def read_trace(n, l, f=5):
ret = []
if PRINT == True:
for i in range(n):
buf = FH.read(l)
# IBM floats - 4 byte - Must be big endian
if f == 1:
ret.append(
construct.BFloat32("x").parse(ibmfloat.ibm2ieee32(buf)))
# INT - 4 byte or 2 byte
elif f == 2:
if ENDIAN == 'little':
# Swap 4 byte
b = construct.SLInt32("x").parse(buf)
else:
b = construct.SBInt32("x").parse(buf)
ret.append(b)
elif f == 3:
if ENDIAN == 'little':
# Swap 2 byte
b = construct.SLInt16("x").parse(buf)
else:
b = construct.SBInt16("x").parse(buf)
ret.append(b)
# IEEE floats - 4 byte
elif f == 5:
if ENDIAN == 'little':
# Swap 4 byte
b = construct.LFloat32("x").parse(buf)
else:
b = construct.BFloat32("x").parse(buf)
ret.append(b)
# INT - 1 byte
elif f == 8:
ret.append(construct.SBInt8("x").parse(buf))
else:
FH.read(n * l)
return ret
class TestRegValue(interface.WinRegValue):
"""Implementation of the Registry value interface for testing."""
_INT32_BIG_ENDIAN = construct.SBInt32('value')
_INT32_LITTLE_ENDIAN = construct.SLInt32('value')
_INT64_LITTLE_ENDIAN = construct.SLInt64('value')
def __init__(self, name, data, data_type, offset=0):
"""Set up the test reg value object."""
super(TestRegValue, self).__init__()
self._name = name
self._data = data
self._data_type = data_type
self._offset = offset
self._type_str = ''
@property
def name(self):
"""The name of the value."""
return self._name
@property
def offset(self):
"""The offset of the value within the Windows Registry file."""
return self._offset
@property
def data_type(self):
"""Numeric value that contains the data type."""
return self._data_type
@property
def raw_data(self):
"""The value data as a byte string."""
return self._data
@property
def data(self):
"""The value data as a native Python object."""
if not self._data:
return None
if self._data_type in [self.REG_SZ, self.REG_EXPAND_SZ, self.REG_LINK]:
try:
return unicode(self._data.decode('utf-16-le'))
except UnicodeError:
pass
elif self._data_type == self.REG_DWORD and len(self._data) == 4:
return self._INT32_LITTLE_ENDIAN.parse(self._data)
elif self._data_type == self.REG_DWORD_BIG_ENDIAN and len(
self._data) == 4:
return self._INT32_BIG_ENDIAN.parse(self._data)
elif self._data_type == self.REG_QWORD and len(self._data) == 8:
return self._INT64_LITTLE_ENDIAN.parse(self._data)
elif self._data_type == self.REG_MULTI_SZ:
try:
utf16_string = unicode(self._data.decode('utf-16-le'))
return filter(None, utf16_string.split('\x00'))
except UnicodeError:
pass
return self._data
class FakeWinRegistryValue(interface.WinRegistryValue):
"""Fake implementation of a Windows Registry value."""
_INT32_BIG_ENDIAN = construct.SBInt32(u'value')
_INT32_LITTLE_ENDIAN = construct.SLInt32(u'value')
_INT64_LITTLE_ENDIAN = construct.SLInt64(u'value')
def __init__(self, name, data=b'', data_type=0, offset=0):
"""Initializes a Windows Registry value object.
Args:
name: the name of the Windows Registry value.
data: optional binary string containing the value data.
data_type: optional integer containing the value data type.
offset: optional offset of the value within the Windows Registry file.
"""
super(FakeWinRegistryValue, self).__init__()
self._data = data
self._data_type = data_type
self._data_size = len(data)
self._name = name
self._offset = offset
@property
def data(self):
"""The value data as a native Python object.
Raises:
WinRegistryValueError: if the value data cannot be read.
"""
if not self._data:
return None
if self._data_type in self._STRING_VALUE_TYPES:
try:
return self._data.decode(u'utf-16-le')
except UnicodeError as exception:
raise errors.WinRegistryValueError(
u'Unable to read data from value: {0:s} with error: {1:s}'.
format(self._name, exception))
elif (self._data_type == definitions.REG_DWORD
and self._data_size == 4):
return self._INT32_LITTLE_ENDIAN.parse(self._data)
elif (self._data_type == definitions.REG_DWORD_BIG_ENDIAN
and self._data_size == 4):
return self._INT32_BIG_ENDIAN.parse(self._data)
elif (self._data_type == definitions.REG_QWORD
and self._data_size == 8):
return self._INT64_LITTLE_ENDIAN.parse(self._data)
elif self._data_type == definitions.REG_MULTI_SZ:
try:
utf16_string = self._data.decode(u'utf-16-le')
return filter(None, utf16_string.split(u'\x00'))
except UnicodeError as exception:
raise errors.WinRegistryValueError(
u'Unable to read data from value: {0:s} with error: {1:s}'.
format(self._name, exception))
return self._data
@property
def data_type(self):
"""Numeric value that contains the data type."""
return self._data_type
@property
def name(self):
"""The name of the value."""
return self._name
@property
def offset(self):
"""The offset of the value within the Windows Registry file."""
return self._pyregf_value.offset
@property
def raw_data(self):
"""The value data as a byte string."""
return self._data
c.UBInt64('connection_id'),
)
announce_req = c.Struct('request',
c.UBInt64('connection_id'),
c.UBInt32('action'),
c.UBInt32('transaction_id'),
c.Bytes('info_hash', 20),
c.Bytes('peer_id', 20),
c.UBInt64('downloaded'),
c.UBInt64('left'),
c.UBInt64('uploaded'),
c.UBInt32('event'),
c.UBInt32('ip_addr'),
c.UBInt32('key'),
c.SBInt32('num_want'),
c.UBInt16('port'),
)
announce_resp = c.Struct('response',
c.UBInt32('action'),
c.UBInt32('transaction_id'),
c.UBInt32('interval'),
c.UBInt32('leechers'),
c.UBInt32('seeders'),
c.GreedyRange(
c.Struct('peer',
c.Array(4, c.UBInt8('addr')),
c.UBInt16('port')
)
)
class FakeWinRegistryValue(interface.WinRegistryValue):
"""Fake implementation of a Windows Registry value."""
_INT32_BIG_ENDIAN = construct.SBInt32(u'value')
_INT32_LITTLE_ENDIAN = construct.SLInt32(u'value')
_INT64_LITTLE_ENDIAN = construct.SLInt64(u'value')
def __init__(self, name, data=b'', data_type=definitions.REG_NONE, offset=0):
"""Initializes a Windows Registry value.
Args:
name (str): name of the Windows Registry value.
data (Optional[bytes]): value data.
data_type (Optional[int]): value data type.
offset (Optional[int]): offset of the value within the Windows Registry
file.
"""
super(FakeWinRegistryValue, self).__init__()
self._data = data
self._data_type = data_type
self._data_size = len(data)
self._name = name
self._offset = offset
@property
def data(self):
"""bytes: value data as a byte string."""
return self._data
@property
def data_type(self):
"""int: data type."""
return self._data_type
@property
def name(self):
"""str: name of the value."""
return self._name
@property
def offset(self):
"""int: offset of the value within the Windows Registry file."""
return self._offset
def GetDataAsObject(self):
"""Retrieves the data as an object.
Returns:
object: data as a Python type.
Raises:
WinRegistryValueError: if the value data cannot be read.
"""
if not self._data:
return
if self._data_type in self._STRING_VALUE_TYPES:
try:
return self._data.decode(u'utf-16-le')
# AttributeError is raised when self._data has no decode method.
except AttributeError as exception:
raise errors.WinRegistryValueError((
u'Unsupported data type: {0!s} of value: {1!s} with error: '
u'{2!s}').format(type(self._data), self._name, exception))
except UnicodeError as exception:
raise errors.WinRegistryValueError(
u'Unable to decode data of value: {0!s} with error: {1!s}'.format(
self._name, exception))
elif (self._data_type == definitions.REG_DWORD and
self._data_size == 4):
return self._INT32_LITTLE_ENDIAN.parse(self._data)
elif (self._data_type == definitions.REG_DWORD_BIG_ENDIAN and
self._data_size == 4):
return self._INT32_BIG_ENDIAN.parse(self._data)
elif (self._data_type == definitions.REG_QWORD and
self._data_size == 8):
return self._INT64_LITTLE_ENDIAN.parse(self._data)
elif self._data_type == definitions.REG_MULTI_SZ:
try:
utf16_string = self._data.decode(u'utf-16-le')
# TODO: evaluate the use of filter here is appropriate behavior.
return list(filter(None, utf16_string.split(u'\x00')))
# AttributeError is raised when self._data has no decode method.
except AttributeError as exception:
raise errors.WinRegistryValueError((
u'Unsupported data type: {0!s} of value: {1!s} with error: '
u'{2!s}').format(type(self._data), self._name, exception))
except UnicodeError as exception:
raise errors.WinRegistryValueError(
u'Unable to read data from value: {0!s} with error: {1!s}'.format(
self._name, exception))
return self._data
def psint():
PINT = construct.Struct("PINT", construct.SBInt32("x"))
return PINT
def bin_header_be_int():
BIN = construct.Struct("BIN", construct.SBInt32("nzyear"),
construct.SBInt32("nzjday"),
construct.SBInt32("nzhour"),
construct.SBInt32("nzmin"),
construct.SBInt32("nzsec"),
construct.SBInt32("nzmsec"),
construct.SBInt32("nvhdr"),
construct.SBInt32("norid"),
construct.SBInt32("nevid"),
construct.SBInt32("npts"),
construct.SBInt32("nsnpts"),
construct.SBInt32("nwfid"),
construct.SBInt32("nxsize"),
construct.SBInt32("nysize"),
construct.SBInt32("unused15"),
construct.SBInt32("iftype"),
construct.SBInt32("idep"),
construct.SBInt32("iztype"),
construct.SBInt32("unused16"),
construct.SBInt32("iinst"),
construct.SBInt32("istreg"),
construct.SBInt32("ievreg"),
construct.SBInt32("ievtyp"),
construct.SBInt32("iqual"),
construct.SBInt32("isynth"),
construct.SBInt32("imagtyp"),
construct.SBInt32("imagsrc"),
construct.SBInt32("unused19"),
construct.SBInt32("unused20"),
construct.SBInt32("unused21"),
construct.SBInt32("unused22"),
construct.SBInt32("unused23"),
construct.SBInt32("unused24"),
construct.SBInt32("unused25"),
construct.SBInt32("unused26"),
construct.SBInt32("leven"),
construct.SBInt32("lpspol"),
construct.SBInt32("lovrok"),
construct.SBInt32("lcalda"),
construct.SBInt32("unused27"))
return BIN