dissect.target.plugins.os.windows.regf.firewall

Module Contents

Classes

FirewallPlugin

Plugin that parses firewall rules from the registry.

Attributes

re_firewall

dissect.target.plugins.os.windows.regf.firewall.re_firewall

class dissect.target.plugins.os.windows.regf.firewall.FirewallPlugin(target: dissect.target.Target)

Bases: dissect.target.plugin.Plugin

Plugin that parses firewall rules from the registry.

KEY = 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules'

FIELD_MAP

VALUE_MAP

check_compatible() → None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

firewall()

Return firewall rules saved in the registry.

For a Windows operating system, the Firewall rules are stored in the HKLMSYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyFirewallRules registry key.

Yields dynamic records with usually the following fields:

hostname (string): The target hostname. domain (string): The target domain. key (string): The rule key name. version (string): The version field of the rule. action (string): The action of the rule. active (boolean): Whether the rule is active. dir (string): The direction of the rule. protocol (uint32): The specified protocol (UDP=17, TCP=6). lport (string): The listening port of the rule. rport (string): The receiving port of the rule. profile (string): The Profile field of the rule. app (string): The App field of the rule. svc (string): The Svc of the rule. name (string): The Name of the rule. desc (string): The Desc of the rule. embed_ctxt (string): The EmbedCtxt of the rule.