def testParseFileObjectOnExecutable(self):
"""Tests the ParseFileObject on a PE executable (EXE) file."""
parser = pe.PEParser()
storage_writer = self._ParseFile(['test_pe.exe'], parser)
self.assertEqual(storage_writer.number_of_warnings, 0)
self.assertEqual(storage_writer.number_of_events, 3)
events = list(storage_writer.GetEvents())
expected_event_values = {
'data_type': 'pe:compilation:compilation_time',
'pe_type': 'Executable (EXE)',
'timestamp': '2015-04-21 14:53:56.000000'
}
self.CheckEventValues(storage_writer, events[0], expected_event_values)
expected_event_values = {
'data_type': 'pe:import:import_time',
'timestamp': '2015-04-21 14:53:55.000000'
}
self.CheckEventValues(storage_writer, events[1], expected_event_values)
expected_event_values = {
'data_type': 'pe:delay_import:import_time',
'dll_name': 'USER32.dll',
'imphash': '8d0739063fc8f9955cc6696b462544ab',
'pe_type': 'Executable (EXE)',
'timestamp': '2015-04-21 14:53:54.000000'
}
self.CheckEventValues(storage_writer, events[2], expected_event_values)
def testParseFileObjectOnExecutable(self):
"""Tests the ParseFileObject on a PE executable (EXE) file."""
parser = pe.PEParser()
storage_writer = self._ParseFile(['test_pe.exe'], parser)
self.assertEqual(storage_writer.number_of_events, 3)
events = list(storage_writer.GetEvents())
event = events[0]
self.CheckTimestamp(event.timestamp, '2015-04-21 14:53:56.000000')
self.assertEqual(event.data_type, 'pe:compilation:compilation_time')
self.assertEqual(event.pe_type, 'Executable (EXE)')
event = events[1]
self.CheckTimestamp(event.timestamp, '2015-04-21 14:53:55.000000')
self.assertEqual(event.data_type, 'pe:import:import_time')
event = events[2]
self.CheckTimestamp(event.timestamp, '2015-04-21 14:53:54.000000')
self.assertEqual(event.data_type, 'pe:delay_import:import_time')
def testParseFileObjectOnDriver(self):
"""Tests the ParseFileObject on a PE driver (SYS) file."""
parser = pe.PEParser()
storage_writer = self._ParseFile(['test_driver.sys'], parser)
number_of_events = storage_writer.GetNumberOfAttributeContainers(
'event')
self.assertEqual(number_of_events, 1)
number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
'extraction_warning')
self.assertEqual(number_of_warnings, 0)
number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
'recovery_warning')
self.assertEqual(number_of_warnings, 0)
events = list(storage_writer.GetSortedEvents())
expected_event_values = {
'data_type': 'pe',
'date_time': '2015-04-21 14:53:54',
'pe_attribute': None,
'pe_type': 'Driver (SYS)',
'timestamp_desc': definitions.TIME_DESCRIPTION_CREATION
}
self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testParseFileObjectEXE(self):
"""Tests the ParseFileObject method against an EXE PE file."""
test_path = self._GetTestFilePath([u'test_pe.exe'])
parser = pe.PEParser()
event_queue_consumer = self._ParseFile(parser, test_path)
events = self._GetEventObjectsFromQueue(event_queue_consumer)
self.assertEqual(len(events), 3)
first_event = events[0]
expected_timestamp = timelib.Timestamp.CopyFromString(
u'2015-04-21 14:53:56')
self.assertEqual(first_event.pe_type, u'Executable (EXE)')
self.assertEqual(first_event.timestamp, expected_timestamp)
self.assertEqual(first_event.data_type,
u'pe:compilation:compilation_time')
second_event = events[1]
expected_timestamp2 = timelib.Timestamp.CopyFromString(
u'2015-04-21 14:53:55')
self.assertEqual(second_event.timestamp, expected_timestamp2)
self.assertEqual(second_event.data_type, u'pe:import:import_time')
third_event = events[2]
expected_timestamp3 = timelib.Timestamp.CopyFromString(
u'2015-04-21 14:53:54')
self.assertEqual(third_event.timestamp, expected_timestamp3)
self.assertEqual(third_event.data_type, u'pe:delay_import:import_time')
def testParseFileObjectOnExecutable(self):
"""Tests the ParseFileObject on a PE executable (EXE) file."""
parser = pe.PEParser()
storage_writer = self._ParseFile(['test_pe.exe'], parser)
self.assertEqual(storage_writer.number_of_events, 3)
events = list(storage_writer.GetEvents())
event = events[0]
expected_timestamp = timelib.Timestamp.CopyFromString(
'2015-04-21 14:53:56')
self.assertEqual(event.pe_type, 'Executable (EXE)')
self.assertEqual(event.timestamp, expected_timestamp)
self.assertEqual(event.data_type, 'pe:compilation:compilation_time')
event = events[1]
expected_timestamp = timelib.Timestamp.CopyFromString(
'2015-04-21 14:53:55')
self.assertEqual(event.timestamp, expected_timestamp)
self.assertEqual(event.data_type, 'pe:import:import_time')
event = events[2]
expected_timestamp = timelib.Timestamp.CopyFromString(
'2015-04-21 14:53:54')
self.assertEqual(event.timestamp, expected_timestamp)
self.assertEqual(event.data_type, 'pe:delay_import:import_time')
def testDriver(self):
"""Tests the ParseFileObject method against a driver (SYS) PE file."""
test_path = self._GetTestFilePath([u'test_driver.sys'])
parser = pe.PEParser()
event_queue_consumer = self._ParseFile(parser, test_path)
events = self._GetEventObjectsFromQueue(event_queue_consumer)
self.assertEqual(len(events), 1)
first_event = events[0]
expected_timestamp = timelib.Timestamp.CopyFromString(
u'2015-04-21 14:53:54')
self.assertEqual(first_event.pe_type, u'Driver (SYS)')
self.assertEqual(first_event.timestamp, expected_timestamp)
def testParseFileObjectOnExecutable(self):
"""Tests the ParseFileObject on a PE executable (EXE) file."""
parser = pe.PEParser()
storage_writer = self._ParseFile(['test_pe.exe'], parser)
number_of_events = storage_writer.GetNumberOfAttributeContainers(
'event')
self.assertEqual(number_of_events, 3)
number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
'extraction_warning')
self.assertEqual(number_of_warnings, 0)
number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
'recovery_warning')
self.assertEqual(number_of_warnings, 0)
events = list(storage_writer.GetSortedEvents())
expected_event_values = {
'data_type': 'pe',
'date_time': '2015-04-21 14:53:56',
'pe_attribute': None,
'pe_type': 'Executable (EXE)',
'timestamp_desc': definitions.TIME_DESCRIPTION_CREATION
}
self.CheckEventValues(storage_writer, events[2], expected_event_values)
expected_event_values = {
'data_type': 'pe',
'date_time': '2015-04-21 14:53:55',
'pe_attribute': 'DIRECTORY_ENTRY_IMPORT',
'pe_type': 'Executable (EXE)',
'timestamp_desc': definitions.TIME_DESCRIPTION_MODIFICATION
}
self.CheckEventValues(storage_writer, events[1], expected_event_values)
expected_event_values = {
'data_type': 'pe',
'date_time': '2015-04-21 14:53:54',
'dll_name': 'USER32.dll',
'imphash': '8d0739063fc8f9955cc6696b462544ab',
'pe_attribute': 'DIRECTORY_ENTRY_DELAY_IMPORT',
'pe_type': 'Executable (EXE)',
'timestamp_desc': definitions.TIME_DESCRIPTION_MODIFICATION
}
self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testParseFileObjectOnDriver(self):
"""Tests the ParseFileObject on a PE driver (SYS) file."""
parser = pe.PEParser()
storage_writer = self._ParseFile(['test_driver.sys'], parser)
self.assertEqual(storage_writer.number_of_events, 1)
events = list(storage_writer.GetEvents())
event = events[0]
self.CheckTimestamp(event.timestamp, '2015-04-21 14:53:54.000000')
self.assertEqual(event.pe_type, 'Driver (SYS)')
def testParseFileObjectOnDriver(self):
"""Tests the ParseFileObject on a PE driver (SYS) file."""
parser = pe.PEParser()
storage_writer = self._ParseFile(['test_driver.sys'], parser)
self.assertEqual(storage_writer.number_of_events, 1)
events = list(storage_writer.GetEvents())
event = events[0]
expected_timestamp = timelib.Timestamp.CopyFromString(
'2015-04-21 14:53:54')
self.assertEqual(event.pe_type, 'Driver (SYS)')
self.assertEqual(event.timestamp, expected_timestamp)
def testParseFileObjectOnDriver(self):
"""Tests the ParseFileObject on a PE driver (SYS) file."""
parser = pe.PEParser()
storage_writer = self._ParseFile(['test_driver.sys'], parser)
self.assertEqual(storage_writer.number_of_warnings, 0)
self.assertEqual(storage_writer.number_of_events, 1)
events = list(storage_writer.GetEvents())
expected_event_values = {
'pe_type': 'Driver (SYS)',
'timestamp': '2015-04-21 14:53:54.000000'
}
self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testParseFileObjectOnDriver(self):
"""Tests the ParseFileObject on a PE driver (SYS) file."""
parser = pe.PEParser()
storage_writer = self._ParseFile(['test_driver.sys'], parser)
self.assertEqual(storage_writer.number_of_events, 1)
self.assertEqual(storage_writer.number_of_extraction_warnings, 0)
self.assertEqual(storage_writer.number_of_recovery_warnings, 0)
events = list(storage_writer.GetSortedEvents())
expected_event_values = {
'data_type': 'pe:compilation:compilation_time',
'date_time': '2015-04-21 14:53:54',
'pe_type': 'Driver (SYS)'
}
self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testParseFileObjectOnExecutable(self):
"""Tests the ParseFileObject on a PE executable (EXE) file."""
parser = pe.PEParser()
storage_writer = self._ParseFile(['test_pe.exe'], parser)
self.assertEqual(storage_writer.number_of_warnings, 0)
self.assertEqual(storage_writer.number_of_events, 3)
events = list(storage_writer.GetEvents())
event = events[0]
self.CheckTimestamp(event.timestamp, '2015-04-21 14:53:56.000000')
event_data = self._GetEventDataOfEvent(storage_writer, event)
self.assertEqual(event_data.data_type, 'pe:compilation:compilation_time')
self.assertEqual(event_data.pe_type, 'Executable (EXE)')
event = events[1]
self.CheckTimestamp(event.timestamp, '2015-04-21 14:53:55.000000')
event_data = self._GetEventDataOfEvent(storage_writer, event)
self.assertEqual(event_data.data_type, 'pe:import:import_time')
event = events[2]
self.CheckTimestamp(event.timestamp, '2015-04-21 14:53:54.000000')
event_data = self._GetEventDataOfEvent(storage_writer, event)
self.assertEqual(event_data.data_type, 'pe:delay_import:import_time')
expected_message = (
'DLL name: USER32.dll '
'PE Type: Executable (EXE) '
'Import hash: 8d0739063fc8f9955cc6696b462544ab')
expected_short_message = 'USER32.dll'
self._TestGetMessageStrings(
event_data, expected_message, expected_short_message)
