def _parse_value(value):
if value is None or value == '':
return None
if isinstance(value, six.string_types):
return long(value, 0)
else:
return long(value)
def _parse_value(value):
if value is None or value == '':
return None
if isinstance(value, six.string_types):
return long(value, 0)
else:
return long(value)
class TestWinCriticalSection(ObjectTestCase, unittest.TestCase):
object_type = "WindowsComputerAccountObjectType"
klass = WinComputerAccount
_full_dict = {
'security_id': u("An ID"),
'type': u("A type"),
'fully_qualified_name': {
'netbeui_name': u("A NetBEUI name"),
'full_name': u("A full name")
},
'kerberos': {
'ticket': long(9000),
'delegation': {
'bitmask': "dead1234",
'service': {
'computer': "Computer goes here",
'name': "name goes here",
'user': "******",
'port': {
'port_value': 80,
'layer4_protocol': 'TCP',
'xsi:type': "PortObjectType"
}
}
}
},
'xsi:type': object_type
}
class TestWinFile(ObjectTestCase, unittest.TestCase):
object_type = "WindowsFileObjectType"
klass = WinFile
_full_dict = {
# File fields (only a few are included)
'file_name': u("example.doc"),
'full_path': u("C:\\Temp\\example.doc"),
'file_extension': u("doc"),
'size_in_bytes': long(1024),
'magic_number': u("D0CF11E0"),
# WinFile-specific fields
'filename_accessed_time': "2012-05-12T07:14:02+07:00",
'filename_created_time': "2012-05-17T09:28:04+07:00",
'filename_modified_time': "2012-06-12T11:15:12+07:00",
'drive': u("C:"),
'security_id': u("S-1-5-21-3623958015-3361044348-30300820-1013"),
'security_type': u("SidTypeFile"),
'stream_list': [{
'name': u("StreamA")
}, TestStream._full_dict],
# WinFile-specific implementations of abstract types.
'file_attributes_list': [u("Hidden"),
u("System"),
u("Temporary")],
'permissions': TestWindowsFilePermissions._full_dict,
'xsi:type': object_type,
}
class TestMemory(ObjectTestCase, unittest.TestCase):
object_type = "MemoryObjectType"
klass = Memory
_full_dict = {
'custom_properties': [
{'name': "Prop1", 'description': "Property1", 'value': "Value1"},
{'name': "Prop2", 'description': "Property2", 'value': "Value2"},
],
'is_injected': True,
'is_mapped': False,
'is_protected': True,
'is_volatile': False,
'hashes': [
{'type': u("MD5"), 'simple_hash_value': EMPTY_MD5}
],
'name': u("A memory region"),
'region_size': long(65536),
'memory_source': u(".data"),
'block_type': u("Free"),
'region_start_address': u("00040000"),
'region_end_address': u("00048000"),
'extracted_features': {'functions': [u("StringA"), u("StringB")]},
'xsi:type': object_type,
}
class TestWinMemoryPageRegion(ObjectTestCase, unittest.TestCase):
object_type = "WindowsMemoryPageRegionObjectType"
klass = WinMemoryPageRegion
_full_dict = {
'is_injected': True,
'is_mapped': False,
'is_protected': True,
'is_volatile': False,
'name': u("A page region"),
'memory_source': u("A source"),
'region_size': long(10000),
'block_type': u("A block type"),
'region_start_address': u("1234abcde"),
'region_end_address': u("1234abdde"),
'allocation_base_address': u("1234abbbe"),
'type': u("A type"),
'allocation_protect': u("allocate protection"),
'state': u("A state"),
'protect': u("protection"),
'extracted_features': TestExtractedFeatures._full_dict,
'hashes': [{
'type': u("MD5"),
'simple_hash_value': EMPTY_MD5
}],
'xsi:type': object_type,
}
class TestArchiveFile(ObjectTestCase, unittest.TestCase):
object_type = "ArchiveFileObjectType"
klass = ArchiveFile
_full_dict = {
'archive_format': u("ZIP"),
'version': u("v2"),
'file_count': 10000,
'encryption_algorithm': u("some algorithm"),
'decryption_key': u("abc123key"),
'comment': u("This is a test"),
#'archived_file': [],
'is_packed': False,
'is_masqueraded': True,
'file_name': u("example.txt"),
'file_path': {'value': u("C:\\Temp"),
'fully_qualified': True},
'device_path': u("\\Device\\CdRom0"),
'full_path': u("C:\\Temp\\example.txt"),
'file_extension': u("txt"),
'size_in_bytes': long(1024),
'magic_number': u("D0CF11E0"),
'file_format': u("ASCII Text"),
'hashes': [
{
'type': Hash.TYPE_MD5,
'simple_hash_value': u("0123456789abcdef0123456789abcdef")
}
],
'digital_signatures': [
{
'certificate_issuer': u("Microsoft"),
'certificate_subject': u("Notepad"),
}
],
'modified_time': "2010-11-06T02:02:02+08:00",
'accessed_time': "2010-11-07T02:03:02+09:00",
'created_time': "2010-11-08T02:04:02+10:00",
'user_owner': u("sballmer"),
'packer_list': [
{
'name': u("UPX"),
'version': u("3.91"),
}
],
'peak_entropy': 7.454352453,
'sym_links': [u("../link_destination")],
'byte_runs': [{'offset': 16, 'byte_run_data': u("1A2B3C4D")}],
'extracted_features': {
'strings': [{'string_value': u("string from the file")}],
},
'compression_method': u("deflate"),
'compression_version': u("1.0"),
'compression_comment': u("This has been compressed"),
'xsi:type': object_type,
}
class TestWinSemaphore(ObjectTestCase, unittest.TestCase):
object_type = "WindowsSemaphoreObjectType"
klass = WinSemaphore
_full_dict = {
'handle': {
'id': 1234,
'name': u("MyHandle"),
'type': u("Window"),
'object_address': long(0xdeadbeef),
'access_mask': long(0x70000000),
'pointer_count': long(3),
'xsi:type': "WindowsHandleObjectType",
},
'security_attributes': u("Attributes go here"),
'named': False,
'current_count': 100,
'maximum_count': 250,
'name': u("A Test"),
'xsi:type': object_type
}
class TestNetworkRouteEntry(ObjectTestCase, unittest.TestCase):
object_type = "NetworkRouteEntryObjectType"
klass = NetworkRouteEntry
_full_dict = {
'is_ipv6': False,
'is_autoconfigure_address': True,
'is_immortal': False,
'is_loopback': False,
'is_publish': True,
'destination_address': {
'address_value': u("1.2.3.4"),
'category': Address.CAT_IPV4,
'xsi:type': 'AddressObjectType'
},
'origin': {
'address_value': u("1.2.3.4"),
'category': Address.CAT_IPV4,
'xsi:type': 'AddressObjectType'
},
'netmask': {
'address_value': u("1.2.3.4"),
'category': Address.CAT_IPV4,
'xsi:type': 'AddressObjectType'
},
'gateway_address': {
'address_value': u("1.2.3.4"),
'category': Address.CAT_IPV4,
'xsi:type': 'AddressObjectType'
},
'metric': long(1234),
'type': u("A type"),
'protocol': u("A protocol"),
'interface': u("An interface"),
'preferred_lifetime': u("P7D"),
'valid_lifetime': u("P2D"),
'route_age': u("P3D"),
'xsi:type': object_type,
}
class TestWinFilemapping(ObjectTestCase, unittest.TestCase):
object_type = "WindowsFilemappingObjectType"
klass = WinFilemapping
_full_dict = {
'handle': {
'id': 1234,
'name': u("MyHandle"),
'type': u("Window"),
'object_address': long(0xdeadbeef),
'access_mask': long(0x70000000),
'pointer_count': long(3),
'xsi:type': "WindowsHandleObjectType",
},
'file_handle': {
'id': 5678,
'name': u("MyHandle2"),
'type': u("Window"),
'object_address': long(0xbeadbeef),
'access_mask': long(0x90009000),
'pointer_count': long(9),
'xsi:type': "WindowsHandleObjectType",
},
'security_attributes':
u("Attributes go here"),
'name':
"A mapping name",
'maximum_size':
1000,
'actual_size':
250,
'page_protection_value':
"a protection value",
'page_protection_attribute':
["a protection attribute", "another attribute"],
'xsi:type':
object_type
}
class TestWinTask(ObjectTestCase, unittest.TestCase):
object_type = "WindowsTaskObjectType"
klass = WinTask
_full_dict = {
'status':
u("SCHED_S_TASK_RUNNING"),
'priority':
u("NORMAL_PRIORITY_CLASS"),
'name':
u("Find all the malware"),
'application_name':
u("Windows Defender"),
'parameters':
u("C:\\\\"),
'flags':
u("/DEEP"),
'account_name':
u("SYSTEM"),
'account_run_level':
u("ARunLevel"),
'account_logon_type':
u("S4U"),
'creator':
u("TheCreator"),
'creation_date':
"2012-04-26T15:30:45-05:00",
'most_recent_run_time':
"2013-06-26T10:20:30-05:00",
'exit_code':
long(0),
'max_run_time':
long(15000),
'next_run_time':
"2013-06-27T10:20:30-05:00",
'action_list': [
{
'action_type': u("TASK_ACTION_SEND_EMAIL"),
'action_id': u("Action #1"),
'iemailaction': {
'raw_body': u("Task Completed!"),
'xsi:type': "EmailMessageObjectType",
},
},
{
'action_type': u("TASK_ACTION_COM_HANDLER"),
'action_id': u("Action #2"),
'icomhandleraction': {
'com_data': u("COMDATA"),
'com_class_id': u("CLASSID")
},
},
{
'action_type': u("TASK_ACTION_EXEC"),
'action_id': u("Action #3"),
'iexecaction': {
'exec_arguments': u("ARGS"),
'exec_program_path': u("C:\\\\temp\\\\cmd.exe"),
'exec_working_directory': u("C:\\\\temp\\\\"),
'exec_program_hashes': TEST_HASH_LIST,
},
},
{
'action_type': u("TASK_ACTION_SHOW_MESSAGE"),
'action_id': u("Action #4"),
'ishowmessageaction': {
'show_message_body': u("Task completed."),
'show_message_title': u("Task Complete"),
},
},
],
'trigger_list': [
{
'trigger_begin': "2013-05-05T01:02:03-04:00",
'trigger_delay': u("PT5M"),
'trigger_end': "2013-05-05T01:02:10-04:00",
'trigger_frequency': u("TASK_TIME_TRIGGER_DAILY"),
'trigger_max_run_time': u("PT1M"),
'trigger_session_change_type': u("TASK_REMOTE_CONNECT"),
#TODO: Add trigger_type
},
{
'trigger_max_run_time': u("PT10M"),
},
],
'comment':
u("This is a useless task."),
'working_directory':
u("C:\\\\WINDOWS\\\\system32\\\\"),
'work_item_data':
u("AAAAn34lq21b4m2nbvoi345"),
'xsi:type':
object_type,
}
class TestWinDriver(ObjectTestCase, unittest.TestCase):
object_type = "WindowsDriverObjectType"
klass = WinDriver
_full_dict = {
'driver_init': 123,
'driver_name': "A driver name",
'driver_object_address': "abcde12345",
'driver_start_io': "abcce4321",
'driver_unload': "ab3234dec",
'image_base': "12345abc",
'image_size': "12ff",
'irp_mj_cleanup': long(1),
'irp_mj_close': long(2),
'irp_mj_create': long(3),
'irp_mj_create_mailslot': long(4),
'irp_mj_create_named_pipe': long(5),
'irp_mj_device_change': long(6),
'irp_mj_device_control': long(7),
'irp_mj_directory_control': long(8),
'irp_mj_file_system_control': long(9),
'irp_mj_flush_buffers': long(11),
'irp_mj_internal_device_control': long(12),
'irp_mj_lock_control': long(13),
'irp_mj_pnp': long(14),
'irp_mj_power': long(15),
'irp_mj_query_ea': long(16),
'irp_mj_query_information': long(17),
'irp_mj_query_quota': long(22),
'irp_mj_query_security': long(23),
'irp_mj_query_volume_information': long(24),
'irp_mj_read': long(25),
'irp_mj_set_ea': long(26),
'irp_mj_set_information': long(27),
'irp_mj_set_quota': long(33),
'irp_mj_set_security': long(34),
'irp_mj_set_volume_information': long(35),
'irp_mj_shutdown': long(36),
'irp_mj_system_control': long(37),
'irp_mj_write': long(38),
#TODO: add 'device_object_list'
'xsi:type': object_type,
}
class TestFile(ObjectTestCase, unittest.TestCase):
object_type = "FileObjectType"
klass = File
_full_dict = {
'is_packed':
False,
'is_masqueraded':
True,
'file_name':
u("example.txt"),
'file_path': {
'value': u("C:\\Temp"),
'fully_qualified': True
},
'device_path':
u("\\Device\\CdRom0"),
'full_path':
u("C:\\Temp\\example.txt"),
'file_extension':
u("txt"),
'size_in_bytes': {
'apply_condition': 'ANY',
'condition': 'InclusiveBetween',
'value': [long(1023), long(1024)]
},
'magic_number':
u("D0CF11E0"),
'file_format':
u("ASCII Text"),
'hashes': [{
'type': Hash.TYPE_MD5,
'simple_hash_value': u("0123456789abcdef0123456789abcdef")
}],
'digital_signatures': [{
'certificate_issuer': u("Microsoft"),
'certificate_subject': u("Notepad"),
}],
'modified_time':
"2010-11-06T02:02:02+08:00",
'accessed_time':
"2010-11-07T02:03:02+09:00",
'created_time':
"2010-11-08T02:04:02+10:00",
'user_owner':
u("sballmer"),
'packer_list': [{
'name': u("UPX"),
'version': u("3.91"),
}],
'peak_entropy':
7.454352453,
'sym_links': [u("../link_destination")],
'byte_runs': [{
'offset': 16,
'byte_run_data': u("1A2B3C4D")
}],
'extracted_features': {
'strings': [{
'string_value': u("string from the file")
}],
},
'encryption_algorithm':
u("RC4"),
'compression_method':
u("deflate"),
'compression_version':
u("1.0"),
'compression_comment':
u("This has been compressed"),
'xsi:type':
object_type,
}
def test_filepath_is_none(self):
# This would throw an exception at one point. Should be fixed now.
a = File.from_dict({'file_name': 'abcd.dll'})
def test_get_hashes(self):
f = File()
f.add_hash(Hash(EMPTY_MD5))
f.add_hash(Hash(EMPTY_SHA1))
f.add_hash(Hash(EMPTY_SHA224))
f.add_hash(Hash(EMPTY_SHA256))
f.add_hash(Hash(EMPTY_SHA384))
f.add_hash(Hash(EMPTY_SHA512))
self.assertEqual(EMPTY_MD5, f.md5)
self.assertEqual(EMPTY_SHA1, f.sha1)
self.assertEqual(EMPTY_SHA224, f.sha224)
self.assertEqual(EMPTY_SHA256, f.sha256)
self.assertEqual(EMPTY_SHA384, f.sha384)
self.assertEqual(EMPTY_SHA512, f.sha512)
def test_set_hashes(self):
f = File()
f.md5 = EMPTY_MD5
f.sha1 = EMPTY_SHA1
f.sha224 = EMPTY_SHA224
f.sha256 = EMPTY_SHA256
f.sha384 = EMPTY_SHA384
f.sha512 = EMPTY_SHA512
self.assertEqual(EMPTY_MD5, f.md5)
self.assertEqual(EMPTY_SHA1, f.sha1)
self.assertEqual(EMPTY_SHA224, f.sha224)
self.assertEqual(EMPTY_SHA256, f.sha256)
self.assertEqual(EMPTY_SHA384, f.sha384)
self.assertEqual(EMPTY_SHA512, f.sha512)
def test_add_hash_string(self):
s = "ffffffffffffffffffff"
f = File()
f.add_hash(s)
h = f.hashes[0]
self.assertEqual(s, str(h.simple_hash_value))
self.assertEqual(Hash.TYPE_OTHER, h.type_)
def test_fields(self):
f = File()
f.file_name = "blah.exe"
self.assertEqual(String, type(f.file_name))
f.file_path = "C:\\Temp"
self.assertEqual(FilePath, type(f.file_path))
def test_fields_not_shared(self):
# In a previous version of TypedFields, all objects of the same type
# shared a single value of each field. Obviously this was a mistake.
f = File()
f.file_name = "README.txt"
self.assertEqual("README.txt", f.file_name)
f2 = File()
self.assertEqual(None, f2.file_name)
def test_file_name_delimiter(self):
f = File()
f.file_name = ["foo", "bar"]
f.file_name.delimiter = "^^"
self.assertTrue(b"foo^^bar" in f.to_xml())
class TestWinRegistryKey(ObjectTestCase, unittest.TestCase):
object_type = "WindowsRegistryKeyObjectType"
klass = WinRegistryKey
_full_dict = {
'key':
u("\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting"),
'hive':
u("HKEY_LOCAL_MACHINE"),
'number_values':
6,
'values': [
{
'name': u("Disabled"),
'data': u("1"),
'datatype': u("REG_DWORD"),
'byte_runs': [{
'length': 1,
'byte_run_data': u("A")
}],
},
{
'name': u("ErrorPort"),
'data': u("\\WindowsErrorReportingServicePort"),
'datatype': u("REG_SZ"),
},
],
'modified_time':
u("2013-08-08T15:15:15-04:00"),
'creator_username':
u("gback"),
'handle_list': [
{
'name': u("RegHandle"),
'pointer_count': long(1),
'type': u("RegistryKey"),
'xsi:type': u('WindowsHandleObjectType'),
},
],
'number_subkeys':
1,
'subkeys': [
{
'key':
u("Consent"),
'number_values':
1,
'values': [
{
'name': u("NewUserDefaultConsent"),
'data': u("1"),
'datatype': u("REG_DWORD"),
},
],
'xsi:type':
'WindowsRegistryKeyObjectType',
},
],
'byte_runs': [
{
'length': 4,
'byte_run_data': u("z!%f")
},
{
'offset': 0x1000,
'length': 8,
'byte_run_data': u("%40V.,2@")
},
],
'xsi:type':
object_type,
}
