Better error trapping and other improvements

[jayaramcs]

We were running into several errors during parsing and made a few improvements. We also messed up our branches and ended up with this giant commit. My apologies in advance.

Let me know if you'd like to go over any specific changes and I am happy to. But pure compare in diff mode may not be feasible.

I am also open to bumping up the version number on this, if that is a better approach.

Let me know. Thanks J

Here are a summary of changes

• Updated appinit dlls to create entries based on space or , per microsofts documents
• Added appinit dll to autoruns collection. It was never called in previous code.
• Moved all registry access over to registryapi.
• Added exception handling/logging to all methods accessing/parsing registry data.
• Fixed issue where verbose option was not updated.
• Made autoruns subclass of AbstractWindowsCommand as most plugins are.
• Updated render_table and render_text to use output produced by calculate() instead of accessing data dictionaries
• Added check to bail if registryapi was unable to find any registry hives instead of allowing to run and producing no output for users.
• Added check to winlogon notify so it would only run if the system being analyzed is pre vista as those systems are the only ones that use winlogon notify.
• Added more sanitization to data pulled from registry
• Added more checking so we do not produce entries if no exe/dll was found.
• Gerneral code cleanup and removed unnecessary librarires/code.

[tomchop]

Thanks a bunch for this PR. As you say the changes are pretty huge :) I am trying to get a few test images I could use to test the plugin on an integrate it into some kind of continuous build system. Would you happen to have something like that handy?

[jayaramcs]

We have some images that we run tests on, I will need to check and see if there is anything sensitive on there before I can publish it. Love the continuous build idea. Travis-CI may be? Haven't played with it much - but I suppose writing tests is the first step.

[tomchop]

Yeah I'm a bit familiar with Travis-CI so I guess it would be a good place to start. I was imagining running the plugin on an image in which we know what things to look for and a test to confirm that the output is as expected.

I've been trying to find memory samples, so far I've found:

• https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples (no Win10)
• https://www.dfir.training/tools/test-images-and-challenges/ (need to dig into those to see what we can get)

Ideally we'd have Win7, Win8, and Win10 images.

[jayaramcs]

I can have Win 10 and XP in a couple of weeks or so. I'll also look into the images in the link provided.

[tomchop]

People who have tested it on a memory dump have had positive results with your PR. Merging now. Thanks a lot for your contribution!

[jayaramcs]

No problem. happy to contribute. We do not have any scheduled updates to this, but if anything comes along, I will send along the PR.

[tomchop]

All good! If you find any ASEPs to be missing please open an issue so we can track it.