Module Contents#



Plugin that parses firewall rules from the registry.


class dissect.target.plugins.os.windows.regf.firewall.FirewallPlugin(target: dissect.target.Target)#

Bases: dissect.target.plugin.Plugin

Plugin that parses firewall rules from the registry.

KEY = 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules'#
check_compatible() None#

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.


UnsupportedPluginError – If the plugin could not be loaded.


Return firewall rules saved in the registry.

For a Windows operating system, the Firewall rules are stored in the HKLMSYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyFirewallRules registry key.

Yields dynamic records with usually the following fields:

hostname (string): The target hostname. domain (string): The target domain. key (string): The rule key name. version (string): The version field of the rule. action (string): The action of the rule. active (boolean): Whether the rule is active. dir (string): The direction of the rule. protocol (uint32): The specified protocol (UDP=17, TCP=6). lport (string): The listening port of the rule. rport (string): The receiving port of the rule. profile (string): The Profile field of the rule. app (string): The App field of the rule. svc (string): The Svc of the rule. name (string): The Name of the rule. desc (string): The Desc of the rule. embed_ctxt (string): The EmbedCtxt of the rule.