  def _GetWinRegistryFromFileEntry(self, file_entry):
    """Builds a Windows Registry object from a file entry.

    Args:
      file_entry: A file entry object (instance of dfvfs.FileEntry) that
                  references a test file.

    Returns:
      A Windows Registry object (instance of dfwinreg.WinRegistry), or None
      when the file entry yields no file object or the file object cannot be
      opened as a Windows Registry file.
    """
    file_object = file_entry.GetFileObject()
    if not file_object:
      return None

    registry_file = winreg.FileObjectWinRegistryFileReader().Open(file_object)
    if not registry_file:
      # Nothing else holds the file object once Open has failed, so release
      # it here instead of leaking the handle.
      file_object.close()
      return None

    # On success the file object is deliberately left open: the registry file
    # presumably reads through it, so its lifetime is tied to the returned
    # registry and the caller is responsible for closing it.
    win_registry = dfwinreg_registry.WinRegistry()
    prefix = win_registry.GetRegistryFileMapping(registry_file)
    win_registry.MapFile(prefix, registry_file)
    return win_registry
    def testBuildFindSpecsWithRegistry(self):
        """Tests BuildFindSpecs with Windows Registry artifact sources.

        Builds the find specifications for two Registry artifact definitions,
        maps the SYSTEM test hive into a WinRegistry and checks how many key
        paths the searcher resolves from those specifications.
        """
        knowledge_base = knowledge_base_engine.KnowledgeBase()
        filters_helper = self._CreateTestArtifactDefinitionsFiltersHelper(
            knowledge_base)
        filters_helper.BuildFindSpecs(['TestRegistry', 'TestRegistryValue'])

        # The test definitions are expected to produce Registry find
        # specifications only: none for the file system and three for the
        # Registry.
        self.assertEqual(
            len(filters_helper.included_file_system_find_specs), 0)
        self.assertEqual(len(filters_helper.registry_find_specs), 3)

        system_hive_entry = self._GetTestFileEntry(['SYSTEM'])
        reader = windows_registry_parser.FileObjectWinRegistryFileReader()
        registry_file = reader.Open(system_hive_entry.GetFileObject())

        win_registry = dfwinreg_registry.WinRegistry()
        prefix = win_registry.GetRegistryFileMapping(registry_file)
        registry_file.SetKeyPathPrefix(prefix)
        win_registry.MapFile(prefix, registry_file)

        searcher = dfwinreg_registry_searcher.WinRegistrySearcher(win_registry)
        found_key_paths = list(
            searcher.Find(find_specs=filters_helper.registry_find_specs))

        self.assertIsNotNone(found_key_paths)
        self.assertEqual(len(found_key_paths), 5)
    def testBuildFindSpecsWithRegistry(self):
        """Tests BuildFindSpecs with a Windows Registry artifact definition.

        Builds the find specifications for one Registry artifact, reads them
        back from the knowledge base, maps the SYSTEM test hive into a
        WinRegistry and checks how many key paths the searcher resolves.
        """
        knowledge_base = knowledge_base_engine.KnowledgeBase()
        filter_helper = self._CreateTestArtifactDefinitionsFilterHelper(
            ['TestRegistry'], knowledge_base)
        filter_helper.BuildFindSpecs(environment_variables=None)

        # BuildFindSpecs publishes its result into the knowledge base, keyed
        # by source type; only the Registry key entries are of interest here.
        specs_by_source_type = knowledge_base.GetValue(
            filter_helper.KNOWLEDGE_BASE_VALUE)
        registry_find_specs = specs_by_source_type.get(
            artifact_types.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY, [])
        self.assertEqual(len(registry_find_specs), 1)

        system_hive_entry = self._GetTestFileEntry(['SYSTEM'])
        reader = windows_registry_parser.FileObjectWinRegistryFileReader()
        registry_file = reader.Open(system_hive_entry.GetFileObject())

        win_registry = dfwinreg_registry.WinRegistry()
        prefix = win_registry.GetRegistryFileMapping(registry_file)
        registry_file.SetKeyPathPrefix(prefix)
        win_registry.MapFile(prefix, registry_file)

        searcher = dfwinreg_registry_searcher.WinRegistrySearcher(win_registry)
        found_key_paths = list(searcher.Find(find_specs=registry_find_specs))

        self.assertIsNotNone(found_key_paths)
        # The single find specification is expected to match three keys.
        self.assertEqual(len(found_key_paths), 3)
    def Open(self):
        """Opens the Windows Registry file referenced by the file entry.

        On success the Registry file, the WinRegistry it is mapped into, the
        key path prefix, the file name, the file type and the root key are
        stored on the instance for the Registry helper to use.

        Raises:
          IOError: if a Registry file is already open, if the file entry
              yields no file object, or if the file object cannot be opened
              as a Windows Registry file.
        """
        if self._registry_file:
            raise IOError(u'Registry file already open.')

        file_object = self.file_entry.GetFileObject()
        if file_object:
            reader = winreg.FileObjectWinRegistryFileReader()
            self._registry_file = reader.Open(file_object)
            if not self._registry_file:
                # Nothing else references the file object after a failed
                # Open, so close it before reporting the error.
                file_object.close()

        if not self._registry_file:
            logging.error(
                u'Unable to open Registry file: {0:s} [{1:s}]'.format(
                    self.path, self._collector_name))
            raise IOError(u'Unable to open Registry file.')

        self._win_registry = dfwinreg_registry.WinRegistry()
        self._key_path_prefix = self._win_registry.GetRegistryFileMapping(
            self._registry_file)
        self._win_registry.MapFile(self._key_path_prefix, self._registry_file)

        self._registry_file_name = self.file_entry.name
        self._registry_file_type = self.GetRegistryFileType(
            self._registry_file)

        # The Registry helper expects the current key to point at the root key
        # as soon as the file is open, so position it here.
        self._currently_registry_key = self._registry_file.GetRootKey()