    def _RunPreprocessorPluginOnWindowsRegistryValue(self, file_system,
                                                     mount_point, plugin):
        """Runs a preprocessor plugin on a Windows Registry value.

        Opens the Windows Registry files found on the given file system,
        wraps them in a Registry searcher and lets the plugin collect its
        results into a fresh knowledge base.

        Args:
          file_system (dfvfs.FileSystem): file system to be preprocessed.
          mount_point (dfvfs.PathSpec): mount point path specification that
              refers to the base location of the file system.
          plugin (ArtifactPreprocessorPlugin): preprocessor plugin.

        Returns:
          KnowledgeBase: knowledge base filled with preprocessing information.

        Raises:
          AssertionError: if the artifact definition named by the plugin is
              not known to the artifacts registry (via assertIsNotNone).
        """
        definition = self._artifacts_registry.GetDefinitionByName(
            plugin.ARTIFACT_DEFINITION_NAME)
        # Fail the test here rather than letting a None definition reach
        # plugin.Collect().
        self.assertIsNotNone(definition)

        # Only %SystemRoot% is supplied to the Registry file reader; the
        # Registry file locations resolved by these tests are assumed not to
        # depend on any other environment variable.
        system_root = artifacts.EnvironmentVariableArtifact(
            case_sensitive=False, name='SystemRoot', value='C:\\Windows')
        file_reader = manager.FileSystemWinRegistryFileReader(
            file_system, mount_point, environment_variables=[system_root])
        win_registry = dfwinreg_registry.WinRegistry(
            registry_file_reader=file_reader)

        result = knowledge_base.KnowledgeBase()
        plugin.Collect(
            result, definition,
            registry_searcher.WinRegistrySearcher(win_registry))
        return result
    def _RunWindowsRegistryPlugin(self, file_system, mount_point, plugin):
        """Runs a Windows Registry preprocess plugin.

        Opens the Windows Registry files found on the given file system and
        hands the resulting Registry to the plugin together with a fresh
        knowledge base that the plugin fills in.

        Args:
          file_system (dfvfs.FileSystem): file system to be preprocessed.
          mount_point (dfvfs.PathSpec): mount point path specification that
              refers to the base location of the file system.
          plugin (PreprocessPlugin): preprocess plugin.

        Returns:
          KnowledgeBase: knowledge base filled with preprocessing information.
        """
        # Only %SystemRoot% is supplied to the Registry file reader; the
        # Registry file locations resolved by these tests are assumed not to
        # depend on any other environment variable.
        system_root = artifacts.EnvironmentVariableArtifact(
            case_sensitive=False, name=u'SystemRoot', value=u'C:\\Windows')
        file_reader = manager.FileSystemWinRegistryFileReader(
            file_system, mount_point, environment_variables=[system_root])
        win_registry = dfwinreg_registry.WinRegistry(
            registry_file_reader=file_reader)

        result = knowledge_base.KnowledgeBase()
        plugin.Run(win_registry, result)
        return result
文件: windows.py 项目: kr11/plaso
    def setUp(self):
        """Makes preparations before running an individual test.

        Builds an in-memory fake file system holding a single SYSTEM Registry
        hive and opens a Windows Registry on top of it, stored in
        self._win_registry for the individual tests to use. Using the fake
        file system keeps the tests independent of any real disk image.
        """
        # The Registry file reader resolves \Windows relative to the fake
        # mount point below.
        path_attributes = {u'systemroot': u'\\Windows'}

        builder = shared_test_lib.FakeFileSystemBuilder()
        builder.AddTestFile(
            u'/Windows/System32/config/SYSTEM', [u'SYSTEM'])

        fake_mount_point = path_spec_factory.Factory.NewPathSpec(
            dfvfs_definitions.TYPE_INDICATOR_FAKE, location=u'/')
        file_reader = manager.FileSystemWinRegistryFileReader(
            builder.file_system, fake_mount_point,
            path_attributes=path_attributes)

        self._win_registry = dfwinreg_registry.WinRegistry(
            registry_file_reader=file_reader)
    def _RunPreprocessorPluginOnWindowsRegistryValue(self, file_system,
                                                     mount_point,
                                                     storage_writer, plugin):
        """Runs a preprocessor plugin on a Windows Registry value.

        Opens the Windows Registry files found on the given file system,
        wraps them in a Registry searcher and lets the plugin collect its
        results through a preprocess mediator backed by a fresh session and
        knowledge base.

        Args:
          file_system (dfvfs.FileSystem): file system to be preprocessed.
          mount_point (dfvfs.PathSpec): mount point path specification that
              refers to the base location of the file system.
          storage_writer (StorageWriter): storage writer.
          plugin (ArtifactPreprocessorPlugin): preprocessor plugin.

        Returns:
          PreprocessMediator: preprocess mediator the plugin collected into.

        Raises:
          AssertionError: if the artifact definition named by the plugin is
              not known to the artifacts registry (via assertIsNotNone).
        """
        definition = self._artifacts_registry.GetDefinitionByName(
            plugin.ARTIFACT_DEFINITION_NAME)
        # Fail the test here rather than letting a None definition reach
        # plugin.Collect().
        self.assertIsNotNone(definition)

        # Only %SystemRoot% is supplied to the Registry file reader; the
        # Registry file locations resolved by these tests are assumed not to
        # depend on any other environment variable.
        system_root = artifacts.EnvironmentVariableArtifact(
            case_sensitive=False, name='SystemRoot', value='C:\\Windows')
        file_reader = manager.FileSystemWinRegistryFileReader(
            file_system, mount_point, environment_variables=[system_root])
        win_registry = dfwinreg_registry.WinRegistry(
            registry_file_reader=file_reader)

        test_mediator = mediator.PreprocessMediator(
            sessions.Session(), storage_writer,
            knowledge_base.KnowledgeBase())

        plugin.Collect(
            test_mediator, definition,
            registry_searcher.WinRegistrySearcher(win_registry))
        return test_mediator