def ParseMultiple(self, stats, knowledge_base): """Parse each returned registry value.""" user_dict = {} for stat in stats: sid_str = stat.pathspec.path.split("/", 3)[2] if SID_RE.match(sid_str): if sid_str not in user_dict: user_dict[sid_str] = rdf_client.KnowledgeBaseUser( sid=sid_str) if stat.registry_data.GetValue(): # Look up in the mapping if we can use this entry to populate a user # attribute, and if so, set it. reg_key_name = stat.pathspec.Dirname().Basename() if reg_key_name in self.key_var_mapping: map_dict = self.key_var_mapping[reg_key_name] reg_key = stat.pathspec.Basename() kb_attr = map_dict.get(reg_key) if kb_attr: value = artifact_lib.ExpandWindowsEnvironmentVariables( stat.registry_data.GetValue(), knowledge_base) value = artifact_lib.ExpandWindowsUserEnvironmentVariables( value, knowledge_base, sid=sid_str) user_dict[sid_str].Set(kb_attr, value) # Now yield each user we found. return user_dict.itervalues()
def ParseRunKeys(self, responses): """Get filenames from the RunKeys and download the files.""" filenames = [] client = aff4.FACTORY.Open(self.client_id, mode="r", token=self.token) kb = artifact.GetArtifactKnowledgeBase(client) for response in responses: runkey = response.registry_data.string path_guesses = utils.GuessWindowsFileNameFromString(runkey) path_guesses = filter(self._IsExecutableExtension, path_guesses) if not path_guesses: self.Log("Couldn't guess path for %s", runkey) for path in path_guesses: full_path = artifact_lib.ExpandWindowsEnvironmentVariables( path, kb) filenames.append( rdfvalue.PathSpec(path=full_path, pathtype=rdfvalue.PathSpec.PathType.TSK)) if filenames: self.CallFlow("MultiGetFile", pathspecs=filenames, next_state="Done")
def Parse(self, result, knowledge_base): binaries = set() for section in result.sections: table = section.table # Find indices of "protection" and "filename" columns indexed_headers = dict([(header.name, i) for i, header in enumerate(table.headers)]) try: protection_col_index = indexed_headers["protection"] filename_col_index = indexed_headers["filename"] except KeyError: # If we can't find "protection" and "filename" columns, just skip # this section continue for row in table.rows: protection_attr = row.values[protection_col_index] filename_attr = row.values[filename_col_index] if protection_attr.svalue in ("EXECUTE_READ", "EXECUTE_READWRITE", "EXECUTE_WRITECOPY"): if filename_attr.svalue and filename_attr.svalue not in binaries: binaries.add(filename_attr.svalue) system_drive = artifact_lib.ExpandWindowsEnvironmentVariables( "%systemdrive%", knowledge_base) path = rdfvalue.PathSpec( path=system_drive + "\\" + filename_attr.svalue.lstrip("\\"), pathtype=rdfvalue.PathSpec.PathType.OS) yield path
def Parse(self, stat, knowledge_base): """Parse the key currentcontrolset output.""" value = stat.registry_data.GetValue() if not value: raise parsers.ParseError("Invalid value for key %s" % stat.pathspec.path) value = artifact_lib.ExpandWindowsEnvironmentVariables( value, knowledge_base) if value: yield rdfvalue.RDFString(value)
def ParseMultiple(self, stats, knowledge_base): """Parse each returned registry variable.""" prof_directory = r"%SystemDrive%\Documents and Settings" all_users = "All Users" # Default value. for stat in stats: value = stat.registry_data.GetValue() if stat.pathspec.Basename() == "ProfilesDirectory" and value: prof_directory = value elif stat.pathspec.Basename() == "AllUsersProfile" and value: all_users = value all_users_dir = r"%s\%s" % (prof_directory, all_users) all_users_dir = artifact_lib.ExpandWindowsEnvironmentVariables( all_users_dir, knowledge_base) yield rdfvalue.RDFString(all_users_dir)
def Parse(self, response, knowledge_base): system_drive = artifact_lib.ExpandWindowsEnvironmentVariables( "%systemdrive%", knowledge_base) for message in json.loads(response.json_messages): if message[0] == "r": protection = message[1].get("protection", {}).get("enum", "") if "EXECUTE" not in protection: continue filename = message[1].get("filename", "") if filename and filename != "Pagefile-backed section": yield rdfvalue.PathSpec( path=ntpath.normpath( ntpath.join(system_drive, filename)), pathtype=rdfvalue.PathSpec.PathType.OS)
def _GetFilePaths(self, path, pathtype, kb): """Guess windows filenames from a commandline string.""" pathspecs = [] path_guesses = utils.GuessWindowsFileNameFromString(path) path_guesses = filter(self._IsExecutableExtension, path_guesses) if not path_guesses: # TODO(user): yield a ParserAnomaly object return [] for path in path_guesses: path = re.sub(self.systemroot_re, r"%systemroot%", path, count=1) path = re.sub(self.system32_re, r"%systemroot%\\system32", path, count=1) full_path = artifact_lib.ExpandWindowsEnvironmentVariables( path, kb) pathspecs.append( rdfvalue.PathSpec(path=full_path, pathtype=pathtype)) return pathspecs