def ParseMultiple(self, stats, knowledge_base):
"""Parse each returned registry value."""
user_dict = {}
for stat in stats:
sid_str = stat.pathspec.path.split("/", 3)[2]
if SID_RE.match(sid_str):
if sid_str not in user_dict:
user_dict[sid_str] = rdf_client.KnowledgeBaseUser(
sid=sid_str)
if stat.registry_data.GetValue():
# Look up in the mapping if we can use this entry to populate a user
# attribute, and if so, set it.
reg_key_name = stat.pathspec.Dirname().Basename()
if reg_key_name in self.key_var_mapping:
map_dict = self.key_var_mapping[reg_key_name]
reg_key = stat.pathspec.Basename()
kb_attr = map_dict.get(reg_key)
if kb_attr:
value = artifact_lib.ExpandWindowsEnvironmentVariables(
stat.registry_data.GetValue(), knowledge_base)
value = artifact_lib.ExpandWindowsUserEnvironmentVariables(
value, knowledge_base, sid=sid_str)
user_dict[sid_str].Set(kb_attr, value)
# Now yield each user we found.
return user_dict.itervalues()
def ParseRunKeys(self, responses):
"""Get filenames from the RunKeys and download the files."""
filenames = []
client = aff4.FACTORY.Open(self.client_id, mode="r", token=self.token)
kb = artifact.GetArtifactKnowledgeBase(client)
for response in responses:
runkey = response.registry_data.string
path_guesses = utils.GuessWindowsFileNameFromString(runkey)
path_guesses = filter(self._IsExecutableExtension, path_guesses)
if not path_guesses:
self.Log("Couldn't guess path for %s", runkey)
for path in path_guesses:
full_path = artifact_lib.ExpandWindowsEnvironmentVariables(
path, kb)
filenames.append(
rdfvalue.PathSpec(path=full_path,
pathtype=rdfvalue.PathSpec.PathType.TSK))
if filenames:
self.CallFlow("MultiGetFile",
pathspecs=filenames,
next_state="Done")
def Parse(self, result, knowledge_base):
binaries = set()
for section in result.sections:
table = section.table
# Find indices of "protection" and "filename" columns
indexed_headers = dict([(header.name, i)
for i, header in enumerate(table.headers)])
try:
protection_col_index = indexed_headers["protection"]
filename_col_index = indexed_headers["filename"]
except KeyError:
# If we can't find "protection" and "filename" columns, just skip
# this section
continue
for row in table.rows:
protection_attr = row.values[protection_col_index]
filename_attr = row.values[filename_col_index]
if protection_attr.svalue in ("EXECUTE_READ",
"EXECUTE_READWRITE",
"EXECUTE_WRITECOPY"):
if filename_attr.svalue and filename_attr.svalue not in binaries:
binaries.add(filename_attr.svalue)
system_drive = artifact_lib.ExpandWindowsEnvironmentVariables(
"%systemdrive%", knowledge_base)
path = rdfvalue.PathSpec(
path=system_drive + "\\" +
filename_attr.svalue.lstrip("\\"),
pathtype=rdfvalue.PathSpec.PathType.OS)
yield path
def Parse(self, stat, knowledge_base):
"""Parse the key currentcontrolset output."""
value = stat.registry_data.GetValue()
if not value:
raise parsers.ParseError("Invalid value for key %s" %
stat.pathspec.path)
value = artifact_lib.ExpandWindowsEnvironmentVariables(
value, knowledge_base)
if value:
yield rdfvalue.RDFString(value)
def ParseMultiple(self, stats, knowledge_base):
"""Parse each returned registry variable."""
prof_directory = r"%SystemDrive%\Documents and Settings"
all_users = "All Users" # Default value.
for stat in stats:
value = stat.registry_data.GetValue()
if stat.pathspec.Basename() == "ProfilesDirectory" and value:
prof_directory = value
elif stat.pathspec.Basename() == "AllUsersProfile" and value:
all_users = value
all_users_dir = r"%s\%s" % (prof_directory, all_users)
all_users_dir = artifact_lib.ExpandWindowsEnvironmentVariables(
all_users_dir, knowledge_base)
yield rdfvalue.RDFString(all_users_dir)
def Parse(self, response, knowledge_base):
system_drive = artifact_lib.ExpandWindowsEnvironmentVariables(
"%systemdrive%", knowledge_base)
for message in json.loads(response.json_messages):
if message[0] == "r":
protection = message[1].get("protection", {}).get("enum", "")
if "EXECUTE" not in protection:
continue
filename = message[1].get("filename", "")
if filename and filename != "Pagefile-backed section":
yield rdfvalue.PathSpec(
path=ntpath.normpath(
ntpath.join(system_drive, filename)),
pathtype=rdfvalue.PathSpec.PathType.OS)
def _GetFilePaths(self, path, pathtype, kb):
"""Guess windows filenames from a commandline string."""
pathspecs = []
path_guesses = utils.GuessWindowsFileNameFromString(path)
path_guesses = filter(self._IsExecutableExtension, path_guesses)
if not path_guesses:
# TODO(user): yield a ParserAnomaly object
return []
for path in path_guesses:
path = re.sub(self.systemroot_re, r"%systemroot%", path, count=1)
path = re.sub(self.system32_re,
r"%systemroot%\\system32",
path,
count=1)
full_path = artifact_lib.ExpandWindowsEnvironmentVariables(
path, kb)
pathspecs.append(
rdfvalue.PathSpec(path=full_path, pathtype=pathtype))
return pathspecs
