def parse_bookmark(cls, fullpath, idx, item_name, buf):
    """Yield the records decoded from one bookmark blob.

    Generator. One dict is produced per table-of-contents slot, seeded with
    ``bookmark_index`` = *idx* and filled in by ``cls.process_field``. Records
    that ``AliasParser.parse`` extracts from a slot's ``alias_data`` are
    yielded right after that slot's dict, each tagged with the same
    ``bookmark_index``.

    Nothing is yielded when *buf* is ``None``, is shorter than ``cls.HEADER``,
    or does not start with the ``b'book'`` or ``b'alis'`` magic.
    """
    too_short = buf is None or len(buf) < cls.HEADER.size
    if too_short:
        # In a generator the returned list only ends iteration; a consumer
        # that simply iterates never sees it.
        return []

    magic, _, _, data_offset = cls.HEADER.unpack_from(buf)
    if magic not in (b'book', b'alis'):
        return []

    toc_entries, slot_count = cls.get_toc(buf, data_offset)
    slots = []
    for _ in range(slot_count):
        slots.append({'bookmark_index': idx})
    alias_children = defaultdict(list)

    for entry in toc_entries:
        # NOTE(review): 'index' and 'record_offset' originate from the parsed
        # blob. Whether cls.get_toc range-checks them is not visible here; an
        # out-of-range value raises IndexError / struct.error out of this
        # generator, so confirm callers tolerate that on damaged evidence.
        slot_no = entry['index']
        slot = slots[slot_no]
        if 'toc_depth' not in slot:
            # The first TOC entry seen for a slot decides its depth.
            slot['toc_depth'] = entry['depth']

        offset = entry['record_offset']
        length, data_type = cls.RECORD_HEADER.unpack_from(buf, offset)
        cls.process_field(fullpath, buf, item_name, data_offset, slot,
                          entry['record_type'], offset, length, data_type)

        if 'alias_data' not in slot:
            continue
        # The raw alias bytes are removed from the slot and replaced by the
        # parsed alias records, which are emitted as separate rows below.
        raw_alias = slot.pop('alias_data')
        for alias_record in AliasParser.parse(fullpath, idx, raw_alias):
            alias_children[slot_no].append(
                dict(alias_record, bookmark_index=idx))

    # Emit each slot, then the alias records embedded in it.
    for slot_no, slot in enumerate(slots):
        yield slot
        for child in alias_children.get(slot_no, []):
            yield child
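def ProcessMRU(office_items, app_name, mru_list, user, source):
    """Append one 'MRU' ``MSOfficeItem`` to *office_items* per entry of *mru_list*.

    For each entry the access time is decoded from bytes 2..5 of its
    'Access Date' value (little-endian 32-bit, converted with
    ``CommonFunctions.ReadMacHFSTime``), and the path is taken from the first
    record ``AliasParser.parse`` yields for its 'File Alias' value.

    A field that cannot be decoded is logged and left at its default
    (``None`` access time, empty path); the entry itself is still recorded,
    so one damaged value does not hide the rest of the MRU list.

    Args:
        office_items: list that receives the new ``MSOfficeItem`` objects.
        app_name: application name stored on each item.
        mru_list: iterable of MRU entries (mappings with 'Access Date' and
            'File Alias' keys, both optional).
        user: user name stored on each item.
        source: path of the artifact the entries came from.
    """
    for mru in mru_list:
        try:
            access_data = mru.get('Access Date', '')
            access_time = None
            try:
                v = struct.unpack('<I', access_data[2:6])[0]
                access_time = CommonFunctions.ReadMacHFSTime(v)
            except (IndexError, ValueError, TypeError, struct.error):
                # struct.error (value shorter than 6 bytes) is not a
                # ValueError, and a missing value makes the '' default raise
                # TypeError. Without catching them here, the first aborts the
                # whole MRU list and the second drops this entry entirely.
                log.exception('')

            path = ''
            alias_data = mru.get('File Alias', None)
            if alias_data:
                try:
                    # Default of None: an alias blob that yields no record
                    # would otherwise raise StopIteration out of this function.
                    alias_properties = next(
                        AliasParser.parse(source, 0, alias_data), None)
                    if alias_properties is not None:
                        path = alias_properties.get('path', '')
                except (IndexError, ValueError, KeyError, TypeError):
                    log.exception('')

            o_item = MSOfficeItem(app_name, access_time, 'MRU', path, '',
                                  user, source)
            office_items.append(o_item)
        except (ValueError, TypeError):
            log.exception('')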
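def process_loginitems_plist(mac_info, plist_path, user, uid, persistent_programs):
    """Collect login items and legacy login/logout hooks from a loginitems plist.

    The plist is exported with ``mac_info.ExportFile`` and read with
    ``mac_info.ReadPlist``. Every entry under
    ``SessionItems -> CustomListItems`` becomes a 'Login Item'
    ``PersistentProgram`` whose path comes from the first record
    ``AliasParser.parse`` yields for the entry's 'Alias' value. The top-level
    'LoginHook' and 'LogoutHook' values, when set, are reported as
    'Login Hook' / 'Logout Hook' entries.

    Args:
        mac_info: object providing ``ExportFile`` and ``ReadPlist``.
        plist_path: path of the plist being processed.
        user: owning user name.
        uid: owning user id.
        persistent_programs: list that receives the ``PersistentProgram``
            objects.
    """
    mac_info.ExportFile(plist_path, __Plugin_Name, user + "_", False)
    success, plist, error = mac_info.ReadPlist(plist_path)
    if not success:
        log.error("Problem reading plist for {} - {}".format(
            plist_path, error))
        return

    try:
        items = plist['SessionItems']['CustomListItems']
        for item in items:
            try:
                name = item.get('Name', '')
                path = ''
                alias_data = item.get('Alias', None)
                if alias_data:
                    try:
                        # Default of None: an alias blob that yields no record
                        # would otherwise raise StopIteration and skip every
                        # remaining item and both hooks.
                        alias_properties = next(
                            AliasParser.parse(plist_path, 0, alias_data), None)
                        if alias_properties is not None:
                            path = alias_properties.get('path', '')
                    except (IndexError, ValueError, KeyError, TypeError):
                        log.exception('')
                program = PersistentProgram(plist_path, name, name,
                                            'Login Item', user, uid, '', path)
                program.start_when = 'Run at Login'
                persistent_programs.append(program)
            except (ValueError, TypeError):
                log.exception('')
    except KeyError:
        # SessionItems or CustomListItems not present
        log.warning(
            'Possibly a newer version of com.apple.loginitems.plist Filepath was {}'
            .format(plist_path))

    # Legacy LoginHook / LogoutHook. These are reported under the hook's own
    # file name. The earlier code passed the loop variable `name`, which is
    # unbound when the plist has no login items (so the hook was lost to a
    # NameError) and otherwise held the last login item's name.
    # NOTE(review): the third PersistentProgram argument is presumably the
    # display/full name, as in the login-item call above - confirm.
    hook_kinds = (
        ('LoginHook', 'Login Hook', 'Run at Login'),
        ('LogoutHook', 'Logout Hook', 'Run at Logout'),
    )
    for key, persistence_type, start_when in hook_kinds:
        hook_path = plist.get(key, '')
        if not hook_path:
            continue
        hook_name = os.path.basename(hook_path)
        program = PersistentProgram(plist_path, hook_name, hook_name,
                                    persistence_type, user, uid, '', hook_path)
        program.start_when = start_when
        persistent_programs.append(program)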