def _GetWinRegistryFromFileEntry(self, file_entry):
  """Retrieves a Windows Registry from a file entry.

  The file object behind the file entry is handed to a
  FileObjectWinRegistryFileReader. On success the resulting Registry file is
  mapped into a new WinRegistry under the key path prefix that the registry
  itself derives for the file.

  Args:
    file_entry: A file entry object (instance of dfvfs.FileEntry) that
        references a test file.

  Returns:
    A Windows Registry object (instance of dfwinreg.WinRegistry) or None when
    the file entry yields no file object or the reader cannot open it.
  """
  file_object = file_entry.GetFileObject()
  if not file_object:
    return None

  reader = winreg.FileObjectWinRegistryFileReader()
  registry_file = reader.Open(file_object)
  if registry_file:
    win_registry = dfwinreg_registry.WinRegistry()
    prefix = win_registry.GetRegistryFileMapping(registry_file)
    win_registry.MapFile(prefix, registry_file)
    return win_registry

  # Nothing else holds the file object after a failed open, so release it
  # here rather than leaving it to the caller.
  file_object.close()
  return None
def testBuildFindSpecsWithRegistry(self):
  """Tests the BuildFindSpecs function on Windows Registry sources.

  Builds find specifications for the 'TestRegistry' and 'TestRegistryValue'
  artifact definitions, runs them against the SYSTEM test hive and checks
  how many key paths match.
  """
  knowledge_base = knowledge_base_engine.KnowledgeBase()
  filters_helper = self._CreateTestArtifactDefinitionsFiltersHelper(
      knowledge_base)
  filters_helper.BuildFindSpecs(['TestRegistry', 'TestRegistryValue'])

  # Both artifacts are Registry sources: no file system find specifications
  # are expected, three Registry find specifications are.
  self.assertEqual(len(filters_helper.included_file_system_find_specs), 0)
  self.assertEqual(len(filters_helper.registry_find_specs), 3)

  reader = windows_registry_parser.FileObjectWinRegistryFileReader()
  file_entry = self._GetTestFileEntry(['SYSTEM'])
  file_object = file_entry.GetFileObject()
  registry_file = reader.Open(file_object)

  # The key path prefix is set on the Registry file before it is mapped so
  # the searcher resolves the find specifications against full key paths.
  win_registry = dfwinreg_registry.WinRegistry()
  prefix = win_registry.GetRegistryFileMapping(registry_file)
  registry_file.SetKeyPathPrefix(prefix)
  win_registry.MapFile(prefix, registry_file)

  searcher = dfwinreg_registry_searcher.WinRegistrySearcher(win_registry)
  matches = searcher.Find(find_specs=filters_helper.registry_find_specs)
  key_paths = list(matches)

  self.assertIsNotNone(key_paths)
  self.assertEqual(len(key_paths), 5)
def testBuildFindSpecsWithRegistry(self):
  """Tests the BuildFindSpecs function on Windows Registry artifacts.

  Builds the find specifications for the 'TestRegistry' artifact definition,
  reads them back from the knowledge base by source type, runs them against
  the SYSTEM test hive and checks how many key paths match.
  """
  knowledge_base = knowledge_base_engine.KnowledgeBase()
  filter_helper = self._CreateTestArtifactDefinitionsFilterHelper(
      ['TestRegistry'], knowledge_base)
  filter_helper.BuildFindSpecs(environment_variables=None)

  # The helper stores its find specifications in the knowledge base, keyed
  # by artifact source type.
  per_source_type = knowledge_base.GetValue(
      filter_helper.KNOWLEDGE_BASE_VALUE)
  registry_key_type = artifact_types.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY
  find_specs = per_source_type.get(registry_key_type, [])
  self.assertEqual(len(find_specs), 1)

  reader = windows_registry_parser.FileObjectWinRegistryFileReader()
  file_entry = self._GetTestFileEntry(['SYSTEM'])
  file_object = file_entry.GetFileObject()
  registry_file = reader.Open(file_object)

  # The key path prefix is set on the Registry file before it is mapped so
  # the searcher resolves the find specifications against full key paths.
  win_registry = dfwinreg_registry.WinRegistry()
  prefix = win_registry.GetRegistryFileMapping(registry_file)
  registry_file.SetKeyPathPrefix(prefix)
  win_registry.MapFile(prefix, registry_file)

  searcher = dfwinreg_registry_searcher.WinRegistrySearcher(win_registry)
  key_paths = list(searcher.Find(find_specs=find_specs))

  self.assertIsNotNone(key_paths)
  # The single find specification matches three key paths in the test hive.
  self.assertEqual(len(key_paths), 3)
def Open(self):
  """Opens a Windows Registry file.

  Reads the file object behind self.file_entry with a
  FileObjectWinRegistryFileReader, maps the resulting Registry file into a
  new WinRegistry under the prefix the registry derives for it, and records
  the file name, file type and root key on the helper.

  Raises:
    IOError: if a Registry file is already open on this helper, or if the
        Windows Registry file cannot be opened.
  """
  if self._registry_file:
    raise IOError(u'Registry file already open.')

  file_object = self.file_entry.GetFileObject()
  if file_object:
    reader = winreg.FileObjectWinRegistryFileReader()
    self._registry_file = reader.Open(file_object)
    if not self._registry_file:
      # The reader did not keep the file object, so close it before failing.
      file_object.close()

  # Either the file entry yielded no file object or the reader rejected it;
  # both are reported the same way, with the collector name for context.
  if not file_object or not self._registry_file:
    logging.error(
        u'Unable to open Registry file: {0:s} [{1:s}]'.format(
            self.path, self._collector_name))
    raise IOError(u'Unable to open Registry file.')

  win_registry = dfwinreg_registry.WinRegistry()
  self._key_path_prefix = win_registry.GetRegistryFileMapping(
      self._registry_file)
  win_registry.MapFile(self._key_path_prefix, self._registry_file)
  self._win_registry = win_registry

  self._registry_file_name = self.file_entry.name
  self._registry_file_type = self.GetRegistryFileType(self._registry_file)

  # The Registry helper expects self._currently_registry_key to point at the
  # root key once the Registry file is open.
  self._currently_registry_key = self._registry_file.GetRootKey()