def testProcess(self):
"""Tests the Process function."""
key_path = u'\\Microsoft\\Some Windows\\InterestingApp\\MRU'
values = []
values.append(
winreg_test_lib.TestRegValue('MRUList',
'acb'.encode('utf_16_le'),
winreg_test_lib.TestRegValue.REG_SZ,
offset=123))
values.append(
winreg_test_lib.TestRegValue(
'a',
'Some random text here'.encode('utf_16_le'),
winreg_test_lib.TestRegValue.REG_SZ,
offset=1892))
values.append(
winreg_test_lib.TestRegValue(
'b',
'c:/evil.exe'.encode('utf_16_le'),
winreg_test_lib.TestRegValue.REG_BINARY,
offset=612))
values.append(
winreg_test_lib.TestRegValue(
'c',
'C:/looks_legit.exe'.encode('utf_16_le'),
winreg_test_lib.TestRegValue.REG_SZ,
offset=1001))
timestamp = timelib_test.CopyStringToTimestamp(
'2012-08-28 09:23:49.002031')
winreg_key = winreg_test_lib.TestRegKey(key_path, timestamp, values,
1456)
event_queue_consumer = self._ParseKeyWithPlugin(
self._plugin, winreg_key)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
self.assertEquals(len(event_objects), 1)
event_object = event_objects[0]
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2012-08-28 09:23:49.002031')
self.assertEquals(event_object.timestamp, expected_timestamp)
expected_msg = (u'[{0:s}] '
u'Index: 1 [MRU Value a]: Some random text here '
u'Index: 2 [MRU Value c]: C:/looks_legit.exe '
u'Index: 3 [MRU Value b]: ').format(key_path)
expected_msg_short = (
u'[{0:s}] Index: 1 [MRU Value a]: Some ran...').format(key_path)
self._TestGetMessageStrings(event_object, expected_msg,
expected_msg_short)
def testProcess(self):
"""Tests the Process function."""
key_path = u'\\Software\\WinRAR\\ArcHistory'
values = []
values.append(
winreg_test_lib.TestRegValue(
'0',
'C:\\Downloads\\The Sleeping Dragon CD1.iso'.encode(
'utf_16_le'),
winreg_test_lib.TestRegValue.REG_SZ,
offset=1892))
values.append(
winreg_test_lib.TestRegValue(
'1',
'C:\\Downloads\\plaso-static.rar'.encode('utf_16_le'),
winreg_test_lib.TestRegValue.REG_SZ,
offset=612))
expected_timestamp = timelib.Timestamp.CopyFromString(
'2012-08-28 09:23:49.002031')
winreg_key = winreg_test_lib.TestRegKey(key_path,
expected_timestamp,
values,
offset=1456)
event_queue_consumer = self._ParseKeyWithPlugin(
self._plugin, winreg_key)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
self.assertEqual(len(event_objects), 2)
event_object = event_objects[0]
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
self.assertEqual(event_object.parser, self._plugin.plugin_name)
self.assertEqual(event_object.timestamp, expected_timestamp)
expected_string = (
u'[{0:s}] 0: C:\\Downloads\\The Sleeping Dragon CD1.iso'
).format(key_path)
self._TestGetMessageStrings(event_object, expected_string,
expected_string)
event_object = event_objects[1]
self.assertEqual(event_object.timestamp, 0)
expected_string = u'[{0:s}] 1: C:\\Downloads\\plaso-static.rar'.format(
key_path)
self._TestGetMessageStrings(event_object, expected_string,
expected_string)
def testProcess(self):
"""Tests the Process function."""
key_path = u'\\Microsoft\\Some Windows\\InterestingApp\\MRU'
values = []
values.append(
winreg_test_lib.TestRegValue('MRUList',
'acb'.encode('utf_16_le'),
winreg_test_lib.TestRegValue.REG_SZ,
offset=123))
values.append(
winreg_test_lib.TestRegValue(
'a',
'Some random text here'.encode('utf_16_le'),
winreg_test_lib.TestRegValue.REG_SZ,
offset=1892))
values.append(
winreg_test_lib.TestRegValue(
'b',
'c:/evil.exe'.encode('utf_16_le'),
winreg_test_lib.TestRegValue.REG_BINARY,
offset=612))
values.append(
winreg_test_lib.TestRegValue(
'c',
'C:/looks_legit.exe'.encode('utf_16_le'),
winreg_test_lib.TestRegValue.REG_SZ,
offset=1001))
winreg_key = winreg_test_lib.TestRegKey(key_path, 1346145829002031,
values, 1456)
event_generator = self._ParseKeyWithPlugin(self._plugin, winreg_key)
event_objects = self._GetEventObjects(event_generator)
self.assertEquals(len(event_objects), 1)
event_object = event_objects[0]
self.assertEquals(event_object.timestamp, 1346145829002031)
expected_msg = (
u'[{0:s}] '
u'Index: 1 [MRU Value a]: Some random text here '
u'Index: 2 [MRU Value c]: C:/looks_legit.exe '
u'Index: 3 [MRU Value b]: REGALERT: Unsupported MRU value: b data '
u'type.').format(key_path)
expected_msg_short = (
u'[{0:s}] Index: 1 [MRU Value a]: Some ran...').format(key_path)
self._TestGetMessageStrings(event_object, expected_msg,
expected_msg_short)
def testProcess(self):
"""Tests the Process function."""
key_path = u'\\Microsoft\\Some Windows\\InterestingApp\\MRUlist'
values = []
# The order is: 201
values.append(
winreg_test_lib.TestRegValue(
'MRUListEx',
'\x02\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00',
winreg_interface.WinRegValue.REG_BINARY, 123))
values.append(
winreg_test_lib.TestRegValue(
'0', 'Some random text here'.encode('utf_16_le'),
winreg_interface.WinRegValue.REG_SZ, 1892))
values.append(
winreg_test_lib.TestRegValue(
'1', 'c:\\evil.exe'.encode('utf_16_le'),
winreg_interface.WinRegValue.REG_BINARY, 612))
values.append(
winreg_test_lib.TestRegValue(
'2', 'C:\\looks_legit.exe'.encode('utf_16_le'),
winreg_interface.WinRegValue.REG_SZ, 1001))
winreg_key = winreg_test_lib.TestRegKey(key_path, 1346145829002031,
values, 1456)
event_queue_consumer = self._ParseKeyWithPlugin(
self._plugin, winreg_key)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
self.assertEquals(len(event_objects), 1)
# A MRUListEx event object.
event_object = event_objects[0]
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2012-08-28 09:23:49.002031')
self.assertEquals(event_object.timestamp, expected_timestamp)
expected_msg = (
u'[{0:s}] '
u'Index: 1 [MRU Value 2]: C:\\looks_legit.exe '
u'Index: 2 [MRU Value 0]: Some random text here '
u'Index: 3 [MRU Value 1]: c:\\evil.exe').format(key_path)
expected_msg_short = (
u'[{0:s}] Index: 1 [MRU Value 2]: C:\\l...').format(key_path)
self._TestGetMessageStrings(event_object, expected_msg,
expected_msg_short)
def testProcess(self):
"""Tests the Process function."""
key_path = u'\\Software\\Microsoft\\Terminal Server Client\\Default'
values = []
values.append(
winreg_test_lib.TestRegValue('MRU0',
'192.168.16.60'.encode('utf_16_le'),
winreg_test_lib.TestRegValue.REG_SZ,
offset=1892))
values.append(
winreg_test_lib.TestRegValue(
'MRU1', 'computer.domain.com'.encode('utf_16_le'),
winreg_test_lib.TestRegValue.REG_SZ, 612))
expected_timestamp = timelib.Timestamp.CopyFromString(
'2012-08-28 09:23:49.002031')
winreg_key = winreg_test_lib.TestRegKey(key_path, expected_timestamp,
values, 1456)
event_queue_consumer = self._ParseKeyWithPlugin(
self._plugin, winreg_key)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
self.assertEqual(len(event_objects), 2)
event_object = event_objects[0]
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
self.assertEqual(event_object.parser, self._plugin.plugin_name)
self.assertEqual(event_object.timestamp, expected_timestamp)
expected_msg = u'[{0:s}] MRU0: 192.168.16.60'.format(key_path)
expected_msg_short = u'[{0:s}] MRU0: 192.168.16.60'.format(key_path)
self._TestGetMessageStrings(event_object, expected_msg,
expected_msg_short)
event_object = event_objects[1]
self.assertEqual(event_object.timestamp, 0)
expected_msg = u'[{0:s}] MRU1: computer.domain.com'.format(key_path)
expected_msg_short = u'[{0:s}] MRU1: computer.domain.com'.format(
key_path)
self._TestGetMessageStrings(event_object, expected_msg,
expected_msg_short)
def testProcess(self):
"""Tests the Process function."""
key_path = u'\\Software\\WinRAR\\ArcHistory'
values = []
values.append(
winreg_test_lib.TestRegValue(
'0',
'C:\\Downloads\\The Sleeping Dragon CD1.iso'.encode(
'utf_16_le'),
winreg_test_lib.TestRegValue.REG_SZ,
offset=1892))
values.append(
winreg_test_lib.TestRegValue(
'1',
'C:\\Downloads\\plaso-static.rar'.encode('utf_16_le'),
winreg_test_lib.TestRegValue.REG_SZ,
offset=612))
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2012-08-28 09:23:49.002031')
winreg_key = winreg_test_lib.TestRegKey(key_path,
expected_timestamp,
values,
offset=1456)
event_generator = self._ParseKeyWithPlugin(self._plugin, winreg_key)
event_objects = self._GetEventObjects(event_generator)
self.assertEquals(len(event_objects), 2)
event_object = event_objects[0]
self.assertEquals(event_object.timestamp, expected_timestamp)
expected_string = (
u'[{0:s}] 0: C:\\Downloads\\The Sleeping Dragon CD1.iso'
).format(key_path)
self._TestGetMessageStrings(event_object, expected_string,
expected_string)
event_object = event_objects[1]
self.assertEquals(event_object.timestamp, 0)
expected_string = u'[{0:s}] 1: C:\\Downloads\\plaso-static.rar'.format(
key_path)
self._TestGetMessageStrings(event_object, expected_string,
expected_string)
def testWinVer(self):
"""Test the WinVer plugin."""
key_path = u'\\Microsoft\\Windows NT\\CurrentVersion'
values = []
values.append(
winreg_test_lib.TestRegValue('ProductName',
'MyTestOS'.encode('utf_16_le'), 1,
123))
values.append(
winreg_test_lib.TestRegValue('CSDBuildNumber',
'5'.encode('utf_16_le'), 1, 1892))
values.append(
winreg_test_lib.TestRegValue(
'RegisteredOwner', 'A Concerned Citizen'.encode('utf_16_le'),
1, 612))
values.append(
winreg_test_lib.TestRegValue('InstallDate', '\x13\x1aAP', 3, 1001))
winreg_key = winreg_test_lib.TestRegKey(key_path, 1346445929000000,
values, 153)
event_queue_consumer = self._ParseKeyWithPlugin(
self._plugin, winreg_key)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
self.assertEqual(len(event_objects), 1)
event_object = event_objects[0]
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
self.assertEqual(event_object.parser, self._plugin.plugin_name)
expected_timestamp = timelib.Timestamp.CopyFromString(
'2012-08-31 20:09:55')
self.assertEqual(event_object.timestamp, expected_timestamp)
# Note that the double spaces here are intentional.
expected_msg = (u'[{0:s}] '
u'Windows Version Information: '
u'Owner: A Concerned Citizen '
u'Product name: MyTestOS sp: 5').format(key_path)
expected_msg_short = (u'[{0:s}] '
u'Windows Version Information: '
u'Owner: ...').format(key_path)
self._TestGetMessageStrings(event_object, expected_msg,
expected_msg_short)
def testProcess(self):
"""Tests the Process function."""
key_path = u'\\Software\\Microsoft\\Office\\15.0\\Outlook\\Search'
values = []
values.append(winreg_test_lib.TestRegValue(
('C:\\Users\\username\\AppData\\Local\\Microsoft\\Outlook\\'
'*****@*****.**'), '\xcf\x2b\x37\x00',
winreg_test_lib.TestRegValue.REG_DWORD, offset=1892))
winreg_key = winreg_test_lib.TestRegKey(
key_path, 1346145829002031, values, 1456)
event_queue_consumer = self._ParseKeyWithPlugin(self._plugin, winreg_key)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
expected_msg = (
u'[{0:s}] '
u'C:\\Users\\username\\AppData\\Local\\Microsoft\\Outlook\\'
u'[email protected]: 0x00372bcf').format(key_path)
expected_msg_short = u'[{0:s}] C:\\Users\\username\\AppData\\Lo...'.format(
key_path)
self.assertEqual(len(event_objects), 1)
event_object = event_objects[0]
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
self.assertEqual(event_object.parser, self._plugin.plugin_name)
self.assertEqual(event_object.timestamp, 1346145829002031)
self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def testProcess(self):
"""Tests the Process function."""
key_path = u'\\Software\\Microsoft\\Terminal Server Client\\Servers'
values = []
values.append(winreg_test_lib.TestRegValue(
'UsernameHint', 'DOMAIN\\username'.encode('utf_16_le'),
winreg_test_lib.TestRegValue.REG_SZ, offset=1892))
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2012-08-28 09:23:49.002031')
server_key_path = (
u'\\Software\\Microsoft\\Terminal Server Client\\Servers\\myserver.com')
server_key = winreg_test_lib.TestRegKey(
server_key_path, expected_timestamp, values, offset=1456)
winreg_key = winreg_test_lib.TestRegKey(
key_path, expected_timestamp, None, offset=865, subkeys=[server_key])
event_generator = self._ParseKeyWithPlugin(self._plugin, winreg_key)
event_objects = self._GetEventObjects(event_generator)
self.assertEquals(len(event_objects), 1)
event_object = event_objects[0]
self.assertEquals(event_object.timestamp, expected_timestamp)
expected_msg = u'[{0:s}] UsernameHint: DOMAIN\\username'.format(key_path)
expected_msg_short = (
u'[{0:s}] UsernameHint: DOMAIN\\use...').format(key_path)
self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def testProcess(self):
"""Tests the Process function."""
key_path = u'\\ControlSet001\\Control\\BootVerificationProgram'
values = []
values.append(
winreg_test_lib.TestRegValue(
'ImagePath',
'C:\\WINDOWS\\system32\\googleupdater.exe'.encode('utf_16_le'),
1, 123))
winreg_key = winreg_test_lib.TestRegKey(key_path, 1346445929000000,
values, 153)
event_generator = self._ParseKeyWithPlugin(self._plugin, winreg_key)
event_objects = self._GetEventObjects(event_generator)
self.assertEquals(len(event_objects), 1)
event_object = event_objects[0]
# Timestamp is: Fri, 31 Aug 2012 20:45:29 GMT
self.assertEquals(event_object.timestamp, 1346445929000000)
self.assertTrue(event_object.regalert)
expected_msg = (u'[{0:s}] '
u'BootVerification: REGALERT '
u'ImagePath: C:\\WINDOWS\\system32\\googleupdater.exe'
).format(key_path)
expected_msg_short = (
u'[{0:s}] BootVerification: REGALERT I...').format(key_path)
self._TestGetMessageStrings(event_object, expected_msg,
expected_msg_short)
def testProcess(self):
"""Tests the Process function."""
key_path = u'\\Software\\Microsoft\\Office\\15.0\\Outlook\\Search'
values = []
values.append(winreg_test_lib.TestRegValue(
('C:\\Users\\username\\AppData\\Local\\Microsoft\\Outlook\\'
'*****@*****.**'), '\xcf\x2b\x37\x00',
winreg_test_lib.TestRegValue.REG_DWORD, offset=1892))
winreg_key = winreg_test_lib.TestRegKey(
key_path, 1346145829002031, values, 1456)
event_generator = self._ParseKeyWithPlugin(self._plugin, winreg_key)
event_objects = self._GetEventObjects(event_generator)
expected_msg = (
u'[{0:s}] '
u'C:\\Users\\username\\AppData\\Local\\Microsoft\\Outlook\\'
u'[email protected]: 0x00372bcf').format(key_path)
expected_msg_short = u'[{0:s}] C:\\Users\\username\\AppData\\Lo...'.format(
key_path)
self.assertEquals(len(event_objects), 1)
event_object = event_objects[0]
self.assertEquals(event_object.timestamp, 1346145829002031)
self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def testProcess(self):
"""Tests the Process function."""
key_path = u'\\Microsoft\\Some Windows\\InterestingApp\\MRU'
values = []
values.append(
winreg_test_lib.TestRegValue('MRUList', 'acb'.encode('utf_16_le'),
1, 123))
values.append(
winreg_test_lib.TestRegValue(
'a', 'Some random text here'.encode('utf_16_le'), 1, 1892))
values.append(
winreg_test_lib.TestRegValue('b',
'c:/evil.exe'.encode('utf_16_le'), 3,
612))
values.append(
winreg_test_lib.TestRegValue(
'c', 'C:/looks_legit.exe'.encode('utf_16_le'), 1, 1001))
winreg_key = winreg_test_lib.TestRegKey(key_path, 1346145829002031,
values, 1456)
event_queue_consumer = self._ParseKeyWithPlugin(
self._plugin, winreg_key)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
self.assertEqual(len(event_objects), 1)
event_object = event_objects[0]
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
self.assertEqual(event_object.parser, self._plugin.plugin_name)
self.assertEqual(event_object.timestamp, 1346145829002031)
expected_msg = (u'[{0:s}] '
u'MRUList: [REG_SZ] acb '
u'a: [REG_SZ] Some random text here '
u'b: [REG_BINARY] '
u'c: [REG_SZ] C:/looks_legit.exe').format(key_path)
expected_msg_short = (
u'[{0:s}] MRUList: [REG_SZ] acb a: [REG_SZ...').format(key_path)
self._TestGetMessageStrings(event_object, expected_msg,
expected_msg_short)
def testProcess(self):
"""Tests the Process function on a virtual key."""
key_path = u'\\ControlSet001\\services\\TestDriver'
values = []
values.append(
winreg_test_lib.TestRegValue('Type', '\x02\x00\x00\x00', 4, 123))
values.append(
winreg_test_lib.TestRegValue('Start', '\x02\x00\x00\x00', 4, 127))
values.append(
winreg_test_lib.TestRegValue('ErrorControl', '\x01\x00\x00\x00', 4,
131))
values.append(
winreg_test_lib.TestRegValue('Group',
'Pnp Filter'.encode('utf_16_le'), 1,
140))
values.append(
winreg_test_lib.TestRegValue('DisplayName',
'Test Driver'.encode('utf_16_le'), 1,
160))
values.append(
winreg_test_lib.TestRegValue(
'DriverPackageId',
'testdriver.inf_x86_neutral_dd39b6b0a45226c4'.encode(
'utf_16_le'), 1, 180))
values.append(
winreg_test_lib.TestRegValue(
'ImagePath', 'C:\\Dell\\testdriver.sys'.encode('utf_16_le'), 1,
200))
winreg_key = winreg_test_lib.TestRegKey(key_path, 1346145829002031,
values, 1456)
event_generator = self._ParseKeyWithPlugin(self._plugin, winreg_key)
event_objects = self._GetEventObjects(event_generator)
self.assertEquals(len(event_objects), 1)
event_object = event_objects[0]
# Timestamp is: Tue, 28 Aug 2012 09:23:49 GMT.
self.assertEquals(event_object.timestamp, 1346145829002031)
self.assertTrue(event_object.regalert)
expected_msg = (
u'[{0:s}] '
u'DisplayName: Test Driver '
u'DriverPackageId: testdriver.inf_x86_neutral_dd39b6b0a45226c4 '
u'ErrorControl: Normal (1) '
u'Group: Pnp Filter '
u'ImagePath: REGALERT Driver not in system32: C:\\Dell\\testdriver.sys '
u'Start: REGALERT Unusual Start for Driver: Auto Start (2) '
u'Type: File System Driver (0x2)').format(key_path)
expected_msg_short = (u'[{0:s}] '
u'DisplayName: Test Driver '
u'DriverPackageId...').format(key_path)
self._TestGetMessageStrings(event_object, expected_msg,
expected_msg_short)
def testProcess(self):
"""Tests the Process function on a virtual key."""
key_path = u'\\ControlSet001\\services\\TestDriver'
values = []
values.append(winreg_test_lib.TestRegValue(
'Type', '\x02\x00\x00\x00', 4, 123))
values.append(winreg_test_lib.TestRegValue(
'Start', '\x02\x00\x00\x00', 4, 127))
values.append(winreg_test_lib.TestRegValue(
'ErrorControl', '\x01\x00\x00\x00', 4, 131))
values.append(winreg_test_lib.TestRegValue(
'Group', 'Pnp Filter'.encode('utf_16_le'), 1, 140))
values.append(winreg_test_lib.TestRegValue(
'DisplayName', 'Test Driver'.encode('utf_16_le'), 1, 160))
values.append(winreg_test_lib.TestRegValue(
'DriverPackageId',
'testdriver.inf_x86_neutral_dd39b6b0a45226c4'.encode('utf_16_le'), 1,
180))
values.append(winreg_test_lib.TestRegValue(
'ImagePath', 'C:\\Dell\\testdriver.sys'.encode('utf_16_le'), 1, 200))
timestamp = timelib_test.CopyStringToTimestamp(
'2012-08-28 09:23:49.002031')
winreg_key = winreg_test_lib.TestRegKey(
key_path, timestamp, values, 1456)
event_queue_consumer = self._ParseKeyWithPlugin(self._plugin, winreg_key)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
self.assertEquals(len(event_objects), 1)
event_object = event_objects[0]
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2012-08-28 09:23:49.002031')
self.assertEquals(event_object.timestamp, expected_timestamp)
# TODO: Remove RegAlert completely
# self.assertTrue(event_object.regalert)
expected_msg = (
u'[{0:s}] '
u'DisplayName: Test Driver '
u'DriverPackageId: testdriver.inf_x86_neutral_dd39b6b0a45226c4 '
u'ErrorControl: Normal (1) '
u'Group: Pnp Filter '
u'ImagePath: C:\\Dell\\testdriver.sys '
u'Start: Auto Start (2) '
# u'ImagePath: REGALERT Driver not in system32: '
# u'C:\\Dell\\testdriver.sys '
# u'Start: REGALERT Unusual Start for Driver: Auto Start (2) '
u'Type: File System Driver (0x2)').format(key_path)
expected_msg_short = (
u'[{0:s}] '
u'DisplayName: Test Driver '
u'DriverPackageId...').format(key_path)
self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def testProcess(self):
"""Tests the Process function."""
key_path = u'\\Microsoft\\Some Windows\\InterestingApp\\MRUlist'
values = []
# The order is: 201
values.append(
winreg_test_lib.TestRegValue(
'MRUListEx',
'\x02\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00', 3, 123))
values.append(
winreg_test_lib.TestRegValue(
'0', 'Some random text here'.encode('utf_16_le'), 1, 1892))
values.append(
winreg_test_lib.TestRegValue('1',
'c:/evil.exe'.encode('utf_16_le'), 3,
612))
values.append(
winreg_test_lib.TestRegValue(
'2', 'C:/looks_legit.exe'.encode('utf_16_le'), 1, 1001))
winreg_key = winreg_test_lib.TestRegKey(key_path, 1346145829002031,
values, 1456)
event_generator = self._ParseKeyWithPlugin(self._plugin, winreg_key)
event_objects = self._GetEventObjects(event_generator)
self.assertEquals(len(event_objects), 1)
event_object = event_objects[0]
self.assertEquals(event_object.timestamp, 1346145829002031)
expected_msg = (
u'[{0:s}] '
u'Index: 1 [MRU Value 2]: C:/looks_legit.exe '
u'Index: 2 [MRU Value 0]: Some random text here '
u'Index: 3 [MRU Value 1]: c:/evil.exe').format(key_path)
expected_msg_short = (
u'[{0:s}] Index: 1 [MRU Value 2]: C:/l...').format(key_path)
self._TestGetMessageStrings(event_object, expected_msg,
expected_msg_short)
def testProcess(self):
"""Tests the Process function on a virtual key."""
key_path = u'\\ControlSet001\\services\\TestDriver'
values = []
values.append(winreg_test_lib.TestRegValue(
'Type', '\x02\x00\x00\x00', 4, 123))
values.append(winreg_test_lib.TestRegValue(
'Start', '\x02\x00\x00\x00', 4, 127))
values.append(winreg_test_lib.TestRegValue(
'ErrorControl', '\x01\x00\x00\x00', 4, 131))
values.append(winreg_test_lib.TestRegValue(
'Group', 'Pnp Filter'.encode('utf_16_le'), 1, 140))
values.append(winreg_test_lib.TestRegValue(
'DisplayName', 'Test Driver'.encode('utf_16_le'), 1, 160))
values.append(winreg_test_lib.TestRegValue(
'DriverPackageId',
'testdriver.inf_x86_neutral_dd39b6b0a45226c4'.encode('utf_16_le'), 1,
180))
values.append(winreg_test_lib.TestRegValue(
'ImagePath', 'C:\\Dell\\testdriver.sys'.encode('utf_16_le'), 1, 200))
timestamp = timelib.Timestamp.CopyFromString(
'2012-08-28 09:23:49.002031')
winreg_key = winreg_test_lib.TestRegKey(
key_path, timestamp, values, 1456)
event_queue_consumer = self._ParseKeyWithPlugin(self._plugin, winreg_key)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
self.assertEqual(len(event_objects), 1)
event_object = event_objects[0]
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
self.assertEqual(event_object.parser, self._plugin.plugin_name)
expected_timestamp = timelib.Timestamp.CopyFromString(
'2012-08-28 09:23:49.002031')
self.assertEqual(event_object.timestamp, expected_timestamp)
expected_msg = (
u'[{0:s}] '
u'DisplayName: Test Driver '
u'DriverPackageId: testdriver.inf_x86_neutral_dd39b6b0a45226c4 '
u'ErrorControl: Normal (1) '
u'Group: Pnp Filter '
u'ImagePath: C:\\Dell\\testdriver.sys '
u'Start: Auto Start (2) '
u'Type: File System Driver (0x2)').format(key_path)
expected_msg_short = (
u'[{0:s}] '
u'DisplayName: Test Driver '
u'DriverPackageId...').format(key_path)
self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def testProcess(self):
"""Tests the Process function."""
key_path = u'\\Software\\Microsoft\\Terminal Server Client\\Default'
values = []
values.append(winreg_test_lib.TestRegValue(
'MRU0', '192.168.16.60'.encode('utf_16_le'),
winreg_test_lib.TestRegValue.REG_SZ, offset=1892))
values.append(winreg_test_lib.TestRegValue(
'MRU1', 'computer.domain.com'.encode('utf_16_le'),
winreg_test_lib.TestRegValue.REG_SZ, 612))
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2012-08-28 09:23:49.002031')
winreg_key = winreg_test_lib.TestRegKey(
key_path, expected_timestamp, values, 1456)
event_generator = self._ParseKeyWithPlugin(self._plugin, winreg_key)
event_objects = self._GetEventObjects(event_generator)
self.assertEquals(len(event_objects), 2)
event_object = event_objects[0]
self.assertEquals(event_object.timestamp, expected_timestamp)
expected_msg = u'[{0:s}] MRU0: 192.168.16.60'.format(key_path)
expected_msg_short = u'[{0:s}] MRU0: 192.168.16.60'.format(key_path)
self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
event_object = event_objects[1]
self.assertEquals(event_object.timestamp, 0)
expected_msg = u'[{0:s}] MRU1: computer.domain.com'.format(key_path)
expected_msg_short = u'[{0:s}] MRU1: computer.domain.com'.format(key_path)
self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def testProcess(self):
"""Tests the Process function."""
key_path = u'\\Software\\Microsoft\\Terminal Server Client\\Servers'
values = []
values.append(
winreg_test_lib.TestRegValue(
'UsernameHint',
'DOMAIN\\username'.encode('utf_16_le'),
winreg_test_lib.TestRegValue.REG_SZ,
offset=1892))
expected_timestamp = timelib.Timestamp.CopyFromString(
'2012-08-28 09:23:49.002031')
server_key_path = (
u'\\Software\\Microsoft\\Terminal Server Client\\Servers\\myserver.com'
)
server_key = winreg_test_lib.TestRegKey(server_key_path,
expected_timestamp,
values,
offset=1456)
winreg_key = winreg_test_lib.TestRegKey(key_path,
expected_timestamp,
None,
offset=865,
subkeys=[server_key])
event_queue_consumer = self._ParseKeyWithPlugin(
self._plugin, winreg_key)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
self.assertEqual(len(event_objects), 1)
event_object = event_objects[0]
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
self.assertEqual(event_object.parser, self._plugin.plugin_name)
self.assertEqual(event_object.timestamp, expected_timestamp)
expected_msg = u'[{0:s}] UsernameHint: DOMAIN\\username'.format(
key_path)
expected_msg_short = (
u'[{0:s}] UsernameHint: DOMAIN\\use...').format(key_path)
self._TestGetMessageStrings(event_object, expected_msg,
expected_msg_short)
def testProcess(self):
"""Tests the Process function."""
key_path = u'\\ControlSet001\\Control\\BootVerificationProgram'
values = []
values.append(
winreg_test_lib.TestRegValue(
'ImagePath',
'C:\\WINDOWS\\system32\\googleupdater.exe'.encode('utf_16_le'),
1, 123))
timestamp = timelib.Timestamp.CopyFromString('2012-08-31 20:45:29')
winreg_key = winreg_test_lib.TestRegKey(key_path, timestamp, values,
153)
event_queue_consumer = self._ParseKeyWithPlugin(
self._plugin, winreg_key)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
self.assertEqual(len(event_objects), 1)
event_object = event_objects[0]
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
self.assertEqual(event_object.parser, self._plugin.plugin_name)
expected_timestamp = timelib.Timestamp.CopyFromString(
'2012-08-31 20:45:29')
self.assertEqual(event_object.timestamp, expected_timestamp)
expected_msg = (u'[{0:s}] '
u'ImagePath: C:\\WINDOWS\\system32\\googleupdater.exe'
).format(key_path)
expected_msg_short = (
u'[{0:s}] ImagePath: C:\\WINDOWS\\system...').format(key_path)
self._TestGetMessageStrings(event_object, expected_msg,
expected_msg_short)
def testProcess(self):
"""Tests the Process function."""
key_path = u'\\ControlSet001\\Control\\Session Manager'
values = []
values.append(
winreg_test_lib.TestRegValue(
'BootExecute', 'autocheck autochk *\x00'.encode('utf_16_le'),
7, 123))
values.append(
winreg_test_lib.TestRegValue('CriticalSectionTimeout',
'2592000'.encode('utf_16_le'), 1,
153))
values.append(
winreg_test_lib.TestRegValue('ExcludeFromKnownDlls',
'\x00'.encode('utf_16_le'), 7, 163))
values.append(
winreg_test_lib.TestRegValue('GlobalFlag', '0'.encode('utf_16_le'),
1, 173))
values.append(
winreg_test_lib.TestRegValue('HeapDeCommitFreeBlockThreshold',
'0'.encode('utf_16_le'), 1, 183))
values.append(
winreg_test_lib.TestRegValue('HeapDeCommitTotalFreeThreshold',
'0'.encode('utf_16_le'), 1, 203))
values.append(
winreg_test_lib.TestRegValue('HeapSegmentCommit',
'0'.encode('utf_16_le'), 1, 213))
values.append(
winreg_test_lib.TestRegValue('HeapSegmentReserve',
'0'.encode('utf_16_le'), 1, 223))
values.append(
winreg_test_lib.TestRegValue('NumberOfInitialSessions',
'2'.encode('utf_16_le'), 1, 243))
timestamp = timelib_test.CopyStringToTimestamp('2012-08-31 20:45:29')
winreg_key = winreg_test_lib.TestRegKey(key_path, timestamp, values,
153)
event_queue_consumer = self._ParseKeyWithPlugin(
self._plugin, winreg_key)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
self.assertEquals(len(event_objects), 2)
event_object = event_objects[0]
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2012-08-31 20:45:29')
self.assertEquals(event_object.timestamp, expected_timestamp)
expected_string = (
u'[{0:s}] BootExecute: autocheck autochk *').format(key_path)
self._TestGetMessageStrings(event_object, expected_string,
expected_string)
event_object = event_objects[1]
expected_msg = (u'[{0:s}] '
u'CriticalSectionTimeout: 2592000 '
u'ExcludeFromKnownDlls: [] '
u'GlobalFlag: 0 '
u'HeapDeCommitFreeBlockThreshold: 0 '
u'HeapDeCommitTotalFreeThreshold: 0 '
u'HeapSegmentCommit: 0 '
u'HeapSegmentReserve: 0 '
u'NumberOfInitialSessions: 2').format(key_path)
expected_msg_short = (
u'[{0:s}] CriticalSectionTimeout: 2592000 Excl...'
).format(key_path)
self._TestGetMessageStrings(event_object, expected_msg,
expected_msg_short)
def testProcessMock(self):
"""Tests the Process function on created key."""
knowledge_base_values = {'current_control_set': u'ControlSet001'}
key_path = u'\\ControlSet001\\Control\\TimeZoneInformation'
values = []
values.append(
winreg_test_lib.TestRegValue(
'ActiveTimeBias', '\xFF\xFF\xFF\xC4',
winreg_test_lib.TestRegValue.REG_DWORD_BIG_ENDIAN))
values.append(
winreg_test_lib.TestRegValue(
'Bias', '\xFF\xFF\xFF\xC4',
winreg_test_lib.TestRegValue.REG_DWORD_BIG_ENDIAN))
values.append(
winreg_test_lib.TestRegValue(
'DaylightBias', '\xFF\xFF\xFF\xC4',
winreg_test_lib.TestRegValue.REG_DWORD_BIG_ENDIAN))
values.append(
winreg_test_lib.TestRegValue('DaylightName',
'@tzres.dll,-321'.encode('utf_16_le'),
winreg_test_lib.TestRegValue.REG_SZ))
values.append(
winreg_test_lib.TestRegValue(
'DaylightStart', '\x00\x00\x03\x00\x05\x00\x02\x00'
'\x00\x00\x00\x00\x00\x00\x00\x00',
winreg_test_lib.TestRegValue.REG_BINARY))
values.append(
winreg_test_lib.TestRegValue(
'DynamicDaylightTimeDisabled', '\x00\x00\x00\x00',
winreg_test_lib.TestRegValue.REG_DWORD_BIG_ENDIAN))
values.append(
winreg_test_lib.TestRegValue(
'StandardBias', '\x00\x00\x00\x00',
winreg_test_lib.TestRegValue.REG_DWORD_BIG_ENDIAN))
values.append(
winreg_test_lib.TestRegValue('StandardName',
'@tzres.dll,-322'.encode('utf_16_le'),
winreg_test_lib.TestRegValue.REG_SZ))
values.append(
winreg_test_lib.TestRegValue(
'StandardStart', '\x00\x00\x0A\x00\x05\x00\x03\x00'
'\x00\x00\x00\x00\x00\x00\x00\x00',
winreg_test_lib.TestRegValue.REG_BINARY))
values.append(
winreg_test_lib.TestRegValue(
'TimeZoneKeyName',
'W. Europe Standard Time'.encode('utf_16_le'),
winreg_test_lib.TestRegValue.REG_SZ))
# expr `date -u -d "2013-01-30 10:47:57" +"%s%N"` \/ 1000
winreg_key = winreg_test_lib.TestRegKey(key_path, 1359542877000000,
values, 153)
event_queue_consumer = self._ParseKeyWithPlugin(
self._plugin,
winreg_key,
knowledge_base_values=knowledge_base_values)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
self.assertEqual(len(event_objects), 1)
expected_timestamp = timelib.Timestamp.CopyFromString(
'2013-01-30 10:47:57.000000')
self.assertEqual(event_objects[0].timestamp, expected_timestamp)
expected_msg = (
u'[{0:s}] '
u'ActiveTimeBias: -60 '
u'Bias: -60 '
u'DaylightBias: -60 '
u'DaylightName: @tzres.dll,-321 '
u'DynamicDaylightTimeDisabled: 0 '
u'StandardBias: 0 '
u'StandardName: @tzres.dll,-322 '
u'TimeZoneKeyName: W. Europe Standard Time').format(key_path)
expected_msg_short = (u'[{0:s}] '
u'ActiveTimeBias: -60 '
u'Bias: -60 '
u'Da...').format(key_path)
self._TestGetMessageStrings(event_objects[0], expected_msg,
expected_msg_short)
def testProcess(self):
"""Tests the Process function."""
key_path = (
u'\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\'
u'DesktopStreamMRU')
values = []
data = ''.join(
map(chr, [
0x14, 0x00, 0x1f, 0x00, 0xe0, 0x4f, 0xd0, 0x20, 0xea, 0x3a,
0x69, 0x10, 0xa2, 0xd8, 0x08, 0x00, 0x2b, 0x30, 0x30, 0x9d,
0x19, 0x00, 0x23, 0x43, 0x3a, 0x5c, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x11, 0xee, 0x15, 0x00, 0x31, 0x00, 0x00,
0x00, 0x00, 0x00, 0x2e, 0x3e, 0x7a, 0x60, 0x10, 0x80, 0x57,
0x69, 0x6e, 0x6e, 0x74, 0x00, 0x00, 0x18, 0x00, 0x31, 0x00,
0x00, 0x00, 0x00, 0x00, 0x2e, 0x3e, 0xe4, 0x62, 0x10, 0x00,
0x50, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x00, 0x00,
0x25, 0x00, 0x31, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2e, 0x3e,
0xe4, 0x62, 0x10, 0x00, 0x41, 0x64, 0x6d, 0x69, 0x6e, 0x69,
0x73, 0x74, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x00, 0x41, 0x44,
0x4d, 0x49, 0x4e, 0x49, 0x7e, 0x31, 0x00, 0x17, 0x00, 0x31,
0x00, 0x00, 0x00, 0x00, 0x00, 0x2e, 0x3e, 0xe4, 0x62, 0x10,
0x00, 0x44, 0x65, 0x73, 0x6b, 0x74, 0x6f, 0x70, 0x00, 0x00,
0x00, 0x00
]))
values.append(
winreg_test_lib.TestRegValue('MRUList',
'a'.encode('utf_16_le'),
winreg_test_lib.TestRegValue.REG_SZ,
offset=123))
values.append(
winreg_test_lib.TestRegValue(
'a', data, winreg_test_lib.TestRegValue.REG_BINARY,
offset=612))
timestamp = timelib.Timestamp.CopyFromString(
u'2012-08-28 09:23:49.002031')
winreg_key = winreg_test_lib.TestRegKey(key_path, timestamp, values,
1456)
event_queue_consumer = self._ParseKeyWithPlugin(
self._plugin, winreg_key)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
self.assertEqual(len(event_objects), 5)
# A MRUList event object.
event_object = event_objects[4]
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
self.assertEqual(event_object.parser, self._plugin.plugin_name)
expected_timestamp = timelib.Timestamp.CopyFromString(
u'2012-08-28 09:23:49.002031')
self.assertEqual(event_object.timestamp, expected_timestamp)
expected_msg = (
u'[{0:s}] '
u'Index: 1 [MRU Value a]: Shell item path: '
u'<My Computer> C:\\Winnt\\Profiles\\Administrator\\Desktop'
).format(key_path)
expected_msg_short = u'[{0:s}] Index:...'.format(key_path)
self._TestGetMessageStrings(event_object, expected_msg,
expected_msg_short)
# A shell item event object.
event_object = event_objects[0]
expected_timestamp = timelib.Timestamp.CopyFromString(
u'2011-01-14 12:03:52')
self.assertEqual(event_object.timestamp, expected_timestamp)
expected_msg = (u'Name: Winnt '
u'Shell item path: <My Computer> C:\\Winnt '
u'Origin: {0:s}').format(key_path)
expected_msg_short = (
u'Name: Winnt '
u'Origin: \\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\'
u'Deskt...')
self._TestGetMessageStrings(event_object, expected_msg,
expected_msg_short)
