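def testFindsKeyWithLiteralAndModificationTimeConditions(self):
    """Combines a modification-time window with a literal value match.

    The mtime window on its own admits two values under the Run key
    (Sidebar and MctAdmin, see test_data/client_fixture.py).  Adding the
    literal condition is expected to narrow that to Sidebar only, which is
    why exactly one result is asserted: a key has to satisfy every
    condition supplied to the flow, not just one of them.
    """
    fixture_mtime = 1247546054  # seconds since epoch; the fixture's mtime
    modification_time = rdf_file_finder.FileFinderModificationTimeCondition(
        min_last_modified_time=rdfvalue.RDFDatetime.FromSecondsSinceEpoch(
            fixture_mtime - 1),
        max_last_modified_time=rdfvalue.RDFDatetime.FromSecondsSinceEpoch(
            fixture_mtime + 1))
    vlm = rdf_file_finder.FileFinderContentsLiteralMatchCondition(
        bytes_before=10,
        bytes_after=10,
        literal="Windows Sidebar\\Sidebar.exe")
    client_id = self.SetupClient(0)
    session_id = self.RunFlow(client_id, [self.runkey], [
        registry.RegistryFinderCondition(
            condition_type=registry.RegistryFinderCondition.Type.
            MODIFICATION_TIME,
            modification_time=modification_time),
        registry.RegistryFinderCondition(
            condition_type=registry.RegistryFinderCondition.Type.
            VALUE_LITERAL_MATCH,
            value_literal_match=vlm)
    ])
    results = self.GetResults(session_id)
    # Only Sidebar passes both conditions: MctAdmin is inside the mtime
    # window but its value does not contain the literal.
    self.assertEqual(len(results), 1)
    self.assertEqual(
        results[0].stat_entry.AFF4Path(client_id),
        "aff4:/C.1000000000000000/registry/HKEY_USERS/S-1-5-20/"
        "Software/Microsoft/Windows/CurrentVersion/Run/Sidebar")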
def testFindsKeyIfItMatchesRegexMatchCondition(self):
    """A VALUE_REGEX_MATCH condition returns the single Run value it hits.

    Checks the match offset and the captured context bytes as well as the
    resulting path, so a regression in either the matcher or the registry
    pathspec handling is caught here.
    """
    regex_condition = rdf_file_finder.FileFinderContentsRegexMatchCondition(
        bytes_before=10,
        bytes_after=10,
        regex=r"Windows.+\.exe")
    condition = registry.RegistryFinderCondition(
        condition_type=registry.RegistryFinderCondition.Type.VALUE_REGEX_MATCH,
        value_regex_match=regex_condition)

    client_id = self.SetupClient(0)
    session_id = self.RunFlow(client_id, [self.runkey], [condition])
    results = self.GetResults(session_id)

    self.assertEqual(len(results), 1)
    hit = results[0]
    self.assertEqual(len(hit.matches), 1)
    # Offset is into the value data; the match carries 10 bytes of context
    # on each side (the trailing side is shorter, presumably because the
    # value ends there).
    self.assertEqual(hit.matches[0].offset, 15)
    self.assertEqual(hit.matches[0].data,
                     r"ramFiles%\Windows Sidebar\Sidebar.exe /autoRun")

    run_key_path = ("/HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/"
                    "CurrentVersion/Run/Sidebar")
    self.assertEqual(
        hit.stat_entry.AFF4Path(client_id),
        "aff4:/C.1000000000000000/registry/HKEY_USERS/S-1-5-20/"
        "Software/Microsoft/Windows/CurrentVersion/Run/Sidebar")
    self.assertEqual(hit.stat_entry.pathspec.path, run_key_path)
    self.assertEqual(hit.stat_entry.pathspec.pathtype,
                     rdf_paths.PathSpec.PathType.REGISTRY)
def testFindsKeyIfItMatchesLiteralMatchCondition(self):
    """A VALUE_LITERAL_MATCH condition returns the Run value containing the literal.

    The literal is given as bytes, matching what the content matcher
    operates on; the asserted context is also bytes.
    """
    needle = rb"Windows Sidebar\Sidebar.exe"
    literal_condition = rdf_file_finder.FileFinderContentsLiteralMatchCondition(
        bytes_before=10, bytes_after=10, literal=needle)
    condition = registry.RegistryFinderCondition(
        condition_type=registry.RegistryFinderCondition.Type.VALUE_LITERAL_MATCH,
        value_literal_match=literal_condition)

    client_id = self.SetupClient(0)
    session_id = self.RunFlow(client_id, [self.runkey], [condition])
    results = flow_test_lib.GetFlowResults(client_id, session_id)

    self.assertLen(results, 1)
    hit = results[0]
    self.assertLen(hit.matches, 1)
    # Offset into the value data plus 10 bytes of context on either side.
    self.assertEqual(hit.matches[0].offset, 15)
    self.assertEqual(hit.matches[0].data,
                     rb"ramFiles%\Windows Sidebar\Sidebar.exe /autoRun")

    pathspec = hit.stat_entry.pathspec
    self.assertEqual(
        pathspec.CollapsePath(),
        "/HKEY_USERS/S-1-5-20/Software/Microsoft/"
        "Windows/CurrentVersion/Run/Sidebar")
    self.assertEqual(pathspec.pathtype, rdf_paths.PathSpec.PathType.REGISTRY)
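def testSizeCondition(self):
    """A SIZE condition with only a minimum keeps just the larger value.

    The Run key in the fixture holds two values, one of 20 bytes and one of
    53 bytes (see test_data/client_fixture.py); a 50-byte minimum should
    therefore yield a single result.
    """
    client_id = self.SetupClient(0)
    min_size = 50
    session_id = self.RunFlow(client_id, [self.runkey], [
        registry.RegistryFinderCondition(
            condition_type=registry.RegistryFinderCondition.Type.SIZE,
            size=rdf_file_finder.FileFinderSizeCondition(
                min_file_size=min_size))
    ])
    results = self.GetResults(session_id)
    self.assertEqual(len(results), 1)
    # min_file_size is taken to be an inclusive lower bound, so the
    # assertion mirrors it with >= rather than the stricter >; the fixture
    # value (53 bytes) satisfies either, but a value of exactly min_size
    # would otherwise fail the test even though the flow returned it.
    self.assertGreaterEqual(results[0].stat_entry.st_size, min_size)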
def testFindsNothingIfRegexMatchesNothing(self):
    """A VALUE_REGEX_MATCH condition that hits no value yields no results."""
    no_hit_regex = rdf_file_finder.FileFinderContentsRegexMatchCondition(
        bytes_before=10, bytes_after=10, regex=".*CanNotFindMe.*")
    condition = registry.RegistryFinderCondition(
        condition_type=registry.RegistryFinderCondition.Type.VALUE_REGEX_MATCH,
        value_regex_match=no_hit_regex)

    client_id = self.SetupClient(0)
    session_id = self.RunFlow(client_id, [self.runkey], [condition])
    # Negative case: the flow must not return the key just because it was
    # visited; only matching values count.
    self.AssertNoResults(session_id)
def testFindsNothingIfNothingMatchesLiteralMatchCondition(self):
    """A VALUE_LITERAL_MATCH condition that hits no value yields no results."""
    no_hit_literal = rdf_file_finder.FileFinderContentsLiteralMatchCondition(
        bytes_before=10, bytes_after=10, literal="CanNotFindMe")
    condition = registry.RegistryFinderCondition(
        condition_type=registry.RegistryFinderCondition.Type.VALUE_LITERAL_MATCH,
        value_literal_match=no_hit_literal)

    client_id = self.SetupClient(0)
    session_id = self.RunFlow(client_id, [self.runkey], [condition])
    # Negative case mirroring the regex variant above.
    self.AssertNoResults(session_id)
def testFindsNothingIfModiciationTimeConditionMatchesNothing(self):
    """A MODIFICATION_TIME window that covers no fixture key yields no results.

    The window [0, 1] seconds since epoch predates every key in the
    fixture.  (The misspelling of "modification" in the method name is
    kept so existing test selection keeps working.)
    """
    epoch = rdfvalue.RDFDatetime.FromSecondsSinceEpoch
    empty_window = rdf_file_finder.FileFinderModificationTimeCondition(
        min_last_modified_time=epoch(0),
        max_last_modified_time=epoch(1))
    condition = registry.RegistryFinderCondition(
        condition_type=registry.RegistryFinderCondition.Type.MODIFICATION_TIME,
        modification_time=empty_window)

    client_id = self.SetupClient(0)
    session_id = self.RunFlow(client_id, [self.runkey], [condition])
    results = flow_test_lib.GetFlowResults(client_id, session_id)
    self.assertFalse(results)
def testFindsKeysIfModificationTimeConditionMatches(self):
    """A MODIFICATION_TIME window around the fixture mtime returns both Run values.

    Both Sidebar and MctAdmin carry the same mtime in the fixture (see
    test_data/client_fixture.py), so a +/-1 second window matches exactly
    those two; order is not asserted.
    """
    fixture_mtime = 1247546054  # seconds since epoch
    epoch = rdfvalue.RDFDatetime.FromSecondsSinceEpoch
    window = rdf_file_finder.FileFinderModificationTimeCondition(
        min_last_modified_time=epoch(fixture_mtime - 1),
        max_last_modified_time=epoch(fixture_mtime + 1))
    condition = registry.RegistryFinderCondition(
        condition_type=registry.RegistryFinderCondition.Type.MODIFICATION_TIME,
        modification_time=window)

    client_id = self.SetupClient(0)
    session_id = self.RunFlow(client_id, [self.runkey], [condition])
    results = flow_test_lib.GetFlowResults(client_id, session_id)

    self.assertLen(results, 2)
    found = []
    for result in results:
        found.append(os.path.basename(result.stat_entry.pathspec.path))
    self.assertCountEqual(found, ["Sidebar", "MctAdmin"])