记录黑客技术中优秀的内容,传播黑客文化,分享黑客技术精华

HackingTeam 邮件分析的部分代码

2016-01-09 20:20

有朋友在对HackingTeam的分析过程中,在处理pst文件时遇到一些问题,我把部分代码发出来供参考吧。

以下C#代码主要功能是提取pst文件中的邮件部分关键要素,保存到本地csv,保存到mysql中,提取邮件附件保存到本地。

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using MySql.Data;
using MySql.Data.MySqlClient;
using System.Data;
using System.IO;
using System.Collections;
using Outlook = Microsoft.Office.Interop.Outlook;

namespace HackingTeamEmailExtractor
{
    class Program
    {
        public static int totalmails = 0;
        public static int totalitems = 0;
        public static int totalfolders = 0;

        public static string htmailcsv = @"G:\htmail.csv";
        public static FileStream fs = null;
        public static StreamWriter sw = null;

        public static MySqlConnection conn = new MySql.Data.MySqlClient.MySqlConnection();
        public static MySqlCommand cmd = new MySql.Data.MySqlClient.MySqlCommand();

        public static int savemailinforeturn = -1;


        static void Main(string[] args)
        {
            string pstpath = @"G:\HackingTeam\mail";

            string htmailcsv = @"G:\htmail.csv";

            conn.ConnectionString = "server=192.168.159.129;user=root;database=HackingTeamEmails;port=3306;password=yourpassword;";

            Console.WriteLine("Connecting to MySQL...");
            conn.Open();
            cmd.Connection = conn;


            if (File.Exists(htmailcsv))
            {
                try
                {
                    File.Delete(htmailcsv);
                    Console.WriteLine("Deleted Csv File");
                }
                catch(Exception e)
                {
                    Console.WriteLine("Delete Csv File Error:"+e.Message);
                }
            }

            fs = new FileStream(htmailcsv, FileMode.Append);
            sw = new StreamWriter(fs);


            DirectoryInfo dir = new DirectoryInfo(pstpath);
            ArrayList pstfiles = GetAll(dir);

            foreach (string pstfile in pstfiles)
            {
                Console.WriteLine(string.Format("Processing {0} file...", pstpath + "\\" + pstfile));
                ProcessPstFile(pstpath + "\\" + pstfile);
            }

            sw.Flush();
            sw.Close();
            fs.Close();
            conn.Close();

            Console.WriteLine("\nFinished Extract mails,Total Mails:{0} ,Total Folders:{1}\n\n", totalmails, totalfolders);
            Console.WriteLine("All Done!Press any key to Exit!\n\n");
            Console.ReadKey();


        }

        private static ArrayList GetAll(DirectoryInfo dir)//搜索文件夹中的文件
        {
            ArrayList FileList = new ArrayList();

            FileInfo[] allFile = dir.GetFiles("*.pst");
            foreach (FileInfo fi in allFile)
            {
                FileList.Add(fi.Name);
            }

            DirectoryInfo[] allDir = dir.GetDirectories();
            foreach (DirectoryInfo d in allDir)
            {
                GetAll(d);
            }
            return FileList;
        }

        private static void ProcessPstFile(string filename)
        {
            Outlook.Application app = new Outlook.Application();
            Outlook.NameSpace outlookNs = app.GetNamespace("MAPI");
            outlookNs.AddStore(filename);

            string rootname = filename.Substring(filename.LastIndexOf("\\") + 1, filename.Length - filename.LastIndexOf("\\") - 5);

            foreach (Outlook.Store store in outlookNs.Stores)
            {
                Console.WriteLine("Trying store: " + store.DisplayName + "\n");
                if (store.DisplayName == rootname)
                {

                    Console.WriteLine("found store!\n");

                    Outlook.MAPIFolder rootFolder = store.GetRootFolder();

                    //  Outlook.MAPIFolder emailFolder = outlookNs.GetDefaultFolder(Microsoft.Office.Interop.Outlook.OlDefaultFolders.olFolderInbox);

                    Console.WriteLine("foldername: " + rootFolder.Name + " loaded\n");

                    displayfolder(rootFolder);


                    outlookNs.RemoveStore(rootFolder);
                    Console.WriteLine("foldername: " + rootFolder.Name + " disloaded\n");

                }
            }


        }

        private static void displayfolder(Outlook.MAPIFolder mailfolder)
        {

            totalfolders++;

            Outlook.Items items = mailfolder.Items;

            totalitems += items.Count;

            Console.WriteLine(string.Format("Total {0} Items in {1} Folder", items.Count, mailfolder.Name));

            foreach (object item in items)
            {
                if (item is Outlook.MailItem)
                {
                    Outlook.MailItem mailItem = item as Outlook.MailItem;

                    string toaddress = "";
                    if (mailItem.Recipients != null && mailItem.Recipients.Count > 0)
                    {
                        foreach (Outlook.Recipient recip in mailItem.Recipients)
                        {
                            totalmails++;
                            // Console.WriteLine("Mail Subject" + mailItem.Subject + " From: " + mailItem.SenderEmailAddress + " TO: " + recip.Address + " Received Time: " + mailItem.ReceivedTime + "\n");
                            sw.WriteLine(string.Format("{0},{1},{2},{3},{4},{5},{6},{7},{8}", mailItem.ReceivedTime, mailItem.SenderEmailAddress, Treatsplit(mailItem.SenderName), recip.Address, Treatsplit(recip.Name), Treatsplit(mailItem.Subject), mailItem.Importance, Treatsplit(mailfolder.Name), recip.Type));
                            savemailinforeturn = SaveMailInfoToMysql(mailItem.ReceivedTime, mailItem.SenderEmailAddress, Treatsplit(mailItem.SenderName), recip.Address, Treatsplit(recip.Name), Treatsplit(mailItem.Subject), mailItem.Importance, Treatsplit(mailfolder.Name), recip.Type);
                            Console.Write(".");
                        }

                        if (mailItem.Body != null && mailItem.Body != "")
                        {
                            SaveMailBodyToMysql(mailItem.Body, savemailinforeturn);
                        }
                        //SaveAttachement(mailItem);
                    }
                    else
                    {
                        totalmails++;
                        Console.WriteLine("\nNo Recipients found!\n");
                        Console.WriteLine("Mail Subject" + mailItem.Subject + " From: " + mailItem.SenderEmailAddress + " TO: " + "NOT FOUND!" + " Received Time: " + mailItem.ReceivedTime + "\n");
                    }
                }
            }

            sw.Flush();
            //System.Threading.Thread.Sleep(2000);

            try
            {
                foreach (Outlook.MAPIFolder folder in mailfolder.Folders)
                {
                    Console.WriteLine("\nTreating folder:" + folder.Name + "\n");
                    displayfolder(folder);
                }
            }
            catch(Exception e)
            {
                Console.WriteLine("\nError:" + e.Message + "\n");
            }
        }

        private static string Treatsplit(string ostr)
        {
            try
            {
                return ostr.Replace(',', ',');
            }
            catch
            {
                return "";
            }
        }

        private static int SaveMailInfoToMysql(DateTime createtime,string mailfrom,string sendername,string mailto,string mailtoname,string subject,Outlook.OlImportance importance,string foldername,int mailtype)
        {
            try
            {
                cmd.CommandText = "INSERT INTO `HackingTeamEmails`.`AllEmails`VALUES(null,@FromAddress,@FromName,@ToAddress,@ToName,@ReceiveTime,@Subject,@Importance,@Folder,@SendMode); ";
                cmd.Prepare();

                int mailimportance = 1;
                if (importance == Microsoft.Office.Interop.Outlook.OlImportance.olImportanceHigh)
                {
                    mailimportance = 2;
                }
                if (importance == Microsoft.Office.Interop.Outlook.OlImportance.olImportanceLow)
                {
                    mailimportance = 0;
                }

                cmd.Parameters.Clear();

                cmd.Parameters.AddWithValue("@FromAddress", mailfrom);
                cmd.Parameters.AddWithValue("@FromName", sendername);
                cmd.Parameters.AddWithValue("@ToAddress", mailto);
                cmd.Parameters.AddWithValue("@ToName", mailtoname);
                cmd.Parameters.AddWithValue("@ReceiveTime", createtime);
                cmd.Parameters.AddWithValue("@Subject", subject);
                cmd.Parameters.AddWithValue("@Importance", mailimportance);
                cmd.Parameters.AddWithValue("@Folder", foldername);
                cmd.Parameters.AddWithValue("@SendMode", mailtype);
                cmd.Parameters.AddWithValue("@id", MySqlDbType.Int32);
                cmd.Parameters["@id"].Direction = ParameterDirection.Output;

                cmd.ExecuteNonQuery();

                return (int)cmd.Parameters["@id"].Value;



            }
            catch (Exception ex)
            {
                Console.WriteLine("Save MailInfo To Mysql Error: "+ex.ToString()+"\n");
                return -1;
            }


        }

        private static void SaveMailBodyToMysql(string MailBody, int MailInfoID)
        {
            try
            {
                cmd.CommandText = "INSERT INTO `HackingTeamEmails`.`EmailBody` VALUES(null,@Eid,@PlainText);";
                cmd.Prepare();

                cmd.Parameters.Clear();
                cmd.Parameters.AddWithValue("@PlainText", MailBody);
                cmd.Parameters.AddWithValue("@Eid", MailInfoID);

                cmd.ExecuteNonQuery();

            }
            catch (Exception ex)
            {
                Console.WriteLine("Save MailBody To Mysql Error: " + ex.ToString() + "\n");
            }


        }

        private static void SaveAttachement(Outlook.MailItem mailitem)
        {
            try
            {
                if (mailitem.Attachments != null && mailitem.Attachments.Count > 0)
                {
                    foreach (Outlook.Attachment attach in mailitem.Attachments)
                    {
                        string filename = @"G:\HTmailAttachment\" + mailitem.CreationTime.ToString("yyyyMMddHHmmssfff")+"_"+attach.FileName;

                        StringBuilder rBuilder = new StringBuilder(filename);
                        foreach (char rInvalidChar in Path.GetInvalidFileNameChars())
                            rBuilder.Replace(rInvalidChar.ToString(), string.Empty);


                        if (attach.Size > 0 && attach.FileName!=null && attach.FileName != "")
                        {
                            attach.SaveAsFile(filename);
                            Console.WriteLine("\nAttachment Extracted! File:" + filename + "\n");
                        }
                    }
                }
            }
            catch (Exception e)
            {
                Console.WriteLine("\nErrors in Attachment Extract! Error:" + e.Message + "\n");
                System.Threading.Thread.Sleep(2000);
            }

        }

       

    }
}


知识来源: www.sec-un.org/hackingteam-message-parsing-code.html

阅读:160057 | 评论:0 | 标签:安全技术

想收藏或者和大家分享这篇好文章→复制链接地址

“HackingTeam 邮件分析的部分代码”共有0条留言

发表评论

姓名:

邮箱:

网址:

验证码:

ADS

标签云