def GetEntries(self, parser_mediator, registry_key, **kwargs): """Collect Values in Servers and return event for each one. Args: parser_mediator: A parser mediator object (instance of ParserMediator). registry_key: A Windows Registry key (instance of dfwinreg.WinRegistryKey). """ mru_values_dict = {} for subkey in registry_key.GetSubkeys(): username_value = subkey.GetValueByName(u'UsernameHint') if (username_value and username_value.data and username_value.DataIsString()): username = username_value.GetDataAsObject() else: username = u'N/A' mru_values_dict[subkey.name] = username values_dict = {u'Username hint': username} event_object = windows_events.WindowsRegistryEvent( subkey.last_written_time, subkey.path, values_dict, offset=subkey.offset, source_append=self._SOURCE_APPEND) parser_mediator.ProduceEvent(event_object) event_object = windows_events.WindowsRegistryEvent( registry_key.last_written_time, registry_key.path, mru_values_dict, offset=registry_key.offset, source_append=self._SOURCE_APPEND) parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs): """Gather the BootExecute Value, compare to default, return event. The rest of the values in the Session Manager key are in a separate event. Args: parser_mediator: A parser mediator object (instance of ParserMediator). registry_key: A Windows Registry key (instance of dfwinreg.WinRegistryKey). """ values_dict = {} for registry_value in registry_key.GetValues(): value_name = registry_value.name or u'(default)' if value_name == u'BootExecute': # MSDN: claims that the data type of this value is REG_BINARY # although REG_MULTI_SZ is known to be used as well. if registry_value.DataIsString(): value_string = registry_value.GetDataAsObject() elif registry_value.DataIsMultiString(): value_string = u''.join(registry_value.GetDataAsObject()) elif registry_value.DataIsBinaryData(): value_string = registry_value.GetDataAsObject() else: value_string = u'' error_string = ( u'Key: {0:s}, value: {1:s}: unsupported value data type: ' u'{2:s}.').format(registry_key.path, value_name, registry_value.data_type_string) parser_mediator.ProduceParseError(error_string) # TODO: why does this have a separate event object? Remove this. value_dict = {u'BootExecute': value_string} event_object = windows_events.WindowsRegistryEvent( registry_key.last_written_time, registry_key.path, value_dict, offset=registry_key.offset, urls=self.URLS) parser_mediator.ProduceEvent(event_object) else: values_dict[value_name] = registry_value.GetDataAsObject() event_object = windows_events.WindowsRegistryEvent( registry_key.last_written_time, registry_key.path, values_dict, offset=registry_key.offset, urls=self.URLS) parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs): """Collect Values under Office 2010 MRUs and return events for each one. Args: parser_mediator: A parser mediator object (instance of ParserMediator). registry_key: A Windows Registry key (instance of dfwinreg.WinRegistryKey). """ # TODO: Test other Office versions to make sure this plugin is applicable. mru_values_dict = {} for registry_value in registry_key.GetValues(): # Ignore any value not in the form: 'Item [0-9]+'. if not registry_value.name or not self._RE_VALUE_NAME.search( registry_value.name): continue # Ignore any value that is empty or that does not contain a string. if not registry_value.data or not registry_value.DataIsString(): continue value_string = registry_value.GetDataAsObject() values = self._RE_VALUE_DATA.findall(value_string) # Values will contain a list containing a tuple containing 2 values. if len(values) != 1 or len(values[0]) != 2: continue try: filetime = int(values[0][0], 16) except ValueError: parser_mediator.ProduceParseError( (u'unable to convert filetime string to an integer for ' u'value: {0:s}.').format(registry_value.name)) continue mru_values_dict[registry_value.name] = value_string # TODO: change into a separate event object. values_dict = {registry_value.name: value_string} event_object = windows_events.WindowsRegistryEvent( filetime, registry_key.path, values_dict, offset=registry_key.offset, source_append=self._SOURCE_APPEND) parser_mediator.ProduceEvent(event_object) event_object = windows_events.WindowsRegistryEvent( registry_key.last_written_time, registry_key.path, mru_values_dict, offset=registry_key.offset, source_append=self._SOURCE_APPEND) parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, key=None, registry_type=None, codepage='cp1252', **unused_kwargs): """Extracts event objects from a CCleaner Registry key. Args: parser_mediator: A parser mediator object (instance of ParserMediator). key: Optional Registry key (instance of winreg.WinRegKey). The default is None. registry_type: Optional Registry type string. The default is None. """ for value in key.GetValues(): if not value.name or not value.data: continue text_dict = {} text_dict[value.name] = value.data if value.name == u'UpdateKey': timestamp = timelib.Timestamp.FromTimeString( value.data, timezone=parser_mediator.timezone) event_object = windows_events.WindowsRegistryEvent( timestamp, key.path, text_dict, offset=key.offset, registry_type=registry_type) elif value.name == '0': event_object = windows_events.WindowsRegistryEvent( key.timestamp, key.path, text_dict, offset=key.offset, registry_type=registry_type) else: # TODO: change this event not to set a timestamp of 0. event_object = windows_events.WindowsRegistryEvent( 0, key.path, text_dict, offset=key.offset, registry_type=registry_type) event_object.source_append = u': CCleaner Registry key' parser_mediator.ProduceEvent(event_object)
def GetEntries( self, parser_context, file_entry=None, key=None, registry_type=None, **unused_kwargs): """Gather the BootExecute Value, compare to default, return event. The rest of the values in the Session Manager key are in a separate event. Args: parser_context: A parser context object (instance of ParserContext). file_entry: optional file entry object (instance of dfvfs.FileEntry). The default is None. key: Optional Registry key (instance of winreg.WinRegKey). The default is None. registry_type: Optional Registry type string. The default is None. """ text_dict = {} for value in key.GetValues(): if value.name == 'BootExecute': # MSDN: claims that the data type of this value is REG_BINARY # although REG_MULTI_SZ is known to be used as well. if value.DataIsString(): value_string = value.data elif value.DataIsMultiString(): value_string = u''.join(value.data) elif value.DataIsBinaryData(): value_string = value.data else: value_string = u'' error_string = ( u'Key: {0:s}, value: {1:s}: unuspported value data type: ' u'{2:s}.').format(key.path, value.name, value.data_type_string) parser_context.ProduceParseError( self.NAME, error_string, file_entry=file_entry) # TODO: why does this have a separate event object? Remove this. value_dict = {'BootExecute': value_string} event_object = windows_events.WindowsRegistryEvent( key.last_written_timestamp, key.path, value_dict, offset=key.offset, registry_type=registry_type, urls=self.URLS) parser_context.ProduceEvent(event_object, plugin_name=self.NAME) else: text_dict[value.name] = value.data event_object = windows_events.WindowsRegistryEvent( key.last_written_timestamp, key.path, text_dict, offset=key.offset, registry_type=registry_type, urls=self.URLS) parser_context.ProduceEvent(event_object, plugin_name=self.NAME)
def GetEntries( self, parser_mediator, key=None, registry_file_type=None, codepage=u'cp1252', **unused_kwargs): """Gather the BootExecute Value, compare to default, return event. The rest of the values in the Session Manager key are in a separate event. Args: parser_mediator: A parser mediator object (instance of ParserMediator). key: Optional Registry key (instance of winreg.WinRegKey). The default is None. registry_file_type: Optional string containing the Windows Registry file type, e.g. NTUSER, SOFTWARE. The default is None. codepage: Optional extended ASCII string codepage. The default is cp1252. """ text_dict = {} for value in key.GetValues(): if value.name == u'BootExecute': # MSDN: claims that the data type of this value is REG_BINARY # although REG_MULTI_SZ is known to be used as well. if value.DataIsString(): value_string = value.data elif value.DataIsMultiString(): value_string = u''.join(value.data) elif value.DataIsBinaryData(): value_string = value.data else: value_string = u'' error_string = ( u'Key: {0:s}, value: {1:s}: unsupported value data type: ' u'{2:s}.').format(key.path, value.name, value.data_type_string) parser_mediator.ProduceParseError(error_string) # TODO: why does this have a separate event object? Remove this. value_dict = {u'BootExecute': value_string} event_object = windows_events.WindowsRegistryEvent( key.last_written_timestamp, key.path, value_dict, offset=key.offset, registry_file_type=registry_file_type, urls=self.URLS) parser_mediator.ProduceEvent(event_object) else: text_dict[value.name] = value.data event_object = windows_events.WindowsRegistryEvent( key.last_written_timestamp, key.path, text_dict, offset=key.offset, registry_file_type=registry_file_type, urls=self.URLS) parser_mediator.ProduceEvent(event_object)
def CreateTestEventObjects(): """Creates the event objects for testing. Returns: A list of event objects (instances of EventObject). """ event_objects = [] filetime = dfwinreg_filetime.Filetime() filetime.CopyFromString(u'2012-04-20 22:38:46.929596') values_dict = {u'Value': u'c:/Temp/evil.exe'} event_object = windows_events.WindowsRegistryEvent(filetime.timestamp, u'MY AutoRun key', values_dict) event_object.parser = 'UNKNOWN' event_objects.append(event_object) filetime.CopyFromString(u'2012-05-02 13:43:26.929596') values_dict = {u'Value': u'send all the exes to the other world'} event_object = windows_events.WindowsRegistryEvent( filetime.timestamp, u'\\HKCU\\Secret\\EvilEmpire\\Malicious_key', values_dict) event_object.parser = 'UNKNOWN' event_objects.append(event_object) filetime.CopyFromString(u'2012-04-20 16:44:46') values_dict = {u'Value': u'run all the benign stuff'} event_object = windows_events.WindowsRegistryEvent( filetime.timestamp, u'\\HKCU\\Windows\\Normal', values_dict) event_object.parser = 'UNKNOWN' event_objects.append(event_object) timemstamp = timelib.Timestamp.CopyFromString(u'2009-04-05 12:27:39') text_dict = { u'hostname': u'nomachine', u'text': (u'This is a line by someone not reading the log line properly. And ' u'since this log line exceeds the accepted 80 chars it will be ' u'shortened.'), u'username': u'johndoe' } event_object = text_events.TextEvent(timemstamp, 12, text_dict) event_object.parser = 'UNKNOWN' event_objects.append(event_object) return event_objects
def GetEntries(self, parser_mediator, key=None, registry_type=None, codepage='cp1252', **unused_kwargs): """Gather the BootVerification key values and return one event for all. This key is rare, so its presence is suspect. Args: parser_mediator: A parser mediator object (instance of ParserMediator). key: Optional Registry key (instance of winreg.WinRegKey). The default is None. registry_type: Optional Registry type string. The default is None. """ text_dict = {} for value in key.GetValues(): text_dict[value.name] = value.data event_object = windows_events.WindowsRegistryEvent( key.last_written_timestamp, key.path, text_dict, offset=key.offset, registry_type=registry_type, urls=self.URLS) parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs): """Collect typed URLs values. Args: parser_mediator: A parser mediator object (instance of ParserMediator). registry_key: A Windows Registry key (instance of dfwinreg.WinRegistryKey). """ values_dict = {} for value in registry_key.GetValues(): # Ignore any value not in the form: 'url[0-9]+'. if not value.name or not self._RE_VALUE_NAME.search(value.name): continue # Ignore any value that is empty or that does not contain a string. if not value.data or not value.DataIsString(): continue values_dict[value.name] = value.data event_object = windows_events.WindowsRegistryEvent( registry_key.last_written_time, registry_key.path, values_dict, offset=registry_key.offset, source_append=self._SOURCE_APPEND) parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs): """Extracts event objects from a WinRAR ArcHistory key. Args: parser_mediator: a parser mediator object (instance of ParserMediator). registry_key: a Windows Registry key (instance of dfwinreg.WinRegistryKey). """ values_dict = {} for registry_value in registry_key.GetValues(): # Ignore any value not in the form: '[0-9]+'. if (not registry_value.name or not self._RE_VALUE_NAME.search(registry_value.name)): continue # Ignore any value that is empty or that does not contain a string. if not registry_value.data or not registry_value.DataIsString(): continue values_dict[registry_value.name] = registry_value.GetDataAsObject() event_object = windows_events.WindowsRegistryEvent( registry_key.last_written_time, registry_key.path, values_dict, offset=registry_key.offset, source_append=self._SOURCE_APPEND) parser_mediator.ProduceEvent(event_object)
def _ParseMRUListExKey( self, parser_context, key, registry_type=None, codepage='cp1252'): """Extract event objects from a MRUListEx Registry key. Args: parser_context: A parser context object (instance of ParserContext). key: the Registry key (instance of winreg.WinRegKey). registry_type: Optional Registry type string. The default is None. codepage: Optional extended ASCII string codepage. The default is cp1252. """ text_dict = {} for index, entry_number in self._ParseMRUListExValue(key): # TODO: detect if list ends prematurely. # MRU lists are terminated with 0xffffffff (-1). if entry_number == 0xffffffff: break self._ParseMRUListExEntryValue( parser_context, key, index, entry_number, text_dict, codepage=codepage) event_object = windows_events.WindowsRegistryEvent( key.last_written_timestamp, key.path, text_dict, offset=key.offset, registry_type=registry_type, source_append=': MRUListEx') parser_context.ProduceEvent(event_object, plugin_name=self.NAME)
def GetEntries( self, parser_mediator, key=None, registry_type=None, codepage='cp1252', **kwargs): """Collect values under WinRAR ArcHistory and return event for each one. Args: parser_mediator: A parser mediator object (instance of ParserMediator). key: Optional Registry key (instance of winreg.WinRegKey). The default is None. registry_type: Optional Registry type string. The default is None. """ for value in key.GetValues(): # Ignore any value not in the form: '[0-9]+'. if not value.name or not self._RE_VALUE_NAME.search(value.name): continue # Ignore any value that is empty or that does not contain a string. if not value.data or not value.DataIsString(): continue if value.name == '0': timestamp = key.last_written_timestamp else: timestamp = 0 text_dict = {} text_dict[value.name] = value.data # TODO: shouldn't this behavior be, put all the values # into a single event object with the last written time of the key? event_object = windows_events.WindowsRegistryEvent( timestamp, key.path, text_dict, offset=key.offset, registry_type=registry_type, source_append=': WinRAR History') parser_mediator.ProduceEvent(event_object)
def GetEntries( self, parser_context, key=None, registry_type=None, **unused_kwargs): """Collect typed URLs values. Args: parser_context: A parser context object (instance of ParserContext). key: Optional Registry key (instance of winreg.WinRegKey). The default is None. registry_type: Optional Registry type string. The default is None. """ for value in key.GetValues(): # Ignore any value not in the form: 'url[0-9]+'. if not value.name or not self._RE_VALUE_NAME.search(value.name): continue # Ignore any value that is empty or that does not contain a string. if not value.data or not value.DataIsString(): continue # TODO: shouldn't this behavior be, put all the typed urls # into a single event object with the last written time of the key? if value.name == 'url1': timestamp = key.last_written_timestamp else: timestamp = 0 text_dict = {} text_dict[value.name] = value.data event_object = windows_events.WindowsRegistryEvent( timestamp, key.path, text_dict, offset=key.offset, registry_type=registry_type, source_append=u': Typed URLs') parser_context.ProduceEvent(event_object, plugin_name=self.NAME)
def _ParseMRUListExKey(self, parser_mediator, key, codepage=u'cp1252'): """Extract event objects from a MRUListEx Registry key. Args: parser_mediator: A parser mediator object (instance of ParserMediator). key: the Registry key (instance of dfwinreg.WinRegistryKey). codepage: Optional extended ASCII string codepage. """ values_dict = {} for entry_index, entry_number in self._ParseMRUListExValue(key): # TODO: detect if list ends prematurely. # MRU lists are terminated with 0xffffffff (-1). if entry_number == 0xffffffff: break value_string = self._ParseMRUListExEntryValue(parser_mediator, key, entry_index, entry_number, codepage=codepage) value_text = u'Index: {0:d} [MRU Value {1:d}]'.format( entry_index + 1, entry_number) values_dict[value_text] = value_string event_object = windows_events.WindowsRegistryEvent( key.last_written_time, key.path, values_dict, offset=key.offset, source_append=self._SOURCE_APPEND) parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs): """Collect the values under Outlook and return event for each one. Args: parser_mediator: A parser mediator object (instance of ParserMediator). registry_key: A Windows Registry key (instance of dfwinreg.WinRegistryKey). """ values_dict = {} for registry_value in registry_key.GetValues(): # Ignore the default value. if not registry_value.name: continue # Ignore any value that is empty or that does not contain an integer. if not registry_value.data or not registry_value.DataIsInteger(): continue # TODO: change this 32-bit integer into something meaningful, for now # the value name is the most interesting part. value_integer = registry_value.GetDataAsObject() values_dict[registry_value.name] = u'0x{0:08x}'.format(value_integer) event_object = windows_events.WindowsRegistryEvent( registry_key.last_written_time, registry_key.path, values_dict, offset=registry_key.offset, source_append=self._SOURCE_APPEND) parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, key=None, registry_type=None, codepage='cp1252', **unused_kwargs): """Collect the Values under the Run Key and return an event for each one. Args: parser_mediator: A parser mediator object (instance of ParserMediator). key: Optional Registry key (instance of winreg.WinRegKey). The default is None. registry_type: Optional Registry type string. The default is None. """ for value in key.GetValues(): # Ignore the default value. if not value.name: continue # Ignore any value that is empty or that does not contain a string. if not value.data or not value.DataIsString(): continue text_dict = {} text_dict[value.name] = value.data event_object = windows_events.WindowsRegistryEvent( key.last_written_timestamp, key.path, text_dict, offset=key.offset, urls=self.URLS, registry_type=registry_type, source_append=': Run Key') parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs): """Collect ShutdownTime value under Windows and produce an event object. Args: parser_mediator: A parser mediator object (instance of ParserMediator). registry_key: A Windows Registry key (instance of dfwinreg.WinRegistryKey). """ shutdown_value = registry_key.GetValueByName(u'ShutdownTime') if not shutdown_value: return try: filetime = self._UINT64_STRUCT.parse(shutdown_value.data) except construct.FieldError as exception: parser_mediator.ProduceParseError( u'Unable to extract shutdown timestamp with error: {0:s}'.format( exception)) return values_dict = {u'Description': shutdown_value.name} event_object = windows_events.WindowsRegistryEvent( filetime, registry_key.path, values_dict, offset=registry_key.offset, source_append=self._SOURCE_APPEND, usage=eventdata.EventTimestamp.LAST_SHUTDOWN) parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, key=None, registry_type=None, codepage='cp1252', **unused_kwargs): """Collect values and return an event. Args: parser_mediator: A parser context object (instance of ParserContext). key: Optional Registry key (instance of winreg.WinRegKey). The default is None. registry_type: Optional Registry type string. The default is None. """ if key is None: return text_dict = {} for value_name in self.WIN_TIMEZONE_VALUE_NAMES: text_dict[value_name] = self._GetValue(value_name, key) event_object = windows_events.WindowsRegistryEvent( key.last_written_timestamp, key.path, text_dict, offset=key.offset, registry_type=registry_type) parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs): """Collect MRU Values and return event for each one. Args: parser_mediator: A parser mediator object (instance of ParserMediator). registry_key: A Windows Registry key (instance of dfwinreg.WinRegistryKey). """ values_dict = {} for value in registry_key.GetValues(): # Ignore the default value. if not value.name: continue # Ignore any value that is empty or that does not contain a string. if not value.data or not value.DataIsString(): continue values_dict[value.name] = value.data event_object = windows_events.WindowsRegistryEvent( registry_key.last_written_time, registry_key.path, values_dict, offset=registry_key.offset, source_append=self._SOURCE_APPEND) parser_mediator.ProduceEvent(event_object)
def _ParseSubKey(self, parser_context, key, parent_value_string, registry_type=None, codepage='cp1252'): """Extract event objects from a MRUListEx Registry key. Args: parser_context: A parser context object (instance of ParserContext). key: the Registry key (instance of winreg.WinRegKey). parent_value_string: string containing the parent value string. registry_type: Optional Registry type string. The default is None. codepage: Optional extended ASCII string codepage. The default is cp1252. """ text_dict = {} value_strings = {} for index, entry_number in self._ParseMRUListExValue(key): # TODO: detect if list ends prematurely. # MRU lists are terminated with 0xffffffff (-1). if entry_number == 0xffffffff: break self._ParseMRUListExEntryValue(parser_context, key, index, entry_number, text_dict, value_strings, parent_value_string, codepage=codepage) event_object = windows_events.WindowsRegistryEvent( key.last_written_timestamp, key.path, text_dict, offset=key.offset, registry_type=registry_type, urls=self.URLS, source_append=': BagMRU') parser_context.ProduceEvent(event_object, plugin_name=self.NAME) for index, entry_number in self._ParseMRUListExValue(key): # TODO: detect if list ends prematurely. # MRU lists are terminated with 0xffffffff (-1). if entry_number == 0xffffffff: break sub_key = key.GetSubkey(u'{0:d}'.format(entry_number)) if not sub_key: logging.debug( u'[{0:s}] Missing BagMRU sub key: {1:d} in key: {2:s}.'. format(self.name, key.path, entry_number)) continue value_string = value_strings.get(entry_number, u'') self._ParseSubKey(parser_context, sub_key, value_string, codepage=codepage)
def GetEntries(self, parser_mediator, key=None, registry_type=None, codepage='cp1252', **unused_kwargs): """Collect Values in Servers and return event for each one. Args: parser_mediator: A parser mediator object (instance of ParserMediator). key: Optional Registry key (instance of winreg.WinRegKey). The default is None. registry_type: Optional Registry type string. The default is None. """ for subkey in key.GetSubkeys(): username_value = subkey.GetValue('UsernameHint') if (username_value and username_value.data and username_value.DataIsString()): username = username_value.data else: username = u'None' text_dict = {} text_dict['UsernameHint'] = username event_object = windows_events.WindowsRegistryEvent( key.last_written_timestamp, key.path, text_dict, offset=key.offset, registry_type=registry_type, source_append=': RDP Connection') parser_mediator.ProduceEvent(event_object)
def GetEntries( self, parser_mediator, key=None, registry_file_type=None, codepage=u'cp1252', **unused_kwargs): """Extracts event objects from a CCleaner Registry key. Args: parser_mediator: A parser mediator object (instance of ParserMediator). key: Optional Registry key (instance of winreg.WinRegKey). The default is None. registry_file_type: Optional string containing the Windows Registry file type, e.g. NTUSER, SOFTWARE. The default is None. codepage: Optional extended ASCII string codepage. The default is cp1252. """ for value in key.GetValues(): if not value.name or not value.data: continue text_dict = {} text_dict[value.name] = value.data if value.name == u'UpdateKey': try: timestamp = timelib.Timestamp.FromTimeString( value.data, timezone=parser_mediator.timezone) except errors.TimestampError: parser_mediator.ProduceParseError( u'Unable to parse time string: {0:s}'.format(value.data)) continue event_object = windows_events.WindowsRegistryEvent( timestamp, key.path, text_dict, offset=key.offset, registry_file_type=registry_file_type) elif value.name == u'0': event_object = windows_events.WindowsRegistryEvent( key.timestamp, key.path, text_dict, offset=key.offset, registry_file_type=registry_file_type) else: # TODO: change this event not to set a timestamp of 0. event_object = windows_events.WindowsRegistryEvent( 0, key.path, text_dict, offset=key.offset, registry_file_type=registry_file_type) event_object.source_append = u': CCleaner Registry key' parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, key=None, registry_file_type=None, codepage=u'cp1252', **kwargs): """Returns an event object based on a Registry key name and values. Args: parser_mediator: A parser mediator object (instance of ParserMediator). key: Optional Registry key (instance of winreg.WinRegKey). The default is None. registry_file_type: Optional string containing the Windows Registry file type, e.g. NTUSER, SOFTWARE. The default is None. codepage: Optional extended ASCII string codepage. The default is cp1252. """ text_dict = {} if key.number_of_values == 0: text_dict[u'Value'] = u'No values stored in key.' else: for value in key.GetValues(): if not value.name: value_name = u'(default)' else: value_name = u'{0:s}'.format(value.name) if value.data is None: value_string = u'[{0:s}] Empty'.format( value.data_type_string) elif value.DataIsString(): string_decode = utils.GetUnicodeString(value.data) value_string = u'[{0:s}] {1:s}'.format( value.data_type_string, string_decode) elif value.DataIsInteger(): value_string = u'[{0:s}] {1:d}'.format( value.data_type_string, value.data) elif value.DataIsMultiString(): if not isinstance(value.data, (list, tuple)): value_string = u'[{0:s}]'.format( value.data_type_string) # TODO: Add a flag or some sort of an anomaly alert. else: value_string = u'[{0:s}] {1:s}'.format( value.data_type_string, u''.join(value.data)) else: value_string = u'[{0:s}]'.format(value.data_type_string) text_dict[value_name] = value_string event_object = windows_events.WindowsRegistryEvent( key.last_written_timestamp, key.path, text_dict, offset=key.offset, registry_file_type=registry_file_type) parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, key=None, registry_file_type=None, codepage=u'cp1252', **unused_kwargs): """Collect Values under Office 2010 MRUs and return events for each one. Args: parser_mediator: A parser mediator object (instance of ParserMediator). key: Optional Registry key (instance of winreg.WinRegKey). The default is None. registry_file_type: Optional string containing the Windows Registry file type, e.g. NTUSER, SOFTWARE. The default is None. codepage: Optional extended ASCII string codepage. The default is cp1252. """ # TODO: Test other Office versions to make sure this plugin is applicable. for value in key.GetValues(): # Ignore any value not in the form: 'Item [0-9]+'. if not value.name or not self._RE_VALUE_NAME.search(value.name): continue # Ignore any value that is empty or that does not contain a string. if not value.data or not value.DataIsString(): continue values = self._RE_VALUE_DATA.findall(value.data) # Values will contain a list containing a tuple containing 2 values. if len(values) != 1 or len(values[0]) != 2: continue try: filetime = int(values[0][0], 16) except ValueError: logging.warning( u'Unable to convert filetime string to an integer.') filetime = 0 # TODO: why this behavior? Only the first Item is stored with its # timestamp. Shouldn't this be: Store all the Item # values with # their timestamp and store the entire MRU as one event with the # registry key last written time? if value.name == u'Item 1': timestamp = timelib.Timestamp.FromFiletime(filetime) else: timestamp = 0 text_dict = {} text_dict[value.name] = value.data event_object = windows_events.WindowsRegistryEvent( timestamp, key.path, text_dict, offset=key.offset, registry_file_type=registry_file_type, source_append=u': Microsoft Office MRU') parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs): """Gather minimal information about system install and return an event. Args: parser_mediator: A parser mediator object (instance of ParserMediator). registry_key: A Windows Registry key (instance of dfwinreg.WinRegistryKey). """ installation_value = None string_values = {} for registry_value in registry_key.GetValues(): # Ignore the default value. if not registry_value.name: continue if (registry_value.name == u'InstallDate' and registry_value.DataIsInteger()): installation_value = registry_value continue # Ignore any value that is empty or that does not contain a string. if not registry_value.data or not registry_value.DataIsString(): continue string_value_name = self._STRING_VALUE_NAME_STRINGS.get( registry_value.name, None) if not string_value_name: continue string_values[string_value_name] = registry_value.GetDataAsObject() owner = string_values.get(u'owner', u'') product_name = string_values.get(u'product_name', u'') service_pack = string_values.get(u'service_pack', u'') version = string_values.get(u'version', u'') values_dict = {} values_dict[u'Owner'] = owner values_dict[u'Product name'] = product_name values_dict[u'Service pack'] = service_pack values_dict[u'Windows Version Information'] = version event_object = windows_events.WindowsRegistryEvent( registry_key.last_written_time, registry_key.path, values_dict, offset=registry_key.offset) parser_mediator.ProduceEvent(event_object) # TODO: if not present indicate anomaly of missing installation # date and time. if installation_value: posix_time = installation_value.GetDataAsObject() event_object = windows_events.WindowsRegistryInstallationEvent( posix_time, registry_key.path, owner, product_name, service_pack, version) parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs): """Returns an event object based on a Registry key name and values. Args: parser_mediator: A parser mediator object (instance of ParserMediator). registry_key: A Windows Registry key (instance of dfwinreg.WinRegistryKey). """ values_dict = {} if registry_key.number_of_values == 0: values_dict[u'Value'] = u'No values stored in key.' else: for registry_value in registry_key.GetValues(): value_name = registry_value.name or u'(default)' if registry_value.data is None: value_string = u'[{0:s}] Empty'.format( registry_value.data_type_string) elif registry_value.DataIsString(): string_decode = utils.GetUnicodeString( registry_value.GetDataAsObject()) value_string = u'[{0:s}] {1:s}'.format( registry_value.data_type_string, string_decode) elif registry_value.DataIsInteger(): value_string = u'[{0:s}] {1:d}'.format( registry_value.data_type_string, registry_value.GetDataAsObject()) elif registry_value.DataIsMultiString(): multi_string = registry_value.GetDataAsObject() if not isinstance(multi_string, (list, tuple)): value_string = u'[{0:s}]'.format( registry_value.data_type_string) # TODO: Add a flag or some sort of an anomaly alert. else: value_string = u'[{0:s}] {1:s}'.format( registry_value.data_type_string, u''.join(multi_string)) else: value_string = u'[{0:s}]'.format( registry_value.data_type_string) values_dict[value_name] = value_string event_object = windows_events.WindowsRegistryEvent( registry_key.last_written_time, registry_key.path, values_dict, offset=registry_key.offset) parser_mediator.ProduceEvent(event_object)
def GetEntries( self, parser_context, file_entry=None, key=None, registry_type=None, **unused_kwargs): """Extracts event objects from a MRU list. Args: parser_context: A parser context object (instance of ParserContext). file_entry: optional file entry object (instance of dfvfs.FileEntry). The default is None. key: Optional Registry key (instance of winreg.WinRegKey). The default is None. registry_type: Optional Registry type string. The default is None. """ mru_list_value = key.GetValue('MRUList') if not mru_list_value: error_string = u'Key: {0:s}, value: MRUList missing.'.format(key.path) parser_context.ProduceParseError( self.NAME, error_string, file_entry=file_entry) return timestamp = key.last_written_timestamp entry_list = [] text_dict = {} for entry_index, mru_value_name in enumerate(mru_list_value.data): value = key.GetValue(mru_value_name) if not value: error_string = u'Key: {0:s}, value: {1:s} missing.'.format( key.path, mru_value_name) parser_context.ProduceParseError( self.NAME, error_string, file_entry=file_entry) continue if not value.data: error_string = u'Key: {0:s}, value: {1:s} data missing.'.format( key.path, mru_value_name) parser_context.ProduceParseError( self.NAME, error_string, file_entry=file_entry) continue if not value.DataIsString(): # TODO: add support for shell item based MRU value data. mru_value_string = u'' else: mru_value_string = value.data entry_list.append(mru_value_string) text_dict[u'Index: {0:d} [MRU Value {1:s}]'.format( entry_index + 1, mru_value_name)] = mru_value_string event_object = windows_events.WindowsRegistryEvent( timestamp, key.path, text_dict, offset=key.offset, registry_type=registry_type, urls=self.URLS, source_append=': MRU List') event_object.mru_list = entry_list parser_context.ProduceEvent(event_object, plugin_name=self.NAME)
def GetEntries(self, parser_context, key=None, registry_type=None, **unused_kwargs): """Returns an event object based on a Registry key name and values. Args: parser_context: A parser context object (instance of ParserContext). key: Optional Registry key (instance of winreg.WinRegKey). The default is None. registry_type: Optional Registry type string. The default is None. """ text_dict = {} if key.number_of_values == 0: text_dict[u'Value'] = u'No values stored in key.' else: for value in key.GetValues(): if not value.name: value_name = '(default)' else: value_name = u'{0:s}'.format(value.name) if value.data is None: value_string = u'[{0:s}] Empty'.format( value.data_type_string) elif value.DataIsString(): string_decode = utils.GetUnicodeString(value.data) value_string = u'[{0:s}] {1:s}'.format( value.data_type_string, string_decode) elif value.DataIsInteger(): value_string = u'[{0:s}] {1:d}'.format( value.data_type_string, value.data) elif value.DataIsMultiString(): if type(value.data) not in (list, tuple): value_string = u'[{0:s}]'.format( value.data_type_string) # TODO: Add a flag or some sort of an anomaly alert. else: value_string = u'[{0:s}] {1:s}'.format( value.data_type_string, u''.join(value.data)) else: value_string = u'[{0:s}]'.format(value.data_type_string) text_dict[value_name] = value_string event_object = windows_events.WindowsRegistryEvent( key.last_written_timestamp, key.path, text_dict, offset=key.offset, registry_type=registry_type) parser_context.ProduceEvent(event_object, plugin_name=self.NAME)
def setUp(self): """Sets up the needed objects used throughout the test.""" self._event_objects = [] event_1 = windows_events.WindowsRegistryEvent( timelib.Timestamp.CopyFromString(u'2012-04-20 22:38:46.929596'), u'MY AutoRun key', {u'Value': u'c:/Temp/evil.exe'}) event_1.parser = 'UNKNOWN' event_2 = windows_events.WindowsRegistryEvent( timelib.Timestamp.CopyFromString(u'2012-05-02 13:43:26.929596'), u'\\HKCU\\Secret\\EvilEmpire\\Malicious_key', {u'Value': u'send all the exes to the other world'}) event_2.parser = 'UNKNOWN' event_3 = windows_events.WindowsRegistryEvent( timelib.Timestamp.CopyFromString(u'2012-04-20 16:44:46.000000'), u'\\HKCU\\Windows\\Normal', {u'Value': u'run all the benign stuff'}) event_3.parser = 'UNKNOWN' text_dict = { 'text': ('This is a line by someone not reading the log line properly. And ' 'since this log line exceeds the accepted 80 chars it will be ' 'shortened.'), 'hostname': 'nomachine', 'username': '******' } event_4 = text_events.TextEvent( timelib.Timestamp.CopyFromString(u'2009-04-05 12:27:39.000000'), 12, text_dict) event_4.parser = 'UNKNOWN' self._event_objects.append(event_1) self._event_objects.append(event_2) self._event_objects.append(event_3) self._event_objects.append(event_4) self._formatter_mediator = formatters_mediator.FormatterMediator()
def GetEntries(self, parser_mediator, key=None, registry_file_type=None, codepage=u'cp1252', **unused_kwargs): """Retrieves information from the MountPoints2 registry key. Args: parser_mediator: A parser mediator object (instance of ParserMediator). key: Optional Registry key (instance of winreg.WinRegKey). The default is None. registry_file_type: Optional string containing the Windows Registry file type, e.g. NTUSER, SOFTWARE. The default is None. codepage: Optional extended ASCII string codepage. The default is cp1252. """ for subkey in key.GetSubkeys(): name = subkey.name if not name: continue text_dict = {} text_dict[u'Volume'] = name # Get the label if it exists. label_value = subkey.GetValue(u'_LabelFromReg') if label_value: text_dict[u'Label'] = label_value.data if name.startswith(u'{'): text_dict[u'Type'] = u'Volume' elif name.startswith(u'#'): # The format is: ##Server_Name#Share_Name. text_dict[u'Type'] = u'Remote Drive' server_name, _, share_name = name[2:].partition(u'#') text_dict[u'Remote_Server'] = server_name text_dict[u'Share_Name'] = u'\\{0:s}'.format( share_name.replace(u'#', u'\\')) else: text_dict[u'Type'] = u'Drive' event_object = windows_events.WindowsRegistryEvent( subkey.last_written_timestamp, key.path, text_dict, offset=subkey.offset, registry_file_type=registry_file_type, urls=self.URLS) parser_mediator.ProduceEvent(event_object)