def _ParsePlistWithPlugin(
    self, plugin_object, plist_name, top_level_object,
    knowledge_base_values=None):
  """Runs a plist plugin against an already-loaded top-level plist object.

  Args:
    plugin_object: the plugin object.
    plist_name: the name of the plist to parse.
    top_level_object: the top-level plist object.
    knowledge_base_values: optional dict containing the knowledge base values.

  Returns:
    An event object queue consumer object (instance of TestItemQueueConsumer).
  """
  queue = single_process.SingleProcessQueue()
  consumer = test_lib.TestItemQueueConsumer(queue)

  # The second queue is handed to the mediator as the parse error queue. This
  # helper neither inspects nor returns it, so a caller cannot assert on parse
  # errors through the return value.
  error_queue = single_process.SingleProcessQueue()
  mediator = self._GetParserMediator(
      queue, error_queue, knowledge_base_values=knowledge_base_values)

  plugin_object.Process(
      mediator, plist_name=plist_name, top_level=top_level_object)
  return consumer
def _ParseEseDbFileWithPlugin(
    self, path_segments, plugin_object, knowledge_base_values=None):
  """Opens an ESE database test file and runs a plugin over it.

  Args:
    path_segments: The path to the ESE database test file.
    plugin_object: The plugin object that is used to extract an event
        generator.
    knowledge_base_values: optional dict containing the knowledge base values.
        The default is None.

  Returns:
    An event object queue consumer object (instance of TestItemQueueConsumer).
  """
  queue = single_process.SingleProcessQueue()
  consumer = test_lib.TestItemQueueConsumer(queue)

  # The parse error queue is only passed to the mediator; it is not returned,
  # so parse errors are not visible through this helper's return value.
  error_queue = single_process.SingleProcessQueue()
  mediator = self._GetParserMediator(
      queue, error_queue, knowledge_base_values=knowledge_base_values)

  # NOTE(review): the database object is never explicitly closed in this
  # helper - confirm whether _OpenEseDbFile's result needs releasing.
  database = self._OpenEseDbFile(path_segments)
  # A fresh cache per call, so nothing is shared between tests.
  plugin_cache = esedb.EseDbCache()
  plugin_object.Process(mediator, database=database, cache=plugin_cache)

  return consumer
def _ParseDatabaseFileWithPlugin(
    self, plugin_object, path, cache=None, knowledge_base_values=None):
  """Opens a SQLite database file and runs a specific plugin over it.

  Args:
    plugin_object: The plugin object that is used to extract an event
        generator.
    path: The path to the SQLite database file.
    cache: A cache object (instance of SQLiteCache).
    knowledge_base_values: optional dict containing the knowledge base values.
        The default is None.

  Returns:
    An event object queue consumer object (instance of TestItemQueueConsumer).
  """
  queue = single_process.SingleProcessQueue()
  consumer = test_lib.TestItemQueueConsumer(queue)

  # The parse error queue is only passed to the mediator; it is not returned,
  # so parse errors are not visible through this helper's return value.
  error_queue = single_process.SingleProcessQueue()
  mediator = self._GetParserMediator(
      queue, error_queue, knowledge_base_values=knowledge_base_values)

  # Resolve the path as a plain operating system location.
  os_path_spec = path_spec_factory.Factory.NewPathSpec(
      definitions.TYPE_INDICATOR_OS, location=path)
  entry = path_spec_resolver.Resolver.OpenFileEntry(os_path_spec)
  mediator.SetFileEntry(entry)

  # AppendToParserChain needs to be run after SetFileEntry.
  mediator.AppendToParserChain(plugin_object)

  sqlite_database = sqlite.SQLiteDatabase(entry.name)
  source_file = entry.GetFileObject()
  try:
    sqlite_database.Open(source_file)
  finally:
    # The file object is closed as soon as Open returns, before the plugin
    # runs. NOTE(review): presumably SQLiteDatabase keeps what it needs after
    # Open - confirm against the sqlite module.
    source_file.close()

  try:
    plugin_object.Process(mediator, cache=cache, database=sqlite_database)
  finally:
    # Close the database even when the plugin raises.
    sqlite_database.Close()

  return consumer
def _ParseKeyWithPlugin(
    self, plugin_object, registry_key, file_entry=None,
    knowledge_base_values=None, parser_chain=None):
  """Runs a plugin over a single key of a Windows Registry file.

  Args:
    plugin_object: The plugin object.
    registry_key: The Windows Registry Key.
    file_entry: Optional file entry object (instance of dfvfs.FileEntry).
    knowledge_base_values: Optional dict containing the knowledge base values.
    parser_chain: Optional string containing the parsing chain up to this
        point.

  Returns:
    An event object queue consumer object (instance of TestItemQueueConsumer).
  """
  # Fail the test up front when no key was supplied.
  self.assertNotEqual(registry_key, None)

  queue = single_process.SingleProcessQueue()
  consumer = test_lib.TestItemQueueConsumer(queue)

  # The parse error queue is only passed to the mediator; it is not returned,
  # so parse errors are not visible through this helper's return value.
  error_queue = single_process.SingleProcessQueue()
  mediator = self._GetParserMediator(
      queue, error_queue, knowledge_base_values=knowledge_base_values)

  # file_entry is passed through as given, including the default of None.
  mediator.SetFileEntry(file_entry)

  # Most tests neither check nor set parser chain values, so the plugin name
  # is appended unless an explicit parser chain argument is supplied.
  # pylint: disable=protected-access
  if parser_chain is not None:
    # In the rare case that a test checks for a particular chain, set it
    # directly. There is no public API for this, as access to the parser
    # chain should be very infrequent.
    mediator._parser_chain_components = parser_chain.split(u'/')
  else:
    # AppendToParserChain needs to be run after SetFileEntry.
    mediator.AppendToParserChain(plugin_object)

  plugin_object.Process(mediator, registry_key)
  return consumer
def _ParseOleCfFileWithPlugin(
    self, path, plugin_object, knowledge_base_values=None):
  """Opens an OLE compound file and runs a plugin over its root item.

  Args:
    path: The path to the OLE CF test file.
    plugin_object: The plugin object that is used to extract an event
        generator.
    knowledge_base_values: optional dict containing the knowledge base values.

  Returns:
    An event object queue consumer object (instance of TestItemQueueConsumer).
  """
  queue = single_process.SingleProcessQueue()
  consumer = test_lib.TestItemQueueConsumer(queue)

  # The parse error queue is only passed to the mediator; it is not returned,
  # so parse errors are not visible through this helper's return value.
  error_queue = single_process.SingleProcessQueue()
  mediator = self._GetParserMediator(
      queue, error_queue, knowledge_base_values=knowledge_base_values)

  # NOTE(review): the OLE CF file object is never explicitly closed in this
  # helper - confirm whether _OpenOleCfFile's result needs releasing.
  compound_file = self._OpenOleCfFile(path)

  # The path is wrapped in a single-element list for the file entry lookup.
  entry = self._GetTestFileEntryFromPath([path])
  mediator.SetFileEntry(entry)

  # Collect the names of all items directly below the root item.
  root = compound_file.root_item
  names = []
  for sub_item in root.sub_items:
    names.append(sub_item.name)

  plugin_object.Process(mediator, root_item=root, item_names=names)
  return consumer
def _ParseFileWithPlugin(
    self, plugin_name, path, knowledge_base_values=None):
  """Parses a syslog file with only the named plugin enabled.

  Args:
    plugin_name: a string containing the name of the plugin.
    path: a string containing the path to the syslog file.
    knowledge_base_values: optional dictionary containing the knowledge base
        values.

  Returns:
    An event object queue consumer object (instance of TestItemQueueConsumer).
  """
  queue = single_process.SingleProcessQueue()
  consumer = test_lib.TestItemQueueConsumer(queue)

  # The parse error queue is only passed to the mediator; it is not returned,
  # so parse errors are not visible through this helper's return value.
  error_queue = single_process.SingleProcessQueue()
  mediator = self._GetParserMediator(
      queue, error_queue, knowledge_base_values=knowledge_base_values)

  # Resolve the path as a plain operating system location.
  os_path_spec = path_spec_factory.Factory.NewPathSpec(
      definitions.TYPE_INDICATOR_OS, location=path)
  entry = path_spec_resolver.Resolver.OpenFileEntry(os_path_spec)
  mediator.SetFileEntry(entry)

  # Only the requested plugin is passed to EnablePlugins.
  syslog_parser = syslog.SyslogParser()
  syslog_parser.EnablePlugins([plugin_name])

  source_file = entry.GetFileObject()
  try:
    syslog_parser.Parse(mediator, source_file)
  finally:
    # Release the file object even when parsing raises.
    source_file.close()

  return consumer