C Sample Exploitation ETL

From truxwiki.com

This sample shows the steps needed to implement a file exploitation ETL in Truxton. You can see this same sample implemented in Python. Add your ETL to the Truxton Service for it to automatically start with the other ETL processes.

Sample File Format

This sample will exploit a fictional file format we call Acme. Acme Corporation is a known supplier of nefarious devices and explosives. Their file format begins with a five byte magic value (88 77 66 55 00 in the dump below) followed by a small data structure. The sixth byte (offset 5, counting from zero) is a type code: if it is 0x11 the file is a serial number file that uniquely identifies the user, and the eight bytes that follow it (offsets 6 through 13) are the serial number.

0000h: 88 77 66 55 00 11 22 33 44 55 66 77 88 99 AA BB
0010h: CC
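The parser below is an added, stand-alone example written for this page; it is not part of the Truxton sample and uses no Truxton API. It decodes the Acme layout described above from a memory buffer, adds the two checks a parser of untrusted forensic input needs (the magic value and the buffer length before every read) and produces the same upper-case hex string the Truxton sample later stores as the artifact value. The magic bytes are assumed from the dump, and the 17-byte sample input is constructed from it.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Layout of the fictional Acme file as described on this page. */
#define ACME_MAGIC_LEN      5
#define ACME_TYPE_OFFSET    5            /* the "sixth byte" */
#define ACME_TYPE_SERIAL    0x11
#define ACME_SERIAL_OFFSET  6
#define ACME_SERIAL_LEN     8
#define ACME_SERIAL_HEX_LEN (ACME_SERIAL_LEN * 2 + 1)

/* Assumed magic value: the first five bytes of the dump above. */
static const uint8_t ACME_MAGIC[ACME_MAGIC_LEN] = { 0x88, 0x77, 0x66, 0x55, 0x00 };

/* Negative results are errors; 0 means a valid Acme file of another type. */
enum acme_result {
    ACME_ERR_TRUNCATED = -2,
    ACME_ERR_BAD_MAGIC = -1,
    ACME_NOT_SERIAL    =  0,
    ACME_SERIAL_FOUND  =  1
};

/*
 * Parse an in-memory Acme file. On ACME_SERIAL_FOUND, hex_out (at least
 * ACME_SERIAL_HEX_LEN bytes) receives the serial number as upper-case hex,
 * the same text the Truxton sample stores as the artifact value. Every
 * offset is compared with len before it is read, so a truncated or hostile
 * file can never cause an out-of-bounds read.
 */
enum acme_result acme_parse(const uint8_t *data, size_t len,
                            char *hex_out, size_t hex_out_len)
{
    if (data == NULL || hex_out == NULL || hex_out_len < ACME_SERIAL_HEX_LEN)
        return ACME_ERR_TRUNCATED;      /* caller gave us too little to work with */
    hex_out[0] = '\0';

    /* The magic and the type byte must both be present before deciding anything. */
    if (len < ACME_TYPE_OFFSET + 1)
        return ACME_ERR_TRUNCATED;
    if (memcmp(data, ACME_MAGIC, ACME_MAGIC_LEN) != 0)
        return ACME_ERR_BAD_MAGIC;
    if (data[ACME_TYPE_OFFSET] != ACME_TYPE_SERIAL)
        return ACME_NOT_SERIAL;

    /* A serial number file must carry all eight serial bytes. */
    if (len < ACME_SERIAL_OFFSET + ACME_SERIAL_LEN)
        return ACME_ERR_TRUNCATED;

    /* Two hex digits per byte; snprintf keeps the output NUL-terminated. */
    for (size_t i = 0; i < ACME_SERIAL_LEN; i++)
        snprintf(hex_out + 2 * i, 3, "%02X", (unsigned)data[ACME_SERIAL_OFFSET + i]);
    return ACME_SERIAL_FOUND;
}

int main(void)
{
    /* Constructed input: the 17-byte dump shown on this page. */
    static const uint8_t sample[] = {
        0x88, 0x77, 0x66, 0x55, 0x00,
        0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xAA, 0xBB, 0xCC
    };
    char serial[ACME_SERIAL_HEX_LEN];

    enum acme_result r = acme_parse(sample, sizeof sample, serial, sizeof serial);
    if (r == ACME_SERIAL_FOUND)
        printf("serial number artifact: %s (offset %d, length %d)\n",
               serial, ACME_SERIAL_OFFSET, ACME_SERIAL_LEN);
    else
        printf("no serial number artifact (result %d)\n", (int)r);

    /* The same file cut off right after the type byte is rejected, not read past its end. */
    r = acme_parse(sample, ACME_TYPE_OFFSET + 1, serial, sizeof serial);
    printf("truncated file -> result %d\n", (int)r);
    return 0;
}
```

The Truxton sample that follows does not re-check the magic because it only receives files Truxton has already classified as type 11111; a parser that runs outside the pipeline has to do that itself. The length checks mirror what the sample achieves by testing the return value of truxton_file_read.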

Source Code

 1 #include <stdio.h>
 2 #include <memory.h>
 3 #include <inttypes.h>
 4 #include <TruxtonCAPI.h>
 5 #include <TruxtonFileTypes.h>
 6 #include <TruxtonDefines.h>
 7 #pragma comment (lib, "TruxtonCAPI.lib")
 8 
 9 int main(void)
10 {
11   uint8_t buffer[20];
12 
13   uint64_t message = 0;
14 
15   uint64_t etl_application = truxton_etl_create();
16 
17   truxton_etl_set_application_name(etl_application, "Acme Exploitation");
18   truxton_etl_set_description(etl_application, "This exploits Acme Corporation data files");
19   truxton_etl_set_queue_name(etl_application, "wiley");
20   truxton_etl_set_stage_number(etl_application, 40);
21   truxton_etl_add_desired_file_type(etl_application, 11111);
22 
23   message = truxton_etl_get_message(etl_application);
24 
25   while (message != 0)
26   {
27     // Each message refers to one file that matched our desired file type
28     uint64_t file_in_truxton = truxton_message_get_file(message);
29 
30     if (file_in_truxton != 0)
31     {
32       truxton_file_seek(file_in_truxton, 5, SEEK_SET);
33 
34       if (truxton_file_read(file_in_truxton, buffer, 1) == 1)
35       {
36         if (buffer[0] == 0x11)
37         {
38           // Serial Number. The next 8 bytes are a serial number
39           truxton_file_seek(file_in_truxton, 6, SEEK_SET);
40 
41           if (truxton_file_read(file_in_truxton, buffer, 8) == 8)
42           {
43             char serial_number_string[32];
44 
45             uint64_t artifact = truxton_file_create_artifact(file_in_truxton);
46             truxton_artifact_set_type(artifact, ENTITY_TYPE_SERIAL_NUMBER);
47 
48             sprintf_s(serial_number_string, sizeof(serial_number_string), "%02X%02X%02X%02X%02X%02X%02X%02X",
49                             (int)buffer[0], (int)buffer[1], (int)buffer[2], (int)buffer[3],
50                             (int)buffer[4], (int)buffer[5], (int)buffer[6], (int)buffer[7]);
51             truxton_artifact_set_value(artifact, serial_number_string);
52             truxton_artifact_set_data_type(artifact, DATA_TYPE_uint8_t);
53             truxton_artifact_set_offset(artifact, 6);
54             truxton_artifact_set_length(artifact, 8);
55 
56             if (truxton_artifact_save(artifact) == 0)
57             {
58               printf("Cannot save artifact to the database.\n");
59             }
60 
61             truxton_artifact_destroy(artifact);
62           }
63         }
64       }
65 
66       truxton_file_free(file_in_truxton);
67     }
68 
69     truxton_message_destroy(message);
70 
71     // Pause here until we get another message from the "wiley" message queue
72     message = truxton_etl_get_message(etl_application);
73   }
74 
75   truxton_etl_destroy(etl_application);
76   return(0);
77 }

Code Walkthrough

Lines 17-21 set up the ETL: the name and description shown to analysts, the message queue name ("wiley", the same queue the ETL reads from on lines 23 and 72), the stage number (40, an early stage) and the file type we want to receive (11111 was chosen as the identifier of Acme files).

Line 23 starts the ETL logic; the call blocks until a message arrives on the "wiley" queue.

Line 28 obtains a handle to the file referenced by the message so we can read from it. A return value of 0 means the message carried no file, and the message is skipped.

Lines 32-36 seek to the sixth byte (offset 5), read it and check that it is 0x11. Because each read is checked for the number of bytes actually returned, a truncated file is skipped rather than misread.

Lines 45-56 create an artifact (which will be stored in the [Entity] table in the database), fill in its type, value, data type, offset and length, and save it to Truxton.

Line 46 sets the type of artifact to a serial number. This allows analysts to quickly find items of interest by their type.

Line 52 records the data type the serial number had in the file (raw bytes); the value itself is stored as the hex string built on lines 48-51, and lines 53-54 record where in the file it came from.

Line 56 saves the artifact to Truxton, creating a record in the [Entity] table in the database. If the save fails the function returns 0 and the sample reports it (line 58). Saving the artifact also causes Truxton to route it to any ETL that has subscribed to Type_Artifact messages.

Line 72 pauses your ETL until a new message arrives on its queue. When truxton_etl_get_message returns 0 the loop ends and line 75 releases the ETL object.