def ExtractEvents(self, parser_mediator, registry_key, **kwargs):
"""Extracts events from a Windows Registry key.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey): Windows Registry key.
"""
values_dict = {}
for registry_value in registry_key.GetValues():
# Ignore the default value.
if not registry_value.name:
continue
# Ignore any value that is empty or that does not contain a string.
if not registry_value.data or not registry_value.DataIsString():
continue
value_data = registry_value.GetDataAsObject()
values_dict[registry_value.name] = value_data
event_data = windows_events.WindowsRegistryEventData()
event_data.key_path = registry_key.path
event_data.offset = registry_key.offset
event_data.regvalue = values_dict
event_data.source_append = self._SOURCE_APPEND
event_data.urls = self.URLS
event = time_events.DateTimeValuesEvent(
registry_key.last_written_time, definitions.TIME_DESCRIPTION_WRITTEN)
parser_mediator.ProduceEventWithEventData(event, event_data)
def ExtractEvents(self, parser_mediator, registry_key, **kwargs):
"""Extracts events from a Windows Registry key.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey): Windows Registry key.
"""
if registry_key is None:
return
values_dict = {}
for value_name in self._VALUE_NAMES:
registry_value = registry_key.GetValueByName(value_name)
if not registry_value:
continue
value_data = registry_value.GetDataAsObject()
if value_data is None:
continue
values_dict[value_name] = value_data
event_data = windows_events.WindowsRegistryEventData()
event_data.key_path = registry_key.path
event_data.offset = registry_key.offset
event_data.regvalue = values_dict
event = time_events.DateTimeValuesEvent(
registry_key.last_written_time,
definitions.TIME_DESCRIPTION_WRITTEN)
parser_mediator.ProduceEventWithEventData(event, event_data)
def ExtractEvents(self, parser_mediator, registry_key, **kwargs):
"""Extracts events from a Windows Registry key.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey): Windows Registry key.
"""
values_dict = {}
for registry_value in registry_key.GetValues():
# Ignore the default value.
if not registry_value.name:
continue
# Ignore any value that is empty or that does not contain an integer.
if not registry_value.data or not registry_value.DataIsInteger():
continue
# TODO: change this 32-bit integer into something meaningful, for now
# the value name is the most interesting part.
value_integer = registry_value.GetDataAsObject()
values_dict[registry_value.name] = '0x{0:08x}'.format(value_integer)
event_data = windows_events.WindowsRegistryEventData()
event_data.key_path = registry_key.path
event_data.offset = registry_key.offset
event_data.regvalue = values_dict
event_data.source_append = self._SOURCE_APPEND
event = time_events.DateTimeValuesEvent(
registry_key.last_written_time, definitions.TIME_DESCRIPTION_WRITTEN)
parser_mediator.ProduceEventWithEventData(event, event_data)
def _ParseLogonApplications(self, parser_mediator, registry_key):
"""Parses the registered logon applications.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey): Windows Registry key.
"""
for application in self._LOGON_APPLICATIONS:
command_value = registry_key.GetValueByName(application)
if not command_value:
continue
values_dict = {
'Application': application,
'Command': command_value.GetDataAsObject(),
'Trigger': 'Logon'
}
event_data = windows_events.WindowsRegistryEventData()
event_data.key_path = registry_key.path
event_data.offset = registry_key.offset
event_data.regvalue = values_dict
event_data.source_append = ': Winlogon'
event = time_events.DateTimeValuesEvent(
registry_key.last_written_time,
definitions.TIME_DESCRIPTION_WRITTEN)
parser_mediator.ProduceEventWithEventData(event, event_data)
def _ProduceDefaultWindowsRegistryEvent(self,
parser_mediator,
registry_key,
names_to_skip=None):
"""Produces a default Windows Registry event.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey): Windows Registry key.
names_to_skip (Optional[list[str]]): names of values that should
be skipped.
"""
values_dict = self._GetValuesFromKey(parser_mediator,
registry_key,
names_to_skip=names_to_skip)
event_data = windows_events.WindowsRegistryEventData()
event_data.key_path = registry_key.path
event_data.values = ' '.join([
'{0:s}: {1!s}'.format(name, value)
for name, value in sorted(values_dict.items())
]) or None
event = time_events.DateTimeValuesEvent(
registry_key.last_written_time,
definitions.TIME_DESCRIPTION_WRITTEN)
parser_mediator.ProduceEventWithEventData(event, event_data)
def ExtractEvents(self, parser_mediator, registry_key, **kwargs):
"""Extracts events from a Windows Registry key.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey): Windows Registry key.
"""
values_dict = {}
for registry_value in registry_key.GetValues():
# Ignore any value not in the form: '[0-9]+'.
if (not registry_value.name
or not self._RE_VALUE_NAME.search(registry_value.name)):
continue
# Ignore any value that is empty or that does not contain a string.
if not registry_value.data or not registry_value.DataIsString():
continue
values_dict[registry_value.name] = registry_value.GetDataAsObject()
event_data = windows_events.WindowsRegistryEventData()
event_data.key_path = registry_key.path
event_data.offset = registry_key.offset
event_data.regvalue = values_dict
event_data.source_append = self._SOURCE_APPEND
event = time_events.DateTimeValuesEvent(
registry_key.last_written_time,
eventdata.EventTimestamp.WRITTEN_TIME)
parser_mediator.ProduceEventWithEventData(event, event_data)
def ExtractEvents(self, parser_mediator, registry_key, **kwargs):
"""Extracts events from a Windows Registry key.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey): Windows Registry key.
"""
values_dict = {}
for registry_value in registry_key.GetValues():
if not registry_value.name or not registry_value.data:
continue
if registry_value.name == 'UpdateKey':
self._ParseUpdateKeyValue(parser_mediator, registry_value,
registry_key.path)
else:
values_dict[
registry_value.name] = registry_value.GetDataAsObject()
event_data = windows_events.WindowsRegistryEventData()
event_data.key_path = registry_key.path
event_data.offset = registry_key.offset
event_data.regvalue = values_dict
event_data.source_append = self._SOURCE_APPEND
event_data.urls = self.URLS
event = time_events.DateTimeValuesEvent(
registry_key.last_written_time,
definitions.TIME_DESCRIPTION_WRITTEN)
parser_mediator.ProduceEventWithEventData(event, event_data)
def _ParseMRUListExKey(
self, parser_mediator, registry_key, codepage='cp1252'):
"""Extract event objects from a MRUListEx Registry key.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey): Windows Registry key.
codepage (Optional[str]): extended ASCII string codepage.
"""
values_dict = {}
for entry_index, entry_number in self._ParseMRUListExValue(registry_key):
# TODO: detect if list ends prematurely.
# MRU lists are terminated with 0xffffffff (-1).
if entry_number == 0xffffffff:
break
value_string = self._ParseMRUListExEntryValue(
parser_mediator, registry_key, entry_index, entry_number,
codepage=codepage)
value_text = 'Index: {0:d} [MRU Value {1:d}]'.format(
entry_index + 1, entry_number)
values_dict[value_text] = value_string
event_data = windows_events.WindowsRegistryEventData()
event_data.key_path = registry_key.path
event_data.offset = registry_key.offset
event_data.regvalue = values_dict
event_data.source_append = self._SOURCE_APPEND
event = time_events.DateTimeValuesEvent(
registry_key.last_written_time, definitions.TIME_DESCRIPTION_WRITTEN)
parser_mediator.ProduceEventWithEventData(event, event_data)
def ExtractEvents(self, parser_mediator, registry_key, **kwargs):
"""Extracts events from a Terminal Server Client Windows Registry key.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey): Windows Registry key.
"""
for subkey in registry_key.GetSubkeys():
username_value = subkey.GetValueByName('UsernameHint')
if (username_value and username_value.data and
username_value.DataIsString()):
username = username_value.GetDataAsObject()
else:
username = '******'
event_data = TerminalServerClientConnectionEventData()
event_data.key_path = subkey.path
event_data.username = username
event = time_events.DateTimeValuesEvent(
subkey.last_written_time, definitions.TIME_DESCRIPTION_WRITTEN)
parser_mediator.ProduceEventWithEventData(event, event_data)
values_dict = self._GetValuesFromKey(registry_key)
event_data = windows_events.WindowsRegistryEventData()
event_data.key_path = registry_key.path
event_data.values = ' '.join([
'{0:s}: {1!s}'.format(name, value)
for name, value in sorted(values_dict.items())]) or None
event = time_events.DateTimeValuesEvent(
registry_key.last_written_time, definitions.TIME_DESCRIPTION_WRITTEN)
parser_mediator.ProduceEventWithEventData(event, event_data)
def ExtractEvents(self, parser_mediator, registry_key, **kwargs):
"""Extracts events from a Windows Registry key.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey): Windows Registry key.
"""
values_dict = self._GetValuesFromKey(registry_key,
names_to_skip=['InstallDate'])
installation_time = None
registry_value = registry_key.GetValueByName('InstallDate')
if registry_value:
installation_time = registry_value.GetDataAsObject()
event_data = windows_events.WindowsRegistryEventData()
event_data.key_path = registry_key.path
event_data.values = ' '.join([
'{0:s}: {1!s}'.format(name, value)
for name, value in sorted(values_dict.items())
]) or None
event = time_events.DateTimeValuesEvent(
registry_key.last_written_time,
definitions.TIME_DESCRIPTION_WRITTEN)
parser_mediator.ProduceEventWithEventData(event, event_data)
# TODO: if not present indicate anomaly of missing installation
# date and time.
if installation_time is not None:
event_data = WindowsRegistryInstallationEventData()
event_data.key_path = registry_key.path
registry_value = registry_key.GetValueByName('CurrentBuildNumber')
if registry_value:
event_data.build_number = registry_value.GetDataAsObject()
registry_value = registry_key.GetValueByName('RegisteredOwner')
if registry_value:
event_data.owner = registry_value.GetDataAsObject()
registry_value = registry_key.GetValueByName('ProductName')
if registry_value:
event_data.product_name = registry_value.GetDataAsObject()
registry_value = registry_key.GetValueByName('CSDVersion')
if registry_value:
event_data.service_pack = registry_value.GetDataAsObject()
registry_value = registry_key.GetValueByName('CurrentVersion')
if registry_value:
event_data.version = registry_value.GetDataAsObject()
date_time = dfdatetime_posix_time.PosixTime(
timestamp=installation_time)
event = time_events.DateTimeValuesEvent(
date_time, definitions.TIME_DESCRIPTION_INSTALLATION)
parser_mediator.ProduceEventWithEventData(event, event_data)
def _ParseMRUListExKey(self,
parser_mediator,
registry_key,
codepage='cp1252'):
"""Extract event objects from a MRUListEx Registry key.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey): Windows Registry key.
codepage (Optional[str]): extended ASCII string codepage.
"""
try:
mrulistex = self._ParseMRUListExValue(registry_key)
except (ValueError, errors.ParseError) as exception:
parser_mediator.ProduceExtractionWarning(
'unable to parse MRUListEx value with error: {0!s}'.format(
exception))
return
if not mrulistex:
return
values_dict = {}
found_terminator = False
for entry_index, entry_number in enumerate(mrulistex):
# The MRU list is terminated with -1 (0xffffffff).
if entry_number == -1:
break
if found_terminator:
parser_mediator.ProduceExtractionWarning((
'found additional MRUListEx entries after terminator in key: '
'{0:s}.').format(registry_key.path))
# Only create one parser error per terminator.
found_terminator = False
value_string = self._ParseMRUListExEntryValue(parser_mediator,
registry_key,
entry_index,
entry_number,
codepage=codepage)
value_text = 'Index: {0:d} [MRU Value {1:d}]'.format(
entry_index + 1, entry_number)
values_dict[value_text] = value_string
event_data = windows_events.WindowsRegistryEventData()
event_data.key_path = registry_key.path
event_data.offset = registry_key.offset
event_data.regvalue = values_dict
event_data.source_append = self._SOURCE_APPEND
event = time_events.DateTimeValuesEvent(
registry_key.last_written_time,
definitions.TIME_DESCRIPTION_WRITTEN)
parser_mediator.ProduceEventWithEventData(event, event_data)
def ExtractEvents(self, parser_mediator, registry_key, **kwargs):
"""Extracts events from a Windows Registry key.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey): Windows Registry key.
"""
values_dict = {}
if registry_key.number_of_values == 0:
values_dict['Value'] = 'No values stored in key.'
else:
for registry_value in registry_key.GetValues():
value_name = registry_value.name or '(default)'
if registry_value.data is None:
value_string = '[{0:s}] Empty'.format(
registry_value.data_type_string)
elif registry_value.DataIsString():
value_string = registry_value.GetDataAsObject()
value_string = '[{0:s}] {1:s}'.format(
registry_value.data_type_string, value_string)
elif registry_value.DataIsInteger():
value_integer = registry_value.GetDataAsObject()
value_string = '[{0:s}] {1:d}'.format(
registry_value.data_type_string, value_integer)
elif registry_value.DataIsMultiString():
multi_string = registry_value.GetDataAsObject()
if not isinstance(multi_string, (list, tuple)):
value_string = '[{0:s}]'.format(
registry_value.data_type_string)
# TODO: Add a flag or some sort of an anomaly alert.
else:
value_string = '[{0:s}] {1:s}'.format(
registry_value.data_type_string,
''.join(multi_string))
else:
value_string = '[{0:s}]'.format(
registry_value.data_type_string)
values_dict[value_name] = value_string
event_data = windows_events.WindowsRegistryEventData()
event_data.key_path = registry_key.path
event_data.offset = registry_key.offset
event_data.regvalue = values_dict
event = time_events.DateTimeValuesEvent(
registry_key.last_written_time,
definitions.TIME_DESCRIPTION_WRITTEN)
parser_mediator.ProduceEventWithEventData(event, event_data)
def ExtractEvents(self, parser_mediator, registry_key, **kwargs):
"""Extracts events from a Windows Registry key.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey): Windows Registry key.
"""
event_data = windows_events.WindowsRegistryEventData()
event_data.key_path = registry_key.path
event_data.offset = registry_key.offset
event_data.urls = self.URLS
values_dict = {}
for registry_value in registry_key.GetValues():
value_name = registry_value.name or u'(default)'
if value_name == u'BootExecute':
# MSDN: claims that the data type of this value is REG_BINARY
# although REG_MULTI_SZ is known to be used as well.
if registry_value.DataIsString():
value_string = registry_value.GetDataAsObject()
elif registry_value.DataIsMultiString():
value_string = u''.join(registry_value.GetDataAsObject())
elif registry_value.DataIsBinaryData():
value_string = registry_value.GetDataAsObject()
else:
value_string = u''
error_string = (
u'Key: {0:s}, value: {1:s}: unsupported value data type: '
u'{2:s}.').format(
registry_key.path, value_name,
registry_value.data_type_string)
parser_mediator.ProduceExtractionError(error_string)
# TODO: why does this have a separate event object? Remove this.
event_data.regvalue = {u'BootExecute': value_string}
event = time_events.DateTimeValuesEvent(
registry_key.last_written_time,
definitions.TIME_DESCRIPTION_WRITTEN)
parser_mediator.ProduceEventWithEventData(event, event_data)
else:
values_dict[value_name] = registry_value.GetDataAsObject()
event_data.regvalue = values_dict
event = time_events.DateTimeValuesEvent(
registry_key.last_written_time, definitions.TIME_DESCRIPTION_WRITTEN)
parser_mediator.ProduceEventWithEventData(event, event_data)
def ExtractEvents(self, parser_mediator, registry_key, **kwargs):
"""Extracts events from a Terminal Server Client Windows Registry key.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey): Windows Registry key.
"""
mru_values_dict = {}
for subkey in registry_key.GetSubkeys():
username_value = subkey.GetValueByName(u'UsernameHint')
if (username_value and username_value.data
and username_value.DataIsString()):
username = username_value.GetDataAsObject()
else:
username = u'N/A'
mru_values_dict[subkey.name] = username
event_data = windows_events.WindowsRegistryEventData()
event_data.key_path = subkey.path
event_data.offset = subkey.offset
event_data.regvalue = {u'Username hint': username}
event_data.source_append = self._SOURCE_APPEND
event = time_events.DateTimeValuesEvent(
subkey.last_written_time,
eventdata.EventTimestamp.WRITTEN_TIME)
parser_mediator.ProduceEventWithEventData(event, event_data)
event_data = windows_events.WindowsRegistryEventData()
event_data.key_path = registry_key.path
event_data.offset = registry_key.offset
event_data.regvalue = mru_values_dict
event_data.source_append = self._SOURCE_APPEND
event = time_events.DateTimeValuesEvent(
registry_key.last_written_time,
eventdata.EventTimestamp.WRITTEN_TIME)
parser_mediator.ProduceEventWithEventData(event, event_data)
def ExtractEvents(self, parser_mediator, registry_key, **kwargs):
"""Extracts events from a Windows Registry key.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey): Windows Registry key.
"""
values_dict = self._GetValuesFromKey(registry_key,
names_to_skip=['BootExecute'])
boot_execute = None
registry_value = registry_key.GetValueByName('BootExecute')
if registry_value:
# MSDN: claims that the data type of this value is REG_BINARY
# although REG_MULTI_SZ is known to be used.
if registry_value.DataIsString():
boot_execute = registry_value.GetDataAsObject()
elif registry_value.DataIsMultiString():
boot_execute = ', '.join([
value for value in registry_value.GetDataAsObject() or []
])
else:
error_string = (
'Key: {0:s}, value: BootExecute: unsupported value data type: '
'{1:s}.').format(registry_key.path,
registry_value.data_type_string)
parser_mediator.ProduceExtractionWarning(error_string)
if boot_execute:
event_data = WindowsBootExecuteEventData()
event_data.key_path = (registry_key.path).replace("\\", "/")
event_data.value = boot_execute
event = time_events.DateTimeValuesEvent(
registry_key.last_written_time,
definitions.TIME_DESCRIPTION_WRITTEN)
parser_mediator.ProduceEventWithEventData(event, event_data)
if values_dict:
event_data = windows_events.WindowsRegistryEventData()
event_data.key_path = (registry_key.path).replace("\\", "/")
event_data.values = ' '.join([
'{0:s}: {1!s}'.format(name, value)
for name, value in sorted(values_dict.items())
])
event = time_events.DateTimeValuesEvent(
registry_key.last_written_time,
definitions.TIME_DESCRIPTION_WRITTEN)
parser_mediator.ProduceEventWithEventData(event, event_data)
def ExtractEvents(self, parser_mediator, registry_key, **kwargs):
"""Extracts events from a Windows Registry key.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey): Windows Registry key.
"""
values_dict = self._GetValuesFromKey(registry_key)
event_data = windows_events.WindowsRegistryEventData()
event_data.key_path = registry_key.path
event_data.values = ' '.join([
'{0:s}: {1!s}'.format(name, value)
for name, value in sorted(values_dict.items())]) or None
event = time_events.DateTimeValuesEvent(
registry_key.last_written_time, definitions.TIME_DESCRIPTION_WRITTEN)
parser_mediator.ProduceEventWithEventData(event, event_data)
def ExtractEvents(self, parser_mediator, registry_key, **kwargs):
"""Extracts events from a Windows Registry key.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey): Windows Registry key.
"""
registry_value = registry_key.GetValueByName(u'ProgramsCache')
if registry_value:
self._ParseValueData(parser_mediator, registry_key, registry_value)
registry_value = registry_key.GetValueByName(u'ProgramsCacheSMP')
if registry_value:
self._ParseValueData(parser_mediator, registry_key, registry_value)
registry_value = registry_key.GetValueByName(u'ProgramsCacheTBP')
if registry_value:
self._ParseValueData(parser_mediator, registry_key, registry_value)
values_dict = {}
for registry_value in registry_key.GetValues():
# Ignore the default value.
if not registry_value.name or registry_value.name in (
u'ProgramsCache', u'ProgramsCacheSMP',
u'ProgramsCacheTBP'):
continue
# Ignore any value that is empty or that does not contain a string.
if not registry_value.data or not registry_value.DataIsString():
continue
values_dict[registry_value.name] = registry_value.GetDataAsObject()
event_data = windows_events.WindowsRegistryEventData()
event_data.key_path = registry_key.path
event_data.offset = registry_key.offset
event_data.regvalue = values_dict
event = time_events.DateTimeValuesEvent(
registry_key.last_written_time,
eventdata.EventTimestamp.WRITTEN_TIME)
parser_mediator.ProduceEventWithEventData(event, event_data)
def ExtractEvents(self, parser_mediator, registry_key, **kwargs):
"""Extracts events from a Windows Registry key.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey): Windows Registry key.
"""
for subkey in registry_key.GetSubkeys():
name = subkey.name
if not name:
continue
values_dict = {}
values_dict[u'Volume'] = name
label_value = subkey.GetValueByName(u'_LabelFromReg')
if label_value:
values_dict[u'Label'] = label_value.GetDataAsObject()
if name.startswith(u'{'):
values_dict[u'Type'] = u'Volume'
elif name.startswith(u'#'):
# The format is: ##Server_Name#Share_Name.
values_dict[u'Type'] = u'Remote Drive'
server_name, _, share_name = name[2:].partition(u'#')
values_dict[u'Remote_Server'] = server_name
values_dict[u'Share_Name'] = u'\\{0:s}'.format(
share_name.replace(u'#', u'\\'))
else:
values_dict[u'Type'] = u'Drive'
event_data = windows_events.WindowsRegistryEventData()
event_data.key_path = registry_key.path
event_data.offset = subkey.offset
event_data.regvalue = values_dict
event_data.urls = self.URLS
event = time_events.DateTimeValuesEvent(
subkey.last_written_time, eventdata.EventTimestamp.WRITTEN_TIME)
parser_mediator.ProduceEventWithEventData(event, event_data)
def ExtractEvents(self, parser_mediator, registry_key, **kwargs):
"""Extracts events from a Windows Registry key.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey): Windows Registry key.
"""
for subkey in registry_key.GetSubkeys():
values_dict = {}
values_dict[u'subkey_name'] = subkey.name
vendor_identification = None
product_identification = None
try:
subkey_name_parts = subkey.name.split(u'&')
if len(subkey_name_parts) >= 2:
vendor_identification = subkey_name_parts[0]
product_identification = subkey_name_parts[1]
except ValueError as exception:
logging.warning(
u'Unable to split string: {0:s} with error: {1:s}'.format(
subkey.name, exception))
if vendor_identification and product_identification:
values_dict[u'vendor'] = vendor_identification
values_dict[u'product'] = product_identification
for devicekey in subkey.GetSubkeys():
values_dict[u'serial'] = devicekey.name
event_data = windows_events.WindowsRegistryEventData()
event_data.key_path = registry_key.path
event_data.offset = registry_key.offset
event_data.regvalue = values_dict
event_data.source_append = self._SOURCE_APPEND
# Last USB connection per USB device recorded in the Registry.
event = time_events.DateTimeValuesEvent(
devicekey.last_written_time,
definitions.TIME_DESCRIPTION_LAST_CONNECTED)
parser_mediator.ProduceEventWithEventData(event, event_data)
def ExtractEvents(self, parser_mediator, registry_key, **kwargs):
"""Extracts events from a Windows Registry key.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey): Windows Registry key.
"""
for subkey in registry_key.GetSubkeys():
drive_letter = subkey.name
if not drive_letter:
continue
values_dict = {
u'DriveLetter': drive_letter,
u'Type': u'Mapped Drive'
}
# Get the remote path if it exists.
remote_path_value = subkey.GetValueByName(u'RemotePath')
if remote_path_value:
remote_path = remote_path_value.GetDataAsObject()
if remote_path.startswith(u'\\\\'):
server_name, _, share_name = remote_path[2:].partition(
u'\\')
values_dict[u'RemoteServer'] = server_name
values_dict[u'ShareName'] = u'\\{0:s}'.format(
share_name.replace(u'#', u'\\'))
event_data = windows_events.WindowsRegistryEventData()
event_data.key_path = registry_key.path
event_data.offset = subkey.offset
event_data.regvalue = values_dict
event_data.source_append = self._SOURCE_APPEND
event_data.urls = self.URLS
event = time_events.DateTimeValuesEvent(
subkey.last_written_time,
eventdata.EventTimestamp.WRITTEN_TIME)
parser_mediator.ProduceEventWithEventData(event, event_data)
def ExtractEvents(self, parser_mediator, registry_key, **kwargs):
"""Extracts events from a Windows Registry key.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey): Windows Registry key.
"""
values_dict = {}
for registry_value in registry_key.GetValues():
value_name = registry_value.name or u'(default)'
values_dict[value_name] = registry_value.GetDataAsObject()
event_data = windows_events.WindowsRegistryEventData()
event_data.key_path = registry_key.path
event_data.offset = registry_key.offset
event_data.regvalue = values_dict
event_data.urls = self.URLS
event = time_events.DateTimeValuesEvent(
registry_key.last_written_time, definitions.TIME_DESCRIPTION_WRITTEN)
parser_mediator.ProduceEventWithEventData(event, event_data)
def _ParseRegisteredDLLs(self, parser_mediator, registry_key):
"""Parses the registered DLLs that receive event notifications.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey): Windows Registry key.
"""
notify_key = registry_key.GetSubkeyByName(u'Notify')
if not notify_key:
return
for subkey in notify_key.GetSubkeys():
for trigger in self._TRIGGERS:
handler_value = subkey.GetValueByName(trigger)
if not handler_value:
continue
values_dict = {
u'Application': subkey.name,
u'Handler': handler_value.GetDataAsObject(),
u'Trigger': trigger
}
command_value = subkey.GetValueByName(u'DllName')
if command_value:
values_dict[u'Command'] = command_value.GetDataAsObject()
event_data = windows_events.WindowsRegistryEventData()
event_data.key_path = subkey.path
event_data.offset = subkey.offset
event_data.regvalue = values_dict
event_data.source_append = u': Winlogon'
event = time_events.DateTimeValuesEvent(
subkey.last_written_time,
eventdata.EventTimestamp.WRITTEN_TIME)
parser_mediator.ProduceEventWithEventData(event, event_data)
def ExtractEvents(self, parser_mediator, registry_key, **kwargs):
"""Extracts events from a Windows Registry key.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey): Windows Registry key.
"""
image_path = None
registry_value = registry_key.GetValueByName('ImagePath')
if registry_value:
image_path = registry_value.GetDataAsObject()
if image_path:
event_data = WindowsBootVerificationEventData()
event_data.key_path = (registry_key.path).replace("\\", "/")
event_data.image_path = image_path
event = time_events.DateTimeValuesEvent(
registry_key.last_written_time,
definitions.TIME_DESCRIPTION_WRITTEN)
parser_mediator.ProduceEventWithEventData(event, event_data)
values_dict = self._GetValuesFromKey(registry_key,
names_to_skip=['ImagePath'])
if values_dict:
event_data = windows_events.WindowsRegistryEventData()
event_data.key_path = (registry_key.path).replace("\\", "/")
event_data.values = ' '.join([
'{0:s}: {1!s}'.format(name, value)
for name, value in sorted(values_dict.items())
]) or None
event = time_events.DateTimeValuesEvent(
registry_key.last_written_time,
definitions.TIME_DESCRIPTION_WRITTEN)
parser_mediator.ProduceEventWithEventData(event, event_data)
def ExtractEvents(self, parser_mediator, registry_key, **kwargs):
"""Extracts events from a Windows Registry key.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey): Windows Registry key.
"""
registry_value = registry_key.GetValueByName('ProgramsCache')
if registry_value:
self._ParseValueData(parser_mediator, registry_key, registry_value)
registry_value = registry_key.GetValueByName('ProgramsCacheSMP')
if registry_value:
self._ParseValueData(parser_mediator, registry_key, registry_value)
registry_value = registry_key.GetValueByName('ProgramsCacheTBP')
if registry_value:
self._ParseValueData(parser_mediator, registry_key, registry_value)
values_dict = self._GetValuesFromKey(registry_key)
for name in list(values_dict.keys()):
if name.lower() in ('programscache', 'programscachesmp',
'programscachetbp'):
del values_dict[name]
event_data = windows_events.WindowsRegistryEventData()
event_data.key_path = registry_key.path
event_data.values = ' '.join([
'{0:s}: {1!s}'.format(name, value)
for name, value in sorted(values_dict.items())
]) or None
event = time_events.DateTimeValuesEvent(
registry_key.last_written_time,
definitions.TIME_DESCRIPTION_WRITTEN)
parser_mediator.ProduceEventWithEventData(event, event_data)
def _ParseSubKey(
self, parser_mediator, registry_key, parent_path_segments,
codepage=u'cp1252'):
"""Extract event objects from a MRUListEx Registry key.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey): Windows Registry key.
parent_path_segments (list[str]): parent shell item path segments.
codepage (Optional[str]): extended ASCII string codepage.
"""
entry_numbers = {}
values_dict = {}
value_strings = {}
found_terminator = False
for index, entry_number in self._ParseMRUListExValue(
parser_mediator, registry_key):
if entry_number == 0xffffffff:
found_terminator = True
continue
if found_terminator:
parser_mediator.ProduceExtractionError((
u'Found additional MRUListEx entries after terminator '
u'in key: {0:s}.').format(registry_key.path))
# Only create one parser error per terminator.
found_terminator = False
path_segment = self._ParseMRUListExEntryValue(
parser_mediator, registry_key, index, entry_number, values_dict,
value_strings, parent_path_segments, codepage=codepage)
entry_numbers[entry_number] = path_segment
event_data = windows_events.WindowsRegistryEventData()
event_data.key_path = registry_key.path
event_data.offset = registry_key.offset
event_data.regvalue = values_dict
event_data.source_append = self._SOURCE_APPEND
event_data.urls = self.URLS
event = time_events.DateTimeValuesEvent(
registry_key.last_written_time, eventdata.EventTimestamp.WRITTEN_TIME)
parser_mediator.ProduceEventWithEventData(event, event_data)
for entry_number, path_segment in iter(entry_numbers.items()):
sub_key_name = u'{0:d}'.format(entry_number)
sub_key = registry_key.GetSubkeyByName(sub_key_name)
if not sub_key:
parser_mediator.ProduceExtractionError(
u'Missing BagMRU sub key: {0:d} in key: {1:s}.'.format(
entry_number, registry_key.path))
continue
parent_path_segments.append(path_segment)
self._ParseSubKey(
parser_mediator, sub_key, parent_path_segments, codepage=codepage)
parent_path_segments.pop()
def ExtractEvents(self, parser_mediator, registry_key, **kwargs):
"""Extracts events from a Windows Registry key.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey): Windows Registry key.
"""
installation_value = None
string_values = {}
for registry_value in registry_key.GetValues():
# Ignore the default value.
if not registry_value.name:
continue
if (registry_value.name == 'InstallDate'
and registry_value.DataIsInteger()):
installation_value = registry_value
continue
# Ignore any value that is empty or that does not contain a string.
if not registry_value.data or not registry_value.DataIsString():
continue
string_value_name = self._STRING_VALUE_NAME_STRINGS.get(
registry_value.name, None)
if not string_value_name:
continue
string_values[string_value_name] = registry_value.GetDataAsObject()
values_dict = {}
values_dict['Owner'] = string_values.get('owner', '')
values_dict['Product name'] = string_values.get('product_name', '')
values_dict['Service pack'] = string_values.get('service_pack', '')
values_dict['Windows Version Information'] = string_values.get(
'version', '')
event_data = windows_events.WindowsRegistryEventData()
event_data.key_path = registry_key.path
event_data.offset = registry_key.offset
event_data.regvalue = values_dict
event = time_events.DateTimeValuesEvent(
registry_key.last_written_time,
definitions.TIME_DESCRIPTION_WRITTEN)
parser_mediator.ProduceEventWithEventData(event, event_data)
# TODO: if not present indicate anomaly of missing installation
# date and time.
if installation_value:
event_data = windows_events.WindowsRegistryInstallationEventData()
event_data.key_path = registry_key.path
event_data.offset = registry_key.offset
event_data.owner = string_values.get('owner', None)
event_data.product_name = string_values.get('product_name', None)
event_data.service_pack = string_values.get('service_pack', None)
event_data.version = string_values.get('version', None)
installation_time = installation_value.GetDataAsObject()
date_time = dfdatetime_posix_time.PosixTime(
timestamp=installation_time)
event = time_events.DateTimeValuesEvent(
date_time, definitions.TIME_DESCRIPTION_INSTALLATION)
parser_mediator.ProduceEventWithEventData(event, event_data)
def ExtractEvents(self, parser_mediator, registry_key, **kwargs):
"""Extracts events from a Windows Registry key.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey): Windows Registry key.
"""
values_dict = {}
if registry_key.number_of_values > 0:
for registry_value in registry_key.GetValues():
value_name = registry_value.name or '(default)'
if registry_value.DataIsString():
value_string = '[{0:s}] {1:s}'.format(
registry_value.data_type_string, registry_value.GetDataAsObject())
elif registry_value.DataIsInteger():
value_string = '[{0:s}] {1:d}'.format(
registry_value.data_type_string, registry_value.GetDataAsObject())
elif registry_value.DataIsMultiString():
value_string = '[{0:s}] {1:s}'.format(
registry_value.data_type_string, ''.join(
registry_value.GetDataAsObject()))
else:
value_string = '[{0:s}]'.format(registry_value.data_type_string)
values_dict[value_name] = value_string
# Generate at least one event object for the key.
event_data = windows_events.WindowsRegistryEventData()
event_data.key_path = registry_key.path
event_data.offset = registry_key.offset
event_data.regvalue = values_dict
event_data.urls = self.URLS
event = time_events.DateTimeValuesEvent(
registry_key.last_written_time, definitions.TIME_DESCRIPTION_WRITTEN)
parser_mediator.ProduceEventWithEventData(event, event_data)
if registry_key.number_of_subkeys == 0:
error_string = 'Key: {0:s} missing subkeys.'.format(registry_key.path)
parser_mediator.ProduceExtractionError(error_string)
return
for zone_key in registry_key.GetSubkeys():
# TODO: these values are stored in the Description value of the
# zone key. This solution will break on zone values that are larger
# than 5.
path = '{0:s}\\{1:s}'.format(
registry_key.path, self._ZONE_NAMES[zone_key.name])
values_dict = {}
# TODO: this plugin currently just dumps the values and does not
# distinguish between what is a feature control or not.
for value in zone_key.GetValues():
# Ignore the default value.
if not value.name:
continue
if value.DataIsString():
value_string = value.GetDataAsObject()
elif value.DataIsInteger():
value_integer = value.GetDataAsObject()
if value.name in self._KNOWN_PERMISSIONS_VALUE_NAMES:
value_string = self._CONTROL_VALUES_PERMISSIONS.get(
value_integer, 'UNKNOWN')
elif value.name == '1A00':
value_string = self._CONTROL_VALUES_1A00.get(
value_integer, 'UNKNOWN')
elif value.name == '1C00':
value_string = self._CONTROL_VALUES_1C00.get(
value_integer, 'UNKNOWN')
elif value.name == '1E05':
value_string = self._CONTROL_VALUES_SAFETY.get(
value_integer, 'UNKNOWN')
else:
value_string = '{0:d}'.format(value_integer)
else:
value_string = '[{0:s}]'.format(value.data_type_string)
if len(value.name) == 4 and value.name != 'Icon':
value_description = self._FEATURE_CONTROLS.get(value.name, 'UNKNOWN')
else:
value_description = self._FEATURE_CONTROLS.get(value.name, '')
if value_description:
feature_control = '[{0:s}] {1:s}'.format(
value.name, value_description)
else:
feature_control = '[{0:s}]'.format(value.name)
values_dict[feature_control] = value_string
event_data = windows_events.WindowsRegistryEventData()
event_data.key_path = path
event_data.offset = zone_key.offset
event_data.regvalue = values_dict
event_data.urls = self.URLS
event = time_events.DateTimeValuesEvent(
zone_key.last_written_time, definitions.TIME_DESCRIPTION_WRITTEN)
parser_mediator.ProduceEventWithEventData(event, event_data)
def ExtractEvents(self, parser_mediator, registry_key, **kwargs):
"""Extracts events from a Windows Registry key.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey): Windows Registry key.
"""
dynamic_info_size_error_reported = False
tasks_key = registry_key.GetSubkeyByName(u'Tasks')
tree_key = registry_key.GetSubkeyByName(u'Tree')
if not tasks_key or not tree_key:
parser_mediator.ProduceExtractionError(
u'Task Cache is missing a Tasks or Tree sub key.')
return
task_guids = {}
for sub_key in tree_key.GetSubkeys():
for value_key, id_value in self._GetIdValue(sub_key):
# TODO: improve this check to a regex.
# The GUID is in the form {%GUID%} and stored an UTF-16 little-endian
# string and should be 78 bytes in size.
id_value_data_size = len(id_value.data)
if id_value_data_size != 78:
parser_mediator.ProduceExtractionError(
u'unsupported Id value data size: {0:d}.'.format(
id_value_data_size))
continue
guid_string = id_value.GetDataAsObject()
task_guids[guid_string] = value_key.name
for sub_key in tasks_key.GetSubkeys():
dynamic_info_value = sub_key.GetValueByName(u'DynamicInfo')
if not dynamic_info_value:
continue
dynamic_info_value_data_size = len(dynamic_info_value.data)
if dynamic_info_value_data_size == self._DYNAMIC_INFO_STRUCT_SIZE:
dynamic_info_struct = self._DYNAMIC_INFO_STRUCT.parse(
dynamic_info_value.data)
elif dynamic_info_value_data_size == self._DYNAMIC_INFO2_STRUCT_SIZE:
dynamic_info_struct = self._DYNAMIC_INFO_STRUCT.parse(
dynamic_info_value.data)
else:
if not dynamic_info_size_error_reported:
parser_mediator.ProduceExtractionError(
u'unsupported DynamicInfo value data size: {0:d}.'.
format(dynamic_info_value_data_size))
dynamic_info_size_error_reported = True
continue
name = task_guids.get(sub_key.name, sub_key.name)
values_dict = {}
values_dict[u'Task: {0:s}'.format(name)] = u'[ID: {0:s}]'.format(
sub_key.name)
event_data = windows_events.WindowsRegistryEventData()
event_data.key_path = registry_key.path
event_data.offset = registry_key.offset
event_data.regvalue = values_dict
event = time_events.DateTimeValuesEvent(
registry_key.last_written_time,
eventdata.EventTimestamp.WRITTEN_TIME)
parser_mediator.ProduceEventWithEventData(event, event_data)
event_data = TaskCacheEventData()
event_data.task_name = name
event_data.task_identifier = sub_key.name
last_registered_time = dynamic_info_struct.get(
u'last_registered_time')
if last_registered_time:
# Note this is likely either the last registered time or
# the update time.
date_time = dfdatetime_filetime.Filetime(
timestamp=last_registered_time)
event = time_events.DateTimeValuesEvent(
date_time, u'Last registered time')
parser_mediator.ProduceEventWithEventData(event, event_data)
launch_time = dynamic_info_struct.get(u'launch_time')
if launch_time:
# Note this is likely the launch time.
date_time = dfdatetime_filetime.Filetime(timestamp=launch_time)
event = time_events.DateTimeValuesEvent(
date_time, u'Launch time')
parser_mediator.ProduceEventWithEventData(event, event_data)
unknown_time = dynamic_info_struct.get(u'unknown_time')
if unknown_time:
date_time = dfdatetime_filetime.Filetime(
timestamp=unknown_time)
event = time_events.DateTimeValuesEvent(
date_time, eventdata.EventTimestamp.UNKNOWN)
parser_mediator.ProduceEventWithEventData(event, event_data)
def CreateTestEvents():
"""Creates events for testing.
Returns:
list[EventObject]: events.
"""
test_events = []
hostname = u'MYHOSTNAME'
data_type = u'test:event'
event = events.EventObject()
event.username = u'joesmith'
event.filename = u'c:/Users/joesmith/NTUSER.DAT'
event.hostname = hostname
event.timestamp = 0
event.data_type = data_type
event.text = u''
test_events.append(event)
filetime = dfdatetime_filetime.Filetime()
# TODO: move this to a WindowsRegistryEvent unit test.
event_data = windows_events.WindowsRegistryEventData()
event_data.key_path = u'MY AutoRun key'
event_data.hostname = hostname
event_data.regvalue = {u'Value': u'c:/Temp/evil.exe'}
filetime.CopyFromString(u'2012-04-20 22:38:46.929596')
event = time_events.DateTimeValuesEvent(
filetime, definitions.TIME_DESCRIPTION_WRITTEN)
_MergeEventAndEventData(event, event_data)
test_events.append(event)
event_data = windows_events.WindowsRegistryEventData()
event_data.key_path = u'HKEY_CURRENT_USER\\Secret\\EvilEmpire\\Malicious_key'
event_data.hostname = hostname
event_data.regvalue = {u'Value': u'send all the exes to the other world'}
filetime.CopyFromString(u'2012-04-20 23:56:46.929596')
event = time_events.DateTimeValuesEvent(
filetime, definitions.TIME_DESCRIPTION_WRITTEN)
_MergeEventAndEventData(event, event_data)
test_events.append(event)
event_data = windows_events.WindowsRegistryEventData()
event_data.key_path = u'HKEY_CURRENT_USER\\Windows\\Normal'
event_data.hostname = hostname
event_data.regvalue = {u'Value': u'run all the benign stuff'}
filetime.CopyFromString(u'2012-04-20 16:44:46')
event = time_events.DateTimeValuesEvent(
filetime, definitions.TIME_DESCRIPTION_WRITTEN)
_MergeEventAndEventData(event, event_data)
test_events.append(event)
timestamp = timelib.Timestamp.CopyFromString(u'2012-04-30 10:29:47.929596')
filename = u'c:/Temp/evil.exe'
attributes = {u'text': u'This log line reads ohh so much.'}
event = TestEvent(timestamp, attributes)
event.filename = filename
event.hostname = hostname
test_events.append(event)
timestamp = timelib.Timestamp.CopyFromString(u'2012-04-30 10:29:47.929596')
attributes = {u'text': u'Nothing of interest here, move on.'}
event = TestEvent(timestamp, attributes)
event.filename = filename
event.hostname = hostname
test_events.append(event)
timestamp = timelib.Timestamp.CopyFromString(u'2012-04-30 13:06:47.939596')
attributes = {
u'text': u'Mr. Evil just logged into the machine and got root.'
}
event = TestEvent(timestamp, attributes)
event.filename = filename
event.hostname = hostname
test_events.append(event)
timestamp = timelib.Timestamp.CopyFromString(u'2012-06-05 22:14:19.000000')
# TODO: refactor to use event data.
event = time_events.TimestampEvent(timestamp,
definitions.TIME_DESCRIPTION_WRITTEN,
data_type=u'text:entry')
event.hostname = u'nomachine'
event.offset = 12
event.body = (
u'This is a line by someone not reading the log line properly. And '
u'since this log line exceeds the accepted 80 chars it will be '
u'shortened.')
# TODO: fix missing body attribute
event.text = event.body
event.username = u'johndoe'
test_events.append(event)
return test_events
def ExtractEvents(self, parser_mediator, registry_key, **kwargs):
"""Extracts events from a Windows Registry key.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey): Windows Registry key.
"""
# TODO: Test other Office versions to make sure this plugin is applicable.
values_dict = {}
for registry_value in registry_key.GetValues():
# Ignore any value not in the form: 'Item [0-9]+'.
if not registry_value.name or not self._RE_VALUE_NAME.search(
registry_value.name):
continue
# Ignore any value that is empty or that does not contain a string.
if not registry_value.data or not registry_value.DataIsString():
continue
value_string = registry_value.GetDataAsObject()
values = self._RE_VALUE_DATA.findall(value_string)
# Values will contain a list containing a tuple containing 2 values.
if len(values) != 1 or len(values[0]) != 2:
continue
try:
timestamp = int(values[0][0], 16)
except ValueError:
parser_mediator.ProduceExtractionWarning(
('unable to convert filetime string to an integer for '
'value: {0:s}.').format(registry_value.name))
continue
event_data = OfficeMRUWindowsRegistryEventData()
event_data.key_path = registry_key.path
event_data.offset = registry_value.offset
# TODO: split value string in individual values.
event_data.value_string = value_string
values_dict[registry_value.name] = value_string
if not timestamp:
date_time = dfdatetime_semantic_time.SemanticTime('Not set')
else:
date_time = dfdatetime_filetime.Filetime(timestamp=timestamp)
# TODO: determine if this should be last written time.
event = time_events.DateTimeValuesEvent(
date_time, definitions.TIME_DESCRIPTION_WRITTEN)
parser_mediator.ProduceEventWithEventData(event, event_data)
event_data = windows_events.WindowsRegistryEventData()
event_data.key_path = registry_key.path
event_data.offset = registry_key.offset
event_data.regvalue = values_dict
event_data.source_append = self._SOURCE_APPEND
event = time_events.DateTimeValuesEvent(
registry_key.last_written_time,
definitions.TIME_DESCRIPTION_WRITTEN)
parser_mediator.ProduceEventWithEventData(event, event_data)