def _parse_dirt_block(hive_path, transaction_log, hbins_data_size):
restored_hive_buffer = BytesIO(open(hive_path, 'rb').read())
recovered_dirty_pages_count = 0
dirty_vector_length = hbins_data_size // 4096
if transaction_log.read(4) != b'DIRT':
raise RegistryRecoveryException('Expected DIRT signature!')
log_file_base = 1024 # 512 + len(b'DIRT') + dirty_vector_length
primary_file_base = 4096
bitmap = transaction_log.read(dirty_vector_length)
bit_counter = 0
bitmap_offset = 0
# Tuples of offset in primary and offset in transaction log
offsets = []
while bit_counter < dirty_vector_length * 8:
is_bit_set = ((bitmap[bit_counter // 8] >> (bit_counter % 8)) & 1) != 0
if is_bit_set:
# We skip the basic block for the offsets
registry_offset = primary_file_base + (bit_counter * 512)
def test_installed_programs_plugin_software(software_hive):
registry_hive = RegistryHive(software_hive)
plugin_instance = InstalledSoftwarePlugin(registry_hive, as_json=True)
plugin_instance.run()
assert len(plugin_instance.entries) == 67
assert plugin_instance.entries[0] == {
'registry_path': '\\Microsoft\\Windows\\CurrentVersion\\Uninstall',
'service_name': 'AddressBook',
'timestamp': '2009-07-14T04:41:12.758808+00:00'
}
assert plugin_instance.entries[-1].items() > {
'service_name': '{FE2F6A2C-196E-4210-9C04-2B1BC21F07EF}',
'timestamp': '2011-07-05T22:58:57.996094+00:00',
'registry_path': '\\Microsoft\\Windows\\CurrentVersion\\Uninstall',
'uninstall_string': 'MsiExec.exe /X{FE2F6A2C-196E-4210-9C04-2B1BC21F07EF}',
def test_recurse_ntuser(ntuser_hive):
registry_hive = RegistryHive(ntuser_hive)
value_types = {
'REG_BINARY': 0,
'REG_DWORD': 0,
'REG_EXPAND_SZ': 0,
'REG_MULTI_SZ': 0,
'REG_NONE': 0,
'REG_QWORD': 0,
'REG_SZ': 0
}
subkey_count = 0
values_count = 0
for subkey in registry_hive.recurse_subkeys(as_json=True):
subkey_values = subkey.values
subkey_count += 1
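def test_hive_serialization(ntuser_hive, temp_output_file):
    """Dump the NTUSER fixture hive as JSON lines and check the dump is well-formed.

    Every line of the output file must parse as JSON and be truthy (so an
    empty object or array on a line fails the test as well), and the fixture
    hive is expected to produce exactly 2318 records.

    Args:
        ntuser_hive: path to the NTUSER.DAT test fixture.
        temp_output_file: path the JSON-lines dump is written to.
    """
    registry_hive = RegistryHive(ntuser_hive)
    dump_hive_to_json(registry_hive, temp_output_file, registry_hive.root, verbose=False)

    record_count = 0
    with open(temp_output_file, 'r') as dumped_hive:
        # Stream the file instead of readlines(): a full hive dump can be large
        # and there is no reason to hold every line in memory just to count them.
        for record_count, line in enumerate(dumped_hive, start=1):
            assert json.loads(line)
    assert record_count == 2318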
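def test_parse_header(ntuser_hive):
    """Check the base-block (header) fields parsed from the NTUSER fixture hive.

    The expected values are pinned from the fixture file itself, so any change
    to header parsing (field offsets, widths, endianness, string decoding)
    shows up here. The previous version asserted ``minor_version`` twice; the
    duplicate is dropped.

    Args:
        ntuser_hive: path to the NTUSER.DAT test fixture.
    """
    registry_hive = RegistryHive(ntuser_hive)
    assert isinstance(registry_hive, RegistryHive)

    header = registry_hive.header
    # Primary and secondary sequence numbers agree on this fixture. A mismatch
    # presumably means the hive was not cleanly flushed (dirty hive); how the
    # parser behaves in that case is not covered by this test.
    assert header.primary_sequence_num == 744
    assert header.secondary_sequence_num == 744
    # Presumably the raw 64-bit timestamp as stored in the header, not a
    # converted datetime -- confirm against the header parser.
    assert header.last_modification_time == 129782982453388850
    assert header.major_version == 1
    assert header.minor_version == 3
    assert header.root_key_offset == 32
    assert header.hive_bins_data_size == 733184
    # NOTE(review): the leading '?' is pinned as-is; it looks like a residue of
    # the NT '\??\' path prefix -- confirm this is intended rather than a
    # decoding artefact of the header's file-name field.
    assert header.file_name == '?\\C:\\Users\\vibranium\\ntuser.dat'
    # This only pins the checksum value stored in the header; whether the
    # parser recomputes and verifies it against the header bytes is not
    # asserted here.
    assert header.checksum == 448714443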
def test_persistence_plugin_software(software_hive):
registry_hive = RegistryHive(software_hive)
plugin_instance = SoftwarePersistencePlugin(registry_hive, as_json=True)
plugin_instance.run()
assert plugin_instance.entries == {
'\\Microsoft\\Windows\\CurrentVersion\\Run':
{'timestamp': '2012-04-04T01:54:23.669836+00:00',
'values': [
{
'name': 'VMware Tools',
'value_type': 'REG_SZ',
'value': '"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe"',
'is_corrupted': False
},
{
'name': 'VMware User Process',
'value_type': 'REG_SZ',
def test_persistence_plugin_ntuser(ntuser_hive):
registry_hive = RegistryHive(ntuser_hive)
plugin_instance = NTUserPersistencePlugin(registry_hive, as_json=True)
plugin_instance.run()
assert plugin_instance.entries == {
'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run': {
'timestamp': '2012-04-03T21:19:54.837716+00:00',
'values': [
{'name': 'Sidebar',
'value_type': 'REG_EXPAND_SZ',
'value': '%ProgramFiles%\\Windows Sidebar\\Sidebar.exe /autoRun', 'is_corrupted': False
}
def test_typed_urls_plugin_ntuser(ntuser_hive):
registry_hive = RegistryHive(ntuser_hive)
plugin_instance = TypedUrlsPlugin(registry_hive, as_json=True)
plugin_instance.run()
assert plugin_instance.entries == {
'last_write': '2012-04-03T22:37:55.411500+00:00',
'entries': [
{'url1': 'http://199.73.28.114:53/'},
{'url2': 'http://go.microsoft.com/fwlink/?LinkId=69157'}
]
def test_shimcache_plugin(system_hive):
    """Run the ShimCache plugin on the SYSTEM fixture hive and check its output.

    Pins the number of entries the plugin produces and the full content of the
    first one. Note that ``exec_flag`` is emitted as the string ``'True'``,
    not a boolean, and the test pins that representation.

    Args:
        system_hive: path to the SYSTEM test fixture.
    """
    expected_first_entry = {
        'last_mod_date': '2011-01-12T12:08:00+00:00',
        'path': '\\??\\C:\\Program Files\\McAfee\\VirusScan Enterprise\\mfeann.exe',
        'exec_flag': 'True',
    }

    plugin = ShimCachePlugin(RegistryHive(system_hive), as_json=True)
    plugin.run()

    entries = plugin.entries
    assert len(entries) == 660
    assert entries[0] == expected_first_entry
def test_printdemon_plugin(software_hive):
registry_hive = RegistryHive(software_hive)
plugin_instance = PrintDemonPlugin(registry_hive, as_json=True)
plugin_instance.run()
assert plugin_instance.entries == [
{'parameters': ['9600', 'n', '8', '1'],
'port_name': 'COM1:',
'timestamp': '2010-11-10T10:35:02.448040+00:00'},
{'parameters': ['9600', 'n', '8', '1'],
'port_name': 'COM2:',
'timestamp': '2010-11-10T10:35:02.448040+00:00'},
{'parameters': ['9600', 'n', '8', '1'],
'port_name': 'COM3:',
'timestamp': '2010-11-10T10:35:02.448040+00:00'},
{'parameters': ['9600', 'n', '8', '1'],
'port_name': 'COM4:',
'timestamp': '2010-11-10T10:35:02.448040+00:00'},