Moved AMCache formatter to configuration log2timeline#444

Author: joachimmetz

data/formatters.yaml

@@ -0,0 +1,41 @@
+# Event formatters.
+
+type: 'conditional'
+data_type: 'windows:registry:amcache'
+message:
+- 'path: {full_path}'
+- 'sha1: {sha1}'
+- 'productname: {productname}'
+- 'companyname: {companyname}'
+- 'fileversion: {fileversion}'
+- 'languagecode: {languagecode}'
+- 'filesize: {filesize}'
+- 'filedescription: {filedescription}'
+- 'linkerts: {linkerts}'
+- 'lastmodifiedts: {lastmodifiedts}'
+- 'createdts: {createdts}'
+- 'programid: {programid}'
+short_message:
+- 'path: {full_path}'
+short_source: 'AMCACHE'
+source: 'Amcache Registry Entry'
+---
+type: 'conditional'
+data_type: 'windows:registry:amcache:programs'
+message:
+- 'name: {name}'
+- 'version: {version}'
+- 'publisher: {publisher}'
+- 'languagecode: {languagecode}'
+- 'entrytype: {entrytype}'
+- 'uninstallkey: {uninstallkey}'
+- 'filepaths: {filepaths}'
+- 'productcode: {productcode}'
+- 'packagecode: {packagecode}'
+- 'msiproductcode: {msiproductcode}'
+- 'msipackagecode: {msipackagecode}'
+- 'files: {files}'
+short_message:
+- 'name: {name}'
+short_source: 'AMCACHEPROGRAM'
+source: 'Amcache Programs Registry Entry'

plaso/cli/extraction_tool.py

@@ -238,7 +238,7 @@ def _ReadParserPresetsFromFile(self):
       self._presets_manager.ReadFromFile(self._presets_file)
     except errors.MalformedPresetError as exception:
       raise errors.BadConfigOption(
-          'Unable to read presets from file with error: {0!s}'.format(
+          'Unable to read parser presets from file with error: {0!s}'.format(
               exception))
 
   def _SetExtractionParsersAndPlugins(self, configuration, session):

plaso/cli/psort_tool.py

@@ -29,6 +29,7 @@
 from plaso.engine import engine
 from plaso.engine import knowledge_base
 from plaso.filters import event_filter
+from plaso.formatters import manager as formatters_manager
 from plaso.lib import errors
 from plaso.lib import loggers
 from plaso.lib import timelib
@@ -61,6 +62,8 @@ class PsortTool(
       'Application to read, filter and process output from a plaso storage '
       'file.')
 
+  _FORMATTERS_FILE_NAME = 'formatters.yaml'
+
   def __init__(self, input_reader=None, output_writer=None):
     """Initializes the CLI tool object.
 
@@ -79,6 +82,7 @@ def __init__(self, input_reader=None, output_writer=None):
     self._deduplicate_events = True
     self._event_filter_expression = None
     self._event_filter = None
+    self._formatters_file = None
     self._knowledge_base = knowledge_base.KnowledgeBase()
     self._number_of_analysis_reports = 0
     self._preferred_language = 'en-US'
@@ -284,6 +288,26 @@ def _PrintAnalysisReportsDetails(self, storage_reader):
 
       table_view.Write(self._output_writer)
 
+  def _ReadEventFormattersFromFile(self):
+    """Reads the event formatters the formatters.yaml file.
+
+    Raises:
+      BadConfigOption: if the event formatters file cannot be read.
+    """
+    self._formatters_file = os.path.join(
+        self._data_location, self._FORMATTERS_FILE_NAME)
+    if not os.path.isfile(self._formatters_file):
+      raise errors.BadConfigOption(
+          'No such event formatters file: {0:s}.'.format(self._formatters_file))
+
+    try:
+      formatters_manager.FormattersManager.ReadFormattersFromFile(
+          self._formatters_file)
+    except KeyError as exception:
+      raise errors.BadConfigOption(
+          'Unable to read event formatters from file with error: {0!s}'.format(
+              exception))
+
   def AddProcessingOptions(self, argument_group):
     """Adds processing options to the argument group
 
@@ -457,6 +481,8 @@ def ParseOptions(self, options):
     helpers_manager.ArgumentHelperManager.ParseOptions(
         options, self, names=['data_location'])
 
+    self._ReadEventFormattersFromFile()
+
     self._ParseLogFileOptions(options)
 
     self._ParseProcessingOptions(options)

plaso/cli/psteal_tool.py

@@ -23,6 +23,7 @@
 from plaso.engine import engine
 from plaso.engine import knowledge_base
 from plaso.engine import single_process as single_process_engine
+from plaso.formatters import manager as formatters_manager
 from plaso.lib import errors
 from plaso.lib import loggers
 from plaso.multi_processing import psort
@@ -83,6 +84,8 @@ class PstealTool(
       'And that is how you build a timeline using psteal...',
       '']))
 
+  _FORMATTERS_FILE_NAME = 'formatters.yaml'
+
   _SOURCE_TYPES_TO_PREPROCESS = frozenset([
       dfvfs_definitions.SOURCE_TYPE_DIRECTORY,
       dfvfs_definitions.SOURCE_TYPE_STORAGE_MEDIA_DEVICE,
@@ -103,6 +106,7 @@ def __init__(self, input_reader=None, output_writer=None):
     self._command_line_arguments = None
     self._deduplicate_events = True
     self._enable_sigsegv_handler = False
+    self._formatters_file = None
     self._knowledge_base = knowledge_base.KnowledgeBase()
     self._number_of_analysis_reports = 0
     self._number_of_extraction_workers = 0
@@ -173,6 +177,26 @@ def _PrintAnalysisReportsDetails(
 
       table_view.Write(self._output_writer)
 
+  def _ReadEventFormattersFromFile(self):
+    """Reads the event formatters the formatters.yaml file.
+
+    Raises:
+      BadConfigOption: if the event formatters file cannot be read.
+    """
+    self._formatters_file = os.path.join(
+        self._data_location, self._FORMATTERS_FILE_NAME)
+    if not os.path.isfile(self._formatters_file):
+      raise errors.BadConfigOption(
+          'No such event formatters file: {0:s}.'.format(self._formatters_file))
+
+    try:
+      formatters_manager.FormattersManager.ReadFormattersFromFile(
+          self._formatters_file)
+    except KeyError as exception:
+      raise errors.BadConfigOption(
+          'Unable to read event formatters from file with error: {0!s}'.format(
+              exception))
+
   def AnalyzeEvents(self):
     """Analyzes events from a plaso storage file and generate a report.
 
@@ -452,6 +476,7 @@ def ParseOptions(self, options):
         options, self, names=['data_location'])
 
     self._ReadParserPresetsFromFile()
+    self._ReadEventFormattersFromFile()
 
     # The output modules options are dependent on the preferred language
     # and preferred time zone options.

plaso/formatters/__init__.py

@@ -1,7 +1,6 @@
 # -*- coding: utf-8 -*-
 """This file contains an import statement for each formatter."""
 
-from plaso.formatters import amcache
 from plaso.formatters import android_app_usage
 from plaso.formatters import android_calls
 from plaso.formatters import android_sms

plaso/formatters/amcache.py

@@ -6,6 +6,7 @@
 from plaso.formatters import default
 from plaso.formatters import logger
 from plaso.lib import definitions
+from plaso.formatters import yaml_formatters_file
 
 
 class FormattersManager(object):
@@ -15,6 +16,9 @@ class FormattersManager(object):
   _formatter_objects = {}
   _unformatted_attributes = {}
 
+  # Work-around to prevent the tests re-reading the formatters file.
+  _file_was_read = False
+
   @classmethod
   def DeregisterFormatter(cls, formatter_class):
     """Deregisters a formatter class.
@@ -29,9 +33,8 @@ def DeregisterFormatter(cls, formatter_class):
     """
     formatter_data_type = formatter_class.DATA_TYPE.lower()
     if formatter_data_type not in cls._formatter_classes:
-      raise KeyError(
-          'Formatter class not set for data type: {0:s}.'.format(
-              formatter_class.DATA_TYPE))
+      raise KeyError('Formatter class not set for data type: {0:s}.'.format(
+          formatter_class.DATA_TYPE))
 
     del cls._formatter_classes[formatter_data_type]
 
@@ -57,8 +60,8 @@ def GetFormatterObject(cls, data_type):
         formatter_object = formatter_class()
 
       if not formatter_object:
-        logger.warning(
-            'Using default formatter for data type: {0:s}'.format(data_type))
+        logger.warning('Using default formatter for data type: {0:s}'.format(
+            data_type))
         formatter_object = default.DefaultFormatter()
 
       cls._formatter_objects[data_type] = formatter_object
@@ -124,6 +127,28 @@ def GetUnformattedAttributes(cls, event_data):
 
     return unformatted_attributes
 
+  @classmethod
+  def ReadFormattersFromFile(cls, path):
+    """Reads formatters from a file.
+
+    Args:
+      path (str): path of file that contains the formatters configuration.
+
+    Raises:
+      KeyError: if formatter class is already set for the corresponding
+          data type.
+    """
+    if not cls._file_was_read:
+      formatters_file = yaml_formatters_file.YAMLFormattersFile()
+      for formatter in formatters_file.ReadFromFile(path):
+        # TODO: refactor RegisterFormatter to only use formatter objects.
+        cls.RegisterFormatter(formatter)
+
+        data_type = formatter.DATA_TYPE.lower()
+        cls._formatter_objects[data_type] = formatter
+
+      cls._file_was_read = True
+
   @classmethod
   def RegisterFormatter(cls, formatter_class):
     """Registers a formatter class.
@@ -139,9 +164,8 @@ def RegisterFormatter(cls, formatter_class):
     """
     formatter_data_type = formatter_class.DATA_TYPE.lower()
     if formatter_data_type in cls._formatter_classes:
-      raise KeyError((
-          'Formatter class already set for data type: {0:s}.').format(
-              formatter_class.DATA_TYPE))
+      raise KeyError('Formatter class already set for data type: {0:s}.'.format(
+          formatter_class.DATA_TYPE))
 
     cls._formatter_classes[formatter_data_type] = formatter_class
 

plaso/formatters/manager.py

@@ -88,22 +88,24 @@ def testReadFormatterDefinition(self):
 
   def testReadFromFileObject(self):
     """Tests the _ReadFromFileObject function."""
-    test_path = self._GetTestFilePath(['formatters', 'format_test.yaml'])
-    self._SkipIfPathNotExists(test_path)
+    test_file_path = self._GetTestFilePath(['formatters', 'format_test.yaml'])
+    self._SkipIfPathNotExists(test_file_path)
 
     test_formatters_file = yaml_formatters_file.YAMLFormattersFile()
-    with io.open(test_path, 'r', encoding='utf-8') as file_object:
+
+    with io.open(test_file_path, 'r', encoding='utf-8') as file_object:
       formatters = list(test_formatters_file._ReadFromFileObject(file_object))
 
     self.assertEqual(len(formatters), 1)
 
   def testReadFromFile(self):
     """Tests the ReadFromFile function."""
-    test_path = self._GetTestFilePath(['formatters', 'format_test.yaml'])
-    self._SkipIfPathNotExists(test_path)
+    test_file_path = self._GetTestFilePath(['formatters', 'format_test.yaml'])
+    self._SkipIfPathNotExists(test_file_path)
 
     test_formatters_file = yaml_formatters_file.YAMLFormattersFile()
-    formatters = test_formatters_file.ReadFromFile(test_path)
+
+    formatters = test_formatters_file.ReadFromFile(test_file_path)
 
     self.assertEqual(len(formatters), 1)
 

tests/formatters/yaml_formatters_file.py

@@ -35,20 +35,17 @@ def testParse(self):
         'is-f4510.tmp\\idafree50.tmp')
     self.assertEqual(event_data.full_path, expected_full_path)
 
-    expected_sha1 = '82274eef0911a948f91425f5e5b0e730517fe75e'
-    self.assertEqual(event_data.sha1, expected_sha1)
+    self.assertEqual(
+        event_data.sha1, '82274eef0911a948f91425f5e5b0e730517fe75e')
 
     event = events[1148]
 
     event_data = self._GetEventDataOfEvent(storage_writer, event)
+    self.assertEqual(event_data.name, 'FileInsight - File analysis tool')
+    self.assertEqual(event_data.publisher, 'McAfee Inc.')
 
-    expected_program_name = 'FileInsight - File analysis tool'
-    self.assertEqual(event_data.name, expected_program_name)
-
-    expected_publisher = 'McAfee Inc.'
-    self.assertEqual(event_data.publisher, expected_publisher)
-
-    # TODO: add test for message string
+    expected_message = 'name: FileInsight - File analysis tool'
+    self._TestGetMessageStrings(event_data, expected_message, expected_message)
 
   def testParseWithSystem(self):
     """Tests the Parse function with a SYSTEM Registry file."""