def GetEntries(self, parser_mediator, registry_key, **kwargs):
"""Collect Values in Servers and return event for each one.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
registry_key: A Windows Registry key (instance of
dfwinreg.WinRegistryKey).
"""
mru_values_dict = {}
for subkey in registry_key.GetSubkeys():
username_value = subkey.GetValueByName(u'UsernameHint')
if (username_value and username_value.data and
username_value.DataIsString()):
username = username_value.GetDataAsObject()
else:
username = u'N/A'
mru_values_dict[subkey.name] = username
values_dict = {u'Username hint': username}
event_object = windows_events.WindowsRegistryEvent(
subkey.last_written_time, subkey.path, values_dict,
offset=subkey.offset, source_append=self._SOURCE_APPEND)
parser_mediator.ProduceEvent(event_object)
event_object = windows_events.WindowsRegistryEvent(
registry_key.last_written_time, registry_key.path, mru_values_dict,
offset=registry_key.offset, source_append=self._SOURCE_APPEND)
parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs):
"""Gather the BootExecute Value, compare to default, return event.
The rest of the values in the Session Manager key are in a separate event.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
registry_key: A Windows Registry key (instance of
dfwinreg.WinRegistryKey).
"""
values_dict = {}
for registry_value in registry_key.GetValues():
value_name = registry_value.name or u'(default)'
if value_name == u'BootExecute':
# MSDN: claims that the data type of this value is REG_BINARY
# although REG_MULTI_SZ is known to be used as well.
if registry_value.DataIsString():
value_string = registry_value.GetDataAsObject()
elif registry_value.DataIsMultiString():
value_string = u''.join(registry_value.GetDataAsObject())
elif registry_value.DataIsBinaryData():
value_string = registry_value.GetDataAsObject()
else:
value_string = u''
error_string = (
u'Key: {0:s}, value: {1:s}: unsupported value data type: '
u'{2:s}.').format(registry_key.path, value_name,
registry_value.data_type_string)
parser_mediator.ProduceParseError(error_string)
# TODO: why does this have a separate event object? Remove this.
value_dict = {u'BootExecute': value_string}
event_object = windows_events.WindowsRegistryEvent(
registry_key.last_written_time,
registry_key.path,
value_dict,
offset=registry_key.offset,
urls=self.URLS)
parser_mediator.ProduceEvent(event_object)
else:
values_dict[value_name] = registry_value.GetDataAsObject()
event_object = windows_events.WindowsRegistryEvent(
registry_key.last_written_time,
registry_key.path,
values_dict,
offset=registry_key.offset,
urls=self.URLS)
parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs):
"""Collect Values under Office 2010 MRUs and return events for each one.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
registry_key: A Windows Registry key (instance of
dfwinreg.WinRegistryKey).
"""
# TODO: Test other Office versions to make sure this plugin is applicable.
mru_values_dict = {}
for registry_value in registry_key.GetValues():
# Ignore any value not in the form: 'Item [0-9]+'.
if not registry_value.name or not self._RE_VALUE_NAME.search(
registry_value.name):
continue
# Ignore any value that is empty or that does not contain a string.
if not registry_value.data or not registry_value.DataIsString():
continue
value_string = registry_value.GetDataAsObject()
values = self._RE_VALUE_DATA.findall(value_string)
# Values will contain a list containing a tuple containing 2 values.
if len(values) != 1 or len(values[0]) != 2:
continue
try:
filetime = int(values[0][0], 16)
except ValueError:
parser_mediator.ProduceParseError(
(u'unable to convert filetime string to an integer for '
u'value: {0:s}.').format(registry_value.name))
continue
mru_values_dict[registry_value.name] = value_string
# TODO: change into a separate event object.
values_dict = {registry_value.name: value_string}
event_object = windows_events.WindowsRegistryEvent(
filetime,
registry_key.path,
values_dict,
offset=registry_key.offset,
source_append=self._SOURCE_APPEND)
parser_mediator.ProduceEvent(event_object)
event_object = windows_events.WindowsRegistryEvent(
registry_key.last_written_time,
registry_key.path,
mru_values_dict,
offset=registry_key.offset,
source_append=self._SOURCE_APPEND)
parser_mediator.ProduceEvent(event_object)
def GetEntries(self,
parser_mediator,
key=None,
registry_type=None,
codepage='cp1252',
**unused_kwargs):
"""Extracts event objects from a CCleaner Registry key.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
key: Optional Registry key (instance of winreg.WinRegKey).
The default is None.
registry_type: Optional Registry type string. The default is None.
"""
for value in key.GetValues():
if not value.name or not value.data:
continue
text_dict = {}
text_dict[value.name] = value.data
if value.name == u'UpdateKey':
timestamp = timelib.Timestamp.FromTimeString(
value.data, timezone=parser_mediator.timezone)
event_object = windows_events.WindowsRegistryEvent(
timestamp,
key.path,
text_dict,
offset=key.offset,
registry_type=registry_type)
elif value.name == '0':
event_object = windows_events.WindowsRegistryEvent(
key.timestamp,
key.path,
text_dict,
offset=key.offset,
registry_type=registry_type)
else:
# TODO: change this event not to set a timestamp of 0.
event_object = windows_events.WindowsRegistryEvent(
0,
key.path,
text_dict,
offset=key.offset,
registry_type=registry_type)
event_object.source_append = u': CCleaner Registry key'
parser_mediator.ProduceEvent(event_object)
def GetEntries(
self, parser_context, file_entry=None, key=None, registry_type=None,
**unused_kwargs):
"""Gather the BootExecute Value, compare to default, return event.
The rest of the values in the Session Manager key are in a separate event.
Args:
parser_context: A parser context object (instance of ParserContext).
file_entry: optional file entry object (instance of dfvfs.FileEntry).
The default is None.
key: Optional Registry key (instance of winreg.WinRegKey).
The default is None.
registry_type: Optional Registry type string. The default is None.
"""
text_dict = {}
for value in key.GetValues():
if value.name == 'BootExecute':
# MSDN: claims that the data type of this value is REG_BINARY
# although REG_MULTI_SZ is known to be used as well.
if value.DataIsString():
value_string = value.data
elif value.DataIsMultiString():
value_string = u''.join(value.data)
elif value.DataIsBinaryData():
value_string = value.data
else:
value_string = u''
error_string = (
u'Key: {0:s}, value: {1:s}: unuspported value data type: '
u'{2:s}.').format(key.path, value.name, value.data_type_string)
parser_context.ProduceParseError(
self.NAME, error_string, file_entry=file_entry)
# TODO: why does this have a separate event object? Remove this.
value_dict = {'BootExecute': value_string}
event_object = windows_events.WindowsRegistryEvent(
key.last_written_timestamp, key.path, value_dict, offset=key.offset,
registry_type=registry_type, urls=self.URLS)
parser_context.ProduceEvent(event_object, plugin_name=self.NAME)
else:
text_dict[value.name] = value.data
event_object = windows_events.WindowsRegistryEvent(
key.last_written_timestamp, key.path, text_dict, offset=key.offset,
registry_type=registry_type, urls=self.URLS)
parser_context.ProduceEvent(event_object, plugin_name=self.NAME)
def GetEntries(
self, parser_mediator, key=None, registry_file_type=None,
codepage=u'cp1252', **unused_kwargs):
"""Gather the BootExecute Value, compare to default, return event.
The rest of the values in the Session Manager key are in a separate event.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
key: Optional Registry key (instance of winreg.WinRegKey).
The default is None.
registry_file_type: Optional string containing the Windows Registry file
type, e.g. NTUSER, SOFTWARE. The default is None.
codepage: Optional extended ASCII string codepage. The default is cp1252.
"""
text_dict = {}
for value in key.GetValues():
if value.name == u'BootExecute':
# MSDN: claims that the data type of this value is REG_BINARY
# although REG_MULTI_SZ is known to be used as well.
if value.DataIsString():
value_string = value.data
elif value.DataIsMultiString():
value_string = u''.join(value.data)
elif value.DataIsBinaryData():
value_string = value.data
else:
value_string = u''
error_string = (
u'Key: {0:s}, value: {1:s}: unsupported value data type: '
u'{2:s}.').format(key.path, value.name, value.data_type_string)
parser_mediator.ProduceParseError(error_string)
# TODO: why does this have a separate event object? Remove this.
value_dict = {u'BootExecute': value_string}
event_object = windows_events.WindowsRegistryEvent(
key.last_written_timestamp, key.path, value_dict, offset=key.offset,
registry_file_type=registry_file_type, urls=self.URLS)
parser_mediator.ProduceEvent(event_object)
else:
text_dict[value.name] = value.data
event_object = windows_events.WindowsRegistryEvent(
key.last_written_timestamp, key.path, text_dict, offset=key.offset,
registry_file_type=registry_file_type, urls=self.URLS)
parser_mediator.ProduceEvent(event_object)
def CreateTestEventObjects():
"""Creates the event objects for testing.
Returns:
A list of event objects (instances of EventObject).
"""
event_objects = []
filetime = dfwinreg_filetime.Filetime()
filetime.CopyFromString(u'2012-04-20 22:38:46.929596')
values_dict = {u'Value': u'c:/Temp/evil.exe'}
event_object = windows_events.WindowsRegistryEvent(filetime.timestamp,
u'MY AutoRun key',
values_dict)
event_object.parser = 'UNKNOWN'
event_objects.append(event_object)
filetime.CopyFromString(u'2012-05-02 13:43:26.929596')
values_dict = {u'Value': u'send all the exes to the other world'}
event_object = windows_events.WindowsRegistryEvent(
filetime.timestamp, u'\\HKCU\\Secret\\EvilEmpire\\Malicious_key',
values_dict)
event_object.parser = 'UNKNOWN'
event_objects.append(event_object)
filetime.CopyFromString(u'2012-04-20 16:44:46')
values_dict = {u'Value': u'run all the benign stuff'}
event_object = windows_events.WindowsRegistryEvent(
filetime.timestamp, u'\\HKCU\\Windows\\Normal', values_dict)
event_object.parser = 'UNKNOWN'
event_objects.append(event_object)
timemstamp = timelib.Timestamp.CopyFromString(u'2009-04-05 12:27:39')
text_dict = {
u'hostname':
u'nomachine',
u'text':
(u'This is a line by someone not reading the log line properly. And '
u'since this log line exceeds the accepted 80 chars it will be '
u'shortened.'),
u'username':
u'johndoe'
}
event_object = text_events.TextEvent(timemstamp, 12, text_dict)
event_object.parser = 'UNKNOWN'
event_objects.append(event_object)
return event_objects
def GetEntries(self,
parser_mediator,
key=None,
registry_type=None,
codepage='cp1252',
**unused_kwargs):
"""Gather the BootVerification key values and return one event for all.
This key is rare, so its presence is suspect.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
key: Optional Registry key (instance of winreg.WinRegKey).
The default is None.
registry_type: Optional Registry type string. The default is None.
"""
text_dict = {}
for value in key.GetValues():
text_dict[value.name] = value.data
event_object = windows_events.WindowsRegistryEvent(
key.last_written_timestamp,
key.path,
text_dict,
offset=key.offset,
registry_type=registry_type,
urls=self.URLS)
parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs):
"""Collect typed URLs values.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
registry_key: A Windows Registry key (instance of
dfwinreg.WinRegistryKey).
"""
values_dict = {}
for value in registry_key.GetValues():
# Ignore any value not in the form: 'url[0-9]+'.
if not value.name or not self._RE_VALUE_NAME.search(value.name):
continue
# Ignore any value that is empty or that does not contain a string.
if not value.data or not value.DataIsString():
continue
values_dict[value.name] = value.data
event_object = windows_events.WindowsRegistryEvent(
registry_key.last_written_time,
registry_key.path,
values_dict,
offset=registry_key.offset,
source_append=self._SOURCE_APPEND)
parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs):
"""Extracts event objects from a WinRAR ArcHistory key.
Args:
parser_mediator: a parser mediator object (instance of ParserMediator).
registry_key: a Windows Registry key (instance of
dfwinreg.WinRegistryKey).
"""
values_dict = {}
for registry_value in registry_key.GetValues():
# Ignore any value not in the form: '[0-9]+'.
if (not registry_value.name
or not self._RE_VALUE_NAME.search(registry_value.name)):
continue
# Ignore any value that is empty or that does not contain a string.
if not registry_value.data or not registry_value.DataIsString():
continue
values_dict[registry_value.name] = registry_value.GetDataAsObject()
event_object = windows_events.WindowsRegistryEvent(
registry_key.last_written_time,
registry_key.path,
values_dict,
offset=registry_key.offset,
source_append=self._SOURCE_APPEND)
parser_mediator.ProduceEvent(event_object)
def _ParseMRUListExKey(
self, parser_context, key, registry_type=None, codepage='cp1252'):
"""Extract event objects from a MRUListEx Registry key.
Args:
parser_context: A parser context object (instance of ParserContext).
key: the Registry key (instance of winreg.WinRegKey).
registry_type: Optional Registry type string. The default is None.
codepage: Optional extended ASCII string codepage. The default is cp1252.
"""
text_dict = {}
for index, entry_number in self._ParseMRUListExValue(key):
# TODO: detect if list ends prematurely.
# MRU lists are terminated with 0xffffffff (-1).
if entry_number == 0xffffffff:
break
self._ParseMRUListExEntryValue(
parser_context, key, index, entry_number, text_dict,
codepage=codepage)
event_object = windows_events.WindowsRegistryEvent(
key.last_written_timestamp, key.path, text_dict,
offset=key.offset, registry_type=registry_type,
source_append=': MRUListEx')
parser_context.ProduceEvent(event_object, plugin_name=self.NAME)
def GetEntries(
self, parser_mediator, key=None, registry_type=None, codepage='cp1252',
**kwargs):
"""Collect values under WinRAR ArcHistory and return event for each one.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
key: Optional Registry key (instance of winreg.WinRegKey).
The default is None.
registry_type: Optional Registry type string. The default is None.
"""
for value in key.GetValues():
# Ignore any value not in the form: '[0-9]+'.
if not value.name or not self._RE_VALUE_NAME.search(value.name):
continue
# Ignore any value that is empty or that does not contain a string.
if not value.data or not value.DataIsString():
continue
if value.name == '0':
timestamp = key.last_written_timestamp
else:
timestamp = 0
text_dict = {}
text_dict[value.name] = value.data
# TODO: shouldn't this behavior be, put all the values
# into a single event object with the last written time of the key?
event_object = windows_events.WindowsRegistryEvent(
timestamp, key.path, text_dict, offset=key.offset,
registry_type=registry_type,
source_append=': WinRAR History')
parser_mediator.ProduceEvent(event_object)
def GetEntries(
self, parser_context, key=None, registry_type=None, **unused_kwargs):
"""Collect typed URLs values.
Args:
parser_context: A parser context object (instance of ParserContext).
key: Optional Registry key (instance of winreg.WinRegKey).
The default is None.
registry_type: Optional Registry type string. The default is None.
"""
for value in key.GetValues():
# Ignore any value not in the form: 'url[0-9]+'.
if not value.name or not self._RE_VALUE_NAME.search(value.name):
continue
# Ignore any value that is empty or that does not contain a string.
if not value.data or not value.DataIsString():
continue
# TODO: shouldn't this behavior be, put all the typed urls
# into a single event object with the last written time of the key?
if value.name == 'url1':
timestamp = key.last_written_timestamp
else:
timestamp = 0
text_dict = {}
text_dict[value.name] = value.data
event_object = windows_events.WindowsRegistryEvent(
timestamp, key.path, text_dict, offset=key.offset,
registry_type=registry_type,
source_append=u': Typed URLs')
parser_context.ProduceEvent(event_object, plugin_name=self.NAME)
def _ParseMRUListExKey(self, parser_mediator, key, codepage=u'cp1252'):
"""Extract event objects from a MRUListEx Registry key.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
key: the Registry key (instance of dfwinreg.WinRegistryKey).
codepage: Optional extended ASCII string codepage.
"""
values_dict = {}
for entry_index, entry_number in self._ParseMRUListExValue(key):
# TODO: detect if list ends prematurely.
# MRU lists are terminated with 0xffffffff (-1).
if entry_number == 0xffffffff:
break
value_string = self._ParseMRUListExEntryValue(parser_mediator,
key,
entry_index,
entry_number,
codepage=codepage)
value_text = u'Index: {0:d} [MRU Value {1:d}]'.format(
entry_index + 1, entry_number)
values_dict[value_text] = value_string
event_object = windows_events.WindowsRegistryEvent(
key.last_written_time,
key.path,
values_dict,
offset=key.offset,
source_append=self._SOURCE_APPEND)
parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs):
"""Collect the values under Outlook and return event for each one.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
registry_key: A Windows Registry key (instance of
dfwinreg.WinRegistryKey).
"""
values_dict = {}
for registry_value in registry_key.GetValues():
# Ignore the default value.
if not registry_value.name:
continue
# Ignore any value that is empty or that does not contain an integer.
if not registry_value.data or not registry_value.DataIsInteger():
continue
# TODO: change this 32-bit integer into something meaningful, for now
# the value name is the most interesting part.
value_integer = registry_value.GetDataAsObject()
values_dict[registry_value.name] = u'0x{0:08x}'.format(value_integer)
event_object = windows_events.WindowsRegistryEvent(
registry_key.last_written_time, registry_key.path, values_dict,
offset=registry_key.offset, source_append=self._SOURCE_APPEND)
parser_mediator.ProduceEvent(event_object)
def GetEntries(self,
parser_mediator,
key=None,
registry_type=None,
codepage='cp1252',
**unused_kwargs):
"""Collect the Values under the Run Key and return an event for each one.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
key: Optional Registry key (instance of winreg.WinRegKey).
The default is None.
registry_type: Optional Registry type string. The default is None.
"""
for value in key.GetValues():
# Ignore the default value.
if not value.name:
continue
# Ignore any value that is empty or that does not contain a string.
if not value.data or not value.DataIsString():
continue
text_dict = {}
text_dict[value.name] = value.data
event_object = windows_events.WindowsRegistryEvent(
key.last_written_timestamp,
key.path,
text_dict,
offset=key.offset,
urls=self.URLS,
registry_type=registry_type,
source_append=': Run Key')
parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs):
"""Collect ShutdownTime value under Windows and produce an event object.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
registry_key: A Windows Registry key (instance of
dfwinreg.WinRegistryKey).
"""
shutdown_value = registry_key.GetValueByName(u'ShutdownTime')
if not shutdown_value:
return
try:
filetime = self._UINT64_STRUCT.parse(shutdown_value.data)
except construct.FieldError as exception:
parser_mediator.ProduceParseError(
u'Unable to extract shutdown timestamp with error: {0:s}'.format(
exception))
return
values_dict = {u'Description': shutdown_value.name}
event_object = windows_events.WindowsRegistryEvent(
filetime, registry_key.path, values_dict,
offset=registry_key.offset, source_append=self._SOURCE_APPEND,
usage=eventdata.EventTimestamp.LAST_SHUTDOWN)
parser_mediator.ProduceEvent(event_object)
def GetEntries(self,
parser_mediator,
key=None,
registry_type=None,
codepage='cp1252',
**unused_kwargs):
"""Collect values and return an event.
Args:
parser_mediator: A parser context object (instance of ParserContext).
key: Optional Registry key (instance of winreg.WinRegKey).
The default is None.
registry_type: Optional Registry type string. The default is None.
"""
if key is None:
return
text_dict = {}
for value_name in self.WIN_TIMEZONE_VALUE_NAMES:
text_dict[value_name] = self._GetValue(value_name, key)
event_object = windows_events.WindowsRegistryEvent(
key.last_written_timestamp,
key.path,
text_dict,
offset=key.offset,
registry_type=registry_type)
parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs):
"""Collect MRU Values and return event for each one.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
registry_key: A Windows Registry key (instance of
dfwinreg.WinRegistryKey).
"""
values_dict = {}
for value in registry_key.GetValues():
# Ignore the default value.
if not value.name:
continue
# Ignore any value that is empty or that does not contain a string.
if not value.data or not value.DataIsString():
continue
values_dict[value.name] = value.data
event_object = windows_events.WindowsRegistryEvent(
registry_key.last_written_time,
registry_key.path,
values_dict,
offset=registry_key.offset,
source_append=self._SOURCE_APPEND)
parser_mediator.ProduceEvent(event_object)
def _ParseSubKey(self,
parser_context,
key,
parent_value_string,
registry_type=None,
codepage='cp1252'):
"""Extract event objects from a MRUListEx Registry key.
Args:
parser_context: A parser context object (instance of ParserContext).
key: the Registry key (instance of winreg.WinRegKey).
parent_value_string: string containing the parent value string.
registry_type: Optional Registry type string. The default is None.
codepage: Optional extended ASCII string codepage. The default is cp1252.
"""
text_dict = {}
value_strings = {}
for index, entry_number in self._ParseMRUListExValue(key):
# TODO: detect if list ends prematurely.
# MRU lists are terminated with 0xffffffff (-1).
if entry_number == 0xffffffff:
break
self._ParseMRUListExEntryValue(parser_context,
key,
index,
entry_number,
text_dict,
value_strings,
parent_value_string,
codepage=codepage)
event_object = windows_events.WindowsRegistryEvent(
key.last_written_timestamp,
key.path,
text_dict,
offset=key.offset,
registry_type=registry_type,
urls=self.URLS,
source_append=': BagMRU')
parser_context.ProduceEvent(event_object, plugin_name=self.NAME)
for index, entry_number in self._ParseMRUListExValue(key):
# TODO: detect if list ends prematurely.
# MRU lists are terminated with 0xffffffff (-1).
if entry_number == 0xffffffff:
break
sub_key = key.GetSubkey(u'{0:d}'.format(entry_number))
if not sub_key:
logging.debug(
u'[{0:s}] Missing BagMRU sub key: {1:d} in key: {2:s}.'.
format(self.name, key.path, entry_number))
continue
value_string = value_strings.get(entry_number, u'')
self._ParseSubKey(parser_context,
sub_key,
value_string,
codepage=codepage)
def GetEntries(self,
parser_mediator,
key=None,
registry_type=None,
codepage='cp1252',
**unused_kwargs):
"""Collect Values in Servers and return event for each one.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
key: Optional Registry key (instance of winreg.WinRegKey).
The default is None.
registry_type: Optional Registry type string. The default is None.
"""
for subkey in key.GetSubkeys():
username_value = subkey.GetValue('UsernameHint')
if (username_value and username_value.data
and username_value.DataIsString()):
username = username_value.data
else:
username = u'None'
text_dict = {}
text_dict['UsernameHint'] = username
event_object = windows_events.WindowsRegistryEvent(
key.last_written_timestamp,
key.path,
text_dict,
offset=key.offset,
registry_type=registry_type,
source_append=': RDP Connection')
parser_mediator.ProduceEvent(event_object)
def GetEntries(
self, parser_mediator, key=None, registry_file_type=None,
codepage=u'cp1252', **unused_kwargs):
"""Extracts event objects from a CCleaner Registry key.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
key: Optional Registry key (instance of winreg.WinRegKey).
The default is None.
registry_file_type: Optional string containing the Windows Registry file
type, e.g. NTUSER, SOFTWARE. The default is None.
codepage: Optional extended ASCII string codepage. The default is cp1252.
"""
for value in key.GetValues():
if not value.name or not value.data:
continue
text_dict = {}
text_dict[value.name] = value.data
if value.name == u'UpdateKey':
try:
timestamp = timelib.Timestamp.FromTimeString(
value.data, timezone=parser_mediator.timezone)
except errors.TimestampError:
parser_mediator.ProduceParseError(
u'Unable to parse time string: {0:s}'.format(value.data))
continue
event_object = windows_events.WindowsRegistryEvent(
timestamp, key.path, text_dict, offset=key.offset,
registry_file_type=registry_file_type)
elif value.name == u'0':
event_object = windows_events.WindowsRegistryEvent(
key.timestamp, key.path, text_dict, offset=key.offset,
registry_file_type=registry_file_type)
else:
# TODO: change this event not to set a timestamp of 0.
event_object = windows_events.WindowsRegistryEvent(
0, key.path, text_dict, offset=key.offset,
registry_file_type=registry_file_type)
event_object.source_append = u': CCleaner Registry key'
parser_mediator.ProduceEvent(event_object)
def GetEntries(self,
parser_mediator,
key=None,
registry_file_type=None,
codepage=u'cp1252',
**kwargs):
"""Returns an event object based on a Registry key name and values.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
key: Optional Registry key (instance of winreg.WinRegKey).
The default is None.
registry_file_type: Optional string containing the Windows Registry file
type, e.g. NTUSER, SOFTWARE. The default is None.
codepage: Optional extended ASCII string codepage. The default is cp1252.
"""
text_dict = {}
if key.number_of_values == 0:
text_dict[u'Value'] = u'No values stored in key.'
else:
for value in key.GetValues():
if not value.name:
value_name = u'(default)'
else:
value_name = u'{0:s}'.format(value.name)
if value.data is None:
value_string = u'[{0:s}] Empty'.format(
value.data_type_string)
elif value.DataIsString():
string_decode = utils.GetUnicodeString(value.data)
value_string = u'[{0:s}] {1:s}'.format(
value.data_type_string, string_decode)
elif value.DataIsInteger():
value_string = u'[{0:s}] {1:d}'.format(
value.data_type_string, value.data)
elif value.DataIsMultiString():
if not isinstance(value.data, (list, tuple)):
value_string = u'[{0:s}]'.format(
value.data_type_string)
# TODO: Add a flag or some sort of an anomaly alert.
else:
value_string = u'[{0:s}] {1:s}'.format(
value.data_type_string, u''.join(value.data))
else:
value_string = u'[{0:s}]'.format(value.data_type_string)
text_dict[value_name] = value_string
event_object = windows_events.WindowsRegistryEvent(
key.last_written_timestamp,
key.path,
text_dict,
offset=key.offset,
registry_file_type=registry_file_type)
parser_mediator.ProduceEvent(event_object)
def GetEntries(self,
parser_mediator,
key=None,
registry_file_type=None,
codepage=u'cp1252',
**unused_kwargs):
"""Collect Values under Office 2010 MRUs and return events for each one.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
key: Optional Registry key (instance of winreg.WinRegKey).
The default is None.
registry_file_type: Optional string containing the Windows Registry file
type, e.g. NTUSER, SOFTWARE. The default is None.
codepage: Optional extended ASCII string codepage. The default is cp1252.
"""
# TODO: Test other Office versions to make sure this plugin is applicable.
for value in key.GetValues():
# Ignore any value not in the form: 'Item [0-9]+'.
if not value.name or not self._RE_VALUE_NAME.search(value.name):
continue
# Ignore any value that is empty or that does not contain a string.
if not value.data or not value.DataIsString():
continue
values = self._RE_VALUE_DATA.findall(value.data)
# Values will contain a list containing a tuple containing 2 values.
if len(values) != 1 or len(values[0]) != 2:
continue
try:
filetime = int(values[0][0], 16)
except ValueError:
logging.warning(
u'Unable to convert filetime string to an integer.')
filetime = 0
# TODO: why this behavior? Only the first Item is stored with its
# timestamp. Shouldn't this be: Store all the Item # values with
# their timestamp and store the entire MRU as one event with the
# registry key last written time?
if value.name == u'Item 1':
timestamp = timelib.Timestamp.FromFiletime(filetime)
else:
timestamp = 0
text_dict = {}
text_dict[value.name] = value.data
event_object = windows_events.WindowsRegistryEvent(
timestamp,
key.path,
text_dict,
offset=key.offset,
registry_file_type=registry_file_type,
source_append=u': Microsoft Office MRU')
parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs):
"""Gather minimal information about system install and return an event.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
registry_key: A Windows Registry key (instance of
dfwinreg.WinRegistryKey).
"""
installation_value = None
string_values = {}
for registry_value in registry_key.GetValues():
# Ignore the default value.
if not registry_value.name:
continue
if (registry_value.name == u'InstallDate'
and registry_value.DataIsInteger()):
installation_value = registry_value
continue
# Ignore any value that is empty or that does not contain a string.
if not registry_value.data or not registry_value.DataIsString():
continue
string_value_name = self._STRING_VALUE_NAME_STRINGS.get(
registry_value.name, None)
if not string_value_name:
continue
string_values[string_value_name] = registry_value.GetDataAsObject()
owner = string_values.get(u'owner', u'')
product_name = string_values.get(u'product_name', u'')
service_pack = string_values.get(u'service_pack', u'')
version = string_values.get(u'version', u'')
values_dict = {}
values_dict[u'Owner'] = owner
values_dict[u'Product name'] = product_name
values_dict[u'Service pack'] = service_pack
values_dict[u'Windows Version Information'] = version
event_object = windows_events.WindowsRegistryEvent(
registry_key.last_written_time,
registry_key.path,
values_dict,
offset=registry_key.offset)
parser_mediator.ProduceEvent(event_object)
# TODO: if not present indicate anomaly of missing installation
# date and time.
if installation_value:
posix_time = installation_value.GetDataAsObject()
event_object = windows_events.WindowsRegistryInstallationEvent(
posix_time, registry_key.path, owner, product_name,
service_pack, version)
parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs):
"""Returns an event object based on a Registry key name and values.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
registry_key: A Windows Registry key (instance of
dfwinreg.WinRegistryKey).
"""
values_dict = {}
if registry_key.number_of_values == 0:
values_dict[u'Value'] = u'No values stored in key.'
else:
for registry_value in registry_key.GetValues():
value_name = registry_value.name or u'(default)'
if registry_value.data is None:
value_string = u'[{0:s}] Empty'.format(
registry_value.data_type_string)
elif registry_value.DataIsString():
string_decode = utils.GetUnicodeString(
registry_value.GetDataAsObject())
value_string = u'[{0:s}] {1:s}'.format(
registry_value.data_type_string, string_decode)
elif registry_value.DataIsInteger():
value_string = u'[{0:s}] {1:d}'.format(
registry_value.data_type_string,
registry_value.GetDataAsObject())
elif registry_value.DataIsMultiString():
multi_string = registry_value.GetDataAsObject()
if not isinstance(multi_string, (list, tuple)):
value_string = u'[{0:s}]'.format(
registry_value.data_type_string)
# TODO: Add a flag or some sort of an anomaly alert.
else:
value_string = u'[{0:s}] {1:s}'.format(
registry_value.data_type_string,
u''.join(multi_string))
else:
value_string = u'[{0:s}]'.format(
registry_value.data_type_string)
values_dict[value_name] = value_string
event_object = windows_events.WindowsRegistryEvent(
registry_key.last_written_time,
registry_key.path,
values_dict,
offset=registry_key.offset)
parser_mediator.ProduceEvent(event_object)
def GetEntries(
self, parser_context, file_entry=None, key=None, registry_type=None,
**unused_kwargs):
"""Extracts event objects from a MRU list.
Args:
parser_context: A parser context object (instance of ParserContext).
file_entry: optional file entry object (instance of dfvfs.FileEntry).
The default is None.
key: Optional Registry key (instance of winreg.WinRegKey).
The default is None.
registry_type: Optional Registry type string. The default is None.
"""
mru_list_value = key.GetValue('MRUList')
if not mru_list_value:
error_string = u'Key: {0:s}, value: MRUList missing.'.format(key.path)
parser_context.ProduceParseError(
self.NAME, error_string, file_entry=file_entry)
return
timestamp = key.last_written_timestamp
entry_list = []
text_dict = {}
for entry_index, mru_value_name in enumerate(mru_list_value.data):
value = key.GetValue(mru_value_name)
if not value:
error_string = u'Key: {0:s}, value: {1:s} missing.'.format(
key.path, mru_value_name)
parser_context.ProduceParseError(
self.NAME, error_string, file_entry=file_entry)
continue
if not value.data:
error_string = u'Key: {0:s}, value: {1:s} data missing.'.format(
key.path, mru_value_name)
parser_context.ProduceParseError(
self.NAME, error_string, file_entry=file_entry)
continue
if not value.DataIsString():
# TODO: add support for shell item based MRU value data.
mru_value_string = u''
else:
mru_value_string = value.data
entry_list.append(mru_value_string)
text_dict[u'Index: {0:d} [MRU Value {1:s}]'.format(
entry_index + 1, mru_value_name)] = mru_value_string
event_object = windows_events.WindowsRegistryEvent(
timestamp, key.path, text_dict, offset=key.offset,
registry_type=registry_type, urls=self.URLS,
source_append=': MRU List')
event_object.mru_list = entry_list
parser_context.ProduceEvent(event_object, plugin_name=self.NAME)
def GetEntries(self,
parser_context,
key=None,
registry_type=None,
**unused_kwargs):
"""Returns an event object based on a Registry key name and values.
Args:
parser_context: A parser context object (instance of ParserContext).
key: Optional Registry key (instance of winreg.WinRegKey).
The default is None.
registry_type: Optional Registry type string. The default is None.
"""
text_dict = {}
if key.number_of_values == 0:
text_dict[u'Value'] = u'No values stored in key.'
else:
for value in key.GetValues():
if not value.name:
value_name = '(default)'
else:
value_name = u'{0:s}'.format(value.name)
if value.data is None:
value_string = u'[{0:s}] Empty'.format(
value.data_type_string)
elif value.DataIsString():
string_decode = utils.GetUnicodeString(value.data)
value_string = u'[{0:s}] {1:s}'.format(
value.data_type_string, string_decode)
elif value.DataIsInteger():
value_string = u'[{0:s}] {1:d}'.format(
value.data_type_string, value.data)
elif value.DataIsMultiString():
if type(value.data) not in (list, tuple):
value_string = u'[{0:s}]'.format(
value.data_type_string)
# TODO: Add a flag or some sort of an anomaly alert.
else:
value_string = u'[{0:s}] {1:s}'.format(
value.data_type_string, u''.join(value.data))
else:
value_string = u'[{0:s}]'.format(value.data_type_string)
text_dict[value_name] = value_string
event_object = windows_events.WindowsRegistryEvent(
key.last_written_timestamp,
key.path,
text_dict,
offset=key.offset,
registry_type=registry_type)
parser_context.ProduceEvent(event_object, plugin_name=self.NAME)
def setUp(self):
"""Sets up the needed objects used throughout the test."""
self._event_objects = []
event_1 = windows_events.WindowsRegistryEvent(
timelib.Timestamp.CopyFromString(u'2012-04-20 22:38:46.929596'),
u'MY AutoRun key', {u'Value': u'c:/Temp/evil.exe'})
event_1.parser = 'UNKNOWN'
event_2 = windows_events.WindowsRegistryEvent(
timelib.Timestamp.CopyFromString(u'2012-05-02 13:43:26.929596'),
u'\\HKCU\\Secret\\EvilEmpire\\Malicious_key',
{u'Value': u'send all the exes to the other world'})
event_2.parser = 'UNKNOWN'
event_3 = windows_events.WindowsRegistryEvent(
timelib.Timestamp.CopyFromString(u'2012-04-20 16:44:46.000000'),
u'\\HKCU\\Windows\\Normal',
{u'Value': u'run all the benign stuff'})
event_3.parser = 'UNKNOWN'
text_dict = {
'text':
('This is a line by someone not reading the log line properly. And '
'since this log line exceeds the accepted 80 chars it will be '
'shortened.'),
'hostname':
'nomachine',
'username':
'******'
}
event_4 = text_events.TextEvent(
timelib.Timestamp.CopyFromString(u'2009-04-05 12:27:39.000000'),
12, text_dict)
event_4.parser = 'UNKNOWN'
self._event_objects.append(event_1)
self._event_objects.append(event_2)
self._event_objects.append(event_3)
self._event_objects.append(event_4)
self._formatter_mediator = formatters_mediator.FormatterMediator()
def GetEntries(self,
parser_mediator,
key=None,
registry_file_type=None,
codepage=u'cp1252',
**unused_kwargs):
"""Retrieves information from the MountPoints2 registry key.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
key: Optional Registry key (instance of winreg.WinRegKey).
The default is None.
registry_file_type: Optional string containing the Windows Registry file
type, e.g. NTUSER, SOFTWARE. The default is None.
codepage: Optional extended ASCII string codepage. The default is cp1252.
"""
for subkey in key.GetSubkeys():
name = subkey.name
if not name:
continue
text_dict = {}
text_dict[u'Volume'] = name
# Get the label if it exists.
label_value = subkey.GetValue(u'_LabelFromReg')
if label_value:
text_dict[u'Label'] = label_value.data
if name.startswith(u'{'):
text_dict[u'Type'] = u'Volume'
elif name.startswith(u'#'):
# The format is: ##Server_Name#Share_Name.
text_dict[u'Type'] = u'Remote Drive'
server_name, _, share_name = name[2:].partition(u'#')
text_dict[u'Remote_Server'] = server_name
text_dict[u'Share_Name'] = u'\\{0:s}'.format(
share_name.replace(u'#', u'\\'))
else:
text_dict[u'Type'] = u'Drive'
event_object = windows_events.WindowsRegistryEvent(
subkey.last_written_timestamp,
key.path,
text_dict,
offset=subkey.offset,
registry_file_type=registry_file_type,
urls=self.URLS)
parser_mediator.ProduceEvent(event_object)
