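    def run(self, hive, registry_handler=None, args=None) -> list:
        """Execute the plugin's value queries against the provided hive file.

        Args:
            hive: Hive object exposing ``hive_file_path``; a falsy value is
                treated as an unsupported hive and yields no items.
            registry_handler: Optional caller-supplied registry handler; it is
                merged (``merge=True``) with the plugin's own handler chain.
            args: Unused here; kept so the signature matches other plugins.

        Returns:
            list: registry items returned by ``self.parser.query_value_wd`` for
            ``QUERY_VALUE_LIST`` (expected to be registry_provider.registry_item
            objects), or an empty list when the hive is unsupported or the
            query yields nothing.
        """
        if not hive:
            logger.warning('Unsupported hive file')
            return []

        # Load required registry provider
        self.load_provider()

        # Lazy %-args: the message is only formatted when DEBUG is enabled.
        logger.debug('Plugin: %s -> Run(%s)', self.name, hive.hive_file_path)

        # Plugin-specific handler chain. Presumably <field> names the input
        # field and <rfield> the field the result is written to — confirm
        # against build_registry_handler.
        _plugin_reg_handler = build_registry_handler(
            registry_parser=self.parser,
            registry_handlers=
            'decrypt_teamviewer<field>value_content<rfield>value_content')

        registry_handler = self.choose_registry_handler(
            main_reg_handler=registry_handler,
            plugin_reg_handler=_plugin_reg_handler,
            merge=True)

        _items = self.parser.query_value_wd(value_path=QUERY_VALUE_LIST,
                                            hive=hive,
                                            plugin_name=self.name,
                                            reg_handler=registry_handler)

        # A query that yields None would make list.extend raise TypeError;
        # guard it the same way the sibling plugins do.
        return list(_items) if _items else []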
    def format_parsed_args(self):
        """Normalise the plugin's parsed command-line arguments in place.

        Does nothing when ``self.parsed_args`` is falsy. Otherwise it sets
        ``self.baseline_enabled`` when the baseline flag is on, converts the
        four key/value query parameters through ``param_to_list`` (double
        quotes stripped, ``join_list=True``), builds the registry handler
        object from the ``registry_handlers`` string when one was given, and
        reduces ``key_info`` to the first element of its ``param_to_list``
        result.
        """
        parsed = self.parsed_args
        if not parsed:
            return

        if parsed.baseline_enabled:
            self.baseline_enabled = True

        # Same conversion for all four query parameters, in the original order.
        for name in ('keys_to_query', 'values_to_query',
                     'keys_to_query_w', 'values_to_query_w'):
            converted = param_to_list(getattr(parsed, name),
                                      strip_char='"',
                                      join_list=True)
            setattr(parsed, name, converted)

        if parsed.registry_handlers:
            parsed.registry_handlers = build_registry_handler(
                registry_handlers=parsed.registry_handlers.strip('"'),
                registry_parser=self.parser,
                decode_param_from=parsed.rh_decode_param)

        if parsed.key_info:
            # NOTE(review): indexes [0] of the param_to_list result; if that
            # can be an empty list this raises IndexError — confirm.
            parsed.key_info = param_to_list(parsed.key_info,
                                            strip_char='"')[0]
    def run(self, hive, registry_handler=None, args=None) -> list:
        """Execute the plugin's value queries against the provided hive file.

        Args:
            hive: Hive object exposing ``hive_file_path`` and ``hive_type``;
                falsy or unsupported hives yield no items.
            registry_handler: Optional caller-supplied registry handler,
                resolved together with the plugin's own chain by
                ``choose_registry_handler``.
            args: Unused here; kept so the signature matches other plugins.

        Returns:
            list: registry items from ``self.parser.query_value_wd`` for
            ``QUERY_VALUE_LIST`` (expected to be
            registry_provider.registry_item objects), or an empty list when
            the hive is unsupported or the query yields nothing.
        """
        if not hive:
            logger.warning('Unsupported hive file')
            return []

        # Load required registry provider
        self.load_provider()

        logger.debug('Plugin: %s -> Run(%s)' % (self.name, hive.hive_file_path))

        if not self.is_hive_supported(hive=hive):
            logger.warning('Unsupported hive type: %s' % hive.hive_type)
            return []

        # Plugin-specific handler chain applied to value_content.
        plugin_handler = build_registry_handler(
            registry_parser=self.parser,
            registry_handlers="cit_dump<field>value_content,unescape_url<field>value_content",
        )

        chosen_handler = self.choose_registry_handler(
            main_reg_handler=registry_handler,
            plugin_reg_handler=plugin_handler)

        results = self.parser.query_value_wd(value_path=QUERY_VALUE_LIST,
                                             hive=hive,
                                             plugin_name=self.name,
                                             reg_handler=chosen_handler)

        # A falsy query result (None or empty) yields an empty list.
        return list(results) if results else []
    def format_parsed_args(self):
        """Expose the standard baseline and registry-handler parameters.

        Intended for plugins that have no plugin-specific parameters. Does
        nothing when ``self.parsed_args`` is falsy; otherwise sets
        ``self.baseline_enabled`` when the baseline flag is on and replaces
        the ``registry_handlers`` string with the object built by
        ``build_registry_handler``.
        """
        parsed = self.parsed_args
        if not parsed:
            return

        if parsed.baseline_enabled:
            self.baseline_enabled = True

        if parsed.registry_handlers:
            # NOTE(review): strips single quotes here while sibling plugins
            # strip double quotes ('"') — confirm which is intended.
            parsed.registry_handlers = build_registry_handler(
                registry_handlers=parsed.registry_handlers.strip("'"),
                registry_parser=self.parser,
                decode_param_from=parsed.rh_decode_param)
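    def format_parsed_args(self):
        """Normalise the plugin's parsed command-line arguments in place.

        Does nothing when ``self.parsed_args`` is falsy. Otherwise it sets
        ``self.baseline_enabled`` when the baseline flag is on, converts every
        attribute named in ``self.attribute_names_type_mapping`` through
        ``param_to_list`` (double quotes stripped, ``join_list=False``), and
        replaces the ``registry_handlers`` string with the object built by
        ``build_registry_handler`` when one was given.
        """
        if not self.parsed_args:
            return

        if self.parsed_args.baseline_enabled:
            self.baseline_enabled = True

        # Iterating the mapping directly yields its keys; .keys() was redundant.
        # Only the attribute names are used here; the mapped types are not
        # consulted by this method.
        for attr in self.attribute_names_type_mapping:
            converted = param_to_list(getattr(self.parsed_args, attr),
                                      strip_char='"',
                                      join_list=False)
            setattr(self.parsed_args, attr, converted)

        if self.parsed_args.registry_handlers:
            self.parsed_args.registry_handlers = build_registry_handler(
                registry_handlers=self.parsed_args.registry_handlers.strip(
                    '"'),
                registry_parser=self.parser,
                decode_param_from=self.parsed_args.rh_decode_param)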
    def run(self, hive, registry_handler=None, args=None) -> list:
        """Execute the plugin's key queries against the provided hive file.

        Args:
            hive: Hive object exposing ``hive_file_path`` and ``hive_type``;
                falsy or unsupported hives yield no items.
            registry_handler: Optional caller-supplied registry handler,
                resolved together with the plugin's own chain by
                ``choose_registry_handler``.
            args: Unused here; kept so the signature matches other plugins.

        Returns:
            list: registry items from ``self.parser.query_key_wd`` for
            ``QUERY_KEY_LIST``, or an empty list when the hive is unsupported
            or the query yields nothing.
        """
        if not hive:
            logger.warning('Unsupported hive file')
            return []

        # Load required registry provider
        self.load_provider()

        logger.debug('Plugin: %s -> Run(%s)' %
                     (self.name, hive.hive_file_path))

        if not self.is_hive_supported(hive=hive):
            logger.warning('Unsupported hive type: %s' % hive.hive_type)
            return []

        # Plugin-specific handler chain over value_raw_data, extended with the
        # custom handlers exported by the cit module.
        plugin_handler = build_registry_handler(
            registry_parser=self.parser,
            registry_handlers=
            'nothing<field>value_raw_data,ntfs_decompress<field>value_raw_data,cit_dump<field>value_raw_data<rfield>value_content',
            custom_handlers=cit.custom_registry_handlers)

        chosen_handler = self.choose_registry_handler(
            main_reg_handler=registry_handler,
            plugin_reg_handler=plugin_handler)

        results = self.parser.query_key_wd(key_path=QUERY_KEY_LIST,
                                           hive=hive,
                                           plugin_name=self.name,
                                           reg_handler=chosen_handler)

        # A falsy query result (None or empty) yields an empty list.
        return list(results) if results else []