EVTX single endpoint added

kevoreilly · Mar 12, 2024 · 30c1509 · 30c1509
1 parent 1d1bfba
commit 30c1509
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 0 deletions.
diff --git a/conf/api.conf b/conf/api.conf
@@ -205,6 +205,13 @@ auth_only = no
 rps = 1/s
 #rpm = 10/m
 
+# Pull a EVTX from a specific task
+[taskevtx]
+enabled = yes
+auth_only = no
+rps = 1/s
+#rpm = 10/m
+
 # Pull the dropped files from a specific task
 [taskdropped]
 enabled = yes

diff --git a/web/apiv2/urls.py b/web/apiv2/urls.py
@@ -47,6 +47,7 @@
     re_path(r"^tasks/get/procmemory/(?P<task_id>\d+)/(?P<pid>\d{1,5})/$", views.tasks_procmemory),
     re_path(r"^tasks/get/fullmemory/(?P<task_id>\d+)/$", views.tasks_fullmemory),
     re_path(r"^tasks/get/pcap/(?P<task_id>\d+)/$", views.tasks_pcap),
+    re_path(r"^tasks/get/evtx/(?P<task_id>\d+)/$", views.tasks_evtx),
     re_path(r"^tasks/get/dropped/(?P<task_id>\d+)/$", views.tasks_dropped),
     re_path(r"^tasks/get/surifile/(?P<task_id>\d+)/$", views.tasks_surifile),
     re_path(r"^tasks/get/payloadfiles/(?P<task_id>\d+)/$", views.tasks_payloadfiles),

diff --git a/web/apiv2/views.py b/web/apiv2/views.py
@@ -1574,6 +1574,35 @@ def tasks_pcap(request, task_id):
         return Response(resp)
 
 
+@csrf_exempt
+@api_view(["GET"])
+def tasks_evtx(request, task_id):
+    if not apiconf.taskevtx.get("enabled"):
+        resp = {"error": True, "error_value": "EVTX download API is disabled"}
+        return Response(resp)
+
+    check = validate_task(task_id)
+    if check["error"]:
+        return Response(check)
+
+    rtid = check.get("rtid", 0)
+    if rtid:
+        task_id = rtid
+
+    evtxfile = os.path.join(CUCKOO_ROOT, "storage", "analyses", "%s" % task_id, "evtx", "evtx.zip")
+    if not os.path.normpath(evtxfile).startswith(ANALYSIS_BASE_PATH):
+        return render(request, "error.html", {"error": f"File not found: {os.path.basename(evtxfile)}"})
+    if path_exists(evtxfile):
+        fname = "%s_evtx.zip" % task_id
+        resp = StreamingHttpResponse(FileWrapper(open(evtxfile, "rb")), content_type="application/zip")
+        resp["Content-Length"] = os.path.getsize(evtxfile)
+        resp["Content-Disposition"] = "attachment; filename=" + fname
+        return resp
+
+    else:
+        resp = {"error": True, "error_value": "EVTX does not exist"}
+        return Response(resp)
+
 @csrf_exempt
 @api_view(["GET"])
 def tasks_dropped(request, task_id):