plaso-rubanetra/plaso/parsers/winreg_plugins/msie_zones.py

#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""This file contains the MSIE zone settings plugin."""

from plaso.events import windows_events
from plaso.parsers import winreg
from plaso.parsers.winreg_plugins import interface


__author__ = 'Elizabeth Schweinsberg (beth@bethlogic.net)'


class MsieZoneSettingsPlugin(interface.KeyPlugin):
  """Windows Registry plugin for parsing the MSIE Zones settings."""

  NAME = 'winreg_msie_zone'
  DESCRIPTION = u'Parser for Internet Explorer zone settings Registry data.'

  REG_TYPE = 'NTUSER'

  REG_KEYS = [
      (u'\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings'
       u'\\Zones'),
      (u'\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings'
       u'\\Lockdown_Zones')]

  URLS = ['http://support.microsoft.com/kb/182569']

  ZONE_NAMES = {
      '0': '0 (My Computer)',
      '1': '1 (Local Intranet Zone)',
      '2': '2 (Trusted sites Zone)',
      '3': '3 (Internet Zone)',
      '4': '4 (Restricted Sites Zone)',
      '5': '5 (Custom)'
  }

  KNOWN_PERMISSIONS_VALUE_NAMES = [
      '1001', '1004', '1200', '1201', '1400', '1402', '1405', '1406', '1407',
      '1601', '1604', '1606', '1607', '1608', '1609', '1800', '1802', '1803',
      '1804', '1809', '1A04', '2000', '2001', '2004', '2100', '2101', '2102',
      '2200', '2201', '2300']

  CONTROL_VALUES_PERMISSIONS = {
      0x00000000: '0 (Allow)',
      0x00000001: '1 (Prompt User)',
      0x00000003: '3 (Not Allowed)',
      0x00010000: '0x00010000 (Administrator approved)'
  }

  CONTROL_VALUES_SAFETY = {
      0x00010000: '0x00010000 (High safety)',
      0x00020000: '0x00020000 (Medium safety)',
      0x00030000: '0x00030000 (Low safety)'
  }

  CONTROL_VALUES_1A00 = {
      0x00000000: ('0x00000000 (Automatic logon with current user name and '
                   'password)'),
      0x00010000: '0x00010000 (Prompt for user name and password)',
      0x00020000: '0x00020000 (Automatic logon only in Intranet zone)',
      0x00030000: '0x00030000 (Anonymous logon)'
  }

  CONTROL_VALUES_1C00 = {
      0x00000000: '0x00000000 (Disable Java)',
      0x00010000: '0x00010000 (High safety)',
      0x00020000: '0x00020000 (Medium safety)',
      0x00030000: '0x00030000 (Low safety)',
      0x00800000: '0x00800000 (Custom)'
  }

  FEATURE_CONTROLS = {
      '1200': 'Run ActiveX controls and plug-ins',
      '1400': 'Active scripting',
      '1001': 'Download signed ActiveX controls',
      '1004': 'Download unsigned ActiveX controls',
      '1201': 'Initialize and script ActiveX controls not marked as safe',
      '1206': 'Allow scripting of IE Web browser control',
      '1207': 'Reserved',
      '1208': 'Allow previously unused ActiveX controls to run without prompt',
      '1209': 'Allow Scriptlets',
      '120A': 'Override Per-Site (domain-based) ActiveX restrictions',
      '120B': 'Override Per-Site (domain-based) ActiveX restrictions',
      '1402': 'Scripting of Java applets',
      '1405': 'Script ActiveX controls marked as safe for scripting',
      '1406': 'Access data sources across domains',
      '1407': 'Allow Programmatic clipboard access',
      '1408': 'Reserved',
      '1601': 'Submit non-encrypted form data',
      '1604': 'Font download',
      '1605': 'Run Java',
      '1606': 'Userdata persistence',
      '1607': 'Navigate sub-frames across different domains',
      '1608': 'Allow META REFRESH',
      '1609': 'Display mixed content',
      '160A': 'Include local directory path when uploading files to a server',
      '1800': 'Installation of desktop items',
      '1802': 'Drag and drop or copy and paste files',
      '1803': 'File Download',
      '1804': 'Launching programs and files in an IFRAME',
      '1805': 'Launching programs and files in webview',
      '1806': 'Launching applications and unsafe files',
      '1807': 'Reserved',
      '1808': 'Reserved',
      '1809': 'Use Pop-up Blocker',
      '180A': 'Reserved',
      '180B': 'Reserved',
      '180C': 'Reserved',
      '180D': 'Reserved',
      '1A00': 'User Authentication: Logon',
      '1A02': 'Allow persistent cookies that are stored on your computer',
      '1A03': 'Allow per-session cookies (not stored)',
      '1A04': 'Don\'t prompt for client cert selection when no certs exists',
      '1A05': 'Allow 3rd party persistent cookies',
      '1A06': 'Allow 3rd party session cookies',
      '1A10': 'Privacy Settings',
      '1C00': 'Java permissions',
      '1E05': 'Software channel permissions',
      '1F00': 'Reserved',
      '2000': 'Binary and script behaviors',
      '2001': '.NET: Run components signed with Authenticode',
      '2004': '.NET: Run components not signed with Authenticode',
      '2100': 'Open files based on content, not file extension',
      '2101': 'Web sites in less privileged zone can navigate into this zone',
      '2102': ('Allow script initiated windows without size/position '
               'constraints'),
      '2103': 'Allow status bar updates via script',
      '2104': 'Allow websites to open windows without address or status bars',
      '2105': 'Allow websites to prompt for information using scripted windows',
      '2200': 'Automatic prompting for file downloads',
      '2201': 'Automatic prompting for ActiveX controls',
      '2300': 'Allow web pages to use restricted protocols for active content',
      '2301': 'Use Phishing Filter',
      '2400': '.NET: XAML browser applications',
      '2401': '.NET: XPS documents',
      '2402': '.NET: Loose XAML',
      '2500': 'Turn on Protected Mode',
      '2600': 'Enable .NET Framework setup',
      '{AEBA21FA-782A-4A90-978D-B72164C80120}': 'First Party Cookie',
      '{A8A88C49-5EB2-4990-A1A2-0876022C854F}': 'Third Party Cookie'
  }

  def GetEntries(
      self, parser_context, file_entry=None, key=None, registry_type=None,
      parser_chain=None, **unused_kwargs):
    """Retrieves information of the Internet Settings Zones values.

    The MSIE Feature controls are stored in the Zone specific subkeys in:
      Internet Settings\\Zones key
      Internet Settings\\Lockdown_Zones key

    Args:
      parser_context: A parser context object (instance of ParserContext).
      file_entry: optional file entry object (instance of dfvfs.FileEntry).
                  The default is None.
      key: Optional Registry key (instance of winreg.WinRegKey).
           The default is None.
      registry_type: Optional Registry type string. The default is None.
      parser_chain: Optional string containing the parsing chain up to this
                    point. The default is None.
    """
    text_dict = {}

    if key.number_of_values == 0:
      error_string = u'Key: {0:s} missing values.'.format(key.path)
      parser_context.ProduceParseError(
          self.NAME, error_string, file_entry=file_entry)

    else:
      for value in key.GetValues():
        if not value.name:
          value_name = '(default)'
        else:
          value_name = u'{0:s}'.format(value.name)

        if value.DataIsString():
          value_string = u'[{0:s}] {1:s}'.format(
              value.data_type_string, value.data)
        elif value.DataIsInteger():
          value_string = u'[{0:s}] {1:d}'.format(
              value.data_type_string, value.data)
        elif value.DataIsMultiString():
          value_string = u'[{0:s}] {1:s}'.format(
              value.data_type_string, u''.join(value.data))
        else:
          value_string = u'[{0:s}]'.format(value.data_type_string)

        text_dict[value_name] = value_string

    # Generate at least one event object for the key.
    event_object = windows_events.WindowsRegistryEvent(
        key.last_written_timestamp, key.path, text_dict, offset=key.offset,
        registry_type=registry_type, urls=self.URLS)
    parser_context.ProduceEvent(
        event_object, parser_chain=parser_chain, file_entry=file_entry)

    if key.number_of_subkeys == 0:
      error_string = u'Key: {0:s} missing subkeys.'.format(key.path)
      parser_context.ProduceParseError(
          self.NAME, error_string, file_entry=file_entry)
      return

    for zone_key in key.GetSubkeys():
      # TODO: these values are stored in the Description value of the
      # zone key. This solution will break on zone values that are larger
      # than 5.
      path = u'{0:s}\\{1:s}'.format(key.path, self.ZONE_NAMES[zone_key.name])

      text_dict = {}

      # TODO: this plugin currently just dumps the values and does not
      # distinguish between what is a feature control or not.
      for value in zone_key.GetValues():
        # Ignore the default value.
        if not value.name:
          continue

        if value.DataIsString():
          value_string = value.data

        elif value.DataIsInteger():
          if value.name in self.KNOWN_PERMISSIONS_VALUE_NAMES:
            value_string = self.CONTROL_VALUES_PERMISSIONS.get(
                value.data, u'UNKNOWN')
          elif value.name == '1A00':
            value_string = self.CONTROL_VALUES_1A00.get(value.data, u'UNKNOWN')
          elif value.name == '1C00':
            value_string = self.CONTROL_VALUES_1C00.get(value.data, u'UNKNOWN')
          elif value.name == '1E05':
            value_string = self.CONTROL_VALUES_SAFETY.get(
                value.data, u'UNKNOWN')
          else:
            value_string = u'{0:d}'.format(value.data)

        else:
          value_string = u'[{0:s}]'.format(value.data_type_string)

        if len(value.name) == 4 and value.name != 'Icon':
          value_description = self.FEATURE_CONTROLS.get(value.name, 'UNKNOWN')
        else:
          value_description = self.FEATURE_CONTROLS.get(value.name, '')

        if value_description:
          feature_control = u'[{0:s}] {1:s}'.format(
              value.name, value_description)
        else:
          feature_control = u'[{0:s}]'.format(value.name)

        text_dict[feature_control] = value_string

      event_object = windows_events.WindowsRegistryEvent(
          zone_key.last_written_timestamp, path, text_dict,
          offset=zone_key.offset, registry_type=registry_type,
          urls=self.URLS)
      parser_context.ProduceEvent(
          event_object, parser_chain=parser_chain, file_entry=file_entry)


class MsieZoneSettingsSoftwareZonesPlugin(MsieZoneSettingsPlugin):
  """Parses the Zones key in the Software hive."""

  NAME = 'winreg_msie_zone_software'

  REG_TYPE = 'SOFTWARE'
  REG_KEYS = [
      u'\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones',
      (u'\\Microsoft\\Windows\\CurrentVersion\\Internet Settings'
       u'\\Lockdown_Zones'),
      (u'\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings'
       u'\\Zones'),
      (u'\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings'
       u'\\Lockdown_Zones')]


winreg.WinRegistryParser.RegisterPlugins([
    MsieZoneSettingsPlugin, MsieZoneSettingsSoftwareZonesPlugin])