def search_create_item(self,
plugin_name,
hive,
key,
values=None,
reg_handler=None,
parse_security_descriptor=True,
custom_fields=None):
# Create key object (if necessary)
if isinstance(key, Registry.RegistryKey):
_registry_item = registry_provider.registry_item()
_registry_key = self.parse_key_obj(
key_obj=key,
reg_handler=reg_handler,
parse_security_descriptor=parse_security_descriptor,
reg_item_obj=_registry_item)
else:
_registry_key = key
# Create value object (if necessary)
if values is None:
registry_values = []
else:
registry_values = [
self.parse_value_obj(_key=key.path(),
value_obj=value,
reg_handler=reg_handler)
for value in values
]
_registry_item = registry_provider.registry_item()
_registry_item.add(_plugin_name=plugin_name,
_registry_hive=hive,
_registry_key=_registry_key,
_registry_values=registry_values,
custom_fields=custom_fields)
return _registry_item
def query_value(self,
value_path,
hive,
reg_handler=None,
plugin_name='') -> list:
_registry_key = None
_items = []
value = None
# Check if both hive and key_path were given
if value_path and hive:
if not isinstance(value_path, list):
value_path = [value_path]
for _value_path in value_path:
# IF there is no \\, the key shall be initialized with hive's root key
if "\\" in _value_path:
_key_path, __, _value_name = _value_path.rpartition('\\')
else:
_key_path = None
_value_name = _value_path
try:
logger.debug('QUERY VALUE: %s, %s' %
(hive.hive_file_path, _value_path))
except:
test = ""
try:
if _key_path is not None:
key = hive.hive_obj.open(_key_path)
else:
key = hive.hive_obj.root()
# Query value
value = key.value(_value_name)
except Registry.RegistryKeyNotFoundException:
logger.debug('KEY NOT FOUND: %s, %s' %
(hive.hive_file_path, _key_path))
continue
except Registry.RegistryValueNotFoundException:
logger.debug('VALUE NOT FOUND: %s, %s' %
(hive.hive_file_path, _value_path))
continue
except Exception as msg:
logger.debug('%s: Value: %s\%s -> Unexpected error: %s' %
(self.name, hive.hive_file_path, _value_path,
str(msg)))
continue
_registry_item = registry_provider.registry_item()
_registry_key = self.parse_key_obj(key_obj=key,
reg_handler=reg_handler,
reg_item_obj=_registry_item)
value = self.parse_value_obj(_key=_key_path,
value_obj=value,
reg_handler=reg_handler,
reg_item_obj=_registry_item)
_registry_item.add(_plugin_name=plugin_name,
_registry_hive=hive,
_registry_key=_registry_key,
_registry_values=[value])
if _registry_item:
_items.append(_registry_item)
_registry_values = []
_registry_key = None
value = None
return _items
else:
logger.error(
'The value_path to query was not specified or hive not initialized properly'
)
return None
def query_value_regex(self,
key_path,
value_name_pattern,
hive,
reg_handler=None,
plugin_name=''):
_registry_key = None
_items = []
_registry_values = []
# Check if both hive and key_path were given
if key_path and hive:
if not isinstance(key_path, list):
value_path = [key_path]
for _value_path in value_path:
logger.debug('QUERY VALUE: %s, %s' %
(hive.hive_file_path, _value_path))
try:
if key_path is not None:
key = hive.hive_obj.open(key_path)
else:
key = hive.hive_obj.root()
# Query all values and make filtering based on value_name_pattern
if key.values():
for value in key.values():
if re.search(value_name_pattern, value.name(),
re.IGNORECASE):
_registry_values.append(
self.parse_value_obj(
_key=key_path,
value_obj=value,
reg_handler=reg_handler))
except Registry.RegistryKeyNotFoundException:
logger.debug('KEY NOT FOUND: %s, %s' %
(hive.hive_file_path, key_path))
continue
except Registry.RegistryValueNotFoundException:
logger.debug('VALUE NOT FOUND: %s, %s' %
(hive.hive_file_path,
key_path + '\\' + value_name_pattern))
continue
except Exception as msg:
logger.debug('%s: Value: %s\%s -> Unexpected error: %s' %
(self.name, hive.hive_file_path, key_path +
'\\' + value_name_pattern, str(msg)))
continue
if _registry_values:
_registry_item = registry_provider.registry_item()
_registry_key = self.parse_key_obj(
key_obj=key,
reg_handler=reg_handler,
reg_item_obj=_registry_item)
_registry_item.add(_plugin_name=plugin_name,
_registry_hive=hive,
_registry_key=_registry_key,
_registry_values=_registry_values)
if _registry_item:
_items.append(_registry_item)
else:
return []
_registry_values = []
_registry_key = None
value = None
return _items
else:
logger.error(
'The value_path to query was not specified or hive not initialized properly'
)
return None
def query_key(self,
key_path,
hive,
reg_handler=None,
plugin_name='') -> list:
_registry_key = None
_registry_values = []
# Check if both hive and key_path were given
if key_path and hive:
if not isinstance(key_path, list):
key_path = [key_path]
_keys = []
for _key in key_path:
logger.debug('QUERY: %s, %s' % (hive.hive_file_path, _key))
try:
key = hive.hive_obj.open(_key)
except Registry.RegistryKeyNotFoundException:
logger.debug('KEY NOT FOUND: %s, %s' %
(hive.hive_file_path, _key))
continue
except Exception as msg:
logger.debug(
'%s: Key: %s\%s -> Unexpected error: %s' %
(self.name, hive.hive_file_path, _key, str(msg)))
continue
_registry_item = registry_provider.registry_item()
_registry_key = self.parse_key_obj(key_obj=key,
reg_handler=reg_handler,
reg_item_obj=_registry_item)
# The key has values
if key.values():
for value in key.values():
value_obj = self.parse_value_obj(
_key=_key,
value_obj=value,
reg_handler=reg_handler,
reg_item_obj=_registry_item)
_registry_values.append(value_obj)
_registry_item.add(_plugin_name=plugin_name,
_registry_hive=hive,
_registry_key=_registry_key,
_registry_values=_registry_values)
if _registry_item:
_keys.append(_registry_item)
_registry_values = []
_registry_key = None
return _keys
else:
logger.error(
'The key_path to query was not specified or hive not initialized properly'
)
return None
def query_key_recursive(self,
hive,
key_obj,
reg_handler=None,
depth=0,
items=None,
plugin_name='') -> list:
if items is None: items = []
if key_obj:
_registry_key = None
_registry_values = []
key = key_obj
key_path = key.path()
# Strip the root key
_, __, key_path = key_path.partition('\\')
logger.debug('QUERY: %s, %s' % (hive.hive_file_path, key_path))
# Parse registry key
# Create registry_item object
_registry_item = registry_provider.registry_item()
_registry_key = self.parse_key_obj(key_obj=key,
reg_handler=reg_handler,
reg_item_obj=_registry_item)
# The key has values
if key.values():
for value in key.values():
value_obj = self.parse_value_obj(
_key=key_path,
value_obj=value,
reg_handler=reg_handler,
reg_item_obj=_registry_item)
_registry_values.append(value_obj)
_registry_item.add(_plugin_name=plugin_name,
_registry_hive=hive,
_registry_key=_registry_key,
_registry_values=_registry_values)
# Extend the list with newly created registry_item
if _registry_item:
items.append(_registry_item)
# Follow the query actions for all subkeys (recursive mode)
for subkey in key.subkeys():
self.query_key_recursive(key_obj=subkey,
hive=hive,
reg_handler=reg_handler,
depth=depth + 1,
items=items,
plugin_name=plugin_name)
else:
logger.warning('KEY NOT FOUND')
return []
return items
def query_value_regex(self,
key_path,
value_name_pattern,
hive,
reg_handler=None,
plugin_name=''):
_registry_key = None
_registry_values = []
# Check if both hive and key_path were given
if key_path and hive:
if not isinstance(key_path, list):
key_path = [key_path]
_keys = []
for _key in key_path:
logger.debug('QUERY: %s, %s' % (hive.hive_file_path, _key))
try:
key = hive.hive_obj.find_key(_key)
if key:
_registry_item = registry_provider.registry_item()
_registry_key = self.parse_key_obj(
key_obj=key,
reg_handler=reg_handler,
reg_item_obj=_registry_item)
# The key has values
if key.values_count():
loop = True
key_values = key.values()
while loop:
try:
value = key_values.__next__()
if re.search(value_name_pattern,
value.name(), re.IGNORECASE):
value_obj = self.parse_value_obj(
_key=_key,
value_obj=value,
reg_handler=reg_handler,
reg_item_obj=_registry_item)
_registry_values.append(value_obj)
_registry_item.add(
_plugin_name=plugin_name,
_registry_hive=hive,
_registry_key=_registry_key,
_registry_values=_registry_values)
except StopIteration:
loop = False
if _registry_item:
_keys.append(_registry_item)
_registry_values = []
_registry_key = None
except Exception as msg:
logger.error('QueryKey -> Exception: %s, %s -> %s' %
(hive.hive_file_path, _key, str(msg)))
continue
return _keys
else:
logger.error(
'The key_path to query was not specified or hive not initialized properly'
)
return []
def query_value(self,
value_path,
hive,
reg_handler=None,
plugin_name='') -> list:
_registry_key = None
_items = []
# Check if both hive and value_path were given
if value_path and hive:
if not isinstance(value_path, list):
value_path = [value_path]
for _value_path in value_path:
# IF there is no \\, the key shall be initialized with hive's root key
if "\\" in _value_path:
_key_path, __, _value_name = _value_path.rpartition('\\')
else:
_key_path = None
_value_name = _value_path
logger.debug('QUERY VALUE: %s, %s' %
(hive.hive_file_path, _value_path))
try:
if _key_path is not None:
key = hive.hive_obj.find_key(_key_path)
if key is None:
logger.debug('KEY NOT FOUND: %s, %s' %
(hive.hive_file_path, _key_path))
continue
if _value_name == "(default)":
_value_name = ""
# Query value
value = key.value(_value_name)
if value is None:
logger.debug('VALUE NOT FOUND: %s, %s' %
(hive.hive_file_path, _value_path))
continue
except Exception as msg:
logger.error('QueryValue -> Exception: %s, %s -> %s' %
(hive.hive_file_path, _value_path, str(msg)))
continue
_registry_item = registry_provider.registry_item()
_registry_key = self.parse_key_obj(key_obj=key,
reg_handler=reg_handler,
reg_item_obj=_registry_item)
value = self.parse_value_obj(_key=_key_path,
value_obj=value,
reg_handler=reg_handler,
reg_item_obj=_registry_item)
_registry_item.add(_plugin_name=plugin_name,
_registry_hive=hive,
_registry_key=_registry_key,
_registry_values=[value])
if _registry_item:
_items.append(_registry_item)
_registry_values = []
_registry_key = None
value = None
return _items
else:
logger.error(
'The value_path to query was not specified or hive not initialized properly'
)
return []
