def testMatch(self):
  """Tests the Match function.

  Match is expected to succeed only once every required value name is present
  on the key; as exercised here the data types of the values (REG_BINARY and
  REG_SZ) do not affect the outcome.
  """
  values_filter = interface.WindowsRegistryKeyWithValuesFilter(
      ('a', 'MRUList'))

  registry_key = dfwinreg_fake.FakeWinRegistryKey(
      'Explorer', key_path='HKEY_LOCAL_MACHINE\\Software\\Windows\\MRU')

  # An empty key carries neither required name.
  self.assertFalse(values_filter.Match(registry_key))

  # Only one of the two required names is present.
  registry_key.AddValue(dfwinreg_fake.FakeWinRegistryValue(
      'MRUList', data_type=dfwinreg_definitions.REG_BINARY))
  self.assertFalse(values_filter.Match(registry_key))

  # Both required names are present.
  registry_key.AddValue(dfwinreg_fake.FakeWinRegistryValue(
      'a', data_type=dfwinreg_definitions.REG_SZ))
  self.assertTrue(values_filter.Match(registry_key))
class ServicesPlugin(interface.WindowsRegistryPlugin):
  """Plug-in to format the Services and Drivers keys having Type and Start.

  Every service or driver subkey that carries both a Type and a Start value
  yields one event whose values dictionary holds the key's string, integer
  and multi-string values, plus the ServiceDll taken from the Parameters
  subkey when present.
  """

  NAME = u'windows_services'
  DESCRIPTION = u'Parser for services and drivers Registry data.'

  # TODO: use a key path prefix match here. Might be more efficient.
  # HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services
  FILTERS = frozenset([
      interface.WindowsRegistryKeyWithValuesFilter([
          u'Start', u'Type'])])

  URLS = [u'http://support.microsoft.com/kb/103000']

  def GetServiceDll(self, key):
    """Get the Service DLL for a service, if it exists.

    Looks up the ServiceDll value in the Parameters subkey of a service key.
    This value names the DLL that is loaded on behalf of the service, so it
    is collected separately from the values stored on the service key itself.

    Args:
      key: A Windows Registry key (instance of dfwinreg.WinRegistryKey).

    Returns:
      A string containing the service DLL path or None when either the
      Parameters subkey or its ServiceDll value is missing.
    """
    parameters_key = key.GetSubkeyByName(u'Parameters')
    if not parameters_key:
      return

    service_dll_value = parameters_key.GetValueByName(u'ServiceDll')
    if not service_dll_value:
      return

    return service_dll_value.GetDataAsObject()

  def GetEntries(self, parser_mediator, registry_key, **kwargs):
    """Create one event for each subkey under Services that has Type and Start.

    Args:
      parser_mediator: A parser mediator object (instance of ParserMediator).
      registry_key: A Windows Registry key (instance of
                    dfwinreg.WinRegistryKey).
    """
    values_dict = {}

    # FILTERS already requires Start and Type, so this guard mostly protects
    # direct callers; the ServiceDll is only looked up for such keys.
    type_value = registry_key.GetValueByName(u'Type')
    start_value = registry_key.GetValueByName(u'Start')
    if type_value and start_value:
      service_dll = self.GetServiceDll(registry_key)
      if service_dll:
        values_dict[u'ServiceDll'] = service_dll

    # Copy the remaining string and integer values verbatim and flatten
    # multi-strings to one comma-separated string. Unnamed (default) values,
    # names already present in values_dict and other data types are skipped.
    for registry_value in registry_key.GetValues():
      name = registry_value.name
      if not name or name in values_dict:
        continue

      if registry_value.DataIsString() or registry_value.DataIsInteger():
        values_dict[name] = registry_value.GetDataAsObject()
      elif registry_value.DataIsMultiString():
        # NOTE(review): assumes GetDataAsObject() yields an iterable of
        # strings for multi-string data; an empty or missing one is not
        # guarded here.
        values_dict[name] = u', '.join(registry_value.GetDataAsObject())

    # A dedicated service event type lets the output layer recognize and
    # expand well-known service values.
    event_object = windows_events.WindowsRegistryServiceEvent(
        registry_key.last_written_time, registry_key.path, values_dict,
        offset=registry_key.offset, urls=self.URLS)
    parser_mediator.ProduceEvent(event_object)
def testKeyPaths(self):
  """Tests the key_paths property.

  A values filter selects keys by their value names, not by path, so the
  property is expected to be an empty list.
  """
  values_filter = interface.WindowsRegistryKeyWithValuesFilter(
      ('a', 'MRUList'))

  key_paths = values_filter.key_paths
  self.assertEqual(key_paths, [])
def testInitialize(self):
  """Tests the __init__ function."""
  required_value_names = ('a', 'MRUList')
  values_filter = interface.WindowsRegistryKeyWithValuesFilter(
      required_value_names)

  self.assertIsNotNone(values_filter)
class ServicesPlugin(interface.WindowsRegistryPlugin):
  """Plug-in to format the Services and Drivers keys having Type and Start.

  Each matching service or driver subkey produces one "written" event whose
  regvalue dictionary holds the key's string, integer and multi-string values,
  plus the ServiceDll from the Parameters subkey when present.
  """

  NAME = 'windows_services'
  DESCRIPTION = 'Parser for services and drivers Registry data.'

  # TODO: use a key path prefix match here. Might be more efficient.
  # HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services
  FILTERS = frozenset([
      interface.WindowsRegistryKeyWithValuesFilter([
          'Start', 'Type'])])

  URLS = ['http://support.microsoft.com/kb/103000']

  def GetServiceDll(self, key):
    """Get the Service DLL for a service, if it exists.

    Looks up the ServiceDll value in the Parameters subkey of a service key.
    This value names the DLL loaded on behalf of the service and therefore
    lives outside the values stored on the service key itself.

    Args:
      key (dfwinreg.WinRegistryKey): a Windows Registry key.

    Returns:
      str: path of the service DLL or None when the Parameters subkey or its
          ServiceDll value is missing.
    """
    parameters_key = key.GetSubkeyByName('Parameters')
    if not parameters_key:
      return

    service_dll_value = parameters_key.GetValueByName('ServiceDll')
    if not service_dll_value:
      return

    return service_dll_value.GetDataAsObject()

  def _CollectValues(self, registry_key, values_dict):
    """Adds the string, integer and multi-string values of a key to a dict.

    Unnamed (default) values, names already present in values_dict and values
    of any other data type are skipped. Multi-strings are flattened to one
    comma-separated string.

    Args:
      registry_key (dfwinreg.WinRegistryKey): Windows Registry key.
      values_dict (dict[str, object]): dictionary that is updated in place.
    """
    for registry_value in registry_key.GetValues():
      name = registry_value.name
      if not name or name in values_dict:
        continue

      if registry_value.DataIsString() or registry_value.DataIsInteger():
        values_dict[name] = registry_value.GetDataAsObject()
      elif registry_value.DataIsMultiString():
        # NOTE(review): assumes GetDataAsObject() yields an iterable of
        # strings for multi-string data; an empty or missing one is not
        # guarded here.
        values_dict[name] = ', '.join(registry_value.GetDataAsObject())

  def ExtractEvents(self, parser_mediator, registry_key, **kwargs):
    """Extracts events from a Windows Registry key.

    Args:
      parser_mediator (ParserMediator): mediates interactions between parsers
          and other components, such as storage and dfvfs.
      registry_key (dfwinreg.WinRegistryKey): Windows Registry key.
    """
    values_dict = {}

    # FILTERS already requires Start and Type, so this guard mostly protects
    # direct callers; the ServiceDll is only looked up for such keys and is
    # inserted first so a same-named value on the key does not replace it.
    type_value = registry_key.GetValueByName('Type')
    start_value = registry_key.GetValueByName('Start')
    if type_value and start_value:
      service_dll = self.GetServiceDll(registry_key)
      if service_dll:
        values_dict['ServiceDll'] = service_dll

    self._CollectValues(registry_key, values_dict)

    # A dedicated service event data type lets the output layer recognize and
    # expand well-known service values.
    event_data = windows_events.WindowsRegistryServiceEventData()
    event_data.key_path = registry_key.path
    event_data.offset = registry_key.offset
    event_data.regvalue = values_dict
    event_data.urls = self.URLS

    event = time_events.DateTimeValuesEvent(
        registry_key.last_written_time, definitions.TIME_DESCRIPTION_WRITTEN)
    parser_mediator.ProduceEventWithEventData(event, event_data)
class ServicesPlugin(interface.WindowsRegistryPlugin):
  """Plug-in to format the Services and Drivers keys having Type and Start.

  Each matching subkey produces one "written" event. Type, Start,
  ErrorControl, ImagePath, ObjectName and the ServiceDll from the Parameters
  subkey are exposed as dedicated event data attributes; all other values are
  folded into a single free-form "values" string.
  """

  NAME = 'windows_services'
  DATA_FORMAT = 'Windows drivers and services Registry data'

  # TODO: use a key path prefix match here. Might be more efficient.
  # HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services
  FILTERS = frozenset(
      [interface.WindowsRegistryKeyWithValuesFilter(['Start', 'Type'])])

  def _GetServiceDll(self, key):
    """Retrieves the service DLL value.

    Obtains the ServiceDll value from the Parameters subkey of a Windows
    Registry service key; it names the DLL loaded on behalf of the service.

    Args:
      key (dfwinreg.WinRegistryKey): a Windows Registry key.

    Returns:
      str: path of the service DLL or None when the Parameters subkey or its
          ServiceDll value is missing.
    """
    parameters_key = key.GetSubkeyByName('Parameters')
    if not parameters_key:
      return None

    service_dll_value = parameters_key.GetValueByName('ServiceDll')
    if service_dll_value:
      return service_dll_value.GetDataAsObject()
    return None

  def ExtractEvents(self, parser_mediator, registry_key, **kwargs):
    """Extracts events from a Windows Registry key.

    Args:
      parser_mediator (ParserMediator): mediates interactions between parsers
          and other components, such as storage and dfvfs.
      registry_key (dfwinreg.WinRegistryKey): Windows Registry key.
    """
    type_value = registry_key.GetValueByName('Type')
    service_type = type_value.GetDataAsObject() if type_value else None

    start_value = registry_key.GetValueByName('Start')
    start_type = start_value.GetDataAsObject() if start_value else None

    # Both values are what distinguishes a service or driver entry; without
    # them there is nothing meaningful to report.
    if None in (service_type, start_type):
      # TODO: generate extraction warning.
      return

    # A dedicated service event data type lets the output layer recognize and
    # expand well-known service values.
    event_data = WindowsRegistryServiceEventData()
    event_data.key_path = registry_key.path
    event_data.name = registry_key.name
    event_data.service_type = service_type
    event_data.service_dll = self._GetServiceDll(registry_key)
    event_data.start_type = start_type

    # Values that get their own attribute. ImagePath (the service binary)
    # is promoted alongside the ServiceDll so both are directly queryable;
    # the attribute is only set when the value exists on the key.
    named_values = (
        ('ErrorControl', 'error_control'),
        ('ImagePath', 'image_path'),
        ('ObjectName', 'object_name'))
    for value_name, attribute_name in named_values:
      registry_value = registry_key.GetValueByName(value_name)
      if registry_value:
        setattr(event_data, attribute_name, registry_value.GetDataAsObject())

    # Everything else is rendered as a sorted "name: value" string, or None
    # when no other values remain.
    values_dict = self._GetValuesFromKey(
        parser_mediator, registry_key,
        names_to_skip=['ErrorControl', 'ImagePath', 'ObjectName', 'Start',
                       'Type'])
    formatted_values = [
        '{0:s}: {1!s}'.format(name, data)
        for name, data in sorted(values_dict.items())]
    event_data.values = ' '.join(formatted_values) or None

    event = time_events.DateTimeValuesEvent(
        registry_key.last_written_time, definitions.TIME_DESCRIPTION_WRITTEN)
    parser_mediator.ProduceEventWithEventData(event, event_data)
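class ServicesPlugin(interface.WindowsRegistryPlugin):
  """Plug-in to format the Services and Drivers keys having Type and Start.

  Each matching subkey produces one "written" event. Type, Start,
  ErrorControl, ImagePath, ObjectName and the ServiceDll from the Parameters
  subkey are exposed as dedicated event data attributes; all other string,
  integer and multi-string values are folded into a single free-form
  "values" string.

  Also see: http://support.microsoft.com/kb/103000
  """

  NAME = 'windows_services'
  DESCRIPTION = 'Parser for services and drivers Registry data.'

  # TODO: use a key path prefix match here. Might be more efficient.
  # HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services
  FILTERS = frozenset(
      [interface.WindowsRegistryKeyWithValuesFilter(['Start', 'Type'])])

  # Lower-cased names of the values that ExtractEvents exposes as dedicated
  # attributes; _GetValuesFromKey leaves them out of the free-form values.
  _VALUE_NAMES_TO_SKIP = frozenset([
      'errorcontrol', 'imagepath', 'objectname', 'start', 'type'])

  def _GetServiceDll(self, key):
    """Retrieves the service DLL value.

    Obtains the ServiceDll value from the Parameters subkey of a Windows
    Registry service key; it names the DLL loaded on behalf of the service.

    Args:
      key (dfwinreg.WinRegistryKey): a Windows Registry key.

    Returns:
      str: path of the service DLL or None when the Parameters subkey or its
          ServiceDll value is missing.
    """
    parameters_key = key.GetSubkeyByName('Parameters')
    if not parameters_key:
      return None

    service_dll = parameters_key.GetValueByName('ServiceDll')
    if not service_dll:
      return None

    return service_dll.GetDataAsObject()

  def _GetValuesFromKey(self, registry_key):
    """Retrieves the remaining values from a Windows Registry service key.

    The unnamed default value and the values exposed as dedicated attributes
    (ErrorControl, ImagePath, ObjectName, Start and Type, compared
    case-insensitively) are skipped. Only string, integer and multi-string
    data is collected; a multi-string is flattened to a comma-separated
    string, or to "[]" when it is empty. Values of other data types are not
    included.

    Args:
      registry_key (dfwinreg.WinRegistryKey): Windows Registry key.

    Returns:
      dict[str, object]: names and data of the collected values.
    """
    values_dict = {}
    for registry_value in registry_key.GetValues():
      name = registry_value.name
      if not name or name.lower() in self._VALUE_NAMES_TO_SKIP:
        continue

      value_object = registry_value.GetDataAsObject()
      if registry_value.DataIsString() or registry_value.DataIsInteger():
        values_dict[name] = value_object
      elif registry_value.DataIsMultiString():
        # An empty multi-string is kept visible as "[]" rather than dropped.
        values_dict[name] = ', '.join(value_object) if value_object else '[]'

    return values_dict

  def ExtractEvents(self, parser_mediator, registry_key, **kwargs):
    """Extracts events from a Windows Registry key.

    Args:
      parser_mediator (ParserMediator): mediates interactions between parsers
          and other components, such as storage and dfvfs.
      registry_key (dfwinreg.WinRegistryKey): Windows Registry key.
    """
    service_type = None
    start_type = None

    registry_value = registry_key.GetValueByName('Type')
    if registry_value:
      service_type = registry_value.GetDataAsObject()

    registry_value = registry_key.GetValueByName('Start')
    if registry_value:
      start_type = registry_value.GetDataAsObject()

    # Both values are what distinguishes a service or driver entry; without
    # them there is nothing meaningful to report.
    if None in (service_type, start_type):
      # TODO: generate extraction warning.
      return

    # A dedicated service event data type lets the output layer recognize and
    # expand well-known service values.
    event_data = WindowsRegistryServiceEventData()
    event_data.key_path = registry_key.path
    event_data.name = registry_key.name
    event_data.service_type = service_type
    event_data.service_dll = self._GetServiceDll(registry_key)
    event_data.start_type = start_type

    # ImagePath (the service binary), ObjectName and ErrorControl get their
    # own attributes; each is only set when the value exists on the key.
    registry_value = registry_key.GetValueByName('ErrorControl')
    if registry_value:
      event_data.error_control = registry_value.GetDataAsObject()

    registry_value = registry_key.GetValueByName('ImagePath')
    if registry_value:
      event_data.image_path = registry_value.GetDataAsObject()

    registry_value = registry_key.GetValueByName('ObjectName')
    if registry_value:
      event_data.object_name = registry_value.GetDataAsObject()

    # Everything else is rendered as a sorted "name: value" string, or None
    # when no other values remain.
    values_dict = self._GetValuesFromKey(registry_key)
    event_data.values = ' '.join([
        '{0:s}: {1!s}'.format(name, value)
        for name, value in sorted(values_dict.items())]) or None

    event = time_events.DateTimeValuesEvent(
        registry_key.last_written_time, definitions.TIME_DESCRIPTION_WRITTEN)
    parser_mediator.ProduceEventWithEventData(event, event_data)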