ScanMsi

Collects metadata parsed by Exiftool.

Options

keys: exiftool key values to log in the event. Defaults to all.
tmp_directory: Location where tempfile writes temporary files. Defaults to '/tmp/'.

Source code in strelka/src/python/strelka/scanners/scan_msi.py

import json
import subprocess
import tempfile

from strelka import strelka


class ScanMsi(strelka.Scanner):
    """Collects metadata parsed by Exiftool.

    Options:
        keys: exiftool key values to log in the event.
            Defaults to all.
        tmp_directory: Location where tempfile writes temporary files.
            Defaults to '/tmp/'.
    """

    def scan(self, data, file, options, expire_at):
        # Get a list of keys to collect from the MSI file
        keys = options.get("keys", [])

        # Get the temporary directory to write the MSI file to
        tmp_directory = options.get("tmp_directory", "/tmp/")

        with tempfile.NamedTemporaryFile(dir=tmp_directory) as tmp_data:
            # Write the MSI data to the temporary file
            tmp_data.write(data)
            tmp_data.flush()

            # Run exiftool to extract metadata from the file
            try:
                (stdout, stderr) = subprocess.Popen(
                    ["exiftool", "-d", '"%s"', "-j", tmp_data.name],
                    stdout=subprocess.PIPE,
                    stderr=subprocess.DEVNULL,
                ).communicate()
            except strelka.ScannerTimeout:
                raise
            except Exception as e:
                # Handle any exceptions raised while running exiftool
                self.flags.append(f"msi_extract_error: {e}")
                return

            if stdout:
                # Load the metadata from exiftool's JSON output
                try:
                    exiftool_dictionary = json.loads(stdout)[0]
                except ValueError as e:
                    # Handle any errors while parsing the JSON output
                    self.flags.append(f"msi_parse_error: {e}")
                    return

                for k, v in exiftool_dictionary.items():
                    # Only collect the keys specified in the `keys` list
                    if keys and k not in keys:
                        continue

                    # Add the metadata key and value to the event
                    self.event[k] = v

Features

The features of this scanner are detailed below. These features represent the capabilities and the type of analysis the scanner can perform. This may include support for Indicators of Compromise (IOC), the ability to emit files for further analysis, and the presence of extended documentation for complex analysis techniques.

Feature          | Support
IOC Support      |
Emit Files       |
Extended Docs    |
Malware Scanner  |
Image Thumbnails |

Tastes

Strelka's file distribution system assigns scanners to files based on 'flavors' and 'tastes'. Flavors describe the type of file, typically determined by MIME types from libmagic, matches from YARA rules, or characteristics of parent files. Tastes are the criteria used within Strelka to determine which scanners are applied to which files, with positive and negative tastes defining files to be included or excluded respectively.

Source Filetype        | Include / Exclude
application/vnd.ms-msi |
application/x-msi      |
image/vnd.fpx          |
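The following is an added example, not Strelka's own file-distribution code: a simplified model of the taste matching described above. A file's flavors (MIME types from libmagic, YARA matches, parent-file characteristics) are merged into one set, and a scanner is assigned when at least one of its positive flavors is present and none of its negative flavors is. The ScanMsi positive flavors are the three file types listed on this page, assumed here to be inclusions; the second scanner entry and its flavors are constructed only to show a negative taste, and the shape of the taste dictionary is an assumption rather than Strelka's actual configuration format.

```python
# Added example: simplified positive/negative taste matching, not Strelka's
# own distribution logic. The config shape below is an assumption.

# Constructed sample taste definitions. ScanMsi's flavors are the file types
# listed on this page (assumed to be positive tastes); "ScanZip" and its
# "java_archive" negative flavor are constructed for illustration.
SCANNER_TASTES = {
    "ScanMsi": [
        {
            "positive": {"application/vnd.ms-msi", "application/x-msi", "image/vnd.fpx"},
            "negative": set(),
        }
    ],
    "ScanZip": [
        {"positive": {"application/zip"}, "negative": {"java_archive"}},
    ],
}


def file_flavors(mime_flavors, yara_flavors=(), parent_flavors=()):
    """Merge every flavor a file carries (MIME, YARA, parent) into one set."""
    return set(mime_flavors) | set(yara_flavors) | set(parent_flavors)


def taste_matches(taste, flavors):
    """A taste matches when some positive flavor is present and no negative one is."""
    has_positive = bool(taste["positive"] & flavors)
    has_negative = bool(taste["negative"] & flavors)
    return has_positive and not has_negative


def assign_scanners(flavors, scanner_tastes=SCANNER_TASTES):
    """Return the sorted names of scanners whose tastes match the file's flavors."""
    return sorted(
        name
        for name, tastes in scanner_tastes.items()
        if any(taste_matches(taste, flavors) for taste in tastes)
    )


if __name__ == "__main__":
    # An MSI identified by libmagic is routed to ScanMsi.
    print(assign_scanners(file_flavors(["application/x-msi"])))
    # A zip that a YARA rule tags as a Java archive is excluded from ScanZip.
    print(assign_scanners(file_flavors(["application/zip"], yara_flavors=["java_archive"])))
```

The negative taste is what keeps a general-purpose scanner from running on a file that a more specific flavor has already claimed; in a real deployment the negative set is the place to check first when a scanner unexpectedly does not fire.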

Scanner Fields

This section provides a list of fields that are extracted from the files processed by this scanner. These fields include the data elements that the scanner extracts from each file, representing the analytical results produced by the scanner. If the test file is missing or cannot be parsed, this section will not contain any data.

Field Name          | Field Type
Author              | str
CodePage            | str
Comments            | str
CreateDate          | str
Directory           | str
ExifToolVersion     | str
FileAccessDate      | str
FileInodeChangeDate | str
FileModifyDate      | str
FileName            | str
FilePermissions     | str
FileSize            | str
FileType            | str
FileTypeExtension   | str
Keywords            | str
MIMEType            | str
ModifyDate          | str
Pages               | int
RevisionNumber      | str
Security            | str
Software            | str
SourceFile          | str
Subject             | str
Template            | str
Title               | str
Words               | int
elapsed             | str
flags               | list

Sample Event

Below is a sample event generated by this scanner, demonstrating the kind of output that can be expected when it processes a file. This sample is derived from a mock scan event configured in the scanner's test file. If no test file is available, this section will not display a sample event.

    test_scan_event = {
        "elapsed": 0.001,
        "flags": [],
        "SourceFile": 0.001,
        "ExifToolVersion": 0.001,
        "FileName": 0.001,
        "Directory": "/tmp",
        "FileSize": 0.001,
        "FileModifyDate": 0.001,
        "FileAccessDate": 0.001,
        "FileInodeChangeDate": 0.001,
        "FilePermissions": 0.001,
        "FileType": "FPX",
        "FileTypeExtension": "fpx",
        "MIMEType": "image/vnd.fpx",
        "CodePage": "Windows Latin 1 (Western European)",
        "Title": "Installation Database",
        "Subject": "StrelkaMSITest",
        "Author": "Target",
        "Keywords": "Installer",
        "Comments": "This installer database contains the logic and data required to install StrelkaMSITest.",
        "Template": "Intel;1033",
        "RevisionNumber": "{3F5D9FF7-E061-48CF-95B2-0AA7C9E5DE2A}",
        "CreateDate": 0.001,
        "ModifyDate": 0.001,
        "Pages": 200,
        "Words": 2,
        "Software": "Windows Installer XML Toolset (3.11.2.4516)",
        "Security": "Read-only recommended",
    }