Mr. JC's fabulous script
#!/usr/bin/python
"""
This script is used to search the av.db file generated by Memoryze by Mandiant.
#ProTip: Ensure you enumerate strings in memory when you run Memoryze for best results.
This script takes two arguments:
the path to the av.db file, and
the string you are searching for.
"""
from optparse import OptionParser
import sqlite3
import sys
import os
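def searchDB(filepath, searchstring):
    """Print and return every row of the ``strings_*`` tables containing *searchstring*.

    Opens the SQLite database at ``filepath``, lists every table whose name
    starts with ``strings_`` and, for each of them, prints ``<pid> -- <string>``
    for every row whose ``string`` column contains ``searchstring``.

    Args:
        filepath: Path to the av.db file.
        searchstring: Substring to look for. It is bound as a query
            parameter, so quotes and other SQL metacharacters in it are
            searched for literally instead of being spliced into the SQL.
            SQL ``LIKE`` wildcards (``%`` and ``_``) are deliberately not
            escaped and keep their wildcard meaning, as in the original
            script; SQLite's ``LIKE`` is also case-insensitive for ASCII.

    Returns:
        A list of ``(pid, string)`` tuples in the order they were printed;
        empty when nothing matches or no ``strings_*`` table exists.

    Exits the process with status 1 on any ``sqlite3.Error``.
    """
    con = None
    matches = []
    try:
        con = sqlite3.connect(filepath)
        cur = con.cursor()
        cur.execute(
            "SELECT name FROM sqlite_master "
            "WHERE type='table' AND name LIKE 'strings_%'"
        )
        table_names = [row[0] for row in cur.fetchall()]
        # The search term is passed as a bound parameter (?), never
        # concatenated into the statement.
        pattern = "%" + searchstring + "%"
        for name in table_names:
            # Identifiers cannot be bound as parameters. The names come from
            # sqlite_master of the file being searched, so quote them so an
            # unusual table name cannot break or alter the statement.
            quoted = '"' + name.replace('"', '""') + '"'
            cur.execute(
                "SELECT pid, string FROM " + quoted + " WHERE string LIKE ?",
                (pattern,),
            )
            for pid, string in cur.fetchall():
                # %-formatting also copes with a NULL (None) string column,
                # where the original str-concatenation raised TypeError.
                print("%s -- %s" % (pid, string))
                matches.append((pid, string))
    except sqlite3.Error as e:
        # str(e) is safe even when e.args is empty.
        print("Error %s" % e)
        sys.exit(1)
    finally:
        if con:
            con.close()
    return matches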
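def main():
    """Parse ``-f`` and ``-s`` from the command line and run the search.

    Both options are mandatory: when either is missing (or empty) the usage
    text is printed and the process exits with status -1, as before.
    """
    parser = OptionParser(usage="usage: %prog [options]",
                          version="%prog 1.0")
    parser.add_option("-f",
                      action="store",
                      dest="filepath",
                      default=None,
                      help="This is the av.db file Memoryze creates.")
    parser.add_option("-s",
                      action="store",
                      dest="searchstring",
                      default=None,
                      help="The string you want to search the file for, use double quotes \" \".",)
    (options, args) = parser.parse_args()
    # optparse has no notion of required options, so enforce them by hand:
    # an option that was not given keeps its None default and fails the
    # truth test (an empty string is rejected too, matching the old check).
    for name in ("filepath", "searchstring"):
        if not getattr(options, name):
            print("mandatory option is missing\n")
            parser.print_help()
            # sys.exit rather than the site-module exit() builtin, which is
            # not guaranteed to exist (e.g. under python -S).
            sys.exit(-1)
    # Echoes the parsed options (file path and search term) before searching.
    print(repr(options))
    searchDB(options.filepath, options.searchstring)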
# Run the command-line entry point only when executed as a script, not on import.
if __name__ == '__main__':
    main()