Changes to windows_services analysis plugin log2timeline#3001
Onager committed Jun 5, 2020
1 parent 96ff696 commit de1d40b
Showing 1 changed file with 11 additions and 6 deletions.
17 changes: 11 additions & 6 deletions plaso/analysis/windows_services.py
Expand Up @@ -8,6 +8,7 @@
from plaso.analysis import interface
from plaso.analysis import manager
from plaso.containers import reports
from plaso.parsers.winreg_plugins import services
from plaso.winnt import human_readable_service_enums


Expand Down Expand Up @@ -124,10 +125,12 @@ def FromEventData(cls, event_data):
else:
source = ('Unknown', 'Unknown')

service_dll = getattr(event_data, 'service_dll', None)

return cls(
event_data.name, event_data.service_type, event_data.image_path,
event_data.start_type, event_data.object_name, source,
service_dll=event_data.service_dll)
service_dll=service_dll)

def HumanReadableType(self):
"""Return a human readable string describing the type value.
Expand Down Expand Up @@ -191,8 +194,6 @@ class WindowsServicesAnalysisPlugin(interface.AnalysisPlugin):
# Indicate that we can run this plugin during regular extraction.
ENABLE_IN_EXTRACTION = True

_SUPPORTED_EVENT_DATA_TYPES = frozenset([
'windows:registry:service'])

def __init__(self):
"""Initializes the Windows Services plugin."""
Expand Down Expand Up @@ -263,11 +264,15 @@ def ExamineEvent(self, mediator, event, event_data):
event (EventObject): event to examine.
event_data (EventData): event data.
"""
if event_data.data_type not in self._SUPPORTED_EVENT_DATA_TYPES:
# TODO: Handle event log entries here also (ie, event id 4697).
if not event_data.data_type == 'windows:registry:service':
return

# TODO: Handle event log entries here also (ie, event id 4697).
service = WindowsService.FromEventData(event_data)
event_data_attributes = event_data.CopyToDict()
service_event_data = services.WindowsRegistryServiceEventData()
service_event_data.CopyFromDict(event_data_attributes)

service = WindowsService.FromEventData(service_event_data)
self._service_collection.AddService(service)

def SetOutputFormat(self, output_format):
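Review bot: The new guard `if not event_data.data_type == 'windows:registry:service':` should be written as `if event_data.data_type != 'windows:registry:service':`, and if `services.WindowsRegistryServiceEventData` exposes its data type as a class constant the comparison is better made against that than against a second copy of the literal, so the check cannot drift from the container it feeds. The `CopyToDict()` / `CopyFromDict()` round-trip into a fresh `WindowsRegistryServiceEventData` carries no comment explaining why the incoming event data is not passed to `FromEventData` directly; I would add `# Rebuild a typed container so attributes missing from the incoming event data take the container's defaults (see the getattr fallback in FromEventData).` above it, which is my reading of the intent given the `getattr(event_data, 'service_dll', None)` fallback added in the same commit and should be confirmed. ExamineEvent's signature and the start of its docstring lie above this hunk.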
