def _parse_value(value): if value is None or value == '': return None if isinstance(value, six.string_types): return long(value, 0) else: return long(value)
def _parse_value(value): if value is None or value == '': return None if isinstance(value, six.string_types): return long(value, 0) else: return long(value)
class TestWinCriticalSection(ObjectTestCase, unittest.TestCase): object_type = "WindowsComputerAccountObjectType" klass = WinComputerAccount _full_dict = { 'security_id': u("An ID"), 'type': u("A type"), 'fully_qualified_name': { 'netbeui_name': u("A NetBEUI name"), 'full_name': u("A full name") }, 'kerberos': { 'ticket': long(9000), 'delegation': { 'bitmask': "dead1234", 'service': { 'computer': "Computer goes here", 'name': "name goes here", 'user': "******", 'port': { 'port_value': 80, 'layer4_protocol': 'TCP', 'xsi:type': "PortObjectType" } } } }, 'xsi:type': object_type }
class TestWinFile(ObjectTestCase, unittest.TestCase): object_type = "WindowsFileObjectType" klass = WinFile _full_dict = { # File fields (only a few are included) 'file_name': u("example.doc"), 'full_path': u("C:\\Temp\\example.doc"), 'file_extension': u("doc"), 'size_in_bytes': long(1024), 'magic_number': u("D0CF11E0"), # WinFile-specific fields 'filename_accessed_time': "2012-05-12T07:14:02+07:00", 'filename_created_time': "2012-05-17T09:28:04+07:00", 'filename_modified_time': "2012-06-12T11:15:12+07:00", 'drive': u("C:"), 'security_id': u("S-1-5-21-3623958015-3361044348-30300820-1013"), 'security_type': u("SidTypeFile"), 'stream_list': [{ 'name': u("StreamA") }, TestStream._full_dict], # WinFile-specific implementations of abstract types. 'file_attributes_list': [u("Hidden"), u("System"), u("Temporary")], 'permissions': TestWindowsFilePermissions._full_dict, 'xsi:type': object_type, }
class TestMemory(ObjectTestCase, unittest.TestCase): object_type = "MemoryObjectType" klass = Memory _full_dict = { 'custom_properties': [ {'name': "Prop1", 'description': "Property1", 'value': "Value1"}, {'name': "Prop2", 'description': "Property2", 'value': "Value2"}, ], 'is_injected': True, 'is_mapped': False, 'is_protected': True, 'is_volatile': False, 'hashes': [ {'type': u("MD5"), 'simple_hash_value': EMPTY_MD5} ], 'name': u("A memory region"), 'region_size': long(65536), 'memory_source': u(".data"), 'block_type': u("Free"), 'region_start_address': u("00040000"), 'region_end_address': u("00048000"), 'extracted_features': {'functions': [u("StringA"), u("StringB")]}, 'xsi:type': object_type, }
class TestWinMemoryPageRegion(ObjectTestCase, unittest.TestCase): object_type = "WindowsMemoryPageRegionObjectType" klass = WinMemoryPageRegion _full_dict = { 'is_injected': True, 'is_mapped': False, 'is_protected': True, 'is_volatile': False, 'name': u("A page region"), 'memory_source': u("A source"), 'region_size': long(10000), 'block_type': u("A block type"), 'region_start_address': u("1234abcde"), 'region_end_address': u("1234abdde"), 'allocation_base_address': u("1234abbbe"), 'type': u("A type"), 'allocation_protect': u("allocate protection"), 'state': u("A state"), 'protect': u("protection"), 'extracted_features': TestExtractedFeatures._full_dict, 'hashes': [{ 'type': u("MD5"), 'simple_hash_value': EMPTY_MD5 }], 'xsi:type': object_type, }
class TestArchiveFile(ObjectTestCase, unittest.TestCase): object_type = "ArchiveFileObjectType" klass = ArchiveFile _full_dict = { 'archive_format': u("ZIP"), 'version': u("v2"), 'file_count': 10000, 'encryption_algorithm': u("some algorithm"), 'decryption_key': u("abc123key"), 'comment': u("This is a test"), #'archived_file': [], 'is_packed': False, 'is_masqueraded': True, 'file_name': u("example.txt"), 'file_path': {'value': u("C:\\Temp"), 'fully_qualified': True}, 'device_path': u("\\Device\\CdRom0"), 'full_path': u("C:\\Temp\\example.txt"), 'file_extension': u("txt"), 'size_in_bytes': long(1024), 'magic_number': u("D0CF11E0"), 'file_format': u("ASCII Text"), 'hashes': [ { 'type': Hash.TYPE_MD5, 'simple_hash_value': u("0123456789abcdef0123456789abcdef") } ], 'digital_signatures': [ { 'certificate_issuer': u("Microsoft"), 'certificate_subject': u("Notepad"), } ], 'modified_time': "2010-11-06T02:02:02+08:00", 'accessed_time': "2010-11-07T02:03:02+09:00", 'created_time': "2010-11-08T02:04:02+10:00", 'user_owner': u("sballmer"), 'packer_list': [ { 'name': u("UPX"), 'version': u("3.91"), } ], 'peak_entropy': 7.454352453, 'sym_links': [u("../link_destination")], 'byte_runs': [{'offset': 16, 'byte_run_data': u("1A2B3C4D")}], 'extracted_features': { 'strings': [{'string_value': u("string from the file")}], }, 'compression_method': u("deflate"), 'compression_version': u("1.0"), 'compression_comment': u("This has been compressed"), 'xsi:type': object_type, }
class TestWinSemaphore(ObjectTestCase, unittest.TestCase): object_type = "WindowsSemaphoreObjectType" klass = WinSemaphore _full_dict = { 'handle': { 'id': 1234, 'name': u("MyHandle"), 'type': u("Window"), 'object_address': long(0xdeadbeef), 'access_mask': long(0x70000000), 'pointer_count': long(3), 'xsi:type': "WindowsHandleObjectType", }, 'security_attributes': u("Attributes go here"), 'named': False, 'current_count': 100, 'maximum_count': 250, 'name': u("A Test"), 'xsi:type': object_type }
class TestNetworkRouteEntry(ObjectTestCase, unittest.TestCase): object_type = "NetworkRouteEntryObjectType" klass = NetworkRouteEntry _full_dict = { 'is_ipv6': False, 'is_autoconfigure_address': True, 'is_immortal': False, 'is_loopback': False, 'is_publish': True, 'destination_address': { 'address_value': u("1.2.3.4"), 'category': Address.CAT_IPV4, 'xsi:type': 'AddressObjectType' }, 'origin': { 'address_value': u("1.2.3.4"), 'category': Address.CAT_IPV4, 'xsi:type': 'AddressObjectType' }, 'netmask': { 'address_value': u("1.2.3.4"), 'category': Address.CAT_IPV4, 'xsi:type': 'AddressObjectType' }, 'gateway_address': { 'address_value': u("1.2.3.4"), 'category': Address.CAT_IPV4, 'xsi:type': 'AddressObjectType' }, 'metric': long(1234), 'type': u("A type"), 'protocol': u("A protocol"), 'interface': u("An interface"), 'preferred_lifetime': u("P7D"), 'valid_lifetime': u("P2D"), 'route_age': u("P3D"), 'xsi:type': object_type, }
class TestWinFilemapping(ObjectTestCase, unittest.TestCase): object_type = "WindowsFilemappingObjectType" klass = WinFilemapping _full_dict = { 'handle': { 'id': 1234, 'name': u("MyHandle"), 'type': u("Window"), 'object_address': long(0xdeadbeef), 'access_mask': long(0x70000000), 'pointer_count': long(3), 'xsi:type': "WindowsHandleObjectType", }, 'file_handle': { 'id': 5678, 'name': u("MyHandle2"), 'type': u("Window"), 'object_address': long(0xbeadbeef), 'access_mask': long(0x90009000), 'pointer_count': long(9), 'xsi:type': "WindowsHandleObjectType", }, 'security_attributes': u("Attributes go here"), 'name': "A mapping name", 'maximum_size': 1000, 'actual_size': 250, 'page_protection_value': "a protection value", 'page_protection_attribute': ["a protection attribute", "another attribute"], 'xsi:type': object_type }
class TestWinTask(ObjectTestCase, unittest.TestCase): object_type = "WindowsTaskObjectType" klass = WinTask _full_dict = { 'status': u("SCHED_S_TASK_RUNNING"), 'priority': u("NORMAL_PRIORITY_CLASS"), 'name': u("Find all the malware"), 'application_name': u("Windows Defender"), 'parameters': u("C:\\\\"), 'flags': u("/DEEP"), 'account_name': u("SYSTEM"), 'account_run_level': u("ARunLevel"), 'account_logon_type': u("S4U"), 'creator': u("TheCreator"), 'creation_date': "2012-04-26T15:30:45-05:00", 'most_recent_run_time': "2013-06-26T10:20:30-05:00", 'exit_code': long(0), 'max_run_time': long(15000), 'next_run_time': "2013-06-27T10:20:30-05:00", 'action_list': [ { 'action_type': u("TASK_ACTION_SEND_EMAIL"), 'action_id': u("Action #1"), 'iemailaction': { 'raw_body': u("Task Completed!"), 'xsi:type': "EmailMessageObjectType", }, }, { 'action_type': u("TASK_ACTION_COM_HANDLER"), 'action_id': u("Action #2"), 'icomhandleraction': { 'com_data': u("COMDATA"), 'com_class_id': u("CLASSID") }, }, { 'action_type': u("TASK_ACTION_EXEC"), 'action_id': u("Action #3"), 'iexecaction': { 'exec_arguments': u("ARGS"), 'exec_program_path': u("C:\\\\temp\\\\cmd.exe"), 'exec_working_directory': u("C:\\\\temp\\\\"), 'exec_program_hashes': TEST_HASH_LIST, }, }, { 'action_type': u("TASK_ACTION_SHOW_MESSAGE"), 'action_id': u("Action #4"), 'ishowmessageaction': { 'show_message_body': u("Task completed."), 'show_message_title': u("Task Complete"), }, }, ], 'trigger_list': [ { 'trigger_begin': "2013-05-05T01:02:03-04:00", 'trigger_delay': u("PT5M"), 'trigger_end': "2013-05-05T01:02:10-04:00", 'trigger_frequency': u("TASK_TIME_TRIGGER_DAILY"), 'trigger_max_run_time': u("PT1M"), 'trigger_session_change_type': u("TASK_REMOTE_CONNECT"), #TODO: Add trigger_type }, { 'trigger_max_run_time': u("PT10M"), }, ], 'comment': u("This is a useless task."), 'working_directory': u("C:\\\\WINDOWS\\\\system32\\\\"), 'work_item_data': u("AAAAn34lq21b4m2nbvoi345"), 'xsi:type': object_type, }
class TestWinDriver(ObjectTestCase, unittest.TestCase): object_type = "WindowsDriverObjectType" klass = WinDriver _full_dict = { 'driver_init': 123, 'driver_name': "A driver name", 'driver_object_address': "abcde12345", 'driver_start_io': "abcce4321", 'driver_unload': "ab3234dec", 'image_base': "12345abc", 'image_size': "12ff", 'irp_mj_cleanup': long(1), 'irp_mj_close': long(2), 'irp_mj_create': long(3), 'irp_mj_create_mailslot': long(4), 'irp_mj_create_named_pipe': long(5), 'irp_mj_device_change': long(6), 'irp_mj_device_control': long(7), 'irp_mj_directory_control': long(8), 'irp_mj_file_system_control': long(9), 'irp_mj_flush_buffers': long(11), 'irp_mj_internal_device_control': long(12), 'irp_mj_lock_control': long(13), 'irp_mj_pnp': long(14), 'irp_mj_power': long(15), 'irp_mj_query_ea': long(16), 'irp_mj_query_information': long(17), 'irp_mj_query_quota': long(22), 'irp_mj_query_security': long(23), 'irp_mj_query_volume_information': long(24), 'irp_mj_read': long(25), 'irp_mj_set_ea': long(26), 'irp_mj_set_information': long(27), 'irp_mj_set_quota': long(33), 'irp_mj_set_security': long(34), 'irp_mj_set_volume_information': long(35), 'irp_mj_shutdown': long(36), 'irp_mj_system_control': long(37), 'irp_mj_write': long(38), #TODO: add 'device_object_list' 'xsi:type': object_type, }
class TestFile(ObjectTestCase, unittest.TestCase): object_type = "FileObjectType" klass = File _full_dict = { 'is_packed': False, 'is_masqueraded': True, 'file_name': u("example.txt"), 'file_path': { 'value': u("C:\\Temp"), 'fully_qualified': True }, 'device_path': u("\\Device\\CdRom0"), 'full_path': u("C:\\Temp\\example.txt"), 'file_extension': u("txt"), 'size_in_bytes': { 'apply_condition': 'ANY', 'condition': 'InclusiveBetween', 'value': [long(1023), long(1024)] }, 'magic_number': u("D0CF11E0"), 'file_format': u("ASCII Text"), 'hashes': [{ 'type': Hash.TYPE_MD5, 'simple_hash_value': u("0123456789abcdef0123456789abcdef") }], 'digital_signatures': [{ 'certificate_issuer': u("Microsoft"), 'certificate_subject': u("Notepad"), }], 'modified_time': "2010-11-06T02:02:02+08:00", 'accessed_time': "2010-11-07T02:03:02+09:00", 'created_time': "2010-11-08T02:04:02+10:00", 'user_owner': u("sballmer"), 'packer_list': [{ 'name': u("UPX"), 'version': u("3.91"), }], 'peak_entropy': 7.454352453, 'sym_links': [u("../link_destination")], 'byte_runs': [{ 'offset': 16, 'byte_run_data': u("1A2B3C4D") }], 'extracted_features': { 'strings': [{ 'string_value': u("string from the file") }], }, 'encryption_algorithm': u("RC4"), 'compression_method': u("deflate"), 'compression_version': u("1.0"), 'compression_comment': u("This has been compressed"), 'xsi:type': object_type, } def test_filepath_is_none(self): # This would throw an exception at one point. Should be fixed now. a = File.from_dict({'file_name': 'abcd.dll'}) def test_get_hashes(self): f = File() f.add_hash(Hash(EMPTY_MD5)) f.add_hash(Hash(EMPTY_SHA1)) f.add_hash(Hash(EMPTY_SHA224)) f.add_hash(Hash(EMPTY_SHA256)) f.add_hash(Hash(EMPTY_SHA384)) f.add_hash(Hash(EMPTY_SHA512)) self.assertEqual(EMPTY_MD5, f.md5) self.assertEqual(EMPTY_SHA1, f.sha1) self.assertEqual(EMPTY_SHA224, f.sha224) self.assertEqual(EMPTY_SHA256, f.sha256) self.assertEqual(EMPTY_SHA384, f.sha384) self.assertEqual(EMPTY_SHA512, f.sha512) def test_set_hashes(self): f = File() f.md5 = EMPTY_MD5 f.sha1 = EMPTY_SHA1 f.sha224 = EMPTY_SHA224 f.sha256 = EMPTY_SHA256 f.sha384 = EMPTY_SHA384 f.sha512 = EMPTY_SHA512 self.assertEqual(EMPTY_MD5, f.md5) self.assertEqual(EMPTY_SHA1, f.sha1) self.assertEqual(EMPTY_SHA224, f.sha224) self.assertEqual(EMPTY_SHA256, f.sha256) self.assertEqual(EMPTY_SHA384, f.sha384) self.assertEqual(EMPTY_SHA512, f.sha512) def test_add_hash_string(self): s = "ffffffffffffffffffff" f = File() f.add_hash(s) h = f.hashes[0] self.assertEqual(s, str(h.simple_hash_value)) self.assertEqual(Hash.TYPE_OTHER, h.type_) def test_fields(self): f = File() f.file_name = "blah.exe" self.assertEqual(String, type(f.file_name)) f.file_path = "C:\\Temp" self.assertEqual(FilePath, type(f.file_path)) def test_fields_not_shared(self): # In a previous version of TypedFields, all objects of the same type # shared a single value of each field. Obviously this was a mistake. f = File() f.file_name = "README.txt" self.assertEqual("README.txt", f.file_name) f2 = File() self.assertEqual(None, f2.file_name) def test_file_name_delimiter(self): f = File() f.file_name = ["foo", "bar"] f.file_name.delimiter = "^^" self.assertTrue(b"foo^^bar" in f.to_xml())
class TestWinRegistryKey(ObjectTestCase, unittest.TestCase): object_type = "WindowsRegistryKeyObjectType" klass = WinRegistryKey _full_dict = { 'key': u("\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting"), 'hive': u("HKEY_LOCAL_MACHINE"), 'number_values': 6, 'values': [ { 'name': u("Disabled"), 'data': u("1"), 'datatype': u("REG_DWORD"), 'byte_runs': [{ 'length': 1, 'byte_run_data': u("A") }], }, { 'name': u("ErrorPort"), 'data': u("\\WindowsErrorReportingServicePort"), 'datatype': u("REG_SZ"), }, ], 'modified_time': u("2013-08-08T15:15:15-04:00"), 'creator_username': u("gback"), 'handle_list': [ { 'name': u("RegHandle"), 'pointer_count': long(1), 'type': u("RegistryKey"), 'xsi:type': u('WindowsHandleObjectType'), }, ], 'number_subkeys': 1, 'subkeys': [ { 'key': u("Consent"), 'number_values': 1, 'values': [ { 'name': u("NewUserDefaultConsent"), 'data': u("1"), 'datatype': u("REG_DWORD"), }, ], 'xsi:type': 'WindowsRegistryKeyObjectType', }, ], 'byte_runs': [ { 'length': 4, 'byte_run_data': u("z!%f") }, { 'offset': 0x1000, 'length': 8, 'byte_run_data': u("%40V.,2@") }, ], 'xsi:type': object_type, }