def ParseFileObject(self, parser_mediator, file_object, **kwargs):
"""Parses a Windows Registry file-like object.
Args:
parser_mediator: a parser mediator object (instance of ParserMediator).
file_object: a file-like object.
"""
win_registry_reader = FileObjectWinRegistryFileReader()
try:
registry_file = win_registry_reader.Open(file_object)
except IOError as exception:
parser_mediator.ProduceParseError(
u'unable to open Windows Registry file with error: {0:s}'.
format(exception))
return
win_registry = dfwinreg_registry.WinRegistry()
key_path_prefix = win_registry.GetRegistryFileMapping(registry_file)
registry_file.SetKeyPathPrefix(key_path_prefix)
root_key = registry_file.GetRootKey()
if not root_key:
return
try:
self._ParseRecurseKeys(parser_mediator, root_key)
except IOError as exception:
parser_mediator.ProduceParseError(u'{0:s}'.format(exception))
def RunPlugins(cls, platform, file_system, mount_point, knowledge_base):
"""Runs the plugins for a specific platform.
Args:
platform: A string containing the supported operating system
of the plugin.
file_system: the file system object (instance of vfs.FileSystem)
to be preprocessed.
mount_point: the mount point path specification (instance of
path.PathSpec) that refers to the base location
of the file system.
knowledge_base: A knowledge base object (instance of KnowledgeBase),
which contains information from the source data needed
for parsing.
"""
# TODO: bootstrap the artifact preprocessor.
searcher = file_system_searcher.FileSystemSearcher(file_system, mount_point)
for weight in cls._GetWeights(cls._plugin_classes, platform):
for plugin_object in cls._GetPluginsByWeight(
cls._plugin_classes, platform, weight):
try:
plugin_object.Run(searcher, knowledge_base)
except (IOError, errors.PreProcessFail) as exception:
logging.warning((
u'Unable to run preprocessor: {0:s} for attribute: {1:s} '
u'with error: {2:s}').format(
plugin_object.plugin_name, plugin_object.ATTRIBUTE,
exception))
# Run the Registry plugins separately so we do not have to open
# Registry files in every plugin.
if knowledge_base:
pre_obj = knowledge_base.pre_obj
path_attributes = pre_obj.__dict__
else:
pre_obj = None
path_attributes = None
registry_file_reader = FileSystemWinRegistryFileReader(
file_system, mount_point, path_attributes=path_attributes)
win_registry = dfwinreg_registry.WinRegistry(
registry_file_reader=registry_file_reader)
for weight in cls._GetWeights(cls._registry_plugin_classes, platform):
for plugin_object in cls._GetPluginsByWeight(
cls._registry_plugin_classes, platform, weight):
try:
plugin_object.Run(win_registry, knowledge_base)
except (IOError, errors.PreProcessFail) as exception:
logging.warning((
u'Unable to run preprocessor: {0:s} for attribute: {1:s} '
u'with error: {2:s}').format(
plugin_object.plugin_name, plugin_object.ATTRIBUTE,
exception))
def __init__(self,
file_entry,
collector_name,
knowledge_base_object,
codepage=u'cp1252'):
"""Initialize the Registry helper.
Args:
file_entry: file entry object (instance of dfvfs.FileEntry).
collector_name: the name of the collector, eg. TSK.
knowledge_base_object: A knowledge base object (instance of
KnowledgeBase), which contains information from
the source data needed for parsing.
codepage: optional codepage value used for the Registry file. The default
is cp1252.
"""
self._Reset()
self._codepage = codepage
self._collector_name = collector_name
self._key_path_prefix = u''
self._knowledge_base_object = knowledge_base_object
self._registry_file = None
self._registry_file_name = None
self._registry_file_type = REGISTRY_FILE_TYPE_UNKNOWN
self._win_registry = dfwinreg_registry.WinRegistry(
backend=dfwinreg_registry.WinRegistry.BACKEND_PYREGF)
self.file_entry = file_entry
def _GetWinRegistryFromFileEntry(self, file_entry):
"""Retrieves a Windows Registry from a file entry.
Args:
file_entry: A file entry object (instance of dfvfs.FileEntry) that
references a test file.
Returns:
A Windows Registry object (instance of dfwinreg.WinRegistry) or None.
"""
file_object = file_entry.GetFileObject()
if not file_object:
return
win_registry_reader = winreg.FileObjectWinRegistryFileReader()
registry_file = win_registry_reader.Open(file_object)
if not registry_file:
file_object.close()
return
win_registry = dfwinreg_registry.WinRegistry()
key_path_prefix = win_registry.GetRegistryFileMapping(registry_file)
win_registry.MapFile(key_path_prefix, registry_file)
return win_registry
def _GetKeyFromFileEntry(self, file_entry, key_path):
"""Retrieves a Windows Registry key from a file.
Args:
file_entry: A dfVFS file_entry object that references a test file.
key_path: The path of the key to parse.
Returns:
A Windows Registry key (instance of WinRegKey).
"""
registry = dfwinreg_registry.WinRegistry(
backend=dfwinreg_registry.WinRegistry.BACKEND_PYREGF)
winreg_file = registry.OpenFileEntry(file_entry, codepage=u'cp1252')
return winreg_file.GetKeyByPath(key_path)
def setUp(self):
"""Makes preparations before running an individual test."""
path_attributes = {u'systemroot': u'\\Windows'}
file_system_builder = shared_test_lib.FakeFileSystemBuilder()
file_system_builder.AddTestFile(u'/Windows/System32/config/SYSTEM',
[u'SYSTEM'])
mount_point = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_FAKE, location=u'/')
registry_file_reader = manager.FileSystemWinRegistryFileReader(
file_system_builder.file_system,
mount_point,
path_attributes=path_attributes)
self._win_registry = dfwinreg_registry.WinRegistry(
registry_file_reader=registry_file_reader)
def setUp(self):
"""Sets up the needed objects used throughout the test."""
path_attributes = {u'systemroot': u'/Windows'}
file_data = self._ReadTestFile([u'SYSTEM'])
self._fake_file_system = self._BuildSingleFileFakeFileSystem(
u'/Windows/System32/config/SYSTEM', file_data)
mount_point = fake_path_spec.FakePathSpec(location=u'/')
self._searcher = file_system_searcher.FileSystemSearcher(
self._fake_file_system, mount_point)
registry_file_reader = dfwinreg_registry.SearcherWinRegistryFileReader(
self._searcher, path_attributes=path_attributes)
self._win_registry = dfwinreg_registry.WinRegistry(
registry_file_reader=registry_file_reader)
def setUp(self):
"""Sets up the needed objects used throughout the test."""
pre_obj = event.PreprocessObject()
pre_obj.systemroot = u'/Windows'
file_data = self._ReadTestFile([u'SYSTEM'])
self._fake_file_system = self._BuildSingleFileFakeFileSystem(
u'/Windows/System32/config/SYSTEM', file_data)
mount_point = fake_path_spec.FakePathSpec(location=u'/')
self._searcher = file_system_searcher.FileSystemSearcher(
self._fake_file_system, mount_point)
registry_file_reader = dfwinreg_registry.WinRegistryFileReader(
self._searcher, pre_obj=pre_obj)
self._win_registry = dfwinreg_registry.WinRegistry(
backend=dfwinreg_registry.WinRegistry.BACKEND_PYREGF,
registry_file_reader=registry_file_reader)
def Open(self):
"""Opens a Windows Registry file.
Raises:
IOError: if the Windows Registry file cannot be opened.
"""
if self._registry_file:
raise IOError(u'Registry file already open.')
file_object = self.file_entry.GetFileObject()
if not file_object:
logging.error(
u'Unable to open Registry file: {0:s} [{1:s}]'.format(
self.path, self._collector_name))
raise IOError(u'Unable to open Registry file.')
win_registry_reader = winreg.FileObjectWinRegistryFileReader()
self._registry_file = win_registry_reader.Open(file_object)
if not self._registry_file:
file_object.close()
logging.error(
u'Unable to open Registry file: {0:s} [{1:s}]'.format(
self.path, self._collector_name))
raise IOError(u'Unable to open Registry file.')
self._win_registry = dfwinreg_registry.WinRegistry()
self._key_path_prefix = self._win_registry.GetRegistryFileMapping(
self._registry_file)
self._win_registry.MapFile(self._key_path_prefix, self._registry_file)
self._registry_file_name = self.file_entry.name
self._registry_file_type = self.GetRegistryFileType(
self._registry_file)
# Retrieve the Registry file root key because the Registry helper
# expects self._currently_registry_key to be set after
# the Registry file is opened.
self._currently_registry_key = self._registry_file.GetRootKey()
def ParseFileObject(self, parser_mediator, file_object, **kwargs):
"""Parses a Windows Registry file-like object.
Args:
parser_mediator: a parser mediator object (instance of ParserMediator).
file_object: a file-like object.
"""
win_registry_reader = dfwinreg_registry.FileObjectWinRegistryFileReader(
)
registry_file = win_registry_reader.Open(file_object)
win_registry = dfwinreg_registry.WinRegistry()
key_path_prefix = win_registry.GetRegistryFileMapping(registry_file)
registry_file.SetKeyPathPrefix(key_path_prefix)
root_key = registry_file.GetRootKey()
if not root_key:
return
try:
for registry_key in root_key.RecurseKeys():
# TODO: use a filter tree to optimize lookups.
found_matching_plugin = False
for plugin_object in self._plugins:
if parser_mediator.abort:
break
if self._CanProcessKeyWithPlugin(registry_key,
plugin_object):
found_matching_plugin = True
plugin_object.UpdateChainAndProcess(
parser_mediator, registry_key)
if not found_matching_plugin:
self._default_plugin.UpdateChainAndProcess(
parser_mediator, registry_key)
except IOError as exception:
parser_mediator.ProduceParseError(u'{0:s}'.format(exception))
def GetRegistryFilePaths(self, plugin_name=None, registry_file_type=None):
"""Returns a list of Registry paths.
If the Registry file type is not set this functions attempts to determine
it based on the presence of specific Registry keys.
Args:
plugin_name: optional string containing the name of the plugin or an empty
string or None for all the types. The default is None.
registry_file_type: optional Windows Registry file type string.
The default is None, which represents auto-detect.
Returns:
A list of path names for Registry files.
"""
if self._parse_restore_points:
restore_path = u'/System Volume Information/_restor.+/RP[0-9]+/snapshot/'
else:
restore_path = u''
if registry_file_type:
types = [registry_file_type]
else:
types = self._GetRegistryTypes(plugin_name)
# Gather the Registry files to fetch.
paths = []
for reg_type in types:
if reg_type == dfwinreg_definitions.REGISTRY_FILE_TYPE_NTUSER:
paths.append(u'/Documents And Settings/.+/NTUSER.DAT')
paths.append(u'/Users/.+/NTUSER.DAT')
if restore_path:
paths.append(
u'{0:s}/_REGISTRY_USER_NTUSER.+'.format(restore_path))
elif reg_type == dfwinreg_definitions.REGISTRY_FILE_TYPE_SAM:
paths.append(u'{sysregistry}/SAM')
if restore_path:
paths.append(
u'{0:s}/_REGISTRY_MACHINE_SAM'.format(restore_path))
elif reg_type == dfwinreg_definitions.REGISTRY_FILE_TYPE_SECURITY:
paths.append(u'{sysregistry}/SECURITY')
if restore_path:
paths.append(u'{0:s}/_REGISTRY_MACHINE_SECURITY'.format(
restore_path))
elif reg_type == dfwinreg_definitions.REGISTRY_FILE_TYPE_SOFTWARE:
paths.append(u'{sysregistry}/SOFTWARE')
if restore_path:
paths.append(u'{0:s}/_REGISTRY_MACHINE_SOFTWARE'.format(
restore_path))
elif reg_type == dfwinreg_definitions.REGISTRY_FILE_TYPE_SYSTEM:
paths.append(u'{sysregistry}/SYSTEM')
if restore_path:
paths.append(
u'{0:s}/_REGISTRY_MACHINE_SYSTEM'.format(restore_path))
elif reg_type == dfwinreg_definitions.REGISTRY_FILE_TYPE_USRCLASS:
paths.append(
u'/Users/.+/AppData/Local/Microsoft/Windows/UsrClass.dat')
# Expand all the paths.
win_registry = dfwinreg_registry.WinRegistry()
# TODO: deprecate usage of pre_obj.
path_attributes = self.knowledge_base_object.pre_obj.__dict__
expanded_key_paths = []
for key_path in paths:
try:
expanded_key_path = win_registry.ExpandKeyPath(
key_path, path_attributes)
expanded_key_paths.append(expanded_key_path)
except KeyError as exception:
logging.error(
u'Unable to expand key path: {0:s} with error: {1:s}'.
format(key_path, exception))
return expanded_key_paths
def __init__(self):
"""Initializes a parser object."""
super(WinRegistryParser, self).__init__()
self._plugins = WinRegistryParser.GetPluginList()
self._win_registry = dfwinreg_registry.WinRegistry(
backend=dfwinreg_registry.WinRegistry.BACKEND_PYREGF)
def setUp(self):
"""Sets up the needed objects used throughout the test."""
self._registry = registry.WinRegistry(
backend=registry.WinRegistry.BACKEND_PYREGF)
def setUp(self):
"""Makes preparations before running an individual test."""
self._registry = registry.WinRegistry(
registry_file_reader=TestWinRegistryFileReader())
def setUp(self):
"""Sets up the needed objects used throughout the test."""
self._registry = registry.WinRegistry(
registry_file_reader=TestWinRegistryFileReader())