
JSON Schema

Gabe Stocco edited this page Sep 10, 2020 · 2 revisions

Condensed Output

Condensed output is the default and exports everything into a single JSON file.

That JSON file is a serialization of a Dictionary<string,object>.

The Dictionary will contain a metadata key which maps to a Dictionary<string,string> with platform and app version information.

The Dictionary also contains a results key, which was generated from a Dictionary<(RESULT_TYPE, CHANGE_TYPE), List<CompareResult>>. The tuple key is flattened as (X, Y) => "X_Y", so to get the results for files that were created you would look up fullJson["results"]["FILE_CREATED"] and get a List<CompareResult>.

The CompareResult will contain up to two CollectObject states: base (before) and compare (after). Each CollectObject also contains a RESULT_TYPE that identifies which type it is. The fields available in the CollectObject vary based on RESULT_TYPE; see the documentation for CollectObject for the classes that inherit from it. For example, a CollectObject with RESULT_TYPE.FILE is a FileSystemObject.

For example, a run with a single result, a deleted executable file:

{
  "results": {
    "FILE_DELETED": [
      {
        "Identity": "mytest\\RecursiveExtractor.dll",
        "ChangeType": "DELETED",
        "ResultType": "FILE",
        "Analysis": "DEBUG",
        "BaseRowKey": "292765643",
        "BaseRunId": "2020-09-10T11:14:47.4583842-07:00",
        "CompareRunId": "2020-09-10T11:14:54.3257420-07:00",
        "Base": {
          "Identity": "mytest\\RecursiveExtractor.dll",
          "Path": "mytest\\RecursiveExtractor.dll",
          "Size": 172544,
          "SignatureStatus": {},
          "IsExecutable": true,
          "Owner": "DESKTOP-HJQJUB9\\Gstoc",
          "Group": "DESKTOP-HJQJUB9\\Gstoc",
          "Characteristics": [
            "IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA",
            "IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE",
            "IMAGE_DLLCHARACTERISTICS_NX_COMPAT",
            "IMAGE_DLLCHARACTERISTICS_NO_SEH",
            "IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE"
          ],
          "Permissions": {
            "NT AUTHORITY\\SYSTEM": "FullControl",
            "BUILTIN\\Administrators": "FullControl",
            "DESKTOP-HJQJUB9\\Gstoc": "FullControl"
          },
          "LastModified": "2020-08-16T20:14:48.0956105Z",
          "Created": "2020-09-10T18:13:53.9273877Z",
          "ResultType": "FILE"
        }
      }
    ]
  },
  "metadata": {
    "compare-version": "2.2.57+7af37f8172",
    "compare-os": "WINDOWS",
    "compare-osversion": "Microsoft Windows NT 6.2.9200.0"
  }
}
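As an added example (not part of this page or the tool's own code), a small Python consumer of the condensed output: it undoes the "X_Y" key flattening, cross-checks each entry against the key it sits under, and reports created or modified executables where principals outside an assumed trust list hold write rights. The sample document, the trust list, and the right names other than FullControl are assumptions constructed for the example.

```python
import json

# Constructed sample in the condensed-output shape above (not a real run): one executable
# deleted, one created with a loose ACL. Raw string keeps the serializer's doubled backslashes.
SAMPLE = r"""{
  "results": {
    "FILE_DELETED": [{"Identity": "mytest\\RecursiveExtractor.dll", "ChangeType": "DELETED",
      "ResultType": "FILE", "Base": {"Path": "mytest\\RecursiveExtractor.dll", "IsExecutable": true,
      "Permissions": {"BUILTIN\\Administrators": "FullControl"}, "ResultType": "FILE"}}],
    "FILE_CREATED": [{"Identity": "svc\\helper.exe", "ChangeType": "CREATED",
      "ResultType": "FILE", "Compare": {"Path": "svc\\helper.exe", "IsExecutable": true,
      "Permissions": {"BUILTIN\\Users": "FullControl", "NT AUTHORITY\\SYSTEM": "FullControl"},
      "ResultType": "FILE"}}]
  },
  "metadata": {"compare-version": "2.2.57+7af37f8172", "compare-os": "WINDOWS"}
}"""

def load_results(text):
    """Undo the (RESULT_TYPE, CHANGE_TYPE) => "X_Y" flattening: CHANGE_TYPE names have no
    underscore, so split on the last one; cross-check each entry's own type fields."""
    results = {}
    for key, entries in json.loads(text)["results"].items():
        result_type, _, change_type = key.rpartition("_")
        for e in entries:
            if (e["ResultType"], e["ChangeType"]) != (result_type, change_type):
                raise ValueError(f"entry under {key} is {e['ResultType']}_{e['ChangeType']}")
        results[(result_type, change_type)] = entries
    return results

# Assumed trust list for this example (not a rule of the tool): anyone else with write
# rights on a new or changed executable is reported.
TRUSTED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators", "NT SERVICE\\TrustedInstaller"}
WRITE_RIGHTS = {"FullControl", "Modify", "Write"}

def permissive_executables(results):
    """(path, [untrusted principals with write rights]) per CREATED/MODIFIED executable."""
    findings = []
    for (rt, ct), entries in results.items():
        if rt != "FILE" or ct == "DELETED":  # deleted files carry only a 'Base' state
            continue
        for e in entries:
            after = e.get("Compare", {})  # the after-state CollectObject
            if not after.get("IsExecutable"):
                continue
            who = sorted(p for p, rights in after.get("Permissions", {}).items()
                         if p not in TRUSTED
                         and WRITE_RIGHTS & {r.strip() for r in rights.split(",")})
            if who:
                findings.append((after["Path"], who))
    return findings
```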

API documentation for: RESULT_TYPE, CHANGE_TYPE, CompareResult, CollectObject

Exploded Output

The exploded output writes each List<CompareResult> and the metadata to separate files.
