Code review: 269610043: Replaced Registry path expander by dfvfs Wind…
…ows path resolver log2timeline#145
joachimmetz committed Dec 31, 2015
1 parent c6a2af6 commit 1d30f6d
Showing 10 changed files with 194 additions and 312 deletions.
2 changes: 1 addition & 1 deletion config/dpkg/changelog
Expand Up @@ -2,4 +2,4 @@ python-plaso (1.3.1-1) unstable; urgency=low

* Auto-generated

-- Log2Timeline <[email protected]> Tue, 03 Nov 2015 22:20:37 +0100
-- Log2Timeline <[email protected]> Thu, 12 Nov 2015 08:45:22 -0500
8 changes: 0 additions & 8 deletions docs/plaso.dfwinreg.rst
Expand Up @@ -36,14 +36,6 @@ plaso.dfwinreg.interface module
:undoc-members:
:show-inheritance:

plaso.dfwinreg.path_expander module
-----------------------------------

.. automodule:: plaso.dfwinreg.path_expander
:members:
:undoc-members:
:show-inheritance:

plaso.dfwinreg.regf module
--------------------------

2 changes: 1 addition & 1 deletion plaso/__init__.py
Expand Up @@ -3,7 +3,7 @@
__version__ = '1.3.1'

VERSION_DEV = True
VERSION_DATE = '20151103'
VERSION_DATE = '20151112'


def GetVersion():
45 changes: 0 additions & 45 deletions plaso/dfwinreg/path_expander.py

This file was deleted.

247 changes: 10 additions & 237 deletions plaso/dfwinreg/registry.py
@@ -1,13 +1,6 @@
# -*- coding: utf-8 -*-
"""Classes for Windows Registry access."""

import logging

from dfvfs.helpers import file_system_searcher
from dfvfs.resolver import resolver

from plaso.dfwinreg import interface
from plaso.dfwinreg import path_expander
from plaso.dfwinreg import regf


Expand Down Expand Up @@ -41,49 +34,46 @@ class WinRegistry(object):

_PATH_SEPARATOR = u'\\'

# TODO: refactor to use %SystemRoot% and %UserProfile% instead.
# TODO: refactor to use Windows paths.

_REGISTRY_FILE_MAPPINGS_9X = [
WinRegistryFileMapping(
u'HKEY_LOCAL_MACHINE',
u'{systemroot}/SYSTEM.DAT',
u'%SystemRoot%\\SYSTEM.DAT',
[]),
WinRegistryFileMapping(
u'HKEY_USERS',
u'{systemroot}/USER.DAT',
u'%SystemRoot%\\USER.DAT',
[]),
]

_REGISTRY_FILE_MAPPINGS_NT = [
WinRegistryFileMapping(
u'HKEY_CURRENT_USER',
u'{userprofile}/NTUSER.DAT',
u'%UserProfile%\\NTUSER.DAT',
[u'\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer']),
WinRegistryFileMapping(
u'HKEY_CURRENT_USER\\Software\\Classes',
u'{userprofile}/AppData/Local/Microsoft/Windows/UsrClass.dat',
u'%UserProfile%\\AppData\\Local\\Microsoft\\Windows\\UsrClass.dat',
[u'\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion']),
WinRegistryFileMapping(
u'HKEY_CURRENT_USER\\Software\\Classes',
(u'{userprofile}/Local Settings/Application Data/Microsoft/'
u'Windows/UsrClass.dat'),
(u'%UserProfile%\\Local Settings\\Application Data\\Microsoft\\'
u'Windows\\UsrClass.dat'),
[]),
WinRegistryFileMapping(
u'HKEY_LOCAL_MACHINE\\SAM',
u'{systemroot}/System32/config/SAM',
u'%SystemRoot%\\System32\\config\\SAM',
[u'\\SAM\\Domains\\Account\\Users']),
WinRegistryFileMapping(
u'HKEY_LOCAL_MACHINE\\Security',
u'{systemroot}/System32/config/SECURITY',
u'%SystemRoot%\\System32\\config\\SECURITY',
[u'\\Policy\\PolAdtEv']),
WinRegistryFileMapping(
u'HKEY_LOCAL_MACHINE\\Software',
u'{systemroot}/System32/config/SOFTWARE',
u'%SystemRoot%\\System32\\config\\SOFTWARE',
[u'\\Microsoft\\Windows\\CurrentVersion\\App Paths']),
WinRegistryFileMapping(
u'HKEY_LOCAL_MACHINE\\System',
u'{systemroot}/System32/config/SYSTEM',
u'%SystemRoot%\\System32\\config\\SYSTEM',
[u'\\Select'])
]

Expand Down Expand Up @@ -436,220 +426,3 @@ def OpenFileEntry(self, file_entry):
registry_file = None

return registry_file


class PathSpecWinRegistryFileReader(interface.WinRegistryFileReader):
"""A single path specification Windows Registry file reader."""

def __init__(self, path_spec):
"""Initializes a Windows Registry file reader object.
Args:
path_spec: a path specification (instance of dfvfs.PathSpec).
"""
super(PathSpecWinRegistryFileReader, self).__init__()
self._path_spec = path_spec

def _OpenPathSpec(self, path_spec, ascii_codepage=u'cp1252'):
"""Opens the Windows Registry file specified by the path specification.
Args:
path_spec: a path specification (instance of dfvfs.PathSpec).
ascii_codepage: optional ASCII string codepage. The default is cp1252
(or windows-1252).
Returns:
The Windows Registry file (instance of WinRegistryFile) or None.
"""
if not path_spec:
return

file_entry = resolver.Resolver.OpenFileEntry(path_spec)
if file_entry is None:
return

file_object = file_entry.GetFileObject()
if file_object is None:
return

registry_file = regf.REGFWinRegistryFile(ascii_codepage=ascii_codepage)
try:
registry_file.Open(file_object)
except IOError as exception:
logging.warning(
u'Unable to open Windows Registry file with error: {0:s}'.format(
exception))
file_object.close()
return

return registry_file

def Open(self, path, ascii_codepage=u'cp1252'):
"""Opens the Windows Registry file specified by the path.
Args:
path: the path of the Windows Registry file.
ascii_codepage: optional ASCII string codepage. The default is cp1252
(or windows-1252).
Returns:
The Windows Registry file (instance of WinRegistryFile) or None.
"""
return self._OpenPathSpec(self._path_spec)


class SearcherWinRegistryFileReader(interface.WinRegistryFileReader):
"""A file system searcher-based Windows Registry file reader."""

def __init__(self, searcher, path_attributes=None):
"""Initializes a Windows Registry file reader object.
Args:
searcher: the file system searcher object (instance of
dfvfs.FileSystemSearcher).
path_attributes: optional dictionary of path attributes.
"""
super(SearcherWinRegistryFileReader, self).__init__()
self._file_path_expander = path_expander.WinRegistryKeyPathExpander()
self._path_attributes = path_attributes or {}
self._searcher = searcher

def _FindPathSpec(self, path):
"""Searches for a path specification.
Args:
path: the path of the Windows Registry file.
Returns:
A path specification (instance of dfvfs.PathSpec) of
the Windows Registry file.
Raises:
IOError: If the Windows Registry file cannot be found.
"""
path, _, filename = path.rpartition(u'/')

# TODO: determine why this first find is used add comment or remove.
# It does not appear to help with making sure path segment separate
# is correct.
find_spec = file_system_searcher.FindSpec(
location=path, case_sensitive=False)
path_specs = list(self._searcher.Find(find_specs=[find_spec]))

if not path_specs or len(path_specs) != 1:
raise IOError(
u'Unable to find directory: {0:s}'.format(path))

relative_path = self._searcher.GetRelativePath(path_specs[0])
if not relative_path:
raise IOError(u'Unable to determine relative path of: {0:s}'.format(path))

# The path is split in segments to make it path segement separator
# independent (and thus platform independent).
path_segments = self._searcher.SplitPath(relative_path)
path_segments.append(filename)

find_spec = file_system_searcher.FindSpec(
location=path_segments, case_sensitive=False)
path_specs = list(self._searcher.Find(find_specs=[find_spec]))

if not path_specs:
raise IOError(
u'Unable to find file: {0:s} in directory: {1:s}'.format(
filename, relative_path))

if len(path_specs) != 1:
raise IOError((
u'Find for file: {0:s} in directory: {1:s} returned {2:d} '
u'results.').format(filename, relative_path, len(path_specs)))

if not relative_path:
raise IOError(
u'Missing file: {0:s} in directory: {1:s}'.format(
filename, relative_path))

return path_specs[0]

def _OpenPathSpec(self, path_spec, ascii_codepage=u'cp1252'):
"""Opens the Windows Registry file specified by the path specification.
Args:
path_spec: a path specification (instance of dfvfs.PathSpec).
ascii_codepage: optional ASCII string codepage. The default is cp1252
(or windows-1252).
Returns:
The Windows Registry file (instance of WinRegistryFile) or None.
"""
if not path_spec:
return

file_entry = self._searcher.GetFileEntryByPathSpec(path_spec)
if file_entry is None:
return

file_object = file_entry.GetFileObject()
if file_object is None:
return

registry_file = regf.REGFWinRegistryFile(ascii_codepage=ascii_codepage)
try:
registry_file.Open(file_object)
except IOError as exception:
logging.warning(
u'Unable to open Windows Registry file with error: {0:s}'.format(
exception))
file_object.close()
return

return registry_file

def Open(self, path, ascii_codepage=u'cp1252'):
"""Opens the Windows Registry file specified by the path.
Args:
path: the path of the Windows Registry file.
ascii_codepage: optional ASCII string codepage. The default is cp1252
(or windows-1252).
Returns:
The Windows Registry file (instance of WinRegistryFile) or None.
"""
try:
expanded_path = self._file_path_expander.ExpandPath(
path, path_attributes=self._path_attributes)

except KeyError as exception:
logging.warning(
u'Unable to expand path: {0:s} with error: {1:s}'.format(
path, exception))
expanded_path = path

path_spec = self._FindPathSpec(expanded_path)
return self._OpenPathSpec(path_spec)


class FileObjectWinRegistryFileReader(interface.WinRegistryFileReader):
"""A single file-like object Windows Registry file reader."""

def Open(self, file_object, ascii_codepage=u'cp1252'):
"""Opens a Windows Registry file-like object.
Args:
file_object: the Windows Registry file-like object.
ascii_codepage: optional ASCII string codepage. The default is cp1252
(or windows-1252).
Returns:
The Windows Registry file (instance of WinRegistryFile) or None.
"""
registry_file = regf.REGFWinRegistryFile(ascii_codepage=ascii_codepage)
try:
registry_file.Open(file_object)
except IOError as exception:
logging.warning(
u'Unable to open Windows Registry file with error: {0:s}'.format(
exception))
return

return registry_file
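Review bot: The rewritten `%SystemRoot%\\…` and `%UserProfile%\\…` entries in `_REGISTRY_FILE_MAPPINGS_9X` and `_REGISTRY_FILE_MAPPINGS_NT` carry no comment saying who expands the variables, and the reader that used to do it is deleted from this file in the last hunk. That removed `SearcherWinRegistryFileReader` searched with `case_sensitive=False` and logged a warning when expansion raised `KeyError`; the replacement is not visible in this section, so confirm it keeps both behaviours, because a casing mismatch on `System32\\config` or an unset variable would otherwise drop the SAM, SECURITY, SOFTWARE or SYSTEM hive from processing with nothing in the log. I would put `# Windows paths; %SystemRoot% and %UserProfile% are expanded by the Registry file reader.` above the two mapping lists. The `WinRegistry` class starts and ends outside the visible hunks.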