def _generator(self, layer_name, symbol_table, hive_offsets): chunk_size = 0x500000 for hive in hivelist.HiveList.list_hives(self.context, self.config_path, layer_name=layer_name, symbol_table=symbol_table, hive_offsets=hive_offsets): maxaddr = hive.hive.Storage[0].Length hive_name = self._sanitize_hive_name(hive.get_name()) filedata = plugins.FileInterface('registry.{}.{}.hive'.format( hive_name, hex(hive.hive_offset))) if hive._base_block: hive_data = self.context.layers[hive.dependencies[0]].read( hive.hive.BaseBlock, 1 << 12) else: hive_data = '\x00' * (1 << 12) filedata.data.write(hive_data) for i in range(0, maxaddr, chunk_size): current_chunk_size = min(chunk_size, maxaddr - i) data = hive.read(i, current_chunk_size, pad=True) filedata.data.write(data) # if self._progress_callback: # self._progress_callback((i / maxaddr) * 100, 'Writing layer {}'.format(hive_name)) self.produce_file(filedata) yield (0, (hive.name, format_hints.Hex(hive.hive_offset), 'Written to {}'.format(filedata.preferred_filename)))
def _generator(self): if self.config.get('layer_name', None) is None: for layer_name in self.context.layers: yield 0, ("Layer '{}' available as '{}'".format( layer_name, self.context.layers[layer_name].__class__.__name__), ) elif self.config['layer_name'] not in self.context.layers: yield 0, ('Layer Name does not exist', ) elif os.path.exists(self.config.get('output', self.default_output_name)): yield 0, ('Refusing to overwrite existing output file', ) else: chunk_size = self.config.get('block_size', self.default_block_size) layer = self.context.layers[self.config['layer_name']] try: filedata = plugins.FileInterface( self.config.get('output', self.default_output_name)) for i in range(0, layer.maximum_address, chunk_size): current_chunk_size = min(chunk_size, layer.maximum_address - i) data = layer.read(i, current_chunk_size, pad=True) filedata.data.write(data) self.produce_file(filedata) except Exception as excp: vollog.warning("Unable to write out output file") yield 0, ('Layer {} has been written to {}'.format( self.config['layer_name'], self.config.get('output', self.default_output_name)), )
def write_layer( cls, context: interfaces.context.ContextInterface, layer_name: str, preferred_name: str, chunk_size: Optional[int] = None, progress_callback: Optional[constants.ProgressCallback] = None ) -> Optional[plugins.FileInterface]: """Produces a filedata from the named layer in the provided context Args: context: the context from which to read the memory layer layer_name: the name of the layer to write out preferred_name: a string with the preferred filename for hte file chunk_size: an optional size for the chunks that should be written (defaults to 0x500000) progress_callback: an optional function that takes a percentage and a string that displays output """ if layer_name not in context.layers: raise exceptions.LayerException("Layer not found") layer = context.layers[layer_name] if chunk_size is None: chunk_size = cls.default_block_size filedata = plugins.FileInterface(preferred_name) for i in range(0, layer.maximum_address, chunk_size): current_chunk_size = min(chunk_size, layer.maximum_address - i) data = layer.read(i, current_chunk_size, pad=True) filedata.data.write(data) if progress_callback: progress_callback((i / layer.maximum_address) * 100, 'Writing layer {}'.format(layer_name)) return filedata
def _generator(self): filename = "config.json" config = dict(self.build_configuration()) if self.config.get('extra', False): vollog.debug( "Outputting additional information, this will NOT work with the -c option" ) config = dict(self.context.config) filename = "config.extra" try: filedata = plugins.FileInterface(filename) filedata.data.write( bytes(json.dumps(config, sort_keys=True, indent=2), 'latin-1')) self.produce_file(filedata) except Exception: vollog.warning("Unable to JSON encode configuration") for k, v in config.items(): yield (0, (k, json.dumps(v)))
def _generator(self) -> Iterator[Tuple[int, Tuple[int, str]]]: chunk_size = 0x500000 for hive_object in self.list_hive_objects( context=self.context, layer_name=self.config["primary"], symbol_table=self.config["nt_symbols"], filter_string=self.config.get('filter', None)): dumped = False if self.config['dump']: # Construct the hive hive = next( self.list_hives(self.context, self.config_path, layer_name=self.config["primary"], symbol_table=self.config["nt_symbols"], hive_offsets=[hive_object.vol.offset])) maxaddr = hive.hive.Storage[0].Length hive_name = self._sanitize_hive_name(hive.get_name()) filedata = plugins.FileInterface('registry.{}.{}.hive'.format( hive_name, hex(hive.hive_offset))) if hive._base_block: hive_data = self.context.layers[hive.dependencies[0]].read( hive.hive.BaseBlock, 1 << 12) else: hive_data = '\x00' * (1 << 12) filedata.data.write(hive_data) for i in range(0, maxaddr, chunk_size): current_chunk_size = min(chunk_size, maxaddr - i) data = hive.read(i, current_chunk_size, pad=True) filedata.data.write(data) # if self._progress_callback: # self._progress_callback((i / maxaddr) * 100, 'Writing layer {}'.format(hive_name)) self.produce_file(filedata) dumped = True yield (0, (format_hints.Hex(hive_object.vol.offset), hive_object.get_name() or "", dumped))