def Parse(self, stat, knowledge_base):
  """Parse the key currentcontrolset output.

  Args:
    stat: StatEntry whose registry_data holds the raw key value.
    knowledge_base: KnowledgeBase used to expand %VAR% references.

  Yields:
    One RDFString holding the expanded value; nothing when expansion
    yields an empty string.

  Raises:
    parsers.ParseError: if the registry value is empty or missing.
  """
  raw_value = stat.registry_data.GetValue()
  if not raw_value:
    raise parsers.ParseError("Invalid value for key %s" % stat.pathspec.path)

  expanded = artifact_utils.ExpandWindowsEnvironmentVariables(
      raw_value, knowledge_base)
  if expanded:
    yield rdfvalue.RDFString(expanded)
def Parse(self, response, knowledge_base):
  """Yield OS PathSpecs for executable, file-backed sections in a JSON message stream.

  Only messages whose first element is "r" (presumably row records) are
  inspected.  A record is kept when its protection enum contains
  "EXECUTE" and it names a file other than the pagefile-backed placeholder;
  the filename is joined onto the expanded %systemdrive%.

  Args:
    response: Object whose ``json_messages`` attribute is a JSON-encoded
      list of messages.
    knowledge_base: KnowledgeBase used to expand %systemdrive%.

  Yields:
    rdf_paths.PathSpec objects with OS pathtype.
  """
  system_drive = artifact_utils.ExpandWindowsEnvironmentVariables(
      "%systemdrive%", knowledge_base)

  for message in json.loads(response.json_messages):
    if message[0] != "r":
      continue
    record = message[1]

    protection = record.get("protection", {}).get("enum", "")
    if "EXECUTE" not in protection:
      continue

    filename = record.get("filename", "")
    if not filename or filename == "Pagefile-backed section":
      continue

    full_path = ntpath.normpath(ntpath.join(system_drive, filename))
    yield rdf_paths.PathSpec(
        path=full_path, pathtype=rdf_paths.PathSpec.PathType.OS)
def ParseMultiple(self, stats, knowledge_base):
  """Parse each returned registry variable.

  Combines the ProfilesDirectory and AllUsersProfile registry values into
  one "All Users" profile path, using built-in defaults for any value that
  is absent or empty, then expands %VAR% references in the result.

  Args:
    stats: Iterable of StatEntry objects; entries are matched by the
      basename of their pathspec ("ProfilesDirectory" / "AllUsersProfile").
    knowledge_base: KnowledgeBase used for environment variable expansion.

  Yields:
    One RDFString holding the expanded all-users profile directory.
  """
  # Defaults apply when a key is missing or its value is empty.
  parts = {
      "ProfilesDirectory": r"%SystemDrive%\Documents and Settings",
      "AllUsersProfile": "All Users",
  }
  for stat in stats:
    key_name = stat.pathspec.Basename()
    value = stat.registry_data.GetValue()
    if key_name in parts and value:
      parts[key_name] = value

  combined = r"%s\%s" % (parts["ProfilesDirectory"], parts["AllUsersProfile"])
  expanded = artifact_utils.ExpandWindowsEnvironmentVariables(
      combined, knowledge_base)
  yield rdfvalue.RDFString(expanded)
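def _GetFilePaths(self, path, pathtype, kb):
  """Guess windows filenames from a commandline string.

  Args:
    path: Raw command line / path string to derive candidate files from.
    pathtype: PathSpec.PathType assigned to every generated pathspec.
    kb: KnowledgeBase used to expand %systemroot% and friends.

  Returns:
    A list of rdf_paths.PathSpec, one per guess with an executable
    extension; an empty list when there is no such guess.
  """
  # Materialize the filtered guesses: a lazy filter() object is always
  # truthy, so the empty check below would never fire on Python 3.
  candidates = [
      guess for guess in utils.GuessWindowsFileNameFromString(path)
      if self._IsExecutableExtension(guess)
  ]
  if not candidates:
    # TODO(user): yield a ParserAnomaly object
    return []

  pathspecs = []
  for guess in candidates:
    # Rewrite a concrete system directory back to its %systemroot% form
    # before expansion (first occurrence only) -- presumably so the
    # knowledge base's value is used rather than the literal from the
    # command line.
    guess = re.sub(self.systemroot_re, r"%systemroot%", guess, count=1)
    guess = re.sub(self.system32_re, r"%systemroot%\\system32", guess, count=1)
    full_path = artifact_utils.ExpandWindowsEnvironmentVariables(guess, kb)
    pathspecs.append(rdf_paths.PathSpec(path=full_path, pathtype=pathtype))
  return pathspecs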
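def ParseRunKeys(self, responses):
  """Get filenames from the RunKeys and download the files.

  For each response the raw Run key string is turned into candidate
  executable paths, which are expanded against the client's knowledge base
  and handed to the MultiGetFile flow as TSK pathspecs.  Run key values are
  read from the client's registry, so they are treated purely as data:
  they are only used to choose which files to fetch.

  Args:
    responses: Iterable of responses whose ``registry_data.string`` holds
      the Run key value.
  """
  client = aff4.FACTORY.Open(self.client_id, mode="r", token=self.token)
  kb = artifact.GetArtifactKnowledgeBase(client)

  filenames = []
  for response in responses:
    runkey = response.registry_data.string
    # Materialize the filtered guesses: a lazy filter() object is always
    # truthy, so the "no guesses" check below would never fire on Python 3.
    path_guesses = [
        guess for guess in utils.GuessWindowsFileNameFromString(runkey)
        if self._IsExecutableExtension(guess)
    ]
    if not path_guesses:
      self.Log("Couldn't guess path for %s", runkey)
      continue
    for guess in path_guesses:
      full_path = artifact_utils.ExpandWindowsEnvironmentVariables(guess, kb)
      filenames.append(rdf_paths.PathSpec(
          path=full_path, pathtype=rdf_paths.PathSpec.PathType.TSK))

  if filenames:
    self.CallFlow("MultiGetFile", pathspecs=filenames, next_state="Done")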
def Parse(self, stat, knowledge_base):
  """Yield the expanded all-users profile directory.

  Args:
    stat: StatEntry whose registry_data holds the profile folder name
      (presumably the AllUsersProfile value); an empty or missing value
      falls back to "All Users".
    knowledge_base: KnowledgeBase used to expand %ProfilesDirectory%.

  Yields:
    One RDFString holding the expanded path.
  """
  folder_name = stat.registry_data.GetValue()
  if not folder_name:
    folder_name = "All Users"

  template = "%ProfilesDirectory%\\" + folder_name
  expanded = artifact_utils.ExpandWindowsEnvironmentVariables(
      template, knowledge_base)
  yield rdfvalue.RDFString(expanded)