def testGetCachedFileByPath(self):
"""Tests the _GetCachedFileByPath function."""
test_path = self._GetTestFilePath(['SYSTEM'])
self._SkipIfPathNotExists(test_path)
win_registry = registry.WinRegistry()
# Note that _GetCachedFileByPath expects the key path to be in
# upper case.
key_path = 'HKEY_LOCAL_MACHINE\\SYSTEM'
key_path_prefix, registry_file = win_registry._GetCachedFileByPath(
key_path)
self.assertIsNone(key_path_prefix)
self.assertIsNone(registry_file)
win_registry = registry.WinRegistry(
registry_file_reader=TestWinRegistryFileReader())
registry_file = win_registry._OpenFile(test_path)
key_path_prefix = win_registry.GetRegistryFileMapping(registry_file)
win_registry.MapFile(key_path_prefix, registry_file)
key_path_prefix, registry_file = win_registry._GetCachedFileByPath(
key_path)
self.assertEqual(key_path_prefix, key_path)
self.assertIsNotNone(registry_file)
def testGetCurrentControlSet(self):
"""Tests the _GetCurrentControlSet function."""
test_path = self._GetTestFilePath(['SYSTEM'])
self._SkipIfPathNotExists(test_path)
win_registry = registry.WinRegistry()
registry_key = win_registry._GetCurrentControlSet('')
self.assertIsNone(registry_key)
win_registry = registry.WinRegistry(
registry_file_reader=TestWinRegistryFileReader())
registry_file = win_registry._OpenFile(test_path)
key_path_prefix = win_registry.GetRegistryFileMapping(registry_file)
win_registry.MapFile(key_path_prefix, registry_file)
registry_key = win_registry._GetCurrentControlSet('')
self.assertIsNotNone(registry_key)
expected_key_path = 'HKEY_LOCAL_MACHINE\\System\\ControlSet001'
self.assertEqual(registry_key.path, expected_key_path)
# Tests Current value is not an integer.
win_registry = TestWinRegistry()
registry_key = win_registry._GetCurrentControlSet('')
self.assertIsNone(registry_key)
def testGetKeyByPathOnSystem(self):
"""Tests the GetKeyByPath function on a SYSTEM file."""
win_registry = registry.WinRegistry(
registry_file_reader=TestWinRegistryFileReader())
test_path = self._GetTestFilePath([u'SYSTEM'])
registry_file = win_registry._OpenFile(test_path)
win_registry = registry.WinRegistry()
key_path_prefix = win_registry.GetRegistryFileMapping(registry_file)
win_registry.MapFile(key_path_prefix, registry_file)
# Test an existing key.
registry_key = win_registry.GetKeyByPath(
u'HKEY_LOCAL_MACHINE\\System\\ControlSet001')
self.assertIsNotNone(registry_key)
# Test a virtual key.
registry_key = win_registry.GetKeyByPath(
u'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet')
self.assertIsNotNone(registry_key)
# Test a non-existing key.
registry_key = win_registry.GetKeyByPath(
u'HKEY_LOCAL_MACHINE\\System\\Bogus')
self.assertIsNone(registry_key)
def testGetUsers(self):
"""Tests the _GetUsers function."""
ntuser_test_path = self._GetTestFilePath(['NTUSER.DAT'])
self._SkipIfPathNotExists(ntuser_test_path)
software_test_path = self._GetTestFilePath(['SOFTWARE'])
self._SkipIfPathNotExists(software_test_path)
win_registry = registry.WinRegistry()
registry_key = win_registry._GetUsers('S-1-5-18')
self.assertIsNone(registry_key)
win_registry = registry.WinRegistry(
registry_file_reader=TestWinRegistryFileReader())
registry_file = win_registry._OpenFile(ntuser_test_path)
profile_path = '%SystemRoot%\\System32\\config\\systemprofile\\NTUSER.DAT'
win_registry.MapUserFile(profile_path, registry_file)
registry_file = win_registry._OpenFile(software_test_path)
key_path_prefix = win_registry.GetRegistryFileMapping(registry_file)
win_registry.MapFile(key_path_prefix, registry_file)
registry_key = win_registry._GetUsers('S-1-5-18')
self.assertIsNotNone(registry_key)
expected_key_path = 'HKEY_USERS\\S-1-5-18'
self.assertEqual(registry_key.path, expected_key_path)
registry_key = win_registry._GetUsers('.DEFAULT')
self.assertIsNotNone(registry_key)
expected_key_path = 'HKEY_USERS\\.DEFAULT'
self.assertEqual(registry_key.path, expected_key_path)
def testGetKeyByPathOnNTUserDat(self):
"""Tests the GetKeyByPath function on a NTUSER.DAT file."""
win_registry = registry.WinRegistry(
registry_file_reader=TestWinRegistryFileReader())
test_path = self._GetTestFilePath(['NTUSER.DAT'])
registry_file = win_registry._OpenFile(test_path)
win_registry = registry.WinRegistry()
key_path_prefix = win_registry.GetRegistryFileMapping(registry_file)
win_registry.MapFile(key_path_prefix, registry_file)
# Test an existing key.
registry_key = win_registry.GetKeyByPath(
'HKEY_CURRENT_USER\\Software\\Microsoft')
self.assertIsNotNone(registry_key)
# Test a non-existing key.
registry_key = win_registry.GetKeyByPath(
'HKEY_CURRENT_USER\\Software\\Bogus')
self.assertIsNone(registry_key)
# Test a non-existing root.
with self.assertRaises(RuntimeError):
win_registry.GetKeyByPath('HKEY_BOGUS\\Software\\Bogus')
# Test a non-existing key outside the Registry file.
registry_key = win_registry.GetKeyByPath(
'HKEY_LOCAL_MACHINE\\System\\ControlSet001')
self.assertIsNone(registry_key)
def testMapUserFile(self):
"""Tests the MapUserFile function."""
win_registry = registry.WinRegistry(
registry_file_reader=TestWinRegistryFileReader())
test_path = self._GetTestFilePath(['NTUSER.DAT'])
registry_file = win_registry._OpenFile(test_path)
win_registry = registry.WinRegistry()
profile_path = '%SystemRoot%\\System32\\config\\systemprofile'
win_registry.MapUserFile(profile_path, registry_file)
def testMapFile(self):
"""Tests the MapFile function."""
win_registry = registry.WinRegistry(
registry_file_reader=TestWinRegistryFileReader())
test_path = self._GetTestFilePath(['SYSTEM'])
registry_file = win_registry._OpenFile(test_path)
win_registry = registry.WinRegistry()
key_path_prefix = win_registry.GetRegistryFileMapping(registry_file)
win_registry.MapFile(key_path_prefix, registry_file)
def _CreateTestRegistry(self):
"""Creates Registry keys and values for testing.
Returns:
dfwinreg.WinRegistry: Windows Registry for testing.
"""
key_path_prefix = 'HKEY_LOCAL_MACHINE\\SAM'
registry_file = dfwinreg_fake.FakeWinRegistryFile(
key_path_prefix=key_path_prefix)
registry_key = dfwinreg_fake.FakeWinRegistryKey('Users')
registry_file.AddKeyByPath('\\SAM\\Domains\\Account', registry_key)
subkey = dfwinreg_fake.FakeWinRegistryKey(self._RID)
registry_key.AddSubkey(self._RID, subkey)
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'F', data=_F_VALUE_DATA, data_type=dfwinreg_definitions.REG_BINARY)
subkey.AddValue(registry_value)
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'V', data=_V_VALUE_DATA, data_type=dfwinreg_definitions.REG_BINARY)
subkey.AddValue(registry_value)
registry_file.Open(None)
registry = dfwinreg_registry.WinRegistry()
registry.MapFile(key_path_prefix, registry_file)
return registry
def _CreateTestRegistry(self):
"""Creates Registry keys and values for testing.
Returns:
dfwinreg.WinRegistry: Windows Registry for testing.
"""
key_path_prefix = 'HKEY_LOCAL_MACHINE\\Software'
registry_file = dfwinreg_fake.FakeWinRegistryFile(
key_path_prefix=key_path_prefix)
registry_key = dfwinreg_fake.FakeWinRegistryKey('ProfileList')
registry_file.AddKeyByPath(
'\\Microsoft\\Windows NT\\CurrentVersion', registry_key)
subkey = dfwinreg_fake.FakeWinRegistryKey(self._SID)
registry_key.AddSubkey(subkey)
value_data = self._PROFILE_PATH.encode('utf-16-le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'ProfileImagePath', data=value_data,
data_type=dfwinreg_definitions.REG_SZ)
subkey.AddValue(registry_value)
registry_file.Open(None)
registry = dfwinreg_registry.WinRegistry()
registry.MapFile(key_path_prefix, registry_file)
return registry
def testBuildFindSpecsWithRegistry(self):
"""Tests the BuildFindSpecs function on Windows Registry sources."""
knowledge_base = knowledge_base_engine.KnowledgeBase()
artifact_filter_names = ['TestRegistry', 'TestRegistryValue']
test_filters_helper = self._CreateTestArtifactDefinitionsFiltersHelper(
knowledge_base)
test_filters_helper.BuildFindSpecs(artifact_filter_names)
# There should be 3 Windows Registry find specifications.
self.assertEqual(
len(test_filters_helper.included_file_system_find_specs), 0)
self.assertEqual(len(test_filters_helper.registry_find_specs), 3)
win_registry_reader = (
windows_registry_parser.FileObjectWinRegistryFileReader())
file_entry = self._GetTestFileEntry(['SYSTEM'])
file_object = file_entry.GetFileObject()
registry_file = win_registry_reader.Open(file_object)
win_registry = dfwinreg_registry.WinRegistry()
key_path_prefix = win_registry.GetRegistryFileMapping(registry_file)
registry_file.SetKeyPathPrefix(key_path_prefix)
win_registry.MapFile(key_path_prefix, registry_file)
searcher = dfwinreg_registry_searcher.WinRegistrySearcher(win_registry)
key_paths = list(
searcher.Find(find_specs=test_filters_helper.registry_find_specs))
self.assertIsNotNone(key_paths)
self.assertEqual(len(key_paths), 5)
def _CreateTestRegistry(self):
"""Creates Registry keys and values for testing.
Returns:
dfwinreg.WinRegistry: Windows Registry for testing.
"""
key_path_prefix = 'HKEY_LOCAL_MACHINE\\System'
registry_file = dfwinreg_fake.FakeWinRegistryFile(
key_path_prefix=key_path_prefix)
registry_key = dfwinreg_fake.FakeWinRegistryKey('Services')
registry_file.AddKeyByPath('\\CurrentControlSet', registry_key)
subkey = dfwinreg_fake.FakeWinRegistryKey('WwanSvc')
registry_key.AddSubkey('WwanSvc', subkey)
value_data = self._DESCRIPTION.encode('utf-16-le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'Description',
data=value_data,
data_type=dfwinreg_definitions.REG_SZ)
subkey.AddValue(registry_value)
value_data = self._DISPLAY_NAME.encode('utf-16-le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'DisplayName',
data=value_data,
data_type=dfwinreg_definitions.REG_SZ)
subkey.AddValue(registry_value)
value_data = self._IMAGE_PATH.encode('utf-16-le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'ImagePath',
data=value_data,
data_type=dfwinreg_definitions.REG_SZ)
subkey.AddValue(registry_value)
value_data = self._OBJECT_NAME.encode('utf-16-le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'ObjectName',
data=value_data,
data_type=dfwinreg_definitions.REG_SZ)
subkey.AddValue(registry_value)
value_data = b'\x03\x00\x00\x00'
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'Start', data=value_data, data_type=dfwinreg_definitions.REG_DWORD)
subkey.AddValue(registry_value)
value_data = b'\x20\x00\x00\x00'
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'Type', data=value_data, data_type=dfwinreg_definitions.REG_DWORD)
subkey.AddValue(registry_value)
registry_file.Open(None)
registry = dfwinreg_registry.WinRegistry()
registry.MapFile(key_path_prefix, registry_file)
return registry
def _CreateTestRegistry(self):
"""Creates Registry keys and values for testing.
Returns:
dfwinreg.WinRegistry: Windows Registry for testing.
"""
key_path_prefix = 'HKEY_LOCAL_MACHINE\\System'
registry_file = dfwinreg_fake.FakeWinRegistryFile(
key_path_prefix=key_path_prefix)
registry_key = dfwinreg_fake.FakeWinRegistryKey('Environment')
registry_file.AddKeyByPath(
'\\CurrentControlSet\\Control\\Session Manager', registry_key)
value_data = '%SystemRoot%\\TEMP'.encode('utf-16-le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'TEMP', data=value_data, data_type=dfwinreg_definitions.REG_SZ)
registry_key.AddValue(registry_value)
registry_file.Open(None)
registry = dfwinreg_registry.WinRegistry()
registry.MapFile(key_path_prefix, registry_file)
return registry
def ParseFileObject(self, parser_mediator, file_object, **kwargs):
"""Parses a Windows Registry file-like object.
Args:
parser_mediator (ParserMediator): parser mediator.
file_object (dfvfs.FileIO): a file-like object.
"""
win_registry_reader = FileObjectWinRegistryFileReader()
try:
registry_file = win_registry_reader.Open(file_object)
except IOError as exception:
parser_mediator.ProduceExtractionError(
'unable to open Windows Registry file with error: {0!s}'.format(
exception))
return
win_registry = dfwinreg_registry.WinRegistry()
key_path_prefix = win_registry.GetRegistryFileMapping(registry_file)
registry_file.SetKeyPathPrefix(key_path_prefix)
root_key = registry_file.GetRootKey()
if not root_key:
return
try:
self._ParseRecurseKeys(parser_mediator, root_key)
except IOError as exception:
parser_mediator.ProduceExtractionError('{0:s}'.format(exception))
def _CreateTestRegistry(self):
"""Creates Registry keys and values for testing.
Returns:
dfwinreg.WinRegistry: Windows Registry for testing.
"""
key_path_prefix = 'HKEY_LOCAL_MACHINE\\Software'
registry_file = dfwinreg_fake.FakeWinRegistryFile(
key_path_prefix=key_path_prefix)
registry_key = dfwinreg_fake.FakeWinRegistryKey(self._GUID1)
registry_file.AddKeyByPath('\\Classes\\TypeLib', registry_key)
subkey = dfwinreg_fake.FakeWinRegistryKey(self._VERSION1)
registry_key.AddSubkey(self._VERSION1, subkey)
value_data = self._DESCRIPTION1.encode('utf-16-le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'', data=value_data, data_type=dfwinreg_definitions.REG_SZ)
subkey.AddValue(registry_value)
language_key = dfwinreg_fake.FakeWinRegistryKey('409')
subkey.AddSubkey('409', language_key)
platform_key = dfwinreg_fake.FakeWinRegistryKey('Win32')
language_key.AddSubkey('Win32', platform_key)
value_data = self._FILENAME1.encode('utf-16-le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'', data=value_data, data_type=dfwinreg_definitions.REG_SZ)
platform_key.AddValue(registry_value)
registry_key = dfwinreg_fake.FakeWinRegistryKey(self._GUID2)
registry_file.AddKeyByPath('\\Classes\\TypeLib', registry_key)
subkey = dfwinreg_fake.FakeWinRegistryKey(self._VERSION2)
registry_key.AddSubkey(self._VERSION2, subkey)
value_data = self._DESCRIPTION1.encode('utf-16-le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'', data=value_data, data_type=dfwinreg_definitions.REG_SZ)
subkey.AddValue(registry_value)
language_key = dfwinreg_fake.FakeWinRegistryKey('0')
subkey.AddSubkey('0', language_key)
platform_key = dfwinreg_fake.FakeWinRegistryKey('x64')
language_key.AddSubkey('x64', platform_key)
value_data = self._FILENAME1.encode('utf-16-le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'', data=value_data, data_type=dfwinreg_definitions.REG_SZ)
platform_key.AddValue(registry_value)
registry_file.Open(None)
registry = dfwinreg_registry.WinRegistry()
registry.MapFile(key_path_prefix, registry_file)
return registry
def _GetWinRegistryFromFileEntry(self, file_entry):
"""Retrieves a Windows Registry from a file entry.
Args:
file_entry: A file entry object (instance of dfvfs.FileEntry) that
references a test file.
Returns:
A Windows Registry object (instance of dfwinreg.WinRegistry) or None.
"""
file_object = file_entry.GetFileObject()
if not file_object:
return
win_registry_reader = winreg.FileObjectWinRegistryFileReader()
registry_file = win_registry_reader.Open(file_object)
if not registry_file:
file_object.close()
return
win_registry = dfwinreg_registry.WinRegistry()
key_path_prefix = win_registry.GetRegistryFileMapping(registry_file)
win_registry.MapFile(key_path_prefix, registry_file)
return win_registry
def _RunPreprocessorPluginOnWindowsRegistryValue(self, file_system,
mount_point, plugin):
"""Runs a preprocessor plugin on a Windows Registry value.
Args:
file_system (dfvfs.FileSystem): file system to be preprocessed.
mount_point (dfvfs.PathSpec): mount point path specification that refers
to the base location of the file system.
plugin (ArtifactPreprocessorPlugin): preprocessor plugin.
Return:
KnowledgeBase: knowledge base filled with preprocessing information.
"""
artifact_definition = self._artifacts_registry.GetDefinitionByName(
plugin.ARTIFACT_DEFINITION_NAME)
self.assertIsNotNone(artifact_definition)
environment_variable = artifacts.EnvironmentVariableArtifact(
case_sensitive=False, name='SystemRoot', value='C:\\Windows')
registry_file_reader = manager.FileSystemWinRegistryFileReader(
file_system,
mount_point,
environment_variables=[environment_variable])
win_registry = dfwinreg_registry.WinRegistry(
registry_file_reader=registry_file_reader)
knowledge_base_object = knowledge_base.KnowledgeBase()
searcher = registry_searcher.WinRegistrySearcher(win_registry)
plugin.Collect(knowledge_base_object, artifact_definition, searcher)
return knowledge_base_object
def testGetRegistryFileMappingOnNTUserDat(self):
"""Tests the GetRegistryFileMapping function on a NTUSER.DAT file."""
dat_test_path = self._GetTestFilePath(['NTUSER.DAT'])
self._SkipIfPathNotExists(dat_test_path)
log_test_path = self._GetTestFilePath(['NTUSER.DAT.LOG'])
self._SkipIfPathNotExists(log_test_path)
win_registry = registry.WinRegistry(
registry_file_reader=TestWinRegistryFileReader())
registry_file = win_registry._OpenFile(dat_test_path)
key_path_prefix = win_registry.GetRegistryFileMapping(registry_file)
self.assertEqual(key_path_prefix, 'HKEY_CURRENT_USER')
registry_file.Close()
registry_file = win_registry._OpenFile(log_test_path)
key_path_prefix = win_registry.GetRegistryFileMapping(registry_file)
self.assertEqual(key_path_prefix, '')
registry_file.Close()
key_path_prefix = win_registry.GetRegistryFileMapping(None)
self.assertEqual(key_path_prefix, '')
def _CreateTestRegistry(self):
"""Creates Registry keys and values for testing.
Returns:
dfwinreg.WinRegistry: Windows Registry for testing.
"""
key_path_prefix = 'HKEY_LOCAL_MACHINE\\System'
registry_file = dfwinreg_fake.FakeWinRegistryFile(
key_path_prefix=key_path_prefix)
registry_key = dfwinreg_fake.FakeWinRegistryKey('Select')
registry_file.AddKeyByPath('\\', registry_key)
value_data = b'\x01\x00\x00\x00'
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'Current', data=value_data, data_type=dfwinreg_definitions.REG_DWORD)
registry_key.AddValue(registry_value)
registry_key = dfwinreg_fake.FakeWinRegistryKey('AppCompatibility')
registry_file.AddKeyByPath(
'\\ControlSet001\\Control\\Session Manager', registry_key)
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'AppCompatCache', data=_CACHE_DATA_WINDOWS_XP,
data_type=dfwinreg_definitions.REG_BINARY)
registry_key.AddValue(registry_value)
registry_file.Open(None)
registry = dfwinreg_registry.WinRegistry()
registry.MapFile(key_path_prefix, registry_file)
return registry
def _RunWindowsRegistryPlugin(self, file_system, mount_point, plugin):
"""Runs a Windows Registry preprocess plugin.
Args:
file_system (dfvfs.FileSystem): file system to be preprocessed.
mount_point (dfvfs.PathSpec): mount point path specification that refers
to the base location of the file system.
plugin (PreprocessPlugin): preprocess plugin.
Return:
KnowledgeBase: knowledge base filled with preprocessing information.
"""
environment_variable = artifacts.EnvironmentVariableArtifact(
case_sensitive=False, name=u'SystemRoot', value=u'C:\\Windows')
registry_file_reader = manager.FileSystemWinRegistryFileReader(
file_system,
mount_point,
environment_variables=[environment_variable])
win_registry = dfwinreg_registry.WinRegistry(
registry_file_reader=registry_file_reader)
knowledge_base_object = knowledge_base.KnowledgeBase()
plugin.Run(win_registry, knowledge_base_object)
return knowledge_base_object
def _CreateTestKeyWithMappedRegistry(self):
"""Creates a virtual Windows Registry key with a mapped registry.
Returns:
VirtualWinRegistryKey: virtual Windows Registry key.
"""
test_path = self._GetTestFilePath(['SYSTEM'])
self._SkipIfPathNotExists(test_path)
registry_key = virtual.VirtualWinRegistryKey(
'HKEY_LOCAL_MACHINE', key_path='HKEY_LOCAL_MACHINE')
win_registry = registry.WinRegistry(
registry_file_reader=test_registry.TestWinRegistryFileReader())
registry_file = win_registry._OpenFile(test_path)
key_path_prefix = win_registry.GetRegistryFileMapping(registry_file)
win_registry.MapFile(key_path_prefix, registry_file)
sub_registry_key = virtual.VirtualWinRegistryKey('System',
registry=win_registry)
registry_key.AddSubkey(sub_registry_key)
return registry_key
def _CreateTestRegistry(self):
"""Creates Registry keys and values for testing.
Returns:
dfwinreg.WinRegistry: Windows Registry for testing.
"""
key_path_prefix = 'HKEY_LOCAL_MACHINE\\Software'
registry_file = dfwinreg_fake.FakeWinRegistryFile(
key_path_prefix=key_path_prefix)
registry_key = dfwinreg_fake.FakeWinRegistryKey('CurrentVersion')
registry_file.AddKeyByPath('\\Microsoft\\Windows NT', registry_key)
value_data = self._CSD_VERSION.encode('utf-16-le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'CSDVersion', data=value_data, data_type=dfwinreg_definitions.REG_SZ)
registry_key.AddValue(registry_value)
value_data = self._CURRENT_BUILD_NUMBER.encode('utf-16-le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'CurrentBuildNumber', data=value_data,
data_type=dfwinreg_definitions.REG_SZ)
registry_key.AddValue(registry_value)
value_data = self._CURRENT_TYPE.encode('utf-16-le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'CurrentType', data=value_data,
data_type=dfwinreg_definitions.REG_SZ)
registry_key.AddValue(registry_value)
value_data = self._CURRENT_VERSION.encode('utf-16-le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'CurrentVersion', data=value_data,
data_type=dfwinreg_definitions.REG_SZ)
registry_key.AddValue(registry_value)
value_data = b'\x47\xc8\xda\x4c'
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'InstallDate', data=value_data,
data_type=dfwinreg_definitions.REG_DWORD)
registry_key.AddValue(registry_value)
value_data = self._PRODUCT_IDENTIFIER.encode('utf-16-le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'ProductId', data=value_data, data_type=dfwinreg_definitions.REG_SZ)
registry_key.AddValue(registry_value)
value_data = self._PRODUCT_NAME.encode('utf-16-le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'ProductName', data=value_data, data_type=dfwinreg_definitions.REG_SZ)
registry_key.AddValue(registry_value)
# TODO: add more values.
registry_file.Open(None)
registry = dfwinreg_registry.WinRegistry()
registry.MapFile(key_path_prefix, registry_file)
return registry
def testCollect(self):
"""Tests the Collect function."""
test_path = self._GetTestFilePath(['SOFTWARE'])
self._SkipIfPathNotExists(test_path)
registry = dfwinreg_registry.WinRegistry()
with open(test_path, 'rb') as file_object:
registry_file = dfwinreg_regf.REGFWinRegistryFile(
ascii_codepage='cp1252')
registry_file.Open(file_object)
key_path_prefix = registry.GetRegistryFileMapping(registry_file)
registry_file.SetKeyPathPrefix(key_path_prefix)
registry.MapFile(key_path_prefix, registry_file)
collector_object = msie_zone_info.MSIEZoneInformationCollector()
test_results = list(collector_object.Collect(registry))
self.assertEqual(len(test_results), 1724)
zone_information = test_results[0]
self.assertEqual(zone_information.zone, '0')
self.assertEqual(zone_information.zone_name, 'Computer')
self.assertEqual(zone_information.control, '1809')
self.assertEqual(zone_information.control_value, 3)
def testBuildFindSpecsWithRegistry(self):
"""Tests the BuildFindSpecs function on Windows Registry artifacts."""
knowledge_base = knowledge_base_engine.KnowledgeBase()
test_filter_file = self._CreateTestArtifactDefinitionsFilterHelper(
['TestRegistry'], knowledge_base)
test_filter_file.BuildFindSpecs(environment_variables=None)
find_specs_per_source_type = knowledge_base.GetValue(
test_filter_file.KNOWLEDGE_BASE_VALUE)
find_specs = find_specs_per_source_type.get(
artifact_types.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY, [])
self.assertEqual(len(find_specs), 1)
win_registry_reader = (
windows_registry_parser.FileObjectWinRegistryFileReader())
file_entry = self._GetTestFileEntry(['SYSTEM'])
file_object = file_entry.GetFileObject()
registry_file = win_registry_reader.Open(file_object)
win_registry = dfwinreg_registry.WinRegistry()
key_path_prefix = win_registry.GetRegistryFileMapping(registry_file)
registry_file.SetKeyPathPrefix(key_path_prefix)
win_registry.MapFile(key_path_prefix, registry_file)
searcher = dfwinreg_registry_searcher.WinRegistrySearcher(win_registry)
key_paths = list(searcher.Find(find_specs=find_specs))
self.assertIsNotNone(key_paths)
# Three key paths found.
self.assertEqual(len(key_paths), 3)
def _CreateTestRegistry(self):
"""Creates Registry keys and values for testing.
Returns:
dfwinreg.WinRegistry: Windows Registry for testing.
"""
key_path_prefix = 'HKEY_LOCAL_MACHINE\\System'
registry_file = dfwinreg_fake.FakeWinRegistryFile(
key_path_prefix=key_path_prefix)
registry_key = dfwinreg_fake.FakeWinRegistryKey('MountedDevices')
registry_file.AddKeyByPath('\\', registry_key)
value_data = b'\x78\x56\x34\x12\x00\x10\x00\x00\x00\x00\x00\x00'
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'\\DosDevices\\C:',
data=value_data,
data_type=dfwinreg_definitions.REG_BINARY)
registry_key.AddValue(registry_value)
registry_file.Open(None)
registry = dfwinreg_registry.WinRegistry()
registry.MapFile(key_path_prefix, registry_file)
return registry
def _CreateTestRegistry(self):
"""Creates Registry keys and values for testing.
Returns:
dfwinreg.WinRegistry: Windows Registry for testing.
"""
key_path_prefix = 'HKEY_CURRENT_USER'
registry_file = dfwinreg_fake.FakeWinRegistryFile(
key_path_prefix=key_path_prefix)
registry_key = dfwinreg_fake.FakeWinRegistryKey('RecentDocs')
registry_file.AddKeyByPath(
'\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer',
registry_key)
value_data = b'a\x00\x00\x00'
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'MRUList', data=value_data, data_type=dfwinreg_definitions.REG_BINARY)
registry_key.AddValue(registry_value)
value_data = 'MyFile.txt\x00'.encode('utf_16_le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'a', data=value_data, data_type=dfwinreg_definitions.REG_BINARY)
registry_key.AddValue(registry_value)
registry_file.Open(None)
registry = dfwinreg_registry.WinRegistry()
registry.MapFile(key_path_prefix, registry_file)
return registry
def _CreateTestRegistry(self):
"""Creates Registry keys and values for testing.
Returns:
dfwinreg.WinRegistry: Windows Registry for testing.
"""
key_path_prefix = 'HKEY_LOCAL_MACHINE\\Software'
registry_file = dfwinreg_fake.FakeWinRegistryFile(
key_path_prefix=key_path_prefix)
registry_key = dfwinreg_fake.FakeWinRegistryKey(
'{fd6c8b29-e936-4a61-8da6-b0c12ad3ba00}')
registry_file.AddKeyByPath('\\Classes\\AppID', registry_key)
value_data = 'Wordpad'.encode('utf-16-le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'', data=value_data, data_type=dfwinreg_definitions.REG_SZ)
registry_key.AddValue(registry_value)
registry_file.Open(None)
registry = dfwinreg_registry.WinRegistry()
registry.MapFile(key_path_prefix, registry_file)
return registry
def testCollect(self):
"""Tests the Collect function."""
test_path = self._GetTestFilePath(['NTUSER.DAT'])
self._SkipIfPathNotExists(test_path)
registry = dfwinreg_registry.WinRegistry()
with open(test_path, 'rb') as file_object:
registry_file = dfwinreg_regf.REGFWinRegistryFile(
ascii_codepage='cp1252')
registry_file.Open(file_object)
key_path_prefix = registry.GetRegistryFileMapping(registry_file)
registry_file.SetKeyPathPrefix(key_path_prefix)
registry.MapFile(key_path_prefix, registry_file)
test_output_writer = test_lib.TestOutputWriter()
collector_object = programscache.ProgramsCacheCollector(
output_writer=test_output_writer)
result = collector_object.Collect(registry)
self.assertTrue(result)
test_output_writer.Close()
def RunPlugins(cls, artifacts_registry, file_system, mount_point,
knowledge_base):
searcher = file_system_searcher.FileSystemSearcher(
file_system, mount_point)
cls.CollectFromFileSystem(artifacts_registry, knowledge_base, searcher,
file_system)
environment_variables = None
if knowledge_base:
environment_variables = knowledge_base.GetEnvironmentVariables()
registry_file_reader = FileSystemWinRegistryFileReader(
file_system,
mount_point,
environment_variables=environment_variables)
win_registry = dfwinreg_registry.WinRegistry(
registry_file_reader=registry_file_reader)
searcher = registry_searcher.WinRegistrySearcher(win_registry)
cls.CollectFromWindowsRegistry(artifacts_registry, knowledge_base,
searcher)
cls.CollectFromKnowledgeBase(knowledge_base)
if not knowledge_base.HasUserAccounts():
logger.warning('Unable to find any user accounts on the system.')
def _CreateTestRegistry(self):
"""Creates Registry keys and values for testing.
Returns:
dfwinreg.WinRegistry: Windows Registry for testing.
"""
key_path_prefix = 'HKEY_LOCAL_MACHINE\\Software'
registry_file = dfwinreg_fake.FakeWinRegistryFile(
key_path_prefix=key_path_prefix)
registry_key = dfwinreg_fake.FakeWinRegistryKey('FolderDescriptions')
registry_file.AddKeyByPath(
'\\Microsoft\\Windows\\CurrentVersion\\Explorer', registry_key)
subkey = dfwinreg_fake.FakeWinRegistryKey(self._GUID)
registry_key.AddSubkey(self._GUID, subkey)
value_data = self._NAME.encode('utf-16-le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'Name', data=value_data, data_type=dfwinreg_definitions.REG_SZ)
subkey.AddValue(registry_value)
value_data = self._LOCALIZED_NAME.encode('utf-16-le')
registry_value = dfwinreg_fake.FakeWinRegistryValue(
'LocalizedName', data=value_data,
data_type=dfwinreg_definitions.REG_SZ)
subkey.AddValue(registry_value)
registry_file.Open(None)
registry = dfwinreg_registry.WinRegistry()
registry.MapFile(key_path_prefix, registry_file)
return registry
def testGetKeyByPathOnSystem(self):
"""Tests the GetKeyByPath function on a SYSTEM file."""
win_registry = registry.WinRegistry(
registry_file_reader=TestWinRegistryFileReaderMapped())
# Test an existing key.
registry_key = win_registry.GetKeyByPath(
'HKEY_LOCAL_MACHINE\\System\\ControlSet001')
self.assertIsNotNone(registry_key)
# Test a virtual key.
registry_key = win_registry.GetKeyByPath(
'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet')
self.assertIsNotNone(registry_key)
# Test a non-existing key.
registry_key = win_registry.GetKeyByPath(
'HKEY_LOCAL_MACHINE\\System\\Bogus')
self.assertIsNone(registry_key)
# Tests Current value is not an integer.
win_registry = TestWinRegistryKeyPathPrefixMismatch(
registry_file_reader=TestWinRegistryFileReaderMapped())
with self.assertRaises(RuntimeError):
win_registry.GetKeyByPath(
'HKEY_LOCAL_MACHINE\\System\\ControlSet001')
