    def testBuildFindSpecsWithRegistry(self):
        """Tests the BuildFindSpecs function on Windows Registry artifacts.

        Builds the find specifications for the 'TestRegistry' artifact, then
        evaluates them against the SYSTEM hive from the test data to check
        that the expected number of key paths is matched.
        """
        knowledge_base = knowledge_base_engine.KnowledgeBase()
        filter_helper = self._CreateTestArtifactDefinitionsFilterHelper(
            ['TestRegistry'], knowledge_base)

        filter_helper.BuildFindSpecs(environment_variables=None)
        specs_by_source_type = knowledge_base.GetValue(
            filter_helper.KNOWLEDGE_BASE_VALUE)
        registry_find_specs = specs_by_source_type.get(
            artifact_types.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY, [])

        # A single Windows Registry find specification is expected.
        self.assertEqual(len(registry_find_specs), 1)

        # Open the SYSTEM hive and map it into a registry so the find
        # specifications can be evaluated against real key paths.
        reader = windows_registry_parser.FileObjectWinRegistryFileReader()
        system_file_entry = self._GetTestFileEntry(['SYSTEM'])
        registry_file = reader.Open(system_file_entry.GetFileObject())

        win_registry = dfwinreg_registry.WinRegistry()
        prefix = win_registry.GetRegistryFileMapping(registry_file)
        registry_file.SetKeyPathPrefix(prefix)
        win_registry.MapFile(prefix, registry_file)

        searcher = dfwinreg_registry_searcher.WinRegistrySearcher(win_registry)
        matched_key_paths = list(searcher.Find(find_specs=registry_find_specs))

        self.assertIsNotNone(matched_key_paths)

        # Three key paths found.
        self.assertEqual(len(matched_key_paths), 3)
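    def RunPlugins(cls, artifacts_registry, file_system, mount_point,
                   knowledge_base):
        """Runs the preprocessing plugins.

        Args:
          artifacts_registry (artifacts.ArtifactDefinitionsRegistry): artifacts
              definitions registry.
          file_system (dfvfs.FileSystem): file system to be preprocessed.
          mount_point (dfvfs.PathSpec): mount point path specification that
              refers to the base location of the file system.
          knowledge_base (KnowledgeBase): knowledge base to fill with
              preprocessing information. The environment variable lookup
              tolerates a missing knowledge base, so the user account check
              below does too.
        """
        searcher = file_system_searcher.FileSystemSearcher(
            file_system, mount_point)

        cls.CollectFromFileSystem(artifacts_registry, knowledge_base, searcher,
                                  file_system)

        # Run the Registry plugins separately so we do not have to open
        # Registry files for every preprocess plugin.
        environment_variables = None
        if knowledge_base:
            environment_variables = knowledge_base.GetEnvironmentVariables()

        registry_file_reader = FileSystemWinRegistryFileReader(
            file_system,
            mount_point,
            environment_variables=environment_variables)
        win_registry = dfwinreg_registry.WinRegistry(
            registry_file_reader=registry_file_reader)

        searcher = registry_searcher.WinRegistrySearcher(win_registry)

        cls.CollectFromWindowsRegistry(artifacts_registry, knowledge_base,
                                       searcher)

        cls.CollectFromKnowledgeBase(knowledge_base)

        # Mirror the guard used for the environment variables: without a
        # knowledge base there are no user accounts to report, and calling
        # HasUserAccounts() on None would raise AttributeError instead of
        # warning.
        if not knowledge_base or not knowledge_base.HasUserAccounts():
            logger.warning('Unable to find any user accounts on the system.')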
    def testBuildFindSpecsWithRegistry(self):
        """Tests the BuildFindSpecs function on Windows Registry sources.

        Builds the find specifications for the 'TestRegistry' and
        'TestRegistryValue' artifacts and evaluates them against the SYSTEM
        hive from the test data.
        """
        knowledge_base = knowledge_base_engine.KnowledgeBase()
        filters_helper = self._CreateTestArtifactDefinitionsFiltersHelper(
            knowledge_base)

        filters_helper.BuildFindSpecs(['TestRegistry', 'TestRegistryValue'])

        # Both artifacts are Registry sources, so no file system find
        # specifications and 3 Windows Registry find specifications.
        self.assertEqual(
            len(filters_helper.included_file_system_find_specs), 0)
        self.assertEqual(len(filters_helper.registry_find_specs), 3)

        reader = windows_registry_parser.FileObjectWinRegistryFileReader()
        system_file_entry = self._GetTestFileEntry(['SYSTEM'])
        registry_file = reader.Open(system_file_entry.GetFileObject())

        win_registry = dfwinreg_registry.WinRegistry()
        prefix = win_registry.GetRegistryFileMapping(registry_file)
        registry_file.SetKeyPathPrefix(prefix)
        win_registry.MapFile(prefix, registry_file)

        searcher = dfwinreg_registry_searcher.WinRegistrySearcher(win_registry)
        matched_key_paths = list(
            searcher.Find(find_specs=filters_helper.registry_find_specs))

        self.assertIsNotNone(matched_key_paths)

        self.assertEqual(len(matched_key_paths), 5)
    def _RunPreprocessorPluginOnWindowsRegistryValue(self, file_system,
                                                     mount_point, plugin):
        """Runs a preprocessor plugin on a Windows Registry value.

        Args:
          file_system (dfvfs.FileSystem): file system to be preprocessed.
          mount_point (dfvfs.PathSpec): mount point path specification that
              refers to the base location of the file system.
          plugin (ArtifactPreprocessorPlugin): preprocessor plugin.

        Returns:
          KnowledgeBase: knowledge base filled with preprocessing information.
        """
        definition = self._artifacts_registry.GetDefinitionByName(
            plugin.ARTIFACT_DEFINITION_NAME)
        self.assertIsNotNone(definition)

        # %SystemRoot% is needed to expand the Registry file paths in the
        # artifact definition.
        system_root = artifacts.EnvironmentVariableArtifact(
            case_sensitive=False, name='SystemRoot', value='C:\\Windows')

        reader = manager.FileSystemWinRegistryFileReader(
            file_system,
            mount_point,
            environment_variables=[system_root])
        win_registry = dfwinreg_registry.WinRegistry(
            registry_file_reader=reader)
        searcher = registry_searcher.WinRegistrySearcher(win_registry)

        result_knowledge_base = knowledge_base.KnowledgeBase()
        plugin.Collect(result_knowledge_base, definition, searcher)

        return result_knowledge_base
    def testFind(self):
        """Tests the Find function.

        Exercises the three find specification forms (exact key path, glob and
        per-segment regex) against the SYSTEM hive, then a search without any
        find specification that walks the whole hive.
        """
        test_path = self._GetTestFilePath(['SYSTEM'])
        self._SkipIfPathNotExists(test_path)

        win_registry = registry.WinRegistry(
            registry_file_reader=test_registry.TestWinRegistryFileReader())

        registry_file = win_registry._OpenFile(test_path)

        prefix = win_registry.GetRegistryFileMapping(registry_file)
        win_registry.MapFile(prefix, registry_file)

        searcher = registry_searcher.WinRegistrySearcher(win_registry)

        control_set_children = [
            'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Control',
            'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Enum',
            'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Hardware Profiles',
            'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Policies',
            'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services'
        ]

        # (find specification, expected key paths) pairs, in the same order as
        # the individual checks they replace.
        cases = [
            (registry_searcher.FindSpec(
                key_path='HKEY_LOCAL_MACHINE\\System\\ControlSet001'),
             ['HKEY_LOCAL_MACHINE\\System\\ControlSet001']),
            (registry_searcher.FindSpec(
                key_path_glob='HKEY_LOCAL_MACHINE\\System\\ControlSet001\\*'),
             list(control_set_children)),
            (registry_searcher.FindSpec(key_path_regex=[
                'HKEY_LOCAL_MACHINE', 'System', 'ControlSet001', '.*'
            ]), list(control_set_children)),
        ]

        for find_spec, expected_key_paths in cases:
            key_paths = list(searcher.Find(find_specs=[find_spec]))
            self.assertEqual(key_paths, expected_key_paths)

        # Test without find specifications.
        all_key_paths = list(searcher.Find())
        self.assertEqual(len(all_key_paths), 31351)
  def _ParseKeysFromFindSpecs(self, parser_mediator, win_registry, find_specs):
    """Parses the Registry keys matched by the find specifications.

    Args:
      parser_mediator (ParserMediator): parser mediator; its abort flag is
          checked before each key so a cancelled run stops early.
      win_registry (dfwinreg.WinRegistryKey): root Windows Registry key.
          NOTE(review): the value is handed straight to WinRegistrySearcher,
          which elsewhere takes a WinRegistry; confirm the documented type.
      find_specs (dfwinreg.FindSpecs): Keys to search for.
    """
    searcher = dfwinreg_registry_searcher.WinRegistrySearcher(win_registry)
    matched_key_paths = searcher.Find(find_specs=find_specs)
    for key_path in matched_key_paths:
      # Honor an abort request between keys rather than after a full scan.
      if parser_mediator.abort:
        break

      self._ParseKey(parser_mediator, searcher.GetKeyByPath(key_path))
  def testSplitKeyPath(self):
    """Tests the SplitKeyPath function.

    A four-segment key path from the SYSTEM hive must split into four
    segments.
    """
    win_registry = registry.WinRegistry(
        registry_file_reader=test_registry.TestWinRegistryFileReader())

    registry_file = win_registry._OpenFile(self._GetTestFilePath(['SYSTEM']))

    prefix = win_registry.GetRegistryFileMapping(registry_file)
    win_registry.MapFile(prefix, registry_file)

    searcher = registry_searcher.WinRegistrySearcher(win_registry)

    key_path = 'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Control'
    segments = searcher.SplitKeyPath(key_path)
    self.assertEqual(len(segments), 4)
  def testGetKeyByPath(self):
    """Tests the GetKeyByPath function.

    Looks up a key known to exist in the SYSTEM hive and checks that a key
    object is returned.
    """
    win_registry = registry.WinRegistry(
        registry_file_reader=test_registry.TestWinRegistryFileReader())

    registry_file = win_registry._OpenFile(self._GetTestFilePath(['SYSTEM']))

    prefix = win_registry.GetRegistryFileMapping(registry_file)
    win_registry.MapFile(prefix, registry_file)

    searcher = registry_searcher.WinRegistrySearcher(win_registry)

    key_path = 'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Control'
    self.assertIsNotNone(searcher.GetKeyByPath(key_path))
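    def RunPlugins(cls, artifacts_registry, file_system, mount_point,
                   mediator):
        """Runs the preprocessing plugins.

        Args:
          artifacts_registry (artifacts.ArtifactDefinitionsRegistry): artifacts
              definitions registry.
          file_system (dfvfs.FileSystem): file system to be preprocessed.
          mount_point (dfvfs.PathSpec): mount point path specification that
              refers to the base location of the file system.
          mediator (PreprocessMediator): mediates interactions between
              preprocess plugins and other components, such as storage and
              knowledge base. Its knowledge_base attribute may be unset; the
              environment variable lookup and the user account check both
              tolerate that.
        """
        searcher = file_system_searcher.FileSystemSearcher(
            file_system, mount_point)

        cls.CollectFromFileSystem(artifacts_registry, mediator, searcher,
                                  file_system)

        # Run the Registry plugins separately so we do not have to open
        # Registry files for every preprocess plugin.
        knowledge_base = mediator.knowledge_base

        environment_variables = None
        if knowledge_base:
            environment_variables = knowledge_base.GetEnvironmentVariables()

        registry_file_reader = FileSystemWinRegistryFileReader(
            file_system,
            mount_point,
            environment_variables=environment_variables)
        win_registry = dfwinreg_registry.WinRegistry(
            registry_file_reader=registry_file_reader)

        searcher = registry_searcher.WinRegistrySearcher(win_registry)

        cls.CollectFromWindowsRegistry(artifacts_registry, mediator, searcher)

        cls.CollectFromKnowledgeBase(mediator)

        # Mirror the guard used for the environment variables: without a
        # knowledge base there are no user accounts to report, and calling
        # HasUserAccounts() on None would raise AttributeError instead of
        # warning.
        if not knowledge_base or not knowledge_base.HasUserAccounts():
            logger.warning('Unable to find any user accounts on the system.')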
  def testFind(self):
    """Tests the Find function.

    Exercises the three find specification forms (exact key path, glob and
    per-segment regex) against the SYSTEM hive.
    """
    win_registry = registry.WinRegistry(
        registry_file_reader=test_registry.TestWinRegistryFileReader())

    registry_file = win_registry._OpenFile(self._GetTestFilePath([u'SYSTEM']))

    prefix = win_registry.GetRegistryFileMapping(registry_file)
    win_registry.MapFile(prefix, registry_file)

    searcher = registry_searcher.WinRegistrySearcher(win_registry)

    control_set_children = [
        u'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Control',
        u'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Enum',
        u'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Hardware Profiles',
        u'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services']

    # (find specification, expected key paths) pairs, in the same order as
    # the individual checks they replace.
    cases = [
        (registry_searcher.FindSpec(
            key_path=u'HKEY_LOCAL_MACHINE\\System\\ControlSet001'),
         [u'HKEY_LOCAL_MACHINE\\System\\ControlSet001']),
        (registry_searcher.FindSpec(
            key_path_glob=u'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\*'),
         list(control_set_children)),
        (registry_searcher.FindSpec(
            key_path_regex=[
                u'HKEY_LOCAL_MACHINE', u'System', u'ControlSet001', u'.*']),
         list(control_set_children))]

    for find_spec, expected_key_paths in cases:
      key_paths = list(searcher.Find(find_specs=[find_spec]))
      self.assertEqual(key_paths, expected_key_paths)
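    def RunPlugins(cls, artifacts_registry, file_system, mount_point,
                   knowledge_base):
        """Runs the preprocessing plugins.

        Args:
          artifacts_registry (artifacts.ArtifactDefinitionsRegistry): artifacts
              definitions registry.
          file_system (dfvfs.FileSystem): file system to be preprocessed.
          mount_point (dfvfs.PathSpec): mount point path specification that
              refers to the base location of the file system.
          knowledge_base (KnowledgeBase): to fill with preprocessing
              information. The environment variable lookup tolerates a missing
              knowledge base, so the user account check below does too.
        """
        searcher = file_system_searcher.FileSystemSearcher(
            file_system, mount_point)

        cls.CollectFromFileSystem(artifacts_registry, knowledge_base, searcher,
                                  file_system)

        # Run the Registry plugins separately so we do not have to open
        # Registry files for every preprocess plugin.
        environment_variables = None
        if knowledge_base:
            environment_variables = knowledge_base.GetEnvironmentVariables()

        registry_file_reader = FileSystemWinRegistryFileReader(
            file_system,
            mount_point,
            environment_variables=environment_variables)
        win_registry = dfwinreg_registry.WinRegistry(
            registry_file_reader=registry_file_reader)

        searcher = registry_searcher.WinRegistrySearcher(win_registry)

        cls.CollectFromWindowsRegistry(artifacts_registry, knowledge_base,
                                       searcher)

        # Mirror the guard used for the environment variables: without a
        # knowledge base there are no user accounts to report, and calling
        # HasUserAccounts() on None would raise AttributeError instead of
        # warning.
        if not knowledge_base or not knowledge_base.HasUserAccounts():
            logging.warning('Unable to find any user accounts on the system.')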
    def _RunPreprocessorPluginOnWindowsRegistryValue(self, file_system,
                                                     mount_point,
                                                     storage_writer, plugin):
        """Runs a preprocessor plugin on a Windows Registry value.

        Args:
          file_system (dfvfs.FileSystem): file system to be preprocessed.
          mount_point (dfvfs.PathSpec): mount point path specification that
              refers to the base location of the file system.
          storage_writer (StorageWriter): storage writer.
          plugin (ArtifactPreprocessorPlugin): preprocessor plugin.

        Returns:
          PreprocessMediator: preprocess mediator.
        """
        definition = self._artifacts_registry.GetDefinitionByName(
            plugin.ARTIFACT_DEFINITION_NAME)
        self.assertIsNotNone(definition)

        # %SystemRoot% is needed to expand the Registry file paths in the
        # artifact definition.
        system_root = artifacts.EnvironmentVariableArtifact(
            case_sensitive=False, name='SystemRoot', value='C:\\Windows')

        reader = manager.FileSystemWinRegistryFileReader(
            file_system,
            mount_point,
            environment_variables=[system_root])
        win_registry = dfwinreg_registry.WinRegistry(
            registry_file_reader=reader)
        searcher = registry_searcher.WinRegistrySearcher(win_registry)

        test_mediator = mediator.PreprocessMediator(
            sessions.Session(), storage_writer, knowledge_base.KnowledgeBase())

        plugin.Collect(test_mediator, definition, searcher)

        return test_mediator
 def testInitialize(self):
   """Tests that __init__ rejects a missing Windows Registry."""
   self.assertRaises(
       ValueError, registry_searcher.WinRegistrySearcher, None)