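def run(self, hive, registry_handler=None, args=None) -> list:
    """Execute plugin specific actions on the hive file provided.

    Args:
        hive: Hive object to query; a falsy value is reported as unsupported.
        registry_handler: Optional handler supplied by the caller; it is
            merged with the plugin's own ``decrypt_teamviewer`` handler.
        args: Accepted for interface compatibility; not used by this plugin.

    Returns:
        The list of registry_provider.registry_item objects found by querying
        QUERY_VALUE_LIST, or an empty list when the hive is missing or the
        query yields nothing.
    """
    if not hive:
        logger.warning('Unsupported hive file')
        return []

    # Load required registry provider
    self.load_provider()
    logger.debug('Plugin: %s -> Run(%s)', self.name, hive.hive_file_path)

    # Plugin-specific handler chain applied to value_content.
    _plugin_reg_handler = build_registry_handler(
        registry_parser=self.parser,
        registry_handlers='decrypt_teamviewer<field>value_content<rfield>value_content')
    # merge=True keeps any caller-supplied handler alongside the plugin's own.
    registry_handler = self.choose_registry_handler(
        main_reg_handler=registry_handler,
        plugin_reg_handler=_plugin_reg_handler,
        merge=True)

    # NOTE: a key-path query against QUERY_KEY_LIST was present but commented
    # out in the original; only the value query is active.
    items = []
    _items = self.parser.query_value_wd(
        value_path=QUERY_VALUE_LIST, hive=hive,
        plugin_name=self.name, reg_handler=registry_handler)
    # query_value_wd may return None; extending with it would raise
    # TypeError, so guard as the sibling run() implementations do.
    if _items:
        items.extend(_items)
    return items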
def format_parsed_args(self):
    """Normalise this plugin's parsed command-line arguments in place.

    The four *_to_query / *_to_query_w parameters are passed through
    param_to_list (double quotes stripped, entries joined), registry_handlers
    is compiled with build_registry_handler, and key_info is reduced to the
    first element param_to_list returns. Does nothing when parsed_args is
    unset.
    """
    parsed = self.parsed_args
    if not parsed:
        return

    if parsed.baseline_enabled:
        self.baseline_enabled = True

    # All four query parameters share the same normalisation path.
    for attr_name in ('keys_to_query', 'values_to_query',
                      'keys_to_query_w', 'values_to_query_w'):
        normalised = param_to_list(getattr(parsed, attr_name),
                                   strip_char='"', join_list=True)
        setattr(parsed, attr_name, normalised)

    if parsed.registry_handlers:
        parsed.registry_handlers = build_registry_handler(
            registry_handlers=parsed.registry_handlers.strip('"'),
            registry_parser=self.parser,
            decode_param_from=parsed.rh_decode_param)

    if parsed.key_info:
        # Only the first parsed element is kept; presumably key_info holds a
        # single key path — verify against param_to_list's return shape.
        parsed.key_info = param_to_list(parsed.key_info, strip_char='"')[0]
def run(self, hive, registry_handler=None, args=None) -> list:
    """Execute plugin specific actions on the hive file provided.

    Returns the list of registry_provider.registry_item objects found by
    querying QUERY_VALUE_LIST, or an empty list when the hive is missing,
    of an unsupported type, or yields no items.
    """
    if not hive:
        logger.warning('Unsupported hive file')
        return []

    # Load required registry provider
    self.load_provider()
    logger.debug('Plugin: %s -> Run(%s)' % (self.name, hive.hive_file_path))

    if not self.is_hive_supported(hive=hive):
        logger.warning('Unsupported hive type: %s' % hive.hive_type)
        return []

    # Plugin-specific handlers (cit_dump, then unescape_url) on value_content.
    plugin_handler = build_registry_handler(
        registry_parser=self.parser,
        registry_handlers="cit_dump<field>value_content,unescape_url<field>value_content",
    )
    effective_handler = self.choose_registry_handler(
        main_reg_handler=registry_handler,
        plugin_reg_handler=plugin_handler)

    found = self.parser.query_value_wd(
        value_path=QUERY_VALUE_LIST, hive=hive,
        plugin_name=self.name, reg_handler=effective_handler)
    # Only a truthy query result is copied out; None / empty yields [].
    return list(found) if found else []
def format_parsed_args(self):
    """Expose the standard baseline and registry-handler parameters.

    Meant for plugins that define no parameters of their own: it only
    propagates baseline_enabled and compiles the registry_handlers argument
    into a handler via build_registry_handler.
    """
    parsed = self.parsed_args
    if not parsed:
        return

    if parsed.baseline_enabled:
        self.baseline_enabled = True

    if not parsed.registry_handlers:
        return

    # NOTE(review): single quotes are stripped here, whereas the sibling
    # format_parsed_args implementations strip double quotes — confirm the
    # difference is intended.
    parsed.registry_handlers = build_registry_handler(
        registry_handlers=parsed.registry_handlers.strip("'"),
        registry_parser=self.parser,
        decode_param_from=parsed.rh_decode_param)
def format_parsed_args(self):
    """Normalise parsed arguments named in attribute_names_type_mapping.

    Each mapped attribute is converted with param_to_list (double quotes
    stripped, entries not joined); registry_handlers is then compiled into
    a handler via build_registry_handler. Does nothing when parsed_args is
    unset.
    """
    parsed = self.parsed_args
    if not parsed:
        return

    if parsed.baseline_enabled:
        self.baseline_enabled = True

    # Every attribute in the mapping is read, normalised and written back.
    for attr_name in self.attribute_names_type_mapping:
        raw_value = getattr(parsed, attr_name)
        setattr(parsed, attr_name,
                param_to_list(raw_value, strip_char='"', join_list=False))

    if parsed.registry_handlers:
        parsed.registry_handlers = build_registry_handler(
            registry_handlers=parsed.registry_handlers.strip('"'),
            registry_parser=self.parser,
            decode_param_from=parsed.rh_decode_param)
def run(self, hive, registry_handler=None, args=None) -> list:
    """Execute plugin specific actions on the hive file provided.

    Queries the keys in QUERY_KEY_LIST with a handler chain that passes
    value_raw_data through ``nothing``, ``ntfs_decompress`` and ``cit_dump``
    (the latter writing to value_content), using cit.custom_registry_handlers
    for the custom steps. Returns the list of registry_provider.registry_item
    objects found, or an empty list when the hive is missing, unsupported,
    or yields nothing.
    """
    if not hive:
        logger.warning('Unsupported hive file')
        return []

    # Load required registry provider
    self.load_provider()
    logger.debug('Plugin: %s -> Run(%s)' % (self.name, hive.hive_file_path))

    if not self.is_hive_supported(hive=hive):
        logger.warning('Unsupported hive type: %s' % hive.hive_type)
        return []

    plugin_handler = build_registry_handler(
        registry_parser=self.parser,
        registry_handlers=
        'nothing<field>value_raw_data,ntfs_decompress<field>value_raw_data,cit_dump<field>value_raw_data<rfield>value_content',
        custom_handlers=cit.custom_registry_handlers)
    effective_handler = self.choose_registry_handler(
        main_reg_handler=registry_handler,
        plugin_reg_handler=plugin_handler)

    found = self.parser.query_key_wd(
        key_path=QUERY_KEY_LIST, hive=hive,
        plugin_name=self.name, reg_handler=effective_handler)
    # Only a truthy query result is copied out; None / empty yields [].
    return list(found) if found else []