def raw_handles(): handles = {} handles[18446738026470543136] = dd(obj=18446738026470543136, handle=12, pid=3472, access_mask=1048608, obj_type_index=28) handles[18446738026474344592] = dd(obj=18446738026474344592, handle=16, pid=3472, access_mask=2031617, obj_type_index=36) handles[18446738026474569824] = dd(obj=18446738026474569824, handle=204, pid=920, access_mask=1048578, obj_type_index=17) handles[18446738026469227424] = dd(obj=18446738026469227424, handle=116, pid=920, access_mask=2031619, obj_type_index=12) handles[18446735964891181152] = dd(obj=18446735964891181152, handle=108, pid=1616, access_mask=983551, obj_type_index=5) return handles
def raw_handles(): handles = {} handles[18446738026470543136] = dd(obj=18446738026470543136, handle=12, pid=3472, access_mask=1048608, obj_type_index=28) handles[18446738026474344592] = dd(obj=18446738026474344592, handle=16, pid=3472, access_mask=2031617, obj_type_index=36) handles[18446738026474569824] = dd(obj=18446738026474569824, handle=204, pid=920, access_mask=1048578, obj_type_index=17) handles[18446738026469227424] = dd(obj=18446738026469227424, handle=116, pid=920, access_mask=2031619, obj_type_index=12) handles[18446735964891181152] = dd(obj=18446735964891181152, handle=108, pid=1616, access_mask=983551, obj_type_index=5) return handles
def thread_registry(handle_repo_mock, image_meta_registry_mock): p1 = { "session_id": 0, "command_line": "C:\\Windows\\system32\\services.exe", "process_id": "0x1e4", "unique_process_key": 18446738026492816176, "exit_status": 259, "parent_id": "0x17c", "image_file_name": "services.exe", "directory_table_base": 4299976704, "user_sid": None } t1 = { "user_stack_base": 14483456, "io_priority": 2, "teb_base": 8796092874752, "process_id": "0x1e4", "stack_limit": 18446735827441688576, "t_thread_id": "0x238", "base_priority": 9, "win32_start_addr": 2009573488, "page_priority": 5, "stack_base": 18446735827441713152, "user_stack_limit": 14450688, "thread_flags": 0, "affinity": 15, "sub_process_tag": "0x0" } t2 = { "user_stack_base": 16580608, "io_priority": 2, "teb_base": 8796092669952, "process_id": "0x1e4", "stack_limit": 18446735827442425856, "t_thread_id": "0x254", "base_priority": 9, "win32_start_addr": 8791752742020, "page_priority": 5, "stack_base": 18446735827442450432, "user_stack_limit": 16547840, "thread_flags": 0, "affinity": 15, "sub_process_tag": "0x0" } thread_registry = ThreadRegistry(handle_repo_mock, [], image_meta_registry_mock) thread_registry.add_thread(ENUM_PROCESS, dd(p1)) thread_registry.add_thread(ENUM_THREAD, dd(t1)) thread_registry.add_thread(ENUM_THREAD, dd(t2)) return thread_registry
def hive_parser(kevent_mock, thread_registry_mock): kcb1 = dd({ "index": 0, "process_id": 1224, "status": 0, "key_handle": 18446735964840821928, "key_name": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\" "{4a33e644-94a8-11e5-a0c5-806e6f6e6963}\\", "thread_id": 1484, "initial_time": 24218562806 }) kcb2 = dd({ 'initial_time': 0, 'index': 0, 'thread_id': 620, 'status': 0, 'key_handle': 18446735964896987168, 'key_name': '\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\services\\HDAudBus', 'process_id': 3820 }) kcb3 = dd({ "index": 0, "process_id": 896, "status": 0, "key_handle": 18446735964812642928, "key_name": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{D2D588B5-D081-11D0-99E0-00C04FC2F8EC}" "\\InprocServer32", "thread_id": 2916, "initial_time": 0 }) hive_parser = HiveParser(kevent_mock, thread_registry_mock) hive_parser.add_kcb(kcb1) hive_parser.add_kcb(kcb2) hive_parser.add_kcb(kcb3) return hive_parser
def hive_parser(kevent_mock, thread_registry_mock): kcb1 = dd({"index": 0, "process_id": 1224, "status": 0, "key_handle": 18446735964840821928, "key_name": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\" "{4a33e644-94a8-11e5-a0c5-806e6f6e6963}\\", "thread_id": 1484, "initial_time": 24218562806}) kcb2 = dd({'initial_time': 0, 'index': 0, 'thread_id': 620, 'status': 0, 'key_handle': 18446735964896987168, 'key_name': '\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\services\\HDAudBus', 'process_id': 3820}) kcb3 = dd({"index": 0, "process_id": 896, "status": 0, "key_handle": 18446735964812642928, "key_name": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{D2D588B5-D081-11D0-99E0-00C04FC2F8EC}" "\\InprocServer32", "thread_id": 2916, "initial_time": 0}) hive_parser = HiveParser(kevent_mock, thread_registry_mock) hive_parser.add_kcb(kcb1) hive_parser.add_kcb(kcb2) hive_parser.add_kcb(kcb3) return hive_parser
def test_create_thread_registry_proc_lookup_failed_invalid_handle(self, get_last_error, close_handle_mock, open_process_mock, thread_registry, handle_repo_mock): kti = dd({"user_stack_base": 1835008, "io_priority": 2, "teb_base": 8796092878848, "process_id": "0x4c8", "stack_limit": 18446735827446923264, "t_thread_id": "0x4dc", "base_priority": 8, "win32_start_addr": 4286166856, "page_priority": 5, "stack_base": 18446735827446964224, "user_stack_limit": 1744896, "thread_flags": 0, "affinity": 15, "sub_process_tag": "0x0"}) thread_id = int(kti.t_thread_id, 16) process_id = int(kti.process_id, 16) with patch('fibratus.thread.ThreadRegistry._query_process_info', return_value=dd(name='explorer.exe', comm='C:\\Windows\\Explorer.EXE', parent_pid=0x4c8)) as query_process_info_mock: thread_registry.add_thread(CREATE_THREAD, kti) assert get_last_error.call_count == 1 open_process_mock.assert_called_with(PROCESS_QUERY_LIMITED_INFORMATION, False, process_id) query_process_info_mock.assert_called_with(29, False) close_handle_mock.assert_called_with(29) handle_repo_mock.query_handles.assert_called_with(process_id) proc = thread_registry.get_thread(process_id) assert proc assert proc.name == 'explorer.exe' t = thread_registry.get_thread(thread_id) assert t assert t.name == 'explorer.exe' assert t.comm == 'C:\\Windows\\Explorer.EXE'
def test_create_thread_registry_proc_lookup_failed(self, close_handle_mock, open_process_mock, thread_registry, handle_repo_mock): kti = dd({"user_stack_base": 10289152, "io_priority": 2, "teb_base": 8796092874752, "process_id": "0x330", "stack_limit": 18446735827443150848, "t_thread_id": "0x338", "base_priority": 8, "win32_start_addr": 2009573488, "page_priority": 5, "stack_base": 18446735827443175424, "user_stack_limit": 10256384, "thread_flags": 0, "affinity": 15, "sub_process_tag": "0x0"}) thread_id = int(kti.t_thread_id, 16) process_id = int(kti.process_id, 16) with patch('fibratus.thread.ThreadRegistry._query_process_info', return_value=dd(name='Dwm.exe', comm='C:\\Windows\\system32\\Dwm.exe', parent_pid=0x748)) as query_process_info_mock: thread_registry.add_thread(CREATE_THREAD, kti) open_process_mock.assert_called_with(PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ, False, process_id) query_process_info_mock.assert_called_with(13) close_handle_mock.assert_called_with(13) handle_repo_mock.query_handles.assert_called_with(process_id) proc = thread_registry.get_thread(process_id) assert proc assert proc.name == 'dwm.exe' t = thread_registry.get_thread(thread_id) assert t assert t.name == 'dwm.exe'
def test_write_file(self, fsio, kevent): kfsio = dd({"file_object": 18446738026474426144, "process_id": 859, "io_flags": 0, "io_size": 8296, "offset": 75279, "ttid": 1956}) fsio.parse_fsio(WRITE_FILE, kfsio) assert kevent.params.tid == kfsio.ttid assert kevent.params.file == NA assert kevent.params.io_size == kfsio.io_size / 1024
def test_enum_process(self, thread_registry, handle_repo_mock): kti = dd({ "session_id": 0, "command_line": "C:\\Windows\\system32\\svchost.exe -k RPCSS", "process_id": "0x2d8", "unique_process_key": 18446738026496154416, "exit_status": 259, "user_sid": None, "parent_id": "0x1e4", "image_file_name": "svchost.exe", "directory_table_base": 3716534272 }) thread_registry.add_thread(ENUM_PROCESS, kti) process_id = int(kti.process_id, 16) handle_repo_mock.query_handles.assert_not_called() t = thread_registry.get_thread(process_id) assert t assert t.pid == process_id assert t.ppid == int(kti.parent_id, 16) assert t.name == kti.image_file_name assert t.exe == 'C:\\Windows\\system32\\svchost.exe' assert t.comm == kti.command_line assert len(t.args) > 0 assert ['-k', 'RPCSS'] == t.args assert '-k' in t.args assert 'RPCSS' in t.args
def test_create_process(self, thread_registry, handle_repo_mock): kti = dd({ "session_id": 4294967295, "command_line": "\\SystemRoot\\System32\\smss.exe", "process_id": "0xfc", "unique_process_key": 18446738026484345648, "exit_status": 259, "user_sid": None, "parent_id": "0x4", "image_file_name": "smss.exe", "directory_table_base": 4508921856 }) thread_registry.add_thread(CREATE_PROCESS, kti) process_id = int(kti.process_id, 16) t = thread_registry.get_thread(process_id) sys_root = os.path.expandvars("%SystemRoot%") assert t assert t.pid == process_id assert t.ppid == int(kti.parent_id, 16) assert t.name == kti.image_file_name assert t.exe == '%s\\System32\\smss.exe' % sys_root assert t.comm == kti.command_line assert len(t.args) == 0
def test_parse_hive_delete_value(self, hive_parser, kevent_mock): regkevt = dd({ "index": 0, "process_id": 1224, "status": 3221225524, "key_handle": 0, "key_name": "\\Registry\\Machine\\Software\\Classes\\Applications\\Explorer.exe" "\\Drives\\C\\DefaultIcon", "thread_id": 2164, "initial_time": 24218563385 }) hive_parser.parse_hive(REG_DELETE_VALUE, regkevt) kparams = kevent_mock.params assert kparams['hive'] == 'REGISTRY_MACHINE_SOFTWARE' assert kparams[ 'key'] == 'SOFTWARE\\Classes\\Applications\\Explorer.exe\\Drives\\C\\DefaultIcon' assert kparams['status'] == regkevt.status assert kparams['pid'] == regkevt.process_id assert kparams['tid'] == regkevt.thread_id
def test_terminate_thread(self, thread_registry): kti = dd({ "user_stack_base": 18874368, "io_priority": 2, "teb_base": 8796092882944, "process_id": "0x1e4", "stack_limit": 18446735827462836224, "t_thread_id": "0x57c", "base_priority": 9, "win32_start_addr": 2009592544, "page_priority": 5, "stack_base": 18446735827462860800, "user_stack_limit": 18841600, "thread_flags": 0, "affinity": 15, "sub_process_tag": "0x0" }) thread_id = int(kti.t_thread_id, 16) process_id = int(kti.process_id, 16) proc = thread_registry.get_thread(process_id) child_count = proc.child_count t = thread_registry.get_thread(thread_id) assert t thread_registry.remove_thread(TERMINATE_THREAD, kti) t = thread_registry.get_thread(thread_id) assert t is None assert proc.child_count == child_count - 1
def test_create_thread(self, thread_registry): kti = dd({ "user_stack_base": 18874368, "io_priority": 2, "teb_base": 8796092882944, "process_id": "0x1e4", "stack_limit": 18446735827462836224, "t_thread_id": "0x57c", "base_priority": 9, "win32_start_addr": 2009592544, "page_priority": 5, "stack_base": 18446735827462860800, "user_stack_limit": 18841600, "thread_flags": 0, "affinity": 15, "sub_process_tag": "0x0" }) thread_registry.add_thread(CREATE_THREAD, kti) thread_id = int(kti.t_thread_id, 16) t = thread_registry.get_thread(thread_id) assert t assert t.tid == thread_id assert t.pid == t.ppid == int(kti.process_id, 16) assert t.kstack_base == hex(kti.stack_base) assert t.ustack_base == hex(kti.user_stack_base) assert t.base_priority == kti.base_priority assert t.io_priority == kti.io_priority assert t.child_count == 0
def test_parse_connect(self, tcpip_parser, kevent_mock): ktcpip = dd({ 'connid': 0, 'sndwinscale': 0, 'rcvwinscale': 0, 'saddr': '10.0.2.15', 'sport': 49804, 'rcvwin': 64240, 'tsopt': 0, 'pid': 1380, 'seqnum': 0, 'daddr': '216.58.211.206', 'size': 0, 'mss': 1460, 'dport': 443, 'wsopt': 0, 'sackopt': 0 }) tcpip_parser.parse_tcpip(CONNECT_SOCKET_TCPV4, ktcpip) kparams = kevent_mock.params assert kparams['pid'] == ktcpip.pid assert kparams['ip_src'] == ktcpip.saddr assert kparams['ip_dst'] == ktcpip.daddr assert kparams['sport'] == ktcpip.sport assert kparams['dport'] == ktcpip.dport assert kparams['rwin'] == ktcpip.rcvwin assert kparams['protocol'] == 'https'
def test_parse_hive_key_handles_lookup(self, hive_parser, kevent_mock, thread_registry_mock): regkevt = dd({ "index": 0, "process_id": 896, "status": 3221225524, "key_handle": 18446735964819421216, "key_name": "Bags\\59\\Shell\\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}", "thread_id": 2916, "initial_time": 24219715717 }) hive_parser.parse_hive(REG_OPEN_KEY, regkevt) thread_registry_mock.get_thread.assert_called_with(regkevt.process_id) kcb = hive_parser.kcblocks[regkevt.key_handle] assert kcb and isinstance(kcb, Kcb) assert kcb.key == "\\REGISTRY\\USER\\S-1-5-21-2945379629-2233710143-2353048178-1000_CLASSES\\Local Settings" \ "\\Software\Microsoft\\Windows\\Shell\\Bags\\59" \ "\\Shell\\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}" assert kevent_mock.params[ 'hive'] == 'REGISTRY_USER_S-1-5-21-2945379629-2233710143-2353048178-1000_CLASSES' assert kevent_mock.params['key'] == "S-1-5-21-2945379629-2233710143-2353048178-1000_CLASSES\\Local Settings" \ "\\Software\Microsoft\\Windows\\Shell\\Bags\\59" \ "\\Shell\\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}"
def test_set_file_information(self, fsio, kevent): kfsio = dd( {"file_object": 18446738023471035392, "ttid": 1956, "info_class": 20, "process_id": 859, "irp_ptr": 18446738026471032392}) fsio.parse_fsio(SET_FILE_INFORMATION, kfsio) assert kevent.params.tid == kfsio.ttid assert kevent.params.info_class == 20 assert kevent.params.file == '\\Device\\HarddiskVolume2\\Windows\\system32\\rpcss.dll'
def test_parse_hive_na(self, hive_parser, kevent_mock): regkevt = dd({"index": 2, "process_id": 896, "status": 0, "key_handle": 19446735964812642920, "key_name": "ThreadingModel", "thread_id": 2916, "initial_time": 24219715376}) hive_parser.parse_hive(REG_OPEN_KEY, regkevt) kparams = kevent_mock.params assert kparams['hive'] == NA assert kparams['key'] == '..\\ThreadingModel'
def test_create_thread_registry_proc_lookup_failed_invalid_handle( self, get_last_error, close_handle_mock, open_process_mock, thread_registry, handle_repo_mock): kti = dd({ "user_stack_base": 1835008, "io_priority": 2, "teb_base": 8796092878848, "process_id": "0x4c8", "stack_limit": 18446735827446923264, "t_thread_id": "0x4dc", "base_priority": 8, "win32_start_addr": 4286166856, "page_priority": 5, "stack_base": 18446735827446964224, "user_stack_limit": 1744896, "thread_flags": 0, "affinity": 15, "sub_process_tag": "0x0" }) thread_id = int(kti.t_thread_id, 16) process_id = int(kti.process_id, 16) with patch('fibratus.thread.ThreadRegistry._query_process_info', return_value=dd( name='explorer.exe', comm='C:\\Windows\\Explorer.EXE', parent_pid=0x4c8)) as query_process_info_mock: thread_registry.add_thread(CREATE_THREAD, kti) assert get_last_error.call_count == 1 open_process_mock.assert_called_with( PROCESS_QUERY_LIMITED_INFORMATION, False, process_id) query_process_info_mock.assert_called_with(29, False) close_handle_mock.assert_called_with(29) handle_repo_mock.query_handles.assert_called_with(process_id) proc = thread_registry.get_thread(process_id) assert proc assert proc.name == 'explorer.exe' t = thread_registry.get_thread(thread_id) assert t assert t.name == 'explorer.exe' assert t.comm == 'C:\\Windows\\Explorer.EXE'
def test_delete_file(self, fsio, kevent): kfsio = dd({ "file_object": 18446738026474426144, "ttid": 1956, "irp_ptr": 18446738026471032392 }) fsio.parse_fsio(DELETE_FILE, kfsio) assert kevent.params.tid == kfsio.ttid assert kevent.params.file == '\\Device\\HarddiskVolume2\\fibratus.log'
def test_rename_file(self, fsio, kevent): kfsio = dd({ "file_object": 18446738023471035392, "ttid": 1956, "irp_ptr": 18446738026471032392 }) fsio.parse_fsio(RENAME_FILE, kfsio) assert kevent.params.tid == kfsio.ttid assert kevent.params.file == '\\Device\\HarddiskVolume2\\Windows\\system32\\rpcss.dll'
def test_create_thread_registry_proc_lookup_failed(self, close_handle_mock, open_process_mock, thread_registry, handle_repo_mock): kti = dd({ "user_stack_base": 10289152, "io_priority": 2, "teb_base": 8796092874752, "process_id": "0x330", "stack_limit": 18446735827443150848, "t_thread_id": "0x338", "base_priority": 8, "win32_start_addr": 2009573488, "page_priority": 5, "stack_base": 18446735827443175424, "user_stack_limit": 10256384, "thread_flags": 0, "affinity": 15, "sub_process_tag": "0x0" }) thread_id = int(kti.t_thread_id, 16) process_id = int(kti.process_id, 16) with patch('fibratus.thread.ThreadRegistry._query_process_info', return_value=dd( name='Dwm.exe', comm='C:\\Windows\\system32\\Dwm.exe', parent_pid=0x748)) as query_process_info_mock: thread_registry.add_thread(CREATE_THREAD, kti) open_process_mock.assert_called_with( PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ, False, process_id) query_process_info_mock.assert_called_with(13) close_handle_mock.assert_called_with(13) handle_repo_mock.query_handles.assert_called_with(process_id) proc = thread_registry.get_thread(process_id) assert proc assert proc.name == 'dwm.exe' t = thread_registry.get_thread(thread_id) assert t assert t.name == 'dwm.exe'
def test_add_kcb(self, hive_parser): kcb = dd({'initial_time': 0, 'index': 0, 'thread_id': 620, 'status': 0, 'key_handle': 18446735964879434920, 'key_name': '\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM', 'process_id': 3820}) hive_parser.add_kcb(kcb) assert kcb.key_handle in hive_parser.kcblocks kcblock = hive_parser.kcblocks[kcb.key_handle] assert isinstance(kcblock, Kcb) assert kcblock.key == kcb.key_name
def test_remove_kcb(self, hive_parser): kcb = dd({ 'initial_time': 0, 'index': 0, 'thread_id': 620, 'status': 0, 'key_handle': 18446735964879434920, 'key_name': '\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM', 'process_id': 3820 }) hive_parser.remove_kcb(kcb.key_handle) assert kcb.key_handle not in hive_parser.kcblocks
def test_parse_hive_key_kevent_full_node_name(self, kevent_type, hive_parser, kevent_mock): regkevt = dd({"index": 0, "process_id": 1224, "status": 3221225524, "key_handle": 0, "key_name": "\\Registry\\Machine\\Software\\Classes\\Applications\\Explorer.exe" "\\Drives\\C\\DefaultIcon", "thread_id": 2164, "initial_time": 24218563385}) hive_parser.parse_hive(kevent_type, regkevt) kparams = kevent_mock.params assert kparams['hive'] == 'REGISTRY_MACHINE_SOFTWARE' assert kparams['key'] == 'SOFTWARE\\Classes\\Applications\\Explorer.exe\\Drives\\C\\DefaultIcon' assert kparams['status'] == regkevt.status assert kparams['pid'] == regkevt.process_id assert kparams['tid'] == regkevt.thread_id
def test_parse_hive_key_kevent_kcb_lookup_match(self, kevent_type, hive_parser, kevent_mock): regkevt = dd({"index": 2, "process_id": 896, "status": 0, "key_handle": 18446735964812642928, "key_name": "ThreadingModel", "thread_id": 2916, "initial_time": 24219715376}) hive_parser.parse_hive(kevent_type, regkevt) kparams = kevent_mock.params assert kparams['hive'] == 'REGISTRY_MACHINE_SOFTWARE' assert kparams['key'] == 'SOFTWARE\\Classes\\CLSID\\{D2D588B5-D081-11D0-99E0-00C04FC2F8EC}' \ '\\InprocServer32\\ThreadingModel' assert kparams['status'] == regkevt.status assert kparams['pid'] == regkevt.process_id assert kparams['tid'] == regkevt.thread_id
def test_parse_reconnect(self, tcpip_parser, kevent_mock): ktcpip = dd({'connid': 0, 'saddr': '10.0.2.15', 'sport': 49804, 'pid': 1380, 'daddr': '216.58.211.206', 'dport': 443,}) tcpip_parser.parse_tcpip(RECONNECT_SOCKET_TCPV4, ktcpip) kparams = kevent_mock.params assert kparams['pid'] == ktcpip.pid assert kparams['ip_src'] == ktcpip.saddr assert kparams['ip_dst'] == ktcpip.daddr assert kparams['sport'] == ktcpip.sport assert kparams['dport'] == ktcpip.dport
def test_parse_reconnect(self, tcpip_parser, kevent_mock): ktcpip = dd({'connid': 0, 'saddr': '10.0.2.15', 'sport': 49804, 'pid': 1380, 'daddr': '216.58.211.206', 'dport': 443,}) tcpip_parser.parse_tcpip(RECONNECT_SOCKET_TCPV4, ktcpip) kparams = kevent_mock.params assert kparams['pid'] == ktcpip.pid assert kparams['ip_src'] == ktcpip.saddr assert kparams['ip_dst'] == ktcpip.daddr assert kparams['sport'] == ktcpip.sport assert kparams['dport'] == ktcpip.dport
def test_terminate_process(self, thread_registry): kti = dd({"session_id": 0, "command_line": "C:\\Windows\\system32\\services.exe", "process_id": "0x1e4", "unique_process_key": 18446738026492816176, "exit_status": 259, "parent_id": "0x17c", "image_file_name": "services.exe", "directory_table_base": 4299976704, "user_sid": None}) process_id = int(kti.process_id, 16) proc = thread_registry.get_thread(process_id) assert proc thread_registry.remove_thread(TERMINATE_PROCESS, kti) proc = thread_registry.get_thread(process_id) assert proc is None
def test_parse_recv_dport_na(self, tcpip_parser, kevent_mock): ktcpip = dd({ 'seqnum': 0, 'connid': 0, 'sport': 25, 'daddr': '91.226.88.5', 'saddr': '10.0.2.15', 'size': 266, 'pid': 1380, 'dport': 51234 }) tcpip_parser.parse_tcpip(RECV_SOCKET_TCPV4, ktcpip) kparams = kevent_mock.params assert kparams['protocol'] == 'smtp'
def test_parse_accept(self, tcpip_parser, kevent_mock): ktcpip = dd({'connid': 0, 'sndwinscale': 0, 'rcvwinscale': 0, 'saddr': '10.0.2.15', 'sport': 22, 'rcvwin': 64240, 'tsopt': 0, 'pid': 1380, 'seqnum': 0, 'daddr': '216.58.211.206', 'size': 0, 'mss': 1460, 'dport': 49804, 'wsopt': 0, 'sackopt': 0}) tcpip_parser.parse_tcpip(ACCEPT_SOCKET_TCPV4, ktcpip) kparams = kevent_mock.params assert kparams['pid'] == ktcpip.pid assert kparams['ip_src'] == ktcpip.saddr assert kparams['ip_dst'] == ktcpip.daddr assert kparams['sport'] == ktcpip.sport assert kparams['dport'] == ktcpip.dport assert kparams['rwin'] == ktcpip.rcvwin assert kparams['protocol'] == 'ssh'
def test_parse_hive_na(self, hive_parser, kevent_mock): regkevt = dd({ "index": 2, "process_id": 896, "status": 0, "key_handle": 19446735964812642920, "key_name": "ThreadingModel", "thread_id": 2916, "initial_time": 24219715376 }) hive_parser.parse_hive(REG_OPEN_KEY, regkevt) kparams = kevent_mock.params assert kparams['hive'] == NA assert kparams['key'] == '..\\ThreadingModel'
def thread_registry(handle_repo_mock): p1 = {"session_id": 0, "command_line": "C:\\Windows\\system32\\services.exe", "process_id": "0x1e4", "unique_process_key": 18446738026492816176, "exit_status": 259, "parent_id": "0x17c", "image_file_name": "services.exe", "directory_table_base": 4299976704, "user_sid": None} t1 = {"user_stack_base": 14483456, "io_priority": 2, "teb_base": 8796092874752, "process_id": "0x1e4", "stack_limit": 18446735827441688576, "t_thread_id": "0x238", "base_priority": 9, "win32_start_addr": 2009573488, "page_priority": 5, "stack_base": 18446735827441713152, "user_stack_limit": 14450688, "thread_flags": 0, "affinity": 15, "sub_process_tag": "0x0"} t2 = {"user_stack_base": 16580608, "io_priority": 2, "teb_base": 8796092669952, "process_id": "0x1e4", "stack_limit": 18446735827442425856, "t_thread_id": "0x254", "base_priority": 9, "win32_start_addr": 8791752742020, "page_priority": 5, "stack_base": 18446735827442450432, "user_stack_limit": 16547840, "thread_flags": 0, "affinity": 15, "sub_process_tag": "0x0"} thread_registry = ThreadRegistry(handle_repo_mock, []) thread_registry.add_thread(ENUM_PROCESS, dd(p1)) thread_registry.add_thread(ENUM_THREAD, dd(t1)) thread_registry.add_thread(ENUM_THREAD, dd(t2)) return thread_registry
def test_add_kcb(self, hive_parser): kcb = dd({ 'initial_time': 0, 'index': 0, 'thread_id': 620, 'status': 0, 'key_handle': 18446735964879434920, 'key_name': '\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM', 'process_id': 3820 }) hive_parser.add_kcb(kcb) assert kcb.key_handle in hive_parser.kcblocks kcblock = hive_parser.kcblocks[kcb.key_handle] assert isinstance(kcblock, Kcb) assert kcblock.key == kcb.key_name
def test_terminate_process(self, thread_registry): kti = dd({ "session_id": 0, "command_line": "C:\\Windows\\system32\\services.exe", "process_id": "0x1e4", "unique_process_key": 18446738026492816176, "exit_status": 259, "parent_id": "0x17c", "image_file_name": "services.exe", "directory_table_base": 4299976704, "user_sid": None }) process_id = int(kti.process_id, 16) proc = thread_registry.get_thread(process_id) assert proc thread_registry.remove_thread(TERMINATE_PROCESS, kti) proc = thread_registry.get_thread(process_id) assert proc is None
def test_create_process(self, thread_registry, handle_repo_mock): kti = dd({"session_id": 4294967295, "command_line": "\\SystemRoot\\System32\\smss.exe", "process_id": "0xfc", "unique_process_key": 18446738026484345648, "exit_status": 259, "user_sid": None, "parent_id": "0x4", "image_file_name": "smss.exe", "directory_table_base": 4508921856}) thread_registry.add_thread(CREATE_PROCESS, kti) process_id = int(kti.process_id, 16) t = thread_registry.get_thread(process_id) sys_root = os.path.expandvars("%SystemRoot%") assert t assert t.pid == process_id assert t.ppid == int(kti.parent_id, 16) assert t.name == kti.image_file_name assert t.exe == '%s\\System32\\smss.exe' % sys_root assert t.comm == kti.command_line assert len(t.args) == 0
def test_create_thread(self, thread_registry): kti = dd({"user_stack_base": 18874368, "io_priority": 2, "teb_base": 8796092882944, "process_id": "0x1e4", "stack_limit": 18446735827462836224, "t_thread_id": "0x57c", "base_priority": 9, "win32_start_addr": 2009592544, "page_priority": 5, "stack_base": 18446735827462860800, "user_stack_limit": 18841600, "thread_flags": 0, "affinity": 15, "sub_process_tag": "0x0"}) thread_registry.add_thread(CREATE_THREAD, kti) thread_id = int(kti.t_thread_id, 16) t = thread_registry.get_thread(thread_id) assert t assert t.tid == thread_id assert t.pid == t.ppid == int(kti.process_id, 16) assert t.kstack_base == hex(kti.stack_base) assert t.ustack_base == hex(kti.user_stack_base) assert t.base_priority == kti.base_priority assert t.io_priority == kti.io_priority assert t.child_count == 0
def test_parse_hive_key_handles_lookup(self, hive_parser, kevent_mock, thread_registry_mock): regkevt = dd({"index": 0, "process_id": 896, "status": 3221225524, "key_handle": 18446735964819421216, "key_name": "Bags\\59\\Shell\\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}", "thread_id": 2916, "initial_time": 24219715717}) hive_parser.parse_hive(REG_OPEN_KEY, regkevt) thread_registry_mock.get_thread.assert_called_with(regkevt.process_id) kcb = hive_parser.kcblocks[regkevt.key_handle] assert kcb and isinstance(kcb, Kcb) assert kcb.key == "\\REGISTRY\\USER\\S-1-5-21-2945379629-2233710143-2353048178-1000_CLASSES\\Local Settings" \ "\\Software\Microsoft\\Windows\\Shell\\Bags\\59" \ "\\Shell\\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}" assert kevent_mock.params['hive'] == 'REGISTRY_USER_S-1-5-21-2945379629-2233710143-2353048178-1000_CLASSES' assert kevent_mock.params['key'] == "S-1-5-21-2945379629-2233710143-2353048178-1000_CLASSES\\Local Settings" \ "\\Software\Microsoft\\Windows\\Shell\\Bags\\59" \ "\\Shell\\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}"
def test_parse_hive_set_value_kevent_full_node_name(self, hive_parser, kevent_mock): regkevt = dd({"index": 0, "process_id": 1224, "status": 3221225524, "key_handle": 0, "key_name": "\\Registry\\Machine\\Software\\Classes\\Applications\\Explorer.exe" "\\Drives\\C\\DefaultIcon", "thread_id": 2164, "initial_time": 24218563385}) with patch('fibratus.registry.HiveParser._query_value', return_value=('open', 'REG_SZ')) \ as query_value_mock: hive_parser.parse_hive(REG_SET_VALUE, regkevt) kparams = kevent_mock.params query_value_mock.assert_called_with(HKEY_LOCAL_MACHINE, 'SOFTWARE\\Classes\\Applications\\Explorer.exe\\Drives\\C', 'DefaultIcon') assert kparams['hive'] == 'REGISTRY_MACHINE_SOFTWARE' assert kparams['key'] == 'SOFTWARE\\Classes\\Applications\\Explorer.exe\\Drives\\C\\DefaultIcon' assert kparams['status'] == regkevt.status assert kparams['pid'] == regkevt.process_id assert kparams['tid'] == regkevt.thread_id assert kparams['value_type'] == 'REG_SZ' assert kparams['value'] == 'open'
class TestHandleRepository(): def test_init_handle_repository(self, handle_repo): handle_types = handle_repo._handle_types assert isinstance(handle_types, list) assert HandleType.FILE.name in handle_types @patch('fibratus.handle.HandleRepository._enum_handles', return_value=raw_handles()) @patch('fibratus.handle.open_process', side_effect=[None, 200, 301, 120, 343]) @patch('fibratus.handle.duplicate_handle', side_effect=[1, 1, 1, 0]) @patch('fibratus.handle.HandleRepository._query_handle', side_effect=query_handle_side_effects()) @patch('fibratus.handle.close_handle') @patch('fibratus.handle.get_current_process', return_value=os.getpid()) @patch('fibratus.handle.cast', return_value=dd(value='FILE')) @patch('fibratus.handle.byref', return_value=0x100) def test_query_handles(self, byref_mock, cast_mock, get_current_process_mock, close_handle_mock, query_handle_mock, duplicate_handle_mock, open_process_mock, enum_handles_mock, handle_repo): handles = handle_repo.query_handles() assert enum_handles_mock.called assert get_current_process_mock.called open_process_expected_calls = [ call(PROCESS_DUP_HANDLE, False, 3472), call(PROCESS_DUP_HANDLE, False, 3472), call(PROCESS_DUP_HANDLE, False, 920), call(PROCESS_DUP_HANDLE, False, 920), call(PROCESS_DUP_HANDLE, False, 1616) ] open_process_mock.assert_has_calls(open_process_expected_calls, any_order=True) assert duplicate_handle_mock.call_count == 4 assert query_handle_mock.call_count == 6 assert close_handle_mock.call_count == 7 assert len(handles) == 3 assert len([h for h in handles if h.handle_type == HandleType.FILE]) > 0
def test_parse_hive_key_kevent_kcb_lookup_match(self, kevent_type, hive_parser, kevent_mock): regkevt = dd({ "index": 2, "process_id": 896, "status": 0, "key_handle": 18446735964812642928, "key_name": "ThreadingModel", "thread_id": 2916, "initial_time": 24219715376 }) hive_parser.parse_hive(kevent_type, regkevt) kparams = kevent_mock.params assert kparams['hive'] == 'REGISTRY_MACHINE_SOFTWARE' assert kparams['key'] == 'SOFTWARE\\Classes\\CLSID\\{D2D588B5-D081-11D0-99E0-00C04FC2F8EC}' \ '\\InprocServer32\\ThreadingModel' assert kparams['status'] == regkevt.status assert kparams['pid'] == regkevt.process_id assert kparams['tid'] == regkevt.thread_id
def test_terminate_thread(self, thread_registry): kti = dd({"user_stack_base": 18874368, "io_priority": 2, "teb_base": 8796092882944, "process_id": "0x1e4", "stack_limit": 18446735827462836224, "t_thread_id": "0x57c", "base_priority": 9, "win32_start_addr": 2009592544, "page_priority": 5, "stack_base": 18446735827462860800, "user_stack_limit": 18841600, "thread_flags": 0, "affinity": 15, "sub_process_tag": "0x0"}) thread_id = int(kti.t_thread_id, 16) process_id = int(kti.process_id, 16) proc = thread_registry.get_thread(process_id) child_count = proc.child_count t = thread_registry.get_thread(thread_id) assert t thread_registry.remove_thread(TERMINATE_THREAD, kti) t = thread_registry.get_thread(thread_id) assert t is None assert proc.child_count == child_count - 1
def test_parse_hive_set_value_kevent_full_node_name(self, hive_parser, kevent_mock): regkevt = dd({"index": 0, "process_id": 1224, "status": 3221225524, "key_handle": 0, "key_name": "\\REGISTRY\\USER\\S-1-5-21-2945379629-2233710143-2353048178-1000_CLASSES" "\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\IconStreams", "thread_id": 2164, "initial_time": 24218563385}) with patch('fibratus.registry.HiveParser._query_value', return_value=('0x12', 'REG_DWORD')) \ as query_value_mock: hive_parser.parse_hive(REG_QUERY_VALUE, regkevt) kparams = kevent_mock.params query_value_mock.assert_called_with(HKEY_USERS, "S-1-5-21-2945379629-2233710143-2353048178-1000_CLASSES" "\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion" "\\TrayNotify", 'IconStreams') assert kparams['hive'] == 'REGISTRY_USER_S-1-5-21-2945379629-2233710143-2353048178-1000_CLASSES' assert kparams['key'] == "S-1-5-21-2945379629-2233710143-2353048178-1000_CLASSES\\Local Settings" \ "\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\IconStreams" assert kparams['status'] == regkevt.status assert kparams['pid'] == regkevt.process_id assert kparams['tid'] == regkevt.thread_id assert kparams['value_type'] == 'REG_DWORD' assert kparams['value'] == '0x12'
def test_parse_hive_set_value_kevent_full_node_name( self, hive_parser, kevent_mock): regkevt = dd({ "index": 0, "process_id": 1224, "status": 3221225524, "key_handle": 0, "key_name": "\\REGISTRY\\USER\\S-1-5-21-2945379629-2233710143-2353048178-1000_CLASSES" "\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\IconStreams", "thread_id": 2164, "initial_time": 24218563385 }) with patch('fibratus.registry.HiveParser._query_value', return_value=('0x12', 'REG_DWORD')) \ as query_value_mock: hive_parser.parse_hive(REG_QUERY_VALUE, regkevt) kparams = kevent_mock.params query_value_mock.assert_called_with( HKEY_USERS, "S-1-5-21-2945379629-2233710143-2353048178-1000_CLASSES" "\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion" "\\TrayNotify", 'IconStreams') assert kparams[ 'hive'] == 'REGISTRY_USER_S-1-5-21-2945379629-2233710143-2353048178-1000_CLASSES' assert kparams['key'] == "S-1-5-21-2945379629-2233710143-2353048178-1000_CLASSES\\Local Settings" \ "\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\IconStreams" assert kparams['status'] == regkevt.status assert kparams['pid'] == regkevt.process_id assert kparams['tid'] == regkevt.thread_id assert kparams['value_type'] == 'REG_DWORD' assert kparams['value'] == '0x12'
def test_enum_process(self, thread_registry, handle_repo_mock): kti = dd({"session_id": 0, "command_line": "C:\\Windows\\system32\\svchost.exe -k RPCSS", "process_id": "0x2d8", "unique_process_key": 18446738026496154416, "exit_status": 259, "user_sid": None, "parent_id": "0x1e4", "image_file_name": "svchost.exe", "directory_table_base": 3716534272}) thread_registry.add_thread(ENUM_PROCESS, kti) process_id = int(kti.process_id, 16) handle_repo_mock.query_handles.assert_not_called() t = thread_registry.get_thread(process_id) assert t assert t.pid == process_id assert t.ppid == int(kti.parent_id, 16) assert t.name == kti.image_file_name assert t.exe == 'C:\\Windows\\system32\\svchost.exe' assert t.comm == kti.command_line assert len(t.args) > 0 assert ['-k', 'RPCSS'] == t.args assert '-k' in t.args assert 'RPCSS' in t.args
def test_parse_hive_set_value_kevent_full_node_name( self, hive_parser, kevent_mock): regkevt = dd({ "index": 0, "process_id": 1224, "status": 3221225524, "key_handle": 0, "key_name": "\\Registry\\Machine\\Software\\Classes\\Applications\\Explorer.exe" "\\Drives\\C\\DefaultIcon", "thread_id": 2164, "initial_time": 24218563385 }) with patch('fibratus.registry.HiveParser._query_value', return_value=('open', 'REG_SZ')) \ as query_value_mock: hive_parser.parse_hive(REG_SET_VALUE, regkevt) kparams = kevent_mock.params query_value_mock.assert_called_with( HKEY_LOCAL_MACHINE, 'SOFTWARE\\Classes\\Applications\\Explorer.exe\\Drives\\C', 'DefaultIcon') assert kparams['hive'] == 'REGISTRY_MACHINE_SOFTWARE' assert kparams[ 'key'] == 'SOFTWARE\\Classes\\Applications\\Explorer.exe\\Drives\\C\\DefaultIcon' assert kparams['status'] == regkevt.status assert kparams['pid'] == regkevt.process_id assert kparams['tid'] == regkevt.thread_id assert kparams['value_type'] == 'REG_SZ' assert kparams['value'] == 'open'
def test_parse_recv_dport_na(self, tcpip_parser, kevent_mock): ktcpip = dd({'seqnum': 0, 'connid': 0, 'sport': 25, 'daddr': '91.226.88.5', 'saddr': '10.0.2.15', 'size': 266, 'pid': 1380, 'dport': 51234}) tcpip_parser.parse_tcpip(RECV_SOCKET_TCPV4, ktcpip) kparams = kevent_mock.params assert kparams['protocol'] == 'smtp'
def test_delete_file(self, fsio, kevent): kfsio = dd({"file_object": 18446738026474426144, "ttid": 1956, "irp_ptr": 18446738026471032392}) fsio.parse_fsio(DELETE_FILE, kfsio) assert kevent.params.tid == kfsio.ttid assert kevent.params.file == '\\Device\\HarddiskVolume2\\fibratus.log'
def test_remove_kcb(self, hive_parser): kcb = dd({'initial_time': 0, 'index': 0, 'thread_id': 620, 'status': 0, 'key_handle': 18446735964879434920, 'key_name': '\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM', 'process_id': 3820}) hive_parser.remove_kcb(kcb.key_handle) assert kcb.key_handle not in hive_parser.kcblocks
def query_handle_side_effects(): return [dd(contents=dd(type_name=dd(buffer="FILE"))), dd(contents=dd(buffer="\Device\HarddiskVolume2"))] \ * len(raw_handles())
class TestTcpIpParser(): @pytest.mark.parametrize('ktcpip, l4_proto, l5_proto, kevent_type', [ (dd({"saddr": "10.0.2.15", "sport": 49279, "daddr": "216.58.211.238", "dport": 443, "pid": 1848, "connid": 0, "size": 63, "seqnum": 0}), 'TCP', 'https', SEND_SOCKET_TCPV4), (dd({"saddr": "10.0.2.15", "sport": 49279, "daddr": "216.58.211.238", "dport": 53, "pid": 1848, "connid": 0, "size": 63, "seqnum": 0}), 'UDP', 'domain', SEND_SOCKET_UDPV4)]) def test_parse_send(self, ktcpip, l4_proto, l5_proto, kevent_type, tcpip_parser, kevent_mock): tcpip_parser.parse_tcpip(kevent_type, ktcpip) kparams = kevent_mock.params assert kparams['pid'] == ktcpip.pid assert kparams['ip_src'] == ktcpip.saddr assert kparams['ip_dst'] == ktcpip.daddr assert kparams['sport'] == ktcpip.sport assert kparams['dport'] == ktcpip.dport assert kparams['packet_size'] == ktcpip.size assert kparams['l4_proto'] == l4_proto assert kparams['application'] == l5_proto @pytest.mark.parametrize('ktcpip, l4_proto, l5_proto, kevent_type', [ (dd({'seqnum': 0, 'connid': 0, 'sport': 49720, 'daddr': '91.226.88.5', 'saddr': '10.0.2.15', 'size': 266, 'pid': 1380, 'dport': 443}), 'TCP', 'https', RECV_SOCKET_TCPV4), (dd({"saddr": "10.0.2.15", "sport": 49279, "daddr": "216.58.211.238", "dport": 53, "pid": 1848, "connid": 0, "size": 63, "seqnum": 0}), 'UDP', 'domain', RECV_SOCKET_UDPV4)]) def test_parse_recv(self, ktcpip, l4_proto, l5_proto, kevent_type, tcpip_parser, kevent_mock): tcpip_parser.parse_tcpip(kevent_type, ktcpip) kparams = kevent_mock.params assert kparams['pid'] == ktcpip.pid assert kparams['ip_src'] == ktcpip.saddr assert kparams['ip_dst'] == ktcpip.daddr assert kparams['sport'] == ktcpip.sport assert kparams['dport'] == ktcpip.dport assert kparams['packet_size'] == ktcpip.size assert kparams['l4_proto'] == l4_proto assert kparams['application'] == l5_proto def test_parse_recv_dport_na(self, tcpip_parser, kevent_mock): ktcpip = dd({'seqnum': 0, 'connid': 0, 'sport': 25, 'daddr': '91.226.88.5', 'saddr': '10.0.2.15', 'size': 266, 'pid': 1380, 'dport': 51234}) tcpip_parser.parse_tcpip(RECV_SOCKET_TCPV4, ktcpip) kparams = kevent_mock.params assert kparams['application'] == 'smtp' def test_parse_accept(self, tcpip_parser, kevent_mock): ktcpip = dd({'connid': 0, 'sndwinscale': 0, 'rcvwinscale': 0, 'saddr': '10.0.2.15', 'sport': 22, 'rcvwin': 64240, 'tsopt': 0, 'pid': 1380, 'seqnum': 0, 'daddr': '216.58.211.206', 'size': 0, 'mss': 1460, 'dport': 49804, 'wsopt': 0, 'sackopt': 0}) tcpip_parser.parse_tcpip(ACCEPT_SOCKET_TCPV4, ktcpip) kparams = kevent_mock.params assert kparams['pid'] == ktcpip.pid assert kparams['ip_src'] == ktcpip.saddr assert kparams['ip_dst'] == ktcpip.daddr assert kparams['sport'] == ktcpip.sport assert kparams['dport'] == ktcpip.dport assert kparams['rwin'] == ktcpip.rcvwin assert kparams['application'] == 'ssh' def test_parse_connect(self, tcpip_parser, kevent_mock): ktcpip = dd({'connid': 0, 'sndwinscale': 0, 'rcvwinscale': 0, 'saddr': '10.0.2.15', 'sport': 49804, 'rcvwin': 64240, 'tsopt': 0, 'pid': 1380, 'seqnum': 0, 'daddr': '216.58.211.206', 'size': 0, 'mss': 1460, 'dport': 443, 'wsopt': 0, 'sackopt': 0}) tcpip_parser.parse_tcpip(CONNECT_SOCKET_TCPV4, ktcpip) kparams = kevent_mock.params assert kparams['pid'] == ktcpip.pid assert kparams['ip_src'] == ktcpip.saddr assert kparams['ip_dst'] == ktcpip.daddr assert kparams['sport'] == ktcpip.sport assert kparams['dport'] == ktcpip.dport assert kparams['rwin'] == ktcpip.rcvwin assert kparams['application'] == 'https' def test_parse_disconnect(self, tcpip_parser, kevent_mock): ktcpip = dd({'connid': 0, 'saddr': '10.0.2.15', 'sport': 49804, 'pid': 1380, 'daddr': '216.58.211.206', 'dport': 443,}) tcpip_parser.parse_tcpip(DISCONNECT_SOCKET_TCPV4, ktcpip) kparams = kevent_mock.params assert kparams['pid'] == ktcpip.pid assert kparams['ip_src'] == ktcpip.saddr assert kparams['ip_dst'] == ktcpip.daddr assert kparams['sport'] == ktcpip.sport assert kparams['dport'] == ktcpip.dport def test_parse_reconnect(self, tcpip_parser, kevent_mock): ktcpip = dd({'connid': 0, 'saddr': '10.0.2.15', 'sport': 49804, 'pid': 1380, 'daddr': '216.58.211.206', 'dport': 443,}) tcpip_parser.parse_tcpip(RECONNECT_SOCKET_TCPV4, ktcpip) kparams = kevent_mock.params assert kparams['pid'] == ktcpip.pid assert kparams['ip_src'] == ktcpip.saddr assert kparams['ip_dst'] == ktcpip.daddr assert kparams['sport'] == ktcpip.sport assert kparams['dport'] == ktcpip.dport
def query_handle_side_effects(): return [dd(contents=dd(type_name=dd(buffer="FILE"))), dd(contents=dd(buffer="\Device\HarddiskVolume2"))] \ * len(raw_handles())
class TestFsIO(): def test_init_fsio(self, fsio): assert len(fsio.file_handles) == 2 @pytest.mark.parametrize( 'expected_op, kfsio', [(FileOps.SUPERSEDE, dd({ "file_object": 18446738026482168384, "ttid": 1484, "create_options": 1223456, "open_path": "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll", "irp_ptr": 18446738026471032392, "share_access": 1, "file_attributes": 0 })), (FileOps.OPEN, dd({ "file_object": 18446738026482168384, "ttid": 1484, "create_options": 18874368, "open_path": "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll", "irp_ptr": 18446738026471032392, "share_access": 2, "file_attributes": 0 })), (FileOps.CREATE, dd({ "file_object": 18446738026482168384, "ttid": 1484, "create_options": 33554532, "open_path": "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll", "irp_ptr": 18446738026471032392, "share_access": 4, "file_attributes": 0 })), (FileOps.OPEN_IF, dd({ "file_object": 18446738026482168384, "ttid": 1484, "create_options": 58651617, "open_path": "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll", "irp_ptr": 18446738026471032392, "share_access": 3, "file_attributes": 0 })), (FileOps.OVERWRITE, dd({ "file_object": 18446738026482168384, "ttid": 1484, "create_options": 78874400, "open_path": "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll", "irp_ptr": 18446738026471032392, "share_access": 5, "file_attributes": 0 })), (FileOps.OVERWRITE_IF, dd({ "file_object": 18446738026482168384, "ttid": 1484, "create_options": 83886112, "open_path": "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll", "irp_ptr": 18446738026471032392, "share_access": 6, "file_attributes": 0 }))]) def test_create_file_operation(self, expected_op, kfsio, fsio, kevent): fsio.parse_fsio(CREATE_FILE, kfsio) kparams = kevent.params assert kparams.file == kfsio.open_path assert kparams.tid == kfsio.ttid assert kparams.operation == expected_op.name @pytest.mark.parametrize( 'expected_share_mask, kfsio', [('r--', dd({ "file_object": 18446738026482168384, "ttid": 1484, "create_options": 18874368, "open_path": "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll", "irp_ptr": 18446738026471032392, "share_access": 1, "file_attributes": 0 })), ('-w-', dd({ "file_object": 18446738026482168384, "ttid": 1484, "create_options": 18874368, "open_path": "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll", "irp_ptr": 18446738026471032392, "share_access": 2, "file_attributes": 0 })), ('--d', dd({ "file_object": 18446738026482168384, "ttid": 1484, "create_options": 18874368, "open_path": "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll", "irp_ptr": 18446738026471032392, "share_access": 4, "file_attributes": 0 })), ('rw-', dd({ "file_object": 18446738026482168384, "ttid": 1484, "create_options": 18874368, "open_path": "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll", "irp_ptr": 18446738026471032392, "share_access": 3, "file_attributes": 0 })), ('r-d', dd({ "file_object": 18446738026482168384, "ttid": 1484, "create_options": 18874368, "open_path": "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll", "irp_ptr": 18446738026471032392, "share_access": 5, "file_attributes": 0 })), ('-wd', dd({ "file_object": 18446738026482168384, "ttid": 1484, "create_options": 18874368, "open_path": "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll", "irp_ptr": 18446738026471032392, "share_access": 6, "file_attributes": 0 })), ('rwd', dd({ "file_object": 18446738026482168384, "ttid": 1484, "create_options": 18874368, "open_path": "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll", "irp_ptr": 18446738026471032392, "share_access": 7, "file_attributes": 0 })), ('---', dd({ "file_object": 18446738026482168384, "ttid": 1484, "create_options": 18874368, "open_path": "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll", "irp_ptr": 18446738026471032392, "share_access": -1, "file_attributes": 0 }))]) def test_create_file_share_mask(self, expected_share_mask, kfsio, fsio, kevent): fsio.parse_fsio(CREATE_FILE, kfsio) assert kevent.params.share_mask == expected_share_mask def test_delete_file(self, fsio, kevent): kfsio = dd({ "file_object": 18446738026474426144, "ttid": 1956, "irp_ptr": 18446738026471032392 }) fsio.parse_fsio(DELETE_FILE, kfsio) assert kevent.params.tid == kfsio.ttid assert kevent.params.file == '\\Device\\HarddiskVolume2\\fibratus.log' def test_write_file(self, fsio, kevent): kfsio = dd({ "file_object": 18446738026474426144, "io_flags": 0, "io_size": 8296, "offset": 75279, "ttid": 1956 }) fsio.parse_fsio(WRITE_FILE, kfsio) assert kevent.params.tid == kfsio.ttid assert kevent.params.file == NA assert kevent.params.io_size == kfsio.io_size / 1024 def test_rename_file(self, fsio, kevent): kfsio = dd({ "file_object": 18446738023471035392, "ttid": 1956, "irp_ptr": 18446738026471032392 }) fsio.parse_fsio(RENAME_FILE, kfsio) assert kevent.params.tid == kfsio.ttid assert kevent.params.file == '\\Device\\HarddiskVolume2\\Windows\\system32\\rpcss.dll'
def test_rename_file(self, fsio, kevent): kfsio = dd({"file_object": 18446738023471035392, "ttid": 1956, "irp_ptr": 18446738026471032392}) fsio.parse_fsio(RENAME_FILE, kfsio) assert kevent.params.tid == kfsio.ttid assert kevent.params.file == '\\Device\\HarddiskVolume2\\Windows\\system32\\rpcss.dll'