def __init__(self, reg_cache=None):
"""Initializes key-based Windows Registry plugin object.
Args:
reg_cache: Optional Windows Registry objects cache (instance of
WinRegistryCache). The default is None.
"""
super(KeyPlugin, self).__init__(reg_cache=reg_cache)
self._path_expander = winreg_path_expander.WinRegistryKeyPathExpander(
reg_cache=reg_cache)
self.expanded_keys = None
def __init__(self, obj_store):
"""Initializes the Window Registry preprocess plugin object.
Args:
obj_store: the object store.
"""
super(WindowsRegistryPreprocess, self).__init__(obj_store)
self._file_path_expander = winreg_path_expander.WinRegistryKeyPathExpander(
obj_store, None)
self._key_path_expander = None
def BuildFindSpecsFromFile(filter_file_path, pre_obj=None):
"""Returns a list of find specification from a filter file.
Args:
filter_file_path: A path to a file that contains find specifications.
pre_obj: A preprocessing object (instance of PreprocessObject). This is
optional but when provided takes care of expanding each segment.
"""
find_specs = []
if pre_obj:
expander = path_expander.WinRegistryKeyPathExpander()
with open(filter_file_path, 'rb') as file_object:
for line in file_object:
line = line.strip()
if line.startswith(u'#'):
continue
if pre_obj:
try:
line = expander.ExpandPath(line, pre_obj=pre_obj)
except KeyError as exception:
logging.error((
u'Unable to use collection filter line: {0:s} with error: '
u'{1:s}').format(line, exception))
continue
if not line.startswith(u'/'):
logging.warning(
(u'The filter string must be defined as an abolute path: '
u'{0:s}').format(line))
continue
_, _, file_path = line.rstrip().rpartition(u'/')
if not file_path:
logging.warning(
u'Unable to parse the filter string: {0:s}'.format(line))
continue
# Convert the filter paths into a list of path segments and strip
# the root path segment.
path_segments = line.split(u'/')
path_segments.pop(0)
find_specs.append(
file_system_searcher.FindSpec(location_regex=path_segments,
case_sensitive=False))
return find_specs
def __init__(self, pre_obj=None, reg_cache=None):
"""Initializes key-based Windows Registry plugin object.
Args:
pre_obj: Optional preprocessing object that contains information gathered
during preprocessing of data. The default is None.
reg_cache: Optional Windows Registry objects cache (instance of
WinRegistryCache). The default is None.
"""
super(KeyPlugin, self).__init__(pre_obj=pre_obj, reg_cache=reg_cache)
self._path_expander = winreg_path_expander.WinRegistryKeyPathExpander(
pre_obj, reg_cache)
# Build a list of expanded keys this plugin supports.
self.expanded_keys = []
for registry_key in self.REG_KEYS:
key_fixed = u''
try:
key_fixed = self._path_expander.ExpandPath(registry_key)
self.expanded_keys.append(key_fixed)
except KeyError as exception:
logging.debug((
u'Unable to use registry key {0:s} for plugin {1:s}, error '
u'message: {1:s}').format(registry_key, self.plugin_name,
exception))
continue
if not key_fixed:
continue
# Special case of Wow6432 Windows Registry redirection.
# URL: http://msdn.microsoft.com/en-us/library/windows/desktop/\
# ms724072%28v=vs.85%29.aspx
if key_fixed.startswith('\\Software'):
_, first, second = key_fixed.partition('\\Software')
self.expanded_keys.append(u'{0:s}\\Wow6432Node{1:s}'.format(
first, second))
if self.REG_TYPE == 'SOFTWARE' or self.REG_TYPE == 'any':
self.expanded_keys.append(
u'\\Wow6432Node{:s}'.format(key_fixed))
def GetValue(self, searcher):
"""Return the value gathered from a registry key for preprocessing.
Args:
searcher: The file system searcher object (instance of
dfvfs.FileSystemSearcher).
Raises:
errors.PreProcessFail: if the preprocessing fails.
"""
# TODO: optimize this in one find.
try:
path = self._file_path_expander.ExpandPath(self.REG_PATH)
except KeyError:
path = u''
if not path:
raise errors.PreProcessFail(u'Unable to expand path: {0:s}'.format(
self.REG_PATH))
find_spec = file_system_searcher.FindSpec(location=path,
case_sensitive=False)
path_specs = list(searcher.Find(find_specs=[find_spec]))
if not path_specs or len(path_specs) != 1:
raise errors.PreProcessFail(
u'Unable to find directory: {0:s}'.format(self.REG_PATH))
directory_location = getattr(path_specs[0], 'location', None)
if not directory_location:
raise errors.PreProcessFail(
u'Missing directory location for: {0:s}'.format(self.REG_PATH))
# The path is split in segments to make it path segement separator
# independent (and thus platform independent).
path_segments = searcher.SplitPath(directory_location)
path_segments.append(self.REG_FILE)
find_spec = file_system_searcher.FindSpec(location=path_segments,
case_sensitive=False)
path_specs = list(searcher.Find(find_specs=[find_spec]))
if not path_specs:
raise errors.PreProcessFail(
u'Unable to find file: {0:s} in directory: {1:s}'.format(
self.REG_FILE, directory_location))
if len(path_specs) != 1:
raise errors.PreProcessFail(
(u'Find for file: {1:s} in directory: {0:s} returned {2:d} '
u'results.').format(self.REG_FILE, directory_location,
len(path_specs)))
file_location = getattr(path_specs[0], 'location', None)
if not directory_location:
raise errors.PreProcessFail(
u'Missing file location for: {0:s} in directory: {1:s}'.format(
self.REG_FILE, directory_location))
try:
file_entry = searcher.GetFileEntryByPathSpec(path_specs[0])
except IOError as exception:
raise errors.PreProcessFail(
u'Unable to open file entry: {0:s} with error: {1:s}'.format(
file_location, exception))
if not file_entry:
raise errors.PreProcessFail(
u'Unable to open file entry: {0:s}'.format(file_location))
# TODO: remove this check win_registry.OpenFile doesn't fail instead?
try:
file_object = file_entry.GetFileObject()
file_object.close()
except IOError as exception:
raise errors.PreProcessFail(
u'Unable to open file object: {0:s} with error: {1:s}'.format(
file_location, exception))
codepage = getattr(self._obj_store, 'code_page', 'cp1252')
win_registry = winregistry.WinRegistry(
winregistry.WinRegistry.BACKEND_PYREGF)
try:
winreg_file = win_registry.OpenFile(file_entry, codepage=codepage)
except IOError as exception:
raise errors.PreProcessFail(
u'Unable to open Registry file: {0:s} with error: {1:s}'.
format(file_location, exception))
self.winreg_file = winreg_file
if not self._key_path_expander:
# TODO: it is more efficient to have one cache that is passed to every
# plugin, or maybe one path expander. Or replace the path expander by
# dfvfs WindowsPathResolver?
reg_cache = cache.WinRegistryCache()
reg_cache.BuildCache(winreg_file, self.REG_FILE)
self._key_path_expander = winreg_path_expander.WinRegistryKeyPathExpander(
self._obj_store, reg_cache)
try:
key_path = self._key_path_expander.ExpandPath(self.REG_KEY)
except KeyError:
key_path = u''
if not key_path:
raise errors.PreProcessFail(u'Unable to expand path: {0:s}'.format(
self.REG_KEY))
try:
key = winreg_file.GetKeyByPath(key_path)
except IOError as exception:
raise errors.PreProcessFail(
u'Unable to fetch Registry key: {0:s} with error: {1:s}'.
format(key_path, exception))
if not key:
raise errors.PreProcessFail(
u'Registry key {0:s} does not exist.'.format(self.REG_KEY))
return self.ParseKey(key)
def __init__(self):
"""Initializes the Window Registry preprocess plugin object."""
super(WindowsRegistryPreprocessPlugin, self).__init__()
self._file_path_expander = winreg_path_expander.WinRegistryKeyPathExpander(
)
self._key_path_expander = None
def _BuildHiveCache(self):
"""Calculate the Registry cache."""
self.reg_cache = cache.WinRegistryCache()
self.reg_cache.BuildCache(self._hive, self._hive_type)
self.path_expander = winreg_path_expander.WinRegistryKeyPathExpander(
reg_cache=self.reg_cache)
def _GetRegistryFilePaths(self, plugin_name=None, registry_type=None):
"""Returns a list of Registry paths from a configuration object.
Args:
plugin_name: optional string containing the name of the plugin or an empty
string or None for all the types. Defaults to None.
registry_type: optional Registry type string. None by default.
Returns:
A list of path names for registry files.
"""
if self._parse_restore_points:
restore_path = u'/System Volume Information/_restor.+/RP[0-9]+/snapshot/'
else:
restore_path = u''
if registry_type:
types = [registry_type]
else:
types = self._GetRegistryTypes(plugin_name)
# Gather the Registry files to fetch.
paths = []
for reg_type in types:
if reg_type == 'NTUSER':
paths.append('/Documents And Settings/.+/NTUSER.DAT')
paths.append('/Users/.+/NTUSER.DAT')
if restore_path:
paths.append('{0:s}/_REGISTRY_USER_NTUSER.+'.format(restore_path))
elif reg_type == 'SOFTWARE':
paths.append('{sysregistry}/SOFTWARE')
if restore_path:
paths.append('{0:s}/_REGISTRY_MACHINE_SOFTWARE'.format(restore_path))
elif reg_type == 'SYSTEM':
paths.append('{sysregistry}/SYSTEM')
if restore_path:
paths.append('{0:s}/_REGISTRY_MACHINE_SYSTEM'.format(restore_path))
elif reg_type == 'SECURITY':
paths.append('{sysregistry}/SECURITY')
if restore_path:
paths.append('{0:s}/_REGISTRY_MACHINE_SECURITY'.format(restore_path))
elif reg_type == 'USRCLASS':
paths.append('/Users/.+/AppData/Local/Microsoft/Windows/UsrClass.dat')
elif reg_type == 'SAM':
paths.append('{sysregistry}/SAM')
if restore_path:
paths.append('{0:s}/_REGISTRY_MACHINE_SAM'.format(restore_path))
# Expand all the paths.
expanded_paths = []
expander = winreg_path_expander.WinRegistryKeyPathExpander()
for path in paths:
try:
expanded_paths.append(expander.ExpandPath(
path, pre_obj=PregCache.knowledge_base_object.pre_obj))
except KeyError as exception:
logging.error(u'Unable to expand keys with error: {0:s}'.format(
exception))
return expanded_paths