_TYPE, CompareResult, CollectObject
Exploded Output
The exploded output writes each List<CompareResult> and the metadata to separate files.