def fsio(kevent):
handles = [HandleInfo(3080, 18446738026482168384, HandleType.DIRECTORY,
"\\Device\\HarddiskVolume2\\Users\\Nedo\\AppData\\Local\\VirtualStore", 640),
HandleInfo(2010, 18446738023471035392, HandleType.FILE,
"\\Device\\HarddiskVolume2\\Windows\\system32\\rpcss.dll", 640)]
fsio = FsIO(kevent, handles)
fsio.file_pool[18446738026474426144] = '\\Device\\HarddiskVolume2\\fibratus.log'
return fsio
def handle_repo_mock():
handle_repo = Mock(spec_set=HandleRepository)
handle_repo.query_handles.return_value = [
HandleInfo(20, 18446738026501927904, 'FILE',
'C:\\Windows\\System32\\kernel32.dll', 0x2d8)
]
return handle_repo
def thread_registry_mock():
thread_registry = Mock(spec_set=ThreadRegistry)
thread_info = ThreadInfo(896, 2916, 22, 'explorer.exe',
'C:\\Windows\\EXPLORER.exe', None)
thread_info.handles.append(
HandleInfo(
836, 18446735964859105184, HandleType.KEY,
"\\REGISTRY\\USER\\S-1-5-21-2945379629-2233710143-2353048178-1000_CLASSES\\Local Settings"
"\\Software\Microsoft\\Windows\\Shell\\Bags\\59\\Shell\\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}",
896))
thread_registry.get_thread.return_value = thread_info
return thread_registry