 def Parse(self, stat, knowledge_base):
   """Yield the expanded string value of a CurrentControlSet registry key.

   Args:
     stat: registry stat entry; its ``registry_data`` value is read and its
       ``pathspec.path`` is used in the error message.
     knowledge_base: client knowledge base used to expand ``%VAR%`` references.

   Yields:
     rdfvalue.RDFString holding the expanded value, only if expansion
     produced a non-empty string.

   Raises:
     parsers.ParseError: if the registry value is empty or missing.
   """
   raw = stat.registry_data.GetValue()
   if not raw:
     raise parsers.ParseError("Invalid value for key %s" % stat.pathspec.path)
   expanded = artifact_utils.ExpandWindowsEnvironmentVariables(
       raw, knowledge_base)
   if not expanded:
     # Expansion can legitimately yield nothing; emit no value rather than
     # an empty string.
     return
   yield rdfvalue.RDFString(expanded)
  def Parse(self, response, knowledge_base):
    """Yield OS pathspecs for executable, file-backed memory regions.

    Args:
      response: object whose ``json_messages`` attribute is a JSON-encoded
        list of messages; only messages whose first element is "r" are used.
      knowledge_base: client knowledge base used to resolve ``%systemdrive%``.

    Yields:
      rdf_paths.PathSpec (PathType.OS) for every "r" message whose
      ``protection.enum`` mentions EXECUTE and whose ``filename`` is present
      and not "Pagefile-backed section". The filename is joined onto the
      system drive and normalised with ntpath.
    """
    drive = artifact_utils.ExpandWindowsEnvironmentVariables(
        "%systemdrive%", knowledge_base)

    for message in json.loads(response.json_messages):
      if message[0] != "r":
        continue
      # NOTE(review): assumes each "r" message is a [tag, dict] pair --
      # message[1] is indexed and .get() is called on it, so a malformed
      # message raises instead of being skipped. Confirm with the producer.
      row = message[1]
      if "EXECUTE" not in row.get("protection", {}).get("enum", ""):
        continue
      filename = row.get("filename", "")
      if not filename or filename == "Pagefile-backed section":
        continue
      # The filename is client-reported. If it already carries a drive
      # letter, ntpath.join drops ``drive`` and the reported path is used
      # as-is; the resulting pathspec only directs collection on that client.
      yield rdf_paths.PathSpec(
          path=ntpath.normpath(ntpath.join(drive, filename)),
          pathtype=rdf_paths.PathSpec.PathType.OS)
  def ParseMultiple(self, stats, knowledge_base):
    """Yield the expanded path of the "All Users" profile directory.

    Args:
      stats: iterable of registry stat entries. Entries whose basename is
        ``ProfilesDirectory`` or ``AllUsersProfile`` override the defaults
        when their value is non-empty; the last such entry wins.
      knowledge_base: client knowledge base used to expand ``%VAR%`` refs.

    Yields:
      A single rdfvalue.RDFString: ``<ProfilesDirectory>\\<AllUsersProfile>``
      after environment-variable expansion.
    """
    # Defaults, used when the registry does not supply a (non-empty) value.
    parts = {
        "ProfilesDirectory": r"%SystemDrive%\Documents and Settings",
        "AllUsersProfile": "All Users",
    }
    for stat in stats:
      data = stat.registry_data.GetValue()
      name = stat.pathspec.Basename()
      if name in parts and data:
        parts[name] = data

    combined = "%s\\%s" % (parts["ProfilesDirectory"], parts["AllUsersProfile"])
    expanded = artifact_utils.ExpandWindowsEnvironmentVariables(
        combined, knowledge_base)
    yield rdfvalue.RDFString(expanded)
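    def _GetFilePaths(self, path, pathtype, kb):
        """Guess executable file paths referenced by a command-line string.

        Args:
            path: command-line string to mine for Windows file names.
            pathtype: rdf_paths.PathSpec.PathType stamped on each result.
            kb: client knowledge base used to expand ``%VAR%`` references.

        Returns:
            list of rdf_paths.PathSpec, one per guessed path that passes
            self._IsExecutableExtension. Before expansion a leading
            system-root / system32 prefix (self.systemroot_re /
            self.system32_re, first match only) is rewritten to
            ``%systemroot%`` / ``%systemroot%\\system32`` so it is re-expanded
            against this client's knowledge base. Empty list if no guess
            survived filtering.
        """
        # Materialise the filtered guesses: under Python 3 ``filter`` returns
        # a lazy iterator that is always truthy, so ``if not path_guesses``
        # would never fire and the empty case would be silently skipped.
        guesses = [g for g in utils.GuessWindowsFileNameFromString(path)
                   if self._IsExecutableExtension(g)]
        if not guesses:
            # TODO(user): yield a ParserAnomaly object
            return []

        pathspecs = []
        for guess in guesses:  # separate name so ``path`` is not shadowed
            guess = re.sub(self.systemroot_re, r"%systemroot%", guess, count=1)
            guess = re.sub(self.system32_re,
                           r"%systemroot%\\system32",
                           guess,
                           count=1)
            full_path = artifact_utils.ExpandWindowsEnvironmentVariables(
                guess, kb)
            pathspecs.append(
                rdf_paths.PathSpec(path=full_path, pathtype=pathtype))

        return pathspecs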
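  def ParseRunKeys(self, responses):
    """Get filenames from the RunKeys and download the files.

    Each response's ``registry_data.string`` is mined for Windows file names
    (utils.GuessWindowsFileNameFromString); guesses that pass
    self._IsExecutableExtension are expanded against the client's knowledge
    base and collected as TSK pathspecs. If any were found, a MultiGetFile
    flow is started with next_state "Done". Values are client-supplied; the
    resulting pathspecs only direct collection on that same client.

    Args:
      responses: iterable of registry responses.
    """
    filenames = []
    client = aff4.FACTORY.Open(self.client_id, mode="r", token=self.token)
    kb = artifact.GetArtifactKnowledgeBase(client)

    for response in responses:
      runkey = response.registry_data.string

      # Materialise the filtered guesses: a Python 3 ``filter`` object is
      # always truthy, so ``if not path_guesses`` would never log the miss.
      path_guesses = [p for p in utils.GuessWindowsFileNameFromString(runkey)
                      if self._IsExecutableExtension(p)]
      if not path_guesses:
        self.Log("Couldn't guess path for %s", runkey)
        continue

      for path in path_guesses:
        full_path = artifact_utils.ExpandWindowsEnvironmentVariables(path, kb)
        filenames.append(rdf_paths.PathSpec(
            path=full_path, pathtype=rdf_paths.PathSpec.PathType.TSK))

    if filenames:
      self.CallFlow("MultiGetFile", pathspecs=filenames,
                    next_state="Done")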
 def Parse(self, stat, knowledge_base):
     """Yield the expanded "All Users" profile directory path.

     Args:
       stat: registry stat entry whose ``registry_data`` value names the
         all-users profile folder; "All Users" is used when it is empty.
       knowledge_base: client knowledge base used to expand
         ``%ProfilesDirectory%`` (and any other ``%VAR%`` references).

     Yields:
       A single rdfvalue.RDFString holding the expanded path.
     """
     folder = stat.registry_data.GetValue()
     if not folder:
       folder = "All Users"  # default when the key is empty or absent
     template = "%ProfilesDirectory%\\" + folder
     yield rdfvalue.RDFString(
         artifact_utils.ExpandWindowsEnvironmentVariables(template, knowledge_base))