    def testMatch(self):
        """Tests the Match function.

        Exercises the filter against a key that has none, one and then both of
        the required value names; only the last state is expected to match.
        """
        values_filter = interface.WindowsRegistryKeyWithValuesFilter(
            ('a', 'MRUList'))

        registry_key = dfwinreg_fake.FakeWinRegistryKey(
            'Explorer', key_path='HKEY_LOCAL_MACHINE\\Software\\Windows\\MRU')

        # No values at all on the key: no match.
        self.assertFalse(values_filter.Match(registry_key))

        # Only one of the two required value names present: still no match.
        registry_key.AddValue(dfwinreg_fake.FakeWinRegistryValue(
            'MRUList', data_type=dfwinreg_definitions.REG_BINARY))
        self.assertFalse(values_filter.Match(registry_key))

        # Both required value names present: the key matches.
        registry_key.AddValue(dfwinreg_fake.FakeWinRegistryValue(
            'a', data_type=dfwinreg_definitions.REG_SZ))
        self.assertTrue(values_filter.Match(registry_key))
class ServicesPlugin(interface.WindowsRegistryPlugin):
  """Plug-in to format the Services and Drivers keys having Type and Start.

  One WindowsRegistryServiceEvent is produced per key that carries both a
  Type and a Start value. The ServiceDll of the Parameters subkey is added
  first; the string, integer and multi-string values found directly on the
  key follow.
  """

  NAME = u'windows_services'
  DESCRIPTION = u'Parser for services and drivers Registry data.'

  # TODO: use a key path prefix match here. Might be more efficient.
  # HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services
  FILTERS = frozenset([
      interface.WindowsRegistryKeyWithValuesFilter([
          u'Start', u'Type'])])

  URLS = [u'http://support.microsoft.com/kb/103000']

  def GetServiceDll(self, key):
    """Retrieves the service DLL of a service, if one is registered.

    The DLL path lives in the ServiceDll value of the Parameters subkey of the
    service key; the subkey and the value may both be absent.

    Args:
      key: A Windows Registry key (instance of dfwinreg.WinRegistryKey).

    Returns:
      The data of the ServiceDll value (a string containing the DLL path), or
      None when the Parameters subkey or the ServiceDll value does not exist.
    """
    parameters_key = key.GetSubkeyByName(u'Parameters')
    if not parameters_key:
      return None

    dll_value = parameters_key.GetValueByName(u'ServiceDll')
    return dll_value.GetDataAsObject() if dll_value else None

  def GetEntries(self, parser_mediator, registry_key, **kwargs):
    """Create one event for each subkey under Services that has Type and Start.

    Args:
      parser_mediator: A parser mediator object (instance of ParserMediator).
      registry_key: A Windows Registry key (instance of
                    dfwinreg.WinRegistryKey).
    """
    type_value = registry_key.GetValueByName(u'Type')
    start_value = registry_key.GetValueByName(u'Start')

    # Only keys carrying both Type and Start are treated as service entries;
    # anything else produces no event.
    if not (type_value and start_value):
      return

    service_values = {}

    # The ServiceDll comes from the Parameters subkey and is inserted before
    # the key's own values, so a same-named value directly on the key cannot
    # overwrite it (it is skipped by the membership test below).
    service_dll = self.GetServiceDll(registry_key)
    if service_dll:
      service_values[u'ServiceDll'] = service_dll

    # Collect the remaining string, integer and multi-string values as-is.
    # Values with other data types are left out.
    for registry_value in registry_key.GetValues():
      name = registry_value.name
      if not name or name in service_values:
        continue

      if registry_value.DataIsString() or registry_value.DataIsInteger():
        service_values[name] = registry_value.GetDataAsObject()
      elif registry_value.DataIsMultiString():
        # Flattened for display; elements containing ', ' are not
        # distinguishable from separate elements afterwards.
        service_values[name] = u', '.join(registry_value.GetDataAsObject())

    # Create a specific service event, so that we can recognize and expand
    # certain values when we're outputting the event.
    event_object = windows_events.WindowsRegistryServiceEvent(
        registry_key.last_written_time, registry_key.path, service_values,
        offset=registry_key.offset, urls=self.URLS)
    parser_mediator.ProduceEvent(event_object)
 def testKeyPaths(self):
     """Tests the key_paths property.

     A filter that selects keys by their value names carries no key paths.
     """
     value_names = ('a', 'MRUList')
     values_filter = interface.WindowsRegistryKeyWithValuesFilter(value_names)
     self.assertEqual(values_filter.key_paths, [])
 def testInitialize(self):
     """Tests the __init__ function.

     Constructing the filter from a tuple of value names must yield an object.
     """
     value_names = ('a', 'MRUList')
     values_filter = interface.WindowsRegistryKeyWithValuesFilter(value_names)
     self.assertIsNotNone(values_filter)
class ServicesPlugin(interface.WindowsRegistryPlugin):
  """Plug-in to format the Services and Drivers keys having Type and Start.

  One event is produced per key that carries both a Type and a Start value.
  The ServiceDll of the Parameters subkey is added first; the string, integer
  and multi-string values found directly on the key follow.
  """

  NAME = 'windows_services'
  DESCRIPTION = 'Parser for services and drivers Registry data.'

  # TODO: use a key path prefix match here. Might be more efficient.
  # HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services
  FILTERS = frozenset([
      interface.WindowsRegistryKeyWithValuesFilter([
          'Start', 'Type'])])

  URLS = ['http://support.microsoft.com/kb/103000']

  def GetServiceDll(self, key):
    """Retrieves the service DLL of a service, if one is registered.

    The DLL path lives in the ServiceDll value of the Parameters subkey of the
    service key; the subkey and the value may both be absent.

    Args:
      key (dfwinreg.WinRegistryKey): a Windows Registry key.

    Returns:
      str: path of the service DLL, or None when the Parameters subkey or the
          ServiceDll value does not exist.
    """
    parameters_key = key.GetSubkeyByName('Parameters')
    if not parameters_key:
      return None

    dll_value = parameters_key.GetValueByName('ServiceDll')
    return dll_value.GetDataAsObject() if dll_value else None

  def ExtractEvents(self, parser_mediator, registry_key, **kwargs):
    """Extracts events from a Windows Registry key.

    Args:
      parser_mediator (ParserMediator): mediates interactions between parsers
          and other components, such as storage and dfvfs.
      registry_key (dfwinreg.WinRegistryKey): Windows Registry key.
    """
    type_value = registry_key.GetValueByName('Type')
    start_value = registry_key.GetValueByName('Start')

    # Only keys carrying both Type and Start are treated as service entries;
    # anything else produces no event.
    if not (type_value and start_value):
      return

    service_values = {}

    # The ServiceDll comes from the Parameters subkey and is inserted before
    # the key's own values, so a same-named value directly on the key cannot
    # overwrite it (it is skipped by the membership test below).
    service_dll = self.GetServiceDll(registry_key)
    if service_dll:
      service_values['ServiceDll'] = service_dll

    # Collect the remaining string, integer and multi-string values as-is.
    # Values with other data types are left out.
    for registry_value in registry_key.GetValues():
      name = registry_value.name
      if not name or name in service_values:
        continue

      if registry_value.DataIsString() or registry_value.DataIsInteger():
        service_values[name] = registry_value.GetDataAsObject()
      elif registry_value.DataIsMultiString():
        # Flattened for display; elements containing ', ' are not
        # distinguishable from separate elements afterwards.
        service_values[name] = ', '.join(registry_value.GetDataAsObject())

    # Create a specific service event, so that we can recognize and expand
    # certain values when we're outputting the event.
    event_data = windows_events.WindowsRegistryServiceEventData()
    event_data.key_path = registry_key.path
    event_data.offset = registry_key.offset
    event_data.regvalue = service_values
    event_data.urls = self.URLS

    event = time_events.DateTimeValuesEvent(
        registry_key.last_written_time, definitions.TIME_DESCRIPTION_WRITTEN)
    parser_mediator.ProduceEventWithEventData(event, event_data)
class ServicesPlugin(interface.WindowsRegistryPlugin):
    """Plug-in to format the Services and Drivers keys having Type and Start.

    One event is produced per key that carries both a Type and a Start value.
    Type, Start, ErrorControl, ImagePath, ObjectName and the ServiceDll of the
    Parameters subkey become dedicated event attributes; every other value of
    the key is folded into a single "values" display string.
    """

    NAME = 'windows_services'
    DATA_FORMAT = 'Windows drivers and services Registry data'

    # TODO: use a key path prefix match here. Might be more efficient.
    # HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services
    FILTERS = frozenset(
        [interface.WindowsRegistryKeyWithValuesFilter(['Start', 'Type'])])

    def _GetServiceDll(self, key):
        """Retrieves the service DLL value.

        The DLL path lives in the ServiceDll value of the Parameters subkey of
        the service key; the subkey and the value may both be absent.

        Args:
            key (dfwinreg.WinRegistryKey): a Windows Registry key.

        Returns:
            str: path of the service DLL, or None when the Parameters subkey
                or the ServiceDll value does not exist.
        """
        parameters_key = key.GetSubkeyByName('Parameters')
        if not parameters_key:
            return None

        dll_value = parameters_key.GetValueByName('ServiceDll')
        return dll_value.GetDataAsObject() if dll_value else None

    def ExtractEvents(self, parser_mediator, registry_key, **kwargs):
        """Extracts events from a Windows Registry key.

        Args:
            parser_mediator (ParserMediator): mediates interactions between
                parsers and other components, such as storage and dfvfs.
            registry_key (dfwinreg.WinRegistryKey): Windows Registry key.
        """
        type_value = registry_key.GetValueByName('Type')
        start_value = registry_key.GetValueByName('Start')

        service_type = type_value.GetDataAsObject() if type_value else None
        start_type = start_value.GetDataAsObject() if start_value else None

        # Both Type and Start are required to describe a service; keys lacking
        # either are skipped without producing an event.
        if service_type is None or start_type is None:
            # TODO: generate extraction warning.
            return

        # Create a specific service event, so that we can recognize and expand
        # certain values when we're outputting the event.
        event_data = WindowsRegistryServiceEventData()
        event_data.key_path = registry_key.path
        event_data.name = registry_key.name
        event_data.service_type = service_type
        event_data.service_dll = self._GetServiceDll(registry_key)
        event_data.start_type = start_type

        # ErrorControl, ImagePath and ObjectName get attributes of their own;
        # each is only set when the value exists on the key.
        promoted_values = (
            ('ErrorControl', 'error_control'),
            ('ImagePath', 'image_path'),
            ('ObjectName', 'object_name'))
        for value_name, attribute_name in promoted_values:
            registry_value = registry_key.GetValueByName(value_name)
            if registry_value:
                setattr(
                    event_data, attribute_name,
                    registry_value.GetDataAsObject())

        # The remaining values are collected by _GetValuesFromKey, which is
        # defined outside this class; the promoted names are excluded so they
        # are not reported twice.
        values_dict = self._GetValuesFromKey(
            parser_mediator, registry_key,
            names_to_skip=[
                'ErrorControl', 'ImagePath', 'ObjectName', 'Start', 'Type'])

        # Flatten what is left into one sorted "name: value" display string,
        # or None when nothing remains.
        formatted_values = [
            '{0:s}: {1!s}'.format(name, value)
            for name, value in sorted(values_dict.items())]
        event_data.values = ' '.join(formatted_values) or None

        event = time_events.DateTimeValuesEvent(
            registry_key.last_written_time,
            definitions.TIME_DESCRIPTION_WRITTEN)
        parser_mediator.ProduceEventWithEventData(event, event_data)
class ServicesPlugin(interface.WindowsRegistryPlugin):
    """Plug-in to format the Services and Drivers keys having Type and Start.

    One event is produced per key that carries both a Type and a Start value.
    Type, Start, ErrorControl, ImagePath, ObjectName and the ServiceDll of the
    Parameters subkey become dedicated event attributes; every other string,
    integer or multi-string value of the key is folded into a single "values"
    display string.

    Also see:
        http://support.microsoft.com/kb/103000
    """

    NAME = 'windows_services'
    DESCRIPTION = 'Parser for services and drivers Registry data.'

    # TODO: use a key path prefix match here. Might be more efficient.
    # HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services
    FILTERS = frozenset(
        [interface.WindowsRegistryKeyWithValuesFilter(['Start', 'Type'])])

    def _GetServiceDll(self, key):
        """Retrieves the service DLL value.

        The DLL path lives in the ServiceDll value of the Parameters subkey of
        the service key; the subkey and the value may both be absent.

        Args:
            key (dfwinreg.WinRegistryKey): a Windows Registry key.

        Returns:
            str: path of the service DLL, or None when the Parameters subkey
                or the ServiceDll value does not exist.
        """
        parameters_key = key.GetSubkeyByName('Parameters')
        if not parameters_key:
            return None

        dll_value = parameters_key.GetValueByName('ServiceDll')
        return dll_value.GetDataAsObject() if dll_value else None

    def _GetValuesFromKey(self, registry_key):
        """Retrieves the values from a Windows Registry key.

        Unnamed values (the key's default value) and the five values that
        ExtractEvents exposes as dedicated attributes are skipped. Only
        string, integer and multi-string data is kept; values with other data
        types (binary, for example) are dropped.

        Args:
            registry_key (dfwinreg.WinRegistryKey): Windows Registry key.

        Returns:
            dict[str, object]: names and data of the remaining values. A
                multi-string is flattened to a ', '-joined string, or '[]'
                when it is empty.
        """
        # Compared case-insensitively, since these names are fetched
        # separately in ExtractEvents and must not be reported twice.
        skipped_names = frozenset([
            'errorcontrol', 'imagepath', 'objectname', 'start', 'type'])

        values_dict = {}
        for registry_value in registry_key.GetValues():
            name = registry_value.name
            if not name or name.lower() in skipped_names:
                continue

            data = registry_value.GetDataAsObject()
            if registry_value.DataIsString() or registry_value.DataIsInteger():
                values_dict[name] = data
            elif registry_value.DataIsMultiString():
                values_dict[name] = ', '.join(data) if data else '[]'

        return values_dict

    def ExtractEvents(self, parser_mediator, registry_key, **kwargs):
        """Extracts events from a Windows Registry key.

        Args:
            parser_mediator (ParserMediator): mediates interactions between
                parsers and other components, such as storage and dfvfs.
            registry_key (dfwinreg.WinRegistryKey): Windows Registry key.
        """
        type_value = registry_key.GetValueByName('Type')
        start_value = registry_key.GetValueByName('Start')

        service_type = type_value.GetDataAsObject() if type_value else None
        start_type = start_value.GetDataAsObject() if start_value else None

        # Both Type and Start are required to describe a service; keys lacking
        # either are skipped without producing an event.
        if service_type is None or start_type is None:
            # TODO: generate extraction warning.
            return

        # Create a specific service event, so that we can recognize and expand
        # certain values when we're outputting the event.
        event_data = WindowsRegistryServiceEventData()
        event_data.key_path = registry_key.path
        event_data.name = registry_key.name
        event_data.service_type = service_type
        event_data.service_dll = self._GetServiceDll(registry_key)
        event_data.start_type = start_type

        # ErrorControl, ImagePath and ObjectName get attributes of their own;
        # each is only set when the value exists on the key.
        promoted_values = (
            ('ErrorControl', 'error_control'),
            ('ImagePath', 'image_path'),
            ('ObjectName', 'object_name'))
        for value_name, attribute_name in promoted_values:
            registry_value = registry_key.GetValueByName(value_name)
            if registry_value:
                setattr(
                    event_data, attribute_name,
                    registry_value.GetDataAsObject())

        # Flatten the remaining values into one sorted "name: value" display
        # string, or None when nothing remains. This is for presentation, not
        # a parseable encoding.
        values_dict = self._GetValuesFromKey(registry_key)
        formatted_values = [
            '{0:s}: {1!s}'.format(name, value)
            for name, value in sorted(values_dict.items())]
        event_data.values = ' '.join(formatted_values) or None

        event = time_events.DateTimeValuesEvent(
            registry_key.last_written_time,
            definitions.TIME_DESCRIPTION_WRITTEN)
        parser_mediator.ProduceEventWithEventData(event, event_data)