
Source Code for Module rekall.plugins.windows.registry.getservicesids

 1  # Rekall Memory Forensics 
 2  # Copyright (C) 2011 Volatile Systems 
 3  # Copyright (C) 2011 Jamie Levy (Gleeda) <jamie.levy@gmail.com> 
 4  # Copyright 2013 Google Inc. All Rights Reserved. 
 5  # 
 6  # This program is free software; you can redistribute it and/or modify 
 7  # it under the terms of the GNU General Public License as published by 
 8  # the Free Software Foundation; either version 2 of the License, or (at 
 9  # your option) any later version. 
10  # 
11  # This program is distributed in the hope that it will be useful, but 
12  # WITHOUT ANY WARRANTY; without even the implied warranty of 
13  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
14  # General Public License for more details. 
15  # 
16  # You should have received a copy of the GNU General Public License 
17  # along with this program; if not, write to the Free Software 
18  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
19  # 
20   
21  """ 
22  @author:       Jamie Levy (Gleeda) 
23  @license:      GNU General Public License 2.0 or later 
24  @contact:      jamie.levy@gmail.com 
25  @organization: Volatile Systems 
26  """ 
27   
28  import hashlib 
29  import struct 
30   
31  from rekall.plugins.windows.registry import registry 
32  from rekall_lib import utils 
33   
34   
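class GetServiceSids(registry.RegistryPlugin):
    """Get the names of services in the Registry and return Calculated SID.

    Windows derives a service's SID (``S-1-5-80-...``) deterministically from
    the service name, so recovering the names from the services key lets an
    analyst map service SIDs seen elsewhere in an image back to the service
    they belong to.
    """

    __name = "getservicesids"

    def createservicesid(self, service_name):
        """Calculate the Service SID for ``service_name``.

        The SID is ``S-1-5-80-`` followed by the five 32-bit little-endian
        words of the SHA-1 digest of the upper-cased, UTF-16-LE encoded
        service name.

        Args:
          service_name: the service key name; coerced to unicode with
            utils.SmartUnicode before hashing.

        Returns:
          The SID as a string, e.g. ``S-1-5-80-<five decimal words>``.
        """
        # We depend on service name to be a unicode string here.
        service_name = utils.SmartUnicode(service_name)

        # Upper-case the text *before* encoding.  bytes.upper() only folds
        # ASCII bytes, so applying it to the UTF-16-LE encoding of a name
        # containing non-ASCII characters would rewrite any code unit whose
        # low byte happens to fall in a-z and produce a wrong SID.  For
        # pure-ASCII names both orders give the same digest.
        # NOTE(review): Windows applies a simple per-character upcase; a
        # name whose characters have multi-character upper-case forms
        # (e.g. "ß") may still differ — confirm against a known SID.
        digest = hashlib.sha1(
            service_name.upper().encode("utf-16-le")).digest()
        words = struct.unpack("<IIIII", digest)
        return 'S-1-5-80-' + '-'.join(str(word) for word in words)

    def get_service_sids(self):
        """Yield ``(sid, service_name)`` for every service key found.

        Walks each offset in ``self.hive_offsets``, resolves the hive's
        CurrentControlSet and enumerates the subkeys of its ``services``
        key.  Hives without a CurrentControlSet are skipped.
        """
        # Search for the current_control_set in all hives.
        for hive_offset in self.hive_offsets:
            reg = registry.RegistryHive(
                hive_offset=hive_offset, session=self.session)

            current_control_set = reg.CurrentControlSet()

            # There is no CurrentControlSet in this hive.
            if not current_control_set:
                continue

            # A control set without a services key has nothing to report.
            # NOTE(review): presumably open_subkey returns a falsy object
            # when the key is absent — verify against registry.RegistryHive.
            services_key = current_control_set.open_subkey("services")
            if not services_key:
                continue

            # Enumerate the services.
            for subkey in services_key.subkeys():
                yield self.createservicesid(subkey.Name), subkey.Name

    def render(self, renderer):
        """Emit one table row per service: its calculated SID and its name."""
        renderer.table_header([("SID", "sid", "<70"),
                               ("Service Name", "name", "")])

        for sid, service in self.get_service_sids():
            renderer.table_row(sid, service)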