dissect.target.plugins.os.windows.regf.firewall

Module Contents

Classes

FirewallPlugin

Plugin that parses firewall rules from the registry.

Attributes

dissect.target.plugins.os.windows.regf.firewall.re_firewall
class dissect.target.plugins.os.windows.regf.firewall.FirewallPlugin(target: dissect.target.Target)

Bases: dissect.target.plugin.Plugin

Plugin that parses firewall rules from the registry.

KEY = 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules'
FIELD_MAP
VALUE_MAP
check_compatible() → None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

firewall() → Iterator[dissect.target.helpers.record.DynamicDescriptor]

Return firewall rules saved in the registry.

For a Windows operating system, the firewall rules are stored in the HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules registry key.

Yields dynamic records that usually have the following fields:

hostname (string): The target hostname.
domain (string): The target domain.
key (string): The rule key name.
version (string): The version field of the rule.
action (string): The action of the rule.
active (boolean): Whether the rule is active.
dir (string): The direction of the rule.
protocol (uint32): The specified protocol (UDP=17, TCP=6).
lport (string): The listening port of the rule.
rport (string): The receiving port of the rule.
profile (string): The Profile field of the rule.
app (string): The App field of the rule.
svc (string): The Svc of the rule.
name (string): The Name of the rule.
desc (string): The Desc of the rule.
embed_ctxt (string): The EmbedCtxt of the rule.
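
How a rule value stored under this key breaks down into the fields listed above, as an added example that is not dissect's own code. The sample rule strings are constructed, and parse_rule, active_inbound_allow, FIELDS and MULTI are hypothetical names; joining repeated fields with a comma is a choice made for this example.

```python
# Added illustration: a stand-alone parser, not dissect's implementation.
# Rule values under FirewallRules are pipe-delimited strings: a version token
# followed by Key=Value pairs.

# Registry field name -> record field name used in the list above.
FIELDS = {
    "Action": "action", "Active": "active", "Dir": "dir", "Protocol": "protocol",
    "LPort": "lport", "RPort": "rport", "Profile": "profile", "App": "app",
    "Svc": "svc", "Name": "name", "Desc": "desc", "EmbedCtxt": "embed_ctxt",
}
MULTI = {"lport", "rport", "profile"}  # fields that may repeat within one rule


def parse_rule(key, value):
    """Split one rule value into a dict shaped like the record fields."""
    version, _, rest = value.partition("|")
    rule = {"key": key, "version": version}
    for part in filter(None, rest.split("|")):  # skip the empty trailing token
        name, sep, val = part.partition("=")
        if not sep:
            continue  # malformed token without '='
        field = FIELDS.get(name, name.lower())
        if field == "active":
            val = val.upper() == "TRUE"
        elif field == "protocol" and val.isdigit():
            val = int(val)
        if field in MULTI and field in rule:
            rule[field] += "," + val  # assumption: comma-join repeated fields
        else:
            rule[field] = val
    return rule


def active_inbound_allow(rules):
    """Triage filter: enabled rules that allow inbound traffic."""
    return [r for r in rules
            if r.get("active") and r.get("action") == "Allow" and r.get("dir") == "In"]


# Constructed sample values (not taken from a real system).
SAMPLES = {
    "RemoteDesktop-In-TCP": "v2.30|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=3389|App=%SystemRoot%\\system32\\svchost.exe|Svc=termservice|Name=Remote Desktop|",
    "Custom-Out": "v2.30|Action=Block|Active=TRUE|Dir=Out|Protocol=17|RPort=53|Profile=Public|Profile=Private|Name=Block DNS|",
    "Disabled-In": "v2.30|Action=Allow|Active=FALSE|Dir=In|Protocol=6|LPort=8080|Name=Old web rule|",
}
RULES = [parse_rule(k, v) for k, v in SAMPLES.items()]
```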