    def _ParseValueData(self, knowledge_base, value_data):
        """Maps a Windows time zone Registry value onto the knowledge base.

        The value is read from an evidence hive and is treated as untrusted:
        only string values are accepted; any other type is rejected up front.

        Args:
          knowledge_base (KnowledgeBase): to fill with preprocessing information.
          value_data (object): Windows Registry value data.

        Raises:
          errors.PreProcessFail: if the value data is not a string.
        """
        if not isinstance(value_data, str):
            raise errors.PreProcessFail(
                'Unsupported Windows Registry value type: {0!s} for '
                'artifact: {1:s}.'.format(type(value_data),
                                          self.ARTIFACT_DEFINITION_NAME))

        # Windows time zone names contain spaces; the lookup table is presumably
        # keyed on the space-less form. A name without a mapping is passed on
        # unchanged and left for SetTimeZone to accept or reject.
        windows_name = value_data.replace(' ', '')
        python_name = time_zones.TIME_ZONES.get(windows_name, value_data)

        # TODO: check if time zone is set in knowledge base.
        if not python_name:
            return

        try:
            knowledge_base.SetTimeZone(python_name)
        except ValueError:
            # TODO: add and store preprocessing errors.
            # An unmappable name is logged rather than raised so a single bad
            # Registry value does not abort the rest of preprocessing.
            logger.warning(
                'Unable to map: "{0:s}" to time zone'.format(value_data))
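    def _OpenPathSpec(self, path_specification, ascii_codepage='cp1252'):
        """Opens the Windows Registry file specified by the path specification.

        Args:
          path_specification (dfvfs.PathSpec): path specification.
          ascii_codepage (Optional[str]): ASCII string codepage.

        Returns:
          WinRegistryFile: Windows Registry file, or None if the path
              specification is empty, the file entry or file object cannot be
              resolved, or the file cannot be opened as a REGF hive.
        """
        if not path_specification:
            return None

        file_entry = self._file_system.GetFileEntryByPathSpec(
            path_specification)
        if file_entry is None:
            return None

        file_object = file_entry.GetFileObject()
        if file_object is None:
            return None

        registry_file = dfwinreg_regf.REGFWinRegistryFile(
            ascii_codepage=ascii_codepage)

        # The hive comes from an evidence image and may be truncated or
        # malformed. On success the registry file keeps file_object open; on
        # any failure the handle is released here so a bad hive does not leak it.
        try:
            registry_file.Open(file_object)
        except IOError as exception:
            logger.warning(
                'Unable to open Windows Registry file with error: {0!s}'.
                format(exception))
            file_object.close()
            return None
        except Exception:
            # Anything other than IOError is unexpected for a parse failure;
            # still release the handle, then let the caller see the error.
            file_object.close()
            raise

        return registry_file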
    def CollectFromWindowsRegistry(cls, artifacts_registry, knowledge_base,
                                   searcher):
        """Runs every registered Windows Registry preprocessor plugin.

        A plugin whose artifact definition is missing is skipped, and a plugin
        that fails with IOError or PreProcessFail is logged and skipped, so one
        unreadable or malformed Registry value does not stop the others.

        Args:
          artifacts_registry (artifacts.ArtifactDefinitionsRegistry): artifacts
              definitions registry.
          knowledge_base (KnowledgeBase): to fill with preprocessing information.
          searcher (dfwinreg.WinRegistrySearcher): Windows Registry searcher to
              preprocess the Windows Registry.
        """
        for plugin in cls._windows_registry_plugins.values():
            artifact_name = plugin.ARTIFACT_DEFINITION_NAME
            definition = artifacts_registry.GetDefinitionByName(artifact_name)
            if not definition:
                logger.warning('Missing artifact definition: {0:s}'.format(
                    artifact_name))
                continue

            logger.debug(
                'Running Windows Registry preprocessor plugin: {0:s}'.format(
                    artifact_name))
            try:
                plugin.Collect(knowledge_base, definition, searcher)
            except (IOError, errors.PreProcessFail) as exception:
                logger.warning(
                    ('Unable to collect value from artifact definition: {0:s} '
                     'with error: {1!s}').format(artifact_name, exception))
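    def RunPlugins(cls, artifacts_registry, file_system, mount_point,
                   knowledge_base):
        """Runs the file system, Windows Registry and knowledge base plugins.

        The three passes run in this order because each builds on the previous
        one: environment variables gathered during the file system pass are
        handed to the Registry file reader before the Registry pass runs.

        Args:
          artifacts_registry (artifacts.ArtifactDefinitionsRegistry): artifacts
              definitions registry.
          file_system: file system to preprocess, as accepted by
              FileSystemSearcher and FileSystemWinRegistryFileReader.
          mount_point: mount point path specification of the file system.
          knowledge_base (KnowledgeBase): to fill with preprocessing information.
        """
        file_searcher = file_system_searcher.FileSystemSearcher(
            file_system, mount_point)
        cls.CollectFromFileSystem(artifacts_registry, knowledge_base,
                                  file_searcher, file_system)

        # NOTE(review): the None guard is defensive only; the Collect* passes
        # hand the knowledge base straight to the plugins, which are not
        # expected to accept None. It is applied consistently to every direct
        # use of knowledge_base in this method.
        environment_variables = None
        if knowledge_base:
            environment_variables = knowledge_base.GetEnvironmentVariables()

        # Presumably the reader uses the environment variables to expand hive
        # locations — confirm in FileSystemWinRegistryFileReader.
        registry_file_reader = FileSystemWinRegistryFileReader(
            file_system,
            mount_point,
            environment_variables=environment_variables)
        win_registry = dfwinreg_registry.WinRegistry(
            registry_file_reader=registry_file_reader)
        win_registry_searcher = registry_searcher.WinRegistrySearcher(
            win_registry)

        cls.CollectFromWindowsRegistry(artifacts_registry, knowledge_base,
                                       win_registry_searcher)

        cls.CollectFromKnowledgeBase(knowledge_base)

        # A system image with no user accounts is unusual and worth flagging
        # early, since later user-scoped preprocessing depends on them.
        if knowledge_base and not knowledge_base.HasUserAccounts():
            logger.warning('Unable to find any user accounts on the system.')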
    def CollectFromKnowledgeBase(cls, knowledge_base):
        """Runs every registered knowledge base preprocessor plugin.

        Plugins receive only the knowledge base, so they can work solely from
        values earlier passes already stored there. A plugin that raises
        PreProcessFail is logged and skipped so the remaining plugins still run.

        Args:
          knowledge_base (KnowledgeBase): to fill with preprocessing information.
        """
        for plugin in cls._knowledge_base_plugins.values():
            plugin_name = plugin.__class__.__name__
            logger.debug(
                'Running knowledge base preprocessor plugin: {0:s}'.format(
                    plugin_name))
            try:
                plugin.Collect(knowledge_base)
            except errors.PreProcessFail as exception:
                logger.warning(
                    'Unable to collect knowledge base value with error: {0!s}'.
                    format(exception))