def ParseFileObject(self, parser_mediator, file_object, **kwargs): """Parses a Windows Registry file-like object. Args: parser_mediator: a parser mediator object (instance of ParserMediator). file_object: a file-like object. """ win_registry_reader = FileObjectWinRegistryFileReader() try: registry_file = win_registry_reader.Open(file_object) except IOError as exception: parser_mediator.ProduceParseError( u'unable to open Windows Registry file with error: {0:s}'. format(exception)) return win_registry = dfwinreg_registry.WinRegistry() key_path_prefix = win_registry.GetRegistryFileMapping(registry_file) registry_file.SetKeyPathPrefix(key_path_prefix) root_key = registry_file.GetRootKey() if not root_key: return try: self._ParseRecurseKeys(parser_mediator, root_key) except IOError as exception: parser_mediator.ProduceParseError(u'{0:s}'.format(exception))
def RunPlugins(cls, platform, file_system, mount_point, knowledge_base): """Runs the plugins for a specific platform. Args: platform: A string containing the supported operating system of the plugin. file_system: the file system object (instance of vfs.FileSystem) to be preprocessed. mount_point: the mount point path specification (instance of path.PathSpec) that refers to the base location of the file system. knowledge_base: A knowledge base object (instance of KnowledgeBase), which contains information from the source data needed for parsing. """ # TODO: bootstrap the artifact preprocessor. searcher = file_system_searcher.FileSystemSearcher(file_system, mount_point) for weight in cls._GetWeights(cls._plugin_classes, platform): for plugin_object in cls._GetPluginsByWeight( cls._plugin_classes, platform, weight): try: plugin_object.Run(searcher, knowledge_base) except (IOError, errors.PreProcessFail) as exception: logging.warning(( u'Unable to run preprocessor: {0:s} for attribute: {1:s} ' u'with error: {2:s}').format( plugin_object.plugin_name, plugin_object.ATTRIBUTE, exception)) # Run the Registry plugins separately so we do not have to open # Registry files in every plugin. if knowledge_base: pre_obj = knowledge_base.pre_obj path_attributes = pre_obj.__dict__ else: pre_obj = None path_attributes = None registry_file_reader = FileSystemWinRegistryFileReader( file_system, mount_point, path_attributes=path_attributes) win_registry = dfwinreg_registry.WinRegistry( registry_file_reader=registry_file_reader) for weight in cls._GetWeights(cls._registry_plugin_classes, platform): for plugin_object in cls._GetPluginsByWeight( cls._registry_plugin_classes, platform, weight): try: plugin_object.Run(win_registry, knowledge_base) except (IOError, errors.PreProcessFail) as exception: logging.warning(( u'Unable to run preprocessor: {0:s} for attribute: {1:s} ' u'with error: {2:s}').format( plugin_object.plugin_name, plugin_object.ATTRIBUTE, exception))
def __init__(self, file_entry, collector_name, knowledge_base_object, codepage=u'cp1252'): """Initialize the Registry helper. Args: file_entry: file entry object (instance of dfvfs.FileEntry). collector_name: the name of the collector, eg. TSK. knowledge_base_object: A knowledge base object (instance of KnowledgeBase), which contains information from the source data needed for parsing. codepage: optional codepage value used for the Registry file. The default is cp1252. """ self._Reset() self._codepage = codepage self._collector_name = collector_name self._key_path_prefix = u'' self._knowledge_base_object = knowledge_base_object self._registry_file = None self._registry_file_name = None self._registry_file_type = REGISTRY_FILE_TYPE_UNKNOWN self._win_registry = dfwinreg_registry.WinRegistry( backend=dfwinreg_registry.WinRegistry.BACKEND_PYREGF) self.file_entry = file_entry
def _GetWinRegistryFromFileEntry(self, file_entry): """Retrieves a Windows Registry from a file entry. Args: file_entry: A file entry object (instance of dfvfs.FileEntry) that references a test file. Returns: A Windows Registry object (instance of dfwinreg.WinRegistry) or None. """ file_object = file_entry.GetFileObject() if not file_object: return win_registry_reader = winreg.FileObjectWinRegistryFileReader() registry_file = win_registry_reader.Open(file_object) if not registry_file: file_object.close() return win_registry = dfwinreg_registry.WinRegistry() key_path_prefix = win_registry.GetRegistryFileMapping(registry_file) win_registry.MapFile(key_path_prefix, registry_file) return win_registry
def _GetKeyFromFileEntry(self, file_entry, key_path): """Retrieves a Windows Registry key from a file. Args: file_entry: A dfVFS file_entry object that references a test file. key_path: The path of the key to parse. Returns: A Windows Registry key (instance of WinRegKey). """ registry = dfwinreg_registry.WinRegistry( backend=dfwinreg_registry.WinRegistry.BACKEND_PYREGF) winreg_file = registry.OpenFileEntry(file_entry, codepage=u'cp1252') return winreg_file.GetKeyByPath(key_path)
def setUp(self): """Makes preparations before running an individual test.""" path_attributes = {u'systemroot': u'\\Windows'} file_system_builder = shared_test_lib.FakeFileSystemBuilder() file_system_builder.AddTestFile(u'/Windows/System32/config/SYSTEM', [u'SYSTEM']) mount_point = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_FAKE, location=u'/') registry_file_reader = manager.FileSystemWinRegistryFileReader( file_system_builder.file_system, mount_point, path_attributes=path_attributes) self._win_registry = dfwinreg_registry.WinRegistry( registry_file_reader=registry_file_reader)
def setUp(self): """Sets up the needed objects used throughout the test.""" path_attributes = {u'systemroot': u'/Windows'} file_data = self._ReadTestFile([u'SYSTEM']) self._fake_file_system = self._BuildSingleFileFakeFileSystem( u'/Windows/System32/config/SYSTEM', file_data) mount_point = fake_path_spec.FakePathSpec(location=u'/') self._searcher = file_system_searcher.FileSystemSearcher( self._fake_file_system, mount_point) registry_file_reader = dfwinreg_registry.SearcherWinRegistryFileReader( self._searcher, path_attributes=path_attributes) self._win_registry = dfwinreg_registry.WinRegistry( registry_file_reader=registry_file_reader)
def setUp(self): """Sets up the needed objects used throughout the test.""" pre_obj = event.PreprocessObject() pre_obj.systemroot = u'/Windows' file_data = self._ReadTestFile([u'SYSTEM']) self._fake_file_system = self._BuildSingleFileFakeFileSystem( u'/Windows/System32/config/SYSTEM', file_data) mount_point = fake_path_spec.FakePathSpec(location=u'/') self._searcher = file_system_searcher.FileSystemSearcher( self._fake_file_system, mount_point) registry_file_reader = dfwinreg_registry.WinRegistryFileReader( self._searcher, pre_obj=pre_obj) self._win_registry = dfwinreg_registry.WinRegistry( backend=dfwinreg_registry.WinRegistry.BACKEND_PYREGF, registry_file_reader=registry_file_reader)
def Open(self): """Opens a Windows Registry file. Raises: IOError: if the Windows Registry file cannot be opened. """ if self._registry_file: raise IOError(u'Registry file already open.') file_object = self.file_entry.GetFileObject() if not file_object: logging.error( u'Unable to open Registry file: {0:s} [{1:s}]'.format( self.path, self._collector_name)) raise IOError(u'Unable to open Registry file.') win_registry_reader = winreg.FileObjectWinRegistryFileReader() self._registry_file = win_registry_reader.Open(file_object) if not self._registry_file: file_object.close() logging.error( u'Unable to open Registry file: {0:s} [{1:s}]'.format( self.path, self._collector_name)) raise IOError(u'Unable to open Registry file.') self._win_registry = dfwinreg_registry.WinRegistry() self._key_path_prefix = self._win_registry.GetRegistryFileMapping( self._registry_file) self._win_registry.MapFile(self._key_path_prefix, self._registry_file) self._registry_file_name = self.file_entry.name self._registry_file_type = self.GetRegistryFileType( self._registry_file) # Retrieve the Registry file root key because the Registry helper # expects self._currently_registry_key to be set after # the Registry file is opened. self._currently_registry_key = self._registry_file.GetRootKey()
def ParseFileObject(self, parser_mediator, file_object, **kwargs): """Parses a Windows Registry file-like object. Args: parser_mediator: a parser mediator object (instance of ParserMediator). file_object: a file-like object. """ win_registry_reader = dfwinreg_registry.FileObjectWinRegistryFileReader( ) registry_file = win_registry_reader.Open(file_object) win_registry = dfwinreg_registry.WinRegistry() key_path_prefix = win_registry.GetRegistryFileMapping(registry_file) registry_file.SetKeyPathPrefix(key_path_prefix) root_key = registry_file.GetRootKey() if not root_key: return try: for registry_key in root_key.RecurseKeys(): # TODO: use a filter tree to optimize lookups. found_matching_plugin = False for plugin_object in self._plugins: if parser_mediator.abort: break if self._CanProcessKeyWithPlugin(registry_key, plugin_object): found_matching_plugin = True plugin_object.UpdateChainAndProcess( parser_mediator, registry_key) if not found_matching_plugin: self._default_plugin.UpdateChainAndProcess( parser_mediator, registry_key) except IOError as exception: parser_mediator.ProduceParseError(u'{0:s}'.format(exception))
def GetRegistryFilePaths(self, plugin_name=None, registry_file_type=None): """Returns a list of Registry paths. If the Registry file type is not set this functions attempts to determine it based on the presence of specific Registry keys. Args: plugin_name: optional string containing the name of the plugin or an empty string or None for all the types. The default is None. registry_file_type: optional Windows Registry file type string. The default is None, which represents auto-detect. Returns: A list of path names for Registry files. """ if self._parse_restore_points: restore_path = u'/System Volume Information/_restor.+/RP[0-9]+/snapshot/' else: restore_path = u'' if registry_file_type: types = [registry_file_type] else: types = self._GetRegistryTypes(plugin_name) # Gather the Registry files to fetch. paths = [] for reg_type in types: if reg_type == dfwinreg_definitions.REGISTRY_FILE_TYPE_NTUSER: paths.append(u'/Documents And Settings/.+/NTUSER.DAT') paths.append(u'/Users/.+/NTUSER.DAT') if restore_path: paths.append( u'{0:s}/_REGISTRY_USER_NTUSER.+'.format(restore_path)) elif reg_type == dfwinreg_definitions.REGISTRY_FILE_TYPE_SAM: paths.append(u'{sysregistry}/SAM') if restore_path: paths.append( u'{0:s}/_REGISTRY_MACHINE_SAM'.format(restore_path)) elif reg_type == dfwinreg_definitions.REGISTRY_FILE_TYPE_SECURITY: paths.append(u'{sysregistry}/SECURITY') if restore_path: paths.append(u'{0:s}/_REGISTRY_MACHINE_SECURITY'.format( restore_path)) elif reg_type == dfwinreg_definitions.REGISTRY_FILE_TYPE_SOFTWARE: paths.append(u'{sysregistry}/SOFTWARE') if restore_path: paths.append(u'{0:s}/_REGISTRY_MACHINE_SOFTWARE'.format( restore_path)) elif reg_type == dfwinreg_definitions.REGISTRY_FILE_TYPE_SYSTEM: paths.append(u'{sysregistry}/SYSTEM') if restore_path: paths.append( u'{0:s}/_REGISTRY_MACHINE_SYSTEM'.format(restore_path)) elif reg_type == dfwinreg_definitions.REGISTRY_FILE_TYPE_USRCLASS: paths.append( u'/Users/.+/AppData/Local/Microsoft/Windows/UsrClass.dat') # Expand all the paths. win_registry = dfwinreg_registry.WinRegistry() # TODO: deprecate usage of pre_obj. path_attributes = self.knowledge_base_object.pre_obj.__dict__ expanded_key_paths = [] for key_path in paths: try: expanded_key_path = win_registry.ExpandKeyPath( key_path, path_attributes) expanded_key_paths.append(expanded_key_path) except KeyError as exception: logging.error( u'Unable to expand key path: {0:s} with error: {1:s}'. format(key_path, exception)) return expanded_key_paths
def __init__(self): """Initializes a parser object.""" super(WinRegistryParser, self).__init__() self._plugins = WinRegistryParser.GetPluginList() self._win_registry = dfwinreg_registry.WinRegistry( backend=dfwinreg_registry.WinRegistry.BACKEND_PYREGF)
def setUp(self): """Sets up the needed objects used throughout the test.""" self._registry = registry.WinRegistry( backend=registry.WinRegistry.BACKEND_PYREGF)
def setUp(self): """Makes preparations before running an individual test.""" self._registry = registry.WinRegistry( registry_file_reader=TestWinRegistryFileReader())
def setUp(self): """Sets up the needed objects used throughout the test.""" self._registry = registry.WinRegistry( registry_file_reader=TestWinRegistryFileReader())