[Docs] + add table for different file types #286 #287

Closed
25 changes: 25 additions & 0 deletions README.md
Expand Up @@ -10,6 +10,7 @@ GView framework is a powerful tool for examining files or any data with a define

- [GView](#gview)
- [General description](#general-description)
- [Motivation](#motivation)
- [Smart Viewers](#smart-viewers)
- [Buffer Viewer](#buffer-viewer)
- [Text Viewer](#text-viewer)
Expand Down Expand Up @@ -40,6 +41,30 @@ GView framework is a powerful tool for examining files or any data with a define

On the other hand, from the perspective of developers, **GView** offers a flexible platform to create plugins that can parse various data structures. Developers can harness this capability to develop customized views and enhance the analysis capabilities of **GView**. By creating plugins, developers can extend the framework's functionality and tailor it to specific data formats or requirements, enabling more efficient and insightful data analysis.

## Motivation

These days, a cyber-security attack is represented by a combination of files, payloads, and network operations that are carried out at every stage of the kill-chain rather than by a single file. Because of this, assessing an attack of this nature is a difficult undertaking requiring a thorough comprehension of the different file formats, payloads, and network protocols that may be employed in these situations. The file types listed in the following table are either directly used in an attack or are extra files or security logs that a security researcher needs.

| File type | Description |
|---------------------------- |------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Binary file (.exe, .dll) | Used by the attacker to execute code on the targeted machine |
| Archives (.zip, .rar) | Used either as a transportation method for exfiltrated data |
| Documents (.docx, .pdf) | Used for initial access (either as a scam or as an exploit or part of a file-less attack) |
| Macros (.vba) | Used as a stage for cases where the initial access relies on Office documents that will execute a second payload |
| Scrips (.js, .ps1) | Used for various type of file-less attacks |
| Bash (.bat, .sh) | Used as part of execution flow or file-less attacks |
| Images (.png, .jpg) | Used to convey information from the attacker that should not be easily readable pragmatically (such as a ransom note or a password to open an archive, etc.) |
| Links (.pif, .lnk) | Used for lateral movement (e.g. powershell-based attacks) or partial persistence (e.g. links on desktop) |


| Log type | Description |
|---------------------------- |------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Packet captures (.pcap) | Used to analyze the network packet data |
| Config files (.json, .ini) | Used to analyze configuration for various tools (they may contain indicators of miss-configurations or for malicious programs may contain C\&C addresses, passwords, wallets, etc.) |
| Registry hives | Used to evaluate things like persistence, debug settings, etc. |
| Memory dumps | Useful to identify vulnerabilities or credential access |
| System logs | Used to identify various actions that happened on a system (login/logout information, etc.)

## Smart Viewers

**Smart viewers** are software components designed to display data in various formats or representations. In the context of a **data identifier plugin**, multiple smart viewers are usually available, with one being designated as the primary viewer. This setup allows users to effortlessly switch between different viewers, selecting the visualization method that most effectively meets their specific needs.
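Review bot: the two new tables need a wording pass before merge, since several cells are inaccurate or contain typos. In the first table, "Scrips (.js, .ps1)" should read "Scripts"; ".bat" files are Windows batch scripts rather than Bash, so "Bash (.bat, .sh)" is misleading (suggest "Shell/batch scripts (.bat, .sh)"); the Archives row says "Used either as a transportation method for exfiltrated data" but names only one alternative, so either state the second use or drop "either"; and "pragmatically" in the Images row should be "programmatically". In the second table, "miss-configurations" should be "misconfigurations", and the column heading "Log type" does not fit Config files, Registry hives or Memory dumps (suggest "Artifact type"). The last row, "| System logs | Used to identify various actions ...", is also missing its closing "|"; GitHub-flavored Markdown still renders it, but it is inconsistent with every other row, and the ".pif" extension in the Links row denotes a Program Information File rather than a shortcut, which is worth a short clarification in the cell.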