Parse users\' quarantines
()
| 392 | return None |
| 393 | |
| 394 | def ParseQuarantines(): |
| 395 | ''' Parse users\' quarantines ''' |
| 396 | |
| 397 | PrintAndLog(u'Quarantines', 'SECTION') |
| 398 | |
| 399 | for User in os.listdir(os.path.join(ROOT_PATH, 'Users/')): |
| 400 | if User[0] != '.': |
| 401 | PrintAndLog(User.decode('utf-8') +'\'s quarantine', 'SUBSECTION') |
| 402 | DbPathV2 = os.path.join(ROOT_PATH, 'Users', User, 'Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2') # OS X >= 10.7 |
| 403 | DbPathV1 = os.path.join(ROOT_PATH, 'Users', User, 'Library/Preferences/com.apple.LaunchServices.QuarantineEvents') # OS X <= 10.6 |
| 404 | if os.path.isfile(DbPathV2): |
| 405 | DbPath = DbPathV2 |
| 406 | elif os.path.isfile(DbPathV1): |
| 407 | DbPath = DbPathV1 |
| 408 | else: |
| 409 | PrintAndLog(u'No quarantined files for user ' + User.decode('utf-8') + u'\n', 'INFO') |
| 410 | continue |
| 411 | DbConnection = sqlite3.connect(DbPath) |
| 412 | DbCursor = DbConnection.cursor() |
| 413 | LSQuarantineEvents = DbCursor.execute('SELECT * from LSQuarantineEvent') |
| 414 | for LSQuarantineEvent in LSQuarantineEvents: |
| 415 | JointLSQuarantineEvent = u'' |
| 416 | for Q in LSQuarantineEvent: |
| 417 | decoded = str(Q).decode('UTF-8', 'ignore') |
| 418 | JointLSQuarantineEvent += u';' + decoded |
| 419 | PrintAndLog(JointLSQuarantineEvent[1:] + u'\n'.decode('utf-8'), 'INFO') |
| 420 | DbConnection.close() |
| 421 | |
| 422 | def ParseStartupItems(StartupItemsPath): |
| 423 | ''' Parse the StartupItems plist and hash its program argument ''' |