def _ConfigureStorageMediaFileTest(self):
"""Configure a test against a storage media file.
Returns:
A front-end object (instance of PregFrontend).
"""
front_end = preg.PregFrontend()
front_end.SetSingleFile(False)
knowledge_base_object = knowledge_base.KnowledgeBase()
front_end.SetKnowledgeBase(knowledge_base_object)
storage_media_path = self._GetTestFilePath([u'registry_test.dd'])
test_source_scanner = source_scanner.SourceScanner()
scan_context = source_scanner.SourceScannerContext()
scan_context.OpenSourcePath(storage_media_path)
test_source_scanner.Scan(scan_context)
# Getting the most upper node.
scan_node = scan_context.GetRootScanNode()
while scan_node.sub_nodes:
scan_node = scan_node.sub_nodes[0]
front_end.SetSourcePath(storage_media_path)
front_end.SetSourcePathSpecs([scan_node.path_spec])
return front_end
def _ConfigureSingleFileTest(self, knowledge_base_values=None):
"""Configure a single file test.
Args:
knowledge_base_values: optional dict containing the knowledge base
values.
Returns:
A front-end object (instance of PregFrontend).
"""
front_end = preg.PregFrontend()
front_end.SetSingleFile(True)
registry_file_path = self._GetTestFilePath([u'SYSTEM'])
path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_OS, location=registry_file_path)
front_end.SetSourcePath(registry_file_path)
front_end.SetSourcePathSpecs([path_spec])
knowledge_base_object = knowledge_base.KnowledgeBase()
if knowledge_base_values:
for identifier, value in iter(knowledge_base_values.items()):
knowledge_base_object.SetValue(identifier, value)
front_end.SetKnowledgeBase(knowledge_base_object)
return front_end
def _GetHelperAndOutputWriter(self):
"""Return a helper object (instance of PregHelper) and an output writer."""
hive_storage = preg.PregStorage()
options = frontend.Options()
output_writer = test_lib.StringIOOutputWriter()
test_front_end = preg.PregFrontend(output_writer)
shell_helper = preg.PregHelper(options, test_front_end, hive_storage)
return shell_helper, output_writer
def testRunAgainstKey(self):
"""Tests running the preg frontend against a Registry key."""
output_writer = StringIOOutputWriter()
test_front_end = preg.PregFrontend(output_writer)
options = test_lib.Options()
options.key = u'\\Microsoft\\Windows NT\\CurrentVersion'
options.regfile = self._GetTestFilePath(['SOFTWARE'])
options.verbose = False
test_front_end.ParseOptions(options, source_option='image')
test_front_end.RunModeRegistryKey(options, u'')
self.assertTrue(
u'Product name : Windows 7 Ultimate' in output_writer.GetValue())
def testRunPlugin(self):
"""Tests running the preg frontend against a plugin."""
output_writer = StringIOOutputWriter()
test_front_end = preg.PregFrontend(output_writer)
options = test_lib.Options()
options.regfile = self._GetTestFilePath(['NTUSER.DAT'])
options.verbose = False
test_front_end.ParseOptions(options, source_option='image')
test_front_end.RunModeRegistryPlugin(options, u'userassist')
self.assertTrue((
u'UEME_RUNPATH:C:\\Program Files\\Internet Explorer\\iexplore.exe : '
u'[Count: 1]') in output_writer.GetValue())
def Main():
"""Run the tool."""
output_writer = frontend.StdoutFrontendOutputWriter()
front_end = preg.PregFrontend(output_writer)
epilog = textwrap.dedent("""
Example usage:
Parse the SOFTWARE hive from an image:
{0:s} [--vss] [--vss-stores VSS_STORES] -i IMAGE_PATH [-o OFFSET] -c SOFTWARE
Parse an userassist key within an extracted hive:
{0:s} -p userassist MYNTUSER.DAT
Parse the run key from all Registry keys (in vss too):
{0:s} --vss -i IMAGE_PATH [-o OFFSET] -p run
Open up a console session for the SYSTEM hive inside an image:
{0:s} -i IMAGE_PATH [-o OFFSET] -c SYSTEM
""").format(os.path.basename(sys.argv[0]))
description = textwrap.dedent("""
preg is a simple Windows Registry parser using the plaso Registry
plugins and image parsing capabilities.
It uses the back-end libraries of plaso to read raw image files and
extract Registry files from VSS and restore points and then runs the
Registry plugins of plaso against the Registry hive and presents it
in a textual format.
""")
arg_parser = argparse.ArgumentParser(
epilog=epilog,
description=description,
add_help=False,
formatter_class=argparse.RawDescriptionHelpFormatter)
# Create the different argument groups.
mode_options = arg_parser.add_argument_group(u'Run Mode Options')
image_options = arg_parser.add_argument_group(u'Image Options')
info_options = arg_parser.add_argument_group(u'Informational Options')
additional_data = arg_parser.add_argument_group(u'Additional Options')
mode_options.add_argument(
'-c',
'--console',
dest='console',
action='store_true',
default=False,
help=
u'Drop into a console session Instead of printing output to STDOUT.')
additional_data.add_argument(
'-r',
'--restore_points',
dest='restore_points',
action='store_true',
default=False,
help=u'Include restore points for hive locations.')
image_options.add_argument(
'-i',
'--image',
dest='image',
action='store',
type=unicode,
default='',
metavar='IMAGE_PATH',
help=(
u'If the Registry file is contained within a storage media image, '
u'set this option to specify the path of image file.'))
front_end.AddImageOptions(image_options)
info_options.add_argument('-v',
'--verbose',
dest='verbose',
action='store_true',
default=False,
help=u'Print sub key information.')
info_options.add_argument('-h',
'--help',
action='help',
help=u'Show this help message and exit.')
front_end.AddVssProcessingOptions(additional_data)
info_options.add_argument(
'--info',
dest='info',
action='store_true',
default=False,
help=u'Print out information about supported plugins.')
mode_options.add_argument(
'-p',
'--plugins',
dest='plugin_names',
action='append',
default=[],
type=unicode,
metavar='PLUGIN_NAME',
help=(u'Substring match of the Registry plugin to be used, this '
u'parameter can be repeated to create a list of plugins to be '
u'run against, eg: "-p userassist -p rdp" or "-p userassist".'))
mode_options.add_argument(
'-k',
'--key',
dest='key',
action='store',
default='',
type=unicode,
metavar='REGISTRY_KEYPATH',
help=(u'A Registry key path that the tool should parse using all '
u'available plugins.'))
arg_parser.add_argument(
'regfile',
action='store',
metavar='REGHIVE',
nargs='?',
help=(u'The Registry hive to read key from (not needed if running '
u'using a plugin)'))
# Parse the command line arguments.
options = arg_parser.parse_args()
if options.info:
print front_end.GetListOfAllPlugins()
return True
try:
front_end.ParseOptions(options, source_option='image')
except errors.BadConfigOption as exception:
arg_parser.print_usage()
print u''
logging.error('{0:s}'.format(exception))
return False
# Run the tool, using the run mode according to the options passed
# to the tool.
if front_end.run_mode == front_end.RUN_MODE_CONSOLE:
RunModeConsole(front_end, options)
if front_end.run_mode == front_end.RUN_MODE_REG_KEY:
front_end.RunModeRegistryKey(options, options.plugin_names)
elif front_end.run_mode == front_end.RUN_MODE_REG_PLUGIN:
front_end.RunModeRegistryPlugin(options, options.plugin_names)
elif front_end.run_mode == front_end.RUN_MODE_REG_FILE:
front_end.RunModeRegistryFile(options, options.regfile)
return True
