def testExamineEventAndCompileReportOnSystemFile(self):
    """Tests the ExamineEvent and CompileReport functions on a SYSTEM file.

    Parses the test SYSTEM registry hive with the Windows Registry parser,
    runs the Windows Services analysis plugin over the resulting events and
    checks the event count plus a handful of stable fragments of the report.
    """
    # Leaving the non-Services Registry plugins enabled costs almost nothing,
    # so the parser is used as-is rather than trimmed down.
    registry_parser = winreg.WinRegistryParser()
    services_plugin = windows_services.WindowsServicesAnalysisPlugin()
    storage_writer = self._ParseAndAnalyzeFile(
        [u'SYSTEM'], registry_parser, services_plugin)

    self.assertEqual(len(storage_writer.events), 31436)
    self.assertEqual(len(storage_writer.analysis_reports), 1)

    report_text = storage_writer.analysis_reports[0].text

    # The full report text embeds the absolute path of the test files, so
    # only path-independent fragments (two service names, the Sources:
    # header and the two control set names) are asserted.
    expected_fragments = (
        u'1394ohci', u'WwanSvc', u'Sources:', u'ControlSet001',
        u'ControlSet002')
    for fragment in expected_fragments:
        self.assertIn(fragment, report_text)
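def testExamineEventAndCompileReport(self):
    """Tests the ExamineEvent and CompileReport functions.

    Builds one event object per dictionary in self._TEST_EVENTS, attaches a
    fake path specification pointing at a SYSTEM hive to each, runs the
    Windows Services analysis plugin over them and compares the generated
    report text and plugin name with the expected values.
    """
    events = []
    for event_dictionary in self._TEST_EVENTS:
        # Work on a shallow copy: the original code added the pathspec key to
        # the shared self._TEST_EVENTS dictionaries in place, which leaks the
        # fake path specification into every other test that reuses them.
        event_dictionary = dict(event_dictionary)
        event_dictionary[u'pathspec'] = fake_path_spec.FakePathSpec(
            location=u'C:\\WINDOWS\\system32\\SYSTEM')
        events.append(self._CreateTestEventObject(event_dictionary))

    plugin = windows_services.WindowsServicesAnalysisPlugin()
    storage_writer = self._AnalyzeEvents(events, plugin)

    self.assertEqual(len(storage_writer.analysis_reports), 1)

    analysis_report = storage_writer.analysis_reports[0]

    # The expected listing is the exact report text, including the two
    # source keys (ControlSet001 and ControlSet003) the service was seen in.
    expected_text = (
        u'Listing Windows Services\n'
        u'TestbDriver\n'
        u'\tImage Path = C:\\Dell\\testdriver.sys\n'
        u'\tService Type = File System Driver (0x2)\n'
        u'\tStart Type = Auto Start (2)\n'
        u'\tService Dll = \n'
        u'\tObject Name = \n'
        u'\tSources:\n'
        u'\t\tC:\\WINDOWS\\system32\\SYSTEM:'
        u'\\ControlSet001\\services\\TestbDriver\n'
        u'\t\tC:\\WINDOWS\\system32\\SYSTEM:'
        u'\\ControlSet003\\services\\TestbDriver\n\n')

    self.assertEqual(expected_text, analysis_report.text)
    self.assertEqual(analysis_report.plugin_name, 'windows_services')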
def testExamineEventAndCompileReport(self):
    """Tests the ExamineEvent and CompileReport functions.

    Runs the Windows Services analysis plugin over self._TEST_EVENTS and
    compares the single generated report's text and plugin name with the
    expected service listing.
    """
    services_plugin = windows_services.WindowsServicesAnalysisPlugin()
    storage_writer = self._AnalyzeEvents(self._TEST_EVENTS, services_plugin)

    reports_list = storage_writer.analysis_reports
    self.assertEqual(len(reports_list), 1)
    report = reports_list[0]

    # Exact listing expected for the single TestbDriver service, which is
    # recorded under two control sets (001 and 003) of the SYSTEM hive.
    expected_lines = [
        'Listing Windows Services\n',
        'TestbDriver\n',
        '\tImage Path = C:\\Dell\\testdriver.sys\n',
        '\tService Type = File System Driver (0x2)\n',
        '\tStart Type = Auto Start (2)\n',
        '\tService Dll = \n',
        '\tObject Name = \n',
        '\tSources:\n',
        '\t\tC:\\WINDOWS\\system32\\SYSTEM:',
        '\\ControlSet001\\services\\TestbDriver\n',
        '\t\tC:\\WINDOWS\\system32\\SYSTEM:',
        '\\ControlSet003\\services\\TestbDriver\n\n']
    expected_text = ''.join(expected_lines)

    self.assertEqual(expected_text, report.text)
    self.assertEqual(report.plugin_name, 'windows_services')
def testExamineEventAndCompileReport(self):
    """Tests the ExamineEvent and CompileReport functions.

    Runs the Windows Services analysis plugin over self._TEST_EVENTS, reads
    the single analysis report back from the storage writer as an attribute
    container and compares its text and plugin name with the expected
    service listing.
    """
    services_plugin = windows_services.WindowsServicesAnalysisPlugin()
    storage_writer = self._AnalyzeEvents(self._TEST_EVENTS, services_plugin)

    # Exactly one analysis_report container is expected in the storage.
    self.assertEqual(
        storage_writer.GetNumberOfAttributeContainers('analysis_report'), 1)

    report = storage_writer.GetAttributeContainerByIndex(
        reports.AnalysisReport.CONTAINER_TYPE, 0)
    self.assertIsNotNone(report)

    # Exact listing expected for the single TestbDriver service, which is
    # recorded under two control sets (001 and 003) of the SYSTEM hive.
    expected_lines = [
        'Listing Windows Services\n',
        'TestbDriver\n',
        '\tImage Path = C:\\Dell\\testdriver.sys\n',
        '\tService Type = File System Driver (0x2)\n',
        '\tStart Type = Auto Start (2)\n',
        '\tService Dll = \n',
        '\tObject Name = \n',
        '\tSources:\n',
        '\t\tC:\\WINDOWS\\system32\\SYSTEM:',
        '\\ControlSet001\\services\\TestbDriver\n',
        '\t\tC:\\WINDOWS\\system32\\SYSTEM:',
        '\\ControlSet003\\services\\TestbDriver\n\n']
    expected_text = ''.join(expected_lines)

    self.assertEqual(expected_text, report.text)
    self.assertEqual(report.plugin_name, 'windows_services')
def testExamineEventAndCompileReportOnSystemFileWithYAML(self):
    """Tests the ExamineEvent and CompileReport with YAML.

    Parses the test SYSTEM registry hive, runs the Windows Services analysis
    plugin with its output format set to YAML and checks that the single
    report contains the YAML tag plus a few stable fragments.
    """
    # Leaving the non-Services Registry plugins enabled costs almost nothing,
    # so the parser is used as-is rather than trimmed down.
    registry_parser = winreg_parser.WinRegistryParser()
    services_plugin = windows_services.WindowsServicesAnalysisPlugin()
    services_plugin.SetOutputFormat('yaml')
    storage_writer = self._ParseAndAnalyzeFile(
        ['SYSTEM'], registry_parser, services_plugin)

    # Exactly one analysis_report container is expected in the storage.
    self.assertEqual(
        storage_writer.GetNumberOfAttributeContainers('analysis_report'), 1)

    report = storage_writer.GetAttributeContainerByIndex(
        reports.AnalysisReport.CONTAINER_TYPE, 0)
    self.assertIsNotNone(report)
    report_text = report.text

    # The full report text embeds the absolute path of the test files, so
    # only path-independent fragments are asserted: the WindowsService YAML
    # tag, two service names and the two control set names.
    expected_fragments = (
        windows_services.WindowsService.yaml_tag,
        '1394ohci',
        'WwanSvc',
        'ControlSet001',
        'ControlSet002')
    for fragment in expected_fragments:
        self.assertIn(fragment, report_text)
def testParseOptions(self):
    """Tests the ParseOptions function.

    Checks that ParseOptions accepts a Windows Services analysis plugin
    instance and raises BadConfigObject when no plugin is supplied.
    """
    helper_class = arguments_helper.WindowsServicesAnalysisArgumentsHelper
    test_options = cli_test_lib.TestOptions()
    services_plugin = windows_services.WindowsServicesAnalysisPlugin()

    # A real plugin instance is the valid configuration target.
    helper_class.ParseOptions(test_options, services_plugin)

    # None is not a valid configuration target and must be rejected.
    with self.assertRaises(errors.BadConfigObject):
        helper_class.ParseOptions(test_options, None)