# -*- coding: utf-8 -*-
"""Windows mounted devices collector."""
from winregrc import data_format
from winregrc import errors
class MountedDevice(object):
  """Mounted device.

  A plain record for one value of the MountedDevices Registry key. Only
  the identifier is known at construction time; the remaining attributes
  start as None and are filled in by the collector once it knows whether
  the value holds MBR partition values, GPT partition values or a device
  path.

  Attributes:
    device (str): device.
    disk_identity (int): MBR disk identity.
    identifier (str): identifier.
    partition_identifier (str): GPT partition identifier.
    partition_offset (int): MBR partition offset.
  """

  def __init__(self, identifier):
    """Initializes a mounted device.

    Args:
      identifier (str): identifier.
    """
    super(MountedDevice, self).__init__()
    self.identifier = identifier
    # Populated later by the collector, depending on the value data layout.
    self.device = None
    self.disk_identity = None
    self.partition_identifier = None
    self.partition_offset = None
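class MountedDevicesCollector(data_format.BinaryDataFormat):
  """Windows mounted devices collector.

  Reads every value of the MountedDevices Registry key and interprets it by
  its size: 12 bytes as MBR partition values, 24 bytes as GPT partition
  values and any other size as a UTF-16 little-endian device path.
  """

  _DEFINITION_FILE = 'mounted_devices.yaml'

  _MOUNTED_DEVICES_KEY_PATH = (
      'HKEY_LOCAL_MACHINE\\System\\MountedDevices')

  def _ParseMountedDevicesValue(self, registry_value):
    """Parses a Windows mounted devices Windows Registry value.

    Args:
      registry_value (dfwinreg.WinRegistryValue): a mounted devices Windows
          Registry value.

    Returns:
      MountedDevice: a mounted device.

    Raises:
      ParseError: if the value could not be parsed, including when the value
          data is neither a known partition structure nor valid UTF-16.
    """
    mounted_device = MountedDevice(registry_value.name)

    value_data = registry_value.data
    value_data_size = len(value_data)

    if value_data_size == 12:
      data_type_map = self._GetDataTypeMap('mounted_devices_mbr_partition')

      try:
        partition_values = self._ReadStructureFromByteStream(
            value_data, 0, data_type_map,
            'Mounted devices MBR partition values')
      except (ValueError, errors.ParseError) as exception:
        raise errors.ParseError((
            f'Unable to parse Mounted devices MBR partition values with '
            f'error: {exception!s}'))

      mounted_device.disk_identity = partition_values.disk_identity
      mounted_device.partition_offset = partition_values.partition_offset

    elif value_data_size == 24:
      data_type_map = self._GetDataTypeMap('mounted_devices_gpt_partition')

      try:
        partition_values = self._ReadStructureFromByteStream(
            value_data, 0, data_type_map,
            'Mounted devices GPT partition values')
      except (ValueError, errors.ParseError) as exception:
        raise errors.ParseError((
            f'Unable to parse Mounted devices GPT partition values with '
            f'error: {exception!s}'))

      mounted_device.partition_identifier = (
          partition_values.partition_identifier)

    else:
      # Any other size is taken to be a UTF-16 little-endian device path.
      # The data comes straight from the hive under analysis, so an odd
      # length or an invalid surrogate must surface as the ParseError this
      # method documents rather than as an unexpected UnicodeDecodeError
      # escaping from Collect().
      try:
        mounted_device.device = value_data.decode('utf-16-le')
      except UnicodeDecodeError as exception:
        raise errors.ParseError((
            f'Unable to decode Mounted devices device path with '
            f'error: {exception!s}'))

    return mounted_device

  def Collect(self, registry):
    """Collects Windows mounted devices.

    Args:
      registry (dfwinreg.WinRegistry): Windows Registry.

    Yields:
      MountedDevice: a mounted device.

    Raises:
      ParseError: if a mounted devices value could not be parsed.
    """
    mounted_devices_key = registry.GetKeyByPath(self._MOUNTED_DEVICES_KEY_PATH)
    # A missing key is not an error: the hive simply has no mounted devices.
    if not mounted_devices_key:
      return

    for registry_value in mounted_devices_key.GetValues():
      yield self._ParseMountedDevicesValue(registry_value)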