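--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -1,46 +1,45 @@
 # -*- coding: utf-8 -*-
 """Preg plaso front-end."""
 
 from __future__ import print_function
 import logging
 
 from dfvfs.helpers import file_system_searcher
 from dfvfs.helpers import windows_path_resolver
 from dfvfs.lib import definitions as dfvfs_definitions
 from dfvfs.path import factory as path_spec_factory
 from dfvfs.resolver import resolver as path_spec_resolver
 
 from plaso.containers import sessions
-from plaso.frontend import extraction_frontend
 from plaso.lib import py2to3
 from plaso.parsers import mediator as parsers_mediator
 from plaso.parsers import manager as parsers_manager
 from plaso.parsers import winreg_plugins  # pylint: disable=unused-import
 from plaso.preprocessors import manager as preprocess_manager
 # TODO: refactor usage of fake storage.
 from plaso.storage import fake_storage
 
 from l2tpreg import definitions
 from l2tpreg import helper
 from l2tpreg import plugin_list
 
 
-class PregFrontend(extraction_frontend.ExtractionFrontend):
-  """Class that implements the preg front-end.
+class PregFrontend(object):
+  """Preg front-end.
 
   Attributes:
     knowledge_base_object (plaso.KnowledgeBase): knowledge base.
   """
 
   def __init__(self):
-    """Initializes a front-end object."""
+    """Initializes a preg front-end."""
     super(PregFrontend, self).__init__()
     self._mount_path_spec = None
     self._parse_restore_points = False
     self._preprocess_completed = False
     self._registry_files = []
     self._registry_plugin_list = self.GetWindowsRegistryPlugins()
     self._single_file = False
     self._source_path = None
     self._source_path_specs = []
 
@@ -270,53 +269,57 @@
       paths.append(
           u'%UserProfile%\\AppData\\Local\\Microsoft\\Windows\\UsrClass.dat')
       if restore_path:
         paths.append(
             u'{0:s}\\_REGISTRY_USER_USRCLASS_.+'.format(restore_path))
 
     return paths
 
   # TODO: refactor this function. Current implementation is too complex.
   def GetRegistryHelpers(
-      self, registry_file_types=None, plugin_names=None, codepage=u'cp1252'):
+      self, artifacts_registry, registry_file_types=None, plugin_names=None,
+      codepage=u'cp1252'):
     """Retrieves discovered Windows Registry helpers.
 
     Args:
+      artifacts_registry (artifacts.ArtifactDefinitionsRegistry]): artifact
+          definitions registry.
       registry_file_types (Optional[list[str]]): of Windows Registry file types,
           for example "NTUSER" or "SAM" that should be included.
       plugin_names (Optional[str]): names of the plugins or an empty string for
           all the plugins.
       codepage (str): codepage of the Windows Registry file.
 
     Returns:
       list[PregRegistryHelper]: Windows Registry helpers.
 
     Raises:
       ValueError: If neither registry_file_types nor plugin name is passed
           as a parameter.
     """
     if registry_file_types is None and plugin_names is None:
       raise ValueError(
           u'Missing registry_file_types or plugin_name value.')
 
     if plugin_names is None:
       plugin_names = []
     else:
       plugin_names = [plugin_name.lower() for plugin_name in plugin_names]
 
     # TODO: use non-preprocess collector with filter to collect Registry files.
     if not self._single_file and not self._preprocess_completed:
       file_system, mount_point = self._GetSourceFileSystem(
           self._source_path_specs[0])
       try:
         preprocess_manager.PreprocessPluginsManager.RunPlugins(
-            file_system, mount_point, self.knowledge_base_object)
+            artifacts_registry, file_system, mount_point,
+            self.knowledge_base_object)
         self._preprocess_completed = True
       finally:
         file_system.Close()
 
     # TODO: fix issue handling Windows paths
     if registry_file_types is None:
       registry_file_types = []
 
     types_from_plugins = (
         self._registry_plugin_list.GetRegistryTypesFromPlugins(plugin_names))
@@ -515,34 +518,39 @@
       for filter_object in plugin_object.FILTERS:
         if filter_object.Match(registry_key):
           can_process = True
           break
 
       if not can_process:
         continue
 
       found_matching_plugin = True
       plugin_object.Process(parser_mediator, registry_key)
-      if storage_writer.events:
-        return_dict[plugin_object] = storage_writer.events
+
+      events = list(storage_writer.GetEvents())
+      if events:
+        return_dict[plugin_object] = events
 
     if not found_matching_plugin:
       winreg_parser = parsers_manager.ParsersManager.GetParserObjectByName(
           u'winreg')
       if not winreg_parser:
         return
+
       default_plugin_object = winreg_parser.GetPluginObjectByName(
           u'winreg_default')
 
       default_plugin_object.Process(parser_mediator, registry_key)
-      if storage_writer.events:
-        return_dict[default_plugin_object] = storage_writer.events
+
+      events = list(storage_writer.GetEvents())
+      if events:
+        return_dict[default_plugin_object] = events
 
     return return_dict
 
   def SetSingleFile(self, single_file=False):
     """Sets the single file processing parameter.
 
     Args:
       single_file (Optional[bool]): True if source is a single file input,
           False otherwise for example if source is a storage media format.
     """
@@ -564,10 +572,10 @@
     """
     self._source_path_specs = source_path_specs
 
   def SetKnowledgeBase(self, knowledge_base_object):
     """Sets the knowledge base.
 
     Args:
       knowledge_base_object (plaso.KnowledgeBase): knowledge base.
     """
     self.knowledge_base_object = knowledge_base_object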
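Review bot: After the base class is dropped in `class PregFrontend(object):`, `self.knowledge_base_object` is only ever assigned by `SetKnowledgeBase`, yet `GetRegistryHelpers` still hands it to `PreprocessPluginsManager.RunPlugins`, so a call before `SetKnowledgeBase` now fails with an AttributeError instead of a clear error. Adding `self.knowledge_base_object = None` to `__init__` makes the attribute the class docstring documents always present, and the `super(PregFrontend, self).__init__()` call is now a no-op on `object` that can be kept or dropped. Whether `_GetSourceFileSystem`, called just before `RunPlugins`, was inherited from the removed `extraction_frontend.ExtractionFrontend` cannot be seen from the shown hunks; if it was, this class needs its own implementation. The added docstring line `artifacts_registry (artifacts.ArtifactDefinitionsRegistry]): artifact` has a stray `]`. Both `GetRegistryHelpers` and the key-processing method around the `for filter_object` loop continue outside the shown hunks.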