def testBuildKeyHierarchy(self):
"""Tests the BuildKeyHierarchy function."""
test_key = fake.FakeWinRegistryKey(
'Microsoft',
key_path='HKEY_CURRENT_USER\\Software\\Microsoft',
last_written_time=0)
test_value = fake.FakeWinRegistryValue('')
self.assertIsNotNone(test_key)
self.assertIsNotNone(test_value)
# Test with subkeys and values.
registry_key = fake.FakeWinRegistryKey(
'Software',
key_path='HKEY_CURRENT_USER\\Software',
last_written_time=0,
subkeys=[test_key],
values=[test_value])
self.assertIsNotNone(registry_key)
# Test with duplicate subkeys and values.
registry_key = fake.FakeWinRegistryKey(
'Software',
key_path='HKEY_CURRENT_USER\\Software',
last_written_time=0,
subkeys=[test_key, test_key],
values=[test_value, test_value])
self.assertIsNotNone(registry_key)
def _CreateTestRegistry(self):
"""Creates Registry keys and values for testing.
Returns:
dfwinreg.WinRegistry: Windows Registry for testing.
"""
key_path_prefix = 'HKEY_LOCAL_MACHINE\\Software'
registry_file = dfwinreg_fake.FakeWinRegistryFile(
key_path_prefix=key_path_prefix)
registry_key = dfwinreg_fake.FakeWinRegistryKey('FolderDescriptions')
registry_file.AddKeyByPath(
'\\Microsoft\\Windows\\CurrentVersion\\Explorer', registry_key)
subkey = dfwinreg_fake.FakeWinRegistryKey(self._GUID)
registry_key.AddSubkey(self._GUID, subkey)
value_data = self._NAME.encode('utf-16-le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'Name', data=value_data, data_type=dfwinreg_definitions.REG_SZ)
subkey.AddValue(registry_value)
value_data = self._LOCALIZED_NAME.encode('utf-16-le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'LocalizedName', data=value_data,
data_type=dfwinreg_definitions.REG_SZ)
subkey.AddValue(registry_value)
registry_file.Open(None)
registry = dfwinreg_registry.WinRegistry()
registry.MapFile(key_path_prefix, registry_file)
return registry
def _CreateTestKey(self, key_path, time_string):
"""Creates Registry keys and values for testing.
Args:
key_path (str): Windows Registry key path.
time_string (str): key last written date and time.
Returns:
dfwinreg.WinRegistryKey: a Windows Registry key.
"""
filetime = dfdatetime_filetime.Filetime()
filetime.CopyFromDateTimeString(time_string)
registry_key = dfwinreg_fake.FakeWinRegistryKey(
'Servers', key_path=key_path, last_written_time=filetime.timestamp,
offset=865)
server_subkey_name = 'myserver.com'
server_subkey = dfwinreg_fake.FakeWinRegistryKey(
server_subkey_name, last_written_time=filetime.timestamp, offset=1456)
registry_key.AddSubkey(server_subkey_name, server_subkey)
value_data = 'DOMAIN\\username'.encode('utf_16_le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'UsernameHint', data=value_data, data_type=dfwinreg_definitions.REG_SZ,
offset=1892)
server_subkey.AddValue(registry_value)
return registry_key
def _CreateTestRegistry(self):
"""Creates Registry keys and values for testing.
Returns:
dfwinreg.WinRegistry: Windows Registry for testing.
"""
key_path_prefix = 'HKEY_LOCAL_MACHINE\\System'
registry_file = dfwinreg_fake.FakeWinRegistryFile(
key_path_prefix=key_path_prefix)
registry_key = dfwinreg_fake.FakeWinRegistryKey('Select')
registry_file.AddKeyByPath('\\', registry_key)
value_data = b'\x01\x00\x00\x00'
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'Current', data=value_data, data_type=dfwinreg_definitions.REG_DWORD)
registry_key.AddValue(registry_value)
registry_key = dfwinreg_fake.FakeWinRegistryKey('AppCompatibility')
registry_file.AddKeyByPath(
'\\ControlSet001\\Control\\Session Manager', registry_key)
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'AppCompatCache', data=_CACHE_DATA_WINDOWS_XP,
data_type=dfwinreg_definitions.REG_BINARY)
registry_key.AddValue(registry_value)
registry_file.Open(None)
registry = dfwinreg_registry.WinRegistry()
registry.MapFile(key_path_prefix, registry_file)
return registry
def testCheckKeyPath(self):
"""Tests the _CheckKeyPath function."""
find_spec = registry_searcher.FindSpec(
key_path=u'HKEY_CURRENT_USER\\Software\\Microsoft')
registry_key = fake.FakeWinRegistryKey(
u'Microsoft', key_path=u'HKEY_CURRENT_USER\\Software')
result = find_spec._CheckKeyPath(registry_key, 3)
self.assertTrue(result)
result = find_spec._CheckKeyPath(registry_key, 0)
self.assertTrue(result)
# Test incorrect search depth.
result = find_spec._CheckKeyPath(registry_key, 1)
self.assertFalse(result)
# Test invalid search depth.
result = find_spec._CheckKeyPath(registry_key, -1)
self.assertFalse(result)
result = find_spec._CheckKeyPath(registry_key, 99)
self.assertFalse(result)
# Test find specification with regular expression.
find_spec = registry_searcher.FindSpec(
key_path_regex=[u'HKEY_CURRENT_USER', u'Software', u'Microsoft'])
registry_key = fake.FakeWinRegistryKey(
u'Microsoft', key_path=u'HKEY_CURRENT_USER\\Software')
result = find_spec._CheckKeyPath(registry_key, 3)
self.assertTrue(result)
def _CreateTestKey(self, key_path, time_string):
"""Creates Registry keys and values for testing.
Args:
key_path: the Windows Registry key path.
time_string: string containing the key last written date and time.
Returns:
A Windows Registry key (instance of dfwinreg.WinRegistryKey).
"""
filetime = dfwinreg_filetime.Filetime()
filetime.CopyFromString(time_string)
registry_key = dfwinreg_fake.FakeWinRegistryKey(
u'Servers',
key_path=key_path,
last_written_time=filetime.timestamp,
offset=865)
server_subkey = dfwinreg_fake.FakeWinRegistryKey(
u'myserver.com', last_written_time=filetime.timestamp, offset=1456)
value_data = u'DOMAIN\\username'.encode(u'utf_16_le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
u'UsernameHint',
data=value_data,
data_type=dfwinreg_definitions.REG_SZ,
offset=1892)
server_subkey.AddValue(registry_value)
registry_key.AddSubkey(server_subkey)
return registry_key
def _CreateTestRegistry(self):
"""Creates Registry keys and values for testing.
Returns:
dfwinreg.WinRegistry: Windows Registry for testing.
"""
key_path_prefix = 'HKEY_LOCAL_MACHINE\\SAM'
registry_file = dfwinreg_fake.FakeWinRegistryFile(
key_path_prefix=key_path_prefix)
registry_key = dfwinreg_fake.FakeWinRegistryKey('Users')
registry_file.AddKeyByPath('\\SAM\\Domains\\Account', registry_key)
subkey = dfwinreg_fake.FakeWinRegistryKey(self._RID)
registry_key.AddSubkey(self._RID, subkey)
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'F', data=_F_VALUE_DATA, data_type=dfwinreg_definitions.REG_BINARY)
subkey.AddValue(registry_value)
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'V', data=_V_VALUE_DATA, data_type=dfwinreg_definitions.REG_BINARY)
subkey.AddValue(registry_value)
registry_file.Open(None)
registry = dfwinreg_registry.WinRegistry()
registry.MapFile(key_path_prefix, registry_file)
return registry
def _CreateTestRegistry(self):
"""Creates Registry keys and values for testing.
Returns:
dfwinreg.WinRegistry: Windows Registry for testing.
"""
key_path_prefix = 'HKEY_LOCAL_MACHINE\\Software'
registry_file = dfwinreg_fake.FakeWinRegistryFile(
key_path_prefix=key_path_prefix)
registry_key = dfwinreg_fake.FakeWinRegistryKey('ProfileList')
registry_file.AddKeyByPath(
'\\Microsoft\\Windows NT\\CurrentVersion', registry_key)
subkey = dfwinreg_fake.FakeWinRegistryKey(self._SID)
registry_key.AddSubkey(subkey)
value_data = self._PROFILE_PATH.encode('utf-16-le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'ProfileImagePath', data=value_data,
data_type=dfwinreg_definitions.REG_SZ)
subkey.AddValue(registry_value)
registry_file.Open(None)
registry = dfwinreg_registry.WinRegistry()
registry.MapFile(key_path_prefix, registry_file)
return registry
def _CreateTestKey(self, binary_data):
"""Creates Registry keys and values for testing.
Args:
binary_data (bytes): BAM Registry value data.
Returns:
dfwinreg.WinRegistryKey: a Windows Registry key.
"""
key_path = '\\ControlSet001\\Services\\bam\\State'
filetime = dfdatetime_filetime.Filetime()
filetime.CopyFromDateTimeString('2019-03-19 20:55:19.975237')
registry_key = dfwinreg_fake.FakeWinRegistryKey(
'UserSettings',
key_path=key_path,
last_written_time=filetime.timestamp)
filetime.CopyFromDateTimeString('2019-03-19 13:29:56.008214')
sid_key_name = 'S-1-5-21-321011808-3761883066-353627080-1000'
sid_key = dfwinreg_fake.FakeWinRegistryKey(
sid_key_name, last_written_time=filetime.timestamp)
registry_value = dfwinreg_fake.FakeWinRegistryValue(
('\\Device\\HarddiskVolume1\\Windows\\System32\\WindowsPowerShell'
'\\v1.0\\powershell.exe'),
data=binary_data,
data_type=dfwinreg_definitions.REG_BINARY)
sid_key.AddValue(registry_value)
registry_key.AddSubkey(sid_key_name, sid_key)
return registry_key
def _CreateTestRegistry(self):
"""Creates Registry keys and values for testing.
Returns:
dfwinreg.WinRegistry: Windows Registry for testing.
"""
key_path_prefix = 'HKEY_LOCAL_MACHINE\\System'
registry_file = dfwinreg_fake.FakeWinRegistryFile(
key_path_prefix=key_path_prefix)
registry_key = dfwinreg_fake.FakeWinRegistryKey('Services')
registry_file.AddKeyByPath('\\CurrentControlSet', registry_key)
subkey = dfwinreg_fake.FakeWinRegistryKey('WwanSvc')
registry_key.AddSubkey('WwanSvc', subkey)
value_data = self._DESCRIPTION.encode('utf-16-le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'Description',
data=value_data,
data_type=dfwinreg_definitions.REG_SZ)
subkey.AddValue(registry_value)
value_data = self._DISPLAY_NAME.encode('utf-16-le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'DisplayName',
data=value_data,
data_type=dfwinreg_definitions.REG_SZ)
subkey.AddValue(registry_value)
value_data = self._IMAGE_PATH.encode('utf-16-le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'ImagePath',
data=value_data,
data_type=dfwinreg_definitions.REG_SZ)
subkey.AddValue(registry_value)
value_data = self._OBJECT_NAME.encode('utf-16-le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'ObjectName',
data=value_data,
data_type=dfwinreg_definitions.REG_SZ)
subkey.AddValue(registry_value)
value_data = b'\x03\x00\x00\x00'
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'Start', data=value_data, data_type=dfwinreg_definitions.REG_DWORD)
subkey.AddValue(registry_value)
value_data = b'\x20\x00\x00\x00'
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'Type', data=value_data, data_type=dfwinreg_definitions.REG_DWORD)
subkey.AddValue(registry_value)
registry_file.Open(None)
registry = dfwinreg_registry.WinRegistry()
registry.MapFile(key_path_prefix, registry_file)
return registry
def testAddSubkey(self):
"""Tests the AddSubkey function."""
registry_key = fake.FakeWinRegistryKey(
'Software', key_path='HKEY_CURRENT_USER\\Software',
last_written_time=0)
sub_registry_key = fake.FakeWinRegistryKey(
'Microsoft', key_path='HKEY_CURRENT_USER\\Software\\Microsoft',
last_written_time=0)
registry_key.AddSubkey(sub_registry_key)
with self.assertRaises(KeyError):
registry_key.AddSubkey(sub_registry_key)
def _CreateTestRegistry(self):
"""Creates Registry keys and values for testing.
Returns:
dfwinreg.WinRegistry: Windows Registry for testing.
"""
key_path_prefix = 'HKEY_LOCAL_MACHINE\\Software'
registry_file = dfwinreg_fake.FakeWinRegistryFile(
key_path_prefix=key_path_prefix)
registry_key = dfwinreg_fake.FakeWinRegistryKey(self._GUID1)
registry_file.AddKeyByPath('\\Classes\\TypeLib', registry_key)
subkey = dfwinreg_fake.FakeWinRegistryKey(self._VERSION1)
registry_key.AddSubkey(self._VERSION1, subkey)
value_data = self._DESCRIPTION1.encode('utf-16-le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'', data=value_data, data_type=dfwinreg_definitions.REG_SZ)
subkey.AddValue(registry_value)
language_key = dfwinreg_fake.FakeWinRegistryKey('409')
subkey.AddSubkey('409', language_key)
platform_key = dfwinreg_fake.FakeWinRegistryKey('Win32')
language_key.AddSubkey('Win32', platform_key)
value_data = self._FILENAME1.encode('utf-16-le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'', data=value_data, data_type=dfwinreg_definitions.REG_SZ)
platform_key.AddValue(registry_value)
registry_key = dfwinreg_fake.FakeWinRegistryKey(self._GUID2)
registry_file.AddKeyByPath('\\Classes\\TypeLib', registry_key)
subkey = dfwinreg_fake.FakeWinRegistryKey(self._VERSION2)
registry_key.AddSubkey(self._VERSION2, subkey)
value_data = self._DESCRIPTION1.encode('utf-16-le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'', data=value_data, data_type=dfwinreg_definitions.REG_SZ)
subkey.AddValue(registry_value)
language_key = dfwinreg_fake.FakeWinRegistryKey('0')
subkey.AddSubkey('0', language_key)
platform_key = dfwinreg_fake.FakeWinRegistryKey('x64')
language_key.AddSubkey('x64', platform_key)
value_data = self._FILENAME1.encode('utf-16-le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'', data=value_data, data_type=dfwinreg_definitions.REG_SZ)
platform_key.AddValue(registry_value)
registry_file.Open(None)
registry = dfwinreg_registry.WinRegistry()
registry.MapFile(key_path_prefix, registry_file)
return registry
def _CreateTestKey(self, time_string, binary_data):
"""Creates Registry keys and values for testing.
Args:
time_string: string containing the key last written date and time.
binary_data: the binary data of the AppCompatCache Registry value.
Returns:
A Windows Registry key (instance of dfwinreg.WinRegistryKey).
"""
key_path = u'\\ControlSet001\\Control\\Session Manager\\AppCompatCache'
filetime = dfwinreg_filetime.Filetime()
filetime.CopyFromString(time_string)
registry_key = dfwinreg_fake.FakeWinRegistryKey(
u'AppCompatCache',
key_path=key_path,
last_written_time=filetime.timestamp,
offset=1456)
registry_value = dfwinreg_fake.FakeWinRegistryValue(
u'AppCompatCache',
data=binary_data,
data_type=dfwinreg_definitions.REG_BINARY)
registry_key.AddValue(registry_value)
return registry_key
def _CreateTestKey(self, key_path, time_string):
"""Creates Registry keys and values for testing.
Args:
key_path: the Windows Registry key path.
time_string: string containing the key last written date and time.
Returns:
A Windows Registry key (instance of dfwinreg.WinRegistryKey).
"""
filetime = dfdatetime_filetime.Filetime()
filetime.CopyFromString(time_string)
registry_key = dfwinreg_fake.FakeWinRegistryKey(
u'TestDriver', key_path=key_path, last_written_time=filetime.timestamp,
offset=1456)
value_data = b'\x02\x00\x00\x00'
registry_value = dfwinreg_fake.FakeWinRegistryValue(
u'Type', data=value_data, data_type=dfwinreg_definitions.REG_DWORD,
offset=123)
registry_key.AddValue(registry_value)
value_data = b'\x02\x00\x00\x00'
registry_value = dfwinreg_fake.FakeWinRegistryValue(
u'Start', data=value_data, data_type=dfwinreg_definitions.REG_DWORD,
offset=127)
registry_key.AddValue(registry_value)
value_data = b'\x01\x00\x00\x00'
registry_value = dfwinreg_fake.FakeWinRegistryValue(
u'ErrorControl', data=value_data,
data_type=dfwinreg_definitions.REG_DWORD, offset=131)
registry_key.AddValue(registry_value)
value_data = u'Pnp Filter'.encode(u'utf_16_le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
u'Group', data=value_data, data_type=dfwinreg_definitions.REG_SZ,
offset=140)
registry_key.AddValue(registry_value)
value_data = u'Test Driver'.encode(u'utf_16_le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
u'DisplayName', data=value_data, data_type=dfwinreg_definitions.REG_SZ,
offset=160)
registry_key.AddValue(registry_value)
value_data = u'testdriver.inf_x86_neutral_dd39b6b0a45226c4'.encode(
u'utf_16_le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
u'DriverPackageId', data=value_data,
data_type=dfwinreg_definitions.REG_SZ, offset=180)
registry_key.AddValue(registry_value)
value_data = u'C:\\Dell\\testdriver.sys'.encode(u'utf_16_le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
u'ImagePath', data=value_data, data_type=dfwinreg_definitions.REG_SZ,
offset=200)
registry_key.AddValue(registry_value)
return registry_key
def _CreateTestKey(self, key_path, time_string):
"""Creates WinRAR ArcHistory Registry keys and values for testing.
Args:
key_path (str): Windows Registry key path.
time_string (str): key last written date and time.
Returns:
dfwinreg.WinRegistryKey: a Windows Registry key.
"""
filetime = dfdatetime_filetime.Filetime()
filetime.CopyFromString(time_string)
registry_key = dfwinreg_fake.FakeWinRegistryKey(
u'ArcHistory', key_path=key_path, last_written_time=filetime.timestamp,
offset=1456)
value_data = u'C:\\Downloads\\The Sleeping Dragon CD1.iso'.encode(
u'utf_16_le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
u'0', data=value_data, data_type=dfwinreg_definitions.REG_SZ,
offset=1892)
registry_key.AddValue(registry_value)
value_data = u'C:\\Downloads\\plaso-static.rar'.encode(u'utf_16_le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
u'1', data=value_data, data_type=dfwinreg_definitions.REG_SZ,
offset=612)
registry_key.AddValue(registry_value)
return registry_key
def _CreateTestRegistry(self):
"""Creates Registry keys and values for testing.
Returns:
dfwinreg.WinRegistry: Windows Registry for testing.
"""
key_path_prefix = 'HKEY_LOCAL_MACHINE\\Software'
registry_file = dfwinreg_fake.FakeWinRegistryFile(
key_path_prefix=key_path_prefix)
registry_key = dfwinreg_fake.FakeWinRegistryKey(
'{fd6c8b29-e936-4a61-8da6-b0c12ad3ba00}')
registry_file.AddKeyByPath('\\Classes\\AppID', registry_key)
value_data = 'Wordpad'.encode('utf-16-le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'', data=value_data, data_type=dfwinreg_definitions.REG_SZ)
registry_key.AddValue(registry_value)
registry_file.Open(None)
registry = dfwinreg_registry.WinRegistry()
registry.MapFile(key_path_prefix, registry_file)
return registry
def GetKeyByPath(self, key_path):
"""Retrieves the key for a specific path.
Args:
key_path (str): Windows Registry key path.
Returns:
WinRegistryKey: Windows Registry key or None if not available.
Raises:
RuntimeError: if the root key is not supported.
"""
if key_path == 'HKEY_LOCAL_MACHINE\\System\\Select':
registry_key = fake.FakeWinRegistryKey(
'Select', key_path='HKEY_LOCAL_MACHINE\\System',
last_written_time=0)
registry_value = fake.FakeWinRegistryValue(
'Current', data=b'DATA', data_type=definitions.REG_BINARY)
registry_key.AddValue(registry_value)
registry_value = fake.FakeWinRegistryValue(
'Default', data=b'\xff\xff\xff\xff', data_type=definitions.REG_DWORD)
registry_key.AddValue(registry_value)
registry_value = fake.FakeWinRegistryValue(
'LastKnownGood', data=b'\x01\x00\x00\x00',
data_type=definitions.REG_DWORD)
registry_key.AddValue(registry_value)
return registry_key
return super(TestWinRegistry, self).GetKeyByPath(key_path)
def _CreateTestRegistry(self):
"""Creates Registry keys and values for testing.
Returns:
dfwinreg.WinRegistry: Windows Registry for testing.
"""
key_path_prefix = 'HKEY_LOCAL_MACHINE\\System'
registry_file = dfwinreg_fake.FakeWinRegistryFile(
key_path_prefix=key_path_prefix)
registry_key = dfwinreg_fake.FakeWinRegistryKey('Environment')
registry_file.AddKeyByPath(
'\\CurrentControlSet\\Control\\Session Manager', registry_key)
value_data = '%SystemRoot%\\TEMP'.encode('utf-16-le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'TEMP', data=value_data, data_type=dfwinreg_definitions.REG_SZ)
registry_key.AddValue(registry_value)
registry_file.Open(None)
registry = dfwinreg_registry.WinRegistry()
registry.MapFile(key_path_prefix, registry_file)
return registry
def _CreateTestRegistry(self):
"""Creates Registry keys and values for testing.
Returns:
dfwinreg.WinRegistry: Windows Registry for testing.
"""
key_path_prefix = 'HKEY_CURRENT_USER'
registry_file = dfwinreg_fake.FakeWinRegistryFile(
key_path_prefix=key_path_prefix)
registry_key = dfwinreg_fake.FakeWinRegistryKey('RecentDocs')
registry_file.AddKeyByPath(
'\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer',
registry_key)
value_data = b'a\x00\x00\x00'
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'MRUList', data=value_data, data_type=dfwinreg_definitions.REG_BINARY)
registry_key.AddValue(registry_value)
value_data = 'MyFile.txt\x00'.encode('utf_16_le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'a', data=value_data, data_type=dfwinreg_definitions.REG_BINARY)
registry_key.AddValue(registry_value)
registry_file.Open(None)
registry = dfwinreg_registry.WinRegistry()
registry.MapFile(key_path_prefix, registry_file)
return registry
def _CreateTestRegistry(self):
"""Creates Registry keys and values for testing.
Returns:
dfwinreg.WinRegistry: Windows Registry for testing.
"""
key_path_prefix = 'HKEY_LOCAL_MACHINE\\System'
registry_file = dfwinreg_fake.FakeWinRegistryFile(
key_path_prefix=key_path_prefix)
registry_key = dfwinreg_fake.FakeWinRegistryKey('MountedDevices')
registry_file.AddKeyByPath('\\', registry_key)
value_data = b'\x78\x56\x34\x12\x00\x10\x00\x00\x00\x00\x00\x00'
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'\\DosDevices\\C:',
data=value_data,
data_type=dfwinreg_definitions.REG_BINARY)
registry_key.AddValue(registry_value)
registry_file.Open(None)
registry = dfwinreg_registry.WinRegistry()
registry.MapFile(key_path_prefix, registry_file)
return registry
def _CreateTestRegistry(self):
"""Creates Registry keys and values for testing.
Returns:
dfwinreg.WinRegistry: Windows Registry for testing.
"""
key_path_prefix = 'HKEY_LOCAL_MACHINE\\Software'
registry_file = dfwinreg_fake.FakeWinRegistryFile(
key_path_prefix=key_path_prefix)
registry_key = dfwinreg_fake.FakeWinRegistryKey('CurrentVersion')
registry_file.AddKeyByPath('\\Microsoft\\Windows NT', registry_key)
value_data = self._CSD_VERSION.encode('utf-16-le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'CSDVersion', data=value_data, data_type=dfwinreg_definitions.REG_SZ)
registry_key.AddValue(registry_value)
value_data = self._CURRENT_BUILD_NUMBER.encode('utf-16-le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'CurrentBuildNumber', data=value_data,
data_type=dfwinreg_definitions.REG_SZ)
registry_key.AddValue(registry_value)
value_data = self._CURRENT_TYPE.encode('utf-16-le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'CurrentType', data=value_data,
data_type=dfwinreg_definitions.REG_SZ)
registry_key.AddValue(registry_value)
value_data = self._CURRENT_VERSION.encode('utf-16-le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'CurrentVersion', data=value_data,
data_type=dfwinreg_definitions.REG_SZ)
registry_key.AddValue(registry_value)
value_data = b'\x47\xc8\xda\x4c'
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'InstallDate', data=value_data,
data_type=dfwinreg_definitions.REG_DWORD)
registry_key.AddValue(registry_value)
value_data = self._PRODUCT_IDENTIFIER.encode('utf-16-le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'ProductId', data=value_data, data_type=dfwinreg_definitions.REG_SZ)
registry_key.AddValue(registry_value)
value_data = self._PRODUCT_NAME.encode('utf-16-le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'ProductName', data=value_data, data_type=dfwinreg_definitions.REG_SZ)
registry_key.AddValue(registry_value)
# TODO: add more values.
registry_file.Open(None)
registry = dfwinreg_registry.WinRegistry()
registry.MapFile(key_path_prefix, registry_file)
return registry
def _CreateTestKey(self, key_path, time_string):
"""Creates Registry keys and values for testing.
Args:
key_path (str): Windows Registry key path.
time_string (str): key last written date and time.
Returns:
dfwinreg.WinRegistryKey: a Windows Registry key.
"""
filetime = dfdatetime_filetime.Filetime()
filetime.CopyFromDateTimeString(time_string)
registry_key = dfwinreg_fake.FakeWinRegistryKey(
'BootVerificationProgram',
key_path=key_path,
last_written_time=filetime.timestamp,
offset=153)
value_data = 'C:\\WINDOWS\\system32\\googleupdater.exe'.encode(
'utf_16_le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'ImagePath',
data=value_data,
data_type=dfwinreg_definitions.REG_SZ,
offset=123)
registry_key.AddValue(registry_value)
return registry_key
def _CreateTestKey(self, key_path, time_string):
"""Creates Registry keys and values for testing.
Args:
key_path (str): Windows Registry key path.
time_string (str): key last written date and time.
Returns:
dfwinreg.WinRegistryKey: a Windows Registry key.
"""
filetime = dfdatetime_filetime.Filetime()
filetime.CopyFromDateTimeString(time_string)
registry_key = dfwinreg_fake.FakeWinRegistryKey(
'Default', key_path=key_path, last_written_time=filetime.timestamp,
offset=1456)
value_data = '192.168.16.60'.encode('utf_16_le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'MRU0', data=value_data, data_type=dfwinreg_definitions.REG_SZ,
offset=1892)
registry_key.AddValue(registry_value)
value_data = 'computer.domain.com'.encode('utf_16_le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'MRU1', data=value_data, data_type=dfwinreg_definitions.REG_SZ,
offset=612)
registry_key.AddValue(registry_value)
return registry_key
def testFilters(self):
"""Tests the FILTERS class attribute."""
plugin = mrulist.MRUListStringPlugin()
key_path = (
'HKEY_CURRENT_USER\\Software\\Microsoft\\Some Windows\\'
'InterestingApp\\MRU')
registry_key = dfwinreg_fake.FakeWinRegistryKey(
'MRUlist', key_path=key_path)
result = self._CheckFiltersOnKeyPath(plugin, registry_key)
self.assertFalse(result)
registry_value = dfwinreg_fake.FakeWinRegistryValue('MRUList')
registry_key.AddValue(registry_value)
registry_value = dfwinreg_fake.FakeWinRegistryValue('a')
registry_key.AddValue(registry_value)
result = self._CheckFiltersOnKeyPath(plugin, registry_key)
self.assertTrue(result)
self._AssertNotFiltersOnKeyPath(plugin, 'HKEY_LOCAL_MACHINE\\Bogus')
key_path = (
'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\'
'Explorer\\DesktopStreamMRU')
self._AssertNotFiltersOnKeyPath(plugin, key_path)
def testGetValuesFromKey(self):
"""Tests the _GetValuesFromKey function."""
registry_key = dfwinreg_fake.FakeWinRegistryKey(
'Explorer', key_path='HKEY_LOCAL_MACHINE\\Software\\Windows\\MRU')
value_data = b'a\x00'
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'MRUList',
data=value_data,
data_type=dfwinreg_definitions.REG_BINARY)
registry_key.AddValue(registry_value)
value_data = b'o\x00n\x00e\x00'
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'a', data=value_data, data_type=dfwinreg_definitions.REG_SZ)
registry_key.AddValue(registry_value)
plugin = interface.WindowsRegistryPlugin()
expected_value_dict = {
'a': '[REG_SZ] one',
'MRUList': '[REG_BINARY] (2 bytes)'
}
values_dict = plugin._GetValuesFromKey(registry_key)
self.assertEqual(sorted(values_dict.items()),
sorted(expected_value_dict.items()))
def _CreateTestKey(self, time_string, binary_data):
"""Creates Registry keys and values for testing.
Args:
time_string (str): key last written date and time.
binary_data (bytes): AppCompatCache Registry value data.
Returns:
dfwinreg.WinRegistryKey: a Windows Registry key.
"""
filetime = dfdatetime_filetime.Filetime()
filetime.CopyFromDateTimeString(time_string)
registry_key = dfwinreg_fake.FakeWinRegistryKey(
'AppCompatCache',
key_path=self._TEST_KEY_PATH,
last_written_time=filetime.timestamp,
offset=1456)
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'AppCompatCache',
data=binary_data,
data_type=dfwinreg_definitions.REG_BINARY)
registry_key.AddValue(registry_value)
return registry_key
def _CreateTestKey(self, key_path, time_string):
"""Creates Registry keys and values for testing.
Args:
key_path (str): Windows Registry key path.
time_string (str): key last written date and time.
Returns:
dfwinreg.WinRegistryKey: a Windows Registry key.
"""
filetime = dfdatetime_filetime.Filetime()
filetime.CopyFromDateTimeString(time_string)
registry_key = dfwinreg_fake.FakeWinRegistryKey(
'Search',
key_path=key_path,
last_written_time=filetime.timestamp,
offset=1456)
value_name = (
'C:\\Users\\username\\AppData\\Local\\Microsoft\\Outlook\\'
'*****@*****.**')
value_data = b'\xcf\x2b\x37\x00'
registry_value = dfwinreg_fake.FakeWinRegistryValue(
value_name,
data=value_data,
data_type=dfwinreg_definitions.REG_DWORD,
offset=1892)
registry_key.AddValue(registry_value)
return registry_key
def _CreateTestKey(self, key_path, time_string):
"""Creates Registry keys and values for testing.
Args:
key_path (str): Windows Registry key path.
time_string (str): key last written date and time.
Returns:
dfwinreg.WinRegistryKey: a Windows Registry key.
"""
filetime = dfdatetime_filetime.Filetime()
filetime.CopyFromDateTimeString(time_string)
registry_key = dfwinreg_fake.FakeWinRegistryKey(
'CurrentVersion',
key_path=key_path,
last_written_time=filetime.timestamp,
offset=153)
value_data = 'Service Pack 1'.encode('utf_16_le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'CSDVersion',
data=value_data,
data_type=dfwinreg_definitions.REG_SZ,
offset=1892)
registry_key.AddValue(registry_value)
value_data = '5.1'.encode('utf_16_le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'CurrentVersion',
data=value_data,
data_type=dfwinreg_definitions.REG_SZ,
offset=1121)
registry_key.AddValue(registry_value)
value_data = b'\x13\x1aAP'
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'InstallDate',
data=value_data,
data_type=dfwinreg_definitions.REG_DWORD_LITTLE_ENDIAN,
offset=1001)
registry_key.AddValue(registry_value)
value_data = 'MyTestOS'.encode('utf_16_le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'ProductName',
data=value_data,
data_type=dfwinreg_definitions.REG_SZ,
offset=123)
registry_key.AddValue(registry_value)
value_data = 'A Concerned Citizen'.encode('utf_16_le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'RegisteredOwner',
data=value_data,
data_type=dfwinreg_definitions.REG_SZ,
offset=612)
registry_key.AddValue(registry_value)
return registry_key
def testAddKeyByPath(self):
"""Tests the AddKeyByPath function."""
registry_file = fake.FakeWinRegistryFile()
software_key = fake.FakeWinRegistryKey('Software')
registry_file.AddKeyByPath('\\', software_key)
test_key = fake.FakeWinRegistryKey('Key')
registry_file.AddKeyByPath('\\Test\\Path', test_key)
test_key = fake.FakeWinRegistryKey('More')
registry_file.AddKeyByPath('\\Test\\Path\\Key', test_key)
with self.assertRaises(KeyError):
registry_file.AddKeyByPath('\\', software_key)
with self.assertRaises(ValueError):
registry_file.AddKeyByPath('Test', software_key)
def testGetKeyByPath(self):
"""Tests the GetKeyByPath function."""
registry_file = fake.FakeWinRegistryFile()
registry_key = registry_file.GetKeyByPath('\\')
self.assertIsNone(registry_key)
registry_file = self._OpenFakeRegistryFile(
key_path_prefix='HKEY_LOCAL_MACHINE')
test_key = fake.FakeWinRegistryKey('Key')
registry_file.AddKeyByPath('\\Test\\Path', test_key)
# Test root key without prefix.
key_path = '\\'
registry_key = registry_file.GetKeyByPath(key_path)
self.assertIsNotNone(registry_key)
self.assertEqual(registry_key.path, key_path)
# Test root key with prefix.
key_path = 'HKEY_LOCAL_MACHINE\\'
registry_key = registry_file.GetKeyByPath(key_path)
self.assertIsNotNone(registry_key)
self.assertEqual(registry_key.path, '\\')
# Test key without prefix.
key_path = '\\Software'
registry_key = registry_file.GetKeyByPath(key_path)
self.assertIsNotNone(registry_key)
self.assertEqual(registry_key.path, key_path)
# Test key with prefix.
key_path = 'HKEY_LOCAL_MACHINE\\Software'
registry_key = registry_file.GetKeyByPath(key_path)
self.assertIsNotNone(registry_key)
self.assertEqual(registry_key.path, '\\Software')
# Test key with some depth.
key_path = '\\Test\\Path\\Key'
registry_key = registry_file.GetKeyByPath(key_path)
self.assertIsNotNone(registry_key)
self.assertEqual(registry_key.path, key_path)
# Test non-existing keys.
key_path = '\\Bogus'
registry_key = registry_file.GetKeyByPath(key_path)
self.assertIsNone(registry_key)
key_path = '\\Test\\Path\\Bogus'
registry_key = registry_file.GetKeyByPath(key_path)
self.assertIsNone(registry_key)
key_path = 'Bogus'
registry_key = registry_file.GetKeyByPath(key_path)
self.assertIsNone(registry_key)
registry_file.Close()
