def testExamineEventAndCompileReportOnSystemFile(self):
    """Tests ExamineEvent and CompileReport against the SYSTEM test hive.

    Parses the 'SYSTEM' registry test file with the Windows Registry parser,
    runs the Windows services analysis plugin over the resulting events and
    then checks the event count plus a handful of expected report fragments.
    """
    # Leaving the non-Services plugins enabled costs little: testing showed
    # that removing them gives a negligible speed-up.
    registry_parser = winreg.WinRegistryParser()
    services_plugin = windows_services.WindowsServicesAnalysisPlugin()

    storage_writer = self._ParseAndAnalyzeFile(
        [u'SYSTEM'], registry_parser, services_plugin)

    self.assertEqual(len(storage_writer.events), 31436)
    self.assertEqual(len(storage_writer.analysis_reports), 1)

    report_text = storage_writer.analysis_reports[0].text

    # Only the presence of a few fragments is checked: the full report text
    # embeds the absolute path of the test files, so an exact comparison
    # would not be portable across machines.
    expected_fragments = (
        u'1394ohci',
        u'WwanSvc',
        u'Sources:',
        u'ControlSet001',
        u'ControlSet002')

    for fragment in expected_fragments:
      self.assertIn(fragment, report_text)
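  def testExamineEventAndCompileReport(self):
    """Tests the ExamineEvent and CompileReport functions.

    Builds an event object from each test event dictionary, attaching a fake
    path specification for the SYSTEM hive, analyzes the events with the
    Windows services plugin and compares the generated report text exactly.
    """
    events = []
    for event_dictionary in self._TEST_EVENTS:
      # Work on a shallow copy so the shared class-level test data is not
      # mutated in place; otherwise the added 'pathspec' key would persist
      # for any other test that reads _TEST_EVENTS.
      event_dictionary = dict(event_dictionary)
      event_dictionary[u'pathspec'] = fake_path_spec.FakePathSpec(
          location=u'C:\\WINDOWS\\system32\\SYSTEM')

      event = self._CreateTestEventObject(event_dictionary)
      events.append(event)

    plugin = windows_services.WindowsServicesAnalysisPlugin()
    storage_writer = self._AnalyzeEvents(events, plugin)

    self.assertEqual(len(storage_writer.analysis_reports), 1)

    analysis_report = storage_writer.analysis_reports[0]

    # The report lists each service with its image path, type, start type and
    # the registry keys (sources) the information was collected from.
    expected_text = (
        u'Listing Windows Services\n'
        u'TestbDriver\n'
        u'\tImage Path    = C:\\Dell\\testdriver.sys\n'
        u'\tService Type  = File System Driver (0x2)\n'
        u'\tStart Type    = Auto Start (2)\n'
        u'\tService Dll   = \n'
        u'\tObject Name   = \n'
        u'\tSources:\n'
        u'\t\tC:\\WINDOWS\\system32\\SYSTEM:'
        u'\\ControlSet001\\services\\TestbDriver\n'
        u'\t\tC:\\WINDOWS\\system32\\SYSTEM:'
        u'\\ControlSet003\\services\\TestbDriver\n\n')

    self.assertEqual(expected_text, analysis_report.text)
    self.assertEqual(analysis_report.plugin_name, 'windows_services')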
  def testExamineEventAndCompileReport(self):
    """Tests the ExamineEvent and CompileReport functions.

    Runs the Windows services analysis plugin over the class-level test
    events and compares the resulting report text and plugin name exactly.
    """
    services_plugin = windows_services.WindowsServicesAnalysisPlugin()
    storage_writer = self._AnalyzeEvents(self._TEST_EVENTS, services_plugin)

    self.assertEqual(len(storage_writer.analysis_reports), 1)
    analysis_report = storage_writer.analysis_reports[0]

    # One entry per report line; the report ends with a blank line, which is
    # appended below together with the terminating newline.
    expected_lines = [
        'Listing Windows Services',
        'TestbDriver',
        '\tImage Path    = C:\\Dell\\testdriver.sys',
        '\tService Type  = File System Driver (0x2)',
        '\tStart Type    = Auto Start (2)',
        '\tService Dll   = ',
        '\tObject Name   = ',
        '\tSources:',
        '\t\tC:\\WINDOWS\\system32\\SYSTEM:\\ControlSet001\\services\\TestbDriver',
        '\t\tC:\\WINDOWS\\system32\\SYSTEM:\\ControlSet003\\services\\TestbDriver',
    ]
    expected_text = '\n'.join(expected_lines) + '\n\n'

    self.assertEqual(expected_text, analysis_report.text)
    self.assertEqual(analysis_report.plugin_name, 'windows_services')
    def testExamineEventAndCompileReport(self):
        """Tests the ExamineEvent and CompileReport functions.

        Analyzes the class-level test events with the Windows services plugin,
        fetches the single analysis report from the storage writer via the
        attribute container API and compares its text and plugin name exactly.
        """
        services_plugin = windows_services.WindowsServicesAnalysisPlugin()
        storage_writer = self._AnalyzeEvents(self._TEST_EVENTS, services_plugin)

        report_count = storage_writer.GetNumberOfAttributeContainers(
            'analysis_report')
        self.assertEqual(report_count, 1)

        report_type = reports.AnalysisReport.CONTAINER_TYPE
        analysis_report = storage_writer.GetAttributeContainerByIndex(
            report_type, 0)
        self.assertIsNotNone(analysis_report)

        # One entry per report line; the trailing blank line and final newline
        # are added when the lines are joined.
        expected_lines = [
            'Listing Windows Services',
            'TestbDriver',
            '\tImage Path    = C:\\Dell\\testdriver.sys',
            '\tService Type  = File System Driver (0x2)',
            '\tStart Type    = Auto Start (2)',
            '\tService Dll   = ',
            '\tObject Name   = ',
            '\tSources:',
            '\t\tC:\\WINDOWS\\system32\\SYSTEM:'
            '\\ControlSet001\\services\\TestbDriver',
            '\t\tC:\\WINDOWS\\system32\\SYSTEM:'
            '\\ControlSet003\\services\\TestbDriver',
        ]
        expected_text = '\n'.join(expected_lines) + '\n\n'

        self.assertEqual(expected_text, analysis_report.text)
        self.assertEqual(analysis_report.plugin_name, 'windows_services')
    def testExamineEventAndCompileReportOnSystemFileWithYAML(self):
        """Tests ExamineEvent and CompileReport with YAML output.

        Parses the 'SYSTEM' registry test file, runs the Windows services
        plugin with its output format set to 'yaml' and checks that the report
        carries the WindowsService YAML tag plus a few expected fragments.
        """
        # Leaving the non-Services plugins enabled costs little: testing showed
        # that removing them gives a negligible speed-up.
        registry_parser = winreg_parser.WinRegistryParser()
        services_plugin = windows_services.WindowsServicesAnalysisPlugin()
        services_plugin.SetOutputFormat('yaml')

        storage_writer = self._ParseAndAnalyzeFile(
            ['SYSTEM'], registry_parser, services_plugin)

        report_count = storage_writer.GetNumberOfAttributeContainers(
            'analysis_report')
        self.assertEqual(report_count, 1)

        report_type = reports.AnalysisReport.CONTAINER_TYPE
        analysis_report = storage_writer.GetAttributeContainerByIndex(
            report_type, 0)
        self.assertIsNotNone(analysis_report)

        # Only the presence of a few fragments is checked: the full report text
        # embeds the absolute path of the test files, so an exact comparison
        # would not be portable across machines.
        report_text = analysis_report.text
        expected_fragments = (
            windows_services.WindowsService.yaml_tag,
            '1394ohci',
            'WwanSvc',
            'ControlSet001',
            'ControlSet002',
        )

        for fragment in expected_fragments:
            self.assertIn(fragment, report_text)
    def testParseOptions(self):
        """Tests the ParseOptions function.

        Checks that ParseOptions accepts a Windows services analysis plugin and
        raises BadConfigObject when the plugin argument is None.
        """
        test_options = cli_test_lib.TestOptions()
        helper = arguments_helper.WindowsServicesAnalysisArgumentsHelper

        # The happy path: a real plugin instance is accepted without error.
        services_plugin = windows_services.WindowsServicesAnalysisPlugin()
        helper.ParseOptions(test_options, services_plugin)

        # A missing plugin is a configuration error, not a silent no-op.
        with self.assertRaises(errors.BadConfigObject):
            helper.ParseOptions(test_options, None)