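def ParseMultiple(self, stats, knowledge_base):
    """Parse each returned registry value into one User object per SID.

    Each stat's pathspec path is expected to look like
    ``/HKEY_USERS/<SID>/...`` with the SID as the third ``/``-separated
    component.  Stats whose path is too short to carry a SID, or whose
    third component does not match ``SID_RE``, are skipped rather than
    aborting the whole batch.  For stats that do carry a SID, the
    registry key directory name is looked up in ``self.key_var_mapping``
    and, if the value name maps to a knowledge-base attribute, the
    expanded registry value is stored on the user.

    Args:
      stats: Iterable of stat entries exposing ``pathspec`` (with ``path``,
        ``Dirname()`` and ``Basename()``) and ``registry_data.GetValue()``.
      knowledge_base: Knowledge base used to expand ``%VAR%`` references
        (system-wide, then per-user by SID).

    Returns:
      An iterator over the ``rdf_client.User`` objects found, one per
      distinct SID.
    """
    user_dict = {}
    for stat in stats:
        path_parts = stat.pathspec.path.split("/", 3)
        # A malformed path with fewer than three components cannot carry a
        # SID; skip it instead of raising IndexError on the whole batch.
        if len(path_parts) < 3:
            continue
        sid_str = path_parts[2]
        if not SID_RE.match(sid_str):
            continue
        if sid_str not in user_dict:
            user_dict[sid_str] = rdf_client.User(sid=sid_str)
        # Read the value once; it is both the emptiness test and the input.
        raw_value = stat.registry_data.GetValue()
        if not raw_value:
            continue
        # Look up in the mapping if we can use this entry to populate a user
        # attribute, and if so, set it.
        reg_key_name = stat.pathspec.Dirname().Basename()
        if reg_key_name not in self.key_var_mapping:
            continue
        map_dict = self.key_var_mapping[reg_key_name]
        kb_attr = map_dict.get(stat.pathspec.Basename())
        if not kb_attr:
            continue
        value = artifact_utils.ExpandWindowsEnvironmentVariables(
            raw_value, knowledge_base)
        value = artifact_utils.ExpandWindowsUserEnvironmentVariables(
            value, knowledge_base, sid=sid_str)
        user_dict[sid_str].Set(kb_attr, value)
    # Now yield each user we found.
    return itervalues(user_dict)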
def Parse(self, stat, knowledge_base):
    """Yield the registry value with ``%VAR%`` references expanded.

    When the registry value is missing or empty, the literal default
    ``%SystemDrive%\\Documents and Settings`` is expanded instead.

    Args:
      stat: Stat entry exposing ``registry_data.GetValue()``.
      knowledge_base: Knowledge base used for environment-variable expansion.

    Yields:
      A single ``rdfvalue.RDFString`` holding the expanded path.
    """
    # Provide a default, if the registry value is not available.
    raw = stat.registry_data.GetValue() or "%SystemDrive%\\Documents and Settings"
    expanded = artifact_utils.ExpandWindowsEnvironmentVariables(raw, knowledge_base)
    yield rdfvalue.RDFString(expanded)
def Parse(self, stat, knowledge_base):
    """Expand any ``%VAR%`` references in the registry value.

    Args:
      stat: Stat entry exposing ``registry_data.GetValue()`` and
        ``pathspec.path`` (used in the error message).
      knowledge_base: Knowledge base used for environment-variable expansion.

    Yields:
      An ``rdfvalue.RDFString`` with the expanded value, only when the
      expansion produced a non-empty string.

    Raises:
      parsers.ParseError: If the registry value is missing or empty.
    """
    raw = stat.registry_data.GetValue()
    if not raw:
        raise parsers.ParseError("Invalid value for key %s" % stat.pathspec.path)
    expanded = artifact_utils.ExpandWindowsEnvironmentVariables(raw, knowledge_base)
    # Expansion can produce an empty string; emit nothing in that case.
    if not expanded:
        return
    yield rdfvalue.RDFString(expanded)
def Parse(self, response, knowledge_base):
    """Yield an OS PathSpec for each executable, file-backed section.

    ``response.json_messages`` is parsed as JSON; only messages whose first
    element is ``"r"`` (presumably table rows — confirm against the
    producer) are inspected.  A row contributes a path when its
    ``protection.enum`` contains ``EXECUTE`` and its ``filename`` is
    non-empty and not the ``Pagefile-backed section`` placeholder.  The
    filename is joined onto the expanded ``%systemdrive%`` and normalised
    with ``ntpath``.

    Args:
      response: Object exposing a ``json_messages`` JSON string.
      knowledge_base: Knowledge base used to expand ``%systemdrive%``.

    Yields:
      ``rdf_paths.PathSpec`` objects of type ``OS``.
    """
    system_drive = artifact_utils.ExpandWindowsEnvironmentVariables(
        "%systemdrive%", knowledge_base)
    os_pathtype = rdf_paths.PathSpec.PathType.OS
    for message in json.loads(response.json_messages):
        # Anything other than a row message carries no section data.
        if message[0] != "r":
            continue
        row = message[1]
        protection = row.get("protection", {}).get("enum", "")
        filename = row.get("filename", "")
        if "EXECUTE" not in protection or not filename:
            continue
        if filename == "Pagefile-backed section":
            continue
        full_path = ntpath.normpath(ntpath.join(system_drive, filename))
        yield rdf_paths.PathSpec(path=full_path, pathtype=os_pathtype)
def Parse(self, stat, knowledge_base):
    """Yield the expanded path of the shared ("All Users") profile directory.

    The registry value names the subdirectory under ``%ProfilesDirectory%``;
    when it is missing or empty, ``All Users`` is used.

    Args:
      stat: Stat entry exposing ``registry_data.GetValue()``.
      knowledge_base: Knowledge base used to expand ``%ProfilesDirectory%``.

    Yields:
      A single ``rdfvalue.RDFString`` holding the expanded directory path.
    """
    subdir = stat.registry_data.GetValue()
    if not subdir:
        subdir = "All Users"
    template = "%ProfilesDirectory%\\" + subdir
    expanded = artifact_utils.ExpandWindowsEnvironmentVariables(
        template, knowledge_base)
    yield rdfvalue.RDFString(expanded)