#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""This file contains the MSIE zone settings plugin."""
from plaso.events import windows_events
from plaso.parsers import winreg
from plaso.parsers.winreg_plugins import interface
# Module author metadata; not used by the parser logic below.
__author__ = 'Elizabeth Schweinsberg (beth@bethlogic.net)'
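class MsieZoneSettingsPlugin(interface.KeyPlugin):
  """Windows Registry plugin for parsing the MSIE Zones settings.

  The Zones and Lockdown_Zones keys hold one subkey per Internet Explorer
  security zone. Each zone subkey contains the per-zone feature controls
  (ActiveX, scripting, downloads, authentication, ...) that make up the
  zone's security policy; FEATURE_CONTROLS maps the value names to their
  meaning and the CONTROL_VALUES_* dictionaries map the stored integers to
  the setting they select.

  The plugin produces one event for the Zones (or Lockdown_Zones) key itself
  and one event per zone subkey. Values and data the plugin does not
  recognise are still emitted (labelled UNKNOWN or with the raw name/data)
  rather than dropped, so unexpected settings stay visible to the analyst.
  """

  NAME = 'winreg_msie_zone'
  DESCRIPTION = u'Parser for Internet Explorer zone settings Registry data.'

  REG_TYPE = 'NTUSER'
  REG_KEYS = [
      (u'\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings'
       u'\\Zones'),
      (u'\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings'
       u'\\Lockdown_Zones')]

  URLS = ['http://support.microsoft.com/kb/182569']

  # Display names for the zone subkeys, keyed by subkey name.
  ZONE_NAMES = {
      '0': '0 (My Computer)',
      '1': '1 (Local Intranet Zone)',
      '2': '2 (Trusted sites Zone)',
      '3': '3 (Internet Zone)',
      '4': '4 (Restricted Sites Zone)',
      '5': '5 (Custom)'
  }

  # Feature controls whose integer data uses CONTROL_VALUES_PERMISSIONS.
  KNOWN_PERMISSIONS_VALUE_NAMES = [
      '1001', '1004', '1200', '1201', '1400', '1402', '1405', '1406', '1407',
      '1601', '1604', '1606', '1607', '1608', '1609', '1800', '1802', '1803',
      '1804', '1809', '1A04', '2000', '2001', '2004', '2100', '2101', '2102',
      '2200', '2201', '2300']

  CONTROL_VALUES_PERMISSIONS = {
      0x00000000: '0 (Allow)',
      0x00000001: '1 (Prompt User)',
      0x00000003: '3 (Not Allowed)',
      0x00010000: '0x00010000 (Administrator approved)'
  }

  # Used for value 1E05 (software channel permissions).
  CONTROL_VALUES_SAFETY = {
      0x00010000: '0x00010000 (High safety)',
      0x00020000: '0x00020000 (Medium safety)',
      0x00030000: '0x00030000 (Low safety)'
  }

  # Used for value 1A00 (user authentication: logon).
  CONTROL_VALUES_1A00 = {
      0x00000000: ('0x00000000 (Automatic logon with current user name and '
                   'password)'),
      0x00010000: '0x00010000 (Prompt for user name and password)',
      0x00020000: '0x00020000 (Automatic logon only in Intranet zone)',
      0x00030000: '0x00030000 (Anonymous logon)'
  }

  # Used for value 1C00 (Java permissions).
  CONTROL_VALUES_1C00 = {
      0x00000000: '0x00000000 (Disable Java)',
      0x00010000: '0x00010000 (High safety)',
      0x00020000: '0x00020000 (Medium safety)',
      0x00030000: '0x00030000 (Low safety)',
      0x00800000: '0x00800000 (Custom)'
  }

  FEATURE_CONTROLS = {
      '1200': 'Run ActiveX controls and plug-ins',
      '1400': 'Active scripting',
      '1001': 'Download signed ActiveX controls',
      '1004': 'Download unsigned ActiveX controls',
      '1201': 'Initialize and script ActiveX controls not marked as safe',
      '1206': 'Allow scripting of IE Web browser control',
      '1207': 'Reserved',
      '1208': 'Allow previously unused ActiveX controls to run without prompt',
      '1209': 'Allow Scriptlets',
      '120A': 'Override Per-Site (domain-based) ActiveX restrictions',
      '120B': 'Override Per-Site (domain-based) ActiveX restrictions',
      '1402': 'Scripting of Java applets',
      '1405': 'Script ActiveX controls marked as safe for scripting',
      '1406': 'Access data sources across domains',
      '1407': 'Allow Programmatic clipboard access',
      '1408': 'Reserved',
      '1601': 'Submit non-encrypted form data',
      '1604': 'Font download',
      '1605': 'Run Java',
      '1606': 'Userdata persistence',
      '1607': 'Navigate sub-frames across different domains',
      '1608': 'Allow META REFRESH',
      '1609': 'Display mixed content',
      '160A': 'Include local directory path when uploading files to a server',
      '1800': 'Installation of desktop items',
      '1802': 'Drag and drop or copy and paste files',
      '1803': 'File Download',
      '1804': 'Launching programs and files in an IFRAME',
      '1805': 'Launching programs and files in webview',
      '1806': 'Launching applications and unsafe files',
      '1807': 'Reserved',
      '1808': 'Reserved',
      '1809': 'Use Pop-up Blocker',
      '180A': 'Reserved',
      '180B': 'Reserved',
      '180C': 'Reserved',
      '180D': 'Reserved',
      '1A00': 'User Authentication: Logon',
      '1A02': 'Allow persistent cookies that are stored on your computer',
      '1A03': 'Allow per-session cookies (not stored)',
      '1A04': 'Don\'t prompt for client cert selection when no certs exists',
      '1A05': 'Allow 3rd party persistent cookies',
      '1A06': 'Allow 3rd party session cookies',
      '1A10': 'Privacy Settings',
      '1C00': 'Java permissions',
      '1E05': 'Software channel permissions',
      '1F00': 'Reserved',
      '2000': 'Binary and script behaviors',
      '2001': '.NET: Run components signed with Authenticode',
      '2004': '.NET: Run components not signed with Authenticode',
      '2100': 'Open files based on content, not file extension',
      '2101': 'Web sites in less privileged zone can navigate into this zone',
      '2102': ('Allow script initiated windows without size/position '
               'constraints'),
      '2103': 'Allow status bar updates via script',
      '2104': 'Allow websites to open windows without address or status bars',
      '2105': 'Allow websites to prompt for information using scripted windows',
      '2200': 'Automatic prompting for file downloads',
      '2201': 'Automatic prompting for ActiveX controls',
      '2300': 'Allow web pages to use restricted protocols for active content',
      '2301': 'Use Phishing Filter',
      '2400': '.NET: XAML browser applications',
      '2401': '.NET: XPS documents',
      '2402': '.NET: Loose XAML',
      '2500': 'Turn on Protected Mode',
      '2600': 'Enable .NET Framework setup',
      '{AEBA21FA-782A-4A90-978D-B72164C80120}': 'First Party Cookie',
      '{A8A88C49-5EB2-4990-A1A2-0876022C854F}': 'Third Party Cookie'
  }

  def _FormatRawValue(self, value):
    """Formats a value of the Zones key itself as '[data type] data'.

    Args:
      value: a Registry value object (instance of winreg.WinRegValue).

    Returns:
      A Unicode string; only the data type is shown for data that is not a
      string, integer or multi string.
    """
    if value.DataIsString():
      return u'[{0:s}] {1:s}'.format(value.data_type_string, value.data)

    if value.DataIsInteger():
      return u'[{0:s}] {1:d}'.format(value.data_type_string, value.data)

    if value.DataIsMultiString():
      return u'[{0:s}] {1:s}'.format(
          value.data_type_string, u''.join(value.data))

    return u'[{0:s}]'.format(value.data_type_string)

  def _FormatZoneValue(self, value):
    """Maps the data of a zone feature control value to a setting string.

    Args:
      value: a Registry value object (instance of winreg.WinRegValue).

    Returns:
      A Unicode string. Integer data of a known feature control is looked
      up in the matching CONTROL_VALUES_* dictionary and rendered as
      u'UNKNOWN' when the integer is not in it; integer data of other
      values is rendered as a decimal number.
    """
    if value.DataIsString():
      return value.data

    if not value.DataIsInteger():
      return u'[{0:s}]'.format(value.data_type_string)

    if value.name in self.KNOWN_PERMISSIONS_VALUE_NAMES:
      lookup_table = self.CONTROL_VALUES_PERMISSIONS
    elif value.name == '1A00':
      lookup_table = self.CONTROL_VALUES_1A00
    elif value.name == '1C00':
      lookup_table = self.CONTROL_VALUES_1C00
    elif value.name == '1E05':
      lookup_table = self.CONTROL_VALUES_SAFETY
    else:
      return u'{0:d}'.format(value.data)

    return lookup_table.get(value.data, u'UNKNOWN')

  def _FormatFeatureControl(self, value_name):
    """Builds the '[value name] description' label of a zone value.

    Args:
      value_name: the name of the Registry value.

    Returns:
      A Unicode string. Four character names (other than 'Icon') are
      feature control identifiers and get an UNKNOWN description when not
      in FEATURE_CONTROLS; any other unrecognised name is shown bare.
    """
    if len(value_name) == 4 and value_name != 'Icon':
      value_description = self.FEATURE_CONTROLS.get(value_name, 'UNKNOWN')
    else:
      value_description = self.FEATURE_CONTROLS.get(value_name, '')

    if value_description:
      return u'[{0:s}] {1:s}'.format(value_name, value_description)

    return u'[{0:s}]'.format(value_name)

  def GetEntries(
      self, parser_context, file_entry=None, key=None, registry_type=None,
      parser_chain=None, **unused_kwargs):
    """Retrieves information of the Internet Settings Zones values.

    The MSIE Feature controls are stored in the Zone specific subkeys in:
      Internet Settings\\Zones key
      Internet Settings\\Lockdown_Zones key

    One event is produced for the key itself (all of its values rendered as
    '[data type] data') and one event per zone subkey. A key without
    values or without subkeys yields a parse error; a missing subkey set
    ends parsing of the key after the key event has been produced.

    Args:
      parser_context: A parser context object (instance of ParserContext).
      file_entry: optional file entry object (instance of dfvfs.FileEntry).
                  The default is None.
      key: Optional Registry key (instance of winreg.WinRegKey).
           The default is None.
      registry_type: Optional Registry type string. The default is None.
      parser_chain: Optional string containing the parsing chain up to this
                    point. The default is None.
    """
    text_dict = {}

    if key.number_of_values == 0:
      error_string = u'Key: {0:s} missing values.'.format(key.path)
      parser_context.ProduceParseError(
          self.NAME, error_string, file_entry=file_entry)

    else:
      for value in key.GetValues():
        if not value.name:
          value_name = '(default)'
        else:
          value_name = u'{0:s}'.format(value.name)

        text_dict[value_name] = self._FormatRawValue(value)

    # Generate at least one event object for the key.
    event_object = windows_events.WindowsRegistryEvent(
        key.last_written_timestamp, key.path, text_dict, offset=key.offset,
        registry_type=registry_type, urls=self.URLS)
    parser_context.ProduceEvent(
        event_object, parser_chain=parser_chain, file_entry=file_entry)

    if key.number_of_subkeys == 0:
      error_string = u'Key: {0:s} missing subkeys.'.format(key.path)
      parser_context.ProduceParseError(
          self.NAME, error_string, file_entry=file_entry)
      return

    for zone_key in key.GetSubkeys():
      # TODO: the zone display names are stored in the Description value of
      # the zone key; ZONE_NAMES only covers subkeys '0' through '5'. A
      # subkey with any other name is labelled with its raw name so that
      # one unexpected subkey does not abort parsing of the whole key.
      zone_name = self.ZONE_NAMES.get(zone_key.name, zone_key.name)
      path = u'{0:s}\\{1:s}'.format(key.path, zone_name)

      text_dict = {}

      # TODO: this plugin currently just dumps the values and does not
      # distinguish between what is a feature control or not.
      for value in zone_key.GetValues():
        # Ignore the default value.
        if not value.name:
          continue

        feature_control = self._FormatFeatureControl(value.name)
        text_dict[feature_control] = self._FormatZoneValue(value)

      event_object = windows_events.WindowsRegistryEvent(
          zone_key.last_written_timestamp, path, text_dict,
          offset=zone_key.offset, registry_type=registry_type,
          urls=self.URLS)
      parser_context.ProduceEvent(
          event_object, parser_chain=parser_chain, file_entry=file_entry)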
class MsieZoneSettingsSoftwareZonesPlugin(MsieZoneSettingsPlugin):
  """Parses the Zones key in the Software hive.

  Same parsing logic as MsieZoneSettingsPlugin, but registered for the
  SOFTWARE hive, where the Internet Settings key sits directly under the
  hive root (and additionally under Wow6432Node on 64-bit systems).
  """

  NAME = 'winreg_msie_zone_software'

  REG_TYPE = 'SOFTWARE'

  # Common prefix of the four key paths below.
  _INTERNET_SETTINGS_PATH = (
      u'\\Microsoft\\Windows\\CurrentVersion\\Internet Settings')

  REG_KEYS = [
      _INTERNET_SETTINGS_PATH + u'\\Zones',
      _INTERNET_SETTINGS_PATH + u'\\Lockdown_Zones',
      u'\\Wow6432Node' + _INTERNET_SETTINGS_PATH + u'\\Zones',
      u'\\Wow6432Node' + _INTERNET_SETTINGS_PATH + u'\\Lockdown_Zones']
# Module import side effect: registers both plugin classes with the Windows
# Registry parser so they are selected by REG_TYPE / REG_KEYS.
winreg.WinRegistryParser.RegisterPlugins([
    MsieZoneSettingsPlugin, MsieZoneSettingsSoftwareZonesPlugin])